chapter 4 network layer. chapter 4: network layer chapter goals: r understand principles behind...
Post on 19-Dec-2015
274 views
TRANSCRIPT
Chapter 4Network Layer
Chapter 4: Network Layer
Chapter goals: understand principles behind network
layer services: network layer service models forwarding versus routing how a router works routing (path selection) dealing with scale IPv4 and IPv6
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
Network layer transport segment from sending to receiving host
on sending side encapsulates segments into datagrams
on rcving side, delivers segments to transport layer
network layer protocols in every host and router
router examines header fields in all IP datagrams passing through it
application
transportnetworkdata linkphysical
application
transportnetworkdata linkphysical
networkdata linkphysical network
data linkphysical
networkdata linkphysical
networkdata linkphysical
networkdata linkphysical
networkdata linkphysical
networkdata linkphysical
networkdata linkphysical
networkdata linkphysical
networkdata linkphysicalnetwork
data linkphysical
Two Key Network-Layer Functions
forwarding: move packets from router’s input to appropriate router output
routing: determine route taken by packets from source to dest.
routing algorithms
analogy:
routing: process of planning trip from source to dest
forwarding: process of getting through single interchange
1
23
0111
value in arrivingpacket’s header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Interplay between routing and forwarding
Network service model
Q: What service model for “channel” transporting datagrams from sender to receiver?
Example services for individual datagrams:
guaranteed delivery guaranteed delivery
with less than 40 msec delay
Example services for a flow of datagrams:
in-order datagram delivery
guaranteed minimum bandwidth to flow
restrictions on changes in inter-packet spacing (jitter)
Why jitter is important, E.g., VoIP
VoIP requires that voice samples be played at a constant rate
5
6
7
•Moderate delay is not a problem
4 3 2 1
5 4 3 2 1 To hand set
6 5 4 3 2 To hand set
7 6 5 4 3 To hand set
Why jitter is important, E.g., VoIP
VoIP requires that voice samples be played at a constant rate
5
6
4 3 2 1
5 4 3 2 1 To hand set
7
•This buffer size just barely worked.
•If the delay had been bigger, then the voice would have dropped out, unless a larger buffer was used.
•Note that the problem was not the delay was large, but the change in delay
6 5 4 3 2 To hand set
6 5 4 3 To hand set
6 5 4 To hand set
6 5 To hand set
6 To hand set
7 To hand set
Why jitter is important, E.g., VoIP
VoIP requires that voice samples be played at a constant rate
5
6
7
•Jitter can cause the buffer to fill or empty.•In general, the larger the jitter, the larger the required buffer.•A large buffer adds delay so that the buffer delay is the same as the worst-case delay
•If average delay is small, but jitter is large, then a large buffer is needed, resulting in long delay
8
9
4 3 2 1
5 4 3 2 1 To hand set
9 8 7 6 5 4 3 2 To hand set
Network layer service models:
NetworkArchitecture
Internet
ATM
ATM
ATM
ATM
ServiceModel
best effort
CBR
VBR
ABR
UBR
Bandwidth
none
constantrateguaranteedrateguaranteed minimumnone
Loss
no
yes
yes
no
no
Order
no
yes
yes
yes
yes
Timing
no
yes
yes
no
no
Congestionfeedback
no (inferredvia loss)nocongestionnocongestionyes
no
Guarantees ?
CBR = constant bit-rate (phone, not VoIP)VBR = variable bit-rate (e.g., variable bit-rate video, audio)ABR = available bit-rate. Like best effort but with guaranteed minimum bit-rate, but it gets feedback from the network to adjust the sending rateUBR = unspecified bit-rate. Like best effort
Why the different service models
Some application require bit-rate and delay guarantees. E.g., VoIP needs low delay (under 150 ms one-way is best,
over 400ms one-way is typically unacceptable) and 15kbps Thus, it would be nice if whenever the VoIP started, the
network would reserve enough bandwidth for the call otherwise, I will just use my landline i.e., I am willing to pay for this service (except that paying for
calls this against network neutrality) But this is wasteful
In VoIP, only one side talks at a time But the network can’t reserve half of the bit-rate.
The network can reserve the full bandwidth. And give the unused bandwidth as ABR (with the average bandwidth of ½ the VoIP bit-rate, since this is the average unused bit-rate)
However, if the VoIP traffic requires the bandwidth, the ABR must stop.
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
Network layer connection and connection-less service
datagram network provides network-layer connectionless service
VC network provides network-layer connection service
Virtual circuits
call setup, teardown for each call before data can flow each packet carries VC identifier (not destination host
address) every router on source-dest path maintains “state” for each
passing connection link, router resources (bandwidth, buffers) may be allocated
to VC (dedicated resources = predictable service)
“source-to-dest path behaves much like telephone circuit” performance-wise network actions along source-to-dest path
VC implementation
a VC consists of:1. path from source to destination2. VC numbers3. entries in forwarding tables in routers along path
A packet belonging to VC carries VC number (rather than dest address)
However, it is difficult to ensure that the VC number is unique across the network
Instead, the VC number is changed at each link
Packet Switching
Data is in packets, not streams. Must be digital Each packet has an address A switch/router reads the whole packet, then reads the address and
forwards the packet – store and forward
client
Server: address = 1
1dataA
B
C
D
FE
If destination is 1, then next
hop is B
If destination is 1, then
next hop is C
If destination is 1, then
next hop is
1data
1data
1data
Forwarding table
12 22 32
1 23
VC number
interfacenumber
Incoming interface Incoming VC # Outgoing interface Outgoing VC #
1 12 3 222 63 1 18 3 7 2 171 97 3 87… … … …
Forwarding table innorthwest router:
Routers maintain connection state information!
It is much easier to perform table lookup (to get the next hop information) on a 20-bit VC number than a 32 bit IP address (but this is not that important with high-speed ASICs)
Virtual circuits: signaling protocols
used to setup, maintain teardown VC used in ATM, frame-relay, X.25 not used in today’s Internet
application
transportnetworkdata linkphysical
application
transportnetworkdata linkphysical
1. Initiate call 2. incoming call
3. Accept call4. Call connected5. Data flow begins 6. Receive data
Datagram networks no call setup at network layer routers: no state about end-to-end connections
no network-level concept of “connection”
packets forwarded using destination host address packets between same source-dest pair may take
different paths
application
transportnetworkdata linkphysical
application
transportnetworkdata linkphysical
1. Send data 2. Receive data
MPLS (Multiprotocol Label Switching)
MPLS is widely used in large ISPs (e.g., AT&T) MPLS is a compromise between IP and VC. MPLS can run over an IP network. Today, most routers support MPLS and IP at the
same time MPLS uses label switching, which the the same
idea as VC number Packets have a 20-bit label When a packet arrives on an interface, the a table lookup
is performed, the output interface is found, next label is found, and the current label is changed to the next label
Label lookup is faster than IP address lookup. But speed isn’t really a concern
MPLS Architecture
Conceptually, there are three types of routers Ingress routers – where packets enter the network (e.g.,
move from UD to Cogent ) Egress routers – where packets exit the network (e.g.,
move from Cogent to AT&T) Internal routers – where packets remain inside the
network When an IP packet arrives at an ingress routers, a
lookup is performed based on the IP address If a match is found, then an MPLS header is put on the
packet along with the next hop label. That is, the packet is placed into an MPLS tunnel
From this point, the IP header is never examined. The forwarding is based on the MPLS label
When the packet arrives at an internal router, the label is switched, just like in a VC
When the packet reaches the egress router, the MPLS header is removed and the IP address is examined to determine the next hop (just like a regular IP router)
MPLS and Traffic Engineering
MPLS allows packets to follow tunnels These tunnels can be designed to
reduce the offered load on a link
NY
Saint LouisSF
Chicago
Dallas
DC
This link is congested with NY-SF, DC-SF, and Chicago-SF traffic
NY
Saint LouisSF
Chicago
Dallas
DC
•Packets arrive at Saint Louis with SF as destination, but they take different paths. •MPLS can do this•But IP forwarding cannot do this
•IP forwarding only examines the destination IP•Examining the 64 bit source and destination could accomplish this, but that would take a large table
MPLS and Traffic Engineering
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
Router Architecture Overview
Two key router functions: run routing algorithms/protocol (RIP, OSPF, BGP) forwarding datagrams from incoming to outgoing link
Input Port Functions
Decentralized switching: given datagram dest., lookup output
port using forwarding table in input port memory
goal: complete input port processing at ‘line speed’
queuing: if datagrams arrive faster than forwarding rate into switch fabric
Physical layer:bit-level reception
Data link layer:e.g., Ethernetsee chapter 5
Three types of switching fabrics
Switching Via MemoryFirst generation routers: traditional computers with switching under direct control of CPUpacket copied to system’s memory speed limited by memory bandwidth (2 bus crossings per datagram)
InputPort
OutputPort
Memory
System Bus
Switching Via a Bus
datagram from input port memory
to output port memory via a shared bus
bus contention: switching speed limited by bus bandwidth
32 Gbps bus, Cisco 5600: sufficient speed for access and enterprise routers
Switching Via An Interconnection Network
overcome bus bandwidth limitations Banyan networks, other interconnection nets
initially developed to connect processors in multiprocessor
advanced design: fragmenting datagram into fixed length cells, switch cells through the fabric.
Cisco 12000: switches 60 Gbps through the interconnection network
Output Ports
Buffering required when datagrams arrive from fabric faster than the transmission rate
Scheduling discipline chooses among queued datagrams for transmission
Output port queueing
buffering when arrival rate via switch exceeds output line speed
queueing (delay) and loss due to output port buffer overflow!
How much buffering?
RFC 3439 rule of thumb: average buffering equal to “typical” RTT (say 250 msec) times link capacity C e.g., C = 10 Gps link: 2.5 Gbit buffer
Recent recommendation: with N flows, buffering equal to RTT C.
N
Input Port Queuing
Fabric slower than input ports combined -> queueing may occur at input queues
Head-of-the-Line (HOL) blocking: queued datagram at front of queue prevents others in queue from moving forward
queueing delay and loss due to input buffer overflow!
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
The Internet Network layer
forwardingtable
Host, router network layer functions:
Routing protocols•path selection•RIP, OSPF, BGP
IP protocol•addressing conventions•datagram format•packet handling conventions
ICMP protocol•error reporting•router “signaling”
Transport layer: TCP, UDP
Link layer
physical layer
Networklayer
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
IPv4 datagram format
ver length
32 bits
data (variable length,typically a TCP
or UDP segment)
16-bit identifier
header checksum
time tolive
32 bit source IP address
IP protocol versionnumber
header length (bytes)
total datagramlength (bytes)
upper layer protocolto deliver payload to
head.len
type ofservice
“type” of data flgsfragment
offset
forfragmentation/reassembly
upper layer
max numberremaining hops
(decremented at each router)
32 bit destination IP address
Options (if any) E.g. timestamp,record routetaken, specifylist of routers to visit. Typically, these are ignored
how much overhead with TCP?
20 bytes of TCP 20 bytes of IP = 40 bytes + app
layer overhead
IPv4 Fragmentation & Reassembly
network links have MTU (max.transfer size) - largest possible link-level frame.
different link types, different MTUs
E.g., ethernet allows 1500B frames
802.11 allows 2346B frames It would be very difficult for the end
host to know the correct packet size Note that larger packets are more
efficient (less bandwidth is consumed by the header)
Large IP datagram divided (“fragmented”) within the network
one datagram becomes several datagrams
“reassembled” only at final destination
IP header bits used to identify, order related fragments
fragmentation: in: one large datagramout: 3 smaller datagrams
reassembly
IPv4 Fragmentation and Reassembly
ID=x
offset=0
fragflag=0
length=4000
ID=x
offset=0
fragflag=1
length=1500
ID=x
offset=185
fragflag=1
length=1500
ID=x
offset=370
fragflag=0
length=1040
One large datagram becomesseveral smaller datagrams
Example 4000 byte
datagram MTU = 1500
bytes
1480 bytes in data field
offset =1480/8
Stealthy Scanning
Before attacking a network, one must learn which hosts are present.
That is, which IP addresses have host that are running various services (e.g., listening on various TCP ports)
This is done by scanning. For example, sending an ICMP ping message to random IP address or sending TCP-SYN messages
What happens if a host receives an TCP-SYN on a port that is not listening
It depends on the OS, but the typically, a TCP-RST packet is generated
ISPs (e.g., UD) will look for scanners and take action (e.g., disconnect them)
So what is an attacker to do?
Stealthy Scanning
SomeMachine
attacker
victim
ICMP echo-request (ping)
ICMP echo reply with IP-ID = X
TCP-SYN: Dest=Victim, Source=SomeMachine
If victim exists and port is open: TCP-SYN-ACK
Some machine is confused (it didn’t send a TCP-SYN)TCP-RST with IP-ID = X + 1
ICMP echo reply with IP-ID = X+2
Since the IP-ID incremented by 2, the victim must have sent a SYN-ACK.If the IP-ID only incremented by 1, then the victim is not listening on the port, or does not exist
Attacker records IP-ID=X
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
IP Addressing: introduction IP address: 32-bit identifier
for host, router interface interface: connection
between host/router and physical link
router’s typically have multiple interfaces
host typically has a small number (ethernet and wifi)
IP addresses associated with each interface
• It is possible to have more than one
• Virtual machines could each have an IP address
223.1.1.1
223.1.1.2
223.1.1.3
223.1.1.4 223.1.2.9
223.1.2.2
223.1.2.1
223.1.3.2223.1.3.1
223.1.3.27
223.1.1.1 = 11011111 00000001 00000001 00000001
223 1 11
Ipv4 special addresses: http://tools.ietf.org/html/rfc5735
Subnets IP address:
subnet part (high order bits)
host part (low order bits)
What’s a subnet ? device interfaces with
same subnet part of IP address
can physically reach each other without intervening router (but perhaps a layer 2 switch)
223.1.1.1
223.1.1.2
223.1.1.3
223.1.1.4 223.1.2.9
223.1.2.2
223.1.2.1
223.1.3.2223.1.3.1
223.1.3.27
network consisting of 3 subnets
subnet
Subnets 223.1.1.0/24223.1.2.0/24
223.1.3.0/24
Recipe To determine the
subnets, detach each interface from its host or router, creating islands of isolated networks. Each isolated network is called a subnet.
Subnet mask: /24
SubnetsHow many? 223.1.1.1
223.1.1.3
223.1.1.4
223.1.2.2223.1.2.1
223.1.2.6
223.1.3.2223.1.3.1
223.1.3.27
223.1.1.2
223.1.7.0
223.1.7.1223.1.8.0223.1.8.1
223.1.9.1
223.1.9.2
IP addressing: CIDR
CIDR: Classless InterDomain Routing subnet portion of address of arbitrary length address format: a.b.c.d/x, where x is # bits in
subnet portion of address
11001000 00010111 00010000 00000000
Subnet part or CIDR-block
hostpart
200.23.16.0/23
IP addresses: how to get one?
Q: How does network get subnet part of IP addr?
A: gets allocated portion of its provider ISP’s address space
ISP's block 11001000 00010111 00010000 00000000 200.23.16.0/20
Organization 0 11001000 00010111 00010000 00000000 200.23.16.0/23 Organization 1 11001000 00010111 00010010 00000000 200.23.18.0/23 Organization 2 11001000 00010111 00010100 00000000 200.23.20.0/23 ... ….. …. ….
Organization 7 11001000 00010111 00011110 00000000 200.23.30.0/23
Hierarchical addressing: route aggregation
“Send me anythingwith addresses beginning 200.23.16.0/20”
200.23.16.0/23
200.23.18.0/23
200.23.30.0/23
ISP1
Organization 0
Organization 7 Internet
Organization 1
ISP2“Send me anythingwith addresses beginning 199.31.0.0/16”
200.23.20.0/23Organization 2
...
...
Hierarchical addressing allows efficient advertisement of routing information:
This way, the whole 32 bit address does not need to be examined
Border Router
Hierarchical addressing: more specific routes
ISP2 has a more specific route to Organization 1
“Send me anythingwith addresses Beginning with 200.23.16.0/20”
200.23.16.0/23
200.23.18.0/23
200.23.30.0/23
ISP1
Organization 0
Organization 7
Organization 1
ISP2“Send me anythingwith addresses beginning 199.31.0.0/16or 200.23.18.0/23”
200.23.20.0/23Organization 2
...
...InternetBorder Router
Longest prefix matching
Prefix Match Link Interface200.23.16.0/20 0 200.23.18.0/23 1199.31.0.0/16 1 otherwise 2
Border Router Forwarding Table
If a packet with destination address 200.23.18.12 arrives at the boarder router, then is it forwarding to interface 0 or 1?Since interface 1 has a longer match, it goes to interface 1
Hierarchical addressing: more specific routes
ISP2 has a more specific route to Organization 1
“Send me anythingwith addresses Beginning with 200.23.16.0/20”
200.23.16.0/23
200.23.18.0/23
200.23.30.0/23
ISP1
Organization 0
Organization 7
Organization 1
ISP2“Send me anythingwith addresses beginning 199.31.0.0/16or 200.23.18.0/23”
200.23.20.0/23Organization 2
...
...InternetBorder Router
Hierarchical addressing: more specific routes
ISP2 has a more specific route to Organization 1
“Send me anythingwith addresses Beginning with 200.23.16.0/20200.23.18.0/24200.23.19.0/24”
200.23.16.0/23
200.23.18.0/23
200.23.30.0/23
ISP1
Organization 0
Organization 7
Organization 1
ISP2“Send me anythingwith addresses beginning 199.31.0.0/16or 200.23.18.0/23”
200.23.20.0/23Organization 2
...
...InternetBorder Router
IP addressing: the last word...
Q: How does an ISP get block of addresses?
A: ICANN: Internet Corporation for Assigned
Names and Numbers allocates addresses manages DNS assigns domain names, resolves disputes ICANN allocates chunks of addresses to Regional
Internet Registry (RIR), which allocate them to organizations in their region
NAT: Network Address Translation
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
138.76.29.7
local network(e.g., home network)
10.0.0/24
rest ofInternet
Datagrams with source or destination in this networkhave 10.0.0/24 address for
source, destination (as usual)
All datagrams leaving localnetwork have same single source
NAT IP address: 138.76.29.7,different source port numbers
NAT: Network Address Translation
Motivation: local network uses just one IP address as far as outside world is concerned: range of addresses not needed from ISP: just
one IP address for all devices can change addresses of devices in local network
without notifying outside world can change ISP without changing addresses of
devices in local network devices inside local net not explicitly
addressable, visible by outside world (a security plus).
NAT: Network Address Translation
Implementation: NAT router must:
outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #). . . remote clients/servers will respond using (NAT IP
address, new port #) as destination addr.
remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table
NAT: Network Address Translation
10.0.0.1
10.0.0.2
10.0.0.3
S: 10.0.0.1, 3345D: 128.119.40.186, 80
1
10.0.0.4
138.76.29.7
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
NAT translation tableWAN side addr LAN side addr
128.119.40.186, 80, 5001 10.0.0.1, 3345…… ……
S: 128.119.40.186, 80 D: 10.0.0.1, 3345
4
S: 138.76.29.7, 5001D: 128.119.40.186, 80
2
2: NAT routerchanges datagramsource addr from10.0.0.1, 3345 to138.76.29.7, 5001,updates table
S: 128.119.40.186, 80 D: 138.76.29.7, 5001
3
3: Reply arrives dest. address: 138.76.29.7, 5001
4: NAT routerchanges datagramdest addr from138.76.29.7, 5001 to 10.0.0.1, 3345
NAT: Network Address Translation(without port translation)
10.0.0.1
10.0.0.2
10.0.0.3
S: 10.0.0.1, 3345D: 128.119.40.186, 80
1
10.0.0.4
138.76.29.7
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
NAT translation tableWAN side addr LAN side addr
128.119.40.186, 80, 3345 10.0.0.1, 3345…… ……
S: 128.119.40.186, 80 D: 10.0.0.1, 3345
4
S: 138.76.29.7, 3345D: 128.119.40.186, 80
2
2: NAT routerchanges datagramsource addr from10.0.0.1, 3345 to138.76.29.7, 3345,updates table
S: 128.119.40.186, 80 D: 138.76.29.7, 3345
3
3: Reply arrives dest. address: 138.76.29.7, 3345
4: NAT routerchanges datagramdest addr from138.76.29.7, 3345 to 10.0.0.1, 3345
NAT: Network Address Translation(without port translation)
10.0.0.1
10.0.0.2
10.0.0.3
S: 10.0.0.2, 3345D: 128.119.40.186, 8010.0.0.4
138.76.29.7
1: host 10.0.0.2 sends datagram to 128.119.40.186, 80
NAT translation tableWAN side addr LAN side addr
128.119.40.186, 80, 3345 10.0.0.1, 3345128.119.40.186, 80, 3345 10.0.0.2, 3345
S: 128.119.40.186, 80 D: 10.0.0.1, 3345
4
S: 138.76.29.7, 3345D: 128.119.40.186, 80
2
S: 128.119.40.186, 80 D: 138.76.29.7, 3345
3
3: Reply arrives dest. address: 138.76.29.7, 3345????
4: NAT routerchanges datagramdest addr from138.76.29.7, 5001 to 10.0.0.1, 3345
Source port conflict!
NAT: Network Address Translation
10.0.0.1
10.0.0.2
10.0.0.3
S: 10.0.0.1, 3345D: 128.119.40.186, 80
1
10.0.0.4
138.76.29.7
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
NAT translation tableWAN side addr LAN side addr
128.119.40.186, 80, 5001 10.0.0.1, 3345…… ……
S: 128.119.40.186, 80 D: 10.0.0.1, 3345
4
S: 138.76.29.7, 5001D: 128.119.40.186, 80
2
2: NAT routerchanges datagramsource addr from10.0.0.1, 3345 to138.76.29.7, 5001,updates table
S: 128.119.40.186, 80 D: 138.76.29.7, 5002
3
3: Reply arrives dest. address: 138.76.29.7, 5001
4: NAT routerchanges datagramdest addr from138.76.29.7, 5001 to 10.0.0.1, 3345
NAT: Network Address Translation
10.0.0.1
10.0.0.2
10.0.0.3
S: 10.0.0.2, 3345D: 128.119.40.186, 8010.0.0.4
138.76.29.7
1: host 10.0.0.2 sends datagram to 128.119.40.186, 80
NAT translation tableWAN side addr LAN side addr
128.119.40.186, 80, 5001 10.0.0.1, 3345128.119.40.186, 80, 5002 10.0.0.2, 3345
S: 128.119.40.186, 80 D: 10.0.0.1, 3345
4
S: 138.76.29.7, 5002D: 128.119.40.186, 80
2
S: 128.119.40.186, 80 D: 138.76.29.7, 5002
3
3: Reply arrives dest. address: 138.76.29.7:5002
4: NAT routerchanges datagramdest addr from138.76.29.7, 5002 to 10.0.0.2, 3345
NAT: Network Address Translation
16-bit port-number field: 65,000 simultaneous connections with a
single LAN-side address! NAT is controversial:
routers should only process up to layer 3 violates end-to-end argument
• NAT possibility must be taken into account by app designers, eg, P2P applications
• The NAT must know about TCP and UDP. What about other transport protocols?
address shortage should instead be solved by IPv6
NAT traversal problem How can skype connect one client to another
when NATs are present?
138.76.29.7
Client
10.0.0.1
NAT router
NAT router
NAT translation tableWAN side addr LAN side addr
167.6.2.5
NAT translation tableWAN side addr LAN side addr
138.76.29.7, 2124 192.168.1.23, 3345…… ……
NAT traversal problem How can skype connect one client to another
when NATs are present?
138.76.29.7
Client
10.0.0.1
NAT router
NAT router
NAT translation tableWAN side addr LAN side addr
167.6.2.5
NAT translation tableWAN side addr LAN side addr
138.76.29.7, 2124 192.168.1.23, 3345…… ……
*: 80*:? (DMZ)
10.0.0.1: 8010.0.0.2:?
NAT traversal problem
138.76.29.7
Client in the lab
10.0.0.1
NAT Router
192.168.1.1
NAT translation tableWAN side addr LAN side addr
138.76.29.7
NAT translation tableWAN side addr LAN side addr
138.76.29.7, 2124 192.168.1.23, 3345…… ……
*: 80*:? (DMZ)
10.0.0.1: 8010.0.0.1:?
VNC server at home
NAT traversal problem How can skype connect one client to another
when NATs are present?
138.76.29.7
Client
10.0.0.1
NAT router
NAT router
NAT translation tableWAN side addr LAN side addr
167.6.2.5
NAT translation tableWAN side addr LAN side addr
138.76.29.7, 2124 192.168.1.23, 3345…… ……
voip
NAT traversal problem client wants to connect to
server with address 10.0.0.1 server address 10.0.0.1 local
to LAN (client can’t use it as destination addr)
only one externally visible NATted address: 138.76.29.7
solution 1: statically configure NAT to forward incoming connection requests at given port to server e.g., (123.76.29.7, port
2500) always forwarded to 10.0.0.1 port 25000
10.0.0.1
10.0.0.4
NAT router
138.76.29.7
Client?
NAT traversal problem solution 2: Universal Plug
and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATted host to: learn public IP address
(138.76.29.7) add/remove port
mappings (with lease times)
i.e., automate static NAT port map configuration
10.0.0.1
10.0.0.4
NAT router
138.76.29.7
IGD
NAT traversal problem solution 3: relaying (used in Skype)
NATed client establishes connection to relay
External client connects to relay relay bridges packets between to
connections
138.76.29.7
Client
10.0.0.1
NAT router
1. connection torelay initiatedby NATted host
2. connection torelay initiatedby client
3. relaying established
IP addresses: how to get one?
Q: How does a host get IP address?
hard-coded by system admin in a file Windows: control-panel->network->configuration-
>tcp/ip->properties UNIX: /etc/rc.config
DHCP: Dynamic Host Configuration Protocol: dynamically get address from as server “plug-and-play”
DHCP: Dynamic Host Configuration Protocol
Goal: allow host to dynamically obtain its IP address from network server when it joins networkCan renew its lease on address in useAllows reuse of addresses (only hold address while connected an “on”)Support for mobile users who want to join network (more shortly)
DHCP overview: host broadcasts “DHCP discover” msg DHCP server responds with “DHCP offer” msg host requests IP address: “DHCP request” msg DHCP server sends address: “DHCP ack” msg
DHCP client-server scenario
223.1.1.1
223.1.1.2
223.1.1.3
223.1.1.4 223.1.2.9
223.1.2.2
223.1.2.1
223.1.3.2223.1.3.1
223.1.3.27
A
BE
DHCP server
arriving DHCP client needsaddress in thisnetwork
DHCP client-server scenarioDHCP server: 223.1.2.5 arriving
client
time
DHCP discover
src : 0.0.0.0, port: 68 dest.: 255.255.255.255, port: 67yiaddr: 0.0.0.0transaction ID: 654
DHCP offer
src: 223.1.2.5, port: 67 dest: 255.255.255.255, port: 68yiaddrr: 223.1.2.4transaction ID: 654Lifetime: 3600 secs
DHCP request
src: 0.0.0.0, port: 68 dest:: 255.255.255.255, port: 67yiaddrr: 223.1.2.4transaction ID: 655Lifetime: 3600 secs
DHCP ACK
src: 223.1.2.5, port: 67 dest: 255.255.255.255, port: 68yiaddrr: 223.1.2.4transaction ID: 655Lifetime: 3600 secs
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
ICMP: Internet Control Message Protocol
used by hosts & routers to communicate network-level information error reporting:
unreachable host, network, port, protocol
echo request/reply (used by ping)
network-layer “above” IP: ICMP msgs carried in IP
datagrams ICMP message: type, code
plus first 8 bytes of IP datagram causing error
Type Code description0 0 echo reply (ping)3 0 dest. network unreachable3 1 dest host unreachable3 2 dest protocol unreachable3 3 dest port unreachable3 6 dest network unknown3 7 dest host unknown4 0 source quench (congestion control - not used)8 0 echo request (ping)9 0 route advertisement10 0 router discovery11 0 TTL expired12 0 bad IP header
Traceroute and ICMP
Source sends series of UDP or ICMP segments to dest First has TTL =1 Second has TTL=2, etc. Unlikely port number
When nth datagram arrives to nth router: Router discards
datagram And (might) send to
source an ICMP message (type 11, code 0)
Message includes name of router& IP address
When ICMP message arrives, source calculates RTT
Traceroute does this 3 times
Stopping criterion UDP or ICMP segment
eventually arrives at destination host
Destination (might) return ICMP “host unreachable” packet (type 3, code 3)
When source gets this ICMP, stops.
ICMP ping flood
Send many ICMP ping messages to a web server
The server will not be able to respond fast enough, and hence not be able to provide is primary service
Denial of service attack (DoS)
DDoS (distributed DoS). Many hosts send ICMP ping messages to a web server
One defense is to filter out messages from hosts that send too many ICMP messages
So, attackers send ICMP messages, but with a random source address.
Or attackers can send ICMP messages to random hosts but with the source address of the victim
One defense is to filter all ICMP messages
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
IPv6 Initial motivation: 32-bit address space soon to be
completely allocated.
Additional motivation: header format helps speed processing/forwarding “header changes to facilitate QoS and built-in security”IPv6 datagram format: fixed-length 40 byte header no fragmentation allowed
IPv6 Header (Cont)Priority: identify priority among datagrams in flow, like TOS in IPv4Flow Label: identify datagrams in same “flow.” (concept of“flow” not well defined).
•e.g., all pkts in a VoIP call would have the same flow. Allowing these pkts to be treated the same (e.g., flow the same path to avoid pkt reordering)
Next header: identify upper layer protocol for data (like protocol number in IPv4) Payload length is the length of the payload only (slightly different form IPv4 pkt length)
128 bit address permits 5×10^28 addressed for each person on the planet
Other Changes from IPv4 Checksum: removed entirely to reduce processing time at
each hop
Fragmentation: removed, but new ICMP messages to inform the source of the MTU. Also, the source network layer can fragment messages which are reassembled at the destination
Options: allowed, but outside of header, indicated by “Next Header” field Fragmentation is supported by a next header
ICMPv6: new version of ICMP additional message types, e.g. “Packet Too Big” multicast group management functions
Transition From IPv4 To IPv6
Not all routers can be upgraded simultaneous no “flag days” How will the network operate with mixed IPv4
and IPv6 routers? Tunneling: IPv6 carried as payload in IPv4
datagram among IPv4 routers
TunnelingA B E F
IPv6 IPv6 IPv6 IPv6
tunnelLogical view:
Physical view:A B E F
IPv6 IPv6 IPv6 IPv6IPv4 IPv4
TunnelingA B E F
IPv6 IPv6 IPv6 IPv6
tunnelLogical view:
Physical view:A B E F
IPv6 IPv6 IPv6 IPv6
C D
IPv4 IPv4
Flow: XSrc: ADest: F
data
Flow: XSrc: ADest: F
data
Flow: XSrc: ADest: F
data
Src:BDest: E
Flow: XSrc: ADest: F
data
Src:BDest: E
A-to-B:IPv6
E-to-F:IPv6
B-to-C:IPv6 inside
IPv4
B-to-C:IPv6 inside
IPv4
IPv6 Addresses 128 bit addresses
The address space is broken into chunks (as will be explained) So each address is not really assignable
Sample address 2001:0410:0004:0000:0000:09C0:7341:A2DF
Often the address has a long string of zeros. These can be replaced with :: 2001:0410:0004::09C0:7341:A2DF But only one :: can be used in each address
If a field has leading zeros, it can be replaced with the non zero part 2001:0410:4::09C0:7341:A2DF
Loop back address ::1 or 0000:0000:0000:0000:0000:0000:0000:0001
http://[2001:0410:4::09C0:7341:A2DF]/index.html ugly! I guess we need DNS
::FFFF:128.4.2.10 can allow the IPv4 address to be embedded in a IPv6 address.
However, because of implementation and security issues, not all system support this
IPv6 broadcast
IPv4 allows broadcast – where all hosts on the subnet receive the message 255.255.255.255 is the broadcast address On the subnet 128.4.2/24, the broadcast address is
128.4.2.255 IPv6 does not really have broadcast. Instead, it has local multicast, where every host in a
subnet gets the message (well, this seems to be the same thing that IPv4 did. IPv4
does really let you broadcast over the entire internet) FF02::1 is the local broadcast address
IPv6 Address Scope
In IPv6, the address has scope, i.e., the address is valid in some region
FE80::/10 is a link local addresses. These addresses are only used inside a subnet
(customer network) Routers do not forward these
FF00::/8 are multicast address (global scope) Everything else are global unicast addresses
(global scope)
IPv6 Unicast Addressing
2001
112 bits16 bits
2001::/16 is initially assigned for unicast addresses
20017 bits
Each Regional Internet Registry (RIR) get 7 bit IDs from IANAThus, the RIR has a /23 and allocates address from this spaceThe RIR is responsible for allocating addressesRIRs: APNIC (asia/pac), ARIN (n. america), LACNIC (S. America), RIPE NCC (europe, middle east, central asia), AfriNIC (africa)
20017 bits
RIRs give /32 to ISPs (a /32 has 96 bits available to give to customers… sort of)With only 9 bits, the RIR will quickly run out of addresses and will ask IANA for another chunk. In total, 2^(7+9) = 65536 ISP chunks can be allocated(65536 does not seem like a huge number of ISPs
9 bits
2000::/3 are unicast addresses
IPv6 Unicast addresses continued
20017 bits 9 bits
96 bits of space available to ISP
ISP allocates chunks of this space to customers. The size of the space varies.Often a customers can get a /64 (giving the customers 64 bits of addresses) and allow an ISP to have 2^32 customers!Instead of a /64, a customers might get a /48 or /56 (at one time, ISPs were supposed to give /48, but this is not happening)
RIR ISP
20017 bits 9 bits
RIR ISP
This part of the address identifies the
customer
32 bits
This part of the address identifies the
ISP
The ISP address is embedded in the customer address.•What if the customer has two ISPs (multihomed)?!•What if the customer moves to another ISP?•E.g., Udel EECIS has a /16 IPv4 address block. We have had it for a long time even though we have changed ISP
IPv6 Unicast addresses continued
Three ways to assign 64 bit interface ID DHCP Manual Auto config
• Expand the 48 MAC address to 64 bit• Eg MAC = 00:90:27:17:FC:0F• 64 bit MAC = 00:90:27:FF:FE:17:FC:0F• MAC: organizational ID (3 bytes) : interface ID (3 bytes)• ~Future MAC: organizational ID (4 bytes) : interface ID (4 bytes), so 00:90:27:FF is like a organizational part and
FE:17:FC:0F is the interface part• Also, of the most significant 8 bits,
– the first bit = 0 => unicast and 1 => multicast
– The second bit = 0 => globally unique MAC address, 1 => locally administered MAC address
• Interface ID (aka EUI-64): 02:90:27:FF:FE:17:FC:0F– The locally administered MAC address bit is set
• Once the interface ID is determined, the router can be queried for the upper 64 bits of the address
Supposedly auto config is good enough. But what about when a host has many virtual machines (VMs) and each needs an address?
20017 bits 9 bits
RIR ISP
Interface ID
32 bits
customer
This part of the address identifies the
customer
IPv6 Interface ID
The interface ID is the same as the MAC Thus, a web site can examine the IPv6 address to
determine your MAC and hence identify the end-host This is a significant privacy problem Also, MAC addresses can be guessed (e.g., I know
Apple’s organizational part and can guess the lower 3 bytes. In this way I can find MACs)
Using random interface IDs solves these problems, but might also result in address collision
DHCP is another solution DHCP is needed anyway to set the DNS server
Chapter 4: Network Layer
4. 1 Introduction 4.2 Virtual circuit
and datagram networks
4.3 What’s inside a router
4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6
4.5 Routing algorithms Link state Distance Vector Hierarchical routing
4.6 Routing in the Internet RIP OSPF BGP
4.7 Broadcast and multicast routing