Lecture 2: Communication stack review (from the ...subjects.ee.unsw.edu.au/tele9752/2.pdf)
Copyright © Tim Moors 2017 1
TELE9752 Network Operations and Control
Lecture 2: Communication stack review
(from the perspective of NOC)
tele9752V2
Outline
• Layer-independent issues
• Physical Layer
• Link layer
• Network layer
• Transport layer (briefly)
• Application layer (briefly)
tele9752EZ
[Figure annotation: the outline diagram marks layers as "Very important" or "Moderately important"; the marking is "Very very very VERY approximate!"]
Outline
• Layer-independent issues
– Standard options
– Application layer management
– Accessing layers
– Generic protocol functions
– Internet design goals
• Physical layer
• Link layer
• Network layer
• Transport layer (briefly)
• Application layer (briefly)
tele9752NP
Standard options
• Standards are critical for enabling interoperability
• But are developed through multi-vendor negotiations => often include options that some don't want to use/implement
• What variant of a standard does an implementation provide? =>
– IEEE Protocol Implementation Conformance Statements (PICS)
– RFCs define necessity to implement a feature with “MUST” “SHOULD” “MAY” clauses [RFC2119]
– Management Information Base (MIB): MODULE-COMPLIANCE statements [S5 of RFC1904]
tele975201
Extract of 802.1q† PICS
tele9752A5
† This lecture emphasises 802.1q only to minimise the number of protocols used for
examples, e.g. of PICS, priorities, VLANs
Extract of RFC4293 IP MIB
ipMIBCompliance2 MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for systems that implement IP -
either IPv4 or IPv6....
MANDATORY-GROUPS { ipSystemStatsGroup, ipAddressGroup,
ipNetToPhysicalGroup, ipDefaultRouterGroup,
icmpStatsGroup }
GROUP ipSystemStatsHCOctetGroup
DESCRIPTION
"This group is mandatory for systems that have an aggregate
bandwidth of greater than 20MB.
...
OBJECT ipv6IpForwarding
MIN-ACCESS read-only
DESCRIPTION
"An agent is not required to provide write access to this
object."
tele9752D7
Application layer management
• NM functions can use lower (Link to Transport) layers to deliver info between NMS and devices => NM often implemented using application layer protocols, e.g.
– Simple Network Management Protocol (SNMP)
– Command-line interface through telnet
– GUI interface through http
• An alternative to using lower layers is to use a separate communication system – see slide [4U>
tele9752ZA
Accessing layers
How can NMS access all layers?
A1: Implementation-dependent “hooks” into layers
A2: Management planes
tele9752E3
IEEE 802.1 management
Figure from IEEE 802.1q-2003
tele9752DW
Generic protocol functions
• Loopback [P3>
• Priorities [QM>
• TLV formatting of options [RR>
tele9752PT
Loopback
• Loopback services return what is received back to
the originator.
• Used to test path to/from service -> Fault Mgt [C8>
• e.g.:
– Interfaces, e.g. “lo” (rather than eth0)
– Create VLAN loopback to test – see slide [WJ>
– ICMP echo (ping)
– UDP echo port (#7)
– HTTP TRACE method
tele9752P3
Priorities
• Most layers can multiplex multiple types of traffic
• NM traffic should receive priority (lower delay / loss) over other traffic so that NOC can fix overloaded network
IPv4 (3b of Type of Service field):
111 - Network Control
110 - Internetwork Control
101 - CRITIC/ECP
100 - Flash Override
011 - Flash
010 - Immediate
001 - Priority
000 - Routine
IEEE 802.1p (used in 802.1q):
Priority - Traffic type
7 (highest) - Network management
6 - Voice
5 - Video
4 - Controlled load
3 - Excellent effort
0 (default) - Best effort
2 - Spare (undefined)
1 (lowest) - Background
tele9752QM
Type-Length-Value formatting
• Receiver needs to determine which fields exist in a packet, and may
not recognise all (e.g. newer) fields
– Particularly important for optional fields; format of fixed fields
usually‡ implied by protocol.
TLV formatting: Fields formatted as a 3-tuple, indicating:
• Type: Which type of field is being presented?†
• Length: How long (bytes) the field is
– Particularly for variable-length content, e.g. domain names
• Value: The content of the field
Type & Length aid receivers that don't recognise field:
• Type (e.g. IPv6 extension option types) => Can I ignore this field?
Should I return an error?
• Length: How can I locate the next field?
† The type is that of the next field for several protocols, e.g. IPv6 options and ISAKMP. That is because of layering: such protocols need to indicate which higher-layer protocol is being carried, and treat optional fields like higher-layer protocols for consistency.
‡ SNMP is an exception
tele9752RR
TLV examples
• IPv4 options, e.g. Source Routing
• TCP options
• And many more, e.g. ICMP and DHCP options
• SNMP uses TLV to encode:
– list of objects being acted on
– the fixed part of its header (Version, Community & Type
fields)!
IPv4 Loose Source Route option (Type=131):
+--------+--------+--------+---------//--------+
|10000011| length | pointer|     route data    |
+--------+--------+--------+---------//--------+
TCP Timestamps Option:
+-------+-------+---------------------+---------------------+
|Kind=8 |  10   |   TS Value (TSval)  |TS Echo Reply (TSecr)|
+-------+-------+---------------------+---------------------+
   1B      1B            4B                    4B
tele975245
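An added example (not from the lecture) of walking TLV option lists in Python: it handles IPv4 and TCP options, treats EOL and NOP as the one-byte options that carry no length, decodes the Loose Source Route layout shown above, rejects lengths that cannot be right, and includes the source-route presence check a filtering router would make (see the Source routing slide). All option bytes are constructed samples.

```python
"""Type-Length-Value option walkers for IPv4 and TCP headers.

Added example, not from the lecture. Operates on the raw options bytes
that follow the fixed header, treats EOL/NOP as the one-byte options that
carry no length, and refuses any length that could not be right, which is
the check a receiver must make before using a value.
"""

IPV4_OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "Record Route", 68: "Timestamp",
                     131: "Loose Source Route", 137: "Strict Source Route",
                     148: "Router Alert"}
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "Window Scale",
                    4: "SACK Permitted", 5: "SACK", 8: "Timestamps"}
SOURCE_ROUTE_TYPES = (131, 137)


def parse_tlv(options, one_byte_types=(0, 1)):
    """Return [(type, value bytes)]; an EOL (type 0) ends the walk early."""
    out, pos = [], 0
    while pos < len(options):
        t = options[pos]
        if t in one_byte_types:
            out.append((t, b""))
            pos += 1
            if t == 0:
                break
            continue
        if pos + 1 >= len(options):
            raise ValueError("type %d has no length byte" % t)
        length = options[pos + 1]          # counts the type and length bytes too
        if length < 2 or pos + length > len(options):
            raise ValueError("type %d has bad length %d" % (t, length))
        out.append((t, bytes(options[pos + 2:pos + length])))
        pos += length
    return out


def is_malformed(options):
    """True if the option list cannot be walked to its end."""
    try:
        parse_tlv(options)
        return False
    except ValueError:
        return True


def describe_ipv4_options(options):
    """Decode IPv4 options; source routes follow RFC 791's layout of a
    pointer byte followed by 4-byte route entries."""
    result = []
    for t, value in parse_tlv(options):
        entry = {"type": t, "name": IPV4_OPTION_NAMES.get(t, "type %d" % t),
                 "copied": bool(t >> 7)}   # copy-on-fragment flag is bit 7
        if t in SOURCE_ROUTE_TYPES and value:
            entry["pointer"] = value[0]
            entry["route"] = [".".join(str(b) for b in value[i:i + 4])
                              for i in range(1, len(value) - 3, 4)]
        result.append(entry)
    return result


def describe_tcp_options(options):
    """Decode the common TCP options seen in a SYN."""
    result = []
    for t, value in parse_tlv(options):
        entry = {"kind": t, "name": TCP_OPTION_NAMES.get(t, "kind %d" % t)}
        if t == 2 and len(value) == 2:
            entry["mss"] = int.from_bytes(value, "big")
        elif t == 3 and len(value) == 1:
            entry["shift"] = value[0]
        elif t == 8 and len(value) == 8:
            entry["tsval"] = int.from_bytes(value[:4], "big")
            entry["tsecr"] = int.from_bytes(value[4:], "big")
        result.append(entry)
    return result


def has_source_route(options):
    """Filtering check: does the list carry an LSRR (131) or SSRR (137) option?"""
    return any(t in SOURCE_ROUTE_TYPES for t, _ in parse_tlv(options))


# Constructed sample: LSRR via 10.0.0.1 then 192.0.2.7 (pointer 4 = first
# address not yet used), followed by a NOP and an EOL.
SAMPLE_IPV4_OPTIONS = bytes([131, 11, 4, 10, 0, 0, 1, 192, 0, 2, 7, 1, 0])
# Constructed sample: MSS 1460, NOP, Window Scale 7, SACK Permitted,
# Timestamps TSval=100 TSecr=0 (20 bytes, as a SYN might carry).
SAMPLE_TCP_OPTIONS = (bytes([2, 4, 5, 180, 1, 3, 3, 7, 4, 2, 8, 10])
                      + (100).to_bytes(4, "big") + (0).to_bytes(4, "big"))
```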
Internet design goals
• “The top level goal ... was to develop an effective technique for multiplexed utilization of existing interconnected networks.”
• Second level goals
– Internet communication must continue despite loss of networks or gateways.
– The Internet must support multiple types of communications service.
– The Internet architecture must accommodate a variety of networks.
– The Internet architecture must permit distributed management of its resources.
– The Internet architecture must be cost effective.
– The Internet architecture must permit host attachment with a low level of effort.
– The resources used in the internet architecture must be accountable.
• “these goals are in order of importance”
D. Clark: “The Design Philosophy of the DARPA Internet Protocols”, Proc. SIGCOMM, pp. 106-114
tele9752P2
Physical Layer
• Choice of medium
• Topology
• Geographical layout
• Separate Phy for NM?
• Time-domain reflectometry
• Vendors of testing equipment
tele9752PH
Choice of medium
• Cables, e.g. wire/fibre
– NM affected by accessibility:
• Cost to install
• Need access to service -> Topology slide... [6C>
– Wear and tear of connectors
• Wireless
– Often RF (e.g. 2.4 and 5GHz ISM bands) but may be free-space optics
– Often broadcast, but can be point-to-point
– NM affected by susceptibility to environmental influences:
• Obstructions
• Noise levels (particularly with omnidirectional antennas)
• Interference (particularly with omnidirectional antennas)
tele97522U
Topology
• Cables that snake past multiple users save on wire,
but hinder Mgr access => often prefer star topology
(e.g. meandering coax -> UTP to wiring closet)
[Figure: hosts A, B, C, D on a shared cable (1980s) vs. each host on its own cable to a wiring closet (late 1990s)]
tele97526C
Geographical layout
• Network protocols typically only care about link/node function,
and not about how that function is achieved
• NM needs to consider geographical locations of:
– Links for multiplexing: One physical medium may be
multiplexed (e.g. TDM, WDM or multiple cables in bundle) to
provide multiple logical links, but failures due to medium will be
correlated:
• Can't rely on link “separation” to provide fault tolerance
• Failure of some (not all) such links suggests medium may
not have failed.
– Nodes for power: Power outage might affect all
devices in an area
tele9752GC
e.g. “In the case of the Baltimore tunnel fire … the redundancy of having different service providers was useless since
different service providers lay their fibres through the same geographic location. Therefore, not only logical topology,
but also underlaying physical topologies should be considered carefully when designing networks.”
[http://www.ittc.ku.edu/resilinets/papers/Sterbenz-Hutchison-Cetinkaya-Jabbar-Rohrer-Scholler-Smith-2012.pdf]
Separate Phy for NM?
• NM traffic can pass over
– Same interfaces that carry payload: “in-band”
– Separate interfaces dedicated to NM: “out-of-band”
• e.g. router may connect to other routers through Ethernet
interfaces but also provide a serial “console” port for NM.
Figure 3-12 from Clemm
tele97524U
Typical console port settings:
9600 b/s
8 data bits
0 parity bits
1 stop bit
Xon/xoff flow control
(not hardware)
Computer port usually COM1
In- vs out-of-band issues 1
• Cost: in-band NM doesn't require extra interfaces, but does require devices to support all layers needed for NM (e.g. link layer WiFi Access Point needs TCP/IP† for SNMP)
• Reliability:
– + NM interface may continue working when data interface fails.
– - Separate NM interface increases # of failure points.
• Interference: NM & production traffic might interact, e.g.
– Software updates delay production traffic
– Transfer of NM measurements affects load, which affects NM measurements.
– Well designed network should be able to separate by traffic class (e.g. priorities <QM], VLANs [QR>, etc)
tele9752HH
† Strictly speaking, UDP/IP
In- vs out-of-band issues 2
Out-of-band benefits:
• Security: NM systems can be physically isolated from production interfaces, reducing exposure (e.g. attacker might need physical access to console port)
In-band benefits:
• Performance: NM interfaces probably not as fast as production interfaces, e.g. 19kb/s console vs GigE
• Recursion?: How do we manage the NM network?
– Not difficult, given NM << production, and tightly controlled
tele9752C4
Time-domain reflectometry (TDR)
• Discontinuities in channel properties can reflect signals
– Electrical: impedance mismatch
– Optical: change of refractive index
=> Troubleshooting: transmit a pulse and observe delay to reflection => location of break
• Determine if cable is terminated, and if not, how long cable is. If so, is other end powered?
Figures from LinkRunner Quick Reference Guide
Representative accuracy (Fluke Etherscope): "Length resolution ± [5% of reading + 1 m (3 ft)], with open, shorted, with wire map adapter, or terminated with reflection = 20%"
tele9752P5
Sample tool: Fluke LinkRunner
• Jacks @ top: 1 for end of cable; 2nd for determining wiring map.
• Lower icons are soft keys
• Determines such things as
– (2) cable type; what's on ends (LinkRunner @ left, ‘switch’ @ right)
– (3) advertised link speed/duplex
– (4) actual link speed/duplex
– Graph: link utilisation over time
• RRP: $500?
http://www.flukenetworks.com/fnet/en-us/products/LinkRunner/Overview.htm
tele9752F0
Cable testing
• From Fluke Linkrunner
tele9752DE
Linkrunner: higher layer features
• Identify machines
– Linkrunner on left
– DNS server (IDed from DHCP)
– Router
– Host
– (Switch via CDP [N8>; pic on <F0])
• Ping them
– Above: showing # transmitted/received
– Below: showing delays
tele9752TJ
Vendors of testing equipment
• Fluke Networks [flukenetworks.com], e.g.
– 620 LAN CableMeter
– Etherscope
• Agilent [agilent.com]
• Spirent [spirentcom.com]
• Ixia [ixiacom.com], e.g. Chariot load tester
• Network General [networkgeneral.com]
Images and more info from
http://www.flukenetworks.com/fnet/en-us/products/620+LAN+CableMeter/Overview.htm?categorycode=CPTT
http://www.flukenetworks.com/fnet/en-us/products/EtherScope+Series+II/Overview.htm?categorycode=LANT
tele9752WW
Link layer
• Error coding
• Addresses and filtering
• MAC configuration
• Switches
• Virtual LANs
• Config lecture: [N8> Link layer discovery (e.g. LLDP)
tele9752QZ
Error monitoring
• Fill link with test data if no more payload to send
– More accurate error rate measurement
– Faster fault detection (not just when service is needed) -> [VR>
– Inapplicable to wireless broadcast? (shared media)
tele9752PJ
For details, see http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=222905
Addresses and filtering
• Link layer addresses (e.g. 48b “Ethernet” address) tend to be static => use to identify equipment; inventory management
– Can also bootstrap management process: device (e.g. networked camera or disk) may be designed to obtain IP address through DHCP, but NM can identify it on network by link layer address
• Filtering by destination address:
– Nodes usually filter out info sent on shared medium that is not destined to them (of no interest)
– “promiscuous mode” - receive such info – useful for sniffing; e.g. Wireshark / Cloudshark
tele9752G6
Network analyzers
tele97523T
Cloudshark example
MAC configuration
• IEEE 802.3 (“Ethernet”): Little
– Auto negotiation of speed
– Full or half duplex <F0]?
• IEEE 802.11 (“WiFi”): Lots
– Channel
– Modulation (.11a/b/g)
– Data rate
– Preamble length
– RTS threshold
– SSID, password
– Security mode (e.g. WEP vs WPA)
tele975231
‘Switches’
• In TELE9752 “switch” refers to Ethernet switches, not
the more generic meaning used in TELE9751
• Switches aid NM by self-learning – Mgr needn’t configure.
• Mgr may specify whether to store-and-forward or cut-through, or error rate threshold for changing mode.
Issues
• Port mirroring [05>
• Spanning Tree Protocol [DM>
tele9752AU
Port mirroring
• Aka Switched Port Analyzer (SPAN) [Cisco] or
Monitor Port [HP]
• Copy all packets from one (VLAN) port to another.
• Useful when want to analyse traffic on a link that
doesn't allow insertion of an analyser (e.g. point-to-
point UTP between host and switch) and don't have
a hub.
tele975205
Spanning Tree Protocol
• Automatically breaks loops
• Can help NM:
– Physical topology can contain loops
• Poor documentation
• Deliberate redundancy for fault tolerance
– Automatically respond to link/node failures
• Introduces other NM issues: configurable parameters
– priority, en/disable, delays between state transitions
Fig 4-4 from Tanenbaum
tele9752DM
Virtual LANs (VLANs)
• VLANs allow NM to control membership of broadcast domains (LANs)
– Rather than all ports of a switch belonging to same LAN and routers separating LANs
Why?:
• Historically:
– Support mobility (prior to DHCP)
– Hosts use broadcast to discover services (e.g. ARP) (prior to IPv6)
• Now:
– Confine broadcast traffic, for secrecy and to avoid excess broadcast.
– STP <DM] converges faster for smaller networks
– Limit multicast propagation (e.g. load from video)
tele9752QR
VLAN scenario
tele97521W
Slide from Vijay Sivaraman
Assign each switch port to a VLAN.
Logically split switch into multiple switches
Assign port 10 to multiple VLANs – “trunk port”
Associating frames with VLANs
Frames on trunk ports must be associated with particular VLANs
Explicit tags: Ethertype of 0x8100 => 802.1q header follows
Implicit association: use existing protocol fields (e.g. IP address); sensitive to higher layers & absence of encryption
+--+--+------+---+---+----+------+---------+-----+---+
|DA|SA|0x8100|Pri|CFI|VLAN|Len/Ty| (Data) |(Pad)|CRC|
|6B|6B| | 3b|1b | 12b| 16b | 0-1500B |0-46B| 4B|
+--+--+------+---+---+----+------+---------+-----+---+
tele9752DU
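An added example (not from the lecture) that parses the tag layout above in Python: it extracts PCP, CFI and VID from the 802.1q header, maps the PCP to the 802.1p traffic types from the Priorities slide, and handles untagged and truncated frames. The MAC addresses and payload are constructed samples.

```python
"""802.1Q tagged-frame parser with 802.1p priority mapping.

Added example, not from the lecture. Parses the tag layout on the slide
(DA, SA, TPID 0x8100, PCP 3b, CFI 1b, VID 12b, Len/Type) and maps the PCP
value to the traffic-type table from the Priorities slide.
"""
import struct

TPID_8021Q = 0x8100
PCP_TRAFFIC_TYPE = {7: "Network management", 6: "Voice", 5: "Video",
                    4: "Controlled load", 3: "Excellent effort",
                    0: "Best effort (default)", 2: "Spare (undefined)",
                    1: "Background"}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Describe an Ethernet frame; untagged frames get vlan/pcp/cfi of None.

    Raises ValueError when the frame is too short for the headers it claims
    to carry (a tagged frame needs 18 bytes before the payload starts).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "vlan": None, "pcp": None, "cfi": None, "traffic_type": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13             # top 3 bits of the TCI
        info["cfi"] = (tci >> 12) & 1       # next bit
        info["vlan"] = tci & 0x0FFF         # low 12 bits: VID
        info["traffic_type"] = PCP_TRAFFIC_TYPE[info["pcp"]]
        offset = 18
    info["ethertype"] = ethertype           # the real Len/Type after the tag
    info["payload_len"] = len(frame) - offset
    return info


def build_tagged_frame(dst, src, vlan, pcp, ethertype, payload, cfi=0):
    """Inverse of parse_frame; used below to construct sample frames."""
    if not 0 <= vlan <= 0xFFF or not 0 <= pcp <= 7:
        raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
    tci = (pcp << 13) | (cfi << 12) | vlan
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def frame_error(frame):
    """Return the ValueError message for a malformed frame, else None."""
    try:
        parse_frame(frame)
        return None
    except ValueError as exc:
        return str(exc)


def is_management_priority(frame):
    """NOC policy check: is the frame marked with PCP 7 (network management)?"""
    return parse_frame(frame)["pcp"] == 7


# Constructed sample addresses and payload (not real equipment).
DST = bytes.fromhex("01005e000001")      # an IPv4 multicast MAC
SRC = bytes.fromhex("0200c0a80001")      # locally administered unicast MAC
PAYLOAD = b"\x45" + b"\x00" * 45         # 46 bytes: minimum Ethernet payload
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, vlan=2000, pcp=7,
                                   ethertype=0x0800, payload=PAYLOAD)
SAMPLE_UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
```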
VLAN configuration
Switches can be configured using:
• Protocols: GARP VLAN Registration Protocol
(GVRP, 802.1q S 11.2) or Cisco's VLAN Trunking
Protocol (VTP)
• Other management interfaces, e.g. SNMP/IOS
tele9752R5
VLANs for Ethernet loop-back <P3]?
[Figure: switch at site A with ports 1 and 2 and trunk port 25; switch at site B with ports 3 and 4 and trunk port 26]
Question: As network manager, you often install (VLAN-capable) Ethernet switches at remote sites. You want to be sure that you can, at any time, test from site A if the link to a remote site B is working or not. How to do this without having to leave a host at each site?
Slide based on one from Vijay Sivaraman
Answer:
At site A:
• config vlan 2000 add ports 1, 25: adds ports 1 and 25 to vlan 2000
• config vlan 2001 add ports 2, 25: note that port 25 is now a trunk port
At site B:
• config vlan 2000 add ports 3, 26
• config vlan 2001 add ports 4, 26
• Connect port 1 and port 2 using Ethernet cable
Now ping from PC1 to PC2:
• frame goes A1 -> A25 -> B26 -> B3 (on Vlan 2000)
• Out B3 over Ethernet cable, back to B4, then B4 -> B26 -> A25 -> A2 over Vlan 2001
tele9752WJ
Network layer
• Addressing
• Routing
– Metrics
– Source routing
• ICMP
– ping
– traceroute
– ICMP may be blocked
tele97529C
Addressing
• Each interface (on host or router) needs a unique address and a mask
– DHCP currently used to issue addresses to hosts
• IPv6 hosts can autoconfigure, including constructing a link-local address from their Link Layer address
– Addressing plan typically manually created by Mgr.
• Hosts may discover local router through DHCP or IPv6 Neighbor Discovery
For more on IPv6 autoconfiguration, see
F. Donzé: "IPv6 Autoconfiguration", Internet Protocol Journal, 7(2)
tele9752A0
Routing metrics
• Routing protocols automate determination of “shortest” path, but Mgr must specify link costs, accounting for
– link performance
– monetary cost
– policies
• Fault Management: may want routers to record multiple (not just the shortest) paths to destination s.t. ready when needed (after failure) without computation delay
– Link-state protocols are better suited to this
tele97522Z
Source routing
• Mgr may want to test path as seen by user
• Can achieve with loose source routing: route to user, and from there to destination.
• But source routing is often blocked since it can facilitate source address spoofing:
– With source routing (replies typically invert source route): reply to fake source address passes attacker, who can continue exchange (e.g. TCP 3-way handshake)
– Without source routing: reply goes to faked address (not attacker), so attacker can't continue exchange.
See pp. 383-4 of Stevens, TCP/IP Illustrated vol. 1, for an example of using source routing for troubleshooting
tele9752J4
Source routing scenario
tele975242
29/07/08
Performance measurement tools
Check for response, from one end:
• ping [3E>
Determine path:
• traceroute [HC>
• pathping under Windows: runs traceroute, then pings each node on path.
Measure throughput between two ends:
• netperf http://netperf.org/netperf/
• ttcp
Mean Opinion Scores of voice/video:
• Estimates mean opinion of human users, based on throughput, loss, delay, perception and more
And many many more tools!
tele97527T
ICMP
• The Internet Control Message Protocol (ICMP) augments IP by providing:
– Error reporting, e.g. unreachable errors
– Configuration info, e.g. router/neighbor discovery
– Testing facilities: echo request/reply
• Used in NM tools:
– Ping (slide coming [3E>)
– Traceroute (slides coming [HC>[VP>)
[RFC4560 defines a MIB that allows NM to execute ping/traceroute on remote devices [JD> ]
• May receive unusual treatment (slides [ZE> [LG>)
tele97525K
Ping
• Send ICMP echo request messages to destination;
expect echo reply; repeat periodically
• Measures response (loss) rate & delay (RTT)
• DIY: Windows/Linux “ping” (ping6 for IPv6)
• Principle can be applied to checking response time for other protocols, which may be necessary if ICMP is blocked...
– http://hping.org/ generalises ping to other protocols
– Monitoring services, e.g. pingdom.com
tele97523E
How traceroute works
• Repeatedly send probes with differing TTLs => expire different
distances into network
– Often repeat 3 times for each TTL – multiple measurements
of delay; in case firewall only reports error occasionally [ZE>
– Usually TTL increments from 1 until meet stopping criteria
• Stopping criteria: port unreachable or max probes (e.g. 30)
• Types of probes:
– ICMP: Could do (Windows “tracert” uses ICMP echo), but
many routers literally follow RFC792: “no ICMP messages
are sent about ICMP messages”; also different from normal
traffic – could follow different path
– Unix “traceroute”: UDP – send to unlikely port number; vary
port number with each probe s.t. unlikely @ receiver that
multiple probes all reach apps (no unreachable response)
tele9752HC
Path from UNSW to www.irtf.org
tele9752VP
$ traceroute www.irtf.org
traceroute to www.irtf.org (192.150.187.18), 30 hops max, 38 byte packets
1 eebu4s1.uwn.unsw.EDU.AU.92.171.149.in-addr.arpa (149.171.92.2) 14.624ms 0.775ms 1.040ms
2 129.94.255.181 (129.94.255.181) 0.436ms 0.409ms 0.384ms
3 gig2-2.nswrnosbb.nswrno.net.au (138.44.1.37) 0.582ms 0.563ms 0.527ms
4 vlan948.gbe3-0.sccn1.broadway.aarnet.net.au (192.231.212.49) 1.450ms 0.805ms 0.758ms
5 pos1-0.sccn1.seattle.aarnet.net.au (192.231.212.34) 157ms 156ms 157ms
6 Abilene-PWAVE-1.peer.pnw-gigapop.net (198.32.170.43) 166ms 165ms 166ms
7 snvang-sttlng.abilene.ucaid.edu (198.32.8.10) 174ms 173ms 173ms
8 losang-snvang.abilene.ucaid.edu (198.32.8.94) 180ms 180ms 180ms
9 hpr-lax-gsr1--abilene-LA-10ge.cenic.net (137.164.25.2) 190ms 190ms 190ms
10 dc-lax-dc1--lax-hpr1-ge.cenic.net (137.164.22.12) 181ms 181ms 181ms
11 dc-sac-dc1--lax-dc1-pos.cenic.net (137.164.22.127) 190ms 190ms 189ms
12 dc-oak-dc2--csac-dc1-ge.cenic.net (137.164.22.110) 201ms 201ms 201ms
13 dc-oak-dc1--oak-dc2-ge.cenic.net (137.164.22.124) 192ms 193ms 192ms
14 dc-svl-dc1--oak-dc1-10ge.cenic.net (137.164.22.30) 192ms 193ms 193ms
15 ucb--svl-dc1-egm.cenic.net (137.164.23.66) 194ms 194ms 193ms
16 fast4-0-0.inr-667-eva.Berkeley.EDU (128.32.0.99) 203ms 203ms 204ms
17 router2-fast0-0-0.ICSI.Berkeley.EDU (169.229.0.30) 195ms 195ms 195ms
18 www.irtf.org (192.150.187.18) 195ms 195ms 194ms
Annotations on the output:
• 3 delay measurements for each hop
• Delays vary with link congestion
• Large increase in delay as packets pass over the Pacific Ocean
• Separate networks
Transport & Application outline
Tele9752F1
Transport layer
• Main choices: basic UDP vs reliable TCP
– NM traditionally over UDP because quick access to some info often better than delayed access to all info [P6>.
• Congestion control part of TCP, but being added to UDP replacements (e.g. DCCP)
– Important when downloading bulky NM info, e.g. traffic flow statistics
• SCTP fixes many TCP flaws (e.g. vulnerability to DOS attacks) and motivated for telco NOC.
• Transport Layer Security (TLS) between application and Transport provides secrecy & authentication services, e.g. https and ssh
tele9752WU
netstat shows transport protocol state
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 alpha400.ee.unsw.e:smtp 190-49-181-211.sp:20260 ESTABLISHED
tcp 0 0 alpha400.ee.unsw.e:smtp reverse.68.70.184.:4429 ESTABLISHED
tcp 0 0 alpha400.ee.unsw.e:pop3 eo4.ee.unsw.EDU.AU:1680 TIME_WAIT
tcp 0 0 alpha400.ee.unsw.e:smtp 10-96-21-190.adsl.:4437 ESTABLISHED
tcp 0 0 alpha400.ee.unsw.e:http 149.171.87.41:4299 ESTABLISHED
tcp 0 0 alpha400.ee.unsw.ed:ssh adpg.ee.unsw.EDU.:34348 ESTABLISHED
tcp 0 55 alpha400.ee.unsw.e:smtp 230.73.41.59.broa:52781 LAST_ACK
udp 0 0 alpha400.ee.unsw.:47631 maestro.ee.unsw.:domain ESTABLISHED
udp 0 0 alpha400.ee.unsw.:39969 maestro.ee.unsw.:domain ESTABLISHED
udp 0 0 alpha400.ee.unsw.:40944 maestro.ee.unsw.:domain ESTABLISHED
tele9752AV
netstat shows statistics from MIBs
$ netstat -s
Ip:
1081899150 total packets received
2840 with invalid headers
0 forwarded
428851599 incoming packets discarded
279188500 incoming packets delivered
104189345 requests sent out
112 outgoing packets dropped
596 dropped because of missing route
552 fragments dropped after timeout
568 reassemblies required
8 packets reassembled ok
552 packet reassembles failed
2 fragments received ok
8 fragments created
Icmp:
12696571 ICMP messages received
7 input ICMP message failed.
ICMP input histogram:
destination unreachable: 12679288
timeout in transit: 3965
echo requests: 12011
echo replies: 1307
12894165 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 12882154
echo replies: 12011
Tcp:
375343 active connections openings
765775 passive connection openings
590 failed connection attempts
115903 connection resets received
20 connections established
56984968 segments received
36639810 segments send out
366075 segments retransmited
3 bad segments received.
110695 resets sent
tele9752KA
Application layer
• Networked printers sometimes (e.g. <3T] & 149.171.36.91) use SNMP to monitor status (of jobs & consumables)
• Trivial FTP (TFTP) [RFC1350]
– Bare-bones FTP: read/write files, no directory listings, authentication etc
– Simple to implement => traditionally used in router bootloaders
– Insecure => suitable only for private networks, e.g. out-of-band management <4U]
• whois: text-based Q&A protocol to access info (particularly owner & tech support contact) for DNS domains, IP address blocks, Autonomous System #s
– Unix client, or web, e.g.: http://who.is/
tele9752J3
Uses of ASN.1
H.323 videoconferencing uses H.245 control channel
for signalling, which defines messages using ASN.1
X.509 digital certificates for security
ZigBee uses ASN.1 to define test cases
Others: http://www.itu.int/ITU-T/asn1/uses/index.htm
tele9752W0
H.245 uses ASN.1
H.245 conveys capabilities of multimedia terminals, e.g. resolution of video encoding
TerminalCapabilitySet ::= SEQUENCE {
  sequenceNumber SequenceNumber,
  protocolIdentifier OBJECT IDENTIFIER,
  multiplexCapability MultiplexCapability OPTIONAL,
  capabilityTable SET SIZE (1..256) OF CapabilityTableEntry OPTIONAL,
  ... }
CapabilityTableEntry ::= SEQUENCE {
  capabilityTableEntryNumber CapabilityTableEntryNumber,
  capability Capability OPTIONAL }
Capability ::= CHOICE {
  nonStandard NonStandardParameter,
  receiveVideoCapability VideoCapability,
  transmitVideoCapability VideoCapability,
  ...
  receiveAudioCapability AudioCapability,
  transmitAudioCapability AudioCapability, ...
tele9752F2
VideoCapability ::= CHOICE {
  nonStandard NonStandardParameter,
  h261VideoCapability H261VideoCapability,
  h262VideoCapability H262VideoCapability,
  ...
H261VideoCapability ::= SEQUENCE {
  qcifMPI INTEGER (1..4) OPTIONAL, -- units 1/29.97 Hz
  cifMPI INTEGER (1..4) OPTIONAL, -- units 1/29.97 Hz
  temporalSpatialTradeOffCapability BOOLEAN,
  maxBitRate INTEGER (1..19200), -- units of 100 bit/s
  ...
X.509 certificates use ASN.1
Defined using ASN.1 in RFC 2459:
Certificate ::= SEQUENCE {
  tbsCertificate TBSCertificate,
  signatureAlgorithm AlgorithmIdentifier,
  signatureValue BIT STRING }
TBSCertificate ::= SEQUENCE {
  version [0] EXPLICIT Version DEFAULT v1,
  serialNumber CertificateSerialNumber,
  signature AlgorithmIdentifier,
  ...}
Version ::= INTEGER { v1(0), v2(1), v3(2) }
CertificateSerialNumber ::= INTEGER
AlgorithmIdentifier ::= SEQUENCE {
  algorithm OBJECT IDENTIFIER,
  parameters ANY DEFINED BY algorithm OPTIONAL }
tele9752KC
Encoding of web browser cert.
Firefox 5: Tools - Options - Advanced - View Certificates
Select VeriSignClass3PublicPrimaryCertificationAuthority-G5 & export as DER (Distinguished Encoding Rules [J6>)
View with hex editor
Note Little Endian format: 1st byte of pair shown last,
e.g. 8230 = 30 82 = type 30 length 82...
8230 d304 8230 bb03 03a0 0102 0202 1810
d1da 269e e87d 4abb 5821 cccd 3b6b 304a serial # 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
060d 2a09 4886 f786 010d 0501 0005 8130
...
Bonus mark on offer if you can explain the full decoding
tele9752NV
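The decoding the slide invites, as an added example (not part of the lecture): the Python below undoes the hex editor's byte-swapped word display, then walks the DER tag/length/value headers of the certificate prefix shown above, descending into SEQUENCE and [0] constructed types and stopping cleanly where the excerpt ends. Tag names come from the X.509 definitions on the previous slide; the words are copied from the slide.

```python
"""DER walker for the certificate bytes shown on the slide.

Added example, not from the lecture. Turns the hex-editor words back into a
byte string and decodes the ASN.1 tag/length/value headers as far as the
excerpt goes, reporting where it is cut off.
"""

# The hex editor displayed 16-bit words little-endian, so "8230" is the
# byte sequence 30 82 (SEQUENCE, long-form length). Words copied from slide.
SLIDE_WORDS = ("8230 d304 8230 bb03 03a0 0102 0202 1810 "
               "d1da 269e e87d 4abb 5821 cccd 3b6b 304a "
               "060d 2a09 4886 f786 010d 0501 0005 8130")

TAG_NAMES = {0x02: "INTEGER", 0x05: "NULL", 0x06: "OBJECT IDENTIFIER",
             0x30: "SEQUENCE", 0x31: "SET"}


def words_to_bytes(words):
    """Undo the editor's byte swap: each 4-hex-digit word is reversed."""
    return b"".join(bytes.fromhex(w)[::-1] for w in words.split())


def read_header(buf, pos):
    """Return (tag, length, header_len), or None if the header is cut off."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short form: one length byte
        return tag, first, 2
    n = first & 0x7F                        # long form: 0x8n then n bytes
    if n == 0 or pos + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def decode_oid(content):
    """Base-128 OID decoding; the first byte packs the first two arcs."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    return ".".join(str(a) for a in [first // 40, first % 40] + arcs[1:])


def tag_name(tag):
    if tag & 0xC0 == 0x80:                  # context-specific, e.g. [0] EXPLICIT
        return "[%d]" % (tag & 0x1F)
    return TAG_NAMES.get(tag, "tag 0x%02x" % tag)


def decode_der(buf, pos=0, end=None, depth=0, out=None):
    """Walk nested TLVs as (depth, name, length, value); value is None for
    constructed types, which are descended into instead."""
    out = [] if out is None else out
    end = len(buf) if end is None else min(end, len(buf))
    while pos < end:
        hdr = read_header(buf, pos)
        if hdr is None:
            out.append((depth, "truncated header", None, None))
            break
        tag, length, hlen = hdr
        start, stop = pos + hlen, pos + hlen + length
        if tag & 0x20:                      # constructed bit set: recurse
            out.append((depth, tag_name(tag), length, None))
            decode_der(buf, start, stop, depth + 1, out)
        else:
            content = buf[start:stop]
            if len(content) < length:
                value = "truncated"
            elif tag == 0x06:
                value = decode_oid(content)
            elif tag == 0x02 and length <= 4:
                value = int.from_bytes(content, "big", signed=True)
            else:
                value = content.hex()       # long INTEGERs (serial) as hex
            out.append((depth, tag_name(tag), length, value))
        pos = stop
    return out


def decode_slide():
    return decode_der(words_to_bytes(SLIDE_WORDS))


if __name__ == "__main__":
    for depth, name, length, value in decode_slide():
        print("  " * depth + name, length, "" if value is None else value)
```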
Things to think about
• Critical thinking: With management/NOC functions occurring in many layers, why haven’t management planes <DW] “taken off”?
• Engineering methods: Many engineered systems use compliance statements to state adherence to standards (e.g. building codes)
• Links to other areas: Modern modules with embedded electronics often include diagnostics (e.g. automotive On-Board Diagnostics)
• Independent learning: Try searching for techniques for troubleshooting protocols that you know, e.g. WiFi and TCP
Tele9752!!!!
The end
• Next week: What gets managed and how it is
presented.