Network Security: Background - icir.org

Page 1
Network Security: Background
CS 161: Computer Security Prof. Vern Paxson
TAs: Paul Bramsen, Apoorva Dornadula,
David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic,
Rishabh Poddar, Rebecca Portnoff, Nate Wang
http://inst.eecs.berkeley.edu/~cs161/ March 7, 2017
Page 2: Revocation, con't

• Approach #2: announce revoked certs
  – Users periodically download cert revocation list (CRL)
• Issues?
  – Lists can get large
  – Need to authenticate the list itself – how? Sign it!
  – Mallory can exploit download lag
  – What does Alice do if she can't reach the CA for download?
    1. Assume all certs are invalid (fail-safe defaults) – Wow, what an unhappy failure mode!
    2. Use old list: widens exploitation window if Mallory can "DoS" the CA (DoS = denial-of-service)
Page 3: Revocation, con't

• Approach #3: CA provides service to query
  – OCSP: Online Certificate Status Protocol
Page 4: OCSP = Online Certificate Status Protocol

(Diagram: Alice, Bob, Mallory and the CA; key labels b* and B*; a CA-signed certificate {Bob: B?}K^-1_CA. Alice: "I'd like to talk privately with Bob".)

Page 5: OCSP = Online Certificate Status Protocol

(Diagram continued: Alice forwards the certificate {Bob: B?}K^-1_CA to the CA and asks: "Yo, CA: Is this cert cool?")

Page 6: OCSP = Online Certificate Status Protocol

(Diagram continued: the CA answers Alice with a statement about the certificate's status, signed with its private key K^-1_CA.)
Page 7: Revocation, con't

• Approach #3: CA provides service to query
  – OCSP: Online Certificate Status Protocol
• Issues?
  – Can't be used if Alice doesn't have connectivity to CA
  – CA learns that Alice talks to Bob
  – CA had better build this in a scalable fashion!
  – CA outages ⇒ big headaches
• OR: Alice defaults to trusting if OCSP inaccessible
  – Again creates a DoS threat
Page 8: OCSP Stapling

(Diagram: Alice: "I'd like to talk privately with Bob". Bob, holding private key b, presents his certificate {Bob: B}K^-1_CA together with a CA-signed OCSP attestation, signed with K^-1_CA: "Good till 2:15PM" ✔︎.)

Bob's server periodically contacts the CA to update the OCSP attestation for his cert
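The three approaches on these revocation slides (CRL download, OCSP query, OCSP staple) modelled in code, as an added example that is not part of the lecture. Everything in it is constructed: the CA's "signature" is an HMAC under a key only the CA holds, standing in for a real signature with K^-1_CA; the serial numbers 7 (Bob) and 42 (Mallory's bogus cert), the 60-tick validity lifetime and the timeline are made up for the example. What it shows is the window each approach leaves open: the download lag of a cached CRL, the widened window when Alice keeps using a stale list because the CA is unreachable, and how a stapled attestation bounds that window by its next_update time.

```python
import hashlib
import hmac
import json

CA_KEY = b"toy-ca-signing-key"   # stand-in for K^-1_CA; only the CA holds it


def ca_sign(statement: dict) -> dict:
    """Return statement plus a CA 'signature' (HMAC over canonical JSON)."""
    body = json.dumps(statement, sort_keys=True).encode()
    tag = hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()
    return {**statement, "sig": tag}


def ca_sig_ok(signed: dict) -> bool:
    """Alice's check that a statement really came from the CA, untampered."""
    body = {k: v for k, v in signed.items() if k != "sig"}
    return hmac.compare_digest(ca_sign(body)["sig"], signed.get("sig", ""))


class ToyCA:
    """The CA: keeps the revocation set and issues time-bounded statements."""

    def __init__(self, lifetime: int):
        self.revoked: set[int] = set()
        self.lifetime = lifetime          # how long a CRL / OCSP answer stays valid

    def crl(self, now: int) -> dict:      # approach #2: a signed list
        return ca_sign({"revoked": sorted(self.revoked),
                        "this_update": now, "next_update": now + self.lifetime})

    def ocsp(self, serial: int, now: int) -> dict:   # approach #3, also what Bob staples
        status = "revoked" if serial in self.revoked else "good"
        return ca_sign({"serial": serial, "status": status,
                        "this_update": now, "next_update": now + self.lifetime})


def check_crl(serial: int, crl: dict, now: int, stale_policy: str) -> str:
    """Alice decides from a (possibly cached) CRL. stale_policy is what she does
    when the list has expired and she cannot fetch a new one: 'fail-closed'
    treats every cert as invalid, 'use-old' keeps using the stale list."""
    if not ca_sig_ok(crl):
        return "reject"
    if now >= crl["next_update"] and stale_policy == "fail-closed":
        return "reject"
    return "revoked" if serial in crl["revoked"] else "good"


def check_ocsp_response(serial: int, resp: dict, now: int) -> str:
    """Alice checks an OCSP answer, whether fetched herself or stapled by Bob:
    CA signature, that it is about this cert, and that it is still fresh."""
    if not ca_sig_ok(resp) or resp["serial"] != serial:
        return "reject"
    if not resp["this_update"] <= now < resp["next_update"]:
        return "stale"
    return resp["status"]


def scenario() -> dict:
    """Constructed timeline: Bob's cert is serial 7, Mallory's bogus cert is
    serial 42 and gets revoked at t=10. Every CA statement lives 60 ticks."""
    ca = ToyCA(lifetime=60)
    out = {}
    cached_crl = ca.crl(now=0)              # Alice's periodic download
    bob_staple = ca.ocsp(7, now=0)          # Bob refreshes this periodically
    mallory_staple = ca.ocsp(42, now=0)     # obtained before the revocation

    ca.revoked.add(42)                      # t=10: the CA revokes serial 42

    # Download lag: Alice's cached list predates the revocation.
    out["crl_lag"] = check_crl(42, cached_crl, now=10, stale_policy="fail-closed")
    # A fresh OCSP query at t=10 already reflects the revocation.
    out["ocsp_fresh"] = check_ocsp_response(42, ca.ocsp(42, now=10), now=10)
    # Mallory replays her pre-revocation staple inside its validity window.
    out["replay_in_window"] = check_ocsp_response(42, mallory_staple, now=30)

    # t=70: the cached CRL and the old staples have expired; Mallory DoSes the CA.
    out["fail_closed_bob"] = check_crl(7, cached_crl, now=70, stale_policy="fail-closed")
    out["use_old_mallory"] = check_crl(42, cached_crl, now=70, stale_policy="use-old")
    out["replay_expired"] = check_ocsp_response(42, mallory_staple, now=70)
    out["bob_staple_expired"] = check_ocsp_response(7, bob_staple, now=70)

    # Mallory edits the status field of a genuine "revoked" answer.
    forged = dict(ca.ocsp(42, now=70), status="good")
    out["forged"] = check_ocsp_response(42, forged, now=70)
    return out
```

Alice never needs to reach the CA to check a staple: freshness comes from the signed validity window, so Mallory's only move is to replay an old "good" answer until it expires, which is why the CA keeps the lifetime short and Bob's server refreshes the attestation before 2:15PM.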
Page 9: Leap-of-Faith Authentication

• A completely different approach leverages key continuity
Page 10: Leap-of-Faith Authentication

(Diagram: Alice connects to Bob, who holds private key b and presents his certificate {Bob: B}K^-1_CA.) Alice: "Huh, I've never been to Bob's site before"

Page 11: Leap-of-Faith Authentication

Alice: "I'm going to hope that just this one time, Mallory didn't show up…"

Page 12: Leap-of-Faith Authentication

Alice: "But now that I have the cert, any time in the future I'll refuse a different cert if offered"
Page 13: Leap-of-Faith Authentication, con't

• A completely different approach leverages key continuity
  – Also called TOFU: Trust On First Use
  – A form of "pinning"
    • Require cert to have specific properties, like particular CA
  – Very popular for SSH
• Web browsers don't expose an easy equivalent usage model
Page 14: Leap-of-Faith Authentication, con't

• Properties/Issues?
• Doesn't bug you, just automatically gives you a secure mode of operation
  – Great design property!
• Leverages mental expectations
  – Such as: "hard for attacker to anticipate this'll be my very first visit" (clearly not always true!)
  – Or: "Bob mentioned he'd be upgrading, so the new key is expected"
• Brittle: relies on user to notice and thoughtfully respond to key changes
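The leap-of-faith / TOFU check in code, as an added example that is not from the slides: a store in the style of SSH's known_hosts, keyed by host name and holding a SHA-256 fingerprint of the key. Host names and keys are constructed stand-ins. Beyond the happy path it also runs the weak case the slide calls out, Mallory being present on the very first visit, and shows why a changed key must never silently re-pin.

```python
import hashlib
import hmac

FIRST_USE, CONTINUITY, MISMATCH = "first-use", "continuity", "mismatch"


def fingerprint(public_key: bytes) -> str:
    """Pin a SHA-256 fingerprint of the key (or cert), as SSH clients do."""
    return hashlib.sha256(public_key).hexdigest()


def tofu_check(store: dict, host: str, public_key: bytes) -> str:
    """Leap of faith on the first contact with `host`; afterwards require key
    continuity. A mismatch is refused and must NOT overwrite the pin."""
    fp = fingerprint(public_key)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp          # the leap: hope Mallory isn't here this time
        return FIRST_USE
    if hmac.compare_digest(pinned, fp):
        return CONTINUITY
    return MISMATCH


def rotate_pin(store: dict, host: str, public_key: bytes,
               confirmed_out_of_band: bool) -> bool:
    """Accepting a changed key is a human decision ("Bob mentioned he'd be
    upgrading"), so re-pin only after explicit confirmation."""
    if not confirmed_out_of_band:
        return False
    store[host] = fingerprint(public_key)
    return True


def demo() -> dict:
    """Constructed keys and host name; the dicts stand in for known_hosts."""
    bob_key = b"ssh-ed25519 AAAA...bob"            # stand-ins, not real keys
    new_bob_key = b"ssh-ed25519 AAAA...bob-new"
    mallory_key = b"ssh-ed25519 AAAA...mallory"
    r = {}

    store = {}                                     # Alice's first visit is honest
    r["first"] = tofu_check(store, "bob.example", bob_key)
    r["again"] = tofu_check(store, "bob.example", bob_key)
    r["mitm"] = tofu_check(store, "bob.example", mallory_key)   # Mallory shows up later
    r["still_pinned_to_bob"] = store["bob.example"] == fingerprint(bob_key)
    r["silent_rotate"] = rotate_pin(store, "bob.example", mallory_key, False)
    r["confirmed_rotate"] = rotate_pin(store, "bob.example", new_bob_key, True)
    r["after_rotate"] = tofu_check(store, "bob.example", new_bob_key)

    store2 = {}                                    # the weak case: Mallory is there first
    r["mallory_first"] = tofu_check(store2, "bob.example", mallory_key)
    r["bob_after_mallory"] = tofu_check(store2, "bob.example", bob_key)
    return r
```

In the second store it is Bob, not Mallory, who gets refused: the model has no way to tell a first honest contact from a first intercepted one, which is exactly the brittleness the slide describes.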
Page 15: Background on Networking
Page 16: Network Security

• Why study network security?
  – Networking greatly extends our overall attack surface
    o Networking = the Internet
  – Opportunity to see how large-scale design affects security issues
  – Protocols a great example of mindless agents in action
• This lecture: sufficient background in networking to then explore security issues in next ~5 lectures
• Complex topic with many facets
  – We will omit concepts/details that aren't very security-relevant
  – By all means, ask questions when things are unclear
    o (but we may skip if not ultimately relevant for security, or postpone if question itself is directly about security)
Page 17: Protocols

• A protocol is an agreement on how to communicate
• Includes syntax and semantics
  – How a communication is specified & structured
    o Format, order messages are sent and received
  – What a communication means
    o Actions taken when transmitting, receiving, or timer expires
• E.g.: making a comment in lecture?
  1. Raise your hand.
  2. Wait to be called on.
  3. Or: wait for speaker to pause and vocalize
  4. If unrecognized (after timeout): vocalize w/ "excuse me"
Page 18: So You Walk Into A Coffee Shop, Open Up Your Laptop, And Issue a Google Query….

Page 19: (diagram only)
Page 20: 1. Join the wireless network

Your laptop shouts: HEY, DOES WIRELESS NETWORK X EXIST?

Page 21: 1. Join the wireless network

Wireless access point(s) continually shout: HEY, I'M WIRELESS NETWORK Y, JOIN ME!

Page 22: 1. Join the wireless network

If either matches up, your laptop joins the network. Optionally performs a cryptographic exchange.
Page 23: 2. Configure your connection

Your laptop shouts: HEY, ANYBODY, WHAT BASIC CONFIG DO I NEED TO USE?

Page 24: 2. Configure your connection

Some system on the local network replies: Here's your config, enjoy

Page 25: 2. Configure your connection

The configuration includes:
(1) An Internet address (IP address) your laptop should use; typ. 32 bits
(2) The address of a "gateway" system to use to access hosts beyond the local network
(3) The address of a DNS server ("resolver") to map names like google.com to IP addresses

(Diagram: your laptop, now 192.168.1.14)
Page 26: 3. Find the address of google.com

Your laptop sends a DNS request asking: "address for google.com?" It's transmitted using the UDP protocol (lightweight, unreliable). The DNS resolver might not be on the local network.

(Diagram: laptop 192.168.1.14)

Page 27: 3. Find the address of google.com

(Diagram: laptop 192.168.1.14 sends the request to the gateway)

Page 28: 3. Find the address of google.com

(Diagram: laptop 192.168.1.14, gateway, router, resolver, the rest of the Internet, and google.com's server at 172.217.6.78)

Page 29: 3. Find the address of google.com

(Diagram: the query "google.com?" travels from the laptop via the gateway and router to the resolver)

Page 30: 3. Find the address of google.com

(The resolver now itself uses DNS queries to other DNS servers to figure out the address associated with google.com.)

Page 31: 3. Find the address of google.com

(Diagram: the resolver replies to the laptop: google.com's address is 172.217.6.78)
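Step 3 in code, as an added example that is not part of the lecture: the laptop builds the UDP payload that asks "address for google.com?" and then checks the reply before believing it. No network is used; the resolver's reply is constructed inline in the same wire format, the transaction ID 0x1234 is an arbitrary constant, and the answer 172.217.6.78 is the address on the slide.

```python
import struct


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txn_id: int, name: str) -> bytes:
    """The laptop's question: one A/IN query, recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at off, following 0xC0xx compression pointers, with a
    hop limit so a malicious pointer loop cannot hang the parser."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if resume is None:
                resume = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if resume is not None else off)


def parse_response(msg: bytes, expected_id: int, expected_name: str) -> list[str]:
    """Return the IPv4 addresses from A records for expected_name, after
    checking that the reply matches the question we actually asked."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txn_id != expected_id:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                             # the echoed question(s)
        qname, off = read_name(msg, off)
        off += 4                                    # skip QTYPE, QCLASS
        if qname.lower() != expected_name.lower():
            raise ValueError("question section does not match our query")
    addrs = []
    for _ in range(an):                             # the answer records
        rname, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4) and rname.lower() == expected_name.lower():
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed stand-in for the resolver's reply: same ID; QR, RD and RA
    set; the question echoed; one A record whose name is a compression
    pointer (0xC00C) back to the question's name at offset 12."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(x) for x in addr.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def lookup_demo() -> dict:
    """Walk through step 3 offline: query, reply, parse; then show that a
    reply carrying a different transaction ID is refused."""
    txn_id = 0x1234                                 # arbitrary constant
    query = build_query(txn_id, "google.com")
    reply = build_response(query, "172.217.6.78")   # address from the slide
    addrs = parse_response(reply, txn_id, "google.com")
    try:
        parse_response(reply, 0x5678, "google.com")
        wrong_id_rejected = False
    except ValueError:
        wrong_id_rejected = True
    return {"query_len": len(query), "addrs": addrs,
            "wrong_id_rejected": wrong_id_rejected}
```

Note how little ties the reply to the question over UDP: a 16-bit transaction ID and the echoed question section. The parser checks both, and bounds every read by the counts and lengths in the message, because the resolver's answer arrives from beyond the local network and the laptop has no other way to know it came from the resolver it asked.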
Page 32: 4. Connect to google.com server

(Diagram: laptop 192.168.1.14, gateway, router, resolver, the rest of the Internet, and google.com's server at 172.217.6.78)

Page 33: 4. Connect to google.com server

Your laptop now establishes a connection with the web server at 172.217.6.78. It uses TCP for this rather than UDP, to obtain reliability.

Page 34: 4. Connect to google.com server

The first step of establishing the connection is to send a TCP connection request ("SYN") to the server.

(Diagram: TCP SYN from 192.168.1.14 to 172.217.6.78)

Page 35: 4. Connect to google.com server

If the server accepts the connection, it replies with a "SYN ACK".

(Diagram: TCP SYN ACK from 172.217.6.78 to 192.168.1.14)

Page 36: 4. Connect to google.com server

Your laptop completes the connection establishment by likewise sending an acknowledgement.

(Diagram: TCP ACK from 192.168.1.14 to 172.217.6.78)

Page 37: 4. Connect to google.com server

At this point the connection is established and data can be (reliably) exchanged.
Page 38: 5. Establish a secure connection using TLS (https)

(Diagram: laptop 192.168.1.14 to the google.com server at 172.217.6.78, across the gateway, router and the rest of the Internet.)

Laptop: "I want a confidential connection with integrity & authentication"

Page 39: 5. Establish a secure connection using TLS (https)

Server: "Here's a certificate that vouches for my public key, google.com"

Page 40: 5. Establish a secure connection using TLS (https)

Laptop: "Well if you really possess the corresponding private key, prove it by decrypting this blob which we'll use to establish shared secret keys"

Page 41: 5. Establish a secure connection using TLS (https)

Server: "Here's your proof"
Page 42: 6. Finally, your laptop can send along your query! (Using HTTP inside the TLS channel)

GET /search?query=great+Spring+Break+beaches…

(Diagram: laptop 192.168.1.14 to the google.com server at 172.217.6.78)
Page 43: 5 Minute Break

Questions Before We Proceed?

Page 44: Internet Layering
Page 45: Layering

• Internet design is strongly partitioned into layers
  – Each layer relies on services provided by next layer below …
  – … and provides services to layer above it
• Analogy:
  – Consider structure of an application you've written and the "services" each layer relies on / provides

(Diagram, top to bottom: Code You Write; Run-Time Library; System Calls; Device Drivers; Voltage Levels / Magnetic Domains. The lowest layers are marked "Fully isolated from user programs".)
Page 46: Internet Layering ("Protocol Stack")

(Diagram: the stack top to bottom, with layer numbers: 7 Application; 4 Transport; 3 (Inter)Network; 2 Link; 1 Physical)

Note on a point of potential confusion: these diagrams are always drawn with lower layers below higher layers … But diagrams showing the layouts of packets are often the opposite, with the lower layers at the top since their headers precede those for higher layers
Page 47: Horizontal View of a Single Packet

(Diagram, left to right in transmission order, first bit transmitted at the left: Link Layer Header | (Inter)Network Layer Header (IP) | Transport Layer Header | Application Data: structure depends on the application …)

Page 48: Vertical View of a Single Packet

(The same packet drawn top to bottom, first bit transmitted at the top: Link Layer Header; (Inter)Network Layer Header (IP); Transport Layer Header; Application Data: structure depends on the application …)
Page 49: Internet Layering ("Protocol Stack")

(Diagram: the same stack: 7 Application; 4 Transport; 3 (Inter)Network; 2 Link; 1 Physical)
Page 50: Layer 1: Physical Layer

Encoding bits to send them over a single physical link, e.g. patterns of voltage levels / photon intensities / RF modulation

Page 51: Layer 2: Link Layer

Framing and transmission of a collection of bits into individual messages sent across a single "subnetwork" (one physical technology). Might involve multiple physical links (e.g., modern Ethernet). Often technology supports broadcast transmission (every "node" connected to subnet receives)

Page 52: Layer 3: (Inter)Network Layer (IP)

Bridges multiple "subnets" to provide end-to-end internet connectivity between nodes
• Provides global addressing
• Works across different link technologies

(Brace on the diagram: the Link and Physical layers are different for each Internet "hop")

Page 53: Layer 4: Transport Layer

End-to-end communication between processes. Different services provided: TCP = reliable byte stream; UDP = unreliable datagrams (Datagram = single packet message)

Page 54: Layer 7: Application Layer

Communication of whatever you wish. Can use whatever transport(s) is convenient. Freely structured. E.g.: Skype, SMTP (email), HTTP (Web), Halo, BitTorrent
Page 55: Internet Layering ("Protocol Stack")

(Brace on the diagram: layers 7 and 4, Application and Transport, are implemented only at hosts, not at interior routers ("dumb network"))

Page 56: Internet Layering ("Protocol Stack")

(Brace on the diagram: layers 3, 2 and 1, (Inter)Network, Link and Physical, are implemented everywhere)

Page 57: Internet Layering ("Protocol Stack")

(Braces on the diagram: layers 2 and 1, Link and Physical, are different for each Internet "hop"; layers 7, 4 and 3, Application, Transport and (Inter)Network, are ~ the same for each Internet "hop")
Page 58: Hop-By-Hop vs. End-to-End Layers

(Diagram: Hosts A, B, C, D, E connected through Routers 1 to 7.) Host A communicates with Host D

Page 59: Hop-By-Hop vs. End-to-End Layers

(Same diagram.) Different Physical & Link Layers (Layers 1 & 2) on each hop, e.g., Wi-Fi on one hop, Ethernet on another. Host A communicates with Host D

Page 60: Hop-By-Hop vs. End-to-End Layers

(Same diagram.) Same Network / Transport / Application Layers (3/4/7) end to end (Routers ignore Transport & Application layers), e.g., HTTP over TCP over IP. Host A communicates with Host D
Page 61: Layer 3: (Inter)Network Layer (IP)

Bridges multiple "subnets" to provide end-to-end internet connectivity between nodes
• Provides global addressing
• Works across different link technologies
Page 62: IP Packet Structure

(Header layout, one 32-bit word per row, followed by the payload:)
| 4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes) |
| 16-bit Identification | 3-bit Flags | 13-bit Fragment Offset |
| 8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum |
| 32-bit Source IP Address |
| 32-bit Destination IP Address |
| Options (if any) |
| Payload |

Page 63: IP Packet Structure

(Same layout; 16-bit Total Length highlighted.) Specifies the length of the entire IP packet: bytes in this header plus bytes in the Payload

Page 64: IP Packet Structure

(Same layout; 8-bit Protocol highlighted.) Specifies how to interpret the start of the Payload, which is the header of a Transport Protocol such as TCP (6) or UDP (17)

Page 65: IP Packet Structure

(Same layout with Protocol = 6 and the Payload row labelled "Start of TCP Header".) Specifies how to interpret the start of the Payload, which is the header of a Transport Protocol such as TCP (6) or UDP (17)

Page 66: IP Packet Structure

(Same layout.)
Page 67: IP Packet Header (Continued)

• Two IP addresses
  – Source IP address (32 bits in main IP version)
  – Destination IP address (32 bits, likewise)
• Destination address
  – Unique identifier/locator for the receiving host
  – Allows each node to make forwarding decisions
• Source address
  – Unique identifier/locator for the sending host
  – Recipient can decide whether to accept packet
  – Enables recipient to send reply back to source
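A parser for the header laid out on the last six slides, as an added example that is not part of the lecture. It reads the fields with Python's struct, checks Header Length and Total Length against the bytes actually present before trusting them, verifies the Header Checksum, and uses Protocol to say what starts the Payload. The packet it parses is constructed inline: a TCP SYN from 192.168.1.14 to 172.217.6.78 as in step 4 of the walkthrough (the 20 TCP header bytes are a stand-in with no TCP checksum); the identification value and TTL are arbitrary.

```python
import socket
import struct
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17
IPV4_FMT = "!BBHHHBBH4s4s"       # the fixed 20-byte header, network byte order


@dataclass
class IPv4Header:
    version: int
    ihl: int               # header length in 32-bit words
    tos: int
    total_length: int      # header + payload, in bytes
    identification: int
    flags: int
    fragment_offset: int
    ttl: int
    protocol: int          # 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    options: bytes


def ipv4_checksum(header: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is already filled in it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> tuple[IPv4Header, bytes]:
    """Parse the fixed header, validate both length fields against the buffer,
    verify the checksum, and return the header plus the payload it delimits."""
    if len(packet) < 20:
        raise ValueError("truncated: shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError(f"bad header length {header_len}")
    if total_length < header_len or total_length > len(packet):
        raise ValueError(f"bad total length {total_length} for {len(packet)} bytes")
    if ipv4_checksum(packet[:header_len]) != 0:
        raise ValueError("header checksum mismatch")
    hdr = IPv4Header(version, ihl, tos, total_length, ident,
                     flags_frag >> 13, flags_frag & 0x1FFF, ttl, proto, csum,
                     socket.inet_ntoa(src), socket.inet_ntoa(dst),
                     packet[20:header_len])
    return hdr, packet[header_len:total_length]


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes,
               ttl: int = 64, identification: int = 0x1C46) -> bytes:
    """Constructed packet: no options, DF flag set, checksum filled in."""
    total_length = 20 + len(payload)
    fields = [0x45, 0, total_length, identification, 0x4000, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def demo() -> dict:
    """Parse a constructed TCP SYN (step 4 of the walkthrough), then two
    malformed variants that a parser must refuse rather than read past."""
    tcp_syn = struct.pack("!HHIIBBHHH", 51234, 443, 0x1A2B3C4D, 0,
                          5 << 4, 0x02, 65535, 0, 0)    # SYN flag; stand-in header
    pkt = build_ipv4("192.168.1.14", "172.217.6.78", PROTO_TCP, tcp_syn)
    hdr, payload = parse_ipv4(pkt)

    def rejected(p: bytes) -> bool:
        try:
            parse_ipv4(p)
            return False
        except ValueError:
            return True

    tampered = pkt[:8] + bytes([1]) + pkt[9:]     # TTL rewritten, checksum not fixed
    truncated = pkt[:30]                          # header claims 40 bytes, only 30 present
    return {"src": hdr.src, "dst": hdr.dst, "protocol": hdr.protocol,
            "total_length": hdr.total_length, "ttl": hdr.ttl, "flags": hdr.flags,
            "payload_is_syn": payload == tcp_syn,
            "tampered_rejected": rejected(tampered),
            "truncated_rejected": rejected(truncated)}
```

The checksum covers only the header and only catches accidental corruption; it is not a security check, and nothing in the header authenticates the Source IP Address. So when the slide says the recipient "can decide whether to accept packet" based on the source, that decision rests on an unauthenticated claim, a point the following lectures build on.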