TD1: Introduction - protocol layers and addressing


Post on 10-Apr-2020


Part 1

A short study of protocol stack (Internet stack)

1. The four layers in the Internet protocol stack are – from top to bottom – the application layer, the transport layer, the network layer, and the physical layer.

2. Application-layer message: data that an application wants to send, passed on to the transport layer; transport-layer segment: generated by the transport layer, encapsulates the application-layer message with a transport-layer header; network-layer datagram: encapsulates the transport-layer segment with a network-layer header; link/physical layer frame: encapsulates the network-layer datagram with a link/physical layer header.

3. Basically the routers process layers 1 through 2. Link/physical layer switches process layer 1 (link/physical). Hosts process all four layers.

Explain the stack with protocol headers at:
• terminal host,
• router device and
• switch device.

Explain the flow of data from source host via switch – router – switch to destination host.


Exercise 1: The data of protocols of higher level are encapsulated in the “containers” of lower level. Each level adds its own header.

• physical/link layer: frames with headers (HL)
• internet layer: packets with headers (HN)
• transport layer: segments with headers (HT)

Each protocol layer has its inherent performance P<1: for example at physical layer Ethernet performance is max 90%, WiFi max 40%. Let us denote physical/link performance by PL, network layer performance by PN, and transport layer performance by PT.

Calculate the useful (user) data rate for the protocol stack with: HL=HN=HT=10%; PL=(90% or 40%), PN=90%, PT=90%.

Socket concept

A socket is represented by two values: IP address and port number. The IP address identifies the Internet interface; the port number identifies the service/application associated with this IP address.

socket = { IP address, Port number }

Each OS controls the use of socket numbers; the values 1-1024 are associated with well known services or application level protocols (7 – echo, 20 – ftp, 80 – http). The port values between 1024 and 5000 are used automatically by the OS and are associated temporarily with the “client” sockets. Client sockets (numbers) should not be known externally. The values between 5000 and 64K-1 are available for normal users. Remark: the root user may exploit any port number.

Exercise 2: Explain the ways the protocol ends are identified at each protocol stack layer:
• user layer (URL)
• transport layer (port)
• network layer (@IP)
• physical layer (@MAC)

How are the different layers of identifiers mapped?
Explain the “mapping path” at the sender and the receiver ends.
What are the additional mechanisms necessary to do the mappings?

Part 2

Transport protocols - UDP

The transport layer is implemented only in the terminal devices and it has two functions:
1. the first is the association of the application data (flow) to the chunks of data called segments (or datagrams)
2. the second is the implementation of error-less transfer over error prone links and routers.

There are two communication modes provided by transport protocols:
1. the first is unconnected mode based on datagrams – it is implemented by User Datagram Protocol (UDP). UDP does not provide error-less transfer.
2. The second is “connection oriented” mode based on flow of segments controlled by the acknowledgments and additional control mechanisms – it is implemented by Transport Control Protocol (TCP). TCP provides error-less transfer.

Study of UDP

Draw the header fields of a UDP packet given below in C:

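struct udp {
    unsigned short int uh_sport;   /* source port */
    unsigned short int uh_dport;   /* destination port */
    unsigned short int uh_len;     /* length of header plus data, in bytes */
    unsigned short int uh_check;   /* checksum */
};

Explain the role of uh_check, analyze the following function:

/* 16-bit one's-complement checksum over nwords 16-bit words */
unsigned short csum(unsigned short *buf, int nwords)
{
    unsigned long sum;

    for (sum = 0; nwords > 0; nwords--)
        sum += *buf++;                      /* add up the 16-bit words */
    sum = (sum >> 16) + (sum & 0xffff);     /* fold the carries into the low 16 bits */
    sum += (sum >> 16);                     /* add the carry produced by the fold */
    return (unsigned short)(~sum);          /* one's complement of the folded sum */
}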

Exercise: Give a numerical example with 4 16-bit values (2 words)
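A worked numerical example for the checksum function above, added here and not part of the original sheet. The four sample values are constructed; the example also shows which kinds of damage the receiver notices and which it cannot, since the sum is arithmetic and not a cryptographic integrity check. Only the arithmetic of csum() is covered, not the full UDP packet.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Same algorithm as csum() above, written with fixed-width types. */
static uint16_t csum16(const uint16_t *buf, size_t nwords)
{
    uint32_t sum = 0;
    while (nwords-- > 0)
        sum += *buf++;
    sum = (sum >> 16) + (sum & 0xffff);   /* 0x1CE04 -> 0xCE05 for the sample */
    sum += (sum >> 16);
    return (uint16_t)~sum;
}

/* Receiver check: recomputing over data + received checksum must give 0. */
static int verify(const uint16_t *buf, size_t nwords)
{
    return csum16(buf, nwords) == 0;
}

/* Constructed sample data: four 16-bit values whose sum overflows 16 bits. */
static const uint16_t SAMPLE[4] = { 0x8001, 0x9002, 0x1234, 0xABCD };

static uint16_t sample_checksum(void)
{
    return csum16(SAMPLE, 4);
}

enum damage { DMG_NONE, DMG_BIT_FLIP, DMG_SWAP_WORDS, DMG_COMPENSATED };

/* Build data + checksum as the receiver sees it, apply the damage, verify. */
static int receiver_accepts(enum damage d)
{
    uint16_t pkt[5];
    for (int i = 0; i < 4; i++)
        pkt[i] = SAMPLE[i];
    pkt[4] = sample_checksum();

    switch (d) {
    case DMG_BIT_FLIP:            /* one bit changed in one word */
        pkt[2] ^= 0x0001;
        break;
    case DMG_SWAP_WORDS: {        /* two words exchanged: the sum is unchanged */
        uint16_t t = pkt[0];
        pkt[0] = pkt[3];
        pkt[3] = t;
        break;
    }
    case DMG_COMPENSATED:         /* +0x0100 in one word, -0x0100 in another */
        pkt[1] += 0x0100;
        pkt[2] -= 0x0100;
        break;
    case DMG_NONE:
        break;
    }
    return verify(pkt, 5);
}

int main(void)
{
    printf("checksum of sample      : 0x%04X\n", (unsigned)sample_checksum());
    printf("intact packet accepted  : %d\n", receiver_accepts(DMG_NONE));
    printf("single bit flip accepted: %d\n", receiver_accepts(DMG_BIT_FLIP));
    printf("swapped words accepted  : %d\n", receiver_accepts(DMG_SWAP_WORDS));
    printf("compensated edit accepted: %d\n", receiver_accepts(DMG_COMPENSATED));
    return 0;
}
```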


TD2 Study of transport protocols - TCP


Study of TCP

TCP is an error-free transport protocol. In order to be error-free several mechanisms are implemented into TCP.

• TCP is connection “oriented”
• TCP uses time-out and retransmission for error free transfer
• TCP uses sending/receiving windows for congestion control.

Before studying the TCP header we are going to show how to obtain error-free transport over an error-prone channel.

Principle of ACK protocol

At the sending end - send a packet and fire a timer.
At the receiving end – wait for a correct packet with its sequence number (see checksum in UDP); if the received packet is correct, send the acknowledgment packet (ACK) to the received one. At the receiving end wait for the ACK packet. If the ACK arrives in the time interval smaller than time-out period send the next packet (with the next sequence number), otherwise re-send the same packet (with the same sequence number).

Draw the scheme with client (sender), server (receiver) hosts.

Exercises:

1. Over an error-free link (client-server link) send a data packet and before sending the next packet wait for the corresponding ACK packet (first bit). The propagation Round-Trip-Time (RTT) is 20 ms. The link data-rate is 1 Mbit/s. You wish to obtain the protocol efficiency of at least 80%. What is the minimal size of the packet (in bytes)?

2. During the transmission over an error-prone channel the packet may deteriorate or may be lost. Given the fixed size of packet - 1000 bits and the Bit-Error Rate equal to $10^{-4}$, what is the number of packets to be sent in order to successfully transmit one packet?

Remark: no packets are lost.

TCP header and functions:

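struct tcp {
    unsigned short int th_sport;   /* source port */
    unsigned short int th_dport;   /* destination port */
    unsigned int th_seq;           /* sequence number */
    unsigned int th_ack;           /* acknowledgment number */
    unsigned char th_x2:4,         /* unused */
                  th_off:4;        /* data offset (header length in 32-bit words) */
    unsigned char th_flags;        /* control flags */
    unsigned short int th_win;     /* window */
    unsigned short int th_sum;     /* checksum */
    unsigned short int th_urp;     /* urgent pointer */
}; /* total tcp header length: 20 bytes (=160 bits) */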

Draw the header fields and explain their role.

On the following example explain the flags and “connection” phase of the protocol.

1. Transfer over error-free

Figure 1.

Exercise: With the TCP sequence number encoded on 32 bits and a communication channel with 10 Mb/s, what is the maximal size of the transmitted data and the time interval allocated to the TCP connection (session)?

Slow start:

When a TCP connection begins, the value of cwnd is typically initialized to a small value of 1 MSS, resulting in an initial sending rate of roughly MSS/RTT.

For example, if MSS = 500 bytes and RTT = 200 msec, the resulting initial sending rate is only about 20 kbps. Since the available bandwidth to the TCP sender may be much larger than MSS/RTT, the TCP sender would like to find the amount of available bandwidth quickly.

Figure 2.

Thus, in the slow-start state, the value of cwnd begins at 1 MSS and increases by 1 MSS every time a transmitted segment is first acknowledged. In the example of Figure 2, TCP sends the first segment into the network and waits for an acknowledgment. When this acknowledgment arrives, the TCP sender increases the congestion window by one MSS and sends out two maximum-sized segments. These segments are then acknowledged, with the sender increasing the congestion window by 1 MSS for each of the acknowledged segments, giving a congestion window of 4 MSS, and so on. This process results in a doubling of the sending rate every RTT. Thus, the TCP send rate starts slow but grows exponentially during the slow start phase.

But when should this exponential growth end?

Slow start provides several answers to this question. First, if there is a loss event (i.e., congestion) indicated by a timeout, the TCP sender sets the value of cwnd to 1 and begins the slow start process anew. It also sets the value of a second state variable, ssthresh (shorthand for “slow start threshold”) to cwnd/2 - half of the value of the congestion window value when congestion was detected. The second way in which slow start may end is directly tied to the value of ssthresh.

Since ssthresh is half the value of cwnd when congestion was last detected, it might be a bit reckless to keep doubling cwnd when it reaches or surpasses the value of ssthresh.

Thus, when the value of cwnd equals ssthresh, slow start ends and TCP transitions into congestion avoidance mode. On entry to the congestion-avoidance state, the value of cwnd is approximately half its value when congestion was last encountered - congestion could be just around the corner! Thus, rather than doubling the value of cwnd every RTT, TCP adopts a more conservative approach and increases the value of cwnd by just a single MSS every RTT.

This can be accomplished in several ways. A common approach is for the TCP sender to increase cwnd by MSS · (MSS/cwnd) bytes whenever a new acknowledgment arrives. For example, if MSS is 1,460 bytes and cwnd is 14,600 bytes, then 10 segments are being sent within an RTT. Each arriving ACK (assuming one ACK per segment) increases the congestion window size by 1/10 MSS.

Figure 3.
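The rules described above (doubling per RTT in slow start, one MSS per RTT in congestion avoidance, reset on timeout), as an added example that is not part of the original sheet. It is a per-RTT model in MSS units; the initial ssthresh of 8 MSS, the round in which the timeout occurs, the capping of cwnd at ssthresh and the floor of 1 MSS for ssthresh are assumptions of this sketch.

```c
#include <stdio.h>

/* Congestion state, both values counted in MSS units. */
struct tcp_cc {
    unsigned cwnd;
    unsigned ssthresh;
};

/* One RTT in which every segment of the current window was acknowledged. */
static void on_window_acked(struct tcp_cc *c)
{
    if (c->cwnd < c->ssthresh) {
        /* slow start: +1 MSS per ACK, i.e. the window doubles per RTT */
        c->cwnd *= 2;
        if (c->cwnd > c->ssthresh)      /* assumption: stop exactly at ssthresh */
            c->cwnd = c->ssthresh;
    } else {
        /* congestion avoidance: +1 MSS per RTT */
        c->cwnd += 1;
    }
}

/* Loss event indicated by a timeout. */
static void on_timeout(struct tcp_cc *c)
{
    c->ssthresh = c->cwnd / 2;          /* half the window at the time of loss */
    if (c->ssthresh < 1)                /* assumption: never below 1 MSS */
        c->ssthresh = 1;
    c->cwnd = 1;                        /* restart slow start */
}

/* Window used in round `round` (0-based) when the window sent in round
 * `lost_round` times out; pass lost_round < 0 for a loss-free transfer. */
static unsigned cwnd_in_round(unsigned ssthresh0, int lost_round, int round)
{
    struct tcp_cc c = { 1, ssthresh0 };
    for (int r = 0; r < round; r++) {
        if (r == lost_round)
            on_timeout(&c);
        else
            on_window_acked(&c);
    }
    return c.cwnd;
}

/* Sending rate in bit/s for a window of cwnd segments per RTT. */
static unsigned long rate_bps(unsigned cwnd, unsigned mss_bytes, unsigned rtt_ms)
{
    return (unsigned long)cwnd * mss_bytes * 8UL * 1000UL / rtt_ms;
}

int main(void)
{
    /* Initial rate from the text: MSS = 500 bytes, RTT = 200 ms. */
    printf("initial rate: %lu bit/s\n", rate_bps(1, 500, 200));

    /* Constructed scenario: ssthresh starts at 8 MSS, round 5 times out. */
    for (int r = 0; r <= 10; r++)
        printf("round %2d  cwnd = %2u MSS%s\n", r, cwnd_in_round(8, 5, r),
               r == 5 ? "  (timeout)" : "");
    return 0;
}
```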


Exercise: In this exercise we calculate the time used to send a 10 KB file. The size of the initial segment MSS was 1KB and the prefixed RTT was 100 ms. The sender has not received the ACK segment when sending the segment of size=4*MSS. In the next phase the segment of size 3*MSS has been transmitted correctly.

What was the total time necessary to send this file? What was the data rate for this transmission?

TD 3 The network layer: IP, ICMP and ARP protocols

Figure 1.

The network layer is also one of the most complex layers in the protocol stack. We begin our study with the fundamental role that addressing plays in delivering a packet to its destination host. The forwarding and routing are functions of the network layer.

Forwarding involves the transfer of a packet from an incoming link to an outgoing link within a single router. Routing involves all of a network’s routers, whose collective interactions via routing protocols determine the paths that packets take on their trips from source to destination node. We look at packet forwarding in the Internet, along with the celebrated Internet Protocol (IP). We investigate network-layer addressing and the IPv4 datagram format. Then we explore datagram fragmentation and the Internet Control Message Protocol (ICMP).

We also look into the IP-to-physical (MAC) address translation via the ARP protocol.

IP addressing scheme

The IP addressing scheme is based on two parts:

• network address (number) and
• host address (number)

The classical addressing scheme is fixed into 4 classes.
First byte in 32-bit address:

class A:      00000000 – 01111111  ...
class B:      10000000 – 10111111  ...
class C:      11000000 – 11011111  ...
class D:      11100000 – 11101111  ...

Exercise: Give the corresponding decimal values and the interpretation.
What is the problem with the usage of the class-based addressing scheme?

Classless addressing scheme:

Classless IP addresses mean that the address range is determined by the subnet mask. For example, the address 172.19.64.2 with subnet mask 255.255.255.0 has the range 172.19.64.0 - 255, because 255.255.255.0 corresponds to that range.

Exercise: Take the same address 172.19.64.2 and subnet mask 255.255.248.0; give the subnetwork address (number) and the range of host addresses on this network.
Give the broadcast address on this network.

Global and private IP addresses:

Some values of IP addresses are reserved for the “private” usage on the local networks where the hosts addresses are not integrated into the global addressing scheme.

24 bit block /8 prefix – from 10.0.0.0 to 10.255.255.255
20 bit block /12 prefix – from 172.16.0.0 to 172.31.255.255
16 bit block /16 prefix – from 192.168.0.0 to 192.168.255.255

Any user may use any of the reserved blocks. Typically, a network administrator will divide a block into subnets; for example, many home routers automatically use a default address range of 192.168.0.0 through 192.168.0.255 (192.168.0.0/24).

Example of IP addresses (host interface) :

lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:24:1d:78:35:b5 brd ff:ff:ff:ff:ff:ff
    inet 172.19.64.141/21 brd 172.19.71.255 scope global eth0
    inet6 fe80::224:1dff:fe78:35b5/64 scope link
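The mask arithmetic behind classless addressing and the three private blocks listed above, as an added example that is not part of the original sheet. The function names are hypothetical; the addresses are the ones used on this page (172.19.64.2 with mask 255.255.248.0, and the eth0 address 172.19.64.141/21).

```c
#include <stdio.h>
#include <stdint.h>

/* Build a host-order 32-bit address from four decimal bytes. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Prefix length of a subnet mask, or -1 if its 1 bits are not contiguous. */
static int prefix_len(uint32_t mask)
{
    uint32_t inv = ~mask;
    int n = 0;
    if ((inv & (inv + 1)) != 0)          /* ~mask must look like 0...01...1 */
        return -1;
    while (mask & 0x80000000u) {
        n++;
        mask <<= 1;
    }
    return n;
}

static uint32_t network_addr(uint32_t addr, uint32_t mask)
{
    return addr & mask;                  /* host bits cleared */
}

static uint32_t broadcast_addr(uint32_t addr, uint32_t mask)
{
    return (addr & mask) | ~mask;        /* host bits all set */
}

/* Assignable host addresses: everything between network and broadcast. */
static uint32_t host_count(uint32_t mask)
{
    int p = prefix_len(mask);
    if (p < 0 || p > 30)                 /* /31 and /32 have no such range */
        return 0;
    return (uint32_t)((1ULL << (32 - p)) - 2);
}

/* The three private blocks listed above: 10/8, 172.16/12, 192.168/16. */
static int is_private(uint32_t a)
{
    return (a & 0xFF000000u) == 0x0A000000u ||
           (a & 0xFFF00000u) == 0xAC100000u ||
           (a & 0xFFFF0000u) == 0xC0A80000u;
}

static const char *fmt(uint32_t a, char buf[16])
{
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
             (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
    return buf;
}

int main(void)
{
    uint32_t addr = ip4(172, 19, 64, 2), mask = ip4(255, 255, 248, 0);
    uint32_t net = network_addr(addr, mask), bc = broadcast_addr(addr, mask);
    char b1[16], b2[16];

    printf("prefix    : /%d\n", prefix_len(mask));
    printf("network   : %s\n", fmt(net, b1));
    printf("hosts     : %s - %s (%u addresses)\n", fmt(net + 1, b1), fmt(bc - 1, b2),
           (unsigned)host_count(mask));
    printf("broadcast : %s\n", fmt(bc, b1));
    printf("private   : %s\n", is_private(addr) ? "yes" : "no");
    return 0;
}
```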

IP protocol and the forwarding mechanisms

Here is the IP protocol header:

#include <stdint.h>
#include <netinet/in.h>   /* struct in_addr */

struct ip {
    unsigned int   ip_hl:4;   /* header length; both fields are 4 bits */
    unsigned int   ip_v:4;    /* version */
    uint8_t        ip_tos;    // type of service
    uint16_t       ip_len;    // length of packet
    uint16_t       ip_id;     // packet identifier
    uint16_t       ip_off;    // fragmentation flags (3 bits) and offset (13 bits)
    uint8_t        ip_ttl;    // time to live
    uint8_t        ip_p;      // protocol
    uint16_t       ip_sum;    // check sum
    struct in_addr ip_src;    // source address
    struct in_addr ip_dst;    // destination address
};

Exercise: Draw the IP header aligned to 32-bit words and explain the fields of the header.

Fragmentation

The IP packets are carried by physical frames; for example Ethernet or WiFi frames.
The maximum size of the data field in the Ethernet frame is 1500 bytes.
The fragmentation process uses ip_off field with 13-bit counter (modulo 8 ?).

Exercise: Given a 5 KB IP datagram, calculate the values of the fragment field in the fragments sent in Ethernet frames.
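How the ip_off values come out for a datagram split over Ethernet, as an added example that is not part of the original sheet. It assumes that 5 KB means a total length of 5000 bytes, that the IP header is 20 bytes without options, and that the 13-bit offset counts 8-byte units with the "more fragments" flag at 0x2000; the helper names are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

#define IP_MF      0x2000u   /* "more fragments" flag inside ip_off */
#define IP_OFFMASK 0x1fffu   /* 13-bit offset, counted in 8-byte units */

struct frag {
    uint16_t ip_len;   /* total length of this fragment, header included */
    uint16_t ip_off;   /* flags and offset, host byte order */
};

/* Split a datagram of total_len bytes (header included) for a link whose
 * frames carry at most mtu bytes. Returns the number of fragments written
 * to out[], or -1 on invalid input or when out[] is too small. */
static int fragment(unsigned total_len, unsigned hdr_len, unsigned mtu,
                    struct frag *out, int max)
{
    unsigned payload, chunk, sent = 0;
    int n = 0;

    if (hdr_len < 20 || total_len < hdr_len || total_len > 65535 || mtu < hdr_len + 8)
        return -1;
    payload = total_len - hdr_len;
    /* every fragment except the last carries a multiple of 8 payload bytes */
    chunk = ((mtu - hdr_len) / 8) * 8;

    do {
        unsigned this_len = payload - sent > chunk ? chunk : payload - sent;
        int last = (sent + this_len == payload);

        if (n == max)
            return -1;
        out[n].ip_len = (uint16_t)(hdr_len + this_len);
        out[n].ip_off = (uint16_t)(((sent / 8) & IP_OFFMASK) | (last ? 0 : IP_MF));
        sent += this_len;
        n++;
    } while (sent < payload);
    return n;
}

/* Small wrappers for the common case of a 20-byte header. */
static int frag_count(unsigned total_len, unsigned mtu)
{
    struct frag f[64];
    return fragment(total_len, 20, mtu, f, 64);
}

static unsigned frag_ip_off(unsigned total_len, unsigned mtu, int i)
{
    struct frag f[64];
    int n = fragment(total_len, 20, mtu, f, 64);
    return (i >= 0 && i < n) ? f[i].ip_off : 0xFFFFu;
}

static unsigned frag_ip_len(unsigned total_len, unsigned mtu, int i)
{
    struct frag f[64];
    int n = fragment(total_len, 20, mtu, f, 64);
    return (i >= 0 && i < n) ? f[i].ip_len : 0;
}

int main(void)
{
    int n = frag_count(5000, 1500);
    for (int i = 0; i < n; i++) {
        unsigned off = frag_ip_off(5000, 1500, i);
        printf("fragment %d: ip_len=%4u ip_off=0x%04X (MF=%u, offset=%u -> byte %u)\n",
               i, frag_ip_len(5000, 1500, i), off, (off & IP_MF) ? 1u : 0u,
               off & IP_OFFMASK, (off & IP_OFFMASK) * 8);
    }
    return 0;
}
```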

Internet Control Message Protocol (ICMP)

ICMP is used by hosts and routers to communicate network-layer information to each other. The most typical use of ICMP is for error reporting. For example, when running a Telnet, FTP, or HTTP session, you may have encountered an error message such as “Destination network unreachable.” This message had its origins in ICMP.

At some point, an IP router was unable to find a path to the host specified in your Telnet, FTP, or HTTP application. That router created and sent a type-3 ICMP message to your host indicating the error.

ICMP messages are carried inside IP datagrams. That is, ICMP messages are carried as IP payload, just as TCP or UDP segments are carried as IP payload. Similarly, when a host receives an IP datagram with ICMP specified as the upper-layer protocol, it demultiplexes the datagram’s contents to ICMP, just as it would demultiplex a datagram’s content to TCP or UDP.

ICMP messages have a type and a code field, and contain the header and the first 8 bytes of the IP datagram that caused the ICMP message to be generated in the first place (so that the sender can determine the datagram that caused the error).

struct icmp {
    unsigned char icmp_type;            /* message type */
    unsigned char icmp_code;            /* message code */
    unsigned short int icmp_cksum;      /* checksum */
    /* The following data structures are ICMP type specific */
    unsigned short int icmp_id;
    unsigned short int icmp_seq;
}; /* total icmp header length: 8 bytes (=64 bits) */

Remark: The reply messages identify the requests by returning the first 8 bytes of the request datagram.

Exercise: ICMP is used to implement several useful commands such as ping or traceroute.
Indicate how to use the ICMP messages (type, code) to build:
1. the ping command
2. the traceroute command

Address Resolution Protocol – ARP

struct arp
{
    unsigned short arp_htype;     /* ARP Hardware Format */
    unsigned short arp_ptype;     /* ARP Protocol Format */
    unsigned char arp_haddr;      /* ARP Hardware Address Length */
    unsigned char arp_paddr;      /* ARP Protocol Address Length */
    unsigned short arp_op;        /* ARP Opcode */
    unsigned char arp_hsrc[6];    /* ARP Sender Ethernet Address */
    unsigned char arp_psrc[4];    /* ARP Sender IP Address */
    unsigned char arp_hdst[6];    /* ARP Target Ethernet Address */
    unsigned char arp_pdst[4];    /* ARP Target IP Address */
};

On a local network the hosts communicate using physical addresses (also called MAC addresses). The MAC addresses are coded on 48 bits (6 bytes); the question is how to associate the IP addresses to the MAC addresses. This work is done by the ARP protocol.

Explain the usage of broadcast addresses in MAC frames. Note that the hosts maintain the ARP cache containing the associations between the IP and MAC addresses (this cache is regenerated automatically after the predefined period, for instance 30s).

TD4

Local Area Networks (LAN) : 802.3 or Ethernet

Multiple Access Control (MAC) protocols

The physical links may be shared statically or dynamically by several transmissions; each transmission operating at “logic link” layer.

The static sharing or multiplexing is easy to implement. It is based on time sharing with the use of identical time slots. In this way each station (emitter) takes in turn the control of the medium. If there are N stations there are N consecutive slots each one used by only one (the same) station. It is easy to show that the static sharing is not effective when the participating stations do not have the data to send in all allocated time slots.

Exercise

Let us take a simple 1 km bus, with the data rate of 10 Mb/s. The time slot corresponds to 100 bits sent. After the transmission each station waits at least the RTT on the bus in order to let the signal attenuate over the medium.

On this bus, what is the effective data rate for 1, 10, 100 stations?

Dynamic multiple access control (MAC)

In order to increase the effective use of the physical data rate we have introduced a number of more and more efficient dynamic sharing protocols. Initially we may try to send the data frames on the bus without any coordination – this is called pure Aloha protocol. A better solution is to apply the basic synchronization scheme in a way that the station may start emission only at the beginning of a time slot corresponding to the size of the frame – this is called synchronized or slotted protocol.

The efficiency of pure and slotted Aloha protocol

The following figure shows a scenario of frame transmissions for 3 host stations using synchronized Aloha. The slot letter C means collision, S success, and E empty slot.

The equation that relates the network load (G) to the efficiency or success (S) to transmit the frame without collision is given by:

$$S = \text{Load} \cdot P_S = G \, e^{-G}$$

where $P_S$, the probability of success, corresponds to the probability that there are no other frames in emission. This is given by:

$$P_0 = \frac{G^0 e^{-G}}{0!} = e^{-G}$$

Remark: The value of load for the pure Aloha must be calculated on two slots – this time is called vulnerability period.

Exercise
Find the optimal load (when the number of successes is the highest) for pure and slotted Aloha.

CSMA, CSMA/CD, and the Ethernet protocol

The first essential improvement to Aloha protocol is the introduction of carrier sense (CS) mechanism. This gives us CSMA protocol. With CSMA the emitter does not emit if the bus (carrier) is occupied by another transmission. We can show that the efficiency of this solution approaches 60%. But there is still the problem of immediate collision between 2 or more stations at the moment when they detect that the bus is free. The second improvement consists in the introduction of back-off mechanism. In this case the emission of the data is delayed by a random number of time slots; the bigger this number is, the less probable the collision is.

Question: what is the trade-off for the lower probability of collision?

Still with the CSMA when the collision occurs, the whole frame is destroyed.
In order to react as fast as possible on the collision occurrence we have added the mechanism called collision detection (CD). As we will see later, collision detection is easy to implement on the wired bus, but almost impossible on the wireless channel.

Exercise
Evaluate the minimal size of the frame for collision detection on the 1 km bus with 10 Mb/s data rate.

Ethernet protocol and Frame

Ethernet is CSMA/CD protocol with adaptive back-off. At the beginning the back-off is 0 slots; then, after each consecutive collision, the back-off is spread on 2, 4, 8, .., 1024 slots.

Explain the fields of the Ethernet frame.
The MAC addresses are built from 6 bytes (48 bits). A broadcast Ethernet address is: ff:ff:ff:ff:ff:ff
Why is the minimal size of the Ethernet frame (10 Mb/s and 100 Mb/s) 8+64 bytes?

Exercise
For Ethernet protocol the basic time slot is 51 µs, and the inter-frame time gap is about 9 µs. The data rate is 10 Mb/s and we have to send a frame with 1500 bytes of data. At the beginning there are 3 consecutive collisions. What is the total transaction time (the time for 3 collisions plus the transmission of the data frame)?

Switched Ethernet

The introduction of switches between the Ethernet links separates the physical network into several parts with smaller number of hosts entering into collision (or none if there is one switch entry per host). Remark that the whole network with the integrated switches has the same IP network address.

Additional advantage:
The simple links between the switches and the host and switches may be active in full duplex.

Some typical parameters of switches:
- number and compatibility types of interfaces: 10, 100, 1000 Mb/s
- size of buffers (to store the multiple frames to be forwarded to the same interface)

Problem
The Ethernet interfaces have the MAC addresses fixed by the manufacturers. How does the switch know on which output interface to forward the incoming frame?

TD5

Wireless Local Area Networks – Wifi or 802.11 (a, b, g, n)

Wifi channels, protocol and frames

Wifi channels

In France the 802.11.g standard operates on 13 channels starting from 2.412 GHz. Each channel is 22 MHz wide with a 5 MHz space between them (central frequency). For example channels 1, 6 and 11 are non-overlapping.

Exercise
Calculate the frequency band of channel 6 and channel 11.

Wifi protocol and frames

The basic WiFi structure is connected to distribution network (Internet) by access points (AP), that is called BSS for basic service set. Note that WiFi protocol operates also with an ad-hoc configuration where the mobile hosts communicate directly between themselves.

WiFi (IEEE 802.11.x) uses CSMA/CA (collision avoidance) protocol on each radio channel. First it implies that the initial back-off value is not 0 slot, but something like 32 or 64 slots. Then, after the “capture” of the channel, the WiFi frames contain a time reservation vector, a value that indicates how long the transmission will take place. This value covers the time to send the data frame plus the time to receive the acknowledgment frame for this transaction. During this period all other stations must stay quiet. Note that WiFi protocol uses the acknowledgment frame; on the radio channel this is the only way to know if the data frame has been received correctly.

On the figure above note Inter Frame slots: DIFS, SIFS and back-off sequence with short frame slots.
Explain why the CSMA/CA protocol starts with the back-off of 32 or 64 slots (recall that Ethernet starts with 1 slot).

WiFi (MAC) frame header

Explain the WiFi frame: why are there 4 MAC addresses? What is the meaning of control fields?
Note that there are many types/subtypes of frames: Management, Control, and Data frames.
Some of these frames are used to provide the accessibility and security: Assignment, Association, encryption, ..

Exercise
IEEE 802.11.g - useful data rate

Let us take a WiFi link with data rate dr and a standard WiFi frame with synchronization and control fields. The data field contains 1500 bytes.

A complete transaction implies 5 stages/periods:
• interframe period – difs (50 µs)
• average backoff period - bofp (from 0 to 31 slots) - each slot st (20 µs)
• frame transmission including:
  - synchronization: 192 bits at 1 Mb/s; this is the part of physical layer (coding, modulation) where the receiver and sender choose the modulation type/rate for the incoming transmission (it may depend on the distance from Access Point)
  - overhead with 34 bytes (MAC header and CRC) sent with 2, 11, 54 Mb/s
• short inter-frame spacing - sifs - 10 µs
• acknowledge frame af with 192 bits at 1 Mb/s and 14 bytes of data: 2, 11, 54 Mb/s

Evaluate the efficiency of the protocol for different link data rates (2, 11, and 54 Mb/s):
efficiency = user_data_rate/radio_link_data_rate

Take max data field size: 2312 bytes.

Page 27: TD1: Introduction - protocol layers and addressingTD1: Introduction - protocol layers and addressing Part 1 A short study of protocol stack (Internet stack) 1. The four layers in the
Page 28: TD1: Introduction - protocol layers and addressingTD1: Introduction - protocol layers and addressing Part 1 A short study of protocol stack (Internet stack) 1. The four layers in the

IEEE 803.11 ac

IEEE 802.11ac is an amendment to IEEE 802.11, that builds on 802.11n.Changes compared to 802.11n include wider channels (80 or 160 MHz versus 40 MHz) in the 5 GHz band, more spatial streams (up to eight versus four), higher-order modulation (up to 256-QAM vs. 64-QAM), and the addition of MU-MIMO. High-end implementations support 80 MHz channels, three spatial streams, and 256-QAM, yielding a data rate of up to 433.3 Mbit/s per spatial stream, 1300 Mbit/s total, in 80 MHz channels in the 5 GHz band.Vendors have announced plans to release so-called "Wave 2" devices with support for 160 MHzchannels, four spatial streams, and MU-MIMO.

Question

What is the digital modulation used in IEEE 802.11ac?

Explain the characteristics of the channels, the spatial streams and operational mode of MU-MIMO.


WiFi and security (Wi-reless Fi-delity)

The radio transmission may be captured freely by any receiver close to the mobile station.

The first step is association. The association is possible if the mobile station knows the MAC address of the Access Point. This may be done actively by the mobile station sending the request frame – probe (it contains the supported data rates and so on) or passively by receiving the beacon frame sent periodically by the base station. The following data transmission may be protected through authentication and data encryption.

Study the basics of the following kinds of security/authentication and encryption:

1. open authentication (how to protect the data?, what cannot be protected)

2. WEP (Wired Equivalent Privacy) based authentication and encrypting (symmetric key generated once for each session) – no cryptographic integrity protection (only CRC)

3. WPA1 based authentication and encrypting: WEP+TKIP (Temporal Key Integrity Protocol - key generated for each frame)

4. WPA2 based on CCMP (Counter Cipher Mode) protocol (an AES-based encryption mechanism) – mandatory implementation since 2006

Case study

WEP based protection: show how one can “crack” the WEP key

The result of airodump-ng mon1 command (in monitor mode)

OPN – no authentication required

WEP – only WEP key enabled (authorization and cipher)

WPA - cipher TKIP/CCMP + MGT/PSK authorization key


The ways/methods to decipher the installation/connection key:

• Passive attacks to decrypt traffic: These are based on statistical analysis (WEP)

• Active attacks to inject new traffic from unauthorized mobile stations: These are based on known plaintext (WEP)

• Active attacks to decrypt traffic: These are based on tricking the access point (WEP).

• Dictionary-building attacks: These are possible after analyzing enough traffic on a busy network (WPA).

The problems with the WEP algorithm. Check out these bugbears in the WEP initialization vector:

• The IV is too small and in cleartext. It's a 24-bit field sent in the cleartext portion of a message. This 24-bit string, used to initialize the key stream generated by the RC4 algorithm, is a relatively small field when used for cryptographic purposes.

• The IV is static. Reuse of the same IV produces identical key streams for the protection of data, and because the IV is short, it guarantees that those streams will repeat after a relatively short time (between 5 and 7 hours) on a busy network.

• The IV makes the key stream vulnerable. The 802.11 standard does not specify how the IVs are set or changed, and individual wireless adapters from the same vendor may all generate the same IV sequences, or some wireless adapters may possibly use a constant IV. As a result, hackers can record network traffic, determine the key stream, and use it to decrypt the ciphertext.

• The IV is a part of the RC4 encryption key. The fact that an eavesdropper knows 24-bits of every packet key, combined with a weakness in the RC4 key schedule, leads to a successful analytic attack that recovers the key after intercepting and analyzing only a relatively small amount of traffic. Such an attack is so nearly a no-brainer that it's publicly available as an attack script and as open-source code.

• WEP provides no cryptographic integrity protection. However, the 802.11 MAC protocol uses a non-cryptographic Cyclic Redundancy Check (CRC) to check the integrity of packets, and acknowledges packets that have the correct checksum. The combination of non-cryptographic checksums with stream ciphers is dangerous — and often introduces vulnerabilities. The classic case? You guessed it: WEP.

There is an active attack that permits the attacker to decrypt any packet by systematically modifying the packet and its CRC, sending it to the AP, and noting whether the packet is acknowledged. These kinds of attacks are often subtle, and it is now considered risky to design encryption protocols that do not include cryptographic integrity protection, because of the possibility of interactions with other protocol levels that can give away information about ciphertext.

Only one of the problems listed above depends on a weakness in the cryptographic algorithm. Remember that IVs are the 24-bit values that are pre-pended to the secret key and used in the RC4 cipher. The IV is transmitted in plaintext. The reason we have IVs is to ensure that the value used as a seed for the RC4 PRNG is always different.

The key, whether it's 64 or 128 bits, is a combination of a shared secret and the IV. The IV is a 24-bit binary number. Do we choose IV values randomly? Do we start at 0 and increment by 1? Or do we start at 16,777,215 and decrement by 1? Most implementations of WEP initialize hardware using an IV of 0 and increment by 1 for each packet sent. Because every packet requires a unique seed for RC4, you can see that at higher volumes, the entire 24-bit space can be used up in a matter of hours. Statistical analysis shows that all possible IVs (2^24) are exhausted in about 5 hours. Then the IV re-initializes, starting at 0, every 5 hours.
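The IV-reuse and CRC points above, shown on a toy in-memory model of WEP framing; this is an added example, not part of the original handout. The secret, IV and payloads are constructed, the frame layout is simplified (no 802.11 header or key ID byte), and the function names are this example's own.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (key schedule, then generation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """Cleartext 3-byte IV, then (data || ICV) XOR RC4(IV || secret)."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + secret, len(body)))

def wep_open(secret: bytes, frame: bytes):
    """Return the data if the ICV matches after decryption, else None."""
    body = xor(frame[3:], rc4(frame[:3] + secret, len(frame) - 3))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

# Constructed sample values, not taken from any real network.
SECRET = bytes.fromhex("0102030405")   # 40-bit shared secret ("64-bit" WEP)
IV = b"\x00\x00\x01"
P1, P2 = b"GET /index.html ", b"user=alice&id=42"

def iv_reuse_cancels_keystream() -> bool:
    """Two frames under one IV: c1 XOR c2 equals p1 XOR p2, no key needed."""
    c1, c2 = wep_seal(IV, SECRET, P1)[3:], wep_seal(IV, SECRET, P2)[3:]
    return xor(c1[:16], c2[:16]) == xor(P1, P2)

def crc_accepts_altered_frame():
    """CRC-32 is linear, so a bit change plus its CRC delta passes wep_open."""
    delta = bytes(15) + b"\x01"                       # flip one data bit
    patch = delta + xor(icv(delta), icv(bytes(16)))   # matching ICV change
    frame = wep_seal(IV, SECRET, P1)
    return wep_open(SECRET, frame[:3] + xor(frame[3:], patch))
```

A keyed message integrity code, as used by the later protocols in the list above, does not have this linear relation to the data, so the receiver would reject the altered frame.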


The active steps to decrypt a WEP key rapidly (a few minutes) are:

1. Switch your wifi into monitor mode – you obtain a monitor interface

2. Scan the network and look for WEP enabled Access Points (we mean your own Access Points)

3. Look for hosts connected to the selected Access Point

4. Change your monitor MAC address to the selected/connected host MAC (spoofing)

5. Start sniffing ARP packets and reinject them into network

6. Start to register generated data traffic (dump)

7. Start WEP key cracking


TD6

Access and Wide Area Networks (WAN)

Access networks (links): ADSL/FTTH

The principle of ADSL (Asymmetrical Digital Subscriber Line) is the use of twisted-pair cable (initial telephone loop) to carry digital data with a data rate up to 22 Mb/s (ADSL2). ADSL uses DMT modulation with maximal 1024-QPSK over a total 2.2 MHz bandwidth. To obtain the highest data rate the length of the line should not exceed 1.5 km.

Figure 1 ADSL1


Exercise:

Take 512 carriers for the ADSL1 bandwidth (1.1 MHz). What is the bandwidth per DMT channel? What is the spectrum efficiency for each DMT channel to obtain globally 11 Mb/s?

Question:

Typical installation with ADSL and FTTH lines.

PPP (point-to-point) protocol

The access to the Internet services (infrastructure) is done using Ethernet frames and the PPP protocol.

Each Ethernet frame contains a PPP link-frame:

– at the initial phase the PPP link control field allows us to establish a link connection/session with the ISP concentrator that is connected to the router.

– The router provides the dynamic address via the DHCP protocol, communicating the WAN address and the addresses of the gateway and DNS servers


Discussion:

Comment on the IP addresses provided in the first part of the figure above.

Comment on the attenuations and data rates (what is the distance between the ONU and user premises?)

The following guide (distance vs. attenuation vs. speed) gives you a guesstimate of what you can achieve:

1.0km = 13.81dB = 23Mbit
1.5km = 20.7dB = 21Mbit
2.0km = 27.6dB = 18Mbit
2.5km = 34.5dB = 13Mbit
3.0km = 41.4dB = 8Mbit
3.5km = 48.3dB = 6Mbit
4.0km = 56dB = 4Mbit
4.5km = 62.1dB = 3Mbit
5.0km = 69dB = 2Mbit


WANs

Long distance communication with the Internet involves the usage of numerous routers. First your packets are forwarded via the autonomous routing system belonging to your service provider, then the packets travel over global Internet system routers and backbones. All routers are connected via optical links. In the mid-range area of several kilometers these may be optical Ethernet links (1 Gb/s, 10 Gb/s, and 100 Gb/s). At the global level synchronous optical infrastructure (SDH, SONET) is used. This structure is operated on a global scale by telecom services providers (AT&T, Orange, ..). SDH/SONET data rates (payload) go from 50.1 Mb/s – OC-1 to 34.49 Gb/s – OC-768 (the line rates are 10% higher).

The architecture of the optical network is shown in the figure above. The network consists of optical line terminals (OLTs), optical add/drop multiplexers (OADMs), and optical crossconnects (OXCs) interconnected via fiber links. Not shown in the figure are optical line amplifiers, which are deployed along the fiber link at periodic locations to amplify the light signal. In addition, the OLTs, OADMs, and OXCs may themselves incorporate optical amplifiers to make up for losses. OLTs are widely deployed, and OADMs are deployed to a lesser extent. OXCs are just beginning to be deployed.

Ethernet Over SDH (EoS or EoSDH) or Ethernet over SONET refers to a set of protocols which allow Ethernet traffic to be carried over synchronous digital hierarchy networks in an efficient and flexible way. The same functions are available using SONET (a predominantly North American standard).

Ethernet frames which are to be sent on the SDH link are sent through an "encapsulation" block (typically Generic Framing Procedure or GFP) to create a synchronous stream of data from the asynchronous Ethernet packets. The synchronous stream of encapsulated data is then passed through a mapping block which typically uses virtual concatenation (VCAT) to route the stream of bits over one or more SDH paths. As this is byte interleaved, it provides a better level of security compared to other mechanisms for Ethernet transport.

Discussion: How does the multiplexing work and how is the SDH system synchronized?


Routers

IP routers are complex and powerful devices. They may incorporate tens or hundreds of inputs/outputs (inlets/outlets) and complex forwarding mechanisms based on routing protocols. The routing protocols differ between autonomous systems (ISPs), which use internal routing protocols (IRP – RIP, OSPF), and global systems, which use external routing protocols or gateway/border (ERP/BRP) protocols.

The process of forwarding involves the usage of internal buffers to queue the IP packets before their transmission on the output interfaces. The queuing takes much space and time.

Let us concentrate on two problems.

• Forwarding/retransmission over several routers

• Buffering packets – number of the packets in the buffer.

Exercise

Let us take a routing path with N=10 routers (10 hops), and a file to transmit of size F=64KB.

a. Knowing that the average data rate is 1 Mb/s and that the file is sent as one packet (no segmentation), how long is the overall transmission of this file?

b. Now take the file segmented into 10 segments and add 100 bytes to each segment (identification); what is the overall transmission time?

c. Find the optimal size (shortest overall transmission) of the segments (IP packets) to be sent.

Exercise

Let us take a simple router with 4*4 inputs/outputs. The fixed size frames arrive at the inputs with the traffic intensity of TI=0.8. Inside the router each output is provided with a buffer to keep 1 frame (the current frame is sent directly on the output). Assume that the incoming traffic is regular; what is the probability that a frame must be dropped (lack of place in the output buffer)?