ccn module i part2

Upload: aravind

Post on 07-Apr-2018


  • 8/6/2019 CCN MODULE I PART2

    1/89

EECC694 -- Shaaban #1 lec #3 Spring 2000 3-14-2000

The OSI Reference Model

Data Link Layer: Virtual vs. Actual Communication

(Figure: virtual communication vs. actual communication)

The Data Link Layer Functions

Concerned with reliable, error-free and efficient communication between adjacent machines in the network through the following functions:

1. Data Framing: The term frame refers to a small block of data used in a specific network. The data link layer groups raw data bits to/from the physical layer into discrete frames with error detection/correction code bits added. Framing methods:
   Character count.
   Starting and ending characters, with character stuffing.
   Starting and ending flags, with bit stuffing.
   Physical layer coding violations.

2. Error Detection/Correction:
   Error Detection: Include enough redundant information in each frame to allow the receiver to deduce that an error has occurred, but not which error, and to request a retransmission. Uses error-detecting codes.
   Error Correction: Include redundant information in the transmitted frame to enable the receiver not only to deduce that an error has occurred but also to correct the error. Uses error-correcting codes.

The Data Link Layer Functions

3. Services to the network layer:
   Unacknowledged connectionless service: Independent frames are sent without having the destination acknowledge them. Suitable for real-time data such as speech and video, where transmission speed is more important than absolute reliability. Utilized in most LANs.
   Acknowledged connectionless service: Each frame sent is acknowledged by the receiver. Acknowledgment at the data link layer is not essential, but it provides more efficiency than acknowledgment at higher layers (transport), which is done only for the whole message. A lost acknowledgment may cause a frame to be sent and received several times.

The Data Link Layer Functions

   Acknowledged connection-oriented service: The sender and receiver establish a connection before any data transmission. The message is broken into numbered frames. The data link layer guarantees that each frame sent is received exactly once and in the right order.

4. Flow control: Protocols that control the rate at which the sender transmits frames so that it stays acceptable to the receiver, together with the ability to retransmit lost or damaged frames. This ensures that slow receivers are not swamped by fast senders and further aids error detection/correction. Several flow control protocols exist, but all essentially require a form of feedback to make the sender aware of whether the receiver can keep up.
   Stop-and-wait protocols: A positive acknowledgment frame is sent by the receiver to indicate that the frame has been received and that the receiver is ready for the next frame. Positive Acknowledgment with Retransmission (PAR) uses timeouts.
   Sliding window protocols: Data frames and acknowledgement frames are mixed in both directions. Frames sent contain sequence numbers. Timeouts are used to initiate retransmission of lost frames.
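The two failure modes just described (a lost frame, and a lost acknowledgment that makes the receiver see the same frame twice unless frames carry sequence numbers) can be traced in a small stop-and-wait PAR simulation. This is an added example, not code from the lecture; the lossy channel is constructed by listing which transmission counters the channel drops, so the runs are deterministic.

```python
"""Stop-and-wait with Positive Acknowledgment and Retransmission (PAR) over a
lossy link. Constructed simulation: the channel drops exactly the transmissions
the caller lists. Two receivers are compared: one that ignores sequence numbers
and one that uses a 1-bit sequence number to discard duplicates."""
from dataclasses import dataclass


@dataclass
class Frame:
    seq: int        # 1-bit sequence number (0 or 1), alternating frame by frame
    payload: str


def run_par(payloads, lost_frames=frozenset(), lost_acks=frozenset(),
            use_seq=True, max_tries=4):
    """Send `payloads` one frame at a time; return (payloads the receiver
    delivered to its network layer, number of data-frame transmissions).

    `lost_frames` / `lost_acks` hold transmission counters (1, 2, 3, ...) at
    which the channel loses the data frame or its acknowledgment. Either loss
    makes the sender time out and resend the same frame (PAR). With `use_seq`
    the receiver delivers only the frame whose sequence number it expects and
    merely re-acknowledges a duplicate."""
    delivered, expected, tx = [], 0, 0
    for i, payload in enumerate(payloads):
        frame = Frame(seq=i % 2, payload=payload)
        for _ in range(max_tries):
            tx += 1
            if tx in lost_frames:
                continue                      # frame lost: timeout, resend
            # --- receiver side ---
            if not use_seq or frame.seq == expected:
                delivered.append(frame.payload)
                expected ^= 1                 # next frame must carry the other seq
            # a duplicate (seq != expected) is dropped but still acknowledged
            if tx in lost_acks:
                continue                      # ack lost: sender times out, resends
            break                             # ack received: move to next frame
        else:
            raise RuntimeError(f"gave up on frame {i} after {max_tries} tries")
    return delivered, tx


if __name__ == "__main__":
    # Transmission 2 carries "B"; its ack is lost, so "B" is sent again as 3.
    print("with seq numbers:   ", run_par(["A", "B", "C"], lost_acks={2}))
    print("without seq numbers:", run_par(["A", "B", "C"], lost_acks={2}, use_seq=False))
```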

Placement of the Data Link Protocol

(Figure: data channel between adjacent routers/hosts)

Data Link Layer: Framing

The character count method: The frame header includes the count of characters in the frame. A transmission error can corrupt the count, causing the source and destination to get out of synchronization. Rarely used in actual data link protocols.

(Figure: a character stream with no errors; a character stream with one error)

Data Link Layer: Framing

Using starting and ending characters, with character stuffing: Each frame starts with the ASCII character sequence DLE (Data Link Escape) STX (Start of TeXt) and ends with DLE ETX (End of TeXt). When binary data is transmitted in which DLE STX or DLE ETX can occur in the data, character stuffing is used (an additional DLE is inserted in the data before each DLE). Limited to 8-bit characters and ASCII.

(Figure: network layer data at the sender; data after character stuffing by the data link layer at the sender; network layer data at the receiver)

Data Link Layer: Framing

Bit-oriented framing using start/end flags: Each frame begins and ends with the flag 01111110. Bit stuffing: after each five consecutive ones in the data a zero is stuffed. Stuffed zero bits are removed by the data link layer at the receiving end.

(Figure: the original data; data appearing on the line after bit stuffing; data received after destuffing)
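The two stuffing methods of the last two slides, written out as sender and receiver routines. This is an added example, not the lecture's code; the byte and bit strings it is run on are constructed. The receivers also reject the malformed inputs the slides do not discuss (a stream that ends inside a frame, a lone DLE, six consecutive ones inside a frame).

```python
"""Framing with character stuffing (DLE STX ... DLE ETX) and bit stuffing
(01111110 flags), sender and receiver sides."""

DLE, STX, ETX = 0x10, 0x02, 0x03     # ASCII Data Link Escape, Start/End of Text
FLAG = "01111110"                    # bit-oriented frame delimiter


def char_stuff(payload: bytes) -> bytes:
    """Sender: double every DLE inside the data, then wrap in DLE STX ... DLE ETX."""
    body = payload.replace(bytes([DLE]), bytes([DLE, DLE]))
    return bytes([DLE, STX]) + body + bytes([DLE, ETX])


def char_unstuff(stream: bytes) -> list:
    """Receiver: recover every frame from a byte stream. Inside a frame, DLE must
    be followed by DLE (stuffed data byte) or ETX (end of frame)."""
    frames, i, n = [], 0, len(stream)
    while i < n:
        if not (stream[i] == DLE and i + 1 < n and stream[i + 1] == STX):
            i += 1                          # inter-frame noise: skip to DLE STX
            continue
        i += 2
        buf = bytearray()
        while True:
            if i >= n:
                raise ValueError("stream ended inside a frame")
            b = stream[i]
            if b != DLE:
                buf.append(b)
                i += 1
                continue
            if i + 1 >= n:
                raise ValueError("stream ended inside a frame")
            nxt = stream[i + 1]
            i += 2
            if nxt == DLE:
                buf.append(DLE)             # stuffed DLE DLE -> one data DLE
            elif nxt == ETX:
                frames.append(bytes(buf))
                break
            else:
                raise ValueError("unexpected DLE sequence inside frame")
    return frames


def bit_stuff(bits: str) -> str:
    """Sender: insert a 0 after every run of five 1s, then add the flags."""
    out, run = [], 0
    for b in bits:
        out.append(b)
        run = run + 1 if b == "1" else 0
        if run == 5:
            out.append("0")
            run = 0
    return FLAG + "".join(out) + FLAG


def bit_unstuff(line: str) -> list:
    """Receiver: split on flags (stuffed data never contains six 1s, so a flag
    cannot occur inside a frame) and drop the 0 that follows five 1s."""
    frames = []
    for chunk in line.split(FLAG):
        if not chunk:
            continue                        # back-to-back flags between frames
        out, run, i = [], 0, 0
        while i < len(chunk):
            out.append(chunk[i])
            run = run + 1 if chunk[i] == "1" else 0
            if run == 5:
                if i + 1 < len(chunk) and chunk[i + 1] != "0":
                    raise ValueError("six 1s inside a frame: missing stuffed 0")
                i += 1                      # skip the stuffed 0
                run = 0
            i += 1
        frames.append("".join(out))
    return frames


if __name__ == "__main__":
    print(char_stuff(b"A\x10B").hex(" "))
    print(bit_stuff("011011111111111111110010"))   # constructed sample data
```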

Data Link Layer: Error Detection/Correction

Simplest error detection: parity bits and checksum (sum of 1s in the data).

Error-detecting and -correcting codes:
m data bits + r redundant bits are added; n = m + r bits are transmitted in the frame.
Only 2^m code words out of the 2^(m+r) possible words are legal.
The Hamming distance of a code (the minimum number of positions in which any two legal code words differ) defines its error detection/correction ability:
To detect d errors, the code Hamming distance must be d + 1.
To correct d errors, the code Hamming distance must be 2d + 1.
Some codes are more suitable for correcting burst errors rather than isolated errors.
Polynomial codes, Cyclic Redundancy Check (CRC) codes, are characterized by a generating polynomial G(x).
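The distance rules above, checked on two concrete codes: an even-parity code (r = 1) and a Hamming(7,4) code. This is an added example, not part of the lecture; the code-word layout used for Hamming(7,4) (p1 p2 d1 p3 d2 d3 d4) is one standard arrangement and is assumed here.

```python
"""Hamming distance of a block code and what it buys: a distance of d + 1
detects d errors, a distance of 2d + 1 corrects d errors."""
from itertools import combinations, product


def hamming_distance(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def code_distance(codewords) -> int:
    """Minimum distance between any two distinct legal code words."""
    return min(hamming_distance(a, b) for a, b in combinations(codewords, 2))


def capabilities(codewords) -> dict:
    d = code_distance(codewords)
    # distance d detects d - 1 errors and corrects floor((d - 1) / 2) errors
    return {"distance": d, "detect": d - 1, "correct": (d - 1) // 2}


def even_parity_code(m: int) -> list:
    """m data bits + 1 parity bit (r = 1): 2^m legal words out of 2^(m+1)."""
    words = []
    for bits in product("01", repeat=m):
        data = "".join(bits)
        words.append(data + str(data.count("1") % 2))
    return words


def hamming_7_4_code() -> list:
    """Hamming(7,4): 4 data bits + 3 check bits, code word p1 p2 d1 p3 d2 d3 d4
    (assumed layout; each check bit is the parity of three data bits)."""
    words = []
    for d1, d2, d3, d4 in product((0, 1), repeat=4):
        p1 = d1 ^ d2 ^ d4
        p2 = d1 ^ d3 ^ d4
        p3 = d2 ^ d3 ^ d4
        words.append("".join(map(str, (p1, p2, d1, p3, d2, d3, d4))))
    return words


def decode(received: str, codewords) -> tuple:
    """Nearest-code-word decoding: (chosen code word, bits it changed)."""
    best = min(codewords, key=lambda w: hamming_distance(received, w))
    return best, hamming_distance(received, best)


def flip(word: str, *positions) -> str:
    bits = list(word)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


if __name__ == "__main__":
    print("parity(3):    ", capabilities(even_parity_code(3)))
    print("Hamming(7,4): ", capabilities(hamming_7_4_code()))
```

A two-bit error in the Hamming(7,4) code still lands outside the set of legal words (so it is detected), but nearest-code-word decoding then picks the wrong neighbour, which is the detect-vs-correct trade-off the slide states.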

Cyclic Redundancy Check (CRC)

Based on polynomial arithmetic over a finite field.
View an m-bit string a_{m-1} a_{m-2} ... a_0 as a polynomial of degree m-1:
M(x) = a_{m-1} x^{m-1} + a_{m-2} x^{m-2} + ... + a_0
Select a generating polynomial G(x) of degree r.
Let R(x) be the remainder of x^r M(x) / G(x).
The code word T(x) of length m + r bits generated is then given by:
T(x) = x^r M(x) - R(x)
Assume code word T(x) is transmitted, but T(x) + E(x) arrives at the receiver:
If E(x) = 0 then there were no transmission errors and the remainder of T(x) / G(x) is 0.
If E(x) ≠ 0 then transmission error(s) occurred and the remainder of [T(x) + E(x)] / G(x) is ≠ 0.

Calculation of Polynomial Code (CRC) Checksum

1. For a generating polynomial G(x) of degree r, append r zero bits to the low-order end of the frame. The frame now has m + r bits.
2. Divide the bit string corresponding to G(x) into the bit string x^r M(x), modulo 2.
3. Subtract the remainder R(x) from the bit string x^r M(x), modulo 2.

Frame: 1 1 0 1 0 1 1 0 1 1
Generator: 1 0 0 1 1, i.e. G(x) = x^4 + x + 1
Message after appending four 0s: 1 1 0 1 0 1 1 0 1 1 0 0 0 0
Remainder: 1110
Transmitted frame: 1 1 0 1 0 1 1 0 1 1 1 1 1 0
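The three steps above, run on the slide's own frame 1101011011 and generator 10011 so the remainder 1110 and transmitted frame 11010110111110 can be reproduced. This is an added example, not the lecture's code. It goes slightly beyond the slide: the receiver-side check is included, and an exhaustive test shows that this G(x) catches every burst of up to r = 4 bits but not every burst of 5 (an error pattern equal to G(x) itself divides evenly and is missed).

```python
"""CRC by modulo-2 long division, worked on the lecture's frame 1101011011 with
generator 10011 (G(x) = x^4 + x + 1)."""
from itertools import product


def poly_to_bits(exponents) -> str:
    """Generator given by its exponents, e.g. (4, 1, 0) for x^4 + x + 1 -> '10011'."""
    exps = set(exponents)
    return "".join("1" if k in exps else "0" for k in range(max(exps), -1, -1))


def mod2_remainder(dividend: str, divisor: str) -> str:
    """Remainder of dividend / divisor over GF(2) (XOR replaces subtraction),
    returned as the low r = len(divisor) - 1 bits."""
    r = len(divisor) - 1
    work = list(dividend)
    for i in range(len(dividend) - r):
        if work[i] == "1":                        # leading bit set: XOR in G
            for j, g in enumerate(divisor):
                work[i + j] = "1" if work[i + j] != g else "0"
    return "".join(work[-r:])


def crc_encode(message: str, generator: str) -> str:
    """T(x) = x^r M(x) - R(x): append r zeros, divide, put R in their place."""
    r = len(generator) - 1
    return message + mod2_remainder(message + "0" * r, generator)


def crc_check(frame: str, generator: str) -> bool:
    """Receiver: accept only a frame that is exactly divisible by G(x)."""
    return set(mod2_remainder(frame, generator)) == {"0"}


def flip(frame: str, *positions) -> str:
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


def all_bursts_detected(frame: str, generator: str, max_len: int) -> bool:
    """Try every burst error of length 1..max_len (first and last bit of the
    burst flipped, any pattern in between) and confirm each is rejected."""
    n = len(frame)
    for k in range(1, max_len + 1):
        for start in range(n - k + 1):
            middle = range(start + 1, start + k - 1)
            for mask in product((0, 1), repeat=len(middle)):
                positions = {start, start + k - 1}
                positions |= {p for p, m in zip(middle, mask) if m}
                if crc_check(flip(frame, *positions), generator):
                    return False               # E(x) divisible by G(x): missed
    return True


if __name__ == "__main__":
    G = poly_to_bits((4, 1, 0))
    frame = crc_encode("1101011011", G)
    print("G =", G, "remainder =", frame[-4:], "transmitted =", frame)
    print("bursts <= 4 detected:", all_bursts_detected(frame, G, 4))
    print("bursts <= 5 detected:", all_bursts_detected(frame, G, 5))
```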

Hardware Computation of CRC

An Example Frame Format with CRC bits

(Figure: shift-register CRC circuit for G(x) = x^16 + x^12 + x^5 + 1)

Common CRC Generator Polynomials

CRC-32: x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1
Used in FDDI, Ethernet.

CRC-CCITT: x^16 + x^12 + x^5 + 1
Used in HDLC.

CRC-8: x^8 + x^2 + x + 1
Used in ATM.

Use of a Hamming Code to Correct Burst Errors

(Figure)

Comparison and Contrast between the OSI and TCP/IP Model

Introduction

This presentation discusses some comparison and contrast between the two main reference models which use the concept of protocol layering:
Open System Interconnection Model (OSI)
Transport Control Protocol / Internet Protocol (TCP/IP)

Introduction

The topics discussed are based on the diagram below.

OSI                      TCP/IP
Application (Layer 7)    Application
Presentation (Layer 6)
Session (Layer 5)
Transport (Layer 4)      Transport
Network (Layer 3)        Internet
Data Link (Layer 2)      Subnet
Physical (Layer 1)

Outline

Compare the protocol layers that correspond to each other.
General Comparison
Focus of Reliability Control
Roles of Host System
De-jure vs. De-facto

The Upper Layers

OSI                      TCP/IP
Application (Layer 7)    Application
Presentation (Layer 6)
Session (Layer 5)

(Figure labels: Session, Presentation, Application)

The Presentation Layer

The Presentation Layer handles data format information for networked communications. This is done by converting data into a generic format that can be understood by both sides.
Not found in the TCP/IP model; in TCP/IP, this function is provided by the Application Layer.
e.g. External Data Representation Standard (XDR), Multipurpose Internet Mail Extensions (MIME)

The Application Layer

The Application Layer is the top layer of the reference model. It provides a set of interfaces for applications to obtain access to networked services, as well as access to the kinds of network services that support applications directly.
OSI: FTAM, VT, MHS, DS, CMIP
TCP/IP: FTP, SMTP, TELNET, DNS, SNMP
Although the notion of an application process is common to both, their approaches to constructing application entities are different.

Approaches used in constructing application entities

The diagram below provides an overall view of the methods used by both the OSI and TCP/IP models.

(Figure)

ISO Approach (sometimes called the Horizontal Approach)

OSI asserts that distributed applications operate over a strict hierarchy of layers and are constructed from a common tool kit of standardized application service elements.
In OSI, each distributed application service selects functions from a large common toolbox of application service elements (ASEs) and complements these with application service elements that perform functions specific to the given end-user service.

TCP/IP Approach (sometimes called the Vertical Approach)

In TCP/IP, each application entity is composed of whatever set of functions it needs beyond end-to-end transport to support a distributed communications service.
Most of these application processes build on what they need and assume only that an underlying transport mechanism (datagram or connection) will be provided.

Transport Layer

The functionality of the transport layer is to provide transparent transfer of data from a source end open system to a destination end open system (ISO/IEC 7498: 1984).

OSI                    TCP/IP
Transport (Layer 4)    Transport (TCP/UDP)

Transport Layer

Transport is responsible for creating and maintaining the basic end-to-end connection between communicating open systems, ensuring that the bits delivered to the receiver are the same as the bits transmitted by the sender, in the same order and without modification, loss or duplication.

OSI Transport Layer

It takes the information to be sent and breaks it into individual packets that are sent and then reassembled into a complete message by the Transport Layer at the receiving node.
It also provides a signaling service for the remote node so that the sending node is notified when its data is received successfully by the receiving node.

OSI Transport Layer

Transport Layer protocols include the capability to acknowledge the receipt of a packet; if no acknowledgement is received, the Transport Layer protocol can retransmit the packet or time out the connection and signal an error.

OSI Transport Layer

Transport protocols can also mark packets with sequencing information so that the destination system can properly order the packets if they're received out of sequence.
In addition, Transport protocols provide facilities for ensuring the integrity of packets and requesting retransmission should a packet become garbled when routed.

OSI Transport Layer

Transport protocols provide the capability for multiple application processes to access the network by using individual local addresses to determine the destination process for each data stream.

TCP/IP Transport Layer

TCP provides reliable data transmission.
UDP is useful in many applications, e.g. where data needs to be broadcast or multicast.
The primary difference is that UDP does not necessarily provide reliable data transmission.

TCP/IP Transport Layer

Many programs will use a separate TCP connection as well as a UDP connection.

TCP/IP Transport Layer

TCP is responsible for data recovery by providing a sequence number with each packet that it sends.
TCP requires an ACK (acknowledgement) to ensure that correct data is received.
A packet can be retransmitted if an error is detected.

TCP/IP Transport Layer

Use of ACK (Figure)

TCP/IP Transport Layer

Flow control with a window, via specifying an acceptable range of sequence numbers.

TCP/IP Transport Layer

TCP and UDP introduce the concept of ports.
Common ports and the services that run on them:
FTP      21 and 20
telnet   23
SMTP     25
http     80
POP3     110

Comparing Transport for both Models

The features of UDP and TCP defined at the TCP/IP Transport Layer correspond to many of the requirements of the OSI Transport Layer. There is a bit of bleed-over into the requirements of the OSI session layer, since sequence numbers and port values can help the operating system keep track of sessions, but most of the TCP and UDP functions and specifications map to the OSI Transport Layer.

Comparing Transport for both Models

The TCP/IP and OSI architecture models both employ connection and connectionless models at the transport layer. However, the internet architecture refers to the two models in TCP/IP simply as connections and datagrams. The OSI reference model, with its penchant for precise terminology, uses the terms connection-mode and connection-oriented for the connection model and the term connectionless-mode for the connectionless model.

Network vs. Internet

Like all the other OSI layers, the network layer provides both connectionless and connection-oriented services. As for the TCP/IP architecture, the internet layer is exclusively connectionless.

OSI                  TCP/IP
Network (Layer 3)    Internet

Network vs. Internet

X.25 Packet Level Protocol, OSI's connection-oriented network protocol: The CCITT standard for X.25 defines the DTE/DCE interface standard to provide access to a packet-switched network. It is the network level interface, which specifies a virtual circuit (VC) service. A source host must establish a connection (a VC) with the destination host before data transfer can take place. The network attempts to deliver packets flowing over a VC in sequence.

Network vs. Internet

Connectionless Network Service: Both OSI and TCP/IP support a connectionless network service: OSI as an alternative to network connections and TCP/IP as the only way in use.

Internetworking Protocols: OSI's CLNP (ISO/IEC 8473: 1993) is functionally identical to the Internet's IP (RFC 791). Both CLNP and IP are best-effort-delivery network protocols. Bit niggling aside, they are virtually identical. The major difference between the two is that CLNP accommodates variable-length addresses, whereas IP supports fixed 32-bit addresses.

Network vs. Internet

Internet (IP) Addresses: The Internet network address is more commonly called the IP address. It consists of 32 bits, some of which are allocated to a high-order network-number part and the remainder of which are allocated to a low-order host-number part. The distribution of bits (how many form the network number, and how many are therefore left for the host number) can be done in one of three different ways, giving three different classes of IP address.

Network vs. Internet

OSI Network Layer Addressing: ISO/IEC and CCITT jointly administer the global network addressing domain. The initial hierarchical decomposition of the NSAP address is defined by ISO/IEC 8348. The standard specifies the syntax and the allowable values for the high-order part of the address, the Initial Domain Part (IDP), which consists of the Authority and Format Identifier (AFI) and the Initial Domain Identifier (IDI), but specifically eschews constraints on or recommendations concerning the syntax or semantics of the domain specific part (DSP).

Network vs. Internet

OSI Routing Architecture: End systems (ESs) and intermediate systems (ISs) use routing protocols to distribute (advertise) some or all of the information stored in their locally maintained routing information base. ESs and ISs send and receive these routing updates and use the information that they contain (and information that may be available from the local environment, such as information entered manually by an operator) to modify their routing information base.

Network vs. Internet

TCP/IP Routing Architecture: The TCP/IP routing architecture looks very much like the OSI routing architecture. Hosts use a discovery protocol to obtain the identification of gateways and other hosts attached to the same network (subnetwork). Gateways within autonomous systems (routing domains) operate an interior gateway protocol (intradomain IS-IS routing protocol), and between autonomous systems they operate exterior or border gateway protocols (interdomain routing protocols). The details are different but the principles are the same.

Data Link / Physical vs. Subnet

Data link layer: The function of the Data Link Layer is to provide for the control of the physical layer, and to detect and possibly correct errors which may occur (ISO/IEC 7498:1984). In other words, the Data Link Layer transforms a stream of raw bits (0s and 1s) from the physical layer into a data frame and provides an error-free transfer from one node to another, allowing the layers above it to assume virtually error-free transmission.

OSI                    TCP/IP
Data Link (Layer 2)    Subnet
Physical (Layer 1)

Data Link / Physical vs. Subnet

Physical layer: The function of the Physical Layer is to provide mechanical, electrical, functional, and procedural means to activate a physical connection for bit transmission (ISO/IEC 7498:1984). Basically, this means that the typical role of the physical layer is to transform bits in a computer system into electromagnetic (or equivalent) signals for a particular transmission medium (wire, fiber, ether, etc.).

Data Link / Physical vs. Subnet

Comparing to TCP/IP: These two layers of the OSI model correspond directly to the subnet layer of the TCP/IP model.
The majority of the time, the lower layers below the Interface or Network layer of the TCP/IP model are seldom discussed.
The TCP/IP model does nothing but highlight the fact that the host has to connect to the network using some protocol so it can send IP packets over it. Because the protocol used is not defined, it will vary from host to host and network to network.

Data Link / Physical vs. Subnet

Comparing to TCP/IP: After much deliberation by organizations, it was decided that the Network Interface Layer in the TCP/IP model corresponds to a combination of the OSI Data Link Layer and the network-specific functions of the OSI network layer (e.g. IEEE 802.3).
Since these two layers deal with functions that are so inherently specific to each individual networking technology, the layering principle of grouping related functions together is largely irrelevant.


General Comparison

Focus of Reliability Control

Roles of Host System

De-jure vs. De-facto


Focus of Reliability Control

Implementation of the OSI model places emphasis on providing a reliable data transfer service, while the TCP/IP model treats reliability as an end-to-end problem.

Each layer of the OSI model detects and handles errors; all data transmitted includes checksums. The transport layer of the OSI model checks source-to-destination reliability.

In the TCP/IP model, reliability control is concentrated at the transport layer, which handles all error detection and recovery. The TCP/IP transport layer uses checksums, acknowledgments, and timeouts to control transmissions and provides end-to-end verification. Note that these checksums only detect accidental corruption; they are no defence against deliberate modification, which needs a cryptographic integrity check.


Roles of Host System

Hosts on OSI implementations do not handle network operations (they act as simple terminals), but TCP/IP hosts participate in most network protocols. TCP/IP hosts carry out such functions as end-to-end verification, routing, and network control. The TCP/IP internet can be viewed as a data stream delivery system involving intelligent hosts.


De-jure vs. De-facto (OSI)

OSI: a standard legislated by an officially recognized body (ISO).

The OSI reference model was devised before the protocols were invented. This ordering means that the model was not biased toward one particular set of protocols, which made it quite general. The down side of this ordering is that the designers did not have much experience with the subject and did not have a good idea of which functionality to put in which layer.

Being general, the protocols in the OSI model are better hidden than in the TCP/IP model and can be replaced relatively easily as the technology changes.

Not as widespread as TCP/IP (complex, costly).

More commonly used as a teaching aid.


De-jure vs. De-facto (TCP/IP)

TCP/IP: standards adopted due to widespread use (the Internet).

The protocols came first, and the model was really just a description of the existing protocols. There was no problem with the protocols fitting the model, but the model is hardly usable for describing other protocol stacks.

"Get the job done" orientation.

Over the years it has handled most challenges by growing to meet the needs.

More popular standard for internetworking for several reasons:

relatively simple and robust compared to alternatives such as OSI

available on virtually every hardware and operating system platform (often free)

the protocol suite on which the Internet depends.


The End

Project team members:

ANDREW TAN TENG HONG

MAH CHEE MENG

CHEE YEW WAI

TAN YOKE CHUAN

CHEONG KIM MING


Chapter 8: Network Security Principles, Symmetric Key Cryptography, Public Key Cryptography

Professor Rick Han

University of Colorado at Boulder

[email protected]


    Prof. Rick Han, University of

    Colorado at Boulder

    Network Security

Classic properties of secure systems:

Confidentiality: encrypt the message so only the sender and receiver can understand it.

Authentication: both sender and receiver need to verify the identity of the other party in a communication: are you really who you claim to be?

Authorization: does a party with a verified identity have permission to access (read/write/execute) the information? This gets into access control policies.


    Network Security (2)

Classic properties of secure systems (cont.):

Integrity: during a communication, can both sender and receiver detect whether a message has been altered?

Non-Repudiation: the originator of a communication cannot later deny that the communication took place.

Availability: guaranteeing access to legitimate users; prevention of Denial-of-Service (DoS) attacks.


    Cryptography

An encryption algorithm is also called a cipher.

Cryptography has evolved so that modern encryption and decryption use secret keys. Only the keys have to be protected (=> the key distribution problem); the cryptographic algorithms themselves can be openly published. This is Kerckhoffs's principle: a system should stay secure even when everything about it except the key is public.

[Figure: plaintext --Encryption (key KA)--> ciphertext --Decryption (key KB)--> plaintext]


    Cryptography (2)

Cryptography throughout history:

Julius Caesar cipher: replaced each character by a character cyclically shifted (to the left) by a fixed number of positions. Weakness? Easy to attack by looking at the frequency of characters, since a fixed shift preserves the letter-frequency profile of the language.

Mary Queen of Scots: put to death for treason after Queen Elizabeth I's spymaster cracked her encryption code.

WWII: the Allies broke the German Enigma code and the Japanese naval code.

[Figure: Enigma code machine]


    Cryptography (4)

Cryanalysis. Types of attacks:

Chosen-plaintext attack: the attacker can choose the plaintext and look at the paired ciphertext. The attacker has more control than in a known-plaintext attack and may be able to gain more information about the key.

Adaptive chosen-plaintext attack: the attacker chooses a series of plaintexts, basing the next plaintext on the result of the previous encryption.

Differential cryptanalysis is a very powerful attacking tool, but DES was designed to be resistant to it.

Cryptanalysis attacks often exploit the redundancy of natural language. Lossless compression before encryption removes much of that redundancy. Caveat: compressing before encrypting is not free of risk either; when attacker-influenced input is compressed together with a secret, the compressed length itself leaks information about the secret (the basis of the CRIME and BREACH attacks on TLS).


Principles of Confusion and Diffusion


Principles of Confusion and Diffusion (2)

Modern substitution ciphers take in N bits and substitute N bits using a lookup table, called an S-box.

Confusion: a classical substitution cipher (figure, courtesy Andreas Steffen)


Principles of Confusion and Diffusion (3)

Diffusion: a classical transposition cipher (figure, courtesy Andreas Steffen)

Modern transposition ciphers take in N bits and permute them using a lookup table, called a P-box.


    Symmetric-Key Cryptography

Both sender and receiver keys are the same: KA = KB.

The keys must be kept secret and securely distributed (we'll study this later). Thus it is also called Secret Key Cryptography.

Data Encryption Standard (DES)

[Figure: plaintext --Encryption (key KA)--> ciphertext --Decryption (key KB = KA)--> plaintext; secure key distribution of KA to both ends]


    Symmetric-Key Cryptography (2)

DES: the 64-bit input is permuted, then passes through 16 stages of identical operation. The stages differ only in the 48-bit round key, which is extracted from the 56-bit key by a complex key schedule. In each stage (a Feistel round), R2 = L1 XOR f(R1, K1), i.e. R1 is transformed under K1 and XORed with L1, and L2 = R1. A final inverse permutation stage follows.


    Symmetric-Key Cryptography (3)

Data Encryption Standard (DES): encodes plaintext in 64-bit chunks using a 64-bit key (56 key bits + 8 parity bits).

Uses a combination of diffusion and confusion to achieve security (figure: a transposition of abcd to dbac).

Was cracked in 1997: a parallel attack exhaustively searched the key space.

Triple-DES: put the output of DES back as input into DES again with a different key, and loop again: 3 * 56 = 168 bit key. (Because of the meet-in-the-middle attack, the effective strength of three-key Triple-DES is about 112 bits, not 168.)

Decryption in DES: it's symmetric! Use KA again as input, with the same round keys applied in reverse order.

Advanced Encryption Standard (AES) is the successor.


    Symmetric-Key Cryptography (4)

DES is an example of a block cipher: divide the input bit stream into n-bit sections and encrypt each section on its own, with no dependency/history between sections.

In a good block cipher, each output bit is a function of all n input bits and all k key bits. (Figure courtesy Andreas Steffen)


    Symmetric-Key Cryptography (5)

Electronic Code Book (ECB) mode for block ciphers: each block of a long digital sequence is encrypted independently.

Vulnerable to substitution/replay attacks: if an attacker thinks block C2 corresponds to a $ amount, they can substitute another block Ck, and identical plaintext blocks always produce identical ciphertext blocks. The attacker can also build a codebook of (plaintext, ciphertext) pairs.


    Symmetric-Key Cryptography (6)

Cipher Block Chaining (CBC) mode for block ciphers

Inhibits replay attacks and codebook building: identical input plaintext blocks Pi = Pk won't produce the same output code, because each plaintext block is XORed with the previous ciphertext block before encryption (memory-based chaining).

IV = Initialization Vector: use only once, and for CBC it must also be unpredictable to the attacker. CBC protects confidentiality only; it does not detect modification of the ciphertext, so it needs a separate integrity check (a MAC).
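An added example covering three of the slides above at once (it is not code from the original deck): the S-box/P-box slides, the DES Feistel structure with decryption by reversed round keys, and the ECB/CBC slides. It is a toy 64-bit Feistel cipher whose round function is key mixing, a 4-bit S-box (the PRESENT cipher's, picked as a well-studied nonlinear table) and a bit permutation. `avalanche` measures how many ciphertext bits change when one plaintext bit flips, `decrypt_block` is the same Feistel code run with the subkeys reversed, and the ECB/CBC helpers show repeated plaintext blocks leaking through ECB but not CBC, and a single flipped CBC ciphertext bit damaging exactly two plaintext blocks. The key schedule, block size and sample message are assumptions of the demo; the cipher is for illustration only, not for protecting anything.

```python
import os

MASK32 = 0xFFFFFFFF
BLOCK = 8        # 64-bit block, like DES
ROUNDS = 16

# 4-bit S-box (confusion): the PRESENT cipher's S-box, used here only as a
# well-studied example of a nonlinear nibble substitution.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# 32-bit P-box (diffusion): input bit i moves to position 5*i mod 32, so the
# four bits of each nibble land in four different nibbles.
PBOX = [(5 * i) % 32 for i in range(32)]


def substitute(x):
    return sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(8))


def permute(x):
    return sum(((x >> i) & 1) << PBOX[i] for i in range(32))


def round_function(right, subkey):
    """F(R, K): key mixing, then S-boxes, then the P-box (one SPN round)."""
    return permute(substitute(right ^ subkey))


def key_schedule(key):
    """Toy schedule (assumption): 16 x 32-bit subkeys cut from rotations of the 64-bit key."""
    rot = lambda k, n: ((k << n) | (k >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
    return [rot(key, (11 * i + 1) % 64) & MASK32 for i in range(ROUNDS)]


def feistel(block, subkeys):
    """Feistel network: (L, R) -> (R, L ^ F(R, K)) per round. The final swap is
    undone, so running the same code with the subkeys reversed inverts it."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def encrypt_block(key, block):
    return feistel(block, key_schedule(key))


def decrypt_block(key, block):
    return feistel(block, key_schedule(key)[::-1])   # same rounds, keys in reverse order


def avalanche(key, block):
    """Average number of ciphertext bits that change when one plaintext bit is flipped."""
    base = encrypt_block(key, block)
    flips = [bin(base ^ encrypt_block(key, block ^ (1 << i))).count('1') for i in range(64)]
    return sum(flips) / 64


def _chunks(data):
    assert len(data) % BLOCK == 0, "no padding in this toy: use whole blocks"
    return [int.from_bytes(data[i:i + BLOCK], 'big') for i in range(0, len(data), BLOCK)]


def _join(blocks):
    return b''.join(b.to_bytes(BLOCK, 'big') for b in blocks)


def ecb_encrypt(key, data):
    return _join(encrypt_block(key, b) for b in _chunks(data))


def cbc_encrypt(key, iv, data):
    prev, out = int.from_bytes(iv, 'big'), []
    for b in _chunks(data):
        prev = encrypt_block(key, b ^ prev)      # chain the previous ciphertext block in
        out.append(prev)
    return _join(out)


def cbc_decrypt(key, iv, data):
    prev, out = int.from_bytes(iv, 'big'), []
    for c in _chunks(data):
        out.append(decrypt_block(key, c) ^ prev)
        prev = c
    return _join(out)


def repeated_blocks(ct):
    """Number of ciphertext blocks that are exact repeats of an earlier block."""
    blocks = _chunks(ct)
    return len(blocks) - len(set(blocks))


def blocks_damaged_by_bitflip(key, iv, data, bit):
    """Flip one bit of the CBC ciphertext and report which plaintext blocks decrypt wrongly."""
    ct = bytearray(cbc_encrypt(key, iv, data))
    ct[bit // 8] ^= 1 << (bit % 8)
    good, bad = _chunks(data), _chunks(cbc_decrypt(key, iv, bytes(ct)))
    return [i for i, (g, b) in enumerate(zip(good, bad)) if g != b]


if __name__ == "__main__":
    key = int.from_bytes(os.urandom(8), 'big')
    iv = os.urandom(8)
    msg = b"AMOUNT=1" * 4 + b"TO=ALICE"           # constructed: four identical plaintext blocks
    print("avalanche (bits changed per single-bit flip):", avalanche(key, 0x0123456789ABCDEF))
    print("ECB repeated ciphertext blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated ciphertext blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print("CBC blocks damaged by flipping one bit in block 1:",
          blocks_damaged_by_bitflip(key, iv, msg, 64 + 3))
```

The avalanche figure should sit near 32 of 64 bits, which is what "each output bit is a function of all input bits" looks like in practice; ECB reports three repeated blocks for the four identical plaintext blocks, CBC reports none, and the bit flip corrupts block 1 entirely while flipping only the same single bit in block 2, leaving everything else intact.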


Symmetric-Key Cryptography (7)

Stream ciphers: rather than dividing the bit stream into discrete blocks, as block ciphers do, XOR each bit of the continuous plaintext stream with a bit from a pseudo-random sequence. At the receiver, use the same symmetric key to regenerate the sequence and XOR again to extract the plaintext.


    Symmetric-Key Cryptography (8)

RC4 stream cipher by Ron Rivest of RSA Data Security Inc., used in 802.11b's security (WEP). (Caveat from today's vantage point: RC4 is deprecated, RFC 7465 prohibits it in TLS, and WEP was broken, largely because its 24-bit IVs forced keystream reuse and weak IVs leaked the key.)

Block ciphers vs. stream ciphers:

Stream ciphers work at bit level and were originally implemented in hardware => fast!

Block ciphers work at word level and were originally implemented in software => not as fast.

An error in a stream cipher only affects one bit; an error in a block cipher in CBC mode affects two blocks.

The distinction is blurring: stream ciphers can be efficiently implemented in software, and block ciphers are getting faster.
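An added example, not from the original slides, of the two failure modes that follow directly from the XOR structure described above: reusing the keystream (same key and nonce) for two messages cancels it out and hands an eavesdropper p1 XOR p2, and without an integrity check an attacker can flip chosen plaintext bits by flipping the same ciphertext bits, which is the flip side of "an error only affects one bit". Keystream reuse is exactly what WEP's 24-bit IV made unavoidable. The keystream generator here is SHA-256 run in counter mode, an assumed stand-in for RC4 chosen so the example needs no external library; the messages are constructed.

```python
import hashlib


def keystream(key, nonce, length):
    """Pseudo-random keystream: SHA-256(key || nonce || counter) blocks, i.e. a hash
    run in counter mode. Assumption: a demo PRF standing in for RC4, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, 'big')).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key, nonce, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def two_time_pad(key, nonce, p1, p2):
    """Encrypt two messages under the same key AND nonce. Returns (c1 ^ c2, p1 ^ p2):
    the keystream cancels, so the eavesdropper gets p1 ^ p2 without knowing the key."""
    c1 = stream_xor(key, nonce, p1)
    c2 = stream_xor(key, nonce, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1, c2)[:n], xor_bytes(p1, p2)[:n]


def recover_with_crib(c1_xor_c2, known_p1):
    """If the attacker knows (or correctly guesses) p1, p2 falls out immediately."""
    return xor_bytes(c1_xor_c2, known_p1)


def bit_flip_attack(key, nonce, plaintext, offset, new_bytes):
    """Malleability: XOR (old ^ new) into the ciphertext at `offset` and the receiver
    decrypts `new_bytes` there, with every other byte untouched. The attacker needs the
    original plaintext at that position, not the key. Returns what the receiver decrypts."""
    ct = bytearray(stream_xor(key, nonce, plaintext))
    for i, nb in enumerate(new_bytes):
        ct[offset + i] ^= plaintext[offset + i] ^ nb
    return stream_xor(key, nonce, bytes(ct))


if __name__ == "__main__":
    key, nonce = b"sixteen byte key", b"\x00" * 8          # constructed demo values
    p1 = b"TRANSFER 100 TO ACCOUNT 42"
    p2 = b"TRANSFER 999 TO ACCOUNT 17"
    diff, expected = two_time_pad(key, nonce, p1, p2)
    print("c1 ^ c2 == p1 ^ p2:", diff == expected)
    print("p2 recovered from crib p1:", recover_with_crib(diff, p1))
    print("receiver decrypts after bit flip:", bit_flip_attack(key, nonce, p1, 9, b"999"))
```

The fixes are the standard ones: never reuse a (key, nonce) pair, and always pair the stream cipher with a MAC (or use an AEAD mode) so that flipped bits are detected rather than silently accepted.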


    Symmetric-Key Cryptography (9)

A symmetric key can be established at both endpoints A and B via the Diffie-Hellman key exchange algorithm:

A and B agree on a large prime modulus n, a primitive element g, and the one-way function f(x) = g^x mod n. n and g are publicly known.

A chooses a large random integer a and sends B AA = g^a mod n.

B chooses a large random integer b and sends A BB = g^b mod n.

A computes S = BB^a mod n and B computes S = AA^b mod n; both obtain the same secret key S = g^(ab) mod n.

Since x = f^-1(y) (the discrete logarithm) is difficult to compute, an observer who knows AA, BB, n, g and f cannot deduce a, b or g^(ab), and hence S is secure against an eavesdropper. Note that the exchange as described is not authenticated: an active attacker who replaces AA and BB with values of their own ends up sharing a key with each side (man-in-the-middle), which is why real protocols sign or otherwise authenticate the exchanged values.
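An added example, not part of the original slides, of the exchange above in the slide's notation (n, g, AA, BB, S), plus the man-in-the-middle case. Assumptions of the demo: the modulus is a freshly generated 128-bit safe prime so that it runs in well under a second (real deployments use fixed, vetted groups of at least 2048 bits rather than generating their own), g = 4 is used because it generates the prime-order subgroup of a safe-prime group, the peer's public value is range-checked before use, and the session key is derived by hashing S rather than using S directly.

```python
import hashlib
import secrets

SMALL_PRIMES = [p for p in range(3, 500, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases after trial division by small primes."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(bits=128):
    """Safe prime n = 2q + 1 and g = 4, which generates the order-q subgroup.
    Assumption: 128 bits keeps the demo fast; it offers no real security."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 4


def dh_keypair(n, g):
    a = secrets.randbelow(n - 3) + 2           # private exponent a (or b)
    return a, pow(g, a, n)                      # (a, AA = g^a mod n)


def dh_shared(n, their_pub, my_priv):
    """Check the peer's value, compute S = their_pub^my_priv mod n, derive a key from it."""
    if not 2 <= their_pub <= n - 2:
        raise ValueError("public value outside [2, n-2]: 0, 1 and n-1 force a trivial S")
    s = pow(their_pub, my_priv, n)
    return hashlib.sha256(s.to_bytes((n.bit_length() + 7) // 8, 'big')).digest()


def honest_exchange(n, g):
    """Alice and Bob exchange AA and BB and both derive the same key."""
    a, AA = dh_keypair(n, g)
    b, BB = dh_keypair(n, g)
    return dh_shared(n, BB, a), dh_shared(n, AA, b)


def mitm_exchange(n, g):
    """Mallory swaps both public values for her own M = g^m mod n. Alice and Bob
    each share a key with Mallory and nothing in the exchange reveals it."""
    a, AA = dh_keypair(n, g)
    b, BB = dh_keypair(n, g)
    m, M = dh_keypair(n, g)
    return {
        "alice": dh_shared(n, M, a),              # Alice believes M came from Bob
        "bob": dh_shared(n, M, b),                # Bob believes M came from Alice
        "mallory_with_alice": dh_shared(n, AA, m),
        "mallory_with_bob": dh_shared(n, BB, m),
    }


if __name__ == "__main__":
    n, g = make_params(128)
    ka, kb = honest_exchange(n, g)
    print("honest exchange, keys match:", ka == kb)
    r = mitm_exchange(n, g)
    print("Alice shares a key with Mallory:", r["alice"] == r["mallory_with_alice"])
    print("Bob shares a key with Mallory:  ", r["bob"] == r["mallory_with_bob"])
    print("Alice and Bob share a key:      ", r["alice"] == r["bob"])
```

The range check on the received value is the cheap, non-optional part: accepting 0, 1 or n-1 lets a peer force S into a tiny set regardless of the private exponent.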


    Symmetric Key Distribution

Key distribution:

Public key: via trusted Certificate Authorities.

Symmetric key? Diffie-Hellman key exchange; public key first, then secret key (e.g. SSL); or symmetric key distribution via a KDC (Key Distribution Center).


    Symmetric Key Distribution (2)

Symmetric key distribution via a KDC (Key Distribution Center):

The KDC is a server (trusted 3rd party) sharing a different symmetric key with each registered user.

Alice wants to talk with Bob, and sends an encrypted request to the KDC: KA-KDC(Alice, Bob).

The KDC generates a one-time shared secret key R1.

The KDC encrypts Alice's identity and R1 with Bob's secret key: let m = KB-KDC(Alice, R1).

The KDC sends both R1 and m to Alice, encrypted with Alice's key: i.e. KA-KDC(R1, KB-KDC(Alice, R1)).

Alice decrypts the message, extracting R1 and m. Alice sends m to Bob.

Bob decrypts m and now has the session key R1.


    Symmetric Key Distribution (3)

Kerberos authentication basically follows this KDC (trusted 3rd party) approach.

In Kerberos, the message m is called a ticket and has an expiration time, which bounds how long a captured ticket can be replayed.

m=
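An added example (not the original deck's code) of the KDC exchange above, with the Kerberos expiration time added to the ticket. The K_X-KDC(...) notation is implemented as `seal`/`unseal`, an encrypt-then-MAC construction built from SHA-256 and HMAC so the example has no dependencies; that construction, the JSON message layout, the 300-second lifetime and the 60-second clock-skew allowance are assumptions of the demo, not Kerberos's actual formats.

```python
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    """SHA-256 in counter mode as a toy keystream (assumption: demo-only PRF)."""
    out = b''
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, 'big')).digest()
    return out[:length]


def seal(key, obj):
    """K_X-KDC(obj): encrypt-then-MAC a JSON object as nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(12)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; a wrong key or any tampering raises."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Trusted third party holding one long-term key per registered user."""

    def __init__(self, user_keys, ticket_lifetime=300):
        self.keys = dict(user_keys)
        self.lifetime = ticket_lifetime      # seconds a ticket stays valid (assumption)

    def request(self, requester, blob, now):
        """Handle K_A-KDC(Alice, Bob): mint R1, build the ticket m for Bob,
        and return K_A-KDC(R1, m) to Alice."""
        req = unseal(self.keys[requester], blob)
        peer = req["to"]
        r1 = os.urandom(16).hex()                         # one-time session key R1
        ticket = seal(self.keys[peer], {"client": requester, "key": r1,
                                        "expires": now + self.lifetime})   # m
        return seal(self.keys[requester], {"peer": peer, "key": r1,
                                           "ticket": ticket.hex()})       # K_A-KDC(R1, m)


def alice_requests(kdc, k_alice, now):
    """Alice asks for a key to talk to Bob and gets back R1 plus the ticket m."""
    blob = seal(k_alice, {"from": "alice", "to": "bob"})
    reply = unseal(k_alice, kdc.request("alice", blob, now))
    return reply["key"], bytes.fromhex(reply["ticket"])


def bob_accepts(k_bob, ticket, now, skew=60):
    """Bob opens m with his own KDC key. An expired ticket is refused, so a
    captured ticket cannot be replayed indefinitely. Returns (client, R1)."""
    t = unseal(k_bob, ticket)
    if now > t["expires"] + skew:
        raise ValueError("ticket expired")
    return t["client"], t["key"]


if __name__ == "__main__":
    k_alice, k_bob = os.urandom(32), os.urandom(32)         # long-term keys shared with the KDC
    kdc = KDC({"alice": k_alice, "bob": k_bob})
    r1, m = alice_requests(kdc, k_alice, now=1000)
    print("Bob accepts fresh ticket:", bob_accepts(k_bob, m, now=1100) == ("alice", r1))
    try:
        bob_accepts(k_bob, m, now=1000 + 300 + 61)
    except ValueError as e:
        print("replayed old ticket:", e)
```

Alice never learns Bob's long-term key (she cannot open m, only forward it), and the tag check means a ticket cannot be edited in transit; the expiry is what stops an attacker who recorded m from presenting it to Bob days later.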


Chapter 8: Public Key Cryptography, Authentication, Data Integrity

Professor Rick Han

University of Colorado at Boulder

[email protected]


    Public-Key Cryptography (3)

The decryption algorithm has the property that only the private key Kprivate can decrypt the ciphertext, and it is computationally infeasible to deduce Kprivate even though the attacker knows the public key Kpublic and the encryption algorithm.

[Figure: plaintext --Encryption (key KPUBLIC)--> ciphertext --Decryption (key KPRIVATE)--> plaintext; public key distribution]



    Public-Key Cryptography (4)

Provides security because there are no known algorithms for quickly factoring n = p*q, the product of two large prime numbers.

If we could factor n into p and q, it would be easy to break the algorithm: having n, p, q and e, just compute the decryption key d as the inverse of e modulo (p-1)(q-1).

Public-key cryptography is slow because of the exponentiation: m = c^d mod n = (m^e)^d mod n = (m^d)^e mod n. Roughly 21-64 kbps for a 1024-bit value of n (at the time of these slides). So don't use it for time-sensitive applications and/or use it only for small amounts of data; we'll see how SSL makes use of this.


Public-Key Cryptography (5)

A 512-bit number (155 decimal digits) was factored into two primes in 1999 using one Cray and 300 workstations. 1024-bit keys were still considered safe at the time; today 1024-bit RSA is deprecated and 2048 bits is the usual minimum.

Incredibly useful property of public-key cryptography: m = c^d mod n = (m^e)^d mod n = (m^d)^e mod n. Thus, the order in which the keys are used can be swapped. Example: use the private key for "encryption" and the public key for "decryption"; we will see how this is useful in authentication (digital signatures)!
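An added example, not from the original slides, that works through the claims on the last two slides: d computed from p and q, the (m^e)^d = (m^d)^e identity used for signing with the private exponent and verifying with the public one, and the recovery of d from a single known factor of n. The primes 2^31-1 and 2^61-1 are used because they are known (Mersenne) primes, so the demo needs no prime generation; they are far too small for real use, and this is textbook RSA with no padding, so it is deterministic and must not be used as-is.

```python
import hashlib
import math

# Demo primes (assumption): 2^31-1 and 2^61-1 are Mersenne primes, so no prime
# generation is needed. n is about 92 bits, nowhere near a real key size.
P = 2147483647
Q = 2305843009213693951
E = 65537


def keygen(p, q, e=E):
    """Public key (n, e), private key (n, d) with d = e^-1 mod (p-1)(q-1).
    Anyone holding p and q can compute d, which is why factoring n breaks RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, x):
    """Textbook RSA is one modular exponentiation; which exponent you hold
    decides whether this is encrypt, decrypt, sign or verify."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("input must be an integer below n")
    return pow(x, exp, n)


def encrypt(pub, m):
    return rsa_apply(pub, m)


def decrypt(priv, c):
    return rsa_apply(priv, c)


def message_digest(data, n):
    """Hash the message to an integer below n (demo: raw SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), 'big') % n


def sign(priv, data):
    """Key roles swapped: the private exponent is applied to the message digest."""
    return rsa_apply(priv, message_digest(data, priv[0]))


def verify(pub, data, sig):
    """Anyone with the public key undoes the private exponent and compares digests."""
    return rsa_apply(pub, sig) == message_digest(data, pub[0])


def recover_private_key(pub, p):
    """Given one factor p of n (i.e. after factoring n), d follows immediately."""
    n, e = pub
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def bytes_to_int(b):
    return int.from_bytes(b, 'big')


def int_to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, 'big')


if __name__ == "__main__":
    pub, priv = keygen(P, Q)
    m = bytes_to_int(b"hello key")                          # constructed 72-bit message < n
    c = encrypt(pub, m)
    print("decrypts back:", int_to_bytes(decrypt(priv, c)))
    print("(m^e)^d == (m^d)^e mod n:",
          pow(pow(m, pub[1], pub[0]), priv[1], pub[0]) == pow(pow(m, priv[1], pub[0]), pub[1], pub[0]))
    s = sign(priv, b"pay 100")
    print("signature verifies:", verify(pub, b"pay 100", s), "| forged text:", verify(pub, b"pay 900", s))
    print("d recovered from factor p:", recover_private_key(pub, P) == priv)
    print("textbook RSA is deterministic:", encrypt(pub, m) == c)
```

The last line is the caveat real systems address with padding (OAEP for encryption, PSS for signatures): without it, equal messages give equal ciphertexts and the attacker can test guesses against the public key.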