Internet Security, Dr. Clincy, Lecture 1: CONNECTING DEVICES

Uploaded by madeleine-johns, posted 26-Dec-2015

Transcript

Page 1: Internet Security, Dr. Clincy, Lecture 1: CONNECTING DEVICES

Page 2: Repeater

• Operates at the physical layer (layer 1)

• Receives the signal and regenerates it in its original pattern

• Is there a difference between a regenerator (repeater) and an amplifier?

• A repeater forwards every bit; it has no filtering capability

Page 3: Bridge

• Operates at both the physical and data link layers

• At layer 1, it regenerates the signal. At layer 2, it checks the Tx/Rx physical address (using a bridge table)

• Example below:

• If a packet arrives at bridge interface #1 for either of the 71….. stations, the packet is dropped, because the 71…. stations already see the packet

• If a packet arrives at bridge interface #2 for either of the 71….. stations, the packet is forwarded to bridge interface #1

With such an approach, the “bridged” network segments act as a single larger network

What is a “smart” bridge?
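The filtering rule on this slide (drop when the destination sits on the arrival segment, otherwise forward) and the "smart" bridge that learns its table from source addresses, as an added example that is not part of the lecture. Frames are plain dicts, the two interfaces are numbered 1 and 2 as on the slide, and the MAC addresses are constructed sample values.

```python
# Added example (not from the lecture): a two-interface bridge that filters on
# layer-2 addresses using a bridge table. Frames are plain dicts and the MAC
# addresses used in the demo are constructed sample values.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Bridge:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}                     # physical address -> interface

    def learn(self, mac, iface):
        """Record which interface a station sits behind (static entry or learned)."""
        self.table[mac] = iface

    def handle(self, frame, in_iface):
        """Return the interfaces the frame is regenerated onto ([] means dropped)."""
        # A "smart" (learning) bridge fills its table from the source addresses
        # it sees, so the table needs no manual configuration.
        self.learn(frame["src"], in_iface)
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.table:
            # Broadcast or unknown station: send out every other interface
            return [i for i in self.interfaces if i != in_iface]
        out_iface = self.table[dst]
        if out_iface == in_iface:
            # Destination sits on the segment the frame came from: the stations
            # there already saw it, so the bridge drops it instead of repeating it
            return []
        return [out_iface]

if __name__ == "__main__":
    b = Bridge([1, 2])
    b.learn("71:00:00:00:00:01", 1)    # the "71..." stations behind interface #1
    b.learn("71:00:00:00:00:02", 1)
    b.learn("64:00:00:00:00:01", 2)
    print(b.handle({"src": "71:00:00:00:00:01", "dst": "71:00:00:00:00:02"}, 1))  # dropped
    print(b.handle({"src": "64:00:00:00:00:01", "dst": "71:00:00:00:00:01"}, 2))  # to #1
```

The filtering is what makes a bridge more than a repeater: traffic between two stations on segment #1 never crosses to segment #2, which also limits what a station on segment #2 can observe.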

Page 4: Routing example

(Figure: LAN 1 and LAN 2 connected by a router)

• Routers can change the physical address of a packet

• Example: as a packet flows from LAN 1 to LAN 2

• In LAN 1, the source address is the Tx’s address and the destination address is the router’s interface address

• In LAN 2, the source address is the router’s interface address and the destination address is the Rx’s address

Page 5: Network Addressing

Page 6: Recall: Physical and Logical Addresses

• Recall: the physical address is needed from a local perspective

• Recall: the logical (or IP) address is needed from a global perspective

• Therefore, both addresses are needed

• Likewise, there is a need to map the logical address to its corresponding physical address (and vice versa)

• The mapping can be “static” or “dynamic” in nature

Page 7: IP Addresses

• The IP address has 3 notations: binary, dotted-decimal and hexadecimal

• Binary: 4 octets: 01110101 10010101 00011101 11101010

• Dotted-decimal (or dot notation):

• For dotted-decimal, each number can range from 0 to 255

• Hexadecimal: 0111 0101 1001 0101 0001 1101 1110 1010 = 75 95 1D EA = 75951DEA
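Converting between the three notations, as an added example (not from the lecture). It takes the slide's own value 01110101 10010101 00011101 11101010 (75951DEA in hex) and derives the other forms, rejecting dotted-decimal octets outside 0-255.

```python
# Added example (not from the lecture): convert one IPv4 address between the
# binary, dotted-decimal and hexadecimal notations the slide lists.

def parse_any(text):
    """Return the address as a 32-bit int; accepts binary (32 bits, spaces
    allowed), dotted-decimal, or 8 hex digits (spaces allowed)."""
    s = text.strip()
    compact = s.replace(" ", "")
    if "." in s:                                          # dotted-decimal
        octets = [int(o) for o in s.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("dotted-decimal needs 4 numbers in 0..255")
        value = 0
        for o in octets:
            value = (value << 8) | o
        return value
    if len(compact) == 32 and set(compact) <= {"0", "1"}:   # binary, 4 octets
        return int(compact, 2)
    if len(compact) == 8:                                  # hexadecimal
        return int(compact, 16)
    raise ValueError("unrecognised notation: %r" % text)

def to_binary(value):
    """Four 8-bit octets, most significant first."""
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_hex(value):
    """Two hex digits per octet, eight digits in all."""
    return format(value & 0xFFFFFFFF, "08X")

def all_notations(text):
    v = parse_any(text)
    return {"binary": to_binary(v), "dotted": to_dotted(v), "hex": to_hex(v)}

if __name__ == "__main__":
    print(all_notations("01110101 10010101 00011101 11101010"))
```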

Page 8: IP Addresses: Classful Addressing

• When IP addressing first started, it used a concept called “classful addressing”. A newer concept called “classless addressing” is slowly replacing it though.

• Regarding “classful addressing”, the address space is divided into five classes: A, B, C, D and E.

Class   # of addresses            Percent of the space
A       2^31 = 2,147,483,648      50%
B       2^30 = 1,073,741,824      25%
C       2^29 = 536,870,912        12.5%
D       2^28 = 268,435,456        6.25%
E       2^28 = 268,435,456        6.25%

Page 9: Netid and hostid

• Class A, B and C addresses are divided into a network id and a host id

• For Class A, Netid = 1 byte, Hostid = 3 bytes

• For Class B, Netid = 2 bytes, Hostid = 2 bytes

• For Class C, Netid = 3 bytes, Hostid = 1 byte

Page 10: Blocks in class A

• Class A has 128 blocks or network ids

• The first byte is the same (netid); the remaining 3 bytes can change (hostids)

• Network id 0 (first), network id 127 (last) and network id 10 are reserved, leaving 125 ids to be assigned to organizations/companies

• Each block contains 16,777,216 addresses; this block should be used by large organizations. How many hosts can be addressed?

• The first address in the block is called the “network address”; it defines the network of the organization

Example

• Netid 73 is assigned

• The last address is reserved

• Recall: routers have addresses

Page 11: Blocks in class B

• Class B is divided into 16,384 blocks (65,536 addresses each)

• 16 blocks are reserved

• The first 2 bytes are the same (netid); the remaining 2 bytes can change (hostids)

• For example, network id 128.0 covers addresses 128.0.0.0 to 128.0.255.255

• Network id 191.225 is the last netid for this block

Example

• Netid 180.8 is assigned

• The last address is reserved

• Recall: routers have addresses

Page 12: Blocks in class C

• Class C is divided into 2,097,152 blocks (256 addresses each)

• 256 blocks are reserved

• The first 3 bytes are the same (netid); the remaining 1 byte can change (hostids)

• For example, network id 192.0.0 covers addresses 192.0.0.0 to 192.0.0.255

Page 13: Network Addresses

The network address is the first address.

The network address defines the network to the rest of the Internet.

Given the network address, we can find the class of the address, the block, and the range of the addresses in the block.

Given the network address 17.0.0.0, find the class, the block, and the range of the addresses.

Solution: The class is A because the first byte is between 0 and 127. The block has a netid of 17. The addresses range from 17.0.0.0 to 17.255.255.255.

Given the network address 132.21.0.0, find the class, the block, and the range of the addresses.

Solution: The class is B because the first byte is between 128 and 191. The block has a netid of 132.21. The addresses range from 132.21.0.0 to 132.21.255.255.

Given the network address 220.34.76.0, find the class, the block, and the range of the addresses.

Solution: The class is C because the first byte is between 192 and 223. The block has a netid of 220.34.76. The addresses range from 220.34.76.0 to 220.34.76.255.

Page 14: Mask

A mask is a 32-bit binary number that gives the first address in the block (the network address) when bitwise ANDed with an address in the block.

• Given the network address, we can easily determine the block and the range of addresses

• Suppose we are given an IP address: can we determine the network address (the beginning of the block)?

• To route packets to the correct network, a router must extract the network address from the destination IP address

• For example, given 134.45.78.2, we know this is class B, therefore 134.45 is the netid and 134.45.0.0 is the network address (the starting address of the block)

• How would we EXTRACT the network address from the IP address? We would use a MASK.
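The classful decoding from the last two slides in code, as an added example that is not part of the lecture: the class is read from the first byte, the default mask has ones over the netid bytes, a bitwise AND gives the network address, and OR-ing the inverted mask gives the last address of the block. It reproduces the three worked solutions (17.0.0.0, 132.21.0.0, 220.34.76.0) and the mask example 134.45.78.2; the class boundaries for D and E (224-239, 240-255) are the standard ones, which the slides do not list.

```python
# Added example (not from the lecture): class, default mask, network address
# and block range of a classful IPv4 address.

CLASS_RANGES = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 255))   # by first byte
NETID_BYTES = {"A": 1, "B": 2, "C": 3}             # D and E have no netid/hostid split

def dotted_to_int(addr):
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted-decimal address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def ip_class(addr):
    first = dotted_to_int(addr) >> 24
    for name, lo, hi in CLASS_RANGES:
        if lo <= first <= hi:
            return name
    raise AssertionError("unreachable: first byte outside 0..255")

def default_mask(cls):
    """32-bit mask: 1s over the netid bytes, 0s over the hostid bytes."""
    if cls not in NETID_BYTES:
        raise ValueError("class %s has no netid/hostid split" % cls)
    netid_bits = 8 * NETID_BYTES[cls]
    return (0xFFFFFFFF << (32 - netid_bits)) & 0xFFFFFFFF

def network_address(addr):
    """What a router does: bitwise AND the destination with the mask."""
    return int_to_dotted(dotted_to_int(addr) & default_mask(ip_class(addr)))

def block_info(addr):
    """Return (class, netid, first address, last address) of the block."""
    cls = ip_class(addr)
    mask = default_mask(cls)
    first = dotted_to_int(addr) & mask
    last = first | (~mask & 0xFFFFFFFF)          # all hostid bits set to 1
    netid = ".".join(int_to_dotted(first).split(".")[:NETID_BYTES[cls]])
    return cls, netid, int_to_dotted(first), int_to_dotted(last)

if __name__ == "__main__":
    for a in ("17.0.0.0", "132.21.0.0", "220.34.76.0"):
        print(a, block_info(a))
    print("134.45.78.2 ->", network_address("134.45.78.2"))
```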

Page 15: SUBNETTING

• When we talked about CLASSFUL addressing, we realized the problem of wasted host addresses and depleting available network addresses.

• Why wasted addresses? Because there is a single “owner” of the entire block; the block can’t be shared with other “owners”

• In subnetting, a network is divided into several smaller “autonomous or self-contained” networks called subnetworks or subnets; each subnet has its own set of addresses

• Typically, there are 2 steps in reaching a destination: first we must reach the network (netid) and then we reach the destination (hostid)

• With subnets, there can be at least 3 steps: (1) netid, (2) subnet id, and (3) hostid

Page 16: A network with two levels of hierarchy (not subnetted)

The 2-level approach is sometimes not enough: you can only have 1 physical network; in the example, all hosts are at the same level, with no grouping

Page 17: A network with three levels of hierarchy (subnetted)

With subnetting, hosts can be grouped

(Figure: four subnets with host ranges 0-63, 64-127, 128-191 and 192-255)

Page 18: SUPERNETTING

• Although class A and B addresses are dwindling, there are plenty of class C addresses

• The problem with class C addresses is that they only have 256 hostids, not enough for any midsize to large organization, especially if you plan to give every computer, printer, scanner, etc. multiple IP addresses

• Supernetting gives an organization the ability to combine several class C blocks to create a larger range of addresses

• Note: breaking up a network = subnetting

• Note: combining class C networks = supernetting
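Both operations from the subnetting and supernetting slides in one added example (not part of the lecture): splitting a class C block into four subnets with the 0-63, 64-127, 128-191, 192-255 host ranges of the figure, decomposing an address into the three routing steps (netid, subnet id, hostid), and combining contiguous class C blocks into one supernet. The network addresses used (200.1.x.0) are constructed samples; the checks that a supernet needs a power-of-two count of contiguous, aligned blocks are standard prefix-aggregation rules that the slide does not spell out.

```python
# Added example (not from the lecture): subnetting a class C block and
# supernetting several class C blocks. Sample addresses are constructed.

def dotted_to_int(addr):
    o = [int(x) for x in addr.split(".")]
    if len(o) != 4 or any(not 0 <= x <= 255 for x in o):
        raise ValueError("bad address: %r" % addr)
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def int_to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/prefix -> 32-bit mask with `prefix` leading ones."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_class_c(network, subnet_bits):
    """Split a class C block into 2**subnet_bits subnets.
    Returns (subnet address, lowest host octet, highest host octet) per subnet."""
    base = dotted_to_int(network)
    if base & 0xFF:
        raise ValueError("not a class C network address")
    size = 256 >> subnet_bits                    # hosts per subnet
    result = []
    for i in range(1 << subnet_bits):
        start = base + i * size
        result.append((int_to_dotted(start), start & 0xFF, (start & 0xFF) + size - 1))
    return result

def three_levels(addr, netid_prefix, subnet_prefix):
    """The three routing steps: (netid, subnet id, hostid) as integers."""
    v = dotted_to_int(addr)
    netid = v >> (32 - netid_prefix)
    subnet_id = (v >> (32 - subnet_prefix)) & ((1 << (subnet_prefix - netid_prefix)) - 1)
    host_id = v & ((1 << (32 - subnet_prefix)) - 1)
    return netid, subnet_id, host_id

def supernet(class_c_blocks):
    """Combine contiguous class C blocks into one (network, mask, prefix)."""
    starts = sorted(dotted_to_int(b) for b in class_c_blocks)
    count = len(starts)
    if count == 0 or count & (count - 1):
        raise ValueError("need a power-of-two number of blocks")
    for a, b in zip(starts, starts[1:]):
        if b - a != 256:
            raise ValueError("blocks must be contiguous class C blocks")
    total = count * 256
    if starts[0] % total:
        raise ValueError("first block must be aligned to the supernet size")
    prefix = 32 - (total.bit_length() - 1)       # e.g. 4 blocks -> /22
    return int_to_dotted(starts[0]), int_to_dotted(prefix_to_mask(prefix)), prefix

if __name__ == "__main__":
    print(subnet_class_c("200.1.1.0", 2))        # the four groups of the figure
    print(three_levels("200.1.1.130", 24, 26))   # netid, subnet 2, host 2
    print(supernet(["200.1.0.0", "200.1.1.0", "200.1.2.0", "200.1.3.0"]))
```

A router doing the three-step lookup applies the subnet mask (here /26) rather than the class C default mask; a host configured with the wrong mask will misjudge which addresses are local, which is why the mask is among the items a booting station must learn (see the BOOTP slide).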

Page 19: CLASSLESS ADDRESSING

• Recall the problems with classful addressing: you have to get a predefined block of addresses, and in most cases the block is either too large or too small

• In the 1990s, ISPs came into prominence; they provide Internet access for individuals and midsize organizations that don’t want to sponsor their own Internet service (i.e. email, etc.)

• The ISPs are granted several B and C blocks of addresses and subdivide their address space into groups of 2, 4, 8, 16, etc.; blocks can be of variable length

• Because of the rise of ISPs, in 1996 the Internet authorities announced a new architecture called Classless Addressing (making classful addressing obsolete)

Page 20: NETWORK ADDRESS TRANSLATION (NAT)

Network Address Translation (NAT) allows a site to use a set of private addresses for internal communication and a set of global Internet addresses for communication with another site. The site must have only one single connection to the global Internet through a router that runs NAT software.

The router has only 2 addresses: (1) the global IP address and (2) one private address
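A NAT router with exactly one global and one private address, as an added example that is not part of the lecture. Because a single global address has to serve every inside host, the example uses port translation (NAPT, the common form, which the slide does not spell out) so the translation table can tell replies apart. Addresses and ports are constructed samples.

```python
# Added example (not from the lecture): a NAT router with one global address
# and one private address that rewrites packets using a translation table.
import itertools

class NatRouter:
    def __init__(self, global_ip, private_ip, first_port=40000):
        self.global_ip = global_ip
        self.private_ip = private_ip
        self.out_table = {}     # (private ip, private port) -> global port
        self.in_table = {}      # global port -> (private ip, private port)
        self._ports = itertools.count(first_port)

    def outbound(self, pkt):
        """Inside -> Internet: replace the private source with the global address."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_table:           # first packet of this flow
            gport = next(self._ports)
            self.out_table[key] = gport
            self.in_table[gport] = key
        return {**pkt, "src": self.global_ip, "sport": self.out_table[key]}

    def inbound(self, pkt):
        """Internet -> inside: only packets matching a table entry are delivered."""
        if pkt["dst"] != self.global_ip:
            return None
        entry = self.in_table.get(pkt["dport"])
        if entry is None:
            return None                         # no inside host asked: dropped
        private_ip, private_port = entry
        return {**pkt, "dst": private_ip, "dport": private_port}

if __name__ == "__main__":
    nat = NatRouter("203.0.113.5", "10.0.0.1")
    out = nat.outbound({"src": "10.0.0.5", "sport": 5000, "dst": "198.51.100.9", "dport": 80})
    print(out)
    print(nat.inbound({"src": "198.51.100.9", "sport": 80,
                       "dst": "203.0.113.5", "dport": out["sport"]}))
```

The side effect of the table is that unsolicited traffic from the Internet has no entry and is dropped, which is why NAT is often (loosely) treated as a filtering boundary; it is not a substitute for a firewall policy.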

Page 21: IP datagram

• An IP datagram is variable length, consisting of two parts (header, data)

• The header is 20-60 bytes and contains routing and delivery info

• Ver: version of IP

• HLEN: header length; the total length of the header field (in 4-byte words or units)

• Service type: now called Differentiated Services; tells the service type (i.e. ftp, dns, telnet, etc.); will come back to this

• Total length: defines the total length of the datagram including the header; needed to determine if padding is required. Recall that an Ethernet frame can range 46-1500 bytes, so if the IP datagram is less than 46 bytes it needs padding

• Identification: used for fragmentation; networks that are not able to encapsulate the full IP datagram will need to fragment; will come back to this

• Flags: used for fragmentation; will come back to this

• Fragmentation offset: used for fragmentation; will come back to this

• Time to live: datagram lifetime as it travels; used to control the number of hops (routers) a datagram can traverse; fixes infinite loop problems

• Protocol: defines the higher level protocol (i.e. TCP, UDP, ICMP, etc.) that’s using the service of the IP layer; since IP muxes data from the Transport layer, this field is used to demux
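Building and parsing the fixed 20-byte header just described, as an added example that is not part of the lecture. It decodes every field on the slide (version, HLEN in 4-byte words, total length with the 46-byte Ethernet padding check, identification, flags, fragment offset, TTL, protocol used for demultiplexing) and verifies the header checksum, rejecting headers whose HLEN or total length are inconsistent with the bytes actually present. The addresses and field values are constructed samples, not captured traffic.

```python
# Added example (not from the lecture): build and parse the fixed 20-byte IPv4
# header the slide describes. Addresses and field values are constructed samples.
import struct

HEADER_FMT = "!BBHHHBBH4s4s"          # Ver/HLEN, service type, total length,
                                      # identification, flags+offset, TTL,
                                      # protocol, checksum, source, destination
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # demux table
ETHERNET_MIN_PAYLOAD = 46             # shorter datagrams must be padded

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def ones_complement_checksum(data):
    """Internet checksum over 16-bit words; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len, protocol, ident, ttl=64, dont_fragment=True):
    """Header with HLEN = 5 (20 bytes, no options) and a computed checksum."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (0x2 if dont_fragment else 0x0) << 13      # DF flag, offset 0
    hdr = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]   # checksum at bytes 10-11

def parse_ipv4_header(raw):
    """Decode the header fields; raises ValueError on inconsistent lengths."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, service_type, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(HEADER_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hlen = ihl * 4                                    # HLEN is in 4-byte words
    if version != 4:
        raise ValueError("not IPv4")
    if not 20 <= hlen <= 60 or len(raw) < hlen or total_len < hlen:
        raise ValueError("inconsistent HLEN / total length")
    flags = flags_frag >> 13
    return {
        "version": version, "hlen": hlen, "service_type": service_type,
        "total_length": total_len, "identification": ident,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "protocol_name": PROTOCOLS.get(proto, "other"),
        "checksum_ok": ones_complement_checksum(raw[:hlen]) == 0,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        "needs_padding": total_len < ETHERNET_MIN_PAYLOAD,
    }

if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=8, protocol=17, ident=0x1234)
    print(parse_ipv4_header(hdr))
```

Treating the length fields as untrusted (the HLEN/total-length check above) is the part a receiver must not skip: a parser that trusts HLEN blindly reads past the end of a short buffer.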

Page 22: Dynamic Mapping: ARP and RARP

• ARP: maps the logical address to the physical address (given logical, find physical)

• RARP: maps the physical address to the logical address (given physical, find logical)

• ARP/RARP use unicast and broadcast physical addresses (from earlier lectures, recall the formats of the broadcast/unicast addresses)
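The two exchanges on this slide, as an added example that is not part of the lecture: the request goes out in a frame addressed to the broadcast physical address, and the reply comes back in a unicast frame to the asker. The packet layout (hardware type 1, protocol type 0x0800, 6-byte and 4-byte address lengths, opcodes 1/2 for ARP and 3/4 for RARP) is the standard one from RFC 826 and RFC 903; the station table and MAC/IP values are constructed samples.

```python
# Added example (not from the lecture): ARP and RARP request/reply packets and
# the broadcast-request / unicast-reply pattern. Station data is constructed.
import struct

ARP_FMT = "!HHBBH6s4s6s4s"           # htype, ptype, hlen, plen, op, smac, sip, tmac, tip
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2        # RFC 826
RARP_REQUEST, RARP_REPLY = 3, 4      # RFC 903, same packet layout
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_to_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_packet(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_packet(raw):
    if len(raw) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip)}

def arp_exchange(asker_mac, asker_ip, wanted_ip, hosts):
    """Given logical, find physical. hosts maps IP -> MAC for stations on the LAN.
    Returns (request frame, reply frame or None); a frame is (dst MAC, bytes)."""
    request = (BROADCAST_MAC, build_packet(ARP_REQUEST, asker_mac, asker_ip, ZERO_MAC, wanted_ip))
    q = parse_packet(request[1])
    owner_mac = hosts.get(q["target_ip"])    # only the station owning the IP answers
    if owner_mac is None:
        return request, None
    reply = (q["sender_mac"],                # unicast back to the asker
             build_packet(ARP_REPLY, owner_mac, q["target_ip"], q["sender_mac"], q["sender_ip"]))
    return request, reply

def rarp_exchange(asker_mac, server_mac, server_ip, hosts):
    """Given physical, find logical. A RARP server holds the MAC -> IP table."""
    request = (BROADCAST_MAC, build_packet(RARP_REQUEST, asker_mac, "0.0.0.0", asker_mac, "0.0.0.0"))
    q = parse_packet(request[1])
    by_mac = {mac: ip for ip, mac in hosts.items()}
    ip = by_mac.get(q["target_mac"])
    if ip is None:
        return request, None
    reply = (q["sender_mac"], build_packet(RARP_REPLY, server_mac, server_ip, q["target_mac"], ip))
    return request, reply

if __name__ == "__main__":
    hosts = {"192.0.2.10": "02:00:00:00:00:0a", "192.0.2.20": "02:00:00:00:00:14"}
    req, rep = arp_exchange("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.20", hosts)
    print(req[0], parse_packet(req[1]))
    print(rep[0], parse_packet(rep[1]))
```

Nothing in the packet authenticates the reply; the asker simply trusts whoever answers, which is why a station's ARP cache is only as reliable as the segment it is on and why switches and hosts offer inspection features for it.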

Page 23: BOOTP

• Each station connected to the Internet must know:

• Its IP address

• Its subnet mask

• The IP address of a router

• The IP address of a name server

• Typically, this info is stored in the computer’s config file and retrieved at boot-strap time

• What happens if a computer boots up for the first time, or if a computer is diskless? It will need an ARP/RARP-like protocol to get the needed info

• BOOTP, which stands for Bootstrap Protocol, is a client/server (C/S) protocol set up to provide the info above

Page 24: DHCP

• Although BOOTP provides more information to the client, the physical-to-logical address mapping is static: this mapping must be pre-determined

• The Dynamic Host Configuration Protocol (DHCP) was devised to extend BOOTP

• A DHCP server has 2 DBs: (1) one DB statically binds the physical and IP addresses (so it can provide the BOOTP-type service), (2) a second DB contains a pool of IP addresses (making the assignment of IP addresses dynamic)

• Therefore, when a client sends a request, the DHCP server first checks its static DB, and a permanent (static) IP address is returned. If the physical-to-logical relationship doesn’t exist, it then sends an unused IP address from its second DB.

• The dynamic IP addresses have a time limit
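The server-side logic of the BOOTP and DHCP slides as an added example (not part of the lecture): the static database is consulted first, then the dynamic pool, every answer carries the four items a station must know (address, subnet mask, router, name server), and dynamic addresses expire and return to the pool. Time is a plain integer supplied by the caller, and all addresses and MACs are constructed samples; the wire format of the protocol is not modelled.

```python
# Added example (not from the lecture): the two-database lookup of a DHCP server,
# with leases that expire. Addresses and MACs are constructed samples.

class DhcpServer:
    def __init__(self, static_bindings, pool, lease_seconds, mask, router, name_server):
        self.static = dict(static_bindings)   # DB 1: MAC -> permanent IP (BOOTP-style)
        self.pool = list(pool)                # DB 2: unused dynamic IPs
        self.leases = {}                      # MAC -> (IP, expiry time)
        self.lease_seconds = lease_seconds
        self.config = {"mask": mask, "router": router, "name_server": name_server}

    def _reclaim(self, now):
        """Return expired dynamic addresses to the pool."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.pool.append(ip)

    def request(self, mac, now):
        """Answer a client request; None when no address can be given."""
        self._reclaim(now)
        if mac in self.static:                # static DB first: no time limit
            return {**self.config, "ip": self.static[mac], "expires": None}
        if mac in self.leases:                # existing lease: renew it
            ip = self.leases[mac][0]
        elif self.pool:                       # otherwise take an unused address
            ip = self.pool.pop(0)
        else:
            return None                       # pool exhausted
        expiry = now + self.lease_seconds
        self.leases[mac] = (ip, expiry)
        return {**self.config, "ip": ip, "expires": expiry}

if __name__ == "__main__":
    srv = DhcpServer({"02:00:00:00:00:01": "192.0.2.10"}, ["192.0.2.100", "192.0.2.101"],
                     3600, "255.255.255.0", "192.0.2.1", "192.0.2.53")
    print(srv.request("02:00:00:00:00:01", 0))    # static binding
    print(srv.request("02:00:00:00:00:aa", 0))    # dynamic, expires at 3600
```

The pool-exhaustion branch is worth noticing: a small pool can be drained by a flood of distinct MAC addresses, so production servers rate-limit and log unusual request patterns.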

Page 25: Recall: Domain Name System (DNS)

• As we mentioned before, the IP address is used to uniquely identify hosts connected to the Internet (specifically “connections”)

• The actual IP address is hard to memorize or identify with

• People prefer names instead of addresses

• Therefore, we need a way of mapping a name to an address (or vice versa)

• In the old days, this mapping was done by each host, and the host would update this file from a master file

• Today, the Internet is too global and large for this approach

• One approach: have one computer hold these mappings (problem: too many hits, concentrated traffic congestion)

• Actual approach: replicate the mappings across distributed computers; the computer needing the info goes to the closest server. This approach is called the DOMAIN NAME SYSTEM (DNS)

Page 26: Mobile IP Approach: Big Picture

Given that agent discovery and registration have occurred, a mobile host can now communicate with a remote host

(1A) The remote host sends a packet to the mobile host as if the mobile host is in its home network

(1B) The packet is intercepted by the home agent acting on behalf of the mobile host

(2) The home agent then sends the packet to the foreign host via tunneling (encapsulating the IP packet into another packet that has Tx & Rx addresses for the home agent and foreign agent)

(3) The foreign agent then decapsulates the packet from the IP packet and consults a registry that cross-references the source address of the packet (the mobile host’s home address) with the local care-of address of the mobile host

(4) When the mobile host wants to reply to the remote host, it sends the reply in the normal manner, using the destination address of the packet as the source address of the reply
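The four steps above as an added example that is not part of the lecture: the home agent intercepts packets for the mobile host's home address and wraps them in a tunnel packet addressed from itself to the foreign agent; the foreign agent unwraps them and looks the mobile host's home address up in the registry filled during registration to get the care-of address; the mobile host replies directly with its home address as source. Packets are plain dicts, the registry lookup is keyed on the mobile host's home address (the inner packet's destination), and all addresses are constructed samples.

```python
# Added example (not from the lecture): Mobile IP delivery with a home agent
# tunnel and a foreign agent registry. Packets are dicts; addresses are constructed.

class HomeAgent:
    def __init__(self, address, mobile_home_address, foreign_agent_address):
        self.address = address
        self.mobile_home_address = mobile_home_address
        self.foreign_agent_address = foreign_agent_address   # learned at registration

    def intercept(self, packet):
        """Steps 1B and 2: tunnel packets addressed to the mobile host's home address."""
        if packet["dst"] != self.mobile_home_address:
            return None                                      # not for the mobile host
        # Encapsulate: outer header carries home agent -> foreign agent
        return {"src": self.address, "dst": self.foreign_agent_address, "payload": packet}

class ForeignAgent:
    def __init__(self, address):
        self.address = address
        self.registry = {}          # mobile host home address -> care-of address

    def register(self, home_address, care_of_address):
        self.registry[home_address] = care_of_address

    def decapsulate(self, tunnel_packet):
        """Step 3: unwrap and map the home address to the local care-of address."""
        if tunnel_packet["dst"] != self.address:
            return None
        inner = tunnel_packet["payload"]
        care_of = self.registry.get(inner["dst"])            # keyed on the home address
        if care_of is None:
            return None                                      # unregistered: dropped
        return care_of, inner

def reply_from_mobile(received, mobile_home_address, data="reply"):
    """Step 4: a normal reply, source = home address, destination = original sender."""
    return {"src": mobile_home_address, "dst": received["src"], "payload": data}

if __name__ == "__main__":
    ha = HomeAgent("198.51.100.1", "198.51.100.50", "203.0.113.1")
    fa = ForeignAgent("203.0.113.1")
    fa.register("198.51.100.50", "203.0.113.77")
    pkt = {"src": "192.0.2.9", "dst": "198.51.100.50", "payload": "hello"}
    tunnel = ha.intercept(pkt)
    care_of, inner = fa.decapsulate(tunnel)
    print(tunnel, care_of, reply_from_mobile(inner, "198.51.100.50"))
```

The registry is the sensitive state here: whoever can write to it redirects the mobile host's traffic, which is why real deployments authenticate registration messages rather than accept any binding.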