Module D (Part II) and E

Copyright @ October 2007 by CS2105/OngGH

Module D: The Data Link Layer and Local Area Networks
(Part II - Local Area Networks or LANs)

D.6 LAN and Ethernet Technologies

• Two main classes of LAN technologies (in the 80s and 90s): see Figure 5.15 (p.488/[A]).
  – Ethernet LANs (or 802.3 LANs)
  – Token-passing technologies: Token-ring LANs; FDDI networks (MANs and LANs)

• The IEEE and the data link layer:
  – IEEE initiated its development of LAN standards with an architectural model (defined in IEEE 802.1): see Figures 12.1 (p.363/[B]) and 13.2 (p.397/[B]).
  – dividing the OSI's data link layer into two sublayers:
    ♦ LLC (Logical Link Control) sublayer: encompasses several functions, including framing, flow control, and error control; can provide a reliable packet transfer service.
    ♦ MAC (Media Access Control) sublayer: provides media access management protocols for accessing a shared medium; provides an unreliable datagram service.
  – Summary of IEEE Project 802 LAN Standards: see Figure 13.1 (p.396/[B]).

• 10-Mbps (standard) Ethernet/802.3 LANs:
  – a LAN protocol developed jointly by Xerox, Intel, and DEC at Xerox PARC (Palo Alto Research Center) in the 1970s (based on the ALOHA network developed at the University of Hawaii). IEEE 802.3 + 1-persistent CSMA/CD. (Ethernet CSMA/CD algorithm: see p.501−502/[A])
  – notations for IEEE 802.3 LANs:
  – physical and data link layer information: see Figures 5.20 (p.496/[A]), 5.21 (p.497/[A]), 5.23 (p.499/[A]), 13.8, 13.9, 13.10 (p.403/[B]), 13.11 (p.404/[B]) and 13.12 (p.405/[B]), and Table 13.1 (p.405/[B]).
  – using baseband transmission and Manchester encoding.
  – network diameter (for 10Base5): the distance between the farthest two nodes; no more than 5 segments of up to 500 m each, and no more than 4 repeaters (in the collision domain).
  – general format of an IEEE 802.3 frame: see Figures 5.22 (p.497/[A]), 13.4 (p.398/[B]) and 13.5 (p.399/[B]).
    ♦ Preamble (8 bytes): Preamble field (7 identical octets, 10101010, for synchronization); Start Frame Delimiter field (1 byte: 10101011)
    ♦ Header (14 bytes): Destination address field (48-bit MAC address); Source address field (48-bit MAC address); Type/Length Count field
    ♦ Payload (46 to 1,500 bytes): Data field; Pad field (dummy data that pads the Data field up to its minimum length)
    ♦ Trailer (4 bytes): FCS field
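An added example, not part of the original notes: building and checking an 802.3 frame in Python with the preamble, the 14-byte header, the Pad that brings the Data field up to 46 bytes, and the CRC-32 FCS, as laid out above. The MAC addresses and payload are constructed; using zlib's CRC-32 for the FCS and the 1,500-byte boundary to tell an 802.3 length from an Ethernet II type are assumptions of this example.

```python
import struct
import zlib

PREAMBLE = bytes([0b10101010] * 7) + bytes([0b10101011])   # 7 sync octets + Start Frame Delimiter
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500
ETHERTYPE_ARP = 0x0806     # Type value for ARP frames, as given in the D.7 notes

def build_frame(dst, src, type_or_len, data):
    """Header (14 bytes) + Data padded to 46 bytes + FCS (CRC-32), preceded by the 8-byte preamble."""
    if len(data) > MAX_PAYLOAD:
        raise ValueError("Data field exceeds 1,500 bytes")
    pad = b"\x00" * (MIN_PAYLOAD - len(data)) if len(data) < MIN_PAYLOAD else b""   # Pad field
    body = dst + src + struct.pack("!H", type_or_len) + data + pad
    fcs = struct.pack("<I", zlib.crc32(body))   # CRC-32 over header + payload, least-significant byte first
    return PREAMBLE + body + fcs

def parse_frame(wire):
    """What a receiving adapter does: check preamble, FCS and length, then split the fields."""
    if wire[:8] != PREAMBLE:
        raise ValueError("missing preamble / Start Frame Delimiter")
    body, fcs = wire[8:-4], wire[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    type_or_len = struct.unpack("!H", body[12:14])[0]
    payload = body[14:]
    if not MIN_PAYLOAD <= len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload length %d outside 46..1500" % len(payload))
    # Type/Length field: a value of at most 1,500 is an 802.3 length and lets the receiver strip the Pad;
    # a larger value (e.g. 0x0806) is an Ethernet II type and the upper layer must know its own length.
    if type_or_len <= MAX_PAYLOAD:
        payload = payload[:type_or_len]
    return {"dst": body[:6], "src": body[6:12], "type_or_len": type_or_len, "payload": payload}

def frame_is_valid(wire):
    """True if the frame parses and its FCS checks out; False for a damaged frame."""
    try:
        parse_frame(wire)
        return True
    except ValueError:
        return False
```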

  – Various IEEE 802.3 specifications for the different variants of baseband Ethernet and their respective media:

• Fast Ethernet (100-Mbps), Gigabit Ethernet, and Ten-Gigabit Ethernet LANs: see Figures 5.25 (p.505/[A]), 13.3 (p.398/[B]), 13.19 & 13.20 (p.410/[B]), 13.22 (p.414/[B]), and 13.23 (p.415/[B]).

D.7 ARP (Address Resolution Protocol)

• Address binding:
  – Given an IP address of a host, find its physical or hardware address; called Address Resolution (using ARP or Address Resolution Protocol).
  – Given a physical or hardware address of a host, find its IP address; called Reverse Address Resolution (using RARP or Reverse Address Resolution Protocol).

• ARP: see Figures 5.17 (p.492/[A]), 5.19 (p.494/[A]), 21.1 (p.613/[B]), 21.2 (p.614/[B]), 21.3 (p.615/[B]), and 21.4 (p.616/[B]).

  – operations (on the same physical network): ARP Request; ARP Reply
  – ARP encapsulation and identification: e.g. on an Ethernet, the Type field in Ethernet frames carrying ARP messages must contain 0x0806.
  – ARP/RARP protocol format (28 bytes, used between IP and Ethernet):
  – ARP cache table: see Figure 5.18 (p.493/[A]).
    ♦ makes IP-to-physical address bindings efficient.
    ♦ an array of entries, each entry containing at least: State (e.g., pending, resolved, expired); Destination physical address; Destination IP address; TTL
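An added example (not from the notes) of the D.7 material: encoding and decoding the 28-byte ARP message inside an Ethernet frame whose Type field is 0x0806, and a cache that keeps the State / physical address / IP address / TTL entries listed above. The ARP field layout and the opcodes 1 and 2 follow RFC 826 and are assumptions here; all addresses are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806         # Type field value for ARP frames, as given in the notes
ARP_REQUEST, ARP_REPLY = 1, 2  # OPER codes from RFC 826 (assumed, not stated on the page)
ARP_FMT = "!HHBBH6s4s6s4s"     # HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA = 28 bytes

def build_arp(oper, sha, spa, tha, tpa):
    """Encode one 28-byte ARP/RARP message for Ethernet (HTYPE 1) carrying IPv4 (PTYPE 0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

def parse_arp(frame):
    """Pull the ARP message out of an Ethernet frame (header + payload, no preamble or FCS)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("Type field is not 0x0806; not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address lengths")
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

class ArpCache:
    """IP-to-physical bindings with the State and TTL fields described in the notes."""
    def __init__(self, my_ip, my_mac, ttl=300):
        self.my_ip, self.my_mac, self.ttl, self.entries = my_ip, my_mac, ttl, {}

    def lookup(self, ip, now):
        """Return the MAC if resolved and unexpired; otherwise mark pending (caller sends a Request)."""
        e = self.entries.get(ip)
        if e and e["state"] == "resolved" and now < e["expires"]:
            return e["mac"]
        self.entries[ip] = {"state": "pending", "mac": None, "expires": now + self.ttl}
        return None

    def handle(self, arp, now):
        """Process a received ARP message; return the ARP Reply to send, or None."""
        if arp["oper"] == ARP_REQUEST and arp["tpa"] == self.my_ip:
            # the requester's own binding comes for free; answer with our physical address
            self.entries[arp["spa"]] = {"state": "resolved", "mac": arp["sha"], "expires": now + self.ttl}
            return build_arp(ARP_REPLY, self.my_mac, self.my_ip, arp["sha"], arp["spa"])
        if arp["oper"] == ARP_REPLY and arp["tpa"] == self.my_ip:
            e = self.entries.get(arp["spa"])
            if e and e["state"] == "pending":   # accept only replies to a request we actually sent
                e.update(state="resolved", mac=arp["sha"], expires=now + self.ttl)
        return None
```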

• Proxy ARP (or Promiscuous ARP, or ARP Hack): see Figure 21.6 (p.617/[B]).
  – a router answers ARP requests intended for another host by supplying its own physical address, and accepts responsibility for forwarding packets.
  – e.g. one network address shared between two physical networks:
  – used in network security, mobile networking, etc.

D.8 HDLC and PPP

• HDLC (High-level Data Link Control) protocol:
  – published by ISO (ISO 33009, ISO 4335) for point-to-point and multi-drop links.
  – frame structure:
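PPP, covered next in this section, uses HDLC-like framing and byte stuffing for data transparency. As an added example that is not part of the original notes, the sender-side stuffing and the receiver-side deframing in Python; the flag octet 0x7E, the escape octet 0x7D and the XOR-0x20 rule are the PPP (RFC 1662) values and are assumed here, since the notes only cite the figure.

```python
FLAG, ESC = 0x7E, 0x7D   # PPP flag and control-escape octets (RFC 1662); assumed, the notes only cite the figure

def stuff(payload):
    """Byte stuffing: escape any flag or escape octet inside the data so it cannot end the frame early.
    (The async control-character map, which would also escape octets below 0x20, is not applied here.)"""
    out = bytearray()
    for b in payload:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ 0x20])   # escape, then the octet with bit 5 flipped
        else:
            out.append(b)
    return bytes(out)

def frame(payload):
    """One PPP frame: flag, stuffed data, flag (address/control/FCS fields omitted for brevity)."""
    return bytes([FLAG]) + stuff(payload) + bytes([FLAG])

def deframe(stream):
    """Receiver: split a byte stream on flags and undo the stuffing; returns (frames, aborted_count)."""
    frames, aborted, cur, esc, inframe = [], 0, bytearray(), False, False
    for b in stream:
        if b == FLAG:
            if esc:
                aborted += 1                       # a flag right after an escape aborts the frame
            elif inframe and cur:
                frames.append(bytes(cur))          # adjacent flags (an empty frame) are simply skipped
            cur, esc, inframe = bytearray(), False, True
        elif not inframe:
            continue                               # octets between frames are ignored
        elif esc:
            cur.append(b ^ 0x20)                   # restore the escaped octet
            esc = False
        elif b == ESC:
            esc = True
        else:
            cur.append(b)
    return frames, aborted
```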

• PPP (Point-to-Point Protocol):
  – a link-layer protocol operating over a point-to-point link, e.g., a serial dial-up (56K modem connection) telephone line, a SONET/SDH link, an X.25 connection, or an ISDN circuit.
  – using HDLC-like framing: see Figure 5.30 (p.516/[A]).
  – using byte stuffing to support data transparency: see Figure 5.31 (p.517/[A]).

D.9 Interconnection Devices

• Five categories of connecting devices: see Figure 15.1 (p.445/[B]).
  – Passive hub: just a connector (part of the medium).
  – Repeater or Hub: see Figures 15.2 (p.446/[B]), 15.3 (p.447/[B]), and 15.4 (p.448/[B]).
    ♦ physical-layer device
    ♦ bits coming from one link go out all other links at the same rate
    ♦ no frame buffering
    ♦ no CSMA/CD at the hub (adapters detect collisions)
    ♦ a regenerator (not an amplifier) connecting segments of a LAN
  – Bridge and Layer-2 Switch: see Figures 5.24 (p.505/[A]), 5.26 (p.507/[A]), 5.27 (p.508/[A]), 5.28 (p.509/[A]), 15.5 (p.448/[B]), and 15.6 (p.450/[B]).
    ♦ link-layer device interconnecting LAN segments
    ♦ providing frame forwarding and filtering (based on the MAC-level addresses)
    ♦ discarding corrupt frames (based on CRC)
    ♦ plug-and-play and self-learning
    ♦ transparent (hosts are unaware of the presence of layer-2 devices)
    ♦ e.g., bridged Ethernet, switched Ethernet (increasing the bandwidth and separating the collision domains on an Ethernet LAN): see Figures 13.15 & 13.16 (p.407/[B]), and 13.17 (p.408/[B]).

• Comparison of the typical features of popular interconnection devices: see Figure 5.29 (p.512/[A]) and Table 5.1 (p.513/[A]).
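An added example, not from the notes, of the bridge behaviour listed in D.9: a self-learning bridge that records which port each source MAC was seen on, forwards a frame to the learned port, filters it when the destination is on the same segment, floods it when the destination is unknown or broadcast, and discards frames whose CRC does not check. The port numbers, MAC addresses and aging time are constructed; the frame layout (14-byte header plus a CRC-32 trailer, no preamble) is an assumption of this example.

```python
import struct
import zlib

BROADCAST = b"\xff" * 6

def make_frame(dst, src, payload):
    """Constructed test frame: 14-byte header + payload + CRC-32 FCS (no preamble)."""
    body = dst + src + struct.pack("!H", len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body))

class LearningBridge:
    """Transparent, self-learning bridge: learns source MAC -> port, then forwards, filters or floods."""
    def __init__(self, ports, age=300):
        self.ports, self.age, self.table, self.dropped = list(ports), age, {}, 0

    def receive(self, in_port, frame, now):
        """Return the output ports for a frame that arrived on in_port (empty list = filtered or dropped)."""
        if struct.pack("<I", zlib.crc32(frame[:-4])) != frame[-4:]:
            self.dropped += 1                 # corrupt frame (bad CRC) is discarded, never forwarded
            return []
        dst, src = frame[:6], frame[6:12]
        self.table = {m: e for m, e in self.table.items() if e[1] > now}   # age out stale entries
        self.table[src] = (in_port, now + self.age)   # self-learning: src is reachable via in_port
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood all other ports
        if entry[0] == in_port:
            return []                                        # filter: destination is on the same segment
        return [entry[0]]                                    # forward to the one learned port
```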

Module E: Security in Data Communications and Networking

E.1 Network Security Services

• Recall: applying SS and CDMA to the Physical & Link layers.

• Security services: see Figure 31.1 (p.961/[B]); providing confidentiality, integrity, authentication, and nonrepudiation of messages; and entity authentication.

• Techniques used:
  – for messages and entities: Cryptography (or Encryption/Decryption algorithms); MD (Message Digest) techniques; MAC (Message Authentication Code) techniques; DS (Digital Signature) schemes
  – Note that for entity authentication, password-based authentication and challenge-response authentication techniques are used (beyond the scope of CS2105).
  – for the Internet: Firewalls; IPSec (IP Security protocols); SSL / TLS (Secure Sockets Layer / Transport Layer Security protocols); PGP (Pretty Good Privacy protocol); VPN (Virtual Private Network)

E.2 Cryptography

• Basis: see Figures 30.1 (p.931/[B]) and 8.2 (p.710/[A]).
  – the science and art of transforming messages to make them secure and immune to attacks.
  – using ciphers (to encrypt a plaintext by the sender and to decrypt a ciphertext by the receiver).

• Two categories: see Figure 30.2 (p.932/[B]).
  – symmetric-key cryptography: see Figures 30.3 (p.933/[B]) and 30.5 (p.934/[B]).
    ♦ sharing a secret key, e.g. a session key.
    ♦ commonly used ciphers: Traditional ciphers (character-oriented); Simple modern ciphers (bit-oriented); Modern round ciphers (involving multiple rounds)
  – asymmetric-key cryptography: see Figures 30.4 (p.933/[B]) and 8.6 (p.718/[A]).
    ♦ using one private key and one public key.
    ♦ common algorithms: RSA (Rivest/Shamir/Adleman) algorithm; Diffie-Hellman algorithm

• Examples to achieve message confidentiality or privacy: see Figures 31.2 (p.963/[B]) and 31.3 (p.964/[B]).

E.3 MD, MAC and DS

• MD: see Figures 31.4 (p.965/[B]) and 8.7 (p.724/[A]).
  – an electronic fingerprint generated from a message.
  – using a keyless hash function (e.g., SHA-1 or Secure Hash Algorithm 1) to generate a compressed image of the message (called a message digest or MDC – Modification Detection Code).
  – checking the integrity of the message: see Figure 31.5 (p.966/[B]).

• MAC: see Figures 31.9 (p.970/[B]) and 8.9 (p.726/[A]).
  – using a keyed hash function (e.g., HMAC – Hashed MAC algorithm based on SHA-1 with a symmetric key) to create a compressed digest from the message.

• DS:
  – using an asymmetric-key system, but with the private and public keys of the sender.
  – two ways to achieve:
    (i) signing the document or message: easier but less efficient; see Figures 31.11 (p.973/[B]), 8.10 (p.728/[A]), 8.11 (p.729/[A]) and 8.12 (p.730/[A]).
    (ii) signing the digest: see Figures 31.12 (p.974/[B]), 8.13 (p.732/[A]) and 8.14 (p.733/[A]).
  – providing message integrity, authentication, and nonrepudiation.

E.4 Security at the IP Layer (IPSec)

• IP security: see Figure 32.2 (p.996/[B]).

  – a collection of protocols designed by the IETF to provide security for Internet packets at the network layer.
  – flexible and extensible (allowing endpoints to choose algorithms and parameters, such as key size).

• Two modes:
  – transport mode: see Figure 32.3a (p.997/[B]).
    ♦ protecting information delivered from the transport layer to the network layer.
    ♦ normally used when host-to-host or end-to-end protection of data is needed: see Figure 32.4 (p.997/[B]).
  – tunnel mode: see Figure 32.3b (p.997/[B]).
    ♦ protecting the whole IP packet with a new IP header.
    ♦ normally used between two routers, or between a host and a router: see Figure 32.5 (p.998/[B]).

• Two security protocols: IPSec AH (Authentication Header) protocol; IPSec ESP (Encapsulating Security Payload) protocol

• IPSec AH protocol:
  – providing message/source authentication and integrity.
  – using a separate AH (Authentication Header) to carry authentication information:
  – consisting of the following steps: see Figures 32.6 (p.999/[B]) and 8.30 (p.756/[A]).
    (1) Add the Authentication Header to the payload and set the Authentication Data field to zero.
    (2) Add Padding to make the total length even for the particular hashing algorithm.
    (3) Perform hashing based on the total packet, not including mutable header fields.
    (4) Insert the Authentication Data (or digest) in the AH.
    (5) Add the IP Header and set the Protocol value to 51.

• IPSec ESP protocol:
  – providing message/source authentication, integrity, and privacy.
  – consisting of the following steps: see Figures 32.7 (p.1000/[B]) and 8.31 (p.757/[A]).
    (1) Add the ESP Trailer to the payload.
    (2) Encrypt the payload and the ESP Trailer.
    (3) Add the ESP Header (between the IP and TCP Headers).
    (4) Create authentication data using the ESP Header, the encrypted payload and the ESP Trailer.
    (5) Append the ESP Auth to the ESP Trailer.
    (6) Add the IP Header and set the Protocol value to 50.
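An added example, not from the notes, that serves both the E.3 MAC item and the AH steps (1)-(5) above: transport-mode AH carried out in Python with HMAC-SHA1 as the keyed hash, the receiver recomputing the digest with the mutable IPv4 fields zeroed. The HMAC-SHA1-96 truncation, the list of mutable fields, the SPI, the key and the addresses are assumptions or constructed values, and the IP header checksum is left at zero for brevity.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51   # Protocol value for AH, as in step (5) of the notes
HMAC_LEN = 12   # HMAC-SHA1-96 tag length (RFC 2404); an assumption, the notes do not fix the algorithm
# IPv4 mutable fields zeroed before hashing: TOS, flags/fragment offset, TTL, header checksum
MUTABLE = [(1, 2), (6, 8), (8, 9), (10, 12)]

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)

def zero_mutable(ip):
    h = bytearray(ip)
    for lo, hi in MUTABLE:
        h[lo:hi] = b"\x00" * (hi - lo)
    return bytes(h)

def ah_header(next_proto, spi, seq, icv):
    icv += b"\x00" * (-len(icv) % 4)          # (2) pad so the header is a multiple of 32 bits
    payload_len = (12 + len(icv)) // 4 - 2    # AH "payload length" = header words minus 2
    return struct.pack("!BBHII", next_proto, payload_len, 0, spi, seq) + icv

def ah_protect(key, src, dst, next_proto, payload, spi=0x1000, seq=1):
    """Transport-mode AH following steps (1)-(5) of the notes; returns the finished IPv4 packet."""
    ah0 = ah_header(next_proto, spi, seq, b"\x00" * HMAC_LEN)             # (1) Authentication Data = 0
    ip = ipv4_header(src, dst, AH_PROTO, 20 + len(ah0) + len(payload))   # immutable IP fields are hashed too
    icv = hmac.new(key, zero_mutable(ip) + ah0 + payload, hashlib.sha1).digest()[:HMAC_LEN]  # (3)
    return ip + ah_header(next_proto, spi, seq, icv) + payload           # (4) insert digest; (5) Protocol 51

def ah_verify(key, packet):
    """Receiver: recompute the keyed digest with the same mutable fields zeroed and compare."""
    ip, rest = packet[:20], packet[20:]
    if ip[9] != AH_PROTO:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    received = ah[12:12 + HMAC_LEN]
    ah0 = ah[:12] + b"\x00" * (ah_len - 12)
    expected = hmac.new(key, zero_mutable(ip) + ah0 + payload, hashlib.sha1).digest()[:HMAC_LEN]
    return hmac.compare_digest(received, expected)
```

A router decrementing TTL on the way does not break the check, because TTL is one of the zeroed mutable fields; any change to the payload or the immutable header fields does.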





• Tunneled versions:
  – AH –
  – ESP –

• IPSec security algorithms:

E.5 Firewalls

• Internet firewalls: see Figures 32.22 (p.1022/[B]) and 8.35 (p.764/[A]).
  – a router installed between the internal network of an organization and the global Internet for access control.
  – designed to forward some packets and filter others.

• Two popular commercial implementations:
  (i) Packet-filtering firewall: see Figure 32.23 (p.1022/[B]), Tables 8.4 (p.766/[A]) and 8.5 (p.767/[A]).
    – blocking or forwarding packets based on information in the network layer and transport layer headers.
    – filtering before packet routing.
    – e.g., in Figure 32.23 (p.1022/[B]): Interface 1: incoming packets from network 131.34.0.0, packets destined for any internal TELNET server, and packets destined for internal host 194.78.20.8 are blocked. Interface 2: outgoing packets destined for any HTTP server are blocked.
  (ii) Proxy firewall: see Figure 32.24 (p.1023/[B]).
    – also known as a proxy computer, or an application gateway.
    – providing protection at the application level.
    – custom-written application programs acting as both a client and a server, and serving as proxies to the actual applications.
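An added example, not from the notes, of the packet-filtering rules described for Figure 32.23 under (i): a rule table keyed on interface, direction, network-layer addresses and transport-layer port, evaluated over constructed packets. The network 131.34.0.0 is taken as a /16, TELNET and HTTP are matched by ports 23 and 80, and the internal addresses are constructed; all of these are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

# Header fields a packet filter looks at: interface, direction, IP addresses, transport protocol, destination port
Packet = namedtuple("Packet", "iface direction src dst proto dport")
Rule = namedtuple("Rule", "iface direction src_net dst_net dport action")

# Rule table reconstructed from the Figure 32.23 description in the notes. Assumptions not on the page:
# network 131.34.0.0 is taken as a /16, and TELNET/HTTP are matched by their well-known ports 23 and 80.
TELNET, HTTP = 23, 80
RULES = [
    Rule(1, "in", ipaddress.ip_network("131.34.0.0/16"), None, None, "block"),
    Rule(1, "in", None, None, TELNET, "block"),
    Rule(1, "in", None, ipaddress.ip_network("194.78.20.8/32"), None, "block"),
    Rule(2, "out", None, None, HTTP, "block"),
]

def matches(rule, pkt):
    """A rule matches when every field it constrains agrees with the packet header."""
    return (rule.iface == pkt.iface and rule.direction == pkt.direction
            and (rule.src_net is None or ipaddress.ip_address(pkt.src) in rule.src_net)
            and (rule.dst_net is None or ipaddress.ip_address(pkt.dst) in rule.dst_net)
            and (rule.dport is None or pkt.dport == rule.dport))

def decide(pkt):
    """First matching rule wins; a packet no rule blocks is forwarded (filtering happens before routing)."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule.action
    return "forward"

def apply_filter(packets):
    """Run the table over a batch of packets and return (packet, decision) pairs for the firewall log."""
    return [(p, decide(p)) for p in packets]
```

Note what the table cannot see: it decides on headers only, so an attack carried inside an allowed connection's application data is exactly the case the proxy firewall under (ii) exists for.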





E.6 Other Internet Security Technologies

• ssh (secure shell)
  – an application layer protocol (similar to TELNET) to support encryption of remote login (e.g., SSH Secure Shell Client on Windows).

•
  – a cryptographic system developed at MIT.
  – encrypting data before transmission.

• IDS (Intrusion Detection System)
  – monitoring all arriving packets and notifying the site administrator if a security violation is detected (e.g., detecting attacks such as port scanning, SYN flood, etc.).

• RADIUS (Remote Authentication Dial-In User Service)
  – a protocol used to provide centralized authentication, authorization, and accounting.
  – used by ISPs (for dial-up users, and VPN systems).

• PGP (Pretty Good Privacy)

• SSL (Secure Sockets Layer)
  – a security protocol designed by Netscape to provide security on the WWW, but not formally adopted by the IETF (a de facto standard).
  – residing at the same layer as the socket API (Application Program Interface for Internet communications).
  – consisting of a Handshake protocol (for negotiating security and authenticating the server to the browser) and a Data Exchange protocol (using a secret key to encrypt data).

• WEP (Wired Equivalent Privacy)
  – a Wi-Fi wireless LAN standard.
  – using an RC4 40-bit stream cipher to encrypt data and a 32-bit CRC to verify it.
  – replaced by WPA (Wi-Fi Protected Access).