
Computer Networks CSE 434 Fall 2009



Presentation Transcript


  1. Computer NetworksCSE 434 Fall 2009 Sandeep K. S. Gupta Arizona State University http://impact.asu.edu/cse434fa09.html http://impact.asu.edu Research Experience for Undergraduates (REU)

  2. Agenda • Quiz 2 • Protocol Layering (Cont.) • Summary Chapter 1 • Application Layer (Intro) • IP Addressing • DHCP – an example of App Layer Protocol Introduction

  3. Network Security (Cont. from Last Class)

  4. Network Security is essentially about providing:
  Confidentiality: only sender, intended receiver should "understand" message contents (sender encrypts message, receiver decrypts message)
  Authentication: sender, receiver want to confirm identity of each other
  Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
  Access and availability: services must be accessible and available to users

  5. Friends and enemies: Alice, Bob, Trudy
  well-known in network security world
  Bob, Alice (lovers!) want to communicate "securely"
  Trudy (intruder) may intercept, delete, add messages
  [Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel between them.]

  6. Who might Bob, Alice be? … well, real-life Bobs and Alices! Web browser/server for electronic transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?

  7. There are bad guys (and girls) out there!
  Q: What can a "bad guy" do?
  A: a lot!
  eavesdrop: intercept messages
  actively insert messages into connection
  impersonation: can fake (spoof) source address in packet (or any field in packet)
  hijacking: "take over" ongoing connection by removing sender or receiver, inserting himself in place
  denial of service: prevent service from being used by others (e.g., by overloading resources)
  And much more ....

  8. The language of cryptography
  symmetric key crypto: sender, receiver keys identical
  public-key crypto: encryption key public, decryption key secret (private)
  [Figure: plaintext m -> encryption algorithm with Alice's encryption key K_A -> ciphertext K_A(m) -> decryption algorithm with Bob's decryption key K_B -> plaintext m]

  9. Public key cryptography
  Bob's public key: K_B^+; Bob's private key: K_B^-
  [Figure: plaintext message m -> encryption algorithm with K_B^+ -> ciphertext K_B^+(m) -> decryption algorithm with K_B^- -> plaintext message m]
  m = K_B^-(K_B^+(m))

  10. Why is Security Difficult? Illustration using Authentication Example

  11. Authentication
  Goal: Bob wants Alice to "prove" her identity to him
  Protocol ap1.0: Alice says "I am Alice"
  Alice -> Bob: "I am Alice"
  Failure scenario??

  12. Authentication
  Goal: Bob wants Alice to "prove" her identity to him
  Protocol ap1.0: Alice says "I am Alice"
  In a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice:
  Trudy -> Bob: "I am Alice"

  13. Authentication: another try
  Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
  Alice -> Bob: [Alice's IP address | "I am Alice"]
  Failure scenario??

  14. Authentication: another try
  Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
  Trudy can create a packet "spoofing" Alice's address:
  Trudy -> Bob: [Alice's IP address (spoofed) | "I am Alice"]

  15. Authentication: another try
  Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
  Alice -> Bob: [Alice's IP addr | Alice's password | "I'm Alice"]
  Bob -> Alice: [Alice's IP addr | OK]
  Failure scenario??

  16. Authentication: another try
  Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
  Alice -> Bob: [Alice's IP addr | Alice's password | "I'm Alice"]
  Bob -> Alice: [Alice's IP addr | OK]
  playback attack: Trudy records Alice's packet and later plays it back to Bob
  Trudy -> Bob: [Alice's IP addr | Alice's password | "I'm Alice"] (recorded copy)

  17. Authentication: yet another try
  Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
  Alice -> Bob: [Alice's IP addr | encrypted password | "I'm Alice"]
  Bob -> Alice: [Alice's IP addr | OK]
  Failure scenario??

  18. Authentication: another try
  Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
  Alice -> Bob: [Alice's IP addr | encrypted password | "I'm Alice"]
  Bob -> Alice: [Alice's IP addr | OK]
  Trudy -> Bob: [Alice's IP addr | encrypted password | "I'm Alice"] (recorded copy)
  record and playback still works! (Bob only checks that the fixed ciphertext matches; nothing ties it to this session)

  19. Authentication: yet another try
  Goal: avoid playback attack
  Nonce: number (R) used only once-in-a-lifetime
  ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A-B(R)
  Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
  Failures, drawbacks?
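The replay against ap3.1 (slide 18) and the nonce fix of ap4.0 (slide 19), simulated end to end. This is an added example, not code from the original slides. Assumptions: the shared key K_A-B, the "encrypted password" blob and the message formats are constructed here; "R encrypted with the shared key" is modelled as HMAC-SHA256 over R, since all Bob needs is a keyed function that only a holder of K_A-B can evaluate. The `reuse_nonce` flag models the failure mode the slide's "used only once" wording is guarding against: a Bob that repeats R is open to replay again.

```python
import hashlib
import hmac
import secrets

# Constructed values for the simulation; nothing here comes from the slides.
SHARED_KEY = b"K_A-B: shared secret between Alice and Bob"
ENCRYPTED_PASSWORD = b"\x9f\x13ciphertext-of-alice-password"  # the fixed blob ap3.1 sends


def alice_ap31_message() -> bytes:
    """ap3.1: Alice's whole proof is a constant, so it can be recorded and replayed."""
    return b"I am Alice|" + ENCRYPTED_PASSWORD


def bob_ap31_verify(message: bytes) -> bool:
    """ap3.1 verifier: Bob only checks that the encrypted password matches."""
    return hmac.compare_digest(message, b"I am Alice|" + ENCRYPTED_PASSWORD)


def keyed_response(key: bytes, nonce: bytes) -> bytes:
    """Stand-in for "R encrypted with K_A-B": a keyed MAC over the nonce.
    Only someone holding the shared key can produce it for a given R."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def alice_ap40_respond(nonce: bytes) -> bytes:
    """Alice's side of ap4.0: answer Bob's challenge with K_A-B(R)."""
    return keyed_response(SHARED_KEY, nonce)


class BobAp40:
    """Bob's side of ap4.0: issue a fresh nonce, accept only a response bound to it."""

    def __init__(self, reuse_nonce: bool = False):
        self.reuse_nonce = reuse_nonce  # True models a broken Bob who repeats R
        self.pending = None             # the nonce currently awaiting an answer

    def challenge(self) -> bytes:
        if not (self.reuse_nonce and self.pending is not None):
            self.pending = secrets.token_bytes(16)  # 128 random bits: never repeats in practice
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False                # no outstanding challenge: nothing to answer
        expected = keyed_response(SHARED_KEY, self.pending)
        if not self.reuse_nonce:
            self.pending = None         # a nonce is used once, so R cannot be answered twice
        return hmac.compare_digest(response, expected)


def replay_against_ap31() -> bool:
    """Trudy records Alice's ap3.1 packet and plays it back. Returns True if Bob accepts."""
    recorded = alice_ap31_message()     # Trudy sniffs this from Alice's session
    return bob_ap31_verify(recorded)    # ... and Bob accepts it again later


def replay_against_ap40(reuse_nonce: bool = False) -> bool:
    """Trudy records one ap4.0 exchange and replays Alice's answer in a new session.
    Returns True if Bob accepts the replay."""
    bob = BobAp40(reuse_nonce=reuse_nonce)
    r1 = bob.challenge()
    recorded = alice_ap40_respond(r1)   # Trudy sniffs K_A-B(R1)
    assert bob.verify(recorded)         # the genuine session succeeds
    bob.challenge()                     # new session: Bob issues R2 (or repeats R1 if broken)
    return bob.verify(recorded)         # replaying K_A-B(R1) against the new challenge


if __name__ == "__main__":
    print("ap3.1 replay accepted:", replay_against_ap31())                        # True
    print("ap4.0 replay accepted:", replay_against_ap40())                        # False
    print("ap4.0 replay accepted, nonce reused:", replay_against_ap40(True))      # True
```

The point of the `reuse_nonce` branch: the protection in ap4.0 comes entirely from R being fresh and from Bob forgetting it after one answer. A verifier that caches or recycles challenges has quietly turned ap4.0 back into ap3.1.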

  20. Authentication: ap5.0
  ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
  ap5.0: use nonce, public key cryptography
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A^-(R)
  Bob -> Alice: "send me your public key"
  Alice -> Bob: K_A^+
  Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R

  21. ap5.0: security hole
  Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
  Between Trudy and Bob (Trudy posing as Alice):
  Trudy -> Bob: "I am Alice"
  Bob -> Trudy: R
  Trudy -> Bob: K_T^-(R)
  Bob -> Trudy: "Send me your public key"
  Trudy -> Bob: K_T^+   (Bob checks K_T^+(K_T^-(R)) = R and is satisfied)
  Between Alice and Trudy (Trudy posing as Bob):
  Alice -> Trudy: "I am Alice"
  Trudy -> Alice: R
  Alice -> Trudy: K_A^-(R)
  Trudy -> Alice: "Send me your public key"
  Alice -> Trudy: K_A^+
  Afterwards: Bob -> Trudy: K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice's public key: Trudy -> Alice: K_A^+(m); Alice recovers m = K_A^-(K_A^+(m))

  22. ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) • Difficult to detect: • Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) • problem is that Trudy receives all messages as well!
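Slides 20 to 22 in code: ap5.0 run against an honest Alice and against Trudy in the middle. This is an added example and not code from the original slides. It assumes textbook RSA with tiny constructed primes (a toy that shows the K^+/K^- algebra and is useless as real cryptography), constructed keys for Alice and Trudy, and a hypothetical `bob_ap50` verifier. The `pinned_public` option is added as the check a practitioner would want and is not something slide 22 states: Bob verifies against a copy of K_A^+ he obtained outside the conversation, which is exactly the hole Trudy exploits when he instead accepts whatever key the peer hands him.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ToyRSAKey:
    """Textbook RSA with tiny primes: enough to show the protocol logic, not real crypto."""
    n: int
    e: int  # public exponent: (n, e) is K^+
    d: int  # private exponent: K^-

    def public(self):
        return (self.n, self.e)


def toy_keygen(p: int, q: int, e: int = 17) -> ToyRSAKey:
    n, phi = p * q, (p - 1) * (q - 1)
    return ToyRSAKey(n, e, pow(e, -1, phi))  # d = e^-1 mod phi(n), requires Python 3.8+


def sign_nonce(key: ToyRSAKey, r: int) -> int:
    """K^-(R): apply the private key to the nonce."""
    return pow(r, key.d, key.n)


def recover_nonce(public, signed: int) -> int:
    """K^+(K^-(R)): apply whatever public key Bob is using."""
    n, e = public
    return pow(signed, e, n)


# Constructed keys (assumption: these values do not come from the slides).
ALICE_KEY = toy_keygen(61, 53)  # n = 3233
TRUDY_KEY = toy_keygen(47, 71)  # n = 3337
NONCE_BOUND = 2048              # below both moduli, so the toy RSA round-trips exactly


class Alice:
    """Honest Alice: answers whoever challenges her, then hands over K_A^+ on request."""

    def respond(self, r: int):
        return sign_nonce(ALICE_KEY, r), ALICE_KEY.public()


class Trudy:
    """Man in the middle: poses as Alice to Bob and as Bob to Alice."""

    def __init__(self):
        self.alice = Alice()
        self.alice_pub = None

    def respond(self, r: int):
        # Relay Bob's R to Alice so Alice believes she authenticated to Bob; keep K_A^+
        # so that m can later be re-encrypted for her (slide 21's last step).
        _, self.alice_pub = self.alice.respond(r)
        # Answer Bob with Trudy's own K_T^-(R) and K_T^+; Bob's check passes.
        return sign_nonce(TRUDY_KEY, r), TRUDY_KEY.public()


def bob_ap50(peer, pinned_public=None) -> bool:
    """Bob's side of ap5.0. With pinned_public=None Bob trusts whatever public key the peer
    sends (the slide's protocol); with a pinned K_A^+ he ignores the key the peer offers."""
    r = secrets.randbelow(NONCE_BOUND - 1) + 1      # fresh nonce R in [1, NONCE_BOUND)
    signed, offered_public = peer.respond(r)        # "I am Alice" / R / K^-(R) / "send me your key"
    public = pinned_public if pinned_public is not None else offered_public
    return recover_nonce(public, signed) == r       # K^+(K^-(R)) == R ?


if __name__ == "__main__":
    print("honest Alice accepted:", bob_ap50(Alice()))                                   # True
    print("Trudy in the middle accepted:", bob_ap50(Trudy()))                            # True
    print("Trudy against pinned K_A^+:", bob_ap50(Trudy(), ALICE_KEY.public()))          # False
    print("Alice against pinned K_A^+:", bob_ap50(Alice(), ALICE_KEY.public()))          # True
```

Note what the pinned check does and does not buy: it stops Trudy from substituting K_T^+, but it only helps if Bob's copy of K_A^+ really came from Alice, which is the key-distribution problem the slides defer to KR Chapter 8.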

  23. More on Network Security Later (KR Chapter 8)

  24. Protocol Layering (Cont. from Last Class)

  25. Protocol stack
  A set of protocol layers
  Each layer uses the layer below and provides a service to the layer above
  Key idea: once we define a service provided by a layer, we need know nothing more about the details of how the layer actually implements the service
  information hiding decouples changes

  26. The importance of layering
  Breaks up a complex problem into smaller manageable pieces
  can compose simple services to provide complex ones
  for example, WWW (HTTP) is layered over TCP over IP (and uses DNS, ARP, DHCP, RIP, OSPF, BGP, PPP, ICMP)
  Abstraction of implementation details
  separation of implementation and specification
  can change implementation as long as service interface is maintained
  Can reuse functionality
  upper layers can share lower layer functionality
  example: WinSock on Microsoft Windows

  27. Problems with layering
  Layering hides information
  if it didn't, then changes to one layer could require changes everywhere (layering violation)
  But sometimes hidden information can be used to improve performance
  for example, a flow/congestion control protocol (at transport layer) may think packet loss is always because of network congestion
  if it is, instead, due to a lossy link, the flow control breaks
  this is because we hid information about the reason for packet loss from the flow control protocol

  28. Internet protocol stack
  application: supporting network applications (FTP, SMTP, HTTP)
  transport: process-process data transfer (TCP, UDP)
  network: routing of datagrams from source to destination (IP, routing protocols)
  link: data transfer between neighboring network elements (PPP, Ethernet)
  physical: bits "on the wire"

  29. ISO/OSI reference model adds two more layers
  presentation: allow applications to interpret meaning of data, e.g., encryption, compression, machine-specific conventions
  session: synchronization, checkpointing, recovery of data exchange
  Internet stack "missing" these layers! these services, if needed, must be implemented in the application
  Needed?

  30. Why seven layers? And why did ISO-OSI fail?
  Need a top and a bottom -- 2
  Need to hide the physical link, so need datalink -- 3
  Need both end-to-end and hop-by-hop actions; so need at least the network and transport layers -- 5
  Session and presentation layers are not so important, and are often ignored
  So, we need at least 5, and 7 seems to be excessive
  ISO-OSI failed: designed by committee before actual implementation experience.

  31. Layering: Implementation Issue There is a tension between information-hiding (abstraction) and achieving good performance Art of protocol design is to leak enough information to allow good performance but not so much that small changes in one layer need changes to other layers

  32. Layering: Summary Breaks a complex problem into smaller, simpler pieces Provides the application with sophisticated services Each layer provides a clean abstraction to the layer above

  33. Summary – Chapter 1
  Networks are pervasive!
  Various types: PAN, LAN, WAN, MAN, ..
  Various networking technologies/standards: IEEE 802.11, Ethernet, WiMax
  Internet: network of networks
  Consists of various components: end-systems (hosts), routers, switches, links of various types (wireless, optical, satellite ..)
  Core of Internet versus edge of Internet
  Layered architecture – based on the principle "What happens in Vegas stays in Vegas"
  Performance – bandwidth, latency, reliability
  E2E B/W constrained by bottleneck link b/w
  E2E latency is sum of nodal processing, propagation, transmission, and queuing delay
  Various causes of errors: link errors (bit errors), packet losses (drops) in congested buffers.
  Security is important, cross-layer issues.

  34. And Some Summary --in Songs .

  35. Song: On the Net by Sarah E. Miller (based on "Over There" by G. Cohan) (http://www.poppyfields.net/filks/00176.html) (YouTube: "Over There" (George M. Cohan) sung by Ann Gibson)
  On the Net (to Over There) by Sarah Elizabeth Miller
  On the net, On the net,
  Hacking on All night long On the net.
  All the network systems, We're gonna list 'em
  And snarf anything that we can get.
  On the net, On the net,
  Hacking here, Hacking there On the net.
  We'll find a modem And then uncode 'em.
  Then we'll log into every system on the net.

  36. You Can't Rush the Net by Elliott Schiff (based on "You Can't Hurry Love" by D. Ross and the Supremes - YouTube) http://www.poppyfields.net/filks/00271.html
  I need Netscape... To surf the web
  I need to find, find... Some software on line
  The F-A-Q said
  You can't rush the net... No, you just have to wait
  It said GIFs don't come quickly... Even with 56K
  You can't rush the net... No you just have to wait
  It takes a lot of time... To download from Ohio State
  But how many searches... Must I do
  To get the software... that I can use
  But every single time... That I try to call
  I get a busy sign... Coming from the phone
  But the F-A-Q said
  You can't rush the net... No you just have to wait
  It said GIFs don't come quickly... even with 56K
  How long must I wait... How much RAM will this take
  Before a core dump... will cause my-y
  Disk to break.
  No, I don't know... What is going wrong
  It's a world wide wait... And it takes so long
  But when the download... Is almost done
  That A-O-L... Keeps on hangin' up
  You can't rush the net... No, you just have to wait
  It said GIFs don't come quickly... Even with 56K
  You can't rush the net... No you just have to wait
  It takes a lot of time... To download from Ohio State
  Four-oh-four... Site is not found
  But I keep on booing... And keep on hissing
  At the programmer... To relink the site
  For the support team... To set it all right
  I keep on pointing... I keep on clicking
  But it keeps stalling... It keeps stalling
  But the F-A-Q said
  You can't rush the net... No you just have to wait
  It takes a lot of time... To download from Ohio State
  You can't rush the net... No, you just have to wait
  It said GIFs don't come quickly... Even with 56K

  37. Application Layer?
  Where network applications and application layer protocols reside.
  Top layer in the Internet stack
  Only on the edge of the network

  38. Creating a network app
  write programs that run on (different) end systems and communicate over the network
  e.g., web server software communicates with browser software
  No need to write software for network-core devices
  network-core devices do not run user applications
  applications on end systems allow for rapid app development, propagation
  [Figure: three end systems, each running the full application/transport/network/data link/physical stack, connected through a network core]

  39. KR Chapter 2: Application Layer
  Our goals:
  conceptual, implementation aspects of network application protocols: transport-layer service models, client-server paradigm, peer-to-peer paradigm
  learn about protocols by examining popular application-level protocols: HTTP, FTP, SMTP / POP3 / IMAP, DNS
  programming network applications: socket API

  40. Additionally KR Ch4: DHCP, Addressing Issues

  41. Some network apps: e-mail, web, instant messaging, remote login, P2P file sharing, multi-user network games, streaming stored video clips, voice over IP, real-time video conferencing, grid computing

  42. Application architectures: client-server; peer-to-peer (P2P); hybrid of client-server and P2P

  43. Client-server architecture
  server: always-on host; permanent IP address; server farms for scaling
  clients: communicate with server; may be intermittently connected; may have dynamic IP addresses; do not communicate directly with each other

  44. Pure P2P architecture
  no always-on server
  arbitrary end systems directly communicate
  peers are intermittently connected and change IP addresses
  highly scalable but difficult to manage

  45. Hybrid of client-server and P2P
  Skype: voice-over-IP P2P application; centralized server: finding address of remote party; client-client connection: direct (not through server)
  Instant messaging: chatting between two users is P2P; centralized service: client presence detection/location (user registers its IP address with central server when it comes online; user contacts central server to find IP addresses of buddies)

  46. Example of App Layer Protocol: DHCP

  47. IP Addressing [KR Ch4]
  IP address: 32-bit identifier for host, router interface
  interface: connection between host/router and physical link
  routers typically have multiple interfaces; a host typically has one interface
  IP addresses associated with each interface
  [Figure: interfaces with addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.9; 223.1.3.1, 223.1.3.2, 223.1.3.27]
  223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)
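The dotted-decimal notation of slide 47 handled as a 32-bit value, as an added example that is not part of the original slides. It goes a little beyond the slide: besides rendering an address as the four 8-bit groups shown above, `parse_ipv4` rejects the malformed forms a permissive parser would silently accept (too few or too many octets, values over 255, leading zeros that some libraries read as octal), and `group_by_prefix` sorts the figure's addresses by their leading bits, which is how the three 223.1.x groups in the figure fall out. The address list is copied from the figure; the function and parameter names are this example's own.

```python
from collections import defaultdict

# The interface addresses drawn on slide 47.
FIGURE_ADDRESSES = [
    "223.1.1.2", "223.1.3.27", "223.1.3.1", "223.1.3.2", "223.1.2.2",
    "223.1.2.1", "223.1.1.1", "223.1.2.9", "223.1.1.4", "223.1.1.3",
]


def parse_ipv4(text: str) -> int:
    """Parse dotted-decimal text into the 32-bit integer it names; reject anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    value = 0
    for part in parts:
        # Digits only, and no leading zeros: "010" is octal to some parsers and 10 to others,
        # so an address that is ambiguous between implementations is refused outright.
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {octet} out of range in {text!r}")
        value = (value << 8) | octet   # shift the previous octets up 8 bits, append this one
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4: 32-bit integer back to dotted decimal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(text: str) -> str:
    """Render the address as the slide does: 223.1.1.1 -> '11011111 00000001 00000001 00000001'."""
    value = parse_ipv4(text)
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def group_by_prefix(addresses, prefix_len: int = 24) -> dict:
    """Group addresses whose leading prefix_len bits agree, keyed by that prefix in dotted form."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF   # top prefix_len bits set
    groups = defaultdict(list)
    for address in addresses:
        groups[to_dotted(parse_ipv4(address) & mask)].append(address)
    return dict(groups)


if __name__ == "__main__":
    print("223.1.1.1 =", to_binary("223.1.1.1"))
    for prefix, members in sorted(group_by_prefix(FIGURE_ADDRESSES).items()):
        print(prefix, "->", members)
```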

  48. IP addresses: how to get one?
  Q: How does a host get an IP address?
  hard-coded by system admin in a file
  Windows: control-panel->network->configuration->tcp/ip->properties
  UNIX: /etc/rc.config
  DHCP: Dynamic Host Configuration Protocol: dynamically get address from a server ("plug-and-play")
  More ways - later

  49. DHCP [RFC2131] “In computer networking, the Dynamic Host Configuration Protocol (DHCP) is a network application protocol used by devices (DHCP clients) to obtain configuration information for operation in an Internet Protocol network. This protocol reduces system administration workload, allowing networks to add devices with little or no manual intervention.” http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

  50. A Note on Request for Comments (RFCs)
  The RFC Editor of the Internet Society oversees the RFCs: http://www.rfc-editor.org. Allows search by name, title, author, number.
  Note: Internet RFCs can be updated or obsoleted by later RFCs.
  See The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force (http://www.ietf.org/tao.html), section 8.1: "Getting an RFC published", for how an Internet-Draft (ID) becomes an IETF standard and is published as an RFC by the RFC Editor.
  Various types of RFCs (proposed standard, draft standard, full standard, best current practices, informational documents, experimental protocol, historic documents).
