
Chapter 19

Chapter 19: Protocol architecture, by David G. Messerschmitt. Summary: network architecture, Internet protocols, some network security issues.



Presentation Transcript


  1. Chapter 19 by David G. Messerschmitt

  2. Protocol architecture by David G. Messerschmitt

  3. Summary • Network architecture • Internet protocols • Some network security issues

  4. Key ideas • Packet encapsulation: one packet can be encapsulated in another • Packet fragmentation: one packet can be split into two or more packets and encapsulated • Protocol layering: one service can be layered on another by fragmentation and encapsulation

  5. [Diagram] Packet encapsulation: a new header is prepended to the original packet, so the original packet (including its header) becomes the payload of the new packet; the encapsulated packet can in turn be encapsulated again.

  6. [Diagram] Packet fragmentation: the original packet (header plus payload) is divided into packet fragments, each carried in a new packet, and the fragments are reassembled into the original packet at the far end.

  7. [Diagram] Protocol layering: layer n+1 on each side communicates logically peer-to-peer; each layer n+1 packet, including its layer n+1 protocol header, is encapsulated behind a layer n protocol header.

  8. Layered protocol modularity • Layer n+1 protocol is logically peer-to-peer • Layer n+1 protocol depends on services of layer n • Layer n+1 packets are encapsulated in layer n packets • Layer n+1 never sees layer n packet headers • Layer n ignores layer n+1 packet headers (part of payload)

  9. Key ideas (again) • Packet encapsulation: one packet can be encapsulated in another • Packet fragmentation: one packet can be split into two or more packets and encapsulated • Protocol layering: one service can be layered on another by fragmentation and encapsulation
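The three key ideas carried through in working code, as an added illustration rather than code from the course: the byte formats (a layer n+1 header followed by its payload, and a constructed 6-byte layer n header holding packet id, fragment index and fragment count) and the layer n length limit are assumptions made for the example.

```python
"""Packet encapsulation, fragmentation and layering (slides 4-9).
Added example; the header formats and the length limit are constructed."""
import struct

MAX_LAYER_N_PAYLOAD = 8                  # constructed network policy: layer n length limit
LAYER_N_HEADER = struct.Struct("!HHH")   # packet id, fragment index, fragment count

def encapsulate(upper_header: bytes, upper_payload: bytes) -> bytes:
    """Layer n+1 packet: its own header followed by its payload."""
    return upper_header + upper_payload

def fragment(upper_packet: bytes, packet_id: int) -> list:
    """Layer n carries the whole layer n+1 packet (header included) as opaque
    payload, splitting it into fragments when it exceeds the length limit."""
    chunks = [upper_packet[i:i + MAX_LAYER_N_PAYLOAD]
              for i in range(0, len(upper_packet), MAX_LAYER_N_PAYLOAD)]
    return [LAYER_N_HEADER.pack(packet_id, idx, len(chunks)) + chunk
            for idx, chunk in enumerate(chunks)]

def reassemble(lower_packets: list) -> bytes:
    """Strip the layer n headers and rebuild the layer n+1 packet. Fragments
    may arrive in any order; a missing or foreign fragment is an error."""
    pieces, ids, count = {}, set(), None
    for pkt in lower_packets:
        pid, idx, total = LAYER_N_HEADER.unpack(pkt[:LAYER_N_HEADER.size])
        ids.add(pid)
        count = total
        pieces[idx] = pkt[LAYER_N_HEADER.size:]
    if len(ids) != 1 or count is None or set(pieces) != set(range(count)):
        raise ValueError("incomplete or inconsistent fragment set")
    return b"".join(pieces[i] for i in range(count))

def decapsulate(upper_packet: bytes, header_len: int) -> tuple:
    """Layer n+1 reads back its own header, which layer n never interpreted."""
    return upper_packet[:header_len], upper_packet[header_len:]

def round_trip(upper_header: bytes, upper_payload: bytes, packet_id: int = 1) -> tuple:
    """Encapsulate, fragment, deliver the fragments reversed (a constructed
    reordering on the wire), reassemble and decapsulate."""
    lower = fragment(encapsulate(upper_header, upper_payload), packet_id)
    return len(lower), decapsulate(reassemble(list(reversed(lower))), len(upper_header))
```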

  10. [Diagram] IETF/OMG layers. Logical view: Application over ORB over IIOP over TCP or UDP over IP, on Host A and Host B. Physical view: IP runs on Host A, the switch and Host B, joining Network 1 and Network 2.

  11. [Diagram] Internet, logical view: the Application and TCP or UDP layers on Host A and Host B communicate peer-to-peer. The constituent networks are not visible to the application; TCP/UDP does not reside in packet switches.

  12. [Diagram] Internet, physical view: IP on Host A, the switch and Host B, spanning Network 1 and Network 2. IP serves to connect heterogeneous networks into an internetwork.

  13. What IP does do • Allow packets to traverse multiple networks • Deliver packet to specified destination host • Best effort: deliver as reliably and as soon as it can

  14. What IP doesn't do • Guarantee latency for packets that are delivered • Guarantee delivery, or notify the source host if a packet is not delivered • Guarantee order of delivery • Guarantee integrity of the packet payload • Maintain conversational context (each packet is independent) • Specify which process should receive the packet at the destination host

  15. [Diagram] IP header, drawn 32 bits wide (the IPv6 layout): Version, Priority, FlowLabel, PayloadLen, NextHeader, HopLimit, SourceAddress, DestinationAddress

  16. Transport services: UDP and TCP • Direct packet to a particular process • UDP adds: • Payload integrity for packets delivered • TCP adds: • Reliable delivery of bytestream session

  17. [Diagram] Comparison of services: IP is host-to-host; TCP and UDP are process-to-process. IP: best-effort datagram. UDP: best-effort datagram with payload integrity. TCP: reliable bi-directional bytestream (a continuous sequence of bytes).

  18. [Diagram] UDP/TCP ports (publish/subscribe): IP delivers host-to-host; a port on each host identifies the process. The UDP or TCP header begins with SourcePort and DestinationPort (32 bits together), followed by the rest of the UDP or TCP header, and is encapsulated in an IP packet.

  19. HTTP service • Client can make requests: GET (pull), POST (push), and some others • Server responds with HTTP headers and an HTML document, or a JPEG, or a GIF, or ...

  20. URL structure: <scheme>://<host>:<port>/<path> • Scheme: HTTP, FTP, GOPHER, MAILTO, ... • Host: an IP address or DNS name • Port: TCP port number, optional (defaults to 80 for http)

  21. HTTP example • When a browser fetches http://www.si.umich.edu/~presnick/ • http:// says to use HTTP protocol • Resolve www.si.umich.edu in DNS • 141.211.203.34 • Make TCP connection • 141.211.203.34, port 80 • Send the following text string • GET /~presnick/

  22. Server sends back:
      HTTP/1.1 200 OK
      Date: Mon, 22 Dec 1997 15:12:32 GMT
      Server: Apache/1.2.4
      Last-Modified: Thu, 04 Dec 1997 16:26:10 GMT
      ETag: "5f2f2-33fd-3486d9a2"
      Content-Length: 13309
      Accept-Ranges: bytes
      Connection: close
      Content-Type: text/html
      <HTML> ….
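The exchange of slides 20-22 in code, as an added example that is not the course's own: parse a URL of the form <scheme>://<host>:<port>/<path>, build the text the browser sends once the TCP connection is up, and parse the server's reply. The reply is embedded as a constructed string copied from slide 22, so the example runs offline with no DNS lookup or TCP connection.

```python
"""URL parsing, HTTP request construction and response parsing (slides 20-22).
Added example; SERVER_REPLY is a constructed copy of the slide 22 text."""
import re

DEFAULT_PORTS = {"http": 80}   # slide 20: port is optional, defaults to 80 for http

def parse_url(url: str) -> dict:
    """<scheme>://<host>:<port>/<path>, with port and path optional."""
    m = re.fullmatch(r"([A-Za-z][A-Za-z0-9+.-]*)://([^/:]+)(?::(\d+))?(/.*)?", url)
    if not m:
        raise ValueError("not a <scheme>://<host>:<port>/<path> URL")
    scheme, host, port, path = m.groups()
    scheme = scheme.lower()
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else DEFAULT_PORTS.get(scheme),
            "path": path or "/"}

def build_request(url: str) -> str:
    """Slide 21 shows only the request line 'GET /~presnick/'; an HTTP/1.1
    client also sends the protocol version and a Host header."""
    u = parse_url(url)
    return f"GET {u['path']} HTTP/1.1\r\nHost: {u['host']}\r\nConnection: close\r\n\r\n"

def parse_response(raw: str) -> tuple:
    """Split the reply into status code, reason, headers (names lower-cased,
    since HTTP header names are case-insensitive) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), reason, headers, body

SERVER_REPLY = ("HTTP/1.1 200 OK\r\n"
                "Date: Mon, 22 Dec 1997 15:12:32 GMT\r\n"
                "Server: Apache/1.2.4\r\n"
                "Last-Modified: Thu, 04 Dec 1997 16:26:10 GMT\r\n"
                'ETag: "5f2f2-33fd-3486d9a2"\r\n'
                "Content-Length: 13309\r\n"
                "Accept-Ranges: bytes\r\n"
                "Connection: close\r\n"
                "Content-Type: text/html\r\n"
                "\r\n"
                "<HTML> ....")   # body truncated, as on the slide
```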

  23. HTML <H1> Paul Resnick</H1> <IMG SRC="RESNICK.gif" ALT="[PHOTO]" HSPACE=10 ALIGN=LEFT> <BR>Associate Professor <BR>University of Michigan <BR>School of Information <BR>314 West Hall <BR>550 East University Avenue <BR>Ann Arbor, MI 48109-1092 <BR>presnick@umich.edu

  24. What browsers send to servers • Your IP address • The browser type • The referer link: what URL you last looked at • Cookies (persistent client state for a URL) • Server response can include a set-cookie header • Browser saves the cookie • Browser resends it to the server next time

  25. How TCP works by David G. Messerschmitt

  26. [Diagram] Aggregating byte stream: original bytes are aggregated and encapsulated in TCP packets, with a sequence number included in the TCP header. The TCP packets are encapsulated in IP packets.

  27. TCP connections • TCP establishes a session with ordered and bidirectional reliable delivery of bytes • Establishment: • Inform receiving port of connection • Initialize packet sequence number • Congestion and flow control state • Disestablishment • By either peer • Free state and resources

  28. HTTP uses TCP • Often have to request another page • e.g., image • HTTP/1.0 requires a new TCP session for each • Overhead of session establishment • HTTP/1.1 permits reuse of one TCP session for multiple requests

  29. [Diagram] Reliable packet delivery, acknowledgement and resending: the destination returns an ACK for each packet it receives; when IP loses a packet, no ACK comes back, the source times out and resends. IP is used to send the TCP packets and return the ACKs.

  30. [Diagram] Concurrent tasks for higher throughput: the source keeps several packets (tasks) outstanding at once, each awaiting its own ACK; packets can be reordered at the destination using the sequence number.

  31. TCP Congestion • If link is congested • Switch queue for that link fills up • Drops packets • Source resends non-ACK’ed packets • Makes congestion worse

  32. TCP congestion control • Voluntary source-imposed policy • Source controls the number of non-ACK'ed packets that have been sent • Controls the number of concurrent sends, and hence packet throughput • Slow start: slowly increase rate • Monitor non-ACKs and delay of ACKs to estimate congestion • Quickly decrease if congestion detected

  33. TCP congestion control flaws • “Fairness criterion” • Maybe “equal division” of resources is not what is wanted • Estimating congestion by retransmission is flawed for wireless links • Depends on accurate implementation -- cheating possible • Application can avoid congestion control by using UDP

  34. TCP flow control • Recall that this is to keep the recipient from being overwhelmed • Recipient must control the source • Recipient explicitly requests a lower send rate • MaxUnackedPackets is a parameter of the ACKs
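Slides 29 through 34 in one simulation, added here as an illustration and not code from the course: a source with a window of non-ACK'ed packets, sequence numbers that let the destination reorder, timeout and resend after loss, a congestion window that slow-starts and halves when congestion is detected, and a receiver-imposed MaxUnackedPackets cap. The lossy channel is constructed: packets listed in drop_first_try are lost by IP the first time they are sent, and the round structure (one round trip per loop iteration) is a simplification.

```python
"""TCP-style reliable delivery with congestion and flow control (slides 29-34).
Added example; the channel and round model are constructed for illustration."""

def simulate(num_packets, drop_first_try=(), max_unacked=8, cwnd_cap=64):
    """Return (delivered sequence numbers, total transmissions, cwnd per round).

    max_unacked plays the role of the receiver's MaxUnackedPackets (flow
    control); cwnd is the source's congestion window. The source may keep
    min(cwnd, max_unacked) packets outstanding, i.e. sent but not ACKed.
    """
    cwnd = 1                     # slow start begins with one packet in flight
    next_seq = 0
    unacked = {}                 # seq -> times transmitted so far (still awaiting ACK)
    received = set()             # sequence numbers the destination holds
    delivered = []               # handed to the application, in sequence order
    transmissions = 0
    trace = []
    while len(delivered) < num_packets:
        window = min(cwnd, max_unacked)
        # Source: fill the window with new packets
        while len(unacked) < window and next_seq < num_packets:
            unacked[next_seq] = 0
            next_seq += 1
        # One round trip: every outstanding packet is (re)sent; lost ones get no ACK
        lost = False
        for seq in list(unacked):
            unacked[seq] += 1
            transmissions += 1
            if unacked[seq] == 1 and seq in drop_first_try:
                lost = True              # IP lost it; the timeout resends it next round
                continue
            received.add(seq)            # ACK returned, packet leaves the window
            del unacked[seq]
        # Destination: reorder by sequence number, deliver the contiguous prefix
        while len(delivered) in received:
            delivered.append(len(delivered))
        trace.append(cwnd)
        if lost:
            cwnd = max(1, cwnd // 2)         # congestion detected: quickly decrease
        else:
            cwnd = min(cwnd_cap, cwnd * 2)   # slow start: grow while ACKs keep coming
    return delivered, transmissions, trace

if __name__ == "__main__":
    print(simulate(6, drop_first_try={2}))   # packet 2 lost once, then resent
```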

  35. Multicasting • So far, we've assumed node A sends to B • Multicasting: node A sends the same message to B, C, and D • Could set up A-B, A-C, and A-D connections • But A becomes a bottleneck • Handling ACKs and resends • And it's inefficient • Some intermediate nodes may receive the message several times • Multicast protocols try to have A send only once • Intermediate nodes do more work [Diagram: A sending to B, C and D]

  36. Domain Name System by David G. Messerschmitt

  37. [Diagram] DNS name hierarchy: the "root" name server (NS) delegates to the berkeley.edu NS, which delegates to the eecs.berkeley.edu and sims.berkeley.edu name servers; hosts sit beneath these domains.

  38. [Diagram] Delegate name search to local name server: a host (tj.watson.ibm.com) asks its local name server (the watson.ibm.com NS) for info.sims.berkeley.edu; the local server queries the "root" NS, then the berkeley.edu NS, then the sims.berkeley.edu NS. The local server caches recent search results.

  39. Supplements by David G. Messerschmitt

  40. Network security by David G. Messerschmitt

  41. Network security • Some things to worry about: • Sniffing • Spoofing • Security flaws in public servers

  42. Improving security • Security tools covered earlier • Firewalls: a place where security policies can be enforced • Who gains access • What servers (ports) can be accessed • What hosts can be accessed • What protocols can pass • Other security policies can be enforced

  43. [Diagram] Protected enclave: global Internet, then the first firewall, then the public (bastion) hosts, then a second firewall, then the internal hosts.

  44. Problems with firewalls • “Benign internal users” assumption is naïve • Obstacle to deployment of innovative applications and services • Increasingly organizations want to extend extranet to suppliers and customers • Solution: resource-based rather than enclave-based security • Analogy: border patrol not enough, need secure buildings and vehicles, guards, police, etc.
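A policy evaluator for the two-firewall enclave of slides 42-44, added as an example and not the course's code. The addresses (documentation ranges), zones and rules are constructed: the first firewall sits between the global Internet and the bastion hosts, the second between the bastion hosts and the internal hosts; each rule states who may reach which host, port and protocol, and anything unmatched is denied. Traffic that stays inside one zone crosses no firewall, which is exactly the "benign internal users" assumption slide 44 calls naive.

```python
"""Firewall policy evaluation for a bastion-host enclave (slides 42-44).
Added example; addresses, zones and rules are constructed."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
BASTION = ip_network("203.0.113.0/28")   # constructed documentation-range addresses
INTERNAL = ip_network("10.0.0.0/8")

# Rules: (source, destination, protocol, destination port or None, action).
# First match wins; a packet matching no rule is denied.
OUTER_RULES = [
    (ANY, BASTION, "tcp", 80, "allow"),         # which server ports the public may reach
    (ANY, BASTION, "tcp", 443, "allow"),
    (BASTION, ANY, "tcp", None, "allow"),       # bastions may talk outward
]
INNER_RULES = [
    (BASTION, INTERNAL, "tcp", 5432, "allow"),  # bastion to the internal database only
    (INTERNAL, BASTION, "tcp", None, "allow"),
]
FIREWALLS = [OUTER_RULES, INNER_RULES]          # firewall i sits between zone i and i+1
ZONES = ["internet", "bastion", "internal"]

def zone(addr: str) -> str:
    a = ip_address(addr)
    return "internal" if a in INTERNAL else "bastion" if a in BASTION else "internet"

def evaluate(rules, src: str, dst: str, proto: str, dport: int) -> str:
    """Decision of one firewall for one packet: who, which host, which port, which protocol."""
    s, d = ip_address(src), ip_address(dst)
    for rsrc, rdst, rproto, rport, action in rules:
        if s in rsrc and d in rdst and proto == rproto and rport in (None, dport):
            return action
    return "deny"

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Apply every firewall on the packet's path; all of them must allow it.
    Same-zone traffic never reaches a firewall and is returned as 'unfiltered'."""
    lo, hi = sorted((ZONES.index(zone(src)), ZONES.index(zone(dst))))
    if lo == hi:
        return "unfiltered"
    for rules in FIREWALLS[lo:hi]:
        if evaluate(rules, src, dst, proto, dport) == "deny":
            return "deny"
    return "allow"
```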

  45. Where to use encryption • Per link (wireless) • Firewall-to-firewall (extranet) • Host-to-host (IPsec) • Process-to-process (TCP-SSL) • Application What are some strengths and weaknesses in these approaches?

  46. Packet structure • Payload: • Data for application • Ignored by network and protocol • (Qualification: may also be encapsulated packet) • Header: • Information for switches • Serves as protocol message Packet length limited by network policy

  47. [Diagram] Protocol endpoints: IP is host-to-host; TCP and UDP are process-to-process. The internetworking layer focuses on getting datagrams from one host to another; the transport layer focuses on process-to-process communication services.

  48. Addresses vs. names • Address specifies the topological location of a host to the network: 128 bits, (network, host) • Name is easy to remember or construct and reflects administrative boundaries, e.g. info.sims.berkeley.edu

  49. Issues in congestion control • Social issue: how do we divide limited network resources among users/applications? • Approaches: • Voluntary (e.g. UDP) • “Bad citizen” is rewarded • Policy driven (e.g. TCP) • Incentivized (e.g. pricing)

  50. Advantages of pricing-based congestion control • Policies can never take into account the “importance” of traffic • Users and applications are forced to consider the common resource implications of their actions • Users and applications can choose the most “important” traffic for periods of congestion • Shift other traffic to off-peak times • Source of revenue to expand capacity
