Announcement

About This Presentation

Transcript and Presenter's Notes

Title: Announcement

1
Announcement

Take-home final
Final can be picked up in my office (Room 356)
starting Monday, 3/14, 10am-1159am
Final should be returned by Thursday 3/17,
1159am
Closed Book
One 8.5 by 11 sheet of paper permitted (single
side)
Cover network layer, data link layer and network
security

2
Last class

CDMA and IEEE 802.11 wireless LANs
Network security
Today
Network security (cont.)
Review for final

3
What is network security?

Confidentiality only sender, intended receiver
should understand message contents
sender encrypts message
receiver decrypts message
Authentication sender, receiver want to confirm
identity of each other
Message Integrity sender, receiver want to
ensure message content not altered (in transit,
or afterwards) without detection
Access and Availability services must be
accessible and available to users

4
The language of cryptography
Alices encryption key
Bobs decryption key
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext

symmetric key crypto sender, receiver keys
identical
public-key crypto encryption key public,
decryption key secret (private)

5
Public Key Cryptography

symmetric key crypto
requires sender, receiver know shared secret key
Q how to agree on key in first place
(particularly if never met)?

public key cryptography
radically different approach Diffie-Hellman76,
RSA78
sender, receiver do not share secret key
public encryption key known to all
private decryption key known only to receiver

6
Public key cryptography

Bobs public key
K
B
-
Bobs private key
K
B
encryption algorithm
decryption algorithm
plaintext message
plaintext message, m
ciphertext
7
Public key encryption algorithms
Requirements
.
.

-

need K ( ) and K ( ) such that

B
B

given public key K , it should be impossible to
compute private key K
B
-
B

Also, given
it should be impossible to determine m
and
8
RSA Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n pq, z (p-1)(q-1)
3. Choose e (with eltn) that has no common
factors with z. (e, z are relatively prime).
4. Choose d such that ed-1 is exactly divisible
by z. (in other words ed mod z 1 ).
5. Public key is (n,e). Private key is (n,d).
9
RSA Encryption, decryption
0. Given (n,e) and (n,d) as computed above
2. To decrypt received bit pattern, c, compute
d
(i.e., remainder when c is divided by n)
Magic happens!
c
10
RSA example
Bob chooses p5, q7. Then n35, z24.
e5 (so e, z relatively prime). d29 (so ed-1
exactly divisible by z.
e
m
m
letter
encrypt
l
12
1524832
17
c
letter
decrypt
17
12
l
481968572106750915091411825223071697
11
RSA Why is that
Useful number theory result If p,q prime and n
pq, then
(using number theory result above)
(since we chose ed to be divisible by (p-1)(q-1)
with remainder 1 )
12
RSA another important property
The following property will be very useful later
use public key first, followed by private key
use private key first, followed by public key
Result is the same!
13
Overview

What is network security?
Principles of cryptography
Authentication
Access control firewalls
Attacks and counter measures

14
Authentication

Goal Bob wants Alice to prove her identity to
him

Protocol ap1.0 Alice says I am Alice
I am Alice
Failure scenario??
15
Authentication

Goal Bob wants Alice to prove her identity to
him

Protocol ap1.0 Alice says I am Alice
in a network, Bob can not see Alice, so Trudy
simply declares herself to be Alice
I am Alice
16
Authentication another try
Protocol ap2.0 Alice says I am Alice in an IP
packet containing her source IP address
Failure scenario??
17
Authentication another try
Protocol ap2.0 Alice says I am Alice in an IP
packet containing her source IP address
Trudy can create a packet spoofing Alices
address
18
Authentication another try
Protocol ap3.0 Alice says I am Alice and sends
her secret password to prove it.
Failure scenario??
19
Authentication another try
Protocol ap3.0 Alice says I am Alice and sends
her secret password to prove it.
Alices password
Alices IP addr
Im Alice
playback attack Trudy records Alices packet and
later plays it back to Bob
20
Authentication yet another try
Protocol ap3.1 Alice says I am Alice and sends
her encrypted secret password to prove it.
Failure scenario??
21
Authentication another try
Protocol ap3.1 Alice says I am Alice and sends
her encrypted secret password to prove it.
encrypted password
Alices IP addr
record and playback still works!
Im Alice
22
Authentication yet another try
Goal avoid playback attack
Nonce number (R) used only once in-a-lifetime
ap4.0 to prove Alice live, Bob sends Alice
nonce, R. Alice must return R, encrypted with
shared secret key
I am Alice
R
Alice is live, and only Alice knows key to
encrypt nonce, so it must be Alice!
Failures, drawbacks?
23
Authentication ap5.0

ap4.0 requires shared symmetric key
can we authenticate using public key techniques?
ap5.0 use nonce, public key cryptography

I am Alice
Bob computes
R
and knows only Alice could have the private key,
that encrypted R such that
send me your public key
24
ap5.0 security hole

Man (woman) in the middle attack Trudy poses as
Alice (to Bob) and as Bob (to Alice)

I am Alice
I am Alice
R
R
Send me your public key
Send me your public key
Trudy gets
sends m to Alice encrypted with Alices public key
25
ap5.0 security hole

Man (woman) in the middle attack Trudy poses as
Alice (to Bob) and as Bob (to Alice)

Difficult to detect
Bob receives everything that Alice sends, and
vice versa. (e.g., so Bob, Alice can meet one
week later and recall conversation)
problem is that Trudy receives all messages as
well!

26
Overview

What is network security?
Principles of cryptography
Authentication
Access control firewalls
Attacks and counter measures

27
Firewalls
isolates organizations internal net from larger
Internet, allowing some packets to pass, blocking
others.
firewall

28
Firewalls Why

prevent denial of service attacks
SYN flooding attacker establishes many bogus TCP
connections, no resources left for real
connections.
prevent illegal modification/access of internal
data.
e.g., attacker replaces CIAs homepage with
something else
allow only authorized access to inside network
(set of authenticated users/hosts)
two types of firewalls
application-level
packet-filtering

29
Packet Filtering
Should arriving packet be allowed in? Departing
packet let out?

internal network connected to Internet via router
firewall
router filters packet-by-packet, decision to
forward/drop packet based on
source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits

30
Packet Filtering

Example 1 block incoming and outgoing datagrams
with IP protocol field 17 and with either
source or dest port 23.
All incoming and outgoing UDP flows and telnet
connections are blocked.
Example 2 Block inbound TCP SYN packets.
Prevents external clients from making TCP
connections with internal clients, but allows
internal clients to connect to outside.

31
Application gateways
gateway-to-remote host telnet session
host-to-gateway telnet session

Filters packets on application data as well as on
IP/TCP/UDP fields.
Example allow select internal users to telnet
outside.

application gateway
router and filter
1. Require all telnet users to telnet through
gateway. 2. For authorized users, gateway sets up
telnet connection to dest host. Gateway relays
data between 2 connections 3. Router filter
blocks all telnet connections not originating
from gateway.
32
Limitations of firewalls and gateways

IP spoofing router cant know if data really
comes from claimed source
if multiple apps. need special treatment, each
has own app. gateway.
client software must know how to contact gateway.
e.g., must set IP address of proxy in Web browser

filters often use all or nothing policy for UDP.
tradeoff degree of communication with outside
world, level of security
many highly protected sites still suffer from
attacks.

33
Overview

What is network security?
Principles of cryptography
Authentication
Access control firewalls
Attacks and counter measures

34
Internet security threats

Mapping
before attacking case the joint find out
what services are implemented on network
Use ping to determine what hosts have addresses
on network
Port-scanning try to establish TCP connection to
each port in sequence
Countermeasures?

35
Internet security threats

Mapping countermeasures
record traffic entering network
look for suspicious activity (IP addresses, pots
being scanned sequentially)

36
Internet security threats

Packet sniffing
broadcast media
promiscuous NIC reads all packets passing by
can read all unencrypted data (e.g. passwords)
e.g. C sniffs Bs packets

C
A
B
Countermeasures?
37
Internet security threats

Packet sniffing countermeasures
all hosts in organization run software that
checks periodically if host interface in
promiscuous mode.
one host per segment of broadcast media (switched
Ethernet at hub)

C
A
B
38
Internet security threats

IP Spoofing
can generate raw IP packets directly from
application, putting any value into IP source
address field
receiver cant tell if source is spoofed
e.g. C pretends to be B

C
A
B
Countermeasures?
39
Internet security threats

IP Spoofing ingress filtering
routers should not forward outgoing packets with
invalid source addresses (e.g., datagram source
address not in routers network)
great, but ingress filtering can not be mandated
for all networks

C
A
B
40
Internet security threats

Denial of service (DOS)
flood of maliciously generated packets swamp
receiver
Distributed DOS (DDOS) multiple coordinated
sources swamp receiver
e.g., C and remote host SYN-attack A

C
A
B
Countermeasures?
41
Internet security threats

Denial of service (DOS) countermeasures
filter out flooded packets (e.g., SYN) before
reaching host throw out good with bad
traceback to source of floods (most likely an
innocent, compromised machine)

C
A
B
42
Review (1)

Network Layer
Virtual Circuits and Datagram Networks
Routing Principles
Link State Algorithm
Distance Vector Algorithm
The Internet (IP) Protocol
IPv4 addressing
Datagram format
IP fragmentation
ICMP Internet Control Message Protocol
IPv6
NAT Network Address Translation

43
Review (2)

Routing in the Internet
Hierarchical routing
RIP
OSPF
BGP
Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
TDMA/FDMA
Random Access Protocols
Taking Turns Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks, CDMA
IEEE 802.11 wireless LANs

44
Review (3)

What is network security?
Principles of cryptography
Symmetric Key
Public Key
Authentication
Protocol evolution
Access control firewalls
Attacks and counter measures
Packet sniffing
IP spoofing
DoS attacks

45
Routing Algorithm classification

Global or decentralized information?
Global
all routers have complete topology, link cost
info
link state algorithms
Decentralized
router knows physically-connected neighbors, link
costs to neighbors
iterative process of computation, exchange of
info with neighbors
distance vector algorithms

Static or dynamic?
Static
routes change slowly over time
Dynamic
routes change more quickly
periodic update
in response to link cost changes

46
Dijsktras Algorithm
1 Initialization 2 N' u 3 for all
nodes v 4 if v adjacent to u 5
then D(v) c(u,v) 6 else D(v) 8 7 8
Loop 9 find w not in N' such that D(w) is a
minimum 10 add w to N' 11 update D(v) for
all v adjacent to w and not in N' 12
D(v) min( D(v), D(w) c(w,v) ) 13 / new
cost to v is either old cost to v or known 14
shortest path cost to w plus cost from w to v /
15 until all nodes in N'
47
Dijkstras algorithm example
D(v),p(v) 2,u 2,u 2,u
D(x),p(x) 1,u
Step 0 1 2 3 4 5
D(w),p(w) 5,u 4,x 3,y 3,y
D(y),p(y) 8 2,x
N' u ux uxy uxyv uxyvw uxyvwz
D(z),p(z) 8 8 4,y 4,y 4,y
48
Distance vector algorithm (1)

Basic idea
Each node periodically sends its own distance
vector estimate to neighbors
When a node x receives new DV estimate from
neighbor, it updates its own DV using B-F
equation

Dx(y) ? minvc(x,v) Dv(y) for each node y ?
N

Under minor, natural conditions, the estimate
Dx(y) converge the actual least cost dx(y)

49
Distance Vector Algorithm (2)

Iterative, asynchronous each local iteration
caused by
local link cost change
DV update message from neighbor
Distributed
each node notifies neighbors only when its DV
changes
neighbors then notify their neighbors if
necessary
The algorithm doesnt know the entire path only
knows the next hop

Each node
50
Dx(z) minc(x,y) Dy(z), c(x,z)
Dz(z) min21 , 70 3
Dx(y) minc(x,y) Dy(y), c(x,z) Dz(y)
min20 , 71 2
node x table
cost to
cost to
x y z
x y z
x
0 2 3
x
0 2 3
y
from
2 0 1
y
from
2 0 1
z
7 1 0
z
3 1 0
node y table
cost to
cost to
cost to
x y z
x y z
x y z
x
8
8
x
0 2 7
x
0 2 3
8 2 0 1
y
y
from
y
2 0 1
from
from
2 0 1
z
z
8
8
8
z
7 1 0
3 1 0
node z table
cost to
cost to
cost to
x y z
x y z
x y z
x
0 2 3
x
0 2 7
x
8 8 8
y
y
2 0 1
from
from
y
2 0 1
from
8
8
8
z
z
z
3 1 0
3 1 0
7
1
0
time
51
The Internet Network layer

Host, router network layer functions

Transport layer TCP, UDP
Network layer
Link layer
physical layer
52
IP datagram format

how much overhead with TCP?
20 bytes of TCP
20 bytes of IP
40 bytes app layer overhead

53
IP Addressing introduction
223.1.1.1

IP address 32-bit identifier for host, router
interface
interface connection between host/router and
physical link
routers typically have multiple interfaces
host may have multiple interfaces
IP addresses associated with each interface

223.1.2.9
223.1.1.4
223.1.1.3
223.1.1.1 11011111 00000001 00000001 00000001
223
1
1
1
54
Subnets
223.1.1.1

IP address
subnet part (high order bits)
host part (low order bits)
Whats a subnet ?
device interfaces with same subnet part of IP
address
can physically reach each other without
intervening router

223.1.2.1
223.1.1.2
223.1.2.9
223.1.1.4
223.1.2.2
223.1.1.3
223.1.3.27
LAN
223.1.3.2
223.1.3.1
network consisting of 3 subnets
55
IP addressing CIDR

Before CIDR only 8-, 16-, and 24- bit masks were
available (A, B, and C class networks)
CIDR Classless InterDomain Routing
subnet portion of address of arbitrary length
address format a.b.c.d/x, where x is bits in
subnet portion of address

56
NAT Network Address Translation
rest of Internet
local network (e.g., home network) 10.0.0/24
10.0.0.1
10.0.0.4
10.0.0.2
138.76.29.7
10.0.0.3
Datagrams with source or destination in this
network have 10.0.0/24 address for source,
destination (as usual)
All datagrams leaving local network have same
single source NAT IP address 138.76.29.7, differe
nt source port numbers
57
NAT Network Address Translation
NAT translation table WAN side addr LAN
side addr
138.76.29.7, 5001 10.0.0.1, 3345

10.0.0.1
10.0.0.4
10.0.0.2
138.76.29.7
10.0.0.3
4 NAT router changes datagram dest addr
from 138.76.29.7, 5001 to 10.0.0.1, 3345
3 Reply arrives dest. address 138.76.29.7,
5001
58
Hierarchical Routing

Our routing study thus far - idealization
all routers identical
network flat
not true in practice

scale with 200 million destinations
cant store all dests in routing tables!
routing table exchange would swamp links!

administrative autonomy
internet network of networks
each network admin may want to control routing in
its own network

59
Hierarchical Routing

aggregate routers into regions, autonomous
systems (AS)
routers in same AS run same routing protocol
intra-AS routing protocol
routers in different AS can run different
intra-AS routing protocol

Gateway router
Direct link to router in another AS

60
Interconnected ASes

Forwarding table is configured by both intra- and
inter-AS routing algorithm
Intra-AS sets entries for internal dests
Inter-AS Intra-As sets entries for external
dests

61
Routing in the Internet

Routing in the Internet
Intra-AS routing RIP and OSPF
Inter-AS routing BGP

62
RIP ( Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX Distribution in 1982
Distance metric of hops (max 15 hops)
of hops of subnets traversed along the
shortest path from src. router to dst. subnet
(e.g., src. A)

63
RIP advertisements

Distance vectors exchanged among neighbors every
30 sec via Response Message (also called
advertisement)
Each advertisement list of up to 25 destination
nets within AS

64
OSPF (Open Shortest Path First)

open publicly available
Uses Link State algorithm
LS packet dissemination
Topology map at each node
Route computation using Dijkstras algorithm
Link costs configured by the network
administrator
OSPF advertisement carries one entry per neighbor
router
Advertisements disseminated to entire AS (via
flooding)
Carried in OSPF messages directly over IP (rather
than TCP or UDP

65
OSPF advanced features (not in RIP)

Security all OSPF messages authenticated (to
prevent malicious intrusion)
Multiple same-cost paths allowed (only one path
in RIP)
For each link, multiple cost metrics for
different TOS (e.g., satellite link cost set
low for best effort high for real time)
Integrated uni- and multicast support
Multicast OSPF (MOSPF) uses same topology data
base as OSPF
Hierarchical OSPF in large domains.

66
Hierarchical OSPF
67
Hierarchical OSPF

Two-level hierarchy local area, backbone.
Link-state advertisements only in area
each node has detailed area topology
Area border routers summarize distances to
nets in own area, advertise to other Area Border
routers.
Backbone routers run OSPF routing limited to
backbone.
Boundary routers connect to other ASs.

68
Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto
standard
BGP provides each AS a means to
Obtain subnet reachability information from
neighboring ASs.
Propagate the reachability information to all
routers internal to the AS.
Determine good routes to subnets based on
reachability information and policy.
Allows a subnet to advertise its existence to
rest of the Internet I am here

69
BGP basics

Pairs of routers (BGP peers) exchange routing
info over TCP conections BGP sessions
Note that BGP sessions do not correspond to
physical links.
When AS2 advertises a prefix to AS1, AS2 is
promising it will forward any datagrams destined
to that prefix towards the prefix.
AS2 can aggregate prefixes in its advertisement

70
Path attributes BGP routes

When advertising a prefix, advert includes BGP
attributes.
prefix attributes route
Two important attributes
AS-PATH contains the ASs through which the
advert for the prefix passed AS 67 AS 17
NEXT-HOP Indicates the specific internal-AS
router to next-hop AS. (There may be multiple
links from current AS to next-hop-AS.)
When gateway router receives route advert, uses
import policy to accept/decline.

71
Why different Intra- and Inter-AS routing ?

Policy
Inter-AS admin wants control over how its
traffic routed, who routes through its net.
Intra-AS single admin, so no policy decisions
needed
Scale
hierarchical routing saves table size, reduced
update traffic
Performance
Intra-AS can focus on performance
Inter-AS policy may dominate over performance

72
Data Link Layer

Some terminology
hosts and routers are nodes
communication channels that connect adjacent
nodes along communication path are links
wired links
wireless links
LANs
layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of
transferring datagram from one node to adjacent
node over a link
73
Link Layer Services

Framing, link access
encapsulate datagram into frame, adding header,
trailer
channel access if shared medium
MAC addresses used in frame headers to identify
source, dest
different from IP address!
Reliable delivery between adjacent nodes
we learned how to do this already (chapter 3)!
seldom used on low bit error link (fiber, some
twisted pair)
wireless links high error rates
Q why both link-level and end-end reliability?

74
MAC Protocols a taxonomy

Three broad classes
Channel Partitioning
divide channel into smaller pieces (time slots,
frequency, code)
allocate piece to node for exclusive use
Random Access
channel not divided, allow collisions
recover from collisions
Taking turns
Nodes take turns, but nodes with more to send can
take longer turns

75
Channel Partitioning MAC protocols TDMA

TDMA time division multiple access
access to channel in "rounds"
each station gets fixed length slot (length pkt
trans time) in each round
unused slots go idle
example 6-station LAN, 1,3,4 have pkt, slots
2,5,6 idle
TDM (Time Division Multiplexing) channel divided
into N time slots, one per user inefficient with
low duty cycle users and at light load.
FDM (Frequency Division Multiplexing) frequency
subdivided.

76
Slotted ALOHA

Pros
single active node can continuously transmit at
full rate of channel
highly decentralized only slots in nodes need to
be in sync
simple

Cons
collisions, wasting slots
idle slots
clock synchronization

77
Slotted Aloha efficiency

For max efficiency with N nodes, find p that
maximizes Np(1-p)N-1
For many nodes, take limit of Np(1-p)N-1 as N
goes to infinity, gives 1/e .37

Efficiency is the long-run fraction of
successful slots when there are many nodes, each
with many frames to send

Suppose N nodes with many frames to send, each
transmits in slot with probability p
prob that node 1 has success in a slot
p(1-p)N-1
prob that there is a success Np(1-p)N-1

At best channel used for useful transmissions
37 of time!
78
CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit
If channel sensed idle transmit entire frame
If channel sensed busy, defer transmission
Human analogy dont interrupt others!

79
CSMA collisions
spatial layout of nodes
collisions can still occur propagation delay
means two nodes may not hear each others
transmission
collision entire packet transmission time wasted
note role of distance propagation delay in
determining collision probability
80
CSMA/CD (Collision Detection)

CSMA/CD carrier sensing, deferral as in CSMA
collisions detected within short time
colliding transmissions aborted, reducing channel
wastage
collision detection
easy in wired LANs measure signal strengths,
compare transmitted, received signals
difficult in wireless LANs receiver shut off
while transmitting

81
CSMA/CD collision detection
82
Taking Turns MAC protocols

Token passing
control token passed from one node to next
sequentially.
token message
concerns
token overhead
latency
single point of failure (token)

Polling
master node invites slave nodes to transmit in
turn
concerns
polling overhead
latency
single point of failure (master)

83
ARP Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table
ARP Table IP/MAC address mappings for some LAN
nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address
mapping will be forgotten (typically 20 min)

237.196.7.78
1A-2F-BB-76-09-AD
237.196.7.23
237.196.7.14
LAN
71-65-F7-2B-08-53
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
237.196.7.88
84
ARP protocol Same LAN (network)

A wants to send datagram to B, and Bs MAC
address not in As ARP table.
A broadcasts ARP query packet, containing B's IP
address
Dest MAC address FF-FF-FF-FF-FF-FF
all machines on LAN receive ARP query
B receives ARP packet, replies to A with its
(B's) MAC address
frame sent to As MAC address (unicast)

A caches (saves) IP-to-MAC address pair in its
ARP table until information becomes old (times
out)
soft state information that times out (goes
away) unless refreshed
ARP is plug-and-play
nodes create their ARP tables without
intervention from net administrator

85
Routing to another LAN

walkthrough send datagram from A to B via R
assume A knows Bs IP
address
Two ARP tables in router R, one for each IP
network (LAN)
In routing table at source Host, find router
111.111.111.110
In ARP table at source, find MAC address
E6-E9-00-17-BB-4B, etc

A
R
B
86

A creates datagram with source A, destination B
A uses ARP to get Rs MAC address for
111.111.111.110
A creates link-layer frame with R's MAC address
as dest, frame contains A-to-B IP datagram
As adapter sends frame
Rs adapter receives frame
R removes IP datagram from Ethernet frame, sees
its destined to B
R uses ARP to get Bs MAC address
R creates frame containing A-to-B IP datagram
sends to B

A
R
B
87
Ethernet uses CSMA/CD

No slots
adapter doesnt transmit if it senses that some
other adapter is transmitting, that is, carrier
sense
transmitting adapter aborts when it senses that
another adapter is transmitting, that is,
collision detection

Before attempting a retransmission, adapter waits
a random time, that is, random access

88
Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer
creates frame
2. If adapter senses channel idle, it starts to
transmit frame. If it senses channel busy, waits
until channel idle and then transmits
3. If adapter transmits entire frame without
detecting another transmission, the adapter is
done with frame !

4. If adapter detects another transmission while
transmitting, aborts and sends jam signal (48
bits)
5. After aborting, adapter enters exponential
backoff after the mth collision, adapter chooses
a K at random from 0,1,2,,2m-1.
Adapter waits K?512 bit times and returns to
Step 2

89
Ethernets CSMA/CD (more)

Jam Signal make sure all other transmitters are
aware of collision 48 bits
Bit time .1 microsec for 10 Mbps Ethernet for
K1023, wait time is about 50 msec

Exponential Backoff
Goal adapt retransmission attempts to estimated
current load
heavy load random wait will be longer
first collision choose K from 0,1 delay is K?
512 bit transmission times
after second collision choose K from 0,1,2,3
after ten collisions, choose K from
0,1,2,3,4,,1023

90
CSMA/CD efficiency

Tprop max prop between 2 nodes in LAN
ttrans time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity
Much better than ALOHA, but still decentralized,
simple, and cheap

91
Hubs

Hubs are essentially physical-layer repeaters
bits coming from one link go out all other links
at the same rate
no frame buffering
no CSMA/CD at hub adapters detect collisions
provides net management functionality
can disconnect a malfunctioning adapter

92
Interconnecting with hubs

Pros
Enables interdepartmental communication
Extends max distance btw. nodes
If a hub malfunctions, the backbone hub can
disconnect it

Cons
Collision domains are transferred into one large,
common domain
Cannot interconnect 10BaseT and 100BaseT hubs

hub
hub
hub
hub
93
Switch

Link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards
frame based on MAC dest address
when frame is to be forwarded on segment, uses
CSMA/CD to access segment
transparent
hosts are unaware of presence of switches
plug-and-play, self-learning
switches do not need to be configured

94
Forwarding
1
3
2

How to determine onto which LAN segment to
forward frame?
Looks like a routing problem...

95
Self learning

A switch has a switch table
entry in switch table
(MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60
min)
switch learns which hosts can be reached through
which interfaces
when frame received, switch learns location of
sender incoming LAN segment
records sender/location pair in switch table

96
Switch traffic isolation

switch installation breaks subnet into LAN
segments
switch filters packets
same-LAN-segment frames not usually forwarded
onto other LAN segments
segments become separate collision domains

collision domain
collision domain
collision domain
97
Switches vs. Routers

both store-and-forward devices
routers network layer devices (examine network
layer headers)
switches are link layer devices
routers maintain routing tables, implement
routing algorithms
switches maintain switch tables, implement
filtering, learning algorithms

98
Summary comparison
99
Wireless network characteristics

Multiple wireless senders and receivers create
additional problems (beyond multiple access)

Hidden terminal problem
B, A hear each other
B, C hear each other
A, C can not hear each other
means A, C unaware of their interference at B

Signal fading
B, A hear each other
B, C hear each other
A, C can not hear each other interferring at B

100
IEEE 802.11 Wireless LAN

802.11b
2.4-5 GHz unlicensed radio spectrum
up to 11 Mbps
direct sequence spread spectrum (DSSS) in
physical layer
all hosts use same chipping code
widely deployed, using base stations

802.11a
5-6 GHz range
up to 54 Mbps
802.11g
2.4-5 GHz range
up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

101
802.11 LAN architecture

wireless host communicates with base station
base station access point (AP)
Basic Service Set (BSS) (aka cell) in
infrastructure mode contains
wireless hosts
access point (AP) base station
ad hoc mode hosts only

hub, switch or router
BSS 1
BSS 2
102
IEEE 802.11 MAC Protocol CSMA/CA

802.11 sender
1 if sense channel idle for DIFS then
transmit entire frame (no CD)
2 if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval,
repeat 2
802.11 receiver
- if frame received OK
return ACK after SIFS (ACK needed due to
hidden terminal problem)

sender
receiver
103
Collision Avoidance RTS-CTS exchange
A
B
AP
defer
time
104
802.11 frame addressing
Address 4 used only in ad hoc mode
Address 1 MAC address of wireless host or AP to
receive this frame
Address 3 MAC address of router interface to
which AP is attached
Address 2 MAC address of wireless host or AP
transmitting this frame
105
802.11 frame addressing
H1
R1
106
Network Security

What is network security?
Principles of cryptography
Symmetric Key
Public Key
Authentication
Protocol evolution
Access control firewalls
Attacks and counter measures
Packet sniffing
IP spoofing
DoS attacks

Write a Comment

User Comments (0)

About PowerShow.com

Announcement PowerPoint PPT Presentation