Title: Last class
1. Last class
- Ethernet
- Hubs and switches
- Mobile and wireless networks, CDMA
- Today:
  - CDMA and IEEE 802.11 wireless LANs
  - Network security
2. 10BaseT and 100BaseT Ethernet
- Uses CSMA/CD
- 10/100 Mbps rate; the latter is called fast Ethernet
- T stands for twisted pair
- Nodes connect to a hub: star topology, 100 m max distance between node and hub
3. Interconnecting with hubs
- Pros:
  - Enables interdepartmental communication
  - Extends max distance between nodes
  - If a hub malfunctions, the backbone hub can disconnect it
- Cons:
  - Collision domains are merged into one large, common domain
  - Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: several hubs interconnected through a backbone hub]
4. Switch: traffic isolation
- Switch installation breaks the subnet into LAN segments
- Switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
- Segments become separate collision domains
[Figure: a switch with three LAN segments, each its own collision domain]
5. Wireless network characteristics
- Multiple wireless senders and receivers create additional problems (beyond multiple access)
- Hidden terminal problem:
  - B, A hear each other
  - B, C hear each other
  - A, C cannot hear each other, which means A, C are unaware of their interference at B
- Signal fading:
  - B, A hear each other
  - B, C hear each other
  - A, C cannot hear each other, interfering at B
6. Overview
- CDMA and IEEE 802.11 wireless LANs
- Network security
7. Code Division Multiple Access (CDMA)
- Used in several wireless broadcast channel standards (cellular, satellite, etc.)
- Unique code assigned to each user, i.e., code set partitioning
- All users share the same frequency, but each user has its own chipping sequence (i.e., code) to encode data
- Encoded signal = (original data) x (chipping sequence)
- Decoding: inner product of encoded signal and chipping sequence
- Allows multiple users to coexist and transmit simultaneously with minimal interference (if codes are orthogonal)
8. CDMA Encode/Decode
[Figure: CDMA encode/decode. Sender: data bits d_i and code chips c_m give channel output Z_{i,m} = d_i · c_m, shown for slot 0 and slot 1. Receiver: received input Z_{i,m} and the same code give the decoded slot 0 and slot 1 data bits.]
9. CDMA: two-sender interference
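The encode/decode rule of slide 8 and the two-sender superposition of slide 9, carried through in code. This is an added example, not part of the original slides; the two 8-chip codes are constructed sample codes chosen to be orthogonal, and CODE_BAD is a constructed non-orthogonal code included to show what the "if codes are orthogonal" condition protects against.

```python
# Added example: CDMA encoding, superposition of two senders on one channel,
# and decoding by inner product. Codes are constructed samples, not from the slides.

# Data bits are transmitted as +1 / -1; a chipping code is a list of +1 / -1 chips.
CODE_1 = [1, 1, 1, -1, 1, -1, -1, -1]   # constructed: orthogonal to CODE_2
CODE_2 = [1, -1, 1, 1, 1, -1, 1, 1]     # constructed: orthogonal to CODE_1
CODE_BAD = [1, 1, 1, -1, 1, -1, -1, 1]  # constructed: NOT orthogonal to CODE_1


def inner_product(a, b):
    """Sum of chip-wise products; zero means the two codes are orthogonal."""
    return sum(x * y for x, y in zip(a, b))


def cdma_encode(data_bits, code):
    """Slide 8: channel output Z_{i,m} = d_i * c_m for every slot i and chip m."""
    return [[d * c for c in code] for d in data_bits]


def channel_superpose(*transmissions):
    """Slide 9: the channel adds the senders' chip values, slot by slot."""
    n_slots, n_chips = len(transmissions[0]), len(transmissions[0][0])
    return [[sum(tx[i][m] for tx in transmissions) for m in range(n_chips)]
            for i in range(n_slots)]


def cdma_decode(received, code):
    """One value per slot: d_i = (1/M) * sum_m Z_{i,m} * c_m.
    Gives exactly +1.0 / -1.0 when every other sender's code is orthogonal;
    anything in between is interference leaking through."""
    m_chips = len(code)
    return [inner_product(slot, code) / m_chips for slot in received]


def demo():
    """Two senders with orthogonal codes: each receiver recovers its own bits."""
    bits_1 = [1, -1]   # constructed data for sender 1 (slot 0, slot 1)
    bits_2 = [1, 1]    # constructed data for sender 2
    channel = channel_superpose(cdma_encode(bits_1, CODE_1),
                                cdma_encode(bits_2, CODE_2))
    return cdma_decode(channel, CODE_1), cdma_decode(channel, CODE_2)


def demo_non_orthogonal():
    """Same experiment with a non-orthogonal second code: sender 1's decoded
    values are pulled away from +/-1 by the other sender."""
    channel = channel_superpose(cdma_encode([1, -1], CODE_1),
                                cdma_encode([-1, 1], CODE_BAD))
    return cdma_decode(channel, CODE_1)


if __name__ == "__main__":
    print("orthogonal:", inner_product(CODE_1, CODE_2), demo())
    print("non-orthogonal:", inner_product(CODE_1, CODE_BAD), demo_non_orthogonal())
```

With orthogonal codes the cross term in the inner product sums to zero, so the superposed channel decodes cleanly for both receivers; with CODE_BAD the cross term is 6/8 of a bit and the decoded values collapse toward zero.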
10. Overview
- CDMA and IEEE 802.11 wireless LANs
- Network security
11. IEEE 802.11 Wireless LAN
- 802.11b:
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code
  - widely deployed, using base stations
- 802.11a:
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g:
  - 2.4-5 GHz range
  - up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions
12. 802.11 LAN architecture
- Wireless host communicates with a base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- Ad hoc mode: hosts only
[Figure: two BSSs (BSS 1, BSS 2), each with an AP, connected to a hub, switch or router]
13. 802.11: Channels, association
- 802.11b: 2.4 GHz-2.485 GHz spectrum divided into 11 channels at different frequencies
  - AP admin chooses the frequency for the AP
  - interference possible: channel can be the same as that chosen by a neighboring AP!
- Host must associate with an AP
  - scans channels, listening for beacon frames containing the AP's name (SSID) and MAC address
  - selects an AP to associate with
  - may perform authentication (Chapter 8)
  - will typically run DHCP to get an IP address in the AP's subnet
14. IEEE 802.11: multiple access
- Avoid collisions: 2 nodes transmitting at the same time
- 802.11: CSMA, sense before transmitting
  - don't collide with an ongoing transmission by another node
- 802.11: no collision detection!
  - difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
  - can't sense all collisions in any case: hidden terminal, fading
  - goal: avoid collisions: CSMA/C(ollision)A(voidance)
15. IEEE 802.11 MAC Protocol: CSMA/CA
- 802.11 sender
  1. if sense channel idle for DIFS then
     - transmit entire frame (no CD)
  2. if sense channel busy then
     - start random backoff time
     - timer counts down while channel idle
     - transmit when timer expires
     - if no ACK, increase random backoff interval, repeat 2
- 802.11 receiver
  - if frame received OK
     - return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender/receiver timing diagram]
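The sender side of the CSMA/CA procedure above, written out as an added example (not code from the slides). The timing constants are assumed 802.11b DSSS values in microseconds, since the slides give no numbers; the backoff choice and the ACK outcomes are injected so that the run is deterministic, and the binary exponential growth of the contention window is an assumption about how "increase random backoff interval" is realised.

```python
# Added example: the slide-15 CSMA/CA sender with binary exponential backoff.
# Timing constants are assumed 802.11b DSSS values (microseconds / slots).
import random

SLOT_TIME = 20
SIFS = 10
DIFS = 50
CW_MIN = 31     # initial contention window, in slots
CW_MAX = 1023   # cap on the contention window


def contention_window(failures):
    """Window after `failures` unacknowledged attempts: doubles from CW_MIN
    (31 -> 63 -> 127 ...) and is capped at CW_MAX."""
    return min((CW_MIN + 1) * (2 ** failures) - 1, CW_MAX)


def random_backoff(cw):
    """Pick a backoff uniformly in [0, cw] slots (what a real sender does)."""
    return random.randint(0, cw)


def backoff_countdown(backoff_slots, idle_samples):
    """Step 2: the timer counts down only in slots where the channel is sensed
    idle and is frozen while it is busy. `idle_samples` is a per-slot list of
    booleans (True = idle). Returns the slot index at which the timer expires
    and transmission starts, or None if the samples run out first."""
    remaining = backoff_slots
    for index, idle in enumerate(idle_samples):
        if not idle:
            continue            # busy slot: timer frozen
        if remaining == 0:
            return index        # timer expired on an idle slot: transmit now
        remaining -= 1
    return None


def send_frame(channel_idle_for_difs, ack_outcomes, choose_backoff=random_backoff):
    """Run the sender procedure until an ACK arrives or attempts are exhausted.

    channel_idle_for_difs: True if the channel was idle for DIFS at the first
                           try (step 1: transmit immediately, no backoff).
    ack_outcomes:          constructed per-attempt list, True when the ACK the
                           receiver returns after SIFS actually arrived.
    choose_backoff:        function cw -> backoff slots in [0, cw].
    Returns (delivered, attempts); each attempt is (cw, backoff_slots), with
    cw None for a step-1 transmission that needed no backoff.
    """
    attempts = []
    failures = 0
    for acked in ack_outcomes:
        if failures == 0 and channel_idle_for_difs:
            attempts.append((None, 0))               # step 1
        else:
            cw = contention_window(failures)         # step 2, window grows per failure
            attempts.append((cw, choose_backoff(cw)))
        if acked:
            return True, attempts
        failures += 1                                # no ACK: enlarge window, repeat 2
    return False, attempts


if __name__ == "__main__":
    print(send_frame(True, [False, False, True], choose_backoff=lambda cw: cw // 2))
    print(backoff_countdown(2, [True, False, True, True]))
```

The countdown function is the part worth studying: a backoff of 2 slots over the sample pattern idle, busy, idle, idle does not expire until the fourth slot, because the busy slot does not count.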
16. Avoiding collisions (more)
- Idea: allow sender to "reserve" the channel rather than random access of data frames: avoid collisions of long data frames
  - sender first transmits small request-to-send (RTS) packets to the BS using CSMA
    - RTSs may still collide with each other (but they're short)
  - BS broadcasts clear-to-send (CTS) in response to RTS
  - RTS heard by all nodes
    - sender transmits data frame
    - other stations defer transmissions
- Avoid data frame collisions completely using small reservation packets!
17. Collision Avoidance: RTS-CTS exchange
[Figure: timing diagram with stations A and B and the AP; B defers while A's reservation is in progress; time runs downward]
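The RTS/CTS exchange of slides 16 and 17 as a message trace, added here as an example (not code from the slides). A and B are modelled as hidden terminals that each hear only the AP; frame transmit times, SIFS and the topology are constructed sample values, and the "duration field" that lets a station compute how long to defer is the 802.11 network allocation vector (NAV) mechanism, an assumption about how the deferral on slide 17 is realised.

```python
# Added example: RTS -> CTS -> DATA -> ACK between hidden terminals A, B and an AP.
# Frame times and SIFS are constructed sample values in microseconds.
SIFS = 10
FRAME_TIME = {"RTS": 20, "CTS": 20, "ACK": 20}   # constructed transmit times

# Constructed topology: A and B each hear only the AP; the AP hears both.
HEARS = {"A": {"AP"}, "B": {"AP"}, "AP": {"A", "B"}}


def rts_cts_exchange(sender, data_time):
    """Trace of one reservation as (start, source, frame, duration_field).
    Each duration field announces how long the channel stays reserved after
    the frame ends, so any station that hears any frame can defer correctly."""
    t = 0
    after_rts = SIFS + FRAME_TIME["CTS"] + SIFS + data_time + SIFS + FRAME_TIME["ACK"]
    trace = [(t, sender, "RTS", after_rts)]
    t += FRAME_TIME["RTS"] + SIFS
    after_cts = SIFS + data_time + SIFS + FRAME_TIME["ACK"]
    trace.append((t, "AP", "CTS", after_cts))       # AP broadcasts CTS
    t += FRAME_TIME["CTS"] + SIFS
    trace.append((t, sender, "DATA", SIFS + FRAME_TIME["ACK"]))
    t += data_time + SIFS
    trace.append((t, "AP", "ACK", 0))
    return trace


def frames_heard(station, trace):
    """Frames of the exchange that reach `station`. B never hears A's RTS or
    DATA: that is the hidden-terminal gap carrier sensing alone cannot close."""
    return [frame for _, source, frame, _ in trace if source in HEARS[station]]


def reserved_until(station, trace, data_time):
    """NAV of `station`: the latest reservation end learned from frames it can
    hear. B learns it from the AP's CTS and so defers for the whole exchange."""
    nav = 0
    for start, source, frame, duration_field in trace:
        if source not in HEARS[station]:
            continue
        tx_time = data_time if frame == "DATA" else FRAME_TIME[frame]
        nav = max(nav, start + tx_time + duration_field)
    return nav


def may_transmit(station, at_time, trace, data_time):
    """A station with a pending frame stays quiet until its NAV has expired."""
    return at_time >= reserved_until(station, trace, data_time)


if __name__ == "__main__":
    trace = rts_cts_exchange("A", data_time=100)
    for event in trace:
        print(event)
    print("B hears:", frames_heard("B", trace))
    print("B reserved until:", reserved_until("B", trace, 100))
```

Without the CTS, B would only ever hear the AP's ACK, long after A's data frame had started; with it, B's NAV ends exactly when the ACK finishes.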
18. 802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
19. 802.11 frame: addressing
[Figure: frame addressing example with wireless host H1 sending through an AP to router R1]
20. 802.11: mobility within same subnet
- H1 remains in the same IP subnet: IP address can remain the same
- Switch: which AP is associated with H1?
  - self-learning (Ch. 5): switch will see frame from H1 and remember which switch port can be used to reach H1
[Figure: H1 moving from BSS 1 (AP 1) to BSS 2 (AP 2), both APs connected to a hub or switch]
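The address handling of slides 18-19 and the self-learning switch of slides 4 and 20, combined into one runnable scenario. This is an added example, not code from the slides: the MAC addresses, port numbering and payloads are constructed, and the AP's re-encapsulation rule (Ethernet destination = address 3, source = address 2) is an assumption drawn from the address definitions on slide 18.

```python
# Added example: H1 behind AP 1 sends to router R1 through a self-learning
# switch, then moves to AP 2 and sends again; the switch relearns H1's port.
# All MAC addresses and port numbers are constructed sample values.
H1 = "00:00:00:00:00:01"
AP1 = "00:00:00:00:00:a1"
AP2 = "00:00:00:00:00:a2"
R1 = "00:00:00:00:00:f1"


def host_to_ap_frame(host, ap, router, payload):
    """Infrastructure-mode 802.11 frame from a wireless host toward the wired
    side: address 1 = receiver (the AP), address 2 = transmitter (the host),
    address 3 = router interface the AP is attached to (slide 18)."""
    return {"addr1": ap, "addr2": host, "addr3": router, "payload": payload}


def ap_to_ethernet(frame):
    """The AP re-encapsulates the 802.11 frame as an Ethernet frame:
    destination = address 3, source = address 2 (assumed rule)."""
    return {"dst": frame["addr3"], "src": frame["addr2"], "payload": frame["payload"]}


class LearningSwitch:
    """Self-learning switch (Ch. 5): records the port on which each source
    address was last seen, filters frames whose destination is on the
    incoming segment (slide 4), floods frames to unknown destinations."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port

    def receive(self, in_port, eth):
        self.table[eth["src"]] = in_port               # learn, or relearn after a move
        dst = eth["dst"]
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]     # same segment: filtered
        return [p for p in self.ports if p != in_port]  # unknown destination: flood


def mobility_scenario():
    """Ports: 1 = AP 1, 2 = AP 2, 3 = R1. Returns the switch's forwarding
    decisions in order and its final table."""
    sw = LearningSwitch([1, 2, 3])
    decisions = []
    # H1 associated with AP 1
    eth = ap_to_ethernet(host_to_ap_frame(H1, AP1, R1, "hello"))
    decisions.append(sw.receive(1, eth))                                        # R1 unknown: flood
    decisions.append(sw.receive(3, {"dst": H1, "src": R1, "payload": "reply"}))  # H1 learned on port 1
    # H1 moves to AP 2: same subnet, same IP address, same MAC address
    eth = ap_to_ethernet(host_to_ap_frame(H1, AP2, R1, "hello again"))
    decisions.append(sw.receive(2, eth))                                        # R1 known: port 3
    decisions.append(sw.receive(3, {"dst": H1, "src": R1, "payload": "reply"}))  # H1 now on port 2
    return decisions, dict(sw.table)


if __name__ == "__main__":
    print(mobility_scenario())
```

The fourth decision is the point of slide 20: nothing in the IP layer changed, yet the reply reaches H1 through port 2, purely because the switch saw H1's source address arrive on a new port.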
21. Network Security
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
22. What is network security?
- Confidentiality: only sender, intended receiver should "understand" message contents
  - sender encrypts message
  - receiver decrypts message
- Authentication: sender, receiver want to confirm identity of each other
- Message integrity: sender, receiver want to ensure message content not altered (in transit, or afterwards) without detection
- Access and availability: services must be accessible and available to users
23. Friends and enemies: Alice, Bob, Trudy
- well-known in network security world
- Bob, Alice (lovers!) want to communicate "securely"
- Trudy (intruder) may intercept, delete, add messages
[Figure: Alice's secure sender and Bob's secure receiver exchanging data and control messages over a channel, with Trudy on the channel]
24. Who might Bob, Alice be?
- well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples?
25. There are bad guys (and girls) out there!
- Q: What can a "bad guy" do?
- A: a lot!
  - eavesdrop: intercept messages
  - actively insert messages into connection
  - impersonation: can fake (spoof) source address in packet (or any field in packet)
  - hijacking: "take over" ongoing connection by removing sender or receiver, inserting himself in place
  - denial of service: prevent service from being used by others (e.g., by overloading resources)
- more on this later
26. Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
27. The language of cryptography
[Figure: plaintext -> encryption algorithm (Alice's encryption key) -> ciphertext -> decryption algorithm (Bob's decryption key) -> plaintext]
- symmetric key crypto: sender, receiver keys identical
- public-key crypto: encryption key public, decryption key secret (private)
28. Symmetric key cryptography
- substitution cipher: substituting one thing for another
  - monoalphabetic cipher: substitute one letter for another
  plaintext:  abcdefghijklmnopqrstuvwxyz
  ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
  plaintext:  bob. i love you. alice
  ciphertext: nkn. s gktc wky. mgsbc
- Q: How hard to break this simple cipher?
  - brute force (how hard?)
  - other?
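The slide-28 monoalphabetic cipher implemented with the slide's own key, together with the two answers the question at the bottom is fishing for: the size of the key space a brute-force search faces, and the letter-frequency count that explains why "other?" beats brute force. This is an added example, not code from the slides; the key and the test sentence are the ones on the slide, everything else is constructed.

```python
# Added example: the slide-28 substitution cipher, its inverse, the brute-force
# key space, and a letter-frequency count (the classic weakness of this cipher).
import math
from collections import Counter

PLAIN_ALPHABET = "abcdefghijklmnopqrstuvwxyz"
CIPHER_ALPHABET = "mnbvcxzasdfghjklpoiuytrewq"   # the key from the slide


def build_key(plain_alphabet=PLAIN_ALPHABET, cipher_alphabet=CIPHER_ALPHABET):
    """A monoalphabetic key is a permutation of the alphabet; reject anything
    else, since a non-permutation would not be decryptable."""
    if sorted(cipher_alphabet) != sorted(plain_alphabet):
        raise ValueError("key must be a permutation of the plaintext alphabet")
    return dict(zip(plain_alphabet, cipher_alphabet))


def substitute(text, mapping):
    """Apply a letter mapping; characters not in the mapping (spaces,
    punctuation) pass through unchanged, as in the slide's example."""
    return "".join(mapping.get(ch, ch) for ch in text)


def encrypt(plaintext, key=None):
    return substitute(plaintext, key or build_key())


def decrypt(ciphertext, key=None):
    key = key or build_key()
    inverse = {c: p for p, c in key.items()}
    return substitute(ciphertext, inverse)


def brute_force_keyspace():
    """Number of monoalphabetic keys: 26! (about 4 x 10^26)."""
    return math.factorial(26)


def letter_frequencies(text):
    """Ranked (letter, count) pairs. Substitution preserves letter frequencies,
    so with enough ciphertext the most common cipher letters line up with the
    most common plaintext letters of the language; that is the 'other?' answer."""
    counts = Counter(ch for ch in text if ch in PLAIN_ALPHABET)
    return counts.most_common()


if __name__ == "__main__":
    message = "bob. i love you. alice"
    ct = encrypt(message)
    print(ct)                          # nkn. s gktc wky. mgsbc
    print(decrypt(ct))                 # bob. i love you. alice
    print(brute_force_keyspace())
    print(letter_frequencies(ct)[:3])
```

On the slide's short sentence the most frequent cipher letter is k, which maps back to o; on realistic message lengths the same count exposes e, t and a, and the key falls without any brute-force search.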
29. Symmetric key cryptography
[Figure: plaintext message m -> encryption algorithm -> ciphertext K_{A-B}(m) -> decryption algorithm -> plaintext message m; both algorithms use the shared key K_{A-B}]
- symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: K_{A-B}
- e.g., key is knowing the substitution pattern in the monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on the key value?
30. Symmetric key crypto: DES
- DES: Data Encryption Standard
  - US encryption standard [NIST 1993]
  - 56-bit symmetric key, 64-bit plaintext input
- How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase ("Strong cryptography makes the world a safer place") decrypted (brute force) in 4 months
  - no known "backdoor" decryption approach
- making DES more secure:
  - use three keys sequentially (3-DES) on each datum
  - use cipher-block chaining
31. Symmetric key crypto: DES
- initial permutation
- 16 identical "rounds" of function application, each using a different 48 bits of the key
- final permutation
32. AES: Advanced Encryption Standard
- new (Nov. 2001) symmetric-key NIST standard, replacing DES
- processes data in 128 bit blocks
- 128, 192, or 256 bit keys
- brute force decryption (try each key) taking 1 sec on DES takes 149 trillion years for AES
33. Public Key Cryptography
- symmetric key crypto
  - requires sender, receiver know shared secret key
  - Q: how to agree on key in first place (particularly if never "met")?
- public key cryptography
  - radically different approach [Diffie-Hellman '76, RSA '78]
  - sender, receiver do not share secret key
  - public encryption key known to all
  - private decryption key known only to receiver
34. Public key cryptography
[Figure: plaintext message m -> encryption algorithm (Bob's public key K_B^+) -> ciphertext -> decryption algorithm (Bob's private key K_B^-) -> plaintext message m]
35. Public key encryption algorithms
Requirements:
1. need K_B^+( ) and K_B^-( ) such that
2. given public key K_B^+, it should be impossible to compute private key K_B^-
RSA: Rivest, Shamir, Adleman algorithm