Yelena Yesha - PowerPoint PPT Presentation

1 / 58
About This Presentation
Title:

Yelena Yesha

Description:

Networking Technologies Yelena Yesha Olga Streltchenko WAP s by Anupam Joshi – PowerPoint PPT presentation

Number of Views:91
Avg rating:3.0/5.0
Slides: 59
Provided by: Author303
Learn more at: http://www.csee.umbc.edu
Category:

less

Transcript and Presenter's Notes

Title: Yelena Yesha


1

Networking Technologies
  • Yelena Yesha
  • Olga Streltchenko
  • WAP slides by Anupam Joshi

2
Presentation Overview
  • Internet Protocols
  • WAP
  • Caching and Proxies
  • DNS
  • Firewalls
  • Directory and Discovery Services

3
Internet Protocols
  • Originally developed to support simple wide-area
    applications (ftp, e-mail).
  • Scaled up very well to support more sophisticated
    distributed applications.
  • Standardization of TCP/IP.
  • Exceptions
  • WAP for wireless applications on portable
    devices
  • Special protocols to support MM streaming
    applications.

4
IP Addressing
  • Scheme for addressing and routing IP packets.
  • 1978-82 TCP/IP standardization provided for 232
    or approximately 4 billion hosts.
  • The Internet growth outstripped the predictions.
  • The address space allocation has been
    inefficient.
  • IP addressnetwork identifierhost identifier
  • Written as
  • Classes A, B, C, D and E.
  • D is reserved for multicast communication, E for
    future uses.

5
IP Addressing (contd)
1
Network ID, 7bits
Class A
Host ID, 24 bits
0
1
Network ID, 14 bits
Host ID, 16 bits
Class B
0
1
1
Network ID, 21 bits
Host ID, 8 bits
Class C
0
1
1
1
Multicast
Class D
Class E
0
1
1
1
1
unused
  • A 224 hosts on each subnet, national wide area
    networks
  • B more than 255 computers on a subnet, big
    companies.
  • C other network operators

6
IP Addressing Drawbacks and Solutions
  • Drawbacks
  • If a computer is connected to more than one
    network it needs more than one IP address.
  • Organizations cannot reliably predict their
    growth and tend to over-budget
  • Outcome exhaustion of class B addresses.
  • IP address is susceptible to IP spoofing, or
    counterfeiting of the source address in the IP
    header.
  • Denial-of-service attacks by placing the
    destination IP address in the target address
    field (remember Feb 2000?).
  • Solutions
  • Aggressive IPv6 with its 128-bit address fields
  • Use of mask fields and CIDR (classless
    inter-domain routing).

7
IP Protocol
  • Provides an unreliable or best-effort delivery
    service
  • Only checksum is the header checksum.
  • IP layer
  • Puts IP datagrams into network packets suitable
    for transmission in the underlying network
  • E.g., Ethernet.
  • When the datagram is longer than MTU of the
    underlying network, it is broken into smaller
    segments and reassembled at the destination.
  • Must insert physical network address of the
    message destination if necessary
  • Depends on the underlying network technology,
    i.e., Ethernet requires and Ethernet address for
    the host on the local Ethernet.

8
Network Topology Revisited
  • The Internet Backbone
  • Super-high-bandwidth link between smaller
    networks like intranets
  • consists of multiple networks operated by
    multiple companies, like UUnet, ATT, SprintLink,
    Quest, etc.
  • These networks come together at various peering
    points.
  • Autonomous system (AS) conceptual partition of
    the topological map of the internet.
  • Subdivide into areas
  • Example intranets of big organizations.

9
Routing protocols
  • RIP1 distance-vector algorithm.
  • Convergence problems.
  • RIP2 amendment of of RIP1 to accommodate CIDR
    and authentication of IP packets, improve
    multicast routing.
  • OSPF open-shortest-path-first.
  • Better convergence than the one exhibited by RIP.
  • Incremental adoption of better routing
    algorithms.
  • For routers to cooperate they need to run the
    same routing algorithm.
  • For this purpose topological areas have been
    defined the same protocol is used within an area.

10
Overcoming the Problem of the Internet Growth
  • Default router
  • To prevent routing table size explosion only
    partial information is kept.
  • Routers closer to backbones have more complete
    tables.
  • The default entry specifies a route to be used
    for all IP packets whose destination is not
    included in the routing table.
  • CIDR
  • Allocates a batch of contiguous class C IP
    address to a subnet requiring more than 255
    address
  • Allows to subdivide class B address space for
    allocation of multiple subnets
  • This is achieved by of a mask field by routing
    tables.
  • A bit pattern that selects a portion of IP
    address to be compared with the routing table
    entry.

11
IP version 6
  • A more permanent solution to the problem of the
    Internet growth.
  • Address space 2128
  • Factor in inefficiencies of address allocation
    and still get about 1000 IP addresses per m2.
  • Routing speed the complexity of the header is
    reduced.
  • Real-time and other special services the header
    includes the priority and flow control fields.
  • The use of these fields will depend on major
    improvements in the infrastructure (hardware) and
    suitable method of allocating and arbitrating
    resources.

12
IP version 6 (contd)
  • Future evolution next header field, which
    defines the type of an extension header that is
    included in the packet.
  • Multicast and anycast IPv6 supports anycast, or
    delivery to at least to one of the hosts among
    the relevant addresses.
  • Security IPv6 implements authentication and
    encrypted security payload extension header
    types.
  • Equivalent to providing a secure channel
  • Means that the payload is encrypted and/or
    digitally signed.

13
Mobility and IP
  • Dynamic Host Configuration Protocol (DHCP)
  • Designed to support the ability of a mobile
    device to maintain simple access to services
  • Assigns a temporary IP address to the device.
  • To provide permanent access by clients to a
    mobile computer it must maintain a permanent IP
    address.
  • Problem IP routing is subnet-based.
  • Subnets are at fixed locations.

14
MobileIP
  • A transparent solution based on tunnelling.
  • When a mobile computer is connected to the
    Internet elsewhere, two agents take
    responsibility for routing.
  • Home agent (HA)
  • holds up-to-date knowledge of the mobile hosts
    current location
  • The IP address at which it can be reached.
  • The mobile host informs HA upon leaving home
  • HA acts as a proxy to the clients communicating
    to the mobile host during this time.

15
MobileIP (contd)
  • Foreign agent (FA)
  • Allocates a temporary IP address to a mobile host
    upon its arrival to a new site
  • Contact HA and supplies it with the contact
    address for the mobile host (FAs address).
  • HA encapsulates original IP packets and sends
    them to FA.
  • FA unpacks the packets and delivers them to the
    mobile host.
  • HA sends the contact address for the mobile host
    o the original sender
  • If the sender is Mobile-enabled it communicates
    to the FA directly from now on
  • If not, the HA continues to act as a proxy for it.

16
TCP and UDP
  • Provide communication capabilities to the
    application programs.
  • IPv6 will support TCP/UDP as well as other
    connection protocols (remember the Internet
    Model).
  • Enable interprocess communication through the use
    of ports attached to applications.
  • Port number is included in the header.

17
UDP
  • Almost transport-level replica of IP.
  • Offers no guarantee of delivery.
  • The header is short, but includes an optional
    checksum for the payload
  • The packets that fail the check are dropped.

18
TCP
  • Provides reliable delivery of arbitrary long
    sequences of bytes via stream-based programming
    abstraction.
  • Connection-oriented
  • The sending and the receiving processes establish
    a communication channel
  • Use of ACK (acknowledgement) messages).

19
TCP Reliability Mechanisms
  • Sequencing a sequence number is attached to
    every TCP segment
  • Used for message re-assembly at the destination.
  • Flow control overflow prevention
  • The receiver send an ACK with the highest
    sequence number in its input stream (no segments
    before that one have been omitted) and a window
    size.
  • Window size specifies the amount of data the
    sender is permitted to send.
  • ACK are attached to the backward flow if there is
    any.
  • Burstiness of network traffic is smoothed through
    the use of local buffering an a configurable
    time-out on it.
  • Naggles algorithm.

20
TCP (contd)
  • Due to the unreliability of wireless networks
    these mechanisms are not efficient.
  • Solutions WAP and modified TCP.
  • Modified TCP for wireless networks.
  • Implement a TCP support component at the base
    station (gateway between wired and wireless
    networks).
  • The support component snoops on TCP packets to
    and from the wireless network
  • re-transmitting segments that are not promptly
    acknowledged.
  • Requesting re-transmission of inbound segments
    when gaps in sequence numbers are noticed.

21
WAP
  • Wireless Application Protocol
  • An open, global specification that empowers
    mobile users with wireless devices to easily
    access and interact with information and services
    instantly. -
    WAP Forum
  • The de facto worldwide standard for providing
    Internet communications and advanced telephony
    services on digital mobile phones, pagers,
    personal digital assistants and other wireless
    terminals.
  • - WAP Forum (www.wapforum.org)

22
Why is WAP needed?
  • Traditional internet protocols (HTML, HTTP, TCP,
    etc.) and their security mechanisms (TLS) are
    inefficient over mobile networks.
  • Handheld devices tend to have less powerful CPUs,
    less memory and more restrictions on power
    consumption than desktops, so require special
    considerations.
  • Handheld devices tend to use input devices other
    than keyboards (e.g. voice, keypad).

23
Bearer Limitations
  • Power consumption
  • increased bandwidth requires increased power.
  • Cellular network economics
  • Fixed bandwidth shared among many users, so
    efficient bandwidth use required.
  • Latency
  • wide range of network latencies common (lt 1
    second to 10s of seconds).
  • Bandwidth
  • Less bandwidth than found in wired environments.

24
WAP Forum www.wapforum.org
  • WAP Forum founded in December 1997 by Nokia,
    Ericsson, Motorola and Phone.com (formerly
    Unwired Planet)
  • Currently contains over 200 members
  • Carriers with more than 100 million subscribers
  • Infrastructure providers
  • Software developers, and others.
  • Represent over 95 of the global handset market.
  • WAP Protocol development
  • Current WAP Version 1.2

25
How does WAP work?
  • Uses client-server model.
  • Phone incorporates a microbrowser, while the
    intelligence is in the WAP gateways.
  • Services and applications reside on servers.
  • Similar to Java applications written for WAP,
    which then run on multiple bearers (e.g. GSM,
    SMS, USSD, etc.)

26
What works with WAP?
  • Designed for use with
  • All mobile phones
  • Any service, e.g. SMS (Short Message Service),
    CSD (Circuit Switched Data), USSD (Unstructured
    Supplementary Services Data), GPRS (General
    Packet Radio Service)
  • Any network, e.g. CDMA (Code Division Multiple
    Access), GSM (Global System for Mobiles), UMTS
    (Universal Mobile Telephone System)
  • Any input device, e.g. keyboard, stylus, touch
    screen, keypad.

27
WAP Protocol Model (Stack)
Wireless Application
Other Services and
Application Layer
Applications
Environment (WAE)
Wireless Session
Session Layer
Protocol (WSP)
Wireless Transaction
Transaction Layer
Protocol (WTP)
Wireless Transport
Security Layer
Layer Security (WTLS)
Transport Layer
Datagrams (UDP/IP)
Datagrams (WDP)
Wireless Bearers
Network Layer
SMS
USSD
CSD
IS-136
CDMA
CDPD
Etc
Source the WAP White Paper, October 1999.
28
WAP Architecture
WAP Gateway
Web Server
WAP Phone
Internet
Gateway
Web Server
Client
Encoded request
Request
Response
Encoded response
29
WDP Layer
  • Wireless Datagram Protocol.
  • Provides consistent service and common interface
    to upper layers of the protocol.
  • Supports SMS, USSD, CSD, CDPD, IS-136 packet
    data, and GPRS.

30
WTLS Layer
  • Wireless Transport Layer Security (TLS).
  • Implements options for authentication and
    encryption.
  • Optimized for mobile environment.
  • Based on Transport Layer Security (TLS), which
    was formerly Secure Sockets Layer (SSL).
  • Optimized for use over narrow-band communication
    channels.
  • Ensures data integrity, privacy, authentication
    and denial-of-service protection.

31
WTP Layer
  • Wireless Transaction Protocol
  • Runs on top of datagram service.
  • Works over both secure and non-secure wireless
    services.
  • Features
  • Three classes of transaction service
  • Class 0 for applications requiring an
    unreliable push service
  • Class 1 for applications requiring a reliable
    push service
  • Class 2 to provide the basic invoke/response
    transaction service
  • Optional user-to-user reliability.
  • Asynchronous transactions.
  • PDU (protocol data unit) concatenation and
    delayed acknowledgements to reduce number of
    messages sent.

32
WSP Layer
  • Wireless Session Protocol
  • Provides consistent interface for both
    connection-oriented and connectionless services.
  • Provides the following functionality
  • HTTP 1.1 compliance
  • Long-lived session state
  • Session suspend and resume
  • Facility for data push.

33
WAE
  • Wireless Application Environment
  • Interoperable environment for multiple wireless
    platforms.
  • Consists of
  • Wireless Markup Language (WML)
  • WMLScript
  • Wireless Telephony Application (WTA)
  • Content Formats.

34
WML
  • WAP Mark-up Language
  • WML is an XML application.
  • Also uses WMLScript, which is similar to
    JavaScript.
  • Optimized for use with handheld devices.
  • Minimal use of CPU and memory.

35
Benefits of WAP
  • Reduces amount of data to be transmitted (by
    translating HTTP headers from text into binary).
  • Allows sessions to be suspended and resumed.
  • Provides reliable datagram service without the
    unnecessary overhead of TCP.
  • TCP stack is not required on handheld device.
  • WAP protocol stack requires less packets for
    interaction than HTTP/TCP/IP.
  • Support for push functionality built into
    protocol.
  • WML developers can use standard web tools (e.g.
    CGI, Perl, ASP, etc.).

36
Drawbacks to WAP
  • Difficult to configure WAP phones for new WAP
    services.
  • Not yet widely supported.
  • Current services (e.g. SMS, USSD) not optimized
    for WAP.
  • Expected to be expensive.
  • WAP does not support cookies.
  • Premature encryption endpoint (gateway decrypts
    data, then forwards via https see
    www.gsmworld.com/technology/wap_06.html).

37
Caches and proxy servers
  • Cache a store of recently used data objects that
    is closer than the objects themselves.
  • When a new object is received it is placed in the
    cache possibly evicting another object.
  • When an object is requested, the cache is checked
    first for an up-to-date copy
  • If its not available, a fresh copy is fetched.
  • A cache can be collocated with each client or
    located on a proxy server.
  • Proxy server a machine/process performing tasks
    on behalf of its clients.
  • A web proxy server maintains a cache of web
    resources for its clients all the requests go
    though it.
  • The actual client is transparent for outside
    servers.

38
DNS
  • A name service design whose principal database is
    used across the Internet to perform name
    resolution for web resources.
  • A name is resolved when it is translated into
    data about the named resource or object in order
    to invoke an action upon it.

39
The Internet Naming Scheme
  • The Internet support a scheme for the use of
    symbolic names for hosts and networks.
  • The named entities are organized into a
    hierarchy.
  • The named entities are called domains and the
    symbolic names are called domain names.
  • Domains are organized into a hierarchy that
    intends to reflect organizational structure.
  • Naming is entirely independent from the network
    physical layout.
  • Domain names must be translated into IP
  • Responsibility of DNS.

40
DNS Operation
  • Implemented as a server process that can run on
    host computers anywhere on the Internet.
  • There are at least 2 DNS servers in each domain.
  • Servers in each domain hold a partial map of the
    domain name tree below their domain.
  • Requests for the translation of domain names
    outside their portion of the domain tree are
    handled by issuing requests to DNS servers in the
    relevant domains
  • Recursive procedure that follows from right to
    left resolving the name in segments.
  • The resulting translation is then cached at the
    server handling the original request.

41
DNS and caching
  • Caching is a key to a name service performance
  • Assists in maintaining availability and masking
    server crashes.
  • Caching is successful because naming data are
    changed relatively rarely.
  • The possibility exists of a name service
    returning out-of-date attributes during
    resolution.
  • DNS allows naming data to become inconsistent
  • Stale data might be provided for periods in order
    of days.

42
Internet and Network Security
  • Types of Attacks on Internet
  • Break-ins Unauthorized attempts to gain access
    to a secure system
  • Denial of service A legitimate user is denied
    access to a service (e.g. Flooding a WWW server
    with requests)
  • Bombs Large email messages or other large data
    intended to overwhelm and possibly weaken a
    system.
  • Eavesdropping - Listening in on an electronic
    conversation. Perhaps with intent to gather
    information for a future break-in.
  • Viruses.

43
Internet and Network Security (contd)
  • Who is perpetrating these attacks?
  • People with lots of free time
  • Former/disgruntled employees
  • Current/disgruntled employees
  • Current/former/disgruntled customers
  • Governments

44
How to Defend?
  • Some quick (although not foolproof) suggestions
  • Frequent password changes and the use of
    difficult-to-guess passwords.
  • Removal of abused services.
  • Filters that detect and delete large messages.
  • Cryptography.
  • Note that many attacks go undetected, even by
    professionals.

45
Example Scenario
  • A private company would like the following
  • Make some services available within the company
    such as Secure Shell (SSH) and FTP between the
    company's hosts.
  • Disallow outside users from gaining access to the
    company's internal hosts via Telnet, FTP, etc.
  • Allow users within the company to access other
    services on the Internet such as WWW and FTP.
  • Allow users from the Internet to visit the
    company's WWW home pages.
  • Allow the exchange of e-mail with others on the
    Internet.

46
But,
  • It is difficult to restrict traffic in only one
    direction
  • Recall that the TCP/IP protocol sends
    acknowledgements to make sure data arrives whole.
  • What we need is a more sophisticated gatekeeper
    that can distinguish what services to allow and
    which to block.
  • The general term for this is a Firewall.

47
Firewall
  • Monitors and controls all the traffic into and
    out of an intranet.
  • Firewall security policy
  • Service control determine which services are
    available for external access and reject all
    other requests
  • Levels of filtering IP, TCP.
  • Example reject HTTP request unless they are
    directed to the official website.
  • Behavioral control prevent behavior that
    infringes organization policies
  • Levels of filtering IP, TCP, application
  • Example filtering of spam e-mail.
  • User control discriminate between users
    privileges
  • Example management of dial-up provided for
    off-site users.

48
Filtering levels
  • IP packet filtering
  • Decisions made based on the destination and the
    source IP addresses, the service type field in
    the IP header, port numbers in TCP/UDP headers.
  • Example prohibition of external access to NFS
    servers.
  • Performed by a process within the operating
    system kernel of a router.
  • TCP Gateway
  • A TCP Gateway process checks TCP connection
    requests and segment transmission for
    correctness.
  • Example Denial-of-service attack prevention.

49
Filtering levels (contd)
  • Application-level gateway
  • An application-level gateway process acts as a
    proxy for an application process.
  • Example a Telnet proxy. All telnet requests are
    routed through the proxy process for approval.
  • A firewall is a combination of several processes
    working at different protocol levels running on
    more than one machine (for fault-tolerance).
  • Two overall (mutually exclusive) policies
  • Anything not explicitly denied is allowed.
  • Anything not explicitly allowed is denied.

50
Basic Internet Firewalls
  • A basic firewall is a router (a host with at
    least 2 network interfaces).
  • One interface is connected to the Internet - the
    Host side.
  • The other(s) is(are) connected to the company's
    internal network.
  • Performs IP packet filtering.

51
Advanced Internet Firewalls
  • When TCP and application-level gateway processes
    are required, they usually run on another
    computer Bastion.
  • A host located inside the intranet and protected
    by an IP router/filter, to which it is attached
    by a Stub LAN.
  • Stub LAN only has 1 or 2 hosts on it. Not
    connected to any other company LANs.
  • A bastion host is connected to both the stub LAN
    and to the company network

52
Advanced Internet Firewalls (contd)
  • Further protection can be insured by placing
    another router/filter between the bastion and the
    company intranet.
  • Note that for performance reasons company web/ftp
    severs are placed on the Stub LAN.

53
Virtual Private Networks
  • Suppose a company wants to connect the intranets
    of its 5 offices.
  • One option is to lease a private line.
  • Another is to connect through the internet.
  • But then everything is open.
  • The solution is to use encryption schemes to
    establish secure tunnels through the internet.
  • Such a set-up is called a virtual private network.

54
Directory and Discovery Services
  • Directory service A service that stores
    collections of bindings between names and
    attributes and that looks up entries that match
    attribute-based specifications.
  • Example MS Active Directory Service, UNIX X.500,
    etc.
  • Discovery service a directory service that
    registers the services in a spontaneous
    networking environment.
  • Provides an interface for automatically
    registering and de-registering services (fax
    machines, printers, etc.).
  • Provides a lookup interface for mobile devices
  • Example Jini

55
Jini
  • A system designed for spontaneous networking.
  • Java-based assumes that JVMs run on all of the
    computers, allowing them to communicate through
    RMI (remote method invocation, a flavor of
    interprocess communication in an object-oriented
    environment).
  • Provides facilities for service discovery,
    transactions and shared data spaces called
    JavaSpaces.

56
Jini Directory-Related Component
  • Lookup service, Jini services and Jini clients.
  • The lookup service implements what we have termed
    a discovery service
  • Jini uses discovery only for discovering the
    lookup service itself.
  • Allows Jini services to register the services
    they offer and Jini clients to request services
    that match their requirements.
  • A Jini service provides an object that provides
    the service as well as the attributes of the
    service.
  • May be registered with several lookup services
    that store the objects.
  • Example printing service.

57
Jini Directory-Related Component (contd)
  • Jini clients query lookup service to find Jini
    services that match their requirements.
  • If a match is found they download an object that
    provides the service from the lookup service.
  • Bootstrap connectivity how to find the lookup
    service upon entering a network.
  • Solutions
  • A priory knowledge of lookup services IP
    addresses.
  • Doesnt scale up.
  • Use a multicast IP address that is known to all
    instances of Jini software.

58
Jini Directory-Related Component (contd)
  • When a Jini client or service starts up it sends
    a request stamped with time-to-live value to a
    well-known multicast address.
  • Lookup services listen on a socket bound to this
    address and replies to a unicast address from
    which it received the request.
  • The client can then perform RMI to query the
    lookup service.
  • Lookup services sometimes broadcast datagrams
    announcing their existence to the same multicast
    address, and client and services listen on it.
Write a Comment
User Comments (0)
About PowerShow.com