Copyright @ October 2007 by CS2105/OngGH


Module D:

The Data Link Layer and Local Area Networks

(Part II - Local Area Networks or LANs)

D.6 LAN and Ethernet Technologies
• Two main classes of LAN technologies (in the 80s and 90s): see Figure 5.15 (p.488/[A]).
  – Ethernet LANs (or 802.3 LANs)
  – Token-passing technologies: Token-ring LANs; FDDI networks (MANs and LANs)

• The IEEE and the data link layer:
  − IEEE initiated its development of LAN standards with an architectural model (defined in IEEE 802.1): see Figures 12.1 (p.363/[B]) and 13.2 (p.397/[B]), dividing the OSI data link layer into two sublayers:
    ♦ LLC (Logical Link Control) sublayer: encompasses several functions, including framing, flow control, and error control; can provide a reliable packet transfer service.
    ♦ MAC (Media Access Control) sublayer: provides the media access management protocols for accessing a shared medium; provides an unreliable datagram service.
  − Summary of IEEE Project 802 LAN Standards: see Figure 13.1 (p.396/[B]).

10-Mbps (standard) Ethernet/802.3 LANs:


  − a LAN protocol developed at the Xerox PARC (Palo Alto Research Center) in the 1970s and standardized jointly by DEC, Intel and Xerox (based on the ALOHA network developed at the University of Hawaii).
  − IEEE 802.3 + 1-persistent CSMA/CD (Ethernet CSMA/CD algorithm: see p.501−502/[A]).
  − general format of an IEEE 802.3 frame: see Figures 5.22 (p.497/[A]), 13.4 (p.398/[B]) and 13.5 (p.399/[B]).
    ♦ Preamble (8 bytes):
      Preamble field (7 identical octets, 10101010, for synchronization)
      Start Frame Delimiter field (1 byte: 10101011)
    ♦ Header (14 bytes):
      Destination address field (48-bit MAC address)
      Source address field (48-bit MAC address)
      Type/Length Count field (2 bytes)
    ♦ Payload (46 to 1,500 bytes):
      Data field
      Pad field (dummy data that pads the Data field up to its minimum length)
    ♦ Trailer (4 bytes):
      FCS field (a 32-bit CRC computed over the header and payload)
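The frame layout above, as an added worked example (this is not code from the CS2105 notes). It builds a frame with the preamble, SFD, 48-bit addresses, Type/Length field, zero-padded data field and CRC-32 FCS, then parses and checks it the way a receiving adapter would: bad FCS or a runt frame is discarded, and the third header field is read as a length when it is at most 1500 and as an EtherType when it is at least 0x0600. The addresses and payloads are constructed for the example.

```python
"""IEEE 802.3 / Ethernet II frame construction and checking (added example)."""
import struct
import zlib

PREAMBLE = bytes([0xAA] * 7)      # 7 octets of 10101010 for synchronization
SFD = bytes([0xAB])               # Start Frame Delimiter, 10101011
MIN_PAYLOAD = 46                  # pad shorter data fields up to this size
MAX_PAYLOAD = 1500


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must have 6 octets")
    return bytes(int(p, 16) for p in parts)


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fcs(data):
    """Ethernet FCS: the standard CRC-32 over destination .. payload(+pad)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_frame(dst, src, ethertype, payload, use_length=False):
    """Return preamble + SFD + header + padded data + FCS.

    With use_length=True the third field carries the payload length
    (IEEE 802.3 style); otherwise it carries the EtherType (Ethernet II
    style, e.g. 0x0800 for IP, 0x0806 for ARP).
    """
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    pad = b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    third = len(payload) if use_length else ethertype
    header = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", third)
    body = header + payload + pad
    return PREAMBLE + SFD + body + struct.pack("!I", fcs(body))


def parse_frame(wire):
    """Strip preamble/SFD, verify FCS, decode the header.

    Raises ValueError for anything an adapter would discard: missing
    preamble, runt frame, FCS mismatch, or a reserved Type/Length value.
    For a length-typed frame the pad is trimmed from the data field.
    """
    if wire[:8] != PREAMBLE + SFD:
        raise ValueError("missing preamble/SFD")
    frame = wire[8:]
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, received = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if fcs(body) != received:
        raise ValueError("FCS mismatch: frame discarded")
    dst, src = body[:6], body[6:12]
    third = struct.unpack("!H", body[12:14])[0]
    data = body[14:]
    if third <= MAX_PAYLOAD:           # IEEE 802.3: a length
        return {"dst": mac_text(dst), "src": mac_text(src), "length": third, "data": data[:third]}
    if third >= 0x0600:                # Ethernet II: a type
        return {"dst": mac_text(dst), "src": mac_text(src), "type": third, "data": data}
    raise ValueError("invalid Type/Length value")


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"hello")
    print(parse_frame(f))
```

The single FCS check is the only integrity protection an Ethernet frame carries; it detects transmission errors, not deliberate modification, which is why the integrity mechanisms of Module E sit above the link layer.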

  − notations for IEEE 802.3 LANs:
    physical and data link layer information: see Figures 5.20 (p.496/[A]), 5.21 (p.497/[A]), 5.23 (p.499/[A]), 13.8, 13.9, 13.10 (p.403/[B]), 13.11 (p.404/[B]) and 13.12 (p.405/[B]), and Table 13.1 (p.405/[B]).
  − using baseband transmission and Manchester encoding.
  − network diameter (for 10Base5):
    ♦ the distance between the farthest two nodes.
    ♦ no more than 5 segments of up to 500 m each, and no more than 4 repeaters (in the collision domain).
• Fast Ethernet (100-Mbps), Gigabit Ethernet, and Ten-Gigabit Ethernet LANs: see Figures 5.25 (p.505/[A]), 13.3 (p.398/[B]), 13.19 & 13.20 (p.410/[B]), 13.22 (p.414/[B]), and 13.23 (p.415/[B]).
  − Various IEEE 802.3 specifications for the different variants of baseband Ethernet and their respective media.

D.7 ARP (Address Resolution Protocol)
• Address binding:
  − Given an IP address of a host, find its physical or hardware address; called Address Resolution (using ARP or Address Resolution Protocol).
  − Given a physical or hardware address of a host, find its IP address; called Reverse Address Resolution (using RARP or Reverse Address Resolution Protocol).

• ARP: see Figures 5.17 (p.492/[A]), 5.19 (p.494/[A]), 21.1 (p.613/[B]), 21.2 (p.614/[B]), 21.3 (p.615/[B]), and 21.4 (p.616/[B]).
  − operations (on the same physical network):
    ♦ ARP Request (broadcast to every station: which physical address belongs to this IP address?)
    ♦ ARP Reply (sent unicast back to the requester, carrying the physical address)
  − ARP encapsulation and identification:
    e.g. On an Ethernet, the Type field in Ethernet frames carrying ARP messages must contain 0x0806.
  − ARP/RARP protocol format (28 bytes, used between IP and Ethernet): hardware type, protocol type, hardware and protocol address lengths, operation code, then the sender's and the target's hardware and protocol addresses.
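The ARP request/reply exchange, its 28-byte message format, the 0x0806 Type check and the cache table of D.7 (State, destination physical address, destination IP address, TTL), as an added example that is not code from the notes. One design decision here goes beyond what the notes state: the cache installs a binding from a reply only if the corresponding entry is pending or expired, so a reply nobody asked for is ignored. All addresses, TTL values and clock readings are constructed.

```python
"""ARP over Ethernet (D.7): message format, request/reply, cache table (added example)."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806           # Type field value identifying ARP
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(text):
    return bytes(int(p, 16) for p in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def pack_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """The 28-byte ARP/RARP message used between IP and Ethernet."""
    fixed = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    return (fixed + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def unpack_arp(msg):
    if len(msg) < 28:
        raise ValueError("ARP message shorter than 28 bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", msg[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    return {"op": op,
            "sender_mac": mac_text(msg[8:14]), "sender_ip": str(ipaddress.IPv4Address(msg[14:18])),
            "target_mac": mac_text(msg[18:24]), "target_ip": str(ipaddress.IPv4Address(msg[24:28]))}


def ethernet_encapsulate(dst_mac, src_mac, arp_msg):
    """Ethernet header (FCS omitted here) with Type = 0x0806."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp_msg


def ethernet_decapsulate(frame):
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"Type 0x{etype:04x} does not identify ARP")
    return frame[14:]


class ArpCache:
    """ip -> (state, physical address, expiry); states: pending, resolved, expired."""

    def __init__(self, ttl_seconds=20 * 60):
        self.ttl = ttl_seconds
        self.table = {}

    def lookup(self, ip, now):
        """Physical address for ip if a live resolved entry exists, else None."""
        state, mac, expiry = self.table.get(ip, ("none", None, 0))
        if state == "resolved" and now >= expiry:
            self.table[ip] = ("expired", mac, expiry)     # TTL ran out: must re-resolve
            return None
        return mac if state == "resolved" else None

    def resolve(self, my_mac, my_ip, target_ip, now):
        """Create a pending entry and return the broadcast ARP Request frame."""
        self.table[target_ip] = ("pending", None, now + self.ttl)
        req = pack_arp(OP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)
        return ethernet_encapsulate(BROADCAST, my_mac, req)

    def accept_reply(self, frame, now):
        """Install the binding from an ARP Reply, but only for an IP we asked about."""
        arp = unpack_arp(ethernet_decapsulate(frame))
        if arp["op"] != OP_REPLY:
            return False
        state = self.table.get(arp["sender_ip"], ("none",))[0]
        if state not in ("pending", "expired"):
            return False            # unsolicited reply: ignored by this cache policy
        self.table[arp["sender_ip"]] = ("resolved", arp["sender_mac"], now + self.ttl)
        return True


def answer_request(frame, my_mac, my_ip):
    """Target host side: unicast ARP Reply if the Request names my IP, else None."""
    arp = unpack_arp(ethernet_decapsulate(frame))
    if arp["op"] != OP_REQUEST or arp["target_ip"] != my_ip:
        return None
    reply = pack_arp(OP_REPLY, my_mac, my_ip, arp["sender_mac"], arp["sender_ip"])
    return ethernet_encapsulate(arp["sender_mac"], my_mac, reply)
```

ARP messages carry no authentication, so the policy a cache applies to replies (here: accept only what was requested, and only until the TTL expires) is the only check a host has on the binding it installs.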

  − ARP cache table: see Figure 5.18 (p.493/[A]).
    ♦ makes IP-to-physical address bindings efficient (a host does not broadcast a request for every datagram).
    ♦ an array of entries, each entry containing at least:
      State (e.g., pending, resolved, expired)
      Destination physical address
      Destination IP address
      TTL (the entry is re-resolved or discarded when it expires)
• Proxy ARP (or Promiscuous ARP, or ARP Hack): see Figure 21.6 (p.617/[B]).
  − a router answers ARP requests intended for another host by supplying its own physical address, and accepts responsibility for forwarding the packets.
  − e.g. one network address shared between two physical networks.
  − used in network security, mobile networking, etc.

D.8 HDLC and PPP
• HDLC (High-level Data Link Control) protocol:
  − published by ISO (ISO 3309, ISO 4335) for point-to-point and multi-drop links.
  − frame structure:

• PPP (Point-to-Point Protocol):
  − a link-layer protocol operating over a point-to-point link, e.g., a serial dial-up (56K modem) telephone line, a SONET/SDH link, an X.25 connection, or an ISDN circuit.
  − using HDLC-like framing: see Figure 5.30 (p.516/[A]).
  − using byte stuffing to support data transparency: see Figure 5.31 (p.517/[A]).
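The byte stuffing used by PPP's HDLC-like framing, as an added example (not code from the notes). The flag byte 0x7E delimits frames; any payload byte equal to the flag or to the control escape 0x7D is sent as 0x7D followed by the byte XOR 0x20, and by default control characters below 0x20 are escaped the same way. The receiver side shows the two edge cases a parser must handle: the abort sequence 0x7D 0x7E drops the frame in progress, and an escape with nothing after it is a truncated frame and is not decoded. Sample payloads are constructed.

```python
"""PPP byte stuffing: HDLC-like framing with a flag and control escape (added example)."""
FLAG = 0x7E       # frame delimiter
ESC = 0x7D        # control escape
XOR = 0x20        # escaped byte is transmitted as (byte ^ XOR)


def needs_escape(b, escape_controls=True):
    """Flag and escape bytes always; control characters < 0x20 by default."""
    return b in (FLAG, ESC) or (escape_controls and b < 0x20)


def stuff(payload, escape_controls=True):
    """Frame one payload: FLAG + escaped bytes + FLAG."""
    out = bytearray([FLAG])
    for b in payload:
        if needs_escape(b, escape_controls):
            out += bytes([ESC, b ^ XOR])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def unstuff(wire):
    """Recover the complete frames in a received byte stream.

    0x7D 0x7E is the abort sequence: the frame being assembled is dropped.
    A trailing 0x7D with no following byte is a truncated frame and is
    dropped as well.  Bytes after the last flag are an incomplete frame
    and are not returned.
    """
    frames, cur, in_frame, escaping = [], bytearray(), False, False
    for b in wire:
        if escaping:
            escaping = False
            if b == FLAG:                       # abort: discard and restart
                cur, in_frame = bytearray(), True
                continue
            cur.append(b ^ XOR)
            continue
        if b == FLAG:
            if in_frame and cur:
                frames.append(bytes(cur))
            cur, in_frame = bytearray(), True   # a flag both ends and begins a frame
        elif b == ESC:
            escaping = True
        elif in_frame:
            cur.append(b)
    return frames
```

Because the escape is applied symmetrically, a payload that happens to contain 0x7E can never be mistaken for a delimiter; conversely, a receiver that forgot the abort rule would happily decode attacker-chosen garbage as a frame.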

D.9 Interconnection Devices
• Five categories of connecting devices: see Figure 15.1 (p.445/[B]).
  − Passive hub: just a connector (part of the medium).
  − Repeater or Hub: see Figures 15.2 (p.446/[B]), 15.3 (p.447/[B]), and 15.4 (p.448/[B]).
    ♦ physical-layer device
    ♦ bits coming from one link go out all other links at the same rate
    ♦ no frame buffering
    ♦ no CSMA/CD at the hub (the adapters detect collisions)
    ♦ a regenerator (not an amplifier) connecting segments of a LAN
• Bridge and Layer-2 Switch: see Figures 5.24 (p.505/[A]), 5.26 (p.507/[A]), 5.27 (p.508/[A]), 5.28 (p.509/[A]), 15.5 (p.448/[B]), and 15.6 (p.450/[B]).
  − link-layer device interconnecting LAN segments
  − providing frame forwarding and filtering (based on the MAC-level addresses)
  − discarding corrupt frames (based on the CRC)
  − plug-and-play and self-learning
  − transparent (hosts are unaware of the presence of layer-2 devices)
  − e.g., bridged Ethernet, switched Ethernet (increasing the bandwidth and separating the collision domains on an Ethernet LAN): see Figures 13.15 & 13.16 (p.407/[B]), and 13.17 (p.408/[B]).
• Comparison of the typical features of popular interconnection devices: see Figure 5.29 (p.512/[A]) and Table 5.1 (p.513/[A]).
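The self-learning bridge/switch behaviour listed above, as an added example (not code from the notes): the switch learns the arrival port of each source address, forwards a frame for a known destination out of that one port (filtering, so the two segments no longer share a collision domain), floods unknown and broadcast destinations to every other port, never sends a frame back out of its arrival port, discards frames whose CRC does not check, and ages entries out so a station that moves is relearned. The port numbers, addresses, aging time and frame sequence are constructed.

```python
"""Self-learning layer-2 switch with CRC check and aging (added example)."""
import struct
import zlib

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes(int(p, 16) for p in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def make_frame(dst, src, payload=b""):
    """dst, src, length, payload and a CRC-32 FCS (no preamble, as seen on a switch port)."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


class LearningSwitch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging = aging_seconds
        self.table = {}            # mac text -> (port, last_seen)

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]

    def receive(self, in_port, frame, now):
        """Return the output ports: a list, [] when filtered, or None when the frame is discarded."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if len(frame) < 18 or zlib.crc32(frame[:-4]) & 0xFFFFFFFF != struct.unpack("!I", frame[-4:])[0]:
            return None                          # corrupt frame: not propagated
        dst, src = mac_text(frame[:6]), mac_text(frame[6:12])
        self._age_out(now)
        self.table[src] = (in_port, now)         # learn (or relearn) where src lives
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]     # flood
        out_port = self.table[dst][0]
        return [] if out_port == in_port else [out_port]     # filter or forward
```

The table is keyed on whatever source address arrives, with no verification, which is exactly the plug-and-play transparency the notes describe; aging is what keeps a stale entry from blackholing a station that has moved ports.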

Module E:

Security in Data Communications and Networking

E.1 Network Security Services
• Recall: applying SS (spread spectrum) and CDMA at the Physical & Link layers.
• Security services: see Figure 31.1 (p.961/[B]); providing confidentiality, integrity, authentication, and nonrepudiation of messages; and entity authentication.
• Techniques used:
  – for messages and entities:
    Cryptography (or Encryption/Decryption algorithms)
    MD (Message Digest) techniques
    MAC (Message Authentication Code) techniques
    DS (Digital Signature) schemes
    Note that for entity authentication, password-based authentication and challenge-response authentication techniques are used (beyond the scope of CS2105).
  – for the Internet:
    Firewalls
    IPSec (IP Security protocols)
    SSL / TLS (Secure Sockets Layer / Transport Layer Security protocols)
    PGP (Pretty Good Privacy protocol)
    VPN (Virtual Private Network)

E.2 Cryptography
• Basis: see Figures 30.1 (p.931/[B]) and 8.2 (p.710/[A]).
  – the science and art of transforming messages to make them secure and immune to attacks.
  – using ciphers (to encrypt a plaintext at the sender and to decrypt a ciphertext at the receiver).
• Two Categories: see Figure 30.2 (p.932/[B]).
  – symmetric-key cryptography: see Figures 30.3 (p.933/[B]) and 30.5 (p.934/[B]).
    ♦ sharing a secret key, e.g. a session key.
    ♦ commonly used ciphers:
      Traditional ciphers (character-oriented)
      Simple modern ciphers (bit-oriented)
      Modern round ciphers (involving multiple rounds)


  – asymmetric-key cryptography: see Figures 30.4 (p.933/[B]) and 8.6 (p.718/[A]).
    ♦ using one private key and one public key.
    ♦ common algorithms: RSA (Rivest/Shamir/Adleman) algorithm; Diffie-Hellman algorithm.
• Examples to achieve message confidentiality or privacy: see Figures 31.2 (p.963/[B]) and 31.3 (p.964/[B]).

E.3 MD, MAC and DS
• MD: see Figures 31.4 (p.965/[B]) and 8.7 (p.724/[A]).
  – an electronic fingerprint generated from a message.
  – using a keyless hash function (e.g., SHA-1 or Secure Hash Algorithm 1) to generate a compressed image of the message (called a message digest or MDC – Modification Detection Code).
  – checking the integrity of the message: see Figure 31.5 (p.966/[B]). Because the function is keyless, a digest on its own detects accidental modification only: an attacker who alters the message can recompute the digest.
• MAC:
  – using a keyed hash function (e.g., HMAC – Hashed MAC algorithm based on SHA-1 with a symmetric key) to create a compressed digest from the message; only holders of the shared key can produce or check it, which gives message integrity and authentication.
• DS:
  – using an asymmetric-key system, but with the private and public keys of the sender.
  – two ways to achieve:
    (i) signing the document or message: easier but less efficient; see Figures 31.11 (p.973/[B]), 8.10 (p.728/[A]), 8.11 (p.729/[A]) and 8.12 (p.730/[A]).

    (ii) signing the digest: see Figures 31.12 (p.974/[B]), 8.13 (p.732/[A]) and 8.14 (p.733/[A]).
  – providing message integrity, authentication, and nonrepudiation.
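The three E.3 mechanisms side by side on one message, as an added example (not code from the notes): a keyless SHA-1 digest (MDC) that an active attacker can simply recompute after changing the message, an HMAC-SHA1 with a shared key that cannot be recomputed without the key, and "signing the digest" (method (ii) above) with the sender's private key, checked with the public key. The RSA used for the signature is textbook RSA with a tiny constructed key pair and no padding, included only to show the hash-then-sign structure; it is not a usable signature scheme, and the message and key are constructed.

```python
"""Message digest vs. MAC vs. digital signature over the digest (added example)."""
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    """MDC: keyless SHA-1 hash of the message."""
    return hashlib.sha1(message).digest()


def check_digest(message: bytes, received_digest: bytes) -> bool:
    return digest(message) == received_digest


def mac(key: bytes, message: bytes) -> bytes:
    """MAC: HMAC-SHA1 with a symmetric key shared by sender and receiver."""
    return hmac.new(key, message, hashlib.sha1).digest()


def check_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    # compare_digest avoids leaking how many bytes matched through timing
    return hmac.compare_digest(mac(key, message), received_mac)


def toy_rsa_keypair(p=1000003, q=999983, e=65537):
    """Constructed toy key pair ((e, n), (d, n)); p and q are far too small to be secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def sign_digest(private_key, message: bytes) -> int:
    """Method (ii): hash the message first, then apply the sender's private key to the digest."""
    d, n = private_key
    h = int.from_bytes(digest(message), "big") % n   # toy: reduce the digest to fit the modulus
    return pow(h, d, n)


def verify_signature(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key recomputes the digest and compares."""
    e, n = public_key
    h = int.from_bytes(digest(message), "big") % n
    return pow(signature, e, n) == h


def attacker_tampers(message: bytes):
    """An active attacker changes the amount and recomputes the key-less digest to match."""
    forged = message.replace(b"100", b"900")
    return forged, digest(forged)
```

The digest check passes on the forged message because nothing secret went into it; the MAC fails on the forgery and under a wrong key; the signature fails on the forgery, and because only the sender's private key could have produced it, the sender cannot later deny having signed the original.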

  – MAC: see also Figures 31.9 (p.970/[B]) and 8.9 (p.726/[A]).

E.4 Security at the IP Layer (IPSec)
• IP security: see Figure 32.2 (p.996/[B]).

  − a collection of protocols designed by the IETF to provide security for Internet packets at the network layer.
  − flexible and extensible (allowing the endpoints to choose algorithms and parameters, such as key size).
• Two security protocols:
  − IPSec AH (Authentication Header) protocol
  − IPSec ESP (Encapsulating Security Payload) protocol
• Two modes:
  − transport mode: see Figure 32.3a (p.997/[B]).
    ♦ protecting information delivered from the transport layer to the network layer (the payload of the IP packet, not the original IP header).
    ♦ normally used when host-to-host or end-to-end protection of data is needed: see Figure 32.4 (p.997/[B]).
  − tunnel mode: see Figure 32.3b (p.997/[B]).
    ♦ protecting the whole IP packet, which is then carried behind a new IP header.
    ♦ normally used between two routers, or between a host and a router: see Figure 32.5 (p.998/[B]).
• IPSec AH protocol:
  − providing message integrity and message/source authentication (no confidentiality).
  − using a separate AH (Authentication Header) to carry the authentication information; consisting of the following steps: see Figures 32.6 (p.999/[B]) and 8.30 (p.756/[A]).
    (1) Add the Authentication Header to the payload and set the Authentication Data field to zero.
    (2) Add padding to make the total length even for the particular hashing algorithm.
    (3) Perform hashing over the total packet, not including the mutable header fields (such as TTL and the header checksum, which routers change in transit).
    (4) Insert the Authentication Data (or digest) in the AH.
    (5) Add the IP Header and set the Protocol value to 51.
• IPSec ESP protocol:
  − providing message integrity, message/source authentication, and privacy.
  − consisting of the following steps: see Figures 32.7 (p.1000/[B]) and 8.31 (p.757/[A]).
    (1) Add the ESP Trailer to the payload.
    (2) Encrypt the payload and the ESP Trailer.
    (3) Add the ESP Header (between the IP and TCP Headers).
    (4) Create the authentication data using the ESP Header, the encrypted payload and the ESP Trailer.
    (5) Append ESP Auth to the ESP Trailer.
    (6) Add the IP Header and set the Protocol value to 50.
• Tunneled versions: AH and ESP (each applied in the tunnel mode described above, behind a new outer IP header).
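The five AH steps above carried out on a constructed IPv4 packet in transport mode, as an added example (not code from the notes). The integrity check value is HMAC-SHA1-96, a standard AH algorithm, computed over the whole packet with the mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) zeroed; the key, addresses, SPI and payload are constructed. The receiver recomputes the value with the received ICV zeroed, so a router decrementing the TTL on the way leaves the packet valid while a single changed payload byte does not.

```python
"""IPSec AH, transport mode, with HMAC-SHA1-96 (added example)."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_AH = 51
ICV_LEN = 12          # HMAC-SHA1-96: the 20-byte SHA-1 output truncated to 96 bits


def ipv4_checksum(hdr):
    words = struct.unpack("!10H", hdr[:20])
    s = sum(words) - words[5]             # skip the checksum field itself
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=1, flags_frag=0):
    """20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(packet):
    """Step 3: fields routers change in transit are zeroed before hashing."""
    p = bytearray(packet)
    p[1] = 0                         # TOS
    p[6:8] = b"\x00\x00"             # flags + fragment offset
    p[8] = 0                         # TTL
    p[10:12] = b"\x00\x00"           # header checksum
    return bytes(p)


def ah_protect(key, src, dst, next_header, payload, spi, seq, ttl=64):
    """Steps 1-5: return IP header + AH + payload with a valid ICV."""
    pad = (-(12 + ICV_LEN)) % 4                      # step 2: ICV field padded to 32 bits (0 here)
    ah_len = 12 + ICV_LEN + pad
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ah_zero = ah_fixed + b"\x00" * (ICV_LEN + pad)   # step 1: Authentication Data = 0
    total_len = 20 + ah_len + len(payload)
    # step 5 is done first here: Protocol = 51 is immutable and covered by the ICV
    ip = ipv4_header(src, dst, PROTO_AH, total_len, ttl=ttl)
    mac = hmac.new(key, zero_mutable_fields(ip + ah_zero + payload), hashlib.sha1).digest()  # step 3
    icv_field = mac[:ICV_LEN] + b"\x00" * pad
    return ip + ah_fixed + icv_field + payload       # step 4: insert the digest


def ah_verify(key, packet):
    """Receiver: recompute the ICV over the packet with its ICV zeroed; (ok, next_header, payload)."""
    if packet[9] != PROTO_AH:
        return False, None, None
    next_header, payload_len = packet[20], packet[21]
    ah_len = (payload_len + 2) * 4
    icv_off, icv_field_len = 32, ah_len - 12
    received = packet[icv_off:icv_off + icv_field_len]
    zeroed = packet[:icv_off] + b"\x00" * icv_field_len + packet[icv_off + icv_field_len:]
    mac = hmac.new(key, zero_mutable_fields(zeroed), hashlib.sha1).digest()
    expected = mac[:ICV_LEN] + b"\x00" * (icv_field_len - ICV_LEN)
    return hmac.compare_digest(received, expected), next_header, packet[20 + ah_len:]


def forward_hop(packet):
    """What a router does: decrement TTL and recompute the header checksum (both mutable)."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:20])))
    return bytes(p)
```

Note the ordering detail: the notes list "set Protocol to 51" as the last step, but the Protocol field is immutable and is included in the hash, so the IP header must already carry 51 when the ICV is computed. Everything AH does not cover (TTL, checksum) is exactly what an attacker may change without detection, which is why those fields must never carry anything security-relevant.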

• IPSec security algorithms:

E.5 Firewalls
• Internet firewalls: see Figures 32.22 (p.1022/[B]) and 8.35 (p.764/[A]).
  − a router installed between the internal network of an organization and the global Internet for access control.
  − designed to forward some packets and filter others.
• Two popular commercial implementations:
  (i) Packet-filtering firewall: see Figure 32.23 (p.1022/[B]), Tables 8.4 (p.766/[A]) and 8.5 (p.767/[A]).
    − blocking or forwarding packets based on information in the network layer and transport layer headers (source and destination IP addresses, protocol, and source and destination port numbers).
    − filtering before packet routing.
    − e.g., in Figure 32.23 (p.1022/[B]):
      Interface 1: Incoming packets from network 131.34.0.0; destined for any internal TELNET server; and destined for internal host 194.78.20.8 are blocked.
      Interface 2: Outgoing packets destined for any HTTP server are blocked.
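The packet-filtering rules of the E.5 example as an executable rule table, added here and not code from the notes. It blocks, on interface 1, incoming packets from network 131.34.0.0, packets to any internal TELNET server (TCP port 23) and packets to host 194.78.20.8, and on interface 2 outgoing packets to any HTTP server (TCP port 80); the /16 mask for 131.34.0.0, first-match evaluation, the forward-by-default policy and the sample packets are assumptions of this example.

```python
"""Packet-filtering firewall: first-match rules over layer 3/4 header fields (added example)."""
from dataclasses import dataclass
import ipaddress

ANY = None


@dataclass(frozen=True)
class Packet:
    interface: int
    direction: str          # "in" or "out"
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    interface: int
    direction: str
    action: str             # "block" or "forward"
    src_net: str = ANY
    dst_net: str = ANY
    proto: str = ANY
    dport: int = ANY

    def matches(self, p: Packet) -> bool:
        """A field left at ANY matches everything; all set fields must match."""
        if (self.interface, self.direction) != (p.interface, p.direction):
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not ANY and self.dport != p.dport:
            return False
        return True


# The example table from the notes (mask and port numbers assumed, see lead-in).
RULES = [
    Rule(1, "in", "block", src_net="131.34.0.0/16"),
    Rule(1, "in", "block", proto="tcp", dport=23),          # any internal TELNET server
    Rule(1, "in", "block", dst_net="194.78.20.8/32"),
    Rule(2, "out", "block", proto="tcp", dport=80),         # any external HTTP server
]


def decide(packet: Packet, rules=RULES, default="forward") -> str:
    """First matching rule wins; a packet matching no rule gets the default action."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default
```

Two caveats a practitioner would add: the port numbers stand in for the services (a TELNET server listening on another port passes), and the filter sees only headers, which is the gap the proxy firewall below is meant to close. Setting `default="block"` turns the table into a default-deny policy, the usual starting point for least privilege.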

  (ii) Proxy firewall: see Figure 32.24 (p.1023/[B]).
    − also known as a proxy computer, or an application gateway.
    − providing protection at the application level (it can inspect the application-layer content, which a packet filter cannot).
    − custom-written application programs acting as both a client and a server, and serving as proxies to the actual applications.
• IDS (Intrusion Detection System):
  − monitoring all arriving packets and notifying the site administrator if a security violation is detected (e.g., detecting attacks such as port scanning, SYN flood, etc.).

E.6 Other Internet Security Technologies
• ssh (secure shell):
  − an application layer protocol (similar to TELNET) to support encryption of remote login (e.g., SSH Secure Shell Client on Windows).
• RADIUS (Remote Authentication Dial-In User Service):
  − a protocol used to provide centralized authentication, authorization, and accounting.
  − used by ISPs (for dial-up users, and VPN systems).
• PGP (Pretty Good Privacy):
  − a cryptographic system written by Phil Zimmermann in 1991 (version 2.6 was later distributed by MIT).
  − encrypting data before transmission.
• WEP (Wired Equivalent Privacy):
  − a Wi-Fi wireless LAN standard.
  − using the RC4 stream cipher with a 40-bit key to encrypt data and a 32-bit CRC to verify it.
  − replaced by WPA (Wi-Fi Protected Access): the 24-bit IV prepended to the key is too short to prevent keystream reuse, the CRC is linear and so gives no protection against deliberate bit flips, and weaknesses in RC4's key scheduling allow the key to be recovered from captured traffic.
• SSL (Secure Sockets Layer):
  − a security protocol designed by Netscape to provide security on the WWW, but not formally adopted by the IETF (a de facto standard); its successor TLS is an IETF standard (TLS 1.0, RFC 2246).
  − residing at the same layer as the socket API (Application Program Interface for internet communications).
  − consisting of a Handshake protocol (for negotiating the security parameters and authenticating the server to the browser) and a Data Exchange protocol (the Record protocol of the specifications, using the negotiated secret key to encrypt the data).