Chapter 4
Network Layer
encapsulates segments into datagrams
[Figure: protocol stacks (network, data link, physical) at the two end hosts and at each router on the path]
routing algorithms
[Figure: the routing algorithm fills the local forwarding table; the value in the arriving packet’s header (e.g. 0111) is looked up to pick the output link (1, 2 or 3)]
call setup, teardown for each call before data can flow
each packet carries VC identifier (not destination host address)
every router on source-dest path maintains “state” for each passing connection
link, router resources (bandwidth, buffers) may be allocated to VC (dedicated resources = predictable service)
[Figure: router with interfaces 1, 2, 3; VC numbers 12, 22, 32 on its links]
VC forwarding table (incoming interface, incoming VC#, outgoing interface, outgoing VC#):
1 12 3 22
2 63 1 18
3 7 2 17
1 97 3 87
… … … …
[Figure: VC signaling across the application, transport, network, data link and physical layers of the two end hosts: 1. Initiate call; 2. incoming call; 3. Accept call; 4. Call connected; 5. Data flow begins; 6. Receive data]
[Figure: datagram network, no call setup: 1. Send data; 2. Receive data]
Examples
Physical layer: bit-level reception
Data link layer: e.g., Ethernet (see chapter 5)
Decentralized switching:
given datagram dest., lookup output port using forwarding table in input port memory
goal: complete input port processing at ‘line speed’
queuing: if datagrams arrive faster than forwarding rate into switch fabric
Recipe
To determine the subnets, detach each interface from its host or router, creating islands of isolated networks. Each isolated network is called a subnet.
[Figure: subnets such as 223.1.3.0/24, 223.1.7.0 and 223.1.8.0, with interface addresses 223.1.1.3, 223.1.9.2, 223.1.9.1, 223.1.7.1, 223.1.8.1, 223.1.2.6, 223.1.3.27]
CIDR address 200.23.16.0/23: the first 23 bits are the subnet part, the remaining 9 bits the host part
11001000 00010111 0001000|0 00000000
Network Layer 4-44
IP addresses: how to get one?
[Figure: DHCP exchange between the arriving client and the DHCP server 223.1.2.5; time runs downward]
DHCP offer
src: 223.1.2.5, 67
dest: 255.255.255.255, 68
yiaddr: 223.1.2.4
transaction ID: 654
Lifetime: 3600 secs
DHCP request
src: 0.0.0.0, 68
dest: 255.255.255.255, 67
yiaddr: 223.1.2.4
transaction ID: 655
Lifetime: 3600 secs
DHCP ACK
src: 223.1.2.5, 67
dest: 255.255.255.255, 68
yiaddr: 223.1.2.4
transaction ID: 655
Lifetime: 3600 secs
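The offer/request/ACK messages above, built and parsed in their RFC 2131/2132 wire format, as an added example (not part of the slides). The addresses, transaction IDs and lease time are the figure's values; the client MAC address, the server-identifier option and the client-side acceptance check (honour a reply only when its transaction ID matches the outstanding request and, for an ACK, when it comes from the server the client chose) are additions made here.

```python
"""Build and parse the DHCP messages of the figure (RFC 2131 header, RFC 2132 options).

Added example, not from the slides. Addresses, transaction IDs and lease time are
the figure's; the MAC address and server-id option are constructed.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# option codes used below (RFC 2132)
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


def build_dhcp(op, xid, yiaddr, chaddr, options):
    """Serialize a DHCP message: 236-byte fixed header + magic cookie + TLV options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                     # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)             # chaddr, sname, file
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Extract the fields the figure shows: op, transaction ID, yiaddr, message type, lifetime."""
    op, _, _, _, xid = struct.unpack("!BBBBI", data[:8])
    yiaddr = IPv4Address(data[16:20])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "yiaddr": str(yiaddr),
        "msg_type": options[OPT_MSG_TYPE][0],
        "lease": struct.unpack("!I", options[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in options else None,
        "server_id": str(IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else None,
    }


def client_accepts(reply, expected_xid, chosen_server):
    """Client-side rule (added here): only a reply whose transaction ID matches the
    outstanding request is honoured, and an ACK must come from the chosen server."""
    if reply["op"] != BOOTREPLY or reply["xid"] != expected_xid:
        return False
    if reply["msg_type"] == ACK and reply["server_id"] != chosen_server:
        return False
    return True


def exchange():
    """Replay the figure's offer (xid 654), request (xid 655) and ACK (xid 655)."""
    mac = bytes.fromhex("aabbccddeeff")          # constructed client MAC address
    server = IPv4Address("223.1.2.5").packed
    lease = struct.pack("!I", 3600)
    offer = build_dhcp(BOOTREPLY, 654, "223.1.2.4", mac,
                       [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, server), (OPT_LEASE_TIME, lease)])
    # the figure labels the chosen address yiaddr; RFC 2131 also carries it in option 50
    request = build_dhcp(BOOTREQUEST, 655, "223.1.2.4", mac,
                         [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_REQUESTED_IP, IPv4Address("223.1.2.4").packed),
                          (OPT_SERVER_ID, server)])
    ack = build_dhcp(BOOTREPLY, 655, "223.1.2.4", mac,
                     [(OPT_MSG_TYPE, bytes([ACK])), (OPT_SERVER_ID, server), (OPT_LEASE_TIME, lease)])
    return parse_dhcp(offer), parse_dhcp(request), parse_dhcp(ack)
```

The transaction-ID and server-identifier checks are what keep a client from binding to a stray or late reply that happens to share the broadcast address; without them any host on the link that answers first wins.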
[Figure: Organization 0 200.23.16.0/23, Organization 1 200.23.18.0/23, Organization 2 200.23.20.0/23, … Organization 7 200.23.30.0/23 connect through Fly-By-Night-ISP, which tells the Internet “Send me anything with addresses beginning 200.23.16.0/20”; ISPs-R-Us tells the Internet “Send me anything with addresses beginning 199.31.0.0/16”]
[Figure: Organization 1 (200.23.18.0/23) has moved to ISPs-R-Us, which now announces “Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23”; Fly-By-Night-ISP still announces “Send me anything with addresses beginning 200.23.16.0/20”]
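Longest-prefix-match forwarding over the two announcements above, as an added example (not part of the slides). The prefixes and ISP names are the figures'; the addresses looked up are constructed. It also checks that the eight /23 organization prefixes really are covered by the /20 aggregate, and shows the subnet/host split of the /23 address given earlier.

```python
"""Longest-prefix matching over the aggregated ISP prefixes in the figures.

Added example, not from the slides. Prefix-to-ISP entries are the figures' values;
the addresses looked up below are constructed.
"""
from ipaddress import ip_address, ip_network


def build_table(entries):
    """entries: iterable of (prefix, next hop). Sorted longest prefix first, so the
    first entry that contains the address is the most specific match."""
    nets = [(ip_network(p), hop) for p, hop in entries]
    return sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(table, addr):
    """Return the next hop for addr, or None when no prefix matches (no default route here)."""
    a = ip_address(addr)
    for net, hop in table:
        if a in net:
            return hop
    return None


def aggregates(super_prefix, prefixes):
    """True when every prefix lies inside super_prefix, i.e. one announcement covers them all."""
    sup = ip_network(super_prefix)
    return all(ip_network(p).subnet_of(sup) for p in prefixes)


def split_address(prefix):
    """Subnet part and host part of a CIDR address as bit strings (e.g. 200.23.16.0/23)."""
    net = ip_network(prefix)
    bits = format(int(net.network_address), "032b")
    return bits[:net.prefixlen], bits[net.prefixlen:]


# After Organization 1 moved: Fly-By-Night-ISP still announces 200.23.16.0/20,
# ISPs-R-Us announces 199.31.0.0/16 and the more specific 200.23.18.0/23.
TABLE = build_table([
    ("200.23.16.0/20", "Fly-By-Night-ISP"),
    ("199.31.0.0/16", "ISPs-R-Us"),
    ("200.23.18.0/23", "ISPs-R-Us"),
])

ORGANIZATION_PREFIXES = ["200.23.16.0/23", "200.23.18.0/23", "200.23.20.0/23", "200.23.30.0/23"]
```

Traffic for 200.23.18.x goes to ISPs-R-Us even though it also matches Fly-By-Night-ISP's /20, because the /23 is longer; everything else in 200.23.16.0/20 still goes to Fly-By-Night-ISP.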
[Figure: NAT traversal via a relay. NATted host 10.0.0.1 sits behind NAT router 138.76.29.7 (private side addresses 10.0.0.2, 10.0.0.3, 10.0.0.4); 1. connection to relay initiated by NATted host; 2. connection to relay initiated by client; 3. relaying established]
[Figure: tunneling. Logical view: A, B, E, F are IPv6 routers. Physical view: A, B (IPv6), C, D (IPv4), E, F (IPv6). A-to-B and E-to-F carry IPv6 data; on B-to-C the IPv6 datagram travels inside IPv4]
Chapter 4: Network Layer
4.1 Introduction
4.2 Virtual circuit and
4.5 Routing algorithms
Link state
[Figure: the graph; link costs c(u,v)=2, c(u,x)=1, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]
Graph: G = (N,E)
N = set of routers = { u, v, w, x, y, z }
E = set of links = { (u,v), (u,x), (v,x), (v,w), (x,w), (x,y), (w,y), (w,z), (y,z) }
Dijkstra’s algorithm: example (2)
Resulting shortest-path tree from u:
[Figure: shortest-path tree from u over the routers u, v, w, x, y, z]
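Dijkstra's link-state algorithm run on the graph above, as an added example (not part of the slides). The link costs are the ones drawn in the figure; the code computes the least-cost distances from u, the shortest-path tree edges, and the forwarding table (next hop per destination) that u derives from the tree.

```python
"""Dijkstra's algorithm on the slide's graph G = (N, E).

Added example, not from the slides. Link costs are those in the figure.
"""
import heapq

LINKS = {("u", "v"): 2, ("u", "x"): 1, ("v", "x"): 2, ("v", "w"): 3, ("x", "w"): 3,
         ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links):
    """Undirected adjacency: node -> {neighbour: cost}."""
    adj = {}
    for (a, b), c in links.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(links, source):
    """Return (D, p): least cost D[v] from source and predecessor p[v] on that path."""
    adj = adjacency(links)
    D = {n: float("inf") for n in adj}
    p = {n: None for n in adj}
    D[source] = 0
    done = set()                      # N' in the slides: nodes whose cost is final
    heap = [(0, source)]
    while heap:
        d, n = heapq.heappop(heap)
        if n in done:                 # stale heap entry
            continue
        done.add(n)
        for m, c in adj[n].items():   # relax every link out of the newly finalised node
            if m not in done and d + c < D[m]:
                D[m] = d + c
                p[m] = n
                heapq.heappush(heap, (D[m], m))
    return D, p


def tree_edges(links, source):
    """Edges (predecessor, node) of the shortest-path tree rooted at source."""
    _, p = dijkstra(links, source)
    return sorted((p[n], n) for n in p if p[n] is not None)


def forwarding_table(links, source):
    """Next hop and cost from source for each destination: walk predecessors back to source."""
    D, p = dijkstra(links, source)
    table = {}
    for dest in D:
        if dest == source or D[dest] == float("inf"):
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = (hop, D[dest])
    return table
```

From u the tree is u-v, u-x, x-y, y-w, y-z with D(v)=2, D(x)=1, D(y)=2, D(w)=3, D(z)=4, so every destination except v is reached through x.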
[Figure: oscillations possible when link cost equals amount of carried traffic: nodes A, B, C, D, with loads 0, 1, e, 1+e, 2+e; shown initially, then after each recompute of routing, repeated]
Then
d_x(y) = min_v { c(x,v) + d_v(y) }
[Figure: three-node network with c(x,y)=2, c(y,z)=1, c(x,z)=7]
Initial node tables (rows: from; columns: cost to x, y, z):
node x table
x 0 2 7
y ∞ ∞ ∞
z ∞ ∞ ∞
node y table
x ∞ ∞ ∞
y 2 0 1
z ∞ ∞ ∞
node z table
x ∞ ∞ ∞
y ∞ ∞ ∞
z 7 1 0
D_x(y) = min{c(x,y) + D_y(y), c(x,z) + D_z(y)} = min{2+0, 7+1} = 2
D_x(z) = min{c(x,y) + D_y(z), c(x,z) + D_z(z)} = min{2+1, 7+0} = 3
Node tables as time advances (rows: from; columns: cost to x, y, z; each column group is one step):
node x table
t=0:        t=1:        t=2:
x 0 2 7     x 0 2 3     x 0 2 3
y ∞ ∞ ∞     y 2 0 1     y 2 0 1
z ∞ ∞ ∞     z 7 1 0     z 3 1 0
node y table
t=0:        t=1:        t=2:
x ∞ ∞ ∞     x 0 2 7     x 0 2 3
y 2 0 1     y 2 0 1     y 2 0 1
z ∞ ∞ ∞     z 7 1 0     z 3 1 0
node z table
t=0:        t=1:        t=2:
x ∞ ∞ ∞     x 0 2 7     x 0 2 3
y ∞ ∞ ∞     y 2 0 1     y 2 0 1
z 7 1 0     z 3 1 0     z 3 1 0
[Figure: the three-node network with c(x,y)=2, c(y,z)=1, c(x,z)=7; time runs left to right]
Distance Vector: link cost changes
Link cost changes:
node detects local link cost change
updates routing info, recalculates distance vector
if DV changes, notify neighbors
[Figure: three nodes x, y, z; the y-x link cost changes from 4 to 1, c(y,z)=1, c(x,z)=50]
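A synchronous distance-vector simulation serving both the node-table sequence above and the link-cost-change slide, as an added example (not part of the slides). The two three-node topologies (costs 2, 1, 7; and 4, 1, 50) are the figures'; the "bad news" case, where the y-x cost rises from 4 to 60, is constructed here to show the count-to-infinity behaviour and how poisoned reverse (named in the RIP slides below) shortens it.

```python
"""Synchronous distance-vector (Bellman-Ford) simulation with optional poisoned reverse.

Added example, not from the slides. The topologies with costs (2, 1, 7) and
(4, 1, 50) are the figures'; the rise of c(x,y) to 60 is constructed here.
"""
from math import inf


def neighbors(links, node):
    """Direct neighbours of node with their link costs; links is {(a, b): cost}."""
    return {(b if a == node else a): c for (a, b), c in links.items() if node in (a, b)}


def initial_state(links, nodes):
    """Each node starts knowing only its own links: D_x(y) = c(x,y), or infinity."""
    state = {}
    for n in nodes:
        nb = neighbors(links, n)
        dist = {d: 0 if d == n else nb.get(d, inf) for d in nodes}
        nxt = {d: (n if d == n else d if d in nb else None) for d in nodes}
        state[n] = {"dist": dist, "next": nxt}
    return state


def run_dv(links, nodes, state=None, poison_reverse=False, max_rounds=200):
    """Iterate rounds until no distance vector changes; return (state, rounds used)."""
    state = initial_state(links, nodes) if state is None else state
    for rounds in range(1, max_rounds + 1):
        adverts = {}                         # (sender, receiver) -> vector sent
        for n in nodes:
            for m in neighbors(links, n):
                vec = dict(state[n]["dist"])
                if poison_reverse:           # if n reaches d through m, tell m that d is unreachable
                    for d, hop in state[n]["next"].items():
                        if hop == m and d != m:
                            vec[d] = inf
                adverts[(n, m)] = vec
        new_state, changed = {}, False
        for n in nodes:
            dist, nxt = {}, {}
            for d in nodes:
                if d == n:
                    dist[d], nxt[d] = 0, n
                    continue
                best, hop = inf, None        # D_n(d) = min over neighbours m of c(n,m) + D_m(d)
                for m, c in neighbors(links, n).items():
                    if c + adverts[(m, n)][d] < best:
                        best, hop = c + adverts[(m, n)][d], m
                dist[d], nxt[d] = best, hop
            changed |= dist != state[n]["dist"]
            new_state[n] = {"dist": dist, "next": nxt}
        state = new_state
        if not changed:
            return state, rounds
    return state, max_rounds


NODES = ["x", "y", "z"]
LINKS_FIG = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}        # node-table figure
LINKS_CHANGE = {("x", "y"): 4, ("y", "z"): 1, ("x", "z"): 50}    # link-cost-change figure


def good_news():
    """c(x,y) drops 4 -> 1 after convergence: the change propagates in a few rounds."""
    state, _ = run_dv(LINKS_CHANGE, NODES)
    return run_dv({**LINKS_CHANGE, ("x", "y"): 1}, NODES, state=state)


def bad_news(poison_reverse):
    """Constructed: c(x,y) rises 4 -> 60. Without poisoned reverse y and z count up one
    hop per round toward the 50-cost direct path; with it they settle almost at once."""
    state, _ = run_dv(LINKS_CHANGE, NODES, poison_reverse=poison_reverse)
    return run_dv({**LINKS_CHANGE, ("x", "y"): 60}, NODES, state=state, poison_reverse=poison_reverse)
```

Running the (2, 1, 7) topology reproduces the tables above: x ends with (0, 2, 3) via y, z with (3, 1, 0). In the bad-news case both variants end with y reaching x at cost 51 through z, but the unpoisoned run needs dozens of rounds to get there.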
[Figure: three autonomous systems, AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c)]
forwarding table configured by both intra- and inter-AS routing algorithm
intra-AS sets entries for internal dests
inter-AS & intra-AS sets entries for external dests
[Figure: the Intra-AS Routing algorithm and the Inter-AS Routing algorithm both write the Forwarding table]
Inter-AS tasks
suppose router in AS1 receives datagram destined outside of AS1: router should forward packet to gateway router, but which one?
AS1 must:
1. learn which dests are reachable through AS2, which through AS3
2. propagate this reachability info to all routers in AS1
Job of inter-AS routing!
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); 1c connects to 3a and 1b to 2a]
Example: Setting forwarding table in router 1d
[Figure: subnet x attached to AS3 (3a, 3b, 3c); AS1 routers 1a, 1b, 1c, 1d; AS2 routers 2a, 2b, 2c]
Example: Choosing among multiple ASes
now suppose AS1 learns from inter-AS protocol that subnet x is reachable from AS3 and from AS2.
to configure forwarding table, router 1d must determine towards which gateway it should forward packets for dest x.
this is also job of inter-AS routing protocol!
[Figure: subnet x reachable via AS3 (3a, 3b, 3c) and via AS2 (2a, 2b, 2c); AS1 routers 1a, 1b, 1c, 1d]
[Figure: routers A, B, C, D and subnets u, v, w, x, y, z; distance table from router A:]
destination hops
u 1
v 2
w 2
x 3
y 3
z 2
Routing/Forwarding table in D (before the advertisement from A)
Destination Network   Next Router   Num. of hops to dest.
w                     A             2
y                     B             2
z                     B             7
x                     --            1
….                    ….            ....
Routing/Forwarding table in D (after the advertisement from A: z now via A at 5 hops)
Destination Network   Next Router   Num. of hops to dest.
w                     A             2
y                     B             2
z                     A             5
x                     --            1
….                    ….            ....
RIP: Link Failure and Recovery
If no advertisement heard after 180 sec --> neighbor/link declared dead
routes via neighbor invalidated
new advertisements sent to neighbors
neighbors in turn send out new advertisements (if tables changed)
link failure info quickly (?) propagates to entire net
poison reverse used to prevent ping-pong loops (infinite distance = 16 hops)
[Figure: RIP messages carried in transport (UDP) over network (IP) between two routers; the forwarding table sits in the IP layer of each; link and physical layers below]
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between the ASes, iBGP sessions inside AS1]
Distributing reachability info
using eBGP session between 3a and 1c, AS3 sends prefix reachability info to AS1.
1c can then use iBGP to distribute new prefix info to all routers in AS1
1b can then re-advertise new reachability info to AS2 over 1b-to-2a eBGP session
when router learns of new prefix, it creates entry for prefix in its forwarding table.
[Figure: eBGP sessions 3a-to-1c and 1b-to-2a; iBGP sessions among 1a, 1b, 1c, 1d in AS1]
Path attributes & BGP routes
advertised prefix includes BGP attributes.
prefix + attributes = “route”
two important attributes:
AS-PATH: contains the ASes through which the prefix advertisement has passed: e.g., AS 67, AS 17
NEXT-HOP: indicates specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
when gateway router receives route advertisement, it uses import policy to accept/decline.
A advertises path AW to B
B advertises path BAW to X
Should B advertise path BAW to C?
No way! B gets no “revenue” for routing CBAW since neither W nor C are B’s customers
B wants to force C to route to W via A
B wants to route only to/from its customers!
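The export decision above, expressed as import/export policy code, as an added example (not part of the slides). The route representation (prefix, AS-PATH, NEXT-HOP) and the export rule (advertise only routes learned from a customer, or routes going to a customer) follow the slides; the AS-PATH loop check on import is standard BGP behaviour that the slides do not mention. W is taken as A's customer, X as B's customer, and A and C as B's peers; the prefix string and next-hop labels are constructed.

```python
"""Customer/provider export policy for the slide's A, B, C, W, X example.

Added example, not from the slides. Relationships: W is A's customer, X is B's
customer, A and C are B's peers (an assumption consistent with the slide). The
AS-PATH loop check is standard BGP, not something the slide states.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # ASes the advertisement has passed through, nearest first
    next_hop: str


class BGPSpeaker:
    """One AS's BGP view: relationships to neighbour ASes and a RIB with one route per prefix."""
    PREF = {"customer": 3, "peer": 2, "provider": 1}   # customer-learned routes preferred

    def __init__(self, asn, relationships):
        self.asn = asn
        self.rel = relationships        # neighbour AS -> "customer" | "peer" | "provider"
        self.rib = {}                   # prefix -> (route, neighbour it was learned from)

    def _rank(self, route, learned_from):
        return (self.PREF[self.rel[learned_from]], -len(route.as_path))

    def import_route(self, route, learned_from):
        """Import policy: drop AS-PATH loops; otherwise keep the best-ranked route per prefix."""
        if self.asn in route.as_path:   # the path already passed through us
            return False
        current = self.rib.get(route.prefix)
        if current is None or self._rank(route, learned_from) > self._rank(*current):
            self.rib[route.prefix] = (route, learned_from)
            return True
        return False

    def export_route(self, prefix, neighbor):
        """Export policy: advertise only where someone pays for the transit, i.e. the route
        came from a customer or is going to a customer. Returns the route to send, or None."""
        if prefix not in self.rib:
            return None
        route, learned_from = self.rib[prefix]
        if self.rel[learned_from] == "customer" or self.rel[neighbor] == "customer":
            return Route(route.prefix, (self.asn,) + route.as_path, f"{self.asn}-to-{neighbor}")
        return None


def propagate(sender, receiver, prefix):
    """One hop of advertisement: sender's export policy, then receiver's import policy."""
    route = sender.export_route(prefix, receiver.asn)
    if route is None:
        return None
    receiver.import_route(route, sender.asn)
    return route


def scenario():
    """A advertises AW to B; B advertises BAW to X but not to C; A rejects a looped path."""
    A = BGPSpeaker("A", {"W": "customer", "B": "peer"})
    B = BGPSpeaker("B", {"A": "peer", "C": "peer", "X": "customer"})
    C = BGPSpeaker("C", {"B": "peer"})
    X = BGPSpeaker("X", {"B": "provider"})
    prefix = "w-prefix (constructed)"
    A.import_route(Route(prefix, ("W",), "A-to-W"), "W")     # W originates its prefix to A
    to_b = propagate(A, B, prefix)
    to_x = propagate(B, X, prefix)
    to_c = propagate(B, C, prefix)
    looped = A.import_route(Route(prefix, ("B", "A", "W"), "loop"), "B")
    return to_b, to_x, to_c, looped
```

B's export policy is what stops CBAW from ever existing: since the route was learned from a peer and C is also a peer, B has no customer on either side of the transit and does not announce it.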
Why different Intra- and Inter-AS routing?
Policy:
Inter-AS: admin wants control over how its traffic is routed, who routes through its net.
Intra-AS: single admin, so no policy decisions needed
Scale:
hierarchical routing saves table size, reduced update traffic
Performance:
Intra-AS: can focus on performance
Inter-AS: policy may dominate over performance
[Figure: broadcast by source duplication (R1 creates and transmits a duplicate for each of R2, R3, R4) versus in-network duplication (routers copy the packet as needed)]
[Figure: (a) Broadcast initiated at A (b) Broadcast initiated at D, over routers A, B, C, D, E, F, G]
[Figure: (a) Stepwise construction of spanning tree (steps 1 to 5) (b) Constructed spanning tree]
Multicast Routing: Problem Statement
Goal: find a tree (or trees) connecting routers having local mcast group members
tree: not all paths between routers used
source-based: different tree from each sender to rcvrs
shared-tree: same tree used by all group members
[Figure: S: source; routers R1 to R7. LEGEND: router with attached group member; router with no attached group member; link used for forwarding, i indicates order link added by algorithm (links numbered 1 to 6)]
Reverse Path Forwarding
[Figure: S: source; same LEGEND]
Dense:
group members densely packed, in “close” proximity.
bandwidth more plentiful
Sparse:
# networks with group members small wrt # interconnected networks
group members “widely dispersed”
bandwidth not plentiful
Consequences of Sparse-Dense Dichotomy:
Dense:
group membership by routers assumed until routers explicitly prune
data-driven construction on mcast tree (e.g., RPF)
bandwidth and non-group-router processing profligate
Sparse:
no membership until routers explicitly join
receiver-driven construction of mcast tree (e.g., center-based)
bandwidth and non-group-router processing conservative
PIM- Dense Mode
150
Virtual Private Network (VPN)
[Figure: a laptop (salesperson in hotel) and a branch office reach headquarters over the public Internet; routers with IPv4 and IPsec at the branch office and headquarters; datagram on the wire: IP header, IPsec header, secure payload (secure w/ IPsec)]
IPsec services
Data integrity
Origin authentication
Replay attack prevention
Confidentiality
IPsec Transport Mode
[Figure: IPsec at both endpoints, transport mode]
IPsec – tunneling mode (1)
[Figure: IPsec endpoints, tunneling mode]
IPsec – tunneling mode (2)
[Figure: IPsec endpoints, tunneling mode]
Two protocols
Authentication Header (AH) protocol
provides source authentication & data integrity but not confidentiality
Encapsulation Security Protocol (ESP)
provides source authentication, data integrity, and confidentiality
more widely used than AH
Four combinations are possible!
Security associations (SAs)
Before sending data, a virtual connection is established from sending entity to receiving entity.
Called “security association (SA)”
SAs are simplex: for only one direction
Both sending and receiving entities maintain state information about the SA
Recall that TCP endpoints also maintain state information.
IP is connectionless; IPsec is connection-oriented!
How many SAs in VPN w/ headquarters, branch office, and n traveling salespersons?
Example SA from R1 to R2
[Figure: Headquarters (R1, 172.16.1/24, Internet-facing interface 200.168.1.100) and Branch Office (R2, 172.16.2/24, interface 193.68.2.23) connected over the Internet; SA from R1 to R2]
R1 stores for SA
32-bit identifier for SA: Security Parameter Index (SPI)
the origin interface of the SA (200.168.1.100)
destination interface of the SA (193.68.2.23)
type of encryption to be used (for example, 3DES with CBC)
encryption key
type of integrity check (for example, HMAC with MD5)
authentication key
Security Association Database (SAD)
Endpoint holds state of its SAs in a SAD, where it can locate them during processing.
IPsec datagram
Focus for now on tunnel mode with ESP
new IP header | ESP hdr | original IP hdr | Original IP datagram payload | ESP trl | ESP auth
encrypted: original IP hdr, Original IP datagram payload, ESP trl
authenticated: ESP hdr plus the encrypted part
“enchilada”: everything after the new IP header
What happens?
[Figure: Headquarters (R1, 172.16.1/24, 200.168.1.100) and Branch Office (R2, 172.16.2/24, 193.68.2.23); SA from R1 to R2; the tunnel-mode ESP datagram: new IP header | ESP hdr | original IP hdr | Original IP datagram payload | ESP trl | ESP auth, with the “enchilada” authenticated and the original datagram plus ESP trl encrypted]
Inside the enchilada:
new IP header | ESP hdr | original IP hdr | Original IP datagram payload | ESP trl | ESP auth (“enchilada” authenticated; original datagram and ESP trl encrypted)
Goal:
Prevent attacker from sniffing and replaying a packet
• Receipt of duplicate, authenticated IP packets may disrupt service
Method:
Destination checks for duplicates
But doesn’t keep track of ALL received packets; instead uses a window
Security Policy Database (SPD)
Summary: IPsec services
Suppose Trudy sits somewhere between R1 and R2. She doesn’t know the keys.
Will Trudy be able to see contents of original datagram? How about source, dest IP address, transport protocol, application port?
Flip bits without detection?
Masquerade as R1 using R1’s IP address?
Replay a datagram?
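Receiver-side ESP processing covering the replay-window slide and the bit-flip and replay questions just above, as an added example (not part of the slides). The SPI 12345, the endpoint addresses and HMAC-MD5 are the slides' example SA values; the keys, packet contents and the 64-packet window (the ESP default) are constructed here, and decryption is left out so that only the authenticated fields are handled. The order of checks follows RFC 4303: SA lookup by SPI, preliminary replay-window test, ICV verification, and only then the window update.

```python
"""Receive-side ESP: SAD lookup by SPI, ICV check, anti-replay sliding window.

Added example, not from the slides. SPI and addresses are the slides' example SA;
keys, packets and the 64-entry window are constructed. No decryption is done.
"""
import hashlib
import hmac
import struct

WINDOW = 64        # default ESP anti-replay window size


class SecurityAssociation:
    def __init__(self, spi, src, dst, auth_key, digest=hashlib.md5, window=WINDOW):
        self.spi, self.src, self.dst = spi, src, dst
        self.auth_key, self.digest = auth_key, digest      # slides' example: HMAC with MD5
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) already seen

    def icv(self, data):
        """Integrity check value: HMAC over ESP header + payload, truncated to 96 bits."""
        return hmac.new(self.auth_key, data, self.digest).digest()[:12]

    def replay_check(self, seq):
        """Window test only; leaves state untouched until the ICV has been verified."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True                       # to the right of the window: new
        diff = self.highest - seq
        if diff >= self.window:
            return False                      # to the left of the window: too old
        return not (self.bitmap >> diff) & 1  # inside: reject if already marked

    def replay_update(self, seq):
        """Mark seq as received, sliding the window when seq is a new maximum."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


SAD = {}   # (SPI, destination address) -> SecurityAssociation


def build_esp(sa, seq, payload):
    """Sender side (constructed): ESP header (SPI, sequence number) + payload + ICV."""
    hdr = struct.pack("!II", sa.spi, seq)
    return hdr + payload + sa.icv(hdr + payload)


def receive_esp(packet, dst):
    """Process one inbound ESP packet for destination dst; returns a verdict string."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SAD.get((spi, dst))
    if sa is None:
        return "drop: no SA for SPI %d" % spi
    body, icv = packet[:-12], packet[-12:]
    if not sa.replay_check(seq):
        return "drop: replay (seq %d)" % seq
    if not hmac.compare_digest(icv, sa.icv(body)):
        return "drop: ICV mismatch"          # a flipped bit anywhere in the enchilada
    sa.replay_update(seq)
    return "accept"


def scenario():
    """Walk the example SA through the cases: duplicate, out-of-order, tampered,
    unknown SPI, and packets left of / at the edge of the window. Returns verdicts."""
    SAD.clear()
    sa = SecurityAssociation(12345, "200.168.1.100", "193.68.2.23", b"constructed-hmac-key")
    SAD[(sa.spi, sa.dst)] = sa
    dst = sa.dst
    p1, p2, p3, p4 = (build_esp(sa, i, b"datagram %d" % i) for i in (1, 2, 3, 4))
    tampered = bytearray(p4)
    tampered[10] ^= 0x01                                  # flip one payload bit
    unknown = build_esp(SecurityAssociation(999, sa.src, dst, b"other-key"), 1, b"x")
    far = build_esp(sa, 100, b"far ahead")
    old = build_esp(sa, 36, b"left of window")           # 100 - 36 = 64: outside
    edge = build_esp(sa, 37, b"oldest in window")        # 100 - 37 = 63: inside
    return [receive_esp(p, dst)
            for p in (p1, p1, p3, p2, bytes(tampered), p4, unknown, far, old, edge, edge)]
```

A replayed or bit-flipped datagram is dropped before it can reach the inner IP stack, and the preliminary check before the ICV means a flood of stale sequence numbers does not cost an HMAC computation each; the tampered packet with a fresh sequence number is the case that does reach the ICV check and fails there.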
Internet Key Exchange
In previous examples, we manually established IPsec SAs in IPsec endpoints:
Example SA
SPI: 12345
Source IP: 200.168.1.100
Dest IP: 193.68.2.23
Protocol: ESP
Encryption algorithm: 3DES-cbc
HMAC algorithm: MD5
Encryption key: 0x7aeaca…
HMAC key: 0xc0291f…
Such manual keying is impractical for large VPN with, say, hundreds of sales people.
Instead use IPsec IKE (Internet Key Exchange)
IKE: PSK and PKI
Authentication (proof who you are) with either
pre-shared secret (PSK) or
PKI (public/private keys and certificates).
With PSK, both sides start with secret: then run IKE to authenticate each other and to generate IPsec SAs (one in each direction), including encryption and authentication keys
With PKI, both sides start with public/private key pair and certificate. run IKE to authenticate each other and obtain IPsec SAs (one in each direction).
Similar with handshake in SSL.
IKE Phases
IKE has two phases
Phase 1: Establish bi-directional IKE SA
• Note: IKE SA different from IPsec SA
• Also called ISAKMP security association
Phase 2: ISAKMP is used to securely negotiate the IPsec pair of SAs
Phase 1 has two modes: aggressive mode and main mode
Aggressive mode uses fewer messages
Main mode provides identity protection and is more flexible
IPSec
Chapter 4: summary
4.1 Introduction
4.2 Virtual circuit and
4.5 Routing algorithms
Link state