Subject: Internetworking with TCP/IP - MC0087 Assignment Set - 2

Q1) Describe the following with respect to Quality of Service:
A) Differentiated Services
B) Integrated Services (Intserv) over Diffserv networks

A) Differentiated Services
The goal of DS development is to provide differentiated classes of service for Internet traffic to support various types of applications and meet specific business requirements. DS offers predictable performance (delay, throughput, packet loss, and so on) for a given load at a given time.

A central component of DS is the service level agreement (SLA). An SLA is a service contract between a client and a service provider that specifies the details of the traffic classifying and the corresponding forwarding service a client should receive. A client can be a user organization or another DS domain. The service provider must assure that the traffic of a client with whom it has an SLA gets the contracted QoS. Therefore, the service provider's network administration must set up the appropriate service policies and measure the network performance to guarantee the agreed traffic performance.

To distinguish the data packets from different clients in DS-capable network devices, the IP packets are modified in a specific field. A small bit-pattern, called the DS field, in each IP packet is used to mark the packets that receive a particular forwarding treatment at each network node. The DS field uses the space of the former TOS octet in the IPv4 header and the traffic class octet in the IPv6 header. All network traffic inside a domain receives a service that depends on the traffic class that is specified in the DS field. To provide SLA-conformant services, the following mechanisms must be combined in a network:
- Setting bits in the DS field (TOS octet) at network edges and administrative boundaries.
- Using those bits to determine how packets are treated by the routers inside the network.
- Conditioning the marked packets at network boundaries in accordance with the QoS requirements of each service.

The currently defined DS architecture only provides service differentiation in one direction and is therefore asymmetric. Development of a complementary symmetric architecture is a topic of current research. The following section describes the DS architecture in more detail.

B) Integrated Services (Intserv) over Diffserv networks
The basic idea is to use both architectures to provide an end-to-end, quantitative QoS, which will also allow scalability. This will be achieved by applying the Intserv model end-to-end across a network containing one or more Diffserv regions. Intserv views the Diffserv regions as virtual links connecting Intserv-capable routers or hosts running Intserv. Within the Diffserv regions, the routers are implemented with specific PHB definitions to provide aggregate traffic control. The total amount of traffic that is admitted into the Diffserv region may be limited by a determined policy at the edges of the Diffserv network. The Intserv traffic has to be adapted to the limits of the Diffserv region. There are two possible approaches for connecting Intserv networks with Diffserv networks:
- Resources within the Diffserv network or region include RSVP-aware devices that participate in RSVP signalling.
- Resources within the Diffserv region include no RSVP signalling.

Name: Sunil.E.P Roll No: 520843140 Page No: 1

The question arises of how the DSCP will be propagated to these routers. There are two choices:
- DSCPs can be marked at the entrance of the Diffserv region (at the boundary routers). In this case, the DSCP value has been made known to all routers in the Diffserv network. However, they can also be re-marked at the exit of the Diffserv region (at the other boundary router).
- DSCP marking can occur in a host or in a router of the intranet. In this case, the appropriate mapping needs to be communicated to the marking device.

Q2. Describe the following with respect to IP Security:
A) Firewalls
B) Secure Socket Layer (SSL)

A) Firewalls
Firewalls have significant functions in an organization's security policy. Therefore, it is important to understand these functions and apply them to the network properly. This chapter explains the firewall concept, network security, firewall components, and firewall examples.

Firewall concept
A firewall is a system (or group of systems) that enforces a security policy between a secure internal network and an untrusted network such as the Internet. Firewalls tend to be seen as a protection between the Internet and a private network. But generally speaking, a firewall should be considered as a means to divide the world into two or more networks: one or more secure networks and one or more non-secure networks. A firewall can be a PC, a router, a midrange, a mainframe, a UNIX workstation, or a combination of these that determines which information or services can be accessed from the outside and who is permitted to use the information and services from outside. Generally, a firewall is installed at the point where the secure internal network and untrusted external network meet, which is also known as a choke point.

In order to understand how a firewall works, consider the network to be a building to which access must be controlled. The building has a lobby as the only entry point. In this lobby, receptionists welcome visitors, security guards watch visitors, video cameras record visitor actions, and badge readers authenticate visitors who enter the building. Although these procedures can work well to control access to the building, if an unauthorized person succeeds in entering, there is no way to protect the building against this intruder's actions. However, if the intruder's movements are monitored, it can be possible to detect any suspicious activity.

Similarly, a firewall is designed to protect the information resources of the organization by controlling the access between the internal secure network and the untrusted external network. However, it is important to note that even if the firewall is designed to permit the trusted data to pass through, deny the vulnerable services, and prevent the internal network from outside attacks, a newly created attack can penetrate the firewall at any time. The network administrator must examine all logs and alarms generated by the firewall on a regular basis. Otherwise, it is generally not possible to protect the internal network from outside attacks.

Components of a firewall system
As mentioned previously, a firewall can be a PC, a midrange, a mainframe, a UNIX workstation, a router, or a combination of these. Depending on the requirements, a firewall can consist of one or more of the following functional components:
- Packet-filtering router
- Application-level gateway (proxy)
- Circuit-level gateway
Each of these components has different functions and shortcomings. Generally, in order to build an effective firewall, these components are used together.

Packet-filtering router
Most of the time, packet filtering is accomplished by using a router that can forward packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet will pass through or be discarded. The following information can be extracted from the packet header:
- Source IP address
- Destination IP address
- TCP/UDP source port
- TCP/UDP destination port
- ICMP message type
- Encapsulated protocol information (TCP, UDP, ICMP, or IP tunnel)
The packet-filtering rules are based on the network security policy. Therefore, packet filtering is done by using these rules as input. When determining the filtering rules, outside attacks must be taken into consideration, as well as service level restrictions and source/destination level restrictions.

Service level filtering
Because most services use well-known TCP/UDP port numbers, it is possible to allow or deny services by using related port information in the filter. For example, an FTP server listens for connections on TCP port 21 and, for a non-passive mode client, makes outbound data connections from port 20. Therefore, to permit FTP connections to pass through to a secure network, the router can be configured to permit packets that contain 20 and 21 as the TCP port in their headers. However, there are some applications, such as NFS, that use RPC and use different ports for each connection. Allowing these kinds of services might cause security problems.
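The following is an added worked example, not part of the assignment text: a stateless packet-filtering decision over exactly the header fields listed above, with a constructed policy that combines service-level filtering (the FTP ports 20 and 21) and source/destination-level filtering (only one server reachable). The addresses, rule syntax and sample packets are assumptions made for illustration.

```python
# Added example (not from the assignment text): a stateless packet-filtering
# decision over the header fields listed above. Rules, addresses and packets
# are constructed for illustration; real router filter syntax differs.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                        # source IP address
    dst: str                        # destination IP address
    proto: str                      # encapsulated protocol: "tcp", "udp" or "icmp"
    sport: Optional[int] = None     # TCP/UDP source port
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None # ICMP message type


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # host address or CIDR prefix; None matches any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _addr_match(pattern: Optional[str], addr: str) -> bool:
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    for field in ("sport", "dport", "icmp_type"):
        wanted = getattr(rule, field)
        if wanted is not None and getattr(pkt, field) != wanted:
            return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet that no rule permits is discarded."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed policy: only the FTP server 192.0.2.10 is reachable from outside
# (source/destination-level filtering), and only its control port 21 plus the
# active-mode data connections it opens from port 20 (service-level filtering).
FTP_SERVER = "192.0.2.10"
RULES = [
    Rule("permit", proto="tcp", dst=FTP_SERVER, dport=21),
    Rule("permit", proto="tcp", src=FTP_SERVER, sport=20),
    Rule("deny"),   # everything else, including RPC-based services such as NFS
]

if __name__ == "__main__":
    for pkt in (
        Packet("198.51.100.7", FTP_SERVER, "tcp", 40000, 21),     # FTP control
        Packet(FTP_SERVER, "198.51.100.7", "tcp", 20, 40001),     # FTP data
        Packet("198.51.100.7", "192.0.2.11", "tcp", 40000, 21),   # other host
        Packet("198.51.100.7", FTP_SERVER, "udp", 1023, 2049),    # NFS over UDP
        Packet("198.51.100.7", FTP_SERVER, "icmp", icmp_type=8),  # echo request
    ):
        print(filter_packet(RULES, pkt), pkt)
```

Because the filter keeps no connection state, any packet that carries the server's address and source port 20 is permitted regardless of where it actually came from, which is the kind of hole the packet-filtering limitations discussed later refer to.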

Source/destination level filtering
The packet-filtering rules allow a router to permit or deny a packet according to the destination or the source information in the packet header. In most cases, if a service is available, only that particular server is permitted to outside users. Other packets that have another destination or no destination information in their headers are discarded.

Advanced filtering
As mentioned previously, there are different types of attacks that threaten the privacy and network security. Some of them can be discarded by using advanced filtering rules such as checking IP options, fragment offset, and so on.

Packet-filtering limitations
Packet-filtering rules are sometimes very complex. When there are exceptions to existing rules, it becomes much more complex. Although there are a few testing utilities available, it is still possible to leave some holes in the network security. Packet filters do not provide absolute protection for a network. For some cases, it might be necessary to restrict some set of information (for example, a command) from passing through to the internal secure network. It is not possible to control the data with packet filters because they are not capable of understanding the contents of a particular service. For this purpose, an application-level control is required.

Application-level gateway (proxy)
An application-level gateway is often referred to as a proxy. An application-level gateway provides higher-level control on the traffic between two networks in that the contents of a particular service can be monitored and filtered according to the network security policy. Therefore, for any desired application, the corresponding proxy code must be installed on the gateway in order to manage that specific service passing through the gateway. A proxy acts as a server to the client and as a client to the destination server. A virtual connection is established between the client and the destination server. Though the proxy seems to be transparent from the point of view of the client and the server, the proxy is capable of monitoring and filtering any specific type of data, such as commands, before sending it to the destination. For example, an FTP server is permitted to be accessed from outside. In order to protect the server from any possible attacks, the FTP proxy in the firewall can be configured to deny PUT and MPUT commands.

B) Secure Socket Layer (SSL)
SSL is a security protocol that was developed by Netscape Communications Corporation, along with RSA Data Security, Inc. The primary goal of the SSL protocol is to provide a private channel between communicating applications, which ensures privacy of data, authentication of the partners, and integrity.

SSL overview
SSL provides an alternative to the standard TCP/IP socket API that has security implemented within it. Therefore, in theory, it is possible to run any TCP/IP application in a secure way without changing the application. In practice, SSL is only widely implemented for HTTP connections, but Netscape Communications Corp. has stated an intention to employ it for other application types, such as NNTP and Telnet, and there are several such implementations freely available on the Internet. IBM, for example, uses SSL to enhance security for TN3270 sessions in the IBM WebSphere Host On-Demand and Network Communications Server products.

SSL is composed of two layers:
- At the lower layer, a protocol for transferring data using a variety of predefined cipher and authentication combinations, called the SSL Record Protocol.
- On the upper layer, a protocol for initial authentication and transfer of encryption keys, called the SSL Handshake Protocol.

An SSL session is initiated as follows:
1. On the client (browser), the user requests a document with a special URL that starts with https: instead of http:, either by typing it into the URL input field, or by clicking a link.
2. The client code recognizes the SSL request and establishes a connection through TCP port 443 to the SSL code on the server.
3. The client then initiates the SSL handshake phase, using the SSL Record Protocol as a carrier. At this point, there is no encryption or integrity checking built in to the connection.

The SSL protocol addresses the following security issues:
- Privacy: After the symmetric key is established in the initial handshake, the messages are encrypted using this key.
- Integrity: Messages contain a message authentication code (MAC) ensuring the message integrity.
- Authentication: During the handshake, the client authenticates the server using an asymmetric or public key. It can also be based on certificates.

SSL requires that each message is encrypted and decrypted and therefore has a high performance and resource cost.

Q3. Explain:
A) Fully Qualified Domain Names (FQDNs)
B) Mapping domain names to IP addresses

A) Fully Qualified Domain Names (FQDNs)
When using the Domain Name System, it is common to work with only a part of the domain hierarchy, such as the myDivision.myCorp.com domain. The Domain Name System provides a simple method of minimizing the typing necessary in this circumstance. If a domain name ends in a dot (for example, myDept.myDiv.myCorp.com.), it is assumed to be complete. This is called a fully qualified domain name (FQDN) or an absolute domain name. However, if it does not end in a dot (for example, myDept.myDiv), it is incomplete and the DNS resolver may complete this by appending a suffix such as .myCorp.com to the domain name. The rules for doing this are implementation-dependent and locally configurable.

Generic Domains
The top-level names are called the generic Top-Level Domains (gTLDs), and can be three characters or more in length. Table 10.1 shows some of the top-level domains of today's Internet domain namespace. These names are registered with and maintained by the Internet Corporation for Assigned Names and Numbers (ICANN).

Country Domains
There are also top-level domains named for each of the ISO 3166 international 2-character country codes (from ae for the United Arab Emirates to zw for Zimbabwe). These are called the country domains or the geographical domains. Many countries have their own second-level domains underneath which parallel the generic top-level domains. For example, in the United Kingdom, the domains equivalent to the generic domains .com and .edu are .co.uk and .ac.uk (ac is an abbreviation for academic). There is a .us top-level domain, which is organized geographically by state (for example, .ny.us refers to the state of New York). See RFC 1480 for a detailed description of the .us domain.

B) Mapping domain names to IP addresses
The mapping of names to addresses consists of independent, cooperative systems called name servers. A name server is a server program that holds a master or a copy of a name-to-address mapping database, or otherwise points to a server that does, and that answers requests from the client software, called a Name Resolver. Conceptually, all Internet domain servers are arranged in a tree structure that corresponds to the naming hierarchy. Each leaf represents a name server that handles names for a single sub-domain. Links in the conceptual tree do not indicate physical connections. Instead, they show which other name server a given server can contact. See Fig. 11.1 for more details.

Q4. Describe the following with respect to Telnet:
A) Telnet Operation
B) Network Virtual Terminal
C) Telnet Command Structure
D) Option Negotiation

Telnet
Telnet is a standard protocol with STD number 8. Its status is recommended. It is described in RFC 854 – Telnet Protocol Specifications and RFC 855 – Telnet Option Specifications. The Telnet protocol provides a standardized interface, through which a program on one host (the Telnet client) can access the resources of another host (the Telnet server) as though the client were a local terminal connected to the server. For example, a user on a workstation on a LAN can connect to a host attached to the LAN as though the workstation were a terminal attached directly to the host.

Of course, Telnet can be used across WANs as well as LANs. Most Telnet implementations do not provide you with graphics capabilities.

A) Telnet Operation
The Telnet protocol is based on three ideas:
- The Network Virtual Terminal (NVT) concept. An NVT is an imaginary device with a basic structure common to a wide range of real terminals. Each host maps its own terminal characteristics to those of an NVT and assumes that every other host will do the same.
- A symmetric view of terminals and processes.
- Negotiation of terminal options. The principle of negotiated options is used by the Telnet protocol, because many hosts want to provide additional services, beyond those available with the NVT. Various options can be negotiated. The server and client use a set of conventions to establish the operational characteristics of their Telnet connection through the "DO, DONT, WILL, WONT" mechanism discussed later in this chapter.

The two hosts begin by verifying their mutual understanding. After this initial negotiation is complete, they are capable of working on the minimum level implemented by the NVT. After this minimum understanding is achieved, they can negotiate additional options to extend the capabilities of the NVT to reflect more accurately the capabilities of the real hardware in use.

B) Network Virtual Terminal
The NVT has a printer (or display) and a keyboard. The keyboard produces outgoing data, which is sent over the Telnet connection. The printer receives the incoming data. An NVT printer has an unspecified carriage width and page length. It can handle printable ASCII characters (ASCII code 32 to 126) and understands some ASCII control characters. The basic characteristics of an NVT, unless they are modified by mutually agreed options, are:
- The data representation is 7-bit ASCII transmitted in 8-bit bytes.
- The NVT is a half-duplex device operating in a line-buffered mode.
- The NVT provides a local echo function.
All of these can be negotiated by the two hosts. For example, a local echo is preferred because of the lower network load and superior performance, but there is an option for using a remote echo (see Fig. 11.3), although no host is required to use it.

C) Telnet Command Structure
The communication between client and server is handled with internal commands, which are not accessible by users. All internal Telnet commands consist of 2- or 3-byte sequences, depending on the command type. The Interpret As Command (IAC) character is followed by a command code. If this command deals with option negotiation, the command will have a third byte to show the code for the referenced option.
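The following is an added worked example, not part of the assignment text: a parser that separates NVT data from the 2- and 3-byte IAC command sequences described under Telnet Command Structure, including the escaped data byte 255 (IAC IAC) and the DO/DONT/WILL/WONT negotiations. The command and option codes are the standard RFC 854 values; the sample byte stream is constructed for illustration.

```python
# Added example (not from the assignment text): splitting a Telnet byte stream
# into NVT data and the 2- or 3-byte IAC command sequences described above.
# Command and option codes are the standard RFC 854/855 values; the sample
# stream at the bottom is constructed for illustration.
from typing import List, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATION = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
TWO_BYTE = {241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO",
            246: "AYT", 247: "EC", 248: "EL", 249: "GA"}
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD",
           24: "TERMINAL-TYPE", 31: "NAWS"}


def parse_telnet(stream: bytes) -> Tuple[bytes, List[tuple]]:
    """Return (data, commands).

    data     : the NVT data with IAC escapes removed (IAC IAC -> one 0xFF byte)
    commands : ("NOP",) for 2-byte commands, ("DO", "ECHO") for 3-byte option
               negotiations, ("SB", option, body) for subnegotiations
    """
    data = bytearray()
    commands: List[tuple] = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:             # ordinary data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("stream ends inside an IAC sequence")
        cmd = stream[i + 1]
        if cmd == IAC:                   # escaped data byte 255
            data.append(IAC)
            i += 2
        elif cmd in TWO_BYTE:            # IAC <command>
            commands.append((TWO_BYTE[cmd],))
            i += 2
        elif cmd in NEGOTIATION:         # IAC <DO|DONT|WILL|WONT> <option>
            if i + 2 >= n:
                raise ValueError("option negotiation is missing its option byte")
            opt = stream[i + 2]
            commands.append((NEGOTIATION[cmd], OPTIONS.get(opt, str(opt))))
            i += 3
        elif cmd == SB:                  # IAC SB <option> ... IAC SE
            if i + 2 >= n:
                raise ValueError("subnegotiation is missing its option byte")
            opt, j, body = stream[i + 2], i + 3, bytearray()
            while True:
                if j + 1 >= n:
                    raise ValueError("unterminated subnegotiation")
                if stream[j] == IAC and stream[j + 1] == SE:
                    break
                if stream[j] == IAC and stream[j + 1] == IAC:
                    body.append(IAC)     # escaped 0xFF inside the body
                    j += 2
                else:
                    body.append(stream[j])
                    j += 1
            commands.append(("SB", OPTIONS.get(opt, str(opt)), bytes(body)))
            i = j + 2
        else:
            raise ValueError(f"unknown Telnet command code {cmd}")
    return bytes(data), commands


def escape_data(data: bytes) -> bytes:
    """Prepare outgoing NVT data: a literal 0xFF must be sent as IAC IAC."""
    return data.replace(bytes([IAC]), bytes([IAC, IAC]))


# Constructed sample: server offers to echo, sends a prompt, a NOP, one escaped
# 0xFF data byte, a terminal-type subnegotiation and asks the client for SGA.
SAMPLE = (b"\xff\xfb\x01" + b"login: " + b"\xff\xf1" + b"\xff\xff"
          + b"\xff\xfa\x18\x01\xff\xf0" + b"\xff\xfd\x03")

if __name__ == "__main__":
    text, cmds = parse_telnet(SAMPLE)
    print(text, cmds)
```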

Q5. Describe the following in the context of Mail applications:
A) Post Office Protocol (POP)
B) Internet Message Access Protocol (IMAP4)

A) Post Office Protocol (POP)
The Post Office Protocol, version 3, is a standard protocol with STD number 53. Its status is elective, and it is described in RFC 1939. The older Post Office Protocol version 2, defined in RFC 0937, is a historic protocol with a status of not recommended. The Post Office Protocol is an electronic mail protocol with both client (sender/receiver) and server (storage) functions. POP3 supports basic functions (download and delete) for electronic mail retrieval. More advanced functions are supported by IMAP4.

B) Internet Message Access Protocol (IMAP4)
The Internet Message Access Protocol, Version 4, is an electronic messaging protocol with both client and server functions. It is defined by RFC 3501. Similar to POP, IMAP4 servers store messages for multiple users to be retrieved upon client requests, but the IMAP4 model provides more functionality to users than does the POP model. IMAP4 allows clients to have multiple remote mailboxes from which messages can be retrieved, and allows users to choose any of those at any point. IMAP4 clients can also specify criteria for downloading messages, such as not transferring large messages over slow links. Additionally, IMAP4 always keeps messages on the server and replicates copies to the clients. Another difference between POP and IMAP4 implementations is in the operational mode. Using POP, changes are made only while the client is connected to the server. IMAP4 allows clients to make changes both when connected and when disconnected. When disconnected, changes made on the client take effect on the server by periodic re-synchronization of the client and server following the disconnect.

Let us discuss the underlying electronic mail models of IMAP4 first in order to understand the IMAP4 functions.

Fundamental IMAP4 Electronic Mail Models
As defined in RFC 1733, there are three fundamental models implemented by the IMAP4 client and server: offline, online, and disconnected. Each of these models has advantages and disadvantages, but because IMAP4 supports all these models, the client is able to switch to another model to meet whatever needs might exist at the time.

The offline model is similar to POP3's implementation. An IMAP4 client connects to a server, downloads mail messages, and disconnects. Downloaded messages are then deleted from the server-based mailbox and exist only on the client's system.

The online model is the opposite of the offline model. In the online model, an IMAP4 client does not download messages from the server. Instead, it establishes a connection with the server, and then manipulates the mail while it remains in the server-based mailbox. In this model, the server does not delete the messages as it does in the offline model. Instead, the server remains the authoritative repository for the messages. In this model, a client must always be connected to the server for changes to be made.

The disconnected model is a combination of both the offline and online models. An IMAP4 client connects to a server, downloads some or all of the messages, and then disconnects from the server (referred to as a disconnected client). The client can then manipulate the messages on the local system and later reconnect to the server, enacting any of the changes made while offline. Upon reconnecting, the client's changes are synchronized with the server's mailbox.

Q6. Describe the following with respect to Simple Mail Transfer Protocol (SMTP):
A) Working of SMTP
B) SMTP Messages
C) The SMTP Destination Address
D) Mail Header Format

Simple Mail Transfer Protocol
The basic Internet mail protocols provide mail (note) and message exchange between TCP/IP hosts. Originally, there were three standard protocols that apply to mail of this kind. The term Simple Mail Transfer Protocol (SMTP) is frequently used to refer to the combined set of protocols because they are so closely interrelated, but they generally require that data be represented as 7-bit ASCII text. Because this can be restrictive, facilities have been added for the transmission of data that cannot be represented in this manner.

A) How SMTP Works
SMTP is based on end-to-end delivery: An SMTP client contacts the destination host's SMTP server directly, on well-known port 25, to deliver the mail. It keeps the mail item being transmitted until it has been successfully copied to the recipient's SMTP. This is different from the store-and-forward principle that is common in many mailing systems, where the mail item can pass through a number of intermediate hosts in the same network on its way to the destination and where successful transmission from the sender only indicates that the mail item has reached the first intermediate hop.

In various implementations, it is possible to exchange mail between the TCP/IP SMTP mailing system and the locally used mailing systems. These applications are called mail gateways or mail bridges. Sending mail through a mail gateway can alter the end-to-end delivery specification, because SMTP only guarantees delivery to the mail-gateway host, not to the real destination host located beyond the TCP/IP network. When a mail gateway is used, the SMTP end-to-end transmission is host-to-gateway, gateway-to-host, or gateway-to-gateway; the behaviour beyond the gateway is not defined by SMTP.

As usual, the client SMTP (referred to as the sending SMTP) is the entity that initiates the session, and the server (referred to as the receiving SMTP) is the one that responds to the session request. Because the client SMTP frequently can also act as a server for a user mailing program, it is often simpler to refer to the client as the sender SMTP and to the server as the receiver SMTP.

C) The SMTP Destination Address
Also known as the mailbox address, the general form of the destination address is local-part@domain-name and can take several forms:
- user@host: For a direct destination on the same TCP/IP network.
- user%remote-host@gateway-host: For a user on a non-SMTP destination remote-host, through the mail gateway-host.
- @host-a,@host-b:user@host-c: For a relayed message. This contains explicit routing information. The message is first delivered to host-a, which re-sends (relays) the message to host-b. Host-b then forwards the message to the real destination host-c. Note that the message is stored on each of the intermediate hosts, so we do not have an end-to-end delivery in this case.

D) Mail Header Format
Typically, a user does not have to worry about the message header because it is managed by SMTP itself. A short reference is included here for completeness. RFC 2822 contains a complete lexical analysis of the mail header. The syntax, defined in RFC 2822, is written in a form known as the Augmented Backus-Naur Form (ABNF). Additionally, many RFCs related to RFC 2822 use this format. The syntax is powerful, but relatively difficult to parse. RFC 2822 also describes how to parse a mail header to a canonical representation, unfolding continuation lines, deleting insignificant spaces, removing comments, and so on.
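The following is an added worked example, not part of the assignment text, for the three destination address forms listed under C) above: it classifies an address and works out which host the sender SMTP actually contacts, which shows why only the direct form is end-to-end. The host names are the placeholders from the text; the dictionary layout is an assumption of this example.

```python
# Added example (not from the assignment text): parsing the three SMTP
# destination address forms above and deriving the hosts on the SMTP side of
# the transfer. Host names are the placeholders used in the text.
from typing import Any, Dict, List


def parse_destination(addr: str) -> Dict[str, Any]:
    """Classify a mailbox address as direct, gateway or relayed (source-routed)."""
    addr = addr.strip()
    if addr.startswith("@"):
        # Relayed form: @host-a,@host-b:user@host-c (explicit routing information)
        route, sep, mailbox = addr.partition(":")
        if not sep:
            raise ValueError("source route must end with ':' followed by a mailbox")
        hops = route.split(",")
        if any(not h.startswith("@") or len(h) < 2 for h in hops):
            raise ValueError(f"malformed source route {route!r}")
        user, at, host = mailbox.rpartition("@")
        if not (at and user and host):
            raise ValueError(f"malformed mailbox {mailbox!r}")
        return {"form": "relayed", "route": [h[1:] for h in hops],
                "user": user, "host": host}
    local, at, domain = addr.rpartition("@")
    if not (at and local and domain):
        raise ValueError("expected local-part@domain-name")
    if "%" in local:
        # Gateway form: user%remote-host@gateway-host (remote-host is non-SMTP)
        user, _, remote = local.partition("%")
        return {"form": "gateway", "user": user, "remote_host": remote,
                "gateway": domain}
    return {"form": "direct", "user": local, "host": domain}


def smtp_path(parsed: Dict[str, Any]) -> List[str]:
    """Hosts, in order, that SMTP itself delivers to. The first entry is the
    host the sender SMTP connects to on port 25; each further entry stores the
    item before passing it on. Beyond a mail gateway SMTP makes no promise,
    so the gateway form stops at the gateway host."""
    if parsed["form"] == "direct":
        return [parsed["host"]]
    if parsed["form"] == "gateway":
        return [parsed["gateway"]]
    return list(parsed["route"]) + [parsed["host"]]


def is_end_to_end(parsed: Dict[str, Any]) -> bool:
    """Only the direct form delivers straight to the destination host's SMTP."""
    return parsed["form"] == "direct"


if __name__ == "__main__":
    for a in ("user@host", "user%remote-host@gateway-host",
              "@host-a,@host-b:user@host-c"):
        p = parse_destination(a)
        print(a, "->", p["form"], smtp_path(p),
              "end-to-end" if is_end_to_end(p) else "not end-to-end")
```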

A basic description is given here, which should be adequate for you to interpret the meaning of simple mail headers that might be encountered. Briefly, the header is a list of specifications in the form of:

keyword: value

Fields begin in column 1. Lines beginning with white space characters (space or tab) are continuation lines that are unfolded to create a single line for each field in the canonical representation. Strings enclosed in ASCII quotation marks indicate single tokens within which special characters, such as the colon, are not significant. Many important field values (such as those for the To and From fields) are mailboxes. The most common forms for these are:

yourEmail@yourdiv.redbookscorp.com
Your Email <yourEmail@yourdiv.redbookscorp.com>
"Your Email" <yourEmail@yourdiv.redbookscorp.com>

In this example, the string Your Email is intended to be read by human recipients and is the name of the mailbox owner. yourEmail@yourdiv.redbookscorp.com is the machine-readable address of the mailbox (the angle brackets delimit the address but are not part of it). Table 13.1 lists some frequently used fields.

**********
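The following is an added worked example, not part of the assignment text, for the mail header format described above: it unfolds a header block into its canonical keyword: value fields and splits the three mailbox forms into display name and address, treating a quoted display name as a single token. The header block is constructed for illustration using the text's example address.

```python
# Added example (not from the assignment text): unfolding a mail header into
# canonical "keyword: value" fields and splitting the three mailbox forms
# shown above. The header block below is constructed for illustration.
from typing import List, Optional, Tuple


def unfold_header(raw: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs in order. Fields begin in column 1; lines
    starting with space or tab continue the previous field and are unfolded
    into it. Parsing stops at the blank line that ends the header."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line.strip() == "":
            break
        if line[0] in " \t":
            if not fields:
                raise ValueError("continuation line before any field")
            keyword, value = fields[-1]
            fields[-1] = (keyword, value + " " + line.strip())
        else:
            keyword, sep, value = line.partition(":")
            if not sep or not keyword.strip():
                raise ValueError(f"not a header field: {line!r}")
            fields.append((keyword.strip(), value.strip()))
    return fields


def parse_mailbox(value: str) -> Tuple[Optional[str], str]:
    """Split a mailbox into (display name, address).

    Handles the forms  user@host,  Name <user@host>  and  "Name" <user@host>.
    A quoted display name is a single token, so a colon or '<' inside the
    quotes is not significant; the address is what the final <...> encloses.
    """
    value = value.strip()
    if not value.endswith(">"):
        return None, value
    lt = value.rfind("<")
    if lt < 0:
        raise ValueError(f"unbalanced angle brackets in {value!r}")
    name = value[:lt].strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    return (name or None), value[lt + 1:-1].strip()


def canonical_header(raw: str) -> str:
    """One line per field, as in the canonical representation."""
    return "\n".join(f"{k}: {v}" for k, v in unfold_header(raw))


# Constructed header block: CRLF line ends, folded Subject and Received fields,
# and the three mailbox forms from the text.
RAW_HEADER = (
    "From: \"Your Email\" <yourEmail@yourdiv.redbookscorp.com>\r\n"
    "To: Your Email <yourEmail@yourdiv.redbookscorp.com>\r\n"
    "Reply-To: yourEmail@yourdiv.redbookscorp.com\r\n"
    "Subject: Re: assignment\r\n"
    "  set 2\r\n"
    "Received: from host-a\r\n"
    "\tby host-b\r\n"
    "\r\n"
    "Body text is not part of the header.\r\n"
)

if __name__ == "__main__":
    print(canonical_header(RAW_HEADER))
    for keyword, value in unfold_header(RAW_HEADER):
        if keyword in ("From", "To", "Reply-To"):
            print(keyword, parse_mailbox(value))
```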