
Information Security - Lecture 2

How does the Internet work ?

Plarent Tirana, Ph.D., October 22nd, 2018


Topics
OSI Architecture
TCP / IP Architecture
TCP / and UDP
IP / Network Routing
Domain Name Service
Client Server / Peer to Peer models
The parts of a URL
What is an IP Address?
2/6/22 2
OSI Architecture
OSI = Open Systems Interconnection model
There is a need for standardization
OSI is a conceptual model
Standardizes the internal functions of a communication system
Partitions into seven logical (abstract) layers
Any layer (level):
o Serves the layer above
o Is served by the layer below it
Description of OSI Layers

[Figure: table describing the seven OSI layers; not reproduced in the text extraction]
OSI Architecture – SDU / PDU
At each layer (N):
o Two entities (layer-N peers) talk via the layer-N protocol
o They exchange protocol data units (PDUs)
o The service data unit (SDU) is the payload of a PDU
o A PDU is transmitted unchanged to the peer
The PDU at layer N thus becomes the SDU of layer N-1
Layer N-1 might add a header, a footer, or both

OSI Architecture – SDU / PDU

Security services are not tied to a specific layer
o They can be provided by several layers
Some degree of management and security is involved at every layer

End to End Connectivity

Image/Info Credits to: http://en.wikipedia.org/wiki/Internet_Protocol


TCP/IP Architecture
OSI is too strict
OSI is almost "Layering considered harmful"
TCP/IP model protocols are not as rigid
TCP/IP has four broad layers of functionality:
o The software application
o The end-to-end transport connection
o The internetworking
o The direct links to other nodes on the local network

OSI to TCP/IP Mapping

[Figure: mapping of the seven OSI layers onto the four TCP/IP layers; not reproduced in the text extraction]
TCP/IP Architecture
Application Layer
o Groups the functions of the OSI Application, Presentation and Session layers
o Any process above the transport layer is called an Application in the TCP/IP architecture
o Socket and port are used to describe the path over which applications communicate
o Example Protocols: DNS, FTP, Gopher, HTTP, NFS, NTP, NNTP, DHCP, SMPP, SMTP, SNMP, Telnet, SSH

TCP/IP Architecture
Transport Layer
o The Transmission Control Protocol (TCP) guarantees information transmission.
o The User Datagram Protocol (UDP) transports datagrams without end-to-end reliability checking.
o Both protocols are useful for different applications.
o Example Protocols: TCP, UDP, SCTP, DCCP
o A step above transport: MIME, SSL, TLS, XDR

TCP/IP Architecture
Network Layer
o The Internet Protocol is the primary protocol in the TCP/IP Network Layer.
o All upper and lower layer communications must travel through IP as they are passed through the TCP/IP protocol stack.
o There are many supporting protocols in the Network Layer, such as ICMP, to facilitate and manage the routing process.
o Example Protocols: IP, IPsec, ICMP, IGMP, OSPF, RIP

TCP/IP Architecture
Host to Network Layer
o IP is compatible with existing data link protocols such as Ethernet, Token Ring, FDDI, HSSI, and ATM.
o The physical layer, which defines the hardware communication properties, is not often directly interfaced with the TCP/IP protocols in the network layer and above.
o Example Protocols: PPP, SBTV, SLIP

IP Packet Structure

There is no footer, only a header
IPv4 packet header has 14 fields, 13 of which are required
Minimum packet size:
o Only header, no data
o 5 x 32-bit words = 160 bits = 20 bytes
IP Packet Structure
Version
Internet Header Length = number of 32-bit words in the header
Differentiated Services Code Point (DSCP). Used for applications that require real-time data streaming and therefore make use of the DSCP field.
Explicit Congestion Notification (ECN). Allows end-to-end notification of network congestion without dropping packets. ECN is an optional feature that is only used when both endpoints support it and are willing to use it. It is only effective when supported by the underlying network.

IP Packet Structure
Total Length = defines the entire packet (fragment) size, including header and data, in bytes.
Identification - primarily used for uniquely identifying the group of fragments of a single IP datagram.
Flags - A three-bit field follows and is used to control or identify fragments.
Fragment Offset - specifies the offset of a particular fragment relative to the beginning of the original un-fragmented IP datagram.
Time To Live (TTL) - An eight-bit time to live field helps prevent datagrams from persisting (e.g. going in circles) on an internet.
Protocol - This field defines the protocol used in the data portion of the IP datagram.

IP Packet Structure
Header Checksum = The 16-bit checksum field is used for error-checking of the header
Source address = This field is the IPv4 address of the sender of the packet. This address may be changed in transit by a network address translation device.
Destination address = This field is the IPv4 address of the receiver of the packet. As with the source address, this may be changed in transit by a network address translation device.
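The encapsulation rule from the SDU/PDU slides (a layer-4 PDU becomes the IP layer's SDU, and IP adds a header but no footer) and the header fields listed on the last three slides can both be seen in a few lines of code. The following example is added here and is not part of the lecture: it builds a UDP datagram, wraps it in a 20-byte IPv4 header with a correctly computed RFC 791 header checksum, parses the header back, and shows what a router must do per hop (decrement TTL and recompute the checksum). The addresses, ports and payload are constructed sample values.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit words.
    Run over a header whose checksum field is already filled in, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP PDU: 8-byte header + payload. A zero checksum means 'not computed' (allowed over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, protocol: int, sdu: bytes, ttl: int = 64,
               ident: int = 0x1234) -> bytes:
    """Wrap a layer-4 PDU (now the IP layer's SDU) in a minimal 20-byte IPv4 header.
    Only a header is added, never a trailer. Flags: DF set, fragment offset 0."""
    ver_ihl = (4 << 4) | 5                   # version 4, IHL = 5 words = 20 bytes
    header = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 20 + len(sdu), ident, 0x4000, ttl, protocol,
                         0,                  # checksum placeholder, filled in below
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + sdu


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields discussed on the slides and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, dscp_ecn, total_length, ident, flags_frag,
     ttl, protocol, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20..60)
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": ihl,
        "dscp": dscp_ecn >> 2,
        "ecn": dscp_ecn & 0x3,
        "total_length": total_length,
        "identification": ident,
        "flags": flags_frag >> 13,           # bit value 2 = DF, 1 = MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": protocol,                # 6 = TCP, 17 = UDP
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sdu": packet[ihl:total_length],     # the encapsulated layer-4 PDU
    }


def parse_udp(datagram: bytes):
    """Unwrap the UDP PDU carried as the IP SDU: (src port, dst port, payload)."""
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return src_port, dst_port, datagram[8:length]


def decrement_ttl(packet: bytes) -> bytes:
    """Per-hop router work: lower TTL by one and recompute the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    if header[8] == 0:
        raise ValueError("TTL expired; packet would be dropped")
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


if __name__ == "__main__":
    # Constructed sample: a 5-byte UDP payload to port 53, carried by IP (protocol 17).
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", 17, build_udp(40000, 53, b"hello"))
    print(parse_ipv4(pkt))
    print(parse_udp(parse_ipv4(pkt)["sdu"]))
```

The checksum covers the header only, so a packet whose TTL was changed without a recomputed checksum fails the check at the next hop, while the payload is not protected by this field at all; that is why UDP and TCP carry their own checksums.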
TCP and UDP
There are two main types of Transport for Internet Protocol (IP) traffic:
o TCP or Transmission Control Protocol
o UDP or User Datagram Protocol
TCP is connection oriented – once a connection is established, data can be sent bidirectionally.
UDP is a simpler, connectionless Internet protocol. Multiple messages are sent as packets in chunks using UDP.

TCP and UDP Functions
TCP - carries a message across the internet from one computer to another within the context of a session
UDP - is also a protocol used in message transport or transfer. It is not connection based, which means that one program can send a load of packets to another and that would be the end of the relationship
TCP and UDP Usage
TCP - is suited for applications that require high reliability, where transmission time is relatively less critical
UDP - is suitable for applications that need fast, efficient transmission, such as games. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients

TCP and UDP
Protocols based on each transport
o TCP - HTTP, HTTPS, FTP, SMTP, Telnet
o UDP – DNS, DHCP, TFTP, SNMP, RIP, VoIP

Speed
o TCP is slower than UDP.
o UDP is faster because there is no error checking for packets

TCP and UDP Ordering of data packets
TCP - rearranges data packets in the order specified
UDP - has no inherent order, as all packets are independent of each other. If ordering is required, it has to be managed by the application layer

TCP and UDP Reliability
TCP - There is an absolute guarantee that the data transferred remains intact and arrives in the same order in which it was sent
UDP - There is no guarantee that the messages or packets sent will arrive at all

TCP and UDP Streaming of data
TCP - Data is read as a byte stream; no distinguishing indications are transmitted to signal message (segment) boundaries
UDP - Packets are sent individually and are checked for integrity only if they arrive. Packets have definite boundaries which are honored upon receipt, meaning a read operation at the receiver socket will yield an entire message as it was originally sent
TCP and UDP Error Checking
TCP - TCP is heavy-weight. TCP requires three packets to set up a socket connection before any user data can be sent. TCP handles reliability and congestion control.
o Yes to error checking and recovery
UDP - UDP is lightweight. There is no ordering of messages, no tracking of connections, etc. It is a small transport layer designed on top of IP.
o Yes to error checking but no to error recovery

TCP session establishment
TCP session establishment is a three-way handshake

[Figure: three-way handshake diagram; not reproduced in the text extraction]
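The three segments of the handshake, and the sequence/acknowledgement arithmetic that ties them together, are easiest to follow as an exchange between two in-process endpoints. The following simulation is an added example, not code from the lecture: it models only the handshake-relevant header fields (ports, SEQ, ACK, flags), uses an unpredictable initial sequence number on each side, and has the client reject a SYN-ACK whose ACK number does not cover its own SYN. The port numbers are constructed sample values.

```python
import secrets
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter for the handshake."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset


class TcpEndpoint:
    def __init__(self, port, listening=False):
        self.port = port
        self.state = "LISTEN" if listening else "CLOSED"
        self.isn = secrets.randbelow(MOD)    # unpredictable initial sequence number
        self.snd_nxt = self.isn              # next sequence number we will send
        self.rcv_nxt = None                  # next sequence number we expect from the peer
        self.log = []                        # (direction, segment) for inspection

    def connect(self, peer_port):
        """Step 1: client sends SYN carrying its ISN and enters SYN_SENT."""
        self.state = "SYN_SENT"
        self.snd_nxt = (self.isn + 1) % MOD  # the SYN itself consumes one sequence number
        seg = Segment(self.port, peer_port, self.isn, 0, frozenset({"SYN"}))
        self.log.append(("sent", seg))
        return seg

    def receive(self, seg):
        """Handle one incoming segment; returns the reply segment or None."""
        self.log.append(("received", seg))
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: server acknowledges the client's ISN and sends its own ISN (SYN-ACK).
            self.state = "SYN_RECEIVED"
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.snd_nxt = (self.isn + 1) % MOD
            reply = Segment(self.port, seg.src_port, self.isn, self.rcv_nxt,
                            frozenset({"SYN", "ACK"}))
            self.log.append(("sent", reply))
            return reply
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:
                return None                  # does not acknowledge our SYN: not a reply to us
            # Step 3: client acknowledges the server's ISN; client side is established.
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            reply = Segment(self.port, seg.src_port, self.snd_nxt, self.rcv_nxt,
                            frozenset({"ACK"}))
            self.log.append(("sent", reply))
            return reply
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack == self.snd_nxt and seg.seq == self.rcv_nxt:
                self.state = "ESTABLISHED"   # server completes only on a matching ACK
            return None
        return None


def three_way_handshake(client_port=51000, server_port=80):
    """Run the exchange between two endpoints; returns both plus the three segments."""
    client = TcpEndpoint(client_port)
    server = TcpEndpoint(server_port, listening=True)
    syn = client.connect(server_port)        # 1. client -> server: SYN
    syn_ack = server.receive(syn)            # 2. server -> client: SYN-ACK
    ack = client.receive(syn_ack)            # 3. client -> server: ACK
    server.receive(ack)
    return client, server, (syn, syn_ack, ack)


if __name__ == "__main__":
    client, server, segments = three_way_handshake()
    for seg in segments:
        print(sorted(seg.flags), "seq=%d ack=%d" % (seg.seq, seg.ack))
    print(client.state, server.state)
```

Note that after step 2 the server is already holding connection state in SYN_RECEIVED before it has seen proof that the client is reachable; the ACK in step 3 is what confirms the client saw the server's ISN.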
Routing Protocols
• Goal:
– Determine path or route
– Packet switching networks: determine the routing table
• Routing Table Requirements:
– Used for forwarding each packet
– Scalable, adaptive, stable

Route Construction
• Static
– Listed manually: routes change slowly
– Not robust: reachability is independent of network condition
– Stable
• Dynamic
– Learn routes via routing protocols
– React to topology, traffic or configuration changes directly
– Might not converge, or might oscillate
– Might have loops

Dynamic Routing Algorithms
• Global or Link State algorithm
– Uses global knowledge about topology and cost
• Decentralized or Distance Vector algorithm
– Uses only knowledge of attached links and neighbors
– Distributed and iterative algorithm

Global or Link State Algorithm
Each node floods the entire network with information about the other nodes it can connect to.
Each node independently assembles this information into a map.
Using this map, each router independently determines the least-cost path from itself to every other node using a standard shortest paths algorithm such as Dijkstra's algorithm.
The result is a tree graph rooted at the current node, such that the path through the tree from the root to any other node is the least-cost path to that node.
This tree then serves to construct the routing table, which specifies the best next hop to get from the current node to any other node.

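The four steps above (flood, assemble the map, run Dijkstra, derive next hops) map directly onto code. The following is an added example, not the lecture's code: `LSAS` is a constructed set of link-state advertisements for a six-router network, `assemble_map` builds the shared map and rejects a link reported with different costs from its two ends, and `routing_table` walks each shortest path back to the root to find the first hop. The router names and costs are assumptions for the example.

```python
import heapq

# Constructed link-state advertisements: (router, {neighbour: link cost}), as each
# router would flood them to everyone else.
LSAS = [
    ("u", {"v": 2, "x": 1, "w": 5}),
    ("v", {"u": 2, "x": 2, "w": 3}),
    ("x", {"u": 1, "v": 2, "w": 3, "y": 1}),
    ("w", {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5}),
    ("y", {"x": 1, "w": 1, "z": 2}),
    ("z", {"w": 5, "y": 2}),
]


def assemble_map(lsas):
    """Combine flooded LSAs into one topology map; every node ends up with the same map."""
    graph = {}
    for router, links in lsas:
        graph.setdefault(router, {}).update(links)
    # Sanity check: a link must be reported from both ends with the same cost.
    for u, links in graph.items():
        for v, cost in links.items():
            if graph.get(v, {}).get(u) != cost:
                raise ValueError("inconsistent LSA for link %s-%s" % (u, v))
    return graph


def dijkstra(graph, source):
    """Least-cost paths from `source`: returns (cost per node, predecessor per node)."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def routing_table(graph, source):
    """Turn the shortest-path tree into {destination: (next hop, total cost)}."""
    dist, prev = dijkstra(graph, source)
    table = {}
    for dest in dist:
        if dest == source:
            continue
        hop = dest
        while prev[hop] != source:       # walk back toward the root to find the first hop
            hop = prev[hop]
        table[dest] = (hop, dist[dest])
    return table


if __name__ == "__main__":
    topology = assemble_map(LSAS)
    for dest, (hop, cost) in sorted(routing_table(topology, "u").items()):
        print("u -> %s via %s, cost %d" % (dest, hop, cost))
```

Because every router runs the same algorithm over the same map, an error in one flooded LSA is visible to all of them; the consistency check in `assemble_map` is the simplest form of that cross-checking.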
Link State Algorithm Issues
Processing power
o Heavier processing in terms of ASIC
Flooding
o Heavier in terms of sending updates to each node

Distance Vector Algorithms
Distance Vector Routing involves two factors:
o The distance, or metric, of a destination
o The vector, or direction to take to get there.
Routing information is only exchanged between directly connected neighbors.
This means a router knows from which neighbor a route was learned, but it does not know where that neighbor learned the route; a router can't see beyond its own neighbors.
This aspect of distance vector routing is sometimes referred to as "routing by rumor."
Decentralized or Distance Vector Algorithm

Each node communicates only with directly-attached neighbors
Compute shortest path
Continues until no nodes exchange information
Nodes need not exchange info/iterate in lock step!

Distance Vector Algorithm Issues
Robustness:
o A node can advertise an incorrect path cost
o Each node's table is used by others
• Errors propagate through the network
o May have routing loops
o Split horizon and poison reverse are employed to avoid routing loops.
Convergence Times:
o Count-to-infinity problem

Split Horizon
• Split-horizon route advertisement is a method of preventing routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned.
• Consider the following example where A learns from B how to reach C

[Figure: nodes A, B and C, with A learning its route to C from B; not reproduced in the text extraction]

• According to the split-horizon rule, node A does not advertise its route for C (namely A to B to C) back to B.
• On the surface, this seems redundant since B will never route via node A because the route costs more than the direct route from B to C. However, if the link between B and C goes down, and B had received a route from A to C, B could end up using that route via A. A would send the packet right back to B, creating a loop.
• This is the Count to Infinity Problem. With the split-horizon rule in place, this particular loop scenario cannot happen, improving convergence time in complex, highly-redundant environments.

Split Horizon with Poison Reverse
• Split-horizon routing with poison reverse is a variant of split-horizon route advertising in which a router actively advertises routes as unreachable over the interface over which they were learned, by setting the route metric to infinity (16 for RIP).
• The effect of such an announcement is to immediately remove most looping routes before they can propagate through the network.

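The A-B-C scenario from the split-horizon slides, the count-to-infinity problem and the poison-reverse fix can all be reproduced with a small distance-vector simulation. The following is an added example, not the lecture's code: three routers on a chain A - B - C exchange vectors in synchronous rounds until nothing changes, the B-C link is then cut, and the same exchange is run under three rules (`"none"`, `"split_horizon"`, `"poison_reverse"`) so the number of rounds needed to declare C unreachable can be compared. Infinity is 16 as in RIP; the topology and costs are constructed.

```python
INF = 16  # RIP's "infinity": a metric of 16 means unreachable


class Router:
    """One distance-vector router: knows only its own links and what neighbours tell it."""

    def __init__(self, name, links):
        self.name = name
        self.links = dict(links)                 # neighbour -> link cost
        self.table = {name: (0, name)}           # destination -> (cost, next hop)
        for neighbour, cost in links.items():
            self.table[neighbour] = (cost, neighbour)

    def advertisement(self, to, mode):
        """The vector this router sends to neighbour `to` under the chosen rule."""
        adv = {}
        for dest, (cost, hop) in self.table.items():
            if hop == to and mode == "split_horizon":
                continue                         # never advertise a route back to its source
            if hop == to and mode == "poison_reverse":
                adv[dest] = INF                  # advertise it back, but as unreachable
            else:
                adv[dest] = cost
        return adv

    def receive(self, sender, adv):
        """Bellman-Ford update from one neighbour's vector; returns True if anything changed."""
        link = self.links[sender]
        changed = False
        for dest, adv_cost in adv.items():
            if dest == self.name:
                continue
            candidate = min(INF, link + adv_cost)
            cost, hop = self.table.get(dest, (INF, None))
            if hop == sender:
                # The route in use came from this neighbour: accept its new cost even if
                # worse. This unconditional trust is the "routing by rumor" weakness.
                if candidate != cost:
                    self.table[dest] = (candidate, sender if candidate < INF else None)
                    changed = True
            elif candidate < cost:
                self.table[dest] = (candidate, sender)
                changed = True
        return changed


def run_until_converged(routers, mode, max_rounds=50):
    """Synchronous rounds: every router advertises from the state at the start of the round."""
    for rounds in range(1, max_rounds + 1):
        messages = [(r.name, nbr, r.advertisement(nbr, mode))
                    for r in routers.values() for nbr in r.links]
        changed = False
        for sender, receiver, adv in messages:
            changed |= routers[receiver].receive(sender, adv)
        if not changed:
            return rounds
    return max_rounds


def fail_link(routers, a, b):
    """Both ends lose the link and mark every route that used it as unreachable."""
    for x, y in ((a, b), (b, a)):
        del routers[x].links[y]
        for dest, (cost, hop) in list(routers[x].table.items()):
            if hop == y:
                routers[x].table[dest] = (INF, None)


def chain_demo(mode):
    """Constructed topology A - B - C (cost 1 per link); the B-C link then fails."""
    routers = {"A": Router("A", {"B": 1}),
               "B": Router("B", {"A": 1, "C": 1}),
               "C": Router("C", {"B": 1})}
    run_until_converged(routers, mode)
    before = {n: dict(r.table) for n, r in routers.items()}
    fail_link(routers, "B", "C")
    rounds = run_until_converged(routers, mode)
    after = {n: dict(r.table) for n, r in routers.items()}
    return before, rounds, after


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        _, rounds, after = chain_demo(mode)
        print("%-15s rounds after failure: %2d   A's route to C: %s"
              % (mode, rounds, after["A"]["C"]))
```

Without either rule A keeps reporting its stale route to C back to B, B adopts it, and the two routers raise the metric by one per round until it reaches 16; with split horizon or poison reverse the stale route is never offered back, so C is marked unreachable in the first round.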
Internet Architecture

• Segregated into Autonomous Systems (ASes), which belong to
– ISPs
– Companies
– Universities
• One ISP might own several ASes
– ISP merger

Inter-AS and Intra-AS Routing

[Figure: AS1 and AS2 connected by inter-AS routing, with intra-AS routing inside each AS; not reproduced in the text extraction]

Why different Inter-AS and Intra-AS routing protocols?

• Administrative: each AS runs a different intra-AS routing protocol
• Policy: an AS has commercial agreements that determine its routing policy
• Scalability or hierarchy: hiding information within an AS reduces the routing message size.

Inter-AS Routing Protocols
• EGP was used in NSFNET
• Border Gateway Protocol (BGP)
– BGP-4: de facto standard
– Distance Vector Algorithm

Intra-AS Routing
• Routing Information Protocol (RIP)
– Distance Vector Algorithm
• Open Shortest Path First (OSPF)
– Link State Algorithm
• IS-IS
– Link State Algorithm

DNS – Domain Name Service
Translates a hostname to its Internet IP
A lookup mechanism for translating objects into other objects
A globally distributed, loosely coherent, scalable, reliable, dynamic database
Comprised of three components:
o A "name space"
o Servers making that name space available
o Resolvers (clients) which query the servers about the name space
Global Distribution and Loose Coherency
• Global Distribution
o Data is maintained locally, but retrievable globally
– No single computer has all DNS data
o DNS lookups can be performed by any device
o Remote DNS data is locally cacheable to improve performance

• Loose Coherency
o The database is always internally consistent
– Each version of a subset of the database (a zone) has a serial number
– The serial number is incremented on each database change
o Changes to the master copy of the database are replicated according to timing set by the zone administrator
o Cached data expires according to the timeout set by the zone administrator

Reliability and Dynamicity
• Reliability
o Data is replicated
– Data from the master is copied to multiple slaves
o Clients can query
– The master server
– Any of the copies at slave servers
o Clients will typically query local caches
o DNS protocols can use either UDP or TCP
– If UDP, the DNS protocol handles retransmission, sequencing, etc.

• Dynamicity
o The database can be updated dynamically
– Add/delete/modify of any record
o Modification of the master database triggers replication
– Only the master can be dynamically updated
– Creates a single point of failure

DNS Tree

[Figure: the DNS tree; top level net, edu, com; second level includes bubi (bubi.net), isi, cnn, kcchiefs, nfl and bing; below bubi.net the nodes www and work, with hosts ws1, ws2 and ftp beneath; not reproduced in the text extraction]

• Domain names can be mapped to a tree.
• New branches at the 'dots'
• No restriction to the amount of branches.

Domains
• Domains are "namespaces"
• Everything below .com is in the com domain.
• Everything below bubi.net is in the bubi.net domain and in the net domain.

[Figure: the same tree with the com domain, the net domain and the bubi.net domain outlined; not reproduced in the text extraction]
Delegation
• Administrators can create sub-domains to group hosts
o According to geography, organizational affiliation or any other criterion
• An administrator of a domain can delegate responsibility for managing a sub-domain to someone else
o But this isn't required
• The parent domain retains links to the delegated sub-domain
o The parent domain "remembers" who it delegated the sub-domain to

Zones and Delegations
• Zones are "administrative spaces"
• Zone administrators are responsible for a portion of a domain's name space
• Authority is delegated from a parent to a child

[Figure: the DNS tree with the net zone, the bubi.net zone and the work.bubi.net zone outlined; not reproduced in the text extraction]
Name Servers
Name servers answer 'DNS' questions.
Several types of name servers:
• Authoritative servers
o master (primary)
o slave (secondary)
• (Caching) recursive servers
o also caching forwarders
• Mixture of functionality
Security Concerns
Designed when the network was private, so security concerns were not major design considerations
The expansion of the Internet to the public changed the game – authentication is needed
Several vulnerability issues were discovered and exploited by malicious users.
DNS cache poisoning
o Data is distributed to caching resolvers under the pretense of being an authoritative origin server
o Pollutes the data store with potentially false information
o Long expiration times (TTL = time-to-live)
Legitimate application requests may be redirected to network hosts operated with malicious intent

Security Concerns
DNS responses are traditionally not cryptographically signed, which leads to many attack possibilities
Domain Name System Security Extensions (DNSSEC) modify DNS to add support for cryptographically signed responses.
DNSCurve has been proposed as an alternative to DNSSEC.
Other extensions, such as TSIG, add support for cryptographic authentication between trusted peers and are commonly used to authorize zone transfer or dynamic update operations.

Client Server Model
A client can find a server and initiate a dialogue
o Question-answer session
o Formally "request-response"
• The server never initiates a dialogue.
• The client may or may not know a server's capabilities!
• Question-answer sessions follow a standard, but need not!

Client Server Model
The client initiates the connection with a request.
The server responds to this request, delivering the required service or resource.
Most business-related networked applications operate on this model.
Web browsers request web pages from web servers in the same manner.
Email services follow the same paradigm.
Client server was the only method of network communication until peer-to-peer networking was invented.
Peer to Peer Model
In a peer-to-peer network, both computers in a connection are equals, or "peers."
Both computers in the connection are clients and servers simultaneously.
Usually, peer-to-peer networks involve more than two computers.
This means that each computer in the network can maintain a connection to more than one computer at the same time.
This provides a backup source for a file or service if the first computer to be contacted is not available.
A perfect example is file sharing applications (BitTorrent)

Comparisons / Differences
In client-server communication, only the client initiates the connection.
All computers in a peer-to-peer network can be both client and server, but they do not all perform both functions simultaneously all the time.
o One computer might be available and willing to serve files to others without needing to receive files (BitTorrent application)
The key difference is that the clients in a client-server system can only be clients and the servers can only be servers, because they do not have software installed to perform the other function.
There is no theoretical limit to the size of a peer-to-peer network. Issues:
o Performance
o Security
o Access

Parts of a URL
URL = Uniform Resource Locator
A URL is how you "address" information and content on the web

Parts of a URL

Port Number: is valid within a given host; it generally refers to a specific application per standard. However, an organization can use any port number they desire, but this is not done in most cases for commercial services. In our case it is 8080.
Think of this as identification of where an application is running on a host, since a single host can be running multiple applications.
Default port numbers for some protocols:
FTP: 21
SSH: 22
Telnet: 23
DNS: 53
HTTP: 80
HTTPS: 443
Parts of a URL

Path: includes the resource
Path: may refer to a dynamic resource as well
Information Sent: this is the "query" or the question being sent.
This information makes sense only to the resource it is being sent to.

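Splitting a URL into the parts described on these slides (scheme, host, explicit or default port, path, query) is a good place to see where ambiguity hides. The following parser is an added example, not the lecture's code: it uses the Python standard library's `urlsplit`, fills in the default port for the schemes listed on the port slide when none is written, and also surfaces any user-info part, which legitimate web URLs rarely carry and which can make one host look like another in a displayed link. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Defaults for the schemes on the slide (assumed mapping for this example).
DEFAULT_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}


def parse_url(url: str) -> dict:
    """Split a URL into its parts, resolving the port to the scheme's default when absent."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("URL needs a scheme and a host: %r" % url)
    scheme = parts.scheme.lower()
    port = parts.port                      # None if absent; ValueError if not a valid number
    return {
        "scheme": scheme,
        "userinfo": parts.username,        # anything before '@'; worth flagging if present
        "host": parts.hostname,            # lower-cased; brackets stripped from IPv6 literals
        "port": port if port is not None else DEFAULT_PORTS.get(scheme),
        "port_explicit": port is not None,
        "path": parts.path or "/",         # the resource, static or dynamic
        "query": parse_qs(parts.query, keep_blank_values=True),  # the "information sent"
        "fragment": parts.fragment,        # kept by the client, never sent to the server
    }


if __name__ == "__main__":
    # Constructed sample URLs: one with an explicit port, one relying on the default.
    for sample in ("http://www.example.com:8080/app/search.php?q=lecture&page=2",
                   "https://www.example.com/docs#intro"):
        print(parse_url(sample))
```

`parse_qs` returns a list per key because a query may repeat a name; code that takes only the first value silently ignores the rest, which is one of the classic sources of parameter-handling bugs.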
What is an IP address?

• What is an IP Address? – A unique address for a computer over IP.
• 32 bits, but typically written as four decimal numbers separated by dots, each one called an octet. This allows for 4.3 billion IP addresses.
• There are some private addresses, aka non-routable addresses, which cannot be used on the internet.

Image/Info Credits to: http://en.wikipedia.org/wiki/Internet_Protocol

What is an IP address?
• Each octet is 8 bits and can have values from 0 to 255
• 0 and 255 are reserved for special purposes.
• Each IP address is made up of two parts: the first part is called the Network address and the second the Host address; the split between them is given by the Subnet Mask.
• The size of the Network address (the number of bits in the address) varies, which means the number of bits in the Host part varies too, which means the number of hosts in a network varies.

Class A, B and C
• Imagine a network as a tree, with each node having a network address and, within each node, the leaves (if any) having a host address.
• Examples of network and host addresses (the host part is shown in red in the original slide), classes A / B / C:
– 222.200.201.35 (Class C)
– 164.43.22.178 (Class B)
– 10.34.182.2 (Class A)
• Limitations on classes A / B / C => CIDR = Classless Inter-Domain Routing

CIDR = Classless Inter Domain Routing
• CIDR (Classless Inter-Domain Routing) was introduced in 1993 (RFC 1517), replacing the previous generation of IP address syntax – classful networks.
• CIDR allowed for more efficient use of IPv4 address space and prefix aggregation
• Also known as route summarization or super-netting.
• CIDR introduction allowed for:
o More efficient use of IPv4 address space
o Prefix aggregation, which reduced the size of routing tables
• With CIDR, IP addresses and their subnet masks are written as four octets separated by periods, followed by a forward slash and a two-digit number that represents the subnet mask, e.g. (the addresses used for hosts were highlighted in yellow in the original slide):
o 20.5.4.0/30 => 20.5.4.0, 20.5.4.1, 20.5.4.2, 20.5.4.3
o 20.5.4.4/30 => 20.5.4.4, 20.5.4.5, 20.5.4.6, 20.5.4.7
o 20.5.4.8/30 => 20.5.4.8, 20.5.4.9, 20.5.4.10, 20.5.4.11
CIDR = Classless Inter Domain Routing

More examples on CIDR:
• 192.168.1.0/27
• 192.168.1.32/27
• 192.168.1.64/27
• 192.168.1.96/27

• 192.168.1.0/26
• 192.168.1.64/26
• 192.168.1.128/26
• 192.168.1.192/26
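The address slides above (octets, classes A/B/C, private ranges, the network/host split given by the subnet mask, the /30 and /27 and /26 blocks, and prefix aggregation) can all be checked with the Python standard library's `ipaddress` module. The following is an added example, not the lecture's code: it classifies the three sample addresses from the class slide, splits an address into network and host parts under a given prefix, enumerates the /30 blocks from the CIDR slide, carves the /27 and /26 subnets from the last slide, and summarises the four /27s back into one prefix as a router would. The helper names are this example's own.

```python
import ipaddress


def address_class(addr: str) -> str:
    """Classful (pre-CIDR) class, decided by the leading bits of the first octet."""
    first = ipaddress.IPv4Address(addr).packed[0]
    if first < 128:
        return "A"       # 0xxxxxxx: 8-bit network, 24-bit host
    if first < 192:
        return "B"       # 10xxxxxx: 16-bit network, 16-bit host
    if first < 224:
        return "C"       # 110xxxxx: 24-bit network, 8-bit host
    if first < 240:
        return "D"       # multicast
    return "E"           # reserved


def describe_address(addr: str) -> dict:
    a = ipaddress.IPv4Address(addr)
    return {"octets": list(a.packed),            # the four 8-bit values
            "class": address_class(addr),
            "private": a.is_private,             # non-routable on the public internet
            "global": a.is_global}


def split_network_host(cidr: str) -> dict:
    """Apply the prefix (subnet mask) to separate the network part from the host part."""
    iface = ipaddress.IPv4Interface(cidr)        # e.g. "192.168.1.37/27"
    net = iface.network
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "host_bits": 32 - net.prefixlen,
        "addresses_in_block": net.num_addresses,
        "host_part": int(iface.ip) & int(net.hostmask),
        "broadcast": str(net.broadcast_address),
    }


def addresses_in(cidr: str) -> list:
    """Every address covered by a prefix, e.g. the four addresses of a /30."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


def subnets_of(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal subnets of the given prefix length."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def summarize(cidrs) -> list:
    """Prefix aggregation (route summarization): the fewest prefixes covering the same space."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for sample in ("222.200.201.35", "164.43.22.178", "10.34.182.2"):   # from the class slide
        print(sample, describe_address(sample))
    print(addresses_in("20.5.4.4/30"))
    print(subnets_of("192.168.1.0/24", 26))
    print(summarize(["192.168.1.0/27", "192.168.1.32/27", "192.168.1.64/27", "192.168.1.96/27"]))
    print(split_network_host("192.168.1.37/27"))
```

The summarisation call is the routing-table benefit the CIDR slide mentions: four /27 routes that share a next hop can be announced as a single 192.168.1.0/25.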