TCP/IP Protocol Suite: Summary

A few notes:

1. This article is my study notes from reviewing the KTH course Internetworking. The main references are the textbook and the lecture slides.

    Textbook: Behrouz A. Forouzan, TCP/IP Protocol Suite, 3rd Edition, 2005, McGraw-Hill, ISBN 0-07-296772-2

2. The article is quite long; use the table of contents to find what you need.

3. The course is taught in English, so Chinese and English are mixed in many places.

4. It can also be viewed as a Google Doc: link

5. Some images may fail to load; going through a proxy solves that.

Contents

Lecture 2 Link Layer

1. Basic introduction

2. Collision in Ethernet

3. Ethernet (wired) address & MAC address

4. Collision in Wireless LAN (Problem 1: Hidden station problem)

5. The data link layer is further divided into MAC and LLC sublayers

Review of Lecture 2

Lecture 3 Network layer fundamentals - Basic forwarding, IP addressing

1. In general

2. Forwarding

3. IPv4 Addressing

4. Allocate address

Lecture 4 IP

1. IPv4 & IPv6 packet

2. IPv4 & IPv6 Fragmentation

3. IPv4 header vs IPv6 header

Lecture 5 IP, ARP, more IP and ICMP

1. ARP

2. IP options (extension header)

3. ICMP

Lecture 6&7 Routing

1. In general

2. Bellman-Ford Algorithm

3. Problems in real networks and their solutions

4. Dijkstra's shortest path algorithm

6. Routing Protocols

Lecture 8&9 Transport Layer - UDP, TCP and beyond

1. In general

2. UDP

3. TCP

Lecture 10&11 Application Layer

1. In general

2. Creating network applications

3. Web and HTTP

4. Remote login - Telnet & SSH

5. Email

Lecture 12 DNS

Summary

Lecture 13 IP Configuration (assigning IP addresses)

1. BOOTP - Bootstrap Protocol

2. DHCP - Dynamic Host Configuration

3. Host Configuration - SLAAC - Stateless Autoconfiguration

4. IPv6 Autoconfiguration - Plug and Play

5. Stateful and Stateless Autoconfiguration

Lecture 14 IP Security

1. Overview

2. Encapsulation Formats

3. IPsec and IPv6

4. IKE

Lecture 15 IP Gateways

1. Firewall

2. NAT - Network Address Translation

Overall diagram


Lecture 2 Link Layer

1. Basic introduction

The data link layer is responsible for transferring datagrams between adjacent nodes over a link. (The data link layer packet is a frame; the datagram is encapsulated into a frame.)

Link addressing: MAC address

2. Collision in Ethernet

CSMA: listen before sending. Half-duplex link. It cannot avoid all collisions, because every frame has a propagation delay.

CSMA/CD: listen while sending. If a collision is detected, abort the transmission and retry.

No collision (the approach used nowadays), using bridges:

A bridge learns the location of MAC addresses by inspecting the source address field of incoming frames.

3. Ethernet (wired) address & MAC address

Both are 48-bit numbers used to uniquely identify each computer in a network. The address is usually written in hexadecimal form.

The Ethernet address is the most common form of MAC address.

4. Collision in Wireless LAN (Problem 1: Hidden station problem)

To avoid collisions (CSMA/CD cannot be used here), we use CSMA/CA.

Problem 2 (RTS and CTS cannot solve this problem):

C has to wait to send data to D until A has finished sending data to B.

5. The data link layer is further divided into MAC and LLC sublayers

The MAC sublayer connects the LLC sublayer to the physical layer below it. It receives data from the LLC sublayer, adds the MAC address and control information, adds a checksum, and passes the frame down to the physical layer.

The most important concept here is the MAC address.

Review of Lecture 2
 


Lecture 3 Network layer fundamentals - Basic forwarding, IP addressing

1. In general

End-to-end delivery of packets, independent of the underlying link layer technologies.

Connectionless (only the destination is specified, not the exact route): packets may travel along different paths and may not be received in order.

IP: implemented using unicast addresses shared between several hosts.

Direct delivery (host to host, or router to host):

– Destination and sender are connected to the same physical network

• The last delivery is always direct

– The destination address and the local interface have the same network address (use the netmask to check)

Indirect delivery (host to router, or router to router):

– From host to router or from router to router

– Destination address and forwarding table: forwarding

2. Forwarding

Three forwarding methods (No. 1, No. 2, No. 3) are shown in the slides; the last one is the one used nowadays.

3. IPv4 Addressing

(An IPv6 address is 128 bits long.)

– Address & Mask = NetID (network address)

– Address & !Mask = HostID (host address)

– Address | !Mask = Directed broadcast address

(The limited broadcast address has all bits set to 1: 255.255.255.255)

4. Allocate address

The address range runs from the network address to the broadcast address.
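The mask arithmetic and the direct/indirect delivery decision above, carried through in code; this is an added example, not code from the notes or the course, and the addresses, masks and forwarding table are constructed. The forwarding lookup does longest-prefix matching, which the slides' third method uses.

```python
"""IPv4 address arithmetic and forwarding-table lookup.

Added example (not from the lecture notes). Addresses, masks and the
forwarding table below are constructed for illustration.
"""
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
LIMITED_BROADCAST = "255.255.255.255"  # all bits set to 1; never forwarded by routers


def ip_to_int(dotted: str) -> int:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: prefix_len leading ones, the rest zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (MASK32 << (32 - prefix_len)) & MASK32


def net_id(addr: str, mask: str) -> str:
    """Address & Mask = NetID (network address)."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def host_id(addr: str, mask: str) -> str:
    """Address & !Mask = HostID (host part, shown in dotted form)."""
    return int_to_ip(ip_to_int(addr) & (~ip_to_int(mask) & MASK32))


def directed_broadcast(addr: str, mask: str) -> str:
    """Address | !Mask = directed broadcast address of that network."""
    return int_to_ip(ip_to_int(addr) | (~ip_to_int(mask) & MASK32))


def address_range(cidr: str) -> Tuple[str, str]:
    """Range allocated to a block: from the network address to the broadcast address."""
    addr, plen = cidr.split("/")
    mask = int_to_ip(prefix_to_mask(int(plen)))
    return net_id(addr, mask), directed_broadcast(addr, mask)


# Forwarding table rows: (network, prefix length, next hop, interface).
# next_hop None means the destination network is directly connected.
Route = Tuple[str, int, Optional[str], str]
FORWARDING_TABLE: List[Route] = [
    ("192.168.10.0", 24, None, "eth0"),          # directly connected LAN
    ("10.1.0.0", 16, "192.168.10.1", "eth0"),    # aggregate route
    ("10.1.5.0", 24, "192.168.10.2", "eth0"),    # more specific route
    ("0.0.0.0", 0, "192.168.10.254", "eth0"),    # default route
]


def lookup(dst: str, table: List[Route] = FORWARDING_TABLE) -> Tuple[Optional[str], str]:
    """Longest-prefix match: the most specific row whose network contains dst wins.

    Returns (next_hop, interface). next_hop None means direct delivery: the
    frame is addressed to the destination host itself; otherwise it is
    indirect delivery and the frame goes to the next-hop router.
    """
    d = ip_to_int(dst)
    best: Optional[Route] = None
    for network, plen, next_hop, iface in table:
        mask = prefix_to_mask(plen)
        if d & mask == ip_to_int(network) & mask:
            if best is None or plen > best[1]:
                best = (network, plen, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[3]


def is_direct(dst: str, iface_addr: str, iface_mask: str) -> bool:
    """Direct delivery when destination and interface share the network address."""
    return net_id(dst, iface_mask) == net_id(iface_addr, iface_mask)


if __name__ == "__main__":
    print(net_id("192.168.10.77", "255.255.255.0"), host_id("192.168.10.77", "255.255.255.0"))
    print(address_range("10.1.5.0/24"))
    for dst in ("192.168.10.50", "10.1.5.9", "10.1.6.9", "8.8.8.8"):
        print(dst, "->", lookup(dst))
```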


Reading instruction:

Ch 5,12.2,26



Lecture 4 IP

1. IPv4 & IPv6 packet

The packet contains the source and destination addresses.

IPv6 has no header length field, because the length of the base header (excluding extension headers) is fixed.

2. IPv4 & IPv6 Fragmentation

The MTU is a limit of the data link layer, but fragmentation takes place at the network layer.

Note that the UDP header is only 8 bytes long.

Flags:

– RF (Reserved Fragment) – for future use (set to 0)

– DF (Don't Fragment)

• Set to 1 if the datagram should not be fragmented.

• If set and fragmentation is needed, the datagram is discarded and an error message is returned to the sender.

– MF (More Fragments)

• Set to 1 for all fragments except the last.

In IPv6 fragmentation can only be done at the source, not at the intermediate routers.
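The IPv4 flag handling above, worked through as fragmentation and reassembly code; this is an added example, not from the notes, and the datagram, identification values and MTUs are constructed. It also covers a router fragmenting a fragment again, and the DF case where the datagram must be dropped instead.

```python
"""IPv4 fragmentation and reassembly, as described in the flags section above.

Added example, not code from the lecture notes. The datagram, identification
values and MTUs are constructed; the DF/MF flags and the 8-byte offset unit
follow the IPv4 header format.
"""
from dataclasses import dataclass
from typing import List

IPV4_HEADER_LEN = 20  # fixed header, no options


class FragmentationNeeded(Exception):
    """A router would discard the datagram and return an error to the sender."""


@dataclass
class Datagram:
    ident: int            # Identification field: copied into every fragment
    payload: bytes
    df: bool = False      # DF: Don't Fragment
    mf: bool = False      # MF: More Fragments (1 on all fragments except the last)
    offset: int = 0       # fragment offset in units of 8 bytes

    @property
    def total_length(self) -> int:
        return IPV4_HEADER_LEN + len(self.payload)


def fragment(dgram: Datagram, mtu: int) -> List[Datagram]:
    """Split dgram so that every fragment fits into mtu bytes, header included.

    All fragments except the last carry a multiple of 8 payload bytes, because
    the offset field counts 8-byte blocks. A fragment can itself be fragmented
    again by a later router: offsets add up and an inherited MF=1 is kept.
    """
    if dgram.total_length <= mtu:
        return [dgram]
    if dgram.df:
        raise FragmentationNeeded(f"DF set but {dgram.total_length} > MTU {mtu}")
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU leaves no room for payload")
    frags: List[Datagram] = []
    pos = 0
    while pos < len(dgram.payload):
        chunk = dgram.payload[pos:pos + max_payload]
        is_last = pos + len(chunk) >= len(dgram.payload)
        frags.append(Datagram(
            ident=dgram.ident,
            payload=chunk,
            df=False,
            mf=(not is_last) or dgram.mf,
            offset=dgram.offset + pos // 8,
        ))
        pos += len(chunk)
    return frags


def would_be_dropped(dgram: Datagram, mtu: int) -> bool:
    """True when DF is set and the datagram does not fit: the router must drop it
    and send an error message (ICMP) back to the sender instead of fragmenting."""
    return dgram.df and dgram.total_length > mtu


def reassemble(frags: List[Datagram]) -> bytes:
    """Rebuild the payload from fragments sharing one Identification value.

    Fragments may arrive in any order. The datagram is complete only when the
    fragment with MF=0 is present and the offsets leave no gap.
    """
    if not frags:
        raise ValueError("no fragments")
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        raise ValueError("fragments from different datagrams")
    ordered = sorted(frags, key=lambda f: f.offset)
    if ordered[-1].mf:
        raise ValueError("last fragment (MF=0) has not arrived")
    out = bytearray()
    expected = 0
    for f in ordered:
        if f.offset * 8 != expected:
            raise ValueError(f"gap before offset {f.offset}")
        out += f.payload
        expected += len(f.payload)
    return bytes(out)


if __name__ == "__main__":
    data = bytes(i % 251 for i in range(1000))   # constructed 1000-byte payload
    pieces = fragment(Datagram(ident=7, payload=data), mtu=576)
    for p in pieces:
        print(f"id={p.ident} offset={p.offset} MF={int(p.mf)} len={len(p.payload)}")
    print("reassembled ok:", reassemble(pieces) == data)
```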

3. IPv4 header vs IPv6 header

| | IPv4 | IPv6 |
| Header length | 20-60 bytes | 40 bytes |
| Header length field | present | none (header length is fixed) |
| Name of the down-counter (lifetime of every datagram; can be set, default initial value 64) | TTL (8 bits). Decremented by 1 at every router; the datagram is discarded when it reaches 0. Every router holding a datagram for more than 1 second should decrement the TTL by the number of seconds. | Hop Limit (8 bits) |
| Connection type | connectionless | connection-oriented, because of the added flow label (textbook p. 830) |

| IP network layer function | IPv4 implementation | IPv6 implementation |
| Logical addressing | locating hosts | locating hosts |
| Routing | path determination | path determination |
| Forwarding | move packets from the input to the output of the routers | same |
| Fragmentation | adaptation to the lower layer | same |
| Multiplexing/demultiplexing | many transport layer protocols | same |
| Error detection + avoidance | checksum | - |
| QoS (Quality of Service) | ToS (Type of Service): 8 bits | Traffic Class [1]: 8 bits; Flow Label: 20 bits |

[1] The flow label field allows labeling packets belonging to a particular flow for which the sender requests the same handling. A flow is identified by the source address, destination address, and a nonzero flow label, and packets belonging to a flow should be treated the same way by a router (RFC 6437).

The first 6 bits of the traffic class field hold the DiffServ Code Point (DSCP), which can be used for classifying packets in order to implement priorities. The last 2 bits are used for ECN, and serve for signaling congestion in the network (RFC 3260).

Reading instruction:

Ch 6,7,27


Lecture 5 IP, ARP, more IP and ICMP

1. ARP [2]

Given an IP address, to obtain the MAC address: ARP (Address Resolution Protocol)

Given a name (a domain name such as kth.se), to obtain the IP address: DNS

Note that the result of this process is stored in a cache, so when the next datagram is sent there is no need for another ARP request (broadcast) and ARP reply (unicast).

[2] Address resolution methods include:

(for IPv4: Address Resolution Protocol – ARP, covered in this part)

(for IPv6: Neighbor Discovery Protocol – ICMPv6, covered separately under 3. ICMP)

Proxy ARP

2. IP options (extension header)

| | IPv4 | IPv6 |
| Purpose | Control, testing and debugging of the network functionality | same |
| Length | Max 40 bytes [3] (the maximum header length is 60 bytes in IPv4) | No limitations [4] |
| Option types | End of option; No operation; Loose source route [5]; Timestamp; Record route; Strict source route | Hop-by-hop options (Pad1, PadN, jumbo payload: used when the source needs to pass information to all routers the datagram traverses, e.g. if the length of the datagram is more than the usual 65535 bytes); Routing; Fragment; Authentication Header; Encapsulating Security Payload; Destination options |

Comparison: IPv4 fragmentation is implemented in the fixed header.

[3] The header of the IP datagram is made of two parts: a fixed part and a variable part. The fixed part is 20 bytes long and was discussed in the previous section. The variable part comprises the options, which can be a maximum of 40 bytes.

[4] The length of the base header is fixed at 40 bytes. However, to give more functionality to the IP datagram, the base header can be followed by up to six extension headers.

[5] On source routing: the route a datagram takes through the Internet is specified in advance. There are two kinds, strict and loose.

– Strict Source Routing (SSRR)

• The path is exactly as specified: only the routers listed by the sender may be visited. If another router is reached, that router discards the datagram and sends an error message.

– Loose Source Routing (LSRR)

• The path includes the specified addresses: the routers listed by the sender must be visited, but other routers may be visited as well.

Source route: when it comes in handy

• Troubleshooting

– Figure out from point "A" why machines "B" and "C" cannot communicate

• Mapping the network

– Used with traceroute in order to find all the routes between two points on the network

• Performance

– Force an alternate link to avoid congesting the correct routes w/o changing the forwarding tables (management)

– Create independent paths for MDC or FEC

• Hacking

– Can send packets to a host via a trusted third party

• Normally disabled in routers…

3. ICMP

(ICMP belongs to neither TCP nor UDP.)

Reading instruction:

Ch 7-9, 27, 28  

 


Lecture 6&7 Routing

1. In general

• Problem

– Find the best path from router to host

• Typically based on shortest path algorithms (from graph theory)

• Bellman-Ford algorithm

– Used by distance-vector protocols (RIP, IGRP, BGP)

• Dijkstra's algorithm

– Used by link-state protocols (OSPF, popular among organizations; IS-IS, popular among operators)

2. Bellman-Ford Algorithm

Distance-vector = (destination, metric, next-hop) [the metric is a measure of the cost]

Path-vector = (destination, path, next-hop)

3. Problems in real networks and their solutions

(Worked through in the figures from my notebook.)

4. Dijkstra's shortest path algorithm

Example: (worked through in the figures.)
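Both algorithms from sections 2 and 4 run on one constructed topology; this is an added example, not code from the notes or the course. The distance-vector part uses RIP's conventions (hop count, 16 = unreachable, see section 6) and returns (metric, next-hop) entries; the link-state part runs Dijkstra over the full link-cost map.

```python
"""Distance-vector (Bellman-Ford) and link-state (Dijkstra) routing on one topology.

Added example, not from the lecture notes. The topology is constructed. The
distance-vector part follows RIP conventions (hop-count metric, 16 = infinity);
the link-state part runs Dijkstra over the full map of link costs and yields
(cost, next-hop) entries, i.e. the shortest-path tree from one router.
"""
import heapq
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # RIP: a metric of 16 means "unreachable"

# Constructed link-state database: (router, router, link cost).
LINKS: List[Tuple[str, str, int]] = [
    ("A", "B", 1), ("A", "C", 5), ("B", "C", 2),
    ("B", "D", 4), ("C", "D", 1), ("D", "E", 3),
]

Entry = Tuple[int, Optional[str]]  # (metric, next-hop); next-hop None = self


def adjacency(links: List[Tuple[str, str, int]]) -> Dict[str, Dict[str, int]]:
    adj: Dict[str, Dict[str, int]] = {}
    for u, v, cost in links:
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def distance_vector(links: List[Tuple[str, str, int]],
                    max_rounds: int = 32) -> Dict[str, Dict[str, Entry]]:
    """Bellman-Ford as a distance-vector protocol: in each round every router
    takes each neighbour's vector (destination, metric) and keeps, per
    destination, the smallest metric + 1 hop, remembering that neighbour as
    next-hop. Stops when a round changes nothing (convergence)."""
    adj = adjacency(links)
    tables: Dict[str, Dict[str, Entry]] = {r: {r: (0, None)} for r in adj}
    for _ in range(max_rounds):
        changed = False
        for router in adj:
            for nb in adj[router]:
                for dst, (metric, _next) in list(tables[nb].items()):
                    candidate = min(metric + 1, INFINITY)
                    current = tables[router].get(dst, (INFINITY, None))
                    if candidate < current[0]:
                        tables[router][dst] = (candidate, nb)
                        changed = True
        if not changed:
            break
    return tables


def route_to(tables: Dict[str, Dict[str, Entry]], router: str, dst: str) -> Entry:
    """What a RIP router reports: unknown destinations are at metric 16."""
    return tables[router].get(dst, (INFINITY, None))


def dijkstra(links: List[Tuple[str, str, int]], source: str) -> Dict[str, Entry]:
    """Link-state routing: every router has the whole map, so it computes the
    shortest-path tree itself using the real link costs, not hop counts."""
    adj = adjacency(links)
    cost: Dict[str, int] = {source: 0}
    first_hop: Dict[str, Optional[str]] = {source: None}
    done = set()
    heap: List[Tuple[int, str]] = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, w in adj[u].items():
            if d + w < cost.get(v, float("inf")):
                cost[v] = d + w
                # first hop on the path to v: v itself when u is the source,
                # otherwise the same first hop that reaches u
                first_hop[v] = v if u == source else first_hop[u]
                heapq.heappush(heap, (d + w, v))
    return {v: (cost[v], first_hop[v]) for v in cost}


if __name__ == "__main__":
    dv = distance_vector(LINKS)
    print("A (distance-vector, hop count):", dv["A"])
    print("A (link-state, link costs):   ", dijkstra(LINKS, "A"))
```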

6. Routing Protocols

1) RIP

• Metric: hop count (1: directly connected, 16: infinity)

• Supports networks with diameter ≤ 15

• Timeout timer (purges routes that are not refreshed)

• Messages carried in UDP datagrams

– Broadcast (RIP-1)

– IP Multicast (RIP-2): 224.0.0.9

– IPv6 Multicast (RIPng): FF02::9

2) Open Shortest Path First protocol (OSPF): better suited than RIP to somewhat larger networks

Unlike RIP and BGP, OSPF does not use TCP or UDP; it is carried directly on top of IP.

• Metric: arbitrary (often related to link speed, inversely proportional)

• Scaling achieved through hierarchy

- Every network segment has 1 designated router (+1 backup) – DR, BDR (one DR per segment)

- AS split into areas – Dijkstra is run per area

• Messages carried directly on top of IP

- IP Multicast: 224.0.0.5

- IPv6 Multicast: FF02::5

• OSPF protocol components

(1) Hello protocol

- Detection of neighboring routers

- Election of designated router (and backup) → adjacency

(2) Exchange protocol

- Exchange link-state between adjacent routers

(3) Reliable flooding

- When links change/age: send update to adjacent routers and flood recursively

(4) Shortest path calculation

- Compute shortest path tree to all destinations using Dijkstra's algorithm

Important example (in the slides) [6]

[6] LSA: link state advertisement

3) Inter-domain

Autonomous Systems (AS): an AS is a set of routers. Every AS has an AS number.

In the example figure, AS7 is a customer of AS3 and has to pay AS3.

4) Border Gateway Protocol (BGP) v4

Path-vector routing protocol (unlike the two earlier kinds, link-state and distance-vector)

• Path vector consists of AS:s, not IP addresses

– Hides internal structure in the domains

– Loop detection only on AS-numbers!

– Example: <dst: 10.1.10/24, path: AS1:AS3:AS5, nexthop: 10.2.3.4>

• Used between domains (AS:s)

• Views the Internet as a collection of AS:s

• Supports the destination-based forwarding paradigm

– Other relations are not expressed: sources, ToS, link load

• Uses TCP for data transmission between BGP peers

• Tags destinations with path attributes

• Describe different properties of the destination (e.g., preferences)

• Can express and enforce policy decisions at AS level

Reading instruction:

Chapter 11: Unicast routing protocols

11.6 OSPF: Skip detailed packet descriptions

11.8 BGP: Skip detailed packet descriptions  


Lecture 8&9 Transport Layer - UDP, TCP and beyond

1. In general

Purpose: logical process-to-process communication

Comparison with the IP layer:

| IP | UDP | TCP |
| connectionless (only the destination is specified) | connectionless | connection-oriented (the route is specified) |
| unreliable | unreliable | reliable |
| message-oriented (the whole packet is delivered together: all or nothing) | message-oriented | byte-stream oriented (the unit of transmission is the byte, and bytes arrive in order) |
| | | full-duplex |

2. UDP

△ UDP data delivery is based on: receiver port number and receiver IP address.

△ UDP checksum: optional in IPv4, mandatory in IPv6 (IPv6 has no checksum at the IP layer)

△ Pseudo-header: to double-check

△ Maximum UDP segment size

• Theoretical limit

– IPv4: 65,507 bytes of payload

• 65,535 bytes (IPv4) - 20 bytes IP header - 8 bytes UDP header

– IPv6: 65,527 bytes of payload

• 65,535 bytes payload - 8 bytes UDP header
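The UDP checksum over the pseudo-header, and the payload limits just computed, as an added example that is not code from the notes or the course; addresses, ports and payload are constructed. It covers both the IPv4 rule (checksum 0 means "none") and the IPv6 rule (checksum mandatory).

```python
"""UDP checksum over the pseudo-header, and the payload limits given above.

Added example, not from the lecture notes. Addresses, ports and payload are
constructed. The pseudo-header (source and destination IP, protocol number
17, UDP length) is included in the checksum but never transmitted, so a
segment that reaches the wrong host fails verification.
"""
import struct

UDP_HEADER_LEN = 8
IPPROTO_UDP = 17


def max_udp_payload(ipv6: bool) -> int:
    """IPv4: 65,535 - 20-byte IP header - 8-byte UDP header; IPv6: 65,535 payload - 8."""
    return 65535 - 8 if ipv6 else 65535 - 20 - 8


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    if len(src_ip) == 4:  # IPv4 pseudo-header: 12 bytes
        return src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_length)
    # IPv6 pseudo-header: 16 + 16 + 32-bit length + 3 zero bytes + next header
    return src_ip + dst_ip + struct.pack("!I", udp_length) + b"\x00\x00\x00" + bytes([IPPROTO_UDP])


def udp_checksum(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int, payload: bytes) -> int:
    udp_length = UDP_HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, udp_length, 0)  # checksum field zeroed
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, udp_length) + header + payload)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF  # 0 means "no checksum", so a computed 0 is sent as 0xFFFF


def build_udp(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int, payload: bytes) -> bytes:
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)
    return struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(payload), csum) + payload


def verify_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: summing pseudo-header + segment (checksum included) must give 0xFFFF.

    A zero checksum means the sender skipped it: allowed over IPv4, never over IPv6.
    """
    if len(segment) < UDP_HEADER_LEN:
        return False
    _sp, _dp, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length != len(segment):
        return False
    if csum == 0:
        return len(src_ip) == 4
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    seg = build_udp(src, dst, 3345, 53, b"hello")
    print("checksum 0x%04x, valid: %s" % (struct.unpack("!H", seg[6:8])[0], verify_udp(src, dst, seg)))
    print("delivered to wrong host:", verify_udp(src, bytes([10, 0, 0, 3]), seg))
```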

3. TCP

△ TCP service model

1) Connection-oriented – a virtual circuit [7]

2) Between exactly two end-points – broadcast and multicast cannot use TCP (use UDP)

3) Full duplex

4) Reliable and in-order – delivery is not guaranteed, but reception is known

5) Byte stream service

– A stream of 8-bit bytes is transmitted over the TCP connection

– No record markers are inserted by TCP

[7] A virtual circuit (VC), also called a virtual connection or virtual channel, is one of the ways of transferring data over a packet-switched computer network. It is a connection-oriented, or circuit-switched-style, data transfer method in which a connection is established between two end systems for exchanging data.

△ TCP service functions

1) Multiplexing/Demultiplexing [8]

• TCP connection identification (UDP does not need the sender's IP address and port number)

– Sender IP address and port number

– Receiver IP address and port number

2) Segmentation - byte stream to segment translation [9]

Try to send segments as large as possible (MSS):

• The largest chunk of data TCP will send to the other side

– Can be announced in the options field of the TCP header during connection establishment

• If not announced, a default value is assumed

– 576-byte host MTU requirement in IPv4: 536 bytes

– 1280-byte MTU requirement in IPv6: 1220 bytes

• A large MSS means

– Less overhead [10] (headers)

– Fewer segments to take care of (will see later)

• Until fragmentation occurs (Path MTU discovery)

– Potentially more delay

3) Error control - reliable transmission over an unreliable channel

– Noise → bit error → packet corruption → packet drop

– Congestion → packet drop

[8] Whenever an entity accepts items from more than one source, it is referred to as multiplexing (many to one); whenever an entity delivers items to more than one source, it is referred to as demultiplexing (one to many).

[9] The IP layer, as a service provider for TCP, needs to send data in packets, not as a stream of bytes. At the transport layer, TCP groups a number of bytes together into a packet called a segment. TCP adds a header to each segment (for control purposes) and delivers the segment to the IP layer for transmission. The segments are encapsulated in IP datagrams and transmitted.

Note that segments are not necessarily all the same size.

[10] The typical TCP header is 20 bytes, and the typical IPv4 header is also 20 bytes, so in this case the overhead is TCP + IP = 40 bytes.

Three flavors:

① Stop-and-wait [11]

Both the sender and the receiver use a sliding window of size 1. There are only two sequence numbers.

In the figures, the sequence number is the "seq no" and the acknowledgment number is the "ACK no".

[11] A flow-control method in which each data unit must be acknowledged before the next one can be sent.

The drawback of this method is its very low utilization (especially when the bandwidth-delay product is large).

② Go-Back-N

Several segments can be sent before an ACK is received, but the receiver can buffer only one segment. The sender keeps a copy of every transmitted segment until its ACK arrives.

With m-bit sequence numbers there are 2^m values, so a sequence number can only take values in the range 0 to 2^m-1.

The sliding send window [12]: its maximum size is 2^m-1.

[12] The send window is an abstract concept defining an imaginary box of maximum size = 2^m-1 with three variables: S_f (the first outstanding segment, i.e. the first awaiting acknowledgment), S_n (the next segment to send), and S_size (the window size).

In the example figures, m=3 (the counter).

③ Selective Repeat

(Worked through in the figures.)

④ Summary of the three flavors

| | Send window (max) | Receive window (max) | Sequence numbers | Timer |
| Stop-and-wait | 1 | 1 | 0~1 | |
| Go-Back-N | 2^m-1 | 1 | 0~2^m-1 | all outstanding segments share one timer |
| Selective Repeat | 2^(m-1) | 2^(m-1) | 0~2^m-1 | one separate timer per outstanding segment |
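The Go-Back-N and Selective Repeat flavors from the table above, simulated over a channel that loses chosen transmissions; this is an added example, not code from the notes or the course, and the data and loss pattern are constructed. It shows concretely why the receive window of 1 in Go-Back-N costs extra retransmissions after a single loss.

```python
"""Go-Back-N and Selective Repeat with m-bit sequence numbers.

Added example, not from the lecture notes. It simulates one sender and one
receiver over a constructed channel that loses chosen transmissions, and
counts how many transmissions each flavor needs: the receiver with a window
of 1 (Go-Back-N) discards everything after a loss, while Selective Repeat
buffers it. `lost` holds the 1-based transmission numbers the channel drops.
"""
from typing import Dict, List, Set


def seq_no(index: int, m: int) -> int:
    """Sequence numbers are m bits wide, so they wrap around modulo 2^m."""
    return index % (2 ** m)


def max_send_window(flavor: str, m: int) -> int:
    """Send window limits from the summary table above."""
    return {"stop-and-wait": 1, "go-back-n": 2 ** m - 1,
            "selective-repeat": 2 ** (m - 1)}[flavor]


def go_back_n(data: List[str], m: int, lost: Set[int]) -> Dict[str, object]:
    """Sender may have up to 2^m - 1 segments outstanding; the receiver accepts
    only the segment it expects next (receive window 1) and sends cumulative ACKs."""
    window = max_send_window("go-back-n", m)
    s_f = s_n = r_n = 0          # first outstanding, next to send, next expected
    delivered: List[str] = []
    tx = 0
    while s_f < len(data):
        burst = []
        while s_n < len(data) and s_n - s_f < window:
            tx += 1
            burst.append((s_n, tx))
            s_n += 1
        for idx, tx_no in burst:
            if tx_no in lost:
                continue                     # dropped by the channel
            if idx == r_n:                   # in order: accept and ACK
                delivered.append(data[idx])
                r_n += 1
            # out of order: discarded, the receiver cannot buffer it
        s_f = s_n = r_n   # cumulative ACK r_n; on timeout, resend from s_f
    return {"delivered": delivered, "transmissions": tx}


def selective_repeat(data: List[str], m: int, lost: Set[int]) -> Dict[str, object]:
    """Both windows are 2^(m-1); the receiver buffers out-of-order segments and
    acknowledges each one, so the sender resends only what was actually lost."""
    window = max_send_window("selective-repeat", m)
    s_f = r_n = 0
    acked: Set[int] = set()
    buffered: Dict[int, str] = {}
    delivered: List[str] = []
    tx = 0
    while s_f < len(data):
        # (re)send every unacknowledged segment inside the send window; each
        # outstanding segment has its own timer, so only these are resent
        for idx in range(s_f, min(len(data), s_f + window)):
            if idx in acked:
                continue
            tx += 1
            if tx in lost:
                continue
            buffered[idx] = data[idx]         # always inside the receive window here
            acked.add(idx)
            while r_n in buffered:            # deliver in order once the gap closes
                delivered.append(buffered.pop(r_n))
                r_n += 1
        while s_f in acked:
            s_f += 1
    return {"delivered": delivered, "transmissions": tx}


if __name__ == "__main__":
    segments = [f"S{i}" for i in range(8)]     # constructed data, m = 3
    for name, fn in (("Go-Back-N", go_back_n), ("Selective Repeat", selective_repeat)):
        result = fn(segments, 3, {3})          # the third transmission is lost
        print(f"{name}: {result['transmissions']} transmissions for {len(segments)} segments")
```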

△ Retransmission Time-Out (RTO) – time to wait for the ACK of a segment

(Not a fixed number.)

△ Karn's Algorithm

(See the figure.)

4) Flow control - adapt to the receiver's capabilities

• Ensure that the receiver does not get overwhelmed with data sent by the sender

• TCP uses a sliding window protocol

△ Delayed acknowledgements [13]

Advantages:

1. ACK traffic is reduced

2. Increased chance that data can be piggy-backed on the ACK (when one side sends data, the same packet also carries the ACK for the other side)

△ Persistence Timer

△ Solutions to the Silly Window Syndrome

When the sender is slow: (see the figures)

When the receiver is slow: (see the figure)

△ Bandwidth-Delay Product

• The "capacity" of the "pipe"

capacity (bits) = bandwidth (bits/sec) x RTT (sec)

• The receiver's advertised window should be higher

△ TCP Bulk Data Flow

5) Connection management - establishment/tear down

△ TCP connection establishment

△ Keepalive Timer - avoids TCP connections that exist forever

△ TCP connection teardown

△ Time-Wait Timer - connection termination [14]

[14] FIN is a TCP flag which means that the sender has finished sending data

Summary: TCP's various timers (see the figure)

6) Congestion control - adapt to network conditions

The window size must depend on the network's state as well!

△ Slow Start & Congestion Avoidance

△ TCP Header

20 bytes fixed + 20 bytes optional

The TCP checksum is mandatory (the UDP checksum is not).

Reading instruction:

Ch 13,14,15.1-15.4  


Lecture 10&11 Application Layer

1. In general

Applications run on end-systems only

Possible structures of applications:

- Client-server

| Server | Client |
| Always on | May be intermittently connected |
| At a permanent, well-known location (for instance, an HTTP server is at port 80 by default) | May have dynamic IP addresses |
| Can service many clients | "Ephemeral" ports (short-lived, dynamically allocated ports) |

- Peer-to-peer (P2P)

• No always-on server

• Peers request service from other peers, and provide service in return to other peers

2. Creating network applications

Sequential server vs. concurrent server (see the figures).

3. Web and HTTP

HTTP: hypertext transfer protocol, the Web's application layer protocol

△ Client/server model (client: browser, server: Web server)

△ Uses TCP; the steps are:

• client initiates a TCP connection (creates a socket) to the server, port 80

• server accepts the TCP connection from the client

• HTTP messages (application layer protocol messages) are exchanged between the browser (HTTP client) and the Web server (HTTP server)

• TCP connection closed

△ HTTP is stateless

• Request/response

• Server maintains no information about past client requests

△ HTTP response status codes

The status code appears in the first line of the server-to-client response message. Some sample codes:

200 OK - request succeeded, requested object later in this response

301 Moved Permanently - requested object moved, new location specified later in this response (Location:)

400 Bad Request - request not understood by server

404 Not Found - requested document not found on this server

505 HTTP Version Not Supported

△ TCP connection strategies

| Non-persistent connection | Persistent connection |
| One TCP connection per HTTP transaction | 1. Reuse the same TCP connection for multiple HTTP transactions (default as of HTTP 1.1). 2. How long should the connection be left open? It occupies server resources; controlled by the "Keep-Alive" header |

△ HTTP cookies

△ Web caches (proxy server)

4. Remote login - Telnet & SSH

1) Telnet remote login

2) SSH – Secure Shell

• Telnet is considered insecure

- No encryption – eavesdropping

- No authentication of client/server

• SSH

- Encryption and authentication

- Creates a secure (encrypted and authenticated) channel over TCP

- Default port 22

3) Port forwarding

5. Email

Case 1. When the sender and the receiver of an e-mail are on the same mail server, we need only two user agents [15].

[15] User Agent - program to create and read e-mail

- Examples: Outlook, OS X Mail, Thunderbird, Kmail, Envelope, ...

Case 2. When the sender and the receiver of an e-mail are on different mail servers, we need two UAs and a pair of MTAs (client and server).

Case 3. When the sender is connected to the mail server via a LAN or a WAN, we need two UAs and two pairs of MTAs (client and server).

Case 4. When both sender and receiver are connected to the mail server via a LAN or a WAN, we need two UAs, two pairs of MTAs (client and server), and a pair of MAAs (client and server). This is the most common situation today.

Push and pull use different protocols:

Push: SMTP. Pull: POP, IMAP.

a. SMTP

SMTP requires the message (header & body) to be in 7-bit ASCII

b. Mail access protocols

Lecture 12 DNS

- One name can map to several addresses

- One address can have several names

[16] TLD: a top-level domain (TLD) is the highest level of domain in the hierarchical DNS; it is held in the name space of the DNS root domain. The top-level domain is the last part of a domain name, i.e. the letters after the last dot; for example, in the domain name example.com the top-level domain is .com (or .COM), case being ignored.

[17] Having multiple name servers is for redundancy. When an organization has multiple name servers, there is one primary server and several secondary servers. The zone file is updated on the primary server, and then the updates are transferred automatically to the secondaries through "zone transfers".

• If the client requests recursion, and the server agrees, the server resolves the name for the client

-- Through iterative resolution

• Otherwise the server sends back whatever information it has about the name

-- Typically the name of the server to contact (but not necessarily)

• Normally, only resolvers agree to recursion

Querying tool: dig (domain information groper)

Summary

• Domain name space organized in a hierarchy

- Generic domains, country domains, inverse domain

• Database distributed over name servers

- Root servers, TLD servers, authoritative servers

• Resolver performs (iterative) resolution on behalf of clients

• Name servers are responsible for zones

- Responsibilities are distributed through delegations

• Supports different kinds of queries

- A, AAAA, NS, PTR, MX, …

• BIND DNS software

- Zone file definitions


Lecture 13 IP Configuration (assigning IP addresses)

Automating IP configuration (stateless vs. stateful came up earlier too, with HTTP and its cookies!)

• BOOTP (Bootstrap Protocol)

- Static, stateful, client-server

• DHCP (Dynamic Host Configuration Protocol)

- Dynamic, stateful, client-server

• SLAAC (Stateless Address Autoconfiguration)

- Dynamic, stateless

- RFC 4862: IPv6 Stateless Address Autoconfiguration

• Zeroconf

- Autoconfiguration completely without servers?

△ RARP - Reverse ARP

1. BOOTP - Bootstrap Protocol

2. DHCP - Dynamic Host Configuration

The client has neither its own IP address nor the server's. How do we then address Request/Reply?

DHCP, the important points: (see the figure)

If the DHCP client and server are on different networks, a relay agent is needed.

DHCP scenario:

The transaction ID should be the same value for all four messages.

Discover -- Offer -- Request -- ACK

3. Host Configuration - SLAAC - Stateless [18] Autoconfiguration

SLAAC vs DHCP

• Unfortunately, SLAAC messages contain only limited information

- Prefixes and router address

• Hosts often need other configuration information

- E.g., DNS server, time server, printer server

• For these, we still need DHCP servers

- The good news is that we can use SLAAC for setting up the IP address, and use stateless DHCP for everything else

[18] The server keeps no state about hosts, only non-host state

4. IPv6 Autoconfiguration [19] - Plug and Play

• Idea: automatically discover the parameters used to connect to the Internet

- Address, netmask, router, nameserver, ...

• Two scenarios: stateless and stateful

In IPv6 stateless autoconfiguration, the client can create an IP address based on its MAC address instead of requesting one from a DHCP server.

① Advantage: a MAC-derived IPv6 address is a straightforward way to generate a unique IP address automatically, and L3/L2 address translation can be done locally by the sender (no ARP needed).

② Problem: the MAC address reveals information about the interface card (its L2 and L3 addresses, its name), such as the identity and vendor of the interface card, so that e.g. potential bugs could be exploited.

③ Solution: IPv6 privacy extensions solve this problem by using a randomly assigned interface ID instead; this number can change over time (temporary address). In this case ARP is needed again.

[19] One of the interesting features of IPv6 addressing is the autoconfiguration of hosts. As we discussed in IPv4, the host and routers are originally configured manually by the network manager. However, the Dynamic Host Configuration Protocol, DHCP, can be used to allocate an IPv4 address to a host that joins the network. In IPv6, the DHCP protocol can still be used to allocate an IPv6 address to a host, but a host can also configure itself.

 

5. Stateful and Stateless Autoconfiguration

| Stateless autoconf | Stateful autoconf |
| - Small networks | - Larger networks |
| - Nodes can start communicating directly | - Centralized management |

Combination: stateless DHCP

[DHCP itself is stateful]


Lecture 14 IP Security

1. Overview

• Authenticated keying

– Internet Key Exchange (IKE)

• Data encapsulation

– ESP: IP Encapsulating Security Payload (RFC 4303)

– AH: IP Authentication Header (RFC 4302)

• Security architecture (RFC 4301)

– Tunnel/transport mode

– Databases (Security Association, Policy, Peer Authorization)

• AH and ESP rely on an existing security association

– Idea: parties must share a set of secret keys and agree on each other's IP addresses and crypto algorithms

• Internet Key Exchange (IKE)

– Goal: establish security associations for AH and ESP

– If IKE is broken, AH and ESP provide no protection!

△ IPsec modes

• Transport mode

– Used to deliver services from host to host or from host to gateway

– Usually within the same network, but can also be end-to-end across networks

• Tunnel mode [20]

– Used to deliver services from gateway to gateway or from host to gateway

– Usually gateways owned by the same organization (with an insecure network in the middle)

IPsec protects communication on the insecure part of the network.

[20] Tunnel mode's typical application: virtual private network (VPN, usually implemented with ESP)

Comparison of the two modes:

| Transport | secures the packet payload and leaves the IP header unchanged (only the payload is protected) |
| Tunnel | encapsulates both the IP header and the payload securely into IPsec packets (IP header + payload) |

△ Security Association (SA)

• One-way sender-recipient relationship

– Manually configured or negotiated through IKE

• The SA determines how packets are processed

– Cryptographic algorithms, keys, AH/ESP, lifetimes, sequence numbers, mode (transport or tunnel)

• An SA is uniquely identified by {SPI, dst IP addr, flag}

– SPI: Security Parameter Index

• Chosen by the destination (unless the traffic is multicast...)

– Flag: ESP or AH

– Each IPsec implementation keeps a database of SAs

– The SPI is sent with the packet and tells the recipient which SA to use

2. Encapsulation Formats

1) AH

– Authentication Header

– Provides integrity

Only in transport mode (see the figure).

2) ESP

– Encapsulating Security Payload

– Provides integrity and/or privacy

Can work in transport mode (the original IP header is not encapsulated)…

…or in tunnel mode (problem with NAT).

!!! Tunnel mode can be problematic together with NAT

• If we set up a tunnel between our host and a public gateway, it won't work:

– Our private addresses will be in the original IP header

• It is OK to set up a tunnel between our host and a private intranet:

– Private intranet addresses will be in the original IP header

– The new IP header will contain our home private address, which will be translated by the NAT

3. IPsec and IPv6

IPsec is a mandatory component of IPv6.

Extension headers are used for IPsec.

IPsec tunnel mode in IPv6: (see the figure)

4. IKE

• Internet Key Exchange - setting up the SAs for IPsec (ESP and AH SAs)

• Use the IKE protocol to do mutual authentication and to create a session key

– Use Diffie-Hellman to derive a shared symmetric key

△ Diffie-Hellman

• For IKE to use Diffie-Hellman we need to add

– Cookies for protection against denial-of-service attacks

The cookies should be stateless, so "Bob" doesn't have to keep track of all the cookies he sent.

– Nonces to ensure against replay attacks

△ IKE phases

• Phase 1

– Do mutual authentication and establish IKE session keys

– Sets up the "main" SA (or IKE SA)

• Phase 2

– Set up one or more IPsec SAs (child SAs) between the nodes using the keys derived in phase 1

• Why two phases?

– Mutual authentication is expensive

– If multiple SAs are needed or if SA parameters need to be changed, this can be done without repeating mutual authentication

After adding cookies and nonces: (see the figures)
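The Diffie-Hellman exchange with stateless cookies and nonces described above, as an added example; it is not code from the notes or the course and not IKE's wire format. The group is a toy prime, the cookie is an HMAC under a secret only the responder holds (one standard way to make "Bob" stateless), and the key derivation is a simplified stand-in for IKE's PRF; all of these are assumptions of the example.

```python
"""Stateless cookies, nonces and Diffie-Hellman in an IKE-style exchange.

Added example, not from the lecture notes and not IKE's wire format. The DH
group is a toy prime (far too small for real use, chosen so the numbers stay
readable); the cookie is an HMAC over the initiator's address and cookie under
a secret only the responder knows, which gives the "stateless" property
described above; the key-derivation step is a simplified stand-in for IKE's PRF.
"""
import hashlib
import hmac
import secrets
from typing import Dict

P = 2**127 - 1   # Mersenne prime: TOY group only
G = 5


class Responder:
    """'Bob': remembers one rotating secret instead of every cookie he sent."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def rotate_secret(self) -> None:
        """Periodic rotation: cookies issued under the old secret stop verifying."""
        self.secret = secrets.token_bytes(32)

    def make_cookie(self, initiator_addr: str, cookie_i: bytes) -> bytes:
        msg = initiator_addr.encode() + cookie_i
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def check_cookie(self, initiator_addr: str, cookie_i: bytes, cookie_r: bytes) -> bool:
        """Recompute and compare in constant time; no per-peer state is needed.
        A request sent from a spoofed source address never received cookie_r,
        so it cannot pass this check and never costs Bob a DH exponentiation."""
        expected = self.make_cookie(initiator_addr, cookie_i)
        return hmac.compare_digest(expected, cookie_r)


def dh_private() -> int:
    return secrets.randbelow(P - 2) + 1          # 1 .. P-2


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    if not 1 < peer_public < P - 1:
        raise ValueError("rejecting degenerate public value")
    return pow(peer_public, private, P)


def session_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Both nonces go into the key, so a replayed DH value yields a different key."""
    material = shared.to_bytes(16, "big") + nonce_i + nonce_r
    return hmac.new(b"toy-ike-prf", material, hashlib.sha256).digest()


def phase1(initiator_addr: str, bob: Responder) -> Dict[str, object]:
    """Message flow: cookies first, then DH values and nonces. Returns both keys."""
    cookie_i = secrets.token_bytes(8)
    # 1. Alice -> Bob: cookie_i            2. Bob -> Alice: cookie_r (stateless)
    cookie_r = bob.make_cookie(initiator_addr, cookie_i)
    # 3. Alice -> Bob: cookie_i, cookie_r, g^a, Na  (Bob checks the cookie first)
    a, nonce_i = dh_private(), secrets.token_bytes(16)
    if not bob.check_cookie(initiator_addr, cookie_i, cookie_r):
        raise PermissionError("bad cookie: no DH work done")
    b, nonce_r = dh_private(), secrets.token_bytes(16)
    # 4. Bob -> Alice: g^b, Nb; both sides now derive the same key
    key_alice = session_key(dh_shared(dh_public(b), a), nonce_i, nonce_r)
    key_bob = session_key(dh_shared(dh_public(a), b), nonce_i, nonce_r)
    return {"alice": key_alice, "bob": key_bob, "cookie_i": cookie_i, "cookie_r": cookie_r}


if __name__ == "__main__":
    bob = Responder()
    result = phase1("192.0.2.10", bob)       # constructed initiator address
    print("keys match:", result["alice"] == result["bob"])
    print("cookie from another address accepted:",
          bob.check_cookie("198.51.100.7", result["cookie_i"], result["cookie_r"]))
```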


Lecture 15 IP Gateways

This chapter first introduces what a gateway is:

A machine that sits between two interconnected networks and relays traffic between them.

Traffic cannot flow between the two networks without the assistance of the gateway.

Conclusion: a router is a network layer gateway

– But we can have other types of gateways, both at the network layer and elsewhere

What special functions do gateways have?

1. Connecting networks with incompatible address systems, for example:

• IPv4 and IPv6 ---- IPv4/IPv6 gateways (not a focus here)

• Two IPv4 networks with independent address domains ----- NAT

2. Restricting what traffic flows between two networks ----- firewall

• Protective purposes

3. Redirecting traffic, possibly tunneling it

• Mobility, VPNs, IPsec tunnels etc.

1. Firewall

Isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

△ Firewall locations in the network

• Between the internal LAN and the external network

• At the gateways of sensitive subnetworks within the organizational LAN

- Payroll's network must be protected separately within the corporate network

• On end-user machines

- "Personal firewall"

- Microsoft's Internet Connection Firewall (ICF)

△ Firewall types

(See the figures.)

Two default policies:

• Default = discard

- whatever is not explicitly permitted is prohibited

• Default = forward

- whatever is not explicitly prohibited is permitted

• Default = discard is more conservative

Comparison:

• A packet filter can do its job without requiring software changes in the communicating nodes

- Allowed conversations proceed normally (in most cases)

• An application level gateway is visible to the users

- Need to connect to the gateway

• An application level gateway can be more powerful than packet filters, e.g. it can look at data inside email messages

- The gateway is application-aware
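A packet filter evaluated under the two default policies above; this is an added example, not code from the notes or the course, and the rule set, addresses and packets are constructed. The same rules give different answers for traffic nobody wrote a rule for, which is the whole difference between the two policies.

```python
"""Packet-filter rules under the two default policies above.

Added example, not from the lecture notes. The rule set, addresses and packets
are constructed. Traffic with no matching rule is dropped under default =
discard and let through under default = forward, which is why default =
discard is the conservative choice.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "forward" or "discard"
    proto: Optional[str] = None      # None = any protocol
    src: Optional[str] = None        # CIDR prefix, None = any source
    dst: Optional[str] = None        # CIDR prefix, None = any destination
    dport: Optional[int] = None      # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True


# Inbound rules on the gateway of a constructed internal LAN 192.168.10.0/24.
RULES: List[Rule] = [
    Rule("forward", proto="tcp", dst="192.168.10.0/24", dport=80),   # public web server
    Rule("forward", proto="tcp", dst="192.168.10.0/24", dport=25),   # mail server
    Rule("discard", proto="tcp", dst="192.168.10.0/24", dport=23),   # telnet: explicitly prohibited
]


def decide(pkt: Packet, rules: List[Rule], default: str) -> str:
    """First matching rule wins; with no match, the default policy decides."""
    if default not in ("forward", "discard"):
        raise ValueError("default must be 'forward' or 'discard'")
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


if __name__ == "__main__":
    ssh = Packet("tcp", "203.0.113.5", "192.168.10.8", 22)   # no rule mentions port 22
    for policy in ("discard", "forward"):
        print(f"default = {policy}: ssh -> {decide(ssh, RULES, policy)}")
```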

2. NAT - Network Address Translation

The hosts of the local network (on the right of the figure) are represented by different ports of the single address 138.76.29.7.

The addresses 10.0.0.1 to 10.0.0.4 can be reused in other local networks, whereas 138.76.29.7 is unique.

Example: assume that host 10.0.0.1 on a private network (10.0.0.0/24) sends an HTTP request through its NAT box to a web server at address 128.119.40.186, and that this web server answers with an HTTP response back to the host.

1) Port 80 is the web server's default HTTP port and is fixed; port 3345 on 10.0.0.1 is not fixed.

2) In the end, 138.76.29.7 port 5001 is assigned to 10.0.0.2. (5001 is not fixed, it was just allocated that way; the two hosts below could be given 5002 and 5003.)

3) In both directions it is always the 138.x and 10.x addresses that are swapped; the web server's address stays the same as source/destination.
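The translation table for the example above, as an added example that is not code from the notes or the course. It uses the example's addresses (10.0.0.1:3345, NAT address 138.76.29.7, web server 128.119.40.186:80); 5001 is simply the first public port this NAT hands out, and an inbound packet with no table entry is dropped.

```python
"""NAT translation table for the scenario above.

Added example, not from the lecture notes. It models the NAT box in front of
10.0.0.0/24 with public address 138.76.29.7: outbound packets get a
dynamically allocated public port (5001 is just the first free one here),
replies are mapped back, and inbound packets with no table entry are dropped.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class Nat:
    def __init__(self, public_ip: str, first_port: int = 5001) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Endpoint, int] = {}   # (private ip, private port) -> public port
        self.in_map: Dict[int, Endpoint] = {}    # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the source to the public IP and a public port.
        The same private (ip, port) keeps its public port for the whole conversation;
        a different host using the same private port gets a different public port."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.out_map.get(key)
        if port is None:                      # first packet of this flow: allocate
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: map the public port back to the private endpoint.
        Unknown ports are dropped, so an outside host cannot open a connection
        to a private host on its own."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.in_map.get(pkt.dst_port)
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


if __name__ == "__main__":
    nat = Nat("138.76.29.7")
    request = nat.outbound(Packet("10.0.0.1", 3345, "128.119.40.186", 80))
    print("LAN -> Internet:", request)
    response = nat.inbound(Packet("128.119.40.186", 80, "138.76.29.7", request.src_port))
    print("Internet -> LAN:", response)
```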


Overall diagram

(See the figure.)

Reposted from blog.csdn.net/m0_37622530/article/details/81142242