Sect1 Network Functionality


7/25/2019 Sect1 Network Functionality

1/50

    J.D. Fulp CISSP, ISSEP, ISSAP, CSIH 1

    Section 1

    Network Functionality

Slide 2: The Network Security Model (Filtering & Cryptology)

[Diagram: bad bits travel from a source (S) toward a destination (D). Filtering marks them Denied (X) and raises a log/alert; a VPN provides Confidentiality and Integrity against observation and modification.]

Bad bits fail authentication, or match a filter deny rule... or fail to match any filter permit rule

Slide 3: Topics at a Glance

The OSI and TCP/IP stacks

Encapsulation & inter-layer linkages

Hubs, switches, and routers

Collision and broadcast domains

Layer 2 and layer 3 addressing

IP space and net-mask calculations

DHCP, DNS, NAT/PAT, ARP, and VLANs

Fragmentation

Ports, TCP and byte accountability

Routing a packet (header and layer views)

Routing protocols (DV, LS, PV, IGP, EGP and AS)

Slide 4: The OSI Stack

How many layers? ____

Any real-world implementations of this specific 7-layer stack? ____

Most popular in-use stack based on the OSI model? ________

Why "stack" at all... why not just package it all in one product?


Slide 5: The OSI Stack

Can you name the 7 layers?

P________ D___ N____ T_______ S____________ P________ A________

1 Physical
2 Data Link
3 Network
4 Transport
5 Session
6 Presentation
7 Application

Try out this mnemonic memory aid

Slide 6: The OSI Stack

Match each layer to these overly simplified functional descriptions:

___ routes packets between networks

___ host-to-host view of a connection

___ bit representation on the wire

___ OS link to protocol stack and network

___ hardware addressing done here

___ sequences packets to correct port

___ end-to-end encryption usually occurs here

1 Physical
2 Data Link
3 Network
4 Transport
5 Session
6 Presentation
7 Application

Slide 7: The OSI Stack

Match each layer to the units that they work with:

___ segments

___ bits

___ frames

___, ___ and ___ messages (another generic term)

___ packets/datagrams

The generic term for any of these, however, is PDU, which stands for _________________ _________________

1 Physical
2 Data Link
3 Network
4 Transport
5 Session
6 Presentation
7 Application

Slide 8: The OSI Stack

[Diagram: two OSI stacks (1 Physical, 2 Datalink, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application) drawn side by side, with a virtual communication channel between each pair of peer layers.]

Virtual comm channel between each peer layer

Of course the physical channel is real


Slide 9: En-/De-capsulation

What is the relationship between layer i and layer i+1?

Any of these answers is correct:

layer i+1 rides on top of layer i

layer i+1 is encapsulated inside layer i

layer i carries layer i+1

layer i+1 is tunneled inside of layer i

layer i adds its headers (and possibly trailers) to layer i+1

Slide 10: The TCP/IP Stack

TCP/IP runs the Internet!

TCP = ? _______________________

IP = ? _______________

What layer is TCP? ___

What layer is IP? ___

Which gets encapsulated inside which? ______________________________

Slide 11: The TCP/IP Stack

How do they "stack" up against each other?

OSI:
1 Physical
2 Datalink
3 Network
4 Transport
5 Session
6 Presentation
7 Application

TCP/IP:
1 Physical
2 NW Interface
3 Internet
4 Transport
5 Application

Slide 12: Bandwidth (KNOW these!)

Measure of data throughput capacity

For digital data, measured in _______ per second (bps or b/s)

Metric abbreviations:

Kbps = 10^3 ~= 2^10, a thousand bps

Mbps = 10^6 ~= 2^20, a million bps

Gbps = 10^9 ~= 2^30, a billion bps

Tbps = 10^12 ~= 2^40, a trillion bps


Slide 13: Bandwidth in Perspective

OC-24 (~1.25 Gbps)

OC-1 (52 Mbps)

T-3 (45 Mbps)

T-1 & DSL Lite (1.5 Mbps)

V.90 56K modem (~50 Kbps)

Slide 14: LAN Topologies

Only three basic (practical) types

________: Data travels through every NIC

_________: Data travels to every NIC

[Diagram: four PCs, each with a NIC, drawn once for each of the two topologies above.]

Each NIC can inspect & manipulate a token for access control

Each NIC will see the same traffic as all others

Slide 15: LAN Topologies

________: Data travels between two NICs at a time (unless it is a broadcast message)

[Diagram: four PCs, each with a NIC, cabled to a central Switch.]

Each NIC will only see the traffic addressed to it

Slide 16: LAN Topologies

________: A direct link is provided between every two NICs

[Diagram: four PCs, each with a NIC, with a direct link between every pair.]

Simply does not scale well and is not used in practice, particularly at the LAN level

We see some degree of mesh-iness at the core level of the internet, however


Slide 17: LAN Topologies

Which topology is this?

[Diagram: six PCs arranged around a central point.]

Answer: ______________________

Slide 18: LAN Topologies

Physically... it looks like a star

But what happens when I move the PCs to sit on one long table?

[Diagram: the same six PCs lined up in a row.]

Is this no longer a "star" topology?

Slide 19: LAN Topologies

The point is... physical layout is inconsequential

What matters is the electrical behavior of the data pathways

To know this, we need to inspect the device at the center of the "star"

Slide 20: LAN Topologies

If it is a MAU (or MSAU) then we have a ring

[Diagram: a MAU with ports labeled "To PC", the ring wired up inside the box: a "ring in a box".]


Slide 21: LAN Topologies

If it is a hub then we have a bus

[Diagram: a hub with ports labeled "To PC", all ports joined together internally. Think big blob of solder.]

Slide 22: LAN Topologies

If it is a switch then we have a "star"

[Diagram: a switch with ports labeled "To PC", each port switched (X) individually.]

Slide 23: LAN Topologies

Most popular LAN topology today...

Physical star into a logical star (switch)

[Diagram: six PCs cabled to a central "Hub or Switch".]

Slide 24: Basic Network Components

At what OSI layer does each of these work?

Repeater? ___

Router? ___

Hub? ___

Switch? ___

Bridge? ___ (most similar to switch)


Slide 25: Hub aka Concentrator

Hubs are considered "brainless"

Basically a convenient, centralized, plug-in device to electrically connect all hosts on the network

Have no fear of hubs... they're easy!

[Diagram: a hub (H) with clients (C) plugged into it, beside the same clients hanging off one shared wire. These two networks behave the same way.]

Slide 26: Collision Domain

Because hubs flood everything they receive, they form collision domains

You have a collision domain if, when one device transmits, all other devices on that network segment "hear" (or "see" if you prefer) it

This results in collisions and congestion, but also means that a network eavesdropper can see others' traffic

Slide 27: Repeater

Repeaters are also "brainless"

Simply amplify digital signals and pass them along, un-inspected and unmodified

Provides a means for extending the length of a segment

[Diagram: hub (H) - repeater (R) - hub (H); the bit stream 011001001 enters the repeater and 011001001 leaves it.]

Slide 28: Bridge

Precursor to the switch

Typically only has two ports

Traditionally used to "convert" between two different topologies or protocols

The term is used mostly in the wireless world these days

Let's jump ahead to the switch...


Slide 29: Switch

Switches, like hubs, form networks by connecting hosts

Unlike hubs, switches have some intelligence built into them in that they understand layer 2 addressing

Switches can learn which hosts live off of each port

Switches will either: block, forward, or _________ incoming frames

Slide 30: Switch

Event: Switch is turned on

Switch Action: None

[Diagram: switch S with ports 1, 2 and 3. Port 1 leads to a hub H serving hosts CA and CD, port 2 to host CB, port 3 to host CC.]

Switch's Table:
Host  Port
?

Slide 31: Switch

Event: CA sends to CD

Switch Action: _______ ?

Switch's Table:
Host  Port
A     1

The switch is learning...

Slide 32: Switch

Event: CC sends to CB

Switch Action: _______ ?

Switch's Table:
Host  Port
A     1
C     3


Slide 33: Switch

Event: CD sends to CA

Switch Action: _______ ?

Switch's Table:
Host  Port
A     1
C     3
D     1

Slide 34: Switch

Event: CB sends to CD

Switch Action: _______ ?

Hub Action: ___________ ?

Switch's Table:
Host  Port
A     1
C     3
D     1
B     2

Slide 35: Switch

Event: CC sends to CB

Switch Action: _______ ?

Switch's Table:
Host  Port
A     1
C     3
D     1
B     2

Slide 36: Switch

Table entries will eventually "age out" unless more traffic is received

What if...

very short age-out period?

very long age-out period?

Notice how much more efficient the switch is at managing bandwidth than the hub... once it has learned where every host "lives"


Slide 37: Switch

Event: CB spoofs CA and sends some traffic... somewhere

Switch Action: __________________ _______________________________ ____________________________ ?

Switch's Table:
Host  Port
A     1
C     3
D     1
B     2
A     2?

Slide 38: A Mini Cyber-Security Case Study

Switch Table:
Host  Port
E     2
F     2
G     2
H     2
I     2
...
ZZZ   2

[Diagram: the same switch; E, F, G, H, I, ... ZZZ all now appear behind port 2, CB's port.]

B is an attacker who spoofs ~thousands (or however many are necessary) of MACs.

Think through this attack-chain using CIA
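The learning-table behaviour of slides 30 through 38, as an added example that is not part of the original slides: a toy switch that replays the slides' events, ages entries out, and raises alerts for the two things a defender would watch for in the case study (a known MAC appearing on a new port, and far more MACs behind one port than hosts could sit there). The host names CA..CD and ports 1..3 are the slides'; the age-out period and per-port MAC limit are constructed values.

```python
# Added example, not from the slides: a toy learning switch that replays the events of
# slides 30-35, ages entries out (slide 36), and flags the spoofing/flooding of slides 37-38.
# Host names CA..CD and ports 1..3 are the slides'; age_out and max_macs_per_port are constructed.
from dataclasses import dataclass, field

BROADCAST = "FF:FF:FF:FF:FF:FF"


@dataclass
class Switch:
    age_out: float = 300.0             # seconds an idle entry survives (constructed value)
    max_macs_per_port: int = 8         # port-security style limit (constructed value)
    table: dict = field(default_factory=dict)   # MAC -> (port, last_seen)
    alerts: list = field(default_factory=list)

    def expire(self, now: float) -> None:
        """Forget entries that have been idle longer than age_out."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.age_out]:
            del self.table[mac]

    def frame(self, src: str, dst: str, in_port: int, now: float) -> str:
        """Handle one frame; return 'block', 'forward:<port>' or 'flood'."""
        self.expire(now)
        # Learning: remember which port the source lives off of
        prev = self.table.get(src)
        if prev is not None and prev[0] != in_port:
            # A known MAC showing up on another port is either a real move or a spoof
            self.alerts.append(f"MAC {src} moved from port {prev[0]} to port {in_port}")
        self.table[src] = (in_port, now)
        macs_here = sum(1 for port, _ in self.table.values() if port == in_port)
        if macs_here > self.max_macs_per_port:
            # Far more MACs behind one port than hosts could plausibly sit there: table flooding
            self.alerts.append(f"port {in_port} holds {macs_here} MACs (limit {self.max_macs_per_port})")
        # Forwarding decision: flood when the destination is unknown or broadcast
        if dst == BROADCAST or dst not in self.table:
            return "flood"
        out_port = self.table[dst][0]
        if out_port == in_port:
            return "block"             # destination shares the sender's segment (e.g. via the hub)
        return f"forward:{out_port}"


def replay_slides() -> list:
    """Slides 30-35: CA and CD hang off a hub on port 1, CB on port 2, CC on port 3."""
    sw = Switch()
    events = [("CA", "CD", 1), ("CC", "CB", 3), ("CD", "CA", 1), ("CB", "CD", 2), ("CC", "CB", 3)]
    return [sw.frame(src, dst, port, float(t)) for t, (src, dst, port) in enumerate(events)]


def replay_case_study(n_fake: int = 20) -> tuple:
    """Slides 37-38: CB (port 2) spoofs CA, then floods constructed MACs; returns (CA's port, #alerts)."""
    sw = Switch()
    sw.frame("CA", "CD", 1, 0.0)
    sw.frame("CB", "CA", 2, 1.0)
    sw.frame("CA", "CD", 2, 2.0)       # CB sending with CA's source address from port 2
    for i in range(n_fake):
        sw.frame(f"FAKE{i:03d}", "CD", 2, 3.0 + i)
    return sw.table["CA"][0], len(sw.alerts)
```

Once the table entry for CA has moved to port 2, frames meant for CA are forwarded to the attacker's port, which is the confidentiality loss the slide asks you to reason about; the alerts list is what a port-security or NAC feature would act on.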

Slide 39: Broadcast Domain

Unlike hubs, switches can intelligently block or forward based upon layer 2 (hardware) addresses

The result is that each port on a switch is a separate collision domain

However, if a device on a switch sends a limited __________________ packet, this will be flooded out every port

Slide 40: Gateway

Precursor to the router

The term is now used quite liberally to indicate just about any network connection or translation device:

Default Gateway (a router)

Security Gateway (VPN server, authentication server, etc.)

Protocol Translation Gateway (converts between, say, TCP/IP and SPX/IPX)

etc.


Slide 41: Router

Speaks at layer 3, which for the TCP/IP protocol stack is? ____ (protocol?)

Like switches, routers perform block, forward, and broadcast (flood) decisions based upon information in their routing table

Unlike switches, routers map __________ to interfaces, rather than ______ to ports as the switch does

Slide 42: Router

Routers basically do this:

Read the destination IP address in every packet that arrives, then

Determine if destination is local or not

If local then deliver to that local device

Else, search the __________________ to find the proper outbound interface to get the packet one hop closer to its ultimate destination

Slide 43: Router (R) vs Switch (S)

[Diagram: hosts H1, H2 ... Hn connect to a switch S; a router R joins the networks NW1, NW2 and NW3.]

Switch: "I connect hosts at layer 2, thus I create networks"

Router: "I connect networks at layer 3, thus I create internetworks"

And remember... a cloud may consist of only a single host

Slide 44: Router

[Diagram: a router R joining an FDDI LAN, an Ethernet LAN running IPX, a Frame Relay WAN and an Ethernet LAN running IP.]

Routers are multi-lingual when it comes to protocols. They make Internetworking possible!

Switches are generally NOT multi-lingual; however "translational" switches do exist


Slide 45: Broadcast Domain (again)

Unlike switches, if a router sees a limited broadcast packet it will block it

To summarize hub, switch and router behavior with respect to domains:

A _________ cannot partition anything

A ___________ can partition a collision domain, but not a broadcast domain

A _______________ can partition both a collision domain and a broadcast domain

Slide 46: Layer 3 Switch (??)

Aka IP Switch

Aka Router Switch

Aka Switch Router... you get the idea

It's actually a ____________

But is built using _________ technology

Basically, this means that routing decisions are made in ______________ rather than _______________

Slide 47: ASIC

An industry trend!

ASIC = _________________________

Idea is to move functionality from software into hardware

Hardware runs at ________ speed and will always beat software since it does not incur the penalty of all those memory lookups & inst. decodings

Market demand justifies development

Slide 48: Layer 2 Addressing

Each NIC (not necessarily each computer) has a factory built-in hardware address

The hardware address is the layer 2 address

It is also called the _____ address

MAC addresses are ___ bits in length, which is ___ hex digits in length


Slide 49: Layer 2 Addressing

Anatomy of a MAC address

First 24 of 48 bits represent the mfr.

Last 24 of 48 bits represent a unique mfr.-assigned number

Example: 02 60 8C 26 B5 A2 (12 hex digits; mfr.: 3COM Corp.)

Every NIC in the world should thus have a unique MAC address!

Slide 50: Ethernet Header (& Trailer)

Numbers indicate # of bytes

Preamble is not considered p/o header

Header 14 bytes, trailer is 4 bytes

Note min/max size of an entire Ethernet frame (64 - 1518 bytes)

Preamble (8) | Dest MAC (6) | Src MAC (6) | Frame Type (2) | payload (46-1500) | CRC (4)

Slide 51: Ethernet Frame

Preamble (8) | Dest MAC (6) | Src MAC (6) | Frame Type (2) | payload (46-1500) | CRC (4)

Preamble synchronizes hardware for transmission of frame... we can think of it as the layer 1 "header"

Preamble is 64 alternating 1s and 0s

What's actually in the payload field?

Ans: Application payload (aka "user data") plus ______________________ ________________________________

Slide 52: Ethernet Frame

Preamble (8) | Dest MAC (6) | Src MAC (6) | Frame Type (2) | payload (46-1500) | CRC (4)

The two-byte frame type field indicates the type of PDU header that is in the data field

0x0800 IPv4
0x809B AppleTalk
0x8137 IPX
0x86DD IPv6
0x8038 DECNet

Just a few of the more popular L-3 protocols
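The header layout of slides 50 through 52 turned into a parser, as an added example that is not part of the original slides: it splits a frame into the 6/6/2-byte header fields, maps the frame type through the table above, separates the manufacturer and serial halves of the source MAC (slide 49), and rejects frames outside the 64..1518-byte limits. The sample frame is constructed here; its CRC is a placeholder, not a computed checksum.

```python
# Added example, not from the slides: parse the 14-byte Ethernet header laid out on slides
# 50-52 (6 dest MAC, 6 src MAC, 2 frame type) and enforce the 64..1518-byte frame limits.
# The sample frame is constructed here; its source MAC is the 3COM example from slide 49.
import struct

FRAME_TYPES = {0x0800: "IPv4", 0x809B: "AppleTalk", 0x8137: "IPX", 0x86DD: "IPv6", 0x8038: "DECNet"}
HEADER_LEN, CRC_LEN = 14, 4
MIN_FRAME, MAX_FRAME = 64, 1518        # whole frame without the 8-byte preamble
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    """Render bytes as upper-case hex pairs, the 12-hex-digit notation of slide 49."""
    return ":".join(f"{b:02X}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split a frame (preamble already stripped by the NIC) into header fields, payload and CRC."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME}")
    dst, src, ftype = struct.unpack("!6s6sH", frame[:HEADER_LEN])   # network byte order
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "src_oui": mac_str(src[:3]),        # first 24 bits: manufacturer
        "src_serial": mac_str(src[3:]),     # last 24 bits: manufacturer-assigned number
        "broadcast": dst == BROADCAST_MAC,
        "type": FRAME_TYPES.get(ftype, f"unknown 0x{ftype:04X}"),
        "payload_len": len(frame) - HEADER_LEN - CRC_LEN,   # 46..1500 for a valid frame
        "crc": frame[-CRC_LEN:].hex(),
    }


def build_frame(dst: bytes, src: bytes, ftype: int, payload: bytes) -> bytes:
    """Constructed frame: pad the payload to the 46-byte minimum and append a placeholder CRC."""
    payload = payload.ljust(46, b"\x00")
    return struct.pack("!6s6sH", dst, src, ftype) + payload + b"\x00" * CRC_LEN


# Constructed sample: 3COM source (slide 49), broadcast destination, IPv4 payload
SAMPLE = build_frame(BROADCAST_MAC, bytes.fromhex("02608C26B5A2"), 0x0800, b"constructed payload")
```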


Slide 53: Layer 3 Addressing

IP is the language spoken at layer 3

IP addresses are ____ bits in length

32 bits are broken into ____ "octets"

IP addresses are typically formatted in ___________________ format

E.g., 130.109.45.217

The largest number an octet can be is _____ (2^8 - 1)

Slide 54: Layer 3 Addressing

IP addresses are controlled, deconflicted, and assigned via several agencies; prominent are:

IANA: Internet Assigned Numbers Authority

ICANN: Internet Corporation for Assigned Names & Numbers

ARIN: American Registry for Internet Numbers

Slide 55: Layer 3 Addressing

IP address scheme is hierarchical:

A network part

Possibly a subnet part

A host part

In _________ mode, the network/host boundary falls on an octet boundary

In _________ mode, the network/host boundary is determined by the subnet mask

Slide 56: Layer 3 Addressing

IP Address classes A-E

N = a network address octet

H = a host address octet

Class A: N.H.H.H
Class B: N.N.H.H
Class C: N.N.N.H
Class D: Reserved for Multicasting
Class E: Reserved for Future Use

More networks... fewer hosts per network


Slide 57: Layer 3 Classes

How do you know what class a given IP address belongs to?

Two methods for answering this

(1) Memorize the first octet cutoffs

class A 0..127
class B 128..191
class C 192..223
class D 224..239
class E 240..255

Slide 58: Layer 3 Classes

(2) Convert 1st octet to binary and look at # of consecutive leading 1s

0xxxxxxx class A
10xxxxxx class B
110xxxxx class C
1110xxxx class D
1111xxxx class E

So what class is 186.56.209.32?

Build 186_10 in binary:

128 64 32 16 8 4 2 1

Slide 59: Layer 3 Classes

186_10 = 1 0 1 1 1 0 1 0_2

So it's a class B address

What is the network address in this class B IP address example?

Ans: 186.56.0.0

What is the host address in this example?

Ans: 186.56.209.32

Slide 60: Layer 3 Classes

How many hosts can a class B IP address specify? (Hint: N.N.H.H)

Ans: ______

The 2 comes from the fact that...

an all-zero octet means _____________

an all-one octet means _____________, or "all hosts on this network"


Slide 61: Layer 3 Addressing

Hosts and routers often need to figure out what network an IP is on

This is the role/function of network masks (aka subnet masks)

Masking utilizes the logical AND operation (below, X is a binary variable)

X and 0 = __ (i.e., "mask-out" X)

X and 1 = __ (i.e., keep X)

Slide 62: Layer 3 Addressing

What would a class C mask look like in dotted-decimal notation?

200.100.50.25     class C address
___.___.___.___   class C mask
___.___.___.___   Result (network address)

Slide 63: Layer 3 Addressing

What would a Class C mask look like in binary?

In bit-count notation, the class C mask is written as ______ This is also called CIDR

11001000.01100100.00110010.00011001   IP addr
________.________.________.________   Mask?
________.________.________.________   NW addr

Slide 64: Layer 3 Addressing

Write the class B dotted-decimal mask: _____._____._____._____

Write the class B mask in bit-count notation: _____

What network does the host IP address 117.216.89.46 /8 belong to?

Ans: _____._____._____._____

Write the /8 mask in dotted-decimal notation: _____._____._____._____


Slide 65: Layer 3 Addressing

IP space is a finite resource, just like SSNs and telephone numbers

The classful A, B, C system imposes rigid, fixed-size networks

Results in wasted IPs

CIDR to the rescue

CIDR = __________________________ __________________________________

Slide 66: Layer 3 Addressing

With CIDR we allow the network-host cut to be placed anywhere

Example, assume you only need 18 IP addresses for your small network

Your ISP gives you 200.200.200.96/27

Note this is an appropriately-sized (smaller) chunk of IP space than the smallest (Class C) available under the classful system

Slide 67: Layer 3 Addressing

Let's take this 200.200.200.96/27 example and review the typical IP-type questions that arise

How many hosts can you address?

What is your host address range?

What is your broadcast address?

What is your mask in dotted-decimal (if bit-count was given) or bit-count (if dotted-decimal was given)?

Slide 68: Layer 3 Addressing

Viewing in binary is helpful

IP addr  11001000.11001000.11001000.01100000   (200.200.200.96)
Mask?    11111111.11111111.11111111.11100000

The slash-27 cut: network bits to the left, host bits to the right


Slide 69: Layer 3 Addressing

How many hosts can you provide an address for now?

Ans: 2^5 - 2 = 30 (plenty)

5 bits of host space left

Network bits (27) | Host bits (5)
11001000.11001000.11001000.011*****
11111111.11111111.11111111.11100000

Slide 70: Layer 3 Addressing

What will your host addresses be?

200 . 200 . 200 . 011*****

96 + 00001 = 97 through 96 + 11110 = 126

So... valid IPs are: 200.200.200.97 through 200.200.200.126

11001000.11001000.11001000.011*****
11111111.11111111.11111111.11100000

Slide 71: Layer 3 Addressing

What is the broadcast address for our 200.200.200.96 /27 network?

Just set all the host bits to 1

Ans: 200.200.200._____

11001000.11001000.11001000.01111111
11111111.11111111.11111111.11100000

Slide 72: Layer 3 Addressing

What is your network mask in dotted-decimal?

Set all the network bits to 1 and all the host bits to zero and convert

Ans: _____._____._____._____

11001000.11001000.11001000.01100000
11111111.11111111.11111111.11100000


Slide 73: Layer 3 Addressing

A summary of the last octet masks:

X.Y.Z.10000000_2 = 128_10 = /25
X.Y.Z.11000000_2 = 192_10 = /26
X.Y.Z.11100000_2 = 224_10 = /27
X.Y.Z.11110000_2 = 240_10 = /28
X.Y.Z.11111000_2 = 248_10 = /29
X.Y.Z.11111100_2 = 252_10 = /30
X.Y.Z.11111110_2 = 254_10 = /31

Slide 74: Tips for IP/Network Questions

First establish the cut between network and host bits as set by the mask

Set all host bits to 0 to get network address

Set all host bits to 1 to get broadcast address

All addresses between network and broadcast are valid (assignable) IPs

Set all network bits to 1 and all host bits to 0 to get the mask
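The class test of slides 57-59 and the mask/network/broadcast procedure of slides 61-74, as an added example that is not part of the original slides: plain-integer functions that apply each tip above (AND with the mask, set host bits to 0 or 1, count host bits) and also convert between dotted-decimal and bit-count masks, rejecting non-contiguous masks. The addresses it is checked against are the slides' own.

```python
# Added example, not from the slides: the classful and CIDR arithmetic of slides 57-74 done
# with plain integers, so the mask, the AND, and the "set host bits" steps are each visible.
# Addresses used in the checks are the slides' own (186.56.209.32, 200.200.200.96/27, 117.216.89.46/8).

def to_int(dotted: str) -> int:
    """Dotted-decimal -> 32-bit integer; each octet is 0..255 (2^8 - 1)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(n: int) -> str:
    """Dotted binary, the form slide 68 calls 'helpful' for seeing the network/host cut."""
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def ip_class(dotted: str) -> str:
    """Method (2) of slide 58: count the consecutive leading 1s of the first octet."""
    first_octet = f"{to_int(dotted) >> 24:08b}"
    for cls, prefix in (("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111")):
        if first_octet.startswith(prefix):
            return cls
    raise AssertionError("unreachable: every 8-bit pattern matches one class")


def classful_prefix(dotted: str) -> int:
    """Default mask length from the class: N.H.H.H -> /8, N.N.H.H -> /16, N.N.N.H -> /24."""
    return {"A": 8, "B": 16, "C": 24}[ip_class(dotted)]   # KeyError for D/E: no host part


def mask_from_prefix(prefix: int) -> int:
    """Bit-count (CIDR) notation -> mask: prefix 1s followed by (32 - prefix) 0s."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(dotted_mask: str) -> int:
    """Dotted-decimal mask -> bit-count; rejects masks whose 1s are not contiguous."""
    mask = to_int(dotted_mask)
    prefix = bin(mask).count("1")
    if mask_from_prefix(prefix) != mask:
        raise ValueError(f"{dotted_mask} is not a contiguous mask")
    return prefix


def subnet_facts(cidr: str) -> dict:
    """Answer the 'typical IP-type questions' of slide 67 for an address like 200.200.200.96/27."""
    addr_s, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    addr, mask = to_int(addr_s), mask_from_prefix(prefix)
    network = addr & mask                        # X and 1 keeps X, X and 0 masks it out
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set to 1
    host_bits = 32 - prefix
    # Slides' rule: 2^h - 2 (network and broadcast are not assignable). RFC 3021 point-to-point
    # /31 links are the one exception; they are reported as 0 here.
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0
    return {
        "class": ip_class(addr_s),
        "mask": to_dotted(mask),
        "mask_binary": to_binary(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "usable_hosts": usable,
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
    }
```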

Slide 75: Some Special IP Addresses

Seven you should know about:

1. The network address: e.g., N.N.0.0

2. Directed broadcast: e.g., N.N.N.255

3. Limited broadcast: 255.255.255.255. Sent to all hosts on "this" network, i.e., the network of origin. Example of usage? ________

4. The "this host" or the "I don't have an IP" IP address: 0.0.0.0. Example of usage? ________

Slide 76: Some Special IP Addresses

5. The loopback address: 127.*.*.* For debugging purposes, allows a single machine to test its protocol stack by talking to itself

6. The IPv4 Link-Local address space: 169.254.*.* for hosts that fail to get an IP from a DHCP server. (RFC 3927)

7. The private address space (RFC 1918)

- Class A: 10.*.*.*
- Class B: 172.16.*.* to 172.31.*.*
- Class C: 192.168.*.*


Slide 77: Layer 3 Private Addresses

Private addresses can be used by anyone without having to register through an authority

Great idea! Allows unlimited reuse of these addresses

Intended to be used on your own isolated intranet

Cannot connect to Internet though... why? ___________________________

Slide 78: Layer 3 Private Addresses

So... if you're NOT going to connect to the public network, could you choose whatever IP addresses you wanted? Ans: ______

But what happens if you DO want to connect to the public network using network address translation (NAT)?

Next slide illustrates potential problem

Slide 79: Layer 3 Private Addresses

[Diagram: a host in the intranet, behind a router, reaching a server on the Internet. Addresses shown: 212.74.206.28 and 212.74.206.47 ("Registered IPs") and 131.120.0.1 ("Un-registered IP").]

Do you see the problem here?

Slide 80: NAT & PAT

Private addresses are an excellent solution for isolated intranets

However, the inability to connect to the Internet is very constrictive

Two mechanisms provide a solution:

NAT: Network Address Translation (a "pool" of available public IPs)

PAT: Port Address Translation (a "pool" of port #s using a single public IP)


Slide 81: NAT

[Diagram: private IPs 10.3.X.X /16 on the left, a Local Router (running NAT) in the middle, the Public Internet on the right. Pool of Public IPs: 210.46.10.5, 210.46.10.6, 210.46.10.7, 210.46.10.8.]

10.3.5.26 | Data  ->  210.46.10.5 | Data

10.3.6.19 | Data  ->  210.46.10.6 | Data

Slide 82: NAT

Local Router (running NAT)

Pool of Avbl Public IP Addresses:

Avbl  Public IP     mapped to
No    210.46.10.5   10.3.5.26
No    210.46.10.6   10.3.6.19
Yes   210.46.10.7   ---.---.---.---
Yes   210.46.10.8   ---.---.---.---

Router keeps a table of public-to-private IP mappings

Slide 83: NAT

There are two types of NAT:

Dynamic: Router can map & un-map public IPs to private IPs as necessary

Static: One public IP is permanently mapped to one private IP

Always configure for dynamic unless? _________________________________

Slide 84: PAT

[Diagram: private IPs 10.3.X.X /16 on the left, a Local Router (running PAT) in the middle, the Public Internet on the right. Public IP: 210.46.10.5. The trailing number on each packet is the source port number.]

10.3.5.26 | Data | 3705  ->  210.46.10.5 | Data | 2610

10.3.6.19 | Data | 4912  ->  210.46.10.5 | Data | 2611


Slide 85: PAT

Local Router (running PAT)

Pool of Avbl Port Numbers:

Avbl  Port#  mapped to
No    2610   10.3.5.26 : 3705
No    2611   10.3.6.19 : 4912
Yes   2612   ---.---.---.---
Yes   2613   ---.---.---.---

Router keeps a table of external-port-to-internal-IP:port mappings
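The two translation tables of slides 81 through 85, as an added example that is not part of the original slides: a dynamic-NAT translator handing out addresses from the 210.46.10.5-.8 pool and a PAT translator sharing 210.46.10.5 through the 2610-2613 port pool, each with the reverse (inbound) lookup the router needs for replies. The pool-exhaustion return value, the `release` call and the port range are my additions, not on the slides.

```python
# Added example, not from the slides: toy dynamic-NAT and PAT translators built on the
# public pool (210.46.10.5-.8), the single PAT address and the port numbers of slides 81-85.
# The pool-exhaustion behaviour and the 'release' call are additions, not on the slides.

class DynamicNat:
    """Dynamic NAT (slide 83): map a private IP to a pool public IP, un-map when released."""

    def __init__(self, pool):
        self.free = list(pool)             # 'Avbl' = Yes rows of the slide 82 table
        self.mapping = {}                  # public IP -> private IP ('Avbl' = No rows)

    def outbound(self, private_ip: str):
        """Public IP to stamp on an outbound packet, or None when the pool is exhausted."""
        for public_ip, mapped in self.mapping.items():
            if mapped == private_ip:
                return public_ip           # existing mapping is reused
        if not self.free:
            return None                    # nothing left to hand out: packet cannot go out
        public_ip = self.free.pop(0)
        self.mapping[public_ip] = private_ip
        return public_ip

    def inbound(self, public_ip: str):
        """Private destination for a reply from the Internet; None if nothing is mapped."""
        return self.mapping.get(public_ip)

    def release(self, public_ip: str) -> None:
        """Un-map a public IP so it returns to the pool."""
        if self.mapping.pop(public_ip, None) is not None:
            self.free.append(public_ip)


class Pat:
    """PAT (slides 84-85): one public IP, a pool of external ports mapped to internal IP:port."""

    def __init__(self, public_ip: str, ports):
        self.public_ip = public_ip
        self.free = list(ports)
        self.mapping = {}                  # external port -> (private IP, private port)

    def outbound(self, private_ip: str, private_port: int):
        """(public IP, external port) for an outbound flow, or None when ports run out."""
        flow = (private_ip, private_port)
        for ext_port, mapped in self.mapping.items():
            if mapped == flow:
                return self.public_ip, ext_port
        if not self.free:
            return None
        ext_port = self.free.pop(0)
        self.mapping[ext_port] = flow
        return self.public_ip, ext_port

    def inbound(self, ext_port: int):
        """Internal (IP, port) for a reply; None means no flow asked for it, so it is dropped."""
        return self.mapping.get(ext_port)


def demo_nat() -> tuple:
    """Replay slide 82: two hosts take the first two pool addresses."""
    nat = DynamicNat(["210.46.10.5", "210.46.10.6", "210.46.10.7", "210.46.10.8"])
    first = nat.outbound("10.3.5.26")
    second = nat.outbound("10.3.6.19")
    return first, second, nat.inbound("210.46.10.6"), nat.free


def demo_pat() -> tuple:
    """Replay slide 85: two flows share 210.46.10.5 on external ports 2610 and 2611."""
    pat = Pat("210.46.10.5", range(2610, 2614))
    first = pat.outbound("10.3.5.26", 3705)
    second = pat.outbound("10.3.6.19", 4912)
    return first, second, pat.inbound(2611), pat.inbound(2612)
```

The `None` returned by `inbound` for an unmapped port is the side effect that makes PAT a weak inbound filter: a packet nobody inside asked for has nowhere to go.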

Slide 86: Unicast

[Diagram: a router joining the networks 1.2.3.0 /24, 1.2.4.0 /24 and 1.2.5.0 /24 through switches and a hub.]

From: 1.2.3.25  To: 1.2.5.17

Slide 87: Multicast

[Diagram: the same router, switches and hub joining 1.2.3.0 /24, 1.2.4.0 /24 and 1.2.5.0 /24.]

From: 1.2.3.25  To: 224.4.8.6

Slide 88: _ Broadcast

[Diagram: the same router, switches and hub joining 1.2.3.0 /24, 1.2.4.0 /24 and 1.2.5.0 /24.]

From: 1.2.3.25  To: 1.2.5.255

What kind of broadcast is this?


Slide 89: _ Broadcast

[Diagram: the same router, switches and hub joining 1.2.3.0 /24, 1.2.4.0 /24 and 1.2.5.0 /24.]

From: 1.2.3.25  To: 255.255.255.255

What kind of broadcast is this?

Slide 90: Collision/Broadcast Domains

[Diagram: hosts connected to a single hub.]

How many collision domains here? _______

How many broadcast domains here? _______

This is a
a) LAN?
b) segment?
c) network?
d) internetwork?

Slide 91: Collision/Broadcast Domains

[Diagram: hosts connected to a hub, which in turn connects to a switch.]

How many collision domains here? _______

How many broadcast domains here? _______

This is a
a) LAN?
b) segment?
c) network?
d) internetwork?

Slide 92: Collision/Broadcast Domains

[Diagram: a router, two hubs, a switch and a second router.]


Slide 93: Collision/Broadcast Domains

How many collision domains on the previous slide? _______

How many broadcast domains on the previous slide? _______

The previous slide shows a
a) LAN?
b) segment?
c) network?
d) internetwork?

Slide 94: Layer 4 (Transport)

Layer 3 (IP) provides no guarantee of message delivery

Layer 3 simply provides an address infrastructure for "best-effort" delivery by routers

If a message is lost, IP won't tell you... because it won't know

The responsibility of tracking message delivery is pushed up to layer 4, the TCP part of TCP/IP

Slide 95: Layer 4 (Transport)

The TCP/IP protocol stack defines two layer 4 protocols

TCP provides reliable delivery

UDP (User Datagram Protocol) provides unreliable delivery

Another way of stating this:

TCP is connection-oriented

UDP is connectionless

Slide 96: Packet vs Circuit Switching

Packet-Switching

Message divided into packets

Packets need not travel the same node-to-node path through the network

Circuit-Switching

Message may or may not get divided into separate packets

Path will be established before transmission

All data will travel the same path


Slide 97: Packet Switching

[Diagram: Host 1 (H1) and Host 2 (H2) connected through a mesh of communication nodes (C).]

Host 1 sends "HELLO!" to Host 2

Assume packet data payload limited to 2 chars

Packet in flight: 1of3 HE

    J.D. Fulp CISSP, ISSEP, ISSAP, CSIH 98

    Packet Switching

    CH1 H2C

    C

    C

    C

    C

    C

    As load/congestion changes occur within thecomm infrastructure, switching/routingdecisions may result in different paths

    2of3 LL

    J.D. Fulp CISSP, ISSEP, ISSAP, CSIH 99

    Packet Switching

    CH1 H2C

    C

    C

    C

    C

    C

    It

    s even possible for packets to arrive out oforder

    3of3 O!

    2of3 LL

    J.D. Fulp CISSP, ISSEP, ISSAP, CSIH 100

    Packet Switching

    Packets could arrive out of order, no

    big deal, that

    s why packets arenumbered with a __________ number

    No circuit setup and tear-downoverhead with packet-switching

    But, a good deal of overhead in the___________________

    Similar model to postal system

Circuit Switching

- A set path is established prior to any data being sent
- Much like the telephone system, so good circuit-switch technology examples include
  - xDSL (various versions of Digital Subscriber Line)
  - Dial-up (modem connection via the POTS, "Plain Old Telephone System")

Circuit Switching

[Figure: H1 and H2 connected through a mesh of switching nodes (C), with one fixed path set up between them]

Host 1 sends "HELLO!" to Host 2
Message in transit: HELLO!

Virtual Circuit Switching

- Hybrid of packet & circuit switching
- Data gets divided into packets (like packet switching)
- All data travels the same predetermined path (like circuit switching)
- Frame Relay and ATM (Asynchronous Transfer Mode) are two such technologies that work this way

Virtual Circuit Switching

[Figure: H1 and H2 connected through a mesh of switching nodes (C); all packets follow the one predetermined path]

Note how the header no longer requires a sequence number to ensure packet re-build order
Packets in transit: Fm:H1 HE, Fm:H1 LL, Fm:H1 O!

Connection vs Connectionless

[Figure: TCP: "Meet me at 12:30" is answered with "Aye sir... meet you at 12:30"; UDP: the message is sent with no such acknowledgement]

Layer 4 (Transport)

TCP/IP
- Connection-oriented
- The sending TCP host numbers the packets and sets a timer at time of packet transmission
- The receiving TCP host reorders and accounts for packets
- Receiving TCP "acks" received packets
- If timer expires before ack is received, sending TCP re-transmits that packet

Layer 4 (Transport)

UDP/IP
- UDP is Connectionless
- Packets are not numbered
- No accounting of packets
- Send and assume reception
- If not received... UDP doesn't care, let the higher layers figure it out / order a re-transmission if it's important enough

TCP Header (Ports)

- How many port #s are there? ______
- A semi-formal segregation exists
  - Port #s < 1024
    - The "well known" ports
    - Reserved for specific services
  - 1024

TCP Header (Ports)

- Port #s > 49151
  - The "upper" or "ephemeral" ports
  - Client-side of connection uses these, though there are a few exceptions
  - Assigned "on-the-fly" by client system, thus also referred to as the _______________ ports
- In THIS class, we will consider all ports above 1023 to be "clients"

Some Well-Known Ports

20 21 22 23 25
53 67/68 69 80 110
123 137-139
143 161 443

TCP Header (Ports)

[Figure: several client connections from ports > 1024 to server ports in the low (well-known) range]

TCP 3-way Handshake

Host A (time runs downward)                              Host B
  Seq#: 327  Ack#: 0    Flag: Syn      Win: (not shown)  ---->
  <----  Seq#: 477  Ack#: 328  Flag: Syn/Ack  Win: 1000
  Seq#: 328  Ack#: 478  Flag: Ack      Win: 600          ---->

Initial Sequence Numbers are sent in the Syn packets

TCP Packet Accountability

- Hosts sending packets start a timer at time of transmission
- If timer expires prior to the reception of an ack for that packet, the packet is resent
- Hosts dynamically adjust this timer to account for distance, congestion, etc. ... lots of cool statistical/mathematical optimization analysis

TCP Packet Accountability

Host A                                                  Host B
  Seq#: 328  Ack#: 478  Flag: Ack  Win: 600  ---X       (lost)
  A's timer expires, so A resends the packet
  Seq#: 328  Ack#: 478  Flag: Ack  Win: 600  ---->

TCP Sliding Window

- Hosts advertise their window size in the TCP header
  - Initially tells other host the maximum buffer space (in terms of # bytes) available
  - Once data transfer begins, keeps other host updated as to available space
- Mechanism for recipient to keep from getting overwhelmed, for example:
  - Window = big # ... send, send, send
  - Window = 0 ... stop... I'm full

TCP Sliding Window

Host A                                                  Host B
  Seq#: 328  Ack#: 478  Flag: Ack  Win: 600   ---->
  <----  Seq#: 478  Ack#: 428  Flag: Ack  Win: 900
  Seq#: 428  Ack#: 478  Flag: Ack  Win: 600   ---->
  <----  Seq#: 478  Ack#: _____ ?  Flag: Ack  Win: 700

Track the Seq & Ack numbers

TCP Sliding Window (cont)

[Figure: Host A / Host B timeline; the segment headers shown, in the order captured, are:]
  Seq#: 720   Ack#: 1228  Flag: Ack  Win: 1000
  Seq#: 620   Ack#: 1228  Flag: Ack  Win: 1000
  Seq#: 520   Ack#: _____ ?  Flag: Ack  Win: 50
  Seq#: 628   Ack#: 520   Flag: Ack  Win: 558   (marked X: lost)
  Seq#: 1028  Ack#: 520   Flag: Ack  Win: 800
  Seq#: 1228  Ack#: 620   Flag: Ack  Win: 700

What should A "ack" now? ___________

TCP Sliding Window (cont)

[Figure: Host A / Host B timeline continued]
  Seq#: 620  Ack#: 1228  Flag: Ack  Win: 1000

Now what will A Ack back to B once the segment is finally received? Ack# ______

B will keep receiving Ack 620 from A, and will realize that that segment must've been lost.
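The receiver-side behaviour described in the three sliding-window slides above, as an added example (not code from the lecture): a cumulative-ACK receiver that acks the next byte it expects, holds early segments aside, advertises its free buffer space as the window, and keeps repeating the same ack number until the missing segment is retransmitted, which is how the sender notices the loss. The sequence numbers and segment sizes below are constructed; only the initial sequence number 477 (so first data byte 478) is taken from the slides.

```python
"""Cumulative-ACK receiver model (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes  # TCP payload carried by this segment


@dataclass
class TcpReceiver:
    next_expected: int                  # the cumulative ack we will send
    buffer_size: int                    # receive buffer capacity in bytes
    ooo: Dict[int, Segment] = field(default_factory=dict)  # early segments by seq
    delivered: bytearray = field(default_factory=bytearray)  # in-order data
    app_consumed: int = 0               # bytes the application has read so far

    def receive(self, seg: Segment) -> Tuple[int, int]:
        """Process one segment; return (ack number, advertised window)."""
        end = seg.seq + len(seg.payload)
        if seg.seq == self.next_expected:
            self.delivered += seg.payload
            self.next_expected = end
            # a gap may just have been filled: drain any contiguous buffered data
            while self.next_expected in self.ooo:
                nxt = self.ooo.pop(self.next_expected)
                self.delivered += nxt.payload
                self.next_expected += len(nxt.payload)
        elif seg.seq > self.next_expected:
            # arrived early: keep it, but ack only what is contiguous so far
            self.ooo[seg.seq] = seg
        # seg.seq < next_expected means a duplicate of data already acked: ignore
        return self.next_expected, self.window()

    def window(self) -> int:
        """Bytes still free in the receive buffer (what we advertise as Win)."""
        queued = (len(self.delivered) - self.app_consumed) + sum(
            len(s.payload) for s in self.ooo.values())
        return max(self.buffer_size - queued, 0)

    def read(self, nbytes: int) -> None:
        """The application consumes in-order data, which reopens the window."""
        self.app_consumed = min(self.app_consumed + nbytes, len(self.delivered))


def run_sample() -> List[Tuple[int, int]]:
    """Constructed exchange: peer ISN 477 (first data byte 478), 1000-byte buffer.
    The 100-byte segment at seq 578 is 'lost' the first time around."""
    rx = TcpReceiver(next_expected=478, buffer_size=1000)
    acks = []
    acks.append(rx.receive(Segment(478, b"a" * 100)))  # in order -> ack 578, win 900
    # seq 578 is lost; 678 and 778 arrive early -> ack stays 578 (duplicate acks)
    acks.append(rx.receive(Segment(678, b"b" * 100)))  # -> ack 578, win 800
    acks.append(rx.receive(Segment(778, b"c" * 100)))  # -> ack 578, win 700
    rx.read(100)                                        # app drains 100 bytes
    acks.append(rx.receive(Segment(578, b"d" * 100)))  # retransmit fills gap -> ack 878
    return acks
```

Each repeated (578, ...) reply is the "keeps receiving the same Ack" signal the slide describes; once the retransmission lands, the receiver jumps straight to 878 because the two buffered segments are already in hand.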

TCP Session Termination

Can proceed in three ways
- Reset
  - Something wrong happens (protocol violation/confusion)
  - Confused host sends packet with TCP Reset flag set
- 3-way handshake
  - Client sends Fin-Ack (client finished sending)
  - Server sends Fin-Ack (server finished sending too)
  - Client sends Ack
- 4-way handshake
  - Client sends Fin-Ack
  - Server sends Ack (server not finished sending)
  - Server sends Fin-Ack (server finished sending)
  - Client sends Ack

ICMP

- ICMP = Internet Control Message Prot.
- Is it a layer 3 or 4 protocol? _______
- Used to send ____________ & _____________ messages
- Some common ICMP messages:
  - echo request/reply (ping & traceroute)
  - address & subnet-mask requests
  - time exceeded
  - destination un-reachable

ICMP

- Ping provides a great connectivity test utility
- Ping or
- Traceroute (or tracert) is ping wrapped inside a loop that increments the TTL value until the target is reached
- Traceroute provides more detailed path information
- Tracert or

ICMP (tracert 1.2.3.4)

[Figure: a chain of as-yet-unknown routers (?) between the source and 1.2.3.4; successive probes ping(ttl=1), ping(ttl=2), ping(ttl=3) reveal one hop each]

ICMP Tracert Example

H:\>tracert usna.edu

Tracing route to usna.edu [131.122.220.30]
over a maximum of 30 hops:

  1

TCP/IP Inter-layer Linkages

[Figure: Application over TCP over IP over Ethernet, with a question at each boundary: Ethernet? IP? TCP?]

How does each lower layer "know" which higher layer to pass its payload up to?

Example: _______ # 25 (SMTP)
Example: ______ # 0x0800 (IPv4)
Example: ___________ # 6 (TCP)

The Default Gateway

All hosts need to be told which way to go to get out of the local network and toward the larger Internet. That is... get one "hop" closer to the "highway"

The Default Gateway

- People often get confused regarding what device/IP should be configured as the default gateway
- Basically, imagine that a network full of devices is a room full of people.
- Setting the default gateway is equivalent to pointing out the (default) exit door to everyone in the room
- Point all devices to the exit router's inside IP address

ARP

- ARP stands for __________________
- "Resolution" is network-speak for a mapping... or a binding
- Specifically: ARP = map (IP -> MAC)
- And while we're at it...
  - RARP stands for _____________ ARP
  - RARP = map ( _________ )
- Wanna keep them straight? ARP starts with a vowel... so does IP

ARP

- ARP is necessary whenever a host has an _____ address, but does not have the corresponding _____ address
- Device needing the MAC will send a limited broadcast (255.255.255.255) to the local network asking "whomever has this IP, please tell me your MAC"
- The reply (if any) is sent directly to the requestor (unicast) which will then store this in its ARP cache

ARP

- Any device receiving an ARP will...
  - Read the IP address in the ARP request
  - Compare the IP to its own IP
  - If the same, reply via __________ (unicast or broadcast?) to the sender with its MAC address
- With MAC address now in hand, the sender can complete the layer 2 header (it now has the destination MAC address it needed)

Routing a Packet

[Figure: Bob's host and Sam's host connected through the Internet; the stack shown is App/Data over TCP over IP over various Layer 2 technologies]

Routing a Packet

Action by the sending host (Bob):
1. Pass data down to layer 3
2. Determine local subnet address
3. Compare local subnet addr to destination IP... are they the same?
   - Yes: check ARP cache or ARP for dest MAC
   - No: route entry for dest network?
     - Yes: check ARP cache or ARP for the appropriate GW router
     - No: is there a default route entry?
       - Yes: send to DGW router (ARP if necessary)
       - No: Error

Data Goes Down the Stack

[Figure: Bob's host, a switch, the Default Gateway Router and the Internet; the data is wrapped layer by layer on the way down:]
  Data
  Port #s | Data
  Fm: IP-Bob  To: IP-Sam | Port #s | Data
  Fm: MAC-Bob  To: MAC-DGW | Fm: IP-Bob  To: IP-Sam | Port #s | Data
  ... 10010101000101101001001011111101010 ...

Switch Action

[Figure: the frame Fm: MAC-Bob To: MAC-DGW arrives at the switch; everything past the layer 2 header is "?" to it]
  MAC on Port table: Rob 7, Alice 3, DGW 2, ...
Switches only know layer 2... the rest is a mystery

Router Action

[Figure: the frame Fm: MAC-Bob To: MAC-DGW | Fm: IP-Bob To: IP-Sam arrives at the router]
  Dest Network        Interface#   Dest MAC
  NW-Prefix IP-Sam    ethernet 1   MAC-ISPRtr
  ... other entries ...
Router reads layer 3 then re-writes layer 2 for next hop: Fm: MAC-DGW To: MAC-ISPRtr

Switches in the Core Also

[Figure: source S and destination D with Layer 3 routers at the edges and Layer 2 switches (a Cisco AS5800 series unit is pictured) in the core]
But they're not talking Ethernet... probably ATM or Frame Relay using virtual circuit switching

ARP (if necessary) for Last Hop

[Figure: the frame Fm: MAC-RtrZ To: MAC-RtrB | Fm: IP-Bob To: IP-Sam arrives from the Internet at router B, which ARPs on Sam's LAN]
Router B: "Listen up... if any of you owns IP address IP-Sam? Tell me your MAC"
Sam: "That's me, my MAC is MAC-Sam"
Router B then forwards the frame as Fm: MAC-RtrB To: MAC-Sam

The Big (Stack) Picture

IPC sends e-mail (SMTP) to a mail server at IPM

  Layer          Client -> Router hop      Router -> Mail server hop
  5 App          SMTP                      SMTP
  4 Src / Dest   3567 / 25                 3567 / 25
  3 Src / Dest   IPC / IPM                 IPC / IPM
  2 Src / Dest   MACC / MACR               MACR / MACM
  1 Media

Legend: C = client, R = router, M = mail server

The Big (Stack) Picture

IPC downloads (POP3) mail from the mail server

  Layer          Mail server -> Router hop   Router -> Client hop
  5 App          POP3                        POP3
  4 Src / Dest   110 / 29034                 110 / 29034
  3 Src / Dest   IPM / IPC                   IPM / IPC
  2 Src / Dest   MACM / MACR                 MACR / MACC
  1 Media

DNS

- DNS = _________________________
- Related to ARP in that it is also a "resolution" protocol
  - ARP = _________ resolution
  - DNS = _________ resolution
- Specifically: DNS = map (Name -> IP)
- Why do we have such a mechanism?

DNS Summary

vulcan.cs.nps.navy.mil.

[Figure annotations: "vulcan" is the individual machine name; "cs.nps.navy" is at the domain owner's discretion (arbitrary); "mil" is the fixed top level domain (tld); the trailing "." is the root; the whole string is a fully qualified domain name (fqdn)]

DNS Summary

[Figure: the DNS System maps fqdn <-> W.X.Y.Z]
- {Name space}: With exception of top level domain, fully flexible
- {IP space}: Fixed 4 octet number space, but flexible via variable length masks
- DNS... a hierarchically distributed database of fqdn:IP mappings

DNS Servers & Domains

- Every domain must have at least one server configured to provide name -> IP resolution
- More than one name server will
  - Enhance performance
  - Protect against single-point-of-failure
- Typically a primary (P) and secondary (S) name server are specified

DNS Servers & Domains

Here is the minimum "knowledge" needed by the various DNS players to get it going
- Client: "I know the address of my DNS server"
- Root Server: "I know the address of all DNS servers one level below me"
- Non-Root Servers: "We know the address of all the root DNS servers and all DNS servers one level below us"

DNS Servers & Domains

Each networked machine must be told where to find its DNS server. Note this IP address does not have to be "local"

DNS Resolution

- DNS clients request ______________ look-ups from their DNS servers
  - Basically client is saying "you do all the work... I'll wait on the answer"
- DNS servers utilize ______________ look-ups to other servers in the hierarchy
  - Basically server is saying "if you don't know the answer tell me who might"

Pure Recursive Resolution

[Figure: the root server; the .mil domain server; below it the .navy and .army domain servers; below those the .nps domain server (with client Herrmann) and the .usma domain server (with client Patton). Numbered steps 1-9 show the query being handed from server to server up and across the hierarchy and the answer coming back along the same chain]

This is NOT the way it is done. Why not?

Iterative Resolution

[Figure: the same servers and clients; numbered steps 1-9 now show the client's own server querying each server in turn and following the referrals it gets back until it has the answer]

Authoritative or Not?

- Name servers provide two different types of answers
  - Authoritative: Means the answering server is the original source of information for the IP address in the request
  - Non-authoritative: Means the answering server has a cached entry for the IP:name binding that was obtained from a previous lookup

Split DNS

- Split DNS is a DNS security option
- Some names are resolved
  - Servers intended for public
- Some names are not resolved
  - Servers with private IP addresses intended only for local users
  - Perhaps for security reasons... we don't want anyone connecting to them
- Bottom line: A means to limit name resolution for select systems

DHCP

- DHCP = ________________________
- Requires a DHCP server to lease out available IP addresses
- Allows a host to join a network and obtain an IP address w/o administrator involvement
- Permits "Plug-and-Play Networking"
- DHCP is an improved implementation of RARP and bootp

DHCP

- DHCP server can be configured to hand out...
  - Permanent IP addresses to __________
  - Dynamic addresses from a pool of available addresses to clients
- The address is held for some set lease period, then either...
  - It's given up and goes back into the pool
  - Client negotiates for an extension
- Try "ipconfig /all" from command line

DHCP

- When you configure a DHCP server, you will want it to provide the following information, at a minimum
  - An IP address
  - The network's subnet mask
  - The IP of its ___________________ (router)
  - The IP address of a _____ server

Frag-men-ta-tion

- Why does it occur?
- Heterogeneous nature of internetworks
- Different h/w for different transmission technologies specify different maximum frame (layer 2) sizes
- This maximum frame size is referred to as the ______________________ or MTU
- E.g., the MTU for Ethernet is ____ bytes

Some MTU Sizes (bytes)

  IEEE 802.3     1,500
  IEEE 802.5     4,464
  IEEE 802.11    7,981
  PPP              296
  (one further row of 1,500 whose label was not captured)

Frag-men-ta-tion

So what must happen when a frame travels to a network with a smaller MTU?

[Figure: a network with MTU = 1500 joined by a Router to a network with MTU = 500]

The connecting router has to break up the IP packet into smaller packets

Frag-men-ta-tion

[Figure: original packet = IP Header | Layer 4 and 5 (payload), split into IP Hdr 1 | data 1, IP Hdr 2 | data 2, IP Hdr 3 | data 3]

New IP headers are almost identical to the original IP header, but some modifications are necessary

The IP Header

Bit positions 0 4 8 16 19 24 31 (32 bits per row):
  Ver | HLen | Svc Type | Total Length
  Identification | Flags | Fragment Offset
  TTL | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  IP Options | Padding

The IP Header

- Identification field is the link that unifies all fragments of an original single IP packet, thus it is duplicated
- Flags field: 3 bits R-DF-MF where
  - R is Reserved (must be zero)
  - DF = 1 means Don't Fragment
  - MF = 1 means More Fragments... i.e., this is not the last fragment
  (Identification | Flags | Fragment Offset)

The IP Header

- Fragment Offset indicates the position of the fragment's data relative to the beginning of the data in the original packet, in units of 8 bytes
- Combination of these three fields + the total length field allows the destination host to rebuild the original packet
  (Identification | Flags | Fragment Offset)

Frag-men-ta-tion

- Where should fragments get reassembled...
  - By other downstream routers when the MTU gets larger?
  - By the destination host?
- Router reassembly is not a good idea
  - Routers would have to maintain state information for all packets processed
  - Fragments may travel different routes!

Frag-men-ta-tion

[Figure: "Monterey" (assume each letter is 8 bytes in size) crosses networks of MTU 8, MTU 5 and MTU 2 through two routers; the pieces drawn are "Monte" / "rey" and then "Mo", "nt", "e", "re", "y"]
Frag Offset = ____  Flags = ____
Frag Offset = ____  Flags = ____
Frag Offset = ____  Flags = ____

Frag-men-ta-tion

[Figure: the same fragments continuing across networks of MTU 5, MTU 8, MTU 2 and MTU 2; pieces drawn include "Mo", "nt", "er", "e", "y" and "ntere" (assume each letter is 8 bytes in size)]
Packets can arrive out of order

Frag-men-ta-tion

[Figure: "Monterey" with letter positions 0 1 2 3 4 5 6 7; fragment labels Mo, nt, er, e, y and the Frag Offset values 0, 2, 4, 6, 7 appear beside the pieces (assume each letter is 8 bytes in size)]

Re-assembly Exercise (4)

Fragments received (FO = fragment offset, MF = more fragments, PL = payload length):
  FO  MF   PL   bytes covered
   0   1  160   0-159
  20   1  160   160-319
  40   1  160   320-479
  60   1  160   480-639
  80   0   75   640-714
  Missing fragment (marked in the figure)

Question #4: What was the total length (TL) of the original (unfragmented) packet? ________________
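The fragmentation mechanics covered in the slides above (Identification copied, MF flag, Fragment Offset in 8-byte units, reassembly from the MF = 0 fragment's offset plus length), as an added example that is not code from the lecture. The "Monterey" walk-through is my constructed input mirroring the slide: each letter is 8 bytes, the packet crosses a link whose MTU holds 5 letters and then one that holds only 2, and the 20-byte header size is assumed.

```python
"""IP fragmentation, re-fragmentation and reassembly model (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR = 20  # assumed header size; fragment offsets count payload bytes only


@dataclass(frozen=True)
class Fragment:
    ident: int      # Identification: copied into every fragment of one packet
    offset: int     # Fragment Offset, in 8-byte units
    mf: int         # More Fragments flag: 1 = not the last fragment
    payload: bytes


def fragment(frag: Fragment, mtu: int) -> List[Fragment]:
    """Split a packet (or an already-fragmented piece) so each part fits mtu,
    header included. Every part but the last carries a multiple of 8 payload
    bytes so the next offset is a whole unit; the last part inherits the
    incoming MF, which is what makes re-fragmenting a non-final piece correct."""
    room = (mtu - IP_HDR) // 8 * 8
    if room <= 0:
        raise ValueError("MTU leaves no room for 8 payload bytes")
    if IP_HDR + len(frag.payload) <= mtu:
        return [frag]                       # fits as is, no fragmentation
    parts = []
    for start in range(0, len(frag.payload), room):
        chunk = frag.payload[start:start + room]
        is_last = start + room >= len(frag.payload)
        parts.append(Fragment(frag.ident, frag.offset + start // 8,
                              frag.mf if is_last else 1, chunk))
    return parts


def reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], List[Tuple[int, int]]]:
    """Rebuild the original payload from fragments received in any order.
    Returns (payload, []) when complete, or (None, [(first, last), ...]) with
    the missing byte ranges. (None, []) means the MF = 0 fragment, which fixes
    the total length (offset * 8 + its payload length), has not arrived."""
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments belong to different packets")
    finals = [f for f in frags if f.mf == 0]
    if len(finals) != 1:
        return None, []
    total = finals[0].offset * 8 + len(finals[0].payload)
    buf, seen = bytearray(total), bytearray(total)
    for f in frags:
        lo, hi = f.offset * 8, f.offset * 8 + len(f.payload)
        if hi > total:                      # a fragment past the end is malformed
            raise ValueError("fragment extends beyond the total length")
        buf[lo:hi] = f.payload
        seen[lo:hi] = b"\x01" * (hi - lo)
    missing, i = [], 0
    while i < total:                        # collect runs of never-filled bytes
        if seen[i]:
            i += 1
            continue
        j = i
        while j < total and not seen[j]:
            j += 1
        missing.append((i, j - 1))
        i = j
    return (bytes(buf), []) if not missing else (None, missing)


def monterey_walkthrough() -> List[Tuple[str, int, int]]:
    """Constructed scenario: 'Monterey', each letter 8 bytes, first crosses a
    link whose MTU holds 5 letters, then one holding only 2 letters.
    Returns (letters, Frag Offset, MF) for each fragment, in the order produced."""
    original = Fragment(ident=1, offset=0, mf=0,
                        payload=b"".join(bytes([c]) * 8 for c in b"Monterey"))
    after_mtu5 = fragment(original, IP_HDR + 5 * 8)                 # Monte | rey
    after_mtu2 = [p for f in after_mtu5 for p in fragment(f, IP_HDR + 2 * 8)]
    return [(f.payload[::8].decode(), f.offset, f.mf) for f in after_mtu2]
```

Note that the "e" piece keeps MF = 1 even though it was the last piece of "Monte": only the fragment that ends the original payload may carry MF = 0, otherwise the destination would compute the wrong total length.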

VLANs

- VLAN = ____________ LAN
- Switches that support the creation of VLANs allow themselves to be split (partitioned) into >1 ________ domain
- VLANs are isolated from each other
- Ports on a single switch can be assigned to different VLANs
- Ports on multiple switches can be aggregated to form a single VLAN

VLANs

[Figure: one switch; Ports 1-5 assigned to VLAN 36, Ports 6-8 assigned to VLAN 25]
Communications between the 2 VLANs would require layer 3 service (e.g., a router)

VLANs

[Figure: two switches joined by a Trunk Line; ports on both switches belong to VLAN 36 and to VLAN 25]
2 separate VLANs (2 broadcast domains)

Before...

[Figure: three physically separate networks, LAN 1, LAN 2 and LAN 3]

After...

[Figure: three switches joined by a Trunk Line, carrying VLAN 2 & 3, VLAN 1, 2 & 3, and VLAN 1 & 3 respectively]

Routing & Routing Protocols

Routing Protocols

- Routers learn about the location of networks in one of three ways
  - Implicitly: network(s) they are "homed" in
  - Statically added to the routing table
  - Dynamically learned from other routers by sharing routing table information
- Dynamic route learning is made possible by routing protocols

Routing Protocols

[Figure: three routers, each exchanging "My route info" with the others]

Routing Protocols

- No individual router needs to know the exact location of all networks
- Each individual router need only know the next hop to get a packet one step closer to its destination
- In effect, the collective route information of all routers superimposes trees onto what is otherwise a rather "meshy" internetwork.

Routing Protocols

[Figure: a router with interface e0 on A.B.C.0, e1 on A.B.E.0, and a serial interface s0; routing protocol updates arrive from neighbor routers:]
  One neighbor: "I can reach A.B.F.0 in 1 hop, A.C.0.0 in 4 hops"
  Another neighbor: "I can reach A.C.0.0 in 2 hops, B.0.0.0 in 3 hops"

Routing Protocols

[Figure: the same router (e0 on A.B.C.0, e1 on A.B.E.0, s0)]
I can reach
  A.B.F.0 in ___ hops
  A.C.0.0 in ___ hops
  B.0.0.0 in ___ hops
  A.B.E.0 in ___ hops
What would this router then advertise to any other router in the A.B.C.0 network?

Routing Table

[Figure: the router's interfaces e0, e1 and s0]
  Code   To reach   Forward out
  C      A.B.C.0    ethernet 0 interface
  C      A.B.E.0    ethernet 1 interface
  R      A.B.F.0    ethernet 1 interface
  R      A.C.0.0    serial 0 interface
  R      B.0.0.0    serial 0 interface
  S      default    serial 0 interface

Code C = directly connected
Code S = static entry
Code R = routing protocol
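The sending host's decision flow from the "Routing a Packet" slide and the C/S/R routing table above, joined in one added example (not code from the lecture): a longest-prefix lookup in which the default route only wins when nothing more specific matches, used once from the host's point of view (same subnet? route entry? default? else error) and once from the router's (out interface and next hop). All addresses and prefixes are constructed, since the slides use A.B.C.0-style placeholders.

```python
"""Host forwarding decision and router table lookup (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    code: str                                   # 'C' connected, 'S' static, 'R' learned
    network: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[ipaddress.IPv4Address] = None   # None for connected networks


def lookup(table: List[Route], dest: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match. 0.0.0.0/0 (the default) matches every address but has
    prefix length 0, so it is chosen only when no more specific entry matches."""
    matches = [r for r in table if dest in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def host_decision(host_ip: str, mask: str, dest_ip: str,
                  table: List[Route]) -> Tuple[str, str]:
    """The flowchart's branches, as (action, detail)."""
    local = ipaddress.IPv4Interface(f"{host_ip}/{mask}").network
    dest = ipaddress.IPv4Address(dest_ip)
    if dest in local:                                   # same subnet as us?
        return "arp-direct", f"ARP (cache or request) for {dest} on {local}"
    route = lookup(table, dest)
    if route is None:                                   # no entry, no default
        return "error", "no route entry and no default route entry"
    if route.network.prefixlen == 0:                    # only the default matched
        return "send-to-dgw", f"ARP (if necessary) for DGW {route.next_hop}"
    return "send-to-gw", f"ARP (if necessary) for GW {route.next_hop} via {route.iface}"


def router_forward(table: List[Route], dest_ip: str) -> Optional[Tuple[str, str]]:
    """Router action: (outgoing interface, next-hop address to ARP for), or None."""
    route = lookup(table, ipaddress.IPv4Address(dest_ip))
    if route is None:
        return None
    # on a directly connected network the next hop is the destination itself
    return route.iface, str(route.next_hop or dest_ip)


# Constructed host table: its own subnet, one static route, and a default gateway.
HOST_TABLE = [
    Route("C", ipaddress.IPv4Network("10.1.1.0/24"), "eth0"),
    Route("S", ipaddress.IPv4Network("10.1.3.0/24"), "eth0", ipaddress.IPv4Address("10.1.1.254")),
    Route("S", ipaddress.IPv4Network("0.0.0.0/0"), "eth0", ipaddress.IPv4Address("10.1.1.1")),
]

# Constructed router table with the slide's shape: two connected, three learned, one default.
ROUTER_TABLE = [
    Route("C", ipaddress.IPv4Network("10.1.1.0/24"), "ethernet 0"),
    Route("C", ipaddress.IPv4Network("10.1.2.0/24"), "ethernet 1"),
    Route("R", ipaddress.IPv4Network("10.1.3.0/24"), "ethernet 1", ipaddress.IPv4Address("10.1.2.2")),
    Route("R", ipaddress.IPv4Network("10.2.0.0/16"), "serial 0", ipaddress.IPv4Address("192.0.2.1")),
    Route("R", ipaddress.IPv4Network("172.16.0.0/16"), "serial 0", ipaddress.IPv4Address("192.0.2.1")),
    Route("S", ipaddress.IPv4Network("0.0.0.0/0"), "serial 0", ipaddress.IPv4Address("192.0.2.1")),
]
```

`HOST_TABLE[:2]` (the same host without its default entry) exercises the "Error" branch of the flowchart.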

Shortest-Path Spanning Tree

- Graph theory from Discrete Mathematics gets heavy utilization in networking
- Each graph node (network router) is not concerned with all edges... only the minimum set of edges that will provide the shortest possible path to all other nodes (i.e., a shortest-path spanning tree)
- Superimposing trees on graphs also removes loops!

Shortest-Path Spanning Tree

[Figure: routers joined by their actual physical connections, each link labelled with some dimensionless units of relative congestion (the values drawn include 1, 2, 3, 4, 5, 6, 8 and 10); the leftmost router says "I wanna be the root of a shortest-path spanning tree"]

Shortest-Path Spanning Tree

[Figure: result of Dijkstra shortest path algorithm run from the leftmost router, with the tree's links highlighted on the same graph] Cool!

Shortest-Path Spanning Tree

[Figure: same logical topology physically re-oriented to look like a "classical" tree]

Shortest-Path Spanning Tree

Of course each router will create its own shortest path spanning tree
[Figure: the same graph with a different router's tree highlighted] Cool!

Shortest-Path Spanning Tree

The trees can be "broken"...
[Figure: the same graph with one of the tree's links marked X] Uh oh!

Shortest-Path Spanning Tree

Events that may call for routing table (spanning tree) changes:
- New link is added
- Existing link is broken
- Server farm is added to a network
- Bandwidth-eating WORM
- BW-hungry multi-media multi-casting app
- Other congestion causing events
- Etc.
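The per-router shortest-path spanning tree the slides above describe, as an added example (not code from the lecture): Dijkstra run from a chosen root over a weighted graph whose link costs play the role of the slides' relative-congestion units, reduced to the only thing a router needs to forward (the next hop toward each destination), and then recomputed after one tree link "breaks". The six-router topology and its costs are constructed, not the graph drawn in the slides.

```python
"""Shortest-path spanning tree and next-hop table per router (added example)."""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]   # node -> {neighbour: link cost}


def build_graph(links: List[Tuple[str, str, int]]) -> Graph:
    g: Graph = {}
    for a, b, cost in links:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost   # links are bidirectional
    return g


def dijkstra(g: Graph, root: str) -> Tuple[Dict[str, float], Dict[str, Optional[str]]]:
    """Return (cost to reach each node, parent of each node in the tree at root)."""
    dist: Dict[str, float] = {n: float("inf") for n in g}
    parent: Dict[str, Optional[str]] = {n: None for n in g}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:                 # stale entry left over from an earlier relax
            continue
        for v, w in g[u].items():
            if d + w < dist[v]:
                dist[v] = d + w
                parent[v] = u
                heapq.heappush(heap, (dist[v], v))
    return dist, parent


def next_hops(g: Graph, root: str) -> Dict[str, str]:
    """Routing-table view: destination -> neighbour to forward out toward.
    Walk each destination's tree path back toward the root; the node directly
    below the root is the next hop. Unreachable nodes are left out."""
    dist, parent = dijkstra(g, root)
    table: Dict[str, str] = {}
    for dest in g:
        if dest == root or dist[dest] == float("inf"):
            continue
        hop = dest
        while parent[hop] != root:
            hop = parent[hop]            # type: ignore[assignment]
        table[dest] = hop
    return table


def break_link(g: Graph, a: str, b: str) -> Graph:
    """A copy of g without the a-b link (the X on the slide)."""
    h = {n: dict(nb) for n, nb in g.items()}
    h[a].pop(b, None)
    h[b].pop(a, None)
    return h


# Constructed topology: six routers, costs are relative congestion units.
LINKS = [("R1", "R2", 10), ("R1", "R3", 3), ("R1", "R5", 5), ("R2", "R3", 6),
         ("R2", "R4", 2), ("R3", "R4", 9), ("R3", "R5", 4), ("R4", "R6", 4),
         ("R5", "R6", 1)]
TOPOLOGY = build_graph(LINKS)

if __name__ == "__main__":
    print("R1 before:", next_hops(TOPOLOGY, "R1"))
    print("R1 after R1-R5 breaks:", next_hops(break_link(TOPOLOGY, "R1", "R5"), "R1"))
    print("R4's own tree:", next_hops(TOPOLOGY, "R4"))
```

From R1, the direct 10-cost link to R2 never enters the tree (R2 is cheaper via R3), and when the R1-R5 link breaks every destination collapses onto R3 as next hop; R4's table is different again, which is the "each router builds its own tree" point.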

Convergence

- Notification of a topology (or congestion) change takes time to reach all affected nodes of the network
- _______________ = the process of all routers' tables arriving at the same (correct) topological map of the internetwork
- ___________ convergence is desired
- During convergence, routers will for a period have an "inconsistent view"

Convergence

[Figure: the same weighted graph with one link marked X; the bottom router has computed a new spanning tree, but the others may not be aware of the change yet]

Routing Protocols

- 3 gen'l classes of routing protocols
  - Distance Vector (DV)
  - Link State (LS)
  - Path Vector (PV)
- Another major classification is
  - Interior Gateway Protocols (IGP), for intra-autonomous system (AS) routing
  - Exterior Gateway Protocols (EGP), for inter-AS routing
- AS = {routers} under common admin

IGP, EGP, and AS

[Figure: two autonomous systems (ASs), which internally use an IGP; the AS border routers talk to one another using an EGP]
Most common EGP is the Border Gateway Protocol (BGP)

Autonomous System?

"The definition of AS has been unclear and ambiguous for some time. The classic definition of an Autonomous System is a set of routers under a single technical administration, using an interior gateway protocol and common metrics to route packets within the AS, and using an exterior gateway protocol to route packets to other ASes. Since this classic definition was developed, it has become common for a single AS to use several interior gateway protocols and sometimes several sets of metrics within an AS. The use of the term Autonomous System here stresses the fact that, even when multiple IGPs and metrics are used, the administration of an AS appears to other ASes to have a single coherent interior routing plan and presents a consistent picture of what networks are reachable through it."
- From RFC 1930

DV Routing Protocol

- Examples:
  - RIP (Routing Information Protocol)
  - IGRP (Interior Gateway Routing Prot.)
- Aka Bellman-Ford-[Fulkerson] algo.
- General characteristics:
  - Entire _______ is shared
  - Table shared with ________________ only
  - Table shared at scheduled intervals (~30 secs) whether or not a change has occurred

DV Routing Protocol

- Knowledge of network info >1 hop away is merely inferred
- DV routing also called ______________________

[Figure: three routers, each saying "Here's what I know"; periodic exchange of routing tables]
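The distance-vector update step described in the two DV slides above and in the earlier "I can reach ... in N hops" slides, as an added example (not code from the lecture): a router's table is only its directly connected networks plus whatever each neighbour advertises with one hop added, so everything more than one hop away is inferred rather than observed. Network names, interfaces and hop counts are constructed; the 16-hop "unreachable" guard follows RIP's convention and directly connected networks are counted as 0 hops here.

```python
"""Distance-vector table update and advertisement (added example; constructed data)."""
from typing import Dict, Tuple

HOP_LIMIT = 16   # RIP's 'infinity': a hop count this large means unreachable


def dv_update(connected: Dict[str, str],
              adverts: Dict[str, Dict[str, int]]) -> Dict[str, Tuple[int, str]]:
    """connected: network -> local interface (0 hops, like the table's 'C' entries).
    adverts: interface -> {network: hops} as announced by the neighbour on it.
    Returns network -> (hops, interface to forward out of). A network is never
    seen directly; it is accepted on a neighbour's word, plus one hop to reach it."""
    table: Dict[str, Tuple[int, str]] = {net: (0, ifc) for net, ifc in connected.items()}
    for ifc, routes in adverts.items():
        for net, hops in routes.items():
            cand = hops + 1                        # one more hop: through that neighbour
            if cand >= HOP_LIMIT:
                continue                           # neighbour can't really reach it
            if net not in table or cand < table[net][0]:
                table[net] = (cand, ifc)           # new network, or a shorter path
    return table


def dv_advertise(table: Dict[str, Tuple[int, str]], out_ifc: str) -> Dict[str, int]:
    """What this router tells the neighbour on out_ifc at the next scheduled
    interval: every reachable network with our own hop count. Routes learned
    over out_ifc itself are withheld (split horizon) so that neighbour never
    routes back through us to reach its own side of the network."""
    return {net: hops for net, (hops, ifc) in table.items()
            if hops == 0 or ifc != out_ifc}


def sample() -> Tuple[Dict[str, Tuple[int, str]], Dict[str, int]]:
    """Constructed router: e0 on NET_C, e1 on NET_E, serial s0 toward the WAN.
    The neighbours on e1 and s0 both claim NET_X with different hop counts;
    the closer claim must win. Returns (table, advertisement sent out e0)."""
    connected = {"NET_C": "e0", "NET_E": "e1"}
    adverts = {
        "e1": {"NET_F": 1, "NET_X": 4},
        "s0": {"NET_X": 2, "NET_B": 3},
    }
    table = dv_update(connected, adverts)
    return table, dv_advertise(table, "e0")
```

Feeding this router's own advertisement into a neighbour's `dv_update` (with another +1) is exactly how a network three routers away ends up in a table that has never heard from that network directly.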

LS Routing Protocol

- Aka Shortest-Path-First (SPF) algo.
- Examples:
  - OSPF (Open Shortest Path First)
  - NLSP (Novell Link State Protocol)
- General characteristics:
  - Only ___________ are shared (i.e., delta)
  - Deltas are shared with _____ routers in AS
  - Shared info is more detailed and provides for construction of a global network view

LS Routing Protocol

- All routers have global picture of entire internetwork... not just the view from the neighbors
- As you should guess this entails a relatively large amount of...
  - CPU processing (to build the initial map)
  - memory (to store map as a data structure)
- Once built though, this global map facilitates rapid ________________!

LS Routing Protocol

[Figure: routers A, B, C and D, each holding its own copy of the full map; the A-B link just went down (marked X)]

Finished