My Intro IP3

INTRODUCTION TO IP NETWORKS
Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000
TCP/IP
Page 1
Alcatel University - 8AS 90145 0007 VH ZZA Ed.02
Page 1
CONTENTS
INTRODUCTION TO TCP/IP IP LAYER PROTOCOLS IP OVER LAN / MAN / WAN TCP/IP : TRANSPORT LAYER TCP/IP : APPLICATIONS IP NETWORK INTERCONNECTIONS NETWORK ADMINISTRATION SECURITY IP VERSION 6
TCP/IP
Page 2
Page 2
Section 1 INTRODUCTION TO TCP/IP
TCP/IP
Page 3
Page 3
DEFINITIONS
Network architecture covers all the hardware and software resources for interchanging data between two remotely located data processing systems The OSI model (Open Systems Interconnection) is a 7-layer architecture for communication between two open systems Communication between layers is defined by the concept of service Communication between peer layers is defined by the concept of communication protocol The TCP/IP architecture incorporates only three functional layers
TCP/IP
Page 4
IP : NETWORK PROTOCOL
1.1 Fundamental concepts of TCP/IP When two data processing systems want to communicate, numerous problems of very different types have to be solved. The functions required for communication must be structured in the same way, hence the need for standardization. In the field of long haul networks, the ITU (International Telecommunications Union (formerly CCITT)) is responsible for most standardization. It has brought together both public and private telecoms Operators and telecom manufacturers from all countries to develop and distribute the most well known standards such as X.25, X.400, ISDN, V.24, etc. The standardization of local area networks is mainly the responsibility of the IEEE (Institute of Electrical and Electronics Engineers), and its committee 802. The ISO (International Standards Organization), which is dependent on the United Nations, plays a major role in networks and telecommunications. It has defined a reference model and is the only organization which can qualify a standard. In France, it is represented by AFNOR. In addition to these official organizations, manufacturers and software publishers also produce standards. When a product becomes widely used, it becomes a "de facto" standard. Ethernet (Digital, Intel, Xerox) and NetWare (Novell) are examples of manufacturer standards. TCP/IP architecture is a particular type of manufacturer standard, although not originated by manufacturers.
Page 4
FUNCTIONAL STRUCTURE
Application Presentation Session Management of application connections
Transport Network
End-to-end management Network interconnection
Data link Physical
Physical bearer access method
TCP/IP
Page 5
1.2 Layered architecture

Layer 7 : application layer : This layer manages the ways in which other layers can be used. It provides user services such as messaging, file transfer and sharing, and terminal emulation. presentation layer : This layer manages data presentation problems (that is, syntax and form). It defines the way in which two communicating entities can describe themselves to one another, and the type of data interchanged. session layer : This layer mainly manages the synchronization of remote tasks. It also manages dialogue between the tasks. transport layer : This layer adapts data units to network transport conditions. It manages end-to-end reliability functions if not provided by the network. network layer : This layer manages end-to-end routing of data units called packets, with or without reliability mechanisms. It mainly provides routing and switching functions. data link layer : This layer handles point-to-point transfer of data units called frames, incorporating error detection (and in some cases correction) mechanisms. physical layer : This layer manages data bits, adapting the form (electrical or optical) to the physical bearer. It also provides clock signals required for synchronization.
Layer 6
Layer 5 Layer 4
: :
Layer 3
Layer 2
Layer 1
Page 5
ENCAPSULATION
Layer (N+1)
(N+1) - PDU
(N)-PCI
(N) - SDU
Layer (N)
(N) - PDU
PDU : Protocol Data Unit SDU : Service Data Unit PCI : Protocol Control Information
Convention Layer 1 PDU : bit Layer 2 PDU : frame Layer 3 PDU : packet Layer 4 PDU : message
TCP/IP
Page 6
1.3 Services and Protocols Communication between adjacent layers (vertical communication) is based on the concept of service. The data unit interchanged at the service interface (transparent on a data transmission line) is called : Service Data Unit (SDU). Communication between layers on the same level (peer layers) is based on the concept of protocol. An element of protocol data is called a Protocol Data Unit (PDU).
The information to be transported is "encapsulated" on transition into a layer.
Page 6
CONNECTION-ORIENTED AND CONNECTIONLESS MODE
The connection-oriented mode is associated with the concept of reliable transfer It involves three phases: - SET-UP - TRANSFER - RELEASE Connectionless mode has only one phase: - TRANSFER
TCP/IP
Page 7
1.4 Transfer mode Information can be transported over a network in one of two modes: connection-oriented and connectionless. Connection-oriented mode entails maintaining an end-to-end connection for the duration of the dialogue between two open systems. This transport mode requires the use of resources in both systems. In involves three phases: Set-up phase to establish the connection allowing the party initiating the call to ensure that the remote terminal is present and ready to receive. Transfer phase, generally involving simultaneous bidirectional (Full-duplex) transfer. Both communicating machines can send and receive at the same time. Since the connection-oriented service is considered reliable, regular acknowledgements are sent during communication to guarantee that data is routed correctly. Release phase, used by the two machines to ensure that data still in transit is not lost. This is called a negotiated disconnection. An abrupt disconnection can be initiated by one of the two parties but may lead to data loss.
Connectionless datagram mode entails sending data over the network with no guarantee of correct delivery. There is no end-to-end continuous signal regarding the status of transfers. This service is generally not guaranteed reliable. Its main advantages are simplicity of implementation and performance.
Page 7
RELIABLE TRANSFER
The concept of reliable transfer involves 3 functions: - SEQUENCING - ERROR RECOVERY - FLOW CONTROL
TCP/IP
Page 8
The concept of reliable transfer is mainly associated with connection-oriented mode. It provides a way of guaranteeing that PDUs are routed from end to end in the order in which they were sent. Sequencing can be achieved by numbering or quantifying PDUs. Error recovery combines two functions: error detection and error correction. In general, detection is handled by an acknowledgement mechanism and correction by retransmission. The purpose of flow control is to prevent data loss in the event of congestion. It allows the receiver to control and even stop data transmission by the sender.
Page 8
CLIENT-SERVER MODEL
TCP/IP communication complies with the CLIENT-SERVER model
A machine (host) running a SERVER software package (process), responds to requests sent by a CLIENT It is always the CLIENT that sends requests to the server
TCP/IP
Page 9
In the client-server model, the client initiates dialogue and waits for confirmation from the server. If the server accepts the client, it can send requests to which the server responds. The term client-server application is now reserved for a category of applications (generally, but not necessarily, network applications) in which application processing is distributed between client and server. TCP/IP is an architecture based on networked Client-Server relations.
Page 9
ARCHITECTURES
OSI Architecture
Application Presentation Session Transport Network Link Physical VT, FTAM, X400,CMIP ASN.1 X409 ISO 8326 TP0, ..., TP4 X.25 PLP Internet 8473
Novell Architecture
TCP/IP Architecture Telnet FTP, NFS SMTP HTTP SNMP TCP UDP IP
Microsoft Architecture
NCP SAP
S.M.B. NetBios
NetBeui
SPX IPX FDDI DQDB MAN
HDLC, LAP-B, FR, ATM, X21, V35, S,T Copper, FO, Microwave WAN
802.2 802.x
Ethernet Token Ring LAN

TCP/IP
Page 10
There are three main types of architecture: Proprietary architectures These are the oldest types of architecture (defined before the OSI model). The lower layers of these architectures can use standard protocols. For example, Microsoft or Novell architectures can communicate with TCP/IP layers 3 and 4. SNA is IBM's architecture. Standardized architecture A set of services and protocols defined by the ISO within the framework of the OSI model. Although the lower layers (1 to 3) are widely used, the higher layers of the OSI model seem to be limited to administrations. TCP/IP standard architecture TCP/IP is a network architecture for connection of and communication between any type of hardware over any type of network. TCP/IP is rapidly becoming a universal architecture.
Page 10
IP-RELATED ORGANIZATIONS ISOC ("internet society")

defines policy and development objectives
IAB (Internet Activities Board)

coordinates research and development activities
IETF (Internet Engineering Task Force)

manages technical standards
IRTF (Internet Research Task Force)

responsible for network development
NICs (Network Information Centre)

In France : AFNIC (www.nic.fr) In United States : INTERNIC (www.internic.net)
TCP/IP
Page 11
The organization supervising all TCP/IP developments is the IAB (Internet Activities Board). It is independent of all manufacturers. It has recently been recognized by the ISO as an independent organization for defining standards. The IAB has two main "task forces": IRTF Internet Research Task Force : responsible for TCP/IP research and development responsible for the Internet
IETF
Internet Engineering Task Force :
Another entity manages Internet access addresses and RFC (requests for comments) numbers: NIC (Network Information Centre). Its French counterpart is the AFNIC: Association Franaise pour le Nommage Internet en Coopration. The IETF and NIC are the two main authorities for both Operators and commercial companies.
Page 11
REQUESTS FOR COMMENTS
The RFCs published by the IETF are the equivalent of ITU recommendations RFCs have no version N , but the number is changed on each update. Everyone can contribute Document references on protocols and services Technical publications on networks Since 1969 (ARPANET) : more than 2300 RFCs Freely available over the Internet (www.internic.net) Not all RFCs are equivalent to standards
State
Standard Draft standard Proposed Experimental Informational
Status
Required Recommended Elective Limited use Not recommended
TCP/IP
Page 12
Any new protocol studied and/or implemented is submitted to the IAB in the form of an RFC study document. The IAB (via the NIC) then assigns it a state and a status. The state and status are changed during formalization of the protocol described, its functionalities, implementations, etc. The different states of an RFC are listed below: Standard protocol : Official standard for TCP/IP architecture. exist and have been in operation for some time. Tested products
Draft standard protocol : Potential standard. Additional tests are required. These tests will be submitted once again to the IAB for approval and validation. Proposed Standard Protocol : Potential standard. Numerous tests are still to be carried out. The tested protocol will definitely be reviewed and improved. Experimental protocol : Protocol in the experimental phase. protocol must not be implemented by any operational system. This type of
RFCs are assigned a reference N (and any RFCs made obsolete), and the references, name, company, etc of the author or authors. Many servers relay RFCs over the Internet according to theme or N . standards, they are therefore freely accessible. Unlike the
RFCs specify whether implementation is mandatory, recommended, optional or not recommended.
Page 12
TCP/IP ARCHITECTURE
ping
Telnet SMTP DNS FTP X-Window

TCP IP
TFTP SNMP NNTP DHCP HTTP

UDP
NFS XDR RPC
IGP / EGP
ICMP
ARP HDLC, LAP-B X21, V35, S, T WAN

FDDI MAN
Ethernet Token Ring LAN

TCP/IP
Page 13
Network layer: IP ICMP ARP EIGRP OSPF Transport layer: TCP UDP TELNET SMTP DNS TFTP/FTP SNMP NFS RPC XDR HTTP : : : : : : : : : : : Transmission Control Protocol User Datagram Protocol TELecommunication NETwork Simple Mail Transfer Protocol Domain Name System Trivial / File Transfer Protocol Simple Network Management Protocol Network File System Remote Procedure Call eXternal Data Representation Hyper Text Transport Protocol : : : : : Internet Protocol Internet Control Message Protocol Address Resolution Protocol Bootstrap Protocol/Dynamic Host Configuration Protocol Enhanced Inter Gateway Protocol Open Shortest Path First
BOOTP/DHCP :
Session, Presentation and Application layers:
Page 13
Introduction : The essential
True or False
IP was created in the beginning of the 80 s, when the first PCs appeared. The OSI model has been defined in order to classify TCP/IP protocols. Both IP and X25 protocols allow to transmit data, but with different advantages A reliable transfer must be transmitted by a reliable physical bearer. Client/Server architecture is very often used in applications based on IP. IRTF et IETF are organizations depending on the DARPA All the protocols of TCP/IP architeture are defined in the RFCs. False False True False True False True
TCP/IP
Page 14
Page 14
Section 2 IP LAYER PROTOCOLS
TCP/IP
Page 15
Page 15
IP LAYER IP is a protocol that can be routed in connectionless mode

Type : Best Effort Delivery The IP layer incorporates different protocols IP datagram ICMP datagrams Routing datagrams
IP needs a transport protocol IP is non-reliable

Routing not guaranteed No error checking No flow control Sequencing not guaranteed
TCP/IP
Page 16
Adaptation to the physical network (fragmentation/reassembly) The IP protocol manages packet sizes adapted to the frame size limits at link level (MTU : Maximum Transmit Unit). (Eg. : 1500 octets for Ethernet, 8 Kbytes for Token Ring, etc). IP has a mechanism for fragmenting segments received from a higher layer so that they can be sent on the physical network. Fragmentation, if required, is performed in the routers used.
Time To Live Each packet is sent with the life span, or "time-to-live", defined by the value in the TTL field of the IP header. The counter is initialized by the packet sender and decremented by unity each time it crosses a router. When it hits 0 in a router, the packet is destroyed. An ICMP packet is then returned to the sender.
Multiplexing a number of higher level protocols IP manages N level 4 protocols. A "type" field identifies the protocol transported. Eg: TCP, UDP, Routing, etc.
Dynamic and auto-adaptive routing Routing is the IP protocol's basic functionality. packet from end to end. It serves mainly to route the
Page 16
IP : MEDIATION LAYER
LAN Ethernet LAN Token Ring WAN X.25, FR, ATM PSTN-ISDN
WAN ppp
PSTN ISDN
Internet
FDDI
TCP/IP
Page 17
Restrictions Guaranteed routing The IP protocol provides a datagram service. The IP packet sender does not keep a record of the packet sent, which means that it is not capable of retransmitting the packet if it does not reach its destination. The IP protocol therefore has no acknowledgement mechanism. Error checking The checksum computed for IP is applied only to the IP packet header and used by IP recipients (mainly routers) to check that the packet has not been altered by protocol internal management. Error monitoring is handled by link level protocols. Flow control There is no mechanism for managing buffer saturation in routers. Congestion results in packet loss. Data resequencing Packets sent are routed independently to individual recipients (datagram mode principle). They can take different paths and be received in a sequence different from the transmission sequence. The IP protocol does not guarantee sequencing of the packets transmitted (IP-SDU).
Page 17
IP ADDRESSES (V4)
10010110 150 .
00001010 10 .
00010100 20 .
00011110 30
In IP V4, an address is coded on 32 bits It is represented by the decimal value of each of the 4 octets, separated by a dot It consists of two fields: - Net ID field - Host ID field The field separator position is variable It is identified using the concept of address class
TCP/IP
Page 18
Network logical addresses used by the IP layer are 32-bit addresses configured manually or dynamically. These addresses are independent of physical addresses. A static or dynamic mechanism is therefore required to link these two types of address. Any IP station can be reached using different types of address supported by LANs but not by telecom WANs. Unicast address (individual) Each IP machine (that is, a machine with TCP/IP connectivity) has a unique individual address. Note that in contrast to the uniqueness of MAC unicast addresses, IP logical address uniqueness must be guaranteed by the administrator if there is no DHCP server. Broadcast address Any IP machine can be reached using a broadcast address and therefore process the appropriate packet. This type of address means that all stations in the network can be addressed using a single packet. This functionality does not exist on telecom networks. Multicast address (group) This type of address defines a group in which an N-machine subset of all machines can be reached. Addressing is not configurable and is generally application-based or linked to routing protocols.
Page 18
IP ADDRESSES : CLASSES
Net Id
Host Id
Class A : NET ID 1st octet, Host ID 3 octets

Net Id Host Id
Class B : NET ID 2 octets, Host ID 2 octets
Net Id
Host Id
Class C : NET ID 3 octets, Host ID 1 octet

TCP/IP
Page 19
32-bit IP addresses consist of two fields: The net ID field first and host id field last. Two stations on the same physical local network can intercommunicate only if they belong to the same IP logical network. Two stations on two different IP networks can intercommunicate only via a router. The position of the network and host field separator depends on the 32-bit address values used. These values are organized in address classes. Addresses in which the first octet has a decimal value between 1 and 126 are class A addresses. The first octet then represents the network number and the other three octets the host number. Addresses in which the first octet has a decimal value between 128 and 191 are class B addresses. The first two octets then represent the network number, and the last two octets the host number. Addresses in which the first octet has a decimal value between 192 and 223 are class C addresses. The first three octets represent the network number and the last octet the host number.
Page 19
IP ADDRESSES : CLASSES
Nets : 128
Hosts : 16 777 214
Class A : NET ID 1st octet, Host ID 3 octets. 1st octet value from 1 to 126 Nets : 16 384 Hosts : 65 534
Class B : NET ID 2 octets, Host ID 2 octets. 2nd octet value from 128 to 191
Nets : 2 097 152
Hosts : 254
Class C : NET ID 3 octets, Host ID 1 octet. 1st octet value from 192 to 223
TCP/IP
Page 20
These address classes have resulted in wastage, in particular in regard to class B addresses because of the significant differences in capability between a class B network and a class C network.
Class D contains multicast addresses, 224.
Higher values (225 to 254) are class E addresses reserved for the IETF.
Page 20
IP ADDRESSES : FEATURES
Value 0 : represents ANY Host
150.10.0.0 represents any host on network 150.10 Value 1 : represents ALL Hosts 150.10.255.255 represents all hosts on network 150.10 127.X.X.X addresses are LOOPBACK addresses These addresses are never sent over the network
TCP/IP
Page 21
Some forms of address are reserved. The all-0 and all-1 forms are special values. 0.0.0.0 This address represents any machine not yet assigned an address. It use is allowed on startup (on booting, before determining the true unicast address). It is not a valid network address. network n + machine n set to 0 : Eg. : 150.10.0.0 Represents this network. network n set to 0 + machine n : Eg. : 0.0.20.30 The machine on this network. 127.x.x.x This address is reserved for loopback (local loop). It represents the machine and can be used for intercommunication between local processes. Client and server implemented in the same host. A packet with destination address 127.0.0.1 is looped in the IP layer and therefore never leaves the machine.
Page 21
Any station can be reached at its UNICAST address Eg. : 150.10.20.30 Any station can be reached at its BROADCAST address Selected broadcast Eg. : 150.10.255.255 Restricted broadcast : 255.255.255.255 Any station can be reached at its MULTICAST address MULTICAST addresses are structured : 224.X.X.X They are class D addresses and represent ALL hosts in a group IP V6 does not support Broadcasts but introduces the concept of ANYCAST: Any (at least one) host in a group
TCP/IP
Page 22
network n + machine n set to 1 : Eg. : 160.10.255.255 Selected broadcast for broadcasting on another network.
225.255.255.255 : Restricted broadcast for broadcasting on the physical network and not crossing routers (except in special configurations). 224.0.0.9 : Represents the Multicast address of routers running the RIP Version 2 routing protocol.
Page 22
IP ADDRESSES : MASK
The function of routing is to reach any host in a network Eg. : 150.10.0.0 The HOST part of the UNICAST address must be masked Eg. : 150.10.20.30 must be converted to 150.10.0.0 A logical AND must be applied to the UNICAST address and the mask value Configuring a mask entails: Setting the NET part to 1 and the Host part to 0 It is therefore sufficient to know the class Eg. : for network 150.10, class B, the mask will be: 255.255.0.0
TCP/IP
Page 23
Any IP machine must have at least one network mask, required for the routing function.
The mask is used to specify the net part (user, server or router) which the station must choose to route the IP packet.
Page 23
IP ADDRESSES : MASK
10010110 150 AND 11111111 255 10010110 . .
00001010 10 11111111 255 00001010 . .
00010100 20 00000000 0 00000000 . .
00011110 30 00000000 0 00000000
150
10
TCP/IP
Page 24
When processing a packet, IP applies a LOGICAL AND to the unicast address generated and the configured mask value. The objective is to obtain a logical AND result in the form: Net ID (n). 0, where n depends on the class so that the packet can be routed to the appropriate network. This means that once unicast address 150.10.20.30 has been applied, mask 255.255.0.0 will be presented in the form 150.10.0.0 for interrogating the routing table.
Page 24
IP network 192.1.1.0
192.1.1.1 192.1.1.2 192.1.1.3
Requirements Two stations separated by router: Different network N s Two stations connected with no router: Same network N s On same network: Different host N s
192.1.1.17 Router 128.15.1.1
An IP machine must know: - its IP address
128.15.1.13 128.15.187.1
- its subnetwork mask - at least one IP router address
IP network 128.15.0.0
TCP/IP
Page 25
In order to "exist", a station must have a unicast address and associated mask. The address of a router (generally default address) allows it to avoid being shut in to its own network. The station derives its "routing table" on the basis of this information.
Page 25
SENDING THE IP DATAGRAM
Logical network N1
Logical network N2
Packet ready to send C:\netstat -r network address 0.0.0.0 127.0.0.0 150.10.0.0 150.10.20.30 255.255.255.255 150.10.255.255 224.0.0.0 network mask 0.0.0.0 255.0.0.0 255.255.0.0 255.255.255.255 255.255.255.255 255.255.255.255 224.0.0.0 Gateway addr. 150.10.20.31 127.0.0.1 150.10.20.30 127.0.0.1 150.10.20.30 150.10.20.30 150.10.20.30
Routing table
Interface 150.10.20.30 127.0.0.1 150.10.20.30 127.0.0.1 150.10.20.30 150.10.20.30 150.10.20.30

TCP/IP
metric 1 1 1 1 1 1 1
Page 26
The IP layer which has a packet to send must determine the interface to which the packet must be delivered. This amounts to deciding the layer 2 (LAN, MAN or WAN) to which the IP must "pass" the datagram. It interrogates the routing table using the netstat r command to identify the interface to be used.
Page 26
SENDING THE IP DATAGRAM
Logical network N1
Logical network N2
Packet ready to send
Routing table
LAN
Interface
ARP cache
No Entry
ARP cache
08 20 02 12 63 48
150.10.20.30
MAC frame ARP request

TCP/IP
Page 27
After identifying the interface, the IP must know the type of protocol associated with the interface, depending on whether the procedure is LAN/MAN or not. This is because layer 2 will have to define a physical destination address associated with the layer 3 address. For LAN/MANs, this address is supplied by an ARP cache managed dynamically using ARP requests so that IP and MAC address can be mapped. An interesting feature of these requests is that they are Broadcast by layer 2. The broadcast function does not exist on WAMs and manual mapping is required. ATM represents a special case since it can be implemented on a LAN, MAN or WAN, in which case ARP mechanisms are provided by servers.
Page 27
ADDRESSING BY SUBNETWORK
Network 2 160.10.0.0 Network 1 150.10.0.0 S/Network 3 S/Network 1 S/Network 2 Network 3 170.10.0.0
TCP/IP
Page 28
Subnetworks are used to partition the network and segregate message flows.
The subnetwork address is configured in the Host Id part.
A mask is used to create subnetworks, forcing routers to "deepen" the analysis.
The number of subnetworks depends on the number of bits reserved in the Host Id field.
Subnetwork addresses which are all 0s or all 1s have a special function.
Example: up to six subnetworks can be configured using a three-bit subnetwork address.
Page 28
ADDRESSING BY SUBNETWORK Example: Class B address 150.10.0.0 can be subnetted using one of the masks below, depending on the number of subnetworks required
N of bits 2 3 4 5 6 7 8 9 etc.
Mask 255.255.192.0 255.255.224.0 255.255.240.0 255.255.248.0 255.255.252.0 255.255.254.0 255.255.255.0 255.255.255.128
N of SNs 2 6 14 30 62 126 254 510

TCP/IP
Page 29
A second addressing level: subnetwork. The basic unicast address consisting of: <network n> <machine n > can be extended to: <network n> <subnetwork n > <machine n> The network n part remains unchanged (same addressing class, A, B or C). The subnetwork n part occupies some of the space reserved for the machine number. Its length in terms of bits varies (in contrast to the network part which varies in terms of the number of octets). The machine n part occupies the remaining space and its length also varies in terms of the number of bits.
The main advantage of this type of addressing lies in the fact that a single network (class A, B or C) can be subdivided into N IP logical subnetworks with exactly the same interconnection and routing rules as for single-level conventional hierarchical addressing.
Page 29
ADDRESSING BY SUBNETWORK
Network 2 160.10.0.0 Network 1 150.10.0.0 Network 3 170.10.0.0
S/Network 1 160.10.64.0 S/Network 2
160.10.128.0
TCP/IP
Page 30
The subnetworks (2-bit address) of network 160.10.0.0 are: 160.10.20.64.0
160.10.20.128.0
A station with address 160.10.20.30 before subnetwork creation must be renumbered.
In the first subnetwork, it becomes:
160.10.84.30
If it is installed in the second subnetwork, it becomes:
160.10.148.30
Page 30
PRIVATE / PUBLIC ADDRESSING
RFC 1918
The following network numbers are not routed on the Internet
Class A 10.0.0.0
Class B 172.16.0.0 to 172.31.0.0
Class C 192.168.0.0 to 192.168.255.0
Natural segregation of private traffic from Internet traffic Requires the presence of an address translator Network Address Translator (Router function) The NAT does not replace the FireWall and/or Proxy Server
TCP/IP
Page 31
Page 31
ADDRESS TRANSLATION
Firewall
Internet
Translator
ISP
@priv1,150.10.20.30 @priv2,150.10.20.31 @priv3,150.10.20.32
@pubA,194.10.212.47 @pubA, 194.10.212.49 @pubA, 194.10.212.49
Dynamic management of a mapping table translating private/public IP @
Translator location In the Firewall In the router Types of translation N private @ to 1 public @ N private @ to M public @ 1 private @ to 1 public @
Example : N to M
TCP/IP
Page 32
The NAT (Network Address Translation) function solves the problem associated with the shortage of public addresses, and also provides protection for stations in the private network.
n private addresses can be associated with a single public address (front end router address). The router then separates flows by identifying client-server pairs in terms of application addressing (port N s).
Page 32
IP: DATAGRAM FORMATS

0 VERSION 7 LENGTH SERVICE TYPE TOTAL LENGTH IDENTIFICATION FRAGMENT OFFSET PROTOCOL CHECKSUM SOURCE IP ADDRESS 15
DF MF
TIME TO LIVE
Frame header
DESTINATION IP ADDRESS OPTIONS + PADDING
IP packet
Physical frame
CRC
TCP/IP
Page 33
VERSION (4 bits): IP version number. Current version: 4. LENGTH (4 bits): Total length of IP header expressed in 32-bit words. value: 5 (min=5, max=15 depending on the option field). TOTAL LENGTH (16 bits): IP datagram total length in octets. Default value: 20. SERVICE TYPE (8 bits): Type of service required based on the following criteria: reliability, bit rate, network transfer time. Rarely used (value 0). FLAGS (3 bits): bit 0 : bit 1 (Don't Fragment) : bit 2 (More Fragment) : 0 1 = fragmentation not allowed / 0 = fragmentation allowed 1 = intermediate fragmentation / 0 = last fragmentation Default
OFFSET (13 bits): Displacement relative to the first packet in the event of fragmentation. Default value: 0 (offset min=0, offset max=8191). IDENTIFICATION (16 bits): SDU identification. If fragmentation is used, each fragment has the same identification. TTL (Time To Live): Life span of the IP datagram expressed in seconds, but more often in number of hops. Default value:15 (min=0, max=255). PROTOCOL: Higher layer protocol code. TCP, UDP, ICMP, OSPF CHECKSUM: Header integrity check. SOURCE ADDRESS: IP address of the sending machine. DESTINATION ADDRESS: IP address of the recipient machine. OPTIONS: Options associated with the IP protocol: routing, route discovery, security, etc.
Page 33
ICMP : INTERNET CONTROL MESSAGE PROTOCOL
ICMP packet
Network 1
Network 2
Network 3
t IIP P packet ke p c pa ack et IP
TCP/IP
Page 34
ICMP is an administration protocol for managing the network layer. information on events relating to IP protocol.
It provides
Most ICMP messages are generated by routers and sent to packet senders to notify a problem in routing an IP packet. ICMP monitors the IP protocol. ICMP is implemented over IP. ICMP PDUs are routed on the network layer. ICMP sends information in a datagram to the IP packet sender in the following cases: destruction (in a router) following a routing problem, destruction following a life span (TTL) problem, destruction following an error in the header, destruction following a router buffer saturation problem,
- information relating to the recipient IP machine's accessibility. A better route may be possible using another router. In addition, ICMP manages basic information relating to the IP layer.
Page 34
ICMP: PACKET FORMAT
15
TYPE CHECKSUM
CODE
Frame header
IP header
Physical frame IP datagram
DATA
ICMP packet
CRC
TCP/IP
Page 35
The main ICMP messages sent by routers are listed below: Flow control ICMP_SOURCE_QUENCH Allows a gateway (or host) to notify network congestion and ask the sender to slow down transmission. No check is run on whether the source has effectively slowed down. Similarly, there is no message to tell the source that it can speed up again. Time_out ICMP_TIME_OUT This message indicates packet destruction due to TTL expiry. Header error ICMP_HEADER_ERROR Reports detection of an error making the datagram unusable. Checksum errors are not handled in this way since, in this case, the sender's IP address is not reliable. Errors generally relate to options. Error report ICMP_UNREACHABLE_DEST Notifies the sender of a datagram that it has not been delivered to the recipient. Generally indicates a routing problem or unavailable station.
Page 35
ICMP: PING UTILITY
Remote system activity test IP network transfer time

Ping 150.10.20.30 IP ICMP ECHO REQUEST 160.10.20.30
Network 1
Network 2
Network 3
IP
ICMP
ECHO REPLY
Note: a ping in itself checks IP layer activity only, and not the network board
TCP/IP
Page 36
The ping command is used to test host or router accessibility. The command uses the ICMP echo function. An ICMP packet (echo request) is sent and its receipt initiates transmission of a return ICMP packet (echo reply). These packets contain data whose length is configurable. There are numerous options for enhancing the ping command. The main responses to the ping are: Host is alive Reply from host Or in the event of a problem: Host unreachable Network unreachable No answer from host Time out Etc.
Page 36
ICMP REDIRECT
Network 3 Network 2
Server
2 R1 3 1 5
Default gateway:
R2
R1
Client
TCP/IP
Page 37
The ICMP_REDIRECT message is used by a gateway to tell a host that a better gateway exists. In general, this occurs when two gateways are present on the same network, and a host in the network has out of date routing tables leading it to use the less appropriate gateway. The message is not used between two gateways. The example above shows a conventional case of route optimization from a client station: 1 : First packet sent for the server to the default gateway. 2 : Router R1 transmits the packet to router R2. 3 : Router R1 tells the client that there is a shorter path for reaching the server's logical network: ICMP Redirect. 4 : Router R2 transmits the packet to the server. 5 : The client sends subsequent packets directly to router R2. All IP machines must be capable of interpreting a received ICMP_REDIRECT message.
Page 37
ICMP : TRACEROUTE UTILITY
Traceroute is a software tool for identifying nodes crossed by an IP datagram sent to a remote machine. Traceroute is based on the use of "TTL exceeded" ICMP messages.
ICMP TTL Exceeded
A B
TTL=1
R1
TTL=2
R2
TTL= 3
R3
...
Rn
TTL= n
TCP/IP
Page 38
Page 38
DYNAMIC HOST CONFIGURATION PROTOCOL
Dynamic configuration of IP machine addresses (clients)

(DHCP is carried by IP broadcast in BOOTP packets to UDP)
DHCP client
DHCP client
I want an individual IP address
DHCP client
Here is your IP address X.X.X.X
DHCP server
TCP/IP
Page 39
The widespread use of TCP/IP machines (PC terminals) on local networks has significantly increased administrator workload, and therefore the risk of errors associated with manual address management. The most common error is allocation of duplicated addresses. The BOOTP protocol (allowing diskless stations or X terminals to boot up on the network) provides mechanisms allowing a station which does not exist on the network to contact a server, even though it does not know its address. The DHCP protocol uses BOOTP as a support and provides a high degree of interchange flexibility for allocating an address dynamically. Dynamic Host Configuration Protocol is defined in the RFCs below: RFC 1533 "DHCP Options and BOOTP Vendor Extensions" RFC 1534 "Interoperation Between DHCP and BOOTP" RFC 1541 "Dynamic Host Configuration Protocol" DHCP has a facility for permanently storing client configuration parameters and dynamically or statically allocating an IP address. The server then supplies the address of the default gateway, together with the mask value. Depending on the type of network operation, a server can provide other information such as the address of the DNS server. The allocation can be either permanent or temporary. The function is described in terms of a "lease" which the client has to renew periodically.
Page 39
INITIALIZATION
DHCP DISCOVER
Source Address: 0.0.0.0 Dest. Address: 255.255.255.255
DHCP client
DHCP server
TCP/IP
Page 40
In the initialization phase, the client sends a discover request by IP broadcast over the network. By default, the DHCP server must be on the same IP network since 255.255.255.255 restricted broadcast does not cross any routers. However, it is possible to overcome this problem by configuring the router so that it extends UDP broadcasts to the address of the server.
Page 40
SERVER SELECTION
DHCP OFFER
Source Address: 150.10.20.30 Dest. Address: 255.255.255.255 IP Address: 150.10.20.31 Subnet Mask: 255.255.0.0 Server Identifier: 150.10.20.30 Lease Length: 48 Hours
DHCP client
150.10.20.30
DHCP server
TCP/IP
Page 41
On receiving the discover, the server or servers make an offer containing an IP address, a mask and lease length, together with any other configuration information, at the administrator's initiative.
Page 41
SERVER CHOICE / REQUEST
DHCP REQUEST
Source Address: 0.0.0.0 Dest. Address: 255.255.255.255 Req IP Address: 150.10.20.31 Server Identifier: 150.10.20.30 Requested Parameters........
150.10.20.30
DHCP client
DHCP server
TCP/IP
Page 42
The DHCP client may make a selection if more than one server is offered, and then send a request to the selected server. However, these interchanges are still executed by IP broadcast.
Page 42
ATTACHMENT
DHCP ACK
Source Address: 150.10.20.30 Dest. Address: 255.255.255.255 IP Address: 150.10.20.31 Subnet Mask: 255.255.0.0 Server Identifier: 150.10.20.30 Lease Length: 48 Hours Default Gateway: 150.10.20.35 Other Requested Parameters....
150.10.20.30
DHCP client
DHCP server
TCP/IP
Page 43
The DHCP server selected sends an acknowledgement (DHCP ACK) containing the address initially sent during the exploratory phase and a lease length valid for this address, together with TCP/IP network configuration parameters for the client. After receiving the acknowledgement, the client is attached and can now operate on the TCP/IP network and terminate the startup procedure. Client computers with the appropriate facility can store the received address locally so that it can be used on subsequent startups. When the lease is about to expire, the client attempts to renew the lease with the DHCP server. If the current lease cannot be renewed, the client receives a new IP address.
Page 43
RENEWAL
DHCP REQUEST
150.10.20.30
DHCP client 150.10.20.31 DHCP server
TCP/IP
Page 44
Page 44
REATTACHMENT
DHCP REQUEST
DHCP server
DHCP client 150.10.20.31
TCP/IP
Page 45
Page 45
EXTENDED INTERSECTION
Extended
Extended
DHCP server 1
150.10.20.1 to 150.10.20.100
150.10.20.75 to 150.10.20.175
DHCP server 2
The DHCP client leases @IP 150.10.20.85 from DHCP server 1
@IP 150.10.20.85 from ERROR!! Duplicated address DHCP server 2

TCP/IP
The DHCP client leases
Page 46
Page 46
IP Layer : The essential
True or False
IP is named this way because it can interconnect any type of networks. An IP characteristic is as follow : Best Effort Delivery ; So, it s a protocol ideal for voice transmission. A broadcast packet never goes through routers. The mask is used for IP packets routing. A router has several IP addresses, one per each connected network. ICMP goal is to allow IP packets to go correctly to the destination. An IP host can not work correctly if DHCP is not managed. True False
False True True False False
TCP/IP
Page 47
Page 47
Section 3 IP over LAN / MAN / WAN
TCP/IP
Page 48
Page 48
IP OVER ALL NETWORKS
IP
LAN MAN Ethernet Token Ring FDDI DQDB Transparent
WAN Virtual circuit X.25, FR, ATM
LL, PSTN, ISDN
TCP/IP
Page 49
Page 49
IP OVER ETHERNET / 802.3
Encapsulation - IP/Ethernet DIX V2 - (RFC 894)

Destination
48 bits
Source
48 bits
Type
16 bits
IP Header
Data
0x0800
IP datagram
Encapsulation - IP/IEEE 802.2/IEEE 802.3 - (RFC 1042)
Destination
48 bits
Source
48 bits
Data length
16 bits
DSAP
8 bits
SSAP
8 bits
Ctrl
8 bits
IP header
Data
IP datagram
TCP/IP
Page 50
The ISO 8802 standard is split into a number of parts: ISO 8802.1 defines the general organization of layers 1 and 2.
- ISO 8802.2 defines the higher part of layer 2, called LLC (LOGICAL LINK CONTROL), including a number of protocol types. The "type" field in the Ethernet DIX V2 standard is used to detect the higher level protocol. Standard 802.3 replaces this field with a length field, defining the length of the information field. However, it is still possible for these two methods to co-exist on the same LAN since the maximum length is 1500 octets and protocol type codes are set to a higher value.
Page 50
ADDRESS RESOLUTION PROTOCOL (ARP)
A B Router
Eth(B) = 080026235577 ARP Reply
ARP Request Mac Broadcast IP(A) = 150.10.20.30 IP(B) = 150.10.20.31 Eth(A) = 00 10 7B 38 52 EC Eth(B) = ?
TCP/IP
Page 51
The IP network logical address facilitates end-to-end addressing on a virtual IP network. Local routing using successive approximation (physical network) is based on MAC layer physical addressing. It is therefore necessary to map the destination IP address (intermediate router to end user machine) to the MAC address of this recipient. On broadcast networks (that is, networks with an MAC broadcast address), the ARP protocol handles address resolution dynamically. It updates a table (ARP cache) mapping IP and MAC addresses. It is based on a two-frame interchange: request sent by the IP machine with an IP packet to send to an IP machine whose MAC address it does not know. broadcast over the LAN (does not cross routers). contains the IP address to be mapped, among other information. reply sent by a machine (recognizing its IP address in the request) to the machine making the request. contains the required MAC address.
By default, the time-to-live of a line in ARP cache is limited to 30 seconds.
Page 51
PROXY ADDRESS RESOLUTION PROTOCOL (ARP)
A B
Router
Eth(Router) 00 00 0C 07 AC 01 ARP Reply
ARP Request Mac Broadcast IP(A) = 150.10.20.30 IP(B) = 160.10.20.31 Eth(A) = 00 10 7B 38 52 EC Eth(B) = ?
TCP/IP
Page 52
If the IP recipient is not on the same logical network as the machine sending the request, the MAC address received is not that of the final recipient, but the address of a recipient on the LAN (that is, the gateway router providing access to the destination network). Since the gateway router replies instead of the recipient, the operation is called proxy ARP.
Page 52
POINT-TO-POINT PROTOCOL PPP is a layer 2 protocol (HDLC type) Usable on transparent circuit with synchronous or asynchronous transmision Basic functionalities Link configuration and link option negotiation Protocol multiplexing by encapsulation and identification Link quality testing and error detection Authentication Header compression Choice of CRC Incorporates sub-protocols LCP (Link Control Protocol) IPCP (IP Control Protocol) NCP: Network Control Protocol
TCP/IP
Page 53
Two protocols are used to implement IP in transparent mode on a serial link or PSTN/ISDN circuit. The historic standard is SLIP (Serial Line IP). This very simple method, limited to Asynchronous Serial transmission (low rate), is now practically obsolete. PPP is a much more complete protocol and can even be used for direct transmission on a very high rate SDH link. PPP fully defines line management (layers 1 and 2), the encapsulation method and higher level (layer 3) protocol management using the serial link as the layer 2 bearer. It incorporates three elements: Datagram encapsulation method: Link control protocol: LCP. Network control protocol: NCP (layer 3 management protocols). IP control protocol: IPCP.
Page 53
PPP AUTHENTICATION PAP Password Authentication Protocol Plain text password CHAP Challenge Handshake Authentication Protocol
Secret password Challenge (random) Challenge (random) Secret password
MD 5
MD 5
PPP client
Reply
rcvd
OK or OK
= calc
TCP/IP
PPP server
Page 54
PPP incorporates identification and authentication mechanisms. Password Authentication Protocol (PAP) is used for simple identification by interchanging a password associated with a user name. However, the password is transmitted "in plain text", and the number of attempts is unlimited. The CHAP protocol is more effective. Challenge Handshake Authentication Protocol works on the principle of a "question of the day". Identification-authentication involves an encrypted interchange and only one attempt is permitted. In addition, the encrypted sequence is not permanent and copying it does not guarantee access. Each time the link is established, a new challenge is proposed. The PPP protocol also has a callback mechanism for guaranteeing security on switched access (for example, ISDN).
Page 54
IP OVER MULTIPOINT WAN : IP OVER X.25
LAN 1
@X121 R1 @X121 R3
LAN 3
@X121 R2
X.25 network Routing table
LAN 2 Address table

@IP R1 Wan --> @X121 R1 @IP R2 Wan --> @X121 R2
LAN1 --> @IP R1 Wan LAN2 --> @IP R2 Wan
PLP X.25 HDLC X.25
IP 802.2 802.3/5 ARP table

@IP --> @MAC ...
TCP/IP
Page 55
Packet mode, X.25 and FR wide area networks are based on setting up virtual circuits either statically or dynamically. It is therefore necessary to implement a module for managing these circuits transparently for IP. Since broadcast mechanisms do not exist on these networks, it is not possible to dynamically load the ARP cache. For this reason, the link must be established manually between the IP address and either the X.121 address for an SVC (Switched Virtual Circuit), or the LCN (Logical Channel Number) for a PVC (Permanent Virtual Circuit). The use of X.25 for transporting IP datagrams incorporates a special feature. Encapsulation is used from layer 3 to layer 3. The IP datagram is encapsulated in an X.25 data packet which itself is encapsulated in an X.25 frame.
Page 55
IP OVER MULTIPOINT WAN : IP OVER FR
LAN 1
DLCI R13 DLCI R31
LAN 3 FR network
DLCI R23 DLCI R32
Routing table LAN 2 Address table

@IP R1 Wan --> DLCI R31 @IP R2 Wan --> DLCI R32 LAN1 --> @IP R1 Wan LAN2 --> @IP R2 Wan
IP Frame Relay 802.2 802.3/5 ARP table

@IP --> @MAC ...
TCP/IP
Page 56
The use of Frame Relay for IP transport has now replaced X.25. The same principle is used, except that to date Frame Relay is used in PVC mode only, and therefore setup/release phase management is not required for the virtual circuit. Mapping layer 3 and layer 2 addresses consists of associating the IP address of the remote router with a logical connection identifier, called the Data Link Connection Identifier (DLCI).
Page 56
IP OVER MULTIPOINT WAN : IP OVER ATM
LAN 1
VPI/VCI R13 VPI/VCI R31
LAN 3 ATM network

VPI/VCI R23 VPI/VCI R32
Routing table LAN 2 IP 802.2 AAL/ATM 802.3/5 ARP table

@IP --> @MAC ... LAN1 --> @IP R1 Wan LAN2 --> @IP R2 Wan
Address table
@IP R1 Wan --> VPI/VCI R31 @IP R2 Wan --> VPI/VCI R32
Frame Relay
TCP/IP
Page 57
The use of ATM for IP transport is at present mainly reserved for operator and very large business backbones. The operating principle is the same as for Frame Relay. ATM is also used in permanent virtual circuit mode, and the IP address of the remote router is mapped to the VPI-VCI (Virtual Path Identifier-Virtual Circuit Identifier) identifying the circuit.
Page 57
IP bearers : The essential
True or False
IP packets are segmented into packets of 1500 bytes for delivery to the lower layer. ARP allows to find an IP host by knowing the MAC address. PPP is a protocol at the same layer as Ethernet 2 LANs may be connected through the PSTN using PPP. 2 PCs can be connected together by serial link, in order to make an IP network. This local network can be connected to the Internet, by linking one of them by modem. As IP can be placed above any type of physical network, it can be implemented in the mobile networks. An IP host may be a router, by only adding specific software.
False False True True True True
True True
TCP/IP
Page 58
Page 58
Section 4 TCP/IP : TRANSPORT LAYER
TCP/IP
Page 59
Page 59
APPLICATION-ORIENTED ADDRESSING
Appli X Client
Appli Y Server
Appli Z Server
Appli X Server
Appli Y Client
Station A
Station B
TCP - UDP IP
Source port-Destination port
TCP - UDP IP
Physical network : layers 1 and 2

Port number: Communication local identification Socket: Association of IP address and port number Communication: Association of Server and Client sockets, transport type (TCP / UDP)
TCP/IP
Page 60
Layer 4 (transport) provides an end-to-end service between communicating applications (processes). In TCP/IP architecture, two transport protocols are used to perform this function. The transport service provided by Transmission Control Protocol (TCP: reliable transport mode) and User Datagram Protocol (UDP: non-assured transport mode for transactional traffic) is an addressing service for communication between two application processes. Any process wanting to communicate with a remote process is identified on the transport layer by a port number (encoded on 16 bits). A complete layer 4 address therefore incorporates two fields: IP address identifying the Host on the logical network, port number identifying the application within the host.
In TCP/IP terminology, this address is called a "socket". Each application process has an address of this type. Two processes therefore communicate by associating two sockets. An application stream (communication channel) between two processes is defined by: - local IP address, local port number, remote IP address, remote port number, type of transport. The "type of transport" field allows either TCP or UDP transport to be used for a given application.
Page 60
WELL KNOWN PORTS
Number 20/tcp 21/tcp 23/tcp 25/tcp 53/udp 67/udp 68/udp 69/udp 79/tcp 80/tcp 88/udp 109/tcp 110/tcp 111/udp 161/udp 162/udp 512/tcp 513/tcp 520/udp
Services file
Protocol Keyword ftp-data ftp telnet smtp domain bootps bootpc tftp finger www-http kerberos pop2 pop3 sunrpc snmp snmptrap exec login router
File Transfer Protocol [Default Data] File Transfer Protocol [Control] Telnet Simple Mail Transfer Protocol Domain Name Server Bootstrap Protocol Server Bootstrap Protocol Client Trivial File Transfer Protocol Finger World Wide Web HTTP Kerberos Post Office Protocol - Version 2 Post Office Protocol - Version 3 SUN Remote Procedure Call SNMP SNMP TRAP Remote Process Execution Remote Login RIP
TCP/IP
Page 61
Port numbers can be assigned in three ways: port number specified in the code, port number read in a configuration file, port number assigned by the system.
The port number is assigned to the client when it requests a connection (TCP) or when it sends data (UDP). Port numbers are reserved. They are used by standard application services such as ftp, telnet, etc. The application connection is always initiated by the Client, and the server monitors the port representing the application. Two client-server relations cannot be confused since each session is assigned a port number dynamically (port mapper function), and the application address also consists of two data fields: Application port n , static - session port N , dynamic Application port N s known to the system are listed in the services file.
Page 61
TRANSMISSION CONTROL PROTOCOL
Connection-oriented mode 3 Phases : Set-up - Transfer - Release Reliable transfer mode Fragmentation (octet stream) Guaranteed sequencing Error recovery (timer protection) Window flow control "Forced delivery" option PSH flag "Urgent data" option URG flag
TCP/IP
Page 62
Sequencing The TCP layer is capable of fragmenting data it receives. Although the TCP service is a "continuous octet stream" service, TCP sequences the segments transmitted by allocating sequence numbers. The sequence number representing a volume of data is also used for acknowledgement purposes. Error recovery Since IP is by design not reliable, TCP must know how to detect loss of octets and recover this condition. Detection is based on a timed acknowledgement mechanism, and recovery is based on retransmission. Flow control The flow control mechanism in TCP window. This window represents a volume of receiving at a given time. The receiver therefore manages the connected. Since transfer is full-duplex, the same ends (send and receive). is based on the use of an anticipation octets which the receiver is capable of window for the sender to which it is independent mechanism is used at both
In the event of congestion, failure to update the window results in transfer termination, avoiding data loss. TCP uses a set of pointers for managing operating mechanisms.
Page 62
TCP: CONNECTION SET-UP
TCP client A
<SYN> Snd SEQ N : 3256 <ACK> Snd SEQ N : 3257 Ack SEQ N : 2651
TCP server B
<ACK> <SYN> Snd SEQ N 2650 Ack SEQ N3257
IP network
IP
TCP/IP
Page 63
Connection phase During this phase, the transport connection is set up between the two remote processes. Each end of the link initializes the connection using the SYN pointer. Each request is acknowledged by the ACK pointer and Seq N +1. This means that there are two logical connections between the two processes: one for each transmission direction, each set up on the send side. These two connections are totally independent (characteristics / parameters, use, etc).
Page 63
TCP: DATA TRANSFER
Client Appli
TCP
SYN 3256
IP network
TCP
Server Appli
S e t u p T r a n s f e r
ACK 3257, SYN 2650 ACK 2651 PSH 3257, ACK 2651, lg=100
ACK 3357, PSH 2651, lg=500 ACK 3151 ACK 3357, PSH 3151, lg=200 ACK 3357, PSH 3351, lg=600
ACK 3951
TCP/IP
Page 64
Transfer phase During this phase, the two processes simultaneously interchange a bidirectional octet stream (TCP-PDU). For TCP, the unit of transfer is the segment. Each segment contains n octets of the N octets in the message sent by the application. TCP does not therefore provide a block transmission service. It provides a send/receive service for a linear stream of octets with no separator and no structure. The application process cannot force TCP to delimit the blocks it sends. The remote process must be capable of rebuilding the blocks received and therefore finding the block separators (applications!) in the linear stream of octets received from TCP. Information transfer by TCP is guaranteed in sequence, error free and with no losses. Transfer reliability is guaranteed by acknowledgement mechanisms, send/receive sequence numbers and the ACK pointer. A PUSH pointer forces delivery without waiting for a complete segment, such as transmission of a single character, and an URG pointer forces transmission even if the window is blocked for flow control purposes.
Page 64
TCP: CONNECTION RELEASE
TCP client A
<END> Snd SEQ N 3357 <ACK> Snd SEQ N 3258 Ack SEQ N3952
TCP server B
<ACK> <END> Snd SEQ N 3951 Ack SEQ N3258
IP network
IP
TCP/IP
Page 65
Disconnection phase This phase consists of two fully asynchronous sub-phases. TCP disconnection is secured insofar as it must be executed at both ends. In fact, there is a send disconnection for each TCP layer. This disconnection is acknowledged and any data not sent is sent before the disconnect TCP-PDU. On receiving a disconnect request, the TCP knows that the sender has no further data to send. The receiving TCP can continue to send. Disconnection is complete when TCP has sent its request. This type of disconnection is normal and guaranteed with no loss of data. The END pointer is used for disconnection. A sudden disconnection facility exists: Use of the RESET pointer (possible data loss).
Page 65
TCP : FORMAT
0 7 SOURCE PORT N DESTINATION PORT N SEND SEQUENCE NUMBER ACKNOWLEDGEMENT NUMBER OFFSET RESERVED WINDOW CHECKSUM URGENT POINTER OPTIONS + PADDING URG ACK PSH RST SYN FIN 15
Frame header IP header

Physical IP packet frame
TCP segment
crc
TCP/IP
Page 66
SOURCE PORT: TCP port of the application sending the segment. DESTINATATION PORT: TCP port of the application receiving the segment. SEQUENCE NUMBER: Sequence number of TCP segment sent. ACKNOWLEDGEMENT NUMBER: Acknowledgement number for the TCP segment sequence number. OFFSET: Indicates the position of the data in the segment from the beginning of the header (expressed in number of 32-bit words). CHECKSUM: TCP segment check, pseudo-header containing the destination IP address. WINDOW: Number of octets which can be transmitted before acknowledgement. URGENT POINTER: Segment contains urgent data (if URG = 1). FLAGS: URG ACK PSH RST SYN END : : : : : : Indicates presence of urgent data in the segment Acknowledgement number validation Indicates that data must be sent immediately (push) Indicates a connection reset (connection break) Connection set-up End of connection: release Allows interchange of optional information between modules (not used).
OPTIONS:
Page 66
USER DATAGRAM PROTOCOL
Connectionless mode transport protocol Transactional traffic oriented Also used by applications which have control over transmissions (eg.: tftp) In network terms, reduced overhead compared to TCP UDP packet checksums calculated in a pseudo-header (UDP header + source and destination IP addresses sent are replaced by IP source and IP local ports in receive mode) Used by NFS, BOOTP, TFTP, SNMP, RIP, ...
TCP/IP
Page 67
UDP protocol can be thought of as an empty layer offering a simple layer 4 addressing service. It does not improve the service provided by the IP layer. It provides a simultaneous bidirectional transport service in datagram mode (block-oriented). UDP protocol therefore has only one T-PDU: a data PDU! UDP provides the following service: creation of send or receive ports, receipt of T-PDU with data communication and the sender's socket reference (IP address, port number), data sending with processing of parameters forming the send and receive T-SAP (socket).
Page 67
UDP : FORMAT
7 SOURCE PORT N DESTINATION PORT N LENGTH CHECKSUM
15
Frame header IP header IP Physical packet frame
DATA
UDP segment
CRC
TCP/IP
Page 68
SOURCE PORT
Port sending the datagram.
DESTINATION PORT :
Port to receive the datagram.
LENGTH
Total length of the UDP packet.
CHECKSUM
UDP packet integrity check (checksum calculation is optional and a 0 value indicates that the checksum has not been calculated). Same checksum calculation method as in IP and TCP.
Page 68
SOCKET INTERFACE
Development interface for communication between remote processes The "socket" interface is derived from BSD UNIX 4.2. It generalizes interprocess communication and allows development of network-based client-server applications Sockets are used as interfaces with communication protocols Among other things, they allow a port N (application) to be associated with an IP address (host) They make TCP/IP protocols transparent to applications
TCP/IP
Page 69
Each application process using TCP/IP is identified by a data pair consisting of the machine's IP address and a local port number (relative to the machine). This reference is called the socket and therefore represents the programming interface for access to the Transport service in TCP/IP architecture. The reference consists of a set of primitives for accessing TCP and UDP transport services. The interface provides a resource for communication between Client and Server processes. The two processes can be running on the same machine or on two remote machines. A socket is a communication point with a domain, name and type. Domain: Specifies the type of protocol used: UNIX : process on the same UNIX machine. INET : remote processes communicating via TCP/IP protocol.
Name: Defines the socket reference. The reference content varies according to the socket domain. Type: Determines the way in which data is routed. In the TCP/IP domain, there are three possible types: STREAM, DATAGRAM or RAW.
Page 69
Transport layer : The essential
True or False
All the applications must use TCP or UDP to access the IP network. If an application is associated to a port number, it means that this application is connected to the Internet at this moment. The checksum on the TCP/UDP header also allows to verify parts of the IP header. TCP is defined as reliable because it has 3 working steps : Establishment, Transfer, Release. A WEB server will always listen on its dedicated port (port 80). Either, this server will not work at all. All TCP messages must be acknowldeged. If UDP is used to send data, the transmission may become reliable by adding controls in the application layer part.
TCP/IP
False False
True False
False
True True
Page 70
Page 70
Lower layers : The essential
Complete the following protocols stack : Applications Ping, traceroute, ... Applications protocols Sockets (Port + @IP)
TCP (Reliability,
Robust)
UDP
(Speed, Simple)
ICMP
IP
(Routage)
Interfaces Ethernet+ARP PPP/SLIP AAL5 Gateway
LAN
RTC
ATM
X25
TCP/IP
Page 71
Page 71
Section 5 TCP/IP : APPLICATIONS
TCP/IP
Page 72
Page 72
NAME SERVICE
The user manipulates server names and the network manipulates a server IP address. Problems: Finding an IP address based on a host name More than one type of name TCP/IP name: standard Used by applications such as http, ftp, smtp, snmp, Netbios name: Windows/Microsoft name Used by Netbios applications (SMB sharing, )
TCP/IP
Page 73
Page 73
NAME-IP ADDRESS RESOLUTION
"Static" resolution Host (standard) or lmhosts (Netbios) file 150.10.20.30 Mon_Host 150.10.20.31 Ton_Host "Dynamic" resolution DNS Standard TCP/IP name resolution Replaces the hosts file WINS Netbios resolution Replaces broadcasts and lmhosts file
TCP/IP
Page 74
DNS (Domain Name Service) is a standard protocol for resolving machine names (symbolic) into IP logical addresses (used by communication protocols). It is especially designed for large TCP/IP networks (DNS is used on the Internet). Historically, TCP/IP users directly specify the IP addresses of the corresponding applications. These addresses are then replaced locally by host names using a hosts file. Nowadays, DHCP servers have a facility for managing the hosts file.
Page 74
DNS RESOLUTION
History Impossible to load a hosts file into all Internet stations Domain Name Service standardized by RFC Principle Names organized hierarchically in a Domain Name Tree Simple request / response interchange protocol Uses UDP and TCP Cooperation between servers forming a network
TCP/IP
Page 75
For very large networks, maintaining local "mapping" files soon became impossible. Initially, for the Internet, the NIC had a file with all existing (name, IP address) pairs which stations could download via ftp. These mechanisms were superseded by a network of DNS servers. The DNS system is therefore both a system for naming machines in a TCP/IP network and an address resolution protocol (mapping machine names and IP addresses).
Page 75
DOMAIN NAME TREE
.
ru com fr jp
alcatel
alcatel
alcatel
co
mow
www.mow.alcatel.ru
usa
www.usa.alcatel.com
europe
www.europe.alcatel.fr
alcatel
www.alcatel.co.jp
TCP/IP
Page 76
DNS is based on the concept of a naming hierarchy which involves partitioning the naming space and arranging it as a tree. A machine name will therefore be complex and referenced relative to the location of the machine on the tree. This type of name breakdown and mapping administration (name, IP address) is similar to the hierarchical organization in a large company with divisions split into departments which in turn are divided into sections. Each manager on each hierarchical level has a degree of authority and autonomy within his or her domain. DNS is based on this principle and a machine name becomes: - hostname.sub_domain. ... .root_domain where: hostname : machine name (lowest level), sub_domain : intermediate administration subdomain, root_domain : highest administration domain (on the tree).
Page 76
TOP LEVEL DOMAINS ON THE INTERNET
Open to all Com : Commercial (highest demand!) Edu : universities Net : network domain companies Org : miscellaneous organizations Int : international (little used) Reserved for United States Gov : American government And also Mil : American military Firm : Business (to alleviate .com) Shop : Trader Country (ISO naming) Web : Company working for the Web Fr : France Arts : Culture and events Rec : Recreation and leisure Uk : United Kingdom Info : Content editors, media Ru : Russia Nom : Personal home pages
TCP/IP
Page 77
Each name (except on the lowest level) represents a DNS domain which forms an administration and autonomous management entity over which an administrator has authority and therefore manages internal mapping (name, IP address). Internet naming is based on the principles above. Root domain names are listed below: edu : gov : com : mil : fr, us : Note: The example is incomplete and does not show the full extent of the current name space on the Internet. The hierarchy has no specific root. On the Internet, the NIC (AFNIC in France) is the authority managing subdomain assignment. The tree structure in independent of physical network structure. Universities and schools, Government agencies, Businesses, Military administrations, Countries (France, United States).
Page 77
RECURSIVE SEARCH
.
2 3
Root servers
com
4 5
fr alcatel europe
www.europe.alcatel.fr
www : 198.64.191.11
TCP/IP
Page 78
For system security (in the event of failures), the name server (primary server) function is duplicated in one or more secondary name servers. On initialization and then at regular intervals (programmable period), each secondary name server downloads the domain local mapping database from the primary server. Each name solver must know of the existence of these secondary servers and be capable of switching over to a secondary server if the primary server does not respond. Name / address translation is handled by name servers which cooperate and respond to requests sent by client programs called name solvers. At design level, each domain has a name server which resolves domain internal mapping by cooperating with adjacent name servers (higher or lower level). The name solver generates a request specifying the machine name (full name) and type of resolution required (recursive or non-recursive). For non-recursive resolution, the name server returns a list of servers to be contacted. In this case, the name solver (client) contacts another name server.
Page 78
FORWARDER TYPE SEARCH
4 3
A
Forwarder : B 1
Server A extends the request to B If server B fails, A executes a recursive search
www.europe.alcatel.fr ?
TCP/IP
Page 79
If there is no local translation function, the server uses the procedure below: for recursive resolution: The name server contacts other name servers and returns a response (positive or negative) to the client name solver. for non-recursive resolution: The server returns a list of name servers likely to know the name-IP address mapping. The client name solver then sends the request to another name server. Note: This mechanism means that all clients must know at least one name server and that all name servers know at least one other server. Performance: A cache mechanism exists in each name server. It stores previous mappings for names outside the domain (local mappings are in the database). Each entry stored contains a TTL (Time to live). The cache is therefore regularly refreshed. Some name solvers keep their own list of translations already executed. In this case, a request from a user program can be resolved without sending a request (network) to a server.
Page 79
FTP
ftp>
Client
x y 21
Server
20
TCP IP Data Control
TCP IP
Control connection, Port 21 File transfer initialization and parameters Activation of remote commands Data connection, Port 20 Information transfer (files, results, ...)
TCP/IP
Page 80
The FTP application satisfies the client-server model by allowing access to the remote files, regardless of the OS run by each system. FTP facilitates: creation, deletion, renaming of remote files/directories, two-way transfer of ASCII, binary or EBCDIC files, navigation through the remote file management system, with directory content display, file transfer between two remote hosts, controlled by the local host, writing local macrocommands, with parameter transfer and limited loops, a condensed file name list using special characters, file name character substitution for non-UNIX remote machines using a different syntax, and complex pattern substitutions in the names of files transferred.
Page 80
FTP : EXAMPLE OF DIALOGUE

Client (150.10.20.30)
ftp serveur username password 331 Password required PASS password 230 User username logged in ascii, binary, mode, ... 220 Commands successful PORT 150,10,20,30,4,45 200 Port Command successful ls, dir, get, put LIST, RETR, STOR Data connection set up to client port 1069 150 ASCII data connection for /bin/ls 226 ASCII transfer complete List, file requested ........ Data connection closure on port 1069 bye, quit 221 Goodbye ... Control connection closure
Control connection set up to server port 21
Server (150.10.20.31)
220 Server ready USER username
Connection
TYPE / STRU / MODE
Transfer
QUIT
Disconnection
TCP/IP
Page 81
FTP requires two connections: A control connection (always using port 21 on the server) for commands and responses controlling the transfer. A data connection (always using port 20 on the FTP server) for interchanging the data. A data connection is opened, used then closed for each file transfer.
Each local reference on the client side consists of a port number dynamically assigned by the system. Interchanges on the control connection define the nature of the transfer or service requested. They include identification information as well as requests and error messages. The data connection is normally set up by the server when information transfer is about to start. In practice, the accepting port is always provided for the data connection initiator via the control connection: either by the client in a special command (PORT...) sent to the server before initiating transfer, or by the server in response to a command asking it to wait for data connection receipt.
FTP transfer can be protected by login mechanisms, user_name, password. Similarly, it is possible to restrict the client to a home_directory with read-only access, for example.
Page 81
FTP : USER COMMANDS
FTP user commands depend on implementations Commands are executed either locally or in the remote machine. Example: lcd : change local directory cd : change remote directory Some commands are redundant Example: bye and quit, get and recv, put and send, etc
append ascii bell binary bye cd close delete debug dir form get hash glob
help lcd ls mdelete mdir mget mkdir mls mode mput open prompt put pwd
quit quote recv remotehelp rename rmdir send sendport status struct tenex trace ? !
TCP/IP
Page 82
Responses sent by the ftp server consist of a decimal digit triplet, followed by a space character then a comment not defined by the protocol. The three digits in the triplet each have a particular meaning. The first digit defines the response category. 1yz introduces a preliminary response (before command execution), 2yz introduces a positive termination response, 3yz introduces a positive intermediate response, 4yz introduces a negative termination response due to a phenomenon which is probably temporary, which means that a positive response is likely if the command is repeated, 5yz introduces a negative termination response which is probably conclusive (pointless repeating the command).
The second digit defines the domain to which the response relates. x0z indicates a response concerning the syntax, x1z indicates a response concerning general information, x2z indicates a response concerning connection set-up / release, x3z indicates a response concerning identification / authentication, x4z is unspecified, x5z denotes a response concerning file management.
The third digit identifies each response with the same categories and domains.
Page 82
WORLD WIDE WEB
HTTP protocol Web Browser

URL : Uniform Ressource Locator Protocol://Server-Name:Port/Resource http://www.estnet.ee/mart/rfc/index.html HTML page interpreted by a Browser, containing: ASCII text describing the page display (tags, text) Pictures in gif or jpeg format Hypertext links to other pages or URLs Javascript or VB scripts run on the client Java Applets or Active X controls run by the client
Web Server
TCP/IP
Page 83
Page 83
SECURE SOCKET LAYER
1 Client Hello
3 Certificate ClientKeyExchange CertificateVerify ChangeCipherSpec 4 Data Exchange

1: 2: 3: 4:
2 Server Hello Certificate ServerKeyExchange CertificateRequest ServerHello Done
4 Data Exchange
Client sends a "hello" message to the target server Server returns a digital certificate containing the server's public key Client generates a random session key and returns the key encrypted using the server's public key Once secured protocol has been established, all documents are sent encrypted symmetrically in both directions (RC4)
TCP/IP
Page 84
SSL is an intermediate layer between TCP/IP and its applications. It is independent of the application protocol and provides a set of APIs for applications. Security: The connection is private. Creation of a protected channel between client and server. Terminal identities can be authenticated. The connection is safe (alteration, modification). Key generator and hash functions. Negotiation and session management protocols. X.509 format certificates. RC4 : MD5 40-bit symmetric encryption: Integrity, DSS: Signature 512 bits. Various protocols for: Negotiating security parameters. Mutual authentication (TLS). Instantiation of negotiated security parameters.
SSL components:
Encryption algorithms:
- Error report. SSL uses reserved IANA ports. https (HTTP with SSL, port 443), snews (NNTP with SSL, port 563), ssmtp (SMTP with SSL, port 465), ssl-ldap (port 636), spop3 (96)
Page 84
ELECTRONIC MESSAGING : E-MAIL POP A.Dupont's POP server in domain aile.com Message sent by albert.dupont@aile.com to jacques.dupond@alcatel.fr SMTP
SMTP
Jacques Dupond's IMAP server in domain alcatel.fr
IMAP
Mail received from albert.dupont@aile.com

TCP/IP
Page 85
SMTP protocol (Simple Mail Transfer Protocol) is extremely widely used for exchanging interpersonal mail over a TCP/IP network. In contrast to OSI, SMTP incorporates no sophisticated presentation concepts or powerful retry mechanisms. In common with the main TCP/IP architecture applications, SMTP is based on simplicity and pragmatism. The main SMTP RFCs are: RFC 821 for the protocol, RFC 822 for mail message format and RFC 974 for the message routing method. Command Domain Mailbox : : : Request sent by the client SMTP. Hierarchic structured address of a host in the messaging system. Sequence of characters of any length denoting a user. The standard naming rule stipulates that an address consists of two fields, "user" and "domain", separated by the "address" character: @ Command positive or negative acknowledgement. SMTP responses follow exactly the same rules as FTP responses and consist of a three-character code followed by an additional information field for human operators rather than automated processes.
The main terms used in SMTP are explained below: -
Response
eg : "220 Hello, this is the SMTP flag".
Page 85
SMTP : EXAMPLE OF DIALOGUE
SMTP Client
TCP connection set-up to server port 25 220 Server ready
SMTP Server
Connection Synchronization
HELLO SMTP client
250 Server SMTP OK MAIL FROM username 250 Sender Ok RCPT TO username1 250 Recipient Ok RCPT TO username2 550 User unknown DATA 354 Enter mail; end with <CRLF> <CRLF> Message ... <CRLF> <CRLF> 250 Mail accepted QUIT 221 Service closing transmission channel TCP connection release
Identity of Sender and Recipient(s)
Message transfer
Disconnection
TCP/IP
Page 86
SMTP operates on a single TCP connection initialized by the user client. SMTP acts both as a UA (User Agent) and MTA (Message Transfer Agent) in terms of OSI messaging. However, in SMTP the transfer is always initiated by the sender. This means that, under normal circumstances, a connection from SMTP client to SMTP server to receive mail is never set up. Interchanges are based on a very simple principle. Set up the TCP connection. Synchronize the two SMTPs. Specify the sender's identity. Specify recipient identity or identities. Send the message. Terminate the connection.
Note: It is so easy to attach a file to an e-mail message that nowadays many servers become saturated with large attached files, impeding their primary function.
Page 86
TELNET
Client
$ telnet server $ login : My_name $ password :
Server
23
TCP IP
TCP IP
Characters typed on the keyboard are sent to the telnet server All characters received from the server are displayed All characters displayed are received from the server
TCP/IP
Page 87
The TELNET (Telecommunication Network) protocol is in fact a combination of two completely different concepts which are often confused: TELNET is first and foremost a virtual presentation standard for communication between two processes on any two machines (not necessarily UNIX). It provides two basic services: firstly, a virtual terminal (NVT, Network Virtual Terminal) comprising in particular minimal presentation common to all machines implementing TELNET. secondly, a set of PDUs allowing two cooperating processes to negotiate miscellaneous options.
TELNET is also the name frequently given to the application used by a terminal (or process) for accessing the operating system of another machine. In this case, login, identification and authentication procedures are used. These concepts are associated with each machine and are not therefore defined in the TELNET standard.
NVT presentation. TELNET is normally used between a real terminal and an application process. However, it can be used between two terminals or two processes. In any case, the process or processes are responsible for adapting the actual presentation used locally to the NVT virtual presentation. It is also possible, using negotiation PDUs, to change all or some of the NVT presentation rules. However, changes must be implemented by common agreement and any implementation must know how to manage standard NVT presentations.
Page 87
TELNET
Server Telnet : Cisco Router

Terminal Type option negotiation request IAC WILL ECHO IAC WILL SUPPRESS-GO-AHEAD IAC DO TERMINAL_TYPE IAC DO NAWS (Negotiate About Window Size)
Client Telnet : PC
TCP connection
IAC DO ECHO
OK to negotiate
TELNET DATA : Cisco> IAC WILL ECHO IAC DO SUPPRESS-GO-AHEAD IAC WILL TERMINAL_TYPE IAC WONT NAWS (Negotiate About Window Size) IAC SB (Start of Subnegotiation Parameters) DATA : ANSI IAC SE (End of Subnegotiation Parameters)
IAC WONT NAWS (Negotiate About Window Size) TCP/IP
Page 88
TELNET provides an option negotiation mechanism so that processes can negotiation some options. There are two types of option: options whose implementation or non-implementation is sufficient in itself (for example, the echo option). These options are negotiated using the WILL, WONT, DO, DONT PDUs. options whose implementation requires additional information (for example, actual terminal_type indication). In this case, SB and SE PDUs are used. However, the PDUs above must have been used beforehand to negotiate the implementation of such options.
Page 88
TFTP
Trivial File Transfer Protocol - RFC 1350 TFTP is a file transfer protocol based on connectionless mode transport (UDP port 69). TFTP is used to transfer files in ASCII and BINARY mode. TFTP provides limited security (no user identification) and for this reason its use must be limited. TFTP protocol is based on five packet types. Each packet sent from client to server must be acknowledged. TFTP is sometimes used for downloading configurations over the network (terminal server, X terminals, router, etc).
TCP/IP
Page 89
TFTP protocol (Trivial File Transfer Protocol) is a basic file transfer application. It complies with a client-server model for single file transfer between two machines using UDP transport protocol. It is very simple to implement, very economic in terms of disk, ROM and CPU resources, and particularly suited to downloading diskless machines. In practice, it is installed in the diskless machine's ROM and run after RARP or BOOTP type protocols which determine the equipment's IP address. The TFTP client sends a request to a TFTP server at "wellingtonia port" 69 on the server. The client's source port is allocated by the system. The request defines the transfer characteristics. It initializes a TFTP application connection which entails associating a free port number chosen by the server (port number dynamically allocated by the system on the sendto) with the client's port number (source port number in the request). When the connection has been correctly set up, transfer is executed in "send and wait" mode. The sender sends the file in fixed size blocks (512 octets) and waits for an acknowledgement before sending the next block. Blocks are numbered. A block of less than 512 octets indicates the end of file. Timers are started by sender and receiver. This means that the loss of a data block or acknowledgement does not stop the transfer. The last data block must be acknowledged. The receiver then assumes that the transfer has terminated successfully. An impossible request or error during transfer causes transmission of an error packet which terminates the process and ends the transfer.
Page 89
NFS Network File System - RFC 1094 (specified by SUN Microsystems) NFS is used for file sharing in heterogenous environment NFS protocol is based on RPCs (Remote Procedure Call) NFS is hardware and system-independent. It is based on a presentation layer: XDR (eXternal Data Representation)
NFS XDR RPC UDP IP

TCP/IP
Page 90
The Network File System allows each user to access files which can be physically located on other machines, without explicit copy transfer. NFS was designed to be independent of the operating system. In particular, files can be shared by UNIX machines and also by UNIX and PC machines in DOS or OS/2, etc. The NFS service therefore provides access to remote file systems. A machine is an NFS server if it allows other machines access to all or part of its local file system. An NFS server is said to "export" or "share" its files, which means that it allows clients to access exported files. An NFS server receives a number of requests and returns a result in a response. A machine is an NFS client if it accesses files exported by an NFS server. An NFS client is said to "import" files. Importing allows a client machine to access remote files using read/write operations resulting in RPC request transmission (Remote Procedure Call). NFS uses RPCs and XDR (eXternal Data Representation). It is usually implemented using UDP transport.
Page 90
REMOTE PROCEDURE CALL
RPC protocol allows a program running on machine A to call a routine on machine B and remotely execute some of its operations.
CLIENT Request
SERVER 4
Service user
Service provider
1
Response 3
Port Mapper
TCP/IP
Page 91
Remote procedure call (SUN) is used by a process to call a procedure (function) to be executed on another machine. RPCs provide: a mechanism for addressing the remote procedure, a mechanism for encoding parameters, a call mechanism (transmission of an RPC request), execution of the remote procedure.
The RPC service model is a client-server model in which the distributed application is divided into two parts: a client part: This part of the application requests a service not provided locally. calls the service procedure. a server part: This part of the application is asked to provide a service. remotely. It
It is called
For the user, an RPC service is a set of procedures. These procedures are combined on a program and version basis. A port number is associated with a program number. An RPC request is therefore sent to the program using the port number. The request contains the program number, version, and number of the procedure to be executed in the program, among other things. To make a remote procedure call, a client must locate the program called using the port number. To do this, it can call a special service in the machine supporting the server: port mapper.
Page 91
X-WINDOW CLIENT-SERVER ARCHITECTURE
X-Window Clients
X11 protocol
X-Window server
TCP/IP
Page 92
X_WINDOW or X is a multi-window graphical interface. It is very widely used in the TCP/IP and UNIX world and has been adopted by all workstation manufacturers and by X/OPEN in the portability guide (XPG4). X_WINDOW provides a basic service and is generally used on a supplementary layer offering high level services for graphic interface management. The two most widely used high level graphic interfaces are Motif (supplied by OSF) and OPEN LOOK (supplied by Sun Microsystems). Nowadays, X-WINDOW is used, via the X.11 protocol, to run local or remote applications with local graphic display. A single process (SERVER) controls all the input-output (physical level). It is responsible for creating and manipulating screen windows, displaying text or graphics and managing input (keyboard and mouse). The implementation of an X server is closely linked to the hardware. It is run locally on a workstation, graphics terminal or in emulation mode on a Windows station, and interprets messages from client applications. Any application designed to use the facilities provided by an X server is considered a client. The client communicates with the server in asynchronous mode over the TCP/IP network.
Page 92
Applications : The essential

True or False
Any IP host must know a DNS server to work correctly An URL is a server address. A host being FTP server, it can connect as a client to a WEB server. FTP is the only way to get back a file from a remote Internet site. TELNET is an application from Internet world, but only used by UNIX systems. The following URL is valid : http://155.132.10.53:2080/coucou.html SMTP is a protocol using the connected mode. To send and receive e-mails, we must configure a POP server ! False False True False False True True False
TCP/IP
Page 93
Page 93
Section 6 IP NETWORK INTERCONNECTIONS
TCP/IP
Page 94
Page 94
GATEWAY
Definition The concept of gateway is used in the application layer Eg. : SNA gateway on Digital machine By extension, this concept is applied to all layers and especially the lower layers "Network" gateways are then seen as level N interconnection equipment Terminology Repeater : level 1 gateway Bridge : level 2 gateway Router : level 3 gateway Special case IP gateway = IP router = Level 3 gateway Switch = level 2 switch (Ethernet, ATM, etc) = level 2 gateway
TCP/IP
Page 95
Two networks are interconnected by intermediate equipment known by the generic term of "gateway". The OSI has formalized the concept of gateway. It is characterized using the criteria of action level and action mode. The action level is the level at which the gateway operates. It is in fact the highest OSI level concerned. Higher levels do not see the gateway.
The action mode is the way in which the gateway handles conversion. It can map PDUs with adaptations (headers, sizes, nature) where required, or map SDUs. In all cases, layers (1) to (N-1) on both sides do not see one another and can generally be different. Gateway names have been standardized: repeater : bridge router : : level 1 gateway, level 2 gateway (MAC), level 3 gateway.
In general, the term "gateway" is used where the above three terms (repeater, bridge, router) are not applicable. However, in TCP/IP terminology, a gateway is a router.
Page 95
REPEATER
205m
Example: 100BaseT
5m 100m
100m
The binary signal is present at all ports

TCP/IP
Page 96
Repeaters were initially used for extending the physical bearer by repeating the signal. A repeater is first and foremost a regenerator. Repeaters are widely used in Ethernet networks for integrating physical networks using different bearers such as 10 Base 5 coax, 10 Base 2 coax and 10 Base T twisted pairs. In this case, the repeater combines the AUI, BNC and RJ45 interface. The Hub is the basic element of a 10 or 100 Base T network and is in fact a multiport repeater.
Page 96
BRIDGE
CSMA/CD filtering bridge

LAN 1
Dest@ Mac C Src@ Mac A ...
Bridging
LAN 2
Dest@ Mac B Src@ Mac A ...
Port 1 Port 0 BRIDGE
Filtering
Port 0 - @ Mac A - @ Mac B - ...

Port 1 - @ Mac C - @ Mac D - ... C
D
TCP/IP
Page 97
Interconnection is handled on layer 2. Bridges do not take account of layer 3 protocols carried in frames. They direct traffic by MAC addressing. They are totally transparent to layer 3 or higher protocols. There are two types of bridge: transparent filtering bridge used in Ethernet LANs. algorithm for loop resolution. "Source routing" bridge used in Token Ring LANs. It uses the Spanning Tree
A transparent filtering bridge handles three functions: self-training: a bridge locates stations dynamically using the "source MAC address" field. It determines the position of each station. filtering: when the bridge deduces that the sender and receiver of a frame are in the same segment (on the same side of the bridge) it does not send the frame to the other network (flow optimization). bridging: when the bridge receives a frame whose recipient is on the other network (or unknown), it regenerates the frame and sends it to the other network. An unknown recipient is a station which has not yet indicated its presence by sending a frame.
For Ethernet bridges, an option allows filtering for each type of protocol.
Page 97
BRIDGE : LIMITATIONS
CSMA/CD filtering bridge

LAN 3
LAN 1
Port 2
Dest@ Mac B Src@ Mac A ...
Port 0
BRIDGE Port 1
Bridging
Filtering
Port 0 - @ Mac A - @ Mac B - ...

Port 1 - @ Mac C - @ Mac D - ... C D LAN 2

TCP/IP
Page 98
A bridge between two Ethernet segments is used primarily to create two separate collision domains. Otherwise, it is used to interconnect two remote physical networks. However, if there are more than two segments to interconnect, the bridge becomes a handicap since it will transmit on all segments if the source and destination do not belong to the same segment. In this case, a router is required.
Page 98
ROUTER
A Network 1
Dest@ IP C Src@ IP A ...
Network 3
Port 2
Dest@ IP B Src@ IP A ...
Port 0 Port 1
Routing
Dest@ IP C Src@ IP A ...
Routing Table - Network 1 Connected to port 0 - Network 2 Connected to port 1 - Network 3 Connected to port 2 D
C Network 2
TCP/IP
Page 99
Interconnection is handled on layer 3. A router is therefore associated with a network protocol (there are multi-protocol routers). Routers direct traffic by analyzing the layer 3 address. Routers are totally transparent to layer 4 and higher protocols. As its name suggests, a router routes an incoming packet to the correct output according to the destination address. A router only receives packets which it can switch. A bridge receives all frames sent on the local network. Packets are either sent directly by the sending station, or sent by another router. The products below are available on the market: Single-protocol router The router processes the packets of only one network protocol. Multi-protocol router The router processes packets for more than one network protocol. Each network protocol is independent (separate routing tables, different routing protocols). Bridge router (B-Router) A bridge router acts as a bridge for some protocols and as a router for others: "If it cannot bridge a protocol, it routes it".
Page 99
ROUTER
Network interconnection
network 3 170.10.0.0 network 1 150.10.0.0 LL, ISDN network 2 160.10.0.0
R1
X.25, FR, ATM
R2
A
@MAC R1 @IP B
@IP B DATA @IP B @MAC R2 @IP B DATA @IP B @MAC B @IP B DATA @IP B
DATA
Network 1
DATA
R1 R2 B
Network 3
DATA
Network 2
DATA
TCP/IP
Page 100
The IP router determines the route to be taken to reach the recipient IP machine. The accessibility of an IP machine is determined on the basis of the principle below: "an IP router is required between two IP machines with different network numbers [and subnetwork numbers, where applicable]." A TCP/IP network therefore consists of a set of logical subnetworks interconnected by routers. Note: A routing table does not contain all accessible networks with associated routers. In general, the last entry in the table is a default entry and contains a default router IP address for all packets which the router is unable to switch to an explicit route. In addition, a routing table contains information concerning the relative distance of each accessible network.
Page 100
ROUTING
STATIC a route corresponds to a given address Eg. : Network 150.10.0.0 accessible via R1 in one hop DYNAMIC Routers interchange routing information for choosing the best route based on different criteria Questions: What information is interchanged? When is the information interchanged? What entity is information interchanged with? Choice criteria : metric simple : number of hops multiple : bit rate, load, reliability, etc.
TCP/IP
Page 101
Two types of routing: Static and dynamic
Static routing is the simplest. A line configured manually in the routing table indicates the interface to be used and, where applicable, the next router to be reached to send the packet to the destination network. Eg. : route add net 150.10.0.0 160.10.20.30 1. This route indicates that to reach network 150.10.0.0, the IP packet must be sent to router 160.10.20.30, reached in one hop. Dynamic routing has the advantage of automatic recognition and updating. Dynamic routing involves identifying what information is to be transmitted between routers, when, and where to. It also determines the criteria for choosing the best route. information called "metrics". The choice is based on
The minimum metric is the minimum number of hops, but there are other criteria such as bit rate, delay, load and even financial cost.
Page 101
ROUTING
Convergence time length of the routing update delay Volume of information to be interchanged low to very high Routing table size Impossible to control without an address hierarchy Impossible to control without a network hierarchy CIDR : Classless Inter Domain Routing Associates the concept of geographic prefix with class C IP addresses Eg. : 194.150.160.170 -- > 194 represents France Autonomous System Combines a significant number of networks in a single entity
TCP/IP
Page 102
Convergence time depends on the type of update (cyclic or event-driven). It can vary from a few hundred milliseconds to a few minutes. One consequence of this is that a route seen as available can in fact be blocked, and vice versa. The frequency and extent of updates (entire table or modified lines only) affects the volume interchanged which ultimately must not exceed user traffic. For large networks, it is important to limit the size of routing tables (listing all possible connections is not viable). There are two solutions: CIDR (Classless Inter Domain Routing) and autonomous systems are solutions to this problem, using hierarchical addressing which does not exist in IP (based only on the concept of the net to be reached).
Page 102
ROUTING ON THE INTERNET
Routing architecture Division of the Internet into Autonomous Systems Protocol types "Internal" (IGP) : RIP, OSPF, IS-IS, EIGRP "External" (EGP) : BGP-4
Net 1 Net 1 AS 1 Net 2 Net 3 OSPF Net 1 E.G.P. I.G.P.
RIP BGP4 Net 2
AS 3
Net 2 AS 2 Net 4
TCP/IP
Net 3 EIGRP
Page 103
An autonomous system is a way of assigning the same reference to a set of networks. The AS N is an official number assigned by the NIC (Network Information Centre). It is a 16-bit number which is inserted before the IP header. It is managed (added or deleted) only by boundary routers operating on an EGP. To date, approximately 2500 autonomous systems exist, "masking" hundreds of thousands of networks. France Tlcom is an AS.
Page 103
ROUTING : CATEGORIES
Distance Vector Routers interchange routing tables cyclically The best route has the least routers to be crossed Convergence time is lengthy Volume is significant There is a risk of looping Few processor resources are required RIP, Routing Information Protocol (IETF) IGRP, Inter Gateway Routing Protocol (Cisco) EIGRP Enhanced Inter Gateway Routing Protocol (Cisco)
TCP/IP
Page 104
There are two main routing categories: Distance vector routing and link state routing. A third category, path vector routing, is specific to BGP4 protocol. Distance vector routing is the earliest category. Routers perform only one task: interchanging routing tables. This has the advantage of simplicity. With the exception of EIGRP, the main disadvantages include high volume, slow convergence and risk of looping.
Page 104
LINK STATE Each router builds a network map Routers interchange link states on an event basis The best route incurs the lowest cost Convergence time is low Volume is low No risk of looping The process is bulky OSPF, Open Shortest Path First (IETF) IS-IS , Intermediate System to Intermediate System (ISO)
TCP/IP
Page 105
Link state protocols are reputed to offer higher performance but also use up more processing resources. Each router builds a network map from its own viewpoint, based on link information received. This principle eliminates the risk of looping. Routers transmit only those link states which have changed, and when the change occurs, convergence is very fast. Updating is said to be by "flooding" and as fast as packet transmission speed. The volume of data interchanged is very low. The main disadvantage is that the router recomputes its routes each time the state of a link changes.
Page 105
PATH VECTOR Changes in the Link State Routes are described using the path taken Each router builds a network map Routers interchange path attributes on an event basis The best path incurs the least cost (including financial) Convergence time is fast Volume is low No risk of looping BGP4, Border Gateway Protocol (IETF)
TCP/IP
Page 106
BGP4 is the path vector protocol. In fact, it is a link state protocol which also supplies the route path in terms of a list of the autonomous systems crossed. BGP can be considered as an application based on TCP.
Page 106
Interconnection : The essential
True or False
Internet is made of plenty of networks connected by routers. An IP network can contain several LANs Intelligents bridges can analyse the IP header to route packets better. Internet is shared in zones to decrease routing management traffic. Routing protocols were implemented from the beginning of Internet 30 years ago. Any IP host must know the IP address of a router to communicate with other hosts. Each time a packet enters a router, OSPF is used in order to find the right route to destination. True True False True True False
False
TCP/IP
Page 107
Page 107
Section 7 NETWORK ADMINISTRATION
TCP/IP
Page 108
Page 108
ADMINISTRATION
Objective : To Manage, Optimize, Configure, Secure, Observe, Correct

INDEPENDENTLY OF PROPRIETARY TOOLS
MANAGING CONFIGURATIONS
Mechanisms to manage and set up resources
Norms / Standards
CMIS / CMIP
Common Management Information Service / Protocol
CARRYING OUT OBSERVATIONS

Measurements, statistics, performance, load
MANAGING EVENTS
Detection, location, restart on incident, alarms
CMOT
CMIS/CMIP Over TCP/IP
MANAGING COSTS
Allocating and distributing loads
SNMP
Simple Network Management Protocol
TCP/IP
Page 109
SNMP protocol (Simple Network Management Protocol) began as a standardized protocol for managing TCP/IP networks, but nowadays is applicable to both PABXs and Frame Relay equipment. Its main advantage lies in its very general nature and in the fact that it can be extended using private objects. SNMP can be used for the administration of TCP/IP machines as well as modems, bridges and dedicated routers. SNMP administration is not hampered by costly and mutually incompatible proprietary administration tools.
Page 109
SIMPLE NETWORK MANAGEMENT PROTOCOL
MANAGER Graphics tool providing the man/machine interface The Manager sends requests and receives responses to administration commands HP Openview and SunNet Manager are SNMP Managers AGENT The agent is the Server for Client Manager requests Manager and Agent dialogue via SNMP An agent can extend SNMP requests in proprietary format (agent proxy) SNMP Agents manipulate objects MIB Management Information Base MIB I and II describe more than 200 standardized objects
TCP/IP
Page 110
SNMP is based on a few simple ideas: Network Agents which are software administrative components resident in network administerable components (IP layers, TCP layer, router, monitoring equipment, etc). Network Management Stations for processing administrative information from Network Agents and providing management services for operators. These are tools such as HP Openview and SunNet Manager. each Network Agent maintains a management database (MIB: Management Information Base) consisting of a set of objects representing administerable elements in the network. The types of objects stored in MIBs, object content, object identification techniques and the MIBs themselves are standardized by INTERNET RFCs.
Page 110
SNMP ADMINISTRATION
Manager
Server Agent
MIB
Agent Router Agent Agent Hub

MIB
MIB
Router
snmp
Agent
MIB
Agent Agent proxy
Bridge
MIB
Bridge Pabx Agent Agent
MIB
proprietary
TCP/IP
Page 111
SNMP is simply the protocol for dialogue between a Network Manager and a Network Agent. The protocol is designed to facilitate three actions: Network Manager interrogation of Eg. : Number of packets sent per second. a Network Agent's MIB contents.
Modification by the Network Manager of Network Agent MIB contents. Eg : Modifying the colour of a router icon for a threshold of 1000 packets per second. Unsolicited transmission of information messages by the Network Agent to the Network Manager. Eg : alarm generation.
The protocol does not have any sophisticated commands, such as reboot. This is because any command must be equivalent to modifying an MIB parameter. The solution chosen is bound to be the most general solution.
Page 111
SNMP PROTOCOL : 5 PDUs

AGENT MIB consultation Simple
MIB
MANAGER
Get_request (object,object,...) Get_response (value,value,...) Get_Next_request (object,object,...)
1 2 3
Multiple MIB modification
MIB
Get_response (value,value,...)
Set_request ((object,value),...)
MIB
Get_response (value,value,...)
Agent Alert
MIB
Trap (infos)
TCP/IP
Page 112
SNMP defines a set of rules for the administration of a heterogeneous network. It is a protocol for information interchange between the administration station and entities managed on the network. SNMP architecture is based on the client/server model. The network administration station is an SNMP client. The entities managed on the network are SNMP servers. SNMP uses UDP transport (some manufacturers however implement it over TCP).
Page 112
MANAGEMENT INFORMATION BASE
OSI tree
ISOITU 3
ISO 1 ORG 3 DOD 6 Internet 1 Directory 1 Mgmt 2 Experimental 3
ITU 2
Internet Branches
Directory ( 1.3.6.1.1 ) OSI directory in TCP/IP Mgmt ( 1.3.6.1.2 ) Standard MIB (MIB I and II) Experimental ( 1.3.6.1.3 ) IAB trials Private ( 1.3.6.1.4 ) Manufacturer private MIBs
TCP/IP
Private 4
Page 113
The MIB is the management information base. Management information and administration parameters are organized in a tree structure. The MIB provides an organized and general view of information managed on the network. Information in the MIB is located at a tree node and represented by a number. Rather than relating to the databases themselves, which depend primarily on the different implementations, TCP/IP architecture is primarily applicable to defining types of objects in MIBs and the way in which these object types are identified. Object types The structure of an object type defined by SMI (Structure of Management Information) is fully compliant with ASN.1 and mainly hierarchical. SMI is located at the point in the hierarchy administered by the IAB (Internet Authority Board). The root of the object type tree defined by ASN.1 has no name and has three branches: an ITU branch (number 0) introducing objects administered by the ITU (formerly CCITT). an ISO branch (number 1) introducing objects administered by the ISO. a JOINT-ISO-ITU branch (number 2).
Page 113
MANAGEMENT INFORMATION BASE
Internet tree - MIB-II

Internet
1
Directory 1
Mgmt 2
Experimental 3
Private 4
MIB-2 1
At System 3 1 Interface 2
ICMP 5 IP 4 TCP 6
UDP 7 EGP 8
CMOT 9 Trans. 10
TCP/IP
SNMP 11
Page 114
The ISO node comprises a number of branches, including: an ORG branch (number 3) for other national or international organizations. This branch itself has a number of branches, one of which is assigned to the NIST, which has handed administration over to the DOD. a DOD branch (number 6) managed by the DOD. The DOD itself Authority Board). has assigned branch number 1 to the IAB (Internet
Any point on the tree is therefore defined by a sequence of numbers for each of the nodes crossed to reach the object: the INTERNET node is referenced 1.3.6.1. Note the following: iso org dod internet MIB MIB I incorporates 114 objects in eight groups, and MIB II 170 objects in ten groups. However, it is possible to make some comments. The group structure on the first level is used to access the following information: OBJECT IDENTIFIER ::= { 1 } OBJECT IDENTIFIER ::= { iso 3 } OBJECT IDENTIFIER ::= { iso org 6 } OBJECT IDENTIFIER ::= { iso org dod 1 }
Page 114
STANDARD MIB I - II VARIABLES
Examples of variables
SysUpTime : Time elapsed since last startup (System) IfNumber : Number of network interfaces (Interface) ATTable : MAC-IP address translation table (Addr. Trans.) IPdefaultTTL : Time to live value for IP packets (Interface) IPInReceives : Number of datagrams received (IP) IPForwDatagrams : Number of datagrams forwarded (IP) IPOutNoRoutes : Number of packets routed in error (IP) IPReasmOKs : Number of packets reassembled correctly (IP) IPFragOKs : Number of packets fragmented (IP) IPRoutingTable : Routing table (IP) ICMPInEchos : Number of "Echo Request" PDUs received (IP) TCPMaxConn : Maximum number of TCP connections allowed (TCP) TCPInSegs : Number of TCP segments received (TCP) UDPInDatagrams : Number of UDP datagrams received (UDP)
TCP/IP
Page 115
Page 115
ANALYSIS OF IP NETWORKS
Solution 1:
"conventional" analyzer
Analyzer R1 R2 Local area network 2 Local area network 3 Analyzer
Analyzer
Local area network 1
Solution 2:
SNMP probe + MIB Rmon

SNMP
Probe Probe R1 R2 Local area network 2 Local area network 3

TCP/IP
Probe
Administration station
Local area network 1
Page 116
Page 116
Network management : The essential
True or False
The MIB content is sent from the manager to the agent using the SNMP protocol. Some objects are defined in MIB I and II for standard equipments, but each firm may create his own objects hierarchy. SNMP is a pragmatical protocol like any other protocol from IP world. SNMP is simple and not reliable (over UDP), so a few constructors use it. Other network management architectures exist : Q3 (with CMIP) and CORBA Without network management, an equipment can not be set up. Analysing the IP branch of the MIB II, all the characteristics of this protocol can be retrieved (like those described in this document about IP introduction) False True
True False True False True
TCP/IP
Page 117
Page 117
Section 8 SECURITY
TCP/IP
Page 118
Page 118
SECURITY
System security Password verification Minimum privileges assigned to server processes Filtering on protocols Filtering router Firewall Proxy Server Information encryption SSL S/MIME User authentication Kerberos SecurID Radius
TCP/IP
Page 119
Some TCP/IP protocols are flawed, as detailed below: ARP (no authentication from recipient), ICMP (destination unreachable, redirection messages), RIP (incorrect routing information), TELNET, FTP (password in plain text), TFTP (no password). Some known Internet attacks are listed below: TCP Splicing 1) 2) 3) The pirate monitors the client-server connection. The pirate saturates the client station. The pirate replaces the client in dialogue with the server.
TCP Flooding 1) 2) 3) The pirate floods the server with connection requests containing an invalid source address. The server responds (ACK, SYN) and reserves buffers. No response follows. Actual clients risk service denial.
LAND Attack TCP Flooding with @IP, source port N = @IP, dest port N
Page 119
THE FILTERING ROUTER SOLUTION
Private addresses 150.10.0.0
Public addresses 192.170.145.0 ISDN, LL X.25, FR, ATM
INTRANET
ISP
Filtering router
I N T E R N E T
Filtering of: address, appli, protocol Network Address Translation

TCP/IP
Page 120
Filtering is effective on: Authorized IP addresses. Authorized Client-Server combinations. Communication protocol fields (IP, ICMP, TCP, UDP). Authorized application port numbers.
These access-list functions are incorporated in most commercially available routers.
Page 120
THE INTERNET FIREWALL SOLUTION
Secured transparent access to Internet servers Intranet

ISDN, LL X.25, FR, ATM
ISP
Firewall
I N T E R N E T
TCP/IP
Page 121
Firewalls provide the same facilities but are more extensive than restriction lists. The principle is similar. Filtering based on communication protocol. Filtering based on applications. Filtering based on users. Log files and usage statistics. Possible management of complex networks: VPN : Virtual Private Network. DMZ : Demilitarized Zone. NAT : Network Address Translation.
Page 121
THE PROXY SERVER SOLUTION
Powerful, non-transparent access to Internet applications Intranet
ISDN, LL X.25, FR, ATM
ISP
Proxy Server
I N T E R N E T
TCP/IP
Page 122
Application filtering (HTTP, FTP, etc) A user connection is required for each type of service. - difficult if the application is not supported by the proxy. Optimizes the bandwidth towards the Internet by using a disk cache for information viewed on the Internet. Effective filtering of authorized/prohibited sites. Address masking: a unique address for the Internet.
Page 122
INFORMATION SECURITY
OBJECTIVES
Integrity Data must not be altered Authentication The recipient must be sure of the sender's identity Confidentiality Data must not circulate unencrypted Non-Repudiation The recipient must hold a proof of sending
TCP/IP
Page 123
Symmetric key encryption DES (Data Encryption Standard): Created by IBM, 56-bit key. Rapid information encryption.
Triple DES (up to 168 bits): Triple encryption with three different keys.
RC2 and RC4: Created by RSA Data Security, variable length key. Faster than DES.
IDEA (International Data Encryption Algorithm): Created in 1991, 128-bit key.
Asymmetric key encryption: RSA (Rivest Shamir Adelman).
The key length determines the encryption quality: 40 bits : weak key 56 bits : robust key 168 bits : inviolable
Page 123
SYMMETRIC KEY ENCRYPTION
This is a private message
Mr X
xxxxxxxx xxxxxxx xxxxxxx
Mrs Y
Mr X creates the message and encrypts it using the key known to himself and Mrs Y He sends the encrypted message over the network Mrs Y receives the encrypted message and decodes it using the key
TCP/IP
Page 124
Page 124
ASYMMETRIC KEY ENCRYPTION
Mr X
Mrs Y's public key
Mrs Y
Mrs Y's private key
Mrs Y creates two keys, one private and known to no-one else, and one public which is circulated over the network Mr X creates the message and encrypts it using Mrs Y's public key He sends the encrypted message over the network Mrs Y receives the encrypted message and decodes it using a private key (only she can decode the message, guaranteeing that no-one other than Mr X and Mrs Y can read the message) If Mrs Y wants to reply, she uses Mr X's public key
TCP/IP
Page 125
Page 125
COMBINED SYMMETRIC / ASYMMETRIC KEY
Information confidentiality
xxxxxxxxx xxxxxx xxxxxxx Session key
Mr X
Session key Mrs Y's private key xxxxxxxxx xxxxxx xxxxxxx
Mrs Y
Mrs Y's public key
Mr X encrypts the message using a symmetric key created specifically for this purpose. Mr X then encrypts the session key using Mrs Y's public key and sends all this information to Mrs Y. Mrs Y decodes the session key using her private key, then decodes the message using the session key.
TCP/IP
Page 126
Page 126
Section 9 IP VERSION 6
TCP/IP
Page 127
Page 127
IP VERSION 6
Addressing space running out 128-bit addresses Routing table size 128-bit addresses organized hierarchically Lack of security Authentication mechanism Incorporation of new services Machine mobility Simplicity of configuration New applications (multimedia, VoD, remote control, ...) New version of IP protocol extends the addressing and routing function broadcasts superseded by anycasts introduces quality of service information (real time applications, multipoint, security, etc)
TCP/IP
Page 128
Page 128
IP V6 : HEADER
32 bits 4 bits Vers Pri. Payload Length 16 bits Flow Label Next Header 8 bits Source Address (128 bits) 40 octets Hop Limit
Destination Address (128 bits)

TCP/IP
Page 129
Header extension for options: IPv6 options are placed in separate headers, inserted between the IPv6 header and the transport layer header. Easy introduction of new data. Option field length no longer limited to 40 octets.
Autoconfiguration: "plug and play": Mobility management. Easy renumbering on change of service provider. Address server (DHCP : Dynamic Host Configuration Protocol).
Multipoint (Multicast) included in base: For routers and clients. scope = best routing for multicast packets. "Marking" of special flows (Flow Label): Real time applications, Quality of service. Priority of control traffic.
Security: Authentication and data integrity. Optional: confidentiality.
Source-based routing: Source Demand Routing Protocol.
Page 129
IP V6 ADDRESSING
Unicast address general format 3 5 16
Provider identifier
16
32
Subnetwork identifier
Format Registry Prefix identifier
Subscriber Subscriber type identifier
Example: Site local addresses: Intranet with router 1111 1110 11

Prefix Not used Subnetwork Isolated Intranet Interface
32
Examples: Link local addresses: network with no router 1111 1110 10

Prefix
Not used
@ MAC interface
TCP/IP
Page 130
16 octets (instead of 4 in the current version) Notation: ABCD:A987:8765:6543:FEDC:BA98:7654:3210 AB98:0:0:0:7:467:AEDC:500 AB98::7:467:AEDC:500 3 broad categories of address: Multicast 1 packet to N machines. Anycast 1 packet to at least one machine. Unicast 1 packet to one machine. 5 address classes: 1 Multicast, 1 Anycast, 3 Unicast. Differentiated in initial address bits.
Page 130
The essential of the essential
True or False
To entirely secure a private network, we just have to install a firewall in order to connect to the Internet. A proxy server is a singular router; so, it s also an IP host. IP v6 evolution is necessary, because of a penury of addresses. False
True True
Exercice
From home, you want to connect to a commercial Internet site in order to buy a CD on-line. Please complete the schema of the following page by drawing and naming the networks transitted to reach the Internet site, as well as their equipments Show and name the protocols used to make this connection work.
TCP/IP
Page 131
Page 131
The essential of the essential
SHTTP/SSL/TCP/IP/...
Your PC
LAN
Server Y
Modem
OSPF or RIP or ...

PSTN
AS
IP/PPP
ISP
AS Internet Server POP3

Proxy
TCP/IP
SNMP Manager
Page 132
Page 132
Glossary : A - I
ARP BOOTP DHCP DNS FTP HTML HTTP IAB IETF IP IRTF ITU-T
Address Resolution Protocol Boot Protocol Dynamic Host Configuration Protocol Domain Name Service File Transfer Hyper Text Markup Language Hyper Text Transfer Protocol Internet Activities Board Internet Ingineering Task Force Internet Protocol Internet Research Task Force International Telecommunications Union - Telecom
TCP/IP
Page 133
Page 133
Glossary : L - R
LAN MAN MIB NIC OSI OSPF PDU POP PPP RFC RPC
Local Access Network Metropolitan Access Network Model Information Base Network Information Center Open System Interconnexion Open Shortest Path First Packet Data Unit Post Office Protocol Point to Point Protocol Request For Comment Remote Procedure Call
TCP/IP
Page 134
Page 134
Glossary : S - Z
SDU SHTTP SLIP SMTP SNMP SSL TCP UDP WWW
Service Data Unit Secured HTTP Serial Link Internet Protocol Simple Mail Transfer Protocol Simple Network Management Protocol Secured Socket Layer Transmission Control Protocol User Datagram Protocol World Wide Web
TCP/IP
Page 135
Page 135

My Intro IP3

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

My Intro IP3

Încărcat de

Drepturi de autor:

Formate disponibile

INTRODUCTION TO IP NETWORKS

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Section 1 INTRODUCTION TO TCP/IP

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Application Presentation Session Management of application connections

End-to-end management Network interconnection

Data link Physical

Physical bearer access method

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

1.2 Layered architecture

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

The information to be transported is "encapsulated" on transition into a layer.

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

CONNECTION-ORIENTED AND CONNECTIONLESS MODE

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

TCP/IP communication complies with the CLIENT-SERVER model

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

SPX IPX FDDI DQDB MAN

Ethernet Token Ring LAN

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

IP-RELATED ORGANIZATIONS ISOC ("internet society")

IAB (Internet Activities Board)

IETF (Internet Engineering Task Force)

IRTF (Internet Research Task Force)

NICs (Network Information Centre)

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Internet Engineering Task Force :

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

REQUESTS FOR COMMENTS

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

RFCs specify whether implementation is mandatory, recommended, optional or not recommended.

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Telnet SMTP DNS FTP X-Window

TFTP SNMP NNTP DHCP HTTP

NFS XDR RPC

ARP HDLC, LAP-B X21, V35, S, T WAN

Ethernet Token Ring LAN

Session, Presentation and Application layers:

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Introduction : The essential

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Section 2 IP LAYER PROTOCOLS

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

IP LAYER IP is a protocol that can be routed in connectionless mode

IP needs a transport protocol IP is non-reliable

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Alcatel University - 8AS 90145 0007 VH ZZA Ed.02

Class A : NET ID 1st octet, Host ID 3 octets

Class B : NET ID 2 octets, Host ID 2 octets