CIS 3360: Security in Computing Pre-Knowledge: Internet and Networking Cliff Zou Spring 2012

Upload: roland-mccoy

Post on 23-Dec-2015


Page 1: CIS 3360: Security in Computing Pre-Knowledge: Internet and Networking Cliff Zou Spring 2012

CIS 3360: Security in Computing
Pre-Knowledge: Internet and Networking
Cliff Zou, Spring 2012

Page 2: Objectives

Obtain the basic knowledge of computer networking and the Internet
Concepts of network applications, Internet
Basic knowledge of network protocols: TCP/IP

Reading assignment: Wikipedia tutorials:
http://en.wikipedia.org/wiki/Internet
http://en.wikipedia.org/wiki/TCP/IP

Reference book: Computer Networking: A Top Down Approach Featuring the Internet, 5th edition. Jim Kurose, Keith Ross, Addison-Wesley, Pearson Education, 2010

Page 3: Lecture Materials

Some of these slides are adapted from the slides copyrighted by Jim Kurose, Keith Ross, Addison-Wesley, Pearson Education, 2010.
Computer Networking: A Top Down Approach Featuring the Internet, 5th edition.

Page 4: A Little Bit of Internet History

1961: Kleinrock - queueing theory shows effectiveness of packet-switching
1967: ARPAnet conceived by Advanced Research Projects Agency
1969: First ARPAnet node operational
1972: 15 nodes in ARPAnet; first e-mail program
1973: Metcalfe’s PhD thesis proposes Ethernet
1974: Cerf and Kahn - architecture for interconnecting networks
1983: deployment of TCP/IP
1982: SMTP e-mail protocol defined
1983: DNS defined for name-to-IP-address translation
early 1990s: Web
Late 1990’s – 2000’s: instant messaging, P2P file sharing; network security; est. 50 million hosts, 100 million+ users; backbone links running at Gbps

Page 5: Cerf and Kahn’s internetworking principles

minimalism, autonomy - no internal changes required to interconnect networks
best effort service model
stateless routers
decentralized control
These principles define today’s Internet architecture

Page 6: What is the Internet?

[Figure: the protocol stacks of two communicating hosts side by side, with the services at each layer]
Application: Web, Email…
Transport: TCP, UDP
Network: IP
Data Link / Physical link: Ethernet, cellular

Page 7: Some Internet applications

E-mail
Web
Instant messaging
Remote login
P2P file sharing
Multi-user network games
Streaming stored video clips
Internet telephone
Real-time video conference
Massive parallel computing

Page 8: Internet

Internet: loosely hierarchical “network of networks”
Major components: hosts, routers, communication links
Protocols: for sending, receiving of msgs, e.g., TCP, IP, HTTP, FTP, PPP
Internet standards: RFC: Request for Comments; IETF: Internet Engineering Task Force

[Figure: local ISP, company network, regional ISP; router, workstation, server, mobile]

Page 9: Internet: Three Components

End systems (hosts): millions of connected computing devices executing network applications
Routers: forwarding packets (chunks of data)
Communication links: connecting hosts and routers; fiber, copper, radio, satellite; transmission rate = bandwidth

[Figure: local ISP, company network, regional ISP; router, workstation, server, mobile]

Page 10: Internet Service

Communication infrastructure enables distributed applications: Web, email, games, e-commerce, file sharing
Communication services provided to applications: connectionless unreliable; connection-oriented reliable

Page 11: Internet structure: network of networks

roughly hierarchical
at center: “tier-1” ISPs (e.g., UUNet, BBN/Genuity, Sprint, AT&T), national/international coverage; treat each other as equals
Tier-1 providers interconnect (peer) privately
Tier-1 providers also interconnect at public network access points (NAPs)

[Figure: three Tier 1 ISPs peering privately and at a NAP]

Page 12: Internet structure: network of networks

“Tier-2” ISPs: smaller (often regional) ISPs
Connect to one or more tier-1 ISPs, possibly other tier-2 ISPs
Tier-2 ISP pays tier-1 ISP for connectivity to rest of Internet; tier-2 ISP is customer of tier-1 provider
Tier-2 ISPs also peer privately with each other, interconnect at NAP

[Figure: three Tier 1 ISPs and a NAP, with five Tier-2 ISPs attached below them]

Page 13: Internet structure: network of networks

“Tier-3” ISPs and local ISPs: last hop (“access”) network (closest to end systems)
Local and tier-3 ISPs are customers of higher tier ISPs connecting them to rest of Internet

[Figure: Tier 1 ISPs and NAP at the top, Tier-2 ISPs below them, local ISPs and a Tier 3 ISP at the edge]

Page 14: Internet structure: network of networks

a packet passes through many networks!

[Figure: the same Tier 1 / NAP / Tier-2 / local ISP / Tier 3 ISP hierarchy as on the previous slide]

Page 15: “Real” Internet delays and routes

What do “real” Internet delay & loss look like?
Traceroute program: provides delay measurement from source to router along end-end Internet path towards destination. For all i:
sends three packets that will reach router i on path towards destination
router i will return packets to sender
sender times interval between transmission and reply

[Figure: 3 probes sent to each router along the path]

Page 16: “Real” Internet delays and routes

traceroute: gaia.cs.umass.edu to www.eurecom.fr

1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms

Hop 1 shows the three delay measurements from gaia.cs.umass.edu to cs-gw.cs.umass.edu
The jump in delay between hops 7 and 8 is the trans-oceanic link
* means no response (probe lost, router not replying)
Under Windows is “tracert”

Page 17: Traceroute from My Home Computer

[Figure: traceroute output from the instructor’s home computer]

Page 19: Where a Router is Placed?

There are many public websites that provide IP location service: www.geobytes.com/iplocator.htm, http://www.iplocation.net/
Based on traceroute and an IP locator, you can know the complete routing path of a connection
This is a major reason why many networks block traceroute traffic

Page 20: Protocol

network protocols: all communication activity in Internet governed by protocols
Protocols define format, order of messages sent and received among network entities, and actions taken on message transmission, receipt

Page 21: What’s a protocol?

a human protocol and a computer network protocol:

[Figure: two exchanges drawn over a time axis]
Human protocol: “Hi” / “Hi” / “Got the time?” / “2:00”
Network protocol: TCP connection request / TCP connection response / Get http://www.awl.com/kurose-ross / <file>

Page 22: A closer look at network structure

network edge: applications and hosts
network core: routers, network of networks
Connection: communication links

Page 23: The network edge

end systems (hosts): run application programs, e.g. Web, email, at “edge of network”
client/server model: client host requests, receives service from always-on server, e.g. Web browser/server; email client/server
peer-peer model: minimal (or no) use of dedicated servers, e.g. Gnutella, KaZaA

Page 24: Network edge: connection-oriented service

TCP [Transmission Control Protocol]
reliable, in-order byte-stream data transfer; loss: acknowledgements and retransmissions
flow control: sender won’t overwhelm receiver
congestion control: senders “slow down sending rate” when network congested
Examples of applications using TCP: HTTP (Web), FTP (file transfer), SSH (remote secure login), SMTP (email)

Page 25: Network edge: connectionless service

UDP [User Datagram Protocol]
connectionless; unreliable data transfer; no flow control; no congestion control
Examples of applications using UDP: streaming media, teleconferencing, DNS, Internet telephony

Page 26: The Network Core

mesh of interconnected routers
data transfer methods through net:
circuit switching: dedicated circuit per call: telephone net
packet-switching: data sent through net in discrete “chunks”

Page 27: Circuit Switching

End-end resources reserved for “call”
call setup required
link bandwidth, switch capacity
dedicated resources: no sharing
circuit-like (guaranteed) performance

Page 28: Packet-switched networks

Move packets through routers from source to destination
datagram network: destination address in packet determines next hop; routes may change during session
virtual circuit network: each packet carries tag (virtual circuit ID), tag determines next hop; fixed path determined at call setup time, remains fixed thru call; routers maintain per-call state

Page 29: Internet protocol stack

application: supporting network applications: FTP, SMTP, HTTP
transport: host-host data transfer: TCP, UDP
network: routing of datagrams from source to destination: IP, routing protocols
link: data transfer between neighboring network elements: PPP, Ethernet
physical: bits “on the wire or wireless”

[Figure: the five-layer stack: application, transport, network, link, physical]

Page 30: Encapsulation

[Figure: message M leaves the source application; the transport layer adds header Ht (segment), the network layer adds Hn (datagram), the link layer adds Hl (frame). A switch on the path processes only the link and physical layers; a router processes network, link and physical; the destination strips the headers in reverse order up to its application.]

Page 31: Message Flow

transport segment from sending to receiving host
on sending side, encapsulates segments into datagrams
on receiving side, delivers segments to transport layer
network layer protocols in every host, router
router examines header fields in all IP datagrams passing through it

[Figure: the two end hosts run full stacks (application, transport, network, data link, physical); each router in between implements only network, data link and physical]

Page 32: TCP/IP Introduction

Page 33: TCP Transport Layer, IP Network Layer

Networking security mainly deals with these two services/protocols

Page 34: Transport Layer

TCP - connection-oriented service
Provide reliable data transmission
Used by most data-based, not time-sensitive network applications: Email, Web, file transfer….
Require to set up TCP connection channel first

UDP – connectionless service
Unreliable data transmission
Error packets will be discarded without retransmission
No additional delay for future incoming packets
Used for time-sensitive, error-tolerant applications: VOIP, video streaming, DNS….

Page 35: Transport vs. network layer

network layer: logical communication between hosts
transport layer: logical communication between processes; relies on, enhances, network layer services

[Figure: hosts A, B, C, D with two flows labelled Sport:4625 Dport: 80 and Sport:8050 Dport: 25]

Page 36: Addressing processes

to receive messages, process must have identifier
identifier includes both IP address and port numbers associated with process on host
host device has unique 32-bit IP address
IP address is for addressing a host/computer
Example port numbers: HTTP server: 80; Mail server: 25
to send HTTP message to gaia.cs.umass.edu web server: IP address: 128.119.245.12, Port number: 80

Page 37: TCP and UDP Port Numbers

16 bits (0 – 65535)
Internet Assigned Numbers Authority (IANA) www.iana.org
Well known ports (0 – 1023). Example: HTTP – 80, SMTP – 25
Registered ports (1024 – 49151). Example: HTTP alternate 8080, used for web proxy and caching server
Dynamic and/or private ports: (49152 – 65535)

Page 38:

Each TCP connection is identified by 4-tuple: source IP address, source port number, dest IP address, dest port number
These four values are widely used in network filtering and intrusion detection

Page 39: UDP Packet Header

UDP packet header is 8 bytes long
Port number is 16 bits long
Checksum for verifying packet error

[Figure: UDP segment format, 32 bits wide: source port #, dest port # | length, checksum | application data (message). Length is in bytes of the UDP segment, including the header]

Page 40: UDP Transmission Process

[Figure: Host A sends Packet 1 to Packet 5 to Host B over time; one packet is marked X (lost) and is never resent]
No acknowledgement from recipient
Sending rate is controlled by sender (bounded by sender’s bandwidth)

Page 41: TCP Transmission Process (simplified, without considering pipelining)

Need sequence # and acknowledge # to distinguish each packet

Page 42: TCP segment structure (Header is 20 bytes normally)

[Figure: TCP segment format, 32 bits wide: source port #, dest port # | sequence number | acknowledgement number | head len, not used, U A P R S F flag bits, Receive window | checksum, Urg data pointer | Options (variable length) | application data (variable length)]
URG: urgent data (generally not used)
ACK: ACK # valid
PSH: push data now
RST, SYN, FIN: connection estab (setup, teardown commands)
Receive window: # bytes rcvr willing to accept
Sequence and acknowledgement numbers: counting by bytes of data (not segments!)
checksum: Internet checksum (as in UDP)
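An added example, not from the slides, covering pages 39 and 42 together: it builds and decodes the 8-byte UDP header and the 20-byte TCP header with `struct`, and implements the Internet checksum both headers use, computed over the IPv4 pseudo-header as the protocols require. Addresses, ports and payloads are constructed here (192.0.2.0/24 is the documentation range); the function names are this example's own. The checksum routine is also what lets a packet filter reject a segment whose length field lies about its size.

```python
import socket
import struct

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field
PROTO_TCP, PROTO_UDP = 6, 17


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; TCP and UDP both use it."""
    if len(data) % 2:
        data += b"\x00"                              # odd length: pad the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, proto, length):
    """IPv4 pseudo-header: the checksum also covers the addresses, so a segment
    delivered to the wrong host (or with a forged address) fails verification."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, proto, length)


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """8-byte UDP header (ports, length incl. header, checksum) in front of the payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF                                # 0 means "no checksum" in UDP; send all-ones instead
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(segment):
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "payload": segment[8:length]}


def udp_checksum_ok(src_ip, dst_ip, segment):
    """Recomputing over pseudo-header + segment (checksum field included) gives 0 when valid."""
    length = parse_udp(segment)["length"]
    if length < 8 or length > len(segment):
        return False                                 # length field does not match what arrived
    return internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + segment[:length]) == 0


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flag_names, window=65535, payload=b""):
    """TCP segment with no options (head len = 5 words = 20 bytes) and a valid checksum."""
    flags = sum(1 << TCP_FLAGS.index(f) for f in flag_names)
    off_flags = (5 << 12) | flags                    # 4-bit header length in 32-bit words, then flag bits
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, 20 + len(payload)) + header + payload)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, csum, 0) + payload


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header; options follow when head len > 20."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": hlen,
        "flags": {name: bool(off_flags & (1 << i)) for i, name in enumerate(TCP_FLAGS)},
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": segment[20:hlen], "payload": segment[hlen:],
    }


def tcp_checksum_ok(src_ip, dst_ip, segment):
    return internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(segment)) + segment) == 0


if __name__ == "__main__":
    # Constructed sample traffic: a 5-byte datagram to port 53 and a SYN to port 80.
    udp = build_udp("192.0.2.10", "192.0.2.53", 49152, 53, b"hello")
    print(parse_udp(udp), udp_checksum_ok("192.0.2.10", "192.0.2.53", udp))
    syn = build_tcp("192.0.2.10", "192.0.2.80", 4625, 80, 1000, 0, ["SYN"])
    print(parse_tcp(syn)["flags"], tcp_checksum_ok("192.0.2.10", "192.0.2.80", syn))
```

A corrupted payload or a changed source address both make `udp_checksum_ok` return False, which is the point of covering the pseudo-header. Note the checksum is an error check, not an authenticity check: anyone who rewrites a segment can recompute it.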

Page 43: TCP seq. #’s and ACKs

Seq. #’s: byte stream “number” of first byte in segment’s data
ACKs: seq # of next byte expected from other side
Cumulative ack: ack to receive all bytes until the specified #
Q: how does the receiver handle out-of-order segments? TCP spec doesn’t say. Practical approach: save in buffer
Q: How does TCP implement duplex communication? Seq. # for sending data, Ack # for receiving data

Page 44: An example of TCP Duplex Communication

[Figure: simple telnet scenario between Host A (user) and Host B, drawn over time; A’s initial sequence number is 42, B’s is 79]
Host A to Host B: Seq=42, ACK=79, data = ‘john’ (user)
Host B to Host A: Seq=79, ACK=46, data = ‘pass’ (host ACKs receipt, sends back “use password”)
Host A to Host B: Seq=46, ACK=83, data = ‘CNT4704’ (host ACKs receipt, echoes back ‘pass’)
Sequence number is based on bytes, not packets!

Page 45: ACK Only in Duplex Communication?

[Figure: continuation of the telnet scenario over time]
Seq=79, ACK=46, data = ‘pass’ (host ACKs receipt, sends back “use password”)
Seq=46, ACK=83, data = ‘CNT4704’
Seq=83, ACK=53, no data section
ACK only packet: seq # is the first byte to be transmitted in the future (the packet has no data section)

Page 46: TCP: retransmission scenarios

[Figure: two time diagrams between Host A and Host B]
Lost ACK scenario: A sends Seq=92, 8 bytes data; B’s ACK=100 is lost (X); A’s Seq=92 timeout fires and A retransmits Seq=92, 8 bytes data; B replies ACK=100; SendBase = 100.
Premature timeout scenario: A sends Seq=92, 8 bytes data, then Seq=100, 20 bytes data; A’s Seq=92 timeout fires before the ACKs arrive and A retransmits Seq=92, 8 bytes data; B’s ACK=100 arrives (SendBase = 100), then ACK=120 (SendBase = 120); B answers the retransmission with ACK=120 again (SendBase stays 120).

Page 47: TCP retransmission scenarios (more)

[Figure: two time diagrams between Host A and Host B]
Cumulative ACK scenario: A sends Seq=92, 8 bytes data, then Seq=100, 20 bytes data; B’s ACK=100 is lost (X) but ACK=120 arrives before the Seq=92 timeout, so SendBase = 120 and nothing is retransmitted.
Premature timeout scenario (repeated from the previous slide): A sends Seq=92, 8 bytes data, then Seq=100, 20 bytes data; the Seq=92 timeout fires early and A retransmits Seq=92; ACK=100 arrives (SendBase = 100), then ACK=120 (SendBase = 120), then the ACK=120 for the retransmission (SendBase stays 120).

Page 48: TCP Connection Setup --- Three-Way Handshaking

Step 1: client host sends TCP SYN segment to server; specifies initial seq #; no data
Step 2: server host receives SYN, replies with SYN/ACK segment; server allocates buffers; specifies server initial seq. #
Step 3: client receives SYN/ACK, replies with ACK segment, which may contain data

[Figure: client to server: SYN, seq=client_seq; server to client: SYN/ACK, seq=server_seq, ack=client_seq+1; client to server: ACK, seq=client_seq+1, ack=server_seq+1]

Page 49: TCP Connection Setup

Most firewalls, packet capturing software, and intrusion detection software use TCP connection setup packets to determine how to deal with the new connection
Very important to understand the three-way handshake

Page 50: TCP Connection Management (cont.)

Closing a connection: close();
Step 1: client end system sends TCP/FIN control segment to server
Step 2: server receives FIN, replies with ACK. Closes connection, sends FIN.

[Figure: client sends FIN (close); server replies ACK, then FIN (close); client replies ACK and enters timed wait, then closed]

Page 51: TCP Connection Management (cont.)

Step 3: client receives FIN, replies with ACK. Enters “timed wait” - will respond with ACK to received FINs
Step 4: server receives ACK. Connection closed.

[Figure: client FIN, server ACK, server FIN, client ACK; both sides go from closing to closed, the client after its timed wait]

Some applications simply send RST to terminate TCP connections immediately
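Page 49 says firewalls and intrusion detection systems decide what to do with a connection from its setup packets; the following added example (not from the slides) shows the minimal state machine such a stateful filter keeps. Connections are keyed by the 4-tuple of page 38, advanced through the three-way handshake of page 48 and the FIN exchange of pages 50 and 51, dropped at once on RST, and the tracker raises an alert when a packet arrives for a connection it never saw a SYN for, or when an ACK number does not match the peer's initial sequence number plus one. Addresses, ports and sequence numbers are constructed, and `Packet`, `flow_key` and `ConnectionTracker` are this example's own names.

```python
from collections import namedtuple

# Just the fields the tracker needs from a decoded TCP/IP packet (constructed, not a real capture).
Packet = namedtuple("Packet", "src_ip sport dst_ip dport flags seq ack")


def flow_key(pkt):
    """Direction-independent 4-tuple so both halves of a connection map to one table entry."""
    a, b = (pkt.src_ip, pkt.sport), (pkt.dst_ip, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ConnectionTracker:
    """Follows handshake and teardown the way a stateful filter does; keeps no payload."""

    def __init__(self):
        self.table = {}       # flow_key -> {"state", "client", "client_isn", "server_isn"}
        self.alerts = []      # (reason, flow_key, detail)

    def observe(self, pkt):
        key, flags = flow_key(pkt), set(pkt.flags)
        entry = self.table.get(key)

        if "RST" in flags:                                # abort from either side: no graceful close
            if entry:
                entry["state"] = "CLOSED"
            return entry["state"] if entry else "NONE"

        if entry is None:
            if flags == {"SYN"}:                          # step 1: only a bare SYN may open a flow
                self.table[key] = {"state": "SYN_SENT", "client": (pkt.src_ip, pkt.sport),
                                   "client_isn": pkt.seq, "server_isn": None}
                return "SYN_SENT"
            self.alerts.append(("no-handshake", key, tuple(sorted(flags))))   # mid-stream or spoofed
            return "NONE"

        state = entry["state"]
        from_client = (pkt.src_ip, pkt.sport) == entry["client"]
        if state == "SYN_SENT" and flags == {"SYN", "ACK"} and not from_client:
            if pkt.ack != entry["client_isn"] + 1:        # step 2 must acknowledge client_seq+1
                self.alerts.append(("bad-ack", key, pkt.ack))
            else:
                entry["server_isn"] = pkt.seq
                entry["state"] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and "ACK" in flags and from_client:
            if pkt.ack == entry["server_isn"] + 1:        # step 3 must acknowledge server_seq+1
                entry["state"] = "ESTABLISHED"
            else:
                self.alerts.append(("bad-ack", key, pkt.ack))
        elif state == "ESTABLISHED" and "FIN" in flags:
            entry["state"] = "FIN_WAIT"                   # first FIN (from either side)
        elif state == "FIN_WAIT" and "FIN" in flags:
            entry["state"] = "CLOSING"                    # second FIN; waiting for its ACK
        elif state == "CLOSING" and "ACK" in flags:
            entry["state"] = "CLOSED"
        return entry["state"]


def handshake_and_close():
    """Page 48 handshake, then the page 50/51 FIN exchange, on constructed addresses."""
    t = ConnectionTracker()
    c, s = ("192.0.2.10", 4625), ("192.0.2.80", 80)     # client ephemeral port, server HTTP port
    cseq, sseq = 1000, 5000                              # constructed initial sequence numbers
    states = [
        t.observe(Packet(*c, *s, ("SYN",), cseq, 0)),
        t.observe(Packet(*s, *c, ("SYN", "ACK"), sseq, cseq + 1)),
        t.observe(Packet(*c, *s, ("ACK",), cseq + 1, sseq + 1)),
        t.observe(Packet(*c, *s, ("FIN", "ACK"), cseq + 1, sseq + 1)),   # client close()
        t.observe(Packet(*s, *c, ("ACK",), sseq + 1, cseq + 2)),
        t.observe(Packet(*s, *c, ("FIN", "ACK"), sseq + 1, cseq + 2)),   # server close()
        t.observe(Packet(*c, *s, ("ACK",), cseq + 2, sseq + 2)),
    ]
    return states, t.alerts


def stray_packets():
    """A SYN/ACK with no SYN before it, then a SYN answered by RST (port refused)."""
    t = ConnectionTracker()
    c, s = ("192.0.2.10", 4626), ("192.0.2.80", 80)
    st1 = t.observe(Packet(*s, *c, ("SYN", "ACK"), 7000, 1))
    st2 = t.observe(Packet(*c, *s, ("SYN",), 2000, 0))
    st3 = t.observe(Packet(*s, *c, ("RST",), 0, 2001))
    return st1, st2, st3, t.alerts


if __name__ == "__main__":
    print(handshake_and_close())
    print(stray_packets())
```

The alert list is what a defender would feed into logging: a `no-handshake` entry means traffic for a connection this device never saw established, which is exactly the case a stateful firewall drops by default.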