Network Architecture: IP Protocol Stack


Presentation Transcript


  1. Network Architecture: IP Protocol Stack
  Guilin Wang, The School of Computer Science, L02

  2. Outline
  • Internet Protocols (IP)
    - The role of an IP
    - IPv4
    - IPv6
  • Transport Protocols
    - TCP
    - UDP
  • Protocol Architecture & Security
  Network Security

  3. 1. Internet Protocol
  ■ An internet protocol (IP) provides the functionality for interconnecting end systems across multiple networks.
  ■ IP is implemented in all end systems and in the routers that connect the networks.
  ■ High-level source data are encapsulated in an IP protocol data unit (PDU) for transmission.
  ■ The PDU is then passed through one or more networks and routers to reach the destination end system.

  4. 1. Internet Protocol: Routers
  To interconnect networks, routers need to cope with the following differences:
  ■ Addressing schemes: A global network addressing solution is needed to identify networks, which may use different kinds of network addresses.
    - IEEE 802 LAN: 16-bit or 48-bit binary addresses.
    - X.25 public packet-switching network: 12-digit decimal addresses (each digit encodes 4 bits).
  ■ Fragmentation: Packets may have to be broken into smaller ones for onward transmission, since each network may have a different maximum packet size.
    - Ethernet: 1500 bytes; X.25: usually 1000 bytes.

  5. 1. Internet Protocol: Routers
  ■ Interfaces: Different networks have different hardware and software interfaces. Routers should be independent of these differences.
  ■ Reliability: The operation of the routers should not depend on the reliability of the underlying networks, which may provide anything from a reliable end-to-end circuit to an unreliable service.
  The following example illustrates the operation of routers in the TCP/IP protocol suite.

  6. 1. Internet Protocol: TCP/IP Example
  (Figure: routers between end systems X and Y in the TCP/IP example.)

  7. 1. Internet Protocol: TCP/IP Example
  Consider the transfer of a block of data m from X to Y.
    - At X: The IP layer receives m from TCP, to be sent to Y.
    - At X: IP forms the IP packet m’ by attaching an IP header that contains the global internet address of Y.
    - At X: IP recognizes that Y is on another subnetwork, so m’ should first be forwarded to router 1.
    - At X: The lower layers transfer a packet m’’ to router 1.
    - At router 1: Recover m’ from m’’ and examine the ultimate destination Y.
    - At router 1: Send m’ to router 2 via the intermediate network, where different IP protocols may be used.
    - At router 2: Create a new IP packet and send it to Y.

  8. 1. Internet Protocol: TCP/IP Example
  Further remarks:
  ■ IP must be implemented in all end systems and in all routers on all networks. However, routers do not need the higher-level protocols above IP.
  ■ The IP service is unreliable. That is, any of the following may happen: data corruption, out-of-order delivery, duplicate arrival, and loss.
  ■ This approach provides good flexibility, i.e., it places no particular reliability requirements on subnetworks.
  ■ Recovering from errors is the responsibility of the next higher layer (TCP in this case).

  9. 1. Internet Protocol: IPv4 & IPv6
  For decades, Internet Protocol version 4 (IPv4) has been the keystone of the TCP/IP protocol architecture.
  ■ Addresses look like 147.188.191.11. UoB has the entire range 147.188.x.x (65k addresses), a class B address.
  ■ American universities and large companies often have class A addresses: HP has 15.x.x.x (10M addresses).
  ■ Up to 2^32 (about 4.3 billion) addresses in total, but not fairly shared.
    - China doesn’t have any class A or B addresses.
  ■ Routing tables are still very messy, though addressing has some geographical coherence.

  10. 1. Internet Protocol: IPv4 & IPv6
  In 1996, IPv6 was specified as an Internet standard.
  ■ The driving force was the need for more addresses:
    - IPv6 supports 128-bit addresses, i.e., about 10^38 addresses in total, or 10^28 addresses for every person alive today.
  ■ IPv6 provides functional enhancements over IPv4.
    - Accommodating high-speed networks and mixed transfer of data streams, including graphics and video.
  ■ IPv6 offers better security (IPSec).
  ■ Korea, Japan and China have significant deployments of IPv6.
  ■ As a major new network for the UK, BT’s 21CN is based on IPv4.

  11. 1. Internet Protocol: IPv4 & IPv6
  Next, we discuss the format of the IP header. What kinds of information should be included in the IP header?

  12. 1. Internet Protocol: IPv4 Header
  (Figure: IPv4 header layout. Annotations: length of header; total IP packet length, in octets; options for source routing, route recording, timestamping, security.)

  13. 1. Internet Protocol: IPv4 Header
  The IPv4 header, with a minimum of 20 octets (= 160 bits), has the following fields:
  ■ Version (4 bits): The value is 4, indicating the version number.
  ■ Internet Header Length (IHL) (4 bits): Length of the header in 32-bit words, so the value of IHL is at least 5.
  ■ DS/ECN (8 bits): 6 bits for DS (Differentiated Services) and 2 bits reserved for ECN (Explicit Congestion Notification).
  ■ Total Length (16 bits): Total IP packet length, in octets.
  ■ Identification (16 bits): A sequence number which, together with the source address, destination address and user protocol, is intended to identify a packet uniquely.

  14. 1. Internet Protocol: IPv4 Header
  ■ Flags (3 bits): The More bit indicates whether this is the last fragment, and the Don’t Fragment bit prohibits fragmentation when set.
  ■ Fragment Offset (13 bits): Indicates where in the original packet this fragment belongs, measured in 64-bit units.
  ■ Time to Live (TTL) (8 bits): Specifies how long, in seconds, a packet may live in the internet.
  ■ Protocol (8 bits): Identifies the type of the next header (the next higher-level protocol) in the IP payload.
  ■ Source Address (32 bits) and Destination Address (32 bits).
  ■ Options + Padding (variable): Options encoded by the sender; padding ensures the header is a multiple of 32 bits.
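As an added example (not from the slides), the following Python decodes the fields listed on slides 13 and 14 from a constructed packet and rejects headers whose Version, IHL, Total Length or checksum are inconsistent, the checks a receiver must make before trusting anything else in the packet. It also uses the 16-bit Header Checksum, a standard IPv4 field that sits between Protocol and Source Address but is not in the slide's list; the sample addresses are the slide's 147.188.191.11 and a constructed destination from the 198.51.100.0/24 documentation range.

```python
import struct

def header_checksum(hdr: bytes) -> int:
    """Ones'-complement sum of all 16-bit words (RFC 791); 0 over a header whose checksum is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields from slides 13-14 and reject inconsistent headers."""
    if len(pkt) < 20:
        raise ValueError("fewer than 20 octets: no complete IPv4 header")
    (ver_ihl, ds_ecn, total_len, ident, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} < 5: header cannot be shorter than 20 octets")
    hdr_len = ihl * 4                        # IHL counts 32-bit words
    if not (hdr_len <= total_len <= len(pkt)):
        raise ValueError("IHL / Total Length inconsistent with packet size")
    if header_checksum(pkt[:hdr_len]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version, "ihl": ihl,
        "ds": ds_ecn >> 2, "ecn": ds_ecn & 0x3,          # 6 DS bits + 2 ECN bits
        "total_length": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),       # Don't Fragment flag
        "more_fragments": bool(flags_frag & 0x2000),      # More flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,     # 13 bits in 64-bit units, here in octets
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "options": pkt[20:hdr_len],                       # empty when IHL == 5
    }

def build_sample() -> bytes:
    """Constructed 60-octet TCP/IP packet: DF set, TTL 64, 147.188.191.11 -> 198.51.100.7."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0x4000, 64, 6, 0,
                      bytes([147, 188, 191, 11]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + bytes(40)                   # dummy payload so Total Length (60) matches

if __name__ == "__main__":
    print(parse_ipv4(build_sample()))
```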

  15. 1. Internet Protocol: IPv6 Header
  (Figure: IPv6 header layout. Annotation: special handling by routers.)

  16. 1. Internet Protocol: IPv6 Header
  The fields of the IPv6 header (fixed length of 40 octets):
  ■ Version (4 bits): The value is 6.
  ■ DS/ECN (8 bits): 6 bits for DS and 2 bits reserved for ECN.
  ■ Flow Label (20 bits): Labels packets to assist resource reservation and real-time traffic processing.
  ■ Payload Length (16 bits): Length of the payload (= all extension headers + transport PDU), in octets.
  ■ Next Header (8 bits): Identifies the next header (an IPv6 extension header or a higher-layer header) in the packet.
  ■ Hop Limit (8 bits): The remaining number of allowable hops for this packet.
  ■ Source Address (128 bits) & Destination Address (128 bits).

  17. 1. Internet Protocol: IPv6 Header
  IPv6 supports the following extension headers after the IPv6 header (recommended in this order):
  ■ Hop-by-Hop Options header.
  ■ Destination Options header: Options for the intermediate routers listed in the Routing header.
  ■ Routing header: Lists a number of routers that the IP packet should visit.
  ■ Fragment header.
  ■ Authentication Header: Protects the integrity of the packet.
  ■ Encapsulating Security Payload header.
  ■ Destination Options header: Options for the final destination.

  18. 1. Internet Protocol: IPv6 Example
  (Figure: An IPv6 packet with extension headers, containing a TCP segment. Annotation: Security (IPSec) headers.)
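The packet on slide 18 is exactly what a receiver or firewall has to walk: it follows the Next Header chain from the fixed 40-octet header (slide 16) through the extension headers of slide 17 until it reaches the transport PDU. The Python below is an added example, not code from the slides; it assumes the standard IANA Next Header values and the length encodings of the extension headers (Hop-by-Hop, Routing and Destination Options count 8-octet units excluding the first 8, Fragment is fixed at 8 octets, AH counts 4-octet units minus 2), and it stops at ESP because what follows ESP is encrypted. The sample packet and its 2001:db8:: documentation-prefix addresses are constructed.

```python
import ipaddress
import struct

# Next Header / protocol numbers (IANA) for the headers on slide 17, plus TCP.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 6, 43, 44, 50, 51, 60

def walk_ipv6(pkt: bytes):
    """Follow the Next Header chain of an IPv6 packet through its extension headers.

    Returns (chain_of_extension_headers, upper_layer_protocol, offset_of_upper_layer_header).
    Hop-by-Hop, Routing and Destination Options: length in 8-octet units excluding the first 8;
    Fragment: fixed 8 octets; AH: length in 4-octet units minus 2. ESP is opaque, so the walk
    stops there and reports ESP as the upper-layer protocol."""
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack("!HB", pkt[4:7])
    if len(pkt) != 40 + payload_len:
        raise ValueError("Payload Length does not match the packet size")
    off, chain = 40, []
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if off + 8 > len(pkt):                     # every extension header is at least 8 octets
            raise ValueError(f"truncated extension header {nxt} at offset {off}")
        if nxt == FRAGMENT:
            size = 8
        elif nxt == AH:
            size = (pkt[off + 1] + 2) * 4
        else:
            size = (pkt[off + 1] + 1) * 8
        chain.append(nxt)
        nxt, off = pkt[off], off + size            # first octet of every extension header is Next Header
    if off > len(pkt):
        raise ValueError("extension header runs past the end of the packet")
    return chain, nxt, off

def build_sample() -> bytes:
    """Constructed packet: base header, Hop-by-Hop, Destination Options, Fragment, then a TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    frag = struct.pack("!BBHI", TCP, 0, 0, 0x1234)             # Next=TCP, reserved, offset/M=0, id
    padn = bytes([1, 4, 0, 0, 0, 0])                           # PadN option filling 6 octets
    dopt = bytes([FRAGMENT, 0]) + padn                         # Next=Fragment, Hdr Ext Len 0 (= 8 octets)
    hbh = bytes([DEST_OPTS, 0]) + padn                         # Next=Destination Options
    payload = hbh + dopt + frag + tcp
    base = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64)   # version 6, flow label 0
    base += ipaddress.ip_address("2001:db8::1").packed + ipaddress.ip_address("2001:db8::2").packed
    return base + payload

if __name__ == "__main__":
    print(walk_ipv6(build_sample()))
```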

  19. 2. Transport Protocols: TCP & UDP
  TCP (Transmission Control Protocol)
  ■ Applications use TCP to create reliable connections between one host and another.
  ■ TCP uses port numbers (i.e. internet sockets) to distinguish different applications.
    - Email: IMAP (port 143), POP3 (port 110), SMTP (port 25)
    - Web: HTTP (port 80), HTTPS (port 443)
    - FTP (port 21), telnet (port 23), SSH (port 22)
  ■ TCP is not appropriate for some applications:
    - Real-time applications, such as internet radio, IPTV, VoIP and online games: getting most of the data in time is more important than getting all of the data in order.
    - Simple, high-volume protocols such as DNS.

  20. 2. Transport Protocols: TCP & UDP
  UDP (User Datagram Protocol)
  ■ UDP is a lighter-weight alternative to TCP:
    - Provides application multiplexing and checksums, as TCP does.
    - But does not build streams or handle retransmission.
  ■ Like TCP, UDP uses port numbers to identify different applications:
    - Networking protocols: DHCP (port 67), routing (513, 520)
    - File serving: NFS (2049), CIFS/SMB (445)
    - Time synchronisation: NTP (123).

  21. 2. Transport Protocols: TCP & UDP
  (Figure: TCP header and UDP header layouts.)

  22. 3. Protocol Architecture & Security
  (Figure: A comparison of the OSI and TCP/IP protocol architectures.)

  23. 3. Protocol Architecture & Security

  24. 3. Protocol Architecture & Security

  25. 3. Protocol Architecture & Security
  The idea behind these architectures:
  ■ Each layer solves a set of problems involving the transmission of data:
    - A layer provides a well-defined service to the upper-layer protocols by using the services provided by the lower layers.
  ■ Upper layers are logically closer to the user and deal with more abstract data.
  ■ Lower layers are in charge of physical transmission.

  26. 3. Protocol Architecture & Security
  A natural but difficult question: At which layer should we implement security protections?

  27. 3. Protocol Architecture & Security
  ■ Application Layer Security (PGP, S/MIME etc.)
    - Most flexible, but least general.
    - Fine-grained security control for specific applications.
    - Works well with proxies and application-layer firewalls.
    - Only protects the payload, so traffic analysis is possible.
  ■ Transport Layer Security (TLS etc.)
    - Provides uniform security across applications, but is not transparent to applications and doesn’t support UDP.
    - More fine-grained than IPSec.
    - Only protects the payload, so traffic analysis is possible.
    - Doesn’t work with proxies and application-layer firewalls.

  28. 3. Protocol Architecture & Security
  ■ Network Layer Security (IPSec)
    - Most general but least flexible.
    - Transparent to applications: no need to change applications if IPSec is realized on a firewall or router, and no need to train and manage users (issuing/revoking keys).
    - Flexible policy framework, but complicated administration.
    - Provides routing security.
    - Can prevent traffic analysis.
    - Doesn’t work with proxies and application-layer firewalls.
    - Mainly designed for IPv6.
  ■ Datalink Layer Security (WiFi etc.)
    - Secures specific link protocols (e.g., wireless).

  29. Summary
  The TCP/IP Protocol Architecture
    - IPv4 and IPv6
    - TCP, UDP
    - Different layers can provide different security
  Next lectures: Continuous Assessment, IP Security (Chap. 16).
