1 04-NetworkData

1.1 Audio-recording

• Password for the Vimeo videos is in Zulip chat.
  • Part 1: 2022-03-14
    • https://vimeo.com/692412273
  • Part 2: 2022-03-16
    • https://vimeo.com/692412426
    • https://vimeo.com/692412536
  • ra01: 2022-03-21
    • https://vimeo.com/692413368
  • Part 3: 2022-03-23
    • https://vimeo.com/692412625
    • https://vimeo.com/692412834
  • Part 4: 2022-03-25
    • https://vimeo.com/692413021
    • https://vimeo.com/692413201
  • Part 5: 2022-04-04
    • https://vimeo.com/696706423
    • https://vimeo.com/696706548
  • Part 6: 2022-04-06
    • https://vimeo.com/696706677
    • https://vimeo.com/696706786
• Tip: If anyone want to speed up the lecture videos a little, inspect the page, go to the browser console, and paste this in: document.querySelector('video').playbackRate = 1.2

1.2 Opening thoughts

Port number is a form of address from the the layer just above,
that we just finished (the transport layer).
https://en.wikipedia.org/wiki/Port_(computer_networking)

IP address (those above in image) is the layer we’re doing now (the network layer)
https://en.wikipedia.org/wiki/IP_address

MAC address (the hex address last sent in image above)
is the next layer down that we will do next (the link layer).
https://en.wikipedia.org/wiki/MAC_address

Reminder (look back at section on encapsulation and layering after completing every layer):
01-Overview.html

1.3 More reading

• https://www.homenethowto.com/basics/dns-linking-names-with-ip-addresses/

https://www.computer-networking.info/1st/html/network/network.html
https://www.computer-networking.info/2nd/html/protocols/ipv6.html
https://www.computer-networking.info/2nd/html/protocols/ipv6b.html

http://intronetworks.cs.luc.edu/current/uhtml/intro.html#ip-internet-protocol
http://intronetworks.cs.luc.edu/current/uhtml/ipv4.html
http://intronetworks.cs.luc.edu/current/uhtml/ipv6a.html
http://intronetworks.cs.luc.edu/current/uhtml/ipv6b.html

https://en.wikipedia.org/wiki/Network_layer
https://en.wikipedia.org/wiki/Internet_layer
https://en.wikipedia.org/wiki/Internet_Protocol
https://en.wikipedia.org/wiki/IP_address

1.4 Introduction

Previous-Previous: Application headers (data from this perspective)
Previous: transport header (Example is UDP in diagram, but could be TCP)
Now: IP header
Next: Data link framing
Next-Next: Physical layer

1.4.1 Scope

• Data from the transport layer above is passed to network layer.
• Reminder: TCP and UDP had source IP and destination IP in checksum pseudo-header.

Network layer is hard to upgrade or change (it’s everywhere)!

• Goal: to transport segment from sending to receiving host
• On sending side, encapsulates segments into datagrams
• On receiving side, process datagrams, and then deliver segments to transport layer
• Network layer protocols exist in every host and router.
• Routers examine header fields in all IP datagrams passing through, potentially re-writing and editing them.

1.4.1.1 Forwarding and routing

Role of the network layer is simple, to move packets from a sending host to a receiving host.

Two important network-layer functions can be identified:

1.4.1.1.1 1. Forwarding

• When a packet arrives at a router’s input link, the router must move the packet to the appropriate output link.
• For example, a packet arriving from Host H1 to Router R1 must be forwarded to the next router on a path to H2.
• This is a fast, momentary “decision” about where to launch the packet.
• The decision is made by consulting a pre-computed table.

1.4.1.1.2 2. Routing

• The network layer must also build the tables used by the forwarding step.
• This table determines the route, or path taken by packets, as they flow from a sender to a receiver.
• The algorithms that calculate these paths are referred to as routing algorithms.
• A routing algorithm would use network graph information to determine these tables, and thus, a path along which packets flow from Host1 to Host2.

+++++++++++++++++++++ Cahoot-04-1

1.4.1.2 Data plane and control plane

We divide the network layer based on these functions.

1.4.1.2.1 Data plane

• local, per-router function
• determines how datagram arriving on router input port is forwarded to router output port
• forwarding function

1.4.1.2.2 Control plane

• network-wide logic
• determines how datagram is routed among routers along end-end path from source host to destination host
• two control-plane approaches:
  1. traditional routing algorithms: implemented in routers
  2. software-defined networking (SDN): implemented in (remote) servers

+++++++++++++++++++++ Cahoot-04-2

1.4.2 Preview: Link interface (next layer down)

A quick forward-reference:
ARP (Address Resolution Protocol) queries use a know IP address to lookup a MAC address (link layer address),
so that a switch (data-link layer 2 device that routes based on MAC address) can send directly to an interface by saying:

“Hey all on the mac layer, whoever has this IP address, what is their MAC address?”

1.4.3 IPv4 address (more to come below)

1.4.4 Routing algorithms build forwarding tables

Every router has a forwarding table.
A router forwards a packet by examining the value of the IP field in the arriving packet’s header,
and then using this header value to index into the router’s forwarding table.
The value stored in the forwarding table entry for that header indicates the router’s outgoing link interface,
to which that packet is to be forwarded.
Note: the diagram immediately below is idealized to have a short bit chunk, but the principles are the same for real IP addresses:

Routing sets up these forwarding tables.
The routing algorithm to determine tables may be centralized (e.g., with an algorithm executing on a central site and downloading routing information to each of the routers) or decentralized (i.e., with a piece of the distributed routing algorithm running in each router).
In either case, a router receives routing protocol messages, which are used to configure its forwarding table.

1.4.4.1 Classic vs. Software defined network (SDN)

1.4.4.1.1 Classic

Individual routing algorithm components in each and every router interact in the control plane.

1.4.4.1.2 SDN

A distinct (typically remote) controller interacts with local control agents (CAs).

1.4.5 Datagram networks

In a datagram network, each time an end system wants to send a packet, it stamps the packet with the address of the destination end system, and then pops the packet into the network.

1.4.5.1 Datagram packet routing

• As a packet is transmitted from source to destination, it passes through a series of routers.
• Each of these routers uses the packet’s destination IP address to forward the packet.
• Specifically, each router has a forwarding table that maps destination IP addresses to link interfaces
  • Consider the network interface card (NIC) in your computer.
• When a packet arrives at a router, that router uses the packet’s destination IP address to look up the appropriate output link interface in the forwarding table.
• The router then forwards the packet to that output link interface.

1.4.5.2 Routing tables

Suppose that our router has four links, numbered 0 through 3, and that packets are to be forwarded to the link interfaces as follows:

Important points to ponder:
If IP addresses are sold in blocks, where might ranges end up, geographically?
If ranges of addresses are re-sold, where might they end up?
Why can a match in the routing table be shorter than an IP address itself?
Why should it be?
Why do we match the longest prefix?

1.4.5.2.1 Longest prefix match

When there are multiple matches, the router uses the longest prefix matching rule.
That is, it finds the longest matching entry in the table and forwards the packet to the link interface associated with the longest prefix match.

+++++++++++++++++++++ Cahoot-04-3

1.5 Router internals

• Router architecture
• Routing and management functions are collectively referred to as the router control plane.
• Control plane is usually implemented in software, and executes on the routing processor (typically a traditional CPU)
• Millisecond time range:

• Forwarding functions are collectively referred to as the router forwarding plane.
• Often implemented in application-specific hardware.
• Nanosecond time range

1.5.1 Input ports

• Inputs are a physical layer function, terminating an incoming physical link
• Link-layer functions needed to interoperate with the link layer at the incoming link.
• Lookup function is also performed at the input port.
  • This will occur in the rightmost box of the input port.
• It is here that the forwarding table is consulted to determine the router output port to which an arriving data packet will be forwarded via the switching fabric to an output port.
• On the other hand, control packets, carrying routing protocol information, are forwarded from an input port to the routing processor.
• The term port here, is referring to the physical input and output router interfaces, is different from the software ports associated with network applications and sockets.

1.5.2 Switching fabric

The switching fabric connects the router’s input ports to its output ports.
This switching fabric is completely contained within the router,
a network inside of a network router!

1.5.3 Output ports

• Stores packets received from the switching fabric and transmits these packets on the outgoing link by performing the necessary link-layer to physical-layer functions.
• When a link is bidirectional (that is, carries traffic in both directions), an output port will typically be paired with the input port for that link
• Buffering is required when datagrams arrive from the switch fabric faster than the output transmission rate.
• “Scheduling discipline” chooses among queued datagrams for transmission:
  • FIFO (first in first out)
  • Priority queue (could be pay $, think net neutrality)
  • Round robin (rotating queue)
  • Weighted fair queuing (WFQ)
• If queues are full, Datagram (packets) can be lost due to congestion, lack of buffers.
• Priority scheduling: who gets best performance, network neutrality?

1.5.4 Routing processor

The routing processor executes the routing protocols,
maintains routing tables and attached link state information,
and computes the forwarding table for the router.
It also performs the network management functions.

1.5.5 Input processing

The lookup performed in the input port is central to the router’s operation.
It is here that the router uses the forwarding table, to look up the output port,
to which an arriving packet will be forwarded via the switching fabric.
The forwarding table is computed and updated by the routing processor,
with a shadow copy typically stored at each input port.
Each input port searches through the forwarding table looking for the longest prefix match
Once a packet’s output port has been determined via the lookup,
the packet can be sent into the switching fabric.

1.5.6 Switching

Switching architecture variations:

Which is fastest?

1.5.7 Output processing

Takes packets that have been stored in the output port’s memory and transmits them over the output link.
This includes selecting and de-queueing packets for transmission,
and performing the needed link-layer to physical-layer transmission functions.

1.5.8 Queuing

As queues grow large, the router’s memory can eventually be exhausted and packet loss will occur when no memory is available to store arriving packets.

Output port queuing:

Head of line (HOL) blocking in input queuing

1.5.9 Router control plane (more to come)

1.5.10 Queuing

1.5.10.0.1 FIFO

first-in-first out

1.5.10.0.2 Priority queue

Who determines priority?

1.5.10.0.3 Round-robin and weighted fair queuing

1.6 Architecture

Network layer components

1.6.1 IP addresses in routers

• The boundary between the host and the physical link is called an interface.
• The boundary between the router and any one of its links is also called an interface.
• A router thus has multiple interfaces, one for each of its links.
• Every host and router is capable of sending and receiving IP datagrams, and thus IP requires each host and router interface to have its own IP address.
• An IP address is technically associated with an interface, rather than with the host or router containing that interface.

Show some virtual interfaces.
What does Wireshark do with these?

+++++++++++++++++++++ Cahoot-04-4

1.7 IPv4 datagram

https://en.m.wikipedia.org/wiki/IPv4

I tried to come up with an IPv4 joke,
but the good ones were all already exhausted.

1.7.1 IPv4 address

1.7.2 Examples

1.2.3.4 corresponds to 00000001 00000010 00000011 00000100
127.0.0.1 corresponds to 01111111 00000000 00000000 00000001
255.255.255.255 corresponds to 11111111 11111111 11111111 11111111

1.7.3 IPv4 Datagram header

• Version number
  • 4 bits specify the IP protocol version of the datagram.
  • Router can determine how to interpret the remainder of the IP datagram.
  • Different versions of IP use different datagram formats.
• Header length
  • Because an IPv4 datagram can contain a variable number of options (which are included in the IPv4 datagram header), these 4 bits are needed to determine where in the IP datagram the data actually begins.
  • Most IP datagrams do not contain options, so the typical IP datagram has a 20-byte header.
• Type of service
  • included in the IPv4 header to allow different types of IP datagrams (for example, datagrams particularly requiring low delay, high throughput, or reliability) to be distinguished from each other.
  • For example, it might be useful to distinguish real-time datagrams (such as those used by an IP telephony application) from non-real-time traffic (for example, FTP).
• Datagram length
  • total length of the IP datagram (header plus data), measured in bytes.
  • Datagrams are rarely larger than 1,500 bytes.
• Identifier, flags, fragmentation offset
  • These three fields have to do with so-called IP fragmentation.
• Time-to-live
  • included to ensure that datagrams do not circulate forever (due to, for example, a long-lived routing loop)
  • Decremented by one each time the datagram is processed by a router.
  • If the TTL field reaches 0, the datagram must be dropped.
• Protocol
  • Intended to be used only when an IP datagram reaches its final destination.
  • Value of this field indicates the specific transport-layer protocol to which the data portion of this IP datagram should be passed.
  • For example, a value of 6 indicates that the data portion is passed to TCP, while a value of 17 indicates that the data is passed to UDP.
• Header checksum
  • aids a router in detecting bit errors in a received IP datagram.
• Source and destination IP addresses
  • When a source creates a datagram, it inserts its IP address into the source IP address field and inserts the address of the ultimate destination into the destination IP address field.
  • Often the source host determines the destination address via a DNS lookup.
• Options
  • allow an IP header to be extended.
  • Header options were meant to be used rarely.
• Data (payload)
  • In most circumstances, the data field of the IP datagram contains the transport-layer segment to be delivered to the destination.
• Total of 20 bytes of header (assuming no options).
• If the datagram carries a TCP segment, then each (nonfragmented) datagram carries a total of 40 bytes of header (20 bytes of IP header plus 20 bytes of TCP header) along with message.

IPv4 Datagram header details

• Version
  • The first header field in an IP packet is the four-bit version field.
• Internet Header Length (IHL)
  • The Internet Header Length (IHL) field has 4 bits, which is the number of 32-bit words.
  • Since an IPv4 header may contain a variable number of options, this field specifies the size of the header (this also coincides with the offset to the data).
• Differentiated Services Code Point (DSCP)
  • Originally defined as the Type of service (ToS) field.
  • An example is Voice over IP (VoIP), which is used for interactive data voice exchange.
• Explicit Congestion Notification (ECN)
  • This field is defined in RFC 3168 and allows end-to-end notification of network congestion without dropping packets.
  • ECN is an optional feature that is only used when both endpoints support it and are willing to use it.
  • It is only effective when supported by the underlying network.
• Total Length
  • This 16-bit field defines the entire packet size in bytes, including header and data.
  • The minimum size is 20 bytes (header without data) and the maximum is 65,535 bytes.
  • All hosts are required to be able to reassemble datagrams of size up to 576 bytes, but most modern hosts handle much larger packets.
  • Sometimes links impose further restrictions on the packet size, in which case datagrams must be fragmented.
  • Fragmentation in IPv4 is handled in either the host or in routers.
• Identification
  • This field is an identification field and is primarily used for uniquely identifying the group of fragments of a single IP datagram.
• Flags
  • A three-bit field follows and is used to control or identify fragments.
• Fragment Offset
  • The fragment offset field is measured in units of eight-byte blocks.
  • It is 13 bits long and specifies the offset of a particular fragment relative to the beginning of the original un-fragmented IP datagram.
• Time To Live (TTL)
  • An eight-bit time to live field helps prevent datagrams from persisting (e.g. going in circles) on an internet.
  • It is specified in seconds, but time intervals less than 1 second are rounded up to 1.
  • In practice, the field has become a hop count when the datagram arrives at a router, the router decrements the TTL field by one.
  • When the TTL field hits zero, the router discards the packet and typically sends an ICMP Time Exceeded message to the sender.
  • The program traceroute uses these ICMP Time Exceeded messages to print the routers used by packets to go from the source to the destination.
• Protocol
  • This field defines the protocol used in the data portion of the IP datagram, e.g., TCP, UDP, etc.
• Header Checksum
  • The 16-bit checksum field is used for error-checking of the header.
  • When a packet arrives at a router, the router calculates the checksum of the header and compares it to the checksum field.
  • If the values do not match, the router discards the packet.
  • Errors in the data field must be handled by the encapsulated protocol.
• Source address
  • This field is the IPv4 address of the sender of the packet. Note that this address may be changed in transit by a network address translation device.
• Destination address
  • This field is the IPv4 address of the receiver of the packet. As with the source address, this may be changed in transit by a network address translation device.
• Options
  • The options field is not often used.
• Data
  • The data portion of the packet is not included in the packet checksum.
  • Its contents are interpreted based on the value of the Protocol header field.

+++++++++++++++ Cahoot-04-5

1.7.4 IPv4 fragmentation

https://lwn.net/Articles/960913/
Identification is the same per-segment.
Offset identifies the fragments for each segment.

1.7.5 IPv4 address

2³² = 4,294,967,296

…about 4.3 billion addresses is not that many.

1.8 Interface addresses and sub-nets

Three separate sub-networks (sub-nets) each has it’s own block of IP addresses:

Put more routers in the middle, and it’s like the internet:

1.8.1 Sub-net addressing

Hierarchically divide IP addresses and networks:
To determine the sub-nets, detach each interface from its host or router,
creating islands of isolated networks,
with interfaces terminating the end points of the isolated networks.
Each of these isolated networks is called a sub-net.

1.8.1.1 Sub-networks

https://en.wikipedia.org/wiki/sub-network

The old way of hierarchically dividing up IP addresses:
https://en.wikipedia.org/wiki/Classful_network
where the IP address is divided up into:
n is the network portion
H is the host portion

Above, the general pattern is illustrated with the n and H, but the particular ranges of IP addresses are those arbitrarily actually assigned to the world by ICANN.

Above, this table not only illustrates the general pattern, but also the specific more arbitrary ranges assigned to the world by ICANN.

Columns that are general:

• Leading bits
• Size of network number bit field
• Size of rest bit field
• Addresses per network
• Default sub-net mask
• CIDR notation

Columns that are particular to the actual arbitrary real assignment

• Number of networks
• Total addresses in class
• Start address
• End address

1.8.1.2 CIDR

• The routing prefix may be written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix.
• For example, 198.51.100.0/24 is the prefix of the Internet Protocol version 4 network starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing.
  • Addresses in the range 198.51.100.0 to 198.51.100.255 belong to this network.
    
    The newer
    https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
    replaced this older system:

because it was too classy and stiff…

• CIDR: Classless Inter-Domain Routing
• Variable-length sub-net masking (VLSM) technique, which allows the specification of arbitrary-length prefixes.
• CIDR introduced a new method of representation for IP addresses, now commonly known as CIDR notation, in which an address or routing prefix is written with a suffix indicating the number of bits of the prefix, such as 192.0.2.0/24
• sub-net portion of address of arbitrary length
• address format: a.b.c.d/x, where x is # bits in sub-net portion of address

++++++++++++++++++++++++++ Cahoot-04-6

1.8.1.3 Sub-net mask

You may have understood this in integer encoding:

Sub-net masks are often expressed in dot-decimal notation like an address.
For example, 255.255.255.0 is the sub-net mask for the prefix 198.51.100.0/24.

But, sub-net masks really make sense when you think about IP addresses in binary encoding:
For IPv4, a network may also be characterized by its sub-net mask or netmask.
This is a binary trick, to illustrate the h.N pattern.
Functionally, it ends up cleaving the IP address into two parts, the leading network portion, and the trailing host portion.

Specifically, it is a bitmask applied by a bitwise AND operation,
to any IP address in the network, yielding the routing prefix (see below).

Example 1 on a full class sub-net:

Example 2 on a partial CIDR sub-net.

In summary:

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks

++++++++++++++++++++++++++++++++ Cahoot-04-7

1.8.1.4 Special addresses

https://en.wikipedia.org/wiki/IPv4#Special-use_addresses
(check this out in class)

1.8.1.4.1 Loopback / localhost

There is no place like 127.0.0.1

https://en.wikipedia.org/wiki/Localhost

• IPv4 network standards reserve the entire address block 127.0.0.0/8 (more than 16 million addresses) for loopback purposes…
• That means any packet sent to any of those addresses is looped back.
• The address 127.0.0.1 is the standard address for IPv4 loopback traffic.
  • The rest are not supported by all operating systems.
  • However they can be used to set up multiple server applications on the host, all listening on the same port number.
• The IPv6 standard assigns only a single address for loopback, ::1
• The resolution of the name localhost to one or more IP addresses is normally configured by the following lines in the operating system’s hosts file /etc/hosts (view mine):

vim /etc/hosts
127.0.0.1 localhost
::1 localhost

Last row above is IPv6 shorthand (more below).

1.8.1.4.2 Broadcast and addresses ending in 0 or 255

• 255.255.255.255 is used for broadcast transmission to all hosts on a link.
• IPv4 uses this all-ones (in binary) host address
• It is the last address within a network.
• The number of sub-networks available, and the number of possible hosts in a network may be readily calculated.
• In the example (below) two bits were borrowed to create sub-networks, thus creating 4 (2²) possible sub-nets.
  

1.8.1.4.3 Private addresses

192.168.0.1 jokes are best told in private…

• 24-bit block 10.0.0.0/8 10.0.0.0 10.255.255.255 16777216 Single Class A.
• 20-bit block 172.16.0.0/12 172.16.0.0 172.31.255.255 1048576 Contiguous range of 16 Class B blocks.
• 16-bit block 192.168.0.0/16 192.168.0.0 192.168.255.255 65536 Contiguous range of 256 Class C blocks.

You can do whatever you want with these on your private network, e.g., at home.

1.8.1.4.4 Link-local addresses

• RFC 3927 defines the special address block 169.254.0.0/16 for link-local addressing.
• These addresses are only valid on the link (such as a local network segment or point-to-point connection) directly connected to a host that uses them.
• These addresses are not routable.
• Like private addresses, these addresses cannot be the source or destination of packets traversing the internet.
• These addresses are primarily used for address auto-configuration (Zeroconf) when a host cannot obtain an IP address from a DHCP server or other internal configuration methods.

+++++++++++++++++++ Cahoot-04-8

1.9 Obtaining IP addresses

An IPv4 address walks into a bar and yells,
“Bartender! Give me a cidr, I’m exhausted!”

• ISPs provides addresses from a larger block of addresses that had already been allocated to that ISP.
• For example, the ISP may itself have been allocated the address block 200.23.16.0/20.
• The ISP, in turn, could divide its address block into eight equal-sized contiguous address blocks, and give one of these address blocks out to each of up to eight organizations that are supported by this ISP, as shown below.
  • (underlined the sub-net part of these addresses for your convenience.)

There are eight /23 sub-nets in one /20 sub-net (3 bits consumed, 2**3=8)

1.9.1 Allocation

https://en.wikipedia.org/wiki/ICANN
The IP address space is managed globally by the Internet Assigned Numbers Authority (IANA),
and by five regional Internet registries (RIR) responsible in their designated territories,
for assignment to end users and local Internet registries, such as Internet service providers.
ICANN assigns blocks to ISPs, regions, countries, etc.
Companies (including ISPs) buy and sell them.
ISPs assign them to consumers or other businesses.

1.9.1.1 Hierarchy in practice

After a company re-selling a block:

Ask: What happens when the ranges are not nicely divided?

Didn’t we run out of IPv4 jokes?

1.9.1.2 IPv4 space exhaustion

https://en.wikipedia.org/wiki/IPv4_address_exhaustion

The top-level exhaustion occurred on 31 January 2011.

The consequence of the above, with longest-prefix matching is:

Evolution of the size of the routing tables on the Internet (Jul 1988- Dec 1992 - source : RFC 1518)

and more modern:

1.9.1.2.1 Solutions

Some mitigation efforts and technologies include:

• use of network address translation (NAT)[18] which allows a private network to use one public IP address and permitting private addresses in the private network;
• use of private network addressing;[19]
• name-based virtual hosting of web sites;
• tighter control by regional Internet registries on the allocation of addresses to local Internet registries;
• network renumbering and subnetting to reclaim large blocks of address space allocated in the early days of the Internet, when the Internet used inefficient classful network addressing.
• IPv6 to the rescue (more below)!

1.9.2 Dynamic Host Configuration Protocol (DHCP)

https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
* [ ] https://www.homenethowto.com/basics/giving-the-computer-an-ip-address/

Client-server
When logging into a network, how does an interface get an IP address?

Either:
1. Hard coded by sys-admin
2. DHCP

Goal: Allow host to dynamically obtain its IP address from network server when it joins network.
Host can also renew its lease on an address in use.
Allows reuse of retired addresses (only hold address while connected/“on”).

DHCP is a client-server protocol:

• Host broadcasts “DHCP discover” msg [optional]
• DHCP server responds with “DHCP offer” msg [optional]
• Host requests IP address: “DHCP request” msg
• DHCP server sends address: “DHCP ack” msg

1.9.2.1 DHCP process

1. DHCP discover message, which a client sends within a UDP packet to port 67, broadcast
2. A DHCP server receiving a DHCP discover message responds to the client with a DHCP offer message that is broadcast to all nodes on the sub-net, again using the IP broadcast address of 255.255.255.255.
3. DHCP request. The newly arriving client will choose from among one or more server offers and respond to its selected offer with a DHCP request message, echoing back the configuration parameters.
4. DHCP ACK. The server responds to the DHCP request message with a DHCP ACK message, confirming the requested parameters.

DHCP query response

In addition to host IP address assignment,
DHCP also allows a host to learn additional information, such as its:
subnet mask (indicating network versus host portion of address),
the address of its first-hop router (often called the default gateway), and
the address of its local DNS server.

1.9.2.2 Example

• Connecting laptop needs its IP address, addr of first-hop router, addr of DNS server: use DHCP
• DHCP request encapsulated in UDP, encapsulated in IP, encapsulated in 802.1 Ethernet
• Ethernet frame broadcast (dest: FFFFFFFFFFFF) on LAN, received at router running DHCP server
• Ethernet demuxed to IP demuxed, UDP demuxed to DHCP
• DCP server formulates DHCP ACK containing client’s IP address, IP address of first-hop router for client, name and IP address of DNS server
• encapsulation of DHCP server, frame forwarded to client, demuxing up to DHCP at client
• client now knows its IP address, name and IP address of DSN server, IP address of its first-hop router

DHCP provides an IP address, and also usually more, including:

• IP address

• Subnet Mask

• IP address of a Default Gateway (router)

• IP address of a DNS server

• Include DHCP wireshark lab demo here next time.

  • use existing capture file.

1.10 MiddleBoxes

https://en.wikipedia.org/wiki/Middlebox#Criticism_and_challenges
“Middleboxes have generated technical challenges for application development and have incurred scorn and dismay in the network architecture community for violating the end-to-end principle of computer system design.”

Some types of middlebox covered here:

1. Firewall, IPS, IDS
2. NAT
3. Remote generalized SDN / Deep Packet Inspectors (DPI)
4. Load balancers

1.10.1 (1) Firewall, IPS, IDS

The first middlebox is:

1.10.1.0.1 Firewall (more later)

• The first firewalls included configurable packet filters.
• A packet filter is a set of rules defining the security policy of a network.
• In practice, these rules are based on the values of fields in the IP or transport layer headers.
• Any field of the IP or transport header can be used in a firewall rule, but the most common ones are:
  • filter on the source address. For example, a company may decide to discard all packets received from one of its competitors. In this case, all packets whose source address belong to the competitor’s address block would be rejected
  • filter on destination address. For example, the hosts of the research lab of a company may receive packets from the global Internet, but not the hosts of the financial department
  • filter on the Protocol number found in the IP header. For example, a company may only allow its hosts to use TCP or UDP, but not other, more experimental, transport protocols
  • filter on the TCP or UDP port numbers. For example, only the DNS server of a company should received UDP segments whose destination port is set to 53 or only the official SMTP servers of the company can send TCP segments whose source ports are set to 25
  • filter on the TCP flags. For example, a simple solution to prohibit external hosts from opening TCP connections with hosts inside the company is to discard all TCP segments received from the external interface with only the SYN flag set.
• Such firewalls are often called stateless firewalls because they do not maintain any state about the TCP connections that pass through them.
• Another type of firewalls are stateful firewalls.
• A stateful firewall tracks the state of each TCP connection passing through it and maintains a TCB for each of these TCP connection.
• This TCB allows it to reassemble the received segments in order to extract their payload and perform verifications in the application layer.
• Some firewalls are able to inspect the URLs accessed using HTTP and log all URLs visited or block TCP connections where a dangerous URL is exchanged.
• Some firewalls can verify that SMTP commands are used when a TCP connection is established on port 25 or that a TCP connection on port 80 carries HTTP commands and responses.

1.10.1.0.2 IDS

• Intrusion detection system
• Additional protection can be provided with an IDS.
• An IDS, typically situated at the network boundary, performs “deep packet inspection,” examining not only header fields but also the payloads in the datagram (including application-layer data).
• An IDS has a database of packet signatures that are known to be part of attacks.
• This database is automatically updated as new attacks are discovered.
• As packets pass through the IDS, the IDS attempts to match header fields and payloads to the signatures in its signature data-base.
• If such a match is found, an alert is created.

1.10.1.0.3 IPS

• An intrusion prevention system (IPS) is similar to an IDS, except that it actually blocks packets in addition to creating alerts.

1.10.2 (2) Network address translation (NAT)

The second middlebox is:

https://en.m.wikipedia.org/wiki/Network_address_translation

Network Address Translation (NAT) was proposed in [TE1993] and RFC 3022 as a short term solution to deal with the expected shortage of IPv4 addresses in the late 1980s - early 1990s.

• https://www.homenethowto.com/ports-and-nat/
• https://www.homenethowto.com/advanced-topics/ports-tcp-and-udp-in-depth/
• https://www.homenethowto.com/advanced-topics/address-translation-complete-picture/

1.10.2.1 Motivation

Local network uses just one IP address as far as outside world is concerned:

• range of addresses not needed from ISP: just one IP address for all devices
• can change addresses of devices in local network without notifying outside world
• can change ISP without changing addresses of devices in local network
• devices inside local net not explicitly addressable, visible by outside world (a security plus)

1.10.2.2 Process

NAT router must:

• Outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)
  • . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr
• remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
• incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table

1.10.2.3 Details

• NAT router behaves to the outside world as a single device with a single IP address, matching external ports to internal network IP/port combinations
• 10.0.0/8 is reserved by RFC as private network or real with private address
  
• What are problems with NAT?
• What are middleboxes? (this is usually a derogatory term)
• Network-layer devices that overstep their bounds: NAT, load balancing of traffic flow, firewalling, etc.,
• Wait, isn’t this just SDN, overzealous middleboxes??

1.10.2.4 Summary

• 16-bit port-number field:
  • 60,000 simultaneous connections with a single LAN-side address!
• NAT is controversial:
  • routers should only process up to layer 3
  • address shortage should be solved by IPv6
  • violates end-to-end argument
    • NAT possibility must be taken into account by app designers, e.g., P2P applications
  • NAT traversal
    • what if client wants to connect to server behind NAT?

1.10.2.4.1 Wireshark NAT

• Wireshark nat lab demo here next year

1.10.3 (3) Generalized forwarding and software defined networking (SDN)

The third middlebox is:
https://en.wikipedia.org/wiki/Software-defined_networking
For example:
https://en.wikipedia.org/wiki/OpenFlow

Packets can be routed based on arbitrary header content (think firewalls above).
SDN can route packets based on application, data-link, transport, or any layer data,
for managing traffic, security, payment, or whatever else desired.

1.10.4 (4) Load balancers

https://en.wikipedia.org/wiki/Load_balancing_(computing)#Internet-based_services

+++++++++++++++++++++++ Cahoot-04-9

1.11 IPv6

https://en.m.wikipedia.org/wiki/IPv6

I heard this really great IPv6 joke,
but I just don’t think you’re ready for it.

IPv6 streamlined the protocol, eliminating work for core routers, deferring that work to the periphery.
For example, IPv6 does not calculate checksums or fragmentation.
This supports the:
https://en.wikipedia.org/wiki/End-to-end_principle

1.11.1 IPv6 address format

**The sad thing about IPv6 jokes,**
**is that almost no one understands them,**
**and no one is using them yet.**

Examples
2001:db8:0:0:8:800:200c:417a is represented as 2001:db8::8:800:200c:417a
ff01:0:0:0:0:0:0:101 is represented as ff01::101
0:0:0:0:0:0:0:1 is represented as ::1
0:0:0:0:0:0:0:0 is represented as ::

1.11.1.1 But the “:” is used for port number!

• Colon (:) characters in IPv6 addresses may conflict with the established syntax of resource identifiers, such as URIs and URLs.
• The colon is conventionally used to terminate the host path before a port number.
• To alleviate this conflict, literal IPv6 addresses are enclosed in square brackets in such resource identifiers.

For example, an IPv6 address typed into your web browser:
http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/

When the URL also contains a port number the notation is:
https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/
where the trailing 443 is the example’s port number.

1.11.2 IPv6 Datagram header

https://en.wikipedia.org/wiki/IPv6_packet

1.11.2.1 Expanded addressing capabilities:

Size and type of addresses were updated.

1.11.2.1.1 Size of address

• IPv6 increases the potential size of the IP address range from 32 to 128 bits.
• This ensures that the world won’t run out of IP addresses.
• Now, every grain of sand, toaster, and television on the planet can be IP-addressable!

1.11.2.1.2 Addressing methods (scope of address)

Unicast:
* address identifies a single network interface.
* The Internet Protocol delivers packets sent to a unicast address to that specific interface.
* Unicast also exists in IPv4

Multicast:
* address is also used by multiple hosts that acquire the multicast address destination by participating in the multicast distribution protocol among the network routers.
* A packet that is sent to a multicast address is delivered to all interfaces that have joined the corresponding multicast group.
* IPv6 does not implement broadcast addressing.
* Broadcast’s traditional role is subsumed by multicast addressing to the all-nodes link-local multicast group ff02::1.
* However, the use of the all-nodes group is not recommended, and most IPv6 protocols use a dedicated link-local multicast group to avoid disturbing every interface in the network.
* Multicast also exists in IPv4

Anycast
* IPv6 introduced a new type of address, called an anycast address, which allows a datagram to be delivered to any one of a group of hosts.
* This feature could be used, for example, to send an HTTP GET to the nearest of a number of mirror sites that contain a given document.

1.11.2.2 A streamlined 40-byte header:

• A number of IPv4 fields have been dropped or made optional.
• The resulting 40-byte fixed-length header allows for faster processing of the IP datagram.
• A new encoding of options allows for more flexible options processing.

1.11.2.3 Flow labeling and priority:

• IPv6 has an elusive definition of a flow.
• RFC 1752 and RFC 2460 state that this allows “labeling of packets belonging to particular flows for which the sender requests special handling, such as a non-default quality of service or real-time service.”
• For example, audio and video transmission might likely be treated as a “flow”.
• On the other hand, the more traditional applications, such as file transfer and e-mail, might not be treated as flows.
• It is possible that the field could indicate traffic carried by a high-priority user.
  • For example, someone paying for better service for their traffic, might also be treated as a flow.

The following fields are defined in IPv6:

Version
* This 4-bit field identifies the IP version number.
* Not surprisingly, IPv6 carries a value of 6 in this field.
* Note that putting a 4 in this field does not create a valid IPv4 datagram.
* If it did, life would be a lot simpler… see the discussion below regarding the transition from IPv4 to IPv6.
Traffic class
* This 8-bit field is similar to the TOS field we saw in IPv4.

Flow label
* As discussed above, this 20-bit field is used to identify a flow of datagrams.

Payload length
* This 16-bit value is treated as an unsigned integer
* It is the number of bytes in the IPv6 datagram, following the fixed-length, 40-byte datagram header.

Next header
* This field identifies the protocol to which the contents (data field) of this datagram will be delivered (for example, to TCP or UDP).
* The field uses the same values as the protocol field in the IPv4 header.
* This field usually specifies the transport layer protocol used by a packet’s payload.
* When extension headers are present in the packet this field indicates which extension header follows.
* The values are shared with those used for the IPv4 protocol field, as both fields have the same function (see List of IP protocol numbers)
* The next header enables a neat extensibility:
* extra headers, like IPsec, or others, can be layered between IP and the Transport layer above (UDP/TCP):
* https://en.wikipedia.org/wiki/IPsec

Hop limit
* The contents of this field are decremented by one by each router that forwards the datagram.
* If the hop limit count reaches zero, the datagram is discarded.
* This is better named than the IPv4 TTL field, which was really hop-limit anyway.

Source and destination addresses
* The various formats of the IPv6 128-bit address are described in RFC 4291.

Data
* This is the payload portion of the IPv6 datagram.
* When the datagram reaches its destination, the payload will be removed from the IP datagram and passed on to the protocol specified in the next header field.

IPv6 Datagram header details

1.11.3 IPv6 sub-net addressing

Structure of IPv6 unicast addresses:

An IPv6 unicast address is composed of three chunks:
1. A global routing prefix that is assigned to the Internet Service Provider that owns this block of addresses
2. A subnet identifier that identifies a customer of the ISP
3. An interface identifier that identifies a particular interface on an endsystem
* Interface identifiers are always 64 bits wide.
* This implies that, while there are 2¹²⁸ different IPv6 addresses, they must be grouped in 2⁶⁴ subnets.
* This could appear as a waste of resources
* However, using 64 bits for the host identifier allows IPv6 addresses to be auto-configured, and also provides some benefits from a security point of view, as explained in section ICMPv6.
* Given an address size of 128 bits, an IPv6 address therefore usually has a /64 routing prefix
* 128 - 64 = 64 most significant bits
* The standard sub-nets are /64

Example of dividing up subnets:

Each “site” would have 2¹⁶ subnets, where each subnet is 2⁶⁴ large.

1.11.4 Obtaining an address

1.11.4.1 Allocation?

Same as with IPv4 above: super-governmental agencies and companies assign them, and they are re-sold.

1.11.4.2 When joining a network?

https://en.wikipedia.org/wiki/IPv6_address#Stateless_address_autoconfiguration

1.11.4.2.1 Link local

• Each interface has a link local address (below).
• On OS-network system startup, a node automatically creates a link-local address on each IPv6-enabled interface, even if globally routable addresses are manually configured or obtained via other configuration protocols.

1.11.4.2.2 DHCP vs Neighbor discover protocol

https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
https://en.wikipedia.org/wiki/DHCPv6

In IPv4, typical “configuration protocols” include DHCP or PPP.

For IPv6, DHCPv6 exists, but IPv6 hosts normally use the Neighbor Discovery Protocol (NDP) to create a globally routable unicast address.
* The host sends router solicitation requests, and an IPv6 router responds with a prefix assignment
* NDP defines five ICMPv6 packet types for the purpose of
* router solicitation,
* router advertisement,
* neighbor solicitation,
* neighbor advertisement, and
* network redirects (like ARP next layer down).

1.11.4.2.3 Modified EUI-64 addresses

• For a globally routeable anycast address, as mentioned earlier, most IPv6 addresses can be divided into a 64-bit network prefix and a 64-bit “host” portion, the latter corresponding to the “host” bits of an IPv4 address.
• These host-portion bits are known officially as the interface identifier
• The interface portion was originally derive from your MAC address.
  • EUI-64 interface identifiers turned out to introduce a major privacy concern, Why?
  • No matter where a (portable) host connects to the Internet, home, work, airport, or Internet cafe, such an interface identifier always remains the same, and thus serves as a permanent host fingerprint!
  • That is clearly bad news for internet freedom,
• As a result, EUI-64 identifiers are now discouraged for personal workstations and mobile devices.
• Instead:
  • https://en.wikipedia.org/wiki/IPv6_address#Stable_privacy_addresses
  • http://intronetworks.cs.luc.edu/current/uhtml/ipv6a.html#slaac-privacy

+++++++++++++++ Cahoot-04-10

1.11.5 Interfaces and addresses

We assign each interface in IPv6 multiple IP addresses:
* That is, each interface is multi-homed.

1.11.5.0.1 Scope

https://en.wikipedia.org/wiki/IPv6_address#Address_scopes
Each IPv6 address has a scope, which specifies in which part of the network it is valid and unique.
* Some addresses are assumed to be unique, and are only routeable on the local (sub-)network.
* Others must be globally unique, and are globally routeable.

IPv6 addresses are classified by three types of networking methodologies:
1. unicast addresses identify each network interface,
2. anycast addresses identify a group of interfaces, usually at different locations of which the nearest one is automatically selected, and
3. multicast addresses are used to deliver one packet to many interfaces (e.g., only need to hit one of google’s servers)

The broadcast method is not implemented in IPv6.

1.11.5.0.2 Standard unicast

Globally addressable unique address.

https://en.wikipedia.org/wiki/IPv6_address#Unicast_and_anycast_address_format
Unicast and anycast addresses are typically composed of two logical parts:
1. a 64-bit network prefix used for routing, and
2. a 64-bit interface identifier used to identify a host’s network interface.

The typical size of the IPv6 anycast address blocks give out are:
* /32 for an Internet Service Provider
* /48 for a single company
* /56 for small user sites (organizations)
* /64 for a single user (e.g. a home user connected via ADSL)
* /128 in the rare case when it is known that no more than one end-host will be attached

1.11.5.0.3 Link-local (type of unicast)

• Routers won’t route these globally.
• All interfaces of IPv6 hosts require a link-local address.
• IPv6 link-local address were traditionally derived from the MAC address of the underlying network interface card and the prefix fe80::/10
  • However, this scheme has been replaced by RFC 8064 with a hash-based scheme specified in RFC 7217.
• IPv6 defines link-local addresses, with so-called link-local scope, intended to be used only on a single LAN and never routed.
• These begin with the 64-bit link-local prefix consisting of the ten bits 1111 1110 10 followed by 54 more zero bits; that is, fe80::/64.
• The remaining 64 bits are the interface identifier for the link interface in question, above.
• The EUI-64 link-local address of a machine with Ethernet address 00:a0:cc:24:b0:e4 is thus fe80::2a0:ccff:fe24:b0e4.
• The main applications of link-local addresses are as a “bootstrap” address for global-address auto-configuration.
• Link-local they may use your MAC, but that’s not a concern here, because they’re only for local routing.
  

1.11.5.0.4 Localhost (type of unicast)

Like 127.0.0.1,

::1 localhost

1.11.5.0.5 Unique local (type of unicast)

https://en.wikipedia.org/wiki/Unique_local_address
* Have global scope, but they are not globally administered.
* As a result, only other hosts in the same administrative domain (e.g., an organization), or within a cooperating administrative domain are able to reach such addresses, if properly routed.
* As their scope is global, these addresses are valid as a source address when communicating with any other global-scope address, even though it may be impossible to route packets from the destination back to the source.

1.11.5.0.6 Multicast

IPv6 has moved away from LAN-layer broadcast, instead providing a wide range of LAN-layer multicast groups.

* The low order 112 bits of an IPv6 multicast address are the group’s identifier.
* The high order bits are used as a marker to distinguish multicast addresses from unicast addresses.
* Notably, the 4 bits flag field indicates whether the address is temporary or permanent.
* Finally, the scope field indicates the boundaries of the forwarding of packets destined to a particular address.
* A link-local scope indicates that a router should not forward a packet destined to such a multicast address.
* An organization local-scope indicates that a packet sent to such a multicast destination address should not leave the organization.
* Finally the global scope is intended for multicast groups spanning the global Internet.

1.11.5.0.7 Anycast

• IPv6 also introduced anycast addresses.
• An anycast address might be assigned to each of a set of routers (in addition to each router’s own unicast addresses);
• a packet addressed to this anycast address would be delivered to only one member of this set.
• Note that this is quite different from multicast addresses;
• a packet addressed to the latter is delivered to every member of the set.

++++++++++++++++++ Cahoot-04-11

1.11.6 Adoption / deployment

https://en.wikipedia.org/wiki/IPv6_deployment
* IPv6 was designed as a replacement for IPv4 which has been in use since 1982, and is in the final stages of exhausting its unallocated address space, but still carries most Internet traffic.
* By 2011, all major operating systems in use on personal computers and server systems had production-quality IPv6 implementations.

Number of IPv6 prefixes and AS on the Internet since 2003

Monthly IPv6 allocations per RIR.

Demo: actually check these out in class (interesting).
https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption

1.11.7 Backwards compatibility

https://en.wikipedia.org/wiki/IPv6_transition_mechanism

The bad thing about IPv6 jokes is that nobody wants to tell them first.

• IPv4 and IPv6 are, functionally, rather similar.
• However, the widespread use of NAT in the IPv4 world makes IPv4 in practice appear rather different.
• IPv4 and IPv6 can, of course, coexist side-by-side, as two parallel and independent IP layers.
• But, the demand for IPv4-to-IPv6 connectivity has led to multiple solutions.
• Further, what if two central routers that are unavoidable can only do IPv4?

This section can be broken down into a several different situations:
1. IPv6-only end-machine to IPv6-only end-machine connections, which must pass through IPv4-only core.
2. IPv4-only end-machine to IPv4 end-machine connections, which must pass through IPv6-only core (more rare in USA).
3. IPv6 and IPv4 co-existence, and prioritization when both are available.
4. IPv6-only end-machine connecting to an IPv4-only end-machine, and vice-versa.

1.11.7.1 Backwards compatibility via dual-stack

https://en.wikipedia.org/wiki/IPv6_transition_mechanism#DNS64

DNS review
* For IPv4 addresses, DNS maintains so-called “A” records, for “Address”.
* The IPv6 equivalent is the “AAAA” record, for “Address four times longer”.
* A dual-stack machine usually requests both.
* Whenever a DNS server delivers an IPv4 A record, it also includes the corresponding AAAA record, much as IPv4 CNAME records are sent with piggybacked corresponding A records.
Dual-stack
* Machines that can do both IPv4 and IPv6
* Probably the most straightforward way to introduce IPv6-capable nodes is a dual-stack approach, where IPv6 nodes also have a complete IPv4 implementation.
* Such a node, referred to as an IPv6/IPv4 node in RFC 4213, has the ability to send and receive both IPv4 and IPv6 datagrams.
* When interoperating with an IPv4 node, an IPv6/IPv4 node can use IPv4 datagrams
* When interoperating with an IPv6 node, it can speak IPv6.
* IPv6/IPv4 nodes must have both IPv6 and IPv4 addresses.
* Nodes must be able to determine whether another node is IPv6-capable or IPv4-only.
* This problem can be solved using the DNS, which can return an IPv6 address if the node name being resolved is IPv6-capable, or otherwise return an IPv4 address.
* Of course, if the node issuing the DNS request is only IPv4-capable, the DNS returns only an IPv4 address.

1.11.7.2 Backwards compatibility via tunneling

https://en.wikipedia.org/wiki/Tunnel_broker
https://en.wikipedia.org/wiki/6in4

A tunnel broker provides IPv6 connectivity by encapsulating IPv6 traffic in IPv4 Internet transit links, typically using 6in4.
This establishes pseudo-end-to-end IPv6 tunnels within the IPv4 Internet.

1.11.7.3 A number of other methods exists

https://en.wikipedia.org/wiki/IPv6_transition_mechanism

An IPv6 packet walks into a bar.
Nobody talks to him.

1.12 IPsec

https://en.wikipedia.org/wiki/IPsec

While TLS or SSH secure application layer, IPsec can end-to-end encrypt the network layer:

Cryptographic agreement.
* two communicating hosts to agree on cryptographic algorithms and keys.

Encryption of IP datagram payloads.
* When the sending host receives a segment from the transport layer, IPsec encrypts the payload.
* The payload can only be decrypted by IPsec in the receiving host.

Data integrity.
* allows the receiving host to verify that the datagram’s header fields and encrypted payload were not modified while the datagram was en route from source to destination.

Origin authentication.
* When a host receives an IPsec datagram from a trusted source (with a trusted key see), the host is assured that the source IP address in the datagram is the actual source of the datagram.
* When two hosts have an IPsec session established between them, all TCP and UDP segments sent between them will be encrypted and authenticated.
IPsec therefore provides blanket coverage, securing all communication between the two hosts for all network applications.

1.12.0.1 Modes

Two major modes of operation

1.12.0.1.1 Transport mode

• In transport mode, only the payload of the IP packet is usually encrypted or authenticated.
• The routing is intact, since the IP header is neither modified nor encrypted;
• however, when the authentication header is used, the IP addresses cannot be modified by network address translation, as this always invalidates the hash value.
• The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers.

1.12.0.1.2 Tunnel mode

• In tunnel mode, the entire IP packet is encrypted and authenticated.
• It is then encapsulated into a new IP packet with a new IP header.
• Tunnel mode is used to create virtual private networks for
  • network-to-network communications (e.g. between routers to link sites),
  • host-to-network communications (e.g. remote user access) and
  • host-to-host communications (e.g. private chat).
• Tunnel mode supports NAT traversal.

1.12.1 Functions

IPsec uses the following protocols to perform various functions:

Authentication Headers (AH)
* provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks.

Encapsulating Security Payloads (ESP)
* provides confidentiality, connectionless data integrity, data origin authentication, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.

Internet Security Association and Key Management Protocol (ISAKMP)
* provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.
* The purpose is to generate the Security Associations (SA) with the bundle of algorithms and parameters necessary for AH and/or ESP operations.

For more, see latter section (coming up).

1.13 Supporting and related protocols

• IP can operate over many data-link layer protocols, and other protocols operate above it at the transport layer.
• We have also not covered the IP-layer control functionality: 06-NetworkControl.html

https://en.wikipedia.org/wiki/IP_over_Avian_Carriers

1.14 IP-layer status and error messages

Some of this stuff is not quite data, not quite control…
ICMP differs from transport protocols such as TCP and UDP, in that:
it is not typically used to exchange data between systems,
nor is it regularly employed by end-user network applications,
with the exception of some diagnostic tools like ping and traceroute.
ICMP uses the basic support of IP as if it were a higher level protocol,
however, ICMP is actually an integral part of IP.
Although ICMP messages are contained within standard IP packets,
ICMP messages are usually processed as a special case,
distinguished from normal IP processing.
It is often necessary to inspect the contents of the ICMP message,
and deliver an appropriate error message,
to the application responsible for transmission of the IP packet,
that prompted the sending of the ICMP message.
ICMP is a network layer protocol.
There is no TCP or UDP port number associated with ICMP packets,
as these numbers are associated with the transport layer above.
ICMP is often considered part of IP,
but architecturally it lies just above IP,
as ICMP messages are carried inside IP datagrams.
That is, ICMP messages are carried as IP payload,
just as TCP or UDP segments are carried as IP payload.
When a host receives an IP datagram,
with ICMP specified as the upper-layer protocol,
it demultiplexes the datagram’s contents to ICMP,
just as it would demultiplex a datagram’s content to TCP or UDP.

1.14.1 ICMP

Wikipedia
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6

V1-computer-networking
https://www.computer-networking.info/1st/html/network/network.html#icmp-version-4
https://www.computer-networking.info/1st/html/network/network.html#icmp-version-6

V2-computer-networking
https://www.computer-networking.info/2nd/html/protocols/ipv6.html#icmp-version-6

Intronetworks
http://intronetworks.cs.luc.edu/current2/uhtml/ipv4.html#internet-control-message-protocol
http://intronetworks.cs.luc.edu/current2/uhtml/ipv6b.html#icmpv6

1.14.1.1 IPv4 ICMP

ICMP messages are typically used for diagnostic or control purposes,
or generated in response to errors in IP operations (as specified in RFC 1122).
ICMP errors are directed to the source IP address of the originating packet.
It is sometimes necessary for intermediate routers, or the destination host,
to inform the sender of the packet of a problem,
that occurred while processing a packet.
Reporting is done by the Internet Control Message Protocol (ICMP).
ICMP is defined in RFC 792.
ICMP messages are carried as the payload of IP packets
(the protocol value reserved for ICMP is 1).
An ICMP message is composed of an 8 byte header, and a variable length payload,
that usually contains the first bytes of the erroneous packet,
that triggered the transmission of the ICMP message.
ICMP is, like IP, host-to-host,
and so its packets are never delivered to a specific port,
even if they are sent in response to an error,
related to something sent from a port.
Individual UDP and TCP connections do not receive ICMP messages,
even when it would be helpful to get them.
ICMP messages are identified by an 8-bit type field,
followed by an 8-bit subtype, or code.
The ICMP packet is encapsulated in an IPv4 packet.
The packet consists of header and data sections.
Only part of this diagram is the ICMP header:

The Type and Code fields indicate the type of problem,
that was detected by the sender of the ICMP message.
The Checksum protects the entire ICMP message against transmission errors.
The Data field contains additional information for some ICMP messages.

1.14.1.1.1 Notable ICMP types in IPv4

ICMP packets come in a variety of types (see these in class):
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages

echo request/reply
https://en.wikipedia.org/wiki/Ping_(networking_utility)

https://en.wikipedia.org/wiki/ICMP_Time_Exceeded
https://en.wikipedia.org/wiki/ICMP_Router_Discovery_Protocol

• To enable router discovery, the IRDP defines two kinds of ICMP messages:
  • The ICMP Router Solicitation Message is sent from a computer host to any routers on the local area network to request that they advertise their presence on the network.
  • The ICMP Router Advertisement Message is sent by a router on the local area network to announce its IP address as available for routing.
• And more.

1.14.1.2 IPv6 ICMP

• Unlike ICMPv4, ICMPv6 distinguishes between informational and error messages by the first bit of the type field.
  • Unknown informational messages are simply dropped, while unknown error messages must be handed off, if possible, to the appropriate upper-layer process.
  • For example, [UDP] port unreachable messages are to be delivered to the UDP sender of the undeliverable packet.
• ICMPv6 includes an IPv6 version of Echo Request / Echo Reply, upon which the ping6 command is based;
  • unlike with IPv4, arriving IPv6 echo-reply messages are delivered to the process that generated the corresponding echo request.
• ICMPv6 specifies two classes of messages: error messages that indicate a problem in handling a packet.
  
• The traditional utilisation of ICMPv6 is similar to ICMPv4.
• ICMPv6 messages are carried inside IPv6 packets (the Next Header field for ICMPv6 is 58).
• Each ICMP message contains an 8 bits header with a type field, a code field and a 16 bits checksum computed over the entire ICMPv6 message.
• The message body contains a copy of the IPv6 packet in error.

ICMPv6 specifies two classes of messages : error messages that indicate a problem in handling a packet and informational messages. Four types of error messages are defined in RFC 4443:

1: Destination Unreachable. Such an ICMPv6 message is sent when the destination address of a packet is unreachable. The code field of the ICMP header contains additional information about the type of unreachability. The following codes are specified in RFC 4443
0: No route to destination. This indicates that the router that sent the ICMPv6 message did not have a route towards the packet’s destination
1: Communication with destination administratively prohibited. This indicates that a firewall has refused to forward the packet towards its destination.
2: Beyond scope of source address. This message can be sent if the source is using link-local addresses to reach a global unicast address outside its subnet.
3: Address unreachable. This message indicates that the packet reached the subnet of the destination, but the host that owns this destination address cannot be reached.
4: Port unreachable. This message indicates that the IPv6 packet was received by the destination, but there was no application listening to the specified port.

2: Packet Too Big. The router that was to send the ICMPv6 message received an IPv6 packet that is larger than the MTU of the outgoing link. The ICMPv6 message contains the MTU of this link in bytes. This allows the sending host to implement Path MTU discovery RFC 1981

3: Time Exceeded. This error message can be sent either by a router or by a host. A router would set code to 0 to report the reception of a packet whose Hop Limit reached 0. A host would set code to 1 to report that it was unable to reassemble received IPv6 fragments.

4: Parameter Problem. This ICMPv6 message is used to report either the reception of an IPv6 packet with an erroneous header field (type 0) or an unknown Next Header or IP option (types 1 and 2). In this case, the message body contains the erroneous IPv6 packet and the first 32 bits of the message body contain a pointer to the error.

Two types of informational ICMPv6 messages are defined in RFC 4443 : echo request and echo reply, which are used to test the reachability of a destination by using ping6(8).

1.14.1.3 Applications based on ICMP

Use ICMP messages for user-space purpose.

1.14.1.3.1 Ping

$ man ping
$ man ping6

In class: check out wireshark of ping packets

https://en.wikipedia.org/wiki/Ping_(networking_utility)

• Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network.
• Ping measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source.
• Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply.
• The program reports errors, packet loss, and a statistical summary of the results, typically including the minimum, maximum, the mean round-trip times, and standard deviation of the mean.
• Check out message format

1.14.1.3.2 Traceroute

$ man traceroute
$ man traceroute6

In class: check out wireshark of traceroute packets

https://en.wikipedia.org/wiki/Traceroute

• traceroute is a network diagnostic command for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
• The traceroute program uses ICMP Time Exceeded messages.
• The time-to-live (TTL) value, also known as hop limit, is used in determining the intermediate routers being traversed towards the destination.
• Traceroute sends packets with TTL values that gradually increase from packet to packet, starting with TTL value of one.
• Routers decrement TTL values of packets by one when routing and discard packets whose TTL value has reached zero, returning the ICMP error message ICMP Time Exceeded.
• For the first set of packets, the first router receives the packet, decrements the TTL value and drops the packet because it then has TTL value zero.
• The router sends an ICMP Time Exceeded message back to the source.
• The next set of packets are given a TTL value of two, so the first router forwards the packets, but the second router drops them and replies with ICMP Time Exceeded.
• Proceeding in this way, traceroute uses the returned ICMP Time Exceeded messages to build a list of routers that packets traverse, until the destination is reached and returns an ICMP Destination Unreachable message if UDP packets are being used or an ICMP Echo Reply message if ICMP Echo messages are being used.
• The sender expects a reply within a specified number of seconds. If a packet is not acknowledged within the expected interval, an asterisk is displayed.

1.14.1.4 Exploits

https://en.wikipedia.org/wiki/Ping_of_death
A correctly formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered, and 84 bytes including Internet Protocol version 4 header.
However, any IPv4 packet (including pings) may be as large as 65,535 bytes.
Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol.
Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission.
However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

https://en.wikipedia.org/wiki/Ping_flood
A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP “echo request” (ping) packets.
This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies.

https://en.wikipedia.org/wiki/ICMP_tunnel
An ICMP tunnel establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets.
An example of this technique is tunneling complete TCP traffic over ping requests and replies.
ICMP tunneling can be used to bypass firewalls rules through obfuscation of the actual traffic.
Depending on the implementation of the ICMP tunneling software, this type of connection can also be categorized as an encrypted communication channel between two computers. Without proper deep packet inspection or log review, network administrators will not be able to detect this type of traffic through their network.
ICMP-tunnels are sometimes used to circumvent firewalls that block traffic between the LAN and the outside world.

Data storage exploit
https://www.youtube.com/watch?v=JcJSW7Rprio

1.14.1.4.1 Code

In class:

Check out ICMP-ping python code:
(user@vm-wnet: ../CS3610/pa04_icmp_grader/background_reading/ICMP-ping)

introduce traceroute python code for next week:
(user@vm-wnet: ../CS3610/pa04_icmp_grader/background_reading/ICMP-traceroute)

1.14.1.4.2 Wireshark demo

• Include IP wireshark lab demo here next year
• Include ICMP wireshark lab demo here next year

1.14.2 ARP

Will cover during data-link layer, though it’s the glue between network and data-link layers.

1.14.3 Default gateways

(a preview of datalink / MAC / LAN layer)
https://www.homenethowto.com/basics/default-gateway-finding-other-ip-networks/
https://en.wikipedia.org/wiki/Default_gateway

Q:
When a computer wants to send an IP packet,
how does it know to send it on the LAN, or to the internet,
though it’s gateway router?

A:
Using the IP address and its sub-net information,
either in the form of the sub-net mask or CIDR notation.

1.15 Other network-layer protocols

IP is not the only network layer protocol, with others for complementary purposes, and full alternatives (not popular).

https://en.wikipedia.org/wiki/Network_layer#Protocols
https://en.wikipedia.org/wiki/Internet_layer

Next: 05-Security.html