15 441 computer networking
This presentation is the property of its rightful owner.
Sponsored Links
1 / 102

15-441 Computer Networking PowerPoint PPT Presentation


  • 84 Views
  • Uploaded on
  • Presentation posted in: General

15-441 Computer Networking. Lecture 29 – Final Review. Fun. TCP/IP drinking game ( http://infohost.nmt.edu/~val/tcpip.html ) Internet map ( http://xkcd.com/c195.html ). Outline – Lec 14. The recurring IP address space problem IPv6. NAT. Tunneling / Overlays Network Management

Download Presentation

15-441 Computer Networking

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


15 441 computer networking

15-441 Computer Networking

Lecture 29 – Final Review


15 441 computer networking

Fun

  • TCP/IP drinking game

    • (http://infohost.nmt.edu/~val/tcpip.html)

  • Internet map

    • (http://xkcd.com/c195.html)

Lecture 27: Research Directions


Outline lec 14

Outline – Lec 14

  • The recurring IP address space problem

  • IPv6.

  • NAT.

  • Tunneling / Overlays

  • Network Management

    • Autoconfiguration

    • SNMP (notes only)

Lecture 27: Research Directions


Ip v6

IP v6

  • “Next generation” IP.

  • Most urgent issue: increasing address space.

    • 128 bit addresses

  • Simplified header for faster processing:

    • No checksum (why not?)

    • No fragmentation (?)

  • Support for guaranteed services: priority and flow id

  • Options handled as “next header”

    • reduces overhead of handling options

V/Pr

Flow label

Length

Next

Hop L

Source IP address

Destination IP address

Lecture 27: Research Directions


Network address translation

Network Address Translation

  • NAT maps (private source IP, source port) onto (public source IP, unique source port)

    • reverse mapping on the way back

    • destination host does not know that this process is happening

  • Very simple working solution.

    • NAT functionality fits well with firewalls

Priv A IP

B IP

A

B IP

Priv A IP

A Port

B Port

B Port

A Port

Publ A IP

B IP

B IP

Publ A IP

B

B Port

A Port’

A Port’

B Port

Lecture 27: Research Directions


Tunneling

Tunneling

  • Force a packet to go to a specific point in the network.

    • Path taken is different from the regular routing

  • Achieved by adding an extra IP header to the packet with a new destination address.

    • Similar to putting a letter in another envelope

    • preferable to using IP source routing option

  • Used increasingly to deal with special routing requirements or new features.

    • Mobile IP,..

    • Multicast, IPv6, research, ..

IP1

IP2

Data

IP1

IP2

Lecture 27: Research Directions


15 441 computer networking

DHCP

  • DHCPOFFER

    • IP addressing information

    • Boot file/server information (for network booting)

    • DNS name servers

    • Lots of other stuff - protocol is extensible; half of the options reserved for local site definition and use.

DHCPDISCOVER - broadcast

DHCPOFFER

DHCPREQUEST

DHCPACK

Lecture 27: Research Directions


Outline lec 15

Outline – Lec 15

  • Exam discussion

  • Layering review (bridges, routers, etc.)

    • Exam section C.

  • Circuit switching refresher

  • Virtual Circuits - general

    • Why virtual circuits?

    • How virtual circuits? -- tag switching!

  • Two modern implementations

    • ATM - teleco-style virtual circuits

    • MPLS - IP-style virtual circuits

Lecture 27: Research Directions


Virtual circuit switching label tag swapping

Virtual Circuit Switching:Label (“tag”) Swapping

  • Global VC ID allocation -- ICK! Solution: Per-link uniqueness. Change VCI each hop.

    Input Port Input VCI Output Port Output VCI

    R1: 1 5 3 9

    R2: 2 9 4 2

    R4: 1 2 3 5

1

3

A

R2

2

1

3

4

1

3

R1

R4

Dst

2

4

2

4

1

3

B

R3

2

4

Lecture 27: Research Directions


Multi protocol label switching mpls

Multi Protocol Label Switching - MPLS

  • Selective combination of VCs + IP

    • Today: MPLS useful for traffic engineering, reducing core complexity, and VPNs

  • Core idea: Layer 2 carries VC label

    • Could be ATM (which has its own tag)

    • Could be a “shim” on top of Ethernet/etc.:

    • Existing routers could act as MPLS switches just by examining that shim -- no radical re-design. Gets flexibility benefits, though not cell switching advantages

Layer 3 (IP) header

Layer 3 (IP) header

MPLS label

Layer 2 header

Layer 2 header

Lecture 27: Research Directions


Mpls ip

MPLS + IP

  • Map packet onto Forward Equivalence Class (FEC)

    • Simple case: longest prefix match of destination address

    • More complex if QoS of policy routing is used

  • In MPLS, a label is associated with the packet when it enters the network and forwarding is based on the label in the network core.

    • Label is swapped (as ATM VCIs)

  • Potential advantages.

    • Packet forwarding can be faster

    • Routing can be based on ingress router and port

    • Can use more complex routing decisions

    • Can force packets to followed a pinned route

Lecture 27: Research Directions


Take home points

Take Home Points

  • Costs/benefits/goals of virtual circuits

  • Cell switching (ATM)

    • Fixed-size pkts: Fast hardware

    • Packet size picked for low voice jitter. Understand trade-offs.

    • Beware packet shredder effect (drop entire pkt)

  • Tag/label swapping

    • Basis for most VCs.

    • Makes label assignment link-local. Understand mechanism.

  • MPLS - IP meets virtual circuits

    • MPLS tunnels used for VPNs, traffic engineering, reduced core routing table sizes

Lecture 27: Research Directions


Outline lec 16

Outline – Lec 16

  • Transport introduction

  • Error recovery & flow control

Lecture 27: Research Directions


Important lessons

Important Lessons

  • Transport service

    • UDP  mostly just IP service

    • TCP  congestion controlled, reliable, byte stream

  • Types of ARQ protocols

    • Stop-and-wait  slow, simple

    • Go-back-n  can keep link utilized (except w/ losses)

    • Selective repeat  efficient loss recovery

  • Sliding window flow control

    • Addresses buffering issues and keeps link utilized

Lecture 27: Research Directions


Sender receiver state

Sender/Receiver State

Sender

Receiver

Next expected

Max acceptable

Max ACK received

Next seqnum

Sender window

Receiver window

Sent & Acked

Sent Not Acked

Received & Acked

Acceptable Packet

OK to Send

Not Usable

Not Usable

Lecture 27: Research Directions


Outline lec 17

Outline – Lec 17

  • TCP flow control

  • Congestion sources and collapse

  • Congestion control basics

Lecture 27: Research Directions


Important lessons1

Important Lessons

  • Why is congestion control needed?

  • How to evaluate congestion control algorithms?

    • Why is AIMD the right choice for congestion control?

  • TCP flow control

    • Sliding window  mapping to packet headers

    • 32bit sequence numbers (bytes)

Lecture 27: Research Directions


Window flow control send side

Window Flow Control: Send Side

Packet Received

Packet Sent

Source Port

Dest. Port

Source Port

Dest. Port

Sequence Number

Sequence Number

Acknowledgment

Acknowledgment

HL/Flags

Window

HL/Flags

Window

D. Checksum

Urgent Pointer

D. Checksum

Urgent Pointer

Options…

Options...

App write

acknowledged

sent

to be sent

outside window

Lecture 27: Research Directions


Causes costs of congestion

Causes & Costs of Congestion

  • When packet dropped, any “upstream transmission capacity used for that packet was wasted!

Lecture 27: Research Directions


Phase plots

Phase Plots

  • Simple way to visualize behavior of competing connections over time

User 2’s Allocation x2

User 1’s Allocation x1

Lecture 27: Research Directions


Phase plots1

Phase Plots

  • What are desirable properties?

  • What if flows are not equal?

Fairness Line

Overload

User 2’s Allocation x2

Optimal point

Underutilization

Efficiency Line

User 1’s Allocation x1

Lecture 27: Research Directions


Outline lec 18

Outline – Lec 18

  • TCP connection setup/data transfer

  • TCP reliability

Lecture 27: Research Directions


Establishing connection three way handshake

Establishing Connection:Three-Way handshake

  • Each side notifies other of starting sequence number it will use for sending

    • Why not simply chose 0?

      • Must avoid overlap with earlier incarnation

      • Security issues

  • Each side acknowledges other’s sequence number

    • SYN-ACK: Acknowledge sequence number + 1

  • Can combine second SYN with first ACK

SYN: SeqC

ACK: SeqC+1

SYN: SeqS

ACK: SeqS+1

Client

Server

Lecture 27: Research Directions


Tearing down connection

Tearing Down Connection

  • Either side can initiate tear down

    • Send FIN signal

    • “I’m not going to send any more data”

  • Other side can continue sending data

    • Half open connection

    • Must continue to acknowledge

  • Acknowledging FIN

    • Acknowledge last sequence number + 1

A

B

FIN, SeqA

ACK, SeqA+1

Data

ACK

FIN, SeqB

ACK, SeqB+1

Lecture 27: Research Directions


Fast retransmit

Packets

Acks

Fast Retransmit

Retransmission

X

Duplicate Acks

Sequence No

Time

Lecture 27: Research Directions


Tcp reno variant

Packets

Acks

TCP (Reno variant)

X

X

X

Now what? - timeout

X

Sequence No

Time

Lecture 27: Research Directions


Important lessons2

Important Lessons

  • TCP state diagram  setup/teardown

  • TCP timeout calculation  how is RTT estimated

  • Modern TCP loss recovery

    • Why are timeouts bad?

    • How to avoid them?  e.g. fast retransmit

Lecture 27: Research Directions


Outline lec 20

Outline – Lec 20

  • TCP congestion avoidance

  • TCP slow start

  • TCP modeling

Lecture 27: Research Directions


Tcp congestion control

TCP Congestion Control

  • Changes to TCP motivated by ARPANET congestion collapse

  • Basic principles

    • AIMD

    • Packet conservation

    • Reaching steady state quickly

    • ACK clocking

Lecture 27: Research Directions


Congestion avoidance sequence plot

Packets

Acks

Congestion Avoidance Sequence Plot

Sequence No

Time

Lecture 27: Research Directions


Tcp packet pacing

TCP Packet Pacing

  • Congestion window helps to “pace” the transmission of data packets

  • In steady state, a packet is sent when an ack is received

    • Data transmission remains smooth, once it is smooth

    • Self-clocking behavior

Pb

Pr

Sender

Receiver

As

Ar

Ab

Lecture 27: Research Directions


Slow start packet pacing

Slow Start Packet Pacing

  • How do we get this clocking behavior to start?

    • Initialize cwnd = 1

    • Upon receipt of every ack, cwnd = cwnd + 1

  • Implications

    • Window actually increases to W in RTT * log2(W)

    • Can overshoot window and cause packet loss

Lecture 27: Research Directions


Slow start sequence plot

Packets

Acks

Slow Start Sequence Plot

.

.

.

Sequence No

Time

Lecture 27: Research Directions


Tcp saw tooth behavior

TCP Saw Tooth Behavior

Congestion

Window

Timeouts

may still

occur

Time

Slowstart

to pace

packets

Fast

Retransmit

and Recovery

Initial

Slowstart

Lecture 27: Research Directions


Tcp performance

TCP Performance

  • Can TCP saturate a link?

  • Congestion control

    • Increase utilization until… link becomes congested

    • React by decreasing window by 50%

    • Window is proportional to rate * RTT

  • Doesn’t this mean that the network oscillates between 50 and 100% utilization?

    • Average utilization = 75%??

    • No…this is *not* right!

Lecture 27: Research Directions


Tcp performance1

TCP Performance

  • If we have a large router queue  can get 100% utilization

    • But, router queues can cause large delays

  • How big does the queue need to be?

    • Windows vary from W  W/2

      • Must make sure that link is always full

      • W/2 > RTT * BW

      • W = RTT * BW + Qsize

      • Therefore, Qsize > RTT * BW

    • Ensures 100% utilization

    • Delay?

      • Varies between RTT and 2 * RTT

Lecture 27: Research Directions


Single tcp flow router with large enough buffers for full link utilization

Single TCP FlowRouter with large enough buffers for full link utilization

Lecture 27: Research Directions


Tcp summary

TCP (Summary)

  • General loss recovery

    • Stop and wait

    • Selective repeat

  • TCP sliding window flow control

  • TCP state machine

  • TCP loss recovery

    • Timeout-based

      • RTT estimation

    • Fast retransmit

    • Selective acknowledgements

Lecture 27: Research Directions


Tcp summary1

TCP (Summary)

  • Congestion collapse

    • Definition & causes

  • Congestion control

    • Why AIMD?

    • Slow start & congestion avoidance modes

    • ACK clocking

    • Packet conservation

  • TCP performance modeling

    • How does TCP fully utilize a link?

      • Role of router buffers

Lecture 27: Research Directions


Outline lec 19

Outline – Lec 19

  • HTTP review and details (more in notes)

  • Persistent HTTP review

  • HTTP caching

  • Content distribution networks

Lecture 27: Research Directions


Persistent http review

Nonpersistent HTTP issues:

Requires 2 RTTs per object

OS must work and allocate host resources for each TCP connection

But browsers often open parallel TCP connections to fetch referenced objects

Persistent HTTP

Server leaves connection open after sending response

Subsequent HTTP messages between same client/server are sent over connection

Persistent without pipelining:

Client issues new request only when previous response has been received

One RTT for each referenced object

Persistent with pipelining:

Default in HTTP/1.1

Client sends requests as soon as it encounters a referenced object

As little as one RTT for all the referenced objects

Persistent HTTP (review)

Lecture 27: Research Directions


Web proxy caches

User configures browser: Web accesses via cache

Browser sends all HTTP requests to cache

Object in cache: cache returns object

Else cache requests object from origin server, then returns object to client

Web Proxy Caches

origin

server

Proxy

server

HTTP request

HTTP request

client

HTTP response

HTTP response

HTTP request

HTTP response

client

origin

server

Lecture 27: Research Directions


Content distribution networks cdns

The content providers are the CDN customers.

Content replication

CDN company installs hundreds of CDN servers throughout Internet

Close to users

CDN replicates its customers’ content in CDN servers. When provider updates content, CDN updates servers

Content Distribution Networks (CDNs)

origin server

in North America

CDN distribution node

CDN server

in S. America

CDN server

in Asia

CDN server

in Europe

Lecture 27: Research Directions


Consistent hash example

Consistent Hash – Example

  • Construction

    • Assign each of C hash buckets to random points on mod 2n circle, where, hash key size = n.

    • Map object to random position on circle

    • Hash of object = closest clockwise bucket

  • Smoothness  addition of bucket does not cause movement between existing buckets

  • Spread & Load  small set of buckets that lie near object

  • Balance  no bucket is responsible for large number of objects

0

14

Bucket

4

12

8

Lecture 27: Research Directions


How akamai works

How Akamai Works

End-user

cnn.com (content provider)

DNS root server

Akamai server

Get foo.jpg

12

11

Get index.html

5

1

2

3

Akamai high-level DNS server

6

4

7

Akamai low-level DNS server

8

Nearby matchingAkamai server

9

10

Get /cnn.com/foo.jpg

Lecture 27: Research Directions


Http summary

HTTP (Summary)

  • Simple text-based file exchange protocol

    • Support for status/error responses, authentication, client-side state maintenance, cache maintenance

  • Workloads

    • Typical documents structure, popularity

    • Server workload

  • Interactions with TCP

    • Connection setup, reliability, state maintenance

    • Persistent connections

  • How to improve performance

    • Persistent connections

    • Caching

    • Replication

Lecture 27: Research Directions


Outline

Outline

  • p2p file sharing techniques

    • Downloading: Whole-file vs. chunks

    • Searching

      • Centralized index (Napster, etc.)

      • Flooding (Gnutella, etc.)

      • Smarter flooding (KaZaA, …)

      • Routing (Freenet, etc.)

  • Uses of p2p - what works well, what doesn’t?

    • servers vs. arbitrary nodes

    • Hard state (backups!) vs soft-state (caches)

  • Challenges

    • Fairness, freeloading, security, …

Lecture 27: Research Directions


Next topic

Next Topic...

  • Centralized Database

    • Napster

  • Query Flooding

    • Gnutella

  • Intelligent Query Flooding

    • KaZaA

  • Swarming

    • BitTorrent

  • Unstructured Overlay Routing

    • Freenet

  • Structured Overlay Routing

    • Distributed Hash Tables

Lecture 27: Research Directions


Napster publish

Publish

Napster: Publish

insert(X,

123.2.21.23)

...

I have X, Y, and Z!

123.2.21.23

Lecture 27: Research Directions


Napster search

Fetch

Query

Reply

Napster: Search

123.2.0.18

search(A)

-->

123.2.0.18

Where is file A?

Lecture 27: Research Directions


Search in query flooding

I have file A.

I have file A.

Reply

Query

Search in Query Flooding

Where is file A?

Lecture 27: Research Directions


Supernodes file insert

Publish

Supernodes: File Insert

insert(X,

123.2.21.23)

...

I have X!

123.2.21.23

Lecture 27: Research Directions


Supernodes file search

search(A)

-->

123.2.22.50

search(A)

-->

123.2.0.18

123.2.22.50

Query

Replies

123.2.0.18

Supernodes: File Search

Where is file A?

Lecture 27: Research Directions


Bittorrent publish join

BitTorrent: Publish/Join

Tracker

Lecture 27: Research Directions


Bittorrent fetch

BitTorrent: Fetch

Lecture 27: Research Directions


Dht consistent hashing

DHT: Consistent Hashing

Key 5

K5

Node 105

N105

K20

Circular ID space

N32

N90

K80

A key is stored at its successor: node with next higher ID

Lecture 27: Research Directions


Dht chord basic lookup

DHT: Chord Basic Lookup

N120

N10

“Where is key 80?”

N105

N32

“N90 has K80”

N90

K80

N60

Lecture 27: Research Directions


Dht chord finger table

DHT: Chord “Finger Table”

1/2

1/4

1/8

1/16

1/32

1/64

1/128

N80

  • Entry i in the finger table of node n is the first node that succeeds or equals n + 2i

  • In other words, the ith finger points 1/2n-i way around the ring

Lecture 27: Research Directions


P2p summary

P2P: Summary

  • Many different styles; remember pros and cons of each

    • centralized, flooding, swarming, unstructured and structured routing

  • Lessons learned:

    • Single points of failure are very bad

    • Flooding messages to everyone is bad

    • Underlying network topology is important

    • Not all nodes are equal

    • Need incentives to discourage freeloading

    • Privacy and security are important

    • Structure can provide theoretical bounds and guarantees

Lecture 27: Research Directions


Overview lec 22

Overview – Lec 22

  • Queue management & RED

  • Fair-queuing

  • Why QOS?

  • Integrated services

Lecture 27: Research Directions


Typical internet queuing

Typical Internet Queuing

  • FIFO + drop-tail

    • Simplest choice

    • Used widely in the Internet

  • FIFO (first-in-first-out)

    • Implies single class of traffic

  • Drop-tail

    • Arriving packets get dropped when queue is full regardless of flow or importance

  • Important distinction:

    • FIFO: scheduling discipline

    • Drop-tail: drop policy

Lecture 27: Research Directions


Fifo drop tail problems

FIFO + Drop-tail Problems

  • Full queues

    • Routers are forced to have have large queues to maintain high utilizations

    • TCP detects congestion from loss

      • Forces network to have long standing queues in steady-state

  • Lock-out problem

    • Drop-tail routers treat bursty traffic poorly

    • Traffic gets synchronized easily  allows a few flows to monopolize the queue space

Lecture 27: Research Directions


Red operation

RED Operation

Min thresh

Max thresh

Average Queue Length

P(drop)

1.0

maxP

minth

maxth

Avg queue length

Lecture 27: Research Directions


Max min fairness

Max-min Fairness

  • Allocate user with “small” demand what it wants, evenly divide unused resources to “big” users

  • Formally:

    • Resources allocated in terms of increasing demand

    • No source gets resource share larger than its demand

    • Sources with unsatisfied demands get equal share of resource

Lecture 27: Research Directions


Bit by bit rr illustration

Bit-by-bit RR Illustration

  • Not feasible to interleave bits on real networks

    • FQ simulates bit-by-bit RR

Lecture 27: Research Directions


Fair queuing

Fair Queuing

  • Mapping bit-by-bit schedule onto packet transmission schedule

  • Transmit packet with the lowest Fi at any given time

    • How do you compute Fi?

Lecture 27: Research Directions


Utility curve shapes

U

U

Elastic

Hard real-time

BW

BW

Delay-adaptive

U

BW

Utility Curve Shapes

Stay to the right and you

are fine for all curves

Lecture 27: Research Directions


Admission control

Delay-adaptive

U

BW

Admission Control

  • If U is convex  inelastic applications

    • U(number of flows) is no longer monotonically increasing

    • Need admission control to maximize total utility

  • Admission control  deciding when adding more people would reduce overall utility

    • Basically avoids overload

Lecture 27: Research Directions


Type of commitments

Type of Commitments

  • Guaranteed service

    • For hard real-time applications

    • Fixed guarantee, network meets commitment if clients send at agreed-upon rate

  • Predicted service

    • For delay-adaptive applications

    • Two components

      • If conditions do not change, commit to current service

      • If conditions change, take steps to deliver consistent performance (help apps minimize playback delay)

      • Implicit assumption – network does not change much over time

  • Datagram/best effort service

Lecture 27: Research Directions


Scheduling for guaranteed traffic

Scheduling for Guaranteed Traffic

  • Use token bucket filter to characterize traffic

    • Described by rate r and bucket depth b

  • Use Weighted Fair-Queueing at the routers

  • Parekh’s bound for worst case queuing delay = b/r

Lecture 27: Research Directions


Token bucket filter

Token Bucket Filter

Tokens enter bucket

at rate r

Operation:

  • If bucket fills, tokens are discarded

  • Sending a packet of size P uses P tokens

  • If bucket has P tokens, packet sent at max rate, else must wait for tokens to accumulate

Bucket depth b: capacity of bucket

Lecture 27: Research Directions


Lessons

Lessons

  • TCP can use help from routers

    • RED  eliminate lock-out and full-queues problems

    • FQ  heavy-weight but explicitly fair to all

  • QoS

    • What type of applications are there?  Elastic, hard real-time and adaptive real-time

    • Why do we need admission control  to maximize utility

    • How do token buckets + WFQ provide QoS guarantees?

Lecture 27: Research Directions


Outline lec 24

Outline – Lec 24

Yes:

1) Creating a “secure channel” for communication (today)

2) Protecting network resources and limiting connectivity (next Tuesday)

No:

1) Preventing software vulnerabilities & malware, or “social engineering”.

Lecture 27: Research Directions


What do we need for a secure communication channel

What do we need for a secure communication channel?

  • Authentication (Who am I talking to?)

  • Confidentiality (Is my data hidden?)

  • Integrity (Has my data been modified?)

  • Availability (Can I reach the destination?)

Lecture 27: Research Directions


The great divide

The Great Divide

Asymmetric Crypto:

(Public key)

Example: RSA

Symmetric Crypto: (Private key)

Example: AES

Requires a pre-shared secret between communicating parties?

Yes

No

Overall speed of cryptographic operations

Fast

Slow

Lecture 27: Research Directions


Symmetric key confidentiality

Symmetric Key: Confidentiality

  • Block Ciphers (ex: AES)

(fixed block size, e.g. 128 bits)

Block 1

Block 2

Block 3

Block 4

Round #1

Round #2

Round #n

Alice:

K A-B

Block 1

Block 2

Block 3

Block 4

Bob breaks the ciphertext into blocks, feeds it through decryption engine using KA-B to recover the message.

Lecture 27: Research Directions


Symmetric key integrity

Symmetric Key: Integrity

  • Hash Message Authentication Code (HMAC)

Step #1:

Alice creates MAC

Hash Fn

Message

MAC

K A-B

Alice Transmits Message & MAC

Step #2

Step #3

Bob computes MAC with message and KA-B to verify.

MAC

Message

Why is this secure? How do properties of a hash function help us?

Lecture 27: Research Directions


Symmetric key authentication

Symmetric Key: Authentication

  • A “Nonce”

    • A random bitstring used only once. Alice sends nonce to Bob as a “challenge”. Bob Replies with “fresh” MAC result.

Nonce

Bob

Alice

Nonce

Hash

B4FE64

K A-B

B4FE64

Performs same hash with KA-B and compares results

Lecture 27: Research Directions


Symmetric key crypto review

Symmetric Key Crypto Review

  • Confidentiality: Stream & Block Ciphers

  • Integrity: HMAC

  • Authentication: HMAC and Nonce

Questions??

  • Are we done? Not Really:

  • Number of keys scales as O(n2)

  • How to securely share keys in the first place?

Lecture 27: Research Directions


Asymmetric key crypto

Asymmetric Key Crypto:

  • Instead of shared keys, each person has a “key pair”

Bob’s public key

KB

Bob’s private key

KB-1

  • The keys are inverses, so:

KB-1(KB (m)) = m

Lecture 27: Research Directions


Asymmetric key confidentiality

Asymmetric Key: Confidentiality

Bob’s public

key

KB

Bob’s private

key

KB-1

encryption

algorithm

decryption

algorithm

plaintext

message

ciphertext

KB (m)

m = KB-1(KB (m))

Lecture 27: Research Directions


Asymmetric key review

Asymmetric Key Review:

  • Confidentiality: Encrypt with Public Key of Receiver

  • Integrity: Sign message with private key of the sender

  • Authentication: Entity being authenticated signs a nonce with private key, signature is then verified with the public key

But, these operations are computationally expensive*

Lecture 27: Research Directions


Key distribution center kdc

Key Distribution Center (KDC)

Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other?

KDC generates R1

KA-KDC(A,B)

KA-KDC(R1, KB-KDC(A,R1) )

Alice

knows R1

Bob knows to use R1 to communicate with Alice

KB-KDC(A,R1)

Alice and Bob communicate: using R1 as

session key for shared symmetric encryption

Lecture 27: Research Directions


Certification authorities

CA generates

S = Sign(KB)

KB

Certification Authorities

  • Certification authority (CA): binds public key to particular entity, E.

  • An entity E registers its public key with CA.

    • E provides “proof of identity” to CA.

    • CA creates certificate binding E to its public key.

    • Certificate contains E’s public key AND the CA’s signature of E’s public key.

Bob’s

public

key

KB

certificate = Bob’s public key and signature by CA

CA

private

key

Bob’s

identifying information

K-1CA

Lecture 27: Research Directions


Setup channel with tls handshake

Setup Channel with TLS “Handshake”

  • Handshake Steps:

  • Clients and servers negotiate exact cryptographic protocols

  • Client’s validate public key certificate with CA public key.

  • Client encrypt secret random value with servers key, and send it as a challenge.

  • Server decrypts, proving it has the corresponding private key.

  • This value is used to derive symmetric session keys for encryption & MACs.

Lecture 27: Research Directions


What to take home

What to take home?

  • Internet design and growth => security challenges

  • Symmetric (pre-shared key, fast) and asymmetric (key pairs, slow) primitives provide:

    • Confidentiality

    • Integrity

    • Authentication

  • “Hybrid Encryption” leverages strengths of both.

  • Great complexity exists in securely acquiring keys.

  • Crypto is hard to get right, so use tools from others, don’t design your own (e.g. TLS).

  • Lecture 27: Research Directions


    Outline lec 25

    Outline – Lec 25

    • At every layer in the protocol stack!

    • Network-layer attacks

      • IP-level vulnerabilities

      • Routing attacks

    • Transport-layer attacks

      • TCP vulnerabilities

    • Application-layer attacks

    Lecture 27: Research Directions


    Ip level vulnerabilities

    IP-level vulnerabilities

    • IP addresses are provided by the source

      • Spoofing attacks!

    • Use of IP address for authentication

      • e.g., .rhosts allows remote login without explicit password authentication

    • Some IP features that have been exploited

      • Fragmentation

      • Broadcast for traffic amplification

    Lecture 27: Research Directions


    Routing attacks

    Routing attacks

    • Divert traffic to malicious nodes

      • Black-hole attack

      • Eavesdropping

    • How to implement routing attacks?

      • Distance-Vector

        • Announce low-cost routes

    • BGP vulnerabilities

      • Prefix hijacking

      • Path alteration

    Lecture 27: Research Directions


    Tcp level attacks

    TCP-level attacks

    • SYN-Floods

      • Implementations create state at servers before connection is fully established

      • Limited # slots get exhausted

    • Session hijack

      • Pretend to be a trusted host

      • Sequence number guessing

    • Session resets

      • Close a legitimate connection

    Lecture 27: Research Directions


    Denial of service

    Denial of Service

    • Make a service unusable, usually by overloading the server or network

    • Disrupt service by taking down hosts

      • E.g., ping-of-death

    • Consume host-level resources

      • E.g., SYN-floods

    • Consume network resources

      • E.g., UDP/ICMP floods

    Lecture 27: Research Directions


    Backscatter analysis

    Backscatter Analysis

    • Attacker is sending spoofed TCP SYN packets to www.haplessvictim.com

      • With spoofed address chosen at random

    • My network sees TCP SYN-ACKs from www.haplessvictim.com at rate R

    • What is the rate of the attack?

      • Assuming addresses chosen are uniform

      • (2^32/ Network Address space) * R

    Lecture 27: Research Directions


    Worm overview

    Worm Overview

    • Self-propagate through network

    • Typical Steps in Worm Propagation

      • Probe host for vulnerable software

      • Exploit the vulnerability

        • E.g., Sends bogus input (for buffer overflow)

        • Attacker can do anything that the privileges of the buggy program allow

      • Launches copy of itself on compromised host

    • Spread at exponential rate

      • 10M hosts in < 5 minutes

      • Hard to deal with manual intervention

    Lecture 27: Research Directions


    Probing techniques

    Probing Techniques

    • Random Scanning

    • Local Subnet Scanning

    • Routing Worm

    • Pre-generated Hit List

    • Topological

    Lecture 27: Research Directions


    Firewalls contd

    Firewalls (contd…)

    • Firewall inspects traffic through it

    • Allows traffic specified in the policy

    • Drops everything else

    • Two Types

      • Packet Filters, Proxies

    Internal Network

    Firewall

    Internet

    Lecture 27: Research Directions


    Sample firewall rule

    Client

    Server

    SYN

    SYN/ACK

    ACK

    SSH-1

    In

    Ext

    > 1023

    Int

    22

    TCP

    Any

    Allow

    SSH-2

    Out

    Int

    22

    Ext

    > 1023

    TCP

    Yes

    Alow

    Sample Firewall Rule

    • Allow SSH from external hosts to internal hosts

      • Two rules

        • Inbound and outbound

      • How to know a packet is for SSH?

        • Inbound: src-port>1023, dst-port=22

        • Outbound: src-port=22, dst-port>1023

        • Protocol=TCP

      • Ack Set?

      • Problems?

    Rule

    Dir

    Src Addr

    Src Port

    Dst Addr

    Dst Port

    Proto

    Ack Set?

    Action

    Lecture 27: Research Directions


    Summary

    Summary

    • Security vulnerabilities are real!

      • Protocol or implementation or bad specs

      • Poor programming practices

      • At all layers in protocol stack

    • DoS/DDoS

      • Resource utilization

    • Worm

      • Exponential spread

      • Scanning strategies

    • Firewall/IDS

      • Counter-measures to protect hosts

      • Fail-open vs. Fail-close?

    Lecture 27: Research Directions


    Outline lec 26

    Outline – Lec 26

    • Point to point wireless networks

      • Example: Your laptop to CMU wireless

      • Challenges:

        • Poor and variable link quality (makes TCP unhappy)

        • Many people can hear when you talk

      • Pretty well defined.

    • Ad hoc networks (wireless++)

      • Rooftop networks (multi-hop, fixed position)

      • Mobile ad hoc networks

      • Adds challenges: routing, mobility

      • Some deployment + some research

    • Sensor networks (ad hoc++)

      • Scatter 100s of nodes in a field / bridge / etc.

      • Adds challenge: Serious resource constraints

      • Current, popular, research.

    Lecture 27: Research Directions


    Tcp problems over noisy links

    TCP Problems Over Noisy Links

    • Wireless links are inherently error-prone

      • Fading, interference, attenuation -> Loss & errors

      • Errors often happen in bursts

    • TCP cannot distinguish between corruption and congestion

      • TCP unnecessarily reduces window, resulting in low throughput and high latency

    • Burst losses often result in timeouts

      • What does fast retransmit need?

    • Sender retransmission is the only option

      • Inefficient use of bandwidth

    Lecture 27: Research Directions


    Next csma cd does not work

    Next: CSMA/CD Does Not Work

    • Recall Aloha from many lectures ago

      • Wireless precursor to Ethernet.

    • Carrier sense problems

      • Relevant contention at the receiver, not sender

      • Hidden terminal

      • Exposed terminal

    • Collision detection problems

      • Hard to build a radio that can transmit and receive at same time

    Hidden

    Exposed

    A

    A

    B

    B

    C

    C

    D

    Lecture 27: Research Directions


    Traditional routing vs ad hoc

    Traditional Routing vs Ad Hoc

    • Traditional network:

      • Well-structured

      • ~O(N) nodes & links

      • All links work ~= well

    • Ad Hoc network

      • N^2 links - but many stink!

      • Topology may be really weird

        • Reflections & multipath cause strange interference

      • Change is frequent

    Lecture 27: Research Directions


    Sensor system types smart dust motes

    Sensor System Types – Smart-Dust/Motes

    • Hardware

      • UCB motes

      • 4 MHz CPU

      • 4 kB data RAM

      • 128 kB code

      • 50 kb/sec 917 Mhz radio

      • Sensors: light, temp.,

        • Sound, etc.,

      • And a battery.

    Lecture 27: Research Directions


  • Login