Announcement

1
Announcement

• Take-home final
• Final can be picked up in my office (Room 356)
  starting Monday, 3/14, 10am-1159am
• Final should be returned by Thursday 3/17,
  1159am
• Closed Book
• One 8.5 by 11 sheet of paper permitted (single
  side)
• Cover network layer, data link layer and network
  security

2
Last class

• CDMA and IEEE 802.11 wireless LANs
• Network security
• Today
• Network security (cont.)
• Review for final

3
What is network security?

• Confidentiality only sender, intended receiver
  should understand message contents
• sender encrypts message
• receiver decrypts message
• Authentication sender, receiver want to confirm
  identity of each other
• Message Integrity sender, receiver want to
  ensure message content not altered (in transit,
  or afterwards) without detection
• Access and Availability services must be
  accessible and available to users

4
The language of cryptography
Alices encryption key
Bobs decryption key
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext

• symmetric key crypto sender, receiver keys
  identical
• public-key crypto encryption key public,
  decryption key secret (private)

5
Public Key Cryptography

• symmetric key crypto
• requires sender, receiver know shared secret key
• Q how to agree on key in first place
  (particularly if never met)?

• public key cryptography
• radically different approach Diffie-Hellman76,
  RSA78
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver

6
Public key cryptography

Bobs public key
K
B
-
Bobs private key
K
B
encryption algorithm
decryption algorithm
plaintext message
plaintext message, m
ciphertext
7
Public key encryption algorithms
Requirements
.
.

-

• need K ( ) and K ( ) such that

B
B

given public key K , it should be impossible to
compute private key K
B
-
B

Also, given
it should be impossible to determine m
and
8
RSA Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n pq, z (p-1)(q-1)
3. Choose e (with eltn) that has no common
factors with z. (e, z are relatively prime).
4. Choose d such that ed-1 is exactly divisible
by z. (in other words ed mod z 1 ).
5. Public key is (n,e). Private key is (n,d).
9
RSA Encryption, decryption
0. Given (n,e) and (n,d) as computed above
2. To decrypt received bit pattern, c, compute
d
(i.e., remainder when c is divided by n)
Magic happens!
c
10
RSA example
Bob chooses p5, q7. Then n35, z24.
e5 (so e, z relatively prime). d29 (so ed-1
exactly divisible by z.
e
m
m
letter
encrypt
l
12
1524832
17
c
letter
decrypt
17
12
l
481968572106750915091411825223071697
11
RSA Why is that
Useful number theory result If p,q prime and n
pq, then
(using number theory result above)
(since we chose ed to be divisible by (p-1)(q-1)
with remainder 1 )
12
RSA another important property
The following property will be very useful later
use public key first, followed by private key
use private key first, followed by public key
Result is the same!
13
Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control firewalls
• Attacks and counter measures

14
Authentication

• Goal Bob wants Alice to prove her identity to
  him

Protocol ap1.0 Alice says I am Alice
I am Alice
Failure scenario??
15
Authentication

• Goal Bob wants Alice to prove her identity to
  him

Protocol ap1.0 Alice says I am Alice
in a network, Bob can not see Alice, so Trudy
simply declares herself to be Alice
I am Alice
16
Authentication another try
Protocol ap2.0 Alice says I am Alice in an IP
packet containing her source IP address
Failure scenario??
17
Authentication another try
Protocol ap2.0 Alice says I am Alice in an IP
packet containing her source IP address
Trudy can create a packet spoofing Alices
address
18
Authentication another try
Protocol ap3.0 Alice says I am Alice and sends
her secret password to prove it.
Failure scenario??
19
Authentication another try
Protocol ap3.0 Alice says I am Alice and sends
her secret password to prove it.
Alices password
Alices IP addr
Im Alice
playback attack Trudy records Alices packet and
later plays it back to Bob
20
Authentication yet another try
Protocol ap3.1 Alice says I am Alice and sends
her encrypted secret password to prove it.
Failure scenario??
21
Authentication another try
Protocol ap3.1 Alice says I am Alice and sends
her encrypted secret password to prove it.
encrypted password
Alices IP addr
record and playback still works!
Im Alice
22
Authentication yet another try
Goal avoid playback attack
Nonce number (R) used only once in-a-lifetime
ap4.0 to prove Alice live, Bob sends Alice
nonce, R. Alice must return R, encrypted with
shared secret key
I am Alice
R
Alice is live, and only Alice knows key to
encrypt nonce, so it must be Alice!
Failures, drawbacks?
23
Authentication ap5.0

• ap4.0 requires shared symmetric key
• can we authenticate using public key techniques?
• ap5.0 use nonce, public key cryptography

I am Alice
Bob computes
R
and knows only Alice could have the private key,
that encrypted R such that
send me your public key
24
ap5.0 security hole

• Man (woman) in the middle attack Trudy poses as
  Alice (to Bob) and as Bob (to Alice)

I am Alice
I am Alice
R
R
Send me your public key
Send me your public key
Trudy gets
sends m to Alice encrypted with Alices public key
25
ap5.0 security hole

• Man (woman) in the middle attack Trudy poses as
  Alice (to Bob) and as Bob (to Alice)

• Difficult to detect
• Bob receives everything that Alice sends, and
  vice versa. (e.g., so Bob, Alice can meet one
  week later and recall conversation)
• problem is that Trudy receives all messages as
  well!

26
Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control firewalls
• Attacks and counter measures

27
Firewalls
isolates organizations internal net from larger
Internet, allowing some packets to pass, blocking
others.
firewall


28
Firewalls Why

• prevent denial of service attacks
• SYN flooding attacker establishes many bogus TCP
  connections, no resources left for real
  connections.
• prevent illegal modification/access of internal
  data.
• e.g., attacker replaces CIAs homepage with
  something else
• allow only authorized access to inside network
  (set of authenticated users/hosts)
• two types of firewalls
• application-level
• packet-filtering

29
Packet Filtering
Should arriving packet be allowed in? Departing
packet let out?

• internal network connected to Internet via router
  firewall
• router filters packet-by-packet, decision to
  forward/drop packet based on
• source IP address, destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits

30
Packet Filtering

• Example 1 block incoming and outgoing datagrams
  with IP protocol field 17 and with either
  source or dest port 23.
• All incoming and outgoing UDP flows and telnet
  connections are blocked.
• Example 2 Block inbound TCP SYN packets.
• Prevents external clients from making TCP
  connections with internal clients, but allows
  internal clients to connect to outside.

31
Application gateways
gateway-to-remote host telnet session
host-to-gateway telnet session

• Filters packets on application data as well as on
  IP/TCP/UDP fields.
• Example allow select internal users to telnet
  outside.

application gateway
router and filter
1. Require all telnet users to telnet through
gateway. 2. For authorized users, gateway sets up
telnet connection to dest host. Gateway relays
data between 2 connections 3. Router filter
blocks all telnet connections not originating
from gateway.
32
Limitations of firewalls and gateways

• IP spoofing router cant know if data really
  comes from claimed source
• if multiple apps. need special treatment, each
  has own app. gateway.
• client software must know how to contact gateway.
• e.g., must set IP address of proxy in Web browser

• filters often use all or nothing policy for UDP.
• tradeoff degree of communication with outside
  world, level of security
• many highly protected sites still suffer from
  attacks.

33
Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control firewalls
• Attacks and counter measures

34
Internet security threats

• Mapping
• before attacking case the joint find out
  what services are implemented on network
• Use ping to determine what hosts have addresses
  on network
• Port-scanning try to establish TCP connection to
  each port in sequence
• Countermeasures?

35
Internet security threats

• Mapping countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, pots
  being scanned sequentially)

36
Internet security threats

• Packet sniffing
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g. C sniffs Bs packets

C
A
B
Countermeasures?
37
Internet security threats

• Packet sniffing countermeasures
• all hosts in organization run software that
  checks periodically if host interface in
  promiscuous mode.
• one host per segment of broadcast media (switched
  Ethernet at hub)

C
A
B
38
Internet security threats

• IP Spoofing
• can generate raw IP packets directly from
  application, putting any value into IP source
  address field
• receiver cant tell if source is spoofed
• e.g. C pretends to be B

C
A
B
Countermeasures?
39
Internet security threats

• IP Spoofing ingress filtering
• routers should not forward outgoing packets with
  invalid source addresses (e.g., datagram source
  address not in routers network)
• great, but ingress filtering can not be mandated
  for all networks

C
A
B
40
Internet security threats

• Denial of service (DOS)
• flood of maliciously generated packets swamp
  receiver
• Distributed DOS (DDOS) multiple coordinated
  sources swamp receiver
• e.g., C and remote host SYN-attack A

C
A
B
Countermeasures?
41
Internet security threats

• Denial of service (DOS) countermeasures
• filter out flooded packets (e.g., SYN) before
  reaching host throw out good with bad
• traceback to source of floods (most likely an
  innocent, compromised machine)

C
A
B
42
Review (1)

• Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
• The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP Internet Control Message Protocol
• IPv6
• NAT Network Address Translation

43
Review (2)

• Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP
• Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• Taking Turns Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
• Mobile and wireless networks, CDMA
• IEEE 802.11 wireless LANs

44
Review (3)

• What is network security?
• Principles of cryptography
• Symmetric Key
• Public Key
• Authentication
• Protocol evolution
• Access control firewalls
• Attacks and counter measures
• Packet sniffing
• IP spoofing
• DoS attacks

45
Routing Algorithm classification

• Global or decentralized information?
• Global
• all routers have complete topology, link cost
  info
• link state algorithms
• Decentralized
• router knows physically-connected neighbors, link
  costs to neighbors
• iterative process of computation, exchange of
  info with neighbors
• distance vector algorithms

• Static or dynamic?
• Static
• routes change slowly over time
• Dynamic
• routes change more quickly
• periodic update
• in response to link cost changes

46
Dijsktras Algorithm
1 Initialization 2 N' u 3 for all
nodes v 4 if v adjacent to u 5
then D(v) c(u,v) 6 else D(v) 8 7 8
Loop 9 find w not in N' such that D(w) is a
minimum 10 add w to N' 11 update D(v) for
all v adjacent to w and not in N' 12
D(v) min( D(v), D(w) c(w,v) ) 13 / new
cost to v is either old cost to v or known 14
shortest path cost to w plus cost from w to v /
15 until all nodes in N'
47
Dijkstras algorithm example
D(v),p(v) 2,u 2,u 2,u
D(x),p(x) 1,u
Step 0 1 2 3 4 5
D(w),p(w) 5,u 4,x 3,y 3,y
D(y),p(y) 8 2,x
N' u ux uxy uxyv uxyvw uxyvwz
D(z),p(z) 8 8 4,y 4,y 4,y
48
Distance vector algorithm (1)

• Basic idea
• Each node periodically sends its own distance
  vector estimate to neighbors
• When a node x receives new DV estimate from
  neighbor, it updates its own DV using B-F
  equation

Dx(y) ? minvc(x,v) Dv(y) for each node y ?
N

• Under minor, natural conditions, the estimate
  Dx(y) converge the actual least cost dx(y)

49
Distance Vector Algorithm (2)

• Iterative, asynchronous each local iteration
  caused by
• local link cost change
• DV update message from neighbor
• Distributed
• each node notifies neighbors only when its DV
  changes
• neighbors then notify their neighbors if
  necessary
• The algorithm doesnt know the entire path only
  knows the next hop

Each node
50
Dx(z) minc(x,y) Dy(z), c(x,z)
Dz(z) min21 , 70 3
Dx(y) minc(x,y) Dy(y), c(x,z) Dz(y)
min20 , 71 2
node x table
cost to
cost to
x y z
x y z
x
0 2 3
x
0 2 3
y
from
2 0 1
y
from
2 0 1
z
7 1 0
z
3 1 0
node y table
cost to
cost to
cost to
x y z
x y z
x y z
x
8
8
x
0 2 7
x
0 2 3
8 2 0 1
y
y
from
y
2 0 1
from
from
2 0 1
z
z
8
8
8
z
7 1 0
3 1 0
node z table
cost to
cost to
cost to
x y z
x y z
x y z
x
0 2 3
x
0 2 7
x
8 8 8
y
y
2 0 1
from
from
y
2 0 1
from
8
8
8
z
z
z
3 1 0
3 1 0
7
1
0
time
51
The Internet Network layer

• Host, router network layer functions

Transport layer TCP, UDP
Network layer
Link layer
physical layer
52
IP datagram format

• how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• 40 bytes app layer overhead

53
IP Addressing introduction
223.1.1.1

• IP address 32-bit identifier for host, router
  interface
• interface connection between host/router and
  physical link
• routers typically have multiple interfaces
• host may have multiple interfaces
• IP addresses associated with each interface

223.1.2.9
223.1.1.4
223.1.1.3
223.1.1.1 11011111 00000001 00000001 00000001
223
1
1
1
54
Subnets
223.1.1.1

• IP address
• subnet part (high order bits)
• host part (low order bits)
• Whats a subnet ?
• device interfaces with same subnet part of IP
  address
• can physically reach each other without
  intervening router

223.1.2.1
223.1.1.2
223.1.2.9
223.1.1.4
223.1.2.2
223.1.1.3
223.1.3.27
LAN
223.1.3.2
223.1.3.1
network consisting of 3 subnets
55
IP addressing CIDR

• Before CIDR only 8-, 16-, and 24- bit masks were
  available (A, B, and C class networks)
• CIDR Classless InterDomain Routing
• subnet portion of address of arbitrary length
• address format a.b.c.d/x, where x is bits in
  subnet portion of address

56
NAT Network Address Translation
rest of Internet
local network (e.g., home network) 10.0.0/24
10.0.0.1
10.0.0.4
10.0.0.2
138.76.29.7
10.0.0.3
Datagrams with source or destination in this
network have 10.0.0/24 address for source,
destination (as usual)
All datagrams leaving local network have same
single source NAT IP address 138.76.29.7, differe
nt source port numbers
57
NAT Network Address Translation
NAT translation table WAN side addr LAN
side addr
138.76.29.7, 5001 10.0.0.1, 3345

10.0.0.1
10.0.0.4
10.0.0.2
138.76.29.7
10.0.0.3
4 NAT router changes datagram dest addr
from 138.76.29.7, 5001 to 10.0.0.1, 3345
3 Reply arrives dest. address 138.76.29.7,
5001
58
Hierarchical Routing

• Our routing study thus far - idealization
• all routers identical
• network flat
• not true in practice

• scale with 200 million destinations
• cant store all dests in routing tables!
• routing table exchange would swamp links!

• administrative autonomy
• internet network of networks
• each network admin may want to control routing in
  its own network

59
Hierarchical Routing

• aggregate routers into regions, autonomous
  systems (AS)
• routers in same AS run same routing protocol
• intra-AS routing protocol
• routers in different AS can run different
  intra-AS routing protocol

• Gateway router
• Direct link to router in another AS

60
Interconnected ASes

• Forwarding table is configured by both intra- and
  inter-AS routing algorithm
• Intra-AS sets entries for internal dests
• Inter-AS Intra-As sets entries for external
  dests

61
Routing in the Internet

• Routing in the Internet
• Intra-AS routing RIP and OSPF
• Inter-AS routing BGP

62
RIP ( Routing Information Protocol)

• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric of hops (max 15 hops)
• of hops of subnets traversed along the
  shortest path from src. router to dst. subnet
  (e.g., src. A)

63
RIP advertisements

• Distance vectors exchanged among neighbors every
  30 sec via Response Message (also called
  advertisement)
• Each advertisement list of up to 25 destination
  nets within AS

64
OSPF (Open Shortest Path First)

• open publicly available
• Uses Link State algorithm
• LS packet dissemination
• Topology map at each node
• Route computation using Dijkstras algorithm
• Link costs configured by the network
  administrator
• OSPF advertisement carries one entry per neighbor
  router
• Advertisements disseminated to entire AS (via
  flooding)
• Carried in OSPF messages directly over IP (rather
  than TCP or UDP

65
OSPF advanced features (not in RIP)

• Security all OSPF messages authenticated (to
  prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path
  in RIP)
• For each link, multiple cost metrics for
  different TOS (e.g., satellite link cost set
  low for best effort high for real time)
• Integrated uni- and multicast support
• Multicast OSPF (MOSPF) uses same topology data
  base as OSPF
• Hierarchical OSPF in large domains.

66
Hierarchical OSPF
67
Hierarchical OSPF

• Two-level hierarchy local area, backbone.
• Link-state advertisements only in area
• each node has detailed area topology
• Area border routers summarize distances to
  nets in own area, advertise to other Area Border
  routers.
• Backbone routers run OSPF routing limited to
  backbone.
• Boundary routers connect to other ASs.

68
Internet inter-AS routing BGP

• BGP (Border Gateway Protocol) the de facto
  standard
• BGP provides each AS a means to
• Obtain subnet reachability information from
  neighboring ASs.
• Propagate the reachability information to all
  routers internal to the AS.
• Determine good routes to subnets based on
  reachability information and policy.
• Allows a subnet to advertise its existence to
  rest of the Internet I am here

69
BGP basics

• Pairs of routers (BGP peers) exchange routing
  info over TCP conections BGP sessions
• Note that BGP sessions do not correspond to
  physical links.
• When AS2 advertises a prefix to AS1, AS2 is
  promising it will forward any datagrams destined
  to that prefix towards the prefix.
• AS2 can aggregate prefixes in its advertisement

70
Path attributes BGP routes

• When advertising a prefix, advert includes BGP
  attributes.
• prefix attributes route
• Two important attributes
• AS-PATH contains the ASs through which the
  advert for the prefix passed AS 67 AS 17
• NEXT-HOP Indicates the specific internal-AS
  router to next-hop AS. (There may be multiple
  links from current AS to next-hop-AS.)
• When gateway router receives route advert, uses
  import policy to accept/decline.

71
Why different Intra- and Inter-AS routing ?

• Policy
• Inter-AS admin wants control over how its
  traffic routed, who routes through its net.
• Intra-AS single admin, so no policy decisions
  needed
• Scale
• hierarchical routing saves table size, reduced
  update traffic
• Performance
• Intra-AS can focus on performance
• Inter-AS policy may dominate over performance

72
Data Link Layer

• Some terminology
• hosts and routers are nodes
• communication channels that connect adjacent
  nodes along communication path are links
• wired links
• wireless links
• LANs
• layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of
transferring datagram from one node to adjacent
node over a link
73
Link Layer Services

• Framing, link access
• encapsulate datagram into frame, adding header,
  trailer
• channel access if shared medium
• MAC addresses used in frame headers to identify
  source, dest
• different from IP address!
• Reliable delivery between adjacent nodes
• we learned how to do this already (chapter 3)!
• seldom used on low bit error link (fiber, some
  twisted pair)
• wireless links high error rates
• Q why both link-level and end-end reliability?

74
MAC Protocols a taxonomy

• Three broad classes
• Channel Partitioning
• divide channel into smaller pieces (time slots,
  frequency, code)
• allocate piece to node for exclusive use
• Random Access
• channel not divided, allow collisions
• recover from collisions
• Taking turns
• Nodes take turns, but nodes with more to send can
  take longer turns

75
Channel Partitioning MAC protocols TDMA

• TDMA time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length pkt
  trans time) in each round
• unused slots go idle
• example 6-station LAN, 1,3,4 have pkt, slots
  2,5,6 idle
• TDM (Time Division Multiplexing) channel divided
  into N time slots, one per user inefficient with
  low duty cycle users and at light load.
• FDM (Frequency Division Multiplexing) frequency
  subdivided.

76
Slotted ALOHA

• Pros
• single active node can continuously transmit at
  full rate of channel
• highly decentralized only slots in nodes need to
  be in sync
• simple

• Cons
• collisions, wasting slots
• idle slots
• clock synchronization

77
Slotted Aloha efficiency

• For max efficiency with N nodes, find p that
  maximizes Np(1-p)N-1
• For many nodes, take limit of Np(1-p)N-1 as N
  goes to infinity, gives 1/e .37

Efficiency is the long-run fraction of
successful slots when there are many nodes, each
with many frames to send

• Suppose N nodes with many frames to send, each
  transmits in slot with probability p
• prob that node 1 has success in a slot
  p(1-p)N-1
• prob that there is a success Np(1-p)N-1

At best channel used for useful transmissions
37 of time!
78
CSMA (Carrier Sense Multiple Access)

• CSMA listen before transmit
• If channel sensed idle transmit entire frame
• If channel sensed busy, defer transmission
• Human analogy dont interrupt others!

79
CSMA collisions
spatial layout of nodes
collisions can still occur propagation delay
means two nodes may not hear each others
transmission
collision entire packet transmission time wasted
note role of distance propagation delay in
determining collision probability
80
CSMA/CD (Collision Detection)

• CSMA/CD carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel
  wastage
• collision detection
• easy in wired LANs measure signal strengths,
  compare transmitted, received signals
• difficult in wireless LANs receiver shut off
  while transmitting

81
CSMA/CD collision detection
82
Taking Turns MAC protocols

• Token passing
• control token passed from one node to next
  sequentially.
• token message
• concerns
• token overhead
• latency
• single point of failure (token)

• Polling
• master node invites slave nodes to transmit in
  turn
• concerns
• polling overhead
• latency
• single point of failure (master)

83
ARP Address Resolution Protocol

• Each IP node (Host, Router) on LAN has ARP table
• ARP Table IP/MAC address mappings for some LAN
  nodes
• lt IP address MAC address TTLgt
• TTL (Time To Live) time after which address
  mapping will be forgotten (typically 20 min)

237.196.7.78
1A-2F-BB-76-09-AD
237.196.7.23
237.196.7.14
LAN
71-65-F7-2B-08-53
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
237.196.7.88
84
ARP protocol Same LAN (network)

• A wants to send datagram to B, and Bs MAC
  address not in As ARP table.
• A broadcasts ARP query packet, containing B's IP
  address
• Dest MAC address FF-FF-FF-FF-FF-FF
• all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its
  (B's) MAC address
• frame sent to As MAC address (unicast)

• A caches (saves) IP-to-MAC address pair in its
  ARP table until information becomes old (times
  out)
• soft state information that times out (goes
  away) unless refreshed
• ARP is plug-and-play
• nodes create their ARP tables without
  intervention from net administrator

85
Routing to another LAN

• walkthrough send datagram from A to B via R
• assume A knows Bs IP
  address
• Two ARP tables in router R, one for each IP
  network (LAN)
• In routing table at source Host, find router
  111.111.111.110
• In ARP table at source, find MAC address
  E6-E9-00-17-BB-4B, etc

A
R
B
86

• A creates datagram with source A, destination B
• A uses ARP to get Rs MAC address for
  111.111.111.110
• A creates link-layer frame with R's MAC address
  as dest, frame contains A-to-B IP datagram
• As adapter sends frame
• Rs adapter receives frame
• R removes IP datagram from Ethernet frame, sees
  its destined to B
• R uses ARP to get Bs MAC address
• R creates frame containing A-to-B IP datagram
  sends to B

A
R
B
87
Ethernet uses CSMA/CD

• No slots
• adapter doesnt transmit if it senses that some
  other adapter is transmitting, that is, carrier
  sense
• transmitting adapter aborts when it senses that
  another adapter is transmitting, that is,
  collision detection

• Before attempting a retransmission, adapter waits
  a random time, that is, random access

88
Ethernet CSMA/CD algorithm

• 1. Adaptor receives datagram from net layer
  creates frame
• 2. If adapter senses channel idle, it starts to
  transmit frame. If it senses channel busy, waits
  until channel idle and then transmits
• 3. If adapter transmits entire frame without
  detecting another transmission, the adapter is
  done with frame !

• 4. If adapter detects another transmission while
  transmitting, aborts and sends jam signal (48
  bits)
• 5. After aborting, adapter enters exponential
  backoff after the mth collision, adapter chooses
  a K at random from 0,1,2,,2m-1.
• Adapter waits K?512 bit times and returns to
  Step 2

89
Ethernets CSMA/CD (more)

• Jam Signal make sure all other transmitters are
  aware of collision 48 bits
• Bit time .1 microsec for 10 Mbps Ethernet for
  K1023, wait time is about 50 msec

• Exponential Backoff
• Goal adapt retransmission attempts to estimated
  current load
• heavy load random wait will be longer
• first collision choose K from 0,1 delay is K?
  512 bit transmission times
• after second collision choose K from 0,1,2,3
• after ten collisions, choose K from
  0,1,2,3,4,,1023

90
CSMA/CD efficiency

• Tprop max prop between 2 nodes in LAN
• ttrans time to transmit max-size frame
• Efficiency goes to 1 as tprop goes to 0
• Goes to 1 as ttrans goes to infinity
• Much better than ALOHA, but still decentralized,
  simple, and cheap

91
Hubs

• Hubs are essentially physical-layer repeaters
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub adapters detect collisions
• provides net management functionality
• can disconnect a malfunctioning adapter

92
Interconnecting with hubs

• Pros
• Enables interdepartmental communication
• Extends max distance btw. nodes
• If a hub malfunctions, the backbone hub can
  disconnect it

• Cons
• Collision domains are transferred into one large,
  common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

hub
hub
hub
hub
93
Switch

• Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards
  frame based on MAC dest address
• when frame is to be forwarded on segment, uses
  CSMA/CD to access segment
• transparent
• hosts are unaware of presence of switches
• plug-and-play, self-learning
• switches do not need to be configured

94
Forwarding
1
3
2

• How to determine onto which LAN segment to
  forward frame?
• Looks like a routing problem...

95
Self learning

• A switch has a switch table
• entry in switch table
• (MAC Address, Interface, Time Stamp)
• stale entries in table dropped (TTL can be 60
  min)
• switch learns which hosts can be reached through
  which interfaces
• when frame received, switch learns location of
  sender incoming LAN segment
• records sender/location pair in switch table

96
Switch traffic isolation

• switch installation breaks subnet into LAN
  segments
• switch filters packets
• same-LAN-segment frames not usually forwarded
  onto other LAN segments
• segments become separate collision domains

collision domain
collision domain
collision domain
97
Switches vs. Routers

• both store-and-forward devices
• routers network layer devices (examine network
  layer headers)
• switches are link layer devices
• routers maintain routing tables, implement
  routing algorithms
• switches maintain switch tables, implement
  filtering, learning algorithms

98
Summary comparison
99
Wireless network characteristics

• Multiple wireless senders and receivers create
  additional problems (beyond multiple access)

• Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
• means A, C unaware of their interference at B

• Signal fading
• B, A hear each other
• B, C hear each other
• A, C can not hear each other interferring at B

100
IEEE 802.11 Wireless LAN

• 802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in
  physical layer
• all hosts use same chipping code
• widely deployed, using base stations

• 802.11a
• 5-6 GHz range
• up to 54 Mbps
• 802.11g
• 2.4-5 GHz range
• up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions

101
802.11 LAN architecture

• wireless host communicates with base station
• base station access point (AP)
• Basic Service Set (BSS) (aka cell) in
  infrastructure mode contains
• wireless hosts
• access point (AP) base station
• ad hoc mode hosts only

hub, switch or router
BSS 1
BSS 2
102
IEEE 802.11 MAC Protocol CSMA/CA

• 802.11 sender
• 1 if sense channel idle for DIFS then
• transmit entire frame (no CD)
• 2 if sense channel busy then
• - start random backoff time
• - timer counts down while channel idle
• - transmit when timer expires
• - if no ACK, increase random backoff interval,
  repeat 2
• 802.11 receiver
• - if frame received OK
• return ACK after SIFS (ACK needed due to
  hidden terminal problem)

sender
receiver
103
Collision Avoidance RTS-CTS exchange
A
B
AP
defer
time
104
802.11 frame addressing
Address 4 used only in ad hoc mode
Address 1 MAC address of wireless host or AP to
receive this frame
Address 3 MAC address of router interface to
which AP is attached
Address 2 MAC address of wireless host or AP
transmitting this frame
105
802.11 frame addressing
H1
R1
106
Network Security

• What is network security?
• Principles of cryptography
• Symmetric Key
• Public Key
• Authentication
• Protocol evolution
• Access control firewalls
• Attacks and counter measures
• Packet sniffing
• IP spoofing
• DoS attacks