Lecture-03-overview security

  • 57 pages
  • .pdf file
Important Concepts in Computer Networking
Dr. Nguyen Tuan Nam
Sequence number (SEQ)
• Used in many protocols
• Stamped in the header of each packet
• Purpose
– To distinguish between 2 packets from the same host (like an ID or national identity card number)
– To put packets in the correct order
• Example?
WNC 2010 2
TCP - Connection Establishment
• Client-Server
• 3-way handshake
– Client → Server: Connection Request (SYN=1; SEQ=client_seq)
– Server → Client: Connection Granted (SYN=1, ACK flag set; SEQ=server_seq, ACK=client_seq + 1)
– Client → Server: ACK (SYN=0; SEQ=client_seq + 1, ACK=server_seq + 1)
• How many packets are needed to set up the connection?
• SYN attack
– Half-open connections: the attacker sends many SYNs and never sends the final ACK, so the server holds state for each one until its backlog is full
• How to prevent a SYN attack?
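The handshake above, the half-open state a SYN flood leaves behind, and the usual stateless answer to the "how to prevent" question, as an added simulation that is not part of the lecture. NaiveServer remembers every SYN in a small backlog until the third packet arrives, so ten never-completed SYNs lock a legitimate client out; CookieServer stores nothing and instead makes its initial sequence number a keyed hash of the peer and a coarse counter (a SYN cookie), verifying the final ACK by recomputing it. The secret key, backlog size, counter value and addresses are assumed demo values, and real SYN cookies also encode the MSS, which is omitted here.

```python
"""Three-way handshake, half-open state under a SYN flood, and SYN cookies.

Added example, not from the lecture. Secret, backlog, counter and addresses
are assumed demo values; real SYN cookies also encode the MSS.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SECRET = b"demo-secret-do-not-reuse"   # assumed server key (random and rotated in practice)


@dataclass
class Segment:
    src: str
    sport: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False


@dataclass
class NaiveServer:
    """Classic stateful handshake: remembers every SYN until its ACK arrives."""
    backlog: int = 4                              # assumed tiny backlog for the demo
    server_isn: int = 1000
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)

    def recv(self, seg):
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack_flag:          # Connection Request
            if len(self.half_open) >= self.backlog:
                return None                        # backlog full: SYN silently dropped
            self.half_open[key] = self.server_isn
            return Segment("server", 80, self.server_isn, seg.seq + 1, syn=True, ack_flag=True)
        if seg.ack_flag and key in self.half_open:  # third packet of the handshake
            if seg.ack == self.half_open[key] + 1:
                del self.half_open[key]
                self.established.add(key)
        return None


def syn_cookie(src, sport, client_seq, counter):
    """Server ISN carrying a MAC of the peer plus a counter, instead of stored state."""
    msg = f"{src}:{sport}:{client_seq}:{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")  # 8-bit counter, 24-bit MAC


@dataclass
class CookieServer:
    """Stateless handshake: nothing is stored until a valid ACK proves the SYN was real."""
    counter: int = 7                              # assumed coarse time counter
    established: set = field(default_factory=set)

    def recv(self, seg):
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack_flag:
            isn = syn_cookie(seg.src, seg.sport, seg.seq, self.counter)
            return Segment("server", 80, isn, seg.seq + 1, syn=True, ack_flag=True)
        if seg.ack_flag and not seg.syn:
            # Final ACK carries SEQ=client_seq+1 and ACK=server_isn+1: recompute and compare.
            for c in (self.counter, self.counter - 1):   # also accept the previous counter window
                if seg.ack - 1 == syn_cookie(seg.src, seg.sport, seg.seq - 1, c):
                    self.established.add(key)
                    return True
            return False                           # forged or stale ACK; no state was ever held
        return None


def handshake(server, src, sport, client_seq=0x1234):
    """Run a full client handshake against either server; True if it reaches ESTABLISHED."""
    synack = server.recv(Segment(src, sport, client_seq, 0, syn=True))
    if synack is None:
        return False
    server.recv(Segment(src, sport, client_seq + 1, synack.seq + 1, ack_flag=True))
    return (src, sport) in server.established


def syn_flood(server, n):
    """Attacker: n SYNs from distinct (spoofed) sources, never followed by an ACK."""
    for i in range(n):
        server.recv(Segment(f"10.0.0.{i}", 40000 + i, i, 0, syn=True))


def demo():
    naive = NaiveServer()
    syn_flood(naive, 10)
    naive_ok = handshake(naive, "192.0.2.9", 5555)      # legitimate client after the flood
    cookie = CookieServer()
    syn_flood(cookie, 10)
    cookie_ok = handshake(cookie, "192.0.2.9", 5555)
    # A blind attacker never saw the SYN-ACK, so it cannot supply server_isn + 1.
    forged = cookie.recv(Segment("192.0.2.9", 5556, 1, 0, ack_flag=True))
    return {"naive_half_open": len(naive.half_open), "naive_ok": naive_ok,
            "cookie_ok": cookie_ok, "forged_accepted": forged}


if __name__ == "__main__":
    print(demo())
```

The count of half-open entries after the flood equals the backlog, which is exactly what a real kernel reports when its SYN queue overflows; the cookie server has no such counter to fill, and a forged third packet costs it one hash computation and nothing else.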
TCP - Data Sending
• ACK for reliability
• ACK can be piggybacked: a segment carrying an ACK may also contain data
– Client → Server: Data [SYN=0; SEQ=70; 10 bytes of data]
– Server → Client: ACK=80 (may contain data)
– Client → Server: Data [SYN=0; SEQ=80; 20 bytes of data]
– Server → Client: ACK=100
TCP - Data Sending
• ACK missing
– Client → Server: Data [SYN=0; SEQ=70; 10 bytes of data]
– Server → Client: ACK=80 (lost on the way back)
– Client: timeout, then retransmit Data [SYN=0; SEQ=70; 10 bytes of data]
– Server → Client: ACK=80
TCP - Cumulative ACK
• The ACK number names the next byte expected, i.e. the byte after the last in-order byte received
– Client → Server: SEQ=70; 10 bytes of data
– Client → Server: SEQ=80; 20 bytes of data
– Server → Client: ACK=80
– Server → Client: ACK=100
– Client → Server: SEQ=100; 10 bytes of data
– Server → Client: ACK=110
TCP - Cumulative ACK
• Duplicate ACK?
– Client → Server: SEQ=70; 10 bytes of data
– Client → Server: SEQ=80; 20 bytes of data (lost or delayed)
– Client → Server: SEQ=100; 20 bytes of data
– Server → Client: ACK=80
– Server → Client: ACK=80 (duplicate: segment 100 arrived, but byte 80 is still missing)
• Fast retransmit
– 3 duplicate ACKs
– Retransmit before timeout
– Why not 2?
– Cheating?
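The cumulative-ACK and fast-retransmit behaviour of the two slides above, as an added simulation that is not part of the lecture. The receiver ACKs the next byte it expects and buffers out-of-order segments; the sender counts duplicate ACKs and retransmits the missing segment after the third one (the RFC 5681 threshold) without waiting for the retransmission timer. The slide's trace (SEQ 70/80/100) only produces two duplicates, so this run sends five segments and loses the one at SEQ 80; that loss pattern is an assumption chosen to reach three duplicates.

```python
"""Cumulative ACK, duplicate ACKs and fast retransmit, simulated end to end.

Added example, not from the lecture. Segment sizes and the lost segment
(SEQ 80) are assumed to mirror and extend the slide's trace.
"""


class Receiver:
    def __init__(self, first_seq):
        self.expected = first_seq     # next in-order byte wanted: this is the ACK number
        self.buffer = {}              # seq -> length, out-of-order segments held for later
        self.delivered = []           # (seq, length) in the order handed to the application

    def recv(self, seq, length):
        if seq == self.expected:
            self._deliver(seq, length)
            while self.expected in self.buffer:     # drain segments that are now contiguous
                self._deliver(self.expected, self.buffer.pop(self.expected))
        elif seq > self.expected:
            self.buffer[seq] = length   # hold it; the ACK keeps naming the hole
        # seq < expected: duplicate of data already delivered, just re-ACK
        return self.expected            # cumulative ACK: everything below it has arrived

    def _deliver(self, seq, length):
        self.delivered.append((seq, length))
        self.expected += length


class Sender:
    DUP_THRESHOLD = 3   # why not 2: mild reordering alone also yields a duplicate or two

    def __init__(self, segments):
        self.segments = dict(segments)      # seq -> length
        self.snd_una = min(self.segments)   # oldest unacknowledged byte
        self.dup_acks = 0
        self.log = []

    def on_ack(self, ack):
        """Return a seq to retransmit immediately, or None."""
        if ack > self.snd_una:          # new data acknowledged
            self.snd_una = ack
            self.dup_acks = 0
            return None
        if ack == self.snd_una:         # duplicate: receiver is still missing byte snd_una
            self.dup_acks += 1
            if self.dup_acks == self.DUP_THRESHOLD:
                self.log.append(f"fast retransmit seq={ack}")
                return ack
        return None


def run(loss=frozenset({80})):
    """Send the segments in order, dropping those whose seq is in `loss`."""
    segs = [(70, 10), (80, 20), (100, 20), (120, 20), (140, 20)]
    snd, rcv, trace = Sender(segs), Receiver(70), []
    for seq, ln in segs:
        if seq in loss:
            trace.append(f"send {seq}: lost")
            continue
        ack = rcv.recv(seq, ln)
        trace.append(f"send {seq} -> ACK {ack}")
        retx = snd.on_ack(ack)
        if retx is not None:
            ack = rcv.recv(retx, snd.segments[retx])
            trace.append(f"retransmit {retx} -> ACK {ack}")
            snd.on_ack(ack)
    return snd, rcv, trace


if __name__ == "__main__":
    for line in run()[2]:
        print(line)
```

On the "Cheating?" prompt: nothing in this exchange authenticates an ACK, so a receiver that sends three copies of ACK=80 on its own can make the sender retransmit at will, and one that acknowledges bytes it never received can make the sender discard data it can no longer recover. A sender that wants to resist this has to check that a duplicate ACK is plausible (for instance, that it acknowledges data actually sent) rather than trust the count alone.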
TCP - Closing
• Either side can end the connection
– Client → Server: FIN
– Server → Client: ACK
– Server → Client: FIN
– Client → Server: ACK
• Full-duplex: each direction is closed separately, so one side may keep sending after the other has sent its FIN
IP - Fragmentation
• IP max packet size = 64KB (65535 bytes, header included)
• Breaking up of a single IP packet into 2 or more IP packets of smaller size
– The transmission medium has a limit on the maximum size of a frame (MTU). Why?
– Possible to avoid fragmentation? (every host must accept a 576-byte datagram; keeping the payload below 536 bytes → packet sizes of ~512 to 536 bytes)
• Where can it be fragmented?
– Source
– Intermediate router
• Where can fragments be reassembled? Why? (only at the destination host: fragments may take different paths, so no intermediate router is guaranteed to see all of them)
Example of IP Fragmentation
• Datagram carrying 3980 bytes of data (plus a 20-byte IP header)
• MTU = 1500 bytes, so each fragment carries at most 1480 bytes of data (1500 - 20, which is also a multiple of 8)
• SEQ (identification field) = 245

Fragment   Data size    ID    Offset (bytes)   Flag
1st        1480 bytes   245   0                1 (more fragments)
2nd        1480 bytes   245   1480             1 (more fragments)
3rd        1020 bytes   245   2960             0 (no more)

• On the wire the offset field counts 8-byte units, so the three headers carry 0, 185 and 370
IP - Fragmentation (cont.)
• DF (Don't Fragment) bit: can be set to allow/not allow fragmentation
• If the bit is set to "Don't fragment" and packet size > MTU, what happens? (the router drops the packet and sends ICMP Destination Unreachable, "fragmentation needed", back to the source)
• Will all fragments go through the same path?
• Will all fragments arrive at the destination in the correct order? How to determine the size of the original IP packet? (from the fragment with "more fragments" = 0: its offset plus its length)
• Multiple fragmentations if the packet goes through multiple links with different MTUs
Issues with IP Fragmentation
• CPU & memory overhead
– Sender (splitting)
– Receiver (buffering fragments until the whole datagram has arrived)
• Fragment loss: losing any one fragment loses the whole datagram
– NFS datagram ~ 8500 bytes
– Ethernet MTU ~ 1500 bytes → 6 fragments
– If the link drops one in six packets → what are the odds that the NFS data can be transferred over this link? (all 6 fragments must arrive: (5/6)^6 ≈ 0.33)
• Firewall
– Layer 4 or higher information (ports, TCP flags) is present only in the first fragment
– Non-initial fragments carry no port numbers, so a filter that matches on ports must either track fragments by ID or drop them
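The fragmentation example, the "how to determine the original size" question and the fragment-loss arithmetic of the last three slides, as an added worked implementation that is not part of the lecture. fragment() reproduces the slide's numbers (3980 data bytes, MTU 1500, ID 245) and the general rule that the offset field counts 8-byte units, so every non-final fragment carries a multiple of 8 data bytes; reassemble() accepts fragments in any order, takes the original size from the fragment with MF=0, and rejects the malformed sets a receiving stack must refuse (overlapping fragments, data after the final fragment, and any fragment that would push the datagram past 65535 bytes); delivery_probability() is the NFS-over-Ethernet calculation. A 20-byte header with no options is assumed throughout.

```python
"""IPv4 fragmentation, reassembly, and the checks a receiving stack must make.

Added example, not from the lecture. Assumes a 20-byte IP header (no options).
"""

IP_HDR = 20
IP_MAX = 65535


def fragment(data_len, mtu, ident, df=False):
    """Split a datagram; returns [(ident, offset_bytes, data_len, more_fragments), ...]."""
    if data_len + IP_HDR <= mtu:
        return [(ident, 0, data_len, False)]     # fits: no fragmentation needed
    if df:
        # A router in this situation drops the packet and sends ICMP type 3 code 4
        raise ValueError("DF set and packet > MTU: fragmentation needed")
    per_frag = ((mtu - IP_HDR) // 8) * 8           # largest multiple of 8 that fits
    frags, off = [], 0
    while off < data_len:
        ln = min(per_frag, data_len - off)
        frags.append((ident, off, ln, off + ln < data_len))
        off += ln
    return frags


def offset_field(offset_bytes):
    """Value of the 13-bit fragment-offset header field for a byte offset."""
    if offset_bytes % 8:
        raise ValueError("fragment offsets must be multiples of 8 bytes")
    return offset_bytes // 8


def reassemble(frags):
    """Return {ident: original_data_len} for complete datagrams, None if a piece is still missing.

    Raises ValueError for overlapping, trailing or oversize fragments."""
    by_id = {}
    for ident, off, ln, more in frags:
        by_id.setdefault(ident, []).append((off, ln, more))
    sizes = {}
    for ident, parts in by_id.items():
        parts.sort()                               # arrival order does not matter
        expected, total = 0, None
        for off, ln, more in parts:
            if off + ln + IP_HDR > IP_MAX:        # reject oversize before buffering anything
                raise ValueError(f"id {ident}: fragment at {off} exceeds {IP_MAX}-byte limit")
            if total is not None:
                raise ValueError(f"id {ident}: data after the final fragment")
            if off < expected:
                raise ValueError(f"id {ident}: overlapping fragment at offset {off}")
            if off > expected:
                return None                        # hole: a fragment has not arrived yet
            expected = off + ln
            if not more:
                total = expected                   # the MF=0 fragment fixes the original size
        if total is None:
            return None                            # last fragment still missing
        sizes[ident] = total
    return sizes


def delivery_probability(data_len, mtu, drop_rate):
    """(fragment count, chance the whole datagram arrives) with independent per-fragment loss."""
    n = len(fragment(data_len, mtu, ident=0))
    return n, (1 - drop_rate) ** n


if __name__ == "__main__":
    parts = fragment(3980, 1500, 245)
    print(parts, reassemble(list(reversed(parts))))
    print(delivery_probability(8500, 1500, 1 / 6))
```

The two ValueError paths are the ones that matter for a firewall or host stack: overlapping fragments are how old "teardrop"-style attacks confused reassembly code, and an offset near the top of the 13-bit field combined with a full-size fragment is how a reassembled datagram can exceed 65535 bytes. Checking the bound per fragment, before anything is buffered, is cheaper than discovering the problem after allocating the buffer.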
Avoiding IP Fragmentation
• TCP - MSS (Maximum Segment Size):
– Negotiated between the 2 end hosts (each side advertises its MSS in its SYN)
– Packets still can be fragmented? (yes: the MSS reflects each host's own link, not a smaller MTU on a router in between)
Client - Router R1 - Router R2 - Server
• PMTUD:
– Relies on ICMP "Destination Unreachable" (fragmentation needed) from the router that cannot forward the packet
– In practice used mainly by TCP
– ICMP may get dropped by routers/firewalls, leaving a PMTU black hole
Big Picture (FTP example)
• Client: an image file (1KB) needs to be sent to the server; FTP hands it to TCP as two 512-byte chunks
• Client, to send to the next router R1:
  512 bytes
  TCP header | 512 bytes
  IP header | TCP header | 512 bytes
  MAC header | IP header | TCP header | 512 bytes   (MAC destination = R1)
• Router R1, to send to the next router R2: strip the MAC header, forward on the IP header, add a new MAC header
  IP header | TCP header | 512 bytes
  MAC header | IP header | TCP header | 512 bytes   (MAC destination = R2)
• Router R2, to send to the server: same again
  IP header | TCP header | 512 bytes
  MAC header | IP header | TCP header | 512 bytes   (MAC destination = Server)
• Server: strips one header per layer until only the 512 bytes of file data remain
  MAC header | IP header | TCP header | 512 bytes
  IP header | TCP header | 512 bytes
  TCP header | 512 bytes
  512 bytes
Quiz
• If at the data link layer the MTU = 512 bytes
– Should the FTP application use an FTP packet size of 512 bytes?
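The encapsulation of the "Big Picture" slides and the quiz that follows them, as an added worked example that is not part of the lecture. The headers are built in their real wire layout (Ethernet II, IPv4 without options, TCP without options), the IPv4 header checksum is computed as RFC 1071 specifies and re-verified the way a router does, and max_app_chunk() answers the quiz: with a 512-byte link MTU a 512-byte FTP chunk becomes a 552-byte IP packet that must be fragmented, while the largest chunk that avoids fragmentation is 512 - 20 - 20 = 472 bytes, which is exactly the value TCP's MSS exists to communicate. MAC and IP addresses, ports and sequence numbers are assumed demo values; the TCP checksum is left zero because it needs the IP pseudo-header, which is outside the point of the example.

```python
"""Encapsulation of a 512-byte FTP chunk down to the Ethernet frame, and the MTU quiz.

Added example, not from the lecture. Addresses, ports and sequence numbers
are assumed demo values.
"""
import struct

ETH_HDR, IP_HDR, TCP_HDR = 14, 20, 20


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a header whose checksum
    field is zero it yields the field value; over a valid complete header it yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:                                   # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_header(sport, dport, seq, ack, flags=0x18):      # PSH|ACK, no options
    # data offset 5 words; window 65535; checksum 0 (needs the IP pseudo-header); urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def ip_header(src, dst, payload_len, ident=1, df=True):
    total = IP_HDR + payload_len
    flags_frag = 0x4000 if df else 0                      # DF bit set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_frag, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def eth_header(dst_mac, src_mac, ethertype=0x0800):      # 0x0800 = IPv4
    return dst_mac + src_mac + struct.pack("!H", ethertype)


def encapsulate(app_chunk: bytes, src="10.0.0.1", dst="10.0.0.2"):
    """Client side of the slide: data -> TCP segment -> IP packet -> frame for the next hop."""
    segment = tcp_header(40000, 21, 70, 1) + app_chunk
    packet = ip_header(src, dst, len(segment)) + segment
    return eth_header(b"\xaa" * 6, b"\xbb" * 6) + packet   # destination MAC is the router's


def verify_ip_header(frame: bytes) -> bool:
    """What a router does before trusting the header: recompute the checksum over all 20 bytes."""
    return ip_checksum(frame[ETH_HDR:ETH_HDR + IP_HDR]) == 0


def max_app_chunk(link_mtu, ip_options=0, tcp_options=0):
    """Largest per-segment application chunk that fits the MTU without IP fragmentation."""
    return link_mtu - (IP_HDR + ip_options) - (TCP_HDR + tcp_options)


def quiz(link_mtu=512, app_chunk=512):
    frame = encapsulate(b"A" * app_chunk)
    ip_len = len(frame) - ETH_HDR
    return {"ip_packet_len": ip_len, "fragmented": ip_len > link_mtu,
            "recommended_chunk": max_app_chunk(link_mtu)}


if __name__ == "__main__":
    print(quiz())
```

The quiz answer is therefore no: the application should size its chunks to the MSS that TCP negotiates, not to the raw MTU, and any IP or TCP options in use (timestamps, for instance) shrink that number further.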
Path MTU Discovery (IP)
• Path MTU = smallest MTU of any of the IP hops on the path between a source and destination
• How does it work?
– Set the DF bit in the IP header to "Don't fragment"
– Wait for the ICMP error message (datagram too big / fragmentation needed)
– Reduce the IP packet size and repeat
– Trial-and-error
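The trial-and-error loop above, together with the ICMP-filtering failure mode mentioned under "Avoiding IP Fragmentation", as an added simulation that is not part of the lecture. A path is a list of per-hop MTUs; send() forwards a packet hop by hop and, with DF set, the first hop whose MTU is too small drops it and returns the ICMP "fragmentation needed" signal carrying that hop's MTU (RFC 1191 behaviour), while with DF clear the router fragments instead. discover() is the slide's loop. With filter_icmp=True the ICMP never comes back, so after a few silent timeouts the sender stops relying on ICMP and probes downward through a size ladder, which is the idea behind packetization-layer PMTUD (RFC 4821). The hop MTUs, probe ladder and timeout count are assumed demo values.

```python
"""Path MTU discovery as a trial-and-error loop, plus the ICMP black-hole case.

Added example, not from the lecture. Hop MTUs, the probe ladder and the
timeout count are assumed demo values.
"""

PROBE_LADDER = [1500, 1400, 1280, 1024, 576]   # assumed fallback probe sizes, descending


def send(path_mtus, size, df=True, filter_icmp=False):
    """Return ("ok", delivered_size), ("icmp", next_hop_mtu) or ("lost", None)."""
    for hop_mtu in path_mtus:
        if size > hop_mtu:
            if not df:
                size = hop_mtu             # router fragments; pieces continue at the smaller size
                continue
            if filter_icmp:
                return ("lost", None)      # dropped, and the ICMP error is filtered on the way back
            return ("icmp", hop_mtu)       # ICMP Destination Unreachable, fragmentation needed
    return ("ok", size)


def discover(path_mtus, start=1500, filter_icmp=False, max_timeouts=3):
    """Return (path_mtu or None, [(size, outcome), ...]) following the slide's loop."""
    size, attempts, timeouts = start, [], 0
    ladder = iter(PROBE_LADDER)
    while True:
        outcome, info = send(path_mtus, size, df=True, filter_icmp=filter_icmp)
        attempts.append((size, outcome))
        if outcome == "ok":
            return size, attempts
        if outcome == "icmp":
            size = info                    # the router told us the next-hop MTU; try that next
            timeouts = 0
            continue
        timeouts += 1                      # nothing came back: a black hole or plain loss
        if timeouts >= max_timeouts:
            timeouts = 0
            try:
                size = next(s for s in ladder if s < size)   # probe the next smaller size
            except StopIteration:
                return None, attempts      # ladder exhausted: no usable size found


if __name__ == "__main__":
    print(discover([1500, 1400, 1280, 1500]))
    print(discover([1500, 1400, 1280, 1500], filter_icmp=True))
```

The attempt lists make the cost of the black hole visible: with ICMP flowing, the same path is resolved in three sends, each shrink guided by the router; with ICMP filtered it takes seven, and a sender that never falls back to probing would hang on the first size forever. That is why "ICMP may get dropped by routers/firewalls" is a real operational problem and not a theoretical one.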
Comparison between Client-Server and Peer-to-Peer models
• Maintenance
• Security
• Updating data
• Traffic/bandwidth
• Robustness (single point of failure)
• Control of copyrighted materials