Wednesday, October 20, 2021

CST 311 - Week 8

Secure Sockets Layer (SSL)



This week was a bit short as it is our last week, but we did cover a couple of new topics. SSL is used to enhance TCP with security services: confidentiality (encryption), data integrity (no modifications), and end-point authentication (no unauthorized access). Although it technically resides in the application layer, SSL is often considered part of the transport protocol. SSL adds on to TCP's handshake procedure by deriving session keys for encryption and for data integrity (MAC keys). Note that four session keys are used here, two for encryption and two for integrity: one encryption key and one MAC key for each direction of traffic. SSL also uses its own sequence numbers, which are not included in the data records themselves but are instead fed into the MAC calculation, so a replayed or reordered record fails its integrity check even though its bytes are unchanged.
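The sequence-number trick is easier to see in code. The following is an added example, not code from the course or from any SSL/TLS library: it MACs each record over an implicit counter that both sides keep but never transmit, using HMAC-SHA256 and a made-up key, and shows that a replayed, reordered or tampered record is rejected. The record layout and the `Sender`/`Receiver` classes are simplifications I chose for the demo.

```python
import hmac
import hashlib

# Constructed key standing in for one of the per-direction MAC keys derived
# during the handshake (a real key would come from the key-derivation step).
MAC_KEY = b"demo-mac-key-client-to-server"


def record_mac(key: bytes, seq: int, record_type: int, payload: bytes) -> bytes:
    """MAC over the implicit sequence number plus the record's type, length and data."""
    header = seq.to_bytes(8, "big") + bytes([record_type]) + len(payload).to_bytes(2, "big")
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # local counter, never placed on the wire

    def send(self, payload: bytes, record_type: int = 23):
        mac = record_mac(self.key, self.seq, record_type, payload)
        self.seq += 1
        return (record_type, payload, mac)  # note: no sequence number in the record


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # the receiver keeps its own copy of the counter

    def receive(self, record):
        record_type, payload, mac = record
        expected = record_mac(self.key, self.seq, record_type, payload)
        if not hmac.compare_digest(mac, expected):
            # Integrity failure: tampered, replayed or out of order.
            # Real SSL/TLS would abort the connection here; the demo just rejects.
            return None
        self.seq += 1
        return payload


def demo():
    """Run a few records through sender and receiver; return what was accepted."""
    s, r = Sender(MAC_KEY), Receiver(MAC_KEY)
    r1 = s.send(b"GET /account HTTP/1.1")
    r2 = s.send(b"transfer 100")
    results = {}
    results["in_order"] = r.receive(r1)                   # accepted
    results["replay"] = r.receive(r1)                     # same bytes again: rejected
    results["next"] = r.receive(r2)                       # accepted, counter now matches
    results["reorder"] = Receiver(MAC_KEY).receive(r2)    # r2 before r1: rejected
    tampered = (r1[0], b"GET /admin HTTP/1.1", r1[2])    # payload changed, MAC kept
    results["tampered"] = Receiver(MAC_KEY).receive(tampered)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} -> {'accepted' if value else 'rejected'}")
```

The point to notice is that the replayed record is byte-for-byte identical to one that was accepted a moment earlier; only the receiver's private counter makes the difference.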

Firewalls


The last thing I want to go over is firewalls. Firewalls have 3 goals: for all traffic in each direction to pass through them, to only allow authorized traffic to pass (as defined by local security policy), and to be immune to penetration or compromise. A traditional packet filter may make filtering decisions based on source or destination IP and/or port, protocol type, TCP flag bits, ICMP message type, or other custom rules. An example of packet filtering would be to drop all outgoing packets to port 80 to deny outside web access, or to drop incoming packets with the TCP ACK bit set to 0 to prevent external clients from connecting to internal servers. Stateful packet filters make decisions based on currently active connections; for example, an incoming packet is allowed through only if it is associated with a connection that an internal host already opened.
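To make the difference between a stateless and a stateful filter concrete, here is an added example (my own code, not from the course or any firewall product). It implements the two rules from the paragraph, plus a connection table so that an incoming packet is only accepted when it belongs to a connection an inside host opened. The packet fields, addresses and ports are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the internet) or "out" (to the internet)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Stateless rules first, then a connection table for the stateful check."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port) for each
        # connection initiated from inside
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        # Rule 1: deny outside web access by dropping outbound TCP to port 80.
        if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dport == 80:
            return False
        # Rule 2: drop inbound TCP with ACK=0, i.e. attempts to open a connection
        # from outside.
        if pkt.direction == "in" and pkt.proto == "tcp" and not pkt.ack:
            return False
        # Stateful part: remember connections opened from the inside ...
        if pkt.direction == "out" and pkt.proto == "tcp":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # ... and only let inbound TCP through if it matches one of them.
        if pkt.direction == "in" and pkt.proto == "tcp":
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        # Everything else (UDP, ICMP) is denied by default in this small policy.
        return False


def demo():
    fw = StatefulFilter()
    out = {}
    # Internal host opens a connection to an external HTTPS server.
    out["outbound_syn"] = fw.allow(Packet("out", "tcp", "10.0.0.5", 40000, "198.51.100.7", 443, syn=True))
    # The server's SYN-ACK belongs to that connection, so it is allowed.
    out["synack_reply"] = fw.allow(Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000, syn=True, ack=True))
    # Outbound web on port 80 is denied by rule 1.
    out["outbound_web"] = fw.allow(Packet("out", "tcp", "10.0.0.5", 40001, "198.51.100.7", 80, syn=True))
    # An external client trying to open a connection (ACK=0) is denied by rule 2.
    out["inbound_syn"] = fw.allow(Packet("in", "tcp", "203.0.113.9", 5555, "10.0.0.5", 22, syn=True))
    # An inbound packet with ACK=1 but no matching connection: a stateless
    # filter would pass it, the stateful table drops it.
    out["inbound_stray_ack"] = fw.allow(Packet("in", "tcp", "203.0.113.9", 5555, "10.0.0.5", 22, ack=True))
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DROP'}")
```

The last case is the reason stateful filtering exists: the ACK-bit rule alone lets through any packet that merely claims to be part of a connection, while the connection table only admits replies to traffic that actually originated inside.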

Firewalls alone are not enough to secure a network. For finer-grained control, firewalls can be combined with application gateway servers. These servers are application-specific, so a different application gateway is needed for every application. They allow for more control over internet application or user activity, such as preventing a certain host from using telnet. Policy decisions are based on application data. Finally, intrusion detection systems (IDS) can be used for deep packet inspection. Signature-based systems, for example, compare each packet to tens of thousands of signatures. If a packet matches a signature, the system raises an alert that a potentially malicious packet has arrived. Anomaly-based systems look for unusual traffic activity, such as a flood of ICMP packets, but can sometimes flag legitimate traffic. Most IDSs are signature-based but may include some anomaly-based features.
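The two IDS styles side by side, as an added example of my own (not from the course or from any real IDS): a handful of constructed signatures matched against each packet's payload, and a sliding-window counter that flags an ICMP flood. The signatures and threshold are made up for the demo, and a real rule set would be far larger and more carefully tuned.

```python
import re
from collections import deque

# Constructed signatures (not entries from any real rule set): label + pattern.
SIGNATURES = [
    ("telnet-root-login", re.compile(rb"login:\s*root")),
    ("directory-traversal", re.compile(rb"\.\./\.\./")),
]


class SimpleIDS:
    def __init__(self, icmp_threshold: int = 20, window_seconds: float = 1.0):
        self.icmp_threshold = icmp_threshold
        self.window = window_seconds
        self.icmp_times = deque()  # timestamps of recent ICMP packets

    def signature_check(self, payload: bytes):
        """Signature-based: return the labels of every signature the payload matches."""
        return [name for name, pattern in SIGNATURES if pattern.search(payload)]

    def anomaly_check(self, proto: str, t: float) -> bool:
        """Anomaly-based: too many ICMP packets inside the window looks like a flood."""
        if proto != "icmp":
            return False
        self.icmp_times.append(t)
        while self.icmp_times and t - self.icmp_times[0] > self.window:
            self.icmp_times.popleft()
        return len(self.icmp_times) > self.icmp_threshold

    def inspect(self, proto: str, payload: bytes, t: float):
        alerts = [("signature", name) for name in self.signature_check(payload)]
        if self.anomaly_check(proto, t):
            alerts.append(("anomaly", "icmp-flood"))
        return alerts


def demo():
    ids = SimpleIDS(icmp_threshold=20)
    out = {}
    # Constructed packets: (protocol, payload, arrival time in seconds).
    out["benign"] = ids.inspect("tcp", b"GET /index.html HTTP/1.1", 0.0)
    out["telnet"] = ids.inspect("tcp", b"login: root\r\n", 0.1)
    out["traversal"] = ids.inspect("tcp", b"GET /../../etc/passwd HTTP/1.1", 0.2)
    # 25 pings within a quarter second: the counter crosses the threshold.
    flood = [ids.inspect("icmp", b"", 0.3 + i * 0.01) for i in range(25)]
    out["flood_first"] = flood[0]
    out["flood_last"] = flood[-1]
    return out


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:12s} {alerts or 'no alert'}")
```

The anomaly detector illustrates the false-positive problem mentioned above: a burst of legitimate pings (a monitoring system, say) crosses the same threshold as a flood, which is why most deployments lean on signatures and use anomaly features sparingly.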

Tuesday, October 19, 2021

CST 311 - Week 7

Link-layer switches


This week I learned more about switches. Switches are similar to routers because they are responsible for forwarding packets. However, switches are layer 2 network devices, so they have no concept of an IP address (which routers use for forwarding). Instead, they use MAC addresses for forwarding. A MAC address is a unique address assigned to a device. Although MAC addresses were originally meant to be permanent, they can now be changed remotely. Regardless, the IEEE manages the MAC address space and assigns chunks of it to organizations, similar to how IP addresses are managed and assigned. This ensures that MAC addresses are unique to devices.

In order for a host to send an IP datagram, it must have not only a destination IP address but also a destination MAC address for the frame that carries it. If the destination IP address is on the same subnet as the sender, then the destination MAC address will be that of the receiving host. The switch will thus forward the frame directly to the receiver. If the destination IP address is on another subnet, the destination MAC address will be that of the local router interface. In that case, the switch will forward the frame to the router, and the router will use the IP address in the enclosed datagram to forward the datagram to the appropriate outbound link.

Address Resolution Protocol


Switches are more secure than hubs because they support point-to-point links in addition to shared broadcast channels. This means that two hosts on a network can communicate without their messages being broadcast to every other host on their subnet. To accomplish this, every host and router has an ARP table which resolves IP addresses to MAC addresses on their subnet.

When a host first connects to a network (perhaps by plugging an Ethernet cable into a switch), it obtains the MAC address of the default gateway by broadcasting an ARP request, asking who "owns" the IP address of the default gateway. The router will send an ARP reply directly back to the requesting host (not as a broadcast). Hosts may also discover each other in the same fashion. However, it is important to note that ARP tables may not contain every host on a subnet, because entries expire (using a time-to-live value) and a new entry is not created until a host has sent an ARP request for it.
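Putting the two previous sections together, here is an added example (my own code, not from the course) of how a host decides which MAC address to put on a frame: it checks whether the destination is on its own subnet, picks either the destination or the default gateway as the next hop, consults an ARP cache with a time-to-live, and "sends an ARP request" (simulated by a lookup function) only on a cache miss or after an entry has expired. Addresses, MACs and the TTL are constructed for the demo.

```python
import ipaddress


class ArpCache:
    """ARP table: IP -> (MAC, expiry time). Entries age out after ttl seconds."""

    def __init__(self, ttl: float = 60.0):
        self.ttl = ttl
        self.table = {}

    def learn(self, ip: str, mac: str, now: float):
        self.table[ip] = (mac, now + self.ttl)

    def lookup(self, ip: str, now: float):
        entry = self.table.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if now >= expires:
            del self.table[ip]  # expired: a fresh ARP request is needed
            return None
        return mac


class Host:
    def __init__(self, ip: str, prefix_len: int, gateway_ip: str, arp: ArpCache):
        self.network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        self.gateway = ipaddress.ip_address(gateway_ip)
        self.arp = arp

    def next_hop_ip(self, dst_ip: str) -> str:
        """Same subnet: deliver directly. Otherwise: hand the frame to the router."""
        dst = ipaddress.ip_address(dst_ip)
        return str(dst if dst in self.network else self.gateway)

    def destination_mac(self, dst_ip: str, now: float, responder):
        hop = self.next_hop_ip(dst_ip)
        mac = self.arp.lookup(hop, now)
        if mac is None:
            mac = responder(hop)  # stands in for broadcasting an ARP request
            if mac is not None:
                self.arp.learn(hop, mac, now)
        return hop, mac


# Constructed LAN: who would answer an ARP request for each IP.
SUBNET_OWNERS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # default gateway
    "192.168.1.20": "aa:bb:cc:00:00:20",  # another host on the subnet
}


def demo():
    requests = []  # record every ARP request the host "broadcasts"

    def responder(ip):
        requests.append(ip)
        return SUBNET_OWNERS.get(ip)

    host = Host("192.168.1.10", 24, "192.168.1.1", ArpCache(ttl=60))
    out = {}
    out["same_subnet"] = host.destination_mac("192.168.1.20", now=0, responder=responder)
    out["other_subnet"] = host.destination_mac("203.0.113.5", now=1, responder=responder)
    out["cached"] = host.destination_mac("192.168.1.20", now=30, responder=responder)
    out["expired"] = host.destination_mac("192.168.1.20", now=61, responder=responder)
    out["arp_requests_sent"] = list(requests)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

Notice that the packet for 203.0.113.5 never triggers an ARP request for that address; the host only ever resolves the gateway, because the remote address is not on its subnet.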

Tuesday, October 12, 2021

CST 311 - Week 6

Routing Algorithms


This week I learned about how routers find the correct path to send packets across the internet. Two types of routing algorithms are the link-state algorithm (LS) and the distance vector algorithm (DV). The LS algorithm uses Dijkstra's algorithm to find the least-cost path from source to destination. Costs are determined by the network administrator and can represent anything, such as distance, speed, or monetary cost. This algorithm is considered centralized because it requires global state information, or information about all links on the network. The DV algorithm, in contrast, is decentralized and does not use Dijkstra's algorithm. Routers using DV only know the costs of the links to their directly attached neighbors (and whatever information their neighbors share). Nodes provide their neighbors with least-cost estimates from themselves to all other nodes that they know about. However, the shortest path is not always available. Policy issues can prevent forwarding of traffic from one organization to another. For example, one ISP may not want traffic getting a "free ride" through its network if neither the source nor destination addresses are customers.
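Both algorithms on one small constructed topology, as an added example written for this post (not from the course or any router implementation). `link_state` is Dijkstra's algorithm and needs the whole link table; `distance_vector` gives each node only its neighbor costs and the vectors its neighbors advertise, and repeats the exchange until nothing changes. The node names and link costs are made up.

```python
import heapq

# Constructed topology: undirected links with administrator-assigned costs.
LINKS = {
    ("u", "v"): 2, ("u", "x"): 1, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}

INF = float("inf")


def adjacency(links):
    """Turn the link table into {node: {neighbor: cost}}."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def link_state(links, source):
    """Dijkstra: centralized, needs every link in the network up front."""
    adj = adjacency(links)
    dist = {n: INF for n in adj}
    dist[source] = 0
    heap = [(0, source)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue  # stale heap entry
        for m, cost in adj[n].items():
            if d + cost < dist[m]:
                dist[m] = d + cost
                heapq.heappush(heap, (dist[m], m))
    return dist


def distance_vector(links):
    """Bellman-Ford style: each node knows only its own link costs and the
    least-cost estimates its neighbors advertise. Returns every node's final
    vector and the number of exchange rounds it took to settle."""
    adj = adjacency(links)
    nodes = sorted(adj)
    # Initial vector: 0 to self, direct link cost to neighbors, infinity elsewhere.
    vec = {n: {m: (0 if m == n else adj[n].get(m, INF)) for m in nodes} for n in nodes}
    rounds, changed = 0, True
    while changed:
        changed = False
        rounds += 1
        for n in nodes:
            for dest in nodes:
                if dest == n:
                    continue
                # D_n(dest) = min over neighbors nb of c(n, nb) + D_nb(dest)
                best = min(adj[n][nb] + vec[nb][dest] for nb in adj[n])
                if best != vec[n][dest]:
                    vec[n][dest] = best
                    changed = True
    return vec, rounds


if __name__ == "__main__":
    print("link-state from u:", link_state(LINKS, "u"))
    vectors, rounds = distance_vector(LINKS)
    print(f"distance-vector u after {rounds} rounds:", vectors["u"])
```

Both methods arrive at the same least-cost table, which is the point: the difference is in what each router has to know (the entire topology versus only its neighbors) and how long the answer takes to settle, not in the answer itself.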

It is up to network administrators to decide what routing algorithm to use. A network under the control of the same administration is called an autonomous system (AS). All autonomous systems on the internet run the border gateway protocol (BGP) for inter-AS communication. BGP is also often used to implement the IP-anycast service, which is commonly used for DNS servers. Since DNS servers have duplicate content, network administrators can assign the same IP address to all of them. BGP routers select the best route to the IP address, which ends up being the closest (cheapest) server. Although CDNs also have duplicate-content servers, they tend not to use IP-anycast because BGP routing changes can result in different packets of the same TCP connection arriving at different replicas of the server.

Tuesday, October 5, 2021

CST 311 - Week 5

IP Addresses



This week I learned more about what the numbers in IP addresses mean. In IPv4 addressing, each part of an IP address is an 8-bit number. The leftmost numbers determine what network class the IP address belongs to. Class A networks only use the leftmost 8 bits for network addressing. These numbers range from 0-127. The remaining 24 bits are used for host addressing, with each of the 127* class A networks supporting up to 16,777,214 hosts (source). Class B networks use 16 bits for network addressing and 16 bits for host addressing, with the first byte in the range 128-191, and Class C networks use 24 bits for network addressing and 8 for host addressing, with the first byte in the range 192-223. 

Subnet Masks


IP addresses are split into their network and host components using subnet masks. To understand how subnet masks work, the IP address must be converted to binary format. The network portion of an IP address (the leftmost bits) is identified by 1's in the subnet mask. Class A networks would require a subnet mask of 255.0.0.0, or 11111111000000000000000000000000, whereas Class C networks need a subnet mask of 255.255.255.0, or 11111111111111111111111100000000. Performing a bitwise AND operation on the IP address and the subnet mask reveals the network portion of the address. Network administrators can create sub-networks in their organizations by adjusting the subnet mask. This is done by "borrowing" bits from the host portion of the organization's assigned IP address and using them for internal network addressing instead. Every new host on a network is provided with its subnet mask via a DHCP server, which also provides it with its IP address, the address of its first-hop router (the default gateway), and the address of the local DNS server.
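The class ranges and the bitwise AND from the last two sections, worked through in an added example of my own (not code from the course). It classifies an address by its first byte, converts dotted-quad to binary, ANDs the address with the mask to split it into network and host parts, and "borrows" host bits to list the resulting subnets. The sample addresses are constructed.

```python
import ipaddress


def address_class(ip: str) -> str:
    """Classful lookup by the first byte, as described in the post."""
    first = int(ip.split(".")[0])
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "other"  # classes D/E, not covered here


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def to_int(dotted: str) -> int:
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """32-character binary string, the form in which masks are easiest to read."""
    return format(to_int(dotted), "032b")


def split_address(ip: str, mask: str):
    """Bitwise AND with the mask gives the network part; AND with the
    inverted mask gives the host part."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    network = ip_i & mask_i
    host = ip_i & (~mask_i & 0xFFFFFFFF)
    return to_dotted(network), to_dotted(host)


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    return split_address(ip_a, mask)[0] == split_address(ip_b, mask)[0]


def borrow_bits(network_cidr: str, bits: int):
    """Borrow `bits` host bits for subnetting; list the subnets that result."""
    net = ipaddress.ip_network(network_cidr)
    return [str(s) for s in net.subnets(prefixlen_diff=bits)]


if __name__ == "__main__":
    ip = "192.168.1.77"
    cls = address_class(ip)
    mask = DEFAULT_MASK[cls]
    print(ip, "is class", cls, "default mask", mask)
    print("mask in binary:", to_binary(mask))
    print("network / host:", split_address(ip, mask))
    print("borrow 2 bits  :", borrow_bits("192.168.1.0/24", 2))
```

Borrowing two bits from a /24 turns one network of 254 hosts into four /26 networks, which is exactly the trade an administrator makes when subnetting: more networks, fewer hosts in each.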

Network Address Translation (NAT)


Since IPv4 addresses are 32 bits long, there are only approximately 4.2 billion possible IPv4 addresses**. Network Address Translation artificially increases the maximum number of addressable hosts. It allows private networks of hosts, each with a unique private IP address that is visible only to the local network, to share a single public IP address. Incoming internet traffic has its destination IP and destination port changed so it can be internally routed to the correct host. This is done through the use of a forwarding table, which maps private IP/port combinations to public IP/port combinations. A basic example of this occurs if you host a Call of Duty (Cold War) LAN party. Cold War wants to use port 3074 by default. However, the home router cannot assign 3074 to each console. The first console to connect to the network (Console A) will be assigned 3074, but the second (Console B) will be assigned another available port (1024 for example). Therefore, incoming Cold War traffic to the router's (public) port 3074 will be forwarded to Console A's (private) port 3074, and incoming Cold War traffic to (public) port 1024 will be forwarded to Console B's (private) port 3074.***
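The LAN-party case as a NAT translation table, in an added example written for this post (not code from the course or any router firmware). The router keeps the wanted port when it is free and otherwise hands out the next unused port from 1024 upward; inbound packets are forwarded only if a table entry exists. The public and private addresses are constructed.

```python
from itertools import count


class Nat:
    """Minimal NAT translation table keyed on (public ip, public port)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}      # (public ip, public port) -> (private ip, private port)
        self.reverse = {}    # (private ip, private port) -> public port
        self.used_ports = set()
        self._ephemeral = count(1024)  # next candidate when the wanted port is taken

    def _allocate_port(self, wanted: int) -> int:
        if wanted not in self.used_ports:
            return wanted  # first come, first served: keep the port the app asked for
        return next(p for p in self._ephemeral if p not in self.used_ports)

    def outbound(self, private_ip: str, private_port: int):
        """Translate an outgoing packet's source; create a mapping if needed."""
        key = (private_ip, private_port)
        if key not in self.reverse:
            port = self._allocate_port(private_port)
            self.used_ports.add(port)
            self.reverse[key] = port
            self.table[(self.public_ip, port)] = key
        return self.public_ip, self.reverse[key]

    def inbound(self, public_port: int):
        """Look up where an incoming packet should go; None means no mapping
        exists and the packet is dropped (the default behavior of a NAT router)."""
        return self.table.get((self.public_ip, public_port))


def demo():
    nat = Nat("203.0.113.10")                  # constructed public address
    a = nat.outbound("192.168.0.11", 3074)     # Console A connects first
    b = nat.outbound("192.168.0.12", 3074)     # Console B wants 3074 too
    return {
        "console_a_public": a,                 # keeps 3074
        "console_b_public": b,                 # gets the next free port, 1024
        "to_3074": nat.inbound(3074),          # -> Console A, private port 3074
        "to_1024": nat.inbound(1024),          # -> Console B, private port 3074
        "unmapped": nat.inbound(9999),         # None: nothing inside asked for it
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

The `unmapped` case is worth noticing from a security angle: a plain NAT router drops unsolicited inbound traffic simply because no mapping exists, which is why hosts behind NAT are not directly reachable unless a mapping is created (by an outbound connection or by manual port forwarding).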

* A first byte of 127 is reserved for "loopback" addresses, which cause the connection to return to the initiating host. A common address used for testing network applications is called localhost, or 127.0.0.1. Connecting to this IP address means you have connected to yourself.

** IPv6, the successor to IPv4, uses 128 bits for addressing and can therefore support more unique IP addresses than grains of sand on earth. We should not run out of addresses. Hopefully.

*** Achieving Open NAT for several consoles simultaneously can be challenging, but rewarding.
