CSE565: Computer Security
Lecture 22: IP Basics
Shambhu Upadhyaya
Computer Science & Eng., University at Buffalo, Buffalo, New York 14260
11/09/17 UB Fall 2017

Outline
- IP (November 09, 2017)
- IP Security architecture (November 14, 2017)
- Authentication Header
- Key Management

IPv6 adoption is slower than expected. One estimate states that fewer than 10% of IP addresses are remaining. So, migration to IPv6 is inevitable. Today (2011), Verizon, HSBC, Amazon, Akamai, etc. are taking the lead.

The Role of IP
- IP provides functionality to interconnected devices across multiple networks
- IP is implemented in each end system and router
- The routers along the way must cope with:
  - Addressing schemes (IEEE 802 vs. X.25)
  - Maximum packet sizes (fragmentation)
  - Interfaces (hardware/software)
  - Reliability (should be independent of it)

X.25 is a wide area network (WAN) packet-switching network.

Some Issues of IP
- Data at higher level are encapsulated in a PDU (protocol data unit)
- PDU is passed through one or more networks and connected routers and to the end system
- IP header must contain all the necessary addresses
- No reliability assurance
  - Intermediate subnets need not be concerned about reliability requirements
  - TCP takes care of reliability

Configuration of TCP/IP
Figure: Configuration for TCP/IP Example

Operation of Routers
- IP is implemented in all end systems and routers
- End systems must have compatible protocols above IP
- Routers need only have up through IP

Operation, Contd.
- Block of data from X to Y
- PDU is created and IP layer attaches a header (global Internet address of Y)
- Since Y is on another network, the packet needs to be sent to router 1 in the form of an LLC PDU
- Upon receiving, MAC layer constructs a MAC packet and sticks in the address of router 1
- After examination, router 1 routes packets to router 2 (wrapping in another format if necessary)
- Router 2 strips off header to determine that the IP packet is destined to Y
- Router 2 creates a packet with destination address of Y and sends it onto the LAN
- Y removes all headers and forwards data to upper

Router, Switch and Hub
- Router is like a computer; it acts as a gateway
  - Joins together multiple LANs to a WAN
  - Works at layer 3 of OSI
- Switch is less sophisticated
  - Must designate a computer as a gateway
  - Works at layer 2 of OSI
  - Connects devices to form a LAN
- Hub is used to connect segments of a LAN
  - Works at layer 1 of OSI
  - It is like a splitter

IPv4
- Header is 20 bytes or 160 bits (minimum)
- 32 bit address (4.3 billion IP addresses)
- Study shows that available address space would not last long
- In April 2014, the North American Registry for Internet Numbers (ARIN) announced it had reached "phase 4" of its IPv4 countdown plan, with fewer than 17 million IPv4 addresses remaining

IPv4 has 4 parts. IP address has network address and host address. Host address is divided into subnet and host number.

The Grim Story of IPv4
- ARIN had < 17M addresses left in 2014
- ARIN has tightened the address supply and now has run out of it
  - In Sept. 2015, it declared exhaustion
- APNIC (Asia-Pacific registry) reached the 17M threshold five years ago
- RIPE NCC (Europe) reached its threshold less than four years ago
- Latin America and Caribbean directories in similar status
- AfriNIC in Africa is continuing to supply IPv4 addresses

American Registry for Internet Numbers (ARIN)

How Did We Get Here
- In the 80’s, protocols used 16 bit addresses
- The Internet growth was not predicted well
- Making the addresses a meager 32 bits was a big failure of imagination
- It took only a decade before IP address numbering ran into trouble
- Initially a class system (A, B, C) to handle networks and hosts
- This was later abolished, which improved the situation a bit

Use of IP Address Space
Courtesy: Iljitsch van Beijnum, “With the Americas running out of IPv4, it’s official: The Internet is full”, arstechnica.com, June 2014

Classless Regime
- Deployment of new IP address space slowed down to a much more sustainable pace as the Internet boomed in the late 90’s
- Around 2000
  - More and more broadband always-on connections
- Few years later
  - Millions of smartphones continuously connected
- Day was saved by NAT adoption

NAT Details
- These days people use more than one PC
- ISPs provide more IP addresses for a fee
- Cheaper solution is to share a single address
- With NAT, you get IP addresses from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 address ranges set aside for private use
- A home router that implements NAT then translates between the internal address and the regular, public address given out by the ISP

The Stanford vs. China Story
- More than a decade ago, Stanford held more IPv4 addresses than all of China
- However, by 2006, organizations in China held a total of 98M IP addresses
- As of 2 years ago, China had given out a total of 330M addresses
- China is the second largest holder of IPv4 addresses, behind the US with 1.591 billion
- China: 1 address for every 4 users; US: 5 addresses for every user
- If each user in the world deserves one, we have a problem!

IP Addresses Held By Country 2014

So, What Now?
- IPv6 is the solution
- Read the article: “With the Americas running out of IPv4, it’s official: The Internet is full” by Iljitsch van Beijnum at arstechnica.com (http://arstechnica.com/information-technology/2014/06/with-the-americas-running-out-of-ipv4-its-official-the-internet-is-full/)
- Also read: http://arstechnica.com/information-technology/2015/07/us-exhausts-new-ipv4-addresses-waitlist-begins/

IPv6
- Fixed-length header of 40 octets
- 128 bit addresses (5×10^28 addresses for each of the 7 billion people)
- U.S. government specified that network backbones at federal agencies must deploy IPv6 by 2008; the adoption is slow due to lack of client base
- Major backbone networks (Amazon, Comcast, HSBC, Akamai, Verizon, etc.) have deployed IPv6
- Microsoft Vista, Windows 7, etc. support IPv6 and have it enabled by default

Summary
- IPv4 has already run out of address space
- IPv6 initiative started in 1995 but adoption is slow; it will become mainstream soon
  - https://www.akamai.com/uk/en/about/our-thinking/state-of-the-internet-report/state-of-the-internet-ipv6-adoption-visualization.jsp
  - http://www.buffalo.edu/ubit/news/topics/working-at-ub.host.html/content/shared/www/ubit/news/2016/ipv6.detail.html
- Products such as Microsoft OS support IPv6 and have it enabled by default
- IPv6 has no backward compatibility since headers are significantly different
- You need to run dual stacks to serve both types of networks
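
Why the two header formats cannot be read by the same code path, as an added sketch that is not part of the original lecture: a parser that dispatches on the version nibble, which is the minimum a dual-stack host, filter or monitor has to do. The function name and the two sample packets are constructed for illustration, and the IPv4 checksum is left at zero and not verified.

```python
import ipaddress
import struct

V4_FMT = "!BBHHHBBH4s4s"   # 20-byte minimum IPv4 header
V6_FMT = "!IHBB16s16s"     # 40-byte fixed IPv6 header

def parse_ip_header(pkt):
    """Return the fields both versions share, reading each in its own layout."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4                      # top 4 bits in both formats
    if version == 4:
        if len(pkt) < 20:
            raise ValueError("truncated IPv4 header")
        vihl, _tos, _len, _id, _frag, ttl, proto, _csum, src, dst = \
            struct.unpack(V4_FMT, pkt[:20])
        hlen = (vihl & 0x0F) * 4               # IHL counts 32-bit words
        if hlen < 20 or len(pkt) < hlen:
            raise ValueError("bad IPv4 header length")
        return {"version": 4, "header_len": hlen, "next_proto": proto,
                "hop_limit": ttl,
                "src": str(ipaddress.IPv4Address(src)),
                "dst": str(ipaddress.IPv4Address(dst))}
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        _vtf, _plen, nxt, hop, src, dst = struct.unpack(V6_FMT, pkt[:40])
        return {"version": 6, "header_len": 40, "next_proto": nxt,
                "hop_limit": hop,
                "src": str(ipaddress.IPv6Address(src)),
                "dst": str(ipaddress.IPv6Address(dst))}
    raise ValueError("unknown IP version %d" % version)

# Constructed sample headers (documentation addresses, protocol 6 = TCP).
SAMPLE_V4 = struct.pack(V4_FMT, 0x45, 0, 20, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address("192.0.2.1").packed,
                        ipaddress.IPv4Address("198.51.100.7").packed)
SAMPLE_V6 = struct.pack(V6_FMT, 6 << 28, 0, 6, 64,
                        ipaddress.IPv6Address("2001:db8::1").packed,
                        ipaddress.IPv6Address("2001:db8::2").packed)

if __name__ == "__main__":
    for pkt in (SAMPLE_V4, SAMPLE_V6):
        print(parse_ip_header(pkt))
```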