CIS 3360: Security in Computing Pre-Knowledge: Internet and Networking Cliff Zou Spring 2012.


1 CIS 3360: Security in Computing Pre-Knowledge: Internet and Networking Cliff Zou Spring 2012

2 Objectives
- Obtain the basic knowledge of computer networking and the Internet
  - Concepts of network applications, Internet
  - Basic knowledge of network protocols: TCP/IP
- Reading assignment:
  - Wikipedia tutorials:
    - http://en.wikipedia.org/wiki/Internet
    - http://en.wikipedia.org/wiki/TCP/IP
  - Reference book: Computer Networking: A Top Down Approach Featuring the Internet, 5th edition. Jim Kurose, Keith Ross, Addison-Wesley, Pearson Education, 2010

3 Lecture Materials
Some of these slides are adapted from the slides copyrighted by Jim Kurose, Keith Ross, Addison-Wesley, Pearson Education, 2010. Computer Networking: A Top Down Approach Featuring the Internet, 5th edition.

4 A Little Bit of Internet History
- 1961: Kleinrock - queueing theory shows effectiveness of packet-switching
- 1967: ARPAnet conceived by Advanced Research Projects Agency
- 1969: First ARPAnet node operational
- 1972: 15 nodes in ARPAnet; first e-mail program
- 1973: Metcalfe's PhD thesis proposes Ethernet
- 1974: Cerf and Kahn - architecture for interconnecting networks
- 1983: deployment of TCP/IP
- 1982: SMTP e-mail protocol defined
- 1983: DNS defined for name-to-IP-address translation
- early 1990s: Web
- Late 1990s - 2000s: instant messaging, P2P file sharing; network security; est. 50 million hosts, 100 million+ users, backbone links running at Gbps

5 Cerf and Kahn's internetworking principles:
- minimalism, autonomy - no internal changes required to interconnect networks
- best effort service model
- stateless routers
- decentralized control
These principles define today's Internet architecture.

6 What is the Internet?
[Figure: the layered protocol stack. Application (Web, Email...), Transport (TCP, UDP), Network (IP), Data Link (Ethernet, cellular), Physical link.]

7 Some Internet applications
- E-mail
- Web
- Instant messaging
- Remote login
- P2P file sharing
- Multi-user network games
- Streaming stored video clips
- Internet telephone
- Real-time video conference
- Massive parallel computing

8 Internet
- Internet: loosely hierarchical "network of networks"
- Major components: hosts, routers, communication links
- Protocols: for sending and receiving of messages
  - e.g., TCP, IP, HTTP, FTP, PPP
- Internet standards
  - RFC: Request for Comments
  - IETF: Internet Engineering Task Force
[Figure: local ISP, company network, regional ISP; router, workstation, server, mobile.]

9 Internet: Three Components
- End systems (hosts): millions of connected computing devices executing network applications
- Routers: forwarding packets (chunks of data)
- Communication links: connecting hosts and routers
  - fiber, copper, radio, satellite
  - transmission rate = bandwidth
[Figure: local ISP, company network, regional ISP; router, workstation, server, mobile.]

10 Internet Service
- Communication infrastructure enables distributed applications:
  - Web, email, games, e-commerce, file sharing
- Communication services provided to applications:
  - connectionless, unreliable
  - connection-oriented, reliable

11 Internet structure: network of networks
- roughly hierarchical
- at center: "tier-1" ISPs (e.g., UUNet, BBN/Genuity, Sprint, AT&T), national/international coverage
  - treat each other as equals
[Figure: tier-1 providers interconnect (peer) privately, and also interconnect at public network access points (NAPs).]

12 Internet structure: network of networks
- "Tier-2" ISPs: smaller (often regional) ISPs
  - Connect to one or more tier-1 ISPs, possibly other tier-2 ISPs
[Figure: a tier-2 ISP pays a tier-1 ISP for connectivity to the rest of the Internet, so the tier-2 ISP is a customer of the tier-1 provider. Tier-2 ISPs also peer privately with each other, or interconnect at a NAP.]

13 Internet structure: network of networks
- "Tier-3" ISPs and local ISPs
  - last hop ("access") network (closest to end systems)
[Figure: local and tier-3 ISPs are customers of higher-tier ISPs, which connect them to the rest of the Internet.]

14 Internet structure: network of networks
- a packet passes through many networks!
[Figure: a path from a local ISP through tier-3, tier-2 and tier-1 ISPs and a NAP.]

15 "Real" Internet delays and routes
- What do "real" Internet delay & loss look like?
- Traceroute program: provides delay measurement from the source to each router along the end-to-end Internet path towards the destination. For all i:
  - sends three packets (probes) that will reach router i on the path towards the destination
  - router i will return packets to the sender
  - sender times the interval between transmission and reply

16 "Real" Internet delays and routes
traceroute: gaia.cs.umass.edu to www.eurecom.fr
 1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
 2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
 3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
 4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
 5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
 6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
 7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
 8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
 9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms
Annotations on the slide:
- line 1: three delay measurements from gaia.cs.umass.edu to cs-gw.cs.umass.edu
- * means no response (probe lost, router not replying)
- the large jump in delay partway along the path is marked "trans-oceanic link"
- under Windows the program is "tracert"
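As an added example (not part of the slides), a small Python parser for output in the format shown above: it extracts each hop's host, IP and the three RTTs, flags hops that answered no probe at all, and finds the largest rise in RTT between consecutive hops, which is where the trans-oceanic link shows up. The sample lines are copied from the slide; the regexes assume the Unix traceroute layout above, with "*" in place of a lost probe's time.

```python
import re

# Constructed sample in the format of the traceroute output on this slide
# (a few of the hops from gaia.cs.umass.edu towards www.eurecom.fr).
SAMPLE = """\
 6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
 7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
 8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
 9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms
"""

# "<hop> <host> (<ip>) <rtt> ms ..."; a lost probe shows up as "*" instead of a time.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)((?:\s+(?:[\d.]+ ms|\*))+)\s*$")
NO_REPLY_RE = re.compile(r"^\s*(\d+)(?:\s+\*)+\s*$")

def parse_traceroute(text):
    """Return a list of (hop, host, ip, [rtt_ms, ...]); a hop that answered
    none of the three probes has host and ip None and an empty RTT list."""
    hops = []
    for line in text.splitlines():
        if (m := HOP_RE.match(line)):
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
            hops.append((int(m.group(1)), m.group(2), m.group(3), rtts))
        elif (m := NO_REPLY_RE.match(line)):
            hops.append((int(m.group(1)), None, None, []))
    return hops

def silent_hops(hops):
    """Hop numbers with no reply at all (probes lost or router not replying)."""
    return [h for h, host, _, _ in hops if host is None]

def largest_rtt_jump(hops):
    """(from_hop, to_hop, delta_ms): the biggest rise in minimum RTT between
    consecutive responding hops, i.e. where a long link (e.g. trans-oceanic) sits."""
    best, prev = None, None
    for h, _, _, rtts in hops:
        if not rtts:
            continue
        if prev and (best is None or min(rtts) - prev[1] > best[2]):
            best = (prev[0], h, min(rtts) - prev[1])
        prev = (h, min(rtts))
    return best
```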

17 Traceroute from My Home Computer
[Slides 17 and 18: screenshots of traceroute output; no transcript text.]

19 Where is a Router Placed?
- There are many public websites that provide an IP location service
  - www.geobytes.com/iplocator.htm
  - http://www.iplocation.net/
- Based on traceroute and an IP locator, you can know the complete routing path of a connection
  - Major reason why many networks block traceroute traffic

20 Protocol
Network protocols:
- all communication activity in the Internet is governed by protocols
- Protocols define the format and order of messages sent and received among network entities, and the actions taken on message transmission and receipt

21 What's a protocol?
A human protocol and a computer network protocol, side by side:
- Human: "Hi" / "Got the time?" / "2:00"
- Network: TCP connection request / TCP connection response / Get http://www.awl.com/kurose-ross
[Figure: both exchanges drawn as messages along a time axis.]

22 A closer look at network structure:
- network edge: applications and hosts
- network core:
  - routers
  - network of networks
- Connection: communication links

23 The network edge:
- end systems (hosts):
  - run application programs
  - e.g. Web, email
  - at "edge of network"
- client/server model
  - client host requests, receives service from always-on server
  - e.g. Web browser/server; email client/server
- peer-peer model:
  - minimal (or no) use of dedicated servers
  - e.g. Gnutella, KaZaA

24 Network edge: connection-oriented service
TCP [Transmission Control Protocol]
- reliable, in-order byte-stream data transfer
  - loss: acknowledgements and retransmissions
- flow control:
  - sender won't overwhelm receiver
- congestion control:
  - senders "slow down sending rate" when network congested
Examples of applications using TCP:
- HTTP (Web), FTP (file transfer), SSH (remote secure login), SMTP (email)

25 Network edge: connectionless service
UDP [User Datagram Protocol]
- connectionless
- unreliable data transfer
- no flow control
- no congestion control
Examples of applications using UDP:
- streaming media, teleconferencing, DNS, Internet telephony

26 The Network Core
- mesh of interconnected routers
- data transfer methods through the net:
  - circuit switching: dedicated circuit per call: telephone net
  - packet switching: data sent through the net in discrete "chunks"

27 Circuit Switching
End-to-end resources reserved for a "call"
- call setup required
- link bandwidth, switch capacity
- dedicated resources: no sharing
- circuit-like (guaranteed) performance

28 Packet-switched networks
- Move packets through routers from source to destination
- datagram network:
  - destination address in packet determines next hop
  - routes may change during session
- virtual circuit network:
  - each packet carries a tag (virtual circuit ID); the tag determines the next hop
  - fixed path determined at call setup time, remains fixed through the call
  - routers maintain per-call state

29 Internet protocol stack
- application: supporting network applications
  - FTP, SMTP, HTTP
- transport: host-host data transfer
  - TCP, UDP
- network: routing of datagrams from source to destination
  - IP, routing protocols
- link: data transfer between neighboring network elements
  - PPP, Ethernet
- physical: bits "on the wire or wireless"
[Figure: the five layers stacked: application, transport, network, link, physical.]

30 Encapsulation
[Figure: at the source, the application message M receives a transport header Ht (segment), then a network header Hn (datagram), then a link header Hl (frame). The frame crosses a switch (link and physical layers only) and a router (up to the network layer); the destination strips Hl, Hn and Ht in turn to recover M.]

31 Message Flow
- transport segment from sending to receiving host
  - on sending side, encapsulates segments into datagrams
  - on receiving side, delivers segments to transport layer
- network layer protocols in every host, router
- router examines header fields in all IP datagrams passing through it
[Figure: the end hosts run all five layers (application, transport, network, data link, physical); the routers in between run only network, data link and physical.]

32 TCP/IP Introduction

33
- TCP: Transport Layer
- IP: Network Layer
- Networking security mainly deals with these two services/protocols

34 Transport Layer
- TCP - connection-oriented service
  - Provides reliable data transmission
  - Used by most data-based, not time-sensitive network applications
    - Email, Web, file transfer....
  - Requires setting up a TCP connection channel first
- UDP - connectionless service
  - Unreliable data transmission
  - Erroneous packets are discarded without retransmission
  - No additional delay for future incoming packets
  - Used for time-sensitive, error-tolerant applications
    - VoIP, video streaming, DNS....

35 Transport vs. network layer
- network layer: logical communication between hosts
- transport layer: logical communication between processes
  - relies on, enhances, network layer services
[Figure: hosts A, B, C, D with two transport connections labelled Sport:4625 Dport:80 and Sport:8050 Dport:25.]

36 Addressing processes
- to receive messages, a process must have an identifier
- the identifier includes both the IP address and the port number associated with the process on the host
  - host device has a unique 32-bit IP address
  - the IP address is for addressing a host/computer
- Example port numbers:
  - HTTP server: 80
  - Mail server: 25
- to send an HTTP message to the gaia.cs.umass.edu web server:
  - IP address: 128.119.245.12
  - Port number: 80

37 TCP and UDP Port Numbers
- 16 bits (0 - 65535)
- Internet Assigned Numbers Authority (IANA): www.iana.org
- Well known ports (0 - 1023)
  - Example: HTTP - 80, SMTP - 25
- Registered ports (1024 - 49151)
  - Example: HTTP alternate 8080, used for web proxy and caching servers
- Dynamic and/or private ports (49152 - 65535)

38
- Each TCP connection is identified by a 4-tuple:
  - source IP address
  - source port number
  - dest IP address
  - dest port number
- These four values are widely used in network filtering and intrusion detection
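An added Python example, not from the slides, of the two ideas on slides 37 and 38: classifying a port by its IANA range, and keying packets by their 4-tuple so that both directions of one connection count as the same connection, plus a minimal wildcard block rule of the kind a packet filter applies to the 4-tuple. The sample packets and the block rule are constructed.

```python
from collections import Counter

def port_class(port):
    """IANA ranges from the slide: well known, registered, dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Canonical bidirectional key: a 4-tuple and its reverse (the two
    directions of one TCP connection) map to the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def matches(rule, pkt):
    """A rule is a 4-tuple whose fields are exact values or '*' (any)."""
    return all(r == "*" or r == p for r, p in zip(rule, pkt))

def count_connections(packets):
    """Packets per connection, both directions counted together."""
    return Counter(flow_key(*p) for p in packets)

def filter_packets(packets, block_rules):
    """Split packets into (passed, blocked); a packet matching any block rule is blocked."""
    passed, blocked = [], []
    for p in packets:
        (blocked if any(matches(r, p) for r in block_rules) else passed).append(p)
    return passed, blocked

# Constructed sample: (src_ip, src_port, dst_ip, dst_port) of four TCP segments.
PACKETS = [
    ("10.0.0.5", 52001, "128.119.245.12", 80),   # client -> web server
    ("128.119.245.12", 80, "10.0.0.5", 52001),   # server -> client, same connection
    ("10.0.0.5", 52002, "128.119.245.12", 80),   # a second connection to the web server
    ("10.0.0.7", 52003, "128.119.245.12", 25),   # mail submission to port 25
]
# Constructed policy: block any packet whose destination port is 25.
BLOCK_RULES = [("*", "*", "*", 25)]
```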

39 UDP Packet Header
- UDP packet header is 8 bytes long
- Port number is 16 bits long
- Checksum for verifying packet errors
[Figure: UDP segment format, 32 bits wide: source port #, dest port #; length, checksum; then application data (message). Length is in bytes of the UDP segment, including the header.]
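An added Python example (not from the slides) that builds and parses the 8-byte UDP header above, including the checksum, which for IPv4 is computed over a pseudo-header (source and destination IP, protocol 17, UDP length) plus the UDP header and data; the parser rejects a datagram whose length field disagrees with the bytes actually received. Addresses, ports and payload are constructed.

```python
import socket
import struct

def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src_ip, dst_ip, udp_bytes):
    """UDP checksum covers an IPv4 pseudo-header (src, dst, zero, proto 17,
    UDP length) plus the UDP header and data, with the checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(udp_bytes)))
    zeroed = udp_bytes[:6] + b"\x00\x00" + udp_bytes[8:]
    return internet_checksum(pseudo + zeroed) or 0xFFFF  # a computed 0 is sent as 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """8-byte header: source port, dest port, length (including header), checksum."""
    length = 8 + len(payload)
    draft = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, draft)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def parse_udp(src_ip, dst_ip, datagram):
    """Return (sport, dport, length, checksum_ok, payload). Rejects a truncated
    header and a length field that disagrees with the bytes received."""
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length != len(datagram):
        raise ValueError("UDP length field does not match the data")
    # A zero checksum means the sender did not compute one (allowed over IPv4).
    ok = csum == 0 or udp_checksum(src_ip, dst_ip, datagram) == csum
    return sport, dport, length, ok, datagram[8:]
```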

40 UDP Transmission Process
[Figure: Host A sends Packet 1 through Packet 5 to Host B over time; one packet is lost (X) and is not resent.]
- No acknowledgement from the recipient
- Sending rate is controlled by the sender (bounded by the sender's bandwidth)

41 TCP Transmission Process (simplified, without considering pipelining)
- Need sequence # and acknowledgement # to distinguish each packet

42 TCP segment structure (header is 20 bytes normally)
[Figure: TCP segment format, 32 bits wide: source port #, dest port #; sequence number; acknowledgement number; head len, not used, flag bits U A P R S F, receive window; checksum, urgent data pointer; options (variable length); application data (variable length).]
- URG: urgent data (generally not used)
- ACK: ACK # valid
- PSH: push data now
- RST, SYN, FIN: connection establishment (setup, teardown commands)
- Receive window: # bytes the receiver is willing to accept
- Sequence and acknowledgement numbers count bytes of data (not segments!)
- Checksum: Internet checksum (as in UDP)
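An added Python example, not from the slides, that packs and decodes the 20-byte TCP header described above (head len counted in 32-bit words, the ACK # only meaningful when the ACK bit is set) and classifies a segment from its flag bits the way a filter inspects connection setup packets. The segments are constructed; the checksum is left at zero because the example carries no IP pseudo-header.

```python
import struct

# Flag bits in the low byte of the "head len / flags" word.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def build_tcp(sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Constructed sample segment: 20-byte header (head len = 5 words),
    no options, checksum and urgent pointer left at 0."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    head = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | bits, window, 0, 0)
    return head + payload

def parse_tcp(segment):
    """Decode the fields shown on the slide; raises ValueError on a
    truncated header or an impossible head len."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    head_len = (off_flags >> 12) * 4    # head len is counted in 32-bit words
    if head_len < 20 or head_len > len(segment):
        raise ValueError("bad head len")
    flags = {n for n, b in FLAG_BITS.items() if off_flags & b}
    return {
        "sport": sport, "dport": dport, "seq": seq,
        "ack": ack if "ACK" in flags else None,   # ACK # is valid only with ACK set
        "head_len": head_len, "flags": flags, "window": window,
        "checksum": csum, "urg_ptr": urg if "URG" in flags else None,
        "options": segment[20:head_len], "data": segment[head_len:],
    }

def setup_role(seg):
    """How a filter classifies a segment from its flags (setup vs. the rest)."""
    f = seg["flags"]
    if "RST" in f:
        return "RST"
    if "SYN" in f:
        return "SYN/ACK" if "ACK" in f else "SYN"
    if "FIN" in f:
        return "FIN"
    return "ACK/data" if "ACK" in f else "other"
```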

43 TCP seq. #'s and ACKs
Seq. #'s:
- byte stream "number" of the first byte in the segment's data
ACKs:
- seq # of the next byte expected from the other side
- Cumulative ACK: acknowledges receipt of all bytes up to the specified #
Q: how does the receiver handle out-of-order segments?
- TCP spec doesn't say
- Practical approach: save in buffer
Q: how does TCP implement duplex communication?
- Seq. # for sending data, ACK # for receiving data

44 An example of TCP Duplex Communication (simple telnet scenario)
Host A starts at sequence number 42, Host B at 79:
- A -> B: Seq=42, ACK=79, data='john' (user sends the user name)
- B -> A: Seq=79, ACK=46, data='pass' (host ACKs receipt, sends back 'pass' asking for the password)
- A -> B: Seq=46, ACK=83, data='CNT4704' (user ACKs receipt, sends the password)
Sequence numbers are based on bytes, not packets!

45 ACK Only in Duplex Communication?
- B -> A: Seq=79, ACK=46, data='pass' (host ACKs receipt, sends back 'pass')
- A -> B: Seq=46, ACK=83, data='CNT4704' (user sends the password)
- B -> A: Seq=83, ACK=53, no data section
ACK-only packet: its seq # is the first byte to be transmitted in the future (the packet has no data section)

46 TCP: retransmission scenarios
[Figure: two timelines between Host A and Host B.]
Lost ACK scenario:
- A sends Seq=92, 8 bytes data; B replies ACK=100, which is lost (X)
- A's timeout for Seq=92 expires; A retransmits Seq=92, 8 bytes data
- B replies ACK=100; SendBase = 100
Premature timeout scenario:
- A sends Seq=92, 8 bytes data, then Seq=100, 20 bytes data
- A's timeout for Seq=92 expires before ACK=100 arrives; A retransmits Seq=92, 8 bytes data
- ACK=100 then ACK=120 arrive (SendBase = 100, then 120); B answers the retransmission with ACK=120 (SendBase = 120)

47 TCP retransmission scenarios (more)
Cumulative ACK scenario:
- A sends Seq=92, 8 bytes data, then Seq=100, 20 bytes data
- B replies ACK=100, which is lost (X), then ACK=120
- ACK=120 arrives before A's timeout for Seq=92: SendBase = 120, and Seq=92 is not retransmitted
[The premature timeout scenario from slide 46 is repeated on this slide.]

48 TCP Connection Setup --- Three-Way Handshaking
Step 1: client host sends a TCP SYN segment to the server
- specifies initial seq #
- no data
Step 2: server host receives SYN, replies with a SYN/ACK segment
- server allocates buffers
- specifies server initial seq. #
Step 3: client receives SYN/ACK, replies with an ACK segment, which may contain data
[Figure:]
- client -> server: SYN, seq=client_seq
- server -> client: SYN/ACK, seq=server_seq, ack=client_seq+1
- client -> server: ACK, seq=client_seq+1, ack=server_seq+1

49 TCP Connection Setup
- Most firewalls, packet-capturing software, and intrusion detection software use the TCP connection setup packets to determine how to deal with a new connection
- Very important to understand the three-way handshake
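An added Python model (not from the slides, and not a real TCP: no timers, windows or retransmission) of the sequence/acknowledgement bookkeeping on slides 43-45 and 48. It runs the three-way handshake, where a SYN consumes one sequence number so each ack is seq+1, and the 'john'/'pass'/'CNT4704' exchange ending in an ACK-only segment, where ACK numbers count bytes. The initial sequence numbers 42 and 79 are the slides' values; the handshake ISNs are constructed.

```python
class TcpEndpoint:
    """One side's seq/ack bookkeeping: a constructed teaching model,
    not a real TCP (no retransmission, windows or timers)."""

    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn      # seq # of the next byte we send
        self.rcv_nxt = None     # next byte expected from the peer = our ACK #
        self.log = []

    def _send(self, flags, data=b""):
        seg = {"from": self.name, "flags": set(flags), "seq": self.snd_nxt,
               "ack": self.rcv_nxt, "data": data}
        # SYN and FIN each consume one seq number; data consumes len(data)
        self.snd_nxt += len(data) + ("SYN" in flags) + ("FIN" in flags)
        self.log.append(seg)
        return seg

    def receive(self, seg):
        """Accept an in-order segment and advance rcv_nxt past it."""
        used = len(seg["data"]) + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])
        if self.rcv_nxt is None or seg["seq"] == self.rcv_nxt:
            self.rcv_nxt = seg["seq"] + used
            return True
        return False   # out of order: the spec leaves buffering to the implementation

    def syn(self):          return self._send({"SYN"})
    def syn_ack(self):      return self._send({"SYN", "ACK"})
    def ack(self):          return self._send({"ACK"})
    def send_data(self, d): return self._send({"ACK"}, d)

def three_way_handshake(client_isn, server_isn):
    c, s = TcpEndpoint("client", client_isn), TcpEndpoint("server", server_isn)
    s.receive(c.syn())        # SYN, seq=client_seq
    c.receive(s.syn_ack())    # SYN/ACK, seq=server_seq, ack=client_seq+1
    s.receive(c.ack())        # ACK, seq=client_seq+1, ack=server_seq+1
    return c, s

def telnet_exchange():
    """The duplex example: A sends 'john' from seq 42, B answers 'pass'
    from seq 79, A sends 'CNT4704', then B sends an ACK-only segment."""
    a, b = TcpEndpoint("A", 42), TcpEndpoint("B", 79)
    a.rcv_nxt, b.rcv_nxt = 79, 42   # connection already established
    b.receive(a.send_data(b"john"))     # Seq=42, ACK=79
    a.receive(b.send_data(b"pass"))     # Seq=79, ACK=46
    b.receive(a.send_data(b"CNT4704"))  # Seq=46, ACK=83
    a.receive(b.ack())                  # Seq=83, ACK=53, no data
    return a.log + b.log
```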

50 TCP Connection Management (cont.)
Closing a connection: close();
Step 1: client end system sends a TCP FIN control segment to the server
Step 2: server receives FIN, replies with ACK. Closes connection, sends FIN.
[Figure: client sends FIN; server replies ACK, then sends FIN; client enters timed wait, server is closed.]

51 TCP Connection Management (cont.)
Step 3: client receives FIN, replies with ACK.
- Enters "timed wait" - will respond with ACK to received FINs
Step 4: server receives ACK. Connection closed.
[Figure: client FIN, server ACK and FIN, client ACK; client goes from closing through timed wait to closed, server to closed.]
Some applications simply send RST to terminate TCP connections immediately

