Network Vulnerabilities 2

Network Layer: Internet Protocol (IP)

Network Vulnerabilities 2. Monday, November 15, 2010.
Sources: S&M Ch. 5; Hacking TAOE Ch 0x400; Kurose & Ross, Computer Networking (the source of many illustrations); Skoudis, Counter Hack Reloaded. Slide sources: Randy Shull's Fall '05 CS242 Computer Networks slides; Daniel Bilar's Fall '06 CS342 slides on Network Attacks; Daniel Bilar's Fall '07 CS242 slides.

[Figure: the protocol stack, with "You are here!" pointing at the network layer. Application layer examples: HTTP, FTP, SMTP, POP3, IMAP, DNS. Transport: UDP, TCP. Network: IP. Link: Ethernet, 802.11 WiFi.]

CS342 Computer Security Department of Computer Science Wellesley College


Major IP components

Network layer services
o The transport layer is responsible for application to application.
o The network layer is responsible for host to host.
o Determine the path taken by packets.
o Forwards packets from one router to the next in the path.
o Internet Protocol (IP) service model is best-effort delivery, but it makes no guarantees. Can drop packets!


Scalability challenge
o Suppose hosts had arbitrary addresses
o Then every router would need a lot of information
o ...to know how to direct packets toward the host

Grouping related hosts
o The Internet is an "inter-network"
o Used to connect (sub)networks together, not hosts
o Needs a way to address a network (i.e., group of hosts)

[Figure: two LANs (LAN 1, LAN 2) of hosts, each attached through a router to a WAN; a router holds a forwarding table. Example host addresses in the figure: 1.2.3.4, 1.2.3.5, 5.6.7.8, 5.6.7.9, 2.4.6.8, 2.4.6.9.]
LAN = Local Area Network; WAN = Wide Area Network

Classless Inter-Domain Routing (CIDR)
Use two 32-bit numbers to represent a network. Network number = IP address + Mask
  IP Address: 12.4.0.0      00001100 00000100 00000000 00000000
  IP Mask:    255.254.0.0   11111111 11111110 00000000 00000000
  The bits where the mask is 1 (the first 15) are the network prefix; the remaining bits are for hosts.
  Written as 12.4.0.0/15

Scalability: Address Aggregation
Provider is given 201.10.0.0/21. Provider addresses:
  201.10.0.0/22
  201.10.4.0/24
  201.10.5.0/24
  201.10.6.0/23
Routers in the rest of the Internet just need to know how to reach 201.10.0.0/21. The provider can direct the IP packets to the appropriate customer.

CIDR: Hierarchical Address Allocation
o Prefixes are key to Internet scalability
o Address allocated in contiguous chunks (prefixes)
o Routing protocols and packet forwarding based on prefixes
o Today, routing tables contain ~150,000-200,000 prefixes

CIDR: Address aggregation

Hierarchical addressing allows efficient advertisement of routing information:
[Figure: Organization 0 (200.23.16.0/23), Organization 1 (200.23.18.0/23), Organization 2 (200.23.20.0/23), ..., Organization 7 (200.23.30.0/23) all connect to one ISP (Fly-By-Night-ISP), which advertises a single prefix to the Internet; a second ISP, ISPs-R-Us, tells the Internet "Send me anything with addresses beginning 199.31.0.0/16".]
[Figure: hierarchical allocation of 12.0.0.0/8 into 12.0.0.0/16, 12.1.0.0/16, 12.2.0.0/16, 12.3.0.0/16, ..., 12.254.0.0/16; 12.3.0.0/16 further into 12.3.0.0/24, 12.3.1.0/24, ..., 12.3.254.0/24; and 12.253.0.0/19, 12.253.32.0/19, 12.253.64.0/19, 12.253.96.0/19, 12.253.128.0/19, 12.253.160.0/19.]

CIDR: More specific address
Suppose Organization 1 moves to ISPs-R-Us:
[Figure: Organization 0 (200.23.16.0/23), Organization 2 (200.23.20.0/23), ..., Organization 7 (200.23.30.0/23) remain at Fly-By-Night-ISP, which tells the Internet "Send me anything with addresses beginning 200.23.16.0/20". Organization 1 (200.23.18.0/23) is now at ISPs-R-Us, which tells the Internet "Send me anything with addresses beginning 199.31.0.0/16 or 200.23.18.0/23".]

IPv4 datagram format
[Figure: IPv4 header, 20 bytes w/o options. Field annotations: version (IPv4 vs. IPv6); type of service (deluxe or economy?); total length (header + data); identification, flags and fragment offset (for breaking large datagrams into fragments); time-to-live (decremented by each router; TTL = 0 marks end of the line); upper-layer protocol (demultiplexing: TCP (6), UDP (17)); header checksum (recalculated at each router; corrupted packets discarded).]
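As an added illustration (not from the slides), the Python below computes the 12.4.0.0/15 prefix from its mask, checks that the provider's four customer blocks aggregate under 201.10.0.0/21, and runs longest-prefix match over the Fly-By-Night-ISP / ISPs-R-Us announcements before and after Organization 1 moves; only the standard `ipaddress` module is used, and the function names are mine.

```python
import ipaddress
from typing import List, Optional, Tuple

# Two 32-bit numbers describe a network: an address and a mask (slide's values).

def prefix_length(mask: str) -> int:
    """Number of leading 1 bits in a dotted-quad mask; rejects non-contiguous masks."""
    m = int(ipaddress.IPv4Address(mask))
    length = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF:   # must look like 1...10...0
        raise ValueError(f"non-contiguous mask {mask}")
    return length

def network_of(addr: str, mask: str) -> str:
    """CIDR network number for addr/mask, e.g. 12.4.0.0 + 255.254.0.0 -> '12.4.0.0/15'."""
    return str(ipaddress.IPv4Network(f"{addr}/{prefix_length(mask)}", strict=False))

def aggregates(customers: List[str], provider: str) -> bool:
    """True if every customer block lies inside the provider's block, so the rest
    of the Internet only needs the one provider route."""
    p = ipaddress.IPv4Network(provider)
    return all(ipaddress.IPv4Network(c).subnet_of(p) for c in customers)

def longest_prefix_match(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Forwarding decision: the most specific (longest) matching prefix wins.
    table holds (prefix, next_hop) pairs in any order."""
    ip = ipaddress.IPv4Address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

# Address aggregation slide: the provider's customer blocks under 201.10.0.0/21.
PROVIDER = "201.10.0.0/21"
CUSTOMERS = ["201.10.0.0/22", "201.10.4.0/24", "201.10.5.0/24", "201.10.6.0/23"]

# "More specific address" slide: the Internet's view before and after the move.
BEFORE = [("200.23.16.0/20", "Fly-By-Night-ISP"), ("199.31.0.0/16", "ISPs-R-Us")]
AFTER = BEFORE + [("200.23.18.0/23", "ISPs-R-Us")]   # more specific /23 wins

if __name__ == "__main__":
    print(network_of("12.4.0.0", "255.254.0.0"))        # 12.4.0.0/15
    print(aggregates(CUSTOMERS, PROVIDER))               # True
    print(longest_prefix_match(BEFORE, "200.23.18.7"))   # Fly-By-Night-ISP
    print(longest_prefix_match(AFTER, "200.23.18.7"))    # ISPs-R-Us
    print(longest_prefix_match(AFTER, "200.23.16.7"))    # Fly-By-Night-ISP
```

The same longest-prefix rule is why a more specific announcement anywhere on the Internet overrides the legitimate aggregate, which is the mechanism behind the BGP incidents discussed later on this page.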


Major IP components

Time-to-Live (TTL)
o Potential robustness problem
  o Forwarding loops can cause packets to cycle forever
  o Confusing if the packet arrives much later
o Time-to-live field in packet header
  o TTL field decremented by each router on the path
  o Packet is discarded when TTL field reaches 0...
  o ...and "time exceeded" message is sent to the source

ICMP (Internet Control Message Protocol)
o IP network "feedback" messages
o Used to report problems with delivery of IP packets within IP networks, also for queries
o Encapsulated in an IP packet
o Message types: 40 assigned, 255 possible, ~25 in use
o Not authenticated!

Basic ICMP Message Types
  Type  Code  Desc                                                   Query/Error
  0     0     Echo reply, e.g. ping                                  Q
  3     1     Host unreachable                                       E
  3     3     Port unreachable (see traceroute)                      E
  8     0     Echo request, e.g. ping                                Q
  11    0     Time-to-live is zero during transit (see traceroute)   E

ICMP: traceroute
o Traceroute attempts to measure delay from source to each router along an Internet path towards destination.
o Traceroute sends ordinary messages to dest with TTLs of 1, 2, 3, ... and times them until notified of their demise. The host where the message expires phones home (type 11 code 0) with the sad news. Sends three packets for each TTL value.
o One of the datagrams will eventually make it all the way to the destination host. Because this datagram contains a UDP segment with an unlikely port number, the destination host sends a port unreachable ICMP message (type 3 code 3) back to the source. When the source receives this ICMP message, it knows it does not need to send additional probe packets.

Traceroute from gaia.cs.umass.edu (3 probes per TTL value give 3 delay measurements per hop):
1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
   (trans-oceanic link between hops 7 and 8)
8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *   (no response)
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms

ICMP: echo (a.k.a. ping)
o Source host sends an echo request ("ping", type 8 code 0)
o The destination host replies to source IP of request with echo reply ("pong", type 0 code 0)
o Data received in the echo message must be returned in the echo reply.
o How can this be abused? (ping flood!)

[fturbak@puma ~] ping cardinal.wellesley.edu
PING cardinal.wellesley.edu (149.130.136.43) 56(84) bytes of data.
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=1 ttl=64 time=1.01 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=2 ttl=64 time=0.466 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=3 ttl=64 time=0.390 ms
64 bytes from cardinal.wellesley.edu (149.130.136.43): icmp_seq=4 ttl=64 time=0.292 ms

IP Spoofing
o Nothing prevents you from physically mailing a letter with an invalid return address, or someone else's, or your own.
o Likewise, packets can be inserted in the network with invalid or other IP addresses.
o Any node can send packets pretending to be from any IP address.
o Attacker might not get replies if spoofing a host on a different subnet. For some attacks this is not important. For others, like TCP hijacking attacks, it is important.

Smurf: Overview
[Figure: Echo request with spoofed source address 172.20.20.250 to 192.168.1.255 (broadcast address of subnet 192.168.1.x). All live hosts at subnet 192.168.1.x respond with echo reply to 172.20.20.50.]

Bandwidth DoS Attacks: Smurf, Fraggle, UDP Flood
o One level of indirection
o Goal: Overwhelm the victim, leading to Denial of Service (DoS)
o Attack: Ping a broadcast address, with the (spoofed) IP of a victim as source address. All hosts on the network respond to the victim. If large subnet allows broadcasting, can get large number of responses, e.g. ~64K for 16 bit subnet.
o Mechanism: Reflection (amplification), IP spoofing and protocol vulnerability
o Implementation can be "patched" by violating the protocol specification, to ignore pings to broadcast addresses
o Fraggle is similar, using UDP echo service instead of ICMP.
o UDP Flood: send UDP packet to random victim port; generates ICMP "destination unreachable" packet to forged source address

Bandwidth DoS Attack: UDP Ping-Pong
o Attack: Spoof a packet from Victim 1's chargen service to Victim 2's echo service (chargen service replies with a UDP packet to any incoming packet)
o Goal: Computers keep replying to each other as fast as they can
[Figure: Attacker, Victim 1, Victim 2]

Evolution of DoS Attacks: DDoS
o DDoS: Distributed Denial Of Service
o Attack against bandwidth and/or resources (like before) using two (or more) levels of indirection!
  • Attacker: used to coordinate attack
  • Handler: controls subservient computers
  • Agents: Actually do the attack

Major IP components

DDoS examples
TRINOO: Sends UDP floods to random destination port numbers on victim
TFN: Sends UDP flood, TCP SYN Flood, ICMP Echo Flood, or a SMURF Attack. Master communicates to daemon using ICMP echo reply, changes IP identification number and payload of ICMP echo reply to identify type of attack to launch
TFN2k: First DDOS for windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports
STACHELDRAHT: Combination of Trinoo and TFN
Authority on analysis of DDoS is Dittrich at University of Washington: http://staff.washington.edu/dittrich/misc/ddos

IP fragmentation and reassembly
o Some link-layer protocols carry "big" packets; some do not.
o The maximum amount of data a link-layer packet can hold is called its maximum transfer unit (MTU).
o What to do when a packet arriving at the in link is too big to fit into the out link?
o Fragmentation: 1 large datagram in 3 smaller datagrams. Reassembly at destination.

Fragmentation details
o Suppose a 4000 byte datagram arriving at a router's incoming link is to be shipped out an outgoing link whose MTU equals 1500 bytes.
o One large datagram becomes several smaller datagrams:
  length  ID  fragflag  offset
  4000    x   0         0        (original datagram)
  1500    x   1         0
  1500    x   1         185
  1040    x   0         370

Fragmentation Ripe for Exploits
o Have to keep track of all fragments until packet is reassembled
o Resource allocation is necessary before all validation is possible
o Lots of fragments from different packets can exhaust available memory; perfect grounds for resource exhaustion attacks.
o Implementation is tricky. Incorrect implementations can be coaxed into crashing machine (another kind of Denial of Service attack).
  o What do you do if you never get the last missing piece?
  o What do you do when you get packets out-of-order?
  o What do you do if you get overlapping fragments?
  o What do you do if the last byte of a fragment would go over the maximum size of an IP packet, i.e., if the size of all reassembled fragments is larger than the maximum size of an IP packet?

Implementation Attack: Ping of Death
o Attack: Send ICMP echo with fragmented packets: ping -L 65510
o Maximum legal size of an ICMP echo packet: 65535 - 20 - 8 = 65507
o Fragmentation allows bypassing the maximum size: (offset + size) > 65535
o Reassembled packet would be larger than 65535 bytes
o This is a legitimate situation as per RFCs
o Goal: OS crash
See http://insecure.org/sploits/ping-o-death.html

Implementation Attack: Teardrop
o IP packet can be broken; this is called 'fragmentation'
o Fragmented (i.e. broken) packet is reassembled using offset fields
o Attack: Send fragments that overlap
o Goal: Crash, reboot and hang machine
[Figure: Normal fragment concatenation (First, then Second starting at its offset) versus overlapping fragments, where Second's offset (before) lies inside First and is moved to First's end (offset (after)); only the part past that end is copied ("Copy this").]

Teardrop: Mechanism
o Deep in the protocol implementation, in ip_fragment.c@531 (ca. 1997):

    if (prev != NULL && offset < prev->end)   // if there are overlapping fragments
    {
        i = prev->end - offset;
        offset += i;   /* ptr into datagram */
        ptr += i;      /* ptr into fragment data */
        // advance to the end of the previous fragment
    }

o Program calculates the number of bytes to copy
o Create second fragment that fits entirely within first, so offset now points outside of the second datagram's buffer!
  • fp->len = end - offset;
  • Very large unsigned number! Can write a huge number of bytes in places they're not supposed to be, causing machine to crash.
[Figure: First and Second fragments with prev->end, offset and end marked; after the adjustment, offset lies beyond Second's end.]

Attack classifications
Effect
o Bandwidth depletion: Flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the victim system
o Resource depletion: Tie up the resources of a victim host or crash victim.
Vector
o Direct: attacking host sends directly to victim machine
o Reflector (indirect): Intermediate nodes are used as attack hosts
Mechanism
o Protocol design
o Protocol implementation
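An added example, not from the slides: Python that reproduces the 4000-byte/1500-MTU fragment table, validates a fragment set against the malformed cases described above (offset + size beyond 65535, an overlapping fragment, a missing piece) before any buffer is reserved, and mirrors the unsigned `end - offset` arithmetic of the ip_fragment.c snippet; the function names and the sample fragment tuples are my own construction.

```python
from typing import List, Tuple

MAX_IP = 65535   # largest IPv4 datagram, header included
IP_HDR = 20      # header length without options

Fragment = Tuple[int, int, int, int]   # (length, id, fragflag, offset) as in the slide's table

def fragment(total_len: int, mtu: int, ident: int) -> List[Fragment]:
    """Split a total_len-byte datagram (20-byte header + data) for a link with the
    given MTU. Offsets count 8-byte units, so each fragment's data size is rounded
    down to a multiple of 8; 4000 bytes over a 1500 MTU gives the slide's table."""
    data = total_len - IP_HDR
    max_chunk = (mtu - IP_HDR) // 8 * 8
    frags, pos = [], 0
    while pos < data:
        chunk = min(max_chunk, data - pos)
        more = pos + chunk < data            # fragflag = 1 unless this is the last piece
        frags.append((chunk + IP_HDR, ident, int(more), pos // 8))
        pos += chunk
    return frags

def check_reassembly(frags: List[Fragment]) -> str:
    """Sanity-check a fragment set before reserving a reassembly buffer. Returns
    'ok' or the reason to discard: oversize (Ping of Death), overlap (Teardrop),
    a gap (a piece never arrived) or a missing final fragment."""
    ordered = sorted(frags, key=lambda f: f[3])          # by offset
    end_of_prev = 0
    for length, _ident, _flag, offset in ordered:
        start = offset * 8
        end = start + (length - IP_HDR)
        if end > MAX_IP:
            return "oversize: offset + size exceeds 65535 (Ping of Death)"
        if start < end_of_prev:
            return "overlap: fragment begins inside the previous one (Teardrop)"
        if start > end_of_prev:
            return "gap: a fragment is missing"
        end_of_prev = end
    if ordered[-1][2] == 1:
        return "incomplete: last fragment still has the more-fragments flag set"
    return "ok"

def buggy_copy_len(prev_end: int, offset: int, end: int) -> int:
    """Mirror the 1997 ip_fragment.c arithmetic: on overlap the new fragment's
    offset is advanced to prev->end, then len = end - offset is stored unsigned.
    If the new fragment ends inside the previous one, the subtraction wraps."""
    if offset < prev_end:
        offset = prev_end                  # i = prev->end - offset; offset += i
    return (end - offset) & 0xFFFFFFFF     # 32-bit unsigned, as the kernel stored it

if __name__ == "__main__":
    frags = fragment(4000, 1500, ident=0x1234)
    print(frags)                 # [(1500, 4660, 1, 0), (1500, 4660, 1, 185), (1040, 4660, 0, 370)]
    print(check_reassembly(frags))                                  # ok
    print(check_reassembly([(1500, 1, 1, 0), (1500, 1, 0, 8180)]))  # constructed: oversize
    print(check_reassembly([(1500, 1, 1, 0), (120, 1, 0, 4)]))      # constructed: overlap
    print(buggy_copy_len(prev_end=1480, offset=32, end=120))        # 4294965936
```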

Major IP components

Routing Protocols
[Figure: three autonomous systems, AS1, AS2, AS3, connected by routers.]
o For scalability reasons, networks are decomposed into Autonomous Systems (ASes). ISP may have one or many of these.
o The forwarding tables that routers use to forward packets are determined by two kinds of routing protocols:
  • Intra-AS routing protocols (e.g., RIP, OSPF) for internal dests.
  • Inter-AS routing protocols (e.g., BGP) for external dests.

BGP: AS Advertisements
o BGP allows subnet to advertise "I am here" to rest of Internet.
o BGP determines "good" routes to subnets based on reachability information and policy.
o When AS2 advertises a prefix to AS1:
  • AS2 promises it will forward datagrams towards that prefix.
  • AS2 can aggregate prefixes in its advertisement
o AS2 advertises to AS1: Destination: 138.16.64/24; AS-PATH: AS2; NEXT-HOP: IP address of 2a's interface to AS3.
o AS1 advertises to AS3: Destination: 138.16.64/24; AS-PATH: AS1, AS2; NEXT-HOP: IP address of 1c's interface to AS3.

BGP Routing Policy
[Figure legend: provider networks A, B, C; customer networks W, X, Y.]
o Inter-AS routing determined by a combination of performance and policy.
o Suppose X does not want to route from B via X to C. Then it will not advertise to B a route to C
o Suppose A advertises path AW to B and B advertises path BAW to X. Should B advertise path BAW to C?
  • No way! B wants to route only to/from its customers! B gets no "revenue" for routing CBAW since neither W nor C are B's customers
  • Instead, B wants to force C to route to W via A

BGP Insecurities
o Problem: ISPs can share bad BGP advertisements with rest of Internet
o Dec. 24, 2004: TTNet in Turkey accidentally pretends to be entire Internet. All traffic is routed there, but can't be handled, so there are widespread Internet outages.
o Jan 22, 2006: ConEdison accidentally "steals" several net prefixes by making false BGP advertisements.
o Feb 26, 2008: Pakistan Telecommunication Authority orders country's ISPs to block YouTube for anti-Islamic video. They create BGP advertisements that redirect YouTube's IP address to nonexistent destinations. These advertisements are given to service provider, Hong Kong's PCCW, which doesn't validate it, and shares it with other ISPs. Since they were more precise than YouTube's own advertisements, they take precedence and effectively block YouTube from world ("YouTube outage underscores big Internet problem", http://www.infoworld.com/print/32702; renesys blog, http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml)
o Thus far, BGP-caused outages have been accidental, but similar attacks from governments and criminals possible.

Daniel Bilar's Summary
o The 'glue' of the Internet (TCP/IP protocol and associated services like DNS) was predicated towards communication (and limited recovery from random errors, i.e. noise)
o Security (confidentiality, authentication, recovery from deliberate errors, i.e. attacks) was an afterthought
o As such, strong assumptions were made while designing, implementing and running the protocols
  • This makes attacks against the TCP/IP protocol and implementation, as well as network services such as DNS, relatively easy and feasible

Link Layer

The link layer
o The transport layer provides communication of segments between two processes.
o The network layer provides communication of datagrams between two hosts.
o The link layer provides communication of frames between two network nodes (routers or hosts) connected by a link (i.e. can communicate directly with each other).
[Figure: the protocol stack again, with "You are here!" pointing at the link layer. Application: HTTP, FTP, SMTP, POP3, IMAP, DNS. Transport: UDP, TCP. Network: IP. Link: Ethernet, 802.11 WiFi.]

Link layer protocols
o Lots of them, including Ethernet, 802.11 wireless LAN (WiFi), token ring, PPP, HDLC, and ATM.
o Different links in a path may use different protocols.
o Responsibilities include one or more of following:
  • framing, link access
  • reliable delivery
  • flow control
  • bit-level error detection (and possibly error correction).
  • half-duplex vs. full-duplex.

Adapters
o The link-layer protocol is implemented in an adapter, a board containing RAM, DSP chips, host bus interface, and a link interface.

Multiple Access Protocols
Key technical problem: when two or more nodes transmit frames at the same time, the frames collide and both transmissions are lost. There are several solutions to this problem, which involve detecting collisions and retransmitting. See CS242 for details.

LAN Addressing
o LANs transmit frames over a broadcast channel using LAN addresses.
o On the receiving end,
  o If a destination address matches the node's LAN address it extracts the network-layer datagram and passes it up the protocol stack.
  o If the destination address doesn't match, the node discards the frame.

MAC address
o A LAN node's MAC (Medium Access Control) address (a.k.a. physical, Ethernet or LAN address) properly belongs to its adapter.
o Generally 48 bits long, the address is intended to be a permanent unique ID burnt into the adapter's ROM. (But we'll see that in practice it's changeable!)
o LAN addresses have a flat structure (portable), as opposed to the IP hierarchical structure (routable).
o For Ethernet and token-passing LANs, broadcast MAC address is a string of 48 1s: FF-FF-FF-FF-FF-FF.
o IEEE manages address space; allocates 1st 24 bits to manufacturers, who can use last 24 bits

MAC Address vs. IP Address
o MAC addresses: "Physical address", Layer 2
  o Hard-coded in ROM of network interface card
  o Similar to social security number (almost unique, immutable)
  o ...but flat name space of 48 bits (e.g., 00-0E-9B-6E-49-76)
  o Stays the same when host moves
  o Used to get packet between interfaces on same network
o IP addresses: "Logical address", Layer 3
  o Can be configured manually or learned dynamically
  o Similar to postal mailing address (change of address is easy)
  o Hierarchical name space of 32 bits (e.g., 12.178.66.9)
  o May change depending on where the host is attached
  o Used to get a packet to any destination IP subnet

Example: MAC/IP addresses
[Figure: LAN 137.196.7.0/24 with nodes at 137.196.7.78, 137.196.7.23, 137.196.7.14 and 137.196.7.88, each drawn with its NIC adapter with MAC address (1A-2F-BB-76-09-AD, 71-65-F7-2B-08-53, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98).]

ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
o Each IP node (host, router) on LAN has ARP table
o ARP table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
o TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

ARP protocol: Same LAN (network)
o A wants to send datagram to B, and B's MAC address not in A's ARP table.
o A broadcasts ARP query packet, containing B's IP address
  o dest MAC address = FF-FF-FF-FF-FF-FF
  o all machines on LAN receive ARP query
o B receives ARP packet, replies to A with its (B's) MAC address
  o frame sent to A's MAC address (unicast)
o A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  o soft state: information that times out (goes away) unless refreshed
o ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Addressing: routing to another LAN
o send datagram from A to B via R
  o assume A knows B's IP address
  o two ARP tables in router R, one for each IP network (LAN)
  o Should A address the message to B's physical address, 49-BD-D2-C7-56-2A?
[Figure: host A (111.111.111.111, 74-29-9C-E8-FF-55) and host 111.111.111.112 (CC-49-DE-D0-AB-7D) on one LAN; router R with interfaces 111.111.111.110 (E6-E9-00-17-BB-4B) and 222.222.222.220 (1A-23-F9-CD-06-9B); host B (222.222.222.222, 49-BD-D2-C7-56-2A) and host 222.222.222.221 (88-B2-2F-54-1A-0F) on the other LAN.]
o A creates IP datagram with source A, destination B
o A uses ARP to get R's MAC address for 111.111.111.110
o A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
o A's NIC sends frame
o R's NIC receives frame
o R removes IP datagram from Ethernet frame, sees it's destined to B
o R uses ARP to get B's MAC address
o R creates frame containing A-to-B IP datagram, sends to B

Dynamic Host Configuration Protocol (DHCP)

DHCP: Bootstrapping
o Host doesn't have an IP address yet
  o So, host doesn't know what source address to use
o Host doesn't know who to ask for an IP address
  o So, host doesn't know what destination address to use
o Solution: Shout to discover server who can help
  o Broadcast a server-discovery message
  o Server sends a reply offering an address

DHCP client-server interaction
[Figure: hosts on a LAN exchanging messages with a DHCP server.]

Network address translation (NAT)

NAT problems
Used to set up small LAN network behind a single IP address (home/small business)
o Port numbers are meant for addressing processes, not for addressing hosts.
o Routers are supposed to process packets only up to layer 3.
o NAT protocol violates the so-called "end-to-end argument"; that is, hosts should be talking directly with each other, without interfering nodes modifying IP addresses and port numbers.
o Interferes with P2P applications: peers behind a NAT cannot act as server and accept TCP connections.

Ethernet

o Invented in mid 1970s by Bob Metcalfe and David Boggs at Xerox PARC.
o Ethernet has dominated the LAN market because:
  • First LAN technology to be widely deployed.
  • Generally cheaper and simpler than its competitors (token rings, ATM, FDDI = Fiber Distributed Data Interface),
  • Always managed to maintain comparable data rates with emerging technologies: 10 Mbps to 10 Gbps
[Figure: Metcalfe's Ethernet sketch]

Ethernet frame structure
[Figure: Ethernet frame with its fields annotated as follows.]
o Preamble: Seven bytes of 10101010 and one byte of 10101011; used to synchronize sender & receiver clock rates
o MAC addresses, 6 bytes each; receiving adapter discards unless it matches dest. address or broadcast address (except if in promiscuous mode for sniffing!)
o Type: Two bytes used for multiplexed network-layer protocols; who do I pass the data up to? Usually IP, but could also be AppleTalk, Novell IPX, DecNet, ...
o Data: Carries IP datagram; has MTU of 1500 bytes and minimum of 46 (if less, it is stuffed)
o CRC: Our friend from previous lecture. 4 bytes; if error detected, frame dropped

Physical Layer: Buses
o In early Ethernet implementations, nodes were "tapped into" coaxial cable
o Remained popular through mid 90s
o All nodes in same collision domain (can collide with each other)
o Limitation in bus length (often only up to 100 meters)
o Cable problems can cut off one part of network from another.

Physical Layer: Repeaters
o Distance limitation in local-area networks
  • Electrical signal becomes weaker as it travels
  • Propagation delays interfere with collision detection
o Repeaters join LANs together
  • Analog electronic device
  • Continuously monitors electrical signals on each LAN
  • Transmits an amplified copy
o Example:
  • Without repeater, 10Base2 is limited to 30 nodes and 185 meters.
  • Up to four repeaters can be used to create a bus up to 925 meters.
[Figure: a repeater joining two bus segments]

Physical Layer: Hubs
o Hub is an unsophisticated broadcast device; when bit received on any link, broadcast it to all links at same rate.
o Often (but not always) amplifies signal, so can act like a repeater.
o Operates at the physical layer; does not examine frames or buffer them.
o Permits star topology in which each host connected separately to hub, reducing impact of wire problems.
o Multiple hubs can be used to form a tree.
[Figure: a tree of hubs]

Limitations of Repeaters and Hubs
o One large collision domain
  • Every bit is sent everywhere
  • So, aggregate throughput is limited
  • E.g., three departments each get 10 Mbps independently ... and then connect via a hub and must share 10 Mbps
o Cannot support multiple LAN technologies
  • Does not buffer or interpret frames
  • So, can't interconnect between different rates or formats, e.g., 10 Mbps Ethernet and 100 Mbps Ethernet
o Limitations on maximum nodes and distances
  • Does not circumvent the limitations of shared media

Link Layer: Switches
o Unlike "dumb" hubs, switches are smart and active,
  • examine incoming frame's MAC address, selectively forward frame to one-or-more outgoing links
  • when frame is to be forwarded on link, uses CSMA/CD to access link
  • buffers frames, allowing links with different bandwidths
  • Also called bridges; sometimes "switch" used when connecting hosts and "bridge" used when connecting LANs.
o transparent
  • hosts are unaware of presence of switches
o plug-and-play, self-learning
  • switches do not need to be configured

Switches: Traffic Isolation
o Breaks subnet into LAN segments
o Filters packets
  • Frame only forwarded to the necessary segments
  • Segments become separate collision domains
o concurrent communication
  • Host A can talk to C, while B talks to D, without collisions!
[Figure: a switch/bridge connecting three hubs, with hosts A, B, C and D attached through them; each hub is its own collision domain.]

Switch Table
Q: how does switch know that A' reachable via interface 4, B' reachable via interface 5?
A: each switch has a switch table, each entry:
  (MAC address of host, interface to reach host, time stamp)
  • looks like a routing table!
Q: how are entries created, maintained in switch table?
  • Self-learning rather than routing protocols or manual configuration.
[Figure: switch with six interfaces (1,2,3,4,5,6); hosts A, B, C on interfaces 1, 2, 3 and A', B', C' on interfaces 4, 5, 6.]

Switch: self-learning
o switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table
[Figure: A sends a frame with Source: A, Dest: A' into interface 1. The switch table (initially empty) gains one entry:
  MAC addr  interface  TTL
  A         1          60]

Switch: frame filtering/forwarding
When frame received:
  1. record link associated with sending host
  2. index switch table using MAC dest address
  3. if entry found for destination then {
       if dest on segment from which frame arrived
         then drop the frame
         else forward the frame on interface indicated
     }
     else flood (forward on all but the interface on which the frame arrived)

Self-learning, forwarding: example
o frame destination unknown: flood
o destination A location known: selective send
[Figure: A sends Source: A, Dest: A' on interface 1; the switch floods it on interfaces 2-6. A' replies with Source: A', Dest: A on interface 4; the switch forwards it on interface 1 only. The switch table (initially empty) now reads:
  MAC addr  interface  TTL
  A         1          60
  A'        4          60]
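An added example (not from the slides) that implements the filtering/forwarding rules above as a small Python simulation with TTL-based aging, replays the A to A' and A' to A exchange, and, assuming a fixed-capacity table that stops learning once full, shows why a saturated table makes the switch flood like a hub (the MAC-flooding caveat on the sniffing defenses slide); the class and function names are mine.

```python
from typing import Dict, List, Optional, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"

class LearningSwitch:
    """A switch with numbered interfaces and a self-learning table mapping
    MAC address -> (interface, expiry time), following the slide's algorithm."""

    def __init__(self, interfaces: List[int], ttl: float = 60.0,
                 max_entries: Optional[int] = None):
        self.interfaces = interfaces
        self.ttl = ttl                   # seconds an entry lives without refresh
        self.max_entries = max_entries   # assumption: a full table simply stops learning
        self.table: Dict[str, Tuple[int, float]] = {}

    def lookup(self, mac: str, now: float) -> Optional[int]:
        """Interface for mac, forgetting the entry if its TTL has run out."""
        entry = self.table.get(mac)
        if entry is None:
            return None
        iface, expires = entry
        if expires <= now:
            del self.table[mac]
            return None
        return iface

    def receive(self, src: str, dst: str, in_iface: int, now: float) -> List[int]:
        """Process one frame arriving on in_iface; return the interfaces it leaves on."""
        # 1. record link associated with sending host (refresh TTL if already known)
        if src in self.table or self.max_entries is None or len(self.table) < self.max_entries:
            self.table[src] = (in_iface, now + self.ttl)
        # 2. index switch table using MAC dest address
        out = None if dst == BROADCAST else self.lookup(dst, now)
        # 3. entry found: drop if dest is on the arrival segment, else forward there
        if out is not None:
            return [] if out == in_iface else [out]
        # else flood: every interface except the one the frame arrived on
        return [i for i in self.interfaces if i != in_iface]


def slide_example() -> Dict[str, List[int]]:
    """Replay the slide: A -> A' is flooded, the reply A' -> A is sent selectively."""
    sw = LearningSwitch([1, 2, 3, 4, 5, 6])
    first = sw.receive("A", "A'", in_iface=1, now=0.0)   # A' unknown: flood 2..6
    reply = sw.receive("A'", "A", in_iface=4, now=1.0)   # A known on 1: send there only
    again = sw.receive("A", "A'", in_iface=1, now=2.0)   # A' now known on 4
    return {"first": first, "reply": reply, "again": again}


def full_table_example() -> List[int]:
    """Why a saturated table pushes a switch toward hub behaviour: with the table
    filled by other (constructed) addresses, host B is never learned, so frames
    addressed to B keep being flooded onto every segment."""
    sw = LearningSwitch([1, 2, 3], max_entries=2)
    sw.receive("X1", BROADCAST, in_iface=3, now=0.0)
    sw.receive("X2", BROADCAST, in_iface=3, now=0.0)     # table is now full
    sw.receive("B", "A", in_iface=2, now=1.0)            # B cannot be learned
    return sw.receive("A", "B", in_iface=1, now=2.0)     # still flooded: [2, 3]


if __name__ == "__main__":
    print(slide_example())       # {'first': [2, 3, 4, 5, 6], 'reply': [1], 'again': [4]}
    print(full_table_example())  # [2, 3]
```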

Interconnecting switches
o switches can be connected together
[Figure: switches S1, S2, S3, S4 interconnected, with hosts A, B, C, D, E, F, G, H, I attached to their numbered interfaces.]
Q: sending from A to G: how does S1 know to forward frame destined to F via S4 and S3?
A: self learning! (works exactly the same as in single-switch case!)

Self-learning multi-switch example
Suppose C sends frame to I, I responds to C
[Figure: the same four-switch topology.]
Q: show switch tables and packet forwarding in S1, S2, S3, S4

Switches: Advantages Over Hubs/Repeaters
o Only forwards frames as needed
  • Filters frames to avoid unnecessary load on segments
  • Sends frames only to segments that need to see them
o Extends the geographic span of the network
  • Separate collision domains allow longer distances
o Improves privacy by limiting scope of frames
  • Hosts can "snoop" the traffic traversing their segment but not all the rest of the traffic
o Applies carrier sense and collision detection
  • Does not transmit when the link is busy
  • Applies exponential back-off after a collision
o Joins segments using different technologies
  • E.g., can join 10 Mbps Ethernet and 100 Mbps Ethernet

Switches: Disadvantages Over Hubs/Repeaters
o Delay in forwarding frames
  • Bridge/switch must receive and parse the frame and perform a look-up to decide where to forward
  • Storing and forwarding the packet introduces delay
o Need to learn where to forward frames
  • Bridge/switch needs to construct a forwarding table
  • Ideally, without intervention from network administrators
o Higher cost
  • More complicated devices that cost more money

Key Vulnerability of Link/Physical Layers: Sniffing

Wireless Sniffing in a Hotel
Wireless access points in public places are often unsecured.

Wireless Sniffing in a Dormitory
Even though many dorm rooms have wired internet access, students prefer the convenience of wireless access. But this is often much less secure!

Switch prevents simple sniffing

ARP spoofing foils switch protection

Sniffing Defenses
Wired world:
o Use switches rather than hubs. But still problems
  • ARP spoofing/cache poisoning
  • MAC flooding (overflow ARP table, causing switch to act like hub instead).
o Encrypt traffic, e.g. SSH, SSL/TLS, etc.
Wireless world:
o Encrypt traffic
  • Wired Equivalent Privacy (WEP) is easily crackable
  • Wi-Fi Protected Access (WPA) is much stronger

Scanning for Access Points

War Driving
Old days: war dialing to find modems connected to intranet networks
Today: war driving to find unsecured access points, especially rogue access points connected to organization intranet

World Wide War Drive
                                 2001     2002     % Change
  WEP Disabled                   69.86%   72.07%   +2.21%
  SSIDs Default                  29.53%   35.24%   +5.71%
  Default SSID AND WEP Disabled  26.64%   31.44%   +4.8

War Driving in Wellesley
Reema Siyam '03, Erin Stadler '03
Outfitted with a Sony Vaio, a Lucent Orinoco wireless network, a MaxRad antenna, and Netstumbler software, we jumped into a car with the antenna on the roof and were on our way to find some networks.
  Default SSIDs   31 of 55   56.4%
  WEP disabled    41 of 55   74.5%

Wireless Protection
o Require supplicant to authenticate by MAC address and/or password (but MAC addresses can be spoofed).
o Put wireless access points outside organization firewall.