SLIDE 1

Network layer (IP)

SLIDE 2

Network layer

  • Send datagram from one host to another
  • Network layer protocols in every host, router

Portland State University CS 430P/530 Internet, Web & Cloud Systems

SLIDE 3

Network layer functions

  • Connection support
  • Delivery semantics
  • Security
  • Demux to upper layer
  • Routing
  • Addressing
  • Many historical examples, but only one really matters…

SLIDE 4

The Internet network layer

Host, router network layer functions:

  • Routing protocols
    • path selection
    • RIP, OSPF, BGP
  • IP protocol
    • addressing conventions
    • datagram format
    • packet handling conventions
  • ICMP protocol
    • error reporting
    • router "signaling"
  • forwarding table

[Figure: protocol stack with the transport layer (TCP, UDP) above the network layer and the link and physical layers below it]

SLIDE 5

IP datagram format

[Figure: IPv4 header laid out 32 bits wide, followed by the data]

  • ver: IP protocol version number
  • head. len
  • type of service
  • length
  • 16-bit identifier, flgs, fragment offset
  • time to live: remaining hops (decremented at each router)
  • upper layer: upper layer protocol to deliver payload to
  • Internet checksum
  • 32 bit source IP address
  • 32 bit destination IP address
  • Options (if any)
  • data (variable length, typically a TCP or UDP segment)

SLIDE 6

IP connection setup

  • Hourglass design
  • No support for network layer connections
    • Datagram service
    • Connection semantics only at higher layer
  • Compare to phone network…

SLIDE 7

IP delivery semantics

  • No reliability guarantees
  • No ordering guarantees
  • No broadcast (255.255.255.255 not forwarded)
  • No multicast (supported in address space, but no longer used)
    • 224.0.0.0 to 239.255.255.255
  • Mostly unicast
  • Recently, anycast
    • IP address that has many machines associated with it
    • "Reach any one of them"
    • Done with some routing protocol hacks…

SLIDE 8

Example: Cloudflare's 1.1.1.1

SLIDE 9

IP security

  • Weak support for integrity
    • IP header checksum
    • Leaves data integrity to TCP/UDP
  • No support for secrecy
  • No support for authenticity
    • Even source IP address can be faked!
    • Hosts trusted to provide legitimate address in packets (leads to IP spoofing attacks)
  • IPsec
    • Retrofit IP network layer with encryption and authentication
    • Similar issues as with WPA
    • On other side of IPsec, payload decrypted

SLIDE 10

IP demux to upper layer

  • Protocol type field (e.g. next innermost doll)
  • Control messaging
    • 1 = ICMP
  • Transport layers
    • 6 = TCP
    • 17 = UDP
  • Tunneling (often used to create virtual networks on cloud platforms)
    • 41 = IPv6 encapsulation within IPv4
    • 47 = GRE (Generic Routing Encapsulation)
  • Routing
    • 88 = EIGRP
    • 89 = OSPF

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

SLIDE 11

IP routing

  • Internet routing done via hop-by-hop forwarding based on destination IP address
  • Each router builds forwarding table of…
    • Destination IP => Next-Hop IP address
  • Each router runs a routing protocol and algorithm to create forwarding table

SLIDE 12

Routing protocols and algorithms

  • Graph abstraction for routing algorithms:
  • Routing algorithms find minimum cost paths through graph
  • Goal: determine "good" path (sequence of routers) thru network from source to dest.

[Figure: graph of routers A, B, C, D, E, F with link costs 2 2 1 3 1 1 2 5 3 5]

SLIDE 13

Two main kinds of routing algorithms

Link-state algorithms

  • e.g. Dijkstra's shortest-path algorithm
  • Global information
    • Broadcast link cost information to all routers in network
    • Have each router calculate shortest path to destinations
  • Typically done on smaller, edge networks

Distance-vector algorithms

  • e.g. Bellman-Ford algorithm
  • Decentralized information
    • Router knows physically-connected neighbors, link costs to neighbors
    • Iteratively exchange information with neighbors and recompute routes
  • Done within and between large, backbone networks

Details in CS 494/594

SLIDE 14

Routing issue #1: Scale

  • Flat routing doesn't scale
    • 200 million+ destinations
  • Storage
    • Can't store all dest's in routing tables
  • Computation
    • Algorithms perform poorly at that scale
  • Bandwidth
    • Link and routing table exchanges would swamp links!

SLIDE 15

Routing issue #2: Autonomy

  • Network admins need to control routing in the networks they manage
  • Require administrative autonomy
  • Require isolation of networks from each other
    • Route changes within PSU should be hidden from anyone outside of PSU
  • Motivates…

SLIDE 16

Internet routing hierarchy

  • Key observation
    • Need less information with increasing distance to destination
    • Saves table size and reduces update traffic
  • Implemented via "autonomous systems" (AS)
    • Network divided into regions with administrative autonomy
  • Within AS
    • Routers run same routing protocol
      • "Intra-AS" or Interior Gateway routing protocol (IGP)
    • Each node has routes to every other node in area
    • Each node has routes to get to any nodes outside of area
      • Done via a "border router"
      • Packets destined outside of area routed to nearest appropriate border router
  • Between ASes
    • Border routers run "Inter-AS" or Border Gateway routing protocol (BGP) with border routers in other ASes

SLIDE 17

Internet routing hierarchy example

  • Addresses in B combined into single route entry pointing to B.a
  • Addresses in C combined into single route entry pointing to C.b
  • Addresses in A combined into two route entries pointing to A.a and A.c
  • Nodes in A, B, and C have no information about individual nodes in other ASes (only an aggregate route to them)
  • Routing done between aggregates

[Figure: ASes A, B and C, each with nodes a, b, c (and d); border routers A.a, A.c, B.a and C.b]

SLIDE 18

Internet routing hierarchy

  • At top of hierarchy: "tier-1" ISPs
    • Verizon, Sprint, CenturyLink, AT&T, Cable and Wireless, Google
    • National/international coverage
    • Peer with each other in multiple geographic locations in major cities
  • ISPs at any tier with a well-known, unique "AS number"
    • AS numbers, the IP addresses they "own", and their location/country well-known
    • Important for attribution of attacks and mistakes

SLIDE 19

Example Tier-1 ISP: Level 3 / CenturyLink

  • We made the list!
  • Cocktail party question
    • Which building do most of Portland's packets go through?

SLIDE 20

[Image-only slide]

SLIDE 21

  • Named after the same Pittock with the mansion
    • Wanted former home to host something cool in the early 1900s
    • Turned into an electrical substation that was housed in an enormous (and infamous) sub-basement
      • https://cabel.com/2012/12/19/the-basement/
      • http://www.oregonlive.com/silicon-forest/index.ssf/2012/12/the_basement_subterranean_visi.html
      • http://www.oregonlive.com/portland/index.ssf/2001/05/historic_pittock_building_hous.html
  • Hosts the NW Access Exchange (where PSU peers with Google)
    • https://www.nwax.net/Members

SLIDE 22

[Image-only slide]

SLIDE 23

Internet routing hierarchy

  • "Tier-2" ISPs: smaller (often regional) ISPs
  • "Tier-3" ISPs and local ISPs

[Figure: tier-1 ISPs at the top, tier-2 ISPs below them, tier-3 and local ISPs at the bottom]

SLIDE 24

Internet structure: network of networks

  • a packet passes through many networks!

[Figure: same tier-1 / tier-2 / tier-3 / local ISP hierarchy as the previous slide]

SLIDE 25

Inter-AS routing

  • Routing in between different autonomous systems in hierarchy
  • Done using BGP (Border Gateway Protocol)
    • Uses distance-vector style algorithms
    • Treats each AS as a node in a graph
    • Each AS has a route that aggregates all destinations within it (for scale)
  • BGP messages exchanged using TCP
    • Simplifies BGP, but…

SLIDE 26

Routing issue #3: Trust

  • Authentication not part of TCP/IP
    • BGP TCP spoofing attack
    • Bogus route advertisements
  • Route advertisements are not authenticated (no public-key infrastructure)
  • Result: Anyone can advertise a route to a site in order to redirect traffic towards itself!

SLIDE 27

IP addressing

  • IP address:
    • 32-bit identifier for host/router network interface
    • Specified by 4 individual bytes from 0 to 255 (0x00 to 0xFF)
    • Recall CS 201: What is the total number of addresses available for use?
  • IP addresses associated with an interface, not host or router
    • Routers typically have multiple interfaces
    • Host may have multiple interfaces (both real and virtual!)

  131.252.220.1 = 10000011 11111100 11011100 00000001

SLIDE 28

IP addressing

  • Aggregation done to support routing scalability
  • IP address split into two
    • Network part (high order bits)
    • Host part (low order bits)
  • What's a network?
    • all interfaces that can physically reach each other without intervening router
    • each interface shares the same network part of IP address

[Figure: LAN consisting of 3 IP networks with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.9; 223.1.3.1, 223.1.3.2, 223.1.3.27 (for IP addresses starting with 223, first 24 bits are network address)]

SLIDE 29

IP addressing and networks via CIDR

  • Classless Inter-Domain Routing
    • Network part of IP address can be arbitrarily sized
    • Done throughout routing infrastructure to implement hierarchy
  • Mechanism
    • Aggregate adjacent addresses together (supernet)
    • Split adjacent addresses apart (subnet)
    • Single integer specifies the demarcation between network and host parts
    • Notation: <network prefix>/<bits in prefix>
    • Host range is a power of 2 ranging from all 0s to all 1s.

  200.23.16.0/23 = 200.23.16.0 to 200.23.17.255 (512 addresses)

  11001000 00010111 0001000|0 00000000   (200.23.16.0)
  11001000 00010111 0001000|1 11111111   (200.23.17.255)

  variable network part to the left of |, host part to the right

SLIDE 30

Subnetting walkthrough

  • Take large block and split into smaller sub-networks
  • Example: Split the following network into 4 equal subnetworks
    • 131.252.0.0/22
  • Expand out address…

    10000011 . 11111100 . 00000000 . 00000000

  • Q1: How many hosts are on this network?
  • Q2: How many hosts will be on each subnetwork?
  • Split into 4 parts using next 2 significant bits

    10000011 . 11111100 . 00000000 . 00000000
    10000011 . 11111100 . 00000001 . 00000000
    10000011 . 11111100 . 00000010 . 00000000
    10000011 . 11111100 . 00000011 . 00000000

  • Solution
    • 131.252.0.0/24
    • 131.252.1.0/24
    • 131.252.2.0/24
    • 131.252.3.0/24

SLIDE 31

Subnetting problem

  • With the person sitting next to you, split the following network into 16 equal subnetworks
    • 131.252.128.0/17
    • 10000011 . 11111100 . 10000000 . 00000000

SLIDE 32

Supernetting walkthrough

  • Take small blocks and combine to reduce routes (supernetting)
  • Combine the following class C networks into one larger network
    • 131.252.0.0/24    10000011.11111100.00000000.*
    • 131.252.1.0/24    10000011.11111100.00000001.*
  • Answer: 131.252.0.0/23    10000011.11111100.0000000*.*

SLIDE 33

Supernetting walkthrough

  • Can you combine the following class C networks into a larger /23?
    • 131.252.1.0/24    10000011.11111100.00000001.*
    • 131.252.2.0/24    10000011.11111100.00000010.*
  • No, they do not share the same address prefix!
  • Ranges must be aligned properly to be supernetted.
  • Only (131.252.0.0/24 + 131.252.1.0/24) and (131.252.2.0/24 + 131.252.3.0/24) can be combined into a larger /23.
    • 131.252.0.0/23    10000011.11111100.00000000.*  10000011.11111100.00000001.*
    • 131.252.2.0/23    10000011.11111100.00000010.*  10000011.11111100.00000011.*

SLIDE 34

Supernetting problem

  • With person sitting next to you, combine the following class C networks into one larger network
    • 131.252.0.0/24
    • 131.252.1.0/24
    • 131.252.2.0/24
    • 131.252.3.0/24
    • 131.252.4.0/24
    • 131.252.5.0/24
    • 131.252.6.0/24
    • 131.252.7.0/24
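The subnetting and supernetting walkthroughs above (slides 30 to 34) carried out with plain integer arithmetic, including the alignment rule that rejects 131.252.1.0/24 + 131.252.2.0/24. This is an added example, not course code; it goes beyond the slides by handling any power-of-two split or merge, and the standard-library cross-check is an assumption of the example rather than something the slides use.

```python
from ipaddress import IPv4Network   # used only to cross-check the hand-rolled arithmetic


def to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Expand an address the way the slides do: four 8-bit groups separated by ' . '."""
    n = to_int(dotted)
    return " . ".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_mask(bits: int) -> int:
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def parse_cidr(cidr: str):
    """Return (network as int, prefix length); reject prefixes with host bits set."""
    addr, bits = cidr.split("/")
    bits, net = int(bits), to_int(addr)
    if not 0 <= bits <= 32:
        raise ValueError("prefix length out of range in %s" % cidr)
    if net & ~prefix_mask(bits) & 0xFFFFFFFF:
        raise ValueError("host bits set in %s" % cidr)
    return net, bits


def address_count(cidr: str) -> int:
    """Size of the host range: a power of two running from all 0s to all 1s."""
    _, bits = parse_cidr(cidr)
    return 1 << (32 - bits)


def subnet(cidr: str, parts: int) -> list:
    """Split a block into `parts` equal subnetworks by borrowing the next log2(parts) bits."""
    net, bits = parse_cidr(cidr)
    extra = parts.bit_length() - 1
    if parts != 1 << extra or bits + extra > 32:
        raise ValueError("cannot split %s into %d equal parts" % (cidr, parts))
    size = 1 << (32 - bits - extra)             # addresses per subnetwork
    return ["%s/%d" % (to_dotted(net + i * size), bits + extra) for i in range(parts)]


def supernet(cidrs: list) -> str:
    """Combine equal-sized, contiguous blocks into one route; fail if they are misaligned."""
    nets = sorted(parse_cidr(c) for c in cidrs)
    bits = nets[0][1]
    if any(b != bits for _, b in nets):
        raise ValueError("blocks must all be the same size")
    extra = len(nets).bit_length() - 1
    if len(nets) != 1 << extra:
        raise ValueError("need a power-of-two number of blocks")
    new_bits = bits - extra
    first = nets[0][0]
    # The combined block must start on a boundary of its own size (the rule on slide 33).
    if first & ~prefix_mask(new_bits) & 0xFFFFFFFF:
        raise ValueError("%s/%d is not aligned to a /%d boundary"
                         % (to_dotted(first), bits, new_bits))
    size = 1 << (32 - bits)
    if [n for n, _ in nets] != [first + i * size for i in range(len(nets))]:
        raise ValueError("blocks are not contiguous")
    return "%s/%d" % (to_dotted(first), new_bits)


def matches_stdlib(cidr: str, parts: int) -> bool:
    """Cross-check subnet() against the standard library's own subnetting."""
    extra = parts.bit_length() - 1
    expected = [str(n) for n in IPv4Network(cidr).subnets(prefixlen_diff=extra)]
    return subnet(cidr, parts) == expected


if __name__ == "__main__":
    print(to_binary("131.252.0.0"))
    print(subnet("131.252.0.0/22", 4))
    print(supernet(["131.252.0.0/24", "131.252.1.0/24"]))
```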

SLIDE 35

Special IP Addresses: Loopback

  • 127.0.0.1: localhost
    • The self-talk address
    • The "lo" interface via ifconfig

  catron <~> 11:47AM % ifconfig
  eno1      Link encap:Ethernet  HWaddr 98:90:96:d8:56:e7
            inet addr:10.218.103.22  Bcast:10.218.103.255  Mask:255.255.255.0
            inet6 addr: fe80::9a90:96ff:fed8:56e7/64 Scope:Link
            inet6 addr: 2610:10:20:1103::22/128 Scope:Global
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            …
  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:65536  Metric:1
            …
  catron <~> 11:48AM %

SLIDE 36

Special IP Addresses: Private

  • Private addresses (not globally routable)
    • Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8 prefix)
    • Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12 prefix)
    • Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16 prefix)
  • Used to number internal IPv4 addresses on some PSU machines
    • Previous Particle lab machine catron
    • Can I reach catron via IPv4 outside of PSU?

  pucca <~> 12:06PM % nslookup catron.cs.pdx.edu
  …
  Non-authoritative answer:
  Name:   catron.cs.pdx.edu
  Address: 10.218.103.22
  pucca <~> 11:43AM % ssh catron.cs.pdx.edu
  ssh: connect to host catron.cs.pdx.edu port 22: Network is unreachable
  [1]    10085 exit 255   ssh -Y catron.cs.pdx.edu
  pucca <~> 12:06PM %

SLIDE 37

Special IP Addresses: Private

  • Must go through a machine that has a globally routable IP address

  pucca <~> 11:44AM % ssh linux.cs.pdx.edu
  wuchang@linux.cs.pdx.edu's password:
  Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)
  …
  Last login: Wed Oct 18 12:48:13 2017 from 10.200.81.21
  linux <~> 11:44AM % ssh catron.cs.pdx.edu
  Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)
  …
  Last login: Thu Apr 5 10:06:07 2018 from 2610:10:20:1130::1004
  catron <~> 11:44AM %

SLIDE 38

Special IP Addresses: Private

  • All Google Cloud internal interfaces use them

SLIDE 39

CIDR in practice

  • ISP X given 16 class C networks (200.23.16.* to 200.23.31.*)
  • Can advertise a single CIDR route to ISP W (200.23.16.0/20)

[Figure: ISP X's customers, ISP X's interfaces 1 to 5, and the single route ISP X advertises to ISP W]

  • Large company: 200.23.16.0/21
    • 200.23.16.0/24, 200.23.17.0/24, 200.23.18.0/24, 200.23.19.0/24, 200.23.20.0/24, 200.23.21.0/24, 200.23.22.0/24, 200.23.23.0/24
  • Medium company: 200.23.24.0/22
    • 200.23.24.0/24, 200.23.25.0/24, 200.23.26.0/24, 200.23.27.0/24
  • Small company: 200.23.28.0/23
    • 200.23.28.0/24, 200.23.29.0/24
  • Tiny company: 200.23.30.0/24

ISP X forwarding table:

  Route           Interface
  200.23.16/21    2
  200.23.24/22    3
  200.23.28/23    4
  200.23.30/24    5
  200.23.31/24    unused

ISP W forwarding table:

  Route           Interface
  200.23.16.0/20  1

SLIDE 40

Overlapping routes

  • Consider multi-homing for tiny company going to ISP Y
    • 200.23.16.0/20 through ISP X to ISP W, but tiny company would advertise 200.23.30.0/24 to ISP Y, which advertises it to ISP W
  • How does ISP W handle overlapping routes from ISP X and Y?
    • Choice is to always follow the most specific route (e.g. /24) when a packet matches both

ISP W forwarding table:

  Route           Interface
  200.23.16.0/20  1
  200.23.30.0/24  2

[Figure: ISP X (customers 200.23.16.0/21, 200.23.24.0/22, 200.23.28.0/23 and 200.23.30.0/24 on its interfaces 2 to 5) reaches ISP W on ISP W's interface 1; ISP Y, also serving the tiny company's 200.23.30.0/24, reaches ISP W on interface 2]

SLIDE 41

Longest prefix matching problem

  • Which interface would packets with the above destinations go out?

Forwarding table (route prefix, link interface):

  11001000 00010111 00010
  11001000 00010111 00011000    1
  11001000 00010111 00011       2
  default                       3

Destination addresses:

  11001000 00010111 00010110 10100001
  11001000 00010111 00011000 10101010
  11001000 00010111 00011110 10100001
  11001000 00010111 00001000 00000001

SLIDE 42

What if?

  • YouTube with its network traffic going through X
  • Has someone else advertise its prefix?

[Figure: same topology as slide 40, with ISP X labelled google.com, the tiny company's 200.23.30.0/24 labelled youtube.com, and "EVIL ISP Z" on ISP W's interface 2 announcing "Send 200.23.30.0/24 to me"]

ISP W forwarding table:

  Route           Interface
  200.23.16.0/20  1
  200.23.30.0/24  2

SLIDE 43

Trust and routing

  • Like Pakistan did (2008)

SLIDE 44

Trust and routing

  • Like Google did to Japan (2017!)

SLIDE 45

Trust and routing

  • Or Russia and Iran did?

SLIDE 46

Not likely to be solved…

  • But we still keep on trying… ☺

SLIDE 47

On Linux host

  • Terminology
    • Destination = Specifies route prefix to match
    • Genmask = Specifies prefix length (a.k.a. subnet mask or netmask)
    • Gateway = Specifies a next-hop
    • Iface = Network interface card to send packet onto
  • All destinations match 0.0.0.0/0 (first)
    • Route to Gateway 131.252.220.250 on interface eth0
  • Destinations matching 131.252.220.0/24 (second)
    • No gateway, directly connected, goes out on eth0
  • Destinations matching private IP range 172.17.0.0/16 (third)
    • No gateway, directly connected, goes out on virtual interface docker0
    • This is how Docker containers are networked by default

  mashimaro <~> 7:29AM % netstat -rn
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  0.0.0.0         131.252.220.250 0.0.0.0         UG        0 0          0 eth0
  131.252.220.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
  172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0

  • Genmask 0.0.0.0 = /0 (matches all)
  • Genmask 255.255.255.0 = /24 (matches our class C subnet)
  • Genmask 255.255.0.0 = /16 (matches private IP address range)
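Longest prefix matching over the two tables above: ISP W's overlapping routes from slide 40 and the `netstat -rn` table on this slide. This is an added example, not course code; the parser assumes the eight-column `netstat -rn` layout shown above, and the destination addresses looked up in the test are constructed.

```python
from collections import namedtuple

# prefix is the network as an int; gateway is None when the route is directly connected.
Route = namedtuple("Route", "prefix plen gateway iface")


def to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def genmask_to_plen(genmask: str) -> int:
    """Convert a dotted netmask such as 255.255.255.0 into a prefix length (/24)."""
    m = to_int(genmask)
    plen = bin(m).count("1")
    if m != prefix_mask(plen):
        raise ValueError("non-contiguous netmask %s" % genmask)
    return plen


def route_from_cidr(cidr: str, iface, gateway=None) -> Route:
    """Build a Route from CIDR notation, the way the ISP tables on the slides are written."""
    addr, plen = cidr.split("/")
    plen = int(plen)
    return Route(to_int(addr) & prefix_mask(plen), plen, gateway, iface)


def parse_netstat_rn(text: str) -> list:
    """Turn the Destination/Gateway/Genmask/Iface columns of `netstat -rn` into Routes."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or not cols[0][0].isdigit():
            continue                                   # banner and column-header lines
        dest, gateway, genmask, iface = cols[0], cols[1], cols[2], cols[7]
        plen = genmask_to_plen(genmask)
        routes.append(Route(to_int(dest) & prefix_mask(plen), plen,
                            None if gateway == "0.0.0.0" else gateway, iface))
    return routes


def longest_prefix_match(table: list, dst: str):
    """Return the matching route with the longest prefix, or None if nothing matches."""
    d = to_int(dst)
    best = None
    for route in table:
        if (d & prefix_mask(route.plen)) == route.prefix and (best is None or route.plen > best.plen):
            best = route
    return best


# The routing table printed on this slide (copied from the slide's own output).
NETSTAT_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         131.252.220.250 0.0.0.0         UG        0 0          0 eth0
131.252.220.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
"""

# ISP W's table from the overlapping-routes slide: the /24 learned from ISP Y wins over
# the /20 learned from ISP X for any destination that matches both.
ISP_W_TABLE = [route_from_cidr("200.23.16.0/20", iface=1),
               route_from_cidr("200.23.30.0/24", iface=2)]


if __name__ == "__main__":
    linux_table = parse_netstat_rn(NETSTAT_OUTPUT)
    for dst in ("131.252.220.5", "172.17.0.2", "1.1.1.1"):   # constructed lookups
        print(dst, longest_prefix_match(linux_table, dst))
    for dst in ("200.23.30.161", "200.23.22.161", "200.23.8.1"):
        print(dst, longest_prefix_match(ISP_W_TABLE, dst))
```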

SLIDE 48

Network Address Translation

SLIDE 49

CIDR and IPv4 address allocation

  • CIDR designed to make more efficient use of addresses
    • Many large blocks with few hosts in them
    • CIDR allows one to break blocks up into smaller units

SLIDE 50

[Image-only slide]

SLIDE 51

But

  • Even with CIDR, IPv4 address space running out

SLIDE 52

Network Address Translation (NAT)

  • One solution to address space depletion problem
    • Make it appear that all connections coming from a local network come from a single IP address
    • "Statistically multiplex" address/port usage across multiple machines
  • Examples
    • Built into your cable modem at home
    • "NAT and Internet Gateway" in AWS
    • "Cloud NAT" in GCP

SLIDE 53

NAT with port translation

[Figure: local network w/ private addresses (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT device at 10.0.0.4 / 138.76.29.7, connected to the rest of the Internet]

  • Datagrams with 10.0.0.0/24 addresses: NAT device dynamically rewrites private IP addresses
  • All datagrams leaving local network have same single source IP address: 138.76.29.7
  • But, must ensure unique identifiers per connection to work.
    • Connections from 3 machines to google.com must not get confused with each other
    • Use the 16-bit transport layer port-number field
    • NAT device dynamically rewrites private source IP addresses and source port numbers on connections to the Internet to global IP address and port numbers
    • To Internet, entire network looks like 1 machine (with a lot of connections!)
SLIDE 54

NAT operation

[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind a NAT router with LAN address 10.0.0.4 and WAN address 138.76.29.7]

  1: host 10.0.0.1 sends datagram to 128.119.40.186:80
     S: 10.0.0.1, 3345       D: 128.119.40.186, 80
  2: NAT router changes datagram source addr from 10.0.0.1:3345 to 138.76.29.7:5001, updates table
     S: 138.76.29.7, 5001    D: 128.119.40.186, 80
  3: Reply arrives, dest. address: 138.76.29.7:5001
     S: 128.119.40.186, 80   D: 138.76.29.7, 5001
  4: NAT router changes datagram dest addr from 138.76.29.7:5001 to 10.0.0.1:3345
     S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table:

  WAN side addr       LAN side addr
  138.76.29.7, 5001   10.0.0.1, 3345
  ……                  ……

SLIDE 55

NAT advantages

  • Only a single IP address needed from ISP to network multiple devices (avoid depletion)
    • Most cloud providers charge you for an external IP address!
    • GCP charges differently for VMs with
      • No external IP address
      • Ephemeral external IP address (ones that go away when VM is shut off)
      • Static, reserved IP address (ones that stay with VM even when shut off)
  • Portability
    • Can change ISP without changing addresses of devices in local network
  • Security
    • Devices inside local net not explicitly addressable or visible by outside world

SLIDE 56

NAT issue #1: No inbound connection

  • Client wants to connect to web server at address 10.0.0.1
  • Web server has private LAN address not reachable externally
  • Only externally visible address: 138.76.29.7
  • Must be taken into account for P2P applications

[Figure: web server 10.0.0.1 behind the NAT router (10.0.0.4 / 138.76.29.7); an outside client asks "?"]

SLIDE 57

NAT issue #2: Loss of transparency

  • Implicit assumption that network header is unchanged in network
    • Key feature that allows one to deploy any application without coordinating with network infrastructure
  • Breaks applications that assume network only touches layer 3
    • Transport-layer source port numbers re-written by network-layer device (layer violation)
  • New applications
    • Can no longer assume their own IP address is valid!
    • Must never carry IP addresses and ports in application payloads
    • Example: ftp's PORT command
      • To initiate file transfer, client sends its IP address and a port number for ftp server to connect to
      • With client behind a NAT, private address sent!
      • NAT breaks protocol by breaking network transparency!
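The four NAT operation steps (slide 54), the dropped inbound connection (issue #1) and the FTP PORT problem (issue #2) simulated in one small model. This is an added example, not course code; the outside client address 198.51.100.9, the second host's connection and the PORT command text are constructed, and the port pool ignores the 16-bit limit.

```python
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    """Only the fields a NAT device looks at: IP addresses, transport ports, payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self._ports = itertools.count(first_port)   # WAN port pool (constructed, unbounded)
        self.table = {}      # (WAN ip, WAN port) -> (LAN ip, LAN port), as on the slide
        self._by_lan = {}    # (LAN ip, LAN port) -> WAN port

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2: rewrite the private source address and port, adding a mapping if needed."""
        lan = (pkt.src_ip, pkt.src_port)
        if lan not in self._by_lan:
            wan_port = next(self._ports)
            self._by_lan[lan] = wan_port
            self.table[(self.wan_ip, wan_port)] = lan
        return replace(pkt, src_ip=self.wan_ip, src_port=self._by_lan[lan])

    def inbound(self, pkt: Packet):
        """Step 4: map the WAN-side destination back to the private host, or drop it."""
        lan = self.table.get((pkt.dst_ip, pkt.dst_port))
        if lan is None:
            return None      # issue #1: no inside host asked for this, so it cannot be delivered
        return replace(pkt, dst_ip=lan[0], dst_port=lan[1])


def ftp_port_target(payload: bytes):
    """Decode the address an FTP PORT command tells the server to connect back to."""
    text = payload.decode("ascii", "replace").strip()
    if not text.startswith("PORT "):
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in text[5:].split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def demo() -> dict:
    nat = NatRouter("138.76.29.7")
    # Steps 1 to 4 from the NAT operation slide.
    step1 = Packet("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = Packet("128.119.40.186", 80, step2.src_ip, step2.src_port)
    step4 = nat.inbound(step3)
    # A second host using the same local port must get a different WAN port.
    other = nat.outbound(Packet("10.0.0.2", 3345, "128.119.40.186", 80))
    # Issue #1: an outside client trying to reach the web server on 10.0.0.1 has no mapping.
    unsolicited = nat.inbound(Packet("198.51.100.9", 40000, "138.76.29.7", 80))
    # Issue #2: FTP carries the client's own address and port inside the payload
    # (constructed command for 10.0.0.1, port 13*256+5 = 3333); the NAT only rewrites headers.
    ftp = nat.outbound(Packet("10.0.0.1", 3346, "128.119.40.186", 21, b"PORT 10,0,0,1,13,5\r\n"))
    return {"step2": step2, "step4": step4, "other": other, "unsolicited": unsolicited,
            "ftp_header_src": ftp.src_ip, "ftp_payload_target": ftp_port_target(ftp.payload),
            "table": dict(nat.table)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```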

SLIDE 58

IPv6

SLIDE 59

IPv6

  • Address shortage should instead be solved by IPv6
  • Expands address space without using NAT
  • Redesign protocol
  • What changes should be made in…
    • IP addressing
    • IP delivery semantics
    • IP quality of service
    • IP security
    • IP routing
    • IP fragmentation
    • IP error detection

SLIDE 60

Main IPv6 changes

  • Addresses are 128 bit
  • Protocol simplified (end-to-end principle)
    • Removes checksum
    • Eliminates fragmentation

SLIDE 61

Parsing an IPv6 address

  • Specified as 8, 2-byte (4 hex digit) numbers

    2610:10:20:220:45c7:8fb6:7430:bcb6

  • Note, leading 0s omitted for brevity
  • Double-colon notation
    • Can be used exactly once in an address to specify a wildcard of all 0s in address
    • Fills address with enough nulls to create a 128-bit address
  • Example catron.cs.pdx.edu (circa 2018)
    • 2610:10:20:1103::22
    • 2610:10:20:1103:0:0:0:22
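The leading-zero and double-colon rules above implemented by hand in both directions, expanding to the full eight groups and compressing back. This is an added example, not course code; the cross-check against the standard library is an assumption of the example, not something the slide uses.

```python
from ipaddress import IPv6Address   # used only to cross-check the hand-written parser

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Rebuild all 8 four-digit groups: restore leading 0s and replace '::' with zero groups."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group in %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, found %d in %r" % (len(groups), addr))
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError("bad group %r in %r" % (g, addr))
    return ":".join(g.lower().zfill(4) for g in groups)


def ipv6_to_bytes(addr: str) -> bytes:
    """The 128-bit value itself, 16 bytes in network order."""
    return bytes.fromhex(expand_ipv6(addr).replace(":", ""))


def compress_ipv6(addr: str) -> str:
    """Shortest form: drop leading 0s and collapse the longest run of zero groups to '::'."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:           # leftmost run wins ties, as RFC 5952 requires
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                   # a single zero group is written as 0, not as ::
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def matches_stdlib(addr: str) -> bool:
    """Cross-check both directions against the standard library's IPv6Address."""
    std = IPv6Address(addr)
    return ipv6_to_bytes(addr) == std.packed and compress_ipv6(addr) == str(std)


if __name__ == "__main__":
    print(expand_ipv6("2610:10:20:1103::22"))
    print(compress_ipv6("2610:10:20:1103:0:0:0:22"))
```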

SLIDE 62

Example

  catron <~> 7:03PM % ifconfig
  eno1      Link encap:Ethernet  HWaddr 98:90:96:d8:56:e7
            inet addr:10.218.103.22  Bcast:10.218.103.255  Mask:255.255.255.0
            inet6 addr: fe80::9a90:96ff:fed8:56e7/64 Scope:Link
            inet6 addr: 2610:10:20:1103::22/128 Scope:Global
  catron <~> 7:37PM % dig -t AAAA meson.cs.pdx.edu
  …
  ;; ANSWER SECTION:
  meson.cs.pdx.edu.       6901    IN      AAAA    2610:10:20:1103::21
  catron <~> 7:03PM % ping6 2610:10:20:1103::21
  PING 2610:10:20:1103::21(2610:10:20:1103::21) 56 data bytes
  64 bytes from 2610:10:20:1103::21: icmp_seq=1 ttl=64 time=0.328 ms
  ^C
  --- 2610:10:20:1103::21 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.328/0.328/0.328/0.000 ms

SLIDE 63

Example

  • Particle labs with private IPv4 addresses (e.g. 10.0.0.0/8)
    • Only reachable after connecting into a machine with externally routable IP address
  • How can you ssh into Particle lab machines directly from external locations?
    • Use their IPv6 addresses

      ssh -6 catron.cs.pdx.edu

SLIDE 64

Transition From IPv4 To IPv6

  • Gradual deployment
    • Eventually, want to have all devices run dual stacks
    • But, what happens when you run into a cloud of IPv4-only routers?
  • Tunneling
    • IPv6 carried as payload in an IPv4 datagram among IPv4 routers
    • Wraps an IPv4 Russian doll around the IPv6 one
    • For IPv6, treats the entire IPv4 network as a single data-link!
      • e.g. IPv4 is a framing protocol for the IPv4 "data-link" layer
    • Builds a virtual IPv6 network link on top of a multi-hop IPv4 network

SLIDE 65

Tunneling

Physical view: A - B - C - D - E - F, where A, B, E, F are IPv6 routers and C, D are IPv4 routers

  A to B (IPv6):                       Flow: X  Src: A  Dest: F  data
  B to C to D to E (IPv6 inside IPv4): Src: B  Dest: E  [ Flow: X  Src: A  Dest: F  data ]
  E to F (IPv6):                       Flow: X  Src: A  Dest: F  data

Logical view: A - B ==tunnel== E - F, all IPv6; the IPv4 network between B and E is a single virtual link

  • Turns IPv4 network into virtual link
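The tunnel on this slide in code: router B wraps the IPv6 packet of flow X in an IPv4 datagram with protocol 41, C and D forward it on the outer header alone, and router E checks the outer header and unwraps it. This is an added example, not course code; the addresses for A, B, E and F are constructed from documentation/test ranges, and the checksum routine is the standard RFC 1071 one's-complement sum.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_IPV6 = 41          # protocol value for IPv6 encapsulated within IPv4 (demux slide)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Outer delivery header: B and E are the only addresses the IPv4 routers look at."""
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      int(IPv4Address(src)), int(IPv4Address(dst)))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes,
                flow_label: int = 0, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, flow label, payload length, next header, hop limit."""
    ver_tc_flow = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", ver_tc_flow, len(payload), next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def ipv6_fields(pkt: bytes) -> dict:
    ver_tc_flow, plen, next_header, hops, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"flow": ver_tc_flow & 0xFFFFF, "next_header": next_header, "hop_limit": hops,
            "src": str(IPv6Address(src)), "dst": str(IPv6Address(dst)),
            "payload": pkt[40:40 + plen]}


def encapsulate(ipv6_pkt: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry (router B): the whole IPv6 packet becomes the payload of an IPv4 datagram."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPV6, len(ipv6_pkt)) + ipv6_pkt


def decapsulate(ipv4_pkt: bytes) -> bytes:
    """Tunnel exit (router E): validate the outer header, then hand the inner IPv6 packet on."""
    ver_ihl, proto = ipv4_pkt[0], ipv4_pkt[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(ipv4_pkt):
        raise ValueError("outer packet is not IPv4")
    if internet_checksum(ipv4_pkt[:ihl]) != 0:
        raise ValueError("outer header checksum failed")
    if proto != IPPROTO_IPV6:
        raise ValueError("protocol %d is not an IPv6-in-IPv4 tunnel" % proto)
    total_len = struct.unpack("!H", ipv4_pkt[2:4])[0]
    inner = ipv4_pkt[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("tunnel payload is not an IPv6 packet")
    return inner


# Constructed addresses for the slide's topology (documentation/test prefixes, not real hosts):
# A and F are the IPv6 end routers, B and E the tunnel endpoints in the IPv4 cloud.
A, F = "2001:db8::a", "2001:db8::f"
B, E = "192.0.2.2", "192.0.2.5"
FLOW_X = 0x12345


def demo() -> dict:
    """Follow one packet of flow X from A to F across the B..E tunnel."""
    at_a = ipv6_packet(A, F, 17, b"data", flow_label=FLOW_X)   # next header 17 = UDP
    on_tunnel = encapsulate(at_a, B, E)                          # what C and D forward
    at_e = decapsulate(on_tunnel)
    return {"outer_src": str(IPv4Address(struct.unpack("!I", on_tunnel[12:16])[0])),
            "outer_dst": str(IPv4Address(struct.unpack("!I", on_tunnel[16:20])[0])),
            "outer_proto": on_tunnel[9], "outer_len": len(on_tunnel),
            "inner_unchanged": at_e == at_a, "inner": ipv6_fields(at_e)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```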

SLIDE 66

Network virtualization

SLIDE 67

Virtualization

  • A powerful abstraction in CS
    • Virtual memory addresses
    • Virtual machines (IBM System/370 from 1960's/70's, your VirtualBox VM)
    • Virtual network interfaces
    • Now, entire virtual networks…
  • Cloud infrastructure relies heavily on network virtualization

  mashimaro <~> 2:15PM % sudo ifconfig eth0:1 up 131.252.220.64 netmask 255.255.255.0
  mashimaro <~> 2:16PM % sudo ifconfig eth0:2 up 131.252.220.65 netmask 255.255.255.0
  mashimaro <~> 2:16PM % ifconfig -a
  eth0      Link encap:Ethernet  HWaddr 34:17:eb:a5:23:f7
            inet addr:131.252.220.66  Bcast:131.252.220.255  Mask:255.255.255.0
  eth0:1    Link encap:Ethernet  HWaddr 34:17:eb:a5:23:f7
            inet addr:131.252.220.64  Bcast:131.252.220.255  Mask:255.255.255.0
  eth0:2    Link encap:Ethernet  HWaddr 34:17:eb:a5:23:f7
            inet addr:131.252.220.65  Bcast:131.252.220.255  Mask:255.255.255.0

SLIDE 68

The Internet: the first virtual network

"A Protocol for Packet Network Intercommunication", V. Cerf, R. Kahn, IEEE Transactions on Communications, May, 1974, pp. 637-648.

  • circa 1974: multiple unconnected nets
    • ARPAnet
    • packet satellite network (Aloha)
    • packet radio network
    • phone network
  • … differing in:
    • addressing conventions
    • packet formats
    • error recovery
    • routing

[Figure: ARPAnet and satellite net drawn side by side]

How do you get data from one network to another?

SLIDE 69

IP "virtual" network layer

  • Create a homogeneous virtual network over heterogeneous physical ones
  • Deploy "gateways" at edge of networks that can speak both
    • Implement internetwork layer at gateways and end-points
    • Embed internetwork packets into local format and send to gateway
    • Route at internetwork level to next gateway
    • Embed internetwork packets into local format and send to destination
  • Underlying local network layers now invisible at the IP layer
    • ARPAnet, satellite, 56K telephone modem, ATM, MPLS
    • Just another link layer to IP!

[Figure: ARPAnet and satellite net joined by a gateway]

SLIDE 70

Virtualizing on top of the Internet

  • Example: Virtual LAN (Local Area Network) and VPN (Virtual Private Network)
    • LAN emulation over the Internet so that branch & corporate appear on same LAN (as if A "directly" connected to B)
    • A wants to send L2 frames to B
    • Tunneled over the Internet between V1 and V2

[Figure: host A and host B on separate LANs, joined across the Internet by VPN gateways V1 and V2]

  1. LAN frame to B
  2. L2 frame encrypted and encapsulated in IP packet from V1 to V2
  3. IP packet decrypted and original L2 frame decapsulated and placed on network
  4. LAN frame to B
  5. A now appears to be on same LAN as B (responses treated similarly)

[Figure: encapsulation between V1 and V2: IP (V1 to V2) carrying L2 (A to B), which carries IP (A to B), TCP, HTTP]

SLIDE 71

Example: VPN via IP in IP

• IP in IP using Generic Routing Encapsulation (more common)
  • Takes original Russian doll and wraps it with additional dolls (GRE and tunnel's IP Delivery header)
• Treats the public network as a "link-layer"
• Basis for …
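As an added illustration of the Russian-doll wrapping on the two slides above (this is example code, not code from the course or from any VPN product), the following Python builds an inner IPv4 datagram, wraps it in a GRE header plus a delivery IPv4 header as a tunnel endpoint such as V1 would, and unwraps it again as V2 would, validating each header checksum on the way. The addresses, payload and function names are constructed for the example; the base 4-byte GRE header and the optional checksum-present form are handled, while GRE keys and sequence numbers are left out.

```python
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_GRE = 47           # IP protocol number that marks the delivery header as carrying GRE
GRE_PROTO_IPV4 = 0x0800    # GRE "protocol type" for an inner IPv4 packet (an Ethertype value)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + len(payload), ident, 0,   # ver/IHL, TOS, total length, id, flags+offset
                      ttl, proto, 0,                                  # TTL, upper-layer protocol, checksum (filled below)
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; a bad checksum or length is rejected rather than forwarded."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, _flags_off, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if internet_checksum(packet[:ihl]) != 0:   # a valid header sums to zero once the checksum field is included
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "id": ident, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a complete inner IPv4 packet: delivery IP header -> GRE header -> inner packet (the outer "dolls")."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # flags/version word = 0: no checksum, key or sequence present
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> dict:
    """Strip the delivery header and the GRE header; return the parsed inner IPv4 packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    body = outer["payload"]
    if len(body) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto_type = struct.unpack("!HH", body[:4])
    if flags_ver & 0x0007 or proto_type != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE version or inner protocol")
    offset = 4
    if flags_ver & 0x8000:                     # C bit set: checksum + reserved bytes follow the base header
        if internet_checksum(body) != 0:       # the GRE checksum covers the GRE header and everything after it
            raise ValueError("bad GRE checksum")
        offset = 8
    return parse_ipv4(body[offset:])
```

Note what the delivery header does and does not do: it gets the bytes from V1 to V2, but the inner datagram is whatever the remote end put there, so a decapsulating gateway should still check that the inner source and destination belong to the networks the tunnel is meant to join before placing the packet on the local network. Plain GRE also carries no encryption or authentication; that is why the slides pair the tunnel with IPSec.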

SLIDE 72

• Virtual Private Cloud and Hybrid Cloud implementations
  • Take networks on the cloud provider and bring them onto the local network
  • Connect your network to the cloud network via a virtual private network (e.g. IPSec)

[Figure: Virtualized link over public IP network between Customer and AWS (AWS Solutions Architect material)]

SLIDE 73

Software-Defined Networks (SDN)

SLIDE 74

Pre-cloud Internet issues (circa early 00s)

• Distributed routing algorithms hard to make predictable
  • Stability poor (route-flapping common)
  • Route convergence slow
• Complex, human-intensive management
  • Routers, switches, firewalls, NAT, load balancers with disparate interfaces
  • Complex, distributed control software
  • Difficult to manage at scale

SLIDE 75

• Opaque operation
  • Inability to reason about behavior of protocols and algorithms
• Inflexible
  • Can only support routing based on destination and hop count
  • Control-plane (routing) and data-plane (forwarding) tightly coupled
  • Leads to instability especially under high loads
• Proprietary (pre-2005)
  • At the mercy of a small number of vendor-supported features and proprietary platforms (Cisco, Juniper)
  • Cisco, Juniper with whole certification programs

SLIDE 76

A repeating pattern in technology

• How does one replace manual, opaque, inflexible, proprietary technology?
  • With automatic, transparent, flexible, open-source, and interoperable technology

SLIDE 77

SDNs (2009)

• Standard uniform interface for network device programmability (e.g. "IP" applied to router configuration and operation)
  • OpenFlow (2008)
  • Enables network device orchestration via uniform mechanisms
• Separation of control-plane and data-plane (early 2000s)
  • Central controller performs scheduling and route configuration, then pushes the result into the network
  • Control plane => traffic policy
  • Data plane => forward traffic based on the policy the control plane makes
  • Allows a single software control program to control all data-plane elements in the network (better transparency)
• Programmable handling of packets
  • Support multiple actions (e.g. drop, flood, forward, modify header, send to controller)
  • Active Networks (1990s)
• Built on commodity parts

SLIDE 78

SDN application #1: Traffic Engineering

• Implement predictable routing policies to control traffic paths (versus in-band, run-time algorithms)
• Implement flexible routing policies vs. destination IP-based routes
  • (e.g. base decisions on source IP, TCP/UDP ports, application, or even time of day!)
• Perform multiple path routing at high load

SLIDE 79

• Examples
  • Shift traffic during the day via a centralized schedule to maximize resource use
    • Allows one to avoid over-provisioning networks since one can control load tightly
    • Links can be run close to 100%!
  • Break net neutrality!
    • Send bulk transit traffic to alternate slower paths compared to customer traffic
    • Send video traffic to one peering point, non-video to another for transit based on delay and price
  • DoS evasion
    • Programmatically drop attack traffic (CloudFlare)
  • Configure alternative routes during planned changes
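To make the control-plane/data-plane split of the SDN slide and the traffic-engineering examples above concrete, here is an added Python model; it is example code written for this page, not code from the course, from OpenFlow or from any controller product. The Switch holds no routing logic of its own: it only matches packets against installed flow rules (highest priority wins, unlisted fields are wildcards) and applies the rule's action (forward, drop, flood, modify header, or send to controller; a table miss also goes to the controller). The Controller turns a policy (blocked attack sources, customer web traffic versus bulk transit, time of day) into rules and pushes them into the switch, and handles table misses reactively. The port numbers, addresses, hour ranges and the DSCP EF marking (TOS byte 0xB8) are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    tos: int = 0                  # IP type-of-service byte, rewritable by a "modify header" action


@dataclass
class FlowRule:
    priority: int
    match: dict                   # field -> required value; fields not listed are wildcards
    action: str                   # "forward", "drop", "flood" or "controller"
    out_port: Optional[int] = None
    rewrite: dict = field(default_factory=dict)   # header fields changed before forwarding
    hits: int = 0                 # per-rule counter, the kind a real switch exposes for monitoring


class Switch:
    """Data plane: no routing logic of its own, only matches packets against installed rules."""

    def __init__(self, name: str, ports: List[int]):
        self.name, self.ports, self.rules = name, list(ports), []

    def install(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)   # stable: equal priorities keep install order

    def forward(self, pkt: Packet, controller: "Controller") -> List[Tuple[int, Packet]]:
        """Return the (output port, packet) pairs the switch emits for pkt (empty list = dropped)."""
        for rule in self.rules:
            if all(getattr(pkt, f) == v for f, v in rule.match.items()):
                rule.hits += 1
                if rule.action == "drop":
                    return []
                if rule.action == "flood":
                    return [(p, pkt) for p in self.ports]
                if rule.action == "controller":
                    return controller.packet_in(self, pkt)
                if rule.rewrite:                                   # "modify header" before forwarding
                    pkt = replace(pkt, **rule.rewrite)
                return [(rule.out_port, pkt)]
        return controller.packet_in(self, pkt)    # table miss: punt the packet to the control plane


class Controller:
    """Control plane: turns policy (who, what, when) into rules and pushes them into each switch."""
    FAST_PATH, SLOW_PATH, UPLINK = 1, 2, 3       # constructed port numbers
    BUSINESS_HOURS = range(8, 18)                 # constructed schedule for the time-of-day policy

    def __init__(self, hour: int, blocked_sources=()):
        self.hour = hour
        self.blocked = set(blocked_sources)

    def push_policy(self, sw: Switch) -> None:
        for src in sorted(self.blocked):          # highest priority: drop traffic from known attack sources
            sw.install(FlowRule(100, {"src_ip": src}, "drop"))
        for proto in ("tcp", "udp"):              # customer web/video traffic: fast peering, marked DSCP EF
            for port in (80, 443):
                sw.install(FlowRule(50, {"proto": proto, "dst_port": port}, "forward",
                                    out_port=self.FAST_PATH, rewrite={"tos": 0xB8}))
        # Everything else is bulk transit: slower path during business hours, fast path otherwise
        bulk_port = self.SLOW_PATH if self.hour in self.BUSINESS_HOURS else self.FAST_PATH
        sw.install(FlowRule(10, {"proto": "tcp"}, "forward", out_port=bulk_port))
        sw.install(FlowRule(10, {"proto": "udp"}, "forward", out_port=bulk_port))

    def packet_in(self, sw: Switch, pkt: Packet) -> List[Tuple[int, Packet]]:
        """Reactive path for table misses: decide once, install a rule, then forward this packet."""
        if pkt.proto == "icmp":
            sw.install(FlowRule(5, {"proto": "icmp"}, "forward", out_port=self.UPLINK))
            return [(self.UPLINK, pkt)]
        sw.install(FlowRule(1, {"proto": pkt.proto}, "drop"))    # unknown protocol: default deny
        return []
```

Two points worth noticing when reading it: the time-of-day decision is made once in the controller and materialises as an ordinary rule, so the switch never needs a clock; and because rules carry hit counters, the same program that pushes policy can read back which rules fire, which is the transparency the SDN slide contrasts with opaque distributed routing.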

SLIDE 80

SDN application #2: Cloud Computing

• Multiple tenants sharing same underlying machines, physical network and interfaces
  • All appear on separate virtual topologies
• Example: Shared cloud-based VMs
  • Co-located vCPUs on a single CPU in Compute Engine
  • Must allocate different bandwidth slices and assign the same machine to different virtual topologies based on the project the VM is running in

SLIDE 81

• Example: Virtual Private Clouds/Networks
  • Custom topologies (virtual networks) managed programmatically per customer and project
  • Allows machines in disparate locations to be on same “virtual” network via a click (vs. having someone run around configuring it)
  • GCP CDN lab
  • Compare to CAT switches throughout college supporting dozens of virtual LANs
    • Can turn on any port and assign it to an emulated LAN
    • e.g. ports in FAB 145 and FAB 120-14 on same 220 VLAN
    • Often done manually
• Example: Load balancing and content-distribution networks
  • Covered later…

SLIDE 82

SDN and IT

• A meta-lesson for us all
  • Shift to hiring programmers to write programs to control networks of commodity routers/switches
  • People with mastery of CS concepts needed versus IT and network operations engineers
  • Moves away from proprietary network hardware/software and their certifications
  • Evolution in networking skills over last 20 years towards automation…
    • Never do the same operation manually more than once!

SLIDE 83

Recall: The Internet Network layer

Host, router network layer functions:

[Figure: the network layer (routing protocols, IP protocol, ICMP protocol, forwarding table) sits between the transport layer (TCP, UDP) above and the link and physical layers below]

Routing protocols
  • path selection
  • RIP, OSPF, BGP

IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions

ICMP protocol
  • error reporting
  • router “signaling”

SLIDE 84

ICMP

SLIDE 85

ICMP: Internet Control Message Protocol

• Protocol for passing control messages
  • error reporting: unreachable host, network, port, protocol
  • echo request/reply (used by ping)
• RFC 792

Type  Code  Description
   0     0  echo reply (ping)
   3     0  dest. network unreachable
   3     1  dest host unreachable
   3     2  dest protocol unreachable
   3     3  dest port unreachable
   3     6  dest network unknown
   3     7  dest host unknown
   4     0  source quench (congestion control - not used)
   8     0  echo request (ping)
   9     0  router advertisement
  10     0  router discovery
  11     0  TTL expired
  12     0  bad IP header

SLIDE 86

TTL expired

• Recall IP header
  • Has TTL value for maximum hop count
  • Routers decrement TTL upon forwarding
  • TTL of 0 triggers an ICMP TTL expired message back to source
• Can be used to discover routes and their delays

[Figure: IP datagram format, 32 bits wide: ver, head. len, type of service, length; 16-bit identifier, flgs, fragment offset; time to live, upper layer protocol, Internet checksum; 32 bit source IP address; 32 bit destination IP address; Options (if any); data (variable length, typically a TCP or UDP segment)]

SLIDE 87

Used to implement traceroute

• What do “real” Internet delay & loss look like?
• traceroute
  • Measures delay from source to each router along the end-end Internet path towards destination.
  • Source sends series of UDP/IP packets to dest
    • First has TTL = 1
    • Second has TTL = 2
    • Third has TTL = 3, etc.
  • When the nth datagram arrives at the nth router:
    • Router discards datagram and sends to source an ICMP hop-count exceeded message
    • Message includes name of router and IP address

[Figure: source sends 3 probes per TTL value toward the destination]

SLIDE 88

traceroute

• When ICMP hop-count exceeded message returned, source calculates RTT
  • Performs the probe 3 times per TTL value
• Stopping criterion
  • UDP segment eventually arrives at destination host
  • Destination returns ICMP “port unreachable” packet (type 3, code 3; see the ICMP table)
• Will be used in your labs
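The traceroute procedure on the two slides above, run as an added simulation in Python (this is example code written for this page, not the course's lab code or the real traceroute tool): each probe is walked along a constructed path of routers, every router decrements the TTL, the router where it reaches 0 answers with an ICMP TTL expired message (type 11), and the destination finally answers the UDP probe with port unreachable (type 3, code 3), which is the stopping criterion. Three probes are sent per TTL value. The path, hop names, addresses (documentation ranges) and delays are constructed; one hop is marked as filtering ICMP so that the "* * *" rows that real traces show are handled as well.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMP_TIME_EXCEEDED = 11          # type 11, code 0: "TTL expired" in the ICMP table
ICMP_DEST_UNREACHABLE = 3        # type 3 ...
ICMP_PORT_UNREACHABLE_CODE = 3   # ... code 3: no listener on the probe's UDP port


@dataclass
class Hop:
    name: str
    address: str
    delay_ms: float             # one-way delay this hop adds (constructed values)
    answers_icmp: bool = True   # False models a router that filters or rate-limits ICMP: shows as "*"


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int
    dst_port: int


@dataclass
class IcmpReply:
    icmp_type: int
    code: int
    from_addr: str
    from_name: str


@dataclass
class TraceRow:
    ttl: int
    name: str                   # "*" when no reply came back for any probe
    address: Optional[str]
    rtts_ms: List[Optional[float]] = field(default_factory=list)
    reached: bool = False       # True on the row where the destination itself answered


def send_probe(path: List[Hop], dest: Hop, dgram: Datagram, probe_no: int) -> Tuple[Optional[IcmpReply], float]:
    """Carry one datagram along the path, decrementing TTL at every router as the slides describe.
    Returns the ICMP reply (None if the datagram died silently) and the round-trip time in ms."""
    one_way = 0.0
    for router in path:
        one_way += router.delay_ms
        dgram.ttl -= 1
        if dgram.ttl == 0:                              # TTL exhausted here: the router discards the datagram ...
            if not router.answers_icmp:
                return None, 0.0
            reply = IcmpReply(ICMP_TIME_EXCEEDED, 0, router.address, router.name)
            return reply, round(2 * one_way + 0.3 * probe_no, 1)   # ... and reports back; jitter is constructed
    one_way += dest.delay_ms                            # survived every router: delivered to the destination host
    reply = IcmpReply(ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE_CODE, dest.address, dest.name)
    return reply, round(2 * one_way + 0.3 * probe_no, 1)


def traceroute(path: List[Hop], dest: Hop, src: str = "192.0.2.10",
               max_ttl: int = 30, probes: int = 3) -> List[TraceRow]:
    """Probe with TTL 1, 2, 3, ... (three probes each) until the destination's port unreachable arrives."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        row = TraceRow(ttl, "*", None)
        for n in range(probes):
            dgram = Datagram(src, dest.address, ttl, 33434 + ttl)    # high UDP port, so nothing listens on it
            reply, rtt = send_probe(path, dest, dgram, n)
            if reply is None:
                row.rtts_ms.append(None)
                continue
            row.rtts_ms.append(rtt)
            row.name, row.address = reply.from_name, reply.from_addr
            if reply.icmp_type == ICMP_DEST_UNREACHABLE and reply.code == ICMP_PORT_UNREACHABLE_CODE:
                row.reached = True
        rows.append(row)
        if row.reached:                                  # stopping criterion from the slide
            break
    return rows


def format_row(row: TraceRow) -> str:
    """Render one line the way the traceroute tool prints it."""
    times = " ".join("*" if t is None else f"{t:.1f} ms" for t in row.rtts_ms)
    where = f"{row.name} ({row.address})" if row.address else "*"
    return f"{row.ttl:2d}  {where}  {times}"


# Constructed path for the example: a filtering router sits between the ISP core and the peering hop.
EXAMPLE_PATH = [Hop("gw", "10.0.0.1", 0.5), Hop("isp-core", "203.0.113.1", 3.0),
                Hop("filtered", "203.0.113.9", 5.0, answers_icmp=False), Hop("peer", "203.0.113.20", 2.0)]
EXAMPLE_DEST = Hop("resolver", "203.0.113.53", 4.0)

if __name__ == "__main__":
    for r in traceroute(EXAMPLE_PATH, EXAMPLE_DEST):
        print(format_row(r))
```

The RTT for each row is the delay to the router that answered, not the delay of that router alone, which is why the numbers grow along the path; the filtered hop still adds its delay to the rows after it even though it never appears by name. A row of "* * *" therefore means only that no ICMP came back from that hop, not that the path is broken, and the trace keeps going until the destination answers or max_ttl runs out.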

SLIDE 89

Try it

• Some routers are labeled with the airport code of the city or region they are located in
• Recall Northwest Access Exchange peering points
  • 198.32.195.0/24 (nwax)
  • https://www.nwax.net/Members
• Perform a traceroute 1.1.1.1 and a traceroute 8.8.8.8 to discover where the DNS servers are currently hosted.
• Perform a traceroute to a university far away (www.cam.ac.uk)