Chapter 12: End-to-End Networking

Chapter 12 Overview

The end-to-end principle in internet architecture

Internet packet and transport protocols

Host naming with the Domain Name System

Firewalls and network address translation

Authentication on networks

“Smart” vs. “Dumb” Networks

The 20th century telephone network

A “smart” network with “dumb” endpoints

Telephones (endpoints) only had a dial or touchpad, a speaker, and a microphone

The original Internet

A “dumb” network with “smart” endpoints

Routing was as simple as possible

Hosts handled the hard work

Error detection and correction

Reordering and reassembling messages

The End-to-End Principle

Reliable packet networks must rely on smart endpoints – the network can't ensure reliable packet delivery by itself

Network-based reliability may reduce unreliability, but it doesn't ensure reliability

End-to-end in practice

Networks become more complex to address more complex routing challenges

Network-based reliability in wireless LANs reduces unreliability to acceptable levels

Internet Transport Protocols

Two separate protocols

User Datagram Protocol (UDP) – for highly efficient transmission without retransmission

Transmission Control Protocol (TCP) – for reliable, sequential data transmission

UDP packets

Contain source and destination port numbers

Contain a checksum and a data field

Applications must detect and handle any missing or damaged packets themselves
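The following Python parser and checksum verifier for the UDP header described above is an added example, not code from the slides. It builds a segment with the four header fields (source port, destination port, length, checksum) and verifies the checksum over the IPv4 pseudo-header as RFC 768 specifies; the addresses, ports and payload are constructed sample values.

```python
import struct
import socket

UDP_PROTO = 17  # IPv4 protocol number for UDP


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header that UDP covers with its checksum (RFC 768)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_length))


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment: 8-byte header (sport, dport, length, checksum) followed by data."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field is zero while summing
    csum = ones_complement_checksum(udp_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF  # RFC 768: a computed zero is sent as all ones, since zero means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Decode the header and verify the checksum; checksum_ok is None when the sender disabled it."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length field inconsistent with segment size")
    if csum == 0:
        ok = None  # checksum disabled: the application gets no integrity check at all
    else:
        # Summing the whole segment, checksum field included, yields zero for an intact segment.
        ok = ones_complement_checksum(udp_pseudo_header(src_ip, dst_ip, length) + segment[:length]) == 0
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum_ok": ok, "payload": segment[8:length]}


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses, DNS source port, arbitrary payload.
    seg = build_udp("192.0.2.1", "192.0.2.2", 53, 33333, b"constructed payload")
    print(parse_udp("192.0.2.1", "192.0.2.2", seg))
    damaged = seg[:8] + b"X" + seg[9:]  # flip one payload byte in transit
    print("damaged checksum_ok:", parse_udp("192.0.2.1", "192.0.2.2", damaged)["checksum_ok"])
```

Note that the pseudo-header binds the checksum to the IP addresses, so a segment delivered to the wrong host fails verification even when its own bytes are intact; the checksum detects corruption, but a lost segment produces no event at all, which is why UDP applications must track missing data themselves.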

UDP Packet Format

Wireshark: UDP Packet Format

© Wireshark Foundation

Transmission Control Protocol – TCP

TCP Reliability

Uses Sequence (SEQ) and Acknowledgement (ACK) numbers to track the delivered data

Every byte of data sent via TCP is numbered consecutively

A packet's SEQ number reports the number of the first byte it contains

Recipient sends ACK number to indicate the highest consecutive byte number received

If packets arrive out of order, the ACK number never increases until missing packets arrive

Flow Control and Window Size

Flow control prevents a sender from sending data faster than the recipient can handle it

If we send data too fast, the recipient or the network will have to discard it

Each TCP packet contains a window size

Indicates the number of bytes the recipient can handle from upcoming packets

Grows smaller if traffic arrives too quickly
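To make the SEQ/ACK bookkeeping and the window behaviour of the last two slides concrete, here is an added Python model of the receiving side of a TCP connection; it is not code from the slides. The sequence numbers, buffer size and segment contents are constructed sample values, and overlapping out-of-order segments are not handled, which a real stack must do.

```python
class TcpReceiver:
    """Receiver-side model of TCP reassembly: cumulative ACKs plus an advertised window."""

    def __init__(self, isn: int, buffer_size: int):
        self.next_expected = isn + 1    # the SYN consumes the ISN; data starts at ISN+1
        self.buffer_size = buffer_size  # bytes the receiver can hold before the application reads
        self.in_order = bytearray()     # reassembled bytes not yet read by the application
        self.out_of_order = {}          # seq -> bytes, parked until the gap before them is filled

    def window(self) -> int:
        """Window = free buffer space; it shrinks as data piles up and grows as the application reads."""
        held = len(self.in_order) + sum(len(d) for d in self.out_of_order.values())
        return max(0, self.buffer_size - held)

    def receive(self, seq: int, data: bytes):
        """Accept one segment and return the (ACK, window) the receiver would send back."""
        if seq < self.next_expected:                  # retransmission: drop the part already seen
            data = data[self.next_expected - seq:]
            seq = self.next_expected
        limit = self.next_expected + self.window()    # nothing beyond the advertised window is kept
        if seq + len(data) > limit:
            data = data[:max(0, limit - seq)]
        if data:
            if seq == self.next_expected:
                self._deliver(data)
            elif seq not in self.out_of_order:
                self.out_of_order[seq] = data         # a gap precedes it: hold, but do not ACK it
        return self.next_expected, self.window()

    def _deliver(self, data: bytes):
        self.in_order += data
        self.next_expected += len(data)
        # Filling a gap may let parked segments follow on; the ACK then jumps past all of them.
        while self.next_expected in self.out_of_order:
            chunk = self.out_of_order.pop(self.next_expected)
            self.in_order += chunk
            self.next_expected += len(chunk)

    def read(self, n: int) -> bytes:
        """The application consumes bytes, freeing buffer space and reopening the window."""
        out = bytes(self.in_order[:n])
        del self.in_order[:n]
        return out


if __name__ == "__main__":
    r = TcpReceiver(isn=1000, buffer_size=20)          # constructed ISN and buffer
    print(r.receive(1001, b"ABCDE"))   # (1006, 15): in order, ACK advances
    print(r.receive(1011, b"KLMNO"))   # (1006, 10): out of order, ACK stays, window shrinks
    print(r.receive(1006, b"FGHIJ"))   # (1016, 5): gap filled, ACK jumps past the parked data
    print(r.read(15), r.window())      # application reads, window reopens to 20
```

The ACK value is always "next byte I need", so a lost segment stalls the ACK even while later segments keep arriving, which is what tells the sender to retransmit; the window is simply the free space left in the buffer, so a slow application, not just a slow link, throttles the sender.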

Establishing a TCP Connection

Two hosts must agree to establish a connection

Process uses a three-way handshake

Client sends a SYN packet

Server responds with SYN-ACK packet

Client completes the handshake with ACK

The three-way handshake establishes the starting SEQ numbers used in each direction

If one host fails to finish the handshake, the other host discards the connection

Close the connection with FIN or RST

Wireshark: TCP Connection

© Wireshark Foundation

Attacks on Internet Protocols

General types of protocol-oriented attacks

Exploit one host to attack another host

Use up the victim host's resources

Masquerade as a different host to a user

Attack mechanisms

Exploit ICMP – the Internet Control Message Protocol

Exploit IP header settings

Exploit TCP settings

ICMP Exploits

Ping floods – DOS attack that transmits numerous “ping” packets

Smurf attack – DOS attack that sends a forged “ping” using a broadcast address to amplify the number of replies produced

Ping of death – exploited a now-fixed flaw in protocol stacks: a buffer overflow in ping handling

Redirection attacks – rerouted data for one host to traverse a different (masquerading) host

TCP and IP Attacks

SYN flood – attacker sends lots of SYN packets to produce “half-open connections” and use up the protocol stack's resources.

IP spoofing – forge the sender's IP address in a TCP connection; success requires correct guessing of SEQ numbers.

Source routing attack – similar to redirection attack, but uses an IP header option to route traffic to a masquerading host.
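The three-way handshake slides and the SYN flood bullet above describe the same mechanism from two sides: each SYN that is answered but never completed occupies a half-open entry. The following added Python model (not code from the slides) shows the stateful handshake running out of entries, and beside it the SYN cookie approach, in which the server's ISN is an HMAC over the client's address, port and ISN, so the final ACK can be verified by recomputation and no half-open state is kept. The cookie scheme is simplified from the real one (which also encodes the MSS); addresses, ports and the table limit are constructed sample values.

```python
import hmac
import hashlib
import secrets

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


class StatefulServer:
    """Textbook handshake: one table entry per SYN until the final ACK arrives.
    Each half-open entry costs memory, which is exactly what a SYN flood consumes
    (real stacks also expire entries after a timeout, omitted here)."""

    def __init__(self, max_half_open: int = 4):
        self.max_half_open = max_half_open
        self.half_open = {}       # (client_ip, client_port) -> (server_isn, client_isn)
        self.established = set()
        self.refused = 0          # SYNs dropped because the half-open table was full

    def on_syn(self, client, client_isn, slot=0):
        """Return the SYN-ACK (SEQ, ACK) pair, or None when no resources are left."""
        if len(self.half_open) >= self.max_half_open:
            self.refused += 1
            return None
        server_isn = secrets.randbits(32)            # unpredictable ISN resists blind spoofing
        self.half_open[client] = (server_isn, client_isn)
        return server_isn, (client_isn + 1) & MASK

    def on_ack(self, client, seq, ack, slot=0):
        """Final ACK: SEQ and ACK must both match the recorded numbers (a real stack sends RST otherwise)."""
        entry = self.half_open.get(client)
        if entry is None:
            return False
        server_isn, client_isn = entry
        if seq != (client_isn + 1) & MASK or ack != (server_isn + 1) & MASK:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class SynCookieServer:
    """Simplified SYN cookie: the server ISN is an HMAC of the client's address, port and
    ISN plus a coarse time slot, so a genuine final ACK is recognised without any table."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(16)   # server-local secret
        self.established = set()

    def _cookie(self, client, client_isn, slot):
        msg = f"{client[0]}:{client[1]}:{client_isn}:{slot}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client, client_isn, slot=0):
        return self._cookie(client, client_isn, slot), (client_isn + 1) & MASK

    def on_ack(self, client, seq, ack, slot=0):
        client_isn = (seq - 1) & MASK                 # the final ACK's SEQ is client_isn + 1
        for s in (slot, slot - 1):                    # tolerate a slot boundary mid-handshake
            if ack == (self._cookie(client, client_isn, s) + 1) & MASK:
                self.established.add(client)
                return True
        return False


def handshake(server, client, slot=0):
    """A well-behaved client: SYN, receive SYN-ACK, send the matching ACK."""
    client_isn = secrets.randbits(32)
    syn_ack = server.on_syn(client, client_isn, slot)
    if syn_ack is None:
        return False
    server_seq, server_ack = syn_ack
    return server.on_ack(client, server_ack, (server_seq + 1) & MASK, slot)


def flood(server, count, slot=0):
    """SYNs from constructed sources that never answer the SYN-ACK, so nothing completes."""
    for i in range(count):
        server.on_syn((f"198.51.100.{i % 250}", 1024 + i), secrets.randbits(32), slot)


def demo():
    stateful = StatefulServer(max_half_open=4)
    flood(stateful, 4)
    legit_lost = handshake(stateful, ("192.0.2.10", 40000))   # False: the table is full
    cookies = SynCookieServer()
    flood(cookies, 1000)
    legit_ok = handshake(cookies, ("192.0.2.10", 40000))      # True: nothing to exhaust
    return legit_lost, stateful.refused, legit_ok


if __name__ == "__main__":
    print(demo())
```

The same model shows why the IP spoofing bullet hinges on SEQ numbers: a forged client that cannot see the SYN-ACK must guess the server's ISN to produce a valid final ACK, and a randomised 32-bit ISN makes that guess fail.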

Domain Names on the Internet

Domain names provide memorable names for hosts on the Internet

Domain Name System (DNS) converts names into IP addresses, and vice versa

The “Internet telephone book”

A distributed database managed by domain name owners and registrars

Domain names constructed hierarchically

From right to left

Domain Name Construction

Domain Name Hierarchy

Domain Names in Practice

Individuals and companies buy names from registrars

Registrar places the name under the chosen Top-Level Domain (TLD)

Tying the name to a host

Owners may provide their own domain name servers, and service hosts for Web or email

Some registrars will tie the domain name to specific host-based services for customers

Looking up Domain Names

A resolver uses the DNS to look up a name

The resolver keeps a cache of recent answers

If a name isn't in the cache, the resolver contacts a domain name server

If the server can't answer, it identifies a server that can provide the answer, or it may contact that server itself

Resolver saves the answer in its cache

Resolving may be redirected or recursive
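The right-to-left hierarchy of the "Domain Name Construction" slides and the cache-then-ask lookup of the slides just above are shown together in this added Python model of an iterative resolver; it is not code from the slides. The three authoritative servers, their zones and the RFC 5737 documentation addresses they return are constructed sample data, and TTLs and glue records are left out.

```python
def labels_right_to_left(name: str) -> list:
    """'www.example.com.' -> ['com', 'example', 'www']: the hierarchy reads from the right."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def in_zone(name: str, zone: str) -> bool:
    """True when zone is the root or name equals / lies under zone."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


class AuthServer:
    """A constructed authoritative name server: answers for its own records and refers
    the resolver to the child zone's server for anything it has delegated."""

    def __init__(self, name, zone, records=None, delegations=None):
        self.name = name
        self.zone = zone
        self.records = records or {}           # fully qualified name -> IPv4 address
        self.delegations = delegations or {}   # child zone -> name of the server for it

    def query(self, qname: str):
        if qname in self.records:
            return "answer", self.records[qname]
        for child, server in self.delegations.items():
            if in_zone(qname, child):
                return "referral", server
        return "nxdomain", None


# Constructed data: root -> .com TLD -> example.com, addresses from RFC 5737.
SERVERS = {
    "root": AuthServer("root", ".", delegations={"com.": "tld-com"}),
    "tld-com": AuthServer("tld-com", "com.", delegations={"example.com.": "ns1.example.com."}),
    "ns1.example.com.": AuthServer("ns1.example.com.", "example.com.",
                                   records={"www.example.com.": "192.0.2.10",
                                            "mail.example.com.": "192.0.2.20"}),
}


class Resolver:
    """Iterative resolver: consults its cache, then walks from the root through referrals."""

    def __init__(self, servers, root="root", max_hops=8):
        self.servers = servers
        self.root = root
        self.max_hops = max_hops
        self.cache = {}

    def resolve(self, qname: str):
        """Return (address or None, servers contacted in order); a cache hit contacts nobody."""
        qname = qname.lower()
        if not qname.endswith("."):
            qname += "."
        if qname in self.cache:
            return self.cache[qname], []
        contacted = []
        server = self.servers[self.root]
        for _ in range(self.max_hops):                 # bounded: a referral loop must not hang us
            contacted.append(server.name)
            kind, value = server.query(qname)
            if kind == "answer":
                self.cache[qname] = value
                return value, contacted
            if kind == "referral" and value in self.servers:
                server = self.servers[value]
                continue
            break
        self.cache[qname] = None                       # negative caching, simplified (no TTL)
        return None, contacted


if __name__ == "__main__":
    r = Resolver(SERVERS)
    print(labels_right_to_left("www.example.com."))
    print(r.resolve("www.example.com"))        # walks root -> tld-com -> ns1.example.com.
    print(r.resolve("WWW.example.com."))       # second lookup is served from the cache
    print(r.resolve("nosuch.example.com."))    # authoritative server says the name does not exist
```

Each referral hands the resolver one label further left along the name, which is the hierarchy of the earlier slides in action; the cache is what turns the three round trips into none on the next lookup, and it is also the reason a forged answer that gets accepted once keeps being served, which is the cache poisoning risk discussed later.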

Wireshark: A DNS response

© Wireshark Foundation

DNS Lookup

Investigating Domain Names

nslookup – interactive DNS resolver

Returns basic information stored about a domain

IP address for the generic host

IP address, possibly different, to handle email directed at that domain

whois – returns details about domain ownership

Identifies the domain's owner

Provides technical and administrative contact information

Attacks on DNS

Cache poisoning – resolver receives a bogus response to a DNS request

Difficult: Can only affect an existing query

DOS – attacker floods an important server, like a root server, so it can't respond to queries

Botnets are often used in such attacks

DOS attack using a shared resolver – attacker sends numerous bogus queries that produce lots of traffic to a targeted server

An amplification attack, like the smurf attack

DNS Security Improvements

Randomized requests – clients choose unpredictable port numbers and request numbers to resist cache poisoning

Limited access to resolvers – ISPs only allow their customers to use their resolvers, to reduce risks of amplification attacks

Replicated DNS servers – major servers are replicated so that DOS against one won't shut down an entire TLD or subdomain.

DNSSEC – authentication for DNS responses
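The "randomized requests" bullet above describes what a resolver checks before it trusts a reply. This added Python example (not code from the slides) shows those checks on a constructed query/response pair: the reply must come from the server asked, to the randomised source port, carry the randomised transaction ID, answer the question actually posed, and only contain names inside the zone the server is responsible for (the "bailiwick" rule, which stops a reply from planting records for unrelated names). It also computes the size of the space a blind forger would have to cover, with and without port randomisation.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # resolver's UDP source port; the reply must come back to it
    qname: str
    server: str      # address the query was sent to


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    src_addr: str
    qname: str
    answers: dict    # name -> address, including any "additional" records the reply carried


EPHEMERAL = range(1024, 65536)   # source ports the resolver may pick from


def new_query(qname: str, server: str) -> Query:
    """Randomised TXID and source port: a blind forger must guess both to be believed."""
    port = EPHEMERAL.start + secrets.randbelow(len(EPHEMERAL))
    return Query(secrets.randbits(16), port, qname, server)


def accept_response(q: Query, r: Response, zone: str):
    """Decide whether a reply may enter the cache; returns (accepted, reason)."""
    if r.src_addr != q.server:
        return False, "source address is not the server we asked"
    if r.dst_port != q.src_port:
        return False, "port mismatch"
    if r.txid != q.txid:
        return False, "txid mismatch"
    if r.qname.lower() != q.qname.lower():
        return False, "question does not match"
    for name in r.answers:
        if not (name == zone or name.endswith("." + zone)):
            return False, f"{name} is outside the bailiwick {zone}"   # would poison an unrelated name
    return True, "ok"


def blind_guesses_needed(randomize_port: bool) -> int:
    """Combinations a blind forger must cover while one query is outstanding."""
    return (1 << 16) * (len(EPHEMERAL) if randomize_port else 1)


if __name__ == "__main__":
    # Constructed sample exchange with a fixed TXID and port so the output is reproducible.
    q = Query(0x1A2B, 50000, "www.example.com.", "192.0.2.53")
    good = Response(0x1A2B, 50000, "192.0.2.53", "www.example.com.", {"www.example.com.": "192.0.2.10"})
    print(accept_response(q, good, "example.com."))
    bad = Response(0x1A2B, 50000, "192.0.2.53", "www.example.com.",
                   {"www.example.com.": "192.0.2.10", "login.example.net.": "198.51.100.99"})
    print(accept_response(q, bad, "example.com."))
    print(blind_guesses_needed(False), blind_guesses_needed(True))
```

The arithmetic is the whole point of the slide: a 16-bit TXID alone leaves 65,536 possibilities, while adding a random source port multiplies that by the size of the ephemeral range. DNSSEC, the last bullet, goes further by signing the data itself, so a reply is checked for authenticity rather than merely for looking like the one expected.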

Internet Gateways and Firewalls

Network Address Translation

All IP packets travel between two hosts with unique addresses

There are not enough IPv4 addresses to assign one to every IP host on the planet

Sites use private addresses and NAT to provide separate addresses to all hosts

Private addresses fall into one of 3 ranges:

10.x.x.x

192.168.x.x

172.16.0.0 through 172.31.255.255

Mapping Private to Public Addresses

Configuring Host Computers

Gateways and firewalls typically assign private addresses

Use Dynamic Host Configuration Protocol (DHCP)

A client sends a broadcast DHCP query

The gateway responds with information

IP address assigned to the host

IP addresses to use for routing and DNS

Gateway must be configured to use a particular private address range

Traffic Filtering and Connectivity

Packet filtering – discards packets by checking:

MAC address – source or destination

Broadcast transmissions

ICMP messages

IP address – source or destination

IP application protocol – based on port number

Inbound connections usually rejected by NAT

Gateway may configure a server to receive inbound connections
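The NAT slides above (private ranges, private-to-public mapping, inbound connections rejected unless a server is configured) and the packet-filtering slide are brought together in this added Python model of a small gateway; it is not code from the slides. The public address, the inside hosts, the forwarded server and the filter rules are constructed sample values using RFC 5737 documentation ranges, and MAC-address and broadcast filtering are left out of the rule set.

```python
import ipaddress
from dataclasses import dataclass, replace

# The three private ranges from the slide (RFC 1918)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"      # "tcp", "udp" or "icmp" (ports are 0 for icmp)


class NatGateway:
    """Port-translating NAT: rewrites outbound sources to the public address and only lets
    inbound packets through when they match an existing mapping or a configured forward."""

    def __init__(self, public_ip: str, port_forwards=None):
        self.public_ip = public_ip
        self.port_forwards = port_forwards or {}   # public port -> (private ip, private port)
        self.next_port = 40000
        self.mappings = {}    # (private ip, private port, remote ip, remote port) -> public port
        self.reverse = {}     # (public port, remote ip, remote port) -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.mappings.get(key)
        if public_port is None:                    # first packet of a flow: create the mapping
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[key] = public_port
            self.reverse[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving on the public side, or return None to drop it."""
        target = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.port_forwards.get(pkt.dst_port)   # the one server allowed inbound
        if target is None:
            return None   # unsolicited: no inside host asked for this, so nowhere to deliver it
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


# Constructed filter rules, checked in order; the first match wins and the default is accept.
RULES = [
    {"proto": "icmp", "action": "drop"},                    # no ICMP through the gateway
    {"src_net": "192.0.2.0/24", "action": "drop"},          # a constructed blocked source network
    {"dst_port": 23, "action": "drop"},                     # telnet, by application port number
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    src = ipaddress.ip_address(pkt.src_ip)
    for rule in rules:
        if "proto" in rule and rule["proto"] != pkt.proto:
            continue
        if "src_net" in rule and src not in ipaddress.ip_network(rule["src_net"]):
            continue
        if "dst_port" in rule and rule["dst_port"] != pkt.dst_port:
            continue
        return rule["action"]
    return "accept"


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", port_forwards={443: ("192.168.1.10", 443)})
    out = gw.outbound(Packet("192.168.1.20", 51000, "198.51.100.50", 80))
    print("outbound as seen on the Internet:", out)
    print("reply delivered to:", gw.inbound(Packet("198.51.100.50", 80, "203.0.113.1", 40000)))
    print("unsolicited inbound:", gw.inbound(Packet("198.51.100.7", 4444, "203.0.113.1", 22)))
    print("forwarded to web server:", gw.inbound(Packet("198.51.100.7", 4444, "203.0.113.1", 443)))
    print(filter_packet(Packet("198.51.100.7", 0, "203.0.113.1", 0, "icmp")))
```

The mapping table is what makes NAT double as a coarse firewall: an inbound packet is delivered only if an inside host opened the flow or an administrator explicitly forwarded the port, so every unsolicited connection attempt falls through to `None`. The filter runs independently of translation and shows the three criteria the slide lists that a gateway can decide on without keeping any state.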

Enterprise Network Authentication

Enterprise authentication issues

Eavesdropping risks

Management of multiple servers

Keeping credentials up to date

Authentication design patterns

Local authentication

Direct authentication

Indirect authentication

Off-line authentication

Local Authentication

Direct Authentication

Indirect Authentication

Off-Line Authentication
