
Revised August 2013

Chapter 9

Panko and Panko Business Data Networks and Security, 9th Edition
2013 Pearson

Chapter(s)   Coverage                        Layers
1-4          Core concepts and principles    All
5            Single switched networks        1-2
6-7          Single wireless networks        1-2
8-9          Internets                       3-4
10           Wide Area Networks              1-4
11           Applications                    5

Chapter 8
Major TCP/IP standards
Router operation

Chapter 9
Managing internets
Securing internets

Chapter 9 topics:
IP Subnetting
Network Address Translation (NAT)
DNS and DHCP
SNMP
Multiprotocol Label Switching
Securing Internet Transmission
IPv6 Management

IP Subnetting

Companies are given a network part (not a host part) by their ISP or an Internet number authority (a regional Internet registry).
They divide the remaining bits between a subnet part and a host part. Larger subnet parts mean more subnets, but this leaves smaller host parts, which means fewer hosts per subnet. The reverse is also true: a smaller subnet part allows fewer subnets but more hosts in each.

If a part has N bits, it can represent 2^N - 2 subnets or hosts per subnet.

2^N because with N bits you can represent 2^N possibilities. Minus 2 because this textbook excludes the values that are all zeros and all ones. For the host part the exclusion is mandatory: the all-zeros address names the subnet itself and the all-ones address is the subnet's broadcast address. For the subnet part it is a legacy restriction; CIDR-capable routers accept all 2^N subnet numbers ("subnet zero" and the all-ones subnet are usable), but the tables in this chapter apply the -2 to both parts.

Part size (bits)   2^N           2^N - 2
4                  2^4 = 16      16 - 2 = 14
8                  ?             ?
10                 ?             ?
12                 4,096         4,094
16                 65,536        65,534

Subnetting worksheet: four examples

Step  Description                                                   Example 1        Example 2         Example 3          Example 4
1     Total size of IP address (bits), by definition                32               32                32                 32
2     Size of network part assigned to firm (bits)                  16               16                8                  8
3     Remaining bits for firm to assign                             16               16                24                 24
4     Selected subnet/host part sizes (bits), the firm's decision   8/8              6/10              12/12              8/16
      Number of possible subnets (2^N - 2)                          254 (2^8 - 2)    62 (2^6 - 2)      4,094 (2^12 - 2)   254 (2^8 - 2)
      Number of possible hosts per subnet (2^N - 2)                 254 (2^8 - 2)    1,022 (2^10 - 2)  4,094 (2^12 - 2)   65,534 (2^16 - 2)

Exercises

Step  Description                                      Exercise 1   Exercise 2
1     Size of IP address (bits)                        32           32
2     Size of network part assigned to firm (bits)     20           20
3     Remaining bits for firm to assign                12           12
4     Selected subnet part size (bits)                 4            6
      Host part size (bits)                            ?            ?
      Number of possible subnets (2^N - 2)             ?            ?
      Number of possible hosts per subnet (2^N - 2)    ?            ?
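The worksheet arithmetic above, including the two exercises, as an added example that is not part of the original slides (the class and function names are mine, not the textbook's). It applies the textbook's 2^N - 2 rule to both parts, also reports the 2^N subnet count that CIDR-capable routers allow, derives the resulting subnet mask, and checks that the chosen sizes actually fit in the remaining bits:

```python
from dataclasses import dataclass


@dataclass
class SubnetPlan:
    """One column of the subnetting worksheet. All sizes are in bits."""
    network_bits: int       # network part assigned by the ISP or registry (step 2)
    subnet_bits: int        # the firm's decision (step 4)
    address_bits: int = 32  # IPv4, by definition (step 1)

    @property
    def remaining_bits(self) -> int:
        # step 3: bits the firm is free to divide
        return self.address_bits - self.network_bits

    @property
    def host_bits(self) -> int:
        return self.remaining_bits - self.subnet_bits

    @staticmethod
    def usable(bits: int, reserve_two: bool = True) -> int:
        # 2^N possibilities; minus 2 drops the all-zeros and all-ones values
        return 2 ** bits - (2 if reserve_two else 0)

    @property
    def subnets(self) -> int:
        # textbook rule: 2^N - 2 (no all-zeros and no all-ones subnet number)
        return self.usable(self.subnet_bits)

    @property
    def subnets_cidr(self) -> int:
        # CIDR-capable routers accept every subnet number, so the count is 2^N
        return self.usable(self.subnet_bits, reserve_two=False)

    @property
    def hosts_per_subnet(self) -> int:
        # hosts always lose two: all-zeros names the subnet, all-ones is broadcast
        return self.usable(self.host_bits)

    @property
    def subnet_mask(self) -> str:
        # network + subnet bits are ones, host bits are zeros
        prefix_len = self.network_bits + self.subnet_bits
        all_ones = (1 << self.address_bits) - 1
        mask = (all_ones << (self.address_bits - prefix_len)) & all_ones
        return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))

    def check(self) -> None:
        if not 0 <= self.subnet_bits <= self.remaining_bits:
            raise ValueError("subnet part does not fit in the remaining bits")
        if self.host_bits < 2:
            raise ValueError("host part needs at least 2 bits for one usable host")


def worksheet(network_bits: int, subnet_bits: int) -> dict:
    """Rows 3 and 4 of the worksheet for one choice of network and subnet sizes."""
    plan = SubnetPlan(network_bits, subnet_bits)
    plan.check()
    return {
        "remaining_bits": plan.remaining_bits,
        "host_bits": plan.host_bits,
        "subnets": plan.subnets,
        "subnets_cidr": plan.subnets_cidr,
        "hosts_per_subnet": plan.hosts_per_subnet,
        "mask": plan.subnet_mask,
    }


if __name__ == "__main__":
    # the four slide examples followed by the two exercises (20-bit network part)
    for net, sub in [(16, 8), (16, 6), (8, 12), (8, 8), (20, 4), (20, 6)]:
        print(f"network {net} bits, subnet {sub} bits:", worksheet(net, sub))
```

Running it reproduces the four example columns and answers the two exercises: with a 20-bit network part, 4 subnet bits leave an 8-bit host part (14 subnets of 254 hosts, mask 255.255.255.0) and 6 subnet bits leave a 6-bit host part (62 subnets of 62 hosts, mask 255.255.255.192). Asking for 11 subnet bits is rejected because only one host bit would remain.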

Network Address Translation (NAT)

NAT
A NAT firewall rewrites outgoing packets so that outsiders see external source IP addresses and port numbers that differ from the internal source IP addresses and port numbers. Firms use it:
For security purposes (outsiders never learn internal addresses).
To have many more internal IP addresses than the ISP gives them external IP addresses.

NAT operation
1. For each new outgoing connection, the NAT firewall puts the real (internal) source IP address and port number in its translation table.
2. It replaces the source IP address and port number in the packet with an external IP address and port number, and records that pair in the same table row.
3. It reverses the process for incoming packets: it looks up the external destination IP address and port number in the table and restores the internal address and port number before forwarding the packet inside.

NAT is transparent to internal and external hosts. The NAT firewall does all the work; neither host knows that NAT is taking place, so there is no need to modify how hosts work.

Security Reasons for Using NAT
External attackers can put sniffers outside the corporation. Sniffers read IP addresses and port numbers, and attackers can then send attacks to those addresses and port numbers.
With NAT, attackers learn only the external IP addresses and port numbers, which do not identify internal hosts. Note the limit of this protection: an external address and port pair is still reachable for as long as its translation table entry exists, so NAT hides internal addressing but does not replace firewall filtering of incoming packets.

Expanding the Number of Available IP Addresses
Companies may receive a limited number of IP addresses from their ISPs. The textbook assumes roughly 4,000 usable ephemeral port numbers per external IP address, so each external address supports up to about 4,000 simultaneous external connections, and a firm given 248 external IP addresses can have roughly one million external connections. (The actual ephemeral range depends on the operating system; the IANA dynamic range of 49152 through 65535 alone holds 16,384 ports.)
If each internal device averages several simultaneous external connections, each one will require a different external port number. Even so, there should be no problem with this many possible external IP addresses and port numbers.

Companies often use private IP addresses internally.
These can be used only within companies, never on the Internet (RFC 1918). There are three private IP address ranges:
10.0.0.0 through 10.255.255.255 (10.x.x.x)
172.16.0.0 through 172.31.255.255 (172.16.x.x through 172.31.x.x)
192.168.0.0 through 192.168.255.255 (192.168.x.x, the most popular)
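The translation table from the NAT slides above, together with the private-range check, as an added example that is not code from the textbook. The external address 203.0.113.5 and the outside server's address come from the RFC 5737 documentation ranges, and the pool of external port numbers is assumed to be 49152 through 65535; real NAT devices also time out idle entries, which this simulation omits:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: usable inside the firm, never routed on the Internet
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Port-translating NAT as on the slides: one external address shared by many hosts."""

    def __init__(self, external_ip: str, first_port: int = 49152, last_port: int = 65535):
        self.external_ip = external_ip
        self.pool_size = last_port - first_port + 1  # connections one external address can carry
        # external port numbers handed out for translations (assumed range)
        self._free_ports = iter(range(first_port, last_port + 1))
        # translation table: real (internal ip, port) <-> external port
        self.outbound: Dict[Tuple[str, int], int] = {}
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outgoing(self, pkt: Packet) -> Packet:
        """Steps 1 and 2: record the real source, rewrite it with the external address and port."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an internal (private) address")
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = next(self._free_ports, None)
            if ext_port is None:
                raise RuntimeError("external port pool exhausted; no more connections possible")
            self.outbound[key] = ext_port
            self.inbound[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def translate_incoming(self, pkt: Packet) -> Optional[Packet]:
        """Step 3: reverse the process for replies; packets with no table entry are dropped."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: a sniffed external port alone does not reach a host
        int_ip, int_port = entry
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo() -> dict:
    """Two internal hosts that happen to use the same source port, one reply, one unsolicited packet."""
    nat = NatFirewall("203.0.113.5")  # assumed external address (documentation range)
    a = nat.translate_outgoing(Packet("192.168.1.10", 3000, "198.51.100.7", 80))
    b = nat.translate_outgoing(Packet("192.168.1.11", 3000, "198.51.100.7", 80))
    reply = nat.translate_incoming(Packet("198.51.100.7", 80, nat.external_ip, a.src_port))
    unsolicited = nat.translate_incoming(Packet("198.51.100.7", 80, nat.external_ip, 60000))
    return {"a": a, "b": b, "reply": reply, "unsolicited": unsolicited, "pool": nat.pool_size}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two internal hosts share source port 3000, so the firewall must key its table on the external port it hands out, not on the internal port alone; the reply to the first host is mapped back to 192.168.1.10:3000, while a packet aimed at an external port with no table entry is discarded.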

There Are Protocol Problems Caused by NAT
IPsec, VoIP, and other applications have a difficult time with NAT firewall traversal.
They must know the real IP address and port number of the host on the other side of the NAT firewall, and some of them protect or carry those values in ways the firewall cannot rewrite (IPsec's AH, for example, authenticates the IP header that NAT changes). There are NAT traversal techniques (UDP encapsulation for IPsec, STUN for VoIP), but they must be managed carefully.

DNS and DHCP

DNS lookup (figure)
The originating host needs the IP address of host dakine.pukanui.com. It asks its local DNS server at hawaii.edu.
If the local DNS server does not already know the answer, it queries other DNS servers on the host's behalf. The authoritative server sends its response to the local DNS server, not to the client host.
Note that it is always the local DNS server that sends the response message back to the client.

The DNS really is a general naming system for the Internet.
A domain is a set of resources under the control of an organization.
There is a hierarchy of domains.
The root is all domains. It is served by 13 root server addresses (named a through m), each of which is replicated at many sites using anycast.

There are two kinds of top-level domains.
Generic top-level domains indicate organization type (.com, .edu, .gov, etc.).
Country top-level domains are specific to a country (.uk, .ca, .ch, etc.).

Traditionally, generic top-level domains were strongly limited in number. There have been a few additions over the years, such as .museum, .name, and .info. (The .co domain that is often marketed as a generic alternative to .com is actually Colombia's country top-level domain.)
As of 2013, any individual or company can propose to administer a generic top-level domain.

Companies want second-level domain names (microsoft.com, apple.com, panko.com, etc.). Competition for these names is fierce.
Most companies divide their organizations into subdomains (not to be confused with IP subnets).
At the bottom of the hierarchy are individual hosts.


DHCP
Typical configuration information a DHCP server gives a client:
IP address for the DHCP client to use
The subnet mask for the client's subnet
The IP address of the client's default router
The IP addresses of the firm's DNS servers (usually more than one, for redundancy)

DNS versus DHCP
The two are often confused because both give a client PC an IP address.
DHCP gives a client PC its own (dynamic) IP address.
DNS gives a client PC the IP address of a host the client wishes to send packets to.

SNMP

Core Elements (from Chapter 4)
Manager program
Managed devices
Agents (communicate with the manager on behalf of the managed device)
Management information base (MIB): stores the retrieved information. "MIB" can refer either to the database on the manager or to the database schema.

Messages
Commands (sent by a manager to an agent):
Get (to get information from the agent)
Set (to tell the agent to change how the managed device is operating)
Responses (sent from agent to manager) to Get or Set commands
Traps (alarms sent by agents without being asked)
SNMP uses UDP at the transport layer (port 161 for commands, 162 for traps) to minimize the burden on the network.

Set Commands
Dangerous if used by attackers. Many firms disable Set to thwart such attacks; however, they then give up the ability to manage remote resources without travel.
SNMPv1: a community string shared by the manager and all devices, sent in cleartext (poor).
SNMPv3: per-user authentication and optional encryption of messages, so each manager-agent relationship can have its own credentials (good).

Objects (Figure 9-8)
Specific pieces of information, for example:
Number of rows in the routing table
Number of discards caused by lack of resources (indicates a need for an upgrade)
Objects are NOT managed devices! Objects are specific pieces of data about a managed device.

Categories of Objects

System objects (one set per managed device)
System name, system description, system contact person, system uptime (since last reboot)

IP objects (one set per managed device)
Forwarding (for routers): yes if forwarding (routing), no if not
Cause of resource limitations
Number of rows in routing table; rows discarded because of lack of space
Individual row data

TCP objects (one set per managed device)
Retransmission time; maximum number of TCP connections allowed
Opens, failed connections, resets
Segments sent, segments retransmitted
Errors in incoming segments
Data on individual connections (sockets, states)

UDP objects (one set per host)
Traffic statistics

ICMP objects (one set per host)
Number of ICMP errors of various types

Interface objects (one set per interface or port, unlike the categories above, which have one set per managed device)
Type (e.g., 69 is 100Base-FX; 71 is 802.11)
Status: up, down, or testing
Speed
Errors: discards, unknown protocols, and so on

The SNMP manager program collects data and places it in the MIB.

Visualization program: the administrator's interface to the MIB. Helps the administrator visualize patterns in the MIB data. Can order the SNMP manager to collect certain data or to send Set commands to change the configurations of managed devices.

User functionality: reports, diagnostic tools, and so on, are very important. They are not built into the standard; they are added by network visualization program vendors. Critical in the selection of a network management vendor.

Multiprotocol Label Switching

Routers route each packet individually, going through the three steps we saw in the last chapter. Even if the next packet is going to the same destination IP address, the router goes through all three steps again. This consumes a great deal of processing power per packet, which makes traditional routing expensive.

MPLS addresses this issue.
Routers identify the best route for a range of IP addresses before sending data. That route is given a label number, and each packet in the stream carries a label with this number. Routers then do only a quick exact-match table lookup per packet; such lookups require little processing power, so multiprotocol label switching is much less expensive than traditional routing.

MPLS forwarding (figure): the ingress router assigns label number 123 to the packet. The label sits between the frame header and the IP packet header, in this order on the wire: Frame Header | MPLS Label | IP Packet Header. Router 3 looks up the packet's label in its label table and sends the packet out through Interface 1.
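The difference between per-packet routing and label switching, as an added example that is not from the textbook. The routing table, the label values other than 123, and the interface numbers other than Router 3's Interface 1 are constructed for illustration. The ingress router runs a longest-prefix match once to classify the packet into a forwarding equivalence class, and the routers along the path only do an exact-match lookup on the label (swap in the core, pop at the egress):

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: int


def longest_prefix_match(table: List[Route], dst: str) -> Route:
    """Traditional routing step: scan the whole table and keep the most specific match."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        if ip in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


@dataclass
class LabelSwitchRouter:
    name: str
    # label forwarding table: incoming label -> (outgoing label, outgoing interface);
    # an outgoing label of None means "pop the label" (the packet leaves the MPLS path)
    lfib: Dict[int, Tuple[Optional[int], int]]

    def switch(self, label: int) -> Tuple[Optional[int], int]:
        return self.lfib[label]  # exact-match lookup; no prefix scan per packet


# Constructed tables (only label 123 and Router 3's Interface 1 come from the figure).
# The routes for these two address ranges were chosen before any data is sent and a
# label was bound to each range.
INGRESS_TABLE = [
    Route(ipaddress.ip_network("10.0.0.0/8"), 2),
    Route(ipaddress.ip_network("10.5.0.0/16"), 2),
]
FEC_LABELS = {
    ipaddress.ip_network("10.5.0.0/16"): 123,
    ipaddress.ip_network("10.0.0.0/8"): 200,
}
PATH = [
    LabelSwitchRouter("Router 2", {123: (456, 2), 200: (201, 3)}),
    LabelSwitchRouter("Router 3", {456: (None, 1), 201: (None, 4)}),
]


def push_label(dst: str) -> int:
    """Ingress router: classify the packet once and push the label bound to its range."""
    return FEC_LABELS[longest_prefix_match(INGRESS_TABLE, dst).prefix]


def forward(dst: str) -> List[Tuple[str, int, Optional[int], int]]:
    """Trace (router, label in, label out, interface) along the label-switched path."""
    label = push_label(dst)
    trace = []
    for lsr in PATH:
        out_label, interface = lsr.switch(label)
        trace.append((lsr.name, label, out_label, interface))
        if out_label is None:
            break  # egress: label popped, ordinary IP routing resumes beyond here
        label = out_label
    return trace


if __name__ == "__main__":
    for dst in ("10.5.1.2", "10.9.9.9"):
        print(dst, forward(dst))
```

The 10.5.1.2 packet matches both 10.0.0.0/8 and 10.5.0.0/16 at the ingress; longest-prefix match picks the /16 and therefore label 123, after which no router on the path looks at the IP header again. A destination with no matching prefix fails at the ingress, which is the only place the IP lookup happens.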

Implementing MPLS is difficult. Many individual ISPs and corporations do it, and some ISPs have peering arrangements with other ISPs to extend it across their boundaries. There is no general way to move MPLS out to all ISPs and organizations.

Securing Internet Transmission

Security was not addressed in the initial design of TCP/IP.
Jon Postel, who edited the main Internet RFCs, explained to the first author, "It just wasn't a problem then, and we were stretched thin."
Today, firms are adding security to their transmissions through IPsec VPNs.

A virtual private network (VPN) is a cryptographically secured transmission path through an untrusted environment:
The Internet
A wireless network
Communication in a foreign country
Like having your own private network in terms of security. However, it is not a real private network.

There are two types of VPNs:
Remote access VPNs connect a remote user to a corporate site. The user connects to a VPN gateway at the site.
Site-to-site VPNs protect all traffic traveling between two sites. Each site has a gateway to encrypt outgoing traffic and decrypt incoming traffic.

IPsec has two modes (ways) of operating:
Transport mode
Tunnel mode
Each mode has strengths and weaknesses. Selecting an IPsec mode is very important to security.

In transport mode, IPsec provides protection end to end between the hosts, over the Internet and also over the site networks. Transport mode requires a digital certificate and configuration work on each host. This is expensive.
In tunnel mode, IPsec provides protection only over the dangerous Internet, between the two IPsec gateways, not within the site networks. Only the two IPsec gateways need digital certificates and configuration work.

Comparison of IPsec modes

Security
Transport mode: Better, because it provides host-to-host protection. But firewalls along the way cannot read the encrypted traffic.
Tunnel mode: Not as good, because it only provides security over the Internet or another untrusted network (a wireless network, etc.), not inside the sites.

Cost
Transport mode: Higher, because of configuration work on each host.
Tunnel mode: Lower, because IPsec operates only on the IPsec gateways.

SSL/TLS
Purpose: to provide a secure connection between a client browser and a webserver application on a webserver host. Use is indicated by https:// in the URL. Very widely used.

Origin
Created by Netscape as SSL. The IETF took over the standard and changed its name to Transport Layer Security (TLS).
We refer to the standard, generically, as SSL/TLS.

Attraction of SSL/TLS
Universally supported by browsers and webserver applications, so there is no added cost on the client to use it. No extra software on the server is needed, but SSL/TLS must be configured, which usually is simple.

Limitations of SSL/TLS
Operates above TCP, so it protects only application data; IP and TCP headers are not protected.
Limited to applications written to work with SSL/TLS: HTTP and e-mail, primarily.
The textbook rates it cryptographically weaker than IPsec; some older versions and cipher suites have been broken in practice, so the protocol version and cipher configuration matter.
No policy servers for centralized management.

Overall
Decent quality, cheap, and easy security, but limited in how it can be used and managed.

Comparison with IPsec
IPsec is more complex and so more expensive. It can be used for all types of VPNs and can be managed well. It is the gold standard in TCP/IP security.

IPv6 Management

Transition from IPv4 to IPv6
IPv6 subnetting
IPv6 configuration
Other IPv6 standards:
ICMPv6
Extending DNS
Replacing the Address Resolution Protocol

Transition from IPv4 to IPv6
Must transition all clients, routers, firewalls, and so on. There is no backward compatibility.
The IETF's plan: instead, add both IPv4 and IPv6 protocol stacks at the internet layer to all new devices (dual stack). As soon as most devices have IPv6 protocol stacks, configure the devices and add IPv6 support alongside IPv4 support. Eventually, turn off IPv4 support.

Problems and reactions
IPv6 offered few benefits, so most companies ignored IPv6.
The shortage of IPv4 addresses was handled (intelligently) through NAT.
But now the IPv4 addresses are gone: the central IANA pool was exhausted in 2011, and the regional registries are running out.
Now some clients, such as mobile phones, only have IPv6 stacks at the internet layer.
To serve them, companies are rushing to turn on and configure IPv6 support.

IPv6 subnetting
Must deal with global IPv6 unicast addresses. These are like public IPv4 addresses: they have three parts, but with different names.

IPv6 Address Part      Corresponding IPv4 Address Part   Length of IPv6 part
Global Routing Prefix  Network Part                      Variable
Subnet ID              Subnet Part                       Variable
Interface ID           Host Part                         64 bits
Total                  32 bits (IPv4)                    128 bits

The interface ID is (almost) always 64 bits.
Global Routing Prefix (network part in IPv4): m bits
Subnet ID (subnet part in IPv4): n bits, where m + n = 64
Interface ID (host part in IPv4): 64 bits
The interface ID is not of variable length like IPv4 host parts. This wastes 64 bits, but IPv6 has plenty to lose.

Exercise: an IP address registrar gives you a 32-bit global routing prefix.
How long is your subnet ID?
How many subnets can you have (approximately)?
Many companies have a two-layer hierarchy of subnets, using some subnet ID bits for the main subnet and the remaining bits for sub-subnets.

Modified 64-bit Extended Unique Identifier (EUI-64) Format

First, display the MAC address in hexadecimal notation (48 bits). Remove the dashes and convert the text to lower case.
AD-B1-C2-D3-E5-F5 -> adb1c2d3e5f5

Second, divide the address in half and insert fffe in the middle. This creates a 64-bit value.
adb1c2 fffe d3e5f5 -> adb1c2fffed3e5f5

Third, in the second nibble of the first octet (d, 1101), invert the second bit from the right, giving 1111 (f). This bit is the universal/local bit of the first octet. The result is the modified EUI-64.
adb1c2fffed3e5f5 -> afb1c2fffed3e5f5

Summary:
1. Begin with the MAC address in hexadecimal notation.
2. Divide the 48 bits into two halves of 24 bits.
3. Insert fffe between the two halves.
4. Place into four-hex-digit groups separated by colons.
5. Flip the second-least-significant bit of the first octet.

IPv6 configuration
Hosts must be configured with IP addresses. IPv4 uses DHCP. IPv6 offers two configuration mechanisms:
DHCPv6 (very similar to IPv4 DHCP)
Stateless autoconfiguration, which does not use a DHCPv6 server (not available in IPv4)

Stateless Autoconfiguration
The client configures itself, without using a DHCPv6 server.
First, the client creates a link-local IPv6 address.
Second, the client creates a global unicast IPv6 address.

Creating the Link-Local IPv6 Address
Link-local IPv6 addresses can be used only within a single network (wireless or switched wired).
If the client does not need a global IP address, the autoconfiguration process can stop here.

First, create a 64-bit interface ID from the MAC address of the client (modified EUI-64).
Then prepend the link-local prefix: the bits 1111 1110 10 (fe80::/10) followed by 54 bits of zeroes, for a total of 64 bits.
This is the link-local IP address: fe80::x, where x is the modified EUI-64 written as four colon-separated 16-bit groups.

Testing the Link-Local Address
Another host may already be using this address. So the client uses the ICMPv6 neighbor discovery protocol (duplicate address detection) to ask whether any other host on the single network is using this address. If none replies, the client may use the address within its single network.

Creating the Global Unicast IPv6 Address
Needed for communication over the Internet. Begin with the link-local address: keep the interface ID but get a new routing prefix and subnet ID. The client sends an ICMPv6 router solicitation message to the all-routers multicast address ff02::2, which all routers listen for.
Routers respond with ICMPv6 router advertisement messages.
The router advertisement message may state that autoconfiguration is not allowed.
If this is not the case, the message gives the routing prefix and subnet ID (together, the 64-bit prefix). The client now has a global unicast IPv6 address.
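The modified EUI-64 steps, the link-local address construction, the 32-bit-prefix exercise, and the combination of an advertised 64-bit prefix with the interface ID, as an added example that is not the textbook's code. The slides' MAC address AD-B1-C2-D3-E5-F5 is the input; the 2001:db8::/32 routing prefix is the RFC 3849 documentation prefix and the subnet ID 0001 is assumed:

```python
import ipaddress
import re

# fe80::/10 is 1111 1110 10; the remaining 54 bits of the first 64 are zero
LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")


def modified_eui64(mac: str) -> bytes:
    """The slides' three steps: strip separators, insert fffe in the middle, flip the U/L bit."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("a MAC address has 48 bits (12 hex digits)")
    octets = bytes.fromhex(digits)
    eui = octets[:3] + b"\xff\xfe" + octets[3:]  # 64 bits
    # flip the second-least-significant bit of the first octet (the universal/local bit)
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def modified_eui64_hex(mac: str) -> str:
    return modified_eui64(mac).hex()


def link_local_address(mac: str) -> str:
    """fe80::/64 followed by the modified EUI-64 interface ID."""
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + modified_eui64(mac)))


def global_unicast_address(advertised_prefix: str, mac: str) -> str:
    """Keep the interface ID; take routing prefix + subnet ID (64 bits) from a router advertisement."""
    net = ipaddress.IPv6Network(advertised_prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix (routing prefix + subnet ID)")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def subnet_id_bits(routing_prefix_bits: int) -> int:
    """Routing prefix (m bits) + subnet ID (n bits) = 64, so n = 64 - m."""
    if not 0 < routing_prefix_bits < 64:
        raise ValueError("routing prefix must leave room for a subnet ID")
    return 64 - routing_prefix_bits


def subnet_count(routing_prefix_bits: int) -> int:
    """Number of subnets a registrar-assigned prefix allows (no -2 rule in IPv6)."""
    return 2 ** subnet_id_bits(routing_prefix_bits)


if __name__ == "__main__":
    mac = "AD-B1-C2-D3-E5-F5"  # the slides' example MAC address
    print(modified_eui64_hex(mac))
    print(link_local_address(mac))
    print(global_unicast_address("2001:db8:0:1::/64", mac))  # assumed prefix and subnet ID
    print(subnet_id_bits(32), subnet_count(32))
```

For the slides' MAC the interface ID is afb1c2fffed3e5f5, the link-local address is fe80::afb1:c2ff:fed3:e5f5, and with the assumed prefix the global address is 2001:db8:0:1:afb1:c2ff:fed3:e5f5. The 32-bit routing prefix of the exercise leaves a 32-bit subnet ID, or about 4.3 billion subnets. A router advertising anything other than a 64-bit prefix is rejected, because the interface ID is fixed at 64 bits.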

Limits
More limited than traditional DHCP configuration.
At a minimum, router advertisement messages give only a routing prefix and subnet ID.
Of course, the packet containing the router advertisement message carries the IPv6 address of the router, which becomes the default router.

Uses
How can a client get other IPv6 configuration information?
If a client is a dual-stack client, the IPv4 stack can obtain full configuration information, which the IPv6 stack can use.
If the client is not a dual-stack client, it needs at least one more piece of configuration information: the IPv6 addresses of DNS servers. The IETF has extended router advertisement messages to provide the IPv6 addresses of DNS servers (the RDNSS option). However, this is only an option.

Known Security Weaknesses
An attacker might create an address that does not use its proper EUI-64.
An attacker may create an address that uses the EUI-64 of another host to impersonate it.
Several operations (router advertisements, neighbor solicitations, duplicate address detection) can be abused to create flooding denial-of-service attacks, and a rogue router advertisement can redirect a whole network's traffic.
None of these messages is authenticated by default. Mitigations a practitioner should know: RA Guard on switches filters router advertisements arriving on non-router ports, Secure Neighbor Discovery (SEND) adds cryptographic protection, and privacy extensions (randomized interface IDs) mean the interface ID cannot be trusted as a host identity in any case.

IPv6 Address Renumbering
Stateless autoconfiguration may be used to renumber all IP addresses in a firm automatically, changing subnet IDs and even routing prefixes.

ICMPv6
Many new message types were created for neighbor discovery, stateless autoconfiguration, and so on.

Domain Name System (DNS)
The DNS information for a host is contained in several records.
DNS A record: contains the IPv4 address for the target host.
DNS AAAA record: for IPv6 addresses, a new address record had to be added. IPv6 addresses are four times as long as IPv4 addresses, so the added record is called the AAAA record.

Address Resolution Protocol (ARP) Messages
In IPv6, address resolution is handled by the ICMPv6 neighbor discovery protocol, which uses two message types for it:
Neighbor solicitation messages ask a host to respond.
Neighbor advertisement messages give the host's data link address.
There is no ARPv6.

Where We've Been
IP Subnetting
Network Address Translation (NAT)
DNS and DHCP
SNMP
Multiprotocol Label Switching
Securing Internet Transmission
IPv6 Management

Chs.   Title                   Layers
1-4    Core Concepts           All
5-7    Single Networks         1 and 2
8-9    Internets               3 and 4
10     Wide Area Networks      1-4
11     Networked Applications  5