A few notes:

1. This article is my study notes from reviewing the KTH course Internetworking. The main references are the textbook and the lecture slides.

Textbook: Behrouz A. Forouzan, TCP/IP Protocol Suite, 3rd Edition, 2005, McGraw-Hill, ISBN 0-07-296772-2

2. The article is fairly long; use the table of contents to find the part you need.

3. The course is taught in English, so Chinese and English are mixed in many places and the writing is rather rough.

4. Some images may fail to load; accessing the page through a proxy (翻墙) solves this.

5. I have uploaded a PDF version to GitHub; download it if you need it.

Table of Contents

Lecture 2 Link Layer

1. Basic introduction

2. Collision in Ethernet:

3. Ethernet (wired) address & MAC address

4. Collision in Wireless LAN (Problem 1. Hidden station problem)

5. The data link layer is further divided into MAC and LLC sublayers

Review of Lecture 2

Lecture 3 Network layer fundamentals - Basic forwarding IP addressing

1.In general

2. Forwarding

3. IPv4 Addressing

4. Allocate address

Lecture 4 IP

1. IPv4&IPv6 packet

2. IPv4&IPv6 Fragmentation

3. IPv4 header vs IPv6 header

Lecture 5 IP, ARP, more IP and ICMP

1. ARP

2. IP options (extension header)

3. ICMP

Lecture 6&7 Routing

1.In general

2. Bellman-Ford Algorithm

3. Problems in real networks and their solutions

4. Dijkstra's shortest path algorithm

5. Link-state vs. Distance-vector

6. Routing Protocols

Lecture 8&9 Transport Layer-UDP, TCP and beyond

1.In general

2. UDP

3. TCP

Lecture 10 &11 Application Layer

1.In general

2.Creating network applications

3.Web and HTTP

4. Remote login--Telnet & SSH

5. Email

Lecture 12 DNS

Summary

Lecture 13 IP Configuration (assigning IP addresses)

1. BOOTP—Bootstrap Protocol

2. DHCP—Dynamic Host Configuration

3. Host Configuration—SLAAC--Stateless Autoconfiguration

4. IPv6 Autoconfiguration—Plug and Play

5. Stateful and Stateless Autoconfiguration

Lecture 14 IP Security

1. Overview

2. Encapsulation Formats

3. IPsec and IPv6

4. IKE

Lecture 15 IP Gateways

1. Firewall

2. NAT-Network Address Translation

Overall diagram


Lecture 2 Link Layer

1. Basic introduction

The data link layer is responsible for transferring datagrams between adjacent nodes over a link. (The data link layer packet is a frame; the layer encapsulates each datagram into a frame.)

Link addressing: MAC address

2. Collision in Ethernet:

CSMA: listen before sending. Half-duplex link. It cannot avoid all collisions, because every frame has a propagation delay.

CSMA/CD: Listen while sending. If collision is detected, abort transmission and retry.

No collisions (the approach used nowadays):

A bridge learns the location of MAC addresses by inspecting the source address field of incoming frames.

3. Ethernet (wired) address & MAC address

Both are 48-bit numbers used to uniquely identify each computer on a network. The address is usually written in hexadecimal form.

The Ethernet address is the most common form of MAC address.

4. Collision in Wireless LAN (Problem 1. Hidden station problem)

To avoid collisions (CSMA/CD cannot be used here), CSMA/CA is used instead:

Problem 2 (RTS and CTS cannot solve this one.)

C has to wait to send data to D until A finishes sending data to B.

5. The data link layer is further divided into MAC and LLC sublayers

The MAC sublayer sits between the LLC sublayer and the physical layer below it. It receives data from the LLC sublayer, adds the MAC address and control information, computes a check, and hands the result to the physical layer.

The most important concept here is the MAC address.

Review of Lecture 2


Lecture 3 Network layer fundamentals - Basic forwarding IP addressing

1.In general

End-to-end delivery of packets independent of the underlying link layer technologies.

Connectionless (only the destination is specified, not the exact route): packets may travel along different paths and may not be received in order.

IP: Implemented using unicast addresses shared between several hosts.

Direct delivery

– Host to host or router to host

– Destination and sender connected to the same physical network

• The last delivery is always direct

– Destination address and local interface have the same network address (use the netmask)

Indirect delivery

– Host to router or router to router

– Destination address and forwarding table: forwarding

2. Forwarding

The last one is the method used nowadays.

No.1

No.2

No.3

3. IPv4 Addressing

(IPv6 addresses are 128 bits long.)

– Address & Mask = NetID (network address)

– Address & !Mask = HostID (host address)

– Address | !Mask = Directed broadcast address

(The limited broadcast address has all bits set to 1: 255.255.255.255)
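As an added example (not from the original notes), the three formulas above and the direct/indirect delivery check from Lecture 3, plus the allocated range from network address to broadcast address used in the next section. The addresses are constructed, reusing the 10.0.0.0/24 network and the web-server address from the NAT example later in these notes.

```python
import ipaddress


def split_address(addr: str, mask: str) -> dict:
    """Apply the three formulas to a dotted-quad address and netmask."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    not_mask = (~m) & 0xFFFFFFFF                    # !Mask, kept to 32 bits
    return {
        "netid": str(ipaddress.IPv4Address(a & m)),                       # Address & Mask
        "hostid": a & not_mask,                                           # Address & !Mask, as an integer
        "directed_broadcast": str(ipaddress.IPv4Address(a | not_mask)),   # Address | !Mask
    }


LIMITED_BROADCAST = "255.255.255.255"   # all 32 bits set to 1; stays on the local network


def delivery_type(src: str, dst: str, mask: str) -> str:
    """Direct delivery when source and destination share a network address under the
    local interface's netmask; otherwise indirect delivery via a router."""
    same_net = split_address(src, mask)["netid"] == split_address(dst, mask)["netid"]
    return "direct" if same_net else "indirect"


def address_range(addr: str, mask: str) -> tuple:
    """The block allocated to a network: from its network address to its directed broadcast."""
    parts = split_address(addr, mask)
    return parts["netid"], parts["directed_broadcast"]


if __name__ == "__main__":
    # constructed example: host 10.0.0.1 on 10.0.0.0/24
    print(split_address("10.0.0.1", "255.255.255.0"))
    print(delivery_type("10.0.0.1", "10.0.0.4", "255.255.255.0"))         # direct
    print(delivery_type("10.0.0.1", "128.119.40.186", "255.255.255.0"))   # indirect
    print(address_range("10.0.0.1", "255.255.255.0"))
```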

4. Allocate address

The address range runs from the network address to the broadcast address.

Reading instruction:

Ch 5,12.2,26


Lecture 4 IP

1. IPv4&IPv6 packet

Packet contains source and destination addresses.

IPv6 has no header length field (because the base header length, excluding extension headers, is fixed).

2. IPv4&IPv6 Fragmentation

The MTU is a link-layer limit, but fragmentation happens at the network layer.

Note that the UDP header is only 8 bytes long.

Flags:

– RF (Reserved Fragment) – for future use (set to 0)

– DF (Don't Fragment).

• Set to 1 if datagram should not be fragmented.

• If set and fragmentation needed, datagram will be discarded and an error message will be returned to the sender

– MF (More Fragments)

• Set to 1 for all fragments, except the last.

In IPv6 only the source can fragment; the routers along the path cannot.
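An added example, not from the lecture, that applies the DF/MF/offset rules above: it fragments an IPv4 payload for a given link MTU (offsets counted in 8-byte units, MF set on all fragments but the last, DF causing a discard) and reassembles the pieces at the destination. The payload, MTU and identification value are constructed.

```python
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20   # base header without options


@dataclass
class Fragment:
    identification: int   # same for every fragment of one datagram
    offset_units: int     # fragment offset as carried in the header: 8-byte units
    mf: bool              # More Fragments flag
    df: bool              # Don't Fragment flag
    payload: bytes


def fragment(payload: bytes, mtu: int, identification: int, df: bool = False) -> List[Fragment]:
    """Split a datagram payload so that header + data of every fragment fits the MTU."""
    max_data = mtu - IPV4_HEADER
    if max_data <= 0:
        raise ValueError("MTU too small for an IPv4 header")
    if IPV4_HEADER + len(payload) <= mtu:
        return [Fragment(identification, 0, False, df, payload)]
    if df:
        # A router would discard the datagram here and return an ICMP error to the sender.
        raise ValueError("DF set but fragmentation needed")
    # Every fragment except the last must carry a multiple of 8 bytes,
    # because the offset field counts 8-byte units.
    chunk = max_data - (max_data % 8)
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        last = start + chunk >= len(payload)
        frags.append(Fragment(identification, start // 8, not last, df, data))
    return frags


def reassemble(frags: List[Fragment]) -> bytes:
    """Destination side: place pieces by offset, MF = 0 marks the final piece."""
    if len({f.identification for f in frags}) != 1:
        raise ValueError("fragments of different datagrams mixed")
    ordered = sorted(frags, key=lambda f: f.offset_units)
    buf = bytearray()
    for f in ordered:
        if f.offset_units * 8 != len(buf):
            raise ValueError("gap or overlap at byte offset %d" % (f.offset_units * 8))
        buf += f.payload
    if ordered[-1].mf:
        raise ValueError("last fragment missing (MF still set)")
    return bytes(buf)


if __name__ == "__main__":
    # constructed 1400-byte payload sent over a link with MTU 576
    sample = bytes(range(256)) * 5 + b"x" * 120
    for f in fragment(sample, 576, 0x1234):
        print(f.offset_units, f.mf, len(f.payload))
```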

3. IPv4 header vs IPv6 header

Field | IPv4 | IPv6
header length | 20-60 bytes | 40 bytes
header length field | present | none (header length fixed)
name of the down-counter (lifetime of every datagram; can be set by the sender, default initial value: 64) | TTL (8 bit): decremented by 1 at every router, discarded when it reaches 0. Every router holding a datagram for more than 1 second should decrement the TTL by the number of seconds | Hop Limit (8 bit)
connection model | connectionless | connection-oriented, because of the added flow label (textbook p. 830)

IP network layer function | Purpose | IPv4 | IPv6
Logical addressing | Locating hosts | |
Routing | Path determination | |
Forwarding | Move packets from input to output of the routers | |
Fragmentation | Adaptation to the lower layer | |
Multiplexing/demultiplexing | Many transport layer protocols | |
Error detection + avoidance | | checksum | -
QoS (Quality of Service) | | ToS (Type of Service): 8 bit | Traffic Class: 8 bit; Flow Label: 20 bit

[1] The flow label field allows labeling packets belonging to a particular flow for which the sender requests the same handling. A flow is identified by the source address, destination address, and a nonzero flow label, and packets belonging to a flow should be treated the same way by a router (RFC 6437).

The first 6 bits of the traffic class field hold the DiffServ Code Point (DSCP), which can be used for classifying packets in order to implement priorities. The last 2 bits are used for ECN and serve for signaling congestion in the network (RFC 3260).

Reading instruction:

Ch 6,7,27


Lecture 5 IP, ARP, more IP and ICMP  

1. ARP

Given an IP address, to find the MAC address: ARP (Address Resolution Protocol)

Given a name (a domain name such as kth.se), to find the IP address: DNS

Note that the result is kept in a cache, so when the next datagram is sent there is no need to repeat the ARP request (broadcast) and ARP reply (unicast).

[2] Address resolution mechanisms include:

(Address Resolution Protocol – ARP, for IPv4; covered in this section)

(Neighbor Discovery Protocol – ICMPv6, for IPv6; covered separately under 3. ICMP)

Proxy ARP:

2. IP options (extension header)

Aspect | IPv4 | IPv6
Purpose | Control, testing and debugging of the network functionality | Control, testing and debugging of the network functionality
Length | Max 40 bytes (max header length is 60 bytes in IPv4) | No limitations
Option format | Option Type |

IPv4 options | IPv6 extension headers
End of option | Hop-by-hop options (Pad1 & PadN & jumbo payload): used when the source needs to pass information to every router the datagram traverses, e.g. if the length of the datagram is more than the usual 65535 bytes
No operation | Routing
Loose source route | Fragment
Timestamp | Authentication Header
Record route | Encapsulating Security Payload
Strict source route | Destination options

Comparison: IPv4 implements fragmentation in the fixed header.

[3] The header of the IP datagram is made of two parts: a fixed part and a variable part. The fixed part is 20 bytes long and was discussed in the previous section. The variable part comprises the options, which can be a maximum of 40 bytes.

[4] The length of the base header is fixed at 40 bytes. However, to give more functionality to the IP datagram, the base header can be followed by up to six extension headers.

[5] On source routing: the route a datagram takes through the internet is specified in advance; it comes in two kinds, strict and loose.

– Strict Source Routing (SSRR)

• The path is exactly as specified: only the routers listed by the sender may be visited. If the datagram reaches any other router, that router discards it and sends an error message.

– Loose Source Routing (LSRR)

• The path includes the specified addresses: the routers listed by the sender must be visited, but other routers may be traversed as well.

Source route: when it comes handy

• Troubleshooting

– Figure out from point "A" why machines "B" and "C" cannot communicate

• Mapping the network

– Used with traceroute in order to find all the routes between two points on the network

• Performance

– Force an alternate link to avoid congesting the correct routes w/o changing the forwarding tables (management)

– Create independent paths for MDC or FEC

• Hacking

– Can send packets to a host via a trusted third party

• Normally disabled in routers…

3. ICMP

(belongs to neither TCP nor UDP)

Reading instruction:

Ch 7-9, 27, 28  


Lecture 6&7 Routing

1.In general

•Problem

–Find best path from router to host

•Typically based on shortest path algorithms (from graph theory)

• Bellman-Ford algorithm

– Used by Distance-Vector protocols (RIP, IGRP, BGP)

• Dijkstra's algorithm

–Used by Link-State protocols (OSPF, popular among organizations; IS-IS, popular among operators)

2. Bellman-Ford Algorithm

Distance-vector = (destination, metric, next-hop) [the metric is a measure of cost]

Path-vector = (destination, path, next-hop)

3. Problems in real networks and their solutions

4. Dijkstra's shortest path algorithm

Example:
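An added example for sections 2 and 4 (not from the slides or the textbook): a distance-vector exchange (distributed Bellman-Ford) and Dijkstra's algorithm are run over the same constructed five-router topology, and both should converge on the same metrics and next hops from router A. The link costs are constructed; INFINITY reuses RIP's value 16 from the next section.

```python
import heapq

# Constructed topology: undirected links with costs (not the lecture's figure).
GRAPH = {
    "A": {"B": 1, "C": 4},
    "B": {"A": 1, "C": 2, "D": 5},
    "C": {"A": 4, "B": 2, "D": 1},
    "D": {"B": 5, "C": 1, "E": 3},
    "E": {"D": 3},
}
INFINITY = 16   # RIP's "unreachable" metric, used as the cost of unknown destinations


def distance_vector(graph):
    """Distributed Bellman-Ford: every router keeps (metric, next-hop) per destination and
    relaxes against the vectors its neighbours advertised in the previous round, until
    nothing changes. Returns the converged tables and the number of rounds taken."""
    tables = {n: {n: (0, n)} for n in graph}
    for n, links in graph.items():
        for nb, cost in links.items():
            tables[n][nb] = (cost, nb)              # directly connected destinations
    rounds, changed = 0, True
    while changed:
        changed, rounds = False, rounds + 1
        advertised = {n: dict(t) for n, t in tables.items()}   # vectors sent this round
        for n, links in graph.items():
            for nb, cost in links.items():
                for dst, (metric, _) in advertised[nb].items():
                    candidate = cost + metric
                    if candidate < tables[n].get(dst, (INFINITY, None))[0]:
                        tables[n][dst] = (candidate, nb)   # cheaper path via this neighbour
                        changed = True
    return tables, rounds


def dijkstra(graph, src):
    """Link-state: with the whole map known, compute the shortest-path tree from src.
    Returns {destination: (metric, next-hop from src)}."""
    dist = {src: 0}
    next_hop = {src: src}
    heap = [(0, src, src)]          # (cost, node, first hop taken from src)
    while heap:
        cost, node, first = heapq.heappop(heap)
        if cost > dist.get(node, INFINITY):
            continue                # stale heap entry
        for nb, w in graph[node].items():
            new = cost + w
            if new < dist.get(nb, INFINITY):
                dist[nb] = new
                next_hop[nb] = nb if node == src else first
                heapq.heappush(heap, (new, nb, next_hop[nb]))
    return {d: (dist[d], next_hop[d]) for d in dist}


if __name__ == "__main__":
    tables, rounds = distance_vector(GRAPH)
    print("distance-vector converged after", rounds, "rounds:", tables["A"])
    print("link-state from A:", dijkstra(GRAPH, "A"))
```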

5. Link-state vs. Distance-vector

6. Routing Protocols

1)RIP

•Metric: hop count (1: directly connected, 16: infinity)

•Supports networks with diameter ≤ 15

•Timeout timer (purges routes that are not refreshed)

•Messages carried in UDP datagrams

–Broadcast (RIP-1)

–IP Multicast (RIP-2): 224.0.0.9

–IPv6 Multicast (RIPng): FF02::9

2) Open Shortest Path First protocol (OSPF): better suited than RIP to somewhat larger networks

Unlike RIP and BGP, OSPF does not use TCP or UDP; it is carried directly on top of IP.

• Metric: arbitrary (often related to link speed, inversely proportional)

• Scaling achieved through hierarchy

- Every network segment has 1 designated router (+1 backup) – DR, BDR (one DR per segment)

- AS split into areas – use Dijkstra for an area

• Messages carried directly on top of IP

- IP Multicast: 224.0.0.5

- IPv6 Multicast: FF02::5

• OSPF protocol components

(1) Hello protocol

- Detection of neighboring routers

- Election of designated router (and backup) → adjacency

(2) Exchange protocol

- Exchange link-state between adjacent routers

(3) Reliable flooding

- When links change/age: send update to adjacent routers and flood recursively

(4) Shortest path calculation

- Compute shortest path tree to all destinations using Dijkstra’s algorithm

Important example:

[6] LSA: link state advertisement

3) Inter-domain

The concept of an AS (Autonomous System): a set of routers. Each AS has an AS number.

AS7 is a customer of AS3 and has to pay AS3.

4) Border Gateway Protocol (BGP) v4

•Path-vector routing protocol (unlike the two seen before, link-state and distance-vector)

•Path vector consists of AS:s, not IP addresses

–Hides internal structure in the domains

–Loop detection only on AS-numbers!

–Example: <dst: 10.1.10/24, path: AS1:AS3:AS5, nexthop: 10.2.3.4>

•Used between domains (AS:s)

•Views the Internet as a collection of AS:s

•Supports the destination-based forwarding paradigm

–Other relations are not expressed: sources, tos, link load

•Uses TCP for data transmission between BGP peers

•Tags destinations with path attributes

–Describe different properties of the destination (e.g., preferences)

–Can express and enforce policy decisions at AS level

Reading instruction:

Chapter 11: Unicast routing protocols

11.6 OSPF: Skip detailed packet descriptions

11.8 BGP: Skip detailed packet descriptions  


Lecture 8&9 Transport Layer-UDP, TCP and beyond

1.In general

Purpose: Logical process-to-process communication

Comparison with the IP layer:

Property | IP | UDP | TCP
connection | connectionless (only the destination is specified) | connectionless | connection-oriented (a specific path is set up)
reliability | unreliable | unreliable | reliable
unit of transfer | message-oriented (the whole packet is delivered together, all or nothing) | message-oriented | byte-stream oriented (the unit of transmission is the byte, delivered in order)
duplex | | | full-duplex

2. UDP

△UDP data delivery is based on the receiver port number and the receiver IP address.

△UDP checksum: optional in IPv4, mandatory in IPv6 (IPv6 has no checksum at the IP layer).

△Pseudo-header: for double checking.

△Maximum UDP Segment Size

• Theoretical limit

– IPv4: 65,507 bytes of payload

• 65,535 bytes (IPv4) - 20 bytes IP header - 8 bytes of UDP header

– IPv6: 65,527 bytes of payload

• 65535 bytes payload – 8 bytes UDP header  
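An added example (not from the notes) of the UDP checksum computed over the IPv4 pseudo-header, together with the receiver's rule that a zero checksum is tolerated in IPv4 but must be rejected in IPv6. The addresses, ports and payload are constructed, reusing 10.0.0.1 and 128.119.40.186 from the NAT example; the ipv6 flag only models the acceptance rule, the IPv6 pseudo-header itself is not built here.

```python
import socket
import struct

UDP_PROTOCOL = 17
UDP_HEADER_LEN = 8


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by IP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"          # an odd trailing byte is padded with zero for the sum only
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol, UDP length.
    It is never transmitted; it only binds the checksum to the IP addresses."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, header_and_payload: bytes) -> int:
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(header_and_payload))
                                + header_and_payload)
    csum = 0xFFFF - total        # one's complement of the sum
    return csum or 0xFFFF        # a computed 0 is sent as all ones: 0 means "no checksum" in IPv4


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = UDP_HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zero while computing
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes, ipv6: bool = False) -> bool:
    """Receiver side: the sum over pseudo-header plus the whole segment must be 0xFFFF.
    A zero checksum means 'not computed': accepted for IPv4, rejected for IPv6."""
    _, _, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if csum == 0:
        return not ipv6
    if length != len(segment):
        return False
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF


if __name__ == "__main__":
    seg = build_udp("10.0.0.1", "128.119.40.186", 3345, 53, b"hello")
    print(seg.hex(), verify_udp("10.0.0.1", "128.119.40.186", seg))
```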

3. TCP

△TCP service model

1) Connection-oriented – a virtual circuit

2) Between exactly two end-points – broadcast and multicast cannot use TCP (use UDP instead)

3) Full duplex

4) Reliable and in-order – Delivery is not guaranteed but reception is known

5) Byte stream service

– A stream of 8-bit bytes is transmitted over the TCP connection

– No record markers inserted by TCP  

[7] A virtual circuit (VC), also called a virtual connection or virtual channel, is one of the ways of transferring data over a packet-switched computer network. It is a connection-oriented (circuit-switched-style) method of data transfer in which a connection is established between two end systems for exchanging data.

△TCP service function

1) Multiplexing/Demultiplexing  

• TCP connection identification (UDP does not need the sender's IP address and port number)

– Sender IP address and port number

– Receiver IP address and port number  

2) Segmentation - Byte stream to segment translation 

Try to send segments as large as possible (MSS):

• The largest chunk of data TCP will send to the other side

– Can be announced in the options field of the TCP header during connection establishment

• If not announced, a default value is assumed

– 576 bytes host MTU requirement in IPv4 : 536 bytes

– 1280 bytes MTU requirement in IPV6: 1220 bytes

• Large MSS means

– Less overhead (headers)

– Fewer segments to take care of (will see later)

  • Until fragmentation occurs (Path MTU discovery)

– Potentially more delay  

3) Error control -  Reliable transmission over unreliable channel  

– Noise → Bit error → Packet corruption → Packet drop

– Congestion → Packet drop  

[8]  Whenever an entity accepts items from more than one source, it is referred to as multiplexing (many to one); whenever an entity delivers items to more than one source, it is referred to as demultiplexing (one to many).

[9] The IP layer, as a service provider for TCP, needs to send data in packets, not as a stream of bytes. At the transport layer, TCP groups a number of bytes together into a packet called a segment. TCP adds a header to each segment (for control purposes) and delivers the segment to the IP layer for transmission. The segments are encapsulated in an IP datagram and transmitted.

Note that segments are not necessarily all the same size.

[10] The typical TCP header is 20 bytes, and the typical IPv4 header is also 20 bytes, so in this case overhead is TCP + IP =40 bytes

Three flavors:

① Stop-and-wait

Both the sender and the receiver use a sliding window of size 1. There are only two sequence numbers.

"Sequence number" here means the sequence no.; "acknowledgment number" means the ACK no.

[11] A flow-control method in which each data unit must be acknowledged before the next one can be sent.

The drawback of this method is very low utilization (especially when the bandwidth-delay product is large).

② Go-Back-N

Several segments can be sent before an ACK is received, but the receiver can buffer only one segment. The sender keeps a copy of every transmitted segment until its ACK arrives.

That is, sequence numbers can only take values in a fixed range starting at 0.

Sliding send window (the maximum window size is given in the summary table below).

[12] The send window is an abstract concept defining an imaginary box of maximum size with three variables: the first outstanding (unacknowledged) sequence number, the next sequence number to send, and the window size.

In the figure above, m = 3 (the width of the sequence-number counter).

③Selective Repeat-N  

④ Summary of the three flavors

Flavor | Send window (max) | Receive window (max) | Sequence numbers | Timer
Stop-and-wait | 1 | 1 | 0 to 1 |
Go-Back-N | 2^m - 1 | 1 | 0 to 2^m - 1 | one timer shared by all outstanding segments
Selective Repeat-N | 2^(m-1) | 2^(m-1) | 0 to 2^m - 1 | one timer per outstanding segment
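An added example (not from the notes) showing why the window bounds in the table matter. With m-bit sequence numbers, one full window of frames is sent, every ACK is lost (a constructed scenario), the sender times out and resends the same window, and the receiver counts how many resent frames it mistakes for new data: with a Go-Back-N send window of 2^m, or a Selective Repeat window above 2^(m-1), old frames are accepted as new.

```python
def duplicates_after_lost_acks(m: int, window: int, selective_repeat: bool = False) -> int:
    """Send one window of frames numbered modulo 2^m, lose all ACKs, resend the window,
    and return how many resent frames the receiver wrongly accepts as new data.
    Go-Back-N: receive window 1. Selective Repeat: receive window = send window."""
    modulus = 2 ** m
    rwin = window if selective_repeat else 1
    base = 0                 # receiver window base: the next sequence number it still needs
    buffered = set()         # sequence numbers accepted but not yet passed up in order
    seen = set()             # data units already delivered once, by frame index
    duplicates = 0
    for _attempt in ("original transmission", "retransmission after timeout"):
        for frame in range(window):
            seq = frame % modulus
            if (seq - base) % modulus >= rwin:
                continue                      # outside the receive window: discarded
            if frame in seen:
                duplicates += 1               # old data accepted again: numbering was ambiguous
            seen.add(frame)
            buffered.add(seq)
            while base in buffered:           # deliver in order and slide the window
                buffered.remove(base)
                base = (base + 1) % modulus
    return duplicates


if __name__ == "__main__":
    m = 2                                     # four sequence numbers: 0..3
    for proto, sr in (("Go-Back-N", False), ("Selective Repeat", True)):
        for w in (1, 2, 3, 4):
            print(proto, "window", w, "->", duplicates_after_lost_acks(m, w, sr), "duplicates")
```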

△Retransmission Time-Out (RTO)– Time to wait for the ACK of a segment

(not a fixed number)

△Karn’s Algorithm  

4) Flow control -- Adapt to the receiver’s capabilities  

• Ensure that receiver does not get overwhelmed with data sent by the sender

• TCP uses a sliding window protocol

△Delayed acknowledges  

Advantages:

1. ACK traffic is reduced  

2. Increased chance that data can be piggy-backed on the ACK (when one side sends data, the same packet also carries the ACK for the other side)

△Persistence Timer  

△Solutions to the Silly Window Syndrome

Slow sender:

Slow receiver:

△Bandwidth-Delay Product

• The ”capacity” of the ”pipe”

capacity(bits) = bandwidth(bits/sec) x RTT(sec)

• The receiver advertised window should be higher  

△TCP Bulk Data Flow  

5) Connection Management--Establishment/tear down  

△TCP connection establishment

 

△Keepalive Timer--Avoid TCP connections to exist forever  

△TCP connection teardown

△Time-Wait Timer--Connection termination  

[14] FIN is a TCP flag which means that the sender has finished sending data

Summary: TCP's various timers

6) Congestion control-- Adapt to network conditions  

The window size must depend on the network’s state as well!  

△Slow Start & Congestion Avoidance

△TCP Header  

20 bytes fixed + 20 bytes optional

The checksum is mandatory in TCP (it is not in UDP)

Reading instruction:

Ch 13,14,15.1-15.4  


Lecture 10 &11 Application Layer

1.In general

Applications run on end-systems only  

Possible structure of applications:

- Client-server

Server | Client
Always on | May be intermittently connected
At a permanent, well-known location (for instance, an HTTP server is at port 80 by default) | May have dynamic IP addresses
Can service many clients | "Ephemeral" ports (short-lived, dynamically allocated ports)

- Peer-to-peer (P2P)  

• No always-on server

• Peers request service from other peers, provide service in return to other peers  

2.Creating network applications  

Sequential server

Concurrent server

3.Web and HTTP  

HTTP: hypertext transfer protocol--Web application layer protocol

△client/server model (client: browser, server: Web server)  

△uses TCP; the steps are:

•client initiates TCP connection (creates socket) to server, port 80

•server accepts TCP connection from client  

•HTTP messages (application layer protocol messages) exchanged between browser (HTTP client) and Web server (HTTP server)

•TCP connection closed  

△HTTP is stateless

•Request/response

•Server maintains no information about past client requests  

△HTTP Response Status Codes

Status code appears in first line in server-to-client response message. Some sample codes:  

200 OK - request succeeded, requested object later in this response

301 Moved Permanently - requested object moved, new location specified later in this response (Location:)

400 Bad Request - Request not understood by server

404 Not Found - requested document not found on this server

505 HTTP Version Not Supported

△TCP connection strategies  

Non-persistent connection: one TCP connection per HTTP transaction

Persistent connection:

1. Reuse the same TCP connection for multiple HTTP transactions

- Default as of HTTP 1.1

2. How long should the connection be left open?

- Occupies server resources

- Controlled by the "Keep-Alive" header

△HTTP cookies

△Web caches (proxy servers)

4. Remote login--Telnet & SSH

1) Telnet Remote Login

2) SSH – Secure Shell

• Telnet considered insecure

- No encryption – eavesdropping

- No authentication of client/server

• SSH

- Encryption and authentication

- Create a secure (encrypted and authenticated) channel over TCP

- Default port 22

3) Port Forwarding

5. Email

Case1. When the sender and the receiver of an e-mail are on the same mail server, we need only two user agents.

[15]  User Agent--Program to create and read e-mail

- Examples: Outlook, OS X Mail, Thunderbird, Kmail,Envelope, ...

Case2. When the sender and the receiver of an e-mail are on different mail servers, we need two UAs and a pair of MTAs (client and server).

Case3. When the sender is connected to the mail server via a LAN or a WAN, we need two UAs and two pairs of MTAs (client and server).

Case4. When both sender and receiver are connected to the mail server via a LAN or a WAN, we need two UAs, two pairs of MTAs (client and server), and a pair of MAAs (client and server). This is the most common situation today.

Push and pull use different protocols:

Push: SMTP; Pull: POP, IMAP

a. SMTP

SMTP requires message(header & body) to be in 7-bit ASCII

b. Mail Access Protocols

Lecture 12 DNS

- One name can map to several addresses

- One address can have several names  

[16] TLD: a top-level domain (TLD) is the highest level of domain in the Internet's DNS hierarchy; it is held in the name space of the DNS root domain. The top-level domain is the last part of a domain name, i.e. the letters after the final dot; for example, in the domain name example.com the top-level domain is .com (or .COM, as case is not significant).

[17] Having multiple name servers is for redundancy. When an organization has multiple name servers, there is one primary server and several secondary servers. The zone file is updated on the primary server, and then the updates are transferred automatically to the secondaries through “zone transfers”.  

• If client requests recursion, and server agrees, the server resolves the name for the client

--Through iterative resolution

• Otherwise server sends back whatever information it has about the name

--Typically name of server to contact (but not necessarily)

• Normally, only resolvers agree to recursion  

Querying tool: dig (domain information groper)
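An added simulation (not part of the notes, and not real servers) of the recursion rules above: constructed root, TLD and authoritative servers refuse recursion and answer with the closest referral they know, a resolver follows the referrals iteratively, and only the resolver honours a query with recursion desired. The kth.se records and the documentation-range addresses are constructed.

```python
# Constructed sample name servers; addresses come from documentation ranges.
SERVERS = {
    "root":     {"recursion": False, "delegations": {"se.": "tld-se"}, "records": {}},
    "tld-se":   {"recursion": False, "delegations": {"kth.se.": "auth-kth"}, "records": {}},
    "auth-kth": {"recursion": False, "delegations": {},
                 "records": {("www.kth.se.", "A"): ["192.0.2.10"],
                             ("www.kth.se.", "AAAA"): ["2001:db8::10"],
                             ("kth.se.", "MX"): ["10 mail.kth.se."]}},
    # the resolver is the only party that agrees to recurse; it knows where the root is
    "resolver": {"recursion": True, "delegations": {".": "root"}, "records": {}},
}


def in_zone(name: str, zone: str) -> bool:
    """True when name lies under zone (label boundary respected; '.' is the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_name: str, qname: str, qtype: str, rd: bool = False):
    """One query to one server. rd is the client's recursion-desired flag.
    Returns ('answer', values), ('referral', next_server) or ('negative', None)."""
    server = SERVERS[server_name]
    if rd and server["recursion"]:
        values, _ = iterative_resolve(qname, qtype)     # resolves on the client's behalf
        return ("answer", values) if values else ("negative", None)
    if (qname, qtype) in server["records"]:
        return ("answer", server["records"][(qname, qtype)])
    # otherwise send back whatever the server has: its most specific matching delegation
    for zone in sorted(server["delegations"], key=len, reverse=True):
        if in_zone(qname, zone):
            return ("referral", server["delegations"][zone])
    return ("negative", None)


def iterative_resolve(qname: str, qtype: str):
    """What a resolver does: start at a root server and follow referrals down the tree.
    Returns (values or None, list of servers contacted in order)."""
    server, path = "root", []
    for _ in range(10):                                 # bound on the referral chain
        path.append(server)
        kind, data = query(server, qname, qtype, rd=False)
        if kind == "answer":
            return data, path
        if kind == "negative":
            return None, path
        server = data                                   # follow the referral
    return None, path


if __name__ == "__main__":
    print(iterative_resolve("www.kth.se.", "A"))
    print(query("root", "www.kth.se.", "A", rd=True))      # root does not recurse
    print(query("resolver", "www.kth.se.", "AAAA", rd=True))
```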

Summary

• Domain name space organized in hierarchy

- Generic domains, country domains, inverse domain

• Database distributed over name servers

- Root server, TLD servers, authoritative servers

• Resolver performs (iterative) resolution on behalf of clients

• Name servers are responsible for zones

- Responsibilities are distributed through delegations

• Supports different kinds of queries

- A, AAAA, NS, PTR, MX, …

• BIND DNS software

- Zone file definitions  


Lecture 13 IP Configuration (assigning IP addresses)

Automating IP Configuration (the stateless vs. stateful distinction came up earlier with HTTP and its cookies!)

• BOOTP (Bootstrap Protocol)

- Static, stateful, client-server

• DHCP (Dynamic Host Configuration Protocol)

- Dynamic, stateful, client-server

• SLAAC (Stateless Address Autoconfiguration)

- Dynamic, stateless

- RFC 4862: IPv6 Stateless Address Autoconfiguration

• Zeroconf

- Autoconfiguration completely without servers?  

△RARP—Reverse ARP  

1. BOOTP—Bootstrap Protocol  

2. DHCP—Dynamic Host Configuration  

Client has neither its own IP address, nor the server’s. How do we then address Request/ Reply?  

DHCP essentials:

If the DHCP client and server are on different networks, a relay agent is needed:

DHCP scenario

Transaction ID should be the same value for all four messages.

Discover--Offer--Request--ACK

3. Host Configuration—SLAAC--Stateless Autoconfiguration

SLAAC vs DHCP

•Unfortunately, SLAAC provides only limited information

-Prefixes and router address

•Hosts often need other configuration information

-E.g., DNS server, Time server, Printer server

•For these, we still need DHCP servers

-Good news is that we can use SLAAC for setting up the IP address, and use stateless DHCP for everything else

[18] Server keeps no state about hosts, only non-host state

4. IPv6 Autoconfiguration—Plug and Play

•Idea: automatically discover parameters used to connect to the Internet

-Address, netmask, router, nameserver, ...

•Two scenarios: stateless and stateful

In IPv6 stateless autoconfiguration, the client can create an IP address based on its MAC address instead of requesting it from a DHCP server.

① Advantage: a MAC-derived IPv6 address is a straightforward way to generate a unique IP address automatically, and the L3/L2 address translation can be done locally by the sender (no ARP needed).

② Problem: the MAC address reveals information about the interface card (its L2 and L3 addresses, name), such as the identity and vendor of the card, so that e.g. potential bugs could be exploited.

③ Solution: IPv6 privacy extensions solve this problem by using a randomly assigned interface ID instead, and this number can change over time (temporary address). ARP is then needed again.

[19] One of the interesting features of IPv6 addressing is the autoconfiguration of hosts. As we discussed in IPv4, the host and routers are originally configured manually by the network manager. However, the Dynamic Host Configuration Protocol, DHCP, can be used to allocate an IPv4 address to a host that joins the network. In IPv6, DHCP protocol can still be used to allocate an IPv6 address to a host, but a host can also configure itself.

5. Stateful and Stateless Autoconfiguration

Stateless autoconf | Stateful autoconf
- Small networks | - Larger networks
- Nodes can start communicating directly | - Centralized management

Combination (stateless DHCP) [DHCP itself is stateful]


Lecture 14 IP Security

1. Overview

•Authenticated Keying

–Internet Key Exchange (IKE)

•Data Encapsulation

–ESP: IP Encapsulating Security Payload (RFC 4303)

–AH: IP Authentication Header (RFC 4302)

•Security Architecture (RFC 4301)

–Tunnel/transport Mode

–Databases (Security Association, Policy, Peer Authorization)

•AH and ESP rely on an existing security association

–Idea: parties must share a set of secret keys and agree on each other’s IP addresses and crypto algorithms

•Internet Key Exchange (IKE)

–Goal: establish security association for AH and ESP

–If IKE is broken, AH and ESP provide no protection!

△IPsec Modes

•Transport mode

–Used to deliver services from host to host or from host to gateway

–Usually within the same network, but can also be end-to-end across networks

•Tunnel mode

–Used to deliver services from gateway to gateway or from host to gateway

–Usually gateways owned by the same organization

 (With an insecure network in the middle)

IPsec protects communication on the insecure part of the network.

[20] Tunnel mode's typical application: the virtual private network (VPN, usually implemented with ESP)

Comparison of the two modes:

Transport | secures the packet payload and leaves the IP header unchanged (payload only)
Tunnel | encapsulates both the IP header and the payload into IPsec packets (IP header + payload)

△Security Association (SA)

•One-way sender-recipient relationship

–Manually configured or negotiated through IKE

•SA determines how packets are processed

–Cryptographic algorithms, keys, AH/ESP, lifetimes, sequence numbers, mode (transport or tunnel)

•SA is uniquely identified by {SPI, dst IP addr, flag}

–SPI: Security Parameter Index

•Chosen by destination (unless traffic is multicast...)

–Flag: ESP or AH

–Each IPsec implementation keeps a database of SAs

–SPI is sent with packet, tells recipient which SA to use

2. Encapsulation Formats

1) AH

–Authentication Header

–Provides integrity

Only in transport mode:

2) ESP

–Encapsulating Security Payload

–Provides integrity and/or privacy

Can work in transport mode… (the original IP header is not encapsulated)

…or tunnel mode (problem with NAT)

!!!Tunnel mode can be problematic together with NAT

•If we set up a tunnel between our host and a public gateway, it won’t work:

–Our private addresses will be in the original IP header

•It is OK to set up a tunnel between our host and a private intranet:

–Private intranet addresses will be in the original IP header

–New IP header will contain our home private address, which will be translated by the NAT

3. IPsec and IPv6

IPsec is a mandatory component for IPv6.

Extension headers are used for IPsec.

IPsec Tunnel Mode in IPv6:

4. IKE

•Internet Key Exchange—setting up the SAs for IPsec (ESP and AH SA's)

•Use IKE protocol to do mutual authentication and to create a session key

–Use Diffie-Hellman to derive shared symmetric key

△Diffie-Hellman

•For IKE to use Diffie-Hellman we need to add

–Cookies for protection against denial-of-service attacks

The cookies should be stateless, so that "Bob" does not have to keep track of all the cookies he has sent.

–Nonces to ensure against replay attacks

△IKE Phases

•Phase 1

–do mutual authentication and establish IKE session keys

–Sets up the “main” SA (or IKE SA)

•Phase 2

–Set up one or more IPsec SAs (child SAs) between the nodes using the keys derived in phase 1

•Why two phases?

–Mutual authentication is expensive

–If multiple SAs are needed or if SA parameters need to be changed, this can be done without repeating mutual authentication

After adding cookies and nonces:


Lecture 15 IP Gateways

This chapter first introduces what a gateway is:

A machine that sits between two interconnected networks and relays traffic between them.

Traffic cannot flow between the two networks without the assistance of the gateway.

Conclusion: a router is a network layer gateway

–But we can have other types of gateways, both at the network layer and elsewhere

What special functions can a gateway have?

1. Connecting networks with incompatible address systems, e.g.:

•IPv4 and IPv6: IPv4/IPv6 gateways (not a focus of the course)

•Two IPv4 networks with independent address domains: NAT

2. Restricting what traffic flows between two networks: firewall

•Protective purposes

3. Redirecting traffic, possibly tunneling it

•Mobility, VPNs, IPsec tunnels etc.

1. Firewall

Isolates organization’s internal network from larger Internet, allowing some packets to pass and blocking others.

△Firewall Locations in the Network

•Between internal LAN and external network

•At the gateways of sensitive subnetworks within the organizational LAN

-Payroll’s network must be protected separately within the corporate network

•On end-user machines

-“Personal firewall”

-Microsoft’s Internet Connection Firewall (ICF)

△Firewall types

Two default policies:

•Default = discard

-that which is not explicitly permitted is prohibited

•Default = forward

-that which is not explicitly prohibited is permitted

•Default = discard is more conservative
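An added example (not from the notes) of how the two default policies change what a packet filter lets through: the same constructed rule set is applied to three constructed inbound packets under default = discard and under default = forward. The rules and packets are assumptions, reusing the 10.0.0.0/24 network and the web-server address from the NAT example below; the SSH packet matches no rule, which is exactly the case the default policy decides.

```python
import ipaddress

# Constructed rule set for a packet filter in front of the private network 10.0.0.0/24.
RULES = [
    ("permit", "tcp", "10.0.0.0/24", 80),   # public web server
    ("permit", "udp", "10.0.0.0/24", 53),   # DNS
    ("deny",   "tcp", "10.0.0.0/24", 23),   # telnet: explicitly prohibited
]


def filter_packet(pkt: dict, rules, default: str) -> str:
    """First matching rule decides; a packet matching no rule gets the default policy.
    default is 'discard' (what is not permitted is prohibited) or
    'forward' (what is not prohibited is permitted)."""
    dst = ipaddress.ip_address(pkt["dst"])
    for action, proto, dst_net, dport in rules:
        if (pkt["proto"] == proto and pkt["dport"] == dport
                and dst in ipaddress.ip_network(dst_net)):
            return "forward" if action == "permit" else "discard"
    return default


# Constructed inbound packets: HTTP, telnet, and SSH (SSH is covered by no rule).
PACKETS = [
    {"src": "128.119.40.186", "dst": "10.0.0.1", "proto": "tcp", "dport": 80},
    {"src": "128.119.40.186", "dst": "10.0.0.1", "proto": "tcp", "dport": 23},
    {"src": "128.119.40.186", "dst": "10.0.0.1", "proto": "tcp", "dport": 22},
]


def decisions(default: str):
    """Verdict for each packet in PACKETS under the given default policy."""
    return [filter_packet(p, RULES, default) for p in PACKETS]


if __name__ == "__main__":
    print("default = discard:", decisions("discard"))   # SSH dropped: nobody permitted it
    print("default = forward:", decisions("forward"))   # SSH passes: nobody prohibited it
```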

 

Comparison:

•Packet filter can do its job without requiring software changes in communicating nodes

-Allowed conversations proceed normally (in most cases)

•An application level gateway is visible to the users

-Need to connect to the gateway

•Application level gateway can be more powerful than packet filters—e.g., look at data inside email messages

-Gateway is application-aware

2. NAT-Network Address Translation

The local hosts on the right are represented by different port numbers of 138.76.29.7.

10.0.0.1 through 10.0.0.4 can be reused in other local networks, whereas 138.76.29.7 is unique.

Example: Assume that host 10.0.0.1 on a private network (10.0.0.0/24) sends an HTTP request through its NAT box to a web server at address 128.119.40.186, and that this web server answers with an HTTP response back to the host.

1) Port 80 is the web server's default HTTP port and is fixed; port 3345 on 10.0.0.1 is not fixed.

2) In the end 138.76.29.7, port 5001 is assigned to 10.0.0.2. (5001 is not fixed; it is simply how the port was allocated here; the two hosts below could be given 5002 and 5003.)

3) In both directions it is always the address beginning with 138 and the address beginning with 10 that are swapped; the web server's address stays as source/destination throughout.
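An added example (not from the notes) that walks the scenario above through a port-based NAT table: 10.0.0.1:3345 to the web server 128.119.40.186:80 is rewritten to 138.76.29.7:5001, the response is mapped back, a second private host using the same private port gets the next public port, and an unsolicited inbound packet with no table entry is dropped. The packet dictionaries and the starting port 5001 are constructed.

```python
class Nat:
    """Port-based NAT (NAPT): one public address, private hosts told apart by public port."""

    def __init__(self, public_ip: str, first_port: int = 5001):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}     # (private ip, private port) -> public port
        self.in_map = {}      # public port -> (private ip, private port)

    def outbound(self, pkt: dict) -> dict:
        """Private -> Internet: rewrite the source; create a mapping on first use."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return {"src": self.public_ip, "sport": self.out_map[key],
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def inbound(self, pkt: dict):
        """Internet -> private: rewrite the destination from the table; no entry -> drop (None)."""
        if pkt["dst"] != self.public_ip:
            return None
        key = self.in_map.get(pkt["dport"])
        if key is None:
            return None       # unsolicited packet: no inside host asked for it
        return {"src": pkt["src"], "sport": pkt["sport"], "dst": key[0], "dport": key[1]}


if __name__ == "__main__":
    nat = Nat("138.76.29.7")
    request = {"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80}
    out = nat.outbound(request)
    print("to Internet:", out)
    reply = {"src": "128.119.40.186", "sport": 80, "dst": "138.76.29.7", "dport": out["sport"]}
    print("to host:", nat.inbound(reply))
```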


Overall diagram
