578 17. 18

Each provider has its own protocols --> its own autonomous system (AS) --> independent of the others


Internet Gateway protocols --> protocols that run within an AS --> replaced by the Border Gateway Protocol (BGP)


--> two scalability issues --> routing scalability, address utilization

Stub AS --> connects to only one other AS
Multihomed AS --> connects to more than one but refuses to transit traffic
Transit AS --> connects to more than one and transits traffic

Distance Vector routing
--> shortest path --> does not consider traffic
--> Not all nodes may assign the same metrics to links
Protocol --> flooding
high processing overhead --> because it propagates one hop (layer) at a time

Path Vector Routing --> somewhat like source routing --> advertise the path rather than the cost
advantages --> an AS can locate its own identifier in the path to a destination --> if there is a loop, drop it, because the AS knows where the path leads
BGP --> complete path, prefix --> prefix-based path vector protocol : port 179
incremental updates

BGP - policy-based routing/ local preference
--> import policy --> filter unwanted routes --> influence local preference


--> export policy --> filter the paths that you don't want others to know


BGP policy configuration --> vendor specific

Hot Potato --> if too many packets --> deflect some packets to other paths --> just as if the AS were holding a hot potato and wanted to throw it away

Transport Layer -> TCP, UDP
why use it? the network layer has some limitations
--> the network layer hides the differences between the links in between, so it looks like direct communication --> the transport layer --> provides end-to-end service to the application

UDP - user datagram protocol

  1. process to process --> port
  2. Best-effort
  3. transports unnecessary messages (no filtering, no reliability)
  4. <IP, port>


  5. de-multiplexing
  6. Advantages --> send as soon as data is received / stateless / no delay, no handshake / small overhead
  7. Downside --> no congestion control / can suppress TCP flows
  1. How to discover the port --> well-known port, ex. DNS - 53
    or --> use one port as a port-mapper
  2. DNS --> www.uofarizona.edu ==== 192.128.......
  3. common (well-known) ports 1-1023 / registered ports 1024-49151 / dynamic ports 49152-65535
  4. same website --> open another port for users --> process-based rather than user-based

Input/ Output/ Control Block Module
--> push to the control block table --> if the process exists --> queue number / if not --> create a new one
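Added example (not from the notes): a tiny UDP-style demultiplexer that looks up the control block by the <IP, port> pair, creates one when none exists, and otherwise appends to that process's queue. The control-block table, the packet tuples and the port numbers are constructed for illustration.

```python
from collections import defaultdict, deque


class ControlBlockTable:
    """Demultiplex datagrams to per-socket queues keyed by <local IP, local port>."""

    def __init__(self):
        # control block: (ip, port) -> queue of payloads waiting for the process
        self.blocks = {}
        # how many datagrams were dropped because no process is bound (ICMP unreachable territory)
        self.unreachable = defaultdict(int)

    def bind(self, ip, port):
        """A process opens a socket: create its control block (queue) if missing."""
        key = (ip, port)
        if key not in self.blocks:
            self.blocks[key] = deque()
        return key

    def deliver(self, dst_ip, dst_port, payload):
        """Push one datagram into the control block for <IP, port>; return queue length or None."""
        key = (dst_ip, dst_port)
        block = self.blocks.get(key)
        if block is None:
            # no bound process: best-effort UDP simply drops it
            self.unreachable[key] += 1
            return None
        block.append(payload)
        return len(block)

    def read(self, ip, port):
        """The process reads the oldest datagram from its queue."""
        return self.blocks[(ip, port)].popleft()


def demo():
    table = ControlBlockTable()
    table.bind("192.0.2.10", 53)          # constructed: a DNS-like service on a well-known port
    table.bind("192.0.2.10", 50000)       # constructed: a client socket on a dynamic port
    # constructed datagrams: (dst_ip, dst_port, payload)
    datagrams = [
        ("192.0.2.10", 53, b"query-1"),
        ("192.0.2.10", 53, b"query-2"),
        ("192.0.2.10", 50000, b"reply-1"),
        ("192.0.2.10", 9999, b"nobody-listens"),
    ]
    depths = [table.deliver(*d) for d in datagrams]
    first_dns = table.read("192.0.2.10", 53)
    return depths, first_dns, dict(table.unreachable)


if __name__ == "__main__":
    print(demo())
```

The port is the only thing that separates flows here; there is no connection state, which is exactly why UDP needs no handshake and why a flood of datagrams to an unbound port is simply dropped and counted.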

TCP

  1. connection oriented
  2. stream of bytes
  3. reliable, in-order/ checksum, ACK, SeqNum
  4. flow/ congestion control

What is different from the link-level version?

  1. runs over a multi-hop route, not a single link
  2. parameters are negotiated, e.g. sliding-window size
  3. RTT changes over time
  4. different resources at each end, so flow control differs

Property


  1. format of a sent message --> <portS, addS, portD, addD, flag>
  2. flag types --> SYN, FIN, URG, PUSH, RESET, ACK
  3. SeqNum reset (ISN) --> consecutive numbers --> change the ISN over time
  4. when ACKing, the SeqNum is incremented by one
  5. FIN needs a handshake --> two FIN and FIN-ACK exchanges --> both directions must be closed
  6. Handshake --> no data flow

SW Algorithm


Sender


    --> LastByteAcked, LastByteSent, LastByteWritten
    --> LastByteSent - LastByteAcked <= AdvertisedWindow
    --> EffectiveWindow = AdvertisedWindow - (LastByteSent - LastByteAcked)

Receiver


    --> LastByteRead, NextByteExpected (received in order), LastByteRcvd
    --> MaxRcvBuffer >= LastByteRcvd - LastByteRead
    --> AdvertisedWindow --> MaxRcvBuffer - (NextByteExpected - 1 - LastByteRead) ==? LastByteRcvd - NextByteExpected + 1
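Added example, not from the notes: the sender and receiver bookkeeping above as runnable code, with the buffer sizes and byte counts constructed for a short walkthrough. Sequence numbers are 1-based so that LastByteRead starts at 0 and NextByteExpected at 1.

```python
class SWSender:
    """Sender side of the TCP sliding window, using the notes' LastByte* variables."""

    def __init__(self, advertised_window):
        self.last_byte_acked = 0
        self.last_byte_sent = 0
        self.last_byte_written = 0
        self.advertised_window = advertised_window

    def write(self, n):
        """Application hands n more bytes to TCP."""
        self.last_byte_written += n

    def effective_window(self):
        # EffectiveWindow = AdvertisedWindow - (LastByteSent - LastByteAcked)
        return self.advertised_window - (self.last_byte_sent - self.last_byte_acked)

    def send(self):
        """Send as much unsent data as the effective window allows; return bytes sent."""
        unsent = self.last_byte_written - self.last_byte_sent
        n = max(0, min(unsent, self.effective_window()))
        self.last_byte_sent += n
        # invariant from the notes: LastByteSent - LastByteAcked <= AdvertisedWindow
        assert self.last_byte_sent - self.last_byte_acked <= self.advertised_window
        return n

    def on_ack(self, ack_num, advertised_window):
        """ack_num is the last byte the receiver has acknowledged."""
        self.last_byte_acked = max(self.last_byte_acked, ack_num)
        self.advertised_window = advertised_window


class SWReceiver:
    """Receiver side: buffer limit and the advertised window derived from it."""

    def __init__(self, max_rcv_buffer):
        self.max_rcv_buffer = max_rcv_buffer
        self.last_byte_read = 0
        self.next_byte_expected = 1
        self.last_byte_rcvd = 0

    def receive(self, seq_first, length):
        """Accept a segment only if it fits: LastByteRcvd - LastByteRead <= MaxRcvBuffer."""
        seq_last = seq_first + length - 1
        if seq_last - self.last_byte_read > self.max_rcv_buffer:
            return False  # would overflow the buffer; drop it
        self.last_byte_rcvd = max(self.last_byte_rcvd, seq_last)
        if seq_first == self.next_byte_expected:  # in-order data (out-of-order queue omitted)
            self.next_byte_expected = seq_last + 1
        return True

    def read(self, n):
        """Application reads up to n in-order bytes."""
        readable = self.next_byte_expected - 1 - self.last_byte_read
        n = min(n, readable)
        self.last_byte_read += n
        return n

    def advertised_window(self):
        # AdvertisedWindow = MaxRcvBuffer - ((NextByteExpected - 1) - LastByteRead)
        return self.max_rcv_buffer - ((self.next_byte_expected - 1) - self.last_byte_read)


def walkthrough():
    """Constructed scenario: 1000-byte receive buffer, app writes 1500 bytes, reads 400."""
    rcv = SWReceiver(max_rcv_buffer=1000)
    snd = SWSender(advertised_window=rcv.advertised_window())
    snd.write(1500)
    sent = snd.send()                      # limited to the 1000-byte window
    rcv.receive(1, sent)                   # bytes 1..1000 arrive in order
    rcv.read(400)                          # application drains 400 bytes
    adv = rcv.advertised_window()          # 1000 - (1000 - 400) = 400 free
    snd.on_ack(rcv.next_byte_expected - 1, adv)
    sent2 = snd.send()                     # effective window = 400 - 0 = 400
    return sent, adv, sent2, snd.effective_window()
```

The advertised window is the free buffer space; it is not the same as LastByteRcvd − NextByteExpected + 1, which counts bytes that arrived out of order ahead of the expected byte. In the walkthrough it returns (1000, 400, 400, 0): after the second send the sender has filled the window again and must wait for the application at the far end to read.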

SeqNum


AdvertisedWindow 16 bits --> 2^16
SeqNum --> 2^32 --> when the bandwidth is too high, the wrap-around time drops below the TTL (packet lifetime)
Add a timestamp --> if the SeqNum repeats but the timestamp is earlier, drop it.

Trigger Transmission

  1. MSS = MTU - headers = 1460
  2. Push --> empty the buffer --> because the AdvertisedWindow might be smaller than the MSS
  3. Timer expiration

Avoid sending payloads smaller than the header: collect a full segment before sending


Nagle Algorithm
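Added example (not from the notes): the three transmission triggers plus Nagle's rule as one decision function, and a constructed keystroke simulation that shows how Nagle cuts the number of tiny segments. The rule implemented is the textbook one: send a full MSS when you can; otherwise send small data only if nothing is in flight, and buffer until the ACK returns. The MSS value is the one from the notes; the window and RTT values are constructed.

```python
MSS = 1460  # MTU - headers, as in the notes


def decide_send(buffered, effective_window, unacked_in_flight, push=False, timer_expired=False):
    """Return how many bytes TCP should transmit right now (0 = keep buffering)."""
    if buffered == 0 or effective_window == 0:
        return 0
    # Trigger 1: a full segment is available and the window allows it
    if buffered >= MSS and effective_window >= MSS:
        return MSS
    # Trigger 2 / 3: application PUSH or persist timer -> flush what the window allows
    if push or timer_expired:
        return min(buffered, effective_window)
    # Nagle: small data -> send only when nothing is unacknowledged, else wait for the ACK
    if unacked_in_flight == 0:
        return min(buffered, effective_window)
    return 0


def simulate_keystrokes(n_keys, rtt_ticks, nagle=True, window=65535):
    """One byte arrives per tick (interactive typing); ACKs return after rtt_ticks.

    Returns the number of segments put on the wire.
    """
    segments = 0
    buffered = 0
    ack_due = []  # tick at which each in-flight segment's ACK arrives
    for t in range(n_keys):
        buffered += 1
        ack_due = [a for a in ack_due if a > t]  # drop ACKs that have arrived
        if nagle:
            n = decide_send(buffered, window, unacked_in_flight=len(ack_due))
        else:
            n = buffered  # no Nagle: every keystroke becomes a segment
        if n:
            segments += 1
            buffered -= n
            ack_due.append(t + rtt_ticks)
    return segments


if __name__ == "__main__":
    print(decide_send(2000, 4000, 0))            # 1460: full MSS ready
    print(decide_send(100, 4000, 500))            # 0: small data, data in flight -> wait
    print(simulate_keystrokes(10, 4, nagle=True))  # 3 segments
    print(simulate_keystrokes(10, 4, nagle=False)) # 10 segments
```

With a 4-tick RTT, ten keystrokes produce three segments under Nagle (one byte, then two batches of four) instead of ten one-byte segments, each carrying 40 bytes of TCP/IP headers. Note that `decide_send(3000, 800, 0)` returns 800: when the advertised window is smaller than the MSS and nothing is in flight, TCP sends what fits rather than waiting for a window that may never grow.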

TCP

Retransmission - Time out
Solution A

  • SampleRTT_i = measured RTT of sample i
  • ERTT_i = α·ERTT_{i-1} + (1-α)·SampleRTT_i
  • Timeout = 2·ERTT_i

Karn/Partridge --> drop ambiguous samples (retransmitted segments), double the timeout


Jacobson/Karels --> take the deviation into account
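Added example (not from the notes): the three timer generations side by side in one estimator class. The weights α = 0.875, δ = 0.125, μ = 1 and φ = 4 are the textbook defaults; the RTT samples in the demo are constructed.

```python
class RttEstimator:
    """Original EWMA timer, Karn/Partridge sample filtering, and Jacobson/Karels."""

    def __init__(self, alpha=0.875, delta=0.125, mu=1.0, phi=4.0, initial_timeout=1.0):
        self.alpha, self.delta, self.mu, self.phi = alpha, delta, mu, phi
        self.est = None       # EstimatedRTT (ERTT)
        self.dev = 0.0        # mean deviation, used only by Jacobson/Karels
        self.timeout = initial_timeout

    def original(self, sample):
        """Solution A: ERTT = alpha*ERTT + (1-alpha)*SampleRTT; Timeout = 2*ERTT."""
        if self.est is None:
            self.est = sample
        else:
            self.est = self.alpha * self.est + (1 - self.alpha) * sample
        self.timeout = 2 * self.est
        return self.timeout

    def karn_partridge(self, sample, retransmitted):
        """Ignore samples from retransmitted segments (ambiguous ACK); double the timeout instead."""
        if retransmitted:
            self.timeout *= 2
            return self.timeout
        return self.original(sample)

    def jacobson_karels(self, sample):
        """Track the deviation too: Timeout = mu*ERTT + phi*Dev."""
        if self.est is None:
            self.est, self.dev = sample, sample / 2
        else:
            diff = sample - self.est
            self.est += self.delta * diff
            self.dev += self.delta * (abs(diff) - self.dev)
        self.timeout = self.mu * self.est + self.phi * self.dev
        return self.timeout


def demo():
    """Constructed samples (ms): steady 100 ms, then one 300 ms spike."""
    a = RttEstimator()
    a_timeouts = [a.original(100), a.original(200)]          # [200.0, 225.0]
    k = RttEstimator()
    k.original(100)
    k_timeout = k.karn_partridge(500, retransmitted=True)     # sample dropped, 200 -> 400
    j = RttEstimator()
    j_timeouts = [j.jacobson_karels(100), j.jacobson_karels(100), j.jacobson_karels(300)]
    return a_timeouts, k_timeout, j_timeouts


if __name__ == "__main__":
    print(demo())
```

The Jacobson/Karels trace is the instructive one: with a perfectly steady RTT the deviation term shrinks and the timeout converges toward the RTT itself, while the 300 ms spike inflates it to 378 ms, well above what the original 2·ERTT rule (about 250 ms) would give for the same sample.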

TCP extension
--> timestamps
--> timestamps + SeqNum
--> extend window size
--> selective ACK --> only used when something goes wrong (loss)

Congestion Control and Resources Control
Resource --> available resource --> when to start, to whom
Congestion control --> respond to overload condition

Network Model --> Best Effort Services


Resources Allocation

  • router-centric and host-centric --> the difference is whether the router or the end host does the analysis; the two are not mutually exclusive
  • reservation-based and feedback-based --> resources requested in advance or not
  • window-based or rate-based
  • fairness index --> the closer to 1, the fairer
  • Max-min fairness --> start from the most congested link; once it is saturated, look at the other links
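Added example (not from the notes): Jain's fairness index and a max-min fair allocation computed by water-filling over several links, which is the "start at the most congested link, then move on" procedure of the last bullet. It goes a step beyond the single-link case: flows may cross several links, and the link that saturates first freezes the flows on it. Link capacities and flow paths are constructed.

```python
from fractions import Fraction


def jain_index(rates):
    """Jain's fairness index: (sum x_i)^2 / (n * sum x_i^2). 1/n (one flow hogs) .. 1 (equal)."""
    n = len(rates)
    total = sum(Fraction(r) for r in rates)
    squares = sum(Fraction(r) * Fraction(r) for r in rates)
    return total * total / (n * squares)


def max_min_fair(links, flows):
    """Water-filling max-min allocation.

    links: {link_name: capacity}; flows: {flow_name: [links the flow crosses]}.
    All unfrozen flows rise together; at each step the link that saturates first
    (the most congested one) freezes the flows crossing it.
    """
    cap = {l: Fraction(c) for l, c in links.items()}
    rate = {f: Fraction(0) for f in flows}
    frozen = set()
    while len(frozen) < len(flows):
        bottleneck = None
        for link, c in cap.items():
            active = [f for f in flows if link in flows[f] and f not in frozen]
            if not active:
                continue
            used = sum(rate[f] for f in flows if link in flows[f] and f in frozen)
            level = (c - used) / len(active)  # rate at which this link fills up
            if bottleneck is None or level < bottleneck[0]:
                bottleneck = (level, active)
        if bottleneck is None:  # remaining flows cross no link; nothing limits them
            break
        level, active = bottleneck
        for f in flows:
            if f not in frozen:
                rate[f] = level
        frozen.update(active)
    return rate


def demo():
    """Constructed topology: L1 = 10 units, L2 = 6 units; B crosses both links."""
    links = {"L1": 10, "L2": 6}
    flows = {"A": ["L1"], "B": ["L1", "L2"], "C": ["L2"]}
    rates = max_min_fair(links, flows)
    return rates, jain_index(list(rates.values()))


if __name__ == "__main__":
    print(demo())
```

L2 is the most congested link (6 units shared by B and C), so B and C freeze at 3 each; A then takes the remaining 7 units of L1. The index for (7, 3, 3) is 169/201, about 0.84; it is the bottleneck structure, not unfairness, that keeps it below 1, which is why the index is read per bottleneck rather than globally.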

First Input First Output

  • problem --> a sender with a higher rate can take most of the bandwidth
  • Fair Queuing --> round-robin --> when one queue is full, just drop some of its packets --> new problem --> what if another flow's packets are bigger? --> bit-by-bit round-robin --> rule: the packet that would finish first is sent first / older packets first

Congestion control

  • AIMD algorithm --> if lost, CW = CW/2; else if ACKed, CW = CW + MSS^2/CW
  • Slow Start --> exponential growth --> on a drop, back to 1 --> grow exponentially up to half the old window --> then grow linearly
  • performance of the platform --> fast retransmit --> 3 duplicate ACKs --> retransmission
  • fast recovery --> use slow start only at the beginning

Congestion Avoidance --> predict BW
DEC-bit scheme

  • Router --> monitors the queue --> if the average queue length >= 1, set the bit to 1
  • Sources --> if fewer than 50% of the packets carry the DEC-bit --> increase, else --> CW = 0.875·CW
  • Can use with AIMD
    Random Early Detection
    Source-based congestion avoidance

Security

Information Security

  • classical cryptography -> 5-tuple: plaintext set, ciphertext set, key set, encryption functions, decryption functions
  • Definition of secure encryption --> seeing the ciphertext, an adversary cannot recover the key and cannot use the ciphertext to work out the encryption function
  • Shift cipher, substitution cipher, affine (y = ax + b) cipher
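Added example (not from the notes): the affine cipher y = ax + b mod 26 with its inverse, which only exists when gcd(a, 26) = 1; the shift cipher is the special case a = 1. A key-space count is included because it is the simplest way to see why these ciphers fail the definition above: 312 keys is nothing to try exhaustively. The plaintext and key are constructed.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
M = len(ALPHABET)  # 26


def affine_encrypt(plaintext, a, b):
    """y = (a*x + b) mod 26 on letters; other characters pass through unchanged."""
    if gcd(a, M) != 1:
        raise ValueError("a must be coprime with 26, otherwise decryption is ambiguous")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            x = ALPHABET.index(ch)
            out.append(ALPHABET[(a * x + b) % M])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(ciphertext, a, b):
    """x = a^-1 * (y - b) mod 26, using the modular inverse of a."""
    if gcd(a, M) != 1:
        raise ValueError("a must be coprime with 26")
    a_inv = pow(a, -1, M)  # modular inverse (Python 3.8+)
    out = []
    for ch in ciphertext.upper():
        if ch in ALPHABET:
            y = ALPHABET.index(ch)
            out.append(ALPHABET[(a_inv * (y - b)) % M])
        else:
            out.append(ch)
    return "".join(out)


def shift_encrypt(plaintext, k):
    """Shift (Caesar) cipher = affine cipher with a = 1."""
    return affine_encrypt(plaintext, 1, k)


def key_space_size():
    """Number of valid (a, b) pairs: phi(26) choices of a times 26 choices of b."""
    return sum(1 for a in range(1, M) if gcd(a, M) == 1) * M


if __name__ == "__main__":
    c = affine_encrypt("ATTACK AT DAWN", 5, 8)   # constructed key (a=5, b=8)
    print(c, "->", affine_decrypt(c, 5, 8))
    print("affine keys:", key_space_size())       # 312
```

A substitution cipher has 26! keys, so exhaustive search is not the attack there; frequency analysis is, which is the other reason the "cannot recover the key from ciphertext" definition is not met by any of the three.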

Network Security - infrastructure security

  • Network Based Attack --> DoS and DDoS Attacks/ Intrusion Attacks and Exfiltration Attacks/ Routing Attacks

Cryptanalysis

  • Kerckhoffs' principle --> Eve knows everything about the system except the key
  • attacker models -> ciphertext-only attack / chosen-plaintext attack / known-plaintext attack / chosen-ciphertext attack --> ciphertext-only is the weakest position for the attacker

Symmetric Key Model

  • k = P{k1, k2, k3.....}
  • encrypt with the key --> substitution box changes the order
  • hard to attack

Authentication

  • symmetric key --> encrypt with the public key --> the other party authenticates
  • asymmetric key --> public key, authentication --> private key, signature, verify
  • certificate --> signature over ID_A and PK_A, ver(Cert_A, ID_A || PK_A)

Approach

  • Surreptitious forwarding -> wrap the signature, the message and the certificate together with PK_B
  • encrypt-then-sign approach --> encrypt the message, sign E(x)
  • PGP protocol --> sign x --> random key k --> encrypt x with k --> encrypt k with PK_B
  • Hash function --> compresses a large set of data into a smaller range --> collisions can occur (birthday paradox)
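Added example (not from the notes): why the birthday paradox matters for the last bullet. Truncating SHA-256 to n bits gives a toy hash with a 2^n range; a collision between two different messages turns up after roughly sqrt(pi/2 · 2^n) attempts rather than 2^n. The messages are constructed counters; the truncation is the only thing that makes the collision findable, SHA-256 itself is not being broken.

```python
import hashlib
import math


def truncated_digest(msg: bytes, bits: int) -> int:
    """Toy hash: the top `bits` bits of SHA-256(msg)."""
    h = hashlib.sha256(msg).digest()
    return int.from_bytes(h, "big") >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random inputs before a collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, max_tries: int = 1_000_000):
    """Hash constructed messages msg-0, msg-1, ... until two share a truncated digest.

    Returns (message_a, message_b, tries) or None if max_tries is exhausted.
    """
    seen = {}
    for i in range(max_tries):
        m = b"msg-%d" % i
        d = truncated_digest(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
    return None


if __name__ == "__main__":
    for bits in (16, 20, 24):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit: expected ~{expected_trials(bits):.0f}, found after {tries} "
              f"({a!r} vs {b!r})")
```

For a 20-bit range the bound is about 1283 attempts, and the search typically finishes in the low thousands; doubling the output length squares the work for the attacker, which is why signature schemes sign a full-length digest and why hash lengths of 256 bits and more are the norm.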

Key Agreement

  • Diffie-Hellman --> use modular exponentiation to agree on and exchange a secret / man-in-the-middle attack --> solution --> authenticate the exchange
  • SSH protocol / user authentication --> asks whether you want to connect
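Added example (not from the notes): a Diffie-Hellman exchange in which each side MACs the two public values under a pre-shared authentication key, so a substituted public value no longer verifies. The group (a 61-bit Mersenne prime with g = 2) is a toy chosen so the numbers stay readable; real deployments use standardized groups of 2048 bits or more. The private values, the authentication key and the substitution scenario are constructed.

```python
import hashlib
import hmac
import secrets

P = (1 << 61) - 1   # toy prime (2^61 - 1); NOT a real-world group size
G = 2


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, other_pub: int) -> int:
    return pow(other_pub, priv, P)


def session_key(shared: int) -> bytes:
    """Hash the shared integer into a fixed-length symmetric key."""
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def auth_tag(auth_key: bytes, pub_a: int, pub_b: int) -> bytes:
    """Transcript MAC: binds both public values to the pre-shared auth key."""
    return hmac.new(auth_key, b"A|%d|%d" % (pub_a, pub_b), hashlib.sha256).digest()


def run_exchange(a_priv: int, b_priv: int, auth_key: bytes, substitute_priv=None):
    """Run the exchange; optionally an on-path party substitutes its own public value.

    Returns (both sides derived the same key, Bob's verification of Alice's tag).
    """
    pub_a, pub_b = dh_public(a_priv), dh_public(b_priv)
    if substitute_priv is None:
        seen_by_bob, seen_by_alice = pub_a, pub_b
    else:
        # what each side actually receives after substitution in transit
        seen_by_bob = seen_by_alice = dh_public(substitute_priv)
    key_alice = session_key(dh_shared(a_priv, seen_by_alice))
    key_bob = session_key(dh_shared(b_priv, seen_by_bob))
    # Alice MACs what she sent and what she received; Bob recomputes from his view
    tag = auth_tag(auth_key, pub_a, seen_by_alice)
    expected = auth_tag(auth_key, seen_by_bob, pub_b)
    verified = hmac.compare_digest(tag, expected)
    return key_alice == key_bob, verified


def fresh_private() -> int:
    return secrets.randbelow(P - 3) + 2


if __name__ == "__main__":
    k = b"constructed-preshared-auth-key"
    print("honest     :", run_exchange(fresh_private(), fresh_private(), k))
    print("substituted:", run_exchange(fresh_private(), fresh_private(), k, substitute_priv=fresh_private()))
```

Without the tag the two sides would silently end up with different keys, both shared with the party in the middle; with it, Bob's recomputed MAC covers the value he received, so the mismatch is detected before any data is sent. SSH reaches the same goal with host keys and signatures instead of a pre-shared MAC key, and the "do you want to connect?" prompt is the moment that binding is established.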

SYN flood attack --> DoS
Direct DoS --> spoofed IP, keep sending
Prevention --> ingress filter: look at the source IP; if it does not belong to the router's network, drop it / random drop on the firewall / router check, if unknown, drop
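Added example (not from the notes): the ingress-filter rule from the prevention bullet, applied to constructed packets with the standard `ipaddress` module. The customer prefixes use documentation address ranges and the packet records are made up; the drop counter per source is the kind of signal a firewall would surface when a spoofed flood arrives.

```python
import ipaddress
from collections import Counter

# constructed: address blocks this edge router legitimately receives traffic from
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def ingress_allow(src_ip, prefixes=CUSTOMER_PREFIXES):
    """Ingress filter: forward only if the source address belongs to our own networks."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed source: drop
    return any(ip in net for net in prefixes)


def filter_packets(packets, prefixes=CUSTOMER_PREFIXES):
    """packets: iterable of (src_ip, dst_ip, flags). Returns (forwarded, dropped_by_src)."""
    forwarded = []
    dropped = Counter()
    for src, dst, flags in packets:
        if ingress_allow(src, prefixes):
            forwarded.append((src, dst, flags))
        else:
            dropped[src] += 1
    return forwarded, dropped


def demo():
    # constructed packets: legitimate customers plus SYNs with sources outside our blocks
    packets = [
        ("203.0.113.7", "192.0.2.80", "SYN"),
        ("198.51.100.20", "192.0.2.80", "SYN"),
        ("192.0.2.1", "192.0.2.80", "SYN"),       # not ours: spoofed or misrouted
        ("10.9.8.7", "192.0.2.80", "SYN"),        # private source leaving our edge: drop
        ("10.9.8.7", "192.0.2.80", "SYN"),
        ("203.0.113.200", "192.0.2.80", "ACK"),
        ("198.51.100.200", "192.0.2.80", "SYN"),  # outside the /25: drop
    ]
    return filter_packets(packets)


if __name__ == "__main__":
    fwd, drops = demo()
    print(len(fwd), "forwarded;", sum(drops.values()), "dropped:", dict(drops))
```

Ingress filtering at the customer edge stops a host from sending with a source address it does not own, which is what makes spoofed direct floods traceable; it does nothing against a flood from a botnet using real addresses, which is why the notes move on to botnets next.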

BotNets
Robot and network --> zombies attack
---> not necessary to use spoofed IPs
--> the attacker is not seen

  • Recruitment --> downloads / infection through a connection to another open port / weak passwords

Reflector DoS attack
--> give other hosts the target's IP address as the source --> they send their replies back and overwhelm the server