578 17. 18
Each provider has its own protocols --> its own autonomous system (AS) --> independent of the others
Interior gateway protocols --> protocols that run within an AS --> between ASes, the earlier Exterior Gateway Protocol was replaced by the Border Gateway Protocol (BGP)
--> two scalability issues --> routing scalability, address utilization
Stub AS --> connects to only one other AS
Multihomed AS --> connects to more than one AS but refuses to carry transit traffic
Transit AS --> connects to more than one AS and carries transit traffic
Distance Vector routing
--> shortest path --> does not consider traffic load
--> not all nodes may assign the same metrics to links
Protocol --> flooding
high processing overhead --> because it propagates hop by hop
Path Vector Routing --> somewhat like source routing --> advertises the path rather than the cost
advantages --> an AS can find its own identifier in the path to a destination --> if there is a loop, drop the route, since the AS knows where the path would lead
BGP --> complete path, prefix --> prefix-based path vector protocol : TCP port 179
incremental updates
BGP - policy-based routing / local preference
--> import policy --> filter unwanted routes --> influence local preference
--> export policy --> filter the paths that you don't want others to know about
BGP policy configuration --> vendor specific
Hot Potato --> if there are too many packets --> deflect some packets onto other paths --> the AS acts as if it were holding a hot potato it wants to throw away
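The path-vector loop check and the import/export policy idea above, as an added example that is not part of the original notes. The ASN 64500, the neighbour ASNs, the prefix, the maximum path length and the "prefer one neighbour" rule are all constructed for illustration, not taken from any real router configuration.

```python
# Added example (not from the notes): path-vector loop detection plus a
# simple BGP-style import/export policy. All ASNs, prefixes and the
# decision rules are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

MY_AS = 64500          # constructed private ASN for "our" router
MAX_PATH_LEN = 8       # constructed import filter: reject very long paths


@dataclass
class Route:
    prefix: str
    as_path: List[int]     # AS numbers, nearest neighbour first
    local_pref: int = 100  # default preference; import policy may raise it


def loop_free(route: Route, my_as: int = MY_AS) -> bool:
    """Path-vector loop check: if our own AS already appears in AS_PATH,
    the advertisement has looped back to us and must be dropped."""
    return my_as not in route.as_path


def import_policy(route: Route, preferred_neighbour: int) -> Optional[Route]:
    """Import policy: drop looped or unwanted routes, then set local
    preference (routes learned from the preferred neighbour win)."""
    if not loop_free(route) or len(route.as_path) > MAX_PATH_LEN:
        return None
    lp = 200 if route.as_path[0] == preferred_neighbour else 100
    return Route(route.prefix, list(route.as_path), lp)


def best_route(routes: List[Route], preferred_neighbour: int) -> Optional[Route]:
    """Decision: highest local preference first, then shortest AS_PATH."""
    accepted = [r for r in (import_policy(x, preferred_neighbour) for x in routes) if r]
    if not accepted:
        return None
    return max(accepted, key=lambda r: (r.local_pref, -len(r.as_path)))


def export_policy(route: Route, hidden_prefixes: set) -> Optional[Route]:
    """Export policy: keep prefixes we do not want others to know about
    private, and prepend our own AS so neighbours can detect loops."""
    if route.prefix in hidden_prefixes:
        return None
    return Route(route.prefix, [MY_AS] + route.as_path, route.local_pref)


# Constructed advertisements for one prefix, received from three neighbours.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", [65001, 65002, 64500, 65010]),  # contains our AS: loop
    Route("203.0.113.0/24", [65003, 65004, 65005, 65010]),  # valid but long
    Route("203.0.113.0/24", [65001, 65010]),                 # shortest path
]

if __name__ == "__main__":
    chosen = best_route(SAMPLE_ROUTES, preferred_neighbour=65001)
    print("best:", chosen)
    print("exported:", export_policy(chosen, hidden_prefixes=set()))
```

The first sample route is rejected purely because 64500 appears in its path, which is the loop detection the notes describe; local preference then decides between the remaining two before path length does.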
Transport Layer -> TCP, UDP
why use it? the network layer has limitations
--> the network layer hides the differences between the communicating parties, so it looks like direct communication --> transport layer --> provides end-to-end service to the application
UDP - User Datagram Protocol
- process to process --> port
- best-effort
- carries non-essential messages
<IP, port>
- de-multiplexing
- Advantages --> send as soon as received / stateless / no delay, no handshake / small overhead
- Disadvantages --> no congestion control / can suppress TCP flows
- How to discover the port --> well-known port, e.g. DNS - 53
or --> use one port as a port-mapper - DNS --> www.uofarizona.edu ==== 192.128.......
- common ports 1-1023 / registered ports 1024-49151 / dynamic ports 49152-65535
- same website --> opens another port for users --> process-based rather than user-based
Input / Output / Control Block Module
--> push to the control block table --> if the process exists --> queue number / if not --> create a new one
TCP
- connection oriented
- stream of bytes
- reliable, in order / checksum, ACK, SeqNum
- flow / congestion control
What is different from the above (UDP)?
- runs end to end over the route
- negotiates parameters such as the sliding window size
- RTT changes
- different resources, different flow control
Property
- format of a sent message --> <portS, addrS, portD, addrD, flags>
- flag types --> SYN, FIN, URG, PUSH, RESET, ACK
- SeqNum starts from an initial sequence number (ISN) --> consecutive numbering --> the ISN changes over time
- when ACKing, the SeqNum is incremented by one
- FIN needs a handshake --> two FIN and FIN-ACK exchanges --> both directions of the connection need to be closed
- Handshake --> no data flow
SW (Sliding Window) Algorithm
Sender
--> LastByteAcked, LastByteSent, LastByteWritten
--> LastByteSent - LastByteAcked <= AdvertisedWindow
--> EffectiveWindow = AdvertisedWindow - (LastByteSent - LastByteAcked)
Receiver
--> LastByteRead, NextByteExpected (received in order), LastByteRcvd
--> MaxRcvBuffer >= LastByteRcvd - LastByteRead
--> AdvertisedWindow = MaxRcvBuffer - ((NextByteExpected - 1) - LastByteRead) ==? LastByteRcvd - NextByteExpected + 1
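The sender and receiver bookkeeping above, as an added example that is not part of the original notes. The class structure, method names and the byte counts in the demo are constructed; only the variable names and the two window formulas come from the notes.

```python
# Added example (not from the notes): sender- and receiver-side
# sliding-window bookkeeping using the variable names above. Byte counts
# in the demo are constructed, not captured from a real connection.


class Sender:
    def __init__(self, advertised_window: int):
        self.last_byte_acked = 0
        self.last_byte_sent = 0
        self.last_byte_written = 0
        self.advertised_window = advertised_window

    def effective_window(self) -> int:
        # EffectiveWindow = AdvertisedWindow - (LastByteSent - LastByteAcked)
        return self.advertised_window - (self.last_byte_sent - self.last_byte_acked)

    def write(self, n: int) -> None:
        """Application hands n more bytes to TCP."""
        self.last_byte_written += n

    def send(self) -> int:
        """Transmit as much pending data as the effective window allows."""
        pending = self.last_byte_written - self.last_byte_sent
        n = max(0, min(pending, self.effective_window()))
        self.last_byte_sent += n
        # invariant: LastByteSent - LastByteAcked <= AdvertisedWindow
        assert self.last_byte_sent - self.last_byte_acked <= self.advertised_window
        return n

    def ack(self, ack_num: int, advertised_window: int) -> None:
        """ACK carries the next byte the receiver expects plus its window."""
        self.last_byte_acked = max(self.last_byte_acked, ack_num - 1)
        self.advertised_window = advertised_window


class Receiver:
    def __init__(self, max_rcv_buffer: int):
        self.max_rcv_buffer = max_rcv_buffer
        self.last_byte_read = 0
        self.next_byte_expected = 1
        self.last_byte_rcvd = 0
        self._buffered = set()  # out-of-order bytes held until the gap fills

    def receive(self, first: int, last: int) -> None:
        """Segment carrying bytes first..last (inclusive) arrives."""
        self.last_byte_rcvd = max(self.last_byte_rcvd, last)
        self._buffered.update(range(first, last + 1))
        # NextByteExpected only advances over a contiguous in-order run
        while self.next_byte_expected in self._buffered:
            self._buffered.discard(self.next_byte_expected)
            self.next_byte_expected += 1
        # invariant: LastByteRcvd - LastByteRead <= MaxRcvBuffer
        assert self.last_byte_rcvd - self.last_byte_read <= self.max_rcv_buffer

    def read(self, n: int) -> int:
        """Application reads up to n bytes; only in-order bytes are readable."""
        n = min(n, (self.next_byte_expected - 1) - self.last_byte_read)
        self.last_byte_read += n
        return n

    def advertised_window(self) -> int:
        # AdvertisedWindow = MaxRcvBuffer - ((NextByteExpected - 1) - LastByteRead)
        return self.max_rcv_buffer - ((self.next_byte_expected - 1) - self.last_byte_read)


if __name__ == "__main__":
    r = Receiver(1000)
    r.receive(1, 200)
    r.read(100)
    r.receive(401, 500)   # out of order: LastByteRcvd grows, the window does not shrink
    print("advertised window:", r.advertised_window(), "last rcvd:", r.last_byte_rcvd)
```

The demo answers the "==?" question in the notes: an out-of-order segment raises LastByteRcvd but leaves NextByteExpected alone, so the advertised window computed from NextByteExpected stays at 900 while LastByteRcvd - NextByteExpected + 1 gives 300. The two quantities are not the same; only the MaxRcvBuffer invariant is what keeps the buffer from overflowing.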
SeqNum
AdvertisedWindow 16 bits --> 2^16
SeqNum 32 bits --> 2^32 --> when the sending bandwidth is very high, the wrap-around time drops below the TTL
Add a timestamp --> if the SeqNum is the same but the timestamp is earlier, drop it.
Trigger Transmission
- MSS = MTU - headers = 1460
- Push --> empty the buffer --> because the advertised window might be smaller than the MSS
- Timer expiration
avoid sending data smaller than the header; collect a full segment before sending
Nagle Algorithm
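Nagle's algorithm as described above, as an added simulation that is not part of the original notes. The MSS of 1460 is the value from the notes; the class, the write sizes and the naive baseline are constructed to show how many segments each approach sends.

```python
# Added example (not from the notes): a simulation of Nagle's algorithm,
# the rule that batches small writes instead of sending each one as its own
# tiny segment. The MSS is the value from the notes; the write sizes are constructed.
from typing import List

MSS = 1460  # MTU 1500 - 20 bytes IP header - 20 bytes TCP header


class NagleSender:
    def __init__(self, mss: int = MSS):
        self.mss = mss
        self.buffer = 0            # bytes written by the application, not yet sent
        self.in_flight = 0         # bytes sent but not yet acknowledged
        self.sent: List[int] = []  # segment sizes actually transmitted, in order

    def _transmit(self, n: int) -> None:
        self.buffer -= n
        self.in_flight += n
        self.sent.append(n)

    def _try_send(self) -> None:
        # Full-size segments always go out immediately.
        while self.buffer >= self.mss:
            self._transmit(self.mss)
        # A small segment goes out only if nothing is in flight; otherwise
        # it waits for the ACK so the buffer can fill up in the meantime.
        if 0 < self.buffer and self.in_flight == 0:
            self._transmit(self.buffer)

    def write(self, n: int) -> None:
        """Application writes n bytes."""
        self.buffer += n
        self._try_send()

    def ack(self) -> None:
        """All outstanding data acknowledged; flush what accumulated."""
        self.in_flight = 0
        self._try_send()


def without_nagle(writes: List[int], mss: int = MSS) -> List[int]:
    """Baseline for comparison: every write becomes its own segment(s)."""
    out = []
    for n in writes:
        while n > mss:
            out.append(mss)
            n -= mss
        out.append(n)
    return out


if __name__ == "__main__":
    s = NagleSender()
    for _ in range(6):
        s.write(1)    # six one-byte writes while the first is unacknowledged
    s.ack()
    s.write(3000)
    s.ack()
    print("nagle:", s.sent)
    print("naive:", without_nagle([1] * 6 + [3000]))
```

Six one-byte writes become two segments (1 byte, then 5 bytes after the ACK) instead of six, and a 3000-byte write produces two full-MSS segments right away with the 80-byte tail held until the ACK. This is also why interactive applications sometimes disable Nagle: the tail waits a full RTT.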
TCP
Retransmission - Timeout
Solution A
- SampleRTT_i = the measured RTT sample
- EstimatedRTT_i = α·EstimatedRTT_{i-1} + (1-α)·SampleRTT_i
- Timeout = 2·EstimatedRTT_i
Karn/Partridge --> drop bad samples (retransmitted segments), double the timeout on each retransmission
Jacobson/Karels --> also take the deviation into account
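The three timeout estimators above, as an added example that is not part of the original notes. The RTT samples are constructed; α = 0.875, δ = 1/8, μ = 1 and φ = 4 are the usual textbook defaults, assumed here because the notes do not give values.

```python
# Added example (not from the notes): the three retransmission-timeout
# estimators listed above, run over constructed RTT samples (milliseconds).
# alpha = 0.875, delta = 1/8, mu = 1 and phi = 4 are the usual textbook defaults.
from typing import List, Optional, Tuple


def original_rto(samples: List[float], alpha: float = 0.875) -> float:
    """Solution A: EstimatedRTT = alpha*EstimatedRTT + (1-alpha)*SampleRTT,
    Timeout = 2*EstimatedRTT. The first sample seeds the estimate."""
    est = samples[0]
    for s in samples:
        est = alpha * est + (1 - alpha) * s
    return 2 * est


def karn_partridge_timeouts(events: List[Tuple[Optional[float], bool]],
                            alpha: float = 0.875) -> List[float]:
    """events: (sample_rtt, was_retransmitted). A sample taken on a
    retransmitted segment is ambiguous (which copy was ACKed?), so it is
    dropped; each retransmission doubles the current timeout instead.
    Returns the timeout in force after each event."""
    est = None
    timeout = None
    history = []
    for sample, retransmitted in events:
        if retransmitted:
            timeout *= 2            # exponential backoff, no new estimate
        else:
            est = sample if est is None else alpha * est + (1 - alpha) * sample
            timeout = 2 * est
        history.append(timeout)
    return history


def jacobson_karels_rto(samples: List[float], delta: float = 0.125,
                        mu: float = 1.0, phi: float = 4.0) -> float:
    """Track the mean and the deviation of the RTT:
    Difference = Sample - Estimated; Estimated += delta*Difference;
    Deviation += delta*(|Difference| - Deviation); Timeout = mu*Est + phi*Dev."""
    est = samples[0]
    dev = 0.0
    for s in samples:
        diff = s - est
        est += delta * diff
        dev += delta * (abs(diff) - dev)
    return mu * est + phi * dev


if __name__ == "__main__":
    steady = [100, 100, 100]
    jumpy = [100, 200]
    print("original:", original_rto(steady), original_rto(jumpy))
    print("jacobson:", jacobson_karels_rto(steady), jacobson_karels_rto(jumpy))
    print("karn:", karn_partridge_timeouts([(100, False), (None, True), (100, False)]))
```

On a perfectly steady RTT the original scheme always waits twice the RTT, while Jacobson/Karels waits only once the RTT because the deviation term is zero; when the RTT jumps, the deviation term grows the timeout instead of a fixed multiplier.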
TCP extensions
--> timestamps
--> timestamps + SeqNum
--> extended window size (window scaling)
--> selective ACK --> only used when something goes wrong (losses)
Congestion Control and Resource Allocation
Resource allocation --> available resources --> when to start, to whom
Congestion control --> respond to overload conditions
Network Model --> Best Effort Services
Resource Allocation
- router-centric and host-centric --> the difference is whether the router or the end host does the analysis; they are not mutually exclusive
- reservation-based and feedback-based --> resources reserved in advance or not
- window-based or rate-based
- fairness index --> the closer to 1, the fairer
- Max-min fairness --> start from the most congested point; once it is full, look at the other places
First In First Out
- problems --> a faster sender can take most of the bandwidth
- Fair Queuing --> round-robin --> when a queue is full, just drop some of its packets --> new problem --> what if someone else's packets are larger? --> bit-by-bit RR --> principle: smaller packets first / older packets first
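The fairness index, max-min fairness and the bit-by-bit round-robin idea above, as one added example that is not part of the original notes. Jain's index is assumed as the fairness index the notes mean (it is the one that approaches 1 when allocations are equal); the water-filling allocator and the finish-tag scheduler are simplified constructions, and the demands, packets and capacities are made up.

```python
# Added example (not from the notes): Jain's fairness index, max-min fair
# allocation by water-filling, and a simplified fair-queuing scheduler that
# approximates bit-by-bit round robin with finish tags. Demands, packets
# and capacities are constructed.
from typing import Dict, List, Tuple


def jain_fairness(rates: List[float]) -> float:
    """(sum x)^2 / (n * sum x^2): 1 when every flow gets the same share,
    1/n when a single flow takes everything."""
    n = len(rates)
    return sum(rates) ** 2 / (n * sum(x * x for x in rates))


def max_min_fair(demands: Dict[str, float], capacity: float) -> Dict[str, float]:
    """Water-filling: serve the smallest demand first; whatever it leaves is
    shared equally by the rest, so no flow can gain without taking from a
    flow that already has less."""
    alloc: Dict[str, float] = {}
    remaining = capacity
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    while pending:
        share = remaining / len(pending)
        name, demand = pending[0]
        if demand <= share:
            alloc[name] = demand          # fully satisfied, leftover goes to others
            remaining -= demand
            pending.pop(0)
        else:
            for name, _ in pending:       # everyone left is capped at the fair share
                alloc[name] = share
            break
    return alloc


def fair_queue_order(packets: List[Tuple[str, float, int]]) -> List[Tuple[str, int]]:
    """packets: (flow, arrival_time, length_bits). Per flow,
    F_i = max(F_{i-1}, A_i) + P_i is the time the packet would finish under
    bit-by-bit round robin; sending in order of F favours short packets and
    earlier arrivals, which is the rule in the notes. (Simplified: real FQ
    uses a virtual clock for A_i.)"""
    last_finish: Dict[str, float] = {}
    tagged = []
    for idx, (flow, arrival, length) in enumerate(packets):
        f = max(last_finish.get(flow, 0.0), arrival) + length
        last_finish[flow] = f
        tagged.append((f, idx, flow, length))
    return [(flow, length) for _, _, flow, length in sorted(tagged)]


if __name__ == "__main__":
    print(jain_fairness([5, 5, 5, 5]), jain_fairness([10, 0, 0, 0]))
    print(max_min_fair({"A": 2, "B": 3, "C": 4, "D": 5}, capacity=12))
    print(fair_queue_order([("A", 0, 1000), ("A", 0, 1000), ("B", 0, 100), ("B", 0, 100)]))
```

With four flows, the index is 1.0 for an equal split and 0.25 when one flow hogs the link, which is the FIFO problem the notes describe; the scheduler sends both 100-bit packets before either 1000-bit packet even though they arrived at the same time.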
Congestion control
- AIMD algorithm --> on a loss, CW = CW/2; otherwise, per ACK, CW = CW + MSS^2/CW
- Slow Start --> exponential growth --> on a drop, back to 1 --> exponential growth up to half of the old window (the threshold) --> then linear growth
- performance --> fast retransmit --> 3 duplicate ACKs --> retransmission
- fast recovery --> use slow start only at the beginning
Congestion Avoidance --> predict the available bandwidth
DECbit scheme
- Router --> monitors its queue --> if the average queue length >= 1, set the bit to 1
- Sources --> if fewer than 50% of the packets carry the DEC-bit --> increase, else --> CW = 0.875·CW
- Can be used with AIMD
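The window dynamics of the two passages above (slow start, AIMD, fast retransmit and fast recovery, and the DECbit source rule) as one added example that is not part of the original notes. cwnd and ssthresh are kept in units of MSS, the initial threshold of 8 MSS and the event sequences are constructed, and the "minimum of 2 MSS" floor is an assumption borrowed from common implementations.

```python
# Added example (not from the notes): a cwnd trace through slow start,
# additive increase / multiplicative decrease, fast retransmit and fast
# recovery, plus the DECbit source rule. cwnd and ssthresh are in MSS units;
# the event sequences are constructed.
from typing import List, Tuple


def tcp_cwnd_trace(events: List[str], ssthresh: float = 8.0) -> Tuple[List[float], float]:
    """events: 'ack' (one new ACK), 'dup3' (third duplicate ACK), 'timeout'.
    Returns cwnd after each event and the final ssthresh."""
    cwnd = 1.0
    trace = []
    for ev in events:
        if ev == "ack":
            if cwnd < ssthresh:
                cwnd += 1.0            # slow start: +1 MSS per ACK, doubles each RTT
            else:
                cwnd += 1.0 / cwnd     # additive increase: MSS^2/cwnd per ACK, +1 MSS per RTT
        elif ev == "dup3":
            ssthresh = max(cwnd / 2, 2.0)   # multiplicative decrease: halve
            cwnd = ssthresh                 # fast recovery: skip slow start
        elif ev == "timeout":
            ssthresh = max(cwnd / 2, 2.0)
            cwnd = 1.0                      # loss by timeout: back to slow start
        else:
            raise ValueError(ev)
        trace.append(cwnd)
    return trace, ssthresh


def fast_retransmit_points(ack_numbers: List[int]) -> List[int]:
    """Fast retransmit trigger: the third duplicate ACK for the same byte
    is taken as a loss signal without waiting for the timer."""
    triggers = []
    last, dups = None, 0
    for ack in ack_numbers:
        if ack == last:
            dups += 1
            if dups == 3:
                triggers.append(ack)
        else:
            last, dups = ack, 0
    return triggers


def decbit_adjust(cwnd: float, marked: int, total: int) -> float:
    """DECbit source rule: if fewer than 50% of the packets in the last
    window came back with the congestion bit set, grow by one; otherwise
    shrink to 0.875 of the window."""
    return cwnd + 1.0 if marked < 0.5 * total else 0.875 * cwnd


if __name__ == "__main__":
    trace, ss = tcp_cwnd_trace(["ack"] * 8 + ["dup3", "timeout"])
    print(trace, ss)
    print(fast_retransmit_points([1000, 2000, 2000, 2000, 2000, 3000]))
    print(decbit_adjust(8.0, 3, 10), decbit_adjust(8.0, 6, 10))
```

The trace shows the window climbing one MSS per ACK until it reaches the threshold, switching to the much slower 1/cwnd increments, halving on three duplicate ACKs without a restart, and collapsing to one MSS only on a timeout.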
Random Early Detection
Source-based congestion avoidance
Security
Information Security
- classical cryptography -> 5-tuple: plaintext set, ciphertext set, key set, encryption functions, decryption functions
- Definition of secure encryption --> someone who sees the ciphertext cannot directly recover the key, and cannot use the ciphertext to find the encryption function
- Shift cipher, substitution cipher, affine cipher (y = ax + b)
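The shift and affine ciphers above as working code, added here and not part of the original notes. The helper names, the lowercase 26-letter alphabet and the sample plaintexts are constructed; the key-space count illustrates why these ciphers fail the security definition above once the attacker knows the algorithm.

```python
# Added example (not from the notes): the shift and affine ciphers from the
# list above as working code, plus a count of each cipher's key space. The
# plaintexts are constructed; letters only, case folded, other characters pass through.
import string
from math import factorial, gcd

ALPHABET = string.ascii_lowercase
M = len(ALPHABET)  # 26


def _map(text: str, f) -> str:
    """Apply the letter-index function f to every alphabetic character."""
    return "".join(ALPHABET[f(ALPHABET.index(c))] if c in ALPHABET else c for c in text.lower())


def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    """y = a*x + b (mod 26). The key (a, b) is valid only if gcd(a, 26) = 1,
    otherwise two plaintext letters would map to the same ciphertext letter."""
    if gcd(a, M) != 1:
        raise ValueError("a must be coprime with 26")
    return _map(plaintext, lambda x: (a * x + b) % M)


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """x = a^-1 * (y - b) (mod 26), using the modular inverse of a."""
    a_inv = pow(a, -1, M)  # modular inverse (Python 3.8+)
    return _map(ciphertext, lambda y: (a_inv * (y - b)) % M)


def shift_encrypt(plaintext: str, k: int) -> str:
    """The shift (Caesar) cipher is the affine cipher with a = 1."""
    return affine_encrypt(plaintext, 1, k)


def shift_decrypt(ciphertext: str, k: int) -> str:
    return affine_decrypt(ciphertext, 1, k)


def key_space_sizes() -> dict:
    """Under Kerckhoffs' principle the attacker knows the cipher, so the key
    space bounds a ciphertext-only exhaustive search: 26 shift keys and 312
    affine keys are trivially enumerable; 26! substitution keys are not
    (that cipher falls to letter-frequency analysis instead)."""
    units = sum(1 for a in range(1, M) if gcd(a, M) == 1)  # phi(26) = 12
    return {"shift": M, "affine": units * M, "substitution": factorial(M)}


def shift_candidates(ciphertext: str) -> list:
    """All 26 possible decryptions of a shift-cipher text: the true plaintext
    is always among them, which is why the shift cipher is not secure."""
    return [shift_decrypt(ciphertext, k) for k in range(M)]


if __name__ == "__main__":
    c = affine_encrypt("affine cipher", 5, 8)
    print(c, "->", affine_decrypt(c, 5, 8))
    print(key_space_sizes())
```

Round-tripping through encrypt and decrypt checks that the modular inverse is right; the key-space figures tie back to the security definition above: a cipher whose whole key set can be tried by hand gives the attacker the key from the ciphertext alone.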
Network Security - infrastructure security
- Network-based attacks --> DoS and DDoS attacks / intrusion attacks and exfiltration attacks / routing attacks
Cryptanalysis
- Kerckhoffs' principle --> Eve knows everything (except the key)
- attacker models -> ciphertext-only attack / chosen-plaintext attack / known-plaintext attack / chosen-ciphertext attack --> ciphertext-only is the weakest
Symmetric Key Model
- key k drawn from the key set {k1, k2, k3, ...}
- use the key to encrypt --> the substitution box changes the order
- hard to attack
Authentication
- symmetric key --> encrypt with the public key --> the other party authenticates
- asymmetric key --> public key: authentication --> private key: signature, verification
- certificate --> signature over ID_A and PK_A, ver(Cert_A, ID_A || PK_A)
Approaches
- Surreptitious forwarding -> the signature, the message and the certificate are all wrapped with PK_B
- encrypt-then-sign approach --> encrypt the message, sign E(x)
- PGP protocol --> sign x --> pick a random key k --> encrypt x with k --> encrypt k with PK_B
- Hash function --> compresses a large amount of data into a new, smaller range --> the birthday paradox may apply
Key Agreement
- Diffie-Hellman --> use modular arithmetic to agree on and exchange a secret / man-in-the-middle attack --> solved by --> authentication
- SSH protocol / user authentication --> asks whether you want to connect
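The Diffie-Hellman exchange above, together with the authentication step that lets a peer notice a substituted public value, as an added example that is not part of the original notes. The group (p = 2^127 - 1, g = 3), the private exponents and the pre-shared HMAC key are constructed toy values; real deployments use standardized 2048-bit-or-larger groups and authenticate the exchange with certificates or signatures rather than a pre-shared MAC key.

```python
# Added example (not from the notes): a Diffie-Hellman exchange and the
# authentication step that stops a man-in-the-middle from substituting a
# public value. The group, the private exponents and the pre-shared
# authentication key are constructed toy values.
import hashlib
import hmac
from typing import Optional, Tuple

P = (1 << 127) - 1   # Mersenne prime M127: small enough to read, far too small to be safe
G = 3
AUTH_KEY = b"constructed-pre-shared-authentication-key"


def dh_public(private: int) -> int:
    return pow(G, private, P)            # g^a mod p


def dh_shared(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)  # (g^b)^a mod p == (g^a)^b mod p


def session_key(shared: int) -> bytes:
    """Derive a fixed-length key from the shared group element."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag(public: int, key: bytes = AUTH_KEY) -> bytes:
    """Authenticate a public value so the peer can tell it really came from us."""
    return hmac.new(key, public.to_bytes(16, "big"), "sha256").digest()


def verify(public: int, mac: bytes, key: bytes = AUTH_KEY) -> bool:
    return hmac.compare_digest(tag(public, key), mac)


def exchange(a: int, b: int, substituted_public: Optional[int] = None) -> Tuple[bool, bool]:
    """Alice (a) and Bob (b) exchange public values. If substituted_public is
    given, Bob receives that value in place of Alice's, which is what a party
    in the middle would arrange. Returns (keys_match, bob_accepts_tag)."""
    A, B = dh_public(a), dh_public(b)
    mac_A = tag(A)
    received_A = A if substituted_public is None else substituted_public
    bob_accepts = verify(received_A, mac_A)      # fails when A was replaced
    key_alice = session_key(dh_shared(B, a))
    key_bob = session_key(dh_shared(received_A, b))
    return key_alice == key_bob, bob_accepts


if __name__ == "__main__":
    a, b, m = 123456789, 987654321, 555555555   # constructed exponents
    print("honest  :", exchange(a, b))
    print("tampered:", exchange(a, b, substituted_public=dh_public(m)))
```

Without the tag check, the tampered run would still "succeed" from each side's point of view, each party deriving a key it shares with the substitute rather than with the other, which is the man-in-the-middle problem; the HMAC over the public value is what turns the silent key mismatch into a detected failure.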
SYN flood attack --> DoS
Direct DoS --> spoofed IP, keeps sending
Prevention --> ingress filter: look at the source IP, drop if it does not belong to the router's network / random drop on the firewall / router check: if unknown, drop
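The ingress filter described above, plus a half-open-connection count per source as a SYN-flood indicator, as an added example that is not part of the original notes. The customer prefixes use documentation address ranges, the event log is constructed, and the threshold of three half-open connections is an arbitrary assumption for the demo.

```python
# Added example (not from the notes): the two defences listed above as
# code, the ingress filter (drop packets whose source address cannot belong
# to the network they arrive from) and a half-open-connection count per
# source as a SYN-flood indicator. Prefixes and the event log are
# constructed using documentation address ranges.
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Prefixes that may legitimately appear as source addresses on this
# customer-facing interface (constructed).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def ingress_filter(src_ip: str, prefixes=CUSTOMER_PREFIXES) -> str:
    """Ingress filtering: a packet entering from the customer side must carry
    a source address from that customer's own prefixes; anything else is
    spoofed (or a bogus source like loopback/multicast) and is dropped."""
    addr = ipaddress.ip_address(src_ip)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return "drop"
    return "accept" if any(addr in net for net in prefixes) else "drop"


# Constructed connection events seen at the firewall: (source, event).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("192.0.2.10", "SYN"), ("192.0.2.10", "ACK"),      # normal handshake completes
    ("198.51.100.7", "SYN"), ("198.51.100.7", "SYN"),  # repeated SYNs, no ACKs
    ("198.51.100.7", "SYN"), ("198.51.100.7", "SYN"),
    ("192.0.2.11", "SYN"),                             # one half-open so far
]


def half_open_by_source(events) -> Dict[str, int]:
    """Count connections per source that were opened (SYN) but never
    completed (ACK): the resource a SYN flood tries to exhaust."""
    half_open: Counter = Counter()
    for src, ev in events:
        if ev == "SYN":
            half_open[src] += 1
        elif ev == "ACK" and half_open[src] > 0:
            half_open[src] -= 1
    return dict(half_open)


def syn_flood_suspects(events, threshold: int = 3) -> List[str]:
    """Sources holding at least `threshold` half-open connections."""
    return sorted(s for s, n in half_open_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    for ip in ["192.0.2.10", "203.0.113.5", "127.0.0.1"]:
        print(ip, ingress_filter(ip))
    print(syn_flood_suspects(SAMPLE_EVENTS))
```

The filter is the upstream side of the defence (a spoofed source from outside the customer's own prefixes never leaves the access router), while the half-open count is the receiving side's view; the latter only identifies a source when the flood does not spoof, which is exactly why the notes pair the two.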
BotNets
Robot and network --> zombie attack
--> not necessary to use spoofed IPs
--> the attacker would not be seen
- Recruitment --> downloads / infection through connections on other ports / weak passwords
Reflector DoS attack
--> give other hosts the target's IP address as the source --> they send their replies back to it and flood the server