
Network Architecture: IP Protocol Stack

Outline
Internet Protocols (IP)
- The role of an IP
- IPv4
- IPv6

Transport Protocols
- TCP
- UDP

Protocol Architecture & Security


Network Security 2

1. Internet Protocol
An internet protocol (IP) provides the functionality for interconnecting end systems across multiple networks. IP is implemented in all end systems and routers, which provide connection between networks.

High-level source data are encapsulated in an IP protocol data unit (PDU) for transmission.
PDU is then passed through one or more networks and routers to reach the destination end system.


1. Internet Protocol: Routers


To provide interconnection between networks, routers need to cope with the following differences:

Addressing schemes: Global network addressing solutions are needed to identify networks, which may use different kinds of network addresses.
- IEEE 802 LAN: 16-bit or 48-bit binary addresses.
- X.25 public packet-switching network: 12-digit decimal addresses (each digit encodes 4 bits).

Fragmentation: Packets may be broken into smaller ones for further transmission, since each network may have a different maximum packet size.
- Ethernet: 1500 bytes; X.25: usually 1000 bytes.

1. Internet Protocol: Routers


Interfaces: Various networks have different hardware and software interfaces. Routers should be independent of these differences.

Reliability: The operation of the routers should not depend on the reliability of the underlying networks, which may provide anything from a reliable end-to-end circuit to an unreliable service.

The following example illustrates the operation of routers in the scenario of the TCP/IP protocol suite.

1. Internet Protocol: TCP/IP Example

April 12


1. Internet Protocol: TCP/IP Example


Consider the transfer of a block of data m from X to Y.
- At X: From TCP, the IP layer receives m to be sent to Y.
- At X: IP forms IP packet m by attaching an IP header that contains the global internet address of Y.
- At X: IP recognizes that Y is on another subnetwork, so m should be forwarded to router 1 first.
- At X: Lower layers transfer packet m to router 1.
- At router 1: Recover m from x, and analyze the ultimate destination Y.
- At router 1: Send m to router 2 via the intermediate network, where different IP protocols may be used.
- At router 2: Create a new IP packet and send it to Y.

1. Internet Protocol: TCP/IP Example


Further Remarks:
- IP must be implemented in all end systems and all routers on all networks. However, routers do not need high-level protocols over IP.
- The IP service is unreliable. That is, any of the following may happen: data corruption, out-of-order delivery, duplicate arrival, and loss.
- This approach provides good flexibility, i.e., no particular reliability requirements on subnetworks.
- Recovering from errors is the responsibility of the next higher layer (TCP in this case).

1. Internet Protocol: IPv4 & IPv6


For decades, the Internet Protocol version 4 (IPv4) has been the keystone of the TCP/IP protocol architecture.
- Addresses look like 147.188.191.11.
- UoP has the entire range of 147.188.x.x (65k addresses), a class B address.
- American universities and large companies often have class A addresses: HP has 15.x.x.x (10M addresses).
- Up to 2^32 (about 4.3 billion) addresses in total, but not fairly shared. China doesn't have any A or B addresses.
- Routing tables are still very messy, though addressing has some geographical coherence.

1. Internet Protocol: IPv4 & IPv6


In 1996, IPv6 was specified as an Internet standard. The driving force was the need for more addresses:
- IPv6 supports 128-bit addresses, i.e., about 10^38 addresses in total, or 10^28 addresses for every person alive today.
IPv6 provides functional enhancements over IPv4:
- Accommodating high-speed networks and mixed transfer of data streams, including graphics and video.
IPv6 offers better security (IPSec).
Korea, Japan and China have significant deployments of IPv6. As a major new network for the UK, BT's 21CN is based on IPv4.

1. Internet Protocol: IPv4 & IPv6

Next, we discuss the format of the IP header. What kinds of information should be included in the IP header?


Internet Protocol Version 4 (IPv4) Datagram Format

1. Internet Protocol: IPv4 Header


The IPv4 header, with a minimum of 20 octets (= 160 bits), has the following fields:
- Version (4 bits): The value is 4, indicating the version number.
- Internet Header Length (IHL) (4 bits): Length of the header in 32-bit words. So, the value of IHL is at least 5.
- DS/ECN (8 bits): 6 bits for DS (Differentiated Services), and the other 2 bits reserved for ECN (Explicit Congestion Notification).
- Total Length (16 bits): Total IP packet length, in octets.
- Identification (16 bits): A sequence number which, together with the source address, destination address and user protocol, is intended to identify a packet uniquely.

1. Internet Protocol: IPv4 Header


- Flags (3 bits): Identifies whether fragmentation is allowed or not.
- Fragment Offset (13 bits): Indicates where in the original packet this fragment belongs, measured in 64-bit units.
- Time to Live (TTL) (8 bits): Specifies how long, in seconds, a packet can live in the internet.
- Protocol (8 bits): Identifies the type of the next header (next higher level protocol) in the IP payload.
- Source Address (32 bits) and Destination Address (32 bits).
- Options + Padding (variable): Options encoded by the sender; padding is used to ensure the packet is a multiple of 32 bits.
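The header fields above and the fragmentation problem from the router slides (Ethernet 1500 bytes vs. X.25 1000 bytes) come together in the following added example, which is not part of the lecture. It builds a 20-octet IPv4 header, validates a received one the way a router must (Version, IHL >= 5, Total Length, and the 16-bit Header Checksum at octets 10-11, a field the slides omit but which RFC 791 defines), fragments a datagram for a given MTU using 8-octet (64-bit) offset units, and reassembles fragments that may arrive out of order. The addresses, Identification value and payload are constructed sample values.

```python
import socket
import struct

IHL_MIN = 5  # header length in 32-bit words; 5 words = 20 octets


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented (RFC 791).
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ident, *,
                      df=False, mf=False, frag_offset=0, ttl=64) -> bytes:
    """20-octet header without options. frag_offset is given in octets and must be a
    multiple of 8, because the 13-bit field counts 64-bit units."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | IHL_MIN,          # Version = 4, IHL = 5
                      0,                           # DS/ECN
                      IHL_MIN * 4 + payload_len,   # Total Length, octets
                      ident, flags_frag, ttl, proto,
                      0,                           # Header Checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header and reject what a router should drop: truncated
    header, wrong version, IHL < 5, checksum mismatch, inconsistent Total Length."""
    if len(pkt) < IHL_MIN * 4:
        raise ValueError("truncated header")
    (ver_ihl, ds_ecn, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < IHL_MIN or len(pkt) < ihl * 4:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl * 4]) != 0:
        raise ValueError("header checksum mismatch")
    if total_len < ihl * 4 or total_len > len(pkt):
        raise ValueError("bad total length")
    return {
        "version": version, "header_len": ihl * 4,
        "ds": ds_ecn >> 2, "ecn": ds_ecn & 3,
        "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # back to octets
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def is_valid_ipv4_header(pkt: bytes) -> bool:
    try:
        parse_ipv4_header(pkt)
        return True
    except ValueError:
        return False


def fragment(src, dst, proto, ident, payload: bytes, mtu: int) -> list:
    """Split one datagram so every fragment fits the link MTU. The data per
    fragment is rounded down to a multiple of 8 octets so offsets stay encodable."""
    max_data = (mtu - IHL_MIN * 4) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small")
    frags, off = [], 0
    while off < len(payload) or not frags:
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)      # MF = 1 on all but the last
        frags.append(build_ipv4_header(src, dst, proto, len(chunk), ident,
                                       mf=more, frag_offset=off) + chunk)
        off += len(chunk)
    return frags


def reassemble(fragments) -> bytes:
    """Order fragments by Fragment Offset (they may arrive out of order) and
    require a gap-free sequence that ends with the MF = 0 fragment."""
    pieces, end = {}, None
    for f in fragments:
        h = parse_ipv4_header(f)
        data = f[h["header_len"]:h["total_length"]]
        pieces[h["fragment_offset"]] = data
        if not h["mf"]:
            end = h["fragment_offset"] + len(data)
    out, expect = b"", 0
    for off in sorted(pieces):
        if off != expect:
            raise ValueError("gap at offset %d" % expect)
        out += pieces[off]
        expect += len(pieces[off])
    if end is None or expect != end:
        raise ValueError("incomplete datagram")
    return out


if __name__ == "__main__":
    data = bytes(range(256)) * 10   # constructed 2560-octet payload
    for mtu in (1500, 1000):        # Ethernet and X.25 sizes from the slides
        frags = fragment("147.188.191.11", "15.1.2.3", 17, 0x1234, data, mtu)
        print(mtu, [parse_ipv4_header(f)["fragment_offset"] for f in frags])
        assert reassemble(reversed(frags)) == data
```

A 2560-octet payload becomes two fragments on a 1500-octet link (1480 + 1080 octets of data) and three on a 1000-octet link (976 + 976 + 608), since 980 is rounded down to the 8-octet multiple 976. Any bit flipped in a header makes the checksum test fail and the fragment is rejected before reassembly is attempted.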

2. Transport Protocols: TCP & UDP


TCP (Transmission Control Protocol)
Applications use TCP to create reliable connections between one host and another. TCP uses port numbers (i.e. internet sockets) to tell different applications apart.
- email: IMAP (port 143), POP3 (port 110), SMTP (port 25)
- Web: HTTP (port 80), HTTPS (port 143)
- FTP (port 21), telnet (port 23), SSH (port 22)
TCP is not appropriate for some applications:
- Real-time applications, such as internet radio, IPTV, VoIP, online games. Getting most of the data in time is more important than getting all data in order.
- Simple protocols in huge volume, such as DNS.

2. Transport Protocols: TCP & UDP


UDP (User Datagram Protocol)
UDP is a lighter-weight alternative to TCP:
- Provides application multiplexing and checksums, as TCP does.
- But does not handle building streams or retransmission.

Like TCP, UDP also uses port numbers to identify different applications:
- Networking protocols: DHCP (port 67), routing (513, 520)
- File serving: NFS (2049), CIFS/SMB (445)
- Time synchronisation: NTP (123).
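The two transport slides above describe ports as the way both TCP and UDP tell applications apart, and the difference that TCP builds a reliable stream while UDP delivers independent datagrams. The following added example (not part of the lecture) shows both on the loopback interface: several UDP sockets, each standing in for a service on its own port, receive only the datagrams addressed to them and each recv() returns exactly one datagram, whereas one TCP connection delivers the same messages as a single byte stream in which the sender's message boundaries are gone. The service names, messages and the use of kernel-assigned ports instead of the well-known numbers are constructed for the demo.

```python
import socket

LOOPBACK = "127.0.0.1"


def udp_demux(messages_by_service: dict) -> dict:
    """Bind one UDP socket per named service (the kernel picks a free port, standing in
    for a well-known one such as NTP's 123), send each message to its service's port,
    and return what every socket received. No connection is set up at any point."""
    servers = {}
    for name in messages_by_service:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((LOOPBACK, 0))
        s.settimeout(2.0)
        servers[name] = s
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for name, msgs in messages_by_service.items():
            for m in msgs:
                client.sendto(m, servers[name].getsockname())
        received = {}
        for name, s in servers.items():
            # one recv() per datagram: UDP keeps message boundaries, and only
            # traffic addressed to this port is demultiplexed to this socket
            received[name] = [s.recv(65535) for _ in messages_by_service[name]]
        return received
    finally:
        client.close()
        for s in servers.values():
            s.close()


def tcp_stream(messages: list) -> tuple:
    """Open one TCP connection, send the messages, read until the peer closes.
    Returns (bytes delivered, client's ephemeral port). The receiver sees one
    ordered byte stream; framing the messages is left to the application."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))
    listener.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(listener.getsockname())     # three-way handshake happens here
    conn, peer = listener.accept()
    conn.settimeout(2.0)
    try:
        for m in messages:
            client.sendall(m)
        client.close()                         # FIN tells the reader the stream is done
        chunks = []
        while True:
            c = conn.recv(65535)
            if not c:                          # EOF: the whole stream was delivered
                break
            chunks.append(c)
        return b"".join(chunks), peer[1]
    finally:
        client.close()
        conn.close()
        listener.close()


if __name__ == "__main__":
    print(udp_demux({"dns": [b"query-1", b"query-2"], "ntp": [b"time?"]}))
    print(tcp_stream([b"GET /\r\n", b"Host: example\r\n"]))
```

The TCP reader deliberately loops until EOF rather than reading a fixed number of messages: the kernel is free to coalesce or split what was sent, so the only safe unit is the byte count (or a length prefix or delimiter the application defines). That is the practical meaning of "does not handle building streams" on the UDP slide.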

3. Protocol Architecture & Security

A Comparison of the OSI and TCP/IP Protocol Architecture


3. Protocol Architecture & Security


Internet Protocol Suite
5. Application layer: DHCP, DNS, FTP, HTTP, IMAP4, IRC, MIME, POP3, SIP, SMTP, SNMP, SSH, TELNET, TLS/SSL, BGP, RPC, RTP, RTCP, SDP, SOAP, BitTorrent
4. Transport layer: TCP, UDP, DCCP, SCTP
3. Network layer: IP (v4, v6), ARP, IPSec, ICMP, IGMP, RSVP, IGP, RARP
2. Data link layer: ATM, Bluetooth (PAN profile), DTM, Ethernet, FDDI, Frame Relay, GPRS, Modems, PPP, Wi-Fi
1. Physical layer: Bluetooth RF, Ethernet physical layer, ISDN, Modems, RS232, SONET/SDH, USB, Wi-Fi, Power line communication

3. Protocol Architecture & Security


3. Protocol Architecture & Security


The idea of those architectures: Each layer solves a set of problems involving the transmission of data.
- A layer provides a well-defined service to the upper layers' protocols by using services provided by the lower layers.
- Upper layers are logically closer to the user and deal with more abstract data. Lower layers are in charge of physical transmission.

3. Protocol Architecture & Security

A natural but difficult question:


At which layer should we implement security protections? Answer is: ALL the layers.


3. Protocol Architecture & Security


Application Layer Security (PGP, S/MIME etc.)
- Most flexible, but least general.
- Fine-grained security control for specific applications.
- Works well with proxies and application-layer firewalls.
- Only protects the payload, so traffic analysis is possible.

Transport Layer Security (TLS etc.)
- Provides uniform security across applications, but is not transparent to applications and doesn't support UDP.
- More fine-grained than IPSec.
- Only protects the payload, so traffic analysis is possible.
- Doesn't work with proxies and application-layer firewalls.

3. Protocol Architecture & Security


Network Layer Security (IPSec)
- Most general but least flexible.
- Transparent to applications, so no need to change applications if IPSec is realized on a firewall or router, and no need to train and manage users (issuing/revoking keys).
- Flexible policy framework, but complicated administration.
- Provides routing security.
- Can prevent traffic analysis.
- Doesn't work with proxies and application-layer firewalls.
- Mainly designed for IPv6.
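The transport-layer and network-layer slides make opposite claims about traffic analysis: TLS "only protects the payload, so traffic analysis is possible", while IPSec "can prevent traffic analysis". The following added example, which is not part of the lecture, makes that concrete from a defender's viewpoint. It takes a constructed log of what a passive on-path observer can record per packet when only the payload is encrypted (addresses, ports, timestamps, sizes) and summarises it into flows, which is enough to tell which host talked to which server on which port, how much, and for how long. It then transforms the same packets into what the observer sees once the two sites are joined by a tunnel-mode IPSec (ESP) gateway pair: only gateway addresses, no transport ports, inner addresses and payload hidden. The addresses (RFC 5737 documentation ranges), the gateway mapping and the 50-octet tunnel overhead are constructed assumptions.

```python
from collections import defaultdict

# Constructed capture: (src, sport, dst, dport, time_s, size_octets) as logged by an
# observer on the path between the client site and the servers. Payloads are TLS-
# encrypted, so only these header fields are visible. Port 443 is a TLS web session
# and port 22 an SSH session.
TLS_CAPTURE = [
    ("10.0.0.5", 51234, "203.0.113.10", 443, 0.00, 517),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 0.03, 1420),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 0.03, 1420),
    ("10.0.0.5", 51234, "203.0.113.10", 443, 0.05, 126),
    ("10.0.0.5", 51234, "203.0.113.10", 443, 0.40, 890),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 0.52, 1420),
    ("203.0.113.10", 443, "10.0.0.5", 51234, 0.52, 733),
    ("10.0.0.5", 40022, "203.0.113.20", 22, 1.00, 84),
    ("203.0.113.20", 22, "10.0.0.5", 40022, 1.02, 120),
]

# Constructed: which site gateway each inner address sits behind, and the extra
# octets a tunnel-mode ESP packet carries (outer IP header, ESP header, trailer, ICV).
GATEWAYS = {"10.0.0.": "198.51.100.1", "203.0.113.": "198.51.100.2"}
ESP_OVERHEAD = 50


def flow_summary(records) -> dict:
    """Group packets into bidirectional flows keyed by both (address, port) endpoints
    and report what metadata alone reveals: peers, port, volume and duration."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for src, sport, dst, dport, t, size in records:
        key = tuple(sorted(((src, sport), (dst, dport))))   # direction-independent
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
    return dict(flows)


def ipsec_tunnel_view(records, gateways=GATEWAYS, overhead=ESP_OVERHEAD) -> list:
    """The same packets as seen outside a tunnel-mode ESP pair: the outer header names
    only the two gateways, ESP carries an SPI rather than transport ports (None here),
    and the inner header and payload are encrypted. Timing and approximate sizes
    still leak, which is why padding or traffic shaping is needed to hide them too."""
    def gateway_for(addr):
        for prefix, gw in gateways.items():
            if addr.startswith(prefix):
                return gw
        raise ValueError("no gateway for " + addr)
    return [(gateway_for(src), None, gateway_for(dst), None, t, size + overhead)
            for src, sport, dst, dport, t, size in records]


if __name__ == "__main__":
    for label, recs in (("TLS", TLS_CAPTURE), ("IPSec tunnel", ipsec_tunnel_view(TLS_CAPTURE))):
        print(label)
        for key, f in flow_summary(recs).items():
            print("  %s <-> %s  packets=%d bytes=%d duration=%.2fs"
                  % (key[0], key[1], f["packets"], f["bytes"], f["last"] - f["first"]))
```

Under TLS the summary separates a web session from an SSH session on the same client and shows their sizes; behind the tunnel both collapse into one gateway-to-gateway flow. The caveat in the second function is the one the slide's "can prevent" hedges on: packet counts, timing and lengths are still observable, so the protection is against learning endpoints and ports, not against every form of traffic analysis.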

Datalink Layer Security (Wi-Fi etc.)
- Secures specific link protocols (e.g., wireless).

Summary
The TCP/IP Protocol Architecture
- TCP, UDP
- IPv4 and IPv6
- Different layers can provide different security
Next Lecture: IP Security
