Advanced Network Security, Lecture 8
Review of Networking Basics: Internet Architecture, Routing, and Naming
Peter Reiher
August, 2014
Outline
• Basics of Internet architecture
• Routing for the Internet and other networks
• Naming issues in networks
Internet Architecture
• The Internet is a network of networks
• It connects together different networks
– Controlled by different parties
– In different geographical locations
– Under different legal and political control
– Using different underlying technologies
So the Internet Isn’t Really This
It’s More Like This
Except much, much bigger
And much, much more complicated
High Level Internet Organization
• Subnetworks are considered to be:
– Tier 1 networks
– Tier 2 networks
– Or tier 3 networks
• Definitions of tiers slightly imprecise
• But commonly understood
Tier 1 Networks
• All tier 1 networks interconnect directly
• In essence, the Internet backbone
• Tier 1 networks mostly move data between each other
– Without paying each other per packet or for amount of bandwidth used
– Until it is moved down to lower tier networks for delivery
• Examples: AT&T, Sprint, NTT
Tier 2 Networks
• ISPs that do some peering, but also pay some other networks for data transit
• Essentially, large ISPs
• They connect to some tier 1 networks
– And to some tier 3 networks
– Perhaps even directly to customers
• Examples: British Telecom, Comcast
Tier 3 Networks
• ISPs that primarily provide direct service to customers
• They typically connect to one or more tier 2 networks
• Tend to be highly regional
• Usually lower bandwidth networks
• Example: Thang Long Data Center
How They Fit Together
Some Basic Internet Policies
• Valley-free
– Once traffic goes up in tiers, it doesn’t come down until it is close to delivery, and once it comes down it never goes back up
– I.e., customer->tier-3->tier-2->tier-1->tier-2->tier-3->receiver
– Not customer->tier-3->tier-2->tier-1->tier-2->tier-1->tier-2->tier-3->customer
– That’s a valley!
• Prefer customer route, then peer, then provider
– Go down before sideways
– Go sideways before up
• Typical policy, not ironclad rule
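The valley-free check and the customer > peer > provider preference from the slide, written out as an added example (not code from the lecture). The AS names, topology and relationships below are constructed for illustration.

```python
# Added example (not from the lecture slides): checks an AS-level path against
# the valley-free policy and ranks candidate routes customer > peer > provider.
# The AS names, topology and relationships below are constructed for illustration.

# Constructed topology: customer -> set of its providers ("up" links).
PROVIDER_OF = {
    "CUST": {"T3a"}, "T3a": {"T2a"}, "T2a": {"T1"},
    "RCV": {"T3b"}, "T3b": {"T2b"}, "T2b": {"T1"},
}
PEERS = {frozenset({"T2a", "T2b"})}  # settlement-free peers ("sideways" links)

def relation(a, b):
    """How neighbour b relates to a: 'provider' (up), 'customer' (down) or 'peer'."""
    if b in PROVIDER_OF.get(a, ()):
        return "provider"
    if a in PROVIDER_OF.get(b, ()):
        return "customer"
    if frozenset({a, b}) in PEERS:
        return "peer"
    raise ValueError(f"{a} and {b} are not neighbours")

def is_valley_free(path):
    """Valley-free: zero or more up links, at most one peer link, then zero or
    more down links. Any up (or peer) link after the path has turned sideways
    or downward is a valley."""
    phase = 0  # 0 = still climbing, 1 = crossed a peer link, 2 = descending
    for a, b in zip(path, path[1:]):
        rel = relation(a, b)
        if rel == "provider":
            if phase > 0:
                return False
        elif rel == "peer":
            if phase > 0:
                return False
            phase = 1
        else:  # customer link: from here on only down links are allowed
            phase = 2
    return True

PREFERENCE = {"customer": 0, "peer": 1, "provider": 2}  # go down before sideways before up

def best_route(candidates):
    """Pick the route an AS would use: drop paths with valleys, then prefer
    the one learned from a customer, then a peer, then a provider; ties by length."""
    usable = [p for p in candidates if len(p) > 1 and is_valley_free(p)]
    if not usable:
        return None
    return min(usable, key=lambda p: (PREFERENCE[relation(p[0], p[1])], len(p)))
```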
Why Should We Care?
• Security solutions at Internet level must match Internet realities
• Some parties won’t do certain things
– Tier 1 won’t filter packets
• Others might
– Tier 3 might filter packets
• Don’t design solutions based on unrealistic assumptions
Autonomous Systems
• A key organizational concept for the Internet
• Abbreviated “AS”
• A subnetwork run by a single organization
– Whose machines are tightly connected together
• Identified by a unique number
• Often, Internet is viewed as a set of connected ASes
Internet Routing
• IP assumes the sites it visits know where to send a packet next
• Based on forwarding tables
– Except for the final destination
• How do we build and maintain these tables?
• Routing protocols
Routing Protocols
• Internet nodes exchange information about how to reach destinations
– Specified by ranges of IP addresses
• Different routing protocols used in different parts of the Internet
• Used to create forwarding tables
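A forwarding table of the kind the two slides above describe, as an added example (not code from the lecture): destinations are address ranges, and a lookup picks the most specific range that covers the packet's destination. The prefixes and next-hop names are constructed; 131.179.192.136 is the address the slides give for lever.cs.ucla.edu.

```python
# Added example (not from the lecture slides): a minimal IPv4 forwarding table.
# Routing protocols advertise destinations as address ranges (prefixes), and the
# forwarding lookup picks the most specific prefix that covers the destination.
# The prefixes and next-hop names are constructed; 131.179.192.136 is the
# address the slides give for lever.cs.ucla.edu.
import ipaddress

class ForwardingTable:
    def __init__(self):
        self.entries = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        """Install a route for an address range, e.g. "131.179.0.0/16"."""
        self.entries.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match: return the next hop of the most specific
        covering prefix, or None when nothing covers dst (no default route)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return None if best is None else best[1]

def build_table(with_default=True):
    """Constructed table: a /16 covering a campus, a more specific /24 for one
    department, and optionally a default route toward the provider."""
    table = ForwardingTable()
    if with_default:
        table.add("0.0.0.0/0", "provider-uplink")
    table.add("131.179.0.0/16", "campus-border")
    table.add("131.179.192.0/24", "cs-dept-router")
    # Relevant to the routing-security discussion later: the most specific
    # prefix always wins, and nothing in this lookup records who advertised it.
    return table
```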
Styles of Routing Protocols
• Link state protocols
– Pass around information about state of links
• Distance vector protocols
– Pass around information about how far away things are
• Path vector protocols
– Pass around paths that can reach various places
• Ad hoc protocols
– Search for paths as necessary (typically for mobile scenarios)
BGP
• A path vector protocol
• The core protocol for routing in the Internet backbone
• Autonomous systems exchange path information
• Can also be used within an AS
OSPF and RIP
• Protocols used within a single network
• Such as a large company’s network
• OSPF is a link state protocol
• RIP is a distance vector protocol
• Generally only suitable for networks of limited size
Security Issues for Routing Protocols
• Largely integrity and availability
• Generally, routing info is not regarded as secret
– Though perhaps some of it should be
• None of the original protocols include any integrity mechanisms
• We’ll discuss routing security in detail
Internet Naming
• At the low level, IP addresses are the names understood by the Internet
• But IP addresses are not convenient names for users
– No semantic meaning
• Tying a high level entity to an IP address is limiting
• So we need other names, as well
Goals of Standard Internet Naming
• To tie some high level name to an IP address
• Generally a name indicating some machine
– Or collection of machines working together
• Not to tie name to a particular data item or user
Internet Domain Names
• A string defining a resource on the Internet
– Like a web site, mail server, etc.
• Typically readable by humans
• Often 1-to-1 connection between domain name and a machine
– But not always
– Several machines can share domain name
– One machine can host several domain names
A Typical Domain Name
• lever.cs.ucla.edu
• My research group’s server at UCLA
• Its IP address is 131.179.192.136
• When a person or program wants to send data there, they use the name
• When the Internet delivers packets there, it uses the IP address
• Clearly, we need to translate
Format of Internet Domain Names
• The domain name is a string divided into components by dots
– lever.cs.ucla.edu
• A hierarchical organization
– Read right to left
– So “edu” is the “highest” level in the example
• Ultimately, translates down to one IP address
– Which might be different each time you ask . . .
Name Translation in the Internet
• Can be done many ways
• But almost always, we use DNS
• DNS = Domain Name Service
• A special service to do these translations
Basics of DNS
• A hierarchical name resolution system
• With lots of caching
• Integrity and availability are big concerns
– Secrecy isn’t
– Name translations are public info
• Basic version does not perform any integrity checking
• We’ll talk about security issues later
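The right-to-left, hierarchical resolution with caching that the name-format and DNS slides describe, as an added example (not code from the lecture and not a real DNS implementation). The address for lever.cs.ucla.edu is the one on the slide; the zone contents, server delegation and the 60-second TTL are constructed.

```python
# Added example (not from the lecture slides): a toy iterative resolver that
# walks a domain name right to left (edu -> ucla -> cs -> lever) through
# constructed zone data and caches every answer for a fixed TTL. The address for
# lever.cs.ucla.edu is the one on the slide; zone contents and the 60-second
# TTL are made up for illustration.
import time

# Constructed zone data: zone -> {label: ("NS", name of the child zone) or ("A", address)}
ZONES = {
    ".": {"edu": ("NS", "edu")},
    "edu": {"ucla": ("NS", "ucla.edu")},
    "ucla.edu": {"cs": ("NS", "cs.ucla.edu")},
    "cs.ucla.edu": {"lever": ("A", "131.179.192.136")},
}
TTL = 60  # seconds a cached translation is reused before asking again

class Resolver:
    def __init__(self, clock=time.time):
        self.cache = {}      # name -> (address, expiry time)
        self.clock = clock   # injectable so tests can advance time
        self.queries = 0     # zone lookups performed (cache hits do not count)

    def resolve(self, name):
        """Return the address for name, or None if no such name exists."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]  # served from cache, no zone is consulted
        zone = "."
        for label in reversed(name.rstrip(".").split(".")):  # hierarchy: right to left
            self.queries += 1
            record = ZONES[zone].get(label)
            if record is None:
                return None
            rtype, value = record
            if rtype == "NS":
                zone = value  # delegate to the child zone and keep walking
            else:
                # The basic service trusts whatever record the zone returns:
                # nothing here verifies the answer's origin before caching it.
                self.cache[name] = (value, now + TTL)
                return value
        return None  # ran out of labels while still being delegated
```

Each cache hit skips the whole walk, which is why cache contents, not just the authoritative zones, matter for the integrity concern the slide raises.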