Source: people.eecs.berkeley.edumesser/netappc/slides/19c.pdf
Copyright 1998, David G. Messerschmitt. All rights reserved. 4-Aug-99
Understanding Networked Applications: A First Course
Chapter 19: Protocol architecture
by David G. Messerschmitt
Summary
• Network architecture
• Internet protocols
• Some network security issues
Key ideas
• Packet encapsulation: one packet can be encapsulated in another
• Packet fragmentation: one packet can be split into two or more packets and encapsulated
• Protocol layering: one service can be layered on another by fragmentation and encapsulation
[Figure: packet encapsulated in another packet. The original packet, including its header, becomes the payload of a new packet that carries a new header; the encapsulated packet can itself be encapsulated again.]
[Figure: packet fragmentation. The original packet (header and payload) is divided into packet fragments, each carried as a new packet, and the fragments are reassembled into the original packet.]
[Figure: peer-to-peer communication. Layer n+1 at each end exchanges packets carrying the layer n+1 protocol header; each layer n+1 packet, including its header, is encapsulated in a layer n packet behind the layer n protocol header.]
Layered protocol modularity
• Layer n+1 protocol is logically peer-to-peer
• Layer n+1 protocol depends on services of layer n
• Layer n+1 packets are encapsulated in layer n packets
• Layer n+1 never sees layer n packet headers
• Layer n ignores layer n+1 packet headers (part of payload)
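The three key ideas (encapsulation, fragmentation, layering) as an added example that is not part of the slides: a layer n+1 packet with its own header is handed to layer n, which fragments it to fit a size limit, prefixes each fragment with a layer n header, and reassembles the fragments at the far end without ever interpreting the bytes it carries. Both header formats and the 8-byte size limit are invented for illustration, not a real protocol.

```python
import struct

MAX_LAYER_N_PAYLOAD = 8  # constructed size limit of the lower layer's packets

def build_upper(msg_type, payload):
    """Layer n+1 packet: a 1-byte type and 2-byte length header, then payload."""
    return struct.pack("!BH", msg_type, len(payload)) + payload

def fragment_and_encapsulate(upper_packet, pkt_id):
    """Layer n sender: split the whole layer n+1 packet (its header included)
    into fragments and put a layer n header (id, fragment index, count) on each."""
    frags = [upper_packet[i:i + MAX_LAYER_N_PAYLOAD]
             for i in range(0, len(upper_packet), MAX_LAYER_N_PAYLOAD)]
    return [struct.pack("!HBB", pkt_id, idx, len(frags)) + f
            for idx, f in enumerate(frags)]

def reassemble(lower_packets, pkt_id):
    """Layer n receiver: keep fragments of the given packet id, order them by
    index, strip the layer n headers and return the layer n+1 packet intact.
    Layer n never looks inside the bytes it carries."""
    by_index, total = {}, None
    for p in lower_packets:
        this_id, idx, count = struct.unpack("!HBB", p[:4])
        if this_id == pkt_id:
            by_index[idx], total = p[4:], count
    if total is None or len(by_index) != total:
        return None  # a fragment is missing: nothing can be handed upward
    return b"".join(by_index[i] for i in range(total))

def parse_upper(upper_packet):
    """Layer n+1 receiver: read its own header and return (type, payload)."""
    msg_type, length = struct.unpack("!BH", upper_packet[:3])
    payload = upper_packet[3:3 + length]
    return (msg_type, payload) if len(payload) == length else None

def round_trip(msg_type, payload, drop_fragment=None):
    """Send one layer n+1 packet down through layer n and back up; optionally
    drop one fragment in transit to show the missing-fragment case."""
    lower = fragment_and_encapsulate(build_upper(msg_type, payload), pkt_id=7)
    if drop_fragment is not None:
        lower = [p for i, p in enumerate(lower) if i != drop_fragment]
    lower = lower[::-1]  # fragments may arrive in a different order
    upper = reassemble(lower, pkt_id=7)
    return None if upper is None else parse_upper(upper)
```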
Key ideas (again)
• Packet encapsulation: one packet can be encapsulated in another
• Packet fragmentation: one packet can be split into two or more packets and encapsulated
• Protocol layering: one service can be layered on another by fragmentation and encapsulation
IETF/OMG Layers
[Figure: Host A and Host B each run Application over ORB over TCP or UDP over IP; IP also runs in the switch that joins Network 1 (N1) and Network 2 (N2). The layering is logical (peer-to-peer) at the upper layers, Application to Application and ORB to ORB via IIOP, and physical at the IP and network layers, where packets pass through the switch.]
Internet: logical view
[Figure: Host A and Host B, each running Application over TCP or UDP, communicating peer-to-peer.]
The constituent networks are not visible to the application; TCP/UDP does not reside in packet switches.
Internet: physical view
[Figure: Host A on Network 1 (N1) and Host B on Network 2 (N2), joined by a switch; IP runs in Host A, in the switch, and in Host B.]
IP serves to connect heterogeneous networks into an internetwork.
What IP does do
• Allow packets to traverse multiple networks
• Deliver packet to specified destination host
• Best effort: deliver as reliably and as soon as it can
What IP Doesn’t Do
• Guarantee latency for packets that are delivered
• Guarantee delivery, or notify source host if packet is not delivered
• Guarantee order of delivery
• Guarantee integrity of packet payload
• Maintain conversational context (each packet is independent)
• Specify which process should receive the packet at the destination host
IP header
[Figure: IP header laid out in 32-bit words: Version, Priority, Flow Label; Payload Length, Next Header, Hop Limit; Source Address; Destination Address.]
Transport services: UDP and TCP
• Direct packet to a particular process
• UDP adds:
– Payload integrity for packets delivered
• TCP adds:
– Reliable delivery of bytestream session
Comparison of services
[Figure: IP is host-to-host; TCP and UDP are process-to-process, running in the end hosts.]
IP: best-effort datagram
UDP: best-effort datagram with payload integrity
TCP: reliable bi-directional bytestream
UDP/TCP ports (publish/subscribe)
[Figure: IP is host-to-host; each process on a host is reached through a port. The UDP or TCP header begins with one 32-bit word holding the Source Port and Destination Port, followed by the rest of the UDP or TCP header, and is encapsulated in the IP packet.]
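The IP header slide and the port slide together, as an added example that is not from the slides: a decoder for the fixed IP header shown above and for the port word of the UDP/TCP header encapsulated in it, making concrete that IP names only hosts while the transport header names the processes. It assumes the field widths of the standardized IPv6 header (RFC 8200), in which the slide's "Priority" is an 8-bit traffic class and the flow label is 20 bits; the addresses, ports and payload are constructed.

```python
import ipaddress
import struct

NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP"}  # IP protocol numbers of the two transports

def parse_ip_header(packet):
    """Return the fields of the fixed 40-byte IP header and the payload bytes."""
    if len(packet) < 40:
        raise ValueError("truncated IP header")
    word0, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    header = {
        "version": version,
        "priority": (word0 >> 20) & 0xFF,   # the slide's Priority field (traffic class)
        "flow_label": word0 & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
    }
    payload = packet[40:40 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than the Payload Length field claims")
    return header, payload

def parse_ports(transport, payload):
    """Source and destination port: the first 32-bit word of both UDP and TCP."""
    if transport not in NEXT_HEADER_NAMES.values() or len(payload) < 4:
        return None
    return struct.unpack("!HH", payload[:4])

def describe(packet):
    """Host-to-host addresses from IP, process-to-process ports from transport."""
    ip, payload = parse_ip_header(packet)
    transport = NEXT_HEADER_NAMES.get(ip["next_header"], "other")
    return ip["src"], ip["dst"], transport, parse_ports(transport, payload)

def build_sample():
    """Constructed IPv6 packet carrying a UDP datagram (addresses and ports made up)."""
    src = ipaddress.IPv6Address("2001:db8::a").packed
    dst = ipaddress.IPv6Address("2001:db8::b").packed
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"data"  # 8-byte UDP header + 4 bytes
    word0 = (6 << 28) | 0xABCDE                              # version 6, flow label
    return struct.pack("!IHBB", word0, len(udp), 17, 64) + src + dst + udp
```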
HTTP Service
• Client can make requests
– GET (pull)
– POST (push)
– (some others)
• Server responds
– HTTP headers
– HTML document
• or JPEG, or GIF, or…
URL Structure
• <scheme>://<host>:<port>/<path>
• Scheme
– HTTP, FTP, GOPHER, MAILTO, ...
• Host
– An IP address or DNS name
• Port
– TCP port number
– Optional (defaults to 80 for http)
HTTP example
• When a browser fetches http://www.si.umich.edu/~presnick/
– http:// says to use HTTP protocol
– Resolve www.si.umich.edu in DNS
• 141.211.203.34
– Make TCP connection
• 141.211.203.34, port 80
– Send the following text string
• GET /~presnick/
Server sends back
HTTP/1.1 200 OK
Date: Mon, 22 Dec 1997 15:12:32 GMT
Server: Apache/1.2.4
Last-Modified: Thu, 04 Dec 1997 16:26:10 GMT
ETag: "5f2f2-33fd-3486d9a2"
Content-Length: 13309
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
<HTML> ….
HTML
<H1>Paul Resnick</H1>
<IMG SRC="RESNICK.gif" ALT="[PHOTO]" HSPACE=10 ALIGN=LEFT>
<BR>Associate Professor
<BR>University of Michigan
<BR>School of Information
<BR>314 West Hall
<BR>550 East University Avenue
<BR>Ann Arbor, MI 48109-1092
<BR>[email protected]
What Browsers Send to Servers
• Your IP address
• The browser type
• The referer link
– What URL you last looked at
• Cookies (persistent client state for a URL)
– Server response can include a set-cookie header
– Browser saves the cookie
– Browser resends to server next time
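The server response shown earlier and the cookie round trip described above, as an added example that is not from the slides: a small parser for an HTTP/1.1 response, and a minimal browser that saves the cookie from a Set-Cookie header and resends it in a Cookie header on its next request to the same host. The response text, the host name and the cookie value are constructed.

```python
def parse_response(raw):
    """Split an HTTP response into status line, header list and body; the
    headers end at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}

def header_values(resp, name):
    """All values of a header (names are case-insensitive)."""
    return [v for n, v in resp["headers"] if n == name.lower()]

class Browser:
    """Minimal client state: the cookies saved per host."""
    def __init__(self):
        self.cookies = {}  # host -> {cookie name: value}

    def receive(self, host, resp):
        """Save the cookie from each set-cookie header in the response."""
        for sc in header_values(resp, "set-cookie"):
            name, _, value = sc.split(";", 1)[0].partition("=")  # drop attributes
            self.cookies.setdefault(host, {})[name.strip()] = value.strip()

    def request(self, host, path):
        """Build the next GET request, resending any saved cookies for the host."""
        lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host]
        jar = self.cookies.get(host)
        if jar:
            lines.append("Cookie: " + "; ".join("%s=%s" % kv for kv in jar.items()))
        return "\r\n".join(lines) + "\r\n\r\n"

SAMPLE_RESPONSE = (  # constructed, modelled on the server response shown above
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.2.4\r\n"
    "Content-Length: 13\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<HTML></HTML>"
)

def demo(host="www.example.com"):
    """Receive the sample response, then build the follow-up request."""
    browser = Browser()
    resp = parse_response(SAMPLE_RESPONSE)
    browser.receive(host, resp)
    return resp["status"], browser.request(host, "/~presnick/")
```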
How TCP works
Aggregating byte stream
[Figure: the original bytes are aggregated and encapsulated in TCP packets, with a sequence number included in the TCP header; the TCP packets are in turn encapsulated in IP packets.]
TCP connections
• TCP establishes a session with ordered and bidirectional reliable delivery of bytes
– Establishment:
• Inform receiving port of connection
• Initialize packet sequence number
• Congestion and flow control state
– Disestablishment
• By either peer
• Free state and resources
HTTP uses TCP
• Often have to request another page
– e.g., image
• HTTP/1.0 requires a new TCP session for each
– Overhead of session establishment
• HTTP/1.1 permits reuse of one TCP session for multiple requests
Reliable packet delivery: acknowledgement and resending
[Figure: the source sends TCP packets to the destination, which returns an ACK for each; IP is used to send the TCP packets and return the ACKs. When IP loses a packet no ACK arrives, the source times out, and it resends the packet.]
[Figure: concurrent tasks for higher throughput. The source keeps several packets outstanding at once, each acknowledged separately; packets can be reordered using the sequence number.]
TCP Congestion
• If link is congested
– Switch queue for that link fills up
– Drops packets
• Source resends non-ACK’ed packets
– Makes congestion worse
TCP Congestion Control
• Voluntary source-imposed policy
– Source controls the number of non-ACK’ed packets that have been sent
• Controls the number of concurrent sends, and hence packet throughput
– Slow start, slowly increase rate
– Monitor non-ACK’s and delay of ACK’s to estimate congestion
– Quickly decrease if congestion detected
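The reliable-delivery figures and the congestion-control slide above, as an added simulation that is not from the slides: sequence-numbered packets cross a lossy channel, the receiver ACKs what arrives and reorders by sequence number, the source resends whatever is unacknowledged after a timeout, and it bounds the number of non-ACK'ed packets in flight with a window that grows while ACKs arrive and is cut in half when loss is detected. It is simplified (packet rather than byte sequence numbers, one timeout per round, a constructed loss pattern) and real TCP differs in detail.

```python
def simulate(data, drop_rounds, initial_window=1, max_window=8):
    """Deliver the list `data` reliably. drop_rounds maps a round number to
    the set of sequence numbers the channel loses in that round (constructed)."""
    window = initial_window
    next_seq = 0        # next sequence number to send for the first time
    unacked = {}        # seq -> payload awaiting ACK; resent after the timeout
    received = {}       # receiver buffer keyed by seq, so order is recoverable
    rounds = 0
    trace = []          # (round, window, seqs sent, seqs lost) for inspection
    while len(received) < len(data):
        rounds += 1
        # Timed-out packets are resent first, then new ones, but never more
        # than `window` packets in flight in this round.
        to_send = sorted(unacked)
        while len(to_send) < window and next_seq < len(data):
            to_send.append(next_seq)
            next_seq += 1
        lost = drop_rounds.get(rounds, set()) & set(to_send)
        for seq in to_send:
            unacked[seq] = data[seq]
            if seq not in lost:
                received[seq] = data[seq]   # the channel delivered it
                del unacked[seq]            # and its ACK came back
        trace.append((rounds, window, tuple(to_send), tuple(sorted(lost))))
        if lost:
            window = max(1, window // 2)            # non-ACKs signal congestion
        else:
            window = min(max_window, window * 2)    # slow start while clear
    # The receiver hands bytes up in sequence order whatever the arrival order.
    stream = [received[i] for i in range(len(data))]
    return stream, rounds, trace

def demo():
    """Ten packets over a channel that loses packet 3 in round 3 and packet 7
    in round 4; returns whether the stream was intact, the round count, and
    the window size used in each round."""
    data = list(range(10))
    stream, rounds, trace = simulate(data, {3: {3}, 4: {7}})
    return stream == data, rounds, [t[1] for t in trace]
```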
TCP congestion control flaws
• “Fairness criterion”
– Maybe “equal division” of resources is not what is wanted
• Estimating congestion by retransmission is flawed for wireless links
• Depends on accurate implementation -- cheating possible
• Application can avoid congestion control by using UDP
TCP Flow Control
• Recall that this is to keep the recipient from being overwhelmed
• Recipient must control source
• Recipient explicitly requests lower send rate
– MaxUnackedPackets is a parameter of ACK’s
Multicasting
[Figure: nodes A, B, C, and D.]
• So far, we’ve assumed node A sends to B
• Multicasting: node A sends same message to B, C, and D
– Could set up A-B, A-C, and A-D connections
– But A becomes a bottleneck
• Handling ACKs and resends
– And it’s inefficient
• Some intermediate nodes may receive the message several times
• Multicast protocols try to have A send only once
– Intermediate nodes do more work
Domain Name System
[Figure: DNS name-server hierarchy. The “root” name servers (NS) delegate berkeley.edu to its name server, which in turn delegates eecs.berkeley.edu and sims.berkeley.edu to their name servers; each name server knows the hosts of its own zone.]
[Figure: resolving info.sims.berkeley.edu and tj.watson.ibm.com. A host delegates the name search to its local name server, which follows the delegations from the “root” name server to the berkeley.edu and then sims.berkeley.edu name servers (or to the watson.ibm.com name server); the local server caches recent search results.]
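The delegated search in the figure above, as an added example that is not from the slides: a local name server walks from the "root" down the delegation tree, one query per zone, and caches what it learns so a repeated lookup costs no queries. The zone data, the watson.ibm.com delegation from the root, and the addresses are constructed; no real DNS traffic is sent.

```python
# Constructed name-server data (no real DNS queries are made): each server
# knows the hosts of its own zone and the zones delegated beneath it.
SERVERS = {
    "root": {"delegations": ["berkeley.edu", "watson.ibm.com"], "hosts": {}},
    "berkeley.edu": {"delegations": ["eecs.berkeley.edu", "sims.berkeley.edu"],
                     "hosts": {}},
    "eecs.berkeley.edu": {"delegations": [], "hosts": {}},
    "sims.berkeley.edu": {"delegations": [],
                          "hosts": {"info.sims.berkeley.edu": "2001:db8::1"}},
    "watson.ibm.com": {"delegations": [],
                       "hosts": {"tj.watson.ibm.com": "2001:db8::2"}},
}

def ask(server, name):
    """One query to one name server: an answer, a referral to a lower zone, or nothing."""
    zone = SERVERS[server]
    if name in zone["hosts"]:
        return "answer", zone["hosts"][name]
    for sub in zone["delegations"]:
        if name == sub or name.endswith("." + sub):
            return "referral", sub
    return "none", None

class LocalNameServer:
    """The server a host delegates its searches to; it caches recent results."""
    def __init__(self):
        self.cache = {}    # name -> address learned from earlier searches
        self.queries = []  # (server asked, name), to show the work a cache saves

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]
        server = "root"
        while True:
            self.queries.append((server, name))
            kind, value = ask(server, name)
            if kind == "answer":
                self.cache[name] = value   # later lookups trust this cached entry
                return value
            if kind == "referral":
                server = value             # follow the delegation one level down
                continue
            return None                    # no server on the path knows the name

def demo():
    """Resolve the two names in the figure; the repeat lookup is served from cache."""
    ns = LocalNameServer()
    a1 = ns.resolve("info.sims.berkeley.edu")
    after_first = len(ns.queries)
    a2 = ns.resolve("info.sims.berkeley.edu")
    a3 = ns.resolve("tj.watson.ibm.com")
    return a1, a2, a3, after_first, len(ns.queries)
```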
Supplements

Network security
Network security
• Some things to worry about:
– Sniffing
– Spoofing
– Security flaws in public servers
Improving security
• Security tools covered earlier
• Firewalls: a place where security policies can be enforced
– Who gains access
– What servers (ports) can be accessed
– What hosts can be accessed
– What protocols can pass
– Other security policies can be enforced
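The four policy questions listed above, as an added example that is not from the slides: a minimal packet-filter policy of the kind a firewall enforces, with rules on who (source network), which hosts, which server ports and which protocols, evaluated first-match with a default of deny and a log of what was refused. The enclave, the public host, the rules and the sample packets are all constructed.

```python
import ipaddress

# Constructed policy data: a protected enclave and one public web host in it.
ENCLAVE = ipaddress.ip_network("192.0.2.0/24")
PUBLIC_WEB = ipaddress.ip_address("192.0.2.10")

# Each rule names who (source network), what host, what server port and what
# protocol it applies to; None means "any". First match wins; no match = deny.
RULES = [
    {"why": "anyone may reach the public web server", "proto": "tcp",
     "src": None, "dst": PUBLIC_WEB, "dport": 80, "action": "allow"},
    {"why": "enclave hosts may fetch web pages outside", "proto": "tcp",
     "src": ENCLAVE, "dst": None, "dport": 80, "action": "allow"},
    {"why": "enclave hosts may look up names", "proto": "udp",
     "src": ENCLAVE, "dst": None, "dport": 53, "action": "allow"},
]

def matches(rule, pkt):
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"]) and
            (rule["src"] is None or src in rule["src"]) and
            (rule["dst"] is None or dst == rule["dst"]) and
            (rule["dport"] is None or rule["dport"] == pkt["dport"]))

def decide(pkt):
    """Return (action, reason) for one packet; unmatched traffic is denied."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule["action"], rule["why"]
    return "deny", "default deny: no rule permits this traffic"

def filter_packets(pkts):
    """Decide each packet and return the denied ones, as a firewall log would."""
    denied = []
    for pkt in pkts:
        action, why = decide(pkt)
        if action == "deny":
            denied.append((pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"], why))
    return denied

SAMPLE_PACKETS = [  # constructed: source, destination, protocol, destination port
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},
    {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 22},
    {"src": "192.0.2.5", "dst": "198.51.100.9", "proto": "tcp", "dport": 80},
    {"src": "192.0.2.5", "dst": "198.51.100.9", "proto": "udp", "dport": 6000},
]
```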
[Figure: a firewall between the global Internet and the bastion hosts and public hosts; a second firewall between those and the internal hosts of the protected enclave.]
Problems with firewalls
• “Benign internal users” assumption is naïve
• Obstacle to deployment of innovative applications and services
• Increasingly organizations want to extend extranet to suppliers and customers
• Solution: resource-based rather than enclave-based security
– Analogy: border patrol not enough, need secure buildings and vehicles, guards, police, etc.
Where to use encryption
• Per link (wireless)
• Firewall-to-firewall (extranet)
• Host-to-host (IPsec)
• Process-to-process (TCP-SSL)
• Application
What are some strengths and weaknesses in these approaches?
Packet structure
Header:
– Information for switches
– Serves as protocol message
Payload:
– Data for application
– Ignored by network and protocol (qualification: may also be an encapsulated packet)
Packet length limited by network policy
Protocol endpoints
[Figure: IP is host-to-host; TCP and UDP are process-to-process, terminating in the processes on each host.]
Internetworking layer focuses on getting datagrams from one host to another
Transport layer focuses on process-to-process communication services
Addresses vs. names
Address: 128 bits (network, host); specifies topological location of host to the network
Name: info.sims.berkeley.edu; easy to remember or construct and reflects administrative boundaries
Issues in congestion control
• Social issue: how do we divide limited network resources among users/applications?
• Approaches:
– Voluntary (e.g. UDP)
• “Bad citizen” is rewarded
– Policy driven (e.g. TCP)
– Incentivized (e.g. pricing)
Advantages of pricing-based congestion control
• Policies can never take into account the “importance” of traffic
• Users and applications are forced to consider the common resource implications of their actions
• Users and applications can choose the most “important” traffic for periods of congestion
– Shift other traffic to off-peak times
• Source of revenue to expand capacity
Technical approaches to congestion control
• Source-driven throttle algorithm
– Voluntary, policy, or incentive driven
• Network-driven
– Must use fairness criteria
– Network-to-source flow control
– Network access enforcement (policing)
• Traffic priorities allow source to control what traffic is discarded
Undesirability of fixed pricing per unit of capacity
[Figure: willingness to pay for one more unit of capacity, D(c), plotted against capacity c from 0 to cmax, with a fixed price p per unit; the figure marks the revenue gained and the revenue lost in reducing capacity from c to c’.]
Downsides of pricing
• Infrastructure for
– Usage monitoring
– Congestion monitoring
– QoS configuration
– Billing
• Operational costs
• How do costs compare to the benefits?