
Understanding Networked Applications: A First Course

Chapter 19: Protocol architecture

by David G. Messerschmitt

Copyright 1998, David G. Messerschmitt. All rights reserved. 4-Aug-99

Source slides: people.eecs.berkeley.edumesser/netappc/Slides/19c.pdf


Summary

• Network architecture

• Internet protocols

• Some network security issues


Key ideas

• Packet encapsulation: one packet can be encapsulated in another

• Packet fragmentation: one packet can be split into two or more packets and encapsulated

• Protocol layering: one service can be layered on another by fragmentation and encapsulation


Figure: packet encapsulation. The original packet (including its header) becomes the payload of a new packet behind a new header; the encapsulated packet can itself be encapsulated again.


Figure: packet fragmentation. The original packet (header and payload) is divided into packet fragments, each carried in a new packet; at the far end the fragments are reassembled into the original packet.


Figure: peer-to-peer communication between layers. Layer n+1 on each side talks logically to its peer; the layer n+1 packet, including its protocol header, is encapsulated behind the layer n protocol header and carried by layer n.


Layered protocol modularity

• Layer n+1 protocol is logically peer-to-peer

• Layer n+1 protocol depends on services of layer n

• Layer n+1 packets are encapsulated in layer n packets

• Layer n+1 never sees layer n packet headers

• Layer n ignores layer n+1 packet headers (part of payload)
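An added example, not from the slides, that implements the three key ideas with a constructed toy header: a layer n packet that carries a complete layer n+1 packet as opaque payload, fragmentation to a link MTU, and a reassembler that refuses overlapping or oversized fragments instead of trusting the sender. The header layout, `Reassembler` and `demo` are my own assumptions and not a real protocol.

```python
import struct

# Constructed toy header (not a real protocol): layer id, packet id, fragment
# offset, flags (bit 0 = more fragments follow), payload length.
HDR = struct.Struct("!BHHBH")   # 8 bytes

def encapsulate(layer, pkt_id, payload, offset=0, more=False):
    """Layer n prepends its header; the layer n+1 packet, header and all, is payload."""
    return HDR.pack(layer, pkt_id, offset, 1 if more else 0, len(payload)) + payload

def decapsulate(packet):
    """Strip one header, checking the length field against the bytes actually present."""
    if len(packet) < HDR.size:
        raise ValueError("packet shorter than header")
    layer, pkt_id, offset, flags, length = HDR.unpack_from(packet)
    payload = packet[HDR.size:HDR.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return layer, pkt_id, offset, bool(flags & 1), payload

def fragment(layer, pkt_id, upper_packet, mtu):
    """Split an upper-layer packet into layer-n packets of at most mtu bytes."""
    chunk = mtu - HDR.size
    if chunk <= 0:
        raise ValueError("mtu leaves no room for payload")
    return [encapsulate(layer, pkt_id, upper_packet[o:o + chunk], o,
                        more=o + chunk < len(upper_packet))
            for o in range(0, len(upper_packet), chunk)]

class Reassembler:
    """Rebuilds upper-layer packets from fragments arriving in any order.
    Overlapping fragments and oversize results are rejected, not silently merged."""
    def __init__(self, max_len=65535):
        self.max_len, self.parts, self.total = max_len, {}, {}

    def add(self, frag):
        _, pkt_id, offset, more, payload = decapsulate(frag)
        if offset + len(payload) > self.max_len:
            raise ValueError("reassembled packet would exceed max_len")
        slots = self.parts.setdefault(pkt_id, {})
        for o, p in slots.items():
            if offset < o + len(p) and o < offset + len(payload):
                raise ValueError("overlapping fragment")
        slots[offset] = payload
        if not more:                       # the last fragment fixes the total length
            self.total[pkt_id] = offset + len(payload)
        end = 0
        for o in sorted(slots):            # complete only when contiguous from offset 0
            if o != end:
                return None
            end += len(slots[o])
        if end != self.total.get(pkt_id):
            return None
        del self.parts[pkt_id], self.total[pkt_id]
        return b"".join(slots[o] for o in sorted(slots))

def demo(mtu=16):
    """Constructed round trip: layer 1 packet -> layer 2 fragments, delivered reversed."""
    upper = encapsulate(1, 42, b"hello, layered world")   # 8-byte header + 20 bytes
    frags = fragment(2, 42, upper, mtu)
    result, rx = None, Reassembler()
    for f in reversed(frags):
        result = rx.add(f)
    return decapsulate(result)[4], len(frags)
```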


Key ideas (again)

• Packet encapsulation: one packet can be encapsulated in another

• Packet fragmentation: one packet can be split into two or more packets and encapsulated

• Protocol layering: one service can be layered on another by fragmentation and encapsulation


IETF/OMG layers

Figure: physical view: Host A on Network 1 (N1), a Switch, and Host B on Network 2 (N2), with IP running in both hosts and in the switch. Logical (peer-to-peer) layering between Host A and Host B: TCP or UDP, then IIOP, then ORB, then Application.


Internet: logical view

Figure: Application over TCP or UDP on Host A talks peer-to-peer to Application over TCP or UDP on Host B.

The constituent networks are not visible to the application; TCP/UDP does not reside in packet switches.


Internet: physical view

Figure: Host A on Network 1 (N1), a Switch, and Host B on Network 2 (N2), with IP running in Host A, the Switch and Host B.

IP serves to connect heterogeneous networks into an internetwork.


What IP does do

• Allow packets to traverse multiple networks

• Deliver packet to specified destination host

• Best effort: deliver as reliably and as soon as it can


What IP Doesn’t Do

• Guarantee latency for packets that are delivered

• Guarantee delivery, or notify source host if packet is not delivered

• Guarantee order of delivery

• Guarantee integrity of packet payload

• Maintain conversational context (each packet is independent)

• Specify which process should receive the packet at the destination host


IP header

Figure: the IP header drawn 32 bits wide. First row: Version, Priority, Flow Label. Second row: Payload Length, Next Header, Hop Limit. Then the Source Address and the Destination Address.
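The header drawn above is the fixed IPv6 header; RFC 2460 calls the slide's Priority field Traffic Class (8 bits) and leaves a 20-bit Flow Label, which is the layout used here. As an added example that is not part of the slides, this parser checks the Version and the Payload Length against the bytes actually received before handing a payload to the next layer; the builder exists only to construct the sample packet, and the 2001:db8:: addresses are documentation placeholders.

```python
import ipaddress
import struct

IPV6_HDR = struct.Struct("!IHBB16s16s")   # 40-byte fixed header, network byte order

def parse_ipv6_header(buf):
    """Parse the fixed IPv6 header and validate it against the bytes received.
    Returns a dict of fields plus the payload, or raises ValueError."""
    if len(buf) < IPV6_HDR.size:
        raise ValueError("buffer shorter than the 40-byte header")
    word0, payload_len, next_header, hop_limit, src, dst = IPV6_HDR.unpack_from(buf)
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"version {version} is not 6")
    if len(buf) - IPV6_HDR.size < payload_len:     # never trust a length field blindly
        raise ValueError("Payload Length exceeds bytes present")
    return {
        "version": version,
        "priority": (word0 >> 20) & 0xFF,          # 'Priority' on the slide, Traffic Class in RFC 2460
        "flow_label": word0 & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_header,                # 6 = TCP, 17 = UDP
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "payload": buf[IPV6_HDR.size:IPV6_HDR.size + payload_len],
    }

def build_ipv6_packet(src, dst, payload, next_header=17, hop_limit=64,
                      priority=0, flow_label=0):
    """Inverse of the parser; used here only to construct sample input."""
    word0 = (6 << 28) | ((priority & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return IPV6_HDR.pack(word0, len(payload), next_header, hop_limit,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed) + payload

def is_valid(buf):
    """True if the buffer carries a well-formed, complete IPv6 packet."""
    try:
        parse_ipv6_header(buf)
        return True
    except ValueError:
        return False

def demo():
    # Constructed sample: documentation-prefix addresses, a UDP payload
    pkt = build_ipv6_packet("2001:db8::1", "2001:db8::2", b"udp payload here",
                            priority=3, flow_label=0xABCDE)
    # Also check a packet cut short and one whose first byte says version 4
    return parse_ipv6_header(pkt), is_valid(pkt[:-4]), is_valid(b"\x45" + pkt[1:])
```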


Transport services: UDP and TCP

• Direct packet to a particular process

• UDP adds:
  – Payload integrity for packets delivered

• TCP adds:
  – Reliable delivery of bytestream session


Comparison of services

Figure: IP is host-to-host; TCP and UDP are process-to-process between processes on the two hosts.

IP: best-effort datagram

UDP: best-effort datagram with payload integrity

TCP: reliable bi-directional bytestream (byte byte byte ...)


UDP/TCP ports (publish/subscribe)

Figure: IP is host-to-host; a port identifies the process within the host at each end. The UDP or TCP header starts with a 32-bit word holding the Source Port and Destination Port, followed by the rest of the UDP or TCP header; the whole is encapsulated in an IP packet.


HTTP Service

• Client can make requests
  – GET (pull)
  – POST (push)
  – (some others)

• Server responds
  – HTTP headers
  – HTML document
    • or JPEG, or GIF, or ...


URL Structure

• <scheme>://<host>:<port>/<path>

• Scheme
  – HTTP, FTP, GOPHER, MAILTO, ...

• Host
  – An IP address or DNS name

• Port
  – TCP port number
  – Optional (defaults to 80 for http)


HTTP example

• When a browser fetches http://www.si.umich.edu/~presnick/
  – http:// says to use HTTP protocol
  – Resolve www.si.umich.edu in DNS
    • 141.211.203.34
  – Make TCP connection
    • 141.211.203.34, port 80
  – Send the following text string
    • GET /~presnick/


Server sends back

HTTP/1.1 200 OK

Date: Mon, 22 Dec 1997 15:12:32 GMT

Server: Apache/1.2.4

Last-Modified: Thu, 04 Dec 1997 16:26:10 GMT

ETag: "5f2f2-33fd-3486d9a2"

Content-Length: 13309

Accept-Ranges: bytes

Connection: close

Content-Type: text/html

<HTML> ….
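An added example, not the slides' own code, that walks the URL structure and HTTP example above: parse a URL of the form shown (port optional, 80 for http), build the request a browser sends once the TCP connection is up (HTTP/1.1 with a Host header rather than the bare `GET /~presnick/` on the slide), and parse a response laid out like the one above, accepting the body only when Content-Length agrees with what actually arrived. The sample response is constructed with a short body; the function names are mine.

```python
import re

URL_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<host>[^/:?#\s]+)"
                    r"(?::(?P<port>\d{1,5}))?(?P<path>/\S*)?$")
DEFAULT_PORTS = {"http": 80}   # port is optional and defaults to 80 for http

def parse_url(url):
    """<scheme>://<host>:<port>/<path> -> (scheme, host, port, path)."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not a <scheme>://<host>:<port>/<path> URL")
    scheme = m["scheme"].lower()
    port = int(m["port"]) if m["port"] else DEFAULT_PORTS.get(scheme)
    if port is None or not 0 < port < 65536:
        raise ValueError("no usable port for this URL")
    return scheme, m["host"], port, m["path"] or "/"

def build_get(url):
    """The text string the browser sends once the TCP connection is made."""
    scheme, host, port, path = parse_url(url)
    if scheme != "http":
        raise ValueError("only http is handled here")
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n", (host, port)

def parse_response(raw):
    """Split status line, headers and body; honour Content-Length only if it is sane."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"^HTTP/\d\.\d (\d{3}) ", lines[0])
    if not m:
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        name = name.strip().lower()
        if name in headers:                 # ambiguous framing: refuse rather than guess
            raise ValueError(f"duplicate header {name}")
        headers[name] = value.strip()
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("non-numeric Content-Length")
        n = int(headers["content-length"])
        if len(body) < n:
            raise ValueError(f"body truncated: {len(body)} of {n} bytes")
        body = body[:n]
    return int(m.group(1)), headers, body

# Constructed response in the shape of the slide, with a short body
BODY = b"<HTML><H1>Paul Resnick</H1></HTML>"
SAMPLE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 22 Dec 1997 15:12:32 GMT\r\n"
          b"Server: Apache/1.2.4\r\nContent-Length: " + str(len(BODY)).encode() +
          b"\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n" + BODY)

def demo():
    return build_get("http://www.si.umich.edu/~presnick/"), parse_response(SAMPLE)
```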


HTML

<H1>Paul Resnick</H1>
<IMG SRC="RESNICK.gif" ALT="[PHOTO]" HSPACE=10 ALIGN=LEFT>
<BR>Associate Professor
<BR>University of Michigan
<BR>School of Information
<BR>314 West Hall
<BR>550 East University Avenue
<BR>Ann Arbor, MI 48109-1092
<BR>[email protected]


What Browsers Send to Servers

• Your IP address

• The browser type

• The referer link
  – What URL you last looked at

• Cookies (persistent client state for a URL)
  – Server response can include a set-cookie header
  – Browser saves the cookie
  – Browser resends to server next time

How TCP works

Aggregating byte stream

Figure: the byte stream (byte byte byte ...) is grouped into runs of bytes. Original bytes are aggregated and encapsulated in TCP packets, with a sequence number included in the TCP header. The TCP packets are encapsulated in IP packets.


TCP connections

• TCP establishes a session with ordered and bidirectional reliable delivery of bytes
  – Establishment:
    • Inform receiving port of connection
    • Initialize packet sequence number
    • Congestion and flow control state
  – Disestablishment
    • By either peer
    • Free state and resources


HTTP uses TCP

• Often have to request another page
  – e.g., image

• HTTP/1.0 requires a new TCP session for each
  – Overhead of session establishment

• HTTP/1.1 permits reuse of one TCP session for multiple requests


Reliable packet delivery: acknowledgement and resending

Figure: two Source-to-Destination timelines. Left: the source sends a packet and the destination returns an ACK. Right: IP loses the packet, no ACK comes back, a timeout expires at the source and the packet is resent, after which the ACK returns. IP is used to send TCP packets and return ACKs; IP loses packets.


Figure: several packets in flight at once between Source and Destination, each answered by its own ACK. Concurrent tasks give higher throughput; packets can be reordered using the sequence number.


TCP Congestion

• If link is congested
  – Switch queue for that link fills up
  – Drops packets

• Source resends non-ACK’ed packets
  – Makes congestion worse


TCP Congestion Control

• Voluntary source-imposed policy
  – Source controls the number of non-ACK’ed packets that have been sent
    • Controls the number of concurrent sends, and hence packet throughput
  – Slow start, slowly increase rate
  – Monitor non-ACK’s and delay of ACK’s to estimate congestion
  – Quickly decrease if congestion detected
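An added simulation, mine and not from the slides, of the mechanisms on the last four slides: a receiver that reorders segments by sequence number and returns a cumulative ACK, and a sender that keeps a window of non-ACK'ed segments, doubles it during slow start, and on a missing ACK halves its threshold and restarts from one segment. The loss model (a set of (sequence number, attempt) pairs the "network" drops), the reverse-order delivery and the round-based timing are constructed simplifications of real TCP.

```python
class Receiver:
    """Reorders segments by sequence number and delivers a contiguous byte stream."""
    def __init__(self):
        self.expected, self.held, self.stream = 0, {}, bytearray()

    def receive(self, seq, data):
        if seq >= self.expected:
            self.held.setdefault(seq, data)   # out-of-order data is held, not dropped
        while self.expected in self.held:     # deliver everything that is now contiguous
            chunk = self.held.pop(self.expected)
            self.stream += chunk
            self.expected += len(chunk)
        return self.expected                  # cumulative ACK: next byte wanted

class Sender:
    """Window of non-ACK'ed segments: slow start up, on timeout halve and restart."""
    def __init__(self, data, mss, lost):
        self.data, self.mss = data, mss
        self.lost = lost                  # constructed loss model: {(seq, attempt)} the network drops
        self.cwnd, self.ssthresh = 1, 4   # window in segments; slow start below ssthresh
        self.acked, self.attempts, self.history = 0, {}, []

    def round_trip(self, rx):
        """One round trip: send up to cwnd segments from the oldest non-ACK'ed byte."""
        seq, sent = self.acked, []
        while len(sent) < self.cwnd and seq < len(self.data):
            chunk = self.data[seq:seq + self.mss]
            n = self.attempts[seq] = self.attempts.get(seq, 0) + 1
            sent.append((seq, chunk, (seq, n) not in self.lost))
            seq += len(chunk)
        for s, chunk, arrives in reversed(sent):   # IP may reorder: deliver backwards
            if arrives:
                self.acked = max(self.acked, rx.receive(s, chunk))
        if self.acked >= seq:                      # every segment sent was ACK'ed
            self.cwnd = self.cwnd * 2 if self.cwnd < self.ssthresh else self.cwnd + 1
        else:                                      # timeout: treat the loss as congestion
            self.ssthresh, self.cwnd = max(self.cwnd // 2, 1), 1
        self.history.append(self.cwnd)

    def run(self, rx, max_rounds=50):
        while self.acked < len(self.data) and len(self.history) < max_rounds:
            self.round_trip(rx)
        return bytes(rx.stream)

def demo():
    """Constructed case: 40 bytes in 5-byte segments, the segment at seq 15 lost once."""
    data = b"0123456789" * 4
    rx, tx = Receiver(), Sender(data, mss=5, lost={(15, 1)})
    delivered = tx.run(rx)
    return delivered == data, tx.history, tx.attempts[15]
```

The returned window history shows slow start (1, 2, 4 segments), the collapse to 1 when the ACK for seq 15 never arrives, and the slower linear growth once the halved threshold is reached.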


TCP congestion control flaws

• “Fairness criterion”
  – Maybe “equal division” of resources is not what is wanted

• Estimating congestion by retransmission is flawed for wireless links

• Depends on accurate implementation -- cheating possible

• Application can avoid congestion control by using UDP


TCP Flow Control

• Recall that this is to keep the recipient from being overwhelmed

• Recipient must control source

• Recipient explicitly requests lower send rate
  – MaxUnackedPackets is a parameter of ACK’s


Multicasting

Figure: node A with links to nodes B, C and D.

• So far, we’ve assumed node A sends to B

• Multicasting: node A sends same message to B, C, and D
  – Could set up A-B, A-C, and A-D connections
  – But A becomes a bottleneck
    • Handling ACKs and resends
  – And it’s inefficient
    • Some intermediate nodes may receive the message several times

• Multicast protocols try to have A send only once
  – Intermediate nodes do more work

Domain Name System


Figure: DNS hierarchy. The “root” name server (NS) delegates berkeley.edu to its NS, which in turn delegates eecs.berkeley.edu and sims.berkeley.edu to their own name servers; the sims.berkeley.edu NS holds the records for its hosts.


Figure: resolving names through delegation. To find info.sims.berkeley.edu, the local name server asks the “root” NS, which refers it to the berkeley.edu NS, which refers it to the sims.berkeley.edu NS that holds the answer; tj.watson.ibm.com is found the same way through the watson.ibm.com NS.

Delegate name search to local name server

Local server caches recent search results
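An added example that is not part of the slides: a local name server that resolves a name by walking the delegations in the two figures above (root, then berkeley.edu, then sims.berkeley.edu; the slides collapse the .edu and .com levels and so does this code) and caches each result, negative answers included, for a TTL. The zone data, the query-count bookkeeping and the 192.0.2.x addresses are constructed placeholders, not real DNS records.

```python
import time

# Constructed authoritative data following the slides' hierarchy; addresses are
# documentation-range placeholders. Each zone lists the child zones it delegates
# and the hosts it answers for itself.
ZONES = {
    ".": {"delegations": ["berkeley.edu", "watson.ibm.com"], "hosts": {}},
    "berkeley.edu": {"delegations": ["sims.berkeley.edu", "eecs.berkeley.edu"], "hosts": {}},
    "sims.berkeley.edu": {"delegations": [], "hosts": {"info.sims.berkeley.edu": "192.0.2.10"}},
    "eecs.berkeley.edu": {"delegations": [], "hosts": {}},
    "watson.ibm.com": {"delegations": [], "hosts": {"tj.watson.ibm.com": "192.0.2.20"}},
}

def authoritative_query(zone, name):
    """Answer as the NS for zone: ('answer', addr), ('referral', child) or ('nxdomain', None)."""
    z = ZONES[zone]
    if name in z["hosts"]:
        return "answer", z["hosts"][name]
    for child in z["delegations"]:
        if name == child or name.endswith("." + child):
            return "referral", child          # go and ask the child zone's name server
    return "nxdomain", None

class LocalNameServer:
    """The local server the client delegates its search to; caches recent results."""
    def __init__(self, ttl=60, clock=time.monotonic):
        self.cache, self.ttl, self.clock, self.queries_sent = {}, ttl, clock, 0

    def resolve(self, name):
        """Return (address or None, 'cache' or the chain of servers consulted)."""
        name = name.rstrip(".").lower()
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], "cache"
        zone, path = ".", []
        while True:
            self.queries_sent += 1
            path.append(zone)
            kind, value = authoritative_query(zone, name)
            if kind != "referral":
                addr = value if kind == "answer" else None
                self.cache[name] = (addr, self.clock() + self.ttl)   # negative answers cached too
                return addr, "->".join(path)
            if value in path or value not in ZONES:   # broken delegation: stop, do not loop
                raise ValueError(f"bad referral to {value!r} from {zone!r}")
            zone = value

def demo():
    ns = LocalNameServer()
    results = [ns.resolve(n) for n in ("info.sims.berkeley.edu", "info.sims.berkeley.edu",
                                        "tj.watson.ibm.com", "nobody.eecs.berkeley.edu")]
    return results, ns.queries_sent
```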

Supplements

Network security


Network security

• Some things to worry about:
  – Sniffing
  – Spoofing
  – Security flaws in public servers


Improving security

• Security tools covered earlier

• Firewalls: a place where security policies can be enforced
  – Who gains access
  – What servers (ports) can be accessed
  – What hosts can be accessed
  – What protocols can pass
  – Other security policies can be enforced


Firewall

Figure: the Global Internet connects through a firewall to the public hosts (bastion hosts); a second firewall separates them from the internal hosts of the protected enclave.
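An added example, mine and not from the slides, that expresses the policy list on the previous slide as an ordered packet filter: each rule states who gains access (source), what hosts (destination), what servers (ports) and what protocols may pass; the first matching rule wins and anything unmatched is denied. Two constructed rule sets follow the figure above, one for the Internet-facing firewall and one for the second firewall in front of the protected enclave. The filter is stateless (return traffic is not modelled) and the addresses are documentation-range placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str = "any"       # what protocols can pass: "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"   # who gains access (source network)
    dst: str = "0.0.0.0/0"   # what hosts can be accessed (destination network)
    dport: tuple = None      # what servers (ports) can be accessed: (low, high) or None

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None
                     or self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]))

def decide(rules, pkt):
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None

# Constructed policies: 10.0.0.0/8 is the protected enclave, 192.0.2.10 a bastion host.
OUTER = [   # between the Global Internet and the bastion hosts
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=(80, 80)),     # public web server
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=(443, 443)),
    Rule("allow", "any", src="10.0.0.0/8"),                         # internal hosts going out
]
INNER = [   # second firewall in front of the internal hosts
    Rule("allow", "any", src="10.0.0.0/8"),
    Rule("allow", "tcp", src="192.0.2.10/32", dst="10.0.0.5/32", dport=(5432, 5432)),
]

def demo():
    """Constructed packets, each evaluated against the firewall it would cross."""
    cases = [
        ("Internet to public web",   OUTER, {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80}),
        ("Internet to internal ssh", OUTER, {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 22}),
        ("internal host outbound",   OUTER, {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 80}),
        ("bastion to database",      INNER, {"proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.5", "dport": 5432}),
        ("bastion to internal ssh",  INNER, {"proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.5", "dport": 22}),
    ]
    return [(label, decide(rules, pkt)[0]) for label, rules, pkt in cases]
```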


Problems with firewalls

• “Benign internal users” assumption is naïve

• Obstacle to deployment of innovative applications and services

• Increasingly organizations want to extend extranet to suppliers and customers

• Solution: resource-based rather than enclave-based security
  – Analogy: border patrol not enough, need secure buildings and vehicles, guards, police, etc.


Where to use encryption

• Per link (wireless)

• Firewall-to-firewall (extranet)

• Host-to-host (IPsec)

• Process-to-process (TCP-SSL)

• Application

What are some strengths and weaknesses in these approaches?


Packet structure

Header:
  Information for switches
  Serves as protocol message

Payload:
  Data for application
  Ignored by network and protocol
  (Qualification: may also be encapsulated packet)

Packet length limited by network policy


Protocol endpoints

Figure: IP runs host-to-host; TCP and UDP run process-to-process between processes on the two hosts.

Internetworking layer focuses on getting datagrams from one host to another

Transport layer focuses on process-to-process communication services


Addresses vs. names

Figure: an address is 128 bits (network, host); a name looks like info.sims.berkeley.edu.

Address specifies topological location of host to the network

Name is easy to remember or construct and reflects administrative boundaries


Issues in congestion control

• Social issue: how do we divide limited network resources among users/applications?

• Approaches:
  – Voluntary (e.g. UDP)
    • “Bad citizen” is rewarded
  – Policy driven (e.g. TCP)
  – Incentivized (e.g. pricing)


Advantages of pricing-based congestion control

• Policies can never take into account the “importance” of traffic

• Users and applications are forced to consider the common resource implications of their actions

• Users and applications can choose the most “important” traffic for periods of congestion
  – Shift other traffic to off-peak times

• Source of revenue to expand capacity


Technical approaches to congestion control

• Source-driven throttle algorithm
  – Voluntary, policy, or incentive driven

• Network-driven
  – Must use fairness criteria
  – Network-to-source flow control
  – Network access enforcement (policing)
    • Traffic priorities allow source to control what traffic is discarded


Undesirability of fixed pricing per unit of capacity

Figure: the demand curve D(c), the willingness to pay for one more unit of capacity, plotted against capacity c up to cmax, with a fixed price p per unit. In reducing capacity from c to c’, the figure marks the revenue gained against the revenue lost.


Downsides of pricing

• Infrastructure for
  – Usage monitoring
  – Congestion monitoring
  – QoS configuration
  – Billing

• Operational costs

• How do costs compare to the benefits?