Advanced Computer Networking
CYBR 230 – Jeff Shafer – University of the Pacific
Project 1 + Path MTU Discovery
Schedule
This Week
- Mon September 11
  - "Instructor Busy" – No class!
- Wed September 13
  - Project 1 Due
- Fri September 15
  - Project 1 Testing
  - Introduce Project 2
Next Week
- Mon September 11
  - TBD
- Wed September 13
  - TBD
- Fri September 15
  - TBD
Fall 2017 Secure Software Systems
“A Digital World” with John Chambers
- John Chambers, former CEO and current executive chairman of the board, Cisco
- "A Digital World": Country digitization, the latest global technology transition, and how it could change the global agenda.
- Wednesday, September 20th, 5-6:15pm, DUC Ballroom
Path MTU Discovery
Fall 2017 Advanced Computer Networking
Path MTU Discovery (PMTUD)
- Good descriptions here!
  - http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/
  - https://blog.cloudflare.com/path-mtu-discovery-in-practice/
- Maximum Transmission Unit (MTU)
  - How much data can I put into a packet?
  - Ethernet (standard): 1500 bytes
  - Ethernet w/ Jumbo Frames: 1501-9000 bytes
  - WLAN (802.11): 2304 bytes (before encryption)
    - WPA-TKIP uses 20 bytes for encryption
  - Are you using IPSec? GRE tunnel? 6in4 encapsulation?
    - More bytes used for additional headers!
Maximum Transmission Unit (MTU)
Ethernet 802.3 Frame Format:

  Field                  Size
  Preamble               7 bytes
  Starting Delimiter     1 byte
  DA                     6 bytes
  SA                     6 bytes
  Type/Len               2 bytes
  Payload                46-1500 bytes
  Frame Check Sequence   4 bytes

  1526 bytes ("full frame" size: preamble + delimiter + frame)
  1518 bytes ("frame size": DA through Frame Check Sequence)
  1500 bytes ("payload size" / MTU)

Note: With VLAN trunking (802.1q), the VLAN tag is 4 bytes added to the total frame size, not subtracted from the payload. So, the frame size would be 1522 bytes instead of 1518.
Fragmentation = Bad :(
http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/
Fragmentation = Bad :(
- Well known for decades
  - "Fragmentation Considered Harmful", 1987 DEC tech report, http://www.hpl.hp.com/techreports/Compaq-DEC/WRL-87-3.pdf
- Key problems
  - Inefficient use of network resources (more header bits for same amount of data)
  - Loss of fragments leads to degraded performance (must retransmit all fragments, not just lost fragment)
  - Reassembly takes time/resources
Path MTU – Best Available?
http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/
Path MTU Discovery (PMTUD)
http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/
Path MTU Discovery (PMTUD)
http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/
Path MTU Discovery (PMTUD)
- What is MTU? ✓
  - Maximum transmission unit (max bytes in frame)
- Why do I need Path MTU Discovery? ✓
  - Performance (IPv4)
  - Delivery (IPv6) - IPv6 routers will never fragment, only reject!
- How is Path MTU Discovery accomplished? ✓
  - Using the don't-fragment bit and successively sending smaller packets until no errors are returned
Path MTU Discovery (PMTUD)
- Q: Who does Path MTU Discovery?
- A: The operating system
- Q: What protocols use Path MTU Discovery?
- A: Both common protocols, with key differences
  - TCP – Automatically changes MTU
  - UDP – Some OSes will do PMTUD, and give your application an error if you exceed, but it's up to your app to start sending smaller messages
Path MTU Discovery
- Q: When is Path MTU Discovery done?
  - Is it done once when I turn on my computer? NO
  - Is it done when I connect to the Internet? NO
  - Is it done when I open a socket? Connect? Kinda
- A: Done on a continuous basis over normal packets
  - DF flag is always set, e.g. TCP data and ACK packets
  - Allows OS to detect if path MTU has dynamically changed
Path MTU Discovery
- Q: What can go wrong?
- A: Over-zealous network security administrators blocking ICMP messages needed for PMTUD to function
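The probing loop from the "How is Path MTU Discovery accomplished?" slide and the ICMP-blocking failure mode above, as an added simulation (not code from the course or the slides). The path of link MTUs is constructed; no real packets are sent, and the sender's retry behaviour when no ICMP comes back is a deliberately naive one.

```python
"""PMTUD simulation (added example; not from the slides).
Send with the Don't Fragment (DF) bit set, shrink the packet when a router
answers ICMP "Fragmentation Needed" (IPv4 type 3 code 4; "Packet Too Big"
in IPv6), and show what happens when a firewall drops those ICMP replies."""

ETHERNET_MTU = 1500  # standard Ethernet payload size from the slides


def send_probe(path_mtus, size, df=True, ipv6=False, icmp_blocked=False):
    """Forward one packet hop by hop over a constructed list of link MTUs.
    Returns ("ok", None) when delivered, ("too_big", next_hop_mtu) when a
    router rejects it and the ICMP error reaches the sender, or
    ("blackhole", None) when it was rejected but the ICMP was filtered."""
    for link_mtu in path_mtus:
        if size <= link_mtu:
            continue
        if not df and not ipv6:
            continue  # IPv4 router fragments silently; IPv6 routers never do
        return ("blackhole", None) if icmp_blocked else ("too_big", link_mtu)
    return ("ok", None)


def discover_path_mtu(path_mtus, start=ETHERNET_MTU, ipv6=False,
                      icmp_blocked=False, max_probes=10):
    """Successively send smaller DF probes until one gets through.
    Returns (path_mtu, probes_sent); path_mtu is None when discovery never
    converges, which is the ICMP-blocking failure mode from the slide."""
    size = start
    for sent in range(1, max_probes + 1):
        status, next_hop_mtu = send_probe(path_mtus, size, True, ipv6, icmp_blocked)
        if status == "ok":
            return size, sent
        if status == "too_big":
            size = next_hop_mtu  # RFC 1191: use the MTU the router reported
        # "blackhole": no feedback at all, so this naive sender retries as-is
    return None, max_probes


if __name__ == "__main__":
    path = [1500, 1400, 1280, 1500]  # constructed: a tunnel hop with MTU 1280
    print(discover_path_mtu(path))                     # (1280, 3)
    print(discover_path_mtu(path, icmp_blocked=True))  # (None, 10)
```

With ICMP filtered the large packets simply vanish: the host never learns the path MTU, which is why a connection can complete its small handshake packets and then hang once it sends full-size data.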
Project 1
Design Questions
- Did we decide if Wireless is the same or a different network?
- What are the firewall rules regarding access?
  - Instructor can access…?
  - Student can access…?
  - Quarantine can access…?
  - Public can access…?
- What features are not likely to get done by tonight?
Testing
1. Do I have multiple networks? Instructor, Student, Quarantine, Public
2. Do devices joining each network receive reasonable address assignments? (specifying an IP address, Google Public DNS, lab NTP server, etc…)
3. Can I demonstrate connectivity between devices on the same network?
4. Can I demonstrate (a) connectivity or (b) lack of connectivity between devices on different networks?
5. Can I create a VM on the instructor ESXi box and attach it to any network with a few mouse clicks?
6. Can I connect to the VPN endpoint from the campus network? (or off campus). Which network am I joining?
7. Can a student lab computer attach to both the student network and quarantine network in a "safe-by-default" manner? What are the steps required?
8. [Documentation] Can I explain the current use of wireless spectrum in this building?
9. [Documentation] What is the paper (untested) configuration for the wireless AP? Include links to online docs/tutorials that may be useful for a future student
10. IPv6