ECEA 5370 Network System Foundations

Link to CU Boulder page

Link Layer

  1. The Link Layer is above the Physical Layer (wire/wirelessly/we) which allows for communication to occur on top of the transmission. This is usually implemented in the network interface card/NIC.
  2. The link layer encodes the data so both sides can interpret it. It also detects and could correct an error if it occurs at the physical layer. It also helps for shared access mediums and how to coordinate between different nodes (like a wifi network). It also helps to extend to a local area network beyond the limits of the transmission area.
  3. Link layer makes sense of the 1/0's in a medium. This structure that makes sense of the structure is the frame. Header/Payload/Trailer. Header + trailer help understand how to handle the payload.
  4. Dest/Source/Type/data/FCS. Dest is 48 bits and indicates who the frame is meant for. Source (48 bits) tells who the sender of the frame is. The type (16 bits) tells what the frame is e.g. IPv4 packet, ARP etc. FCS is the trailer (32 bits) and checks for errors in the bits before it.
  5. MAC (Media Access Control) Address is 48 bits (6 bytes) commonly displayed in hex with colons. They were historically assigned by the manufacturuer and unique, but with virtualization this is no longer the case. The first three bytes are the OUI (organizationally unique idenfitier) and the final three bytes are the vendor defined numbers.
  6. FF:FF:FF:FF:FF:FF is the broadcast address. The packet is meant for everybody/all nodes in the network.
  7. 802.3 Ethernet packet and frame structure
    Layer Preamble Start frame delimiter (SFD) MAC destination MAC source 802.1Q tag (optional) Ethertype (Ethernet II) or length (IEEE 802.3) Payload Frame check sequence (32-bit CRC) Interpacket gap (IPG)
    Length (octets) 7 1 6 6 (4) 2 42–1500 4 12
    Layer 2 Ethernet frame (not part of the frame) ← 64–1522 octets →
    Layer 1 Ethernet packet & IPG ← 72–1530 octets → ← 12 octets →

Error Handling

  1. We need to at least be able to detect if an error occursed at the link layer, because the phyiscal world might flip some bits sometime.
  2. Parity forces every transmission to have an even (or odd) number of 1's by adding an extra bit of 0 or 1 to the data. If a single bit gets flipped we can see that the transmission has an error. XOR is a good way to count these 1 bits in an array. Even parity = even number of 1's in it. Calculate if it's even or odd then add a 1 or 0 appropriately. 01010111 would become 010101111.
  3. XOR every bit and it's a 0 (for even parity) it's passing the algorithm. e.g. even parity of 01010001 = 1
  4. CRC is a more powerful form of error detection. Cyclic codes are particularly suited to detect burst errors and this is used in the ethernet protocol. This is the FCS field. Basically we're trying to make the data divisible by a value G and we append that value R to D to use as error detection. This can be done only with XOR. It also helps detect more than just 1 bit errors from parity, like two adjaced 1 bit errors, any odd number of 1 bit errors, and any burst of errors with a length of 32 or less. Link for a more in depth look at this calculation. Detects burst errors, single bit errors, and can be calculated as the data is coming off the wire. Cannot fix neccessarily fix the bit error!

Sharing the Link + LAN

  1. We need the link layer to be able to share a transmission medium across multiple network devices. When collisions happen between two devices, no one can transmit reliably! Lots of different approaches.
  2. Channel Partitioning: divide the link into smaller pieces and assign to each node. Could divide by time (TDMA). Each node gets a specified time slot. Could also partition in terms of frequency (FDMA). Divide frequency spectrum and assign each node it's own proper frequency.
  3. Random: Nodes can transmit in an uncoordinated manner. Deals with collisions when they happen. Carrier Sense Multiple Access (CSMA) is used in both ethernet and wifi. Node will read from the channel to see if anothe node is sending and transmits when it senses idle. Ethernet has CSMA/CD collision detection to see if the transmission was scucesful. Ethernet will transmit a "jam" signal if it sees a collision so that all nodes see that it has a jam. CSMA/CA (Wireless) cannot read wile transmitting. Wifi/CSMA-CA depends on an explicit ack from a receiver. If it doesn't receive, it will assume a collision. Some nodes could be out of reach so assuming the connection/packet makes it is not a good assumption! Request to send and clear to send do exist, but they are optional.
  4. When a transmission fails, the node will send the frame after some time period (this is the backoff period). There are both random backoff times, to avoid synchronous issues, and exponentially increasing waiting longer each time between transmissions.
  5. We need ethernet switching to solve scalability challenges with a shared cable. Switches can direct traffic so that some cables/mediums can be shared. The switch looks at its mac address table and sends the packet to a corresponding port. The table starts empty, but MAC Table Learning is where a mac table is created. When a switch receives a frame it learns the source is at that port. If the destination is unknown, will flood to all its ports. All but the actual dest will ignore it. If a destination replies, switch will learn the address on that port. Swithces are limited in number of porst so you can extend with a topology of switches. You can get loops via flooding, if the connection has a loop direction i.e. A -> B -> C. If B and C were also connected. Can turn off links that create the loop (Spanning Tree Protocol), limit the number of hops, keep track of messages seen, and architect the network to avoid looping. STP + Architecting are popular. Wireless LAN is similar, swtiches are the special nodes. All trafic goes via access points, even if two nodes were with in range. The big challenge is staying associtaed with an access point.

Network Layer

  1. Network layer provides host to host communication.
  2. What if the nodes are on different link types? What if the nodes have different admins? What if the nodes are in different locations? The network layer comes in to solve these issues. IP is an instance of a network layer protocol.
  3. How does the network layer address scalably across networks? How do we forward destination addresses? How do the different networks coordinate so they reach destinations beyond their boundaries? How are addresses assigned and mapped to the link address? What tools can an admin use to troubleshoot beyond its network boundaries?
  4. Packet in network layer is equivalent to frame at the link layer
  5. The "internet" enables internetworking/communication between multiple, heterogenous networks. There is a router at the edge of each network (Cerf & Kahn "A protocol for packet network intercommunication"). The service model is best effort, delivery is not guaranteed, timing has no guarantee, and the order of packets may get reordered in the network. Interconnecting different link layers is hard, so it needs to be the lowest common denominator.
  6. Every interface gets an IP Address. IPV4 - 32 bits in dotted decimal. IPv6 - 128 bits in hextet (16 bits) seperated by a colon. Can drop leading zeros and can drop consecutive zeros with ::.
  7. Ethernet has 1 entry per destination. This doesn't scale! Network layer adds structure to addresses so devices can be grouped. This grouping is called a subnet. A set of consecutive IP addr's. CIDR (cider/classless inter domain routing) Format a.b.c.d/x X is the length of the prefix, number of high order bits that are the same. Basically how many upper bits are being gruped together. Subnets can be combined so 1.1.0.0/24 and 1.1.1.0/24 = 1.1.0.0/23 (upper 23 bits are the same)
  8. TTL = time to live, (hop limit in ipv6). How long is this packet valid? This is a way of preventing loops! After a certain time/number of hops the packte will just be dropped.
  9. The role of the router - gateway, it forwards traffic to a destination. Forwarding - data plane. Directs a data packet to an output port/link using a forwarding table. Routing - control plane. Computes paths by coordinating with neighbors. Creates/calculates the forwarding table.
  10. Data plane, line of packet. Received at ingress of line/network interface card. Lookup desitaino in forwarding table (determines output port), sends packet over switch fabric to output port. Line card transmits packet.
  11. Line card behavior: IP matches on a variable length prefix. Prefixes may overlap! The job of the lookup is to find the most specific prefix that matches the destination. This will eventually map a port to an address. This can be visualized with a try search tree. It walks the tree to find a specific node.
  12. Switch Fabric: Gen 1, started with switching via memory. Interface gets packet off the wire, transfers packet from interface to memory, processor determines next hop, transfers packet from memory to outputinerface. Limited by CPU processing. Generation 2: Switching via bus. Each line card has a forwarding table, transfers packet over the system bus, can only transfer 1 packet at a time over bus, but it's not limited by CPU. Generation 3: Introduced a switching fabric, parallelism via a switching fabric (could be a cross bar). During a timeslot, each input is connected to 0 or 1 on the outputs. Uses a matrix to make these connections. Allows to transfer multiple things at the same time. Generation 4: switching via memory. Processors are getting faster, same as gen 1! Useful for cloud/virtualized envs. More things, link scheduling to determing what's put on the wire (round robin, weighted, priority). Dropping packets on congestion (drop-tail, random early detection). Traffic shaping to force traffic to conform to a policy (e.g. limit to a certain speed)
  13. Router/control plane: Distributed routing, different protocols exist distinguished by three main characteristics: What info each router knows (entire topology or just its neighbors), What info each router exchanges (All routes or single route), what calculation is performed (shortest path or what's locally best)
  14. Link-state protocol - OSPF (intra domain) (there are other link state protocols). OSPFv2 for ipv4 and OSPFv3 for IPv6. Widely used in LAN's. Each router establishes peering with neighborsm link states are flooded to entire network, each router calculates shortest path(s).Link state tells what connections it has to other routers, and connections to network with end hosts (tells prefixes reachable). This process continues of sharing link state until the network reaches convergence. (everyone has agreed that this is all the info the network.) Each router now performs a shortest path calculation. This is Dijkstra's Algorithm! The weight between nodes could be latency,bandwith etc. it depends on what's being optimized for. New neighbors, failures in a link/node, and adding a prefix are all changes in the link state. Send link state paths again until convergence, calculate shortest path, and update the forwarding table.
  15. Path vector protocol - BGP (inter domain) (border gateway protocol). BGP is used to coordinate between inter-connected networks/autonomous systems. Each router peers with neighbors. For any updates any route update received or failure event or config change - update routing table, perform local best route calcuation for that prefix, if any change send update to neighbor. Route = path to a prefix. Path = sequence of autonomous systems. A route can be withdrawn by a router to tell its neighbors to delete an entry. This could be just an individualized path between two nodes being withdrawn! iBGP = internal. Provider = is paid money to transit traffic, Customer - pays money to a provider to have its traffic carried, Peer - financially neutral arrangemnet where two ASes connecto to each other and will send traffic through each other. BGP Policies to control what is being announced.
  16. OSPF knows the entire topology of the network, while BGP just has known/announced routes. Both BGP + OSPF can handle device failures (there may be an alt route). BGP may pick a different route than it's neighbor rather than OSPF which would have a set route. BGP is the main protocol used in the internet. OSPF exchanges with its neighbor all routes known, while BGP can be selective. Both OSPF and BGP are decentralized!
  17. Centralized Control Plane (software defined networking). Central controllers know the entire topology and make decisions for the entire network. Routers just become the data plane. Controller does all the calculations for the network and installs the forwarding tables.
  18. IANA - Internet Assigned Numbers Authority - coordiantes globally. Regional registries (RIR) manage local IP address allocation. ISP's own large block and provide them to their customers.
  19. More likely to know the IP address than the mac address (or at least the name of the server). actual communication at the link layer is usingthe mac address. Solution is ARP (address resolution protocol). I'm looking for IP address, what is your MAC. Only the one with that IP address will respond with that MAC address. Gives the sender's mac address and the target mac address of all 0's.
  20. IP Address can be statically assigned. Can assign an ip address to a specific network interface. Can also be dynamic via DHCP (dynamic host configuraiton protocol). There is a DHCP server that is asked for an IP address and can give back an offer.
  21. ping can be used as a quick check if a server is up/reachable. Also includes round trip time for latency issues. Ping uses ICMP Echo (within a payload of an IP packet.)
  22. traceroute - used for path to destination. It does this by slowly incrementing TTL field, when TTL expires router will send an ICMP message that the time exceeded. *** means the router does not support the response/traceroute.
  23. iperf3 can determine the max throughput between a client and a server. Can be used to identify performance issues.

Transport Layer

  1. Transport layer addresses multiplexing 1. Multiple applictions are running on a particular device! 2. Creating Reliable transport. 3. Congestion control. Congestion could cause packets to be dropped.
  2. Transport layer is for communication between processes (process to process). Network layer is for communication between hosts.
  3. This is another header/layer inside the payload of the IP. Addresses here are called ports.
  4. Two main protocols: UDP, TCP. Link Layer - Frame, Network Layer - Packet, Transport Layer - Datagram Application Layer - Message.
  5. Connectionless - Host uses Dest IP and dest Port to demultiplex to specific process. Doesn't require establishment (ack). Only state is (IP, port) -> process mapping. UDP is an example of this. Simple multiplexing/demultiplexing. Inhereit's IP service model - best effort.
  6. Connection oriented - Has more state. Src IP, Dest IP, Src Port, Dest Port idenitifies the connection. Requires establishment (ack) before data transfer. Host keeps more state about the connection. An example of this is TCP. Single process can have multiple connections. In order reliable stream.
  7. Reliable transfer is making sure that exactly what is sent at the start node is what's received at the end node. At the link layer, errors may occur (interference, etc.) Ethernet can detect, but not fix so ethernet will just drop the frame. Could also drop due to congestion, incoming rate > outgoing rate and the buffer could fill up completely. Packets could also get ordered incorrectly! This could because the routing changed mid transmission. BGP could update with a new route during transmission.
  8. TCP allows this to occur via the sequence number. It indicates which bytes are contained in the datagram. The receiver can send back what acknowledgment number is expected next. This allows for retransmissions! Retransmit happens when a timeout. The sender should wait a amount of time that the trip should take and some buffer. Also should retransmit when a duplicate ack is received. The sender may be able to send at higher rates than the receiver can accept. This is "flow control". The receiver advertises free buffer space in rwnd (receive window) field in TCP header. Sender limits amount of unACKed (in flight) data to receive rwnd.
  9. Each side of TCP needs to store a state. Data in buffer, windows (size of packet that can be accepted), RTT (round trip delay). TCP is uniquely identified by src IP, dest IP, src port, dest port. Three way handshake! SYN = synchronized sequence number. ack = acknowledgment number field is valid. Each side has their own sequence number!
  10. Congestion control. Congestion will occur! The goal is for senders to detect this and back off on the rate if needed. Congestion happends when the send rate out of a link is lower than the receive rate. It builds up a queue! Packets can get dropped and may be retransmitted (if TCP). The end result is congestion collapse. When nearing capacity, goodput (new unique data) decreases rapidly. Buffers get full, but sending keeps overloading them, so more and more packets getting dropped and retransmitted. Congestion control is meant to reach the saturation point just before collapse in an efficient and fair manner.
  11. Fair = each flow receives an equal share of the bandwith of a link. Efficient = full bandwidth of link is used. We can either do reservation (in netowkr, reserve bandwith on each router) or feedback and adjust. TCP is more feedback and adjust. Senders can increase sending rate until congestion occurs, then decrease sending rate. Feedback (implicit) and the window is used to adjust the rate.
  12. In TCP, duplicate ack, packet loss can be used to detect congestion in the network. Explicit congestion notification does exist, but depends on the router supporting it. The host can limit the traffic via the congestion window (cwnd). This is the last byte sent - last byte ack <= cwnd. This is similar to the recall flow control previously mentioned. The congestion window is an internal state on the host not an explicit field in the TCP header. Congestion window in TCP control limits how much data is allowed to be in flight at one time.
  13. Additive Increase Multiplicative Decrease (AIMD) - shown to optimized congested flow rates network wide! Additive increase, increase sending rate by 1 max seg size every RTT loss detected. Multiplicative decrease - drop by half/whatever rate whenever an RTT is failed. This leads to a sawtooth pattern of sending data rates via TCP. This has been shown to be a neccessary condition of stability. Additive increase can be too conservative (too slow to get congestion). TCP slow start can fix this (counter-intuitively) by increasing cwnd every Ack (instead of every RTT)

Application Layer

  1. On top of the transport layer. Putting actual functionality inside of the process!
  2. IP address isn't human readable. Application layer allows human readable input (youtube.com)
  3. Application layer allows for actually interacting with the full network statck.
  4. Application layer tells a process what it wants (upload/watch a video) and how the processes encode the data.
  5. Application layer focuses on hostsnames (youtube.com). They are human readable and variable length. Domains within the hostname are also hierarchical (cs.princeton.edu). Each layer has a mapping! It's a distributed database of mappings between hostnames and IP addresses. DNS is this distributed database + UDP application layer protocol to find these IP Addresses.
  6. DNS stores resource records. RR format (name, value, type, ttl). Type A - Name -> hostname and value -> IP Address. Type NS - Name -> Domain. Value -> hostname of authoritative name server for the domain. DNS can use cached values, but if it's not cached it will look for it from the local DNS server first. This can then look at its root DNS server which could send an authoritative domain dns server to look up at next.
  7. Sockets (Berkeley Sockets) is an abstract representation for the local endpoint of a network communication path. App puts data into socket and other app can get data from the socket. Operating system handles everything else.
  8. int socket(int domain, int type, int protocol) os will create a socket and return a handle. bind(int sockfd, struct sockaddr * my_addr, int addrlen) tells the OS what address to use. int listen(int sockfd, int backlog) notifies OS the willingess to accept incoming connections on this socket. int accept() blocks waiting for connections. Sets the address of the incoming connection.
  9. An appropriate socket sequence = socket() then bind() then listen() then accept()
  10. On the client, call socket() then int connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen). Now an exchange of send() and recv() calls to send data. Client can call close() to end the socket.
  11. Socket programming in python tutorial
  12. Application layer protocol defines, message syntax (fields, how fields are delineated), types of messages echanged (request response) and message semantics (meaning of fields)
  13. One strategy for making sure that data is correct is to convert to a canonical intermediate form that both send and receive sides agree upon.
  14. Another strategy (receiver makes right) is for the sender to send its internal representation but also includes information about the representation. This works well in homogenous infrastructure!
  15. untagged = agree on the type, length and location of data beforehand
  16. tagged = including the message tag abou the data (type and length) in the message (json/proto)
  17. HTTP is the web's application layer protocol. Client/server exchange web objects (html, jpeg, audio file). It is stateless, server doesn't retain information about past client requests.
  18. Operation Description
    OPTIONS Request information about available options
    GET Retrieve document identified in URL
    HEAD Retrieve metainformation about document identified in URL
    POST Give information (e.g., annotation) to server
    PUT Store document under specified URL
    DELETE Delete specified URL
    TRACE Loopback request message
    CONNECT For use by proxies
  19. JSON data is always in value pairs. Key - String, value - string, number, object, array, boolean, null Curly braces hold objects. Square brackets hold arrays (list of values).
  20. RPC = Remote procedure call. Defined in 1981 to run a function on a remote machine. This is really useful in modern web services. gRPC's are a modern implemntation based off of protobufs. gRPCs uses HTTP 2 (persistent and pipelined messages). The protofs allwo for binary format to serialize data. This can make the size of messages much smaller. Can also create services in the proto file!

Network Security

  1. Confidentiality - information is only visible to those intended. Keeps it secret from everyone, but the recipient. Alice and Bob are common names people use in Network Security examples. Eve, Mallory and Trudy are also common attackers :) The encrypted text is called ciphertext vs anyone can read it called plaintext.
  2. Symmetric encryption = a shared key. This is fast, but sharing the key is the main challenge. AES is a good example of this!
  3. Asymmetric Encryption = each side makes a key (private + public key). This is much slower, but it's simple to share the key! You could share the public key with anyone and they couldn't decrypt the data unless they had the private key. RSA is a common example of this algorithm.
  4. A common thing to do is to use asymmetric encryption to exchange a shared key to use symmetric encryption. This has the benefit of being easy to share the key, without the issues of having to share beforehand.
  5. Integrity - data has not been modified/corrupted. Hashing (with a good non colliding algorithm) can be a good way of checking if the message was transmitted correctly. Hash-keyed Message Authentication Code (HMAC) removes assumption of digest known/unmodified. Sender and receiver share a secret key. This hashes the key cat'd with the hash of the key and message cat'd. This underlies Digital signatures to verify that a message hasn't changed and came from a particular source. These signatures underline Cert's to prove a real public key. These are stored in a Known certificate Authority.
  6. Availability = information can be accessed
  7. All of these combined are network/information security
  8. IPSec can solve an attacker seeing the traffic between two different physical sites. It creates an encrypted tunnel between two end points. Thsi is commonly used in VPN's. A protocol (ISAKMP/IKE) can be used to exchanged keys on both sides. SA-1 Parameter Exchange, let's the endpoint know what types of algorithms it supports [Encryption (DES/AES), Hash (SHA, MD5), DH Group (1, 2, 5), Auth (Shared, certificate)], diffie hellman is a protocol to create and share private keys between two parties. It allows two parties that have no knowledge of each other to generate a shared secret key over an insecure channel. They then share a shared private key or digital cert using the new encrypted key that was negotiated. Different modes of traffic exchange, AH (Authenticating Header - provides just integrity) or ESP (Encapsulating Security Payload - provides just integrity and Confidentiality). Also can choose Transport (mostly for a single endpoint) or tunnel (mostly for a whole site, adds a new IP Header)
  9. RPKI (Resource Public Key Infrastructure) is in the network control lane. If an attacker could inject fake paths in BGP, they could reroute traffic to a "fake" website to interrupt traffic, steal data etc. The atttacker could try to announce a prefix that's already said (and is not valid). Idealized solution would have a client tell what BGP node it's in to the world.Regional Internet Registries (RIRs) established as CA's. They are well known and can issue digital certificates containing (IP Prefix, AS Origin, and the public key). RPKI Validator Routinator. Not all routers implement RPKI yet, so there is a backup state, it's getting better as an ecosystem though!
  10. TLS is a layer that provides confidentiatlity on top of http (another layer in the application layer, below http). HTTP/TCP use plaintext, the message integrity is not ensured and there is no guarantee of the correct server. Can use symmetric encryption and message Authentication codes with a shared secret key (provides confidentiatliy and integrity) or asymmetric encryption to exchange key (but can't neccessarily trust these public/private keys). We can use digital certs to authenticate the public key and use asymmetric encryption to exhange a shared private key! Let's Encrypt works by issuing a cert after proving that you control the DNS entry. This encryption happens in the TLS handshake after the TCP connection is established (3 way handshake). TLS also exhanges what algorithms the client can support for encryption/data integrity.
  11. Mutual TLS (mTLS) is similar to TLS but works both ways. The client verifies the identity of the server, but the server also verifies the identity of the client. Servers would likely have an explicity access control list.