1 04-NetworkData

1.1 Audio-recording

1.2 Opening thoughts

Port number is a form of address from the layer just above,
the one we just finished (the transport layer).

IP address (those above in image) is the layer we’re doing now (the network layer)

MAC address (the hex address last sent in image above)
is the next layer down that we will do next (the link layer).

Reminder (look back at section on encapsulation and layering after completing every layer):

1.3 More reading

1.4 Introduction

Previous-Previous: Application headers (data from this perspective)
Previous: transport header (Example is UDP in diagram, but could be TCP)
Now: IP header
Next: Data link framing
Next-Next: Physical layer

1.4.1 Scope

Network layer is hard to upgrade or change (it’s everywhere)!
* Goal: to transport segment from sending to receiving host
* On sending side, encapsulates segments into datagrams
* On receiving side, process datagrams, and then deliver segments to transport layer
* Network layer protocols exist in every host and router.
* Routers examine header fields in all IP datagrams passing through, potentially re-writing and editing them.

Forwarding and routing

Role of the network layer is simple, to move packets from a sending host to a receiving host.

Two important network-layer functions can be identified:
1. Forwarding
2. Routing
04-NetworkData/kurose_ch4_01.png

+++++++++++++++++++++ Cahoot-04-1

Data plane and control plane

We divide the network layer based on these functions.

Data plane

Control plane

+++++++++++++++++++++ Cahoot-04-2

A quick forward-reference:
* ARP (Address Resolution Protocol) queries use a known IP address to look up a MAC address (link-layer address), so that a switch (a data-link layer 2 device that forwards based on MAC address) can send directly to an interface by asking:

“Hey all on the mac layer, whoever has this IP address, what is their MAC address?”

1.4.3 IPv4 address (more to come below)


1.4.4 Routing algorithms build forwarding tables

Every router has a forwarding table.
* A router forwards a packet by examining the value of the destination IP address field in the arriving packet’s header, and then using this header value to index into the router’s forwarding table.
* The value stored in the forwarding table entry for that header indicates the router’s outgoing link interface to which that packet is to be forwarded.
* Note: the diagram immediately below is idealized to have a short bit chunk, but the principles are the same for real IP addresses:

Routing sets up these forwarding tables.
* The routing algorithm to determine tables may be centralized (e.g., with an algorithm executing on a central site and downloading routing information to each of the routers) or decentralized (i.e., with a piece of the distributed routing algorithm running in each router).
* In either case, a router receives routing protocol messages, which are used to configure its forwarding table.

Classic vs. Software defined network (SDN)

Classic

Individual routing algorithm components in each and every router interact in the control plane.

SDN

A distinct (typically remote) controller interacts with local control agents (CAs).

1.4.5 Datagram networks

In a datagram network, each time an end system wants to send a packet, it stamps the packet with the address of the destination end system, and then pops the packet into the network.

Datagram packet routing

Routing tables

Suppose that our router has four links, numbered 0 through 3, and that packets are to be forwarded to the link interfaces as follows:

Important points to ponder:
* If IP addresses are sold in blocks, where might ranges end up, geographically?
* If ranges of addresses are re-sold, where might they end up?
* Why can a match in the routing table be shorter than an IP address itself?
* Why should it be?
* Why do we match the longest prefix?

Longest prefix match
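The forwarding lookup described above, as an added example that is not part of the lecture notes or of the textbook: a small Python forwarding table that picks the outgoing link by longest-prefix match. The prefixes, link numbers and destination addresses are constructed for the demonstration; a /24 carved out of a /16 carved out of a /8 (the "re-sold range" case from the questions above) shows why the most specific entry, not merely the first matching one, must win.

```python
# Added example (not from the lecture notes): longest-prefix-match forwarding.
# Prefixes, link numbers and destinations below are constructed sample data.


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def prefix_mask(length: int) -> int:
    """Netmask for a /length prefix, e.g. /24 -> 0xffffff00, /0 -> 0."""
    if not 0 <= length <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return ((1 << length) - 1) << (32 - length)


class ForwardingTable:
    """Entries are (network, prefix_length, link); lookup returns the link number."""

    def __init__(self) -> None:
        self.entries = []

    def add(self, cidr: str, link: int) -> None:
        net_text, length_text = cidr.split("/")
        length = int(length_text)
        network = ip_to_int(net_text) & prefix_mask(length)  # clear any host bits
        self.entries.append((network, length, link))
        # Longest prefixes first, so the first matching entry is the most specific.
        self.entries.sort(key=lambda e: e[1], reverse=True)

    def lookup(self, destination: str):
        d = ip_to_int(destination)
        for network, length, link in self.entries:
            if d & prefix_mask(length) == network:   # match = same bits under the mask
                return link
        return None  # no matching entry: the datagram cannot be forwarded


def build_sample_table() -> ForwardingTable:
    """A /8 block, a /16 carved out of it, a /24 re-sold out of that, and a default route."""
    table = ForwardingTable()
    table.add("10.0.0.0/8", 0)
    table.add("10.1.0.0/16", 1)
    table.add("10.1.5.0/24", 2)   # the most specific (re-sold) range
    table.add("0.0.0.0/0", 3)     # default route: everything else
    return table


def demo() -> dict:
    """Map a few constructed destinations to the link each would leave on."""
    table = build_sample_table()
    return {dst: table.lookup(dst)
            for dst in ("10.1.5.77", "10.1.9.1", "10.200.0.1", "192.0.2.5")}


if __name__ == "__main__":
    for dst, link in demo().items():
        print(f"{dst:>12} -> link {link}")
```

Sorting the entries by prefix length is the simplest way to get longest-match semantics; real routers use a trie or TCAM for the same decision at line rate, but the matching rule is the same.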

+++++++++++++++++++++ Cahoot-04-3

1.5 Router internals

1.5.1 Input ports

* Inputs are a physical layer function, terminating an incoming physical link
* Link-layer functions needed to interoperate with the link layer at the incoming link.
* Lookup function is also performed at the input port.
* This will occur in the rightmost box of the input port.
* It is here that the forwarding table is consulted to determine the router output port to which an arriving data packet will be forwarded via the switching fabric to an output port.
* On the other hand, control packets, carrying routing protocol information, are forwarded from an input port to the routing processor.
* The term port here refers to the physical input and output router interfaces; it is different from the software ports associated with network applications and sockets.

1.5.2 Switching fabric

* The switching fabric connects the router’s input ports to its output ports.
* This switching fabric is completely contained within the router, a network inside of a network router!

1.5.3 Output ports

* The output port stores packets received from the switching fabric and transmits these packets on the outgoing link by performing the necessary link-layer to physical-layer functions.
* When a link is bidirectional (that is, carries traffic in both directions), an output port will typically be paired with the input port for that link.
* Buffering is required when datagrams arrive from the switch fabric faster than the output transmission rate.
* “Scheduling discipline” chooses among queued datagrams for transmission:
  * FIFO (first in first out)
  * Priority queue (could be pay $, think net neutrality)
  * Round robin (rotating queue)
  * Weighted fair queuing (WFQ)
* If queues are full, datagrams (packets) can be lost due to congestion (lack of buffers).
* Priority scheduling: who gets the best performance? Network neutrality?

1.5.4 Routing processor

* The routing processor executes the routing protocols, maintains routing tables and attached link state information, and computes the forwarding table for the router.
* It also performs the network management functions.

1.5.5 Input processing


1.5.6 Switching

Switching architecture variations:
Which is fastest?

1.5.7 Output processing

* Takes packets that have been stored in the output port’s memory and transmits them over the output link.
* This includes selecting and de-queueing packets for transmission, and performing the needed link-layer to physical-layer transmission functions.

1.5.8 Queuing

As queues grow large, the router’s memory can eventually be exhausted and packet loss will occur when no memory is available to store arriving packets.

Output port queuing:

Head of line (HOL) blocking in input queuing

1.5.9 Router control plane (more to come)


1.5.10 Queuing FIFO

first-in-first-out
04-NetworkData/pasted_image003.png

Priority queue

Who determines priority?

Round-robin and weighted fair queuing


1.6 Architecture

Network layer components

1.6.1 IP addresses in routers

Show some virtual interfaces.
What does Wireshark do with these?

+++++++++++++++++++++ Cahoot-04-4

1.7 IPv4 datagram


I tried to come up with an IPv4 joke,
but the good ones were all already exhausted.

1.7.1 IPv4 address


1.7.2 Examples

1.2.3.4 corresponds to 00000001 00000010 00000011 00000100
127.0.0.1 corresponds to 01111111 00000000 00000000 00000001
255.255.255.255 corresponds to 11111111 11111111 11111111 11111111

1.7.3 IPv4 Datagram header


IPv4 Datagram header details
* Version
  * The first header field in an IP packet is the four-bit version field.
* Internet Header Length (IHL)
  * The Internet Header Length (IHL) field has 4 bits, which is the number of 32-bit words.
  * Since an IPv4 header may contain a variable number of options, this field specifies the size of the header (this also coincides with the offset to the data).
* Differentiated Services Code Point (DSCP)
  * Originally defined as the Type of service (ToS) field.
  * An example of traffic that uses it is Voice over IP (VoIP), which is used for interactive data voice exchange.
* Explicit Congestion Notification (ECN)
  * This field is defined in RFC 3168 and allows end-to-end notification of network congestion without dropping packets.
  * ECN is an optional feature that is only used when both endpoints support it and are willing to use it.
  * It is only effective when supported by the underlying network.
* Total Length
  * This 16-bit field defines the entire packet size in bytes, including header and data.
  * The minimum size is 20 bytes (header without data) and the maximum is 65,535 bytes.
  * All hosts are required to be able to reassemble datagrams of size up to 576 bytes, but most modern hosts handle much larger packets.
  * Sometimes links impose further restrictions on the packet size, in which case datagrams must be fragmented.
  * Fragmentation in IPv4 is handled in either the host or in routers.
* Identification
  * This field is primarily used for uniquely identifying the group of fragments of a single IP datagram.
* Flags
  * A three-bit field follows and is used to control or identify fragments.
* Fragment Offset
  * The fragment offset field is measured in units of eight-byte blocks.
  * It is 13 bits long and specifies the offset of a particular fragment relative to the beginning of the original un-fragmented IP datagram.
* Time To Live (TTL)
  * An eight-bit time to live field helps prevent datagrams from persisting (e.g. going in circles) on an internet.
  * It is specified in seconds, but time intervals less than 1 second are rounded up to 1.
  * In practice, the field has become a hop count: when the datagram arrives at a router, the router decrements the TTL field by one.
  * When the TTL field hits zero, the router discards the packet and typically sends an ICMP Time Exceeded message to the sender.
  * The program traceroute uses these ICMP Time Exceeded messages to print the routers used by packets to go from the source to the destination.
* Protocol
  * This field defines the protocol used in the data portion of the IP datagram, e.g., TCP, UDP, etc.
* Header Checksum
  * The 16-bit checksum field is used for error-checking of the header.
  * When a packet arrives at a router, the router calculates the checksum of the header and compares it to the checksum field.
  * If the values do not match, the router discards the packet.
  * Errors in the data field must be handled by the encapsulated protocol.
* Source address
  * This field is the IPv4 address of the sender of the packet. Note that this address may be changed in transit by a network address translation device.
* Destination address
  * This field is the IPv4 address of the receiver of the packet. As with the source address, this may be changed in transit by a network address translation device.
* Options
  * The options field is not often used.
* Data
  * The data portion of the packet is not included in the packet checksum.
  * Its contents are interpreted based on the value of the Protocol header field.
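The header fields listed above, as an added example that is not part of the lecture notes: Python code that builds a minimal IPv4 datagram with a correct header checksum, parses the fields back out (IHL in 32-bit words, flags, fragment offset in 8-byte units, TTL, protocol), verifies the checksum the way a router does, and performs the per-hop TTL decrement with the checksum recomputed. The addresses and payload are constructed sample data; only the standard library is used.

```python
# Added example (not from the lecture notes): build, parse and verify an IPv4 header,
# then do the per-router TTL step. Addresses and payload are constructed sample data.
import struct

HDR_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a result of 0 means 'verifies'."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, protocol: int = 17,
               ttl: int = 64, identification: int = 0x1234,
               dont_fragment: bool = False) -> bytes:
    """Minimal datagram (IHL = 5, no options) with a correct header checksum."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 * 4 = 20 bytes
    flags_frag = (0b010 << 13) if dont_fragment else 0   # DF flag; fragment offset 0
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(HDR_FMT, ver_ihl, 0, 20 + len(payload), identification,
                      flags_frag, ttl, protocol, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)               # computed with the checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(pkt) or total_len < ihl or total_len > len(pkt):
        raise ValueError("header/length fields inconsistent with the bytes received")
    header = pkt[:ihl]
    return {
        "ihl": ihl,
        "dscp": tos >> 2, "ecn": tos & 0b11,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(header) == 0,      # sum incl. stored checksum folds to 0
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:],
        "payload": pkt[ihl:total_len],                  # not covered by the header checksum
    }


def router_forward(pkt: bytes):
    """One hop: discard bad checksums, decrement TTL, discard at zero, re-checksum."""
    info = parse_ipv4(pkt)
    if not info["checksum_ok"]:
        return None                 # corrupted header: discard
    if info["ttl"] <= 1:
        return None                 # TTL would hit zero: discard (ICMP Time Exceeded goes back)
    ihl = info["ihl"]
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1                     # TTL is byte 8 of the header
    hdr[10:12] = b"\x00\x00"        # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.1", "198.51.100.7", b"payload!", ttl=3)
    print(parse_ipv4(pkt))
    hop = router_forward(pkt)
    print("after one hop, TTL =", parse_ipv4(hop)["ttl"])
```

Because the header checksum covers the TTL, every router that decrements the TTL must also rewrite the checksum; the code recomputes it from scratch, which is the clearest way to see that the two fields are coupled.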


+++++++++++++++ Cahoot-04-5

1.7.4 IPv4 fragmentation

1.7.5 IPv4 address

2^32 = 4,294,967,296

…about 4.3 billion addresses is not that many.

1.8 Interface addresses and sub-nets

Three separate sub-networks (sub-nets), each with its own block of IP addresses:

Put more routers in the middle, and it’s like the internet:

1.8.1 Sub-net addressing

Hierarchically divide IP addresses and networks:
* To determine the sub-nets, detach each interface from its host or router, creating islands of isolated networks, with interfaces terminating the end points of the isolated networks.
* Each of these isolated networks is called a sub-net.

Sub-networks


The old way of hierarchically dividing up IP addresses:
where the IP address is divided up into:
* n is the network portion
* H is the host portion
Above, the table illustrates the general pattern with n and H, and also the specific, more arbitrary ranges of IP addresses actually assigned to the world by ICANN.

Columns that are general:
* Leading bits
* Size of network number bit field
* Size of rest bit field
* Addresses per network
* Default sub-net mask
* CIDR notation

Columns that are particular to the actual arbitrary real assignment:
* Number of networks
* Total addresses in class
* Start address
* End address

CIDR

because it was too classy and stiff…

++++++++++++++++++++++++++ Cahoot-04-6

04-NetworkData/subnet_color.png

Sub-net mask

You may have understood this in integer encoding:
Sub-net masks are often expressed in dot-decimal notation like an address.
For example, is the sub-net mask for the prefix

But, sub-net masks really make sense when you think about IP addresses in binary encoding:
* For IPv4, a network may also be characterized by its sub-net mask or netmask
* This is a binary trick, to illustrate the n/H (network/host) pattern.
* Functionally, it ends up cleaving the IP address into two parts, the leading network portion, and the trailing host portion.

Specifically, it is a bitmask applied by a bitwise AND operation,
to any IP address in the network, yielding the routing prefix (see below).
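The bitwise AND described above, as an added example that is not part of the lecture notes: Python that shows an address and its mask in binary, converts between dotted-decimal masks and /length prefixes (rejecting non-contiguous masks), cleaves an address into its network and host portions, and counts how many smaller sub-nets fit in a larger one. It goes slightly beyond the text by also deriving the broadcast address and the usable host count from the same mask. All addresses are constructed sample data.

```python
# Added example (not from the lecture notes): what a sub-net mask does in binary.
# Addresses and masks below are constructed sample data.


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def binary(addr: str) -> str:
    """Dotted-binary view, e.g. 192.168.10.77 -> 11000000.10101000.00001010.01001101."""
    return ".".join(format(b, "08b") for b in ip_to_int(addr).to_bytes(4, "big"))


def mask_from_prefix(length: int) -> int:
    """/length -> mask: `length` one-bits followed by (32 - length) zero-bits."""
    if not 0 <= length <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return ((1 << length) - 1) << (32 - length)


def prefix_from_mask(mask: str) -> int:
    """255.255.255.0 -> 24; rejects masks whose one-bits are not contiguous."""
    m = ip_to_int(mask)
    length = bin(m).count("1")
    if m != mask_from_prefix(length):
        raise ValueError(f"non-contiguous mask: {mask}")
    return length


def split_address(addr: str, length: int) -> dict:
    """Apply the mask with bitwise AND: network part, host part, broadcast, host count."""
    a = ip_to_int(addr)
    m = mask_from_prefix(length)
    host_mask = ~m & 0xFFFFFFFF
    return {
        "network": int_to_ip(a & m),            # the leading network portion (routing prefix)
        "host_number": a & host_mask,           # the trailing host portion, as an integer
        "broadcast": int_to_ip(a | host_mask),  # all host bits set
        "usable_hosts": max((1 << (32 - length)) - 2, 0),  # minus network and broadcast
        "cidr": f"{int_to_ip(a & m)}/{length}",
    }


def subnets_in(parent_length: int, child_length: int) -> int:
    """How many /child blocks fit in one /parent block: 2 ** (bits consumed)."""
    if child_length < parent_length:
        raise ValueError("child prefix must be at least as long as the parent")
    return 1 << (child_length - parent_length)


if __name__ == "__main__":
    print(binary("192.168.10.77"))
    print(binary("255.255.255.0"))
    print(split_address("192.168.10.77", prefix_from_mask("255.255.255.0")))
    print(subnets_in(20, 23), "/23 sub-nets in one /20")
```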

Example 1 on a full class sub-net:

Example 2 on a partial CIDR sub-net.

In summary:


++++++++++++++++++++++++++++++++ Cahoot-04-7

Special addresses

(check this out in class)

Loopback / localhost
**There is no place like**

vim /etc/hosts
localhost
::1 localhost

Last row above is IPv6 shorthand (more below).

Broadcast and addresses ending in 0 or 255

Private addresses

Private address jokes are best told in private…

You can do whatever you want with these on your private network, e.g., at home.

+++++++++++++++++++ Cahoot-04-8

1.9 Obtaining IP addresses

**An IPv4 address walks into a bar and yells,**
**"Bartender! Give me a cidr, I'm exhausted!"**

There are eight /23 sub-nets in one /20 sub-net (3 bits consumed, 2^3 = 8)

1.9.1 Allocation

* The IP address space is managed globally by the Internet Assigned Numbers Authority (IANA), and by five regional Internet registries (RIR) responsible in their designated territories for assignment to end users and local Internet registries, such as Internet service providers.
* ICANN assigns blocks to ISPs, regions, countries, etc.
* Companies (including ISPs) buy and sell them.
* ISPs assign them to consumers or other businesses.

Hierarchy in practice

After a company re-selling a block:
Ask: What happens when the ranges are not nicely divided?

Didn’t we run out of IPv4 jokes?

IPv4 space exhaustion

The top-level exhaustion occurred on 31 January 2011.


The consequence of the above, with longest-prefix matching is:

Evolution of the size of the routing tables on the Internet (Jul 1988 - Dec 1992 - source: RFC 1518)
and more modern:
04-NetworkData/bgp-figure11.png

Solutions

Some mitigation efforts and technologies include:
* use of network address translation (NAT), which allows a private network to use one public IP address while permitting private addresses inside the private network;
* use of private network addressing;
* name-based virtual hosting of web sites;
* tighter control by regional Internet registries on the allocation of addresses to local Internet registries;
* network renumbering and subnetting to reclaim large blocks of address space allocated in the early days of the Internet, when the Internet used inefficient classful network addressing;
* IPv6 to the rescue (more below)!

1.9.2 Dynamic Host Configuration Protocol (DHCP)

* [ ] https://www.homenethowto.com/basics/giving-the-computer-an-ip-address/

When logging into a network, how does an interface get an IP address?

1. Hard coded by sys-admin

Goal: Allow host to dynamically obtain its IP address from network server when it joins network.
* Host can also renew its lease on an address in use.
* Allows reuse of retired addresses (only hold address while connected/“on”).

DHCP is a client-server protocol.
* Host broadcasts “DHCP discover” msg [optional]
* DHCP server responds with “DHCP offer” msg [optional]
* Host requests IP address: “DHCP request” msg
* DHCP server sends address: “DHCP ack” msg

DHCP process

  1. DHCP discover message, which a client sends within a UDP packet to port 67, broadcast
  2. A DHCP server receiving a DHCP discover message responds to the client with a DHCP offer message that is broadcast to all nodes on the sub-net, again using the IP broadcast address of
  3. DHCP request. The newly arriving client will choose from among one or more server offers and respond to its selected offer with a DHCP request message, echoing back the configuration parameters.
  4. DHCP ACK. The server responds to the DHCP request message with a DHCP ACK message, confirming the requested parameters.

DHCP query response
In addition to host IP address assignment, DHCP also allows a host to learn additional information:
* such as its subnet mask (indicating network versus host portion of address),
* the address of its first-hop router (often called the default gateway), and
* the address of its local DNS server.

Example

DHCP provides an IP address, and also usually more, including:
* IP address
* Subnet Mask
* IP address of a Default Gateway (router)
* IP address of a DNS server
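The four-step exchange (discover, offer, request, ack) and the extra parameters it carries, as an added example that is not part of the lecture notes: a toy Python client and server that pass DHCP-shaped messages to each other, with a lease pool so that a renewing client keeps its address and a retired (expired) address is handed out again. Every address, MAC and lease time is constructed sample data; the real protocol's UDP ports 67/68 and broadcast addressing are only noted in comments.

```python
# Added example (not from the lecture notes): the four-message DHCP exchange as a
# toy client/server simulation with a lease pool. All addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class DhcpMessage:
    kind: str                 # DISCOVER, OFFER, REQUEST, ACK or NAK
    xid: int                  # transaction id: lets the client match replies to its request
    client_mac: str
    yiaddr: str = ""          # "your" IP address: offered, requested or confirmed
    server_id: str = ""       # identifies which server's offer this message relates to
    options: dict = field(default_factory=dict)   # mask, router, DNS, lease time


class DhcpServer:
    def __init__(self, server_ip, pool, subnet_mask, router, dns, lease_seconds):
        self.server_ip = server_ip
        self.free = list(pool)
        self.leases = {}      # client MAC -> (ip, lease expiry time)
        self.options = {"subnet_mask": subnet_mask, "router": router,
                        "dns": dns, "lease_seconds": lease_seconds}

    def expire(self, now):
        """Retired (expired) addresses go back to the pool for reuse."""
        for mac, (ip, until) in list(self.leases.items()):
            if until <= now:
                del self.leases[mac]
                self.free.append(ip)

    def handle(self, msg, now):
        """Server side of the exchange; returns the reply message or None."""
        self.expire(now)
        if msg.kind == "DISCOVER":          # really a broadcast to UDP port 67
            if msg.client_mac in self.leases:
                ip = self.leases[msg.client_mac][0]     # renewing client keeps its address
            elif self.free:
                ip = self.free[0]
            else:
                return None                             # pool exhausted: no offer
            return DhcpMessage("OFFER", msg.xid, msg.client_mac, ip,
                               self.server_ip, dict(self.options))
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_ip:
                return None                             # client accepted another server's offer
            held = self.leases.get(msg.client_mac)
            if msg.yiaddr in self.free:
                self.free.remove(msg.yiaddr)
            elif not (held and held[0] == msg.yiaddr):
                return DhcpMessage("NAK", msg.xid, msg.client_mac, server_id=self.server_ip)
            self.leases[msg.client_mac] = (msg.yiaddr, now + self.options["lease_seconds"])
            return DhcpMessage("ACK", msg.xid, msg.client_mac, msg.yiaddr,
                               self.server_ip, dict(self.options))
        return None


class DhcpClient:
    def __init__(self, mac, xid):
        self.mac, self.xid, self.config = mac, xid, None

    def discover(self):
        return DhcpMessage("DISCOVER", self.xid, self.mac)

    def request(self, offers):
        """Pick one of the offers (here: the first) and echo its parameters back."""
        chosen = next(o for o in offers if o.kind == "OFFER" and o.xid == self.xid)
        return DhcpMessage("REQUEST", self.xid, self.mac, chosen.yiaddr, chosen.server_id)

    def configure(self, ack):
        if ack is None or ack.kind != "ACK" or ack.xid != self.xid:
            return None
        self.config = {"ip": ack.yiaddr, **ack.options}
        return self.config


def run_exchange(client, server, now=0):
    """DISCOVER -> OFFER -> REQUEST -> ACK; returns the client's configuration or None."""
    offer = server.handle(client.discover(), now)
    if offer is None:
        return None
    ack = server.handle(client.request([offer]), now)
    return client.configure(ack)


def make_server():
    return DhcpServer("192.0.2.1", ["192.0.2.10", "192.0.2.11"], "255.255.255.0",
                      router="192.0.2.1", dns="192.0.2.53", lease_seconds=3600)
```

The client ends up with the four things the list above names (address, mask, default gateway, DNS server) in one dictionary, and the server's `expire` step is what makes address reuse after a host leaves possible.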

1.10 MiddleBoxes

“Middleboxes have generated technical challenges for application development and have incurred scorn and dismay in the network architecture community for violating the end-to-end principle of computer system design.”

Some types of middlebox covered here:
1. Firewall, IPS, IDS
2. NAT
3. Remote generalized SDN / Deep Packet Inspectors (DPI)
4. Load balancers

1.10.1 (1) Firewall, IPS, IDS

The first middlebox is:

Firewall (more later)

IDS

IPS

1.10.2 (2) Network address translation (NAT)

The second middlebox is:


Network Address Translation (NAT) was proposed in [TE1993] and RFC 3022 as a short-term solution to deal with the expected shortage of IPv4 addresses in the late 1980s - early 1990s.

Motivation

The local network uses just one IP address as far as the outside world is concerned:
* a range of addresses is not needed from the ISP: just one IP address for all devices
* addresses of devices in the local network can be changed without notifying the outside world
* the ISP can be changed without changing the addresses of devices in the local network
* devices inside the local network are not explicitly addressable or visible to the outside world (a security plus)

Process

NAT router must:
* outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #)
  * remote clients/servers will respond using (NAT IP address, new port #) as the destination address
* remember (in the NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
* incoming datagrams: replace (NAT IP address, new port #) in the destination fields of every incoming datagram with the corresponding (source IP address, port #) stored in the NAT table

Details

Summary

Wireshark NAT
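The three NAT duties listed above, as an added example that is not part of the lecture notes: a Python `NatRouter` that rewrites outgoing datagrams, records each translation pair, and rewrites incoming replies back to the inside host. Two inside hosts deliberately use the same source port to show why the NAT must allocate a new public port per pair, and an unsolicited inbound datagram with no table entry is dropped, which is the "not visible from outside" property the notes call a security plus. All addresses, ports and payloads are constructed sample data.

```python
# Added example (not from the lecture notes): a NAT router's translation table
# applied to outgoing and incoming datagrams. Addresses and ports are constructed.
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 5000) -> None:
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.table = {}      # (private ip, private port) -> public port
        self.reverse = {}    # public port -> (private ip, private port)

    def outbound(self, d: Datagram) -> Datagram:
        """Replace (source IP, port) with (NAT IP, new port), remembering the pair."""
        key = (d.src_ip, d.src_port)
        if key not in self.table:
            port = next(self._next_port)
            self.table[key] = port
            self.reverse[port] = key
        return Datagram(self.public_ip, self.table[key], d.dst_ip, d.dst_port, d.payload)

    def inbound(self, d: Datagram):
        """Replace (NAT IP, new port) in the destination with the stored private pair."""
        if d.dst_ip != self.public_ip:
            return None
        key = self.reverse.get(d.dst_port)
        if key is None:
            return None      # no table entry: unsolicited traffic cannot reach an inside host
        return Datagram(d.src_ip, d.src_port, key[0], key[1], d.payload)


def demo():
    """Two inside hosts share a source port; only the NAT's new ports tell them apart."""
    nat = NatRouter("203.0.113.1")
    out1 = nat.outbound(Datagram("10.0.0.1", 3345, "198.51.100.7", 80, b"GET /"))
    out2 = nat.outbound(Datagram("10.0.0.2", 3345, "198.51.100.7", 80, b"GET /"))
    reply = nat.inbound(Datagram("198.51.100.7", 80, "203.0.113.1", out2.src_port, b"200 OK"))
    stray = nat.inbound(Datagram("198.51.100.9", 4444, "203.0.113.1", 9999, b"?"))
    return out1, out2, reply, stray


if __name__ == "__main__":
    for d in demo():
        print(d)
```

A real NAT also ages entries out of the table and has to recompute the IP and transport checksums after rewriting; the mapping logic itself is exactly the two lookups shown here.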

1.10.3 (3) Generalized forwarding and software defined networking (SDN)

The third middlebox is:
For example:

1.10.4 (4) Load balancers


+++++++++++++++++++++++ Cahoot-04-9

1.11 IPv6


I heard this really great IPv6 joke,
but I just don’t think you’re ready for it.

IPv6 streamlined the protocol, eliminating work for core routers, deferring that work to the periphery.
* For example, routers no longer compute a header checksum or fragment datagrams
* In support of the: https://en.wikipedia.org/wiki/End-to-end_principle

1.11.1 IPv6 address format

**The sad thing about IPv6 jokes,**
**is that almost no one understands them,**
**and no one is using them yet.**

2001:db8:0:0:8:800:200c:417a is represented as 2001:db8::8:800:200c:417a
ff01:0:0:0:0:0:0:101 is represented as ff01::101
0:0:0:0:0:0:0:1 is represented as ::1
0:0:0:0:0:0:0:0 is represented as ::

But the “:” is used for port number!

For example, an IPv6 address typed into your web browser:

When the URL also contains a port number the notation is:
where the trailing 443 is the example’s port number.
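The shorthand rules illustrated by the list above, as an added example that is not part of the lecture notes: Python that expands the `::` notation back to eight groups, produces the compressed canonical form (lowercase, no leading zeros, the longest run of two or more zero groups replaced by `::`, leftmost run on a tie, as RFC 5952 prescribes), and writes an address into a URL with the square brackets that keep its colons apart from the port separator. The URL host, port and path are constructed sample values.

```python
# Added example (not from the lecture notes): expand and compress IPv6 address text
# (RFC 4291 "::" shorthand, RFC 5952 canonical form) and put one in a URL.
# The sample addresses come from the list above or are constructed.

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> str:
    """Return all eight groups as four hex digits, e.g. ::1 -> 0000:...:0001."""
    if text.count("::") > 1:
        raise ValueError(f"at most one '::' allowed: {text!r}")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero group: {text!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups: {text!r}")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad group {g!r} in {text!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress_ipv6(text: str) -> str:
    """RFC 5952 form: lowercase, no leading zeros, longest run of two or more
    zero groups replaced by '::' (the leftmost run wins a tie)."""
    groups = [int(g, 16) for g in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:                 # strictly longer: ties keep the leftmost run
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                          # a single zero group is written as "0"
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def ipv6_url(addr: str, port: int = None, path: str = "/") -> str:
    """Square brackets keep the address's colons apart from the ':port' separator."""
    host = f"[{compress_ipv6(addr)}]"
    return f"https://{host}:{port}{path}" if port is not None else f"https://{host}{path}"


if __name__ == "__main__":
    for a in ("2001:db8:0:0:8:800:200c:417a", "ff01:0:0:0:0:0:0:101",
              "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:0"):
        print(f"{a} -> {compress_ipv6(a)}")
    print(ipv6_url("2001:db8::1", 443))
```

Normalising to one canonical spelling matters beyond readability: log searches, allow-lists and certificate name checks only match reliably when every producer writes the same address the same way.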

1.11.2 IPv6 Datagram header

https://en.wikipedia.org/wiki/IPv6_packet

Expanded addressing capabilities:

Size and type of addresses were updated.

Size of address

Addressing methods (scope of address)

Unicast
* A unicast address identifies a single network interface.
* The Internet Protocol delivers packets sent to a unicast address to that specific interface.
* Unicast also exists in IPv4

Multicast
* A multicast address is also used by multiple hosts that acquire the multicast address destination by participating in the multicast distribution protocol among the network routers.
* A packet that is sent to a multicast address is delivered to all interfaces that have joined the corresponding multicast group.
* IPv6 does not implement broadcast addressing.
* Broadcast’s traditional role is subsumed by multicast addressing to the all-nodes link-local multicast group ff02::1.
* However, the use of the all-nodes group is not recommended, and most IPv6 protocols use a dedicated link-local multicast group to avoid disturbing every interface in the network.
* Multicast also exists in IPv4

Anycast
* IPv6 introduced a new type of address, called an anycast address, which allows a datagram to be delivered to any one of a group of hosts.
* This feature could be used, for example, to send an HTTP GET to the nearest of a number of mirror sites that contain a given document.

A streamlined 40-byte header:

Flow labeling and priority:

The following fields are defined in IPv6:

Version
* This 4-bit field identifies the IP version number.
* Not surprisingly, IPv6 carries a value of 6 in this field.
* Note that putting a 4 in this field does not create a valid IPv4 datagram.
* If it did, life would be a lot simpler… see the discussion below regarding the transition from IPv4 to IPv6.

Traffic class
* This 8-bit field is similar to the ToS field we saw in IPv4.

Flow label
* As discussed above, this 20-bit field is used to identify a flow of datagrams.

Payload length
* This 16-bit value is treated as an unsigned integer
* It is the number of bytes in the IPv6 datagram, following the fixed-length, 40-byte datagram header.

Next header
* This field identifies the protocol to which the contents (data field) of this datagram will be delivered (for example, to TCP or UDP).
* The field uses the same values as the protocol field in the IPv4 header.
* This field usually specifies the transport layer protocol used by a packet’s payload.
* When extension headers are present in the packet this field indicates which extension header follows.
* The values are shared with those used for the IPv4 protocol field, as both fields have the same function (see List of IP protocol numbers)
* The next header enables a neat extensibility:
* extra headers, like IPsec, or others, can be layered between IP and the Transport layer above (UDP/TCP):
* https://en.wikipedia.org/wiki/IPsec

Hop limit
* The contents of this field are decremented by one by each router that forwards the datagram.
* If the hop limit count reaches zero, the datagram is discarded.
* This is better named than the IPv4 TTL field, which was really hop-limit anyway.

Source and destination addresses
* The various formats of the IPv6 128-bit address are described in RFC 4291.

Data
* This is the payload portion of the IPv6 datagram.
* When the datagram reaches its destination, the payload will be removed from the IP datagram and passed on to the protocol specified in the next header field.

IPv6 Datagram header details

1.11.3 IPv6 sub-net addressing

Structure of IPv6 unicast addresses:
An IPv6 unicast address is composed of three chunks:
1. A global routing prefix that is assigned to the Internet Service Provider that owns this block of addresses
2. A subnet identifier that identifies a customer of the ISP
3. An interface identifier that identifies a particular interface on an endsystem
* Interface identifiers are always 64 bits wide.
* This implies that, while there are 2^128 different IPv6 addresses, they must be grouped in 2^64 subnets.
* This could appear as a waste of resources
* However, using 64 bits for the host identifier allows IPv6 addresses to be auto-configured, and also provides some benefits from a security point of view, as explained in section ICMPv6.
* Given an address size of 128 bits, an IPv6 address therefore usually has a /64 routing prefix
* 128 - 64 = 64 most significant bits
* The standard sub-nets are /64

Example of dividing up subnets:
Each “site” would have 2^16 subnets, where each subnet is 2^64 large.

1.11.4 Obtaining an address

Allocation?

Same as with IPv4 above: super-governmental agencies and companies assign them, and they are re-sold.

When joining a network?

https://en.wikipedia.org/wiki/IPv6_address#Stateless_address_autoconfiguration

DHCP vs Neighbor Discovery Protocol

In IPv4, typical “configuration protocols” include DHCP or PPP.

For IPv6, DHCPv6 exists, but IPv6 hosts normally use the Neighbor Discovery Protocol (NDP) to create a globally routable unicast address.
* The host sends router solicitation requests, and an IPv6 router responds with a prefix assignment.
* NDP (which, among other things, fills the role ARP plays one layer down) defines five ICMPv6 packet types for the purpose of:
  * router solicitation,
  * router advertisement,
  * neighbor solicitation,
  * neighbor advertisement, and
  * network redirects.

Modified EUI-64 addresses

+++++++++++++++ Cahoot-04-10

1.11.5 Interfaces and addresses

We assign each interface in IPv6 multiple IP addresses:
* That is, each interface is multi-homed.

Scope

Each IPv6 address has a scope, which specifies in which part of the network it is valid and unique.
* Some addresses are assumed to be unique, and are only routeable on the local (sub-)network.
* Others must be globally unique, and are globally routeable.

IPv6 addresses are classified by three types of networking methodologies:
1. unicast addresses identify each network interface,
2. anycast addresses identify a group of interfaces, usually at different locations of which the nearest one is automatically selected, and
3. multicast addresses are used to deliver one packet to many interfaces (e.g., only need to hit one of google’s servers)

The broadcast method is not implemented in IPv6.

Standard unicast

Globally addressable unique address.

Unicast and anycast addresses are typically composed of two logical parts:
1. a 64-bit network prefix used for routing, and
2. a 64-bit interface identifier used to identify a host’s network interface.

The typical sizes of the IPv6 address blocks given out are:
* /32 for an Internet Service Provider
* /48 for a single company
* /56 for small user sites (organizations)
* /64 for a single user (e.g. a home user connected via ADSL)
* /128 in the rare case when it is known that no more than one end-host will be attached

Localhost (type of unicast)


::1 localhost

Unique local (type of unicast)

* Unique local addresses have global scope, but they are not globally administered.
* As a result, only other hosts in the same administrative domain (e.g., an organization), or within a cooperating administrative domain, are able to reach such addresses, if properly routed.
* As their scope is global, these addresses are valid as a source address when communicating with any other global-scope address, even though it may be impossible to route packets from the destination back to the source.

Multicast

IPv6 has moved away from LAN-layer broadcast, instead providing a wide range of LAN-layer multicast groups.
* The low order 112 bits of an IPv6 multicast address are the group’s identifier.
* The high order bits are used as a marker to distinguish multicast addresses from unicast addresses.
* Notably, the 4 bits flag field indicates whether the address is temporary or permanent.
* Finally, the scope field indicates the boundaries of the forwarding of packets destined to a particular address.
* A link-local scope indicates that a router should not forward a packet destined to such a multicast address.
* An organization local-scope indicates that a packet sent to such a multicast destination address should not leave the organization.
* Finally the global scope is intended for multicast groups spanning the global Internet.

Anycast
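The multicast address layout described above (ff00::/8 marker, 4-bit flags, 4-bit scope, 112-bit group identifier), as an added example that is not part of the lecture notes: Python that decodes those fields and reports whether a router may forward to the group, and that also tells the unicast kinds from this section apart (loopback, link-local, unique local, global). Parsing uses the standard-library `ipaddress` module; the sample addresses are well-known ones (`::1`, `ff02::1`) or constructed from documentation ranges.

```python
# Added example (not from the lecture notes): decode the flag and scope fields of an
# IPv6 multicast address, and tell the unicast kinds apart. Addresses are well-known
# or constructed. Parsing uses the standard-library ipaddress module.
import ipaddress

MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify_ipv6(text: str) -> dict:
    n = int(ipaddress.IPv6Address(text))           # the address as a 128-bit integer
    if n == 1:
        return {"kind": "loopback", "scope": "host"}          # ::1
    if n == 0:
        return {"kind": "unspecified", "scope": "none"}       # ::
    if n >> 120 == 0xFF:                           # ff00::/8 marks multicast
        flags = (n >> 116) & 0xF                   # 4-bit flags field
        scope = (n >> 112) & 0xF                   # 4-bit scope field
        return {
            "kind": "multicast",
            "transient": bool(flags & 0x1),        # T flag: 1 = temporary, 0 = permanent
            "scope": MULTICAST_SCOPES.get(scope, f"reserved/unassigned ({scope:#x})"),
            "group_id": n & ((1 << 112) - 1),      # low-order 112 bits
            "router_forwards": scope > 0x2,        # interface-/link-local never leave the link
        }
    if n >> 118 == 0b1111111010:                   # fe80::/10 link-local unicast
        return {"kind": "unicast", "scope": "link-local"}
    if n >> 121 == 0b1111110:                      # fc00::/7 unique local
        return {"kind": "unicast", "scope": "global, not globally administered"}
    if n >> 125 == 0b001:                          # 2000::/3 global unicast
        return {"kind": "unicast", "scope": "global"}
    return {"kind": "unicast", "scope": "other/reserved"}


def demo() -> dict:
    samples = ("ff02::1", "ff05::1:3", "ff1e::1234", "fe80::1",
               "fd00::1", "2001:db8::1", "::1")
    return {a: classify_ipv6(a) for a in samples}


if __name__ == "__main__":
    for addr, info in demo().items():
        print(f"{addr:>14}: {info}")
```

The `router_forwards` field is the practical payoff of the scope nibble: a filter that sees `ff02::1` (all nodes, link-local) crossing a router is looking at something that should never happen, whereas `ff1e::1234` (transient, global) legitimately may.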

++++++++++++++++++ Cahoot-04-11

1.11.6 Adoption / deployment

* IPv6 was designed as a replacement for IPv4 which has been in use since 1982, and is in the final stages of exhausting its unallocated address space, but still carries most Internet traffic.
* By 2011, all major operating systems in use on personal computers and server systems had production-quality IPv6 implementations.
Number of IPv6 prefixes and AS on the Internet since 2003
Monthly IPv6 allocations per RIR.

Demo: actually check these out in class (interesting).
* https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
* https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption

1.11.7 Backwards compatibility


The bad thing about IPv6 jokes is that nobody wants to tell them first.

This section can be broken down into several different situations:
1. IPv6-only end-machine to IPv6-only end-machine connections, which must pass through IPv4-only core.
2. IPv4-only end-machine to IPv4 end-machine connections, which must pass through IPv6-only core (more rare in USA).
3. IPv6 and IPv4 co-existence, and prioritization when both are available.
4. IPv6-only end-machine connecting to an IPv4-only end-machine, and vice-versa.

Backwards compatibility via dual-stack

DNS review
* For IPv4 addresses, DNS maintains so-called “A” records, for “Address”.
* The IPv6 equivalent is the “AAAA” record, for “Address four times longer”.
* A dual-stack machine usually requests both.
* Whenever a DNS server delivers an IPv4 A record, it also includes the corresponding AAAA record, much as IPv4 CNAME records are sent with piggybacked corresponding A records.
* Machines that can do both IPv4 and IPv6
* Probably the most straightforward way to introduce IPv6-capable nodes is a dual-stack approach, where IPv6 nodes also have a complete IPv4 implementation.
* Such a node, referred to as an IPv6/IPv4 node in RFC 4213, has the ability to send and receive both IPv4 and IPv6 datagrams.
* When interoperating with an IPv4 node, an IPv6/IPv4 node can use IPv4 datagrams
* When interoperating with an IPv6 node, it can speak IPv6.
* IPv6/IPv4 nodes must have both IPv6 and IPv4 addresses.
* Nodes must be able to determine whether another node is IPv6-capable or IPv4-only.
* This problem can be solved using the DNS, which can return an IPv6 address if the node name being resolved is IPv6-capable, or otherwise return an IPv4 address.
* Of course, if the node issuing the DNS request is only IPv4-capable, the DNS returns only an IPv4 address.

Backwards compatibility via tunneling

A number of other methods exist


**An IPv6 packet walks into a bar.**
**Nobody talks to him.**

1.12 IPsec


While TLS and SSH secure the application layer, IPsec can encrypt the network layer end-to-end:

Cryptographic agreement.
* IPsec allows the two communicating hosts to agree on cryptographic algorithms and keys.

Encryption of IP datagram payloads.
* When the sending host receives a segment from the transport layer, IPsec encrypts the payload.
* The payload can only be decrypted by IPsec in the receiving host.

Data integrity.
* IPsec allows the receiving host to verify that the datagram’s header fields and encrypted payload were not modified while the datagram was en route from source to destination.

Origin authentication.
* When a host receives an IPsec datagram from a trusted source (with a trusted key), the host is assured that the source IP address in the datagram is the actual source of the datagram.
* When two hosts have an IPsec session established between them, all TCP and UDP segments sent between them will be encrypted and authenticated.

IPsec therefore provides blanket coverage, securing all communication between the two hosts for all network applications.

Modes

Two major modes of operation:
04-NetworkData/ipsec-modes.png

Transport mode

Tunnel mode

1.12.1 Functions

IPsec uses the following protocols to perform various functions:

Authentication Headers (AH)
* provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks.

Encapsulating Security Payloads (ESP)
* provides confidentiality, connectionless data integrity, data origin authentication, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.

Internet Security Association and Key Management Protocol (ISAKMP)
* provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.
* The purpose is to generate the Security Associations (SA) with the bundle of algorithms and parameters necessary for AH and/or ESP operations.

For more, see the later section (coming up).


1.14 IP-layer status and error messages

Some of this stuff is not quite data, not quite control…
ICMP differs from transport protocols such as TCP and UDP, in that:
it is not typically used to exchange data between systems,
nor is it regularly employed by end-user network applications,
with the exception of some diagnostic tools like ping and traceroute.
ICMP uses the basic support of IP as if it were a higher level protocol,
however, ICMP is actually an integral part of IP.
Although ICMP messages are contained within standard IP packets,
ICMP messages are usually processed as a special case,
distinguished from normal IP processing.
It is often necessary to inspect the contents of the ICMP message,
and deliver an appropriate error message,
to the application responsible for transmission of the IP packet,
that prompted the sending of the ICMP message.
ICMP is a network layer protocol.
There is no TCP or UDP port number associated with ICMP packets,
as these numbers are associated with the transport layer above.
ICMP is often considered part of IP,
but architecturally it lies just above IP,
as ICMP messages are carried inside IP datagrams.
That is, ICMP messages are carried as IP payload,
just as TCP or UDP segments are carried as IP payload.
When a host receives an IP datagram,
with ICMP specified as the upper-layer protocol,
it demultiplexes the datagram’s contents to ICMP,
just as it would demultiplex a datagram’s content to TCP or UDP.

1.14.1 ICMP

* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6

* https://www.computer-networking.info/1st/html/network/network.html#icmp-version-4
* https://www.computer-networking.info/1st/html/network/network.html#icmp-version-6

* https://www.computer-networking.info/2nd/html/protocols/ipv6.html#icmp-version-6

* http://intronetworks.cs.luc.edu/current2/uhtml/ipv4.html#internet-control-message-protocol
* http://intronetworks.cs.luc.edu/current2/uhtml/ipv6b.html#icmpv6

IPv4 ICMP

ICMP messages are typically used for diagnostic or control purposes,
or generated in response to errors in IP operations (as specified in RFC 1122).
ICMP errors are directed to the source IP address of the originating packet.
It is sometimes necessary for intermediate routers, or the destination host,
to inform the sender of the packet of a problem,
that occurred while processing a packet.
Reporting is done by the Internet Control Message Protocol (ICMP).
ICMP is defined in RFC 792.
ICMP messages are carried as the payload of IP packets
(the protocol value reserved for ICMP is 1).
An ICMP message is composed of an 8 byte header, and a variable length payload,
that usually contains the first bytes of the erroneous packet,
that triggered the transmission of the ICMP message.
ICMP is, like IP, host-to-host,
and so its packets are never delivered to a specific port,
even if they are sent in response to an error,
related to something sent from a port.
Individual UDP and TCP connections do not receive ICMP messages,
even when it would be helpful to get them.
ICMP messages are identified by an 8-bit type field,
followed by an 8-bit subtype, or code.
The ICMP packet is encapsulated in an IPv4 packet.
The packet consists of header and data sections.
Only part of this diagram is the ICMP header:
The Type and Code fields indicate the type of problem,
that was detected by the sender of the ICMP message.
The Checksum protects the entire ICMP message against transmission errors.
The Data field contains additional information for some ICMP messages.

Notable ICMP types in IPv4

ICMP packets come in a variety of types (see these in class):

echo request/reply

* To enable router discovery, the IRDP defines two kinds of ICMP messages:
* The ICMP Router Solicitation Message is sent from a computer host to any routers on the local area network to request that they advertise their presence on the network.
* The ICMP Router Advertisement Message is sent by a router on the local area network to announce its IP address as available for routing.
* And more.
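As an added example (not the course's ICMP-ping code), here is a Python builder and parser for the 8-byte ICMP header described above, with the RFC 1071 checksum and the extraction of the quoted original datagram from a Time Exceeded or Destination Unreachable message, which is how a sender such as traceroute matches an error back to the probe that caused it even though ICMP has no ports. The sample Time Exceeded message and its addresses are constructed, not captured.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # RFC 792 types

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """8-byte header (type, code, checksum, identifier, sequence) + payload."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)   # computed with the checksum field = 0
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload

def parse_icmp(msg: bytes) -> dict:
    """Split header from data and verify the checksum. For the error types the data
    quotes the offending IPv4 header plus the first 8 bytes of its payload (the ports)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    typ, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": typ, "code": code, "checksum_ok": icmp_checksum(msg) == 0}
    if typ in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"], info["data"] = rest >> 16, rest & 0xFFFF, msg[8:]
    elif typ in (DEST_UNREACH, TIME_EXCEEDED):
        inner = msg[8:]                      # quoted original datagram
        if len(inner) < 20:
            raise ValueError("error message does not quote a full IPv4 header")
        ihl = (inner[0] & 0x0F) * 4          # IPv4 header length in bytes
        info["inner_src"] = ".".join(str(b) for b in inner[12:16])
        info["inner_dst"] = ".".join(str(b) for b in inner[16:20])
        info["inner_proto"] = inner[9]
        if inner[9] in (6, 17) and len(inner) >= ihl + 4:   # TCP or UDP: ports come first
            info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

def sample_time_exceeded() -> bytes:
    """Constructed (not captured) Time Exceeded, code 0, quoting a UDP probe whose TTL hit 0."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    inner_udp = struct.pack("!HHHH", 40000, 33434, 8, 0)   # traceroute-style port 33434
    body = inner_ip + inner_udp
    csum = icmp_checksum(struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + body)
    return struct.pack("!BBHI", TIME_EXCEEDED, 0, csum, 0) + body
```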

04-NetworkData/detail_icmp_header.png

IPv6 ICMP

ICMPv6 specifies two classes of messages: error messages that indicate a problem in handling a packet, and informational messages. Four types of error messages are defined in RFC 4443:

1: Destination Unreachable. Such an ICMPv6 message is sent when the destination address of a packet is unreachable. The code field of the ICMP header contains additional information about the type of unreachability. The following codes are specified in RFC 4443:
0: No route to destination. This indicates that the router that sent the ICMPv6 message did not have a route towards the packet’s destination.
1: Communication with destination administratively prohibited. This indicates that a firewall has refused to forward the packet towards its destination.
2: Beyond scope of source address. This message can be sent if the source is using link-local addresses to reach a global unicast address outside its subnet.
3: Address unreachable. This message indicates that the packet reached the subnet of the destination, but the host that owns this destination address cannot be reached.
4: Port unreachable. This message indicates that the IPv6 packet was received by the destination, but there was no application listening to the specified port.

2: Packet Too Big. The router that was to send the ICMPv6 message received an IPv6 packet that is larger than the MTU of the outgoing link. The ICMPv6 message contains the MTU of this link in bytes. This allows the sending host to implement Path MTU discovery (RFC 1981).

3: Time Exceeded. This error message can be sent either by a router or by a host. A router would set code to 0 to report the reception of a packet whose Hop Limit reached 0. A host would set code to 1 to report that it was unable to reassemble received IPv6 fragments.

4: Parameter Problem. This ICMPv6 message is used to report either the reception of an IPv6 packet with an erroneous header field (type 0) or an unknown Next Header or IP option (types 1 and 2). In this case, the message body contains the erroneous IPv6 packet and the first 32 bits of the message body contain a pointer to the error.

Two types of informational ICMPv6 messages are defined in RFC 4443: echo request and echo reply, which are used to test the reachability of a destination with ping6(8).

Applications based on ICMP

Use ICMP messages for user-space purposes.

Ping
$ man ping
$ man ping6

In class: check out wireshark of ping packets

* Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network.
* Ping measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source.
* Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply.
* The program reports errors, packet loss, and a statistical summary of the results, typically including the minimum, maximum, the mean round-trip times, and standard deviation of the mean.
* Check out the message format.

Traceroute
$ man traceroute
$ man traceroute6

In class: check out wireshark of traceroute packets

* traceroute is a network diagnostic command for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
* The traceroute program uses ICMP Time Exceeded messages.
* The time-to-live (TTL) value, also known as hop limit, is used in determining the intermediate routers being traversed towards the destination.
* Traceroute sends packets with TTL values that gradually increase from packet to packet, starting with TTL value of one.
* Routers decrement TTL values of packets by one when routing and discard packets whose TTL value has reached zero, returning the ICMP error message ICMP Time Exceeded.
* For the first set of packets, the first router receives the packet, decrements the TTL value and drops the packet because it then has TTL value zero.
* The router sends an ICMP Time Exceeded message back to the source.
* The next set of packets are given a TTL value of two, so the first router forwards the packets, but the second router drops them and replies with ICMP Time Exceeded.
* Proceeding in this way, traceroute uses the returned ICMP Time Exceeded messages to build a list of routers that packets traverse, until the destination is reached and returns an ICMP Destination Unreachable message if UDP packets are being used or an ICMP Echo Reply message if ICMP Echo messages are being used.
* The sender expects a reply within a specified number of seconds. If a packet is not acknowledged within the expected interval, an asterisk is displayed.

Exploits

* A correctly formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered, and 84 bytes including Internet Protocol version 4 header.
* However, any IPv4 packet (including pings) may be as large as 65,535 bytes.
* Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol.
* Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission.
* However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

* A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP “echo request” (ping) packets.
* This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies.

* An ICMP tunnel establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets.
* An example of this technique is tunneling complete TCP traffic over ping requests and replies.
* ICMP tunneling can be used to bypass firewalls rules through obfuscation of the actual traffic.
* Depending on the implementation of the ICMP tunneling software, this type of connection can also be categorized as an encrypted communication channel between two computers. Without proper deep packet inspection or log review, network administrators will not be able to detect this type of traffic through their network.
* ICMP-tunnels are sometimes used to circumvent firewalls that block traffic between the LAN and the outside world.

Data storage exploit
https://www.youtube.com/watch?v=JcJSW7Rprio

Code

In class:

Check out ICMP-ping python code:
(user@vm-wnet: ../CS3610/pa04_icmp_grader/background_reading/ICMP-ping)

Introduce the traceroute python code for next week:
(user@vm-wnet: ../CS3610/pa04_icmp_grader/background_reading/ICMP-traceroute)

Wireshark demo

1.14.2 ARP

Will cover during data-link layer, though it’s the glue between network and data-link layers.

1.14.3 Default gateways

(a preview of datalink / MAC / LAN layer)
* https://www.homenethowto.com/basics/default-gateway-finding-other-ip-networks/
* https://en.wikipedia.org/wiki/Default_gateway

When a computer wants to send an IP packet,
how does it know whether to send it on the LAN,
or to the internet through its gateway router?

Using the IP address and its subnet information,
either in the form of the subnet mask or CIDR notation.
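The decision above, as an added example that is not part of these notes: the host masks both its own address and the destination with the subnet mask and compares the network bits; equal means on-link (deliver directly on the LAN), otherwise the packet goes to the default gateway. The addresses used are constructed from the documentation ranges.

```python
import socket
import struct

def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def prefix_to_mask(prefix_len: int) -> int:
    """CIDR prefix length -> 32-bit netmask, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def parse_local(cidr: str) -> tuple:
    """'192.0.2.10/24' or '192.0.2.10/255.255.255.0' -> (network, mask) as ints."""
    addr, sep, mask_part = cidr.partition("/")
    if not sep:
        raise ValueError("expected addr/prefix or addr/dotted-mask")
    mask = prefix_to_mask(int(mask_part)) if mask_part.isdigit() else ip_to_int(mask_part)
    return ip_to_int(addr) & mask, mask

def next_hop(local_cidr: str, gateway: str, destination: str) -> str:
    """Address the host resolves at the link layer for this packet:
    the destination itself when its network bits match ours, else the gateway."""
    network, mask = parse_local(local_cidr)
    if ip_to_int(gateway) & mask != network:
        raise ValueError("default gateway must itself be on the local subnet")
    if ip_to_int(destination) & mask == network:
        return destination                  # on-link: send directly on the LAN
    return gateway                          # off-link: hand to the gateway router
```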

1.15 Other network-layer protocols

IP is not the only network-layer protocol: others serve complementary purposes, and there are full alternatives (not popular).

Next: 05-Security.html