1 07-DataLink

Previous: 06-NetworkControl.html

1.1 Audio-recording

1.2 Reminder

Look at section on encapsulation and layering for packet details:


Now, we’re dealing with “Frames”

We are focusing on the LAN (Local Area Network):

Circle with x is router (network layer)
Squares with x are switches.
Lines between them are “links”.
Real physical links and transmission is noisy and un-reliable!


1.3.1 Packet switches

Within Ethernet, one data-link layer protocol

https://www.homenethowto.com/switching/ (great intro, review)

* A switch is more intelligent than an Ethernet hub, which simply re-transmits packets out of every port of the hub except the port on which the packet was received, unable to distinguish different recipients, and achieving an overall lower network efficiency.
* A switch constantly monitors the traffic which is entering the switch from connected devices.
* It then learns about where the different MAC addresses of those devices are connected (port-MAC tuples, stored in its own table).
* It does this by looking at the traffic that arrives from computers, to read MAC addresses of the traffic.
* A layer 2 network device is a multi-port device that uses hardware addresses, MAC addresses, to process and forward data at the data link layer (layer 2).
* They don’t need to send the same packet to every connected device, but learn/know which MAC exists on which cable (port).
* So-called layer 3 and above switches exist, routing packets using information at higher levels, but more simply than routers, for example.

Switches learn the MAC address of the NICs attached to them, such that they may direct traffic to each individual alone, rather than broadcast.
Ask: What advantages does this provide?


1.3.3 All hosts

* link layer implemented in “adapter” (aka network interface card NIC) or on a chip
* Ethernet card, 802.11 card; Ethernet chip-set
* implements link, physical layer
* attaches into host’s system buses
* combination of hardware, software, firmware


1.5.1 Who has MAC addresses


1.5.2 What are MAC addresses used for Broadcasting to all

1.5.3 Why have another address at this layer, in addition to IP?

There are several reasons why hosts and router interfaces have MAC addresses, in addition to network-layer addresses:
* First, LANs are designed for arbitrary network-layer protocols, not just for IP and the Internet.
* If adapters were assigned IP addresses, rather than “neutral” MAC addresses, then adapters would not easily be able to support other network-layer protocols (for example, IPX or DECnet).
* Second, if adapters were to use network-layer addresses instead of MAC addresses, the network-layer address would have to be stored in the adapter RAM, and reconfigured every time the adapter was moved (or powered up).
* Another option is to not use any addresses in the adapters and have each adapter pass the data (typically, an IP datagram) of each frame it receives up the protocol stack.
* The network layer could then check for a matching network-layer address.
* One problem with this option is that the host would be interrupted by every frame sent on the LAN, including by frames that were destined for other hosts on the same broadcast LAN.
* In summary, in order for the layers to be largely independent building blocks in a network architecture, different layers need to have their own addressing scheme.
* We have now seen three types of addresses:
* host names for the application layer,
* port for the transport layer
* IP addresses for the network layer, and
* MAC addresses for the link layer.

Routers and computers have both IP and MAC addresses, but switches have neither:

1.5.4 MAC spoofing

* A MAC address may be referred to as a:
* Burned-in address
* Ethernet hardware address,
* hardware address, or
* physical address.
* Changing MAC addresses is necessary in network virtualization.
* Some modern operating systems, such as Apple iOS and Android, especially in mobile devices, are designed to randomize the assignment of a MAC address to network interface when scanning for wireless access points to avert tracking systems. Want to change your MAC address?

Option 1 (use network manager GUI)


# automatic option 2: easy
sudo dnf install macchanger
man macchanger

# manual option 2: manual, deprecated, old
ifconfig <your device here> hw ether <XX:XX:XX:XX:XX:XX (your new mac address)>

# manual option 3: (modern)
ip link show
sudo ip link set dev <your device here> down
sudo ip link set dev <your device here> address <your new mac address>
sudo ip link set dev <your device here> up

According to Edward Snowden, the USA’s National Security Agency has a system that tracks the movements of mobile devices by monitoring MAC addresses: https://www.wired.com/2014/08/edward-snowden/

+++++++++++++ Cahoot-7-1

1.6.1 Address resolution protocol (ARP)

1.6.2 ARP packet structure


1.6.3 Wireshark some ARP packets

1.6.4 ARP cache and sending ARP requests manually


# See bottom of man page for sub-pages.
man ip

# What is your default gateway (network layer)
man ip-route
ip route help
# Example:
ip route

# manage/view ARP:
man ip-neighbour
ip neigh help
# Example
ip neigh show
ip -statswire neigh show
ip neigh add ...
ip neigh del ...

# clear cache
ip -stats -stats neigh flush all
# -s, -stats, -statistics
# Output more information.
# If the option appears twice or more, the amount of information increases.
# As a rule, the information is statistics or some time values.

# Send ARP request to a neighbour host
man arping

# Send ARP request to via interface eth0
arping -I eth0

# Check for duplicate MAC addresses at on eth0
arping -D -I eth0

# clear cache
ip -s -s neigh flush all

Note these potential points of confusion:
* Depending on which interface you capture on, Wireshark may be giving you synthesized ethernet-layer data (for example, Linux cooked capture).
* If you sniffed real packets on the wire, you’d see the real data.
* Make sure to capture to a real interface (eth0 for example) to get a real capture.
* Further, the ARP protocol has its own source and destination fields, but they are used a little differently.
* For an ARP request the destination MAC in the ARP packet will be 00:00:00:00:00:00 instead of FF:FF:FF:FF:FF:FF.
* The all-zero mac is equivalent to unspecified.
* Is this confusing? Yea… it is.
* The source and destination MAC are present in both the Ethernet layer and the ARP packet.
* And yes, they may be different.
* Gratuitous ARP packet has both, source and destination IP set to the IP address of the device issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff or 00:00:00:00:00:00 based on the ARP implementation

1.6.5 Protocol operation ARP cache

Note that a table does not necessarily contain an entry for every host and router on the sub-net;
some may have never been entered into the table, and others may have expired.
07-DataLink/MAC-IP.png] Basics Sending within the sub-net:

07-DataLink/ARP-request-and-ARP-table-cache.jpg Sending outside the sub-net (remote host):

* A router has an IP address for each of its interfaces.
* For each router interface, there is also an ARP module (in the router) and an adapter.
* Because the router below has two interfaces, it has two IP addresses, two ARP modules, and two adapters.
* Of course, each adapter in the network has its own MAC address.
* A host determines whether an IP address either in or out of its local sub-net by using the IP/sub-net mask/CIDR information.
* When a host needs to send an IPv4 packet to a destination outside of its local sub-net, it must first send the packet to one of the routers that reside on this sub-net.
* When the computer hoping to send a packet outside the sub-net boots, its ARP cache will be empty.
* It must learn the IP address of its default external route (default gateway router).
* It must also learn the MAC address of that default gateway router, to send a packet to it, with an IP address of its final destination.

* in order for a datagram to go from to a host on sub-net 2, the datagram must first be sent to the router interface, which is the IP address of the first-hop router on the path to the final destination.
* Thus, the appropriate MAC address for the frame is the address of the adapter for router interface, namely, E6-E9-00- 17-BB-4B.
* How does the sending host acquire the MAC address for
* By using ARP, of course!
* Once the sending adapter has this MAC address, it creates a frame (containing the datagram addressed to and sends the frame into sub-net 1.
* The router adapter on sub-net 1 sees that the link-layer frame is addressed to it, and therefore passes the frame to the network layer of the router.
* Hooray, the IP datagram has successfully been moved from source host to the router!
* But we are not finished.
* We still have to move the datagram from the router to the destination.
* The router now has to determine the correct interface on which the datagram is to be forwarded.
* This is done by consulting a forwarding table in the router.
* The forwarding table tells the router that the datagram is to be forwarded via router interface
* This interface then passes the datagram to its adapter, which encapsulates the datagram in a new frame and sends the frame into sub-net 2.
* This time, the destination MAC address of the frame is indeed the MAC address of the ultimate destination.
* And how does the router obtain this destination MAC address?
* From ARP, of course!

07-DataLink/arp-detailed1.jpg Default gateway

* A Gateway router that can connect to more than one IP network and can route traffic between those IP networks.
* The router will have its own IP address on each IP network that it connects to.
* A computer can only talk with other IP addresses within its own IP network.
* So for the computer to be able to communicate via a router, at least one of the router’s IP addresses must belong to the same IP network as the computer.
* With the help of the Default Gateway address, the computers can then find their way to all other IP networks in the whole world.
* The computer knows that it can talk directly with any other IP address on the same IP network as itself.
* But as soon as it needs to talk to any other IP network it just needs to send the traffic to the Default Gateway, which is the router.
* Then the router will take over responsibility for routing the traffic towards the destination on the Internet.
* So you could say that by sending the traffic to the default gateway the computer is delegating responsibility for forwarding the traffic to the router.
* The computer will trust that the router can find the destination.
* In turn, the home router will then trust the ISP’s routers to take over responsibility for forwarding traffic further along the path toward the destination.

Q: How does each machine know this sub-net information?
A: Either
1. it got it via DHCP when joining the network, or
2. it was manually configured.

When you configure an IP address manually on a computer you need to configure the same settings that a computer normally receives via DHCP:

* **IP address:**
    * on the same IP network as the router, and not already taken (available).
* **Subnet Mask:**
    * the same that the router is using
* **Default Gateway:**
    * which should be set to the LAN IP address of the router
* **DNS Server address:**
    * either the router LAN IP address or another DNS server on the Internet. You may use the same address that the router normally hands out via DHCP Greedy refreshing

When you observe observe an ARP request, update your cache for the sender of that request:
* The above protocol is sufficient, but there is one further point.
* When A sends its broadcast “who-has D?” ARP query, all other hosts C check their own cache for an entry for A.
* If there is such an entry (that is, if A-IP is found there), then the value for A-LAN is updated with the value taken from the ARP message;
* if there is no pre-existing entry then no action is taken.
* This update process serves to avoid stale ARP-cache entries, which can arise is if a host has had its Ethernet interface replaced.
* (USB Ethernet interfaces, in particular, can be replaced very quickly.) Gratuitous ARP

Piggy-backs on greedy refreshing:
* Most hosts today implement self-ARP, or gratuitous ARP, on startup (or wakeup):
* when station A starts up it sends out an ARP query for itself: “who-has A?”.
* Two things are gained from this:
* first, all stations that had A in their cache are now updated with A’s most current A-LAN address (due to greedy refreshing), in case there was a change, and
* second, if an answer is received, then presumably some other host on the network has the same IPv4 address as A.
* ARP may also be used as a simple announcement protocol.
* This is useful for updating other hosts’ mappings of a hardware address when the sender’s IP address or MAC address has changed.
* Such an announcement, also called a gratuitous ARP message, is usually broadcast as an ARP request containing the SPA in the target field (TPA=SPA), with THA set to zero.
* An alternative way is to broadcast an ARP reply with the sender’s SHA and SPA duplicated in the target fields (TPA=SPA, THA=SHA).
* An ARP announcement is not intended to solicit a reply;
* instead it updates any cached entries in the ARP tables of other hosts that receive the packet.
* Many operating systems perform gratuitous ARP during start-up.
* That helps to resolve problems which would otherwise occur if, for example, a network card was recently changed (changing the IP-address-to-MAC-address mapping) and other hosts still have the old mapping in their ARP caches.
Reminder: 00:00:00:00:00:00 or ff:ff:ff:ff:ff:ff in the ARP header, turn into ff:ff:ff:ff:ff:ff at link-layer header. ARP and duplicate addresses

++++++++++++++ Cahoot-7-2


1.6.6 IPv6 neighbor discovery protocol (NDP) and secure neighbor discovery (SEND)

1.6.7 ARP-security

  1. First, a malicious host could create a denial of service attack on a LAN by sending random replies to the received ARP queries.
  2. A second type of attack is a man-in-the-middle attack.

Example of 2:
Suppose A wants to log in to secure server S, using a password.
How can B (for Bad) impersonate S?
* Here is an ARP-based strategy, sometimes known as ARP Spoofing.
* First, B makes sure the real S is down, either by waiting until scheduled downtime, or by launching a denial-of-service attack against S.
* When A tries to connect, it will begin with an ARP “who-has S?”.
* All B has to do is answer, “S is-at B”.
* There is a trivial way to do this:
* B simply needs to set its own IP address to that of S.
* A will connect, and may be convinced to give its password to B.
* B now simply responds with something plausible like “backup in progress; try later”, and meanwhile use A’s credentials against the real S.
* This works even if the communications channel A uses is encrypted!
* If A is using the SSH protocol, then A will get a message that the other side’s key has changed
* B will present its own SSH key, not S’s.
* Unfortunately, many users (and even some IT departments) do not recognize this as a serious problem.
* Some organizations, especially schools and universities, use personal workstations with “frozen” configuration, so that the filesystem is reset to its original state on every reboot.
* Such systems may be resistant to viruses, but in these environments the user at A will always get a message to the effect that S’s credentials are not known.

In the past, the cache timeout interval was around 10 minutes, but Linux systems now use a much smaller timeout (~30 seconds observed in 2012).

1.6.8 ARP-spoofing

../../Networking/Content/12-LanHacking.html (see code at end of page for how.html)

If you don’t like my ARP jokes, I’ll just blame them on someone else.
I like ARP jokes, because it’s so easy to make them appear to originate from other people.

1.6.9 Defenses against ARP spoofing IDS/IPS

Use Snort, that you set up earlier:
https://en.wikipedia.org/wiki/Snort_(software) Discovering promiscuous network citizens…

* Normally, your NIC will only pass up packets to the OS that are directed to its MAC.
* However, you can put your NIC in promiscuous mode, to grab all the packets.
* Finally, there is an interesting use of ARP to detect Ethernet password sniffers (generally not quite the issue it once was, due to encryption and switching).
* To find out if a particular host A is in promiscuous mode, send an ARP “who-has A?” query.
* Address it not to the broadcast Ethernet address, though, but to some nonexistent Ethernet address.
* If promiscuous mode is off, A’s network interface will ignore the packet.
* But if promiscuous mode is on, A’s network interface will pass the ARP request to A itself, which is likely then to answer it.
* This is one reason wireshark needs sudo

The data link layer has two sub-layers:
1. logical link control (LLC) and
2. media access control (MAC).

1.7.1 Services

Error control:
* errors caused by signal attenuation and noise.
* receiver detects presence of errors:
* and either
* signals sender for re-transmission, or
* drops frame
* or, receiver identifies and corrects bit error(s) without resorting to re-transmission

Flow control
* in addition to the one provided on the transport layer.
* Data-link-layer flow control is not used in LAN protocols such as Ethernet, but is in modems and wireless networks.
* pacing between adjacent sending and receiving nodes. In the medium access control (MAC) sub-layer:

https://en.wikipedia.org/wiki/Logical_link_control Error detection and correction


We can actually recover from some errors. Parity

07-DataLink/parity_matrix.png CRC

See details Flow control

Not in Ethernet, but it is in other protocols.

1.7.3 MAC layer: Sharing and multiple access protocols

Lessons in life and networking:
“Give everyone a chance to speak.”
“Don’t monopolize the conversation.”
“Raise your hand if you have a question.”
“Don’t interrupt when someone is speaking.”
“Don’t speak until you are spoken to.”
“Don’t fall asleep when someone is talking.”

Three broad classes:
* Taking turns
* nodes take turns, but nodes with more to send can take longer turns
* Channel partitioning
* divide channel into smaller “pieces” (time slots, frequency, code)
* allocate piece to node for exclusive use
* Random access
* channel not divided, allow collisions
* “recover” from collisions

Apply to many types of network structures:

07-DataLink/bus-ring-star.png Taking turns Polling

Have a coordinator.
* Controller node “invites” Agent nodes to transmit in turn
* Concerns:
* polling overhead
* latency
* single point of failure (Controller)

In the first diagram, we see that primary station asks station A if it has any data ready for transmission, since A does not have any data queued for transmission it sends a Poll Reject or NAK (negative acknowledgment), and then it asks station B, since B has data ready for transmission, so it transmits the data and in return receives acknowledgment from primary station.

If primary station wants to send data to the secondary stations, it sends a select (sel) message, and if the secondary station accepts the request from the primary station, then it sends back an acknowledgment and then primary station transmits the data and in return receives an acknowledgment.
07-DataLink/poll2.png Token passing

Take turns!
* control token passed from one node to next sequentially.
* token message
* Every computer listens on the shared “circular” bus.
* concerns:
* token overhead
* latency
* single point of failure (token)

It’s like each node is token, but only one at a time, as the pass the … token.

07-DataLink/token-good.jpg Deterministic dividing up the channels

In telecommunications and computer networks, a channel access method or multiple access method allows more than two terminals connected to the same transmission medium to transmit over it and to share its capacity.

07-DataLink/tdm-fdm.png FDMA

* FDMA: frequency division multiple access
* channel spectrum divided into frequency bands
* each station assigned fixed frequency band
* unused transmission time in frequency bands go idle TDMA

* TDMA: time division multiple access
* access to channel in “rounds”
* each station gets fixed length slot (length = packet transmission time) in each round
* unused slots go idle CDMA

To share media, CDMA employs spread spectrum technology and a special coding scheme (where each transmitter is assigned a code). Review
07-DataLink/dma_f-t-c-dma.png Opportunistic random access dividing up the channels

(statistical methods)
* https://en.wikipedia.org/wiki/Statistical_time-division_multiplexing
* https://en.wikipedia.org/wiki/Medium_access_control
* https://en.wikipedia.org/wiki/Channel_access_method#Common_multiple_access_protocols

Assumes collisions will happen, but random access MAC protocol specifies:
* how to detect collisions
* how to recover from collisions (e.g., via delayed re-transmissions) ALOHA


* all frames same are the same size
* time is divided into equal size slots (time to transmit 1 frame)
* nodes start to transmit only at the slot beginning
* nodes are synchronized
* if 2 or more nodes transmit in a given slot, then all nodes detect collision

* when a node obtains a fresh frame, it transmits in the next available slot
* if no collision:
* node can send new frame in next slot
* if collision:
* node re-transmits frame in each subsequent slot, with probability p, until success

Nodes 1, 2, and 3 collide in the first slot.
Nodes 1 and 2 collide in the third slot.
Node 2 finally succeeds in the fourth slot.
Node 1 and 3 collide in the sixth slot.
Node 1 succeeds in the eighth slot.
Node 3 succeeds in the ninth slot. CSMA

* Under CSMA, a transmitter uses a carrier-sense mechanism to determine whether another transmission is in progress before initiating a transmission.
* That is, it tries to detect the presence of a carrier signal from another node before attempting to transmit.
* If a carrier is sensed, the node waits for the transmission in progress to end before initiating its own transmission.
* Using CSMA, multiple nodes may, in turn, send and receive on the same medium.
* Transmissions by one node are generally received by all other nodes connected to the medium.

Carrier-sensing: listen before transmit. CSMA-CA


07-DataLink/csma-no-cd.png CSMA-CD

CSMA/CD: carrier sensing, multiple-access, deferral as in CSMA
* collisions detected within short time
* colliding transmissions aborted, reducing channel wastage
* collision detection:
* easy in wired LANs: measure signal strengths, compare transmitted, received signals
* difficult in wireless LANs: received signal strength overwhelmed by local transmission strength
* human analogy: the polite conversationalist

Ethernet CSMA/CD algorithm: exponential back-off
* NIC receives datagram from network layer, creates frame
* if NIC senses channel idle,
* starts frame transmission.
* else NIC senses channel busy,
* waits until channel idle, then transmits.
* If NIC transmits entire frame without detecting another transmission, NIC is done with frame!
* If NIC detects another transmission while transmitting, aborts and sends jam signal
* After aborting, NIC enters binary (exponential) back-off:
* after collision, NIC chooses K at random from {0, 1, 2, …, 2m-1){width=700px.
* NIC waits K*512 bit times, returns to Step 2 longer back-off interval with more collisions


+++++++++++++ Cahoot-7-3

1.7.4 Ethernet

Note: discussions above were actually just about ONE datalink protocol (including switches).

Modern switched Ethernet:

* no handshaking between sending and receiving NICs

* receiving NIC does not send acks or nacks to sending NIC
* data in dropped frames recovered only if initial sender uses higher layer rdt (e.g., TCP), otherwise dropped data lost

Ethernet’s MAC protocol:
* un-slotted CSMA/CD with binary back-off Frame structure

sending adapter encapsulates IP datagram (or other network layer protocol packet) in Ethernet frame
preamble (more details about why below):
* 7 bytes with pattern 10101010 followed by one byte with pattern 10101011
* used to synchronize receiver, sender clock rates
* 6 byte source, destination MAC addresses
* if adapter receives frame with matching destination address, or with broadcast address (e.g. ARP packet), it passes data in frame to network layer protocol
* otherwise, adapter discards frame

* indicates higher layer protocol (mostly IP but others possible, e.g., Novell IPX, AppleTalk)

* The minimum payload is 42 octets when an 802.1Q tag is present and 46 octets when absent.
* When the actual payload is less, padding bytes are added accordingly.
* The maximum payload is 1500 octets.
* Non-standard jumbo frames allow for larger maximum payload size.

* cyclic redundancy check at receiver
* error detected: frame is dropped
* The frame check sequence (FCS) is a four-octet cyclic redundancy check (CRC) that allows detection of corrupted data within the entire frame as received on the receiver side.
* The FCS value is computed as a function of the protected MAC frame fields:
* source and destination address,
* length/type field,
* MAC client data, and
* padding (that is, all fields except the FCS)
* The checksum/CRC is computed by the sender and placed in the frame before applying bit stuffing.
* Where should the CRC be located in a frame ?
* The transport and datalink layers usually chose different strategies to place their CRCs or checksums.
* Transport layer protocols usually place their CRCs or checksums in the segment header.
* Datalink layer protocols sometimes place their CRC in the frame header, but often in a trailer at the end of the frame.
* This choice reflects implementation assumptions, but also influences performance RFC 893.
* When the CRC is placed in the trailer, as in Ethernet, the datalink layer can compute it while transmitting the frame and insert it at the end of the transmission.
* All Ethernet interfaces use this optimization today.
* When the checksum is placed in the header, as in a TCP segment, it is impossible for the network interface to compute it while transmitting the segment.
* Some network interfaces provide hardware assistance to compute the TCP checksum, but this is more complex than if the TCP checksum were placed in the trailer Ethernet switches Self-learning

A switch table is built automatically, dynamically, and autonomously without any intervention from a network administrator or from a configuration protocol.
In other words, switches are self-learning.
This capability is accomplished as follows:
1. The switch table is initially empty.
2. For each incoming frame received on an interface, the switch stores in its table (1) the MAC address in the frame’s source address field, (2) the interface from which the frame arrived, and (3) the current time. In this manner the switch records in its table the LAN segment on which the sender resides. If every host in the LAN eventually sends a frame, then every host will eventually get recorded in the table.
3. The switch deletes an address in the table if no frames are received with that address as the source address after some period of time (the aging time). In this manner, if a PC is replaced by another PC (with a different adapter), the MAC address of the original PC will eventually be purged from the switch table.

07-DataLink/mactable.jpg Switches versus routers

both are store-and-forward:
routers: network-layer devices (examine network-layer headers)
switches: link-layer devices (examine link-layer headers)

both have forwarding tables:
routers: compute tables using routing algorithms, IP addresses
switches: learn forwarding table using flooding, learning, MAC addresses Switch poisoning

If you want to watch all packets on a network (like you can on wireless anyway), you can force a wired switch to broadcast all, then:
* send tons of packets to the switch with many different bogus source MAC addresses, thereby filling the switch table with bogus entries and leaving no room for the MAC addresses of the legitimate hosts.
* This causes the switch to broadcast most frames, which can then be picked up by the sniffer. Trees and loops

Switches must have ports turned off and not configured in loops, so that broadcasts don’t create broadcast storms. VLANs


https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching Framing and encoding bits

Next: 08-Wireless.html