Review, Part 1

4/8/2009

SNMP Example

[hope@gomez ~]$ snmpget -v1 -c ${ROSTRR} 172.29.158.71 system.sysUpTime.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (951040223) 110 days, 1:46:42.23
[hope@gomez ~]$ snmpget -v1 -c ${ROSTRR} 172.29.158.71 system.sysName.0
SNMPv2-MIB::sysName.0 = STRING: ITS/Franklin Joni
[hope@gomez ~]$ snmpget -v1 -c ${ROSTRR} 172.29.158.71 system.sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: ITS/Franklin Joni (1103)

Final Exam

What if I post the final exam questions by 6 PM on Wednesday 4/29/2009 and you turn it in by 6 PM on 5/6/2009 (the scheduled exam time)? Does anyone have an exam schedule that makes that unreasonable?

• The final will be similar to, but a little harder than the homework.
  • SampleHW1 with SampleA1
  • SampleHW2 with SampleA2

Course Evaluation

I need a volunteer to collect and turn in the forms next time.

Review

Now, on to the review! Unless you have questions ...

Networks

• types
  • connection-oriented aka circuit-switched like ISDN and ATM is a guaranteed, bounded pipe
  • connectionless aka packet-switched like Ethernet is fractal and bursty
• topology
  • distributed: mesh
  • centralized (single root): tree (graph) / star / snowflake / spaghetti
  • Ethernet is usually decentralized (in-between with full or partial mesh in core, single connections at edge)

Network Traffic Types

• unicast (one-to-one), multicast (one-to-many), broadcast (one-to-all)
• full duplex (TX and RX), half duplex (TX or RX), simplex (TX only)
• client-server, peer-to-peer

Network Performance

• time-centric
  • latency
  • jitter
• packet-centric
  • bandwidth
  • throughput
  • packet loss

Network Performance

• ping measures latency, jitter, and packet loss!
• NDT measures TCP throughput
• don't measure latency when there's packet loss (just measuring queue depth)
• can't optimize latency without impacting packet loss

The Seven-Layer Model

Each layer n can put a wrapper, an envelope, on the message from layer n+1

1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application

Layer 1 and up: Network Devices

1. repeater / hub = "multi-port repeater"
   • shared medium, divide bandwidth
2. bridge / switch: keeps SAT (source address table of MACs seen in last 5 minutes), drops errors
   • switched medium, "multiply" bandwidth
3. router = gateway
   • latency

Network Domains

• collision domain
  • bounded by bridge/switch/router (each switch port has its own)
• broadcast domain
  • broadcast domain: bounded by router as LAN or VLAN, the "other side" is WAN

Layer 2: What's a Base?

• baseband: the signal is the information
  • standard Ethernet is 10BaseT (or 100BaseT or 1000BaseT)
• broadband: information (what would be baseband) rides on a carrier signal
  • broadband is like AM radio, if that helps

Ethernet II packet

• preamble (frame) of 8 octets of alternating ones and zeroes
  • preamble provides a baseline for timing, and establishes the voltage values for "1" and "0"
• 6 octets for destination MAC
  • comes first, so you don't have to read as far into the packet
  • vendor code in first 3 octets
• 6 octets for source MAC

Ethernet II packet

• 2 octets for frame type
  • Ethernet frame types
  • Ethernet II has frame type (positions C and D) > 0x05EE
  • assume Ethernet II unless told otherwise
• 46 to 1500 octets of data
  • pad with zeroes if less than 46, fragment across several frames if more than 1500 bytes of payload
• 4 octets of CRC
  • cyclic redundancy checksum, transmission error detection, this is what a switch checks to drop a bad packet

MTU

• maximum transmission unit
• All fragments must arrive before re-assembly.
• In TCP, a single dropped fragment means transmitting the whole segment again.
• But larger packets are more efficient.
• Path MTU is very important!
• traceroute (tracert on Windows) shows you the path of routers

Layer 3: IP packet

IP packet

• 4 bits - version 4
• 4 bits - header length
• 8 bits - type of service
  • 3 bits - precedence
  • 4 bits - service (at most one can be set)
    • minimum delay, maximum throughput, most reliable, least cost
  • 1 bit - 0/unused

IP packet

• 16 bits - total length of packet
• 16 bits - identification
• 3 bits - IP flags
  • 0 - reserved
  • DF - don't fragment
  • MF - more fragments (0 for last fragment)

IP packet

• 13 bits - fragment offset
• 8 bits - TTL
• 8 bits - protocol
• 16 bits - header checksum

IP packet

• 32 bits - source IP address
• 32 bits - destination IP address
• 24 bits - IP options, if any
• 8 bits - padding (if needed)
• minimum and most common IP header is 20 octets

IP Addresses

• 32 bits, dotted decimal
• Class A (0-127), 8 bits network, 24 bits host
• Class B (128-191), 16 bits each
• Class C (192-223), 24 bits network, 8 bits host
• Class D (224-239), multicast
• Class E (240-255), reserved

Netmask

• netmask defines local / neighbors using binary masking operation against own IP address
• Class A 255.0.0.0 or /8, Class B 255.255.0.0 or /16, Class C 255.255.255.0 or /24
• CIDR, classless inter-domain routing, ignores those octet boundaries
• private addresses from RFC 1918
  • 10.0.0.0/8 or 10.0.0.0 to 10.255.255.255
  • 172.16.0.0/12 or 172.16.0.0 to 172.31.255.255
  • 192.168.0.0/16 or 192.168.0.0 to 192.168.255.255

Layer 3 to Layer 2: ARP

• local delivery on LAN needs MAC address
• ARP maps Layer 3 address to Layer 2 address, usually IP to MAC
• When a station hears an ARP for itself, it stores the sender's MAC in its ARP table because it assumes communication may follow.
• proxy ARP - a router answers on behalf of one of its networks; promiscuous ARP, ARP hack
• gratuitous ARP - ARP for self to make sure IP address is available, usually when configuring NIC at boot

ARP packet

ARP packet header

• 6 octets - Ethernet destination address, all 1s, broadcast (reply is unicast)
• 6 octets - Ethernet source address
• 2 octets - frame type, 0x0806 for ARP
  • just an Ethernet II header, at least when the ARP is for Ethernet

ARP packet, request or reply

• 2 octets - hardware type, 1 for Ethernet
• 2 octets - protocol type, 0x0800 for IP, same as Ethernet header
• 1 octet - hardware address size (6 octets)
• 1 octet - protocol address size (4 octets)
• 2 octets - op field
  1. ARP request
  2. ARP reply

Layer 4: ICMP

• ICMP (wikipedia) is contained in IP packets
  • so ICMP has the usual Ethernet and IP headers, while ICMP is the "IP payload," the message in the IP envelope
  • 8 bits - type
  • 8 bits - code
  • 16 bits - checksum
  • message (maybe)
    • ICMP error messages contain the IP header and the first 8 octets of the IP payload of the packet that caused the error.
    • ICMP errors are never generated for ICMP errors, or for Layer 2 broadcast, IP broadcast, IP multicast, or for any packet fragment other than the first, or otherwise any address that does not define a single host. This prevents ICMP broadcast storms from filling all available bandwidth.

Layer 4: Ports

• Layer 4, the Transport Layer, provides connections (sockets and flows) and services (like reliability)
• The Layer 4 port is a unique application identifier.
• (Layer 3):(Layer 4) is a socket.
• (Station A Layer 3):(Station A Layer 4)::(Station B Layer 3):(Station B Layer 4) is a flow.
• look up well-known port numbers at IANA

UDP

• User Datagram Protocol
  • one level of service (for Layer 4) is not to offer any services at all: this is UDP
  • UDP is pure connectionless networking! at its best/worst! (best effort)
  • +: simple, lightweight with small 8 octet header that minimizes L4 overhead
  • -: not reliable, no services, not very configurable

UDP Packet

• 16 bit fields each for source and destination ports, length, and checksum

TCP

• Transmission Control Protocol
  • lost (or late) packets will be re-transmitted for reliability, thanks to ACKs
  • if it ain't UDP ... it's probably TCP
  • TCP and UDP are sorta opposites: reliable vs no services, options vs none, complex vs simple
  • +: reliable, even connection-oriented, many configuration options
  • -: overhead (some TCP packets are all header! 20 bytes > 8 bytes!), complex to program, difficult to optimize

TCP Packet: the TCP Header

• 16 bits each for source and destination ports
• 32 bits each for sequence number and acknowledgement number (what sequence number is expected next from the other end of the conversation)
  • sequence number from 0 to 2³²-1, increment with each packet and wrap

TCP Packet: the TCP Header

• 4 bits for header length, as measured in 32-bit words
  • 20 bytes minimum header length with no options
  • 60 bytes maximum header length
• 6 bits - reserved
• 6 bits for flags
  • URGent pointer is valid
  • ACKnowledgement number is valid
    • retransmissions based on ACKs
  • receiver should PuSH this packet to app asap
  • receiver should ReSeT this connection
  • receiver should SYNchronize sequence numbers to establish a connection
  • sender has FINished data transmission

The SYN Flag

• SYN
  • ISN, initial sequence number
  • maximum segment size, MSS
    • similar to MTU, to avoid the dangers of fragmentation
    • 536 default; BSD wants multiple of 512 so 1024 also common
    • 1460 octets is optimal for Ethernet: 1500 Ethernet max - 20 bytes IP header - 20 bytes TCP header (or 1420 to be safe)

TCP Start

• you can see these states, SYN_SENT, SYN_RECD, ESTABLISHED, with the netstat command

TCP Finish

• first two steps are a half close
• generally four steps since TCP is full duplex, for an orderly release
• ending with a RST is an abortive release
  • discards any queued data
• half-open: one socket open, the other end's socket closed

TCP Finish

• maximum segment lifetime (30 seconds, 1 minute, 2 minutes common)
  • must wait 2MSL before closing socket (on active close side)
  • may retransmit passive close ACK or active close FIN
  • other packets discarded

TCP Traffic Control

• flow control optimizes traffic for the two end points
  • each ACK contains a window advertisement of how much more data can be sent, generally the amount of free buffer
  • a window is number of packets in transit without an ACK (yet)
  • ACKs have a timer, and must show up before curfew
  • ideal window capacity is bandwidth delay product, (bandwidth [bits/sec]) * (RTT [sec]) * [1 byte / 8 bits]
    • TCP gets inefficient and unstable for high values
• congestion control optimizes traffic for the network
  • congestion window: use the smallest one between the congestion window and flow control's advertised window; reset to 1MSS if ACK timeout
  • congestion avoidance: assume packet loss (either the packet or its ACK dropped) due to high network traffic
    • AIMD: additive increase, multiplicative decrease
    • multiplicative decrease: halve the congestion window
    • additive increase: add one segment to congestion window for each received ACK

NAT

• Network Address Translation
  • public address routed "in front of" private addresses
    • IPv4 address are somewhat scarce
    • RFC 1918 private addresses aren't
    • aka PAT, Port Address Translation
    • remember that socket pairs are unique ...
    • but headers are modified ... so some applications like (active) ftp break
  • inherent incoming security
  • (inbound) port forwarding, DMZ

IPv6

• addresses are 128 bits (up from 32 for v4), written as 8 hex strings separated by colons
• no broadcast (different levels of multicast)
• no private addresses (but link local with low TTL)
• no DHCP (but does have automatic configuration)
• less-used options in IPv4 header are now optional for less overhead to offset the larger addresses
• flow-labeling for QoS
• IP Security built-in

IPv6 Header

• RFC 2460
  
• 4 bits - version (6)
• 8 bits - traffic class (priority)
• 20 bits - flow label

IPv6 Header

• 16 bits - payload length, including optional extension headers (or 0 for jumbo)
• 8 bits - next header
• 8 bits - hop limit, like TTL

IPv6 Header

• 128 bits - source address
• 128 bits - destination address

IPv6 Scope

• link local: LAN only, automatic, unrouted
• site local: optional, user assigned, unrouted
• global unicast: IANA assigned unique address
• multicast: several scopes here too ...
• anycast: one-to-nearest, routers only
• loopback: local NIC

IPv6 Multicast Scopes

• 8 bits - routing prefix (fixed)
• 4 bits - flags - 0000 for IANA or 0001 for transient
• 4 bits - scope
  • 0 & 3 & F reserved
  • 1 interface-local scope
  • 2 link-local scope
  • 4 admin-local scope
  • 5 site-local scope
  • 8 org-local scope
  • E global scope

Network Management

• SMI
  • structure of management information
  • rulebook and toolkit
  • ASN.1, Abstract Syntax Notation 1
    • BER, basic encoding rules
    • TLV, tag (8 bits) - length (8 bits) - value (?)
• MIB
  • management information base
  • layout and questionnaire
  • the OID, Object IDentifier, is a complete path through MIB tree, from root to leaf

Network Management

• SNMP
  • simple network management protocol
  • managers and agents
    • agents can send data to manager, unsolicited, snmptrap
    • manager can request data, snmp

RMON

• remote monitoring
  • Statistics
  • History
  • Alarms
  • Events
  • Host
  • HostTopN
  • Matrix
  • Filters
  • Packet Capture
• statistics and functions in Ethernet MIB (so RMON is a subset of SNMP)

MIB Tree

• ASN.1: iso.identified-organization.dod.internet.private.enterprises or 1.3.6.1.4.1

SNMPv1 PDU

• Protocol Data Unit
• header version has offset of 1, so SNMPv1 has value of 0
• header community name is clear text "password"

SNMPv1 PDU

• PDU type
  • 0 GetRequest, 1 GetNextRequest, 2 GetResponse, 3 SetRequest
• request ID is unique
• error status is 0 for no error, non-zero for various error pres
• error index matches a particular OID in the device MIB
• variable bindings have the data in name-value pair(s)

RMON for Measurement

• Statistics (per port)
  • packets sent, bytes sent, broadcast packets, multicast packets, runts, packets by size in five groups, giants, jabbers, fragments, CRC errors, and packets dropped
• Packet Size Groups
  • 64 to 127 bytes, 128 to 255 bytes, 256 to 511 bytes, 512 bytes to 1023 bytes, and 1024 to 1518 bytes
• RMON, expanded tree view
• compare to SNMP, ifInErrors and neighbors in RFC 1213