Internet Exchange Points (IXPs)

Internet Exchange Points (IXPs)

A Bit of History… End of NSFnet – one major backbone Move towards commercial Internet Private companies selling their bandwidth Need for coordination of routingexchange between providers Traffic from ISP A needs to get to ISP B Routing Arbiter project created tofacilitate this

What is an Exchange Point Network Access Points (NAPs)established at end of NSFnet The original “exchange points” Major providers connect their networksand exchange traffic High-speed network or ethernet switch Simple concept – any place whereproviders come together to exchangetraffic

Conceptual Diagram of an IXPExchange Point MediumISP RouterISP RouterISP Router

Internet Exchange PointWhy peer? Consider a region with one ISPThey provide internet connectivity to their customersThey have one or two international connections Internet grows, another ISP sets up incompetitionThey provide internet connectivity to their customersThey have one or two international connections How does traffic from customer of one ISP getto customer of the other ISP?Via the international connections

Internet Exchange PointWhy peer? Yes, International Connections… If satellite, RTT is around 550ms per hop So local traffic takes over 1s round trip International bandwidth… Costs order of magnitude or two more thandomestic bandwidth Becomes congested with local traffic Wastes money, harms performance

Internet Exchange PointWhy peer? Multiple service providers Each with Internet connectivity

Why IXPs? Is not cost effective Backhaul issue causes cost to bothparties

Internet Exchange PointWhy peer? Solution: Two competing ISPs peer with each other Result: Both save money Local traffic stays local Better network performance, better QoS,… More international bandwidth for expensiveinternational traffic Everyone is happy

Why IXPs? Domestic Interconnection

Faculty Qualifications—PN• ONLY applies to free standing PNprograms (not optional exit programs)• Must have:– A license to practice nursing in AZ (AZnursing license or multi-state privilege)– Minimum of a BSN with 2 years RNexperience providing direct patient care– NO DIFFERENCE IN QUALIFICATIONS OFDIDACTIC OR CLINICAL FACULTY

Why IXPs? A third ISP enters the equation

Internet Exchange PointWhy peer? Peering means that the three ISPs haveto buy circuits between each other Works for three ISPs, but adding a fourth ora fifth means this does not scale Solution: Internet Exchange Point

Internet Exchange Point Every participant has to buy just onewhole circuit From their premises to the IXP Rather than N-1 half circuits to connectto the N-1 other ISPs 5 ISPs have to buy 4 half circuits = 2 wholecircuits → already twice the cost of the IXPconnection

Internet Exchange Point SolutionEvery ISP participates in the IXPCost is minimal – one local circuit covers all domestictrafficInternational circuits are used for just internationaltraffic – and backing up domestic links in case theIXP fails Result:Local traffic stays localQoS considerations for local traffic is not an issueRTTs are typically sub 10msCustomers enjoy the Internet experienceLocal Internet economy grows rapidly

Internet Exchange Point Ethernet switch in the middle

Why use an IXP? PEERING Shared medium vs. point-to-point Shared can exchange traffic with multiple peers at onelocation via one interface Point-to-Point for high volumes of traffic

Why use an IXP? KEEP LOCAL TRAFFIC LOCAL!!! ISPs within a region peer with each other atthe local exchange No need to have traffic go overseas only tocome back Much reduced latency and increasedperformance

Why use an IXP? SAVES MONEY!!! Traffic going overseas means transitcharges paid to your upstream ISP Money stays in local economy Used to provide better local infrastructure andservices for customers Customers pay less for Internet access Therefore more customers sign up ISP has more customers, better business

Why use an IXP? VASTLY IMPROVES PERFORMANCE!!! Network RTTs between organisations in thelocal economy is measured in milliseconds,not seconds Packet loss becomes virtually non-existent Customers use the Internet for moreproducts, services, and activities

Exchange Point DesignISP 6ISP 5 ISP 4IXP Services:TLD DNS,Routing RegistryLooking Glass,news, etcEthernet SwitchIXPManagementNetworkISP 1ISP 2ISP 3

Exchange Point DesignISP 6ISP 5 ISP 4IXP Services:TLD DNS,Routing RegistryLooking Glass,news, etcEthernet SwitchesIXPManagementNetworkISP 1ISP 2ISP 3

Peering at an IXP Each participant needs to run BGP They need their own AS number Each participant configures externalBGP with the other participants in theIXP Peering with all participantsor Peering with a subset of participants

IP Address Space Some IXPs use private addresses for the IXPLANPublic address space means the IXP network can beleaked to the Internet, which could be undesirableFiltering RFC1918 address space by ISPs is BestPractice; this avoids leakage Some IXPs use public addresses for the IXPLANAddress space is available from the RIRs for IXPsIXP terms of participation usually forbid carrying theIXP LAN addressing in the ISP backbone

Exchange Point examples LINX in London, UK Ethernet switches AMS-IX in Amsterdam, NL Ethernet switches SIX in Seattle, US Ethernet switches JPNAP in Tokyo, Japan Ethernet switches

DHCP

DHCP: Dynamic HostConfiguration Protocol Goal: allow host to dynamically obtain its IPaddress from network server when it joinsnetworkCan renew its lease on address in useAllows reuse of addresses (only hold address whileconnected an “on”Support for mobile users who want to join network(more shortly) DHCP overview:host broadcasts “DHCP discover” msgDHCP server responds with “DHCP offer” msghost requests IP address: “DHCP request” msgDHCP server sends address: “DHCP ack” msg

DHCP client-server scenario223.1.1.4223.1.1.2223.1.1.1DHCPserver223.1.2.1223.1.2.9223.1.1.3223.1.3.27223.1.3.1223.1.2.2223.1.3.2arriving DHCPclient needsaddress in thisnetwork

DHCP client-server scenarioDHCP server: 223.1.2.5DHCP discoversrc : 0.0.0.0, 68dest.: 255.255.255.255,67yiaddr: 0.0.0.0transaction ID: 654arrivingclienttimeDHCP requestDHCP offersrc: 0.0.0.0, 68dest:: 255.255.255.255, 67yiaddrr: 223.1.2.4transaction ID: 655Lifetime: 3600 secssrc: 223.1.2.5, 67dest: 255.255.255.255, 68yiaddrr: 223.1.2.4transaction ID: 654Lifetime: 3600 secsDHCP ACKsrc: 223.1.2.5, 67dest: 255.255.255.255, 68yiaddrr: 223.1.2.4transaction ID: 655Lifetime: 3600 secs

Domain Name System(DNS)

Computers use IP addresses.Why do we need names? Names are easier for people toremember Computers may be moved betweennetworks, in which case their IP addresswill change.

The old solution: HOSTS.TXT A centrally-maintained file, distributedto all hosts on the InternetSPARKY 128.4.13.9UCB-MAILGATE 4.98.133.7FTPHOST 200.10.194.33... etc This feature still exists: /etc/hosts (UNIX) c:\windows\hosts

hosts.txt does not scale✗ Huge file (traffic and load)✗ Name collisions (name uniqueness)✗ Consistency✗ Always out of date✗ Single point of Administration✗ Did not scale well

The Domain Name Systemwas born DNS is a distributed database for holdingname to IP address (and other) information Distributed:Shares the AdministrationShares the Load Robustness and improved performanceachieved throughreplicationand caching Employs a client-server architecture A critical piece of the Internet's infrastructure

DNS is Hierarchical.(root)/ (root)uk com orgetcbinusrac.ukgoogle.com ba.comunesco.org/etc/hostsusr/local usr/sbinlboro.ac.ukmaps.google.comusr/local/srcDNS DatabaseUnix FilesystemForms a tree structure

DNS: Root name serverscontacted by local name server that can not resolvenameroot name server:contacts authoritative name server if name mapping notknownreturns mapping to top-level name servera NSI Herndon, VAc PSInet Herndon, VAd U Maryland College Park, MDg DISA Vienna, VAh ARL Aberdeen, MDj NSI (TBD) Herndon, VAk RIPE Londoni NORDUnet Stockholmm WIDE Tokyoe NASA Mt View, CAf Internet Software C. Palo Alto,CAb USC-ISI Marina del Rey, CAl ICANN Marina del Rey, CA

DNS: iterated queriesroot name serverrecursive query:puts burden ofname resolution oncontacted nameserverheavy load?iterated query:contacted serverreplies with name ofserver to contact“I don’t know thisname, but ask thisserver”local name serveragate.lut.ac.uk.128requesting hostmaps.google.com347iterated queryintermediate name serverB.GTLD-SERVERS.NET.5 6authoritative name serverns3.google.commaps.google.com

DNS is Hierarchical (contd.) Globally unique names Administered in zones (parts of thetree) You can give away ("delegate") controlof part of the tree underneath you Example: google.com on one set of nameservers maps.google.com on a different set www.maps.google.com on another set

Domain Names are (almost)unlimited Max 255 characters total length Max 63 characters in each part RFC 1034, RFC 1035 If a domain name is being used as ahost name, you should abide by somerestrictions RFC 952 (old!) a-z 0-9 and minus (-) only No underscores ( _ )

Using the DNS A Domain Name (like www.lut.ac.uk) isthe KEY to look up information The result is one or more RESOURCERECORDS (RRs) There are different RRs for differenttypes of information You can ask for the specific type youwant, or ask for "any" RRs associatedwith the domain name

Commonly seen ResourceRecords (RRs) A (address): map hostname to IPv4 address AAAA (quad A): map a hostname to IPv6address PTR (pointer): map IP address to hostname MX (mail exchanger): where to deliver mailfor user@domain CNAME (canonical name): map alternativehostname to real hostname TXT (text): any descriptive text NS (name server), SOA (start of authority):used for delegation and management of theDNS itself

A Simple Example Query: www.lut.ac.uk. Query type: A Result:www.lut.ac.uk. 22725 IN A 158.125.1.208 In this case a single RR is found, but ingeneral, multiple RRs may bereturned. (IN is the "class" for INTERNET use of theDNS)

Possible results from a Query POSITIVE one or more RRs found NEGATIVE definitely no RRs match the query SERVER FAIL cannot find the answer REFUSED not allowed to query the server

How do you use an IP addressas the key for a DNS query Convert the IP address to dotted-quad Reverse the four parts Add ".in-addr.arpa." to the end; specialdomain reserved for this purposee.g. to find name for 158.125.1.208Domain name: 208.1.125.158.in-addr.arpa.Query Type: PTRResult: www.lut.ac.uk.Known as a "reverse DNS lookup" (because we arelooking up the name for an IP address, ratherthan the IP address for a name)

DNS is a Client-Serverapplication (Of course - it runs across a network) Requests and responses are normallysent in UDP packets, port 53 Occasionally uses TCP, port 53 for very large requests (larger than 512-bytes) e.g. zone transfer from master toslave or an IPv6 AAAA (quad A) record.

There are three roles involvedin DNSApplicatione.g. webbrowserResolverCachingNameserverAuthoritativeNameserver

Three roles in DNS RESOLVERTakes request from application, formats it into UDPpacket, sends to cache CACHING NAMESERVERReturns the answer if already knownOtherwise searches for an authoritative server whichhas the informationCaches the result for future queriesAlso known as RECURSIVE nameserver AUTHORITATIVE NAMESERVERContains the actual information put into the DNS bythe domain owner

Three roles in DNS The SAME protocol is used for resolver cache and cache auth NScommunication It is possible to configure a single nameserver as both caching and authoritative But it still performs only one role foreach incoming query Common but NOT RECOMMENDED toconfigure in this way (we will see whylater).

ROLE 1: THE RESOLVER A piece of software which formats aDNS request into a UDP packet, sends itto a cache, and decodes the answer Usually a shared library (e.g.libresolv.so under Unix) because somany applications need it EVERY host needs a resolver - e.g.every Windows workstation has one

How does the resolver find acaching nameserver? It has to be explicitly configured(statically, or via DHCP etc) Must be configured with the IPADDRESS of a cache (why not name?) Good idea to configure more than onecache, in case the first one fails

How do you choose whichcache(s) to configure? Must have PERMISSION to use it e.g. cache at your ISP, or your own Prefer a nearby cache Minimises round-trip time and packet loss Can reduce traffic on your external link,since often the cache can answer withoutcontacting other servers Prefer a reliable cache Perhaps your own?

Resolver can be configuredwith default domain(s) If "foo.bar" fails, then retry query as"foo.bar.mydomain.com" Can save typing but adds confusion May generate extra unnecessary traffic Usually best avoided

Example: Unix resolverconfiguration/etc/resolv.confdomain lboro.ac.uknameserver 158.125.1.100nameserver 131.231.16.7That's all you need to configure a resolver

Testing DNS with "dig" "dig" is a program which just makes DNSqueries and displays the results Better than "nslookup", "host" because itshows the raw information in fulldig lboro.ac.uk.-- defaults to query type "A"dig lboro.ac.uk. mx-- specified query typedig @8.8.8.8 lboro.ac.uk. mx-- send to particular cache (overrides/etc/resolv.conf)

The trailing dot# dig lboro.ac.uk. Prevents any default domain beingappended Get into the habit of using it alwayswhen testing DNS only on domain names, not IP addresses ore-mail addresses

dig lboro.ac.uk.; DiG 9.6.0-APPLE-P2 lboro.ac.uk.;; global options: +cmd;; Got answer:;; ->>HEADER

Understanding output from dig STATUS FLAGSNOERROR: 0 or more RRs returnedNXDOMAIN: non-existent domainSERVFAIL: cache could not locate answerREFUSED: query not available on cache serverAA: Authoritative answer (not from cache)You can ignore the others QR: Query/Response (1 = Response) RD: Recursion Desired RA: Recursion Available ANSWER: number of RRs in answer

Understanding output from dig Answer section (RRs requested)Each record has a Time To Live (TTL)Says how long the cache will keep it Authority sectionWhich nameservers are authoritative for this domain Additional sectionMore RRs (typically IP addresses for the authoritativenameservers) Total query time Check which server gave the response!If you make a typing error, the query may go to adefault server

DNS recordsDNS: distributed db storing resource records (RR)RR format: (name, value, type,ttl) Type=Aname is hostnamevalue is IP addressType=NS name is domain (e.g.foo.com) value is IP address ofauthoritative name serverfor this domain Type=CNAMEname is alias name for some“cannonical” (the real) namewww.lboro.ac.uk is reallywww.lut.ac.uk.value is cannonical name Type=MXvalue is name of mailserverassociated with name

DNS protocol, messagesDNS protocol : query and reply messages, both with samemessage formatmsg header identification: 16 bit #for query, reply to queryuses same #flags: query or reply recursion desiredrecursion availablereply is authoritative

DNS protocol, messagesName, type fieldsfor a queryRRs in reponseto queryrecords forauthoritative serversadditional “helpful”info that may be used

HTTP(Hypertext Transfer Protocol)

HTTP overviewHTTP: hypertext transferprotocol Web’s application layerprotocol client/server model client: browser thatrequests, receives,“displays” Web objects server: Web server sendsobjects in response torequests HTTP 1.0: RFC 1945 HTTP 1.1: RFC 2068PC runningExplorerMac runningSafariServerrunningApache Webserver

HTTP overview (continued)Uses TCP:client initiates TCPconnection (creates socket)to server, port 80server accepts TCPconnection from clientHTTP messages(application-layer protocolmessages) exchangedbetween browser (HTTPclient) and Web server(HTTP server)TCP connection closedHTTP is “stateless”server maintains noinformation aboutpast client requestsProtocols that maintain“state” are complex!asidepast history (state) mustbe maintainedif server/client crashes,their views of “state” maybe inconsistent, must bereconciled

HTTP connectionsNonpersistent HTTP At most one object issent over a TCPconnection. HTTP/1.0 usesnonpersistent HTTPPersistent HTTP Multiple objects canbe sent over singleTCP connectionbetween client andserver. HTTP/1.1 usespersistentconnections indefault mode

Nonpersistent HTTP(contains text,references to 10Suppose user enters URL:jpeg images)http://www.someSchool.edu/someDepartment/home.index1a. HTTP client initiates TCPconnection to HTTP server(process) atwww.someSchool.edu onport 80time2. HTTP client sends HTTPrequest message (containingURL) into TCP connectionsocket. Message indicatesthat client wants objectsomeDepartment/home.index1b. HTTP server at hostwww.someSchool.edu waitingfor TCP connection at port 80.“accepts” connection,notifying client3. HTTP server receivesrequest message, formsresponse message containingrequested object, and sendsmessage into its socket

Nonpersistent HTTP (cont.)5. HTTP client receivesresponse messagecontaining html file, displayshtml. Parsing html file, finds10 referenced jpeg objects4. HTTP server closes TCPconnection.time6. Steps 1-5 repeated for eachof 10 jpeg objects

Response time modelingDefinition of RTT: time to senda small packet to travelfrom client to server andback.Response time: one RTT to initiate TCPconnection one RTT for HTTP requestand first few bytes of HTTPresponse to return file transmission timetotal = 2RTT+transmit timeinitiate TCPconnectionRTTrequestfileRTTfilereceivedtimetimetime totransmitfile

Persistent HTTPNonpersistent HTTP issues: requires 2 RTTs per object OS must work and allocate hostresources for each TCPconnection but browsers often openparallel TCP connections tofetch referenced objectsPersistent HTTP server leaves connection openafter sending response subsequent HTTP messagesbetween same client/server aresent over connectionPersistent withoutpipelining: client issues new requestonly when previousresponse has beenreceived one RTT for eachreferenced objectPersistent with pipelining: default in HTTP/1.1 client sends requests assoon as it encounters areferenced object as little as one RTT for allthe referenced objects

HTTP request message two types of HTTP messages: request, response HTTP request message:ASCII (human-readable format)request line(GET, POST,HEAD commands)headerlinesCarriage return,line feedindicates endof messageGET /somedir/page.html HTTP/1.1Host: www.someschool.eduUser-agent: Mozilla/4.0Connection: closeAccept-language:en(extra carriage return, line feed)

HTTP request message:general format

Uploading form inputPost method: Web page often includesform input Input is uploaded toserver in entity bodyURL method: Uses GET method Input is uploaded inURL field of requestline:www.somesite.com/animalsearch?monkeys&banana

Method typesHTTP/1.0 GET POST HEADasks server to leaverequested object out ofresponseHTTP/1.1 GET, POST, HEAD PUTuploads file in entitybody to path specifiedin URL field DELETEdeletes file specifiedin the URL field

Conditional GET: client-sidecachingGoal: don’t sendobject if client has upto-datecached versionclient: specify date ofcached copy in HTTPrequestIf-modified-since:clientHTTP request msgIf-modified-since:HTTP responseHTTP/1.0304 Not Modifiedserverobjectnotmodifiedserver: responsecontains no object ifcached copy is up-todate:HTTP/1.0 304 NotModifiedHTTP request msgIf-modified-since:HTTP responseHTTP/1.0 200 OKobjectmodified

HTTP response messagestatus line(protocolstatus codestatus phrase)data, e.g.,requestedHTML fileheaderlinesHTTP/1.1 200 OKConnection closeDate: Sun, 06 Dec 2009 12:00:15 GMTServer: Apache/1.3.0 (Unix)Last-Modified: Fri, 04 Dec 2009...Content-Length: 6821Content-Type: text/htmldata data data data data ...

HTTP response status codesIn first line in server->client response message.A few sample codes:200 OKrequest succeeded, requested object later in thismessage301 Moved Permanentlyrequested object moved, new location specified laterin this message (Location:)400 Bad Requestrequest message not understood by server404 Not Foundrequested document not found on this server505 HTTP Version Not Supported

Trying out HTTP (client side) for yourself1. Telnet to your favorite Web server:telnet www.lboro.ac.uk 80Opens TCP connection to port 80(default HTTP server port).Anything typed in sentto port 80 at www.lut.ac.uk.2. Type in a GET HTTP request:GET /index.html HTTP/1.0By typing this in (hit carriagereturn twice), you sendthis minimal (but complete)GET request to HTTP server3. Look at response message sent by HTTP server!

Cookies: keeping “state”Many major Web sites usecookiesFour components:1) cookie header line in the HTTPresponse message2) cookie header line in HTTPrequest message3) cookie file kept on user’s hostand managed by user’s browser4) back-end database at Web siteExample:Susan access Internetalways from same PCShe visits a specifice-commerce site forfirst timeWhen initial HTTPrequests arrives atsite, site creates aunique ID and createsan entry in backenddatabase for ID

Cookies: keeping “state” (cont.)clientserverCookie fileebay: 8734usual http request msgusual http response +Set-cookie: 1678servercreates ID1678 for userCookie fileamazon: 1678ebay: 8734one week later:usual http request msgcookie: 1678usual http response msgcookiespecificactionaccessCookie fileamazon: 1678ebay: 8734usual http request msgcookie: 1678usual http response msgcookiespectificaction

Cookies (continued)What cookies can bring: authorization shopping carts recommendations user session state(Web e-mail)asideCookies and privacy: cookies permit sites tolearn a lot about you you may supply nameand e-mail to sitessearch engines useredirection & cookies tolearn yet moreadvertising companiesobtain info across sites

User-server interaction:authorizationAuthorization: control accessto server content authorization credentials:typically name, password stateless: client mustpresent authorization ineach request authorization: headerline in each request if no authorization:header, server refusesaccess, sendsWWW authenticate:header line inresponseclientusual http request msg401: authorization req.WWW authenticate:usual http request msg+ Authorization: usual http response msgusual http request msg+ Authorization: usual http response msgservertime

CDNs(Content Distribution Networks)

Web caches (proxy server)Goal: satisfy client request without involving origin serveruser sets browser: Webaccesses via cachebrowser sends all HTTPrequests to cacheobject in cache: cachereturns objectclientProxyserveroriginserverelse cache requestsobject from origin server,then returns object toclientclient

More about Web cachingCache acts as both client andserverCache can do up-to-date checkusing If-modified-sinceHTTP headerIssue: should cache take riskand deliver cached objectwithout checking?Heuristics are used.Typically cache is installed byISP (university, company,residential ISP)Why Web caching?Reduce response time forclient request.Reduce traffic on aninstitution’s access link.Internet dense withcaches enables “poor”content providers toeffectively delivercontent

Content distribution networks(CDNs)The content providers arethe CDN customers.origin serverin North AmericaContent replication CDN company installshundreds of CDN serversthroughout Internet in lower-tier ISPs, closeto users CDN replicates itscustomers’ content in CDNservers. When providerupdates content, CDNupdates serversCDN serverin S. AmericaCDN distribution nodeCDN serverin EuropeCDN serverin Asia

CDN example12HTTP request forhttp://www.foo.com/sports/sports.htmlOrigin serverDNS query for www.cdn.com3CDNs authoritative DNS serverHTTP request forhttp://www.cdn.com/www.foo.com/sports/ruth.gifNearby CDN serverorigin server www.foo.com distributes HTMLReplaces:http://www.foo.com/sports.ruth.gifwithhttp://www.cdn.com/www.foo.com/sports/ruth.gifCDN company cdn.com distributes gif files uses its authoritativeDNS server to routeredirect requests

FTP(File Transfer Protocol)

FTP: the file transfer protocoluserat hostFTP userinterfaceFTPclientlocal filesystemfile transferFTPserverremote filesystem transfer file to/from remote host client/server model client: side that initiates transfer (either to/from remote) server: remote host ftp: RFC 959 ftp server: port 21

FTP: separate control, data connectionsFTP client contacts FTPserver at port 21, specifyingTCP as transport protocolClient obtains authorizationover control connectionClient browses remotedirectory by sendingcommands over controlconnection.When server receives acommand for a file transfer,the server opens a TCP dataconnection to clientAfter transferring one file,server closes connection.FTPclientTCP control connectionport 21TCP data connectionport 20FTPserverServer opens a second TCPdata connection to transferanother file.Control connection: “out ofband”FTP server maintains“state”: current directory,earlier authentication

FTP commands, responsesSample commands:sent as ASCII text overcontrol channelUSER usernamePASS passwordLIST return list of file incurrent directoryRETR filename retrieves(gets) fileSTOR filename stores(puts) file onto remotehostSample return codesstatus code and phrase(as in HTTP)331 Username OK,password required125 data connectionalready open; transferstarting425 Can’t open dataconnection452 Error writing file

E-Mail(SMTP, POP, IMAP)

Electronic MailThree major components:user agentsmail serverssimple mail transfer protocol:SMTPUser Agent a.k.a. “mail reader” composing, editing, reading mailmessages e.g., Eudora, Outlook, mutt,Apple Mail outgoing, incoming messagesstored on serveruseragentSMTPuseragentuseragentSMTPSMTPuseragentuseragentuseragent

Electronic MailMail Serversmailbox contains incomingmessages for usermessage queue of outgoing(to be sent) mail messagesSMTP protocol between mailservers to send emailmessages client: sending mail server “server”: receiving mailserveruseragentuseragentSMTPSMTPSMTPuseragentuseragentuseragentuseragent

Electronic Mail: SMTP [RFC 2821]uses TCP to reliably transfer email message from clientto server, port 25direct transfer: sending server to receiving serverthree phases of transfer handshaking (greeting) transfer of messages closurecommand/response interaction commands: ASCII text response: status code and phrase messages must be in 7-bit ASCII

Scenario: Alice sends messageto Bob1) Alice composes a message“to” bob@someschool.edu2) Alice’s user agent sendsmessage to her mailserver; message placed inmessage queue3) Client side of SMTP opensTCP connection with Bob’smail server4) SMTP client sends Alice’smessage over the TCPconnection5) Bob’s mail server placesthe message in Bob’smailbox6) Bob invokes his useragent to read message1useragent2 3456useragent

Sample SMTP interactionS: 220 hamburger.eduC: HELO crepes.frS: 250 Hello crepes.fr, pleased to meet youC: MAIL FROM: S: 250 alice@crepes.fr... Sender okC: RCPT TO: S: 250 bob@hamburger.edu ... Recipient okC: DATAS: 354 Enter mail, end with "." on a line by itselfC: Do you like ketchup?C: How about pickles?C: .S: 250 Message accepted for deliveryC: QUITS: 221 hamburger.edu closing connection

Try SMTP interaction foryourself: telnet servername 25 see 220 reply from server enter HELO, MAIL FROM, RCPT TO, DATA,QUIT commandsabove lets you send email without using emailclient (reader)

SMTP: final wordsSMTP uses persistentconnectionsSMTP requires message(header & body) to be in 7-bit ASCIIComparison with HTTP:HTTP: pullSMTP: pushboth have ASCIIcommand/responseinteraction, status codesHTTP: each objectencapsulated in its ownresponse msgSMTP: multiple objectssent in multipart msg

Mail message formatSMTP: protocol forexchanging email msgsRFC 822: standard for textmessage format: header lines, e.g., To: From: Subject:different from SMTPcommands!bodythe “message”, ASCIIcharacters onlyheaderbodyblankline

Message format: multimediaextensions MIME: multimedia mail extension, RFC 2045, 2056additional lines in msg header declare MIME contenttypeMIME versionmethod usedto encode datamultimedia datatype, subtype,param. declarationencoded dataFrom: alice@crepes.frTo: bob@hamburger.eduSubject: Picture of yummy crepe.MIME-Version: 1.0Content-Transfer-Encoding: base64Content-Type: image/jpegbase64 encoded data ....................................base64 encoded data

MIME typesContent-Type: type/subtype; parametersTextexample subtypes: plain,htmlImageexample subtypes: jpeg, gifAudio example subtypes: basic (8-bit mu-law encoded), 32kadpcm(32 kbps coding)Videoexample subtypes:mpeg, quicktimeApplicationother data that must beprocessed by readerbefore “viewable”example subtypes:msword, octet-stream

Multipart TypeFrom: alice@crepes.frTo: bob@hamburger.eduSubject: Picture of yummy crepe.MIME-Version: 1.0Content-Type: multipart/mixed; boundary=StartOfNextPart--StartOfNextPartDear Bob, Please find a picture of a crepe.--StartOfNextPartContent-Transfer-Encoding: base64Content-Type: image/jpegbase64 encoded data ....................................base64 encoded data--StartOfNextPartDo you want the recipe?

POP3 Short for Post Office Protocol, a protocolused to retrieve e-mail from a mail server. Still most e-mail applications use the POPprotocol, although some can use the newerIMAP (Internet Message Access Protocol). There are two versions of POP. The first, calledPOP2, became a standard in the mid-80's andrequires SMTP to send messages. The newerversion, POP3, can be used with or withoutSMTP. POP3 uses TCP/IP port 110.

POP3 protocolauthorization phaseclient commands: user: declare username pass: passwordserver responses +OK -ERRtransaction phase, client:list: list message numbersretr: retrieve message bynumberdele: deletequitS: +OK POP3 server readyC: user bobS: +OKC: pass hungryS: +OK user successfully logged onC: listS: 1 498S: 2 912S: .C: retr 1S: S: .C: dele 1C: retr 2S: S: .C: dele 2C: quitS: +OK POP3 server signing off

POP3 (more) and IMAPMore about POP3 Previous example uses“download and delete”mode. Bob cannot re-read e-mail if he changes client “Download-and-keep”:copies of messages ondifferent clients POP3 is stateless acrosssessionsIMAP Keep all messages inone place: the server Allows user to organizemessages in foldersIMAP keeps user stateacross sessions:names of folders andmappings betweenmessage IDs and foldername

IMAP IMAP is an Internet Message AccessProtocol. It is a method of accessingelectronic mail messages that are kept on apossibly shared mail server. In other words, itpermits a "client" email program to accessremote message stores as if they were local.For example, email stored on an IMAP servercan be manipulated from a desktop computerat home, a workstation at the office, and anotebook computer while travelling, withoutthe need to transfer messages or files backand forth between these computers. IMAP uses TCP/IP port 143.

POP3 vs IMAPWith IMAP, all your mail stays on the server in multiplefolders, some of which you have created. This enablesyou to connect to any computer and see all your mailand mail folders. In general, IMAP is great if you have adedicated connection to the Internet or you like tocheck your mail from various locations.With POP3 you only have one folder, the Inbox folder.When you open your mailbox, new mail is moved fromthe host server and saved on your computer. If youwant to be able to see your old mail messages, youhave to go back to the computer where you last openedyour mail.With POP3 "leave mail on server" only your emailmessages are on the server, but with IMAP your emailfolders are also on the server.

Test POP3 and IMAP ….. # telnet localhost 143 Connected to staff-mail.lboro.ac.uk. Escape character is '^]'. * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACETHREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS]Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distributioninformation. a login username password a OK LOGIN Ok. a examine inbox * FLAGS (\Answered \Flagged \Deleted \Seen \Recent) * OK [PERMANENTFLAGS ()] No permanent flags permitted * 26 EXISTS * 0 RECENT * OK [UIDVALIDITY 989061119] Ok * OK [READ-ONLY] Ok a logout * BYE Courier-IMAP server shutting down a OK LOGOUT completed Connection closed by foreign host.

EximExim is an open source mail transfer agent (MTA),which is a program responsible for receiving, routing,and delivering e-mail messages (this type of program issometimes referred to as an Internet mailer, or a mailserver program). MTAs receive e-mail messages andrecipient addresses from local users and remote hosts,perform alias creation and forwarding functions, anddeliver the messages to their destinations. Exim wasdeveloped at the University of Cambridge for the use ofUnix systems connected over the Internet. The softwarecan be installed in place of sendmail, the most commonMTA for UNIX and Linux systems. In comparison tosendmail, Exim is said to feature more straightforwardconfiguration and task management.

Network Address Translation(NAT)

NAT: Network AddressTranslation Motivation: local network uses just one IPaddress as far as outside word isconcerned:no need to be allocated range of addresses fromISP: just one IP address is used for all devicescan change addresses of devices in localnetwork without notifying outside worldcan change ISP without changing addresses ofdevices in local networkdevices inside local net not explicitlyaddressable, visible by outside world (a securityplus).

Private Network Private IP network is an IP network that is notdirectly connected to the Internet IP addresses in a private network can beassigned arbitrarily.Not registered and not guaranteed to be globallyunique Generally, private networks use addressesfrom the following experimental addressranges (non-routable addresses): 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255

Private Addresses

NAT: Network AddressTranslationrest ofInternet138.76.29.7local network(e.g., home network)10.0.0/2410.0.0.410.0.0.110.0.0.210.0.0.3All datagrams leaving localnetwork have same singlesource NAT IP address:138.76.29.7,different source port numbersDatagrams with source ordestination in this networkhave 10.0.0/24 address forsource, destination (as usual)

NAT: Network AddressTranslationImplementation: NAT router must:outgoing datagrams: replace (source IP address,port #) of every outgoing datagram to (NAT IPaddress, new port #). . . remote clients/servers will respond using (NATIP address, new port #) as destination addr.remember (in NAT translation table) every (source IPaddress, port #) to (NAT IP address, new port #)translation pairincoming datagrams: replace (NAT IP address, newport #) in dest fields of every incoming datagramwith corresponding (source IP address, port #)stored in NAT table

NAT: Network AddressTranslation2: NAT gw changesdatagram sourceaddr from 10.0.0.4,3345 to138.76.29.7, 5001,updates table2NAT translation tableWAN side addr LAN side addr138.76.29.7, 5001 10.0.0.4, 3345…………S: 138.76.29.7, 5001D: 128.119.40.186, 8010.0.0.1S: 10.0.0.4, 3345D: 128.119.40.186, 8011: host 10.0.0.4sends datagram to128.119.40, 8010.0.0.410.0.0.2138.76.29.7S: 128.119.40.186, 80D: 138.76.29.7, 5001 33: Reply arrivesdest. address:138.76.29.7, 5001S: 128.119.40.186, 80D: 10.0.0.1, 3345 44: NAT routerchanges datagramdest addr from138.76.29.7, 5001 to 10.0.0.4, 334510.0.0.3

NAT: Network AddressTranslation 16-bit port-number field:60,000 simultaneous connections with a single LANsideaddress! NAT is controversial:violates end-to-end argument NAT possibility must be taken into account by appdesigners, eg, P2P applicationsaddress shortage should instead be solved by IPv6

Simple NAT(Public IP addresses)(Private IPaddresses)MainInternetNAT(Public IP addresses)

Provider NATs? ConsideredHarmful156.148.70.32MainInternet(Public IP addresses)ISPNAT192.168.2.99HomeNATHomenetworkISPnetwork192.168.2.12(Private IPadresses)10.0.0.12

NAT traversal: relayRelay S2MainInternet1NATNATLocalnetwork192.168.2.99Localnetwork10.0.0.12host Bhost A

TURN protocol Protocol for UDP/TCP relaying behindNAT Data is bounced to a public TURN server No hole punching TURN works even behind symmetricNAT

Hole punching Technique to allow traffic from/to a hostbehind a firewall/NAT withoutcollaboration of the NAT itself UDP: simple TCP: Berkeley sockets allows TCP socket toinitiate an outgoing or listen for an incomingconnectionsbut not both Solution: bind multiple sockets to samelocal endpoint

STUN (RFC 3489) Defines operations and messageformats to understand type of NAT Discovers presence and type of NAT andfirewalls between them and Internet Allows applications to determine theirpublic NAT IP address

STUNT Simple Traversal of UDP Through NATsand TCP too (STUNT) Extends STUN to include TCPfunctionality

Configuring NAT in LinuxLinux uses the Netfilter/iptable package to addfiltering rules to the IP module

Configuring NAT with iptableFirst example:iptables –t nat –A POSTROUTING –s 10.0.1.2–j SNAT --to-source 128.143.71.21Pooling of IP addresses:iptables –t nat –A POSTROUTING –s 10.0.1.0/24–j SNAT --to-source 128.128.71.0–128.143.71.30ISP migration:iptables –t nat –R POSTROUTING –s 10.0.1.0/24–j SNAT --to-source 128.195.4.0–128.195.4.254IP masquerading:iptables –t nat –A POSTROUTING –s 10.0.1.0/24–o eth1 –j MASQUERADELoad balancing:iptables -t nat -A PREROUTING -i eth1 -j DNAT --todestination10.0.1.2-10.0.1.4

Multimedia Networking

Multimedia, Quality of Service (QoS): What is it?Multimedia applications:Network audio and video(“continuous media”)QoSNetwork providesapplication with level ofperformance needed forapplication to function.

GoalsPrinciples Classify multimedia applications Identify the network services the appsneed Making the best of best effort serviceProtocols and architectures Specific protocols for best-effort Architectures for QoS

MM networking applicationsClasses of MM applications:1) Streaming stored audioand video2) Streaming live audioand video3) Real-time interactiveaudio and videoJitter is the variabilityof packet delays withinthe same packet streamFundamentalcharacteristics: Typically delaysensitiveEnd-to-end delayDelay jitter But loss tolerant:infrequent lossescause minor glitches Antithesis of data,which are lossintolerant but delaytolerant.

Streaming stored multimedia Streaming: Media stored at source Transmitted to client Streaming: client playout begins before alldata has arrived Timing constraint for still-to-be transmitteddata: in time for playout

Streaming stored multimedia:What is it?Cumulative data1. videorecorded2. videosentnetworkdelay3. video received,played out at clienttimeStreaming: at this time, clientplaying out early part of video,while server still sending laterpart of video

Streaming live multimediaExamples: Internet radio talk show Live sporting eventStreaming Playback buffer Playback can lag tens of seconds aftertransmission Still have timing constraintInteractivity Fast forward impossible Rewind, pause possible!

Interactive, real-timemultimedia Applications: IP telephony,video conference, distributedinteractive worlds End-end delay requirements: Audio: < 150 msec good, < 400 msec OK Includes application-level (packetization) and networkdelays Higher delays noticeable, impair interactivity Session initialization How does callee advertise its IP address, portnumber, encoding algorithms?

A few words about audiocompression Analog signal sampledat constant rate Telephone: 8,000samples/sec CD music: 44,100samples/sec Each sample quantized,i.e., roundedE.g., 2 8 =256 possiblequantized values Each quantized valuerepresented by bits8 bits for 256 values Example: 8,000samples/sec, 256quantized values -->64,000 bps Receiver converts itback to analog signal:Some quality reductionExample rates CD: 1.411 Mbps MP3: 96, 128, 160 kbps Internet telephony:5.3 - 13 kbps

Streaming multimedia: ClientbufferingCumulative dataconstant bitrate videotransmissionvariablenetworkdelayclient videoreceptionbufferedvideoconstant bitrate videoplayout at clientclientplayoutdelay Client-side buffering, playout delaycompensate for network-added delay,delay jittertime

Packet loss and delay Network loss: IP datagram lost due to networkcongestion (router buffer overflow) Delay loss: IP datagram arrives too late forplayout at receiverDelays: processing, queuing in network; end-system(sender, receiver) delaysTypical maximum tolerable delay: 400 ms Loss tolerance: depending on voice encoding,losses concealed, packet loss rates between1% and 10% can be tolerated.

Multimedia over today’s InternetTCP/UDP/IP: “best-effort service” no “QoS” No guarantees on delay, loss??? ? ???But you said multimedia apps requiresQoS and level of performance to beeffective!?? ??Today’s Internet multimedia applicationsuse application-level techniques to mitigate(as best possible) effects of delay, loss

How should the Internet evolveto better support multimedia?Integrated services philosophy:Fundamental changes inInternet so that apps canreserve end-to-endresourcesincluding bandwidthRequires new, complexsoftware in hosts & routersLaissez-faire: No major changesMore bandwidth whenneededContent distribution,application-layer multicastApplication layerDifferentiated servicesphilosophy:Fewer changes to Internetinfrastructure, yet provide1st and 2nd class service

Improving QOS in IP NetworksThus far: “making the best of best effort”Future: next generation Internet with QoSguarantees RSVP: signaling for resource reservations Differentiated Services: differential guarantees Integrated Services:firm guarantees simple modelfor sharing andcongestionstudies:

Principles for QOS Guarantees Example: 1Mbps IP phones and FTP/p2pshare 1.5 Mbps link. bursts of FTP can congest router, cause audioloss want to givepriority toaudio overFTPPrinciple 1packet marking needed for router todistinguish between different classes; andnew router policy to treat packets accordingly

Principles for QOS Guaranteeswhat if applications misbehave (audio sends higher thandeclared rate)policing: force source adherence to bandwidth allocationsmarking and policing at network edge:similar to ATM UNI (User Network Interface)Principle 2provide protection (isolation) for one class from others

Principles for QOS Guarantees Allocating fixed (non-sharable)bandwidth to flow: inefficient use ofbandwidth if flows doesn’t use itsallocationPrinciple 3While providing isolation, it is desirable touse resources as efficiently as possible

Principles for QOS Guarantees Basic fact of life: can not support trafficdemands beyond link capacityPrinciple 4Call Admission: flow declares its needs, network mayblock call (e.g., busy signal) if it cannot meet needs

Summary of QoS Principles

Scheduling And PolicingMechanisms scheduling: choose next packet to send onlink FIFO (first in first out) scheduling: send inorder of arrival to queue discard policy: if packet arrives to full queue:who to discard? Tail drop: drop arriving packet priority: drop/remove on priority basis random: drop/remove randomly

Scheduling Policies: morePriority scheduling: transmit highestpriority queued packet multiple classes, with different priorities class may depend on marking or otherheader info, e.g. IP source/dest, portnumbers, etc..

Scheduling Policies: still moreround robin scheduling: multiple classes cyclically scan class queues, serving onefrom each class (if available)

Scheduling Policies: still moreWeighted Fair Queuing: generalized Round Robin each class gets weighted amount ofservice in each cycle

IETF Differentiated ServicesDiffserv approach: simple functions in network core,relatively complex functions at edgerouters (or hosts) Do’t define define service classes,provide functional components to buildservice classes

Diffserv ArchitectureEdge router: per-flow trafficmanagement marks packets as in-profileand out-profilescheduling.Core router: per class traffic management buffering and schedulingbased on marking at edge preference given to in-profilepackets Assured Forwardingmarking

Edge router pckt markingprofile: pre-negotiated rate A, bucket size Bpacket marking at edge based on per-flow profileRate ABUser packetsPossible usage of marking:class-based marking: packets of different classes markeddifferentlyintra-class marking: conforming portion of flow markeddifferently than non-conforming one

Classification and Conditioning Packet is marked in the Type of Service(TOS) in IPv4, and Traffic Class in IPv6 6 bits used for Differentiated ServiceCode Point (DSCP) and determine PHBthat the packet will receive 2 bits are currently unused

Classification and Conditioningmay be desirable to limit traffic injectionrate of some class: user declares traffic profile (e.g., rate,burst size) traffic metered, shaped if nonconforming

Firewalls156

FirewallsBy conventional definition, a firewall is a partition madeof fireproof material designed to prevent the spreadof fire from one part of a building to another.firewallisolates organization’s internal net from larger Internet,allowing some packets to pass, blocking others.privately administered222.22/16Internet

Firewall goals All traffic from outside to inside andvice-versa passes through the firewall. Only authorized traffic, as defined bylocal security policy, will be allowed topass. The firewall itself is immune topenetration.

Firewalls: taxonomy1. Traditional packetfiltersfilters often combinedwith router, creatinga firewall2. Stateful filters3. ApplicationgatewaysMajor firewall vendors:CheckpointCisco PIX

Traditional packet filtersAnalyzes each datagram going through it; makesdrop decision based on: source IP address destination IPaddress source port destination port TCP flag bitsSYN bit set: datagramfor connectioninitiationACK bit set: part ofestablishedconnection TCP or UDP or ICMPFirewalls oftenconfigured to block allUDP directionIs the datagramleaving or enteringthe internal network? router interfacedecisions can bedifferent for differentinterfaces

Filtering Rules - ExamplesPolicyNo outside Web access.Outside connections topublic Web server only.Prevent Web-radios fromeating up the availablebandwidth.Prevent your networkfrom being used for aSmuft DoS attack.Prevent your networkfrom being traceroutedFirewall SettingDrop all outgoing packets toany IP address, port 80Drop all incoming TCP SYNpackets to any IP except130.207.244.203, port 80Drop all incoming UDP packets- except DNS and routerbroadcasts.Drop all ICMP packets goingto a “broadcast” address (eg130.207.255.255).Drop all incoming ICMP

Access control listsApply rules from top to bottom:actionsourceaddressdestaddressprotocolsourceportdestportflagbitallow 222.22/16outside of222.22/16TCP > 1023 80anyallowoutside of222.22/16222.22/16TCP 80 > 1023 ACKallow 222.22/16outside of222.22/16UDP > 1023 53 ---allowoutside of222.22/16222.22/16UDP 53 > 1023 ----deny all all all all all all

Access control lists Each router/firewall interface can haveits own ACL Most firewall vendors provide bothcommand-line and graphicalconfiguration interface

Advantages and disadvantages oftraditional packet filters AdvantagesOne screening router can protect entire networkCan be efficient if filtering rules are kept simpleWidely available. Almost any router, even Linuxboxes DisadvantagesCan be penetratedCannot enforce some policies. For example, permitcertain users.Rules can get complicated and difficult to test

Firewall Lab: iptables Converts linux box into a packet filter. Part of most linux distributions today.linuxhostlinuxhost w/iptablesstudentnetworkyour job:configure

Firewall lab: iptables iptables Provides firewall capability to a linux host Comes installed with linux Fedora With other versions of Linux, may need toinstall RPM

Chain typesInternetlinuxhost w/iptablesprotectednetworkINPUTchainInternetlinuxhost w/iptablesprotectednetworkOUTPUTchainInternetlinuxhost w/iptablesprotectednetworkFORWARDchain

iptables: Example commandiptables –A INPUT –i eth0 –s 232.16.4.0/24 –j ACCEPT Sets a rule Accepts packets that enter from interface eth0and have source address in 232.16.4/24 Kernel applies the rules in order. The first rule that matches packet determinesthe action for that packet Append: -A Adds rule to bottom of list of existing rules

iptables: More examplesiptables –Llist current rulesiptables –Fflush all rulesiptables – D INPUT 2 deletes 2 nd rule in INPUT chainiptables –I INPUT 1 –p tcp –tcp-flags SYN –s232.16.4.0/24 –d 0/0:22 –j ACCEPT-I INPUT 1, put rule at topAccept TCP SYNs to port 22 (ssh) from232.16.4.0/24

iptables Options-p protocol type (tcp, udp, icmp)-s source IP address & port number-d dest IP address & port number-i interface name (lo, ppp0, eth0)-j target (ACCEPT, DENY)-l log this packet--sport source port--dport dest port--icmp-type

Firewall Lab: Part A Rules for outgoing traffic:Your local machine should be able to communicatewith the student network without any restrictions. Rules for incoming traffic:All incoming connection requests should be rejected,with the following exception: Your machine should respond to Ping from network10.0.0/24 Your machine should accept all incoming SSH, HTTP,FTP requests from Network 10.0/16 Your machine should accept all incoming telnetconnections from the machine 10.0.0.1 and10.0.0.110. All multicast traffic should be allowed OSPF traffic should be allowed

Firewall Lab: Part B Rules for outgoing traffic from internal node:Outgoing SSH, and ICMP traffic should be allowedAll multicast traffic should be allowedOSPF traffic should be allowedAll other traffic should be blocked Rules for incoming traffic to protected server:All incoming SSH, http, SMTP, Ping, and anonymousftp should be permittedAll multicast traffic should be allowedOSPF traffic should be allowedAll other incoming traffic should be blocked

Stateful Filters In previous example, any packet withACK=1 and source port 80 gets in. Attacker could, for example, attempt amalformed packet attack by sending ACK=1segments Stateful filter: Adds more intelligence tothe filter decision-making process Stateful = remember past packets Memory implemented in a very dynamicstate table

Stateful filters: example Log each TCP connection initiated through firewall: SYN segment Timeout entries which see no activity for, say, 60 secondssourcedestsourcedestaddressaddressportport222.22.1.7 37.96.87.123 12699 80222.22.93.2199.1.205.23 37654 80222.22.65.143 203.77.240.43 48712 80If rule table indicates that stateful table must be checked:check to see if there is already a connection in stateful tableStateful filters can also remember outgoing UDP segments

Stateful example1) Packet arrives from outside: SA=37.96.87.123, SP=80,DA=222.22.1.7, DP=12699, SYN=0, ACK=12) Check filter table ➜ check stateful tableactionsourceaddressdestaddressprotosourceportdestportflagbitcheckconxionallow 222.22/16outside of222.22/16TCP > 1023 80anyallowoutside of222.22/16222.22/16TCP 80 > 1023 ACKxallow 222.22/16outside of222.22/16UDP > 1023 53 ---allowoutside of222.22/16222.22/16UDP 53 > 1023 ----xdeny all all all all all all3) Connection is listed in connection table ➜ let packet through

Demarcation Zone (DMZ)applicationgatewayfirewallInternetInternalnetworkWebserverFTPserverDNSserverDemilitarized zone