An Introduction to Computer Networks

Transcript

1 An Introduction to Computer Networks Release 1.9.18 Peter L Dordal Mar 31, 2019

2

3 CONTENTS 0 Preface 3 3 0.1 Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 0.2 Classroom Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0.3 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 0.4 Progress Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7 0.5 Technical considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 0.6 A Note On the Cover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0.7 Recent Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 1 An Overview of Networks 13 1.1 Layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 1.2 Data Rate, Throughput and Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 1.3 Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 1.4 Datagram Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 1.5 Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 1.6 Routing Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 1.7 Congestion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 1.8 Packets Again . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 1.9 LANs and Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 1.10 IP - Internet Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 1.11 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 1.12 Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 1.13 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 1.14 Some Useful Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 1.15 IETF and OSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 1.16 Berkeley Unix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 1.17 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 1.18 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 2 Ethernet 45 2.1 10-Mbps Classic Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 2.2 100 Mbps (Fast) Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 2.3 Gigabit Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 2.4 Ethernet Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 2.5 Spanning Tree Algorithm and Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 i

4 2.6 Virtual LAN (VLAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 2.7 TRILL and SPB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 2.8 Software-Defined Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 2.9 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 2.10 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 3 Other LANs 85 3.1 Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 3.2 Carrier Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 3.3 Token Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 3.4 Virtual Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 3.5 Asynchronous Transfer Mode: ATM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 3.6 Adventures in Radioland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 3.7 Wi-Fi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 3.8 WiMAX and LTE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 3.9 Fixed Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 3.10 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 3.11 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 4 Links 137 4.1 Encoding and Framing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 4.2 Time-Division Multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 4.3 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 4.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 5 Packets 149 5.1 Packet Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 5.2 Packet Delay Variability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 5.3 Packet Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 5.4 Error Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 5.5 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 5.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 165 6 Abstract Sliding Windows 6.1 Building Reliable Transport: Stop-and-Wait . . . . . . . . . . . . . . . . . . . . . . . . . . 165 6.2 Sliding Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 6.3 Linear Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 6.4 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 6.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 185 7 IP version 4 7.1 The IPv4 Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 7.2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 7.3 Special Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 7.4 Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 7.5 The Classless IP Delivery Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 7.6 IPv4 Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 7.7 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 ii

5 7.8 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 7.9 Address Resolution Protocol: ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 7.10 Dynamic Host Configuration Protocol (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . 217 7.11 Internet Control Message Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 7.12 Unnumbered Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 7.13 Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 7.14 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 7.15 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 8 IP version 6 229 8.1 The IPv6 Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 8.2 IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 8.3 Network Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 8.4 IPv6 Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 8.5 IPv6 Extension Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 8.6 Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 8.7 IPv6 Host Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 8.8 Globally Exposed Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 8.9 ICMPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 8.10 IPv6 Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 8.11 Using IPv6 and IPv4 Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 8.12 IPv6 Examples Without a Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 8.13 IPv6 Connectivity via Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 8.14 IPv6-to-IPv4 Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 8.15 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 8.16 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 9 Routing-Update Algorithms 263 9.1 Distance-Vector Routing-Update Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 264 9.2 Distance-Vector Slow-Convergence Problem . . . . . . . . . . . . . . . . . . . . . . . . . . 268 9.3 Observations on Minimizing Route Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 9.4 Loop-Free Distance Vector Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 9.5 Link-State Routing-Update Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 9.6 Routing on Other Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 9.7 ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 9.8 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 9.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 10 Large-Scale IP Routing 291 10.1 Classless Internet Domain Routing: CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 10.2 Hierarchical Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 10.3 Legacy Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 10.4 Provider-Based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 10.5 Geographical Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 10.6 Border Gateway Protocol, BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 10.7 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 10.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 iii

6 11 UDP Transport 325 11.1 User Datagram Protocol – UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 11.2 Trivial File Transport Protocol, TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337 11.3 Fundamental Transport Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 11.4 Other TFTP notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344 11.5 Remote Procedure Call (RPC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 11.6 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 11.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 355 12 TCP Transport 12.1 The End-to-End Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 12.2 TCP Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 12.3 TCP Connection Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 12.4 TCP and WireShark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 12.5 TCP Offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 12.6 TCP simplex-talk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 12.7 TCP state diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 12.8 TCP Old Duplicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 12.9 TIMEWAIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 12.10 The Three-Way Handshake Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 12.11 Anomalous TCP scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 12.12 TCP Faster Opening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 12.13 Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 12.14 TCP Sliding Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380 12.15 TCP Delayed ACKs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 12.16 Nagle Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 12.17 TCP Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 12.18 Silly Window Syndrome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 12.19 TCP Timeout and Retransmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 12.20 KeepAlive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 12.21 TCP timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 12.22 Variants and Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 12.23 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 12.24 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 13 TCP Reno and Congestion Management 401 13.1 Basics of TCP Congestion Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 13.2 Slow Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 13.3 TCP Tahoe and Fast Retransmit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 13.4 TCP Reno and Fast Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 13.5 TCP NewReno . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 13.6 Selective Acknowledgments (SACK) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 13.7 TCP and Bottleneck Link Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 13.8 Single Packet Losses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 13.9 TCP Assumptions and Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 13.10 TCP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 13.11 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 13.12 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 iv

7 14 Dynamics of TCP 429 14.1 A First Look At Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 14.2 Bottleneck Links with Competition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 14.3 TCP Fairness with Synchronized Losses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 14.4 Notions of Fairness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 cwnd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446 14.5 TCP Reno loss rate versus 14.6 TCP Friendliness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 14.7 AIMD Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 14.8 Active Queue Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 14.9 The High-Bandwidth TCP Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 14.10 The Lossy-Link TCP Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 14.11 The Satellite-Link TCP Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 14.12 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 14.13 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 471 15 Newer TCP Implementations 15.1 Choosing a TCP on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 15.2 High-Bandwidth Desiderata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 15.3 RTTs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 15.4 A Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 15.5 Highspeed TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 15.6 TCP Vegas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 15.7 FAST TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 15.8 TCP Westwood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 15.9 TCP Illinois . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 15.10 Compound TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 15.11 TCP Veno . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 15.12 TCP Hybla . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 15.13 DCTCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489 15.14 H-TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 15.15 TCP CUBIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493 15.16 TCP BBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 15.17 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 15.18 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 16 Network Simulations: ns-2 507 16.1 The ns-2 simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 16.2 A Single TCP Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 16.3 Two TCP Senders Competing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521 16.4 TCP Loss Events and Synchronized Losses . . . . . . . . . . . . . . . . . . . . . . . . . . 537 16.5 TCP Reno versus TCP Vegas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546 16.6 Wireless Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548 16.7 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554 16.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554 17 The ns-3 Network Simulator 557 17.1 Installing and Running ns-3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557 17.2 A Single TCP Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558 v

8 17.3 Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 17.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 575 18 Mininet 18.1 Installing Mininet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576 18.2 A Simple Mininet Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578 18.3 Multiple Switches in a Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579 18.4 IP Routers in a Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582 18.5 IP Routers With Simple Distance-Vector Implementation . . . . . . . . . . . . . . . . . . . 584 18.6 TCP Competition: Reno vs Vegas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587 18.7 TCP Competition: Reno vs BBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592 18.8 Linux Traffic Control (tc) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 18.9 OpenFlow and the POX Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596 18.10 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608 611 19 Queuing and Scheduling 19.1 Queuing and Real-Time Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611 19.2 Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 19.3 Priority Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 19.4 Queuing Disciplines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613 19.5 Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614 19.6 Applications of Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626 19.7 Hierarchical Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629 19.8 Hierarchical Weighted Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631 19.9 Token Bucket Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637 19.10 Applications of Token Bucket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 19.11 Token Bucket Queue Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 19.12 Hierarchical Token Bucket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 19.13 Fair Queuing / Token Bucket combinations . . . . . . . . . . . . . . . . . . . . . . . . . . 648 19.14 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 19.15 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 657 20 Quality of Service 20.1 Net Neutrality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 20.2 Where the Wild Queues Are . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 20.3 Real-time Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659 20.4 Integrated Services / RSVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661 20.5 Global IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662 20.6 RSVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667 20.7 Differentiated Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671 20.8 RED with In and Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675 20.9 NSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676 20.10 Comcast Congestion-Management System . . . . . . . . . . . . . . . . . . . . . . . . . . 676 20.11 Real-time Transport Protocol (RTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 20.12 Multi-Protocol Label Switching (MPLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 682 20.13 Epilog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684 20.14 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684 vi

9 21 Network Management and SNMP 687 21.1 Network Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689 21.2 SNMP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689 21.3 SNMP Naming and OIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691 21.4 MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693 21.5 SNMPv1 Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694 21.6 ASN.1 Syntax and SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694 21.7 SNMP Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695 21.8 SNMP Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700 21.9 MIB Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705 21.10 MIB-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706 21.11 SNMPv1 communities and security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715 21.12 SNMP and ASN.1 Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716 21.13 SNMPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719 21.14 Table Row Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730 21.15 SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739 21.16 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749 751 22 Security 22.1 Code-Execution Intrusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752 22.2 Stack Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753 22.3 Heap Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762 22.4 Network Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767 22.5 Cryptographic Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768 22.6 Secure Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769 22.7 Shared-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774 22.8 Diffie-Hellman-Merkle Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783 22.9 Public-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786 22.10 SSH and TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791 22.11 IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809 22.12 DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812 22.13 RSA Key Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821 22.14 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824 23 Bibliography 829 24 Selected Solutions 831 24.1 Solutions for An Overview of Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831 Ethernet 24.2 Solutions for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832 Other LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833 24.3 Solutions for 24.4 Solutions for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834 Links 24.5 Solutions for Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835 24.6 Solutions for Sliding Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836 24.7 Solutions for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838 IPv4 24.8 Solutions for Routing-Update Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . 838 24.9 Solutions for Large-Scale IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839 24.10 Solutions for UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840 24.11 Solutions for TCP Reno . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840 vii

10 24.12 Solutions for . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840 Dynamics of TCP 24.13 Solutions for Mininet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842 Indices and tables 843 Bibliography 845 Index 853 viii

11 An Introduction to Computer Networks, Release 1.9.18 Peter L Dordal Department of Computer Science Loyola University Chicago Contents: CONTENTS 1

12 An Introduction to Computer Networks, Release 1.9.18 2 CONTENTS

13 0 PREFACE “No man but a blockhead ever wrote, except for money.” - Samuel Johnson The textbook world is changing. On the one hand, open source software and creative-commons licensing have been great successes; on the other hand, unauthorized PDFs of popular textbooks are widely available, and it is time to consider flowing with rather than fighting the tide. Hence this open-access textbook, released for free under the Creative Commons license described below. Mene, mene, tekel pharsin . Perhaps the last straw, for me, was patent 8195571 for a roundabout method to force students to purchase textbooks. (A simpler strategy might be to include the price of the book in the course.) At some point, Hirudinea . faculty have to be advocates for their students rather than, well, This is not to say that I have anything against for-profit publishing. It is just that this particular book does not – and will not – belong to that category; the online edition will always be free. In this it is in good company: there is Wikipedia, there is an increasing number of other open online textbooks out there, and there is the entire open-source world. Although the open-source-software and open-textbook models are not completely parallel, they are quite similar. The market inefficiencies of traditional publishing are sobering: the return to authors of advanced textbooks is usually modest. Costs to users are also quite high: both the direct cost of purchasing a book, and the lost-opportunity cost of not having access to a book. (None of this is meant to imply there will never be a print edition; when I started this project it seemed inconceivable that a print publisher would ever agree to having the online edition remain free, but times are changing.) The book is updated multiple times per year ( 0.7 Recent Changes ). This is another feature that paper publishing can’t touch. The official book website is intronetworks.cs.luc.edu. The book is available there as online html, as a zipped archive of html files, in .pdf format, and in other formats as may prove useful. Note that there are three html variants: the original, a version using a more universally available set of unicode characters, and a version better suited to smaller screens; see below 0.5 Technical considerations for more information. 0.1 Licensing This text is released under the Creative Commons license Attribution-NonCommercial-NoDerivs. This text is like a conventional book, in other words, except that it is free. You may copy the work and distribute it to others for any noncommercial use, but all reuse requires attribution. The Creative Commons license does not precisely spell out what constitutes “noncommercial” use. The author considers any sale of printed copies of this book, even by a non-profit organization and even if the price just covers expenses, to be commercial use. Personal printing, and free distribution of printed selections, do qualify as noncommercial. Starting with Edition 1.9.16, commercial use is also explicitly allowed, provided that printed copies are not distributed . In other words, the text is also released under the terms of the Creative Commons license 3

14 An Introduction to Computer Networks, Release 1.9.18 Attribution-NoDerivs, to include a prohibition on the distribution of printed copies. The Creative amended Commons license summary linked to here states that “you are free to share – copy and redistribute the material in any medium or format for any purpose, even commercially”; this license is amended by this paragraph to limit “any medium” to non-printed media. Permissible commercial uses may include, but are not limited to, use in internal training programs, use in for-profit training and educational programs, sale of the work in the electronic formats available here, and installation throughout the Amazon EC2. The Attribution clause of the Creative Commons licenses [Section 4, (b) for by-nd or (c) for by-nc-nd] requires that redistributors of the work provide “. . . (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work”. That URI is intronetworks.cs.luc.edu. Under the Creative Commons licenses, creation of derivative works requires permission. It is not entirely clear, however, what would be considered a derivative work, beyond the traditional examples of abridgment and translation. Any supplemental materials like exams, labs, slides or coverage of additional topics would be new, independent works, and would require no permission. Even the inclusion in such supplements of modest amounts of material from this book would have a strong claim to Fair Use. In the open-source software world, the right to make derivative works is exercised whenever the software is modified, but it is hard to see how this applies to textbook supplements. The bottom line is that if you have a situation you’re concerned about in this regard, let me know and I’ll probably be happy to grant permission. Some of the chapters contain source code; this is licensed under the Apache 2.0 license. Some code files (those which are derivative works) contain an official Apache license statement; others do not. 0.2 Classroom Use This book is meant as a serious and more-or-less thorough text for an introductory college or graduate course in computer networks, carefully researched, with consistent notation and style, and complete with diagrams and exercises. I have also tried to rethink the explanations of many protocols and algorithms, with the goal of making them easier to understand. My intent is to create a text that covers to a reasonable extent why the Internet is the way it is, to avoid the endless dreary focus on TLA’s (Three-Letter Acronyms), and to remain not mathematical. For the last, I have avoided calculus, linear algebra, and, for that matter, quadratic too terms (though some inequalities do sneak in at times). That said, the book includes a large number of back- of-the-envelope calculations – in settings as concrete as I could make them – illustrating various networking concepts. Overall, I tried to find a happy medium between practical matters and underlying principles. My goal has been to create a book that is useful to a broad audience, including those interested in network management, in high-performance networking, in software development, or just in how the Internet is put together. One of the best ways to gain insight into why a certain design choice was made is to look at a few alterna- tive implementations. To that end, this book includes coverage of some topics one may never encounter in practice, but which may be useful as points of comparison. These topics arguably include ATM ( 3.5 Asyn- chronous Transfer Mode: ATM 12.22.2 SCTP ) and even 10 Mbps Ethernet ( 2.1 10-Mbps Classic ), SCTP ( Ethernet ). The book can also be used as a networks supplement or companion to other resources for a variety of other courses that overlap to some greater or lesser degree with networking. At Loyola, this book has been used – sometimes coupled with a second textbook – in courses in computer security, network management, telecommunications, and even introduction-to-computing courses for non-majors. Another possibility is an 4 0 Preface

15 An Introduction to Computer Networks, Release 1.9.18 alternative or nontraditional presentation of networking itself. It is when used in concert with other works, in particular, that this book’s being free is of marked advantage. Finally, I hope the book may also be useful as a reference work. To this end, I have attempted to ensure that the indexing and cross-referencing is sufficient to support the drop-in reader. Similarly, obscure or specialized notation is kept to a minimum. top-down bottom-up se- Much is sometimes made, in the world of networking textbooks, about versus quencing. This book is not really either, although the chapters are mostly numbered in bottom-up fashion. Instead, the first chapter provides a relatively complete overview of the LAN, IP and transport network layers (along with a few other things), allowing subsequent chapters to refer to all network layers without forward reference, and, more importantly, allowing the chapters to be covered in a variety of different orders. As a practical matter, when I use this text to teach Loyola’s Introduction to Computer Networks course, I cover the IP/routing and TCP material more or less in parallel. A distinctive feature of the book is the extensive coverage of TCP: TCP dynamics, newer versions of TCP such as TCP Cubic and BBR TCP, and chapters on using the ns-2 simulator and the Mininet emulator. This has its roots in a longstanding goal to find better ways to present competition and congestion in the classroom. Another feature is the detailed chapter on queuing disciplines. One thing this book makes little attempt to cover in detail is the application layer; the token example in- cluded is SNMP. While SNMP actually makes a pretty good example of a self-contained application, my recommendation to instructors who wish to cover more familiar examples is to combine this text with the appropriate application documentation. Although the book is continuously updated, I try very hard to ensure that all editions are classroom- compatible. To this end, section renumbering is avoided to the extent practical, and existing exercises are never renumbered . This is an essential feature for a textbook that is often updated mid-semester, and a useful feature for any textbook that is updated at all. New exercises are regularly inserted, but with fractional (float- ing point) numbers. Existing integral exercise numbers have been given a trailing .0, to reduce confusion between exercise 12.0, say, and 12.5. For those interested in using the book for a “traditional” networks course, I with some trepidation offer the following set of core material. In solidarity with those who prefer alternatives to a bottom-up ordering, I emphasize that this represents a and not a sequence . set 1 An Overview of Networks • 2 Ethernet , particularly switched Ethernet • Selected sections from • Selected sections from 3.7 Wi-Fi • Selected sections from 5 Packets • 6 Abstract Sliding Windows • and/or 8 IP version 6 7 IP version 4 • Selected sections from 9 Routing-Update Algorithms , probably including the distance-vector algo- rithm • Selected sections from 10 Large-Scale IP Routing • 11 UDP Transport • 12 TCP Transport 0.2 Classroom Use 5

16 An Introduction to Computer Networks, Release 1.9.18 • 13 TCP Reno and Congestion Management With some care in the topic-selection details, the above can be covered in one semester along with a survey of selected important network applications, or the basics of network programming, or the introductory con- figuration of switches and routers, or coverage of additional material from this book, or some other set of additional topics. Of course, non-traditional networks courses may focus on a quite different sets of topics. Instructors who adopt this book in a course, as either a primary or a secondary text, are strongly encouraged to let me know, as this helps support continued work on the book. Below is a list of the institutions I’m aware of so far where the book has been adopted. Commercial publishers get this information from sales records, but that won’t work here; if you want to see your institution listed, contact me! Augustana College California State University, Fresno Eastern Washington University Loyola University Maryland Murray State University Ohio University Saint Martin’s University SUNY Delhi University of Arkansas Community College at Batesville University of California, Santa Cruz University of Maryland, University College University of North Alabama University of Texas at El Paso University of the People Wellington Institute of Technology 0.3 Acknowledgments I would like to thank the many Loyola students who have provided invaluable feedback on the text and the exercises. The result, I hope, is greater clarity for both. I would also like to thank the following people from outside Loyola who have contributed technical or editorial comments. I’ve included institutional affiliation if I could figure it out. If I’ve missed anyone, or their institution, please let me know. 6 0 Preface

17 An Introduction to Computer Networks, Release 1.9.18 Anonymous University of the People Jose Alvarado University of Texas at El Paso Eric Freudenthal David Garfield Jeff Harrang Emmanuel Lochin Institut supérieur de l’aéronautique et de l’espace Robert Michael Centre Tecnològic Telecomunicacions Catalunya Natale Patriciello Herman Torjussen Alexander Wijesinha Towson University Justin Yang Comments – from anyone – on clarity, completeness, consistency and correctness are much appreciated. Even single comments or corrections are very welcome, though I continue to seek reviewers willing to review an entire section or chapter. I can be contacted at pld AT cs.luc.edu, or via the book comment form. Peter Dordal Shabbona, Illinois 0.4 Progress Notes This work was started in the summer of 2012. Edition 1.0 was declared complete as of March 2014; the current edition is 1.9.18. The intronetworks.cs.luc.edu website carries both edition 1.0 and also the current 1.9.18 edition. I expect to release Edition 2.0 in summer 2019. This will mostly involve breaking some of the longer chapters into two. 0.5 Technical considerations The book was prepared in reStructuredText using the Linux Sphinx package, which can produce multiple formats from the same source. That said, the primary format is html . The table-of-contents sidebar and the text sidebars work best there. Most of the diagrams were drawn using LibreOffice Draw. The book uses a modest set of unicode special characters. Unfortunately, some of these characters are not universally available in all browsers. The comma-separated characters in the first line, below, appear to have the most limited support. 0.4 Progress Notes 7

18 An Introduction to Computer Networks, Release 1.9.18 " y , » , 훼 , 훽 , 훾 , 휆 , 휑 , 휏 , 휚 , ∆ , x , ÝÑ , ÐÝ , ÐÑ , (,), , 훼 , 훽 , 훾 , 휆 , 휑 , « , 휌 , ∆ ,^, Ñ , Ð , ÐÑ 휏 ? , , 8 μ, ď , ě , ˆ , ̃ , ̆ ,–, ‰ , Ñ , Ð , , , , , , , , , , , The characters above should look roughly as they do in the following image (the first line is the one most likely to fail): If they do not, there are two options for browser-based viewing. If the second and third rows above display successfully, there is a version of the book (both online and zipped) available at intronet- unicode-safer works.cs.luc.edu that has the characters in the first row above replaced by those in the second row. The other alternative is to add an appropriate font. Generally Firefox and Internet Explorer display the necessary characters out of the box, but Chrome does not. The Chrome situation can usually be fixed, at least on “real” computers, by adding a font and then tweaking the Chrome font settings. I have had good luck with Symbola (at shapecatcher.com/unicodefonts.html and other places). To install the font, extract the .ttf file and double-click on it. Then to adjust Chrome, go to Settings Ñ Show advanced settings Ñ Customize fonts (button), and change at a minimum the default Sans-serif font to Symbola. Then restart Chrome. Unfortunately, adding fonts to (non-rooted) Android devices continues to be very difficult. Worse, Android l ” in the place of missing characters. often fails to display even a box symbol “ If no available browser properly displays the symbols above, I recommend the pdf format. The unicode-safer version, however, should work on most systems. At some point I hope to figure out how to handle this font situation a little better using Javascript. This turns out, however, not to be straightforward, and progress has been slow. The diagrams in the body of the text have now all been migrated to the vector-graphics .svg format, although a few diagrams rendered with line-drawing characters appear in the exercises. Most browsers now (2018) appear to support zooming in on .svg images, which is a significant step forward. 8 0 Preface

19 An Introduction to Computer Networks, Release 1.9.18 0.6 A Note On the Cover Swietenia mahagoni The photo is of mahogany leaves, presumably . The original image was taken by Homer Edward Price and placed at https://commons.wikimedia.org/wiki/File:Mahogany-leaves_(5606894105).gif under a Creative Commons license; the image as used here has been cropped. I began with the idea that the cover should depict some networking reference from the natural world. The connection between mahogany and networking comes from Bertolt Brecht’s work , The City of Mahagonny “the city of nets”. Ok, “nets” in the sense of traps rather than communication, but close enough. Alas, this turned out to be based on a misapprehension. As musicologist John Simon puts it [JS05] , Where did Brecht get the name for that lawless city that was his symbol for a capitalist society Mahagonny , the opera’s Leokadja Begbick explains it as “the in distress? In coining the name City of Nets”, i.e. traps. But the word “mahogany”, from which the name must stem, has nothing to do with nets. It remains unclear just what “Mahagonny” did mean to Brecht. After learning this, a picture of mahogany seemed to be out. But, as the book progressed, with more and 0.6 A Note On the Cover 9

20 An Introduction to Computer Networks, Release 1.9.18 more reading of papers and RFCs, I began to see the non-connection here as a symbol of diligent fact- checking. So there it is. And besides, it’s green. 0.7 Recent Changes . March 31, 2019 (ver 1.9.18): correction to 22.2.2.2 The shellcode 22.12 DNSSEC , and updates to 7.8 DNS . March 9, 2019 (ver 1.9.17): , adopters, 2.4.2 Switch Hardware , December 1, 2018 (ver 1.9.16): Licensing, 0.3 Acknowledgments 10.6.7 BGP and Anycast , 7.8.4 DNS and CDNs . , 3.7.5.1.1 KRACK Attack , 3.7.4.4 Mesh Networks , October 18, 2018 (ver 1.9.15): 3.7.5.3 WPA3 , 9.4.3 HWMP , 9.7 ECMP , 2.7 TRILL and SPB 9.4.2 AODV , shortest-path proof in 9.5.1 Shortest-Path-First Algorithm . 2.2 100 Mbps (Fast) Ethernet . ref: , 3.7.5.3 WPA3 , September 11, 2018 (ver 1.9.14): KRACK 22.8.2 Simultaneous Authentication of Equals . August 28, 2018 (ver 1.9.13): fixed example in 5.4.1 Cyclical Redundancy Check: CRC . August 16, 2018 (ver 1.9.12): technical changes. 22.10.2.4.1 Domain Fronting ), multiple other updates. August 15, 2018 (ver 1.9.11): Domain fronting ( 12.22.4 QUIC Revisited February 19, 2018 (ver 1.9.10): Expanded content on QUIC ( ). 15.5 Highspeed TCP 15.10 Compound TCP , January 5, 2018 (ver 1.9.9): Corrections to , added 8.14 IPv6-to-IPv4 Connectivity 20.6.1 A CDN Alternative to IntServ and and NAT64, updates to 3.7 Wi-Fi , miscellaneous other updates. October 27, 2017 (ver 1.9.8): multiple corrections to 15.16 TCP BBR ; some updated exercises. October 3, 2017 (ver 1.9.7): Added tbf htb examples ( 18.8 Linux Traffic Control (tc) ) to and ; miscellaneous exercise updates, and more on CDNs ( ). 18 Mininet 20.6.1 A CDN Alternative to IntServ September 4, 2017 (ver 1.9.6): Added a webserver example ( 18.3.1 Running a webserver ) to 18 Mininet ; 7.8 DNS . updates to 18 Mininet ) August 27, 2017 (ver 1.9.5): Expanded examples in the chapter on Mininet ( priority 2.8.1 OpenFlow Switches . July 27, 2017 (ver 1.9.4): Clarified the role of in July 22, 2017 (ver 1.9.3): Significant revisions to ; other minor 2.8.2 Learning Switches in OpenFlow changes. July 11, 2017 (ver 1.9.2): A section in the Mininet chapter on the Pox controller ( 18.9 OpenFlow and the POX Controller ). July 7, 2017 (ver 1.9.1): A new (partially completed) chapter on Mininet ( 18 Mininet ). 8.6.4 Security and Neighbor Discovery ), DCCP Jan 27, 2017 (ver 1.9.0): New sections on SEND ( 11.1.2 DCCP ), TLS programming ( 22.10.3 A TLS Programming Example ), bufferbloat ( ( 14.8.1 Bufferbloat ), CoDel ( 14.8.6 CoDel ) and BBR TCP ( 15.16 TCP BBR ). There is also added content in . 3.7.5 Wi-Fi Security Oct 31, 2016 (ver 1.8.27): Introduction to TFTP ( 11.2 Trivial File Transport Protocol, TFTP ) moved before 11.3 Fundamental Transport Issues ; a minor adjustment to the TCP state diagram ( 12.7 TCP state diagram ) for transitions out of FIN_WAIT_1. 10 0 Preface

21 An Introduction to Computer Networks, Release 1.9.18 Oct 3, 2016 (ver 1.8.26): minor changes to the text, but a significant and hopefully useful change to the way the table-of-contents sidebar works: expanding the sidebar puts the table of contents in the current viewport, and clicking on a contents link then collapses the sidebar. Sept 27, 2016 (ver 1.8.25): several new exercises and other updates ; 24 Selected Solutions Sept 16, 2016 (ver 1.8.24): Improved integration between the exercise sections and 2.4.1 Ethernet Learning 3.7.1 Wi-Fi and Collisions , additional corrections and clarifications to Algorithm , and other places. Aug 9, 2016 (ver 1.8.23): More corrections and clarifications to SNMP ( 21 Network Management and 8.5 IPv6 Extension Headers SNMP 2.8.1 OpenFlow ); more on IPv6 extension headers ( ) and OpenFlow ( ). Switches Jul 21, 2016 (ver 1.8.22): Corrections and clarifications to SNMP ( 21 Network Management and SNMP ) Jun 14, 2016 (ver 1.8.21): Added material on 2.8 Software-Defined Networking and 1.5.1 Traffic Engineering 22 Security . (also scattered about in other sections), and updates to Apr 4, 2016 (ver 1.8.20): clarifications and new diagrams in . 9 Routing-Update Algorithms 12.3 TCP Mar 30, 2016 (ver 1.8.19): miscellaneous updates, including to TCP RST processing in . Connection Establishment Feb 29, 2016 (ver 1.8.18): Revisions to 8 IP version 6 , including updates related to 8.2.1 Interface . All line drawings are now in .svg format. identifiers Jan 20, 2016 (ver 1.8.17): New section on IPsec ( 22.11 IPsec ), and other updates. Some diagrams are now eg in chapters in .svg format ( and 22 Security ). The .pdf 13 TCP Reno and Congestion Management version also takes advantage of the .svg format. Dec 31, 2015 (ver 1.8.16): Updates to 10.6.8 BGP Relationships , 3.7.5 Wi-Fi Security , 6.2 Sliding Windows , and other miscellaneous changes. Dec 3, 2015 (ver 1.8.15): Technical corrections to some exercises. Nov 24, 2015 (ver 1.8.14): Multiple small updates and clarifications, including to several exercises. . Oct 18, 2015 (ver 1.8.13): Extensive revisions to 8 IP version 6 Oct 14, 2015 (ver 1.8.12): Minor fixes and clarifications of some exercises. ♢ Oct 11, 2015 (ver 1.8.11): Solutions to a few of the exercises (those marked with ) are now provided, in 24 Selected Solutions . Hopefully this section will continue to expand. There is a correction to 10.6.8.1 BGP No-Valley Theorem and a reorganization of the exposition; there are also several minor changes to . 8 IP version 6 Sep 9, 2015 (ver 1.8.10): Miscellaneous clarifications; a paragraph on classless routing in 1.10 IP - . Internet Protocol Aug 16, 2015 (ver 1.8.09): Sections on and 11.1.4 netcat ; 4.2.3 Optical Transport Network miscellaneous updates. Jul 23, 2015 (ver 1.8.08): Multiple changes to 2 Ethernet and 3.7 Wi-Fi ; other changes as well. Jun 16, 2015 (ver 1.8.07): Corrections to 6.3.4 Simple Packet-Based Sliding-Windows Implementation and 7.11 Internet Control Message Protocol and additions to . 8.9 ICMPv6 May 29, 2015 (ver 1.8.06): Section on RSA factoring ( 22.9.1.2 Factoring RSA Keys ), fixed typos in 1.6 Routing Loops and 11.3 Fundamental Transport Issues . May 24, 2015 (ver 1.8.05): Added discussion of the Logjam attack ( 22.8 Diffie-Hellman-Merkle Exchange ). May 22, 2015 (ver 1.8.04): Several additions to the wireless sections, including MIMO antennas ( 3.7.3 Multiple Spatial Streams ) and LTE ( 3.8 WiMAX and LTE ). Wireless LANs are now moved to the 0.7 Recent Changes 11

22 An Introduction to Computer Networks, Release 1.9.18 end of the chapter . 3 Other LANs 8.11 Using IPv6 and IPv4 Together May 1, 2015 (ver 1.8.03): This book is now available via IPv6! See . 11.5 Remote Procedure Call (RPC) . Also, corrections to exactly-once semantics in Apr 26, 2015 (ver 1.8.02): Numerous corrections and clarifications, and new sections on 12.22.1 MPTCP and 12.22.2 SCTP . Mar 19, 2015: Added unicode-safer version (above), to support reading on most Android devices. Mar 14, 2015: Expanded and revised chapter 8 IP version 6 , now including tunnel-broker IPv6 connections. 7.8 DNS . Mar 3, 2015: New section on Feb 23, 2015: certificate pinning, sidebar on Superfish in 22.10.2.1 Certificate Authorities . Feb 15, 2015: New material on IPv6, in particular 8.11 Using IPv6 and IPv4 Together . Jan, 2015: The chapter 22 Security is largely finished. 12 0 Preface

23 1 AN OVERVIEW OF NETWORKS Somewhere there might be a field of interest in which the order of presentation of topics is well agreed upon. Computer networking is not it. There are many interconnections in the field of networking, as in most technical fields, and it is difficult to find an order of presentation that does not involve endless “forward references” to future chapters; this is true even if – as is done here – a largely bottom-up ordering is followed. I have therefore taken here a different approach: this first chapter is a summary of the essentials – LANs, IP and TCP – across the board, and later chapters expand on the material here. Local Area Networks, or LANs , are the “physical” networks that provide the connection between machines within, say, a home, school or corporation. LANs are, as the name says, “local”; it is the IP , or Internet Protocol, layer that provides an abstraction for connecting multiple LANs into, well, the Internet. Finally, deals with transport and connections and actually sending user data. TCP datagram forwarding , central This chapter also contains some important other material. The section on to packet-based switching and routing, is essential. This chapter also discusses packets generally, conges- tion, and sliding windows, but those topics are revisited in later chapters. Firewalls and network address translation are also covered here and not elsewhere. 1.1 Layers These three topics – LANs, IP and TCP – are often called layers ; they constitute the Link layer, the Internet- work layer, and the Transport layer respectively. Together with the Application layer (the software you use), these form the “ four-layer model ” for networks. A layer, in this context, corresponds strongly to the idea of a programming interface or library, with the understanding that a given layer communicates directly only with the two layers immediately above and below it. An application hands off a chunk of data to the TCP library, which in turn makes calls to the IP library, which in turn calls the LAN layer for actual delivery. An application does interact directly with the IP and LAN layers at all. not The LAN layer is in charge of actual delivery of packets, using LAN-layer-supplied addresses. It is often conceptually subdivided into the “physical layer” dealing with, eg , the analog electrical, optical or radio signaling mechanisms involved, and above that an abstracted “logical” LAN layer that describes all the digital – that is, non-analog – operations on packets; see The LAN Layer . The physical layer is 2.1.4 generally of direct concern only to those designing LAN hardware; the kernel software interface to the LAN corresponds to the logical LAN layer. Application Transport IP Logical LAN Physical LAN 13

24 An Introduction to Computer Networks, Release 1.9.18 This LAN physical/logical division gives us the Internet five-layer model . This is less a formal hierarchy classification method. We will return to this below in , where we will also ad hoc as an 1.15 IETF and OSI -layer model. introduce two more rather obscure layers that complete the seven 1.2 Data Rate, Throughput and Bandwidth eg at the LAN layer – has a data rate : the rate at which bits are transmitted. Any one network connection – eg Wi-Fi) the data rate can vary with time. Throughput refers to the overall effective In some LANs ( transmission rate, taking into account things like transmission overhead, protocol inefficiencies and perhaps even competing traffic. It is generally measured at a higher network layer than the data rate. bandwidth can be used to refer to either of these, though we here use it mostly as a synonym The term for data rate. The term comes from radio transmission, where the width of the frequency band available is proportional, all else being equal, to the data rate that can be achieved. goodput is sometimes used to refer to what might also be called In discussions about TCP, the term “application-layer throughput”: the amount of usable data delivered to the receiving application. Specif- ically, retransmitted data is counted only once when calculating goodput but might be counted twice under some interpretations of “throughput”. Data rates are generally measured in kilobits per second (kbps) or megabits per second (Mbps); the use of 3 10 bits (not 2 the lower-case “b” here denotes bits. In the context of data rates, a kilobit is 10 ) and a megabit 6 is 10 volumes bits. Somewhat inconsistently, we follow the tradition of using kB and MB to denote data 10 20 bytes respectively, with the upper-case B denoting bytes. The newer abbreviations KiB and of 2 and 2 MiB would be more precise, but the consequences of confusion are modest. 1.3 Packets Packets are modest-sized buffers of data, transmitted as a unit through some shared set of links. Of necessity, packets need to be prefixed with a header containing delivery information. In the common case known as datagram forwarding , the header contains a destination address ; headers in networks using so-called virtual-circuit connection . Almost all networking today forwarding contain instead an identifier for the (and for the past 50 years) is packet-based, although we will later look briefly at some “circuit-switched” options for voice telephony. data header data header1 header2 Single and multiple headers 14 1 An Overview of Networks

25 An Introduction to Computer Networks, Release 1.9.18 At the LAN layer, packets can be viewed as the imposition of a buffer (and addressing) structure on top of low-level serial lines; additional layers then impose additional structure. Informally, packets are often referred to as segments at the Transport layer. frames at the LAN layer, and as Ethernet, Token Ring or ATM) is an intrinsic eg The maximum packet size supported by a given LAN ( attribute of that LAN. Ethernet allows a maximum of 1500 bytes of data. By comparison, TCP/IP packets originally often held only 512 bytes of data, while early Token Ring packets could contain up to 4 kB of data. While there are proponents of very large packet sizes, larger even than 64 kB, at the other extreme the ATM (Asynchronous Transfer Mode) protocol uses 48 bytes of data per packet, and there are good reasons for believing in modest packet sizes. One potential issue is how to forward packets from a large-packet LAN to (or through) a small-packet LAN; in later chapters we will look at how the IP (or Internet Protocol) layer addresses this. Generally each layer adds its own header. Ethernet headers are typically 14 bytes, IP headers 20 bytes, and TCP headers 20 bytes. If a TCP connection sends 512 bytes of data per packet, then the headers amount to 10% of the total, a not-unreasonable overhead. For one common Voice-over-IP option, packets contain 160 bytes of data and 54 bytes of headers, making the header about 25% of the total. Compressing the 160 bytes of audio, however, may bring the data portion down to 20 bytes, meaning that the headers are now 73% of 20.11.4 RTP and VoIP the total; see . In datagram-forwarding networks the appropriate header will contain the address of the destination and routers or switches will then try perhaps other delivery information. Internal nodes of the network called to ensure that the packet is delivered to the requested destination. The concept of packets and packet switching was first introduced by Paul Baran in 1962 ( [PB62] ). Baran’s primary concern was with network survivability in the event of node failure; existing centrally switched protocols were vulnerable to central failure. In 1964, Donald Davies independently developed many of the same concepts; it was Davies who coined the term “packet”. It is perhaps worth noting that packets are buffers built of 8-bit bytes , and all hardware today agrees what a byte is (hardware agrees by convention on the order in which the bits of a byte are to be transmitted). 8-bit bytes are universal now, but it was not always so. Perhaps the last great non-byte-oriented hardware platform, which did indeed overlap with the Internet era broadly construed, was the DEC-10, which had a 36-bit word size; a word could hold five 7-bit ASCII characters. The early Internet specifications introduced octet (an 8-bit byte) and required that packets be sequences of octets; non-octet-oriented hosts had the term to be able to convert. Thus was chaos averted. Note that there are still byte-oriented data issues; as one big-endian or little-endian byte example, binary integers can be represented as a sequence of bytes in either order ( 11.1.5 Binary Data ). RFC 1700 specifies that Internet protocols use big-endian byte order, therefore sometimes called network byte order. 1.4 Datagram Forwarding In the datagram-forwarding model of packet delivery, packet headers contain a destination address. It is up to the intervening switches or routers to look at this address and get the packet to the correct destination. In datagram forwarding this is achieved by providing each switch with a forwarding table of x destination,next_hop y pairs. When a packet arrives, the switch looks up the destination address (presumed globally unique) in its forwarding table and finds the next_hop information: the immediate-neighbor ad- dress to which – or interface by which – the packet should be forwarded in order to bring it one step closer 1.4 Datagram Forwarding 15

26 An Introduction to Computer Networks, Release 1.9.18 to its final destination. The next_hop value in a forwarding table is a single entry; each switch is responsible for only one step in the packet’s path. However, if all is well, the network of switches will be able to deliver the packet, one hop at a time, to its ultimate destination. The “destination” entries in the forwarding table do not have to correspond exactly with the packet des- tination addresses, though in the examples here they do, and they do for Ethernet datagram forwarding. However, for IP routing, the table “destination” entries will correspond to prefixes of IP addresses; this leads to a huge savings in space. The fundamental requirement is that the switch can perform a lookup operation, using its forwarding table and the destination address in the arriving packet, to determine the next hop. Just how the forwarding table is built is a question for later; we will return to this for Ethernet switches 2.4.1 Ethernet Learning Algorithm and for IP routers in 9 Routing-Update Algorithms . For now, the in forwarding tables may be thought of as created through initial configuration. In the diagram below, switch S1 has interfaces 0, 1 and 2, and S2 has interfaces 0,1,2,3. If A is to send a packet to B, S1 must have a forwarding-table entry indicating that destination B is reached via its interface 2, and S2 must have an entry forwarding the packet out on interface 3. C D 1 1 2 0 0 3 A B S2 S1 2 Two switches S1 and S2, E with interface numbers shown next_hop column, would be: A complete forwarding table for S1, using interface numbers in the S1 destination next_hop A 0 C 1 B 2 D 2 E 2 The table for S2 might be as follows, where we have consolidated destinations A and C for visual simplicity. S2 destination next_hop A,C 0 D 1 E 2 B 3 16 1 An Overview of Networks

27 An Introduction to Computer Networks, Release 1.9.18 In the network diagrammed above, all links are point-to-point, and so each interface corresponds to the unique immediate neighbor reached by that interface. We can thus replace the interface entries in the next_hop . For human readers, using neighbors column with the name of the corresponding neighbor column is usually much more readable. S1’s table can now be written as follows (with next_hop in the consolidation of the entries for B, D and E): S1 destination next_hop A A C C S2 B,D,E A central feature of datagram forwarding is that each packet is forwarded “in isolation”; the switches in- volved do not have any awareness of any higher-layer logical connections established between endpoints. stateless RFC This is also called forwarding, in that the forwarding tables have no per-connection state. 1122 put it this way (in the context of IP-layer datagram forwarding): To improve robustness of the communication system, gateways are designed to be stateless, forwarding each IP datagram independently of other datagrams. As a result, redundant paths can be exploited to provide robust service in spite of failures of intervening gateways and networks. The fundamental alternative to datagram forwarding is virtual circuits , 3.4 Virtual Circuits . In virtual- circuit networks, each router maintains state about each connection passing through it; different connections can be routed differently. If packet forwarding depends, for example, on per-connection information – eg is both TCP port numbers – it is not datagram forwarding. (That said, it arguably still datagram forwarding if web traffic – to TCP port 80 – is forwarded differently than all other traffic, because that rule does not depend on the specific connection.) Datagram forwarding is sometimes allowed to use other information beyond the destination address. In quality-of-service theory, IP routing can be done based on the destination address and some information, allowing, for example, different routing to the same destination for high-bandwidth bulk traffic and for low- latency real-time traffic. In practice, most Internet Service Providers (ISPs) ignore user-provided quality- of-service information in the IP header, except by prearranged agreement, and route only based on the destination. By convention, switching devices acting at the LAN layer and forwarding packets based on the LAN address are called switches (or, originally, bridges; some still prefer that term), while such devices acting at the IP layer and forwarding on the IP address are called . Datagram forwarding is used both by Ethernet routers switches and by IP routers, though the destinations in Ethernet forwarding tables are individual nodes while the destinations in IP routers are entire networks (that is, sets of nodes). In IP routers within end-user sites it is common for a forwarding table to include a catchall default entry, matching any IP address that is nonlocal and so needs to be routed out into the Internet at large. Unlike the consolidated entries for B, D and E in the table above for S1, which likely would have to be implemented as actual separate entries, a default entry is a single record representing where to forward the packet if no other destination match is found. Here is a forwarding table for S1, above, with a default entry replacing the last three entries: 1.4 Datagram Forwarding 17

28 An Introduction to Computer Networks, Release 1.9.18 S1 next_hop destination A 0 1 C default 2 Default entries make sense only when we can tell by looking at an address that it does not represent a nearby node. This is common in IP networks because an IP address encodes the destination network, and routers generally know all the local networks. It is however rare in Ethernets, because there is generally no correlation between Ethernet addresses and locality. If S1 above were an Ethernet switch, and it had some means of knowing that interfaces 0 and 1 connected directly to individual hosts, not switches – and S1 knew the addresses of these hosts – then making interface 2 a default route would make sense. In practice, however, Ethernet switches do not know what kind of device connects to a given interface. 1.5 Topology In the network diagrammed in the previous section, there are no loops; graph theorists might describe this acyclic tree . In a loop-free network there is a unique path between by saying the network graph is , or is a any pair of nodes. The forwarding-table algorithm has only to make sure that every destination appears in the forwarding tables; the issue of choosing between alternative paths does not arise. redundancy : any broken link will result in partitioning the However, if there are no loops then there is no network into two pieces that cannot communicate. All else being equal (which it is not, but never mind for now), redundancy is a good thing. However, once we start including redundancy, we have to make decisions among the multiple paths to a destination. Consider, for a moment, the following network: S1 S2 A B S3 S4 S1 S2 S4 Should S1 list S2 or S3 as the next_hop to B? Both paths A S1 S3 S4 B get there. B and A There is no right answer. Even if one path is “faster” than the other, taking the slower path is not exactly wrong (especially if the slower path is, say, less expensive). Some sort of protocol must exist to provide a mechanism by which S1 can make the choice (though this mechanism might be as simple as choosing to route via the first path discovered to the given destination). We also want protocols to make sure that, if S1 B route. S4 link fails, then S1 will switch over to the still-working S1 S3 S4 reaches B via S2 and the S2 As we shall see, many LANs (in particular Ethernet) prefer “tree” networks with no redundancy, while IP has complex protocols in support of redundancy ( 9 Routing-Update Algorithms ). 18 1 An Overview of Networks

29 An Introduction to Computer Networks, Release 1.9.18 1.5.1 Traffic Engineering S1 S2 B and A S1 S3 S4 B might be of material S4 In some cases the decision above between routes A significance – perhaps the S2–S4 link is slower than the others, or is more congested. We will use the term to refer to any intentional selection of one route over another, or any elevation of the traffic engineering priority of one class of traffic. The route selection can either be directly intentional, through configuration, or can be implicit in the selection or tuning of algorithms that then make these route-selection choices automatically. As an example of the latter, the algorithms of 9.1 Distance-Vector Routing-Update Algorithm build forwarding tables on their own, but those tables are greatly influenced by the administrative assignment of link costs. With pure datagram forwarding, used at either the LAN or the IP layer, the path taken by a packet is deter- mined solely by its destination, and traffic engineering is limited to the choices made between alternative paths. We have already, however, suggested that datagram forwarding can be extended to take quality-of- service information into account; this may be used to have voice traffic – with its relatively low bandwidth but intolerance for delay – take an entirely different path than bulk file transfers. Alternatively, the network manager may simply assign voice traffic a higher priority, so it does not have to wait in queues behind file-transfer traffic. The quality-of-service information may be set by the end-user, in which case an ISP may wish to recognize it only for designated users, which in turn means that the ISP will implicitly use the traffic source when making routing decisions. Alternatively, the quality-of-service information may be set by the ISP itself, based on its best guess as to the application; this means that the ISP may be using packet size, port num- ber ( 1.12 Transport ) and other contents as part of the routing decision. For some explicit mechanisms supporting this kind of routing, see 9.6 Routing on Other Attributes . 2.8 Software-Defined At the LAN layer, traffic-engineering mechanisms are historically limited, though see . At the IP layer, more strategies are available; see 20 Quality of Service . Networking 1.6 Routing Loops routing loop : a set of entries in the A potential drawback to datagram forwarding is the possibility of a forwarding tables that cause some packets to circulate endlessly. For example, in the previous picture we would have a routing loop if, for (nonexistent) destination C, S1 forwarded to S2, S2 forwarded to S4, S4 forwarded to S3, and S3 forwarded to S1. A packet sent to C would not only not be delivered, but in circling endlessly it might easily consume a large majority of the bandwidth. Routing loops typically arise because the creation of the forwarding tables is often “distributed”, and there is no global authority to detect inconsistencies. Even when there is such an authority, temporary routing loops can be created due to notification delays. Routing loops can also occur in networks where the underlying link topology is loop-free; for example, in the previous diagram we could, again for destination C, have S1 forward to S2 and S2 forward back to S1. We will refer to such a case as a linear routing loop. All datagram-forwarding protocols need some way of detecting and avoiding routing loops. Ethernet, for example, avoids nonlinear routing loops by disallowing loops in the underlying network topology, and avoids linear routing loops by not having switches forward a packet back out the interface by which it arrived. IP provides for a one-byte “Time to Live” (TTL) field in the IP header; it is set by the sender and decremented 1.6 Routing Loops 19

30 An Introduction to Computer Networks, Release 1.9.18 by 1 at each router; a packet is discarded if its TTL reaches 0. This limits the number of times a wayward packet can be forwarded to the initial TTL value, typically 64. In datagram routing, a switch is responsible only for the next hop to the ultimate destination; if a switch has a complete path in mind, there is no guarantee that the next_hop switch or any other downstream switch will continue to forward along that path. Misunderstandings can potentially lead to routing loops. Consider this network: B B A C E D D might feel that the best path to B is D–E–C–B (perhaps because it believes the A–D link is to be avoided). If E similarly decides the best path to B is E–D–A–B, and if D and E both choose their next_hop for B based on these best paths, then a linear routing loop is formed: D routes to B via E and E routes to B via D. Although each of D and E have identified a usable , that path is not in fact followed. Moral: successful path datagram routing requires cooperation and a consistent view of the network. 1.7 Congestion Switches introduce the possibility of congestion: packets arriving faster than they can be sent out. This can happen with just two interfaces, if the inbound interface has a higher bandwidth than the outbound interface; another common source of congestion is traffic arriving on multiple inputs and all destined for the same output. Whatever the reason, if packets are arriving for a given outbound interface faster than they can be sent, a queue will form for that interface. Once that queue is full, packets will be dropped . The most common strategy (though not the only one) is to drop any packets that arrive when the queue is full. The term “congestion” may refer either to the point where the queue is just beginning to build up, or to the [CJ89] , Chiu and Jain refer to the first point point where the queue is full and packets are lost. In their paper as the ; this is where the slope of the load vs throughput graph flattens. They refer to the second point knee as the cliff ; this is where packet losses may lead to a precipitous decline in throughput. Other authors use the term contention for knee-congestion. In the Internet, most packet losses are due to congestion. This is not because congestion is especially bad eg due to packet corruption) are insignificant (though it can be, at times), but rather that other types of losses ( by comparison. When to Upgrade? Deciding when a network really does have insufficient bandwidth is not a technical issue but an economic one. The number of customers may increase, the cost of bandwidth may decrease or customers may simply be willing to pay more to have data transfers complete in less time; “customers” here can be 20 1 An Overview of Networks

31 An Introduction to Computer Networks, Release 1.9.18 external or in-house. Monitoring of links and routers for congestion can, however, help determine exactly parts of the network would most benefit from upgrade. what mean that a network has a shortage of bandwidth. We emphasize that the presence of congestion does not Bulk-traffic senders (though not real-time senders) attempt to send as fast as possible, and congestion is simply the network’s feedback that the maximum transmission rate has been reached. For further discussion, . including alternative definitions of longer-term congestion, see [BCL09] a sign of a problem in real-time networks, which we will consider in 20 Quality of Service . is Congestion In these networks losses due to congestion must generally be kept to an absolute minimum; one way to achieve this is to limit the acceptance of new connections unless sufficient resources are available. 1.8 Packets Again Perhaps the core justification for packets, Baran’s concerns about node failure notwithstanding, is that the same link can carry, at different times, different packets representing traffic to different destinations and from different senders. Thus, packets are the key to supporting ; that is, they support shared transmission lines the multiplexing of multiple communications channels over a single cable. The alternative of a separate virtual physical line between every pair of machines grows prohibitively complex very quickly (though between every pair of machines in a datacenter are not uncommon; see 3.4 Virtual Circuits ). circuits From this shared-medium perspective, an important packet feature is the maximum packet size, as this repre- sents the maximum time a sender can send before other senders get a chance. The alternative of unbounded packet sizes would lead to prolonged network unavailability for everyone else if someone downloaded a large file in a single 1 Gigabit packet. Another drawback to large packets is that, if the packet is corrupted, the entire packet must be retransmitted; see 5.3.1 Error Rates and Packet Size . When a router or switch receives a packet, it (generally) reads in the entire packet before looking at the header to decide to what next node to forward it. This is known as , and introduces store-and-forward forwarding delay a equal to the time needed to read in the entire packet. For individual packets this forwarding delay is hard to avoid (though some switches do implement cut-through switching to begin forwarding a packet before it has fully arrived), but if one is sending a long train of packets then by keeping multiple packets at the same time one can essentially eliminate the significance of the forwarding en route delay; see 5.3 Packet Size . Total packet delay from sender to receiver is the sum of the following: • Bandwidth delay , ie sending 1000 Bytes at 20 Bytes/millisecond will take 50 ms. This is a per-link delay. Propagation delay due to the speed of light. For example, if you start sending a packet right now • on a 5000-km cable across the US with a propagation speed of 200 m/μsec (= 200 km/ms, about 2/3 the speed of light in vacuum), the first bit will not arrive at the destination until 25 ms later. The bandwidth delay then determines how much after that the entire packet will take to arrive. • Store-and-forward delay , equal to the sum of the bandwidth delays out of each router along the path • Queuing delay , or waiting in line at busy routers. At bad moments this can exceed 1 sec, though that is rare. Generally it is less than 10 ms and often is less than 1 ms. Queuing delay is the only delay component amenable to reduction through careful engineering. 1.8 Packets Again 21

32 An Introduction to Computer Networks, Release 1.9.18 See for more details. 5.1 Packet Delay 1.9 LANs and Ethernet A , or LAN, is a system consisting of local-area network • physical links that are, ultimately, serial lines • common interfacing hardware connecting the hosts to the links • protocols to make everything work together We will explicitly assume that every LAN node is able to communicate with every other LAN node. Some- times this will require the cooperation of intermediate nodes acting as switches. Far and away the most common type of (wired) LAN is Ethernet, originally described in a 1976 paper by Metcalfe and Boggs [MB76] . Ethernet’s popularity is due to low cost more than anything else, though the primary reason Ethernet cost is low is that high demand has led to manufacturing economies of scale. The original Ethernet had a bandwidth of 10 Mbps (megabits per second; we will use lower-case “b” for bits and upper-case “B” for bytes), though nowadays most Ethernet operates at 100 Mbps and gigabit (1000 Mbps) Ethernet (and faster) is widely used in server rooms. (By comparison, as of this writing (2015) the data transfer rate to a typical faster hard disk is about 1000 Mbps.) Wireless (“Wi-Fi”) LANs are gaining popularity, and in many settings have supplanted wired Ethernet to end-users. Many early Ethernet installations were unswitched; each host simply tapped in to one long primary cable that wound through the building (or floor). In principle, two stations could then transmit at the same time, rendering the data unintelligible; this was called a collision . Ethernet has several design features intended to minimize the bandwidth wasted on collisions: stations, before transmitting, check to be sure the line is idle, they monitor the line transmitting to detect collisions during the transmission, and, if a collision while 2.1.5 The Slot is detected, they execute a random backoff strategy to avoid an immediate recollision. See . While Ethernet collisions definitely reduce throughput, in the larger view they should Time and Collisions perhaps be thought of as a part of a remarkably inexpensive shared-access mediation protocol. In unswitched Ethernets every packet is received by every host and it is up to the network card in each host to determine if the arriving packet is addressed to that host. It is almost always possible to configure the card to forward all arriving packets to the attached host; this poses a security threat and “password sniffers” that surreptitiously collected passwords via such eavesdropping used to be common. Password Sniffing In the fall of 1994 at Loyola University I remotely changed the root password on several CS-department unix machines at the other end of campus, using telnet. I told no one. Within two hours, someone else logged into one of these machines, using the new password, from a host in Europe. Password sniffing was the likely culprit. Two months later was the so-called “Christmas Day Attack” ( 12.10.1 ISNs and spoofing ). One of the hosts used to launch this attack was Loyola’s hacked apollo.it.luc.edu. It is unclear the degree to which password sniffing played a role in that exploit. 22 1 An Overview of Networks

33 An Introduction to Computer Networks, Release 1.9.18 Due to both privacy and efficiency concerns, almost all Ethernets today are fully switched; this ensures that each packet is delivered only to the host to which it is addressed. One advantage of switching is that it effectively eliminates most Ethernet collisions; while in principle it replaces them with a queuing issue, in practice Ethernet switch queues so seldom fill up that they are almost invisible even to network managers (unlike IP router queues). Switching also prevents host-based eavesdropping, though arguably a better solution to this problem is encryption. Perhaps the more significant tradeoff with switches, historically, was that Once Upon A Time they were expensive and unreliable; tapping directly into a common cable was dirt cheap. Ethernet addresses are six bytes long. Each Ethernet card (or network interface ) is assigned a (supposedly) unique address at the time of manufacture; this address is burned into the card’s ROM and is called the card’s address or hardware address or physical (Media Access Control) address. The first three bytes of MAC the physical address have been assigned to the manufacturer; the subsequent three bytes are a serial number assigned by that manufacturer. By comparison, IP addresses are assigned administratively by the local site. The basic advantage of having addresses in hardware is that hosts automatically know their own addresses on startup; no manual configura- tion or server query is necessary. It is not unusual for a site to have a large number of identically configured workstations, for which all network differences derive ultimately from each workstation’s unique Ethernet address. The network interface continually monitors all arriving packets; if it sees any packet containing a destination address that matches its own physical address, it grabs the packet and forwards it to the attached CPU (via a CPU interrupt). Ethernet also has a designated broadcast address . A host sending to the broadcast address has its packet received by every other host on the network; if a switch receives a broadcast packet on one port, it forwards the packet out every other port. This broadcast mechanism allows host A to contact host B when A does not yet know B’s physical address; typical broadcast queries have forms such as “Will the designated server please answer” or (from the ARP protocol) “will the host with the given IP address please tell me your physical address”. unicast . Traffic addressed to a particular host – that is, not broadcast – is said to be Because Ethernet addresses are assigned by the hardware, knowing an address does not provide any direct indication of where that address is located on the network. In switched Ethernet, the switches must thus have a forwarding-table record for each individual Ethernet address on the network; for extremely large networks this ultimately becomes unwieldy. Consider the analogous situation with postal addresses: Ethernet is somewhat like attempting to deliver mail using social-security numbers as addresses, where each postal worker is provided with a large catalog listing each person’s SSN together with their physical location. Real postal mail is, of course, addressed “hierarchically” using ever-more-precise specifiers: state, city, zipcode, street address, and name / room#. Ethernet, in other words, does not scale well to “large” sizes. Switched Ethernet works quite well, however, for networks with up to 10,000-100,000 nodes. Forwarding tables with size in that range are straightforward to manage. To forward packets correctly, switches must know where all active destination addresses in the LAN are located; traditional Ethernet switches do this by a passive algorithm. (IP routers, by comparison, learning use “active” protocols, and some newer Ethernet switches take the approach of 2.8 Software-Defined Networking .) Typically a host physical address is entered into a switch’s forwarding table when a packet from that host is first received ; the switch notes the packet’s arrival interface and source address and assumes that the same interface is to be used to deliver packets back to that sender. If a given destination address has 1.9 LANs and Ethernet 23

34 An Introduction to Computer Networks, Release 1.9.18 not yet been seen, and thus is not in the forwarding table, Ethernet switches still have the backup delivery flooding : forwarding the packet to everyone by treating the destination address like the broadcast option of address, and allowing the host Ethernet cards to sort it out. Since this broadcast-like process is not generally used for more than one packet (after that, the switches will have learned the correct forwarding-table entries), the risks of excessive traffic and of eavesdropping are minimal. host,interface y forwarding table is often easier to think of as x host,next_hop y , where the next_hop node The x is whatever switch or host is at the immediate other end of the link connecting to the given interface. In a fully switched network where each link connects only two interfaces, the two perspectives are equivalent. 1.10 IP - Internet Protocol To solve the scaling problem with Ethernet, and to allow support for other types of LANs and point-to-point links as well, the Internet Protocol was developed. Perhaps the central issue in the design of IP was to support universal connectivity (everyone can connect to everyone else) in such a way as to allow scaling to 9 10 nodes, although IP should work to 10 enormous size (in 2013 there appear to be around ~10 nodes or more), without resulting in unmanageably large forwarding tables (currently the largest tables have about 300,000 entries.) In the early days, IP networks were considered to be “internetworks” of basic networks (LANs); nowadays users generally ignore LANs and think of the Internet as one large (virtual) network. To support universal connectivity, IP provides a global mechanism for addressing and routing , so that packets can actually be delivered from any host to any other host. IP addresses (for the most-common IPv4 version 4, which we denote IP header that generally follows ) are 4 bytes (32 bits), and are part of the the Ethernet header. The Ethernet header only stays with a packet for one hop; the IP header stays with the packet for its entire journey across the Internet. An essential feature of IPv4 (and IPv6) addresses is that they can be divided into a network part (a prefix) and a host part (the remainder). The “legacy” mechanism for designating the IPv4 network and host address portions was to make the division according to the first few bits: first few bits network bits host bits name application first byte 0-127 24 0 class A a few very large networks 8 10 16 16 class B institution-sized networks 128-191 110 192-223 24 8 class C sized for smaller entities For example, the original IP address allocation for Loyola University Chicago was 147.126.0.0, a class B. 10 010011. In binary, 147 is IP addresses, unlike Ethernet addresses, are administratively assigned . Once upon a time, you would get your Class B network prefix from the Internet Assigned Numbers Authority, or IANA (they now delegate this task), and then you would in turn assign the host portion in a way that was appropriate for your local site. As a result of this administrative assignment, an IP address usually serves not just as an endpoint identifier but also as a locator , containing embedded location information (at least in the sense of location within the IP-address-assignment hierarchy, which may not be geographical). Ethernet addresses, by comparison, are endpoint identifiers but not locators. 24 1 An Overview of Networks

35 An Introduction to Computer Networks, Release 1.9.18 The Class A/B/C definition above was spelled out in 1981 in , which introduced IP. Class D was RFC 791 RFC 988 ; class D addresses must begin with the bits 1110. These addresses are for added in 1986 by multicast , that is, sending an IP packet to every member of a set of recipients (ideally without actually transmitting it more than once on any one link). Nowadays the division into the network and host bits is dynamic, and can be made at different positions in the address at different levels of the network. For example, a small organization might receive a /27 200.1.130.96/ 27 address block (1/8 the size of a class-C /24) from its ISP, eg . The ISP routes to the or- ganization based on this /27 prefix. At some higher level, however, routing might be based on the prefix 200.1.128/ 18 ; this might, for example, represent an address block assigned to the ISP (note that the first 18 bits of 200.1.130.x match 200.1.128; the first two bits of 128 and 130, taken as 8-bit quantities, are “10”). The network/host division point is not carried within the IP header; routers negotiate this division point 7.5 The Classless IP when they negotiate the next_hop forwarding information. We will return to this in . Delivery Algorithm network number or network address or The network portion of an IP address is sometimes called the . As we shall see below, most forwarding decisions are made using only the network prefix. network prefix The network prefix is commonly denoted by setting the host bits to zero and ending the resultant address with a slash followed by the number of network bits in the address: eg 12.0.0.0/8 or 147.126.0.0/16. Note that 12.0.0.0/8 and 12.0.0.0/9 represent different things; in the latter, the second byte of any host address extending the network address is constrained to begin with a 0-bit. An anonymous block of IP addresses might be referred to only by the slash and following digit, eg “we need a /22 block to accommodate all our customers”. All hosts with the same network address (same network bits) are said to be on the same and IP network must be located together on the same LAN ; as we shall see below, if two hosts share the same network address then they will assume they can reach each other directly via the underlying LAN, and if they cannot only the network bits need to be then connectivity fails. A consequence of this rule is that outside of the site . looked at to route a packet to the site Usually, all hosts (or more precisely all network interfaces) on the same physical LAN share the same network prefix and thus are part of the same IP network. Occasionally, however, one LAN is divided into multiple IP networks. Each individual LAN technology has a maximum packet size it supports; for example, Ethernet has a maximum packet size of about 1500 bytes but the once-competing Token Ring had a maximum of 4 kB. Today the world has largely standardized on Ethernet and almost entirely standardized on Ethernet packet- size limits, but this was not the case when IP was introduced and there was real concern that two hosts on separate large-packet networks might try to exchange packets too large for some small-packet intermediate network to carry. Therefore, in addition to routing and addressing, the decision was made that IP must also support fragmen- tation : the division of large packets into multiple smaller ones (in other contexts this may also be called segmentation ). The IP approach is not very efficient, and IP hosts go to considerable lengths to avoid frag- mentation. IP does require that packets of up to 576 bytes be supported, and so a common legacy strategy was for a host to limit a packet to at most 512 user-data bytes whenever the packet was to be sent via a router; packets addressed to another host on the same LAN could of course use a larger packet size. Despite its limited use, however, fragmentation is essential conceptually, in order for IP to be able to support large packets without knowing anything about the intervening networks. IP is a best effort system; there are no IP-layer acknowledgments or retransmissions. We ship the packet 1.10 IP - Internet Protocol 25

36 An Introduction to Computer Networks, Release 1.9.18 off, and hope it gets there. Most of the time, it does. connectionless networking: the IP layer Architecturally, this best-effort model represents what is known as does not maintain information about endpoint-to-endpoint connections, and simply forwards packets like a giant LAN. Responsibility for creating and maintaining connections is left for the next layer up, the TCP layer. Connectionless networking is the only way to do things: the alternative could have been some not internetworking, in which routers do form connection-oriented maintain state information about individual 3.4 Virtual Circuits , we will examine how virtual-circuit networking can be used to connections. Later, in implement a connection-oriented approach; virtual-circuit switching is the primary alternative to datagram switching. Connectionless (IP-style) and connection-oriented networking each have advantages. Connectionless net- working is conceptually more reliable: if routers do not hold connection state, then they cannot con- lose nection state. The path taken by the packets in some higher-level connection can easily be dynamically rerouted. Finally, connectionless networking makes it hard for providers to bill by the connection; once upon a time (in the era of dollar-a-minute phone calls) this was a source of mild astonishment to many new [CK74] considers, among other things, the possibility of users. (This was not always a given; the paper per-packet accounting.) The primary advantage of connection-oriented networking, on the other hand, is that the routers are then much better positioned to accept reservations and to make quality-of-service guarantees . This remains something of a sore point in the current Internet: if you want to use Voice-over-IP, or VoIP , telephones, or if you want to engage in video conferencing, your packets will be treated by the Internet core just the same as if they were low-priority file transfers. There is no “priority service” option. The most common form of IP packet loss is router queue overflows, representing network congestion. Packet 4 losses due to packet corruption are rare ( less than one in 10 ; perhaps much less). But in a connectionless eg world a large number of hosts can simultaneously attempt to send traffic through one router, in which case queue overflows are hard to avoid. Although we will often assume, for simplicity, that routers have a fixed input queue size, the reality is often a little more complicated. See 14.8 Active Queue Management and 19 Queuing and Scheduling . 1.10.1 IP Forwarding IP routers use datagram forwarding, described in 1.4 Datagram Forwarding above, to deliver packets, but the “destination” values listed in the forwarding tables are network prefixes – representing entire LANs – instead of individual hosts. The goal of IP forwarding, then, becomes delivery to the correct LAN; a separate process is used to deliver to the final host once the final LAN has been reached. The entire point, in fact, of having a network/host division within IP addresses is so that routers need to list only the network prefixes of the destination addresses in their IP forwarding tables. This strategy is the key to IP scalability: it saves large amounts of forwarding-table space, it saves time as smaller tables allow faster lookup, and it saves the bandwidth and overhead that would be needed for routers to keep track of individual addresses. To get an idea of the forwarding-table space savings, there are currently (2013) around a billion hosts on the Internet, but only 300,000 or so networks listed in top-level forwarding tables. With IP’s use of network prefixes as forwarding-table destinations, matching an actual packet address to a forwarding-table entry is no longer a matter of simple equality comparison; routers must compare appropri- ate prefixes. 26 1 An Overview of Networks

37 An Introduction to Computer Networks, Release 1.9.18 IP forwarding tables are sometimes also referred to as “routing tables”; in this book, however, we make at least a token effort to use “forwarding” to refer to the packet forwarding process, and “routing” to refer to mechanisms by which the forwarding tables are maintained and updated. (If we were to be completely consistent here, we would use the term “forwarding loop” rather than “routing loop”.) Now let us look at an example of how IP forwarding (or routing) works. We will assume that all network hosts – user machines, with a single network connection – or routers , which do packet- nodes are either forwarding only. Routers are not directly visible to users, and always have at least two different network interfaces representing different networks that the router is connecting. (Machines can be both hosts and routers, but this introduces complications.) Suppose A is the sending host, sending a packet to a destination host D. The IP header of the packet will contain D’s IP address in the “destination address” field (it will also contain A’s own address as the “source address”). The first step is for A to determine whether D is on the same LAN as itself or not; that is, whether D is local . This is done by looking at the network part of the destination address, which we will denote by ), then A figures D is on . If this net address is the same as A’s (that is, if it is equal numerically to A D net net the same LAN as itself, and can use direct LAN delivery. It looks up the appropriate physical address for D (probably with the ARP protocol, 7.9 Address Resolution Protocol: ARP ), attaches a LAN header to the packet in front of the IP header, and sends the packet straight to D via the LAN. do and D – then A looks up a router to use. Most ordinary If, however, A not match – D is non-local net net hosts use only one router for all non-local packet deliveries, making this choice very simple. A then forwards the packet to the router, again using direct delivery over the LAN. The IP destination address in the packet remains D in this case, although the LAN destination address will be that of the router. When the router receives the packet, it strips off the LAN header but leaves the IP header with the IP destination address. It extracts the destination D, and then looks at D . The router first checks to see net if any of its network interfaces are on the same LAN as D; recall that the router connects to at least one additional network besides the one for A. If the answer is yes, then the router uses direct LAN delivery to the destination, as above. If, on the other hand, D is not a LAN to which the router is connected directly, then net the router consults its internal forwarding table. This consists of a list of networks each with an associated x net,next_hop y tables compare with switched-Ethernet’s next_hop address. These host,next_hop y tables; x the former type will be smaller because there are many fewer nets than hosts. The next_hop addresses in the table are chosen so that the router can always reach them via direct LAN delivery via one of its interfaces; generally they are other routers. The router looks up D in the table, finds the next_hop address, and uses net direct LAN delivery to get the packet to that next_hop machine. The packet’s IP header remains essentially unchanged, although the router most likely attaches an entirely new LAN header. The packet continues being forwarded like this, from router to router, until it finally arrives at a router that is connected to D ; it is then delivered by that final router directly to D, using the LAN. net To make this concrete, consider the following diagram: A B C F E D: 200.0.1.37 R1 R2 R3 200.0.0/24 200.0.1/24 Two LANs joined by three routers With Ethernet-style forwarding, R2 would have to maintain entries for each of A,B,C,D,E,F. With IP for- 1.10 IP - Internet Protocol 27

38 An Introduction to Computer Networks, Release 1.9.18 warding, R2 has just two entries to maintain in its forwarding table: 200.0.0/24 and 200.0.1/24. If A sends ‰ 200.0.1, and thus concludes to D, at 200.0.1.37, it puts this address into the IP header, notes that 200.0.0 D is not a local delivery. A therefore sends the packet to its router R1, using LAN delivery. R1 looks up the destination network 200.0.1 in its forwarding table and forwards the packet to R2, which in turn forwards it to R3. R3 now sees that it connected directly to the destination network 200.0.1, and delivers the packet is via the LAN to D, by looking up D’s physical address. In this diagram, IP addresses for the ends of the R1–R2 and R2–R3 links are not shown. They could be assigned global IP addresses, but they could also use “private” IP addresses. Assuming these links are 7.12 Unnumbered point-to-point links, they might not actually need IP addresses at all; we return to this in Interfaces . One can think of the network-prefix bits as analogous to the “zip code” on postal mail, and the host bits as analogous to the street address. The internal parts of the post office get a letter to the right zip code, and then an individual letter carrier (the LAN) gets it to the right address. Alternatively, one can think of the network bits as like the area code of a phone number, and the host bits as like the rest of the digits. Newer protocols that support different net/host division points at different places in the network – sometimes called – allow support for addressing schemes that correspond to, say, zip/street/user, or hierarchical routing areacode/exchange/subscriber. The Invertebrate Internet The backbone is not as essential as it once was. Once Upon A Time, all traffic between different providers passed through the backbone. The legacy backbone still exists, but today it is also common for traffic from large providers such as Google to take a backbone-free path; such providers connect (or “peer”) directly with large residential ISPs such as Comcast. Google refers to this as their “Edge Network”; see peering.google.com and also 10.6.6.1 MED values and traffic engineering . We will refer to the Internet backbone as those IP routers that specialize in large-scale routing on the commercial Internet, and which generally have forwarding-table entries covering all public IP addresses; note that this is essentially a business definition rather than a technical one. We can revise the table-size private claim of the previous paragraph to state that, while there are many IP networks, there are about 300,000 visible to the backbone. A forwarding table of 300,000 entries is quite feasible; a table a hundred times larger is not, let alone a thousand times larger. eg 200.0.0/24 and IP routers at non-backbone sites generally know all locally assigned network prefixes, 200.0.1/24 above. If a destination does not match any locally assigned network prefix, the packet needs to be routed out into the Internet at large; for typical non-backbone sites this almost always this means the packet is sent to the ISP that provides Internet connectivity. Generally the local routers will contain a catchall default entry covering all nonlocal networks; this means that the router needs an explicit entry only for locally assigned networks. This greatly reduces the forwarding-table size. The Internet backbone can be approximately described, in fact, as those routers that do not have a default entry. For most purposes, the Internet can be seen as a combination of end-user LANs together with point-to-point links joining these LANs to the backbone, point-to-point links also tie the backbone together. Both LANs and point-to-point links appear in the diagram above. Just how routers build their x destnet,next_hop y forwarding tables is a major topic itself, which we cover in 9 Routing-Update Algorithms . Unlike Ethernet, IP routers do not have a “flooding” delivery mechanism 28 1 An Overview of Networks

39 An Introduction to Computer Networks, Release 1.9.18 as a fallback, so the tables must be constructed in advance. (There is a limited form of IP broadcast, but it is basically intended for reaching the local LAN only, and does not help at all with delivery in the event that the destination network is unknown.) Most forwarding-table-construction algorithms used on a set of routers under common management fall into or the link-state category; these are described in either the . distance-vector 9 Routing-Update Algorithms Routers not under common management – that is, neighboring routers belonging to different organizations – exchange information through the Border Gateway Protocol, BGP ( ). BGP 10 Large-Scale IP Routing allows routing decisions to be based on a fusion of “technical” information (which sites are reachable at all, and through where) together with “policy” information representing legal or commercial agreements: which outside routers are “preferred”, whose traffic an ISP will carry even if it isn’t to one of the ISP’s customers, etc . Most common residential “routers” involve in addition to packet forwarding. network address translation See 7.7 Network Address Translation . 1.10.2 The Future of IPv4 As mentioned earlier, allocation of blocks of IP addresses is the responsibility of the Internet Assigned Numbers Authority. IANA long ago delegated the job of allocating network prefixes to individual sites; they regional registries limited themselves to handing out /8 blocks (class A blocks) to the five , which are • ARIN – North America • RIPE – Europe, the Middle East and parts of Asia • APNIC – East Asia and the Pacific • AfriNIC – most of Africa • LACNIC – Central and South America As of the end of January 2011, the IANA finally ran out of /8 blocks. There is a table at http://www.iana. org/assignments/ipv4-address-space/ipv4-address-space.xml of all IANA assignments of /8 blocks; exami- nation of the table shows all have now been allocated. In September 2015, ARIN ran out of its pool of IPv4 addresses. Most of ARIN’s customers are ISPs, which can now obtain new IPv4 addresses only by buying unused address blocks from other organizations. A few months after the IANA pool ran out, Microsoft purchased 666,624 IP addresses (2604 Class-C blocks) in a Nortel bankruptcy auction for $7.5 million. By a year later, IP-address prices appeared to have retreated only slightly. It is possible that the market for IPv4 address blocks will continue to develop; alternatively, this turn of events may accelerate implementation of IPv6, which has 128-bit addresses. An IPv4 address price in the range of $10 is unlikely to have much impact in residential Internet access, where annual connection fees are often $600. Large organizations use NAT ( 7.7 Network Address Transla- tion ) extensively, leading to the need for only a small number of globally visible addresses. The IPv4 address shortage does not even seem to have affected wireless networking. It does, however, lead to inefficient rout- ing tables, as a site that once had a single /20 address block – and thus a single backbone forwarding-table entry – might now be spread over more than a hundred /27 blocks and concomitant forwarding entries. 1.10 IP - Internet Protocol 29

40 An Introduction to Computer Networks, Release 1.9.18 1.11 DNS domain name system , or DNS IP addresses are hard to remember (nearly impossible in IPv6). The DNS ( ), comes to the rescue by creating a way to convert hierarchical text names to IP addresses. 7.8 Thus, for example, one can type www.luc.edu instead of 147.126.1.230. Virtually all Internet software uses the same basic library calls to convert DNS names to actual addresses. One thing DNS makes possible is changing a website’s IP address while leaving the name alone. This allows moving a site to a new provider, for example, without requiring users to learn anything new. It is also possible to have several different DNS names resolve to the same IP address, and – through some modest trickery – have the http (web) server at that IP address handle the different DNS names as completely different websites. DNS is hierarchical and distributed. In looking up four different DNS servers may be cs.luc.edu queried: for the so-called “DNS root zone”, for , for luc.edu and for cs.luc.edu . Searching edu a hierarchy can be cumbersome, so DNS search results are normally cached locally. If a name is not found in the cache, the lookup may take a couple seconds. The DNS hierarchy need have nothing to do with the IP-address hierarchy. 1.12 Transport The IP layer gets packets from one node to another, but it is not well-suited to transport. First, IP routing is a “best-effort” mechanism, which means packets can and do get lost sometimes. Additionally, data that does arrive can arrive out of order. Finally, IP only supports sending to a specific host; normally, one wants to send to a given application running on that host. Email and web traffic, or two different web sessions, should not be commingled! The Transport layer is the layer above the IP layer that handles these sorts of issues, often by creating some connection sort of abstraction. Far and away the most popular mechanism in the Transport layer is the Transmission Control Protocol, or TCP . TCP extends IP with the following features: reliability • : TCP numbers each packet, and keeps track of which are lost and retransmits them after a timeout. It holds early-arriving out-of-order packets for delivery at the correct time. Every arriving data packet is acknowledged by the receiver; timeout and retransmission occurs when an acknowl- edgment packet isn’t received by the sender within a given time. • connection-orientation : Once a TCP connection is made, an application sends data simply by writing to that connection. No further application-level addressing is needed. TCP connections are managed by the operating-system kernel, not by the application. stream-orientation : An application using TCP can write 1 byte at a time, or 100 kB at a time; TCP • will buffer and/or divide up the data into appropriate sized packets. • port numbers : these provide a way to specify the receiving application for the data, and also to identify the sending application. • throughput management : TCP attempts to maximize throughput, while at the same time not con- tributing unnecessarily to network congestion . 30 1 An Overview of Networks

41 An Introduction to Computer Networks, Release 1.9.18 TCP endpoints are of the form host,port y ; these pairs are known as socket addresses , or sometimes as just x though the latter refers more properly to the operating-system objects that receive the data sent to sockets (or, more precisely, server applications) listen for connections to sockets they the socket addresses. Servers is then any endpoint that initiates a connection to a server. have opened; the client When you enter a host name in a web browser, it opens a TCP connection to the server’s port 80 (the standard x server,80 y . If you have several browser web-traffic port), that is, to the server socket with socket-address same server socket, but the connections are distinguishable by virtue tabs open, each might connect to the client of using separate ports (and thus having separate socket addresses) on the end (that is, your end). A busy server may have thousands of connections to its port 80 (the web port) and hundreds of connections to port 25 (the email port). Web and email traffic are kept separate by virtue of the different ports used. All x host,port y those clients to the same port, though, are kept separate because each comes from a unique pair. A TCP connection is determined by the x host,port y socket address at each end; traffic on different connec- tions does not intermingle. That is, there may be multiple independent connections to x www.luc.edu,80 y . This is somewhat analogous to certain business telephone numbers of the “ operators are standing by ” type, which support multiple callers at the same time to the same toll-free number. Each call to that number is answered by a different operator (corresponding to a different cpu process), and different calls do not “overhear” each other. TCP uses the sliding-windows algorithm , 6 Abstract Sliding Windows , to keep multiple packets en route window size at any one time. The represents the number of packets simultaneously in transit (TCP actually keeps track of the window size in bytes, but packets are easier to visualize). If the window size is 10 packets, for example, then at any one time 10 packets are in transit (perhaps 5 data packets and 5 returning acknowledgments). Assuming no packets are lost, then as each acknowledgment arrives the window “slides forward” by one packet. The data packet 10 packets ahead is then sent, to maintain a total of 10 packets on the wire. For example, consider the moment when the ten packets 20-29 are in transit. When ACK[20] is received, the number of packets outstanding drops to 9 (packets 21-29). To keep 10 packets in flight, Data[30] is sent. When ACK[21] is received, Data[31] is sent, and so on. Sliding windows minimizes the effect of store-and-forward delays, and propagation delays, as these then only count once for the entire windowful and not once per packet. Sliding windows also provides an auto- matic, if partial, brake on congestion: the queue at any switch or router along the way cannot exceed the window size. In this it compares favorably with constant-rate transmission, which, if the available band- width falls below the transmission rate, always leads to overflowing queues and to a significant percentage of dropped packets. Of course, if the window size is too large, a sliding-windows sender may also experience dropped packets. The ideal window size, at least from a throughput perspective, is such that it takes one round-trip time to send an entire window, so that the next ACK will always be arriving just as the sender has finished transmitting the window. Determining this ideal size, however, is difficult; for one thing, the ideal size varies with network load. As a result, TCP approximates the ideal size. The most common TCP strategy – that of so-called TCP Reno – is that the window size is slowly raised until packet loss occurs, which TCP takes as a sign that it has reached the limit of available network resources. At that point the window size is reduced to half its previous value, and the slow climb resumes. The effect is a “sawtooth” graph of window size with time, which oscillates (more or less) around the “optimal” window size. For an idealized sawtooth graph, see 13.1.1 The Somewhat-Steady State ; for some “real” (simulation-created) sawtooth graphs see 16.4.1 Some TCP Reno cwnd graphs . While this window-size-optimization strategy has its roots in attempting to maximize the available band- width, it also has the effect of greatly limiting the number of packet-loss events. As a result, TCP has come 1.12 Transport 31

42 An Introduction to Computer Networks, Release 1.9.18 to be the Internet protocol charged with reducing (or at least managing) on the Internet, and – congestion fairness of bandwidth allocations to competing connections. Core Internet routers relatedly – with ensuring – at least in the classical case – essentially have no role in enforcing congestion or fairness restrictions at all. The Internet, in other words, places responsibility for congestion avoidance cooperatively into the hands of end users. While “cheating” is possible, this cooperative approach has worked remarkably well. real-time performance of TCP is not always consistent: if a packet is lost, While TCP is ubiquitous, the the receiving TCP host will not turn over anything further to the receiving application until the lost packet . This is a serious problem has been retransmitted successfully; this is often called head-of-line blocking for sound and video applications, which can discretely handle modest losses but which have much more difficulty with sudden large delays. A few lost packets ideally should mean just a few brief voice dropouts (pretty common on cell phones) or flicker/snow on the video screen (or just reuse of the previous frame); both of these are better than pausing completely. The basic alternative to TCP is known as , for User Datagram Protocol. UDP, like TCP, provides port UDP numbers to support delivery to multiple endpoints within the receiving host, in effect to a specific process on the host. As with TCP, a UDP socket consists of a host,port y pair. UDP also includes, like TCP, a checksum x over the data. However, UDP omits the other TCP features: there is no connection setup, no lost-packet detection, no automatic timeout/retransmission, and the application must manage its own packetization. This simplicity should not be seen as all negative: the absence of connection setup means data transmission can get started faster, and the absence of lost-packet detection means there is no head-of-line blocking. See 11 UDP Transport . The Real-time Transport Protocol, or RTP , sits above UDP and adds some additional support for voice and video applications. 1.12.1 Transport Communications Patterns The two “classic” traffic patterns for Internet communication are these: • Interactive or bursty communications such as via ssh or telnet, with long idle times between short bursts • Bulk file transfers, such as downloading a web page TCP handles both of these well, although its congestion-management features apply only when a large amount of data is in transit at once. Web browsing is something of a hybrid; over time, there is usually considerable burstiness, but individual pages now often exceed 1 MB. To the above we might add operations, eg to query a database or to make DNS requests. TCP request/reply is widely used here as well, though most DNS traffic still uses UDP. There are periodic calls for a new protocol specifically addressing this pattern, though at this point the use of TCP is well established. If a sequence of request/reply operations is envisioned, a single TCP connection makes excellent sense, as the connection-setup overhead is minimal by comparison. See also and 11.5 Remote Procedure Call (RPC) 12.22.2 SCTP . This century has seen an explosion in streaming video ( 20.3.2 Streaming Video ), in lengths from a few minutes to a few hours. Streaming radio stations might be left playing indefinitely. TCP generally works well here, assuming the receiver can get, say, a minute ahead, buffering the video that has been received but not yet viewed. That way, if there is a dip in throughput due to congestion, the receiver has time to 32 1 An Overview of Networks

43 An Introduction to Computer Networks, Release 1.9.18 recover. Buffering works a little less well for streaming radio, as the listener doesn’t want to get too far behind, though ten seconds is reasonable. Fortunately, audio bandwidth is smaller. Another issue with streaming video is the bandwidth demand. Most streaming-video services attempt to that throughput by changing the video resolution to estimate the available throughput, and then adapt ). 20.3 Real-time Traffic ( Typically, video streaming operates on a start/stop basis: the sender pauses when the receiver’s playback buffer is “full”, and resumes when the playback buffer drops below a certain threshold. , there is much less opportunity for stream buffer- If the video (or, for that matter, voice audio) is interactive ing. If someone asks a simple question on an Internet telephone call, they generally want an answer more or less immediately; they do not expect to wait for the answer to make it through the other party’s stream buffer. 200 ms of buffering is noticeable. Here we enter the realm of genuine real-time traffic ( 20.3 Real- ). UDP is often used to avoid head-of-line blocking. Lower bandwidth helps; voice-grade time Traffic communications traditionally need only 8 kB/sec, less if compression is used. On the other hand, there may be constraints on the in delivery time (known as jitter ; see 20.11.3 RTP Control Protocol for a variation specific numeric interpretation). Interactive video, with its much higher bandwidth requirements, is more difficult; fortunately, users seem to tolerate the common pauses and freezes. Within the Transport layer, essentially all network connections involve a client and a server . Often this pattern is repeated at the Application layer as well: the client contacts the server and initiates a login session, or browses some web pages, or watches a movie. Sometimes, however, Application-layer exchanges fit the peer-to-peer model better, in which the two endpoints are more-or-less co-equals. Some examples include • Internet telephony: there is no benefit in designating the party who place the call as the “client” • Message passing in a CPU cluster, often using 11.5 Remote Procedure Call (RPC) 9 Routing-Update Algorithms • The routing-communication protocols of . When router A reports to router B we might call A the client, but over time, as A and B report to one another repeatedly, the peer-to-peer model makes more sense. • So-called peer-to-peer file-sharing, where individuals exchange files with other individuals (and as opposed to “cloud-based” file-sharing in which the “cloud” is the server). RFC 5694 contains additional discussion of peer-to-peer patterns. 1.12.2 Content-Distribution Networks Sites with an extremely large volume of content to distribute often turn to a specialized communication pattern called a content-distribution network or CDN . To reduce the amount of long-distance traffic, or to reduce the round-trip time, a site replicates its content at multiple datacenters (also called Points of Presence for a web page or a video), (PoPs), , access points or edge servers ). When a user makes a request ( eg nodes the request is routed to the nearest (or approximately nearest) datacenter, and the content is delivered from there. CDN Mapping For a geographical map of the servers in the NetFlix CDN as of 2016, see [BCTCU16] . The map was 1.12 Transport 33

44 An Introduction to Computer Networks, Release 1.9.18 created solely through end-user measurements. Most of the servers are in North and South America and Europe. Large web pages typically contain both dynamic content. On a typical static content and also individualized Facebook page, for example, the videos and javascript might be considered static, while the individual wall posts might be considered dynamic. The CDN may cache all or most of the static content at each of its edge servers, leaving the dynamic content to come from a centralized server. Alternatively, the dynamic content may be replicated at each CDN edge node as well, though this introduces some real-time coordination issues. If dynamic content is not replicated, the CDN may include private high-speed links between its nodes, allowing for rapid low-congestion delivery to any node. Alternatively, CDN nodes may simply communicate interactive traffic using the public Internet. Finally, the CDN may (or may not) be configured to support fast eg between nodes, 20.6.1 A CDN Alternative to IntServ . teleconferencing traffic, as is outlined in Organizations can create their own CDNs, but often turn to specialized CDN providers, who often combine their CDN services with website-hosting services. In principle, all that is needed to create a CDN is a multiplicity of datacenters, each with its own connection to the Internet; private links between datacenters are also common. In practice, many CDN providers also try to build direct connections with the ISPs that serve their customers; the Google Edge Network above does this. This can improve performance and reduce traffic costs; we will return to this in 10.6.6.1 MED values and traffic engineering . Finding the edge server that is closest to a given user is a tricky issue. There are three techniques in common use. In the first, the edge servers are all given different IP addresses, and DNS is configured to have users receive the IP address of the closest edge server, 7.8 DNS . In the second, each edge server has the same IP address, and anycast 10.6.7 BGP routing is used to route traffic from the user to the closest edge server, . Finally, for HTTP applications a centralized server can look up the approximate location of and Anycast the user, and then redirect the web page to the closest edge server. 1.13 Firewalls One problem with having a program on your machine listening on an open TCP port is that someone may connect and then, using some flaw in the software on your end, do something malicious to your machine. Damage can range from the unintended downloading of personal data to compromise and takeover of your entire machine, making it a distributor of viruses and worms or a steppingstone in later break-ins of other machines. A strategy known as buffer overflow ( 22.2 Stack Buffer Overflow ) has been the basis for a great many total-compromise attacks. The idea is to identify a point in a server program where it fills a memory buffer with network-supplied data without careful length checking; almost any call to the C library function gets(buf) will suffice. The attacker then crafts an oversized input string which, when read by the server and stored in memory, overflows the buffer and overwrites subsequent portions of memory, typically con- taining the stack-frame pointers. The usual goal is to arrange things so that when the server reaches the end of the currently executing function, control is returned not to the calling function but instead to the attacker’s own payload code located within the string. A firewall is a mechanism to block connections deemed potentially risky, eg those originating from outside the site. Generally ordinary workstations do not ever need to accept connections from the Internet; client 34 1 An Overview of Networks

45 An Introduction to Computer Networks, Release 1.9.18 machines instead connections to (better-protected) servers. So blocking incoming connections works initiate eg for games) certain ports can be selectively unblocked. reasonably well; when necessary ( The original firewalls were built into routers. Incoming traffic to servers was often blocked unless it was sent to one of a modest number of “open” ports; for non-servers, typically all inbound connections were blocked. This allowed internal machines to operate reasonably safely, though being unable to accept incom- ing connections is sometimes inconvenient. Nowadays per-host firewalls – in addition to router-based firewalls – are common: you can configure your workstation not to accept inbound connections to most (or all) ports regardless of whether software on the workstation requests such a connection. Outbound connections can, in many cases, also be prevented. The typical home router implements something called network-address translation ( 7.7 Network Address Translation ), which, in addition to conserving IPv4 addresses, also provides firewall protection. 1.14 Some Useful Utilities There exists a great variety of useful programs for probing and diagnosing networks. Here we list a few of the simpler, more common and available ones; some of these are addressed in more detail in subsequent chapters. Some of these, like , are generally present by default; others will have to be installed from ping somewhere. ping is useful to determine if another machine is accessible, eg Ping ping www.cs.luc.edu ping 147.126.1.230 7.11 Internet Control Message Protocol for how it works. Sometimes ping fails because the necessary See packets are blocked by a firewall. ifconfig , ipconfig , ip To find your own IP address you can use ipconfig ifconfig on Linux and Macintosh on Windows, ip addr list on Linux. The output generally lists all active interfaces but can be systems, or the newer ip command in particular can do many other things as well. restricted to selected interfaces if desired. The The Windows command netsh interface ip show config also provides IP addresses. nslookup , dig and host This trio of programs, all developed by the Internet Systems Consortium, are all used for DNS lookups. nslookup , the one with the most options (by a They differ in convenience and options. The oldest is rather wide margin) is dig , and the newest and arguably most convenient for normal usage is host . nslookup intronetworks.cs.luc.edu Non-authoritative answer: Name: intronetworks.cs.luc.edu Address: 162.216.18.28 1.14 Some Useful Utilities 35

46 An Introduction to Computer Networks, Release 1.9.18 dig intronetworks.cs.luc.edu ... ;; ANSWER SECTION: intronetworks.cs.luc.edu. 86400 IN A 162.216.18.28 ... host intronetworks.cs.luc.edu intronetworks.cs.luc.edu has address 162.216.18.28 intronetworks.cs.luc.edu has IPv6 address 2600:3c03::f03c:91ff:fe69:f438 . See 7.8.1 nslookup (and dig) traceroute This lists the route from you to a remote host: traceroute intronetworks.cs.luc.edu 1 147.126.65.1 (147.126.65.1) 0.751 ms 0.753 ms 0.783 ms 2 147.126.95.54 (147.126.95.54) 1.319 ms 1.286 ms 1.253 ms 3 12.31.132.169 (12.31.132.169) 1.225 ms 1.231 ms 1.193 ms 4 cr83.cgcil.ip.att.net (12.123.7.46) 4.983 ms cr84.cgcil.ip.att.net (12. ã 123.7.170) 4.825 ms 4.812 ms Ñ 5 cr83.cgcil.ip.att.net (12.123.7.46) 4.926 ms 4.904 ms 4.888 ms 6 cr1.cgcil.ip.att.net (12.122.99.33) 5.043 ms cr2.cgcil.ip.att.net (12. Ñ 122.132.109) 5.343 ms 5.317 ms ã 7 gar13.cgcil.ip.att.net (12.122.132.121) 3.879 ms 18.347 ms ggr4.cgcil. Ñ ip.att.net (12.122.133.33) 2.987 ms ã 8 chi-b21-link.telia.net (213.248.87.253) 2.344 ms 2.305 ms 2.409 ms 9 nyk-bb2-link.telia.net (80.91.248.197) 24.065 ms nyk-bb1-link.telia.net ã Ñ (213.155.136.70) 24.986 ms nyk-bb2-link.telia.net (62.115.137.58) 23.158 ã Ñ ms 10 nyk-b3-link.telia.net (62.115.112.255) 23.557 ms 23.548 ms nyk-b3-link. ã telia.net (80.91.248.178) 24.510 ms Ñ 11 netaccess-tic-133837-nyk-b3.c.telia.net (213.248.99.90) 23.957 ms 24. Ñ ã 382 ms 24.164 ms 12 0.e1-4.tbr1.mmu.nac.net (209.123.10.101) 24.922 ms 24.737 ms 24.754 ms 13 207.99.53.42 (207.99.53.42) 24.024 ms 24.249 ms 23.924 ms The last router (and intronetworks.cs.luc.edu itself) don’t respond to the traceroute packets, so the list is not quite complete. The Windows tracert utility is functionally equivalent. See 7.11.1 Tracer- oute and Time Exceeded for further information. Traceroute sends, by default, three probes for each router. Sometimes the responses do not all come back from the same router, as happened above at routers 4, 6, 7, 9 and 10. Router 9 sent back three distinct responses. On Linux systems the mtr command may be available as an alternative to traceroute; it repeats the traceroute at one-second intervals and generates cumulative statistics. route and netstat 36 1 An Overview of Networks

47 An Introduction to Computer Networks, Release 1.9.18 The commands , route print (Windows), ip route show (Linux), and netstat -r (all route systems) display the host’s local IP forwarding table. For workstations not acting as routers, this includes the route to the default router and, usually, not much else. The default route is sometimes listed as destination 0.0.0.0 with netmask 0.0.0.0 (equivalent to 0.0.0.0/0). The command netstat -a shows the existing TCP connections and open UDP sockets. netcat netcat program, often called nc , allows the user to create TCP or UDP connections and send lines The 11.1.4 netcat . 12.6.2 netcat again of text back and forth. It is seldom included by default. See and WireShark This is a convenient combination of packet capture and packet analysis, from wireshark.org. See 12.4 TCP and 8.11 Using IPv6 and IPv4 Together for examples. and WireShark WireShark was originally named Etherreal. An earlier command-line-only packet-capture program is tcp- dump. WireShark is the only non-command-line program listed here. It is sometimes desired to monitor packets on a remote system. If X-windows is involved ( eg on Linux), this can be done by logging in from one’s local system using ssh -X , which enables X-windows forwarding, and then starting wireshark (or perhaps sudo wireshark ) from the command line. Tcpdump is, of course, another alternative. 1.15 IETF and OSI The Internet protocols discussed above are defined by the , or IETF (under Internet Engineering Task Force Internet Architecture Board , or IAB, in turn under the aegis of the Internet Society the aegis of the , ISOC). The IETF publishes “Request For Comment” or RFC documents that contain all the formal Internet standards; these are available at http://www.ietf.org/rfc.html (note that, by the time a document appears here, the actual comment-requesting period is generally long since closed). The five-layer model is closely associated with the IETF, though is not an official standard. RFC standards sometimes allow modest flexibility. With this in mind, RFC 2119 declares official under- standings for the words MUST and SHOULD. A feature labeled with MUST is “an absolute requirement for the specification”, while the term SHOULD is used when there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. The original ARPANET network was developed by the US government’s Defense Advanced Research Projects Agency, or DARPA; it went online in 1969. The National Science Foundation began NSFNet in 1986; this largely replaced ARPANET. In 1991, operation of the NSFNet backbone was turned over to ANSNet, a private corporation. The ISOC was founded in 1992 as the NSF continued to retreat from the networking business. Hallmarks of the IETF design approach were David Clark’s declaration We reject: kings, presidents and voting. We believe in: rough consensus and running code. and RFC Editor Jon Postel’s Robustness Principle 1.15 IETF and OSI 37

48 An Introduction to Computer Networks, Release 1.9.18 Be liberal in what you accept, and conservative in what you send. Postel’s aphorism has come in for criticism in recent years, especially with regard to cryptographic protocols. To be fair, however, Postel wrote this in an era when protocol specifications sometimes failed to fully spell out the rules in every possible situation. Today’s cryptographic protocols are generally much more complete. There is a persistent – though false – notion that the distributed-routing architecture of IP was due to a US Department of Defense mandate that the original ARPAnet be able to survive a nuclear attack. In fact, the developers of IP seemed unconcerned with this. However, Paul Baran did write, in his 1962 paper outlining the concept of packet switching, that If [the number of stations] is made sufficiently large, it can be shown that highly survivable system structures can be built – even in the thermonuclear era. In 1977 the International Organization for Standardization, or ISO , founded the Open Systems Interconnec- OSI , a process for creation of new network standards. OSI represented an attempt at the tion project, or creation of networking standards independent of any individual government. seven-layer The OSI project is today perhaps best known for its networking model: between Transport and Application were inserted the and Presentation layers. The Session layer was to handle “sessions” Session between applications (including the graceful closing of Transport-layer connections, something included in TCP, and the re-establishment of “broken” Transport-layer connections, which TCP could sorely use), and eg for binary numeric data, the Presentation layer was to handle things like defining universal data formats ( or for non-ASCII character sets), and eventually came to include compression and encryption as well. Data presentation and session management are important concepts, but in many cases it has not proved necessary, or even particularly useful, to make them into true layers, in the sense that a layer communicates directly only with the layers adjacent to it. What often happens is that the Application layer manages its own Transport connections, and is responsible for reading and writing data directly from and to the Transport layer. The application then uses conventional libraries for Presentation actions such as encryption, compression and format translation, and for Session actions such as handling broken Transport connections and multiplexing streams of data over a single Transport connection. Version 2 of the HTTP protocol, for example, contains a subprotocol for managing multiple streams; this is generally regarded as part of the Application layer. However, the SSL/TLS transport-encryption service, , can be viewed as an example of a true 22.10.2 TLS Presentation layer. Applications generally read and write data directly to the SSL/TLS endpoint, which in mostly encapsulates the underlying TCP connection. The encapsulation is incomplete, though, in that turn SSL/TLS applications generally are responsible for creating their own Transport-layer (TCP) connections; see 22.10.3 A TLS Programming Example and the note at the end of 22.10.3.2 TLSserver . OSI has its own version of IP and TCP. The IP equivalent is CLNP , the ConnectionLess Network Protocol, although OSI also defines a connection- protocol CMNS. The TCP equivalent is TP4; OSI also oriented defines TP0 through TP3 but those are for connection-oriented networks. It seems clear that the primary reasons the OSI protocols failed in the marketplace were their ponderous bureaucracy for protocol management, their principle that protocols be completed before implementation began, and their insistence on rigid adherence to the specifications to the point of non-interoperability. In contrast, the IETF had (and still has) a “two working implementations” rule for a protocol to become a “Draft Standard”. From RFC 2026 : A specification from which at least two independent and interoperable implementations from different code bases have been developed, and for which sufficient successful operational experience has been 38 1 An Overview of Networks

49 An Introduction to Computer Networks, Release 1.9.18 obtained, may be elevated to the “Draft Standard” level. [emphasis added] This rule has often facilitated the discovery of protocol design weaknesses early enough that the problems could be fixed. The OSI approach is a striking failure for the “waterfall” design model, when competing with the IETF’s cyclic “prototyping” model. However, it is worth noting that the IETF has similarly been unable to keep up with rapid changes in html, particularly at the browser end; the OSI mistakes were mostly evident only in retrospect. Trying to fit protocols into specific layers is often both futile and irrelevant. By one perspective, the Real- Time Protocol RTP lives at the Transport layer, but just above the UDP layer; others have put RTP into the Application layer. Parts of the RTP protocol resemble the Session and Presentation layers. A key component of the IP protocol is the set of various router-update protocols; some of these freely use higher-level layers. Similarly, tunneling might be considered to be a Link-layer protocol, but tunnels are often created and maintained at the Application layer. A sometimes-more-successful approach to understanding “layers” is to view them instead as parts of a . Thus, in the following diagram we have two protocol sublayers within the transport layer protocol graph (UDP and RTP), and one protocol (ARP) not easily assigned to a layer. RTP transport TCP transport UDP transport IP ARP ??? ATM Ethernet LAN LAN 1.16 Berkeley Unix Though not officially tied to the IETF, the Berkeley Unix releases became de facto reference implementa- tions for most of the TCP/IP protocols. 4.1BSD (BSD for Berkeley Software Distribution) was released in 1981, 4.2BSD in 1983, 4.3BSD in 1986, 4.3BSD-Tahoe in 1988, 4.3BSD-Reno in 1990, and 4.4BSD in 1994. Descendants today include FreeBSD, OpenBSD and NetBSD. The TCP implementations TCP Tahoe and TCP Reno ( 13 TCP Reno and Congestion Management ) took their names from the corresponding 4.3BSD releases. 1.16 Berkeley Unix 39

50 An Introduction to Computer Networks, Release 1.9.18 1.17 Epilog This completes our tour of the basics. In the remaining chapters we will expand on the material here. 1.18 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise have solutions or hints 2.5 is distinct, for example, from exercises 2.0 and 3.0. Exercises marked with a ♢ at 24.1 Solutions for An Overview of Networks . 1.0. Give forwarding tables for each of the switches S1-S4 in the following network with destinations A, B, C, D. For the next_hop column, give the neighbor on the appropriate link rather than the interface number. A B C S2 S3 S1 D S4 2.0. Give forwarding tables for each of the switches S1-S4 in the following network with destinations A, B, C, D. Again, use the neighbor form of next_hop rather than the interface form. Try to keep the route to each destination as short as possible. What decision has to be made in this exercise that did not arise in the preceding exercise? S1 S2 A B D S4 S3 C 2.5. In the network of the previous exercise, suppose that destinations directly connected to an immediate neighbor are always reached via that neighbor; eg S1’s forwarding table will always include x B,S2 y and x D,S4 . This leaves only routes to the diagonally opposite nodes undetermined ( eg S1 to C). Show that, no y matter which next_hop entries are chosen for the diagonally opposite destinations, no routing loops can ever be formed. (Hint: the number of links to any diagonally opposite switch is always 2.) 2.7. ♢ Give forwarding tables for each of the switches A-E in the following network. Destinations are A-E themselves. Keep all route lengths the minimum possible (one hop for an immediate neighbor, two hops for everything else). If a destination is an immediate neighbor, you may list its next_hop as direct or local for simplicity. Indicate destinations for which there is more than one choice for next_hop. B 1 1 C A 1 1 1 1 E D 40 1 An Overview of Networks

51 An Introduction to Computer Networks, Release 1.9.18 3.0. Consider the following arrangement of switches and destinations. Give forwarding tables (in neighbor default forwarding entries; . The form) for S1-S4 that include the default entries should point toward S5 default entries will thus automatically forward to the “possible other destinations” shown below right. Eliminate all table entries that are implied by the default entry (that is, if the default entry is to S3, eliminate all other entries for which the next hop is S3). A S1 D S3 S4 S5 ... possible other destinations C E B S2 4.0. Four switches are arranged as below. The destinations are S1 through S4 themselves. S1 S2 S4 S3 (a). Give the forwarding tables for S1 through S4 assuming packets to adjacent nodes are sent along the connecting link, and packets to diagonally opposite nodes are sent clockwise. (b). Give the forwarding tables for S1 through S4 assuming the S1–S4 link is not used at all, not even for S1 ÐÑ S4 traffic. 5.0. Suppose we have switches S1 through S4; the forwarding-table destinations are the switches themselves. The tables for S2 and S3 are as below, where the next_hop value is specified in neighbor form: S2: x S1,S1 y x S3,S3 y x S4,S3 y S3: x y x S2,S2 y x S4,S4 y S1,S2 From the above we can conclude that S2 must be directly connected to both S1 and S3 as its table lists them as next_hops; similarly, S3 must be directly connected to S2 and S4. (a). The given tables are consistent with the network diagrammed in exercise 4.0. Are the tables also consistent with a network in which S1 and S4 are not directly connected? If so, give such a network; if not, explain why S1 and S4 must be connected. (b). Now suppose S3’s table is changed to the following. Find a network layout consistent with these tables in which S1 and S4 are not directly connected. Do not add additional switches. S3: x S1,S4 y x S2,S2 y x S4,S4 y While the table for S4 is not given, you may assume that forwarding does work correctly. However, you should not assume that paths are the shortest possible. Hint: It follows from the S3 table above that the path 1.18 Exercises 41

52 An Introduction to Computer Networks, Release 1.9.18 from S3 to S1 starts S3 S4; how will this path continue? The next switch along the path cannot be S1, ÝÑ because of the hypothesis that S1 and S4 are not directly connected. 6.0. (a) Suppose a network is as follows, with the only path from A to C passing through B: A B C ... ... Explain why a single routing loop cannot include both A and C. Hint: if the loop involves destination D, how does B forward to D? (b). Suppose a routing loop follows the path A are equal to S A, where none of the S S S . . . n i 1 2 A. Show that all the S must be distinct. (A corollary of this is that any routing loop created by datagram- i forwarding either involves forwarding back and forth between a pair of adjacent switches, or else involves an actual graph cycle in the network topology; linear loops of length greater than 1 are impossible.) 7.0 Consider the following arrangement of switches: S1 S4 S10 A E S2 S5 B S11 S6 F C D S3 S12 Suppose S1-S6 have the forwarding tables below. For each of the following destinations, suppose a packet from S1 . is sent to the destination (a). A (b). B (c). C (d). D ♢ (e). E (f). F Give the switches the packet will pass through, including the initial switch S1, up until the final switch S10-S12. S1: (A,S4), (B,S2), (C,S4), (D,S2), (E,S2), (F,S4) S2: (A,S5), (B,S5), (D,S5), (E,S3), (F,S3) S3: (B,S6), (C,S2), (E,S6), (F,S6) S4: (A,S10), (C,S5), (E,S10), (F,S5) S5: (A,S6), (B,S11), (C,S6), (D,S6), (E,S4), (F,S2) S6: (A,S3), (B,S12), (C,S12), (D,S12), (E,S5), (F,S12) 7.5 Suppose a set of nodes A-F and switches S1-S6 are connected as shown. 42 1 An Overview of Networks

53 An Introduction to Computer Networks, Release 1.9.18 A 5 S4 D S1 1 1 B 2 S5 E S2 8 1 S3 4 S6 F C weights , which are used by some routing applications. The The links between switches are labeled with weights represent the cost of using that link. You are to find the path through S1-S6 with lowest total cost (that is, with smallest sum of weights), for each of the following transmissions. For example, the lowest-cost path from A to E is A–S1–S2–S5–E, for a total cost of 1+2=3; the alternative path A–S1–S4–S5–E has total cost 5+1=6. ♢ A (a). F Ñ (b). A Ñ D (c). A Ñ C (d). Give the complete forwarding table for S 2 , where all routes are selected for lowest total cost. 8.0 In exercise 7.0, the routes taken by packets A-D are reasonably direct, but the routes for E and F are rather circuitous. (a). Assign weights to the seven links S1–S2, S2–S3, S1–S4, S2–S5, S3–S6, S4–S5 and S5–S6, as in exercise 7.5, so that destination E’s route in exercise 7.0 becomes the optimum (lowest total link weight) path. (b). Assign weights to the seven links that make destination F’s route in exercise 7.0 optimal. (This will be a different set of weights from part (a).) except to one or two “bad” links; the “bad” links Hint: you can do this by assigning a weight of 1 to all links get a weight of 10. In each of (a) and (b) above, the route taken will be the route that avoids all the “bad” links. You must treat (a) entirely differently from (b); there is no assignment of weights that can account for both routes. 9.0 Suppose we have the following three Class C IP networks, joined by routers R1–R4. There is no con- nection to the outside Internet. Give the forwarding table for each router. For networks directly connected . eg 200.0.1/24 and R1), include the network in the table but list the next hop as direct or local to a router ( R1 200.0.1/24 R4 R2 200.0.2/24 1.18 Exercises 43

54 An Introduction to Computer Networks, Release 1.9.18 R3 200.0.3/24 44 1 An Overview of Networks

55 2 ETHERNET We now turn to a deeper analysis of the ubiquitous Ethernet LAN protocol. Current user-level Ethernet today (2013) is usually 100 Mbps, with Gigabit and 10 Gigabit Ethernet standard in server rooms and backbones, but because the potential for collisions makes Ethernet speeds scale in odd ways, we will start with the 10 Mbps formulation. While the 10 Mbps speed is obsolete, and while even the Ethernet collision mechanism is largely obsolete, collision management itself continues to play a significant role in wireless networks. [MB76] . The data rate was The original Ethernet specification was the 1976 paper of Metcalfe and Boggs, 10 megabits per second, and all connections were made with coaxial cable instead of today’s twisted pair. The authors described their architecture as follows: We cannot afford the redundant connections and dynamic routing of store-and-forward packet switching to assure reliable communication, so we choose to achieve reliability through sim- plicity. We choose to make the shared communication facility passive so that the failure of an active element will tend to affect the communications of only a single station. Classic Ethernet was indeed simple, and – mostly – passive. In its most basic form, the Ethernet medium was one long piece of coaxial cable, onto which stations could be connected via . If two stations happened taps to transmit at the same time – most likely because they were both waiting for a third station to finish – their collision . The only active components besides the stations were repeaters , signals were lost to the resultant originally intended simply to make end-to-end joins between cable segments. Repeaters soon evolved into multiport devices, allowing the creation of arbitrary tree (that is, loop-free) topologies. At this point the standard wiring model shifted from one long cable, snaking from host to host, to a “star” network, where each host connected directly to a central multipoint repeater. This shift allowed for the replacement of expensive coaxial cable by the much-cheaper twisted pair; links could not be as long, but they did not need to be. Repeaters, which forwarded collisions, soon gave way to switches 2.4 Ethernet Switches ). , which did not ( collision domains , or physical Ethernets, through which Switches thus partitioned an Ethernet into disjoint collisions could propagate; an aggregation of physical Ethernets connected by switches was then sometimes known as a virtual Ethernet. Collision domains became smaller and smaller, eventually down to individual links and then vanishing entirely. Throughout all these changes, Ethernet never implemented true redundant connections, in that at any one instant the topology was always required to be loop-free. However, Ethernet did adopt a mechanism by which idle backup links can quickly be placed into service after a primary link fails; 2.5 Spanning Tree Algorithm and Redundancy . 2.1 10-Mbps Classic Ethernet Originally, Ethernet consisted of a long piece of cable (possibly spliced by repeaters ). When a station transmitted, the data went everywhere along that cable. Such an arrangement is known as a broadcast bus ; all packets were, at least at the physical layer, broadcast onto the shared medium and could be seen, theoretically, by all other nodes. Logically, however, most packets would appear to be transmitted point-to- point, not broadcast. This was because between each station CPU and the cable there was a peripheral device 45

56 An Introduction to Computer Networks, Release 1.9.18 (that is, a card) known as a , which would take care of the details of transmitting and network interface receiving. The network interface would (and still does) decide when a received packet should be forwarded to the host, via a CPU interrupt. B C D A NI NI NI NI collide , and interfere with one an- Whenever two stations transmitted at the same time, the signals would other; both transmissions would fail as a result. Proper handling of collisions was an essential part of the access-mediation strategy for the shared medium. In order to minimize collision loss, each station imple- mented the following: 1. Before transmission, wait for the line to become quiet 2. While transmitting, continually monitor the line for signs that a collision has occurred; if a collision is detected, cease transmitting 3. If a collision occurs, use a backoff-and-retransmit strategy CSMA/CD acronym: Carrier Sense, Multiple Access, Colli- These properties can be summarized with the sion Detect. (The term “carrier sense” was used by Metcalfe and Boggs as a synonym for “signal sense”; there is no literal carrier frequency to be sensed.) It should be emphasized that collisions are a normal event in Ethernet, well-handled by the mechanisms above. IEEE 802 Network Standards The IEEE network standards all begin with 802: 802.3 is Ethernet, 802.11 is Wi-Fi, 802.16 is WiMAX, and there are many others. One sometimes encounters the claim that 802 represents the date of an early meeting: February 1980. However, the IEEE has a continuous stream of standards (with occasional gaps): 799: Handling and Disposal of Transformer PCBs, 800: D-C Aircraft Rotating Machines, 803: Recommended Practice for Unique Identification in Power Plants, etc . Classic Ethernet came in version 1 [1980, DEC-Intel-Xerox], version 2 [1982, DIX], and . There IEEE 802.3 are some minor electrical differences between these, and one rather substantial packet-format difference, below. In addition to these, the Berkeley Unix trailing-headers packet format was used for a while. There were three physical formats for 10 Mbps Ethernet cable: thick coax (10BASE-5), thin coax (10BASE- 2), and, last to arrive, twisted pair (10BASE-T). Thick coax was the original; economics drove the successive development of the later two. The cheaper twisted-pair cabling eventually almost entirely displaced coax, at least for host connections. The original specification included support for repeaters , which were in effect signal amplifiers although they might attempt to clean up a noisy signal. Repeaters processed each bit individually and did no buffering. In the telecom world, a repeater might be called a digital regenerator . A repeater with more than two ports was commonly called a hub ; hubs allowed branching and thus much more complex topologies. 46 2 Ethernet

57 An Introduction to Computer Networks, Release 1.9.18 It was the rise of hubs that enabled in which each host connects directly to the hub rather star topologies than to one long run of coax. This in turn enabled twisted-pair cable: while this supported maximum runs of about 100 meters, versus the 500 meters of thick coax, each run simply had to go from the host to the central hub in the wiring closet. This was much more convenient than having to snake coax all around the building. A hub failure would bring the network down, but hubs proved largely reliable. Bridges – later known as switches – came along a short time later. While repeaters act at the bit layer, a switch reads in and forwards an entire packet as a unit, and the destination address is consulted to deter- mine to where the packet is forwarded. Except for possible collision-related performance issues, hubs and switches are interchangeable. Eventually, most wiring-closet hubs were replaced with switches. Hubs propagate collisions; switches do not. If the signal representing a collision were to arrive at one port of a hub, it would, like any other signal, be retransmitted out all other ports. If a switch were to detect a collision one one port, no other ports would be involved; only packets received successfully are ever retransmitted out other ports. Originally, switches were seen as providing interconnection (“bridging”) between separate physical Ether- nets; a switch for such a purpose needed just two ports. Later, a switched Ethernet was seen as one large “virtual” Ethernet, composed of smaller collision domains. Although the term “switch” is now much more common than “bridge”, the latter is still in use, particularly by the IEEE. For some, a switch is a bridge with more than two ports, though that distinction is relatively meaningless as it has been years since two-port bridges were last manufactured. We return to switching below in 2.4 Ethernet Switches . In the original thick-coax cabling, connections were made via taps , often literally drilled into the coax central conductor. Thin coax allowed the use of T-connectors to attach hosts. Twisted-pair does not allow mid-cable attachment; it is only used for point-to-point links between hosts, switches and hubs. Mid- cable attachment, however, was always simply a way of avoiding the need for active devices like hubs and switches. There is still a role for hubs today when one wants to monitor the Ethernet signal from A to B ( eg for intrusion detection analysis), although some switches now also support a form of monitoring. All three cable formats could interconnect, although only through repeaters and hubs, and all used the same 10 Mbps transmission speed. While twisted-pair cable is still used by 100 Mbps Ethernet, it generally needs to be a higher-performance version known as Category 5, versus the 10 Mbps Category 3. Data in 10 Mbps Ethernets was transmitted using Manchester encoding; see 4.1.3 Manchester . This meant that the electronics had to operate, in effect, at 20 Mbps. Faster Ethernets use different encodings. 2.1.1 Ethernet Packet Format Here is the format of a typical Ethernet packet (DIX specification); it is still used for newer, faster Ethernets: type dest addr src addr data CRC The destination and source addresses are 48-bit quantities; the type is 16 bits, the data length is variable up to a maximum of 1500 bytes, and the final CRC checksum is 32 bits. The checksum is added by the Ethernet hardware, never by the host software. There is also a preamble, not shown: a block of 1 bits followed by a 2.1 10-Mbps Classic Ethernet 47

58 An Introduction to Computer Networks, Release 1.9.18 0, in the front of the packet, for synchronization. The type field identifies the next higher protocol layer; a few common type values are 0x0800 = IP, 0x8137 = IPX, 0x0806 = ARP. The IEEE 802.3 specification replaced the type field by the length field, though this change never caught on. The two formats can be distinguished as long as the type values used are larger than the maximum Ethernet length of 1500 (or 0x05dc); the type values given in the previous paragraph all meet this condition. The Ethernet maximum packet length of 1500 bytes worked well in the past, but can seem inconveniently small at 10 Gbit speeds. But 1500 bytes has become the de facto maximum packet size throughout the 12.5 TCP Offloading ) is Internet, not just on Ethernet LANs; increasing it would be difficult. TCP TSO ( one alternative. Each Ethernet card has a (hopefully unique) physical address in ROM; by default any packet sent to this address will be received by the board and passed up to the host system. Packets addressed to other physical addresses will be seen by the card, but ignored (by default). All Ethernet devices also agree on a broadcast address of all 1’s: a packet sent to the broadcast address will be delivered to all attached hosts. It is sometimes possible to change the physical address of a given card in software. It is almost universally possible to put a given card into promiscuous mode , meaning that all packets on the network, no matter what the destination address, are delivered to the attached host. This mode was originally intended for diagnostic purposes but became best known for the security breach it opens: it was once not unusual to find a host with network board in promiscuous mode and with a process collecting the first 100 bytes (presumably including userid and password) of every telnet connection. 2.1.2 Ethernet Multicast Another category of Ethernet addresses is multicast , used to transmit to a set of stations; streaming video to multiple simultaneous viewers might use Ethernet multicast. The lowest-order bit in the first byte of an address indicates whether the address is physical or multicast. To receive packets addressed to a given multicast address, the host must inform its network interface that it wishes to do so; once this is done, any arriving packets addressed to that multicast address are forwarded to the host. The set of subscribers to a given multicast address may be called a multicast group . While higher-level protocols might prefer that the eg the sender, this is not required, although that might be the subscribing host also notifies some other host, easiest way to learn the multicast address involved. If several hosts subscribe to the same multicast address, then each will receive a copy of each multicast packet transmitted. We are now able to list all cases in which a network interface forwards a received packet up to its attached host: • if the destination address of the received packet maches the physical address of the interface • if the destination address of the received packet is the broadcast address • if the interface is in promiscuous mode • if the destination address of the received packet is a multicast address and the host has told the network interface to accept packets sent to that multicast address If switches (below) are involved, they must normally forward multicast packets on all outbound links, exactly as they do for broadcast packets; switches have no obvious way of telling where multicast subscribers might be. To avoid this, some switches do try to engage in some form of multicast filtering, sometimes by snooping 48 2 Ethernet

59 An Introduction to Computer Networks, Release 1.9.18 on higher-layer multicast protocols. Multicast Ethernet is seldom used by IPv4, but plays a larger role in IPv6 configuration. 2.1.3 Ethernet Address Internal Structure The second-to-lowest-order bit of a physical Ethernet address indicates whether that address is believed to bit. For real Ethernet be globally unique or if it is only locally unique; this is known as the Universal/Local physical addresses, the multicast and universal/local bits of the first byte should both be 0. When (global) Ethernet IDs are assigned to physical Ethernet cards by the manufacturer, the first three bytes serve to indicate the manufacturer. They are allocated by the IEEE, and are officially known as organizationally unique identifiers . These can be looked up at any of several sites on the Internet to identify the manufacturer associated with any given Ethernet address; the official IEEE site is stan- dards.ieee.org/develop/regauth/oui/public.html (OUIs must be entered here without colons). As long as the manufacturer involved is diligent in assigning the second three bytes, every manufacturer- provided Ethernet address be globally unique. Lapses, however, are not unheard of. should Ethernet addresses for machines must be distinct from the Ethernet address of the host system, and virtual eg with so-called “bridged” configurations) as visible on the LAN as that host system’s address. may be ( The first three bytes of virtual Ethernet addresses are often taken from the OUI assigned to the manufacturer whose card is being emulated; the last three bytes are then either set randomly or via configuration. In principle, the universal/local bit should be 1, as the address is only locally unique, but this is often ignored. It is entirely possible for virtual Ethernet addresses to be assigned so as to have some local meaning, though this appears not to be common. 2.1.4 The LAN Layer The LAN layer, at its upper end, supplies to the network layer a mechanism for addressing a packet and sending it from one station to another. At its lower end, it handles interactions with the physical layer. The LAN layer covers packet addressing, delivery and receipt, forwarding, error detection, collision detection and collision-related retransmission attempts. In IEEE protocols, the LAN layer is divided into the , or MAC, sublayer and a media access control higher logical link control , or LLC, sublayer for higher-level flow-control functions that today have moved largely to the transport layer. For example, the HDLC protocol ( ) supports sliding windows 4.1.5.1 HDLC ( 6.2 Sliding Windows ) as an option, as did the early X.25 protocol. ATM, 3.5 Asynchronous Transfer Mode: ATM , also supports some higher-level functions, though not sliding windows. Because the LLC layer is so often insignificant, and because the most well-known LAN-layer functions are in fact part of the MAC sublayer, it is common to identify the LAN layer with its MAC sublayer, especially for IEEE protocols where the MAC layer has official standing. In particular, LAN-layer addresses are perhaps most often called MAC addresses. Generally speaking, much of the operation of the LAN/MAC layer takes place in the network card. Host systems (including drivers) are, for example, generally oblivious to collisions (although they may query the card for collision statistics). In some cases, eg with Wi-Fi rate scaling ( 3.7.2 Dynamic Rate Scaling ), the host-system driver may get involved. 2.1 10-Mbps Classic Ethernet 49

60 An Introduction to Computer Networks, Release 1.9.18 2.1.5 The Slot Time and Collisions of an Ethernet is the maximum distance between any pair of stations. The actual total length The diameter of cable can be much greater than this, if, for example, the topology is a “star” configuration. The maximum allowed diameter, measured in bits, is limited to 232 (a sample “budget” for this is below). This makes jam the round-trip-time 464 bits. As each station involved in a collision discovers it, it transmits a special of up to 48 bits. These 48 jam bits bring the total above to 512 bits, or 64 bytes. The time to send signal these 512 bits is the slot time of an Ethernet; time intervals on Ethernet are often described in bit times but in conventional time units the slot time is 51.2 μsec. The value of the slot time determines several subsequent aspects of Ethernet. If a station has transmitted for one slot time, then no collision can occur (unless there is a hardware error) for the remainder of that packet. This is because one slot time is enough time for any other station to have realized that the first station has started transmitting, so after that time they will wait for the first station to finish. Thus, after one the network. The slot time is also used as the basic interval for slot time a station is said to have acquired retransmission scheduling, below. can Conversely, a collision be received, in principle, at any point up until the end of the slot time. As a result, , equal to the slot time, 64 bytes (or 46 bytes in the data portion). A minimum packet size ie Ethernet has a a collision were to occur, the sender would detect it station transmitting a packet this size is assured that if (and be able to apply the retransmission algorithm, below). Smaller packets might collide and yet the sender not know it, ultimately leading to greatly reduced throughput. If we need to send less than 46 bytes of data (for example, a 40-byte TCP ACK packet), the Ethernet packet must be padded out to the minimum length. As a result, all protocols running on top of Ethernet need to provide some way to specify the actual data length, as it cannot be inferred from the received packet size. As a specific example of a collision occurring as late as possible, consider the diagram below. A and B are 5 units apart, and the bandwidth is 1 byte/unit. A begins sending “helloworld” at T=0; B starts sending just as A’s message arrives, at T=5. B has listened before transmitting, but A’s signal was not yet evident. A doesn’t discover the collision until 10 units have elapsed, which is twice the distance. T=0 A just starting to send A B h T=1 A B e h T=2 A B e l h A T=3 B l l e h T=4 A B l o l e h just before collision, B sees line is idle T=4.99 A B l o e l h B transmits; COLLISION! T=5 A B o w l l collision propagates back to A A T=6 B w o o T=7 A B r o T=8 A B l T=9 A B d A detects the collision T=10 A B Here are typical maximum values for the delay in 10 Mbps Ethernet due to various components. These 50 2 Ethernet

61 An Introduction to Computer Networks, Release 1.9.18 are taken from the Digital-Intel-Xerox (DIX) standard of 1982, except that “point-to-point link cable” is replaced by standard cable. The DIX specification allows 1500m of coax with two repeaters and 1000m of point-to-point cable; the table below shows 2500m of coax and four repeaters, following the later IEEE 802.3 Ethernet specification. Some of the more obscure delays have been eliminated. Entries are one-way delay times, in bits. The maximum path may have four repeaters, and ten transceivers (simple electronic devices between the coax cable and the NI cards), each with its drop cable (two transceivers per repeater, plus one at each endpoint). Ethernet delay budget item explanation (c = speed of light) length delay, in bits 2500 m 110 bits 23 meters/bit (.77c) coax 500 m 25 bits 19.5 meters/bit (.65c) transceiver cables 40 bits, max 10 units 4 bits each transceivers repeaters 25 bits, max 4 units 6+ bits each (DIX 7.6.4.1) 20 bits, max 10 units 2 bits each (for signal generation) encoders The total here is 220 bits; in a full accounting it would be 232. Some of the numbers shown are a little high, but there are also signal rise time delays, sense delays, and timer delays that have been omitted. It works out fairly closely. Implicit in the delay budget table above is the “length” of a bit. The speed of propagation in copper is about 8 ˆ c, where c=3 ˆ 10 0.77 m/sec = 300 m/μsec is the speed of light in vacuum. So, in 0.1 microseconds (the -7 time to send one bit at 10 Mbps), the signal propagates approximately 0.77 ˆ 10 ˆ = 23 meters. c maximum Ethernet packets also have a packet size, of 1500 bytes. This limit is primarily for the sake of fairness, so one station cannot unduly monopolize the cable (and also so stations can reserve buffers guaranteed to hold an entire packet). At one time hardware vendors often marketed their own incompatible “extensions” to Ethernet which enlarged the maximum packet size to as much as 4 kB. There is no technical reason, actually, not to do this, except compatibility. The signal loss in any single segment of cable is limited to 8.5 db, or about 14% of original strength. Repeaters will restore the signal to its original strength. The reason for the per-segment length restriction is that Ethernet collision detection requires a strict limit on how much the remote signal can be allowed to lose strength. It is possible for a station to detect and reliably read very weak remote signals, but not at the same time that it is transmitting locally . This is exactly what must be done, though, for collision detection to work: remote signals must arrive with sufficient strength to be heard even while the receiving station is itself transmitting. The per-segment limit, then, has nothing to do with the overall length limit; the latter is set only to ensure that a sender is guaranteed of detecting a collision, even if it sends the minimum-sized packet. 2.1.6 Exponential Backoff Algorithm Whenever there is a collision the exponential backoff algorithm – operating at the MAC layer – is used to determine when each station will retry its transmission. Backoff here is called exponential because the range from which the backoff value is chosen is doubled after every successive collision involving the same packet. Here is the full Ethernet transmission algorithm, including backoff and retransmissions: 1. Listen before transmitting (“carrier detect”) 2.1 10-Mbps Classic Ethernet 51

62 An Introduction to Computer Networks, Release 1.9.18 2. If line is busy, wait for sender to stop and then wait an additional 9.6 microseconds (96 bits). One consequence of this is that there is always a 96-bit gap between packets, so packets do not run together. 3. Transmit while simultaneously monitoring for collisions as follows: For transmission backoff time 4. If a collision does occur, send the jam signal, and choose a N ď 10 (N=0 represents the original attempt), choose k randomly with 0 ď k < 2 N, 1 . Wait k slot ď N 51.2 μsec). Then check if the line is idle, waiting if necessary for someone else to finish, ˆ times (k 10 N ď and then retry step 3. For 11 ď k < 1024 (= 2 ď ) 15, choose k randomly with 0 5. If we reach N=16 (16 transmission attempts), give up. If an Ethernet sender does not reach step 5, there is a very high probability that the packet was delivered successfully. Exponential backoff means that if two hosts have waited for a third to finish and transmit simultaneously, and collide, then when N=1 they have a 50% chance of recollision; when N=2 there is a 25% chance, etc . When N 10 the maximum wait is 52 milliseconds; without this cutoff the maximum wait at N=15 would ě be 1.5 seconds. As indicated above in the minimum-packet-size discussion, this retransmission strategy assumes that the sender is able to detect the collision while it is still sending, so it knows that the packet must be resent. In the following diagram is an example of several stations attempting to transmit all at once, and using the above transmission/backoff algorithm to sort out who actually gets to acquire the channel. We assume we have five prospective senders A1, A2, A3, A4 and A5, all waiting for a sixth station to finish. We will assume that collision detection always takes one slot time (it will take much less for nodes closer together) and that the slot start-times for each station are synchronized; this allows us to measure time in slots. A solid arrow at the start of a slot means that sender began transmission in that slot; a red X signifies a collision. If a collision occurs, the backoff value k is shown underneath. A dashed line shows the station waiting k slots for its next attempt. T=1 T=2 T=0 T=3 T=4 T=5 Slot 1 Slot 2 Slot 3 Slot 4 Slot 5 Slot 6 A1 k=1 k=2 A2 k=1 k=1 A3 k=0 k=3 A4 k=6 k=0 k=0 A5 k=3 k=1 : Attempt to transmit : collision At T=0 we assume the transmitting station finishes, and all the Ai transmit and collide. At T=1, then, each of the Ai has discovered the collision; each chooses a random k<2. Let us assume that A1 chooses k=1, A2 chooses k=1, A3 chooses k=0, A4 chooses k=0, and A5 chooses k=1. 52 2 Ethernet

63 An Introduction to Computer Networks, Release 1.9.18 Those stations choosing k=0 will retransmit immediately, at T=1. This means A3 and A4 collide again, and at T=2 they now choose random k<4. We will Assume A3 chooses k=3 and A4 chooses k=0; A3 will try again at T=2+3=5 while A4 will try again at T=2, that is, now. At T=2, we now have the original A1, A2, and A5 transmitting for the second time, while A4 trying again for the third time. They collide. Let us suppose A1 chooses k=2, A2 chooses k=1, A5 chooses k=3, and A4 chooses k=6 (A4 is choosing k<8 at random). Their scheduled transmission attempt times are now A1 at T=3+2=5, A2 at T=4, A5 at T=6, and A4 at T=9. At T=3, nobody attempts to transmit. But at T=4, A2 is the only station to transmit, and so successfully seizes the channel. By the time T=5 rolls around, A1 and A3 will check the channel, that is, listen first, and wait for A2 to finish. At T=9, A4 will check the channel again, and also begin waiting for A2 to finish. A maximum of 1024 hosts is allowed on an Ethernet. This number apparently comes from the maximum ď range for the backoff time as 0 k < 1024. If there are 1024 hosts simultaneously trying to send, then, once the backoff range has reached k<1024 (N=10), we have a good chance that one station will succeed in seizing the channel, that is; the minimum value of all the random k’s chosen will be unique. This backoff algorithm is not “fair”, in the sense that the longer a station has been waiting to send, the lower its priority sinks. Newly transmitting stations with N=0 need not delay at all. The Ethernet capture effect, below, illustrates this unfairness. 2.1.7 Capture effect The capture effect is a scenario illustrating the potential lack of fairness in the exponential backoff algorithm. The unswitched Ethernet must be fully busy, in that each of two senders always has a packet ready to transmit. Let A and B be two such busy nodes, simultaneously starting to transmit their first packets. They collide. Suppose A wins, and sends. When A is finished, B tries to transmit again. But A has a second packet, and so A tries too. A chooses a backoff k<2 (that is, between 0 and 1 inclusive), but since B is on its second attempt it must choose k<4. This means A is favored to win. Suppose it does. After that transmission is finished, A and B try yet again: A on its first attempt for its third packet, and B on its third attempt for its first packet. Now A again chooses k<2 but B must choose k<8; this time A is much more likely to win. Each time B fails to win a given backoff, its probability of winning the next one is reduced by about 1/2. It is quite possible, and does occur in practice, for B to lose all the backoffs until it reaches the maximum of N=16 attempts; once it has lost the first three or four this is in fact quite likely. At this point B simply discards the packet and goes on to the next one with N reset to 1 and k chosen from {0,1}. The capture effect can be fixed with appropriate modification of the backoff algorithm; the Binary Logarith- mic Arbitration Method (BLAM) was proposed in [MM94] . The BLAM algorithm was considered for the then-nascent 100 Mbps Fast Ethernet standard. But in the end a hardware strategy won out: Fast Ethernet supports “full-duplex” mode which is collision-free (see 2.2 100 Mbps (Fast) Ethernet , below). While Fast Ethernet continues to support the original “half-duplex” mode, it was assumed that any sites concerned enough about performance to be worried about the capture effect would opt for full-duplex. 2.1 10-Mbps Classic Ethernet 53

64 An Introduction to Computer Networks, Release 1.9.18 2.1.8 Hubs and topology Ethernet hubs (multiport repeaters) change the topology, but not the fundamental constraints. Hubs enabled the model in which each station now had its own link to the wiring closet. Loops are still forbidden. The maximum diameter of an Ethernet consisting of multiple segments joined by hubs is still constrained by the round-trip-time, and the need to detect collisions before the sender has completed sending, as before. However, the network “diameter”, or maximum distance between two hosts, is no longer synonymous with “total length”. Because twisted-pair links are much shorter, about 100 meters, the diameter constraint is often immaterial. 2.1.9 Errors Packets can have bits flipped or garbled by electrical noise on the cable; estimates of the frequency with 4 6 which this occurs range from 1 in 10 . Bit errors are not uniformly likely; when they occur, to 1 in 10 they are likely to occur in bursts. Packets can also be lost in hubs, although this appears less likely. Packets can be lost due to collisions only if the sending host makes 16 unsuccessful transmission attempts and gives 5.4.1 Cyclical Redundancy Check: up. Ethernet packets contain a 32-bit CRC error-detecting code (see CRC ) to detect bit errors. Packets can also be misaddressed by the sending host, or, most likely of all, they can arrive at the receiving host at a point when the receiver has no free buffers and thus be dropped by a higher-layer protocol. 2.1.10 CSMA persistence A carrier-sense/multiple-access transmission strategy is said to be nonpersistent if, when the line is busy, the sender waits a randomly selected time. A strategy is p-persistent if, after waiting for the line to clear, the sender sends with probability p ď 1. Ethernet uses 1-persistence. A consequence of 1-persistence is that, if more than one station is waiting for line to clear, then when the line does clear a collision is certain. However, Ethernet then gracefully handles the resulting collision via the usual exponential backoff. If N stations are waiting to transmit, the time required for one station to win the backoff is linear in N. 3.7 Wi-Fi , we will see that collisions cannot When we consider the Wi-Fi collision-handling mechanisms in be handled quite as cheaply: for one thing, there is no way to detect a collision in progress, so the entire packet-transmission time is wasted. In the Wi-Fi case, p-persistence is used with p<1. An Ethernet broadcast storm was said to occur when there were too many transmission attempts, and most of the available bandwidth was tied up in collisions. A properly functioning classic Ethernet had an effective bandwidth of as much as 50-80% of the nominal 10Mbps capacity, but attempts to transmit more than this typically resulted in successfully transmitting a good deal less. 2.1.11 Analysis of Classic Ethernet How much time does Ethernet “waste” on collisions? A paradoxical attribute of Ethernet is that raising the transmission-attempt rate on a busy segment can reduce the actual throughput. More transmission attempts can lead to longer contention intervals between packets, as senders use the transmission backoff algorithm to attempt to acquire the channel. What effective throughput can be achieved? 54 2 Ethernet

65 An Introduction to Computer Networks, Release 1.9.18 It is convenient to refer to the time between packet transmissions as the contention interval even if there is no actual contention, that is, even if the network is idle; we cannot tell if stations are not transmitting because they have nothing to send, or if they are simply waiting for their backoff timer to expire. Thus, a timeline for Ethernet always consists of alternating packet transmissions and contention intervals: ... contention contention packet contention packet contention packet packet Ethernet packet transmissions alternating with contention intervals As a first look at contention intervals, assume that there are N stations waiting to transmit at the start of the interval. It turns out that, if all follow the exponential backoff algorithm, we can expect O(N) slot times before one station successfully acquires the channel; thus, Ethernets are happiest when N is small and there are only a few stations simultaneously transmitting. However, multiple stations are not necessarily a severe problem. Often the number of slot times needed turns out to be about N/2, and slot times are short. If N=20, then N/2 is 10 slot times, or 640 bytes. However, one packet time might be 1500 bytes. If packet intervals are 1500 bytes and contention intervals are 640 byes, this gives an overall throughput of 1500/(640+1500) = 70% of capacity. In practice, this seems to be a reasonable upper limit for the throughput of classic shared-media Ethernet. 2.1.11.1 The ALOHA models Another approach to analyzing the Ethernet contention interval is by using the ALOHA model that was a precursor to Ethernet. In the ALOHA model, stations transmit packets without listening first for a quiet line or monitoring the transmission for collisions (this models the situation of several ground stations transmitting to a satellite; the ground stations are presumed unable to see one another). Similarly, during the Ethernet contention interval, stations transmit one-slot packets under what are effectively the same conditions (we return to this below). The ALOHA model yields roughly similar throughput values to the O(N) model of the previous section. We make, however, a rather artificial assumption: that there are a very large number of active senders, each transmitting at a very low rate. The model may thus have limited direct applicability to typical Ethernets. To model the success rate of ALOHA, assume all the packets are the same size and let T be the time to send one (fixed-size) packet; T represents the Aloha slot time. We will find the transmission rate that optimizes throughput. The core assumption of this model is that that a large number N of hosts are transmitting, each at a relatively low rate of s packets/slot. Denote by G the average number of transmission attempts per slot; we then have G = Ns. We will derive an expression for S, the average rate of successful transmissions per slot, in terms of G. If two packets overlap during transmissions, both are lost. Thus, a successful transmission requires everyone else quiet for an interval of 2T: if a sender succeeds in the interval from t to t+T, then no other node can have tried to begin transmission in the interval t–T to t+T. The probability of one station transmitting during an interval of time T is G = Ns; the probability of the remaining N–1 stations all quiet for an interval of 2T is 2(N–1) (1–s) . The probability of a successful transmission is thus 2(N–1) S = Ns*(1–s) 2.1 10-Mbps Classic Ethernet 55

66 An Introduction to Computer Networks, Release 1.9.18 2N = G(1–G/N) Math Warning -2G 2N Finding the limit of G(1–G/N) and finding the maximum of Ge realistically requires a little back- ground in calculus. However, these are not central to applying the model. -2G -2G As N gets large, the second line approaches Ge has a maximum at G=1/2, . The function S = G e S=1/2e. The rate G=1/2 means that, on average, a transmission is attempted every other slot; this yields the maximum successful-transmission throughput of 1/2e. In other words, at this maximum attempt rate G=1/2, we expect about 2e–1 slot times worth of contention between successful transmissions. What happens to the remaining G–S unsuccessful attempts is not addressed by this model; presumably some higher-level mechanism ( eg backoff) leads to retransmissions. A given throughput S<1/2e may be achieved at either of two values for G; that is, a given success rate may be due to a comparable attempt rate or else due to a very high attempt rate with a similarly high failure rate. 2.1.11.2 ALOHA and Ethernet The relevance of the Aloha model to Ethernet is that during one Ethernet slot time there is no way to detect collisions (they haven’t reached the sender yet!) and so the Ethernet contention phase resembles ALOHA with an Aloha slot time T of 51.2 microseconds. Once an Ethernet sender succeeds, however, it continues with a full packet transmission, which is presumably many times longer than T. The average length of the contention interval, at the maximum throughput calculated above, is 2e–1 slot times (from ALOHA); recall that our model here supposed many senders sending at very low individual rates. This is the minimum contention interval; with lower loads the contention interval is longer due to greater idle times and with higher loads the contention interval is longer due to more collisions. ie Finally, let P be the time to send an entire packet in units of T; the average packet size in units of T. P is thus the length of the “packet” phase in the diagram above. The contention phase has length 2e–1, so the total time to send one packet (contention+packet time) is 2e–1+P. The useful fraction of this is, of course, P, so the effective maximum throughput is P/(2e–1+P). At 10Mbps, T=51.2 microseconds is 512 bits, or 64 bytes. For P=128 bytes = 2*64, the effective bandwidth becomes 2/(2e-1+2), or 31%. For P=512 bytes=8*64, the effective bandwidth is 8/(2e+7), or 64%. For P=1500 bytes, the model here calculates an effective bandwidth of 80%. These numbers are quite similar to our earlier values based on a small number of stations sending constantly. 2.2 100 Mbps (Fast) Ethernet Classic Ethernet, at 10 Mbps, is quite slow by modern standards, and so by 1995 the IEEE had created standards for Ethernet that operated at 100 Mbps. Ethernet at this speed is commonly known as Fast Ethernet ; this name is used even today as “Fast” Ethernet is being supplanted by Gigabit Ethernet (below). By far the most popular form of 100 Mbps Ethernet is officially known as 100BASE-TX; it operates over twisted-pair cable. 56 2 Ethernet

67 An Introduction to Computer Networks, Release 1.9.18 In the previous analysis of 10 Mbps Ethernet, the bandwidth, minimum packet size and maximum network diameter were all interrelated, in order to ensure that collisions could always be detected by the sender. Increasing the speed means that at least one of the other constraints must be scaled as well. For example, if the network physical diameter were to remain the same when moving to 100 Mbps, then the Fast-Ethernet round-trip time would be the same in microseconds but would be 10-fold larger measured in bits; this might mean a minimum packet size of 640 bytes instead of 64 bytes. (Actually, the minimum packet size might be somewhat smaller, partly because the “jam signal” doesn’t have to become longer, and partly because some of the numbers in the 10 Mbps delay budget above were larger than necessary, but it would still be large enough that a substantial amount of bandwidth would be consumed by padding.) The designers of Fast Ethernet felt that such a large minimum-packet size was impractical. However, Fast Ethernet was developed at a time (~1995) when reliable switches (below) were widely avail- 2 Ethernet from [MB76] had become obsolete. Large “virtual” Ethernet networks able; the quote above at could be formed by connecting small physical Ethernets with switches, effectively eliminating the need to support large-diameter physical Ethernets. So instead of increasing the minimum packet size, the decision was made to ensure collision detectability by reducing the network diameter instead. The network diameter chosen was a little over 400 meters, with reductions to account for the presence of hubs. At 2.3 meters/bit, 400 meters is 174 bits, for a round-trip of 350 bits. The slot time (and minimum packet size) remains 512 bits – now 5.12 μsec – which is safely large enough to ensure collision detection. This 400-meter diameter, however, may be misleading: the specific 100BASE-TX standard, which uses so-called Category 5 twisted-pair cabling (or better), limits the length of any individual cable segment to 100 meters. The maximum 100BASE-TX network diameter – allowing for hubs – is just over 200 meters. The 400-meter distance does apply to optical-fiber-based 100BASE-FX in half-duplex mode, but this is not common. The 100BASE-TX network-diameter limit of 200 meters might seem small; it amounts in many cases to a single hub with multiple 100-meter cable segments radiating from it. In practice, however, such “star” configurations could easily be joined with switches . As we will see below in 2.4 Ethernet Switches , switches partition an Ethernet into separate “collision domains”; the network-diameter rules apply to each domain separately but not to the aggregated whole. In a fully switched (that is, no hubs) 100BASE-TX LAN, each collision domain is simply a single twisted-pair link, subject to the 100-meter maximum length. Fast Ethernet also introduced the concept of full-duplex Ethernet: two twisted pairs could be used, one for each direction. Full-duplex Ethernet is limited to paths not involving hubs, that is, to single station-to- station links, where a station is either a host or a switch. Because such a link has only two potential senders, and each sender has its own transmit line, full-duplex Ethernet is entirely collision-free . Fast Ethernet (at least the 100BASE-TX form) uses 4B/5B encoding, covered in . This means 4.1.4 4B/5B that the electronics have to handle 125 Mbps, versus the 200 Mbps if Manchester encoding were still used. Fast Ethernet 100BASE-TX does not particularly support links between buildings, due to the maximum- cable-length limitation. However, fiber-optic point-to-point links are an effective alternative here, provided full-duplex is used to avoid collisions. We mentioned above that the coax-based 100BASE-FX standard allowed a maximum half-duplex run of 400 meters, but 100BASE-FX is much more likely to use full duplex, where the maximum cable length rises to 2,000 meters. 2.2 100 Mbps (Fast) Ethernet 57

68 An Introduction to Computer Networks, Release 1.9.18 2.3 Gigabit Ethernet The problem of scaling Ethernet to handle collision detection gets harder as the transmission rate increases. If we were continue to maintain the same 51.2 μsec slot time but raise the transmission rate to 1000 Mbps, the maximum network diameter would now be 20-40 meters. Instead of that, Gigabit Ethernet moved to a 4096-bit (512-byte, or 4.096 μsec) slot time, at least for the twisted-pair versions. Short frames need to be padded, but this padding is done by the hardware. Gigabit Ethernet 1000Base-T uses so-called PAM- 5 encoding, below, which supports a special pad pattern (or symbol) that cannot appear in the data. The hardware pads the frame with these special patterns, and the receiver can thus infer the unpadded length as set by the host operating system. Gigabit vs Disks Once a network has reached Gigabit speed, the network is generally as fast as reading from or writing to a disk. Keeping data on another node no longer slows things down. This greatly expands the range of possibilities for constructing things like clustered databases. However, the Gigabit Ethernet slot time is largely irrelevant, as full-duplex (bidirectional) operation is almost always supported. Combined with the restriction that each length of cable is a station-to-station link (that is, hubs are no longer allowed), this means that collisions simply do not occur and the network diameter is no longer a concern. (10 Gigabit Ethernet has officially abandoned any pretense of supporting collisions; must be full-duplex.) everything There are actually multiple Gigabit Ethernet standards (as there are for Fast Ethernet). The different stan- dards apply to different cabling situations. There are full-duplex optical-fiber formulations good for many eg 1000Base-LX10), and even a version with a 25-meter maximum cable length (1000Base-CX), miles ( which would in theory make the original 512-bit slot practical. The most common gigabit Ethernet over copper wire is 1000BASE-T (sometimes incorrectly referred to as 1000BASE-TX. While there exists a TX, it requires Category 6 cable and is thus seldom used; many devices labeled TX are in fact 1000BASE-T). For 1000BASE-T, all four twisted pairs in the cable are used. , thus supporting full-duplex communication. bidirectional Each pair transmits at 250 Mbps, and each pair is Bidirectional communication on a single wire pair takes some careful echo cancellation at each end, using a circuit known as a “hybrid” that in effect allows detection of the incoming signal by filtering out the outbound signal. symbols at a rate On any one cable pair, there are five signaling levels. These are used to transmit two-bit of 125 symbols/μsec, for a data rate of 250 bits/μsec. Two-bit symbols in theory only require four signaling levels; the fifth symbol allows for some redundancy which is used for error detection and correction, for avoiding long runs of identical symbols, and for supporting a special pad symbol, as mentioned above. The encoding is known as 5-level pulse-amplitude modulation, or PAM-5. The target bit error rate (BER) for -10 6 , meaning that the packet error rate is less than 1 in 10 1000BASE-T is 10 . In developing faster Ethernet speeds, economics plays at least as important a role as technology. As new speeds reach the market, the earliest adopters often must take pains to buy cards, switches and cable known to “work together”; this in effect amounts to installing a proprietary LAN. The real benefit of Ethernet, however, is arguably that it is standardized, at least eventually, and thus a site can mix and match its cards and devices. Having a given Ethernet standard support existing cable is even more important economically; 58 2 Ethernet

69 An Introduction to Computer Networks, Release 1.9.18 the costs of replacing inter-office cable often dwarf the costs of the electronics. As Ethernet speeds continue to climb, it has become harder and harder for host systems to keep up. As a result, it is common for quite a bit of higher-layer processing to be offloaded onto the Ethernet hardware, for 12.5 TCP Offloading . example, TCP checksum calculation. See 2.4 Ethernet Switches Switches join separate physical Ethernets (or sometimes Ethernets and other kinds of networks). A switch has two or more Ethernet interfaces; when a packet is received on one interface it is retransmitted on one or not propagated. The term collision more other interfaces. Only valid packets are forwarded; collisions are is sometimes used to describe the region of an Ethernet in between switches; a given collision domain propagates only within its collision domain. Switches have revolutionized Ethernet layout: all the collision-detection rules, including the rules for maxi- mum network diameter, apply only to collision domains, and not to the larger “virtual Ethernets” created by stringing collision domains together with switches. As we shall see below, a switched Ethernet also offers eg hub-based) Ethernet. much more resistance to eavesdropping than a non-switched ( Switch Costs In the 1980’s the author once installed a two-port 10-Mbps Ethernet switch (then called a “bridge”) that cost $3000; cf the [MB76] quote at 2 Ethernet . Today a wide variety of multiport 100-Mbps Ethernet switches are available for around $10, and almost all installed Ethernets are fully switched. Like simpler unswitched Ethernets, the topology for a switched Ethernet is in principle required to be loop- free. In practice, however, most switches support the spanning-tree loop-detection protocol and algorithm, 2.5 , which automatically “prunes” the network topology to Spanning Tree Algorithm and Redundancy make it loop-free while allowing the pruned links to be placed back in service if a primary link fails. While a switch does not propagate collisions, it must maintain a queue for each outbound interface in case it needs to forward a packet at a moment when the interface is busy; on (rare) occasion packets are lost when this queue overflows. 2.4.1 Ethernet Learning Algorithm Traditional Ethernet switches use datagram forwarding as described in 1.4 Datagram Forwarding ; the trick is to build their forwarding tables without any cooperation from ordinary, non-switch hosts. Indeed, to the extent that a switch is to act as a drop-in replacement for a hub, it cannot count on cooperation from other . switches The solution is for the switch to start out with an empty forwarding table, and then incrementally build the table through a learning process. If a switch does not have an entry for a particular destination, it will fall back to flooding : it will forward the packet out every interface other than the one on which the packet arrived. This is sometimes also called “unknown unicast flooding”; it is equivalent to treating the destination as a broadcast address. The availability of fallback-to-flooding for unknown destinations is what makes it 2.4 Ethernet Switches 59

70 An Introduction to Computer Networks, Release 1.9.18 possible for Ethernet switches to learn their forwarding tables without any switch-to-switch or switch-to- host communication or coordination. This learning process is now part of the IEEE 802.1D standard, and is occasionally referred to as transparent bridging. A switch learns address locations as follows: for each interface, the switch maintains a table of physical source (MAC) addresses that have appeared as addresses in packets arriving via that interface. The switch thus knows that to reach these addresses, if one of them later shows up as a destination address, the packet needs to be sent only via that interface. Specifically, when a packet arrives on interface I with source address S,I y into its forwarding table. S and destination unicast address D, the switch enters x To actually deliver the packet, the switch also looks up the destination D in the forwarding table. If there is x D,J an entry with J ‰ I – that is, D is known to be reached via interface J – then the switch forwards the y packet out interface J. If J=I, that is, the packet has arrived on the same interfaces by which the destination is reached, then the packet does not get forwarded at all; it presumably arrived at interface I only because that interface was connected to a shared Ethernet segment that also either contained D or contained another flood the packet out switch that would bring the packet closer to D. If there is no entry for D, the switch must ‰ all interfaces J with J I; this represents the unknown-destination fallback to flooding. After a short while, the fallback-to-flooding alternative is needed less and less often, as switches learn where the active hosts are located. (However, in some switch implementations, forwarding tables also include timestamps, and entries are removed if they have not been used for, say, five minutes.) If the destination address D is the broadcast address, or, for many switches, a multicast address, broadcast (flooding) is required. Some switches try to keep track of multicast groups, so as to forward multicast traffic only out interfaces with known subscribers; see 2.1.2 Ethernet Multicast . A A B A,C B B A B S1 S2 S3 C A A,C C C S4 S5 Five learning bridges after three packet transmissions In the diagram above, each switch’s tables are indicated by listing near each interface the destinations (iden- tified by MAC addresses) known to be reachable by that interface. The entries shown are the result of the following packets: • ; all switches learn where A is A sends to B • B sends to A ; this packet goes directly to A; only S3, S2 and S1 learn where B is • C sends to B ; S4 does not know where B is so this packet goes to S5; S2 does know where B is so the packet does not go to S1. It is worth observing that, at the application layer, hosts do not commonly identify one another by their MAC addresses. In an IPv4-based network, the use of ARP ( 7.9 Address Resolution Protocol: ARP ) to translate from IPv4 to MAC addresses would introduce additional broadcasts, which would cause the above scenario 60 2 Ethernet

71 An Introduction to Computer Networks, Release 1.9.18 to play out differently. See exercise 11.0. not automatically discover directly connected neighbors; S1 does not learn about A until A Switches do transmits a packet. Once all the switches have learned where all (or most of) the hosts are, each packet is forwarded rather than flooded. At this point packets are never sent on links unnecessarily; a packet from A to B only travels those links that lie along the (unique) path from A to B. (Paths must be unique because switched Ethernet networks cannot have loops, at least not active ones. If a loop existed, then a packet sent to an unknown destination would be forwarded around the loop endlessly.) Switches have an additional privacy advantage in that traffic that does not flow where it does not need to flow is much harder to eavesdrop on. On an unswitched Ethernet, one host configured to receive all packets can eavesdrop on all traffic. Early Ethernets were notorious for allowing one unscrupulous station to capture, for instance, all passwords in use on the network. On a fully switched Ethernet, a host physically sees only the traffic actually addressed to it; other traffic remains inaccessible. This switch-based eavesdropping protection is, however, potentially vulnerable to attackers flooding the network with fake source addresses, forcing switches into fallback-to-flooding mode. 4 5 Typical large switches have room for a forwarding table with 10 - 10 entries, though fully switched net- works at the upper end of this size range are not common. The main size limitations specific to switching are the requirement that the topology must be loop-free (thus disallowing duplicate paths which might otherwise provide redundancy), and that all broadcast traffic must always be forwarded everywhere. As a switched Ethernet grows, broadcast traffic comprises a larger and larger percentage of the total traffic, and the or- ganization must at some point move to a routing architecture ( eg as in 7.6 IPv4 Subnets ). A common recommendation is to have no more than 1000 hosts per LAN (or VLAN, 2.6 Virtual LAN (VLAN) ). 2.4.2 Switch Hardware One of the differences between an inexpensive Ethernet switch and a pricier one is the degree of internal parallelism it can support. If three packets arrive simultaneously on ports 1, 2 and 3, and are destined for respective ports 4, 5 and 6, can the switch actually transmit the packets simultaneously? A “yes” answer here is the gold performance standard for an Ethernet switch: to keep up with packets as fast as they arrive. The worst-case load, for a switch with 2N ports, is for packets to arrive continuously on N ports, and depart on a different N ports. This means that, in the time required to transmit one packet, the switch must internally forward N packets in parallel. This is sometimes much faster than necessary. If all the load is departing (or arriving) via just one of the ports – for example, the port connected to the server, or to the Internet – then the above standard is N times faster than necessary; the switch need only handle one packet at a time. Such a switch may be forced to queue outbound packets on that one port, but that does not represent a lack of performance on the part of the switch. Still, greater parallelism is generally viewed as a good thing in switches. The simplest switch architecture – used whenever a switch is built around a “standard” computer – is the shared-memory model. Such a system consists of a single CPU, single memory and peripheral busses, and multiple Ethernet cards. When a packet arrives, the CPU must copy the packet from the arrival interface into RAM, determine the forwarding, and then copy the packet to the output interface. To keep up with one-at-a-time 100 Mbps transmission, the internal transfer rate must therefore be at least 200 Mbps. 2.4 Ethernet Switches 61

72 An Introduction to Computer Networks, Release 1.9.18 The maximum speed of such a device depends largely on the speed of the peripheral-to-RAM bus (the so- called front-side bus). The USB 3.0 bus operates at 5 Gbps. At an Ethernet speed of 100 Mbps, such a bus can theoretically transfer 5 Gbps/200 Mbps = 25 packets in and out in the time it takes one packet to arrive, supporting up to 50 ports total. However, with gigabit Ethernet, only two packets can be handled. For commodity five-port switches, this is enough, and such switches can generally handle this degree of parallelism. Bus speeds go up at least ten-fold, but 10 Gbps and even 40 Gbps Ethernet is now common in datacenters, and 24 ports is a bare minimum. As a result, the shared-memory architecture is generally not regarded as adequate for high-performance switches. When a high degree of parallelism is required, there are various architectures – known as switch fabrics – that can be implemented. crossbar switch fabric, consisting One common solution to this internal-bottleneck problem is a so-called of a grid of N N normally open switch nodes that can be closed under CPU control. Packets travel, via a ˆ connected path through the crossbar, directly from one Ethernet interface to another. The crossbar allows connections between any of N inputs and any of N outputs. parallel 1 2 Inputs 3 4 5 1 2 3 4 5 Outputs 5×5 crossbar with 5 parallel connections 1 1, 2 4 3, 3 5, 4 2, 5      The diagram above illustrates a 5 ˆ 5 crossbar, with 5 inputs and 5 separate outputs. (In a real Ethernet switch, any port can be an input or an output, but this is a relatively inessential difference). There are 5 parallel connections shown, from inputs 1-5 to outputs 1,3,5, 2 and 4 respectively; the large dots represent solid-state switching elements in the closed state. Packets are transmitted serially through each switch path. Crossbars, and variations, are one common approach in the design of high-speed switches that support multiple parallel transfers. The other hardware innovation often used by high-performance switches is Content-Addressable Memory, or CAM; this allows for the search of the forwarding table in a single memory load. In a shared-memory switch, each destination address must be looked up in a hash table or other data structure; including the calculation of the hash value, this process may take as long as several tens of memory loads. On some brands of switches, the forwarding table is often referred to as the CAM table. CAM memory consists of a large number N of memory registers all attached to a common data-input bus; 62 2 Ethernet

73 An Introduction to Computer Networks, Release 1.9.18 for Ethernet switching, the data width of the bus and registers needs to be at least as large as the 48-bit address size. When the input bus is activated, each memory register simultaneously compares the value on the bus with its own data value; if there is a match, the register triggers its output line. A binary-encoder circuit then converts the number k

74 An Introduction to Computer Networks, Release 1.9.18 in graph theory as a . Once the spanning tree is built, links that are not part of the tree are spanning tree disabled, even if they would represent the most efficient path between two nodes. If a link that is part of the spanning tree fails, partitioning the network, a new tree is constructed, and some formerly disabled links may now return to service. One might ask, if switches can work together to negotiate a a spanning tree, whether they can also work together to negotiate loop-free forwarding tables for the original non-tree topology, thus keeping all links active. The difficulty here is not the switches’ ability to coordinate, but the underlying Ethernet broadcast feature. As long as the topology has loops and broadcast is enabled, broadcast packets might circulate forever. And disabling broadcast is not a straightforward option; switches rely on the broadcast-based 2.4.1 Ethernet Learning Algorithm to deliver to unknown destinations. fallback-to-flooding strategy of 2.8 Software-Defined Networking However, we will return to this point in . See also exercise 10.0. The presence of hubs and other unswitched Ethernet slightly complicates the switch-connections segments graph. In the absence of these, the graph’s nodes and edges are simply the hosts (including switches) and links of the Ethernet itself. If unswitched multi-host Ethernet segments are present, then each of these becomes a single node in the graph, with a graph edge to each switch to which it directly connects. (Any Ethernet switches not participating in the spanning-tree algorithm would be treated as hubs.) Every switch has an ID, eg its smallest Ethernet address, and every edge that attaches to a switch does so via a particular, numbered interface. The goal is to disable redundant (cyclical) paths while retaining the ability to deliver to any segment. The algorithm is due to Radia Perlman, [RP85] . The switches first elect a root node, eg the one with the smallest ID. Then, if a given segment connects to two switches that both connect to the root node, the switch with the shorter path to the root is used, if possible; in the event of ties, the switch with the smaller ID is used. The simplest measure of path cost is the number of hops, though current implementations generally use a cost factor inversely proportional to the bandwidth (so larger bandwidth has lower cost). Some switches permit other configuration here. The process is dynamic, so if an outage occurs then the spanning tree is recomputed. If the outage should partition the network into two pieces, both pieces will build spanning trees. bridge protocol data units , or BPDUs (or All switches send out regular messages on all interfaces called “Hello” messages). These are sent to the Ethernet multicast address 01:80:c2:00:00:00, from the Ethernet physical address of the interface. (Note that Ethernet switches do not otherwise need a unique physical address for each interface.) The BPDUs contain • The switch ID • the ID of the node the switch believes is the root • the path cost ( eg number of hops) to that root These messages are recognized by switches and are not forwarded naively. Switches process each message, looking for • a switch with a lower ID than any the receiving switch has seen before (thus becoming the new root) • a shorter path to the existing root • an equal-length path to the existing root, but via a neighbor switch with a lower ID (the tie-breaker rule). If there are two ports that connect to that switch, the port number is used as an additional tie-breaker. 64 2 Ethernet

75 An Introduction to Computer Networks, Release 1.9.18 In a heterogeneous Ethernet we would also introduce a preference for paths, but we will assume here faster that all links have the same bandwidth. When a switch sees a new root candidate, it sends BPDUs on all interfaces, indicating the distance. The switch includes the interface leading towards the root. Once this process has stabilized, each switch knows • its own path to the root • which of its ports any further-out switches will be using to reach the root • for each port, its directly connected neighboring switches en abled by Now the switch can “prune” some (or all!) of its interfaces. It disables all interfaces that are not the following rules: 1. It enables the port via which it reaches the root 2. It enables any of its ports that further-out switches use to reach the root 3. If a remaining port connects to a segment to which other “segment-neighbor” switches connect as well, the port is enabled if the switch has the minimum cost to the root among those segment-neighbors, or, if a tie, the smallest ID among those neighbors, or, if two ports are tied, the port with the smaller ID. 4. If a port has no directly connected switch-neighbors, it presumably connects to a host or segment, and the port is enabled. Rules 1 and 2 construct the spanning tree; if S3 reaches the root via S2, then Rule 1 makes sure S3’s port towards S2 is open, and Rule 2 makes sure S2’s corresponding port towards S3 is open. Rule 3 ensures that each network segment that connects to multiple switches gets a unique path to the root: if S2 and S3 are segment-neighbors each connected to segment N, then S2 enables its port to N and S3 does not (because 2<3). The primary concern here is to create a path for any host nodes on segment N; S2 and S3 will create their own paths via Rules 1 and 2. Rule 4 ensures that any “stub” segments retain connectivity; these would include all hosts directly connected to switch ports. 2.5.1 Example 1: Switches Only We can simplify the situation somewhat if we assume that the network is : each switch port fully switched connects to another switch or to a (single-interface) host; that is, no repeater hubs (or coax segments!) are in use. In this case we can dispense with Rule 3 entirely. Any switch ports directly connected to a host can be identified because they are “silent”; the switch never receives any BPDU messages on these interfaces because hosts do not send these. All these host port ends up enabled via Rule 4. Here is our sample network, where the switch numbers ( 5 for S5) represent their eg IDs; no hosts are shown and interface numbers are omitted. S1 S2 S3 S4 S5 S6 2.5 Spanning Tree Algorithm and Redundancy 65

76 An Introduction to Computer Networks, Release 1.9.18 S1 has the lowest ID, and so becomes the root. S2 and S4 are directly connected, so they will enable the interfaces by which they reach S1 (Rule 1) while S1 will enable its interfaces by which S2 and S4 reach it (Rule 2). S3 has a unique lowest-cost route to S1, and so again by Rule 1 it will enable its interface to S2, while by Rule 2 S2 will enable its interface to S3. S5 has two choices; it hears of equal-cost paths to the root from both S2 and S4. It picks the lower-numbered neighbor S2; the interface to S4 will never be enabled. Similarly, S4 will never enable its interface to S5. Similarly, S6 has two choices; it selects S3. After these links are enabled (strictly speaking it is interfaces that are enabled, not links, but in all cases here either both interfaces of a link will be enabled or neither), the network in effect becomes: S1 S2 S3 S4 S5 S6 2.5.2 Example 2: Switches and Segments As an example involving switches that may join via unswitched Ethernet segments, consider the following network; S1, S2 and S3, for example, are all segment-neighbors via their common segment B. As before, the switch numbers represent their IDs. The letters in the clouds represent network segments; these clouds may include multiple hosts. Note that switches have no way to detect these hosts; only (as above) other switches. 2 1 2 1 K S7 S6 H G 3 3 S2 1 2 1 S3 2 B A E 2 5 1 3 1 1 4 D S1 S4 C S5 2 3 2 F J Eventually, all switches discover S1 is the root (because 1 is the smallest of {1,2,3,4,5,6}). S2, S3 and S4 are one (unique) hop away; S5, S6 and S7 are two hops away. 66 2 Ethernet

77 An Introduction to Computer Networks, Release 1.9.18 Algorhyme I think that I shall never see a graph more lovely than a tree. A tree whose crucial property is loop-free connectivity. A tree that must be sure to span so packet can reach every LAN. First, the root must be selected. By ID, it is elected. Least-cost paths from root are traced. In the tree, these paths are placed. A mesh is made by folks like me, then bridges find a spanning tree. Radia Perlman For the switches one hop from the root, Rule 1 enables S2’s port 1, S3’s port 1, and S4’s port 1. Rule 2 enables the corresponding ports on S1: ports 1, 5 and 4 respectively. Without the spanning-tree algorithm S2 could reach S1 via port 2 as well as port 1, but port 1 has a smaller number. S5 has two equal-cost paths to the root: S5 ÝÑ S4 ÝÑ S1 and S5 ÝÑ S3 ÝÑ S1. S3 is the switch with the lower ID; its port 2 is enabled and S5 port 2 is enabled. S6 and S7 reach the root through S2 and S3 respectively; we enable S6 port 1, S2 port 3, S7 port 2 and S3 port 3. The ports still disabled at this point are S1 ports 2 and 3, S2 port 2, S4 ports 2 and 3, S5 port 1, S6 port 2 and S7 port 1. Now we get to Rule 3, dealing with how segments (and thus their hosts) connect to the root. Applying Rule 3, • We do not enable S2 port 2, because the network (B) has a direct connection to the root, S1 • We do enable S4 port 3, because S4 and S5 connect that way and S4 is closer to the root. This enables connectivity of network D. We do not enable S5 port 1. • S6 and S7 are tied for the path-length to the root. But S6 has smaller ID, so it enables port 2. S7’s port 1 is not enabled. Finally, Rule 4 enables S4 port 2, and thus connectivity for host J. It also enables S1 port 2; network F has two connections to S1 and port 2 is the lower-numbered connection. All this port-enabling is done using only the data collected during the root-discovery phase; there is no additional negotiation. The BPDU exchanges continue, however, so as to detect any changes in the topology. If a link is disabled, it is not used even in cases where it would be more efficient to use it. That is, traffic 2.5 Spanning Tree Algorithm and Redundancy 67

78 An Introduction to Computer Networks, Release 1.9.18 from F to B is sent via B1, D, and B5; it never goes through B7. IP routing, on the other hand, uses the “shortest path”. To put it another way, all spanning-tree Ethernet traffic goes through the root node, or along a path to or from the root node. The traditional (IEEE 802.1D) spanning-tree protocol is relatively slow; the need to go through the tree- building phase means that after switches are first turned on no normal traffic can be forwarded for ~30 seconds. Faster, revised protocols have been proposed to reduce this problem. Another issue with the spanning-tree algorithm is that a rogue switch can announce an ID of 0 (or some similar artificially small value), thus likely becoming the new root; this leaves that switch well-positioned to eavesdrop on a considerable fraction of the traffic. One of the goals of the Cisco “Root Guard” feature is to prevent this. Another goal of this and related features is to put the spanning-tree topology under some degree of administrative control. One likely wants the root switch, for example, to be geographically at least somewhat centered, and for the high-speed backbone links to be preferred to slow links. 2.6 Virtual LAN (VLAN) What do you do when you have different people in different places who are “logically” tied together? For example, for a while the Loyola University CS department was split, due to construction, between two buildings. One approach is to continue to keep LANs local, and use IP routing between different subnets. However, it is often convenient (printers are one reason) to configure workgroups onto a single “virtual” LAN, or VLAN . A VLAN looks like a single LAN, usually a single Ethernet LAN, in that all VLAN members will see broadcast packets sent by other members and the VLAN will ultimately be considered to be a single IP subnet ( 7.6 IPv4 Subnets ). Different VLANs are ultimately connected together, but likely only by passing through a single, central IP router. Broadcast traffic on one VLAN will generally propagate to any other not VLAN; this isolation of broadcast traffic is another important justification for VLAN use. VLANs can be visualized and designed by using the concept of coloring. We logically assign all nodes on the same VLAN the same color, and switches forward packets accordingly. That is, if S1 connects to red machines R1 and R2 and blue machines B1 and B2, and R1 sends a broadcast packet, then it goes to R2 but not to B1 or B2. Switches must, of course, be told the color of each of their ports. R1 R3 S1 S2 S3 B1 B3 B2 R2 S4 Router R One network of switches S1-S4 divided into two VLANs, red and blue 68 2 Ethernet

79 An Introduction to Computer Networks, Release 1.9.18 In the diagram above, S1 and S3 each have both red and blue ports. The switch network S1-S4 will deliver traffic only when the source and destination ports are the same color. Red packets can be forwarded to the blue VLAN only by passing through the router R, entering R’s red port and leaving its blue port. R may apply firewall rules to restrict red–blue traffic. When the source and destination ports are on the same switch, nothing needs to be added to the packet; the switch can keep track of the color of each of its ports. However, switch-to-switch traffic must be additionally tagged to indicate the source. Consider, for example, switch S1 above sending packets to S3 which has nodes R3 (red) and B3 (blue). Traffic between S1 and S3 must be tagged with the color, so that S3 will know to what ports it may be delivered. The IEEE 802.1Q protocol is typically used for this packet-tagging; a 32-bit “color” tag is inserted into the Ethernet header after the source address and before the type field. The first 16 bits of this field is 0x8100, which becomes the new Ethernet type field and which identifies the frame as tagged. A separate 802.3 amendment allows Ethernet packets to be slightly larger, to accommodate the tags. Double-tagging is possible; this would allow an ISP to have one level of tagging and its customers to have another level. Finally, most commercial-grade switches do provide some way of selectively allowing traffic between dif- ferent VLANs; with such switches, for example, rules could be created to allow R1 to connect to B3 without the use of the router R. One difficulty with this approach is that there is often little standardization among switch manufacturers. This makes it difficult to create, for example, authorization applications that al- low opening inter-VLAN connections on the fly. Another issue is that some switches allow inter-VLAN rules based only on MAC addresses, and not, for example, on TCP port numbers. The OpenFlow protocol ( 2.8.1 OpenFlow Switches ) has the potential to create the necessary standardization here. Even without OpenFlow, however, some specialty access-and-authentication systems have been developed that do enable host access by dynamic creation of the appropriate switch rules. 2.7 TRILL and SPB As Ethernets get larger, the spanning-tree algorithm becomes more and more a problem, primarily because useful links are disabled and redundancy is lost. In a high-performance network, such as within a datacenter, disabled links are a wasted resource. A secondary issue is that, in the event of link failure, the spanning-tree approach can take many seconds to create a new tree and restore connectivity. To address these problems, there are now protocols which allow Ethernet to have active loops in the topology, making first-class use of links. The idea is to generate forwarding tables within the Ethernet switches – or all at least within some of them – that route every packet along the shortest path – or at least an approximation to the shortest path – based on all available links. This has long been a staple in the IP world ( 9 Routing- Update Algorithms ), but is definitely a break with tradition at the LAN layer. There are two competing protocols here: TRILL (TRansparent Interconnection of Lots of Links) and SPB [RP04] and RFC 6325 and companions, while SPB is (Shortest-Path Bridging). TRILL is documented in standardized by IEEE 802.1aq. We will focus here on TRILL. Both TRILL and SPB envision that, initially, only a few switches will be smart enough to do shortest-path routing, just as, once upon a time, only a few switches implemented the spanning-tree algorithm. But, with time, it is likely that eventually most if not all Ethernet switches will be shortest-path aware. In high- performance datacenters it is particularly likely that forwarding will be based on TRILL or SPB. 2.7 TRILL and SPB 69

80 An Introduction to Computer Networks, Release 1.9.18 In TRILL, the Ethernet switches that are TRILL-aware are known as Router-Bridges, or RBridges (the terms Legacy Ethernets RSwitches and TRILL Switches might also be appropriate). In between the RBridges are and RFC 6325 , though this term is misleading); Legacy Ethernets consist of (called “links” in [RP04] maximal subnetworks of Ethernet hosts and non-TRILL-aware switches. The intent is for the RBridges to all switches partition the entire Ethernet into relatively small Legacy Ethernets. In the ultimate case where are RBridges, the Legacy Ethernets are simply individual hosts. In the diagram below, four RBridges isolate Legacy Ethernets 1, 2, 3 and 4, though Legacy Ethernet 5 represents a degree of partitioning inefficiency. RB1 RB4 LE1 LE4 LE5 RB3 LE3 RB2 LE2 Each Legacy Ethernet elects a single connected RBridge to represent it. There is a unique choice for LE1 through LE4 above, but LE5 must make a decision. This elected RBridge is known as the Designated RBridge , or DRB. Each Legacy Ethernet then builds its own spanning tree, perhaps (though not necessarily) rooted at its Designated RBridge. Traffic from a Legacy Ethernet to the outside will generally be forwarded through its Designated RBridge; connections to other RBridges will not be used. The idea is for packets from one Legacy Ethernet to another to be delivered first to the source node’s DRB, and then to the destination node’s DRB via true shortest-path forwarding between the RBridges, and from there to the destination node. Of course, in the ultimate case where every switch is an RBridge, traffic will take the shortest path from start to finish. The one exception to this rule about forwarding through the Designated RBridge is that the DRB can dele- gate this forwarding task to other RBridges for different VLANs within the Legacy Ethernet. If this is done, each VLAN will always use the same RBridge for all its outside traffic. The second part of the process is for the RBridges each to figure out the overall topology; that is, each builds a complete map of all the RBridges and their interconnections. This is done using a link-state routing-update protocol , described in 9.5 Link-State Routing-Update Algorithm . Of the two primary link-state protocols, IS-IS and OSPF, TRILL has selected the former, as it is more easily adapted to a setting in which, as here, nodes do not necessarily have IP addresses. The RBridges each send out appropriate “link-state packets”, using multicast and using per-RBridge databases to ensure that these packets are not re-forwarded endlessly. These link-state packets can be compared to spanning-tree Hello messages. As is fundamental to link-state forwarding, once each RBridge has a complete map of all the RBridges, each RBridge can calculate an optimal route to any other RBridge. As Designated RBridges see packets from their Legacy Ethernets, they learn the MAC addresses of the active hosts within, via the usual Ethernet learning protocol. They then share these addresses with other RBridges, using the IS-IS link-state protocol, so other RBridges eventually learn how to reach most if not all Ethernet addresses present in the overall network. Delivery still must make use of fallback-to-flooding, however, to deliver to previously unknown destinations. To this end, the RBridges negotiate among themselves a spanning tree covering all the RBridges. Any packet 70 2 Ethernet

81 An Introduction to Computer Networks, Release 1.9.18 with unknown destination is flooded along this spanning tree, and then, as the packet reaches a Designated RBridge for a Legacy Ethernet, is flooded along the spanning tree of that Ethernet. This process is also used for delivery of broadcast and multicast packets. As RBridges talk to one another, they negotiate compact two-byte addresses – known as “nicknames” – for one another, versus the standard Ethernet six-byte addresses. This saves space in the RBridge-to-RBridge communications. As packets travel between RBridges, a special TRILL header is added. This header includes a hopcount field, otherwise not present in Ethernet, which means any packets caught in transient routing loops will eventually be discarded. IS-IS may occasionally generate such routing loops, though they are rare. The TRILL header also includes the nicknames of the source and destination RBridges. This means that actual packet forwarding between RBridges does not involve the MAC address of the destination host; that is used only after the packet has reached the Designated RBridge for the destination Legacy Ethernet, at which point the TRILL header is removed. If a link between two RBridges fails, then the link’s endpoints send out IS-IS update messages to notify all the other RBridges of the failure. The other RBridges can then recalculate their forwarding tables so as not to use the broken link. Recovery time is typically under 0.1 seconds, a roughly hundredfold improvement over spanning-tree recovery times. TRILL supports the use of multiple equal-cost paths to improve throughput between two RBridges; cf 9.7 ECMP . In a high-performance datacenter, this feature is very important. Like TRILL, SPB uses IS-IS between the SPB-aware bridges to find shortest paths, and encapsulates packets with a special header as they travel between RBridges. SPB does not include a hopcount in the encapsulation header; instead, it more carefully controls forwarding. SPB also uses the original destination MAC address for inter-RBridge forwarding. 2.8 Software-Defined Networking While TRILL and SPB offer one way to handle to the scaling problems of spanning trees, Software-Defined Networking, or SDN , offers another, much more general, approach. The core idea of SDN is to place the forwarding mechanism of each participating switch under the aegis of a , a user-programmable controller device that is capable of giving each switch instructions on how to forward packets. Like TRILL and SPB, this approach also allows forwarding and redundant links to coexist. The controller can be a single node on the network, or can be a distributed set of nodes. The controller manages the forwarding tables of each of the switches. To handle legitimate broadcast traffic, the controller can, at startup, probe the switches to determine their layout, and, from this, construct a suitable spanning tree. The switches can then be instructed to flood broadcast traffic only along the links of this spanning tree. Links that are not part of the spanning tree can still be used for forwarding to known destinations, however, unlike conventional switches using the spanning tree algorithm. Typically, if a switch sees a packet addressed to an unknown destination, it reports it to the controller, which then must figure out what to do next. One option is to have traffic to unknown destinations flooded along the same spanning tree used for broadcast traffic. This allows fallback-to-flooding to coexist safely with the full use of loop topologies. 2.8 Software-Defined Networking 71

82 An Introduction to Computer Networks, Release 1.9.18 Switches are often configured to report new addresses to the controller, so that the controller can tell source all the other switches the best route to that new source. SDN controllers can be configured as simple firewalls, disallowing forwarding between selected pairs of nodes for security reasons. For example, if a datacenter has customers A and B, each with multiple nodes, then it is possible to configure the network so that no node belonging to customer A can send packets to a node belonging to customer B. See also the following section. At many sites, the SDN implementation is based on standardized modules. However, controller software can also be developed locally, allowing very precise control of network functionality. This control, rather than the ability to combine loop topologies with Ethernet, is arguably SDN’s most important feature. See . [FRZ13] 2.8.1 OpenFlow Switches At the heart of SDN is the ability of controllers to tell switches how to forward packets. We next look at OpenFlow switches; OpenFlow is a specific SDN standard created the packet-forwarding architecture for [MABPPRST08] by the Open Networking Foundation. See and the OpenFlow switch specification (2015 version). OpenFlow forwarding is built around one or more . The primary components of a flow-table flow tables match fields entry are a set of actions , if the match succeeds. and a set of packet-response instructions, or Some common actions include • dropping the packet • forwarding the packet out a specified single interface • flooding the packet out a set of interfaces • forwarding the packet to the controller • modifying some field of the packet • processing the packet at another (higher-numbered) flow table can , of course, be a single entry for the destination Ethernet address. But it can also include The match fields any other packet bit-field, and can include the ingress interface number. For example, the forwarding can be done entirely (or partially) on IP addresses rather than Ethernet addresses, thus allowing the OpenFlow switch to act as a so-called Layer 3 switch ( 7.6.3 Subnets versus Switching ), that is, resembling an IP router. Matching can be by the destination IP address and the destination TCP port, allowing separate forwarding for different TCP-based applications. In 9.6 Routing on Other Attributes we define policy-based routing ; arbitrary such routing decisions can be implemented using OpenFlow switches. In SDN settings the policy- based-routing abilities are sometimes used to segregate real-time traffic and large-volume “elephant” flows. In the l2_pairs.py example of the following section, matching is done on both Ethernet source and destination addresses. Flow tables bear a rough similarity to forwarding tables, with the match fields corresponding to destinations and the actions corresponding to the next_hop. In simple cases, the match field contains a single destination address and the action is to forward out the corresponding switch port. Normally, OpenFlow switches handle broadcast packets by flooding them; that is, by forwarding them out all interfaces other than the arrival interface. It is possible, however, to set the NO_FLOOD attribute on 72 2 Ethernet

83 An Introduction to Computer Networks, Release 1.9.18 specific interfaces, which means that packets designated for flooding (broadcast or otherwise) will not be sent out on those interfaces. This is typically how spanning trees for broadcast traffic are implemented (see 18.9.6 l2_multi.py for a Mininet example). An interface marked NO_FLOOD, however, may still be used for unicast traffic. Generally, broadcast flooding does not require a flow-table entry. priority value. In the event that a packet matches two or more flow-table Match fields are also assigned a entries, the entry with the highest priority wins. The entry is the entry with no match fields table-miss (thereby matching every packet) and with priority 0. Often the table-miss entry’s action is to forward the packet to the controller, although a packet that matches no entry is simply dropped. Flow-table instructions can also involve modifying (“mangling”) packets. One Ethernet-layer application 2.6 Virtual LAN (VLAN) might be VLAN coloring ( ); at the IPv4 layer, this could be used to decrement the TTL and update the checksum ( ). 7.1 The IPv4 Header In addition to match fields and instructions, flow tables also include counters, flags, and a last_used time. The latter allows flows to be removed if no matching packets have been seen for a while. The counters allow the OpenFlow switch to implement Quality-of-Service constraints – bandwidth limiting – on the traffic. eg 2.8.2 Learning Switches in OpenFlow Suppose we want to implement a standard Ethernet learning switch ( 2.4.1 Ethernet Learning Algorithm ). The obvious approach is to use flows matching only on the destination address. But we encounter a problem because, by default, packets are reported to the controller only when there is no flow-entry match. Suppose switch S sees a packet from host B to host A and reports it to the controller, which installs a flow entry in S matching destination B (much as a real learning switch would do). If a packet now arrives at S from a third host C to B, it would simply be forwarded, as it would match the B flow entry, and therefore would not be reported to the controller. This means the controller would never learn about address C, and would never install a flow entry for C. x destaddr,srcaddr y One straightforward alternative approach that avoids this problem is to match on Ethernet . If a packet from A to B arrives at switch S and does not match any existing flow entry at S, it is pairs reported to the controller, which now learns that A is reached via the port by which the packet arrived at S. port 1 port 2 A S B In the network above, suppose A sends a packet to B (or broadcasts a packet meant for B), and the flow table of S is empty. S will report the packet to the controller (not shown in the diagram), which will send it back to S to be flooded. However, the controller will also record that A can be reached from S via port 1. Next, suppose B responds. When this packet from B arrives at S, there are still no flow-table entries, and so S again reports the packet to the controller. But this time the controller knows, because it learned from the first packet, that S can reach A via port 1. The controller also now knows, from the just-arrived packet, that B can be reached via port 2. Knowing both of these forwarding rules, the controller now installs two flow-table entries in S: dst=B,src=A: forward out port 2 dst=A,src=B: forward out port 1 2.8 Software-Defined Networking 73

84 An Introduction to Computer Networks, Release 1.9.18 If a packet from a third host C now arrives at S, addressed to B, it will not be forwarded, even though its destination address matches the first rule above, as its source address does not match A. It will instead be sent to the controller (and ultimately be flooded). When B responds to C, the controller will install rules for dst=C,src=B and dst=B,src=C. If the packet from C were not reported to the controller – perhaps because S had a flow rule for dst=B only – then the controller would never learn about C, and would never be in a position to install a flow rule for reaching C. The pairs approach to OpenFlow learning is pretty much optimal, if a single flow-entry table is available. The problem with this approach is that it does not scale well; with 10,000 addresses on the network, we will need 100,000,000 flowtable-entry pairs to describe all the possible forwarding. This is prohibitive. l2_pairs.py , using the We examine a real implementation (in Python) of the pairs approach in 18.9.2 ). Mininet network emulator and the Pox controller ( 18 Mininet A more compact approach is to use multiple flow tables : one for matching the destination, and one for matching the source. In this version, the controller never has to remember partial forwarding information, as the controller in the version above had to do after receiving the first packet from A. When a packet arrives, it is matched against the first table, and any actions specified by the match are carried out. One of the actions may be a request to repeat the match against the second table, which may lead to a second set of actions. Ñ B, B Ñ A example above, letting T We repeat the A denote the first table and T denote the second. 1 0 Initially, before any packets are seen, the controller installs the following low-priority match rules in S: T : match nothing: flood, send to T 0 1 : match nothing: send to controller T 1 These are in effect default rules: because there are no packet fields to match, they match all packets. The low priority ensures that better-matching rules are always used when available. When the packet from A to B arrives, the T rule above means the packet is flooded to B, while the T rule 0 1 means the packet is sent to the controller. The controller then installs the following rules in S: T : match dst=A: forward via port 1, send to T 1 0 : match src=A: do nothing T 1 Now B sends its reply to A. The first rule above matches, so the packet is forwarded by S to A, and is match. The only match is to the . The T rule immediately above, however, does resubmitted to T not 1 1 original default rule, and the packet is sent to the controller. The controller then installs another two rules in S: T : match dst=B: forward via port 2, send to T 0 1 T : match src=B: do nothing 1 rules ensure proper forwarding, while the T At this point, as A and B continue to communicate, the T 1 0 rules ensure that no more packets from this flow are sent to the controller. Note that the controller always installs the same address in the T table and the T table, so the list of 0 1 addresses present in these two tables will always be identical. The T table always matches destinations, 0 though, while the T table matches source addresses. 1 The Mininet/Pox version of this appears in 18.9.3 l2_nx.py . Another application for multiple flow tables involves switches that make quality-of-service prioritization decisions. A packet’s destination would be found using the first flow table, while its priority would be found 74 2 Ethernet

85 An Introduction to Computer Networks, Release 1.9.18 by matching to the second table. The packet would then be forwarded out the port determined by the first table, using the priority determined by the second table. Like building a learning switch, this can be done with a single table by listing all combinations of destaddr,priority y , but sometimes that’s too many entries. x We mentioned above that SDN controllers can be used as firewalls. At the Ethernet-address level this is tedious to configure, but by taking advantage of OpenFlow’s understanding of IP addresses, it is straight- forward, for example, to block traffic between different IP subnets, much like a router might do. OpenFlow except also allows blocking all such traffic that between specific pairs of hosts using specific protocols. For example, we might want customer A’s web servers to be able to communicate with A’s database servers using the standard TCP port, while still blocking all other web-to-database traffic. 2.8.3 Other OpenFlow examples After emulating a learning switch, perhaps the next most straightforward OpenFlow application, concep- tually, is the support of Ethernet topologies that contain loops. This can be done quite generically; the controller does not need any special awareness of the network topology. On startup, switches are instructed by the controller to report their neighboring switches. With this informa- tion the controller is then able to form a complete map of the switch topology. (One way to implement this is for the controller to order each switch to send a special marked packet out each of its ports, and then for the receiving switches to report these packets back to the controller.) Once the controller knows the switch topology, it can calculate a spanning tree, and then instruct each switch that flooded packets should be sent out only via ports that correspond to links on the spanning tree. Once the location of a destination host has been learned by the controller (that is, the controller learns which switch the host is directly connected to), the controller calculates the shortest (or lowest-cost, if the application supports differential link costs) path from each switch to that host. The controller then instructs each switch how to forward to that host. Forwarding will likely use links that are not part of the spanning tree, unlike traditional Ethernet switches. We outline an implementation of this strategy in 18.9.6 l2_multi.py . 2.8.3.1 Interconnection Fabric The previous Ethernet-loop example is quite general; it works for any switch topology. Many other Open- Flow applications require that the controller contains some prior knowledge of the switch topology. As an example of this, we present what we will refer to as an interconnection fabric . This is the S1-S5 network illustrated below, in which every upper (S1-S2) switch connects directly to every lower (S3-S5) switch. The bottom row in the diagram represents server racks, as interconnection fabrics are very common in datacen- ters. (For a real-world datacenter example, see here, although real-world interconnection fabrics are often joined using routing rather than switching.) The red and blue numbers identify the switch ports. 2.8 Software-Defined Networking 75

86 An Introduction to Computer Networks, Release 1.9.18 0 0 S1 S2 1 2 3 2 3 1 0 1 1 1 0 0 S5 S4 S3 2 2 2 3 3 3 4 4 4 The first two rows here contain many loops, eg S1–S3–S2–S4–S1 (omitting the S3-S5 row, and having S1 and S2 connect directly to the server racks, does not eliminate loops). In the previous example we described how we could handle loops in a switched network by computing a spanning tree and then allowing packet flooding only along this spanning tree. This is certainly possible here, but if we allow the spanning-tree algorithm to prune the loops, we will lose most of the parallelism between the S1-S2 and S3-S5 layers; see exercise 8.5. This generic spanning-tree approach is not what we want. If we use IP routing at S1 through S5, as in 9 Routing-Update Algorithms , we then need the three clusters of server racks below S3, S4 and S5 to be on three separate IP subnets ( 7.6 IPv4 Subnets ). While this is always technically possible, it can be awkward, if the separate subnets function for most other purposes as a single unit. single One OpenFlow approach is to assume that the three clusters of server racks below S3-S4-S5 form a from the subnet is always forwarded IP subnet. We can then configure S1-S5 with OpenFlow so that traffic to the subnet is always forwarded downwards. upwards while traffic But an even simpler solution – one not requiring any knowledge of the server subnet – is to use OpenFlow to configure the switches S1-S5 so that unknown-destination traffic entering on a red (upper) port is flooded out only on the blue (lower) ports, and vice-versa. This eliminates loops by ensuring that all traffic goes through the interconnection fabric either upwards-only or downwards-only. After the destination server below S3-S5 has replied, of course, S1 or S2 will learn to which of S3-S5 it should forward future packets to that server. This example works the way it does because the topology has a particular property: once we eliminate paths that both enter and leave S1 or S2 via blue nodes, or that enter and leave S3, S4 and S5 via red nodes, there is a unique path between any input port (red upper port) and any output port (towards the server racks). From there, it is easy to avoid loops. Given a more general topology, on the other hand, in which unique paths be guaranteed by such a rule, the OpenFlow controller has to choose a path. This in turn generally cannot entails path discovery, shortest-path selection and loop avoidance, as in the previous example. 2.8.3.2 Load Balancer The previous example was quite local , in that all the OpenFlow actions are contained within the intercon- nection fabric. As a larger-scale (and possiby more typical) special-purpose OpenFlow example, we next describe how to achieve server load-balancing via SDN; that is, users are connected transparently to one of 76 2 Ethernet

87 An Introduction to Computer Networks, Release 1.9.18 several identical servers. Each server handles only its assigned fraction of the total load. For this example, the controller must not only have knowledge of the topology, but also of the implementation goal. To build the load-balancer, imagine that the SDN controller is in charge of, in the diagram of the previous section, all switches in the interconnection fabric and also all switches among the server racks below. At this point, we configure all the frontline servers within the server racks identically, including giving them all identical IPv4 addresses . When an incoming TCP connection request arrives, the controller picks a server (perhaps using round robin, perhaps selecting the server with the lowest load) and sets up OpenFlow forwarding rules so all traffic on that TCP connection arriving from the outside world is sent to the designated server, and vice-versa. Different servers with the same IPv4 address are not allowed to talk directly with one another at all, thereby averting chaos. The lifetime of the OpenFlow forwarding rule can be adjusted as eg to match the typical lifetime of a user session. desired, When the first TCP packet of a connection arrives at the selected server, the server may or may not need to use ARP to figure out the appropriate internal LAN address to which to send its reply. Sometimes ARP needs to be massaged a bit to work acceptably in an environment in which some hosts have the same IPv4 address. At no point is the fact that multiple servers have been assigned the same IPv4 address directly exposed: not to other servers, not to internal routers, and not to end users. (Servers never initiate outbound connections to users, so there is no risk of two servers contacting the same user.) 18.9.5 loadbal- For an example of this sort of load balancing implemented in Mininet and Pox, see . ance31.py The identical frontline servers might need to access a common internal database cluster. This can be im- plemented by assigning each server a second IPv4 address for this purpose, not shared with other servers, or by using the common public-facing IPv4 address and a little more OpenFlow cleverness in setting up appropriate forwarding rules. If the latter approach is taken, it is now in principle possible that two servers would connect to the database using the same TCP port, by coincidence. This would expose the identical IPv4 addresses, and the SDN controllers would have to take care to ensure that this did not happen. One approach, if supported, would be to have the OpenFlow switches “mangle” the server IPv4 addresses or ports, as is done with NAT ( 7.7 Network Address Translation ). There are also several “traditional” strategies for implementing load balancing. For example, one can give each server its own IPv4 address but then use round-robin DNS ( 7.8 DNS ) to assign different users to different servers. Alternatively, one can place a device called a load balancer at the front of the network that assigns incoming connection requests to an internal server and then takes care of setting up the appropriate forwarding. Forwarding can be at the IP layer (that is, via routing), or at the TCP layer, or at the application layer. The load balancer can be thought of as NAT-like ( 7.7 Network Address Translation ) in that it maintains a table of associations between external-user connections and a internal servers; once a user connects, the association with the chosen server remains in place for a period of time. One advantage of the SDN approach described here is that the individual front-line servers need no special configuration; all of the load-sharing awareness is contained within the SDN network. Furthermore, the SDN switches do virtually no additional work beyond ordinary forwarding; they need only involve the controller when the first new TCP packet of each connection arrives. 2.8 Software-Defined Networking 77

88 An Introduction to Computer Networks, Release 1.9.18 2.9 Epilog Ethernet dominates the LAN layer, but is not one single LAN protocol: it comes in a variety of speeds and flavors. Higher-speed Ethernet seems to be moving towards fragmenting into a range of physical-layer options for different types of cable, but all based on switches and point-to-point linking; different Ethernet types can be interconnected only with switches. Once Ethernet finally abandons physical links that are bi-directional (half-duplex links), it will be collision-free and thus will no longer need a minimum packet size. Other wired networks have largely disappeared (or have been renamed “Ethernet”). Wireless networks, however, are here to stay, and for the time being at least have inherited the original Ethernet’s collision- management concerns. 2.10 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise ♢ 2.5 is distinct, for example, from exercises 2.0 and 3.0. Exercises marked with a have solutions or hints at 24.2 Solutions for Ethernet . 1.0. Simulate the contention period of five Ethernet stations that all attempt to transmit at T=0 (presumably when some sixth station has finished transmitting), in the style of the diagram in 2.1.6 Exponential Backoff . Assume that time is measured in slot times, and that exactly one slot time is needed to detect a Algorithm collision (so that if two stations transmit at T=1 and collide, and one of them chooses a backoff time k=0, then that station will transmit again at T=2). Use coin flips or some other source of randomness. 2.0. Suppose we have Ethernet switches S1 through S3 arranged as below; each switch uses the learning algorithm of 2.4 Ethernet Switches . All forwarding tables are initially empty. S1 S2 D S3 A B C (a). If A sends to B, which switches see this packet? (b). If B then replies to A, which switches see this packet? (c). If C then sends to B, which switches see this packet? (d). If C then sends to D, which switches see this packet? 2.7. ♢ Suppose we have the Ethernet switches S1 through S4 arranged as below. All forwarding tables are empty; each switch uses the learning algorithm of 2.4 Ethernet Switches . B S4 A S1 S2 S3 C 78 2 Ethernet

89 An Introduction to Computer Networks, Release 1.9.18 D Now suppose the following packet transmissions take place: • A sends to D • D sends to A • A sends to B • B sends to D For each switch S1-S4, list what source addresses ( eg A,B,C,D) it has seen (and thus what nodes it has learned the location of). 3.0. Repeat the previous exercise (2.7), with the same network layout, except that instead the following packet transmissions take place: • A sends to B • B sends to A • C sends to B • D sends to A For each switch, list what source addresses ( A,B,C,D) it has seen (and thus what nodes it has learned the eg location of). 4.0. In the switched-Ethernet network below, find two packet transmissions so that, when a third transmis- sion A D occurs, the packet is seen by B (that is, it is flooded out all ports by S2), but is not similarly ÝÑ seen by C (because it is forwarded to D, not flooded, by S3). All forwarding tables are initially empty, and each switch uses the learning algorithm of 2.4 Ethernet Switches . B C A S2 S3 D S1 Hint: Destination D must be in S3’s forwarding table, but must not be in S2’s. So there must have been a packet sent by D that was seen by S3 but not by S2. 5.0. Given the Ethernet network with learning switches below, with (disjoint) unspecified parts represented by ?, explain why it is impossible for a packet sent from A to B to be forwarded by S1 directly to S2, but to be flooded by S2 out all of S2’s other ports. ? ? | | S1 S2 B A 6.0. In the diagram below, from 2.4.1 Ethernet Learning Algorithm , suppose node D is connected to S5. Now, with the tables as shown by the labels in the diagram (that is, S5 knows about A and C, etc ), D sends to B. 2.10 Exercises 79

90 An Introduction to Computer Networks, Release 1.9.18 A A B A,C B B A B S1 S2 S3 C A A,C C C S4 S5 D Ñ Which switches will see this D not already B packet, and thus learn about D? Of these switches, which do know where B is and will use fallback-to-flooding? 7.0. Suppose two Ethernet switches are connected in a loop as follows; S1 and S2 have their interfaces 1 and 2 labeled. These switches do not use the spanning-tree algorithm. 1 1 0 A S1 S2 2 2 Suppose A attempts to send a packet to destination B, which is unknown. S1 will therefore flood the packet out interfaces 1 and 2. What happens then? How long will A’s packet circulate? 8.0. The following network is like that of 2.5.1 Example 1: Switches Only , except that the switches are numbered differently. Again, the ID of switch Sn is n, so S1 will be the root. Which links end up “pruned” by the spanning-tree algorithm, and why? Diagram the network formed by the surviving links. S4 S6 S1 S3 S5 S2 8.5. Consider the network below, consisting of just the first two rows from the datacenter diagram in 2.8.1 OpenFlow Switches : 80 2 Ethernet

91 An Introduction to Computer Networks, Release 1.9.18 S1 S2 S5 S4 S3 (a). ♢ Give network of surviving links after application of the spanning-tree algorithm. Assume the ID of switch Sn is n. In this network, what is the path of traffic from S2 to S5? (b). Do the same as part (a) except assuming S4 has ID 0, and so will be the root, while the ID for the other Sn remains n. What will be the path of traffic from S1 to S5? 9.0. Suppose you want to develop a new protocol so that Ethernet switches participating in a VLAN all keep track of the VLAN “color” associated with every destination in their forwarding tables. Assume that each switch knows which of its ports (interfaces) connect to other switches and which may connect to hosts, and in the latter case knows the color assigned to that port. (a). Suggest a way by which switches might propagate this destination-color information to other switches. (b). What must be done if a port formerly reserved for connection to another switch is now used for a host? 10.0. (This exercise assumes some familiarity with Distance-Vector routing as in 9 Routing-Update Algo- rithms .) (a). Suppose switches are able to identify the non-switch hosts that are directly connected , that is, reachable without passing through another switch. Explain how the algorithm of 9.1 Distance-Vector Routing-Update Algorithm could be used to construct optimal Ethernet forwarding tables even if loops were present in the network topology. (b). Suppose switches are allowed to “mark” packets; all packets are initially unmarked. Give a mechanism that allows switches to detect which non-switch hosts are directly connected. (c). Explain why Ethernet broadcast (and multicast) would still be a problem. 11.0. Consider the scenario from 2.4.1 Ethernet Learning Algorithm : 2.10 Exercises 81

92 An Introduction to Computer Networks, Release 1.9.18 A A B A,C B B A B S1 S2 S3 C A A,C C C S4 S5 Five learning bridges after three packet transmissions • A sends to B B sends to A • C sends to B • broadcast packet, and Now suppose that, before each packet transmission above, the sender first sends a the destination then sends a unicast reply packet (this is roughly the ARP protocol, used to translate from 7.9 Address Resolution Protocol: ARP ). After the three IPv4 addresses to Ethernet physical addresses, transmissions listed above, what destinations do the switches S1-S5 have in their forwarding tables? 12.0. ♢ Consider the following arrangement of three hosts h1, h2, h3 and one OpenFlow switch S with ports 1, 2 and 3 and controller C (not shown) 1 2 h1 S h2 3 h3 Four packets are then transmitted: (a). h1 h2 Ñ (b). h2 Ñ h1 (c). h3 Ñ h1 (d). h2 h3 Ñ Assume that S reports to C all packets with unknown destination , that is, all packets for which S does not have a forwarding entry for that packet’s destination. Packet reports include the source and destination addresses and the arrival port. On receiving a report, if the source address is previously unknown then C installs on S a forwarding-table entry for that source address. At that point S uses its forwarding table (including any new entries) to forward the packet, if a suitable entry exists. Otherwise S floods the packet as usual. For the four packets above, indicate 1. whether S reports the packet to C 82 2 Ethernet

93 An Introduction to Computer Networks, Release 1.9.18 2. if so, any new forwarding entry C installs on S 3. whether S is then able to forward the packet using its table, or must fall back to flooding. (If S does not report the packet to C then S must have had a forwarding-table entry for that destination, and so S is able to forward the packet normally.) 12.2. Consider again the arrangement of exercise 12.0 of three hosts h1, h2, h3 and one OpenFlow switch S with ports 1, 2 and 3 and controller C (not shown) 1 2 h1 S h2 3 h3 The same four packets are transmitted: Ñ h2 (a). h1 (b). h2 h1 Ñ (c). h3 Ñ h1 (d). h2 Ñ h3 This time, assume that S reports to C all packets with unknown destination or unknown source (that is, S does not have a forwarding entry for either the packet’s source or destination address). For the four packets above, indicate 1. whether S reports the packet to C 2. if so, any new forwarding entry C installs on S 3. whether S is then able to forward the packet using its table, or must fall back to flooding. As before, packet reports include the source and destination addresses and the arrival port. On receiving a report, if the source address is previously unknown then C installs on S a forwarding-table entry for that source address. At that point S uses its forwarding table (including any new entries) to forward the packet, if a suitable entry exists. Otherwise S floods the packet as usual. Again, if S does not report a packet to C then S must have had a forwarding-table entry for that destination, and so is able to forward the packet normally. 13.0 Consider the following arrangement of three switches S1-S3, three hosts h1-h3 and one OpenFlow controller C. h1 h2 h3 S1 S2 S3 C 2.10 Exercises 83

94 An Introduction to Computer Networks, Release 1.9.18 As with exercise 12.0, assume that the switches report packets to C only if they do not already have a forwarding-table entry for the packet’s destination. After each report, C installs a forwarding-table entry on the reporting switch for reaching the packet’s source address via the arrival port. At that point the switch floods the packet (as the destination must not have been known). If a switch can forward a packet without reporting to C, no new forwarding entries are installed. Packets are now sent as follows: h1 Ñ h2 h2 Ñ h1 Ñ h3 h1 Ñ h3 h1 Ñ h3 h2 h3 h2 Ñ At the end, what are the forwarding tables on S1 ♢ , S2 and S3? 14.0 Here are the switch rules for the multiple-flow-table example in 2.8.2 Learning Switches in OpenFlow : Table match field no-match default match action T forward and send to T flood and send to T destaddr 0 1 1 T send to controller srcaddr do nothing 1 matches the srcaddr field and T reversed ; that is, T matches the Give a similar table where the matches are 1 0 destaddr field. 84 2 Ethernet

95 3 OTHER LANS In the wired era, one could get along quite well with nothing but Ethernet and the occasional long-haul point- to-point link joining different sites. However, there are important alternatives out there. Some, like token ring, are mostly of historical importance; others, like virtual circuits, are of great conceptual importance but – so far – of only modest day-to-day significance. And then there is wireless. It would be difficult to imagine contemporary laptop networking, let alone mobile devices, without it. In both homes and offices, Wi-Fi connectivity is the norm. Mobile networking is ubiquitous. A return to being tethered by wires is almost unthinkable. 3.1 Virtual Private Networks Suppose you want to connect to your workplace network from home. Your workplace, however, has a security policy that does not allow “outside” IP addresses to access essential internal resources. How do you proceed, without leasing a dedicated telecommunications line to your workplace? VPN , provides a solution; it supports creation of virtual links that join far- A virtual private network, or flung nodes via the Internet. Your home computer creates an ordinary Internet connection (TCP or UDP) to a workplace (IP-layer packet encapsulation can also be used, and avoids the timeout problems VPN server 7.13 Mobile IP ). Each end sometimes created by sending TCP packets within another TCP stream; see of the connection is typically associated with a software-created ; each of the virtual network interface two virtual interfaces is assigned an IP address. (Virtual interfaces are not essential; VPNs created with IPsec, 22.11 IPsec , generally omit them.) When a packet is to be sent along the virtual link, it is actually encapsulated and sent along the original Internet connection to the VPN server, wending its way through the commodity Internet; this process is called tunneling . To all intents and purposes, the virtual link behaves like any other physical link. Tunneled packets are often encrypted as well as encapsulated, though that is a separate issue. One relatively easy-to-implement example of a tunneling mechanism is to treat a TCP home-workplace connection as a 4.1.5.1 HDLC and RFC 1661 serial line and send packets over it back-to-back, using PPP with HDLC; see (though this can lead to the above-mentioned TCP-in-TCP timeout problems). At the workplace side, the virtual network interface in the VPN server is attached to a router or switch; at the home user’s end, the virtual network interface can now be assigned an internal workplace IP address. The home computer is now, for all intents and purposes, part of the internal workplace network. In the diagram below, the user’s regular Internet connection is via hardware interface . A connection is eth0 established to Site A’s VPN server; a virtual interface tun0 is created on the user’s machine which appears to be a direct link to the VPN server. The tun0 interface is assigned a Site-A IP address. Packets sent via the tun0 interface in fact travel over the original connection via eth0 and the Internet. 85

96 An Introduction to Computer Networks, Release 1.9.18 Site A private eth0 Internet tun0 VPN server 200.0.1.37 Site A User at home 200.0.1/24 VPN: blue link represents tunnel. Actual connection is made via eth0 The tun0 interface is a virtual network interface with a Site-A address tun0 interface appears to be locally connected to Site A, and thus After the VPN is set up, the home host’s the home host is allowed to connect to the private area within Site A. The home host’s forwarding table will be configured so that traffic to Site A’s private addresses is routed via interface . tun0 VPNs are also commonly used to connect entire remote offices to headquarters. In this case the remote-office end of the tunnel will be at that office’s local router, and the tunnel will carry traffic for all the workstations in the remote office. Other applications of VPNs include trying to appear geographically to be at another location, and bypassing firewall rules blocking specific TCP or UDP ports. To improve security, it is common for the residential (or remote-office) end of the VPN connection to use the VPN connection as the default route for all traffic except that needed to maintain the VPN itself. This may require a so-called host-specific forwarding-table entry at the residential end to allow the packets that carry the VPN tunnel traffic to be routed correctly via eth0 . This routing strategy means that potential intruders cannot access the residential host – and thus the workplace internal network – through the original residential Internet access. A consequence is that if the home worker downloads a large file from a non- workplace site, it will travel first to the workplace, then back out to the Internet via the VPN connection, and finally arrive at the home. To improve congestion response, IP packets are sometimes marked by routers that are experiencing conges- tion; see . If such marking is done to the outer, encapsulat- 14.8.3 Explicit Congestion Notification (ECN) ing, packet, and the marks are not transferred at the remote endpoint of the VPN to the inner, encapsulat ed , packet, then the marks are lost. Congestion response may suffer. RFC 6040 spells out a proper re-marking strategy in general; defines re-marking for IPsec ( 22.11 IPsec ). Older VPN protocols, however, RFC 7296 may not support congestion re-marking. 3.2 Carrier Ethernet Carrier Ethernet is a leased-line point-to-point link between two sites, where the subscriber interface at each end of the line looks like Ethernet (in some flavor). The physical path in between sites, however, need not 86 3 Other LANs

97 An Introduction to Computer Networks, Release 1.9.18 have anything to do with Ethernet; it may be implemented however the carrier wishes. In particular, it will be (or at least appear to be) full-duplex, it will be collision-free, and its length may far exceed the maximum permitted by any IEEE Ethernet standard. Bandwidth can be purchased in whatever increments the carrier has implemented. The point of carrier Ethernet is to provide a layer of abstraction between the customers, who need only install a commodity Ethernet interface, and the provider, who can upgrade the link implementation at will without requiring change at the customer end. In a sense, carrier Ethernet is similar to the widespread practice of provisioning residential DSL and cable routers with an Ethernet interface for customer interconnection; again, the actual link technologies may not look anything like Ethernet, but the interface will. A carrier Ethernet connection looks like a virtual VPN link, but runs on top of the provider’s internal network rather than the Internet at large. Carrier Ethernet connections often provide the primary Internet connectivity for one endpoint, unlike Internet VPNs which assume both endpoints already have full Internet connectivity. 3.3 Token Ring A significant part of the previous chapter was devoted to classic Ethernet’s collision mechanism for sup- porting shared media access. After that, it may come as a surprise that there is a simple multiple-access mechanism that is not only collision-free , but which supports fairness in the sense that if N stations wish to send then each will receive 1/N of the opportunities. That method is Token Ring . Actual implementations come in several forms, from Fiber-Distributed Data Interface (FDDI) to so-called “IBM Token Ring”. The central idea is that stations are connected in a ring: B C A F D E Packets will be transmitted in one direction (clockwise in the ring above). Stations in effect forward most packets around the ring, although they can also remove a packet. (It is perhaps more accurate to think of the forwarding as representing the default cable connectivity; non -forwarding represents the station’s momentarily breaking that connectivity.) token . When a When the network is idle, all stations agree to forward a special, small packet known as a station, say A, wishes to transmit, it must first wait for the token to arrive at A. Instead of forwarding the token, A then transmits its own packet; this travels around the network and is then removed by A. At that point (or in some cases at the point when A finishes transmitting its data packet) A then forwards the token. In a small ring network, the ring circumference may be a small fraction of one packet. Ring networks become “large” at the point when some packets may be entirely in transit on the ring. Slightly different 3.3 Token Ring 87

98 An Introduction to Computer Networks, Release 1.9.18 solutions apply in each case. (It is also possible that the physical ring exists only within the token-ring switch, and that stations are connected to that switch using the usual point-to-point wiring.) If all stations have packets to send, then we will have something like the following: • A waits for the token • A sends a packet • A sends the token to B • B sends a packet • B sends the token to C • C sends a packet • C sends the token to D • . . . All stations get an equal number of chances to transmit, and no bandwidth is wasted on collisions. (A station constantly sending smaller packets will send the same number of packets as a station constantly sending larger packets, but the bandwidth will be smaller in proportion to the smaller packet size.) One problem with token ring is that when stations are powered off it is essential that the packets continue forwarding; this is usually addressed by having the default circuit configuration be to keep the loop closed. Another issue is that some station has to watch out in case the token disappears, or in case a duplicate token appears. Because of fairness and the lack of collisions, IBM Token Ring was once considered to be the premium LAN mechanism. As such, Token Ring hardware commanded a substantial price premium. But due to Ethernet’s combination of lower hardware costs and higher bitrates (even taking collisions into account), the latter eventually won out. There was also a much earlier collision-free hybrid of 10 Mbps Ethernet and Token Ring known as Token Bus : an Ethernet physical network (often linear) was used with a token-ring-like protocol layer above that. Stations were physically connected to the (linear) Ethernet but were assigned identifiers that logically arranged them in a (virtual) ring. Each station had to wait for the token and only then could transmit a packet; after that it would send the token on to the next station in the virtual ring. As with “real” Token Ring, some mechanisms need to be in place to monitor for token loss. Token Bus Ethernet never caught on. The additional software complexity was no doubt part of the problem, but perhaps the real issue was that it was not necessary. 3.4 Virtual Circuits Before we can get to our final LAN example, ATM, we need to detour briefly through virtual circuits. The Road Not Taken 88 3 Other LANs

99 An Introduction to Computer Networks, Release 1.9.18 A close reading of Robert Frost’s poem referenced here reveals that the supposed great difference between the two roads exists only in the narrator’s retrospective imaginings; the roads were in fact “really about the same”. Perhaps this would also apply to datagram and virtual-circuit forwarding, though see below on per-connection billing. Virtual circuits are The Road Not Taken by IP. Virtual-circuit switching (or routing) is an alternative to datagram switching, which was introduced in Chap- ter 1. In datagram switching, routers know the next_hop to each destination, and packets are addressed by connections destination . In virtual-circuit switching, routers know about end-to-end , and packets are “ad- dressed” by a connection ID. Before any data packets can be sent, a connection needs to be established first. For that connection, the route is computed and then each link along the path is assigned a connection ID, traditionally called the VCI , for locally unique; that is, the same connection may use Virtual Circuit Identifier. In most cases, VCIs are only a different VCI on each link. The lack of global uniqueness makes VCI allocation much simpler. Although the VCI keeps changing along a path, the VCI can still be thought of as identifying the connection. To send a packet, the host marks the packet with the VCI assigned to the host–router1 link. Packets arrive at (and depart from) switches via one of several ports , which we will assume are numbered connection table indexed by x VCI,port y pairs; unlike a forwarding beginning at 0. Switches maintain a table, the connection table has a record of every connection through that switch at that particular moment. As a packet arrives, its inbound VCI and inbound port are looked up in this table; this yields an outbound in in x VCI ,port , and the packet is sent via y pair. The VCI field of the packet is then rewritten to VCI out out out port . out Note that typically there is no source address information included in the packet (although the sender can be identified from the connection, which can be identified from the VCI at any point along the connection). Packets are identified by connection, not destination. Any node along the path (including the endpoints) can in principle look up the connection and figure out the endpoints. Note also that each switch must rewrite the VCI. Datagram switches never rewrite addresses (though they do update hopcount/TTL fields). The advantage to this rewriting is that VCIs need be unique only for a given link, greatly simplifying the naming. Datagram switches also do not make use of a packet’s arrival interface. As an example, consider the network below. Switch ports are numbered 0,1,2,3. Two paths are drawn in, one from A to F in red and one from B to D in green; each link is labeled with its VCI number in the same color. We will construct virtual-circuit connections between • A and F (shown above in red) • A and E • A and C • B and D (shown above in green) • A and F again (a separate connection) The following VCIs have been chosen for these connections. The choices are made more or less randomly here, but in accordance with the requirement that they be unique to each link. Because links are generally 3.4 Virtual Circuits 89

100 An Introduction to Computer Networks, Release 1.9.18 6 4 2 2 0 0 A D S1 S2 8 7 1 1 4 8 3 3 0 1 2 0 2 0 F S5 B S4 S3 4 5 8 1 1 C E taken to be bidirectional, a VCI used from S1 to S3 cannot be reused from S3 to S1 until the first connection closes. • A to F: A S1 6 S2 4 S4 8 S5 5 F; this path goes from S1 to S4 via S2 4 5 • A to E: A 6 S3 3 S4 8 E; this path goes, for no particular reason, from S1 to S4 S1 via S3, the opposite corner of the square • A to C: A S1 7 S3 3 C 6 4 S3 8 S1 7 S2 • B to D: B D 8 • A to F: A S1 8 S2 5 7 9 S5 2 F S4 One may verify that on any one link no two different paths use the same VCI. We now construct the actual x VCI,port y tables for the switches S1-S4, from the above; the table for S5 is left as an exercise. Note that either the x VCI ,port can be used as the key; we cannot y or the x VCI y ,port out out in in have the same pair in both the in columns and the out columns. It may help to display the port numbers for each switch, as in the upper numbers in following diagram of the above red connection from A to F (lower numbers are the VCIs): 0 2 0 1 3 2 0 1 A S1 S2 S4 S5 F 4 6 4 8 5 Switch S1 : VCI connection port port VCI out out in in 0 F #1 2 A ÝÑ 4 6 5 6 1 A ÝÑ E 0 6 0 7 1 A ÝÑ C 8 7 2 B ÝÑ D 1 7 0 8 2 A ÝÑ F #2 Switch S2 : 90 3 Other LANs

101 An Introduction to Computer Networks, Release 1.9.18 VCI port connection VCI port out out in in 6 4 1 A ÝÑ F #1 0 8 2 B ÝÑ D 7 0 0 5 1 A ÝÑ F #2 8 Switch S3 : VCI port connection VCI port out out in in 3 3 6 A ÝÑ E 2 7 3 3 1 A ÝÑ C 4 0 8 3 B ÝÑ D Switch S4 : VCI port connection VCI port out out in in 3 8 4 A ÝÑ F #1 2 3 0 8 1 A ÝÑ E 5 3 9 2 A ÝÑ F #2 The namespace for VCIs is small, and compact ( eg contiguous). Typically the VCI and port bitfields can be x y composite value small enough that it is suitable for use as an array concatenated to produce a VCI,Port local index. VCIs work best as identifiers. IP addresses, on the other hand, need to be globally unique, and thus are often rather sparsely distributed. Virtual-circuit switching offers the following advantages: • connections can get quality-of-service guarantees, because the switches are aware of connections and can reserve capacity at the time the connection is made • headers are smaller, allowing faster throughput • headers are small enough to allow efficient support for the very small packet sizes that are optimal for voice connections. ATM packets, for instance, have 48 bytes of data; see below. Datagram forwarding, on the other hand, offers these advantages: • Routers have less state information to manage. • Router crashes and partial connection state loss are not a problem. • If a router or link is disabled, rerouting is easy and does not affect any connection state. (As mentioned in Chapter 1, this was Paul Baran’s primary concern in his 1962 paper introducing packet switching.) • Per-connection billing is very difficult. The last point above may once have been quite important; in the era when the ARPANET was being devel- oped, typical daytime long-distance rates were on the order of $1/minute. It is unlikely that early TCP/IP protocol development would have been as fertile as it was had participants needed to justify per-minute billing costs for every project. 3.4 Virtual Circuits 91

102 An Introduction to Computer Networks, Release 1.9.18 It is certainly possible to do virtual-circuit switching with globally unique VCIs – say the concatenation of 20.6 RSVP ) does source and destination IP addresses and port numbers. The IP-based RSVP protocol ( exactly this. However, the fast-lookup and small-header advantages of a compact namespace are then lost. 20.12 Multi-Protocol Label Switching (MPLS) ) is another IP-based ap- Multi-Protocol Label Switching ( plication of virtual circuits. Note that virtual-circuit switching does not suffer from the problem of idle channels still consuming re- eg shared T1 lines) sources, which is an issue with circuits using time-division multiplexing ( 3.5 Asynchronous Transfer Mode: ATM ATM is a network mechanism intended to accommodate real-time traffic as well as bulk data transfer. We present ATM here as a LAN layer, for which it is still sometimes used, but it was originally proposed as a replacement for the IP layer as well, and, to an extent, the Transport layer. These broader plans were not greeted with universal enthusiasm within the IETF. When used as a LAN layer, IP packets are transmitted 3.5.1 ATM Segmentation and Reassembly . over ATM as in A distinctive feature of ATM is its small packet size. ATM has its roots in the telephone industry, and was therefore particularly intended to support voice. A significant source of delay in voice traffic is the packet : at DS0 speeds (64 kbps), voice data accumulates at 8 bytes/ms. If we are sending 1 kB packets, fill time this means voice is delayed by about 1/8 second, meaning in turn that when one person stops speaking, the earliest they can hear the other’s response is 1/4 second later. Slightly smaller levels of voice delay can introduce an annoying echo. Smaller packets reduce the fill time and thus the delay: when voice is sent over IP (VoIP), one common method is to send 160 bytes every 20 ms. ATM took this small-packet strategy even further: packets have 48 bytes of data, plus 5 bytes of header. Such small packets are often called . To manage such a small header, virtual-circuit routing is a necessity. IP cells packets of such small size would likely consume more than 50% of the bandwidth on headers, if the LAN header were included. Aside from reduced voice fill-time, other benefits to small cells are reduced store-and-forward delay and minimal queuing delay, at least for high-priority traffic. Prioritizing traffic and giving precedence to high- interrupt priority traffic is standard, but high-priority traffic is never allowed to transmission already begun of a low-priority packet. If you have a high-priority voice cell, and someone else has a 1500-byte packet just started, your cell has to wait about 30 cell times, because 1500 bytes is about 30 cells. However, if their low-priority traffic is instead made up of 30 cells, you have only to wait for their first cell to finish; the delay is 1/30 as much. ATM also made the decision to require fixed-size cells. The penalty for one partially used cell among many is small. Having a fixed cell size simplifies hardware design, and, in theory, allows it easier to design for parallelism. Unfortunately, the designers of ATM also chose to mandate no cell reordering . This means cells can use a smaller sequence-number field, but also makes parallel switches much harder to build. A typical parallel switch design might involve distributing incoming cells among any of several input queues; the queues would then handle the VCI lookups in parallel and forward the cells to the appropriate output queues. With such an architecture, avoiding reordering is difficult. It is not clear to what extent the no-reordering decision was related to the later decline of ATM in the marketplace. 92 3 Other LANs

103 An Introduction to Computer Networks, Release 1.9.18 ATM cells have 48 bytes of data and a 5-byte header. The header contains up to 28 bits of VCI information, cell-loss priority , or CLP, bit, and an 8-bit checksum over the header only. The three “type” bits, one VCI is divided into 8-12 bits of Virtual Path Identifier and 16 bits of Virtual Channel Identifier, the latter supposedly for customer use to separate out multiple connections between two endpoints. Forwarding is by full switching only, and there is no mechanism for physical (LAN) broadcast. 3.5.1 ATM Segmentation and Reassembly Due to the small packet size, ATM defines its own mechanisms for segmentation and reassembly of larger packets. Thus, individual ATM links in an IP network are quite practical. These mechanisms are called ATM Adaptation Layers , and there are four of them: AALs 1, 2, 3/4 and 5 (AAL 3 and AAL 4 were once separate layers, which merged). AALs 1 and 2 are used only for voice-type traffic; we will not consider them further. The ATM segmentation-and-reassembly mechanism defined here is intended to apply only to large ; no data cells are ever further subdivided. Furthermore, segmentation is always applied at the point where the data enters the network; reassembly is done at exit from the ATM path. IPv4 fragmentation, on the other hand, applies conceptually to IP packets, and may be performed by routers within the network. For AAL 3/4, we first define a high-level “wrapper” for an IP packet, called the CS-PDU (Convergence Sublayer - Protocol Data Unit). This prefixes 32 bits on the front and another 32 bits (plus padding) on the rear. We then chop this into as many 44-byte chunks as are needed; each chunk goes into a 48-byte ATM payload, along with the following 32 bits worth of additional header/trailer: • 2-bit type field: – 10: begin new CS-PDU 00: continue CS-PDU – – 01: end of CS-PDU 11: single-segment CS-PDU – • 4-bit sequence number, 0-15, good for catching up to 15 dropped cells • 10-bit MessageID field • CRC-10 checksum. We now have a total of 9 bytes of header for 44 bytes of data; this is more than 20% overhead. This did not sit well with the IP-over-ATM community (such as it was), and so AAL 5 was developed. AAL 5 moved the checksum to the CS-PDU and increased it to 32 bits from 10 bits. The MID field was discarded, as no one used it, anyway (if you wanted to send several different types of messages, you simply created several virtual circuits). A bit from the ATM header was taken over and used to indicate: • 1: start of new CS-PDU • 0: continuation of an existing CS-PDU The CS-PDU is now chopped into 48-byte chunks, which are then used as the entire body of each ATM cell. With 5 bytes of header for 48 bytes of data, overhead is down to 10%. Errors are detected by the 3.5 Asynchronous Transfer Mode: ATM 93

104 An Introduction to Computer Networks, Release 1.9.18 CS-PDU CRC-32. This also detects lost cells (impossible with a per-cell CRC!), as we no longer have any cell sequence number. For both AAL3/4 and AAL5, in order reassembly is simply a matter of stringing together consecutive cells , starting a new CS-PDU whenever the appropriate bits indicate this. For AAL3/4 the receiver of arrival has to strip off the 4-byte AAL3/4 headers; for AAL5 the receiver has to verify the CRC-32 checksum once all cells are received. Different cells from different virtual circuits can be jumbled together on the ATM “backbone”, but on any one virtual circuit the cells from one higher-level packet must be sent one right after the other. A typical IP packet divides into about 20 cells. For AAL 3/4, this means a total of 200 bits devoted to CRC codes, versus only 32 bits for AAL 5. It might seem that AAL 3/4 would be more reliable because of this, rare , and so we typically have one or at but, paradoxically, it was not! The reason for this is that errors are ie most two per CS-PDU. Suppose we have only a single error, a single cluster of corrupted bits small enough that it is likely confined to a single cell. In AAL 3/4 the CRC-10 checksum will fail to detect that error (that is, the checksum of the corrupted packet will by chance happen to equal the checksum of the original packet) 10 . The AAL 5 CRC-32 checksum, however, will fail to detect the error with probability with probability 1/2 32 . Even if there are enough errors that two cells are corrupted, the two CRC-10s together will fail to 1/2 20 detect the error with probability 1/2 ; the CRC-32 is better. AAL 3/4 is more reliable only when we have errors in at least four cells, at which point we might do better to switch to an error- correcting code. Moral: one checksum over the entire message is often better than multiple shorter checksums over parts of the message. 3.6 Adventures in Radioland For the remainder of this chapter we leave wires (and fiber) behind, and contemplate the transmission of 3.7 Wi-Fi ) and mobile wireless ( 3.8 WiMAX packets via radio, freeing nodes from their cable tethers. Wi-fi ( and LTE ) are now ubiquitous. But radio is not quite like wire, and wireless transmission of packets brings several changes. 3.6.1 Privacy It’s hard to tap into wired Ethernet, especially if you are locked out of the building. But anyone can re- ceive wireless transmissions, often from a considerable distance. The data breach at TJX Corporation was achieved by attackers parking outside a company building and pointing a directional antenna at it; encryp- tion was used but it was weak (see 22 Security and 22.7.7 Wi-Fi WEP Encryption Failure ). Similarly, Internet café visitors generally don’t want other patrons to read their email. Radio communication needs strong encryption. 3.6.2 Collisions Ethernet-like collision detection is no longer feasible over radio. This has to do with the relative signal strength of the remote signal at the local transmitter. Along a wire-based Ethernet the remote signal might be as weak as 1/100 of the transmitted signal but that 1% received signal is still detectable during transmission. 94 3 Other LANs

105 An Introduction to Computer Networks, Release 1.9.18 However, with radio the remote signal might easily be as little as 1/1,000,000 of the transmitted signal (-60 dB), as measured at the transmitting station, and it is simply overwhelmed during transmission. As a result, wireless protocols must be constructed appropriately. We will look at how Wi-Fi handles this . Wi-Fi also supports its PCF mode in its most common mode of operation in 3.7.1 Wi-Fi and Collisions ) that involves fewer (but not zero) collisions through the use of central-point 3.7.7 Wi-Fi Polling Mode ( polling scheduling to further reduce collisions, though . Finally, WiMAX and LTE switch from polling to the potential for collisions is still inevitable when new stations join the network. It is also worth pointing out that, while an Ethernet collision affects every station in the physical Ethernet local (the “collision domain”), wireless collisions are , occuring at the receiver. Two stations can transmit at the same time, and in range of one another, but without a collision! This can happen if each of the relevant is in range of only one of the two transmitting stations. As an example, suppose three stations are receivers arranged linearly, A–C–B, with the A–C and C–B distances just under the maximum effective range. When A and B both transmit there is indeed a collision at C. But when C and B transmit simultaneously, A may receive C’s signal just fine, as B’s is too weak to interfere. 3.6.3 Hidden Nodes In wireless communication, two nodes A and B that are not in range of one another – and thus cannot detect one another – may still have their signals interfere at a third node C. This creates an additional complication to collision handling. See 3.7.1.4 Hidden-Node Problem . 3.6.4 Band Width To radio engineers, “band width” means the frequency range used by a signal, not the data transmission rate. No information can be conveyed using a single frequency; even signaling by switching a carrier frequency off and on at a low rate “blurs” the carrier into a band of nonzero width. In keeping with this we will for the remainder of this chapter use the term “data rate” for what we have previously called “bandwidth”. We will use the terms “channel width” or “width of the frequency band” for the frequency range. All else being equal, the data rate achievable with a radio signal is proportional to the channel width. The constant of proportionality is limited by the Shannon-Hartley theorem: the maximum data rate divided by (1+SNR), where SNR is the the width of the frequency band is log signal to noise power ratio. Noise here 2 is assumed to have a specific statistical form known as Gaussian white noise . If SNR is 127, for example, and the width of the frequency band is 1 MHz, then the maximum theoretical data rate is 7 Mbps, where 7 = log (128). If the signal power S drops by about half so SNR=63, the data rate falls to 6 Mbps, as 6 = 2 log (64); the relationship between signal power and data rate is logarithmic. 2 3.6.4.1 OFDM The actual data rate achievable, for a given channel width and SNR, depends on the signal encoding, or modulation , mechanism. Most newer modulation mechanisms use “orthogonal frequency-division multi- plexing”, OFDM , or some variant. 3.6 Adventures in Radioland 95

106 An Introduction to Computer Networks, Release 1.9.18 A central feature of OFDM is that one wider frequency band is divided into multiple narrow subchan- nels; each subchannel then carries a proportional fraction of the total information signal, modulated onto a subchannel-specific carrier. All the subchannels can be allocated to one transmission at a time (time-division 4.2 Time-Division Multiplexing ), or disjoint sets of subchannels can be allocated to different multiplexing, transmissions that can then proceed (at proportionally lower data rates) in parallel. The latter is known as frequency-division multiplexing . In many settings OFDM comes reasonably close to the Shannon-Hartley limit. Perhaps more importantly, multipath interference , below, which is endemic in urban and OFDM also performs reasonably well with building-interior environments with their many reflective surfaces. Multipath interference is, however, not necessarily comparable to the Gaussian noise assumed by the Shannon-Hartley theorem. We will not address further technical details of OFDM here, except to note that implementation usually requires some form of digital signal processing. The OFDMA variant, with the MA standing for Multiple Access, allows multiple users to use nonoverlap- ping sets of subchannels, thus allowing simultaneous transmission. It is an option available in 802.11ax. 3.6.5 Cost Another fundamental issue is that everyone shares the same radio spectrum. For mobile wireless providers, this constraint has driven prices to remarkable levels; the 2014-15 FCC AWS-3 auction raised almost $45 billion for 65 MHz (usable throughout the entire United States). This works out to somewhat over $2 per megahertz per phone. The corresponding issue for Wi-Fi users in a dense area is that all the available Wi-Fi bandwidth may be in use. Inside busy buildings one can often see dozens of Wi-Fi access points competing for the same Wi-Fi channel; the result is that no user will be getting close to the nominal data rates of . 3.7 Wi-Fi Higher data rates require wider frequency bands. To reduce costs in the face of fixed demand, the usual strategy is to make the coverage zones smaller, either by reducing power (and adding more access points as appropriate), or by using directional antennas, or both. 3.6.6 Multipath While a radio signal generally covers a wide area – even with ordinary directional antennas – it does so in surprisingly non-uniform ways. A signal may reach a receiver through a line-of-sight path and also several reflected paths, possibly of varying length. In addition to reflection, the signal may be subject to reflection- like scattering and diffraction . All of this together is known as multipath interference (or, if analog audio is involved, multipath distortion ; in the analog TV era this was ghosting ). 96 3 Other LANs

107 An Introduction to Computer Networks, Release 1.9.18 A B Line-of-sight and reflected signals Superposition of encoded data The picture above shows two transmission paths from A to B. The respective carrier paths may interfere with or supplement one another. The longer delay of the reflecting path (red) wil also delay its encoded signal. The result, shown at right, is that the line-of-sight and reflected data symbols may overlap and interfere with each other; this is known as intersymbol interference . Multipath interference may even change the meaning of the data symbol as seen by the receiver; for example, the red and black low data-signal peaks above at the point of the vertical dashed line may sum together so as to be received as a higher peak (assuming the underlying carriers are in sync). Multipath interference tends to lead to wide fluctuations in signal intensity with a period of about half a wavelength; this phenomenon is known as multipath fading. As an example, the wavelength of FM radio stations in the United States is about 3 meters; in fringe reception areas it is not uncommon to pull a car forward a quarter wavelength and have a station go from clear to indecipherable, or even for reception to switch to another station (on the same frequency but transmitted from another location) altogether. 3.6 Adventures in Radioland 97

108 An Introduction to Computer Networks, Release 1.9.18 Signal-intensity map (simulated) in a room with walls with 40% reflectivity The picture above is from a mathematical simulation intended to illustrate multipath fading. The walls of the room reflect 40% of the signal from the transmitter located in the orange ball at the lower left. The transmitter transmits an unmodulated carrier signal, which may be reflected off the walls any number of times; at any point in the room the total signal intensity is the sum over all possible reflection paths. On the right-hand side, the small-scale blue ripples represent the received carrier strength variation due to multipath interference between the line-of-sight and all the reflected paths. Note that the ripple size is about half a wavelength. In comparison to this simulated intensity map, real walls tend to have a lower reflectivity, real rooms are not two-dimensional, and real carriers are modulated. However, real rooms also introduce scattering, diffraction ˆ to 10 ˆ and shadowing from objects within, and significant (3 ) multipath-fading signal-strength variations are common in actual wireless settings. flat – affecting all frequencies more or less equally – or selective – affecting Multipath fading can be either 3.6.4.1 OFDM ) to some frequencies differently than others. It is quite possible for an OFDM channel ( encounter selective fading of only some of its subchannel frequencies. Generally, multipath interference is a problem that engineers go to great lengths to overcome. However, as we shall see in 3.7.3 Multiple Spatial Streams , multipath interference can sometimes be put to positive use by allowing almost-adjacent antennas to transmit and receive independent signals, thus increasing the effective throughput. For an alternative example of multipath interference in which the signal strength has no ripples, see exercise 13.0. 3.6.7 Power If you are cutting the network cable and replacing it with wireless, there is a good chance you will also want to cut the power cable as well and replace it with batteries. This tends to make power consumption a very important issue. The Wi-Fi standard has provisions for minimizing power usage by allowing a device to “doze” most of the time, waking periodically to check if any packets are ready to be sent to it (see 3.7.4.1 Joining a Network ). The 6LoWPAN project (IPv6 Low-power Wireless Personal Area Network) is intended to support very low-power devices; see RFC 4919 and RFC 6282 . 3.6.8 Tangle Wireless is also used simply to replace cords and their attendant tangle, and, of course, the problem of incompatible connectors. The low-power Bluetooth wireless standard is commonly used as a cable alterna- tive for things like computer mice and telephone headsets. Bluetooth is also a low-power network; for many applications the working range is about 10 meters. ZigBee is another low-power small-scale network. 3.7 Wi-Fi Wi-Fi is a trademark of the Wi-Fi Alliance denoting any of several IEEE wireless-networking protocols in the 802.11 family, specifically 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac and 802.11ax. (Strictly 98 3 Other LANs

109 An Introduction to Computer Networks, Release 1.9.18 speaking, these are all to the original 802.11 standard, but they are also de facto standards amendments collisions ; unlike Ethernet, however, Wi- in their own right.) Like classic Ethernet, Wi-Fi must deal with Fi is unable to detect collisions in progress, complicating the backoff and retransmission algorithms. See above. 3.6.2 Collisions Unlike any wired LAN protocol we have considered so far, in addition to normal data packets Wi-Fi also uses management packets that exist entirely within the Wi-Fi LAN layer; these are not initiated by or control and delivered to higher network layers. Control packets are used to compensate for some of the infelicities of the radio environment, such as the lack of collision detection. Putting radio-essential control and management protocols within the Wi-Fi layer means that the IP layer can continue to interact with the Wi-Fi LAN exactly as it did with Ethernet; no changes are required. Wi-Fi is designed to interoperate freely with Ethernet at the logical LAN layer. Wi-Fi MAC (physical) 2.1.3 Ethernet Address addresses have the same 48-bit size as Ethernet’s and the same internal structure ( Internal Structure ). They also share the same namespace: one is never supposed to see an Ethernet and a Wi-Fi interface with the same address. As a result, data packets can be forwarded by switches between Ethernet and Wi-Fi; in many respects a Wi-Fi LAN attached to an Ethernet LAN looks like an extension of 3.7.4 Access Points . the Ethernet LAN. See Microwave Ovens and Wi-Fi The impact of a running microwave oven on Wi-Fi signals is quite evident if the oven is between the sender and receiver. For other configurations the effect may vary. Most ovens transmit only during one half of the A/C cycle, that is, they are on 1/60 sec and then off 1/60 sec; this may allow intervening transmission time. See also here. Traditionally, Wi-Fi used the 2.4 GHz ISM (Industrial, Scientific and Medical) band used also by microwave ovens, though 802.11a used a 5 GHz band, 802.11n supports that as an option and the new 802.11ac has returned to using 5 GHz exclusively. The 5 GHz band has reduced ability to penetrate walls, often resulting in a lower effective range (though in offices and multi-unit housing this can be an advantage). The 5 GHz band provides many more usable channels than the 2.4 GHz band, resulting in much less interference in “crowded” environments. Wi-Fi radio spectrum is usually unlicensed , meaning that no special permission is needed to transmit but also that others may be trying to use the same frequency band simultaneously. The availability of unlicensed channels in the 5 GHz band continues to improve. The table below summarizes the different Wi-Fi versions. All data bit rates assume a single spatial stream; channel widths are nominal. The names in the far-right column have been introduced by the Wi-Fi Alliance as a more convenient designation for the newer versions. maximum bit rate frequency channel width new name IEEE name 54 Mbps 5 GHz 20 MHz 802.11a 802.11b 11 Mbps 2.4 GHz 20 MHz 802.11g 54 Mbps 2.4 GHz 20 MHz 802.11n 2.4/5 GHz 20-40 MHz Wi-Fi 4 65-150 Mbps 802.11ac 78-867 Mbps 5 GHz 20-160 MHz Wi-Fi 5 802.11ax Up to 1200 Mbps 2.4/5+ GHz 20-160 MHz Wi-Fi 6 3.7 Wi-Fi 99

110 An Introduction to Computer Networks, Release 1.9.18 The maximum bit rate is seldom achieved in practice. The bit rate must take into account, at a effective minimum, the time spent in the collision-handling mechanism. More significantly, all the Wi-Fi variants above use dynamic rate scaling, below; the bit rate is reduced up to tenfold (or more) in environments with higher error rates, which can be due to distance, obstructions, competing transmissions or radio noise. All this means that, as a practical matter, getting 150 Mbps out of 802.11n requires optimum circumstances; in particular, no competing senders and unimpeded line-of-sight transmission. 802.11n lower-end performance can be as little as 10 Mbps, though 40-100 Mbps (for a 40 MHz channel) may be more typical. The 2.4 GHz ISM band is divided by international agreement into up to 14 officially designated (and mostly adjacent) channels, each about 5 MHz wide, though in the United States use may be limited to the first 11 channels. The 5 GHz band is similarly divided into 5 MHz channels. One Wi-Fi sender, however, needs several of these official channels; the typical 2.4 GHz 802.11g transmitter uses an actual frequency range of up to 22 MHz, or up to five official channels. As a result, to avoid signal overlap Wi-Fi use in the 2.4 GHz band is often restricted to official channels 1, 6 and 11. The end result is that there are generally only three available Wi-Fi bands in the 2.4 GHz range, and so Wi-Fi transmitters can and do interact with and interfere with each other. There are almost 200 5 MHz channels in the 5 GHz band. The United States requires users of the this band to avoid interfering with weather and military applications in the same frequency range; this may involve careful control of transmission power (under the IEEE 802.11h amendment) and so-called “dynamic frequency selection” to choose channels with little interference, and to switch to such channels if interference is detected later. Even so, there are many more channels than at 2.4 GHz; the larger number of channels is one of the reasons (arguably the primary reason) that 802.11ac can run faster (below). The number of channels available for Wi-Fi use has been increasing, often as conflicts with existing 5 GHz weather systems are resolved. 802.11ax has preliminary support for additional frequency bands in the 6-7 GHz range, though these are still awaiting (in the US) final FCC approval. Wi-Fi designers can improve throughput through a variety of techniques, including 1. improved radio modulation techniques 2. improved error-correcting codes 3. smaller guard intervals between symbols 4. increasing the channel width 5. allowing multiple spatial streams via multiple antennas The first two in this list seem now to be largely tapped out; OFDM modulation ( 3.6.4.1 OFDM ) is close enough to the Shannon-Hartley limit that there is limited room for improvement, though 802.11ax saw fit to move to ODFMA. The third reduces the range (because there is less protection from multipath interference) but may increase the data rate by ~10%; 802.11ax introduced support for dynamic changing of guard-interval and symbol size. The largest speed increases are obtained the last two items in the list. The channel width is increased by adding additional 5 MHz channels. For example, the 65 Mbps bit rate above for 802.11n is for a nominal frequency range of 20 MHz, comparable to that of 802.11g. However, in areas with minimal competition from other signals, 802.11n supports using a 40 MHz frequency band; the bit rate then goes up to 135 Mbps (or 150 Mbps if a smaller guard interval is used). This amounts to using two of the three available 2.4 GHz Wi-Fi bands. Similarly, the wide range in 802.11ac bit rates reflects support for using channel widths ranging from 20 MHz up to 160 MHz (32 5-MHz official channels). 100 3 Other LANs

111 An Introduction to Computer Networks, Release 1.9.18 Using multiple spatial streams is the newest data-rate-improvement technique; see 3.7.3 Multiple Spatial . Streams For all the categories in the table above, additional bits are used for error-correcting codes. For 802.11g 54 = 72 Mbps, sent in symbols consisting operating at 54 Mbps, for example, the actual raw bit rate is (4/3) ˆ of six bits as a unit. 3.7.1 Wi-Fi and Collisions 2.1 10-Mbps Classic We looked extensively at the 10 Mbps Ethernet collision-handling mechanisms in Ethernet , only to conclude that with switches and full-duplex links, Ethernet collisions are rapidly becoming a thing of the past. Wi-Fi, however, has brought collisions back from obscurity. An Ethernet sender will discover a collision, if one occurs, during the first slot time, by monitoring for faint interference with its own transmission. However, as mentioned in , Wi-Fi transmitting stations simply cannot detect 3.6.2 Collisions collisions in progress. If another station transmits at the same time, a Wi-Fi sender will see nothing amiss although its signal will not be received. While there is a largely-collision-free mode for Wi-Fi operation 3.7.7 Wi-Fi Polling Mode ), it is not commonly used, and collision management has a significant impact ( on ordinary Wi-Fi performance. 3.7.1.1 Link-Layer ACKs The first problem with Wi-Fi collisions is even detecting them. Because of the inability to detect collisions directly, the Wi-Fi protocol adds link-layer ACK packets , at least for unicast transmission. These ACKs are our first example of Wi-Fi control packets and are unrelated to the higher-layer TCP ACKs. The reliable delivery of these link-layer ACKs depends on careful timing. There are three time intervals applicable (numeric values here are for 802.11b/g in the 2.4 GHz band). The value we here call IFS is more 3.7.7 Wi-Fi Polling Mode ). formally known as DIFS (D for “distributed”; see • slot time: 20 μsec • IFS, the “normal” InterFrame Spacing: 50 μsec • SIFS, the short IFS: 10 μsec For comparison, note that the RTT between two Wi-Fi stations 100 meters apart is less than 1 μsec. At 11 Mbps, one IFS time is enough to send about 70 bytes; at 54 Mbps it is enough to send almost 340 bytes. Once a station has received a data packet addressed to it, it waits for time SIFS and sends its ACK. At this point in time the receiver will be the only station authorized to send, because, as we will see in the next section, all other stations (including those on someone else’s overlapping Wi-Fi) will be required to wait the longer IFS period following the end of the previous data transmission. These other stations will see the ACK before the IFS time has elapsed and will thus not interfere with it (though see exercise 4.0). If a packet is involved in a collision, the receiver will send no ACK, so the sender will know something went awry. Unfortunately, the sender will not be able to tell whether the problem was due to a collision, or electromagnetic interference, or signal blockage, or excessive distance, or the receiver’s being powered off. But as a collision is usually the most likely cause, and as assuming the lost packet was involved in a collision results in, at worst, a slight additional delay in retransmission, a collision will always be assumed. 3.7 Wi-Fi 101

112 An Introduction to Computer Networks, Release 1.9.18 Link-Layer ACKs contain no information – such as a sequence number – that identifies the packet being acknowledged. These ACKs simply acknowledge the most recent transmission, the one that ended one SIFS earlier. In the Wi-Fi context, this is unambiguous. It may be compared, however, to 6.1 Building Reliable Transport: Stop-and-Wait , where at least one bit of packet sequence numbering is required. 3.7.1.2 Collision Avoidance and Backoff The Ethernet collision-management algorithm was known as CSMA/CD, where CD stood for Collision , where CA stands for Collision Avoidance Detection. The corresponding Wi-Fi mechanism is CSMA/ CA . A collision is presumed to have occurred if the link-layer ACK is not received. As with Ethernet, there is an exponential-backoff mechanism as well, though it is scaled somewhat differently. Any sender wanting to send a new data packet waits the IFS time after first sensing the medium to see if it is idle. If no other traffic is seen in this interval, the station may then transmit immediately. However, is if other traffic sensed, the sender must do an exponential backoff even for its first transmission attempt; other stations, after all, are likely also waiting, and avoiding an initial collision is strongly preferred. 5 The initial backoff is to choose a random k<2 = 32 (recall that classic Ethernet in effect chooses an initial 0 backoff of k<2 ie k=0). The prospective sender then waits k slot times. While waiting, the sender = 1; continues to monitor for other traffic; if any other transmission is detected, then the sender “suspends” the backoff-wait clock. The clock resumes when the other transmission has completed and one followup idle interval of length IFS has elapsed. Note that, under these rules, data-packet senders always wait for at least one idle interval of length IFS before sending, thus ensuring that they never collide with an ACK sent after an idle interval of only SIFS. On an Ethernet, if two stations are waiting for a third to finish before they transmit, they will both transmit as soon as the third is finished and so there will always be an initial collision. With Wi-Fi, because of the larger initial k<32 backoff range, such initial collisions are unlikely. If a Wi-Fi sender believes there has been a collision, it retries its transmission, after doubling the backoff range to 64, then 128, 256, 512, 1024 and again 1024. If these seven attempts all fail, the packet is discarded and the sender starts over. In one slot time, radio signals move 6,000 meters; the Wi-Fi slot time – unlike that for Ethernet – has nothing to do with the physical diameter of the network. As with Ethernet, though, the Wi-Fi slot time represents the fundamental unit for backoff intervals. Finally, we note that, unlike Ethernet collisions, Wi-Fi collisions are a local phenomenon: if A and B transmit simultaneously, a collision occurs at node C only if the signals of A and B are both strong enough at C to interfere with one another. It is possible that a collision occurs at station C midway between A and B, but not at station D that is close to A. We return to this below in 3.7.1.4 Hidden-Node Problem . 3.7.1.3 Wi-Fi RTS/CTS RTS/CTS ) protocol, again negotiated Wi-Fi stations optionally also use a request-to-send/clear-to-send ( with designated control packets. Usually this is used only for larger data packets; often, the RTS/CTS “threshold” (the size of the largest packet not sent using RTS/CTS) is set (as part of the Access Point configuration, 3.7.4 Access Points ) to be the maximum packet size, effectively disabling this feature. The 102 3 Other LANs

113 An Introduction to Computer Networks, Release 1.9.18 idea behind RTS/CTS is that a large packet that is involved in a collision represents a significant waste of potential throughput; for large packets, we should ask first. The RTS control packet – which is small – is sent through the normal procedure outlined above; this packet includes the identity of the destination and the size of the data packet the station desires to transmit. The destination station then replies with CTS after the SIFS wait period, effectively preventing any other trans- mission after the RTS. The CTS packet also contains the data-packet size. The original sender then waits for SIFS after receiving the CTS, and sends the packet. If all other stations can hear both the RTS and CTS messages, then once the RTS and CTS are sent successfully no collisions should occur during packet transmission, again because the only idle times are of length SIFS and other stations should be waiting for time IFS. 3.7.1.4 Hidden-Node Problem Consider the diagram below. Each station has a 100-meter range. Stations A and B are 150 meters apart and so cannot hear one another at all; each is 75 meters from C. If A is transmitting and B senses the medium in preparation for its own transmission, as part of collision avoidance, then B will conclude that the medium is idle and will go ahead and send. However, C is within range of both A and B. If A and B transmit simultaneously, then from C’s perspective a collision occurs. C receives nothing usable. We will call this a hidden-node collision as the senders A and B are hidden from one another; the general scenario is known as the hidden-node problem . Note that node D receives only A’s signal, and so no collision occurs at D. The hidden-node problem can also occur if A and B cannot receive one another’s transmissions due to a physical obstruction such as a radio-impermeable wall: 3.7 Wi-Fi 103

114 An Introduction to Computer Networks, Release 1.9.18 A C B One of the rationales for the RTS/CTS protocol is the prevention of hidden-node collisions. Imagine that, instead of transmitting its data packet, A sends an RTS packet, and C responds with CTS. B has not heard the RTS packet from A, but does hear the CTS from C. A will begin transmitting after a SIFS interval, but B will not hear A’s transmission. However, B will still wait, because the CTS packet contained the data-packet size and thus, implicitly, the length of time all other stations should remain idle. Because RTS packets are quite short, they are much less likely to be involved in collisions themselves than data packets. 3.7.1.5 Wi-Fi Fragmentation Conceptually related to RTS/CTS is Wi-Fi . If error rates or collision rates are high, a sender fragmentation can send a large packet as multiple fragments, each receiving its own link-layer ACK. As we shall see in 5.3.1 Error Rates and Packet Size , if bit-error rates are high then sending several smaller packets often leads to fewer total transmitted bytes than sending the same data as one large packet. Wi-Fi packet fragments are reassembled by the receiving node, which may or may not be the final destina- tion. As with the RTS/CTS threshold, the fragmentation threshold is often set to the size of the maximum packet. Adjusting the values of these thresholds is seldom necessary, though might be appropriate if monitoring revealed high collision or error rates. Unfortunately, it is essentially impossible for an individual station to distinguish between reception errors caused by collisions and reception errors caused by other forms of noise, and so it is hard to use reception statistics to distinguish between a need for RTS/CTS and a need for fragmentation. 3.7.2 Dynamic Rate Scaling Wi-Fi senders, if they detect transmission problems, are able to reduce their transmission bit rate in a process known as or rate control . The idea is that lower bit rates will have fewer noise-related errors, rate scaling and so as the error rate becomes unacceptably high – perhaps due to increased distance – the sender should fall back to a lower bit rate. For 802.11g, the standard rates are 54, 48, 36, 24, 18, 12, 9 and 6 Mbps. Senders attempt to find the transmission rate that maximizes throughput; for example, 36 Mbps with a packet loss ˆ 75% = 27 Mbps, and so is better than 24 Mbps with no rate of 25% has an effective throughput of 36 losses. Senders may update their bit rate on a per-packet basis; senders may also choose different bit rates for different recipients. For example, if a sender sends a packet and receives no confirming link-layer ACK, the sender may fall back to the next lower bit rate. The actual bit-rate-selection algorithm lives in the particular Wi-Fi driver in use; different nodes in a network may use different algorithms. 104 3 Other LANs

115 An Introduction to Computer Networks, Release 1.9.18 The earliest rate-scaling algorithm was Automatic Rate Fallback, or ARF, . The rate decreases after [KM97] two consecutive transmission failures (that is, the link-layer ACK is not received), and increases after ten transmission successes. A significant problem for rate scaling is that a packet loss may be due either to low-level random noise (white noise, or thermal noise) or to a collision (which is also a form of noise, but less random); only in the first case is a lower transmission rate likely to be helpful. If a larger number of collisions is experienced, the longer packet-transmission times caused by the lower bit rate may increase the frequency of hidden-node higher transmission rate (leading to shorter transmission times) may help; enabling the collisions. In fact, a RTS/CTS protocol may also help. Signal Strength Most Wi-Fi drivers report the received signal strength. Newer drivers use the IEEE Received Channel Power Indicator convention; the RCPI is an 8-bit integer proportional to the absolute power received by the antenna as measured in decibel-milliwatts (dBm). Wi-Fi values range from -10 dBm to -90 dBm and below. For comparison, the light from the star Polaris delivers about -97 dBm to one eye on a good night; Venus typically delivers about -73 dBm. A GPS satellite might deliver -127 dBm to your phone. (Inspired by Wikipedia on DBm.) A variety of newer rate-scaling algorithms have been proposed; see [JB05] for a summary. One, Receiver- Based Auto Rate (RBAR, ), attempts to incorporate the signal-to-noise ratio into the calculation of [HVB01] the transmission rate. This avoids the confusion introduced by collisions. Unfortunately, while the signal- to-noise ratio has a strong theoretical correlation with the transmission bit-error rate , most Wi-Fi radios will report to the host system the received signal strength . This is not the same as the signal-to-noise ratio, which is harder to measure. As a result, the RBAR approach has not been quite as effective in practice as might be hoped. [KKCQ06] ), a transmitting station attempts With the Collision-Aware Rate Adaptation algorithm (CARA, (among other things) to infer that its packet was lost to a collision rather than noise if, after one SIFS interval following the end of its packet transmission, no link-layer ACK has been received the channel is still and busy. This will detect collisions only when the colliding packet is longer than the station’s own packet, and only when the hidden-node problem isn’t an issue. Because the actual data in a Wi-Fi packet may be sent at a rate not every participant is close enough to receive correctly, every Wi-Fi transmission begins with a brief preamble at the minimum bit rate. Link-layer ACKs, too, are sent at the minimum bit rate. 3.7.3 Multiple Spatial Streams The latest innovation in improving Wi-Fi (and other wireless) data rates is to support multiple simultaneous data streams, through an antenna technique known as multiple-input-multiple-output, or MIMO . To use N streams, both sender and receiver must have N antennas; all the antennas use the same frequency channels but each transmitter antenna sends a different data stream. At first glance, any significant improvement in throughput might seem impossible, as the antenna elements in the respective sending and receiving groups are each within about half a wavelength of each other; indeed, in clear space MIMO is not possible. The reason MIMO works in most everyday settings is that it puts multipath interference to positive use. 3.7 Wi-Fi 105

116 An Introduction to Computer Networks, Release 1.9.18 Consider again at the right-hand side of the final image of 3.6.6 Multipath , in which the signal strength varies according to the blue ripples; the peaks and valleys have a period of about half a wavelength. We will assume initially that the signal strength is low enough that reception in the darkest blue areas is no longer viable; a single antenna with the misfortune to be in one of these “dead zones” may receive nothing. We will start with two simpler cases: SIMO (single-input-multiple-output) and MISO (multiple-input- single-output). In SIMO, the receiver has multiple antennas; in MISO, the transmitter. Assume for the moment that the multiple-antenna side has two antennas. In the simplest implementation of SIMO, the re- ceiver picks the stronger of the two received signals and uses that alone; as long as at least one antenna is not in a “dead zone”, reception is successful. With two antennas under half a wavelength apart, the odds are that at least one of them will be located outside a dead zone, and will receive an adequate signal. Similarly, in simple MISO, the transmitter picks whichever of its antennas that gets a stronger signal to the transmitter antennas. Note that for MISO the receiver. The receiver is unlikely to be in a dead zone for both sender must get some feedback from the receiver to know which antenna to use. We can do quite a bit better if signal-processing techniques are utilized so the two sender or two receiver antennas can be used simultaneously (though this complicates the mathematics considerably). Such signal- processing is standard in 802.11n and above; the Wi-Fi header, to assist this process, includes added man- agement packets and fields for reporting MIMO-related information. One station may, for example, send the other a sequence of training symbols for discerning the response of the antenna system. beamforming : the sender coordinates its multiple MISO with these added techniques is sometimes called antennas to maximize the signal reaching one particular receiver. In our simplistic description of SIMO and MIMO above, in which only one of the multiple-antenna-side antennas is actually used, we have suggested that the idea is to improve marginal reception. At least one antenna on the multiple-antenna side can successfully communicate with the single antenna on the other side. MIMO , on the other hand, can be thought of as applying when transmission conditions are quite good all around, and every antenna on one side can reach every antenna on the other side. The key point is that, in an environment with a significant degree of multipath interference, the antenna-to-antenna paths may all be independent uncorrelated . At least one receiving antenna must be, from the perspective of at least one , or transmitting antenna, in a multipath-interference “gray zone” of reduced signal strength. A B 1 1 A B A B 2 2 MIMO antennas As a specific example, consider the diagram above, with two sending antennas A and A at the left and two 1 2 receiving antennas B at the right. Antenna A transmits signal S and B and A transmits S . There are 1 2 2 2 1 1 thus four physical signal paths: A . If we assume that the signal -to-B -to-B , A and A -to-B -to-B , A 2 2 1 2 1 2 1 1 -to-B path (dashed and blue) arrives with half the strength of the other three paths (solid and along the A 1 2 black), then we have signal received by B + S : S 1 2 1 signal received by B : S /2 + S 1 2 2 From these, B can readily solve for the two independent signals S and S . These signals are said to form two 1 2 106 3 Other LANs

117 An Introduction to Computer Networks, Release 1.9.18 spatial streams , though the spatial streams are abstract and do not correspond to any of the four physical signal paths. The antennas are each more-or-less omnidirectional; the signal-strength variations come from multipath -to-B and A -to-B are interference and not from physical aiming. Similarly, while the diagonal paths A 2 1 1 2 , the difference is not nearly enough to allow -to-B slightly longer than the horizontal paths A and A -to-B 2 1 1 2 B to solve for the two signals. In practice, overall data-rate improvement over a single antenna can be considerably less than a factor of 2 (or than N, the number of antennas at each end). The 802.11n standard allows for up to four spatial streams, for a theoretical maximum bit rate of 600 Mbps. 802.11ac allows for up to eight spatial streams, for an even-more-theoretical maximum of close to 7 Gbps. ˆ B ˆ C notation, eg 3 MIMO support is sometimes described with an A 3 ˆ 2, where A and B are the number ˆ of transmitting and receiving antennas and C ď min(A,B) is the number of spatial streams. 3.7.4 Access Points There are two standard Wi-Fi configurations: infrastructure and ad hoc . The former involves connection to a designated access point ; the latter includes individual Wi-Fi-equipped nodes communicating informally. For example, two laptops can set up an ad hoc connection to transfer data at a meeting. Ad hoc connections are often used for very simple networks providing Internet connectivity. Complex ad hoc networks are, not however, certainly possible; see 3.7.8 MANETs . infrastructure The configuration is much more common. Stations in an infrastructure network communi- cate directly only with their access point, which, in turn, communicates with the outside world. If Wi-Fi nodes B and C share access point AP, and B wishes to send a packet to C, then B first forwards the packet to AP and AP then forwards it to C. While this introduces a degree of inefficiency, it does mean that the access point and its associated nodes automatically act as a true LAN: every node can reach every other node. (It is also often the case that most traffic is between Wi-Fi nodes and the outside world.) In an ad hoc network, by comparison, it is common for two nodes to be able to reach each other only by forwarding through an intermediate third node; this is in fact a form of the hidden-node scenario. SSID (“Service Set IDentifier”), an administratively Wi-Fi access points are generally identified by their defined human-readable string such as “linksys” or “loyola”. Ad hoc networks also have SSIDs; these are generated pseudorandomly at startup and look like (but are not) 48-bit MAC addresses. Portable Access Points Being a Wi-Fi access point is a very specific job; Wi-Fi-enabled “station” devices like phones and work- stations do not generally act as access points. However, it is often possible to for a station device to become an access point if the access-point mode is supported by the underlying radio hardware, and if suitable drivers can be found. The Linux hostapd package is one option. The FCC may or may not bestow its blessing. Many access points can support multiple SSIDs simultaneously. For example, an access point might support SSID “guest” with limited authentication (below), and also SSID “secure” with much stronger authentica- tion. 3.7 Wi-Fi 107

118 An Introduction to Computer Networks, Release 1.9.18 Finally, Wi-Fi is by design completely interoperable with Ethernet; if station A is associated with access point AP, and AP also connects via (cabled) Ethernet to station B, then if A wants to send a packet to B it sends it using AP as the Wi-Fi destination but with B also included in the header as the “actual” destination. Once it receives the packet by wireless, AP acts as an Ethernet switch and forwards the packet to B. While this forwarding is transparent to senders, the Ethernet and Wi-Fi LAN header formats are quite different. type dest addr src addr data CRC Ethernet seq receiver transmit frame dura- dest addr src addr data CRC control tion control addr addr Wi-Fi Data The above diagram illustrates an Ethernet header and the Wi-Fi header for a typical data packet (not using Wi-Fi quality-of-service features). The Ethernet type field usually moves to an IEEE Logical Link Control header in the Wi-Fi region labeled “data”. The receiver and transmitter addresses are the MAC addresses of the nodes receiving and transmitting the (unicast) packet; these may each be different from the ultimate destination and source addresses. If station B wants to send a packet to station C in the same network, the source and destination are B and C but the transmitter and receiver are B and the access point. In infrastructure mode either the receiver or transmitter address is always the access point; in typical situations either the receiver is the destination or the sender is the transmitter. In ad hoc mode, if LAN-layer routing is used then all four addresses may be distinct; see 3.7.8.1 Routing in MANETs . 3.7.4.1 Joining a Network To join the network, an individual station must first discover its access point, and must and then associate to that access point before general communication can begin. (Older forms of authentication authenticate – so-called “open” authentication and the now-deprecated WEP authentication – came before association, 3.7.5 Wi-Fi but newer authentication protocols such as WPA2, WPA2-Personal and WPA2-Enterprise ( ) come after.) We can summarize the stages in the process as follows: Security • scanning (or active probing) • open-authentication and association • true authentication • DHCP (getting an IP address, 7.10 Dynamic Host Configuration Protocol (DHCP) ) The association and authentication processes are carried out by an exchange of special management pack- ets , which are confined to the Wi-Fi LAN layer. Occasionally stations may re-associate to their Access Point, eg if they wish to communicate some status update. Access points periodically broadcast their SSID in special beacon packets (though for pseudo-security rea- sons the SSID in the beacon packets can be suppressed). Beacon packets are one of several Wi-Fi-layer-only management packets ; the default beacon-broadcast interval is 100 ms. These broadcasts allow stations to 108 3 Other LANs

119 An Introduction to Computer Networks, Release 1.9.18 see a list of available networks; the beacon packets also contain other Wi-Fi network parameters such as radio-modulation parameters and available data rates. Another use of beacons is to support the power-management doze mode. Some stations may elect to enter this power-conservation mode, in which case they inform the access point, record the announced beacon- transmission time interval and then wake up briefly to receive each beacon. Beacons, in turn, each contain a list (in a compact bitmap form) of each dozing station for which the access point has a packet to deliver. Ad hoc networks have beacon packets as well; all nodes participate in the regular transmission of these via a distributed algorithm. probe-request packet A connecting station may either wait for the next scheduled beacon, or send a special to elicit a beacon-like probe-response packet. These operations may involve listening to or transmitting on multiple radio channels, sequentially, as the station does not yet know the correct channel to use. Uncon- nected stations often send probe-request packets at regular intervals, to keep abreast of available networks; 3.7.4.2 it is these probe packets that allow tracking by the station’s MAC address. See MAC Address . Randomization association process. There is still a vestigial open- Once the beacon is received, the station initiates an authentication process that comes before association, but once upon a time this could also be “shared WEP key” authentication (below). Later, support for a wide range of authentication protocols was introduced, via the 802.1X framework; we return to this in 3.7.5 Wi-Fi Security . For our purposes here, we will include open authentication as part of the association process. Wi-Fi Drivers Even in 2015, 100%-open-source Wi-Fi drivers are available only for selected hardware, and even then not all operations may be supported. Something as simple in principle as changing one’s source Wi- 3.7.4.2 . Using Fi MAC address is sometimes not possible, though see MAC Address Randomization multiple MAC addresses for a host plus embedded virtual machines is another problematic case. In open authentication the station sends an authentication request to the access point and the access point replies. About all the station needs to know is the SSID of the access point, though it is usually possible to configure the access point to restrict admission to stations with MAC (physical) addresses on a pre- determined list. Stations sometimes evade MAC-address checking by changing their MAC address to an acceptable one, though some Wi-Fi drivers do not support this. Because the SSID plays something of the role of a password here, some Wi-Fi access points are configured so that beacon packets does not contain the SSID; such access points are said to be hidden . Unfortunately, access points hidden this way are easily unmasked: first, the SSID is sent in the clear by any other stations that need to authenticate, and second, an attacker can often transmit forged deauthentication or disassoci- ation requests to force legitimate stations to retransmit the SSID. (See “management frame protection” in 3.7.5 Wi-Fi Security for a fix to this last problem.) The shared-WEP-key authentication was based on the (obsolete) WEP encryption mechanism ( 3.7.5 Wi-Fi Security ). It involved a challenge-response exchange by which the station proved to the access point that it knew the shared WEP key. Actual WEP encryption would then start slightly later. Once the open-authentication step is done, the next step in an infrastructure network is for the station to associate to the access point. This involves an association request from station to access point, and an 3.7 Wi-Fi 109

120 An Introduction to Computer Networks, Release 1.9.18 association response in return. The primary goal of the association exchange is to ensure that the access point knows (by MAC address) what stations it can reach. This tells the access point how to deliver packets to the associating station that come from other stations or the outside world. Association is not necessary in an ad hoc network. Dynamic Host The entire connection process (including secure authentication, below, and DHCP, 7.10 Configuration Protocol (DHCP) ), often takes rather longer than expected, sometimes several seconds. See for a discussion of some of the causes. Some station and access-point pairs appear not to [PWZMTQ17] work as well together as other pairs. 3.7.4.2 MAC Address Randomization probe requests at regular intervals (and on all Most Wi-Fi-enabled devices are configured to transmit Wi-Fi available channels), at least when not connected. These probe requests identify available Wi-Fi networks, but they also reveal the device’s MAC address. This allows sites such as stores to track customers by their MAC address randomization device. To prevent such tracking, some devices now support , proposed in [GG03] : the use at appropriate intervals of a new MAC address randomly selected by the device. Probe requests are generally sent when the device is not joined to a network. To prevent tracking via probe requests, the simplest approach is to change the MAC address used for probes at regular, frequent intervals. A device might even change its MAC address on every probe. Changing the MAC address used for actually joining a network is also important to prevent tracking, but introduces some complications. RFC 7844 suggests these options for selecting new random addresses: • At regular time intervals Per connection • : each time the device connects to a Wi-Fi network, it will select a new MAC address • Per network : like the above, except that if the device reconnects to the same network (identified by SSID), it will use the same MAC address The first option, changing the joined MAC address at regular time intervals, breaks things. First, it will likely result in assignment of a new IP address to the device, terminating all existing connections. Second, many sites still authenticate – at least in part – based on the MAC address. The per-connection option prevents the first problem. The per-network option prevents both, but allows a site at which the device actually joins the network to track repeat connections. (Configuring the device to “forget” the connection between successive joins will usually prevent this, but may not be convenient.) Another approach to the tracking problem is to disable probe requests entirely, except on explicit demand. Wi-Fi MAC address randomization is, unfortunately, not a complete barrier to device tracking; there are other channels through which devices may leak information. For example, probe requests also contain device-capability data known as Information Elements; these values are often distinctive enough that they allow at least partial fingerprinting. Additionally, it is possible to track many Wi-Fi devices based on minute variations in the modulated signals they transmit. MAC address randomization does nothing to prevent such “radiometric identification”. Access points can also impersonate other popular access points, and thus trick devices into initiating a connection with their real MAC addresses. See [BBGO08] and [VMCCP16] for these and other examples. Finally, MAC address randomization may have applications for Ethernet as well as Wi-Fi. For example, in the original IPv6 specification, IPv6 addresses embedded the MAC address, and thus introduced the 110 3 Other LANs

121 An Introduction to Computer Networks, Release 1.9.18 possibility of tracking a device by its IPv6 address. MAC address randomization can prevent this form of tracking as well. However, other techniques implementable solely in the IPv6 layer appear to be more popular; see 8.2.1 Interface identifiers . 3.7.4.3 Roaming Large installations with multiple access points can create “roaming” access by assigning all the access points the same SSID. An individual station will stay with the access point with which it originally associated until the signal strength falls below a certain level (as determined by the station), at which point it will seek out other access points with the same SSID and with a stronger signal. In this way, a large area can be carpeted with multiple Wi-Fi access points, so as to look like one large Wi-Fi domain. The access points are often connected via a wired LAN, known as the distribution system , though the use of Wi-Fi itself to provide 3.7.4.4 Mesh Networks ). At any one time, a station interconnection between access points is also an option ( may be associated to only one access point. In 802.11 terminology, a multiple-access-point configuration with a single SSID is known as an “extended service set” or . ESS In order for such a large-area network to work, traffic a wireless station, eg B, must find that station’s to eg AP. To help the distribution system track B’s current location, B is required, at current access point, to AP, to send to AP a reassociation request , containing AP ’s address. the time it moves from AP old old This sets in motion a number of things; one of them is that AP contacts AP to verify (and terminate) the old former association. This reassociation process also gives AP an opportunity – not spelled out in detail in the standard – to notify the distribution system of B’s new location. If the distribution system is a switched Ethernet supporting the usual learning mechanism ( 2.4 Ethernet Switches ), one simple approach to roaming stations is to handle this the same way as, in a wired Ethernet, traffic finds a laptop that has been unplugged, carried to a new location, and plugged in again. Suppose our wireless node B has been exchanging packets via the distribution system with wired node C (perhaps a to AP, all it has to do is send any packet router connecting B to the Internet). When B moves from AP old over the LAN to C, and the Ethernet switches on the path from B to C will then learn the route through the switched Ethernet from C back to B’s new AP, and thus to B. It is also possible for B’s new AP to send this switch-updating packet, perhaps as part of its reassociation response. This process may leave other switches in the distribution system still holding in their forwarding tables the old location for B. This is not terribly serious, as it will be fixed for any one switch as soon as B sends a packet to a destination reached by that switch. The problem can be avoided entirely if, after moving, B (or, again, its new AP) sends out an Ethernet broadcast packet. Running Ethernet cable to remote access points can easily dwarf the cost of the access point itself. As a result, there is considerable pressure to find ways to allow the Wi-Fi network itself to form the distribution system. We return to this below, in 3.7.4.4 Mesh Networks . The IEEE 802.11r amendment introduced the standardization of fast handoffs from one access point to an- other within the same ESS. It allows the station and new access point to reuse the same pairwise master keys (below) that had been negotiated between the station and the old access point. It also slightly streamlines the reassociation process. Transitions must, however, still be initiated by the station. The amendment is limited to handoffs; it does not address finding the access point to which a particular station is associated, or routing between access points. Because handoffs must be initiated by the station, sometimes all does not quite work out smoothly. Within an ESS, most newer devices (2018) are quite good at initiating handoffs. However, this is not always the 3.7 Wi-Fi 111

122 An Introduction to Computer Networks, Release 1.9.18 case for older devices, and is usually still not the case for many mobile-station devices moving from one ESS to another (that is, where there is a change in the SSID). Such devices may cling to their original access point well past the distance at which the original signal ceases to provide reasonable bandwidth, as long as it does not vanish entirely. Many Wi-Fi “repeaters” or “extenders” (below) sold for residential use do require a second SSID, and so will often do a poor job at supporting roaming. Some access points support proprietary methods for dealing with older mobile stations that are reluctant to transfer to a closer access point within the same ESS, though these techniques are now seldom necessary. By communicating amongst themselves, the access points can detect when a station’s signal is weak enough that a handoff would be appropriate. One approach involves having the original access point initiate a dissociation. At that point the station will reconnect to the ESS but should now connect to an access point within the ESS that has a stronger signal. Another approach involves having the access points all use the same MAC address, so they are indistinguishable. Whichever access point receives the strongest signal from to the station. the station is the one used to transmit 3.7.4.4 Mesh Networks Being able to move freely around a multiple-access-point Wi-Fi installation is very important for many users. When such a Wi-Fi installation is created in a typical office building pre-wired for Ethernet, the access points all plug into the Ethernet, which becomes the distribution network. However, in larger-scale residential settings, and even many offices, running Ethernet cable may be prohibitively expensive. In such cases it makes sense to have the access points interconnect via Wi-Fi itself. If Alice associates to access point A and sends a packet destined for the outside world, then perhaps A will have to forward the packet to Wi-Fi node B, which will in turn forward it to C, before delivery can be complete. This is sometimes easier said than done, however, as the original Wi-Fi standards did not provide for the use of Wi-Fi access points as “repeaters”; there was no standard mechanism for a Wi-Fi-based distribution network. One inexpensive approach is to use devices sometimes sold as Wi-Fi “extenders”. Such devices typically set up a new SSID, and forward all traffic to the original SSID. Multi-hop configurations are possible, but must usually be configured manually. Because the original access point and the extender have different SSIDs, many devices will not automatically connect to whichever is closer, preferring to stick to the SSID originally connected to until that signal essentially disappears completely. This is, for many mobile users, reason enough to give up on this strategy. The desire for a Wi-Fi-based distribution network has led to multiple proprietary solutions. It is possible to purchase a set of Wi-Fi “mesh routers” (2018), often sold at a considerable premium over “standard” routers. After they are set up, these generally work quite well: they present a single SSID, and support fast handoffs from one access point to another, without user intervention. To the user, coverage appears seamless. The downside of a proprietary mechanism, however, is that once you buy into one solution, equipment from other vendors will seldom interoperate. This has led to pressure for standardization. The IEEE introduced “mesh networking” in its 802.11s amendment, finalized as part of the 2012 edition of the full 802.11 stan- dard; it was slow to catch on. The Wi-Fi Alliance introduced the Wi-Fi EasyMesh solution in 2018, based on 802.11s, but, as of the initial rollout, no vendors were yet on board. We will assume, for the time being, that Wi-Fi mesh networking is restricted to the creation of a distribution network interconnecting the access points; ordinary stations do not participate in forwarding other users’ 112 3 Other LANs

123 An Introduction to Computer Networks, Release 1.9.18 packets through the mesh. Common implementations often take this approach, but in fact the 802.11s amendment allows more general approaches. In creating a mesh network with a Wi-Fi distribution system – proprietary or 802.11s – the participating access points must address the following issues: • They must authenticate to one another • They must identify the correct access point to reach a given station B • They must correctly handle station B’s movement to a different access point • They must agree on how to route, through the mesh of access points, between the station and the connection to the Internet 3.7.8 MANETs ), Eventually the routing issue becomes the same routing problem faced by MANETs ( although restricted to the (simpler) case where all nodes are under common management. Routing is not Ñ B trivial; the path A C might be shorter than the alternative path A Ñ D Ñ E Ñ C, but support a lower data Ñ rate. The typical 802.11s solution is to have the multiple access points participate in a mesh BSS . This allows all the access points to appear to be on a single LAN. In this setting, the mesh BSS is separate from the ESS seen by the user stations, and is only used for inter-access-point communication. One (or more) access points are typically connected to the Internet; these are referred to as root mesh stations . In the 802.11s setting, mesh discovery is achieved via initial configuration of a mesh SSID, together with a WPA3 passphrase. Mutual authentication is then via WPA3, below; it is particularly important that each pair of stations authenticate symmetrically to one another. If station B associates to access point AP, then AP uses the mesh BSS to deliver packets sent by B to the root mesh station (or to some other AP). For reverse traffic, B’s reassociation request sent to AP gives AP an opportunity to interact with the mesh BSS to update B’s new location. The act of B’s sending a packet via AP will also tell the mesh BSS how to find B. 9.4.3 HWMP . This protocol typically Routing through the mesh BSS is handled via the HWMP protocol, generates a tree of station-to-station links (that is, a subset of all links that contains no loops), based at the root station. This process uses a routing metric that is tuned to the wireless environment, so that high- bandwidth and low-error links are preferred. If a packet is routed through the mesh BSS from station A to station B, then more addresses are needed in the packet header. The ultimate source and destination are A and B, and the transmitter and receiver correspond to the specific hop, but the packet also needs a source and destination within the mesh, perhaps corresponding to the two access points to which A and B connect. 802.11s handles this by adding a mesh control field consisting of some management fields (such as TTL and sequence number) and a variable- length block of up to three additional addresses. It is also possible for ordinary stations to join the 802.11s mesh BSS directly, rather than restricting the mesh BSS to the access points. This means that the stations will participate in the mesh as routing nodes. It is hard to predict, in 2018, how popular this will become. The EasyMesh standard of the Wi-Fi Alliance is not exactly the same as the IEEE 802.11s standard. For one thing, the EasyMesh standard specifies that one access point – the one connected to the Internet – will be a 3.7 Wi-Fi 113

124 An Introduction to Computer Networks, Release 1.9.18 “Multi-AP” Controller; the other access points are called Agents. The EasyMesh standard also incorporates parts of the IEEE 1905.1 standard for home networks, which simplifies initial configuration. 3.7.5 Wi-Fi Security Unencrypted Wi-Fi traffic is visible to anyone nearby with an appropriate receiver; this eavesdropping zone can be expanded by use of a larger antenna. Because of this, Wi-Fi security is important, and Wi-Fi supports several types of traffic encryption. The original – and now obsolete – Wi-Fi encryption standard was Wired-Equivalent Privacy, or . It WEP involved a 5-byte key, later sometimes extended to 13 bytes. The encryption algorithm was based on RC4, 22.7.4.1 RC4 , manually configured into each station. . The key was a pre-shared key Because of the specific way WEP made use of the RC4 cipher, it contained a fatal (and now-classic) flaw. Bytes of the key could be could be “broken” – that is, guessed – sequentially. Knowing bytes 0 through i–1 would allow an attacker to guess byte i with a relatively small amount of data, and so on through the entire 22.7.7 Wi-Fi WEP Encryption Failure for details. key. See WPA WEP was replaced with Wi-Fi Protected Access, or . This used the so-called TKIP encryption algo- rithm that, like WEP, was ultimately based on RC4, but which was immune to the sequential attack that made WEP so vulnerable. WPA was later replaced by WPA2 as part of the IEEE 802.11i amendment, which uses 22.7.2 Block Ciphers ); the variant used by WPA2 is known as the presumptively stronger AES encryption ( CCMP. WPA2 encryption is believed to be quite secure, although there was a vulnerability in the associated robust security network Wi-Fi Protected Setup protocol. In the 802.11i standard, WPA2 is known as the protocol. Access points supporting WPA or WPA2 declare this in their beacon and probe-response packets; these packets also include a list of acceptable ciphers. WPA2 (and WPA) comes in two flavors: WPA2-Personal and WPA2-Enterprise . These use the same AES encryption, but differ in how keys are managed. WPA2-Personal, appropriate for many smaller sites, uses a pre-shared master key, known as the PSK. This key must be entered into the Access Point (ideally not over the air) and into each connecting station. The key is usually a secure hash ( ) of a 22.6 Secure Hashes passphrase. The use of a single key for multiple stations makes changing the key, or revoking the key for a particular user, difficult. WPA3 , intended to fix a host of accumulated issues. Perhaps the most im- In 2018, the IEEE introduced portant change is that WPA3-Personal switches from the WPA2 four-way handshake to the SAE mutual- password-authentication mechanism, . We return to WPA3 22.8.2 Simultaneous Authentication of Equals below, at 3.7.5.3 WPA3 . 3.7.5.1 WPA2 Four-way handshake In any secure Wi-Fi authentication protocol, the station must authenticate to the access point and the access point must authenticate to the station; without the latter part, stations might inadvertently connect to rogue access points, which would then likely gain at least partial access to private data. This bidirectional authen- tication is achieved through the so-called four-way handshake , which also generates a session key , known as the pairwise transient key or PTK , that is independent of the master key. Compromise of the PTK should not allow an attacker to determine the master key. To further improve security, the PTK is used to generate the temporal key, TK , used to encrypt data messages, a separate message-signing key used in the MIC code, below, and some management-packet keys. 114 3 Other LANs

125 An Introduction to Computer Networks, Release 1.9.18 In WPA2-Personal, the master key is the pre-shared key (PSK); in WPA2-Enterprise, below, the master key is the negotiated “pairwise master key”, or PMK. The four-way handshake begins immediately after association and, for WPA2-Enterprise, the selection of the PMK. None of the four packets that are part of the handshake are encrypted. , typically 32 bytes Both station and access point begin by each selecting a random string, called a nonce long. In the diagram below, the access point (authenticator) has chosen ANonce and the station (supplicant) has chosen SNonce . The PTK will be a secure hash of the master key, both nonces, and both MAC addresses. The first packet of the four-way handshake is sent by the access point to the station, and contains replay counter , RC; the access point assigns these its nonce, unencrypted. This packet also contains a sequentially and the station echoes them back. Station Access Point ANonce, RC= r Station knows PTK , MIC r SNonce, RC= Access Point knows PTK RC =r+1, GTK, MIC ACK, RC= r+1 , MIC Install Install PTK PTK Four-way WPA2 handshake RC = replay counter At this point the station has enough information to compute the PTK; in the second message of the handshake it now sends its own nonce to the access point. The nonce is again sent in the clear, but this second message also includes a digital signature. This signature is sometimes called a Message Integrity Code, or MIC, and in the 802.11i standard is officially named Michael . It is calculated in a manner similar to the HMAC mechanism of 22.6.1 Secure Hashes and Authentication , and uses its own key derived from the PTK. Upon receipt of the station’s nonce, the access point too is able to compute the PTK. With the PTK now in hand, the access point verifies the attached signature. If it checks out, that proves to the access point that the station did in fact know the master key, as a valid signature could not have been constructed without it. The station has now authenticated itself to the access point. For the third stage of the handshake, the access point, now also in possession of the PTK, sends a signed message to the station. The replay counter is incremented, and an optional group temporal key , GTK, may be included for encrypting non-unicast messages. If the GTK is included, it is encrypted with the PTK, though the entire message is not encrypted. When this third message is received and verified, the access point has authenticated itself to the station. The fourth and final step is simply an acknowledgment from the client. Four-way-handshake packets are sent in the EAPOL format, described in the following section. This format can be used to identify the handshake packets in WireShark scans. 3.7 Wi-Fi 115

126 An Introduction to Computer Networks, Release 1.9.18 One significant vulnerability of the four-way handshake when WPA2-Personal is used is that if an eaves- dropper records the messages, then it can attempt an offline brute-force attack on the key. Different values of the passphrase used to generate the PSK can be tried until the MIC values computed for the second and third packets match the values in the corresponding recorded packets. At this point the attacker can not only authenticate to the network, but can also decrypt packets. This attack is harder with WPA2-Enterprise, as each user has a different key. Other WPA2-Personal stations on the same network can also eavesdrop, given that all stations share the same PSK, and that the PTK is generated from the PSK and information transmitted without encryption. The Diffie-Hellman-Merkle key-exchange mechanism, 22.8 Diffie-Hellman-Merkle Exchange , would avoid easily determined by an eavesdropper, even one with inside this difficulty; keys produced this way are not information about master keys. However, this was not used, in part because WPA needed to be rushed into service after the failure of WEP. 3.7.5.1.1 KRACK Attack The purpose of the replay counter, RC in the diagram above, is to prevent an attacker from reusing an old handshake packet. Despite this effort, replayed or regenerated instances of the third handshake packet can sometimes be used to seriously weaken the underlying encryption. The attack, known as the Key Rein- , or KRACK, is documented in . The attack has several variations, some of which stallation Attack [VP17] address a particular implementation’s interpretation of the IEEE standard, and some of which address other eg Wi-Fi keys ( eg the handshake used by 3.7.4.3 Roaming ). the group temporal key) and key handshakes ( We consider only the most straightforward form here. The ciphers used by WPA2 are all “stream” ciphers ( 22.7.4 Stream Ciphers ), meaning that, for each packet, keystream the key is used to generate a of pseudorandom bits, the same length as the packet; the packet is then XORed with this keystream to encrypt it. It is essential for this scheme’s security that the keystreams of encryption nonce , different packets are unrelated; to achieve this, the keystream algorithm incorporates an initially 1 and incremented for each successive packet. The core observation of KRACK is that, whenever the station installs or reinstalls the PTK, it also resets this encryption nonce to 1. This has the effect of resetting the keystream, so that, for a while, each new packet will be encrypted with exactly the same keystream as an earlier packet. This key reinstallation at the station side occurs whenever an instance of the third handshake packet arrives. Because of the possibility of lost packets, the handshake protocol must allow duplicates of any packet. The basic strategy of KRACK is now to force key reinstallation, by arranging for either the access point or the attacker to deliver duplicates of the third handshake packet to the station. In order to interfere with packet delivery, the attacker must be able to block and delay packets from the access point to the station, and be able to send its own packets to the station. The easiest way to accomplish this is for the attacker to be set up as a “clone” of the real access point, with the same MAC address, but operating on a different Wi-Fi channel . The attacker receives messages from the real access point on the original channel, and is able to selectively retransmit them to the station on the new channel. This can be described as a channel-based man-in-the-middle attack; cf 22.9.3 Trust and the Man in the Middle . Alternatively, the attacker may also be able to selectively jam messages from the access point. If the attacker can block the fourth handshake packet, from station to access point, then the access point will eventually time out and retransmit a duplicate third packet, complete with properly updated replay counter. 116 3 Other LANs

127 An Introduction to Computer Networks, Release 1.9.18 The attacker can delay the duplicate third packet, if desired, in order to prolong the interval of keystream reuse. The station’s response to this duplicate third packet will be encrypted, but the attacker can usually generate a forged, unencrypted version. Forcing reuse of the keystream does not automatically break the encryption. However, in many cases the plaintext of a few packets can be guessed by context, and hence, by XORing, the keystream used to encrypt the packet can be determined. This allows trivial decryption of any later packet encrypted with the same keystream. Other possibilities depend on the cipher. When the TKIP cipher is used, a vulnerability in the MIC algorithm may allow determination of the key used in the MIC; this in turn would allow the attacker to inject new packets, properly signed, into the connection. These new packets can be encrypted with one of the broken keystreams. This strategy does not work with AES (CCMP) encryption. The KRACK vulnerability was fixed in wpa_supplicant by disallowing reinstallation of the same key. That is, if a retransmission of the third handshake packet is received, it is ignored; the encryption nonce is not reset. 3.7.5.2 WPA2-Enterprise WPA2-Enterprise alternative allows each station to have its own separate key. In fact, it largely The separates the encryption mechanisms from the Wi-Fi protocols, allowing sites great freedom in choosing the former. Despite the “enterprise” in the name, it is also well suited for smaller sites. WPA2-Enterprise is based rather closely on the 802.1X framework, which supports arbitrary authentication protocols as plug-in modules. In principle, the only improvement WPA2-Enterprise offers over WPA2-Personal is the ability to assign individual Wi-Fi passwords. In practice, this is an enormously important feature. It prevents, for example, one user from easily decrypting packets sent by another user. The keys are all held by a single common system known as the authentication server , usually unrelated to the access point. The client node (that is, the Wi-Fi station) is known as the supplicant , and the access point authenticator . is known as the To begin the authentication process, the supplicant contacts the authenticator using the Extensible Authen- EAP , with what amounts to a request to authenticate to that access point. EAP is a tication Protocol, or generic message framework meant to support multiple specific types of authentication; see RFC 3748 and RFC 5247 . The EAP request is forwarded to the authentication server, which may exchange (via the au- thenticator) several challenge/response messages with the supplicant. No secret credentials should be sent in the clear. EAP is usually used in conjunction with the RADIUS (Remote Authentication Dial-In User Service) pro- tocol ( RFC 2865 ), which is a specific (but flexible) authentication-server protocol. WPA2-Enterprise is sometimes known as 802.1X mode, EAP mode or RADIUS mode (though WPA2-Personal is also based on 802.1X, and uses EAP in its four-way handshake). EAP communication takes place before the supplicant is given an IP address; thus, a mechanism must be provided to support exchange of EAP packets between supplicant and authenticator. This mechanism is known as EAPOL, for EAP Over LAN. EAP messages between the authenticator and the authentication server, on the other hand, can travel via IP; in fact, sites may choose to have the authentication server 3.7 Wi-Fi 117

128 An Introduction to Computer Networks, Release 1.9.18 hosted remotely. Specific protocols using the EAP/RADIUS framework often use packet formats other than EAPOL, but EAPOL will be used in the concluding four-way handshake. Once the authentication server ( eg RADIUS server) is set up, specific per-user authentication methods can username,password pairs (below), or some form of security certificate, or x be entered. This can amount to y sometimes both. The authentication server will generally allow different encryption protocols to be used for different supplicants, thus allowing for the possibility that there is not a common protocol supported by all stations. In WPA2-Enterprise, the access point no longer needs to know anything about what authentication protocol is actually used; it is simply the middleman forwarding EAP packets between the supplicant and the authen- tication server. In particular, the access point does not need to support any specific authentication protocol. The access point allows the supplicant to connect to the network once it receives permission to do so from the authentication server. At the end of the authentication process, the supplicant and the authentication server will, as part of that pro- pairwise cess, also have established a shared secret. In WPA2-Enterprise terminology this is known as the or PMK. The authentication server then communicates the PMK securely to the access point master key 22.10 SSH and TLS ). The next step is for the supplicant and the access (using any standard protocol; see point to negotiate their session key. This is done using the four-way-handshake mechanism of the previous section, with the PMK as the master key. The resultant PTK is, as with WPA2-Personal, used as the session key. WPA2-Enterprise authentication typically does require that the access point have an IP address, in order to be able to contact the authentication server. An access point using WPA2-Personal authentication does not need an IP address, though it may have one simply to enable configuration. 3.7.5.2.1 Enabling WPA2-Enterprise Configuring a Wi-Fi network to use WPA2-Enterprise authentication is relatively straightforward, as long as an authentication server running RADIUS is available. We here give an outline of setting up WPA2- Enterprise authentication using FreeRADIUS (version 2.1.12, 2018). We want to enable per-user passwords, but per-user certificates. Passwords will be stored on the server using SHA-1 hashing ( 22.6 Secure not ). This is not necessarily strong enough for production use; see 22.6.2 Password Hashes Hashes for other options. Because passwords will be hashed, the client will have to communicate the actual password to the authentication server; authentication methods such as those in 22.6.3 CHAP are not an option. The first step is to set up the access point. This is generally quite straightforward; WPA2-Enterprise is sup- ported even on inexpensive access points. After selecting the option to enable WPA2-Enterprise security, we will need to enter the IP address of the authentication server, and also a “shared secret” password for authen- 22.6.1 Secure Hashes and Authentication ticating messages between the access point and the server (see for message-authentication techniques). Configuration of the RADIUS server is a bit more complex, as both RADIUS and EAP are both quite general; both were developed long before 802.1X, and both are used in many other settings as well. Because we have decided to use hashed passwords – which implies the client station will send the plaintext password to the authentication server – we will need to use an authentication method that creates an encrypted tunnel. The Protected EAP method is well-suited here; it encrypts its traffic using TLS ( 22.10.2 TLS , though here without TCP). (There is also an EAP TLS method, using TLS directly and traditionally requiring client-side certificates, and a TTLS method, for Tunneled TLS.) 118 3 Other LANs

129 An Introduction to Computer Networks, Release 1.9.18 Within the PEAP encrypted tunnel, we want to use plaintext password authentication. Here we want the Password Authentication Protocol, PAP, which basically just asks for the username and password. FreeRA- DIUS does not allow PAP to run directly within PEAP, so we interpose the Generic Token Card protocol, GTC. (There is no “token card” device anywhere in sight, but GTC is indeed quite generic.) We probably also have to tell the RADIUS server the IP address of the access point. The access point here have an IP address, specifically for this communication. must We enable all these things by editing the file so as to contain the following entries: eap.conf default_eap_type = peap ... peap { default_eap_type = gtc ... } ... gtc { auth_type = PAP ... } The next step is to create a (username, hashed_password) credential pair on the server. To keep things users file. The username will be “alice”, with password “snorri”. simple, we will store credentials in the Per the FreeRADIUS rules, we need to convert the password to its SHA-1 hash, encoded using base64. There are several ways to do this; we will here make use of the OpenSSL command library: echo -n "snorri" | openssl dgst -binary -sha1 | openssl base64 This returns the string which we then enter into the users file 7E6FbhrN2TYOkrBti+8W8weC2W8= as follows: alice SHA1-Password := "7E6FbhrN2TYOkrBti+8W8weC2W8=" Other options include Cleartext-Password , MD5-Password and SSHA1-Password , with the lat- ter being for salted passwords (which are recommended). With this approach, Alice will have difficulty changing her password, unless she is administrator of the authentication server. This is not necessarily worse than WPA2-Personal, where Alice shares her password with other users. However, if we want to support user-controlled password changing, we can configure the RADIUS server to look for the (username, hashed_password) credentials in a database instead of the users file. It is then relatively straightforward to create a web-based interface for allowing users to change their passwords. Now, finally, we try to connect. Any 802.1X client should ask for the username and password, before com- munication with the authentication server begins. Some may also ask for a preferred authentication method (though our RADIUS server here is only offering one), an optional certificate (which we are not using), or an “anonymous identity”, which is a way for a client to specify a particular authentication server if there are 3.7 Wi-Fi 119

130 An Introduction to Computer Networks, Release 1.9.18 several. If all goes well, connection should be immediate. If not, FreeRADIUS has an authentication-testing tool, and copious debugging output. 3.7.5.3 WPA3 In 2018 the Wi-Fi Alliance introduced WPA3, a replacement for WPA2. The biggest change is that, when both parties are WPA3-aware, the WPA2 four-way handshake is replaced with SAE, 22.8.2 Simultaneous Authentication of Equals . The advantage of SAE here is that an eavesdropper can get nowhere with an offline, dictionary-based, brute-force password attack; recall from the end of 3.7.5.1 WPA2 Four-way that WPA2 is quite vulnerable in this regard. An attacker can still attempt an on line brute-force handshake eg attack on WPA3, by parking a van within Wi-Fi range and trying one password after another, but this is slow. Another consequence of SAE is forward secrecy ( 22.9.2 Forward Secrecy ). This means that if an attacker obtains the encryption key for one session, it will not help decrypt older (or newer) sessions. In fact, even if an attacker obtains the master password, it will not be able to obtain any session keys (although the attacker will be able to connect to the network). Under WPA2, if an attacker obtains the PMK, then all session keys can be calculated from the nonce values exchanged in the four-way handshake. As with WPA2, WPA3 requires that both the station and the access point maintain the password cleartext (or at least the key derived from the password). Because each side must authenticate to the other, it is hard to see how this could be otherwise. WPA3 encrypts even connections to “open” access points, through what is called Opportunistic Wireless Encryption; see RFC 8110 . WPA3 also introduces longer key lengths, and adds some new ciphers. Although it is not strictly part of WPA3, the EasyConnect feature was announced at the same time. This al- lows easier connection of devices that lack screens or keyboards, which makes entering a password difficult. The EasyConnect device should come with a QR code; scanning the code allows the device to be connected. Finally, WPA3 contains an official fix to the KRACK attack. 3.7.5.4 Encryption Coverage Originally, encryption covered only the data packets. A common attack involved forging management pack- ets, eg to force stations to disassociate from their access point. Sometimes this was done continuously as a denial-of-service attack; it might also be done to force a station to reassociate and thus reveal a hidden SSID, or to reveal key information to enable a brute-force decryption attack. The 2009 IEEE 802.11w amendment introduced the option for a station and access point to negotiate man- agement frame protection , which encrypts (and digitally signs) essential management packets exchanged after the authentication phase is completed. This includes those station-to-access-point packets requesting deauthentication or disassociation, effectively preventing the above attacks. However, management frame protection is (as of 2015) seldom enabled by default by consumer-grade Wi-Fi access points, even when data encryption is in effect. 120 3 Other LANs

131 An Introduction to Computer Networks, Release 1.9.18 3.7.6 Wi-Fi Monitoring Again depending on ones driver, it is sometimes possible to monitor all Wi-Fi traffic on a given chan- nel. Special tools exist for this, including aircrack-ng and kismet, but often plain WireShark will suffice if one can get the underlying driver into so-called “monitor” mode. On Linux systems the command wlan0 iwconfig wlan0 mode monitor is the name of the wireless net- should do this (where interface open, work interface). It may be necessary to first kill other processes that have the wlan0 eg service NetworkManager stop . It may also be necessary to bring the interface down, with with ifconfig wlan0 down up after entering moni- , in which case the interface needs to be brought back tor mode. Finally, the receive channel can be set with, , iwconfig wlan0 channel 6 . (On some eg systems the interface name may change after the transition to monitor mode.) After the mode and channel are set, Wireshark will report the 802.11 management-frame headers, and also the so-called radiotap header containing information about the transmission data rate, channel, and received signal strength. One useful experiment is to begin monitoring and then to power up a Wi-Fi enabled device. The WireShark display filter wlan.addr == device-MAC-address helps focus on the relevant packets(or, better yet, the capture filter ether host ). The WireShark screenshot below is an example. device-MAC-address we see node SamsungE_03:3f:ad broadcast a probe request, which is answered by the access point Cisco- Li_d1:24:40. The next two packets represent the open-authentication process, followed by two packets representing the association process. The last four packets, of type EAPOL , represent the WPA2-Personal four-way authentication handshake. 3.7.7 Wi-Fi Polling Mode Wi-Fi also includes a “polled” mechanism, where one station (the Access Point) determines which stations are allowed to send. While it is not often used, it has the potential to greatly reduce collisions, or even eliminate them entirely. This mechanism is known as “Point Coordination Function”, or PCF, versus the collision-oriented mechanism which is then known as “Distributed Coordination Function”. The PCF name refers to the fact that in this mode it is the Access Point that is in charge of coordinating which stations get to send when. The PCF option offers the potential for regular traffic to receive improved throughput due to fewer collisions. However, it is often seen as intended for real-time Wi-Fi traffic, such as voice calls over Wi-Fi. The idea behind PCF is to schedule, at regular intervals, a contention-free period, or CFP . During this period, the Access Point may • send Data packets to any receiver • send Poll packets to any receiver, allowing that receiver to reply with its own data packet 3.7 Wi-Fi 121

132 An Introduction to Computer Networks, Release 1.9.18 • send a combination of the two above (not necessarily to the same receiver) • send management packets, including a special packet marking the end of the CFP None of these operations can result in a collision (unless an unrelated but overlapping Wi-Fi domain is involved). Stations receiving data from the Access Point send the usual ACK after a SIFS interval. A data packet from the Access Point addressed to station B may also carry, piggybacked in the Wi-Fi header, a Poll request to another station C; this saves a transmission. Polled stations that send data will receive an ACK from the Access Point; this ACK may be combined in the same packet with the Poll request to the next station. At the end of the CFP, the regular “contention period” or CP resumes, with the usual CSMA/CA strategy. The time interval between the start times of consecutive CFP periods is typically 100 ms, short enough to allow some real-time traffic to be supported. During the CFP, all stations normally wait only the Short IFS, SIFS, between transmissions. This works because normally there is only one station designated to respond: the Access Point or the polled station. PIFS (PCF However, if a station is polled and has nothing to send, the Access Point waits for time interval Inter-Frame Spacing), of length midway between SIFS and IFS above (our previous IFS should now really be known as DIFS, for DCF IFS). At the expiration of the PIFS, any non-Access-Point station that happens to be unaware of the CFP will continue to wait the full DIFS, and thus will not transmit. An example of such a CFP-unaware station might be one that is part of an entirely different but overlapping Wi-Fi network. The Access Point generally maintains a polling list of stations that wish to be polled during the CFP. Stations request inclusion on this list by an indication when they associate or (more likely) reassociate to the Access Point. A polled station with nothing to send simply remains quiet. PCF mode is not supported by many lower-end Wi-Fi routers, and often goes unused even when it is avail- able. Note that PCF mode is collision-free, so long as no other Wi-Fi access points are active and within range . While the standard has some provisions for attempting to deal with the presence of other Wi-Fi networks, these provisions are somewhat imperfect; at a minimum, they are not always supported by other access points. The end result is that polling is not quite as useful as it might be. 3.7.8 MANETs The MANET acronym stands for mobile ad hoc network ; in practice, the term generally applies to ad hoc wireless networks of sufficient complexity that some internal routing mechanism is needed to enable 3.7.4.4 Mesh Networks qualifies as a MANET, though full connectivity. A mesh network in the sense of MANETs also include networks with much less centralized control, and in which the routing nodes may be highly mobile. MANETs are also potentially much larger, with some designs intended to handle many hundreds of routing nodes, while a typical Wi-Fi mesh network may have only a handful of access points. While MANETs be built with any wireless mechanism, we will assume here that Wi-Fi is used. MANET nodes communicate by radio signals with a finite range, as in the diagram below. 122 3 Other LANs

133 An Introduction to Computer Networks, Release 1.9.18 C E A B G D F Typical MANET in which the radio range for each node is represented by a circle around that node. A can reach G either by the route A—B—C—E—G or by A—B—D—F—G. Each node’s radio range is represented by a circle centered about that node. In general, two MANET nodes may be able to communicate only by relaying packets through intermediate nodes, as is the case for nodes A and G in the diagram above. Finding the optimal route through those intermediate nodes is a significant problem. MANETs for the People In the early years of MANETs, many designs focused on a decentralized, communitarian approach, eg wireless community networks. During the 2010 Arab Spring, MANETs were often proposed (in conjunc- tion with a few users having satellite-Internet access) as a way to bypass government censorship of the Internet. Fast forward to 2018, and much press discussion of “mesh networks” is oriented towards those with exceptionally large private residences. Nothing endures but change. In the field, the radio range of each node may not be very circular at all, due to among other things signal reflection and blocking from obstructions. An additional complication arises when the nodes (or even just obstructions) are moving in real time (hence the “mobile” of MANET); this means that a working route may stop working a short time later. For this reason, and others, routing within MANETs is a good deal more complex than routing in an Ethernet. A switched Ethernet, for example, is required to be loop-free, so there is never a choice among multiple alternative routes. Note that, without successful LAN-layer routing, a MANET does not have full node-to-node connectivity and thus does not meet the definition of a LAN given in 1.9 LANs and Ethernet . With either LAN-layer or IP-layer routing, one or more MANET nodes may serve as gateways to the Internet. Note also that MANETs in general do not support broadcast or multicast, unless the forwarding of broadcast and multicast messages throughout the MANET is built in to the routing mechanism. This can complicate the operation of IPv4 and IPv6 networks, even assuming that the MANET routing mechanism replaces the 3.7 Wi-Fi 123

134 An Introduction to Computer Networks, Release 1.9.18 need for broadcast/multicast protocols like IPv4’s ARP ( ) and IPv6’s 7.9 Address Resolution Protocol: ARP 8.6 Neighbor Discovery Neighbor Discovery ( ) that otherwise play important roles in local packet delivery. For example, the common IPv4 address-assignment mechanism we will describe in 7.10 Dynamic Host Configuration Protocol (DHCP) relies on broadcast and so often needs adaptation. Similarly, IPv6 relies on multicast for several ancillary services, including address assignment ( 8.7.3 DHCPv6 ) and duplicate 8.7.1 Duplicate Address Detection ). address detection ( MANETs are simplest when all the nodes are under common, coordinated management, as in the mesh Wi-Fi described above. Life is much more complicated when nodes are individually owned, and each owner wishes to place limits on the amount of “transit traffic” – traffic passing through the owner’s node – that is acceptable. Yet this is often the situation faced by schemes to offer Wi-Fi-based community Internet access. Finally, we observe that while MANETs are of great theoretical interest, their practical impact has been modest; they are almost unknown, for example, in corporate environments, beyond the mesh networks of . They appear most useful in emergency situations, rural settings, and settings where 3.7.4.4 Mesh Networks the conventional infrastructure network has failed or been disabled. 3.7.8.1 Routing in MANETs Routing in MANETs can be done either at the LAN layer, using physical addresses, or at the IP layer with some minor bending (below) of the rules. Either way, nodes must find out about the existence of other nodes, and appropriate routes must then be selected. Route selection can use any of the mechanisms we describe later in 9 Routing-Update Algorithms . Routing at the LAN layer is much like routing by Ethernet switches; each node will construct an appropriate forwarding table. Unlike Ethernet, however, there may be multiple paths to a destination, direct connectivity between any particular pair of nodes may come and go, and negotiation may be required even to determine which MANET nodes will serve as forwarders. Routing at the IP layer involves the same issues, but at least IP-layer routing-update algorithms have always been able to handle multiple paths. There are some minor issues, however. When we initially presented 1.10 IP forwarding in , we assumed that routers made their decisions by looking IP - Internet Protocol only at the network prefix of the address; if another node had the same network prefix it was assumed to be reachable directly via the LAN. This model usually fails badly in MANETs, where direct reachability has nothing to do with addresses. At least within the MANET, then, a modified forwarding algorithm must be used where every address is looked up in the forwarding table. One simple way to implement this is to have the forwarding tables contain only entries as were discussed in 3.1 Virtual Private Networks . host-specific Multiple routing algorithms have been proposed for MANETs. Performance of a given algorithm may depend on the following factors: • The size of the network • How many nodes have agreed to serve as routers • The degree of node mobility, especially of routing-node mobility if applicable • Whether the nodes (especially routing nodes) are under common administration, and thus may agree to defer their own transmission interests for the common good • per-node storage and power availability 124 3 Other LANs

135 An Introduction to Computer Networks, Release 1.9.18 3.8 WiMAX and LTE WiMAX and LTE are both wireless network technologies suitable for data connections to mobile (and sometimes stationary) devices. WiMAX is an IEEE standard, 802.16; its original name is WirelessMAN (for Metropolitan Area Network), and this name appears intermittently in the IEEE standards. In its earlier versions it was intended for station- ary subscribers (802.16d), but was later expanded to support mobile subscribers (802.16e). The stationary- subscriber version is often used to provide residential Internet connectivity, in both urban and rural areas. LTE (the acronym itself stands for Long Term Evolution) is a product of the mobile telecom world; it was designed for mobile subscribers from the beginning. Its official name – at least for its radio protocols – is Evolved UTRA , or E-UTRA, where UTRA in turn stands for UMTS Terrestrial Radio Access. UMTS stands for Universal Mobile Telecommunications System, a core mobile-device data-network mechanism with standards dating from the year 2000. 4G Capacity A medium-level wireless data plan often comes with a 5 GB monthly cap. At the 100 Mbps 4G data rate, that allotment can be downloaded in under six minutes. Data rate isn’t everything. Both LTE and the mobile version of WiMAX are often marketed as fourth generation (or 4G) networking technology. The ITU has a specific definition for 4G developed in 2008, officially named IMT-Advanced and including a 100 Mbps download rate to moving devices and a 1 Gbps download rate to more-or-less- stationary devices. Neither WiMAX nor LTE quite qualified technically, but to marketers that was no im- pediment. In any event, in December 2010 the ITU issued a statement in which it “recognized that [the term 4G], while undefined, may also be applied to the forerunners of these technologies, LTE and WiMax”. So-called Advanced LTE and WiMAX2 are true IMT-Advanced protocols. As in we will use the term “data rate” for what is commonly called “bandwidth” to avoid 3.6.4 Band Width confusion with the radio-specific meaning of the latter term. WiMAX can use unlicensed frequencies, like Wi-Fi, but its primary use is over licensed radio spectrum; LTE is used almost exclusively over licensed spectrum. WiMAX and LTE both support a number of options for the width of the frequency band; the wider the band, the higher the data rate. Downlink (base station to subscriber) data rates can be well over 100 Mbps (uplink rates are usually smaller). Most LTE bands are either in the range 700-900 MHz or are above 1700 MHz; the lower frequencies tend to be better at penetrating trees and walls. Like Wi-Fi, WiMAX and LTE subscriber stations connect to a central access point. The WiMAX standard prefers the term which we will use henceforth for both protocols; LTE officially prefers the base station term “evolved NodeB” or eNB. The coverage radius for LTE and mobile-subscriber WiMAX might be one to ten kilometers, versus less (sometimes much less) than 100 meters for Wi-Fi. Stationary-subscriber WiMAX can operate on a larger scale; the coverage radius can be several tens of kilometers. As distances increase, the data rate is reduced. Large-radius base stations are typically mounted in towers; smaller-radius base-stations, generally used only in areas densely populated with subscribers, may use lower antennas integrated discretely into the local 3.8 WiMAX and LTE 125

136 An Introduction to Computer Networks, Release 1.9.18 architecture. Subscriber stations are not expected to be able to hear other stations; they interact only with the base station. 3.8.1 Uplink Scheduling As distances increase, the subscriber-to-base RTT becomes non-negligible. At 10 kilometers, this RTT is 66 μsec, based on the speed of light of about 300 m/μsec. At 100 Mbps this is enough time to send 800 bytes, making it a priority to reduce the number of RTTs. To this end, it is no longer practical to use Wi-Fi-style collisions to resolve access contention; it is not even practical to use the Wi-Fi PCF mode of 3.7.7 Wi-Fi Polling Mode because polling requires additional RTTs. Instead, WiMAX and LTE rely on scheduling of transmissions. base-station-regulated The base station has no difficulty scheduling downlink transmissions, from base to subscriber: the base station simply sends the packets sequentially (or in parallel on different sets of subcarriers if OFDM is used). If beamforming MISO antennas are used, or multiple physically directional antennas, the base station will take this into account. It is the uplink transmissions – from subscriber to base – that are more complicated to coordinate. Once a subscriber station completes the network entry process to connect to a base station ( ), 3.8.3 Network Entry it is assigned regular transmission slots, including times and frequencies. These transmission slots may vary in size over time; the base station may regularly issue new transmission schedules. Each subscriber station is told in effect that it may transmit on its assigned frequencies starting at an assigned time and for an assigned length; LTE lengths start at 1 ms and WiMAX lengths at 2 ms. The station synchronizes its clock with that of the base station as part of the network entry process. Each subscriber station is scheduled to transmit so that one transmission finishes arriving at the base station just before the next station’s same-frequency transmission begins arriving. Only minimal “guard intervals” need be included between consecutive transmissions. Two (or more) consecutive uplink transmissions may in fact be “in the air” simultaneously, as far-away stations need to begin transmitting early so their signals will arrive at the base station at the expected time. The diagram above illustrates this for stations separated by relatively large physical distances (as may be typical for long-range WiMAX). This strategy for uplink scheduling eliminates the full RTT that Wi-Fi 3.7.7 Wi-Fi Polling Mode ) entails. polling mode ( Scheduled timeslots may be periodic (as is would be appropriate for voice) or may occur at varying inter- vals. Quality-of-Service requests may also enter into the schedule; LTE focuses on end-to-end QoS while WiMAX focuses on subscriber-to-base QoS. When a station has data to send, it may include in its next scheduled transmission a request for a longer transmission interval; if the request is granted, the station may send its data (or at least some of its data) in its next scheduled transmission slot. When a station is done transmitting, its timeslot may shrink back to the minimum, and may be scheduled less frequently as well, but it does not disappear. Stations without data to send remain connected to the base station by sending “empty” messages during these slots. 3.8.2 Ranging The uplink scheduling of the previous section requires that each subscriber station know the distance to the base station. If a subscriber station is to transmit so that its message arrives at the base station at a 126 3 Other LANs

137 An Introduction to Computer Networks, Release 1.9.18 Sta2 Sta1 Base Sta3 Three packets in transit from stations Sta1, Sta2 and Sta3. The packets propagate outwards from the stations at the speed of light, like ripples, spatially confined between two concentric dot-dash circles (circles around Sta3 are not shown). The packet portion along the straight line from the station to the Base is represented as a heavy arrow. The three packets will arrive at Base sequentially and without overlap. certain time, it must actually begin transmission early by an amount equal to the one-way station-to-base propagation delay. This distance/delay measurement process is called . ranging Ranging can be accomplished through any RTT measurement. Any base-station delay in replying, once a subscriber message is received, simply needs to be subtracted from the total RTT. Of course, that base-station delay needs also to be communicated back to the subscriber. The distance to the base station is used not only for the subscriber station’s transmission timing, but also to determine its power level; signals from each subscriber station, no matter where located, should arrive at the base station with about the same power. 3.8.3 Network Entry The scheduling process eliminates the potential for collisions between normal data transmissions. But there remains the issue of initial entry to the network. If a handoff is involved, the new base station can be informed by the old base station, and send an appropriate schedule to the moving subscriber station. But if the subscriber station was just powered on, or is arriving from an area without LTE/WiMAX coverage, potential transmission collisions are unavoidable. Fortunately, network entry is infrequent, and so collisions are even less frequent. A subscriber station begins the network-entry connection process to a base station by listening for the base station’s transmissions; these message streams contain regular management messages containing, among other things, information about available data rates in each direction. Also included in the base station’s message stream is information about when network-entry attempts can be made. In WiMAX these entry-attempt timeslots are called ranging intervals ; the subscriber station waits for one 3.8 WiMAX and LTE 127

138 An Introduction to Computer Networks, Release 1.9.18 of these intervals and sends a “range-request” message to the base station. These ranging intervals are open to all stations attempting network entry, and if another station transmits at the same time there will be a collision. An Ethernet/Wi-Fi-like exponential-backoff process is used if a collision does occur. , for Random Access CHannel. The base station designates In LTE the entry process is known as RACH certain 1 ms timeslots for network entry. During one of these slots an entry-seeking subscriber chooses at random access preambles random one of up to 64 predetermined (some preambles may be reserved for a second, contention-free form of RACH), and transmits it. The 1-ms timeslot corresponds to 300 kilometers, much larger than any LTE cell, so the fact that the subscriber does not yet know its distance to the base does not matter. The preambles are mathematically “orthogonal”, in such a way that as long as no two RACH-participating subscribers choose the same preamble, the base station can decode overlapping preambles and thus receive the of all preambles transmitted during the RACH timeslot. The base station then sends a reply, listing set the preambles received and, in effect, an initial schedule indexed by preamble of when each newly entering subscriber station can transmit actual data. This reply is sent to a special temporary multicast address known radio network temporary identifier , or RNTI, as the base station does not yet know the actual identity of as a any new subscriber. Those identities are learned as the new subscribers transmit to the base station according to this initial schedule. A collision occurs when two LTE subscriber stations have the misfortune of choosing the same preamble in the same RACH timeslot, in which case the chosen preamble will not appear in the initial schedule trans- mitted by the base station. As for WiMAX, collisions are rare because network entry is rare. Subscribers experiencing a collision try again during the next RACH timeslot, choosing at random a new preamble. For both WiMAX and LTE, network entry is the only time when collisions can occur; afterwards, all subscriber-station transmissions are scheduled by the base station. If there is no collision, each subscriber station is able to use the base station’s initial-response transmission to make its first ranging measurement. Subscribers must have a ranging measurement in hand before they can send any scheduled transmission. 3.8.4 Mobility There are some significant differences between stationary and mobile subscribers. First, mobile subscribers will likely expect some sort of handoff from one base station to another as the subscriber moves out of range of the first. Second, moving subscribers mean that the base-to-subscriber ranging information may change rapidly; see exercise 7.0. If the subscriber does not update its ranging information often enough, it may transmit too early or too late. If the subscriber is moving fast enough, the Doppler effect may also alter frequencies. 3.9 Fixed Wireless This category includes all wireless-service-provider systems where the subscriber’s location does not change. Often, but not always, the subscriber will have an outdoor antenna for improved reception and range. Fixed-wireless systems can involve relay through satellites, or can be terrestrial . 128 3 Other LANs

139 An Introduction to Computer Networks, Release 1.9.18 3.9.1 Terrestrial Wireless Terrestrial wireless – also called terrestrial broadband or fixed-wireless broadband – involves direct (non- satellite) radio communication between subscribers and a central access point. Access points are usually tower-mounted and serve multiple subscribers, though single-subscriber point-to-point “microwave links” also exist. A multi-subscriber access point may serve an area with radius up to several tens of miles, de- pending on the technology, though more common ranges are under ten miles. WiMAX 802.16d is one form of terrestrial wireless, but there are several others. Frequencies may be either licensed or unlicensed. Unli- censed frequency bands are available at around 900 MHz, 2.4 GHz, and 5 GHz. Nominally all three bands require that line-of-sight transmission be used, though that requirement becomes stricter as the frequency increases. Lower frequencies tend to be better at “seeing” through trees and other obstructions. Trees vs Signal 3.9 Fixed Wireless 129

140 An Introduction to Computer Networks, Release 1.9.18 Photo of the author attempting to improve his 2.4 GHz terrestrial-wireless signal via tree trimming. Terrestrial fixed wireless was originally popularized for rural areas, where residential density is too low for economical cable connections. However, some fixed-wireless ISPs now operate in urban areas, often using WiMAX. One advantage of terrestrial fixed-wireless in remote areas is that the antennas covers a much smaller geographical area than a satellite, generally meaning that there is more data bandwidth available per user and the cost per megabyte is much lower. Outdoor subscriber antennas often use a parabolic dish to improve reception; sizes range from 10 to 50 cm in diameter. The size of the dish may depend on the distance to the central tower. While there are standardized fixed-wireless systems, such as WiMAX, there are also a number of propri- etary alternatives, including systems from Trango and Canopy. Fixed-wireless systems might, in fact, be considered one of the last bastions of proprietary LAN protocols. This lack of standardization is due to a variety of factors; two primary ones are the relatively modest overall demand for this service and the the fact that most antennas need to be professionally installed by the ISP to ensure that they are “properly mounted, aligned, grounded and protected from lightning”. 3.9.2 Satellite Internet An extreme case of fixed wireless is satellite Internet , in which signals pass through a satellite in geosyn- chronous orbit (35,786 km above the earth’s surface). Residential customers have parabolic antennas typ- ically from 70 to 100 cm in diameter, larger than those used for terrestrial wireless but smaller than the dish antennas used at access points. The geosynchronous satellite orbit means that the antennas need to be pointed only once, at installation. Transmitter power is typically 1-2 watts, remarkably low for a signal that travels 35,786 km. The primary problem associated with satellite Internet is very long RTTs. The the speed-of-light round-trip propagation delay is about 500 ms to which must be added queuing delays for the often-backlogged access point (my own personal experience suggested that RTTs of close to 1,000 ms were the norm). These long delays affect real-time traffic such as VoIP and gaming, but as we shall see in 14.11 The Satellite-Link TCP bulk TCP transfers also perform poorly with very long RTTs. To provide partial compensation for Problem the TCP issue, many satellite ISPs provide some sort of “acceleration” for bulk downloads: a web page, for example, would be downloaded rapidly by the access point and streamed to the satellite and back down to the user via a proprietary mechanism. Acceleration, however, cannot help interactive connections such as VPNs. Another common feature of satellite Internet is a low daily utilization cap, typically in the hundreds of megabytes. Utilization caps are directly tied to the cost of maintaining satellites, but also to the fact that one satellite covers a great deal of ground, and so its available capacity is shared by a large number of users. The delay issues associated with satellite Internet would go away if satellites were in so-called low-earth orbits, a few hundred km above the earth. RTTs would then be comparable with terrestrial Internet. Fixed- direction antennas could no longer be used. A large number of satellites would need to be launched to provide 24-hour coverage even at one location. To data (2016), such a network of low-earth satellites has been proposed, but not yet launched. 130 3 Other LANs

141 An Introduction to Computer Networks, Release 1.9.18 3.10 Epilog Along with a few niche protocols, we have focused primarily here on wireless and on virtual circuits. Wire- less, of course, is enormously important: it is the enabler for mobile devices, and has largely replaced traditional Ethernet for home and office workstations. While it is sometimes tempting (in the IP world at least) to write off ATM as a niche technology, virtual 20 Quality of circuits are a serious conceptual alternative to datagram forwarding. As we shall see in Service , IP has problems handling real-time traffic, and virtual circuits offer a solution. The Internet has so far embraced only small steps towards virtual circuits (such as MPLS, 20.12 Multi-Protocol Label ), but they remain a tantalizing strategy. Switching (MPLS) 3.11 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise ♢ 4.5 is distinct, for example, from exercises 4.0 and 5.0. Exercises marked with a have solutions or hints . at 24.3 Solutions for Other LANs 1.0. Suppose remote host A uses a VPN connection to connect to host B, with IP address 200.0.0.7. A’s eth0 with IP address 12.1.2.3; A’s VPN connection is via device normal Internet connection is via device with IP address 10.0.0.44. Whenever A wants to send a packet via ppp0 , it is encapsulated and ppp0 forwarded over the connection to B at 200.0.0.7. (a). Suppose A’s IP forwarding table is set up so that all traffic to 200.0.0.7 uses eth0 and all traffic to anywhere else uses ppp0 . What happens if an intruder M attempts to open a connection to A at 12.1.2.3? What route will packets from A to M take? (b). Suppose A’s IP forwarding table is (mis)configured so that all outbound traffic uses . Describe ppp0 what will happen when A tries to send a packet. 2.0. Suppose remote host A wishes to use a TCP-based VPN connection to connect to host B, with IP address 200.0.0.7. However, the VPN software is not available for host A. Host A is, however, able to run that software on a virtual machine V hosted by A; A and V have respective IP addresses 10.0.0.1 and 10.0.0.2 on the virtual network connecting them. V reaches the outside world through network address translation 7.7 Network Address Translation ), with A acting as V’s NAT router. When V runs the VPN software, ( it forwards packets addressed to B the usual way, through A using NAT. Traffic to any other destination it encapsulates over the VPN. Can A configure its IP forwarding table so that it can make use of the VPN? If not, why not? If so, how? (If you prefer, you may assume V is a physical host connecting to a second interface on A; A still acts as V’s NAT router.) 3.0. Token Bus was a proprietary Ethernet-based network. It worked like Token Ring in that a small token packet was sent from one station to the next in agreed-upon order, and a station could transmit only when it had just received the token. 3.10 Epilog 131

142 An Introduction to Computer Networks, Release 1.9.18 (a). If the data rate is 10 Mbps and the token is 64 bytes long (the 10-Mbps Ethernet minimum packet size), what is the average wait to receive the token on an idle network with 40 stations? (The average number of stations the token must pass through is 40/2 = 20.) Ignore the propagation delay and the gap Ethernet requires between packets. . Sketch a protocol by which stations can sort themselves out to decide the order of token transmission; (b) ♢ . . . S where station S that is, an order of the stations S sends the token to station S . (i+1) mod n 0 n-1 i 4.0. A seemingly important part of the IEEE 801.11 Wi-Fi standard is that stations do not transmit when another station is transmitting; this is meant to reduce collisions. And yet the standard states “transmission of the ACK frame shall commence after a SIFS period, without regard to the busy/idle state of the medium”; not that is, the ACK sender does listen first for an idle network. not idle does not Give a scenario in which the transmission of an ACK while the medium is result in a col- lision! That is, station A has just finished transmitting a packet to station C, but before C can begin sending its ACK, another station B starts transmitting. Hint: this is another example of the hidden-node problem, 3.7.1.4 Hidden-Node Problem , with station C again the “middle” station. Recall also that simultaneous transmission results in a collision only if some node fails to be able to read either signal as a result. (Also note that, if C does not send its ACK, despite B, the packet just sent from A has to all intents and purposes been lost.) 4.5. Give an example of a three-sender hidden-node collision ( 3.7.1.4 Hidden-Node Problem ); that is, ♢ three nodes A, B and C, no two of which can see one another, where all can reach a fourth node D. Can you do this for more than three sending nodes? 5.0. Suppose the average contention interval in a Wi-Fi network (802.11g) is 64 SlotTimes. The average packet size is 1 kB, and the data rate is 54 Mbps. At that data rate, it takes about (8 ˆ 1024)/54 = 151 μsec to transmit a packet. (a). How long is the average contention interval, in μsec? (b) ♢ . What fraction of the total potential bandwidth is lost to contention? (See 2.1.11 Analysis of Classic Ethernet for a similar example). 6.0. WiMAX and LTE subscriber stations are not expected to hear one another at all. For Wi-Fi non-access- point stations in an infrastructure (access-point) setting, on the other hand, listening to other non-access- point transmissions is encouraged. (a). List some ways in which Wi-Fi non-access-point stations in an infrastructure (access-point) network do sometimes respond to packets sent by other non-access-point stations. The responses need not be in the form of transmissions. (b). Explain why Wi-Fi stations cannot be required to respond as in part (a). 7.0. Suppose WiMAX subscriber stations can be moving, at speeds of up to 33 meters/sec (the maximum allowed under 802.16e). 132 3 Other LANs

143 An Introduction to Computer Networks, Release 1.9.18 (a). How much earlier (or later) can one subscriber packet arrive? Assume that the ranging process updates the station’s propagation delay once a minute. The speed of light is about 300 meters/μsec. (b). With 5000 senders per second, how much time out of each second must be spent on “guard intervals” accommodating the early/late arrivals above? You will need to double the time from part (a), as the base station cannot tell whether the signal from a moving subscriber will arrive earlier or later. [SM90] contained a proposal for sending IP packets over ATM as N cells as in AAL-5, followed by one 8.0. cell containing the XOR of all the previous cells. This way, the receiver can recover from the loss of any one cell. Suppose N=20 here; with the SM90 mechanism, each packet would require 21 cells to transmit; that is, we always send 5% more. Suppose the cell loss-rate is p (presumably very small). If we send 20 cells without the SM90 mechanism, we have a probability of about 20p that any one cell will be lost, and we will have to retransmit the entire 20 again. This gives an average retransmission amount of about 20p extra packets. For what value of p do the with-SM90 and the without-SM90 approaches involve about the same total number of cell transmissions? 9.0. In the example in 3.4 Virtual Circuits , give the VCI table for switch S5. 10.0. Suppose we have the following network: S1 S2 A B C S4 D S3 The virtual-circuit switching tables are below. Ports are identified by the node at the other end. Identify all the connections. Give the path for each connection and the VCI on each link of the path. S1 : Switch port port VCI VCI out out in in 1 A 2 S3 2 A 2 S2 3 A S2 3 S2 : Switch VCI port port VCI out out in in S4 1 2 B 2 S1 3 S4 3 S1 4 S4 Switch : S3 VCI port port VCI out out in in 2 S1 2 S4 3 S4 2 C 3.11 Exercises 133

144 An Introduction to Computer Networks, Release 1.9.18 Switch S4 : port VCI VCI port out out in in 2 2 S2 S3 3 3 S2 S3 S2 D 4 1 We have the same network as the previous exercise: ♢ 10.5 S1 S2 B A S3 S4 D C The virtual-circuit switching tables are below. Ports are identified by the node at the other end. Identify all the connections. Give the path for each connection and the VCI on each link of the path. : Switch S1 port VCI VCI port out out in in A 2 S2 1 S3 A 2 3 Switch S2 : VCI port VCI port out out in in 2 S1 S4 3 1 B 2 S4 : S3 Switch VCI port VCI port out out in in 2 S1 2 S4 1 S4 3 S1 Switch S4 : port VCI VCI port out out in in 3 S2 2 D 2 1 S3 S2 11.0. Suppose we have the following network: A S1 S2 B 134 3 Other LANs

145 An Introduction to Computer Networks, Release 1.9.18 C S4 D S3 Give virtual-circuit switching tables for the following connections. Route via a shortest path. (a). A–D (b). C–B, via S4 (c). B–D (d). A–D, via whichever of S2 or S3 was not used in part (a) 12.0. Below is a set of switches S1 through S4. Define VCI-table entries so the virtual circuit from A to B follows the path ÝÑ S1 ÝÑ S2 ÝÑ S4 ÝÑ S3 ÝÑ A ÝÑ S2 ÝÑ S4 ÝÑ S3 ÝÑ B S1 That is, each switch is visited twice . A S1 S2 B S3 S4 13.0. In this exercise we outline the two-ray ground model of wireless transmission in which the signal power is inversely proportional to the fourth power of the distance, rather than following the usual inverse- square law. Some familiarity with trigonometric (or complex-exponential) manipulations is necessary. 휋 ft), where A is the amplitude, f the frequency and t the Suppose the signal near the transmitter is A sin(2 2 time. Signal power is proportional to A . At distance r ě 1, the amplitude is reduced by a factor of 1/r (so 2 the power is reduced by 1/r ) and the signal is delayed by a time r/c, where c is the speed of light, giving (A/r)sin(2 휋 f(t – r/c)) = (A/r)sin(2 휋 ft – 2 휋휆 r) where 휆 = f/c is the wavelength. The received signal is the superposition of the line-of-sight signal path and its reflection from the ground, as in the following diagram: line-of-sight r arriving signals height h reflected path r  r/2 r/2 Sender and receiver are shown at equal heights above the ground, for simplicity. We assume 100% ground reflectivity (this is reasonable for very shallow angles). The phase of the ground signal is reversed 180° by the reflection, and then is delayed slightly more by the slightly longer path. 1 (a). Find a formula for the length of the reflected-signal path r , in terms of r and h. Eliminate the square 1/2 root, using the approximation (1+x) » 1 + x/2 for small x. (You will need to factor r out of the square-root 3.11 Exercises 135

146 An Introduction to Computer Networks, Release 1.9.18 1 expression for r first.) (because of the 180° reflection phase-reversal) of the line-of-sight and reflected- difference (b). Simplify the » (X-Y) cos((X+Y)/2) signal paths. Use the approximation sin(X) – sin(Y) = 2 sin((X–Y)/2) cos((X+Y)/2) iX » (X–Y) cos(X), for X ). You » Y (or else use complex exponentials, noting sin(X) is the real part of i e 1 1 휆 . Start with (A/r)sin(2 may assume r ft – 2 휋휆 r) – (A/r 휋 )sin(2 휋 ft – –r is smaller than the wavelength 1 1 휋휆 ); it helps to isolate the r Ñ r r change to one subexpression at a time by writing this as follows (adding 2 and subtracting the identical middle terms): 1 1 ft – 2 휋휆 r) – (A/r r)) + ((A/r )sin(2 휋 ft – 2 휋휆 ((A/r)sin(2 휋 )sin(2 휋 ft – 2 휋휆 r) – 1 1 휋 ft – 2 휋휆 r )sin(2 )) (A/r 1 1 1 휋 ft – 2 휋휆 r) + (A/r = (A/r – A/r )(sin(2 휋 ft – 2 휋휆 r) – sin(2 휋 ft – 2 휋휆 r )sin(2 )) 2 (c). Show that the approximate amplitude of this difference is proportional to 1/r , making the relative power 4 proportional to 1/r . 14.0. In the four-way handshake of 3.7.5 Wi-Fi Security , suppose station B (for Bad) records the successful handshake of station A and the access point. A then leaves the network, and B attempts a replay attack : B uses A’s packets in the handshake. At exactly what point does the handshake break down? 136 3 Other LANs

147 4 LINKS At the lowest (logical) level, network links look like serial lines. In this chapter we address how packet structures are built on top of serial lines, via encoding and framing. Encoding determines how bits and bytes are represented on a serial line; framing allows the receiver to identify the beginnings and endings of packets. We then conclude with the high-speed serial lines offered by the telecommunications industry, T-carrier and SONET, upon which almost all long-haul point-to-point links that tie the Internet together are based. 4.1 Encoding and Framing bits , not bytes. How do we identify byte boundaries? This is A typical serial line is ultimately a stream of made slightly more complicated by the fact that, beneath the logical level of the serial line, we generally have to avoid transmitting long runs of identical bits, because the receiver may simply lose count; this is the clock synchronization problem (sometimes called the clock recovery problem). This means that, one way or another, we cannot always just send the desired bits sequentially; for example, extra bits are often inserted to break up long runs. Exactly how we do this is the encoding mechanism. Once we have settled the transmission of bits, the next step is to determine how the receiver identifies the start of each new packet. Ethernet packets are separated by physical gaps, but for most other link mechanisms packets are sent end-to-end, with no breaks. How we tell when one packet stops and the next begins is the framing problem. To summarize: • encoding: correctly recognizing all the bits in a stream • framing: correctly recognizing packet boundaries These are related, though not the same. For long (multi-kilometer) electrical serial lines, in addition to the clock-related serial-line requirements we also want the average voltage to be zero; that is, we want no DC component. We will mostly concern ourselves here, however, only with lines short enough for this not to be a major concern. 4.1.1 NRZ NRZ (Non-Return to Zero) is perhaps the simplest encoding; it corresponds to direct bit-by-bit transmission of the 0’s and 1’s in the data. We have two signal levels, lo and hi , we set the signal to one or the other of these depending on whether the data bit is 0 or 1, as in the diagram below. Note that in the diagram the signal bits have been aligned with the start of the pulse representing that signal value. 137

148 An Introduction to Computer Networks, Release 1.9.18 0 1 1 0 1 1 1 1 0 0 0 0 0 1 0 0 1 NRZ Encoding: 1 = hi, 0 = lo NRZ replaces an earlier RZ (Return to Zero) encoding, in which hi and lo corresponded to +1 and -1, and between each pair of pulses corresponding to consecutive bits there was a brief return to the 0 level. One drawback to NRZ is that we cannot distinguish between 0-bits and a signal that is simply idle. However, the more serious problem is the lack of synchronization : during long runs of 0’s or long runs of 1’s, the eg if the receiver’s clock is running a little fast or slow. The receiver’s clock can receiver can “lose count”, transition from one level to the other. However, suppose bits and does resynchronize whenever there is a are sent at one per μs, the sender sends five 1-bits in a row, and the receiver’s clock is running 10% fast. The signal sent is a 5-μs hi pulse, but when the pulse ends the receiver’s clock reads 5.5 μs due to the clock speedup. Should this represent five 1-bits or six 1-bits? 4.1.2 NRZI An alternative that helps here (though not obviously at first) is NRZI , or NRZ Inverted. In this encoding, we represent a 0-bit as no change, and a 1-bit as a transition from lo to hi or hi to lo: 0 1 1 0 1 1 1 1 0 0 0 0 0 1 0 0 1 NRZI Encoding: 1 = transition, 0 = no transition Now there is a signal transition aligned above every 1-bit; a 0-bit is represented by the lack of a transition. This solves the synchronization problem for runs of 1-bits, but does nothing to address runs of 0-bits. However, NRZI can be combined with techniques to minimize runs of 0-bits, such as 4B/5B (below). 4.1.3 Manchester Manchester encoding sends the data stream using NRZI, with the addition of a clock transition between each pair of consecutive data bits. This means that the signaling rate is now double the data rate, eg 20 MHz for 10Mbps Ethernet (which does use Manchester encoding). The signaling is as if we doubled the bandwidth and inserted a 1-bit between each pair of consecutive data bits, removing this extra bit at the receiver: 138 4 Links

149 An Introduction to Computer Networks, Release 1.9.18 clock clock clock clock clock clock clock clock clock clock clock clock clock clock clock clock clock 1 0 0 0 1 1 0 1 1 1 1 0 0 0 0 0 1 Manchester Encoding: NRZI alternating with clock transitions All these transitions mean that the longest the clock has to “count” is 1 bit-time; clock synchronization is essentially solved, at the expense of the doubled signaling rate. 4.1.4 4B/5B In 4B/5B encoding, for each 4-bit “nybble” of data we actually transmit a designated 5-bit , or code, symbol selected to have “enough” 1-bits. A symbol in this sense is a digital or analog transmission unit that decodes to a set of data bits; the data bits are not transmitted individually. (The transmission of symbols rather than individual bits is nearly universal for high-performance links, including all forms of Ethernet faster than 10Mbps and all Wi-Fi links.) Specifically, every 5-bit symbol used by 4B/5B has at most one leading 0-bit and at most two trailing 0-bits. The 5-bit symbols corresponding to the data are then sent with NRZI, where runs of 1’s are safe. Note that the worst-case run of 0-bits has length three. Note also that the signaling rate here is 1.25 times the data rate. 4B/5B is used in 100-Mbps Ethernet, 2.2 100 Mbps (Fast) Ethernet . The mapping between 4-bit data values and 5-bit symbols is fixed by the 4B/5B standard: data symbol data symbol 0000 11110 1011 10111 0001 01001 11010 1100 10100 11011 0010 1101 0011 10101 1110 11100 01010 1111 0100 11101 0101 01011 IDLE 11111 0110 01110 HALT 00100 0111 01111 START 10001 1000 10010 01101 END 10011 RESET 1001 00111 1010 10110 DEAD 00000 There are more than sixteen possible symbols; this allows for some symbols to be used for signaling rather than data. IDLE, HALT, START, END and RESET are shown above, though there are others. These can be used to include control and status information without fear of confusion with the data. Some combinations of control symbols do lead to up to four 0-bits in sequence; HALT and RESET have two leading 0-bits. 10-Mbps and 100-Mbps Ethernet pads short packets up to the minimum packet size with 0-bytes, meaning that the next protocol layer has to be able to distinguish between padding and actual 0-byte data. Although 100-Mbps Ethernet uses 4B/5B encoding, it does not make use of special non-data symbols for packet padding. Gigabit Ethernet uses PAM-5 encoding ( 2.3 Gigabit Ethernet ), and does use special non-data 4.1 Encoding and Framing 139

150 An Introduction to Computer Networks, Release 1.9.18 symbols (inserted by the hardware) to pad packets; there is thus no ambiguity at the receiving end as to where the data bytes ended. The choice of 5-bit symbols for 4B/5B is in principle arbitrary; note however that for data from 0100 to 1101 we simply insert a 1 in the fourth position, and in the last two we insert a 0 in the fourth position. The first four symbols (those with the most zeroes) follow no obvious pattern, though. 4.1.5 Framing How does a receiver tell when one packet stops and the next one begins, to keep them from running together? We have already seen the following techniques for addressing this framing problem: determining where packets end: • Interpacket gaps (as in Ethernet) • 4B/5B and special bit patterns Putting a length field in the header would also work, in principle, but seems not to be widely used. One problem with this technique is that restoring order after desynchronization can be difficult. There is considerable overlap of framing with encoding; for example, the existence of non-data bit patterns in 4B/5B is due to an attempt to solve the encoding problem; these special patterns can also be used as unambiguous frame delimiters. 4.1.5.1 HDLC HDLC (High-level Data Link Control) is a general link-level packet format used for a number of applica- tions, including Point-to-Point Protocol (PPP) (which in turn is used for PPPoE – PPP over Ethernet – which is how a great many Internet subscribers connect to their ISP), and Frame Relay, still used as the low-level protocol for delivering IP packets to many sites via telecommunications lines. HDLC supports the following two methods for frame separation: • HDLC over asynchronous links: byte stuffing • HDLC over synchronous links: bit stuffing The basic encapsulation format for HDLC packets is to begin and end each frame with the byte 0x7E, or, in binary, 0111 1110. The problem is that this byte may occur in the data as well; we must make sure we don’t misinterpret such a data byte as the end of the frame. serial lines are those with some sort of start/stop indication, typically between bytes; such Asynchronous lines tend to be slower. Over this kind of line, HDLC uses the byte 0x7D as an escape character. Any data bytes of 0x7D and 0x7E are escaped by preceding them with an additional 0x7D. (Actually, they are transmitted as 0x7D followed by (original_byte xor 0x20).) This strategy is fundamentally the same as that “ and the escape character is \ . used by C-programming-language character strings: the string delimiter is Any occurrences of “ or \ within the string are escaped by preceding them with \ . Over synchronous serial lines (typically faster than asynchronous), HDLC generally uses bit stuffing . The underlying bit encoding involves, say, the reverse of NRZI, in which transitions denote 0-bits and lack of transitions denote 1-bits. This means that long runs of 1’s are now the problem and runs of 0’s are safe. 140 4 Links

151 An Introduction to Computer Networks, Release 1.9.18 Whenever five consecutive 1-bits appear in the data, 011111, a 0-bit is then inserted, or “stuffed”, by the eg transmitting hardware (regardless of whether or not the next data bit is also a 1). The HDLC frame byte of 0x7E = 0111 1110 thus can never appear as encoded data, because it contains six 1-bits in a row. If we had 10. 0x7E in the data, it would be transmitted as 0111 11 0 The HDLC receiver knows that • six 1-bits in a row marks the end of the packet • when five 1-bits in a row are seen, followed by a 0-bit, the 0-bit is removed Example: Data: 011110 0111110 01111110 0 0 011111 0 Sent as: 011110 011111 bold ) 10 (stuffed bits in Note that bit stuffing is used by HDLC to solve two unrelated problems: the synchronization problem where long runs of the same bit cause the receiver to lose count, and the framing problem, where the transmitted bit pattern 0111 1110 now represents a flag that can never be mistaken for a data byte. 4.1.5.2 B8ZS While insertion of an occasional extra bit or byte is no problem for data delivery, it is anathema to voice engineers; extra bits upset the precise 64 kbps DS-0 rate. As a result, long telecom lines prefer encodings that, like 4B/5B, do not introduce timing fluctuations. Very long (electrical) lines also tend to require encodings that guarantee a long-term average voltage level of 0 (versus 0.5 if half the bits are 1 v and half are 0 v in NRZ); that is, the signal must have no DC component. The AMI (Alternate Mark Inversion) technique eliminates the DC component by using three voltage levels, bipolar nominally +1, 0 and -1; this ternary encoding is also known as . Zero bits are encoded by the 0 voltage, while 1-bits take on alternating values of +1 and -1 volts. Thus, the bits 011101 might be encoded as 0,+1,-1,+1,0,-1, or, more compactly, 0+–+0–. Over a long run, the +1’s and the –1’s cancel out. Plain AMI still has synchronization problems with long runs of 0-bits. The solution used on North American T1 lines (1.544 Mbps) is known as , for bipolar with 8-zero substitution. The sender replaces any run B8ZS of 8 zero bits with a special bit-pattern, either 000+–0–+ or 000–+0+–. To decide which, the sender checks to see if the previous 1-bit sent was +1 or –1; if the former, the first pattern is substituted, if the latter then the second pattern is substituted. Either way, this leads to two instances of violation of the rule that consecutive 1-bits have opposite sign. For example, if the previous bit were +, the receiver sees + 0 0 0 +  0 +  B8ZS Encoding. The bits in the box were originally all zeros. Arrows link 1-bit alternating-sign violations This double-violation is the clue to the receiver that the special pattern is to be removed and replaced with the original eight 0-bits. 4.1 Encoding and Framing 141

152 An Introduction to Computer Networks, Release 1.9.18 4.2 Time-Division Multiplexing means a separate wire for each connection. This is still in common use for circuit switching Classical residential telephone connections: each subscriber has a dedicated wire to the Central Office. But a separate physical line for each connection is not a solution that scales well. Once upon a time it was not uncommon to link computers with serial lines, rather than packet networks. This was most often done for file transfers, but telnet logins were also done this way. The problem with this approach is that the line had to be dedicated to one application (or one user) at a time. Packet switching naturally implements multiplexing (sharing) on links; the demultiplexer is the destination address. Port numbers allow demultiplexing of multiple streams to same destination host. There are other ways for multiple channels to share a single wire. One approach is frequency-division , or putting each channel on a different carrier frequency. Analog cable television did this. multiplexing Some fiber-optic protocols also do this, calling it wavelength -division multiplexing. But perhaps the most pervasive alternative to packets is the voice telephone system’s time division mul- , or TDM, sometimes prefixed with the adjective synchronous . The idea is that we decide on a tiplexing number of channels, N, and the length of a timeslice, T, and allow each sender to send over the channel for time T, with the senders taking turns in round-robin style. Each sender gets to send for time T at regular intervals of NT, thus receiving 1/N of the total bandwidth. The timeslices consume no bandwidth on headers or addresses, although sometimes there is a small amount of space dedicated to maintaining synchronization between the two endpoints. Here is a diagram of sending with N=8: ... ... A B C D E F G H A B C D E F G H A B Time-Division Multiplexing Note, however, that if a sender has nothing to send, its timeslice cannot be used by another sender. Because bursty , involving considerable idle periods, TDM has traditionally been rejected for so much data traffic is data networks. 4.2.1 T-Carrier Lines TDM, however, works extremely well for voice networks. It continues to work when the timeslice T is small, when packet-based approaches fail because the header overhead becomes unacceptable. Consider for a moment the telecom Digital Signal hierarchy. A single digitized voice line in North America is one 8-bit sample every 1/8,000 second, or 64 kbps; this is known as a DS0 channel. A T1 line – the lowest level of the T-carrier DS1 line – represents 24 DS0 lines multiplexed via hierarchy and known at the logical level as a TDM, where each channel sends a single byte at a time. Thus, every 1/8,000 of a second a T1 line carries 24 bytes of user data, one byte per channel (plus one bit for framing), for a total of 193 bits. This gives a raw line speed of 1.544 Mbps. Note that the per-channel frame size here is a single byte. There is no efficient way to send single-byte packets . The advantage to the single-byte approach is that it greatly reduces the latency across the line. The biggest source of delay in packet-based digital voice lines is the packet fill time at the sender’s end: the sender generates voice data at a rate of 8 bytes/ms, and a packet cannot be sent until it is full. For a 1 kB 142 4 Links

153 An Introduction to Computer Networks, Release 1.9.18 packet, that’s about a quarter second. For standard Voice-over-IP or channels, RTP is used with 160 VoIP bytes of data sent every 20 ms; for ATM, a 48-byte packet is sent every 6 ms. But the fill-time delay for a call sent over a T1 line is 0.125 ms, which is negligible (to be fair, 6 ms and even 20 ms turn out to be pretty negligible in terms of call quality). The T1 one-byte-at-a-time strategy also means that T1 multiplexers need to do essentially no buffering, which might have been important back in 1962 when T-carrier was introduced. The next most common T-carrier / Digital Signal line is perhaps T3/DS3; this represents the TDM multiplex- ing of 28 DS1 signals. The problem is that some individual DS1s may run a little slow, so an elaborate pulse protocol has been developed. This allows extra bits to be inserted at specific points, if necessary, in stuffing such a way that the original component T1s can be exactly recovered even if there are clock irregularities. The pulse-stuffing solution did not scale well, and so T-carrier levels past T3 were very rarely used. While T-carrier was originally intended as a way of bundling together multiple DS0 channels on a single high-speed line, it also allows providers to offer leased digital point-to-point links with data rates in almost any multiple of the DS0 rate. 4.2.2 SONET SONET stands for Synchronous Optical NETwork; it is the telecommunications industry’s standard mecha- nism for very-high-speed TDM over optical fiber. While there is now flexibility regarding the the “optical” part, the “synchronous” part is taken quite seriously indeed, and SONET senders and receivers all use very precisely synchronized clocks (often atomic). The actual bit encoding is NRZI. Due to the frame structure, below, the longest possible run of 0-bits is ~250 bits (~30 bytes), but is usually much less. Accurate reception of 250 0-bits requires a clock accurate to within (at a minimum) one part in 500, which is potentially within reach. However, SONET also has a “bit-scrambling” feature, involving XOR with a fixed bit pattern, to ensure in most cases that there is a 1-bit every byte or less. The primary reason for SONET’s accurate clocking, however, is not the clock-synchronization problem as we have been using the term, but rather the problem of demultiplexing and remultiplexing multiple compo- nent bitstreams in a setting in which some of the streams may run slow. One of the primary design goals for SONET was to allow such multiplexing without the need for “pulse stuffing”, as is used in the Digital Signal hierarchy. SONET tributary streams are in effect not allowed to run slow (although SONET does provide for occasional very small byte slips, below). Furthermore, as multiple SONET streams are demultiplexed at a switching center and then remultiplexed into new SONET streams, synchronization means that none of the streams falls behind or gets ahead. The basic SONET format is known as STS-1. Data is organized as a 9x90 byte grid. The first 3 bytes of each row (that is, the first three columns) form the frame header. Frames are not addressed; SONET is a point-to-point protocol and a node sends a continuous sequence of frames to each of its neighbors. When the frames reach their destination, in principle they need to be fully demultiplexed for the data to be forwarded on. In practice, there are some shortcuts to full demultiplexing. 4.2 Time-Division Multiplexing 143

154 An Introduction to Computer Networks, Release 1.9.18 The actual bytes sent are scrambled: the data is XORed with a standard, fixed pseudorandom pattern before transmission. This introduces many 1-bits, on which clock resynchronization can occur, with a high degree of probability. There are two other special columns in a frame, each guaranteed to contain at least one 1-bit, so the maxi- mum run of data bytes is limited to ~30; this is thus the longest run of possible 0’s. The first two bytes of each frame are 0xF628. SONET’s frame-synchronization check is based on verifying these byte values at the start of each frame. If the receiver is ever desynchronized, it begins a frame re- synchronization procedure: the receiver searches for those 0xF628 bytes at regular 810-byte (6480-bit) spacing. After a few frames with 0xF628 in the right place, the receiver is “very sure” it is looking at the synchronization bytes and not at a data-byte position. Note that there is no evident byte boundary to a SONET frame, so the receiver must check for 0xF628 beginning at every bit position. SONET frames are transmitted at a rate of 8,000 frames/second. This is the canonical byte sampling rate for standard voice-grade (“DS0”, or 64 kbps) lines. Indeed, the classic application of SONET is to transmit multiple DS0 voice calls using TDM: within a frame, each data byte position is given over to one voice channel. The same byte position in consecutive frames constitutes one byte every 1/8000 seconds. The basic STS-1 data rate of 51.84 Mbps is exactly 810 bytes/frame ˆ 8 bits/byte ˆ 8000 frames/sec. To a customer who has leased a SONET-based channel to transmit data, a SONET link looks like a very fast bitstream. There are several standard ways of encoding data packets over SONET. One is to encapsulate the data as ATM cells, and then embed the cells contiguously in the bitstream. Another is to send IP packets encoded in the bitstream using HDLC-like bit stuffing, which means that the SONET bytes and the IP bytes may no longer correspond. The advantage of HDLC encoding is that it makes SONET re-synchronization vanishingly infrequent. Most IP backbone traffic today travels over SONET links. ˆ 90-byte STS-1 frame, the payload envelope is the 9 ˆ 87 region nominally following the three Within the 9 header columns; this payload region has its own three reserved columns meaning that there are 84 columns (9 ˆ 84 bytes) available for data. This 9 ˆ 87-byte payload envelope can “float” within the physical 9 ˆ 90- byte frame; that is, if the input frames are running slow then the output physical frames can be transmitted at the correct rate by letting the payload frames slip “backwards”, one byte at a time. Similarly, if the input frames are arriving slightly too fast, they can slip “forwards” by up to one byte at a time; the extra byte is stored in a reserved location in the three header columns of the 9 ˆ 90 physical frame. Faster SONET streams are made by multiplexing slower ones. The next step up is STS-3, an STS-3 frame is three STS-1 frames, for 9 ˆ 270 bytes. STS-3 (or, more properly, the physical layer for STS-3) is also called OC-3, for Optical Carrier. Beyond STS-3, faster lines are multiplexed combinations of four of the 144 4 Links

155 An Introduction to Computer Networks, Release 1.9.18 next-slowest lines. Here are some of the higher levels: STM line rate STS 51.84 Mbps STS-1 STM-0 STS-3 STM-1 155.52 Mbps STS-12 STM-4 622.08 Mbps (=12*51.84, exactly) STM-16 2.48832 Gbps STS-48 STM-64 STS-192 9.953 Gbps STM-256 STS-768 39.8 Gbps Usable capacity is typically 84/90 of the above line rates, as six of the 90 columns of an STS-1 frame are for overhead. SONET provides a wide variety of leasing options at various bandwidths. High-volume customers can lease an entire STS-1 or larger unit. Alternatively, the 84 data columns of an STS-1 frame can be divided into seven virtual tributary groups, each of twelve columns; these groups can be leased individually or in multiples, or be further divided into as few as three columns (which works out to be just over the T1 data rate). 4.2.3 Optical Transport Network The Optical Transport Network, or OTN, is an ITU specification for data transmission over optical fiber; the primary standard is G.709. A preliminary version of G.709 was published in 1988, but version 1.0 was released in 2001. OTN abandons SONET’s voice-oriented frame rate of 8000 frames/sec; while OTN is still widely used for voice, transmission no longer quite so perfectly fits the time-division-multiplexing model. The standard OTN frame is as diagrammed below; each frame is arranged in four rows. It can be helpful to view the 4,080 columns as divided into 255 16-byte-wide “supercolumns”: one for the frame and payload overhead, 238 for the payload itself, and 16 for error correction. 1 14 16 3824 4080 = 16×255 256 bytes 3824 = 16×239 bytes Error Correction Payload: 3808 = 16×238 bytes Payload Overhead Frame Overhead OTN Frame Format: 4080 columns × 4 rows The portion available for carrying customer data is highlighted in blue; unlike SONET, the payload portion of a frame is not allowed to “float”. The 256 columns at the end are for error-correcting codes ( 5.4.2 Error- Correcting Codes ); the addition of such error correction (below) is a major advantage of OTN over SONET. OTN comes in three primary rates, OTN1, OTN2 and OTN3; there are also a few variants. The OTN1 rate is chosen so that a SONET STS-48/STM-16 stream – 2.48832 Gbps – exactly fits in the blue payload portion 4.2 Time-Division Multiplexing 145

156 An Introduction to Computer Networks, Release 1.9.18 of the frame. This means that the OTN1 line rate must be (255/238) 2.48832 » 2.6661 Gbps. The frame ˆ rate, in turn, is therefore about 20.42 frames/ms. Four OTN1 streams can be multiplexed into a single OTN2 stream; four OTN2 streams can be multiplexed into a single OTN3 stream. The frame layout does not change, however; it is the frame rate that increases. The data rate does not increase by an exact multiple of 4; the OTN2 rate is chosen so that four OTN1 payloads and an additional 16 columns per frame can be carried in the payload portion of the OTN2 frames. The additional 16 columns serve to specify details about the interleaving of the four OTN1 frames; this ˆ 237 columns for the OTN1-stream data. The end result is that the OTN2 stream must leaves 3792 = 16 carry data at a line rate of 4 ˆ ˆ 255/237 times the STS-48/STM-16 rate. 238/237 times the OTN1 rate, or 4 This works out to be about 10.709 Gbps. In order to handle multiplexing without the need for T-carrier-style pulse stuffing, OTN streams must have a ̆ 20 parts per million, which works out to be one byte every 3-4 frames. The long-term bit-rate accuracy of frame-overhead region takes care of the slack. The last 256 columns of each frame are devoted to error correction; SONET has nothing comparable. By default, these columns are used for so-called Reed-Solomon codes; specifically, in a formulation where 16 bytes of codes are used for each 239 bytes of payload (this is exactly consistent with the relative sizes of the payload and error-correction columns). Such codes can correct up to 8 bytes of error. They can be used to increase the length of cable runs before regeneration is needed. Alternatively, their use can reduce the bit error rate as much as a hundredfold, which will be important in . 14.9 The High-Bandwidth TCP Problem OTN also includes, at the physical layer, extensive support for dense wavelength-division multiplexing (DWDM, a form of frequency-division multiplexing), meaning that multiple independent OTN streams can be carried on relatively close wavelengths. This greatly increases the overall capacity of a given run of fiber. DWDM works at a lower network layer than the frame organization outlined above, and in principle SONET could implement DWDM as well. In practice, though, DWDM has been integrated with OTN from the beginning. 4.2.4 Other Optical Fiber Optical Fiber and Lightning One of the advantages of of optical fiber (particularly at mountaintop observatories) is its resistance to damage and interference from lightning. Some fiber-optic cables do, however, have metal jackets to add strength or to resist animals; lightning resistance must be researched carefully. SONET and OTN are primarily, though not exclusively, used by telecommunications carriers. There are also multiple fiber-optic alternatives for smaller-scale operations. These are often part of the Ethernet family although they may have little except their bitrate in common with one another or with Ethernet over copper wire. Another standard that supports optical fiber links is so-called “Fibre Channel”, though that too also now supports copper. Distances supported by fiber-optic Ethernet range from hundreds of meters to tens of kilometers. Generally, the longer-haul links require the use of full duplex to avoid the collision-detection (slot time) requirement that a sender continue to transmit for one full Ethernet-segment RTT, but full duplex is common at high Ethernet speeds even for short links. For 100 Mbps Ethernet, fiber-optic standards include 100BASE-FX, 146 4 Links

157 An Introduction to Computer Networks, Release 1.9.18 100BASE-SX, 100BASE-LX and 100BASE-BX. The latter supports distances up to 40 km; the limiting factor is the need for signal regeneration. 1000-Gbit Ethernet optical standards include 1000BASE-SX, 1000BASE-LX, 1000BASE-BX and 1000BASE-EX; the latter again supports up to 40 km. These forms of Ethernet are often deployed in residential “fiber Internet” connections, although in some cases the last hundred meters or so may still involve copper. At speeds of 10 Gbps, long-range optical fiber alternatives include 10GBASE-ER and 10GBASE-ZR, sup- porting 40 and 80 km respectively; 10GBASE-ZR is based on SONET STM-64 standards. It is worth noting that fiber is often used for short links as well at 1 Gbps and 10 Gbps speeds; at 10 Gbps some copper-link standards support distances of only a few meters. As of 2014, several 10-Gbps Ethernet physical-layer standards come from industry consortiums rather than the IEEE. 4.3 Epilog This completes our discussion of common physical links. Perhaps the main takeaway point is that transmit- ting bits over any distance is not quite as simple as it may appear; simple NRZ transmission is not effective. 4.4 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of future exercises. Exer- cise 3.5 is distinct, for example, from exercises 3.0 and 4.0. Exercises marked with a ♢ have solutions or hints at 24.4 Solutions for Links . 1.0. What is encoded by the following NRZI signal? The first two bits are shown. 0 1 2.0. Argue that sending 4 0-bits via NRZI requires a clock accurate to within 1 part in 8. Assume that the receiver resynchronizes its clock whenever a 1-bit transition is received, but that otherwise it attempts to sample a bit in the middle of the bit’s timeslot. 3.0.(a) What bits are encoded by the following Manchester-encoded sequence? (b). Why is there no ambiguity as to whether the first transition is a clock transition or a data (1-bit) transition? (c). Give an example of a signal pattern consisting of an NRZI encoding of 0-bits and 1-bits that does not contain two consecutive 0-bits and which is not a valid Manchester encoding of data. Such a pattern could thus could be used as a special non-data marker. 4.3 Epilog 147

158 An Introduction to Computer Networks, Release 1.9.18 ♢ What is the 4B/5B encoding for the 3-byte string “Net”? (Hint: ‘N’ is 0100 1110.) 3.5. 4.0. What three ASCII letters (bytes) are encoded by the following 4B/5B pattern? (Be careful about upper- case vs lower-case.) 010110101001110101010111111110 5.0.(a) Suppose a device is forwarding SONET STS-1 frames. How much clock drift, as a percentage, on the incoming line would mean that the output payload envelopes must slip backwards by one byte per three physical frames? | (b). In 4.2.2 SONET it was claimed that sending 250 0-bits required a clock accurate to within 1 part in 500. Describe how a SONET clock might meet the requirement of part (a) above, and yet fail at this second requirement. (Hint: in part (a) the requirement is a long-term average). 148 4 Links

159 5 PACKETS In this chapter we address a few abstract questions about packets, and take a close look at transmission times. We also consider how big packets should be, and how to detect transmission errors. These issues are independent of any particular set of protocols. 5.1 Packet Delay There are several contributing sources to the delay encountered in transmitting a packet. On a LAN, the most significant is usually what we will call bandwidth delay : the time needed for a sender to get the packet onto the wire. This is simply the packet size divided by the bandwidth, after everything has been converted to common units (either all bits or all bytes). For a 1500-byte packet on 100 Mbps Ethernet, the bandwidth delay is 12,000 bits / (100 bits/μsec) = 120 μsec. propagation delay , relating to the propagation of the bits at the speed of light (for the transmis- There is also sion medium in question). This delay is the distance divided by the speed of light; for 1,000 m of Ethernet cable, with a signal propagation speed of about 230 m/μsec, the propagation delay is about 4.3 μsec. That is, if we start transmitting the 1500 byte packet of the previous paragraph at time T=0, then the first bit arrives at a destination 1,000 m away at T = 4.3 μsec, and the last bit is transmitted at 120 μsec, and the last bit arrives at T = 124.3 μsec. Minimizing Delay Back in the last century, gamers were sometimes known to take advantage of players with slow (as in dialup) links; an opponent could be eliminated literally before he or she could respond. As an updated take on this, some financial-trading firms have set up microwave-relay links between trading centers, say New York and Chicago, in order to reduce delay. In computerized trading, milliseconds count. A direct line of sight from New York to Chicago – which we round off to 1200 km – takes about 4 ms in air, where signals propagate at essentially the speed of light c = 300 km/ms. But fiber is slower; even an absolutely straight run would take 6 ms at glass fiber’s propagation speed of 200 km/ms. In the presence of high-speed trading, this 2 ms savings is of considerable financial significance. Bandwidth delay, in other words, tends to dominate within a LAN. But as networks get larger, propagation delay begins to dominate. This also happens as networks get faster: bandwidth delay goes down, but propagation delay remains unchanged. An important difference between bandwidth delay and propagation delay is that bandwidth delay is propor- tional to the amount of data sent while propagation delay is not. If we send two packets back-to-back, then the bandwidth delay is doubled but the propagation delay counts only once. The introduction of switches leads to store-and-forward delay , that is, the time spent reading in the entire packet before any of it can be retransmitted. Store-and-forward delay can also be viewed as an additional bandwidth delay for the second link. 149

160 An Introduction to Computer Networks, Release 1.9.18 Finally, a switch may or may not also introduce ; this will often depend on competing traffic. queuing delay 14 Dynamics of TCP eg We will look at this in more detail in , but for now note that a steady queuing delay ( due to a more-or-less constant average queue utilization) looks to each sender more like propagation delay than bandwidth delay, in that if two packets are sent back-to-back and arrive that way at the queue, then the pair will experience only a single queuing delay. 5.1.1 Delay examples Case 1: A B • Propagation delay is 40 μsec • Bandwidth is 1 byte/μsec (1 MB/sec, 8 Mbit/sec) • Packet size is 200 bytes (200 μsec bandwidth delay) Then the total one-way transmit time for one packet is 240 μsec = 200 μsec + 40 μsec. To send two back- to-back packets, the time rises to 440 μsec: we add one more bandwidth delay, but not another propagation delay. Case 2: A B Like the previous example except that the propagation delay is increased to 4 ms The total transmit time for one packet is now 4200 μsec = 200 μsec + 4000 μsec. For two packets it is 4400 μsec. R B Case 3: A We now have two links, each with propagation delay 40 μsec; bandwidth and packet size as in Case 1. The total transmit time for one 200-byte packet is now 480 μsec = 240 + 240. There are two propagation delays of 40 μsec each; A introduces a bandwidth delay of 200 μsec and R introduces a store-and-forward delay (or second bandwidth delay) of 200 μsec. Case 4: A R B The same as 3, but with data sent as two 100-byte packets The total transmit time is now 380 μsec = 3x100 + 2x40. There are still two propagation delays, but there is only 3/4 as much bandwidth delay because the transmission of the first 100 bytes on the second link overlaps with the transmission of the second 100 bytes on the first link. 150 5 Packets

161 An Introduction to Computer Networks, Release 1.9.18 T=40 T=40 T=40 T=140 T=180 T=240 T=240 T=240 T=280 T=280 T=380 T=480 Case 3: two links Case 4: two half-sized packets Case 1: one link Bandwidth delay 200 μsec, per-link propagation delay 40 μsec ladder diagrams These represent the full transmission; a snapshot state of the transmission at any one instant can be obtained by drawing a horizontal line. In the middle, case 3, diagram, for example, at no instant are both links active. Note that sending two smaller packets is faster than one large packet. We expand on this important point below. Now let us consider the situation when the propagation delay is the most significant component. The cross- continental US roundtrip delay is typically around 50-100 ms (propagation speed 200 km/ms in cable, 5,000- 10,000 km cable route, or about 3-6000 miles); we will use 100 ms in the examples here. At a bandwidth of 1.0 Mbps, 100ms is about 12 kB, or eight full-sized Ethernet packets. At this bandwidth, we would have four packets and four returning ACKs strung out along the path. At 1.0 Gbit/s, in 100ms we can send 12,000 kB, or 800 Ethernet packets, before the first ACK returns. round-trip time RTT : the time between At most non-LAN scales, the delay is typically simplified to the , or sending a packet and receiving a response. Different delay scenarios have implications for protocols: if a network is bandwidth-limited then protocols are easier to design. Extra RTTs do not cost much, so we can build in a considerable amount of back-and- forth exchange. However, if a network is delay-limited, the protocol designer must focus on minimizing extra RTTs. As an extreme case, consider wireless transmission to the moon (0.3 sec RTT), or to Jupiter (1 hour RTT). At my home I formerly had satellite Internet service, which had a roundtrip propagation delay of ~600 ms. This is remarkably high when compared to purely terrestrial links. eg the Internet), to good approx- When dealing with reasonably high-bandwidth “large-scale” networks ( imation most of the non-queuing delay is propagation, and so bandwidth and total delay are effectively independent. Only when propagation delay is small are the two interrelated. Because propagation delay dominates at this scale, we can often make simplifications when diagramming. In the illustration below, A sends a data packet to B and receives a small ACK in return. In (a), we show the data packet traversing several switches; in (b) we show the data packet as if it were sent along one long unswitched link, and in (c) we introduce the idealization that bandwidth delay (and thus the width of the packet line) no longer matters. 5.1 Packet Delay 151

162 An Introduction to Computer Networks, Release 1.9.18 (Most later ladder diagrams in this book are of this type.) ˆ 5.1.2 Bandwidth Delay The bandwidth ˆ delay product (usually involving round-trip delay, or RTT), represents how much we can send before we hear anything back, or how much is “pending” in the network at any one time if we send continuously. Note that, if we use RTT instead of one-way time, then half the “pending” packets will be returning ACKs. Here are a few approximate values, where 100 ms can be taken as a typical inter- continental-distance RTT: RTT bandwidth bandwidth ˆ delay 1 ms 10 Mbps 1.2 kB 100 ms 1.5 Mbps 20 kB 100 ms 8 MB 600 Mbps 100 ms 1.5 Gbps 20 MB 5.2 Packet Delay Variability For many links, the bandwidth delay and the propagation delay are rigidly fixed quantities, the former by the bandwidth and the latter by the speed of light. This leaves queuing delay as the major source of variability. This state of affairs lets us define RTT to be the time it takes to transmit a packet from A to B, and noLoad receive an acknowledgment back, with no queuing delay. While this is often a reasonable approximation, it is not necessarily true that RTT is always a fixed noLoad quantity. There are several possible causes for RTT variability. On Ethernet and Wi-Fi networks there is an initial “contention period” before transmission actually begins. Although this delay is related to waiting for other senders, it is not exactly queuing delay, and a packet may encounter considerable delay here even if it 152 5 Packets

163 An Introduction to Computer Networks, Release 1.9.18 ends up being the first to be sent. For Wi-Fi in particular, the uncertainty introduced by collisions into packet delivery times – even with no other senders competing – can complicate higher-level delay measurements. It is also possible that different packets are routed via slightly different paths, leading to (hopefully) minor variations in travel time, or are handled differently by different queues of a parallel-processing switch. A link’s bandwidth, too, can vary dynamically. Imagine, for example, a T1 link comprised of the usual 24 DS0 channels, in which all channels not currently in use by voice calls are consolidated into a single data channel. With eight callers, the data bandwidth would be cut by a third from 24 ˆ DS0 to 16 ˆ DS0. reserve a varying amount of bandwidth for high-priority traffic, Alternatively, perhaps routers are allowed to depending on demand, and so the bandwidth allocated to the best-effort traffic can vary. Perceived link bandwidth can also vary over time if packets are compressed at the link layer, and some packets are able to be compressed more than others. Finally, if mobile nodes are involved, then the distance and thus the propagation delay can change. This can be quite significant if one is communicating with a wireless device that is being taken on a cross-continental road trip. is fixed and well-defined, espe- Despite these sources of fluctuation, we will usually assume that RTT noLoad cially when we wish to focus on the queuing component of delay. 5.3 Packet Size How big should packets be? Should they be large ( eg 64 kB) or small ( eg 48 bytes)? The Ethernet answer to this question had to do with equitable sharing of the line: large packets would not allow other senders timely access to transmit. In any network, this issue remains a concern. On the other hand, large packets waste a smaller percentage of bandwidth on headers. However, in most of the cases we will consider, this percentage does not exceed 10% (the VoIP/RTP example in 1.3 Packets is an exception). It turns out that if store-and-forward switches are involved, smaller packets have much better throughput. The links on either side of the switch can be in use simultaneously, as in Case 4 of 5.1.1 Delay examples . This is a very real effect, and has put a damper on interest in support for IP “jumbograms”. The ATM protocol (intended for both voice and data) pushes this to an extreme, with packets with only 48 bytes of data and 5 bytes of header. As an example of this, consider a path from A to B with four switches and five links: A R1 R2 R3 R4 B Suppose we send either one big packet or five smaller packets. The relative times from A to B are illustrated in the following figure: 5.3 Packet Size 153

164 An Introduction to Computer Networks, Release 1.9.18 R3 R4 R2 R1 A B R2 B R3 R1 A R4 One large packet over five links Five smaller packets over five links The point is that we can take advantage of parallelism: while the R4–B link above is handling packet 1, the R3–R4 link is handling packet 2 and the R2–R3 link is handling packet 3 and so on. The five smaller packets have five times the header capacity, but as long as headers are small relative to the data, this would is not a significant issue. The sliding-windows algorithm, used by TCP, uses this idea as a continuous process: the sender sends a continual stream of packets which travel link-by-link so that, in the full-capacity case, all links may be in use at all times. 5.3.1 Error Rates and Packet Size Packet size is also influenced, to a modest degree, by the transmission error rate. For relatively high error rates, it turns out to be better to send smaller packets, because when an error does occur then the entire packet containing it is lost. Small error rates Generally, if the bit error rate p is small, we can approximate the probability of error in an N-bit packet N ˆ N, rather than working out the exact answer (assuming bit-error independence) of 1 – (1–p) . This as p approximation works best if p ˆ N is also small. For the 1000-bit example here with p=1/10,000, the exact value of the success rate is 90.4833% versus the p ˆ N approximation of 90%. For the 10,000-bit packet, though, the p ˆ N approximation predicts a 100% chance of error, which is not very helpful at all. For example, suppose that 1 bit in 10,000 is corrupted, at random, so the probability that a single bit is 154 5 Packets

165 An Introduction to Computer Networks, Release 1.9.18 transmitted is 0.9999 (this is much higher than the error rates encountered on real networks). For a correctly 1000 every , or about 1000-bit packet, the probability that bit in the packet is transmitted correctly is (0.9999) 10,000 » 90.5%. For a 10,000-bit packet the probability is (0.9999) 37%. For 20,000-bit packets, the success rate is below 14%. Now suppose we have 1,000,000 bits to send, either as 1000-bit packets or as 20,000-bit packets. Nominally this would require 1,000 of the smaller packets, but because of the 90% packet-success rate we will need to retransmit 10% of these, or 100 packets. Some of the retransmissions may also be lost; the total number of » packets we expect to need to send is about 1,000/90% 1,111, for a total of 1,111,000 bits sent. Next, let us try this with the 20,000-bit packets. Here the success rate is so poor that each packet needs to be sent on seven times ˆ 50 = 350 packets, average ; lossless transmission would require 50 packets but we in fact need 7 or 7,000,000 bits. Moral: choose the packet size small enough that most packets do not encounter errors. eg TDM and SONET). Wireless, To be fair, very large packets can be sent reliably on most cable links ( however, is more of a problem. 5.3.2 Packet Size and Real-Time Traffic There is one other concern regarding excessive packet size. As we shall see in 20 Quality of Service , it is common to commingle bulk traffic on the same links with real-time traffic. It is straightforward to give priority to the real-time traffic in such a mix, meaning that a router does not begin forwarding a bulk-traffic packet if there are any real-time packets waiting (we do need to be sure in this case that real-time traffic will not amount to so much as to starve the bulk traffic). However, once a bulk-traffic packet has begun transmission, it is impractical to interrupt it. Therefore, one component of any maximum-delay bound for real-time traffic is the transmission time for bulk -traffic packet; we will call this the the largest . As a practical matter, most IPv4 largest-packet delay packets are limited to the maximum Ethernet packet size of 1500 bytes, but IPv6 has an option for so-called “jumbograms” up to 2 MB in size. Transmitting one such packet on a 100 Mbps link takes about 1/6 of a second, which is likely too large for happy coexistence with real-time traffic. 5.4 Error Detection The basic strategy for packet error detection is to add some extra bits – formally known as an error-detection code – that will allow the receiver to determine if the packet has been corrupted in transit. A corrupted packet will then be discarded by the receiver; higher layers do not distinguish between lost packets and those never received. While packets lost due to bit errors occur much less frequently than packets lost due to queue overflows, it is essential that data be received accurately. Intermittent packet errors generally fall into two categories: low-frequency bit errors due to things like cosmic rays, and interference errors, typically generated by nearby electrical equipment. Errors of the latter type generally occur in bursts , with multiple bad bits per packet. Occasionally, a malfunctioning network device will introduce bursty errors as well. 5.4 Error Detection 155

166 An Introduction to Computer Networks, Release 1.9.18 Networks v Refrigerators At Loyola we once had a workstation used as a mainframe terminal that kept losing its connection. We eventually noticed that the connection dropped every time the office refrigerator kicked on. Sure enough, the cable ran directly behind the fridge; rerouting it solved the problem. The simplest error-detection mechanism is a single parity bit; this will catch all one-bit errors. There is, however, no straightforward generalization to N bits! That is, there is no N-bit error code that catches all N-bit errors; see exercise 9.0. The so-called , used by IP, TCP and UDP, is formed by taking the ones-complement sum Internet checksum of the 16-bit words of the message. Ones-complement is an alternative way of representing signed integers in binary; if one adds two positive integers and the sum does not overflow the hardware word size, then ones-complement and the now-universal are identical. To form the ones-complement sum twos-complement of 16-bit words A and B, first take the ordinary twos-complement sum A+B. Then, if there is an overflow bit, add it back in as low-order bit. Thus, if the word size is 4 bits, the ones-complement sum of 0101 and 0011 is 1000 (no overflow). Now suppose we want the ones-complement sum of 0101 and 1100. First we take the “exact” sum and get 1|0001, where the leftmost 1 is an overflow bit past the 4-bit wordsize. Because of this overflow, we add this bit back in, and get 0010. The 4-bit ones-complement numeric representation has two forms for zero: 0000 and 1111 (it is straightfor- ward to verify that any 4-bit quantity plus 1111 yields the original quantity; in twos-complement notation 1111 represents -1, and an overflow is guaranteed, so adding back the overflow bit cancels the -1 and leaves us with the original number). It is a fact that the ones-complement sum is never 0000 unless all bits of all the summands are 0; if the summands add up to zero by coincidence, then the actual binary representation will be 1111. This means that we can use 0000 in the checksum to represent “checksum not calculated”, which the UDP protocol still allows over IPv4 for efficiency reasons. Over IPv6, UDP packets must include a calculated checksum ( RFC 2460 , §8.1). Ones’ complement Long ago, before Loyola had any Internet connectivity, I wrote a primitive UDP/IP stack to allow me to use the Ethernet to back up one machine that did not have TCP/IP to another machine that did. We used “private” IP addresses of the form 10.0.0.x. I set as many header fields to zero as I could. I paid no attention to how to implement ones-complement addition; I simply used twos-complement, for the IP header only, and did not use a UDP checksum at all. Hey, it worked. Then we got a real Class B address block 147.126.0.0/16, and changed IP addresses. My software no longer worked. It turned out that, in the original version, the IP header bytes were all small enough that when I added up the 16-bit words there were no carries, and so ones-complement was the same as twos- complement. With the new addresses, this was no longer true. As soon as I figured out how to implement ones-complement addition properly, my backups worked again. Ones-complement addition has a few properties that make numerical calculations simpler. First, when finding the ones-complement sum of a series of 16-bit values, we can defer adding in the overflow bits until the end. Specifically, we can find the ones-complement sum of the values by adding them using ordinary (twos-complement) 32-bit addition, and then forming the ones-complement sum of the upper and lower 16-bit half-words. The upper half-word here represents the accumulated overflow. See exercise 10.0. 156 5 Packets

167 An Introduction to Computer Networks, Release 1.9.18 We can also find the ones-complement sum of a series of 16-bit values by concatenating them pairwise into 32-bit values, taking the 32-bit ones-complement sum of these, and then, as in the previous paragraph, forming the ones-complement sum of the upper and lower 16-bit half-words. Somewhat surprisingly, when calculating the 16-bit ones-complement sum of a series of bytes taken two at a time, it does not matter whether we convert the pairs of consecutive bytes to integers using big-endian or 11.1.5 Binary Data ). The overflow from the low-order bytes is added to the high- little-endian byte order ( order bytes by virtue of ordinary carries in addition, and the overflow from the high-order bytes is added to the low-order bytes by the ones-complement rule. See exercise 10.5. upon Finally, there is another way to look at the (16-bit) ones-complement sum: it is in fact the remainder 16 - 1, provided we replace a remainder of 0 dividing the message (seen as a very long binary number) by 2 with the equivalent ones-complement zero value consisting of sixteen 1-bits. This is similar to the decimal “casting out nines” rule: if we add up the digits of a base-10 number, and repeat the process until we get a single digit, then that digit is the remainder upon dividing the original number by 10-1 = 9. The analogy 16 , where the “digits” are the here is that the message is looked at as a very large number written in base-2 16-bit words. The process of repeatedly adding up the “digits” until we get a single “digit” amounts to taking the ones-complement sum of the words. This remainder approach to ones-complement addition isn’t very practical, but it does provide a useful way to analyze ones-complement checksums mathematically. A weakness of any error-detecting code based on sums is that transposing words leads to the same sum, and the error is not detected. In particular, if a message is fragmented and the fragments are reassembled in the wrong order, the ones-complement sum will likely not detect it. While some error-detecting codes are better than others at detecting certain kinds of systematic errors (for example, CRC, below, is usually better than the Internet checksum at detecting transposition errors), ulti- mately the effectiveness of an error-detecting code depends on its length. Suppose a packet P1 is corrupted randomly into P2, but still has its original N-bit error code EC(P1). This N-bit code will fail to detect the error that has occurred if EC(P2) is, by chance , equal to EC(P1). The probability that two random N-bit N codes will match is 1/2 (though a small random change in P1 might not lead to a uniformly distributed random change in EC(P1); see the tail end of the CRC section below). N This does not mean, however, that one packet in 2 will be received incorrectly, as most packets are error- free. If we use a 16-bit error code, and only 1 packet in 100,000 is actually corrupted, then the rate at which 9 65536, or about one in 6 ˆ corrupted packets will sneak by is only 1 in 100,000 ˆ . If packets are 1500 10 bytes, you have a good chance (90+%) of accurately transferring a terabyte, and a 37% chance (1/e) at ten terabytes. 5.4.1 Cyclical Redundancy Check: CRC The CRC error code is based on long division of polynomials, where the coefficients are integers modulo 2. The use of polynomials tends to sound complicated but in fact it eliminates the need for carries or borrowing in addition and subtraction. Together with the use of modulo-2 coefficients, this means that addition and subtraction become equivalent to XOR. We treat the message, in binary, as a giant polynomial m(X), using 7 4 3 eg 10011011 = X + X + X + X + 1). We standardize the bits of the message as successive coefficients ( a divisor polynomial p(X) of degree N (N=32 for CRC- 32 codes); the full specification of a given CRC code requires giving this polynomial. (A full specification also requires spelling out the bit order within N bytes.) We append N 0-bits to m(X) (this is the polynomial X m(X)), and divide the result by p(X). The “checksum” is the remainder r(X), of maximum degree N–1 (that is, N bits). 5.4 Error Detection 157

168 An Introduction to Computer Networks, Release 1.9.18 This is a reasonably secure hash against real-world network corruption, in that it is very hard for systematic intentional corruption; given an errors to result in the same hash code. However, CRC is not secure against , there are straightforward algebraic means for tweaking the last bytes of msg so that arbitrary message msg the CRC code of the result is equal to any predetermined value in the appropriate range. As an example of CRC, suppose that the CRC divisor is 1011 (making this a CRC-3 code) and the message is 1001 1011 1100. Here is the division; we repeatedly subtract (using XOR) a copy of the divisor 1011, shifted so the leading 1 of the divisor lines up with the leading 1 of the previous difference. A 1 then goes on the quotient line, lined up with the last digit of the shifted divisor; otherwise a 0. There are several online eg calculators for this sort of thing, here. Note that an extra 000 has been appended to the dividend. 1 0100 1101 011 1001 1011 1100 000 1011 1011 010 1011 1100 000 10 11 00 0111 1100 000 101 1 010 0100 000 10 11 00 1000 000 1011 0011 000 10 11 01 110 1 011 0 101 The remainder, at the bottom, is 101; this is the N-bit CRC code. We then append the code to the original N message, that is, without the added zeroes: 1001 1011 1100 101; algebraically this is X m(X) + r(X). This is what is actually transmitted; if converted to a polynomial, it yields a remainder of zero upon division by p(X). This slightly simplifies the receiver’s job of validating the CRC code: it just has to check that the remainder is zero. CRC is easily implemented in hardware, using bit-shifting registers. Fast software implementations are also possible, usually involving handling the bits one byte at a time, with a precomputed lookup table with 256 entries. If we randomly change enough bits in packet P1 to create P2, then CRC(P1) and CRC(P2) are effectively N independent random variables, with probability of a match 1 in 2 where N is the CRC length. However, if we change just a few bits then the change is not so random. In particular, for many CRC codes (that is, for many choices of the underlying polynomial p(X)), changing up to three bits in P1 to create a new message P2 guarantees that CRC(P1) ‰ CRC(P2). For the Internet checksum, this is not guaranteed even if we know only two bits were changed. 158 5 Packets

169 An Introduction to Computer Networks, Release 1.9.18 Finally, there are also 22.6 Secure Hashes ). secure hashes , such as MD-5 and SHA-1 and their successors ( Nobody knows (or admits to knowing) how to produce two messages with same hash here. However, these much secure-hash codes are generally not used in network error-correction as they are slower to calculate than CRC; they are generally used only for secure authentication and other higher-level functions. 5.4.2 Error-Correcting Codes correction forward error correction ) that allows the If a link is noisy, we can add an error- code (also called receiver in many cases to figure out which bits are corrupted, and fix them. This has the effect of improving the bit error rate at a cost of reducing throughput. Error-correcting codes tend to involve many more bits than are needed for error detection. Typically, if a communications technology proves to have an unacceptably high bit-error rate (such as wireless), the next step is to introduce an error-correcting code to the protocol. This generally reduces the “virtual” bit-error rate (that is, the error rate as corrected) to acceptable levels. 1/2 ) additional Perhaps the easiest error-correcting code to visualize is 2-D parity, for which we need O(N bits. We take N ˆ N data bits and arrange them into a square; we then compute the parity for every column, for every row, and for the entire square; this is 2N+1 extra bits. Here is a diagram with N=4, and with even parity; the column-parity bits (in blue) are in the bottom (fifth) row and the row-parity bits (also in blue) ˆ 4 data square is the light-blue bit in the are in the rightmost (fifth) column. The parity bit for the entire 4 bottom right corner. 0 1 0 1 0 0 1 1 1 1 1 0 0 1 0 0 1 1 1 1 0 1 1 0 0 Now suppose one bit is corrupted; for simplicity, assume it is one of the data bits. Then exactly one column- parity bit will be incorrect, and exactly one row-parity bit will be incorrect. These two incorrect bits mark the column and row of the incorrect data bit, which we can then flip to the correct state. We can make N large, but an essential requirement here is that there be only a single corrupted bit per square. We are thus likely either to keep N small, or to choose a different code entirely that allows correction of multiple bits. Either way, the addition of error-correcting codes can easily increase the size of a packet significantly; some codes double or even triple the total number of bits sent. 5.4.2.1 Hamming Codes The Hamming code is another popular error-correction code; it adds O(log N) additional bits, though if N is 1/2 large enough for this to be a material improvement over the O(N ) performance of 2-D parity then errors must be very infrequent. If we have 8 data bits, let us number the bit positions 0 through 7. We then write each bit’s position as a binary value between 000 and 111; we will call these the position bits of the given data bit. We now add four code bits as follows: 5.4 Error Detection 159

170 An Introduction to Computer Networks, Release 1.9.18 1. a parity bit over all 8 data bits 2. a parity bit over those data bits for which the first digit of the position bits is 1 (these are positions 4, 5, 6 and 7) 3. a parity bit over those data bits for which the second digit of the position bits is 1 (these are positions 010, 011, 110 and 111, or 2, 3, 6 and 7) 4. a parity bit over those data bits for which the third digit of the position bits is 1 (these are positions 001, 011, 101, 111, or 1, 3, 5 and 7) We can tell whether or not an error has occurred by the first code bit; the remaining three code bits then tell us the respective three position bits of the incorrect bit. For example, if the #2 code bit above is correct, then the first digit of the position bits is 0; otherwise it is one. With all three position bits, we have identified the incorrect data bit. As a concrete example, suppose the data word is 10110010. The four code bits are thus 1. 0, the (even) parity bit over all eight bits 2. 1, the parity bit over the second half, 1011 0010 3. 1, the parity bit over the bold bits: 10 00 10 11 4. 1, the parity bit over these bold bits: 1 1 1 0 0 0 0 1 If the received data+code is now 1011 1 010 0111, with the bold bit flipped, then the fact that the first code bit is wrong tells the receiver there was an error. The second code bit is also wrong, so the first bit of the position bits must be 1. The third code bit is right, so the second bit of the position bits must be 0. The fourth code bit is also right, so the third bit of the position bits is 0. The position bits are thus binary 100, or 4, and so the receiver knows that the incorrect bit is in position 4 (counting from 0) and can be flipped to the correct state. 5.5 Epilog The issues presented here are perhaps not very glamorous, and often play a supporting, behind-the-scenes role in protocol design. Nonetheless, their influence is pervasive; we may even think of them as part of the underlying “physics” of the Internet. As the early Internet became faster, for example, and propagation delay became the dominant limiting factor, protocols were often revised to limit the number of back-and-forth exchanges. A classic example is the Simple Mail Transport Protocol (SMTP), amended by RFC 1854 to allow multiple commands to be sent together – called pipelining – instead of individually. While there have been periodic calls for large-packet support in IPv4, and IPv6 protocols exist for “jum- bograms” in excess of a megabyte, these are very seldom used, due to the store-and-forward costs of large packets as described in . 5.3 Packet Size Almost every LAN-level protocol, from Ethernet to Wi-Fi to point-to-point links, incorporates an error- detecting code chosen to reflect the underlying transportation reliability. Ethernet includes a 32-bit CRC code, for example, while Wi-Fi includes extensive error-correcting codes due to the noisier wireless envi- ronment. The Wi-Fi fragmentation option ( 3.7.1.5 Wi-Fi Fragmentation ) is directly tied to 5.3.1 Error Rates and Packet Size . 160 5 Packets

171 An Introduction to Computer Networks, Release 1.9.18 5.6 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercises marked with a have solutions or hints at 24.5 Solutions for Packets . ♢ 1.0. Suppose a link has a propagation delay of 20 μsec and a bandwidth of 2 bytes/μsec. (a). How long would it take to transmit a 600-byte packet over such a link? (b). How long would it take to transmit the 600-byte packet over two such links, with a store-and-forward switch in between? 2.0. Suppose the path from A to B has a single switch S in between: A S B. Each link has a propaga- tion delay of 60 μsec and a bandwidth of 2 bytes/μsec. (a). How long would it take to send a single 600-byte packet from A to B? (b). How long would it take to send two back-to-back 300-byte packets from A to B? (c). How long would it take to send three back-to-back 200-byte packets from A to B? 3.0. ♢ Repeat parts (a) and (b) of the previous exercise, except change the per-link propagation delay from 60 μsec to 600 μsec. B. The propagation delays S 3.5. Suppose the path from A to B has a single switch S in between: A on the A–S and S–B are 24 μsec and 35 μsec respectively. The per-packet bandwidth delays on the A–S and S–B links are 103 μsec and 157 μsec respectively. The ladder diagram below describes the sending of two consecutive packets from A to B. Label the time intervals (a) through (e) at the right edge, and give the total time for the packets to be sent. 5.6 Exercises 161

172 An Introduction to Computer Networks, Release 1.9.18 A S B (a) packet 1 (b) packet 2 (c) packet 1 (d) packet 2 (e) 4.0. Again suppose the path from A to B has a single switch S in between: A B. The per-link S bandwidth and propagation delays are as follows: link bandwidth propagation delay A S 5 bytes/μsec 24 μsec S B 3 bytes/μsec 13 μsec (a). How long would it take to send a single 600-byte packet from A to B? (b). How long would it take to send two back-to-back 300-byte packets from A to B? Note that, because B link is slower, packet 2 arrives at S from A before S has finished transmitting packet 1 to B. the S 5.0. Suppose in the previous exercise, the A–S link has the smaller bandwidth of 3 bytes/μsec and the S–B link has the larger bandwidth of 5 bytes/μsec. The propagation delays are unchanged. Now how long does it take to send two back-to-back 300-byte packets from A to B? 6.0. Suppose we have five links, A R1 R2 R3 R4 B. Each link has a bandwidth of 100 bytes/ms. Assume we model the per-link propagation delay as 0. (a). How long would it take a single 1500-byte packet to go from A to B? (b). How long would it take five consecutive 300-byte packets to go from A to B? The diagram in 5.3 Packet Size may help. 7.0. Suppose there are N equal-bandwidth links on the path between A and B, as in the diagram below, and we wish to send M consecutive packets. 162 5 Packets

173 An Introduction to Computer Networks, Release 1.9.18 A S . . . S B N-1 1 Let BD be the bandwidth delay of a single packet on a single link, and assume the propagation delay on BD. Hint: the total time is the sum each link is zero. Show that the total (bandwidth) delay is (M+N-1) ˆ of the time A takes to begin transmitting the last packet, and the time that last packet (or any other packet) BD and the latter is N ˆ takes to travel from A to B. Show that the former is (M-1) ˆ BD. Note that no packets because the ith packet takes exactly as long to arrive as the (i-1)th packet takes to ever have to wait at any S i depart. 5.3.1 Error Rates and Packet Size to compare the probable total number of bytes 8.0. Repeat the analysis in 7 that need to be sent to transmit 10 bytes using (a). 1,000-byte packets (b). 10,000-byte packets 5 5 Assume the bit error rate is 1 in 16 ˆ byte about 1 in 2 ˆ 10 10 . , making the error rate per 9.0. In the text it is claimed “there is no N-bit error code that catches all N-bit errors” for N ě 2 (for N=1, a parity bit works). Prove this claim for N=2. Hint: pick a length M, and consider all M-bit messages with a single 1-bit. Any such message can be converted to any other with a 2-bit error. Show, using the Pigeonhole must have the same error code, that is, e(m ) = Principle, that for large enough M two messages m and m 1 2 1 ). If this occurs, then the error code fails to detect the error that converted m e(m . into m 2 1 2 10.0. Consider the following four-bit numbers, with decimal values in parentheses: 1000 (8) 1011 (11) 1101 (13) 1110 (14) The ones-complement sum of these can be found using the division method by treating these as a four-digit hex number 0x8bde and taking the remainder mod 15; the result is 1. (a). Find this ones-complement sum via three 4-bit ones-complement additions. To get started, note that the (exact) sum of 1000 and 1011 is 1|0011, and adding the carry bit to the low-order 4 bits gives a ones-complement sum of the first pair of 0100. (b). The exact (and 8-bit twos-complement) sum of the values above is 46, or 10|1110 in binary. Find the ones-complement sum of the values by taking this exact sum and then forming the ones-complement sum of the 4-bit high and low halves. Note that this is not the same as the twos-complement sum of the halves. 10.5. Let [a,b] denote a pair of bytes a and b. The 16-bit integer corresponding to [a,b] using big-endian conversion is a ˆ 256 + b; using little-endian conversion it is a + 256 ˆ b. (a). Find the ones-complement sum of [200,150] and [90,230] by using big-endian conversion to the respective 16-bit integers 51,350 and 23,270. Convert back to two bytes, again using big-endian 5.6 Exercises 163

174 An Introduction to Computer Networks, Release 1.9.18 conversion, at the end. (b). Do the same using little-endian conversion, in which case the 16-bit integers are 38,600 and 58,970. 3 11.0. Suppose a message is 110010101. Calculate the CRC-3 checksum using the polynomial X + 1, that is, find the 3-bit remainder using divisor 1001. 12.0. The CRC algorithm presented above requires that we process one bit at a time. It is possible to do the N algorithm N bits at a time ( eg N=8), with a precomputed lookup table of size 2 . Complete the steps in the 3 following description of this strategy for N=3 and polynomial X + X + 1, or 1011. 13.0. Consider the following set of bits sent with 2-D even parity; the data bits are in the 4 4 upper-left ˆ block and the parity bits are in the rightmost column and bottom row. Which bit is corrupted? 1 0 1 1 1 1 0 0 1 0 1 1 1 1 1 1 0 1 0 0 1 1 1 1 0 14.0. (a) Show that 2-D parity can detect any three errors. (b). Find four errors that cannot be detected by 2-D parity. (c). Show that that 2-D parity cannot correct all two-bit errors. Hint: put both bits in the same row or column. 15.0. Each of the following 8-bit messages with 4-bit Hamming code contains a single error. Correct the message. (a) ♢ . 10100010 0111 (b). 10111110 1011 16.0 (a) What happens in 2-D parity if the corrupted bit is in the parity column or parity row? (b). In the following 8-bit message with 4-bit Hamming code, there is an error in the code portion. How can this be determined? 1001 1110 0100 164 5 Packets

175 6 ABSTRACT SLIDING WINDOWS In this chapter we take a general look at how to build reliable data-transport layers on top of unreliable retransmit-on-timeout lower layers. This is achieved through a policy; that is, if a packet is transmitted and there is no acknowledgment received during the timeout interval then the packet is resent. As a class, protocols where one side implements retransmit-on-timeout are known as ARQ protocols, for Automatic Repeat reQuest. In addition to reliability, we also want to keep as many packets in transit as the network can support. The strategy used to achieve this is known as sliding windows . It turns out that the sliding-windows algorithm is also the key to managing congestion; we return to this in 13 TCP Reno and Congestion Management . The End-to-End principle, 12.1 The End-to-End Principle , suggests that trying to achieve a reliable trans- port layer by building reliability into a lower layer is a misguided approach; that is, implementing reliability at the endpoints of a connection – as is described here – is in fact the correct mechanism. 6.1 Building Reliable Transport: Stop-and-Wait Retransmit-on-timeout generally requires sequence numbering for the packets, though if a network path is guaranteed not to reorder packets then it is safe to allow the sequence numbers to wrap around surprisingly quickly (for stop-and-wait, a single-bit sequence number will work; see exercise 8.5). However, as the no-reordering hypothesis does not apply to the Internet at large, we will assume conventional numbering. Data[N] will be the Nth data packet, acknowledged by ACK[N]. In the stop-and-wait version of retransmit-on-timeout, the sender sends only one outstanding packet at a time. If there is no response, the packet may be retransmitted, but the sender does not send Data[N+1] until it has received ACK[N]. Of course, the receiving side will not send ACK[N] until it has received Data[N]; each side has only one packet in play at a time. In the absence of packet loss, this leads to the following: 165

176 An Introduction to Computer Networks, Release 1.9.18 Data 1 Ack 1 Data 2 Ack 2 Data 3 Ack 3 Data 4 Ack 4 Stop and Wait 6.1.1 Packet Loss Lost packets, however, are a reality. The left half of the diagram below illustrates a lost Data packet, where the sender is the host sending Data and the Receiver is the host sending ACKs. The receiver is not aware of the loss; it sees Data[N] as simply slow to arrive. 166 6 Abstract Sliding Windows

177 An Introduction to Computer Networks, Release 1.9.18 Sender Sender Receiver Receiver Data[N] Data[N] ACK[N] Timeout Timeout Data[N] Data[N] ACK[N] ACK[N] Lost Data Lost ACK The right half of the diagram, by comparison, illustrates the case of a lost ACK. The receiver has received a Data[N]. We have assumed here that the receiver has implemented a retransmit-on-duplicate duplicate strategy, and so its response upon receipt of the duplicate Data[N] is to retransmit ACK[N]. As a final example, note that it is possible for ACK[N] to have been delayed (or, similarly, for the first Data[N] to have been delayed) longer than the timeout interval. Not every packet that times out is actually lost! Sender Receiver Data[N] ACK[N] Data[N] Timeout Data[N+1] Expecting ACK[N+1] ACK[N] Late ACK In this case we see that, after sending Data[N], receiving a delayed ACK[N] (rather than the expected ACK[N+1]) must be considered a normal event . In principle, either side can implement retransmit-on-timeout if nothing is received. Either side can also implement retransmit-on-duplicate; this was done by the receiver in the second example above but not by the sender in the third example (the sender received a second ACK[N] but did not retransmit Data[N+1]). 6.1 Building Reliable Transport: Stop-and-Wait 167

178 An Introduction to Computer Networks, Release 1.9.18 At least one side implement retransmit-on-timeout; otherwise a lost packet leads to deadlock as the must must implement at least one of retransmit-on- sender and the receiver both wait forever. The other side duplicate or retransmit-on-timeout; usually the former alone. If both sides implement retransmit-on-timeout with different timeout values, generally the protocol will still work. 6.1.2 Sorcerer’s Apprentice Bug Sorcerer’s Apprentice The Sorcerer’s Apprentice bug is named for the legend (in which the apprentice casts a spell on a broom to carry water, one bucket at a time. When the basin is full, the apprentice chops the broom in half, only to find both halves carrying water. An animated version of this appears in Disney’s _Fantasia_, set to the music of Paul Dukas. I used to post a YouTube link here to the video, but Disney has blocked it. It may still be findable online, though. Mickey Mouse chops the broom about five and a half minutes in from the start of the music. A strange thing happens if one side implements retransmit-on-timeout but both sides implement retransmit- on-duplicate, as can happen if the implementer takes the naive view that retransmitting on duplicates is “safer”; the moral here is that too much redundancy can be the Wrong Thing. Let us imagine that an im- plementation uses this strategy (with the sender retransmitting on timeouts), and that the initial ACK[3] is delayed until after Data[3] is retransmitted on timeout. In the following diagram, the only packet retrans- mitted due to timeout is the second Data[3]; all the other duplications are due to the bilateral retransmit-on- duplicate strategy. 168 6 Abstract Sliding Windows

179 An Introduction to Computer Networks, Release 1.9.18 sender receiver First Data[3] First ACK[3], delayed Second Data[3] TIMEOUT Second ACK[3] First Data[4] First ACK[4] First ACK[4] Second Data[4] Second ACK[4] First Data[5] First ACK[5] Second Data[5] Second ACK[5] ... The Sorcerer's Apprentice bug First transmissions are in black Second transmissions are in blue All packets are sent from Data[3] on. The transfer completes normally, but takes double the normal twice bandwidth. The usual fix is to have one side (usually the sender) retransmit on timeout only. TCP does this; 12.19 TCP Timeout and Retransmission see . See also exercise 1.5. 6.1.3 Flow Control Stop-and-wait also provides a simple form of flow control to prevent data from arriving at the receiver faster than it can be handled. Assuming the time needed to process a received packet is less than one RTT, the stop-and-wait mechanism will prevent data from arriving too fast. If the processing time is slightly larger than RTT, all the receiver has to do is to wait to send ACK[N] until Data[N] has not only arrived but also ready for Data[N+1]. been processed, and the receiver is For modest per-packet processing delays this works quite well, but if the processing delays are long it introduces a new problem: Data[N] may time out and be retransmitted even though it has successfully been two kinds received; the receiver cannot send an ACK until it has finished processing. One approach is to have [N] meaning that Data[N] has arrived but the receiver is not yet ready for Data[N+1], of ACKs: ACK WAIT and ACK [N] meaning that the sender may now send Data[N+1]. The receiver will send ACK [N] GO WAIT when Data[N] arrives, and ACK [N] when it is done processing it. GO Presumably we want the sender not to time out and retransmit Data[N] after ACK [N] is received, as WAIT a retransmission would be unnecessary. This introduces a new problem: if the subsequent ACK [N] is GO lost and neither side times out, the connection is deadlocked. The sender is waiting for ACK [N], which GO 6.1 Building Reliable Transport: Stop-and-Wait 169

180 An Introduction to Computer Networks, Release 1.9.18 is lost, and the receiver is waiting for Data[N+1], which the sender will not send until the lost ACK [N] GO arrives. One solution is for the receiver to switch to a timeout model, perhaps until Data[N+1] is received. . TCP has a fix to the flow-control problem involving sender-side polling; see 12.17 TCP Flow Control 6.2 Sliding Windows Stop-and-wait is reliable but it is not very efficient (unless the path involves neither intermediate switches nor significant propagation delay; that is, the path involves a single LAN link). Most links along a multi-hop stop-and-wait path will be idle most of the time. During a file transfer, ideally we would like zero idleness (at least along the slowest link; see 6.3 Linear Bottlenecks ). We can improve overall throughput by allowing the sender to continue to transmit, sending Data[N+1] (and beyond) without too far ahead of the waiting for ACK[N]. We cannot, however, allow the sender get returning ACKs. Packets sent too fast, as we shall see, simply end up waiting in queues, or, worse, dropped from queues. If the links of the network have sufficient bandwidth, packets may also be dropped at the receiving end. Now that, say, Data[3] and Data[4] may be simultaneously in transit, we have to revisit what ACK[4] means: does it mean that the receiver has received only Data[4], or does it mean both Data[3] and Data[4] have arrived? We will assume the latter, that is, ACKs are cumulative : ACK[N] cannot be sent until Data[K] has arrived for all K ď N. With this understanding, if ACK[3] is lost then a later-arriving ACK[4] makes up for it; without it, if ACK[3] is lost the only recovery is to retransmit Data[3]. The sender picks a , winsize. The basic idea of sliding windows is that the sender is allowed window size to send this many packets before waiting for an ACK. More specifically, the sender keeps a state variable last_ACKed , representing the last packet for which it has received an ACK from the other end; if data packets are numbered starting from 1 then initially last_ACKed = 0. Window Size In this chapter we will assume winsize does not change. TCP, however, varies winsize up and down with 13 TCP the goal of making it as large as possible without introducing congestion; we will return to this in Reno and Congestion Management . At any instant, the sender may send packets numbered last_ACKed + 1 through last_ACKed + winsize; this packet range is known as the window . Generally, if the first link in the path is not the slowest one, the sender will most of the time have sent all these. slides forward ; we If ACK[N] arrives with N > last_ACKed (typically N = last_ACKed+1), then the window set last_ACKed = N. This also increments the upper edge of the window, and frees the sender to send more packets. For example, with winsize = 4 and last_ACKed = 10, the window is [11,12,13,14]. If ACK[11] arrives, the window slides forward to [12,13,14,15], freeing the sender to send Data[15]. If instead ACK[13] arrives, then the window slides forward to [14,15,16,17] (recall that ACKs are cumulative), and three more packets become eligible to be sent. If there is no packet reordering and no packet losses (and every packet is ACKed individually) then the window will slide forward in units of one packet at a time; the next arriving ACK will always be ACK[last_ACKed+1]. 170 6 Abstract Sliding Windows

181 An Introduction to Computer Networks, Release 1.9.18 Note that the rate at which ACKs are returned will always be exactly equal to the rate at which the slowest link is delivering packets. That is, if the slowest link (the “bottleneck” link) is delivering a packet every 50 ms, then the receiver will receive those packets every 50 ms and the ACKs will return at a rate of one every 50 ms. Thus, new packets will be sent at an average rate exactly matching the delivery rate; property. Self-clocking has the effect of reducing congestion by this is the sliding-windows self-clocking rate whenever the available fraction of the bottleneck bandwidth is automatically reducing the sender’s reduced. Below is a video of sliding windows in action, with winsize = 5. (A link is here, if the embedded video does not display properly, which will certainly be the case with non-html formats.) The nodes are labeled 0, 1 and 2. The second link, 1–2, has a capacity of five packets in transit either way, so one “flight” (windowful) of five packets can exactly fill this link. The 0–1 link has a capacity of one packet in transit either way. The video was prepared using the network animator, “nam”, described further in 16 Network Simulations: ns-2 . The first flight of five data packets leaves node 0 just after T=0, and leaves node 1 at around T=1 (in video time). Subsequent flights are spaced about seven seconds apart. The tiny packets moving leftwards from node 2 to node 0 represent ACKs; at the very beginning of the video one can see five returning ACKs from the previous windowful. At any moment (except those instants where packets have just been received) there are in principle five packets in transit, either being transmitted on a link as data, or being transmitted as an ACK, or sitting in a queue (this last does not happen in this video). Due to occasional video artifacts, in some frames not all the ACK packets are visible. 6.2.1 Bandwidth ˆ Delay 5.1 Packet Delay As indicated previously ( ˆ RTT product represents the amount of data ), the bandwidth that can be sent before the first response is received. It plays a large role in the analysis of transport protocols. In the literature the bandwidth ˆ delay product is often abbreviated BDP. The bandwidth ˆ RTT product is generally the optimum value for the window size. There is, however, one catch: if a sender chooses winsize larger than this, then the RTT simply grows – due to queuing delays – to the point that bandwidth RTT matches the chosen winsize. That is, a connection’s own traffic can inflate ˆ 6.3.1.3 Case 3: winsize = 6 ; see RTT below for an example. For this reason, a to well above RTT actual noLoad ˆ RTT , or, at the very least, the RTT before the sender’s sender is often more interested in bandwidth noLoad own packets had begun contributing to congestion. We will sometimes refer to the bandwidth ˆ RTT of the route. As product as the transit capacity noLoad will become clearer below, a winsize smaller than this means underutilization of the network, while a larger winsize means each packet spends time waiting in a queue somewhere. Below are simplified diagrams for sliding windows with window sizes of 1, 4 and 6, each with a path bandwidth of 6 packets/RTT (so bandwidth ˆ RTT = 6 packets). The diagram shows the initial packets sent as a burst; these then would be spread out as they pass through the bottleneck link so that, after the first burst, packet spacing is uniform. (Real sliding-windows protocols such as TCP generally attempt to avoid such initial bursts.) 6.2 Sliding Windows 171

182 An Introduction to Computer Networks, Release 1.9.18 Data 1-6 Data 1-4 Data 1 Ack 1 Ack 1 / Data 7 Ack 1 / Data 5 Ack 2 / Data 8 Data 2 Ack 2 / Data 6 Ack 3 / Data 9 Ack 3 / Data 7 Ack 4 / Data 10 Ack 4 / Data 8 Ack 5 / Data 11 Ack 2 Ack 6 / Data 12 Ack 5 / Data 9 Ack 7 / Data 13 Ack 6 / Data 10 Ack 8 / Data 14 Data 3 Ack 7 / Data 11 Ack 9 / Data 15 Ack 8 / Data 12 Ack 10 / Data 16 Ack 3 WinSize = 1 WinSize = 4 WinSize = 6 Sliding Windows, bandwidth 6 packets/RTT average 4 packets per RTT. To put With winsize=1 we send 1 packet per RTT; with winsize=4 we always this another way, the three window sizes lead to bottle-neck link utilizations of 1/6, 4/6 and 6/6 = 100%, respectively. While it is tempting to envision setting winsize to bandwidth ˆ RTT, in practice this can be complicated; neither bandwidth nor RTT is constant. Available bandwidth can fluctuate in the presence of competing traffic. As for RTT, if a sender sets winsize too large then the RTT is simply inflated to the point that ˆ RTT matches winsize; that is, a connection’s own traffic can inflate RTT to well above bandwidth actual RTT . This happens even in the absence of competing traffic. noLoad 6.2.2 The Receiver Side Perhaps surprisingly, sliding windows can work pretty well with the receiver assuming that winsize=1, even if the sender is in fact using a much larger value. Each of the receivers in the diagrams above receives Data[N] and responds with ACK[N]; the only difference with the larger sender winsize is that the Data[N] arrive faster. 172 6 Abstract Sliding Windows

183 An Introduction to Computer Networks, Release 1.9.18 If we are using the sliding-windows algorithm over single links, we may assume packets are never reordered, and a receiver winsize of 1 works quite well. Once switches are introduced, however, life becomes more complicated (though some links may do link-level sliding-windows for per-link throughput optimization). If packet reordering is a possibility, it is common for the receiver to use the same winsize as the sender. This means that the receiver must be prepared to buffer a full window full of packets. If the window is [11,12,13,14,15,16], for example, and Data[11] is delayed, then the receiver may have to buffer Data[12] through Data[16]. Like the sender, the receiver will also maintain the state variable last_ACKed, though it will not be completely synchronized with the sender’s version. At any instant, the receiver is willing to accept Data[last_ACKed+1] through Data[last_ACKed+winsize]. For any but the first of these, the receiver must buffer the arriving packet. If Data[last_ACKed+1] arrives, then the receiver should consult its buffers and send back the largest cumulative ACK it can for the data received; for example, if the window is [11-16] and Data[12], Data[13] and Data[15] are in the buffers, then on arrival of Data[11] the correct response is ACK[13]. Data[11] fills the “gap”, and the receiver has now received everything up through Data[13]. The new receive window is [14-19], and as soon as the ACK[13] reaches the sender that will be the new send window as well. 6.2.3 Loss Recovery Under Sliding Windows Suppose winsize = 4 and packet 5 is lost. It is quite possible that packets 6, 7, and 8 may have been received. However, the only (cumulative) acknowledgment that can be sent back is ACK[4]; the sender does not know how much of the windowful made it through. Because of the possibility that only Data[5] (or more generally Data[last_ACKed+1]) is lost, and because losses are usually associated with congestion, when we most especially do not wish to overburden the network, the sender will usually retransmit only the first lost packet, packet 5. If packets 6, 7, and 8 were also lost, then after retransmission of Data[5] the sender eg will receive ACK[5], and can assume that Data[6] now needs to be sent. However, if packets 6-8 did make it through, then after retransmission the sender will receive back ACK[8], and so will know 6-8 do not need retransmission and that the next packet to send is Data[9]. Normally Data[6] through Data[8] would time out shortly after Data[5] times out. After the first time- out, however, sliding windows protocols generally suppress further timeout/retransmission responses until recovery is more-or-less complete. Once a full timeout has occurred, usually the sliding-windows process itself has ground to a halt, in that there are usually no packets remaining in flight. This is sometimes described as pipeline drain . After recovery, the sliding-windows process will have to start up again. Most implementations of TCP, as we shall see later, implement a mechanism (“fast recovery”) for early detection of packet loss, before the pipeline has fully drained. 6.3 Linear Bottlenecks Consider the simple network path shown below, with bandwidths shown in packets/ms. The minimum bandwidth, or path bandwidth , is 3 packets/ms. 6.3 Linear Bottlenecks 173

184 An Introduction to Computer Networks, Release 1.9.18 10 pkts/ms 6 pkts/ms 3 pkts/ms 3 pkts/ms 8 pkts/ms A R1 R2 R3 R4 B link; if there are The slow links are R2–R3 and R3–R4. We will refer to the slowest link as the bottleneck (as here) ties for the slowest link, then the first such link is the bottleneck. The bottleneck link is where the queue will form. If traffic is sent at a rate of 4 packets/ms from A to B, it will pile up in an ever-increasing not pile up at R3; it arrives at R3 at the same rate by which it departs. queue at R2. Traffic will Furthermore, if sliding windows is used (rather than a fixed- rate sender), traffic will eventually not queue up at any router other than R2: data cannot reach B faster than the 3 packets/ms rate, and so B will not return send data faster than this rate. At this 3 packets/ms ACKs faster than this rate, and so A will eventually not rate, traffic will not pile up at R1 (or R3 or R4). There is a significant advantage in speaking in terms of winsize rather than transmission rate . If A sends to B at any rate greater than 3 packets/ms, then the situation is unstable as the bottleneck queue grows without bound and there is no convergence to a steady state. There is no analogous instability, however, if A uses sliding windows, even if the winsize chosen is quite large (although a large-enough winsize will overflow the bottleneck queue). If a sender specifies a sending window size rather than a rate, then the network will converge to a steady state in relatively short order; if a queue develops it will be steadily replenished at the same rate that packets depart, and so will be of fixed size. 6.3.1 Simple fixed-window-size analysis We will analyze the effect of window size on overall throughput and on RTT. Consider the following network second . path, with bandwidths now labeled in packets/ infinitely fast 1 pkt/sec 1 pkt/sec 1 pkt/sec 1 pkt/sec A R1 R2 R3 R4 B ÝÑ A direction, all connections are infinitely fast, meaning zero We will assume that in the backward B delay; this is often a good approximation because ACK packets are what travel in that direction and they are negligibly small. In the A ÝÑ B direction, we will assume that the A ÝÑ R1 link is infinitely fast, but the other four each have a bandwidth of 1 packet/second (and no propagation-delay component). This makes the R1 ÝÑ R2 link the bottleneck link ; any queue will now form at R1. The “path bandwidth” is 1 packet/second, and the RTT is 4 seconds. As a roughly equivalent alternative example, we might use the following: 1 pkt/sec infinitely fast 1 pkt/sec C S1 S2 D with the following assumptions: the C–S1 link is infinitely fast (zero delay), S1 ÝÑ S2 and S2 ÝÑ D each take 1.0 sec bandwidth delay (so two packets take 2.0 sec, per link, etc), and ACKs also have a 1.0 sec 174 6 Abstract Sliding Windows

185 An Introduction to Computer Networks, Release 1.9.18 bandwidth delay in the reverse direction. In both scenarios, if we send one packet, it takes 4.0 seconds for the ACK to return, on an idle network. This means that the no-load delay, RTT , is 4.0 seconds. noLoad (These models will change significantly if we replace the 1 packet/sec bandwidth delay with a 1-second delay; in the former case, 2 packets take 2 seconds, while in the latter, 2 packets take 1 second. propagation See exercise 4.0.) We assume a single connection is made; ie there is no competition. Bandwidth ˆ delay here is 4 packets (1 packet/sec ˆ 4 sec RTT) 6.3.1.1 Case 1: winsize = 2 In this case winsize < bandwidth ˆ delay (where delay = RTT). The table below shows what is sent by A and each of R1-R4 for each second. Every packet is acknowledged 4 seconds after it is sent; that is, RTT actual ; this will remain true as the winsize changes by small amounts ( = 4 sec, equal to RTT eg to 1 or 3). noLoad Throughput is proportional to winsize: when winsize = 2, throughput is 2 packets in 4 seconds, or 2/4 = 1/2 packet/sec. During each second, two of the routers R1-R4 are idle. The overall path will have less than 100% utilization. A R1 R1 R2 R3 R4 B Time sends queues sends sends sends sends ACKs T 0 1,2 2 1 1 2 1 2 2 1 3 2 1 3 3 2 1 4 5 4 3 2 4 6 3 4 7 4 3 8 5 5 4 3 9 5 4 6 6 Note the brief pile-up at R1 (the bottleneck link!) on startup. However, in the steady state, there is no queuing. Real sliding-windows protocols generally have some way of minimizing this “initial pileup”. 6.3.1.2 Case 2: winsize = 4 When winsize=4, at each second all four slow links are busy. There is again an initial burst leading to a brief surge in the queue; RTT for Data[4] is 7 seconds. However, RTT for every subsequent packet is 4 actual actual seconds, and there are no queuing delays (and nothing in the queue) after T=2. The steady-state connection throughput is 4 packets in 4 seconds, ie 1 packet/second. Note that overall path throughput now equals the bottleneck-link bandwidth, so this is the best possible throughput. 6.3 Linear Bottlenecks 175

186 An Introduction to Computer Networks, Release 1.9.18 T R1 queues R1 sends R2 sends R3 sends R4 sends B ACKs A sends 1,2,3,4 2,3,4 0 1 2 1 1 3,4 2 1 2 3 4 3 3 2 1 4 5 4 3 4 1 5 2 6 5 4 3 2 5 6 7 6 5 4 3 6 7 8 8 7 6 5 7 4 8 9 8 7 6 5 9 At T=4, R1 has just finished sending Data[4] as Data[5] arrives from A; R1 can begin sending packet 5 immediately. No queue will develop. [CJ89] , defined here in 1.7 Congestion . Case 2 is the “congestion knee” of Chiu and Jain 6.3.1.3 Case 3: winsize = 6 A sends R1 queues R1 sends R2 sends R3 sends R4 sends B ACKs T 1,2,3,4,5,6 2,3,4,5,6 1 0 3,4,5,6 1 1 2 4,5,6 3 2 2 1 3 5,6 4 3 2 1 4 7 6,7 5 4 3 2 1 5 8 6 5 4 3 2 7,8 9 7 6 5 4 3 6 8,9 10 9,10 8 7 6 5 4 7 8 11 9 8 7 6 5 10,11 9 11,12 10 9 8 7 6 12 10 13 12,13 11 10 9 8 7 Note that packet 7 is sent at T=4 and the acknowledgment is received at T=10, for an RTT of 6.0 seconds. All later packets have the same RTT . That is, the RTT has risen from RTT = 4 seconds to 6 seconds. noLoad actual ; that is, the throughput is still winsize/RTT, but RTT Note that we continue to send one windowful each RTT is now 6 seconds. ˆ RTT One might initially conjecture that if winsize is greater than the bandwidth product, then the noLoad entire window cannot be in transit at one time. In fact this is not the case; the sender does usually have the entire window sent and in transit, but RTT has been inflated so it appears to the sender that winsize equals the bandwidth ˆ RTT product. In general, whenever winsize > bandwidth RTT , what happens is that the extra packets pile up at ˆ noLoad a router somewhere along the path (specifically, at the router in front of the bottleneck link). RTT is actual inflated by queuing delay to winsize/bandwidth, where bandwidth is that of the bottleneck link; this means winsize = bandwidth ˆ RTT . Total throughput is equal to that bandwidth. Of the 6 seconds of RTT actual actual in the example here, a packet spends 4 of those seconds being transmitted on one link or another because 176 6 Abstract Sliding Windows

187 An Introduction to Computer Networks, Release 1.9.18 RTT =4. The other two seconds, therefore, must be spent in a queue; there is no other place for packets noLoad wait. Looking at the table, we see that each second there are indeed two packets in the queue at R1. If the bottleneck link is the very first link, packets may begin returning before the sender has sent the entire windowful. In this case we may argue that the full windowful has at least been queued by the sender, and thus has in this sense been “sent”. Suppose the network, for example, is 1 pkt/sec 1 pkt/sec 1 pkt/sec 1 pkt/sec A R1 R2 R3 B where, as before, each link transports 1 packet/sec from A to B and is infinitely fast in the reverse direction. Then, if A sets winsize = 6, a queue of 2 packets will form at A. 6.3.2 RTT Calculations We can make some quantitative observations of sliding windows behavior, and about queue utilization. First, 5.2 is the physical “travel” time (subject to the limitations addressed in we note that RTT Packet noLoad Delay Variability ); any time in excess of RTT is spent waiting in a queue somewhere. Therefore, the noLoad following holds regardless of competing traffic, and even for individual packets: – RTT 1. queue_time = RTT actual noLoad When the bottleneck link is saturated, that is, is always busy, the number of packets actually in transit (not queued) somewhere along the path will always be bandwidth RTT . ˆ noLoad Second, we always send one windowful per actual RTT, assuming no losses and each packet is individually acknowledged. This is perhaps best understood by consulting the diagrams above, but here is a simple non- visual argument: if we send Data[N] at time T , by , and ACK[N] arrives at time T – T , then RTT = T D D A A ď T definition. At time T the sender is allowed to send Data[N+winsize], so during the RTT interval T D A < T the sender must have sent Data[N] through Data[N+winsize-1]; that is, winsize many packets in time A RTT. Therefore (whether or not there is competing traffic) we always have 2. throughput = winsize/RTT actual where “throughput” is the rate at which the connection is sending packets. This relationship holds even if winsize or the bottleneck bandwidth changes suddenly, though in that case RTT might change from one packet to the next, and the throughput here must be seen as a measurement actual averaged over the RTT of one specific packet. If the sender doubles its winsize, those extra packets will immediately end up in a queue somewhere (perhaps a queue at the sender itself, though this is why in examples it is often clearer if the first link has infinite bandwidth so as to prevent this). If the bottleneck bandwidth is cut in half without changing winsize, eventually the RTT must rise due to queuing. See exercise 12.0. In the sliding windows are reasonably constant, the average , where throughput and RTT steady state actual number of packets in the queue is just throughput ˆ queue_time (where throughput is measured in pack- ets/sec): ˆ (RTT 3. queue_usage = throughput – RTT ) noLoad actual = winsize ˆ (1 – RTT /RTT ) noLoad actual 6.3 Linear Bottlenecks 177

188 An Introduction to Computer Networks, Release 1.9.18 To give a little more detail making the averaging perhaps clearer, each packet spends time (RTT – actual RTT ) in the queue, from equation 1 above. The total time spent by a windowful of packets is winsize noLoad thus gives the average number of packets in the ), and dividing this by RTT ˆ (RTT – RTT actual noLoad actual queue over the RTT interval in question. In the presence of competing traffic, the throughput referred to above is simply the connection’s current share of the total bandwidth. It is the value we get if we measure the rate of returning ACKs. If there is competing traffic and winsize is below the congestion knee – winsize < bandwidth ˆ RTT no – then noLoad winsize is the limiting factor in throughput. Finally, if there is no competition and winsize bandwidth ˆ ě RTT then the connection is using 100% of the capacity of the bottleneck link and throughput is equal noLoad to the bottleneck-link physical bandwidth. To put this another way, 4. RTT = winsize/bottleneck_bandwidth actual queue_usage = winsize – bandwidth ˆ RTT noLoad Dividing the first equation by RTT = winsize - queue_usage , and noting that bandwidth ˆ RTT noLoad noLoad = transit_capacity, we get 5. /RTT = winsize/transit_capacity = (transit_capacity + queue_usage) / tran- RTT actual noLoad sit_capacity Regardless of the value of winsize, in the steady state the sender never sends faster than the bottleneck bandwidth. This is because the bottleneck bandwidth determines the rate of packets arriving at the far end, which in turn determines the rate of ACKs arriving back at the sender, which in turn determines the continued sending rate. This illustrates the self-clocking nature of sliding windows. We will return in 14 Dynamics of TCP to the issue of bandwidth in the presence of competing traffic. For now, suppose a sliding-windows sender has winsize > bandwidth ˆ RTT , leading as above to a noLoad fixed amount of queue usage, and no competition. Then another connection starts up and competes for the bottleneck link. The first connection’s effective bandwidth will thus decrease. This means that bandwidth ˆ RTT will decrease, and hence the connection’s queue usage will increase. noLoad 6.3.3 Graphs at the Congestion Knee Consider the following graphs of winsize versus 1. throughput 2. delay 3. queue utilization 178 6 Abstract Sliding Windows

189 An Introduction to Computer Networks, Release 1.9.18 T h r o queue delay u utilization g h p u t winsize winsize winsize Graphs of winsize versus throughput, delay and queue utilization. Vertical dashed line represents winsize = bandwidth x no-load delay The critical winsize value is equal to bandwidth ˆ RTT . For ; this is known as the congestion knee noLoad winsize below this, we have: • throughput is proportional to winsize • delay is constant • queue utilization in the steady state is zero For winsize larger than the knee, we have • throughput is constant (equal to the bottleneck bandwidth) • delay increases linearly with winsize • queue utilization increases linearly with winsize Ideally, winsize will be at the critical knee. However, the exact value varies with time: available bandwidth changes due to the starting and stopping of competing traffic, and RTT changes due to queuing. Standard TCP makes an effort to stay well above the knee much of the time, presumably on the theory that maximizing throughput is more important than minimizing queue use. power of a connection is defined to be throughput/RTT. For sliding windows below the knee, RTT is The constant and power is proportional to the window size. For sliding windows above the knee, throughput is constant and delay is proportional to winsize; power is thus proportional to 1/winsize. Here is a graph, akin to those above, of winsize versus power: power winsize 6.3 Linear Bottlenecks 179

190 An Introduction to Computer Networks, Release 1.9.18 6.3.4 Simple Packet-Based Sliding-Windows Implementation Here is a pseudocode outline of the receiver side of a sliding-windows implementation, ignoring lost packets and timeouts. We abbreviate as follows: W: winsize LA: last_ACKed Thus, the next packet expected is LA+1 and the window is [LA+1, . . . , LA+W]. We have a data structure EarlyArrivals in which we can place packets that cannot yet be delivered to the receiving application. Upon arrival of Data[M]: ď LA or M>LA+W, ignore the packet if M if M>LA+1, put the packet into EarlyArrivals. if M==LA+1: deliver the packet (that is, Data[LA+1]) to the application LA = LA+1 (slide window forward by 1) while (Data[LA+1] is in EarlyArrivals) { output Data[LA+1] LA = LA+1 } send ACK[LA] A possible implementation of EarlyArrivals is as an array of packet objects, of size W. We always put packet Data[M] into position M % W. At any point between packet arrivals, Data[LA+1] is not in EarlyArrivals, but some later packets may be present. For the sender side, we begin by sending a full windowful of packets Data[1] through Data[W], and set- ting LA=0. When ACK[M] arrives, LALA+W, ignore the packet if M otherwise: set K = LA+W+1, the first packet just above the old window set LA = M, just below the bottom of the new window for (i=K; i LA+W; i++) send Data[i] ď Note that new ACKs may arrive while we are in the loop at the last line. We assume here that the sender stolidly sends what it may send and only after that does it start to process additional arriving ACKs. Some implementations may take a more asynchronous approach, perhaps with one thread processing arriving ACKs and incrementing LA and another thread sending everything it is allowed to send. To add support for timeout and retransmission, each transmitted packet would need to be stored, together with the time it was sent. Periodically this collection of stored packets must then be scanned, looking for 180 6 Abstract Sliding Windows

191 An Introduction to Computer Networks, Release 1.9.18 packets for which + timeout_interval ď current_time ; those packets get retrans- send_time mitted. When a packet Data[N] is acknowledged (perhaps by an ACK[M] for M>N), it can be deleted. 6.4 Epilog This completes our discussion of the sliding-windows algorithm in the abstract setting. We will return to concrete implementations of this in 11.4.1 TFTP and the Sorcerer (stop-and-wait) and in 12.14 TCP ; the latter is one of the most important mechanisms on the Internet. Sliding Windows 6.5 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise ♢ have solutions or hints 1.5 is distinct, for example, from exercises 1.0 and 2.0. Exercises marked with a . at 24.6 Solutions for Sliding Windows 1.0 Sketch a ladder diagram for stop-and-wait if Data[3] is lost the first time it is sent, assuming no sender timeout (but the sender retransmits on duplicate), and a receiver timeout of 2 seconds. Continue the diagram to the point where Data[4] is successfully transmitted. Assume an RTT of 1 second. 1.5 Re-draw the Sorcerer’s Apprentice diagram of 6.1.2 Sorcerer’s Apprentice Bug , assuming the sender now does not retransmit on duplicates, though the receiver still does. ACK[3] is, as before, delayed until the sender retransmits Data[3]. 2.0 Suppose a stop-and-wait receiver has an implementation flaw. When Data[1] arrives, ACK[1] and ACK[2] are sent, separated by a brief interval; after that, the receiver transmits ACK[N+1] when Data[N] arrives, rather than the correct ACK[N]. (a). Draw a diagram, including at least three RTTs. (b). What is the average throughput, in data packets per RTT? (For normal stop-and-wait, the average throughput is 1.) (c). Is there anything the sender can do to detect this receiver behavior before the final packet, assuming the sender must respond to each ACK as soon as it arrives? 2.5 ♢ Consider the alternative model of 6.3.1 Simple fixed-window-size analysis : infinitely fast 1 pkt/sec 1 pkt/sec C S1 S2 D (a). Using the formulas of 6.3.2 RTT Calculations , calculate the steady-state queue usage for a window size of 6. 6.4 Epilog 181

192 An Introduction to Computer Networks, Release 1.9.18 (b). Again for a window size of 6, create a table like those in up 6.3.1 Simple fixed-window-size analysis through T=8 seconds. the table as in 6.3.1 Simple fixed-window-size analysis for a original 3.0 Create R1 R2 R3 R4 B network with winsize = 8. As in the text examples, assume 1 A ÝÑ packet/sec bandwidth delay for the R1 ÝÑ R3, R3 ÝÑ R4 and R4 ÝÑ B links. The A–R1 link and R2, R2 all reverse links (from B to A) are infinitely fast. Carry out the table for 10 seconds. 6.3.1 Simple fixed-window-size analysis 4.0 Create a table as in for a network A R1 R2 B. The A–R1 ink is infinitely fast; the R1–R2 and R2–B each have a 1-second delay, in each direction, propagation and zero bandwidth delay (that is, one packet takes 1.0 sec to travel from R1 to R2; two packets also take 1.0 sec to travel from R1 to R2). Assume winsize=6. Carry out the table for 8 seconds. Note that with zero bandwidth delay, multiple packets sent together will remain together until the destination; propagation delay behaves very differently from bandwidth delay! 5.0 Suppose RTT = 4 seconds and the bottleneck bandwidth is 1 packet every 2 seconds. noLoad (a). What window size is needed to remain just at the knee of congestion? ? (b). Suppose winsize=6. What is the eventual value of RTT actual (c). Again with winsize=6, how many packets are in the queue at the steady state? 6.0 Create a table as in 6.3.1 Simple fixed-window-size analysis for a network A R1 R3 B. R2 The A–R1 link is infinitely fast. The R1–R2 and R3–B links have a bandwidth delay of 1 packet/second with no additional propagation delay. The R2–R3 link has a bandwidth delay of 1 packet / 2 seconds, and no propagation delay. The reverse B ÝÑ A direction (for ACKs) is infinitely fast. Assume winsize = 6. (a). Carry out the table for 10 seconds. Note that you will need to show the queue for both R1 and R2. (b). Continue the table at least partially until T=18, in sufficient detail that you can verify that RTT for actual packet 8 is as calculated in exercise 5.0. To do this you will need more than 10 packets, but fewer than 16; the use of hex labels A, B, C for packets 10, 11, 12 is a convenient notation. Hint: The column for “R2 sends” (or, more accurately, “R2 is in the process of sending”) should look like this: T R2 sends 0 1 1 2 1 3 2 4 2 5 3 6 3 . . . . . . 182 6 Abstract Sliding Windows

193 An Introduction to Computer Networks, Release 1.9.18 7.0 Argue that, if A sends to B using sliding windows, and in the path from A to B the slowest link is not the first link out of A, then eventually A will have the entire window outstanding (except at the instant just after each new ACK comes in). Suppose RTT 7.5 is 100 ms and the available bandwidth is 1,000 packets/sec. Sliding windows is ♢ noLoad used. (a). What is the transit capacity for the connection? (b). If RTT rises to 130 ms (due to use of a larger winsize), how many packets are in a queue at any actual one time? (c). If winsize increases by 50, what is RTT ? actual 8.0 Suppose RTT is 50 ms and the available bandwidth is 2,000 packets/sec. Sliding windows is used noLoad for transmission. (a). What window size is needed to remain just at the knee of congestion? (b). If RTT rises to 60 ms (due to use of a larger winsize), how many packets are in a queue at any one actual time? = 60 ms? (c). What value of winsize would lead to RTT actual (d). What value of winsize would make RTT rise to 100 ms? actual 8.5 Suppose stop-and-wait is used (winsize=1), and assume that while packets may be lost, they are never reordered (that is, if two packets P1 and P2 are sent in that order, and both arrive, then they arrive in that order). Show that at the point the receiver is waiting for Data[N], the only two packet arrivals possible are Data[N] and Data[N-1]. (A consequence is that, in the absence of reordering, stop-and-wait can make do with 1-bit packet sequence numbers.) Hint: if the receiver is waiting for Data[N], it must have just received Data[N-1] and sent ACK[N-1]. Also, once the sender has sent Data[N], it will never transmit a Data[K] with K

194 An Introduction to Computer Networks, Release 1.9.18 winsize/bandwidth = 6 seconds. Give the RTTs of the first eight packets. How long does it take for RTT to rise to 6 seconds? 12.0 In this exercise we look at the relationship between bottleneck bandwidth and winsize/RTT when actual the former changes suddenly. Suppose the network is as follows A R1 R3 B R2 The A R2 link has a 1 packet/sec bandwidth delay in the R1 Ñ R2 R1 link is infinitely fast. The R1 Ñ Ñ R3 and R3 direction. The remaining links R2 B have a 1 sec bandwidth delay in the direction indicated. Ñ ACK packets, being small, travel instantaneously from B back to A. A sends to B using a winsize of three. Three packets P0, P1 and P2 are sent at times T=0, T=1 and T=2 respectively. Ñ R2 bandwidth is suddenly halved to 1 packet / 2 sec; P3 is At T=3, P0 arrives at B. At this instant the R1 transmitted at T=3 and arrives at R2 at T=5. It will arrive at B at T=7. (a). Complete the following table of packet arrival times T R1’s queue R1 sends R2 sends R3 sends B recvs/ACKs A sends 2 P2 P2 P1 P0 3 P3 P2 P1 P0 P3 P4 P2 P3 cont 4 P1 P4 5 P5 P4 P3 P2 P5 6 P5 P4 cont P3 7 P3 P6 8 9 P7 10 11 P8 (b). For each of P2, P3, P4 and P5, calculate the througput given by winsize/RTT over the course of that packet’s round trip. Obtain each packet’s RTT from the completed table above. (c). Once the steady state is reached in which RTT = 6, how much time does each packet spend in actual transit? How much time does each packet spend in R1’s queue? 184 6 Abstract Sliding Windows

195 7 IP VERSION 4 There are multiple LAN protocols below the IP layer and multiple transport protocols above, but IP itself stands alone. The Internet is essentially the IP Internet. If you want to run your own LAN protocol some- where, or if you want to run your own transport protocol, the Internet backbone will still work just fine for you. But if you want to change the IP layer, you will encounter difficulty. (Just talk to the IPv6 people, or the IP-multicasting or IP-reservations groups.) Currently the Internet uses (mostly, but no longer quite exclusively) IP version 4, with its 32-bit address size. As the Internet has run out of new large blocks of IPv4 addresses ( 1.10 IP - Internet Protocol ), there is increasing pressure to convert to IPv6, with its 128-bit address size. Progress has been slow, however, ) – by which 7.7 Network Address Translation and delaying tactics such as IPv4-address markets and NAT ( multiple hosts can share a single public IPv4 address – have allowed IPv4 to continue. Aside from the major change in address structure, there are relatively few differences in the routing models of IPv4 and IPv6. We will study IPv4 in this chapter and IPv6 in the following; at points where the IPv4/IPv6 difference doesn’t much matter we will simply write “IP”. routing and addressing protocol. Routing and addressing are IPv4 (and IPv6) is, in effect, a universal developed together; every node has an IP address and every router knows how to handle IP addresses. IP was originally seen as a way to inter connect multiple LANs, but it may make more sense now to view IP as a virtual LAN overlaying all the physical LANs. 9 . As the Internet has grown to ~10 A crucial aspect of IP is its hosts, the forwarding tables are scalability 5 5.5 (perhaps now 10 not much larger than 10 ). Ethernet, in comparison, scales poorly. Furthermore, IP, unlike Ethernet, offers excellent support for multiple redundant links . If the network below were an IP network, each node would communicate with each immediate neighbor via their shared direct link. If, on the other hand, this were an Ethernet network with the spanning-tree algorithm, then one of the four links would simply be disabled completely. A B C D The IP network service model is to act like a giant LAN. That is, there are no acknowledgments; delivery is generally described as best-effort. This design choice is perhaps surprising, but it has also been quite fruitful. If you want to provide a universal service for delivering any packet anywhere, what else do you need besides routing and addressing? Every network (LAN) needs to be able to carry any packet. The protocols spell too large for a given out the use of octets (bytes), so the only possible compatibility issue is that a packet is network. IPv4 handles this by supporting fragmentation : a network may break a too-large packet up into units it can transport successfully. While IPv4 fragmentation is inefficient and clumsy, it does guarantee that any packet can potentially be delivered to any node. (Note, however, that IPv6 has given up on universal fragmentation; 8.5.4 IPv6 Fragment Header .) 185

196 An Introduction to Computer Networks, Release 1.9.18 7.1 The IPv4 Header The IPv4 Header needs to contain the following information: • destination and source addresses • indication of ipv4 versus ipv6 • a Time To Live (TTL) value, to prevent infinite routing loops • a field indicating what comes next in the packet ( eg TCP v UDP) • fields supporting fragmentation and reassembly. The header is organized as a series of 32-bit words as follows: 8 0 16 24 32 Total Length ECN IHL Version DS field Flags Fragment Offset Identification Protocol Time to Live Header Checksum Source Address Destination Address IPv4 Options (0-10 rows) Padding The IPv4 header, and basics of IPv4 protocol operation, were originally defined in RFC 791 ; some minor changes have since occurred. Most of these changes were documented in RFC 1122 , though the DS field was defined in RFC 2474 and the ECN bits were first proposed in RFC 2481 . The Version IHL field represents the total IPv4 Header Length, field is, for IPv4, the number 4: 0100. The in 32-bit words; an IPv4 header can thus be at most 15 words long. The base header takes up five words, so the IPv4 Options can consist of at most ten words. If one looks at IPv4 packets using a packet-capture tool that displays the packets in hex, the first byte will most often be 0x45. Differentiated Services (DS) field is used by the Differentiated Services suite to specify preferen- The tial handling for designated packets, those involved in VoIP or other real-time protocols. The Explicit eg Congestion Notification bits are there to allow routers experiencing congestion to mark packets, thus indi- cating to the sender that the transmission rate should be reduced. We will address these in 14.8.3 Explicit Congestion Notification (ECN) Type of Service field. . These two fields together replace the old 8-bit The Total Length field is present because an IPv4 packet may be smaller than the minimum LAN packet size (see Exercise 1) or larger than the maximum (if the IPv4 packet has been fragmented over several LAN packets. The IPv4 packet length, in other words, cannot be inferred from the LAN-level packet size. 16 Because the Total Length field is 16 bits, the maximum IPv4 packet size is 2 bytes. This is probably much too large, even if fragmentation were not something to be avoided (though see IPv6 “jumbograms” in 8.5.1 Hop-by-Hop Options Header ). The second word of the header is devoted to fragmentation, discussed below. 186 7 IP version 4

197 An Introduction to Computer Networks, Release 1.9.18 The (TTL) field is decremented by 1 at each router; if it reaches 0, the packet is discarded. A Time-to-Live typical initial value is 64; it must be larger than the total number of hops in the path. In most cases, a value of 32 would work. The TTL field is there to prevent routing loops – always a serious problem should they occur – from consuming resources indefinitely. Later we will look at various IP routing-table update protocols and how they minimize the risk of routing loops; they do not, however, eliminate it. By comparison, Ethernet headers have no TTL field, but Ethernet also disallows cycles in the underlying topology. The field contains a value to identify the contents of the packet body. A few of the more common Protocol values are • 1: an ICMP packet, 7.11 Internet Control Message Protocol • 4: an encapsulated IPv4 packet, 7.13.1 IP-in-IP Encapsulation • 6: a TCP packet • 17: a UDP packet • 41: an encapsulated IPv6 packet, 8.13 IPv6 Connectivity via Tunneling 22.11 IPsec • 50: an Encapsulating Security Payload, A list of assigned protocol numbers is maintained by the IANA. The field is the “Internet checksum” applied to the header only, not the body. Its only Header Checksum purpose is to allow the discarding of packets with corrupted headers. When the TTL value is decremented the router must update the header checksum. This can be done “algebraically” by adding a 1 in the correct place to compensate, but it is not hard simply to re-sum the 8 halfwords of the average header. The header checksum must also be updated when an IPv4 packet header is rewritten by a NAT router. Source and Destination Address The fields contain, of course, the IPv4 addresses. These would normally be updated only by NAT firewalls. The source-address field is supposed to be the sender’s IPv4 address, but hardly any ISP checks that traffic they send out has a source address matching one of their customers, despite the call to do so in RFC 2827 . As a result, IP spoofing – the sending of IP packets with a faked source address – is straightforward. For some examples, see 12.10.1 ISNs and spoofing 12.3 TCP Connection Establishment . , and SYN flooding at denial-of-service IP-address spoofing also facilitates an all-too-common IP-layer attack in which a server is flooded with a huge volume of traffic so as to reduce the bandwidth available to legitimate traffic to a trickle. This flooding traffic typically originates from a large number of compromised machines. Without spoofing, even a lengthy list of sources can be blocked, but, with spoofing, this becomes quite difficult. Record Route option, in which routers are to insert their own IPv4 address into One IPv4 option is the the IPv4 header option area. Unfortunately, with only ten words available, there is not enough space to record most longer routes (but see 7.11.1 Traceroute and Time Exceeded , below). The Timestamp option is related; intermediate routers are requested to mark packets with their address and a local timestamp (to save space, the option can request only timestamps). There is room for only four x address,timestamp y pairs, but addresses can be ; that is, the sender can include up to four IPv4 addresses and only those prespecified routers will fill in a timestamp. Another option, now deprecated as security risk, is to support source routing . The sender would insert into the IPv4 header option area a list of IPv4 addresses; the packet would be routed to pass through each of those IPv4 addresses in turn. With strict source routing, the IPv4 addresses had to represent adjacent neighbors; no router could be used if its IPv4 address were not on the list. With loose source routing, the 7.1 The IPv4 Header 187

198 An Introduction to Computer Networks, Release 1.9.18 listed addresses did not have to represent adjacent neighbors and ordinary IPv4 routing was used to get from one listed IPv4 address to the next. Both forms are essentially never used, again for security reasons: if a packet has been source-routed, it may have been routed outside of the at-least-somewhat trusted zone of the Internet backbone. Finally, the IPv4 header was carefully laid out with memory alignment in mind. The 4-byte address fields are aligned on 4-byte boundaries, and the 2-byte fields are aligned on 2-byte boundaries. All this was once considered important enough that incoming packets were stored following two bytes of padding at the head of their containing buffer, so the IPv4 header, starting after the 14-byte Ethernet header, would be aligned on a 4-byte boundary. Today, however, the architectures for which this sort of alignment mattered have mostly faded away; alignment is a non-issue for ARM and Intel x86 processors. 7.2 Interfaces . interfaces IP addresses (both IPv4 and IPv6) are, strictly speaking, assigned not to hosts or nodes, but to In the most common case, where each node has a single LAN interface, this is a distinction without a dif- eth0 ference. In a room full of workstations each with a single Ethernet interface Ethernet (or perhaps adapter Local Area Connection ), we might as well view the IP address assigned to the interface as assigned to the workstation itself. Each of those workstations, however, likely also has a loopback interface (at least conceptually), providing a way to deliver IP packets to other processes on the same machine. On many systems, the name “local- host” resolves to the IPv4 loopback address 127.0.0.1 (the IPv6 address ::1 is also used); see 7.3 Special Addresses . Delivering packets to the loopback interface is simply a form of interprocess communication; a functionally similar alternative is named pipes. Loopback delivery avoids the need to use the LAN at all, or even the need to have a LAN. For simple client/server testing, it is often convenient to have both client and server on the same machine, in which case the loopback interface is a convenient (and fast) standin for a “real” network interface. On unix-based lo machines the loopback interface represents a genuine logical interface, commonly named . On Windows systems the “interface” may not represent an actual operating-system entity, but this is of practical concern only to those interested in “sniffing” all loopback traffic; packets sent to the loopback address are still delivered as expected. Workstations often have special other interfaces as well. Most recent versions of Microsoft Windows have a Teredo Tunneling pseudo-interface and an Automatic Tunneling pseudo-interface; these are both intended (when activated) to support IPv6 connectivity when the local ISP supports only IPv4. The Teredo protocol is documented in RFC 4380 . When VPN connections are created, as in 3.1 Virtual Private Networks , each end of the logical connection typically terminates at a virtual interface (one of these is labeled in the diagram of 3.1 Virtual Private tun0 Networks ). These virtual interfaces appear, to the systems involved, to be attached to a point-to-point link that leads to the other end. When a computer hosts a virtual machine, there is almost always a virtual network to connect the host and virtual systems. The host will have a virtual interface to connect to the virtual network. The host may act as a NAT router for the virtual machine, “hiding” that virtual machine behind its own IP address, or it may act as an Ethernet switch, in which case the virtual machine will need an additional public IP address. 188 7 IP version 4

199 An Introduction to Computer Networks, Release 1.9.18 What’s My IP Address? This simple-seeming question is in fact not very easy to answer, if by “my IP address” one means the IP address assigned to the interface that connects directly to the Internet. One strategy is to find the address with the Java NetworkInterface of the default router, and then iterate through all interfaces ( eg class) to find an IP address with a matching network prefix; a Python3 example of this approach appears 18.5.1 . Unfortunately, finding the default router (to identify the primary in Multicast Programming interface) is hard to do in an OS-independent way, and even then this approach can fail if the Wi-Fi and Ethernet interfaces both are assigned IP addresses on the same network, but only one is actually connected. Routers always have at least two interfaces on two separate IP networks. Generally this means a separate IP address for each interface, though some point-to-point interfaces can be used without being assigned any IP address ( 7.12 Unnumbered Interfaces ). 7.2.1 Multihomed hosts multihomed A non-router host with multiple non-loopback network interfaces is often said to be . Many laptops, for example, have both an Ethernet interface and a Wi-Fi interface. Both of these can be used simultaneously, with different IP addresses assigned to each. On residential networks the two interfaces will eg the same bridged Wi-Fi/Ethernet LAN); at more security-conscious often be on the same IP network ( sites the Ethernet and Wi-Fi interfaces are often on quite different IP networks (though see 7.9.5 ARP and multihomed hosts ). Multiple physical interfaces are not actually needed here; it is usually possible to assign multiple IP ad- dresses to a single interface. Sometimes this is done to allow two IP networks (two distinct prefixes) to share a single physical LAN; in this case the interface would be assigned one IP address for each IP net- work. Other times a single interface is assigned multiple IP addresses on the same IP network; this is often done so that one physical machine can act as a server ( eg a web server) for multiple distinct IP addresses corresponding to multiple distinct domain names. Multihoming raises some issues with packets addressed to one interface, A, with IP address A , but which IP arrive via another interface, B, with IP address B . Strictly speaking, such arriving packets should be IP discarded unless the host is promoted to functioning as a router. In practice, however, the strict interpretation should work to reach the host often causes problems; a typical user understanding is that the IP address A IP even if the physical connection is to interface B. A related issue is whether the host receiving such a packet on interface B is allowed to send its reply with source address A , even though the reply addressed to A IP IP must be sent via interface B. RFC 1122 , §3.3.4, defines two alternatives here: • The Strong End-System model: IP addresses – incoming and outbound – must match the physical interface. • The Weak End-System model: A match is not required: interface B can accept packets addressed to A . , and send packets with source address A IP IP Linux systems generally use the weak model by default. See also 7.9.5 ARP and multihomed hosts . 7.2 Interfaces 189

200 An Introduction to Computer Networks, Release 1.9.18 While it is important to be at least vaguely aware of the special cases that multihoming presents, we empha- size again that in most ordinary contexts each end-user workstation has one IP address that corresponds to a LAN connection. 7.3 Special Addresses A few IPv4 addresses represent special cases. While the standard IPv4 loopback address is 127.0.0.1, any IPv4 address beginning with 127 can serve as a loopback address. Logically they all represent the current host. Most hosts are configured to resolve the name “localhost” to 127.0.0.1. However, any loopback address – 127.255.37.59 – should work, eg with eg . For an example using 127.0. 1 .0, see ping . 7.8 DNS Private addresses eg either behind a NAT firewall or are IPv4 addresses intended only for site internal use, eg intended to have no Internet connectivity at all. If a packet shows up at any non-private router ( at an ISP router), with a private IPv4 address as either source or destination address, the packet should be dropped. Three standard private-address blocks have been defined: • 10.0.0.0/8 • 172.16.0.0/12 • 192.168.0.0/16 The last block is the one from which addresses are most commonly allocated by DHCP servers ( 7.10.1 NAT, DHCP and the Small Office ) built into NAT routers. are a special form of IPv4 address intended to be used in conjunction with LAN-layer Broadcast addresses broadcast. The most common forms are “broadcast to this network”, consisting of all 1-bits, and “broadcast to network D”, consisting of D’s network-address bits followed by all 1-bits for the host bits. If you try to send a packet to the broadcast address of a remote network D, the odds are that some router involved will refuse to forward it, and the odds are even higher that, once the packet arrives at a router actually on network D, that router will refuse to broadcast it. Even addressing a broadcast to one’s own network will fail if the eg ATM). underlying LAN does not support LAN-level broadcast ( The highly influential early Unix implementation Berkeley 4.2 BSD used 0-bits for the broadcast bits, in- stead of 1’s. As a result, to this day host bits cannot be all 1-bits or all 0-bits in order to avoid confusion with the IPv4 broadcast address. One consequence of this is that a Class C network has 254 usable host addresses, not 256. 7.3.1 Multicast addresses IPv4 multicast addresses remain as the last remnant of the Class A/B/C strategy: multicast ad- Finally, dresses are Class D, with first byte beginning 1110 (meaning that the first byte is, in decimal, 224-239). Multicasting means delivering to a specified set of addresses, preferably by some mechanism more efficient than sending to each address individually. A reasonable goal of multicast would be that no more than one copy of the multicast packet traverses any given link. Support for IPv4 multicast requires considerable participation by the backbone routers involved. For exam- ple, if hosts A, B and C each connect to different interfaces of router R1, and A wishes to send a multicast 190 7 IP version 4

201 An Introduction to Computer Networks, Release 1.9.18 packet to B and C, then it is up to R1 to receive the packet, figure out that B and C are the intended recipients, twice , once for B’s interface and once for C’s. R1 must also keep track of what hosts and forward the packet and what hosts have left. Due to this degree of router participation, back- have joined the multicast group bone router support for multicasting has not been entirely forthcoming. A discussion of IPv4 multicasting appears in 20 Quality of Service . 7.4 Fragmentation If you are trying to interconnect two LANs (as IP does), what else might be needed besides Routing and Addressing? IPv4 (and IPv6) explicitly assumes all packets are composed on 8-bit bytes (something not universally true in the early days of IP; to this day the RFCs refer to “octets” to emphasize this requirement). IP also defines bit-order within a byte, and it is left to the networking hardware to translate properly. Neither byte size nor bit order, therefore, can interfere with packet forwarding. There is one more feature IPv4 must provide, however, if the goal is universal connectivity: it must ac- Maximum Transfer Unit commodate networks for which the maximum packet size, or , MTU, is smaller than the packet that needs forwarding. Otherwise, if we were using IPv4 to join Token Ring (MTU = 4kB, at least originally) to Ethernet (MTU = 1500B), the token-ring packets might be too large to deliver to the en route to another Token Ring. (Token Ring, in its day, Ethernet side, or to traverse an Ethernet backbone did commonly offer a configuration option to allow Ethernet interoperability.) So, IPv4 must support fragmentation, and thus also reassembly. There are two potential strategies here: fragmentation and reassembly, where the reassembly is done at the opposite end of the link (as in per-link ATM), and path fragmentation and reassembly, where reassembly is done at the far end of the path. The latter approach is what is taken by IPv4, partly because intermediate routers are too busy to do reassembly (this is as true today as it was in 1981 when RFC 791 was published), partly because there is no absolute guarantee that all fragments will go to the same next-hop router, and partly because IPv4 fragmentation has always been seen as the strategy of last resort. IDENT An IPv4 sender is supposed to use a different value for the field for different packets, at least up until the field wraps around. When an IPv4 datagram is fragmented, the fragments keep the same IDENT field, so this field in effect indicates which fragments belong to the same packet. Fragment Offset field marks the start position of the data portion of this fragment After fragmentation, the 16 within the data portion of the original IPv4 packet. Note that the start position can be a number up to 2 , the maximum IPv4 packet length, but the FragOffset field has only 13 bits. This is handled by requiring the data portions of fragments to have sizes a multiple of 8 (three bits), and left-shifting the FragOffset value by 3 bits before using it. As an example, consider the following network, where MTUs are excluding the LAN header: MTU 1500 MTU 1000 MTU 400 MTU 1500 A A R1 R2 R3 B Suppose A addresses a packet of 1500 bytes to B, and sends it via the LAN to the first router R1. The packet contains 20 bytes of IPv4 header and 1480 of data. R1 fragments the original packet into two packets of sizes 20+976 = 996 and 20+504=544. Having 980 7.4 Fragmentation 191

202 An Introduction to Computer Networks, Release 1.9.18 bytes of payload in the first fragment would fit, but violates the rule that the sizes of the data portions be divisible by 8. The first fragment packet has FragOffset = 0; the second has FragOffset = 976. R2 re fragments the first fragment into three packets as follows: • first: size = 20+376=396, FragOffset = 0 • second: size = 20+376=396, FragOffset = 376 • third: size = 20+224 = 244 (note 376+376+224=976), FragOffset = 752. R2 refragments the second fragment into two: • first: size = 20+376 = 396, FragOffset = 976+0 = 976 • second: size = 20+128 = 148, FragOffset = 976+376=1352 R3 then sends the fragments on to B, without reassembly. Note that it would have been slightly more efficient to have fragmented into four fragments of sizes 376, 376, 376, and 352 in the beginning. Note also that the packet format is designed to handle fragments of different sizes easily. The algorithm is based on multiple fragmentation with reassembly only at the final destination. Each fragment has its IPv4-header Total Length field set to the length of that fragment. We have not yet discussed the three flag bits. The first bit is reserved, and must be 0. The second bit is the Don’t Fragment , or DF, bit. If it is set to 1 by the sender then a router must fragment the packet and not must drop it instead; see 12.13 Path MTU Discovery for an application of this. The third bit is set to 1 for all fragments except the final one (this bit is thus set to 0 if no fragmentation has occurred). The third bit tells the receiver where the fragments stop. The receiver must take the arriving fragments and them into a whole packet. The fragments reassemble may not arrive in order – unlike in ATM networks – and may have unrelated packets interspersed. The reassembler must identify when different arriving packets are fragments of the same original, and must figure out how to reassemble the fragments in the correct order; both these problems were essentially trivial for ATM. Fragments are considered to belong to the same packet if they have the same IDENT field and also the same source and destination addresses and same protocol. As all fragment sizes are a multiple of 8 bytes, the receiver can keep track of whether all fragments have been received with a bitmap in which each bit represents one 8-byte fragment chunk. A 1 kB packet could have up to 128 such chunks; the bitmap would thus be 16 bytes. If a fragment arrives that is part of a new (and fragmented) packet, a buffer is allocated. While the receiver cannot know the final size of the buffer, it can usually make a reasonable guess. Because of the FragOffset field, the fragment can then be stored in the buffer in the appropriate position. A new bitmap is also allocated, and a reassembly timer is started. As subsequent fragments arrive, not necessarily in order, they too can be placed in the proper buffer in the proper position, and the appropriate bits in the bitmap are set to 1. If the bitmap shows that all fragments have arrived, the packet is sent on up as a completed IPv4 packet. If, on the other hand, the reassembly timer expires, then all the pieces received so far are discarded. 192 7 IP version 4

203 An Introduction to Computer Networks, Release 1.9.18 TCP connections usually engage in , and figure out the largest packet size they can Path MTU Discovery not send that will ). But it is not unusual, for example, entail fragmentation ( 12.13 Path MTU Discovery for UDP protocols to use fragmentation, especially over the short haul. In the Network File System (NFS) protocol, for example, UDP is used to carry 8 kB disk blocks. These are often sent as a single 8+ kB IPv4 packet, fragmented over Ethernet to five full packets and a fraction. Fragmentation works reasonably well here because most of the time the packets do not leave the Ethernet they started on. Note that this is an , not by an intermediate router. example of fragmentation done by the sender Finally, any given IP link may provide its own link-layer fragmentation and reassembly; we saw in that ATM does just this. Such link-layer mechanisms are, how- 3.5.1 ATM Segmentation and Reassembly ever, generally invisible to the IP layer. 7.5 The Classless IP Delivery Algorithm and a host portion IP Recall from Chapter 1 that any IPv4 address can be divided into a net portion IP ; net host the division point was determined by whether the IPv4 address was a Class A, a Class B, or a Class C. We also indicated in Chapter 1 that the division point was not always so clear-cut; we now present the delivery not assume a globally predeclared division point of the input algorithm, for both hosts and routers, that does IPv4 address into net and host portions. We will, for the time being, punt on the question of forwarding-table lookup() method available that, when given a destination address, returns lookup and assume there is a the next_hop neighbor. Instead of class-based divisions, we will assume that each of the IPv4 addresses assigned to a node’s inter- faces is configured with an associated length of the network prefix; following the slash notation of 1.10 IP - Internet Protocol , if B is an address and the prefix length is k = k then the prefix itself is B/k. As usual, B an ordinary host may have only one IP interface, while a router will always have multiple interfaces. Let D be the given IPv4 destination address; we want to decide if D is local or nonlocal . The host or router involved may have multiple IP interfaces, but for each interface the length of the network portion of the address will be known. For each network address B/k assigned to one of the host’s interfaces, we compare matches the first k bits of B and D; that is, we ask if D B/k. • If one of these comparisons yields a match, delivery is local ; the host delivers the packet to its final destination via the LAN connected to the corresponding interface. This means looking up the LAN address of the destination, if applicable, and sending the packet to that destination via the interface. • If there is no match, delivery is , and the host passes D to the lookup() routine of the nonlocal forwarding table and sends to the associated next_hop (which must represent a physically connected neighbor). It is now up to lookup() routine to make any necessary determinations as to how D might be split into D . and D lookup() ; the split cannot be made outside of net host The forwarding table is, abstractly, a set of network addresses – now also with lengths – each of the form B/k, with an associated next_hop destination for each. The lookup() routine will, in principle, compare D with bits). As with the local-delivery each table entry B/k, looking for a match (that is, equality of the first k = k B interfaces check above, the net/host division point (that is, k) will come from the table entry; it will not be inferred from D or from any other information borne by the packet. There is, in fact, no place in the IPv4 header to store a net/host division point, and furthermore different routers along the path may use different values of k with the same destination address D. Routers receive the prefix length /k for a destination B/k as part of the process by which they receive x destination,next_hop y pairs; see 9 Routing-Update Algorithms . 7.5 The Classless IP Delivery Algorithm 193

204 An Introduction to Computer Networks, Release 1.9.18 In we will see that in some cases multiple matches in the forwarding table may 10 Large-Scale IP Routing eg 147.0.0.0/8 and 147.126.0.0/16. The rule will be introduced for such cases to pick exist, longest-match the best match. Here is a simple example for a router with immediate neighbors A-E: destination next_hop 10.3.0.0/16 A 10.4.1.0/24 B C 10.4.2.0/24 D 10.4.3.0/24 E 10.3.37.0/24 The IPv4 addresses 10.3.67.101 and 10.3.59.131 both route to A. The addresses 10.4.1.101, 10.4.2.157 and 10.4.3.233 route to B, C and D respectively. Finally, 10.3.37.103 matches both A and E, but the E match is longer so the packet is routed that way. default The forwarding table may also contain a entry for the next_hop, which it may return in cases when the destination D does not match any known network. We take the view here that returning such a default entry is a valid result of the routing-table lookup() operation, rather than a third option to the algorithm above; one approach is for the default entry to be the next_hop corresponding to the destination 0.0.0.0/0, which does indeed match everything (use of this would definitely require the above longest-match rule, though). Default routes are hugely important in keeping leaf forwarding tables small. Even backbone routers some- times expend considerable effort to keep the network address prefixes in their forwarding tables as short as possible, through consolidation. At a site with a single ISP and with no Internet customers (that is, which is not itself an ISP for others), the top-level forwarding table usually has a single external route: its default route to its ISP. If a site has more than one ISP, however, the top-level forwarding table can expand in a hurry. For example, Internet2 is a consortium of research sites with very-high-bandwidth internal interconnections, acting as a sort of “parallel Internet”. Before Internet2, Loyola’s top-level forwarding table had the usual single external default route. After Internet2, we in effect had a second ISP and had to divide traffic between the commercial ISP and the Internet2 ISP. The default route still pointed to the commercial ISP, but the top-level forwarding table now had to have an entry for every individual Internet2 site, so that traffic to any of these sites would be forwarded via the Internet2 ISP. See exercise 5.0. Routers may also be configured to allow passing quality-of-service information to the lookup() method, as mentioned in Chapter 1, to support different routing paths for different kinds of traffic ( bulk file-transfer eg versus real-time). For a modest exception to the local-delivery rule described here, see below in 7.12 Unnumbered Interfaces . 7.6 IPv4 Subnets Subnets were the first step away from Class A/B/C routing: a large network ( eg a class A or B) could be divided into smaller IPv4 networks called subnets. Consider, for example, a typical Class B network such as Loyola University’s (originally 147.126.0.0/16); the underlying assumption is that any packet can be 194 7 IP version 4

205 An Introduction to Computer Networks, Release 1.9.18 delivered via the underlying LAN to any internal host. This would require a rather large LAN, and would require that a single physical LAN be used throughout the site. What if our site has more than one physical LAN? Or is really too big for one physical LAN? It did not take long for the IP world to run into this problem. Subnets were first proposed in RFC 917 , and became official with RFC 950 . Getting a separate IPv4 network prefix for each subnet is bad for routers: the backbone forwarding tables now must have an entry for every subnet instead of just for every site. What is needed is a way for a site to inside the appear to the outside world as a single IP network, but for further IP-layer routing to be supported site. This is what subnets accomplish. Subnets introduce : first we route to the primary network, then inside that site we route hierarchical routing to the subnet, and finally the last hop delivers to the host. Routing with subnets involves in effect moving the IP division line rightward. (Later, when we consider net CIDR, we will see the complementary case of moving the division line to the left.) For now, observe that moving the line rightward within a site does not affect the outside world at all; outside routers are not even aware of site-internal subnetting. In the following diagram, the outside world directs traffic addressed to 147.126.0.0/16 to the router R. Inter- nally, however, the site is divided into subnets. The idea is that traffic from 147.126.1.0/24 to 147.126.2.0/24 is routed, not switched; the two LANs involved may not even be compatible. Most of the subnets shown are of size /24, meaning that the third byte of the IPv4 address has become part of the network portion of the subnet’s address; one /20 subnet is also shown. RFC 950 would have disallowed the subnet with third byte 0, but having 0 for the subnet bits generally does work. Internet R R2 147.126.2.0/24 147.126.0.0/24 147.126.1.0/24 A D 147.126.3.0/24 147.126.16.0/20 What we want is for the internal routing to be based on the extended network prefixes shown, while exter- nally continuing to use only the single routing entry for 147.126.0.0/16. To implement subnets, we divide the site’s IPv4 network into some combination of physical LANs – the subnets –, and assign each a subnet address : an IPv4 network address which has the site’s IPv4 network 7.6 IPv4 Subnets 195

206 An Introduction to Computer Networks, Release 1.9.18 address as prefix. To put this more concretely, suppose the site’s IPv4 network address is A, and consists of n network bits (so the site address may be written with the slash notation as A/n); in the diagram above, A/n = 147.126.0.0/16. A subnet address is an IPv4 network address B/k such that: • The address B/k is within the site: the first n bits of B are the same as A/n’s n • B/k extends A/n: k ě An example B/k in the diagram above is 147.126.1.0/24. (There is a slight simplification here in that subnet to be prefixes; see below.) addresses do not absolutely have We now have to figure out how packets will be routed to the correct subnet. For incoming packets we could set up some proprietary protocol at the entry router to handle this. However, the more complicated situation is all those existing internal hosts that, under the class A/B/C strategy, would still believe they can deliver via the LAN to any site host, when in fact they can now only do that for hosts on their own subnet. We need a more general solution. We proceed as follows. For each subnet address B/k, we create a for B consisting of k 1-bits subnet mask followed by enough 0-bits to make a total of 32. We then make sure that every host and router in the site interfaces knows the subnet mask for every one of its . Hosts usually find their subnet mask the same way they find their IP address (by static configuration if necessary, but more likely via DHCP, below). Hosts and routers now apply the IP delivery algorithm of the previous section, with the proviso that, if a subnet mask for an interface is present, then the subnet mask is used to determine the number of address bits rather than the Class A/B/C mechanism. That is, we determine whether a packet addressed to destination D is deliverable locally via an interface with subnet address B/k and corresponding mask M by comparing D&M with B&M, where & represents bitwise AND; if the two match, the packet is local. This will generally involve a match of more bits than if we used the Class A/B/C strategy to determine the network portion of addresses D and B. As stated previously, given an address D with no other context, we will be able to determine the net- not eg work/host division point in general ( for outbound packets). However, that division point is not in fact is needed is a way to tell if a given destination host address D belongs to the current what we need. All that subnet, say B; that is, we need to compare the first k bits of D and B where k is the (known) length of B. In the diagram above, the subnet mask for the /24 subnets would be 255.255.255.0; bitwise ANDing any IPv4 address with the mask is the same as extracting the first 24 bits of the IPv4 address, that is, the subnet portion. The mask for the /20 subnet would be 255.255.240.0 (240 in binary is 1111 0000). In the diagram above none of the subnets overlaps or conflicts: the subnets 147.126.0.0/24 and 147.126.1.0/24 are disjoint. It takes a little more effort to realize that 147.126.16.0/20 does not overlap with the others, but note that an IPv4 address matches this network prefix only if the first four bits of the third byte are 0001, so the third byte itself ranges from decimal 32 to decimal 63 = binary 0001 1111. Note also that if host A = 147.126.0.1 wishes to send to destination D = 147.126.1.1, and A is subnet- not aware, then delivery will fail: A will infer that the interface is a Class B, and therefore compare the first two bytes of A and D, and, finding a match, will attempt direct LAN delivery. But direct delivery is now likely impossible, as the subnets are not joined by a switch. Only with the subnet mask will A realize that its network is 147.126.0.0/ 24 while D’s is 147.126.1.0/24 and that these are not the same. A would still be able to send packets to its own subnet. In fact A would still be able to send packets to the outside world: it would realize that the destination in that case does not match 147.126.0.0/16 and will thus forward to its router. Hosts on other subnets would be the only unreachable ones. 196 7 IP version 4

207 An Introduction to Computer Networks, Release 1.9.18 Properly, the subnet address is the entire prefix, 147.126.65.0/24. However, it is often convenient to eg identify the subnet address with just those bits that represent the extension of the site IPv4-network address; we might thus say casually that the subnet address here is 65. The class-based IP-address strategy allowed any host anywhere on the Internet to properly separate any address into its net and host portions. With subnets, this division point is now allowed to vary; for example, the address 147.126.65.48 divides into 147.126 | 65.48 outside of Loyola, but into 147.126.65 | 48 inside. This means that the net-host division is no longer an absolute property of addresses, but rather something that depends on where the packet is on its journey. Technically, we also need the requirement that given any two subnet addresses of different, disjoint subnets, neither is a proper prefix of the other. This guarantees that if A is an IP address and B is a subnet address with mask M (so B = B&M), then A&M = B implies A does not match any other subnet. Regardless of the net/host division rules, we cannot possibly allow subnet 147.126.16.0/20 to represent one LAN while 147.126.16.0/24 represents another; the second subnet address block is a subset of the first. (We , can and sometimes do, allow the first LAN to correspond to everything in 147.126.16.0/20 that is not also in 147.126.16.0/24; this is the longest-match rule.) The strategy above is actually a slight simplification of what the subnet mechanism actually allows: subnet address bits do not in fact have to be contiguous, and masks do not have to be a series of 1-bits followed by 0-bits. The mask can be any bit-mask; the subnet address bits are by definition those where there is a 1 in the mask bits. For example, we could at a Class-B site use the fourth byte as the subnet address, and the third byte as the host address. The subnet mask would then be 255.255.0.255. While this generality was once sometimes useful in dealing with “legacy” IPv4 addresses that could not easily be changed, life is simpler when the subnet bits precede the host bits. 7.6.1 Subnet Example As an example of having different subnet masks on different interfaces, let us consider the division of a class-C network into subnets of size 70, 40, 25, and 20. The subnet addresses will of necessity have different lengths, as there is not room for four subnets each able to hold 70 hosts. • A: size 70 • B: size 40 • C: size 25 • D: size 20 Because of the different subnet-address lengths, division of a local IPv4 address LA into net versus host on subnets cannot be done in isolation, without looking at the host bits. However, that division is not in fact what we need. All that is needed is a way to tell if the local address LA belongs to a given subnet, say B; that is, we need to compare the first n bits of LA and B, where n is the length of B’s subnet mask. We do this by comparing LA&M to B&M, where M is the mask corresponding to n. LA&M is not necessarily the same as LA , if LA actually belongs to one of the other subnets. However, if LA&M = B&M, then LA net must belong subnet B, in which case LA&M is in fact LA . net We will assume that the site’s IPv4 network address is 200.0.0.0/24. The first three bytes of each subnet address must match 200.0.0. Only some of the bits of the fourth byte will be part of the subnet address, so 7.6 IPv4 Subnets 197

208 An Introduction to Computer Networks, Release 1.9.18 we will switch to binary for the last byte, and use both the /n notation (for total number of subnet bits) and also add a vertical bar | to mark the separation between subnet and host. Example: 200.0.0.10 | 00 0000 / 26 Note that this means that the 0-bit following the 1-bit in the fourth byte is “significant” in that for a subnet to match, it must match this 0-bit exactly. The remaining six 0-bits are part of the host portion. To allocate our four subnet addresses above, we start by figuring out just how many host bits we need in each subnet. Subnet sizes are always powers of 2, so we round up the subnets to the appropriate size. For 7 = 128 hosts, and so we have a single bit in the subnet A, this means we need 7 host bits to accommodate 2 fourth byte to devote to the subnet address. Similarly, for B we will need 6 host bits and will have 2 subnet bits, and for C and D we will need 5 host bits each and will have 8-5=3 subnet bits. We now start choosing non-overlapping subnet addresses. We have one bit in the fourth byte to choose for every other subnet address must A’s subnet; rather arbitrarily, let us choose this bit to be 1. This means that have a 0 in the first bit position of the fourth byte, or we would have ambiguity. Now for B’s subnet address. We have two bits to work with, and the first bit must be 0. Let us choose the second bit to be 0 as well. If the fourth byte begins 00, the packet is part of subnet B, and the subnet addresses for C and D must therefore begin 00. not Finally, we choose subnet addresses for C and D to be 010 and 011, respectively. We thus have subnet address bits in fourth byte host bits in 4th byte decimal range size 128 1 7 128-255 A B 64 00 6 0-63 C 32 5 64-95 010 32 011 D 96-127 5 As desired, none of the subnet addresses in the third column is a prefix of any other subnet address. The end result of all of this is that routing is now hierarchical : we route on the site IP address to get to a site, and then route on the subnet address within the site. 7.6.2 Links between subnets Suppose the Loyola CS department subnet (147.126.65.0/24) and a department at some other site, we will say 147.100.100.0/24, install a private link. How does this affect routing? Each department router would add an entry for the other subnet, routing along the private link. Traffic addressed to the other subnet would take the private link. All other traffic would go to the default router. Traffic from the remote department to 147.126.6 4 .0/24 would take the long route, and Loyola traffic to 147.100.10 1 .0/24 would take the long route. Subnet anecdote A long time ago I was responsible for two hosts, abel and borel. One day I was informed that machines in computer lab 1 at the other end of campus could not reach borel, though they could reach abel. Machines 198 7 IP version 4

209 An Introduction to Computer Networks, Release 1.9.18 in lab 2, to lab 1, however, could reach both borel and abel just fine. What was the difference? adjacent It turned out that borel had a bad (/16 instead of /24) subnet mask, and so it was attempting local delivery to the labs. This should have meant it could reach neither of the labs, as both labs were on a different subnet from my machines; I was still perplexed. After considerably more investigation, it turned out that bridge-router : a hybrid device that properly routed subnet between abel/borel and the lab building was a traffic at the IP layer, but which also forwarded Ethernet packets directly, the latter feature apparently for the purpose of backwards compatibility. Lab 2 was connected directly to the bridge-router and thus appeared to be on the same LAN as borel, despite the apparently different subnet; lab 1 was connected to its own router R1 which in turn connected to the bridge-router. Lab 1 was thus, at the LAN level, isolated from abel and borel. Moral 1: Switching and routing are both great ideas, alone. But switching at one layer mixed with routing at another is not. Moral 2: Test thoroughly! The reason the problem wasn’t noticed earlier was that previously borel communicated only with other hosts on its own subnet and with hosts outside the university entirely. Both of these worked with the bad subnet mask; it was different-subnet local hosts that were the problem. How would nearby subnets at either endpoint decide whether to use the private link? Classical link-state or 9 Routing-Update Algorithms distance-vector theory ( ) requires that they be able to compare the private- link route with the going-around-the-long-way route. But this requires a global picture of relative routing costs, which, as we shall see, almost certainly does not exist. The two departments are in different routing domains; if neighboring subnets at either end want to use the private link, then manual configuration is likely the only option. 7.6.3 Subnets versus Switching A frequent network design question is whether to have many small subnets or to instead have just a few (or even only one) larger subnet. With multiple small subnets, IP would be used to interconnect them; routing the use of larger subnets would replace much of that routing with LAN-layer communication, likely Eth- ernet switching . Debates on this route-versus-switch question have gone back and forth in the networking community, with one aphorism summarizing a common view: Switch when you can, route when you must This aphorism reflects the idea that switching is faster, cheaper and easier to configure, and that subnet boundaries should be drawn only where “necessary”. Ethernet switching equipment is indeed generally cheaper than routing equipment, for the same overall level of features and reliability. And traditional switching requires relatively little configuration, while to implement subnets not only must the subnets be created by hand but one must also set up and configure the routing-update protocols. However, the price difference between switching and routing is not always significant in the big picture, and the configuration involved is often straightforward. Somewhere along the way, however, switching has acquired a reputation – often deserved – for being faster than routing. It is true that routers have more to do than switches: they must decrement TTL, update the header checksum, and attach a new LAN header. But these things are relatively minor: a larger reason many routers are slower than switches may simply be that they are inevitably asked to serve as firewalls . This means “deep inspection” of every packet, eg comparing every packet to each of a large number of firewall 7.6 IPv4 Subnets 199

210 An Introduction to Computer Networks, Release 1.9.18 rules. The firewall may also be asked to keep track of connection state. All this drives down the forwarding rate, as measured in packets-per-second. Traditional switching scales remarkably well, but it does have limitations. First, broadcast packets must be forwarded throughout a switched network; they do not, however, pass to different subnets. Second, LAN networks do not like redundant links (that is, loops); while one can rely on the spanning-tree algorithm to eliminate these, that algorithm too becomes less efficient at larger scales. The rise of software-defined networking ( 2.8 ) has blurred the distinction Software-Defined Networking between routing and switching. The term “Layer 3 switch” is sometimes used to describe routers that in effect do not support all the usual firewall bells and whistles. These are often SDN Ethernet switches 2.8 ( ) that are making forwarding decisions based on the contents of the Software-Defined Networking IP header. Such streamlined switch/routers may also be able to do most of the hard work in specialized hardware, another source of speedup. But SDN can do much more than IP-layer forwarding, by taking advantage of site-specific layout informa- tion. One application, of a switch hierarchy for traffic entering a datacenter, appears in 2.8.1 OpenFlow . Other SDN applications include enabling Ethernet topologies with loops, offloading large-volume Switches flows to alternative paths, and implementing policy-based routing as in 9.6 Routing on Other Attributes . Some SDN solutions involve site-specific programming, but others work more-or-less out of the box. Loca- tions with switch-versus-route issues are likely to turn increasingly to SDN in the future. 7.7 Network Address Translation What do you do if your ISP assigns to you a single IPv4 address and you have two computers? The solution is Network Address Translation, or . NAT’s ability to “multiplex” an arbitrarily large number of indi- NAT vidual hosts behind a single IPv4 address (or small number of addresses) makes it an important tool in the conservation of IPv4 addresses. It also, however, enables an important form of firewall-based security. It is RFC 3022 , where this is called NAPT, or Network Address Port Translation. documented in The basic idea is that, instead of assigning each host at a site a publicly visible IPv4 address, just one such address is assigned to a special device known as a NAT router. A NAT router sold for residential or small- office use is commonly simply called a “router”, or (somewhat more precisely) a “residential gateway”. One side of the NAT router connects to the Internet; the other connects to the site’s internal network. Hosts on the internal network are assigned private IP addresses ( 7.3 Special Addresses ), typically of the form or 192.168.x.y or 10.x.y.z. Connections to internal hosts that originate in the outside world are banned. When an internal machine wants to connect to the outside, the NAT router intercepts the connection, and forwards the connection’s packets after rewriting the source address to make it appear they came from the NAT router’s own IP address, shown below as 200.1.2.37. 200 7 IP version 4

211 An Introduction to Computer Networks, Release 1.9.18 10.0.0.10 host A 10.0.0.11 10.0.0.1 200.1.2.37 NAT Internet host B router 10.0.0.12 host C The remote machine responds, sending its responses to the NAT router’s public IPv4 address. The NAT router remembers the connection, having stored the connection information in a special forwarding table, and forwards the data to the correct internal host, rewriting the destination-address field of the incoming packets. The NAT forwarding table also includes port numbers. That way, if two internal hosts attempt to connect to the same external host, the NAT router can tell which packets belong to which. For example, suppose internal hosts A and B each connect from port 3000 to port 80 on external hosts S and T, respectively. Here is what the NAT forwarding table might look like. No columns for the NAT router’s own IPv4 addresses are needed; we shall let NR denote the router’s external address. remote port outside source port inside host inside port remote host 80 A S 3000 3000 80 B 3000 T 3000 x A,3000 y A packet to S from x NR,3000 y . A packet from x S,80 y would be rewritten so that the source was addressed to x NR,3000 y would be rewritten and forwarded to x A,3000 y . Similarly, a packet from x T,80 y addressed to x y would be rewritten and forwarded to x B,3000 y ; the NAT table takes into account NR,3000 the source host and port as well as the destination. Sometimes it is necessary for the NAT router to rewrite the internal-side port number as well; this happens if same port, to the same external host and port. For example, two internal hosts want to connect, each from the x , also from inside port 3000. This time the NAT router must y suppose B now opens a connection to S,80 remap the port number, because that is the only way to distinguish between packets from S,80 y back to A x and to B. With B’s second connection’s internal port remapped from 3000 to 3001, the new table is remote host remote port outside source port inside host inside port S 3000 A 3000 80 T 80 3000 B 3000 S 80 3001 B 3000 The NAT router does not create TCP connections between itself and the external hosts; it simply forwards packets (with rewriting). The connection endpoints are still the external hosts S and T and the internal hosts A and B. However, NR might very well monitor the TCP connections to know when they have closed, and so can be removed from the table. For UDP connections, NAT routers typically remove the forwarding entry after some period of inactivity; see 11 UDP Transport , exercise 14.0. 7.7 Network Address Translation 201

212 An Introduction to Computer Networks, Release 1.9.18 NAT still works for traffic without port numbers, such as network pings, though the above table is then some 7.11 Internet Control Message Protocol . not quite the whole story. See Done properly, NAT improves the security of a site, by making it impossible for an external host to probe or connect to any of the internal hosts. While this firewall feature is of great importance, essentially the same effect can be achieved without address translation, and with public IPv4 addresses for all internal hosts, by having the router refuse to forward incoming packets that are not part of existing connections. The router still needs to maintain a table like the NAT table above, in order to recognize such packets. The address translation itself, in other words, is not the source of the firewall security. That said, it is hard for a NAT ie to fail in a way that lets outside connections in. It is much easier for a non-NAT router to “fail open”; firewall to fail open. For the common residential form of NAT router, see . 7.10.1 NAT, DHCP and the Small Office 7.7.1 NAT Problems NAT router’s refusal to allow inbound connections is a source of occasional frustration. We illustrate some of these frustrations here, using Voice-over-IP (VoIP) and the call-setup protocol SIP ( ). The RFC 3261 basic strategy is that each phone is associated with a remote phone server . These phone servers, because they have to be able to accept incoming connections from anywhere, must not be behind NAT routers. The phones themselves, however, usually will be: Server1 Internet NAT2 NAT1 phone1 phone2 Server2 For phone1 to call phone2, phone1 first contacts Server1, which then contacts Server2. So far, all is well. The final step is for Server2 to contact phone2, which, however, cannot be done normally as NAT2 allows no inbound connections. One common solution is for phone2 to maintain a persistent connection to Server2 (and ditto for phone1 and Server1). By having these persistent phone-to-server connections, we can arrange for the phone to ring on incoming calls. As a second issue, somewhat particular to the SIP protocol, is that it is common for server and phone to prefer to use UDP port 5060 at both ends. For a single internal phone, it is likely that port 5060 will pass through without remapping, so the phone will appear to be connecting from the desired port 5060. However, if there are two phones inside (not shown above), one of them will appear to be connecting to the server from an alternative port. The solution here is to have the server tolerate such port remapping. VoIP systems run into a much more serious problem with NAT, however. Once the call between phone1 and phone2 is set up, the servers would prefer to step out of the loop, and have the phones exchange voice packets directly. The SIP protocol was designed to handle this by having each phone report to its respective server the UDP socket ( x IP address,port y pair) it intends to use for the voice exchange; the servers then 202 7 IP version 4

213 An Introduction to Computer Networks, Release 1.9.18 report these phone sockets to each other, and from there to the opposite phones. This socket information is rendered incorrect by NAT, however, certainly the IP address and quite likely the port as well. If only one of the phones is behind a NAT firewall, it can initiate the voice connection to the other phone, but the other phone will see the voice packets arriving from a different socket than promised and will likely not recognize them as part of the call. If both phones are behind NAT firewalls, they will not be able to connect directly to one another at all. The common solution is for the VoIP server of a phone behind a NAT firewall to remain in the communications path, forwarding packets to its hidden partner. This works, but represents an unwanted server workload. If a site wants to make it possible to allow external connections to hosts behind a NAT router or other . This is the creation of a “virtual LAN link” that runs on top of a TCP firewall, one option is tunneling connection between the end user and one of the site’s servers; the end user can thus appear to be on one 3.1 Virtual Private Networks . Another option is to “open up” a of the organization’s internal LANs; see specific port: in essence, a static NAT-table entry is made connecting a specific port on the NAT router to a specific internal host and port (usually the same port). For example, all UDP packets to port 5060 on the NAT router might be forwarded to port 5060 on internal host A, even in the absence of any prior packet exchange. Gamers creating peer-to-peer game connections must also usually engage in some port-opening RFC 6887 configuration. The Port Control Protocol ( ) is sometimes used for this. NAT routers work very well when the communications model is of client-side TCP connections, originating from the inside and with public outside servers as destination. The NAT model works less well for peer-to- peer networking, as with the gamers above, where two computers, each behind a different NAT router, wish to establish a connection. Most NAT routers provide at least limited support for “opening” access to a given internal host,port y socket, by creating a semi-permanent forwarding-table entry. See also 12.24 Exercises , x exercise 2.5. NAT routers also often have trouble with UDP protocols, due to the tendency for such protocols to have the public server reply from a port than the one originally contacted. For example, if host A behind a different 11.2 Trivial File Transport Protocol, TFTP NAT router attempts to use TFTP ( ), and sends a packet to port new port, say 3000, and this reply is likely to be 69 of public server C, then C is likely to reply from some dropped by the NAT router as there will be no entry there yet for traffic from C,3000 y . x 7.7.2 Middleboxes Firewalls and NAT routers are sometimes classed as middleboxes : network devices that block, throttle or modify traffic beyond what is necessary for basic forwarding. Middleboxes play a very important role in network security, but they sometimes (as here with VoIP) break things. The word “middlebox” (versus “router” or “firewall”) usually has a perjorative connotation; middleboxes have, in some circles, acquired a rather negative reputation. NAT routers’ interference with VoIP, above, is a direct consequence of their function: NAT handles connec- tions from inside to outside quite well, but the NAT mechanism offers no support for connections from one inside to another inside. Sometimes, however, middleboxes block traffic when there is no technical reason to do so, simply because correct behavior has not been widely implemented. As an example, the SCTP protocol, 12.22.2 SCTP , has seen very limited use despite some putative advantages over TCP, largely due to lack of NAT-router support. SCTP cannot be used by residential users because the middleboxes have not kept up. A third category of middlebox-related problems is overzealous blocking in the name of security. SCTP 7.7 Network Address Translation 203

214 An Introduction to Computer Networks, Release 1.9.18 runs into this problem as well, though not quite as universally: a few routers simply drop all SCTP packets because they represent an “unknown” – and therefore suspect – type of traffic. There is a place for this block-by-default approach. If a datacenter firewall blocks all inbound TCP traffic except to port 80 (the HTTP port), and if SCTP is not being used within the datacenter intentionally, it is hard to argue against blocking all inbound SCTP traffic. But if the frontline router for home or office users blocks all outbound SCTP traffic, then the users cannot use SCTP. A consequence of overzealous blocking is that it becomes much harder to introduce new protocols. If a new protocol is blocked for even a small fraction of potential users, it is just not worth the effort. See also the ; the design of QUIC includes several elements to mitigate middlebox discussion at 12.22.4 QUIC Revisited problems. For another example of overzealous blocking by middleboxes, with the added element of spoofed TCP RST packets, see the sidebar at 14.8.3 Explicit Congestion Notification (ECN) . 7.8 DNS Domain Name System , DNS, is an essential companion protocol to IPv4 (and IPv6); an overview can The RFC 1034 be found in . It is DNS that permits users the luxury of not needing to remember numeric IP addresses. Instead of 162.216.18.28, a user can simply enter intronetworks.cs.luc.edu, and DNS will take care of looking up the name and retrieving the corresponding address. DNS also makes it easy to move DNS services from one server to another with a different IP address; as users will locate the service by name and not by IP address, they do not need to be notified. While DNS supports a wide variety of queries, for the moment we will focus on queries for IPv4 addresses, or so-called records. The AAAA record type is used for IPv6 addresses, and, internally, the NS record type A is used to identify the “name servers” that answer DNS queries. While a workstation can use TCP/IP without DNS, users would have an almost impossible time finding anything, and so the core startup configuration of an Internet-connected workstation almost always includes the IP address of its DNS server (see below for how 7.10 Dynamic Host Configuration Protocol (DHCP) startup configurations are often assigned). Most DNS traffic today is over UDP, although a TCP option exists. Due to the much larger response sizes, 22.12 DNSSEC ). TCP is often necessary for DNSSEC ( distributed , meaning that each domain is responsible for maintaining its own DNS is to DNS servers translate names to addresses. (DNS, in fact, is a classic example of a highly distributed database where each node maintains a relatively small amount of data.) It is hierarchical as well; for the DNS name intronetworks.cs.luc.edu the levels of the hierarchy are • : the top-level domain (TLD) for educational institutions in the US edu • luc : Loyola University Chicago • cs : The Loyola Computer Science Department • intronetworks : a hostname associated to a specific IP address The hierarchy of DNS names (that is, the set of all names and suffixes of names) forms a tree, but it is not only leaf nodes that represent individual hosts. In the example above, domain names luc.edu and cs.luc.edu happen to be valid hostnames as well. 204 7 IP version 4

215 An Introduction to Computer Networks, Release 1.9.18 The DNS hierarchy is in a great many cases not very deep, particularly for DNS names assigned to commer- cial websites. Such domain names are often simply the company name (or a variant of it) followed by the top-level domain (often .com ). Still, internally most organizations have many individually named behind- the-scenes servers with three-level (or more) domain names; sometimes some of these can be identified by viewing the source of the web page and searching it for domain names. Top-level domains are assigned by ICANN. The original top-level domains were seven three-letter domains , .net , .org , .int – .edu , .mil and .gov – and the two-letter country-code domains ( eg .com , .aero , .us, .ca, .mx). Now there are hundreds of non-country top-level domains, such as , .info , .biz and, apparently, .wtf. Domain names (and subdomain names) can also contain unicode characters, so as to generic support national alphabets. Some top-level domains are , meaning anyone can apply for a subdomain although there may be qualifying criteria. Other top-level domains are sponsored , meaning the sponsoring organization determines who can be assigned a subdomain, and so the qualifying criteria can be a little more arbitrary. ICANN still must approve all new top-level domains. Applications are accepted only during specific in- tervals; the application fee for the 2012 interval was US$185,000. The actual leasing of domain names to companies and individuals is done by organizations known as who work under contract domain registrars with ICANN. The full tree of all DNS names and prefixes is divided administratively into zones : a zone is an independently managed subtree, minus any sub-subtrees that have been placed – by delegation – into their own zone. Each zone has its own root DNS name that is a suffix of every DNS name in the zone. For example, the luc. edu zone contains most of Loyola’s DNS names, but cs.luc.edu has been spun off into its own zone. A zone cannot be the disjoint union of two subtrees; that is, cs.luc.edu math.luc.edu must be and two distinct zones, unless both remain part of their parent zone. A zone can define DNS names more than one level deep. For example, the zone can define luc.edu luc.edu name itself, for names with one additional level such as www.luc.edu , and for records for the names with two additional levels such as . That said, it is common for each zone to www.cs.luc.edu handle only one additional level, and to create subzones for deeper levels. Each zone has its own authoritative nameservers for the zone, which are charged with maintaining the records – known as resource records , or RRs – for that zone. Each zone must have at least two nameservers, for redundancy. IPv4 addresses are stored as so-called A records , for Address. Information about how to find sub-zones is stored as NS records , for Name Server. Additional resource-record types are discussed at . An authoritative nameserver need not be part of the organization that manages 7.8.2 Other DNS Records the zone, and a single server can be the authoritative nameserver for multiple unrelated zones. For example, many domain registrars maintain single nameservers that handle DNS queries for all their domain customers who do not wish to set up their own nameservers. The root nameservers handle the zone that is the root of the DNS tree; that is, that is represented by the DNS name that is the empty string. As of 2019, there are thirteen of them. The root nameservers contain only NS records, identifying the nameservers for all the immediate subzones. Each top-level domain is its own such subzone. The IP addresses of the root nameservers are widely distributed. Their DNS names (which a.root.servers.net through are only of use if some DNS lookup mechanism is already present) are m.root-servers.net . These names today correspond not to individual machines but to clusters of up to hundreds of servers. We can now put together a first draft of a DNS lookup algorithm. To find the IP address of intronet- works.cs.luc.edu, a host first contacts a root nameserver (at a known address) to find the nameserver for the 7.8 DNS 205

216 An Introduction to Computer Networks, Release 1.9.18 edu edu nameserver is then queried to find the name- zone; this involves the retrieval of an NS record. The luc.edu zone, which in turn supplies the NS record giving the address of the server for the cs.luc.edu zone. This last has an A record for the actual host. (This example is carried out in detail below.) DNS Policing It is sometimes suggested that if a site is engaged in illegal activity or copyright infringement, such as thepiratebay.se, its domain name should be seized. The problem with this strategy is that it is straight- forward for users to set up “nonstandard” nameservers (for example the Gnu Name System, GNS) that continue to list the banned site. This strategy has a defect in that it would send much too much traffic to the root nameservers. Instead, there exists a great number of local and semi-local “DNS servers” that we will call resolvers (though, confusingly, non -authoritative nameservers). A these are sometimes also known as “nameservers” or, more precisely, resolver is a host charged with looking up DNS names on behalf of a user or set of users, and returning corresponding addresses; for this reason they are sometimes called nameservers (we return to recursive recursive DNS lookups below). Most ISPs and companies provide a resolver to handle the DNS needs of their customers and employees; we site resolvers . The IP addresses of these site resolvers is generally supplied via DHCP will refer to these as 7.10 Dynamic Host Configuration Protocol (DHCP) ); such resolvers are thus the default choice options ( for DNS services. Sometimes, however, users elect to use a DNS resolver not provided by their ISP or company; there are a number of public DNS servers (that is, resolvers) available. Such resolvers generally serve much larger areas. Common choices include OpenDNS, Google DNS (at 8.8.8.8), Cloudflare (at 1.1.1.1) and the Gnu Name System mentioned in the sidebar above, though there are many others. Searching for “public DNS server” turns up lists of them. One advantage of using a public DNS server is that your local ISP can no longer track your DNS queries. On the other hand, the public server now , so this becomes a matter of which you trust more (or less). can Some public DNS servers provide additional services, such as automatically filtering out domain names associated with security risks, or content inappropriate for young users. Sometimes there is a fee for this service. A resolver uses the level-by-level algorithm above as a fallback, but also keeps a large cache of all the domain names (and other record types) that have been requested. A lifetime for each cache entry is provided by that entry’s authoritative nameserver; these lifetimes are typically on the order of several days. Every DNS record has a TTL (time-to-live) value representing its maximum cache lifetime. If I send a query to Loyola’s site resolver for google.com , it is almost certainly in the cache. If I send a query for the misspelling googel.com, this may not be in the cache, but the .com top-level nameserver almost certainly is in the cache. From that nameserver my local resolver finds the nameserver for the googel.com googel.com host. zone, and from that finds the IP address of the Applications almost always invoke DNS through library calls, such as Java’s InetAddress. getByName() . The library forwards the query to the system-designated resolver (though browsers some- times offer other DNS options; see 22.12.4 DNS over HTTPS ). We will return to DNS library calls in 11.1.3.3 The Client and 12.6.1 The TCP Client . 206 7 IP version 4

217 An Introduction to Computer Networks, Release 1.9.18 On unix-based systems, traditionally the IPv4 addresses of the local DNS resolvers were kept in a file / . Typically this file was updated with the addresses of the current resolvers by DHCP etc/resolv.conf ), at the time the system received its IPv4 address. It ( 7.10 Dynamic Host Configuration Protocol (DHCP) so that queries about /etc/resolv.conf is possible, though not common, to create special entries in different domains are sent to different resolvers, or so that single-level hostnames have a domain name appended to them before lookup. On Windows, similar functionality can be achieved through settings on the DNS tab within the Network Connections applet. eg Linux’s dnsmasq); such resolvers are sometimes Recent systems often run a small “stub” resolver locally ( forwarders . The entry in /etc/resolv.conf also called DNS localhost is then an IPv4 address of (sometimes 127.0. .1 rather than 127.0. 0 .1). Such a stub resolver would, of course, still need access to the 1 addresses of site or public resolvers; sometimes these addresses are provided by static configuration and sometimes by DHCP ( ). 7.10 Dynamic Host Configuration Protocol (DHCP) If a system running a stub resolver then runs internal virtual machines, it is usually possible to configure everything so that the virtual machines can be given an IP address of the host system as their DNS resolver. For example, often virtual machines are assigned IPv4 addresses on a private subnet and connect to the 7.7 Network Address Translation ). In such a setting, the virtual machines are outside world using NAT ( given the IPv4 address of the host system interface that connects to the private subnet. It is then necessary to ensure that, on the host system, the local resolver accepts queries sent not only to the designated loop- back address but also to the host system’s private-subnet address. (Generally, local resolvers do not accept requests arriving from externally visible addresses.) When someone submits a query for a nonexistent DNS name, the resolver is supposed to return an error NXDOMAIN message, technically known as (Non eXistent Domain). Some resolvers, however, have been configured to return the IP address of a designated web server; this is particularly common for ISP-provided site resolvers. Sometimes the associated web page is meant to be helpful, and sometimes it presents an offer to buy the domain name from a registrar. Either way, additional advertising may be displayed. Of course, this is completely useless to users who are trying to contact the domain name in question via a protocol (ssh, smtp) other than http. recursive At the DNS protocol layer, a DNS lookup query can be either non-recursive . If A sends to B or a recursive query to resolve a given DNS name, then B takes over the job until it is finally able to return an answer to A. If The query is non-recursive, on the other hand, then if B is not an authoritative nameserver for the DNS name in question it returns either a failure notice or an NS record for the sub-zone that is the next step on the path. Almost all DNS requests from hosts to their site or public resolvers are recursive. A basic DNS response consists of an ANSWER section, an AUTHORITY section and, optionally, an ADDI- TIONAL section. Generally a response to a lookup of a hostname contains an ANSWER section consisting of a single A record, representing a single IPv4 address. If a site has multiple servers that are entirely equiv- alent, however, it is possible to give them all the same hostname by configuring the authoritative nameserver to return, for the hostname in question, multiple A records listing, in turn, each of the server IPv4 addresses. This is sometimes known as round-robin DNS . It is a simple form of load balancing ; see also 18.9.5 load- balance31.py . Consecutive queries to the nameserver should return the list of A records in different orders; ideally the same should also happen with consecutive queries to a local resolver that has the hostname in its cache. It is also common for a single server, with a single IPv4 address, to be identified by multiple DNS names; see the next section. The response AUTHORITY section contains the DNS names of the authoritative nameservers responsible for the original DNS name in question. The ADDITIONAL section contains information the sender thinks is related; for example, this section often contains A records for the authoritative nameservers. 7.8 DNS 207

218 An Introduction to Computer Networks, Release 1.9.18 The Tor Project uses DNS-like names that end in “.onion”. While these are not true DNS names in that RFC 7686 . These they are not managed by the DNS hierarchy, they do work as such for Tor users; see names follow an unusual pattern: the next level of name is an 80-bit hash of the site’s RSA public key 22.9.1 RSA ), converted to sixteen ASCII bytes. For example, 3g2upl4pq6kufc4m.onion is apparently the ( Tor address for the search engine duckduckgo.com. Unlike DuckDuckGo, many sites try different RSA keys until they find one where at least some initial prefix of the hash looks more or less meaningful; for example, nytimes2tsqtnxek.onion . Facebook got very lucky in finding an RSA key whose corresponding Tor address is fortune is infatuated with the facebookcorewwwi.onion (though it is sometimes said that ). This naming strategy is a form of cryptographically generated addresses ; for another example wealthy see . The advantage of this naming strategy is that you don’t need a 8.6.4 Security and Neighbor Discovery certificate authority ( ) to verify a site’s RSA key; the site name does it for 22.10.2.1 Certificate Authorities you. 7.8.1 nslookup (and dig) intronetworks.cs.luc.edu , using the nslookup tool. The Let us trace a non-recursive lookup of nslookup tool is time-honored, but also not completely up-to-date, so we also include examples using the dig utility (supposedly an acronym for “domain Internet groper”). Lines we type in ’s interactive nslookup mode begin below with the prompt “>”; the shell prompt is “#”. All dig commands are typed directly at the shell prompt. The first step is to look up the IP address of the root nameserver a.name-servers.net . We can do this with a regular call to nslookup dig , we can look this up in our nameserver’s configuration files, or we or can search for it on the Internet. The address is 198.41.0.4. We now send our nonrecursive query to this address. The presence of the single hyphen in the nslookup command line below means that we want to use 198.41.0.4 as the nameserver rather than as the thing to be dig has places on the command line for both the nameserver (following the @ looked up; ) and the DNS name. For both commands, we use the norecurse option to send a nonrecursive query. # nslookup -norecurse - 198.41.0.4 > intronetworks.cs.luc.edu 't find intronetworks.cs.luc.edu: No answer Can *** # dig @198.41.0.4 intronetworks.cs.luc.edu +norecurse These fail because by default nslookup and dig ask for an A record. What we want is an NS record: the name of the next zone down to ask. (We can tell the dig query failed to find an A record because there are zero records in the ANSWER section) > set query=ns > intronetworks.cs.luc.edu edu nameserver = a.edu-servers.net ... a.edu-servers.net internet address = 192.5.6.30 # dig @198.41.0.4 intronetworks.cs.luc.edu NS +norecurse ;; AUTHORITY SECTION: edu. 172800 IN NS b.edu-servers.net. 208 7 IP version 4

219 An Introduction to Computer Networks, Release 1.9.18 ;; ADDITIONAL SECTION: b.edu-servers.net. 172800 IN A 192.33.14.30 The full responses in each case are a list of all nameservers for the .edu zone; we list only the first response in the query here is not an exact above. Note that the full DNS name intronetworks.cs.luc.edu in the resource record returned; the latter is a suffix of the former. Some match for the DNS name .edu newer resolvers send just the .edu part, to limit the user’s privacy exposure. We send the next NS query to a.edu-servers.net (which does appear in the full answer) dig # nslookup -query=ns -norecurse - 192.5.6.30 > intronetworks.cs.luc.edu ... Authoritative answers can be found from: luc.edu nameserver = bcdnswt1.it.luc.edu. bcdnswt1.it.luc.edu internet address = 147.126.64.64 # dig @192.5.6.30 intronetworks.cs.luc.edu NS +norecurse ;; AUTHORITY SECTION: luc.edu. 172800 IN NS bcdnswt1.it.luc.edu. ;; ADDITIONAL SECTION: bcdnswt1.it.luc.edu. 172800 IN A 147.126.64.64 (Again, we show only one of several luc.edu nameservers returned). We continue. # nslookup -query=ns - -norecurse 147.126.64.64 > intronetworks.cs.luc.edu ... Authoritative answers can be found from: cs.luc.edu nameserver = dns1.cs.luc.edu. ns1.cs.luc.edu internet address = 147.126.2.44 # dig @147.126.64.64 intronetworks.cs.luc.edu NS +norecurse ;; AUTHORITY SECTION: cs.luc.edu. 86400 IN NS ns1.cs.luc.edu. ;; ADDITIONAL SECTION: ns1.cs.luc.edu. 86400 IN A 147.126.2.44 We now ask this last nameserver, for the cs.luc.edu zone, for the A record: # nslookup -query=A -norecurse - 147.126.2.44 > intronetworks.cs.luc.edu ... intronetworks.cs.luc.edu canonical name = linode1.cs.luc.edu. Name: linode1.cs.luc.edu Address: 162.216.18.28 # dig @147.126.2.44 intronetworks.cs.luc.edu A +norecurse ;; ANSWER SECTION: intronetworks.cs.luc.edu. 300 IN A 162.216.18.28 This is the first time we get an ANSWER section (versus the AUTHORITY section) 7.8 DNS 209

220 An Introduction to Computer Networks, Release 1.9.18 Here we get a , or CNAME, record. The server that hosts intronetworks.cs.luc. canonical name also hosts several other websites, with different names; for example, introcs.cs.luc.edu (at least as of edu . Rather than provide separate A records for each website name, 2015). This is known as virtual hosting record for each website name pointing to a single physical server name CNAME DNS was set up to provide a . Only one A record is then needed, for this server. linode1.cs.luc.edu request for an A record returned instead the CNAME record, together with the A record The nslookup for that CNAME (this is the 162.216.18.28 above). This is done for convenience. Note that the IPv4 address here, 162.216.18.28, is unrelated to Loyola’s own IPv4 address block 147.126.0.0/16. The server linode1.cs.luc.edu is managed by an external provider; there is no connection between the DNS name hierarchy and the IP address hierarchy. www.cs.luc.edu and cs.luc.edu , we see they resolve to the same address. Finally, if we look up both www The use of as a hostname for a domain’s webserver is often considered unnecessary and old-fashioned; eg cs.luc.edu . many users prefer the shorter, “naked” domain name, cs.luc.edu It might be tempting to create a CNAME record for the naked domain, , pointing to the full hostname www.cs.luc.edu . However, RFC 1034 does not allow this: If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. There are, however, several other DNS data records for cs.luc.edu : an NS record (above), a SOA, or Start of Authority, record containing various administrative data such as the expiration time, and an MX record, discussed in the following section. All this makes and cs.luc.edu www.cs.luc.edu ineluctably quite different. RFC 1034 adds, “this rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.” A better way to create a naked-domain record, at least from the perspective of DNS, is to give it its own A record. This does mean that, if the webserver address changes, there are now two DNS records that need to be updated, but this is manageable. Recently ANAME records have been proposed to handle this issue; an ANAME is like a limited CNAME not subject to the RFC 1034 restriction above. An ANAME record for a naked domain, pointing to another hostname rather than to address, is legal. See the Internet draft draft-hunt-dnsop-aname. Some large CDNs 1.12.2 Content-Distribution Networks ) already implement similar DNS tweaks internally. This does not ( require end-user awareness; the user requests an A record and the ANAME is resolved at the CDN side. Finally, there is also an argument, at least when HTTP (web) traffic is involved, that the www not be deprecated, and that the naked domain should instead be redirected , at the HTTP layer, to the full hostname. This simplifies some issues; for example, you now have only one website, rather than two. You no longer have to be concerned with the fact that HTTP cookies with and without the “www” are different. And some CDNs may not be able to handle website failover to another server if the naked domain is reached via an A record. But none of these are DNS issues. 7.8.2 Other DNS Records Besides address lookups, DNS also supports a few other kinds of searches. The best known is probably reverse DNS , which takes an IP address and returns a name. This is slightly complicated by the fact that 210 7 IP version 4

221 An Introduction to Computer Networks, Release 1.9.18 one IP address may be associated with multiple DNS names. What DNS does in this case is to return the canonical name, or CNAME; a given address can have only one CNAME. Given an IPv4 address, say 147.126.1.230, the idea is to reverse it and append to it the suffix in-addr. arpa . 230.1.126.147. -addr.arpa in There is a DNS name hierarchy for names of this form, with zones and authoritative servers. If all this record has been configured – which it often is not, especially for user workstations – a request for the PTR corresponding to the above should return a DNS hostname. In the case above, the name luc.edu is returned (at least as of 2018). PTR records are the only DNS records to have an entirely separate hierarchy; other DNS types fit into the “standard” hierarchy. For example, DNS also supports MX, or Mail eXchange, records, meant to map a domain name (which might not correspond to any hostname, and, if it does, is more likely to correspond to the name of a web server) to the hostname of a server that accepts email on behalf of the domain. In effect eg this allows an organization’s domain name, , to represent both a web server and, at a different luc.edu IP address, an email server. MX records can even represent a of IP addresses that accept email. set DNS has from the beginning supported TXT records, for arbitrary text strings. The email Sender Policy Framework ( ) was developed to make it harder for email senders to pretend to be a domain they RFC 7208 are not; this involves inserting so-called SPF records as DNS TXT records (or as substrings of TXT records, if TXT is also being used for something else. google.com For example, a DNS query for TXT records of (not gmail.com!) might yield (2018) google.com text = "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e" google.com text = "v=spf1 include:_spf.google.com ~all" The SPF system is interested in only the second record; the “v=spf1” specifies the SPF version. This second record tells us to look up _spf.google.com . That lookup returns text = "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com Ñ ã include:_netblocks3.google.com ~all" Lookup of _netblocks.google.com then returns text = "v=spf1 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ã ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 Ñ ã Ñ ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all" If a host connects to an email server, and declares that it is delivering mail from someone at google.com, then the host’s email list should occur in the list above, or in one of the other included lists. If it does not, there is a good chance the email represents spam. Each DNS record (or “resource record”) has a name ( eg cs.luc.edu ) and a type ( eg A or AAAA or NS or ). Given a name and type, the set of matching resource records is known as the RRset for that name MX and type (technically there is also a “class”, but the class of all the DNS records we are interested in is IN , for Internet). When a nameserver responds to a DNS query, what is returned (in the ANSWER section) is always an entire RRset: the RRset of all resource records matching the name and type contained in the original query. 7.8 DNS 211

222 An Introduction to Computer Networks, Release 1.9.18 In many cases, RRsets have a single member, because many hosts have a single IPv4 address. However, this is not universal. We saw above the example of a single DNS name having multiple A records when round-robin DNS is used. A single DNS name might also have separate A records for the host’s public and private IPv4 addresses. And perhaps most MX-record (Mail eXchange) RRsets have multiple entries, as organizations often prefer, for redundancy, to have more than one server that can receive email. 7.8.3 DNS Cache Poisoning The classic DNS security failure, known as cache poisoning, occurs when an attacker has been able to convince a DNS resolver that the address of, say, www.example.com is something other than what it really is. A successful attack means the attacker can direct traffic meant for to the attacker’s www.example.com own, malicious site. The most basic cache-poisoning strategy is to send a stream of DNS reply packets to the resolver which declare that the IP address of www.example.com is the attacker’s chosen IP address. The source IP address of these packets should be spoofed to be that of the example.com authoritative nameserver; such spoofing is relatively easy using UDP. Most of these reply packets will be ignored, but the hope is that one will arrive shortly after the resolver has sent a DNS request to the authoritative nameserver, and example.com interprets the spoofed reply packet as a legitimate reply. To prevent this, DNS requests contain a 16-bit ID field; the DNS response must echo this back. The response must also come from the correct port. This leaves the attacker to guess 32 bits in all, but often the ID field (and even more often the port) can be guessed based on past history. Another approach requires the attacker to wait for the target resolver to issue a legitimate request to the attacker’s site, attacker.com . The attacker then piggybacks in the ADDITIONAL section of the reply message an A record for example.com pointing to the attacker’s chosen bad IP address for this site. The hope is that the receiving resolver will place these A records from the ADDITIONAL section into its cache without verifying them further and without noticing they are completely unrelated. Once upon a time, such DNS resolver behavior was common. Most newer DNS resolvers carefully validate the replies: the ID field must match, the source port must match, and any received DNS records in the ADDITIONAL section must match, at a minimum, the DNS zone of the request. Additionally, the request ID field and source port should be chosen pseudorandomly in a secure fashion. For additional vulnerabilities, see . RFC 3833 The central risk in cache poisoning is that a resolver can be tricked into supplying users with invalid DNS records. A closely related risk is that an attacker can achieve the same result by spoofing an authoritative nameserver. Both of these risks can be mitigated through the use of the DNS security extensions, known as DNSSEC . Because DNSSEC makes use of public-key signatures, we defer coverage to 22.12 DNSSEC . 7.8.4 DNS and CDNs 1.12.2 Content-Distribution Networks ) to identify their closest DNS is often pressed into service by CDNs ( “edge” server to a given user. Typically this involves the use of geoDNS , a slightly nonstandard variation of DNS. When a DNS query comes in to one of the CDN’s authoritative nameservers, that server 1. looks up the approximate location of the client ( 10.4.4 IP Geolocation ) 2. determines the closest edge server to that location 212 7 IP version 4

223 An Introduction to Computer Networks, Release 1.9.18 3. replies with the IP address of that closest edge server This works reasonably well most of the time. However, the requesting client is essentially never the end user; rather, it is the DNS resolver being used by the user. Typically such resolvers are the site resolvers provided by the user’s ISP or organization, and are physically quite close to the user; in this case, the edge server identified above will be close to the user as well. However, when a user has chosen a (likely remote) public DNS resolver, as above, the IP address returned for the CDN edge server will be close to the DNS resolver but likely far from optimal for the end user. One solution to this last problem is addressed by RFC 7871 , which allows DNS resolvers to include the IP address of the client in the request sent to the authoritative nameserver. For privacy reasons, usually only a prefix of the user’s IP address is included, perhaps /24. Even so, user’s privacy is at least partly RFC 7871 recommends that the feature be disabled by default, and only compromised. For this reason, enabled after careful analysis of the tradeoffs. A user who is concerned about the privacy issue can – in theory – configure their own DNS software to RFC 7871 option with a zero-length prefix of the user’s IP address, which conveys no address include this information. The user’s resolver will then not change this to a longer prefix. Use of this option also means that the DNS resolver receiving a user query about a given hostname can no longer simply return a cached answer from a previous lookup of the hostname. Instead, the resolver needs to x hostname,prefix y pair it handles, where the prefix is the prefix of the user’s IP address cache separately each forwarded to the authoritative nameserver. This has the potential to increase the cache size by several orders of magnitude, which may thereby enable some cache-overflow attacks. 7.9 Address Resolution Protocol: ARP If a host or router A finds that the destination IP address D = D matches the network address of one of IP its interfaces, it is to deliver the packet via the LAN (probably Ethernet). This means looking up the LAN address (MAC address) D corresponding to D . How does it do this? IP LAN One approach would be via a special server, but the spirit of early IPv4 development was to avoid such Address Resolution Protocol (ARP) is used. This servers, for both cost and reliability issues. Instead, the is our first protocol that takes advantage of the existence of LAN-level broadcast; on LANs without physical broadcast (such as ATM), some other mechanism (usually involving a server) must be used. The basic idea of ARP is that the host A sends out a broadcast ARP query or “who-has D ?” request, IP which includes A’s own IPv4 and LAN addresses. All hosts on the LAN receive this message. The host for whom the message is intended, D, will recognize that it should reply, and will return an ARP reply or “is-at” . Because the original request contained A , D’s response can be sent directly message containing D LAN LAN to A, that is, unicast. A B C D A broadcasts “who-has D” D replies to A, unicast, and includes its LAN address 7.9 Address Resolution Protocol: ARP 213

224 An Introduction to Computer Networks, Release 1.9.18 Additionally, all hosts maintain an , consisting of x IPv4,LAN y address pairs for other hosts on ARP cache x D ,D the network. After the exchange above, A has y in its table; anticipating that A will soon send it IP LAN a packet to which it needs to respond, D also puts A ,A x y into its cache. IP LAN ARP-cache entries eventually expire. The timeout interval used to be on the order of 10 minutes, but Linux systems now use a much smaller timeout (~30 seconds observed in 2012). Somewhere along the line, and timed-out probably related to this shortened timeout interval, repeat ARP queries about a entry are first sent , not broadcast, to the previous Ethernet address on record. This cuts down on the total amount of unicast broadcast traffic; LAN broadcasts are, of course, still needed for new hosts. The ARP cache on a Linux system can be examined with the command ; the corresponding windows command is arp ip -s neigh -a . The above protocol is sufficient, but there is one further point. When A sends its broadcast “who-has D?” A ARP query, all other hosts C check their own cache for an entry for is such an entry (that is, if . If there A is found there), then the value for A is updated with the value taken from the ARP message; if there IP LAN is no pre-existing entry then no action is taken. This update process serves to avoid stale ARP-cache entries, which can arise is if a host has had its Ethernet interface replaced. (USB Ethernet interfaces, in particular, can be replaced very quickly.) ARP is quite an efficient mechanism for bridging the gap between IPv4 and LAN addresses. Nodes generally find out neighboring IPv4 addresses through higher-level protocols, and ARP then quickly fills in the miss- 2.8 Software-Defined Networking ) ing LAN address. However, in some Software-Defined Networking ( environments, the LAN switches and/or the LAN controller may have knowledge about IPv4/LAN address correspondences, potentially making ARP superfluous. The LAN (Ethernet) switching network might in principle even know exactly how to route via the LAN to a given IPv4 address, potentially even making LAN addresses unnecessary. At such a point, ARP may become an inconvenience. For an example of a 18.9.5 loadbalance31.py . situation in which it is necessary to work around ARP, see 7.9.1 ARP Finer Points Most hosts today implement self-ARP , or gratuitous ARP , on startup (or wakeup): when station A starts up it sends out an ARP query for itself : “who-has A?”. Two things are gained from this: first, all stations that had A in their cache are now updated with A’s most current A address, in case there was a change, LAN and second, if an answer is received, then presumably some other host on the network has the same IPv4 address as A. Self-ARP is thus the traditional IPv4 mechanism for duplicate address detection . Unfortunately, it does not always work as well as might be hoped; often only a single self-ARP query is sent, and if a reply is received then frequently the only response is to log an error message; the host may even continue using the duplicate address! If the duplicate address was received via DHCP, below, then the host is supposed to notify its DHCP server of the error and request a different IPv4 address. RFC 5227 has defined an improved mechanism known as Address Conflict Detection , or ACD. A host using ACD sends out three ARP queries for its new IPv4 address, spaced over a few seconds and leaving the ARP field for the sender’s IPv4 address filled with zeroes. This last step means that any other host with that IPv4 address in its cache will ignore the packet, rather than update its cache. If the original host receives no replies, it then sends out two more ARP queries for its new address, this time with the ARP field for the sender’s IPv4 address filled in with the new address; this is the stage at which other hosts on the network will make any necessary cache updates. Finally, ACD requires that hosts that do detect a duplicate address 214 7 IP version 4

225 An Introduction to Computer Networks, Release 1.9.18 must discontinue using it. It is also possible for other stations to answer an ARP query on behalf of the actual destination D; this is called proxy ARP . An early common scenario for this was when host C on a LAN had a modem connected to a serial port. In theory a host D dialing in to this modem should be on a different subnet, but that requires allocation of a new subnet. Instead, many sites chose a simpler arrangement. A host that dialed in to C’s serial port might be assigned IP address D , from the same subnet as C. C would be configured to route IP packets to D; that is, packets arriving from the serial line would be forwarded to the LAN interface, and packets sent to C would be forwarded to D. But we also have to handle ARP, and as addressed to D IP LAN D is not actually on the LAN it will not receive broadcast ARP queries. Instead, C would be configured to x D . This generally worked quite well. , C answer on behalf of D, replying with y IP LAN Proxy ARP is also used in Mobile IP, for the so-called “home agent” to intercept traffic addressed to the “home address” of a mobile device and then forward it ( via tunneling) to that device. See 7.13 Mobile eg IP . broadcast One delicate aspect of the ARP protocol is that stations are required to respond to a query. In the absence of proxies this theoretically should not create problems: there should be only one respondent. However, there were anecdotes from the Elder Days of networking when a broadcast ARP query would trigger an avalanche of responses. The protocol-design moral here is that determining who is to respond to a broadcast message should be done with great care. ( RFC 1122 section 3.2.2 addresses this same point in the context of responding to broadcast ICMP messages.) ARP-query implementations also need to include a timeout and some queues, so that queries can be resent if lost and so that a burst of packets does not lead to a burst of queries. A naive ARP algorithm without these might be: is in the ARP cache. If it is, address the packet To send a packet to destination D , see if D IP IP to D ; if not, send an ARP query for D LAN To see the problem with this approach, imagine that a 32 kB packet arrives at the IP layer, to be sent over Ethernet. It will be fragmented into 22 fragments (assuming an Ethernet MTU of 1500 bytes), all sent at once. The naive algorithm above will likely send an ARP query for each of these. What we need instead is something like the following: To send a packet to destination D : IP If D and return is in the ARP cache, send to D IP LAN If not, see if an ARP query for D is pending. IP If it is, put the current packet in a queue for D. If there is no pending ARP query for D , start one, IP again putting the current packet in the (new) queue for D We also need: If an ARP query for some C times out, resend it (up to a point) IP If an ARP query for C is answered, send off any packets in C’s queue IP 7.9.2 ARP Security Suppose A wants to log in to secure server S, using a password. How can B (for Bad) impersonate S? 7.9 Address Resolution Protocol: ARP 215

226 An Introduction to Computer Networks, Release 1.9.18 Here is an ARP-based strategy, sometimes known as . First, B makes sure the real S is down, ARP Spoofing either by waiting until scheduled downtime or by launching a denial-of-service attack against S. When A tries to connect, it will begin with an ARP “who-has S?”. All B has to do is answer, “S is-at B”. There is a trivial way to do this: B simply needs to set its own IP address to that of S. A will connect, and may be convinced to give its password to B. B now simply responds with something plausible like “backup in progress; try later”, and meanwhile use A’s credentials against the real S. This works even if the communications channel A uses is encrypted! If A is using the SSH protocol 22.10.1 SSH ), then A will get a message that the other side’s key has changed (B will present its own ( SSH key, not S’s). Unfortunately, many users (and even some IT departments) do not recognize this as a serious problem. Some organizations – especially schools and universities – use personal workstations with “frozen” configuration, so that the filesystem is reset to its original state on every reboot. Such systems may be resistant to viruses, but in these environments the user at A will always get a message to the effect that S’s credentials are not known. 7.9.3 ARP Failover Suppose you have two front-line servers, A and B (B for Backup), and you want B to be able to step in if A ARP Failover . freezes. There are a number of ways of achieving this, but one of the simplest is known as First, we set A , but for the time being B does not use the network so this duplication is not a problem. = B IP IP as the Then, once B gets the message that A is down, it sends out an ARP query for A , including B IP LAN x source LAN address. The gateway router, which previously would have had in its ARP cache, ,A y A IP LAN updates this to x A , and packets that had formerly been sent to A will now go to B. As long as B is , B y IP LAN eg html), B can pick up right where A left off. trafficking in stateless operations ( 7.9.4 Detecting Sniffers Finally, there is an interesting use of ARP to detect Ethernet password sniffers (generally not quite the issue it once was, due to encryption and switching). To find out if a particular host A is in promiscuous mode, send an ARP “who-has A?” query. Address it not to the broadcast Ethernet address, though, but to some nonexistent Ethernet address. If promiscuous mode is off, A’s network interface will ignore the packet. But if promiscuous mode is on, A’s network interface will pass the ARP request to A itself, which is likely then to answer it. Alas, Linux kernels reject at the ARP-software level ARP queries to physical Ethernet addresses other than their own. However, they do respond to faked Ethernet multicast addresses, such as ff:ff:ff:00:00:00 or ff:ff:ff:ff:ff:fe. 7.9.5 ARP and multihomed hosts If host A has two interfaces iface1 and iface2 on the same LAN , with respective IP addresses A and 1 A may be received via , then it is common for the two to be used interchangeably. Traffic addressed to A 1 2 iface2 and vice-versa, and traffic from A this is may be sent via iface2 . In 7.2.1 Multihomed hosts 1 and A weak end-system model; the idea is that we should think of the IP addresses A as described as the 2 1 bound to A rather than to their respective interfaces. 216 7 IP version 4

227 An Introduction to Computer Networks, Release 1.9.18 In support of this model, ARP can usually be configured (in fact this is often the default) so that ARP requests for either IP address and received by either interface may be answered with either physical address. Usually all requests are answered with the physical address of the preferred ( ie faster) interface. with IP address 10.0.0.2 and a faster Wi-Fi eth0 As an example, suppose A has an Ethernet interface with IP address 10.0.0.3 (although Wi-Fi interfaces are not interface wlan0 always faster). In this setting, wlan0 ’s physical address, and so all traffic an ARP request “who-has 10.0.0.2” would be answered with to A, to either IP address, would arrive via . The eth0 interface would go essentially unused. wlan0 Similarly, though not due to ARP, traffic sent by A with source address 10.0.0.2 might depart via . wlan0 arp_ignore and This situation is on Linux systems adjusted by changing in /proc/ arp_announce sys/net/ipv4/conf/all . 7.10 Dynamic Host Configuration Protocol (DHCP) DHCP is the most common mechanism by which hosts are assigned their IPv4 addresses. DHCP started as a protocol known as Reverse ARP (RARP), which evolved into BOOTP and then into its present form. It is RFC 2131 documented in . Recall that ARP is based on the idea of someone broadcasting an ARP query for a host, containing the host’s IPv4 address, and the host answering it with its LAN address. DHCP involves a host, at startup, broadcasting a query containing its own LAN address, and having a server reply telling the host what IPv4 address is assigned to it, hence the “Reverse ARP” name. The DHCP response message is also likely to carry, piggybacked onto it, several other essential startup options. Unlike the IPv4 address, these additional network parameters usually do not depend on the specific host that has sent the DHCP query; they are likely constant for the subnet or even the site. In all, a typical DHCP message includes the following: • IPv4 address • subnet mask • default router • DNS Server minimal network configuration ; in practical terms, hosts cannot function These four items are a standard properly without them. Most DHCP implementations support the piggybacking of the latter three above, and a wide variety of other configuration values, onto the server responses. Default Routers and DHCP If you lose your default router, you cannot communicate. Here is something that used to happen to me, courtesy of DHCP: 1. I am connected to the Internet via Ethernet, and my default router is via my Ethernet interface 2. I connect to my institution’s wireless network. 3. Their DHCP server sends me a new default router on the wireless network. However, this default router will only allow access to a tiny private network, because I have neglected to complete the “Wi-Fi network registration” process. 7.10 Dynamic Host Configuration Protocol (DHCP) 217

228 An Introduction to Computer Networks, Release 1.9.18 4. I therefore disconnect from the wireless network, and my wireless-interface default router goes away. However, my system does not automatically revert to my Ethernet default-router entry; DHCP does not work that way. As a result, I will have no router at all until the next scheduled DHCP lease renegotiation, and must fix things manually. The DHCP server has a range of IPv4 addresses to hand out, and maintains a database of which IPv4 address has been assigned to which LAN address. Reservations can either be permanent or dynamic; if the latter, hosts typically renew their DHCP reservation periodically (typically one to several times a day). 7.10.1 NAT, DHCP and the Small Office If you have a large network, with multiple subnets, a certain amount of manual configuration is inevitable. What about, however, a home or small office, with a single line from an ISP? A combination of NAT 7.7 Network Address Translation ) and DHCP has made autoconfiguration close to a reality. ( 7.7 Network Address Translation The typical home/small-office “router” is in fact a NAT router ( ) coupled with an Ethernet switch, and usually also coupled with a Wi-Fi access point and a DHCP server. In this section, we will use the term “NAT router” to refer to this whole package. One specially designated port, the external port, connects to the ISP’s line, and uses DHCP as a client to obtain an IPv4 address for that port. The other, internal , ports are connected together by an Ethernet switch; these ports as a group are connected to the external port using NAT translation. If wireless is supported, the wireless side is connected directly to the internal ports. Isolated from the Internet, the internal ports can thus be assigned an arbitrary non-public IPv4 address block, eg 192.168.0.0/24. The NAT router typically contains a DCHP server, usually enabled by default, that will hand out IPv4 addresses to everything connecting from the internal side. Generally this works seamlessly. However, if a second NAT router is also connected to the network (some- times attempted to extend Wi-Fi range, in lieu of a commercial Wi-Fi repeater), one then has two operating DHCP servers on the same subnet. This often results in chaos, though is easily fixed by disabling one of the DHCP servers. While omnipresent DHCP servers have made IPv4 autoconfiguration work “out of the box” in many cases, in the era in which IPv4 was designed the need for such servers would have been seen as a significant drawback in terms of expense and reliability. IPv6 has an autoconfiguration strategy ( 8.7.2 Stateless Autoconfiguration (SLAAC) ) that does not require DHCP, though DHCPv6 may well end up displacing it. 7.10.2 DHCP and Routers It is often desired, for larger sites, to have only one or two DHCP servers, but to have them support multiple subnets. Classical DHCP relies on broadcast, which isn’t forwarded by routers, and even if it were, the DHCP server would have no way of knowing on what subnet the host in question was actually located. This is generally addressed by DHCP Relay (sometimes still known by the older name BOOTP Relay). The router (or, sometimes, some other node on the subnet) receives the DHCP broadcast message from a host, and notes the subnet address of the arrival interface. The router then relays the DHCP request, together with this subnet address, to the designated DHCP Server; this relayed message is sent directly (unicast), not 218 7 IP version 4

229 An Introduction to Computer Networks, Release 1.9.18 broadcast. Because the subnet address is included, the DHCP server can figure out the correct IPv4 address to assign. This feature has to be specially enabled on the router. 7.11 Internet Control Message Protocol The Internet Control Message Protocol, or ICMP, is a protocol for sending IP-layer error and status mes- RFC 792 host-to-host , and so they are never delivered to a specific . ICMP is, like IP, sages; it is defined in port, even if they are sent in response to an error related to something sent from that port. In other words, individual UDP and TCP connections do not receive ICMP messages, even when it would be helpful to get them. field, followed by an 8-bit subtype, or code . Here are the type ICMP messages are identified by an 8-bit more common ICMP types, with subtypes listed in the description. Type Description Echo Request queries ping ping Echo Reply responses Destination network unreachable Destination Unreachable host unreachable Destination Destination port unreachable Fragmentation required but DF flag set Network administratively prohibited Source Quench Congestion control Redirect datagram for the Redirect Message network Redirect datagram for the host Redirect for TOS and network Redirect for TOS and host Router discovery/selection/solicitation Router Solicitation TTL expired in transit Time Exceeded Fragment reassembly time exceeded Bad IP Header or Parameter Pointer indicates the error Missing a required option Bad length Timestamp Timestamp Reply Like ping , but requesting a timestamp from the destination The Echo and Timestamp formats are , sent by one host to another. Most of the others are all error queries messages , sent by a router to the sender of the offending packet. Error-message formats contain the IP header and next 8 bytes of the packet in question; the 8 bytes will contain the TCP or UDP port numbers. Redirect and Router Solicitation messages are informational, but follow the error-message format. Query formats contain a 16-bit Query Identifier , assigned by the query sender and echoed back by the query responder. ping Packet Size 7.11 Internet Control Message Protocol 219

230 An Introduction to Computer Networks, Release 1.9.18 The author once had to diagnose a problem where pings were 100% successful, and yet file trans- almost fers failed immediately; this could have been the result of either a network fault or a file-transfer applica- tion fault. The problem turned out to be a failed network device with a very high bit-error rate: 1500-byte file-transfer packets were frequently corrupted, but ping packets, with a default size of 32-64 bytes, were mostly unaffected. If the bit-error rate is such that 1500-byte packets have a 50% success rate, 50-byte 1/30 » ) success rate. Setting the ping packet size to a larger 0.5 packets can be expected to have a 98% ( value made it immediately clear that the network, and not the file-transfer application, was at fault. ICMP is perhaps best known for Echo Request/Reply, on which the 1.14 Some Useful Utilities ) ping tool ( is based. Ping remains very useful for network troubleshooting: if you can ping a host, then the network is reachable, and any problems are higher up the protocol chain. Unfortunately, ping replies are often blocked by many firewalls, on the theory that revealing even the existence of computers is a security risk. While this may sometimes be an appropriate decision, it does significantly impair the utility of ping. Ping can be asked to include IP timestamps ( 7.1 The IPv4 Header -T option, ) on Linux systems with the -s and on Windows with . Source Quench was used to signal that congestion has been encountered. A router that drops a packet due to congestion experience was encouraged to send ICMP Source Quench to the originating host. Generally the TCP layer would handle these appropriately (by reducing the overall sending rate), but UDP applications never receive them. ICMP Source Quench did not quite work out as intended, and was formally deprecated by . (Routers can inform TCP connections of impending congestion by using the ECN bits.) RFC 6633 The Destination Unreachable type has a large number of subtypes: • Network unreachable : some router had no entry for forwarding the packet, and no default route • Host unreachable : the packet reached a router that was on the same LAN as the host, but the host failed to respond to ARP queries • : the packet was sent to a UDP port on a given host, but that port was not open. Port unreachable reset TCP, on the other hand, deals with this situation by replying to the connecting endpoint with a packet. Unfortunately, the UDP Port Unreachable message is sent to the host, not to the application on that host that sent the undeliverable packet, and so is close to useless as a practical way for applications to be informed when packets cannot be delivered. Fragmentation required but DF flag set : a packet arrived at a router and was too big to be forwarded • without fragmentation. However, the Don’t Fragment bit in the IPv4 header was set, forbidding fragmentation. • Administratively Prohibited : this is sent by a router that knows it can reach the network in question, but has configureintro to drop the packet and send back Administratively Prohibited messages. A router can also be configured to blackhole messages: to drop the packet and send back nothing. In we will see how TCP uses the ICMP message Fragmentation required but 12.13 Path MTU Discovery DF flag set as part of Path MTU Discovery , the process of finding the largest packet that can be sent to a specific destination without fragmentation. The basic idea is that we set the DF bit on some of the packets we send; if we get back this message, that packet was too big. Some sites and firewalls block ICMP packets in addition to Echo Request/Reply, and for some messages one can get away with this with relatively few consequences. However, blocking Fragmentation required but DF flag set has the potential to severely affect TCP connections, depending on how Path MTU Discovery is 220 7 IP version 4

231 An Introduction to Computer Networks, Release 1.9.18 implemented, and thus is not recommended. If ICMP filtering is contemplated, it is best to base block/allow decisions on the ICMP type, or even on the type and code. For example, most firewalls support rule sets of the form “allow ICMP destination-unreachable; block all other ICMP”. option works something like Echo Request/Reply, but the receiver includes its own local The Timestamp 7.1 The IPv4 timestamp for the arrival time, with millisecond accuracy. See also the IP Timestamp option, , which appears to be more frequently used. Header The type/code message format makes it easy to add new ICMP types. Over the years, a significant number of additional such types have been defined; a complete list is maintained by the IANA. Several of these later RFC 6918 ICMP types were seldom used and eventually deprecated, many by . ICMP packets are usually forwarded correctly through NAT routers, though due to the absence of port RFC 3022 and RFC 5508 address this. For ICMP queries, numbers the router must do a little more work. like ping, the ICMP Query Identifier field can be used to recognize the returning response. ICMP error messages are a little trickier, because there is no direct connection between the inbound error message and any of the previous outbound non-ICMP packets that triggered the response. However, the headers of the packet that triggered the ICMP error message are embedded in the body of the ICMP message. The NAT router can look at those embedded headers to determine how to forward the ICMP message (the NAT router must also rewrite the addresses of those embedded headers). 7.11.1 Traceroute and Time Exceeded The traceroute program uses ICMP Time Exceeded messages. A packet is sent to the destination (often UDP to an unused port), with the TTL set to 1. The first router the packet reaches decrements the TTL to 0, drops it, and returns an ICMP Time Exceeded message. The sender now knows the first router on the chain. The second packet is sent with TTL set to 2, and the second router on the path will be the one to return ICMP Time Exceeded. This continues until finally the remote host returns something, likely ICMP Port Unreachable. For an example of traceroute output, see . In that example, the three traceroute 1.14 Some Useful Utilities probes for the Nth router are sometimes answered by two or even three different routers; this suggests routers configured to work in parallel rather than route changes. Many routers no longer respond with ICMP Time Exceeded messages when they drop packets. For the distance value corresponding to such a router, traceroute reports . *** Traceroute assumes the path does not change. This is not always the case, although in practice it is seldom an issue. Route Efficiency Once upon a time (~2001), traceroute showed that traffic from my home to the office, both in the Chicago area, went through the MAE-EAST Internet exchange point, outside of Washington DC. That inefficient route was later fixed. A situation like this is typically caused by two higher-level providers who did not negotiate sufficient Internet exchange points. Traceroute to a nonexistent site works up to the point when the packet reaches the Internet “backbone”: the first router which does not have a default route. At that point the packet is not routed further (and an ICMP 7.11 Internet Control Message Protocol 221

232 An Introduction to Computer Networks, Release 1.9.18 Destination Network Unreachable should be returned). 20.12 Multi-Protocol Label Switch- Traceroute also interacts somewhat oddly with routers using MPLS (see ing (MPLS) ). Such routers – most likely large-ISP internal routers – may continue to forward the ICMP Time Exceeded message on further towards its destination before returning it to the sender. As a result, the round- trip time measurements reported may be quite a bit larger than they should be. 7.11.2 Redirects Most non-router hosts start up with an IPv4 forwarding table consisting of a single (default) router, discov- ered along with their IPv4 address through DHCP. ICMP Redirect messages help hosts learn of other useful routers. Here is a classic example: R1 B R2 A A is configured so that its default router is R1. It addresses a packet to B, and sends it to R1. R1 receives the packet, and forwards it to R2. However, R1 also notices that R2 and A are on the same network, and so A could have sent the packet to R2 directly. So R1 sends an appropriate ICMP redirect message to A (“Redirect Datagram for the Network”), and A adds a route to B via R2 to its own forwarding table. 7.11.3 Router Solicitation These ICMP messages are used by some router protocols to identify immediate neighbors. When we look at routing-update algorithms, 9 Routing-Update Algorithms , these are where the process starts. 7.12 Unnumbered Interfaces We mentioned in and 7.2 Interfaces that some devices allow the use of point- 1.10 IP - Internet Protocol to-point IP links without assigning IP addresses to the interfaces at the ends of the link. Such IP interfaces are referred to as unnumbered ; they generally make sense only on routers. It is a firm requirement that the node ( ie router) at each endpoint of such a link has at least one other interface that does have an IP address; otherwise, the node in question would be anonymous, and could not participate in the router-to- router protocols of 9 Routing-Update Algorithms . The diagram below shows a link L joining routers R1 and R2, which are connected to subnets 200.0.0.0/24 and 201.1.1.0/24 respectively. The endpoint interfaces of L, both labeled link0 , are unnumbered. 222 7 IP version 4

233 An Introduction to Computer Networks, Release 1.9.18 200.0.0.1 201.1.1.1 A B E F L R1 R2 eth0 link0 link0 eth0 200.0.0.0/24 201.1.1.0/24 Two LANs joined by an unnumbered link L Special Addresses ), such as The endpoints of L could always be assigned private IPv4 addresses ( 7.3 10.0.0.1 and 10.0.0.2. To do this we would need to create a subnet; because the host bits cannot be all eg 10.0.0.0/30). Furthermore, the routing protocols to be 0’s or all 1’s, the minimum subnet size is four ( 9 will distribute information about the subnet throughout the introduced in Routing-Update Algorithms organization or “routing domain”, meaning care must be taken to ensure that each link’s subnet is unique. Use of unnumbered links avoids this. originate a packet to be sent to (or forwarded via) R2, the standard strategy is for it to treat If R1 were to link0 interface as if it shared the IP address of its Ethernet interface its , that is, 200.0.0.1; R2 eth0 would do likewise. This still leaves R1 and R2 violating the IP local-delivery rule of 7.5 The Classless IP Delivery Algorithm ; R1 is expected to deliver packets via local delivery to 201.1.1.1 but has no interface that is assigned an IP address on the destination subnet 201.1.1.0/24. The necessary dispensation, however, is granted by RFC 1812 . All that is necessary by way of configuration is that R1 be told R2 is a directly connected neighbor reachable via its link0 ip interface. On Linux systems this might be done with the command on R1 as follows: route ip route The Linux ip route command illustrated here was tested on a virtual point-to-point link created with and pppd ssh ppp0 . While the command appeared to work as ; the link interface name was in fact advertised, it was only possible to create the link if endpoint IP addresses were assigned at the time of creation; these were then removed with ip route del and then re-assigned with the command shown here. ip route add 201.1.1.1 dev link0 Because L is a point-to-point link, there is no destination LAN address and thus no ARP query. 7.13 Mobile IP In the original IPv4 model, there was a strong if implicit assumption that each IP host would stay put. One role of an IPv4 address is simply as a unique endpoint identifier, but another role is as a locator : some prefix of the address ( eg the network part, in the class-A/B/C strategy, or the provider prefix) represents something about where the host is physically located. Thus, if a host moves far enough, it may need a new address. When laptops are moved from site to site, it is common for them to receive a new IP address at each location, eg via DHCP as the laptop connects to the local Wi-Fi. But what if we wish to support devices like smartphones that may remain active and communicating while moving for thousands of miles? Changing IP addresses requires changing TCP connections; life (and application development) might be simpler if a device had a single, unchanging IP address. 7.13 Mobile IP 223

234 An Introduction to Computer Networks, Release 1.9.18 One option, commonly used with smartphones connected to some so-called “3G” networks, is to treat the phone’s data network as a giant wireless LAN. The phone’s IP address need not change as it moves within this LAN, and it is up to the phone provider to figure out how to manage LAN-level routing, much as is . done in 3.7.4.3 Roaming is another option, documented in RFC 5944 Mobile IP But . In this scheme, a mobile host has a permanent home address and, while roaming about, will also have a temporary care-of address , which changes from place to place. The care-of address might be, for example, an IP address assigned by a local Wi-Fi network, the and which in the absence of Mobile IP would be IP address for the mobile host. (This kind of care-of address is known as “co-located”; the care-of address can also be associated with some other device – known foreign agent as a – in the vicinity of the mobile host.) The goal of Mobile IP is to make sure that the mobile host is always reachable via its home address. home agent back on the To maintain connectivity to the home address, a Mobile IP host needs to have a home network; the job of the home agent is to maintain an IP tunnel that always connects to the device’s current care-of address. Packets arriving at the home network addressed to the home address will be for- warded to the mobile device over this tunnel by the home agent. Similarly, if the mobile device wishes to send packets from its home address – that is, with the home address as IP source address – it can use the tunnel to forward the packet to the home agent. The home agent may use proxy ARP ( 7.9.1 ) to declare itself to be the appropriate ARP Finer Points destination on the home LAN for packets addressed to the home (IP) address; it is then straightforward for the home agent to forward the packets. agent discovery process is used for the mobile host to decide whether it is mobile or not; if it is, it then An needs to notify its home agent of its current care-of address. 7.13.1 IP-in-IP Encapsulation There are several forms of packet encapsulation that can be used for Mobile IP tunneling, but the default one is IP-in-IP encapsulation, defined in RFC 2003 . In this process, the entire original IP packet (with header addressed to the home address) is used as data for a new IP packet, with a new IP header (the “outer” header) addressed to the care-of address. Original Data IP header Original packet Original Outer header Data IP header Encapsulated packet with outer header A value of 4 in the outer-IP-header Protocol field indicates that IPv4-in-IPv4 tunneling is being used, so the receiver knows to forward the packet on using the information in the inner header. The MTU of the tunnel will be the original MTU of the path to the care-of address, minus the size of the outer header. A very 224 7 IP version 4

235 An Introduction to Computer Networks, Release 1.9.18 similar mechanism is used for IPv6-in-IPv4 encapsulation (that is, with IPv6 in the inner packet), except Protocol field value is now 41. See . that the outer IPv4 8.13 IPv6 Connectivity via Tunneling IP-in-IP encapsulation presents some difficulties for NAT routers. If two hosts A and B behind a NAT router send out encapsulated packets, the packets may differ only in the source IP address. The NAT router, upon receiving responses, doesn’t know whether to forward them to A or to B. One partial solution is for the NAT router to support only one inside host sending encapsulated packets. If the NAT router knew that encapsulation was being used for Mobile IP, it might look at the home address in the inner header to determine the correct home agent to which to deliver the packet, but this is a big assumption. A fuller solution is outlined in RFC 3519 . 7.14 Epilog At this point we have concluded the basic mechanics of IPv4. Still to come is a discussion of how IP routers build their forwarding tables. This turns out to be a complex topic, divided into routing within single 9 Routing-Update Algorithms 10 Large- organizations and ISPs – – and routing between organizations – . Scale IP Routing But before that, in the next chapter, we compare IPv4 with IPv6, now twenty years old but still seeing limited adoption. The biggest issue fixed by IPv6 is IPv4’s lack of address space, but there are also several other less dramatic improvements. 7.15 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise 6.5 is distinct, for example, from exercises 6.0 and 7.0. Exercises marked with a ♢ have solutions or hints at 24.7 Solutions for IPv4 . 1.0. Suppose an Ethernet packet represents a TCP acknowledgment; that is, the packet contains an IPv4 header and a 20-byte TCP header but nothing else. Is the IPv4 packet here smaller than the Ethernet minimum-packet size, and, if so, by how much? 2.0. How can a receiving host tell if an arriving IPv4 packet is unfragmented? Hint: such a packet will be both the “first fragment” and the “last fragment”; how are these two states marked in the IPv4 header? 3.0. How long will it take the IDENT field of the IPv4 header to wrap around, if the sender host A sends a stream of packets to host B as fast as possible? Assume the packet size is 1500 bytes and the bandwidth is 600 Mbps. 4.0. The following diagram has routers A, B, C, D and E; E is the “border router” connecting the site to the Internet. All router-to-router connections are via Ethernet-LAN /24 subnets with addresses of the form 200.0.x. Give forwarding tables for each of A ♢ , B, C and D. Each table should include each of the listed subnets and also a default entry that routes traffic toward router E. Directly connected subnets may be listed with a next_hop of “direct”. D A 200.0.6 B 200.0.7 200.0.5 200.0.8 E Internet 200.0.9 7.14 Epilog 225

236 An Introduction to Computer Networks, Release 1.9.18 C 200.0.10 5.0. (This exercise is an attempt at modeling Internet-2 routing.) Suppose sites S . . . S each have a n 1 single connection to the standard Internet, and each site S has a single IPv4 address block A . Each site’s i i ’s default route points towards the standard ; each R connection to the Internet is through a single router R i i Internet. The sites also maintain a separate, higher-speed network among themselves; each site has a single will have to link to this separate network, also through R . Describe what the forwarding tables on each R i i to another will always use the separate higher-speed network. look like so that traffic from one S i 6.0. For each IPv4 network prefix given (with length), identify which of the subsequent IPv4 addresses are part of the same subnet. (a). 10.0.130.0/23 : 10.0.130.23, 10.0.129.1, 10.0.131.12, 10.0.132.7 (b). 10.0.132.0/22 : 10.0.130.23, 10.0.135.1, 10.0.134.12, 10.0.136.7 (c). 10.0.64.0/18 : 10.0.65.13, 10.0.32.4, 10.0.127.3, 10.0.128.4 ♢ : 10.0.166.1, 10.0.170.3, 10.0.174.5, 10.0.177.7 (d). 10.0.168.0/21 10.0.0.64/26 : 10.0.0.125, 10.0.0.66, 10.0.0.130, 10.0.0.62 (e). 6.5. Convert the following subnet masks to /k notation, and vice-versa: (a). ♢ 255.255.240.0 (b). 255.255.248.0 (c). 255.255.255.192 (d). /20 ♢ (e). /22 (f). /27 7.0. Suppose that the subnet bits below for the following five subnets A-E all come from the beginning of the fourth byte of the IPv4 address; that is, these are subnets of a /24 block. • A: 00 • B: 01 • C: 110 • D: 111 • E: 1010 (a). What are the sizes of each subnet, and the corresponding decimal ranges? Count the addresses with 226 7 IP version 4

237 An Introduction to Computer Networks, Release 1.9.18 host bits all 0’s or with host bits all 1’s as part of the subnet. (b). How many IPv4 addresses in the class-C block do not belong to any of the subnets A, B, C, D and E? 8.0. In it was stated that, in newer implementations, “repeat ARP 7.9 Address Resolution Protocol: ARP queries about a timed out entry are first sent unicast”, in order to reduce broadcast traffic. Suppose multiple unicast repeat-ARP queries for host A’s IP address fail, but a followup broadcast query for A’s address succeeds. What probably changed at host A? 9.0. Suppose A broadcasts an ARP query “who-has B?”, receives B’s response, and proceeds to send B a regular IPv4 packet. If B now wishes to reply, why is it likely that A will already be present in B’s ARP cache? Identify a circumstance under which this can fail. 10.0. Suppose A broadcasts an ARP request “who-has B”, but inadvertently lists the physical address of = A, but LAN = C). What will another machine C instead of its own (that is, A’s ARP query has IP src src happen? Will A receive a reply? Will any other hosts on the LAN be able to send to A? What entries will be made in the ARP caches on A, B and C? 11.0. Suppose host A connects to the Internet via Wi-Fi. The default router is R . Host A now begins W exchanging packets with a remote host B: A sends to B, B replies, etc . The exact form of the connection does not matter, except that TCP may not work. (a). You now plug in A’s Ethernet cable. The Ethernet port is assumed to be on a different subnet from the Wi-Fi (so that the strong and weak end-system models of 7.9.5 ARP and multihomed hosts do not play a role here). Assume A automatically selects the new Ethernet connection as its default route, with router R . E What happens to the original connection to A? Can packets still travel back and forth? Does the return address used for either direction change? (b). You now disconnect A’s Wi-Fi interface, leaving the Ethernet interface connected. What happens now to the connection to B? Hint: to what IP address are the packets from B being sent? exercise 13.0, and 9 Routing-Update Algorithms , 9 Routing-Update Algorithms See also 12 TCP Trans- port , exercise 13.0. 7.15 Exercises 227

238 An Introduction to Computer Networks, Release 1.9.18 228 7 IP version 4

239 8 IP VERSION 6 What has been learned from experience with IPv4? First and foremost, more than 32 bits are needed for addresses; the primary motive in developing IPv6 was the specter of running out of IPv4 addresses (some- thing which, at the highest level, has already happened; see the discussion at the end of 1.10 IP - Internet Protocol ). Another important issue is that IPv4 requires (or used to require) a modest amount of effort at configuration; IPv6 was supposed to improve this. By 1990 the IETF was actively interested in proposals to replace IPv4. A working group for the so-called was this group’s “IP next generation”, or IPng, was created in 1993 to select the new version; RFC 1550 formal solicitation of proposals. In July 1994 the IPng directors voted to accept a modified version of the 20.11.4 RTP and VoIP ), “Simple Internet Protocol”, or SIP (unrelated to the Session Initiation Protocol, as the basis for IPv6. The first IPv6 specifications, released in 1995, were (now RFC 2460 , RFC 1883 with updates) for the basic protocol, and (now RFC 4291 , again with updates) for the addressing RFC 1884 architecture. SIP addresses were originally 64 bits in length, but in the month leading up to adoption as the basis for IPv6 this was increased to 128. 64 bits would probably have been enough, but the problem is less the actual number than the simplicity with which addresses can be allocated; the more bits, the easier this becomes, as sites can be given relatively large address blocks without fear of waste. A secondary consideration in the 64-to-128 leap was the potential to accommodate now-obsolete CLNP addresses ( 1.15 IETF and OSI ), which were up to 160 bits in length, but compressible. IPv6 has to some extent returned to the idea of a fixed division between network and host portions; for most IPv6 addresses, the first 64 bits is the network prefix (including any subnet portion) and the remaining 64 bits represents the host portion. The rule as spelled out in RFC 2460 , in 1998, was that the 64/64 split would apply to all addresses except those beginning with the bits 000; those addresses were then held in reserve in the unlikely event that the 64/64 split ran into problems in the future. This was a change from 1995, when RFC 1884 envisioned 48-bit host portions and 80-bit prefixes. While the IETF occasionally revisits the issue, at the present time the 64/64 split seems here to stay; for discussion and justification, see 8.10.1 Subnets and /64 and RFC 7421 . The 64/64 split is not automatic, however; there is no default prefix length as there was in the Class A/B/C IPv4 scheme. Thus, it is misleading to think of IPv6 as a return to something like IPv4’s classful addressing scheme. Router advertisements must always include the prefix length, and, when assigning IPv6 addresses manually, the /64 prefix length must be specified explicitly; see 8.12.3 Manual address configuration . High-level routing, however, can, as in IPv4, be done on prefixes of any length (usually that means lengths shorter than /64). Routing can also be done on different prefix lengths at different points of the network. IPv6 is now twenty years old, and yet usage as of 2015 remains quite modest. However, the shortage in IPv4 addresses has begun to loom ominously; IPv6 adoption rates may rise quickly if IPv4 addresses begin to climb in price. 229

240 An Introduction to Computer Networks, Release 1.9.18 8.1 The IPv6 Header fixed header is pictured below; at 40 bytes, it is twice the size of the IPv4 header. The fixed The IPv6 packet needs: there is no support for fragmentation, no header header is intended to support only what every extension headers has been introduced to support checksum, and no option fields. However, the concept of IPv6 Extension Headers . some of these as options; some IPv6 extension headers are described in 8.5 Whatever header comes next is identified by the Next Header field, much like the IPv4 Protocol field. Some other fixed-header fields have also been renamed from their IPv4 analogues: the IPv4 TTL is now the IPv6 Hop_Limit (still decremented by each router with the packet discarded when it reaches 0), and the IPv4 DS field has become the IPv6 Traffic Class. 0 16 32 Traffic Class Version Flow Label Hop Limit Next Header Payload Length Source Address Destination Address The Flow Label is new. RFC 2460 states that it may be used by a source to label sequences of packets for which it requests special handling by the IPv6 routers, such as non-default quality of service or “real-time” service. Senders not actually taking advantage of any quality-of-service options are supposed to set the Flow Label to zero. When used, the Flow Label represents a sender-computed hash of the source and destination addresses, and perhaps the traffic class. Routers can use this field as a way to look up quickly any priority or reservation state for the packet. All packets belonging to the same flow should have the same Routing Extension header, 8.5.3 Routing Header . The Flow Label will in general not include any information about the source and destination port numbers, except that only some of the connections between a pair of hosts may make use of this field. flow , as the term is used here, is one-way ; the return traffic belongs to a different flow. Historically, A the term “flow” has also been used at various other scales: a single bidirectional TCP connection, multiple related TCP connections, or even all traffic from a particular subnet ( eg the “computer-lab flow”). 230 8 IP version 6

241 An Introduction to Computer Networks, Release 1.9.18 8.2 IPv6 Addresses RFC 5952 ). The IPv6 addresses are written in eight groups of four hex digits, with a-f preferred over A-F ( groups are separated by colons, and have leading 0’s removed, eg fedc:13:1654:310:fedc:bc37:61:3210 If an address contains a long run of 0’s – for example, if the IPv6 address had an embedded IPv4 address – then when writing the address the string “::” should be used to represent however many blocks of 0000 as are needed to create an address of the correct length; to avoid ambiguity this can be used only once. Also, embedded IPv4 addresses may continue to use the “.” separator: ::ffff:147.126.65.141 8.11 Using IPv6 The above is an example of one standard IPv6 format for representing IPv4 addresses (see and IPv4 Together ). 48 bits are explicitly displayed; the :: means these are prefixed by 80 0-bits. The IPv6 loopback address is ::1 (that is, 127 0-bits followed by a 1-bit). prefixes Network address may be written with the “/” notation, as in IPv4: 12ab:0:0:cd30::/60 suggested that initial IPv6 unicast-address allocation be initially limited to addresses beginning RFC 3513 with the bits 001, that is, the 2000::/3 block (20 in binary is 0010 0000). Generally speaking, IPv6 addresses consist of a 64-bit network prefix (perhaps including subnet bits) fol- 8.3 Network Prefixes and 8.2.1 Interface identifiers lowed by a 64-bit “interface identifier”. See . IPv6 addresses all have an associated scope , defined in RFC 4007 . The scope of a unicast address is either global , meaning it is intended to be globally routable, or link-local , meaning that it will only work with directly connected neighbors ( 8.2.2 ). The loopback address is considered to have Link-local addresses eg ). RFC 4291 link-local scope. A few more scope levels are available for multicast addresses, “site-local” ( The scope of an IPv6 address is implicitly coded within the first 64 bits; addresses in the 2000::/3 block above, for example, have global scope. Packets with local-scope addresses ( eg link-local addresses) for either the destination or the source cannot be routed (the latter because a reply would be impossible). Although addresses in the “unique local address” category of 8.3 Network Prefixes officially have global scope, in a practical sense they still behave as if they had the now-officially-deprecated “site-local scope”. 8.2.1 Interface identifiers As mentioned earlier, most IPv6 addresses can be divided into a 64-bit network prefix and a 64-bit “host” portion, the latter corresponding to the “host” bits of an IPv4 address. These host-portion bits are known of- ficially as the interface identifier ; the change in terminology reflects the understanding that all IP addresses attach to interfaces rather than to hosts. The original plan for the interface identifier was to derive it in most cases from the LAN address, though the interface identifier can also be set administratively. Given a 48-bit Ethernet address, the interface identifier based on it was to be formed by inserting 0xfffe between the first three bytes and the last three bytes, to get 64 bits in all. The seventh bit of the first byte (the Ethernet “universal/local” flag) was then set to 1. 8.2 IPv6 Addresses 231

242 An Introduction to Computer Networks, Release 1.9.18 The result of this process is officially known as the , where EUI stands for Modified EUI-64 Identifier RFC 4291 . As an example, for a host with Ethernet Extended Unique Identifier; details can be found in a0:ccff:fe24:b0e4 (the leading 00 becomes 02 address 00:a0:cc:24:b0:e4, the EUI-64 identifier would be 0 2 when the seventh bit is turned on). At the time the EUI-64 format was proposed, it was widely expected that Ethernet MAC addresses would eventually become 64 bits in length. EUI-64 interface identifiers turn out to introduce a major privacy concern: no matter where a (portable) host connects to the Internet – home or work or airport or Internet cafe – such an interface identifier always remains the same, and thus serves as a permanent host fingerprint. As a result, EUI-64 identifiers are now discouraged for personal workstations and mobile devices. (Some fixed-location hosts continue to use EUI- 64 interface identifiers, or, alternatively, administratively assigned interface identifiers.) proposes an alternative: the interface identifier is a secure hash ( 22.6 Secure Hashes ) of a RFC 7217 “Net_Iface” parameter, the 64-bit IPv6 address prefix, and a host-specific secret key (a couple other param- eters are also thrown into the mix, but they need not concern us here). The “Net_Iface” parameter can be eg . Interface identifiers created the interface’s MAC address, but can also be the interface’s “name”, eth0 this way change from connection point to connection point (because the prefix changes), do not reveal the 64 Ethernet address, and are randomly scattered (because of the key, if nothing else) through the 2 -sized interface-identifier space. The last feature makes probing for IPv6 addresses effectively impossible; see exercise 6.0. Interface identifiers as in the previous paragraph do not change unless the prefix changes, which normally happens only if the host is moved to a new network. In 8.7.2.1 SLAAC privacy we will see that interface identifiers are often changed at regular intervals, for privacy reasons. Finally, interface identifiers are often centrally assigned, using DHCPv6 ( 8.7.3 DHCPv6 ). Remote probing for IPv6 addresses based on EUI-64 identifiers is much easier than for those based on RFC- 7217 identifiers, as the former are not very random. If an attacker can guess the hardware vendor, and thus 24 2.1.3 Ethernet Address Internal Structure ), there are only 2 the first three bytes of the Ethernet address ( 64 possibilities, down from 2 . As the last three bytes are often assigned in serial order, considerable further narrowing of the search space may be possible. While it may amount to security through obscurity, keeping internal global IPv6 addresses hidden is often of practical importance. Additional discussion of host-scanning in IPv6 networks can be found in RFC 7707 and draft-ietf-opsec- ipv6-host-scanning-06. 8.2.2 Link-local addresses IPv6 defines addresses, with so-called link-local scope, intended to be used only on a single LAN link-local and never routed. These begin with the 64-bit link-local prefix consisting of the ten bits 1111 1110 10 followed by 54 more zero bits; that is, fe80::/64. The remaining 64 bits are the interface identifier for the link interface in question, above. The EUI-64 link-local address of the machine in the previous section with Ethernet address 00:a0:cc:24:b0:e4 is thus fe80::2a0:ccff:fe24:b0e4. The main applications of link-local addresses are as a “bootstrap” address for global-address autoconfigura- tion ( 8.7.2 Stateless Autoconfiguration (SLAAC) ), and as an optional permanent address for routers. IPv6 routers often communicate with neighboring routers via their link-local addresses, with the understanding that these do not change when global addresses (or subnet configurations) change ( RFC 4861 §6.2.8). If EUI-64 interface identifiers are used then the link-local address does change whenever the Ethernet hard- 232 8 IP version 6

243 An Introduction to Computer Networks, Release 1.9.18 ware is replaced. However, if interface identifiers are used and that mechanism’s “Net_Iface” RFC 7217 parameter represents the interface name rather than its physical address, the link-local address can be con- stant for the life of the host. (When RFC 7217 is used to generate link-local addresses, the “prefix” hash parameter is the link-local prefix fe80::/64.) A consequence of identifying routers to their neighbors by their link-local addresses is that it is often pos- sible to configure routers so they do not even have global-scope addresses; for forwarding traffic and for exchanging routing-update messages, link-local addresses are sufficient. Similarly, many ordinary hosts for- ward packets to their default router using the latter’s link-local address. We will return to router addressing and 8.13.2.1 A second router in 8.13.2 Setting up a router . eg tunnel interfaces, there may be no natural candidate for the interface For non-Ethernet-like interfaces, may identifier, in which case a link-local address be assigned manually, with the low-order 64 bits chosen to be unique for the link in question. When sending to a link-local address, one must separately supply somewhere the link’s “zone identifier”, often by appending a string containing the interface name to the IPv6 address, fe80::f00d:cafe %eth0 . eg 8.12.1 See and 8.12.2 TCP connections using link-local addresses for examples of such use of ping6 link-local addresses. IPv4 also has true link-local addresses, defined in RFC 3927 , though they are rarely used; such addresses are in the 169.254.0.0/16 block (not to be confused with the 192.168.0.0/16 private-address block). Other than these, IPv4 addresses always implicitly identify the link subnet by virtue of the network prefix. duplicate-address detection Once the link-local address is created, it must pass the test before being used; see 8.7.1 Duplicate Address Detection . 8.2.3 Anycast addresses anycast IPv6 also introduced addresses. An anycast address might be assigned to each of a set of routers (in addition to each router’s own unicast addresses); a packet addressed to this anycast address would be delivered to only one member of this set. Note that this is quite different from multicast addresses; a packet addressed to the latter is delivered to every member of the set. It is up to the local routing infrastructure to decide which member of the anycast group would receive the packet; normally it would be sent to the “closest” member. This allows hosts to send to any of a set of routers, rather than to their designated individual default router. Anycast addresses are not marked as such, and a node sending to such an address need not be aware of its anycast status. Addresses are anycast simply because the routers involved have been configured to recognize them as such. IPv4 anycast exists also, but in a more limited form ( 10.6.7 BGP and Anycast ); generally routers are configured much more indirectly ( eg through BGP). 8.3 Network Prefixes We have been assuming that an IPv6 address, at least as seen by a host, is composed of a 64-bit network prefix and a 64-bit interface identifier. As of 2015 this remains a requirement; RFC 4291 (IPv6 Addressing Architecture) states: 8.3 Network Prefixes 233

244 An Introduction to Computer Networks, Release 1.9.18 For all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long. . . . This /64 requirement is occasionally revisited by the IETF, but is unlikely to change for mainstream IPv6 traffic. This firm 64/64 split is a departure from IPv4, where the host/subnet division point has depended, since the development of subnets, on local configuration. 10.1 Classless Note that while the net/interface (net/host) division point is fixed, routers may still use CIDR ( Internet Domain Routing: CIDR ) and may still base forwarding decisions on prefixes shorter than /64. As of 2015, all allocations for globally routable IPv6 prefixes are part of the 2000::/3 block. IPv6 also defines a variety of specialized network prefixes, including the link-local prefix and prefixes for anycast and multicast addresses. For example, as we saw earlier, the prefix ::ffff:0:0/96 identifies IPv6 addresses with embedded IPv4 addresses. The most important class of 64-bit network prefixes, however, are those supplied by a provider or other address-numbering entity, and which represent the first half of globally routable IPv6 addresses. These are the prefixes that will be visible to the outside world. IPv6 customers will typically be assigned a relatively large block of addresses, /48 or /56. The former eg allows 64–48 = 16 bits for local “subnet” specification within a 64-bit network prefix; the latter allows 8 subnet bits. These subnet bits are – as in IPv4 – supplied through router configuration; see 8.10 IPv6 Subnets . The closest IPv6 analogue to the IPv4 subnet mask is that all network prefixes are supplied to hosts with an associated length, although that length will almost always be 64 bits. Many sites will have only a single externally visible address block. However, some sites may be multihomed and thus have multiple independent address blocks. Sites may also have private unique local address prefixes, corresponding to IPv4 private address blocks like 192.168.0.0/16 and 10.0.0.0/8. They are officially called Unique Local Unicast Addresses and are defined in RFC 4193 site-local address plan (and official site-local scope) formally deprecated ; these replace an earlier RFC 3879 (though unique-local addresses are sometimes still informally referred to as site-local). in The first 8 bits of a unique-local prefix are 1111 1101 (fd00::/8). The related prefix 1111 1100 (fc00::/8) is reserved for future use; the two together may be consolidated as fc00::/7. The last 16 bits of a 64-bit unique- local prefix represent the subnet ID, and are assigned either administratively or via autoconfiguration. The 40 bits in between, from bit 8 up to bit 48, represent the Global ID . A site is to set the Global ID to a pseudorandom value. The resultant unique-local prefix is “almost certainly” globally unique (and is considered to have global scope in the sense of 8.2 IPv6 Addresses ), although it is not supposed to be routed off a site. Furthermore, a site would generally not admit any packets from the outside world addressed to a destination with the Global ID as prefix. One rationale for choosing unique Global IDs for each site is to accommodate potential later mergers of organizations without the need for renumbering; this has been a chronic problem for sites using private IPv4 address blocks. Another justification is to accommodate VPN connections from other sites. For example, if I use IPv4 block 10.0.0.0/8 at home, and connect using VPN to a site also using 10.0.0.0/8, it is possible that my printer will have the same IPv4 address as their application server. 234 8 IP version 6

245 An Introduction to Computer Networks, Release 1.9.18 8.4 IPv6 Multicast broad cast, instead providing a wide range of LAN-layer cast IPv6 has moved away from LAN-layer multi (Note that LAN-layer multicast is often straightforward; it is general IP-layer multicast groups. ( 20.5 ) that is problematic. See 2.1.2 Ethernet Multicast for the Ethernet imple- Global IP Multicast mentation.) This switch to multicast is intended to limit broadcast traffic in general, though many switches still propagate LAN multicast traffic everywhere, like broadcast. An IPv6 multicast address is one beginning with the eight bits 1111 1111 (ff00::/8); numerous specific such addresses, and even classes of addresses, have been defined. For actual delivery, IPv6 multicast addresses correspond to LAN-layer ( Ethernet) multicast addresses through a well-defined static correspondence; eg specifically, if x, y, z and w are the last four bytes of the IPv6 multicast address, in hex, then the correspond- RFC 2464 ing Ethernet multicast address is 33:33:x:y:z:w ( ). A typical IPv6 host will need to join (that is, subscribe to) several Ethernet multicast groups. The IPv6 multicast address with the broadest scope is all-nodes , with address ff02::1; the corresponding Ethernet multicast address is 33:33:00:00:00:01. This essentially corresponds to IPv4’s LAN broadcast, though the use of LAN multicast here means that non-IPv6 hosts should not see packets sent to this address. Another important IPv6 multicast address is ff02::2, the address. This is meant to be used to all-routers reach all routers, and routers only; ordinary hosts do not subscribe. Generally speaking, IPv6 nodes on Ethernets send LAN-layer (MLD) mes- Multicast Listener Discovery sages to multicast groups they wish to start using; these messages allow multicast-aware Ethernet switches to optimize forwarding so that only those hosts that have subscribed to the multicast group in question will receive the messages. Otherwise switches are supposed to treat multicast like broadcast; worse, some switches may simply fail to forward multicast packets to destinations that have not explicitly opted to join the group. 8.5 IPv6 Extension Headers In IPv4, the IP header contained a Protocol field to identify the next header; usually UDP or TCP. All IPv4 options were contained in the IP header itself. IPv6 has replaced this with a scheme for allowing an arbitrary chain of supplemental IPv6 headers. The IPv6 Next Header field indicate that the following can header is UDP or TCP, but can also indicate one of several IPv6 options. These optional, or extension, headers include: • Hop-by-Hop options header • Destination options header • Routing header • Fragment header • Authentication header • Mobility header • Encapsulated Security Payload header 8.4 IPv6 Multicast 235

246 An Introduction to Computer Networks, Release 1.9.18 These extension headers must be processed in order; the recommended order for inclusion is as above. Most of them are intended for processing only at the destination host; the hop-by-hop and routing headers are exceptions. 8.5.1 Hop-by-Hop Options Header type,value pairs which are intended to be processed by each router on the path. A This consists of a set of y x tag in the type field indicates what a router should do if it does not understand the option: drop the packet, or continue processing the rest of the options. The only Hop-by-Hop options provided by RFC 2460 were for padding, so as to set the alignment of later headers. jumbograms : datagrams larger than 65,535 later defined a Hop-by-Hop option to support IPv6 RFC 2675 bytes. The need for such large packets remains unclear, in light of 5.3 Packet Size . IPv6 jumbograms are not meant to be used if the underlying LAN does not have an MTU larger than 65,535 bytes; the LAN world is not currently moving in this direction. Because Hop-by-Hop Options headers must be processed by each router encountered, they have the potential RFC 6564 to overburden the Internet routing system. As a result, strongly discourages new Hop-by-Hop Option headers, unless examination at every hop is essential. 8.5.2 Destination Options Header x type,value y This is very similar to the Hop-by-Hop Options header. It again consists of a set of pairs, and the original RFC 2460 specification only defined options for padding. The Destination header is intended to be processed at the destination, before turning over the packet to the transport layer. Since RFC 2460 , a few more Destination Options header types have been defined, though none is in com- mon use. RFC 2473 defined a Destination Options header to limit the nesting of tunnels, called the Tunnel Encapsulation Limit. RFC 6275 RFC 6553 , defines a Destination Options header for use in Mobile IPv6. on the Routing Protocol for Low-Power and Lossy Networks, or RPL, has defined a Destination (and Hop- by-Hop) Options type for carrying RPL data. A complete list of Option Types for Hop-by-Hop Option and Destination Option headers can be found at RFC 2780 . www.iana.org/assignments/ipv6-parameters; in accordance with 8.5.3 Routing Header The original, or Type 0, Routing header contained a list of IPv6 addresses through which the packet should be routed. These did not have to be contiguous. If the list to be visited en route to destination D was x R1,R2,. . . ,Rn y , then this option header contained x R2,R3,. . . ,Rn,D y with R1 as the initial destination ad- dress; R1 then would update this header to R1,R3,. . . ,Rn,D y (that is, the old destination R1 and the current x next-router R2 were swapped), and would send the packet on to R2. This was to continue on until Rn ad- dressed the packet to the final destination D. The header contained a Segments Left pointer indicating the next address to be processed, incremented at each Ri. When the packet arrived at D the Routing Header would contain the routing list x R1,R3,. . . ,Rn y . This is, in general principle, very much like IPv4 Loose Source routing. Note, however, that routers between the listed routers R1. . . Rn did not need to examine this header; they processed the packet based only on its current destination address. 236 8 IP version 6

247 An Introduction to Computer Networks, Release 1.9.18 This form of routing header was deprecated by , due to concerns about a traffic-amplification RFC 5095 attack. An attacker could send off a packet with a routing header containing an alternating list of just two routers y ; this would generate substantial traffic on the R1–R2 link. RFC 6275 x R1,R2,R1,R2,. . . ,R1,R2,D define more limited routing headers. RFC 6275 defines a quite limited routing header to be and RFC 6554 RFC 6554 routing header used for used for IPv6 mobility (and also defines the IPv6 Mobility header). The RPL, mentioned above, has the same basic form as the Type 0 header described above, but its use is limited to specific low-power routing domains. 8.5.4 IPv6 Fragment Header IPv6 supports limited IPv4-style fragmentation via the Fragment Header. This header contains a 13-bit Fragment Offset field, which contains – as in IPv4 – the 13 high-order bits of the actual 16-bit offset of the fragment. This header also contains a 32-bit Identification field; all fragments of the same packet must carry the same value in this field. only IPv6 fragmentation is done by the original sender; routers along the way are not allowed to fragment or re-fragment a packet. Sender fragmentation would occur if, for example, the sender had an 8 kB IPv6 packet to send via UDP, and needed to fragment it to accommodate the 1500-byte Ethernet MTU. If a packet needs to be fragmented, the sender first identifies the unfragmentable part , consisting of the IPv6 fixed header and any extension headers that must accompany each fragment (these would include Hop-by-Hop and Routing headers). These unfragmentable headers are then attached to each fragment. IPv6 also requires that every link on the Internet have an MTU of at least 1280 bytes beyond the LAN header; link-layer fragmentation and reassembly can be used to meet this MTU requirement (which is what ATM links ( ) carrying IP traffic do). 3.5 Asynchronous Transfer Mode: ATM Generally speaking, fragmentation should be avoided at the application layer when possible. UDP-based applications that attempt to transmit filesystem-sized (usually 8 kB) blocks of data remain persistent users of fragmentation. 8.5.5 General Extension-Header Issues 7.7.2 Middleboxes ) examine not just the destination address but also In the IPv4 world, many middleboxes ( the TCP port numbers; firewalls, for example, do this routinely to block all traffic except to a designated list of ports. In the IPv6 world, a middlebox may have difficulty finding the TCP header, as it must traverse a possibly lengthy list of extension headers. Worse, some of these extension headers may be newer than the middlebox, and thus unrecognized. Some middleboxes would simply drop packets with unrecognized extension headers, making the introduction of new such headers problematic. RFC 6564 addresses this by requiring that all future extension headers use a common “type-length-value” format: the first byte indicates the extension-header’s type and the second byte indicates its length. This facilitiates rapid traversal of the extension-header chain. A few older extension headers – for example the Encapsulating Security Payload header of RFC 4303 – do not follow this rule; middleboxes must treat these as special cases. RFC 2460 states With one exception [that is, Hop-by-Hop headers], extension headers are not examined or pro- cessed by any node along a packet’s delivery path, until the packet reaches the node (or each of 8.5 IPv6 Extension Headers 237

248 An Introduction to Computer Networks, Release 1.9.18 the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header. Nonetheless, sometimes intermediate nodes do attempt to add extension headers. This can break Path MTU ), as the sender no longer controls the total packet size. Discovery ( 12.13 Path MTU Discovery attempts to promulgate some general rules for the real-world handling of extension headers. For RFC 7045 example, it states that, while routers are allowed to drop packets with certain extension headers, they may ignore Hop-by-Hop Option may not do this simply because those headers are unrecognized. Also, routers headers, or else process packets with such headers via a slower queue. 8.6 Neighbor Discovery IPv6 Neighbor Discovery, or ND , is a set of related protocols that replaces several IPv4 tools, most notably ARP, ICMP redirects and most non-address-assignment parts of DHCP. The messages exchanged in ND are 8.9 part of the ICMPv6 framework, . The original specification for ND is in RFC 2461 , later ICMPv6 RFC 4861 . ND provides the following services: updated by 8.6.1 Router Discovery ] • Finding the local router(s) [ • Finding the set of network address prefixes that can be reached via local delivery (IPv6 allows there to be more than one) [ 8.6.2 Prefix Discovery ] • Finding a local host’s LAN address, given its IPv6 address [ 8.6.3 Neighbor Solicitation ] • Detecting duplicate IPv6 addresses [ 8.7.1 Duplicate Address Detection ] • Determining that some neighbors are now unreachable 8.6.1 Router Discovery Router Advertisement (RA) packets to the all-nodes multicast group. Ordi- IPv6 routers periodically send nary hosts wanting to know what router to use can wait for one of these periodic multicasts, or can request an RA packet immediately by sending a request to the all-routers multicast group. Router Router Solicitation Advertisement packets serve to identify the routers; this process is sometimes called Router Discovery . In IPv4, by comparison, the address of the default router is usually piggybacked onto the DHCP response message ( 7.10 Dynamic Host Configuration Protocol (DHCP) ). These RA packets, in addition to identifying the routers, also contain a list of all network address prefixes in use on the LAN. This is “prefix discovery”, described in the following section. To a first approximation on a simple network, prefix discovery supplies the network portion of the IPv6 address; on IPv4 networks, DHCP usually supplies the entire IPv4 address. RA packets may contain other important information about the LAN as well, such as an agreed-on MTU. These IPv6 router messages represent a change from IPv4, in which routers need not send anything besides forwarded packets. To become an IPv4 router, a node need only have IPv4 forwarding enabled in its kernel; it is then up to DHCP (or the equivalent) to inform neighboring nodes of the router. IPv6 puts the responsibility for this notification on the router itself: for a node to become an IPv6 router, in addition to forwarding packets, it “MUST” ( RFC 4294 ) also run software to support Router Advertisement. Despite this mandate, however, the RA mechanism does not play a role in the forwarding process itself; an IPv6 network can 238 8 IP version 6

249 An Introduction to Computer Networks, Release 1.9.18 run without Router Advertisements if every node is, for example, manually configured to know where the routers are and to know which neighbors are on-link. (We emphasize that manual configuration like this scales very poorly.) On Linux systems, the Router Advertisement agent is most often the radvd daemon. See 8.13 IPv6 Con- below. nectivity via Tunneling 8.6.2 Prefix Discovery Prefix Discovery process by which hosts learn what IPv6 Closely related to Router Discovery is the network-address prefixes, above, are valid on the network. It is also where hosts learn which prefixes are considered to be local to the host’s LAN, and thus reachable at the LAN layer instead of requiring router not limit determination of whether delivery is local to the assistance for delivery. IPv6, in other words, does IPv4 mechanism of having a node check a destination address against each of the network-address prefixes assigned to the node’s interfaces. eg Even IPv4 allows two IPv4 network prefixes to share the same LAN ( a private one 10.1.2.0/24 and a public one 147.126.65.0/24), but a consequence of IPv4 routing is that two such LAN-sharing subnets can only reach one another via a router on the LAN, even though they should in principle be able to communicate directly. IPv6 drops this restriction. The Router Advertisement packets sent by the router should contain a complete list of valid network-address Prefix Information option. In simple cases this list may contain a single globally routable prefixes, as the 64-bit prefix corresponding to the LAN subnet. If a particular LAN is part of multiple (overlapping) physical subnets, the prefix list will contain an entry for each subnet; these 64-bit prefixes will themselves likely share a common site-wide prefix of length N<64. For multihomed sites the prefix list may contain multiple unrelated prefixes corresponding to the different address blocks. Finally, site-specific “unique local” IPv6 address prefixes may also be included. Each prefix will have an associated lifetime ; nodes receiving a prefix from an RA packet are to use it only for the duration of this lifetime. On expiration (and likely much sooner) a node must obtain a newer RA packet with a newer prefix list. The rationale for inclusion of the prefix lifetime is ultimately to allow sites renumber to easily ; that is, to change providers and switch to a new network-address prefix provided by a new router. Each prefix is also tagged with a bit indicating whether it can be used for autoconfiguration, as in 8.7.2 Stateless Autoconfiguration (SLAAC) below. Each prefix also comes with a flag indicating whether the prefix is . If set, then every node receiving on-link that prefix is supposed to be on the same LAN. Nodes assume that to reach a neighbor sharing the same on-link address prefix, Neighbor Solicitation is to be used to find the neighbor’s LAN address. If a neighbor shares an off-link prefix, a router must be used. The IPv4 equivalent of two nodes sharing the same on-link prefix is sharing the same subnet prefix. For an example of subnets with prefix-discovery information, see 8.10 IPv6 Subnets . Routers advertise off-link prefixes only in special cases; this would mean that a node is part of a subnet but eg MANETs cannot reach other members of the subnet directly. This may apply in some wireless settings, ( 3.7.8 MANETs ) where some nodes on the same subnet are out of range of one another. It may also apply when using IPv6 Mobility ( 7.13 Mobile IP , RFC 3775 ). 8.6 Neighbor Discovery 239

250 An Introduction to Computer Networks, Release 1.9.18 8.6.3 Neighbor Solicitation messages are the IPv6 analogues of IPv4 ARP requests. These are essentially queries Neighbor Solicitation of the form “who has IPv6 address X?” While ARP requests were broadcast, IPv6 Neighbor Solicitation , which at the LAN layer usually represents a messages are sent to the solicited-node multicast address rather small multicast group. This address is ff02::0001:x.y.z.w, where x, y, z and w are the low-order 32 bits of the IPv6 address the sender is trying to look up. Each IPv6 host on the LAN will need to subscribe to all the solicited-node multicast addresses corresponding to its own IPv6 addresses (normally this is not too many). Neighbor Solicitation messages are repeated regularly, but followup verifications are initially sent to the unicast LAN address on file (this is common practice with ARP implementations, but is optional). Unlike with ARP, other hosts on the LAN are not expected to eavesdrop on the initial Neighbor Solicitation message. The target host’s response to a Neighbor Solicitation message is called ; a host Neighbor Advertisement may also send these unsolicited if it believes its LAN address may have changed. The analogue of Proxy ARP is still permitted, in that a node may send Neighbor Advertisements on behalf of another. The most likely reason for this is that the node receiving proxy services is a “mobile” host temporarily remote from the home LAN. Neighbor Advertisements sent as proxies have a flag to indicate that, if the real target does speak up, the proxy advertisement should be ignored. Once a node (host or router) has discovered a neighbor’s LAN address through Neighbor Solicitation, it continues to monitor the neighbor’s continued reachability. Neighbor Solicitation also includes Neighbor Unreachability Detection. Each node (host or router) contin- ues to monitor its known neighbors; reachability can be inferred either from ongoing IPv6 traffic exchanges or from Neighbor Advertisement responses. If a node detects that a neighboring host has become unreach- able, the original node may retry the multicast Neighbor Solicitation process, in case the neighbor’s LAN address has simply changed. If a node detects that a neighboring router has become unreachable, it attempts to find an alternative path. Finally, IPv4 ICMP Redirect messages have also been moved in IPv6 to the Neighbor Discovery proto- col. These allow a router to tell a host that another router is better positioned to handle traffic to a given destination. 8.6.4 Security and Neighbor Discovery In the protocols outlined above, received ND messages are trusted; this can lead to problems with nodes pretending to be things they are not. Here are two examples: • A host can pretend to be a router simply by sending out Router Advertisements; such a host can thus capture traffic from its neighbors, and even send it on – perhaps selectively – to the real router. • A host can pretend to be another host, in the IPv6 analog of ARP spoofing ( 7.9.2 ARP Security ). If host A sends out a Neighbor Solicitation for host B, nothing prevents host C from sending out a Neighbor Advertisement claiming to be B (after previously joining the appropriate multicast group). These two attacks can have the goal either of eavesdropping or of denial of service; there are also purely denial-of-service attacks. For example, host C can answer host B’s DAD queries (below at 8.7.1 Duplicate Address Detection ) by claiming that the IPv6 address in question is indeed in use, preventing B from ever acquiring an IPv6 address. A good summary of these and other attacks can be found in RFC 3756 . 240 8 IP version 6

251 An Introduction to Computer Networks, Release 1.9.18 These attacks, it is worth noting, can only be launched by nodes on the same LAN; they cannot be launched remotely. While this reduces the risk, though, it does not eliminate it. Sites that allow anyone to connect, such as Internet cafés, run the highest risk, but even in a setting in which all workstations are “locked down”, a node compromised by a virus may be able to disrupt the network. RFC 4861 suggested that, at sites concerned about these kinds of attacks, hosts might use the IPv6 Authenti- cation Header or the Encapsulated Security Payload Header to supply digital signatures for ND packets (see ). If a node is configured to require such checks, then most ND-based attacks can be prevented. 22.11 IPsec offered no suggestions beyond static configuration, which scales poorly and also Unfortunately, RFC 4861 rather completely undermines the goal of autoconfiguration. SEND , specified in RFC 3971 . This uses A more flexible alternative is Secure Neighbor Discovery, or 22.9 Public-Key Encryption public-key encryption ( ) to validate ND messages; for the remainder of this section, some familiarity with the material at may be necessary. Each message 22.9 Public-Key Encryption is digitally signed by the sender, using the sender’s private key; the recipient can validate the message using the sender’s corresponding public key. In principle this makes it impossible for one message sender to pretend to be another sender. In practice, the problem is that public keys by themselves guarantee (if not compromised) only that the sender of a message is the same entity that previously sent messages using that key. In the second bulleted example above, in which C sends an ND message falsely claiming to be B, straightforward applications of public keys would prevent this the original host A had previously heard from B, and trusted that sender to if be the real B. But in general A would not know which of B or C was the real B. A cannot trust whichever host it heard from first, as it is indeed possible that C started its deception with A’s very first query for B, beating B to the punch. A common solution to this identity-guarantee problem is to create some form of “public-key infrastructure” such as certificate authorities , as in 22.10.2.1 Certificate Authorities . In this setting, every node is config- ured to trust messages signed by the certificate authority; that authority is then configured to vouch for the identities of other nodes whenever this is necessary for secure operation. SEND implements its own version trust anchors of certificate authorities; these are known as . These would be configured to guarantee the identities of all routers, and perhaps hosts. The details are somewhat simpler than the mechanism outlined in 22.10.2.1 Certificate Authorities , as the anchors and routers are under common authority. When trust anchors are used, each host needs to be configured with a list of their addresses. SEND also supports a simpler public-key validation mechanism known as cryptographically generated addresses , or CGAs ( RFC 3972 ). These are IPv6 interface identifiers that are secure hashes ( 22.6 Secure Hashes ) of the host’s public key (and a few other non-secret parameters). CGAs are an alternative to the interface-identifier mechanisms discussed in 8.2.1 Interface identifiers . DNS names in the .onion domain used by TOR also use CGAs. The use of CGAs makes it impossible for host C to successfully claim to be host B: only B will have the public key that hashes to B’s address and the matching private key. If C attempts to send to A a neighbor advertisement claiming to be B, then C can sign the message with its own private key, but the hash of the corresponding public key will not match the interface-identifier portion of B’s address. Similarly, in the DAD scenario, if C attempts to tell B that B’s newly selected CGA address is already in use, then again C won’t have a key matching that address, and B will ignore the report. In general, CGI addresses allow recipients of a message to verify that the source address is the “owner” of the associated public key, without any need for a public-key infrastructure ( 22.9.3 Trust and the Man in the Middle ). C can still pretend to be a router, using its own CGA address, because router addresses are not 8.6 Neighbor Discovery 241

252 An Introduction to Computer Networks, Release 1.9.18 known by the requester beforehand. However, it is easier to protect routers using trust anchors as there are fewer of them. SEND relies on the fact that finding two inputs hashing to the same 64-bit CGA is infeasible, as in general 64 this would take about 2 tries. An IPv4 analog would be impossible as the address host portion won’t have enough bits to prevent finding hash collisions via brute force. For example, if the host portion of the address 10 tries (by tweaking the supplemental hash parameters) until it found a has ten bits, it would take C about 2 match for B’s CGA. SEND has seen very little use in the IPv6 world, partly because IPv6 itself has seen such slow adoption, but also because of the perception that the vulnerabilities SEND protects against are difficult to exploit. RA-guard is a simpler mechanism to achieve ND security, but one that requires considerable support from the LAN layer. Outlined in , it requires that each host connects directly to a switch; that is, there RFC 6105 must be no shared-media Ethernet. The switches must also be fairly smart; it must be possible to configure them to know which ports connect to routers rather than hosts, and, in addition, it must be possible to configure them to block Router Advertisements from host ports that are router ports. This is quite not effective at preventing a host from pretending to be a router, and, while it assumes that the switches can do a significant amount of packet inspection, that is in fact a fairly common Ethernet switch feature. If Wi-Fi is involved, it does require that access points (which are a kind of switch) be able to block Router Advertisements; this isn’t quite as commonly available. In determining which switch ports are connected to routers, RFC 6105 suggests that there might be a brief initial learning period, during which all switch ports connecting to a device that claims to be a router are considered, permanently, to be router ports. 8.7 IPv6 Host Address Assignment IPv6 provides two competing ways for hosts to obtain their full IP addresses. One is , based on DHCPv6 7.10 Dynamic Host Configuration Protocol (DHCP) IPv4’s DHCP ( ), in which the entire address is handed StateLess Address AutoConfiguration , or SLAAC, in which the out by a DHCPv6 server. The other is interface-identifier part of the address is generated locally, and the network prefix is obtained via prefix discovery. The original idea behind SLAAC was to support complete plug-and-play network setup: hosts on an isolated LAN could talk to one another out of the box, and if a router was introduced connecting the LAN to the Internet, then hosts would be able to determine unique, routable addresses from information available from the router. In the early days of IPv6 development, in fact, DHCPv6 may have been intended only for address assign- ments to routers and servers, with SLAAC meant for “ordinary” hosts. In that era, it was still common for RFC 4862 states that SLAAC is IPv4 addresses to be assigned “statically”, via per-host configuration files. to be used when “a site is not particularly concerned with the exact addresses hosts use, so long as they are unique and properly routable.” SLAAC and DHCPv6 evolved to some degree in parallel. While SLAAC solves the autoconfiguration prob- lem quite neatly, at this point DHCPv6 solves it just as effectively, and provides for greater administrative control. For this reason, SLAAC may end up less widely deployed. On the other hand, SLAAC gives hosts greater control over their IPv6 addresses, and so may end up offering hosts a greater degree of privacy by allowing endpoint management of the use of private and temporary addresses (below). When a host first begins the Neighbor Discovery process, it receives a Router Advertisement packet. In this packet are two special bits: the M (managed) bit and the O (other configuration) bit. The M bit is set to 242 8 IP version 6

253 An Introduction to Computer Networks, Release 1.9.18 indicate that DHCPv6 is available on the network for address assignment. The O bit is set to indicate that eg the name of the DNS server) to hosts DHCPv6 is able to provide additional configuration information ( that are using SLAAC to obtain their addresses. In addition, each individual prefix in the RA packet has an A bit, which when set indicates that the associated prefix may be used with SLAAC. 8.7.1 Duplicate Address Detection Whenever an IPv6 host obtains a unicast address – a link-local address, an address created via SLAAC, an address received via DHCPv6 or a manually configured address – it goes through a duplicate-address detection (DAD) process. The host sends one or more Neighbor Solicitation messages (that is, like an ARP 8.6 Neighbor Discovery , asking if any other host has this address. If anyone answers, then query), as in 7.9.1 ARP Finer Points ), but not the address is a duplicate. As with IPv4 ACD ( as with the original IPv4 self-ARP, the source-IP-address field of this NS message is set to a special “unspecified” value; this allows other hosts to recognize it as a DAD query. Because this NS process may take some time, and because addresses are in fact almost always unique, RFC 4429 defines an optimistic DAD mechanism. This allows limited use of an address before the DAD process completes; in the meantime, the address is marked as “optimistic”. Outside the optimistic-DAD interval, a host is not allowed to use an IPv6 address if the DAD process has failed. RFC 4862 in fact goes further: if a host with an established address receives a DAD query for that address, indicating that some other host wants to use that address, then the original host should discontinue use of the address. If the DAD process fails for an address based on an EUI-64 identifier, then some other node has the same Ethernet address and you have bigger problems than just finding a working IPv6 address. If the DAD process fails for an address constructed with the RFC 7217 8.2.1 Interface identifiers , the host is able mechanism, to generate a new interface identifier and try again. A counter for the number of DAD attempts is included in the hash that calculates the interface identifier; incrementing this counter results in an entirely new identifier. While DAD works quite well on Ethernet-like networks with true LAN-layer multicast, it may be inefficient 3.7.8 MANETs ), as distant hosts may receive the DAD Neighbor Solicitation message on, say, MANETs ( only after some delay, or even not at all. Work continues on the development of improvements to DAD for such networks. 8.7.2 Stateless Autoconfiguration (SLAAC) To obtain an address via SLAAC, defined in RFC 4862 , the first step for a host is to generate its link-local address (above, 8.2.2 Link-local addresses ), appending the standard 64-bit link-local prefix fe80::/64 to its interface identifier ( ). The latter is likely derived from the host’s LAN address 8.2.1 Interface identifiers using either EUI-64 or the RFC 7217 mechanism; the important point is that it is available without network involvement. The host must then ensure that its newly configured link-local address is in fact unique; it uses DAD (above) to verify this. Assuming no duplicate is found, then at this point the host can talk to any other hosts on the same LAN, eg to figure out where the printers are. The next step is to see if there is a router available. The host may send a Router Solicitation (RS) message to the all-routers multicast address. A router – if present – should answer with a Router Advertisement 8.7 IPv6 Host Address Assignment 243

254 An Introduction to Computer Networks, Release 1.9.18 (RA) message that also contains a Prefix Information option; that is, a list of IPv6 network-address prefixes 8.6.2 Prefix Discovery ). ( As mentioned earlier, the RA message will mark with a flag those prefixes eligible for use with SLAAC; if no prefixes are so marked, then SLAAC should not be used. All prefixes will also be marked with a lifetime, indicating how long the host may continue to use the prefix. Once the prefix expires, the host must obtain a new one via a new RA message. The host chooses an appropriate prefix, stores the prefix-lifetime information, and appends the prefix to the front of its interface identifier to create what should now be a routable address. The address so formed must now be verified through the DAD mechanism above. In the era of EUI-64 interface identifiers, it would in principle have been possible for the receiver of a packet to extract the sender’s LAN address from the interface-identifier portion of the sender’s SLAAC-generated IPv6 address. This in turn would allow bypassing the Neighbor Solicitation process to look up the sender’s LAN address. This was never actually permitted, however, even before the privacy options below, as there RFC 7217 is no way to be certain that a received address was in fact generated via SLAAC. With -based interface identifiers, LAN-address extraction is no longer even potentially an option. A host using SLAAC may receive multiple network prefixes, and thus generate for itself multiple addresses. RFC 6724 defines a process for a host to determine, when it wishes to connect to destination address D, which of its own multiple addresses to use. For example, if D is a unique-local address, not globally visible, then the host will likely want to choose a source address that is also unique-local. RFC 6724 also includes mechanisms to allow a host with a permanent public address (possibly corresponding to a DNS entry, but just as possibly formed directly from an interface identifier) to prefer alternative “temporary” or “privacy” addresses for outbound connections. Finally, RFC 6724 also defines the sorting order for multiple addresses representing the same destination; see 8.11 Using IPv6 and IPv4 Together . At the end of the SLAAC process, the host knows its IPv6 address (or set of addresses) and its default router. In IPv4, these would have been learned through DHCP along with the identity of the host’s DNS server; one concern with SLAAC is that it originally did not provide a way for a host to find its DNS server. One strategy RFC 6106 now defines a process by which IPv6 routers can is to fall back on DHCPv6 for this. However, include DNS-server information in the RA packets they send to hosts as part of the SLAAC process; this completes the final step of autoconfiguration. How to get DNS names for SLAAC-configured IPv6 hosts into the DNS servers is an entirely separate issue. One approach is simply not to give DNS names to such hosts. In the NAT-router model for IPv4 autoconfiguration, hosts on the inward side of the NAT router similarly do not have DNS names (although they are also not reachable directly, while SLAAC IPv6 hosts would be reachable). If DNS names are needed for hosts, then a site might choose DHCPv6 for address assignment instead of SLAAC. It is also possible to figure out the addresses SLAAC would use (by identifying the host-identifier bits) and then creating DNS Dynamic DNS ( RFC 2136 ) to update their own DNS entries for these hosts. Finally, hosts can also use records. 8.7.2.1 SLAAC privacy A portable host that always uses SLAAC as it moves from network to network and always bases its SLAAC addresses on the EUI-64 interface identifier (or on any other static interface identifier) will be easy to track: its interface identifier will never change. This is one reason why the obfuscation mechanism of RFC 7217 244 8 IP version 6

255 An Introduction to Computer Networks, Release 1.9.18 interface identifiers ( ) includes the network prefix in the hash: connecting to a 8.2.1 Interface identifiers new network will then result in a new interface identifier. Well before RFC 4941 introduced a set of privacy extensions to SLAAC: optional , however, RFC 7217 mechanisms for the generation of alternative interface identifiers, based as with RFC 7217 on pseudorandom generation using the original LAN-address-based interface identifier as a “seed” value. RFC 4941 goes further, however, in that it supports regular changes to the interface identifier, to increase the difficulty of tracking a host over time even if it does not change its network prefix. One first selects a eg MD5 ( 22.6 Secure Hashes ). New temporary interface IDs (IIDs) can 128-bit secure-hash function F(), then be calculated as follows (IID ,seed ) = F(seed , IID ) new new old old where the left-hand pair represents the two 64-bit halves of the 128-bit return value of F() and the arguments to F() are concatenated together. (The seventh bit of IID Interface must also be set to 0; cf 8.2.1 new identifiers where this bit is set to 1.) This process is privacy-safe even if the initial IID is based on EUI-64. The probability of two hosts accidentally choosing the same interface identifier in this manner is vanishingly small; the Neighbor Solicitation mechanism with DAD must, however, still be used to verify that the address is in fact unique within the host’s LAN. The privacy addresses above are to be used only for connections initiated by the client; to the extent that the host accepts incoming connections and so needs a “fixed” IPv6 address, the address based on the original EUI-64/RFC-7217 interface identifier should still be available. As a result, the RFC 7217 mechanism is still important for privacy even if the RFC 4941 mechanism is fully operational. RFC 4941 stated that privacy addresses were to be disabled by default, largely because of concerns about frequently changing IP addresses. These concerns have abated with experience and so privacy addresses are often now automatically enabled. Typical address lifetimes range from a few hours to 24 hours. Once an address has “expired” it generally remains available but deprecated for a few temporary-address cycles longer. DHCPv6 also provides an option for temporary address assignments, again to improve privacy, but one of the potential advantages of SLAAC is that this process is entirely under the control of the end system. Regularly ( eg every few hours, or less) changing the host portion of an IPv6 address should make external tracking of a host more difficult, at least if tracking via web-browser cookies is also somehow prevented. However, for a residential “site” with only a handful of hosts, a considerable degree of tracking may be obtained simply by observing the common 64-bit prefix. For a general discussion of privacy issues related to IPv6 addressing, see RFC 7721 . 8.7.3 DHCPv6 The job of a DHCPv6 server is to tell an inquiring host its network prefix(es) and also supply a 64-bit host- identifier, very similar to an IPv4 DHCPv4 server. Hosts begin the process by sending a DHCPv6 request to the All_DHCP_Relay_Agents_and_Servers multicast IPv6 address ff02::1:2 (versus the broadcast address for IPv4). As with DHCPv4, the job of a relay agent is to tag a DHCPv6 request with the correct current subnet, and then to forward it to the actual DCHPv6 server. This allows the DHCPv6 server to be on a different subnet from the requester. Note that the use of multicast does nothing to diminish the need for relay agents. In fact, the All_DHCP_Relay_Agents_and_Servers multicast address scope is limited to 8.7 IPv6 Host Address Assignment 245

256 An Introduction to Computer Networks, Release 1.9.18 the current LAN; relay agents then forward to the actual DHCPv6 server using the -scoped address site All_DHCP_Servers. Hosts using SLAAC to obtain their address can still use a special Information-Request form of DHCPv6 to obtain their DNS server and any other “static” DHCPv6 information. Clients may ask for temporary addresses. These are identified as such in the “Identity Association” field of the DHCPv6 request. They are handled much like “permanent” address requests, except that the client may ask for a new temporary address only a short time later. When the client does so, a different temporary address will be returned; a repeated request for a permanent address, on the other hand, would usually return the same address as before. When the DHCPv6 server returns a temporary address, it may of course keep a log of this address. The absence of such a log is one reason SLAAC may provide a greater degree of privacy. SLAAC also places control of the cryptographic mechanisms for temporary-address creation in the hands of the end user. A DHCPv6 response contains a list (perhaps of length 1) of IPv6 addresses. Each separate address has an expiration date. The client must send a new request before the expiration of any address it is actually using. In DHCPv4, the host portion of addresses typically comes from “address pools” representing small ranges of integers such as 64-254; these values are generally allocated consecutively. A DHCPv6 server, on the 64 other hand, should take advantage of the enormous range (2 ) of possible host portions by allocating values more sparsely, through the use of pseudorandomness. This is to make it very difficult for an outsider who knows one of a site’s host addresses to guess the addresses of other hosts, cf 8.2.1 Interface identifiers . The Internet Draft draft-ietf-dhc-stable-privacy-addresses proposes the following mechanism by which a DHCPv6 server may generate the interface-identifier bits for the addresses it hands out; F() is a secure-hash function and its arguments are concatenated together: F(prefix, client_DUID, IAID, DAD_counter, secret_key) 8.7.2.1 SLAAC privacy . The client_DUID is The prefix, DAD_counter and secret_key arguments are as in the string by which the client identifies itself to the DHCPv6 server; it may be based on the Ethernet address though other options are possible. The IAID, or Identity Association identifier, is a client-provided name for this request; different names are used when requesting temporary versus permanent addresses. Some older DHCPv6 servers may still allocate interface identifiers in serial order; such obsolete servers might make the SLAAC approach more attractive. 8.8 Globally Exposed Addresses Perhaps the most striking difference between a contemporary IPv4 network and an IPv6 network is that on the former, many hosts are likely to be “hidden” behind a NAT router ( 7.7 Network Address Translation ). On an IPv6 network, on the other hand, host may be globally visible to the IPv6 world (though NAT every may still be used to allow connectivity to legacy IPv4 servers). Legacy IPv4 NAT routers provide a measure of each of privacy, security and nuisance. Privacy in IPv6 can be handled, as above, through private or temporary addresses. The degree of security provided via NAT is entirely due to the fact that all connections must be initiated from the inside; no packet from the outside is allowed through the NAT firewall unless it is a response to a packet sent from the inside. This feature, however, can also be implemented via a conventional firewall 246 8 IP version 6

257 An Introduction to Computer Networks, Release 1.9.18 (IPv4 or IPv6), without address translation. Furthermore, given such a conventional firewall, it is then straightforward to modify it so as to support limited and regulated connections from the outside world as desired; an analogous modification of a NAT router is more difficult. (That said, a blanket ban on IPv6 connections from the outside can prove as frustrating as IPv4 NAT.) Finally, one of the major reasons for hiding IPv4 addresses is that with IPv4 it is easy to map a /24 subnet by pinging or otherwise probing each of the 254 possible hosts; such mapping may reveal internal structure. In 64 IPv6 such mapping is meant to be impractical as a /64 subnet has 2 » 18 quintillion hosts (though see the randomness note in 8.2.1 Interface identifiers ). If the low-order 64 bits of a host’s IPv6 address are chosen with sufficient randomness, finding the host by probing is virtually impossible; see exercise 6.0. As for nuisance, NAT has always broken protocols that involve negotiation of new connections ( eg TFTP, FTP, or SIP, used by VoIP); IPv6 should make these much easier to manage. 8.9 ICMPv6 RFC 4443 defines an updated version of the ICMP protocol for IPv6. As with the IPv4 version, messages are identified by 8-bit type and code (subtype) fields, making it reasonably easy to add new message formats. We have already seen the ICMP messages that make up Neighbor Discovery ( ). 8.6 Neighbor Discovery Unlike ICMPv4, ICMPv6 distinguishes between informational and error messages by the first bit of the type field. Unknown informational messages are simply dropped, while unknown error messages must be handed off, if possible, to the appropriate upper-layer process. For example, “[UDP] port unreachable” messages are to be delivered to the UDP sender of the undeliverable packet. ICMPv6 includes an IPv6 version of Echo Request / Echo Reply, upon which the “ping6” command ( 8.12.1 ping6 ) is based; unlike with IPv4, arriving IPv6 echo-reply messages are delivered to the pro- cess that generated the corresponding echo request. The base ICMPv6 specification also includes formats for the error conditions below; this list is somewhat cleaner than the corresponding ICMPv4 list: Destination Unreachable In this case, one of the following numeric codes is returned: 0. , returned when a router has no next_hop entry. No route to destination Communication with destination administratively prohibited , returned when a router has 1. a next_hop entry, but declines to use it for policy reasons. Codes 5 and 6, below, are special cases of this situation; these more-specific codes are returned when appropriate. 2. Beyond scope of source address , returned when a router is, for example, asked to route a packet to a global address, but the return address is not, eg is unique-local. In IPv4, when a host with a private address attempts to connect to a global address, NAT is almost always involved. Address unreachable , a catchall category for routing failure not covered by any other message. An 3. example is if the packet was successfully routed to the last_hop router, but Neighbor Discovery failed to find a LAN address corresponding to the IPv6 address. 4. Port unreachable , returned when, as in ICMPv4, the destination host does not have the requested UDP port open. 5. Source address failed ingress/egress policy , see code 1. 8.9 ICMPv6 247

258 An Introduction to Computer Networks, Release 1.9.18 6. , see code 1. Reject route to destination Packet Too Big This is like ICMPv4’s “Fragmentation Required but DontFragment flag set”; IPv6 however has no router- based fragmentation. Time Exceeded This is used for cases where the Hop Limit was exceeded, and also where source -based fragmentation was used and the fragment-reassembly timer expired. Parameter Problem This is used when there is a malformed entry in the IPv6 header, an unrecognized Next Header type, or an unrecognized IPv6 option. _node information: 8.9.1 Node Information Messages Node Information (NI) Messages, defined in RFC 4620 . One form of NI query ICMPv6 also includes allows a host to be asked directly for its name; this is accomplished in IPv4 via reverse-DNS lookups ( 7.8.2 Other DNS Records ). Other NI queries allow a host to be asked for its other IPv6 addresses, or for its IPv4 addresses. Recipients of NI queries may be configured to refuse to answer. 8.10 IPv6 Subnets In the IPv4 world, network managers sometimes struggle to divide up a limited address space into a pool of appropriately sized subnets. In IPv6, this is much simpler: all subnets are of size /64, following the 8.3 Network Prefixes guidelines set out in . RFC 6164 permits the use of 127-bit prefixes at each end of a point-to- There is one common exception: point link. The 128th bit is then 0 at one end and 1 at the other. A site receiving from its provider an address prefix of size /56 can assign up to 256 /64 subnets. As with IPv4, the reasons for IPv6 subnetting are to join incompatible LANs, to press intervening routers into service as inter-subnet firewalls, or otherwise to separate traffic. The diagram below shows a site with an external prefix of 2001::/62, two routers R1 and R2 with in- terfaces numbered as shown, and three internal LANS corresponding to three subnets 2001:0:0: 1 ::/64, 2001:0:0: 2 ::/64 and 2001:0:0: 3 ::/64. The subnet 2001:0:0: 0 ::/64 (2001::/64) is used to connect to the provider. 248 8 IP version 6

259 An Introduction to Computer Networks, Release 1.9.18 ::/64 2 2001:0:0: 2 1 1 0 Provider R1 R2 ::/64 2001:0:0: 0 1 ::/64 2001:0:0: 3 ::/64 3 2001:0:0: Interface 0 of R1 would be assigned an address from the /64 block 2001:0:0: 0 /64, perhaps 2001::2. R1 will announce over its interface 1 – via router advertisements – that it has a route to ::/0, that is, it has the default route. It will also advertise via interface 1 the on-link prefix 2001:0:0:1::/64. R2 will announce via interface 1 its routes to 2001:0:0:2::/64 and 2001:0:0:3::/64. It will also announce the default route on interfaces 2 and 3. On interface 2 it will advertise the on-link prefix 2001:0:0:2::/64, and on interface 3 the prefix 2001:0:0:3::/64. It could also, as a backup, advertise prefix 2001:0:0:1::/64 on its interface 1. On each subnet, only the subnet’s on-link prefix is advertised. 8.10.1 Subnets and /64 Fixing the IPv6 division of prefix and host (interface) lengths at 64 bits for each is a compromise. While it 128 64 does reduce the maximum number of subnets from 2 to 2 , in practice this is not a realistic concern, as 64 2 is still an enormous number. By leaving 64 bits for host identifiers, this 64/64 split leaves enough room for the privacy mechanisms of 8.7.2.1 SLAAC privacy 8.7.3 DHCPv6 to provide reasonable protection. and Much of the recent motivation for considering divisions other than 64/64 is grounded in concerns about ISP address-allocation policies. By declaring that users should each receive a /64 allocation, one hope is that users will in fact get enough for several subnets. Even a residential customer with only, say, two hosts and a router needs more than a single /64 address block, because the link from ISP to customer needs to be on its own subnet (it could use a 127-bit prefix, as above, but many customers would in fact have a need for multiple /64 subnets). By requiring /64 for a subnet, the hope is that users will all be allocated, for example, prefixes of at least /60 (16 subnets) or even /56 (256 subnets). Even if that hope does not pan out, the 64/64 rule means that every user should at least get a /64 allocation. On the other hand, if users given only /64 blocks, and they want to use subnets, then they have to break are the 64/64 rule locally. Perhaps they can create four subnets each with a prefix of length 66 bits, and each with only 62 bits for the host identifier. Wanting to do that in a standard way would dictate more flexibility in the prefix/host division. But if the prefix/host division becomes completely arbitrary, there is nothing to stop ISPs from handing out prefixes with lengths of /80 (leaving 48 host bits) or even /120. The general hope is that ISPs will not be so stingy with prefix lengths. But with IPv6 adoption still relatively modest, how this will all work out is not yet clear. In the IPv4 world, users use NAT ( 7.7 Network Address Translation ) to create as many subnets as they desire. In the IPv6 world, NAT is generally considered to be a bad idea. 8.10 IPv6 Subnets 249

260 An Introduction to Computer Networks, Release 1.9.18 Finally, in theory it is possible to squeeze a site with two subnets onto a single /64 by converting the site’s main router to a switch; all the customer’s hosts now connect on an equal footing to the ISP. But this means making it much harder to use the router as a firewall, as described in 8.8 Globally Exposed Addresses . For most users, this is too risky. 8.11 Using IPv6 and IPv4 Together In this section we will assume that IPv6 connectivity exists at a site; if it does not, see 8.13 IPv6 Connectivity via Tunneling . If IPv6 coexists on a client machine with IPv4, in a so-called dual-stack configuration, which is used? If the client wants to connect using TCP to an IPv4-only website (or to some other network service), there is no choice. But what if the remote site also supports both IPv4 and IPv6? DNS lookup The first step is the , triggered by the application’s call to the appropriate address- 11.1.3.3 The Client we use lookup library procedure; in the Java stalk example of InetAddress. getByName() . In the C language, address lookup is done with getaddrinfo() or (the now- deprecated) gethostbyname() . The DNS system on the client then contacts its DNS resolver and asks for the appropriate address record corresponding to the server name. For IPv4 addresses, DNS maintains so-called “A” records, for “Address”. The IPv6 equivalent is the “AAAA” record, for “Address four times longer”. A dual-stack machine usually requests both. The In- ternet Draft draft-vavrusa-dnsop-aaaa-for-free proposes that, whenever a DNS server delivers an IPv4 A record, it also includes the corresponding AAAA record, much as IPv4 CNAME records are sent with pig- gybacked corresponding A records ( 7.8.1 nslookup (and dig) ). The DNS requests are sent to the client’s pre-configured DNS-resolver address (probably set via DHCP). IPv6 and this book This book is, as of April 2015, available via IPv6. Within the cs.luc.edu DNS zone are defined the following: • intronetworks: both A and AAAA records • intronetworks6: AAAA records only • intronetworks4: A records only DNS itself can run over either IPv4 or IPv6. A DNS server (authoritative nameserver or just resolver) using only IPv4 can answer IPv6 AAAA-record queries, and a DNS server using only IPv6 can answer IPv4 A- record queries. Ideally each nameserver would eventually support both IPv4 and IPv6 for all queries, though it is common for hosts with newly enabled IPv6 connectivity to continue to use IPv4-only resolvers. See RFC 4472 for a discussion of some operational issues. Here is an example of DNS requests for A and AAAA records made with the nslookup utility from the command line. (In this example, the DNS resolver was contacted using IPv4.) nslookup -query=A facebook.com Name: facebook.com 250 8 IP version 6

261 An Introduction to Computer Networks, Release 1.9.18 Address: 173.252.120.6 nslookup -query=AAAA facebook.com facebook.com has AAAA address 2a03:2880:2130:cf05: b00c :0:1 face : A few sites have IPv6-only DNS names. If the DNS query returns only an AAAA record, IPv6 must be used. One example in 2015 is ipv6.google.com. In general, however, IPv6-only names such as this are recommended only for diagnostics and testing. The primary DNS names for IPv4/IPv6 sites should have both types of DNS records, as in the Facebook example above (and as for google.com). Java getByName() call may The Java abide by system-wide RFC 6742 -style preferences; the Java getByName() not Networking Properties documentation (2015) states that “the default behavior is to prefer using IPv4 This can be changed by setting the system property addresses over IPv6 ones”. java.net. preferIPv6Addresses true , using System.setProperty() . to InetAddress.getByName() If the client application uses a library call like Java’s , which returns a IP address, the client will then attempt to connect to the address returned. If an IPv4 address is single returned, the connection will use IPv4, and similarly with IPv6. If an IPv6 address is returned and IPv6 connectivity is not working, then the connection will fail. RFC For such an application, the DNS resolver library thus effectively makes the IPv4-or-IPv6 decision. 6724 , which we encountered above in 8.7.2 Stateless Autoconfiguration (SLAAC) , provides a configuration mechanism, through a small table of IPv6 prefixes and precedence values such as the following. prefix precedence 50 ::1/128 IPv6 loopback ::/0 40 “default” match 2002::/16 30 6to4 address; see sidebar in 8.13 IPv6 Connectivity via Tunneling ::ffff:0:0/96 Matches embedded IPv4 addresses; see 8.3 Network Prefixes 10 fc00::/7 3 unique-local plus reserved; see 8.3 Network Prefixes An address is assigned a precedence by looking it up in the table, using the longest-match rule ( 10.1 Class- less Internet Domain Routing: CIDR ); a list of addresses is then sorted in decreasing order of precedence. There is no entry above for link-local addresses, but by default they are ranked below global addresses. This can be changed by including the link-local prefix fe80::/64 in the above table and ranking it higher than, say, ::/0. The default configuration is generally to prefer IPv6 if IPv6 is available; that is, if an interface has an IPv6 address that is (or should be) globally routable. Given the availability of both IPv6 and IPv4, a preference for IPv6 is implemented by assigning the prefix ::/0 – matching general IPv6 addresses – a higher precedence than that assigned to the IPv4-specific prefix ::ffff:0:0/96. This is done in the table above. Preferring IPv6 does not always work out well, however; many hosts have IPv6 connectivity through tun- neling that may be slow, limited or outright down. The precedence table can be changed to prefer IPv4 over IPv6 by raising the precedence for the prefix ::ffff:0.0.0.0/96 to a value higher than that for ::/0. Such system-wide configuration is usually done on Linux hosts by editing /etc/gai.conf and on Windows via the netsh command; for example, netsh interface ipv6 show prefixpolicies . 8.11 Using IPv6 and IPv4 Together 251

262 An Introduction to Computer Networks, Release 1.9.18 We can see this systemwide IPv4/IPv6 preference in action using OpenSSH (see ), between 22.10.1 SSH two systems that each support both IPv4 and IPv6 (the remote system here is intronetworks.cs.luc.edu). With the IPv4-matching prefix precedence set high, connection is automatically via IPv4: /etc/gai.conf: precedence ::ffff:0:0/96 100 Connecting to intronetworks.cs.luc.edu [162.216.18.28] ... ssh: With the IPv4-prefix precedence set low, new connections use IPv6: /etc/gai.conf: precedence ::ffff:0:0/96 10 ssh: Connecting to intronetworks.cs.luc.edu [2600:3c03::f03c:91ff:fe69:f438] ... list of all addresses matching a given host- Applications can also use a DNS-resolver call that returns a name. (Often this list will have just two entries, for the IPv4 and IPv6 addresses, though round-robin DNS ( ) can make the list much longer.) The C language getaddrinfo() call returns such a list, 7.8 DNS InetAddress.getAllByName() as does the Java RFC 6724 preferences then determine the . The relative order of IPv4 and IPv6 entries in this list. If an application requests such a list of all addresses, probably the most common strategy is to try each address in turn, according to the system-provided order. In the example of the previous paragraph, OpenSSH does in fact request a list of addresses, using getaddrinfo() , but, according to its source code, tries them in order and so usually connects to the first address on the list, that is, to the one preferred by the RFC 6724 rules. Alternatively, an application might implement user-specified configuration preferences to decide between IPv4 and IPv6, though user interest in this tends to be limited (except, perhaps, by readers of this book). Happy Eyeballs ” algorithm, RFC 8305 , offers a more nuanced strategy for deciding whether an The “ application should connect using IPv4 or IPv6. Initially, the client might try the IPv6 address (that is, 12.3 TCP Connection Establishment ). If that connection does not will send TCP SYN to the IPv6 address, succeed within, say, 250 ms, the client would try the IPv4 address. 250 ms is barely enough time for the TCP handshake to succeed; it does not allow – and is not meant to allow – sufficient time for a retransmission. The client falls back to IPv4 well before the failure of IPv6 is certain. IPv6 servers As of 2015, the list of websites supporting IPv6 was modest, though the number has crept up since then. Some sites, such as apple.com and microsoft.com, require the “www” prefix for IPv6 availability. Networking providers are more likely to be IPv6-available. Sprint.com gets an honorable mention for having the shortest IPv6 address I found: 2600::aaaa. A Happy-Eyeballs client is also encouraged to cache the winning protocol, so for the next connection the client will attempt to use only the protocol that was successful before. The cache timeout is to be on the order of 10 minutes, so that if IPv6 connectivity failed and was restored then the client can resume using it with only moderate delay. Unfortunately, if the Happy Eyeballs mechanism is implemented at the application layer, which is often the case, then the scope of this cache may be limited to the particular application. As IPv6 becomes more mainstream, Happy Eyeballs implementations are likely to evolve towards placing greater confidence in the IPv6 option. One simple change is to increase the time interval during which the client waits for an IPv6 response before giving up and trying IPv4. 252 8 IP version 6

263 An Introduction to Computer Networks, Release 1.9.18 We can test for the Happy Eyeballs mechanism by observing traffic with WireShark. As a first example, we imagine giving our client host a unique-local IPv6 address (in addition to its automatic link-local address); recall that unique-local addresses are not globally routable. If we now were to connect to, say, google.com, and monitor the traffic using WireShark, we would see a DNS AAAA query (IPv6) for “google.com” fol- lowed immediately by a DNS A query (IPv4). The subsequent TCP SYN, however, would be sent only to the IPv4 address: the client host would know that its IPv6 unique-local address is not routable, and it is not even tried. 2000:dead:beef:cafe::2 , through manual Next let us change the IPv6 address for the client host to 8.12.3 Manual address configuration ), and without providing an actual IPv6 connection . configuration ( (We also manually specify a fake default router.) This address is part of the 2000::/3 block, and is supposed to be globally routable. We now try two connections to google.com , TCP port 80. The first is via the Firefox browser. We see two DNS queries, AAAA and A, in packets 1-4, followed by the first attempt (highlighted in orange) 12.3 TCP Connec- at T=0.071 to negotiate a TCP connection via IPv6 by sending a TCP SYN packet ( tion Establishment ) to the google.com IPv6 address 2607:f8b0:4009:80b::200e. Only 250 ms later, at T=0.321, we see a second DNS A-query (IPv4), followed by an ultimately successful connection attempt using IPv4 starting at T=0.350. This particular version of Firefox, in other words, has implemented the Happy Eyeballs dual-stack mechanism. Now we try the connection using the previously mentioned OpenSSH application, using -p 80 to connect to port 80. (This example was generated somewhat later; DNS now returns 2607:f8b0:4009:807::1004 as google.com’s IPv6 address.) We see two DNS queries, AAAA and A, in packets numbered 4 and 6 (pale blue); these are made by the client from its IPv4 address 10.2.5.19. Half a millisecond after the A query returns (packet 7), the client sends a TCP SYN packet to google.com’s IPv6 address; this packet is highlighted in orange. This SYN packet is retransmitted 3 seconds and then 9 seconds later (in black), to no avail. After 21 seconds, the 8.11 Using IPv6 and IPv4 Together 253

264 An Introduction to Computer Networks, Release 1.9.18 client gives up on IPv6 and attempts to connect to at its IPv4 address, 173.194.46.105; this google.com connection (in green) is successful. The long delay shows that Happy Eyeballs was not implemented by OpenSSH, which its source code confirms. (The host initiating the connections here was running Ubuntu 10.04 LTS, from 2010. The ultimately failing TCP connection gives up after three tries over only 21 seconds; newer systems make more tries and take much longer before they abandon a connection attempt.) 8.12 IPv6 Examples Without a Router In this section we present a few IPv6 experiments that can be done without an IPv6 connection and without even an IPv6 router. Without a router, we cannot use SLAAC or DHCPv6. We will instead use link-local addresses, which require the specification of the interface along with the address, and manually configured Network Prefixes ) addresses. One practical problem with link-local addresses is that unique-local ( 8.3 application documentation describing how to include a specification of the interface is sometimes sparse. 8.12.1 ping6 The IPv6 analogue of the familiar ping ping6 on command, used to send ICMPv6 Echo Requests, is ping -6 on Windows. The ping6 command supports an option to specify the Linux and Mac systems and eg -I eth0 ; as noted above, this is mandatory when sending to link-local addresses. Here are a interface; few ping6 examples: ping6 ::1 : This pings the host’s loopback address; it should always work. ping6 -I eth0 ff02::1 : This pings the all-nodes multicast group on interface eth0 . Here are two of the answers received: • 64 bytes from fe80::3e97:eff:fe2c:2beb (this is the host I am pinging ) from • 64 bytes from fe80::2a0:ccff:fe24:b0e4 (a second Linux host) Answers were also received from a Windows machine and an Android phone. A VoIP phone – on the same subnet but supporting IPv4 only – remained mute, despite VoIP’s difficulties with IPv4 NAT that -I eth0 , the “zone-identifier” syntax ping6 would be avoided with IPv6. In lieu of the interface option ff02::1%eth0 also usually works; see the following section. ping6 -I eth0 fe80::2a0:ccff:fe24:b0e4 : This pings the link-local address of the second Linux host answer- ing the previous query; again, the %eth0 syntax should also work. The destination interface identifier here uses the now-deprecated EUI-64 format; note the “ff:fe” in the middle. Also note the flipped seventh bit of the two bytes 02a0; the destination has Ethernet address 00:a0:cc:24:b0:e4. 8.12.2 TCP connections using link-local addresses The next experiment is to create a TCP connection. Some commands, like ping6 above, may provide for a way of specifying the interface as a command-line option. Failing that, RFC 4007 defines the concept of a zone identifier that is appended to the IPv6 address, separated from it by a “%” character, to specify the link involved. On Linux systems the zone identifier is most often the interface name, eg eth0 or ppp1 . 254 8 IP version 6

265 An Introduction to Computer Networks, Release 1.9.18 Numeric zone identifiers are also used, in which case it represents the number of the particular interface in zone index . On Windows systems the zone index for an interface some designated list and can be called the command, which should include it with each link- can often be inferred from the output of the ipconfig local address. The use of zone identifiers is often restricted to literal (numeric) IPv6 addresses, perhaps because there is little demand for symbolic link-local addresses. The following link-local address with zone identifier creates an ssh connection to the second Linux host in the example of the preceding section: ssh fe80::2a0:ccff:fe24:b0e4 %eth0 netstat -a | That the ssh service is listening for IPv6 connections can be verified on that host by grep -i tcp6 . That the ssh connection actually used IPv6 can be verified by, say, use of a network ipv6 sniffer like WireShark (for which the filter expression ip.version == 6 is useful). If the or connection fails, but ssh works for IPv4 connections and shows as listening in the tcp6 list from the netstat command, a firewall-blocked port is a likely suspect. 8.12.3 Manual address configuration ie not con- The use of manually configured addresses is also possible, for either global or unique-local ( nected to the Internet) addresses. However, without a router there can be no Prefix Discovery, 8.6.2 Prefix Discovery , and this may create subtle differences. The first step is to pick a suitable prefix; in the example below we use the unique-local prefix fd37:beef:cafe::/64 (though this particular prefix does not meet the randomness rules for unique-local pre- fixes). We could also use a globally routable prefix, but here we do not want to mislead any hosts about reachability. Without a router as a source of Router Advertisements, we need some way to specify both the prefix and the prefix ; the latter can be thought of as corresponding to the IPv4 subnet mask. One might be forgiven length for imagining that the default prefix length would be /64, given that this is the only prefix length generally allowed ( ), but this is often not the case. In the commands below, the prefix length 8.3 Network Prefixes is included at the end as the /64. This usage is just slightly peculiar, in that in the IPv4 world the slash notation is most often used only with true prefixes, with all bits zero beyond the slash length. (The Linux command also uses the slash notation in the sense here, to specify an IPv4 subnet mask, eg ip 10.2.5.37/24. The ifconfig and Windows netsh commands specify the IPv4 subnet mask the traditional way, eg 255.255.255.0.) Hosts will usually assume that a prefix configured this way with a length represents an prefix, on-link meaning that neighbors sharing the prefix are reachable directly via the LAN. We can now assign the low-order 64 bits manually. On Linux this is done with: • host1: ip -6 address add fd37:beef:cafe::1/64 dev eth0 • host2: ip -6 address add fd37:beef:cafe::2/64 dev eth0 Macintosh systems can be configured similarly except the name of the interface is probably en0 rather than eth0 . On Windows systems, a typical IPv6-address-configuration command is netsh interface ipv6 add address "Local Area Connection" fd37:beef:cafe::1/64 8.12 IPv6 Examples Without a Router 255

266 An Introduction to Computer Networks, Release 1.9.18 Now on host1 the command ssh fd37:beef:cafe::2 should create an ssh connection to host2, again assuming ssh on host2 is listening for IPv6 connections. Because the addresses here are not link-local, /etc/host entries may be created for them to simplify entry. not Assigning IPv6 addresses manually like this is recommended, except for experiments. On a LAN not connected to the Internet and therefore with no actual routing, it is nonetheless possible to ), such as start up a Router Advertisement agent ( , with a manually configured 8.6.1 Router Discovery radvd /64 prefix. The RA agent will include this prefix in its advertisements, and reasonably modern hosts will then construct full addresses for themselves from this prefix using SLAAC. IPv6 can then be used within the LAN. If this is done, the RA agent should also be configured to announce only a meaningless route, such as ::/128, or else nodes may falsely believe the RA agent is providing full Internet connectivity. 8.13 IPv6 Connectivity via Tunneling The best option for IPv6 connectivity is native support by one’s ISP. In such a situation one’s router should be sending out Router Advertisement messages, and from these all the hosts should discover how to reach the IPv6 Internet. If native IPv6 support is not forthcoming, however, a short-term option is to connect to the IPv6 world packet tunneling (less often, some other VPN mechanism is used). RFC 4213 using outlines the common 6in4 strategy of simply attaching an IPv4 header to the front of the IPv6 packet; it is very similar to the IPv4-in-IPv4 encapsulation of 7.13.1 IP-in-IP Encapsulation . There are several available providers for this service; they can be found by searching for “IPv6 tunnel broker”. Some tunnel brokers provide this service at no charge. 6in4, 6to4 in to 4 tunneling, which uses the same encapsulation as 6in4 but 6 4 tunneling should not be confused with 6 129 .3.5.7 which constructs a site’s IPv6 prefix by embedding its IPv4 address: a site with IPv4 address 81 03:0507::/48 (129 decimal = 0x81). See RFC 3056 . There is also a 6 over 4, gets IPv6 prefix 2002: RFC 2529 . The basic idea behind 6in4 tunneling is that the tunnel broker allocates you a /64 prefix out of its own address block, and agrees to create an IPv4 tunnel to you using 6in4 encapsulation. All your IPv6 traffic from the Internet is routed by the tunnel broker to you via this tunnel; similarly, IPv6 packets from your site reach the outside world using this same tunnel. The tunnel, in other words, is your link to an IPv6 router. Generally speaking, the MTU of the tunnel must be at least 20 bytes less than the MTU of the physical interface, to allow space for the header. At the near end this requires a local configuration change; tunnel brokers often provide a way for users to set the MTU at the far end. Practical MTU values vary from a mandatory IPv6 minimum of 1280 to the Ethernet maximum of 1500–20 = 1480. Setting up the tunnel does not involve creating a stateful connection. All that happens is that the tunnel client ( ie your endpoint) and the broker record each other’s IPv4 addresses, and agree to accept encapsulated IPv6 packets from one another provided these two endpoint addresses are used as source and destination. The 256 8 IP version 6

267 An Introduction to Computer Networks, Release 1.9.18 tunnel at the client end is represented by an appropriate “virtual network interface”, sit0 or gif0 or eg . Tunnel providers generally supply the basic commands necessary to get the tunnel interface IP6Tunnel configured and the MTU set. Once the tunnel is created, the tunnel interface at the client end must be assigned an IPv6 address and then a (default) route. We will assume that the /64 prefix for the broker-to-client link is 2001:470:0:10::/64, with the broker at 2001:470:0:10:: 2 . The address 1 and with the client to be assigned the address 2001:470:0:10:: and route are set up on the client with the following commands (Linux/Mac/Windows respectively; interface names may vary, and some commands assume the interface represents a point-to-point link): ip addr add 2001:470:0:10::2/64 dev sit1 ip route add ::/0 dev sit1 ifconfig gif0 inet6 2001:470:0:10::2 2001:470:0:10::1 prefixlen 128 route -n add -inet6 default 2001:470:0:10::1 netsh interface ipv6 add address IP6Tunnel 2001:470:0:10::2 netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:0:10::1 ping6 At this point the tunnel client should have full IPv6 connectivity! To verify this, one can use , or visit IPv6-only versions of websites ( eg intronetworks6.cs.luc.edu), or visit IPv6-identifying sites such as IsMyIPv6Working.com. Alternatively, one can often install a browser plugin to at least make visible whether IPv6 is used. Finally, one can use with the -6 option to force IPv6 use, following the netcat HTTP example in 12.6.2 netcat again . There is one more potential issue. If the tunnel client is behind an IPv4 NAT router, that router must deliver arriving encapsulated 6in4 packets correctly. This can sometimes be a problem; encapsulated 6in4 packets are at some remove from the TCP and UDP traffic that the usual consumer-grade NAT router is primarily designed to handle. Careful study of the router forwarding settings may help, but sometimes the only fix is a newer router. A problem is particularly likely if two different inside clients attempt to set up tunnels 7.13.1 IP-in-IP Encapsulation . simultaneously; see 8.13.1 IPv6 firewalls block new inbound connections over its IPv6 interface ( It is strongly recommended that an IPv6 host eg the tunnel interface), much as an IPv4 NAT router would do. Exceptions may be added as necessary for essential services (such as ICMPv6). Using the linux ip6tables firewall command, with IPv6-tunneled interface sit1 , this might be done with the following: ip6tables --append INPUT -- in -interface sit1 --protocol icmpv6 --jump ACCEPT ip6tables --append INPUT -- -interface sit1 --match conntrack --ctstate in ã Ñ ESTABLISHED,RELATED --jump ACCEPT ip6tables --append INPUT -- in -interface sit1 --jump DROP At this point the firewall should be tested by attempting to access inside hosts from the outside. At a minimum, ping6 from the outside to any global IPv6 address of any inside host should fail if the ICMPv6 exception above is removed (and should succeed if the ICMPv6 exception is restored). This can be checked by using any of several websites that send pings on request; such sites can be found by searching for “online ipv6 ping”. There are also a few sites that will run a remote IPv6 TCP port scan; try searching for “online ipv6 port scan”. See also exercise 7.0. 8.13 IPv6 Connectivity via Tunneling 257

268 An Introduction to Computer Networks, Release 1.9.18 8.13.2 Setting up a router The next step, if desired, is to set up the tunnel endpoint as a router, so other hosts at the client site can also enjoy IPv6 connectivity. For this we need a second /64 prefix; we will assume this is 2001:470:0: 2 0::/64 (note this is not an “adjacent” /64; the two /64 prefixes cannot be merged into a /63). Let R be the tunnel eth0 endpoint, with its LAN interface, and let A be another host on the LAN. package as our Router Advertisement agent ( 8.6.1 Router Discovery We will use the linux radvd ). In the file, we need to say that we want the LAN prefix 2001:470:0:20::/64 advertised as on-link radvd.conf over interface eth0: interface eth0 { ... prefix 2001:470:0:20::/64 { # advertise this prefix as on-link AdvOnLink on; # allows SLAAC with this prefix AdvAutonomous on; }; }; radvd If eg A) will automatically get the prefix (and thus a full SLAAC is now started, other LAN hosts ( address). Radvd will automatically share R’s default route (::/0), taking it not from the configuration file but from R’s routing table. (It may still be necessary to manually configure the IPv6 address of R’s eth0 interface, eg 1 .) as 2001:470:0:20:: On the author’s version of host A, the IPv6 route is now (with some irrelevant attributes not shown) default via fe80::2a0:ccff:fe24:b0e4 dev eth0 link-local address, always guaranteed on-link, rather than via the That is, host A routes to R via the latter’s subnet address. radvd or its equivalent is not available, the manual approach is to assign R and A each a /64 address: If On host R: ip -6 address add 2001:470:0:20::1/64 dev eth0 On host A: ip -6 address add 2001:470:0:20::2/64 dev eth0 Because of the “/64” here ( ), R and A understand that they can reach 8.12.3 Manual address configuration each other via the LAN, and do so. Host A also needs to be told of the default route via R: On host A: ip -6 route add ::/0 via 2001:470:0:10::1 dev eth0 Here we use the subnet address of R, but we could have used R’s link-local address as well. It is likely that A’s eth0 will also need its MTU configured, so that it matches that of R’s virtual tunnel interface (which, recall, should be at least 20 bytes less than the MTU of R’s physical outbound interface). 8.13.2.1 A second router R2 link is via a separate Ethernet LAN, Now let us add a second router R2, as in the diagram below. The R not a point-to-point link. The LAN with A is, as above, subnet 2001:470:0:20::/64. 258 8 IP version 6

269 An Introduction to Computer Networks, Release 1.9.18 eth0 eth1 eth2 Tunnel R R2 A provider 2001:470:0:20::/64 subnet fe80::ba5e:ba11 fe80::dead:beef radvd). If this were an IPv4 In this case, it is R2 that needs to run the Router Advertisement agent ( eg network, the interfaces eth0 and eth1 on the R R2 link would need IPv4 addresses from some new subnet 7.12 Unnumbered (though the use of private addresses is an option). We can’t use unnumbered interfaces ( ), because the R Interfaces R2 connection is not a point-to-point link. R2 routing to use only link-local addresses. Let us assume for But with IPv6, we can configure the R mnemonic convenience these are as follows: R’s eth0: fe80::ba5e:ba11 fe80::dead:beef R2’s eth1: fe80::ba5e:ba11 (R). Similarly, R2’s forwarding table will have a default route with next_hop R’s forwarding table will have an entry for destination subnet 2001:470:0:20::/64 with next_hop fe80::dead:beef (R2). Neither eth0 nor eth1 needs any other IPv6 address. R2’s eth2 interface will likely need a global IPv6 address, eg 2001:470:0:20::1 again. Otherwise R2 may not be able to determine that its eth2 interface is in fact connected to the 2001:470:0:20::/64 subnet. One advantage of not giving eth0 or eth1 global addresses is that it is then impossible for an outside attacker to reach these interfaces directly. It also saves on subnets, although one hopes with IPv6 those are not in short supply. All routers at a site are likely to need, for management purposes, an IP address reachable throughout the site, but this does not have to be globally visible. 8.14 IPv6-to-IPv4 Connectivity What happens if you switch to IPv6 completely, perhaps because your ISP (or phone provider) has run out of IPv4 addresses? Some of the time – hopefully more and more of the time – you will only need to talk to IPv6 servers. For example, the DNS names and google.com each correspond to an facebook.com IPv4 address, but also to an IPv6 address (above). But what do you do if you want to reach an IPv4-only server? Such servers are expected to continue operating for a long time to come. It is necesary to have some sort of centralized IPv6-to-IPv4 translator . An early strategy was NAT-PT ( ). The translator was assigned a /96 prefix. The IPv6 host would RFC 2766 append to this prefix the 32-bit IPv4 address of the destination, and use the resulting address to contact the IPv4 destination. Packets sent to this address would be delivered via IPv6 to the translator, which would translate the IPv6 header into IPv4 and then send the translated packet on to the IPv4 destination. As in IPv4 NAT ( 7.7 Network Address Translation ), the reverse translation will typically involve TCP port numbers to resolve ambiguities. This approach requires the IPv6 host to be aware of the translator, and is limited to TCP and UDP (because of the use of port numbers). Due to these and several other limitations, NAT-PT was formally deprecated in RFC 4966 . 8.14 IPv6-to-IPv4 Connectivity 259

270 An Introduction to Computer Networks, Release 1.9.18 Do you still have IPv4 service? As of 2017, several phone providers have switched many of their customers to IPv6 while on their mobile- data networks. The change can be surprisingly inconspicuous. Connections to IPv4-only services still work just fine, courtesy of NAT64. About the only way to tell is to look up the phone’s IP address. The replacement protocol is NAT64 , documented in RFC 6146 . This is also based on address translation, and, as such, cannot allow connections initiated from IPv4 hosts to IPv6 hosts. It is, however, transparent to both the IPv6 and IPv4 hosts involved, and is not restricted to TCP (though only TCP, UDP and ICMP are RFC 6146 ). It uses a special DNS variant, DNS64 ( RFC 6147 supported by ), as a companion protocol. To use NAT64, an IPv6 client sends out its ordinary DNS query to find the addresses of the destination server. 7.8 DNS The DNS resolver ( ) receiving the request must use DNS64. If the destination has only an IPv4 address, then the DNS resolver will return to the IPv6 client (as an AAAA record) a synthetic IPv6 address consisting of a prefix and the embedded IPv4 address of the server, much as in NAT-PT above (though multiple prefix-length options exist; see ). The prefix belongs to the actual NAT64 translator; any RFC 6052 packet addressed to an IPv6 address starting with the prefix will be delivered to the translator. There is no relationship between the NAT64 translator and the DNS64 resolver beyond the fact that the former’s prefix is configured into the latter. The IPv6 client now uses this synthetic IPv6 address to contact the IPv4 server. Its packets will be routed to the NAT64 translator itself, by virtue of the prefix, much as in NAT-PT. Upon receiving the first packet from the IPv6 client, the NAT64 translator will assign one of its IPv4 addresses to the new connection. As IPv4 addresses are in short supply, this pool of available IPv4 addresses may be small, so NAT64 allows one IPv4 address to be used by many IPv6 clients. To this end, the NAT64 translator will also (for TCP and UDP) establish a port mapping between the incoming IPv6 source port and a port number allocated by the NAT64 to ensure that traffic is uniquely reversable. As with IPv4 NAT, if two IPv6 clients try to contact the same IPv4 server using the same source ports, and are assigned the same NAT64 IPv4 address, then one of the clients will have its port number changed. If an ICMP query is being sent, the Query Identifier is used in lieu of port numbers. To extend NAT64 to new protocols, an appropriate analog of port numbers must be identified, to allow demultiplexing of multiple connections sharing a single IPv4 address. After the translation is set up, by creating appropriate table entries, the translated packet is sent on to the IPv4 server address that was embedded in the synthetic IPv6 address. The source address will be the assigned IPv4 address of the translator, and the source port will have been rewritten in accordance with the new port mapping. At this point packets can flow freely between the original IPv6 client and its IPv4 destination, with neither endpoint being aware of the translation (unless the IPv6 client carefully inspects the synthetic address it receives via DNS64). A timer within the NAT64 translator will delete the association between the IPv6 and IPv4 addresses if the connection is not used for a while. As an example, suppose the IPv6 client has address 2000:1234::abba, and is trying to reach intronet- works4.cs.luc.edu at TCP port 80. It contacts its DNS server, which finds no AAAA record but IPv 4 address 162.216.18.28 (in hex, a2d8:121c). It takes the prefix for its NAT64 translator, which we will assume is 2000:cafe::, and returns the synthetic address 2000:cafe::a2d8:121c. 260 8 IP version 6

271 An Introduction to Computer Networks, Release 1.9.18 AAAA query DNS query for intronetworks4 none 2000:1234::abba cs.luc.edu cs.luc.edu abba DNS64 A query nameserver 2000:cafe::a2d8:121c 162.216.18.28 TCP connect to 2000:cafe:a2d8:121c from port 4000 To 162.216.18.28 from port 4002 intro 200.0.0.1 networks4 NAT64 intronetworks4.cs.luc.edu 2000:cafe::/64 162.216.18.28 (a2d8:121c) IPv4 addr src IPv4 addr dest IPv4 port src IPv6 addr src IPv6 port src 4000 200.0.0.1 162.216.18.28 4002 2000:1234::abba not all columns shown The IPv6 client now tries to connect to 2000:cafe::a2d8:121c, using source port 4000. The first packet arrives at the NAT64 translator, which assigns the connection the outbound IPv4 address of 200.0.0.1, and reassigns the source port on the IPv4 side to 4002. The new IPv4 packet is sent on to 162.216.18.28. The intronetworks4.cs.luc.edu comes back, to x 200.0.0.1,4002 y reply from . The NAT64 translator looks this up and finds that this corresponds to x 2000:1234::abba,4000 y , and forwards it back to the original IPv6 client. 8.15 Epilog IPv4 has run out of large address blocks, as of 2011. IPv6 has reached a mature level of development. Most common operating systems provide excellent IPv6 support. Yet conversion has been slow. Many ISPs still provide limited (to nonexistent) support, and inexpensive IPv6 firewalls to replace the ubiquitous consumer-grade NAT routers are just beginning to appear. Time will tell how all this evolves. However, while IPv6 has now been around for twenty years, top-level IPv4 address blocks disappeared much more recently. It is quite possible that this will prove to be just the catalyst IPv6 needs. 8.16 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. 1.0. Each IPv6 address is associated with a specific solicited-node multicast address. (a). Explain why, on a typical Ethernet, if the original IPv6 host address was obtained via SLAAC then the LAN multicast group corresponding to the host’s solicited-node multicast addresses is likely to be small, in many cases consisting of one host only. (Packet delivery to small LAN multicast groups can be much more efficient than delivery to large multicast groups.) 8.15 Epilog 261

272 An Introduction to Computer Networks, Release 1.9.18 (b). What steps might a DHCPv6 server take to ensure that, for the IPv6 addresses it hands out, the LAN multicast groups corresponding to the host addresses’ solicited-node multicast addresses will be small? 2.0. If an attacker sends a large number of probe packets via IPv4, you can block them by blocking the attacker’s IP address. Now suppose the attacker uses IPv6 to launch the probes; for each probe, the attacker changes the low-order 64 bits of the address. Can these probes be blocked efficiently? If so, what do you have to block? Might you also be blocking other users? 3.0. Suppose someone tried to implement ping6 so that, if the address was a link-local address and no interface was specified, the ICMPv6 Echo Request was sent out all non-loopback interfaces. Could the end result be different than conventional ping6 with the correct interface supplied? If so, how likely is this? 4.0. Create an IPv6 ssh connection as in 8.12 IPv6 Examples Without a Router . Examine the connection’s packets using WireShark or the equivalent. Does the TCP handshake ( ) 12.3 TCP Connection Establishment look any different over IPv6? 5.0. Create an IPv6 ssh connection using manually configured addresses as in 8.12.3 Manual address configuration . Again use WireShark or the equivalent to monitor the connection. Is DAD ( 8.7.1 Duplicate Address Detection ) used? 6.0. An IPv6 fixed-header is 40 bytes. Taking this as the minimum packet size, how long will it take to send 15 10 hosts (one quadrillion) probe packets to a site, if the bandwidth is 1 Gbps? 8.13 IPv6 Connectivity via 7.0. Suppose host A gets its IPv6 traffic through tunnel provider H, as in . To improve security, A blocks all packets that are not part of connections it has initiated, and Tunneling makes no exception for ICMPv6 traffic. H is correctly configured to know the MTU of the A–H link. For (a) and (b), this MTU is 1280, the minimum allowed for IPv6. Much of the Internet, however, allows larger MTU values. A H Internet B (a). If A attempts to send a larger-than-1280-byte IPv6 packet to remote host B, will A be informed of the resultant failure? Why or why not? (b). Suppose B attempts to send a larger-than-1280-byte IPv6 packet to A. Will B receive an ICMPv6 Packet Too Big message? Why or why not? (c). Now suppose the MTU of the A–H link is raised to 1400 bytes. Outline a scenario in which A sends a packet of size greater than 1280 bytes to remote host B, the packet is too big to make it all the way to B, and yet A receives no notification of this. 262 8 IP version 6

273 9 ROUTING-UPDATE ALGORITHMS How do IP routers build and maintain their forwarding tables? Ethernet bridges always have the option of fallback-to-flooding for unknown destinations, so they can afford to build their forwarding tables “incrementally”, putting a host into the forwarding table only when that host . For IP, there is no fallback delivery mechanism: forwarding tables must be built is first seen as a sender delivery can succeed. While manual table construction is possible, it is not practical. before In the literature it is common to refer to router-table construction as “routing algorithms”. We will avoid that term, however, to avoid confusion with the fundamental datagram-forwarding algorithm; instead, we will call these “routing-update algorithms”. The two classes of algorithms we will consider here are link-state . In the distance- distance-vector and vector approach, often used at smaller sites, routers exchange information with their immediately neighbor- ing routers; tables are built up this way through a sequence of such periodic exchanges. In the link-state approach, routers rapidly propagate information about the state of each link; all routers in the organization receive this link-state information and each one uses it to build and maintain a map of the entire network. The forwarding table is then constructed (sometimes on demand) from this map. Both approaches assume that consistent information is available as to the of each link ( eg that the two cost routers at opposite ends of each link know this cost, and agree on how the cost is determined). This require- ment classifies these algorithms as routing-update algorithms: the routers involved are internal to a interior larger organization or other common administrative regime that has an established policy on how to assign link weights. The set of routers following a common policy is known as a routing domain or (from the BGP protocol) an autonomous system . The simplest link-weight strategy is to give each link a cost of 1; link costs can also be based on bandwidth, propagation delay, financial cost, or administrative preference value. Careful assignment of link costs often plays a major role in herding traffic onto the faster or “better” links. In the following chapter we will look at the Border Gateway Protocol, or BGP, in which no link-cost cal- culations are made. BGP is used to select routes that traverse other organizations, and financial rather than technical factors may therefore play the dominant role in making routing choices. Generally, all these algorithms apply to IPv6 as well as IPv4, though specific protocols of course may need modification. Finally, we should point out that from the early days of the Internet, routing was allowed to depend not just on the destination, but also on the “quality of service” (QoS) requested; thus, forwarding table entries are strictly speaking not x destination, next_hop y but rather x destination, QoS, next_hop y . Originally, the Type of Service field in the IPv4 header ( ) could be used to specify QoS (often then called 7.1 The IPv4 Header ToS). Packets could request low delay, high throughput or high reliability, and could be routed accordingly. In practice, the Type of Service field was rarely used, and was eventually taken over by the DS field and ECN bits. The first three bits of the Type of Service field, known as the precedence bits, remain available, however, and can still be used for QoS routing purposes (see the Class Selector PHB of 20.7 Differentiated Services for examples of these bits). See also RFC 2386 . In much of the following, we are going to ignore QoS information, and assume that routing decisions are based only on the destination. See, however, the first paragraph of 9.5 Link-State Routing-Update 263

274 An Introduction to Computer Networks, Release 1.9.18 Algorithm 9.6 Routing on Other Attributes . , and also 9.1 Distance-Vector Routing-Update Algorithm Distance-vector is the simplest routing-update algorithm, used by the Routing Information Protocol, or RIP. . Version 2 of the protocol is specified in RFC 2453 Routers identify their router neighbors (through some sort of neighbor-discovery mechanism), and add a cost third column to their forwarding tables representing the total for delivery to the corresponding destina- tion. These costs are the “distance” of the algorithm name. Forwarding-table entries are now of the form y . x destination,next_hop,cost Costs are administratively assigned to each link, and the algorithm then calculates the total cost to a desti- nation as the sum of the link costs along the path. The simplest case is to assign a cost of 1 to each link, in which case the total cost to a destination will be the number of links to that destination. This is known as the “hopcount” metric; it is also possible to assign link costs that reflect each link’s bandwidth, or de- lay, or whatever else the network administrators wish. Thoughtful cost assignments are a form of traffic engineering and sometimes play a large role in network performance. reports the x destination,cost At this point, each router then portion of its table to its neighboring routers at y regular intervals; these table portions are the “vectors” of the algorithm name. It does not matter if neighbors exchange reports at the same time, or even at the same rate. Each router also monitors its continued connectivity to each neighbor; if neighbor N becomes unreachable then its reachability cost is set to infinity. In a real IP network, actual destinations would be subnets attached to routers; one router might be directly connected to several such destinations. In the following, however, we will identify all a router’s directly connected subnets with the router itself. That is, we will build forwarding tables to reach every router . While it is possible that one destination subnet might be reachable by two or more routers, thus breaking our identification of a router with its set of attached subnets, in practice this is of little concern. See exercise 4.0 for an example in which subnets are not identified with adjacent routers. In 18.5 IP Routers With Simple Distance-Vector Implementation we present a simplified working imple- mentation of RIP using the Mininet network emulator. 9.1.1 Distance-Vector Update Rules Let A be a router receiving a report x D,c . Note that this means A can reach D y from neighbor N at cost c N D with cost c = c + c . A updates its own table according to the following three rules: via N N D New destination : D is a previously unknown destination. A adds x D,N,c y 1. to its forwarding table. 2. : D is a known destination with entry x D,M,c Lower cost y , but the new total cost c is less than c . old old A switches to the cheaper route, updating its entry for D to x D,N,c y . It is possible that M=N, meaning that N is now reporting a cost decrease to D. (If c = c , A ignores the new report; see exercise 5.5.) old 3. Next_hop increase : A has an existing entry x D, N ,c . y , and the new total cost c is greater than c old old Because this is a cost increase from the neighbor N that A is currently using to reach D, A must incorporate the increase in its table. A updates its entry for D to x D,N,c y . 264 9 Routing-Update Algorithms

275 An Introduction to Computer Networks, Release 1.9.18 The first two rules are for new destinations and a shorter path to existing destinations. In these cases, the cost to each destination monotonically decreases (at least if we consider all unreachable destinations as being at cost 8 ). Convergence is automatic, as the costs cannot decrease forever. The third rule, however, introduces the possibility of instability, as a cost may also go up. It represents the case, in that neighbor N has learned that some link failure has driven up its own cost to reach D, bad-news N. and is now passing that “bad news” on to A, which routes to D via The next_hop-increase case only passes bad news along; the very first cost increase must always come from 8 . Similarly, if a router discovering that a neighbor N is unreachable, and thus updating its cost to N to router A learns of a next_hop increase to destination D from neighbor B, then we can follow the next_hops back until we reach a router C which is either the originator of the cost= 8 report, or which has learned of an alternative route through one of the first two rules. 9.1.2 Example 1 For our first example, no links will break and thus only the first two rules above will be used. We will start out with the network below with empty forwarding tables; all link costs are 1. B 1 1 C A 1 1 1 1 D E After initial neighbor discovery, here are the forwarding tables. Each node has entries only for its directly connected neighbors: B,B,1 y x A: y x D,D,1 y x C,C,1 B: A,A,1 y x C,C,1 y x C: A,A,1 y x B,B,1 y x E,E,1 y x x y x E,E,1 y D: A,A,1 x C,C,1 y x D,D,1 y E: x x Now let D report to A; it sends records and x E,1 y . A ignores D’s A,1 A,1 y record, but x E,1 y represents a y new destination; A therefore adds x E,D, 2 y to its table. Similarly, let A now report to D, sending x B,1 yx C,1 y x D,1 E,2 y (the last is the record we just added). D ignores A’s records x D,1 y and x E,2 y but A’s records y x and B,1 and x C,1 y cause D to create entries x B,A,2 y y x C,A,2 y . A and D’s tables are now, in fact, complete. x Now suppose C reports to B; this gives B an entry x E,C,2 y . If C also reports to E, then E’s table will have x A,C,2 y and x B,C,2 y . The tables are now: A: x y x C,C,1 y x D,D,1 y x E,D,2 y B,B,1 x A,A,1 y x C,C,1 y x E,C,2 y B: C: x A,A,1 y x B,B,1 y x E,E,1 y B,A,2 D: A,A,1 y x E,E,1 y x x y x C,A,2 y 9.1 Distance-Vector Routing-Update Algorithm 265

276 An Introduction to Computer Networks, Release 1.9.18 E: C,C,1 y x D,D,1 y x A,C,2 y x B,C,2 y x We have two missing entries: B and C do not know how to reach D. If A reports to B and C, the tables will be complete; B and C will each reach D via A at cost 2. However, the following sequence of reports might also have occurred: D,E,2 • E reports to C, causing C to add y x D,C, 3 y • C reports to B, causing B to add x In this case we have 100% reachability but B routes to D via the longer-than-necessary path B–C–E–D. x D,1 y from A, and will However, one more report will fix this: suppose A reports to B. B will received x D,C,3 y to x D,A,2 y . update its entry Note that A routes to E via D while E routes to A via C; this asymmetry was due to indeterminateness in the order of initial table exchanges. If all link weights are 1, and if each pair of neighbors exchange tables once before any pair starts a second ie the shortest paths will be the exchange, then the above process will discover the routes in order of length, first to be discovered. This is not, however, a particularly important consideration. 9.1.3 Example 2 The next example illustrates link weights other than 1. The first route discovered between A and B is the direct route with cost 8; eventually we discover the longer A–C–D–B route with cost 2+1+3=6. 2 A C 8 1 3 B D The initial tables are these: x C,C,2 A: B,B,8 y y x B: x A,A,8 y x D,D,3 y C: x A,A,2 y x D,D,1 y D: x y x C,C,1 y B,B,3 x y and C has x B,A,10 y . After C and D exchange, C updates its After A and C exchange, A has D,C,3 B,A,10 y entry to x x y and D adds x A,C,3 y ; D receives C’s report of x B,10 y but ignores it. Now finally B,D,4 suppose B and D exchange. D ignores B’s route to A, as it has a better one. B, however, gets D’s report x A,3 y and updates its entry for A to x A,D,6 y . At this point the tables are as follows: A: x y x B,B,8 y x D,C,3 y C,C,2 x A,D,6 y x D,D,3 y B: C: x A,A,2 y x D,D,1 y x B,D,4 y D: x B,B,3 y x C,C,1 y x A,C,3 y 266 9 Routing-Update Algorithms

277 An Introduction to Computer Networks, Release 1.9.18 We have two more things to fix before we are done: A has an inefficient route to B, and B has no route x B,4 to A; A will replace its route to B with x B,C,6 y . The to C. The first will be fixed when C reports y second will be fixed when D reports to B; if A reports to B first then B will temporarily add the inefficient route C,A,10 y ; this will change to x C,D,4 y when D’s report to B arrives. If we look only at the A–B route, x after that, D reports to B; a B discovers the lower-cost route to A once, first, C reports to D and, second, similar sequence leads to A’s discovering the lower-cost route. 9.1.4 Example 3 breaks . We return to the first Our third example will illustrate how the algorithm proceeds when a link diagram, with all tables completed, and then suppose the D–E link breaks. This is the “bad-news” case: a link has broken, and is no longer available; this will bring the third rule into play. B 1 1 C A 1 1 1 1 E D We shall assume, as above, that A reaches E via D, but we will here assume – contrary to Example 1 – that C reaches D via A (see exercise 3.5 for the original case). Initially, upon discovering the break, D and E update their tables to x E,-, 8y and x D,-, 8y respectively (whether or not they actually enter 8 into their tables is implementation-dependent; we may consider this removing as equivalent to their entries for one another; the “-” as next_hop indicates there is no next_hop). Eventually D and E will report the break to their respective neighbors A and C. A will apply the “bad-news” x E,-, 8y rule above and update its entry for E to . We have assumed that C, however, routes to D via A, and so it will ignore E’s report. We will suppose that the next steps are for C to report to E and to A. When C reports its route x D,2 y to E, E will add the entry x D,C,3 y , and will again be able to reach D. When C reports to A, A will add the route . Connectivity is restored. x y . The final step will be when A next reports to D, and D will have x E,A,3 y E,C,2 9.1.5 Example 4 The previous examples have had a “global” perspective in that we looked at the entire network. In the next example, we look at how one specific router, R, responds when it receives a distance-vector report from its neighbor S. Neither R nor S nor we have any idea of what the entire network looks like. Suppose R’s table is initially as follows, and the S–R link has cost 1: 9.1 Distance-Vector Routing-Update Algorithm 267

278 An Introduction to Computer Networks, Release 1.9.18 destination cost next_hop S 3 A 4 B T S 5 C 6 D U S now sends R the following report, containing only destinations and its costs: cost destination A 2 3 B C 5 4 D 2 E R then updates its table as follows: next_hop cost reason destination S 3 No change; S probably sent this report before A B T 4 No change; R’s cost via S is tied with R’s cost via T C S 6 Next_hop increase D S 5 Lower-cost route via S 3 S E New destination Whatever S’s cost to a destination, R’s cost to that destination via S is one greater. 9.2 Distance-Vector Slow-Convergence Problem There is a significant problem with distance-vector table updates in the presence of broken links. Not only can routing loops form, but the loops can persist indefinitely! As an example, suppose we have the following arrangement, with all links having cost 1: 1 1 D A B ⟨ D,D,1 ⟩ ⟩ ⟨ D,A,2 Now suppose the D–A link breaks: D A B ⟨ D,-, ⟩ D,A,2 ⟨ ⟩  If A immediately reports to B that D is no longer reachable (cost = 8 ), then all is well. However, it is possible that B reports to A first, telling A that it has a route to D, with cost 2, which B still believes it has. 268 9 Routing-Update Algorithms

279 An Introduction to Computer Networks, Release 1.9.18 This means A now installs the entry y . At this point we have what we called in 1.6 Routing Loops a x D,B,3 linear routing loop: if a packet is addressed to D, A will forward it to B and B will forward it back to A. x D,3 y to B, at which point B will Worse, this loop will be with us a while. At some point A will report x D,A,4 y . Then B will report x D,4 y to A, and A’s entry will be x D,B,5 y , etc . This process update its entry to slow convergence to infinity is known as . If A and B each report to the other once a minute, it will take 2,000 years for the costs to overflow an ordinary 32-bit integer. 9.2.1 Slow-Convergence Fixes The simplest fix to this problem is to use a small value for infinity. Most flavors of the RIP protocol use infinity=16, with updates every 30 seconds. The drawback to so small an infinity is that no path through the network can be longer than this; this makes paths with weighted link costs difficult. Cisco IGRP uses a variable value for infinity up to a maximum of 256; the default infinity is 100. There are several well-known other fixes: 9.2.1.1 Split Horizon Under split horizon, if A uses N as its next_hop for destination D, then A simply does not report to N that it can reach D; that is, in preparing its report to N it first deletes all entries that have N as next_hop. In the example above, split horizon would mean B would never report to A about the reachability of D because A is B’s next_hop to D. Split horizon prevents all linear routing loops. However, there are other topologies where it cannot prevent loops. One is the following: ⟨ ⟩ D,A,2 B 1 1 D A 1 1 ⟩ D,A,2 ⟨ C Suppose the A-D link breaks, and A updates to D,-, 8y . A then reports x D, 8y to B, which updates its x x table to 8y . But then, before A can also report x D, 8y to C, C reports x D,2 y to B. B then updates to D,-, x D,C,3 y , and reports x D,3 y back to A; neither this nor the previous report violates split-horizon. Now A’s D,A,5 entry is y . Eventually A will report to C, at which point C’s entry becomes x D,B,4 y , and the numbers x keep increasing as the reports circulate counterclockwise. The actual routing proceeds in the other direction, clockwise. Split horizon often also includes poison reverse : if A uses N as its next_hop to D, then A in fact reports x D, 8y to N, which is a more definitive statement that A cannot reach D by itself. However, coming up with a scenario where poison reverse actually affects the outcome is not trivial. 9.2.1.2 Triggered Updates In the original example, if A was first to report to B then the loop resolved immediately; the loop occurred if B was first to report to A. Nominally each outcome has probability 50%. Triggered updates means that 9.2 Distance-Vector Slow-Convergence Problem 269

280 An Introduction to Computer Networks, Release 1.9.18 any router should report immediately to its neighbors whenever it detects any change for the worse. If A reports first to B in the first example, the problem goes away. Similarly, in the second example, if A reports to both B and C before B or C report to one another, the problem goes away. There remains, however, a small window where B could send its report to A just as A has discovered the problem, before A can report to B. 9.2.1.3 Hold Down Hold down is sort of a receiver-side version of triggered updates: the receiver does not use new alternative routes for a period of time (perhaps two router-update cycles) following discovery of unreachability. This gives time for bad news to arrive. In the first example, it would mean that when A received B’s report D,2 y , x x D, 8y to B as usual, at which point B would now report x it would set this aside. It would then report 8y D, back to A, at which point B’s earlier report D,2 y would be discarded. A significant drawback of hold down x is that legitimate new routes are also delayed by the hold-down period. These mechanisms for preventing slow convergence are, in the real world, quite effective. The Routing Information Protocol (RIP, ) implements all but hold-down, and has been widely adopted at RFC 2453 smaller installations. However, the potential for routing loops and the limited value for infinity led to the development of al- ternatives. One alternative is the link-state strategy, 9.5 Link-State Routing-Update Algorithm . Another alternative is Cisco’s Enhanced Interior Gateway Routing Protocol, or EIGRP, 9.4.4 EIGRP . While part of the distance-vector family, EIGRP is provably loop-free, though to achieve this it must sometimes suspend forwarding to some destinations while tables are in flux. 9.3 Observations on Minimizing Route Cost Does distance-vector routing actually achieve minimum costs? For that matter, does each packet incur the x D,B,c y , meaning that A forwards packets cost its sender expects? Suppose node A has a forwarding entry to destination D via next_hop B, and expects the total cost to be c. If A sends a packet to D, and we follow accurate it on the actual path it takes, must the total link cost be c? If so, we will say that the network has costs . The answer to the accurate-costs question, as it turns out, is yes for the distance-vector algorithm, if we follow the rules carefully, and the network is stable (meaning that no routing reports are changing, or, more concretely, that every update report now circulating is based on the current network state); a proof is below. However, if there is a routing loop, the answer is of course no: the actual cost is now infinite. The answer would also be no if A’s neighbor B has just switched to using a longer route to D than it last reported to A. It turns out, however, that we seek the shortest route not because we are particularly trying to save money on transit costs; a route 50% longer would generally work just fine. (AT&T, back when they were the Phone Company, once ran a series of print advertisements claiming longer routes as a feature : if the direct path was congested, they could still complete your call by routing you the long way ‘round.) However, we are guaranteed that if all routers seek the shortest route – and if the network is stable – then all paths are loop-free, because in this case the network will have accurate costs. Here is a simple example illustrating the importance of global cost-minimization in preventing loops. Sup- pose we have a network like this one: 270 9 Routing-Update Algorithms

281 An Introduction to Computer Networks, Release 1.9.18 cost=20 A cost=1 cost=1 C D cost=20 B Now suppose that A and B use distance-vector but are allowed to choose the shortest route . A to within 10% would get a report from C that D could be reached with cost 1, for a total cost of 21. The forwarding entry D,C,21 y . Similarly, A would get a report from B that D could be reached with cost 21, for via C would be x x D,B,22 y . Similarly, B has choices x D,C,21 y and x a total cost of 22: y . D,A,22 If A and B both choose the minimal route, no loop forms. But if A and B both use the 10%-overage rule, x y and B could choose x D,A,22 y . they would be allowed to choose the other route: A could choose D,B,22 If this happened, we would have a routing loop: A would forward packets for D to B, and B would forward them right back to A. As we apply distance-vector routing, each router independently builds its tables. A router might have some notion of the path its packets would take to their destination; for example, in the case above A might believe that with forwarding entry x D,B,22 y its packets would take the path A–B–C–D (though in distance-vector routing, routers do not particularly worry about the big picture). Consider again the accurate-cost question above. This fails in the 10%-overage example, because the actual path is now infinite. We now prove that, in distance-vector routing, the network will have accurate costs, provided • each router selects what it believes to be the shortest path to the final destination, and • the network is stable, meaning that further dissemination of any reports would not result in changes To see this, suppose the actual route taken by some packet from source to destination, as determined by application of the distributed distance-vector algorithm, is longer than the cost calculated by the source. Choose an example of such a path with the fewest number of links , among all such paths in the network. Let S be the source, D the destination, and k the number of links in the actual path P. Let S’s forwarding x D,N,c y , where N is S’s next_hop neighbor. entry for D be x D,c y from To have obtained this route through the distance-vector algorithm, S must have received report D N, where we also have the cost of the S–N link as c and c = c + c . If we follow a packet from N to D, it N N D must take the same path P with the first link deleted; this sub-path has length k-1 and so, by our hypothesis that k was the length of the shortest path with non-accurate costs, the cost from N to D is c . But this means D that the cost along path P, from S to D via N, must be c + c = c, contradicting our selection of P as a path D N longer than its advertised cost. There is one final observation to make about route costs: any cost-minimization can occur only within a single routing domain, where full information about all links is available. If a path traverses multiple routing domains, each separate routing domain may calculate the optimum path traversing that domain. But these “local minimums” do not necessarily add up to a globally minimal path length, particularly when domain rather than to a one domain calculates the minimum cost from one of its routers only to the other router within that other domain. Here is a simple example. Routers BR1 and BR2 are the border routers connecting the domain LD to the left of the vertical dotted line with domain RD to the right. From A to B, LD will choose the shortest path to RD (not to B, because LD is not likely to have information about links within RD). This is the path of length 3 through BR2. But this leads to a total path length of 3+8=11 from 9.3 Observations on Minimizing Route Cost 271

282 An Introduction to Computer Networks, Release 1.9.18 A to B; the global minimum path length, however, is 4+1=5, through BR1. cost=4 cost=1 BR1 B A cost=3 cost=8 BR2 Domain LD Domain RD In this example, domains LD and RD join at two points. For a route across two domains joined at only a single point, the domain-local shortest paths do add up to the globally shortest path. 9.4 Loop-Free Distance Vector Algorithms It is possible for routing-update algorithms based on the distance-vector idea to eliminate routing loops – and thus the slow-convergence problem – entirely. We present brief descriptions of two such algorithms. 9.4.1 DSDV DSDV, or Destination-Sequenced Distance Vector , was proposed in [PB94] . It avoids routing loops by the introduction of sequence numbers : each router will always prefer routes with the most recent sequence number, and bad-news information will always have a lower sequence number then the next cycle of cor- rected information. DSDV was originally proposed for MANETs ( 3.7.8 MANETs ) and has some additional features for traffic minimization that, for simplicity, we ignore here. It is perhaps best suited for wired networks and for small, relatively stable MANETs. DSDV forwarding tables contain entries for every other reachable node in the system. One successor of DSDV, Ad Hoc On-Demand Distance Vector routing or AODV, AODV , allows forwarding tables 9.4.2 to contain only those destinations in active use; a mechanism is provided for discovery of routes to newly active destinations. Under DSDV, each forwarding table entry contains, in addition to the destination, cost and next_hop, the cur- rent sequence number for that destination. When neighboring nodes exchange their distance-vector reacha- bility reports, the reports include these per-destination sequence numbers. When a router R receives a report from neighbor N for destination D, and the report contains a sequence number larger than the sequence number for D currently in R’s forwarding table, then R always updates to use the new information. The three cost-minimization rules of 9.1.1 Distance-Vector Update Rules above are used only when the incoming and existing sequence numbers are equal. Each time a router R sends a report to its neighbors, it includes a new value for its own sequence number, which it always increments by 2. This number is then entered into each neighbor’s forwarding-table entry for 272 9 Routing-Update Algorithms

283 An Introduction to Computer Networks, Release 1.9.18 R, and is then propagated throughout the network via continuing report exchanges. Any sequence number originating this way will be even, and whenever another node’s forwarding-table sequence number for R is even, then its cost for R will be finite. Infinite-cost reports are generated in the usual way when former neighbors discover they can no longer reach one another; however, in this case each node increments the sequence number for its former neighbor by 1, thus generating an odd value. Any forwarding-table entry with infinite cost will thus always have an odd sequence number. If A and B are neighbors, and A’s current sequence number is s, and the A–B link breaks, then B will start reporting A at cost 8 with sequence number s+1 while A will start reporting its own new sequence number s+2. Any other node now receiving a report originating with B (with sequence number s+1) will mark A as having cost 8 , but will obtain a valid route to A upon receiving a report originating from A with new (and larger) sequence number s+2. The triggered-update mechanism is used: if a node receives a report with some destinations newly marked with infinite cost, it will in turn forward this information immediately to its other neighbors, and so on. This is, however, not essential; “bad” and “good” reports are distinguished by sequence number, not by relative arrival time. It is now straightforward to verify that the slow-convergence problem is solved. After a link break, if there is some alternative path from router R to destination D, then R will eventually receive D’s latest even sequence number, which will be greater than any sequence number associated with any report listing D as unreachable. If, on the other hand, the break partitioned the network and there is no longer any path to D from R, then the highest sequence number circulating in R’s half of the original network will be odd and the associated table entries will all list D at cost 8 . One way or another, the network will quickly settle down to a state where every destination’s reachability is accurately described. In fact, a stronger statement is true: not even transient routing loops are created. We outline a proof. First, whenever router R has next_hop N for a destination D, then N’s sequence number for D must be greater than or equal to R’s, as R must have obtained its current route to D from one of N’s reports. A consequence is that all routers participating in a loop for destination D must have the same (even) sequence number s for D throughout. This means that the loop would have been created if only the reports with sequence number 9.1.1 Distance-Vector Update Rules , any application of the next_hop- s were circulating. As we noted in increase rule must trace back to a broken link, and thus must involve an odd sequence number. Thus, the loop must have formed from the sequence-number-s reports by the application of the first two rules only. But this violates the claim in Exercise 10.0. There is one drawback to DSDV: nodes may sometimes briefly switch to routes that are longer than optimum (though still correct). This is because a router is required to use the route with the newest sequence number, even if that route is longer than the existing route. If A and B are two neighbors of router R, and B is closer to destination D but slower to report, then every time D’s sequence number is incremented R will receive A’s longer route first, and switch to using it, and B’s shorter route shortly thereafter. DSDV implementations usually address this by having each router R keep track of the time interval between first arrival at R of a new route to a destination D with a given sequence number, and the arrival of the the best route with that sequence number. During this interval following the arrival of the first report with a new sequence number, R will use the new route, but will refrain from including the route in the reports it sends to its neighbors, anticipating that a better route will soon arrive. This works best when the hopcount cost metric is being used, because in this case the best route is likely to arrive first (as the news had to travel the fewest hops), and at the very least will arrive soon after the first route. However, if the network’s cost metric is unrelated to the hop count, then the time interval between 9.4 Loop-Free Distance Vector Algorithms 273

284 An Introduction to Computer Networks, Release 1.9.18 first-route and best-route arrivals can involve multiple update cycles, and can be substantial. 9.4.2 AODV AODV, or Ad-hoc On-demand Distance Vector routing, is another routing mechanism often proposed for MANETs, though it is suitable for some wired networks as well. Unlike DSDV, above, AODV messages circulate only if a link breaks, or when a node is looking for a route to some other node; this second case is the rationale for the “on-demand” in the name. For larger MANETs, this may result in a significant reduction in routing-management traffic. AODV is described in RFC 3561 . [PR99] and The “ad hoc” in the name was intended to suggest that the protocol is well-suited for mobile nodes forming 3.7.4 Access Points ). It is, but the protocol is also works well with infrastructure (those an ad hoc network ( with access points) Wi-Fi networks. RouteRequest AODV has three kinds of messages: or RREQ, for nodes that are looking for a path to a RouteReply RouteError or RERR for the reporting of broken destination, or RREP, as the response, and links. AODV performs reasonably well for MANETs in which the nodes are highly mobile, though it does assume all routing nodes are trustworthy. AODV is loop-free, due to the way it uses sequence numbers. However, it does not always find the shortest route right away, and may in fact not find the shortest route for an arbitrarily long interval. Each AODV node maintains a node sequence number and also a broadcast counter . Every routing message contains a sequence number for the destination, and every routing record kept by a node includes a field for the destination’s sequence number. Copies of a node’s sequence number held by other nodes may not be the most current; however, nodes always discard routes with an older (smaller) sequence number as soon as they hear about a route with a newer sequence number. AODV nodes also keep track of other nodes that are directly reachable; in the diagram below we will assume these are the nodes connected by a line. If node A wishes to find a route to node F, as in the diagram below, the first step is for A to increment RouteRequest . This message contains the addresses of A and F, A’s its sequence number and send out a just-incremented sequence number, the highest sequence number of any previous route to F that is known to A (if any), a hopcount field set initially to 1, and A’s broadcast counter. The end result should be a route from A to F, entered at each node along the path, and also a return route from F back to A. → B RREQ G A D RREQ → F C E The RouteRequest is sent initially to A’s direct neighbors, B and C in the diagram above, using UDP. We will assume for the moment that the RouteRequest reaches all the way to F before a RouteReply is generated. 274 9 Routing-Update Algorithms

285 An Introduction to Computer Networks, Release 1.9.18 This is always the case if the “destination only” flag is set, though if not then it is possible for an intermediate RouteReply . node to generate the must flood it (“broadcast” it) out all its interfaces to all its directly A node that receives a RouteRequest reachable neighbors, after incrementing the hopcount field. B therefore sends A’s message to C and D, and C sends it to B and E. For this example, we will assume that C is a bit slow sending the message to E. Each node receiving a RouteRequest must hang on to it for a short interval (typically 3 seconds). During this period, if it sees a duplicate of the RouteRequest , identified by having the same source and the same RouteRequest messages do not circulate broadcast counter, it discards it. This discard rule ensures that endlessly around loops; it may be compared to the reliable-flooding algorithm in 9.5 Link-State Routing- . Update Algorithm RouteRequest A node receiving a new also records (or updates) a routing-table entry for reaching the source RouteRequest of the . Unless there was a pre-existing newer route (that is, with larger sequence number), the entry is marked with the sequence number contained in the message, and with next_hop the neighbor from which the RouteRequest was received. This process ensures that, as part of each node’s processing of RouteRequest a message, it installs a return route back to the originator. We will suppose that the following happen in the order indicated: • B forwards the RouteRequest to D* • D forwards the RouteRequest to E and G • C forwards the RouteRequest to E • E forwards the to F RouteRequest Because E receives D’s copy of the RouteRequest first, it ignores C’s copy. This will mean that, at least initially, the return path will be longer than necessary. Variants of AODV (such as HWMP below) sometimes allow E to accept C’s message on the grounds that C has a shorter path back to A. This does mean that initial messages farther on in the network now have incorrect hopcount values, though these will be RouteRequest RouteRequest messages. corrected by later After the above messages have been received, each node has a path back to A as indicated by the blue arrows below: B G D A F C E F now increments its own sequence number and creates a RouteReply message; F then sends it to A by following the highlighted (unicast) arrows above, F Ñ E Ñ D Ñ B Ñ A. As each node on the path processes the message, it creates (or updates) its route to the final destination, F; the return route to A had been created earlier when the node processed the corresponding RouteRequest . 9.4 Loop-Free Distance Vector Algorithms 275

286 An Introduction to Computer Networks, Release 1.9.18 At this point, A and F can communicate bidirectionally. (Each is acknowledged to ensure RouteRequest bidirectionality of each individual link.) C Ñ D Ñ B Ñ A is longer than necessary; a shorter path is F Ñ E Ñ E Ñ A. The shorter path will be This F Ñ Ñ C Ñ A is a better path, though there is no mechanism to adopted if, at some future point, E learns that E seek out this route. RouteRequest If the “destination only” flag were not set, any intermediate node reached by the flooding could have answered with a route to F, if it had one. Such a node would generate the on its own, RouteReply without involving F. The sequence number of the intermediate node’s route to F must be greater than the sequence number in the message. RouteRequest If two neighboring nodes can no longer reach one another, each sends out a RouteError message, to in- validate the route. Nodes keep track of what routes pass through them, for just this purpose. One node’s message will reach the source and the other’s the destination, at which point the route is invalidated. In larger networks, it is standard for the originator of a to set the IPv4 header TTL value (or RouteRequest the IPv6 Hop_Limit) to a smallish value ( RFC 3561 recommends an intial value of 1) to limit the scope of the RequestRoute messages. If no answer is received, the originator tries again, with a slightly larger TTL value. In a large network, this reduces the volume of RouteRequest messages that have gone too far and therefore cannot be of use in finding a route. AODV cannot form even short-term loops. To show this, we start with the observation that whenever a destination,next_hop forwarding entry installed at a node, due either to a RouteRequest or to a RouteReply , x y RouteRequest or RouteReply the next_hop is always the node from which the was received, and therefore the destination sequence number cannot get smaller as we move from the original node to its next_hop. That is, as we follow any route to a destination, the destination sequence numbers are nondecreasing. It immediately follows that, for a routing loop, the destination sequence number is constant along the loop. This means that each node on the route must have heard of the route via the same RouteRequest RouteReply message, as or forwarded. The second observation, completing the argument, is that the hopcount field must strictly decrease as we travel along the route to the destination; the processing rules for RouteRequests and RouteReplies mean that each node installs a hopcount of one more than that of the neighboring node from which the route was received. This is impossible for a route that returns to the same node. 9.4.3 HWMP The Hybrid Wireless Mesh Protocol is based on AODV, and has been chosen for the IEEE 802.11s Wi- Fi mesh networking standard ( 3.7.4.4 Mesh Networks ). In the discussion here, we will assume HWMP is being used in a Wi-Fi network, though the protocol applies to any type of network. A set of nodes is designated as the routing (or forwarding) nodes; ordinary Wi-Fi stations may or may not be included here. HWMP replaces the hopcount metric used in AODV with an “airtime link metric” which decreases as the link throughput increases and as the link error rate decreases. This encourages the use of higher-quality wireless links. HWMP has two route-generating modes: an on-demand mode very similar to AODV, and a proactive mode used when there is at least one identified “root” node that connects to the Internet. In this case, the route-generating protocol determines a loop-free subset of the relevant routing links (that is, a spanning tree) by which each routing node can reach the root (or one of the roots). This tree-building process does 276 9 Routing-Update Algorithms

287 An Introduction to Computer Networks, Release 1.9.18 not attempt to find best paths between pairs of non-root nodes, though such nodes can use the on-demand mode as necessary. In the first, on-demand, mode, HWMP implements a change to classic AODV in that if a node receives message and then later receives a second RouteRequest message with the same sequence a RouteRequest number but a lower-cost route, then the second route replaces the first. In the proactive mode, the designated root node – typically the node with wired Internet access – periodically sends out specially marked messages. These are sent to the broadcast address, rather than to RouteRequest any specific destination, but otherwise propagate in the usual way. Routing nodes receiving two copies from two different neighbors pick the one with the shortest path. Once this process stabilizes, each routing node knows the best path to the root (or to root); the fact that each routing node chooses the best path a from among all RouteRequest messages received ensures eventual route optimality. Routing nodes that have RouteReply traffic to send can at any time generate a , which will immediately set up a reverse route from the root to the node in question. Finally, reversing each link to the root allows the root to send broadcast messages. HWMP has yet another mode: the root nodes can send out (RANN) messages. These let RootAnnounce other routing nodes know what the root is, but are not meant to result in the creation of routes to the root. 9.4.4 EIGRP EIGRP, or the Enhanced Interior Gateway Routing Protocol , is a once-proprietary Cisco distance-vector protocol that was released as an Internet Draft in February 2013. As with DSDV, it eliminates the risk of [JG93] . routing loops, even ephemeral ones. It is based on the “distributed update algorithm” (DUAL) of EIGRP is an actual protocol; we present here only the general algorithm. Our discussion follows [CH99] . Each router R keeps a list of neighbor routers N , as with any distance-vector algorithm. Each R also R maintains a data structure known (somewhat misleadingly) as its topology table . It contains, for each destination D and each N in N , an indication of whether N has reported the ability to reach D and, if so, the R of the link from R to N. Finally, reported cost c(D,N). The router also keeps, for each N in N , the cost c R N the forwarding-table entry for any destination can be marked “passive”, meaning safe to use, or “active”, meaning updates are in process and the route is temporarily unavailable. Initially, we expect that for each router R and each destination D, R’s next_hop to D in its forwarding table is the neighbor N for which the following total cost is a minimum: c(D,N) + c N Now suppose R receives a distance-vector report from neighbor N that it can reach D with cost c(D,N ). 1 1 This is processed in the usual distance-vector way, unless it represents an increased cost and N is R’s 1 next_hop to D; this is the third case in 9.1.1 Distance-Vector Update Rules . In this case, let C be R’s current cost to D, and let us say that neighbor N of R is a next_hop (feasible successor in Cisco’s feasible terminology) if N’s cost to D (that is, c(D,N)) is strictly less than C. R then updates its route to D to use the feasible neighbor N for which c(D,N) + c is a minimum. Note that this may not in fact be the shortest path; N it is possible that there is another neighbor M for which c(D,M)+c C. However, is smaller, but c(D,M) ě M because N’s path to D is loop-free, and because c(D,N) < C, this new path through N must also be loop-free; this is sometimes summarized by the statement “one cannot create a loop by adopting a shorter route”. If no neighbor N of R is feasible – which would be the case in the D—A—B example of 9.2 Distance-Vector Slow-Convergence Problem , then R invokes the “DUAL” algorithm. This is sometimes called a “diffusion” 9.4 Loop-Free Distance Vector Algorithms 277

288 An Introduction to Computer Networks, Release 1.9.18 algorithm as it invokes a diffusion-like spread of table changes proceeding away from R. ’s report. R marks destination D as Let C in this case denote the new cost from R to D as based on N 1 “active” (which suppresses forwarding to D) and sends a special query to each of its neighbors, in the form of a distance-vector report indicating that its cost to D has now increased to C. The algorithm terminates when all R’s neighbors reply back with their own distance-vector reports; at that point R marks its entry for D as “passive” again. Some neighbors may be able to process R’s report without further diffusion to other nodes, remain “passive”, and reply back to R immediately. However, other neighbors may, like R, now become “active” and continue the DUAL algorithm. In the process, R may receive other queries that elicit its distance-vector report; as long as R is “active” it will report its cost to D as C. We omit the argument that this process – and thus the network – must eventually converge. 9.5 Link-State Routing-Update Algorithm Link-state routing is an alternative to distance-vector. It is often – though certainly not always – considered to be the routing-update algorithm class of choice for networks that are “sufficiently large”, such as those of OSPF ISPs. There are two specific link-state protocols: the IETF’s Open Shortest Path First ( RFC 2328 ), , IS-IS and OSI’s Intermediate Systems to Intermediate Systems ( RFC 1142 ). , documented unofficially in In distance-vector routing, each node knows a bare minimum of network topology: it knows nothing about links beyond those to its immediate neighbors. In the link-state approach, each node keeps a maximum amount of network information: a full map of all nodes and all links. Routes are then computed locally from this map, using the shortest-path-first algorithm. The existence of this map allows, in theory, the calculation of different routes for different quality-of-service requirements. The map also allows calculation of a new route as soon as news of the failure of the existing route arrives; distance-vector protocols on the other hand must wait for news of a new route after an existing route fails. Link-state protocols distribute network map information through a modified form of broadcast of the status of each individual link. Whenever either side of a link notices the link has died (or if a node notices that link-state packets (LSPs) that “flood” the network. This a new link has become available), it sends out reliable flooding . In general, broadcast mechanisms are not compatible with broadcast process is called networks that have topological looping (that is, redundant paths); broadcast packets may circulate around the loop endlessly. Link-state protocols must be carefully designed to ensure that both every router sees every LSP, and also that no LSPs circulate repeatedly. (The acronym LSP is used by IS-IS; the preferred acronym used by OSPF is LSA, where A is for advertisement.) LSPs are sent immediately upon link-state changes, like triggered updates in distance-vector protocols except there is no “race” between “bad news” and “good news”. It is possible for ephemeral routing loops to exist; for example, if one router has received a LSP but another has not, they may have an inconsistent view of the network and thus route to one another. However, as soon as the LSP has reached all routers involved, the loop should vanish. There are no “race conditions”, as with distance-vector routing, that can lead to persistent routing loops. The link-state flooding algorithm avoids the usual problems of broadcast in the presence of loops by having each node keep a database of all LSP messages. The originator of each LSP includes its identity, information about the link that has changed status, and also a sequence number . Other routers need only keep in their databases the LSP packet with the largest sequence number; older LSPs can be discarded. When a router 278 9 Routing-Update Algorithms

289 An Introduction to Computer Networks, Release 1.9.18 receives a LSP, it first checks its database to see if that LSP is old, or is current but has been received before; in these cases, no further action is taken. If, however, an LSP arrives with a sequence number not seen before, then in typical broadcast fashion the LSP is retransmitted over all links except the arrival interface. As an example, consider the following arrangement of routers: E A B C D Suppose the A–E link status changes. A sends LSPs to C and B. Both these will forward the LSPs to D; suppose B’s arrives first. Then D will forward the LSP to C; the LSP traveling C Ñ D and the LSP traveling Ñ C might even cross on the wire. D will ignore the second LSP copy that it receives from C and C will D ignore the second copy it receives from D. It is important that LSP sequence numbers not wrap around. (Protocols that allow a numeric field to wrap do around usually have a clear-cut idea of the “active range” that can be used to conclude that the numbering has wrapped rather than restarted; this is harder to do in the link-state context.) OSPF uses lollipop sequence- 31 31 numbering and increment to 2 -1. At this point they wrap around here: sequence numbers begin at -2 back to 0. Thus, as long as a sequence number is less than zero, it is guaranteed unique; at the same time, 31 routing will not cease if more than 2 updates are needed. Other link-state implementations use 64-bit sequence numbers. Actual link-state implementations often give link-state records a maximum lifetime; entries must be period- ically renewed. 9.5.1 Shortest-Path-First Algorithm The next step is to compute routes from the network map, using the shortest-path-first (SPF) algorithm. This algorithm computes shortest paths from a given node, A in the example here, to all other nodes. Below is our example network; we are interested in the shortest paths from A to B, C and D. 3 A B 11 9 10 4 C D 2 Before starting the algorithm, we note the shortest path from A to D is A-B-C-D, which has cost 3+4+2=9. The algorithm builds the set R of all shortest-path routes iteratively. Initially, R contains only the 0-length route to the start node; one new destination and route is added to R at each stage of the iteration. At each 9.5 Link-State Routing-Update Algorithm 279

290 An Introduction to Computer Networks, Release 1.9.18 stage we have a node, representing the node most recently added to R . The initial current node is current our starting node, in this case, A. We will also maintain a set T , for tentative, of routes to other destinations. This is also initialized to empty. node and which do not At each stage, we find all nodes which are immediate neighbors of the current already have routes in the set . For each such node N, we calculate the cost of the route from the start node R node. We see if this is our first route to N, or if the route improves on current to N that goes through the any route to N already in ; if so, we add or update the route in T accordingly. Doing this, the routes will T be discovered in order of increasing (or nondecreasing) cost. , and move the route and destination node to T . At the end of this process, we choose the shortest path in R node. Ties can be resolved arbitrarily, current The destination node of this shortest path becomes the next but note that, as with distance-vector routing, we must choose the minimum or else the accurate-costs property will fail. We repeat this process until all nodes have routes in the set R . current = A and R = { x A,A,0 y }. The set T will be { x B,B,3 y , x C,C,10 For the example above, we start with , y x y }. The lowest-cost entry is x B,B,3 y , so we move that to R and continue with current = B. No path D,D,11 through C or D can possibly have lower cost. For the next stage, the neighbors of B without routes in are C and D; the routes from A to these through B R x C,B,7 y and x D,B,12 y . The former is an improvement on the existing T entry x C,C,10 y are and so replaces it; the latter is not an improvement over D,D,11 y . T is now { x x y , x D,D,11 y }. The lowest-cost route in C,B,7 T is that to C, so we move this node and route to R and set C to be current . Again, x y must be the shortest path to C. If any lower-cost path to C existed, then we would be selecting C,B,7 x C,B,7 path; see the proof below. that shorter path – or a prefix of it – at this point, instead of the y neighbor; the path from A to D via C has entry R D,B,9 y , an improve- For the next stage, D is the only non- x x D,D,11 y in T . The only entry in T is now ment over the existing D,B,9 y ; this has the lowest cost and thus x we move it to . R R We now have routes in to all nodes, and are done. Here is another example, again with links labeled with costs: 3 A B 2 8 1 D C We start with current = A. At the end of the first stage, x B,B,3 y is moved into R , T is { x D,D,12 y }, and , and then moves this to current C,B,5 y to T x R ; current then becomes C. The is B. The second stage adds third stage introduces the route (from A) x D,B,10 y ; this is an improvement over x D,D,12 y and so replaces it in ; at the end of the stage this route to D is moved to R . T In both the examples above, the current nodes progressed along a path, A Ñ B Ñ C Ñ D. This is not generally the case; here is a similar example but with different lengths in which current jumps from B to D: 280 9 Routing-Update Algorithms

291 An Introduction to Computer Networks, Release 1.9.18 3 A B 3 4 1 D C = { B,B,3 is moved into x , with T y x D,D,4 y }, and As in the previous example, at the end of the first stage R current . The second stage adds x C,B,6 y to T B becomes T is now x D,D,4 y , . However, the shortest path in and so it is D that becomes the next . The final stage replaces x C,B,6 y in T with x C,D,5 y current . At that point this route is added to R and the algorithm is completed. Proof that SPF paths are shortest : suppose, by contradiction, that, for some node, a shorter path exists than the one generated by SPF. Let A be the start node, and let U be the first node generated for which the SPF path is not shortest. Let T be the Tentative set and let R be the set of completed routes at the point when we choose U as current , and let d be the cost of the new P x A,. . . ,X,Y,. . . ,U y be the shorter path to U, with cost c

292 An Introduction to Computer Networks, Release 1.9.18 links. 9.6 Routing on Other Attributes There is sometimes a desire to route on packet attributes other than the destination, or the destination and QoS bits. For example, we might want to route packets based in part on the packet source, or on the TCP port number. This kind of routing is decidedly nonstandard, though it is often available, and often an important component of traffic engineering. This option is often known as , because packets are routed according to attributes spec- policy-based routing ( ified by local administrative policy. (This term should not be confused with BGP routing policy 10.6 Bor- ), which means something quite different.) der Gateway Protocol, BGP Policy-based routing is not used frequently, but one routing decision of this type can have far-reaching effects. If an ISP wishes to route customer voice traffic differently from customer data traffic, for example, it need only apply policy-based routing to classify traffic at the point of entry, and send the voice traffic to its own router. After that, ordinary routers on the voice path and on the separate data path can continue the forwarding without using policy-based methods. Sometimes policy-based routing is used to packets for special processing; this might mean different mark routing further downstream or it might mean being sent along the same path as the other traffic but with pref- 20.7 Differentiated Services erential treatment. For two packet-marking strategies, see 20.12 Multi- and Protocol Label Switching (MPLS) . On Linux systems policy-based routing is part of the Linux Advanced Routing facility, often grouped with some advanced queuing features known as Traffic Control; the combination is referred to as LARTC. As a simple example of what can be done, suppose a site has two links L1 and L2 to the Internet, with L1 the default route to the Internet. Perhaps L1 is faster and L2 serves more as a backup; perhaps L2 has been added to increase outbound capacity. A site may wish to route some outbound traffic via L2 for any of the following reasons: eg email) • the traffic may involve protocols deemed lower in priority ( • the traffic may be real-time traffic that can benefit from reduced competition on L2 • the traffic may come from lower-priority senders; some customers within the site may be relegated eg to using L2 because they are paying less • a few large-volume elephant flows may be offloaded from L1 to L2 In the first two cases, routing might be based on the destination port numbers; in the third, it might be based on the source IP address. In the fourth case, a site’s classification of its elephant flows may have accumulated over time. Note that nothing can be done in the direction unless L1 and L2 lead to the same ISP, and even inbound there any special routing would be at the discretion of that ISP. The trick with LARTC is to be compatible with existing routing-update protocols; this would be a problem if the kernel forwarding table simply added columns for other packet attributes that neighboring non-LARTC routers knew nothing about. Instead, the forwarding table is split up into multiple x dest, next_hop y (or x dest, 282 9 Routing-Update Algorithms

293 An Introduction to Computer Networks, Release 1.9.18 QoS, next_hop ) tables. One of these tables is the main table, and is the table that is updated by routing- y update protocols interacting with neighbors. Before a packet is forwarded, administratively supplied rules are consulted to determine which table to apply; these rules are allowed to consult other packet attributes. . routing policy database The collection of tables and rules is known as the As a simple example, in the situation above the main table would have an entry default, L1 y (more precisely, x it would have the IP address of the far end of the L1 link instead of L1 itself). There would also be another slow , with a single entry x default, L2 table, perhaps named . If a rule is created to have a packet routed y using the “slow” table, then that packet will be forwarded via L2. Here is one such Linux rule, applying to traffic from host 10.0.0.17: ip rule add 10.0.0.17 table slow from Now suppose we want to route traffic to port 25 (the SMTP port) via L2. This is harder; Linux provides no support here for routing based on port numbers. However, we can instead use the iptables mechanism to “mark” all packets destined for port 25, and then create a routing-policy rule to have such marked traffic use the slow table. The mark is known as the forwarding mark, or ; its value is 0 by default. The fwmark fwmark is not actually part of the packet; it is associated with the packet only while the latter remains within the kernel. iptables --table mangle --append PREROUTING \\ --protocol tcp --dest-port 25 --jump MARK --set-mark 1 ip rule add fwmark 1 table slow Consult the applicable man pages for further details. 7.1 The IPv4 The iptables mechanism can also be used to set the appropriate QoS bits – the IPv4 DS bits ( ) or the IPv6 Traffic Class bits ( 8.1 The IPv6 Header ) – so that a single standard IP forwarding table Header can be used, though support for the IPv4 QoS bits is limited. 9.7 ECMP Equal-Cost MultiPath routing, or ECMP, is a technique for combining two (or more) routes to a destina- tion into a single unit, so that traffic to that destination is distributed (not necessarily equally) among the routes. ECMP is supported by EIGRP ( 9.4.4 EIGRP ) and the link-state implementations OSPF and IS-IS ( 9.5 Link-State Routing-Update Algorithm ). At the Ethernet level, ECMP is supported in spirit (if not in name) by TRILL and SPB ( 2.7 TRILL and SPB ). It is also supported by BGP ( 10.6 Border Gateway Protocol, BGP ) for inter-AS routing. A simpler alternative to ECMP is channel bonding , also known as link aggregation , and often based on the IEEE 802.3ad standard. In channel bonding, two parallel Ethernet links are treated as a single unit. In many cases it is simpler and cheaper to bond two or three 1 Gbps Ethernet links than to upgrade everything to support 10 Gbps. Channel bonding applies, however, in limited circumstances; for example, the two channels must both be Ethernet, and must represent a single link. In the absence of channel bonding, equal-cost does not necessarily mean equal-propagation-delay. Even for two short parallel links, queuing delays on one link may mean that packet delivery order is not preserved. As TCP usually interprets out-of-order packet delivery as evidence of packet loss ( 13.3 TCP Tahoe and Fast 9.7 ECMP 283

294 An Introduction to Computer Networks, Release 1.9.18 Retransmit ), this can lead to large numbers of spurious retransmissions. For this reason, ECMP is usually configured to send all the packets of any one TCP connection over just one of the links (as determined by a hash function); some channel-bonding implementations do the same, in fact. A consequence is that ECMP configured this way must see many parallel TCP connections in order to utilize all participating paths reasonably equally. In special cases, however, it may be practical to configure ECMP to alternate between the paths on a per-packet basis, using round-robin transmission; this approach typically achieves much better load-balancing between the paths. In terms of routing-update protocols, ECMP can be viewed as allowing two (or more) next_hop values, each with the same cost, to be associated with the same destination. for an example of the use of software-defined networking to have multiple TCP See 18.9.4 multitrunk.py connections take different paths to the same destination, in a way similar to the ECMP approach. 9.8 Epilog At this point we have concluded the basics of IP routing, involving routing within large (relatively) homo- geneous organizations such as multi-site corporations or Internet Service Providers. Every router involved must agree to run the same protocol, and must agree to a uniform assignment of link costs. At the very largest scales, these requirements are impractical. The next chapter is devoted to this issue of very-large-scale IP routing, on the global Internet. eg 9.9 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise 2.5 is distinct, for example, from exercises 2.0 and 3.0. Exercises marked with a have solutions or hints ♢ at 24.8 Solutions for Routing-Update Algorithms . 1.0. Suppose the network is as follows, where distance-vector routing update is used. Each link has cost 1, and each router has entries in its forwarding table only for its immediate neighbors (so A’s table contains x B,B,1 y , x D,D,1 y and B’s table contains x A,A,1 y , x C,C,1 y ). 1 1 A C B 1 1 D E F 1 1 (a). Suppose each node creates a report from its initial configuration and sends that to each of its neighbors. What will each node’s forwarding table be after this set of exchanges? The exchanges, in other words, are all conducted simultaneously; each node first sends out its own report and then processes the reports arriving from its two neighbors. (b). What will each node’s table be after the simultaneous-and-parallel exchange process of part (a) is repeated a second time? 284 9 Routing-Update Algorithms

295 An Introduction to Computer Networks, Release 1.9.18 Hint: you do not have to go through each exchange in detail; the only information added by an exchange is reachability information. additional 2.0. Now suppose the configuration of routers has the link weights shown below. 3 4 A C B 12 2 D E F 1 1 (a). As in the previous exercise, give each node’s forwarding table after each node exchanges with its immediate neighbors simultaneously and in parallel. (b). How many iterations of such parallel exchanges will it take before C learns to reach F via B; that is, x before it creates the entry y ? Count the answer to part (a) as the first iteration. F,B,11 ♢ 2.5. A router R has the following distance-vector table: cost next hop destination A R1 2 B 3 R2 C 4 R1 D 5 R3 R now receives the following report from R1; the cost of the R–R1 link is 1. destination cost A 1 2 B 4 C D 3 Give R’s updated table after it processes R1’s report. For each entry that changes, give a brief explanation 3.0. A router R has the following distance-vector table: destination cost next hop A R1 5 B 6 R1 C 7 R2 D 8 R2 E 9 R3 9.9 Exercises 285

296 An Introduction to Computer Networks, Release 1.9.18 R now receives the following report from R1; the cost of the R–R1 link is 1. cost destination A 4 7 B C 7 D 6 E 8 F 8 Give R’s updated table after it processes R1’s report. For each entry that changes, give a brief explanation, in the style of 9.1.5 Example 4 . 9.1.4 Example 3 3.5. At the start of Example 3 ( ), we changed C’s routing table so that it reached D via A instead of via E: C’s entry D,E,2 y was changed to x D,A,2 y . This meant that C had a valid route to D at the x start. How might the scenario of Example 3 play out if C’s table had not been altered? Give a sequence of reports that leads to correct routing between D and E. 4.0. In the following exercise, A-D are routers and the attached subnets N1-N6, which are the ultimate destinations, are shown explicitly. In the case of N1 through N4, the links are the subnets. Routers still exchange distance-vector reports with neighboring routers, as usual. In the tables requested below, if a router has a direct connection to a subnet, you may report the next_hop as “direct”, eg , from A’s table, x N1,direct,0 y N1 N5 A B N3 N4 N6 D C N2 (a). Give the initial tables for A through D, before any distance-vector exchanges. (b). Give the tables after each router A-D exchanges with its immediate neighbors simultaneously and in parallel. (c). At the end of (b), what subnets are not known by what routers? 5.0. Suppose A, B, C, D and E are connected as follows. Each link has cost 1, and so each forwarding table is uniquely determined; B’s table is x A,A,1 y , x C,C,1 y , x D,A,2 y , x E,C,2 y . Distance-vector routing update is used. 286 9 Routing-Update Algorithms

297 An Introduction to Computer Networks, Release 1.9.18 B B 1 1 C A 1 1 1 E D x 8y . Now suppose the D–E link fails, and so D updates its entry for E to E,-, (a). Give A’s table after D reports x E, 8y to A (b). Give B’s table after A reports to B x (c). Give A’s table after B reports to A; note that B has an entry y E,C,2 (d). Give D’s table after A reports to D. 5.5. In the network below, A receives alternating reports about destination D from neighbors B and C. 9.1.1 Distance-Vector Update Rules , in which it updates its Suppose A uses a modified form of Rule 2 of or equal to c forwarding table whenever new cost c is less than . old B 1 1 A D 1 1 C Explain why A’s forwarding entry for destination D never stabilizes. 9.2.1.1 Split Horizon :, using distance-vector routing updates. B and C’s table 6.0. Consider the network in entries for destination D are shown. All link costs are 1. D,A,2 ⟨ ⟩ B 1 1 D A 1 1 D,A,2 ⟨ ⟩ C Suppose the D–A link breaks and then these update reports occur: • A reports x D, 8y to B (as before) • C reports D,2 y to B (as before) x • A now reports x D, 8y to C (instead of B reporting x D,3 y to A) 9.9 Exercises 287

298 An Introduction to Computer Networks, Release 1.9.18 (a). Give A, B and C’s forwarding-table records for destination D, including the cost, after these three reports. (b). What additional reports (a pair should suffice) will lead to the formation of the routing loop? (c). What (single) additional report will eliminate the possibility of the routing loop? is changed to the following. 9.2 Distance-Vector Slow-Convergence Problem 7.0. Suppose the network of Distance-vector update is used; again, the D–A link breaks. ⟩ ⟨ D,D,1 D,E,2 ⟩ ⟨ 1 1 D A B 1 1 E (a). Explain why B’s report back to A, after A reports D,-, 8y , is now valid. x (b). Explain why hold down ( ) will delay the use of the new route A–B–E–D. 9.2.1.3 Hold Down 8.0. Suppose the routers are A, B, C, D, E and F, and all link costs are 1. The distance-vector forwarding tables for A and F are below. Give the network with the fewest links that is consistent with these tables. Hint: any destination reached at cost 1 is directly connected; if X reaches Y via Z at cost 2, then Z and Y must be directly connected. A’s table cost next_hop dest 1 B B C 1 C D 2 C E 2 C 3 F B F’s table dest cost next_hop 3 A E B 2 D C 2 D D 1 D E E 1 9.0. (a) Suppose routers A and B somehow end up with respective forwarding-table entries x D,B,n y and x D,A,m y , thus creating a routing loop. Explain why the loop may be removed more quickly if A and B both use poison reverse with split horizon ( 9.2.1.1 Split Horizon ), versus if A and B use split horizon only. (b). Suppose the network looks like the following. The A–B link is extremely slow. 288 9 Routing-Update Algorithms

299 An Introduction to Computer Networks, Release 1.9.18 A slow C D B Suppose A and B send reports to each other advertising their routes to D, and immediately afterwards the C–D link breaks and C reports to A and B that D is unreachable. After those unreachability reports from C are processed, A and B’s reports sent to each other before the break finally arrive. Explain why the network is now in the state described in part (a). 10.0. Suppose the distance-vector algorithm is run on a network and no links break (so by the last paragraph 9.1.1 Distance-Vector Update Rules the next_hop-increase rule is never applied). of (a). Prove that whenever A is B’s next_hop to destination D, then A’s cost to D is strictly less than B’s. Hint: assume that if this claim is true, then it remains true after any application of the rules in . If the lower-cost rule is applied to B after receiving a report from A, 9.1.1 Distance-Vector Update Rules resulting in a change to B’s cost to D, then one needs to show A’s cost is less than B’s, and also B’s new cost is less than that of any neighbor C that uses B as its next_hop to D. (b). Use (a) to prove that no routing loops ever form. 11.0. It was mentioned in that link-state routing might give rise 9.5 Link-State Routing-Update Algorithm to an ephemeral routing loop. Give a concrete scenario illustrating creation (and then dissolution) of such a loop. 12.0. Use the Shortest-Path-First algorithm to find the shortest path from A to E in the network below. Show the sets R and T , and the node current , after each step. 5 D B 1 1 2 3 A C E 4 5 13.0. Suppose you take a laptop, plug it into an Ethernet LAN, and connect to the same LAN via Wi-Fi. From laptop to LAN there are now two routes. Which route will be preferred? How can you tell which way 7.9.5 ARP and traffic is flowing? How can you configure your OS to prefer one path or another? (See also multihomed hosts , 7 IP version 4 exercise 11.0, and 12 TCP Transport exercise 13.0.) 9.9 Exercises 289

300 An Introduction to Computer Networks, Release 1.9.18 290 9 Routing-Update Algorithms

301 10 LARGE-SCALE IP ROUTING In the previous chapter we considered two classes of routing-update algorithms: distance-vector and link- state. Each of these approaches requires that participating routers have agreed first to a common protocol, and then to a common understanding of how link costs are to be assigned. We will address this further 10.6 Border Gateway Protocol, BGP , but a basic problem is that if one site prefers the hop-count below in approach, assigning every link a cost of 1, while another site prefers to assign link costs in proportion to their bandwidth, then meaningful path cost comparisons between the two sites simply cannot be done. routing domain The term is used to refer to a set of routers under common administration, using a common link-cost assignment. Another term for this is autonomous system . While use of a common routing- update protocol within the routing domain is not an absolute requirement – for example, some subnets may internally use distance-vector while the site’s “backbone” routers use link-state – we can assume that all routers have a uniform view of the site’s topology and cost metrics. One of the things included in the term “large-scale” IP routing is the coordination of routing between mul- tiple routing domains. Even in the earliest Internet there were multiple routing domains, if for no other reason than that how to measure link costs was (and still is) too unsettled to set in stone. However, another component of large-scale routing is support for hierarchical routing, above the level of subnets; we turn to this next. 10.1 Classless Internet Domain Routing: CIDR CIDR is the mechanism for supporting hierarchical routing in the Internet backbone. Subnetting moves the network/host division line further rightwards; CIDR allows moving it to the left as well. With subnetting, the revised division line is visible only within the organization that owns the IP network address; subnetting is not visible outside. CIDR allows aggregation of IP address blocks in a way that visible to the Internet is backbone. When CIDR was introduced in 1993, the following were some of the justifications for it, all relating to the increasing size of the backbone IP forwarding tables, and expressed in terms of the then-current Class A/B/C mechanism: • The Internet is running out of Class B addresses (this happened in the mid-1990’s) • There are too many Class C’s (the most numerous) for backbone forwarding tables to be efficient • Eventually IANA (the Internet Assigned Numbers Authority) will run out of IP addresses (this hap- pened in 2011) Assigning non-CIDRed multiple Class C’s in lieu of a single Class B would have helped with the first point in the list above, but made the second point worse. Ironically, the current (2013) very tight market for IP address blocks is likely to lead to larger and larger backbone IP forwarding tables, as sites are forced to use multiple small address blocks instead of one large block. 291

302 An Introduction to Computer Networks, Release 1.9.18 By the year 2000, CIDR had essentially eliminated the Class A/B/C mechanism from the backbone Internet, and had more-or-less completely changed how backbone routing worked. You purchased an address block from a provider or some other IP address allocator, and it could be whatever size you needed, from /32 to /15. What CIDR enabled is IP routing based on an address prefix of any length; the Class A/B/C mechanism of course used fixed prefix lengths of 8, 16 and 24 bits. Furthermore, CIDR allows different routers, at different levels of the backbone, to route on prefixes of different lengths. If organization P were allocated a /10 block, suballocate into /20 blocks. At the top level, routing to P would likely be based for example, then P could on the first 10 bits, while routing within P would be based on the first 20 bits. CIDR was formally introduced by RFC 1519 . For a while there were strategies in place to RFC 1518 and support compatibility with non-CIDR-aware routers; these are now obsolete. In particular, it is no longer appropriate for large-scale routers to fall back on the Class A/B/C mechanism in the absence of CIDR information; if the latter is missing, the routing should fail. One way to look at the basic strategy of CIDR is as a mechanism to consolidate multiple network blocks going to the same destination into a single entry. Suppose a router has four class C’s all to the same destina- tion: 200.7.0.0/24 foo ÝÑ 200.7.1.0/24 ÝÑ foo 200.7.2.0/24 foo ÝÑ 200.7.3.0/24 ÝÑ foo The router can replace all these with the single entry 200.7.0.0/ 22 ÝÑ foo It does not matter here if foo represents a single ultimate destination or if it represents four sites that just happen to be routed to the same next_hop. It is worth looking closely at the arithmetic to see why the single entry uses /22. This means that the first 22 bits must match 200.7.0.0; this is all of the first and second bytes and the first six bits of the third byte. Let us look at the third byte of the network addresses above in binary: 200.7.000000 00.0/24 ÝÑ foo ÝÑ foo 200.7.000000 01.0/24 ÝÑ foo 200.7.000000 10.0/24 200.7.000000 11.0/24 ÝÑ foo The /24 means that the network addresses stop at the end of the third byte. The four entries above cover every possible combination of the last two bits of the third byte; for an address to match one of the entries above it suffices to begin 200.7 and then to have 0-bits as the first of the third byte. This is another six bits way of saying the address must match 200.7.0.0/22. Most implementations actually use a bitmask, eg 255.255.252.0, rather than the number 22. Note 252 is, in binary, 1111 1100, with 6 leading 1-bits, so 255.255.252.0 has 8+8+6=22 1-bits followed by 10 0-bits. The IP delivery algorithm of 7.5 The Classless IP Delivery Algorithm still works with CIDR, with the understanding that the router’s forwarding table can now have a network-prefix length associated with any entry. Given a destination D, we search the forwarding table for network-prefix destinations B/k until we 292 10 Large-Scale IP Routing

303 An Introduction to Computer Networks, Release 1.9.18 find a match; that is, equality of the first k bits. In terms of masks, given a destination D and a list of table x entries = x B[i],M[i] y , we search for i such that (D & M[i]) = B[i]. prefix,mask y But what about the possibility of multiple matches? For subnets, avoiding this was the responsibility of the subnetting site, but responsibility for avoiding this with CIDR is much too distributed to be declared illegal by IETF mandate. Instead, CIDR introduced the longest-match rule : if destination D matches both B /k 1 1 match is to be used. (Note that if D matches two /k /k , with k , then the longer match B < k and B 2 2 2 2 2 1 then either k and B /k distinct entries B < k /k or k < k ). 2 1 2 2 1 1 1 2 10.2 Hierarchical Routing Strictly speaking, CIDR is simply a mechanism for routing to IP address blocks of any prefix length; that is, for setting the network/host division point to an arbitrary place within the 32-bit IP address. However, by making this network/host division point variable , CIDR introduced support for routing on different prefix lengths at different places in the backbone routing infrastructure. For example, top-level routers might route on /8 or /9 prefixes, while intermediate routers might route based on prefixes of length 14. This feature of routing on fewer bits at one point in the Internet and more bits at another point is exactly . what is meant by hierarchical routing We earlier saw hierarchical routing in the context of subnets: traffic might first be routed to a class-B site etc 147.126.0.0/16, and then, within that site, to subnets such as 147.126.1.0/24, 147.126.2.0/24, . But with CIDR the hierarchy can be much more flexible: the top level of the hierarchy can be much larger than the “customer” level, lower levels need not be administratively controlled by the higher levels (as is the case with subnets), and more than two levels can be used. CIDR is an address-block-allocation ; it does not directly speak to the kinds of policy we might mechanism wish to implement with it. Here are four possible applications; the latter two involve hierarchical routing: • Application 1 (legacy): CIDR allows the allocation of multiple blocks of Class C, or fragments of a Class A, to a single customer, so as to require only a single forwarding-table entry for that customer • Application 2 (legacy): CIDR allows opportunistic aggregation of routes: a router that sees the four 200.7.x.0/24 routes above in its table may consolidate them into a single entry. • Application 3 (current): CIDR allows huge provider blocks, with suballocation by the provider. This is known as provider-based routing. • Application 4 (hypothetical): CIDR allows huge regional blocks, with suballocation within the re- gion, somewhat like the original scheme for US phone numbers with area codes. This is known as geographical routing. Each of these has the potential to achieve a considerable reduction in the size of the backbone forwarding tables, which is arguably the most important goal here. Each involves using CIDR to support the creation of arbitrary-sized address blocks and then routing to them as a single unit . For example, the Internet backbone might be much happier if all its routers simply had to maintain a single entry x 200.0.0.0/8, R1 y , versus 256 entries x 200.x.0.0/16, R1 y for every value of x. (As we will see below, this is still useful even if a few of the x’s have a different next_hop.) Secondary CIDR goals include bringing some order to IP address allocation and (for the last two items in the list above) enabling a routing hierarchy that mirrors the actual flow of most traffic. 10.2 Hierarchical Routing 293

304 An Introduction to Computer Networks, Release 1.9.18 Hierarchical routing does introduce one new wrinkle: the routes chosen may no longer be globally optimal, at least if we also apply the routing-update algorithms hierarchically. Suppose, for example, at the top level forwarding is based on the first eight bits of the address, and all traffic to 200.0.0.0/8 is routed to router R1. At the second level, R1 then routes traffic (hierarchically) to 200.20.0.0/16 via R2. A packet sent to 200.20.1.2 by an independent router R3 might therefore pass through R1, even if there were a lower- x Ñ cost path R3 . The top-level forwarding entry Ñ 200.0.0.0/8,R1 y , in other words, R4 R2 that bypassed R1 Ñ may represent a simplification of the real situation. Prohibiting “back-door” routes like R3 Ñ R2 is R4 impractical (and would not be helpful either); customers are independent entities. This non-optimal routing issue cannot happen if all routers agree upon one of the shortest-path mechanisms Ñ ; in that case R3 would learn of the lower-cost R3 Ñ of 9 Routing-Update Algorithms R2 path. But then R4 the potential hierarchical benefits of decreasing the size of forwarding tables would be lost. More seriously, complete global agreement of all routers on one common update protocol is simply not practical; in fact, one of the goals of hierarchical routing is to provide a workable alternative. We will return to this below in 10.4.3 Hierarchical Routing via Providers . 10.3 Legacy Routing Back in the days of NSFNet, the Internet backbone was a single routing domain. While most customers did not connect directly to the backbone, the intervening providers tended to be relatively compact, geograph- ically – that is, – and often had a single primary routing-exchange point with the backbone. IP regional addresses were allocated to subscribers directly by the IANA, and the backbone forwarding tables contained entries for every site, even the Class C’s. Because the NSFNet backbone and the regional providers did not necessarily share link-cost information, routes were even at this early point not necessarily globally optimal; compromises and approximations were made. However, in the NSFNet model routers generally did find a reasonable approximation to the shortest path to each site referenced by the backbone tables. While the legacy backbone routing domain was not all-encompassing, if there were differences between two routes, at least the backbone portions – the longest components – would be identical. 10.4 Provider-Based Routing In provider-based routing, large CIDR blocks are allocated to large-scale providers. The different providers each know how to route to one another. Subscribers (usually) obtain their IP addresses from within their within the provider’s providers’ blocks; thus, traffic from the outside is routed first to the provider, and then, routing domain, to the subscriber. We may even have a hierarchy of providers, so packets would be routed first to the large-scale provider, and eventually to the local provider. There may no longer be a central backbone; instead, multiple providers may each build parallel transcontinental networks. Here is a simpler example, in which providers have unique paths to one another. Suppose we have providers P0, P1 and P2, with customers as follows: • P0: customers A,B,C • P1: customers D,E • P2: customers F,G 294 10 Large-Scale IP Routing

305 An Introduction to Computer Networks, Release 1.9.18 We will also assume that each provider has an IP address block as follows: • P0: 200.0.0.0/8 • P1: 201.0.0.0/8 • P2: 202.0.0.0/8 Let us now allocate addresses to the customers: A: 200.0.0.0/16 B: 200.1.0.0/16 C: 200.2.16.0/20 (16 = 0001 0000) D: 201.0.0.0/16 E: 201.1.0.0/16 F: 202.0.0.0/16 G: 202.1.0.0/16 The routing model is that packets are first routed to the appropriate provider, and then to the customer. While this model may not in general guarantee the shortest end-to-end path, it does in this case because each provider has a single point of interconnection to the others. Here is the network diagram: P0 P1 P2 A B C D E F G With this diagram, P0’s forwarding table looks something like this: P0 destination next_hop 200.0.0.0/16 A 200.1.0.0/16 B 200.2.16.0/20 C 201.0.0.0/8 P1 202.0.0.0/8 P2 That is, P0’s table consists of 10.4 Provider-Based Routing 295

306 An Introduction to Computer Networks, Release 1.9.18 • one entry for each of P0’s own customers • one entry for each other provider If we had 1,000,000 customers divided equally among 100 providers, then each provider’s table would have only 10,099 entries: 10,000 for its own customers and 99 for the other providers. Without CIDR, each provider’s forwarding table would have 1,000,000 entries. CIDR enables hierarchical routing by allowing the routing decision to be made on different prefix lengths in different contexts. For example, when a packet is sent from D to A, P1 looks at the first 8 bits while P0 looks at the first 16 bits. Within customer A, routing might be made based on the first 24 bits. Even if we have some additional “secondary” links, that is, additional links that do not create alterna- relatively straightforward. Shown here are the private tive paths between providers, the routing remains customer-to-customer links C–D and E–F; these are likely used only by the customers they connect. Two multihomed customers, A and E, are ; that is, they have connections to alternative providers: A–P1 and E–P2. (The term “multihomed” is often applied to any host with multiple network interfaces on different LANs, which includes any router; here we mean more specifically that there are multiple network interfaces connecting to different providers.) outbound traffic, Typically, though, while A and E may use their alternative-provider links all they want for their respective traffic would still go through their primary providers P0 and P1 respectively. inbound P0 P1 P2 A B C D E F G 10.4.1 Internet Exchange Points The long links joining providers in these diagrams are somewhat misleading; providers do not always like sharing long links and the attendant problems of sharing responsibility for failures. Instead, providers of- P1 might actually be ten connect to one another at Internet eXchange Points or IXPs; the link P0 P0 IXP P1, where P0 owns the left-hand link and P1 the right-hand. IXPs can either be third-party sites open to all providers, or private exchange points. The term “Metropolitan Area Exchange”, or MAE, appears in the names of the IXPs MAE-East, originally near Washington DC, and MAE-West, originally in San Jose, California; each of these is now actually a set of IXPs. MAE in this context is now a trademark. 10.4.2 CIDR and Staying Out of Jail Suppose we want to change providers. One way we can do this is to accept a new IP-address block from the new provider, and change all our IP addresses. The paper Renumbering: Threat or Menace [LKCT96] was 296 10 Large-Scale IP Routing

307 An Introduction to Computer Networks, Release 1.9.18 frequently cited – at least in the early days of CIDR – as an intimation that such renumbering was inevitably keeping our IP address a Bad Thing. In principle, therefore, we would like to allow at least the option of allocation while changing providers. An address-allocation standard that did not allow changing of providers might even be a violation of the US Sherman Antitrust Act; see , 456 American Society of Mechanical Engineers v Hydrolevel Corporation US 556 (1982). The IETF thus had the added incentive of wanting to stay out of jail, when writing the CIDR standard so as to allow portability between providers (actually, antitrust violations usually involve civil penalties). longest-match rule turns out to be exactly what we (and the IETF) need. Suppose, in the diagrams The CIDR above, that customer C wants to move from P0 to P1, and does not want to renumber. What routing changes x 200.2.16.0/20, P1 need to be made? One solution is for P0 to add a route that routes all of C’s traffic to y P1; P1 will then forward that traffic on to C. P1’s table will be as follows, and P1 will use the longest-match rule to distinguish traffic for its new customer C from traffic bound for P0. P1 next_hop destination 200.0.0.0/8 P0 P2 202.0.0.0/8 D 201.0.0.0/16 201.1.0.0/16 E 200.2.16.0/20 C This does work, but all C’s inbound traffic except for that originating in P1 will now be routed through C’s ex-provider P0, which as an ex -provider may not be on the best of terms with C. Also, the routing is Ñ Ñ P1 instead of the more direct P2 Ñ P1. inefficient: C’s traffic from P2 is routed P2 P0 A better solution is for providers other than P1 to add the route x 200.2.16.0/20, P1 y . While traffic to all 200.0.0.0/8 otherwise goes to P0, this particular sub-block is instead routed by each provider to P1. The important case here is P2, as a stand-in for all other providers and their routers: P2 routes 200.0.0.0/8 traffic to P0 for the block 200.2.16.0/20, which goes to P1. except Having every other provider in the world need to add an entry for C has the potential to cost some money, and, one way or another, C will be the one to pay. But at least there is a choice: C can consent to renumbering (which is not difficult if they have been diligent in using DHCP and perhaps NAT too), or they can pay to keep their old address block. As for the second diagram above, with the various private links (shown as dashed lines), it is likely that the longest-match rule is not needed for these links to work. A’s “private” link to P1 might only mean that • A can send outbound traffic via P1 • P1 forwards A’s traffic to A via the private link P2, in other words, is still free to route to A via P0. P1 may not advertise its route to A to anyone else. 10.4 Provider-Based Routing 297

308 An Introduction to Computer Networks, Release 1.9.18 10.4.3 Hierarchical Routing via Providers With provider-based routing, the route taken may no longer be end-to-end optimal; we have replaced the problem of finding an optimal route from A to B with the two problems of finding an optimal route from A to B’s provider P, and then from P’s entry point to B. This strategy mirrors the two-stage hierarchical routing process of first routing on the address bits that identify the provider, and then routing on the address bits including the subscriber portion. This two-stage strategy may not yield the same result as finding the globally optimal route. The result will be the same if B’s customers can only be reached through P’s single entry-point router RP, which models the situation that P and its customers look like a single site. However, either or both of the following can disrupt this model: eg RP , with , RP and RP • There may be multiple entry-point routers into provider P’s network, 3 2 1 different costs from A. • P’s customer B may have an alternative connection to the outside world via a different provider, as in 10.4 Provider-Based Routing . the second diagram in Consider the following example representing the first situation (the more important one in practice), in which 10.4.1 In- providers P1 and P2 have three interconnection points IX1, IX2, IX3 (from Internet eXchange, ternet Exchange Points ). Links are labeled with costs; we assume that P1’s costs happen to be comparable with P2’s costs. A Provider P1 0 3 5 7 R1 R2 R1 R3 R R2 R3 0 IX3 1 1 1 IX2 IX1 0 0 4 3 8 S1 S2 S S3 0 Provider P2 B The globally shortest path between A and B is via the R2–IX2–S2 crossover, with total length 5+1+0+4=10. However, traffic from A to B will be routed by P1 to its closest crossover to P2, namely the R3–IX3–S3 link. The total path is 3+0+1+8+4=16. Traffic from B to A will be routed by P2 via the R1–IX1–S1 crossover, for a length of 3+0+1+7+5=16. This routing strategy is sometimes called hot-potato routing; each provider tries to get rid of any traffic (the potatoes) as quickly as possible, by routing to the closest exit point. . This can be inefficient , but the A ÝÑ B and B ÝÑ A paths are now asymmetric Not only are the paths taken a problem if forward and reverse timings are critical, or if one of P1 or P2 has significantly more bandwidth or less congestion than the other. In practice, however, route asymmetry is seldom important. As for the route inefficiency itself, this also is not necessarily a significant problem; the primary reason routing-update algorithms focus on the shortest path is to guarantee that all computed paths are loop-free. 298 10 Large-Scale IP Routing

309 An Introduction to Computer Networks, Release 1.9.18 As long as each half of a path is loop-free, and the halves do not intersect except at their common midpoint, these paths too will be loop-free. The BGP “MED” value ( 10.6.5.3 MULTI_EXIT_DISC ) offers an optional mechanism for P1 to agree that B traffic should take the r1–s1 crossover. This might be desired if P1’s network were “better” and ÝÑ A customer A was willing to pay extra to keep its traffic within P1’s network as long as possible. 10.4.4 IP Geolocation In principle, provider-based addressing may mean that consecutive IP addresses are scattered all over a continent. In practice, providers (even many mobile providers) do not do this; any given small address block – perhaps /24 – is used in a limited geographical area. Different blocks are used in different areas. A consequence of this is that it is possible in principle to determine, from a given IP address, the corresponding IP geolocation approximate geographical location; this is known as . Even satellite-Internet users can be geolocated, although sometimes only to within a couple hundred miles. Several companies have created detailed geolocation maps, identifying many locations roughly down to the zip code, and typically available as an online service. IP geolocation was originally developed so that advertisers could serve up regionally appropriate advertise- ments. It is, however, now used for a variety of purposes including identification of the closest CDN edge server ( 1.12.2 Content-Distribution Networks ), network security, compliance with national regulations, higher-level user tracking, and restricting the streaming of copyrighted content. 10.5 Geographical Routing The classical alternative to provider-based routing is geographical routing; the archetypal model for this is the telephone area code system. A call from anywhere in the US to Loyola University’s main switchboard, 773-274-3000, would traditionally be routed first to the 773 area code in Chicago. From there the call would can be used be routed to the north-side 274 exchange, and from there to subscriber 3000. A similar strategy for IP routing. Geographical addressing has some advantages. Figuring out a good route to a destination is usually straight- forward, and close to optimal in terms of the path physical distance. Changing providers never involves renumbering (though moving may). And approximate IP address geolocation (determining a host’s location from its IP address) is automatic. Geographical routing has some minor technical problems. First, routing may be inefficient between imme- diate neighbors A and B that happen to be split by a boundary for larger geographical areas; the path might go from A to the center of A’s region to the center of B’s region and then to B. Another problem is that some eg large corporations) are themselves geographically distributed; if efficiency is the goal, each larger sites ( office of such a site would need a separate IP address block appropriate for its physical location. But the real issue with geographical routing is apparently the business question of who carries the traffic. The provider-based model has a very natural answer to this: every link is owned by a specific provider. For geographical IP routing, my local provider might know at once from the prefix that a packet of mine is to be delivered from Chicago to San Francisco, but who will carry it there? My provider might have to enter into different traffic contracts for multiple different regions. If different local providers make different arrange- ments for long-haul packet delivery, the routing efficiency (at least in terms of table size) of geographical 10.5 Geographical Routing 299

310 An Introduction to Computer Networks, Release 1.9.18 routing is likely lost. Finally, there is no natural answer for who should own those long inter-region links. It may be useful to recall that the present area-code system was created when the US telephone system was an AT&T monopoly, and the question of who carried traffic did not exist. That said, the top five Regional Internet Registries represent geographical regions (usually continents), and that level. That is, the IANA handed out address blocks to the geograph- provider-based addressing is below ical RIRs, and the RIRs then allocated address blocks to providers. At the intercontinental level, geography does matter: some physical link paths are genuinely more expensive than other (shorter) paths. It is much easier to string terrestrial cable than undersea cable. However, within a continent physical distance does not always matter as much as might be supposed. Furthermore, a large geographically spread-out provider can always divide up its address blocks by region, allowing internal geographical routing to the correct region. Here is a diagram of IP address allocation as of 2006: http://xkcd.com/195. 10.6 Border Gateway Protocol, BGP In 9 Routing-Update Algorithms , we considered interior routing-update protocols: those in which all the routers involved are under common management. That management can then dictate the routing-update protocol to be used, and also the rules for assigning per-link costs. For both Distance-Vector and Link State methods, the per-link cost played an essential role: by trying to minimize the cost, we were assured that no routing loops would be present in a stable network ( 9.3 Observations on Minimizing Route Cost ). But now consider the problem of exterior routing; that is, of choosing among routes that pass through inde- pendent organizations. In the diagram below, suppose that A, B, C and D are each managed independently; it may be useful to think of A, B and C as three ISPs and D as some destination. B D A C Organization (or ISP) A has two routes to destination D – one via B and one via C – and must choose between them. If A wanted to use one of the interior routing-update protocols to choose its path to D, it would face several purely technical problems. First, what if B uses distance-vector while C speaks only in link-state LSP messages? Second, what if B measures its path costs using the hopcount metric, while C assigns costs based on bandwidth, or congestion, or pecuniary considerations? The mixing of unrelated metrics isn’t necessarily useless: all that is required for the shortest-path-is-loop- free result mentioned above is that the two ends of each link agree on the cost assigned to that link. But apples-and-oranges comparison of different metrics would completely undermine the intended use of those 300 10 Large-Scale IP Routing

311 An Introduction to Computer Networks, Release 1.9.18 metrics to influence the selection of which links should carry the most traffic. Sharing link-cost information without a common administrative policy to set those costs does not, in practical terms, make sense. But A also faces a larger issue: to reach D it must rely on having its traffic carried by an outsider – either B or C. Outsiders are likely not inclined to offer this service without some form of compensation, either monetary or through reciprocal exchange. If A reaches an understanding with B on this matter of traffic carriage, then A does not want its traffic routed via C . If A even if that latter route is of lower technical cost is paying B, it is going to expect to use B. If A is not paying C, C is going to expect that A not use C. The Border Gateway Protocol , or BGP, is assigned the job of handling exterior routing; that is, of handling exchange of routing information between neighboring independent organizations. The current version is BGP-4, documented in RFC 4271 . BGP’s primary goal is to provide support for what are sometimes called ; that is, for choos- routing policies ing routes based on or administrative input. We address this in 10.6.4 BGP Filtering and Rout- managerial . (Routing policies have nothing to do with the policy-based routing described in ing Policies 9.6 Routing on Other Attributes , in which different packets with the same destination address may be routed differently because a site has a “policy” to take packet attributes other than destination into account. With BGP, once a site’s policies to choose a route to a given destination are applied, all traffic to that destination takes that single route.) Ultimately, the administrative input used by BGP very likely relates to who is paying what for the traffic carried. It is also possible, though less common, to use BGP to implement other preferences, such as for domestic traffic to remain within national boundaries. The BGP term for a routing domain under coordinated administration, and using one consistent interior pro- Autonomous System tocol and link-cost metric throughout, is , or AS. That said, all that is strictly required is that all BGP routers within an AS have the same consistent view of routing, and in fact some Autonomous Systems do run multiple routing protocols and may even use different metrics at different points. As indi- not support the exchange of link-cost information between Autonomous Systems. cated above, BGP does BGP speakers : the routers that run BGP. Every non-leaf site (and some large leaf sites) has one or more If there is more than one, they must remain coordinated with one another so as to present a consistent view of the site’s connections and advertisements; this coordination process is sometimes called internal BGP to distinguish it from the communication with neighboring Autonomous Systems. The latter process is then known as external BGP . The BGP speakers of a site are often not the busy border routers that connect directly to the neighboring AS, though they are usually located near them and are often on the same subnet. Each interconnection point with a neighboring AS generally needs its own BGP speaker. Connections between BGP speakers of neighboring Autonomous Systems – sometimes called BGP peers – are generally configured administratively; they are not subject to a “neighbor discovery” process like that used by most interior routers. The BGP speakers must maintain a database of all routes received, not just of the routes actually used. However, the speakers exchange with neighbors only the routes they (and thus their AS) use themselves; this is a firm BGP rule. Many BGP implementations support Equal-Cost Multi-Path routing ( 9.7 ECMP ). The Internet Draft draft- lapukhov-bgp-ecmp-considerations-01 addresses this further. 10.6 Border Gateway Protocol, BGP 301

312 An Introduction to Computer Networks, Release 1.9.18 10.6.1 AS-paths At its most basic level, BGP involves the exchange of lists of reachable destinations, like distance-vector routing without the distance information. But that strategy, alone, cannot detect routing loops. BGP solves the loop problem by having routers exchange, not just destination information, but also the entire path used to reach each destination. Paths including each router would be cumbersome; instead, BGP abbreviates the AS-path . This allows routers to make sure their routes path to the list of AS’s traversed. This is called the do not traverse any AS more than once, and thus do not have loops. As an example of this, consider the network below, in which we consider Autonomous Systems also to be destinations. Initially, we will assume that each AS discovers its immediate neighbors. AS3 and AS5 will then each advertise to AS4 their routes to AS2, but AS4 will have no reason at this level to prefer one route to the other (BGP does use the shortest AS-path as part of its tie-breaking rule, but, before falling back on commercial preference for which of AS3 and AS5 it uses to reach AS2). that rule, AS4 is likely to have a AS1 AS2 AS3 AS5 AS4 Also, AS2 will advertise to AS3 its route to reach AS1; that advertisement will contain the AS-path AS2,AS1 x . Similarly, AS3 will advertise this route to AS4 and then AS4 will advertise it to AS5. y When AS5 in turn advertises this AS1-route to AS2, it has the potential to create a loop. It does not, however, because it will include the entire AS-path x AS5,AS4,AS3,AS2,AS1 y in the advertisement it sends to AS2. AS2 will know not to use this route because it will see that it is a member of the AS-path. Thus, BGP is spared the kind of slow-convergence problem that traditional distance-vector approaches were subject to. It is theoretically possible that the shortest path (in the sense, say, of the hopcount metric) from one host to another traverses some AS twice. If so, BGP will not allow this route. AS-paths potentially add considerably to the size of the AS database. The number of paths a site must keep track of is proportional to the number of AS’s, because there will be one AS-path to each destination AS. (Actually, an AS may have to record many times that many AS-paths, as an AS may hear of AS-paths that it elects not to use.) Typically there are several thousand AS’s in the world. Let A be the number of AS’s. Typically the average length of an AS-path is about log(A), although this depends on connectivity. The amount of memory required by BGP is C ˆ A ˆ log(A) + K ˆ N, where C and K are constants. administrative input to what, for interior routing, is largely a The other major goal of BGP is to allow technical calculation (though an interior-routing administrator can set link costs). BGP is the interface between ISPs (and between ISPs and their larger customers), and can be used to implement contractual agreements made regarding which ISPs will carry other ISPs’ traffic. If ISP2 tells ISP1 it has a route to destination D, but ISP1 chooses not to send traffic to ISP2, BGP can be used to implement this. Perhaps more likely, if ISP2 has a route to D but does not want ISP1 to use it until they pay for the privilege, BGP can be used to implement this as well. 302 10 Large-Scale IP Routing

313 An Introduction to Computer Networks, Release 1.9.18 Despite the exchange of AS-path information, temporary routing loops may still exist. This is because BGP may first decide to use a route and only then export the new AS-path; the AS on the other side may realize there is a problem as soon as the AS-path is received but by then the loop will have at least briefly been in . existence. See the first example below in 10.6.9 Examples of BGP Instability BGP’s predecessor was EGP, which guaranteed loop-free routes by allowing only a single route to any AS, thus forcing the Internet into a tree topology, at least at the level of Autonomous Systems. The AS graph could contain no cycles or alternative routes, and hence there could be no redundancy provided by alternative paths. EGP also thus avoided having to make decisions as to the preferred path; there was never more than one choice. EGP was sometimes described as a reachability protocol; its only concern was whether a given network was reachable. 10.6.2 AS-Paths and Route Aggregation There is some conflict between the goal of reporting precise AS-paths to each destination, and of consoli- dating as many address prefixes as possible into a single prefix (single CIDR block). Consider the following network: AS1 AS2 AS3 AS4 Suppose AS2 has paths x AS2 y , destination 200.0.0/23 path= x AS2,AS3 y , destination 200.0.2/24 path= path= x AS2,AS4 y , destination 200.0.3/24 If AS2 wants to optimize address-block aggregation using CIDR, it may prefer to aggregate the three des- tinations into the single block 200.0.0/22. In this case there would be two options for how AS2 reports its routes to AS1: • Option 1 : report 200.0.0/22 with path x y . But this ignores the AS’s AS3 and AS4! These AS2 are legitimately part of the AS-paths to some of the destinations within the block 200.0.0/22; loop detection could conceivably now fail. • Option 2 : report 200.0.0/22 with path x AS2,AS3,AS4 y , which is not a real path but which does include all the AS’s involved. This ensures that the loop-detection algorithm works, but artificially inflates the length of the AS-path, which is used for certain tie-breaking decisions. As neither of these options is desirable, the concept of the AS-set was introduced. A list of Autonomous Systems traversed in order now becomes an AS-sequence . In the example above, AS2 can thus report net 200.0.0/22 with • AS-sequence= x AS2 y • AS-set={AS3,AS4} AS2 thus both achieves the desired aggregation and also accurately reports the AS-path length. 10.6 Border Gateway Protocol, BGP 303

314 An Introduction to Computer Networks, Release 1.9.18 The AS-path can in general be an arbitrary list of AS-sequence and AS-set parts, but in cases of simple aggregation such as the example here, there will be one AS-sequence followed by one AS-set. RFC 6472 now recommends against using AS-sets entirely, and recommends that aggregation as above be avoided. 10.6.3 Transit Traffic It is helpful to distinguish between two kinds of traffic, as seen from a given AS. Local traffic is traffic that either originates or terminates at that AS; this is traffic that “belongs” to that AS. At leaf sites (that is, sites that connect only to their ISP and not to other sites), all traffic is local. The other kind of traffic is transit traffic; the AS is forwarding it along on behalf of some nonlocal party. For ISPs, most traffic is transit traffic. A large almost-leaf site might also carry a small amount of transit traffic for one particular related (but autonomous!) organization. The decision as to whether to carry transit traffic is a classic example of an administrative choice, im- plemented by BGP’s support for routing policies. Most real-world BGP configuration issues relate to the carriage (or non-carriage) of transit traffic. 10.6.4 BGP Filtering and Routing Policies routing policies ; that is, routing based on managerial As stated above, one of the goals of BGP is to support or administrative concerns in addition to technical ones. A BGP speaker may be aware of multiple routes to a destination. To choose the one route that we will use, it may combine a mixture of optimization rules and policy rules. Some examples of policy rules might be: • do not use AS13 as we have an adversarial relationship with them • do not allow transit traffic BGP implements policy through filtering rules – that is, rules that allow rejection of certain routes – at three different stages: 1. is applied to the lists of routes a BGP speaker receives from its neighbors. Import filtering Best-path selection is then applied as that BGP speaker chooses which of the routes accepted by the 2. first step it will actually use. 3. Export filtering is done to decide what routes from the previous step a BGP speaker will actually advertise. A BGP speaker can only advertise paths it uses, but does not have to advertise every such path. While there are standard default rules for all these (accept everything imported, use simple tie-breakers, export everything), a site will usually implement at least some through this filtering process ( eg policy rules “prefer routes through the ISP we have a contract with”). As an example of import filtering, a site might elect to ignore all routes from a particular neighbor, or to ignore all routes whose AS-path contains a particular AS, or to ignore temporarily all routes from a neighbor that has demonstrated too much recent “route instability” (that is, rapidly changing routes). Import filtering can also be done in the best-path-selection stage, by having the best-path-selection process ignore routes from selected neighbors. 304 10 Large-Scale IP Routing

315 An Introduction to Computer Networks, Release 1.9.18 BGP Breakdowns In the real world, it sometimes happens that a small regional ISP is misconfigured to attempt to report to some high-level provider that it can reach, say, every site in the world. Export filtering on the part of the small ISP and best-path selection and import filtering on the part of the large ISP usually – though not . always – catches this. Occasionally, such incidents represent malicious BGP hijacking The next stage is best-path selection , to pick the preferred routes from among all those just imported. The first step is to eliminate AS-paths with loops. Even if the neighbors have been diligent in not advertising paths with loops, an AS will still need to reject routes that contain itself in the associated AS-path. The next step in the best-path-selection stage, generally the most important in BGP configuration, is to local_preference , or weight, to each route received. An AS may have policies that add a certain assign a etc amount to the local_preference for routes that use a certain AS, . Very commonly, larger sites will have preferences based on contractual arrangements with particular neighbors. Provider AS’s, for example, will in general prefer routes learned from their customers, as these are “cheaper”. A smaller ISP that connects to two larger ones might be paying to route the majority of its outbound traffic through a particular one of the implement this choice. After BGP calculates the local_preference two; its local_preference values will then value for every route, the routes with the best local_preference are then selected. Domains are free to choose their local_preference rules however they wish. In principle this can involve rather strange criteria; for example, in 10.6.9 Examples of BGP Instability we will consider an example where AS1 prefers routes with AS-path x AS3,AS2 y to the strictly shorter path x AS2 y . That example, how- ever, demonstrates instability; domains are encouraged to set their rules in accordance with some standard principles, below, to avoid this. Local_preference values are communicated internally via the LOCAL_PREF path attribute, below. They are not shared with other Autonomous Systems. In the event of ties – two routes to the same destination with the same local_preference – a first tie-breaker rule is to prefer the route with the shorter AS-path. While this superficially resembles a shortest-path algorithm, the real work should have been done in administratively assigning local_preference values. The shorter-AS-path tie-breaker is perhaps best thought of as similar in spirit to the smaller-AS-number tie-breaker (although the sometimes-significant Multi-Exit-Discriminator tie-breaker, next, comes between them). The final significant step of the route-selection phase is to apply the Multi-Exit-Discriminator value, 10.6.5.3 MULTI_EXIT_DISC . A site may very well choose to ignore this value entirely. Finally we get to the trivial tie-breaker rules, though if a tie-breaker rule assigns significant traffic to one AS over another then it may have economic consequences and shouldn’t be considered “trivial”. If this situation is detected, it would probably be addressed in the local-preferences phase. The trivial tie-breakers take into account the internal routing cost, the numeric value of the AS number, and the numeric value of the neighbor’s IP address. After the best-path-selection stage is complete, the BGP speaker has now selected the routes it will use. The final stage is to decide what rules will be exported to which neighbors. Only routes the BGP speaker will use – that is, routes that have made it to this point – can be exported; a site cannot route to destination D through AS1 but export a route claiming D can be reached through AS2. 10.6 Border Gateway Protocol, BGP 305

316 An Introduction to Computer Networks, Release 1.9.18 It is at the export-filtering stage that an AS can enforce no-transit rules. If it does not wish to carry transit traffic to destination D, it will not advertise D to any of its AS-neighbors. The export stage can lead to anomalies. Suppose, for example, that AS1 reaches D and AS5 via AS2, and announces this to AS4. AS2 AS4 AS1 AS5 D AS3 Later, we imagine, AS1 switches to reaching D via AS3, but is to announce to AS4 forbidden by policy any routes with AS-path containing AS3; such a policy is straightforward to implement via export filtering. Then AS1 must simply withdraw the announcement to AS4 that it could reach D at all, even though the route to D via AS2 is still there. 10.6.5 BGP Path attributes BGP supports the inclusion of various path attributes when exchanging routing information. Attributes exchanged with neighbors can be transitive or non-transitive ; the difference is that if a neighbor AS does not recognize a received path attribute then it should pass it along anyway if it is marked transitive, but not local , that is, internal to the AS of origin. Other flags are used otherwise. Some path attributes are entirely to indicate whether recognition of a path attribute is required or optional, and whether recognition can be partial or must be complete. The AS-path itself is perhaps the most fundamental path attribute. Here are a few other common attributes: 10.6.5.1 NEXT_HOP This mandatory external attribute allows BGP speaker B1 of AS1 to inform its BGP peer B2 of AS2 what actual router to use to reach a given destination. If B1, B2 and AS1’s actual border router R1 are all on the same subnet, B1 will include R1’s IP address as its NEXT_HOP attribute. If B1 is not on the same subnet as B2, it may not know R1’s IP address; in this case it may include its own IP address as the NEXT_HOP attribute. Routers on AS2’s side will then look up the “immediate next hop” they would use as the first step to reach B1, and forward traffic there. This should either be R1 or should lead to R1, which will then route the traffic properly ( not necessarily on to B1). 306 10 Large-Scale IP Routing

317 An Introduction to Computer Networks, Release 1.9.18 Rest of AS1 B1 R1 B2 AS1 AS2 AS border 10.6.5.2 LOCAL_PREF If one BGP speaker in an AS has been configured with local_preference values, used in the best-path- selection phase above, it uses the LOCAL_PREF path attribute to share those preferences with all other BGP speakers at a site. In other words, once one BGP speaker has determined the local_preference value of a given route, the LOCAL_PREF attribute is used to distribute that value uniformly throughout the AS. 10.6.5.3 MULTI_EXIT_DISC The Multi-Exit Discriminator, or MED , attribute allows one AS to learn something of the internal structure of another AS, should it elect to do so . Using the MED information provided by a neighbor has the potential to cause an AS to incur higher costs, as it may end up carrying traffic for longer distances internally; MED values received from a neighboring AS are therefore only recognized when there is an explicit administrative decision to do so. Specifically, if an autonomous system AS1 has multiple links to neighbor AS2, then AS1 can, when adver- tising an internal destination D to AS2, have each of its BGP speakers provide associated MED values so that AS2 can know which link AS1 would prefer that AS2 use to reach D. This allows AS2 to route traffic to D so that it is carried primarily by AS2 rather than by AS1. The alternative is for AS2 to use only the closest gateway to AS1, which means traffic is likely carried primarily by AS1. MED values are considered late in the best-path-selection process; in this sense the use of MED values is a tie-breaker when two routes have the same local_preference. As an example, consider the following network (from 10.4.3 Hierarchical Routing via Providers , with providers now replaced by Autonomous Systems); the numeric values on links are their relative costs. We will assume that each site has three BGP speakers co-located at the exchange points IX1, IX2 and IX3. 10.6 Border Gateway Protocol, BGP 307

318 An Introduction to Computer Networks, Release 1.9.18 A AS1 0 3 5 7 R1 R2 R1 R3 R R2 R3 0 IX3 1 1 1 IX2 IX1 0 0 4 3 8 S1 S2 S S3 0 AS 2 B In the absence of the MED, AS1 will send traffic from A to B via the R3–IX3–S3 link, and AS2 will return the traffic via S1–IX1–R1. These are the links that are closest to R and S, respectively, representing AS1 and AS2’s desire to hand off the outbound traffic as quickly as possible. However, AS1’s BGP speakers at IX1, IX2 and IX3 can provide MED values to AS2 when advertising destination A, indicating a preference for AS2 AS1 traffic to use the rightmost link: Ñ • IX1: destination A has MED 200 • IX2: destination A has MED 150 • IX3: destination A has MED 100 If this is done, and AS2 abides by this information, then AS2 will route traffic from B to A via IX3; that is, via the exchange point with the lowest MED value. Note the importance of fact that AS2 is allowed to ignore the MED; use of it may shift costs from AS1 to AS2! The relative order of the MED values for R1 and R2 is irrelevant, unless the IX3 exchange becomes disabled, in which case the numeric MED values above would mean that AS2 should then prefer IX2 for reaching A. We cannot use MED values to cause A–B traffic to take the path through IX2; that path has minimal cost only in the global sense, and the only way to achieve global cost minimization is for the two AS’s to agree to use a common distance metric and a common metric-based routing algorithm, in effect becoming one AS. While AS1 does provide different numeric MED values for the three exchange points, they are used only in ranking precedence, not as numeric measures of cost (though they are sometimes derived from that). In the example above, importing and using MED values raises AS2’s costs, by causing it to route AS2- to-AS1 traffic so that it stays for a longer path within AS2’s network. This is, in fact, almost always the case when using MED values. Why, then, would AS2 agree to this? One simple reason might be that AS2 and AS1 have, together, negotiated this arrangement; perhaps AS1 gives AS2 a break on interconnection (“peering”) fees in exchange for AS2’s accepting and using AS1’s MED data. It is also possible that AS2’s use of AS1’s MED data may improve the quality of service AS2 can offer to its customers; we will return to an example of this in 10.6.6.1 MED values and traffic engineering . Also in the example above, the MED values are used to decide between multiple routes to the same desti- nation that all pass through the same AS, namely AS1. Some BGP implementations allow the use of MED values to decide between different routes through different neighbor AS’s. The different neighbors must all 308 10 Large-Scale IP Routing

319 An Introduction to Computer Networks, Release 1.9.18 have the same local_preference values. For example, AS2 might connect to AS3 and AS4 and receive the following BGP information: • AS3: destination A has MED 200 • AS4: destination A has MED 100 Assuming AS2 assigns the same local_preference to AS3 and AS4, it might be configured to use these MED always-compare-med values as the tie-breaker, and thus routing traffic to A via AS3. On Cisco routers, the command is used to create this behavior. MED values are not intended to be used to communicate routing preferences to non-neighboring AS’s. Additional information on the use of MED values can be found in RFC 4451 . 10.6.5.4 COMMUNITY Routes can have multiple tags corresponding to member- This is simply a tag to attach to routes. ship in multiple communities. Some communities are defined globally; for example, NO_EXPORT and NO_ADVERTISE. A route marked with one of these two communities will not be shared further. Other communities may be relevant only to a particular AS. The importance of communities is that they allow one AS to place some of its routes into specific categories when advertising them to another AS; the categories must have been created and recognized by the receiving AS. The receiving AS is not obligated to honor the community memberships, of course, but doing so has the effect of allowing the original AS to “configure itself” without involving the receiving AS in the pro- cess. Communities are often used, for example, by (large) customers of an ISP to request specific routing treatment. A customer would have to find out from the provider what communities the provider defines, and what their numeric codes are. At that point the customer can place itself into the provider’s community at will. Here are some of the community values once supported by a no-longer-extant ISP that we shall call AS1. The full community value would have included AS1’s AS-number. value action 90 set local_preference used by AS1 to 90 100 set local_preference used by AS1 to 100, the default 105 set local_preference used by AS1 to 105 110 set local_preference used by AS1 to 110 990 the route will not leave AS1’s domain; equivalent to NO_EXPORT 991 route will only be exported to AS1’s other customers 10.6.6 BGP and Traffic Engineering BGP is the mechanism for inter-autonomous-system traffic engineering. The first-line tools are import and export filtering and best-path selection. For autonomous systems with multiple interconnection points, the Multi-Exit Discriminator above also may play a large role. 10.6 Border Gateway Protocol, BGP 309

320 An Introduction to Computer Networks, Release 1.9.18 After establishing basic connectivity, perhaps the most important decision a site makes via its BGP config- transit traffic . As a first example of this, let us consider the case of uration is whether or not it will accept configuring a private link, such as the dashed link1 below between “friendly” but unaffiliated sites A and B (link1 can be either a shared “real” link or a short “jumper” link within an Internet exchange point): A ISP1 The Internet link1 ISP2 B Suppose A exports its link1 route to B to its provider ISP1. Then ISP1 may in turn announce this route to the Internet at large, and so some or all of B’s inbound traffic may be routed through ISP1 (paid by A) and through A itself. Similarly, B may end up paying to carry A’s traffic if B exports its link1 route to A to ISP2. Economically, carrying someone else’s transit traffic not desirable unless you are compensated for it. The might primary issue here is the use of the ISP1–A link by B and the ISP2–B link by A; use of the shared link1 be a secondary issue depending on the relative bandwidths and A and B’s understandings of appropriate uses for link1. no-transit and backup Two common options A and B might agree to regarding link1 are . For the no-transit option, A and B simply do not export the route to their respective ISPs at all. This is done via export filtering. If ISP1 does not know A can reach B, it will not send any of B’s traffic to A. For the backup option, the intent is that traffic to A will normally arrive via ISP1, but if the ISP1 link is down then A’s traffic will be allowed to travel through ISP2 and B. To achieve this, A and B can export their link1- route to each other, but arrange for ISP1 and ISP2 respectively to assign this route a low local_preference its value. As long as ISP1 hears of a route to B from upstream provider, it will reach B that way, and will not advertise the existence of the link1 route to B; ditto ISP2. However, if the ISP2 route to B fails, then A’s upstream provider will stop advertising any route to B, and so ISP1 will begin to use the link1 route to B and begin advertising it to the Internet. The link1 route will be the primary route to B until ISP2’s service is restored. A and B must convince their respective ISPs to assign the link1 route a low local_preference; they cannot mandate this directly. However, if their ISPs recognize community attributes that, as above, allow customers to influence their local_preference value, then A and B can use this to create the desired local_preference. To use the shared link for backup outbound traffic, A and B will need a way to send through one another if their own ISP link is down. If A detects that its ISP link is down, it can simply change its default route to eg to 0.0.0.0/0) to be a point to B. One way to automate this is for A and B to view their default-route path ( concrete destination within BGP. ISP1 advertises this to A, using BGP, but so does B, and A has configured its import rules so B’s route to 0.0.0.0/0 has a higher cost. Then A will route to 0.0.0.0/0 through ISP1 – that is, will use ISP1 as its default route – as long as it is available, and will switch to B when it is not. A and B might also wish to use their shared private link for load balancing , but for this BGP offers limited help. If ISP1 and ISP2 both export routes to A, then A has lost all control over how other sites will prefer one to the other. A may be able to make one path artificially appear more expensive, perhaps by duplicating one of the ISPs in the AS-path. A might then be able to keep tweaking this cost until the inbound loads are 310 10 Large-Scale IP Routing

321 An Introduction to Computer Networks, Release 1.9.18 comparable, but there is no guarantee (or even likelihood) this will be stable. Outbound load-balancing is up to A and B’s respective internal routers. Providers in the business of carrying transit traffic must also make decisions about exactly whose traffic they will carry; these decisions are again implemented with BGP. In the diagram below, two transit-providing Autonomous Systems B and C connect to individual sites (or regional ISPs) A and D. Transit B IXP1 A IXP2 D Transit C In the diagram above, the left and right interconnections are shown taking place at Internet exchange points IXP1 and IXP2 ( ). IXPs are typically where such interconnections take 10.4.1 Internet Exchange Points place but are not required; the essential topology is simply this: Transit B A D Transit C B would like to make sure C does not attempt to save on its long-haul transit costs by forwarding A ÝÑ D traffic over to B at IXP1, and D ÝÑ A traffic over to B at IXP2. B avoids this problem by not advertising to C that it can reach A and D, and similarly with C. Transit providers are quite careful about not advertising reachability to any other AS for whom they do not intend to provide transit service, because to do so is likely to mean getting stuck with that traffic. If B advertises to A that it can reach D, then A may accept that route, and send all its D-bound traffic via B, with C not involved at all. B is not likely to do this unless A pays for the privilege. If B and C both advertise to A that they can reach D, then A has a choice, which it will make via its best-path-selection rules. But in such a case A will want to be sure that it does not end up paying full price to both B and C to carry its traffic while using only one of them. Site A might, for example, agree to payment based on the actual volume of carried traffic, meaning that if it prefers B’s route then it will pay only B. It is quite possible that B advertises to A that it can reach D, but does not advertise to D that it can reach A. As we have seen, B advertises to A that it can reach D only if A has paid for this privilege; perhaps D prefers to do business with C rather than with B. In that case, A-to-D traffic would travel via B, while D-to-A traffic would travel via C. In the unlikely event that B and C both advertise to one another at IXP1 their route to D, a routing loop may even be created. B might forward D-bound traffic to C while C forwards it back to B. But in that case B would state, in its next BGP advertisement to C at IXP1, that it reaches D via an AS-path that begins with C, and C would do similarly. B and C would then see themselves in the AS-paths they receive and would stop using these routes. 10.6 Border Gateway Protocol, BGP 311

322 An Introduction to Computer Networks, Release 1.9.18 10.6.6.1 MED values and traffic engineering Let us now address why an AS would bother with importing and using MED values, given that doing so will almost always increase the site’s cost. Consider the following diagram of autonomous systems AS1 and AS2, with link costs shown: DC AS1 0 2 12 R1 R1 R2 R 0 1 IX2 1 IX1 0 3 3 4 4 S1 S S2 S3 S4 0 AS 2 A Site DC in the diagram above is a datacenter that wants its user – at site A – to experience high-performance downloads. Perhaps DC delivers high-performance streaming video, and needs to minimize both congestion and packet losses. In order to achieve this superior quality, it builds a particularly robust network R1–R–R2, shown above as AS1. A first step is to have AS1 connect (or peer) directly to customer networks such as AS2, rather than relying on the Internet backbone. Two such interconnection points are shown above, IX1 and IX2. At this point, traffic from A to DC will take IX1 (on the shortest path from A to AS1), and so will travel most of the way in AS1. This is good, but traffic from A to DC is probably mostly acknowledgments; these are unlikely to benefit from the special network. The actual data , sent from DC to A, will take IX2, because that is AS1’s shortest path to reach AS2. The data will thus travel most of the way in AS2, bypassing AS1’s high-performance network. This is not what DC wants. However, the picture changes if AS1 agrees to accept MED information from AS2 (and other providers). If AS2 tells AS1 that AS2’s preferred link for reaching A is via IX1, then traffic from DC to A will travel through R1 to IX1, and from there onto A. This keeps DC’s outbound traffic in the AS1 network as long as possible, instead of handing it off to the other network of lower quality. This is what DC wants; this is why DC built the high-performance network. Rather than building its own high-performance network, DC might simply contract with an existing high- performance network. That would make AS1’s business model the following: • peering with as many potential customer networks as possible • importing and using the MED information from those networks • advertising to potential customers like DC that their network will give DC’s users a better experience 312 10 Large-Scale IP Routing

323 An Introduction to Computer Networks, Release 1.9.18 10.6.7 BGP and Anycast 7.8.4 DNS and CDNs we discussed how some CDNs use DNS tricks to arrange for user traffic to be In : using the same IP address for all the delivered to the closest edge server. Another CDN option is anycast edge servers, and arranging for routers to deliver to the closest server. IPv6 routers can be configured to have some awareness of anycast delivery, but in IPv4 this must be done more passively, using BGP. To implement the anycast approach, the CDN uses the same IP address block at each of its datacenter locations. Each customer has a server at each CDN datacenter, and each of these servers is assigned the same IP address. It is up to the CDN to make sure that the content made available at each server is identical. At each of its locations, the CDN then announces this address block to its local BGP neighbors. Reachability information for the address block then propagates, via BGP, throughout the Internet. An AS connected to a single CDN datacenter will route the CDN’s address block to that datacenter. If AS1 hears about the CDN from neighbors AS2 and AS3, then AS1 will apply its usual best-path-selection process to determine whether to route the CDN’s block via AS2 or AS3. Ultimately, every AS on the Internet will deploy exactly one route to the CDN. Each such route will lead to one of the CDN’s datacenters, but different ASes may deploy routes to different datacenters. One advantage to the anycast approach, over the DNS approach, is that users who use a geographically distant DNS resolver will not pay a penalty. Another is that the BGP best-path-selection process is likely to produce better routes in general than a process based solely on geographical distance; for example, ASes may choose best paths based on available bandwidth rather than distance. In IP routing, geography is not destiny. It may at first seem odd to have multiple servers with the same public IP address, given that such config- uration within an organization usually represents a dire error. However, none of the CDN’s data centers will use these addresses to talk to one another; the CDN will arrange for the use of other IP addresses for inter-datacenter traffic. 10.6.8 BGP Relationships Arbitrarily complex policies may be created through BGP, and, as we shall see in the following section, convergence to a stable set of routes is not guaranteed. Nonconvergence does not mean distance-vector’s “slow convergence to infinity”, but rather a regular oscillation of routes among competing alternatives. It turns out, however, that if some constraints are applied to the different AS-to-AS relationships, then better [LG01] analyzed BGP networks in which each AS-to-AS relationship fit behavior is obtained. The paper one of the following three business patterns, discussed further below: 1. Customer to provider (the most common pattern) 2. Peer to peer ( eg two top-level providers mutually exchanging traffic) 3. Sibling to sibling (for very close AS-to-AS relationships) A major consequence these relationships is the extent to which the autonomous systems involved accept one another’s “non-customer” routes (below), and hence the extent to which they provide each other with transit services. We start with the most basic case, that of customer and provider. If autonomous systems C and P have a customer-to-provider relationship, with C as the customer and P as the provider, then C is paying P to carry some or all of its traffic to the “outside world”. P may not 10.6 Border Gateway Protocol, BGP 313

324 An Introduction to Computer Networks, Release 1.9.18 1 . C may also have its own carry all such traffic, because C may also be a customer of another provider P 1 : sub-customers, such as C P P  C C  In offering itself as a provider, P will export all the routes it has, from all sources, to C, in effect telling C “this is what I can reach”. If C has no other providers it might accept these routes in the form of a single 1 then it might accept some routes from P and default-route entry pointing to P; if C has another provider P 1 some from P . 1 Similarly, C will always export its own routes to P. If C has customers of its own, such as C , then it will also export those routes to P. Collectively, we will say that C’s own routes and the routes of its own customers and sub-customers are its . customer routes non -customer routes, eg But what about does not routes learned from other providers? These C generally 1 export. If C were to export to P a route to destination D that it learned from second provider P , then C might 1 , this is probably . As a customer end up providing transport service to P, carrying P’s D-bound traffic to P not what C intends. To summarize, a provider export its non-customer routes to its customer, but a customer generally does export its non-customer routes to its providers. This rule is not, in the world of real business does not relationships, absolute; AS’s may negotiate all sorts of special arrangements. A nominal customer might, for example, agree to provide transit service for some set of destinations, in exchange for a lower-priced rate for the handling of its other traffic. Nonetheless, the rule is largely accurate, and provides a helpful starting 10.6.8.1 BGP No-Valley Theorem , we point to understanding customer-provider relationships. Below, in definition of customer-provider relationships. will in effect use this rule as a Now let us consider a peer-to-peer relationship, which is a connection between two transit providers that have agreed to exchange all their customer traffic with each other; thus carrying transit traffic for one another. Often the idea is for the interconnection to be seen as equally valuable by both parties ( eg because the parties exchange comparable volumes of traffic); in such a case the relationship would likely be “settlement-free”, that is, involving no monetary exchange. If, however, the volume flow is significantly asymmetric then compensation can certainly be negotiated, making the relationship more like customer-to-provider. As with customers and providers, two peers P1 and P2 each export all their customer routes to the other; that way, P2 knows it how to reach P1’s customers and vice-versa. By doing this, P1 and P2 each carry transit traffic for their own customers. Peers do not , however, generally export their non-customer routes, in either direction. If P1 learns of a route to destination D from another peer (or provider) P3, it does not export this to P2. If it were to do so, then P1 would carry non-customer transit traffic from P2 to P3. Instead, P2 is expected also to peer with P3, and learn of P3’s route to D that way. Alternatively, P3 can become a customer of P1, and thus pay for P1’s transit carriage of P3’s traffic. The so-called tier-1 providers are those that are not customers of anyone; these represent the top-level 314 10 Large-Scale IP Routing

325 An Introduction to Computer Networks, Release 1.9.18 “backbone” providers. Each tier-1 AS must, as a rule, peer with every other tier-1 AS, though AS’s are free to negotiate exceptions. Finally, some autonomous system relationships that do not fit the customer-to-provider or peer-to-peer pat- . Siblings are ISPs that have a close relationship; often terns can be characterized as sibling-to-sibling siblings are AS’s that, due to mergers, are now part of the same organization. Siblings may also be nominal 10.6.6 competitors who intend to use their mutual link as a cooperative backup, as in BGP and Traffic Engineering . Two siblings may or may not have the same upstream ISP as provider. Siblings typically export everything to one another – both customer and non-customer routes – and thus do potentially use their connection for transit traffic in both directions (although they may rank routes through one another at low preference, so as to use the shared link only when nothing else is available). We can summarize the three kinds of relationships in terms of how they export non-customer routes: • in peer-to-peer relationships, non-customer routes are not exported in either direction. • in customer-to-provider relationships, non-customer routes are exported only from the provider to the customer. • in sibling-to-sibling relationships, non-customer routes are exported in both directions. It is possible to make at least some inferences about BGP relationships from sites’ actual export information, though accuracy is imperfect because sites may negotiate non-standard arrangements; see [LG01] . In the real world, BGP sibling relationships are relatively rare, probably because they do not really fit the model of traffic carriage as a service. This may be fortunate, as sibling relationships, with universal and bidirectional route export, tend to introduce the greatest complexity. The non-convergence examples of 10.6.9 Examples of BGP Instability all require sibling relationships. One problematic sibling case is the following, in which P1 and P2 are providers for C1 and C2, respectively, and C1 and C2 are siblings: P1 P2 siblings C1 C1 C2 Suppose P1 exports to C1 a route to destination D. C1 then exports it to sibling C2. If C2 treats this as a customer route, it will export it to P2, in which case C1 and C2 are now providing transit service to traffic from P2 bound for D. Sibling relationships can be tamed considerably, however, if we adopt a requirement that collections of linked siblings act as a unit, keeping track of the original non-sibling source (that is, customer, provider or 1 sibling family if there peer) of each route. Let us say that autonomous systems S and S are in the same 1 ď so that S=S n, are , S , i =S . . . S , and each consecutive S and S is a chain of autonomous systems S n n i 0 i-1 0 siblings. We can then define the following property: Selective Export Property : A sibling family satisfies this property if, whenever one member of the family learns of a route from a provider (respectively peer or customer) then all other members of the family treat the route as a provider (respectively peer or customer) route when deciding whether to export. 10.6 Border Gateway Protocol, BGP 315

326 An Introduction to Computer Networks, Release 1.9.18 In other words, in the situation diagrammed above, in which C1 has learned of a route to D from its provider P1, C2 will also treat this route as a non-customer route and will not export it to P2. In the real world, BGP relationships may not fit any of the above three categories, or else there may be many sibling relationships for which the selective-export property fails. However, quite often these relationships do hold to a useful degree. We can also specialize the relationships to a particular set of destinations, or even to an individual destina- tion; for example, autonomous systems C and P might be said to have a customer-to-provider relationship for destination D if C learned its route to D from a non-customer, does not export this route to P, and P does export to C its own route to D. BGP certainly allows for complicated variations: if a regional provider is a customer of a large transit backbone, then the backbone might only announce routes listed in transit agreement (rather than all routes, as above). There is a supposition here that the regional provider has multiple connections, and has contracted with that particular transit backbone only for certain routes. But we can fit this into the classification above either by restricting attention to the set of routes listed in the agreement, or by declaring that in principle the transit provider exports all routes, but the regional customer doesn’t import the ones it hasn’t paid for. 10.6.8.1 BGP No-Valley Theorem A consequence of adherence to the above classification and attendant export rules is the no-valley theorem of [LG01] : Suppose every pair of adjacent AS’s has a relationship described by the customer-provider, peer- to-peer or sibling rules above (now taken to be of these three relationships). In addition, every definitions sibling family abides by the selective-export property. Let A=A be an autonomous system that has received 0 y A : in this AS-path, there is at most one peer-to- ,A Then a route to destination D with AS-path . x ,. . . ,A n 2 1 peer link. Links to the left of the peer-to-peer link (that is, closer to A) are either customer Ñ provider links or sibling Ñ sibling links; that is, they are non-downwards. To the right of the peer-to-peer link, there are only provider Ñ Ñ sibling links; that is, these are non-upwards. If there is no peer-to-peer customer or sibling link, then we can still divide the AS-path into a non-downwards first part and a non-upwards second part. Intuitively, autonomous systems on the right (non-upwards) part of the path export the route to D as a customer route. Autonomous systems on the left (non-downwards) part of the path export the route from provider to customer. The no-valley theorem can be seen as an illustration of the power of the restrictions built into the customer- to-provider and peer-to-peer export rules. We give an informal argument for the case in which the AS-path has no peer-to-peer link. First, note that BGP rules mean that each autonomous system AS in the path has received the route to D from neighbor i AS . with AS-path x A y ,. . . ,A n i+1 i+1 If the no-valley theorem were to fail, then somewhere along the AS-path in order of increasing i we would have a downward link followed by, eventually, an upward link. Choose the largest i for which this arrange- ment appears, and let k be the position of the first subsequent upward link, so that to A • A is provider-to-customer i+1 i • A to A is sibling-to-sibling for i

327 An Introduction to Computer Networks, Release 1.9.18 Then the route to D was acquired by A from its provider A , and so is a provider route. The set k-1 k {A } is a sibling family, and so by the selective-export rule A ,. . . ,A also treats this route to D as i+1 k-1 i+1 a provider route. It therefore cannot export this non-customer route to different provider A , a contradiction. i For the case with a peer-to-peer edge, see exercise 12.0. If the hypotheses of the no-valley theorem hold only for routes involving a particular destination or set of destinations, then the theorem is still true for those routes. The hypotheses of the no-valley theorem are not quite sufficient to guarantee convergence of the BGP system to a stable set of routes. To ensure convergence in the case without sibling relationships, it is shown in [GR01] that the following simple local_preference rule suffices: If AS1 gets two routes r1 and r2 to a destination D, and the first AS of the r1 route is a customer of AS1, and the first AS of r2 is not, then r1 will be assigned a higher local_preference value than r2. More complex rules exist that allow for cases when the local_preference values can be equal; one such rule states that strict inequality is only required when r2 is a provider route. Other straightforward rules handle the case of sibling relationships, eg by requiring that siblings have local_preference rules consistent with the use of their shared connection only for backup. As a practical matter, whether or not actual BGP relationships are consistent with the rules above, arrange- ments resulting in actual BGP instability appear rare on the Internet. 10.6.9 Examples of BGP Instability not followed? It turns out that BGP allows What if the “normal” rules regarding BGP preferences are genuinely unstable situations to occur; this is a consequence of allowing each AS a completely independent hand in selecting preference functions. Here are two simple examples, from [GR01] . Example 1 : A stable state exists, but convergence to it is not guaranteed. Consider the following network arrangement: AS1 AS0 D AS2 We assume AS1 prefers AS-paths to destination D in the following order: AS2,AS0 , x AS0 y x y x That is, y is preferred to the direct path x AS0 y (one way to express this preference might be AS2,AS0 “prefer routes for which the AS-PATH begins with AS2”; perhaps the AS1–AS0 link is more expensive). Similarly, we assume AS2 prefers paths to D in the order x AS1,AS0 y , x AS0 y . Both AS1 and AS2 start out using path AS0 y ; they advertise this to each other. As each receives the other’s advertisement, they apply x their preference order and therefore each switches to routing D’s traffic to the other; that is, AS1 switches to the route with AS-path x AS2,AS0 y and AS2 switches to x AS1,AS0 y . This, of course, causes a routing 10.6 Border Gateway Protocol, BGP 317

328 An Introduction to Computer Networks, Release 1.9.18 loop! However, as soon as they export these paths to one another, they will detect the loop in the AS-path x and reject the new route, and so both will switch back to as soon as they announce to each other the AS0 y change in what they use. x y at the This oscillation may continue indefinitely, as long as both AS1 and AS2 switch away from AS0 AS2,AS0 y while AS2 continues to use x AS0 same moment. If, however, AS1 switches to , then AS2 is x y “stuck” and the situation is stable. In practice, therefore, eventual convergence to a stable state is likely. AS1 and AS2 might choose not to export their D-route to each other to avoid this instability. Because they do export this route to one another, they are siblings in the sense of the previous section. Example 2 : No stable state exists. This example is from [VGE00] . Assume that the destination D is attached to AS0, and that AS0 in turn connects to AS1, AS2 and AS3 as in the following diagram: AS1 AS0 D AS3 AS2 AS1-AS3 each have a direct route to AS0, but we assume each prefers the AS-path that takes their clockwise x AS3,AS0 y to x AS0 y ; AS3 prefers x AS2,AS0 y neighbor; that is, AS1 prefers x AS0 y , and AS2 prefers to x AS1,AS0 y to x AS0 y . This is a peculiar, but legal, example of input filtering. Suppose all initially adopt AS-path x AS0 y , and advertise this, and AS1 is the first to look at the incoming advertisements. AS1 switches to the route x y , and announces this to AS2 and AS3. AS3,AS0 x y ; if AS2 switches to AS1 then its path would be At this point, AS2 sees that AS1 uses AS3,AS0 AS1,AS3,AS0 y rather than x AS1,AS0 x and so it does not make the switch. y But AS3 does switch: it prefers x AS2,AS0 y and this is still available. Once it makes this switch, and advertises it, AS1 sees that the route it had been using, x AS3,AS0 y , has become x AS3,AS1,AS0 y . At this point AS1 switches back to x y . AS0 x Now AS2 can switch to using y , and does so. After that, AS3 finds it is now using x AS2,AS1,AS0 y AS1,AS0 and it switches back to x AS0 y . This allows AS1 to switch to the longer route, and then AS2 switches back to the direct route, and then AS3 gets the longer route, then AS2 again, , forever rotating clockwise. etc Because each of AS1, AS2 and AS3 export their route to D to both their neighbors, they must all be siblings of one another. 10.7 Epilog CIDR was a deceptively simple idea. At first glance it is a straightforward extension of the subnet concept, moving the net/host division point to the left as well as to the right. But it has ushered in true hierarchical routing, most often provider-based. While CIDR was originally offered as a solution to some early crises in IPv4 address-space allocation, it has been adopted into the core of IPv6 routing as well. 318 10 Large-Scale IP Routing

329 An Introduction to Computer Networks, Release 1.9.18 Interior routing – using either distance-vector or link-state protocols – is neat and mathematical. Exterior routing with BGP is messy and arbitrary. Perhaps the most surprising thing about BGP is that the Internet works as well as it does, given the complexity of provider interconnections. The business side of routing almost never has an impact on ordinary users. To an extent, BGP works well because providers volun- tarily limit the complexity of their filtering preferences, but that seems to be largely because the business relationships of real-world ISPs do not seem to require complex filtering. 10.8 Exercises Exercises are given fractional (floating point) numbers, to allow for interpolation of new exercises. Exercise ♢ have solutions or hints 5.5 is distinct, for example, from exercises 5.0 and 6.0. Exercises marked with a at 24.9 Solutions for Large-Scale IP Routing . 0.5. Consider the following IP forwarding table that uses CIDR. ♢ destination next_hop A 200.0.0.0/8 200.64.0.0/10 B C 200.64.0.0/12 200.64.0.0/16 D For each of the following IP addresses, indicate to what destination it is forwarded. 64 is 0x40, or 0100 0000 in binary. (i) 200.63.1.1 (ii) 200.80.1.1 (iii) 200.72.1.1 (iv) 200.64.1.1 hexadecimal here, 1.0. Consider the following IP forwarding table that uses CIDR. IP address bytes are in so each hex digit corresponds to four address bits. This makes prefixes such as /12 and /20 align with hex-digit boundaries. As a reminder of the hexadecimal numbering, “:” is used as the separator rather than “.” destination next_hop 81:30:0:0/12 A 81:3c:0:0/16 B 81:3c:50:0/20 C 81:40:0:0/12 D 81:44:0:0/14 E For each of the following IP addresses, give the next_hop for each entry in the table above that it matches. If there are multiple matches, use the longest-match rule to identify where the packet would be forwarded. (i) 81:3b:15:49 (ii) 81:3c:56:14 10.8 Exercises 319

330 An Introduction to Computer Networks, Release 1.9.18 (iii) 81:3c:85:2e (iv) 81:4a:35:29 (v) 81:47:21:97 (vi) 81:43:01:c0 2.0. Consider the following IP forwarding table, using CIDR. As in exercise 1, IP address bytes are in hexadecimal , and “:” is used as the separator as a reminder. destination next_hop 00:0:0:0/2 A B 40:0:0:0/2 C 80:0:0:0/2 D c0:0:0:0/2 (a). To what next_hop would each of the following be routed? 63:b1:82:15, 9e:00:15:01, de:ad:be:ef (b). Explain why every IP address is routed somewhere, even though there is no default entry. Hint: convert the first bytes to binary. 3.0. Give an IPv4 forwarding table – using CIDR – that will route all Class A addresses (first bit 0) to next_hop A, all Class B addresses (first two bits 10) to next_hop B, and all Class C addresses (first three bits 110) to next_hop C. 4.0. Suppose a router using CIDR has the following entries. Address bytes are in decimal except for the third byte, which is in binary . destination next_hop A 37.149.0000 0000.0/18 37.149.0100 0000.0/18 A A 37.149.1000 0000.0/18 37.149.1100 0000.0/18 B If the next_hop for the last entry were also A, we could consolidate these four into a single entry 37.149.0.0/ 16 Ñ A. But with the final next_hop as B, how could these four be consolidated into two entries? You will need to assume the longest-match rule. 5.0. Suppose P, Q and R are ISPs with respective CIDR address blocks (with bytes in decimal) 51.0.0.0/8, 52.0.0.0/8 and 53.0.0.0/8. P then has customers A and B, to which it assigns address blocks as follows: A: 51.10.0.0/16 B: 51.23.0.0/16 Q has customers C and D and assigns them address blocks as follows: C: 52.14.0.0/16 D: 52.15.0.0/16 320 10 Large-Scale IP Routing

331 An Introduction to Computer Networks, Release 1.9.18 (a). Give forwarding tables for P, Q and R assuming they connect to each other and to each of their own ♢ customers. (b). Now suppose A switches from provider P to provider Q, and takes its address block with it. Give the changes to the forwarding tables for P, Q and R; the longest-match rule will be needed to resolve conflicts. 5.5 Let P, Q and R be the ISPs of exercise 5.0. This time, suppose customer C switches from provider Q to provider R. R will now have a new entry 52.14.0.0/16 Ñ C. Give the changes to the forwarding tables of P and Q. 6.0. Suppose P, Q and R are ISPs as in exercise 5.0. This time, P and R do not connect directly; they route traffic to one another via Q. In addition, customer B is multihomed and has a secondary connection to provider R; customer D is also multihomed and has a secondary connection to provider P. R and P use these secondary connections to send to B and D respectively; however, these secondary connections are not advertised to other providers. Give forwarding tables for P, Q and R. 7.0. Consider the following network of providers P-S, all using BGP. The providers are the horizontal lines; each provider is its own AS. Provider P Provider Q Provider R net NQ net NR net NS Provider S ♢ What routes to network NS will P receive, assuming each provider exports all its routes to its (a). neighbors without filtering? For each route, list the AS-path. (b). What routes to network NQ will P receive? For each route, list the AS-path. (c). Suppose R now uses export filtering so as not to advertise any of its routes to P, though it does continue to advertise its routes to S. What routes to network NR will P receive, with AS-paths? 8.0. Consider the following network of Autonomous Systems AS1 through AS6, which double as destina- tions. When AS1 advertises itself to AS2, for example, the AS-path it provides is x AS1 y . AS1 AS3 AS2 : : : AS4 AS5 AS6 10.8 Exercises 321

332 An Introduction to Computer Networks, Release 1.9.18 (a). If neither AS3 nor AS6 exports their AS3–AS6 link to their neighbors AS2 and AS5 to the left, what routes will AS2 receive to reach AS5? Specify routes by AS-path. (b). What routes will AS2 receive to reach AS6? (c). Suppose AS3 exports to AS2 its link to AS6, but AS6 continues not to export the AS3–AS6 link to AS5. How will AS5 now reach AS3? How will AS2 now reach AS6? Assume that there are no local preferences in use in BGP best-path selection, and that the shortest AS-path wins. 9.0. Suppose that Internet routing in the US used geographical routing, and the first 12 bits of every IP address represent a geographical area similar in size to a telephone area code. Megacorp gets the prefix 12.34.0.0/16, based geographically in Chicago, and allocates subnets from this prefix to its offices in all 50 states. Megacorp routes all its internal traffic over its own network. (a). Assuming all Megacorp traffic must enter and exit in Chicago, what is the route of traffic to and from the San Diego office to a client also in San Diego? (b). Now suppose each office has its own link to a local ISP, but still uses its 12.34.0.0/16 IP addresses. Now what is the route of traffic between the San Diego office and its neighbor? eg (c). Suppose Megacorp gives up and gets a separate geographical prefix for each office, 12.35.1.0/24 for San Diego and 12.37.3.0/24 for Boston. How must it configure its internal IP forwarding tables to ensure that its internal traffic is still routed entirely over its own network? 10.0. Suppose we try to use BGP’s strategy of exchanging destinations plus paths as an interior routing- update strategy, perhaps replacing distance-vector routing. No costs or hop-counts are used, but routers attach to each destination a list of the routers used to reach that destination. Routers can also have route preferences, such as “prefer my link to B whenever possible”. (a). Consider the network of : 9.2 Distance-Vector Slow-Convergence Problem D A B The D–A link breaks, and B offers A what it thinks is its own route to D. Explain how exchanging path information prevents a routing loop here. (b). Suppose the network is as below, and initially each router knows about itself and its immediately adjacent neighbors. What sequence of router announcements can lead to A reaching F via B D Ñ E A Ñ Ñ C Ñ F, and what individual router preferences would be necessary? (Initially, for example, Ñ A would reach B directly; what preference might make it prefer A Ñ D Ñ E Ñ B?) A B C D E F 322 10 Large-Scale IP Routing

333 An Introduction to Computer Networks, Release 1.9.18 (c). Explain why this method is equivalent to using the hopcount metric with either distance-vector or link-state routing, if routers are not allowed to have preferences and if the router-path length is used as a tie-breaker. 11.0. In the following AS-path from AS0 to AS4, with customers lower than providers, how far can a customer route of AS0 be exported towards AS4? How far can a customer route of AS4 be exported towards AS0? AS1 / \ / \ / AS2--peer--AS3 / \ AS0 AS4 12.0. Complete the proof of the no-valley theorem of 10.6.8 BGP Relationships to include peer-to-peer links. (a). Show that the existing argument also works if the A -to-A link was peer-to-peer rather than provider- i+1 i to-customer, establishing that an upwards link cannot appear to the right of a peer-to-peer link. (b). Show that the existing argument works if the A -to-A link was peer-to-peer rather than customer-to- k k-1 provider, establishing that a downwards link cannot appear to the left of a peer-to-peer link. (c). Show that there cannot be two peer-to-peer links. 10.8 Exercises 323

334 An Introduction to Computer Networks, Release 1.9.18 324 10 Large-Scale IP Routing

335 11 UDP TRANSPORT The standard transport protocols riding above the IP layer are and UDP . As we saw in Chapter 1, UDP TCP x host,port pairs. TCP provides a much provides simple datagram delivery to remote sockets, that is, to y . In this chapter, connected richer functionality for sending data, but requires that the remote socket first be we start with the much-simpler UDP, including the UDP-based Trivial File Transfer Protocol. We also review some fundamental issues any transport protocol must address, such as lost final packets and packets arriving late enough to be subject to misinterpretation upon arrival. These fundamental issues will be equally applicable to TCP connections. 11.1 User Datagram Protocol – UDP refers to UDP as “almost a null protocol”; while that is something of a harsh assessment, UDP RFC 1122 port numbers and a checksum . The is indeed fairly basic. The two features it adds beyond the IP layer are UDP header consists of the following: 0 16 32 Destination Port Source Port Length Data Checksum The port numbers are what makes UDP into a real transport protocol: with them, an application can now connect to an individual server process (that is, the process “owning” the port number in question), rather than simply to a host. UDP is , in that there is no UDP-layer attempt at timeouts, acknowledgment and retransmission; unreliable x host,port y applications written for UDP must implement these. As with TCP, a UDP pair is known as a socket (though UDP ports are considered a separate namespace from TCP ports). UDP is also unconnected , or stateless; if an application has opened a port on a host, any other host on the Internet may deliver packets to that x host,port y socket without preliminary negotiation. An old bit of Internet humor about UDP’s unreliability has it that if I send you a UDP joke, you might not get it . UDP packets use the 16-bit Internet checksum ( 5.4 Error Detection ) on the data. While it is seldom done today, the checksum can be disabled and the field set to the all-0-bits value, which never occurs as an actual ones-complement sum. The UDP checksum covers the UDP header, the UDP data and also a “pseudo-IP header” that includes the source and destination IP addresses. If a NAT router rewrites an IP address or port, the UDP checksum must be updated. UDP packets can be dropped due to queue overflows either at an intervening router or at the receiving host. When the latter happens, it means that packets are arriving faster than the receiver can process them. Higher- 325

336 An Introduction to Computer Networks, Release 1.9.18 level protocols that define ACK packets ( UDP-based RPC, below) typically include some form of flow eg to prevent this. control UDP is popular for “local” transport, confined to one LAN. In this setting it is common to use UDP as the , or RPC, protocol. The conceptual idea behind RPC is that transport basis for a Remote Procedure Call one host invokes a procedure on another host; the parameters and the return value are transported back and ; for forth by UDP. We will consider RPC in greater detail below, in 11.5 Remote Procedure Call (RPC) now, the point of UDP is that on a local LAN we can fall back on rather simple mechanisms for timeout and retransmission. UDP is well-suited for “request-reply” semantics beyond RPC; one can use TCP to send a message and get a reply, but there is the additional overhead of setting up and tearing down a connection. DNS uses UDP, largely for this reason. However, if there is any chance that a sequence of request-reply operations will be performed in short order then TCP may be worth the overhead. UDP is also popular for real-time transport; the issue here is head-of-line blocking. If a TCP packet is host lost, then the receiving queues any later data until the lost data is retransmitted successfully, which can take several RTTs; there is no option for the receiving application to request different behavior. UDP, on the other hand, gives the receiving application the freedom simply to ignore lost packets. This approach is very successful for voice and video, which are in that small losses simply degrade the received loss-tolerant signal slightly, but delay-intolerant in that packets arriving too late for playback might as well not have arrived at all. Similarly, in a computer game a lost position update is moot after any subsequent update. Loss tolerance is the reason the Real-time Transport Protocol , or RTP, is built on top of UDP rather than TCP. It is common for VoIP telephone calls to use RTP and UDP. See also the NoTCP Manifesto. There is a dark side to UDP: it is sometimes the protocol of choice in flooding attacks on the Internet, as it is easy to send UDP packets with spoofed source address. See the Internet Draft draft-byrne-opsec-udp- advisory. That said, it is not especially hard to send TCP connection-request (SYN) packets with spoofed source address. It is, however, quite difficult to get TCP source-address spoofing to work for long enough that data is delivered to an application process; see 12.10.1 ISNs and spoofing . UDP also sometimes enables what are called attacks: the attacker sends a small mes- traffic amplification sage to a server, with spoofed source address, and the server then responds to the spoofed address with a much larger response message. This creates a larger volume of traffic to the victim than the attacker would be able to generate directly. One approach is for the server to limit the size of its response – ideally to the size of the client’s request – until it has been able to verify that the client actually receives packets sent to its claimed IP address. QUIC uses this approach; see 12.22.4.4 Connection handshake and TLS encryption . 11.1.1 QUIC Sometimes UDP is used simply because it allows new or experimental protocols to run entirely as user-space applications; no kernel updates are required, as would be the case with TCP changes. Google has created a protocol named QUIC (Quick UDP Internet Connections, chromium.org/quic) in this category, rather specifically to support the HTTP protocol. QUIC can in fact be viewed as a transport protocol specifically tailored to HTTPS: HTTP plus TLS encryption ( 22.10.2 TLS ). QUIC also takes advantage of UDP’s freedom from head-of-line blocking. For example, one of QUIC’s goals includes supporting multiplexed streams in a single connection ( eg for the multiple components of a web page). A lost packet blocks its own stream until it is retransmitted, but the other streams can continue 326 11 UDP Transport

337 An Introduction to Computer Networks, Release 1.9.18 without waiting. An early version of QUIC supported error-correcting codes ( Error-Correcting 5.4.2 ); this is another feature that would be difficult to add to TCP. Codes In many cases QUIC eliminates the initial RTT needed for setting up a TCP connection, allowing data delivery with the very first packet. This usually this requires a recent previous connection, however, as otherwise accepting data in the first packet opens the recipient up to certain spoofing attacks. Also, QUIC usually eliminates the second (and maybe third) RTT needed for negotiating TLS encryption ( 22.10.2 TLS ). QUIC provides support for advanced congestion control, currently (2014) including a UDP analog of TCP CUBIC ( 15.15 TCP CUBIC ). QUIC does this at the application layer but new congestion-control mecha- nisms within TCP often require client operating-system changes even when the mechanism lives primarily at 14.8.3 Explicit the server end. (QUIC may require kernel support to make use of ECN congestion feedback, Congestion Notification (ECN) , as this requires setting bits in the IP header.) QUIC represents a promising approach to using UDP’s flexibility to support innovative or experimental transport-layer features. One downside of QUIC is its nonstandard programming interface, but note that Google can (and does) achieve widespread web utilization of QUIC simply by distributing the client side in its Chrome browser. Another downside, more insidious, is that QUIC breaks the “social contract” that everyone should use TCP so that everyone is on the same footing regarding congestion. It turns out, though, that TCP users are not 15 Newer TCP Implementations in fact all on the same footing, as there are now multiple TCP variants ( ). Furthermore, QUIC is supposed to compete fairly with TCP. Still, QUIC does open an interesting can of worms. Because many of the specific features of QUIC were chosen in response to perceived difficulties with TCP, we will explore the protocol’s details after introducing TCP, in 12.22.4 QUIC Revisited . 11.1.2 DCCP The Datagram Congestion Control Protocol, or , is another transport protocol build atop UDP, pre- DCCP RFC 4340 serving UDP’s fundamental tolerance to packet loss. It is outlined in . DCCP adds a number of TCP-like features to UDP; for our purposes the most significant are connection setup and teardown (see ) and TCP-like congestion management (see 14.6.3 DCCP Congestion Control 12.22.3 DCCP ). DCCP data packets, while numbered, are delivered to the application in order of arrival rather than in order of sequence number. DCCP also adds acknowledgments to UDP, but in a specialized form primarily for congestion control. There is no assumption that unacknowledged data packets will ever be retransmitted; that decision is entirely up to the application. Acknowledgments can acknowledge single packets or, through the DCCP acknowledgment-vector format, all packets received in a range of recent sequence numbers (SACK TCP, 13.6 Selective Acknowledgments (SACK) , also supports this). DCCP does support reliable delivery of control packets, used for connection setup, teardown and option negotiation. Option negotiation can occur at any point during a connection. DCCP packets include not only the usual application-specific UDP port numbers, but also a 32-bit service code . This allows finer-grained packet handling as it unambiguously identifies the processing requested by an incoming packet. The use of service codes also resolves problems created when applications are forced to use nonstandard port numbers due to conflicts. DCCP is specifically intended to run in in the operating-system kernel, rather than in user space. This is because the ECN congestion-feedback mechanism ( 14.8.3 Explicit Congestion Notification (ECN) ) requires setting flag bits in the IP header, and most kernels do not allow user-space applications to do this. 11.1 User Datagram Protocol – UDP 327

338 An Introduction to Computer Networks, Release 1.9.18 11.1.3 UDP Simplex-Talk One of the early standard examples for socket programming is simplex-talk. The client side reads lines of text from the user’s terminal and sends them over the network to the server; the server then displays them on its terminal. The server does not acknowledge anything sent to it, or in fact send any response to the client at all. “Simplex” here refers to the one-way nature of the flow; “duplex talk” is the basis for Instant Messaging, or IM. Even at this simple level we have some details to attend to regarding the data protocol: we assume here that the lines are sent with a trailing end-of-line marker. In a world where different OS’s use different end-of- line marks, including them in the transmitted data can be problematic. However, when we get to the TCP version, if arriving packets are queued for any reason then the embedded end-of-line character will be the only thing to separate the arriving data into lines. As with almost every Internet protocol, the server side must select a port number, which with the server’s IP socket address address will form the to which clients connect. Clients must discover that port number or have it written into their application code. Clients too will a port number, but it is largely invisible. have On the server side, simplex-talk must do the following: • ask for a designated port number • create a socket , the sending/receiving endpoint • bind the socket to the socket address, if this is not done at the point of socket creation • receive packets sent to the socket • for each packet received, print its sender and its content The client side has a similar list: • look up the server’s IP address, using DNS • create an “anonymous” socket; we don’t care what the client’s port number is • read a line from the terminal, and send it to the socket address server_IP,port y x 11.1.3.1 The Server We will start with the server side, presented here in Java. The Java socket implementation is based mostly 1.16 Berkeley Unix . We will use port 5432; this can easily be changed if, for on the BSD socket library, example, on startup an error message like “cannot create socket with port 5432” appears. The port we use here, 5432, has also been adopted by PostgreSQL for TCP connections. (The client, of course, would also need to be changed.) Java type DatagramPacket Java DatagramPacket objects contain the packet data and the x IP_address,port y source or destination. Packets themselves combine both data and address, of course, but nonetheless combining these in a single programming-language object is not an especially common design choice. The original BSD socket library implemented data and address as separate parameters, and many other languages have followed 328 11 UDP Transport

339 An Introduction to Computer Networks, Release 1.9.18 that precedent. A case can be made that the Java approach violates the single-responsibility principle, because data and address are so often handled separately. The socket-creation and port-binding operations are combined into the single operation new DatagramSocket(destport) . Once created, this socket will receive packets from any host that ad- dresses a packet to it; there is no need for preliminary connection. In the original BSD socket library, a and bound to an address with the separate operation bind() socket is created with socket() . The server application needs no parameters; it just starts. (That said, we could make the port number a parameter, to allow easy change.) The server accepts both IPv4 and IPv6 connections; we return to this below. Though it plays no role in the protocol, we will also have the server time out every 15 seconds and display always a message, just to show how this is done. Implementations of real UDP protocols essentially must arrange when attempting to receive a packet to time out after a certain interval with no response. The file below is at udp_stalks.java. / / simplex-talk server, UDP version * * import java.net. ; * import java.io. ; * public class stalks { static public int destport = 5432; static public int bufsize = 512; static public final int timeout = 15000; // time in milliseconds static public void main(String args[]) { DatagramSocket s; // UDP uses DatagramSockets try { s = new DatagramSocket(destport); } catch (SocketException se) { System.err.println("cannot create socket with port " + destport); return; } try { s.setSoTimeout(timeout); // set timeout in milliseconds } catch (SocketException se) { System.err.println("socket exception: timeout not set!"); } // create DatagramPacket object for receiving data: DatagramPacket msg = new DatagramPacket(new byte[bufsize], bufsize); while(true) { // read loop try { msg.setLength(bufsize); // max received packet size s.receive(msg); // the actual receive operation System.err.println("message from <" + 11.1 User Datagram Protocol – UDP 329

340 An Introduction to Computer Networks, Release 1.9.18 msg.getAddress().getHostAddress() + "," + msg.getPort() + Ñ ">"); ã } catch (SocketTimeoutException ste) { // receive() timed out System.err.println("Response timed out!"); continue; } catch (IOException ioe) { // should never happen! System.err.println("Bad receive"); break; } String str = new String(msg.getData(), 0, msg.getLength()); System.out.print(str); // newline must be part of str } s.close(); } // end of main } 11.1.3.2 UDP and IP addresses The server line creates a DatagramSocket object s = new DatagramSocket(destport) to the given port. If a host has multiple IP addresses (that is, is multihomed), packets sent to that bound localhost (and in fact all IPv4 port to any of those IP addresses will be delivered to the socket, including addresses between 127.0.0.1 and 127.255.255.255) and the subnet broadcast address ( eg 192.168.1.255). If a client attempts to connect to the subnet broadcast address, multiple servers may receive the packet (in this we are perhaps fortunate that the stalk server does not reply). Alternatively, we could have used s = new DatagramSocket(int port, InetAddress local_addr) in which case only packets sent to the host and port through the host’s specific IP address local_addr would be delivered. It does not matter here whether IP forwarding on the host has been enabled. In the original C socket library, this binding of a port to (usually) a server socket was done with the bind() call. To allow connections via any of the host’s IP addresses, the special IP address is passed to INADDR_ANY bind() . When a host has multiple IP addresses, the BSD socket library and its descendents do not appear to provide a way to find out to which these an arriving UDP packet was actually sent (although it is supposed to, according to RFC 1122 , §4.1.3.5). Normally, however, this is not a major difficulty. If a host has only one interface on an actual network ( not counting loopback), and only one IP address for that interface, then ie any remote clients must send to that interface and address. Replies (if any, which there are not with stalk) will also come from that address. Multiple interfaces do not necessarily create an ambiguity either; the easiest such case to experiment with involves use of the loopback and Ethernet interfaces (though one would need to use an application that, unlike stalk, sends replies). If these interfaces have respective IPv4 addresses 127.0.0.1 and 192.168.1.1, and the client is run on the same machine, then connections to the server application sent to 127.0.0.1 will be answered from 127.0.0.1, and connections sent to 192.168.1.1 will be answered from 192.168.1.1. The IP layer sees these as different subnets, and fills in the IP source-address field according to the appropriate 330 11 UDP Transport

341 An Introduction to Computer Networks, Release 1.9.18 subnet. The same applies if multiple Ethernet interfaces are involved, or if a single Ethernet interface is eg 192.168. .1 and 192.168. 2 .1. assigned IP addresses for two different subnets, 1 subnet, same Life is slightly more complicated if a single interface is assigned multiple IP addresses on the 1 and 192.168.1. 2 . Regardless of which address a client sends its request to, the server’s reply eg 192.168.1. 192.168.1.1. Thus, it is possible eg will generally always come from one designated address for that subnet, that a legitimate UDP reply will come from a different IP address than that to which the initial request was . sent If this behavior is not desired, one approach is to create multiple server sockets, and to bind each of the host’s network IP addresses to a different server socket. 11.1.3.3 The Client Next is the Java client version udp_stalkc.java. The client – any client – provide the name of the host must to which it wishes to send; as with the port number this can be hard-coded into the application but is more commonly specified by the user. The version here uses host localhost as a default but accepts any other InetAddress.getByName(desthost) invokes hostname as a command-line argument. The call to InetAddress. the DNS system, which looks up name desthost and, if successful, returns an IP address. ( getByName() also accepts addresses in numeric form, eg “127.0.0.1”, in which case DNS is not neces- sary.) When we create the socket we do not designate a port in the call to new DatagramSocket() ; this means any port will do for the client. When we create the DatagramPacket object, the first parameter is a zero-length array as the actual data array will be provided within the loop. A certain degree of messiness is introduced by the need to create a object to handle BufferedReader terminal input. // simplex-talk CLIENT java, UDP version in import java.net. ; * import java.io. ; * public class stalkc { static public BufferedReader bin; static public int destport = 5432; static public int bufsize = 512; static public void main(String args[]) { String desthost = "localhost" ; if (args.length >= 1) desthost = args[0]; bin = new BufferedReader(new InputStreamReader(System. in )); InetAddress dest; System.err.print( "Looking up address of " + desthost + "..." ); try { dest = InetAddress.getByName(desthost); // DNS query } catch (UnknownHostException uhe) { System.err.println( "unknown host: " + desthost); 11.1 User Datagram Protocol – UDP 331

342 An Introduction to Computer Networks, Release 1.9.18 return ; } System.err.println( " got it!" ); DatagramSocket s; { try s = new DatagramSocket(); } catch(IOException ioe) { System.err.println( "socket could not be created" ); ; return } "Our own port is " System.err.println( + s.getLocalPort()); DatagramPacket msg = new DatagramPacket(new byte[0], 0, dest, Ñ ã destport); while (true) { String buf; int slen; try { buf = bin.readLine(); } catch (IOException ioe) { System.err.println( "readLine() failed" ); return ; } if break ; // user typed EOF character (buf == null) " " ; // append newline character buf = buf + \n slen = buf.length(); byte[] bbuf = buf.getBytes(); msg.setData(bbuf); msg.setLength(slen); try { s.send(msg); } catch (IOException ioe) { System.err.println( "send() failed" ); return ; } } // while s.close(); } } The default value of desthost here is localhost ; this is convenient when running the client and the server on the same machine, in separate terminal windows. 332 11 UDP Transport

343 An Introduction to Computer Networks, Release 1.9.18 All packets are sent to the dest,destport y address specified in the initialization of msg . Alternatively, we x s.connect(dest,destport) . This causes nothing to be sent over the network, as could have called allowing it to send only to dest,destport y . In Java UDP is connectionless, but locally marks the socket x s we send() , so this offers no we still have to embed the destination address in every DatagramPacket benefit, but in other languages this can simplify subsequent sending operations. InetAddress object dest in the server Like the server, the client works with both IPv4 and IPv6. The code above can hold either IPv4 or IPv6 addresses; InetAddress is the base class with child classes and Inet6Address . If the client and server can communicate at all via IPv6 and if the Inet4Address desthost value of dest will be an Inet6Address supplied to the client is an IPv6-only name, then object and IPv6 will be used. For example, if the client is invoked from the command line with , and java stalkc ip6-localhost ip6-localhost resolves to the IPv6 loopback address ::1 , the client will send its packets to the name an stalk server on the same host using IPv6 (and the loopback interface). If greater IPv4-versus-IPv6 control is desired, one can replace the call with the following, getByName() dests where InetAddress[] : now has type dests = InetAddress.getAllByName(desthost); This returns an array of all addresses associated with the given name. One can then find the IPv6 addresses by searching this array for addresses addr for which addr instanceof Inet6Address . For non-Java languages, IP-address objects often have an AddressFamily attribute that can be used to 8.11 Using IPv6 and IPv4 Together . determine whether an address is IPv4 or IPv6. See also Finally, here is a simple python version of the client, udp_stalkc.py. #!/usr/bin/python3 from socket import * from sys import argv portnum = 5432 def talk(): "localhost" rhost = len(argv) > 1: if rhost = argv[1] print( "Looking up address of " + rhost + "..." "" ) , end= try : dest = gethostbyname(rhost) except (GAIerror, herror) mesg: # GAIerror: error in as Ñ gethostbyname() ã errno,errstr=mesg.args print( " \n " , errstr); return ; print( + dest) "got it: " addr=(dest, portnum) # a socket address s = socket(AF_INET, SOCK_DGRAM) s.settimeout(1.5) # we don't actually need to set ã Ñ timeout here 11.1 User Datagram Protocol – UDP 333

344 An Introduction to Computer Networks, Release 1.9.18 while True : : try "> " ) buf = input( except : break " \n " , 'ascii' ), addr) s.sendto(bytes(buf + talk() Why not C? While C is arguably the most popular language for network programming, it does not support IP addresses and other network objects as first-class types, and so we omit it here. But see 22.2.2 An Actual Stack- and 22.10.3 A TLS Programming Example for TCP-based C versions of stalk-like Overflow Example programs. (The problem is not entirely C’s fault; a network address might be an IPv4 address or an IPv6 address (or even a “named pipe” address); these objects are of different sizes and so addresses must be handled by reference, which is awkward in C.) To experiment with these on a single host, start the server in one window and one or more clients in other windows. One can then try the following: • have two clients simultaneously running, and sending alternating messages to the same server • invoke the client with the external IP address of the server in dotted-decimal, eg 10.0.0.3 (note that localhost is 127.0.0.1) • run the java and python clients simultaneously, sending to the same server • run the server on a different host ( a virtual host or a neighboring machine) eg • invoke the client with a nonexistent hostname netcat , below, as a client, though One can also use as a server will not work for the multiple- netcat client experiments. Note that, depending on the DNS server, the last one may not actually fail. When asked for the DNS name of a nonexistent host such as zxqzx.org, many ISPs will return the IP address of a host running a web server hosting an error/search/advertising page (usually their own). This makes some modicum of sense when attention is restricted to web searches, but is annoying if it is not, as it means non-web applications have no easy way to identify nonexistent hosts. Simplex-talk will work if the server is on the public side of a NAT firewall. No server-side packets need to be delivered to the client! But if the other direction works, something is very wrong with the firewall. 11.1.4 netcat The versatile netcat utility (also sometimes spelled nc ) utility enables sending and receiving of individual UDP (and TCP) packets; we can use it to substitute for the stalk client, or, with a limitation, the server. (The netcat utility, unlike stalk, supports bidirectional communication.) 334 11 UDP Transport

345 An Introduction to Computer Networks, Release 1.9.18 The utility is available for Windows, Linux and Macintosh systems, in both binary and source netcat forms, from a variety of places and in something of a variety of versions. The classic version is available from sourceforge.net/projects/nc110; a newer implementation is ncat. The Wikipedia page has additional information. sends the final end-of-line marker along with its data. The flag is used to request As with stalk, netcat -u UDP. To send to port 5432 on localhost using UDP, like an stalk client, the command is netcat -u localhost 5432 One can then type multiple lines that should all be received by a running stalk server. If desired, the source -p option; eg netcat -u -p 40001 localhost 5432 . port can be specified with the server , we need the -l option to ask To act as an stalk to listen instead of sending: netcat netcat -l -u 5432 stalkc netcat in client mode. However, once netcat in server mode One can then send lines using or receives its first UDP packet, it will not accept later UDP packets from different sources (some versions of have a -k netcat netcat option to allow this for TCP, but not for UDP). (This situation arises because makes use of the connect() call on the server side as well as the client, after which the server can only send to and receive from the socket address to which it has connected. This simplifies bidirectional communication. Often, UDP connect() is called only by the client, if at all. See the paragraph about connect() following the Java stalkc code in 11.1.3.3 The Client .) 11.1.5 Binary Data In the stalk example above, the client sent strings to the server. However, what if we are implementing a binary protocol that requires us to send data? Or designing such a protocol? The client and server will now have to agree on how the data is to be encoded . As an example, suppose the client is to send to the server a list of 32-bit integers, organized as follows. The length of the list is to occupy the first two bytes; the remainder of the packet contains the consecutive integers themselves, four bytes each, as in the diagram: 4 2003 3011 4003 10009 packet data layout The client needs to create the byte array organized as above, and the server needs to extract the values. (The inclusion of the list length as a short int is not really necessary, as the receiver will be able to infer the list length from the packet size, but we want to be able to illustrate the encoding of both int and short int values.) The protocol also needs to define how the integers themselves are laid out. There are two common ways to 2 3 256 + 2 ˆ 256 represent a 32-bit integer as a sequence of four bytes. Consider the integer 0x01020304 = 1 ˆ + 3 ˆ 256 + 4. This can be encoded as the byte sequence [1,2,3,4], known as big-endian encoding, or as [4,3,2,1], known as little-endian encoding; the former was used by early IBM mainframes and the latter is 11.1 User Datagram Protocol – UDP 335

346 An Introduction to Computer Networks, Release 1.9.18 used by most Intel processors. (We are assuming here that both architectures represent signed integers using twos-complement; this is now universal but was not always.) To send 32-bit integers over the network, it is certainly possible to tag the data as big-endian or little-endian, or for the endpoints to negotiate the encoding. However, by far the most common approach on the Internet – RFC 1700 and use big-endian encoding at least below the application layer – is to follow the convention of exclusively; big-endian encoding has since come to be known as “network byte order”. How one converts from “host byte order” to “network byte order” is language-dependent. It must always be done, even on big-endian architectures, as code may be recompiled on a different architecture later. to In Java the byte-order conversion is generally combined with the process of conversion from int DataOutputStream class to support the writing of the binary val- . The client will use a byte[] ues to an output stream, through methods such as writeInt() and writeShort() , together with a class to support the conversion of the output stream to type byte[] . The ByteArrayOutputStream ArrayList theNums . named code below assumes the list of integers is initially in an ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos); try { dos.writeShort(theNums.size()); (int n : theNums) { for dos.writeInt(n); } } catch (IOException ioe) { / exception handling / } * * byte[] bbuf = baos.toByteArray(); msg.setData(bbuf); // msg the DatagramPacket is Ñ ã object to be sent The server then needs to to the reverse; again, msg is the arriving DatagramPacket. The code below simply msg : calculates the sum of the 32-bit integers in ByteArrayInputStream bais = new ByteArrayInputStream(msg.getData(), 0, msg. ã Ñ getLength()); DataInputStream dis = new DataInputStream(bais); int sum = 0; try { int count = dis.readShort(); for (int i=0; i

347 An Introduction to Computer Networks, Release 1.9.18 • : host-to-network conversion for long (32-bit) integers htonl() ntohl() : network-to-host conversion for long integers • • htons() : host-to-network conversion for short (16-bit) integers • ntohs() : network-to-host conversion for short integers int char and A certain amount of casting between is also necessary. As both casting and byte-order * * conversions are error-prone, it is best if all conversions are made in a block, just after a packet arrives or just before it is sent, rather than on demand throughout the program. In general, the designer of a protocol needs to select an unambiguous format for all binary data; protocol- defining RFCs always include such format details. This can be a particular issue for floating-point data, eg in normalization or the size of the for which two formats can have the same endianness but still differ, exponent field. Formats for structured data, such as arrays, must also be spelled out; in the example above the list size was indicated by a length field but other options are possible. The example above illustrates fixed-field-width encoding. Another possible option, using variable-length encoding, is ASN.1 using the Basic Encoding Rules ( 21.6 ASN.1 Syntax and SNMP ); fixed-field encoding sometimes becomes cumbersome as data becomes more hierarchical. At the application layer, the use of non-binary encodings is common, though binary encodings continue to remain common as well. Two popular formats using human-readable unicode strings for data encoding are ASN.1 with its XML Encoding Rules and JSON. While the latter format originated with JavaScript, it is now widely supported by many other languages. 11.2 Trivial File Transport Protocol, TFTP We now introduce a real protocol based on UDP: the Trivial File Transport Protocol, or TFTP. While TFTP supports file transfers in both directions, we will restrict attention to the more common case where the client requests a file from the server. TFTP does not support a mechanism for authentication; any requestable files are available to anyone. In this TFTP does not differ from basic web browsing; as with web servers, a TFTP file server must ensure that requests are disallowed if the file – for example – ../../../etc/passwd is not within a permitted directory. Because TFTP is UDP-based, and clients can be implemented very compactly, it is well-suited to the down- loading of startup files to very compact systems, including diskless systems. Because it uses stop-and-wait, often uses a fixed timeout interval, and offers limited security, TFTP is typically confined to internal use within a LAN. Although TFTP is a very simple protocol, for correct operation it must address several fundamental transport issues; these are discussed in detail in the following section. TFTP is presented here partly as a way to intro- duce these transport issues; we will later return to these same issues in the context of TCP ( 12.11 Anomalous TCP scenarios ). TFTP, documented first in RFC 783 and updated in RFC 1350 , has five packet types: • Read ReQuest, RRQ, containing the filename and a text/binary indication • Write ReQuest, WRQ • Data, containing a 16-bit block number and up to 512 bytes of data 11.2 Trivial File Transport Protocol, TFTP 337

348 An Introduction to Computer Networks, Release 1.9.18 • ACK, containing a 16-bit block number • Error, for certain designated errors. All errors other than “Unknown Transfer ID” are cause for sender termination. Data block numbering begins at 1; we will denote the packet with the Nth block of data as Data[N]. Ac- knowledgments contain the block number of the block being acknowledged; thus, ACK[N] ack