Module 1
Unit 1 Introduction
1.1 Introduction
1.2 Uses of Computer Networks
1.2.1 Business Applications
1.2.2 Home Applications
1.2.3 Mobile Users
1.2.4 Social Issues
Unit 2 Network Hardware and software
2.1 Network Hardware
2.1.1 Wireless Networks
2.1.2 Internetworks
2.2 Network Software
2.2.1 Protocol Hierarchies
2.2.2 Design Issues for the Layers
2.2.3 Connection-Oriented and Connectionless Service
2.2.4 Service Primitives
2.2.5 Relationships of Services to Protocols
Unit 3 Example Networks
3.1 The ARPANET
3.2 The Internet
3.3 ATM
Module 2
Unit 1 Network Layer Design issues
1.1 Store-and-Forward Packet Switching
1.2 Services Provided to the Transport Layer
1.3 Comparison of Virtual Circuit and Datagram Subnets
Unit 2 Routing algorithms
2.1 The Optimality Principle
2.2 Shortest Path Routing
2.3 Flooding
2.4 Distance Vector Routing
2.5 Link state Routing
2.6 Hierarchical Routing
2.7 Broadcast Routing
2.8 Multicast Routing
2.9 Routing for Mobile Hosts
Unit 3 Congestion Control Algorithms
3.1 General Principles of Congestion Control
3.2 Congestion Prevention Policies
3.3 Congestion Control in Virtual-Circuit Subnets
3.4 Congestion Control in Datagram Subnet
3.5 Load Shedding
3.6 Jitter Control
Module 3
Unit 1 Quality of Service
1.1 Flow characteristics
1.2 Techniques for Achieving Good Quality of Service
1.3 Integrated Services
1.4 Differentiated Services
Unit 2 Internetworking
2.1 Need for Network Layer
2.2 Internet as Packet-Switched Network
2.3 Internet as Connectionless Network
2.4 Tunneling
2.5 Internetwork Routing
2.6 Fragmentation
Unit 3 The Network Layer in the Internet
3.1 The IP Protocol
3.2 IP Addresses
3.3 Subnet
3.4 IPV6
Module 4
Unit 1 Services and elements
1.1 The Transport Service
1.1.1 Services Provided to the Upper Layers
1.1.2 Transport Service Primitives
1.2 Elements of Transport Protocols
1.2.1 Addressing
1.2.2 Connection Establishment
1.2.3 Connection Release
1.2.4 Flow Control and Buffering
Unit 2 The Internet Transport Protocol
2.1 Introduction to UDP
2.2 Remote Procedure Call
2.3 The Real-Time Transport Protocol
Unit 3 Transmission Control Protocol
3.1 Introduction to TCP
3.2 TCP Segment Header
3.3 TCP Connection Establishment
3.4 TCP Connection Release
3.5 Modeling TCP Connection Management
3.6 TCP Transmission Policy
3.7 TCP Congestion Control
Module 5
Unit 1 Domain Name System
1.1 Application Layer Overview
1.2 DNS
1.2.1 The DNS Name System
1.2.2 Resource Records
1.2.3 Name Servers
Unit 2 Electronic Mail
2.1 Architecture and Services
2.2 The User Agent
2.3 Message Formats
2.4 Message Transfer
2.5 Final Delivery
Module 6
Unit 1 Overview
1.1 Services, Mechanisms and Attacks
1.2 OSI Security Architecture
1.3 A Model for Network Security
Unit 2 Cryptography-I
2.1 Symmetric cipher Model
2.2 General concepts
2.3 Cryptanalysis
2.4 Substitution Techniques
2.5 Transposition Techniques
Unit 3 Cryptography-II
3.1 Simplified DES
3.2 Block Cipher principles
3.3 The Data Encryption Standard
3.4 The RSA algorithm
Unit 4 E-mail Security
4.1 Introduction
4.2 Pretty Good Privacy
4.2.1 Operational description of PGP
4.2.2 Cryptographic keys and key rings
4.3 S/MIME
4.3.1 S/MIME Functionality
4.3.2 S/MIME Messages
Unit 1
Introduction to Computer Networks
1.1 Introduction
1.2 Uses of Computer Networks
1.2.1 Business Applications
1.2.2 Home Applications
1.2.3 Mobile Users
1.2.4 Social Issues
1.1 INTRODUCTION
A computer network is an interconnected collection of autonomous computers. Two
computers are said to be interconnected if they are able to exchange information. The
connection can be wired or wireless.
Difference between distributed systems and computer networks
Distributed systems
• Collection of independent computers. It is the software built on top of a network.
• The existence of multiple autonomous computers is transparent (not visible) to the user.
• A layer of software on top of the operating system, called middleware, is responsible for
implementing this model.
E.g. www (World Wide Web)
Computer networks
• Collection of autonomous computers interconnected by a single technology.
• Users are exposed to the actual machines; they explicitly log on to one machine, explicitly
submit jobs, move files and handle all network management personally.
• There is no software layer on top of the network to provide coherence.
Thus the distinction between a network and a distributed system lies with the software
(especially the operating system), rather than with the hardware.
1.2 USES OF COMPUTER NETWORKS
Computer networks are used in various fields by individuals and organizations. The major
classifications of usage are:
• Business applications
• Home applications
• Mobile users
• Social issues
1.2.1 Business Applications
Networks for companies provide
• Resource sharing
• High reliability
• Saving money
• Scalability
Resource sharing
The goal is to make all programs, equipment and data available to anyone on the network,
regardless of the physical location of the resource or of the user. An example is a group of
office workers sharing a common printer.
Reliability
High reliability can be obtained by having alternate sources of supply. For example, the files
could be placed on two or three machines on the network. In case of a hardware failure, the
copy of the file stored on another system can be used.
Saving money
Small computers have a much better price/performance ratio than larger ones. Networks can be
built from personal computers, one per user, with data kept on one or more shared file server
machines; this arrangement is called the client-server model.

Client-server model
The user machines are called clients and the machines holding the data are called servers. The
client and server machines are connected by a network, as shown in fig 1.1.
Fig 1.1 A network with two clients and one server
Generally the communication starts from the client. The client sends a request over the
network to the server process and waits for a reply message. When the server process gets
the request, it performs the requested work and sends back the reply. This is depicted in
fig 1.2.
Fig 1.2 Client-Server model
Scalability
It is the ability to increase system performance gradually as the work load grows, by
adding more processors. With the client-server model, new clients and servers can be added
as needed.
Communication
Networks provide a powerful communication medium among widely spread employees.
They enhance human-to-human communication.
1.2.2 Home Applications
Some of the popular uses of networks for people are
• Access to remote information
• Person-to-person communication
• Interactive entertainment
• Electronic commerce
Access to remote information
Some of the examples are
• Access to financial institutions – people staying at home pay their bills, manage their
accounts and handle their investments.
• Home shopping – the ability to view online catalogs of thousands of companies and place
orders.
• Online newspapers and digital libraries, which can be personalized.
• Access to information systems like the www, which contain information about science,
sports, cooking, government, health, travel etc.
Person-to-person communication
• E-mail (Electronic mail) is used by millions of people for interaction in the form of text,
audio or video.
• Video conferencing – virtual meetings among far-flung people.
• Chatting – instant messaging between two persons or a group of people.
Interactive entertainment
• Video-on-demand – watching a selected movie online.
• Live television becomes interactive.
• On-line games provide more entertainment.
E-Commerce
Some forms of e-commerce are tabulated in the table 1.1
Table 1.1 Some forms of e-commerce
1.2.3 Mobile users
Mobile computers like laptops and PDAs (Personal Digital Assistants) are one of the fastest
growing segments of the computer industry. People on the road often use their mobile computers
to send and receive telephone calls, faxes and e-mail, surf the web and log on to remote
machines.
Wireless parking meters have advantages for both users and city governments. Wireless
smoke detectors could call the fire department. Wireless networks are of great value to fleets
of trucks, taxis, delivery vehicles and repair persons for keeping in contact with home.
Wireless networking and mobile computing are often related. The distinction between fixed
wireless and mobile wireless is tabulated below in table 1.2.
Table 1.2 Combination of wireless networks and mobile computing
1.2.4 Social issues
Networking introduces new social, ethical and political problems. A popular feature of
many networks is newsgroups or bulletin boards, whereby people can exchange messages
with like-minded individuals. The trouble comes when newsgroups take up topics like politics,
religion or sex. Views posted to such groups may be offensive to some people.
• Employee rights versus employer rights. Many people read and write email at work. Some
employers have claimed the right to read and edit employee messages. Not all employees
agree with this.
• Government versus citizen. The government is not the only party threatening people's
privacy. Example – Small files called cookies that web browsers store on users'
computers allow companies to track users' activities in cyberspace and may allow credit
card numbers, social security numbers and other confidential information to leak all over
the internet.
• Along with the good comes the bad. The internet provides a way to find information
quickly, but a lot of it is ill-informed. Example – email messages containing active
content can contain viruses.
Unit 2
Network Hardware and software
2.1 Network Hardware
2.1.1 Wireless Networks
2.1.2 Internetworks
2.2 Network Software
2.2.1 Protocol Hierarchies
2.2.2 Design Issues for the Layers
2.2.3 Connection-Oriented and Connectionless Service
2.2.4 Service Primitives
2.2.5 Relationships of Services to Protocols
2.1 NETWORK HARDWARE
Apart from LAN, WAN and MAN, we have wireless networks and internetworks.
2.1.1 Wireless networks
Wireless networks can be divided into three main categories
1. System interconnection
2. Wireless LAN’s
3. Wireless WAN’s
Fig 2.1 (a) Bluetooth configuration (b) Wireless LAN
System interconnection is about interconnecting the components of a computer using short-range
radio. A short-range wireless network called Bluetooth is used to connect the
components without using wires. It allows digital cameras, headsets, scanners and other
devices to connect to a computer by merely being brought within range. The simplest form is
shown in fig 2.1(a).
Wireless LANs are systems in which every computer has a radio modem and antenna
with which it can communicate with other systems. Often there is an antenna on the ceiling that
the machines talk to, as shown in fig 2.1(b). They are used in small offices, homes etc. The
standard for wireless LANs is IEEE 802.11.
Wireless WANs are the third kind of wireless network. The radio network used for cellular
telephones is an example of a low-bandwidth wireless system. The system has undergone three
generations. The first generation was analog and for voice only. The second generation was
digital and for voice only. The third generation is digital and for both voice and data. Cellular
wireless networks are like wireless LANs except that the distances involved are much greater
and the bit rates much lower.
2.1.2 Internetwork
A collection of interconnected networks is called internetwork or internet. A common form
of internet is a collection of LAN’s connected by a WAN as shown in fig 2.2.
Fig 2.2 A common form of Internet
An internetwork is formed when distinct networks are interconnected. Connecting a LAN
and a WAN or connecting two LANs forms an internetwork, though there is little agreement in
the industry over the terminology. If different organizations paid to construct different parts
of the network and each maintains its part, then it is an internetwork rather than a single network.
2.2 NETWORK SOFTWARE
Network software is highly structured at present. Some of the software structuring techniques
are dealt with below.
2.2.1 Protocol Hierarchies
Networks are organized as a stack of layers or levels, each one built upon the one below it. The
number of layers, the name of each layer, and the contents and functionality of each layer differ
from network to network. Each layer offers services to the layer above it.
Layer n on one machine carries on a conversation with layer n on another machine. The rules
and conventions used in this conversation are collectively known as the layer n protocol. A
protocol is an agreement between the communicating parties on how communication is to proceed.
Fig 2.3 Layers, protocols and interfaces
A five-layered network is shown in the fig 2.3. The entities comprising the corresponding
layers on different machines are called Peers. Between each pair of adjacent layers is an
Interface. The interface defines which primitive operations and services the lower layer
makes available to the upper one. A set of layers and protocols is called Network
architecture. A list of protocols used by a system, one protocol per layer is called Protocol
stack. The fig 2.4 shows the communication between the layers in the network.
Fig 2.4 Example information flow supporting virtual communication in layer 5
At the sending machine
• A message M produced by an application process in layer 5 is given to layer 4 for
transmission.
• Layer 4 adds a header in front of the message to identify the message and passes it to
layer 3. The header includes control information such as sequence number, size, address
etc.
• Layer 3 then breaks the incoming message up into smaller units. M is divided into
M1 and M2, which are sent to layer 2.
• Layer 2 adds a header and a trailer to each piece and sends the result to layer 1 for
physical transmission.
At the receiving machine
• As the message moves upward from layer to layer, the headers and trailers are stripped off
and the message is delivered.
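The sending and receiving sequence above, as an added example that is not part of the original text: a toy five-layer stack in which layer 4 prepends a header with sequence number and size, layer 3 fragments into pieces, layer 2 wraps each piece in a header and a CRC32 trailer, and the receiver strips everything in reverse while checking the trailer, the fragment set and the layer 4 size before delivering. The header layouts and the fragment size are assumptions for this example, not a real protocol.

```python
import struct
import zlib
from typing import Dict, List, Optional

# Constructed toy stack. Header layouts below are assumptions for this example.
L4_HDR = struct.Struct("!HH")    # layer 4: sequence number, message size
L3_HDR = struct.Struct("!HBB")   # layer 3: sequence number, fragment index, fragment count
L3_MAX = 8                       # assumed largest payload layer 3 carries per packet
L2_HDR = struct.Struct("!B")     # layer 2 header: destination address
L2_TRL = struct.Struct("!I")     # layer 2 trailer: CRC32 over header and payload


def layer4_send(seq: int, message: bytes) -> bytes:
    """Layer 4 adds a header in front of the message identifying it and its size."""
    return L4_HDR.pack(seq, len(message)) + message


def layer3_send(seq: int, segment: bytes) -> List[bytes]:
    """Layer 3 breaks the segment into fragments (M1, M2, ...) no larger than L3_MAX."""
    pieces = [segment[i:i + L3_MAX] for i in range(0, len(segment), L3_MAX)] or [b""]
    return [L3_HDR.pack(seq, idx, len(pieces)) + p for idx, p in enumerate(pieces)]


def layer2_send(addr: int, packet: bytes) -> bytes:
    """Layer 2 adds a header and a checksum trailer so damage is detectable on receipt."""
    body = L2_HDR.pack(addr) + packet
    return body + L2_TRL.pack(zlib.crc32(body))


def send(seq: int, addr: int, message: bytes) -> List[bytes]:
    """Frames handed to layer 1 for physical transmission, in sending order."""
    return [layer2_send(addr, p) for p in layer3_send(seq, layer4_send(seq, message))]


def layer2_receive(frame: bytes) -> Optional[bytes]:
    """Strip the layer 2 header and trailer; drop frames whose checksum does not match."""
    if len(frame) < L2_HDR.size + L2_TRL.size:
        return None
    body, trailer = frame[:-L2_TRL.size], frame[-L2_TRL.size:]
    if zlib.crc32(body) != L2_TRL.unpack(trailer)[0]:
        return None
    return body[L2_HDR.size:]


def receive(frames: List[bytes]) -> Optional[bytes]:
    """Receiving machine: strip layer 2, reassemble layer 3 fragments, check layer 4.

    Frames may arrive in any order; a corrupted or missing fragment, or a size that
    disagrees with the layer 4 header, makes the whole message fail (returns None).
    """
    fragments: Dict[int, bytes] = {}
    expected = None                        # (sequence number, fragment count)
    for frame in frames:
        packet = layer2_receive(frame)
        if packet is None:
            return None                    # checksum failure at layer 2
        seq, idx, count = L3_HDR.unpack_from(packet)
        if expected is None:
            expected = (seq, count)
        elif (seq, count) != expected or idx >= count:
            return None                    # fragment of a different message, or bogus index
        fragments[idx] = packet[L3_HDR.size:]
    if expected is None or len(fragments) != expected[1]:
        return None                        # fragments missing
    segment = b"".join(fragments[i] for i in range(expected[1]))
    seq, size = L4_HDR.unpack_from(segment)
    message = segment[L4_HDR.size:]
    if seq != expected[0] or len(message) != size:
        return None                        # layer 4 header disagrees with what arrived
    return message


if __name__ == "__main__":
    frames = send(7, 0x2A, b"hello layered world")
    print(len(frames), "frames on the wire;", receive(frames))
```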
2.2.2 Design Issues for the Layers
Some of the key design issues that occur in computer networks are present in several layers.
The more important ones are:
1. Addressing – Every machine on the network needs a unique identity, its address. It is used to
identify the specific destination.
2. Direction of data flow – Communication between two devices can be
a. Simplex – Data travels in one direction only (unidirectional). This is shown in fig 2.5
Fig 2.5 Simplex
b. Half-Duplex – Data can travel in either direction, but not simultaneously, as shown in
fig 2.6
Fig 2.6 Half-Duplex
c. Full-Duplex – Data can travel in both directions simultaneously, as shown in fig 2.7
Fig 2.7 Full-Duplex
3. Error control – It is one of the important issues. Many error-detecting and error-correcting
codes are known, but both ends of the connection must agree on which one is being used.
• Not all communication channels preserve the order of the messages sent, so the
protocol must make explicit provision for the receiver to reassemble them properly.
• Another issue that occurs at every level is how to keep a fast sender from swamping a
slow receiver with data. This is called flow control.
4. Not all processes can accept arbitrarily long messages. This leads to
mechanisms for disassembling, transmitting and then reassembling messages.
5. When it is inconvenient or expensive to set up a separate connection for each pair of
communicating processes, the underlying layer may decide to use the same connection for
multiple, unrelated conversations. As long as this multiplexing and demultiplexing is done
transparently, it can be used by any layer.
6. Routing – When there are multiple paths between the source and the destination, a route must
be chosen.
2.2.3 Connection-Oriented and Connectionless Services
The layers offer two different types of services to the layers above them:
• Connection-oriented
• Connectionless
Connection-oriented service
• The service user first establishes a connection, uses the connection and then releases the
connection. E.g. the telephone system.
• When the connection is established, the sender, receiver and subnet conduct a negotiation
about the parameters to be used, such as quality of service, maximum message size and other
issues.
• Reliable connection-oriented service has two minor variations: message sequences and
byte streams.
• Message sequences – message boundaries are preserved. For example, when two 512-byte
messages are sent, they arrive as two distinct 512-byte messages.
• Byte streams – A stream of bytes with no message boundaries. For example, two 512-byte
messages can arrive as one 1024-byte message or as two 512-byte messages.
Connectionless service
• No connection is established. Each message carries the full destination address and each
one is routed independently of all the others. E.g. the postal system.
• Unreliable connectionless service is often called datagram service, e.g. telegram service.
• Acknowledged datagram service provides reliability without any connection
establishment. It is like sending a registered letter and requesting a return receipt. When
the receipt comes back to the sender, it is sure the letter has been delivered to the intended
party.
• Request-reply service is the service in which the sender transmits a single datagram
containing a request; the reply contains the answer. Request-reply is commonly used to
implement communication in the client-server model.
Table 2.1 summarizes the types of services discussed.
Table 2.1 Types of service
2.2.4 Service Primitives
A service is formally specified by a set of primitives (operations) available to a user process
to access the service. These primitives tell the service to perform some action. The primitives
for connection-oriented service are different from those of connectionless service. The table
2.2 shows the primitives for simple connection-oriented service. These primitives might be
used as follows.
Table 2.2 Service primitives for implementing a simple connection-oriented service
Fig 2.8 Packets sent in a simple client-server interaction on a connection-oriented
network
• Initially the server executes the LISTEN primitive to accept incoming connections.
• To establish a connection, the client executes the CONNECT primitive, using the server
address as a parameter.
• The operating system then typically sends a packet to the peer asking it to connect, as
shown by (1) in fig 2.8.
• When the packet arrives at the server, it is processed by the operating system. When the
system sees that the packet is requesting a connection, it checks for a listener. If there is one,
it unblocks the listener and sends back an acknowledgement (2).
• This acknowledgement releases the client. At this point both client and server are
running and have a connection established.
• If a connection request arrives and there is no listener, the result is undefined.
• The server then executes the RECEIVE primitive to accept the request. The RECEIVE call
blocks the server.
• Then the client executes the SEND primitive to transmit its request (3), followed by the
execution of RECEIVE to get the reply. The arrival of the request packet at the server
unblocks the server process so that it can process the request.
• Then the server uses the SEND primitive to return the answer to the client (4). If the client
does not have any additional requests, it can use DISCONNECT to terminate the
connection (5).
• When the server gets this packet, it also issues a DISCONNECT of its own,
acknowledging the client and releasing the connection.
• When the server's packet (6) gets back to the client machine, the client process is released
and the connection is broken.
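The LISTEN, CONNECT, RECEIVE, SEND and DISCONNECT sequence of fig 2.8, as an added example that is not part of the original text: the primitives are realised with TCP sockets on the loopback interface, the server running in a thread, and each side records the primitives it executed. The socket calls chosen for each primitive are assumptions of this example. It also shows the "no listener" case from the list above, where the abstract model leaves the result undefined but TCP on a real host refuses the connection.

```python
import socket
import threading
from typing import List, Tuple

# Constructed demonstration; the mapping of primitives to socket calls is an assumption.


def _server(listener: socket.socket, trace: List[str]) -> None:
    """Server side: accept the connection, RECEIVE the request, SEND the reply, DISCONNECT."""
    conn, _ = listener.accept()               # unblocked by the client's CONNECT (packets 1, 2)
    conn.settimeout(5)
    with conn:
        request = conn.recv(1024)             # RECEIVE blocks until the request (3) arrives
        trace.append("RECEIVE " + request.decode())
        conn.sendall(b"reply:" + request)     # SEND the answer (4)
        trace.append("SEND")
        if conn.recv(1024) == b"":            # the client's DISCONNECT (5) appears as end of stream
            trace.append("DISCONNECT")        # closing our end is the server's DISCONNECT (6)
    listener.close()


def client_server_exchange(request: bytes) -> Tuple[bytes, List[str], List[str]]:
    """One request/reply over a connection-oriented service; returns reply and both traces."""
    client_trace: List[str] = []
    server_trace: List[str] = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # port 0: the OS picks a free port
    listener.settimeout(5)
    listener.listen(1)                        # LISTEN: wait for an incoming connection
    server_trace.append("LISTEN")
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_server, args=(listener, server_trace))
    worker.start()
    # CONNECT, with the server address as the parameter
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client_trace.append("CONNECT")
        client.sendall(request)               # SEND the request (3)
        client_trace.append("SEND")
        reply = client.recv(1024)             # RECEIVE the reply (4)
        client_trace.append("RECEIVE " + reply.decode())
    client_trace.append("DISCONNECT")         # leaving the with-block closes the socket (5)
    worker.join(timeout=10)
    return reply, client_trace, server_trace


def connect_without_listener() -> str:
    """CONNECT to a port where nobody executed LISTEN: the TCP stack refuses it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                             # the port is free again and has no listener
    try:
        socket.create_connection(("127.0.0.1", port), timeout=5).close()
    except ConnectionRefusedError:
        return "refused"
    return "connected"


if __name__ == "__main__":
    print(client_server_exchange(b"ping"))
    print("no listener:", connect_without_listener())
```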
2.2.5 The Relationship of Services to Protocols
A service is a set of primitives that a layer provides to the layer above it. The service defines
what operations the layer is prepared to perform on behalf of its users, but nothing about how
these operations are implemented. A service relates to an interface between two layers,
with the lower layer as the service provider and the upper layer as the service user.
In contrast, a protocol is a set of rules governing the format and meaning of the packets or
messages that are exchanged by the peer entities within a layer. Entities use protocols to
implement their service definitions.
Services relate to the interfaces between layers. In contrast, protocols relate to the packets
sent between peer entities on different machines. This is shown in the fig 2.9.
Fig 2.9 Relationship between a service and a protocol
With respect to programming languages, a service is like an abstract data type or an object in
an object-oriented language. It defines the operations to be performed but does not specify
how these operations are implemented. A protocol relates to the implementation of the service.
Unit 3
Example Networks
3.1 The ARPANET
3.2 The Internet
3.3 ATM
3.1 The ARPANET
The network was originally conceived by the Advanced Research Projects Agency (ARPA)
of the U.S. Department of Defense as an experiment in computer resource sharing: a network
that would interconnect dissimilar computers throughout the United States, allowing users and
programs at one computer centre to reliably and interactively access and use the facilities of
other, geographically distant centers.
The ARPA network has probably generated more interest and excitement in the field of
computer networking than any other network in the world. It has spawned a vast amount of
research activity in many diverse areas such as computer-to-computer protocols,
interconnection of dissimilar networks, line protocols, communication processor hardware and
software design, network topological design, network reliability, network security, adaptive
routing and flow control, protocol verification, packet-switching concepts, and so on. The
development of the ARPA network has led, directly or indirectly, to the development of a
whole host of large-scale computer-communications networks worldwide, both commercial
and government-owned.
The subnet would consist of minicomputers called IMPs (Interface Message Processors)
connected by transmission lines. For high reliability, each IMP would be connected to at least
two other IMPs. The subnet was to be a datagram subnet. Each node of the network was to
consist of an IMP and a host, in the same room, connected by a short wire. A host could send
messages of up to 8063 bits to its IMP, which would then break these up into packets of at
most 1008 bits and forward them independently towards the destination. Each packet was
received in its entirety before being forwarded, so the subnet was the first electronic
store-and-forward packet-switching network.
Later, in 1968, BBN, a consulting firm, chose to use specially modified Honeywell DDP-316
minicomputers with 12K 16-bit words of core memory as the IMPs. The IMPs did not have
disks, since moving parts were considered unreliable. The IMPs were interconnected by
56-kbps lines leased from telephone companies.
The software was split into two parts: subnet and host. The subnet software consisted of the
IMP end of the host-IMP connection, the IMP-IMP protocol, and a source IMP to destination
IMP protocol designed to improve reliability. The original ARPANET design is shown in fig
3.1. Outside the subnet, software was also needed, namely, the host end of the host-IMP
connection, the host-host protocol, and the application software.
Fig 3.1 The original ARPANET design
Later the IMP software was changed to allow terminals to connect directly to a special IMP,
called a TIP (Terminal Interface Processor), without having to go through a host.
Subsequent changes included having multiple hosts per IMP, hosts talking to multiple IMPs
(to protect against IMP failures), and hosts and IMPs separated by a large distance (to
accommodate hosts far from the subnet).
ARPA also funded research on satellite networks and mobile packet radio networks. By
1983, the ARPANET was stable and successful, with over 200 IMPs and hundreds of hosts.
At this point, ARPA turned the management of the network over to the Defense
Communications Agency (DCA), to run it as an operational network.
During the 1980s, additional networks, especially LANS, were connected to the ARPANET.
As the scale increased, finding hosts became increasingly expensive, so DNS (Domain
Naming System) was created to organize machines into domains and map host names onto
IP addresses.
By 1990, the ARPANET had been overtaken by newer networks that it itself had spawned.
3.2 The Internet
The Internet is a vast collection of different networks that use certain common protocols and
provide certain common services.
Architecture of the Internet
The fig 3.2 shows the overview of Internet.
Fig 3.2 Overview of the Internet
• The client calls his or her ISP (Internet Service Provider) over a dial-up telephone line.
• The modem is a card within the PC that converts the digital signals to analog signals.
• These signals are transferred to the ISP's POP (Point of Presence), where they are
removed from the telephone system and injected into the ISP's regional network. From
this point on, the system is fully digital and packet switched.
• The ISP's regional network consists of interconnected routers in the various cities. If the
packet is destined for a host served directly by the ISP, the packet is delivered to the host.
Otherwise, it is handed over to the ISP's backbone operator.
• Large corporations and hosting services that run server farms (machines that can serve
thousands of web pages per second) often connect directly to the backbone.
• Backbone operators encourage this direct connection by renting space in what are called
carrier hotels.
• To allow packets to hop between backbones, all the major backbones connect at the
NAPs (Network Access Points). A NAP is a room full of routers, at least one per backbone.
• In addition to being interconnected at NAPs, the larger backbones have numerous direct
connections between their routers, a technique known as private peering. One of the
many paradoxes of the Internet is that ISPs who publicly compete with one another for
customers often privately cooperate to do private peering.
3.3 Asynchronous Transfer Mode
ATM (Asynchronous Transfer Mode) is a connection-oriented network. ATM was designed
in the early 1990s. ATM was going to solve all the world's networking and
telecommunications problems by merging voice, data, cable television, telex, telegraph and
everything else into a single integrated system that could do everything for everyone. ATM
was much more successful than OSI, and it is now widely used deep within the telephone
system, often for moving IP packets.
ATM Virtual circuits
ATM networks are connection-oriented, so connections are virtual circuits. Most ATM
networks also support permanent virtual circuits, which are permanent connections between
two hosts. Each connection, temporary or permanent, has a unique connection identifier. A
virtual circuit is shown in fig 3.3.
Fig 3.3 A virtual circuit
ATM cell
The basic idea behind ATM is to transmit all information in small, fixed size packets called
cells. The cells are 53 bytes long, of which 5 bytes are header and 48 bytes are payload as
shown in fig 3.4.
Fig 3.4 An ATM cell
• The connection identifier is part of the header, so the sending and receiving hosts and all
the intermediate routers can tell which cells belong to which connections. Cell routing
is done in hardware at high speed.
• An advantage of ATM is that the hardware can be set up to copy one incoming cell to
multiple output lines. Example – broadcast of TV programs to many receivers.
• Small cells do not block any line for very long, which makes guaranteeing quality of
service easier.
• Cell delivery is not guaranteed, but their order is maintained. ATM guarantees never to
deliver cells out of order. Example – if cells 1 and 2 are sent in that order, then 1
is received by the destination first, followed by 2.
• ATM networks are organized like traditional WANs, with lines and routers. The
common speeds are 155 Mbps and 622 Mbps.
ATM Reference Model
The ATM reference model is different from the OSI and TCP/IP models. It is a three-dimensional
reference model; this model is shown in fig 3.5. It consists of three layers
• Physical layer
• ATM layer
• ATM adaptation layer
plus whatever the users choose to put on top of that.
Fig 3.5 ATM Reference model
Physical layer
It deals with the physical medium: voltages, bit timing and so on. ATM has been designed to be
independent of the transmission medium, i.e. ATM cells can be sent on a wire or fiber by
themselves, but they can also be packaged inside the payload of other carrier systems. It is
divided into two sublayers
• PMD (Physical Medium Dependent) – It moves the bits on and off the medium and handles the
bit timing.
• TC (Transmission Convergence) – When cells are transmitted, the TC sublayer sends them as a
string of bits to the PMD sublayer. At the other end, the TC sublayer gets a pure incoming bit
stream from the PMD sublayer. Its job is to convert this bit stream into a cell stream for the
ATM layer.
ATM layer
It manages cells, including their generation and transport. It defines the layout of a cell and
tells what the header fields mean. It also deals with the establishment and release of virtual
circuits. Congestion control is also located here. It is not split into sublayers.
ATM Adaptation Layer (AAL)
Most applications do not want to work directly with cells, so a layer above the ATM layer has
been defined to allow users to send packets larger than a cell. The ATM interface segments these
packets, transmits the cells individually and reassembles them at the other end. This layer is the
AAL. It is divided into two sublayers
• SAR (Segmentation And Reassembly) – This lower sublayer breaks packets up into cells
on the transmission side and puts them back together at the destination.
• CS (Convergence Sublayer) – This upper sublayer makes it possible for ATM
systems to offer different kinds of services to different applications, like file transfer,
video-on-demand etc.
The functions of the layers and sublayers are summarized in table 3.1.
Table 3.1 ATM layers, sublayers and their functions
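The ATM cell and AAL passages above, as an added example that is not part of the original text: a packet is segmented by a SAR sublayer into 53-byte cells with 48-byte payloads, a switch relays each cell by a table lookup on its connection identifier (copying it to two output lines, the multicast case mentioned above), and a receiving SAR reassembles the packet per circuit, relying on in-order delivery so that a sequence gap means a lost cell and the damaged packet is discarded. The 5-byte header layout used here (connection id, sequence number, payload length, flags) is an assumption for the example and is not the real ATM header format.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# Constructed model. The header layout is an assumption, not the real ATM header.
CELL_SIZE = 53
HDR = struct.Struct("!HBBB")        # connection id, seq (mod 256), valid payload bytes, flags
PAYLOAD = CELL_SIZE - HDR.size      # 48 bytes of payload, as in a real ATM cell
LAST = 0x01                         # flag: final cell of a packet


def segment(conn_id: int, packet: bytes, first_seq: int = 0) -> List[bytes]:
    """SAR, sending side: break a packet into fixed-size cells on one virtual circuit."""
    chunks = [packet[i:i + PAYLOAD] for i in range(0, len(packet), PAYLOAD)] or [b""]
    cells = []
    for n, chunk in enumerate(chunks):
        flags = LAST if n == len(chunks) - 1 else 0
        hdr = HDR.pack(conn_id, (first_seq + n) & 0xFF, len(chunk), flags)
        cells.append(hdr + chunk.ljust(PAYLOAD, b"\0"))   # pad to a full 53-byte cell
    return cells


class Switch:
    """Cell relay: a table lookup on (input line, connection id) gives the output line(s)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def add_vc(self, in_line: int, in_conn: int, outputs: List[Tuple[int, int]]) -> None:
        """Map an incoming circuit to one (unicast) or several (multicast) output circuits."""
        self.table[(in_line, in_conn)] = outputs

    def relay(self, in_line: int, cell: bytes) -> List[Tuple[int, bytes]]:
        conn, seq, length, flags = HDR.unpack_from(cell)
        out = []
        for out_line, out_conn in self.table.get((in_line, conn), []):   # unknown VC: dropped
            out.append((out_line, HDR.pack(out_conn, seq, length, flags) + cell[HDR.size:]))
        return out


class Reassembler:
    """SAR, receiving side: rebuild packets per circuit; a sequence gap means a lost cell."""

    def __init__(self) -> None:
        self.buf: Dict[int, List[bytes]] = {}
        self.next_seq: Dict[int, int] = {}
        self.skipping: Set[int] = set()   # circuits discarding the rest of a damaged packet
        self.lost_packets = 0

    def feed(self, cell: bytes) -> Optional[Tuple[int, bytes]]:
        conn, seq, length, flags = HDR.unpack_from(cell)
        expected = self.next_seq.get(conn, seq)
        self.next_seq[conn] = (seq + 1) & 0xFF
        if seq != expected:                  # cells arrive in order, so a gap is a loss
            self.lost_packets += 1
            self.buf.pop(conn, None)
            self.skipping.add(conn)
        if conn in self.skipping:
            if flags & LAST:
                self.skipping.discard(conn)  # the next cell starts a fresh packet
            return None
        self.buf.setdefault(conn, []).append(cell[HDR.size:HDR.size + length])
        if flags & LAST:
            return conn, b"".join(self.buf.pop(conn))
        return None


def deliver(packet: bytes, lose: Set[Tuple[int, int]] = frozenset()):
    """Send one packet from line 0 through a switch that copies it to lines 1 and 2.

    `lose` holds (output line, cell index) pairs to drop, simulating cell loss on that line.
    Returns the packets delivered per line and the number of lost packets per line.
    """
    sw = Switch()
    sw.add_vc(0, 5, [(1, 17), (2, 42)])     # multicast: one incoming cell, two output lines
    rx = {1: Reassembler(), 2: Reassembler()}
    delivered: Dict[int, List[Tuple[int, bytes]]] = {1: [], 2: []}
    for i, cell in enumerate(segment(5, packet)):
        for line, out_cell in sw.relay(0, cell):
            if (line, i) in lose:
                continue
            got = rx[line].feed(out_cell)
            if got is not None:
                delivered[line].append(got)
    return delivered, {line: r.lost_packets for line, r in rx.items()}


if __name__ == "__main__":
    print(deliver(bytes(range(100)), lose={(2, 1)}))
```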
Module 2
Unit 1
Network Layer Design Issues
1.1 Store-and-Forward Packet Switching
1.2 Services Provided to the Transport Layer
1.3 Implementation of Connectionless Service
1.4 Implementation of Connection-Oriented Service
1.5 Comparison of Virtual Circuit and Datagram Subnets
1.6 Concepts of Routing Algorithms
Unit 2
Routing Algorithms
2.1 The Optimality Principle
2.2 Shortest Path Routing
2.3 Flooding
2.4 Distance Vector Routing
2.5 Link state Routing
2.6 Hierarchical Routing
2.7 Broadcast Routing
2.8 Multicast Routing
2.9 Routing for Mobile Hosts
Unit 3
Congestion Control
3.1 General Principles of Congestion Control
3.2 Congestion Prevention Policies
3.3 Congestion Control in Virtual-Circuit Subnets
3.4 Congestion Control in Datagram Subnet
3.5 Load Shedding
3.6 Jitter Control
UNIT 1
NETWORK LAYER DESIGN ISSUES
1.1 Introduction
1.2 Store-and-Forward Packet Switching
1.3 Services Provided to the Transport Layer
1.4 Implementation of Connectionless Service
1.5 Implementation of Connection-Oriented Service
1.6 Comparison of Virtual Circuit and Datagram Subnets
1.7 Concepts of Routing Algorithms
1.1 Introduction
The network layer is responsible for carrying packets from the source all the way to destination.
It deals with end to end transmission (host to host delivery). The figure 1.1 shows the position of
network layer in TCP/IP model. The network layer is the third layer in the model, which receives
services from the data link layer and provides services to the transport layer.
Fig 1.1 The position of network layer and its functionalities
1.2 Store-and-Forward Packet Switching
This section deals with the context in which the network layer protocol operates, shown in
fig 1.2. The major components of the system are
• the carrier's equipment (routers connected by transmission lines)
• the customers' equipment
The carrier's equipment is shown inside the shaded oval and the customers' equipment is shown
outside the oval. Host H1 is directly connected to one of the carrier's routers, A, by a leased line.
Host H2 is on a LAN with router F, owned and operated by the customer. This router also has a
leased line to the carrier's router E.
Fig 1.2 The environment of network layer protocols
Usage of this equipment
A host sends the packet to the nearest router. The packet is stored there until it has fully arrived
so that the checksum can be verified. Then the packet is forwarded to the next router along the
path until it reaches its destination host. This mechanism is store-and-forward packet
switching. Note that the checksum only detects accidental corruption on the line; it gives no
assurance that a router along the path has not deliberately altered the packet.
1.3 Services Provided to the Transport Layer
The network layer provides services to the transport layer at the network layer/transport layer
interface. The services are designed with the following goals:
1. The services should be independent of the router technology.
2. The transport layer should be shielded from the number, type, and topology of the routers
present.
3. The network addresses made available to the transport layer should use a uniform
numbering plan, even across LANs and WANs.
The network layer can provide either connection-oriented or connectionless service. The Internet
offers a connectionless network layer service (IP); ATM networks offer a connection-oriented
network layer service.
1.4 Implementation of Connectionless Service
In connectionless service packets are injected into the subnet individually and routed
independently of each other. No advance setup is needed. The packets are frequently called
datagrams and the subnet is called a datagram subnet.
As an example the process P1 in fig 1.3 has a long message for P2. It hands the message to the
transport layer with instructions to deliver it to process P2 on host H2. The transport layer code
runs on H1, typically within the operating system. It prepends a transport header to the front of
message and hands the result to the network layer, probably just another procedure within the
operating system.
Fig 1.3 Routing within a datagram subnet
If the message is four times longer than the maximum packet size, the network layer has to
break it into four packets, 1, 2, 3 and 4, and send each of them in turn to router A using some
point-to-point protocol.
Every router has an internal table telling it where to send packets for each possible destination.
Each table entry is a pair consisting of a destination and the outgoing line to use for that
destination. Only directly-connected lines can be used.
For example, in fig 1.3, A has only two outgoing lines to B and C, so every incoming packet
must be sent to one of these routers, even if the ultimate destination is some other router. A’s
initial routing table is shown in the fig under the label “initially.”
As they arrived at A, packets 1, 2 and 3 were stored briefly (their checksums verified) and then
each was forwarded to C according to A's table. Packet 1 was then forwarded to E and then to F.
When it got to F, it was encapsulated in a data link layer frame and sent to H2 over the LAN.
Packets 2 and 3 followed the same route.
For some reason, A decided to send packet 4 via a different route than that of the first three.
Perhaps it learned of a traffic jam somewhere along the ACE path and updated its routing table,
as shown under the label “later.” The algorithm that manages the tables and makes the routing
decision is called the routing algorithm.
1.5 Implementation of Connection-Oriented Service
For connection-oriented service, we need a virtual-circuit subnet. The idea behind virtual circuits
is to avoid having to choose a new route for every packet sent. Instead, when a connection is
established, a route from the source machine to the destination machine is chosen as part of the
connection setup and stored in tables inside the routers. That route is used for all traffic flowing
over the connection, exactly the way the telephone system works. When the connection is
released, the virtual circuit is also terminated. With connection-oriented service, each packet
carries an identifier telling which virtual circuit it belongs to, rather than a full destination address.
Fig 1.4 Routing within a virtual circuit subnet
Consider an example as shown in the fig 1.4; host H1 has established connection 1 with host H2.
It is remembered as the first entry in each of the routing tables. The first line of A’s table says
that if a packet bearing connection identifier 1 comes in from H1, it is to be sent to router C and
given connection identifier 1. Similarly, the first entry at C routes the packet to E, also with
connection identifier 1.
If H3 also wants to establish a connection to H2, it chooses connection identifier 1 (because it is
initiating the connection and this is its only connection) and tells the subnet to establish the
virtual circuit. This leads to the second row in the tables.
We have a conflict here: although A can easily distinguish connection 1 packets from H1 from
connection 1 packets from H3 (they arrive on different lines), C cannot, since both would arrive
from A carrying the same identifier. For this reason, A assigns a different connection identifier to
the outgoing traffic of the second connection. Avoiding conflicts of this kind is why routers need
the ability to replace connection identifiers in outgoing packets. In some contexts this is called
label switching; MPLS is the best-known example.
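The following is an added example, not part of the original notes: a small Python simulation of the two forwarding models in sections 1.4 and 1.5. The topology (routers A-F, hosts H1 and H3 on A, H2 on F), the table contents and the route change for packet 4 are assumptions chosen to have the shape of figs 1.3 and 1.4; they are not copied from the figures. The datagram half looks a packet up by destination at every router, so changing A's table between packet 3 and packet 4 changes the path. The virtual-circuit half keys each router's table on (incoming line, incoming identifier) and shows A rewriting H3's identifier 1 to 2 so that C can tell the two connections apart.

```python
"""Datagram forwarding vs. virtual-circuit label switching (added example)."""

# Constructed topology, assumed for this example: routers A-F, hosts H1 and H3
# on A, host H2 on F. It has the shape of figs 1.3/1.4 but the exact links and
# table contents are an assumption, not copied from the figures.
LINKS = {
    "A": ["H1", "H3", "B", "C"],
    "B": ["A", "D"],
    "C": ["A", "E"],
    "D": ["B", "F"],
    "E": ["C", "F"],
    "F": ["D", "E", "H2"],
}

# Datagram subnet: each router maps a destination to an outgoing line.
DATAGRAM_TABLES = {
    "A": {"H2": "C"},    # "initially": A reaches H2 via C
    "B": {"H2": "D"},
    "C": {"H2": "E"},
    "D": {"H2": "F"},
    "E": {"H2": "F"},
    "F": {"H2": "H2"},   # directly connected LAN
}

def datagram_route(tables, first_router, dest):
    """Follow the tables hop by hop and return the routers visited.
    Every packet is looked up on its destination address at every router, so a
    table change between two packets changes their paths."""
    path, here = [], first_router
    while here != dest:
        if here in path:
            raise RuntimeError(f"forwarding loop at {here}")
        path.append(here)
        here = tables[here][dest]
    return path

class VCRouter:
    """Virtual-circuit router: (incoming line, incoming VC id) -> (outgoing line, outgoing VC id)."""
    def __init__(self, name):
        self.name = name
        self.table = {}
        self.used_out = set()    # (outgoing line, VC id) pairs already allocated

    def setup(self, in_line, in_vc, out_line, wanted_vc):
        """Install an entry for a new connection. If the identifier the upstream
        node chose is already in use on out_line, allocate a different one; this
        rewrite is what keeps H1's and H3's 'connection 1' apart downstream."""
        out_vc = wanted_vc
        while (out_line, out_vc) in self.used_out:
            out_vc += 1
        self.used_out.add((out_line, out_vc))
        self.table[(in_line, in_vc)] = (out_line, out_vc)
        return out_vc

    def forward(self, in_line, in_vc):
        # No destination address is consulted; the label alone selects the entry.
        return self.table[(in_line, in_vc)]

def vc_setup(routers, path, first_vc):
    """Set up a virtual circuit along path = [src host, r1, ..., rn, dst host].
    Returns the VC identifier used on each hop (it may change at each router)."""
    vc, labels = first_vc, []
    for i in range(1, len(path) - 1):
        vc = routers[path[i]].setup(path[i - 1], vc, path[i + 1], vc)
        labels.append(vc)
    return labels

def vc_route(routers, entry_line, first_router, vc):
    """Forward one data packet carrying VC id `vc`; returns (routers visited, label per hop)."""
    visited, labels, line, here = [], [], entry_line, first_router
    while here in routers:
        visited.append(here)
        nxt, vc = routers[here].forward(line, vc)
        labels.append(vc)
        line, here = here, nxt
    return visited, labels

def demo():
    # Datagrams: packets 1-3 use A's initial table; A then learns of a jam on
    # the A-C-E path and packet 4 is routed via B with no change to the packet.
    tables = {r: dict(t) for r, t in DATAGRAM_TABLES.items()}
    p123 = datagram_route(tables, "A", "H2")
    tables["A"]["H2"] = "B"                      # "later"
    p4 = datagram_route(tables, "A", "H2")
    # Virtual circuits: H1 and H3 both pick identifier 1 for their connection to H2.
    routers = {n: VCRouter(n) for n in LINKS}
    labels_h1 = vc_setup(routers, ["H1", "A", "C", "E", "F", "H2"], 1)
    labels_h3 = vc_setup(routers, ["H3", "A", "C", "E", "F", "H2"], 1)
    return p123, p4, labels_h1, labels_h3, vc_route(routers, "H3", "A", 1)

if __name__ == "__main__":
    print(demo())
```

The point to take from the virtual-circuit half is that a label has meaning only on one link: it is allocated per outgoing line and rewritten at every router, so a host cannot choose an identifier that collides with, or lets it read, another host's circuit further along the path.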
1.6 Comparison of Virtual-Circuit and Datagram Subnets
The comparisons are tabulated in the table 1.1
Table 1.1 Comparison of datagram and virtual-circuit subnets
1.7 Concepts of Routing Algorithms
The main function of the network layer is routing packets from the source to the destination. The
routing algorithm is the part of the network layer software responsible for deciding on which
output line an incoming packet should be transmitted.
If the subnet uses datagrams internally, this decision must be made anew for every arriving packet,
since the best route may have changed since last time. If the subnet uses virtual circuits internally,
the decision is made only when a new virtual circuit is being set up; thereafter data packets just
follow the previously established route.
Difference between routing and forwarding
Forwarding moves a packet from a router's input to the appropriate router output by looking it up
in the routing table. It is the process of getting through a single interchange.
Routing determines the route taken by packets from the source to the destination, i.e. it fills in
and updates the routing tables. It is the process of planning the trip from source to destination.
The properties that are required for a routing algorithm are correctness, simplicity, robustness,
stability, fairness and optimality.
The routing algorithm classification is shown in fig 1.5
Fig 1.5 The routing algorithm classification
Non-adaptive algorithms [static routing]
• The network establishes an initial topology of paths; the addresses of these paths are loaded
into the routing table at each node and kept for a certain period of time.
• The routes change only slowly over time.
• The choice of route is computed in advance, off-line, and downloaded to the routers when the
network is booted.
Adaptive algorithms [dynamic routing]
• The state of the network is learned through the communication of each router with its
neighbors; the state of each region is thus propagated throughout the network once all the
nodes have updated their routing tables.
• The routes change more quickly.
• Routing decisions are changed to reflect changes in topology (and often in traffic as well).
UNIT 2
ROUTING ALGORITHMS
2.1 The Optimality Principle
2.2 Shortest Path Routing
2.3 Flooding
2.4 Distance Vector Routing
2.5 Link state Routing
2.6 Hierarchical Routing
2.7 Broadcast Routing
2.8 Multicast Routing
2.9 Routing for Mobile Hosts
2.1 The Optimality Principle
The optimality principle is a general statement about optimal routes that holds regardless of the
network topology or traffic: "If router J is on the optimal path from router I to router K, then the
optimal path from J to K also falls along the same route."
To see this, call the part of the route from I to J r1 and the rest of the route, from J to K, r2. If a
route better than r2 existed from J to K, it could be concatenated with r1 to improve the route from
I to K, contradicting the assumption that r1r2 is optimal. A consequence is that the set of optimal
routes from all sources to a given destination forms a tree rooted at the destination, called the
sink tree.
2.2 Shortest Path Routing [Dijkstra's shortest path]
The key concept in this routing is to build a graph of the subnet, with each node of the graph
representing a router and each arc representing a communication line (link). To choose a route
between a given pair of routers, the algorithm finds the shortest path between them on the graph.
The labels on the arcs can be computed as a function of distance, bandwidth, average traffic,
communication cost, mean queue length, measured delay, or a combination of these.
Dijkstra's Shortest Path Algorithm
Initially label each node with its distance from the source node along the best known path. Since
no paths are known yet, all nodes are labeled with infinity (except the source, labeled 0). Labels are
tentative until a node is known to be on the shortest path, after which they are made permanent.
Working node = source node
Sink node = destination node
While the working node is not the sink node:
1. Mark the working node as permanent.
2. Examine each adjacent node in turn. If the label on the working node plus the distance from
the working node to the adjacent node is less than the adjacent node's current label, a shorter
path has been found: relabel the adjacent node with the new distance and record the node from
which the probe was made.
3. Examine all tentatively labeled nodes (not just the adjacent ones) and make the one with the
smallest label permanent. It becomes the new working node.
Finally, reconstruct the path backwards from sink to source by following the recorded predecessors.
In this example, we need to find the shortest path from A (source) to D (destination)
Fig 2.1 Compute shortest path from A to D
The arrows indicate the working node.
• Mark node A as permanent, indicated by a filled-in circle, as shown in fig 2.1(a).
• Examine the nodes adjacent to A and relabel each one with its distance to A. Whenever a node
is relabeled, it is also labeled with the node from which the probe was made, so that the final
path can be reconstructed later.
• Now choose B as the new working node, as its distance from node A is less than that of the
other adjacent node G, shown in fig 2.1(b).
• Starting with node B, examine all the nodes adjacent to it and assign each the cumulative
distance, i.e. the label on B plus the distance from B to the adjacent node (C and E). Node E
now has the smallest tentative label and is chosen as the new working node, shown in fig 2.1(c).
The procedure continues until the sink becomes permanent: at each step all nodes adjacent to the
working node are inspected and their tentative labels lowered where possible. The shortest path
computed is A-B-E-F-H-D with a distance of 10 units.
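The following is an added worked example, not part of the original notes: a Python implementation of the labeling procedure above, run on a constructed graph. Fig 2.1 is not reproduced here, so the arc costs are an assumption chosen so that the result is the path A-B-E-F-H-D of length 10 quoted above. Each label is a (distance, predecessor) pair, exactly as the procedure records the node from which the probe was made.

```python
import math

# Constructed graph, assumed for this example: undirected links with the cost
# written on each arc. Node and cost choices are ours, not taken from fig 2.1.
GRAPH = {
    ("A", "B"): 2, ("A", "G"): 6, ("B", "C"): 7, ("B", "E"): 2,
    ("C", "D"): 3, ("C", "F"): 3, ("E", "F"): 2, ("E", "G"): 1,
    ("F", "H"): 2, ("G", "H"): 4, ("H", "D"): 2,
}

def adjacency(graph):
    """Build node -> {neighbor: cost} from the undirected arc list."""
    adj = {}
    for (u, v), w in graph.items():
        adj.setdefault(u, {})[v] = w
        adj.setdefault(v, {})[u] = w
    return adj

def dijkstra(graph, source, sink):
    """Return (distance, path) from source to sink using the labeling procedure.
    Costs must be non-negative: a negative arc would let a permanent label be
    improved later, which the algorithm never re-examines."""
    adj = adjacency(graph)
    label = {n: (math.inf, None) for n in adj}   # node -> (distance, predecessor)
    label[source] = (0, None)
    permanent = set()
    working = source
    while working != sink:
        permanent.add(working)                     # step 1
        d_work = label[working][0]
        for nbr, w in adj[working].items():        # step 2: probe adjacent nodes
            if nbr in permanent:
                continue
            if d_work + w < label[nbr][0]:
                label[nbr] = (d_work + w, working) # shorter path: relabel, remember probe origin
        tentative = [n for n in adj if n not in permanent and label[n][0] < math.inf]
        if not tentative:
            return math.inf, []                    # sink unreachable
        working = min(tentative, key=lambda n: label[n][0])   # step 3
    path, n = [], sink                             # reconstruct backwards
    while n is not None:
        path.append(n)
        n = label[n][1]
    path.reverse()
    return label[sink][0], path

if __name__ == "__main__":
    print(dijkstra(GRAPH, "A", "D"))
```

Step 3 scans every tentative node, not only the neighbors of the current working node; that is what makes the node with the globally smallest label permanent and is the step most often got wrong when the procedure is re-implemented from memory. A production implementation replaces the linear scan with a priority queue, but the labels and the result are the same.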
2.3 Flooding
Flooding is a static algorithm in which every incoming packet is sent out on every outgoing line
except the one on which it arrived. It generates a large number of duplicate packets (in fact an
infinite number unless something is done to damp the process), so certain measures are taken:
1. One measure is to have a hop counter in the header of each packet, decremented at each
hop. When the counter reaches zero the packet is discarded. Ideally the hop counter is
initialized to the length of the path from source to destination; if the sender does not know
this, the diameter of the subnet is used.
2. Another measure is to keep track of which packets have already been flooded, to avoid
sending them a second time. The source router places a sequence number in each packet it
receives from its hosts; each router then keeps a list per source router telling which sequence
numbers originating at that source have already been seen.
3. A variation is selective flooding. Here the routers do not send every incoming packet out
on every line, only on those lines going approximately in the right direction.
Flooding is used in
• military applications, where a large number of routers may be blown to bits at any instant,
because of its robustness;
• distributed database applications, to update all the databases concurrently;
• wireless networks, where a message transmitted by a station is received by all other stations
within range anyway.
It is also used as a metric against which other routing algorithms can be compared: flooding
always finds the shortest path, because it tries every possible path in parallel.
2.4 Distance Vector Routing [Bellman-Ford routing algorithm, or Ford-Fulkerson algorithm]
The most popular dynamic algorithm is distance vector routing. In distance vector routing,
• Each router maintains a routing table indexed by, and containing one entry for, each router
in the subnet. The entry has two parts:
 the preferred outgoing line to use for that destination, and
 an estimate of the time or distance to that destination.
• Each router transmits its distance vector (the list of its estimated distances to every
destination) to each of its neighbors.
• Each router receives and saves the most recently received distance vector from each of its
neighbors.
• A router recalculates its distance vector when
 it receives a distance vector from a neighbor containing different information than
before, or
 it discovers that a link to a neighbor has gone down (a topology change).
• The metric used might be the number of hops, the time delay in milliseconds, the total
number of packets queued along the path, etc.
Fig 2.2 (a) A subnet
(b) Input from A, I, H, K and the new routing table for J
Consider an example where delay is used as the metric. Fig 2.2(a) shows the subnet, and the first
four columns of fig 2.2(b) show the delay vectors received by router J from its neighbors. Router A
claims to have a 12 ms delay to B, 25 ms to C, 40 ms to D, and so on. Router I claims a 24 ms delay
to A, 36 ms to B, and so on. Similarly, the delay vectors from routers H and K are entered.
Suppose J has measured its own delay to its neighbors A, I, H and K as 8, 10, 12 and 6 ms
respectively. To compute a new route from J to G, J adds its measured delay to each neighbor to
that neighbor's advertised delay to G, giving one candidate value per neighbor. The best of these
values is 18 ms, via H, so J makes an entry in its routing table that the delay to G is 18 ms and the
route is via H. The same calculation is performed for every other destination, and the result is the
new routing table for J shown in the last column of fig 2.2(b). Note that J takes its neighbors'
advertisements at face value: a neighbor that advertises false (for example, zero) distances can
attract J's traffic for every destination.
The Count –to - Infinity Problem
Distance vector routing works in theory but has a serious drawback in practice. In particular it
reacts rapidly to good news but leisurely to bad news.
Fig 2.3 The Count-to-Infinity
To see how fast good news propagates, consider the five-node linear subnet of fig 2.3(a), where the
delay metric is the number of hops.
• Suppose A is down initially, so all the other routers have recorded their delay to A as infinity.
• When A comes up, the other routers learn about it through vector exchanges. At the first
exchange B learns that its left neighbor (A itself) has zero delay to A, so B makes an entry in its
routing table that A is one hop away to the left.
• On the next exchange C learns that B has a path of length 1 to A, so it updates its entry to 2; on
the exchange after that D updates to 3, and on the next E updates to 4.
• Good news thus spreads at the rate of one hop per exchange.
In fig 2.3(b) all the lines and routers are initially up. Suddenly A goes down, or the line between A
and B is cut (which is the same thing from B's point of view).
 At the first packet exchange, B does not hear anything from A, but C announces a path to A of
length 2. B does not know that C's path runs through B itself, so it concludes that it can reach A
via C with length 3. D and E do not update their entries for A on the first exchange.
 On the second exchange, C notices that each of its neighbors claims a path to A of length 3, so it
sets its own distance to A to 4.
 Subsequent exchanges are shown in fig 2.3(b). From the figure it is clear why bad news travels
slowly: no router ever has a value more than one higher than the minimum of its neighbors.
Eventually all routers work their way up to infinity, but the number of exchanges required depends
on the numerical value used for infinity. So it is wise to set infinity to the longest path plus 1. If the
metric is time delay, there is no well-defined upper bound, so a high value is needed to prevent a
path with a long delay from being treated as down. This problem is known as the count-to-infinity
problem.
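The following is an added example, not part of the original notes: a synchronous distance vector simulation in Python of the five-node subnet A-B-C-D-E with a hop-count metric and infinity set to 16. The routers, the chain topology and the round-by-round exchange model are assumptions made for the example. It reproduces both halves of fig 2.3: knowledge of A spreading one hop per exchange after A comes up, and the values at B, C, D, E climbing in pairs (3,2,3,4), (3,4,3,4), (5,4,5,4), ... after the A-B line is cut, until every router reaches 16.

```python
INF = 16   # "infinity" for the hop-count metric: longest path (4) plus a margin

class DVRouter:
    def __init__(self, name):
        self.name = name
        self.neighbors = {}        # neighbor -> link cost (1 hop here)
        self.vector = {name: 0}    # destination -> estimated distance (the distance vector)
        self.received = {}         # neighbor -> the last vector it sent us

    def recompute(self):
        """Bellman-Ford step: distance to d = min over neighbors n of
        cost(n) + n's advertised distance to d. Returns True if anything changed.
        A neighbor's advertisement is taken at face value, which is both why the
        algorithm is simple and why it counts to infinity."""
        dests = set(self.vector).union(*self.received.values()) - {self.name}
        new = {self.name: 0}
        for d in dests:
            best = INF
            for n, cost in self.neighbors.items():
                best = min(best, cost + self.received.get(n, {}).get(d, INF))
            new[d] = best
        changed = new != self.vector
        self.vector = new
        return changed

def link(routers, a, b, cost=1):
    routers[a].neighbors[b] = cost
    routers[b].neighbors[a] = cost

def cut(routers, a, b):
    """Line failure: each end forgets the neighbor and the vector it last sent."""
    for x, y in ((a, b), (b, a)):
        routers[x].neighbors.pop(y, None)
        routers[x].received.pop(y, None)

def exchange(routers):
    """One synchronous round: every router sends its vector to each neighbor,
    then every router recomputes. Returns True if any vector changed."""
    for r in routers.values():
        for n in r.neighbors:
            routers[n].received[r.name] = dict(r.vector)
    return any([r.recompute() for r in routers.values()])   # list: all routers recompute

def chain(names="ABCDE"):
    routers = {n: DVRouter(n) for n in names}
    for a, b in zip(names, names[1:]):
        link(routers, a, b)
    return routers

def good_news(rounds=4):
    """A initially unknown: distance to A at B, C, D, E after each exchange (INF = unknown)."""
    routers = chain()
    history = []
    for _ in range(rounds):
        exchange(routers)
        history.append([routers[n].vector.get("A", INF) for n in "BCDE"])
    return history

def bad_news(max_rounds=100):
    """Converge, then cut A-B: distance to A at B, C, D, E after each exchange until stable."""
    routers = chain()
    while exchange(routers):
        pass
    cut(routers, "A", "B")
    history = []
    for _ in range(max_rounds):
        if not exchange(routers):
            break
        history.append([routers[n].vector["A"] for n in "BCDE"])
    return history

if __name__ == "__main__":
    print("good news:", good_news())
    for row in bad_news():
        print("bad news: ", row)
```

With INF = 16 the bad-news run needs 15 exchanges before every router agrees that A is unreachable; raising infinity lengthens that window, during which packets for A loop between B and C. The simulation also makes the trust problem concrete: a router has no way to check a neighbor's claim, so an attacker that speaks the protocol can advertise short distances and attract traffic.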
2.5 Link State Routing
Distance vector routing was used in the ARPANET until 1979, when it was replaced by link state
routing, because of two primary problems:
1. The delay metric was queue length; it did not take line bandwidth into account when
choosing routes.
2. The algorithm often took too long to converge (the count-to-infinity problem).
Each router must do the following
1. Discover its neighbors and learn their network addresses.
2. Measure the delay or cost to each of its neighbors.
3. Construct a packet telling all it has just learned.
4. Send this packet to all other routers.
5. Compute the shortest path to every other router.
Learning about neighbors
When a router is booted, it sends HELLO packet to each point-to-point line to learn who its
neighbors are. The router on the other end replies back who it is. The names must be globally
unique.
Measuring line cost
Each router must know the delay to each of its neighbors. To determine this delay, a router sends
a special ECHO packet to each neighbor, which must send it back immediately. By measuring the
round-trip time and dividing by two, the sending router estimates the delay; for better results the
test is repeated several times and the results averaged.
Whether the load on the line should be taken into account is a design choice. To include the load,
the round-trip timer is started when the ECHO packet is queued; to ignore the load, the timer is
started when the ECHO packet reaches the front of the queue.
Building Link State Packets
After collecting the required information, the next step for each router is to build a link state
packet. The packet starts with the identity of the sender, followed by a sequence number, an age,
and a list of neighbors; for each neighbor the delay to that neighbor is given. Fig 2.4 shows a subnet
and the corresponding link state packets for all six routers. The packets are built periodically (at
regular intervals) or when some significant event occurs, such as a line or neighbor going down or
coming back up.
Fig 2.4 (a) A subnet
(b) The link state packets for this subnet
Distributing the Link State Packets
The link state packets must be distributed reliably, and the basic distribution algorithm used is
flooding. To keep the flood in check, each packet contains a sequence number that is incremented
for each new packet the source sends. Routers keep track of all the (source router, sequence
number) pairs they have seen. When a packet comes in, the router checks it against this list: if it is
new, it is forwarded on all lines except the one it arrived on; if it is a duplicate, it is discarded; and
if its sequence number is lower than the highest one seen so far from that source, it is rejected as
obsolete.
This algorithm encounters certain problems:
 Sequence numbers wrap around.
 If a router crashes, it loses track of its sequence number and may restart at a lower value.
 If a sequence number is ever corrupted and, say, 35,450 is received instead of 4, then packets 5
through 35,450 will be rejected as obsolete.
The solution to these problems is to include the age of each packet after the sequence number.
The age is decremented once per second, and when it hits zero the information from that router is
discarded. Ageing also bounds the damage in the corrupted-sequence-number case: once the bogus
entry has aged out, the source's genuine packets are accepted again.
To make the algorithm more robust, some refinements are made. When a link state packet comes in
to a router for flooding, it is not queued for transmission immediately. Instead it is placed in a
holding area to wait a short while. If another link state packet from the same source comes in
during that time, their sequence numbers are compared: if they are equal the duplicate is discarded,
if they differ the older one is thrown out. To protect against errors on the router-router lines, all
link state packets are acknowledged.
Note that sequence numbers, ages and acknowledgements only protect against stale, duplicated
and corrupted packets; they do not tell a router whether a packet genuinely came from the router
it names. A forged link state packet carrying a high sequence number is accepted and flooded to
every router in the area, which is why deployed link state protocols such as OSPF and IS-IS add
cryptographic authentication of the packets.
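The following is an added example, not part of the original notes: a Python model of the per-source acceptance rule a router applies to incoming link state packets, with the age field used to expire entries. The packet fields, the router names and the 60-second age are assumptions for the example. The scenario walks through the corrupted-sequence-number case in the list above: after a packet claiming sequence number 35,450 has been accepted, the source's genuine packet 5 is rejected as obsolete until the bogus entry ages out.

```python
from dataclasses import dataclass

@dataclass
class LSP:
    source: str
    seq: int
    age: int        # seconds of life remaining when the packet is received
    neighbors: dict # neighbor -> delay

@dataclass
class Entry:
    lsp: LSP
    expires_at: float

class LinkStateDB:
    """Newest-sequence-number rule per source, plus ageing so that a bogus or
    stale high sequence number cannot block a source forever. Note that nothing
    here checks who really sent the packet; that is authentication's job."""
    def __init__(self):
        self.db = {}     # source -> Entry
        self.log = []    # (decision, source, seq) for inspection

    def _purge(self, now):
        for src in [s for s, e in self.db.items() if e.expires_at <= now]:
            del self.db[src]
            self.log.append(("expired", src, None))

    def receive(self, lsp, now):
        """Return True if the packet is new and must be flooded onward, False if dropped."""
        self._purge(now)
        cur = self.db.get(lsp.source)
        if cur is not None and lsp.seq <= cur.lsp.seq:
            self.log.append(("dropped", lsp.source, lsp.seq))   # duplicate (==) or obsolete (<)
            return False
        self.db[lsp.source] = Entry(lsp, now + lsp.age)
        self.log.append(("accepted", lsp.source, lsp.seq))
        return True

    def topology(self, now):
        """Current graph input for Dijkstra: source -> {neighbor: delay}, expired entries removed."""
        self._purge(now)
        return {s: e.lsp.neighbors for s, e in self.db.items()}

def lsp_scenario():
    """Constructed sequence of packets from router B as seen by one router."""
    db = LinkStateDB()
    decisions = [
        db.receive(LSP("B", 4, 60, {"A": 4, "C": 2}), now=0),       # first packet: accepted
        db.receive(LSP("B", 4, 60, {"A": 4, "C": 2}), now=1),       # same packet again: duplicate
        db.receive(LSP("B", 35450, 60, {"A": 4, "C": 2}), now=2),   # corrupted sequence number: accepted
        db.receive(LSP("B", 5, 60, {"A": 4, "C": 3}), now=3),       # genuine next packet: rejected as obsolete
        db.receive(LSP("B", 5, 60, {"A": 4, "C": 3}), now=70),      # bogus entry aged out: accepted
    ]
    return decisions, db

if __name__ == "__main__":
    decisions, db = lsp_scenario()
    print(decisions)
    for line in db.log:
        print(line)
```

The 60-second outage in the scenario is the cost of the ageing fix: a single corrupted (or injected) packet silences a router's updates for one full age period. Authentication removes the injected case; the corrupted case is what the acknowledgements and line-level checksums are for.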
Computing the New Routes
Once a router has received the full set of link state packets, it can construct the entire subnet
graph, since every link is represented twice, once for each direction. The two values can be
averaged or used separately. Dijkstra's algorithm is then run locally to construct the shortest path
to every possible destination, and the results are installed in the routing tables; normal operation
then resumes.
For a subnet with n routers, each having k neighbors, the memory required to store the input data
is proportional to kn.
Link state routing is widely used in real networks:
 The OSPF protocol used in the Internet uses a link state algorithm.
 The link state protocol IS-IS (Intermediate System to Intermediate System) is used in some
Internet backbones and in some digital cellular systems, and can support multiple network layer
protocols at the same time.
2.6 Hierarchical Routing
As networks grow in size, the routing tables grow with them, and with them the memory
consumption, the CPU time needed to scan the tables, and the bandwidth needed to exchange
status reports about them. So beyond a certain size, routing has to be done hierarchically.
In hierarchical routing the routers are divided into regions, with each router knowing the details
of how to route packets to destinations within its own region but knowing nothing about the
internal structure of other regions. For huge networks a two-level hierarchy is not sufficient; it is
then necessary to group the regions into clusters, the clusters into zones, the zones into groups,
and so on.
Fig 2.5 Hierarchical Routing
Fig 2.5 gives an example of two-level hierarchical routing with five regions. The full routing table
for router 1A has 17 entries, as shown in fig 2.5(b); the hierarchical routing table is shown in
fig 2.5(c).
Entries for local routers are kept in detail, whereas each other region is condensed into a single
entry. So all traffic for region 2 goes via the 1B line and traffic for the remaining regions via the
1C line. Hierarchical routing thus reduces the table from 17 to 7 entries. As the ratio of the number
of regions to the number of routers per region grows, the savings in table space increase. The price
is that a router may have to use a suboptimal path to some destinations, since one entry must
serve every router in a foreign region.
As an example, consider a subnet with 720 routers.
 If a two-level hierarchy is chosen, the subnet can be partitioned into 24 regions of 30 routers
each. Each router then requires 53 entries (30 local entries + 23 remote entries).
 If a three-level hierarchy is chosen with 8 clusters, each containing 9 regions of 10 routers,
each router needs 25 entries (10 entries for the local routers + 8 entries for the other regions
within its own cluster + 7 entries for the distant clusters).
In general, the optimal number of levels for an N-router subnet is ln N, requiring a total of e ln N
entries per router.
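The following is an added example, not part of the original notes: a short Python routine that computes the per-router table size for a hierarchy of any depth (reproducing the 53 and 25 above) and checks the ln N rule numerically. The rule is derived from a continuous model in which every level has the same fan-out N^(1/L); with a whole number of levels the best choice for 720 routers turns out to be 7 levels at about 17.9 entries, against e ln 720 of about 17.9, so the rule holds as an approximation.

```python
import math

def table_entries(group_sizes):
    """Entries in one router's table for a hierarchy given bottom-up:
    group_sizes[0] = routers per region, group_sizes[1] = regions per cluster,
    group_sizes[2] = clusters per zone, ... The router keeps one entry per router
    in its own region and one entry per *other* group at every higher level."""
    if not group_sizes:
        raise ValueError("need at least one level")
    return group_sizes[0] + sum(n - 1 for n in group_sizes[1:])

def routers_covered(group_sizes):
    """Total routers addressable by the hierarchy (product of the fan-outs)."""
    return math.prod(group_sizes)

def best_equal_levels(n_routers, max_levels=16):
    """Minimise L * N**(1/L) over the number of levels L: the continuous model
    behind the 'ln N levels, e ln N entries' rule. Returns (levels, entries)."""
    best = None
    for levels in range(1, max_levels + 1):
        entries = levels * n_routers ** (1 / levels)
        if best is None or entries < best[1]:
            best = (levels, entries)
    return best

if __name__ == "__main__":
    for sizes in ([720], [30, 24], [10, 9, 8]):
        print(sizes, routers_covered(sizes), "routers,", table_entries(sizes), "entries")
    print(best_equal_levels(720), "vs e ln N =", math.e * math.log(720))
```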
2.7 Broadcast Routing
Sending a packet to all destinations simultaneously is called broadcasting. Some of the proposed
methods are
1. Sending a distinct packet to each destination. This wastes bandwidth and requires the source
to have a complete list of all destinations.
2. Flooding. The disadvantage is that it generates too many packets and consumes too much
bandwidth.
3. Multidestination routing. Each packet contains either a list of destinations or a bit map
indicating the desired destinations. When a packet arrives at a router, the router checks all the
destinations to determine the set of output lines needed. It generates a new copy of the packet
for each output line and includes in each copy only those destinations that are to use that
line, so the destination set is partitioned among the output lines. After a sufficient number of
hops, each packet carries only one destination and is treated as a normal packet. This is like
separately addressed packets, except that when several packets must follow the same route,
one of them pays full fare and the rest ride free.
4. Use of the sink tree for the router (or any spanning tree). A spanning tree is a subset of the
subnet that includes all routers but contains no loops. If each router knows which of its lines
belong to the spanning tree, it can copy an incoming broadcast packet onto all the spanning tree
lines except the one it arrived on. This method makes excellent use of bandwidth. The only
disadvantage is that each router must have knowledge of the spanning tree for the method to be
applicable; with link state routing this information is available, with distance vector routing it
is not.
5. Reverse path forwarding. When a broadcast packet arrives at a router, the router checks
whether it arrived on the line that the router itself would use to send packets to the source of the
broadcast (the preferred line). If so, the packet is most likely the first copy to arrive and is
forwarded on all lines except the one it arrived on. If it arrived on any other line, it is discarded
as a probable duplicate.
Fig 2.6 Reverse path forwarding (a) A subnet (b) A sink tree (c) The tree built by
reverse path forwarding
The example subnet is shown in fig 2.6(a), fig 2.6(b) shows a sink tree for router I of that subnet,
and fig 2.6(c) shows how reverse path forwarding works.
• On the first hop, router I sends packets to F, H, J and N. Each of these arrived on the preferred
path to I, which is indicated by a circle around the letter.
• On the second hop, eight packets are generated, of which five arrive along the preferred line.
• On the third hop, only three arrive on the preferred path; the others are duplicates and are
dropped.
• After five hops and 24 packets the broadcast terminates, compared with four hops and 14
packets had the sink tree been followed exactly.
This method is easy to implement and reasonably efficient. Routers need no knowledge of any
spanning tree, only of the line they would use toward the source, which every routing algorithm
already provides.
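The following is an added example serving both section 2.3 (flooding) and this section, not part of the original notes: a Python simulation that broadcasts one packet from router I over a constructed 13-router, 18-line subnet (fig 2.6 is not reproduced; the topology is an assumption) under four policies: hop-counter-only flooding, flooding with a per-source sequence-number list, reverse path forwarding, and forwarding along the sink tree. It counts the packets sent on lines and the routers reached.

```python
from collections import deque

# Constructed topology, assumed for this example (not the book's fig 2.6):
# 13 routers, 18 undirected lines, broadcast source I.
EDGES = [
    ("I", "F"), ("I", "H"), ("I", "J"), ("I", "N"),
    ("F", "A"), ("F", "G"), ("H", "G"), ("H", "K"), ("J", "K"), ("J", "L"),
    ("N", "L"), ("N", "M"), ("A", "B"), ("G", "B"), ("K", "C"), ("L", "C"),
    ("M", "D"), ("C", "D"),
]

def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def sink_tree(adj, root):
    """Shortest-hop sink tree for `root`: parent[r] is the line router r would use
    to send to root (its preferred line); dist[r] is r's hop count from root."""
    parent, dist = {root: None}, {root: 0}
    q = deque([root])
    while q:
        u = q.popleft()
        for v in sorted(adj[u]):
            if v not in parent:
                parent[v], dist[v] = u, dist[u] + 1
                q.append(v)
    return parent, dist

def broadcast(adj, source, forward_lines, hop_limit=64):
    """Hop-synchronous broadcast. forward_lines(router, arrival_line, state) returns
    the lines a copy is forwarded on (empty = discard). Each copy carries a hop
    counter, decremented per hop; a copy arriving with zero is not forwarded.
    Returns (packets sent on lines, hops, set of routers that received a copy)."""
    state, pending = {}, [(source, None, hop_limit)]
    transmissions, hops, reached = 0, 0, set()
    while pending:
        nxt = []
        for router, line, ttl in pending:
            reached.add(router)
            if ttl == 0:
                continue
            for out in forward_lines(router, line, state):
                nxt.append((out, router, ttl - 1))
                transmissions += 1
        pending = nxt
        if pending:
            hops += 1
    return transmissions, hops, reached

def plain_flooding(adj):
    """Hop counter only: every copy goes out on every line but the arrival line."""
    return lambda r, line, st: [o for o in adj[r] if o != line]

def seq_flooding(adj):
    """Hop counter plus a per-(source, sequence number) seen list, here for one packet."""
    def f(r, line, st):
        if r in st:
            return []                       # already flooded this packet: duplicate
        st[r] = True
        return [o for o in adj[r] if o != line]
    return f

def reverse_path_forwarding(adj, parent):
    """Forward only copies that arrive on the router's preferred line toward the source."""
    def f(r, line, st):
        if line is not None and parent[r] != line:
            return []                       # non-preferred line: probable duplicate
        return [o for o in adj[r] if o != line]
    return f

def tree_flooding(adj, parent):
    """Forward on spanning-tree lines only; needs every router to know the tree."""
    tree = {r: set() for r in adj}
    for v, p in parent.items():
        if p is not None:
            tree[v].add(p)
            tree[p].add(v)
    return lambda r, line, st: [o for o in tree[r] if o != line]

def demo(source="I"):
    adj = adjacency(EDGES)
    parent, dist = sink_tree(adj, source)
    return {
        "plain": broadcast(adj, source, plain_flooding(adj), hop_limit=max(dist.values())),
        "seq":   broadcast(adj, source, seq_flooding(adj)),
        "rpf":   broadcast(adj, source, reverse_path_forwarding(adj, parent)),
        "tree":  broadcast(adj, source, tree_flooding(adj, parent)),
    }

if __name__ == "__main__":
    for name, (tx, hops, reached) in demo().items():
        print(f"{name:5s} {tx:3d} packets, {hops} hops, {len(reached)} routers reached")
```

Two things the counts show that the prose does not. First, sequence-numbered flooding and reverse path forwarding send exactly the same number of packets, 2E - (N - 1) for N routers and E lines (24 here), because under both rules every router forwards exactly once; the saving of reverse path forwarding is in state, not bandwidth, since it needs no per-source sequence-number lists. Second, a hop counter alone, even set to the exact diameter, still produces more packets than either (26 here) and the excess grows quickly with a larger limit, while the sink tree needs only N - 1 packets (12).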
2.8 Multicast Routing
Sending a message to a well-defined group of hosts is called multicasting, and its routing
algorithm is called multicast routing.
Multicasting requires group management: there must be a mechanism to create and destroy
groups and to allow processes to join and leave groups. When a host joins or leaves a group, the
routers must be informed so that they can update their information.
To do multicast routing, each router computes a spanning tree covering all the other routers. As
an example, fig 2.7(a) has two groups, 1 and 2; fig 2.7(b) shows the spanning tree for the leftmost
router, fig 2.7(c) shows the pruned spanning tree for group 1, and fig 2.7(d) shows the pruned
spanning tree for group 2. Multicast packets are forwarded only along the pruned tree.
Fig 2.7 (a) A network (b) A spanning tree for the leftmost router
(c) A multicast tree for group 1 (d) A multicast tree for group 2
Various ways of pruning the spanning tree are
• With link state routing, each router is aware of the complete topology, including which hosts
belong to which groups, so it can prune the tree itself.
• With distance vector routing, the basic algorithm is reverse path forwarding; a router that has
no hosts in the group and no interested downstream routers tells its upstream neighbor not to
forward traffic for that group to it.
• With core-based trees, a single spanning tree per group is computed, with the root (the core)
near the middle of the group; senders send to the core, which multicasts along the tree.
2.9 Routing for Mobile Hosts
The different kinds of hosts are
1. Stationary hosts - the host that never moves and is connected to the network by copper
wires or fiber optics.
2. Migratory hosts, basically stationary hosts that move from one fixed site to another from time
to time but use the network only when they are physically connected to it.
3. Roaming hosts, which actually compute on the run and want to maintain their connections as
they move around.
4. Mobile hosts, a collective term for hosts that are away from home but still want to be connected.
Fig 2.8 A WAN to which LANs, MANs and wireless cells are attached
All hosts are assumed to have a permanent home location that never changes, and a permanent
home address that can be used to determine their home location. The model of the world that
network designers typically use is shown in fig 2.8. The world is divided geographically into small
units called areas, typically a LAN or a wireless cell. Each area has
• one or more foreign agents, processes that keep track of all mobile hosts visiting the area, and
• a home agent, which keeps track of hosts whose home is in the area but who are currently
visiting another area.
When a new host enters an area, it must register itself with the foreign agent there. The
registration procedure is as follows:
• Periodically, each foreign agent broadcasts a packet announcing its existence and address. A
newly arrived mobile host may wait for one of these messages, but if none arrives quickly the
host can broadcast a packet asking whether there is any foreign agent around.
• The mobile host registers with the foreign agent, giving its home address, its current data link
layer address and some security information.
• The foreign agent contacts the mobile host's home agent and tells it that one of its hosts is in
the area. The message from the foreign agent contains the foreign agent's network address and
also the security information, to convince the home agent that the host is really there.
• The home agent examines the security information, which contains a timestamp to prove that
it was generated within the past few seconds (so that an old, captured registration cannot be
replayed). If it accepts, it tells the foreign agent to proceed.
• Once the foreign agent receives the acknowledgement from the home agent, it makes an entry
in its tables and informs the mobile host that it is now registered.
Fig 2.9 Packet routing for mobile hosts
• When a packet is sent to a mobile host, it is routed to the host's home LAN, as illustrated in
step 1 of fig 2.9.
• The home agent then looks up the mobile host's new location and finds the address of the
foreign agent handling it. The home agent does two things:
 It encapsulates the packet in the payload field of an outer packet and sends that to the
foreign agent (step 2 in fig 2.9). This mechanism is called tunneling. After getting the
encapsulated packet, the foreign agent removes the original packet from the payload field
and sends it to the mobile host as a data link frame.
 It tells the sender to send future packets to the mobile host by encapsulating them in the
payload of packets explicitly addressed to the foreign agent (step 3), instead of sending them
to the home address.
• Subsequent packets are then routed directly to the host via the foreign agent (step 4),
bypassing the home location entirely.
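The following is an added example, not part of the original notes: a Python model of the registration and tunneling exchange described in the two lists above. The notes say only that the registration carries "security information" with a timestamp that convinces the home agent; the concrete form used here (an HMAC over the home address, the foreign agent's address and the timestamp, computed with a key the home agent shares with each of its hosts, plus a freshness window and a newest-timestamp replay check) is an assumption for the example, as are the agent addresses and the shared key. The scenario shows a valid registration accepted, the same registration replayed and refused, a forged one refused, and a packet for the host tunneled to the foreign agent and decapsulated there.

```python
import hmac
import hashlib

def auth_tag(key, *fields):
    """HMAC-SHA256 over the registration fields. The shared key plays the role of
    the 'security information' the home agent already holds for each of its hosts
    (an assumption for this example; the notes do not specify the mechanism)."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class HomeAgent:
    MAX_SKEW = 30   # seconds; a registration whose timestamp is older than this is stale

    def __init__(self, address, keys):
        self.address = address
        self.keys = keys          # home address -> shared key
        self.location = {}        # home address -> foreign agent currently serving it
        self.last_ts = {}         # home address -> newest timestamp accepted (replay guard)

    def register(self, home_addr, foreign_agent, ts, tag, now):
        """Accept a registration only if it is authentic, fresh and not a replay."""
        key = self.keys.get(home_addr)
        if key is None:
            return False                                        # not one of our hosts
        if not hmac.compare_digest(auth_tag(key, home_addr, foreign_agent, ts), tag):
            return False                                        # forged, or fields tampered with
        if abs(now - ts) > self.MAX_SKEW or ts <= self.last_ts.get(home_addr, -1):
            return False                                        # stale, or an old registration replayed
        self.last_ts[home_addr] = ts
        self.location[home_addr] = foreign_agent
        return True

    def deliver(self, packet):
        """Steps 1-2: a packet for a host that is away is tunneled to its foreign agent."""
        fa = self.location.get(packet["dst"])
        if fa is None:
            return packet                                       # host is at home: normal delivery
        return {"src": self.address, "dst": fa, "payload": packet}   # encapsulation

class ForeignAgent:
    def __init__(self, address, home_agents):
        self.address = address
        self.home_agents = home_agents   # home agent address -> HomeAgent (reached over the WAN)
        self.visitors = {}               # home address -> data link address on our LAN

    def register(self, home_addr, home_agent_addr, dl_addr, ts, tag, now):
        """Relay the host's registration to its home agent; record the visitor only if accepted."""
        ok = self.home_agents[home_agent_addr].register(home_addr, self.address, ts, tag, now)
        if ok:
            self.visitors[home_addr] = dl_addr
        return ok

    def decapsulate(self, outer):
        """Remove the original packet from the payload; return it with the LAN address to frame it to."""
        if outer["dst"] != self.address:
            raise ValueError("not addressed to this foreign agent")
        inner = outer["payload"]
        return inner, self.visitors.get(inner["dst"])

def mobile_scenario():
    key = b"constructed-shared-key"                         # constructed test key
    ha = HomeAgent("ha.home.example", {"MH1": key})
    fa = ForeignAgent("fa.visited.example", {"ha.home.example": ha})
    ts = 1_000_000                                           # constructed timestamp
    tag = auth_tag(key, "MH1", fa.address, ts)
    first = fa.register("MH1", "ha.home.example", "aa:bb:cc:dd:ee:ff", ts, tag, now=ts + 2)
    replay = fa.register("MH1", "ha.home.example", "aa:bb:cc:dd:ee:ff", ts, tag, now=ts + 5)
    forged = fa.register("MH1", "ha.home.example", "00:11:22:33:44:55", ts + 1, "00" * 32, now=ts + 6)
    outer = ha.deliver({"src": "sender.example", "dst": "MH1", "data": "hello"})
    inner, frame_dst = fa.decapsulate(outer)
    return first, replay, forged, outer["dst"], inner["data"], frame_dst

if __name__ == "__main__":
    print(mobile_scenario())
```

Binding the foreign agent's address into the tag matters: a registration captured in one area cannot be replayed by a foreign agent elsewhere to redirect the host's traffic to itself, because the tag would no longer verify. The timestamp check is what the notes refer to; the newest-timestamp record closes the remaining window in which a capture could be replayed within the skew allowance.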
UNIT 3
CONGESTION CONTROL
3.1 Introduction
3.2 General Principles of Congestion Control
3.3 Congestion Prevention Policies
3.4 Congestion Control in Virtual-Circuit Subnets
3.5 Congestion Control in Datagram Subnets
3.6 Load Shedding
3.7 Jitter Control
3.1 Introduction
When too many packets are present in (a part of) the subnet, performance degrades; this situation
is called congestion. It occurs when the load on the network is greater than the capacity of the
network. Fig 3.1 depicts congestion: as the traffic increases beyond the carrying capacity, the
routers are no longer able to cope and begin to drop packets, and eventually performance collapses
completely and almost no packets are delivered.
Congestion can be brought on by several factors:
• If packets arriving on three or four input lines all need the same output line, a queue will build
up. If there is insufficient memory to hold them all, packets will be lost.
• If routers have an infinite amount of memory, congestion gets worse, not better, because by the
time packets get to the front of the queue they have already timed out and duplicates have been
sent; the duplicates add to the load.
• Slow processors can also cause congestion: if a router's CPU is slow at its bookkeeping tasks,
queues build up even though there is excess line capacity.
• Low-bandwidth lines can also cause congestion.
Fig 3.1 When too much traffic is offered, congestion sets in and performance degrades
sharply
Difference between congestion control and flow control
Congestion control makes sure the subnet is able to carry the offered traffic. It involves the
behavior of all the hosts, all the routers, store and forwarding processing within the routers and
all the other factors related to the carrying capacity of the subnet.
Flow control relates to the point-to point traffic between a given sender and a receiver. Its job is
to make sure that a fast sender cannot continuously transmit data faster than the receiver is able
to absorb it. It involves direct feedback from the receiver to the sender.
3.2 General Principles of Congestion Control
Solutions to many problems in complex systems can be divided into two groups, open loop and
closed loop.
• Open loop solutions attempt to solve the problem by good design, making sure that congestion
does not occur in the first place. Once the system is up and running, midcourse corrections are
not made.
• Closed loop solutions are based on the concept of a feedback loop. Applied to congestion
control, this has three parts:
 monitor the system to detect when and where congestion occurs,
 pass this information to places where action can be taken, and
 adjust the system's operation to correct the problem.
Some of the metrics used to monitor the subnet for congestion are
• the percentage of all packets discarded for lack of buffer space, the average queue length, the
number of packets that time out, and the average packet delay; in all these cases rising numbers
indicate growing congestion.
• Alternatively, hosts or routers can periodically send probe packets out to explicitly ask about
congestion.
• In feedback schemes, knowledge of the congestion causes the hosts to take appropriate action
to reduce it.
Congestion control algorithms are classified as
1. Open loop algorithm (prevention) - congestion control is handled either by source or
destination. Policies are applied to prevent congestion before it happens.
2. Closed loop algorithm (removal) - It is further classified into
 Explicit feedback algorithm – packets are sent back from the point of congestion
to warn the source.
 Implicit feedback algorithm – the source deduces the existence of congestion by
making local observations such as time required for acknowledgements to come
back.
3.3 Congestion Prevention Policies
Some of the data link, network and transport policies that affect congestion are summarized in
the table 3.1.
Table 3.1 Policies that affect congestion
With respect to the data link layer
Retransmission policy is how fast a sender times out and what it transmits upon timeout. Jumpy
senders that time out quickly and retransmit all outstanding packets using go-back-n put a heavier
load on the subnet. This is closely related to buffering policy: if receivers routinely discard
packets, those packets have to be transmitted again, creating extra load. So with respect to
congestion control, selective repeat is better than go-back-n.
Acknowledgement policy also affects congestion: if each packet is acknowledged immediately, traffic
increases. A tight flow control scheme helps congestion control by reducing the data rate.
Network layer
- The choice between using virtual circuits and datagrams affects congestion, since most congestion
  control algorithms work only with virtual circuit subnets.
- Packet queuing and service policy relates to whether routers have one queue per input line, one
  queue per output line, or both.
- Discard policy determines which packet is dropped when there is no space for it.
- The routing algorithm can help to avoid congestion by spreading the traffic over all lines.
- Packet lifetime management deals with how long a packet may live before it is discarded.
Transport layer
The same issues occur as in the data link layer. In addition, if the timeout interval is too short,
extra packets will be sent unnecessarily. If it is too long, congestion will be reduced but response
time will suffer whenever a packet is lost.
3.4 Congestion Control in Virtual-Circuit Subnets
One technique widely used to control congestion in virtual circuit subnets is admission control:
once congestion has been signaled, no more virtual circuits are set up until the problem is solved.
Another approach is to allow new virtual circuits but carefully route all of them around the
problem areas. The example in fig 3.2 depicts omitting the congested routers and all their lines.
Fig 3.2 (a) A congested subnet (b) A redrawn subnet that eliminates the congestion. A
virtual circuit from A to B is also shown
A third approach is to negotiate an agreement between the host and the subnet when a virtual
circuit is set up. This agreement specifies the volume and shape of the traffic, the quality of
service required and other parameters. As part of the agreement the subnet reserves resources along
the path when the circuit is set up. The disadvantage is that this kind of reservation tends to
waste resources.
3.5 Congestion Control in Datagram Subnets
Some of the approaches used in datagram subnets are:
Choke packets
A choke packet is a packet sent by a router to the source host to inform it about congestion. The
original packet is tagged (a header bit is turned on) so that it does not generate any more choke
packets further along the path.
- When the source gets the choke packet, it reduces the traffic on the line to the destination.
  Since other packets aimed at the same destination are already on the way, more choke packets will
  be generated.
- The host should ignore choke packets for a fixed time interval. After that period expires, the
  host starts listening for choke packets again. If the line is still congested, the host reduces
  the flow further and ignores choke packets again. If no choke packets arrive during the listening
  period, the host may increase the flow again.
Hop-by-hop choke packets
At high speeds or over long distances, sending a choke packet to the source host does not work well,
because the reaction is so slow. An example of choke packet propagation is shown in fig 3.3(a). An
alternative approach is to have the choke packet take effect at every hop it passes through, as
shown in fig 3.3(b).
As soon as the choke packet reaches F, F reduces the flow to D. Doing so requires F to devote more
buffers to the flow, since the source is still sending away at full blast, but it gives D immediate
relief. In the next step, the choke packet reaches E, which tells E to reduce the flow to F. This
action puts a greater demand on E's buffers but gives F immediate relief. Finally the choke packet
reaches A and the flow genuinely slows down.
The net effect of this hop-by-hop scheme is to provide quick relief at the point of congestion, at
the price of using up more buffers upstream.
Fig 3.3 (a) A choke packet that affects only the source (b) A choke packet that affects each
hop it passes through
3.6 Load Shedding
Load shedding is one of the methods for bringing down congestion. When routers are being flooded by
packets that they cannot handle, they just throw them away. Which packets are discarded may depend
on the applications running. Some of the policies are:
- The router simply picks packets at random to drop.
- In the case of file transfer, an old packet is the one worth dropping rather than a new one. In
  contrast, for multimedia, a new packet is dropped rather than an old one.
- To implement an intelligent discard policy, applications must mark their packets with priority
  classes to indicate how important they are.
- Hosts may be allowed to exceed the limits specified in the agreement negotiated when the virtual
  circuit was set up, subject to the condition that all excess traffic be marked as low priority.
RED (Random Early Detection) is a popular algorithm for dealing with congestion as soon as it is
first detected. Routers drop packets before the situation becomes hopeless (hence the name 'early');
the idea is that there is then time for action to be taken before it is too late.
To determine when to start discarding, routers maintain a running average of their queue lengths.
When the average queue length on some line exceeds a threshold, the line is said to be congested
and action is taken.
The router could inform the source about the congestion by sending a choke packet. The problem is
that this puts more load on an already congested network. A different approach is to just discard
the selected packet and not report it. The source will not receive an acknowledgement for that
packet, so it infers the situation and takes appropriate action.
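The running-average test described above, as an added example (not code from the original text): it feeds a constructed sequence of instantaneous queue-length samples through an exponentially weighted moving average and reports which arrivals would be silently discarded. The weight, threshold and sample values are assumptions chosen for illustration.

```python
# Added illustration of RED-style congestion detection; not code from the page.
# A router samples its output-queue length at every packet arrival and keeps
# a running (exponentially weighted) average instead of reacting to the raw value.

def running_average(samples, weight):
    """avg <- (1 - weight) * avg + weight * sample, starting from an empty queue.
    Returns the average after each sample."""
    if not 0 < weight <= 1:
        raise ValueError("weight must be in (0, 1]")
    avg = 0.0
    out = []
    for q in samples:
        avg = (1 - weight) * avg + weight * q
        out.append(avg)
    return out


def red_decisions(samples, weight, threshold):
    """For each arrival return True when the line counts as congested, i.e. the
    running average exceeds the threshold; the arriving packet is then discarded
    without any choke packet, so the missing ACK is the source's only signal."""
    return [avg > threshold for avg in running_average(samples, weight)]


def instantaneous_decisions(samples, threshold):
    """Naive policy for comparison: drop whenever the raw queue length exceeds threshold."""
    return [q > threshold for q in samples]


def drop_indices(decisions):
    """Arrival indices (0-based) at which a packet would be dropped."""
    return [i for i, d in enumerate(decisions) if d]


# Constructed sample: a burst builds up, holds, then drains.
QUEUE_SAMPLES = [0, 1, 2, 3, 4, 6, 8, 10, 10, 9, 8, 3, 2, 1, 0]

if __name__ == "__main__":
    red = drop_indices(red_decisions(QUEUE_SAMPLES, weight=0.5, threshold=4))
    raw = drop_indices(instantaneous_decisions(QUEUE_SAMPLES, threshold=4))
    print("RED drops at arrivals:", red)      # the average lags the burst on both edges
    print("raw-threshold drops  :", raw)
```

Note that the averaged policy ignores the single sample of 4 during the ramp but keeps dropping one arrival after the queue has already drained below the threshold; that lag is the price of filtering out transient bursts.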
3.7 Jitter Control
Jitter is the variation in delay for packets belonging to the same flow. Real-time audio and video
cannot tolerate high jitter: some packets taking 20 ms and others taking 30 ms to arrive will give
an uneven quality to the sound or movie.
Jitter is illustrated in fig 3.4. The range chosen must be feasible. It must take into account the
speed-of-light transit time and the minimum delay through the routers, and perhaps leave a little
slack for some inevitable delays.
Jitter can be bounded by computing the expected transit time for each hop along the path. When a
packet arrives at a router, the router checks how far the packet is behind or ahead of schedule. If
it is ahead of schedule it is held back, and if it is behind schedule it is sped up. This reduces
the amount of jitter.
Fig 3.4(a) High jitter (b) Low jitter
In some applications, such as video on demand (VOD), jitter can be eliminated by buffering at the
receiver and then fetching the data for display from the buffer instead of fetching it from the
network in real time.
Module 3
Unit 1 Quality of Service
1.1 Flow characteristics
1.2 Techniques for Achieving- Good Quality of Service
1.3 Integrated Services
1.4 Differentiated Services
Unit 2 Internetworking
2.1 Need for Network Layer
2.2 Internet as Packet-Switched Network
2.3 Internet as Connectionless Network
2.4 Tunneling
2.5 Internetwork Routing
2.6 Fragmentation
Unit 3 The Network Layer in the Internet
3.1 The IP Protocol
3.2 IP Addresses
3.3 Subnet
3.4 IPV6
UNIT 1
QUALITY OF SERVICE (QoS)
1.1 Flow characteristics
1.2 Techniques for Achieving- Good Quality of Service
1.3 Integrated Services
1.4 Differentiated Services
Quality of Service (QoS) is an internetworking issue. We can informally define QoS as
something a flow seeks to attain.
1.1 Flow Characteristics
The four characteristics attributed to a flow are reliability, delay, jitter and bandwidth, as
shown in fig 1.1.
Fig 1.1 Flow characteristics
Reliability
Reliability is a characteristic that a flow needs. Lack of reliability means losing a packet or
acknowledgement, which then has to be retransmitted. E-mail, file transfer and Internet access need
reliable transmission.
Delay
Source-to-destination delay is another flow characteristic. Telephony, audio and video conferencing
and remote login need minimum delay, whereas delay in file transfer or e-mail is less important.
Jitter
Jitter is the variation in delay for packets belonging to the same flow. Real-time audio and video
cannot tolerate high jitter.
Bandwidth
The range of frequencies transmitted without being strongly attenuated is called bandwidth.
Different applications need different bandwidth.
Some common applications and rigidity of their requirements are listed in table 1.1.
Table 1.1 How stringent the QoS requirements are
ATM networks classify flows in four broad categories with respect to their QoS demands. They are:
- Constant bit rate (e.g. telephony)
- Real-time variable bit rate (e.g. compressed video conferencing)
- Non real-time variable bit rate (e.g. watching a movie over the internet)
- Available bit rate (e.g. file transfer)
1.2 Techniques for Achieving Good Quality of Service
Some of the techniques system designers use to achieve QoS are:
Over Provisioning
An easy solution is to provide so much router capacity, buffer space and bandwidth that packets
flow through easily. The disadvantage is that it is expensive. To some extent the telephone system
is over provisioned.
Buffering
Flows can be buffered on the receiving side before being delivered. Buffering does not affect
reliability or bandwidth, but it increases delay and smooths out the jitter. Fig 1.2 shows a
stream of packets being delivered with substantial jitter.
Fig 1.2 Smoothing the output stream by buffering packets
- Packet 1 is sent from the server at t = 0 sec and arrives at the client at t = 1 sec.
- Packet 2 undergoes delay and takes 2 secs to arrive.
- As the packets arrive they are buffered on the client machine.
- At t = 10 sec, playback begins. Packets 1 through 6, which have been buffered, are removed at
  uniform intervals for smooth play.
- Packet 8 has been delayed, so playback stops until it arrives, creating a gap in the play.
The problem can be solved by using a larger buffer and delaying the starting time still more.
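The buffering walkthrough above (and the jitter section 3.7 earlier), as an added example that is not code from the original text: it replays a constructed set of packet arrival times against a playout schedule, reports where playback stalls, and computes the smallest start delay that avoids any stall. The arrival times are assumed values modelled on the fig 1.2 narrative (packet 1 at 1 s, packet 2 two seconds late, packet 8 badly delayed).

```python
# Added example of receiver-side playout buffering; not the page's own code.
# Packets are sent from the server once per SEND_INTERVAL starting at t = 0 and
# arrive with varying network delay (constructed values, in seconds).
SEND_INTERVAL = 1.0
ARRIVALS = [1, 3, 4, 5, 6, 7, 8, 18, 19, 20]   # packet 8 (sent at t = 7) is very late


def jitter(arrivals, send_interval):
    """Max delay minus min delay across the flow (the page's definition of jitter)."""
    delays = [t - (i - 1) * send_interval for i, t in enumerate(arrivals, start=1)]
    return max(delays) - min(delays)


def playout(arrivals, start, interval):
    """Play one packet every `interval` seconds beginning at `start`, taking each
    packet from the buffer. Returns (play_times, stalls); a stall is recorded as
    (packet number, seconds playback waited) when the packet has not arrived yet."""
    play_times, stalls = [], []
    due = start
    for num, arrived in enumerate(arrivals, start=1):
        if arrived > due:                 # buffer empty: playback freezes until arrival
            stalls.append((num, arrived - due))
            due = arrived
        play_times.append(due)
        due += interval
    return play_times, stalls


def min_start_for_smooth_play(arrivals, interval):
    """Smallest playback start time with no stalls: packet i (1-based) is due at
    start + (i - 1) * interval, so start must be >= arrival_i - (i - 1) * interval."""
    return max(t - (i - 1) * interval for i, t in enumerate(arrivals, start=1))


if __name__ == "__main__":
    print("jitter:", jitter(ARRIVALS, SEND_INTERVAL), "s")
    times, stalls = playout(ARRIVALS, start=10, interval=1.0)
    print("start at 10 s:", times, "stalls:", stalls)
    safe = min_start_for_smooth_play(ARRIVALS, 1.0)
    print("earliest stall-free start:", safe, "s ->", playout(ARRIVALS, safe, 1.0)[1])
```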
Traffic Shaping
Traffic shaping is a mechanism to control the amount and the rate of traffic sent to the network.
It is about regulating the average rate of data transmission. The two techniques used to shape
traffic are:
- Leaky bucket
- Token bucket
Leaky bucket
The fig 1.3(a) depicts a bucket with a small hole at the bottom. No matter the rate at which water
enters the bucket, the outflow is at a constant rate ρ when there is water in the bucket and zero
when the bucket is empty. Once the bucket is full, it spills out additional water at the sides.
Similarly, in networking, a technique called the leaky bucket can smooth out bursty traffic. It is
shown in fig 1.3(b). Each host is connected to the network by an interface containing a leaky
bucket, i.e. a finite internal queue. If a packet arrives at the queue when it is full, the packet
is discarded. The host is allowed to put one packet per clock tick onto the network. This can be
enforced by the interface card or by the OS. It works fine if the packets are all the same size.
Turner proposed the leaky bucket algorithm in 1986. The following is the algorithm for variable
length packets:
1. Initialize a counter to n at the tick of the clock.
2. If n is greater than the size of the packet at the head of the queue, send the packet and
   decrement the counter by the packet size. Repeat this step until n is smaller than the packet
   size.
3. Reset the counter and go to step 1.
Fig 1.3 (a) A leaky bucket with water (b) A leaky bucket with packets
A simple leaky bucket implementation is shown in fig 1.4
Fig 1.4 Leaky bucket implementation
Thus the leaky bucket algorithm shapes bursty traffic into fixed-rate traffic by averaging the data
rate. It drops packets only when the bucket is full.
Token Bucket
In token bucket algorithm, the leaky bucket holds tokens, generated by a clock at the rate of one
token every Δ T sec. For a packet to be transmitted, it must capture and destroy one token.
The fig 1.5(a) shows the bucket holding three tokens with five packets waiting for transmission.
In fig 1.5(b) three packets have acquired the tokens and two are waiting for tokens to be
generated.
To implement this algorithm, a counter is initialized to zero. Each time a token is added, the
counter is incremented by 1. Each time a unit of data is sent, the counter is decremented by 1.
When the counter is zero, the host cannot send data. Thus the token bucket algorithm allows bursty
traffic at a regulated maximum rate.
Fig 1.5 The token bucket algorithm (a) Before (b) After
Comparison between Leaky bucket and Token bucket
- The leaky bucket is very restrictive. It does not credit an idle host. For example, if a host is
  not sending for a while, the bucket becomes empty. If the host then has bursty data, the leaky
  bucket allows only the average rate; the time the host was idle is not taken into account. The
  token bucket allows an idle host to accumulate credit for the future in the form of tokens.
- The leaky bucket algorithm discards packets when the bucket fills up. The token bucket algorithm
  throws away tokens when the bucket fills up but never discards packets.
To calculate the length of a maximum-rate burst, let
Burst length = S sec
Token bucket capacity = C bytes
Token arrival rate = ρ bytes/sec
Maximum output rate = M bytes/sec
An output burst contains a maximum of C + ρS bytes. The number of bytes in a maximum-speed burst
of length S sec is MS.
Hence C + ρS = MS, which gives S = C / (M – ρ).
The potential problem with the token bucket algorithm is that it allows large bursts again, even
though the maximum burst interval can be regulated by careful selection of ρ and M.
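Both shapers and the burst-length formula, as an added example written for this page (not the page's or any library's code): a leaky bucket running Turner's counter algorithm on variable-length packets, a token bucket that discards surplus tokens rather than packets, and a check that a tick-by-tick simulation agrees with S = C / (M – ρ). The capacities, rates and packet sizes are constructed values.

```python
# Added example: leaky bucket and token bucket shapers; not code from the original text.
from collections import deque


class LeakyBucket:
    """Turner's leaky bucket for variable-length packets.

    queue_limit: bytes the finite internal queue can hold (arrivals to a full
    queue are discarded); n_per_tick: the counter value n loaded at every tick.
    n must be at least the largest packet size, otherwise that packet never leaves.
    """

    def __init__(self, queue_limit, n_per_tick):
        self.queue_limit = queue_limit
        self.n_per_tick = n_per_tick
        self.queue = deque()
        self.queued_bytes = 0
        self.dropped = 0

    def arrive(self, size):
        """Host hands a packet to the interface; returns False if it was discarded."""
        if self.queued_bytes + size > self.queue_limit:
            self.dropped += 1
            return False
        self.queue.append(size)
        self.queued_bytes += size
        return True

    def tick(self):
        """One clock tick: reset the counter to n and send head-of-line packets
        while the counter still covers them. Returns the sizes sent."""
        n = self.n_per_tick
        sent = []
        while self.queue and self.queue[0] <= n:   # text says "greater than"; <= also lets an exact fit through
            size = self.queue.popleft()
            self.queued_bytes -= size
            n -= size
            sent.append(size)
        return sent


class TokenBucket:
    """Token bucket: the clock adds `rate` tokens per tick up to `capacity`;
    a packet of `size` bytes must capture and destroy that many tokens."""

    def __init__(self, capacity, rate, tokens=0):
        self.capacity = capacity
        self.rate = rate
        self.tokens = min(tokens, capacity)     # the text initialises the counter to zero

    def tick(self):
        # Surplus tokens are thrown away; packets never are.
        self.tokens = min(self.capacity, self.tokens + self.rate)

    def try_send(self, size):
        """Transmit if enough tokens are available; otherwise the packet waits."""
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def max_burst_seconds(C, rho, M):
    """S = C / (M - rho): how long a host with a full bucket can send at line rate M."""
    if M <= rho:
        raise ValueError("line rate must exceed the token rate for a burst to be bounded")
    return C / (M - rho)


def simulate_full_rate_ticks(capacity, rate, line_rate):
    """Count the ticks on which a host can send a full line_rate-sized packet,
    starting with a full bucket, before the tokens run short."""
    tb = TokenBucket(capacity, rate, tokens=capacity)
    ticks = 0
    while True:
        tb.tick()
        if not tb.try_send(line_rate):
            return ticks
        ticks += 1


if __name__ == "__main__":
    lb = LeakyBucket(queue_limit=1000, n_per_tick=200)
    for size in (100, 150, 180, 100):
        lb.arrive(size)
    print("leaky bucket sends per tick:", [lb.tick() for _ in range(4)])
    tb = TokenBucket(capacity=3, rate=1)           # fig 1.5: three tokens, five packets
    for _ in range(3):
        tb.tick()
    print("packets sent:", sum(tb.try_send(1) for _ in range(5)))
    print("formula S:", max_burst_seconds(100, 2, 10), "ticks; simulated:",
          simulate_full_rate_ticks(100, 2, 10))
```

With C = 100, ρ = 2 and M = 10 per tick the formula gives S = 12.5 ticks while the discrete simulation sends at full rate for 12 whole ticks, the integer part of S.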
Resource reservation
A flow of data needs resources. Once a route has been chosen for the flow, it becomes possible to
reserve resources along that route to make sure the needed capacity is available. The three
different kinds of resources that can potentially be reserved are:
- Bandwidth
- Buffer space
- CPU cycles
To calculate the mean delay of a packet, T:
Let packets arrive at random with a mean arrival rate of λ packets/sec. The CPU time required is
also random, with a mean processing capacity of µ packets/sec. Assume both the arrival and the
service distributions are Poisson. The mean delay of a packet T is
Where
ρ = λ / µ → CPU utilization
1 / µ → service time
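The queueing result the text refers to, written out here as an added worked equation in the page's own symbols (the standard M/M/1 mean delay; the formula itself is not reproduced on the page):

$$T = \frac{1}{\mu - \lambda} = \frac{1/\mu}{1 - \rho}, \qquad \rho = \frac{\lambda}{\mu}$$

With, for example, $\mu = 1000$ packets/sec and $\lambda = 800$ packets/sec (assumed values), $\rho = 0.8$ and $T = \frac{1\ \text{ms}}{1 - 0.8} = 5$ ms; as $\rho \to 1$ the delay grows without bound, which is why reserving CPU cycles matters for a flow's delay guarantee.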
Admission Control
Admission control refers to the mechanism used by a router or a switch to accept or reject a flow
based on predefined parameters called a flow specification. Typically the sender produces a flow
specification proposing the parameters it would like to use. An example based on RFCs 2210 and
2211 is tabulated in table 1.2. Before a router accepts the flow for processing, it checks the
specification to see whether its capacity and its previous commitments to other flows can handle
the new flow.
Table 1.2 An example flow specification
Proportional Routing
To provide high QoS, it is necessary to split the traffic for each destination over multiple paths.
Since routers generally do not have a complete overview of the network traffic, they use locally
available information for the split. A simple method is to divide the traffic equally or in
proportion to the capacity of the outgoing links.
Packet Scheduling
Several scheduling techniques have been designed to improve the quality of service. One of them is
the fair queuing algorithm. In this algorithm the routers have separate queues for each output
line, one for each flow. When a line becomes idle, the router scans the queues round robin, taking
the first packet on the next queue.
This algorithm has a problem: it gives more bandwidth to hosts that use large packets than to hosts
that use small packets. The improvement is to do the round robin in such a way as to simulate a
byte-by-byte round robin instead of a packet-by-packet round robin.
In fig 1.6(a), we see packets of length 2 to 6 bytes. At clock tick 1, the first byte of the packet A
is sent. Then at tick 2, the first byte of packet B is sent and so on. The first packet to finish is C
after 8 ticks. The sorted order is given in fig 1.6(b). If there are no new arrivals, the packets will
be sent in the order listed from C to A.
Fig 1.6 (a) A router with five packets queued for line O (b) Finishing times for the packets
This algorithm gives all hosts the same priority, so a modified algorithm called Weighted Fair
Queuing is widely used. In this technique, the packets are still assigned to different classes and
admitted to different queues, but the queues are no longer served with equal shares.
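The byte-by-byte round robin of fig 1.6, as an added example that is not the page's own code: it computes the finishing tick of each queued packet and the resulting send order, and, going one step beyond the text, takes a per-queue weight (bytes per round) to approximate weighted fair queuing. The packet lengths are assumed values between 2 and 6 bytes, chosen so that C is 2 bytes and A is the longest, as in the figure's description.

```python
# Added example: byte-by-byte fair queuing and a weighted variant; not the page's code.

def finishing_times(packets, weights=None):
    """packets: ordered mapping flow name -> length in bytes of the packet at the
    head of that flow's queue.  weights: flow name -> bytes that flow may send per
    round (1 for every flow gives plain byte-by-byte fair queuing).  Each byte
    takes one clock tick; returns flow name -> tick on which the last byte is sent."""
    remaining = dict(packets)
    weights = dict(weights) if weights else {}
    finish = {}
    tick = 0
    while remaining:
        for name in packets:                 # scan the queues in a fixed order
            if name not in remaining:
                continue
            quota = min(weights.get(name, 1), remaining[name])
            tick += quota                    # the flow sends `quota` bytes in a row
            remaining[name] -= quota
            if remaining[name] == 0:
                finish[name] = tick
                del remaining[name]
    return finish


def send_order(packets, weights=None):
    """Packets sorted by finishing time; with no new arrivals this is the order
    in which whole packets leave the router."""
    finish = finishing_times(packets, weights)
    return sorted(finish, key=finish.get)


# Constructed lengths for fig 1.6: five packets queued for line O.
PACKETS = {"A": 6, "B": 5, "C": 2, "D": 3, "E": 4}

if __name__ == "__main__":
    print("finishing ticks:", finishing_times(PACKETS))   # C finishes first, after 8 ticks
    print("send order:", send_order(PACKETS))
    # Weighted variant: A may send two bytes per round, every other flow one.
    print("weighted:", finishing_times(PACKETS, {"A": 2}))
```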
1.3 Integrated Services
Integrated Services is a flow-based QoS model designed for IP. It was aimed at both unicast and
multicast applications. To implement a flow-based model over a connectionless protocol, a protocol
called the Resource Reservation Protocol (RSVP) was designed.
RSVP - Resource reSerVation Protocol
The main IETF protocol for the integrated services architecture is RSVP. This protocol is used for
making resource reservations. RSVP allows multiple senders to transmit to multiple groups of
receivers, permits individual receivers to switch channels freely, and optimizes bandwidth use
while at the same time eliminating congestion.
The Protocol uses multicast routing using spanning trees. Each group is assigned a group
address. To send to a group, a sender puts the group’s address in its packets. The standard
multicast routing algorithm then builds a spanning tree covering all the group members. The
routing algorithm is not a part of RSVP.
As an example, consider the network of fig 1.7(a). Hosts 1 and 2 are multicast senders and hosts
3, 4 and 5 are multicast receivers. In this example, the senders and receivers are disjoint, but in
general, the two sets may overlap. The multicast trees for hosts 1 and 2 are shown in fig 1.7(b)
and fig 1.7(c) respectively.
To eliminate congestion, any of the receivers in a group can send a reservation message to the
sender. The message is propagated using the reverse path forwarding algorithm. At each hop, the
router notes the reservation and reserves the necessary bandwidth. If insufficient bandwidth is
available, it reports back failure. By the time the message gets back to the source, bandwidth has
been reserved all the way from the sender to the receiver making the reservation request along
the spanning tree.
An example of such a reservation is shown in fig 1.8(a). Here host 3 has requested a channel to
host 1. Once it has been established, packets can flow from 1 to 3 without congestion. If host 3
also reserves a channel to the other sender, host 2, so that the user can watch two television
programs at once, a second path is reserved, as illustrated in fig 1.8(b). Note that two separate
channels are needed from host 3 to router E because two independent streams are being transmitted.
Fig 1.7 (a) A network (b) The multicast spanning tree for host1 (c) The multicast spanning
tree for host 2
Finally, in fig 1.8(c) host 5 decides to watch the program being transmitted by host 1. The
dedicated bandwidth is reserved as far as router H. However, this router sees that it already has a
feed from host 1, so if the necessary bandwidth has already been reserved, it does not have to
reserve any more.
Fig 1.8 (a) Host 3 requests a channel to host 1 (b) Host 3 then requests a second channel to
host 2 (c) Host 5 requests a channel to host 1
When making a reservation, a receiver can (optionally) specify one or more sources that it wants
to receive from. It can also specify whether these choices are fixed for the duration of the
reservation or whether the receiver wants to keep open the option of changing sources later. The
router uses this information to optimize bandwidth planning. In particular, two receivers are only
set up to share a path if they both agree not to change sources later on.
The reason for this strategy in the fully dynamic case is that reserved bandwidth is decoupled
from the choice of source. Once a receiver has reserved bandwidth, it can switch to another
source and keep that portion of the existing path that is valid for the new source.
1.4 Differentiated services
Flow-based algorithms have the potential to offer good quality of service to one or more flows
because they reserve whatever resources are needed along the route. They require an advance setup
to establish each flow, something that does not scale well when there are thousands or millions of
flows. The IETF has therefore also devised a simpler approach to quality of service, one that can
be largely implemented locally in each router without advance setup and without having the whole
path involved. This approach is known as class-based (as opposed to flow-based) quality of service.
The IETF has standardized an architecture for it, called Differentiated Services.
Differentiated services (DS) can be offered by a set of routers forming an administrative domain.
The administration defines a set of service classes with corresponding forwarding rules. If a
customer signs up for DS, customer packets entering the domain may carry a Type of Service
field in them, with better service provided to some classes (e.g., premium service) than to others.
This scheme requires no advance setup, no resource reservation and no time-consuming end-to-end
negotiation for each flow, as integrated services does. This makes DS relatively easy to implement.
The difference between flow-based quality of service and class-based quality of service is
explained by an example: internet telephony. With a flow-based scheme, each telephone call gets
its own resources and guarantees. With a class-based scheme, all the telephone calls together get
the resources reserved for the class telephony. These resources cannot be taken away by packets
from the file transfer class or other classes, but no telephone call gets any private resources
reserved for it alone.
Expedited Forwarding
The simplest class is expedited forwarding. It is described in RFC 3246. Two classes of service
are available: regular and expedited. The vast majority of the traffic is expected to be regular, but
a small fraction of the packets are expedited. The expedited packets should be able to transit the
subnet as though no other packets were present. A symbolic representation of this “two-tube”
system is given in fig 1.9. The two logical pipes shown in the figure represent a way to reserve
bandwidth, not a second physical line.
Fig 1.9 Expedited packets experience a traffic-free network
One way to implement this strategy is to program the routers to have two output queues for each
outgoing line, one for expedited packets and one for regular packets. When a packet arrives, it is
queued accordingly. Packet scheduling should use something like weighted fair queuing. For
example, if 10% of the traffic is expedited and 90% is regular, 20% of the bandwidth could be
dedicated to expedited traffic and the rest to regular traffic. Doing so would give the expedited
traffic twice as much bandwidth as it needs in order to provide low delay for it. This allocation
can be achieved by transmitting one expedited packet for every four regular packets.
Assured forwarding
Assured forwarding is described in RFC 2597. It specifies that there shall be four priority
classes, each class having its own resources. In addition, it defines three discard probabilities
for packets that are undergoing congestion: low, medium and high. Taken together, these two factors
define 12 service classes. Fig 1.10 shows one way packets might be processed under assured
forwarding.
Fig 1.10 A possible implementation of the data flow for assured forwarding
Step 1 is to classify the packets into one of the four priority classes. This step might be done on
the sending host or in the ingress (first) router. The advantage of doing classification on the
sending host is that more information is available about which packets belong to which flows
there.
Step 2 is to mark the packets according to their class. A header field is needed for this purpose.
Fortunately, an 8-bit Type-of-service field is available in the IP header. RFC 2597 specifies that
six of these bits are to be used for the service class, leaving coding room for historical service
classes and future ones.
Step 3 is to pass the packets through a shaper/dropper filter that may delay or drop some of them
to shape the four streams into acceptable forms, for example, by using leaky or token buckets. If
there are too many packets, some of them may be discarded here, by discard category. In this
example, these three steps are performed on the sending host, so the output stream is now fed
into the ingress router.
UNIT 2
INTERNETWORKING
2.1 Introduction
2.2 Need for Network Layer
2.3 Internet as Packet-Switched Network
2.4 Internet as Connectionless Network
2.5 Tunneling
2.6 Internetwork Routing
2.7 Fragmentation
2.1 Introduction
The physical and data link layers of a network operate locally. These two layers are jointly
responsible for data delivery on the network from one node to the next. So, for transfer of data
between networks, they need to be connected to make an internetwork. The fig 2.1 shows an
example of internetwork.
The internetwork is made of five networks: four LANs and one WAN. If host A needs to send a
data packet to host D, the packet first needs to go from A to S1 (a switch or router), then from S1
to S3 and finally from S3 to host D. The data packet passes through three links.
The main problem is when data arrive at interface f1 of S1, how does S1 know that they should
be sent out from interface f3? There is no provision in the data link (or physical) layer to help S1
make the right decision. The frame does not carry any routing information either. The frame
contains the MAC address of A as the source and the MAC address of S1 as the destination.
Fig 2.1 Internetwork
2.2 Need for network layer
To solve the problem of delivery through several links, the network layer was designed. The
network layer is responsible for host-to-host delivery and for routing the packets through the
routers or switches. Fig 2.2 shows the same internetwork with a network layer added.
Fig 2.2 Network layer in an internetwork
Network layer at source
The network layer at the source is responsible for creating a packet that carries two universal
addresses: a destination address and a source address. The source network layer receives data from
the transport layer, adds the universal address of host A as the source, adds the universal address
of D as the destination, and makes sure the packet is the correct size for passage through the next
link. If the packet is too large, it is fragmented. The network layer at the source may also add
fields for error control. This is shown in fig 2.3.
Network layer at router or switch
The network layer at the switch or router is responsible for routing the packet. When a packet
arrives, the router or switch finds the interface from which the packet must be sent. This is done
by using a routing table. This is depicted in fig 2.4.
Network layer at destination
The network layer at the destination is responsible for address verification; it makes sure that
the destination address on the packet is the same as the address of the host. It also checks to see
if the packet has been corrupted during transmission. If it has, the network layer discards the
packet. If the packet is a fragment, the network layer waits until all fragments have arrived, then
reassembles them and delivers the reassembled packet to the transport layer. This is shown in
fig 2.5.
Fig 2.3 Network layer at the source
Fig 2.4 Network layer at a router
Fig 2.5 Network layer at the destination
2.3 Internet as a packet-switched network
The internet, at the network layer, is a packet-switched network. In general, switching can be
divided into two broad categories: circuit switching and packet switching. Packet switching itself
uses either the virtual circuit approach or the datagram approach. Fig 2.6 shows the taxonomy.
Fig 2.6 Switching
In circuit switching, a physical link is dedicated between a source and a destination. In packet
switching, data are transmitted in discrete units of potentially variable-length blocks called
packets. Each packet contains not only data but also a header with control information such as
priority codes, source and destination addresses.
Virtual Circuit Approach
In the virtual circuit approach to packet switching, the relationship between all packets belonging
to a message or session is preserved. A single route is chosen between sender and receiver at the
beginning of the session. When the data are sent, all packets of the transmission travel one after
another along that route. Wide area networks such as Frame Relay and ATM use the virtual circuit
approach to packet switching, implemented at the data link layer.
Datagram Approach
In the datagram approach to packet switching, each packet is treated independently of all
others. Even if one packet is just a piece of a multipacket transmission, the network treats it as
though it existed alone. Packets in this approach are referred to as datagrams. Fig 2.7 shows
how the datagram approach can be used to deliver four packets from station A to station X.
Fig 2.7 Datagram approach
The datagram approach has some advantages too. It does not need call setup and virtual circuit
identifiers. The routing and delivery of the packet are based on the source and destination
address included in the packet itself. The switches or routers each have a routing table that can
decide on the route based on these two addresses.
2.4 Internet as a Connectionless Network
The delivery of a packet can be accomplished using either a connection-oriented or a
connectionless network service.
In a connection-oriented service
1. The source first makes a connection with the destination before sending a packet.
2. When the connection is established, a sequence of packets from the same source to the
destination can be sent one after another. In this case, there is a relationship between
packets.
3. They are sent on the same path in sequential order. A packet is logically connected to the
packet traveling before it and to the packet traveling after it.
4. When all packets of a message have been delivered, the connection is terminated.
In a connection-oriented protocol, the decision about the route of a sequence of packets with the
same source and destination addresses can be made only once, when the connection is
established.
In a connectionless service, the network layer protocol treats each packet independently, with each
packet having no relationship to any other packet. The packets in a message may or may not travel
the same path to their destination. This type of service is used in the datagram approach to
packet switching.
The Internet has chosen this type of service at the network layer. The reason for this decision is
that the Internet is made of so many heterogeneous networks that it is almost impossible to create
a connection from the source to the destination without knowing the nature of the networks in
advance.
2.5 Tunneling
Tunneling is a technique used when two computers are on the same type of network but must
communicate through a different kind of network in between. It can also be defined as a technique
for communicating between two different networks. Fig 2.8 shows an example.
Fig 2.8 Tunneling a packet from Paris to London
- To send an IP packet to host 2, host 1 constructs the packet containing the IP address of host 2,
  inserts it into an Ethernet frame addressed to the Paris multiprotocol router and sends it.
- When the multiprotocol router gets the frame, it removes the IP packet, inserts it in the payload
  field of a WAN network layer packet and addresses the latter to the WAN address of the London
  multiprotocol router.
- When it gets there, the London router removes the IP packet and sends it to host 2 inside an
  Ethernet frame.
2.6 Internetwork Routing
Routing through an internetwork is similar to routing within a single subnet but with added
complications.
Consider the example internetwork shown in fig 2.9(a). Here five networks are connected by six
routers. To build a graph model, each router is a node and an arc joins every pair of routers that
can reach each other directly over a common network. For example B can directly reach A and C
via network 2 and D via network 3. This leads to the graph of fig 2.9(b).
Fig 2.9 (a) An internetwork (b) A graph of the internetwork
Once the graph has been constructed, a known routing algorithm is applied to the multiprotocol
routers. This gives a two-level routing algorithm: within each network an interior gateway
protocol is used and between the networks an exterior gateway protocol is used.
Difference between internetwork routing and intranetwork routing
Internetwork routing - routing between the networks. It requires crossing international
boundaries. Exterior routing is expensive.
Intranetwork routing - routing within each network. It does not require crossing any
boundaries. Interior routing is comparatively less expensive than exterior routing.
2.7 Fragmentation
Fragmentation is the process of breaking a packet into smaller units called fragments. Each
fragment is treated as a separate internet packet. A packet is fragmented either by the source host
or by any router on the path.
The two types of fragmentation are
1. Transparent fragmentation
2. Non-transparent fragmentation
Transparent fragmentation
In this approach, when an oversized packet arrives at a gateway, the gateway breaks it up into
fragments. Each fragment is addressed to the same exit gateway, where the pieces are recombined.
Passage through the small-packet network is thus made transparent: subsequent networks are not
aware that fragmentation has occurred. This is shown in fig 2.10(a). An example is ATM networks.
The disadvantages are
1. The exit gateway must know when it has received all the pieces, so a count field must be
provided
2. All packets must exit via the same gateway
Fig 2.10 (a) Transparent fragmentation (b) Non-transparent fragmentation
Non-transparent fragmentation
This approach refrains from recombining fragments at any intermediate gateway. Once a packet
has been fragmented, each fragment is treated as an original packet. All fragments are passed
through exit gateways as shown in fig 2.10(b); recombination occurs only at the destination host.
The advantage is that multiple exit gateways can be used, achieving higher performance.
The disadvantages are
1. Every host must be able to do reassembly
2. When a large packet is fragmented, the total overhead increases because each fragment must
have a header.
UNIT 3
THE NETWORK LAYER IN THE INTERNET
3.1 The IP Protocol
3.2 IP Addresses
3.3 Subnet
3.4 IPV6
3.1 The IP Protocol
IP, the Internet Protocol, is the network layer protocol associated with the popular TCP/IP
network software. IP is the basis of the world-wide network commonly known as the Internet.
More correctly the Internet is a connection of smaller networks (an internetwork) and IP is the
protocol used to route between those networks. In practice, IP is also used within those networks.
IP Header
The fig 3.1 shows the format of the IP header.
Fig 3.1 The IPv4 header
The IP header contains the following fields
 Version- This 4-bit field contains the version number of IP to which this packet
conforms. This field should currently contain the value 4, although IP version 6 is
currently being defined. Parts of the header for version 6 will be different, particularly the
length of the address fields.
 IHL (Internet Header Length)- This 4-bit field contains the length of the header in 32-bit
words. If there are no options, the value of this field will be 5 (giving a header length
of 20 bytes).
 Type of service- This field gives information about the quality of service requested for
this packet. It contains subfields which indicate the type of packet and its urgency.
 Total length- This 16-bit field gives the total length of the packet in bytes.
 Identification- The identification field is used in conjunction with the source and
destination address fields to ensure that each packet is uniquely identified. This field is
used to reassemble packets which have been fragmented because they are too long for
one of the links.
 Flags- This 3-bit field contains three flags, only two of which are currently defined. DF
stands for Don't Fragment. If the DF bit is set, it tells routers not to fragment the
datagram. MF stands for More Fragments. All fragments except the last one have this bit
set, which is how the receiver knows when the last fragment has arrived.
 Fragment offset- This field is used when packets are fragmented. It contains the offset
from the beginning of the original packet at which this fragment starts. It is measured in
multiples of 8 bytes.
 Time to live- This field is initialized when the packet is generated and decremented as
the packet passes through each node. If the value ever reaches zero, the packet is
discarded. This is intended to defeat routing loops.
 Protocol- This field indicates which higher level protocol should be used to interpret the
data in this packet.
 Header checksum- This checksum is used to ensure that the header has been transmitted
correctly.
 Source address- This field contains the IP address of the originating host for this packet.
This does not necessarily correspond to the address of the node which sent this packet
within the network but is the address of the host which first put this packet into the
network. It thus differs from the data link layer address.
 Destination address- This is the address of the host for which this packet is ultimately
destined. It is this address which is used to determine the path this packet will take
through the network. Note that each packet contains full addressing information rather
than a virtual circuit number: IP is a datagram oriented (connectionless) protocol.
 Options- This field is used to include protocol information which is not present in the
original design. The options field is variable in length.
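As an added, self-contained example (not code from these notes), the following Python builds and parses the IPv4 header just described and verifies its checksum, fragments a datagram on the Identification, MF and Fragment offset fields in the non-transparent style of section 2.7, reassembles the pieces at the destination host, and uses IP-in-IP encapsulation (protocol number 4) as a stand-in for the WAN network layer packet of the Paris-to-London tunnel in section 2.5. The addresses, MTU and payloads are constructed; the choice of IP-in-IP for the WAN packet and the 20-byte option-less header are assumptions of the example.

```python
# Added example (not from the notes): IPv4 header build/parse with the Internet
# checksum, non-transparent fragmentation and reassembly, and IP-in-IP tunneling.
# All addresses and payloads below are constructed for the example.
import socket
import struct

HDR_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ident, flags+offset, TTL, proto, cksum, src, dst
IPPROTO_IPIP = 4           # IP-in-IP; assumed here as the tunnel's WAN network layer packet


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload, ident=0, df=False, mf=False, offset=0, ttl=64, proto=17):
    """Option-less IPv4 packet (IHL = 5, 20-byte header) with a valid header checksum."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (offset // 8)   # reserved bit 15 stays 0
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header; reject truncated packets, inconsistent lengths and bad checksums."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _, src, dst = struct.unpack(HDR_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not (ihl <= total_len <= len(packet)):
        raise ValueError("inconsistent version/length fields")
    if checksum(packet[:ihl]) != 0:          # a correct header sums to all ones, i.e. folds to 0
        raise ValueError("bad header checksum")
    return {"ihl": ihl, "tos": tos, "total_len": total_len, "ident": ident,
            "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": packet[ihl:total_len]}


def fragment(packet: bytes, mtu: int) -> list:
    """Non-transparent fragmentation: each piece is a complete IP packet carrying the same
    Identification; MF is set on every piece but the last."""
    f = parse_ipv4(packet)
    if f["total_len"] <= mtu:
        return [packet]
    if f["df"]:
        raise ValueError("DF set: the packet must be dropped rather than fragmented")
    step = (mtu - 20) // 8 * 8               # payload per fragment, a multiple of 8 bytes
    if step <= 0:
        raise ValueError("MTU too small to carry any payload")
    pieces, data = [], f["payload"]
    for off in range(0, len(data), step):
        last = off + step >= len(data)
        pieces.append(build_ipv4(f["src"], f["dst"], data[off:off + step], ident=f["ident"],
                                 mf=f["mf"] or not last, offset=f["offset"] + off,
                                 ttl=f["ttl"], proto=f["proto"]))
    return pieces


def reassemble(pieces: list) -> bytes:
    """Destination-host reassembly; rejects gaps, overlaps and a missing final fragment."""
    frags = sorted((parse_ipv4(p) for p in pieces), key=lambda f: f["offset"])
    if len({(f["src"], f["dst"], f["ident"], f["proto"]) for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = b"", 0
    for f in frags:
        if f["offset"] != expected:          # out-of-place offset: either a hole or an overlap
            raise ValueError("gap or overlap at offset %d" % expected)
        data += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        raise ValueError("final fragment (MF = 0) not received")
    return data


def tunnel_encapsulate(inner: bytes, entry: str, exit_: str, ident: int = 0) -> bytes:
    """Paris router: carry the whole inner IP packet as the payload of a WAN (IP-in-IP) packet."""
    parse_ipv4(inner)                        # refuse to tunnel a malformed packet
    return build_ipv4(entry, exit_, inner, ident=ident, proto=IPPROTO_IPIP)


def tunnel_decapsulate(outer: bytes) -> bytes:
    """London router: strip the WAN header and hand the inner packet on unchanged."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    parse_ipv4(o["payload"])                 # validate the inner packet before forwarding it
    return o["payload"]
```

Reassembly deliberately refuses overlapping fragments instead of letting a later piece overwrite an earlier one, which is the safe choice for a receiver that has to reconstruct what the sender actually transmitted.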
3.2 IP addresses
All IP addresses are (currently) 32 bits long. The next version of IP will extend this to much
longer addresses. An address consists of two parts: a network number and a host number within
that network. The format of IP addresses is shown in fig 3.2. An IP address is traditionally
written as four decimal numbers separated by dots, each number representing one byte of the
address. Thus a typical IP address might be 131.172.44.7.
Fig 3.2 IP address formats
Class A addresses
A class A address has the most significant bit 0. The next seven bits contain the network number
and the last 24 bits the host number. There are thus 126 possible class A networks, each having
up to about 16,000,000 hosts. (Networks 0 and 127 are used for other purposes.)
Class B addresses
A class B address has the two most significant bits 10. The next fourteen bits contain the network
number and the last 16 bits the host number. There are thus 16384 possible class B networks
each containing 65354 hosts.
Class C addresses
A class C address has the three most significant bits 110. The next 21 bits contain the network
number and the last eight bits the host number. There are thus more than 2000000 possible class
C networks each containing 254 hosts.
Multicast addresses
It is often desirable to send some types of message to many different hosts simultaneously. The
remaining IP addresses (i.e. those which start with 111) are used for such messages. As a special
case, the address 255.255.255.255 is a broadcast address so that packets with that destination
address are received by all hosts within the network. In some networks the address 0.0.0.0 is also
a broadcast address. Within a network, the address with the host number containing all 1s (or 0s)
is a broadcast address within that network.
3.3 Subnet
IP addresses are 32 bits long. 2 bytes of the address indicate a network id and the other 2 bytes
indicate the host id on that network. This partitioning gives a hierarchy of levels in IP
addressing. To reach a host on the internet, the network is reached first by using the first
portion (network id) of the address; once the network is reached, the host is reached by using the
second portion (host id) of the address.
In classes A, B and C, IP addressing is designed with two levels of hierarchy. A two-level
hierarchy is not enough, because with it an organization cannot have more than one physical
network: the hosts cannot be organized into groups, all hosts are at the same level, and the
organization has one network with many hosts.
The solution to this problem is subnetting: the further division of a network into smaller
networks called subnetworks. The routing of an IP datagram then involves three steps:
i. Delivery to the site
ii. Delivery to the subnetwork
iii. Delivery to the host
Subnet Masking
Masking is a process that extracts the address of the physical network from an IP address.
Masking can be applied to subnetted or non-subnetted networks. If the network is not subnetted,
masking extracts the network address from an IP address. If the network is subnetted, masking
extracts the subnetwork address from an IP address. An example is shown below.
To find the subnetwork address, apply the mask to the IP address. There are two levels of
masking:
 Boundary level masking
 Non-boundary level masking
Boundary level masking
If the masking is at the boundary level (every byte of the mask is either 255 or 0), finding the
subnetwork address is very easy. The rules to be followed are
 The bytes in the IP address that correspond to 255 in the mask are repeated in the
subnetwork address.
 The bytes in the IP address that correspond to 0 in the mask change to 0 in the subnetwork
address.
Non-boundary level masking
If the masking is not at the boundary level (some byte of the mask is neither 255 nor 0), finding
the subnetwork address involves the bitwise AND operator. The rules to be followed are
 The bytes in the IP address that correspond to 255 in the mask are repeated in the
subnetwork address.
 The bytes in the IP address that correspond to 0 in the mask change to 0 in the
subnetwork address.
 For the other bytes, use the bitwise AND operator.
CIDR – Classless Inter Domain Routing
The basic idea behind CIDR is to allocate the remaining IP addresses in variable-sized blocks,
regardless of the classes. With CIDR network addresses, the network part of an IP address can be
any number of bits long, rather than being constrained to 8, 16 or 24 bits.
A CIDR network address has the dotted-decimal form a.b.c.d/x, where x indicates the number of
leading bits of the 32-bit quantity that constitute the network portion of the address.
In CIDR, each routing table entry is extended by giving it a 32-bit mask. The routing table for all
networks thus consists of an array of (IP address, subnet mask, outgoing line) triples. When a
packet comes in, its destination IP address is first extracted. Then the routing table is scanned
entry by entry, masking the destination address and comparing it with the table entry for a match.
It is possible that multiple entries match, in which case the entry with the longest mask is used.
Example: The network address in CIDR will have the following format as shown in fig 3.3.
Fig 3.3 Network address in CIDR
Contiguous class C addresses have been assigned to various geographical regions as shown in
table 3.1.
Addresses                       Region
194.0.0.0 to 195.25.255.255     Europe
196.0.0.0 to 197.255.255.255    Reserved
198.0.0.0 to 199.255.255.255    North America
200.0.0.0 to 201.255.255.255    Central and South America
202.0.0.0 to 203.255.255.255    Asia and Pacific
204.0.0.0 to 223.255.255.255    Reserved
Table 3.1 Allocation for class C networks
The organizations x, y and z in the subnet need 4096, 2048 and 1024 addresses respectively. Each
subnet will have contiguous addresses described by a base address, a last address and a mask.
For organization x we have 0 to 4095
Base address : 200.40.1010 0000 0000 0000
Last address : 200.40.1010 1111 1111 1111
Mask         : 255.255.1111 0000 0000 0000
For organization y we have 4096 to 6143
Base address : 200.40.1011 0000 0000 0000
Last address : 200.40.1011 0111 1111 1111
Mask         : 255.255.1111 1000 0000 0000
For organization z we have 6144 to 7167
Base address : 200.40.1011 1000 0000 0000
Last address : 200.40.1011 1011 1111 1111
Mask         : 255.255.1111 1100 0000 0000
Suppose a packet addressed to 200.40.189.210 comes in. Its address is ANDed with each of the
three masks x, y and z.
The binary equivalent of 200.40.189.210 is 11001000 00101000 10111101 11010010
1. After performing the AND operation with x, the result is
2. After performing the AND operation with y, the result is
11001000 00101000 10111000 00000000
3. With z the result is
This matches the base address of y, so the packet will be routed to organization y.
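An added example (not code from these notes) of the masking and CIDR lookup described above: the address classes of section 3.2, masking by bitwise AND (which covers boundary and non-boundary masks alike), and a routing table of (network, mask, outgoing line) triples that is scanned entry by entry and keeps the longest matching mask. The three prefixes are organizations x, y and z above, written as 200.40.160.0/20, 200.40.176.0/21 and 200.40.184.0/22; the /23 entry, the default route and the addresses looked up are constructed for the example.

```python
# Added example (not from the notes): classful address classes, subnet masking
# by bitwise AND, and a CIDR routing table with longest-prefix match.


def ip_to_int(addr: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting anything that is not four bytes 0..255."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("bad dotted-decimal address: %r" % addr)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful rule on the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"          # multicast
    return "E"              # reserved


def apply_mask(addr: str, mask: str) -> str:
    """Bytes under 255 are kept, bytes under 0 become 0, other bytes are ANDed: one rule for both
    boundary and non-boundary masks."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def prefix_to_mask(prefix_len: int) -> str:
    """The /x notation: x leading one bits followed by 32-x zero bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return int_to_ip((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


class RoutingTable:
    """Entries are (network, mask, outgoing line) triples, as the CIDR text describes."""

    def __init__(self):
        self.entries = []

    def add(self, cidr: str, line: str):
        net, plen = cidr.split("/")
        mask = prefix_to_mask(int(plen))
        if apply_mask(net, mask) != net:
            raise ValueError("host bits set in %s" % cidr)
        self.entries.append((ip_to_int(net), ip_to_int(mask), int(plen), line))

    def lookup(self, dst: str):
        """Scan every entry; of the ones that match, keep the one with the longest mask."""
        d = ip_to_int(dst)
        best = None
        for net, mask, plen, line in self.entries:
            if (d & mask) == net and (best is None or plen > best[0]):
                best = (plen, line)
        return best[1] if best else None


def demo_table() -> RoutingTable:
    """The three organizations from the worked example plus two constructed entries."""
    t = RoutingTable()
    t.add("200.40.160.0/20", "line-x")    # organization x, 4096 addresses
    t.add("200.40.176.0/21", "line-y")    # organization y, 2048 addresses
    t.add("200.40.184.0/22", "line-z")    # organization z, 1024 addresses
    t.add("200.40.186.0/23", "line-z2")   # constructed: more specific than z, so it wins inside it
    t.add("0.0.0.0/0", "default")         # constructed default route: shortest mask, matches all
    return t
```

Because the table is scanned in full and the longest mask wins, a more specific entry can be added anywhere in the table without reordering it; the /23 entry demonstrates this against z.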
NAT (Network Address Translation)
The Internet is running out of IP addresses. The long-term solution is to migrate from IPv4 to
IPv6, which has 128-bit addresses. This migration is slow and will take a few years. The quick,
short-term solution came in the form of NAT (Network Address Translation).
The idea behind NAT is to assign a single IP address to each company for its Internet traffic.
Within the company or organization, every computer gets a unique IP address, which is used for
routing internal traffic.
Operation of NAT
The fig 3.4 shows the network setup to demonstrate the operation of the NAT.
Fig 3.4 Placement and operation of a NAT box
Step 1: Within the company, every machine has a unique address of the form 10.x.y.z. When a
packet leaves the company premises, it passes through the NAT box, which converts the internal
IP source address to the company's true IP address. In the figure the internal source address
10.0.0.1 is converted to the company's true IP address 198.60.42.12. The NAT box is combined
with the firewall, which provides security by controlling the information going out and coming in.
Step 2: When the reply comes back from outside the company premises, it is naturally addressed
to 198.60.42.12, so the NAT box has to know which internal address to replace it with. The NAT
designers observed that most IP packets carry either TCP or UDP payloads, and that TCP and UDP
use ports to identify the two ends of a connection. These ports are used to make NAT work.
Step 3: Each outgoing TCP/UDP message contains both a source port and a destination port.
Ports identify the processes at both ends of the connection. The mapping between internal IP
source addresses and the true IP address is done using the source port field. Whenever an
outgoing packet enters the NAT box, the internal 10.x.y.z source address is replaced by the
company's true IP address, and the TCP source port field is replaced by an index into the NAT
box's translation table. This table can hold 65,536 entries and contains the original (true) IP
address and original source port. Finally both the TCP and IP header checksums are recomputed
and inserted into the packet.
Step 4: When a packet arrives at the NAT box from the ISP, the source port in the TCP header is
extracted. This port is used as the index into the NAT box's mapping table. The internal IP
address and TCP source port are extracted from the entry located there and inserted into the
packet. Then both the TCP and IP checksums are recomputed and inserted into the packet. The
packet is then passed to the company router for normal delivery using the 10.x.y.z addresses.
There are some limitations of the NAT method:
 NAT violates the architectural model of IP, which states that every IP address uniquely
identifies a single machine worldwide.
 NAT changes the Internet from a connectionless network into a kind of connection-oriented
network. If the NAT box crashes, it loses its mapping table and all its TCP connections are
destroyed.
 NAT violates the most fundamental rule of protocol layering, i.e. that layers are to be kept
independent. If TCP ports are ever upgraded to 32-bit ports, NAT will fail.
 Some applications insert IP addresses in the body of the text. The receiver then extracts
these addresses and uses them. NAT does not know about these addresses and cannot replace
them, so NAT will fail.
 On the Internet, if a new protocol other than TCP or UDP is used, NAT will fail, because the
NAT box will not be able to locate the TCP source port correctly.
 The TCP source port field is 16 bits, so at most 65,536 machines can be mapped onto one IP
address. But the first 4096 ports are reserved for special purposes, so only 61,440 machines
can be mapped.
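An added example (not code from these notes) simulating the translation table of steps 1 to 4 and two of the limitations above: only TCP/UDP packets can be indexed, and a crash empties the table so that replies still in flight are dropped. The company address 198.60.42.12 is the one from fig 3.4; the internal hosts, the outside server and the port numbers are constructed, the first 4096 ports are treated as reserved as the notes state, and checksum recomputation is left out.

```python
# Added example (not from the notes): a toy NAT box with the translation table of
# steps 1-4. Packets are plain dicts; checksum recomputation is omitted.


class NatBox:
    RESERVED_PORTS = 4096          # the notes treat the first 4096 ports as reserved

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}            # translation index (public port) -> (internal ip, internal port)
        self.reverse = {}          # (internal ip, internal port) -> public port, for reuse
        self.free_ports = self._all_ports()

    def _all_ports(self) -> list:
        # listed high to low so that list.pop() hands out the lowest free port first
        return list(range(65535, self.RESERVED_PORTS - 1, -1))

    def capacity(self) -> int:
        """How many internal (address, port) pairs can share the single public address."""
        return len(self.free_ports) + len(self.table)

    def outbound(self, pkt: dict) -> dict:
        """Step 3: rewrite the source address and port of a packet leaving the company."""
        if pkt["proto"] not in ("tcp", "udp"):
            raise ValueError("NAT needs a TCP/UDP port to index its table")   # limitation above
        if not pkt["src"].startswith("10."):
            raise ValueError("source %s is not an internal 10.x.y.z address" % pkt["src"])
        key = (pkt["src"], pkt["sport"])
        port = self.reverse.get(key)
        if port is None:
            if not self.free_ports:
                raise RuntimeError("translation table full")
            port = self.free_ports.pop()
            self.table[port] = key
            self.reverse[key] = port
        out = dict(pkt)
        out["src"], out["sport"] = self.public_ip, port
        return out

    def inbound(self, pkt: dict):
        """Step 4: the port in the arriving packet indexes the table; unknown ports are dropped."""
        if pkt["proto"] not in ("tcp", "udp") or pkt["dst"] != self.public_ip:
            return None
        entry = self.table.get(pkt["dport"])
        if entry is None:
            return None                      # no mapping: nothing inside asked for this
        inn = dict(pkt)
        inn["dst"], inn["dport"] = entry
        return inn

    def crash(self):
        """The table lives only in the box's memory: a crash loses every mapping."""
        self.table.clear()
        self.reverse.clear()
        self.free_ports = self._all_ports()
```

The crash method is what turns a connectionless network into a stateful one, as the limitations list notes: after it, a reply that was perfectly valid a moment ago has no entry to match and is silently discarded.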
3.4 IPv6
Internet Protocol version 6 (IPv6), also known as Internetworking Protocol next generation
(IPng), was proposed and is now a standard.
IPv6 has some advantages over IPv4 that can be summarized as follows:
 Larger address space
 Better header format
 New options
 Allowance for extension
 Support for resource allocation
 Support for more security
IPv6 Header Format
The fig 3.5 shows the base header with its eight fields
Fig 3.5 IPV6 header
Version- This 4-bit field defines the version number of the IP. For IPv6, the value is 6.
Traffic Class- This 8-bit field is used to distinguish between packets with different real time
delivery requirements.
Flow label- The flow label is a 20-bit field that is designed to provide special handling for a
particular flow of data.
Payload length- This 16-bit field defines the total length of the IP datagram excluding the base
header.
Next header- The next header is an 8-bit field defining the header that follows the base header in
the datagram. The next header is either one of the optional extension header used by IP or the
header for an upper-layer protocol such as UDP or TCP. Each extension header also contains this
field.
Hop limit- This 8-bit field serves the same purpose as the TTL (time to live) field in IPv4.
Source address- The source address field is a 16-byte (128-bit) Internet address that identifies
the original source of the datagram.
Destination address- The destination address field is a 16-byte (128-bit) Internet address that
usually identifies the final destination of the datagram. However, if source routing is used, this
field contains the address of the next router.
Module 4
Unit 1 Services and Elements
1.1 The transport Service
1.1.1 Services Provided to the Upper Layers
1.1.2 Transport Protocols
1.2 Elements of Transport Protocols
1.2.1 Addressing
1.2.2 Connection Establishment
1.2.3 Connection Release
1.2.4 Flow Control and Buffering
Unit 2 The Internet Transport Protocol
2.1 Introduction to UDP
2.2 Remote Procedure Call
2.3 The Real-Time Transport Protocol
2.4 Introduction to TCP
2.5 TCP Service Model
Unit 3 Transmission Control Protocol
3.1 The TCP Protocol
3.2 TCP Segment Header
3.3 TCP Connection Establishment
3.4 TCP Connection Release
3.5 Modeling TCP Connection Management
3.6 TCP Transmission Policy
3.7 TCP Congestion Control
UNIT 1
SERVICES AND ELEMENTS
1.1 The Transport Service
1.1.1 Services Provided to the Upper Layers
1.1.2 Transport Service Primitives
1.2 Elements of Transport Protocols
1.2.1 Addressing
1.2.2 Connection Establishment
1.2.3 Connection Release
1.2.4 Flow Control and Buffering
1.1 THE TRANSPORT SERVICE
The transport layer is the heart of the whole protocol hierarchy. It provides reliable,
cost-effective data transport from the source to the destination machine, independent of the
physical networks in use. Figure 1.1 shows the position and functionalities of the transport layer.
Fig 1.1 Position of transport layer
1.1.1 Services provided to the upper layers
The transport layer makes use of the services provided by the network layer and provides
efficient, reliable and cost-effective service to its users. The hardware and/or software within
the transport layer that does the work is called the transport entity. The transport entity can be
located in the OS kernel, in a separate user process, in a library package bound into network
applications or on the network interface card. Fig 1.2 shows the relationship of the network,
transport and application layers. The transport layer provides both connection-oriented and
connectionless transport service.
Fig 1.2 The network, transport and application layers
The differences in network layer service and transport layer service are
1. The transport code runs entirely on the users' machines, but the network layer mostly runs on
the routers, which are operated by the carrier.
2. The existence of the transport layer makes it possible for the transport service to be more
reliable than the underlying network service, which is generally unreliable. Lost packets and
mangled data can be detected and compensated for by the transport layer.
3. The transport service primitives can be implemented as calls to library procedures in
order to make them independent of the network service primitives.
4. The network service is used only by transport entities, whereas many programs see the
transport primitives.
Thus application programmers can write code according to the standard set of primitives
and run it on a wide variety of networks without worrying about different subnet
interfaces and unreliable transmission.
It is the transport layer that isolates the upper layers from the technology, design and
imperfections of the subnet. In the OSI model, the bottom four layers can be seen as
Transport Service Provider and upper layers are Transport Service User. This distinction
puts the transport layer in a key position, since it forms the major boundary between the
provider and user of the reliable data transmission service.
1.1.2 Transport Service Primitives
The users are allowed to access the transport service through the transport service interface.
Each transport service has its own interface. The table 1.1 provides the primitives for a
simple transport service.
Table 1.1 The primitives for a simple transport service
The general term for a message sent from transport entity to transport entity is TPDU
(Transport Protocol Data Unit). TPDUs (exchanged by the transport layer) are contained in
packets (exchanged by the network layer). In turn, packets are contained in frames (exchanged
by the data link layer). When a frame arrives, the data link layer processes the frame header
and passes the contents of the frame payload field up to the network entity. The network entity
processes the packet header and passes the contents of the packet payload up to the transport
entity. This nesting is shown in fig 1.3.
Fig 1.3 Nesting of TPDUs, packets and frames
Consider an example: an application with a server and a number of remote clients.
 Initially the server executes a LISTEN primitive, by calling a library procedure which
makes a system call to block the server until a client turns up.
 When a client needs the server, it executes a CONNECT primitive. The transport entity
carries out this primitive by blocking the caller and sending a packet to the server, i.e. the
client's CONNECT call causes a CONNECTION REQUEST TPDU to be sent to the server.
 If the server is blocked on a LISTEN, then its transport entity unblocks the server on
receiving the client's TPDU and sends a CONNECTION ACCEPTED TPDU back to the client.
 On receiving this TPDU, the client is unblocked and the connection is established.
 Data can then be exchanged between server and client using the SEND and RECEIVE
primitives.
 Every data packet sent is also acknowledged. The packets bearing control TPDUs are also
acknowledged, implicitly or explicitly. These acknowledgements are managed by the
transport entities.
 To the transport users, a connection is a reliable bit pipe: one user stuffs bits in and they
magically appear at the other end.
To the transport users, a connection is a reliable bit pipe: one user stuffs bits in and they
magically appear at the other end.
When a connection is no longer needed, it must be released to free up table space within the
two transport entities. Disconnection is of two types:
1. Asymmetric- Either transport user can issue a DISCONNECT primitive, which
results in a DISCONNECT TPDU being sent to the remote transport entity. On its
receipt, the connection is released.
2. Symmetric- Each direction is closed separately, independently of the other. When
one side does a DISCONNECT, that means it has no more data to send but it is
still willing to accept data from its partner.
The state diagram for connection establishment and release for the simple primitive is shown
in fig 1.4.
Fig 1.4 A state diagram for simple connection management scheme. The solid lines
show the clients state sequence. The dashed lines show the servers state sequence.
1.2 ELEMENTS OF TRANSPORT PROTOCOLS
The transport service is implemented by a transport protocol used between the two
transport entities. Transport protocols and data link protocols resemble each other, as they
both deal with error control, sequencing and flow control. The differences are due to major
dissimilarities between the environments in which the two protocols operate, as shown in fig 1.5.
Fig 1.5 (a) Environment of the data link layer (b) Environment of the transport layer
Table 1.2 summarizes the differences between the functionalities of the transport layer and
the data link layer.
Routing
  Transport layer: Explicit addressing of the destination is required.
  Data link layer: It is not necessary for a router to specify which router it wants to talk to.
  Each outgoing line uniquely specifies a particular router.
Connectivity
  Transport layer: Initial connection establishment is more complicated.
  Data link layer: The process of establishing a connection over the physical medium is simple.
Storage capacity
  Transport layer: If the subnet uses datagrams and adaptive routing, there is a probability that
  a packet may be stored for a number of seconds and then delivered later.
  Data link layer: When a router sends a frame, it may arrive or be lost, but it cannot bounce
  around for a while and then suddenly emerge.
Buffering
  Transport layer: The difference lies in amount. The larger number of connections that must be
  managed makes the idea of dedicating many buffers to each one.
  Data link layer: Some of the protocols allocate a fixed number of buffers to each line, so that
  when a frame arrives, a buffer is always available.
Table 1.2 Differences between transport layer and data link layer
1.2.1 Addressing
Addressing is an important mechanism that is required to identify and connect to a process.
In the transport layer, addresses are used to set up a connection to a remote process. These
end points are called ports in the Internet (16-bit integers between 0 and 65,535) and AAL-SAPs
in ATM networks. The generic term is TSAP (Transport Service Access Point). The analogous end
points in the network layer (network layer addresses) are called NSAPs (Network Service Access
Points). IP addresses are examples of NSAPs.
Relationship between TSAP, NSAP and transport connection
Application processes, client and server, can attach themselves to a TSAP to establish a
connection to a remote TSAP. These connections run through NSAPs on each host, as shown in
fig 1.6.
Each computer has a single NSAP, so some mechanism is needed to distinguish the multiple
transport end points that share that NSAP. A possible scenario for a transport connection is as
follows.
 The server process on host 2 attaches itself to TSAP 1522 and waits for an incoming request
from the client. A LISTEN call might be used.
 An application process on host 1 that wants to connect issues a CONNECT request specifying
TSAP 1208 as source and TSAP 1522 as destination. This results in a transport connection
being established between the application process on host 1 and the server process on host 2.
 The application process then sends a request.
 The server process responds to the request.
 The transport connection is released.
Fig 1.6 TSAPs, NSAPs and transport connection
Most of the time, server processes will be active, listening at a stable TSAP address. It is
wasteful to have a server listening at its TSAP address all day long. To overcome this problem a
better scheme, called the Initial Connection Protocol, is proposed. In this method, instead of
each server listening at its own TSAP address, a special process server listens to a set of ports
at the same time, waiting for a connection request. The process server acts as a proxy for less
heavily used servers.
If no server is waiting for users, they get a connection to the process server as shown in fig
1.7(a). When the process server gets the incoming request, the process server spawns the
requested server, allowing it to inherit the existing connection with the user. The new server
then does the requested work, while the process server goes back to listen for new requests as
shown in fig 1.7(b).
In some situations services do exist independently of the process server. For example a file
server needs to run on special hardware (a machine with a disk) and cannot just be created
on-the-fly when someone wants to talk to it. To handle this situation, an alternative scheme is
used. In this scheme, a special process called name server or directory server is used.
When a new service is created, it must register itself with the name server, giving both its
service name and its TSAP. The name server records this information in its internal database.
Fig 1.7 User process in Host-1 establishing connection with a server in Host-2
1.2.2 Connection Establishment
Connection establishment looks very simple and straightforward. But problems arise when the
network can lose, store or duplicate packets. When there is heavy congestion on the subnet,
acknowledgements do not get back in time. Because of this delay, packets are retransmitted two
or three times. After some time the original packets may arrive at the destination by a different
route. This leads to the generation of duplicate packets, which create a lot of problems and
confusion in real-time applications.
Several solutions have been proposed to avoid duplicate packets, some of them being:
 Throw-away transport addresses - Each time a transport address is needed, a new one is
generated. When the connection is released, the address is discarded and never used again.
 Connection identifiers - A connection identifier is given to each connection. The connection
identifier is a sequence number incremented for each connection established. It is chosen by
the initiating party and placed in each TPDU, including the one requesting the connection.
After each connection is released, each transport entity could update a table listing obsolete
connections as pairs. When a connection request comes in, it could be checked against the
table to see if it belongs to a previously released connection.
The above two approaches fail because each transport entity has to maintain a certain amount
of history information indefinitely. If a machine crashes and loses its memory, it will no
longer know which connection identifiers have already been used.
By killing off aged packets and ensuring that no packet lives longer than some known time,
the problem becomes manageable. Packet lifetime can be restricted to a known maximum using
the following techniques:
1. Restricted subnet design
In this method, packets are prevented from looping, combined with some way of
bounding congestion delay over the longest possible path.
2. Putting a hop counter in each packet
The hop count is initialized to some appropriate value and decremented each time when
packet is forwarded. When packet hop count becomes zero, packets are discarded.
3. Time stamping each packet
Each packet is added with time it was created. The routers agree to discard any packet
older than some agreed upon time. This method requires clocks to be synchronized
because it works on time factor.
The problem of a machine losing all its memory after a crash can be solved by a method proposed by Tomlinson in 1975. Each host is equipped with a time-of-day clock. The clocks at different hosts need not be synchronized. Each clock is assumed to be a binary counter that increments itself at uniform intervals. The number of bits in the counter must be equal to or greater than the number of bits in the sequence numbers. The important point is that the clock is assumed to continue running even if the host goes down.
The clock-based method solves the delayed duplicate problem for DATA TPDUs once a connection has been established, but problems remain while the connection is being established. If control TPDUs are delayed, there is a potential problem in getting both sides to agree on the initial sequence number, so the connection will not be established unless the control TPDUs are exchanged properly. To overcome this problem, Tomlinson introduced the three-way handshake.
The three protocol scenarios for establishing a connection using the three-way handshake are explained with three cases:
Case 1: Normal operation
Case 2: Old duplicate CONNECTION_REQUEST
Case 3: Duplicate CONNECTION_REQUEST and duplicate ACK
Case 1: The normal setup procedure is shown in fig 1.8(a). Host-1 chooses a sequence number x and sends a CONNECTION_REQUEST TPDU to Host-2. Host-2 receives the CONNECTION_REQUEST TPDU and replies with an ACK TPDU acknowledging x and announcing its own initial sequence number y. Finally, Host-1 acknowledges Host-2's choice of initial sequence number in the first DATA TPDU. The DATA TPDUs carry sequence number x, which serves as the identifier for that connection.
CR : Connection Request TPDU
REJECT : Reject TPDU
ACK : Acknowledge TPDU
x and y are sequence numbers
Fig 1.8 Three protocol scenarios for establishing a connection using a three-way handshake
Case 2: The first TPDU is a delayed duplicate CONNECTION_REQUEST from an old connection, as shown in fig 1.8(b). This delayed CR TPDU arrives at Host-2 without Host-1 knowing anything about it. Host-2 replies to the delayed TPDU by sending an ACK TPDU to Host-1. Host-1 thus receives an ACK TPDU without having sent a CR TPDU; it has no knowledge of the CR, since that CR is the delayed one. So Host-1 rejects Host-2's attempt to establish a connection, Host-2 realizes that it was fooled by a delayed duplicate and discards the connection. In this way the delayed duplicate does no damage.
Case 3: This situation arises when both a CONNECTION_REQUEST and an ACK TPDU are delayed, as shown in fig 1.8(c). Host-2 gets a delayed CONNECTION_REQUEST and replies to it, acknowledging the CR and assigning its own sequence number y. At this point, a second delayed duplicate from the old connection, a DATA TPDU acknowledging sequence number z, arrives at Host-2. Sequence number y is never acknowledged by Host-1, because Host-1 is not aware of any CONNECTION_REQUEST sent to Host-2. This indicates that both the CR and the old DATA TPDU with ACK z are duplicates. So Host-1 sends a REJECT TPDU to Host-2, rejecting the connection.
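The three cases replayed as an added Python simulation (not part of the original notes): two transport entities exchange CR, ACK, DATA and REJECT TPDUs, and the constructed initial sequence numbers 100 and 500 stand in for the two hosts' clock readings; the half-open bookkeeping and the fields of the REJECT TPDU are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TPDU:
    kind: str                   # "CR", "ACK", "DATA" or "REJECT"
    seq: int                    # sequence number chosen by the sender
    ack: Optional[int] = None   # sequence number being acknowledged, if any


class TransportEntity:
    """One end of a connection. 'isn' stands in for the Tomlinson clock reading
    this host uses as its initial sequence number (constructed values)."""

    def __init__(self, name: str, isn: int):
        self.name = name
        self.isn = isn
        self.sent_cr: Optional[int] = None                 # seq of a CR this host really sent
        self.half_open: Optional[Tuple[int, int]] = None   # (peer_seq, my_seq) awaiting final ACK
        self.connection: Optional[Tuple[int, int]] = None  # (my_seq, peer_seq) once established
        self.log = []

    def connect(self) -> TPDU:
        """Choose x from the clock and send CONNECTION_REQUEST."""
        self.sent_cr = self.isn
        return TPDU("CR", self.isn)

    def receive(self, t: TPDU) -> Optional[TPDU]:
        """Process one incoming TPDU and return the reply to send, if any."""
        if t.kind == "CR":
            # Acknowledge x and announce our own initial sequence number y.
            self.half_open = (t.seq, self.isn)
            return TPDU("ACK", self.isn, ack=t.seq)
        if t.kind == "ACK":
            if self.sent_cr is not None and t.ack == self.sent_cr:
                self.connection = (self.sent_cr, t.seq)
                self.sent_cr = None
                # The first DATA TPDU carries x and acknowledges the peer's y.
                return TPDU("DATA", self.connection[0], ack=t.seq)
            # An ACK for a CR we never sent: that CR was a delayed duplicate.
            self.log.append(f"{self.name}: ACK of {t.ack} matches no CR of mine, rejecting")
            return TPDU("REJECT", 0, ack=t.seq)
        if t.kind == "DATA":
            if self.half_open and (t.seq, t.ack) == self.half_open:
                self.connection = (self.half_open[1], self.half_open[0])
                self.half_open = None
            else:
                # Old duplicate DATA acknowledging some z != y cannot complete the handshake.
                self.log.append(f"{self.name}: DATA acknowledging {t.ack} is not my y, ignored")
        elif t.kind == "REJECT":
            if self.half_open and t.ack == self.half_open[1]:
                self.log.append(f"{self.name}: REJECT of {t.ack}, discarding half-open connection")
                self.half_open = None
        return None


def case_normal():
    """Fig 1.8(a): CR(x), ACK(y, ack=x), DATA(x, ack=y)."""
    h1, h2 = TransportEntity("Host-1", 100), TransportEntity("Host-2", 500)
    ack = h2.receive(h1.connect())
    data = h1.receive(ack)
    h2.receive(data)
    return h1.connection, h2.connection


def case_old_duplicate_cr():
    """Fig 1.8(b): a delayed CR with seq 42 (constructed) from an old connection."""
    h1, h2 = TransportEntity("Host-1", 100), TransportEntity("Host-2", 500)
    ack = h2.receive(TPDU("CR", 42))
    reply = h1.receive(ack)          # Host-1 never sent a CR with seq 42
    h2.receive(reply)
    return reply.kind, h1.connection, h2.connection, h2.half_open


def case_duplicate_cr_and_ack():
    """Fig 1.8(c): delayed CR followed by an old DATA TPDU acknowledging z=77 (constructed)."""
    h1, h2 = TransportEntity("Host-1", 100), TransportEntity("Host-2", 500)
    ack = h2.receive(TPDU("CR", 42))        # Host-2 proposes y=500 and waits for its ACK
    h2.receive(TPDU("DATA", 42, ack=77))    # z != y, so Host-2 keeps waiting
    still_waiting = h2.half_open is not None
    reply = h1.receive(ack)                 # Host-1 rejects, exactly as in case 2
    h2.receive(reply)
    return still_waiting, reply.kind, h2.connection, h2.half_open
```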
1.2.3 Connection Release
Connection release is easier than establishing the connection. Connections are released in two ways, asymmetric release and symmetric release, summarized in table 1.3.
Consider the scenario shown in fig 1.9, where release is abrupt and may result in data loss. After the connection is established, Host-1 sends a DATA TPDU that arrives properly at Host-2. Then Host-1 sends another TPDU. Unfortunately, Host-2 issues a DISCONNECT REQUEST (DR) before the second DATA TPDU arrives at Host-2. The result is that the connection is released asymmetrically and the data is lost.
Table 1.3 Asymmetric and Symmetric release
Fig 1.9 Abrupt disconnection with loss of data
Four protocol scenarios for releasing a connection are discussed with the following cases:
1. Normal connection release
2. Final ACK lost
3. Response lost
4. Both response lost and subsequent DISCONNECTION_REQUESTs (DRs) lost
Case 1 Normal connection release
One of the users sends a DR TPDU to initiate the connection release, as shown in fig 1.10(a). When the DR arrives at Host-2, it sends back a DR TPDU indicating its willingness to release. Timers are started when a DR TPDU is sent, to keep track of the time. When the DR TPDU arrives at Host-1, the original sender sends back an ACK TPDU and releases the connection. Finally, the ACK TPDU arrives at Host-2, which also releases the connection.
Note: Releasing the connection means that the transport entity removes the information about the connection from its table of currently open connections and signals the connection owner (the transport user). A DISCONNECTION_REQUEST TPDU is a different action from a transport user issuing a DISCONNECT primitive.
Case 2 Final ACK TPDU is lost
When the final ACK TPDU is lost, the timer saves the situation. Host-2 waits for the timeout; when the timer expires, the connection is released anyway. This is shown in fig 1.10(b).
Case 3 Response Lost
This is the case in which the second DR TPDU is lost, as shown in fig 1.10(c). Host-1, which initiated the disconnection, does not receive the expected response because the second DR from Host-2 was lost. At Host-1 a timeout occurs and it starts all over again, i.e. the DR is sent once more. On arrival of the DR, Host-2 replies again. Host-1 receives the second DR, releases the connection and sends an ACK to Host-2. Upon receiving the ACK, Host-2 releases the connection.
Case 4 Both response and subsequent DRs are lost
In this case, assume that all the repeated attempts to retransmit the DR also fail due to lost TPDUs, as shown in fig 1.10(d). After N retries, the sender just gives up and releases the connection. Meanwhile, the receiver times out and also exits. The sender side gives up and releases the connection, while the other side may never learn about the attempts to disconnect. This situation results in a half-open connection.
A half-open connection could be avoided by not allowing the sender to give up after N retries. But if the other side is allowed to time out while the sender is not, the sender may never release the connection. Another way is to have a rule that if no TPDUs have arrived for a certain number of seconds, the connection is automatically disconnected. If one side ever disconnects, the other side will detect the lack of activity and also disconnect.
Fig 1.10 Four protocol scenarios for releasing a connection: (a) Normal case of three-way handshake (b) Final ACK lost (c) Response lost (d) Response lost and subsequent DRs lost
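An added simulation of the four release scenarios (not from the original notes): a constructed tick-based network drops the transmissions listed in lost, Host-1 initiates with a 3-tick DR timer and N=3 retries, Host-2 uses a 6-tick timer, and the inactivity rule from the last paragraph can be switched on or off; all timer values are assumptions.

```python
from typing import Dict, List, Optional, Tuple


class TransportEntity:
    """One end of an open connection running the symmetric DR/DR/ACK release
    with a DR timer, N retries and an optional inactivity rule (constructed model)."""

    def __init__(self, name: str, timeout: int, n_retries: int = 3,
                 idle_limit: Optional[int] = 12):
        self.name, self.timeout, self.n_retries = name, timeout, n_retries
        self.idle_limit = idle_limit          # None switches the inactivity rule off
        self.released = self.initiator = False
        self.timer: Optional[int] = None      # ticks left on the DR timer
        self.retries = self.idle = 0          # DR retransmissions; ticks since last arrival
        self.log: List[str] = []

    def start_release(self, net: "Network") -> None:
        self.initiator = True
        self._send_dr(net)

    def _send_dr(self, net: "Network") -> None:
        net.send(self, "DR")
        self.timer = self.timeout

    def receive(self, net: "Network", tpdu: str) -> None:
        if self.released:
            return
        self.idle = 0
        if tpdu == "DR" and self.initiator:   # peer is willing: acknowledge and release
            net.send(self, "ACK")
            self._release("DR received, ACK sent")
        elif tpdu == "DR":                    # signal willingness, then wait for the ACK
            self._send_dr(net)
        elif tpdu == "ACK":
            self._release("final ACK received")

    def tick(self, net: "Network") -> None:
        if self.released:
            return
        self.idle += 1
        if self.timer is not None:
            self.timer -= 1
            if self.timer == 0:
                self._timeout(net)
        if not self.released and self.idle_limit is not None and self.idle >= self.idle_limit:
            self._release("no TPDUs for %d ticks, inactivity release" % self.idle_limit)

    def _timeout(self, net: "Network") -> None:
        if not self.initiator:
            self._release("timer expired waiting for ACK")              # case 2
        elif self.retries < self.n_retries:
            self.retries += 1                                            # case 3: send DR again
            self._send_dr(net)
        else:
            self._release("gave up after %d retries" % self.n_retries)  # case 4

    def _release(self, why: str) -> None:
        self.released, self.timer = True, None
        self.log.append(f"{self.name} released: {why}")


class Network:
    """Delivers each TPDU one tick after it is sent; transmissions whose
    0-based index appears in 'lost' are silently dropped."""

    def __init__(self, a: TransportEntity, b: TransportEntity, lost: Tuple[int, ...] = ()):
        self.peers: Dict[TransportEntity, TransportEntity] = {a: b, b: a}
        self.lost, self.count, self.now = set(lost), 0, 0
        self.in_flight: List[Tuple[int, TransportEntity, str]] = []

    def send(self, sender: TransportEntity, tpdu: str) -> None:
        idx, self.count = self.count, self.count + 1
        if idx not in self.lost:
            self.in_flight.append((self.now + 1, self.peers[sender], tpdu))

    def run(self, max_ticks: int = 40) -> int:
        a, b = self.peers.keys()
        while self.now < max_ticks and not (a.released and b.released):
            self.now += 1
            due = [m for m in self.in_flight if m[0] <= self.now]
            self.in_flight = [m for m in self.in_flight if m[0] > self.now]
            for _, receiver, tpdu in due:
                receiver.receive(self, tpdu)
            a.tick(self)
            b.tick(self)
        return self.now


def release_scenario(lost=(), idle_limit=12):
    """Host-1 initiates the release over a network that loses the listed transmissions."""
    h1 = TransportEntity("Host-1", timeout=3, idle_limit=idle_limit)
    h2 = TransportEntity("Host-2", timeout=6, idle_limit=idle_limit)
    net = Network(h1, h2, lost)
    h1.start_release(net)
    net.run()
    return h1, h2
```

Transmission 0 is Host-1's DR, 1 is Host-2's DR and 2 is the final ACK, so lost=(2,) is case 2, lost=(1,) is case 3, lost=(1, 2, 3, 4) is case 4, and losing every DR with idle_limit=None leaves Host-2 half-open.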
1.2.4 Flow Control and Buffering
Connections must be managed while they are in use. The key issues are flow control and buffering. The flow control problem in the transport layer is in some ways the same as in the data link layer and in other ways different. In both layers a sliding window scheme is used to keep a fast transmitter from overrunning a slow receiver.
The flow control schemes used at the data link layer and at the transport layer differ in how buffering is handled. The differences are listed in table 1.4.
Table 1.4 Flow control at data link layer and transport layer
Data Link Layer:
1. Frames are buffered at both the sending router and the receiving router, because frames might have to be retransmitted.
2. All the frames are acknowledged except for the lost frames. All frames are buffered until they are acknowledged.
Transport Layer:
1. Only if the subnet provides datagram service must the sending transport entity buffer all TPDUs, for the same reason (i.e. for retransmission).
2. If the receiver knows that the sender buffers all TPDUs until they are acknowledged, the receiver may or may not dedicate specific buffers to specific connections.
In the transport layer, the receiver may maintain a single buffer pool shared by all connections. When a TPDU comes in, a new buffer is acquired for that connection. If a buffer is available, the TPDU is accepted; otherwise it is discarded. Discarding a TPDU does no harm, because the sender is prepared to retransmit TPDUs lost by the subnet; the sender just keeps trying until it gets an acknowledgement. The cost is wasted resources.
Buffering at the receiver side has some problems. The major problem is buffer size; it is very difficult to choose buffer sizes at the receiver. If all the TPDUs are the same size, organizing the buffer is easy: the buffer can be a pool of identically sized buffers, with one TPDU per buffer. Fixed-size buffers are shown in fig 1.11(a).
The problem with fixed-size buffers is that if TPDU sizes vary widely, from a few characters to thousands of characters, fixed-size buffers fail: for a TPDU of a few characters space is wasted, and a long TPDU overflows, as shown in fig 1.11(a). If the buffer size is chosen equal to the largest possible TPDU, space is wasted whenever a short TPDU arrives. If the buffer size is less than the maximum TPDU size, multiple buffers are needed for long TPDUs, which increases complexity. The buffer size problem can be addressed by a second approach, variable-sized buffers, shown in fig 1.11(b). The advantage of variable-sized buffers is better memory utilization; the disadvantage is more complicated buffer management. A third approach uses a single large circular buffer per connection, as shown in fig 1.11(c).
Fig 1.11 (a) Chained fixed-size buffers (b) Chained variable-size buffers (c) One large circular buffer per connection
Dynamic Buffer Allocation
Dynamic buffer management means, in effect, a variable-sized window. The sender requests a certain number of buffers, based on its requirements. The receiver then grants as many of these as it can afford.
Every time the sender transmits a TPDU, it must decrement its allocation, stopping altogether when the allocation reaches zero; it may not send again until the receiver grants more buffers. The receiver separately piggybacks both acknowledgements and buffer allocations onto the reverse traffic.
UNIT 2
THE INTERNET TRANSPORT PROTOCOL
2.1 Introduction to UDP
2.2 Remote Procedure Call
2.3 The Real-Time Transport Protocol
2.4 Introduction to TCP
2.5 TCP Service Model
The Internet has two important protocols in the transport layer:
 UDP (User Datagram Protocol)
 TCP (Transmission Control Protocol)
UDP is the connectionless protocol and TCP is the connection-oriented protocol.
2.1 Introduction to UDP
UDP (User Datagram Protocol) is an Internet protocol supporting a connectionless transport service. UDP transmits segments consisting of an 8-byte header followed by the payload.
Characteristics of UDP
 No connection establishment
UDP provides a way for applications to send encapsulated IP datagrams without having to establish a connection. UDP does not introduce any delay to establish a connection, so some application protocols, like DNS (Domain Name System), use UDP instead of TCP.
 No connection state
UDP does not maintain connection state and does not keep track of any parameters such as those needed for congestion control.
 Small packet header overhead
The overhead caused by the UDP packet header is very small, because UDP uses only an 8-byte header.
 Finer application-level control over which data is sent and when
As soon as the application process passes data to UDP, UDP packs the data inside a UDP segment and immediately passes the segment to the network layer.
DNS prefers UDP over TCP because there is no connection establishment delay. Table 2.1 gives different applications and the application layer protocols that use UDP at the transport layer.
Table 2.1 Examples of applications that use UDP
A UDP segment consists of an 8-byte header followed by the payload. The header is shown in fig 2.1.
Fig 2.1 UDP segment structure
 Source port and destination port
The source port is required when a reply needs to be sent back to the source. The receiving machine copies the incoming segment's source port into the outgoing segment's destination port. The destination port identifies the receiving process on the destination machine.
 UDP length
This field is 16 bits long and gives the length of the UDP datagram. The length includes the 8-byte header plus the data.
 Checksum
This field is also 16 bits and is used for error detection. The field is optional and is stored as 0 if not computed. The checksum is used to determine whether bits within the UDP segment have been altered by interference or noise in the links as it moves from source to destination.
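An added parser for the 8-byte header just described (example code, not from the notes), run on a constructed DNS-bound datagram; the check of the Length field against the bytes actually received is the caveat a practitioner wants, since a reader that trusts Length blindly reads past the end of its buffer.

```python
import struct

UDP_HEADER = struct.Struct("!HHHH")   # source port, destination port, length, checksum


def parse_udp(datagram: bytes) -> dict:
    """Split a UDP datagram into header fields and payload, trusting the Length
    field only after checking it against the number of bytes actually received."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than the 8-byte UDP header")
    src_port, dst_port, length, checksum = UDP_HEADER.unpack_from(datagram)
    if length < UDP_HEADER.size:
        raise ValueError(f"UDP length {length} is smaller than the header itself")
    if length > len(datagram):
        # A Length larger than the buffer would make a naive reader run past the end.
        raise ValueError(f"UDP length {length} exceeds the {len(datagram)} bytes received")
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "length": length,
        "checksum": checksum,
        "checksum_present": checksum != 0,            # 0 means the sender did not compute one
        "payload": datagram[UDP_HEADER.size:length],  # bytes beyond Length are link padding
    }


def build_reply(request: dict, payload: bytes) -> bytes:
    """Build a reply the way the text describes: the request's source port becomes
    the reply's destination port. The checksum is left at 0 (not computed)."""
    length = UDP_HEADER.size + len(payload)
    return UDP_HEADER.pack(request["dst_port"], request["src_port"], length, 0) + payload


# Constructed sample: a query from ephemeral port 40000 to DNS port 53 with a 5-byte
# payload, followed by 3 bytes of link-layer padding that are not part of the datagram.
SAMPLE = UDP_HEADER.pack(40000, 53, 13, 0) + b"query" + b"\x00\x00\x00"
```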
2.2 Remote Procedure Call
When a process on machine 1 calls a procedure on machine 2, the calling process on 1 is
suspended and execution of the called procedure takes place on 2. Information can be transported
from the caller to the callee in the parameters and can come back in the procedure result. No
message passing is visible to the programmer. This technique is called RPC (Remote Procedure
Call) and has become the basis for many networking applications.
The idea behind RPC is to make a remote procedure call look as much as possible like a local
one. In the simplest form, to call a remote procedure,
 The client program must be bound with a small library procedure, called the client stub, that represents the server procedure in the client's address space.
 The server is bound with a procedure called the server stub. These procedures hide the fact that the procedure call from the client to the server is not local.
The actual steps in making an RPC are shown in fig 2.2.
Fig 2.2 Steps in making an RPC. The stubs are shaded
Step 1 – The client calls the client stub. The call is a local procedure call, with the parameters pushed onto the stack in the normal way.
Step 2 – The client stub packs the parameters into a message and makes a system call to send the message. Packing the parameters is called marshalling.
Step 3 – The kernel sends the message from the client machine to the server machine.
Step 4 – The kernel passes the incoming packet to the server stub.
Step 5 – The server stub calls the server procedure with the unmarshalled parameters. The reply traces the same path in the other direction.
The client procedure written by the user makes a normal (local) procedure call to the client stub,
which has the same name as the server procedure. Since the client procedure and client stub are
in the same address space, the parameters are passed in the usual way.
Similarly the server procedure is called by a procedure in its address space with the parameters it
expects. To the server procedure, nothing is unusual. In this way instead of I/O being done on
sockets, network communication is done by faking a normal procedure call.
With RPC, passing pointers is impossible because the client and the server are in different address spaces. RPC need not use UDP packets, but RPC and UDP are a good fit, and UDP is commonly used for RPC.
2.3 The Real-Time Transport Protocol
Client-server RPC is one area in which UDP is widely used. Another one is real-time multimedia applications. It gradually became clear that having a generic real-time transport protocol for multiple applications would be a good idea. Thus RTP (Real-Time Transport Protocol) was born. It is described in RFC 1889 and is now in widespread use.
The position of RTP in the protocol stack is somewhat strange. It was decided to put RTP in user space and have it (normally) run over UDP. It operates as follows.
 The multimedia application consists of multiple audio, video, text, and possibly other streams.
 These are fed into the RTP library, which is in user space along with the application.
 This library then multiplexes the streams and encodes them in RTP packets, which it then stuffs into a socket.
 At the other end of the socket (in the operating system kernel), UDP packets are generated and embedded in IP packets.
The protocol stack for this situation is shown in fig 2.3(a). The packet nesting is shown in fig 2.3(b).
 Since RTP runs in user space and is linked to the application program, it certainly looks like an application protocol.
 On the other hand, it is a generic, application-independent protocol that just provides transport facilities, so it also looks like a transport protocol.
Probably the best description is that it is a transport protocol that is implemented in the application layer.
Fig 2.3 (a) The position of RTP in the protocol stack (b) Packet Nesting
The basic function of RTP is to multiplex several real-time data streams onto a single stream of UDP packets. The UDP stream can be sent to a single destination (unicasting) or to multiple destinations (multicasting). Because RTP just uses normal UDP, its packets are not treated specially by the routers unless some normal IP quality-of-service features are enabled.
Each packet sent in an RTP stream is given a number one higher than its predecessor. This numbering allows the destination to determine whether any packets are missing. If a packet is missing, the best action for the destination to take is to approximate the missing value by interpolation.
RTP has no flow control, no error control, no acknowledgements, and no mechanism to request retransmissions. Each RTP payload may contain multiple samples, and they may be coded any way the application wants. To allow for interworking, RTP defines several profiles, and for each profile multiple encoding formats may be allowed.
Another facility many real-time applications need is timestamping. The idea here is to allow the source to associate a timestamp with the first sample in each packet. Timestamping not only reduces the effects of jitter but also allows multiple streams to be synchronized with each other.
The RTP header is illustrated in fig 2.4. It consists of three 32-bit words and potentially some extensions.
Fig 2.4 The RTP header
 The first word contains the Version field, which is already at 2.
 The P bit indicates that the packet has been padded to a multiple of 4 bytes. The last padding byte tells how many bytes were added.
 The X bit indicates that an extension header is present.
 The CC field tells how many contributing sources are present, from 0 to 15.
 The M bit is an application-specific marker bit. It can be used to mark the start of a video frame, the start of a word in an audio channel, or something else that the application understands.
 The Payload type field tells which encoding algorithm has been used.
 The Sequence number is just a counter that is incremented on each RTP packet sent. It is used to detect lost packets.
 The Timestamp is produced by the stream's source to note when the first sample in the packet was made. This value can help reduce jitter at the receiver by decoupling the playback from the packet arrival time.
 The Synchronization source identifier tells which stream the packet belongs to. It is the method used to multiplex and demultiplex multiple data streams onto a single stream of UDP packets.
 The Contributing source identifiers, if any, are used when mixers are present in the studio.
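An added example (not from the original notes) that decodes the header fields listed above from a constructed packet and counts missing packets from the sequence numbers, including the 16-bit wraparound that the text does not spell out; the extension header layout is taken from RFC 1889 rather than from the text, and build_rtp is a constructed helper.

```python
import struct


def parse_rtp(packet: bytes) -> dict:
    """Decode the three fixed 32-bit words, the CSRC list, an optional extension
    header and the padding of an RTP packet, rejecting inconsistent lengths."""
    if len(packet) < 12:
        raise ValueError("RTP packet shorter than the 12-byte fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack_from("!BBHII", packet)
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    padded, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F
    end = len(packet)
    if padded:
        pad = packet[-1]                    # the last padding byte holds the padding count
        if pad == 0 or pad > end - 12:
            raise ValueError(f"padding count {pad} inconsistent with packet length")
        end -= pad
    offset = 12 + 4 * cc
    if offset > end:
        raise ValueError(f"CC={cc} but the packet is too short for that many CSRCs")
    csrcs = list(struct.unpack_from(f"!{cc}I", packet, 12))
    if extension:
        # Extension header per RFC 1889 (assumption from the RFC, not the text):
        # 16-bit profile-defined id, 16-bit length in 32-bit words, then the data.
        if end - offset < 4:
            raise ValueError("X bit set but no room for the extension header")
        _ext_id, ext_words = struct.unpack_from("!HH", packet, offset)
        offset += 4 + 4 * ext_words
        if offset > end:
            raise ValueError("extension length runs past the packet")
    return {"version": version, "padded": padded, "extension": extension,
            "marker": marker, "payload_type": payload_type, "sequence": seq,
            "timestamp": timestamp, "ssrc": ssrc, "csrcs": csrcs,
            "payload": packet[offset:end]}


class SequenceTracker:
    """Counts packets that never arrived, using the 16-bit sequence number and
    allowing for the counter wrapping from 65535 back to 0."""

    def __init__(self):
        self.expected = None
        self.missing = 0

    def observe(self, seq: int) -> int:
        """Record one packet's sequence number; return how many were missed before it."""
        if self.expected is None:
            self.expected = (seq + 1) & 0xFFFF
            return 0
        gap = (seq - self.expected) & 0xFFFF
        if gap > 0x8000:                    # late arrival of an old packet, not a loss
            return 0
        self.missing += gap
        self.expected = (seq + 1) & 0xFFFF
        return gap


def build_rtp(seq, timestamp, ssrc, payload, payload_type=8, marker=False, csrcs=(), pad_to=4):
    """Constructed helper: build a version 2 packet padded to a multiple of pad_to bytes."""
    cc = len(csrcs)
    body = struct.pack(f"!{cc}I", *csrcs) + payload
    pad = (-(12 + len(body))) % pad_to
    b0 = (2 << 6) | (0x20 if pad else 0) | cc
    b1 = (0x80 if marker else 0) | payload_type
    packet = struct.pack("!BBHII", b0, b1, seq, timestamp, ssrc) + body
    if pad:
        packet += b"\x00" * (pad - 1) + bytes([pad])
    return packet
```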
RTP has a little sister protocol called RTCP (Real-time Transport Control Protocol). It
handles feedback, synchronization, and the user interface but does not transport any data.
2.4 Introduction to TCP
The Internet's connection-oriented, reliable transport layer protocol is TCP (Transmission Control Protocol). TCP was specifically designed to provide a reliable end-to-end byte stream over an unreliable internetwork (IP). An internetwork differs from a single network because its parts may have different topologies, bandwidths, delays, packet sizes and other parameters.
Characteristics of TCP
 Connection oriented: Before actual data transfer, the two communicating processes must exchange control segments to establish a connection. This means the processes must first handshake with each other. The communication is reliable.
 Full duplex: The connection established is bidirectional, so data transfer can take place in both directions.
 Point to point: The connection is established between a single sender and a single receiver. TCP is not suited to multicasting, so it supports only unicasting.
2.5 The TCP Service Model
TCP service is obtained by both the sender and the receiver creating end points called sockets. Each socket has a socket number consisting of the IP address of the host and a 16-bit number local to that host called a port.
A port is the TCP name for a TSAP (Transport Service Access Point). TCP service is obtained by establishing a connection between a socket on the sending machine and a socket on the receiving machine.
A socket may be used for multiple connections at the same time. Connections are identified by the socket identifiers at both ends, i.e. (socket 1, socket 2). Port numbers below 1024 are reserved for standard services; they are called well-known ports. For example, FTP (file transfer) uses port 21, SMTP (email) uses port 25 and HTTP (the web) uses port 80. Some of the well-known ports are listed in table 2.2.
All TCP connections are full duplex and point to point. Full duplex means that traffic can go in both directions at the same time. Point to point means that each connection has exactly two end points.
Port   Protocol   Application
21     FTP        File transfer
23     Telnet     Remote login
25     SMTP       Email
69     TFTP       Trivial FTP
79     Finger     Look up information
80     HTTP       World wide web
110    POP-3      Remote e-mail access
119    NNTP       USENET news
Table 2.2 Some assigned ports
A TCP connection is a byte stream connection: the data is delivered to the receiving process as a sequence of bytes, without regard to the units in which it was written. For example, if the sending process does four 512-byte writes to the TCP stream, the data may be delivered to the receiving process as four 512-byte chunks, two 1024-byte chunks, one 2048-byte chunk, or in some other way. The receiver cannot detect the units in which the data were written.
UNIT 3
TRANSMISSION CONTROL PROTOCOL
3.1 The TCP Protocol
3.2 TCP Segment Header
3.3 TCP Connection Establishment
3.4 TCP Connection Release
3.5 Modeling TCP Connection Management
3.6 TCP Transmission Policy
3.7 TCP Congestion Control
3.1 The TCP Protocol
Every byte in a TCP connection has its own 32-bit sequence number. TCP entities exchange data in the form of segments. A TCP segment consists of a fixed 20-byte header (plus an optional part) followed by zero or more data bytes. The TCP software decides how large the segments should be.
The TCP software can split data into one or more segments or accumulate data from several writes into one segment. Two limits restrict the segment size.
 First, each segment, including the TCP header, must fit in the 65,515-byte IP payload.
 Second, each network has a Maximum Transfer Unit (MTU) and each segment must fit in the MTU. Generally the MTU is 1500 bytes (the Ethernet payload size).
The basic protocol used by TCP entities is the sliding window protocol. When a sender transmits a segment, it also starts a timer. When the segment arrives at the destination, the receiving TCP entity sends back a segment bearing an acknowledgement number equal to the next sequence number it expects to receive. If the sender's timer goes off before the acknowledgement arrives, the sender retransmits the segment.
3.2 TCP Segment Header
Every TCP segment begins with a fixed-format, 20-byte header. The fixed header may be followed by header options. Segments without data are commonly used for acknowledgements and control messages. Fig 3.1 shows the layout of a TCP segment.
Fig 3.1 The TCP header
 Source port and destination port: These fields identify the local end points of the connection. A 16-bit port number plus its host's 32-bit IP address forms a 48-bit unique end point. The source and destination end points together identify the connection. The port numbers are used for multiplexing and demultiplexing data to and from upper layer applications.
 Sequence number: A 32-bit field that TCP assigns to the first data byte in the segment. The sequence number restarts from 0 after it reaches 2^32 - 1.
 Acknowledgement number: Specifies the sequence number of the next byte that the receiver expects, and thereby acknowledges receipt of all bytes up to, but not including, that number. If the SYN bit is set, the acknowledgement number refers to the initial sequence number (ISN).
 TCP header length: A 4-bit field giving the length of the TCP header in 32-bit words. The TCP header is of variable length because of the Options field.
 URG (Urgent pointer bit): A 1-bit field. URG is set to 1 if the Urgent pointer is in use. The Urgent pointer indicates a byte offset from the current sequence number at which the urgent data are to be found.
 ACK (Acknowledgement): This bit is set to indicate that the Acknowledgement number is valid. If ACK is 0, the segment does not contain an acknowledgement, so the Acknowledgement number field is ignored.
 PSH (Pushed data): If this bit is set, the receiver should deliver the data to the upper layer immediately.
 RST (Reset bit): This bit is used to reset a connection that has become confused due to a host crash or some other reason. It is also used to reject an invalid segment or to refuse an attempt to open a connection.
 SYN (Synchronize bit): This bit is used to establish connections. A connection request has SYN=1 and ACK=0, indicating that the piggybacked acknowledgement field is not in use. The connection reply has SYN=1 and ACK=1, indicating that it does bear an acknowledgement.
 FIN (Finished bit): This bit is used to release a connection. It indicates that the sender has no more data to transmit. After closing its direction of the connection, the closing process may continue to receive data indefinitely.
 Window size: This 16-bit field is used for flow control. It indicates the number of bytes that the receiver is willing to accept. TCP uses a variable-sized sliding window.
 Checksum: This field provides extra reliability. The checksum algorithm simply adds up all the 16-bit words in one's complement and then takes the one's complement of the sum. When the receiver performs the same calculation on the entire segment, including the Checksum field, the result should be zero.
 The pseudoheader contains the 32-bit IP addresses of the source and destination machines, the protocol number for TCP and the byte count of the TCP segment. The conceptual pseudoheader is shown in fig 3.2. Including the pseudoheader in the TCP checksum computation helps to detect misdelivered packets. Including it also violates the protocol hierarchy, since the IP addresses in it belong to the IP layer, not to the TCP layer.
 Urgent pointer field: This field directs the receiver to add the values in the Urgent pointer field and the Sequence number field to find the number of the last byte of data to be delivered urgently to the destination application.
 Options field: This provides extra facilities that are not covered by the regular header. The most important option is the one that allows each host to specify the maximum TCP payload it is willing to accept.
Fig 3.2 The pseudoheader included in the TCP checksum
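An added example (not from the original notes) that parses the fixed header, the flag bits and the MSS option, and computes and verifies the one's complement checksum over the pseudoheader of fig 3.2; the same routine with protocol number 17 produces the optional UDP checksum described in 2.1. Addresses, ports and sequence numbers are constructed.

```python
import struct
from ipaddress import IPv4Address

TCP_FIXED = struct.Struct("!HHIIBBHHH")   # the 20-byte fixed header
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
PROTO_TCP, PROTO_UDP = 6, 17


def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit words with end-around carry, as the checksum algorithm requires."""
    if len(data) % 2:
        data += b"\x00"                       # an odd trailing byte is padded with zero
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudoheader(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """Source IP, destination IP, a zero byte, the protocol number, the transport length."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, proto, length))


def transport_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> int:
    """Value to place in a segment whose Checksum field is currently zero."""
    return (~ones_complement_sum(pseudoheader(src_ip, dst_ip, proto, len(segment)) + segment)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    """Receiver side: summing pseudoheader plus the whole segment, Checksum field
    included, must give all ones, i.e. zero after complementing."""
    return ones_complement_sum(pseudoheader(src_ip, dst_ip, proto, len(segment)) + segment) == 0xFFFF


def parse_options(options: bytes) -> dict:
    """Walk the kind/length option list with bounds checks; only MSS (kind 2) is decoded."""
    found, i = {}, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP used for alignment
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed TCP option")
        length = options[i + 1]
        if kind == 2 and length == 4:
            found["mss"] = struct.unpack_from("!H", options, i + 2)[0]
        i += length
    return found


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < TCP_FIXED.size:
        raise ValueError("segment shorter than the 20-byte fixed header")
    sport, dport, seq, ack, off, flags, window, csum, urg = TCP_FIXED.unpack_from(segment)
    header_len = (off >> 4) * 4               # TCP header length is given in 32-bit words
    if header_len < TCP_FIXED.size or header_len > len(segment):
        raise ValueError(f"header length {header_len} inconsistent with the segment")
    flag_set = {name for name, bit in FLAG_BITS.items() if flags & bit}
    info = {"src_port": sport, "dst_port": dport, "seq": seq, "window": window,
            "flags": flag_set, "header_len": header_len, "checksum": csum,
            "ack": ack if "ACK" in flag_set else None,    # ignored unless ACK is set
            "options": parse_options(segment[TCP_FIXED.size:header_len]),
            "payload": segment[header_len:]}
    if "URG" in flag_set:
        # Sequence number + Urgent pointer = last byte of urgent data (the text's rule).
        info["urgent_end"] = (seq + urg) & 0xFFFFFFFF
    return info


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, isn: int, mss: int = 1460) -> bytes:
    """Constructed SYN segment carrying an MSS option and a correct checksum."""
    options = struct.pack("!BBH", 2, 4, mss)
    words = (TCP_FIXED.size + len(options)) // 4
    seg = TCP_FIXED.pack(sport, dport, isn, 0, words << 4, FLAG_BITS["SYN"], 65535, 0, 0) + options
    csum = transport_checksum(src_ip, dst_ip, PROTO_TCP, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]    # Checksum field is bytes 16-17
```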
3.3 TCP Connection Establishment
 TCP establishes a connection by a three-way handshake. The server waits passively for an incoming connection by executing the LISTEN and ACCEPT primitives.
 The client side executes the CONNECT primitive, specifying the IP address and port to which it wants to connect, the maximum TCP segment size it is willing to accept and optionally some user data.
 The CONNECT primitive sends a TCP segment with the SYN bit on and the ACK bit off and waits for a response.
 When the segment arrives at the destination, the TCP entity there checks whether some process has executed LISTEN on the port given in the destination port field. If not, it sends a reply with the RST bit on to reject the connection.
Fig 3.3 (a) TCP connection establishment in the normal case (b) Call collision
The sequence of TCP segments sent in the normal case is shown in fig 3.3(a). A SYN segment consumes one byte of sequence space so that it can be acknowledged unambiguously.
In the event that two hosts simultaneously attempt to establish a connection between the same two sockets, the sequence of events is as illustrated in fig 3.3(b). The result of these events is that only one connection is established, not two, because connections are identified by their end points. If the first attempt results in a connection identified by (x, y) and the second one does too, only one table entry is made for (x, y).
3.4 TCP Connection Release
TCP connections are full duplex and can be thought of as a pair of simplex connections. Each simplex connection is released independently of the other. To release a connection, either party can send a TCP segment with the FIN bit set, which means that it has no more data to transmit. When the FIN is acknowledged, that direction is shut down for new data. Data may continue to flow indefinitely in the other direction. When both directions have been shut down, the connection is released.
Four TCP segments are normally needed to release a connection: one FIN and one ACK for each direction. It is also possible to combine the first ACK and the second FIN in the same segment, reducing the count to three.
3.5 TCP Connection Management Modeling
The steps required to establish and release connections can be represented in a finite state machine with the 11 states listed in table 3.1. In each state, certain events are legal. When a legal event happens, some action may be taken. If some other event happens, an error is reported.
 Each connection starts in the CLOSED state.
 It leaves that state when it does either a passive open (LISTEN) or an active open (CONNECT).
 If the other side does the opposite one, a connection is established and the state becomes ESTABLISHED.
 Connection release can be initiated by either side. When it is complete, the state returns to CLOSED.
Table 3.1 The states used in the TCP connection management finite state machine
The finite state machine itself is shown in fig 3.4.
 The common case of a client actively connecting to a passive server is shown with heavy lines: solid for the client, dotted for the server.
 The lightface lines are unusual event sequences. Each line in fig 3.4 is marked by an event/action pair.
 The event can be either a user-initiated system call (CONNECT, LISTEN, SEND, or CLOSE), a segment arrival (SYN, FIN, ACK or RST), or in one case, a timeout of twice the maximum packet lifetime.
 The action is the sending of a control segment (SYN, FIN or RST) or nothing, indicated by –.
 Comments are shown in parentheses.
Fig 3.4 TCP connection management finite state machine
To understand the diagram, first follow the path of a client (the heavy solid line), then follow the path of a server (the heavy dashed line).
 When an application program on the client machine issues a CONNECT request, the local TCP entity creates a connection record, marks it as being in the SYN SENT state and sends a SYN segment.
 When the SYN+ACK arrives, TCP sends the final ACK of the three-way handshake and switches into the ESTABLISHED state. Data can now be sent and received.
 When an application is finished, it executes a CLOSE primitive, which causes the local TCP entity to send a FIN segment and wait for the corresponding ACK (dashed box marked active close).
 When the ACK arrives, a transition is made to the FIN WAIT 2 state and one direction of the connection is now closed. When the other side closes too, a FIN comes in, which is acknowledged.
 Now both sides are closed, but TCP waits a time equal to the maximum packet lifetime to guarantee that all packets from the connection have died off, just in case the acknowledgement was lost. When the timer goes off, TCP deletes the connection record.
Server’s viewpoint
 The server does a LISTEN and settles down to see who turns up.
 When a SYN comes in, it is acknowledged and the server goes to the SYN RCVD state.
 When the server’s SYN is itself acknowledged, the three-way handshake is complete and
the server goes to the ESTABLISHED state. Data transfer can now occur.
 When the client is done, it does a CLOSE, which causes a FIN to arrive at the server
(dashed box marked passive close). The server is then signaled. When it, too, does a
CLOSE, a FIN is sent to the client.
 When the client’s acknowledgement shows up, the server releases the connection and
deletes the connection record.
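The finite state machine as an added Python transition table (not the notes' own code): because table 3.1 and fig 3.4 are not reproduced here, the 11 state names and the event/action pairs are taken from RFC 793, and the table is then walked along the client and server paths described above.

```python
# (state, event) -> (action, next state).  "-" means no control segment is sent.
TRANSITIONS = {
    ("CLOSED", "CONNECT"):     ("SYN",     "SYN SENT"),
    ("CLOSED", "LISTEN"):      ("-",       "LISTEN"),
    ("LISTEN", "SYN"):         ("SYN+ACK", "SYN RCVD"),
    ("LISTEN", "SEND"):        ("SYN",     "SYN SENT"),
    ("LISTEN", "CLOSE"):       ("-",       "CLOSED"),
    ("SYN SENT", "SYN+ACK"):   ("ACK",     "ESTABLISHED"),
    ("SYN SENT", "SYN"):       ("SYN+ACK", "SYN RCVD"),     # simultaneous open
    ("SYN SENT", "CLOSE"):     ("-",       "CLOSED"),
    ("SYN RCVD", "ACK"):       ("-",       "ESTABLISHED"),
    ("SYN RCVD", "CLOSE"):     ("FIN",     "FIN WAIT 1"),
    ("SYN RCVD", "RST"):       ("-",       "LISTEN"),
    ("ESTABLISHED", "CLOSE"):  ("FIN",     "FIN WAIT 1"),   # active close
    ("ESTABLISHED", "FIN"):    ("ACK",     "CLOSE WAIT"),   # passive close
    ("FIN WAIT 1", "ACK"):     ("-",       "FIN WAIT 2"),
    ("FIN WAIT 1", "FIN"):     ("ACK",     "CLOSING"),      # simultaneous close
    ("FIN WAIT 1", "FIN+ACK"): ("ACK",     "TIME WAIT"),
    ("FIN WAIT 2", "FIN"):     ("ACK",     "TIME WAIT"),
    ("CLOSING", "ACK"):        ("-",       "TIME WAIT"),
    ("TIME WAIT", "TIMEOUT"):  ("-",       "CLOSED"),       # twice the maximum packet lifetime
    ("CLOSE WAIT", "CLOSE"):   ("FIN",     "LAST ACK"),
    ("LAST ACK", "ACK"):       ("-",       "CLOSED"),
}
STATES = sorted({s for s, _ in TRANSITIONS} | {n for _, n in TRANSITIONS.values()})


class TcpConnection:
    """A connection record driven by the event/action table above."""

    def __init__(self):
        self.state = "CLOSED"
        self.trace = []               # (event, action, new state) for each step taken

    def handle(self, event: str) -> str:
        """Apply one event and return the control segment sent ("-" for none).
        An event that is not legal in the current state is reported as an error."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise RuntimeError(f"event {event} is not legal in state {self.state}")
        action, self.state = TRANSITIONS[key]
        self.trace.append((event, action, self.state))
        return action


def client_path() -> list:
    """Heavy solid line: active open, data transfer, then active close."""
    c = TcpConnection()
    for event in ["CONNECT", "SYN+ACK", "CLOSE", "ACK", "FIN", "TIMEOUT"]:
        c.handle(event)
    return [state for _, _, state in c.trace]


def server_path() -> list:
    """Heavy dashed line: passive open, then passive close after the client's FIN."""
    s = TcpConnection()
    for event in ["LISTEN", "SYN", "ACK", "FIN", "CLOSE", "ACK"]:
        s.handle(event)
    return [state for _, _, state in s.trace]
```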
3.7 TCP Transmission policy
Window management in TCP is not directly tied to acknowledgements as it is in most data
link protocols. For example, suppose the receiver has a 4096-byte buffer as shown in fig 3.5.
If the sender transmits a 2048-byte segment that is correctly received, the receiver will
acknowledge the segment. However, since it now has only 2048 bytes of buffer space, it will
advertise a window of 2048 starting at the next byte expected.
Now the sender transmits another 2048 bytes, which are acknowledged, but the advertised
window is 0. The sender must stop until the application process on the receiving host has
removed some data from the buffer, at which time TCP can advertise a larger window.
When the window is 0, the sender may not normally send segments, with two exceptions.
1. Urgent data may be sent, for example to allow the user to kill the process running on
the remote machine.
2. The sender may send a 1-byte segment to make the receiver reannounce the next byte
expected and the window size.
Senders are not required to transmit data as soon as they come in from the application.
Neither are receivers required to send acknowledgements as soon as possible. For example, in
fig 3.5, when the first 2 KB of data came in, TCP, knowing that it had a 4 KB window
available, would have been completely correct in just buffering the data until another 2 KB
came in, so as to transmit a single segment with a 4 KB payload. This freedom can be exploited
to improve performance.
Fig 3.5 Window management in TCP
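The buffer accounting of fig 3.5, including the zero-window case and the 1-byte probe of exception 2 above, as an added Python illustration that is not part of the original notes. The Receiver and Sender classes, the run_fig35 replay and the log strings it produces are constructions of this example, not code from any TCP implementation:

```python
"""Window bookkeeping for the fig 3.5 scenario (added example, not from the text)."""
from dataclasses import dataclass, field


@dataclass
class Receiver:
    """Receiving TCP with a fixed buffer; the application drains it explicitly."""
    buffer_size: int
    next_expected: int = 0   # sequence number of the next byte we want
    buffered: int = 0        # bytes held that the application has not read yet

    def window(self):
        return self.buffer_size - self.buffered

    def accept(self, seq, length):
        """Accept an in-order segment; reply with (ack, advertised window)."""
        if seq != self.next_expected:
            raise ValueError("out-of-order data is not modelled here")
        if length > self.window():
            # Data beyond the advertised window is dropped; the ack still
            # re-announces the next byte expected and the current window.
            return self.next_expected, self.window()
        self.buffered += length
        self.next_expected += length
        return self.next_expected, self.window()

    def app_read(self, nbytes):
        """The receiving application removes data, freeing buffer space."""
        self.buffered -= min(nbytes, self.buffered)
        return self.next_expected, self.window()


@dataclass
class Sender:
    window: int                  # last window advertised by the receiver
    next_seq: int = 0
    log: list = field(default_factory=list)

    def send(self, receiver, length):
        """Send min(length, window) bytes; a zero window blocks ordinary data."""
        if self.window == 0:
            self.log.append(f"blocked: window is 0, {length} bytes wait")
            return 0
        length = min(length, self.window)
        ack, win = receiver.accept(self.next_seq, length)
        self.next_seq, self.window = ack, win
        self.log.append(f"sent {length} bytes -> ack={ack} win={win}")
        return length

    def probe(self, receiver):
        """Zero-window probe: a 1-byte segment whose purpose is to make the
        receiver re-announce its ack number and window (exception 2 above).
        If the window has opened meanwhile, the byte is real data and is kept."""
        ack, win = receiver.accept(self.next_seq, 1)
        self.next_seq, self.window = ack, win
        self.log.append(f"probe -> ack={ack} win={win}")
        return win


def run_fig35():
    """Replay fig 3.5: 4096-byte receiver buffer, two 2048-byte segments,
    a blocked sender, a probe, the application draining 2048 bytes, a probe
    that learns the reopened window, and the next segment."""
    rx = Receiver(buffer_size=4096)
    tx = Sender(window=4096)
    tx.send(rx, 2048)          # ack=2048, win=2048
    tx.send(rx, 2048)          # ack=4096, win=0
    tx.send(rx, 1024)          # blocked: window is 0
    tx.probe(rx)               # still full: ack=4096, win=0
    rx.app_read(2048)          # application frees space (update may be lost)
    tx.probe(rx)               # probe byte accepted: ack=4097, win=2047
    tx.send(rx, 2048)          # only 2047 fit: ack=6144, win=0
    return tx.log
```

The first probe returns the same ack and a zero window, which is all a sender can learn while the buffer is full; the second probe is made after the application has read 2 KB, so its byte is accepted and the reply reopens the window.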
Nagle’s Algorithm
What Nagle suggested is simple: when data come into the sender one byte at a time, just send
the first byte and buffer all the rest until the outstanding byte is acknowledged. Then send all
the buffered characters in one TCP segment and start buffering again until they all are
acknowledged.
If the user is typing quickly and the network is slow, a substantial number of characters may
go in each segment, greatly reducing the bandwidth used. The algorithm additionally allows
a new packet to be sent if enough data have trickled in to fill half the window or a maximum
segment.
Nagle’s algorithm is widely used by TCP implementations, but there are times when
it is better to disable it. In particular, when an X Window application is being run over the
internet, mouse movements have to be sent to the remote computer, and batching them up
would make the cursor move erratically.
Another problem that can ruin TCP performance is the silly window syndrome. This
problem occurs when data are passed to the sending TCP entity in large blocks, but an
interactive application on the receiving side reads data one byte at a time.
The problem is illustrated in fig 3.6. Initially, the TCP buffer on the receiving side is full
and the sender knows this (i.e., window size 0). Then the interactive application reads one
character from the TCP stream. This action makes the receiving TCP happy, so it sends a
window update to the sender saying that it is all right to send 1 byte. The sender obliges and
sends 1 byte. The buffer is now full again, so the receiver acknowledges the 1-byte segment but
sets the window to 0. This behavior can go on forever.
Fig 3.6 Silly window syndrome
Clark’s solution is to prevent the receiver from sending a window update for 1 byte. Instead,
it is forced to wait until it has a decent amount of space available and advertise that instead.
Specifically, the receiver should not send a window update until it can handle the maximum
segment size it advertised when the connection was established, or its buffer is half empty,
whichever is smaller.
Furthermore, the sender can also help by not sending tiny segments. Instead, it should try to
wait until it has accumulated enough space in the window to send a full segment or at least
one containing half of the receiver’s buffer size.
Nagle’s algorithm and Clark’s solution to the silly window syndrome are complementary.
Nagle was trying to solve the problem caused by the sending application delivering data to
TCP a byte at a time. Clark was trying to solve the problem of the receiving application
sucking the data up from TCP a byte at a time. Both solutions are valid and can work
together.
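Both rules, the sender-side Nagle rule and the receiver-side Clark rule, as an added Python simulation that is not part of the original notes. The tick-based typist model, the 4096-byte window, the 1460-byte maximum segment size and the helper names are assumptions of this example; the decision rules themselves follow the two paragraphs above:

```python
"""Nagle's sender rule and Clark's receiver rule (added example, not from the text)."""


def nagle_should_send(pending, unacked, window, mss):
    """Nagle: send at once if nothing is outstanding; otherwise hold the bytes
    until enough accumulate to fill a maximum segment or half the window."""
    if pending == 0:
        return False
    if unacked == 0:
        return True
    return pending >= mss or pending >= window // 2


def simulate_typist(nchars, rtt_ticks, window=4096, mss=1460, nagle=True):
    """One keystroke reaches TCP per tick; the ack for a segment comes back
    rtt_ticks later. Returns the list of segment payload sizes put on the wire."""
    segments, pending, unacked, ack_due = [], 0, 0, None
    for tick in range(nchars + rtt_ticks + 1):
        if ack_due is not None and tick >= ack_due:
            unacked, ack_due = 0, None             # outstanding data acknowledged
        if tick < nchars:
            pending += 1                           # one more typed character
        if nagle:
            go = nagle_should_send(pending, unacked, window, mss)
        else:
            go = pending > 0                       # one tiny segment per keystroke
        if go:
            segments.append(pending)
            unacked, pending = pending, 0
            ack_due = tick + rtt_ticks
    return segments


def clark_advertise(free_space, buffer_size, mss):
    """Clark: advertise a non-zero window only once the free space reaches the
    advertised MSS or half the buffer, whichever is smaller; otherwise 0."""
    threshold = min(mss, buffer_size // 2)
    return free_space if free_space >= threshold else 0


def simulate_silly_window(reads, buffer_size=4096, mss=1460, clark=True):
    """Buffer starts full; the application reads one byte per call and the
    sender immediately fills whatever window is advertised. Returns the list
    of non-zero window updates sent to the sender."""
    updates, free = [], 0
    for _ in range(reads):
        free += 1                                  # application read 1 byte
        adv = clark_advertise(free, buffer_size, mss) if clark else free
        if adv:
            updates.append(adv)
            free -= adv                            # sender fills the window
    return updates
```

With an 11-character burst and a four-tick round trip, Nagle's rule sends segments of 1, 4, 4 and 2 bytes instead of eleven 1-byte segments; with Clark's rule the receiver that is drained one byte at a time sends two 1460-byte updates where the naive receiver would send 2920 updates of one byte each.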
3.8 TCP congestion control
When the load offered to any network is more than it can handle, congestion builds up. In
theory, congestion can be dealt with by employing a principle borrowed from physics: the
law of conservation of packets. The idea is not to inject a new packet into the network until
an old one leaves. TCP attempts to achieve this goal by dynamically manipulating the window
size.
The first step in managing congestion is detecting it. When a connection is established, a
suitable window size has to be chosen. The receiver can specify a window based on its buffer
size. If the sender sticks to this window size, problems will not occur due to buffer overflow at
the receiving end, but they may still occur due to internal congestion within the network.
In fig 3.6(a) a thick pipe leads to a small-capacity receiver. As long as the sender does not send
more water than the bucket can contain, no water will be lost. In fig 3.6(b), the limiting factor
is not the bucket capacity, but the internal carrying capacity of the network. If too much
water comes in too fast, it will back up and some will be lost.
Fig 3.6 (a) A fast sender feeding a low-capacity receiver (b) A slow network feeding a
high-capacity receiver
The internet solution is to realize that two potential problems exist, network capacity and
receiver capacity, and to deal with each of them separately. To do so, each sender maintains
two windows: the window the receiver has granted and a second window, the congestion
window. Each reflects the number of bytes the sender may transmit. The number of bytes
that may be sent is the minimum of the two windows. Thus the effective window is the minimum
of what the sender thinks is all right and what the receiver thinks is all right.
Module 5
Unit 1 Domain Name System
1.1 Application Layer Overview
1.2 DNS
1.2.1 The DNS Name System
1.2.2 Resource Records
1.2.3 Name Servers
Unit 2 Electronic Mail
2.6 Architecture and Services
2.7 The User Agent
2.8 Message Formats
2.9 Message Transfer
2.10 Final Delivery
Unit 1
DOMAIN NAME SYSTEM
1.1 Application Layer Overview
1.2 DNS
1.2.1 The DNS Name System
1.2.2 Resource Records
1.2.3 Name Servers
1.1 Application Layer Overview
The application layer is built on the transport layer and provides network services to user
applications. The application layer defines and performs applications such as electronic mail (e-mail), remote access to computers, file transfers, newsgroups, and the web, as well as streaming
video, internet radio and telephony, P2P file sharing, multi-user networked games, streaming
stored video clips, and real-time video conferencing.
The application layer has its own software dependencies. When a new application is developed,
its software must be able to run on multiple end hosts, but it does not need to be written for
networking devices, such as routers, that function at the network layer. In client/server
architecture, for example, a client end host requests services from a server host. A client host may
be connected only some of the time or always. Fig 1.1 shows an example of application-layer communication.
Fig 1.1 Web communication between two end systems
1.2 Domain Name System (DNS)
On the internet, each host is identified by an address (for example, the TCP/IP protocol suite uses the IP
address). These addresses are hard for people to remember. So, people started
preferring names instead of addresses. Therefore, we need a system that can map an ASCII name
to an address or an address to an ASCII name.
One of the most important components of the application layer is the Domain Name System
(DNS) server. DNS is a distributed, hierarchical and global directory that translates machine or
domain names to numerical IP addresses. DNS can be thought of as a distributed database system
used to map host names to IP addresses, and vice versa. DNS is a critical infrastructure, and
all hosts contact DNS servers when they initiate connections. DNS can run over either UDP or
TCP. However, running over UDP is usually preferred, since the fast response for a transaction
provided by UDP is required. Some of the information-processing functions the DNS server
handles are
• Finding the address of a particular host
• Delegating a sub-tree of server names to another server
• Denoting the start of the sub-tree that contains cache and configuration parameters,
and giving corresponding addresses
• Naming a host that processes incoming mail for the designated target
• Finding the host type and the operating system information
• Finding an alias for the real name of a host
• Mapping IP addresses to host names
DNS is an application-layer protocol, and every Internet service provider, whether for an
organization, a university campus, or even a residence, has a DNS server. In the normal mode of
operation, a host sends UDP queries to a DNS server. The DNS server either replies or directs
the queries to other servers. The DNS server also stores information other than host addresses.
The DNS routinely constructs a query message and passes it to the UDP transport layer without
any handshaking with the UDP entity running on the destination end system. Then, a UDP
header field is attached to the message, and the resulting segment is passed to the network layer.
The network layer always encapsulates the UDP segment into a datagram. The datagram, or
packet, is now sent to a DNS server. If the DNS server does not respond, the fault may be UDP’s
unreliability.
1.2.1 Domain Name Space
Any entity in the TCP/IP environment is identified by an IP address, which thereby identifies the
connection of the corresponding host to the Internet. An IP address can also be assigned a
domain name. Unique domain names assigned to hosts must be selected from a name space and
are generally organized in a hierarchical fashion.
The internet is divided into 200 top-level domains, where each domain covers many hosts. Each
domain is partitioned into sub-domains and these are further partitioned, and so on. Domain
names are defined in a tree-based structure with the root at the top, as shown in fig 1.2. A tree
is structured with a maximum of 128 levels, starting at level 0 (root). Each level consists of
nodes. A node on a tree is identified by a label, a string of up to 63 characters, except for the
root label, which is the empty string.
Fig 1.2 Hierarchy of domain name space, labels, and domain names
The top-level domains are classified into two categories. They are
• Generic domains
• Country domains
The generic domains define registered hosts according to their generic behavior, as shown
in fig 1.2. The generic domains are
.com (commercial)
.edu (educational institutions)
.gov (government)
.int (some international organizations)
.mil (US armed forces)
.net (network providers)
.org (non-profit organizations)
The country domains include one entry for every country; for example, India’s domain is .in,
Australia has .au, etc. All these country domains are defined in ISO 3166. They follow the same
format as the generic domains and use two-character country abbreviations.
The last label of a domain name expresses the type of organization; other parts of the domain
name indicate the hierarchy of the departments within the organization. Thus, an organization
can add any suffix or prefix to its name to define its hosts or resources. A domain name is a
sequence of labels separated by dots and is read from the node up to the root. For example,
moving from right to left, we can parse the domain name news.company1.com as follows: a
commercial organization (.com) and the "news" section of "company1" (news.company1).
Domain names can also be partial. For example, company1.com is a partial domain name.
Domain names are absolute or relative. An absolute domain name always ends with a dot
(for example java.sun.com.), whereas a relative domain name does not end with a dot. Domain
names are case insensitive, so edu and EDU mean the same thing. The full path name must not
exceed 255 characters and each component name can be up to 63 characters long. If a new
domain has to be created, permission is required from the domain in which it is to be included.
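The naming rules above (labels of at most 63 characters, a full name of at most 255, case insensitivity, the trailing dot of an absolute name, and right-to-left reading from the top-level domain) as an added Python parser that is not part of the original notes. The function names, the returned dictionary layout and the "other" category for top-level domains outside the lists above are assumptions of this example:

```python
"""Parsing and validating domain names by the rules above (added example)."""

MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
# Generic top-level domains listed in the text; two-letter TLDs are country codes.
GENERIC_TLDS = {"com", "edu", "gov", "int", "mil", "net", "org"}


def parse_domain_name(name):
    """Split a domain name into labels, classify its top-level domain and
    enforce the length limits. Returns a dict; raises ValueError if malformed."""
    absolute = name.endswith(".")              # absolute names end with a dot
    body = name[:-1] if absolute else name
    if len(body) > MAX_NAME_LEN:
        raise ValueError(f"name longer than {MAX_NAME_LEN} characters")
    labels = [] if body == "" else body.split(".")   # "" is the root label
    for label in labels:
        if not 1 <= len(label) <= MAX_LABEL_LEN:
            raise ValueError(f"bad label length: {label!r}")
        if not all(c.isalnum() or c == "-" for c in label):
            raise ValueError(f"bad character in label: {label!r}")
    labels = [label.lower() for label in labels]   # names are case-insensitive
    if not labels:
        category = "root"
    elif labels[-1] in GENERIC_TLDS:
        category = "generic"
    elif len(labels[-1]) == 2:
        category = "country"                   # ISO 3166 two-letter code
    else:
        category = "other"                     # assumption: not in the lists above
    return {
        "labels": labels,
        "absolute": absolute,
        "tld": labels[-1] if labels else "",
        "category": category,
        # The path from the root down to the node, i.e. the name read right to left.
        "path_from_root": list(reversed(labels)),
    }


def same_name(a, b):
    """Case-insensitive comparison of two names; a trailing dot is ignored."""
    return parse_domain_name(a)["labels"] == parse_domain_name(b)["labels"]
```

Rejecting over-long labels and names before they reach a resolver is a cheap sanity check; a name that violates these limits cannot be encoded in a DNS message at all.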
1.2.2 Resource Records
Each domain name is associated with records called resource records. The server database
consists of resource records. These records are returned by the server to the client. Here the server is
a DNS server which returns the resource records associated with that name. Thus, the primary
function of DNS is to map domain names onto resource records.
Format of Resource Record
A resource record is a five-tuple. Inside DNS messages the fields are encoded in binary form
for efficiency; in this text (and in zone files) resource records are shown as ASCII text, one
line per resource record. Fig 1.3 shows the format of a resource record.
Fig 1.3 Resource Record Format
The five tuples are
 Domain_name
 Time_to_live
 Class
 Type
 Value
Domain_name
This variable length field tells the domain to which this record applies. This field is used as
primary search key to satisfy queries.
Time_to_live
This field is 32-bit that gives an indication of how stable the record is. If the information is
highly stable then it is assigned with a large value and highly volatile information is assigned
with a small value. If this field is zero, then resource record is used only for single transaction
and it is not stored for future use.
Class
This field identifies domain class of every resource record. For internet information, it is always
IN and for non-internet information other codes can be used.
Type
This field tells what type of resource record it is. There are various types of resource records,
most important ones are listed in table 1.1.
Type    Meaning               Value
SOA     Start of Authority    Parameters for this zone
A       IP address of a host  32-bit integer
MX      Mail exchange         Priority, domain willing to accept email
NS      Name server           Name of a server for this domain
CNAME   Canonical name        Domain name
PTR     Pointer               Alias for an IP address
HINFO   Host description      CPU and OS in ASCII
TXT     Text information      Text information associated with the name
Table 1.1 The principal DNS resource record types
• SOA (Start of Authority) - The SOA record provides the name of the primary source of
information. This information may be the name server’s zone, the e-mail address of the
administrator, a unique serial number, various flags, and timeouts.
• A (Address) - This record is the most important record type; it holds a 32-bit IP address for
some host. Each host on the internet is identified or addressed by at least one IP address.
This IP address is used by other machines for communication. Some hosts have two or
more network connections, in which case they will have one A resource record per IP
address.
• MX (Mail Exchange) - The MX record provides the name of the host prepared to accept
e-mail for the specified domain. The MX record is needed because not every machine is
prepared to accept e-mail. It redirects mail to a mail server.
• NS (Name server) record - The NS records are used to specify the name servers. Every
DNS database normally has an NS record for each of the top-level domains.
• CNAME (Canonical Name) record - CNAME records have a domain name as value.
CNAME records allow aliases to be created. Sometimes a guessed address might not be correct.
For example, a person familiar with internet naming wants to send a message to his friend
whose name is X in the computer science department at IISC. He might guess that
x@cs.iisc.edu will work. But the actual address is x@cse.iisc.edu. By making a CNAME
entry, one can do the job in the following way:
cs.iisc.edu 86400 IN CNAME cse.iisc.edu
• PTR record - Similar to CNAME, a PTR points to another name. But a CNAME is a macro
definition, whereas PTR is a regular DNS data type whose interpretation depends on the context in
which it is found. Commonly, PTR is used to associate a name with an IP address. For a
given IP address it returns the name of the corresponding machine. This mechanism is
known as reverse lookup.
• HINFO record - This record gives the type of machine and operating system a domain
corresponds to. It gives the host description with the type of CPU and OS.
• TXT record - Text records allow domains to identify themselves in arbitrary ways.
Value
This field can be a number, a domain name or an ASCII string. The semantics depend on the
record type. A short description of the value fields is given in the table 1.1.
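A small resource-record database in the five-tuple form of fig 1.3 and table 1.1, as an added Python illustration that is not part of the original notes. The CNAME line is the one from the text; every other record in the sample zone (the host names, the 192.0.2.0/24 documentation addresses, the MX priorities and the two deliberately looping aliases) is constructed for this example, as are the function names and the "#" comment convention:

```python
"""A tiny resource-record database in the five-tuple form above (added example)."""
from collections import defaultdict


def parse_rr(line):
    """Parse one ASCII resource record: name TTL class type value...
    Returns a dict with the five fields; raises ValueError if malformed."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"need at least 5 fields, got {len(parts)}: {line!r}")
    name, ttl, cls, rtype = parts[0].lower(), int(parts[1]), parts[2].upper(), parts[3].upper()
    value_parts = parts[4:]
    if cls != "IN":
        raise ValueError("only the Internet class (IN) is handled here")
    if rtype == "MX":
        # The MX value is a priority followed by the mail host name.
        value = (int(value_parts[0]), value_parts[1].lower())
    elif rtype in ("A", "HINFO", "TXT"):
        value = " ".join(value_parts)          # address or free text
    else:                                       # NS, CNAME, PTR carry a domain name
        value = value_parts[0].lower()
    return {"domain_name": name, "ttl": ttl, "class": cls, "type": rtype, "value": value}


def load_zone(text):
    """Build a {name: [records]} database from one record per line."""
    db = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#")[0].strip()       # '#' comments: a convention of this example
        if line:
            rec = parse_rr(line)
            db[rec["domain_name"]].append(rec)
    return db


def lookup(db, name, rtype, max_aliases=8):
    """Return the records of the requested type, following CNAME aliases the
    way a server does. The alias limit stops a looping CNAME chain."""
    name = name.rstrip(".").lower()
    for _ in range(max_aliases):
        records = db.get(name, [])
        hits = [r for r in records if r["type"] == rtype]
        if hits:
            if rtype == "MX":
                hits = sorted(hits, key=lambda r: r["value"][0])  # lowest priority first
            return hits
        aliases = [r for r in records if r["type"] == "CNAME"]
        if not aliases:
            return []
        name = aliases[0]["value"]             # chase the canonical name
    raise ValueError("CNAME chain too long")


def is_cacheable(record):
    """A TTL of zero means the record is for a single transaction only."""
    return record["ttl"] > 0


# Constructed sample zone (see the lead-in): only the first line is from the text.
SAMPLE_ZONE = """
cs.iisc.edu      86400 IN CNAME cse.iisc.edu
cse.iisc.edu     86400 IN A     192.0.2.10
cse.iisc.edu     86400 IN HINFO Sun Unix
iisc.edu         86400 IN MX    20 mail2.iisc.edu
iisc.edu         86400 IN MX    10 mail1.iisc.edu
iisc.edu         86400 IN NS    ns.iisc.edu
loop-a.iisc.edu      0 IN CNAME loop-b.iisc.edu   # deliberate alias loop
loop-b.iisc.edu      0 IN CNAME loop-a.iisc.edu
"""
```

A resolver that chases aliases without a bound will spin forever on a mis-configured zone such as the loop-a/loop-b pair, so the limit in lookup is not optional.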
1.2.3 Name Servers
The domain name space is divided into subdomains, and each domain or subdomain is assigned a
domain name server. This way, we can form a hierarchy of servers, as shown in fig 1.3, just as
the hierarchy of domain names.
A domain name server has a database consisting of all the information for every node under that
domain. Each server at any location in the hierarchy can partition part of its domain and delegate
some responsibility to another server. The root server supervises the entire domain name space.
A root server typically does not store any information about domains and keeps references only
to servers over which it has authority. Root servers are distributed around the world.
Fig 1.3 Hierarchy of DNS domain name servers
In principle, the entire DNS database could be stored on a single name server that responds to all
queries, but a single name server with a centralized DNS database would be inefficient and not
reliable for such a huge amount of information.
To avoid these problems, the DNS name space was divided into nonoverlapping zones. Each zone
contains some part of the tree and also contains name servers holding the information about that
zone. A zone will have one primary name server and one or more secondary name servers. The primary
name server gets its information from a file on its disk and the secondary name servers get their
information from the primary name server. Fig 1.4 shows one of the possible ways to divide
the name space.
Fig 1.4 Part of the DNS name space showing the division into zones
Let us consider the example of fig 1.5 to explain the process of resolving a remote name. A
resolver on flits.cs.vu.nl wants to know the IP address of the host linda.cs.yale.edu.
Fig 1.5 How a resolver looks up a remote name in eight steps
Step 1 The originator flits.cs.vu.nl sends a query to the local name server cs.vu.nl. The local server has
never had a query for this domain before and asks nearby name servers.
Step 2 It sends a UDP packet to the server for edu given in its database, edu-server.net.
Step 3 edu-server.net forwards the request to the name server for yale.edu.
Step 4 In turn, that one forwards the request to cs.yale.edu, which must have the authoritative resource
records.
Step 5 to Step 8 Since each request is from a client to a server, the resource record requested
works its way back in steps 5 to 8.
The query method described here is a recursive query, since each server that does not have the
requested information goes and finds it somewhere and reports back. DNS is extremely
important to the correct functioning of the internet, though all it really does is map the symbolic
names for machines onto their IP addresses.
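The eight-step recursive lookup of fig 1.5, as an added Python simulation that is not part of the original notes. The server names and the delegation chain follow the steps above; the address 192.0.2.7 for linda.cs.yale.edu, the 3600-second TTL, the cache in the local server and the class and method names are assumptions of this example:

```python
"""Recursive resolution across the server hierarchy of fig 1.5 (added example)."""
import time


class NameServer:
    """A server holds the records it is authoritative for and knows which
    server to forward to for each sub-domain it has delegated."""

    def __init__(self, name, records=None, delegations=None):
        self.name = name
        self.records = records or {}            # host name -> (ip, ttl)
        self.delegations = delegations or {}    # zone suffix -> NameServer

    def resolve(self, host, trace, depth=0, max_depth=8):
        """Recursive query: answer from own records, or forward the query
        down the delegation and relay the answer back to the asker."""
        if depth > max_depth:
            raise RuntimeError("delegation chain too long")
        trace.append(f"query  {host} -> {self.name}")
        if host in self.records:
            ip, ttl = self.records[host]
            trace.append(f"answer {host}={ip} <- {self.name}")
            return ip, ttl
        # Longest matching delegated suffix wins (cs.yale.edu before yale.edu).
        for zone in sorted(self.delegations, key=len, reverse=True):
            if host == zone or host.endswith("." + zone):
                ip, ttl = self.delegations[zone].resolve(host, trace, depth + 1, max_depth)
                trace.append(f"answer {host}={ip} <- {self.name}")
                return ip, ttl
        raise LookupError(f"{self.name} cannot resolve {host}")


class LocalServer(NameServer):
    """The originator's local server; adds a TTL-bounded cache so that a
    repeated query is answered without the remote round trips."""

    def __init__(self, name, delegations, clock=time.monotonic):
        super().__init__(name, delegations=delegations)
        self.cache = {}                         # host -> (ip, expiry time)
        self.clock = clock

    def resolve(self, host, trace, depth=0, max_depth=8):
        now = self.clock()
        if host in self.cache and self.cache[host][1] > now:
            ip, expiry = self.cache[host]
            trace.append(f"cached {host}={ip} @ {self.name}")
            return ip, int(expiry - now)
        ip, ttl = super().resolve(host, trace, depth, max_depth)
        self.cache[host] = (ip, now + ttl)
        return ip, ttl


def build_fig15():
    """Servers and delegations of fig 1.5; the address and TTL are assumed."""
    cs_yale = NameServer("cs.yale.edu",
                         records={"linda.cs.yale.edu": ("192.0.2.7", 3600)})
    yale = NameServer("yale.edu", delegations={"cs.yale.edu": cs_yale})
    edu = NameServer("edu-server.net", delegations={"yale.edu": yale})
    return LocalServer("cs.vu.nl", delegations={"edu": edu})
```

The trace of the first query has exactly eight entries, four queries going down and four answers coming back; a second query for the same host is served from the local server's cache as long as the TTL has not expired.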
Unit 2
ELECTRONIC MAIL
2.1 Architecture and Services
2.2 The User Agent
2.3 Message Formats
2.4 Message Transfer
2.5 Final Delivery
Electronic mail or simply e-mail is one of the most popular network services. In the beginning, e-mail was most commonly used in academia. After 1990, it became known to the public at large
and became very popular. The first e-mail systems simply consisted of file transfer protocols with the
convention that the first line of each message contained the recipient’s address.
There were some limitations and problems in using file transfer protocols. They are
1. It was not possible, or was difficult, to send a message to a group of people.
2. Messages had no internal structure, which makes computer processing difficult.
3. There was no way to notify the sender that an e-mail message had arrived.
4. There was no facility for re-directing messages to secretaries when someone was away
on business.
5. Poor user interface.
6. Not possible to create and send messages containing a combination of text, images,
voice and facsimile.
As experience was gained, more elaborate e-mail systems were proposed and developed. The
standard that developed was the Internet e-mail system.
2.1 Architecture and Services
The e-mail system consists of two subsystems
• User Agents (UA)
User agents allow people to read and send mail. They are the local programs that
provide a command-based, menu-based or graphical-based method for interacting with
the e-mail system.
• Message Transfer Agents (MTA)
Message transfer agents move the messages from the source to the destination. MTAs
are typically system daemons, i.e. processes that run in the background, and their job is to
move e-mail through the system.
E-mail system supports five basic functions. The basic functions are
1. Composition
2. Transfer
3. Reporting
4. Displaying
5. Disposition
Composition
The process of creating messages and answers. The e-mail system itself provides assistance in composing
a mail. The mail address and other header fields can be attached to each message.
Transfer
This refers to transferring mail from sender to the recipient. For this we need to establish a
connection to the destination or intermediate machine. After transferring the messages the
connection can be released. The e-mail system will automatically connect/ disconnect without
the intervention of the user.
Reporting
This process will inform the sender about the e-mail sent. This information can be whether the
mail was delivered or rejected or lost. Reporting helps in providing confirmation about the email sent.
Displaying
Displays the e-mail received, so that people can read their e-mails. Sometimes, e-mail cannot be
viewed directly so simple conversion is required or special viewer tools are needed to get the
messages.
Disposition
It is the final step and concerns what the recipient wants to do with the message after receiving it.
The e-mail may be read and deleted, left unread, or read and saved, and so on. E-mails are saved so
that whenever needed they can be reread, retrieved or forwarded. In addition to the basic
services, some e-mail systems provide special advanced features. Some of these advanced
features are:
Mail boxes
These are created to store incoming e-mail. Explicit commands are needed to create and
destroy mailboxes, check the contents of mailboxes, insert and delete messages from mail
boxes, and so on.
Mailing list
A mailing list is a list of e-mail addresses. When an e-mail is sent to this mailing list,
identical copies are delivered to everyone on the list.
Advanced features
Advanced features like carbon copies (cc), blind carbon copies (bcc), high-priority
e-mail, encrypted e-mail, automated reply e-mail and so on have been developed.
2.2 The User Agent
The User Agent (UA) is the part of the e-mail system used at the client side. A user agent is a program that
accepts a variety of commands. These commands are used to compose, receive, send, delete and
move mails to a folder, etc. Some user agents have an extra user interface that allows window-type
interactions with the system. These user agents require a mouse for using fancy menu-driven or
icon-driven interfaces. Eudora is an example of an icon-driven interface. Some of the popular user agent
programs are MH, Berkeley mail, Elm, Zmail and Mush.
Sending E-mail through the UA
E-mail can be sent through the User Agent by creating mail that looks very similar to postal or snail
mail. It has an envelope and a message. A user must provide the destination address, message and
other parameters. The message can be prepared with a text editor or word-processor-like program
which is built into the user agent.
The envelope contains the sender address, receiver address and other related information. The
header of the message contains the sender, the receiver and the subject of the message. The body
contains the actual information to be read by the recipient.
The destination address of the recipient must be in the form username@dns-address. Mailing
lists are supported by most e-mail systems. With mailing list support, a user can send the
same copy of the message to the list, or group of people, with a single command.
Reading E-mail with the UA
The User Agent checks the mailboxes periodically for incoming e-mail. If a user has mail in the
mailbox, then the UA first informs the user by giving a notice (or alert) or the number of messages in
the mailbox. If the user is ready to read the mail, a list is displayed in which each line contains a
summary of the information about a particular message in the mailbox, as shown in table 2.1.
Sl. No   Flags   Sender address      Subject          Size
1        K       raj                 Hello            413K
2                ravi                Conference       20K
3        KA      roopa@yahoo.com     Re:CSE Dept      612
4                raghu               Request          212K
5        KF      rajesh              Re:Acceptance    43K
Table 2.1 Screenshot of the contents of a mailbox
Each line of the display contains several fields extracted from the envelope or header of the
corresponding message.
• The first field is the message number.
• The second field contains the flags K, A and F. Flag K indicates that the message is not new and was
already read. Flag KA indicates that the message was read and answered. Flag KF
indicates that the message was read and forwarded to someone. There may be additional
flags supported by the user agent.
• The third field tells who sent the message. This field may contain only a first name, an
e-mail address or a full name.
• The next field, subject, gives a brief summary of what the message is about.
• Finally, the last field tells the size of the message in bytes.
2.3 Message Formats
The format of the e-mail message, which is described in RFC 822, is studied here. The envelope format
is described in RFC 821.
RFC 822
The message consists of
• Primitive envelope
• Header fields
• Blank line
• Message body
The header fields related to message transport are shown in table 2.2.
Header        Meaning
To:           Email addresses of the primary recipient(s)
Cc:           Email addresses of any secondary recipient(s)
Bcc:          Email addresses for blind carbon copies
From:         Who wrote or created the message
Sender:       Email address of the actual sender
Received:     Line added by each transfer agent along the route
Return-Path:  Can be used to identify a path back to the sender
Table 2.2 RFC 822 header fields
The RFC 822 header fields are described below.
• To field: This field gives the e-mail addresses of the primary recipients (to whom the message
has to be sent).
• Cc field: This field gives the e-mail addresses of any secondary recipients. Cc stands for
carbon copy. There is no specific distinction between the primary and secondary
recipients.
• Bcc field: This field is referred to as blind carbon copy. It is similar to the Cc field, except that this
line is deleted from all the copies sent to the primary and secondary recipients, so that the
primary and secondary recipients cannot know that copies were sent to the Bcc addresses.
• From field: This field tells who wrote the mail, i.e. from whom the message has been
received.
• Sender field: This field tells who actually sent the mail.
• Received field: This field is added by each message transfer agent along the way. The
line contains the agent’s identity and the date and time the message was received.
• Return-Path field: This field is added by the final message transfer agent and was intended to tell
how to get back to the sender.
In addition to these fields, RFC 822 messages may also contain a variety of other header fields. The
important ones are listed in table 2.3.
Header        Meaning
Date:         Date and time the message was sent
Reply-To:     E-mail address to which replies should be sent
Message-Id:   Unique number for referring to this message later
In-Reply-To:  Message-Id of the message to which this is a reply
References:   Other relevant Message-Ids
Keywords:     User-chosen keywords
Subject:      Short summary of the message for the one-line display
Table 2.3 Additional fields of RFC 822
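The RFC 822 layout described above (header fields, a blank line, then the body, with one Received: line per transfer agent) as an added Python parser that is not part of the original notes. The sample message is constructed for this example: the two hops, the dates and the Message-Id are made up, and the address pair boy@abcd.com and girl@xyz.com is reused from the SMTP session later in this unit. The function names are assumptions as well:

```python
"""Splitting an RFC 822 message into header fields and body (added example)."""


def parse_rfc822(raw):
    """Return {"headers": {name: [values...]}, "body": str}.
    Header names are case-insensitive, so they are keyed in lower case; fields
    that may repeat (Received:) keep every occurrence in order. A continuation
    line (a folded field) begins with whitespace and joins the field above it."""
    headers = {}
    lines = raw.split("\n")
    body_start = len(lines)                  # no blank line: everything is header
    current = None
    for i, line in enumerate(lines):
        if line == "":                       # the blank line ends the header block
            body_start = i + 1
            break
        if line[0] in " \t" and current:     # folded continuation line
            headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return {"headers": headers, "body": "\n".join(lines[body_start:])}


def delivery_path(msg):
    """Each transfer agent adds its Received: line at the top, so the first
    one in the message is the last hop; reverse them to read the route forward."""
    return list(reversed(msg["headers"].get("received", [])))


# Constructed sample message (hosts, dates and Message-Id are made up).
SAMPLE = """Received: from mta.xyz.com by mailhost.xyz.com; Tue, 1 Jan 2008 10:02:00 +0000
Received: from abcd.com by mta.xyz.com;
  Tue, 1 Jan 2008 10:01:30 +0000
Return-Path: <boy@abcd.com>
From: boy@abcd.com
To: girl@xyz.com
Cc: friend@xyz.com
Subject: Wishes
Message-Id: <0001.example@abcd.com>
Date: Tue, 1 Jan 2008 10:00:00 +0000

Happy Birthday to you
"""
```

Reading the Received: lines in reverse order reconstructs the route a message took, which is the usual first step when a suspicious message has to be traced back to the host that injected it.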
MIME (Multipurpose Internet Mail Extensions)
There are some limitations in the message format of RFC 822. On the internet there were
problems in sending and receiving
• Messages in languages with accents (e.g. French and German)
• Messages in non-Latin alphabets (e.g. Hebrew and Russian)
• Messages in languages without alphabets (e.g. Chinese and Japanese)
• Messages containing binary files
• Messages with audio, video or images
The solution was proposed in RFC 1341 and updated in RFCs 2045-2049. This solution is
called MIME. MIME continues to use the same RFC 822 format, but adds structure to the
body and defines encoding rules for non-ASCII messages. All MIME messages can be sent
using existing mail programs and protocols. MIME defines five new message headers, as shown in
table 2.4.
Header                      Meaning
MIME-Version:               Identifies the version of MIME used
Content-Description:        Human-readable string telling what is in the message
Content-Id:                 Unique identifier
Content-Transfer-Encoding:  Method used to encode the body for transmission
Content-Type:               Type and format of the content
Table 2.4 RFC 822 MIME headers
• MIME-Version
This header tells the user agent receiving the message that it is dealing with a MIME
message and which version of MIME it uses.
• Content-Description
This header is a human-readable string telling whether the body of the message is an image,
audio or video, so that the recipient will know whether it is worth decoding and reading the message.
• Content-Id
This header identifies the content of the message. Content-Id follows the same format as
the standard Message-Id header.
• Content-Transfer-Encoding
This header defines how the body is encoded for transmission through the network. Five
encoding schemes are provided, as shown in table 2.5.
• Content-Type
This header is used to specify the type or nature of the message body. The content type
has a further content subtype. They are separated by a slash. Depending on the
subtype, the header may contain other parameters.
Format: Content-Type: <type/subtype; parameters>
Type              Meaning
7 bit             ASCII characters and short lines
8 bit             Non-ASCII characters and short lines
Binary            Non-ASCII characters with unlimited-length lines
Base 64           6-bit blocks of the data are encoded into 8-bit ASCII characters
Quoted-printable  Non-ASCII characters are encoded as an equal sign followed by the
                  character’s code
Table 2.5 Content-Transfer-Encoding
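The two non-trivial schemes of table 2.5, written out by hand so that the mechanism is visible, as an added Python illustration that is not part of the original notes: base 64 packs three bytes into four 6-bit groups printed as ASCII characters, and quoted-printable replaces each non-ASCII byte (and the "=" sign itself) with "=" followed by the byte's value as two hexadecimal digits. The function names are assumptions of this example, and the line-length and trailing-whitespace rules of RFC 2045 are left out:

```python
"""Base64 and quoted-printable encoding done by hand (added example)."""

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_encode(data):
    """Pack every 3 bytes (24 bits) into four 6-bit groups, each printed as one
    of 64 ASCII characters; '=' pads the last group when len(data) % 3 != 0."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")   # a 24-bit number
        groups = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [B64_ALPHABET[g] for g in groups]
        pad = 3 - len(chunk)                               # 0, 1 or 2
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def quoted_printable_encode(data):
    """Printable ASCII (plus space and tab) passes through unchanged; any other
    byte, and '=' itself, becomes '=' followed by two hex digits."""
    out = []
    for byte in data:
        if 33 <= byte <= 126 and byte != ord("="):
            out.append(chr(byte))
        elif byte in (ord(" "), ord("\t")):
            out.append(chr(byte))
        else:
            out.append(f"={byte:02X}")
    return "".join(out)


def quoted_printable_decode(text):
    """Inverse of quoted_printable_encode; returns the original bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            out.append(int(text[i + 1:i + 3], 16))   # two hex digits follow
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)
```

Base 64 is the right choice for binary data, where almost every byte would otherwise need escaping; quoted-printable keeps mostly-ASCII text readable and only expands the few accented characters.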
Seven types are defined in RFC 2045, each of which has one or more subtypes. These are listed
in table 2.6.
Type         Subtype        Meaning
Text         Plain          Unformatted text
             Enriched       Text with simple formatting commands
Message      RFC 822        Body is an encapsulated message
             External body  Body is a reference to another message
             Partial        Message has been split for transmission
Image        JPEG           Image is in JPEG format
             GIF            Image is in GIF format
Audio        Basic          Audible sound
Video        MPEG           Video is in MPEG format
Application  Octet-stream   Uninterpreted byte sequence
             Postscript     Printable document in PostScript
Table 2.6 MIME types and subtypes
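Parsing the Content-Type header in the type/subtype; parameters form given above, as an added Python illustration that is not part of the original notes. The known-subtype table is built from table 2.6 with the subtypes spelled as they appear on the wire in RFC 2046 (rfc822, external-body, octet-stream); the function names and the "known" flag are assumptions of this example:

```python
"""Parsing the Content-Type header into type, subtype and parameters (added example)."""

# Types and subtypes of table 2.6, in their on-the-wire spelling (lower case).
KNOWN_SUBTYPES = {
    "text": {"plain", "enriched"},
    "message": {"rfc822", "external-body", "partial"},
    "image": {"jpeg", "gif"},
    "audio": {"basic"},
    "video": {"mpeg"},
    "application": {"octet-stream", "postscript"},
}


def parse_content_type(header_value):
    """Parse 'type/subtype; name=value; name="quoted value"'. Type, subtype and
    parameter names are case-insensitive; a quoted value may contain ';' and
    is kept verbatim. Raises ValueError on a malformed header."""
    media, _, rest = header_value.partition(";")
    if "/" not in media:
        raise ValueError(f"missing '/' in media type: {media!r}")
    mtype, subtype = (p.strip().lower() for p in media.split("/", 1))
    if not mtype or not subtype:
        raise ValueError("empty type or subtype")
    params = {name.lower(): value for name, value in _split_params(rest)}
    return {"type": mtype, "subtype": subtype, "params": params,
            "known": subtype in KNOWN_SUBTYPES.get(mtype, set())}


def _split_params(text):
    """Yield (name, value) pairs from '; a=b; c="d;e"', honouring double quotes."""
    i, n = 0, len(text)
    while i < n:
        while i < n and text[i] in " ;":       # skip separators
            i += 1
        if i >= n:
            return
        eq = text.find("=", i)
        if eq < 0:
            raise ValueError(f"parameter without '=': {text[i:]!r}")
        name = text[i:eq].strip()
        i = eq + 1
        if i < n and text[i] == '"':           # quoted value: up to the closing quote
            end = text.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quoted value")
            value, i = text[i + 1:end], end + 1
        else:                                  # bare value: up to the next ';'
            end = text.find(";", i)
            end = n if end < 0 else end
            value, i = text[i:end].strip(), end
        yield name, value
```

A receiving agent should decide how to handle a body from the parsed type and subtype, never from a file name or from the raw header string, and a subtype it does not recognise is best treated as application/octet-stream rather than guessed at.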
2.4 Message Transfer
The message transfer system is concerned with sending messages from the originator to the recipient. A
connection is established from the source machine (originator) to the destination machine
(recipient). Once the connection is established, the message can be transferred. The TCP/IP
protocol that supports e-mail on the internet is called SMTP (Simple Mail Transfer Protocol).
This protocol is used to send messages to other users based on their e-mail addresses.
SMTP - The Simple Mail Transfer Protocol
SMTP is a simple ASCII protocol, which uses a TCP connection to port 25 of the destination
machine; an e-mail daemon (background process) listens on port 25, accepts incoming connections
and transfers messages from them into the appropriate mailboxes. If a message cannot be
delivered to the intended recipient, then an error report about the undeliverable message is returned to the
sender or originator.
A sample illustration of transferring a message from boy@abcd.com to girl@xyz.com is given
below. A line starting with C indicates one sent by the client and S one sent by the server.
S:
C:
S:
C:
S:
C:
S:
C:
S:
C:
C:
C:
C:
C:
C:
C:
C:
C:
C:
S:
220 xyz.com
HELO abcd.com
250 xyz.com
MAIL FROM
//SMPT service ready
//command from client
//says hello to abcd.com
<boy@abcd.com>
250 sender OK
RCPT TO:
<girl@xyz.com>
250 receipt OK
//only one RCPT command because only one recipient
DATA
354 send mail;
//end with “.” on a line by itself.
From: boy@abcd.com
To: girl@xyz.com
MIME-Version: 1.0
Message-Id: <0703716182. BA01474@abcd.com>
Content-Type: multipart/alternative
Subject: Wishes
Happy Birthday to you
S: 250 messages accepted
QUIT
221 xyz.com closing connection
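The dialogue above, replayed against a small SMTP receiver state machine, as an added example written for these notes (it is not code from the original page and not a real MTA). It implements only HELO, MAIL, RCPT, DATA and QUIT with the reply codes shown in the text, keeps one in-memory mailbox per local user, enforces the command order, answers 550 for an unknown recipient, and performs the dot-unstuffing that lets a body line start with "." without ending the message. The client lines are constructed from the text's example.

```python
"""A minimal SMTP receiver state machine, driven by the client side of the
dialogue above, to show how the reply codes and the DATA phase fit together."""


def _addr(arg):
    """Extract boy@abcd.com from 'FROM:<boy@abcd.com>' or 'TO: <girl@xyz.com>'."""
    if ":" not in arg:
        return None
    return arg.split(":", 1)[1].strip().strip("<>").lower() or None


class SmtpServer:
    """Receiving MTA for one domain with an in-memory mailbox per local user."""

    def __init__(self, domain, local_users):
        self.domain = domain
        self.mailboxes = {u.lower(): [] for u in local_users}
        self.greeted = False
        self.in_data = False
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.rcpts, self.lines = None, [], []

    def greeting(self):
        return f"220 {self.domain} SMTP service ready"

    def handle(self, line):
        """Process one client line; return the reply, or None while in DATA."""
        if self.in_data:
            if line == ".":                         # end-of-data marker
                body = "\n".join(l[1:] if l.startswith("..") else l   # dot-unstuffing
                                 for l in self.lines)
                for r in self.rcpts:
                    self.mailboxes[r].append({"from": self.sender, "data": body})
                self.in_data = False
                self._reset_envelope()
                return "250 message accepted"
            self.lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.greeted = True
            return f"250 {self.domain} says hello to {arg}"
        if not self.greeted:
            return "503 send HELO first"
        if verb == "MAIL":
            self._reset_envelope()
            self.sender = _addr(arg)              # asserted by the client, never verified here
            return "250 sender ok" if self.sender else "501 syntax: MAIL FROM:<address>"
        if verb == "RCPT":
            rcpt = _addr(arg)
            if rcpt is None:
                return "501 syntax: RCPT TO:<address>"
            if rcpt not in self.mailboxes:
                return "550 no such user here"    # undeliverable: the client must report it
            self.rcpts.append(rcpt)
            return "250 recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self.in_data = True
            return '354 send mail; end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.domain} closing connection"
        return "500 command unrecognized"


def run_session(server, client_lines):
    """Feed client lines through the server; return the C:/S: transcript."""
    transcript = ["S: " + server.greeting()]
    for line in client_lines:
        transcript.append("C: " + line)
        reply = server.handle(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return transcript


# Constructed client side of the birthday message from the text.
CLIENT_LINES = [
    "HELO abcd.com",
    "MAIL FROM:<boy@abcd.com>",
    "RCPT TO:<girl@xyz.com>",
    "DATA",
    "From: boy@abcd.com",
    "To: girl@xyz.com",
    "Subject: Wishes",
    "",
    "Happy Birthday to you",
    "..and many more",        # a body line starting with '.' is dot-stuffed on the wire
    ".",
    "QUIT",
]

if __name__ == "__main__":
    srv = SmtpServer("xyz.com", ["girl@xyz.com"])
    print("\n".join(run_session(srv, CLIENT_LINES)))
```

The transcript it prints has the same shape as the exchange in the text. Note that nothing in the server checks that abcd.com really is where the connection came from, or that boy@abcd.com exists: that is exactly the trust gap the caveat above describes.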
The original SMTP protocol has some limitations:
 Some older implementations cannot handle messages exceeding 64 KB.
 If the client and the server have different timeouts, one of them may give up while the other is still busy, unexpectedly terminating the connection.
 Infinite mailstorms can be triggered (for example, two mailing lists that each forward to the other), which floods the network with e-mail traffic.
To get around these problems, extended SMTP (ESMTP) was developed: a client that supports it opens the session with EHLO instead of HELO, and the server answers with the list of extensions it supports.
2.5 Final Delivery
SMTP establishes a TCP connection to the receiver and then transfers the e-mail over it. If the recipient's machine is not online, the connection cannot be established and the e-mail is not delivered. The solution to this problem is to have a Message Transfer Agent (MTA) on an ISP (Internet Service Provider) machine accept e-mail for its customers and store it in their mailboxes on the ISP machine; the customer then fetches the mail from there. Two mail access protocols are in use for this: Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP).
POP3 (Post Office Protocol Version 3)
POP3 is used to pull e-mail from the ISP's message transfer agent: messages are copied from the mailbox on the ISP's machine to the user's machine. POP3 is described in RFC 1939. Two situations must be distinguished:
1. The receiver's machine is permanently connected and runs its own message transfer agent.
2. The sender is online, but the receiver's machine is not (e.g. it only connects by dial-up).
Case 1: When the receiver has a permanent Internet connection, the arrangement is shown in fig 2.1. Here the user agent reads the mailbox on the same machine as the message transfer agent, so no separate access protocol is needed.
Fig 2.1 Sending and reading mail when the receiver has a permanent Internet connection and the user agent runs on the same machine as the message transfer agent.
Case 2
When the sender is online but the receiver is not, the arrangement is shown in fig 2.2.
Fig 2.2 Reading e-mail when the receiver has a dial-up connection to an ISP.
The sending host's SMTP establishes a TCP connection with the ISP's machine. The message is handed to the ISP's MTA, which stores it in the recipient's mailbox on the ISP machine; the ISP machine therefore holds the complete message until the user fetches it. When the user starts the mail reader, the reader dials up the ISP and establishes a TCP connection with the POP3 server (which runs on the ISP's machine, alongside the message transfer agent, not on the user's PC) at port 110. Once the connection has been established, the POP3 session passes through three states:
 Authorization - deals with the user login (user name and password)
 Transaction - deals with the user collecting the e-mails and marking them for deletion from the mailbox
 Update - causes the marked e-mails actually to be deleted, after which the connection is closed
So the problem of sending a message to an offline receiver is solved with the help of the ISP's machine. Note that in the basic protocol the user name and password are sent in cleartext; in practice the session should be protected with TLS (the STLS command of RFC 2595, or POP3 over TLS on port 995).
IMAP (Internet Message Access Protocol)
IMAP is similar to POP3 but has more features; it is more powerful and more complex. With POP3, all stored messages are downloaded (and normally deleted from the server) at each contact, so a user who reads mail from several machines soon has it scattered over all of them. IMAP was developed to overcome this disadvantage. IMAP is defined in RFC 2060 (IMAP4rev1, later revised as RFC 3501). The IMAP server listens on port 143 (993 for IMAP over TLS). Some of the limitations of POP3 are:
 POP3 does not allow the user to organize their mail on the server.
 The user cannot have different folders on the server.
 POP3 does not allow the user to examine part of a message before downloading it.
IMAP provides the following extra functions over POP3:
 The user can check the e-mail headers before downloading messages.
 IMAP provides mechanisms for creating, destroying and manipulating multiple mailboxes on the server.
 The user can create a hierarchy of mailboxes (folders) for e-mail storage.
 The user can download a message partially. This feature is useful when bandwidth is limited and the e-mail contains multimedia that would need a lot of bandwidth.
 The user can search the contents of the e-mail on the server for specific strings before downloading.
A comparison of IMAP and POP3 is given in table 2.7.
POP3                                              IMAP
Defined in RFC 1939                               Defined in RFC 2060 (revised as RFC 3501)
Uses TCP port 110                                 Uses TCP port 143
E-mails are stored on the user's PC               E-mails are stored on the IMAP server
E-mails are read offline                          E-mails are read online
Little time is needed to establish a connection   More time is needed to establish a connection
The user keeps the backup of the mailboxes        The ISP keeps the backup of the mailboxes
Does not provide multiple mailboxes               Provides multiple mailboxes
Not suitable for mobile users                     More suitable for mobile users
Does not allow partial downloads                  Allows partial downloads
Very simple to implement                          Not so simple to implement
Table 2.7 Differences between POP3 and IMAP
Delivery features
Many systems provide additional features for incoming e-mail.
 Filters: The user can set up filters on incoming messages. These are rules that are checked when e-mail arrives or when the user agent is started. Each rule specifies a condition and a corresponding action. Most ISPs provide a filter that automatically classifies incoming e-mail as either legitimate or spam (junk e-mail, often carrying viruses) and stores each class in a separate folder. There are various techniques for detecting spam; for example, if the same message with the same subject line has been sent to hundreds of users, it is probably spam. Filters examine the subject line and sometimes the source of the message as well.
 The ability to forward incoming e-mail to a different address.
 The ability to install a vacation daemon; this daemon examines each incoming message and sends the sender a stored reply.
Webmail
More users today send and read e-mail through their web browsers. Hotmail introduced web access in the mid-1990s, providing free e-mail service to anyone. Such services have normal MTAs listening on port 25 for incoming SMTP connections; what differs is that the mailbox is presented to the user through web pages.
The user goes to the e-mail web page and enters a login name and password. When the user clicks on sign in, the login name and password are sent to the server, which validates them. If the login succeeds, the server finds the user's mailbox, builds a listing of all the messages and sends it to the browser formatted as HTML. Many items on the page are interactive, so a message can be read, deleted, forwarded, replied to and so on. Many web-based e-mail implementations use an IMAP server behind the web front end to provide the folder functionality.
Module 6
Unit 1 Introduction to Network Security
1.1 Introduction
1.2 Services, Mechanisms and Attacks
1.2.1 Services
1.2.2 Mechanisms
1.2.3 Attacks
1.3 The OSI Security Architecture
1.3.1 Security Services
1.3.2 Security Mechanisms
1.3.3 Security Attacks
1.4 A Model for Network Security
Unit 2 Cryptography-I
2.1 Symmetric Cipher Model
2.1.1 Cryptography
2.1.2 Cryptanalysis
2.2 Substitution Techniques
2.3 Transposition Techniques
Unit 3 Cryptography-II
3.1 Simplified DES
3.2 Block Cipher Principles
3.3 The Data Encryption Standard
3.4 The RSA Algorithm
Unit 4 E-mail Security
4.1 Introduction
4.2 Pretty Good Privacy
4.2.1 Operational description of PGP
4.2.2 Cryptographic keys and key rings
4.3 S/MIME
4.3.1 S/MIME Functionality
4.3.2 S/MIME Messages
Unit 1
Introduction to Network Security
1.1 Introduction
1.2 Services, Mechanisms and Attacks
1.2.1 Services
1.2.2 Mechanisms
1.2.3 Attacks
1.3 The OSI Security Architecture
1.3.1 Security Services
1.3.2 Security Mechanisms
1.3.3 Security Attacks
1.4 A Model for Network Security
1.1 INTRODUCTION
Computer security is the process of preventing and detecting unauthorized use of a computer. Prevention measures help to stop unauthorized users (also known as "intruders") from accessing any part of the computer system; detection measures help to determine whether someone attempted to break into the system, whether they succeeded, and what they did. In this view the emphasis is on the availability and correct operation of the computer system rather than on the information it stores or processes.
Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. The terms network security and information security are often used interchangeably; however, network security is generally taken as providing protection at the boundaries of an organization, keeping intruders (e.g. black hat hackers, script kiddies, or the textbook intruder "Trudy") out.
Perimeter defences are now widely deployed, so much of the focus has shifted to protecting resources from attack or simple mistakes by people inside the organization, e.g. with Data Loss Prevention (DLP). One response to this insider threat in network security is to compartmentalize large networks, so that an employee has to cross an internal boundary and be authenticated when trying to access privileged information.
Examples of security violations
1. User A transmits a file to user B. The file contains sensitive information that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.
2. A network manager, D, transmits a message to a computer, E, under its management. The message instructs computer E to update an authorization file to include the identities of a number of new users who are to be given access to that computer. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to E, which accepts the message as coming from manager D and updates its authorization file accordingly.
3. Rather than intercept a message, user F constructs its own message with the desired entries and transmits that message to E as if it had come from manager D. Computer E accepts the message as coming from manager D and updates its authorization file accordingly.
4. An employee is fired without warning. The personnel manager sends a message to a server system to invalidate the employee's account. When the invalidation is accomplished, the server is to post a notice to the employee's file as confirmation of the action. The employee is able to intercept the message and delay it long enough to make a final access to the server to retrieve sensitive information. The message is then forwarded, the action taken, and the confirmation posted. The employee's action may go unnoticed for some considerable time.
5. A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.
Internetwork security is both fascinating and complex. Some of the reasons follow.
1. The major requirements for security services are confidentiality, authentication, nonrepudiation and integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider potential countermeasures. In many cases, countermeasures are designed by looking at the problem in a completely different way.
3. Because of point 2, the procedures used to provide particular services are often counterintuitive.
4. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement and in a logical sense.
5. Security mechanisms usually involve more than a particular algorithm or protocol. They usually also require that the participants be in possession of some secret information, which raises questions about the creation, distribution and protection of that secret information. There is also a reliance on communications protocols whose behavior may complicate the task of developing the security mechanism.
1.2 Services, Mechanisms and Attacks
Information security is about how to prevent cheating in information-based systems. Whoever is responsible for security needs a systematic way of defining the requirements for security and characterizing the approaches to satisfying them. The three aspects of information security are
1. Security Attack - Any action that compromises the security of information owned by an
organization.
2. Security Mechanism - A mechanism that is designed to detect, prevent or recover from a
security attack.
3. Security Service - A service that enhances the security of the data processing systems
and the information transfers of an organization. The services are intended to counter
security attacks and they make use of one or more security mechanisms to provide the
service.
1.2.1 Services
Security services can be considered as replicating the types of functions normally associated
with physical documents. Documents typically have signatures and dates; they may need to
be protected from disclosure, tampering or destruction. The types of functions traditionally
associated with paper documents must be performed on documents that exist in electronic
form. Several aspects of electronic documents make the provision of such services
challenging
 It is usually possible to discriminate between an original paper document and a
xerographic copy. An electronic document is merely a sequence of bits; there is no
difference between the original and any number of copies.
 An alteration to a paper document may leave some sort of physical evidence of the
alteration. Altering bits in a computer memory or in a signal leaves no physical trace.
 Any proof process associated with a physical document typically depends on the physical
characteristic of that document. Any proof of authenticity of an electronic document must
be based on internal evidence present in the information itself
1.2.2 Mechanisms
There is no single mechanism to support the functions like authorization, signature,
validation, accessing, witnessing etc. The most common mechanism in use is cryptographic
techniques: Encryption or encryption-like transformations.
1.2.3 Attacks
G. J. Simmons points out that information security is about how to prevent attacks, or, failing that, to detect attacks on information-based systems wherein the information itself has no meaningful physical existence, and then to recover from them.
Some examples of attacks are
 Conceal the presence of some information in other information.
 Gain unauthorized access to information.
 Modify the license of others.
 Prevent the function of software, typically by adding a covert function.
Difference between threat and attack
Threat - A potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm; i.e. a threat is a possible danger that might exploit a vulnerability.
Attack - An assault on system security that derives from an intelligent threat; i.e. an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
1.3 THE OSI SECURITY ARCHITECTURE
1.3.1 Security Services
The security services are classified as
 Confidentiality - Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties.
 Authentication - Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false.
 Integrity - Ensures that only authorized parties are able to modify computer system assets and transmitted information.
 Nonrepudiation - Requires that neither the sender nor the receiver of a message be able to deny the transmission.
 Access control - Requires that access to information resources may be controlled by or for the target system.
 Availability - Requires that computer system assets be available to authorized parties when needed.
1.3.2 Security Mechanism
No single mechanism provides all of the services above. Transformations such as encryption and decryption are the most widely used building blocks, but they have to be combined with other mechanisms to obtain a complete service.
1.3.3 Security Attacks
Attacks on security can be classified into four general categories, as shown in fig 1.1.
Fig 1.1 Classification of security attacks
Interruption - An attack on availability. An asset of the system is destroyed or becomes unavailable or unusable.
Interception - An attack on confidentiality. An unauthorized party gains access to an asset.
Modification - An attack on integrity. An unauthorized party not only gains access to an asset but also tampers with it.
Fabrication - An attack on authenticity. An unauthorized party inserts counterfeit objects into the system.
According to RFC 2828 and X.800, security attacks are classified as passive and active attacks.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Passive attacks are very difficult to detect because they do not alter any data, so the emphasis in dealing with them is on prevention (e.g. encryption) rather than detection. The two types of passive attack are
 Release of message contents
 Traffic analysis
Active attacks involve some modification of the data stream or the creation of a false stream. They are subdivided into four categories:
 Masquerade - Takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack.
 Replay - Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
 Modification of messages - Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
 Denial of service - Prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target (e.g. suppressing all messages directed to one destination) or may disrupt an entire network.
Passive attacks                                          Active attacks
Eavesdrop on or monitor transmissions                    Modify the data stream or create a false stream
Do not alter any data                                    Alter data or the state of the system
Very difficult to detect; emphasis is on prevention      Difficult to prevent absolutely; emphasis is on detection and recovery
Release of message contents, traffic analysis            Masquerade, replay, modification of messages, denial of service
Table 1.1 Differences between passive attacks and active attacks
1.4 A Model for Network Security
Fig 1.2 shows the model for a secure transaction. The two parties, the sender and the receiver, are the principals in the transaction. A logical information channel is established by defining a route through the network from source to destination and by the cooperative use of communication protocols by the two principals.
Fig 1.2 Model for Network security
All the techniques for providing information security have two components:
 A security-related transformation on the information to be sent. Examples are the encryption of the message, which scrambles it so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
 Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.
The model also shows four basic tasks in designing a security service:
 Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
 Generate the secret information to be used with the algorithm.
 Develop methods for the distribution and sharing of the secret information.
 Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
Another type of unwanted access is the placement in a computer system of logic that exploits vulnerabilities in the system and its resources. Such attacks may be carried out by human intervention (a hacker) or by software (a virus). Two kinds of threats are possible:
 Information access threats intercept or modify data on behalf of users who should not have access to that data.
 Service threats exploit service flaws in computers to inhibit use by legitimate users.
Viruses and worms are two examples of software attacks. Such attacks can be introduced into a system by means of a diskette (or any other removable medium) that contains the unwanted logic concealed in otherwise useful software. They can also be inserted into a system across a network.
Fig 1.3 Network access security model
The security mechanisms needed to cope with unwanted access fall into two broad categories, as shown in fig 1.3:
 The first category might be termed a gatekeeper function. It includes password-based login procedures that are designed to deny access to all but authorized users, and screening logic that is designed to detect and reject worms, viruses and similar attacks.
 Once access is gained, by either an unwanted user or unwanted software, the second line of defense consists of a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.
Unit 2
Cryptography-I
2.1 Symmetric cipher Model
2.1.1 General concepts
2.1.2 Cryptanalysis
2.2 Substitution Techniques
2.3 Transposition Techniques
Cryptography is the study of secret (crypto-) writing (-graphy), concerned with developing algorithms which may be used to
 conceal the content of a message from everyone except the sender and the recipient (privacy / secrecy)
 verify the correctness of a message to the recipient (authentication)
 form the basis of many technological solutions to computer and communications security problems
2.1 Symmetric Cipher Model
Single-key encryption is an encryption technique in which the sender and the recipient share a secret key; this key is applied by the encryption algorithm at the sender's side and by the decryption algorithm at the recipient's side. Single-key encryption is also referred to as symmetric encryption or conventional encryption. The model given here illustrates the conventional encryption process.
Fig 2.1 Simplified model of conventional encryption
The model comprises the following components:
 Plaintext: the original intelligible message or data that is fed into the algorithm as input.
 Encryption Algorithm: performs various substitutions and transformations on the plaintext.
 Secret Key: also input to the encryption algorithm. The key is a value independent of the plaintext, and the algorithm produces a different output depending on the key used. The exact substitutions and transformations performed by the algorithm depend on the key.
 Ciphertext: the scrambled message produced as output. It depends on the plaintext and the key.
 Decryption Algorithm: essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
Once the ciphertext is produced by encrypting the plaintext under the secret key, it may be transmitted. Upon reception, the ciphertext can be transformed back to the original plaintext by using the decryption algorithm with the same key that was used for encryption.
There are two requirements for secure use of conventional encryption:
 A strong encryption algorithm is needed. The opponent should be unable to decrypt ciphertext or discover the key even if he or she holds a number of ciphertexts together with the plaintexts that produced them.
 The secret key must be kept secure, and only the sender and the receiver may have copies of it. The security of conventional encryption thus rests on the secrecy of the key, not on the secrecy of the algorithm.
Model of conventional cryptosystem
The conventional cryptosystem model is as shown in the figure below:
Fig 2.2 Model of conventional crytosystem
A source produces a message in plaintext, X = [X1, X2, ..., XM]. The M elements of X are letters in some finite alphabet. Traditionally the alphabet consisted of the 26 capital letters; nowadays the binary alphabet {0, 1} is typically used. For encryption, a key of the form K = [K1, K2, ..., KJ] is generated. If the key is generated at the message source, then it must also be provided to the destination by means of some secure channel. Alternatively, a third party may generate the key and securely deliver it to both source and destination.
With the message X and the encryption key K as input, the encryption algorithm forms the ciphertext Y = [Y1, Y2, ..., YN]. This can be written as Y = EK(X).
This notation indicates that Y is produced by using the encryption algorithm E as a function of the plaintext X, with the specific function determined by the value of the key K. The intended receiver, in possession of the key, is able to invert the transformation: X = DK(Y).
An opponent, observing Y but not having access to K or X, may attempt to recover X or K or both. It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms. If the opponent is interested only in this particular message, then the focus of the effort is to recover X by generating a plaintext estimate X̂. Often, however, the opponent is interested in being able to read future messages as well, in which case an attempt is made to recover K by generating an estimate K̂.
2.1.1 General Concepts
Cryptographic systems are characterized along three independent dimensions:
 The type of operations used for transforming plaintext to ciphertext: all encryption algorithms are based on two general principles, substitution and transposition.
o Substitution: each element in the plaintext is mapped into another element.
o Transposition: elements in the plaintext are rearranged. In both cases there is a requirement that no information be lost, i.e. that the operation be reversible.
 The number of keys used: if both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key or conventional encryption. If the sender and the receiver each use a different key, the system is referred to as asymmetric, two-key or public-key encryption.
 The way in which the plaintext is processed:
o A block cipher processes the input one block of elements at a time, producing an output block for each input block.
o A stream cipher processes the input elements continuously, producing output one element at a time.
Difference between Steganography and Cryptography
Table 2.1 Difference between steganography and cryptography
2.1.2 Cryptanalysis
The process of attempting to discover the plaintext (X) or the encryption key (K) or both is known as cryptanalysis. The strategy used by the cryptanalyst depends on the nature of the encryption scheme and on the information available to the cryptanalyst.
The types of cryptanalytic attack, based on the amount of information known to the cryptanalyst, are:
 Ciphertext only: the opponent knows the encryption algorithm and the ciphertext to be decoded. One possible attack is the brute-force approach of trying all possible keys, which is impractical for a very large key space.
 Known plaintext: the opponent knows the encryption algorithm, the ciphertext to be decoded, and one or more plaintext-ciphertext pairs formed with the secret key. With this knowledge, the cryptanalyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed.
 Chosen plaintext: the opponent knows the encryption algorithm, the ciphertext to be decoded, and a plaintext message chosen by the cryptanalyst together with its corresponding ciphertext generated with the secret key.
 Chosen ciphertext: the opponent knows the encryption algorithm, the ciphertext to be decoded, and a purported ciphertext chosen by the cryptanalyst together with its corresponding decrypted plaintext generated with the secret key.
 Chosen text: the opponent knows the encryption algorithm and the ciphertext to be decoded, and has both a chosen plaintext with its ciphertext and a chosen ciphertext with its plaintext, all generated with the secret key.
An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. That is, no matter how much time an opponent has, it is impossible for him or her to decrypt the ciphertext, simply because the required information is not there.
With the exception of a scheme known as the one-time pad, there is no encryption algorithm that is unconditionally secure. Therefore, all that the users of an encryption algorithm can strive for is an algorithm that meets one or both of the following criteria:
 The cost of breaking the cipher exceeds the value of the encrypted information.
 The time required to break the cipher exceeds the useful lifetime of the information.
An encryption scheme is said to be computationally secure if either of these criteria is met. The difficulty in applying this definition is that it is very hard to estimate the amount of effort required to cryptanalyze ciphertext successfully, unless the only way of breaking the cipher is brute force, in which case the effort follows directly from the key size.
2.2 Substitution Techniques
A substitution technique is one in which the letters of the plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns. The substitution ciphers discussed here are
 Caesar cipher
 Playfair cipher
 Hill cipher
Caesar Cipher
The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. The alphabet is wrapped around so that the letter following Z is A, so the transformation can be defined by listing the 26 plaintext/ciphertext letter pairs. If we assign a numerical equivalent to each letter (a = 0, b = 1, ..., z = 25), then the algorithm can be expressed as
C = E(p) = (p + k) mod 26
where, for the general shift cipher, k takes a value in the range 1 to 25 (k = 3 for the Caesar cipher proper). The decryption algorithm is simply
p = D(C) = (C - k) mod 26
Cryptanalysis
If it is known that a given ciphertext is a Caesar cipher, then brute-force cryptanalysis is easily performed by simply trying all 25 possible keys. The characteristics of this cipher that make brute-force cryptanalysis easy are:
 The encryption and decryption algorithms are known.
 There are only 25 keys to try.
 The language of the plaintext is known and easily recognizable.
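The three characteristics above turned into a working attack, as an added example for these notes (not code from the original page). It implements the shift cipher with the a = 0, ..., z = 25 numbering used in the formulas, then tries all 25 keys; instead of a human eyeballing the 25 candidates, each one is scored by how closely its letter counts match English letter frequencies (a chi-squared statistic), which is the "language is recognizable" property made mechanical. The frequency table is the standard one for English text.

```python
"""Caesar/shift cipher with the a=0 ... z=25 numbering of the text, plus the
brute-force attack of trying all 25 keys and scoring each candidate against
English letter frequencies (the quantity a cryptanalyst actually looks at)."""
from string import ascii_lowercase as ALPHA

# Relative frequency (%) of each letter in English text, a..z.
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
                0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
                6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = (p + k) mod 26 letter by letter; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = (C - k) mod 26; the same shift in the other direction."""
    return caesar_encrypt(ciphertext, -k).lower()


def chi_squared(text: str) -> float:
    """Distance between the letter counts of text and English; lower is more English-like."""
    letters = [c for c in text.lower() if c in ALPHA]
    n = len(letters)
    score = 0.0
    for i, ch in enumerate(ALPHA):
        expected = n * ENGLISH_FREQ[i] / 100
        observed = letters.count(ch)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext: str):
    """Try all 25 keys; return (best_key, best_plaintext, all 25 candidates)."""
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]
    best_key, best_plain = min(candidates, key=lambda kp: chi_squared(kp[1]))
    return best_key, best_plain, candidates


if __name__ == "__main__":
    c = caesar_encrypt("meet me after the toga party", 3)
    print(c)                        # PHHW PH DIWHU WKH WRJD SDUWB
    k, p, _ = brute_force(c)
    print(k, p)                     # 3 meet me after the toga party
```

The scoring works even on a 23-letter message because a wrong key maps the frequent plaintext letters e and t onto rare ciphertext letters for almost every shift; the same statistic is the starting point for attacking any monoalphabetic substitution, not just a shift.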
Playfair Cipher
This is a multiple-letter encryption cipher which treats digrams (pairs of letters) in the plaintext as single units and translates these units into ciphertext digrams. It is based on a 5 x 5 matrix of letters constructed from a keyword: the letters of the keyword (minus duplicates) are filled in from left to right and top to bottom, followed by the remaining letters of the alphabet in order, with I and J sharing one cell. For the keyword MONARCHY the matrix is
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Plaintext is encrypted two letters at a time, according to the following rules:
 Repeated plaintext letters that would fall in the same pair are separated by a filler letter such as x (so balloon is treated as ba lx lo on).
 Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last.
 Plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last.
 Otherwise, each plaintext letter is replaced by the letter that lies in its own row and in the column occupied by the other plaintext letter.
Cryptanalysis
The Playfair cipher is a great advance over simple monoalphabetic ciphers: there are 26 x 26 = 676 digrams instead of 26 letters, so identification of individual digrams is more difficult. Furthermore, the relative frequencies of individual letters exhibit a much greater range than those of digrams, so frequency analysis has much less to work with. It is nevertheless relatively easy to break, since a few hundred letters of ciphertext are generally sufficient and much of the plaintext structure survives in the ciphertext.
Hill Cipher
The encryption algorithm takes m successive plaintext letters and substitutes for them m
ciphertext letters. The substitution is determined by m linear equations in which each
character is assigned a numerical value (a = 0, b = 1, …, z = 25). For m = 3, the system can be
described as follows:
C1 = (k11 p1 + k12 p2 + k13 p3) mod 26
C2 = (k21 p1 + k22 p2 + k23 p3) mod 26
C3 = (k31 p1 + k32 p2 + k33 p3) mod 26
This can be expressed in terms of column vectors and matrices as C = KP mod 26, where C and P
are column vectors of length 3, representing the ciphertext and plaintext, and K is a 3 x 3
matrix representing the encryption key. All operations are performed mod 26.
For a 2 x 2 matrix the determinant is k11 k22 − k12 k21. For a 3 x 3 matrix, the value of the
determinant is k11 k22 k33 + k21 k32 k13 + k31 k12 k23 − k31 k22 k13 − k21 k12 k33 − k11 k32 k23. If a
square matrix A has a nonzero determinant, then the inverse of the matrix is computed from its
sub-determinants, where (Dij) is the sub-determinant formed by deleting the ith row and the jth
column of A and det(A) is the determinant of A. In general terms, the Hill system can be
expressed as follows:
C = EK(P) = KP mod 26
P = DK(C) = K^-1 C = K^-1 K P = P
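The general m x m Hill cipher, of which the text shows the m = 3 case, as an added example (not from the notes): the inverse is built from the sub-determinants (cofactors) described above, and the 3 x 3 key is a constructed one chosen because its determinant is invertible mod 26.

```python
# Added example (not from the original notes): Hill cipher for any m x m key with
# the determinant / sub-determinant inverse mod 26. KEY is a constructed example.
from typing import List

Matrix = List[List[int]]
MOD = 26


def minor(a: Matrix, i: int, j: int) -> Matrix:
    """Delete row i and column j of a (the sub-matrix whose determinant is D_ij)."""
    return [row[:j] + row[j + 1:] for r, row in enumerate(a) if r != i]


def det(a: Matrix) -> int:
    """Laplace expansion along the first row; for 3 x 3 it gives the six-term
    formula quoted in the text, for 2 x 2 it gives k11 k22 - k12 k21."""
    if len(a) == 1:
        return a[0][0]
    return sum((-1) ** j * a[0][j] * det(minor(a, 0, j)) for j in range(len(a)))


def inverse_mod26(k: Matrix) -> Matrix:
    """K^-1 = det(K)^-1 * adj(K) mod 26 with adj(K)[i][j] = (-1)^(i+j) * D_ji.
    Fails unless gcd(det(K), 26) == 1, which is the real condition for a usable key."""
    d = det(k) % MOD
    try:
        d_inv = pow(d, -1, MOD)
    except ValueError:
        raise ValueError("key matrix is not invertible mod 26") from None
    n = len(k)
    return [[(d_inv * (-1) ** (i + j) * det(minor(k, j, i))) % MOD for j in range(n)]
            for i in range(n)]


def mat_vec(k: Matrix, v: List[int]) -> List[int]:
    """Matrix times column vector, mod 26."""
    return [sum(k[i][j] * v[j] for j in range(len(v))) % MOD for i in range(len(k))]


def hill(text: str, k: Matrix) -> str:
    """Apply C = KP block by block; the text is padded with X to a multiple of m."""
    m = len(k)
    nums = [ord(c) - ord("A") for c in text.upper() if c.isalpha()]
    nums += [ord("X") - ord("A")] * (-len(nums) % m)
    out: List[int] = []
    for i in range(0, len(nums), m):
        out += mat_vec(k, nums[i:i + m])
    return "".join(chr(ord("A") + x) for x in out)


def hill_encrypt(plaintext: str, k: Matrix) -> str:
    return hill(plaintext, k)


def hill_decrypt(ciphertext: str, k: Matrix) -> str:
    return hill(ciphertext, inverse_mod26(k))      # P = K^-1 C


# Constructed key (not from the notes); det(KEY) = -939, i.e. 23 mod 26, so it is invertible.
KEY = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]
```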
2.3 Transposition Techniques
A transposition cipher is achieved by performing some sort of permutation on the plaintext
letters. The simplest such cipher is the rail fence technique, in which the plaintext is written
down as a sequence of diagonals and then read off as a sequence of rows.
Example: meet me after the toga party
→ mematrhtgpryetefeteoaat
A more complex scheme is to write the message in a rectangle row by row and read the
message off column by column, but permute the order of the columns; the column order then
becomes the key to the algorithm.
Example
Ciphertext: T T N A A P T M T S U O A O D W C O I X K N L Y P E T Z
The transposition cipher can be made significantly more secure by performing more than one
stage of transposition. The result is a more complex permutation that is not easily
reconstructed.
Example
Output: N S C Y A U O P T T W L T M D N A O I E P A X T T O K Z
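Both transpositions as an added example (not from the notes), run on the examples above. The plaintext and column key of the columnar examples are not printed on this page; the block assumes the textbook input "attack postponed until two am xyz" with key 4312567 (column labelled 1 read first), which reproduces the quoted single-stage and double-stage ciphertexts.

```python
# Added example (not from the original notes): rail fence and keyed columnar
# transposition. Plaintext / key for the columnar example are assumed (see lead-in).
from typing import List


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Write the letters diagonally over `rails` rows, then read row by row."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    rows: List[List[str]] = [[] for _ in range(rails)]
    r, step = 0, 1
    for c in letters:
        rows[r].append(c)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return "".join("".join(row) for row in rows)


def columnar_encrypt(text: str, key: str) -> str:
    """Write the text into rows of len(key) columns and read the columns out in
    the order given by the key digits (distinct digits; column labelled 1 first)."""
    letters = [c for c in text.lower() if c.isalpha()]
    width = len(key)
    letters += ["x"] * (-len(letters) % width)      # pad so every column has equal height
    columns = {int(k): letters[i::width] for i, k in enumerate(key)}
    return "".join("".join(columns[k]) for k in sorted(columns)).upper()


def columnar_decrypt(cipher: str, key: str) -> str:
    """Undo columnar_encrypt: cut the ciphertext into columns in key order, put
    them back in their original positions and read row by row."""
    letters = list(cipher.lower())
    width, height = len(key), len(cipher) // len(key)
    order = sorted(range(width), key=lambda i: int(key[i]))   # column index for label 1, 2, ...
    columns: List[List[str]] = [[] for _ in range(width)]
    for n, i in enumerate(order):
        columns[i] = letters[n * height:(n + 1) * height]
    return "".join("".join(row) for row in zip(*columns))


def double_columnar_encrypt(plaintext: str, key: str) -> str:
    """Two stages of columnar transposition with the same key (second example above)."""
    return columnar_encrypt(columnar_encrypt(plaintext, key), key)


def double_columnar_decrypt(cipher: str, key: str) -> str:
    return columnar_decrypt(columnar_decrypt(cipher, key), key)
```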
UNIT 3
CRYPTOGRAPHY-II
3.1 Simplified DES
3.2 Block Cipher Principles
3.3 The Data Encryption Standard
3.4 The RSA Algorithm
3.1 Simplified DES
The overall structure of simplified DES, referred to as S-DES, is shown in fig 3.1. The S-DES
encryption algorithm takes an 8-bit block of plaintext and a 10-bit key as input and produces an
8-bit block of ciphertext as output. The S-DES decryption algorithm takes an 8-bit block of
ciphertext and the same 10-bit key used to produce that ciphertext as input and produces the
original 8-bit block of plaintext.
Fig 3.1 Structure of S-DES
The encryption algorithm involves five functions:
 An initial permutation (IP)
 A complex function labeled fK, which involves both permutation and substitution
operations and depends on a key input
 A simple permutation function that switches (SW) the two halves of the data
 The function fK again
 And finally a permutation function that is the inverse of the initial permutation (IP^-1)
The use of multiple stages of permutation and substitution results in a more complex algorithm,
which increases the difficulty of cryptanalysis.
The function fK takes as input not only the data passing through the encryption algorithm, but
also an 8-bit key. A 10-bit key is used from which two 8-bit subkeys are generated. The key is
first subjected to permutation (P10). Then a shift operation is performed. The output of the shift
operation is then passed through a permutation function (P8) that produces an 8-bit output for the
first subkey (K1). The output of the shift operation also feeds into another shift and another
instance of P8 to produce the second subkey (K2).
The encryption algorithm can be written as follows:
Where
K1 = P8 (Shift (P10 (key)))
K2 = P8 (Shift (Shift (P10 (key))))
The decryption is essentially the reverse of encryption and can be written as:
3.1.1 S-DES Key Generation
S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key,
two 8-bit subkeys are produced for use in particular stages of the encryption and decryption
algorithm.
Fig 3.2 Key generation for Simplified DES
 First, permute the key according to P10, which can be defined as follows:
P10: 3 5 2 7 4 10 1 9 8 6
 Next, perform a circular left shift (LS-1), or rotation, separately on the first 5 bits and the
second 5 bits.
 Next, apply P8, which picks out and permutes 8 of the 10 bits according to the
following rule:
P8: 6 3 7 4 8 5 10 9
The result is subkey 1 (K1).
 The pair of 5-bit strings is then circularly left shifted by 2 bit positions (LS-2), applied to
each 5-bit string.
 Finally, P8 is again applied to produce K2. Hence the required 8-bit subkeys K1 and K2 are
generated, which are then used in the encryption stages.
S-DES Encryption Function
Initial Permutation
The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP
function:
IP: 2 6 3 1 4 8 5 7
This retains all 8 bits of the plaintext but mixes them up. At the end of the algorithm, the inverse
permutation IP^-1 is used:
IP^-1: 4 1 3 5 7 2 8 6
It is easy to show by example that the second permutation is indeed the reverse of the first, that
is, IP^-1(IP(X)) = X.
The Function fK
The most complex component of S-DES is the function fK, which consists of a combination of
permutation and substitution functions. The functions can be expressed as follows. Let L and R
be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping from
4-bit strings to 4-bit strings. Then we get
fK(L, R) = (L ⊕ F(R, SK), R)
where SK is a subkey and ⊕ is the bit-by-bit exclusive-OR function.
Fig 3.3 Simplified DES scheme encryption detail
We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is an
expansion/permutation operation:
E/P: 4 1 2 3 2 3 4 1
It is clearer to depict the result as two rows of four bits:
n4 n1 n2 n3
n2 n3 n4 n1
The 8-bit subkey K1 = (k11, k12, k13, k14, k15, k16, k17, k18) is added to this value using
exclusive-OR:
n4 ⊕ k11   n1 ⊕ k12   n2 ⊕ k13   n3 ⊕ k14
n2 ⊕ k15   n3 ⊕ k16   n4 ⊕ k17   n1 ⊕ k18
Renaming these 8 bits row by row, the first four bits (first row of the preceding matrix) are fed
into the S-box S0 to produce a 2-bit output, and the remaining 4 bits (second row) are fed into
S1 to produce another 2-bit output. These two boxes are defined as follows:
The S-boxes operate as follows: the first and fourth input bits are treated as a 2-bit number that
specifies a row of the S-box, and the second and third input bits specify a column of the S-box.
The entry in that row and column, in base 2, is the 2-bit output.
Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows:
P4: 2 4 3 1
The output of P4 is the output of the function F.
The switch function
The function fK only alters the leftmost 4 bits of the input. The switch function (SW)
interchanges the left and right 4 bits so that the second instance of fK operates on a different 4
bits. In this second instance, the E/P, S0, S1 and P4 functions are the same; the key input is K2.
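A complete S-DES, as an added example (not from the notes), assembled from the tables P10, P8, IP, IP^-1, E/P and P4 quoted above. The S-box tables did not survive on this page, so the standard S-DES boxes S0 and S1 are used; the check values (key 1010000010, plaintext 10010111, ciphertext 00111000) are the usual S-DES test vector. Decryption is the same function with the subkeys in reverse order, which works because fK and SW are involutions.

```python
# Added example (not from the original notes): S-DES from the tables in the text.
# S0 and S1 are the standard S-DES S-boxes (omitted on this page); bits are lists of 0/1.
from typing import List, Tuple

Bits = List[int]

P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]
P8 = [6, 3, 7, 4, 8, 5, 10, 9]
IP = [2, 6, 3, 1, 4, 8, 5, 7]
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]
EP = [4, 1, 2, 3, 2, 3, 4, 1]
P4 = [2, 4, 3, 1]
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]


def permute(bits: Bits, table: List[int]) -> Bits:
    """Tables are 1-based as printed in the notes: output bit i is input bit table[i]."""
    return [bits[i - 1] for i in table]


def rotate_left(half: Bits, n: int) -> Bits:
    return half[n:] + half[:n]


def xor(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def subkeys(key: Bits) -> Tuple[Bits, Bits]:
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key)))); halves are shifted separately."""
    p10 = permute(key, P10)
    left, right = rotate_left(p10[:5], 1), rotate_left(p10[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotate_left(left, 2), rotate_left(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(box: List[List[int]], bits: Bits) -> Bits:
    """Bits 1 and 4 select the row, bits 2 and 3 the column; the entry is a 2-bit value."""
    row = (bits[0] << 1) | bits[3]
    col = (bits[1] << 1) | bits[2]
    value = box[row][col]
    return [value >> 1, value & 1]


def F(right: Bits, sk: Bits) -> Bits:
    """E/P, XOR with the subkey, S0 on the first row, S1 on the second, then P4."""
    expanded = xor(permute(right, EP), sk)
    return permute(sbox(S0, expanded[:4]) + sbox(S1, expanded[4:]), P4)


def fk(block: Bits, sk: Bits) -> Bits:
    """fK(L, R) = (L xor F(R, SK), R)."""
    left, right = block[:4], block[4:]
    return xor(left, F(right, sk)) + right


def switch(block: Bits) -> Bits:
    return block[4:] + block[:4]


def sdes(block: Bits, ka: Bits, kb: Bits) -> Bits:
    """IP^-1(fKb(SW(fKa(IP(block))))): (K1, K2) encrypts, (K2, K1) decrypts."""
    return permute(fk(switch(fk(permute(block, IP), ka)), kb), IP_INV)


def to_bits(s: str) -> Bits:
    return [int(c) for c in s]


def to_str(bits: Bits) -> str:
    return "".join(str(b) for b in bits)


def encrypt(plaintext: str, key: str) -> str:
    k1, k2 = subkeys(to_bits(key))
    return to_str(sdes(to_bits(plaintext), k1, k2))


def decrypt(ciphertext: str, key: str) -> str:
    k1, k2 = subkeys(to_bits(key))
    return to_str(sdes(to_bits(ciphertext), k2, k1))
```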
3.2 Block Cipher Principles
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a
ciphertext block of equal length. Typically, a block of 64 or 128 bits is used. Block ciphers seem
to be applicable to a broader range of applications than stream ciphers. The vast majority of
network-based symmetric cryptographic applications make use of block ciphers.
Feistel Cipher Structure
Fig 3.4 below depicts the structure proposed by Feistel. The inputs to the encryption
algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into
two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then
combine to produce the ciphertext block. Each round i has as inputs Li-1 and Ri-1, derived from
the previous round, as well as a subkey Ki, derived from the overall key K.
All the rounds have the same structure. A substitution is performed on the left half of the data.
This is done by applying a round function F to the right half of the data and then taking the
exclusive-OR of the output of that function and the left half of the data. The round function has
the same general structure for each round but is parameterized by the round subkey Ki.
Following this substitution, a permutation is performed that consists of the interchange of the
two halves of the data.
The parameters and design features of a Feistel network are:
 Block Size: A larger block size means greater security but reduced encryption/decryption
speed. A block size of 64 bits is universally used in block cipher design.
 Key Size: A larger key size means greater security but may decrease encryption/decryption
speed. Key sizes of 64 bits or less are considered inadequate, and 128 bits is commonly
used.
 Number of Rounds: The essence of the Feistel cipher is that a single round offers inadequate
security but that multiple rounds offer increasing security. A typical size is 16 rounds.
 Subkey Generation Algorithm: Greater complexity in this algorithm should lead to
greater difficulty of cryptanalysis.
 Round Function: Greater complexity means greater resistance to cryptanalysis.
 Fast Software Encryption/Decryption: The speed of execution of the algorithm is a
concern, so the algorithm must be fast.
 Ease of Analysis: The algorithm should be easy to analyze for cryptanalytic
vulnerabilities, so that a higher level of assurance as to its strength can be developed.
Fig 3.4 Classical Feistel network
3.3 The Data Encryption Standard
DES Encryption Algorithm
The overall scheme for DES encryption is illustrated in fig 3.5. The processing of the
plaintext proceeds in three phases:
 First, the 64-bit plaintext passes through an initial permutation that rearranges the bits to
produce the permuted input.
 This is followed by a phase consisting of 16 rounds of the same function, which involves
both permutation and substitution functions.
 The output of the last round consists of 64 bits that are a function of the input plaintext
and the key. The left and right halves of the output are then swapped to produce the
preoutput.
 Finally, the preoutput is passed through a permutation that is the inverse of the initial
permutation function to produce the 64-bit ciphertext.
Fig 3.5 General Description of DES Encryption Algorithm
Single Round of DES
Fig 3.6 shows the internal structure of a single round of DES.
Fig 3.6 Single Round of DES Algorithm
The overall processing at each round can be summarized using the following formulas, which
restate the Feistel round described above:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits
by using a table that defines a permutation plus an expansion that involves duplication of 16
of the R bits. The resulting 48 bits are XORed with Ki. This 48-bit result passes through a
substitution function that produces a 32-bit output, which is again permuted.
The role of the S-boxes in the function F is illustrated in fig 3.7 below. The
substitution consists of a set of 8 S-boxes, each of which accepts 6 bits as input and produces
4 bits as output, as defined by the respective S-box definition table. The first and the last bits
of the input to box Si form a 2-bit binary number to select one of the 4 substitutions defined by
the four rows in the table for Si. The middle four bits select one of the 16 columns. The decimal
value in the cell selected by the row and column is then converted to its 4-bit representation
to produce the output.
Fig 3.7 Calculation of F(R, K)
3.4 The RSA Algorithm
The RSA scheme was developed by Rivest, Shamir and Adleman. It makes use of an
expression with exponentials. The RSA algorithm is given below:
Key Generation
 Select p, q: p and q both prime
 Calculate n = p x q
 Calculate φ(n) = (p − 1)(q − 1)
 Select integer e: gcd(φ(n), e) = 1; 1 < e < φ(n)
 Calculate d: d ≡ e^-1 mod φ(n)
 Public key: KU = {e, n}
 Private key: KR = {d, n}
Encryption
 Plaintext: M < n
 Ciphertext: C = M^e (mod n)
Decryption
 Ciphertext: C
 Plaintext: M = C^d (mod n)
Example
 Select two prime numbers, p = 17 and q = 11.
 Calculate n = pq = 17 x 11 = 187.
 Calculate φ(n) = (p − 1)(q − 1) = 16 x 10 = 160.
 Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.
 Determine d such that de ≡ 1 mod 160 and d < 160. The correct value is d = 23, because
23 x 7 = 161 = 1 x 160 + 1.
 The resulting keys are public key KU = {7, 187} and private key KR = {23, 187}.
The encryption of the plaintext M = 88 using the above values is depicted in fig 3.8 below:
Fig 3.8 Example of RSA algorithm
Proof of RSA
We have chosen e and d such that
d ≡ e^-1 mod φ(n)
Therefore,
ed ≡ 1 mod φ(n)
Therefore, ed is of the form kφ(n) + 1. But by the corollary to Euler's theorem, given two
prime numbers p and q, and integers n = pq and M with 0 < M < n,
M^(kφ(n)+1) = M^(k(p−1)(q−1)+1) ≡ M mod n
So
M^(ed) ≡ M mod n
Now
C = M^e mod n
M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
Hence the proof.
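The key generation, encryption and decryption steps above, together with the Euler corollary used in the proof, as an added example (not from the notes) run on the notes' own values p = 17, q = 11, e = 7 and M = 88. This is textbook RSA on small integers: no padding, and d is found with the extended Euclidean algorithm.

```python
# Added example (not from the original notes): textbook RSA on the notes' values.
from math import gcd
from typing import Tuple

Key = Tuple[int, int]


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e: int, phi: int) -> int:
    """d = e^-1 mod phi, which exists only when gcd(e, phi) == 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not relatively prime")
    return x % phi


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small values used here."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def generate_keys(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Returns (public key KU = (e, n), private key KR = (d, n)) per the steps above."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)


def rsa_encrypt(m: int, ku: Key) -> int:
    """C = M^e mod n; the block M must be smaller than n."""
    e, n = ku
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(c: int, kr: Key) -> int:
    """M = C^d mod n."""
    d, n = kr
    return pow(c, d, n)


def euler_check(m: int, p: int, q: int, k: int) -> bool:
    """The corollary to Euler's theorem used in the proof: M^(k*phi(n)+1) == M mod n."""
    n, phi = p * q, (p - 1) * (q - 1)
    return pow(m, k * phi + 1, n) == m % n
```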
Unit 4
E-MAIL SECURITY
4.1 Introduction
4.2 Pretty Good Privacy
4.2.1 Operational description of PGP
4.2.2 Cryptographic keys and key rings
4.3 S/MIME
4.3.1 S/MIME Functionality
4.3.2 S/MIME Messages
4.1 Introduction
In today's distributed environment, electronic mail is the most heavily used network-based
application, across all platforms and architectures. With such growth in this field, there is a
need for authentication and confidentiality services. The two approaches that are likely to
remain in use for the next few years are
 Pretty Good Privacy (PGP)
 S/MIME
4.2 Pretty Good Privacy
PGP is a service which provides confidentiality and authentication for e-mail and file
storage applications. PGP is largely the effort of Phil Zimmermann. In essence, the contribution
of Zimmermann is as follows:
 Selected the best available cryptographic algorithms as building blocks.
 Integrated these algorithms into a general-purpose application that is independent of
operating system and processor and that is based on a small set of easy-to-use commands.
 Made the package and its documentation, including the source code, freely available via
the Internet, bulletin boards and commercial networks such as AOL (America Online).
 Entered into an agreement with a company (Network Associates, previously Viacrypt) to
provide a fully compatible, low-cost commercial version of PGP.
Notations used with the concept of PGP are listed below
Ks = session key used in the conventional encryption scheme
KRa = private key of user A, used in public key encryption scheme
KUa = public key of user A, used in public key encryption scheme
EP = public key encryption
DP = public key decryption
EC = conventional encryption
DC = conventional decryption
H = Hash function
|| = Concatenation
Z = Compression using ZIP algorithm
R64 = Conversion to radix 64 ASCII format
Secret key = key paired with a public key in a public key encryption scheme.
The reasons for the wide usage and popularity of PGP:
 It is freely available.
 It runs on a variety of platforms, such as DOS/Windows, UNIX and Macintosh.
 It is supported by several vendors.
 It is based on algorithms that are very popular and considered to be extremely secure:
RSA, DSS and Diffie-Hellman for public-key encryption; CAST-128, IDEA and TDEA for
conventional encryption; and SHA-1 for hash coding.
 It can be used to send messages securely worldwide over the Internet.
 It was not developed by, nor is it controlled by, any government or standardization
organization, which makes it more attractive to people who don't trust these establishments.
4.2.1 Operational Description of PGP
PGP provides five services:
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation
Authentication
This refers to the digital signature service provided by PGP. The sequence for authentication
is as follows:
a. The sender creates a message.
b. SHA-1 is used to generate a 160-bit hash code of the message.
c. The hash code is encrypted with RSA using the sender's private key, and the result is
prepended to the message.
d. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
e. The receiver generates a new hash code for the message and compares it with the
decrypted hash code. If the two match, the message is accepted as authentic.
RSA assures that only the holder of the matching private key can generate the signature, and
because of SHA-1 the recipient is assured that no one else could generate a new message that
matches the hash code and hence the signature of the original message.
Alternatively, signatures can be generated using DSS/SHA-1. Generally signatures are attached
to the message or file, but a detached signature may also be used. For example, a user may wish
to maintain a separate signature log of all messages sent or received. A detached signature of an
executable program can detect subsequent virus infection. A detached signature may also be
used when more than one party must sign a document. The concept is illustrated in fig 4.1(a).
Confidentiality
The next basic service provided by PGP is confidentiality, which is provided by encrypting
messages to be transmitted or to be stored locally as files. CAST-128, IDEA or TDEA in CFB
mode is used for encrypting both the plaintext message and the signature; RSA is used for
session key encryption. On the whole, the sender first signs the message with its own private
key, then encrypts the message with a session key, and then encrypts the session key with the
recipient's public key. The concept is shown in fig 4.1(b).
Fig 4.1 PGP cryptographic function
The sequence is as follows:
1. The sender generates a message and a random 128-bit number to be used as a session key
for this message only.
2. The message is encrypted using CAST-128 or IDEA or 3DES with the session key.
3. The session key is encrypted with RSA using the recipient’s public key, and is prepended
to the message.
4. The receiver uses RSA with its private key to decrypt and recover the session key.
5. The session key is used to decrypt the message.
Observations
1. To reduce encryption time, the combination of conventional and public-key encryption is
used in preference to simply using RSA or ElGamal to encrypt the message directly:
CAST-128 and the other conventional algorithms are substantially faster than RSA or
ElGamal.
2. The use of the public-key algorithm solves the session key distribution problem, because only
the recipient is able to recover the session key that is bound to the message.
3. The use of one-time conventional keys further strengthens the conventional encryption
approach.
First a signature is generated for the plaintext message and prepended to the message. Then
the plaintext message plus signature is encrypted using CAST-128 or IDEA or 3DES, and the
session key is encrypted using RSA or ElGamal. With this sequence it is more convenient to
store a signature with a plaintext version of the message. Furthermore, for purposes of third
party verification, if the signature is performed first, a third party need not be concerned with the
conventional key when verifying the signature. Thus, when both services are needed, the
sender first signs the message with its own private key, then encrypts the message with a
session key, and then encrypts the session key with the recipient's public key.
Compression
By default, PGP compresses the message after applying the signature but before
encryption.
1. The signature is generated before compression for two reasons:
a. It is generally preferable to store the signature with the uncompressed message. If
one signed a compressed document, then it would be necessary either to store a
compressed version of the message for later verification or to recompress the
message when verification is required.
b. Even if one were willing to generate dynamically a recompressed message for
verification, PGP's compression algorithm presents a difficulty:
 The compression algorithm is not deterministic, i.e. various implementations
of the algorithm will yield different compressed forms.
 However, these different compressed forms are interoperable, because any
version can decompress the output of any other version. Applying the hash function
and signature after compression would constrain all PGP implementations to the
same version of the compression algorithm.
2. Message encryption is applied after compression to strengthen cryptographic security.
Because the compressed message has less redundancy than the original plaintext,
cryptanalysis is more difficult.
E-mail compatibility
In PGP, at least part of the block to be transmitted is encrypted. PGP provides the
service of converting the raw 8-bit binary stream to a stream of printable ASCII characters. It
uses radix-64 conversion [each group of three octets of binary data is mapped into four
ASCII characters]. The use of radix-64 expands the message by 33%. The point to be
noted here is that the plaintext message has been compressed, while the session key and
signature portions of the message are untouched.
One point about the radix-64 algorithm is that it blindly converts the input stream to radix-64
format regardless of content, even if the input is ASCII text. Thus, if a message is signed but
not encrypted and the conversion is applied to the entire block, the output will be unreadable
to casual observers, which provides a certain level of confidentiality.
Optionally, PGP can also be configured to convert to radix-64 format only the signature
portion of signed plaintext messages. This enables the human recipient to read the message
without using PGP. But to verify the signature, PGP must be used.
Fig 4.2 below shows the relationship among the services (authentication,
confidentiality, compression and e-mail compatibility).
Fig 4.2 Generic transmission
 On transmission, if it is required, a signature is generated using a hash code of the
uncompressed plaintext. Then the plaintext plus signature, if present, is compressed.
 Next, if confidentiality is required, the block is encrypted and prepended with the
public-key-encrypted conventional encryption key. Finally, the entire block is converted to
radix-64 format.
 On reception, the incoming block is first converted back from radix-64 format to binary.
Next, if the message is encrypted, the recipient recovers the session key and decrypts the
message. The resulting block is then decompressed.
Segmentation and Reassembly
E-mail facilities generally place a restriction on the maximum message length of 50,000 octets.
If the message is longer than this limit, it must be broken into smaller segments, each of which
is mailed separately.
To accommodate this restriction, PGP automatically subdivides a large message into segments
small enough to be sent through e-mail. The segmentation is done after all other processing,
including the radix-64 conversion. Thus, the session key component and signature component
appear only once, at the beginning of the first segment. At the receiving end, PGP must strip off
all e-mail headers and reassemble the entire original block before performing the steps shown
in fig 4.3.
Fig 4.3 Generic reception
The PGP services are summarized in table 4.1.
Function | Algorithm used | Description
Digital signature | DSS/SHA or RSA/SHA | A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message.
Message encryption | CAST or IDEA or three-key triple DES with Diffie-Hellman or RSA | A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message.
Compression | ZIP | A message may be compressed for storage or transmission using ZIP.
E-mail compatibility | Radix-64 conversion | To provide transparency for e-mail applications, an encrypted message may be converted to an ASCII string using radix-64 conversion.
Segmentation | ------ | To accommodate maximum message size limitations, PGP performs segmentation and reassembly.
Table 4.1 Summary of PGP services
4.2.2 Cryptographic Keys and Key Rings
PGP makes use of four types of keys:
1. One-time session conventional keys
2. Public keys
3. Private keys
4. Passphrase-based conventional keys
Requirements for these keys are:
i. A means of generating unpredictable session keys is needed.
ii. Every user may be allowed to have multiple public/private key pairs. This may be
because
 a user may wish to change the key pair from time to time;
 a user may wish to have multiple key pairs at a given time to interact with
different groups;
 or simply to enhance security.
iii. Each PGP entity must maintain a file of its own public/private key pairs as well as a file
of public keys of correspondents.
Session Key Generation
 Every message has a session key associated with it.
 It is used only for encrypting and decrypting that message.
o Here we assume the CAST-128 symmetric encryption algorithm is used.
o CAST-128 itself is used to generate the 128-bit random number.
 The plaintext input to the random number generator consists of two 64-bit blocks, which
are derived from a stream of 128-bit randomized numbers. These numbers are based on
keystroke input from the user.
 This random input is combined with the previous session key output from CAST-128 to
form the key input to the generator.
 The result, given the effective scrambling of CAST-128, is a sequence of session keys
that are effectively unpredictable.
Key Identifiers
The problem: at the receiving end, the recipient recovers the session key and then recovers
the message. If the sender employs only one public/private key pair, then it is easy for the
recipient to decrypt the message; but a user may hold multiple public/private key pairs, so
how does the recipient know which of its public keys was used to encrypt the session key?
The solution is to associate with each public key an identifier that is unique within one
user, i.e. the combination of user ID and key ID. Thus a key is identified by user ID + key ID.
In PGP, every public key is assigned a key ID that is unique for a user with a given user ID.
The key ID consists of the least significant 64 bits of the public key. Therefore the key ID of
public key KUa is [KUa mod 2^64], which is of sufficient length that the probability of duplicate
key IDs is very small. A key ID is also required for the PGP digital signature.
Format of a PGP message from A to B
A message consists of three components. The message component contains
1. the actual data to be stored or transmitted,
2. a filename, and
3. a timestamp that tells the time of creation.
The signature component [optional] contains
 Timestamp: the time at which the signature was made.
 Message digest
o The digest is calculated over the signature timestamp and the data portion of the
message component.
o It is the 160-bit SHA-1 digest, encrypted with the sender's private signature key.
 Leading two octets of the message digest
o These enable the recipient to determine whether the correct public key was used to
decrypt the message digest for authentication, by comparing this plaintext copy of the
first two octets with the first two octets of the decrypted digest.
 Key ID of the sender's public key
o Identifies the public key that should be used to decrypt the message digest and
hence identifies the private key that was used to encrypt the message digest.
Fig 4.4 General format of PGP message
The session key component (Ks) includes the session key and the identifier of the recipient's
public key that was used by the sender to encrypt the session key. The entire block is usually
encoded with radix-64 encoding. The PGP message format is shown in figure 4.4.
Key Rings
Fig 4.5 below shows PGP message generation from user A to user B, with no compression
or radix-64 conversion, for a message that is to be both signed and encrypted:
Fig 4.5 PGP message generation
The sending PGP entity performs the following steps:
1. Signing the message
a. PGP retrieves the sender’s private key from the private-key ring using
your_userid as an index. If your_userid was not provided in the command, the
first private key on the ring is retrieved.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. The signature component of the message is constructed.
2. Encrypting the message
a. PGP generates a session key and encrypts the message.
b. PGP retrieves the recipient’s public key from the public-key ring using the
her_userid as an index.
c. The session key component of the message is constructed.
The PGP message reception from user A to user B is as shown in the fig 4.6.
Fig 4.6 PGP reception
The receiving PGP entity performs the following steps:
1. Decrypting the message
a. PGP retrieves the receiver’s private key from the private-key ring using Key ID
field of the session key component of the message as an index.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. PGP then recovers the session key and decrypts the message.
2. Authenticating the message
a. PGP retrieves the sender’s public key from the public-key ring using the Key ID
field in the signature component of the message as an index.
b. PGP recovers the transmitted message digest.
c. PGP computes the message digest for the received message and compares it to the
transmitted message digest to authenticate.
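The signed-message path of the generation and reception steps above, combined with the key ID, leading-two-octet and key-ring mechanics of 4.2.2, as an added example (not from the notes and not PGP's own code). It assumes: textbook RSA over the SHA-1 digest with a key pair generated in the block (Miller-Rabin primes of an assumed 128 bits each), a 4-byte timestamp, a public-key ring modelled as a dict keyed by key ID, zlib Deflate standing in for ZIP and base64 for radix-64; the confidentiality step is omitted because the standard library has no CAST-128, IDEA or 3DES.

```python
# Added example (not from the original notes): PGP-style sign -> compress -> radix-64
# and the reverse, with key-ring lookup by key ID. Key sizes and layout are assumptions.
import base64
import hashlib
import random
import time
import zlib
from typing import Dict, Tuple

Key = Tuple[int, int]          # (exponent, modulus)
KEY_ID_MASK = (1 << 64) - 1    # key ID = KU mod 2^64 (least significant 64 bits)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, used only to generate the demo key pair."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_keypair(bits: int = 256, e: int = 65537) -> Tuple[Key, Key]:
    """Returns (KU, KR). n must exceed 2^160 so a SHA-1 digest fits in one RSA block."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this guarantees gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def key_id(ku: Key) -> int:
    """Key ID of a public key: the least significant 64 bits of the modulus."""
    return ku[1] & KEY_ID_MASK


def transmit(data: bytes, kr: Key, ku: Key) -> bytes:
    """Sign over (signature timestamp || data), then compress, then radix-64."""
    ts = int(time.time()).to_bytes(4, "big")
    digest = hashlib.sha1(ts + data).digest()
    sig = pow(int.from_bytes(digest, "big"), kr[0], kr[1]).to_bytes(32, "big")
    # signature component: timestamp | key ID of sender's public key | leading two octets | encrypted digest
    component = ts + key_id(ku).to_bytes(8, "big") + digest[:2] + sig
    return base64.b64encode(zlib.compress(component + data))


def receive(block: bytes, public_ring: Dict[int, Key]) -> Tuple[bool, bytes]:
    """Undo radix-64 and compression, find the sender's public key by key ID, check the
    two-octet hint, then compare the recovered digest with a freshly computed one."""
    plain = zlib.decompress(base64.b64decode(block))
    ts, kid, hint, sig, data = plain[:4], plain[4:12], plain[12:14], plain[14:46], plain[46:]
    ku = public_ring.get(int.from_bytes(kid, "big"))
    if ku is None:
        return False, data                   # key ID not on the ring: cannot verify
    recovered = pow(int.from_bytes(sig, "big"), ku[0], ku[1])
    if recovered >> 160 or recovered.to_bytes(20, "big")[:2] != hint:
        return False, data                   # wrong public key was selected
    return recovered.to_bytes(20, "big") == hashlib.sha1(ts + data).digest(), data


if __name__ == "__main__":
    ku, kr = make_keypair()
    ring = {key_id(ku): ku}                  # recipient's public-key ring (constructed)
    msg = transmit(b"constructed test message", kr, ku)
    print(receive(msg, ring))
```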
4.3 S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the
MIME Internet e-mail format standard, based on technology from RSA Data Security.
The limitations of the SMTP/822 scheme are:
 SMTP cannot transmit executable files or other binary objects. A number of schemes are
in use for converting binary files into a text form that can be used by SMTP mail systems,
including the popular UNIX UUencode/UUdecode scheme. However, none of these is a
standard or even a de facto standard.
 SMTP cannot transmit text data that includes national language characters, because these
are represented by 8-bit codes with values of 128 decimal or higher, and SMTP is limited
to 7-bit ASCII.
 SMTP servers may reject mail messages over a certain size.
 SMTP gateways that translate between ASCII and the character code EBCDIC do not use
a consistent set of mappings, resulting in translation problems.
 SMTP gateways to X.400 electronic mail networks cannot handle non-textual data
included in X.400 messages.
 Some SMTP implementations do not adhere completely to the SMTP standards defined
in RFC 821. Common problems include the following:
o Deletion, addition, or reordering of carriage return and linefeed.
o Truncating or wrapping lines longer than 76 characters.
o Removal of trailing white space (tab and space characters).
o Padding of lines in a message to the same length.
o Conversion of tab characters into multiple space characters.
MIME is intended to resolve these problems in a manner that is compatible with existing
RFC 822 implementations.
4.3.1 S/MIME Functionality
S/MIME provides the following functions:
 Enveloped data: This consists of encrypted content of any type and encrypted content-
encryption keys for one or more recipients.
 Signed data: A digital signature is formed by taking the message digest of the content to
be signed and then encrypting that with the private key of the signer. The content plus
signature are then encoded using base64 encoding. Signed data can only be viewed by a
recipient with S/MIME capability.
 Clear-signed data: As with signed data, a digital signature of the content is formed.
However, in this case, only the digital signature is encoded using base64. As a result,
recipients without S/MIME capability can view the message content, although they
cannot verify the signature.
 Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so
that encrypted data may be signed and signed data or clear-signed data may be encrypted.
4.3.2 S/MIME Messages
S/MIME makes use of a number of new MIME content types, shown in table 4.2.
Table 4.2 MIME content types
Securing a MIME Entity
 S/MIME secures a MIME entity with a signature, encryption, or both.
 A MIME entity may be an entire message or, if the MIME content type is multipart, one
or more of the subparts of the message.
 The MIME entity is prepared according to the normal rules for MIME message
preparation. Then the MIME entity plus some security-related data, such as algorithm
identifiers and certificates, are processed by S/MIME to produce what is known as a PKCS
object. The PKCS object is then treated as message content and wrapped in MIME.
 The result of applying the security algorithm will be an object that is partially or totally
represented in arbitrary binary data. This will then be wrapped in an outer MIME message,
and a transfer encoding, typically base64, can be applied at that point. However, in the case
of a multipart signed message, the message content in one of the subparts is unchanged by
the security process. Unless that content is 7-bit, it should be transfer encoded using base64
or quoted-printable, so that there is no danger of altering the content to which the signature
was applied.
EnvelopedData
The steps for preparing an envelopedData MIME entity are as follows:
 Generate a pseudorandom session key for a particular symmetric encryption algorithm
(RC2/40 or triple DES).
 For each recipient, encrypt the session key with the recipient's public RSA key.
 For each recipient, prepare a block known as RecipientInfo that contains the sender's
public-key certificate, an identifier of the algorithm used to encrypt the session key, and
the encrypted session key.
 Encrypt the message content with the session key.
The RecipientInfo blocks followed by the encrypted content constitute the envelopedData.
This information is then encoded into base64. To recover the encrypted message, the
recipient strips off the base64 encoding. Then the recipient's private key is used to recover
the session key. Finally, the message content is decrypted with the session key.
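The four envelopedData steps and the recipient's recovery procedure, as an added Go example that is not part of these notes and not code from any S/MIME implementation. It assumes AES-256-GCM in place of the RC2/40 or triple DES named above, RSA-OAEP for the key encryption, a constructed recipient name in place of the certificate in each RecipientInfo block, and JSON in place of the DER encoding a real PKCS object would use; the names Envelope, Open, RecipientInfo and EnvelopedData are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// RecipientInfo is the per-recipient block from the notes. The notes say it carries a
// certificate; a constructed recipient name stands in so the example runs without a PKI.
type RecipientInfo struct {
	Recipient    string
	KeyAlgorithm string
	EncryptedKey []byte
}

// EnvelopedData is the RecipientInfo blocks followed by the encrypted content.
// JSON stands in for the DER encoding of a real PKCS#7/CMS object (assumption).
type EnvelopedData struct {
	ContentAlgorithm string
	Recipients       []RecipientInfo
	Nonce            []byte
	EncryptedContent []byte
}

// aesGCM builds the content cipher; AES-256-GCM stands in for RC2/40 or triple DES.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope performs the four preparation steps and returns the base64 text for the MIME body.
func Envelope(content []byte, recipients map[string]*rsa.PublicKey) (string, error) {
	// Step 1: pseudorandom session key (32 bytes) plus a 12-byte GCM nonce, drawn together.
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	env := EnvelopedData{ContentAlgorithm: "AES-256-GCM", Nonce: nonce}
	// Steps 2 and 3: encrypt the session key under each recipient's RSA key; build RecipientInfo.
	for name, pub := range recipients {
		ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return "", err
		}
		env.Recipients = append(env.Recipients, RecipientInfo{name, "RSAES-OAEP", ek})
	}
	// Step 4: encrypt the message content with the session key.
	gcm, err := aesGCM(sessionKey)
	if err != nil {
		return "", err
	}
	env.EncryptedContent = gcm.Seal(nil, nonce, content, nil)
	raw, err := json.Marshal(env)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Open is the recipient side: strip the base64, find our RecipientInfo block, recover the
// session key with our private key, then decrypt the content with that session key.
func Open(b64, name string, priv *rsa.PrivateKey) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	var env EnvelopedData
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	for _, ri := range env.Recipients {
		if ri.Recipient != name {
			continue
		}
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ri.EncryptedKey, nil)
		if err != nil {
			return nil, fmt.Errorf("session key for %s does not decrypt: %w", name, err)
		}
		gcm, err := aesGCM(sessionKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.EncryptedContent, nil)
	}
	return nil, fmt.Errorf("no RecipientInfo block for %s", name)
}

func main() {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	b64, _ := Envelope([]byte("constructed sample body"), map[string]*rsa.PublicKey{"bob": &bob.PublicKey})
	plain, err := Open(b64, "bob", bob)
	fmt.Println(string(plain), err)
}
```

Each recipient gets its own RecipientInfo block but all share one encrypted content, which is why the session key is generated once per message and the content is encrypted once; a party whose key is not in any block, or who holds the wrong private key for a block, fails at the OAEP decryption step rather than at the content step.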
SignedData
The signedData smime-type can actually be used with one or more signers. The steps for
preparing a signedData MIME entity are as follows:
 Select a message digest algorithm (SHA or MD5).
 Compute the message digest, or hash function, of the content to be signed.
 Encrypt the message digest with the signer's private key.
 Prepare a block known as SignerInfo that contains the signer's public-key certificate, an
identifier of the message digest algorithm, an identifier of the algorithm used to encrypt
the message digest, and the encrypted message digest.
The signedData entity consists of a series of blocks including the message digest algorithm
identifier, the message being signed and SignerInfo. This information is then encoded into
base64. To recover the signed message and verify the signature, the recipient first strips off
the base64 encoding. Then the signer's public key is used to decrypt the message digest. The
recipient independently computes the message digest and compares it to the decrypted
message digest to verify the signature.
Clear signing
Clear signing is achieved using the multipart content type with a signed subtype. This signing
process does not involve transforming the message to be signed, so the message is sent
"in the clear". Thus, recipients with MIME capability but not S/MIME capability are able to
read the incoming message.
A multipart/signed message has two parts:
 The first part can be any MIME type but must be prepared so that it will not be altered
during transfer from source to destination.
o This part is then processed in the same manner as signedData, but in this case an
object in signedData format is created that has an empty message content field.
o This object is a detached signature. It is then transfer encoded using base64 to
become the second part of the multipart/signed message.
 The second part has a MIME content type of application and a subtype of pkcs7-signature.
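The signedData steps above and the detached-signature object of a multipart/signed message, as one added Go example that is not part of these notes and not code from any S/MIME implementation. It assumes SHA-256 with RSA PKCS#1 v1.5 in place of the SHA/MD5 choice named above, a PKIX public-key DER in place of the signer's X.509 certificate, and JSON in place of DER; the names Sign, Verify, SignerInfo and SignedData are the example's own. With detached set, the content field is left empty and the verifier is given the first MIME part separately, which is the clear-signing case.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SignerInfo is the block from the notes: signer certificate, digest algorithm identifier,
// signature algorithm identifier and the encrypted digest. A PKIX public-key DER stands in
// for an X.509 certificate (assumption made for this example).
type SignerInfo struct {
	Signer          string
	Certificate     []byte
	DigestAlgorithm string
	SignatureAlg    string
	Signature       []byte
}

// SignedData holds the digest algorithm identifier, the content being signed (nil in the
// detached form carried by multipart/signed) and one or more SignerInfo blocks.
type SignedData struct {
	DigestAlgorithm string
	Content         []byte
	Signers         []SignerInfo
}

// Sign performs the four steps: pick the digest (SHA-256 here), digest the content, sign
// the digest with the private key, and build SignerInfo. detached=true leaves the content
// field empty, producing the object that becomes the second part of a multipart/signed message.
func Sign(content []byte, signer string, priv *rsa.PrivateKey, detached bool) (string, error) {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	cert, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	sd := SignedData{DigestAlgorithm: "SHA-256"}
	sd.Signers = []SignerInfo{{signer, cert, "SHA-256", "RSA-PKCS1v15", sig}}
	if !detached {
		sd.Content = content
	}
	raw, err := json.Marshal(sd)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Verify strips the base64, recomputes the digest over the embedded content (or, for a
// detached signature, over the first MIME part passed as external) and checks every
// SignerInfo. It returns the verified signer names and the content they signed.
func Verify(b64 string, external []byte) ([]string, []byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, nil, err
	}
	var sd SignedData
	if err := json.Unmarshal(raw, &sd); err != nil {
		return nil, nil, err
	}
	content := sd.Content
	if content == nil {
		content = external
	}
	digest := sha256.Sum256(content)
	var names []string
	for _, si := range sd.Signers {
		pubAny, err := x509.ParsePKIXPublicKey(si.Certificate)
		if err != nil {
			return nil, nil, err
		}
		pub, ok := pubAny.(*rsa.PublicKey)
		if !ok {
			return nil, nil, fmt.Errorf("signer %s: not an RSA key", si.Signer)
		}
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], si.Signature); err != nil {
			return nil, nil, fmt.Errorf("signer %s: %w", si.Signer, err)
		}
		names = append(names, si.Signer)
	}
	return names, content, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	b64, _ := Sign([]byte("constructed clear text"), "alice", alice, true)
	fmt.Println(Verify(b64, []byte("constructed clear text")))
}
```

The detached path shows why the notes insist that the first part must not be altered in transit: the verifier hashes whatever first part it receives, so a single changed byte (a stripped trailing space, a re-wrapped line) makes the signature fail even though the signature part itself arrived intact.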