Wednesday, October 20, 2021

CST 311 - Week 8

Secure Sockets Layer (SSL)

This week was a bit short as it is our last week, but we did cover a couple of new topics. SSL is used to enhance TCP with security services: confidentiality (encryption), data integrity (no modifications), and end-point authentication (no unauthorized access). Although it technically resides in the application layer, SSL is often considered part of the transport protocol. SSL adds on to TCP's handshake procedure by using session keys for encryption and data integrity (MAC keys). Note that there are four session keys used here: two for encryption and two for integrity, and each host possesses one of each. SSL also uses its own sequence numbers, which are not included in the data records themselves, but rather are included in the hash calculation for the MAC.
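To show why the sequence number matters even though it never travels in the record, here is an added example (my own code, not from the course or any SSL library) that models one direction of a connection with its own MAC key: the receiver computes the MAC over the sequence number it expects, so a replayed, reordered or modified record fails the check. The key bytes and messages are constructed; the two encryption keys are left out to keep the focus on integrity.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 output length

def mac_input(seq: int, data: bytes) -> bytes:
    # The sequence number and length go into the hash but are NOT sent on the wire.
    return struct.pack(">QH", seq, len(data)) + data

class Sender:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0
    def send(self, data: bytes) -> bytes:
        tag = hmac.new(self.mac_key, mac_input(self.seq, data), hashlib.sha256).digest()
        self.seq += 1                      # both ends count records independently
        return data + tag                  # record = data || MAC

class Receiver:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.expected_seq = mac_key, 0
    def accept(self, record: bytes):
        data, tag = record[:-MAC_LEN], record[-MAC_LEN:]
        want = hmac.new(self.mac_key, mac_input(self.expected_seq, data), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            return None                    # wrong seq or altered data: MAC mismatch
        self.expected_seq += 1
        return data

def demo():
    # Constructed key for the client->server direction; the reverse direction gets its own key.
    c2s_mac_key = b"constructed client->server MAC key"
    sender, receiver = Sender(c2s_mac_key), Receiver(c2s_mac_key)
    r0, r1, r2 = (sender.send(m) for m in (b"GET /", b"Host: a", b"\r\n"))
    tampered = r1[:2] + bytes([r1[2] ^ 1]) + r1[3:]   # one data byte flipped in transit
    return [
        receiver.accept(r0) == b"GET /",     # in order: accepted
        receiver.accept(r0) is None,         # replay of record 0: receiver now expects 1
        receiver.accept(r2) is None,         # record 2 arriving before record 1: rejected
        receiver.accept(tampered) is None,   # modified record 1: rejected
        receiver.accept(r1) == b"Host: a",   # genuine record 1: accepted
        receiver.accept(r2) == b"\r\n",      # record 2 is now the expected one: accepted
    ]
```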


The last thing I want to go over is firewalls. Firewalls have 3 goals: for all traffic in each direction to pass through them, to only allow authorized traffic to pass (as defined by local security policy), and to be immune to penetration or compromise. A traditional packet filter may make filtering decisions based on source or destination IP and/or port, protocol type, TCP flag bits, ICMP message type, or other custom rules. An example of packet filtering would be to drop all outgoing packets to port 80 to deny outside web access, or to drop incoming packets with the TCP ACK bit set to 0 to prevent external clients from connecting to internal servers. Stateful packet filters make decisions based on currently active connections; for example, they allow a packet to pass only if it is associated with a known connection.
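As an added illustration (my own code, not from the course or any firewall product), the two rules above as a stateless filter, beside a stateful filter that keeps a table of connections opened by internal hosts. The packets and addresses are constructed; the stray inbound ACK shows what the stateless rule lets through and the stateful one does not.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str        # "out" = internal host -> internet, "in" = internet -> internal host
    proto: str            # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # TCP flag bits (ignored for udp/icmp)
    ack: bool = False

def stateless_decision(pkt: Packet) -> str:
    # Rule 1: drop all outgoing packets to port 80 (deny outside web access).
    if pkt.direction == "out" and pkt.dst_port == 80:
        return "drop"
    # Rule 2: drop inbound TCP with ACK=0. Only the first segment of a connection
    # lacks ACK, so outside hosts cannot open connections to internal servers.
    if pkt.direction == "in" and pkt.proto == "tcp" and not pkt.ack:
        return "drop"
    return "allow"

class StatefulFilter:
    """Inbound traffic passes only if an internal host started the connection."""
    def __init__(self):
        self.connections = set()   # (internal ip, internal port, external ip, external port)
    def decision(self, pkt: Packet) -> str:
        if stateless_decision(pkt) == "drop":
            return "drop"
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:   # internal host opening a connection
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.connections else "drop"

def demo():
    fw = StatefulFilter()   # constructed addresses: 10.0.0.5 internal, others external
    out_syn = Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.7", 443, syn=True)
    in_synack = Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 51000, syn=True, ack=True)
    in_stray_ack = Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.5", 22, ack=True)
    return {
        "outbound web": stateless_decision(Packet("out", "tcp", "10.0.0.5", 51001, "203.0.113.7", 80, syn=True)),
        "inbound syn": stateless_decision(Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.5", 22, syn=True)),
        "stray ack, stateless": stateless_decision(in_stray_ack),   # ACK=1 passes a stateless filter
        "client syn": fw.decision(out_syn),
        "server synack": fw.decision(in_synack),                     # matches the recorded connection
        "stray ack, stateful": fw.decision(in_stray_ack),           # no such connection: dropped
    }
```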

Firewalls alone are not enough to secure a network. For even finer security, firewalls can be combined with application gateway servers. These servers are application-specific, so a different application gateway is needed for every application. They allow for more control over internet application or user activity, such as preventing a certain host from using telnet. Policy decisions are based on application data. Finally, intrusion detection systems (IDS) can be used for deep packet inspection. Signature-based systems, for example, compare each packet to tens of thousands of signatures. If a packet matches a signature, the system will raise an alert that a potentially malicious packet has arrived. Anomaly-based systems look for unusual traffic activity, such as a flood of ICMP packets, but can sometimes flag legitimate traffic. Most IDSs are signature-based but may include some anomaly-based features.

Tuesday, October 19, 2021

CST 311 - Week 7

Link-layer switches

This week I learned more about switches. Switches are similar to routers because they are responsible for forwarding packets. However, switches are layer 2 network devices, so they have no concept of an IP address (which routers use for forwarding). Instead, they use MAC addresses for forwarding. A MAC address is a unique address assigned to a device. Although MAC addresses were originally meant to be permanent, they are now able to be changed remotely. Regardless, the IEEE manages the MAC address space and assigns chunks of it to organizations, similar to how IP addresses are managed and assigned. This ensures that MAC addresses are unique to devices.

In order for a host to send an IP datagram, it must have not only a destination IP address but also a destination MAC address. If the destination IP address is on the same subnet as the sender, then the destination MAC address will be that of the receiving host. The switch will thus forward the datagram directly to the receiver. If the destination IP address is on another subnet, the destination MAC address will be the local router interface. In that case, the switch will forward the datagram to the router, and the router will use the IP address in the enclosed datagram to forward the datagram to the appropriate outbound link.

Address Resolution Protocol

Switches are more secure than hubs because they support point-to-point links in addition to shared broadcast channels. This means that two hosts on a network can communicate without their messages being broadcast to every other host on their subnet. To accomplish this, every host and router has an ARP table that resolves IP addresses to MAC addresses on its subnet.

When a host first connects to a network (perhaps by plugging an Ethernet cable into a switch), it obtains the MAC address of the default gateway by broadcasting an ARP request, asking who "owns" the IP address of the default gateway. The router will send an ARP reply directly back to the requesting host (not as a broadcast). Hosts may also discover each other in the same fashion. However, it is important to note that ARP tables may not contain every host on a subnet, because entries can expire (using a time-to-live value) and new entries are not created until an ARP request has been sent by a host.

Tuesday, October 12, 2021

CST 311 - Week 6

Routing Algorithms

This week I learned about how routers find the correct path to send packets across the internet. Two types of routing algorithms are the link-state algorithm (LS) and the distance vector algorithm (DV). The LS algorithm uses Dijkstra's algorithm to find the least-cost path from source to destination. Costs are determined by the network administrator and can represent anything, such as distance, speed, or monetary cost. This algorithm is considered centralized because it requires global state information, or information about all links on the network. The DV algorithm, in contrast, is decentralized and does not use Dijkstra's algorithm. Routers using DV only have link-state information about their directly attached neighbors (and any information that their neighbors share). Nodes provide their neighbors with least-cost estimates from themselves to all other nodes that they know about. However, the shortest path is not always available. Policy issues can prevent forwarding of traffic from one organization to another. For example, one ISP may not want traffic getting a "free ride" through its network if neither the source nor destination addresses are customers.
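An added example (my own code, not from the course) of the distance vector exchange described above: every node starts knowing only the cost to its directly attached neighbors, then repeatedly recomputes its least-cost estimate to each destination from the estimates its neighbors share, until nothing changes. The four-node network and its link costs are constructed.

```python
INF = float("inf")

def distance_vector(links):
    """links: {(u, v): cost} for undirected links.
    Returns ({node: {dest: least cost}}, {node: {dest: next hop}}, rounds)."""
    nodes = sorted({n for link in links for n in link})
    cost = {n: {} for n in nodes}            # c(x, v) for each directly attached neighbor v
    for (u, v), c in links.items():
        cost[u][v] = c
        cost[v][u] = c
    # Initial vector: 0 to myself, link cost to a neighbor, unknown (INF) to everyone else.
    dv = {x: {y: 0 if x == y else cost[x].get(y, INF) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if y in cost[x] else None) for y in nodes} for x in nodes}
    rounds, changed = 0, True
    while changed:                            # one round = every node receives its neighbors' vectors
        changed, rounds = False, rounds + 1
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                # Bellman-Ford update: D_x(y) = min over neighbors v of c(x, v) + D_v(y)
                via, best = min(((v, c + dv[v][y]) for v, c in cost[x].items()), key=lambda t: t[1])
                if best < dv[x][y]:
                    dv[x][y], next_hop[x][y], changed = best, via, True
    return dv, next_hop, rounds

def demo():
    # Constructed topology: the direct a-c link (7) is worse than going a-b-c (1 + 2).
    links = {("a", "b"): 1, ("b", "c"): 2, ("a", "c"): 7, ("c", "d"): 1}
    dv, next_hop, rounds = distance_vector(links)
    return {"a_costs": dv["a"], "a_next_hop": next_hop["a"], "rounds": rounds}
```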

It is up to network administrators to decide what routing algorithm to use. A network under the control of the same administration is called an autonomous system (AS). All autonomous systems on the internet run the Border Gateway Protocol (BGP) for inter-AS communication. BGP is also often used to implement the IP-anycast service, which is commonly used for DNS servers. Since DNS servers have duplicate content, network administrators can assign the same IP address to all of them. BGP routers select the best route to the IP address, which ends up being the closest (cheapest) server. Although CDNs also have duplicate-content servers, they tend not to use IP-anycast because BGP routing changes can result in different packets of the same TCP connection arriving at different versions of the server.

Tuesday, October 5, 2021

CST 311 - Week 5

IP Addresses

This week I learned more about what the numbers in IP addresses mean. In IPv4 addressing, each part of an IP address is an 8-bit number. The leftmost numbers determine what network class the IP address belongs to. Class A networks only use the leftmost 8 bits for network addressing. These numbers range from 0-127. The remaining 24 bits are used for host addressing, with each of the 127* class A networks supporting up to 16,777,214 hosts (source). Class B networks use 16 bits for network addressing and 16 bits for host addressing, with the first byte in the range 128-191, and Class C networks use 24 bits for network addressing and 8 for host addressing, with the first byte in the range 192-223. 

Subnet Masks

IP addresses are split into their network and host components using subnet masks. To understand how subnet masks work, the IP address must be converted to binary format. The network portion of an IP address (the leftmost bits) is identified by 1's in the subnet mask. Class A networks would require a subnet mask of 255.0.0.0, or 11111111000000000000000000000000, whereas Class C networks need a subnet mask of 255.255.255.0, or 11111111111111111111111100000000. Performing a bitwise AND operation on the IP address and the subnet mask reveals the network portion of the address. Network administrators can create sub-networks in their organizations by adjusting the subnet mask. This is done by "borrowing" bits from the host portion of the organization's assigned IP address and using them for internal network addressing instead. Every new host on a network is provided with its subnet mask via a DHCP server, which also provides it with its IP address, the address of its first-hop router (the default gateway), and the address of the local DNS server.
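The class rules, the bitwise AND and the bit-borrowing step carried out on an address, as an added example (my own code, not from the course). The address 192.168.10.77 is a constructed sample; the functions work for any dotted IPv4 address.

```python
def to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted: str) -> str:
    return format(to_int(dotted), "032b")     # the 32 bits the mask is compared against

def address_class(dotted: str) -> str:
    first = to_int(dotted) >> 24              # the leftmost byte decides the class
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "D/E"

def classful_mask(dotted: str) -> str:
    bits = {"A": 8, "B": 16, "C": 24}[address_class(dotted)]
    return to_dotted(((1 << bits) - 1) << (32 - bits))   # `bits` leading 1's, then 0's

def network_portion(dotted: str, mask: str) -> str:
    return to_dotted(to_int(dotted) & to_int(mask))       # bitwise AND keeps the network bits

def borrow_bits(mask: str, n: int) -> str:
    # Turn the n leftmost host bits into network bits (mask must be contiguous 1's then 0's).
    ones = bin(to_int(mask)).count("1")
    return to_dotted(((1 << (ones + n)) - 1) << (32 - ones - n))

def demo():
    ip = "192.168.10.77"
    mask = classful_mask(ip)            # 255.255.255.0 for a class C address
    sub_mask = borrow_bits(mask, 2)     # 255.255.255.192: four subnets of 64 addresses each
    return {
        "class": address_class(ip),
        "mask": mask,
        "mask_bits": to_binary(mask),
        "network": network_portion(ip, mask),
        "subnet_mask": sub_mask,
        "subnet": network_portion(ip, sub_mask),   # 77 = 01001101b, so it falls in the .64 subnet
    }
```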

Network Address Translation (NAT)  

Since IPv4 is 32-bit, there are only approximately 4.2 billion possible IPv4 addresses**. Network Address Translation artificially increases the maximum number of addressable hosts. It allows private networks of hosts, each with a unique private IP address that is visible only to the local network, to share a single public IP address. Incoming internet traffic has its destination IP and destination port changed so it can be internally routed to the correct host. This is done through the use of a forwarding table, which maps private IP/port combinations to public IP/port combinations. A basic example of this occurs if you host a Call of Duty (Cold War) LAN party. Cold War wants to use port 3074 by default. However, the home router cannot assign 3074 to each console. The first console to connect to the network (Console A) will be assigned 3074, but the second (Console B) will be assigned another available port (1024, for example). Therefore, incoming Cold War traffic to the router's (public) port 3074 will be forwarded to Console A's (private) port 3074, and incoming Cold War traffic to (public) port 1024 will be forwarded to Console B's (private) port 3074.***
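The LAN-party scenario as an added example (my own code, modelling the forwarding table, not any real router's firmware): the first console keeps its port on the public side, the second gets the next free port starting at 1024, and inbound packets are rewritten from the table or dropped when no entry exists. The public and private addresses are constructed.

```python
class NatRouter:
    """Constructed NAT forwarding table mapping (private ip, private port) <-> public port."""
    def __init__(self, public_ip: str, first_dynamic_port: int = 1024):
        self.public_ip = public_ip
        self.to_private = {}     # public port -> (private ip, private port)
        self.to_public = {}      # (private ip, private port) -> public port
        self.next_port = first_dynamic_port

    def _free_port(self) -> int:
        while self.next_port in self.to_private:   # skip ports already handed out
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, private_ip: str, private_port: int):
        """Translate an outgoing packet's source address; create a table entry on first use."""
        key = (private_ip, private_port)
        if key not in self.to_public:
            # keep the host's own port on the public side if still free, else pick another
            public_port = private_port if private_port not in self.to_private else self._free_port()
            self.to_public[key] = public_port
            self.to_private[public_port] = key
        return (self.public_ip, self.to_public[key])

    def inbound(self, public_port: int):
        """Rewrite an incoming packet's destination; None means no entry, so the packet is dropped."""
        return self.to_private.get(public_port)

def demo():
    router = NatRouter("198.51.100.20")                 # constructed public address
    console_a, console_b = "192.168.1.10", "192.168.1.11"
    a_public = router.outbound(console_a, 3074)         # first console: public port 3074
    b_public = router.outbound(console_b, 3074)         # 3074 taken: public port 1024
    return {
        "A": a_public,
        "B": b_public,
        "to 3074": router.inbound(3074),                # -> Console A, private port 3074
        "to 1024": router.inbound(1024),                # -> Console B, private port 3074
        "to 5000": router.inbound(5000),                # unsolicited: no entry, dropped
        "A again": router.outbound(console_a, 3074),    # existing entry is reused
    }
```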

* Address 127 is the "loopback" address, causing the connection to return to the initiating host. A common address used for testing network applications is called localhost, or 127.0.0.1. Connecting to this IP address means you have connected to yourself.

** IPv6, the successor to IPv4, uses 128 bits for addressing and can therefore support more unique IP addresses than grains of sand on earth. We should not run out of addresses. Hopefully.

*** Achieving Open NAT for several consoles simultaneously can be challenging, but rewarding.

Monday, September 27, 2021

CST 311 - Week 4

Secure Communication

This week I studied secure communication. The internet provides many useful communication services, but hackers can easily intercept important messages. Apps must provide confidentiality by ensuring intercepted messages cannot be read. Hackers can also modify intercepted messages or even forge messages or headers. There must be ways to verify identities (authentication) and to verify that messages have not been altered (integrity).


Encryption enforces confidentiality. Plaintext messages are converted to encrypted versions known as ciphertext. A key and a message are passed into an encryption algorithm (RSA, for example). For encryption to work, the receiver must have a key to decrypt the message. Since it is not feasible for two random people on the internet to have the same (symmetric) key, a public key system was introduced to solve the problem. Every computer has a pair of keys: a public key and a private key, which are two halves of the same key (K+ and K-, respectively). If I want to send you a message, I will run your public key and my message through an encryption algorithm before I send it to you. You will then use your private key with the relevant decryption algorithm to read the message. While this does provide confidentiality, it does not include authentication: impersonation can occur.

Authentication and Integrity

To verify that a message has been received from a trusted sender, digital signatures can be used. Senders apply their private key to a message and receivers use the sender's public key to verify the signature. This also preserves message integrity: if the message has been altered, authentication will fail, because applying the public key to the signature will not yield the original message. Note that it can be computationally expensive to apply digital signatures to entire messages, so the digital signature can instead be applied to a message that has been passed through a hash function (like SHA-1 or MD5). The hashed version of the message would be used for authentication and integrity checks. To verify that a signature is real, certificate authorities may be referenced that bind public keys to specific, unique identities.
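An added example (my own code, not from the course) of sign-the-hash with RSA-style keys: the private key K- is applied to H(m) and the public key K+ undoes it, so an altered message or a signature made with someone else's private key fails verification. The primes are small fixed Mersenne primes chosen only to keep the arithmetic self-contained; this is a toy keypair, not a secure one, and the messages are constructed.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA keypair from two primes: returns (K+ = (e, n), K- = (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                   # private exponent (Python 3.8+ modular inverse)
    return (e, n), (d, n)

def digest(message: bytes, n: int) -> int:
    # Hash first: the slow private-key operation then runs on a short value, not the whole message.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    d, n = private_key
    return pow(digest(message, n), d, n)              # apply K- to H(m)

def verify(public_key, message: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)   # apply K+, compare with H(m) recomputed by the receiver

def demo():
    alice_pub, alice_priv = make_keypair((1 << 31) - 1, (1 << 61) - 1)
    mallory_pub, mallory_priv = make_keypair((1 << 89) - 1, (1 << 107) - 1)
    msg = b"Transfer $10 to Bob"                        # constructed message
    sig = sign(alice_priv, msg)
    return {
        "genuine": verify(alice_pub, msg, sig),                          # True
        "altered": verify(alice_pub, b"Transfer $1000 to Bob", sig),    # False: hash no longer matches
        "forged": verify(alice_pub, msg, sign(mallory_priv, msg)),      # False: signed with the wrong K-
    }
```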

Tuesday, September 21, 2021

CST 311 - Week 3

TCP Connection Management

While UDP essentially just provides a "send and pray" service, TCP provides a reliable data transfer service. As discussed previously, TCP initiates a connection with a three-way handshake procedure. This is accomplished by the TCP client and TCP server sending special segments to each other. These segments contain no application-layer data, but do contain headers with bits that are used to establish, maintain, and close a connection.


To initiate a connection, the client sends a SYN segment with the SYN bit set to 1. This segment's header contains a random initial sequence number (client_isn) to be used by the server for acknowledgement. The server responds with a SYNACK segment with the SYN bit also set to 1. This segment contains a random initial sequence number (server_isn) and an acknowledgement number (client_isn+1), which is the sequence number of the next expected segment from the client. Finally, the client responds with a segment that contains the acknowledgement number (server_isn+1) and (usually) its first data payload. The SYN bit is set to 0 in this final acknowledgement because the connection is already established.


As noted above, sequence numbers and acknowledgement numbers are used by the client and server during connection establishment. However, it would be incorrect to assume they are offset by 1 every time. During normal TCP communication, the sequence numbers are offset by the number of bytes that have been transmitted. Each sequence number identifies the byte number of the first byte in the segment's payload. The maximum segment size (MSS) is the maximum size of the data payload (NOT the data + headers) and is dependent on the maximum transmission unit (MTU) in the link layer. When sending large files, sequence numbers are offset by one MSS. By synchronizing SEQ and ACK numbers, clients can retransmit lost packets when a server fails to acknowledge a segment (detected through a timeout timer) or when a server sends too many duplicate acknowledgements, which also implies packet loss. The procedure also guarantees that segments arrive in the correct order.
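The handshake numbers and the byte-based offsets from the two paragraphs above, as an added example (my own code, not from the course): the SYN consumes one sequence number, each data segment's seq is the byte number of its first payload byte, and a receiver that sees a gap keeps repeating the same ACK (duplicate ACKs) until the retransmission fills it. The ISNs, MSS and payload are constructed.

```python
MSS = 1460   # bytes of payload per segment (headers not counted)

def three_way_handshake(client_isn: int, server_isn: int):
    """Return the three handshake segments as (name, seq, ack, syn_bit) tuples."""
    syn    = ("SYN",    client_isn,     None,           1)
    synack = ("SYNACK", server_isn,     client_isn + 1, 1)   # ack = next byte expected from client
    ack    = ("ACK",    client_isn + 1, server_isn + 1, 0)   # the SYN consumed one sequence number
    return [syn, synack, ack]

def segments(data: bytes, first_seq: int, mss: int = MSS):
    """Split data into segments; each seq is the byte number of the segment's first payload byte."""
    return [(first_seq + off, data[off:off + mss]) for off in range(0, len(data), mss)]

class Receiver:
    def __init__(self, expected_seq: int):
        self.expected = expected_seq     # next in-order byte; every ACK carries this number
        self.buffer = {}                 # out-of-order segments held until the gap is filled
    def receive(self, seq: int, payload: bytes) -> int:
        if seq == self.expected:
            self.expected += len(payload)
            while self.expected in self.buffer:              # buffered data is now contiguous
                self.expected += len(self.buffer.pop(self.expected))
        elif seq > self.expected:
            self.buffer[seq] = payload                       # gap: the ACK number does not move
        return self.expected                                 # ACK = next byte we expect

def demo():
    client_isn, server_isn = 1000, 5000
    hs = three_way_handshake(client_isn, server_isn)
    data = bytes(5 * MSS)                                    # constructed 7300-byte payload
    segs = segments(data, first_seq=client_isn + 1)          # seqs 1001, 2461, 3921, 5381, 6841
    rx = Receiver(expected_seq=client_isn + 1)
    lost = segs[1]                                           # second segment is lost in transit
    acks = [rx.receive(s, p) for s, p in segs if (s, p) != lost]
    dup_acks = acks.count(acks[0]) - 1                       # 3 duplicate ACKs: retransmit before the timeout
    final_ack = rx.receive(*lost)                            # retransmission delivers everything buffered
    return {"handshake": hs, "acks": acks, "dup_acks": dup_acks, "final_ack": final_ack}
```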


A connection can be closed by either a client or a server. First, the initiator sends a shutdown segment with the FIN bit set to 1 and enters the FIN_WAIT_1 state. The receiver acknowledges, sends its own shutdown segment (note that two segments are sent here), and enters the CLOSE_WAIT state. The initiator receives the acknowledgement and enters FIN_WAIT_2 while waiting for the receiver's shutdown segment. When it arrives, the initiator sends one final acknowledgement and enters the TIME_WAIT state, which gives it time to resend the final acknowledgement (typically 30 seconds to 2 minutes). Afterwards, the connection formally closes.

Tuesday, September 14, 2021

CST 311 - Week 2

Socket Programming

This week we were introduced to something near and dear to me: socket programming! I am no stranger to it. In fact, it was one of the very first things I ever learned about programming (while modifying mIRC connection scripts for the MSN Chat Network). What I did not know or understand until this week, however, was the difference between UDP and TCP sockets. Either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP) may be used to send data across the internet from one host to another. For general information about them, see my blog post from last week.

So what is a socket? A socket is, in reality, just part of the transport layer's API. Sockets are what applications use to send and receive data over the internet. All of the major languages provide a high-level abstraction (a socket library) for accessing the transport layer's services. There is little programmatic difference between using TCP or UDP sockets. The primary difference is that TCP requires a connection to be established using a three-way handshake procedure before sending data. First, the client (sending application) sends a packet (SYN) to the server (receiving application). The server then responds to the client with a packet (SYN/ACK). Finally, the client acknowledges the response with another packet (ACK). Note that applications often choose to send their first data packet with their ACK packet. For example, web browsers place an HTTP request in theirs.

The handshake procedure involves a little extra work in our program. Unlike UDP's interface, which simply requires us to bind the server application to a certain port number* before receiving data, TCP's interface requires the server application to listen to the port (after binding to it) for any incoming connections, and then explicitly accept the connection. On the client side, a TCP application must first connect to the server before sending data, whereas UDP applications attach the server's IP address and port to each sent data packet. Note that the operating system automatically assigns an available port to our client application so it can receive data from the server.
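The API differences just described, side by side, as an added example (my own code, not the course's assignment code): the TCP server must bind, listen and accept and the TCP client must connect, while the UDP server only binds and the UDP client attaches the server address to every datagram. Both servers run on the loopback address in a background thread and bind to port 0 so the OS chooses a free port, which is also how the client side gets its local port.

```python
import socket
import threading

HOST = "127.0.0.1"   # loopback; port 0 below asks the OS for any free port

def start_tcp_server() -> int:
    """Bind, listen, then accept one connection in a background thread; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)                              # TCP only: queue incoming handshakes
    def serve():
        conn, _addr = srv.accept()             # TCP only: explicitly accept the connection
        with conn:
            conn.sendall(conn.recv(1024).upper())
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def tcp_client(port: int, msg: bytes) -> bytes:
    # connect() runs the three-way handshake; the OS assigns our local port automatically
    with socket.create_connection((HOST, port)) as s:
        s.sendall(msg)
        return s.recv(1024)

def start_udp_server() -> int:
    """Bind only: there is no connection to listen for or accept."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))
    def serve():
        data, addr = srv.recvfrom(1024)        # each datagram carries the sender's address
        srv.sendto(data.upper(), addr)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def udp_client(port: int, msg: bytes) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)                        # UDP gives no delivery guarantee: do not wait forever
        s.sendto(msg, (HOST, port))            # server address attached to the datagram, no connect()
        data, _addr = s.recvfrom(1024)
        return data

if __name__ == "__main__":
    print(tcp_client(start_tcp_server(), b"hello over tcp"))
    print(udp_client(start_udp_server(), b"hello over udp"))
```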

* Most internet users know that their computer/device has an IP address that others can potentially connect to. What they may not know about is something called a port. There are many port numbers, ranging from 0 to 65535, and they all belong to your IP address! Common applications are tied to certain ports. For example, e-mail applications use port 25, web browsers use port 80, and chat rooms use port 6667. Ports make it easier for the operating system to direct traffic to the correct application. If you think of your IP address as a seaport, you probably would not want all arriving ships to unload their cargo at the same dock.
