The Network Layer Role Services Main Functions Standard Functions

Presentation transcript:

The Network Layer
- Role
- Services
  - Datagram
  - Virtual Circuit
- Main Functions
  - Path Determination
  - Packet Switching
- Standard Functions
17/11/10 11-Network

The Role of the Network Layer
- The role of the network layer is to move data from the sending host to the destination host across one or more subnetworks
- It hides the details of the type of subnetwork from the transport layer

Network Layer - Services
There are two alternative network layer services:
- Datagram or Connectionless (e.g. the Internet)
  - All packets contain a full destination network address, which is used for routing
  - Each packet is routed independently
- Virtual Circuit or Connection-oriented (e.g. X.25 Packet Layer Protocol, Asynchronous Transfer Mode, Frame Relay)
  - A virtual circuit is established before data transfer, which sets up a path that is released afterwards
  - Each packet is routed via the same path using virtual circuit numbers

Connectionless Network Layer Characteristics
- No prior set-up required: the sender just adds a header and sends the packet
- Packets are routed independently and may follow different paths
- Best-effort service: no guarantees about delivery, order or duplication
- Simple and flexible: can support many different types of application, as most of the complexity is in the hosts

Connection-oriented Network Layer Characteristics
- Connection set-up and release involves all the nodes on the path
- Once the connection is established, virtual circuit numbers (unique only to each link), not addresses, are used
- Each node holds state information (virtual circuit mapping information and buffers)
- Can provide a guarantee that data will be delivered in order, without loss and without duplication
- Complexity is in the network nodes rather than the hosts

Datagrams versus Virtual Circuits
[Figure © Tanenbaum, Prentice Hall International]

Network Layer – Main Functions
Two main functions:
- Path Determination
  - Maintenance of routing tables for datagrams or for virtual circuit setup
- Packet Switching
  - Forwarding packets to the next node using routing tables or virtual circuit mappings

Network Layer - Standard Functions
- Segmentation (Fragmentation)
- Encapsulation
- Addressing
- Flow Control
- Grade of Service (ATM)
- Connection Control
- Ordered Delivery
- Security (IPSec)

Network Layer - Segmentation
- Segmentation is often called fragmentation in the network layer
- Different subnetworks have different Maximum Transfer Unit (MTU) sizes (1500 for Ethernet, 48 bytes for ATM)
- The network layer must fragment any data that it receives that is larger than the network's MTU size (the maximum packet size in IP is 65,535 bytes, but the maximum packet sizes of subnetworks are usually much lower)
- Fragments can be reassembled at gateways between networks (ATM) or at the network layer in the destination host (IP)
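A worked illustration of IP-style fragmentation and reassembly at the destination host. This is an added example, not part of the original slides; it assumes a 20-byte IPv4 header and the IPv4 rule that fragment offsets are counted in 8-byte units, and the function names are hypothetical.

```python
def fragment(payload, mtu, header_len=20):
    """Split a payload into (offset_in_8_byte_units, more_fragments, data) tuples."""
    # Every fragment except the last must carry a multiple of 8 data bytes.
    max_data = (mtu - header_len) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        more = start + max_data < len(payload)
        frags.append((start // 8, more, chunk))
    return frags


def reassemble(frags):
    """Rebuild the payload from fragments in any order; None if one is missing."""
    by_offset, total = {}, None
    for offset, more, data in frags:
        by_offset[offset * 8] = data
        if not more:                      # last fragment fixes the total length
            total = offset * 8 + len(data)
    if total is None:
        return None                       # last fragment never arrived
    out, pos = bytearray(), 0
    while pos < total:
        if pos not in by_offset:
            return None                   # hole in the datagram
        out += by_offset[pos]
        pos += len(by_offset[pos])
    return bytes(out)


if __name__ == "__main__":
    data = bytes(range(256)) * 16         # constructed 4096-byte payload
    parts = fragment(data, mtu=1500)      # Ethernet MTU from the slide
    print([(off, more, len(d)) for off, more, d in parts])
    print(reassemble(list(reversed(parts))) == data)
```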

Network Layer - Encapsulation
- At the sending end, the network layer receives a segment from the transport layer, adds network layer headers and passes a packet to the data link layer
- At the receiving end, the network layer receives a packet from the data link layer, processes the packet header, strips off the header and passes the segment to the transport layer

Network Layer - Addressing
- Network layer addresses must be globally unique so that all hosts and other network components can be unambiguously identified
- Allocation of network layer addresses has to be carefully managed to ensure uniqueness
- Destination network addresses are used for routing packets and setting up virtual circuits

Network Layer – Flow/Congestion Control
- Virtual circuit networks can implement sliding window flow control on each virtual circuit
- Virtual circuit networks can also prevent new virtual circuits being established (this is known as admission control) or ensure that new virtual circuits are routed away from the congested part of the network
- Both virtual circuit and datagram networks can control congestion by issuing source quench or choke packets to cause the sender to back off
- As a last resort, routers can discard packets

Network Layer – Congestion Control
- One of the main causes of congestion is that traffic is bursty
- Traffic shaping smooths out bursty traffic
- When setting up a virtual circuit, the sender can predict its traffic pattern
- The network contracts to support this traffic pattern when it sets up the virtual circuit
- The sender can regulate its traffic rate using techniques such as the leaky or token bucket algorithms

Leaky Bucket Algorithm
[Figure © Tanenbaum, Prentice Hall International]

Token Bucket Algorithm
[Figure © Tanenbaum, Prentice Hall International]
- For a packet to be transmitted, a token must be captured and destroyed
- This algorithm allows bursts up to a maximum length
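A tick-by-tick comparison of the two shapers on the same bursty input, showing that the leaky bucket emits at a fixed rate while the token bucket lets a burst through up to the bucket capacity. This is an added example, not part of the original slides; the parameter names, the one-token-per-packet model and the assumption that the token bucket starts full are choices made for the illustration.

```python
def leaky_bucket(arrivals, rate, queue_limit):
    """Return (packets sent per tick, packets dropped) for a leaky bucket."""
    queue, sent, dropped = 0, [], 0
    for n in arrivals:
        accepted = min(n, queue_limit - queue)   # overflow is discarded
        dropped += n - accepted
        queue += accepted
        out = min(queue, rate)                   # constant drain rate
        queue -= out
        sent.append(out)
    while queue:                                 # drain what is still queued
        out = min(queue, rate)
        queue -= out
        sent.append(out)
    return sent, dropped


def token_bucket(arrivals, rate, capacity):
    """Return packets sent per tick; each packet captures and destroys a token."""
    tokens, queue, sent = capacity, 0, []        # assumption: bucket starts full
    ticks = list(arrivals)
    i = 0
    while i < len(ticks) or queue:
        queue += ticks[i] if i < len(ticks) else 0
        out = min(queue, tokens)                 # burst limited by saved tokens
        tokens -= out
        queue -= out
        sent.append(out)
        tokens = min(capacity, tokens + rate)    # refill, never above capacity
        i += 1
    return sent


if __name__ == "__main__":
    bursty = [10, 0, 0, 0, 0, 6, 0, 0]           # constructed arrival pattern
    print(leaky_bucket(bursty, rate=2, queue_limit=8))
    print(token_bucket(bursty, rate=2, capacity=5))
```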

Flow Specification
- An agreement between the sender, the receiver and the subnetwork to describe the characteristics of the input traffic and the quality of service expected

Flow Specification
[Figure © Tanenbaum, Prentice Hall International]

Network Layer – Grade of Service
- Virtual circuit network layers such as ATM can support grade of service
- ATM supports the following services:
  - Constant Bit Rate (CBR)
  - Variable Bit Rate (VBR)
    - Real Time (RT-VBR)
    - Non-Real Time (NRT-VBR)
  - Available Bit Rate (ABR)
  - Unspecified Bit Rate (UBR)

Network Layer - Grade of Service
- Virtual circuit network layers such as ATM allow a number of quality of service parameters to be specified in a contract between the customer and the network operator
- The customer is responsible for shaping the traffic to match the contract
- The network operator is responsible for delivering the quality of service specified and for policing the traffic to ensure that it meets the contract

Asynchronous Transfer Mode (ATM)
- ATM (sometimes also called Cell Relay) is a suite of protocols designed to carry multiple services such as voice, video and data
- It was designed to meet the requirements of Broadband ISDN to be provided by telecommunications companies and is very complex
- The ATM network layer protocol is connection-oriented
- All data is segmented into 48 byte cells which are transmitted with a 5 byte header
- Most carriers currently run their IP networks on top of ATM, as unlike IP it can guarantee quality of service

ATM Service Categories
[Figure © Tanenbaum, Prentice Hall International]

Network Layer – Connection Control
- Only relevant to virtual circuit networks, which must provide the facility to establish and release virtual circuits
- Virtual circuits can be:
  - Permanent (PVCs), set up by the network administrator
  - Switched (SVCs), set up and released by network users

Network Layer – SVC Establishment
- Switched Virtual Circuits are established in response to a user request which specifies the destination address
- A path across the network is found, resources at each router/switch are allocated and each router/switch stores a mapping between an incoming virtual circuit number and an outgoing port and virtual circuit number
- The distant host accepts the virtual circuit and this is confirmed to all the routers and to the connecting host

Virtual Circuit Mapping
[Figure labels: Router, Host, VC # 12, VC # 23]
- When a virtual circuit is established, a virtual circuit number is allocated for each link
- All the routers/switches in the path must maintain a table that maps the incoming virtual circuit number to an output port and an outgoing virtual circuit number
- Routing with virtual circuits is simply a matter of looking up the incoming VC number in the table to obtain the output port and VC number
- This is an example of state information. If a router crashes, the mapping is lost and the whole virtual circuit has to be re-established
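A small model of SVC establishment and per-hop VC lookup, covering the two slides above: each switch stores (incoming port, incoming VC) to (outgoing port, outgoing VC), VC numbers are only unique per link, and a crash wipes the state. This is an added example, not part of the original slides; the class, the function names and the port numbers are hypothetical.

```python
class Switch:
    def __init__(self, name):
        self.name = name
        self.table = {}      # (in_port, in_vc) -> (out_port, out_vc)
        self.next_vc = {}    # next free VC number on each outgoing port

    def allocate_vc(self, port):
        vc = self.next_vc.get(port, 1)
        self.next_vc[port] = vc + 1
        return vc

    def crash(self):
        # All state information is lost; circuits through here must be redone.
        self.table.clear()
        self.next_vc.clear()


def establish(path, first_vc):
    """path: list of (switch, in_port, out_port). Returns the VC number per link."""
    vcs, in_vc = [first_vc], first_vc
    for sw, in_port, out_port in path:
        out_vc = sw.allocate_vc(out_port)        # number is local to this link
        sw.table[(in_port, in_vc)] = (out_port, out_vc)
        vcs.append(out_vc)
        in_vc = out_vc
    return vcs


def forward(path, first_vc):
    """Follow a packet hop by hop; returns the VC number seen by the far host."""
    vc = first_vc
    for sw, in_port, _ in path:
        entry = sw.table.get((in_port, vc))
        if entry is None:
            raise LookupError(f"{sw.name}: no mapping for VC {vc} on port {in_port}")
        _, vc = entry                            # label is swapped at every hop
    return vc


if __name__ == "__main__":
    r1, r2 = Switch("R1"), Switch("R2")
    a = [(r1, 0, 2), (r2, 0, 1)]                 # host A's circuit
    b = [(r1, 1, 2), (r2, 0, 3)]                 # host B shares the R1-R2 link
    print(establish(a, 12), establish(b, 12))    # both hosts may pick VC 12
    print(forward(a, 12), forward(b, 12))
```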

Network Layer – Ordered Delivery
- Only relevant to virtual circuit networks
- All packets follow the same route, are given sequence numbers and are acknowledged
- The remote network layer is therefore able to ensure that all data is delivered in the correct order

Network Layer - Security
- Security can be implemented in the network layer by encrypting all the data inside network layer packets
- It must also be possible to provide source authentication so that destinations can be sure that data originated from an authentic source
- IPSec is a secure network layer protocol suite that makes IP datagrams secure

IPSec Protocol
- IPSec is based on two principal alternative protocols:
  - Authentication Header (AH) Protocol
    - Provides authentication and data integrity, but not confidentiality
  - Encapsulating Security Payload (ESP) Protocol
    - Provides authentication, data integrity and confidentiality
- Both protocols work by establishing a network layer logical connection between the source and destination, called a Security Association

AH Protocol
- The AH protocol header sits between the IP header and the TCP or UDP header
- It contains a digital signature that authenticates the sender and allows the IP data fields and some IP header fields, such as the source address, to be checked for data integrity
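A simplified model of the AH integrity check, showing why only some IP header fields are covered: fields that routers change in transit are zeroed before the authentication value is computed, so a TTL decrement still verifies while a rewritten source address does not. This is an added example, not part of the original slides; it uses a keyed HMAC-SHA-256 as the authentication value (an assumption of this example), omits the AH header's own fields, and the function names, key and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct


def ipv4_header(src, dst, ttl, payload_len, proto=51):
    # version/IHL, TOS, total length, id, flags/offset, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def immutable_view(header):
    """Zero the fields routers may legitimately change in transit."""
    h = bytearray(header)
    h[1] = 0                    # type of service
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(key, header, payload):
    return hmac.new(key, immutable_view(header) + payload, hashlib.sha256).digest()


def verify(key, header, payload, icv):
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def with_ttl(header, ttl):
    h = bytearray(header)
    h[8] = ttl
    return bytes(h)


def with_src(header, src):
    h = bytearray(header)
    h[12:16] = socket.inet_aton(src)
    return bytes(h)


if __name__ == "__main__":
    key = b"constructed-demo-key"                 # shared via the Security Association
    payload = b"constructed TCP segment"
    hdr = ipv4_header("192.0.2.10", "198.51.100.20", 64, len(payload))
    icv = ah_icv(key, hdr, payload)
    print("TTL decremented:", verify(key, with_ttl(hdr, 63), payload, icv))
    print("source rewritten:", verify(key, with_src(hdr, "203.0.113.5"), payload, icv))
```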

ESP Protocol
- The ESP protocol header sits between the IP header and the TCP or UDP header
- There is also an ESP trailer that is inserted after the TCP/UDP segment
- Following this trailer is an ESP authentication data field
- The TCP/UDP segment and the ESP trailer are both encrypted before transmission

ESP Tunnel Mode
- To further enhance security, the encryption can be extended to the whole IP datagram (including its headers) and the whole datagram encapsulated inside another IP packet with an ESP header and trailer
- This is usually done between two firewall routers, and the original IP datagrams appear to pass through a tunnel between the two firewall routers
- The header and contents of the original datagrams are completely invisible when they are in the tunnel