1 IP Addressing and Forwarding EE122 Fall 2011 Scott Shenker Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson and other colleagues at Princeton and UC Berkeley

Announcements Submission instructions have been sent –Does everyone understand? –Please make sure your instructional account works Switching to 122: awaiting instructions 2

Agenda for Today Quick Security Review IP Addressing IP Forwarding And an anagram contest! 3

Quick Security Analysis of IP Packet Header More for mindset than content The workings of a paranoid mind….. 4

Focus on Sender Attacks Ignore (for now) attacks by others: –Traffic analysis –Snooping payload –Denial of service Focus mostly on vulnerabilities sender can exploit 5

IP Packet Structure 4-bit Version 4-bit Header Length 8-bit Type of Service (TOS) 16-bit Total Length (Bytes) 16-bit Identification 3-bit Flags 13-bit Fragment Offset 8-bit Time to Live (TTL) 8-bit Protocol 16-bit Header Checksum 32-bit Source IP Address 32-bit Destination IP Address Options (if any) Payload

7 IP Address Integrity Source address should be the sending host –But, who’s checking? –You could send packets with any source you want –Why is checking hard?

8 Implications of IP Address Integrity Why would someone use a bogus source address? Launch a denial-of-service attack –Send excessive packets to the destination –… to overload the node, or the links leading to the node –But: victim can identify/filter you by the source address Evade detection by “spoofing” –Put someone else’s source address in the packets oOr: use many different ones so can’t be filtered Or: as a way to bother the spoofed host –Spoofed host is wrongly blamed –Spoofed host may receive return traffic from the receiver

9 More Security Implications Version field (4 bits) …. ? –Issue: fledgling IPv6 deployment means sometimes connectivity exceeds security enforcement –E.g., firewall rules only set up for IPv4 Header length (4 bits) …. ? –Controls presence of IP options oE.g., Source Route lets sender control path taken through network - say, sidestep security monitoring –IP options often processed in router’s slow path oAllows attacker to stress router for denial-of-service –Firewalls often configured to drop packets with options.

10 Security Implications of TOS? (8 bits) Attacker sets TOS priority for their traffic? –If regular traffic does not set TOS, then network prefers the attack traffic, greatly increasing damage What if network charges for TOS traffic … –… and attacker spoofs the victim’s source address? Today, network TOS generally does not work –Due to very hard problems with billing –TOS has now been redefined for Differentiated Service oDiscussed later in course

11 Security Implications of Fragmentation? Allows evasion of network monitoring/enforcement E.g., split an attack across multiple fragments –Packet inspection won’t match a “signature” Can be addressed by monitor remembering previous fragments –But that costs state, which is another vector of attack Nasty-at Offset=0 tack-bytes Offset=8

12 More Fragmentation Attacks What if 2 overlapping fragments are inconsistent? How does network monitor know whether receiver sees USERNAME NICE or USERNAME EVIL ? USERNAME Offset=0 NICE Offset=8 EVIL Offset=8

13 Even More Fragmentation Attacks What if fragments exceed IP datagram limit? –Maximum size of 13-bit field: 0x1FFF = 8191 Byte offset into final datagram = 8191*8 = Length of final datagram = = Result: kernel crash –Denial-of-service using just a few packets –Fixed in modern OS’s NineBytes Offset=65528

14 Even Even More Fragmentation Attacks What happens if attacker doesn’t send all of the fragments in a datagram? Receiver (or firewall) winds up holding the ones they receive for a long time –State-holding attack

15 Security Implications of TTL? (8 bits) Allows discovery of topology (a la traceroute) Can provide a hint that a packet is spoofed –It arrives at a router w/ a TTL different than packets from that address usually have oBecause path from attacker to router has different # hops –Though this is brittle in the presence of routing changes Initial value is somewhat distinctive to sender’s operating system. This plus other such initializations allow OS fingerprinting … –Which allow attacker to infer its likely vulnerabilities

16 Security Implications of Remainder? No apparent problems with protocol field (8 bits) –It’s just a demux’ing handle –If set incorrectly, next layer will find packet ill-formed Bad IP checksum field (16 bits) will cause packet to be discarded by the network –Not an effective attack…

17 IP Addressing

IP Packet Structure 4-bit Version 4-bit Header Length 8-bit Type of Service (TOS) 16-bit Total Length (Bytes) 16-bit Identification 3-bit Flags 13-bit Fragment Offset 8-bit Time to Live (TTL) 8-bit Protocol 16-bit Header Checksum 32-bit Source IP Address 32-bit Destination IP Address Options (if any) Payload

Use of Addresses 1.Used by routers to forward packets to destination 2.Very poor identifier (forget about this use for now) Focus: how addresses used in routing 19

IP Addressing Today’s design reflects necessary hacks No one would design such a system from scratch At end of lecture will discuss a better solution But one that requires major changes to deploy…. 20

Layer 2 Addressing Typically uses MAC addresses Unique numbers burned into interface cards –Random string of bits –No location information Local area networks route on these “flat” addresses Why can’t we use this approach for IP? 21

Layer 2 is Local, but Layer 3 is Global! Would have entry for every device in the world –Must keep track of their location individually –Update table whenever they moved! Two issues: –Sheer number of devices –Location information spread everywhere Layer 2: –Fewer devices –Location information shared only in local area 22

Addressing Goal: Scalable Routing State: Limited amount of routing state –Much less than the number of hosts Churn: Limited rate of change in routing tables –Traffic, inconsistencies, complexity Aggregation crucial for both (use single entry to cover many addresses) 23

Why Is Aggregation Nontrivial? Mobility: laptops, cellphones, etc. Multihoming: Many entities have two or more ISPs Institutional renumbering hard 24

Another Addressing Issue: Scarcity! We are running out of addresses: –Need to share addresses –Not enough for everyone Some countries have one address per 100 people –Extreme degree of sharing! 25

26 Design Questions What should an address be associated with? –Telephone network is an ambiguous model –Landlines: number refers to location (hard to move) –Cell phones: number refers to handset (easily movable) What structure should addresses have? What are the implications of that structure? Who determines who gets which addresses in the global Internet? What are the implications of how this is done?

27 IP Addresses (IPv4) Unique 32-bit number associated with an interface –on a host, on a router, … connect to ports, links, etc. –Association can be long-term or short-term Use dotted-quad notation, e.g., :

Examples What address is this? How would you represent ?

29 Routers in the Network Routers connect links and networks together Must forward packets towards destination host LAN 1... host LAN 2... router WAN Router

30 Routers Send Packets to Correct Port Location of packet queues depends on switch design incoming linksoutgoing links Node Memory

31 Forwarding Table Plays Crucial Role Table maps IP addresses into output interfaces Forwards packets based on destination address ……

32 Scalability Challenge Suppose hosts have random addresses –Then routers would need a separate entry for each host –Far too much state to hold in each router (why is it too much state?) host LAN 1... host LAN 2... router WAN forwarding table

Two Universal Tricks in CS When you need more flexibility, you add… –A layer of indirection When you need more scalability, you impose… –A hierarchical structure 33

34 Hierarchical Addressing in U.S. Mail Addressing in the U.S. mail –Zip code: –Street: Center Street –Building on street: 1947 –Location in building: Suite 600 –Name of occupant: Scott Shenker Forwarding the U.S. mail –Deliver letter to the post office in the zip code –Assign letter to mailman covering the street –Drop letter into mailbox for the building/room –Give letter to the appropriate person ???

Who Knows What? Does anyone in the US Mail system know where every house is? Separate routing tables at each level of hierarchy –Each of manageable scale 35

36 Hierarchical Structure The Internet is an “inter-network” –Used to connect networks together, not hosts Forms a natural two-level hierarchy: –WAN delivers to the right LAN (i.e., deliver to zip code) –LAN delivers to the right host (i.e., deliver to house) host LAN 1... host LAN 2... router WAN LAN = Local Area Network WAN = Wide Area Network

37 Hierarchical Addressing Prefix is network address: suffix is host address /23 is a 23-bit prefix with 2 9 addresses –Terminology: “Slash 23” Network (23 bits)Host (9 bits)

38 IP Address and a 23-bit Subnet Mask Address Mask

39 Scalability Improved Number nearby hosts with same prefix – /24 on the left LAN – /24 on the right LAN host LAN 1... host LAN 2... router WAN / /24 forwarding table

40 Easy to Add New Hosts No need to update the routers –E.g., adding a new host on the right –Doesn’t require adding a new forwarding entry host LAN 1... host LAN 2... router WAN / /24 forwarding table host

“Subnet” Terminology Think of LANs as special case of “subnets” –Subnet is region without routers containing addresses within the “subnet mask” –Could be a link, or LAN Textbook has an operational definition of subnet –Remove all interfaces from hosts, switches –The regions that remain connected are subnets 41

History of Internet Addressing Always dotted-quad notation Always network/host address split (subnets) But nature of that split has changed over time 42

Original Internet Addresses First eight bits: network address (/8) Last 24 bits: host address Assumed 256 networks were more than enough! 43

Nice Features Transit routers looked at what portion of address? –Network That portion of address space was flat –No need for hierarchy with 256 entries Rest of address only relevant on host’s network But did not provide for enough networks –Ubiquity of ethernet not foreseen 44

45 Next Design: Classful Addressing –Class A: if first byte in [0..127]  assume /8 (top bit = 0) oVery large blocks (e.g., MIT has /8) –Class B: first byte in [ ]  assume /16 (top bits = 10) oLarge blocks (e.g,. UCB has /16) –Class C: [ ]  assume /24 (top bits = 110) oSmall blocks (e.g., ICIR has /24) o(My house used to have a /25) 0*************** 10************** 110*************

46 Classful Addressing (cont’d) –Class D: [ ] (top bits 1110) oMulticast groups –Class E: [ ] (top bits 11110) oReserved for future use What problems can classful addressing lead to? –Only comes in 3 sizes –Routers can end up knowing about many class C’s (/24s) –Wasted address space 1110************ 11110***********

Today’s Addressing: CIDR CIDR = Classless Interdomain Routing Flexible division between network and host addresses Must specify both address and mask –Clarifies where boundary between addresses lies –Classful addressing communicate this with first few bits –CIDR requires explicit mask 47

48 CIDR Addressing IP Address : IP Mask: Address Mask for hostsNetwork Prefix Use two 32-bit numbers to represent a network. Network number = IP address + Mask Written as /15 or 12.4/15

49 CIDR: Hierarchal Address Allocation Prefixes are key to Internet scalability –Addresses allocated in contiguous chunks (prefixes) –Routing protocols and packet forwarding based on prefixes –Recursively break down chunks as get closer to host / / / / /16 :::: / /24 :::: / / / / / / /17 :::::: :

50 Scalability: Address Aggregation Provider is given /21 ( x x) / / / /23 Provider Routers in the rest of the Internet just need to know how to reach /21. The provider can direct the IP packets to the appropriate customer.

51 Aggregation Not Always Possible / / / / /23 Provider 1Provider 2 Multi-homed customer with /23 has two providers. Other parts of the Internet need to know how to reach these destinations through both providers.  /23 route must be globally visible

52 5 Minute Break

Anagram Quiz What anagram of a datagram involves circular reasoning? What is this compound and why is it like “heroin to me” (but with an extra b)? 53

Answers What anagram of a datagram involves circular reasoning? PI (anagram of IP) What is this compound and why is it like “heroin to me” (but with an extra b). Theobromine (psychoactive ingredient of chocolate) About 75% of my food intake 54

55 Address Allocation and Assignment

56 Obtaining a Block of Addresses Allocation is also hierarchical –Prefix: assigned to an institution –Addresses: assigned by the institution to their nodes Who assigns prefixes? –Internet Corporation for Assigned Names and Numbers oAllocates large address blocks to Regional Internet Registries oICANN is politically charged –Regional Internet Registries (RIRs) oE.g., ARIN (American Registry for Internet Numbers) oAllocates address blocks within their regions oAllocated to Internet Service Providers and large institutions ($$) –Internet Service Providers (ISPs) oAllocate address blocks to their customers (could be recursive) Often w/o charge

57 Figuring Out Who Owns an Address Address registries –Public record of address allocations –Internet Service Providers (ISPs) should update when giving addresses to customers –However, records are notoriously out-of-date Ways to query –UNIX: “whois –h whois.arin.net ” – – –…–…

Address Allocation by Country 58

Address Allocation (ordered sampling) USA million5.52 address/capita China million0.26 Japan million1.59 S. Korea million2.40 Brazil46.47 million0.27 Russian37.01 million0.25 Taiwan35.38 million1.59 India34.65 million0.03 Ukraine9.88 million0.20 Finland9.73 million1.88 Israel5.35 million0.86 Pakistan5.17 million

60 Policy Questions How much address space per geographic region? –Equal amount per country? –Proportional to the population? –What about addresses already allocated? Address space portability? –Keep your address block when you change providers? –Pro: avoid having to renumber your equipment –Con: reduces the effectiveness of address aggregation Keeping the address registries up to date? –What about mergers and acquisitions? –Delegation of address blocks to customers? –As a result, the registries are often out of date

61 Are 32-bit Addresses Enough? Not all that many unique addresses –2 32 = 4,294,967,296 (just over four billion) –Plus, some (many) reserved for special purposes –And, addresses are allocated in larger blocks And, many devices need IP addresses –Computers, PDAs, routers, tanks, toasters, … Long-term solution ( perhaps ): larger address space –IPv6 has 128-bit addresses (2 128 = × ) Short-term solutions: limping along with IPv4 –Dynamically-assigned addresses (DHCP) –Network address translation (NAT)

62 Sharing a Block of Addresses Dynamic Host Configuration Protocol (DHCP) –Configures several aspects of hosts –Most important: assigns temporary address (lease) –Uses DHCP server to do allocation –Multiplexes block of addresses across users DHCP protocol: –Broadcast a server-discovery message (layer 2) –Server(s) sends a reply offering an address host... DHCP server

63 Response from the DHCP Server DHCP “offer” message from the server –Configuration parameters (proposed IP address, mask, gateway router, DNS server,...) –Lease time (duration the information remains valid) Multiple servers may respond –Multiple servers on the same broadcast network –Each may respond with an offer Accepting one of the offers –Client sends a DHCP “request” echoing the parameters –The DHCP server responds with an “ACK” to confirm –… and the other servers see they were not chosen

64 Dynamic Host Configuration Protocol arriving client DHCP server DHCP discover (broadcast) DHCP offer DHCP request DHCP ACK (broadcast) Why all the broadcasts? (broadcast)

65 Soft State: Refresh or Forget Why is a lease time necessary? –Client can release the IP address (DHCP RELEASE) oE.g., “ipconfig /release” at the DOS prompt oE.g., clean shutdown of the computer –But, host might not release the address oE.g., the host crashes (blue screen of death!) oE.g., buggy client software –And you don’t want the address to be allocated forever Performance trade-offs –Short lease time: returns inactive addresses quickly –Long lease time: avoids overhead of frequent renewals & lessens frequency of lease being denied

66 Sharing a Single Address What if you only have a single address –But many computers? Network Address Translation (NAT) enables many hosts to share a single address –Uses port numbers (fields in transport layer) Was thought to be an architectural abomination when first proposed, but it: –Probably saved us from address exhaustion –And reflects a modern design paradigm (indirection)

67 Network Address Translation (NAT) Before NAT…every machine connected to Internet had unique IP address LAN Clients Server Internet dest addr src addr dst port src port

68 NAT (cont’d) Assign addresses to machines behind same NAT –Usually in address block /16 Use port numbers to multiplex single address Clients Server Internet NAT : :

69 NAT (cont’d) Clients Server Internet NAT : : : : Assign addresses to machines behind same NAT –Usually in address block /16 Use port numbers to multiplex single address

NAT: Early Example of “Middlebox” Boxes stuck into network to delivery functionality –NATs, Firewalls,…. Don’t fit into architecture, violate E2E principle But a very handy way to inject functionality that: –Does not require end host changes or cooperation –Is under operator control (e.g., security) An interesting architectural challenge: –How to incorporate middleboxes into architecture 70