IPv4, IPv6, Routing, Cloud, NFV, Virtualization, Docker, Kubernetes, Containers, MPLS, QoS, optical network + Laboratories: IPv6, virtualization and Docker
Politecnico di Torino
Department of Control and Computer Engineering
Master’s degree in Cybersecurity
1 IPv4 Addressing and Static Routing
Let’s start with some terminology:
In the figure, the IP network is the set of IP addresses that identifies the devices on the first network (the one on the left), which are 223.1.1.1, 223.1.1.2 and 223.1.1.3. The network part is 223.1.1, while the host part is the last byte of the IP address.
Some IP addresses are considered special because they cannot be assigned to a specific host; they represent something more:
In the past, IP addresses were divided into 3 classes:
What are the differences between these 3 classes? A class A network can address 2^24 different hosts, a class B network 2^16 and a class C network 2^8. The first bits identify the class (0 for class A, 10 for class B and 110 for class C). This way of addressing is simple because the number of hosts and networks is predefined, but that is also the reason why it is no longer used. If I need to address 140 hosts, I need 9 bits: I can't use class C for the sake of one single bit, so I have to choose class B. As we can see, this wastes bits. The addressing used today is called CIDR, Classless Inter-Domain Routing: it is possible to choose the number of bits used to describe the hosts, so as to be more flexible and not waste bits. Of course, it is then essential to know how many bits are reserved for the network part and how many for the host part. The address format can be one of these:
1.2.1 IPv4 Multicast
Multicast was introduced in IPv4 because it is simpler and more intuitive, but it is not much used there; we will see it again in IPv6. In IPv6 broadcast is not used (it is not allowed); in IPv4 multicast was introduced to reduce broadcast in order to improve security. The destinations of a multicast are characterized by being part of a group (only hosts are members of the group, not routers). One packet is sent, and it is replicated towards many other hosts by the routers and by the hosts it reaches. So we need a protocol to join a group, and protocols that let a router know which hosts in which subnets belong to a specific group and then share this information with the other routers. To optimize the architecture, ISPs and content organizations have to be transparent to each other, so that they know what kind of data will be sent.
A set of IP addresses is dedicated to multicast: the reserved range 224.0.0.0 - 239.255.255.255. An address identifies a host group, and a packet is delivered to all hosts in the group, anywhere in the network. Nowadays it is possible to have more than one virtual interface on a single physical interface (on a single host). Remember that with DHCP the IP address of a host can change. Hosts join and leave a group dynamically. IEEE 802 protocol: if a packet arrives at a host, the traffic is discarded at layer 2 if the MAC address differs from the destination MAC, or at layer 3 if the IP address differs from the destination IP. Discarding a packet at layer 2 is faster than at layer 3 because layer 2 works at the physical (interface) level, while layer 3 works at kernel level; this filtering improves network efficiency. In the MAC address, the 8th bit indicates whether the address was configured automatically (0) or manually (1). This is a kind of debugging bit, so it has to be checked carefully if it is 1. Routers discover host groups on each LAN (Internet Group Management Protocol, IGMP), announce host groups to other routers (multicast routing protocols) and build a distribution tree for each host group (reaching all LANs with at least one member).
2 Routing
Routing: the network layer must determine the path that packets follow, via routing algorithms. The routing function is implemented in the network-layer control plane. Since it occurs on larger time scales (of the order of seconds), it is usually implemented in software. It is also called proactive routing: it is independent of the actual traffic, determines the reachable destinations and computes the best route (depending on the metric we use: money, time, number of hosts, etc.); this is what is commonly referred to as “routing”. Forwarding: when a router receives a packet, it must transfer it to the appropriate output connection. Forwarding is one of the functions implemented in the data plane. Since it occurs on a very small time scale (of the order of a few nanoseconds), it is usually implemented in hardware. It is also called on-the-fly routing: it is performed when handling each packet, based on local information, namely the routing/forwarding table, which is the output of proactive routing or of signaling, a.k.a. the route. There are mainly three kinds of on-the-fly routing algorithms:
Each protocol architecture adopts one or more of them. The forwarding phases are: routing (on the fly), i.e. selecting the output port and possibly the next hop; switching, i.e. transferring the packet to the output port; and finally transmission. Proactive routing algorithms can be classified as:
As the name says, in case of problems non-adaptive algorithms cannot solve the problem by themselves and cannot adapt to the new situation. They use a fixed routing directory, which can be static or given by manual configuration. Flooding and its derivatives are also considered non-adaptive algorithms. Selective flooding is useful because sometimes it is important that the packets reach the destination (to have the guarantee that they arrive).
The advantage of this way of working is that the administrator has full control, but the drawbacks are that it is error prone and does not adapt to topology changes. That is why a kind of load balancing is possible: two different values can be specified, one used when there are no problems on the network and one used when there are (a kind of backup route), like the red path in the figure.
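As an added example (not part of the original notes), the CIDR arithmetic and the static forwarding behaviour described above, in Python: the classful test on the leading bits of the first byte, network, broadcast and usable-host count of a /N block, and a longest-prefix-match lookup over a constructed static table in which a second entry for the same prefix with a worse preference value acts as the backup route. The table, its preference values and the `direct` next hop are assumptions made for the example.

```python
"""IPv4 CIDR arithmetic and a static forwarding table with longest-prefix match."""

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_cidr(cidr):
    """'223.1.1.0/24' -> (network as int, mask as int); /N = N network bits, 32-N host bits."""
    ip, n = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(n))) & 0xFFFFFFFF
    return ip_to_int(ip) & mask, mask

def classful_class(ip):
    """Old classful scheme: the leading bits of the first byte fix the class."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"        # 0xxxxxxx: 8 network bits, 2^24 host addresses
    if first >> 6 == 0b10:
        return "B"        # 10xxxxxx: 16 network bits, 2^16 host addresses
    if first >> 5 == 0b110:
        return "C"        # 110xxxxx: 24 network bits, 2^8 host addresses
    return "D/E"          # 1110/1111: multicast or reserved, never assigned to hosts

def cidr_info(cidr):
    """Network address, broadcast address and usable host count of a CIDR block."""
    net, mask = parse_cidr(cidr)
    host_bits = 32 - bin(mask).count("1")
    return {
        "network": int_to_ip(net),
        "broadcast": int_to_ip(net | (~mask & 0xFFFFFFFF)),
        "usable_hosts": max(0, 2 ** host_bits - 2),   # all-zeros and all-ones are special
    }

def lookup(table, dst, down_links=()):
    """Static forwarding: the longest matching prefix wins; among entries for the same
    prefix the lowest preference wins, so a higher-preference duplicate is a backup
    route used only while the primary next hop's link is down."""
    best = None
    for prefix, next_hop, preference in table:
        net, mask = parse_cidr(prefix)
        if next_hop in down_links or ip_to_int(dst) & mask != net:
            continue
        key = (-bin(mask).count("1"), preference)       # longer prefix first, then preference
        if best is None or key < best[0]:
            best = (key, next_hop)
    return best[1] if best else None

# constructed static table: (prefix, next hop, preference); 0.0.0.0/0 is the default route
STATIC_TABLE = [
    ("223.1.1.0/24", "direct", 1),
    ("223.1.2.0/24", "223.1.3.2", 1),
    ("223.1.2.0/24", "223.1.4.2", 10),      # backup route for the same prefix
    ("0.0.0.0/0", "223.1.4.2", 1),
]
```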
Remember that the main problem of DV is the transient before the final table is reached. If something happens in this period, the convergence time increases. Some partial solutions to these problems are:
connection from C to A, because B will not send packets to A via C because of the quarantine. Every piece of information about A received by B is discarded during the quarantine (hold-down) period until the timer expires. We have to wait until the end of the quarantine to add a new route to the destination. In general, it is also possible to set a threshold cost that cannot be exceeded: for example, if I set a threshold of 20, once the route from A to B is counted as costing more than 20, it is discarded.
Split horizon and poison reverse can be used together: this ensures that if a router learns a route through a neighbor, and that route subsequently becomes unreachable, the router advertises the route back to that neighbor with an infinite metric. Even though it is more aggressive, its only advantage is not having to wait for route expiration. To sum up, these algorithms are simple to implement, the protocols are simple to deploy and need very little configuration. However, they have exponential worst-case complexity and convergence time, complex troubleshooting, large routing traffic (and storage), and they are not suitable for large, complex networks.
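Added example, not from the notes: a small distance-vector simulation on a constructed A-B-C chain that shows the count-to-infinity transient after the A-B link fails, the cost threshold that finally stops it (INF = 16, the value RIP uses; the notes use 20 in their example), and how split horizon with poison reverse removes the transient. The node names, link costs and the synchronous round structure are assumptions of the example.

```python
"""Distance-vector exchange on a chain A-B-C: count-to-infinity vs split horizon + poison reverse."""
INF = 16   # cost threshold: a route whose metric reaches INF is unreachable (RIP uses 16)

def init_tables(links):
    """Every node starts knowing itself (cost 0) and its directly connected neighbours."""
    nodes = {n for pair in links for n in pair}
    tables = {n: {n: (0, None)} for n in nodes}           # dest -> (cost, next hop)
    for (a, b), cost in links.items():
        tables[a][b], tables[b][a] = (cost, b), (cost, a)
    return tables

def neighbours(node, links):
    for (a, b), cost in links.items():
        if node in (a, b):
            yield (b if node == a else a), cost

def vector_for(table, to, poison_reverse):
    """The distance vector a node sends to neighbour `to`. With split horizon + poison
    reverse, every route learned through `to` is advertised back to it with cost INF."""
    return {d: (INF if poison_reverse and nh == to else c) for d, (c, nh) in table.items()}

def exchange_round(tables, links, poison_reverse):
    """One round: each node in turn processes its neighbours' current vectors (Bellman-Ford)."""
    changed = False
    for node in sorted(tables):
        for nb, link_cost in neighbours(node, links):
            for dest, adv in vector_for(tables[nb], node, poison_reverse).items():
                if dest == node:
                    continue
                cand = min(INF, adv + link_cost)
                cur_cost, cur_nh = tables[node].get(dest, (INF, None))
                # the current next hop is always believed (even bad news); others only if better
                if (cur_nh == nb or cand < cur_cost) and (cand, nb) != (cur_cost, cur_nh):
                    tables[node][dest] = (cand, nb)
                    changed = True
    return changed

def converge(tables, links, poison_reverse, max_rounds=50):
    """Exchange until nothing changes; returns the number of rounds that changed a table."""
    rounds = 0
    while rounds < max_rounds and exchange_round(tables, links, poison_reverse):
        rounds += 1
    return rounds

def fail_link(tables, links, a, b):
    """Cut link a-b: each end marks every route through the lost neighbour as INF."""
    del links[(a, b)]
    for node, lost in ((a, b), (b, a)):
        for dest, (cost, nh) in list(tables[node].items()):
            if nh == lost:
                tables[node][dest] = (INF, lost)

def simulate(poison_reverse):
    """Chain A-B-C (all links cost 1); link A-B fails. Returns (rounds to reconverge, B's cost to A)."""
    links = {("A", "B"): 1, ("B", "C"): 1}                # constructed topology
    tables = init_tables(links)
    converge(tables, links, poison_reverse)
    fail_link(tables, links, "A", "B")
    return converge(tables, links, poison_reverse), tables["B"]["A"][0]
```

Without poison reverse B and C bounce the stale route back and forth, raising the cost by one each time until INF is hit; with poison reverse C tells B "A is unreachable through me" in the first exchange.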
Path vector sits in between distance vector and link state: the information sent also includes the nodes to pass through to reach a specific destination. It eliminates loops but increases the amount of information to send.
In a link-state routing algorithm the network topology and all link costs are available as input to the algorithm: in this way all nodes have an identical and complete view of the network, and each node running the LS algorithm gets the same results. Even though the link state of a single node is smaller than a DV, each node has to store the link state of all the nodes.
The algorithm used in this case is Dijkstra's algorithm: it has a low complexity, O(L log N), where L is the number of links and N the number of nodes. It is a “shortest path first” algorithm,
Routing protocols are located between layer 4 and layer 3. A routing protocol is a protocol that routers use to exchange information about the network in order to determine the best route to each destination, based on routing algorithms. Routing protocols define the metric(s), their encoding in packets, specific timings and configurable parameters. We define a routing domain as a set of routers deploying the same routing protocol and connected to a portion of the network. A router may belong to multiple routing domains if it uses multiple routing protocols; we say that it can redistribute information learned with one protocol through another one (redistribution). If the 2 domains are in the same administrative domain, redistribution is done to optimize communication and without any filter; if the 2 domains are not in the same administrative domain, there will be policies about what to send and how to send information (some information may be hidden). These policies are defined by the administrator using filters, metric conversion and information-source priority. We define an autonomous system (AS) as a set of subnets grouped based on topological and organizational criteria. In general, an ISP can have one or more ASs, which are not shared with other ISPs. A single AS can have one or more routing domains, each with its own routing protocol. Why do we use this kind of architecture?
An AS is identified by a two-byte number assigned by IANA (Internet Assigned Numbers Authority). The private number range (64512-65534) has a controlled routing information exchange. How do two or more ASs communicate with each other? The protocol they use is BGP (Border Gateway Protocol). In particular, if two different ASs have to communicate with each other we call it eBGP (external BGP), while if two or more routers of a single AS have to communicate with each other we call it iBGP (internal BGP). Exterior routing does not necessarily follow the shortest path; it is based on policies which reflect agreements among ASs. The network structure is hierarchical:
The way multiple networks exchange messages with each other is through peering links at IXPs (Internet Exchange Points) or NAPs (Neutral Access Points), meeting points where multiple ISPs can peer with each other using BGP. Nowadays it is no longer so strict that tier 3 communicates with tier 2, which communicates with tier 1, which communicate with each other. More and more global content providers (Google, Microsoft) are emerging that build their own distribution networks to bypass Tier 1 and regional ISPs, providing connectivity to the service directly.
There are mainly two kinds of protocols:
IGPs can be based on DV or LS. Let's start from DV. There are mainly two protocols:
Moving to link state, there are mainly:
3 IPv6
The main reason why IPv6 was created is that the available addresses in IPv4 were running out. So the number of bits used to identify a host in IPv6 was increased to 128, which makes it possible to never run out of addresses again (2^128 possible addresses is a number that is practically infinite). An IPv6 address is written as 8 hexadecimal numbers separated by “:”, for example 1080:0000:0000:0007:0200:A There are two rules to follow:
The address is composed by two parts:
These two parts have a variable length, but usually the prefix part is 64 bits long, so the other part is 64 bits as well, because 2^64 is a huge number that can identify many devices. The address is also written as prefix/N where N is the prefix length. Let's consider this address: FEDC:0123:8700::100/40. The complete address is composed of the prefix transformed into binary (N bits) and the remaining part, padded with 0s, identifying the interface ID. There are no address classes. Some terminology:
IPv6 offers a significantly larger address space than IPv4. This expanded address space allows various addressing types, each serving a different purpose in IPv6 networks: unicast addresses, multicast addresses and anycast addresses.
3.1.1 Multicast addresses
Multicast addresses in IPv6 are used for one-to-many or many-to-many communication. They allow a sender to send a packet to a group of recipients simultaneously. Multicast addresses begin with the prefix FF00::/8; the remaining bits in the address identify the multicast group. A packet sent to a multicast group always has a unicast source address: a multicast address can never be the source address. Unlike IPv4, there is no broadcast address in IPv6. Instead, IPv6 uses multicast, including an all-IPv6-devices well-known multicast address and a solicited-node multicast address. There are various predefined multicast addresses for specific purposes, such as all-nodes, all-routers, and solicited-node addresses. These addresses are further divided into:
The most general IPv6 multicast address is defined as follows, where:
3.1.2 Unicast addresses
A unicast address uniquely identifies an interface on an IPv6 device. A packet sent to a unicast address is received by the interface assigned that address. As in IPv4, a source IPv6 address must be a unicast address. Remember that IPv6 does not include a broadcast address, because broadcast is not supported, as a security improvement. In IPv4 there are 2 kinds of unicast addresses, public and private.
There are many kinds of unicast addresses. The first ones we discuss are the global unicast addresses, also known as aggregatable global unicast addresses. They are globally routable and reachable, the equivalent of IPv4 public addresses. The generic structure of a GUA has three fields:
source address to indicate the absence of an address. It cannot be assigned to an interface. It is used in duplicate address detection in ICMPv6.
3.1.3 Anycast Addresses
Anycast addresses are not present in IPv4; it is a multi-to-multi communication. An anycast address can be assigned to more than one interface (typically on different devices): multiple devices can have the same anycast address. It is supported by IPv6 but used only by some specific companies for communication with specific QoS.
During the transition from IPv4 to IPv6 the header changed: it now has a fixed length of 40 bytes, and some fields have been removed or added. The ones removed are:
An important field in the IPv6 header is the Next Header, similar to the IPv4 “Protocol” field. It specifies the protocol carried in the data portion of the IPv6 packet. It is possible to add additional “Next Header” fields in header extensions to allow chaining. Protocols are coded using the same values as IPv4 (0: Hop by Hop option, 6: TCP, 17: UDP, 43: Routing extension, 44: Fragment header, 50: Encapsulating Security Payload, 51: Authentication, 60: Destination option, ..., 59: no next header). If I need to guarantee something else (for example related to security), it is possible to keep the header at its minimum size and add pieces, creating a cascade of IP header extensions that extend the original one. With the next header you can identify the next service you are going to find. The extension header format has the next header, the length and the extension data, for both the header and the data (different for every kind of service offered). If some device cannot use a specific service, it can skip that part of the packet by looking at the next header and length. There is no limit on the number of concatenated headers, but the chain of headers has to be put in a specific order, because some services influence the rest of the packet in order to guarantee the integrity of the data (if I use the encryption extension, I cannot put it in the first block of the chain, because I would encrypt all the others, leaving the following services no opportunity to read the next blocks). Some significant next headers are:
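Added example, not from the notes: a Python walker for the Next Header chain that steps through a constructed IPv6 packet header by header using the values listed above, stops at the upper-layer protocol, at 59 or at ESP (everything after ESP is encrypted, so a middlebox cannot see past it), rejects a Hop-by-Hop header that is not first in the chain (the RFC 8200 ordering rule), and rejects a length field that points past the end of the packet. The packet builder, its zeroed addresses and its PadN filler are constructed test data.

```python
"""Walk the Next Header chain of an IPv6 packet (constructed samples, not captured traffic)."""
import struct

# Next Header values as listed in the notes (same numbering as the IPv4 Protocol field)
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DST_OPTS = 0, 6, 17, 43, 44, 50, 51, 59, 60
NAMES = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment", 50: "ESP",
         51: "AH", 59: "No Next Header", 60: "Destination Options"}
EXTENSIONS = (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DST_OPTS)   # headers this walker can step over
BASE_LEN = 40   # the IPv6 base header has a fixed length of 40 bytes

def walk_chain(packet):
    """Return the header names from the base header up to the payload, in chain order.
    The walk ends at an upper-layer protocol, at 59, or at ESP: the ESP trailer that names
    what follows is encrypted, so nothing after ESP can be identified without the key."""
    if len(packet) < BASE_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = packet[6], BASE_LEN, ["IPv6"]   # byte 6 of the base header is Next Header
    while True:
        chain.append(NAMES.get(nh, f"proto {nh}"))
        if nh == HOP_BY_HOP and off != BASE_LEN:     # RFC 8200: Hop-by-Hop must come first
            raise ValueError("Hop-by-Hop options must directly follow the base header")
        if nh not in EXTENSIONS:
            return chain                              # ESP, 59, TCP, UDP, unknown: chain ends
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            size = 8                                  # fixed 8-octet header, no length field
        elif nh == AH:
            size = (packet[off + 1] + 2) * 4          # AH: payload length in 4-octet units minus 2
        else:
            size = (packet[off + 1] + 1) * 8          # Hdr Ext Len in 8-octet units, first 8 excluded
        nh, off = packet[off], off + size             # byte 0 of every extension header is Next Header
        if off > len(packet):
            raise ValueError("extension header length points past the end of the packet")

def is_well_formed(packet):
    """True if the chain can be walked without length or ordering violations."""
    try:
        walk_chain(packet)
        return True
    except ValueError:
        return False

def build_packet(headers, payload=b""):
    """Constructed IPv6 packet carrying the given Next Header values in order; the last value
    is the upper layer (or 59). Addresses are zeroed; option headers hold one PadN option."""
    body = b""
    for here, nxt in zip(headers, headers[1:]):
        if here == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0)   # next, reserved, offset+M flag, identification
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])   # next, ext len 0, PadN(len 4) option
    body += payload
    base = struct.pack("!IHBB", 6 << 28, len(body), headers[0], 64) + bytes(32)
    return base + body
```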
IPv6 packets are encapsulated in layer-2 frames. How is the destination MAC address set when an IPv6 packet is encapsulated?
3.3.1 IPv6 multicast transmission
Which MAC address should the packet be sent to? Instead of using ARP (which is no longer used in IPv6), the MAC address is found this way: starting from the IPv6 address, you obtain the IP multicast address that you use to build the MAC address. How? 33-33-xx-xx-xx-xx is the Ethernet MAC address reserved for carrying an IPv6 multicast packet (RFC 7042), so the lower 32 bits of the MAC address (xx-xx-xx-xx) are copied from the lower 32 bits of the IPv6 multicast address.
Starting from this point, we can explain why broadcast no longer exists in IPv6 and has been replaced by multicast. In a subnet several hosts may share the same final 32 bits of the IP multicast address, so I can send packets to a limited group of hosts (instead of sending them to all the hosts of the network). If you know the IP address of the destination, you can modify the MAC address of an interface in order to receive the packet (a bad guy can do it). That is one of the reasons why multicast is safer than broadcast, and broadcast is no longer used. Moreover, since multicast is more efficient in terms of resource usage, it conserves network resources and reduces the potential for misuse or abuse of those resources. Broadcast traffic can be exploited by attackers to send unwanted or malicious data to all devices, whereas multicast traffic is more controlled. Multicast allows a sender to send data to a specific group of receivers who have expressed an interest in receiving it, rather than to all devices on the network, which is what broadcast does. This selective communication reduces unnecessary traffic and the security risks associated with broadcasting data to all devices. Broadcast traffic can flood the entire network, consuming bandwidth and resources and potentially causing congestion and performance issues. In contrast, multicast traffic is limited to the specific group of devices that have joined the multicast group, which minimizes the impact on the overall network.
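Added example (not from the notes) covering both the notation rules of section 3 and the multicast MAC mapping just described: expanding and compressing an IPv6 address, deriving the solicited-node multicast address FF02::1:FFxx:xxxx from a unicast address, and mapping a multicast address to its 33-33 Ethernet address. The function names and the sample addresses in the checks are constructed.

```python
"""IPv6 address notation rules, solicited-node multicast and the 33-33 MAC mapping."""

def expand(addr):
    """Undo the two notation rules: restore the leading zeros of every group and replace
    the single '::' with as many 0000 groups as are needed to reach 8 groups."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = addr.partition("::")
    left = [g for g in head.split(":") if g]
    right = [g for g in tail.split(":") if g]
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("wrong number of 16-bit groups")
    groups = left + ["0"] * missing + right
    if any(len(g) > 4 or not set(g) <= set("0123456789abcdefABCDEF") for g in groups):
        raise ValueError("each group must be 1-4 hex digits")
    return ":".join(g.zfill(4).upper() for g in groups)

def compress(addr):
    """Apply the rules: drop leading zeros, then replace the longest run of all-zero
    groups (the leftmost on a tie, never a run of a single group) with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).lower().split(":")]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):             # sentinel closes a trailing run
        if g == "0" and run_start is None:
            run_start = i
        elif g != "0" and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])

def solicited_node(unicast):
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address
    (the group Neighbor Discovery queries instead of broadcasting an ARP request)."""
    groups = expand(unicast).split(":")
    low24 = int(groups[6] + groups[7], 16) & 0xFFFFFF
    return compress(f"FF02:0:0:0:0:1:FF{low24 >> 16:02X}:{low24 & 0xFFFF:04X}")

def multicast_mac(mcast):
    """RFC 7042 mapping: 33-33 followed by the low 32 bits of the IPv6 multicast address.
    Every group address that shares those 32 bits maps to the same MAC address."""
    groups = expand(mcast).split(":")
    if not groups[0].startswith("FF"):
        raise ValueError("not an IPv6 multicast address (must be inside FF00::/8)")
    low32 = bytes.fromhex(groups[6] + groups[7])
    return "-".join(f"{b:02X}" for b in b"\x33\x33" + low32)
```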