CP372 Practice Tool

Course Synthesis

Comprehensive mapping of Chapters 4, 5, 6, and 8. All excluded sections have been surgically removed to maximize exam relevance.

04

The Network Layer: Data Plane

Section 4.1

Overview of Network Layer

The network layer's primary role is to move packets from a sending host to a receiving host. It has two key functions: Forwarding (the local action of moving a packet from an input port to the appropriate output port) and Routing (the network-wide process of determining the path packets take). The Data Plane handles the per-router function of forwarding, while the Control Plane determines how datagrams are routed end to end (routing algorithms). The Internet uses a best-effort service model, providing no guarantees on timing, loss, or order.
Section 4.2

Inside a Router

Principal components: Input Ports (lookup, buffering), Switching Fabric (connects input to output), Output Ports (buffering, scheduling), and the Routing Processor (control plane functions). Scheduling disciplines include First-Come-First-Served (FCFS), Priority, and Round Robin. Longest Prefix Matching is used in the forwarding table to find the best output link for a destination IP.
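Longest prefix matching in working form, as an added example (not from the course or textbook). The forwarding table and the destination addresses are constructed; the matching rule itself is the one the section describes: every entry whose prefix covers the destination is a candidate, and the one with the most leading bits wins, so the default route (/0) only applies when nothing more specific matches.

```python
import ipaddress

# Constructed forwarding table (prefix -> output link); not taken from the course.
FORWARDING_TABLE = [
    ("200.23.16.0/21", 0),
    ("200.23.24.0/24", 1),   # more specific than the /21 below, which also covers it
    ("200.23.24.0/21", 2),
    ("0.0.0.0/0", 3),        # default route: prefix length 0 matches every address
]


def prefix_matches(addr: int, network: int, prefix_len: int) -> bool:
    """True if the top prefix_len bits of addr equal those of network (IPv4, 32-bit)."""
    shift = 32 - prefix_len
    return (addr >> shift) == (network >> shift)


def longest_prefix_match(dst: str, table=FORWARDING_TABLE):
    """Return the output link of the matching entry with the longest prefix.
    A more specific prefix always overrides a broader one, which is why a
    newly announced more-specific route is something operators watch for."""
    addr = int(ipaddress.IPv4Address(dst))
    best_len, best_link = -1, None
    for prefix, link in table:
        net = ipaddress.IPv4Network(prefix)
        if prefix_matches(addr, int(net.network_address), net.prefixlen) \
                and net.prefixlen > best_len:
            best_len, best_link = net.prefixlen, link
    return best_link


if __name__ == "__main__":
    for dst in ("200.23.17.5", "200.23.24.9", "200.23.30.1", "8.8.8.8"):
        print(dst, "-> link", longest_prefix_match(dst))
```

200.23.24.9 is covered by both 200.23.24.0/21 and 200.23.24.0/24; the /24 wins because it matches 24 leading bits rather than 21.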
Section 4.3

IP: Internet Protocol

IPv4 Datagram Format: Includes Version (4 bits), TTL, Upper Layer Protocol (6 for TCP, 17 for UDP), and Checksum. Addressing: IPv4 uses 32-bit addresses. Subnets: A group of interfaces that can reach each other without a router and share a common address prefix. DHCP (Dynamic Host Configuration Protocol) allows a host to obtain an IP address automatically from a network server.
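The datagram fields listed above, built and parsed from real bytes, as an added example (not course material). It packs a 20-byte IPv4 header, computes the Internet checksum over the header only (the IP checksum never covers the payload), and shows that a router which decrements TTL must recompute the checksum or the header fails verification. The addresses, identification value and protocol table are constructed for the example.

```python
import socket
import struct

# IP protocol field values named in the section; others are returned as raw numbers.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int = 64,
                      payload_len: int = 0) -> bytes:
    """Version 4, IHL 5 (20 bytes), checksum filled in over the header itself."""
    ver_ihl = (4 << 4) | 5
    hdr = IPV4_HDR.pack(ver_ihl, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fields the section names and verify the header checksum
    (summing a header that includes its own checksum yields 0 when intact)."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        IPV4_HDR.unpack(hdr[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0xF,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, proto),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": internet_checksum(hdr[:20]) == 0,
    }


def decrement_ttl_without_fixing_checksum(hdr: bytes) -> bytes:
    """What a broken router would do: change TTL but leave the checksum alone."""
    return hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]


if __name__ == "__main__":
    h = build_ipv4_header("10.0.0.1", "10.0.0.2", 6, ttl=64)
    print(parse_ipv4_header(h))
    print(parse_ipv4_header(decrement_ttl_without_fixing_checksum(h)))
```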
Section 4.5

Middleboxes

A middlebox is any intermediary node performing functions other than standard IP forwarding. Examples: NAT (Network Address Translation) boxes, Firewalls, Load Balancers, and Caches. NAT allows multiple devices in a private network to share a single public IP address by mapping internal IP/port pairs to the external IP/port.
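A NAT translation table in code, as an added example that is not from the course. Outbound packets get a mapping from their internal (IP, port) to a port on the single public address; inbound packets are translated back only if such a mapping exists, which is also why an unsolicited inbound packet is dropped. The addresses and the starting port are constructed.

```python
class NAT:
    """Port-based NAT: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 5000):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed allocation policy: sequential
        self.out_map = {}                    # (internal_ip, internal_port) -> public_port
        self.in_map = {}                     # public_port -> (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network."""
        key = (src_ip, src_port)
        if key not in self.out_map:          # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a reply, or return None to drop it."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None                      # no mapping: nobody inside asked for this
        int_ip, int_port = self.in_map[dst_port]
        return (src_ip, src_port, int_ip, int_port)


if __name__ == "__main__":
    nat = NAT("138.76.29.7")
    print(nat.outbound("10.0.0.1", 3345, "128.119.40.186", 80))
    print(nat.inbound("128.119.40.186", 80, "138.76.29.7", 5000))
    print(nat.inbound("203.0.113.9", 4444, "138.76.29.7", 6000))
```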
05

The Network Layer: Control Plane

Section 5.1

Routing Algorithms

Intra-AS (Intradomain) routing prioritizes performance (speed, delay). Inter-AS (Interdomain) routing prioritizes policy (agreements between organizations). Common types: Link-State (LS, uses Dijkstra's — global, requires complete topology) and Distance-Vector (DV, uses Bellman-Ford — decentralized, iterative, neighbors share distance vectors).
Section 5.2

Intradomain Routing: OSPF & Distance Vector

OSPF (Open Shortest Path First) is a link-state protocol. It uses flooding of link-state information and Dijkstra's algorithm to find the least-cost path. OSPF features include authentication of routing messages, multiple same-cost paths (ECMP), and support for hierarchical routing within a single AS via Areas (Backbone Area 0 and local areas). Dijkstra's properties: D(v) never increases; once a node is in N', it stays there forever. Distance Vector (Bellman-Ford) is decentralized: Dx(y) = min_v { c(x,v) + Dv(y) }, taken over all neighbours v of x. It can suffer from the count-to-infinity problem — when a link fails, bad news propagates slowly. Mitigation: poisoned reverse — if Z routes through Y to reach X, Z tells Y its distance to X is infinity.
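Both algorithms from Sections 5.1 and 5.2 on one small topology, as an added example (not the textbook's figure or code). Dijkstra runs with complete knowledge of the graph and records the first hop of each least-cost path (the entry a forwarding table needs); the distance-vector routine gives each node only its link costs and its neighbours' vectors and iterates the Bellman-Ford equation until nothing changes. The graph is constructed; both must agree on the resulting distances.

```python
import heapq

# Constructed topology: undirected links with symmetric costs.
GRAPH = {
    "u": {"v": 2, "x": 1},
    "v": {"u": 2, "x": 3, "w": 3},
    "x": {"u": 1, "v": 3, "w": 1, "y": 3},
    "w": {"v": 3, "x": 1, "y": 1},
    "y": {"x": 3, "w": 1},
}
INF = float("inf")


def dijkstra(graph, src):
    """Link-state: the node knows the whole topology. Returns (D, first_hop)."""
    dist = {n: INF for n in graph}
    first_hop = {n: None for n in graph}
    dist[src] = 0
    done = set()                       # N' in the textbook notation
    pq = [(0, src)]
    while pq:
        d, n = heapq.heappop(pq)
        if n in done:
            continue
        done.add(n)                    # once in N', D(n) is final and never increases
        for nbr, cost in graph[n].items():
            nd = d + cost
            if nd < dist[nbr]:
                dist[nbr] = nd
                first_hop[nbr] = nbr if n == src else first_hop[n]
                heapq.heappush(pq, (nd, nbr))
    return dist, first_hop


def distance_vector(graph):
    """Bellman-Ford: D_x(y) = min over neighbours v of { c(x,v) + D_v(y) },
    repeated until no node's vector changes. Returns (D, rounds)."""
    nodes = list(graph)
    D = {x: {y: (0 if x == y else INF) for y in nodes} for x in nodes}
    for x in graph:                    # initial vector: direct link costs only
        for v, cost in graph[x].items():
            D[x][v] = cost
    rounds = 0
    while True:
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                best = min(cost + D[v][y] for v, cost in graph[x].items())
                if best < D[x][y]:
                    D[x][y] = best
                    changed = True
        rounds += 1
        if not changed:
            return D, rounds


if __name__ == "__main__":
    dist, hop = dijkstra(GRAPH, "u")
    print("LS from u:", dist, "first hops:", hop)
    D, rounds = distance_vector(GRAPH)
    print("DV vector of u:", D["u"], "after", rounds, "rounds")
```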
Section 5.3

Interdomain Routing: BGP

BGP (Border Gateway Protocol) is the de facto interdomain routing protocol. It uses a Path-Vector approach. Two flavors: eBGP (external — between border routers of different ASes) and iBGP (internal — distributing routes within an AS). Key attributes: AS-PATH (list of ASes, used for loop detection), NEXT-HOP (IP of the first router along the path), and LOCAL-PREF (policy preference set by the admin). BGP route selection order: 1. Local preference (policy — HIGHEST priority), 2. Shortest AS-PATH, 3. Closest NEXT-HOP (hot-potato routing — get the packet out of your AS ASAP), 4. Additional tie-breakers. Key insight: interdomain routing is driven by policy, not performance. Provider/customer/peer relationships determine what routes are advertised to whom.
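The selection order above applied to a set of candidate routes, as an added example (not from the course). Loop detection drops any route whose AS-PATH already contains the local AS number; the remaining candidates are ranked by LOCAL-PREF, then AS-PATH length, then the intra-AS cost to the NEXT-HOP (hot potato). The final tie-breaker (lowest next-hop address) and all route values are constructed for the example; the example also shows that a shorter AS-PATH loses to a lower LOCAL-PREF, which is the "policy beats performance" point.

```python
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    as_path: tuple          # AS numbers, nearest AS first
    next_hop: str
    local_pref: int = 100   # set by the local admin, typically per neighbour relationship
    igp_cost: int = 0       # cost from this router to next_hop inside our AS


def accept_routes(my_asn: int, candidates):
    """Loop detection: discard a route whose AS-PATH already contains our AS."""
    return [r for r in candidates if my_asn not in r.as_path]


def select_route(candidates):
    """Rank in the section's order: highest LOCAL-PREF, shortest AS-PATH,
    closest NEXT-HOP; lowest next-hop address as a constructed final tie-breaker."""
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.local_pref, len(r.as_path), r.igp_cost, r.next_hop))


# Constructed candidate routes to the same prefix, learned from four neighbours.
CANDIDATES = [
    Route("198.51.100.0/24", (65001, 65010), "10.0.0.1", local_pref=100, igp_cost=5),
    Route("198.51.100.0/24", (65002,), "10.0.0.2", local_pref=50, igp_cost=1),
    Route("198.51.100.0/24", (65003, 65010), "10.0.0.3", local_pref=100, igp_cost=2),
    Route("198.51.100.0/24", (65004, 64512, 65010), "10.0.0.4", local_pref=200),
]

if __name__ == "__main__":
    usable = accept_routes(64512, CANDIDATES)     # our constructed ASN is 64512
    print("loop-free candidates:", [r.next_hop for r in usable])
    print("selected next hop:", select_route(usable).next_hop)
```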
Section 5.4

SDN Control Plane

SDN uses a logically centralized control plane. A remote controller computes forwarding tables and distributes them to routers. This allows for more flexible traffic engineering compared to traditional per-router control. Components: Data-plane switches (execute flow-table rules), SDN Controller (maintains network state database), and Network-control applications (implement routing, access control). APIs: Northbound (controller ↔ apps) and Southbound (controller ↔ switches, e.g., OpenFlow).
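A data-plane switch's flow table as the controller would install it, as an added example (not from the course or from OpenFlow itself; the match-field names and the table are a simplified, constructed form). Each entry has a priority, match fields (absent fields are wildcards) and an action; the highest-priority matching entry wins, and a priority-0 catch-all sends unmatched packets to the controller, which is how an access-control application can block one service to a subnet while still forwarding the rest.

```python
import ipaddress

# Constructed flow table. Higher priority wins among matching entries.
FLOW_TABLE = [
    {"priority": 200, "match": {"ip_dst": "10.0.2.0/24", "tcp_dst": 22}, "action": "drop"},
    {"priority": 100, "match": {"ip_dst": "10.0.2.0/24"}, "action": "output:2"},
    {"priority": 100, "match": {"ip_dst": "10.0.1.0/24"}, "action": "output:1"},
    {"priority": 0, "match": {}, "action": "controller"},   # table-miss entry
]


def _field_matches(name: str, rule_value, pkt_value) -> bool:
    """IP fields match by prefix; everything else matches by exact value."""
    if name.startswith("ip_"):
        return ipaddress.ip_address(pkt_value) in ipaddress.ip_network(rule_value)
    return rule_value == pkt_value


def match_flow(packet: dict, table=FLOW_TABLE):
    """Return the action of the highest-priority entry whose fields all match."""
    best = None
    for entry in table:
        fields = entry["match"].items()
        if all(name in packet and _field_matches(name, v, packet[name]) for name, v in fields):
            if best is None or entry["priority"] > best["priority"]:
                best = entry
    return best["action"] if best else None


def install_rule(table, priority: int, match: dict, action: str):
    """Southbound API stand-in: the controller pushes a new entry to the switch."""
    table.append({"priority": priority, "match": dict(match), "action": action})


if __name__ == "__main__":
    for pkt in ({"ip_dst": "10.0.2.7", "tcp_dst": 22},
                {"ip_dst": "10.0.2.7", "tcp_dst": 80},
                {"ip_dst": "10.0.1.3"},
                {"ip_dst": "192.0.2.1"}):
        print(pkt, "->", match_flow(pkt))
```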
Section 5.6

ICMP: Internet Control Message Protocol

ICMP is used by hosts and routers to communicate network-layer information, such as error reporting (e.g., Destination Unreachable) and echo requests (Ping). ICMP messages are carried directly as IP payload. The TTL-expired message is famously used by the `traceroute` tool to map the path to a destination.
06

The Link Layer and LANs

Section 6.1

Link Layer Services

Services: Framing (encapsulating datagrams), Link Access (MAC protocols), Reliable Delivery (often in wireless), and Error Detection/Correction. The link layer is implemented in a Network Interface Card (NIC) or network adapter.
Section 6.2

Error-Detection and Correction

Techniques: Parity Checks (a single parity bit detects a 1-bit error; 2D parity can detect 2-bit errors and correct single-bit errors), Checksums (used in TCP/IP/UDP), and the Cyclic Redundancy Check (CRC) (implemented in hardware, very powerful against burst errors).
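Two of the three techniques in working form, as an added example (not course code): a 2D even-parity encoder and checker that locates and flips a single bit error but only reports a double error, and CRC computed as modulo-2 division so the receiver can confirm a zero remainder. The data block and the generator polynomial below are constructed inputs; the CRC test vector (D = 101110, G = 1001, R = 011) is the standard textbook case.

```python
def parity2d_encode(rows):
    """rows: equal-length lists of bits. Append an even-parity bit to each row,
    then a final row holding the even parity of every column."""
    enc = [r + [sum(r) % 2] for r in rows]
    col_parity = [sum(bits) % 2 for bits in zip(*enc)]
    return enc + [col_parity]


def parity2d_check(block):
    """Return (ok, block). One failing row and one failing column pinpoint a single
    bit, which is flipped back; any other pattern is detected but not correctable."""
    bad_rows = [i for i, r in enumerate(block) if sum(r) % 2]
    bad_cols = [j for j, c in enumerate(zip(*block)) if sum(c) % 2]
    if not bad_rows and not bad_cols:
        return True, block
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        fixed = [r[:] for r in block]
        fixed[bad_rows[0]][bad_cols[0]] ^= 1
        return True, fixed
    return False, block                      # e.g. a 2-bit error: detected only


def crc_remainder(data_bits: str, generator: str) -> str:
    """Modulo-2 division: append r = len(G)-1 zeros to D and return the r-bit remainder.
    The sender transmits D followed by R; the receiver divides <D,R> and expects zero."""
    r = len(generator) - 1
    bits = [int(b) for b in data_bits + "0" * r]
    g = [int(b) for b in generator]
    for i in range(len(data_bits)):
        if bits[i]:                          # XOR the generator in wherever a 1 leads
            for j in range(len(g)):
                bits[i + j] ^= g[j]
    return "".join(str(b) for b in bits[-r:])


if __name__ == "__main__":
    block = parity2d_encode([[1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 0]])
    damaged = [r[:] for r in block]
    damaged[1][2] ^= 1
    print(parity2d_check(damaged))
    print(crc_remainder("101110", "1001"), crc_remainder("101110011", "1001"))
```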
Section 6.3

Multiple Access Protocols

Three categories: 1. Channel Partitioning (TDMA, FDMA; no collisions but inefficient under low load), 2. Random Access (ALOHA, CSMA/CD, CSMA/CA; handle collisions via backoff), 3. Taking Turns (Polling, Token-passing; efficient at high load, avoids collisions).
Section 6.4

Switched LANs

MAC Addresses: 48-bit, 'burned-in', permanent addresses for the NIC. ARP (Address Resolution Protocol) translates IP addresses to MAC addresses. Ethernet Switches are self-learning, transparent devices that store MAC-to-port mappings in a Switch Table. If a destination MAC is unknown, the switch floods the frame to all ports.
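A self-learning switch simulated frame by frame, as an added example (not from the course). Every frame teaches the switch which port its source MAC lives on; a frame for an unknown or broadcast destination is flooded out every other port, a frame for a known destination goes to that port only, and entries age out after a constructed TTL so a moved host does not stay pinned to an old port.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Transparent, self-learning switch with an aging switch table."""

    def __init__(self, ports, ttl=60):
        self.ports = list(ports)
        self.ttl = ttl                       # seconds an unused entry survives (constructed)
        self.table = {}                      # MAC -> (port, last_seen)

    def handle_frame(self, src_mac, dst_mac, in_port, now):
        """Return the list of output ports for this frame."""
        self.table[src_mac] = (in_port, now)                     # learn / refresh
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.ttl}                     # age out stale entries
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]       # flood
        port, _ = entry
        if port == in_port:
            return []                                            # filter: same segment
        return [port]                                            # forward


if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3])
    A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    print(sw.handle_frame(A, B, 1, now=0))     # B unknown: flood to 2 and 3
    print(sw.handle_frame(B, A, 2, now=1))     # A known on port 1
    print(sw.handle_frame(A, B, 1, now=2))     # B known on port 2
    print(sw.handle_frame(C, B, 3, now=100))   # B's entry aged out: flood again
```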
08

Network Security

Section 8.1

What is Network Security?

Four goals: Confidentiality (only sender/receiver understand message), Authentication (confirming identity), Message Integrity (message not altered), and Availability (services are accessible). Common attacks: Eavesdropping (passive interception), Replay Attack (resending captured packets), Spoofing (faking source address), Hijacking (taking over a connection), DoS (denial of service). A nonce is a number used only once to prove freshness and prevent replay attacks. Key fact: encrypting a password alone does NOT prevent replay attacks — you need freshness (nonce or timestamp).
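The nonce point from this section in runnable form, as an added example (not from the course). A static token derived from the password is the same every time, so a copy of it is accepted again; a challenge-response scheme has the server issue a fresh random nonce, accept the keyed response to it exactly once, and refuse the same response a second time. The pre-shared key is a constructed value.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed pre-shared secret"   # assumption: known to client and server


def static_token(key: bytes) -> bytes:
    """'Hash (or encrypt) the password only': identical every time, so replayable."""
    return hashlib.sha256(key).digest()


def verify_static(key: bytes, token: bytes) -> bool:
    return hmac.compare_digest(static_token(key), token)


class ChallengeServer:
    """Challenge-response: freshness comes from a random nonce issued by the server
    and consumed on first use, so a captured response cannot be presented again."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()             # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                     # never issued, or already used: replay
        self.outstanding.discard(nonce)      # one attempt per challenge, even if it fails
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Client proves knowledge of the key by keying the nonce, not by sending the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    server = ChallengeServer(SHARED_KEY)
    nonce = server.challenge()
    response = client_respond(SHARED_KEY, nonce)
    print("first use:", server.verify(nonce, response))
    print("same response again:", server.verify(nonce, response))
```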
Section 8.2

Principles of Cryptography

Symmetric Key: Both parties share the same secret key. Examples: DES (56-bit key, broken in <1 day by brute force), 3DES (encrypt 3× with 3 keys), AES (128/192/256-bit key, 149 trillion years to brute force — NIST standard since 2001). Public Key: Uses a public/private key pair. RSA relies on the difficulty of factoring the product of two large primes. RSA is ~100× slower than AES, so in practice it is used only to securely exchange a symmetric session key. Diffie-Hellman allows two parties to establish a shared secret without ever sending it. Attack types: Ciphertext-only (attacker sees only ciphertext), Known-plaintext (attacker has some plaintext/ciphertext pairs), Chosen-plaintext (attacker picks messages to encrypt), Brute-force (try all keys). Important: Hash functions provide integrity, NOT confidentiality.
Section 8.3

Digital Signatures & Integrity

Cryptographic Hash Functions (MD5, SHA-256) produce a fixed-length 'fingerprint' — many-to-one, computationally infeasible to reverse. A Message Digest is the hash output. Digital Signature: the sender signs H(m) with their private key → verified by the receiver using the sender's public key. Provides: Authentication (identity), Integrity (unaltered), and Non-repudiation (cannot deny). Key distinction: Signing uses the SENDER's private key; verifying uses the SENDER's public key. Encrypting a message for Bob uses BOB's public key; he decrypts with his private key. Digests are signed (not full messages) because they are smaller and faster. A Certificate Authority (CA) binds a public key to a real identity, preventing man-in-the-middle attacks where Trudy substitutes her own public key.
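The "which key does what" distinction in code, as an added example (not course material) using textbook RSA on tiny primes: signing applies the sender's private exponent to H(m), verification applies the sender's public exponent and compares against a fresh hash, and encryption for a recipient goes the other way round with the recipient's key pair. The primes (61, 53 and 101, 113) are toy sizes chosen for the example and give no security; the hash is reduced mod n only so it fits the toy modulus.

```python
import hashlib


def make_toy_keypair(p: int, q: int, e: int):
    """Textbook RSA: public (e, n), private (d, n). Toy primes for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest_int(message: bytes, n: int) -> int:
    """H(m): SHA-256 of the message as an integer, reduced mod the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    d, n = private_key
    return pow(digest_int(message, n), d, n)          # SENDER's private key signs H(m)


def verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)   # SENDER's public key verifies


def encrypt_for(recipient_public_key, m: int) -> int:
    e, n = recipient_public_key
    return pow(m, e, n)                               # RECIPIENT's public key encrypts


def decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)                               # RECIPIENT's private key decrypts


if __name__ == "__main__":
    alice_pub, alice_priv = make_toy_keypair(61, 53, 17)
    bob_pub, bob_priv = make_toy_keypair(101, 113, 3)
    msg = b"transfer 100 to bob"
    sig = sign(msg, alice_priv)
    print("valid signature:", verify(msg, sig, alice_pub))
    print("altered message:", verify(b"transfer 1000 to bob", sig, alice_pub))
    print("round trip to Bob:", decrypt(bob_priv, encrypt_for(bob_pub, 42)))
```

Because RSA is a bijection on the residues mod n, any change to the signature value makes verification fail deterministically; a changed message fails unless its reduced hash happens to collide, which with a real modulus is computationally infeasible.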
Section 8.5

Securing TCP: SSL/TLS

TLS (Transport Layer Security) provides confidentiality, integrity, and authentication for TCP connections. HTTPS = HTTP over TLS. TLS phases: 1. Handshake — negotiate cipher suite, exchange/derive keys (TLS 1.3 uses Diffie-Hellman only; it dropped RSA for key exchange), verify server certificate. 2. Key Derivation — derive 4 keys from the master secret: Kc (client encryption), Mc (client MAC), Ks (server encryption), Ms (server MAC). Separate keys for encryption vs. MAC, and per direction. 3. Data Transfer — the stream is broken into records, each encrypted with the symmetric key and carrying a MAC. TLS sequence numbers are included in the MAC to prevent reordering/replay. 4. Connection Close — a special 'close' record type prevents truncation attacks. TLS 1.3 handshake: 1 RTT (client proposes DH params + cipher suites → server responds). 0-RTT resumption is vulnerable to replay attacks (early data is protected with the old session secret, so it has no freshness guarantee).
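Phases 2 and 3 modelled in code, as an added example that is not from the course and not the real TLS key schedule or record format: four keys are expanded from a master secret (a simplified HMAC expansion standing in for the TLS PRF/HKDF), each direction keeps its own encryption key, MAC key and implicit sequence number, and the sequence number is covered by the MAC without being transmitted, so a record delivered out of order or a second time fails verification. The stream cipher is an HMAC-SHA256 counter-mode keystream used as a stand-in for the negotiated cipher; the master secret and randoms are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 tag appended to every record


def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Expand the master secret into (Kc, Mc, Ks, Ms). Simplified HMAC expansion,
    not the real TLS key schedule (assumption made for this example)."""
    seed = client_random + server_random
    labels = (b"client write key", b"client mac key", b"server write key", b"server mac key")
    return tuple(hmac.new(master_secret, lbl + seed, hashlib.sha256).digest() for lbl in labels)


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, keyed per record."""
    out, counter = b"", 0
    while len(out) < length:
        block = seq.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RecordDirection:
    """One direction of a connection: sender and receiver each hold a copy with
    the same keys and the same implicit sequence number."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def seal(self, plaintext: bytes) -> bytes:
        ct = xor(plaintext, keystream(self.enc_key, self.seq, len(plaintext)))
        # sequence number is MACed but never sent on the wire
        tag = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
        self.seq += 1
        return ct + tag

    def open(self, record: bytes):
        ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None      # replayed, reordered or tampered; real TLS aborts the connection
        plaintext = xor(ct, keystream(self.enc_key, self.seq, len(ct)))
        self.seq += 1
        return plaintext


if __name__ == "__main__":
    Kc, Mc, Ks, Ms = derive_keys(b"constructed master secret", b"c" * 32, b"s" * 32)
    client_out, server_in = RecordDirection(Kc, Mc), RecordDirection(Kc, Mc)
    r1, r2 = client_out.seal(b"hello"), client_out.seal(b"world")
    print("r2 before r1:", server_in.open(r2))      # None: out of order
    print("r1:", server_in.open(r1), "r1 again:", server_in.open(r1))
    print("r2:", server_in.open(r2))
```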
Section 8.6

Network-Layer Security: IPsec

IPsec provides datagram-level encryption, authentication, and integrity at the network layer — protects both user traffic and control traffic (BGP, DNS). Two modes: Transport Mode (encrypts payload only, original IP header intact) and Tunnel Mode (encrypts entire original datagram, encapsulated in new IP header — used for VPNs). Two protocols: AH (Authentication Header — authentication + integrity, NO confidentiality) and ESP (Encapsulation Security Protocol — authentication + integrity + confidentiality, more widely used). Security Associations (SAs) are simplex (one-directional, need 2 for bidirectional). SA state: SPI (32-bit Security Parameter Index), algorithms, keys, sequence numbers. IPsec is connection-oriented despite IP being connectionless. The ESP Header contains SPI + sequence number. The sequence number prevents replay attacks — receiver checks for duplicates. ESP datagram format: [New IP Header][ESP Header (SPI, Seq#)][Original IP Header + Payload (encrypted)][ESP Trailer (padding)][ESP Auth (MAC)].
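The ESP header and the receiver-side replay check in code, as an added example (not course material): the SPI and sequence number are parsed from the first eight bytes of the ESP payload, the SPI selects the inbound SA, and the SA's anti-replay window accepts each sequence number at most once while tolerating modest reordering. The sliding-window logic follows the RFC 4303 scheme (64-entry window by default); the SPI values and the omission of the integrity-check step are assumptions made to keep the example short.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # SPI (32-bit) then sequence number (32-bit)


def parse_esp_header(payload: bytes):
    spi, seq = ESP_HEADER.unpack_from(payload)
    return spi, seq


class AntiReplayWindow:
    """Sliding window over received sequence numbers, RFC 4303 style."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted (0 = none yet)
        self.bitmap = 0           # bit i set <=> seq (highest - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                                  # ESP numbering starts at 1
        if seq > self.highest:                            # new high: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                                  # too old: outside the window
        if self.bitmap & (1 << diff):
            return False                                  # duplicate: replay
        self.bitmap |= 1 << diff                          # late but genuine
        return True


class InboundSA:
    """Per-SA state relevant here: the SPI and its own replay window."""

    def __init__(self, spi: int, window_size: int = 64):
        self.spi = spi
        self.window = AntiReplayWindow(window_size)


def receive(sas: dict, payload: bytes) -> bool:
    """Look up the SA by SPI and run the replay check. A real receiver verifies the
    ESP Auth MAC before updating the window (omitted here: assumption)."""
    spi, seq = parse_esp_header(payload)
    sa = sas.get(spi)
    if sa is None:
        return False                                      # unknown SA: drop
    return sa.window.check_and_update(seq)


if __name__ == "__main__":
    sas = {0x1000: InboundSA(0x1000)}                     # constructed SPI
    for seq in (1, 5, 3, 3, 5, 100, 36, 37):
        print(seq, receive(sas, ESP_HEADER.pack(0x1000, seq)))
```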
Section 8.7

Operational Security: Firewalls and IDS

Firewalls filter packets based on header fields. Stateless (packet filter) looks at each packet in isolation based on IP addresses, ports, and flags — cannot detect fake ACK packets because it has no memory of connections. Stateful firewalls track active TCP connections (SYN, SYN-ACK, ACK handshake) — can reject unsolicited ACK packets not part of a known session. Application Gateways perform deep packet inspection at the application layer (e.g., inspect HTTP content). Intrusion Detection Systems (IDS) perform deep packet inspection to find signatures of known attacks. Key limitation: no firewall can prevent ALL attacks — defense in depth is essential.
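The stateless-versus-stateful contrast from this section run over constructed packets, as an added example (not course code). The packet filter admits any inbound TCP segment carrying ACK, intending to let replies through, so a bare ACK from an unrelated host passes; the stateful firewall records connections opened by an outbound SYN and admits inbound packets only when they match one. The protected network, addresses and simplified connection teardown (only RST removes an entry) are assumptions for the example.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed protected network


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_allow(pkt: dict) -> bool:
    """Packet filter: decides from this packet's header fields alone. The rule
    'inbound TCP only if ACK is set' cannot distinguish a genuine reply from any
    other packet that happens to carry ACK, because it remembers no connections."""
    if is_internal(pkt["src"]):
        return True                                  # outbound traffic allowed
    return "ACK" in pkt["flags"]


class StatefulFirewall:
    """Tracks connections opened from inside; inbound packets must belong to one."""

    def __init__(self):
        self.connections = set()     # (internal_ip, internal_port, external_ip, external_port)

    def allow(self, pkt: dict) -> bool:
        if is_internal(pkt["src"]):
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if pkt["flags"] == {"SYN"}:
                self.connections.add(key)            # new outbound connection attempt
            elif "RST" in pkt["flags"]:
                self.connections.discard(key)        # simplified teardown (assumption)
            return True
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return key in self.connections and "ACK" in pkt["flags"]


# Constructed packets: an outbound SYN, the matching SYN-ACK, and an unrelated bare ACK.
SYN = {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51000, "dport": 443, "flags": {"SYN"}}
SYN_ACK = {"src": "93.184.216.34", "dst": "10.0.0.5", "sport": 443, "dport": 51000, "flags": {"SYN", "ACK"}}
FAKE_ACK = {"src": "203.0.113.7", "dst": "10.0.0.5", "sport": 4444, "dport": 22, "flags": {"ACK"}}

if __name__ == "__main__":
    fw = StatefulFirewall()
    for name, pkt in (("SYN", SYN), ("SYN-ACK", SYN_ACK), ("fake ACK", FAKE_ACK)):
        print(f"{name:9} stateless={stateless_allow(pkt)!s:5} stateful={fw.allow(pkt)}")
```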
REF

Quick Reference & Ports

Ref 1

Common Ports

- 20, 21: FTP (Data/Control)
- 22: SSH
- 23: Telnet
- 25: SMTP
- 53: DNS (UDP for queries, TCP for zone transfers)
- 67, 68: DHCP (Server/Client)
- 80: HTTP
- 110: POP3
- 143: IMAP
- 443: HTTPS (SSL/TLS)
- 161, 162: SNMP
Ref 2

Protocol Stack Summary

5. Application: HTTP, SMTP, DNS, FTP (Unit: Message)
4. Transport: TCP, UDP (Unit: Segment)
3. Network: IP, ICMP, BGP, OSPF (Unit: Datagram)
2. Link: Ethernet, WiFi, ARP (Unit: Frame)
1. Physical: (Unit: Bits)
Ref 3

Header Identifiers

- IP Protocol Field: 6 (TCP), 17 (UDP), 1 (ICMP)
- Ethernet Type Field: 0x0800 (IPv4), 0x0806 (ARP)
- TCP/UDP Checksum: Detects errors in the segment
- IP Checksum: Detects errors in the IP header only