CMU CS 15744 - Lecture


Slide titles: 15-744: Computer Networking; QoS and Security; Overview; Motivation; Inelastic Applications; Why a New Service Model?; Utility Curve Shapes; Utility curve – Elastic traffic; Admission Control; Utility Curves – Inelastic traffic; Slide 11; Slide 12; Components of Integrated Services; 1. Type of commitment; Playback Applications; Characteristics of Playback Applications; Applications Variations; Slide 18; Type of Commitments; Slide 20; Scheduling for Guaranteed Traffic; Token Bucket Filter; Token Bucket Operation; Token Bucket Characteristics; Token Bucket Specs; Possible Token Bucket Uses; Guarantee Proven by Parekh; Predicted Service; Slide 29; Unified Scheduling; Service Interfaces; Slide 33; Slide 34; Role of RSVP; RSVP Goals; RSVP Service Model; PATH Messages; RESV Messages; PATH and RESV Messages; Routing Changes; Announcements; Slide 43; DiffServ; Basic Architecture; Per-hop Behaviors (PHBs); Slide 47; Expedited Forwarding PHB; Expedited Forwarding Traffic Flow; Assured Forwarding PHB; Red with In or Out (RIO); RIO Drop Probabilities; Edge Router Input Functionality; Traffic Conditioning; Output Forwarding; Router Output Processing; Edge Router Policing; Comparison; Slide 59; Basic IP; Denial of Service; Bandwidth DOS Attacks - Possible Solutions; Routing; Slide 64; ICMP; TCP; Sequence Number Guessing Attack; Slide 68; DNS; Slide 70; Bandwidth DOS Attacks; IP Traceback; Slide 73; Edge Sampling; Slide 75; Firewalls; Typical Firewall Topology; Types of Firewalls - Proxy; Types of Firewalls - Packet Filters; Types of Firewalls - Stateful Packet Filters; Slide 81; Trusted Intermediaries; Key Distribution Center (KDC); Slide 84; Kerberos; Slide 86; Slide 87; Certification Authorities; Slide 89; Certificate Contents; Secure Sockets Layer (SSL); SSL (continued); Slide 93

15-744: Computer Networking
L-10 QoS and Security

L -10; 12-3-04 © Srinivasan Seshan, 2004

Slide 2: QoS and Security
• Denial of service
• IntServ
• DiffServ
• Assigned reading
  • [SWKA00] Practical Network Support for IP Traceback
  • [MVS01] Inferring Internet Denial-of-Service Activity
  • [She95] Fundamental Design Issues for the Future Internet
  • [CSZ92] Supporting Real-Time Applications in an Integrated Services Packet Network: Architecture and Mechanisms
  • [CF98] Explicit Allocation of Best-Effort Packet Delivery Service

Slide 3: Overview
• Why QOS?
• Integrated services
• RSVP
• Differentiated services
• Security holes in IP stack
• Denial of service traceback
• Firewalls
• Authentication

Slide 4: Motivation
• Internet currently provides one single class of “best-effort” service
  • No assurances about delivery
• Existing applications are elastic
  • Tolerate delays and losses
  • Can adapt to congestion
• Future “real-time” applications may be inelastic

Slide 5: Inelastic Applications
• Continuous media applications
  • Lower and upper limit on acceptable performance.
  • BW below which video and audio are not intelligible
  • Internet telephones, teleconferencing with high delay (200 - 300ms) impair human interaction
• Hard real-time applications
  • Require hard limits on performance
  • E.g. control applications

Slide 6: Why a New Service Model?
• What is the basic objective of network design?
  • Maximize total bandwidth? Minimize latency?
  • Maximize user satisfaction – the total utility given to users
• What does utility vs. bandwidth look like?
  • Must be non-decreasing function
  • Shape depends on application

Slide 7: Utility Curve Shapes
[Figure: three plots of utility (U) against bandwidth (BW): Elastic, Hard real-time, Delay-adaptive]
Stay to the right and you are fine for all curves

Slide 8: Utility curve – Elastic traffic
[Figure: utility (U) against bandwidth, Elastic]
Does equal allocation of bandwidth maximize total utility?

Slide 9: Admission Control
• If U(bandwidth) is concave → elastic applications
  • Incremental utility is decreasing with increasing bandwidth
  • Is always advantageous to have more flows with lower bandwidth
• No need of admission control; This is why the Internet works!
[Figure: utility (U) against bandwidth (BW), Elastic]

Slide 10: Utility Curves – Inelastic traffic
[Figure: two plots of utility (U) against bandwidth (BW): Hard real-time, Delay-adaptive]
Does equal allocation of bandwidth maximize total utility?

Slide 11: Admission Control
• If U is convex → inelastic applications
  • U(number of flows) is no longer monotonically increasing
  • Need admission control to maximize total utility
• Admission control → deciding when the addition of new people would result in reduction of utility
  • Basically avoids overload
[Figure: utility (U) against bandwidth (BW), Delay-adaptive]

Slide 12: Overview
• Why QOS?
• Integrated services
• RSVP
• Differentiated services
• Security holes in IP stack
• Denial of service traceback
• Firewalls
• Authentication

Slide 13: Components of Integrated Services
1. Type of commitment
   What does the network promise?
2. Packet scheduling
   How does the network meet promises?
3. Service interface
   How does the application describe what it wants?
4. Establishing the guarantee
   How is the promise communicated to/from the network?
   How is admission of new applications controlled?

Slide 14: 1. Type of commitment
What kind of promises/services should network offer?
Depends on the characteristics of the applications that will use the network ….

Slide 15: Playback Applications
• Sample signal → packetize → transmit → buffer → playback
  • Fits most multimedia applications
• Performance concern:
  • Jitter – variation in end-to-end delay
  • Delay = fixed + variable = (propagation + packetization) + queuing
• Solution:
  • Playback point – delay introduced by buffer to hide network jitter

Slide 16: Characteristics of Playback Applications
• In general lower delay is preferable.
• Doesn’t matter when packet arrives as long as it is before playback point
• Network guarantees (e.g. bound on jitter) would make it easier to set playback point
• Applications can tolerate some loss

Slide 17: Applications Variations
• Rigid & adaptive applications
  • Rigid – set fixed playback point
  • Adaptive – adapt playback point
    • Gamble that network conditions will be the same as in the past
    • Are prepared to deal with errors in their estimate
    • Will have an earlier playback point than rigid applications
• Tolerant & intolerant applications
  • Tolerance to brief interruptions in service
• 4 combinations
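
The admission-control argument from the two Admission Control slides above, worked numerically as an added example (not part of the original lecture): n flows share a link equally and total utility is n·U(C/n). The link capacity and the three utility functions are assumed shapes chosen to match the slides' curve names, and the function names are hypothetical.

```python
import math

CAPACITY = 10.0  # link capacity in Mb/s (constructed value)

def u_elastic(bw):
    """Concave utility: each extra unit of bandwidth helps less (assumed shape)."""
    return 1.0 - math.exp(-bw)

def u_hard_real_time(bw, need=1.0):
    """Step utility: worthless below the required rate (assumed 1 Mb/s)."""
    return 1.0 if bw >= need else 0.0

def u_delay_adaptive(bw, need=1.0, steep=6.0):
    """S-shaped utility: convex below `need`, flattening above (assumed logistic)."""
    return 1.0 / (1.0 + math.exp(-steep * (bw - need)))

def total_utility(utility, n_flows, capacity=CAPACITY):
    """Total utility when n_flows share the link equally."""
    return n_flows * utility(capacity / n_flows)

def best_flow_count(utility, max_flows=50, capacity=CAPACITY):
    """Flow count that maximises total utility, searched up to max_flows."""
    return max(range(1, max_flows + 1),
               key=lambda n: total_utility(utility, n, capacity))

def admit(utility, current_flows, capacity=CAPACITY):
    """Admission test: accept a new flow only if total utility does not drop."""
    if current_flows == 0:
        return True
    before = total_utility(utility, current_flows, capacity)
    after = total_utility(utility, current_flows + 1, capacity)
    return after >= before

if __name__ == "__main__":
    curves = [("elastic", u_elastic),
              ("hard real-time", u_hard_real_time),
              ("delay-adaptive", u_delay_adaptive)]
    for name, u in curves:
        row = " ".join(f"{total_utility(u, n):5.2f}" for n in (4, 8, 10, 11, 20))
        print(f"{name:15s} V(4,8,10,11,20) = {row}   best n = {best_flow_count(u)}")
```

For the concave curve the best flow count is always the search limit, so no flow is ever refused; for the other two curves the total peaks at a finite n and `admit` starts returning False beyond it.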

