15-441 Computer Networking
Other Transport Issues, Attacks and Security Threats, Firewalls
Lecture #17: 11-01-01

TCP Overview Revisited
• TCP modern loss recovery
• TCP options
• TCP interactions
• TCP modeling
• Workload changes
• TCP & routers
• TCP header compression

Queuing Disciplines
• Each router must implement some queuing discipline
• Queuing allocates both bandwidth and buffer space:
  • Bandwidth: which packet to serve (transmit) next
  • Buffer space: which packet to drop next (when required)
• Queuing also affects latency

Packet Drop Dimensions
• Aggregation: per-connection state / single class / class-based queuing
• Drop position: head / tail / random location
• Early drop / overflow drop

Typical Internet Queuing
• FIFO + drop-tail
  • Simplest choice
  • Used widely in the Internet
• FIFO (first-in-first-out)
  • Implies single class of traffic
• Drop-tail
  • Arriving packets get dropped when queue is full regardless of flow or importance
• Important distinction:
  • FIFO: scheduling discipline
  • Drop-tail: drop policy

FIFO + Drop-tail Problems
• Leaves responsibility of congestion control to edges (e.g., TCP)
• Does not separate between different flows
• No policing: send more packets, get more service
• Synchronization: end hosts react to same events

Active Queue Management
• Design active router queue management to aid congestion control
• Why?
  • Router has unified view of queuing behavior
  • Routers can distinguish between propagation and persistent queuing delays
  • Routers can decide on transient congestion, based on workload

Internet Problems
• Full queues
  • Routers are forced to have large queues to maintain high utilizations
  • TCP detects congestion from loss
  • Forces network to have long-standing queues in steady state
• Lock-out problem
  • Drop-tail routers treat bursty traffic poorly
  • Traffic gets synchronized easily, which allows a few flows to monopolize the queue space

Design Objectives
• Keep throughput high and delay low
• Accommodate bursts
• Queue size should reflect ability to accept bursts rather than steady-state queuing
• Improve TCP performance with minimal hardware changes

Lock-out Problem
• Random drop
  • Packet arriving when queue is full causes some random packet to be dropped
• Drop front
  • On full queue, drop packet at head of queue
• Random drop and drop front solve the lock-out problem but not the full-queues problem

Full Queues Problem
• Drop packets before queue becomes full (early drop)
• Intuition: notify senders of incipient congestion
• Example: early random drop (ERD):
  • If qlen > drop level, drop each new packet with fixed probability p
  • Does not control misbehaving users

Random Early Detection (RED)
• Detect incipient congestion, allow bursts
• Keep power (throughput/delay) high
  • Keep average queue size low
  • Assume hosts respond to lost packets
• Avoid window synchronization
  • Randomly mark packets
• Avoid bias against bursty traffic
• Some protection against ill-behaved users

RED Algorithm
• Maintain running average of queue length
• If avg < minth do nothing
  • Low queuing, send packets through
• If avg > maxth, drop packet
  • Protection from misbehaving sources
• Else mark packet in a manner proportional to queue length
  • Notify sources of incipient congestion

RED Operation
[Figure: P(drop) plotted against average queue length, with the min thresh (minth), max thresh (maxth), maxP and 1.0 marked]

Explicit Congestion Notification (ECN)
• The goal is to provide explicit congestion notification to senders.
  • Complements the implicit feedback through packet drops
• Bits 6-7 of the TOS byte form the ECN field.
  • The ECN-Capable Transport (ECT) bit is set by the sender to indicate that the end-points are ECN-capable
  • The Congestion Experienced (CE) bit is set by the router to signal congestion
• The ECN is received by the receiver, who is responsible for forwarding the information to the sender
[Figure: IP header (V/HL, TOS, Length, ID, Flags/Offset, TTL, Prot., H. Checksum, Source IP address, Destination IP address, Options), with the TOS byte broken out into DSCP and ECT/CE]

ECN in TCP
• Receiver signals congestion to the sender by setting the ECN-Echo flag in the TCP header.
  • Bit 9 in the reserved field of the TCP header
  • Handles asymmetric routes
• ECN-Echo flag also used to negotiate ECN use
[Figure: TCP header (Source Port, Dest. Port, Sequence Number, Acknowledgment, HL/Flags, Window, D. Checksum, Urgent Pointer, Options) stacked on the IP header, with HL/Flags broken out into HL, ECE/CWR and Flags]

Use of ECN with TCP
• The TCP sender should respond to ECN feedback as if a single packet loss occurred.
  • Reduce the congestion window size
  • Send “Congestion Window Reduced” flag (Bit 8) to ack
    • So the receiver knows to stop setting the ECE bit
• ECN and RED can leverage each other.
  • The router should set the CE bit if it would otherwise have dropped the packet (for a non-ECN enabled flow)
  • When RED is used, this happens before the queues fill up, so ECN and RED combined can result in congestion notification without packet loss
• Deployment seems quite practical.
  • Can be introduced one router at a time
  • Strong incentive for end-points to adopt ECN

Attacks and Security Threats
• Packet Sniffing
• IP Spoofing
• TCP Connection Spoofing
• Denial of Service

Packet Sniffing
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g.: C sniffs B’s packets
• many protocols (ftp, telnet) send passwords
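The RED rule from the RED Algorithm and RED Operation slides above, as an added example that is not part of the lecture: a running average of queue length, no drops below minth, a drop (or mark) probability rising to maxP at maxth, and certain drops above it. The queue class, the burst workload and the threshold values are constructed for illustration; setting max_p to 0 with thresholds above the buffer size turns the same queue into plain drop-tail for comparison.

```python
import random

# Added example, not the lecture's own code: the RED rule from the "RED Algorithm"
# slide (running average queue length, min_th / max_th, max_p) run over a
# constructed burst workload; max_p = 0 turns the same queue into drop-tail.

def red_average(avg, qlen, w):
    """Exponentially weighted running average of the instantaneous queue length."""
    return (1.0 - w) * avg + w * qlen

def red_drop_probability(avg, min_th, max_th, max_p):
    """0 below min_th, rising linearly to max_p at max_th, 1.0 at or above max_th."""
    if avg < min_th:
        return 0.0
    if avg >= max_th:
        return 1.0
    return max_p * (avg - min_th) / (max_th - min_th)

class RedQueue:
    def __init__(self, capacity, min_th, max_th, max_p, w=0.2, seed=7):
        self.capacity, self.min_th, self.max_th, self.max_p, self.w = capacity, min_th, max_th, max_p, w
        self.avg, self.queue, self.rng = 0.0, [], random.Random(seed)
        self.early_drops = self.overflow_drops = 0

    def arrive(self, pkt):
        """Returns True if the packet was queued, False if RED or overflow dropped it."""
        self.avg = red_average(self.avg, len(self.queue), self.w)
        p = red_drop_probability(self.avg, self.min_th, self.max_th, self.max_p)
        if self.rng.random() < p:
            self.early_drops += 1       # early drop (or ECN mark): incipient congestion
            return False
        if len(self.queue) >= self.capacity:
            self.overflow_drops += 1    # buffer physically full: plain drop-tail behaviour
            return False
        self.queue.append(pkt)
        return True

    def serve(self):
        return self.queue.pop(0) if self.queue else None

def simulate(arrivals_per_tick, ticks, **params):
    """Constructed workload: a burst of arrivals each tick, then one departure.
    Returns (early_drops, overflow_drops, served, left_in_queue)."""
    q, served = RedQueue(**params), 0
    for t in range(ticks):
        for i in range(arrivals_per_tick):
            q.arrive((t, i))
        served += q.serve() is not None
    return q.early_drops, q.overflow_drops, served, len(q.queue)
```

With the drop-tail settings every drop is an overflow drop taken from a full buffer; with RED settings some arrivals are dropped early while the buffer still has room, which is the signal the slides want senders to see before standing queues build up.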
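The ECN exchange from the three ECN slides above, as an added example that is not part of the lecture: the router sets CE instead of dropping when the flow carries ECT, the receiver echoes ECE in its ACKs, and the sender halves its window as for a single loss and answers with CWR so the receiver stops echoing. The bit values are derived from the positions the slides give (TOS bits 6-7, TCP flags bits 8-9, bit 0 most significant); the class names, the one-segment-per-round model and the initial window of 16 are assumptions made here.

```python
# Added example, not the lecture's own code: the ECN bits named on the slides (ECT/CE
# in bits 6-7 of the IP TOS byte, ECE = bit 9 and CWR = bit 8 of the TCP flags word,
# bit 0 being the most significant) and the router/receiver/sender exchange they drive.

ECT = 0x02   # IP TOS bit 6: ECN-Capable Transport, set by the sender
CE = 0x01    # IP TOS bit 7: Congestion Experienced, set by the router
ECE = 0x40   # TCP flags bit 9: ECN-Echo, set by the receiver in its ACKs
CWR = 0x80   # TCP flags bit 8: Congestion Window Reduced, set by the sender

def router_forward(tos, would_drop):
    """Where the router would have dropped (e.g. a RED early drop), mark instead. Returns (tos, dropped)."""
    if would_drop and not tos & ECT:
        return tos, True                                   # non-ECN flow: the drop is the only signal
    return (tos | CE if would_drop else tos), False        # ECN-capable flow: set CE, keep the packet

class EcnReceiver:   # keeps echoing ECE in its ACKs until the sender's CWR says it has reacted
    def __init__(self):
        self.echo = False
    def on_data(self, tos, tcp_flags):
        if tcp_flags & CWR:
            self.echo = False         # sender reduced its window: stop echoing
        if tos & CE:
            self.echo = True          # congestion experienced on the path
        return ECE if self.echo else 0   # flags carried in the ACK

class EcnSender:   # treats ECE like a single loss: halve cwnd once, then announce it with CWR
    def __init__(self, cwnd=16):
        self.cwnd, self.pending_cwr = cwnd, False
    def on_ack(self, ack_flags):
        if ack_flags & ECE and not self.pending_cwr:
            self.cwnd = max(1, self.cwnd // 2)
            self.pending_cwr = True
    def next_data_flags(self):
        flags = CWR if self.pending_cwr else 0
        self.pending_cwr = False
        return flags

def run_exchange(congested, ecn_capable=True):
    """congested[i]: would the router have dropped round i's segment? Returns (cwnd per round, drops)."""
    tx, rx, trace, drops = EcnSender(), EcnReceiver(), [], 0
    for would_drop in congested:
        flags = tx.next_data_flags()
        tos, dropped = router_forward(ECT if ecn_capable else 0, would_drop)
        if dropped:
            drops += 1                # segment lost: no ACK, no ECN feedback this round
        else:
            tx.on_ack(rx.on_data(tos, flags))
        trace.append(tx.cwnd)
    return trace, drops
```

Running the same congestion pattern with ecn_capable=False shows the contrast the slides draw: the non-ECN flow loses the packets the router would have marked, while the ECN-capable flow backs off without a single loss.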