IT Architecture and Security

Presentation transcript:

1 IT Architecture and Security
Introduction: Basic Networking

2 Agenda Who am I? What is the course about? Who are you?
Walk-through of the format for lectures, exercises, homework etc. Overview of the content of the individual lectures. Books, compendium etc. Start on the material.

3 Who am I? Michael Strand, affiliated with ITU as an external lecturer
Employed at Netcompany A/S. Has been in the IT industry since 1989: DTU 1989 to 1992 (research staff), NESA 1992 to 1995 (developer), HP Danmark 1995 to 2002 (solution architect), PFA Pension 2003 to 2004 (department head, chief architect), HP Danmark 2004 to 2005 (senior solution architect), Netcompany A/S from 2006 (manager). Focus is on Java and .Net system development and integration, plus identification systems. Has worked for many years as chief architect on large, complex projects at Sonofon, PFA and SKAT. Almost always works in mixed environments with different platforms, technologies etc.

4 Who am I? Personally I am very solution-oriented. That means I am flexible about technology (not religious) as long as the problem gets solved the right way. I have realised that I do not know everything about everything, so I gladly ally myself with those who know what I do not. That is also what I focus on when you solve assignments. The result, and the methods you use to reach it, matter more than spelling mistakes, layout, correct source references etc.

5 What is the course about? This is the fourth time the course runs, and the first time (as far as I know) that IT Architecture and Security have been combined in one course. It is the first time I run it. The course is a JOINT project. You VERY much help shape the course. Your input, all the way through, is crucial for getting the best possible course. Roughly speaking, though, the course is about two things: IT Architecture and IT Security.

6 IT Architecture A VERY broad discipline.
We take a broad view and look at everything from network architecture to application architecture to enterprise architecture. The aim is that you, as IT managers, get an overview of most of what your employees talk about, whether they are network people, application developers or consultants who come in, use a lot of jargon and write long reports. The course is not deeply technical.

7 IT Security A narrower discipline.
The aim here is that you understand what you are up against. What is the threat landscape? How does hacking work? How do you protect yourself? What does the law say? What is a security policy, etc. After the course you will be able to evaluate relevant security technologies and discuss security at an overall level.

8 Who are you? Tell us briefly who you are and where you come from.
What you basically hope to get out of this course. 15-30 seconds in total per person.

9 Lectures Walk-through of selected topics from the syllabus.
Does not assume you have read in advance. Every Thursday from 17:00 to about 19:00 (anywhere between 1½ and 3 hours). Week 42 is the autumn break. 3 (maybe 4) external lecturers have been invited. No requirement to attend, but it is probably a good idea with the exam in mind. Interactive: ask questions as soon as you have them. If I feel there are too many, or that we are going off on a tangent, I will say so. Breaks as needed. The presentation (PowerPoint, PDF and ODF) is put on the course website 2 days before the lecture. The presentation is an outline for me, so you should not necessarily expect to understand it without having attended the lecture.

10 Group exercises Group exercises of a somewhat harder character that relate to the lecture content. You form groups yourselves, preferably 2 or more per group. Every Thursday after the lecture, from about 19:00 to 21:00. I am present to help you. Group exercises are not answered.

11 Homework and reading
Again voluntary; a service we offer. Still a good idea to do, for understanding the most important parts of the syllabus. Some will feel the syllabus is trivial, others quite the opposite. The syllabus is the syllabus, though, and you are expected to have read it by the exam. There is a fairly large syllabus. I do not expect you to know it by heart, but an overall understanding is very important. You may bring books to the exam.

12 Homework and reading
Since the course is fully booked (60 students), homework must be handed in no later than Saturday evening after a teaching session to be marked for the next session. If you send it later than Saturday, it will be collected and marked for the session after that (i.e. 2 weeks later). I will mark whatever comes in!

13 Exam Written, with all aids allowed.
Questions will be about understanding concepts and the big picture rather than lots of detailed questions on the syllabus. Show me what you can do and understand, not what you can learn by heart.

14 Books There are two books and a compendium. They can all be bought in the bookshop (Bogladen).
We have two books that we use a lot in the course and that are good to keep as reference books afterwards. The compendium is put together specifically for the course. As the course progresses, links to further articles will also be posted on the course website; they supplement the formal material. Unfortunately I know nothing about the prices.

15 Lecture plan L1 Basic Networking, L2 Basic Computers
L3 Introduction to IT Architecture, L4 Introduction to Enterprise Architecture, L5 IT Architecture Patterns, L6 Encryption & practice exam, L7 Network and application security, L8 Security policy and law, BCP/DCP, L9 Mobile security and VPN, L10 Hacking, L11 Risk assessment, L12 Wrap-up. For details, see the website.

16 And now we really get started…

17 So: a basic introduction to networks with a focus on TCP/IP.
Today we will cover: Introduction; Protocols and OSI; Internet Protocol (IP); IP addresses; Domain Name System (DNS); Routing protocols (RIP, OSPF, BGP); Transport protocols (TCP, UDP).

18 Networks A network is by definition a hierarchical system of boxes and cables organised in geographical proximity to one another. A LAN (Local Area Network) is limited to a building or a small area (example: Ethernet). A WAN (Wide-Area Network) can be almost arbitrarily large and spread across large parts of a country or several countries (example: telecommunications networks). An internetwork (internet) is a set of interconnected networks.

19 LAN Ethernet Typically a dedicated cable connects each system to a hub or switch, which is in turn uplinked to a router. 10 Mbps, 100 Mbps, Gigabit Ethernet.
Mbps stands for millions of bits per second or megabits per second and is a measure of bandwidth (the total information flow over a given time) on a telecommunications medium. The name 10BASE-T is derived from several aspects of the physical medium. The 10 refers to the transmission speed of 10 megabits per second (Mb/s). BASE is short for baseband. The T comes from twisted pair, which is the type of cable that is used. Contrary to popular belief, the 802.3i 10BASE-T specification does not indicate a maximum length. 100BASE-T is any of several Fast Ethernet 100 Mbit/s standards for twisted-pair cables, including 100BASE-TX (100 Mbit/s over two-pair Cat5 or better cable), 100BASE-T4 (100 Mbit/s over four-pair Cat3 or better cable, defunct) and 100BASE-T2 (100 Mbit/s over two-pair Cat3 or better cable, also defunct). The segment length for a 100BASE-T cable is limited to 100 metres (328 ft), as with 10BASE-T and gigabit Ethernet. All are or were standards under IEEE (approved 1995). Gigabit Ethernet, a transmission technology based on the Ethernet frame format and protocol used in local area networks (LANs), provides a data rate of 1 billion bits per second (one gigabit). Gigabit Ethernet is defined in the IEEE standard and is currently used as the backbone in many enterprise networks. Gigabit Ethernet is carried primarily on optical fibre (with very short distances possible on copper media). Existing Ethernet LANs with 10 and 100 Mbps cards can feed into a Gigabit Ethernet backbone. An alternative technology that competes with Gigabit Ethernet is ATM. A newer standard, 10-Gigabit Ethernet, is also becoming available.

20 LAN components Hub: network component that receives data packets from one or more sources and forwards (repeats) them to all other destinations. Switch: network component that receives data packets from one or more sources and forwards them only to the desired destination. Bridge: network component that connects one LAN to another LAN. Computers, printers, network cables.
HUB. An Ethernet hub or concentrator is a device for connecting multiple twisted-pair or fibre-optic Ethernet devices together, making them act as a single segment. Hubs work at the physical layer (layer 1) of the OSI model. The device is thus a form of multiport repeater. Ethernet hubs are also responsible for forwarding a jam signal to all ports if they detect a collision. SWITCH. A network switch (or just switch) is a networking device that performs transparent bridging (connection of multiple network segments with forwarding based on MAC addresses) at up to the speed of the hardware. Common hardware includes switches which can connect at 10, 100 or 1000 megabits per second, at half or full duplex. Half duplex means that the device can only send or receive at any given time, whereas full duplex can send and receive at the same time. HUB vs. SWITCH. A HUB, or repeater, is a fairly unsophisticated broadcast device. Hubs do not manage any of the traffic that comes through them, and any packet entering any port is broadcast out on every other port (every port other than the port of entry). Since every packet is sent out through every other port, packet collisions result, which greatly impedes the smooth flow of traffic. A SWITCH isolates ports, meaning that every received packet is sent out only to the port on which the target may be found (assuming the proper port can be found; if not, the switch broadcasts the packet to all ports except the port from which the request originated). Since the switch intelligently sends packets where they need to go, the performance of the network can be greatly increased. BRIDGE. A network bridge connects multiple network segments at the data link layer (layer 2) of the OSI model. Bridges are similar to repeaters or network hubs, devices that connect network segments at the physical layer; however, a bridge works by using bridging, where traffic from one network is managed rather than simply rebroadcast to adjacent network segments. Since bridging takes place at the data link layer of the OSI model, a bridge processes the information in each frame of data it receives. In an Ethernet frame, this provides the MAC address of the frame's source and destination. Bridges use two methods to resolve the network segment that a MAC address belongs to
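The hub-versus-switch behaviour described above, as an added simulation that is not part of the lecture material: a hub repeats every frame out of every other port, while a learning switch records which port each source MAC address was seen on and forwards a known unicast destination to that one port only, flooding like a hub while the destination is still unknown or is the broadcast address. The MAC addresses, port numbers and traffic are constructed for illustration.

```python
# Added example: hub vs. learning switch (transparent bridge) forwarding.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address
    payload: str = ""


class Hub:
    """Layer-1 repeater: every frame goes out on every port but the ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, frame, in_port):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Layer-2 bridge: learns source MACs, forwards by destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port where it was last seen

    def forward(self, frame, in_port):
        # Learning: the source address lives behind the port the frame came in on.
        # (A defender's note: this table is built purely from what is observed,
        # so a bridge trusts whatever source address a frame claims.)
        self.mac_table[frame.src] = in_port
        out = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and out is not None:
            # Known unicast destination: one port only. If it sits on the
            # ingress port the frame stays on its own segment (filtered).
            return [] if out == in_port else [out]
        # Unknown destination or broadcast: flood like a hub would.
        return [p for p in self.ports if p != in_port]


def demo():
    """Same three constructed frames through a hub and a switch; returns egress ports."""
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    traffic = [  # (ingress port, frame)
        (1, Frame(src=a, dst=b)),  # A -> B: switch has not seen B yet, floods
        (2, Frame(src=b, dst=a)),  # B -> A: switch already knows A is on port 1
        (1, Frame(src=a, dst=b)),  # A -> B: switch now knows B is on port 2
    ]
    hub, sw = Hub([1, 2, 3]), LearningSwitch([1, 2, 3])
    hub_out = [hub.forward(f, p) for p, f in traffic]
    sw_out = [sw.forward(f, p) for p, f in traffic]
    return hub_out, sw_out


if __name__ == "__main__":
    print(demo())
```

Port 3 never receives the unicast traffic once the switch has learned both addresses, which is exactly the isolation the slide credits switches with.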

21 Internetwork/WAN components
Router: network component that connects two or more networks and decides where data packets should be sent so that they reach their destination most easily and quickly. Telephone lines, satellite links, ..
A router is a computer networking device that forwards data packets across a network toward their destinations, through a process known as routing. Routing occurs at layer 3 (the network layer, i.e. Internet Protocol (IP)) of the OSI seven-layer protocol stack. So, for example, a router at home connects the Internet service provider's (ISP) network (usually on an Internet address) with the LAN in the home (typically using a range of private IP addresses, see network address translation (NAT)) and a single broadcast domain. The switch connects devices together to form the LAN. Sometimes the switch and the router are combined in one package sold as a multiple-port router. In order to route packets, a router communicates with other routers using routing protocols and uses this information to create and maintain a routing table. The routing table stores the best routes to certain network destinations, the "routing metrics" associated with those routes, and the path to the next-hop router. Bridging and routing are both ways of performing data control, but work through different methods. Bridging takes place at OSI layer 2 (data link layer) while routing takes place at OSI layer 3 (network layer). This difference means that a bridge directs frames according to hardware-assigned MAC addresses while a router makes its decisions according to arbitrarily assigned IP addresses. As a result, bridges are not concerned with and are unable to distinguish networks, while routers can.

22 Home network example
Typical components of a home network: ADSL or cable modem, router (firewall/NAT), Ethernet, wireless access point, wireless laptop.
In computer networking, the process of network address translation (NAT, also known as network masquerading, native address translation or IP masquerading) involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address (see gateway). According to the specifications, routers should not act in this way, but many network administrators find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts.
[Diagram: to/from the antenna socket, cable modem, router, wireless access point, Ethernet]

23 Structure of the Internet
Close to hierarchical. At the centre: "Tier-1" ISPs (e.g. UUNet, BBN/Genuity, Colt, AT&T). Tier-1 ISPs interconnect with each other. Tier-1 ISPs are also connected at so-called Network Access Points (NAPs).
A Tier 1 network is an IP network (typically but not necessarily an Internet service provider) which connects to the entire Internet solely via settlement-free interconnection, commonly known as peering. There are many reasons why networking professionals use the "tier hierarchy" to describe networks, but the most important one is a better understanding of a particular network's political and economic motivations in relation to how and with whom it peers. Examples: AT&T (AS7018), Global Crossing (GX) (AS3549), Level 3 (AS3356), Verizon Business (formerly UUNET) (AS701), NTT Communications (formerly Verio) (AS2914), Qwest (AS209), SAVVIS (AS3561), Sprint Nextel Corporation (AS1239). The original Internet backbone was the ARPANET. It was replaced in 1989 by the NSFNet backbone, which was similar to a Tier 1 backbone. The four Network Access Points (NAPs) were defined under the U.S. National Information Infrastructure (NII) document as transitional data communications facilities at which Network Service Providers (NSPs) would exchange traffic. Now history.

24 Tier-1 ISP example

25 Structure of the Internet
"Tier-2" ISPs: smaller (typically regional/national) ISPs. They typically connect to one or more Tier-1 ISPs, and sometimes to other Tier-2 ISPs. Examples: TDC, Telia. Tier-2 ISPs also often connect with each other (UNI-C and TDC). A Tier-2 ISP typically pays Tier-1 ISPs for connectivity to the Internet.
A Tier 2 network is an Internet service provider who engages in the practice of peering with other networks, but who still purchases IP transit to reach some portion of the Internet. Tier 2 providers are the most common providers on the Internet, as it is much easier to purchase transit from a Tier 1 network than it is to peer with them and then attempt to push into becoming a Tier 1 carrier. IP transit is a form by which wholesale Internet bandwidth is sold to Internet service providers (ISPs) and content providers. Pricing is typically offered on a per megabit per second per month basis (Mbit/s/month) and requires the purchaser to commit to a minimum volume of bandwidth. Pricing for the bandwidth can be reduced significantly by purchasing larger volumes or extending the contract term. Modern IP transit agreements typically provide service level guarantees to almost all of the major Internet exchange points within a continental geography such as North America. These service level agreements still provide only best-effort delivery, since they do not guarantee service from the Internet exchange point to the final destination.

26 Structure of the Internet
"Tier-3" ISPs and local ISPs: typically act as the final hop for access to the Internet. Examples are Cybercity, Tele2 etc. Local and Tier-3 ISPs are typically customers of ISPs higher up in the hierarchy.
The term Tier 3 is sometimes also used to describe networks which solely purchase IP transit from other networks (typically Tier 1 or Tier 2 networks) to reach the Internet.

27 Structure of the Internet
[Diagram: local ISPs connect to Tier-3 and Tier-2 ISPs, which in turn connect to Tier-1 ISPs and NAPs]

28 Protocols How different nodes and networks talk to each other.
Protocols exist to create order out of chaos.

29 Example: a flight from Copenhagen to New York
Copenhagen side: ticket (purchase), baggage (check-in), gate (boarding), runway take-off, flight route info (out). New York side: ticket (complaints), baggage (belt), gate (disembarking), runway landing, flight route info (in). In between, the aircraft follows international routing from Copenhagen to New York. A series of well-defined steps: each layer provides a service, and offers its own service to the layer above through well-defined interfaces.

30 Why split everything into layers?
Smart when dealing with complex systems: it makes it easy to identify and understand the individual parts of a complex system instead of the whole at once. When things are broken down into modules it is easy to make small changes in a module without affecting the big picture. For example, we do not care what is inside the boxes as long as the service to the layers above and below is consistent. Changing the gate from A7 to B5, say, does not change much about the flight as a whole, and in particular not the flow described on the previous slide, as long as the passenger can still board.

31 Internet protocol stack Application: supports network applications (FTP, SMTP, HTTP). Transport: host-to-host data transport (TCP, UDP). Internet: routing of data from source to destination (IP, routing protocols, ICMP, IGMP, ARP). Link: data transport (PPP, Ethernet). Physical: bits "on the wire".
Application layer: DHCP, DNS, FTP, HTTP, IMAP4, IRC, MIME, POP3, SIP, SMTP, SNMP, SSH, TELNET, BGP, RPC, RTP, RTCP, TLS/SSL, SDP, SOAP, L2TP, PPTP. Transport layer: TCP, UDP. Internet layer: IP (IPv4, IPv6), ARP, RARP, ICMP, IGMP, RSVP, IPsec. Link layer: ATM, DTM, Ethernet, FDDI, Frame Relay, GPRS, PPP.
Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its network-layer address is known. Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached. ICMP differs in purpose from TCP and UDP in that it is usually not used directly by user network applications. One exception is the ping tool, which sends ICMP Echo Request messages (and receives Echo Response messages) to determine whether a host is reachable and how long packets take to get to and from that host. The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships.

32 Protocol layers and data flows
Each layer receives data from the layer above, adds its own header information to form a new packet, and passes the data to the layer below.

33 The OSI model The Open Systems Interconnection (OSI) reference model was developed by the International Organization for Standardization (ISO). 7 layers vs. the 4 layers of TCP/IP. Everyone refers to OSI and you must know it, but in practice, when you write programs or work with networks day to day, it is the TCP/IP model that applies. The problem: TCP/IP was already widespread and mature, and the OSI model is needlessly complex, with a couple of layers too many.
In the 1980s, the European-dominated International Organization for Standardization (ISO) began to develop its Open Systems Interconnection (OSI) networking suite. OSI has two major components: an abstract model of networking (the Basic Reference Model, or seven-layer model) and a set of concrete protocols. The seven-layer model is sometimes humorously extended to refer to non-technical issues or problems. A common joke is the 10-layer model, with layers 8, 9 and 10 being the "user", "financial" and "political" layers, or the "money", "politics" and "religion" layers. The OSI model has also been jokingly called the "Taco Bell model", since the restaurant chain is known for its seven-layer burrito.

34 OSI protocol stack Layers: application, presentation, session, transport, network, link, physical.
Application: gives users and information services access; X.500 (directory), X.400 ( ), etc. Presentation: makes applications independent of how data is represented; ASN.1 (abstract syntax notation). Session: provides a control structure for communication between applications by establishing, managing and closing sessions (SSL). Transport, network, link, physical: the same as in the Internet model.
The Application layer provides a means for the user to access information on the network through an application. This layer is the main interface for the user(s) to interact with the application and therefore the network. Some examples of application-layer protocols include Telnet, applications which use File Transfer Protocol (FTP), applications which use Simple Mail Transfer Protocol (SMTP) and applications which use Hypertext Transfer Protocol (HTTP). Applications built to utilise a protocol, such as FTP, should not be confused with the protocols themselves, which often reside at the session layer. The Presentation layer transforms data to provide a standard interface for the Application layer. MIME encoding, data compression, data encryption and similar manipulation of the presentation is done at this layer to present the data as a service or protocol developer sees fit. Examples: converting an EBCDIC-coded text file to an ASCII-coded file, or serialising objects and other data structures into and out of, e.g., XML. The Session layer controls the dialogues (sessions) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for either full-duplex or half-duplex operation and establishes checkpointing, adjournment, termination and restart procedures. The OSI model made this layer responsible for "graceful close" of sessions, which is a property of TCP, and also for session checkpointing and recovery, which is not usually used in the Internet protocol suite.

35 TCP/IP and OSI

36 Internet Protocol (IP)
Layer 3 (OSI) protocol that forwards datagrams on the Internet. Uses routing tables prepared by routing protocols such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP). Connectionless vs. connection-oriented (circuit).
IP is a connectionless protocol, which means that IP does not exchange control information (called a handshake) to establish an end-to-end connection before transmitting data. In contrast, a connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. When the handshake is successful, the computers are said to have established a connection. IP relies on protocols in other layers to establish the connection if connection-oriented services are required. IP also relies on protocols in another layer to provide error detection and error recovery. Because it contains no error detection or recovery code, IP is sometimes called an unreliable protocol. The functions performed at this layer are as follows: define the datagram, which is the basic unit of transmission in the Internet; define the Internet addressing scheme; move data between the Network Access Layer and the Host-to-Host Transport Layer; route datagrams to remote hosts; fragment and reassemble datagrams. Each type of network has a maximum transmission unit (MTU), which is the largest packet it can transfer. If the datagram received from one network is longer than the other network's MTU, it is necessary to divide the datagram into smaller fragments for transmission. This division process is called fragmentation. The Internet de facto standard MTU is 576 octets (eight-bit bytes), but ISPs often suggest using 1500 octets (eight-bit bytes).

37 IP datagram Protocol: TCP, UDP etc. Version: IPv4 or IPv6.
Time To Live (TTL). An 8-bit time-to-live (TTL) field helps prevent datagrams from persisting (e.g. going in circles) on an internetwork. Historically the TTL field limited a datagram's lifetime in seconds, but it has come to be a hop-count field. Each packet switch (or router) that a datagram crosses decrements the TTL field by one. When the TTL field hits zero, the packet is no longer forwarded by a packet switch and is discarded. The biggest problem in IPv4 is the lack of a big enough address field, 32 bits, and its capacity was not used very efficiently. IPv6, by contrast, can support at least 10^12 nodes and 10^9 networks. The routing algorithm has no knowledge of how the network has been built, can support all of IPv4's routing algorithms, and also supports a much larger number of hops than IPv4 (limit of 256). IPv6 can handle networks of different speeds, from extra-low-frequency networks to very high speeds of 500 Gbit/s. IPv6 provides a security layer that places "options" in separate extension headers, while IPv4 does not. The extension headers can be of arbitrary length and there is no limit to the number of options that can be carried. IPv6 has an anycast address that allows nodes to control the path along which their traffic flows; IPv4 does not. IPv6 headers are extensible; the options in IPv4 are not efficient to decode. IPv6 connects to the global Internet using a combination of its global prefixes (see details in IPv6 Addressing), while IPv4 must be renumbered manually to connect to the Internet. IPv6 renumbers automatically. IPv6 in 2025??
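The datagram fields discussed on slides 32 and 37 (version, TTL, protocol, addresses, and a transport payload encapsulated behind the IP header), as an added example that is not part of the lecture material: the 20-byte IPv4 header is built and parsed with Python's struct module, including the one's-complement header checksum that every router recomputes after decrementing TTL. The addresses and payload are constructed for illustration.

```python
# Added example: build, parse and verify an IPv4 datagram header.
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"  # 20 bytes, no options
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Encapsulate a transport-layer payload: prepend the IP header (slide 32)."""
    ver_ihl = (4 << 4) | 5        # version 4, header length 5 words = 20 bytes
    flags_frag = 0x4000           # DF (don't fragment) set, fragment offset 0
    hdr = struct.pack(IPV4_HEADER, ver_ihl, 0, 20 + len(payload), 0, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # Checksum is computed with its own field zeroed, then written in place.
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_datagram(packet: bytes) -> dict:
    """Decode the header; raises ValueError on bad version, length or checksum."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    fields = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = fields[0] >> 4, fields[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(packet):
        raise ValueError("bad header length")
    # A header whose checksum field is intact sums (one's complement) to zero.
    # Note this only catches accidental corruption: whoever rewrites the header
    # (a router changing TTL, or an attacker) simply recomputes it.
    if checksum(packet[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": version,
        "ttl": fields[5],
        "protocol": fields[6],
        "src": socket.inet_ntoa(fields[8]),
        "dst": socket.inet_ntoa(fields[9]),
        "payload": packet[hlen:fields[2]],
    }


def header_is_valid(packet: bytes) -> bool:
    try:
        parse_datagram(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_datagram("10.0.0.1", "10.0.0.2", PROTO_UDP, b"hello")
    print(pkt.hex())
    print(parse_datagram(pkt))
```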

38 IP addresses An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, could be an IP address. Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicates. The four numbers in an IP address are used in different ways to identify a particular network and a host on that network. Four regional Internet registries (ARIN, RIPE NCC, LACNIC and APNIC) assign Internet addresses from the following three classes: Class A supports 16 million hosts on each of 126 networks; Class B supports 65,000 hosts on each of 16,000 networks; Class C supports 254 hosts on each of 2 million networks. The number of unassigned Internet addresses is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B and C and is tied to the adoption of IPv6. CIDR is principally a bitwise, prefix-based standard for the interpretation of IP addresses. It facilitates routing by allowing blocks of addresses to be grouped together into single routing-table entries. These groups, commonly called CIDR blocks, share an initial sequence of bits in the binary representation of their IP addresses. IPv4 CIDR blocks are identified using a syntax similar to that of IPv4 addresses: a four-part dotted-decimal address, followed by a slash, then a number from 0 to 32: A.B.C.D/N. All nodes must have a unique 32-bit address. For example = . All nodes in a network share the same network prefix.

39 IP addresses Until 1998 IP addresses were handed out by ONE organisation in the world, InterNIC. Today ICANN is responsible, and IP addresses are allocated through IANA. IANA is operated by ICANN.
InterNIC, or Internet Network Information Center, was the Internet governing body primarily responsible for domain name and IP address allocations until September 18, 1998, when this role was assumed by ICANN. ICANN (pronounced "I can") is the Internet Corporation for Assigned Names and Numbers. The tasks of ICANN include managing the assignment of domain names and IP addresses. To date, much of its work has concerned the introduction of new generic top-level domains. The technical work of ICANN is referred to as the IANA function; the rest of ICANN is mostly concerned with defining policy. The Internet Assigned Numbers Authority (IANA) is the entity that oversees global IP address allocation, DNS root zone management and other Internet protocol assignments. It is operated by ICANN. Both IPv4 and IPv6 addresses are assigned in a delegated manner. Users are assigned IP addresses by Internet service providers (ISPs). ISPs obtain allocations of IP addresses from a local Internet registry (LIR) or national Internet registry (NIR), or from their appropriate Regional Internet Registry (RIR): AfriNIC (African Network Information Centre), Africa region; APNIC (Asia Pacific Network Information Centre), Asia/Pacific region; ARIN (American Registry for Internet Numbers), North America region; LACNIC (Regional Latin-American and Caribbean IP Address Registry), Latin America and some Caribbean islands; RIPE NCC (Réseaux IP Européens), Europe, the Middle East and Central Asia.

40 Private IP addresses Any organisation can use private IP addresses. Private IP addresses can NOT be used on the Internet.

41 Forwarding IP datagrams C:\TRACERT SUN.COM
Routers deliver IP datagrams to the destination network. Routers maintain routing tables of "hops". The "hops" are NOT stored in the datagrams.
In the simplest model, hop-by-hop routing, each routing table lists, for all reachable destinations, the address of the next device along the path to that destination: the next hop. Assuming that the routing tables are consistent, the simple algorithm of relaying packets to their destination's next hop suffices to deliver data anywhere in a network. In practice, hop-by-hop routing is increasingly being abandoned in favour of layered architectures such as MPLS, where a single routing-table entry can effectively select the next several hops, resulting in fewer table lookups and improved performance. The need to record routes to large numbers of devices using limited storage space represents a major challenge in routing-table construction. Perhaps the fundamental assumption of routing is that similar addresses are located near each other in the network, allowing groups of destination addresses to be matched by single routing-table entries. The exact nature of how this grouping is done has changed over time and still represents an active area of networking research. In the Internet, the currently dominant address-grouping technology is a bitwise prefix-matching scheme called Classless Inter-Domain Routing. A subnet mask is used to determine what subnet an IP address belongs to. An IP address has two components, the network address and the host address. For example, consider the IP address . Assuming this is part of a Class B network, the first two numbers ( ) represent the Class B network address, and the second two numbers ( ) identify a particular host on this network. Subnetting enables the network administrator to further divide the host part of the address into two or more subnets. In this case, a part of the host address is reserved to identify the particular subnet.
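The A.B.C.D/N notation, subnet masks and longest-prefix routing-table lookup of slides 38 and 41, together with the private ranges of slide 40, as an added example that is not part of the lecture material. It goes one step further than the slides and simulates hop-by-hop forwarding across a small constructed topology, so that the TTL field from slide 37 is seen cutting off a datagram caught in a routing loop. The RFC 1918 private ranges are real; the addresses, router names and routes are constructed.

```python
# Added example: CIDR membership, longest-prefix match and hop-by-hop forwarding.
import ipaddress

# RFC 1918 private ranges: usable inside an organisation, never routed on the Internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)


def split_address(addr: str, prefix_len: int):
    """Return (network block, subnet mask, host number) for A.B.C.D/N."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    host = int(ipaddress.ip_address(addr)) & int(net.hostmask)  # bits not covered by the mask
    return str(net), str(net.netmask), host


class RoutingTable:
    """Maps CIDR blocks to next hops; the most specific (longest) prefix wins."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst: str):
        ip = ipaddress.ip_address(dst)
        for net, nh in self.routes:  # already sorted longest prefix first
            if ip in net:
                return nh
        return None  # no route at all: the router drops the datagram


def forward(routers: dict, start: str, dst: str, ttl: int):
    """Relay a datagram hop by hop. Returns (path of routers visited, delivered?)."""
    path, here = [start], start
    while True:
        nh = routers[here].next_hop(dst)
        if nh is None:
            return path, False
        if nh == "local":
            return path, True  # destination network is directly attached
        ttl -= 1  # every router decrements TTL before forwarding (slide 37)
        if ttl == 0:
            return path, False  # discarded: loop or path too long
        here = nh
        path.append(here)


def build_demo():
    """Constructed three-router topology. R2 and R3 point at each other for the
    /8 default, so any 10.x address outside 10.1.0.0/16 loops between them."""
    return {
        "R1": RoutingTable([("192.168.1.0/24", "local"), ("10.0.0.0/8", "R2"),
                            ("10.1.0.0/16", "R3")]),
        "R2": RoutingTable([("10.1.0.0/16", "R3"), ("10.0.0.0/8", "R3")]),
        "R3": RoutingTable([("10.1.0.0/16", "local"), ("10.0.0.0/8", "R2")]),
    }


if __name__ == "__main__":
    net = build_demo()
    print(split_address("172.16.5.9", 20))
    print(forward(net, "R1", "10.1.5.5", 64))   # longest prefix sends it straight to R3
    print(forward(net, "R1", "10.9.0.1", 4))    # loops until TTL expires
```

A TTL-expired discard is also what traceroute (the C:\TRACERT on the slide) exploits deliberately, sending probes with TTL 1, 2, 3, ... so that each router in turn reveals itself.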

42 Domain Name Server (DNS)
DNS is a "mapping" between an IP address and a logical name (a kind of telephone directory): DNS:  A huuuge directory. Distributed management based on domain. .dk, .com, .net, .se, ... .ca are all top-level domains. .dr is a sub-domain that is governed by .dk. .www is a host name that is governed by DR. www is on network , and is host number 1.

43 Domain Name Server (DNS)
[Diagram: the DNS name tree: .dk is a first-level domain; .dr lies in the .dk domain; .aarhus lies in the .dr domain; the hosts birger, mail and www lie in the .aarhus domain]

The domain name space consists of a tree of domain names. Each node or leaf in the tree has one or more resource records, which hold information associated with the domain name. The tree sub-divides into zones. A zone consists of a collection of connected nodes authoritatively served by an authoritative DNS nameserver. (Note that a single nameserver can host several zones.) When a system administrator wants to let another administrator control a part of the domain name space within his or her zone of authority, he or she can delegate control to the other administrator. This splits a part of the old zone off into a new zone, which comes under the authority of the second administrator's nameservers. The old zone is no longer authoritative for what comes under the authority of the new zone.

DNS forwarders: DNS servers often must communicate with DNS servers outside of the local network. A forwarder is an entry that is used when a DNS server receives DNS queries that it cannot resolve locally. It then forwards those requests to external DNS servers for resolution.

DNS server caching: Caching is designed to improve response times. A DNS server caches the queries that it resolves to improve response time and reduce network traffic.

44 The DNS process [Diagram labels: DK, ITU]
A DNS client sends a recursive query to the local DNS server. Before forwarding the request to a root server, the DNS server checks its local cache to determine whether the name has recently been resolved. If there is an entry in the local cache, the IP address is returned to the client. If no entry exists in the cache for the hostname, an iterative query is sent by the DNS server to a root name server. The root name server refers the DNS server to a name server responsible for the first-level domain within the hostname. For example, the root name server would refer the request to the bayside.net DNS server. The original DNS server is referred to second-level DNS servers, and then third-level DNS servers, until one of them can resolve the hostname to an IP address and return the results to the client.

Important categories of data stored in the DNS include the following:
An A record or address record maps a hostname to a 32-bit IPv4 address.
An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address.
A CNAME record or canonical name record is an alias of one name to another. The A record that the alias is pointing to can be either local or remote, on a foreign name server. Useful when running multiple services from a single IP address, where each service has its own entry in DNS.
An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain.
A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), has the IP address , but a PTR record maps in-addr.arpa to its canonical name, referrals.icann.org.
An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain. Delegations depend on NS records.
An SOA record or start of authority record specifies the DNS server providing authoritative information about an Internet domain, the e-mail address of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
An SRV record is a generalized service location record.
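Added example, not from the slides and not real DNS data: a Python walk-through of the delegation (slide 43) and resolution (slide 44) process. Three constructed zones (., dk. and dr.dk.) are served by constructed name servers; the resolver starts at the root, follows NS referrals down the tree, chases a CNAME, and caches what it learns so the second query never leaves the local server. All server names and addresses are placeholders.

```python
# Constructed zone data (not the slides' data, not real DNS): zone apex -> {name: [(type, value)]}
ZONES = {
    ".":      {"dk.": [("NS", "a.nic.dk.")]},
    "dk.":    {"dr.dk.": [("NS", "ns1.dr.dk.")],
               "ns1.dr.dk.": [("A", "192.0.2.53")]},           # glue record for the delegation
    "dr.dk.": {"www.dr.dk.": [("CNAME", "web.dr.dk.")],
               "web.dr.dk.": [("A", "192.0.2.80")]},
}
SERVER_ZONE = {"root.example.": ".", "a.nic.dk.": "dk.", "ns1.dr.dk.": "dr.dk."}  # who serves what
ROOT_SERVERS = ["root.example."]

def authoritative_answer(server, name, rtype):
    """Reply of an authoritative server to an iterative query: the records, a CNAME,
    a referral to the child zone's name servers, or nothing (NXDOMAIN)."""
    apex = SERVER_ZONE[server]
    zone = ZONES[apex]
    records = zone.get(name, [])
    wanted = [value for rtype_, value in records if rtype_ == rtype]
    if wanted:
        return "answer", wanted
    aliases = [value for rtype_, value in records if rtype_ == "CNAME"]
    if aliases:
        return "cname", aliases[0]
    labels = name.split(".")                 # no data here: is the name delegated to a child zone?
    for i in range(1, len(labels)):
        child = ".".join(labels[i:])
        ns = [value for rtype_, value in zone.get(child, []) if rtype_ == "NS"]
        if ns and child != apex:
            return "referral", ns
    return "nxdomain", None

def resolve(name, rtype="A", cache=None, trace=None):
    """Recursive resolver: iterates from the root on the client's behalf and caches what it learns.
    Returns (answer or None, list of servers contacted in order)."""
    cache = {} if cache is None else cache
    trace = [] if trace is None else trace
    key = (name, rtype)
    if key in cache:
        trace.append("cache")
        return cache[key], trace
    servers = ROOT_SERVERS
    for _ in range(8):                       # bound the length of the referral chain
        server = servers[0]
        trace.append(server)
        kind, data = authoritative_answer(server, name, rtype)
        if kind == "cname":                  # restart the query with the canonical name
            trace.append("CNAME " + data)
            data, trace = resolve(data, rtype, cache, trace)
        if kind in ("answer", "cname"):
            cache[key] = data
            return data, trace
        if kind != "referral":
            return None, trace
        servers = data
    return None, trace
```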

45 DNS names [Diagram: corp05.contoso.com. and corp01.sales.contoso.com. are FQDNs; each is split into a host name (corp05, corp01), a DNS suffix and the "." root; the tree runs "." root, com, contoso, sales]
DNS zone transfer, also sometimes known by its (commonest) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavours, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now falling by the wayside somewhat, in favour of the use of other database replication mechanisms that modern DNS server packages provide.

Master/slave: In the traditional master/slave DNS relationship, (one or more) DNS slave servers load zone data from the master server on startup and at intervals specified in the start of authority (SOA) record for each zone. This method of redundancy has one huge advantage: when a zone file is changed, the changes are automatically propagated to the slave servers. This process normally happens as soon as the changes are made if the NOTIFY DNS feature is supported.

Multiple master: If you're more concerned with having DNS available at all times rather than having the convenience provided by a master/slave configuration, you can use a multiple master configuration. This concept is simple: all DNS servers are master servers for each zone. The most difficult part of having multiple master DNS servers comes when a change is made to a zone file or the DNS configuration.

46 Routing protocols An autonomous system is an internetwork connected by routers under the administrative control of one entity. Interior Router Protocols (IRP) (within an autonomous system): Routing Information Protocol (RIP); Open Shortest Path First (OSPF). Exterior Router Protocols (ERP, EGP) (between autonomous systems): Border Gateway Protocol (BGP); Exterior Gateway Protocol (EGP); Inter-Domain Routing Protocol (IDRP).

In the Internet, an autonomous system (AS) is a collection of IP networks and routers under the control of one entity (or sometimes more) that presents a common routing policy to the Internet. See RFC 1930 for additional detail on this updated definition. Networks within an autonomous system communicate routing information to each other using an Interior Gateway Protocol (IGP). An autonomous system shares routing information with other autonomous systems using the Border Gateway Protocol (BGP). Previously, the Exterior Gateway Protocol (EGP) was used. In the future, the BGP is expected to be replaced with the OSI Inter-Domain Routing Protocol (IDRP).

IRP/IGP: A set of routing protocols that are used within an autonomous system are referred to as interior gateway protocols (IGP). In contrast, an exterior gateway protocol is for determining network reachability between autonomous systems (AS) and makes use of IGPs to resolve routes within an AS. BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts (each with its own router) in a network of autonomous systems. BGP is often the protocol used between gateway hosts on the Internet. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen. Exterior Gateway Protocol (EGP) is a protocol for exchanging routing information between two neighbour gateway hosts (each with its own router) in a network of autonomous systems. EGP is commonly used between hosts on the Internet to exchange routing table information.

47 RIP With RIP the router examines how many "hops" there are to every destination. This is used to determine the best route. Every 30 seconds RIP sends the "hop" information from its routing table to its neighbours. RIP compares its own routing table with the information it receives, and updates it if necessary.

RIP is a distance-vector routing protocol, which employs the hop count as a routing metric. The maximum number of hops allowed with RIP is 15, and the hold down time is 180 seconds. Each RIP router transmits full updates every 30 seconds by default, generating large amounts of network traffic in lower bandwidth networks. It runs at the network layer of the Internet protocol suite. A mechanism called split horizon with limited poison reverse is used to avoid routing loops. Routers of some brands also use a holddown mechanism known as heuristics, whose usefulness is arguable and is not a part of the standard protocol.

RIPv1: RIPv1, defined in RFC 1058, uses classful routing. The routing updates do not carry subnet information, lacking support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside of the same network class. In other words, all subnets in a network class must be the same size. There is also no support for router authentication, making RIPv1 slightly vulnerable to various attacks.

RIPv2: Due to the above deficiencies of RIPv1, RIPv2 was developed in 1994 and included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). However, to maintain backwards compatibility the 15 hop count limit remained. Rudimentary plain text authentication was added to secure routing updates; later, MD5 authentication was defined in RFC 2082. RIPv2 is specified in RFC 2453 or STD 56.
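Added example, not from the slides: a small Python simulation of the RIP update rule described above. Each router advertises its table to its neighbours, a neighbour adds one hop, 16 means unreachable (so nothing beyond 15 hops is ever installed), and split horizon with poison reverse keeps a failed network from being re-learned from the wrong direction. The router names, network names and chain topology are constructed.

```python
INFINITY = 16   # RIP metric meaning "unreachable": at most 15 hops are allowed

class RipRouter:
    """One RIP speaker. table: network -> (metric, next hop); next hop None = directly connected."""
    def __init__(self, name, connected):
        self.name = name
        self.table = {net: (1, None) for net in connected}   # directly connected networks: metric 1

    def advertise(self, neighbour):
        """The periodic update sent to one neighbour, with split horizon and poison reverse:
        routes learned from that neighbour are advertised back to it as unreachable."""
        return {net: (INFINITY if nh == neighbour else metric)
                for net, (metric, nh) in self.table.items()}

    def receive(self, neighbour, update):
        """Merge a neighbour's update into the table; returns True if anything changed."""
        changed = False
        for net, metric in update.items():
            new = min(metric + 1, INFINITY)             # one hop more to reach it via this neighbour
            cur = self.table.get(net)
            if cur is None and new < INFINITY:           # new destination
                self.table[net] = (new, neighbour); changed = True
            elif cur is not None and cur[1] is not None and (
                    new < cur[0] or (cur[1] == neighbour and new != cur[0])):
                # a better route, or the next hop we already use reports a change (even a worse one)
                self.table[net] = (new, neighbour); changed = True
        return changed

def build_chain(n):
    """Constructed topology: routers R0 - R1 - ... - R(n-1) in a line, each with its own LAN Net<i>."""
    routers = {f"R{i}": RipRouter(f"R{i}", [f"Net{i}"]) for i in range(n)}
    links = [(f"R{i}", f"R{i+1}") for i in range(n - 1)]
    return routers, links

def converge(routers, links, max_rounds=40):
    """Exchange updates over every link until no table changes; returns the rounds needed."""
    for rounds in range(1, max_rounds + 1):
        changed = False
        for a, b in links:
            changed |= routers[b].receive(a, routers[a].advertise(b))
            changed |= routers[a].receive(b, routers[b].advertise(a))
        if not changed:
            return rounds
    return max_rounds

def fail_network(routers, router, net):
    """The router's LAN goes down: it keeps the route but marks it unreachable, which its next
    update poisons outwards so the rest of the chain stops forwarding towards it."""
    routers[router].table[net] = (INFINITY, None)
```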

48 OSPF Fixes the problems found in RIP and others.
Instead of just counting "hops", additional network information is used to find the best route. Enables load balancing. Enables security. Larger networks are broken down into a backbone network and areas. Each area has one or more subnets, and each subnet has a designated router.

OSPF (Open Shortest Path First) is a router protocol used within larger autonomous system networks in preference to the Routing Information Protocol (RIP), an older routing protocol that is installed in many of today's corporate networks. Like RIP, OSPF is designated by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols (IGPs). Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information. Unlike RIP, in which the entire routing table is sent, the host using OSPF sends only the part that has changed. With RIP, the routing table is sent to a neighbour host every 30 seconds. OSPF multicasts the updated information only when a change has taken place. Rather than simply counting the number of hops, OSPF bases its path descriptions on "link states" that take into account additional network information. OSPF also lets the user assign cost metrics to a given host router so that some paths are given preference. OSPF supports a variable network subnet mask so that a network can be subdivided. RIP is supported within OSPF for router-to-end station communication. Since many networks using RIP are already in use, router manufacturers tend to include RIP support within a router designed primarily for OSPF.
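Added example, not from the slides: the shortest-path-first computation OSPF runs over its link-state database, in Python, on a constructed topology. It shows why link costs change the answer compared with RIP's hop count (the cheapest path to D has three hops, the two-hop path costs far more) and how two equal-cost paths are both kept, which is what gives OSPF its load balancing. Router names and costs are constructed.

```python
import heapq
from collections import defaultdict, deque

# Constructed link-state database (not from the slides): bidirectional links with OSPF costs.
# A reaches D in two hops via B (cost 20) or via F (cost 3), and in three hops via C and E (cost 3).
LSDB = [("A", "B", 10), ("B", "D", 10), ("A", "C", 1), ("C", "E", 1),
        ("E", "D", 1), ("A", "F", 1), ("F", "D", 2)]

def adjacency(lsdb):
    adj = defaultdict(list)
    for a, b, cost in lsdb:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    return adj

def spf(lsdb, root):
    """Dijkstra over link costs. Returns cost per destination and the set of next hops
    (more than one when equal-cost paths exist, which is what enables load balancing)."""
    adj = adjacency(lsdb)
    cost = {root: 0}
    next_hops = {root: set()}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue                      # stale heap entry
        for v, c in adj[u]:
            via = {v} if u == root else next_hops[u]
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                next_hops[v] = set(via)
                heapq.heappush(heap, (d + c, v))
            elif d + c == cost[v] and v != root:
                next_hops[v] |= via       # equal-cost path: keep both next hops

    return cost, next_hops

def fewest_hops(lsdb, root, dst):
    """The RIP view of the same network: breadth-first hop count, ignoring link cost."""
    adj = adjacency(lsdb)
    seen = {root: 0}
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v, _ in adj[u]:
            if v not in seen:
                seen[v] = seen[u] + 1
                queue.append(v)
    return seen.get(dst)
```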

49 TCP Point-to-point communication. There are two endpoints.
Connection oriented. Full-duplex communication. Reliable transport. Data is delivered in order. Lost data packets are sent again.

Applications send streams of octets (8-bit bytes) to TCP for delivery through the network, and TCP divides the byte stream into appropriately sized segments (usually delineated by the maximum transmission unit (MTU) size of the data link layer of the network to which the computer is attached). TCP then passes the resulting packets to the Internet Protocol, for delivery through a network to the TCP module of the entity at the other end. TCP checks to make sure that no packets are lost by giving each packet a sequence number, which is also used to make sure that the data are delivered to the entity at the other end in the correct order. The TCP module at the far end sends back an acknowledgement for packets which have been successfully received; a timer at the sending TCP will cause a timeout if an acknowledgement is not received within a reasonable round-trip time (or RTT), and the (presumably lost) data will then be re-transmitted. TCP checks that no bytes are damaged by using a checksum; one is computed at the sender for each block of data before it is sent, and checked at the receiver.

To establish a connection, TCP uses a 3-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs: 1. The active open is performed by sending a SYN to the server. 2. In response, the server replies with a SYN-ACK. 3. Finally the client sends an ACK (usually called SYN-ACK-ACK) back to the server.

Connection termination: The connection termination phase uses, at most, a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical teardown requires a pair of FIN and ACK segments from each TCP endpoint.
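Added example, not from the slides: a minimal Python model of the three-way handshake and the FIN/ACK teardown just described, with the sequence-number bookkeeping (a SYN and a FIN each consume one sequence number) and the check that a segment is only accepted when its ack number matches what this end actually sent, which is what makes a guessed ACK fall on the floor. The initial sequence numbers are fixed constructed values rather than the random ones a real stack picks.

```python
class TcpEndpoint:
    """Minimal TCP state machine for connection set-up and teardown (no data transfer, no
    retransmission). Constructed example, not a real TCP implementation."""
    def __init__(self, name, isn):
        self.name, self.state = name, "CLOSED"
        self.isn, self.snd_nxt, self.rcv_nxt = isn, None, None

    def listen(self):                 # passive open: the server binds the port and waits
        self.state = "LISTEN"

    def connect(self):                # active open: the client sends SYN with its initial sequence number
        self.snd_nxt, self.state = self.isn + 1, "SYN_SENT"   # a SYN consumes one sequence number
        return ("SYN", self.isn, None)

    def close(self):                  # send FIN for our half of the connection
        seg = ("FIN", self.snd_nxt, self.rcv_nxt)
        self.snd_nxt += 1             # a FIN consumes one sequence number too
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return seg

    def receive(self, seg):
        """Handle one segment (flags, seq, ack); return the reply segment or None.
        Segments whose seq/ack numbers do not match what we expect are silently dropped."""
        flags, seq, ack = seg
        if self.state == "LISTEN" and flags == "SYN":
            self.rcv_nxt, self.snd_nxt, self.state = seq + 1, self.isn + 1, "SYN_RCVD"
            return ("SYN-ACK", self.isn, self.rcv_nxt)
        if self.state == "SYN_SENT" and flags == "SYN-ACK" and ack == self.snd_nxt:
            self.rcv_nxt, self.state = seq + 1, "ESTABLISHED"
            return ("ACK", self.snd_nxt, self.rcv_nxt)
        if self.state == "SYN_RCVD" and flags == "ACK" and (seq, ack) == (self.rcv_nxt, self.snd_nxt):
            self.state = "ESTABLISHED"
        elif flags == "FIN" and seq == self.rcv_nxt and self.state in ("ESTABLISHED", "FIN_WAIT_2"):
            self.rcv_nxt += 1
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
            return ("ACK", self.snd_nxt, self.rcv_nxt)
        elif flags == "ACK" and ack == self.snd_nxt and self.state in ("FIN_WAIT_1", "LAST_ACK"):
            self.state = "FIN_WAIT_2" if self.state == "FIN_WAIT_1" else "CLOSED"
        return None

def run_session(client_isn=1000, server_isn=5000):
    """Whole exchange: three-way handshake, then a client-initiated teardown.
    Returns the list of (sender, segment) and the final states of both ends."""
    client, server = TcpEndpoint("client", client_isn), TcpEndpoint("server", server_isn)
    server.listen()
    log = []
    def deliver(src, dst, seg):       # hand seg to dst and deliver any reply back the other way
        if seg is not None:
            log.append((src.name, seg))
            deliver(dst, src, dst.receive(seg))
    deliver(client, server, client.connect())   # SYN, SYN-ACK, ACK
    deliver(client, server, client.close())     # FIN, ACK
    deliver(server, client, server.close())     # FIN, ACK
    return log, client.state, server.state
```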

50 TCP header The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist timer is used to protect TCP from the deadlock situation. For more efficient use of high bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and is limited to between 2 and 65,535 bytes.

51 UDP and the UDP header Connectionless end-to-end service.
Unreliable transport. No flow control. No error handling. No retransmission of lost packets. Typically used for audio/video. Error reporting is optional.

The User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages sometimes known as datagrams (using datagram sockets) to one another. UDP does not provide the reliability and ordering guarantees that TCP does. Datagrams may arrive out of order or go missing without notice. Without the overhead of checking if every packet actually arrived, UDP is faster and more efficient for many lightweight or time-sensitive purposes. Also, its stateless nature is useful for servers that answer small queries from huge numbers of clients. Compared to TCP, UDP is required for broadcast (send to all on the local network) and multicast (send to all subscribers). Common network applications that use UDP include the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.

52 End

