Wednesday, 11 April 2012

EAP


Extensible Authentication Protocol


The Extensible Authentication Protocol is an IETF standard described in RFC 3748. It provides an authentication framework for network access clients and authentication servers, on which multiple authentication methods can be built.

  • EAP typically runs directly over data link layers such as PPP or IEEE 802, without requiring IP.
  • EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees.
  • EAP itself does not support fragmentation, but individual EAP methods may support it.

The best advantage of the EAP architecture is its flexibility. It does not require the authenticator to be updated in order to support new authentication methods; instead, it allows the use of a backend authentication server, which may support any or all authentication methods.

  • EAP was designed for use in network access authentication, where IP layer connectivity may not be available.  
  • Use of EAP for other purposes, such as bulk data transport, is NOT RECOMMENDED.
  • EAP is a lock-step protocol which only supports a single packet in flight.
  • EAP authentication is initiated by the server (authenticator), whereas most authentication protocols are initiated by the client (peer).  
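The lock-step, server-initiated behaviour in the list above, worked through as an added example (not code from the page or from any EAP implementation). The packet layout follows RFC 3748: Code, Identifier, Length, then Type and type data. Only the Identity method (Type 1) is modelled, and the "allowed identities" check stands in for a real authentication method; both are assumptions of this example.

```python
"""Lock-step EAP exchange between an authenticator and a peer.

Added example, not from the page or from any EAP implementation. Packet
layout follows RFC 3748: Code (1 byte), Identifier (1 byte), Length (2 bytes,
whole packet), then Type (1 byte) and type data for Requests and Responses.
Codes: 1 Request, 2 Response, 3 Success, 4 Failure. Only the Identity method
(Type 1) is modelled, and the "allowed identities" check stands in for a real
authentication method (an assumption of this example).
"""
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1


def encode(code, identifier, type_=None, data=b""):
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    body = pkt[4:]
    return code, identifier, (body[0] if body else None), body[1:]


class Authenticator:
    """The server side: it initiates, and keeps exactly one Request in flight."""

    def __init__(self, allowed):
        self.allowed = set(allowed)   # constructed list of acceptable identities
        self.identifier = 0
        self.outstanding = None       # the single packet in flight, if any
        self.responses_accepted = 0

    def start(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = encode(CODE_REQUEST, self.identifier, TYPE_IDENTITY)
        return self.outstanding

    def receive(self, pkt):
        code, identifier, type_, data = decode(pkt)
        # Duplicate elimination: a Response is accepted only while a Request
        # with that Identifier is outstanding; anything else is dropped.
        if self.outstanding is None or code != CODE_RESPONSE or identifier != self.identifier:
            return None
        self.outstanding = None
        self.responses_accepted += 1
        ok = type_ == TYPE_IDENTITY and data.decode("utf-8", "replace") in self.allowed
        return encode(CODE_SUCCESS if ok else CODE_FAILURE, identifier)


class Peer:
    """The client side: it never speaks first, it only answers Requests."""

    def __init__(self, identity):
        self.identity = identity

    def receive(self, pkt):
        code, identifier, type_, _ = decode(pkt)
        if code == CODE_REQUEST and type_ == TYPE_IDENTITY:
            # The Response carries the Request's Identifier so the server can match it.
            return encode(CODE_RESPONSE, identifier, TYPE_IDENTITY, self.identity.encode())
        return None


def run_exchange(identity, allowed=("alice",)):
    """Return (final code, Responses accepted, whether a duplicate was dropped)."""
    server, peer = Authenticator(allowed), Peer(identity)
    request = server.start()
    response = peer.receive(request)
    result = server.receive(response)
    # A retransmitted Request (or a replayed Response) produces a second
    # Response with the same Identifier; the server has already consumed it.
    duplicate_dropped = server.receive(peer.receive(request)) is None
    return decode(result)[0], server.responses_accepted, duplicate_dropped
```

Note that the Identifier is the only thing tying a Response to its Request; that is why the server closes the Identifier after one accepted Response and why a replay of the same Response does nothing.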


An EAP infrastructure contains the following:

EAP Peer: 

A device or a user, attempting access to the protected network.

EAP Authenticator: 

An Access Point (AP) or a Network Access Server (NAS), which initiates EAP Authentication, before granting access to a network.

Backend Authentication Server:
Typically a RADIUS server, it provides authentication services, such as negotiating a specific EAP method with an EAP peer, validating a peer's credentials and authorizing access to the network.

EAP Server:

An entity that terminates the EAP authentication method with an EAP peer. 
In the case where no Backend Authentication Server is used, the EAP Server is part of the EAP Authenticator. In the case where the Authenticator operates in pass-through mode, the EAP Server is located on the Backend Authentication Server.

The Backend Authentication Server and the EAP Server possess the final knowledge about who should have access to what and when.


In different setups, the functionality is provided by the same components under different terminologies:

Component                Wireless world                  IEEE 802.1X world
Peer                     Wireless STA                    Supplicant
Authenticator            Wireless Access Point (WAP)     Network Access Server (NAS)
EAP Server + BA server   RADIUS server                   RADIUS server







Monday, 26 March 2012

EIGRP Packets


* Technically, EIGRP is a transport layer function, since it runs on top of IP.
* EIGRP packets are encapsulated directly in IP with the protocol field set to 88.
* The source IP address is the IP address of the interface from which the packet is issued.
* The destination IP address in EIGRP depends on the packet type.

EIGRP uses a mixture of MULTICAST and UNICAST packet transmission.
Multicast address for EIGRP: (IPv4) 224.0.0.10    (IPv6) FF02::a
Multicast is link-local, so that packets do not propagate beyond the local subnet.

Packets may be reliable (Ack required) or unreliable (Ack not required).

EIGRP uses five packet types:

Hello: Used to discover neighbours before establishing an adjacency. EIGRP Hellos are sent as multicasts and contain an acknowledgment number of 0. They do not need acknowledgement. A Hello with no data is also used as an acknowledgment. Acknowledgements are always sent to a unicast address and contain a non-zero acknowledgment number.

Updates: Used to convey reachability of destinations. When a new neighbor is discovered, update packets are sent so the neighbor can build its topology table. EIGRP Updates are sent as multicasts when a new route is discovered or when convergence is completed; and are sent as unicasts when synchronizing topology tables with neighbors upon the EIGRP startup. They are sent reliably between EIGRP routers.

Queries: Sent when destinations go into ACTIVE state. EIGRP Queries are sent reliably as multicasts.

Reply: Sent in response to a query. The replying router reports its route to the destination (or that it has none), telling the originator that the replier itself holds a feasible successor and does not need to go into ACTIVE state. Replies are reliably unicast to the originator of the query.

Request: Used to get specific information from one or more neighbours. They can be multicast or unicast. Requests are transmitted unreliably.

Summary:
Hello   - unreliable, multicast
Ack     - unreliable, unicast
Query   - reliable, multicast
Update  - reliable, multicast
Reply   - reliable, unicast
Request - unreliable, multicast or unicast

PACKET FORMAT:
Following the IP Header is the EIGRP header.

The fields are as follows:
* Version: EIGRP process version.
* OpCode: Specifies the type of EIGRP packet:
      1 = Update
      2 = Request
      3 = Query
      4 = Reply
      5 = Hello
* Checksum: Covers the entire EIGRP packet, excluding the IP header.
* Flags: Only the first two bits are used; the rest of the 32-bit field is unused.
         Bit 1: Init bit, set in the first Update of a new neighbour relationship
         Bit 2: Conditional receive bit
* Sequence Number: Used by RTP.
* Acknowledgement Number: Used by RTP.
* Autonomous System Number: Identifies the EIGRP process issuing the packet. The receiving EIGRP process handles the packet only if it is configured with the same AS number; otherwise the packet is discarded.

The fields following the EIGRP header depend upon the OpCode specified.
Here are a few TLVs that are commonly used:

1. Parameter TLV: This contains the parameters that the two neighbours must agree upon to establish a
    neighbour relationship.
Type = 0x0001, Size: 12 bytes.

2. IP internal route TLV: Internal Routes are routes contained within an EIGRP domain, i.e. routes 
    originated from the same EIGRP AS number as the receiving router
Type: 0x0102, Size: 28 bytes.

* Next hop — IP address of the next hop to which packets should be forwarded.
* Delay — Delay parameter of the route metric. The delay value is the sum of all the delay parameters
   on the interface across the path to the destination network.
* Bandwidth — Bandwidth parameter of the route metric. The bandwidth is obtained from the interface,
    and it is the lowest bandwidth on the interface across the path to the destination network.
* MTU — The interface MTU parameter of the route metric.
* Hop count — Number of hops to the destination network.
* Reliability — The reliability of the interface, out of a possible range of 1 to 255. A reliability of 1
   indicates that the reliability is 1/255, whereas a reliability of 255 indicates that the interface is 100
   percent reliable.
* Load — The load of the interface, out of a possible range of 1 to 255. A load value of 1 indicates that
   the interface has a very light load, while a load value of 255 indicates that the interface is highly
   saturated.
* Prefix length — The subnet mask of the destination network.


3. IP external route TLV: An external route contains a destination network outside an EIGRP domain,
   eg: redistributed routes from other routing processes into an EIGRP domain.
Type: 0x0103, Size: 48 bytes.
Most of the fields are the same as that of the Internal Route packet. The extra fields are mentioned below:

* Originating router — The router ID of the router that originated the external route.
* Originating AS number — The autonomous system number the routes belonged to before being
   redistributed into this EIGRP autonomous system.
* External protocol metric — The metric of the routes before they were redistributed into EIGRP.
* External protocol ID — The type of routing protocol that originated the routes that were redistributed
   into EIGRP. The values are IGRP (0x01), EIGRP (0x02), RIP (0x04), OSPF (0x06), BGP (0x09), etc.
* Arbitrary tag — An administrative tag carried with the route, which route maps can set and match on.
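A parser for the header and TLV framing described above, as an added example (not code from the page or from any router). It verifies the checksum over the whole EIGRP packet, applies the AS-number filter, and walks the TLVs. The header is taken as the classic 20-byte layout with a 4-byte AS field, and the Parameter TLV body is decoded as K1..K5, a reserved byte and a 16-bit hold time; the page's figure for that TLV is missing, so treat that field mapping as an assumption of this example.

```python
"""Parse the EIGRP header, verify its checksum, apply the AS filter and walk
the TLVs that follow. Added example, not from the page or from any router
implementation. Header layout (20 bytes): Version(1) OpCode(1) Checksum(2)
Flags(4) Sequence(4) Ack(4) AS number(4). The Parameter TLV body is decoded
as K1..K5, one reserved byte and a 16-bit hold time; the page's figure for
that TLV is missing, so treat that mapping as an assumption here.
"""
import struct

OPCODES = {1: "Update", 2: "Request", 3: "Query", 4: "Reply", 5: "Hello"}
FLAG_INIT, FLAG_CR = 0x1, 0x2          # the two flag bits the page lists
TLV_PARAMETERS = 0x0001
HEADER = "!BBHIIII"                    # 20 bytes


def checksum(data):
    """Standard one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(opcode, flags, seq, ack, asn, tlvs):
    body = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in tlvs)
    hdr = struct.pack(HEADER, 2, opcode, 0, flags, seq, ack, asn)
    return hdr[:2] + struct.pack("!H", checksum(hdr + body)) + hdr[4:] + body


def parameters_tlv(k=(1, 0, 1, 0, 0), hold_time=15):
    # 8-byte value; 12 bytes with the 4-byte TLV header, as the page states
    return struct.pack("!BBBBBBH", *k, 0, hold_time)


def parse_packet(pkt, local_asn):
    """Return the decoded packet, or None if it is for another AS.

    The checksum covers the whole EIGRP packet (not the IP header). It only
    detects corruption; nothing in this header authenticates the sender.
    """
    if len(pkt) < 20:
        raise ValueError("short EIGRP packet")
    version, opcode, csum, flags, seq, ack, asn = struct.unpack(HEADER, pkt[:20])
    if checksum(pkt[:2] + b"\x00\x00" + pkt[4:]) != csum:
        raise ValueError("bad EIGRP checksum")
    if asn != local_asn:
        return None                      # AS mismatch: discard, as the page says
    tlvs, off = [], 20
    while off + 4 <= len(pkt):
        tlv_type, tlv_len = struct.unpack("!HH", pkt[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(pkt):
            raise ValueError("bad TLV length")
        tlvs.append((tlv_type, pkt[off + 4:off + tlv_len]))
        off += tlv_len
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, opcode),
        "init": bool(flags & FLAG_INIT),
        "cr": bool(flags & FLAG_CR),
        "seq": seq, "ack": ack, "asn": asn,
        "tlvs": tlvs,
    }


def parse_parameters(value):
    k1, k2, k3, k4, k5, _reserved, hold_time = struct.unpack("!BBBBBBH", value)
    return {"k": (k1, k2, k3, k4, k5), "hold_time": hold_time}


# Constructed sample: a Hello from AS 100 carrying the Parameter TLV.
SAMPLE_HELLO = build_packet(5, 0, 0, 0, 100, [(TLV_PARAMETERS, parameters_tlv())])
```

The AS-number check is the only admission test in the header itself: a packet with a matching AS number and a valid checksum is accepted from any host on the link, so the checksum should not be mistaken for an integrity or authentication mechanism.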


Sunday, 25 March 2012

EIGRP


Enhanced Interior Gateway Routing Protocol is a Cisco proprietary routing protocol. It is, in essence, a distance vector routing protocol, with significantly improved convergence properties and operating efficiency over the older IGRP.
Routing optimizations are based on the Diffusing Update Algorithm (DUAL), that guarantees
loop-freedom throughout a route computation. This also provides a mechanism for fast convergence.

- EIGRP supports Classless Inter-Domain Routing (CIDR), which allows the use of variable-length
  subnet masks.
- EIGRP is not usable where routers need to know the exact network topology
  (e.g: traffic engineering in MPLS).

   
EIGRP has four basic components:
  • Neighbour Discovery/Recovery 
  • Reliable Transport Protocol
  • DUAL Finite State Machine
  • Protocol Dependent Modules

Neighbour Discovery/Recovery:
- Neighbour Discovery/Recovery is a process of learning about other routers on the directly connected
   networks.
- Routers must know when their neighbors become unreachable.
- Small hello packets are used to discover and maintain adjacencies between neighbours.

Reliable Transport Protocol:
- The reliable transport protocol is responsible for guaranteed and ordered delivery of EIGRP packets
   to all of a router's neighbours.
- For the purpose of efficiency, reliability is provided only when necessary.

DUAL Finite State Machine:
- The DUAL finite state machine is the decision process for all route computations.
- It tracks all routes advertised by all neighbours.
- DUAL selects the routes to be inserted into the routing table based on successors and feasible
   successors. A successor is the neighbouring router used for packet forwarding that has the
   least-cost path to a destination which is guaranteed not to be part of a routing loop; a feasible
   successor is a backup neighbour whose path is also guaranteed loop-free.
- When the successor is lost and there is no feasible successor to take over, a route recomputation is done.
- DUAL tests for feasible successors whenever a topology change occurs.

Protocol Dependent Modules:
- Responsible for network-layer, protocol-specific requirements.
- Eg:
   - The IP-EIGRP module is responsible for sending and receiving EIGRP packets that are encapsulated in IP.
   - IP-EIGRP asks DUAL to make routing decisions, and the results are stored in the IP routing table.
   - IP-EIGRP is responsible for redistributing routes learned by other IP routing protocols.


DATA STORAGE IN EIGRP:
EIGRP stores data in three tables:
   • Neighbour Table
   • Topology Table
   • Routing Table


NEIGHBOUR TABLE:
- Each router stores state information about its adjacent neighbours, reachable through directly
   connected interfaces.
- Upon new neighbour discovery, the address and interface information is updated in this table.
- There is one neighbour table for each protocol dependent module.
- When a neighbor sends a hello, it informs a Hold-Time.
- This Hold-Time is the amount of time a router treats that neighbour as reachable.
- If a hello packet isn't heard within that Hold-Time, then the Hold-Time expires.
- When the Hold-Time expires, that router is treated as unreachable and DUAL is informed of
   the topology change.
- Neighbour Table  also  contains  information such  as  Sequence Numbers,  used  to match
  acknowledgements with data packets.
- The last Sequence Number received from the neighbour is recorded so out-of-order packets can
  be detected.
- Round trip timers are kept in the neighbour data structure to estimate an optimal retransmission
  interval.


TOPOLOGY TABLE:
- This table contains a list of destination networks in the EIGRP-routed network together with their
   respective metrics.
- The Topology Table is populated by the protocol dependent modules and acted upon by the DUAL
   finite state machine.
- For every destination, a successor and a feasible successor are identified and stored in the table, if
   they exist.
- Every destination in the topology table can be marked either as "Passive", which is the state when
   the routing has stabilized and the router knows the route to the destination, or "Active" when the
   topology has changed and the router is in the process of updating its route to that destination.


ROUTING TABLE:
- Stores the actual routes to all destinations.
- A destination entry is moved from the topology table to the routing table when a successor
   exists for it.
- The successors (and, with unequal-cost load balancing, feasible successors) serve as the next-hop
   routers for these destinations.


ROUTE COMPUTATION:
- A route recomputation starts with a router sending a query packet to all neighbours.
- Neighbouring routers can either reply if they have feasible successors for the destination or
  optionally return a query indicating that they are performing a route recomputation themselves.
- While in Active state, a router cannot change the next−hop neighbour it is using to forward packets.
- Once all replies are received for a given query, the destination can transition to Passive state and a
  new successor can be selected.
- When a link to a neighbour that is the only feasible successor goes down, all routes through that
  neighbour commence a route recomputation and enter the Active state.
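The successor / feasible-successor decision behind the topology-table and route-computation sections above, as an added example (not code from the page or from any router). It applies the standard DUAL feasibility condition, reported distance strictly less than the feasible distance, and shows when a lost neighbour is absorbed locally (route stays Passive) and when the router must go Active and query. Costs are plain integers rather than EIGRP composite metrics; that and the sample table are constructed for this example.

```python
"""Successor and feasible-successor selection the way DUAL does it, over a
constructed topology-table entry. Added example, not from the page or from
any router implementation. The feasibility condition applied here is the
standard DUAL rule: a neighbour is a feasible successor when its reported
distance (RD) is strictly less than the feasible distance (FD), the best
total cost currently known. Costs are plain integers rather than EIGRP
composite metrics, which is a simplification of this example.
"""


def evaluate(entry):
    """entry maps neighbour -> (reported_distance, cost_of_link_to_neighbour).

    Returns (successor, feasible distance, sorted feasible successors).
    """
    total = {n: rd + cost for n, (rd, cost) in entry.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    # Feasibility condition: RD < FD guarantees the neighbour is not
    # routing through us, so its path cannot be a loop.
    feasible = sorted(n for n, (rd, _) in entry.items() if n != successor and rd < fd)
    return successor, fd, feasible


def lose_neighbour(entry, gone):
    """Simulate losing a neighbour.

    Returns ("passive", successor) when the route stays Passive (either the
    lost neighbour was not the successor, or a feasible successor takes over
    locally) and ("active", None) when the router must go Active and query.
    """
    successor, _fd, feasible = evaluate(entry)
    if gone != successor:
        return "passive", successor
    remaining_feasible = {n: entry[n] for n in feasible if n != gone}
    if remaining_feasible:
        new_successor, _, _ = evaluate(remaining_feasible)
        return "passive", new_successor
    return "active", None                # diffusing computation: send Queries


# Constructed topology-table entry for one destination, as seen from a router
# with three neighbours: (RD advertised by the neighbour, cost to reach it).
SAMPLE = {"R1": (10, 10), "R2": (15, 10), "R3": (25, 1)}
```

In the sample, R1 is the successor (FD 20) and R2 is a feasible successor (RD 15 < 20), so losing R1 is handled locally. R3 has a cheaper link but reports 25, which is not less than 20; its path might run back through this router, so DUAL will not promote it without a query.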


ARP

ADDRESS RESOLUTION PROTOCOL


- ARP is the protocol used to resolve network-layer addresses into link-layer addresses.
- ARP resolves L3 addresses to L2 addresses. For example, ARP on Ethernet provides the
  mapping between 32-bit IP addresses and 48-bit MAC addresses.
- It is a request and reply protocol which communicates within the boundaries of a
  single network; ARP packets are never routed across internetwork nodes.
- ARP is a low-level protocol and is usually handled at the device driver level.



ARP PACKET FORMAT:
ARP uses a simple message format that contains one address resolution request or response.
The packet format is as follows:


Internet Protocol (IPv4) to Ethernet conversion

bit offset   0 – 7                                    8 – 15
0            Hardware type
16           Protocol type
32           Hardware address length                  Protocol address length
48           Operation
64           Sender hardware address (first 16 bits)
80           (next 16 bits)
96           (last 16 bits)
112          Sender protocol address (first 16 bits)
128          (last 16 bits)
144          Target hardware address (first 16 bits)
160          (next 16 bits)
176          (last 16 bits)
192          Target protocol address (first 16 bits)
208          (last 16 bits)
FIELDS:

Hardware type: specifies the link-layer (hardware) type. Eg: Ethernet is 1
Protocol type: the internetwork protocol for which the ARP request is intended. Eg: IPv4 is 0x0800
Hardware length: length in octets of a hardware address. Eg: Ethernet addresses are 6 octets
Protocol length: length in octets of the addresses used in the upper-layer protocol. Eg: IPv4 addresses are 4 octets
Operation: operation that the sender is performing: 1 for request, 2 for reply.
Sender hardware address: media address of the sender
Sender protocol address: internetwork address of the sender
Target hardware address: media address of the intended receiver (field is ignored in requests)
Target protocol address: internetwork address of the intended receiver.


SO HOW DOES ARP WORK?
- Each device has an ARP cache, which contains a mapping of L3 addresses to L2 addresses.
- When a device wants to send data to a target device (to its IP address), it first has to find the
   MAC address of that device.
- If the IP address does not appear in the sending device's ARP cache, then the initiating device
   first sends an ARP-request message on the local subnet.
- All ARP-REQUESTs are sent on the Ethernet Broadcast address.
- Since it is a broadcast, it is received by all the devices on the LAN.
- Every device checks if the given IP address belongs to itself:
  - If NO, then the host discards the packet. However, IF AND ONLY IF an entry exits for the 
    sender's IP address in this host's ARP cache, the entry is updated with the latest MAC address.
    If there is no entry for this sender IP address, then the ARP cache on this host is not touched.
  - If YES, then the host sends an ARP-reply in response to the broadcast, with its own MAC
     address in the reply packet.
- When an ARP-request is answered, both the sender of the ARP-reply and the original ARP
   request-er, record each other's IP address and MAC address as an entry in their respective
   ARP caches for future reference.
- If no ARP-reply is received for an ARP-request, then it means that no data can be sent to that
  IP address.
- Entries from an ARP cache are removed after a pre-determined timeout.

PROXY ARP:
When a router receives an ARP-request from one network for a host which is on another network, it responds with an ARP-reply carrying its own MAC address.
Eg:
- Host A is in one network, host B is in another network and router C connects these two networks.
- When host A sends an ARP-request to resolve the IP address of host B, router C receives this packet.
- Router C sends an ARP-reply with its own MAC address.
- Host A will now send all packets destined for host B to router C.
- Router C then forwards those packets to host B.


GRATUITOUS ARP:
When a host sends an ARP-request to resolve its own IP address, it is called a Gratuitous ARP. In the ARP-request packet, the sender protocol address and the target protocol address are both set to the host's own IP address.
Gratuitous ARP is used in the following cases:
- Detecting an IP address conflict:
  Ideally, there should be no ARP-reply to a gratuitous ARP-request.
  But if there is another host in the network with the same IP address as
  the source host, then the source host will get an ARP-reply. This way a
  host can determine whether there is another host on the network with its IP
  address.
  Also, any host that receives an ARP-request with its own IP address in
  the sender field will know that there is an IP address conflict.

- Updating ARP caches with new information:
  When the NIC in a device is changed, its MAC-address-to-IP-address
  mapping changes. When the host is rebooted, it sends an ARP-request
  for its own IP address. As this is a broadcast packet, all the
  hosts in the network receive and process it, and those that already hold
  a mapping for that IP address update it with the new MAC address.
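The packet format, the cache-update rules in "So how does ARP work?", and the gratuitous ARP cases above, worked through together as an added example (not code from the page or from any operating system). Hosts, addresses and the LAN broadcast are constructed inline; the rule that an unsolicited packet only updates an entry that already exists, and that a new entry is created only by a reply to the host's own request, is the page's rule. The rogue host in the demo is part of the example, not something the page describes.

```python
"""ARP packet encode/decode plus a cache that applies the page's update rules.

Added example, not from the page or from any OS network stack. ARP carries no
authentication, so which packets are allowed to change a cache entry is what
decides how far a spoofed packet gets; the rules here are the ones on the page.
"""
import struct

ETH_HW, IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def encode(op, sha, spa, tha, tpa):
    """28-byte IPv4-over-Ethernet ARP packet, fields in the order of the table."""
    return (struct.pack("!HHBBH", ETH_HW, IPV4, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def decode(pkt):
    if len(pkt) != 28:
        raise ValueError("unexpected ARP packet length %d" % len(pkt))
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (hw, proto, hlen, plen) != (ETH_HW, IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"op": op, "sha": mac_str(pkt[8:14]), "spa": ip_str(pkt[14:18]),
            "tha": mac_str(pkt[18:24]), "tpa": ip_str(pkt[24:28])}


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.cache, self.pending, self.conflict = {}, set(), False

    def resolve(self, target_ip):
        """Broadcast request for target_ip (None if already cached)."""
        if target_ip in self.cache:
            return None
        self.pending.add(target_ip)
        return encode(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def announce(self):
        # gratuitous ARP: sender and target protocol address are both our own IP
        return encode(OP_REQUEST, self.mac, self.ip, ZERO_MAC, self.ip)

    def receive(self, pkt):
        a = decode(pkt)
        if a["spa"] == self.ip and a["sha"] != self.mac:
            # Another MAC claims our IP: conflict. Answer a gratuitous request
            # so the other side learns of the conflict too.
            self.conflict = True
            if a["op"] == OP_REQUEST:
                return encode(OP_REPLY, self.mac, self.ip, a["sha"], a["spa"])
            return None
        if a["op"] == OP_REQUEST:
            if a["tpa"] != self.ip:
                if a["spa"] in self.cache:          # rule: update only an existing entry
                    self.cache[a["spa"]] = a["sha"]
                return None
            self.cache[a["spa"]] = a["sha"]          # we answer, so we record the asker
            return encode(OP_REPLY, self.mac, self.ip, a["sha"], a["spa"])
        if a["op"] == OP_REPLY and a["tpa"] == self.ip and a["spa"] in self.pending:
            self.pending.discard(a["spa"])
            self.cache[a["spa"]] = a["sha"]          # answer to our own request
        return None


def demo():
    """Constructed LAN: A resolves B, then a rogue host announces A's address."""
    a = Host("10.0.0.1", "02:00:00:00:00:01")
    b = Host("10.0.0.2", "02:00:00:00:00:02")
    c = Host("10.0.0.3", "02:00:00:00:00:03")
    lan = [a, b, c]

    def broadcast(pkt, sender):
        replies = []
        for h in lan:
            if h is not sender:
                r = h.receive(pkt)
                if r:
                    replies.append(r)
        return replies

    for reply in broadcast(a.resolve("10.0.0.2"), a):   # unicast reply back to A
        a.receive(reply)
    rogue = Host("10.0.0.1", "02:00:00:00:00:99")       # constructed duplicate address
    for reply in broadcast(rogue.announce(), rogue):
        rogue.receive(reply)
    return {"a_cache": dict(a.cache), "b_cache": dict(b.cache), "c_cache": dict(c.cache),
            "a_conflict": a.conflict, "rogue_conflict": rogue.conflict}
```

After the demo, A and the rogue both detect the conflict, C's cache is untouched because it never held an entry for 10.0.0.1, and B's existing entry for 10.0.0.1 now points at the rogue's MAC. That last outcome follows directly from the update rule described above and from ARP having no authentication, which is why unsolicited ARP on a LAN is usually constrained by static entries or switch-side inspection rather than by the hosts themselves.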



Thursday, 22 March 2012

IP Addressing

A name indicates what we seek. 
                An address indicates where it is. 
                                   A route indicates how to get there...


  • IP addresses are globally unique 32-bit numbers, normally written as four octets in dotted-decimal notation, for example 171.32.12.2.
  • As far as the devices on the network are concerned, an ip address is just a 32-bit binary number.
  • IP addresses are broken down into two parts, a network identifier and a host identifier.


CLASSFUL ADDRESSING:


Class   Class identifier                     Network prefix                          Host portion
A       First octet in the range 1–126*      First octet (N.H.H.H):                  Remaining three octets:
                                             1.xxx.xxx.xxx to 126.xxx.xxx.xxx        xxx.0.0.0 to xxx.255.255.255
B       First octet in the range 128–191     First two octets (N.N.H.H):             Remaining two octets:
                                             128.0.xxx.xxx to 191.255.xxx.xxx        xxx.xxx.0.0 to xxx.xxx.255.255
C       First octet in the range 192–223**   First three octets (N.N.N.H):           Remaining octet:
                                             192.0.0.xxx to 223.255.255.xxx          xxx.xxx.xxx.0 to xxx.xxx.xxx.255


  • Class D addresses are for multicasting and Class E addresses are reserved for future use.

Addresses starting with 0 and 127 are reserved:


- The all-zeros address is reserved as the default network. This is used by routers as a way to identify where to send a packet when there is no match for it in a routing table.

- Addresses starting with 127 are loopback addresses; they point to your own device.
So why do we need loopback addresses? Why send packets to yourself? Do we really need this?
          YES, we do! Here's why:

*  Client software on a device can use it to talk to a server (a web server, say) running on the same device. This lets services be tested without exposing them to the network.

*  Pinging the loopback interface is the first test to check that the IP stack itself is working.

IMP: A particular use of the loopback network is in MPLS traceroute (LSP ping) error detection. Because loopback addresses are never routed, a probe that falls out of the label-switched path is discarded rather than delivered to an end user.

  • Any IP address with all the Host Bits set to zero - indicates the network itself.
  • Any IP address with all the Host Bits set to one - indicates the broadcast address for that network.
  • To determine the number of usable hosts in a network, the formula is:
                             2^n – 2, where n is the number of bits in the host space.

          The subtraction of 2 is for the network address and the broadcast address. The same formula
          was traditionally applied to the subnet bits under classful rules, which did not allow the
          all-zeros and all-ones subnets; classless routing uses all 2^n subnets.

Some networks are reserved for private use (RFC 1918) and cannot be used on the internet:
Class   Address range
A       10.x.x.x
B       172.16.x.x through 172.31.x.x
C       192.168.x.x


These addresses are used for private networks such as (1) test labs and (2) corporate intranets.


This CLASSFUL ADDRESSING, however, does not allow for efficient use of the available addresses. Networks are either too big or too small - hence, unmanageable. CLASSLESS ADDRESSING, on the other hand, allows networks to be divided into smaller, manageable networks. This is done using the concept of SUBNETTING.




CLASSLESS ADDRESSING:


Classless Addressing allows for a hierarchical architecture of IP addresses. The Internet, as a whole is at the top, whereas, the levels below are the smaller networks / sub-networks in it.



To use sub-netting, the host portion is broken up into two parts:
 - sub-network part
 - host part


But since the network part is the only part which is significant to the internet, the subnets are not visible outside of the private network of local organizations.
Hence, the route from the internet to any subnet of a given IP address is the same, irrespective of which subnet the destination host lies in. The local routers will then decide which subnet to route the packets to.


This has two advantages (and they are the very reasons for the classless routing concept):


-- It reduces the complexity of the routing table, since only one network address is required to reach an organization.
-- This also prevents the depletion of available network addresses because each data link does not need to take up a full IP network.



SUBNET MASK:


- A subnet mask is used to determine which subnet an IP address belongs to.


It has a 1 bit in every position of the network part plus the bits reserved for identifying the subnet, and a 0 bit in every host position.
The subnet to which a particular IP address belongs is found by a bitwise AND of the mask and the IP address. The result of this operation is the subnetwork address:


Subnet Mask       255.255.248.0     11111111.11111111.11111000.00000000
IP Address        145.115.9.11      10010001.01110011.00001001.00001011
Subnet Address    145.115.8.0       10010001.01110011.00001000.00000000
The subnet address is 145.115.8.0
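The classful lookup and the mask arithmetic from the sections above, as an added example (not code from the page). It reproduces the page's own worked case, 145.115.9.11 with mask 255.255.248.0, and generalises to any contiguous mask, also giving the broadcast address, the host count (2^n − 2) and the RFC 1918 private-range check; a mask whose one bits are not contiguous is rejected.

```python
"""Classful lookup and classless subnet arithmetic on dotted-decimal
addresses. Added example, not from the page. It works the page's own example
(145.115.9.11 with mask 255.255.248.0) and generalises to any contiguous mask.
"""


def to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted-decimal address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful(dotted):
    """Class by first octet, per the classful table above."""
    first = to_int(dotted) >> 24
    if first == 0:
        return "reserved (default network)"
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


# RFC 1918 private ranges from the page's table, as (network, mask).
PRIVATE = [("10.0.0.0", "255.0.0.0"),
           ("172.16.0.0", "255.240.0.0"),
           ("192.168.0.0", "255.255.0.0")]


def is_private(dotted):
    n = to_int(dotted)
    return any(n & to_int(mask) == to_int(net) for net, mask in PRIVATE)


def prefix_length(mask):
    """Number of leading one bits; rejects masks whose ones are not contiguous."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return ones


def subnet(dotted, mask):
    """AND of address and mask gives the subnet address; OR with the inverted
    mask gives the broadcast address. Usable hosts is 2^n - 2 for n host bits."""
    ip, m = to_int(dotted), to_int(mask)
    plen = prefix_length(mask)
    network = ip & m
    broadcast = network | (~m & 0xFFFFFFFF)
    host_bits = 32 - plen
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "prefix": "%s/%d" % (to_dotted(network), plen),
        "usable_hosts": max(2 ** host_bits - 2, 0),
        "is_network_address": ip == network,
        "is_broadcast_address": ip == broadcast,
    }
```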





Internet Protocol (IP) - HEADER FORMAT

IP HEADER:



FIELDS:
  • Version (4 for IPv4)    (4 bits)
  • IP Header Length (in 32-bit words; 5 when there are no options)   (4 bits)
  • TOS (how the datagram should be handled)    (8 bits)
  • Total Length (length of the IP datagram in octets, including the header and the data part)  (16 bits)
  • Identification (the same value in every fragment of one original datagram, so the receiver can reassemble it)     (16 bits)
  • Flags (to control fragmentation: reserved, Don't Fragment, More Fragments)    (3 bits)
  • Fragment Offset (measured in units of 8 bytes; the offset of this fragment's data within the original datagram)     (13 bits)
  • TTL (nominally the seconds the datagram may live before being discarded; in practice a hop count, since every router decrements it by one and discards the datagram when it reaches zero)    (8 bits)
  • Protocol (which higher-level protocol to hand the data to)     (8 bits)
  • Header Checksum (covers the header only, to detect corruption)    (16 bits)
  • Source Address (IP address of the sender)     (32 bits)
  • Destination Address (IP address of the receiver)    (32 bits)
  • Options (used for various options such as recording the route taken, specifying the route to be taken, and time stamping)   (variable)
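The field list above, turned into a parser as an added example (not code from the page). It builds a datagram from constructed values, checks the header the way a receiving stack must (version, IHL, total length against the bytes actually received, header checksum), decodes the fragmentation fields, and shows the per-hop TTL decrement and checksum rewrite a router performs. The addresses and payload are constructed; the code is not from any real stack.

```python
"""Build, parse and forward an IPv4 header. Added example, not from the page.
The datagram is constructed inline; the header checksum is computed over the
header only, with the checksum field taken as zero, as the field list says.
"""
import struct

HEADER = "!BBHHHBBH4s4s"                 # 20 bytes without options
FLAG_DF, FLAG_MF = 0b010, 0b001


def header_checksum(header):
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_datagram(src, dst, payload, ident=0x1234, ttl=64, protocol=17,
                   flags=FLAG_DF, fragment_offset=0, tos=0):
    ihl = 5                                # no options: 5 x 32-bit words
    hdr = struct.pack(HEADER, (4 << 4) | ihl, tos, ihl * 4 + len(payload), ident,
                      (flags << 13) | (fragment_offset // 8), ttl, protocol, 0,
                      _addr(src), _addr(dst))
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_header(datagram):
    if len(datagram) < 20:
        raise ValueError("short IPv4 header")
    (vihl, tos, total, ident, ff, ttl, protocol, csum,
     src, dst) = struct.unpack(HEADER, datagram[:20])
    version, ihl = vihl >> 4, (vihl & 0xF) * 4
    if version != 4 or ihl < 20 or ihl > len(datagram):
        raise ValueError("bad version/IHL")
    # Never trust Total Length beyond the bytes actually received.
    if total < ihl or total > len(datagram):
        raise ValueError("total length inconsistent with received bytes")
    if header_checksum(datagram[:10] + b"\x00\x00" + datagram[12:ihl]) != csum:
        raise ValueError("bad header checksum")
    return {
        "ihl": ihl, "tos": tos, "total_length": total, "id": ident,
        "df": bool((ff >> 13) & FLAG_DF), "mf": bool((ff >> 13) & FLAG_MF),
        "fragment_offset": (ff & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl, "protocol": protocol, "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": datagram[20:ihl],
    }


def forward(datagram):
    """What a router does to the header: decrement TTL, discard at zero,
    recompute the checksum. Returns None when the datagram is dropped."""
    hdr = parse_header(datagram)
    if hdr["ttl"] <= 1:
        return None
    out = bytearray(datagram)
    out[8] -= 1                            # TTL is byte 8 of the header
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", header_checksum(bytes(out[:hdr["ihl"]])))
    return bytes(out)


# Constructed sample: 8 bytes of payload between two documentation addresses.
SAMPLE = build_datagram("192.0.2.1", "198.51.100.7", b"\x00" * 8)
```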

TOS:












FRAGMENTATION FIELDS:













IP OPTIONS:



Networking Fundamentals - NOTES

  • A frame is data encapsulated with destination and source MAC addresses.
  • MAC Address: 48 bits
    eg: 0000.0c47.93c1


BRIDGING: 

  • A device that passes frames between multiple network segments that use the same communications media.
  • If a frame is destined for a user within the sender's own network segment, the bridge keeps the frame local.
  • If the frame is bound for another segment, the bridge passes the frame on to the network backbone.
  • In general, a bridge will filter, forward, or flood an incoming frame based on the destination MAC address of that frame.


It is important to note when bridging a frame that as the frame moves through the internetwork, its destination and source MAC addresses always stay the same. They do not take on the MAC address of the interfaces on the bridge.

Bridges forward (flood) broadcast frames to all other segments.
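The filter / forward / flood decision described above, as an added example (not code from the page or from any switch). The bridge learns which port each source MAC was seen on, floods unknown and broadcast destinations, filters frames whose destination is on the ingress segment, and never rewrites either MAC address. Ports, MACs and the frame sequence are constructed for the example.

```python
"""A learning bridge's filter/forward/flood decision. Added example, not from
the page. Frames are (dst_mac, src_mac) pairs arriving on a numbered port;
the bridge learns source addresses and never rewrites either address.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                 # MAC -> port it was last seen on

    def handle(self, dst, src, in_port):
        """Return (action, out ports) for one frame; learns src on the way."""
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            # unknown or broadcast destination: flood every other port
            return "flood", [p for p in self.ports if p != in_port]
        out = self.table[dst]
        if out == in_port:
            return "filter", []         # destination is on the sender's own segment
        return "forward", [out]


def demo():
    """Constructed trace: A on port 0, B and C on port 1, port 2 empty."""
    b = Bridge(ports=[0, 1, 2])
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    trace = [
        b.handle(B, A, 0),          # A -> B, B unknown: flood
        b.handle(A, B, 1),          # B -> A, A learned on port 0: forward
        b.handle(B, C, 1),          # C -> B, both on port 1: filter
        b.handle(BROADCAST, A, 0),  # broadcast: flood
    ]
    return trace, dict(b.table)
```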


ROUTERS AND ROUTING TABLES:
  • The device that makes internetworking possible is the router.
  • The job of the router is to keep track of which path to use when transferring data from one network to another.
  • To determine which routes to use and which routes are the most optimal, routers use a set of rules called routing protocols and store the results in routing tables.
  • A packet is data encapsulated with a destination and source network address.
  • If the router does not have the destination network in its routing table, it does one of two things: The router either forwards the packet to a predetermined default router, or it drops the packet and informs the sending device that the network is not reachable.


The fundamental concept of routing: As the data moves through the network, the destination and source network addresses stay the same, while the data-link address changes with each different network.


  • Routers use routing tables to store information about destinations in the internetwork.
  • Some routing protocols maintain an entry for each possible path to a destination. Other protocols maintain only the most desirable path to each destination. 
  • Information that a routing table contains includes the destination address, interface, and the desirability of a path. 
  • An IP routing table consists of destination address/next-hop pairs. The next hop is the IP address of the router that the outbound packet is handed to. 
  • A routing table entry can be read as: to reach network A, send the packet to next hop Node A via interface 0.
  • Routers communicate with each other using Routing Updates.


NETWORK ADDRESSING: 
  • Unlike link-layer addresses, which usually exist within a flat address space, network-layer addresses are hierarchical.
  • End systems require one network-layer address per physical network connection for each network-layer protocol they support.
  • A network-layer address will always have a network part and a host part.