Page 1

bill@napier, 2002

http://www.soc.napier.ac.uk/~bill/nos.html

Networking Operating Systems (CO32010)

1. Operating Systems
2. Processes and scheduling
3. Distributed processing
4. Distributed file systems
5. Routing protocols
6. Routers
7. Encryption
8. NT, UNIX and NetWare

1.1 NOS definition and units
1.2 Computer Systems
1.3 Multitasking and Threading
1.4 Exercises

Objectives:
• To outline the main areas covered in the module.
• To define some of the basic terminology of operating systems.
• To define the main components of a network operating system.
• To define the differences in operating systems.

Page 2

Definition of an NOS

The infrastructure that allows the reliable distribution of processes, file systems, networking components, networking protocols and other associated components, in order to produce a system which is reliable and secure, and which operates within a required specification.

[Diagram: the NOS components covered in the module: router programming and security, routing protocols, encryption, distributed processing, processing and scheduling, distributed file systems]

Page 3

[Diagram: module map showing routers and a server on a network, with the units attached to them: 6. Router Programming, 7. NOS's, 2. Processes and scheduling, 5. Distributed file systems, 8. Encryption, 3. Distributed Processing, 5. Routing Protocols]

Page 4

Areas covered

• Introduction. This unit provides a basic introduction to some of the concepts involved with operating systems, such as the basic definitions involved in computer systems.

• Processes and Scheduling. This unit outlines some of the key concepts in the operation of an operating system, especially related to processes and scheduling.

• Distributed Processing. This unit outlines some of the standard methods which are used to control the distribution of processes over a network. A key focus is on the RPC protocol, which is a standard method for distributing processes.

• Distributed File Systems. This unit outlines some of the methods which can be used to distribute file systems over a network. A key focus of this unit is the NFS standard, which can be used to distribute file systems over a network.

• Routing Protocols. This unit outlines some of the key methods, and the problems that occur, with standard routing protocols.

• Routers and ACLs. This unit outlines how routers are programmed, and how ACLs can be applied to facilitate network security.

• Encryption. This unit outlines the principles of methods which allow data to be encrypted.

• Networking Operating Systems. This unit outlines the three main networking operating systems: UNIX, Novell NetWare and Microsoft Windows.

Page 5

Hardware, Operating Systems and User Interfaces

User interface:
• Microsoft Windows (Windows 95/NT/2000/XP).
• Microsoft Windows 3.1.
• X-Windows.

Operating system:
• Microsoft Windows (Windows 95/NT/2000/XP).
• DOS.
• UNIX/Linux.
• VMS.
• Novell NetWare.

Hardware:
• x86 architecture.
• SPARC architecture.
• Apple architecture.

Page 6

Hardware, Operating Systems and User Interfaces

[Diagram: the components of an operating system: kernel, memory, file system, users, groups, user account database, resources, volumes, printers, printer server and print queues]

Page 7

Operating system characteristics

• Single-user v. multi-user
• Stand-alone v. networked
• Single-tasking v. multitasking
• Single processor v. multi-processor

Page 8

Operating system characteristics

• Local processing v. distributed processing
• Embedded v. non-embedded

Page 9

Operating Systems

[Diagram: operating systems layered on top of the hardware: Microsoft Windows 95/98, UNIX/LINUX, DOS, Mac OS and Microsoft Windows NT]

File system:
- Creating a file system
- Copying/deleting/moving files

Multi-user:
- Allowing users to log into the system
- Allowing users permissions to certain resources
- Managing queues for resources

Memory:
- Creating virtual memory systems
- Disk swapping for memory

Multiprocessing:
- Allowing several processes to run at a time
- Scheduling of processes to allow priority

Device interfacing:
- Access to connected devices
- Multi-user access
- Device drivers

Networking:
- Remote login/file transfer
- Creating global file systems

Page 10

Operating System Components

[Diagram: application programs communicate with the operating system; its kernel talks to the mouse, keyboard, video, soundcard and network drivers]

Page 11

Information passed between processes

[Diagram: processes, on a network or on the local computer, pass data to each other by message or signal; each process is also driven by low-level interrupts]

Page 12

Preemptive Multitasking

[Cartoon: a processor with a process queue (processes 2, 3, 4 and 5). The processor tells process 1 "Okay No.1, you've had your turn, get to the back of the queue. Next!", while a queued process says "Come on. My turn soon".]

Pre-emptive multitasking: processes are given some time on the processor. This allows all the processes to have some time on the processor, and makes for smoother and more reliable operation.

Page 13

Co-operative Multitasking

[Cartoon: process 1 holds the processor ("Hurray. I could stay here forever. Anyway, I'm not going back to the end of the queue."); processes 2, 3, 4 and 5 wait in the process queue ("Hurry up. I'm waiting. You've been on that processor for ages.", "This isn't very fair!"); process 6 is told "Sorry. You'll have to wait until he's finished".]

Co-operative multitasking: processes must yield the processor before other processes can run on it.

Page 14

Threads

[Diagram: splitting a process into threads. Process approach: a single process. Threads approach: the process splits into independent threads, with interlinking of threads and common sharing of data between threads.]

Page 15

2. Processes and scheduling

2.1 Introduction
2.2 Scheduling
2.3 Higher-level primitives
2.4 Signals, pipes and task switching
2.5 Messages
2.6 Microsoft Windows scheduling
2.7 UNIX process control

Objectives:
• To define the main parameters used in scheduling.
• To define some of the main scheduling techniques and be able to contrast them.
• To briefly define the usage of parallel processing.
• To outline the usage of high-level primitives, such as signals, pipes and task-switching.
• To give examples of practical process control.

Page 16

3. Distributed processing

3.1 Introduction
3.2 Interprocess communication
3.3 Flags and semaphores
3.4 RPC
3.5 Multi-processor systems
3.6 Exercises

Objectives:
• To define the concept of distributed processing, and contrast centralized systems against distributed ones.
• To define mechanisms of interprocess control, such as pipes, semaphores, flags, and message queues.
• To define, in detail, how semaphores are used, and how they can prevent deadlock.
• To define the conditions for deadlock.
• To outline algorithms to prevent deadlock, such as the Banker's Algorithm.
• To outline practical interprocess control protocols, especially RPC.

Page 17

3.1 Centralised v. Distributed

[Diagram: a centralised bank hierarchy (head office, regional office, local office, ATM; customers, staff, logistics) against a distributed one, in which decision making, account management and logistics are distributed]

Page 18

3.6 Deadlock

• Resource locking. This is where a process is waiting for a resource which will never become available. Some resources are pre-emptive, where processes can release their access on them, and give other processes a chance to access them. Others, though, are non-pre-emptive, and processes are given full rights to them. No other processes can then get access to them until the currently assigned process is finished with them. An example of this is with the transmission and reception of data on a communication system. It would not be a good idea for a process to send some data that required data to be received, in return, to yield to another process which also wanted to send and receive data.

• Starvation. This is where other processes are run, and the deadlocked process is not given enough time to catch the required event. This can occur when processes have a low priority compared with other ones, as higher priority tasks tend to have a better chance to access the required resources.

Page 19

3.7 Analogy to deadlock

[Diagram: six cars, A to F, arriving at a junction]

Page 20

3.8 Four conditions for deadlock

• Mutual exclusion condition. This is where processes get exclusive control of required resources, and will not yield the resource to any other process.

• Wait for condition. This is where processes keep exclusive control of acquired resources while waiting for additional resources.

• No pre-emption condition. This is where resources cannot be removed from the processes which have gained them, until they have completed their access on them.

• Circular wait condition. This is a circular chain of processes on which each process holds one or more resources that are requested by the next process in the chain.

Page 21

3.7 Analogy to deadlock

[Diagram: the six cars, A to F, blocked at the junction. Circular wait condition. Mutual exclusion condition and no pre-emption: none of the cars will give up their exclusive access to the junction.]

Page 22

3.9 Banker’s Algorithm (Safe condition)

Process A requires a maximum of 50MB.
Process B requires a maximum of 40MB.
Process C requires a maximum of 60MB.
Process D requires a maximum of 40MB.

Process   Current allocation   Maximum allocation required
A         40                   50
B         20                   40
C         20                   60
D         10                   40

Resource unallocated: 10

The current state would be safe, as Process A can complete, which releases 50 MB (which allows the other processes to complete).

Page 23

3.10 Banker's Algorithm (Unsafe condition)

Process A requires a maximum of 50MB.
Process B requires a maximum of 40MB.
Process C requires a maximum of 60MB.
Process D requires a maximum of 40MB.

Process   Current allocation   Maximum allocation required
A         15                   50
B         30                   40
C         45                   60
D         0                    40

Resource unallocated: 5

The current state would be unsafe, as no process can complete.

Page 24

3.11 Banker’s Algorithm

Each process has exclusive access to the resources that have been granted to it. An allocation is only granted if there is enough left for at least one process to complete and release its allocated resources. Processes whose request for a resource is rejected must wait until some resources have been released, and the allocation must stay in the safe region.

Problems:
• Requires processes to define their maximum resource requirement.
• Requires the system to define the maximum amount of a resource.
• Requires a maximum number of processes.
• Requires that processes return their resources in a finite time.
• Processes must wait for allocations to become available. A slow process may stop many other processes from running as it hogs the allocation.
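The safe and unsafe states of the two previous slides and the allocation rule above, worked through in an added C example (not code from the lecture slides). The process names, allocations and maxima are the slides' figures, for a single resource type as on the slides; bankers_can_grant, which tests a request against the safety check before granting it, goes one step beyond the slides' tables.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the lecture slides: the Banker's safety check for a
 * single resource type (memory in MB, as on the slides). A state is safe when
 * some order exists in which every process can be granted its full remaining
 * need, run to completion and hand its allocation back to the pool. */

#define MAX_PROCS 16

struct proc_state {
    const char *name;
    int allocated;   /* MB currently held by the process */
    int maximum;     /* MB the process declared it may need at most */
};

/* Returns true when the state is safe, writing a completion order (process
 * names) into 'order' if it is non-NULL; returns false when no process can
 * ever finish, i.e. the state is unsafe and may deadlock. */
bool bankers_safe(const struct proc_state *p, int n, int unallocated,
                  const char *order[])
{
    bool done[MAX_PROCS] = { false };
    int free_mb = unallocated;
    int finished = 0;

    if (n > MAX_PROCS) return false;
    while (finished < n) {
        bool progress = false;
        for (int i = 0; i < n; i++) {
            int need = p[i].maximum - p[i].allocated;
            if (done[i] || need > free_mb) continue;
            /* Process i can be given everything it still needs, so it can
             * complete and release all it holds back to the pool. */
            free_mb += p[i].allocated;
            done[i] = true;
            if (order) order[finished] = p[i].name;
            finished++;
            progress = true;
        }
        if (!progress) return false;   /* nobody fits in the free pool */
    }
    return true;
}

/* Banker's rule for a request: grant 'request' MB to process 'idx' only if the
 * resulting state would still be safe. The check is done on a copy. */
bool bankers_can_grant(const struct proc_state *p, int n, int unallocated,
                       int idx, int request)
{
    struct proc_state tmp[MAX_PROCS];
    if (n > MAX_PROCS || idx < 0 || idx >= n) return false;
    if (request > unallocated) return false;                        /* not available */
    if (p[idx].allocated + request > p[idx].maximum) return false;  /* over declared max */
    for (int i = 0; i < n; i++) tmp[i] = p[i];
    tmp[idx].allocated += request;
    return bankers_safe(tmp, n, unallocated - request, NULL);
}

/* The two states from the slides (figures copied from the tables above). */
static const struct proc_state SAFE_STATE[4] = {
    { "A", 40, 50 }, { "B", 20, 40 }, { "C", 20, 60 }, { "D", 10, 40 }
};
static const struct proc_state UNSAFE_STATE[4] = {
    { "A", 15, 50 }, { "B", 30, 40 }, { "C", 45, 60 }, { "D", 0, 40 }
};

int main(void)
{
    const char *order[4];
    if (bankers_safe(SAFE_STATE, 4, 10, order)) {
        printf("first state is safe; completion order:");
        for (int i = 0; i < 4; i++) printf(" %s", order[i]);
        printf("\n");
    }
    printf("second state is %s\n",
           bankers_safe(UNSAFE_STATE, 4, 5, NULL) ? "safe" : "unsafe");
    /* From the safe state, granting B another 10 MB would leave 0 MB free
     * with every process still short of its maximum, so the banker refuses. */
    printf("grant B 10 MB from the safe state: %s\n",
           bankers_can_grant(SAFE_STATE, 4, 10, 1, 10) ? "allowed" : "refused");
    return 0;
}
```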

Page 25

3.12 RPC

[Diagram: two hosts, each with the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical), connected over Ethernet/ISDN/FDDI/ATM/etc. RPC sits at the session layer, over TCP/IP or UDP/IP at the transport layer; an application program on one host runs a remote process on the other.]

Network layer: responsible for routing data over the network and delivering it at the destination.
Transport layer: sets up a virtual connection and streams data.
Session layer (RPC): supports the running of remote processes and the passing of run parameters and results.

Page 26

3.13 RPC operation

[Diagram: client and server exchange. The server process waits for a call. The caller process sends a call message, with all the procedure's parameters (process and parameters), and then waits for a response. The server reads the parameters and runs the process, then sends the results to the client. The server process then waits for the next call.]

Page 27

RPC

RPC provides:

• A unique specification of the called procedure.
• A mechanism for matching response parameters with request messages.
• Authentication of both callers and servers. The call message has two authentication fields (the credentials and verifier), and the reply message has one authentication field (the response verifier).
• Protocol errors/messages (such as incorrect versions, errors in procedure parameters, indication on why a process failed and reasons for incorrect authentication).

Page 28

RPC

RPC provides three fields which define the called procedure:

• Remote program number. These are numbers which are defined by a central authority (like Sun Microsystems).

• Remote program version number. This defines the version number, and allows for migration of the protocol, where older versions are still supported. Different versions can possibly support different message calls. The server must be able to cope with this.

• Remote procedure number. This identifies the called procedure, and is defined in the specification of the specific program’s protocol. For example, file service may define that an 8 defines a read operation and a 10 defines a write operation.

Page 29

RPC

RPC call message format:

• Message type. This is either CALL (0) or REPLY (1).
• Message status. There are two different message status fields, depending on whether it is a CALL or a REPLY.
• Rpcvers. RPC version number (unsigned integer).
• Prog, vers and proc. Specifies the remote program, its version number and the procedure within the remote program (all unsigned integers).
• Cred. Authentication credentials.
• Verf. Authentication verifier.
• Procedure-specific parameters.

Page 30

RPC authentication

• No authentication (AUTH_NULL). No authentication is made when callers do not know who they are or when the server does not care who the caller is. This type of method would be used on a system that did not have external connections to networks, and assumes that all the callers are valid.

• Unix authentication (AUTH_UNIX). Unix authentication uses the Unix authentication system, which generates a data structure with a stamp (an arbitrary ID which the caller machine may generate), machine name (such as 'Apollo'), UID (caller's effective user ID), GID (the caller's effective group ID) and GIDS (an array of groups which contain the caller as a member).

• Short authentication (AUTH_SHORT).

• DES authentication (AUTH_DES). Unix authentication suffers from two problems: the naming is too Unix oriented and there is no verifier (so credentials can easily be faked). DES overcomes this by addressing the caller using its network name (such as 'unix.111@mycomputer.net') instead of by an operating system specific integer. These network names are unique on the Internet. For example, unix.111@mycomputer.net identifies user ID number 111 on the mycomputer.net system.
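The call message layout of the previous slide and the AUTH_UNIX credential described here, as an added C example (not code from the slides or from any RPC library): it encodes a CALL header in XDR form with an AUTH_UNIX credential and an AUTH_NULL verifier, then parses it back. The transaction id, the rusers program number 100002, the machine name 'Apollo' and UID 111 are constructed sample values taken from this page; the decoder simply reads the credential fields, which is the point made above about there being nothing to verify them against.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the slides: build and parse an ONC RPC CALL header in XDR
 * form, in the field order listed above (RFC 1057 layout). Every XDR integer is
 * 4 bytes big-endian; opaque data is length-prefixed and padded to 4 bytes. */
enum { RPC_CALL = 0, RPC_REPLY = 1, RPC_VERSION = 2 };
enum { AUTH_NULL_FLAVOR = 0, AUTH_UNIX_FLAVOR = 1, AUTH_SHORT_FLAVOR = 2, AUTH_DES_FLAVOR = 3 };
struct xdr_buf { uint8_t *data; size_t len; size_t pos; };

static bool xdr_put_u32(struct xdr_buf *b, uint32_t v)
{
    if (b->pos + 4 > b->len) return false;
    for (int shift = 24; shift >= 0; shift -= 8) b->data[b->pos++] = (uint8_t)(v >> shift);
    return true;
}

static bool xdr_get_u32(struct xdr_buf *b, uint32_t *v)
{
    if (b->pos + 4 > b->len) return false;
    *v = 0;
    for (int i = 0; i < 4; i++) *v = (*v << 8) | b->data[b->pos++];
    return true;
}

/* XDR opaque/string: 4-byte length, the bytes, then zero padding to a 4-byte boundary. */
static bool xdr_put_opaque(struct xdr_buf *b, const uint8_t *p, uint32_t n)
{
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (!xdr_put_u32(b, n) || b->pos + padded > b->len) return false;
    memcpy(b->data + b->pos, p, n);
    memset(b->data + b->pos + n, 0, padded - n);
    b->pos += padded;
    return true;
}

/* Reads an opaque's length and steps over its body (opaque_auth bodies are at most 400 bytes). */
static bool xdr_skip_opaque(struct xdr_buf *b, uint32_t *n)
{
    if (!xdr_get_u32(b, n) || *n > 400) return false;
    size_t padded = ((size_t)*n + 3) & ~(size_t)3;
    if (b->pos + padded > b->len) return false;
    b->pos += padded;
    return true;
}

struct call_hdr {
    uint32_t xid, mtype, rpcvers, prog, vers, proc;
    uint32_t cred_flavor, cred_len, verf_flavor, verf_len;
    uint32_t unix_uid, unix_gid;   /* filled in only for AUTH_UNIX credentials */
};

/* Writes xid, CALL, rpcvers, prog, vers, proc, cred (AUTH_UNIX) and verf (AUTH_NULL).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t rpc_encode_call_auth_unix(uint8_t *out, size_t outlen, uint32_t xid,
                                 uint32_t prog, uint32_t vers, uint32_t proc,
                                 uint32_t stamp, const char *machine,
                                 uint32_t uid, uint32_t gid)
{
    /* AUTH_UNIX credential body: stamp, machinename, uid, gid, gids<16> (empty here). */
    uint8_t body[300];
    struct xdr_buf cb = { body, sizeof body, 0 };
    if (!xdr_put_u32(&cb, stamp) ||
        !xdr_put_opaque(&cb, (const uint8_t *)machine, (uint32_t)strlen(machine)) ||
        !xdr_put_u32(&cb, uid) || !xdr_put_u32(&cb, gid) || !xdr_put_u32(&cb, 0))
        return 0;
    struct xdr_buf b = { out, outlen, 0 };
    bool ok = xdr_put_u32(&b, xid) && xdr_put_u32(&b, RPC_CALL) &&
              xdr_put_u32(&b, RPC_VERSION) && xdr_put_u32(&b, prog) &&
              xdr_put_u32(&b, vers) && xdr_put_u32(&b, proc) &&
              xdr_put_u32(&b, AUTH_UNIX_FLAVOR) && xdr_put_opaque(&b, body, (uint32_t)cb.pos) &&
              xdr_put_u32(&b, AUTH_NULL_FLAVOR) && xdr_put_u32(&b, 0);   /* empty verifier */
    return ok ? b.pos : 0;
}

/* Parses a CALL header. Returns false for a truncated message, a REPLY, or an RPC
 * version other than 2: the cases a server answers with a protocol error message. */
bool rpc_decode_call(const uint8_t *in, size_t inlen, struct call_hdr *h)
{
    struct xdr_buf b = { (uint8_t *)in, inlen, 0 };
    memset(h, 0, sizeof *h);
    if (!xdr_get_u32(&b, &h->xid) || !xdr_get_u32(&b, &h->mtype) || h->mtype != RPC_CALL ||
        !xdr_get_u32(&b, &h->rpcvers) || h->rpcvers != RPC_VERSION ||
        !xdr_get_u32(&b, &h->prog) || !xdr_get_u32(&b, &h->vers) || !xdr_get_u32(&b, &h->proc) ||
        !xdr_get_u32(&b, &h->cred_flavor) || !xdr_get_u32(&b, &h->cred_len) || h->cred_len > 400)
        return false;
    size_t cred_end = b.pos + (((size_t)h->cred_len + 3) & ~(size_t)3);
    if (cred_end > inlen) return false;
    if (h->cred_flavor == AUTH_UNIX_FLAVOR) {
        /* stamp, machinename, uid and gid are all asserted by the client; with an
         * AUTH_NULL verifier the server has nothing to check them against. */
        uint32_t stamp, namelen;
        if (!xdr_get_u32(&b, &stamp) || !xdr_skip_opaque(&b, &namelen) ||
            !xdr_get_u32(&b, &h->unix_uid) || !xdr_get_u32(&b, &h->unix_gid))
            return false;
    }
    b.pos = cred_end;   /* step over whatever remains of the credential body (gids) */
    return xdr_get_u32(&b, &h->verf_flavor) && xdr_skip_opaque(&b, &h->verf_len);
}
```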

Page 31

RPC programming

RPC programming levels:

• Highest layer. At this level the calls are totally transparent to the operating system, the computer type and the network. With this the programmer simply calls the required library routine, and does not have to worry about any of the underlying computer type, operating system or networking. For example, the rnusers routine returns the number of users on a remote computer (as given in Program 3.2).

• Middle layer. At this level the programmer does not have to worry about the network connection (such as the TCP sockets), the Unix system, or other low-level implementation mechanisms. It just makes a remote procedure call to routines on other computers, and this is the most common implementation as it gives an increased amount of control over the RPC call. These calls are made with: registerrpc (which obtains a unique system-wide procedure identification number); callrpc (which executes a remote procedure call); and svc_run. In some more complex applications the middle layer does not allow for timeout specifications, choice of transport, Unix process control, or flexibility in handling errors. If these are required, the lower layer is used.

• Lowest layer. At this level there is full control over the RPC call, and this can be used to create robust and efficient connections.

Page 32

RPC highest level programming

#include <stdio.h>
#include <stdlib.h>
#include <rpcsvc/rusers.h>   /* declares rnusers() */

int main(int argc, char *argv[])
{
    int users;

    if (argc != 2) {
        fprintf(stderr, "Use: rnusers hostname\n");
        return 1;
    }
    /* rnusers() hides the RPC call entirely: it returns the number of users
     * logged on to the named host, or a negative value on failure. */
    if ((users = rnusers(argv[1])) < 0) {
        fprintf(stderr, "Error: rnusers\n");
        exit(-1);
    }
    printf("There are %d users on %s\n", users, argv[1]);
    return 0;
}

Page 33

RPC middle level programming

#include <stdio.h>
#include <stdlib.h>
#include <rpc/rpc.h>

#define RUSERSPROG    100002   /* Program number (rusersd in /etc/rpc) */
#define RUSERSVERSION 2        /* Version number */
#define RUSERSPROCVAL 1        /* Procedure number */

int main(int argc, char *argv[])
{
    unsigned long users;
    enum clnt_stat rtn;

    if (argc != 2) {
        fprintf(stderr, "Use: nusers hostname\n");
        exit(-1);
    }
    /* callrpc() sends a CALL for prog/vers/proc to the named host. The request
     * carries no arguments (xdr_void) and the reply is one unsigned long. */
    rtn = callrpc(argv[1], RUSERSPROG, RUSERSVERSION, RUSERSPROCVAL,
                  (xdrproc_t)xdr_void, NULL, (xdrproc_t)xdr_u_long, (char *)&users);
    if (rtn != RPC_SUCCESS) {
        clnt_perrno(rtn);   /* print the reason for the failed RPC */
        return 1;
    }
    printf("There are %lu users on %s\n", users, argv[1]);
    return 0;
}

Page 34

RPC lowest level programming

#include <stdio.h>
#include <rpc/rpc.h>

#define RUSERSPROG    100002   /* Program number (rusersd in /etc/rpc) */
#define RUSERSVERSION 2        /* Version number */
#define RUSERSPROCVAL 1        /* Procedure number */

/* Server-side routine: receives the decoded (void) argument and returns a
 * pointer to the result, which the library encodes with xdr_u_long. */
char *nuser(char *args)
{
    static unsigned long nusers;

    (void)args;
    nusers = 0;   /* a real server would count the logged-on users here */
    return (char *)&nusers;
}

int main(void)
{
    /* Register the procedure with the local portmapper, then hand control to
     * the RPC dispatcher; svc_run() only returns on error. */
    registerrpc(RUSERSPROG, RUSERSVERSION, RUSERSPROCVAL, nuser,
                (xdrproc_t)xdr_void, (xdrproc_t)xdr_u_long);
    svc_run();
    fprintf(stderr, "Error: server terminated\n");
    return 1;
}

Page 35

RPC lowest level programming

Sample contents of /etc/rpc file:

portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog

Each line gives the RPC service name and its RPC program number, followed by any aliases.

Page 36

4. Distributed file systems

4.1 Distributed File Systems
4.2 Active Directories
4.3 Exercises
4.4 Sample exam question

Objectives:
• To discuss the advantages of a distributed file system.
• To outline the different methods of mounting remote file systems onto a file system structure.
• To outline practical implementations of distributed file systems, especially NFS.
• To show how domains can be created and managed, especially using standard protocols, such as NIS.

Page 37

4.1 Distributed file system

[Diagram: a networked file system (NFS) over the network provides distributed databases, centralized configuration (passwords, user IDs, and so on), localized file storage (rather than accessing a remote file), remote drives mounted as a local drive, and administration services]

Page 38

4.2 Advantages of distributed file systems

• File system mirrors the corporate structure. File systems can be distributed over a corporate network, which might span cities, countries or even continents. The setup of a complete network file system over a corporation can allow the network to mirror the logical setup of the organization, rather than its physical and geographical organization. For example, the Sales Department might be distributed around the world, but the network it connects to is organized in the same way as the Sales Department itself.

• Easier to protect the access rights on file systems. In a distributed file system it is typical to have a strong security policy on the file system, and each file will have an owner who can define the privileges on this file. File systems on user computers tend to have limited user security.

• Increased access to single sources of information. Many users can have access to a single source of information. Having multiple versions of a file can cause a great deal of problems, especially if it is not known which one is the most up-to-date.

• Automated updates. Several copies of the same information can be stored, and when any one of them is updated they are synchronized to keep each of them up-to-date. Users can thus have access to a local copy of data, rather than accessing a remote copy of it. This is called mirroring files.

Page 39

4.3 Advantages of distributed file systems

• Improved backup facilities. A user's computer can be switched off, but their files can still be backed up from the distributed file system.

• Increased reliability. The distributed file system can have a backbone which is constructed from reliable and robust hardware, which is virtually 100% reliable, even when there is a power failure or a hardware fault.

• Larger file systems. In some types of distributed file systems it is possible to build up large file systems from a network of connected disk drives.

• Easier to administer. Administrators can easily view the complete file system.

• Interlinking of databases. Small databases can be linked together to create large databases, which can be configured for a given application. The future may also bring the concept of data mining, where agent programs will search for information with a given profile by interrogating databases on the Internet.

• Limiting file access. Organizations can set up an organizational file structure, in which users have a limited view of the complete file system.

Page 40

4.4 Traditional file structure v. corporate structure

[Diagram: tree structure (UNIX): the root \\ holding users (fred, bert), progs and config. Corporate structure (NDS/Active Directories): orgname holding sales, production and research, with a UK Office and a US Office.]

Page 41

4.5 Flat structures

[Diagram: flat structure: the nodes \\bert, \\fred and \\freddy, each with a local disk, joined over the network into a domain]

Windows NT uses a flat structure, where nodes join into a domain.

Page 42

4.6 Forest of drives v. single tree

[Diagram: drives mounted over the network to a forest of drives (C:, D:, E:, F:) against drives mounted over the network to create a single tree (a global file system with /etc, /user, /progs and /sys)]

Page 43

4.7 NFS services protocol stack

Layer          Protocol
Application    NFS, NIS
Presentation   XDR
Session        RPC
Transport      TCP
Network        IP
Data link      Ethernet/Token Ring
Physical       Ethernet/Token Ring

RPC is stateless: an NFS server waits for a client to contact it, then receives a request for a service and sends back the results.

XDR defines a common data format for the conversion of data values.

RPC defines a number of procedures which can be executed on the server, such as WRITE, CREATE, and so on.

Page 44

4.8 Some RPC procedures used by NFS

No.  Procedure                    Description
0    void NULL(void)              No operation
1    attrstat GETATTR(fhandle)    Get file attributes
2    attrstat SETATTR(sattrargs)  Set file attributes
6    readres READ(readargs)       Read from file
8    attrstat WRITE(writeargs)    Write to file
9    diropres CREATE(createargs)  Create file
10   stat REMOVE(diropargs)       Remove file
11   stat RENAME(renameargs)      Rename file
13   stat LINK(linkargs)          Create link to file
14   diropres MKDIR(createargs)   Create directory
15   stat RMDIR(diropargs)        Remove directory

Page 45

4.9 RPC procedures and responses

[Diagram: an NFS client sends RPC procedures (getattr, setattr, read, write, create, remove, rename, link, symlink, mkdir, rmdir, readdir) over the network to the NFS server, which holds the remotely accessed file system; the RPC response carries the requested data, parameters or a status flag (such as NFS_OK and NFSERR_PERM). The file system is mounted either onto a single tree or as a forest of drives.]


4.10 NIS domain

Figure 4.10 (diagram): clients in an NIS domain are served by a master NIS server, which maintains:

/etc/passwd      Domain passwords
/etc/groups      Domain groups
/etc/hosts       IP addresses and host names
/etc/rpc         RPC processes
/etc/network     Used to map IP addresses to networks
/etc/protocols   Known network layer protocols
/etc/services    Known transport layer protocols

Example files on the server:

#/etc/passwd
root:FDEc6.32:1:0:Super user:/user:/bin/csh
fred:jt.06hLdiSDaA:2:4:Fred Blogs:/user/fred:/bin/csh
fred2:jtY067SdiSFaA:3:4:Fred Smith:/user/fred2:/bin/csh

#/etc/groups
root::0:root
other::1:root,hpdb
bin::2:root,bin
sys::3:root,uucp
freds_grp::4:fred,fred2,fred3

#/etc/hosts
138.38.32.45 bath
198.4.6.3 compuserve
193.63.76.2 niss
148.88.8.84 hensa
146.176.2.3 janet

#/etc/rpc
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog

#/etc/protocols
ip 0 IP
icmp 1 ICMP
ggp 3 GGP
tcp 6 TCP

#/etc/services
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp
pop3 110/tcp

#/etc/networks
loopback 127.0.0.0
localnet 146.176.151.0
Production 146.176.142.0
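As an added example (not code from the slides), the following parses the passwd, group and services maps above into lookup tables, answers the kind of query a client makes against them, and runs the consistency checks an administrator would want before pushing a map to the domain. The map contents are constructed copies of the slide's files; the field layouts are the standard colon-separated passwd and group formats.

```python
# Constructed copies of the example files from the slide.
PASSWD = """\
root:FDEc6.32:1:0:Super user:/user:/bin/csh
fred:jt.06hLdiSDaA:2:4:Fred Blogs:/user/fred:/bin/csh
fred2:jtY067SdiSFaA:3:4:Fred Smith:/user/fred2:/bin/csh
"""
GROUP = """\
root::0:root
other::1:root,hpdb
bin::2:root,bin
sys::3:root,uucp
freds_grp::4:fred,fred2,fred3
"""
SERVICES = """\
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp
pop3 110/tcp
"""


def _records(text):
    """Yield non-empty, non-comment lines of a map file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_passwd(text):
    """passwd map keyed by login name: name -> {hash, uid, gid, gecos, home, shell}."""
    users = {}
    for line in _records(text):
        name, pwhash, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"hash": pwhash, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """group map keyed by group name: name -> {gid, members}."""
    groups = {}
    for line in _records(text):
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_services(text):
    """services map: service name -> (port, protocol)."""
    services = {}
    for line in _records(text):
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        services[name] = (int(port), proto)
    return services


def groups_of(name, users, groups):
    """Groups a user belongs to: the primary gid plus every group listing the user as a member."""
    result = set()
    for gname, g in groups.items():
        if name in users and g["gid"] == users[name]["gid"]:
            result.add(gname)
        if name in g["members"]:
            result.add(gname)
    return sorted(result)


def audit_passwd(users):
    """Checks worth running before a passwd map is served to every client in the domain."""
    findings = []
    by_uid = {}
    for name, u in users.items():
        if u["hash"] == "":
            findings.append("%s: empty password field" % name)
        if u["uid"] == 0 and name != "root":
            findings.append("%s: uid 0 but not root" % name)
        if name == "root" and u["uid"] != 0:
            findings.append("root: uid is %d, expected 0" % u["uid"])
        by_uid.setdefault(u["uid"], []).append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append("uid %d shared by %s" % (uid, ",".join(names)))
    return findings


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print("fred is in", groups_of("fred", users, groups))
    print("audit:", audit_passwd(users))
```

Run on the slide's own sample, the audit reports that root has uid 1 rather than 0. Note also that the map being parsed carries the password hash field: every client that can bind to the domain receives those hashes, which is the reason later NIS deployments moved them into a separate, restricted map.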


4.11 NIS master and slave(s)

Figure 4.11 (diagram): the master NIS server maintains /etc/passwd, /etc/groups, /etc/hosts, /etc/rpc, /etc/network, /etc/protocols, /etc/services and so on, and sends updates to the slave NIS servers in the NIS domain. An NIS client finds a server as follows:

1. The client is started.
2. The client broadcasts an NIS request to the domain.
3. The client then binds to the first server which responds.


4.12 inetd.conf – defines the network services that are started

# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
# Echo, discard and daytime are used primarily for testing.
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
discard stream  tcp  nowait  root    internal
discard dgram   udp  wait    root    internal
daytime stream  tcp  nowait  root    internal
daytime dgram   udp  wait    root    internal
time    dgram   udp  wait    root    internal
#
# These are standard services.
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/wu.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
#
# Shell, login, exec and talk are BSD protocols.
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
talk    dgram   udp  wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
ntalk   dgram   udp  wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
#
# Pop mail servers
pop3    stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
#bootps dgram   udp  wait    root    /usr/sbin/tcpd  /usr/sbin/in.bootpd
#finger stream  tcp  nowait  daemon  /usr/sbin/tcpd  /usr/sbin/in.fingerd
systat  stream  tcp  nowait  guest   /usr/sbin/tcpd  /usr/bin/ps -auwwx
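Every uncommented line in inetd.conf is a listening service, so the file is the first thing to read when reviewing what a host exposes. The following is an added example (not code from the slides): it parses the file above (embedded as a constructed copy) into the seven fields named in its header comment and reports which services are enabled, which run as root, whether each is wrapped by tcpd, and which are cleartext or test-only protocols. The classification sets are the author's assumptions, not part of the format.

```python
# Constructed copy of the inetd.conf shown on the slide.
INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
discard stream  tcp  nowait  root    internal
discard dgram   udp  wait    root    internal
daytime stream  tcp  nowait  root    internal
daytime dgram   udp  wait    root    internal
time    dgram   udp  wait    root    internal
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/wu.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
talk    dgram   udp  wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
ntalk   dgram   udp  wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
pop3    stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
#bootps dgram   udp  wait    root    /usr/sbin/tcpd  /usr/sbin/in.bootpd
#finger stream  tcp  nowait  daemon  /usr/sbin/tcpd  /usr/sbin/in.fingerd
systat  stream  tcp  nowait  guest   /usr/sbin/tcpd  /usr/bin/ps -auwwx
"""

# Assumed classifications (not from the slides).
TEST_ONLY = {"echo", "discard", "daytime", "time"}
CLEARTEXT = {"telnet", "ftp", "pop3", "login", "shell"}   # no encryption at all
INFO_LEAK = {"systat"}                                    # hands process listings to any caller


def parse_inetd_conf(text):
    """Return the enabled entries; commented-out lines (such as bootps and finger) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue   # malformed line; inetd would ignore it too
        entries.append({"service": fields[0], "socket": fields[1], "proto": fields[2],
                        "flags": fields[3], "user": fields[4], "server": fields[5],
                        "args": fields[6:],
                        "wrapped": fields[5].endswith("/tcpd")})
    return entries


def services_running_as_root(entries):
    """External servers (not inetd's built-ins) that inetd will start as root."""
    return sorted({e["service"] for e in entries
                   if e["user"] == "root" and e["server"] != "internal"})


def audit_inetd(entries):
    """(service, finding) pairs for the enabled entries."""
    findings = []
    for e in entries:
        name = e["service"]
        if name in TEST_ONLY:
            findings.append((name, "test service enabled; disable unless needed"))
        if name in CLEARTEXT:
            findings.append((name, "cleartext protocol: credentials and session data are not encrypted"))
        if name in INFO_LEAK:
            findings.append((name, "discloses system information to unauthenticated callers"))
        if e["server"] != "internal" and not e["wrapped"]:
            findings.append((name, "not wrapped by tcpd, so hosts.allow/hosts.deny do not apply"))
    return findings


if __name__ == "__main__":
    entries = parse_inetd_conf(INETD_CONF)
    print("%d services enabled; root: %s" % (len(entries), services_running_as_root(entries)))
    for service, finding in audit_inetd(entries):
        print("%-8s %s" % (service, finding))
```

The systat line is a useful reminder that an inetd entry need not be a network daemon at all: here it runs `ps -auwwx` for whoever connects, which is why the slide's file already runs it as guest rather than root.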


Networking Operating Systems (CO32010)

Module units: 1. Operating Systems; 2. Processes and scheduling; 3. Distributed processing; 4. Distributed file systems; 5. Routing protocols; 6. Routers; 7. Encryption; 8. NT, UNIX and NetWare.

5. Routing protocols

5.1 Introduction
5.2 Routing fundamentals
5.3 Routing protocol techniques
5.4 RIP
5.5 OSPF
5.6 IGRP
5.7 EGP/BGP

Objectives:
• To outline the fundamental techniques used in routing protocols.
• To define the main problems in routing protocol techniques, such as routing loops and count-to-infinity, and how they may be overcome.
• To outline practical protocols, especially RIP and IGRP, and reflect on their strengths and weaknesses.


5.1 Alternative Routes

Figure 5.1 (diagram): an example internetwork of eight subnetworks (Net1 to Net8) joined by routers 1 to 6, with a source node A and a destination node B. Several alternative routes exist between A and B, such as (1,3,5,6), (1,3,5,2,4,6), (2,4,6) and (2,5,6); these are compared in 5.2.


5.2 Best route?

Routing based on hops:

Route (1,3,5,6)     = 4 hops [BEST]
Route (1,3,5,2,4,6) = 6 hops

Routing based on delay (latency):

Route (2,4,6) = 1.5 + 1.25 = 2.75
Route (2,5,6) = 1.1 + 1.3  = 2.4  [BEST]

Routing based on error probability:

Pe(2-5) = 0.01   Pe(5-6) = 0.15
Pe(2-4) = 0.05   Pe(4-6) = 0.1

Pnoerror(2,5,6) = (1 - 0.01)(1 - 0.15) = 0.8415
Pnoerror(2,4,6) = (1 - 0.05)(1 - 0.1)  = 0.855 [BEST]


5.2 Best route? (Challenge 1: error probability)

Figure (diagram): four routers A, B, C and D with link error probabilities 0.1, 0.2, 0.05, 0.3 and 0.2. Lowest error probability wins!

Route A,B,C,D: P(no error) = (1 - 0.2) x (1 - 0.05) x (1 - 0.3) = 0.532


5.2 Best route? (Challenge 2: delay)

Figure (diagram): the same four routers A, B, C and D with link delays 1, 2, 0.5, 3 and 2 ms. Lowest delay wins!

Route A,B,C,D: delay = 2 + 0.5 + 3 ms = 5.5 ms
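The three criteria in 5.2 are scored in different ways: hops and delay add up along the route, while error probabilities multiply. The following is an added example (not code from the slides) that reproduces the slide's numbers for the routes between routers 2 and 6 and then goes one step beyond them: it shows that the most reliable route can be found with an ordinary shortest-path search (Dijkstra) by using -ln(1 - Pe) as the additive link cost, since minimising that sum is the same as maximising the product of (1 - Pe). The link metrics are the constructed values from the slide; the hop count follows the slide's convention of counting the routers on the route.

```python
import heapq
import math

# Link metrics copied from the worked examples in 5.2 (undirected links).
DELAY = {(2, 4): 1.5, (4, 6): 1.25, (2, 5): 1.1, (5, 6): 1.3}        # ms
ERROR_PROB = {(2, 4): 0.05, (4, 6): 0.1, (2, 5): 0.01, (5, 6): 0.15}


def link_metric(table, a, b):
    """Look up an undirected link in either direction."""
    return table[(a, b)] if (a, b) in table else table[(b, a)]


def route_hops(route):
    """The slides count the routers traversed, so (1,3,5,6) is 4 hops."""
    return len(route)


def route_delay(route, delay=DELAY):
    return sum(link_metric(delay, a, b) for a, b in zip(route, route[1:]))


def route_success(route, perr=ERROR_PROB):
    """Probability that a packet crosses every link of the route without error."""
    p = 1.0
    for a, b in zip(route, route[1:]):
        p *= 1.0 - link_metric(perr, a, b)
    return p


def best_route(routes, metric, lower_is_better=True):
    """Return (score, route) for the best of the candidate routes under `metric`."""
    scored = [(metric(r), r) for r in routes]
    return min(scored) if lower_is_better else max(scored)


def dijkstra(costs, src):
    """Shortest paths from src with additive per-link costs; costs maps (a, b) -> cost."""
    adj = {}
    for (a, b), c in costs.items():
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, math.inf):
            continue   # stale heap entry
        for v, c in adj.get(u, []):
            nd = d + c
            if nd < dist.get(v, math.inf):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path_to(prev, src, dst):
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return tuple(reversed(path))


def most_reliable_path(perr, src, dst):
    """Maximising the product of (1 - Pe) equals minimising the sum of -ln(1 - Pe)."""
    costs = {link: -math.log(1.0 - p) for link, p in perr.items()}
    dist, prev = dijkstra(costs, src)
    return path_to(prev, src, dst), math.exp(-dist[dst])


def lowest_delay_path(delay, src, dst):
    dist, prev = dijkstra(delay, src)
    return path_to(prev, src, dst), dist[dst]


if __name__ == "__main__":
    candidates = [(2, 4, 6), (2, 5, 6)]
    print("delay:", best_route(candidates, route_delay))
    print("reliability:", best_route(candidates, route_success, lower_is_better=False))
    print("dijkstra (reliability):", most_reliable_path(ERROR_PROB, 2, 6))
```

The two answers differ for the same pair of routes, which is the slide's point: (2,5,6) wins on delay and (2,4,6) wins on reliability, so the "best" route is only defined once the metric is chosen.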


5.3 Layer 3 protocols

Routing protocols. A routing protocol provides a mechanism for routers to share routing information. These protocols allow routers to pass information between themselves, and update their routing tables. Examples of routing protocols are Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF).

Routed protocols. These are any network layer protocols that allow the addressing of a host and a destination on a network, such as IP and IPX. Routers are responsible for passing a data packet on to the next router in, if possible, an optimal way, based on the destination network address. What counts as optimal depends on many things, especially the reachability of the destination. With IP, the routers on the path between a source and a destination examine the network part of the IP address to make their routing decisions. Only the last router, which is connected to the destination node's network, examines the host part of the IP address.


5.4 Types of Routing

Dynamic routing. In dynamic routing, the routers monitor the network, and can change their routing tables based on the current network conditions. The network thus adapts to changing conditions. Unfortunately, this method tends to reveal everything known about an internetwork to the rest of the network. This may be inappropriate for security reasons.

Static routing. In static routing, a system administrator sets up a manual route when there is only one route to get to a network (a stub network). This type of configuration reduces the overhead of dynamic routing. Static routing also allows the internetwork administrator to control the information that is advertised about restricted parts of a network.

Default routing. These are manually defined by the system administrator and define the path that is taken if there is not a known route for the destination.


5.5 Best Route Parameters?

Bandwidth. The data capacity of a link, which is typically defined in bps.

Delay. The amount of time that is required to send a packet from the source to a destination.

Load. A measure of the amount of activity on a route.

Reliability. Relates to the error rate of the link.

Hop count. Defined by the number of routers that it takes between the current router and the destination.

Ticks. Defines the delay of a link by a number of ticks of a clock.

Cost. An arbitrary value which defines the cost of a link, such as financial expense, bandwidth, and so on.


5.6 Type of Update?

Broadcast. In broadcast, routers transmit their information to other routers at regular intervals. A typical broadcast routing protocol is RIP, in which routers send their complete routing table once every few minutes to all of their neighbors. This technique tends to be wasteful of bandwidth, as routes usually change little over short periods of time.

Event-driven. In event-driven routing protocols, routing information is only sent when there is a change in the topology or state of the network. This technique tends to be more efficient than broadcast, as it does not use up as much bandwidth.


5.7 Routing protocol types

Figure 5.7 (mind map) summarises routing as follows:

Layer 3 protocols:
  Routed protocols (IP, IPX, NetBEUI)
  Routing protocols (RIP, OSPF)

Types:
  Link-state. Each router transmits routing information to all other routers only when there are changes (OSPF/BGP/EGP). Problems: initial flooding; processing/memory.
  Distance-vector. Each router periodically sends information to each of its neighbors (RIP). Problems: bandwidth; step-by-step updates.
  Hybrid (IS-IS).

Updates:
  Event driven v. broadcast
  Static v. dynamic

Distance metrics:
  Bandwidth, hop count, delay, reliability, tick, cost

Example protocol stack shown in the figure:
  Session      HTTP
  Transport    TCP
  Network      IP, RIP
  Data link    Ethernet/FDDI
  Physical     Ethernet/FDDI


5.8 Example routing

Figure 5.8 (diagram): routers W, X, Y and Z joined by links 1 to 4, with Network A, Network B and Network C each directly attached to one router. The routing tables after convergence (Dest, Hops, Next) are:

Router with Network A directly attached:
  A  0  Network A
  B  1  y
  C  2  y

Router with Network B directly attached:
  A  1  x
  B  0  Network B
  C  1  z

Router with Network C directly attached:
  A  2  w
  B  1  y
  C  0  Network C

Router with no network directly attached:
  A  1  x
  B  2  z
  C  1  z

The next-hop columns imply that Network A is attached to Router X, Network B to Router Y and Network C to Router Z, with Router W in the middle.


5.9 Routing loops

Figure 5.9 (diagram): routers W, X, Y and Z joined by links 1 to 4, with Network A attached beyond router V. Timing of events:

A. Network A becomes unreachable, and "Network A unreachable" is reported.
B. Router W announces "I can reach Network A in 3 hops".
C. Network A is recorded as reachable via Router W.
D. Network A is reported as reachable.
E. Network A is reported as reachable.

Router Z thinks it can reach Network A in 4 hops, as Router W says it can reach it in 3 hops; this overrules the information from Router Y, which says it cannot reach Network A.


5.10 Overcoming Distance Vector Problems

Setting infinity values. The count-to-infinity problem will eventually resolve itself when the routers have counted to infinity (as infinity is constrained to the maximum definable value), but while the network is counting up to this value the routing information will be incorrect. To reduce the time that it takes to reach this maximum, a small maximum value is normally defined. In RIP this value is set at 16 hops for hop-count distance-vectors, so the maximum number of hops that can occur is 15. This leads to a problem in that a destination which is more than 15 hops away is unreachable, as a value of 16 or more defines that the network is unreachable.

Split horizon. This method tries to overcome routing loops. With split horizon, routers do not pass information about a destination back to the router that they know the destination network is directly connected to (that router knows more about the state of the network than any other router, as it connects to it). Thus in Figure X, Router Z and Router X will not send routing information on Network B to Router Y, as they know that Network B is connected to Router Y.
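The tables in 5.8, the loop in 5.9 and the two remedies above can all be watched in a few lines of simulation. The following is an added example (not code from the slides): a synchronous distance-vector model in which every router sends its vector to each neighbour once per round and applies the Bellman-Ford rule. The topology is the four-router square inferred from the next-hop columns in 5.8 (W-X, W-Z, X-Y, Y-Z, with Network A on X, B on Y and C on Z); the metric is hop count with 16 meaning unreachable, as in RIP. A two-router chain is included as well because split horizon behaves very differently on it.

```python
INFINITY = 16   # RIP: 16 hops = unreachable (slide 5.10)

# Assumed topology from 5.8 (inferred, not stated on the slide).
SQUARE = {"W": ["X", "Z"], "X": ["W", "Y"], "Y": ["X", "Z"], "Z": ["W", "Y"]}
SQUARE_NETS = {"X": ["A"], "Y": ["B"], "Z": ["C"]}

# Constructed two-router chain X--W with Network A on X.
CHAIN = {"X": ["W"], "W": ["X"]}
CHAIN_NETS = {"X": ["A"]}


def initial_tables(neighbours, attached):
    """Each router starts knowing only its directly attached networks."""
    nets = sorted({n for ns in attached.values() for n in ns})
    tables = {}
    for r in neighbours:
        tables[r] = {}
        for net in nets:
            direct = net in attached.get(r, [])
            tables[r][net] = (0, "direct") if direct else (INFINITY, None)
    return tables


def advertise(table, receiver, split_horizon):
    """The distance vector one router sends to `receiver`."""
    vec = {}
    for net, (hops, nxt) in table.items():
        if split_horizon and nxt == receiver:
            continue   # never advertise a route back to the neighbour it was learned from
        vec[net] = hops
    return vec


def process_update(table, sender, vec):
    """Bellman-Ford step for one received vector; returns True if anything changed."""
    changed = False
    for net, hops in vec.items():
        new_hops = min(hops + 1, INFINITY)
        cur_hops, cur_next = table[net]
        if cur_next == "direct":
            continue
        if cur_next == sender:
            # the route already runs through sender: take its new metric, better or worse
            if new_hops != cur_hops:
                table[net] = (new_hops, sender if new_hops < INFINITY else None)
                changed = True
        elif new_hops < cur_hops:
            table[net] = (new_hops, sender)
            changed = True
    return changed


def run_round(tables, neighbours, split_horizon):
    # all vectors are built from the tables as they stood at the start of the round
    msgs = [(s, r, advertise(tables[s], r, split_horizon))
            for s in neighbours for r in neighbours[s]]
    changed = False
    for sender, receiver, vec in msgs:
        changed |= process_update(tables[receiver], sender, vec)
    return changed


def converge(tables, neighbours, split_horizon=False, max_rounds=100):
    """Run rounds until nothing changes; returns how many rounds changed something."""
    rounds = 0
    while rounds < max_rounds and run_round(tables, neighbours, split_horizon):
        rounds += 1
    return rounds


def hops_to(tables, net):
    return {r: tables[r][net][0] for r in tables}


def detach(tables, router, net):
    """Network `net` goes down at `router` (slide 5.9: Network A becomes unreachable)."""
    tables[router][net] = (INFINITY, None)


def simulate_failure(neighbours, attached, split_horizon):
    """Converge, lose Network A at X, and report rounds until the tables settle again."""
    tables = initial_tables(neighbours, attached)
    converge(tables, neighbours, split_horizon)
    detach(tables, "X", "A")
    rounds = converge(tables, neighbours, split_horizon)
    return rounds, hops_to(tables, "A")


if __name__ == "__main__":
    for name, topo, nets in (("chain", CHAIN, CHAIN_NETS), ("square", SQUARE, SQUARE_NETS)):
        for sh in (False, True):
            print(name, "split horizon" if sh else "plain", simulate_failure(topo, nets, sh))
```

Two things come out of running it. On the chain, split horizon ends the count-to-infinity in a single round, whereas without it W and X bounce the dead route between them until the count reaches 16. On the square the stale route travels round the four-router cycle, and split horizon alone does not stop it: every router still counts up to 16, which is why the maximum value and the hold-down timers in 5.11 are needed as well.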


5.11 Overcoming Distance Vector Problems

Hold-down timers. This method overcomes the count-to-infinity problem. With hold-down, a router starts a hold-down timer when it receives an update from a neighbor indicating that a previously accessible network is now inaccessible. It also marks the route as inaccessible. There are then three possible situations:

o If, at any time before the hold-down timer expires, an update arrives from the same neighbor which reported the initial problem saying that the network is now accessible, the router marks the network as accessible and removes the hold-down timer.
o If an update arrives from a different neighboring router with a better metric than the original metric, the router marks the network as accessible and removes the hold-down timer.
o If, at any time before the hold-down timer expires, an update arrives from a different neighbor saying that the network is accessible, but with a poorer metric than the previously recorded metric, the update is ignored.

Obviously, after the timer has expired the network will still be prone to looping routes, but the timer allows a longer time for the network to settle down and recover the correct information.


5.12 Link-state overview

Figure 5.12 (mind map and diagram) summarises link-state routing as follows:

Methods:
  LSP (link state packets)
  Topological database (for SPF)

Operation:
  A change in topology causes updates to all other routers.
  Each router builds up a tree topology of the subnetworks and finds the shortest path.

Problem:
  Routers W, X, Y and Z (links 1 to 4) flood LSPs when Network 1 becomes unreachable for a short time; the "Network unreachable" LSP can arrive after the "Network reachable" LSP.

Concerns:
  Memory: increased amount of storage memory for the tree.
  Processing: increased processing power required to build trees.

OSPF (RFC 1583) packet header fields: Ver., Type, Message Len., Router ID, Area ID, Checksum, Auth. Type, Authentication.


5.13 OSPF overview

OSPF is an IGP (Interior Gateway Protocol) which distributes routing information between routers in a single autonomous system. All routers have the same database. Autonomous systems are separate domains joined by gateways; EGP is used between AS's across the Internet.

OSPF (RFC 1583) packet header (32 bits wide):
  Ver.  Type  Message Len.
  Router ID (unique in AS)
  Area ID (similar to subnetting)
  Checksum  Auth. Type
  Authentication
  Additional information (depends on packet type)

Packet types:

Hello [1]. Used to establish and maintain a connection. Routers agree HelloInterval and RouterDeadInterval.
  • HelloInterval. Number of seconds between Hello packets. The smaller the value, the faster the detection of topological changes. X.25 uses 30 sec, LANs use 10 sec.
  • RouterDeadInterval. Number of seconds before a router assumes that a route is down. It should be a multiple of HelloInterval (such as four times).
Database Description [2]. Used to send the database between routers.
Link-state Request [3]. Requests parts of a neighbor's database, which may be more up-to-date.
Link-state Update [4]. Used to flood link state advertisements.
Link-state Acknowledgement [5]. Used to acknowledge flooded advertisements.
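The header fields and Hello parameters above can be checked on a real packet with very little code. The following is an added example (not code from the slides): it builds a constructed OSPF Hello, parses the 24-byte header and the Hello body back, verifies the checksum, and applies the two rules the slide states: RouterDeadInterval should be a multiple of HelloInterval, and the packet should carry authentication. The byte layout (version, type, length, router ID, area ID, checksum, AuType, 8-byte authentication; then network mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR, neighbours) is assumed from RFC 2328, which keeps the RFC 1583 header; the checksum is the usual one's-complement sum over the packet with the authentication field left out. Router IDs and addresses are constructed values.

```python
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NULL = 0
HEADER = "!BBHIIHH8s"    # 24 bytes (assumed from RFC 2328)
HELLO = "!IHBBIII"       # 20 bytes, followed by 4-byte neighbour router IDs
TYPE_NAMES = {1: "Hello", 2: "Database Description", 3: "Link-state Request",
              4: "Link-state Update", 5: "Link-state Acknowledgement"}


def ip2int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def int2ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071) over `data`, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, hello_interval, dead_interval, neighbours=(),
                autype=AUTH_NULL, auth=b"\x00" * 8):
    """Constructed Hello on a /24 with priority 1 and no DR/BDR elected yet."""
    body = struct.pack(HELLO, ip2int("255.255.255.0"), hello_interval, 0x02, 1,
                       dead_interval, 0, 0)
    body += b"".join(struct.pack("!I", ip2int(n)) for n in neighbours)
    length = struct.calcsize(HEADER) + len(body)
    head = struct.pack(HEADER, OSPF_VERSION, OSPF_HELLO, length, ip2int(router_id),
                       ip2int(area_id), 0, autype, auth)
    # checksum covers header (checksum field zero) and body, but not the 8 auth bytes
    csum = ones_complement_checksum(head[:16] + body)
    return head[:12] + struct.pack("!H", csum) + head[14:] + body


def parse_ospf(pkt):
    """Decode the common header, verify the checksum, and decode a Hello body if present."""
    ver, ptype, length, rid, aid, csum, autype, auth = struct.unpack(HEADER, pkt[:24])
    if ver != OSPF_VERSION or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 packet")
    expected = ones_complement_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:])
    info = {"version": ver, "type": ptype, "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "router_id": int2ip(rid), "area_id": int2ip(aid), "autype": autype,
            "checksum_ok": csum == expected}
    if ptype == OSPF_HELLO:
        mask, hello, _opts, prio, dead, _dr, _bdr = struct.unpack(HELLO, pkt[24:44])
        count = (len(pkt) - 44) // 4
        nbrs = [int2ip(n) for n in struct.unpack("!%dI" % count, pkt[44:44 + 4 * count])]
        info["hello"] = {"network_mask": int2ip(mask), "hello_interval": hello,
                         "router_dead_interval": dead, "priority": prio, "neighbours": nbrs}
    return info


def hello_findings(info):
    """The two checks the slide's text implies."""
    findings = []
    h = info.get("hello")
    if h and h["router_dead_interval"] % h["hello_interval"] != 0:
        findings.append("RouterDeadInterval is not a multiple of HelloInterval")
    if info["autype"] == AUTH_NULL:
        findings.append("AuType 0: packet carries no authentication")
    return findings


if __name__ == "__main__":
    pkt = build_hello("192.0.2.1", "0.0.0.0", 10, 40, neighbours=("192.0.2.2",))
    info = parse_ospf(pkt)
    print(info)
    print(hello_findings(info))
```

Mismatched HelloInterval or RouterDeadInterval values are the commonest reason two OSPF routers never become neighbours, and AuType 0 means any host on the segment can inject routing information, which is why a checker like this is worth running on captured Hellos from a production segment.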


5.14 Tree-like topology v. Internet-like topology

Figure 5.14 (diagram): in a tree-like topology, organisations (Org1, Org2) each have sites (Site1, Site2, Site3) with LANs (LAN1, LAN2, LAN3), all hanging off a single backbone. In an Internet-like topology the organisations (Org1, Org2, Org 3) are interconnected with each other rather than through one backbone.


5.15 Autonomously attached networks

Figure 5.15 (diagram): autonomously attached networks (AANs), each joined to the others through gateways (G/W).


Networking Operating Systems (CO32010)

Module units: 1. Operating Systems; 2. Processes and scheduling; 3. Distributed processing; 4. Distributed file systems; 5. Routing protocols; 6. Routers; 7. Encryption; 8. NT, UNIX and NetWare.

6. Routers

6.1 Introduction
6.2 Router configuration and startup
6.3 Router commands
6.4 Access Control Lists (ACLs)
6.5 Exercises
6.6 Cisco router commands

Objectives:
• To outline the main elements of a router.
• To be able to understand the main elements in the programming of a router.
• To be able to program a router for a given specification.
• To understand the operation of firewalls, and how these are implemented on a firewall.


6.1 Routers

Figure 6.1 (diagram): a router with a console port (RJ-45) attached to a console terminal, an auxiliary port (RJ-45) attached to a modem, and network interfaces Serial0 and Serial1 (DB-60) and Ether0 and Ether1 (DB-15). The router can also be managed from a virtual terminal (through telnet), and configuration files can be downloaded over the network from a TFTP server.


6.2 Router modes

Figure 6.2 (diagram): router start-up and modes.

ROM: perform hardware tests; load the operating system; run the EXEC bootstrap program.
Load the configuration file from NVRAM: global, process and interface information.
EXEC executes user commands in one of these modes:
  User EXEC. View configuration parameters.
  Privileged EXEC. Edit configuration parameters/debug/testing.
  Global Config. Performs simple configuration tasks.
  Setup mode. Used to configure the router when first started.
  RXBOOT. Maintenance mode, such as recovering lost passwords.


6.2 Example topology

Figure 6.2 (diagram): lab topology of five routers, LAB-A, LAB-B, LAB-C, LAB-D and LAB-E. LAB-A has a switch on its Ethernet interfaces (networks 192.5.5.0 and 205.7.5.0) and a serial link to LAB-B on 201.100.11.0 (201.100.11.1 at LAB-A, 201.100.11.2 at LAB-B). LAB-B's Ether0 is on 219.17.100.0 and its other serial link goes to LAB-C on 199.6.13.0 (199.6.13.1 at LAB-B, 199.6.13.2 at LAB-C). LAB-C's Ethernet is on 223.8.151.0, and LAB-D and LAB-E share 210.93.105.0; hubs sit on the Ethernet segments.


6.3 Router startup

• The bootstrap loader is loaded from ROM and run on the processor.
• The operating system (Cisco IOS, Internetwork Operating System) is then loaded from the location given by the boot field of the configuration register (which specifies either boot from flash memory, boot from the network or manual boot). The lower four bits of the configuration register define the boot field.
• The operating system is then booted; it determines the hardware and the software on the system, and displays these on the console terminal.
• The operating system then loads the configuration file from NVRAM and executes it one line at a time. These lines start different processes, and define addresses and protocol types.
• If there is no configuration file in NVRAM, the router automatically goes into user setup mode, where the router asks the user questions about the router configuration. Once these have been specified, the router saves them to NVRAM so that the settings persist. Once saved, the router should boot automatically without going into user setup mode. As far as possible the router tries to discover its environment, and tries to minimize the settings that the user has to add. Typically, values are given in square brackets; these are defaults that the user can accept by pressing the return key at the option.


6.4 Router memory

• NVRAM. This type of memory does not lose its contents when the power is withdrawn, but can be written to. It is used to store the router’s backup/startup configuration file. One of the options in the configuration is where the operating system image is loaded from, typically either from flash memory, or from a TFTP server.

• Flash. This is erasable, reprogrammable ROM, which keeps its contents when the power is taken away. It is used in the router to contain one or more copies of the operating system image and microcode. Flash memory allows for easy updates to the operating system software, without having to replace any parts of the hardware.

• ROM. This is a permanent type of memory, which cannot be changed, and does not lose its contents when the power is withdrawn. On the router it contains power-on diagnostics, a bootstrap program, and operating system software. Upgrades to ROM require a change of a ROM integrated circuit.

• RAM. This is the main memory of the router and stores running programs and the current running configuration file. Along with this the RAM stores routing tables, ARP cache, packet buffering and packet hold queues. The contents of the RAM are lost when the power is withdrawn.


6.5 Router commands (enable)

LAB-A con0 is now available

Press RETURN to get started.

User Access Verification

Password: *******
LAB-A> ?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  ::::::::
LAB-A> enable
Password: **********
LAB-A# ?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  cd               Change current directory
  ::::::::


6.6 Router commands (enable)

show arp. Displays the current status of the router's ARP tables, which map IP addresses to MAC addresses. Session run 6.6 gives an example of this command.

show buffers. This command shows detailed statistics on the buffers within the router. Session run 6.2 gives an example of this command. In this case, the memory buffers are split into small buffers (104 bytes), middle buffers (600 bytes), big buffers (1524 bytes), very big buffers (4520 bytes), large buffers (5024 bytes) and huge buffers (18024 bytes).

show flash. This command displays information on the data stored in the flash memory. An example is given in Session run 6.8.

show hosts. This command displays a list of connected hosts and their IP addresses.

show interfaces. This command displays statistics for all interfaces configured on the router. Session run 6.10 shows an example.

show mem. This command displays the usage of the router's memory. Session run 6.3 shows an example.

show processes. This command shows the active processes.

show protocols. This command displays the status of currently running protocols (such as IP, IPX, AppleTalk and DECnet). It can be seen from Session run 6.9 that there are three active interfaces (Ethernet0, Serial0 and Serial1), and that each of the interfaces is operating ('they are up'). For example, the IP address of the Ethernet0 interface is 219.17.100.1/24, which specifies that it has an IP address of 219.17.100.1 and that 24 bits are used to define the network part of the address (as expected, as it is a Class C address).

show running-config. This command displays the active configuration file.

show startup. Displays the startup configuration file.

show version. This command displays information on the hardware, software version, configuration file name, and the boot image.


6.7 Router commands (show buffers)

LAB-A# show buffers
Buffer elements:
     500 in free list (500 max allowed)
     2026 hits, 0 misses, 0 created

Public buffer pools:
Small buffers, 104 bytes (total 50, permanent 50):
     49 in free list (20 min, 150 max allowed)
     669 hits, 0 misses, 0 trims, 0 created
::::::::
Huge buffers, 18024 bytes (total 0, permanent 0):
     0 in free list (0 min, 4 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)

Interface buffer pools:
Ethernet0 buffers, 1524 bytes (total 32, permanent 32):
     8 in free list (0 min, 32 max allowed)
     24 hits, 0 fallbacks
     8 max cache size, 8 in cache
::::::::
Serial0 buffers, 1524 bytes (total 32, permanent 32):
     7 in free list (0 min, 32 max allowed)
     102 hits, 0 fallbacks
     8 max cache size, 8 in cache


6.8 Router commands (show hosts)

LAB-A> show hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255

Host        Flags       Age  Type  Address(es)
LAB-B       (perm, OK)  17   IP    201.100.11.2  219.17.100.1  199.6.13.1
LAB-C       (perm, OK)  18   IP    199.6.13.2    223.8.151.1   204.204.7.1
LAB-D       (perm, OK)  19   IP    204.204.7.2   210.93.105.1
LAB-E       (perm, OK)  18   IP    210.93.105.2
LAB-A       (perm, OK)  19   IP    192.5.5.1     205.7.5.1     201.100.11.1

Figure (diagram): the LAB-A, LAB-B and LAB-C part of the lab topology (networks 201.100.11.0, 219.17.100.0 and 199.6.13.0; LAB-B has 201.100.11.2 on Serial1 and 199.6.13.1 on Serial0, and LAB-C has 199.6.13.2).

6.9 Router commands (show protocols)

Lab-B> show protocols
Internet Protocol routing is enabled
Ethernet0 is up, line protocol is up
  Internet address is 219.17.100.1/24
Serial0 is up, line protocol is up
  Internet address is 199.6.13.1/24
Serial1 is up, line protocol is up
  Internet address is 201.100.11.2/24

6.10 Router commands (show running-config)

Lab-B# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Lab-B
!
enable password class
!
ip subnet-zero
!
interface Ethernet0
 ip address 219.17.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 199.6.13.1 255.255.255.0
 ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 56000
!

6.11 Router commands (show running-config – cont.)

interface Serial1
 ip address 201.100.11.2 255.255.255.0
 no ip directed-broadcast
!
router rip
 network 199.6.13.0
 network 201.100.11.0
 network 219.17.100.0
!
no ip classless
!
line con 0
 password cisco
 login
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end

Several settings in this lab configuration would not be acceptable on a production router. With no service password-encryption in force, the enable password (class) and the line passwords (cisco) appear in clear text in every copy of the configuration; enable secret stores a hash instead and, when both are configured, takes precedence over enable password. The ip directed-broadcast setting on Serial0 lets the router forward directed broadcasts onto that segment, which is what smurf-style amplification attacks rely on; the default from IOS 12.0 onwards is no ip directed-broadcast, as already set on the other two interfaces. The vty lines are protected only by a shared clear-text password, so anyone who can reach the router over the network and who knows or guesses cisco obtains a login; restricting the source addresses allowed to connect to the vty lines with an access-class (a standard ACL, see 6.17) is the usual minimum.

6.12 MAC and IP address

[Figure: LAB-A (Router) with two Ethernet interfaces. Ethernet0 (MAC 0010.7b81.1d72, IP 192.5.5.1) is on network 192.5.5.0, where host 192.5.5.12 has MAC 0000.b430.b332. Ethernet1 (MAC 0010.7b81.1d73, IP 205.7.5.1) is on network 205.7.5.0, where host 205.7.5.254 has MAC 0030.8071.9f40. The two segments are connected through a hub and a switch.]

ARP TABLE (in LAB-A)
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  205.7.5.254  108        0030.8071.9f40  ARPA  Ethernet1
Internet  192.5.5.1    -          0010.7b81.1d72  ARPA  Ethernet0
Internet  192.5.5.12   1          0000.b430.b332  ARPA  Ethernet0
Internet  205.7.5.1    -          0010.7b81.1d73  ARPA  Ethernet1

An age of '-' marks the router's own interface addresses; the other entries were learnt from ARP replies and age out. ARP has no authentication, so any host on a segment can answer for any address on that segment (ARP spoofing); an entry whose hardware address changes between readings of this table is the symptom to look for.

6.13 Router programming

Router> enable
Router#

Router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname LAB_A
LAB_A(config)#

LAB_A(config)# enable secret class
LAB_A(config)# exit
LAB_A# exit
LAB_A> enable
Password: ccc
Password: class
LAB_A#

The first attempt (ccc) is rejected and the second (class) is accepted. IOS does not echo the typed password; it is shown here only to illustrate the exchange. Unlike enable password, enable secret stores a salted MD5 hash of the password (a 'type 5' entry) rather than the password itself.

6.14 Router programming

LAB_A# config t
LAB_A(config)# int e0
LAB_A(config-if)# ip address 192.5.5.1 255.255.255.0
LAB_A(config-if)# no shutdown
LAB_A(config-if)# exit
LAB_A(config)# int e1
LAB_A(config-if)# ip address 205.7.5.1 255.255.255.0
LAB_A(config-if)# no shutdown
LAB_A(config-if)# exit
LAB_A(config)# int s0
LAB_A(config-if)# ip address 201.100.11.1 255.255.255.0
LAB_A(config-if)# clock rate 56000
LAB_A(config-if)# no shutdown
LAB_A(config-if)# exit

LAB_A(config)# router rip
LAB_A(config-router)# network 192.5.5.0
LAB_A(config-router)# network 205.7.5.0
LAB_A(config-router)# network 201.100.11.0
LAB_A(config-router)# exit
LAB_A(config)#

6.15 ACLs

An interface on a router can be set up with an access control list (ACL) to filter traffic based on the source or destination network address, or on the source or destination port number.

For example, a router acting as a firewall may block FTP traffic leaving the network.

6.16 ACLs

• Source IP address. The address that the packet was sent from.

• Destination IP address. The address that the packet is destined for.

• Source TCP/UDP port. The port that the segment originated from. A client normally uses an ephemeral source port, so filtering on the source port mainly identifies replies coming back from a well-known service.

• Destination TCP/UDP port. The port that the segment is destined for. This is the usual place to block a service; typical ports are FTP (port 21), TELNET (port 23) and WWW (port 80).

• Protocol type. The IP protocol number, which selects TCP, UDP, ICMP or any other protocol carried in IP (the keyword ip matches all of them).

6.17 Standard ACLs

Standard ACLs (numbered 1 to 99) test only the source address of each packet. They are entered in global configuration mode:

Router(config)# access-list access-list-number {permit | deny} source source-wildcard

The wildcard mask is the inverse of a subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means 'don't care'. Entries are tested in order and the first match decides. Every list ends with an implicit deny of everything, so a list containing only deny entries blocks all traffic.

Deny a single host (a 0.0.0.0 wildcard; host 156.1.1.10 is equivalent):

Router(config)# access-list 1 deny 156.1.1.10 0.0.0.0

Deny the whole 156.1.1.0/24 subnet:

Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255

Deny the subnet and explicitly permit everything else (without the permit entry the implicit deny would block all remaining traffic):

Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
Router(config)# access-list 1 permit any

The list has no effect until it is applied to an interface in a direction, here inbound on Ethernet0:

Router(config)# interface Ethernet0
Router(config-if)# ip address 156.1.1.130 255.255.255.0
Router(config-if)# ip access-group 1 in

6.18 Extended ACLs

Extended ACLs (numbered 100 to 199) can test the protocol, the source and destination addresses and the source and destination ports:

Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [operator port]

Deny all IP traffic from host 156.1.1.134 to host 156.70.1.1 and permit everything else (host 156.70.1.1 is equivalent to 156.70.1.1 0.0.0.0):

Router(config)# access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
Router(config)# access-list 100 permit ip any any

Deny all IP traffic from the network 156.1.1.0/24 to the network 156.70.1.0/24:

Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
Router(config)# access-list 100 permit ip any any

Deny traffic to host 156.70.1.1 from the even-numbered addresses in 156.1.1.0/24. The wildcard 0.0.0.254 makes every bit of the last octet 'don't care' except the lowest, which must match the 0 in 156.1.1.0, so 156.1.1.134 is denied while 156.1.1.135 is permitted:

Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
Router(config)# access-list 100 permit ip any any

As with standard lists, the order of entries matters (a permit ip any any placed first would make every later entry unreachable) and the list does nothing until applied to an interface:

Router(config)# interface Ethernet0
Router(config-if)# ip address 156.1.1.130 255.255.255.192
Router(config-if)# ip access-group 100 in
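The evaluation rules above (wildcard matching, first match wins, implicit deny, entry order) can be checked by modelling them. The following Python is an added example, not code from the lecture slides or from Cisco; it reproduces the access-list entries of 6.17 and 6.18 as data and runs constructed packets through them. The Ace and Packet types and the shadowed_entries lint are this example's own names.

```python
"""Worked model of Cisco-style standard and extended IP ACL evaluation.

Added example (not code from the lecture slides or from Cisco). The ACL
entries reproduce the ones on slides 6.17 and 6.18; the packets fed
through them are constructed test input.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")       # the 'any' keyword


def host(addr: str) -> tuple[str, str]:
    """The 'host X' keyword: X with a 0.0.0.0 wildcard (every bit must match)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'must match', a 1 bit means
    'don't care' (the inverse of a subnet mask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Standard lists leave the destination at 'any'."""
    action: str                        # 'permit' or 'deny'
    src: tuple[str, str]               # (address, wildcard)
    dst: tuple[str, str] = ANY
    proto: str = "ip"                  # 'ip' matches every IP protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


def first_match(acl: list[Ace], pkt: Packet) -> Optional[int]:
    """Index of the first entry that matches, or None (implicit deny)."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst):
            return i
    return None


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """Entries are tested top down and the first match decides. Every list
    ends with an implicit 'deny any', so no match means the packet is dropped."""
    i = first_match(acl, pkt)
    return "deny" if i is None else acl[i].action


def shadowed_entries(acl: list[Ace], samples: list[Packet]) -> list[int]:
    """Crude lint: entries that none of the sample packets ever reaches."""
    hit = {first_match(acl, p) for p in samples}
    return [i for i in range(len(acl)) if i not in hit]


# Slide 6.17: a list holding only a deny entry blocks everything.
ACL_1_DENY_ONLY = [Ace("deny", host("156.1.1.10"))]

# Slide 6.17: deny the 156.1.1.0/24 subnet, explicitly permit all else.
ACL_1 = [Ace("deny", ("156.1.1.0", "0.0.0.255")),
         Ace("permit", ANY)]

# Slide 6.18: wildcard 0.0.0.254 leaves only the lowest bit significant, so
# only even-numbered hosts of 156.1.1.0 are denied reaching 156.70.1.1.
ACL_100 = [Ace("deny", ("156.1.1.0", "0.0.0.254"), host("156.70.1.1")),
           Ace("permit", ANY, ANY)]

# The same two entries in the wrong order: the permit shadows the deny.
ACL_100_SHADOWED = list(reversed(ACL_100))

if __name__ == "__main__":
    for name, acl in [("ACL 1", ACL_1), ("ACL 100", ACL_100),
                      ("ACL 100 reversed", ACL_100_SHADOWED)]:
        for pkt in [Packet("156.1.1.134", "156.70.1.1"),
                    Packet("156.1.1.135", "156.70.1.1"),
                    Packet("156.1.2.7", "156.70.1.1")]:
            print(f"{name}: {pkt.src} -> {pkt.dst}: {evaluate(acl, pkt)}")
```

Running the module prints the verdict of each list for an even host, an odd host and a host outside 156.1.1.0/24; shadowed_entries is the check to run on a list before applying it, since a shadowed deny is the most common way an ACL silently stops filtering.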

8. NT, UNIX and NetWare

8.1 Introduction
8.2 Microsoft Windows
8.3 UNIX
8.4 Novell NetWare
8.5 NDS

Objectives:
• To outline the usage of the three main NOS's: NT/2000, UNIX and NetWare.
• To define the usage of object properties in each of the NOS's.
• To define how distributed file systems are created in the three main NOS's (UNIX – NFS, NT/2000 – Active Directory, NetWare – NDS).

[Figure: NT audit policy. The domain my_d contains \\bills_pc, \\freds_pc and \\server1. Each machine has a local audit policy and the domain has a domain audit policy; every event category can be audited on Success, on Failure, or both.]

Audit categories (local and domain policy):
• User login/logout
• File and object access
• Use of user rights
• User and group management
• Security policy changes
• Restart/shutdown
• Process tracking

UNIX file attributes

-rwxr-xr-x  1 bill_b  staff  28  May 12 1993  gopc

[Figure: the fields of an ls -l line. The first character is the directory attribute (d for a directory, - for a plain file); the next nine characters are three rwx triplets giving the permissions of the USER (file owner), the GROUP and the WORLD (everyone else). The remaining columns are the link count, the file owner name, the group's name, the size, the date/time last modified and the filename.]
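A check a practitioner wants over a listing like the one above is to turn the permission field back into mode bits and flag world-writable and setuid entries. The Python below is an added example, not code from the lecture slides; it assumes the field layout of GNU-style ls -l output, and the listing it audits is constructed here (its first line is the one on the slide).

```python
"""Parse the permission field of `ls -l` lines into mode bits and flag
the combinations that matter for security.

Added example (not from the lecture slides). The listing below is
constructed; its first line is the one shown on the slide.
"""
import stat

_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]

_TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK,
          "c": stat.S_IFCHR, "b": stat.S_IFBLK, "p": stat.S_IFIFO,
          "s": stat.S_IFSOCK}


def parse_mode(field: str) -> int:
    """'-rwxr-xr-x' -> 0o100755 (file-type bits included). The letters
    s/S and t/T in an execute slot set setuid, setgid and sticky the
    way ls prints them (upper case = bit set without execute)."""
    if len(field) != 10:
        raise ValueError("permission field must be 10 characters")
    mode = _TYPES[field[0]]
    for i, ch in enumerate(field[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _BITS[i]
        elif i == 2 and ch in "sS":           # user execute slot
            mode |= stat.S_ISUID | (stat.S_IXUSR if ch == "s" else 0)
        elif i == 5 and ch in "sS":           # group execute slot
            mode |= stat.S_ISGID | (stat.S_IXGRP if ch == "s" else 0)
        elif i == 8 and ch in "tT":           # other execute slot
            mode |= stat.S_ISVTX | (stat.S_IXOTH if ch == "t" else 0)
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def parse_ls_line(line: str) -> dict:
    """Split one long-listing line into its fields."""
    parts = line.split(None, 8)
    return {"mode": parse_mode(parts[0]), "links": int(parts[1]),
            "owner": parts[2], "group": parts[3], "size": int(parts[4]),
            "mtime": " ".join(parts[5:8]), "name": parts[8]}


def findings(entry: dict) -> list[str]:
    """Security-relevant observations about one entry. A world-writable
    directory with the sticky bit (like /tmp) is the accepted exception."""
    m, out = entry["mode"], []
    if m & stat.S_IWOTH and not (stat.S_ISDIR(m) and m & stat.S_ISVTX):
        out.append("world-writable")
    if m & stat.S_ISUID:
        out.append(f"setuid {entry['owner']}")
    if m & stat.S_ISGID and not stat.S_ISDIR(m):
        out.append(f"setgid {entry['group']}")
    return out


# Constructed listing; the first line is the one shown on the slide.
LISTING = """\
-rwxr-xr-x  1 bill_b staff      28 May 12  1993 gopc
-rwsr-xr-x  1 root   root    35000 Jan  4  2002 passwd
-rw-rw-rw-  1 bill_b staff     512 Feb  1  2002 notes.txt
drwxrwxrwt  9 root   root     4096 Feb  1  2002 tmp
"""


def audit(listing: str) -> dict[str, list[str]]:
    """Map each filename in the listing to its findings (empty = nothing to report)."""
    return {e["name"]: findings(e) for e in map(parse_ls_line, listing.splitlines())}


if __name__ == "__main__":
    for name, notes in audit(LISTING).items():
        print(f"{name:10s} {', '.join(notes) or 'ok'}")
```

The same parser applies to the output of ls -l piped in from a real system; the point of reconstructing the numeric mode rather than pattern-matching the string is that the setuid/setgid/sticky letters overload the execute slots, which a simple substring test gets wrong.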

UNIX

• TCP/IP for its communications.
• NFS for mounting file systems over a network.
• ICMP (for ping, traceroute, and so on).
• RIP (for routing).
• ARP (for determination of MAC addresses).
• DNS (for resolving domain names).
• BOOTP (for IP address allocation).
• FTP (for file transfer; the password is sent in clear text).
• TELNET (for remote login; the password is sent in clear text).
• NIS (for creating domains).
• RPC (for remote procedure calls).
• SMTP (for e-mail).
• SNMP (for network management).

[Figure: Windows NT networking architecture against the OSI model (Application, Presentation, Session, Transport, Network, Data link, Physical). Application programs sit above the Transport Driver Interface (TDI). Below the TDI run three transport stacks side by side: NetWare (SPX/IPX), UNIX/Internet (TCP/IP) and Windows (NetBEUI). Beneath them the Network Device Interface Specification (NDIS) wrapper and the NDIS NIC driver provide the Media Access Control layer over the NIC (Ethernet, ATM, ISDN, etc.).]

[Figure: NetWare client stack. Application programs call the NetWare shell (NETx), which issues NCP (NetWare Core Protocol) requests carried by SPX/IPX; the ODI (Open Data-link Interface) layer drives the NIC (network interface card). The software layers run on the client (Windows NT, Windows 3.1, Unix, OS/2, Mac or DOS) and the hardware carries the requests to the server.]

[Figure: NetWare protocols mapped to the OSI model. Application program at the top; the NetWare shell and the NCP redirector/NetBIOS emulator span the Application, Presentation and Session layers; SPX is the Transport layer; IPX is the Network layer; the Open Data-link Interface (ODI) is the Data link layer over Ethernet, Token Ring, etc. at the Physical layer.]

Problems with Novell NetWare 3

• It uses SPX/IPX, which is incompatible with TCP/IP traffic.

• It is difficult to synchronize servers with user information.

• The file structure is local to individual servers.

• The server's user database (the Bindery) is flat and cannot be organized into a hierarchical structure.

NDS

• Hierarchical server structure.

• Network-wide users and groups.

• Global objects. NDS integrates users, groups, printers, servers, volumes and other physical resources into a hierarchical tree structure.

• System-wide login with a single password. This allows users to access resources which are connected to remote servers.

• NDS processes logins between NetWare 3.1 and NetWare 4/5 servers, if the login names and passwords are the same.

• Supports a distributed file system.

NDS (cont.)

• Synchronization services. NDS allows for directory synchronization, which lets directory partitions be replicated on different servers. This provides increased reliability: if a server develops a fault, the directory information it held is still available from the replica on another server.

• Standardized organizational structure for applications, printers, servers and services. This provides a common structure across different organizations.

• It integrates most of the administrative tasks in the Windows-based NWADMIN.EXE program.

• It is a truly distributed system, where the directory information can be distributed around the tree.

• Support for an NFS server for UNIX resources.

• Multiple login scripts, as opposed to the system and user login scripts in NetWare 3.1.

• Windows NT support.

[Figure: example NDS tree. Root objects at the top; container objects for the Organization and for the organizational units Electrical, Mechanical, Production and Administration; leaf objects such as the volumes BINS/VOL1 and SYS/VOL2, the print queue Q_LASER and CD_DISK.]

The most commonly used objects are:

[ROOT]. This is the top level of the inverted tree and contains all the objects within the organizational structure.

Organization. This object class defines the organizational name (such as FRED_AND_CO). It is normally the next level after [ROOT] (or below the C=Country object).

Organizational unit. This object represents the OU part of the NDS tree. These divide the NDS tree into subdivisions, which can represent different geographical sites, different divisions or workgroups. Different divisions might be PRODUCTION, ACCOUNT, RESEARCH, and so on. Each Organizational Unit has its own login script.

Organizational role. This object represents a defined role within an Organization object. It is thus easy to identify users who have an administrative role within the organization.

Group. This object represents a grouping of users. All users within a group inherit the same access rights.

User. This object defines an individual user. The first user created in a NetWare 4 system is the ADMIN user, which is typically the only user with rights to add and delete objects on the whole of the NDS structure.

NCP (NetWare Core Protocol) Server. This appears for all NetWare 4 servers.

Volume. This identifies the mounted volume for file services. A network file system links to the Directory tree through Volume objects.

Bindery. These allow compatibility with existing Bindery-based NetWare 3 servers, NetWare 3 clients and NetWare 4 servers which do not completely implement NDS. They display any object that isn't a user, group, queue, profile or print server, which was created using the bindery services.

Directory map. This object points to a file system directory on a mounted volume. It is typically used to create a global file system which has physically separate parts.

Alias. This identifies an object under another name. For example, a print queue which is called NET_PRINT1 might have an alias name of HP_LASER_JET_6.

Printer. This can either be connected to the printer port of a PC, or connected to a NetWare server.

Print queue. This object represents the queue of print jobs.

Profile. This object defines a special scripting file. This can be a global login script, a location login script or a special login script.

Print server. This object allows print jobs to be queued, waiting to be serviced by the associated printer.

• [ROOT]. This is the top level of the tree. The top of the NDS tree is the [ROOT] object.

• C=Country. This optional object can represent different countries, typically where an organization is distributed over two or more countries. If it is used, it must be placed directly below the [ROOT] object. NDS normally does not use the Country object and instead uses Organizational Units to define the geographically located sites, such as SALES_UK.[ROOT], SALES_USA.[ROOT], and so on.

• L=Locality. This object defines locations within other objects, and identifies network portions. The Country and Locality objects are included in the X.500 specification, but they are not normally used, because many NetWare 4 utilities do not recognize them. When used, it must be placed below the [Root] object, Country object, Organization object, or Organizational Unit object.

Leaf Objects (CN - Common Name)

Apart from the container objects (C, O, OU, and so on) there are leaf objects. These are assigned a CN (for Common Name). They include:

CN=AFP Server
CN=Bindery
CN=Bindery Queue
CN=Computer
CN=Directory Map
CN=Group
CN=Organizational Role
CN=Print Queue
CN=Print Server
CN=Printer
CN=Profile
CN=Server
CN=User
CN=Volume

[Figure: NDS naming example. [ROOT] at the top; below it O=Organization (such as O=FRED_AND_CO); below that the OU=Organizational Unit containers (such as OU=TEST and OU=SALES), which hold the leaf objects User1, User2, Groups, Printer, Print Server, Print Queues and Volumes.]

• LP=Licensed Product. This object is automatically created when a license certificate is installed. When used, it must be placed below the [Root] object, Country object, Organization object, or Organizational Unit object.

• O=Organization. This object represents the name of the organization, a company division or a department. Each NDS Directory tree has at least one Organization object, and it must be placed below the [Root] object (unless the tree uses the Country or Locality object).

• OU=Organizational Unit. This object normally represents the name of an organizational unit within the organization, such as Production, Accounts, and so on. At this level, User objects can be added and a system-level login script is created. It is normally placed below the Organization object.

[Figure: NetWare mirrored servers. A primary server and a secondary server are joined by a dedicated mirrored server link (MSL) through an MSL adapter in each; duplexed traffic over the MSL keeps the secondary in step with the primary, while each server also has its own NIC for the normal network connections.]

[Figure: remote access connection. A remote client connects over PPP/SLIP to a remote access server, which gives it remote access to the network.]

[Figure: virtual private network. A PPTP client tunnels to a remote access server running PPTP; the virtual flow between them crosses the public network. PPTP encapsulates the required protocol (TCP/IP, IPX, AppleTalk, NetBEUI) by carrying PPP frames inside the tunnel, so the PPP framing and PAP/CHAP authentication described below apply to the tunnel as well.]

[Figure: PPP protocol architecture at the two ends of a link. Network layer: IP and IPX packets. Data link layer: PPP, whose Network Control Protocols (NCPs: IPCP for IP, IPXCP for IPX, and the AppleTalk Control Protocol, labelled ACP in the figure) configure each network-layer protocol, and whose Link Control Protocol (LCP) and authentication set up the link over asynchronous or synchronous media. Each network-layer packet (an IP packet in the example) is carried between a PPP header and a PPP trailer.]

PPP frame format

  Flag      Address    Control    Protocol   Data       FCS           Flag
  01111110  11111111   00000011              variable                 01111110
  1 byte    1 byte     1 byte     2 bytes               2 or 4 bytes  1 byte

The Protocol field identifies what the Data field carries:

Network protocols:
  0021h – IP
  0029h – AppleTalk
  002Bh – Novell IPX

Network Control Protocols:
  8021h – IP Control Protocol
  8029h – AppleTalk Control Protocol
  802Bh – Novell IPX Control Protocol

Link Control Protocols:
  C021h – Link Control Protocol
  C023h – PAP
  C025h – Link Quality Report
  C223h – CHAP

LCP packet format

An LCP packet is carried in the Data field of a PPP frame whose Protocol field is C021h:

  Flag      Address    Control    Protocol      Data (LCP packet)  FCS           Flag
  01111110  11111111   00000011   C021h (LCP)                      2 or 4 bytes  01111110
  1 byte    1 byte     1 byte     2 bytes                                        1 byte

The LCP packet itself is:

  Code (1 byte)  Identifier (1 byte)  Length (2 bytes)  Data

LCP codes:
  1   Configure-Request
  2   Configure-Ack
  3   Configure-Nak
  4   Configure-Reject
  5   Terminate-Request
  6   Terminate-Ack
  7   Code-Reject
  8   Protocol-Reject
  9   Echo-Request
  10  Echo-Reply
  11  Discard-Request
  12  RESERVED
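The two layouts above (PPP frame with its FCS, and the LCP packet inside it) can be exercised end to end. The following Python is an added example, not code from the lecture slides: it builds a frame, computes the 16-bit FCS as RFC 1662 defines it, parses the frame back, checks the FCS, and decodes the LCP header. The frame it builds is constructed here (an LCP Echo-Request); byte stuffing is implemented only for the 0x7E flag and 0x7D escape bytes, whereas a real asynchronous link also escapes the control characters in its ACCM.

```python
"""Build and parse PPP frames with the 16-bit FCS of RFC 1662, and decode
the LCP packet carried inside. Added example (not from the lecture slides);
the sample frame is constructed here.
"""
import struct

FLAG, ADDRESS, CONTROL, ESCAPE = 0x7E, 0xFF, 0x03, 0x7D
PROTO_IP, PROTO_LCP = 0x0021, 0xC021
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8          # constants from RFC 1662

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
             7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
             10: "Echo-Reply", 11: "Discard-Request"}


def _fcs_table() -> list[int]:
    """CRC-16 table for x^16+x^12+x^5+1 in reflected form (0x8408)."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _fcs_table()


def ppp_fcs16(data: bytes, fcs: int = FCS_INIT) -> int:
    for b in data:
        fcs = (fcs >> 8) ^ _TABLE[(fcs ^ b) & 0xFF]
    return fcs


def _stuff(data: bytes) -> bytes:
    """Escape flag and escape bytes so they cannot appear inside a frame."""
    out = bytearray()
    for b in data:
        out += bytes([ESCAPE, b ^ 0x20]) if b in (FLAG, ESCAPE) else bytes([b])
    return bytes(out)


def _unstuff(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == ESCAPE:
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Flag | FF | 03 | protocol | payload | FCS (low byte first) | Flag."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack(">H", protocol) + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF
    return bytes([FLAG]) + _stuff(body + struct.pack("<H", fcs)) + bytes([FLAG])


def parse_frame(frame: bytes) -> tuple[int, bytes]:
    """Return (protocol, payload); raise ValueError on framing or FCS errors."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing PPP flag bytes")
    body = _unstuff(frame[1:-1])
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    if ppp_fcs16(body) != FCS_GOOD:           # CRC over data plus FCS must
        raise ValueError("FCS check failed")  # leave the fixed residue
    (protocol,) = struct.unpack(">H", body[2:4])
    return protocol, body[4:-2]


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def parse_lcp(payload: bytes) -> dict:
    """Decode Code | Identifier | Length | Data, checking the Length field."""
    if len(payload) < 4:
        raise ValueError("LCP packet shorter than its header")
    code, ident, length = struct.unpack(">BBH", payload[:4])
    if length < 4 or length > len(payload):
        raise ValueError(f"bad LCP length {length}")
    return {"code": code, "name": LCP_CODES.get(code, "unknown"),
            "identifier": ident, "length": length, "data": payload[4:length]}


def lcp_echo_request(ident: int, magic: int) -> bytes:
    """Echo-Request (code 9) carrying a 4-byte magic number."""
    data = struct.pack(">I", magic)
    return struct.pack(">BBH", 9, ident, 4 + len(data)) + data


if __name__ == "__main__":
    frame = build_frame(PROTO_LCP, lcp_echo_request(7, 0x7E7D1234))
    print(frame.hex())
    proto, payload = parse_frame(frame)
    print(hex(proto), parse_lcp(payload))
```

The magic number chosen for the demonstration contains both 0x7E and 0x7D, so the printed frame shows the stuffing at work; flipping any bit of the frame makes frame_is_valid return False, which is the whole job of the FCS. The FCS detects transmission errors only; it is not a security check, since anyone who can alter the frame can recompute it.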

[Figure: a client and a server exchanging LCP and NCP packets over the network connection.]

LCP and NCP packets are used in four phases:
• Link establishment phase
• Link quality phase
• Network-layer protocol phase
• Link termination phase

[Figure: PAP (Password Authentication Protocol). The client, with hostname remotenode and password pass 1, sends "remotenode pass 1" across the network; the server answers accept/reject. The password is sent in clear text, so anyone who can read the link can capture it and reuse it.]

[Figure: CHAP (Challenge Handshake Authentication Protocol). The client again holds hostname remotenode and password pass 1, but the secret itself is never sent. The server sends a random challenge; the client returns a response computed from the challenge and the secret (an MD5 hash of the packet identifier, the secret and the challenge); the server computes the same value from its own copy of the secret and answers accept/reject. A captured response is useless against the next challenge.]
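The contrast between the two figures is easiest to see with both exchanges written out. The Python below is an added example, not code from the lecture slides: the PAP Authenticate-Request layout follows RFC 1334 and the CHAP response follows RFC 1994 (MD5 over identifier, secret, challenge). The hostname and password are the ones in the figures; run_pap, run_chap and ACCOUNTS are this example's own names, and the challenge bytes used for testing are constructed.

```python
"""PAP versus CHAP as two message exchanges between a client and a server.

Added example (not from the lecture slides). PAP request layout per
RFC 1334; CHAP response per RFC 1994. Hostname and password are those
of the figures; the server's account table is constructed.
"""
import hashlib
import hmac
import secrets
import struct

HOSTNAME, SECRET = b"remotenode", b"pass 1"
ACCOUNTS = {HOSTNAME: SECRET}            # constructed server-side table


# --- PAP: the password itself crosses the link ---------------------------
def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Code 1 | Identifier | Length | Peer-ID-Length | Peer-ID |
    Passwd-Length | Password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", 1, ident, 4 + len(data)) + data


def pap_server_check(request: bytes, accounts: dict[bytes, bytes]) -> bool:
    code, _ident, length = struct.unpack(">BBH", request[:4])
    if code != 1 or length != len(request):
        return False
    n = request[4]
    peer_id = request[5:5 + n]
    m = request[5 + n]
    password = request[6 + n:6 + n + m]
    expected = accounts.get(peer_id)
    return expected is not None and hmac.compare_digest(password, expected)


# --- CHAP: only MD5(identifier | secret | challenge) crosses the link ------
def chap_challenge(nbytes: int = 16) -> bytes:
    return secrets.token_bytes(nbytes)          # fresh for every attempt


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_server_check(ident: int, name: bytes, challenge: bytes,
                      response: bytes, accounts: dict[bytes, bytes]) -> bool:
    secret = accounts.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def run_pap(password: bytes = SECRET) -> tuple[bytes, bool]:
    """One PAP exchange: (bytes seen on the wire, server verdict)."""
    wire = pap_authenticate_request(1, HOSTNAME, password)
    return wire, pap_server_check(wire, ACCOUNTS)


def run_chap(challenge: bytes, ident: int = 1,
             secret: bytes = SECRET) -> tuple[bytes, bool]:
    """One CHAP exchange: (response seen on the wire, server verdict)."""
    response = chap_response(ident, secret, challenge)        # client side
    return response, chap_server_check(ident, HOSTNAME, challenge, response, ACCOUNTS)


if __name__ == "__main__":
    wire, ok = run_pap()
    print("PAP  wire:", wire, "accepted:", ok, "password visible:", SECRET in wire)
    c1 = chap_challenge()
    r1, ok1 = run_chap(c1)
    print("CHAP wire:", r1.hex(), "accepted:", ok1, "secret visible:", SECRET in r1)
    # An eavesdropper replaying r1 against the next challenge is rejected.
    c2 = chap_challenge()
    print("replayed response accepted:", chap_server_check(1, HOSTNAME, c2, r1, ACCOUNTS))
```

Two caveats follow from the code rather than the figures: the CHAP server must hold the secret in recoverable form to compute the same hash, and a captured challenge/response pair allows an offline dictionary attack on a weak secret, since MD5 is fast and the hash is unsalted beyond the challenge.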

[Figure: LCP option-negotiation state machine. States: Closed, Req-Sent, Ack-Rcvd, Ack-Sent, Opened, Closing. Events: Open, Close, RCR+ (acceptable Configure-Request received), RCR- (unacceptable Configure-Request received), RCA (Configure-Ack received), RCN (Configure-Nak or Configure-Reject received), RTR (Terminate-Request received), TO+ (timeout with retries remaining). Actions: scr (send Configure-Request), sca (send Configure-Ack), scn (send Configure-Nak/Reject), str (send Terminate-Request), sta (send Terminate-Ack), tlu (this layer up).]

[Figure: PPP link phases. Link Dead phase (Up) → Link Establishment phase, negotiated with LCP configuration packets (Opened) → Authentication phase (Success/none) → Network-Layer Protocol phase, negotiated with NCP packets (Closing) → Link Termination phase (Down) → Link Dead phase. Fail in the Link Establishment phase returns the link to Link Dead; Fail in the Authentication phase leads to Link Termination.]