
You can use http://windom.uccs.edu/~cs522/cgi-bin/routeMask.cgi to find the network address and netmask.

a. 135.46.63.10
Ans: The router checks the routing entries starting with the longest prefix, 192.53.40.0/23. /23 means the first 23 bits are the network part, so the corresponding netmask is 255.255.254.0 (not 255.255.255.0). 135.46.63.10 & 255.255.254.0 = 135.46.62.0 != 192.53.40.0, so this entry does not match. The next longest prefix is /22: 135.46.63.10 & 255.255.252.0 = 135.46.60.0, which matches the 135.46.60.0/22 entry, so the packet is routed out over Interface 1. A person can see at a glance that the 192.53.40.0/23 entry is irrelevant to a 135.46.x.x address, but the router only knows that after masking and comparing.

b. 135.46.57.14
Ans: 135.46.57.14 & 255.255.252.0 = 135.46.56.0. This matches the 135.46.56.0/22 entry, so the packet is routed out over Interface 0.

c. 135.46.52.2
Ans: 135.46.52.2 & 255.255.252.0 = 135.46.52.0, which lies below 135.46.56.0/22 and matches neither /22 entry (nor the /23 one). The default route is used and the packet is routed to Router 2.

d. 192.53.40.7
Ans: 192.53.40.7 & 255.255.254.0 = 192.53.40.0. This matches the 192.53.40.0/23 entry, so the packet is routed to Router 1.

e. 192.53.56.7
Ans: 192.53.56.7 & 255.255.254.0 = 192.53.56.0 != 192.53.40.0, and no /22 entry matches either. The default route is used and the packet is routed to Router 2.
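The masking arithmetic of the answers above, carried out as a longest-prefix-match lookup. This is an added example and not part of the original notes; the routing table is the one the exercise refers to (two /22 entries, one /23 entry and a default), and network_address() also covers the mask-and-AND computation of Example 1 further down this page (200.45.34.56 with mask 255.255.240.0). The explain() helper reproduces the "address & mask = result" lines of the hand computation.

```python
"""Longest-prefix-match lookup with explicit masking (added example)."""


def ip_to_int(dotted):
    """'135.46.63.10' -> 32-bit integer; rejects malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_mask(length):
    """/23 -> 0xFFFFFE00, i.e. 255.255.254.0 (not 255.255.255.0)."""
    if not 0 <= length <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def mask_to_dotted(length):
    return int_to_ip(prefix_mask(length))


def network_address(dotted, length):
    """Bitwise AND of address and mask, exactly as in the worked answers."""
    return int_to_ip(ip_to_int(dotted) & prefix_mask(length))


# Routing table from the exercise: (network, prefix length, next hop)
ROUTING_TABLE = [
    ("135.46.56.0", 22, "Interface 0"),
    ("135.46.60.0", 22, "Interface 1"),
    ("192.53.40.0", 23, "Router 1"),
    ("0.0.0.0", 0, "Router 2"),  # default route: /0 matches everything
]


def lookup(dest, table=ROUTING_TABLE):
    """Try entries longest prefix first; return ('net/len', next_hop) of the first match."""
    d = ip_to_int(dest)
    for net, length, hop in sorted(table, key=lambda e: e[1], reverse=True):
        mask = prefix_mask(length)
        if d & mask == ip_to_int(net) & mask:
            return f"{net}/{length}", hop
    raise LookupError(f"no route to {dest} (table has no default)")


def explain(dest, table=ROUTING_TABLE):
    """One line per comparison the router makes, mirroring the hand computation."""
    steps = []
    for net, length, hop in sorted(table, key=lambda e: e[1], reverse=True):
        masked = network_address(dest, length)
        hit = masked == network_address(net, length)
        steps.append(f"{dest} & {mask_to_dotted(length)} = {masked} "
                     f"{'==' if hit else '!='} {net}/{length} -> {hop if hit else 'no match'}")
        if hit:
            break
    return steps


if __name__ == "__main__":
    for addr in ("135.46.63.10", "135.46.57.14", "135.46.52.2", "192.53.40.7", "192.53.56.7"):
        print("\n".join(explain(addr)))
```

Note that the two /22 entries are compared in table order after the /23 entry; because the entries in a correct table do not overlap at the same prefix length, only one of them can match, so that order does not affect the result.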


IGMP
Internet Group Management Protocol (IGMP) is the protocol used to support multicasting. To use multicasting, a process on a host must be able to join and leave a group. A process is a user program that is using the network. Group access is identified by the group address and the interface (NIC). A host must keep track of the groups that at least one process belongs to and the number of processes that belong to the group. IGMP is defined in RFC 1112.

IGMP messages are used by multicast routers to track group memberships on each of their attached networks. The rules are:

The first time a process on a host joins a multicast group, the host sends an IGMP report for that group. Every time the host needs to start receiving a new group on behalf of one of its processes, it therefore sends a report.

Multicast routers send IGMP queries regularly to learn whether any hosts still have processes belonging to any group. The group address in a query is set to 0, the TTL field is set to 1 so the query stays on the local network, and the destination IP address is 224.0.0.1, the all-hosts group, which reaches every multicast-capable host and router on that network.

A host answers a query with one IGMP report for each group that contains one or more of its processes. The router only needs to know that at least one member exists for a group on a given network, so RFC 1112 hosts delay each report by a random interval and suppress it if they hear another host on the same network report that group first.

A host does not send any message when its last process leaves a group (IGMPv1 has no leave message). The multicast router relies on the responses to later queries, or their absence, to age the membership out.

Hosts and routers use IGMP to support multicasting; multicast routers must know which groups have members on each network at any given time. The IGMPv1 message is 8 bytes, consisting of:

Bits 0 to 3 - IGMP version number (1)
Bits 4 to 7 - IGMP type: 1 = Host Membership Query, sent by a multicast router; 2 = Host Membership Report, sent by a host
Bits 8 to 15 - unused (sent as zero)
Bits 16 to 31 - checksum (the standard IP one's-complement checksum, computed over the whole 8-byte message)
Last 4 bytes - 32-bit group address, which is a class D IP address (zero in a query)

IGMP messages are encapsulated in IP datagrams, which carry a time-to-live (TTL) field. The default TTL for multicast is 1, which means the datagram never leaves its subnetwork. An application can raise the TTL step by step to search outward for a server a given number of hops away (an expanding-ring search). Addresses 224.0.0.0 through 224.0.0.255 are never forwarded by multicast routers regardless of TTL, since they are reserved for applications that do not need to communicate beyond the local network. These addresses can therefore be used for group multicasting on private networks with no concern for the same addresses being used for multicasting on other networks.
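The 8-byte layout above, built and parsed in code. This is an added example written for these notes, not reference code from RFC 1112 or any IGMP implementation; the checksum is the standard Internet checksum (RFC 1071) the text refers to, and the parser rejects anything that is not a well-formed, correctly checksummed IGMPv1 message, which is the check a sniffer or a host stack would make before trusting the group address.

```python
"""IGMPv1 message builder/parser (added example)."""
import struct

IGMP_V1 = 1
TYPE_QUERY = 1      # Host Membership Query, sent by a multicast router
TYPE_REPORT = 2     # Host Membership Report, sent by a host
ALL_HOSTS = "224.0.0.1"   # destination of every query, TTL 1


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return bytes(octets)


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def is_multicast(group):
    return 224 <= int(group.split(".")[0]) <= 239


def is_link_local_group(group):
    """224.0.0.0/24: never forwarded by multicast routers, whatever the TTL."""
    return tuple(int(o) for o in group.split("."))[:3] == (224, 0, 0)


def build_igmp(msg_type, group="0.0.0.0"):
    """Return an 8-byte IGMPv1 message with a valid checksum.

    A query carries group 0.0.0.0; a report carries the class D group address.
    """
    if msg_type == TYPE_QUERY and group != "0.0.0.0":
        raise ValueError("IGMPv1 query must carry group 0.0.0.0")
    if msg_type == TYPE_REPORT and not is_multicast(group):
        raise ValueError("report must name a class D group")
    if msg_type not in (TYPE_QUERY, TYPE_REPORT):
        raise ValueError(f"unknown IGMPv1 type {msg_type}")
    # version in the high nibble, type in the low nibble, checksum zero for now
    hdr = struct.pack("!BBH4s", (IGMP_V1 << 4) | msg_type, 0, 0, ip_to_bytes(group))
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]


def parse_igmp(pkt):
    """Decode a message, refusing wrong length, bad checksum or unknown version."""
    if len(pkt) != 8:
        raise ValueError("IGMPv1 messages are exactly 8 bytes")
    if inet_checksum(pkt) != 0:             # sum including checksum field is 0xFFFF
        raise ValueError("bad checksum")
    vt, _unused, _csum, group = struct.unpack("!BBH4s", pkt)
    version, msg_type = vt >> 4, vt & 0x0F
    if version != IGMP_V1:
        raise ValueError(f"unsupported IGMP version {version}")
    if msg_type not in (TYPE_QUERY, TYPE_REPORT):
        raise ValueError(f"unknown IGMPv1 type {msg_type}")
    return {"version": version, "type": msg_type, "group": bytes_to_ip(group)}


if __name__ == "__main__":
    q = build_igmp(TYPE_QUERY)
    r = build_igmp(TYPE_REPORT, "224.0.1.1")
    print(q.hex(), parse_igmp(q))
    print(r.hex(), parse_igmp(r))
```

A query comes out as 11 00 ee ff 00 00 00 00: version 1, type 1, checksum 0xEEFF, group zero. Verifying a received message is the same function run over all 8 bytes, which must yield zero.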

What is Kerberos?
Kerberos is a network authentication protocol developed at MIT in the mid-1980s. It is available as open source and in supported commercial software.

Why Kerberos?
Sending usernames and passwords in the clear jeopardizes the security of the network. Each time a password is sent in the clear, there is a chance for interception.

Firewall vs. Kerberos?


Firewalls make a risky assumption: that attackers come from the outside. In reality, attacks frequently come from within. Kerberos instead assumes that the network connections (rather than the servers and workstations) are the weak link in network security, so nothing sent over the network is trusted without cryptographic proof.

Design Requirements
Interactions between hosts and clients should be encrypted. The system must be convenient for users (or they won't use it). It must protect against intercepted credentials: a captured message should not let an attacker log in later.

Cryptography Approach
Secret-key (symmetric) cryptography: both parties share the same secret key, which is used to encrypt and decrypt messages. Because the parties cannot establish such a key on their own, Kerberos uses a trusted third party that holds every principal's key and can therefore vouch for the identity of both parties in a transaction. The security of that third party is imperative.

How does Kerberos work?

Instead of the client sending its password to the application server:
1. The client requests a ticket from the authentication server.
2. The client sends the ticket, together with an encrypted request, to the application server.

How to request tickets without repeatedly sending credentials?

With a ticket granting ticket (TGT): the client authenticates once and receives a TGT, which it then presents whenever it needs a ticket for an application server, so the user's credentials are used only at login.

How does Kerberos work?: Ticket Granting Tickets

The Authentication Server issues the TGT encrypted with the Ticket Granting Service's own key, together with a session key encrypted under a key derived from the user's password. The client can read the session key only if it knows the password; the password itself is never sent over the network.

How does Kerberos Work?: The Ticket Granting Service

To obtain a ticket for a service, the client presents the TGT plus an authenticator (client name and current timestamp, encrypted under the session key). The Ticket Granting Service decrypts the TGT with its own key, checks the authenticator, and returns a service ticket encrypted with that service's key plus a new session key for the client and the service.

How does Kerberos work?: The Application Server

The client presents the service ticket plus a fresh authenticator. The application server decrypts the ticket with its own key, recovers the session key, decrypts the authenticator with it and checks that the names match and the timestamp is recent.

Applications
Authentication, and built on it authorization and confidentiality (the session key can be used to encrypt the application traffic), within a network or a small set of networks.

Weaknesses and Solutions

If a TGT is stolen, it can be used to access network services, but only until the ticket expires, typically in a few hours. Authenticators carry a timestamp, so a captured ticket and authenticator can only be replayed within the clock-skew window (5 minutes by default); after that the attacker would have to forge a new authenticator, which requires the session key. The servers themselves need physical protection.

Kerberos is subject to dictionary attack: the Authentication Server's reply is encrypted under a key derived from the user's password, so anyone who obtains such a reply can test password guesses offline, without talking to the server. Strong passwords, and in Kerberos v5 pre-authentication (proving knowledge of the password before the server answers), reduce the exposure.

Compromise of the Authentication Server is very bad: it holds every principal's secret key, so an attacker who controls it can impersonate any user or service.
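The three exchanges described above and the weaknesses just listed, as one runnable toy. This is an added example written for these notes, not MIT Kerberos code: seal()/unseal() is an HMAC-SHA256 stand-in for a Kerberos encryption type, the realm name and 8-hour lifetime are assumptions, and string2key() is deliberately a fast unsalted hash so that the offline guessing attack on the Authentication Server's reply is visible. The client never transmits its password; the TGS and the application server both reject an authenticator older than the 5-minute skew window, so a captured ticket cannot be replayed later.

```python
"""Toy Kerberos: AS -> TGT, TGS -> service ticket, AP check, dictionary attack (added example)."""
import hashlib
import hmac
import json
import os

SKEW = 300              # authenticator accepted within +/- 5 minutes of server clock
LIFETIME = 8 * 3600     # tickets expire after a few hours (assumed value)


def _stream(key, nonce, data):
    """Keystream from HMAC-SHA256 counter blocks, XORed over data (toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key."""
    nonce = os.urandom(16)
    ct = _stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_stream(key, nonce, ct))


def string2key(password, realm="EXAMPLE.EDU"):
    # Deliberately a plain fast hash: this is what makes password guessing cheap.
    return hashlib.sha256(f"{realm}:{password}".encode()).digest()


def _check(ticket, authenticator, now):
    """Shared ticket + authenticator validation used by the TGS and by services."""
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if now > ticket["expires"] or auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("expired ticket or stale/mismatched authenticator")
    return ticket["client"]


class KDC:
    """Authentication Server and Ticket Granting Service in one object."""

    def __init__(self, user_keys, tgs_key, service_keys):
        self.user_keys, self.tgs_key, self.service_keys = user_keys, tgs_key, service_keys

    def as_exchange(self, user, now):
        """AS-REP: session key + TGT; readable only with the user's password-derived key."""
        sess = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "key": sess, "expires": now + LIFETIME})
        return seal(self.user_keys[user], {"key": sess, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REP: verify TGT + authenticator, issue a ticket for the named service."""
        t = unseal(self.tgs_key, tgt)
        client = _check(t, authenticator, now)
        svc = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"client": client, "key": svc, "expires": now + LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc, "ticket": ticket.hex()})


def client_login(kdc, user, password, service, now):
    """Client side: returns (service ticket, authenticator) to present to the server."""
    rep = unseal(string2key(password), kdc.as_exchange(user, now))   # wrong password -> ValueError
    sess = bytes.fromhex(rep["key"])
    tgs_rep = unseal(sess, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]),
                                            seal(sess, {"client": user, "ts": now}), service, now))
    svc_key = bytes.fromhex(tgs_rep["key"])
    return bytes.fromhex(tgs_rep["ticket"]), seal(svc_key, {"client": user, "ts": now})


def ap_verify(service_key, ticket, authenticator, now):
    """Application server: accept only a valid ticket with a fresh matching authenticator."""
    return _check(unseal(service_key, ticket), authenticator, now)


def guess_password(as_rep, wordlist):
    """Offline attack: anyone holding an AS reply can test guesses without the KDC."""
    for word in wordlist:
        try:
            unseal(string2key(word), as_rep)
            return word
        except ValueError:
            continue
    return None
```

Run with a fixed clock value to see the window checks: a ticket presented 60 seconds later is accepted, the same ticket and authenticator 10 minutes later is refused, and a reply from as_exchange() handed to guess_password() with a small word list recovers the password.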

The Competition: SSL

SSL and Kerberos compared, point by point:

Encryption - SSL uses public key encryption; Kerberos uses secret (symmetric) key encryption.
Trust model - SSL is certificate based (asynchronous: the certificate authority need not be online); Kerberos relies on a trusted third party that must be reachable at login (synchronous).
Typical use - SSL is ideal for the WWW; Kerberos is ideal for networked environments such as a campus or enterprise.
Key revocation - SSL requires a revocation server to keep track of bad certificates; in Kerberos a user is revoked by disabling the account at the Authentication Server.
Credential storage - Certificates sit on a user's hard drive (even if they are encrypted) where they are subject to theft and cracking; passwords reside in users' minds where they are usually not subject to that attack.
Cost - SSL used patented material, so the service was not free, and Netscape had a profit motive in wide acceptance of the standard (a claim from the RSA-patent era; that patent expired in 2000); Kerberos has always been open source and freely available.

Limitation: Scalability
Recent modifications attempt to address this problem, using public key cryptography for client authentication and for cross-realm authentication, but the issues are not fully resolved.

Example 1

What is the subnetwork address if the destination address is 200.45.34.56 and the subnet mask is 255.255.240.0?

Solution

Write both in binary and AND them bit by bit:

200.45.34.56    11001000 00101101 00100010 00111000
255.255.240.0   11111111 11111111 11110000 00000000
AND             11001000 00101101 00100000 00000000

The subnetwork address is 200.45.32.0.

Figure 5-6

Example 2

A tcpdump line and how to read it:

1023873914.125606 fulton.ssh > spider.1145: P 3066603742:3066603806(64) ack 1646168027 win 17520 [tos 0x10]

Here is a breakdown (the original slide colour-coded these fields):

1023873914.125606 - the time the packet came across the capture interface (a tcpdump timestamp, not part of the packet)
fulton.ssh > spider.1145 - source host and source port, then destination host and destination port
P - the TCP flags
3066603742:3066603806(64) - the byte sequence range carried: sequence numbers 3066603742 up to but not including 3066603806, i.e. 64 bytes of data
ack 1646168027 - the acknowledgement number
win 17520 - the window size, the number of bytes the sender is currently prepared to receive
[tos 0x10] - the IP type of service byte (this is an IP header field, not a TCP one)

Flag letters used by tcpdump:

S - SYN - synchronize sequence numbers
F - FIN - sender is finished sending data
R - RST - reset connection
P - PSH - push data to the receiving process as soon as possible
. - none of the above four flags is on

The following questions and answers refer to a second trace that is not reproduced here:

1. What TCP header flags are being used? S, P, F, ., ack
2. Which node initiates the active open? Using which port? The Y1.32790 host, using port 23
3. What options are used in the IP header? tos 0x08, i.e. maximize throughput (for FTP); the T bit is set to 1
4. Which node initiates the active close? 10.50.0.1
5. Which interface is being used? The eth0 interface
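A parser for the old-style tcpdump TCP summary line shown above, plus the two questions the exercise asks (who did the active open, who did the active close) answered mechanically from a trace. This is an added example written for these notes, not tcpdump code; the regular expression is this example's own, and the five-line trace is a constructed illustration of a short ssh session that includes the page's line, not a capture quoted from the notes.

```python
"""tcpdump TCP summary-line parser and open/close attribution (added example)."""
import re

FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "none"}

# timestamp  src.port > dst.port: FLAGS [seq:end(len)] [ack N] [win N] [[tos 0xNN]]
_LINE = re.compile(r"""
    ^(?P<ts>\d+\.\d+)\s+
    (?P<src>\S+)\.(?P<sport>\w+)\s+>\s+
    (?P<dst>\S+)\.(?P<dport>\w+):\s+
    (?P<flags>[SFRP.]+)
    (?:\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?
    (?:\s+ack\s+(?P<ack>\d+))?
    (?:\s+win\s+(?P<win>\d+))?
    (?:\s+\[tos\s+(?P<tos>0x[0-9a-fA-F]+)\])?
    \s*$
""", re.VERBOSE)


def parse_line(line):
    """Split one line into its fields; numeric fields become ints, missing ones None."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    d = m.groupdict()
    for k in ("seq", "seq_end", "length", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["ts"] = float(d["ts"])
    d["tos"] = int(d["tos"], 16) if d["tos"] else 0      # IP ToS byte, 0 when not shown
    d["flag_names"] = [FLAG_NAMES[c] for c in d["flags"]]
    return d


def active_open(lines):
    """The side that sends the first SYN without an ACK performed the active open."""
    for d in map(parse_line, lines):
        if "S" in d["flags"] and d["ack"] is None:
            return d["src"], d["sport"]
    return None


def active_close(lines):
    """The side that sends the first FIN performed the active close."""
    for d in map(parse_line, lines):
        if "F" in d["flags"]:
            return d["src"], d["sport"]
    return None


# The line from the notes.
SAMPLE = ("1023873914.125606 fulton.ssh > spider.1145: P 3066603742:3066603806(64) "
          "ack 1646168027 win 17520 [tos 0x10]")

# Constructed trace (not from the notes): handshake, one data segment, then a FIN.
TRACE = [
    "1023873914.000000 spider.1145 > fulton.ssh: S 1646168000:1646168000(0) win 5840",
    "1023873914.001000 fulton.ssh > spider.1145: S 3066603700:3066603700(0) ack 1646168001 win 17520",
    "1023873914.002000 spider.1145 > fulton.ssh: . ack 3066603701 win 5840",
    SAMPLE,
    "1023873915.000000 fulton.ssh > spider.1145: F 3066603806:3066603806(0) ack 1646168027 win 17520",
]

if __name__ == "__main__":
    for line in TRACE:
        d = parse_line(line)
        print(f"{d['src']}.{d['sport']} -> {d['dst']}.{d['dport']}  flags={d['flag_names']}  "
              f"len={d['length']}  ack={d['ack']}  win={d['win']}  tos={d['tos']:#04x}")
    print("active open :", active_open(TRACE))
    print("active close:", active_close(TRACE))
```

On the constructed trace spider (port 1145) does the active open and fulton (port ssh) the active close; the same two functions answer questions 2 and 4 of the exercise when run over the real trace.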


UDP
TCP (Transmission Control Protocol) is the most commonly used transport protocol on the Internet because it offers reliable delivery. Every byte is numbered, the receiver acknowledges what it has received, and the sender retransmits anything that is not acknowledged in time, so the stream arrives complete, in order and identical to what was sent. Flow control (the receiver's advertised window, the "win" field in the tcpdump line above) keeps the sender from overrunning the receiver's buffer, and congestion control slows the sender down when packets are being lost. The price is the handshake, the acknowledgements and the delay of waiting for retransmissions.

UDP (User Datagram Protocol) is the other commonly used transport protocol. It adds only port numbers and a checksum on top of IP: no connection, no acknowledgements, no retransmission and no flow control. A datagram that is lost or corrupted is simply gone, and datagrams may arrive out of order. That makes UDP cheaper and lower in latency, which is why streaming audio and video (Windows Media .WMA, RealPlayer .RM and similar) use it: for live media a late retransmission is worth less than the next frame, so the application tolerates loss rather than waiting. UDP is not reserved for unimportant data (DNS and NTP run over it, for example); what it lacks is the delivery guarantee, which an application must build for itself if it needs one. The reduced quality of streaming media comes from lost packets that are never retransmitted and from the encoder's bit-rate budget, not from UDP as such.

UDP Frame
The absence of a handshake also makes UDP attractive to attackers. A trojan or backdoor listening on UDP can answer only to packets carrying a secret marker and remain invisible to a TCP port scan, and because a UDP source address is never confirmed by a handshake, UDP packets are easy to spoof, which is why UDP floods and reflection traffic are a staple of DoS (Denial of Service) attacks. It is important to know the difference between TCP port 80 and UDP port 80: they are different sockets, and a firewall rule that permits TCP/80 says nothing about UDP/80 (or vice versa), so rules should always name the protocol together with the port.

TFTP Message Format

Unlike FTP, all communication in TFTP is carried out in discrete messages that follow a fixed format. The reason the two differ so much here is the transport protocol each uses. FTP runs over TCP, which delivers a byte stream, so commands and data can be sent a byte at a time, and FTP keeps a separate connection dedicated to commands. TFTP runs over UDP, so every message is a self-contained datagram: a 2-byte opcode followed by fields whose layout depends on the opcode. The original TFTP standard (RFC 1350) defines five message types:
Read Request (RRQ, opcode 1), Write Request (WRQ, opcode 2), Data (DATA, opcode 3), Acknowledgment (ACK, opcode 4), Error (ERROR, opcode 5)
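The five message types, encoded and decoded. This is an added example written for these notes, not code from any TFTP implementation. The layouts are those of RFC 1350 (request: opcode, filename, NUL, mode, NUL; DATA: opcode, block number, up to 512 bytes; ACK: opcode, block number; ERROR: opcode, error code, message, NUL). Because TFTP has no authentication, the parser is strict about malformed datagrams, and is_safe_filename() is this example's own server-side guard against a request naming a file outside the served directory.

```python
"""TFTP (RFC 1350) message encoder/parser (added example)."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
MODES = {"netascii", "octet", "mail"}


def _cstring(s):
    """ASCII string plus the terminating NUL, as TFTP string fields are sent."""
    b = s.encode("ascii")
    if b"\x00" in b:
        raise ValueError("NUL inside string field")
    return b + b"\x00"


def encode_request(opcode, filename, mode="octet"):
    if opcode not in (RRQ, WRQ) or mode not in MODES:
        raise ValueError("bad request opcode or mode")
    return struct.pack("!H", opcode) + _cstring(filename) + _cstring(mode)


def encode_data(block, payload):
    if len(payload) > BLOCK_SIZE:
        raise ValueError("DATA payload exceeds 512 bytes")
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block & 0xFFFF)


def encode_error(code, message):
    return struct.pack("!HH", ERROR, code) + _cstring(message)


def _split_cstrings(body, n):
    """Exactly n NUL-terminated strings and nothing after them."""
    parts = body.split(b"\x00")
    if len(parts) != n + 1 or parts[-1] != b"":
        raise ValueError("malformed NUL-terminated fields")
    return [p.decode("ascii") for p in parts[:n]]


def parse(pkt):
    """Describe one TFTP datagram as a dict; raise ValueError on anything malformed."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode = _split_cstrings(pkt[2:], 2)
        if mode.lower() not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        return {"op": opcode, "filename": filename, "mode": mode.lower()}
    if opcode == DATA:
        if len(pkt) - 4 > BLOCK_SIZE:
            raise ValueError("DATA payload exceeds 512 bytes")
        block = struct.unpack("!H", pkt[2:4])[0]
        # A block shorter than 512 bytes marks the end of the transfer.
        return {"op": DATA, "block": block, "data": pkt[4:], "last": len(pkt) - 4 < BLOCK_SIZE}
    if opcode == ACK:
        if len(pkt) != 4:
            raise ValueError("ACK must be exactly 4 bytes")
        return {"op": ACK, "block": struct.unpack("!H", pkt[2:4])[0]}
    if opcode == ERROR:
        (msg,) = _split_cstrings(pkt[4:], 1)
        return {"op": ERROR, "code": struct.unpack("!H", pkt[2:4])[0], "message": msg}
    raise ValueError(f"unknown opcode {opcode}")


def is_safe_filename(name):
    """Server-side guard (this example's addition): refuse absolute paths and '..' components."""
    return bool(name) and not name.startswith("/") and "\\" not in name and ".." not in name.split("/")


if __name__ == "__main__":
    for pkt in (encode_request(RRQ, "boot.cfg"), encode_data(1, b"A" * 512),
                encode_data(2, b"tail"), encode_ack(2), encode_error(1, "File not found")):
        print(pkt[:16].hex(), parse(pkt))
```

Rejecting a request whose filename escapes the served directory is the minimum a TFTP server should do, since the protocol offers no way to find out who is asking.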

POP3 and IMAP4


POP3 and IMAP4 are Internet protocols that let you retrieve e-mail from an e-mail server to your computer. POP3 and IMAP4 e-mail programs provide basic e-mail functionality. But, generally, POP3 and IMAP4 e-mail programs don't provide the rich e-mail and collaboration features that are provided by Outlook, Outlook Web App, and Outlook Voice Access

POP3 (Post Office Protocol version 3) vs. IMAP4 (Internet Message Access Protocol version 4)
POP3 is the current version of the standard protocol for receiving e-mail messages from a mail server. The majority of e-mail service providers offer POP3 by default and almost all e-mail clients support it. POP3 is a client-server protocol in which your messages are received and stored for you by the server; by default a POP3 client downloads the messages and then deletes them from the server (most clients can be set to leave copies), which makes it designed for offline processing on a single machine. Unlike IMAP4, POP3 knows only one mailbox: it cannot synchronize more than one folder and provides no access to shared or public folders.

IMAP4 leaves the messages on the server and lets the client fetch parts of a message separately, so a client can retrieve only the headers (sender and subject) and then download just the messages you actually want to read. Because the mailbox stays on the server, you can access your e-mail from multiple locations and see the same state everywhere, and IMAP4 lets you not only access but also create more than one mail folder on the server.


