ETSF10 Part 3 Lect 2

Transcription

1 ETSF10 Part 3 Lect 2 DHCP, DNS, Security Jens A Andersson Electrical and Information Technology

2 DHCP Dynamic Host Configuration Protocol bootp is predecessor Alternative: manual configuration IP address Net mask Df Default gateway DNS server(s)

3 Figure 21.7 BOOTP client and server on the same and different networks Relay agent often here 21.3

4 Figure 18.3 Use of UDP ports TCP/IP Protocol Suite 4

5 Figure 18.9 Exchanging messages TCP/IP Protocol Suite 5

6 DHCP address allocation Static Static mapping MAC IP address Client always get the same IP address Used in clients home network Dynamic Client gets IP address from pool Used in open networks

7 DNS Domain Name System/Service Internets telephone book? Name to Number Number to Name Mail to which server Who s responsible More

8 Figure 25.1 Example of using the DNS service 25.8

9 Figure Domain name space 25.9

10 Figure 25.8 DNS IN THE INTERNET 25.10

11 Figure 25.9 Generic domains 25.11

12 25.12 Table 25.1 Generic domain labels

13 Figure Country domains 25.13

14 Country domain Root level ae fr se zw lth eit any any.eit.lth.se

15 Figure Inverse domain 25.15

16 Figure 25.3 Domain names and labels 25.16

17 Figure 25.4 FQDN and PQDN Note the dot FQDN = Fully Qualified Domain Name PQDN = Partially yqualified Domain Name 25.17

18 Figure Domains 25.18

19 Figure 25.7 Zones and ddomains 25.19

20 Figure 25.6 Hierarchy of name servers 25.20

21 Figure Recursive resolution 25.21

22 Figure Iterative ti resolution 25.22

23 Caching Boost efficieny Remember what you ve learned Local host / client DNS serversers (Zone transfer) Request data of a zone From primary to secondary DNS server

24 Figure Query and response messages 25.24

25 Figure Header format 25.25

26 Adding new domains Apply / Register by Regstrar Registrar: Commercial entity (many) Accredited by ICANN

27 DDNS Host may change IP address DHCP updates primary name server with new binding (IP address Name) Authentication to update

28 Encapsulation UDP Message less than 512 bytes TCP Message more than 512 bytes Example: Zone transfer

29 IP Sec IP Security Collection of protocols Security for packets on network layer Alternative: ti Securityat t application layer transport layer

30 Figure 32.1 Common structure t of three security protocols Normally two keys Payload MAC MAC = Message Authentication Code 32.30

31 Figure TCP/IP protocol suite and IPSec 32.31

32 Figure Transport mode and tunnel modes of fipsec protocol 32.32

33 Figure 32.4 Transport mode in action Host Aand host B addresses fully visable

34 Figure 32.5 Tunnel mode in action IP headers here are for the tunnel s end-points only

35 Two Protocols Authentication Header (AH) Provides source authentication and data integrity No privacy Encapsulating Security Payload (ESP) Provides source authentication and data integrity Privacy

36 Figure 32.6 Authentication ti ti Header (AH) Protocol lin transport tmode 32.36

37 Figure 32.7 Encapsulating Security Payload d(esp) Protocol lin transport tmode 32.37

38 Table 32.1 IPSec services 32.38

39 Exchange secrets Bob and Alice must exchange secrets For that they need a secured channel For the secured channel they nedd to exchange secrets For that they need a secured channel

40 Asymetric encryption Pair of keys Public, known by all Private, secure, kept by owner Encrypt messages with receivers public key Can only be decrypted with private key Sign/Authenticate ti t messages with private key Test with sender s public key

41 IPSec Security Associations Logical secured channel between two parties Internet Key Exchange (IKE) Creates SAs (inbound and outbound) in a database

42 Figure 32.8 Simple inbound and outbound security associations 32.42

43 Figure 32.9 IKE components 32.43

44 (Virtual) Private Network VPN Overlay network Alternative to a really private network

45 32.45 Table 32.2 Addresses for private networks

46 Figure Pi Private network 32.46

47 Figure Hbid Hybrid network 32.47

48 Figure A VPN 32.48

49 SSL/TLS Secure Sockets Layer Protocol Transport Layer Security TLS is IETF version of SSL

50 Figure Location of SSL and TLS in the Internet t model 32.50

51 Table 32.3 SSL cipher suite list 32.51

52 Table SSL cipher suite list (continued) 32.52

53 SSL Created by Netscape Authentictation Message integrity Confidentiallity i

54 SSL Services Fragmentation Create blocks of 2 14 bytes or less Compression Message Integrity Confidentiality Framing

55 Figure Processing done by the Record dprotocol 32.55

56 Figure Creation of cryptographic secrets in SSL 32.56

57 Figure Four SSL protocols 32.57

58 Four protocols Record Protocol The carrier Handshake Protocol Authentication Establishe cipher sets Provides keys and security parameters ChangeCipherSPec Protocol Crypotgraphic Secrets ready Alert Protocol Signaling of abnormalities

59 Figure Handshake Protocol 32.59

60 Firewalls Control system access Check/Drop packets Network layer, Transport layer Application layer

61 Figure Firewall 32.61

62 Figure Packet-filter firewall 32.62

63 Application Gateway Firewall on Application Layer Acts as server against client client against requested service Checks if user s request is legitimate i application data integrity

64 Figure Example of proxy firewall llfor http Also called application gateway