The objectives of this lab experiment are to make you familiar with the commands ifconfig, route, ping, traceroute, and ssh.
The Internet has become ubiquitous. Long before you graduate, you will come across many acronyms and ideas of networking. A goal of this article is to provide working knowledge of the Internet perhaps a year or two before you take a course on Computer Networks.
The Internet is comprised of thousands of regional networks scattered throughout the globe. On any given day, a hundred million users in over 50 countries are connected to it. The Web refers to a body of information - an abstract space of knowledge, while the Internet refers to the physical side of the global network, a giant mass of cables and computers.
Nobody owns the Internet. Nobody owns the World-Wide Web. Having access to the Internet usually means that one has access to a TCP/IP based server, typically called an Internet Service Provider (ISP). The WWW uses the Internet to transmit hypermedia documents between computer users internationally.
There are many ways of setting up a LAN. The most common of these technologies is Ethernet for the hardware layer and TCP/IP for the software layer. 10 megabits/sec (Mb/s) Ethernet is obsolete, 100 Mb/s is becoming obsolete, and 1000 Mb/s (Gigabit Ethernet) is current.
Network Interface Cards: Many PCs have a motherboard built-in NIC. Each NIC is identified by a unique 6-byte number called its Ethernet address that is stored, at manufacture time, in a ROM on the card. This number is also called a MAC (media access control) address.

The RJ45 Twisted Pair Cable, whose connector is shown at right, is made from insulated strands of wire twisted together inside a sheath that may or may not be shielded. Unshielded Twisted Pair (UTP) is the most commonly used cable for small LANs. It is often referred to as 100BaseT because the most popular size of this cable can carry 100 Mb/s. It comes in different categories that carry between 4 Mb/s and 100 Mb/s of data to about 300 feet before the signal strength suffers.
If you are connecting only two computers, you do not need any hubs. You use one RJ45 crossover cable that has two of its signal pairs transposed between the connectors, as described below.
Crossover cable connections:
| Pin Name | End1 Pin | End2 Pin | Pin Name |
|---|---|---|---|
| TX+ | 1 | 3 | RX+ |
| TX- | 2 | 6 | RX- |
| RX+ | 3 | 1 | TX+ |
| RX- | 6 | 2 | TX- |
(You may also connect 4-4, 5-5, 7-7, 8-8.) This cable can be used to cascade hubs, or for connecting two Ethernet stations back-to-back without a hub. It works with both 10Base-T and 100Base-TX.
Hubs and Switches: To connect more than two computers, you need network hubs or switches. Hubs typically connect from 4 to 24 devices and can be "stacked" or "cascaded" together for more capacity. An arriving packet is sent out to all the connections. A switch is a small computer with several network interfaces. A switch analyzes an arriving packet and sends it only to the destination NIC, not to all the connections made on the switch. A switch segments networks into smaller connected subnets. Networks can easily overload; switching them into separate subnets can enhance performance.
A packet is the unit of data that is routed between an origin and a destination on the network. When any file (e-mail message, HTML file, GIF file, URL request, and so forth) is sent from one machine to another on the net, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the net. When they have all arrived, they are reassembled into the original file (by the TCP software layer at the receiving end).
Ethernet is just a "party" line. When packets are sent out on the Ethernet, every host on the Ethernet sees them. To make sure the packets get to the right place, the Ethernet designers wanted to make sure that each address is different. For this reason 48 bits are allocated for the Ethernet address, which is built into the Ethernet controller. Ethernet packets have a 14-octet header; this includes the "to" and "from" MAC addresses.
Routers, Gateways: A router is a computer that determines the next network point to which a packet should be sent so that it progresses toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks it is connected to. A gateway is a computer that lies at the intersection of two networks, and routes traffic correctly between them, while keeping traffic internal to the two networks separated.
Modem stands for MOdulator/DEModulator. A modem converts (modulates) digital signals generated by the computer into analog signals which can be transmitted over a telephone line and transforms (demodulates) incoming analog signals into their digital equivalents. Most modems can send and receive data at 57.6 kbps (kilo bits per second) and faxes at 14.4 kbps. ISDN (Integrated Services Digital Network) and DSL modems use digital telephone lines to achieve much higher transmission speeds.
A computer system (often called a "host") communicates with another system by sending messages. The communication of messages is actually between a process running on one system and one running on the other system. Many of these processes are standard components of an operating system (OS); others are invoked when necessary as independent programs. The rules of the protocol govern the communications between two or more processes, and their behavior in terms of semantics, timing, and ordering. The protocol also determines the data compression method, how the sender will indicate that it has finished sending, etc. A protocol describes not only the syntax or structure of the message, i.e., of the various fields of a packet, but also the interrelationships of the fields, the type of error checking to be used, and validity conditions.
LAN software consists of implementations of various network protocols. The collection of these protocols is often simply called the TCP/IP suite, naming the two dominant protocols TCP and IP. Many protocol acronyms end with a P standing for protocol, and, similar to saying "AC current", we often say "the IP protocol." These layers of software are now an integral part of an operating system, and of various clients and servers.
The Internet is a packet-switched network; messages are split up into packets, which are logically viewed as sequences of fields. A field is a grouping of certain consecutive bytes or bits from the packet. Depending on the protocol, a packet is re-termed as a frame, a packet, or a segment.
TCP/IP is a general term relating to the whole family of Internet protocols. The protocols in this family are IP, TCP, UDP, ICMP, ARP. TCP (Transmission Control Protocol) uses a set of rules to exchange messages with other Internet points at the information packet level. IP (Internet Protocol) uses a set of rules to send and receive messages at the Internet address level. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.
There is an ISO defined stack of seven layers, but the practical world of Windows and Unix OSs uses a 4-level DoD model: (i) the Ethernet NIC device driver layer, (ii) the IP layer, (iii) the TCP + UDP + ICMP layers, and (iv) the application layer.
Each packet travels independently. Even when S wishes to send several packets to D, each packet is delivered independently of the previous ones. The route that each packet takes may change over time. Thus, IP is connectionless. The IP layer is designed deliberately not to concern itself with guaranteed delivery (e.g., packets may be lost or duplicated), but instead it is a "best effort" system. ICMP, described later, aids in this effort.
The Internet has a rigid and world-wide enforced addressing scheme that every computer on the network understands. Each NIC is rigidly identified by a MAC address and an IP address. Each NIC is identified by a unique 6-byte number called its Ethernet or MAC address that is stored, at manufacture time, in a ROM on the card. An IP address is a 4-byte number that uniquely identifies a specific computer connected to the Internet. The four bytes are written as four numbers, separated by periods, as in 130.108.1.20. In this form each byte is converted to a decimal number (0-255), dropping any leading zeros unless the number is zero, and the bytes are separated by a '.' character.
The public IP addresses are carefully controlled worldwide. The IANA, Internet Assigned Numbers Authority (http://www.iana.org), assigns the so-called public IP addresses to organizations and individuals upon application. For example, all computers at WSU have IP addresses of the form 130.108.*.* and 130.108.1.20 is the address of a specific server at WSU. When you connect to an ISP, your computer has an IP address (the same one all the time or a different address each time you connect).
Isolated LANs, such as the one that we will use in this course, or one that you can set up at home, should have IP addresses in the group 192.168.*.*. There are three blocks of the IP address space intended for private internets: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
On the Internet at large, only IP packets whose source and destination addresses are assigned public addresses may appear; packets carrying private addresses must not be routed there.
All addresses within a network have the same prefix. The portion of the address that is common amongst all addresses within the network is called the 'network portion' of the address. The remaining digits are called the 'host portion'. The number of bits that are shared by all addresses within a network is called the netmask. For example, consider the following:
| Item | Value |
|---|---|
| Host Address | 192.168.110.23 |
| Network Mask | 255.255.255.0 |
| Network Portion | 192.168.110. |
| Host Portion | .23 |
| Network Address | 192.168.110.0 |
| Broadcast Address | 192.168.110.255 |
The broadcast address is a special address that every host on the network listens to in addition to its own unique address. If every host on the network is meant to receive a packet, you send the packet to the broadcast address.
Each network device needs to be assigned an IP address. The choice of the IP address may be done statically or dynamically via DHCP. The command spelled ifconfig (called ipconfig in Windows) assigns the IP address and sets other parameters. The relevant files in this context are /etc/iftab, /etc/network/interfaces, and /etc/init.d/network*.
Internet domain names are the next level of Internet addressing, just as the street name is followed by the city and state. IP addresses are hard to remember, so we use names. All hosts registered on the Internet must have names that reflect the domains under which they are registered. Such names are called Fully Qualified Domain Names (FQDNs). The domain name identifies all the computers in a group. Domain names create a single identity for a set of locally connected computers used by a company or an institution. So while there may be 38 servers at a given organization, each with its own IP address, they all share a common domain name, such as wright.edu. In a name such as gamma.cs.wright.edu the "edu" shows that this host is sponsored by an education related organization. The top-level domain is wright.edu, the second level domain is cs.wright.edu, and gamma is the name of the host machine.
Routers are specialized computer systems whose primary function (often their sole function) is to route network traffic. The typical network host has only one NIC. Routers have multiple NICs, each on a separate network. A router examines the destination IP address of a packet, consults its routing tables, and sends the packet on the network connected to the final destination or the next router. Routers are network layer (OSI layer 3) devices.
Network hosts (including routers) have routing tables that record information regarding where to deliver a packet next so that definite progress is made in moving the packet closer to its final destination. It can be visualized as a table of just two columns: To send the packet to a destination given in column 1, send the packet to the next hop whose IP address is given in column 2.
An OS maintains an internal table, known as the routing table, that describes where the network packets that are in the OS buffers should be sent in the next hop. The route command manipulates this table. A simple host (i.e., non-router) in our lab, while in "normal" use for all classes (which ignores the second network card even though it is physically plugged in), has the following:
```
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.17.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.17.111  0.0.0.0         UG    0      0        0 eth0
```
The table is used as follows. Suppose the destination address as found in an IP packet is DA. DA is bitwise-ANDed with the Genmask value of a row r. If the result (DA & Genmask[r]) equals Destination[r], the packet is sent out via the device named in Iface[r], to the Gateway[r] if one is given. The rows are tried in order from the first to the last. The last row typically has a Genmask of 0.0.0.0 and a Destination of 0.0.0.0; this is then known as the default route.
You can tell that this host has an IP address on the 192.168.17.0 network, and its router is 192.168.17.111.
The router for our lab is quite simple:
```
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.108.17.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.17.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         130.108.17.1    0.0.0.0         UG    0      0        0 eth1
```
You can tell that the lab's router sends all packets whose destination is neither 130.108.17.* nor 192.168.17.* to 130.108.17.1.
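As an added example (not part of the original lab text), the following Python script parses the two route -n tables shown above, embedded as constructed sample input, and applies the lookup rule from the text, (DA & Genmask[r]) == Destination[r] with rows tried in order; it also carries out the network/broadcast arithmetic from the netmask table earlier on the page.

```python
import ipaddress

# Constructed sample input: the two `route -n` tables quoted in the text.
HOST_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.17.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.17.111  0.0.0.0         UG    0      0        0 eth0
"""

ROUTER_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.108.17.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.17.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         130.108.17.1    0.0.0.0         UG    0      0        0 eth1
"""


def ip_to_int(dotted):
    """Dotted-quad string -> 32-bit integer, so a mask can be applied with &."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def parse_route_table(text):
    """Turn `route -n` output into a list of row dicts, skipping the two header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gateway, genmask, flags, _metric, _ref, _use, iface = parts
        rows.append({"dest": dest, "gateway": gateway, "genmask": genmask,
                     "flags": flags, "iface": iface})
    return rows


def lookup(table, da):
    """Return (iface, next_hop, is_default) for destination address da, or None.

    Rule from the text: try rows in order and take the first r with
    (DA & Genmask[r]) == Destination[r].  A gateway of 0.0.0.0 means the
    destination is on a directly attached network, so the next hop is DA itself.
    (The Linux kernel actually chooses the longest matching prefix rather than
    the first row; for these tables the two agree because the default route,
    mask 0.0.0.0, is last.)
    """
    da_int = ip_to_int(da)
    for r in table:
        if (da_int & ip_to_int(r["genmask"])) == ip_to_int(r["dest"]):
            next_hop = da if r["gateway"] == "0.0.0.0" else r["gateway"]
            return r["iface"], next_hop, r["genmask"] == "0.0.0.0"
    return None  # no matching row and no default route: undeliverable


def network_and_broadcast(host, mask):
    """Network address = host & mask; broadcast = network | ~mask."""
    h, m = ip_to_int(host), ip_to_int(mask)
    network = h & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return int_to_ip(network), int_to_ip(broadcast)


if __name__ == "__main__":
    host_rt = parse_route_table(HOST_TABLE)
    router_rt = parse_route_table(ROUTER_TABLE)
    for da in ("192.168.17.5", "130.108.17.9", "18.181.0.31"):
        print("host  :", da, "->", lookup(host_rt, da))
        print("router:", da, "->", lookup(router_rt, da))
    print(network_and_broadcast("192.168.110.23", "255.255.255.0"))
```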
The routing table of an ordinary host is tiny and rarely changes from boot-up to shut down. The tables of routers on the Internet, however, are large (tens of thousands of rows) and must be dynamically adjustable to changing Internet conditions, perhaps by the millisecond. Routing protocols keep the routing tables up-to-date. The structure and content of the routing tables depend on the protocol.
Internet Control Message Protocol is a required protocol that manages and controls the IP layer. In general, much of the best effort in delivering IP packets is associated with ICMP. The purpose of the ICMP messages is to provide feedback and suggestions about problems. The popular network utilities ping and traceroute use ICMP. ICMP is in the network layer. But, an ICMP message is encapsulated as an IP packet. These are treated like any other IP packets.
UDP is a connectionless protocol belonging to the transport layer (OSI layer 4). It is a thin protocol on top of IP, providing high speed but low functionality. UDP does not guarantee the delivery of packets. Messages can be delivered out of order, delayed, or even lost. Packets may get duplicated without being detected. The UDP protocol is used mostly by application services where squeezing the best performance out of an existing IP network is necessary, such as Trivial File Transfer (TFTP), NFS, and DNS.
TCP is a complex protocol providing lower speed than UDP but high functionality. It is the most dominant protocol of the TCP/IP suite. TCP guarantees the correct (both in content and in order) delivery of the data. TCP sends its message content over the IP layer and can detect and recover from errors. TCP, however, does not guarantee any speed of delivery, even though it offers congestion control.
Network computing is mostly based on the idea of clients and servers. Occasionally, a so-called client may become a server for a brief transient period, and vice-versa, but generally speaking servers are programs listening for requests from clients, and work on the requests after some authentication.
In a peer-to-peer network, a group of PCs are hooked together, with each PC, having equal status in the network. All the PCs can share files, send each other messages, and share a printer or two. You can setup one of the computers as a server. The other PCs are then known as client computers. The server stores the applications, files, and e-mail messages. This server delivers applications such as database, word processors, as well as data and e-mail. It also acts as the center for sharing printers, doing backup, etc.
Computers running Linux are typically configured as servers even when they are otherwise puny machines.
NFS permits multiple systems to share a file system. An NFS server "exports" a file system to certain client machines with certain permissions regarding read / write as described in the file /etc/exports.
The Network Information System (NIS) allows the sharing of a single password system by a large number of users who may wish to login on any one of a number of systems.
A proxy server (or simply, a proxy) P is a go-between for a client C that wishes to obtain the services of a server S. To the client C, P appears as a server. P receives requests from C. It can apply various rules in deciding whether or not it should get that request honored, and/or log such requests. P then conveys that request to S as though the request originated from P. To the server S, P appears as a client. The server S is wholly unaware that the request originated from C.
Network clients are used by all kinds of users. Learn the details of the following commands from our text book, from man pages, and by searching for them on the web. A few of the clients are further elaborated below.
| Linux | Windows | Brief description |
|---|---|---|
| ping | ping | Pings a host; typically, but not always, the pinged host replies |
| traceroute | tracert | Trace the route to a host |
| nslookup | nslookup | Determine the IP address of a hostname; also the reverse; and more |
| host | | Determine the IP address of a hostname; also the reverse |
| netstat | netstat | Displays current network connections |
| ssh | | Secure login into a remote machine; non-standard on Windows |
| sftp | | Secure ftp to/from a remote machine; non-standard on Windows |
| scp | scp | Secure copy to/from a remote machine; non-standard on Windows |
| telnet | | telnet is the name of a client program and a protocol for accessing remote computers |
| ftp | ftp | FTP is the name of a client program and a protocol for transferring files |
| | net | Network config viewer and setup shell in Windows |
Ping sends a packet, using a protocol named ICMP, to the target machine you named, and waits for a response. Ping can also be used to see how long it takes to get a response back. Here is an example captured some years ago. [ Exercise: Try it again. Why does the new result differ from the old? ]
```
paladin% ping www.mit.edu
PING DANDELION-PATCH.MIT.EDU: 56 data bytes
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=0. time=118. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=1. time=54. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=2. time=46. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=3. time=118. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=4. time=84. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=5. time=80. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=6. time=280. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=7. time=57. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=8. time=95. ms
64 bytes from DANDELION-PATCH.MIT.EDU (18.181.0.31): icmp_seq=9. time=63. ms
^C
----DANDELION-PATCH.MIT.EDU PING Statistics----
10 packets transmitted, 10 packets received, 0% packet loss
round-trip (ms) min/avg/max = 46/99/280
```
Traceroute (or tracert) traces the path (route) through the net between the machine where you ran this command and the destination address given as its argument. Each line it outputs is a hop. It displays the time each hop took in this particular trace. Here is an example that traces the route taken from unixapps1 to Yahoo.com a few years ago. [ Exercise: Try it again. Why does the new result differ from the old? ]
```
unixapps1% traceroute www.yahoo.com
traceroute to www.yahoo.com (204.71.200.67), 30 hops max, 40 byte packets
 1  130.108.128.4 (130.108.128.4)  1.755 ms  0.831 ms  0.859 ms
 2  server-fw (130.108.128.65)  0.799 ms  0.862 ms  0.702 ms
 3  130.108.1.2 (130.108.1.2)  2.458 ms  3.233 ms  2.265 ms
 4  dlp2-sl3-2.dayton.oar.net (199.18.109.125)  133.789 ms  190.015 ms  223.619 ms
 5  tlp3-atm1-0.toledo.oar.net (199.18.202.53)  34.568 ms  10.086 ms  85.328 ms
 6  atm9-0-0-153.br1.CHI1.globalcenter.net (204.246.198.73)  62.788 ms  43.312 ms  42.406 ms
 7  pos4-1-155M.cr1.CHI1.globalcenter.net (206.132.118.85)  43.675 ms  43.714 ms  83.308 ms
 8  www2.yahoo.com (204.71.200.67)  82.251 ms  88.184 ms  83.306 ms
```
To allow anyone from a host H to remote login into host A, you add H to the /etc/hosts.equiv file on the machine A. This needs super user privileges. A user can permit himself to rlogin to A from H without a password as follows. For example, to allow pmateti, who is currently logged on gamma.cs.wright.edu, to rlogin without having to supply a password on machine A, pmateti would add one line of text "gamma.cs.wright.edu pmateti" to his ~/.rhosts file on the machine A. Note that the .rhosts feature is needed only between machines that do not share file systems via NFS.
Because of the mnemonic value, humans prefer to work with host names such as gamma.cs.wright.edu, rather than its IP address 130.108.2.22, where gamma is the name of the host, and cs.wright.edu is the name of the domain the host is in. The primary function of DNS is to map such a name into its IP address. The DNS name space is a tree hierarchy. The top-most subtrees are the top level domains such as .com, .edu, .net, and .org, and the country code domains such as .us and .in. Subtrees of these are known as sub-domains. The leaves are the individual hosts. A fully qualified domain name is the sequence of labels, separated by a dot, on the path from a node to the root of the tree.
The domain name space is maintained as a database distributed over several domain name servers. A server can delegate the maintenance of any sub-domain to another server. A delegated sub-domain in the DNS is called a zone. The parent server keeps track of such delegations. Each name server has authoritative information about one or more zones. It may also have cached, but non-authoritative, data about other parts of the database. A name server marks its responses to queries as authoritative or not. A server whose zone is the entire tree is known as a root server. These are located in the United States and other countries; visit http://www.root-servers.org.
The domain name service is expected to run on selected server machines at port 53. These selected server machines are called the "name servers" which are authoritative for the names of a particular domain. All other machines describe how they resolve names in a file; on Linux, it is /etc/resolv.conf. Typically, a client machine has a table of host names and their IP addresses in a file called hosts. If a host name is not found in this file, the client machine requests the name servers listed in resolv.conf.
For every domain, such as wright.edu, there is only one primary name server and any number of secondary name servers. The primary name server is the most authoritative name server for that domain. The secondary name servers get their information about a domain from the primary name server. The DNS stores such information as name-to-IP-address mappings, name servers for subdomains, mail exchangers for hosts and domains, gateway pointers and host information.
A typical host will invoke a DHCP client program soon after booting into the OS to configure its network. A DHCP server delivers host-specific configuration parameters, such as an IP address, a subnet mask, a list of default routers, TTL, and MTU. An OS utility then associates the IP address with a host name. DHCP assumes that the IP layer software will pass the packets delivered to the NIC of the host even though it has not been assigned an IP address yet. A DHCP client broadcasts (i.e., the IP destination address is 255.255.255.255) a request in a UDP packet containing its own MAC address. A DHCP server process listens to such requests, and IP-broadcasts or hardware-unicasts a reply that contains the configuration parameters.
Transport Layer Security provides privacy and data integrity. Privacy refers to a third party being unable to get unencrypted versions of messages between two parties. Integrity refers to the receiver being able to rely that the messages have not been tampered with in transit. TLS was referred to as secure socket layer (SSL) before becoming a standard. TLS is implemented as a layer above the TCP. Higher level protocols can layer on top of the TLS transparently. Programs that used TCP can be readily re-written to use TLS instead. HTTPS and modern implementations of such protocols as FTP, Telnet, POP3S and SMTP are based on TLS. The TLS standard, however, does not specify how other protocols add security with TLS; the decisions on how to initiate TLS handshaking and how to interpret the authentication certificates exchanged are left up to the judgment of the designers and implementers of protocols which run on top of TLS.
TLS is composed of Record and Handshake protocols. The Record Protocol provides connections that are private by encrypting data using symmetric cryptography. The encryption keys are generated for each connection based on a secret negotiated by TLS Handshake Protocol. The connection is tamper-proof. Messages are integrity checked using a keyed message authentication code based on secure hash functions such as SHA, and MD5. The TLS Handshake Protocol provides (i) authentication of the peer's identity using public key cryptography, such as RSA, and DSS, (ii) secure negotiation of a shared secret even if an attacker is present in the middle of the connection, and (iii) reliable negotiation messages that no attacker can modify without being detected by the parties to the communication.
Electronic mail existed before the Internet but has become as common as the telephone due to it. Email client programs such as MS Outlook or Mozilla Thunderbird are made up of two components: a user agent (UA) and a mail transfer agent (MTA). A UA program accepts, from a user, mail memos to be sent. The mail is delivered to a server by an MTA program using SMTP. Mail is received using the protocols POP or IMAP.
Mail Message Format: An email consists of a message body, headers, and an envelope that includes the FROM and TO headers. An optional header line is REPLY-TO. The message body consists of text and attachments. The mail headers adhere to the standard format of Internet messages (RFC 2822). The headers are plain text lines, each line made up of a keyword, a colon, and a value. Certain keywords must appear among the headers. E.g., a TO address header is required. This specifies the email address of the recipient in the form of mbx@dnm, where mbx is the name of a mail box on the destination machine, and dnm is the domain name of the destination.
Simple Mail Transfer Protocol defines the commands and replies among mail transfer agent (MTA) clients and servers. An MTA client transfers the mail spooled on the local machine across the Internet to an MTA server. The transfer can occur in a single connection between the original mail-sender and the final mail-recipient, or may go through intermediary systems known as MTA relays. SMTP is specified to require only a reliable ordered data stream channel. Modern email clients use SSL/TLS as the transport.
Post Office Protocol (POP) is used to send/receive email from a server. POP2 requires SMTP to send messages. POP3 can be used with or without SMTP. The POP protocol downloads entire message bodies, and can optionally keep the messages on the server. A user reading email from multiple machines may not have a consistent view of his messages.
Internet Message Access Protocol (IMAP) is a protocol for accessing email while it is still located on the server. IMAP4 supports encrypted login mechanisms and SSL for the transport. A user reading email from multiple machines does have a consistent view of his messages.
Multipurpose Internet Mail Extensions (MIME) defines the format of messages to allow for: (i) Textual message bodies in character sets other than US-ASCII, (ii) An extensible set of different formats for non-textual message bodies, (iii) Multi-part message bodies, and (iv) Textual header information in character sets other than US-ASCII.
HTTP is at the core of the World Wide Web. The Web browser on a user's machine and the Web server on a machine somewhere on the Internet communicate via HTTP using TCP usually at port 80. HTTPS is a secure version of HTTP. A Web browser displays a file of marked-up text with embedded commands following the syntactic requirements of the Hypertext Markup Language (HTML).
Most of the clickable links displayed by a Web browser are the so-called links that associate a URL (universal resource locators) with a visible piece of text or graphic. URLs have the following syntax:
scheme://[userName[:password]@]serverMachineName[:port]/[path][/resource][?parm1=parma&parm2=parmb]
A simple example of the above is http://www.cs.wright.edu/~pmateti/InternetSecurity where the scheme was chosen to be http, the port defaults to 80, and the path given is ~pmateti/InternetSecurity. A click on such a link generates a request message from the browser process running on the local machine to the Web server process running on the remote machine named www.cs.wright.edu, obtained from the link clicked.
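As an added example (not code from the original lab page), here is a Python parser for the URL syntax given above; the regular expression and the table of default ports are my own construction, and the sample URLs include the page's example plus a constructed one carrying a userName:password part, which the parser flags because credentials embedded in URLs end up in logs, proxy records and browser history.

```python
import re

# The grammar quoted in the text, as a regular expression with named groups:
#   scheme://[userName[:password]@]serverMachineName[:port]/[path][?parm1=parma&parm2=parmb]
URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^:@/?#]+)(?::(?P<password>[^@/?#]*))?@)?"
    r"(?P<host>[^:/?#]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^?#]*)?"
    r"(?:\?(?P<query>[^#]*))?"
    r"(?:#.*)?$"
)

# Ports assumed when the URL names none (the text states only the http default of 80).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_url(url):
    """Split a URL into its components following the page's grammar."""
    m = URL_RE.match(url)
    if m is None:
        raise ValueError("not a URL of the form scheme://host...: %r" % url)
    g = m.groupdict()
    scheme = g["scheme"].lower()
    port = int(g["port"]) if g["port"] else DEFAULT_PORTS.get(scheme)
    # "parm1=parma&parm2=parmb" -> dict; a key without '=' gets an empty value.
    params = {}
    if g["query"]:
        for pair in g["query"].split("&"):
            if pair:
                key, _, value = pair.partition("=")
                params[key] = value
    return {
        "scheme": scheme,
        "user": g["user"],
        "password": g["password"],
        "host": g["host"].lower(),
        "port": port,
        "path": g["path"][1:] if g["path"] else "",  # path without the leading '/'
        "params": params,
        # Embedded credentials travel in the clear in request logs and history: flag them.
        "has_credentials": g["user"] is not None,
    }


if __name__ == "__main__":
    # The page's example, and a constructed URL with credentials, port and parameters.
    for u in ("http://www.cs.wright.edu/~pmateti/InternetSecurity",
              "https://alice:s3cret@Example.edu:8443/docs/index.html?q=ssh&page=2"):
        print(parse_url(u))
```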
HTTP is stateless in that the HTTP server does not act differently to a specific request based on previous requests. Occasionally, a Web service wishes to maintain a minor amount of historical record of previous requests. Cookies create a stateful session with HTTP requests and responses. The response from a server can contain a header line such as "Set-cookie: value." The browser then creates a cookie stored on the browser's storage. In subsequent requests sent to the same server, the browser includes the header line "Cookie: value." Depending on the browser, cookies are stored in a database or as small files of text. The value of a cookie is not interpreted by the browser in any way. Cookie values often store user-specific information, such as a saved shopping cart, previous pages visited, user-name and password, and previous advertisements shown.
All modern OSs contain the Ethernet and other physical layer drivers, ICMP, IP, UDP and TCP implementations. These components are part of the OS. Additionally, during booting they would start several network specific service processes for DNS, SSH, etc. by invoking programs external to the OS. Both Linux and Windows now include simple built-in firewalls. HTTP, Mail protocols, etc. are also separate programs. These are considered applications.
We recommend that ssh be used in place of telnet, rlogin, rsh, rcp, etc. Normal IP traffic has the following weaknesses that can be exploited to compromise security: (a) weak authentication, based on IP addresses that can be spoofed or on reusable passwords that can be sniffed; (b) no privacy: packets can be sniffed; (c) no integrity protection: connections can be hijacked. Secure Shell (SSH) was designed to address these problems by providing a stronger authentication mechanism to identify both hosts and users and to enable secure connections between machines for executing commands and remote shells between them.
SSH (Secure Shell) is the name of a protocol and a collection of associated programs for secure remote login to execute commands on a remote machine, to securely move files from one machine to another, and other secure network services over an insecure network such as the Internet. There are three primary advantages in using ssh.
The main disadvantages are the following.
There are several open source and several commercial implementations of ssh. Some well known free versions are PuTTY, Tera Term Pro (ttermpro), OpenSSH and WinSCP. Search the web for download sites.
The SSH suite of programs includes the following. All but sshd run on the local machine. (Note that the actual programs are named using lower case letters.)
In this article, we focus on the ssh client program. Specific port numbers, etc. that we mention below are the defaults.
The ssh program is invoked by the user. It establishes a TCP connection to port 22 on the server machine. This program/process is often called the ssh client.
The service process sshd on the remote machine will be listening on port 22. This process is often called the ssh server. The user does not explicitly start this process; it is started either when the remote machine boots or on demand.
Even though its name includes the word "shell", ssh does not include the functionality of shells such as bash, csh, or ksh. Once login is completed, the user is interacting with the usual shell on the remote machine, but with all key strokes and all output from the shell travelling through the ssh encryption tunnel.
SSH involves the following.
The public and private host keys for the remote machine are generated when the OS (or the ssh server package) is installed on it as a new machine. (The simplest of the ssh usages does not require items 1 and 2.) Upon connection, sshd presents the public host key of the server machine.
The client checks that this key matches the key it has in its own database (~/.ssh/known_hosts) for that server machine. If not, it alerts the user and asks whether the user wishes to continue anyway, with or without replacing the conflicting host key it has. A changed host key means either that the server was legitimately reinstalled or re-keyed, or that another machine is impersonating it; continuing without confirming the new fingerprint out of band throws away the host authentication that SSH provides.
If this is the first connection being made to the server from this local host, there are two possibilities:
The two machines (local and remote) now negotiate a so-called session key. All traffic between the two from this moment on is encrypted with the session key. Note that the session key lasts only for one session, whereas the host's public/private key pair is long-lived.
An ssh client can choose the encryption algorithm from among several it supports. At the time of writing these were Triple-DES (3DES), "blowfish", "idea", etc.; current OpenSSH releases negotiate AES or ChaCha20-Poly1305 and no longer enable those older ciphers by default.
After establishing the encrypted tunnel, the ssh client asks for the user's password (the user id was supplied on the command line, or defaults to the local user name). So, even if someone eavesdrops on this, the captured user id and password will be in a form encrypted by the session key, and it is considered "computationally infeasible" to decipher them into clear text.
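The host-key check in the steps above (the known_hosts lookup, the alert on a changed key, and the first-connection case), as an added example that is not part of the original page. The known_hosts lines, key blobs and hashed entry are constructed for the example; the lab host names appear only as labels.

```python
"""Host-key verification against ~/.ssh/known_hosts, the step the ssh client
performs before it asks for a password. Added example, not the page's code:
the known_hosts text and the key blobs are constructed, and the lab host
names appear only as labels."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_blob(keytype, raw):
    """Base64 wire-format public key: string keytype, string key bytes."""
    return base64.b64encode(ssh_string(keytype.encode()) + ssh_string(raw)).decode()


def fingerprint(blob_b64):
    """The SHA256 fingerprint OpenSSH prints when asking you to accept a key."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host, salt):
    """Entry form written by HashKnownHosts: |1|base64(salt)|base64(HMAC-SHA1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern, host):
    """Plain names, comma-separated lists, and hashed entries."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|")
        return hmac.compare_digest(hashed_host(host, base64.b64decode(salt_b64)), pattern)
    return host in pattern.split(",")


def check_host_key(known_hosts_text, host, keytype, blob_b64):
    """'match'; 'revoked'; 'mismatch' (the case that must alert the user: the
    host was re-keyed or someone is in the middle); or 'unknown' (first
    connection: the fingerprint has to be confirmed out of band)."""
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3 or fields[1] != keytype or not host_matches(fields[0], host):
            continue
        if hmac.compare_digest(fields[2], blob_b64):
            return "revoked" if marker == "@revoked" else "match"
        if marker is None:
            seen = True
    return "mismatch" if seen else "unknown"


# Constructed sample data: three key blobs and a three-line known_hosts file.
MINSKY_KEY = make_blob("ssh-ed25519", bytes(range(32)))
GAMMA_KEY = make_blob("ssh-ed25519", bytes(32))
IMPOSTOR_KEY = make_blob("ssh-ed25519", bytes(range(32, 64)))
SALT = hashlib.sha1(b"example salt").digest()
KNOWN_HOSTS = "\n".join([
    "minsky.osis.cs.wright.edu,minsky ssh-ed25519 " + MINSKY_KEY + " lab host",
    hashed_host("gamma.osis.cs.wright.edu", SALT) + " ssh-ed25519 " + GAMMA_KEY,
    "@revoked old.osis.cs.wright.edu ssh-ed25519 " + IMPOSTOR_KEY,
])
```

The "mismatch" result is the one the client turns into the warning described above; "unknown" is the first-connection prompt, where the only real protection is comparing the printed fingerprint with one obtained from the machine's administrator.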
Here is an example login. The user pmateti is currently logged in on a machine named milner.osis.cs.wright.edu, with prompt string PS1 set to '\h:\w% '. He wishes to login into the machine named Minsky.
milner:~ % ssh minsky.osis.cs.wright.edu -l pmateti
login as: pmateti
pmateti@minsky's password:
minsky:~ %
If the user's name on Minsky is the same as on Milner (pmateti here), there is no need to specify the -l pmateti in the invocation of ssh. It so happens that the prompt string on Minsky is also set to '\h:\w% '.
There are two versions of the SSH protocol, SSH1 (old) and SSH2 (current). SSH1 has known cryptographic weaknesses and current OpenSSH releases no longer support it, so everything below assumes SSH2. Depending on the version and a few other issues, the above may look slightly different. Instead of the -l option, it is also possible to use the command line: milner:~ % ssh pmateti@minsky.osis.cs.wright.edu.
The program named ssh that you invoked is the ssh client running on the local machine. It is the client which collects the user's password and delivers it securely to the remote machine. But even before it attempted to collect the password, the ssh client verified the authenticity of the remote host, minsky.osis.cs.wright.edu. This is further explained in SSH internals below.
If you wish to avoid typing your password every time a remote login or file transfer is attempted, you must generate a public + private key pair for yourself using either DSA or RSA. In this example, we use DSA. (Today, prefer ssh-keygen -t ed25519, or RSA with at least 2048 bits: OpenSSH 7.0 and later refuse ssh-dss keys by default, so the DSA key shown here would no longer be accepted by a current sshd.)
% ssh-keygen -t dsa -b 1024
This generates a public + private DSA key pair. It will ask where to store the keys. Accept the supplied default pathnames. Just type Return so that you are not using a "passphrase". (Be aware that a key without a passphrase is protected only by the file permissions on id_dsa: anyone who can read the file can log in as you. If you do set a passphrase, ssh-agent lets you type it once per login session rather than on every connection.) The dialog with ssh-keygen will look like this:
Enter file in which to save the key (~/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_dsa.
Your public key has been saved in id_dsa.pub.
The key fingerprint is:
ad:a3:7f:39:28:22:f8:42:7f:ac:10:83:c7:61:01:ba pmateti@milner
Append the newly generated public key (id_dsa.pub) to the other authorized keys you may have collected so far.
Append the contents of id_dsa.pub to the file ~/.ssh/authorized_keys (the _ is an underscore, not a hyphen) in your home directory on Minsky (unless Milner and Minsky share home directories, as in our OSIS Lab). All the machines in this lab have a shared /home directory served from osisServer.osis.cs.wright.edu.
Now you (except root) should be able to log in to Minsky without typing the password.
milner:~ % ssh minsky.osis.cs.wright.edu
minsky:~ %
The ~/.ssh directory on Milner now contains:
-rw-r--r-- 1 pmateti pmateti 605 Jan 13 20:08 authorized_keys
-rw------- 1 pmateti pmateti 668 Jan 13 20:07 id_dsa
-rw-r--r-- 1 pmateti pmateti 605 Jan 13 20:07 id_dsa.pub
-rw-r--r-- 1 pmateti pmateti 3236 Jan 10 21:30 known_hosts
My private key (id_dsa) is shown below; normally, you must never reveal the private key to anyone. Note the rw------- permissions on this file above.
-----BEGIN DSA PRIVATE KEY-----
MIIDPwIBAAKCAQEAyrQ7RLxzOyw103CnzpcDlQQHiZZ2IduSNid3YXdqoOb+hSdS
BnVRAzDYTNDM2AWpxHuODpltc+C/43YKOMixkyCr/K7wYL8tiqF8UatoW0L7l8xS
xNwUprxLPD9vDcrjIZcj+KBGsa5OGpfRBuv25nqSxSDwkj3ueeXLB6NKegOzoYf1
CtyyQgDh7mNS2oli9iLX10vhFer1+BgLlaFF+H+Aw/6Vkf2u+Sw1B6XwekNeISBx
JKoJAcFsYTdI+s9APm/XY1XcyIGIrApAM3XMbjTxYVi5rR1ZJFfjIC8RnAZ0qqCl
aa6UCNlrufvibjiehjaHxnQVpiTUsSD63ghVBwIVAJVPI22DCqUcLtBJaxxVrfnK
ZvQ7AoIBAQCFjDB6k2gzmusDaplJLgZm7Fk7IiQNMnX1IKEohwlxjjyocuFV+BJ1
tJRGFRsomhxq9ag31N6+F2ifB+aQQiUU39+BH7XZbcXqU+iDS3PIPwuLjgxF3+vd
rrMnBlfTIHsiheDzdRLUdwFcA+JrWir0qyCEH/Re79SISl3tMJ+L3bt8r7i8FoeJ
nCRtsF0C1lSbSDf+SPxxxucd3ZrMU8wYE5JXuC3yPSsZgKwPio8F+rEB9cohS3gk
bg8NPCs/16IPFULKP4gE1rd3+c8eYk83lrbjWNAheTg3Na2eYdhGVMXssOqThTTb
JcxxP2bVP0JYU6P2BgPxC9f9Wf9d9TnPAoIBAB2qNpd4BYGYlTUVLMSddcs0KlNU
i2MG8F1at2j1y9vT2We5WdNbl34vGI0ARia3MZLP+xSCzaq0wzS7S0l96DoCJ/9z
Hg9gbEs3O2fDTOYAPFY7C7B8lG05RnJO5KllnkiSDmdd5R5vpQ568UR1QadppgOH
dpvdXDevw1+FJ0LbEqMx0Sp3Ylxbys1HWKInPUd8XxwTOudkA3YnxljObUrEjFrx
jPsWCCGeaKGfhR+PJ1Vk2kncFhz5KyatFL2jkVi/j+Q1OB97Pb7MB/p+fRyOBQ3t
GLmxSbZYGSRw2T3QOEVvIOlzgZPdA7RdJoIivWCT9b5kEva5ApCLoeaiVpQCFQCU
3LTLbRG2Seg7GTG3mUovBXW7Rw==
-----END DSA PRIVATE KEY-----
My public key (id_dsa.pub) that "matches" the above private key is shown below. This should be published in ~/.ssh/authorized_keys of the remote machine (in our example: Minsky). You should not keep on Minsky the private key that you generated on Milner. The ssh client running on Milner never sends the private key anywhere; it uses it to sign a challenge from the sshd on Minsky, which verifies the signature with the matching public key from authorized_keys, and that signature takes the place of the usual password.
The content of id_dsa.pub file is just one long line, but is shown below with inserted line breaks.
ssh-dss AAAAB3NzaC1kc3MAAAEBAMq0O0S8czssNdNwp86XA5UEB4mWdiHbkjYn
d2F3aqDm/oUnUgZ1UQMw2EzQzNgFqcR7jg6ZbXPgv+N2CjjIsZMgq/yu8GC/LYqh
fFGraFtC+5fMUsTcFKa8Szw/bw3K4yGXI/igRrGuThqX0Qbr9uZ6ksUg8JI97nnl
ywejSnoDs6GH9QrcskIA4e5jUtqJYvYi19dL4RXq9fgYC5WhRfh/gMP+lZH9rvks
NQel8HpDXiEgcSSqCQHBbGE3SPrPQD5v12NV3MiBiKwKQDN1zG408WFYua0dWSRX
4yAvEZwGdKqgpWmulAjZa7n74m44noY2h8Z0FaYk1LEg+t4IVQcAAAAVAJVPI22D
CqUcLtBJaxxVrfnKZvQ7AAABAQCFjDB6k2gzmusDaplJLgZm7Fk7IiQNMnX1IKEo
hwlxjjyocuFV+BJ1tJRGFRsomhxq9ag31N6+F2ifB+aQQiUU39+BH7XZbcXqU+iD
S3PIPwuLjgxF3+vdrrMnBlfTIHsiheDzdRLUdwFcA+JrWir0qyCEH/Re79SISl3t
MJ+L3bt8r7i8FoeJnCRtsF0C1lSbSDf+SPxxxucd3ZrMU8wYE5JXuC3yPSsZgKwP
io8F+rEB9cohS3gkbg8NPCs/16IPFULKP4gE1rd3+c8eYk83lrbjWNAheTg3Na2e
YdhGVMXssOqThTTbJcxxP2bVP0JYU6P2BgPxC9f9Wf9d9TnPAAABAB2qNpd4BYGY
lTUVLMSddcs0KlNUi2MG8F1at2j1y9vT2We5WdNbl34vGI0ARia3MZLP+xSCzaq0
wzS7S0l96DoCJ/9zHg9gbEs3O2fDTOYAPFY7C7B8lG05RnJO5KllnkiSDmdd5R5v
pQ568UR1QadppgOHdpvdXDevw1+FJ0LbEqMx0Sp3Ylxbys1HWKInPUd8XxwTOudk
A3YnxljObUrEjFrxjPsWCCGeaKGfhR+PJ1Vk2kncFhz5KyatFL2jkVi/j+Q1OB97
Pb7MB/p+fRyOBQ3tGLmxSbZYGSRw2T3QOEVvIOlzgZPdA7RdJoIivWCT9b5kEva5
ApCLoeaiVpQ= pmateti@milner
If your private key is exposed (as I did here), run ssh-keygen again. Obviously, you then need to replace the corresponding public key in every authorized_keys file where you installed it.
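An audit of the ~/.ssh directory that results from the procedure above, as an added example (not the page's code). It checks the file modes shown in the listing, whether a private key carries a passphrase (the one generated above does not), and the key types in authorized_keys, flagging ssh-dss, which OpenSSH 7.0 and later refuse by default, and short RSA keys. The directory, the private-key containers and the authorized_keys entries are all constructed in a temporary directory; the RSA moduli are placeholders of the right size, not real keys.

```python
"""Audit of a ~/.ssh directory along the lines of the key-based login set-up
above: file modes, whether each private key has a passphrase, and the type and
size of every key in authorized_keys. Added example, not the page's code; the
directory and all keys are constructed (RSA moduli are placeholders)."""
import base64
import os
import stat
import struct
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def read_string(buf, i):
    """One length-prefixed string at offset i -> (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[i:i + 4])
    return buf[i + 4:i + 4 + n], i + 4 + n

def key_bits(keytype, blob):
    if keytype == "ssh-rsa":                 # blob is (type, e, n); size of n
        _, i = read_string(blob, 0)
        _, i = read_string(blob, i)
        return len(read_string(blob, i)[0].lstrip(b"\x00")) * 8
    return 256 if keytype == "ssh-ed25519" else None

def authorized_keys_report(text):
    """One dict per key line. Options such as from="..." may precede the key
    type (options containing spaces are not handled here)."""
    report = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((k for k, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or len(fields) < idx + 2:
            continue                                   # not a key line
        keytype = fields[idx]
        bits = key_bits(keytype, base64.b64decode(fields[idx + 1]))
        problems = []
        if keytype == "ssh-dss":
            problems.append("ssh-dss is refused by default since OpenSSH 7.0")
        if keytype == "ssh-rsa" and bits < 2048:
            problems.append("RSA modulus only %d bits" % bits)
        report.append({"type": keytype, "bits": bits, "options": fields[:idx], "problems": problems})
    return report

def private_key_is_encrypted(data):
    """PEM keys say 'Proc-Type: 4,ENCRYPTED'; openssh-key-v1 names a cipher, 'none' if no passphrase."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        cipher, _ = read_string(base64.b64decode(body), len(b"openssh-key-v1\x00"))
        return cipher != b"none"
    return b"Proc-Type: 4,ENCRYPTED" in data

def audit(ssh_dir):
    """Findings: bad modes, and private keys protected by file modes alone."""
    findings = []
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append("directory: should be mode 700")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        is_private = name.startswith("id_") and not name.endswith(".pub")
        if is_private and mode & 0o077:
            findings.append("%s: mode %o, private key should be 600" % (name, mode))
        elif not is_private and mode & 0o022:
            findings.append("%s: mode %o, must not be group/world writable" % (name, mode))
        if is_private and not private_key_is_encrypted(open(path, "rb").read()):
            findings.append("%s: no passphrase, protected by file mode alone" % name)
    return findings

def rsa_blob(bits):
    n = (1 << (bits - 1)) | 1                           # constructed modulus, not a real key
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                            + ssh_string(n.to_bytes(bits // 8, "big"))).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([               # constructed entries
    "ssh-rsa " + rsa_blob(1024) + " old laptop",
    "ssh-rsa " + rsa_blob(2048) + " pmateti@milner",
    'from="*.osis.cs.wright.edu" ssh-ed25519 ' + base64.b64encode(
        ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " lab",
    "ssh-dss " + base64.b64encode(ssh_string(b"ssh-dss") + ssh_string(b"\x01")).decode(),
])

def build_sample_dir():
    """Temporary ~/.ssh: an unencrypted ed25519 key with the right mode, an
    encrypted RSA key that is world-readable, and the authorized_keys above."""
    def container(cipher):          # only the header fields the check reads
        kdf = b"none" if cipher == b"none" else b"bcrypt"
        b64 = base64.b64encode(b"openssh-key-v1\x00" + ssh_string(cipher) + ssh_string(kdf))
        return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + b"\n-----END OPENSSH PRIVATE KEY-----\n"
    d = tempfile.mkdtemp()
    os.chmod(d, 0o700)
    for name, data, mode in [("id_ed25519", container(b"none"), 0o600),
                             ("id_rsa", container(b"aes256-ctr"), 0o644),
                             ("authorized_keys", SAMPLE_AUTHORIZED_KEYS.encode(), 0o644)]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        os.chmod(os.path.join(d, name), mode)
    return d
```

Run audit(os.path.expanduser("~/.ssh")) against a real directory to get the same findings for your own keys; the 644 mode on authorized_keys in the listing above is acceptable, because sshd's StrictModes only insists that the file and ~/.ssh not be writable by others.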
Port forwarding is the act of sending TCP packets addressed to one port on one machine to another machine + port through the ssh connection. Say you are logged in on Milner under X11, and you ssh login to gamma (a machine located on a different subnet/floor from the OSIS lab) with X11 forwarding enabled (the -X option) and invoke an X client program: the X11 traffic generated by that client on gamma is sent to the X11 server on Milner via the ssh tunnel, rather than over the network in the clear.
All work is expected to be carried out in the Operating Systems and Internet Security (OSIS) Lab, 429 Russ. But, you are welcome to work wherever. Note that use of both Linux and Windows and other software, that may not always be installed in other facilities, may be needed.
Record the lines you type and your observations in a plain text file named myLabJournal.txt
using your own words and/or copying appropriate lines. You may use any
editor you wish to edit this file.
In Linux
ifconfig, and route commands, and the /etc/resolv.conf file.
64.236.29.120.
ssh, without having to type your password, from the machine you are sitting at to another one whose IP address differs from yours by 20 in the last byte.
In Windows
ipconfig in Windows, not ifconfig.
www.google.com twice, leaving a gap of about 30 minutes. Are the routes identical? [Hint: traceroute is spelled tracert in Windows]
net /?. This shows the possibilities for the first argument. Use at least five of these, and record.
On unixapps1
In this part of the experiment, we would like you to experience "true" remote computing. You will be logging into unixapps1.wright.edu and let unixapps1 control your desktop!
ssh unixapps1.wright.edu -l w000xxx -X
This will ssh you into unixapps1 using your WSU student id (w000xxx) and enable X11 tunneling (the -X option).
gnome-session and describe what happens.
Copyright © 2009 Prabhaker Mateti. Last edited: June 30, 2009.