# Computer Networks by Honza

DISCLAIMER: This is written largely so that I would remember it, so I left out some things that I already knew, considered derivable, or that are mentioned in another question. I don't have a public repo for this; report any errors to any contact [on the website](https://grsc.cz#contact).

## 01 Paradigms

- A01 Stream and block transmissions
  - stream
    - FIFO queue
    - order preserved
    - no division other than individual characters
  - block
    - divided into blocks
    - fixed / variable size
    - travel independently
    - order might not be preserved
    - may contain metadata, e.g. ordinal number
- A02 Connection-oriented and connectionless transmissions
  - TCP vs. UDP
  - connection-oriented
    - order is preserved
    - connection is created, maintained, terminated
    - stateful
      - state must be kept in memory
      - resources can be allocated and deallocated
    - error handling
    - other party must exist and be ready
  - connectionless
    - stateless
    - other party might not exist, or might not receive the packets
    - lower latency
- A03 Circuit and packet switching
  - circuit switching
    - mainly in telecommunications
    - "old" way of doing things
    - dumb endpoints, smart network
    - a communication path is created first, data is then freely sent through the path
    - low latency
    - reserves capacity
    - block and stream both possible
  - packet switching
    - more prevalent in computer networks
    - smart endpoints, dumb network
    - packets travel independently
    - more resilient
    - only block transmissions, metadata is required
    - shared capacity
- A04 Virtual circuits and datagram service
  - virtual circuits
    - connection-oriented way of doing packet switching
    - a path is prepared, packets are marked and follow the same path
    - e.g. ATM
  - datagram service
    - connectionless
    - e.g. Ethernet
- A05 Reliable and unreliable transmissions
  - reliable
    - errors are detected and recovered
    - all data is transmitted
    - higher latency and bandwidth due to overhead and confirmations
    - checksums
  - unreliable
    - no confirmation
    - errors are ignored
    - lower latency
    - lower jitter
- A06 Guaranteed and non-guaranteed transmissions
  - guaranteed
    - circuit switching
    - is garbage
  - non-guaranteed
    - packet switching
    - resources might not be available
- A07 Best Effort and Quality of Service
  - best effort
    - if loss is inevitable, all data is equal
  - quality of service
    - relative = prioritization
    - absolute = guaranteed; circuit switching with extra steps, reservations made in advance
- A08 Worlds of telecommunication and computer networks
  - telecom
    - dumb device, smart network
    - inflexible
    - expensive
    - older
    - central management
    - circuit switching, connection-oriented, reliable, guaranteed
      - afraid to sell an unreliable service
      - (this hasn't been true since the 1990s)
    - closed, corporate
  - computer
    - smart device, dumb network
    - flexible
    - cheaper
    - newer
    - packets, connectionless, unreliable, non-guaranteed
    - liberalized, based on standards
    - network owners are the users
- A09 Management of available resources
  - Moore's law
    - processing doubles every two years
    - Moore's law is slowing down
  - disk law
    - space doubles every year
  - Gilder's law
    - transmission triples every year
  - eventually it gets cheaper to store than to calculate, and to fetch than to store

## 02 Taxonomy

- A10 Broadcast and switched networks
  - broadcast networks
    - DTV, DAB and co.
    - one broadcaster, many subscribers
    - data is transmitted all the time
  - switched networks
    - the internet and co.
    - duplex communication
    - data is sent on request
- A12 Core and access networks
  - core
    - small number of high-bandwidth connections
    - redundancy
    - optical fibers
  - access
    - connects end users
    - POPs (like rDSLAMs)
      - (remote subscriber units = RSU)
    - CP - customer premises
    - RSU → CP = metallic cable, passive connection
    - building access networks is hard
      - earthworks represent 85 % of the cost
      - intentionally oversized and future-proof
- A11 Fixed and mobile telephone networks
  - fixed
    - now mostly CETIN and others (ex O₂)
    - 2 international, 8 transit, 140 local telephone exchanges
    - 3.8M active CPs in 2001, 700k in 2019 (ČSÚ (2023): 356k homes and 885k businesses)
  - mobile
    - mobile switching center (MSC)
    - gateway MSC - to other networks
    - GERAN - GSM EDGE radio access network
    - Base Transceiver Station - BTS - phones connect to it
- A13 Overlay access networks
  - using existing infrastructure for newer technology
  - other frequencies, encapsulation
  - original functionality preserved
  - fixed telephone, power or cable television wiring
- A14 xDSL technology
  - usage of metallic phone lines
  - non-voice frequencies
  - passive frequency splitter
  - modem
  - POP - DSLAM, separate core network
  - ADSL - kilometers, 8Mb/1.5Mb
  - VDSL - 300 meters, 200Mb/100Mb
- A15 PLC technology
  - using the electrical network
  - higher frequencies above 50/60Hz
  - very noisy, unshielded cables
  - long haul - maintenance only, very low frequencies and speeds
  - last mile - expensive and not used in practice
  - last meter - HomePlug, behind the meter, up to 500Mb/s, usually sucks balls in practice
- A16 DOCSIS technology
  - Data Over Cable Service Interface Specification
  - coax cables, originally one-way TV broadcasts
  - DOCSIS 1.0 - 40/10 → DOCSIS 4.0 - 10G/6G
  - POP = CMTS (cable modem termination system)
  - optical to CMTS, coax to CP
- A17 FTTx technology
  - active vs. passive splitting
    - passive is good enough for access, the core network is active
  - PON - passive optical network, usually GPON - gigabit
  - FTTx
    - Node (used by DOCSIS)
    - Curb
    - Building
    - Home
  - last meter is usually not optical
    - although (Q)SFP(+) DACs exist, servers might be optical up to the device
- A18 Data networks
  - transmit data (duh) for various different applications (instead of calls, TV)
  - dumb network (not smart network)
  - private, public, virtual private
    - private
      - MVČR - PEGAS network (operated by ČRa - České radiokomunikace)
      - whole network is operated by one entity
      - IZS uses it
    - public
      - commercial customers
      - better for smaller subjects
    - virtual private
      - shared infrastructure
      - usually uses a public network
- A19 PAN, LAN, MAN and WAN networks
  - PAN - Personal Area Network
    - Bluetooth, infrared, Wi-Fi Direct and co.
    - USB, FireWire
    - connection between your devices, usually peer to peer
    - single person
  - LAN - Local Area Network
    - home, business network
    - all devices see each other
    - in the narrower sense, all connected with L1 and L2
  - MAN - Metropolitan Area Network
    - like cities or something
    - like local ISPs, Újezd.net, Czela.net and co?
    - PASNET, MEPNET
    - pass through public spaces
  - WAN - Wide Area Network
    - CESNET, the internet
- A20 Internet architecture, peering and transit
  - peering - direct connection between two ISPs
  - transit - usually paid connection through another ISP's network
  - Tier 1 providers
    - like 15 of them
    - the big guys - AT&T, Deutsche Telekom
    - peer with everybody, don't need transit access
  - Tier 2 providers
    - peer locally, need transit to the rest of the internet
  - Tier 3 providers
    - local providers, connect through transits
- A21 Intranet, extranet and darknet
  - intranet - internal resources, only available from the network
  - extranet - external stuff, for customers, available from the internet
  - darknet
    - what
    - why do you mention it here
    - what does it have to do with anything
    - ok, the fact that it is an *overlay* network is kinda relevant
    - do we talk about onion routing, cool crypto?
    - nah, sex, drugs and rock'n'roll, that's how you teach people about networking
    - also, Tor isn't the only """darknet""" out there (as in a free decentralised network that doesn't use address-based routing), ever heard of IPFS? Yggdrasil? Those work differently and aren't used for sex, drugs and rock'n'roll as far as I'm aware

## 03 Layers

- A22 Principles of layer models
  - decompose a problem into multiple parts
  - each layer has different responsibilities
  - layers are strictly ordered instead of arbitrary modules
  - public interface and responsibilities defined, internals intentionally hidden
- A23 Vertical and horizontal communication
  - horizontal
    - between devices
    - always on the same layer
    - only L1 is actually connected, all others are just an illusion
  - vertical
    - translation between layers - packing and unpacking
    - only adjacent layers can communicate (not actually) and cannot be skipped
- A24 Principles of network protocols
  - set of rules using which devices communicate
  - public interface and internal transmission rules
  - protocols are within a single layer
  - are interchangeable, complementary or alternative
  - PDU - packet, frame, cell
    - header + body + (footer)
  - MTU - maximum payload size
- A25 Network models and architectures
  - model - concept of tasks and responsibilities
  - architecture - particular implementation
  - ISO OSI model - 7 layers
  - TCP/IP architecture - 4 layers
- A26 ISO/OSI reference model
  - layers
    1. physical
    2. link-local
    3. network
    4. transport
    5. session
    6. presentation
    7. application
- A27 Physical layer tasks
  - transmission of individual bits
  - management of a shared medium
  - only two adjacent nodes
  - modulation, keying, synchronization, timing
  - digital to analog
  - optical, wireless and metallic
- A28 Data link layer tasks
  - sending frames within a single local network
  - illusion of a direct path between all nodes
  - bridges and switches
  - physical address unique within the network
  - frames encoded in the stream of bits of L1
  - cooperates with L1 on synchronisation and media sharing
- A29 Network layer tasks
  - globally unique address
  - need to find shortest paths
  - maintenance of MTU - fragmentation and defragmentation
  - routing between networks, autonomous systems
  - address assignment - networks and individual nodes
  - direct - ARP & send; indirect - ARP & send to the router
- A30 Transport layer tasks
  - separation of entities (services) within a node
    - unique
    - known in advance
    - sockets
    - dynamically reserved ports
  - only happens in nodes, routers implement only L1-L3 (except for NAT lol)
  - adaptation
    - guaranteed over best effort
    - connections over connectionless
    - reliable over unreliable
    - streams over blocks
  - flow and congestion control
- A31 Session layer tasks
  - session
  - authentication, authorization, encryption
  - illusion of synchronousness
  - 1 L5 - n L4, 1 L4 - n L5
  - transactions
- A32 Presentation layer tasks
  - data encoding and decoding
  - translation between formats
  - BE, LE, encodings
  - ASN.1, BER
  - nowadays ProtoBuf, JSON?, GraphQL
- A33 TCP/IP architecture
  - L1 - physical/data link - handles everything necessary for transmission between nodes in a network
  - L2 - IP - global routing between all nodes
  - L3 - TCP/UDP - separation of services, adaptation
  - L4 - application layer + session and presentation

## 04 Techniques

- B01 Physical transmission media
  - non-ideal - attenuation, distortion, interference
  - guided - metallic and optical; unguided - wireless
  - have limited bandwidth
- B02 Analog and digital transmissions
  - analog
    - directly measuring values
    - they always change
    - impact in a chain gets worse
  - digital
    - analog values interpreted as 0 or 1
    - can be "perfect" by setting good thresholds
- B03 Shapes and properties of waveforms
  - square
    - an infinite sum of sines
    - some will be truncated
  - triangle
  - sine
    - amplitude
    - frequency
    - phase
  - sawtooth
- B04 Baseband transmissions
  - frequency of changes in data ~ frequency of changes in the carrier
  - unmodulated
  - usually square
- B05 Principles and examples of line codes
  - unipolar, bipolar NRZ, RZ, Manchester, transition coding (USB 2)
  - redundant coding, bit stuffing, scrambling, block coding
  - objective: reduce DC and enable synchronisation and clock recovery
- B06 Synchronization, DC component and disparity issues
  - synchronisation
    - we need a clock to determine when to read a 1 or 0 - bit period
    - running a separate clock is impractical
    - clocks are inaccurate
    - clock recovery from the signal is needed
  - DC component and disparity
    - how much the signal is offset from 0 on average
    - cannot be reliably transmitted over a long distance
    - mean amplitude has to be kept as close to 0 as possible
- B07 Synchronization techniques
  - explicit clock - only in buses within a single device, I²C
  - self-clocking
    - direct recovery - redundant coding - each bit period contains a transition
    - indirect recovery - clock is derived from multiple bits of data - long runs of the same value are avoided - bit stuffing, block coding
  - anisochronous - clock is sent at a different time than the data
- B08 Redundant coding, bit stuffing, scrambling
  - redundant coding - Manchester - each bit contains a transition
  - bit stuffing - after a successive run of n same values, the opposite value is injected and automatically removed
  - scrambling - sequence of data is combined with a PRNG sequence or pattern - QR codes
- B09 Block coding
  - blocks of bits are encoded as longer blocks
  - multiple different blocks mean the same thing
  - some blocks may be omitted - for instance those with long runs or DC disparity
  - 4b/5b - 100Mb Ethernet - DC balanced with a scrambler
  - 8b/10b - 1G, HDMI, SATA, USB 3 - DC balanced - max 5 consecutive equal bits - running disparity not more than ±2
- B10 Passband transmissions
  - amplitude, frequency and phase modulation - for analog signals
  - keying - digital modulation - ASK, FSK, PSK
  - QAM - ASK + PSK
- B11 Quadrature Amplitude Modulation
  - combination of ASK and PSK
  - e.g. 16QAM - 3 states of amplitude, 12 of phase - only 16 out of 36 possible used
  - Gray code used - a change to a neighbouring segment causes only one bit flip
- B12 Ensuring transparency
  - transparency - distinguishing data from control commands
  - separate path / escaping
- B13 Framing and encapsulation techniques
  - framing - separation of bits into individual frames
    - start flag + end flag
    - start flag + length
    - start flag + implicit end
    - absence of carrier
    - line coding
    - block counting
  - encapsulation - combining payloads with headers and footers
- B14 Stuffing techniques
  - character/bit/byte
  - marking data with special symbols
  - escaping and framing
  - flag occurrences in data
- B15 Character-oriented data link protocols
  - use non-printable ASCII characters
  - positive escaping using DLE (data link escape)
  - Start of Header, Start of Text, End of Text
  - DLE is escaped by doubling
  - for instance Serial Line Internet Protocol
- B16 Bit-oriented data link protocols
  - special sequence of bits marks frames
  - N ones = flag; after N-1 ones, a zero is added
  - High-Level Data Link Control, HDLC
- B17 Byte-oriented data link protocols
  - escaping bytes, flag bytes, synchronisation bytes
  - e.g. Ethernet

## 05 Routing

- B18 Routing and forwarding tables
  - routing table
    - used to calculate the route
    - used to find the shortest path
    - destination, interface, gateway, metric
  - forwarding table
    - used for individual packets
    - should be fast and easy to resolve where to send each packet
- B19 Common and alternative routing approaches
  - hop by hop
  - shortest path
  - destination-based
  - content-independent
  - stateless
- B20 Classification of routing approaches
  - adaptive - dynamic
    - centralised, decentralised
  - non-adaptive - static
    - flooding
    - fixed directory
    - random walk
- B21 Fixed directory and random walk routing
  - fixed directory - predetermined and preconfigured set of rules
  - random walk - send the packet in a random direction, not back
- B22 Flooding and controlled flooding techniques
  - send packets in all directions
  - hop counting - hop number set to some constant, decremented on each hop, dropped when zero is reached
  - sequence number, checksum remembering
  - spanning tree generation
  - reverse path forwarding - drop the packet if it arrived on a path that wouldn't be used to send a packet to its source address
- B23 Centralized routing
  - single route server
  - other devices only have forwarding tables and ask the route server for directions
- B24 Backward learning method
  - remember where packets come from for different source addresses
  - send in those directions; if unknown, flood
- B25 Source routing method
  - the source finds the entire route, routers follow it
  - uses flooding to find the path; when the discovery packet reaches the destination, it is sent back with the path written down; the found path is remembered and used
- B26 Distance-vector routing
  - learn routes from neighbours
  - metric is the lowest of (metric advertised by a neighbour + metric to that neighbour)
  - learns good routes fast, bad routes stay for long
- B27 Count to infinity problem
  - in a network of nodes A-B-C-D, if A-B is disconnected, B wants to update its path to A and asks C; C doesn't know B can't access A, so it tells B its cost of 2; B updates to 3, C updates to 4, B to 5...
  - solutions
    - small infinity - counting doesn't take long, but long paths are never discovered
    - split horizon - a path is never advertised to the node it was learned from
    - poisoned reverse - as split horizon, but with infinite cost instead of not at all
    - triggered updates - updates are sent immediately before asking anyone
- B28 RIP protocol
  - very old
  - uses distance-vector with an infinity of 16
  - only 25 routing records
  - updates every 30 seconds, unavailable if no update within 180
- B29 Link-state routing
  - each router has complete information
  - update is sent immediately and to everyone
  - OSPF
- B30 Distance-vector and link-state comparison
  - link-state
    - calculation is not incremental, fast convergence
    - mistakes don't influence the rest of the network
    - each node has full information, can make its own decisions
  - distance-vector
    - each node has partial information
    - nodes don't need that much memory
    - slower convergence
- B31 Hierarchical routing and routing domains
  - routing in a big system is still hard, decomposition is needed
  - autonomous systems in the internet (usually ISPs)
  - hierarchical routing - RIP or OSPF inside, path-vector routing BGP outside (the full path is sent and kept instead of just the cost)

## 06 Transport

- B32 End-to-end communication and de/multiplexing
  - L1-L3 treat nodes as atomic
  - nodes contain services and programs that all need to communicate ⇒ sockets
  - L4 is handled only by end devices, devices on the way don't care
  - some mechanism in the node (OS) gives the data to each service by the port
- B33 Comparison of TCP and UDP protocols
  - UDP
    - very simple
    - only port numbers, otherwise unreliable, unguaranteed etc.
    - low latency
    - connectionless
    - only E2E, no adaptation
  - TCP
    - very complex
    - connection-oriented, reliable, but still best effort
    - adaptation
- B34 TCP byte streams
  - illusion of a byte stream
  - the sending side has a buffer; only when the buffer is full (or if otherwise instructed) is a segment constructed and sent
  - individual segments are numbered
- B35 Establishing connections
  - three-way handshake - SYN, SYN/ACK, ACK
  - the initial sequence number is also agreed upon
- B36 Ensuring reliability
  - error detection and correction
  - correction is expensive and not used in practice ⇒ error detection + retransmission
- B37 Parity bits and checksums
  - parity bits
    - of each byte
    - of particular groups of bits in the message
    - odd parity vs. even parity
  - checksum
    - sum of all bytes in the packet
    - either the sum is checked, or two's complement is utilised and zero is checked
- B38 Cyclic Redundancy Check
  - bits of the message are coefficients of a polynomial in GF(2)
  - gets divided by the generator polynomial
  - the remainder makes the check value
  - very easy to implement in hardware
    - fixed scheme - fixed polynomial, only XOR gates are needed
    - generic scheme - polynomial set using AND gates
- B39 Automatic repeat requests
  - stop-and-wait
  - go-back-N
  - selective repeat
- B40 Stop-and-Wait ARQ
  - wait for confirmation on each packet
- B41 Go-Back-N ARQ
  - when a retransmission happens, start over from the point of retransmission
  - doesn't need a buffer on the receiving side
- B42 Selective Repeat ARQ
  - only retransmit lost segments
  - needs a buffer on both sides
- B43 Sliding window method
  - buffer of unacked sent messages kept on the sending side - the buffer moves when the last message is acked
  - buffer of unprocessed received messages on the receiving side - the buffer moves when the first message in line is received (others might be waiting)
  - stop-and-wait - window size is 1 x 1
  - go-back-N - window size is N x 1
  - selective repeat - window size is N x M
- B44 Flow control
  - ensuring slower recipients are not overwhelmed
  - sliding window method in TCP
- B45 Congestion control
  - ensuring the network on the way is not overwhelmed
  - feedback techniques
    - ICMP source quench (not used in practice)
    - TCP sliding window or slow start (if congestion is detected, use stop-and-wait)
  - forward techniques
    - traffic shaping = delay
    - traffic policing = drop
- B46 Quality of Service techniques
  - relative QoS - types of traffic are given priorities; in case of congestion, low priority is dropped/delayed first
  - absolute QoS - reserved in advance
- B47 Principles of DiffServ
  - classes of priorities
  - forgotten *Type of Service* IP header field
  - all routers must cooperate
- B48 Principles of IntServ
  - part of the available capacity is detached and reserved
- B49 Client buffering mechanism
  - intentional delay to control and reduce jitter

## 07 Internetworking

- C01 Internetworking objectives
  - connecting devices in smaller or larger networks
  - merging smaller units into larger ones
  - dividing larger units into smaller ones
- C02 Active and passive network elements
  - active
    - router
    - switch
    - bridge
    - hub
    - repeater
    - transmitters
  - passive
    - wire
    - server rack (wtf)
    - patch panels (why tho)
    - structured cabling (gfy)
- C03 Interconnection across layers
  - TODO: I have actually absolutely no clue what this question is about :(
- C04 Internetworking principles at L1
  - all devices share one medium
  - individual bits are transmitted
  - collision avoidance is needed
  - hub
    - simple repeater
    - transmits bit by bit as they are received
    - all devices must use the same speed
    - no filtering is done
    - very low latency
    - very simple hardware
- C05 Collisions and CSMA/CD access method
  - carrier sense multiple access / collision detection
  - devices start trying to transmit immediately when the medium is unoccupied
  - many can start at the same time; they detect the collision and start jamming so the others notice too
  - wait for a random! amount of time and try again
  - the collision has to be propagated through the entire segment
- C06 Internetworking principles at L2
  - devices don't share a medium anymore
  - frames are transmitted
  - filtering and forwarding is limited
  - packets are buffered, collisions don't propagate
  - packets are sent only to relevant destinations using backward learning
- C07 Filtering and forwarding at L2
  - filtering - local communication within a segment is not sent to other segments
  - forwarding - each segment receives only data intended for that segment
- C08 Network controller operation at L2
  - L3 packet is encapsulated into an L2 frame
  - L2 destination address needs to be determined using ARP and co.
  - the L2 frame is forwarded through the network to the recipient
  - all recipients are reachable
  - switches and bridges are not visible to the end nodes
  - bridges and switches are promiscuous - receive and consider all traffic
  - end nodes are non-promiscuous - drop frames with unknown addresses
- C09 Store&Forward mechanism
  - each frame is received in its entirety, buffered and then forwarded
  - allows detecting and dropping damaged frames
  - has higher latency
  - allows segments with different rates to be connected
- C10 Cut-Through mechanism
  - each frame is buffered only until its fate is determined, then forwarding starts right away
  - requires segments to have the same rate
- C11 Network segmentation and microsegmentation
  - segmentation
    - separation into L1 segments
    - connected using split-Ts
  - microsegmentation
    - each segment contains only one device
    - the only solution used nowadays
    - no collisions happen and full duplex communication is possible
- C12 Comparison of switches and bridges
  - bridge
    - older style of device
    - connects few larger segments
    - mainly does filtering
    - can be implemented on the CPU level
  - switch
    - newer style of device
    - connects many smaller segments, usually microsegments
    - mainly does forwarding
    - usually has specialised hardware
- C13 Internetworking at L3
  - connecting all devices globally
  - connecting many networks into one internetwork
  - not all clients are connected directly, but reachability is achieved through routers
  - limitation of broadcast domains
- C14 Network interface operation at L3
  - the routing table is consulted
  - either a local route is found and the packet is directly sent over L2 to the recipient
  - or the packet is sent to the gateway router for the given address
  - the packet contains the address of the final destination
- C15 80:20 and 20:80 rules
  - originally 80 % of all traffic was local, 20 % went to other networks
  - with the internet, 80 % goes to the internet and only 20 % is local
  - technologies had to adapt - VLANs and L3 switches
- C16 L2 and local and targeted L3 broadcasts
  - L2 broadcast - FF:FF:FF:FF:FF:FF
    - sent by flooding from all switches
    - all bits are 1
  - L3 local broadcast - 255.255.255.255
    - automatically sent to the L2 broadcast in the local network
    - all bits are 1
  - L3 targeted broadcast - 192.168.1.255
    - all bits of the host part are 1
    - routed normally at first and turned into a broadcast when it reaches the recipient network
- C17 Routers and L3 switches
  - routers
    - they route
    - have routing tables
    - commonly also do NAT, DHCP, DNS resolving, firewall etc.
    - other physical interfaces
  - L3 switches
    - switches that can understand L3 packets and forward according to simple rules
    - designed for speed and throughput
    - don't have many additional features
    - from 20:80 environments
- C18 Usage of L4 and L7 switches
  - switches that additionally read L4 and L7 information
  - L4 switches - send different applications to different nodes
  - L7 switches - understand L7 - different HTTP hosts to different servers
  - distribution and load balancing
  - transparent caching
  - traffic prioritization, blocking and limitation
- C19 Principles and concepts of VLAN networks
  - using the same L1 and L2 infrastructure for multiple networks
  - separating geographically close nodes into separate networks - local VLANs
  - connecting geographically separate nodes into a single network - end-to-end VLANs
  - limiting the broadcast domain
  - security
  - easier management
- C20 Logical model of a VLAN network
  - switches and routers must understand VLANs
  - they are connected with VLAN-aware segments
  - packets sent to end nodes are normal
    - end nodes can be simple
    - VLAN-unaware segments
  - VLAN IDs and optional names
- C21 Access and trunk ports
  - access port
    - has one specified VID
    - outgoing packets are stripped of the VLAN ID and sent to the end node
    - incoming packets get tagged with the VID of the port
  - trunk port
    - has a selection of allowed VIDs
    - packets with selected VIDs are forwarded, others are not
    - can have a native VID; packets without a VID are assigned this VID
- C22 Configuration of VLAN networks
  - static - configured manually
  - dynamic - using MAC addresses
  - 802.1X authentication
  - MVRP for trunk port configuration
- C23 802.1Q Dot1q tagging
  - TPID = 0x8100
  - TCI - 12-bit VID
  - adding and removing tags requires recomputing the CRC
- C24 Routing in VLAN networks
  - VLAN-unaware router
    - needs a physical interface for each VLAN
    - garbage, doesn't scale well
  - VLAN-aware router
    - has virtual interfaces for VLANs and routes between them
    - "router on a stick" - router connected with only one physical wire but many VLANs
- C25 Types and principles of firewalls
  - network-based
  - host-based
  - dedicated device / software solution
  - prohibited unless permitted / permitted unless prohibited
- C26 Demilitarized zones and application gateways
  - two firewalls, outside ↔ DMZ and DMZ ↔ inside
  - no packets can go outside ↔ inside, only via the DMZ
  - application servers with services for outside users are placed in the DMZ
  - an application gateway receives a request and makes its own request to the internal server on behalf of the outside user, or the other way round
- C27 Deployment of demilitarized zones
  - dual firewall
    - much more secure
    - firewalls can be from different vendors
  - single firewall
    - less secure
    - three network interfaces
    - single point of failure
  - integrated DMZ - software-based solution in the node separating inside and outside
  - DMZ host - fake DMZ
- C28 Packet filters and ACL lists
  - set of L3 rules that allow/disallow forwarding of packets
  - a normal ACL uses only the source address
  - stateless vs. stateful

## 08 Addressing

- D01 Principles of addressing at L2
  - addresses must be unique within the network
  - broadcast addresses are also useful
  - but it's easier for them to be unique globally
  - EUI-48 and EUI-64
  - addresses burned in by the manufacturer
- D02 EUI-48 and EUI-64 addresses
  - divided into a 3-byte OUI assigned to manufacturers and the rest
  - EUI-48 → EUI-64: FF: FE inserted in the middle
  - 64 only used by FireWire, 48 by BT, Wi-Fi, Ethernet...
  - last two bits of the first byte (they are first on the wire, because of endianness)
    - individual/group
    - universal/local
- D03 Principles of addressing at L3
  - address must be globally unique
  - hierarchy in addresses is desirable, so networks can be routed as a whole
  - network part + node part
- D04 IPv4 addresses and their classes
  - four bytes, decimal numbers separated by dots
  - originally divided into classes A, B, C, D, E (only D, E kept now)
  - the number of ones at the start of the address determines the class
    - first bit 0 = Class A - /8 network
    - first bits 10 = Class B - /16 network
    - first bits 110 = Class C - /24 network
    - first bits 1110 = Class D - multicast
    - first bits 1111 = Class E - reserved
- D05 Special IPv4 addresses
  - 0.0.0.0 - self
  - 127.0.0.0/8 - lolpback, lolcalhost
  - 0.0.0.x - address in this Class C network (similar for A, B) (this isn't actually in use??)
- 10.0/8 - reserved for local use - 172.16.0.0/11 - reserved for local use - 192.168.0.0/16 - reserved for local use - 169.254.0.0/16 - link-local addresses - D06 IPv4 multicast IPv4 multicast - class D addresses - 224.0/24 - static multicast - 224.0.1.0 - 238.255.255.255 - global multicast - 239.0.0.0 - 239.255.255.255 - 00:00:5E OUI, 23 bits taken from IP - D07 Řešení nedostatku IPv4 adres IPv4 address space exhaustion - subnetting and supernetting - cidr - IPv6 - NAT/PAT - D08 Subnetting a supernetting Subnetting and supernetting - subnetting - large blocks of Class A and B are split into smaller subnets - routes not visible to the open internet - nodes within subnet must understand, others don't - supernetting - give subjects multiple Class C networks istead of 1 larger one - routing tables get too big - netmask added to routing tables, non-class prefixes routed by same router - D09 Mechanismus CIDR CIDR mechanism - abandon classes altogether - each network can have any prefix, denoted by netmask or the number of ones in it after a slash /24 = 255.255.255.0 - routing tables contain CIDR of target network, routing independent of how addresses are assigned - D10 Hierarchie registrátorů Hierarchy of registries - IANA > RIR > NIR > LIR - for instance IANA > RIPENCC > CESNET > CUNI - D11 Koncepty privátních IP adres a NAT Private IPv4 addresses and NAT concepts - still not enough addresses and network people are notoriously scared of number 6 - devices inside of a network get private addresses which get translated by a router/firewall - static - each public address corresponds to one private one - this solves nothing - dynamic - public addresses are only allocated on demand - when a connection is made - this is still insufficient - PAT (NAPT) - D12 Doručování datagramů při aktivním NAT Forwarding of datagrams with NAT enabled - packet is sent with private srcIP and final dstIP - when passing through the router, it replaces srcIP with the public IP - recipient sends 
response, dstIP is public - dstIP gets translated to private in router - packet reaches its destination - D13 Charakter NAT/PAT vazeb Nature of NAT/PAT bindings - Cone PAT - each IPp:portp corresponds to one IPs:ports - symmetric NAT - different IPp:portp also for destination IP:port pair - D14 Doručování datagramů při aktivním PAT Forwarding of datagrams with PAT enabled - srcIP:port private, dstIP:port final - srcIP:port assigned new public pair - response sent back to public pair - public pair resolved using table back to private - D15 Varianty PAT kuželů Variants of PAT cones - full - once NAT is opened, anyone can send packets to it - ip restricted - only packets from contacted IPs are accepted - port restricted - only packets from contacted IPs and ports are accepted - symmetric NAT - each recipient ip:port pair has own NAT pair - D16 Problémy NAT/PAT Issues of NAT/PAT - it sucks - absolute garbage - this technology should have never existed - entirely smallbrain - setback of overall human progress by at least half a year - NAT can go die in hell - performance hits, not all communication protocols supported - implicit firewall that cannot be turned off in some cases - - D17 Cíle IPv6 adres a vztah k IPv4 adresám Goals of IPv6 addresses and relationship to IPv4 - 4 times the length IPv6 = IPv4^4 - drop broadcasts, add anycasts - other features - autoconfiguration addresses - more hierarchy levels - D18 Struktura a zápis IPv6 adres Structure and notation of IPv6 addresses - 8 groups of four hexadecimal digits - leading zeros may be ommited - one block of consecutive zeroes can be replaced by two colons - mixed notation with embedded ipv4 - D19 Unicastové IPv6 adresy IPv6 unicast addresses - global unicast - unicast local address ULA - not globally routable, reserved only within *site* - fc00::/7 - fc00::/8 reserved - fd00::/8 in use, databases exist - for instance fd00:ec2::/32 used by AWS for internal services like DNS - link local - fe80::/10, autoconf based 
on MAC - Site local - previous attempt, replaced by ULA, unused - D20 Principy adresování na L4 Principles of addressing at L4 - ports - individually for each protocol (TCP/UDP) - unique, abstract, implicit, static ``` Unique within a given node Static = fixed and known in advance – So that we are able to determine the address of the recipient Abstract = independent on a particular platform Implicit = independent on the current situation ``` - both src port and dst port - D21 Porty a jejich číslování Ports and their numbering - 0-1023 well known reserved ports - 1024-49ksomething user ports - 49ksomething-65535 dynamic ports - D22 Principy adresování na L7 Principles of addressing at L7 - URI - generic naming system for all objects in the universe - URL - for web resources - URN - for other resources, doi, isbn and co - něco něco železničářskej diagram ## 09 Protocols - D23 Vlastnosti protokolu IPv4 IPv4 protocol features - connectionless, stateless, unreliable - L3, globally routable - D24 Struktura IPv4 datagramu Structure of IPv4 datagrams - header and body - D25 Položky IPv4 hlavičky IPv4 header fields - 4 bits of type (static `4`) - Type of Service (forgotten, used for DiffServ) - header checksum - src, dst addr - L4 protocol type - optional options - TTL - IHL header length - total length - fragmentation identificatio, flags and offset - D26 Položka TTL a nástroj TraceRoute TTL header field and TraceRoute tool - originally actual time in seconds, nowadays hop count - starts at some value, decreased in each hop - tracepath sends pings with TTL starting at 1 - when TTL is exceeded, ICMP Time Exceeded is sent - router then reveals its identity - when time runs out, we know there is a router that doesn't want to speak - D27 IPv4 kontrolní součet IPv4 header checksum - normal checksum, no CRC, only header - whole header should add up to 0 - no message sent on fail, what if src address was damaged - D28 IPv4 doplňky hlavičky IPv4 header options - other options - 
option type, length and data - copied flag, class and number - some options for source routing - D29 Principy IPv4 fragmentace Principles of IPv4 fragmentation - anyone in the path can fragment - fragmentation sucks - packets identified by identifier (generated only when first fragmentation occurs) and offset - fragmentation can happen multiple times - D30 IPv4 varianty detekce MTU IPv4 MTU detection strategies - no limit - by asking nearest L2 - good for routers - minimum possible, 68 or 576 bytes - path discovery - trying along the whole path - D31 IPv4 Path MTU Discovery IPv4 Path MTU Discovery - sending pings of different sizes with Don't Fragment flag set - might not be accurate - paths change - D32 Proces IPv4 fragmentace Process of IPv4 fragmentation - ip header gets copied and modified - non-copy options get dropped - length and checksum is recalculated - D33 IPv4 fragmentační hlavičky IPv4 fragmentation headers - identification - frag offset - frag flags - first fixed 0 - don't fragment - more fragments follow - D34 Proces IPv4 defragmentace Process of IPv4 defragmentation - reassembly using offsets, identification and buffer - if some time elapses and not all frags arrive, packet is discarded with ICMP Time Exceeded - D35 Problémy IPv4 de/fragmentace IPv4 de/fragmentation issues - makes stateless protocol stateful - much more complicated than IPv4 without it - needs buffers - and timers - and such - D36 Protokol ICMPv4 ICMPv4 protocol - auxiliary protocol for IPv4 - is L3, but is encapsulated in IPv4, so is kinda L4 - service messages, errors - D37 Struktura ICMPv4 zprávy Structure of ICMPv4 messages - message type, message code, whole packet checksum, additional fields according to type - always present, but might be empty - D38 Příklady ICMPv4 zprávy Examples of ICMPv4 messages - echo req 8, reply 0 - destination unreachable - network unreachable - host unreachable - port unreachable - time exceeded - ttl exceeded - fragment reassembly too slow - D39 
Protokol ARP ARP protocol - as universal as possible protocol for translation between network addresses and hardware addresses - D40 Struktura ARP zprávy Structure of ARP messages - hw addr type and length, protocol addr type and length, sender and target hardware and protocol address - D41 ARP dotazy a cachování ARP queries and cache - packet gets created without target hw address - target receives packet over broadcast, swaps addresses, adds own, sends back over unicast - reponses should be cached (routers longer than nodes) - D42 Reverzní ARP protokol Reverse ARP protocol - very old - not great - there has to be a server that replies in each network, ARP itself is L3 - D43 Protokol DHCP DHCP protocol - for assigning IP addreses, netmasks and other information to newcomers to the network - operates at L7, UDP ports 67 and 68 - D44 DHCP alokační strategie DHCP allocation strategies - static - preconfigured addreses by administrator given to devices automatically - automatic - addresses generated from pool, devices can keep them forever - dynamic - devices lease addresses for a limited time - D45 Chování DHCP klienta DHCP client behavior - allocation - when first coming to the network - reallocation - offering to change its address when needed - renewal - ½ of lease time, ask if we can keep the address - rebinding - .8 of lease time, ask new server if wee can keep address - release - the address is released back to the pool - D46 Rozdíly IPv6 oproti IPv4 Differences between IPv6 and IPv4 - larger addresses - no fragmentation on the way - higher minimum MTU - 1280 - QoS support - no header checksum - D47 Struktura IPv6 paketu Structure of IPv6 packets - header chain, last header points to "this is the last header" - optional body - D48 Položky IPv6 hlavičky IPv6 header fields - version (6) - flow identifier - next header field - src addr - dst addr - payload length - hop limit - traffic class for qos - D49 Koncept IPv6 toků Concept of IPv6 flows - identification of 
group of related packets (for QoS for instance) without the need for L4 information - D50 IPv6 rozšiřující hlavičky IPv6 extension headers - fragmentation - ? - D51 Principy IPv6 fragmentace Principles of IPv6 fragmentation - only sender fragments - fragmentation extension header - fragmentation may fragment some headers - D52 IPv6 Path MTU Discovery IPv6 Path MTU Discovery - same as v4, but ICMPv6 Packet Too Big also contains MTU that caused the problem - D53 Formát ICMPv6 zprávy Format of ICMPv6 messages - type, code, checksum, body
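Added example for C21/C23 (not part of these notes): what an access port and a trunk port do with the 802.1Q tag, and why the FCS has to be recomputed after inserting or removing it. The frame contents, MACs and VIDs are constructed; `trunk_forward` is a hypothetical helper modelling the allowed/native VID rule.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # Tag Protocol Identifier, as in C23

def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over dst..payload, transmitted least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Ingress on an access port: insert TPID + TCI after the source MAC.
    The old FCS no longer matches the bytes, so it is recomputed."""
    if not 0 < vid < 4095:  # 0 and 4095 are reserved 12-bit values
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit PCP, 1-bit DEI, 12-bit VID
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)

def parse_tag(frame: bytes):
    """Return (pcp, dei, vid), or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def strip_tag(frame: bytes) -> bytes:
    """Egress on an access port: drop the 4 tag bytes and recompute the FCS."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)

def fcs_ok(frame: bytes) -> bool:
    """Receiver-side check; a tag inserted without recomputing the FCS fails this."""
    return fcs(frame[:-4]) == frame[-4:]

def trunk_forward(frame: bytes, allowed_vids: set, native_vid: int):
    """Trunk port rule from C21 (hypothetical helper): untagged frames get the
    native VID, tagged frames pass only if their VID is allowed. Returns VID or None."""
    tag = parse_tag(frame)
    vid = native_vid if tag is None else tag[2]
    return vid if vid in allowed_vids else None
```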
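Added example for D02, D06, D18 and D19 (my code, not from these notes): the EUI-48 → EUI-64 insertion of FF:FE, the link-local address derived from a MAC, the IPv6 `::` compression rules and the multicast MAC mapping. The MAC and addresses used are constructed; the universal/local bit flip in `link_local_from_mac` comes from RFC 4291 and is not stated in the notes.

```python
def eui48_to_eui64(mac: str) -> bytes:
    """D02: insert FF:FE between the 3-byte OUI and the device-specific part."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("need a 48-bit address")
    return b[:3] + b"\xff\xfe" + b[3:]

def compress_ipv6(groups) -> str:
    """D18: drop leading zeros in every group and replace the longest run of
    zero groups (at least two; the first one on a tie) with '::'."""
    best_start, best_len, run_start = -1, 1, None
    for i, g in enumerate(list(groups) + [None]):  # None is a sentinel closing the last run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = ["%x" % g for g in groups]
    if best_start < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def link_local_from_mac(mac: str) -> str:
    """D19: fe80::/10 with a modified EUI-64 interface identifier. The
    universal/local bit of the first byte is flipped (RFC 4291; not in the notes)."""
    iid = bytearray(eui48_to_eui64(mac))
    iid[0] ^= 0x02
    groups = [0xFE80, 0, 0, 0] + [int.from_bytes(iid[i:i + 2], "big") for i in range(0, 8, 2)]
    return compress_ipv6(groups)

def ipv4_multicast_mac(ip: str) -> str:
    """D06: 01:00:5E (OUI 00:00:5E with the group bit set) followed by the low
    23 bits of the Class D address; 32 multicast addresses share one MAC."""
    a, b, c, d = (int(x) for x in ip.split("."))
    if a >> 4 != 0b1110:
        raise ValueError("not a Class D (224.0.0.0/4) address")
    return "01:00:5e:%02x:%02x:%02x" % (b & 0x7F, c, d)
```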
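Added example for D04, D08 and D09 (not the notes' own code): classful address classification, the netmask for a `/n` prefix, and a longest-prefix-match lookup that routes supernets and subnets independently of classes. Routing table entries and next-hop names are constructed.

```python
def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")

def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def ipv4_class(ip: str) -> str:
    """D04: the leading bits of the first byte decide the class."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

def netmask(prefix_len: int) -> int:
    """/24 -> 255.255.255.0; /0 -> 0.0.0.0 (the default route)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def parse_cidr(text: str):
    """'10.20.0.0/16' -> (network as int, 16). Without a slash the classful
    length (A /8, B /16, C /24) is used, as routers did before CIDR (D08)."""
    net, _, plen = text.partition("/")
    if plen:
        plen = int(plen)
    else:
        plen = {"A": 8, "B": 16, "C": 24}.get(ipv4_class(net))
        if plen is None:
            raise ValueError("no classful prefix for " + net)
    return ip_to_int(net) & netmask(plen), plen

def lookup(table, dst: str):
    """D09: longest-prefix match over (cidr, next_hop) pairs, independent of classes."""
    d, best = ip_to_int(dst), None
    for cidr, hop in table:
        net, plen = parse_cidr(cidr)
        if d & netmask(plen) == net and (best is None or plen > best[0]):
            best = (plen, hop)
    return None if best is None else best[1]
```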
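Added example for D13 to D16 (a constructed model, not any real translator's code): a toy PAT with one public address whose inbound filtering follows the four cone/symmetric variants, so the "implicit firewall" behaviour can be compared. All hosts, addresses and ports are made up.

```python
from itertools import count

class Pat:
    """Toy port-address translator with one public IP and the four binding
    policies of D15 (constructed model, not any real implementation)."""

    def __init__(self, public_ip: str, mode: str):
        if mode not in ("full", "ip_restricted", "port_restricted", "symmetric"):
            raise ValueError(mode)
        self.public_ip, self.mode = public_ip, mode
        self.ports = count(40000)   # public ports handed out in order
        self.bindings = {}          # binding key -> public port
        self.owner = {}             # public port -> private (ip, port)
        self.peers = {}             # public port -> set of contacted (ip, port)

    def _key(self, src, dst):
        # D13: a cone binds per private endpoint, symmetric NAT per (endpoint, destination)
        return (src, dst) if self.mode == "symmetric" else src

    def outbound(self, src, dst):
        """D14: the private src gets a public pair; remember whom it contacted."""
        key = self._key(src, dst)
        if key not in self.bindings:
            port = next(self.ports)
            self.bindings[key], self.owner[port], self.peers[port] = port, src, set()
        port = self.bindings[key]
        self.peers[port].add(dst)
        return self.public_ip, port

    def inbound(self, peer, pub_port):
        """Private endpoint an inbound packet is forwarded to, or None if the
        translator drops it (the 'implicit firewall' of D16)."""
        if pub_port not in self.owner:
            return None
        contacted = self.peers[pub_port]
        if self.mode == "full":
            allowed = True
        elif self.mode == "ip_restricted":
            allowed = any(ip == peer[0] for ip, _ in contacted)
        else:  # port_restricted and symmetric both require the exact (ip, port)
            allowed = peer in contacted
        return self.owner[pub_port] if allowed else None

def probe(mode: str) -> dict:
    """Constructed scenario: host A talks to server S:53; then S:53, S:80 and a
    stranger X try to reach A through the public pair."""
    nat = Pat("198.51.100.1", mode)
    a, s, x = ("10.0.0.5", 5000), ("203.0.113.10", 53), ("203.0.113.99", 9)
    _, port = nat.outbound(a, s)
    return {"same_peer": nat.inbound(s, port) == a,
            "other_port": nat.inbound((s[0], 80), port) == a,
            "stranger": nat.inbound(x, port) == a}
```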
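Added example for D27 and D32 to D34 (written for these notes, not taken from them): the one's-complement header checksum with its "adds up to 0" verification, router-side fragmentation that copies the header and recomputes length and checksum per fragment, and receiver-side reassembly that detects a gap or a missing last fragment. Addresses, identifier and payload are constructed; the header carries no options, so the non-copy option rule of D32 is not exercised.

```python
import struct

HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_checksum(header: bytes) -> int:
    """D27: one's-complement sum of 16-bit words, then complemented; no CRC."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def header_ok(header: bytes) -> bool:
    """Verification: the header including its stored checksum must sum to 0."""
    return ipv4_checksum(header) == 0

def build_header(src, dst, proto, payload_len, ident, flags=0, offset=0, ttl=64):
    """flags: bit 1 = DF, bit 0 = MF (D33); offset counts 8-byte units."""
    hdr = struct.pack(HDR, (4 << 4) | 5, 0, 20 + payload_len, ident,
                      (flags << 13) | offset, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def fragment(header, payload, mtu):
    """D32: copy the header, set MF/offset per piece, recompute length and
    checksum. Every fragment payload except the last is a multiple of 8 bytes."""
    _, _, _, ident, flags_off, ttl, proto, _, src, dst = struct.unpack(HDR, header[:20])
    if flags_off & 0x4000:
        raise ValueError("DF set: drop and send ICMP Fragmentation Needed instead")
    step = (mtu - 20) // 8 * 8
    out = []
    for pos in range(0, len(payload), step):
        chunk = payload[pos:pos + step]
        more = 1 if pos + step < len(payload) else 0
        out.append((build_header(src, dst, proto, len(chunk), ident, more, pos // 8, ttl), chunk))
    return out

def reassemble(fragments):
    """D34: order by offset and glue. A gap or a highest fragment with MF still
    set means the buffer would time out (ICMP Time Exceeded); returns None then."""
    pieces = sorted((struct.unpack("!H", h[6:8])[0] & 0x1FFF,
                     (struct.unpack("!H", h[6:8])[0] >> 13) & 1, data) for h, data in fragments)
    out = b""
    for off, _, data in pieces:
        if off * 8 != len(out):
            return None
        out += data
    return None if not pieces or pieces[-1][1] else out
```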