Page 1: internet protocols

Data and Computer Communications
Eighth Edition
by William Stallings

Lecture slides by Lawrie Brown

Chapter 18 – Internet Protocols

Page 2: internet protocols

Internet Protocols

The map of the London Underground, which can be seen inside every train, has been called a model of its kind, a work of art. It presents the underground network as a geometric grid. The tube lines do not, of course, lie at right angles to one another like the streets of Manhattan. Nor do they branch off at acute angles or form perfect oblongs.
—King Solomon's Carpet, Barbara Vine (Ruth Rendell)

Page 3: internet protocols

Protocol Functions
• have a small set of functions that form the basis of all protocols:
  • encapsulation
  • fragmentation and reassembly
  • connection control
  • ordered delivery
  • flow control
  • error control
  • addressing
  • multiplexing
  • transmission services

Page 4: internet protocols

Encapsulation
• data usually transferred in blocks called Protocol Data Units (PDUs)
• have three categories of control information:
  • address
  • error-detecting code
  • protocol control
• encapsulation is the addition of control information to data
• have many examples of PDUs in previous chapters
  • e.g. TFTP, HDLC, frame relay, ATM, AAL5, LLC, IEEE 802.3, IEEE 802.11

Page 5: internet protocols

Fragmentation and Reassembly
• a protocol exchanges data between two entities
• lower-level protocols may need to break data up into smaller blocks, called fragmentation, for various reasons:
  • network only accepts blocks of a certain size
  • more efficient error control and smaller retransmission units
  • fairer access to shared facilities
  • smaller buffers
• disadvantages:
  • more overhead, since each PDU carries a fixed amount of control information
  • more interrupts and processing time

Page 6: internet protocols

PDUs and Fragmentation (figure slide)

Page 7: internet protocols

Connection Control
• have connectionless data transfer, where each PDU is treated independently
• and connection-oriented data transfer, which involves a logical association, or connection, established between entities
  • preferred (even required) for lengthy data exchange or if protocol details are worked out dynamically
• three phases occur for connection-oriented transfer:
  • connection establishment
  • data transfer
  • connection termination

Page 8: internet protocols

Phases of Connection-Oriented Transfer (figure slide)

Page 9: internet protocols

Connection Establishment
• entities agree to exchange data
• typically, one station issues a connection request
  • may involve a central authority
• receiving entity accepts or rejects (simple)
• may include negotiation of syntax, semantics, and timing
  • both entities must use the same protocol
  • may allow optional features, which must be agreed

Page 10: internet protocols

Data Transfer and Termination
• both data and control information exchanged
• data flow and acknowledgements may be in one or both directions
• one side may send a termination request, or a central authority might terminate

Page 11: internet protocols

Sequencing
• used by many, but not all, connection-oriented protocols
  • e.g. HDLC, IEEE 802.11
• connection-oriented protocols include some way of identifying the connection
• have PDUs numbered sequentially
• each side tracks sequence numbers in and out
• to support three main functions:
  • ordered delivery
  • flow control
  • error control

Page 12: internet protocols

Ordered Delivery
• risk that PDUs may arrive out of order
• require that PDU order be maintained
• hence number PDUs sequentially
  • easy to reorder received PDUs
• use a finite sequence number field
  • numbers repeat modulo the maximum number
  • max sequence number must be greater than the max number of PDUs that could be outstanding

Page 13: internet protocols

TCP/IP Concepts (figure slide)

Page 14: internet protocols

Flow Control
• receiving entity limits amount / rate of data sent
• simplest protocol is stop-and-wait
• more efficient protocols use the concept of credit
  • amount of data that can be sent without acknowledgment
• must be implemented in several protocols:
  • network traffic control
  • buffer space
  • application overflow
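The sequencing, ordered-delivery and credit slides above describe one mechanism from three angles. The receiver below is an added example (not code from Stallings' book or slides) that ties them together: PDUs carry a sequence number that wraps modulo a small value, the receiver advertises a credit window, out-of-order PDUs are held and released in order, and the constructor enforces the slide's rule that the credit must be smaller than the modulus. The `Pdu` layout, the modulus of 8 and the credit of 4 are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pdu:
    seq: int      # sequence number, interpreted modulo the receiver's modulus
    data: bytes


class OrderedReceiver:
    """Receiver side of a sequenced, credit-controlled connection.

    Sequence numbers wrap modulo `modulus`.  `credit` is the number of PDUs
    the receiver is willing to accept beyond the next expected one without
    an acknowledgement.  The slides' rule is enforced in the constructor:
    the credit (maximum outstanding PDUs) must be smaller than the modulus,
    otherwise an old and a new PDU could carry the same number.
    """

    def __init__(self, modulus: int = 8, credit: int = 4) -> None:
        if not 0 < credit < modulus:
            raise ValueError("credit must be smaller than the sequence modulus")
        self.modulus = modulus
        self.credit = credit
        self.expected = 0                      # next in-order sequence number
        self.held: Dict[int, bytes] = {}       # out-of-order PDUs waiting
        self.delivered: List[bytes] = []       # what has gone up to the user

    def _in_window(self, seq: int) -> bool:
        # Distance from `expected` computed modulo, so wrap-around (7 -> 0) works.
        return (seq - self.expected) % self.modulus < self.credit

    def receive(self, pdu: Pdu) -> str:
        """Process one PDU; returns 'delivered', 'held', 'duplicate' or 'rejected'."""
        seq = pdu.seq % self.modulus
        if not self._in_window(seq):
            # Outside the credit window: an already-delivered duplicate or a
            # PDU the sender was not entitled to send yet.  Both are dropped.
            return "rejected"
        if seq != self.expected:
            if seq in self.held:
                return "duplicate"
            self.held[seq] = pdu.data
            return "held"
        self.delivered.append(pdu.data)
        self.expected = (self.expected + 1) % self.modulus
        # Release any consecutive PDUs that arrived early.
        while self.expected in self.held:
            self.delivered.append(self.held.pop(self.expected))
            self.expected = (self.expected + 1) % self.modulus
        return "delivered"

    def acknowledgement(self) -> Tuple[int, int]:
        """(next expected sequence number, credit) that would be sent back."""
        return self.expected, self.credit


def run(arrivals: List[int], modulus: int = 8, credit: int = 4) -> Tuple[List[str], List[int]]:
    """Feed PDUs in the given arrival order; return per-PDU outcomes and the
    delivered order.  Payloads are constructed as the decimal sequence number."""
    rx = OrderedReceiver(modulus, credit)
    outcomes = [rx.receive(Pdu(s, str(s).encode())) for s in arrivals]
    return outcomes, [int(d) for d in rx.delivered]


if __name__ == "__main__":
    # PDUs 1 and 2 swapped in transit; 7 arrives early; everything still
    # reaches the user in order.
    print(run([0, 2, 1, 3, 7, 4]))
```

With modulus 8 and credit 4, a PDU numbered 5 arriving when 1 is expected is rejected even though nothing is wrong with it: it lies outside the window the receiver granted. A late duplicate of 0 is rejected for the same reason, which is exactly why the window must be narrower than the numbering space.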

Page 15: internet protocols

Error Control
• to guard against loss or damage
• implemented as separate error detection and retransmission functions
  • sender inserts error-detecting code in PDU
  • receiver checks code on incoming PDU
  • if error, discard
  • if transmitter doesn't get acknowledgment in reasonable time, retransmit
• can use an error-correction code
  • enables receiver to detect and possibly correct errors
• performed at various protocol layers
• note: checksums and CRCs detect accidental corruption only; an attacker who changes the data can recompute them, so integrity against tampering needs a keyed mechanism such as the IPSec Authentication Header covered later

Page 16: internet protocols

Addressing
• addressing level
• addressing scope
• connection identifiers
• addressing mode

Page 17: internet protocols

Addressing Level
• level in architecture where entity is named
• have a unique address for each intermediate and end system
  • usually a network-level address to route PDUs
  • e.g. IP address or internet address
  • e.g. OSI network service access point (NSAP)
• at destination, data must be routed to some process
  • e.g. TCP/IP port
  • e.g. OSI service access point (SAP)

Page 18: internet protocols

Addressing Scope
• global address, which identifies a unique system
  • unambiguous: each global address refers to exactly one system
  • synonyms permitted: a system may have more than one global address
  • global applicability: enables the internet to route data between any two systems
• need a unique address for each interface on a network
  • MAC address on an IEEE 802 network, ATM host address
  • enables the network to route data units through the network
• scope is only relevant for network-level addresses
  • a port or SAP above the network level is unique within a system

Page 19: internet protocols

Connection Identifiers
• used by both entities for future transmissions
• advantages:
  • reduced overhead, since smaller than full addresses
  • routing using a fixed route tagged by connection ID
  • multiplexing of multiple connections
  • use of state information

Page 20: internet protocols

Addressing Mode
• an address usually refers to a single system: individual or unicast address
• can refer to more than one system, for multiple simultaneous recipients of data:
  • broadcast, for all entities within a domain
  • multicast, for a specific subset of entities

Page 21: internet protocols

Multiplexing
• multiple connections into a single system
  • e.g. frame relay can have multiple data link connections terminating in a single end system
  • e.g. multiple TCP connections to a given system
• upward multiplexing: multiple higher-level connections over a single lower-level connection
• downward multiplexing: a single higher-level connection built on multiple lower-level connections

Page 22: internet protocols

Transmission Services
• may have additional services to entities:
  • priority, on a connection basis or message basis
  • quality of service
    • e.g. minimum throughput or maximum delay threshold
  • security mechanisms, restricting access
• these depend on the underlying transmission system and lower-level entities

Page 23: internet protocols

Internetworking Terms
• communications network
• internet
• the Internet
• intranet
• End System (ES)
• Intermediate System (IS)
• bridge
• router

Page 24: internet protocols

Requirements of Internetworking
• link between networks
• routing and delivery of data between processes on different networks
• accounting services and status info
• independent of network architectures

Page 25: internet protocols

Network Architecture Features
• addressing
• packet size
• access mechanism
• timeouts
• error recovery
• status reporting
• routing
• user access control
• connection based or connectionless

Page 26: internet protocols

Architectural Approaches
• connection oriented: virtual circuit
• connectionless: datagram
  • PDUs routed independently from source ES to destination ES through routers and networks
  • share a common network layer protocol, e.g. IP
  • below that, have network access on each node

Page 27: internet protocols

Connectionless Internetworking
• advantages:
  • flexibility
  • robust
  • no unnecessary overhead
• unreliable:
  • not guaranteed delivery
  • not guaranteed order of delivery
    • packets can take different routes
  • reliability is the responsibility of the next layer up (e.g. TCP)

Page 28: internet protocols

IP Operation (figure slide)

Page 29: internet protocols

Design Issues
• routing
• datagram lifetime
• fragmentation and re-assembly
• error control
• flow control

Page 30: internet protocols

The Internet as a Network (figure slide)

Page 31: internet protocols

Routing
• ES / routers maintain routing tables
  • indicate next router to which datagram is sent
  • static
  • dynamic
• source routing
  • source specifies route to be followed
  • can be useful for security & priority
  • in practice most routers and hosts are configured to drop source-routed datagrams, because the option lets a sender choose a path that bypasses filtering and address-based access checks
• route recording

Page 32: internet protocols

Datagram Lifetime
• datagrams could loop indefinitely
  • consumes resources
  • transport protocol may need an upper bound on the lifetime of a datagram
• can mark datagram with lifetime
  • Time To Live field in IP
  • when lifetime expires, datagram discarded
  • simplest is hop count, or time count

Page 33: internet protocols

Fragmentation and Re-assembly
• may have different packet sizes on networks along path used by datagram
• issue of when to re-assemble:
  • at destination
    • packets get smaller as data traverses internet
  • intermediate re-assembly
    • need large buffers at routers
    • buffers may fill with fragments
    • all fragments must go through same router

Page 34: internet protocols

IP Fragmentation
• IP re-assembles at destination only
• uses fields in header:
  • Data Unit Identifier (ID)
    • uniquely identifies an end-system-originated datagram (source and destination addresses, protocol, and the Identification field)
  • Data length
    • length of user data in octets
  • Offset
    • position of fragment of user data in original datagram
    • in multiples of 64 bits (8 octets)
  • More flag
    • indicates that this is not the last fragment

Page 35: internet protocols

Fragmentation Example (figure slide)

Page 36: internet protocols

Dealing with Failure
• re-assembly may fail if some fragments get lost
• need to detect failure
• re-assembly timeout
  • assigned to first fragment to arrive
  • if timeout expires before all fragments arrive, discard partial data
• use packet lifetime (time to live in IP)
  • if time to live runs out, kill partial data
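The "IP Fragmentation" and "Dealing with Failure" slides together specify a small state machine. The code below is an added example, not from the book or slides: `fragment()` splits a payload to an MTU using 8-octet offset units and the More flag, and `Reassembler` reassembles at the destination only, starts the timer on the first fragment, discards partial data when it expires, and (an added defensive check the slides do not mention) drops a datagram whose fragments overlap with different content rather than guessing which copy is real. The `Fragment` record, the 30-second timer, the 48-octet MTU and the 100-octet payload are assumptions for the example; real IP keys the buffer on source, destination, protocol and Identification, here reduced to `ident`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    ident: int     # Identification: the same for every fragment of one datagram
    offset: int    # Fragment Offset: position of the data in the original, in 8-octet units
    more: bool     # More Fragments flag: False only on the last fragment
    data: bytes


def fragment(ident: int, payload: bytes, mtu: int, header_len: int = 20) -> List[Fragment]:
    """Split `payload` so that header + data of each fragment fits `mtu`.
    Every fragment but the last carries a multiple of 8 octets, because the
    offset field counts 8-octet units."""
    max_data = (mtu - header_len) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    out: List[Fragment] = []
    pos = 0
    while True:
        chunk = payload[pos:pos + max_data]
        last = pos + len(chunk) >= len(payload)
        out.append(Fragment(ident, pos // 8, not last, chunk))
        if last:
            return out
        pos += max_data


class Reassembler:
    """Destination-only reassembly with the slides' reassembly timer: it starts
    when the first fragment of a datagram arrives and, if it runs out before
    the datagram is complete, the partial data is discarded."""

    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout
        # ident -> {"first": arrival time, "frags": {offset: Fragment}, "total": length or None}
        self.pending: Dict[int, dict] = {}

    def expire(self, now: float) -> List[int]:
        """Drop every partial datagram whose reassembly timer has run out."""
        dead = [i for i, p in self.pending.items() if now - p["first"] > self.timeout]
        for i in dead:
            del self.pending[i]
        return dead

    def receive(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Return the reassembled datagram when it completes, else None."""
        self.expire(now)
        p = self.pending.setdefault(frag.ident, {"first": now, "frags": {}, "total": None})
        start, end = frag.offset * 8, frag.offset * 8 + len(frag.data)
        for f in p["frags"].values():
            s, e = f.offset * 8, f.offset * 8 + len(f.data)
            if start < e and s < end and f != frag:
                # Overlapping fragments with different content (added defensive
                # check): drop the whole datagram instead of choosing a copy.
                del self.pending[frag.ident]
                return None
        p["frags"][frag.offset] = frag
        if not frag.more:
            p["total"] = end                   # the last fragment fixes the datagram length
        total = p["total"]
        if total is None:
            return None
        # Once the total is known, any fragment reaching past it is inconsistent.
        if any(f.offset * 8 + len(f.data) > total for f in p["frags"].values()):
            del self.pending[frag.ident]
            return None
        pieces, covered = [], 0
        for off in sorted(p["frags"]):
            if off * 8 != covered:
                break                          # a gap: still waiting for a fragment
            pieces.append(p["frags"][off].data)
            covered += len(pieces[-1])
        if covered != total:
            return None
        del self.pending[frag.ident]
        return b"".join(pieces)


if __name__ == "__main__":
    # Constructed 100-octet payload over a 48-octet MTU: 24 data octets per
    # fragment, so four full fragments and a 4-octet tail, delivered in reverse.
    frags = fragment(0x1234, bytes(range(100)), mtu=48)
    rx = Reassembler(timeout=30.0)
    result = None
    for t, f in enumerate(reversed(frags)):
        result = rx.receive(f, now=float(t))
    print([f.offset for f in frags], result == bytes(range(100)))
```

The timer case is worth tracing: if the first fragment arrives at t=0 and the next only at t=31, `expire()` throws the first away, and the datagram can only complete once the lost fragment is retransmitted, which in IP means the whole datagram is resent by the transport layer above.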

Page 37: internet protocols

Error Control
• no guaranteed delivery
• router should attempt to inform source if packet discarded
  • source may modify transmission strategy
  • may inform higher layer protocol
  • need datagram identification
• see ICMP in next section

Page 38: internet protocols

Flow Control
• allows routers and/or stations to limit rate of incoming data
• limited in connectionless systems
• send flow control packets to request reduced flow
• see ICMP in next section

Page 39: internet protocols

Internet Protocol (IP) v4
• IP version 4
• defined in RFC 791
• part of TCP/IP suite
• two parts:
  • specification of interface with a higher layer
    • e.g. TCP
  • specification of actual protocol format and mechanisms
• will (eventually) be replaced by IPv6

Page 40: internet protocols

IP Services
• Primitives
  • functions to be performed
  • form of primitive implementation dependent
  • Send - request transmission of data unit
  • Deliver - notify user of arrival of data unit
• Parameters
  • used to pass data and control info

Page 41: internet protocols

IP Parameters
• source & destination addresses
• protocol
• type of service
• identification
• don't fragment indicator
• time to live
• data length
• option data
• user data

Page 42: internet protocols

IP Options
• security
• source routing
• route recording
• stream identification
• timestamping

Page 43: internet protocols

IPv4 Header (figure slide)

Page 44: internet protocols

Header Fields (1)
• Version
  • currently 4
  • IPv6 - see later
• Internet header length
  • in 32 bit words
  • including options
• DS/ECN (was type of service)
• total length
  • of datagram, in octets

Page 45: internet protocols

Header Fields (2)
• Identification
  • sequence number
  • identifies the datagram uniquely together with addresses / protocol
• Flags
  • More bit
  • Don't fragment
• Fragmentation offset
• Time to live
• Protocol
  • next higher layer to receive data field at destination

Page 46: internet protocols

Header Fields (3)
• Header checksum
  • reverified and recomputed at each router (the TTL changes at every hop)
  • 16 bit one's complement of the one's complement sum of all 16 bit words in the header
  • checksum field set to zero during calculation
  • covers the header only, not the data
• Source address
• Destination address
• Options
• Padding
  • to fill to a multiple of 32 bits long

Page 47: internet protocols

Data Field
• carries user data from next layer up
• integer multiple of 8 bits long (octet)
• max length of datagram (header plus data) is 65,535 octets

Page 48: internet protocols

IPv4 Address Formats (figure slide)

Page 49: internet protocols

IP Addresses - Class A
• start with binary 0
• all 0 reserved
• 01111111 (127) reserved for loopback
• range 1.x.x.x to 126.x.x.x
• all allocated

Page 50: internet protocols

IP Addresses - Class B
• start with binary 10
• range 128.x.x.x to 191.x.x.x
• second octet also included in network address
• 2^14 = 16,384 class B addresses
• all allocated

Page 51: internet protocols

IP Addresses - Class C
• start with binary 110
• range 192.x.x.x to 223.x.x.x
• second and third octet also part of network address
• 2^21 = 2,097,152 addresses
• nearly all allocated
• see IPv6
• note: classful allocation has since been replaced by variable-length prefixes (CIDR, RFC 4632); the first-octet ranges above describe the historical classes, but routing today is by prefix length

Page 52: internet protocols

Subnets and Subnet Masks
• allows arbitrary complexity of internetworked LANs within an organization
• insulates overall internet from growth of network numbers and routing complexity
• site looks to rest of internet like single network
• each LAN assigned a subnet number
• host portion of address partitioned into subnet number and host number
• local routers route within subnetted network
• subnet mask indicates which bits are subnet number and which are host number

Page 53: internet protocols

Subnet Mask Calculation

                                        Binary Representation                    Dotted Decimal
IP address                              11000000.11100100.00010001.00111001      192.228.17.57
Subnet mask                             11111111.11111111.11111111.11100000      255.255.255.224
Bitwise AND of address and mask
(resultant network/subnet number)       11000000.11100100.00010001.00100000      192.228.17.32
Subnet number                           11000000.11100100.00010001.001           1
Host number                             00000000.00000000.00000000.00011001      25
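The table above works one address by hand. The functions below, an added example rather than code from the slides, do the same calculation for any dotted address and contiguous mask, recovering the network/subnet number, the subnet number relative to the classful network, the host number and the broadcast address, and then make the forwarding decision the "Routing Using Subnets" slide depicts: a host delivers directly to a neighbour on its own subnet and hands everything else to its router. The classful split (8/16/24 bits) is derived from the first octet, as on the class slides; the peer addresses and the router address 192.228.17.33 used in the usage notes are constructed.

```python
from typing import Dict, Union


def dotted_to_int(addr: str) -> int:
    """'192.228.17.57' -> 32-bit integer; bytes() rejects octets above 255."""
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def int_to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def mask_from_prefix(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask: int) -> int:
    """Number of leading one bits; rejects masks whose ones are not contiguous."""
    ones = bin(mask).count("1")
    if mask_from_prefix(ones) != mask:
        raise ValueError("subnet mask must be a contiguous run of ones")
    return ones


def classful_prefix(addr_int: int) -> int:
    """Network part implied by the address class (first-octet rules)."""
    first = addr_int >> 24
    if first < 128:
        return 8          # class A
    if first < 192:
        return 16         # class B
    if first < 224:
        return 24         # class C
    raise ValueError("not a class A, B or C address")


def subnet_breakdown(addr: str, mask: str) -> Dict[str, Union[str, int]]:
    """Reproduce the slide's table: AND with the mask, then split the host
    portion into subnet number and host number."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    plen = prefix_from_mask(m)
    class_bits = classful_prefix(a)
    host_bits = 32 - plen
    subnet_bits = plen - class_bits
    if subnet_bits < 0:
        raise ValueError("mask is shorter than the classful network part")
    net = a & m
    host_mask = ~m & 0xFFFFFFFF
    return {
        "network_subnet": int_to_dotted(net),                              # 192.228.17.32
        "subnet_number": (net >> host_bits) & ((1 << subnet_bits) - 1),    # 1
        "host_number": a & host_mask,                                      # 25
        "broadcast": int_to_dotted(net | host_mask),
        "usable_hosts": max((1 << host_bits) - 2, 0),
        "prefix_length": plen,
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    m = dotted_to_int(mask)
    return (dotted_to_int(a) & m) == (dotted_to_int(b) & m)


def next_hop(src: str, dst: str, mask: str, default_router: str) -> str:
    """The decision a host on the subnetted LAN makes: deliver directly to a
    neighbour on its own subnet, otherwise hand the datagram to the router."""
    return "direct" if same_subnet(src, dst, mask) else default_router


if __name__ == "__main__":
    print(subnet_breakdown("192.228.17.57", "255.255.255.224"))
    print(next_hop("192.228.17.57", "192.228.17.70", "255.255.255.224", "192.228.17.33"))
```

With the slide's mask, 192.228.17.60 is on the same subnet as .57 (both AND to .32) while 192.228.17.70 ANDs to .64 and therefore goes via the router.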

Page 54: internet protocols

Routing Using Subnets (figure slide)

Page 55: internet protocols

ICMP
• Internet Control Message Protocol
• RFC 792 (get it and study it)
• transfer of (control) messages from routers and hosts to hosts
• feedback about problems
  • e.g. time to live expired
• encapsulated in IP datagram
  • hence not reliable

Page 56: internet protocols

ICMP Message Formats (figure slide)

Page 57: internet protocols

Common ICMP Messages
• destination unreachable
• time exceeded
• parameter problem
• source quench (since deprecated by RFC 6633; hosts must not send it and should ignore it)
• redirect
• echo & echo reply
• timestamp & timestamp reply
• address mask request & reply
• note: ICMP carries no authentication, so a host should act on a redirect only if it comes from its current first-hop router and matches a route it actually uses
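The "Header Fields" slides and the ICMP slides both depend on the same 16-bit one's complement checksum, so one added example serves both (it is not code from the slides or the book). It builds an IPv4 header and an ICMP Echo Request, parses them back, verifies the checksums the way a receiver does (a valid header sums to zero), and performs one router hop: verify, decrement TTL, recompute, or discard when the TTL would expire, which is the point at which ICMP Time Exceeded would be sent. The addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24) and the payload and identifiers are constructed.

```python
import struct
from typing import Dict, Optional


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's complement of the one's complement sum
    of all 16-bit words; an odd trailing octet is padded with a zero octet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


IPV4_FMT = "!BBHHHBBH4s4s"                  # the 20-octet header without options


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int,
                      ttl: int = 64, ident: int = 0, df: bool = True) -> bytes:
    ihl = 5                                  # header length in 32-bit words
    flags_frag = 0x4000 if df else 0         # DF flag set, fragment offset 0
    hdr = struct.pack(IPV4_FMT, (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident,
                      flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    # The checksum is computed with the checksum field itself set to zero.
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
        "identification": ident, "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        # A correct header (options included) sums to zero when the stored
        # checksum takes part in the calculation.
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
    }


def forward_hop(pkt: bytes) -> Optional[bytes]:
    """One router hop: verify the header checksum, decrement TTL, recompute.
    Returns None when the datagram must be discarded (bad checksum, or TTL
    would reach zero), which is when the router reports back with ICMP."""
    h = parse_ipv4_header(pkt)
    if not h["checksum_ok"] or h["ttl"] <= 1:
        return None
    ihl = h["ihl"]
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1                              # TTL is octet 8 of the header
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def build_icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP Echo Request (type 8, code 0); the checksum covers the whole message."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr + data)) + hdr[4:] + data


def parse_icmp(msg: bytes) -> Dict[str, object]:
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": typ, "code": code, "checksum": csum, "identifier": ident,
            "sequence": seq, "data": msg[8:], "checksum_ok": internet_checksum(msg) == 0}


def build_ping(src: str, dst: str, ttl: int) -> bytes:
    """Constructed Echo Request datagram (protocol 1 = ICMP)."""
    icmp = build_icmp_echo(ident=0x1234, seq=1, data=b"constructed ping payload")
    return build_ipv4_header(src, dst, len(icmp), proto=1, ttl=ttl, ident=0xABCD) + icmp


if __name__ == "__main__":
    pkt = build_ping("192.0.2.1", "198.51.100.7", ttl=2)
    h = parse_ipv4_header(pkt)
    print(h["checksum_ok"], h["total_length"], parse_icmp(pkt[h["ihl"]:])["type"])
    print(forward_hop(forward_hop(pkt)))   # second hop would drive TTL to zero -> None
```

Flipping a single bit anywhere in the header makes `checksum_ok` false, which is all the header checksum promises; it says nothing about the payload, and nothing about deliberate modification, since anyone who changes the header can recompute it.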

Page 58: internet protocols

Address Resolution Protocol (ARP)
• need MAC address to send to LAN host
  • manual
  • included in network address
  • use central directory
  • use address resolution protocol
• ARP (RFC 826) provides dynamic IP to Ethernet address mapping
  • source broadcasts ARP request
  • destination replies with ARP response
• note: ARP carries no authentication; a host accepts a reply from any station on the LAN, so the IP-to-MAC binding can only be trusted as far as the LAN itself, or must be protected by static entries or switch-level inspection of ARP traffic

Page 59: internet protocols

IP Versions
• IP v1-3 defined and replaced
• IP v4 - current version
• IP v5 - streams protocol
• IP v6 - replacement for IP v4
  • during development it was called IPng (IP Next Generation)

Page 60: internet protocols

Why Change IP?
• address space exhaustion
  • two level addressing (network and host) wastes space
  • network addresses used even if not connected
  • growth of networks and the Internet
  • extended use of TCP/IP
  • single address per host
• requirements for new types of service

Page 61: internet protocols

IPv6 RFCs
• RFC 1752 - Recommendations for the IP Next Generation Protocol
  • requirements
  • PDU formats
  • addressing, routing, security issues
• RFC 2460 - overall specification (since obsoleted by RFC 8200)
• RFC 2373 - addressing structure (since obsoleted by RFC 4291)
• many others

Page 62: internet protocols

IPv6 Enhancements
• expanded 128 bit address space
• improved option mechanism
  • most not examined by intermediate routers
• dynamic address assignment
• increased addressing flexibility
  • anycast & multicast
• support for resource allocation
  • labeled packet flows

Page 63: internet protocols

IPv6 PDU (Packet) Structure (figure slide)

Page 64: internet protocols

IPv6 Header (figure slide)

Page 65: internet protocols

IPv6 Flow Label
• related sequence of packets needing special handling
• identified by source & destination address + flow label
• router treats flow as sharing attributes
  • e.g. path, resource allocation, discard requirements, accounting, security
• may treat flows differently
  • buffer sizes, different forwarding precedence, different quality of service
• alternative to including all info in every header
• have requirements on flow label processing

Page 66: internet protocols

IPv6 Addresses
• 128 bits long
• assigned to interface
• single interface may have multiple unicast addresses
• three types of addresses:
  • unicast - single interface address
  • anycast - one of a set of interface addresses
  • multicast - all of a set of interfaces

Page 67: internet protocols

IPv6 Extension Headers (figure slide)

Page 68: internet protocols

Hop-by-Hop Options
• must be examined by every router
• if unknown, discard/forward handling is specified
• next header
• header extension length
• options:
  • Pad1
  • PadN
  • Jumbo payload
  • Router alert

Page 69: internet protocols

Fragmentation Header
• fragmentation only allowed at source
• no fragmentation at intermediate routers
• node must perform path MTU discovery to find the smallest MTU of the intermediate networks
• set source fragments to match that MTU
• otherwise limit to 1280 octets (the minimum MTU every IPv6 link must support)
• header includes:
  • fragment offset
  • more fragments bit
  • identification

Page 70: internet protocols

Routing Header
• list of one or more intermediate nodes to visit
• header includes:
  • Next Header
  • Header extension length
  • Routing type
  • Segments left
• Type 0 routing provides a list of addresses
  • initial destination address is first on the list
  • current destination address is the next on the list
  • final destination address will be the last in the list
  • note: Type 0 has since been deprecated by RFC 5095, because a packet could be bounced repeatedly between two routers listed in it (traffic amplification); conforming nodes drop it

Page 71: internet protocols

Destination Options Header
• carries optional info for destination node
• format same as hop-by-hop header
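The four extension header slides describe a chain linked by Next Header fields, and anything that filters IPv6 (a firewall, an IDS, the receiving host) has to walk that chain to reach the transport protocol. The code below is an added example, not from the slides or the book: it builds a packet carrying Hop-by-Hop, Routing (type 0) and Fragment headers ahead of a stand-in transport header, then walks the chain, handling the two sizes of header (the Fragment header is a fixed 8 octets; the others carry a Hdr Ext Len in 8-octet units that excludes the first 8), flagging a type 0 routing header (deprecated by RFC 5095), a non-first fragment (where no upper-layer header is present to inspect), and a truncated packet. The addresses use the 2001:db8::/32 documentation prefix and the waypoint and identifiers are constructed.

```python
import struct
from typing import Dict, List

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
EXTENSION_HEADERS = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
                     FRAGMENT: "Fragment", DEST_OPTS: "Destination Options"}
# version/traffic class/flow label, payload length, next header, hop limit, src, dst
IPV6_FMT = "!IHBB16s16s"
TCP = 6


def ipv6_base_header(src: bytes, dst: bytes, next_header: int, payload_len: int,
                     flow_label: int = 0, hop_limit: int = 64) -> bytes:
    return struct.pack(IPV6_FMT, (6 << 28) | (flow_label & 0xFFFFF), payload_len,
                       next_header, hop_limit, src, dst)


def hop_by_hop_header(next_header: int) -> bytes:
    """Minimal 8-octet Hop-by-Hop header (Hdr Ext Len 0) filled with one PadN option."""
    return struct.pack("!BBBB4s", next_header, 0, 1, 4, b"\x00" * 4)   # PadN: type 1, data length 4


def routing_header(next_header: int, routing_type: int, addresses: List[bytes]) -> bytes:
    """Routing header in the type 0 layout: Hdr Ext Len is 2 per 16-octet address."""
    return struct.pack("!BBBBI", next_header, 2 * len(addresses), routing_type,
                       len(addresses), 0) + b"".join(addresses)


def fragment_header(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    """Fixed 8 octets: the 13-bit offset (8-octet units) sits above two reserved bits and the M flag."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def walk_extension_headers(pkt: bytes) -> Dict[str, object]:
    """Follow the Next Header chain to the upper-layer protocol."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, nh, _, _, _ = struct.unpack(IPV6_FMT, pkt[:IPV6_HDR_LEN])
    end = min(len(pkt), IPV6_HDR_LEN + payload_len)
    pos, chain, warnings = IPV6_HDR_LEN, [], []
    truncated = {"chain": chain, "upper_layer": None, "upper_layer_offset": None, "warnings": warnings}
    while nh in EXTENSION_HEADERS:
        if pos + 8 > end:
            warnings.append("truncated extension header")
            return truncated
        if nh == FRAGMENT:
            length = 8                                       # Fragment header has a fixed size
            off_flags = struct.unpack("!H", pkt[pos + 2:pos + 4])[0]
            if off_flags >> 3:
                warnings.append("non-first fragment: upper-layer header is not in this packet")
        else:
            length = (pkt[pos + 1] + 1) * 8                  # Hdr Ext Len excludes the first 8 octets
            if nh == ROUTING and pkt[pos + 2] == 0:
                warnings.append("routing type 0 (deprecated by RFC 5095; must be dropped)")
        if pos + length > end:
            warnings.append("truncated extension header")
            return truncated
        chain.append(EXTENSION_HEADERS[nh])
        nh = pkt[pos]                                        # Next Header is always the first octet
        pos += length
    return {"chain": chain, "upper_layer": nh, "upper_layer_offset": pos, "warnings": warnings}


SRC = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01"   # 2001:db8::1 (documentation prefix)
DST = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02"   # 2001:db8::2
VIA = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x99"   # 2001:db8::99, constructed waypoint


def sample_packet(frag_offset: int = 0) -> bytes:
    """Constructed packet: Hop-by-Hop -> Routing (type 0) -> Fragment -> 20 zero octets standing in for TCP."""
    payload = (hop_by_hop_header(ROUTING) + routing_header(FRAGMENT, 0, [VIA])
               + fragment_header(TCP, frag_offset, False, 0x1234) + b"\x00" * 20)
    return ipv6_base_header(SRC, DST, HOP_BY_HOP, len(payload)) + payload


if __name__ == "__main__":
    print(walk_extension_headers(sample_packet()))
    print(walk_extension_headers(sample_packet(frag_offset=185))["warnings"])
```

The non-first-fragment warning is the practical one: a filter that matches on TCP ports will find no TCP header in such a packet at all, so a rule set must either reassemble or decide what to do with fragments it cannot classify.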

Page 72: internet protocols

Virtual Private Networks
• set of computers interconnected using an insecure network
  • e.g. linking corporate LANs over the Internet
• using encryption & special protocols to provide security
  • to stop eavesdropping & unauthorized users
• proprietary solutions are problematical
  • hence development of the IPSec standard

Page 73: internet protocols

IPSec
• RFC 1636 (1994) identified the security need
• encryption & authentication to be in IPv6
• but designed also for use with current IPv4
• applications needing security include:
  • branch office connectivity
  • remote access over Internet
  • extranet & intranet connectivity for partners
  • electronic commerce security

Page 74: internet protocols

IPSec Scenario (figure slide)

Page 75: internet protocols

IPSec Benefits
• provides strong security for external traffic
• resistant to bypass
• below transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users if needed

Page 76: internet protocols

IPSec Functions
• Authentication Header (AH)
  • for authentication only
• Encapsulating Security Payload (ESP)
  • for combined authentication/encryption
  • note: ESP with encryption but no integrity check is not recommended (RFC 4303); an active attacker can alter ciphertext undetected
• a key exchange function
  • manual or automated
• VPNs usually need the combined function
• see chapter 21

Page 77: internet protocols

Summary
• basic protocol functions
• internetworking principles
• connectionless internetworking
• IP
• IPv6
• IPSec

