Copyright @ October 2007 by CS2105/OngGH

Module D: The Data Link Layer and Local Area Networks
(Part II - Local Area Networks or LANs)

D.6 LAN and Ethernet Technologies

• Two main classes of LAN technologies (in the 80s and 90s):
  see Figure 5.15 (p.488/[A]).

  – Ethernet LANs (or 802.3 LANs)

  – Token-passing technologies:
    Token-ring LANs
    FDDI networks (MANs and LANs)

• The IEEE and the data link layer:

  − IEEE initiated its development of LAN standards with an
    architectural model (defined in IEEE 802.1):
    see Figures 12.1 (p.363/[B]) and 13.2 (p.397/[B]).

  − dividing the OSI's data link layer into two sublayers:

    ♦ LLC (Logical Link Control) sublayer:
      encompasses several functions, including framing, flow
      control, and error control.
      can provide reliable packet transfer service.

    ♦ MAC (Media Access Control) sublayer:
      provides media access management protocols for accessing
      a shared medium.
      provides unreliable datagram service.

• Summary of IEEE Project 802 LAN Standards:
  see Figure 13.1 (p.396/[B]).

• 10-Mbps (standard) Ethernet/802.3 LANs:
  − a LAN protocol developed jointly by Xerox, Intel, and DEC at
    the Xerox PARC (Palo Alto Research Center) in the 1970s
    (based on the ALOHA network developed at the University of
    Hawaii).

  − IEEE 802.3 + 1-persistent CSMA/CD.
    (Ethernet CSMA/CD algorithm: see p.501−502/[A])

  − general format of an IEEE 802.3 frame:
    see Figures 5.22 (p.497/[A]), 13.4 (p.398/[B]) and
    13.5 (p.399/[B]).

    ♦ Preamble (8 bytes):
      Preamble field (7 identical octets, 10101010, for
      synchronization)
      Start Frame Delimiter field (1 byte: 10101011)

    ♦ Header (14 bytes):
      Destination address field (48-bit MAC address)
      Source address field (48-bit MAC address)
      Type/Length Count field

    ♦ Payload (46 to 1,500 bytes):
      Data field
      Pad field (dummy data that pads the Data field up to its
      minimum length)

    ♦ Trailer (4 bytes):
      FCS field

  − notations for IEEE 802.3 LANs:

  − physical and data link layer information:
    see Figures 5.20 (p.496/[A]), 5.21 (p.497/[A]), 5.23
    (p.499/[A]), 13.8, 13.9, 13.10 (p.403/[B]), 13.11
    (p.404/[B]) and 13.12 (p.405/[B]), and Table 13.1
    (p.405/[B]).

  − using baseband transmission and Manchester encoding.

  − network diameter (for 10Base5):

    ♦ the distance between the farthest two nodes.
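The frame layout above is easiest to understand by building and parsing one. The following is an added example (not from the slides or either textbook) that assembles the Header, Data, Pad and FCS fields, then checks a received frame the way a receiver or bridge does: runt/giant frames and frames whose CRC-32 does not match are dropped. The preamble and SFD are left out because the transmitter hardware adds them; the MAC addresses are constructed locally-administered values, and the FCS is stored in network byte order for simplicity (the bit-level transmission order of the CRC is not modelled).

```python
import struct
import zlib

# Constructed sample addresses (locally administered MACs, not real hosts)
DST_MAC = bytes.fromhex("020000000001")
SRC_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = 0x0800

HEADER_LEN = 14     # 6-byte destination + 6-byte source + 2-byte Type/Length
MIN_PAYLOAD = 46    # Data + Pad must reach this length
MAX_PAYLOAD = 1500
FCS_LEN = 4         # CRC-32 trailer


def build_frame(dst, src, type_or_len, data):
    """Header + Data + Pad + FCS. The 8-byte preamble/SFD is added by the
    transmitter hardware, so it is not part of the bytes built here."""
    if len(data) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    payload = data.ljust(MIN_PAYLOAD, b"\x00")          # Pad field: zero bytes up to 46
    header = struct.pack("!6s6sH", dst, src, type_or_len)
    fcs = zlib.crc32(header + payload) & 0xFFFFFFFF
    # FCS kept in network byte order here; the bit order in which the PHY
    # transmits the CRC is a physical-layer detail this example does not model.
    return header + payload + struct.pack("!I", fcs)


def parse_frame(frame):
    """Validate size and FCS and split the frame into its fields.
    Returns None for a runt, giant or corrupt frame (what a bridge discards)."""
    smallest = HEADER_LEN + MIN_PAYLOAD + FCS_LEN          # 64 bytes
    largest = HEADER_LEN + MAX_PAYLOAD + FCS_LEN           # 1518 bytes
    if not smallest <= len(frame) <= largest:
        return None
    body, fcs = frame[:-FCS_LEN], struct.unpack("!I", frame[-FCS_LEN:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return None
    dst, src, type_or_len = struct.unpack("!6s6sH", body[:HEADER_LEN])
    payload = body[HEADER_LEN:]
    if type_or_len <= MAX_PAYLOAD:
        # IEEE 802.3: the field is a length, so the Pad field can be stripped here
        kind, data = "length", payload[:type_or_len]
    else:
        # Ethernet II: the field is a Type (0x0800 IPv4, 0x0806 ARP, ...); the
        # padding is left for the upper-layer protocol to trim using its own length
        kind, data = "type", payload
    return {"dst": dst, "src": src, "type_or_len": type_or_len, "kind": kind, "data": data}


def corrupt(frame, index):
    """Flip one bit at byte offset `index` (simulates a transmission error)."""
    return frame[:index] + bytes([frame[index] ^ 0x01]) + frame[index + 1:]


if __name__ == "__main__":
    f = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, b"hello")
    print(len(f), parse_frame(f)["kind"], parse_frame(corrupt(f, 20)))
```

Note the two readings of the Type/Length field: a value of 1500 or less is an 802.3 length and lets the receiver strip the Pad field itself, while a Type value (such as 0x0806 for ARP) leaves the padding in place for the upper layer to discard.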
    ♦ no more than 5 segments of up to 500 m each, and no more
      than 4 repeaters (in the collision domain).

• Fast Ethernet (100-Mbps), Gigabit Ethernet, and Ten-Gigabit
  Ethernet LANs:
  see Figures 5.25 (p.505/[A]), 13.3 (p.398/[B]), 13.19 &
  13.20 (p.410/[B]), 13.22 (p.414/[B]), and 13.23
  (p.415/[B]).

  Various IEEE 802.3 specifications for the different variants of
  baseband Ethernet and their respective media:

D.7 ARP (Address Resolution Protocol)

• Address binding:

  − Given an IP address of a host, find its physical or hardware
    address; called Address Resolution (using ARP or Address
    Resolution Protocol).

  − Given a physical or hardware address of a host, find its IP
    address; called Reverse Address Resolution (using RARP or
    Reverse Address Resolution Protocol).

• ARP:
  see Figures 5.17 (p.492/[A]), 5.19 (p.494/[A]), 21.1
  (p.613/[B]), 21.2 (p.614/[B]), 21.3 (p.615/[B]), and 21.4
  (p.616/[B]).

  − operations (on the same physical network):
    ARP Request
    ARP Reply

  − ARP encapsulation and identification:
    e.g. On an Ethernet, the Type field in Ethernet frames
    carrying ARP messages must contain 0x0806.

  − ARP/RARP protocol format (28 bytes, used between IP and
    Ethernet):

  − ARP cache table:
    see Figure 5.18 (p.493/[A]).

    ♦ makes IP-to-physical address bindings efficient.

    ♦ an array of entries, each entry containing at least:
      State (e.g., pending, resolved, expired)
      Destination physical address
      Destination IP address
      TTL

• Proxy ARP (or Promiscuous ARP, or ARP Hack):
  see Figure 21.6 (p.617/[B]).

  − a router answers ARP requests intended for another by
    supplying its own physical address, and accepts
    responsibility for forwarding packets.

    e.g. one network address shared between two physical
    networks:

  − used in network security, mobile networking, etc.

D.8 HDLC and PPP

• HDLC (High-level Data Link Control) protocol:

  − published by ISO (ISO 33009, ISO 4335) for point-to-point
    and multi-drop links.

  − frame structure:
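The ARP Request/Reply exchange, the 28-byte ARP message format, the 0x0806 encapsulation and the cache table with State/TTL entries (all from D.7 above) fit together in one added example. This is example code written for these notes, not from the slides or textbooks: two hosts each own an ArpCache; a lookup of an unresolved IP creates a pending entry and returns a broadcast Request frame, the other host answers with a Reply, and the requester records the binding as resolved until its TTL expires. The MACs and IPs are constructed values, the 1200-second TTL is an assumed default, and the choice to accept only Replies that answer a pending Request is a defensive choice made for this example, not something the slide prescribes.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
UNKNOWN_MAC = b"\x00" * 6


def build_arp(op, sha, spa, tha, tpa):
    """28-byte ARP message for IPv4 (4-byte addresses) over Ethernet (6-byte addresses)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(msg):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, msg[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def encapsulate(src_mac, dst_mac, arp_msg):
    """Ethernet header whose Type field identifies ARP (0x0806); Pad/FCS omitted here."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP) + arp_msg


class ArpCache:
    """Cache table: each entry keeps state, destination physical address,
    destination IP address and a TTL (stored as an absolute expiry time)."""

    def __init__(self, my_mac, my_ip, ttl=1200):
        self.my_mac, self.my_ip, self.ttl = my_mac, my_ip, ttl
        self.table = {}           # ip -> {"state", "mac", "expires"}

    def lookup(self, ip, now):
        """Return (mac, frame): a resolved binding, or a broadcast ARP Request to send."""
        entry = self.table.get(ip)
        if entry and entry["state"] == "resolved":
            if now < entry["expires"]:
                return entry["mac"], None
            entry["state"] = "expired"          # TTL ran out: re-resolve before trusting it
        self.table[ip] = {"state": "pending", "mac": None, "expires": now + self.ttl}
        request = build_arp(OP_REQUEST, self.my_mac, self.my_ip, UNKNOWN_MAC, ip)
        return None, encapsulate(self.my_mac, BROADCAST, request)

    def on_frame(self, frame, now):
        """Handle an arriving ARP frame: answer Requests for our IP, learn from Replies."""
        dst, src, etype = struct.unpack("!6s6sH", frame[:14])
        if etype != ETHERTYPE_ARP:
            return None
        arp = parse_arp(frame[14:])
        if arp["op"] == OP_REQUEST and arp["tpa"] == self.my_ip:
            reply = build_arp(OP_REPLY, self.my_mac, self.my_ip, arp["sha"], arp["spa"])
            return encapsulate(self.my_mac, arp["sha"], reply)     # unicast back to the asker
        if arp["op"] == OP_REPLY and arp["tpa"] == self.my_ip:
            entry = self.table.get(arp["spa"])
            # Defensive choice for this example: only a Reply that answers our own
            # pending Request updates the table; unsolicited Replies are ignored.
            if entry and entry["state"] == "pending":
                self.table[arp["spa"]] = {"state": "resolved", "mac": arp["sha"],
                                          "expires": now + self.ttl}
        return None


if __name__ == "__main__":
    a = ArpCache(bytes.fromhex("020000000001"), bytes([10, 0, 0, 1]))
    b = ArpCache(bytes.fromhex("020000000002"), bytes([10, 0, 0, 2]))
    _, request = a.lookup(b.my_ip, now=0)
    a.on_frame(b.on_frame(request, now=0), now=1)
    print(a.table)
```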
• PPP (Point-to-Point Protocol):

  − a link-layer protocol operating over a point-to-point link,
    e.g., a serial dial-up (56K modem connection) telephone
    line, a SONET/SDH link, an X.25 connection, or an ISDN
    circuit.

  − using HDLC-like framing:
    see Figure 5.30 (p.516/[A]).

  − using byte stuffing to support data transparency:
    see Figure 5.31 (p.517/[A]).

D.9 Interconnection Devices

• Five categories of connecting devices:
  see Figure 15.1 (p.445/[B]).

• Passive hub:
  just a connector (part of the medium).

• Repeater or Hub:
  see Figures 15.2 (p.446/[B]), 15.3 (p.447/[B]), and 15.4
  (p.448/[B]).
    physical-layer device
    bits coming from one link go out all other links at the
    same rate
    no frame buffering
    no CSMA/CD at hub (adapters detect collisions)
    a regenerator (not an amplifier)
    connecting segments of a LAN

• Bridge and Layer-2 Switch:
  see Figures 5.24 (p.505/[A]), 5.26 (p.507/[A]), 5.27
  (p.508/[A]), 5.28 (p.509/[A]), 15.5 (p.448/[B]), and 15.6
  (p.450/[B]).
    link-layer device
    interconnecting LAN segments
    providing frame forwarding and filtering (based on the
    MAC-level addresses)
    discarding corrupt frames (based on CRC)
    plug-and-play and self-learning
    transparent (hosts are unaware of the presence of layer-2
    devices)

  e.g., bridged Ethernet, switched Ethernet:
  (increasing the bandwidth and separating the collision
  domains on an Ethernet LAN)
  see Figures 13.15 & 13.16 (p.407/[B]), and 13.17
  (p.408/[B]).

• Comparison of the typical features of popular interconnection
  devices:
  see Figure 5.29 (p.512/[A]) and Table 5.1 (p.513/[A]).
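The bridge/switch properties listed above (forwarding and filtering on MAC addresses, discarding corrupt frames, self-learning, transparency) are shown together in this added example of a learning bridge; it is illustrative code for these notes, not from the slides or textbooks. The bridge starts with an empty table, learns each source address on the port it arrived from, floods frames to unknown or broadcast destinations, filters frames whose destination is on the arrival port, and forgets bindings not refreshed within an ageing time (300 s is an assumed default). The test frames are constructed with a minimal header + data + CRC-32 layout and no padding.

```python
import struct
import zlib

BROADCAST = b"\xff" * 6


def make_frame(dst, src, data):
    """Constructed test frame: header + data + CRC-32 FCS (no Pad field, for brevity)."""
    body = struct.pack("!6s6sH", dst, src, len(data)) + data
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame):
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == struct.unpack("!I", frame[-4:])[0]


class LearningBridge:
    """Transparent, self-learning bridge/switch: the forwarding table is built
    only from the source addresses of frames seen on each port (plug-and-play,
    no configuration by the hosts or the administrator)."""

    def __init__(self, ports, ageing=300):
        self.ports = list(ports)
        self.ageing = ageing         # seconds before an unused entry is forgotten
        self.table = {}              # MAC -> (port, last_seen)

    def receive(self, in_port, frame, now):
        """Return the list of ports the frame is sent out on ([] means filtered)."""
        if len(frame) < 18 or not fcs_ok(frame):
            return []                # corrupt frame: discard, and learn nothing from it
        dst, src = frame[:6], frame[6:12]
        # self-learning: the sender is reachable through the port it arrived on
        self.table[src] = (in_port, now)
        # ageing: drop bindings not refreshed within the ageing time
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.ageing]
        for mac in stale:
            del self.table[mac]
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood: unknown or broadcast
        out_port = self.table[dst][0]
        if out_port == in_port:
            return []                # filter: destination is on the same segment
        return [out_port]            # forward on the learned port only


if __name__ == "__main__":
    A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    bridge = LearningBridge(ports=[1, 2, 3])
    print(bridge.receive(1, make_frame(B, A, b"hi"), now=0))    # flooded: [2, 3]
    print(bridge.receive(2, make_frame(A, B, b"re"), now=1))    # forwarded: [1]
```

Because a frame is only ever copied to the port where its destination was learned, two stations on the same segment never load the other segments, which is how bridging separates collision domains and raises usable bandwidth.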
Module E: Security in Data Communications and Networking

E.1 Network Security Services

• Recall - applying SS and CDMA to Physical & Link layers.

• Security services:
  see Figure 31.1 (p.961/[B]);
  providing confidentiality, integrity, authentication, and
  nonrepudiation of messages; and entity authentication.

• Techniques used:

  – for messages and entities:
    Cryptography (or Encryption/Decryption algorithms)
    MD (Message Digest) techniques
    MAC (Message Authentication Code) techniques
    DS (Digital Signature) schemes

    Note that:
    for entity authentication, password-based authentication
    and challenge-response authentication techniques are used
    (beyond the scope of CS2105).

  – for the Internet:
    Firewalls
    IPSec (IP Security protocols)
    SSL / TLS (Secure Sockets Layer / Transport Layer Security
    protocols)
    PGP (Pretty Good Privacy protocol)
    VPN (Virtual Private Network)

E.2 Cryptography

• Basis:
  see Figures 30.1 (p.931/[B]) and 8.2 (p.710/[A]).

  – the science and art of transforming messages to make them
    secure and immune to attacks.

  – using ciphers (to encrypt a plaintext by the sender and to
    decrypt a ciphertext by the receiver).

• Two Categories:
  see Figure 30.2 (p.932/[B]).

  – symmetric-key cryptography:
    see Figures 30.3 (p.933/[B]) and 30.5 (p.934/[B]).

    ♦ sharing a secret key, e.g. a session key.

    ♦ commonly used ciphers:
      Traditional ciphers (character-oriented)
      Simple modern ciphers (bit-oriented)
      Modern round ciphers (involving multiple rounds)
  – asymmetric-key cryptography:
    see Figures 30.4 (p.933/[B]) and 8.6 (p.718/[A]).

    ♦ using one private key and one public key.

    ♦ common algorithms:
      RSA (Rivest/Shamir/Adleman) algorithm
      Diffie-Hellman algorithm

• Examples to achieve message confidentiality or privacy:
  see Figures 31.2 (p.963/[B]) and 31.3 (p.964/[B]).

E.3 MD, MAC and DS

• MD:
  see Figures 31.4 (p.965/[B]) and 8.7 (p.724/[A]).

  – an electronic fingerprint generated from a message.

  – using a keyless hash function (e.g., SHA-1 or Secure Hash
    Algorithm 1) to generate a compressed image of the message
    (called a message digest or MDC – Modification Detection
    Code).

  – checking the integrity of the message:
    see Figure 31.5 (p.966/[B]).

• MAC:
  see Figures 31.9 (p.970/[B]) and 8.9 (p.726/[A]);
  using a keyed hash function (e.g., HMAC – Hashed MAC
  algorithm based on SHA-1 with a symmetric key) to create a
  compressed digest from the message.

• DS:

  – using an asymmetric-key system, but with the private and
    public keys of the sender.

  – two ways to achieve:

    (i) signing the document or message:
        easier but less efficient;
        see Figures 31.11 (p.973/[B]), 8.10 (p.728/[A]),
        8.11 (p.729/[A]) and 8.12 (p.730/[A]).

    (ii) signing the digest:
        see Figures 31.12 (p.974/[B]), 8.13 (p.732/[A])
        and 8.14 (p.733/[A]).

  – providing message integrity, authentication, and
    nonrepudiation.

E.4 Security at the IP Layer (IPSec)

• IP security:
  see Figure 32.2 (p.996/[B]).
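The three mechanisms of E.3 differ in what a receiver can conclude, and that is best seen side by side. The following added example (written for these notes; not from the slides, and the RSA part is a textbook toy, not a library routine) computes a keyless SHA-1 digest, an HMAC-SHA1 over a shared key, and a signature on the digest (variant (ii) above) with the sender's private key. The toy RSA modulus is the product of the Mersenne primes 2^89-1 and 2^107-1, chosen only so that a 160-bit digest fits below n; a real signature uses a 2048-bit or larger key and a padding scheme, which this example omits. The messages and the shared key are constructed sample values.

```python
import hashlib
import hmac


def message_digest(msg):
    """MD / MDC: keyless SHA-1 fingerprint of the message."""
    return hashlib.sha1(msg).digest()


def md_only_check(msg, digest):
    """Integrity check with a keyless digest: catches accidental corruption only,
    because whoever alters the message can recompute the digest as well."""
    return message_digest(msg) == digest


def message_auth_code(key, msg):
    """MAC: HMAC-SHA1 keyed with the shared symmetric key."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def mac_verify(key, msg, tag):
    return hmac.compare_digest(message_auth_code(key, msg), tag)


# Toy RSA key pair (constructed for the demo). Mersenne primes so that the
# modulus n (about 196 bits) exceeds the 160-bit SHA-1 digest being signed.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (requires Python 3.8+)


def sign_digest(msg, d=D, n=N):
    """DS variant (ii): hash the message, then sign the digest with the sender's private key."""
    h = int.from_bytes(message_digest(msg), "big")
    return pow(h, d, n)


def verify_signature(msg, sig, e=E, n=N):
    """Receiver recomputes the digest and compares it with the signature
    transformed by the sender's public key."""
    h = int.from_bytes(message_digest(msg), "big")
    return pow(sig, e, n) == h


def demo(msg=b"transfer 100 to alice", tampered=b"transfer 900 to alice", key=b"shared-secret"):
    """Constructed scenario: the receiver sees `tampered` in place of `msg`."""
    results = {}
    # MD alone: the modifier simply ships a fresh digest with the altered message
    results["md_check_fooled_by_recomputed_digest"] = md_only_check(tampered, message_digest(tampered))
    # MAC: without the key nobody can produce a valid tag for the altered message
    tag = message_auth_code(key, msg)
    results["mac_accepts_original"] = mac_verify(key, msg, tag)
    results["mac_rejects_tamper"] = not mac_verify(key, tampered, tag)
    # DS: anyone can verify with the public key, only the sender could have signed
    sig = sign_digest(msg)
    results["ds_accepts_original"] = verify_signature(msg, sig)
    results["ds_rejects_tamper"] = not verify_signature(tampered, sig)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The MAC and the signature both reject the altered message, but only the signature lets a third party settle who sent it: the MAC key is shared, so either party could have produced the tag, which is why nonrepudiation is listed under DS and not under MAC.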
  − a collection of protocols designed by the IETF to provide
    security for Internet packets at the network layer.

  − flexible and extensible (allowing endpoints to choose
    algorithms and parameters, such as key size).

• Two modes:

  − transport mode:
    see Figure 32.3a (p.997/[B]).

    ♦ protecting information delivered from the transport
      layer to the network layer.

    ♦ normally used when host-to-host or end-to-end protection
      of data is needed,
      see Figure 32.4 (p.997/[B]).

  − tunnel mode:
    see Figure 32.3b (p.997/[B]).

    ♦ protecting the whole IP packet with a new IP header.

    ♦ normally used between two routers, or between a host and
      a router, see Figure 32.5 (p.998/[B]).

• Two security protocols:
  IPSec AH (Authentication Header) protocol
  IPSec ESP (Encapsulating Security Payload) protocol

• IPSec AH protocol:

  − providing message integrity and message/source
    authentication.

  − using a separate AH (Authentication Header) to carry
    authentication information:

  − consisting of the following steps:
    see Figures 32.6 (p.999/[B]) and 8.30 (p.756/[A]).

    (1) Add Authentication Header to the payload and set
        Authentication Data field to zero.
    (2) Add Padding to make the total length even for a
        particular hashing algorithm.
    (3) Perform hashing based on the total packet, not
        including mutable header fields.
    (4) Insert Authentication Data (or digest) in AH.
    (5) Add the IP Header and set Protocol value to 51.

• IPSec ESP protocol:

  − providing message integrity, message/source
    authentication, and privacy.

  − consisting of the following steps:
    see Figures 32.7 (p.1000/[B]) and 8.31 (p.757/[A]).
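Steps (1) to (5) of the AH procedure are carried out below for a transport-mode IPv4 packet. This is an added example for these notes, not code from the slides or the textbooks: the Authentication Data is an HMAC-SHA1 truncated to 96 bits (the HMAC-SHA-1-96 of RFC 2404), the AH fields follow the RFC 2402 layout, and the mutable IPv4 fields zeroed before hashing are ToS, Flags/Fragment Offset, TTL and Header Checksum. With a 96-bit digest the AH is already a multiple of 32 bits, so step (2) needs no padding bytes here. The addresses, key and SPI are constructed values. A router along the path decrements the TTL, and the example shows that this does not invalidate the digest, whereas a change to the payload or to an immutable header field does.

```python
import hashlib
import hmac
import struct

PROTO_AH = 51
ICV_LEN = 12          # HMAC-SHA-1-96: HMAC-SHA1 truncated to 96 bits (RFC 2404)
AH_LEN = 12 + ICV_LEN  # fixed AH fields + Authentication Data = 24 bytes


def ip_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234):
    """20-byte IPv4 header. The checksum stays zero: it is mutable and is
    recomputed by every hop, so AH never covers it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl, proto, 0, src, dst)


def immutable_view(hdr):
    """Step (3): zero the mutable fields (ToS, Flags/Frag offset, TTL, checksum)
    so that the hash covers only what must not change in transit."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(spi, seq, next_header, icv):
    """AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence, ICV."""
    payload_len = AH_LEN // 4 - 2          # 24 bytes -> 4
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_protect(key, src, dst, next_header, payload, spi=0x1000, seq=1):
    """Steps (1)-(5) for transport mode: AH sits between the IP header and the payload."""
    hdr = ip_header(src, dst, PROTO_AH, 20 + AH_LEN + len(payload))        # (5) Protocol = 51
    ah_zero = ah_header(spi, seq, next_header, b"\x00" * ICV_LEN)          # (1) ICV field zeroed
    # (2) no padding needed: AH_LEN is already a multiple of 4 bytes
    to_hash = immutable_view(hdr) + ah_zero + payload                       # (3) hash input
    icv = hmac.new(key, to_hash, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ah_header(spi, seq, next_header, icv) + payload            # (4) ICV inserted


def ah_verify(key, packet):
    """Receiver repeats steps (1)-(3) with the received ICV zeroed and compares."""
    hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    if len(hdr) < 20 or hdr[9] != PROTO_AH or len(ah) != AH_LEN:
        return False
    received_icv = ah[12:]
    to_hash = immutable_view(hdr) + ah[:12] + b"\x00" * ICV_LEN + payload
    expected = hmac.new(key, to_hash, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, received_icv)


def forward_one_hop(packet):
    """What a router does on the way: decrement TTL (a mutable field)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def flip_byte(packet, index):
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


if __name__ == "__main__":
    key = b"constructed-20-byte-k"
    pkt = ah_protect(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6, b"TCP segment")
    print(ah_verify(key, forward_one_hop(pkt)), ah_verify(key, flip_byte(pkt, len(pkt) - 1)))
```

Note what AH does and does not give: integrity and source authentication over the header and payload, but the payload travels in clear, which is why ESP is needed for privacy.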
    (1) Add ESP Trailer to the payload.
    (2) Encrypt the payload and ESP Trailer.
    (3) Add ESP Header (between IP and TCP Headers).
    (4) Create authentication data using ESP Header,
        encrypted payload and ESP Trailer.
    (5) Append ESP Auth to ESP Trailer.
    (6) Add the IP Header and set Protocol value to 50.

• Tunneled versions:
  AH –
  ESP –

• IPSec security algorithms:

E.5 Firewalls

• Internet firewalls:
  see Figures 32.22 (p.1022/[B]) and 8.35 (p.764/[A]).

  − a router installed between the internal network of an
    organization and the global Internet for access control.

  − designed to forward some packets and filter others.

• Two popular commercial implementations:

  (i) Packet-filtering firewall:
      see Figure 32.23 (p.1022/[B]), Tables 8.4 (p.766/[A])
      and 8.5 (p.767/[A]).

      − blocking or forwarding packets based on information
        in the network layer and transport layer headers.

      − filtering before packet routing.

      e.g., in Figure 32.23 (p.1022/[B]):
      Interface 1: Incoming packets from network 131.34.0.0;
                   destined for any internal TELNET server; and
                   destined for internal host 194.78.20.8 are
                   blocked.
      Interface 2: Outgoing packets destined for any HTTP
                   server are blocked.

  (ii) Proxy firewall:
      see Figure 32.24 (p.1023/[B]).

      − also known as a proxy computer, or an application
        gateway.
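The four rules quoted from Figure 32.23 are enough to build a working packet filter, which is what this added example does (written for these notes, not code from the slides or textbooks). Each rule matches on the interface, direction and the network/transport header fields the slide names; None is a wildcard and the first matching rule decides. The slide gives "network 131.34.0.0" without a mask, so a /16 is assumed, and TELNET and HTTP are taken as TCP ports 23 and 80. The sample packets use documentation addresses and are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: int        # router interface: 1 = Internet side, 2 = internal side (as in the figure)
    direction: str    # "in" (arriving on iface) or "out" (leaving through iface)
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


# One rule per line of the slide's example; None is a wildcard.
RULES = [
    # iface, dir,   source network,   destination host,  proto, dport, action
    (1, "in",  "131.34.0.0/16", None,          None,  None, "block"),   # /16 assumed
    (1, "in",  None,            None,          "tcp", 23,   "block"),   # any internal TELNET server
    (1, "in",  None,            "194.78.20.8", None,  None, "block"),   # one internal host
    (2, "out", None,            None,          "tcp", 80,   "block"),   # any HTTP server
]


def matches(rule, pkt):
    """True if every non-wildcard field of the rule agrees with the packet headers."""
    iface, direction, src_net, dst_host, proto, dport, _ = rule
    if (iface, direction) != (pkt.iface, pkt.direction):
        return False
    if src_net is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_net):
        return False
    if dst_host is not None and ipaddress.ip_address(pkt.dst) != ipaddress.ip_address(dst_host):
        return False
    if proto is not None and pkt.proto != proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    return True


def decide(pkt, rules=RULES, default="forward"):
    """First matching rule wins. The figure lists only what is blocked, so the
    default here is forward; a table you write yourself is safer default-deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[-1]
    return default


# Constructed sample traffic (RFC 5737 documentation addresses on the Internet side)
SAMPLE = [
    Packet(1, "in",  "131.34.5.9",  "194.78.20.3", "tcp", 25),
    Packet(1, "in",  "203.0.113.4", "194.78.20.3", "tcp", 23),
    Packet(1, "in",  "203.0.113.4", "194.78.20.8", "udp", 53),
    Packet(1, "in",  "203.0.113.4", "194.78.20.3", "tcp", 25),
    Packet(2, "out", "194.78.20.3", "203.0.113.4", "tcp", 80),
    Packet(2, "out", "194.78.20.3", "203.0.113.4", "tcp", 443),
]


def run_filter(packets=SAMPLE, rules=RULES):
    """Apply the table to each packet before routing; returns (packet, action) pairs."""
    return [(p, decide(p, rules)) for p in packets]


if __name__ == "__main__":
    for p, action in run_filter():
        print(f"{action:8} if{p.iface} {p.direction:3} {p.src} -> {p.dst} {p.proto}/{p.dport}")
```

The filter looks only at addresses and ports, so it cannot tell a TELNET session from any other traffic that happens to use port 23; that limitation is what the proxy firewall in (ii) addresses by working at the application level.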
      − providing protection at the application level.

      − custom-written application programs acting as both
        client and server, and serving as proxies to the actual
        applications.

E.6 Other Internet Security Technologies

• ssh (secure shell)

  − an application layer protocol (similar to TELNET) to
    support encryption of remote login (e.g., SSH Secure Shell
    Client on Windows).

• PGP (Pretty Good Privacy)

  − a cryptographic system developed at MIT.

  − encrypting data before transmission.

• SSL (Secure Sockets Layer)

  − a security protocol designed by Netscape to provide
    security on the WWW, but not formally adopted by the IETF
    (a de facto standard).

  − residing at the same layer as the socket API (Application
    Program Interface for internet communications).

  − consisting of a Handshake protocol (for negotiating
    security, authenticating the server to the browser) and a
    Data Exchange protocol (using a secret key to encrypt
    data).

• IDS (Intrusion Detection System)

  − monitoring all arriving packets and notifying the site
    administrator if a security violation is detected (e.g.,
    detecting attacks such as port scanning, SYN flood, etc.).

• RADIUS (Remote Authentication Dial-In User Service)

  − a protocol used to provide centralized authentication,
    authorization, and accounting.

  − used by ISPs (for dialup users, and VPN systems).

• WEP (Wired Equivalent Privacy)

  − a Wi-Fi wireless LAN standard.

  − using an RC4 40-bit stream cipher to encrypt data and a
    32-bit CRC to verify it.

  − replaced by WPA (Wi-Fi Protected Access).
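The IDS entry names port scanning and SYN flood as example violations; the added example below (written for these notes, not from the slides or textbooks) shows the kind of sliding-window counting a simple IDS does on arriving packet summaries. A source that touches at least scan_threshold distinct ports on one host within the window is reported as a port scan, and a host that receives at least syn_threshold bare SYNs within the window is reported as a SYN flood; each incident is reported once. The thresholds, the 10-second window and all addresses are constructed values chosen for the demo and would be tuned for a real network.

```python
from collections import defaultdict, deque


class SimpleIDS:
    """Sliding-window detectors for two of the attacks named on the slide:
    a port scan (one source probing many ports on one host) and a SYN flood
    (many connection attempts to one host in a short time)."""

    def __init__(self, window=10.0, scan_threshold=10, syn_threshold=100):
        self.window = window                  # seconds of history kept per key
        self.scan_threshold = scan_threshold  # distinct ports from one src to one dst
        self.syn_threshold = syn_threshold    # bare SYNs to one dst inside the window
        self.port_hist = defaultdict(deque)   # (src, dst) -> deque of (t, dport)
        self.syn_hist = defaultdict(deque)    # dst -> deque of (t,)
        self.fired = set()                    # incidents already reported once
        self.alerts = []

    def _prune(self, q, now):
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, t, src, dst, dport, flags):
        """Feed one TCP packet summary; flags is 'S' (SYN), 'SA' (SYN-ACK) or 'A' (ACK).
        Returns the alerts this packet raised; a deployment would notify the
        site administrator from here."""
        raised = []
        hist = self.port_hist[(src, dst)]
        hist.append((t, dport))
        self._prune(hist, t)
        distinct = len({p for _, p in hist})
        if distinct >= self.scan_threshold and ("scan", src, dst) not in self.fired:
            self.fired.add(("scan", src, dst))
            raised.append(f"port scan: {src} -> {dst} ({distinct} ports in {self.window}s)")
        if flags == "S":                      # SYN without ACK: a new half-open attempt
            syns = self.syn_hist[dst]
            syns.append((t,))
            self._prune(syns, t)
            if len(syns) >= self.syn_threshold and ("synflood", dst) not in self.fired:
                self.fired.add(("synflood", dst))
                raised.append(f"SYN flood: {dst} ({len(syns)} SYNs in {self.window}s)")
        self.alerts.extend(raised)
        return raised


def run_demo():
    """Constructed traffic: one scan, one flood, and a normal three-way handshake."""
    ids = SimpleIDS()
    for port in range(1, 21):                               # 20 ports probed within 2 s
        ids.observe(0.1 * port, "198.51.100.7", "192.0.2.10", port, "S")
    for i in range(150):                                    # 150 bare SYNs within 1.5 s
        ids.observe(10.0 + 0.01 * i, f"203.0.113.{i % 250}", "192.0.2.20", 80, "S")
    ids.observe(30.0, "192.0.2.30", "192.0.2.10", 443, "S")   # ordinary connection
    ids.observe(30.1, "192.0.2.10", "192.0.2.30", 443, "SA")
    ids.observe(30.2, "192.0.2.30", "192.0.2.10", 443, "A")
    return ids.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Counting alone produces false positives on busy hosts, which is why the window and thresholds are parameters; a production IDS would also pair SYNs with the ACKs that complete them rather than counting SYNs by themselves.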
