Daily Learning: Computer Networks – Securing TCP/IP

There are 5 points to keep in mind while understanding security in TCP/IP –

  • Encryption – It’s the scrambling of data in such a manner that it can’t be read while in transit. At the receiving end the data must be descrambled again.
  • Integrity – It’s the guarantee that the data received is the same as what was originally sent.
  • Nonrepudiation – A person cannot deny that they took a specific action.
  • Authentication – It means that whoever is accessing the data is the person you want to access the data. A username & password is what usually defines the authentication.
  • Authorization – It means what an authenticated person is allowed to do with the data.

Encryption

A packet of data on the Internet often comes with a port number encapsulated in the segment or datagram, for example, so a bad guy quickly knows what type of data he’s reading. All data starts as cleartext, which roughly means the data hasn’t been encrypted yet.

Here comes encryption, and for that we use a cipher. A cipher is a general term for a way to encrypt data. An algorithm is the mathematical formula that underlies the cipher. When you run plaintext through a cipher algorithm using a key, you get the encrypted ciphertext.

Types of encryption –

  • Symmetric Encryption – It is an encryption algorithm which uses a single key to both encrypt and decrypt the data, so the key must be shared between the sender and the receiver. There are two major kinds of symmetric cipher –
    • Block cipher – It divides the data into blocks and encrypts each block, usually a 128-bit block.
    • Stream cipher – The algorithm encrypts each bit coming from a stream of bits.
  • Asymmetric Encryption – A major drawback of symmetric encryption is that if the shared key is tampered with or exposed then the communication is vulnerable. For that we use asymmetric encryption. Suppose there are two people, Alice & David, and David wants to send data to Alice. Alice creates a key pair of a public key and a private key. The public key is used for encryption and the private key is used for decryption. So Alice gives her public key to David, David encrypts the data with it and sends it to Alice, and Alice decrypts the data with the help of her private key.

Hash

  • It’s a mathematical function that we run on a string to get a fixed-length string (checksum or message digest).
  • The message digest will always be the same length regardless of the input string length.
  • The hash is a one-way function: we can’t get back the message from the hash.

Uses –

  • When we download any file from the internet, the download provider also provides a message digest of the file.
  • We first download the checksum and then download the file.
  • Then we compute the checksum of the downloaded file and compare it with the published checksum.
  • If the checksums don’t match then the data has been tampered with in the middle.
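The checksum check above, as an added example in Python (not part of the original notes): the file is hashed in chunks so a large download never has to fit in memory, the result is compared with the published digest in constant time, and a single flipped bit in a constructed sample file is caught. The file names and contents are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=64 * 1024):
    """Stream the file through SHA-256 in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest):
    """True when our digest equals the published one. compare_digest runs in
    constant time, so the comparison itself leaks nothing about the digest."""
    ours = sha256_of_file(path).lower()
    return hmac.compare_digest(ours, published_digest.strip().lower())


def demo():
    """Constructed sample: a 'downloaded' file, its published digest, and a
    copy with one bit flipped as a man-in-the-middle might do."""
    original = b"release-1.0.tar.gz contents (constructed sample data)\n"
    published = hashlib.sha256(original).hexdigest()   # what the provider posts
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "release.tar.gz"
        good.write_bytes(original)
        tampered = Path(d) / "release_tampered.tar.gz"
        tampered.write_bytes(bytes([original[0] ^ 0x01]) + original[1:])
        return verify_download(good, published), verify_download(tampered, published)


if __name__ == "__main__":
    print(demo())   # (True, False)
```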

Digital Signature

It is the proof that someone took some action in a network, and they can’t deny it.

  • First the sender hashes the message and encrypts the hash with the sender’s private key.
  • Then the sender sends the message and this signature to the receiver.
  • Then the receiver decrypts the signature with the help of the sender’s public key and hashes the received message itself.
  • If the hashes match then it’s proof that the sender sent the message.

SSH

The invention of SSH was heavily related to the telnet protocol, because telnet was completely unsecured: everything was transferred in plain text. Then Tatu Ylonen, a student at Helsinki University Of Technology, created another protocol called SSH after his network was breached because of telnet.

Working Principle

  • When a client wants to connect to the server for the first time, the server sends its public key to the client.
  • Then the client creates a session ID, encrypts it using the public key and sends it back to the server.
  • Then the server decrypts the session ID using its private key and uses it in all the data communication going forward.
  • Then the client and server decide the type of encryption to be used for the session (generally AES).

SSH can also use public keys for authentication, and then we can turn off password-based authentication.

Use Public/Private Key for authentication –

  • The client first generates a key pair using ssh-keygen.
  • Then the public key is sent to the server and the private key is kept safe on the client machine.
  • When you connect to the server, the client creates a signature using its private key and sends it to the server.
  • The server checks the signature using your public key, and if everything matches you are authenticated to the server.

Daily Learning: Computer Networks – Access Control Methods – CSMA(Carrier Sensing Multiple Access)/CD(Collision Detection)

Properties

  1. There can be multiple stations in a network.
  2. It senses whether the transmission line is busy or not. If it is not busy then it transmits the data.
  3. It will also sense for any type of collision while sending the data.

Persistence Methods

  1. 1-Persistent – It senses the medium continuously. When the medium is free it sends the packet immediately.
  2. Non-Persistent – It first senses the medium, then waits for a random amount of time, then senses again.
  3. P-Persistent – It first senses the medium continuously; when the medium is free it generates a random number and checks whether that number is less than the probability p. If it is, the host transmits the data.

CSMA

Vulnerable Time – It is the total propagation time Tp. Once the first bit of the packet reaches the end of the medium, every station has heard the transmission and no one else will transmit.

CSMA/CD

The Carrier Sense Multiple Access / Collision Detection protocol is used to detect a collision at the media access control (MAC) layer. Once a collision is detected, CSMA/CD immediately stops the transmission by sending a signal, so that the sender does not waste time sending the whole data packet. Suppose a collision is detected by a station while it is sending its packets. In that case CSMA/CD immediately sends a jam signal to stop the transmission and waits for a random amount of time before transmitting the data packet again. If the channel is then found free, it immediately sends the data.

It is used in the wired medium and used by Ethernet.

Minimum Transmission Time – Tt = 2 * Tp

CSMA/CA

CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance. It is a network protocol that tries to avoid a collision rather than allowing it to occur, and it does not deal with the recovery of packets after a collision. It is similar to the CSMA/CD protocol and operates in the media access control layer. In CSMA/CA, whenever a station wants to send a data frame on a channel, it checks whether the channel is in use. If the shared channel is busy, the station waits until the channel becomes idle. Hence, we can say that it reduces the chances of collisions and makes better use of the medium to send data packets more efficiently.

It is used in wireless interfaces.

  • Interframe Space (IFS) – Collisions are avoided by deferring transmission even if the channel is found idle. When an idle channel is found, the station does not send immediately; it waits for a period of time called the interframe space.
  • Contention Window – The time is divided into windows, and if signals collide then the station has to wait for the next window, whose size is 2^n [n = number of collisions]

Minimum amount of data – L ≥ 2 * Tp * B

Efficiency(η) = Tt / (C * 2 * Tp + Tt + Tp)

Back off Algorithm – Wt = K * Tslot [ K = 0 to 2^n – 1 ] [ n = collision number ]
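The CSMA/CD numbers above worked through in Python, as an added example that is not part of the original notes: the minimum frame length L ≥ 2·Tp·B (and the same rule solved for cable length), the efficiency formula, and the binary exponential backoff that picks K from 0 to 2^n − 1. Assumptions: the propagation speed is 2e8 m/s, C in the efficiency formula is taken as e (the textbook average number of contention slots), and the slot time is 2·Tp.

```python
import math
import random


def propagation_delay(distance_m, speed_mps=2e8):
    """Tp = d / v (v assumed 2e8 m/s, typical for copper)."""
    return distance_m / speed_mps


def min_frame_bits(tp, bandwidth_bps):
    """L >= 2 * Tp * B: the sender must still be transmitting when a collision
    at the far end of the cable gets back to it, i.e. Tt >= 2 * Tp."""
    return math.ceil(round(2 * tp * bandwidth_bps, 6))


def max_cable_length_m(frame_bits, bandwidth_bps, speed_mps=2e8):
    """The same rule solved for distance: d <= Tt * v / 2."""
    return frame_bits / bandwidth_bps * speed_mps / 2


def csmacd_efficiency(tt, tp, c=math.e):
    """eta = Tt / (C*2*Tp + Tt + Tp). C is the mean number of 2*Tp contention
    slots spent before a success; the textbook value e (~2.72) is assumed."""
    return tt / (c * 2 * tp + tt + tp)


def backoff_wait(n_collisions, slot_time, rng=random):
    """Binary exponential backoff after the n-th collision: K is drawn from
    0 .. 2^n - 1 and the station waits K slot times. Returns (K, seconds)."""
    k = rng.randint(0, 2 ** n_collisions - 1)
    return k, k * slot_time


def simulate_backoffs(n_collisions, slot_time, trials=1000, seed=1):
    """Draw many backoffs for one collision count and return (min K, max K),
    which shows the contention window doubling with every collision."""
    rng = random.Random(seed)
    ks = [backoff_wait(n_collisions, slot_time, rng)[0] for _ in range(trials)]
    return min(ks), max(ks)


if __name__ == "__main__":
    # Constructed example: 10 Mbps Ethernet over 2500 m of cable.
    tp = propagation_delay(2500)                   # 12.5 us
    print(min_frame_bits(tp, 10e6))                # 250 bits
    print(max_cable_length_m(512, 10e6))           # 5120 m for a 512-bit frame
    print(csmacd_efficiency(512 / 10e6, tp))       # ~0.389
    print(simulate_backoffs(3, 2 * tp))            # (0, 7): K in 0..2^3-1
```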

Daily Learning: Computer Networks – Access Control Methods – TDM, Polling, Token Passing, Aloha

Types of Communication Links

  • Point to Point Link
  • Broadcast Link – The connection is shared between all the stations.

Need Of Access Control

In a broadcast link, if all stations send data simultaneously then there will be collisions; that’s why we implement access control.

Types Of Access Control Method

1. TDM(Time Division Multiplexing) –

Divide the time into slots and assign each slot to one station.

Efficiency(η) = 1 / (1 + a) [ a = Tp / Tt ]

2. Polling –

Only when a station wants to transmit data do we give that station the chance to transmit.

Efficiency(η) = Tt / (Tpoll + Tt + Tp) [ Tt = Time taken for transmission, Tp = Time taken for propagation ]

3. Token passing-

Token – A token is a small message composed of a special bit pattern.

Ring Latency – It is the time taken by a bit to cover the entire ring and come back to the same point.

RL = d / v + N * b

[ d = length of the ring, v = velocity of data in ring, N = no. of stations in ring, b = time taken by each station to hold the bit before transmitting it (bit delay)]

Cycle Time – The time taken by the token to complete one revolution of the ring is known as cycle time.

Cycle Time = d / v + N * THT

[ d = length of the ring, v = velocity of data in ring, N = no. of stations in ring, THT = Token Holding Time ]

Strategies –

Delayed Token Reinsertion (DTR) –

The station keeps holding the token until the last bit of the data packet it transmitted completes a full revolution of the ring and comes back to it.

Working –

After a station acquires the token,

  • It transmits its data packet.
  • It holds the token until the data packet reaches back to it.
  • After the data packet reaches it, it discards the data packet as its journey is complete.
  • It releases the token.

Token Holding Time (THT) = Transmission delay + Ring Latency = Tt + Tp [ Tt = Transmission time, Tp = Propagation time ]

Ring Latency = Tp + N x bit delay = Tp [ bit delay = 0, so the N x bit delay term is 0 ]

Early Token Reinsertion (ETR) –

Station releases the token immediately after putting its data packet to be transmitted on the ring.

Token Holding Time (THT) = Transmission delay of data packet = Tt

4. Aloha

Rules –

  1. Any station can transmit data to a channel at any time.
  2. No carrier sensing.
  3. There is no collision detection.
  4. It re-transmits the data after some time (if the acknowledgement doesn’t come).

There are mainly two types of Aloha –

  • Pure Aloha –
    1. The total vulnerable time = 2 * Tfr [ Tfr = Average time required to send a packet ]
    2. Maximum throughput occurs when G = 1/2, that is 18.4%.
    3. Successful transmission of a data frame is S = G * e^(–2G).
  • Slotted Aloha – We divide the time into slots and a host can only send packets at the beginning of a slot. If a packet arrives later, it has to wait till the next slot.
    1. Maximum throughput occurs in slotted Aloha when G = 1, that is 37%.
    2. The probability of successfully transmitting the data frame in slotted Aloha is S = G * e^(–2G).
    3. The total vulnerable time required in slotted Aloha is Tfr.
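The Aloha throughput figures above, as an added Python example that is not part of the original notes: it evaluates the throughput curves, scans the offered load G numerically to locate the maxima (G = 1/2 giving 18.4% for pure Aloha, G = 1 giving 37% for slotted), and reports the vulnerable time. The slotted curve uses the standard expression S = G·e^(−G), which is the one that yields the 37% maximum at G = 1 quoted in the notes.

```python
import math


def pure_aloha_throughput(g):
    """S = G * e^(-2G): a frame succeeds only if no other frame starts in the
    2*Tfr vulnerable window around it."""
    return g * math.exp(-2 * g)


def slotted_aloha_throughput(g):
    """S = G * e^(-G): slots shrink the vulnerable window to Tfr.
    (Standard expression, assumed here; it gives the 37% peak at G = 1.)"""
    return g * math.exp(-g)


def vulnerable_time(tfr, slotted):
    """Seconds during which another station's start would cause a collision."""
    return tfr if slotted else 2 * tfr


def peak_throughput(throughput_fn, g_max=5.0, steps=5000):
    """Numerically scan the offered load G and return (best_G, best_S)."""
    best_g, best_s = 0.0, 0.0
    for i in range(1, steps + 1):
        g = g_max * i / steps
        s = throughput_fn(g)
        if s > best_s:
            best_g, best_s = g, s
    return best_g, best_s


def expected_attempts(g, slotted):
    """Mean transmissions per successful frame: G / S, i.e. 1 / P(success)."""
    s = slotted_aloha_throughput(g) if slotted else pure_aloha_throughput(g)
    return g / s


if __name__ == "__main__":
    print(peak_throughput(pure_aloha_throughput))     # (0.5, ~0.184)
    print(peak_throughput(slotted_aloha_throughput))  # (1.0, ~0.368)
    print(vulnerable_time(1e-3, slotted=False))       # 2 ms for 1 ms frames
```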


Daily Learning: Computer Networks – Sliding Window Protocol

Go Back N

If a packet is lost on the receiver side then the receiver discards the subsequent packets and the sender retransmits the entire window; that is, it goes back N and retransmits those packets.

  • Sender window size in Go Back N is N
  • Receiver Window size is always 1.
  • Acknowledgement –
    • Cumulative – One acknowledgement is used for many packets.
      • Adv – Traffic is low
      • Disadv – Reliability is low
    • Independent – One acknowledgement is used for one packet.
      • Adv – Reliability is high
      • Disadv – Traffic is high

Relationship Between Window Sizes and Sequence Numbers

Minimum sequence numbers required in GBN = N + 1

Bits required in GBN = log2(N + 1)

If the number of sequence numbers is N then the sender window size is N – 1 and the receiver window size is 1.

If the sequence number field is k bits then there are 2^k sequence numbers, the sender window size is 2^k – 1 and the receiver window size is 1.

Formula

  • Maximum window size = 1 + 2 * a [a=Tp/Tt]
  • Minimum sequence numbers required = 1 + 2 * a
  • Number of Bits in Sequence Number Field = log2(1+2a)

Selective Repeat


This protocol (SRP) is mostly identical to the GBN protocol, except that buffers are used at the receiver, and the sender and the receiver each maintain a window of size greater than 1. Here we only retransmit the lost packet, not the entire window.

  • Sender window size is greater than 1 (Ws > 1)
  • Receiver window size = sender window size (Wr == Ws)
  • Acknowledgements are independent. If bits in the packets are corrupted then SR will send a negative acknowledgement.

Note – If N is the size of the sequence number field in the header in bits, then we can have 2^N sequence numbers.

Window Size = min(1+2*a, 2^N)

| Property       | Stop & Wait | GBN      | SR       |
|----------------|-------------|----------|----------|
| Efficiency     | 1/(1+2a)    | N/(1+2a) | N/(1+2a) |
| Buffer         | 1+1         | N+1      | N+N      |
| Segment Number | 1+1         | N+1      | N+N      |
| Retransmission | 1           | N        | 1        |
| Bandwidth      | low         | high     | medium   |
| CPU            | low         | medium   | high     |
| Implementation | simple      | medium   | complex  |

Daily Learning: Computer Networks – Delay in Transmission & Flow Control & Stop and Wait

Delays

There are many types of delays –

  1. Transmission Delay – The time taken by the host to put the entire packet on the line is the transmission delay. If the first bit of the packet is put on the line at time t1 and the last bit of the packet is put on the line at time t2, then the transmission delay of the packet is (t2 – t1). We define transmission delay as Tt = L/B (L = Length of packet, B = Bandwidth).
  2. Propagation Delay – The time taken by a bit to travel from source to destination is the propagation delay. Tp = d/v (d = Distance from host to destination, v = velocity of the packet on the link)
  3. Queuing Delay – Packets arrive at the receiver and sit in a queue until they can be handled; that waiting time is called the queuing delay.
  4. Processing Delay – Packets are taken from the queue and given to the processor for processing; that time is called the processing delay.

Flow Control

Sometimes while sending data from sender to receiver the queue at the other end may be full, in which case the later packets will be discarded; to handle that we use the stop and wait protocol. Here we send a packet and the other end sends an acknowledgement; because of this there is some transmission delay and inefficiency.

Stop and Wait Automatic Repeat Request

  • ARQ (Automatic Repeat Request) – If a sender sends data and the packet is lost, then the receiver won’t send an acknowledgement at all and the system gets into a deadlock. In order to break the deadlock we use a timeout timer, and if no acknowledgement comes within that time we resend the packet.
  • Duplicate Packet Problem – If the acknowledgement is lost, the sender will again assume that the data is lost, resend the packet, and the receiver will process it again. To overcome this problem we add a sequence number to the data.
  • Missing Packet Problem – If the sender sends packet p1 and its acknowledgement A gets delayed, the sender sends p1 again and receives acknowledgement A; it then sends packet p2, which gets lost, but the other acknowledgement for p1 now arrives, so the sender thinks p2 was sent successfully. To solve this problem we use an acknowledgement number.
  • Sometimes the sender may send a lot of data and the receiver may not be capable of handling that much data.
  • So here the sender first sends one data packet and waits a particular time for the acknowledgement from the receiver.
  • If the acknowledgement comes within that time, good.
  • Otherwise the sender automatically resends the data.

Properties

  • When the receiver receives a packet it sends an acknowledgement for the next packet (not the packet that was received).
  • In this method there is only one packet on the channel at a time, so when a packet is sent successfully we can reuse the sequence number of that packet again.

Formulas

  • Total Time – Tt + 2 * Tp [Tt = Transmission time for data, Tp = Propagation time]
  • Efficiency(η) – 1 / (1 + 2a) [a = Tp / Tt]
  • Throughput or Effective Bandwidth or Bandwidth Utilization – η * B [η = Efficiency, B = bandwidth]
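The delay and efficiency formulas above (Tt = L/B, Tp = d/v, a = Tp/Tt, total time Tt + 2Tp, η = 1/(1+2a), throughput η·B) together with the sliding-window sizing from the earlier section (window 1 + 2a, GBN bits log2(N+1)), as an added Python example that is not part of the original notes. Assumptions: propagation speed 2e8 m/s, and the Selective Repeat bit count uses the standard rule Ws + Wr ≤ 2^k with Ws = Wr.

```python
import math


def transmission_delay(frame_bits, bandwidth_bps):
    """Tt = L / B: time to push the whole frame onto the line."""
    return frame_bits / bandwidth_bps


def propagation_delay(distance_m, speed_mps=2e8):
    """Tp = d / v: time for one bit to travel the link (v assumed 2e8 m/s)."""
    return distance_m / speed_mps


def ratio_a(frame_bits, bandwidth_bps, distance_m, speed_mps=2e8):
    """a = Tp / Tt, computed as one fraction so exact inputs give an exact ratio."""
    return (distance_m * bandwidth_bps) / (speed_mps * frame_bits)


def stop_and_wait(frame_bits, bandwidth_bps, distance_m, speed_mps=2e8):
    """Per-frame cycle time, efficiency and effective bandwidth for Stop & Wait."""
    tt = transmission_delay(frame_bits, bandwidth_bps)
    tp = propagation_delay(distance_m, speed_mps)
    a = ratio_a(frame_bits, bandwidth_bps, distance_m, speed_mps)
    eta = 1 / (1 + 2 * a)               # the link idles while the ack travels back
    return {"Tt": tt, "Tp": tp, "a": a,
            "total_time": tt + 2 * tp,   # send frame, wait for it to land, wait for ack
            "efficiency": eta,
            "throughput_bps": eta * bandwidth_bps}


def window_efficiency(window, a):
    """GBN / SR with window N: eta = N / (1 + 2a), capped at 1 once the pipe is full."""
    return min(1.0, window / (1 + 2 * a))


def sliding_window_sizing(frame_bits, bandwidth_bps, distance_m, speed_mps=2e8):
    """Window needed to keep the link busy for a whole round trip, and the
    sequence-number bits GBN and SR need for it."""
    a = ratio_a(frame_bits, bandwidth_bps, distance_m, speed_mps)
    window = math.ceil(round(1 + 2 * a, 6))      # frames in flight during Tt + 2Tp
    gbn_bits = math.ceil(math.log2(window + 1))  # GBN: Ws <= 2^k - 1 (Wr = 1)
    # SR needs Ws + Wr <= 2^k with Ws = Wr (standard rule, assumed here)
    sr_bits = math.ceil(math.log2(2 * window))
    return {"a": a, "window": window, "gbn_bits": gbn_bits, "sr_bits": sr_bits}


if __name__ == "__main__":
    # Constructed link: 1000-bit frames, 1 Mbps, 1000 km of cable (a = 5).
    print(stop_and_wait(1000, 1e6, 1e6))          # efficiency 1/11, 11 ms per frame
    print(sliding_window_sizing(1000, 1e6, 1e6))  # window 11, GBN 4 bits, SR 5 bits
```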

Daily Learning: Computer Networks – Supernetting or Aggregation

In the routing table there is an entry for every sub-network present in a network, and as the network grows the size of the routing table also grows. For this reason the router combines multiple networks to form a bigger network.

Rules

  1. IP addresses must be contiguous.
  2. All networks should be of the same size (and the size should be 2^n).
  3. The first network ID should be divisible by the size of the block (number of hosts).

Take the networks –

200.1.0.0
200.1.1.0
200.1.2.0
200.1.3.0

Let’s see whether these IP addresses can form a supernet or not. The answer is yes they can, because –

  1. All are contiguous.
  2. All networks are of the same size.
  3. The total number of hosts is 4 * 2^8, and the first IP address is divisible by it.

Supernet Mask

We put all 1 in the place of Network ID and all 0 in the place of Host ID.

      200.1.00000000.00000000
      200.1.00000001.00000000
      200.1.00000010.00000000
      200.1.00000011.00000000
------------------------------------
    255.255.11111100.00000000   Mask

Supernet Mask is - 255.255.252.0
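The three supernetting rules and the mask construction above, as an added Python example (not part of the original notes): the function checks contiguity, power-of-two size and alignment of the first network ID, reports which rule failed, and builds the supernet mask by putting 1s over the network part and 0s over the host part. The input networks are the four 200.1.x.0 blocks from the notes plus two constructed failing cases.

```python
def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def is_power_of_two(n):
    return n > 0 and n & (n - 1) == 0


def check_supernet(network_ids, hosts_per_network):
    """Apply the three rules. Returns (ok, reasons); reasons names each failed rule."""
    ints = sorted(ip_to_int(n) for n in network_ids)
    reasons = []
    # Rule 2: each member block is the same size and that size is 2^n
    if not is_power_of_two(hosts_per_network):
        reasons.append("block size is not a power of two")
    # Rule 1: contiguous, i.e. each network starts exactly where the previous one ends
    if any(ints[i + 1] - ints[i] != hosts_per_network for i in range(len(ints) - 1)):
        reasons.append("networks are not contiguous")
    # Rule 3: the first network ID is divisible by the size of the whole block
    total = len(ints) * hosts_per_network
    if not is_power_of_two(total):
        reasons.append("total size is not a power of two")
    elif ints[0] % total != 0:
        reasons.append("first network ID not divisible by block size")
    return (not reasons, reasons)


def supernet_mask(network_ids, hosts_per_network):
    """All 1s over the network ID, all 0s over the host ID. Returns (mask, prefix)."""
    total = len(network_ids) * hosts_per_network
    host_bits = total.bit_length() - 1          # total == 2^host_bits
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return int_to_ip(mask), 32 - host_bits


if __name__ == "__main__":
    nets = ["200.1.0.0", "200.1.1.0", "200.1.2.0", "200.1.3.0"]
    print(check_supernet(nets, 256))                     # (True, [])
    print(supernet_mask(nets, 256))                      # ('255.255.252.0', 22)
    print(check_supernet(["200.1.1.0", "200.1.2.0"], 256))   # constructed: misaligned
```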

Daily Learning: Computer Networks – Classless Inter Domain Routing(CIDR)

In classful representation every network used to get the same number of hosts depending on the class of the network. But that is a waste in many cases: if a user needs 2^14 hosts and buys a class B network then 49152 addresses are wasted. To counter this situation IANA came up with a new technique –

CIDR

It is also a 32-bit number, but it carries an extra number which represents the number of bits present in the block ID.

a.b.c.d/n
20.10.50.100/20

Here the number of Host present in the network is 2^(32-n) or here 2^12.

  • Rules
    1. All the IP addresses are contiguous, meaning there can’t be any fragmentation.
    2. Block size must be a power of 2 (2^n). If the block size is 2^5 then the Host ID will contain 5 bits and the Block ID will be 27 bits.
    3. The first IP address must be evenly divisible by the size of the block, meaning the least significant part (the Host ID) should always start with zeroes.
  • Check whether 100.1.2.32 to 100.1.2.47 is a valid IP address block or not?
    1. All the IP addresses are contiguous.
    2. Total number of IP addresses in the block = 16 = 2^4
    3. 1st IP address: 100.1.2.00100000. Since the Host ID contains the last 4 bits and all the least significant 4 bits are zero, the first IP address is evenly divisible by the size of the block.

Subnetting

Suppose our CIDR address is 20.30.40.10/25; that means the host ID is 7 bits: 20.30.40.00001010

So the network ID will be 20.30.40.00000000. Now if I want to divide the network into 2 parts I will need to use 1 bit from the host ID, so the total ID part is now 26 bits. 1st part: the starting address is 20.30.40.00000000 (20.30.40.0/26) & the direct broadcast address is 20.30.40.00111111 (20.30.40.63/26).

2nd part: the starting address is 20.30.40.01000000 (20.30.40.64/26) & the direct broadcast address is 20.30.40.01111111 (20.30.40.127/26). Similarly, if we wanted to divide the network into 4 parts, the ID part would be 27 bits.
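The CIDR block check (100.1.2.32 to 100.1.2.47) and the subnet split of 20.30.40.10/25 above, as an added Python example that is not part of the original notes. It applies the three rules directly on the address integers, cross-checks them with the standard library's ipaddress module (a valid block collapses to exactly one network), and lists each subnet's first address and direct broadcast address; the misaligned range 100.1.2.33 to 100.1.2.48 is a constructed failing case.

```python
import ipaddress


def block_rules(first_ip, last_ip):
    """Check a range against the CIDR rules. Contiguity (rule 1) is given by the
    range itself; rule 2 is a power-of-two size; rule 3 is an aligned first address."""
    lo = int(ipaddress.ip_address(first_ip))
    hi = int(ipaddress.ip_address(last_ip))
    size = hi - lo + 1
    power_of_two = size > 0 and size & (size - 1) == 0
    host_bits = size.bit_length() - 1 if power_of_two else None
    aligned = power_of_two and lo & (size - 1) == 0   # low host bits all zero
    return {"size": size, "power_of_two": power_of_two, "host_bits": host_bits,
            "aligned": aligned, "valid": power_of_two and aligned}


def as_cidr(first_ip, last_ip):
    """Collapse the range with the standard library; a valid block gives one network."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first_ip),
                                             ipaddress.ip_address(last_ip))
    return [str(n) for n in nets]


def hosts_in_block(prefix_len):
    """2^(32 - n) addresses in an a.b.c.d/n block."""
    return 2 ** (32 - prefix_len)


def split_network(cidr, parts):
    """Borrow log2(parts) host bits; list (subnet, first address, direct broadcast)."""
    if parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False zeroes the host bits
    borrowed = parts.bit_length() - 1
    return [(str(sub), str(sub.network_address), str(sub.broadcast_address))
            for sub in net.subnets(prefixlen_diff=borrowed)]


if __name__ == "__main__":
    print(block_rules("100.1.2.32", "100.1.2.47"))   # valid, 4 host bits
    print(as_cidr("100.1.2.32", "100.1.2.47"))       # ['100.1.2.32/28']
    print(as_cidr("100.1.2.33", "100.1.2.48"))       # constructed: several networks
    print(hosts_in_block(20))                        # 4096 == 2^12
    for row in split_network("20.30.40.10/25", 2):
        print(row)                                   # /26 halves: .0-.63 and .64-.127
```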

Daily Learning: Computer Networks – Casting & Subnet & Subnet Mask

Casting

Sending some data from one host to another host is called casting. There are three types of casting –

  1. Unicast – When we are sending a message from one host to one host. The packet consists of | data | Source Address | Destination Address |
  2. Broadcasting –
    1. Limited Broadcasting – When a host wants to send a packet to everyone in the same network it uses Limited Broadcasting. The packet consists of | data | Source Address | 255.255.255.255 |
    2. Direct Broadcasting – When we are sending a message from one host of one network to all the hosts of another network we use Directed Broadcasting. The packet consists of | data | Source Address | 20.255.255.255 | (the directed broadcast address of network 20.0.0.0, for example)
  3. Multicast – Transmitting data from one source host to a particular group of hosts that are interested in receiving the data is called Multicast. It is also called one-to-many transmission.

Subnet

When a bigger network is divided into sub-networks to maintain security, it is called subnetting.
In order to divide the network into two parts you need to select 1 bit from the 8 bits of the host ID part.

Suppose the network is a class C network with NID 193.1.2.0 and we divide it into two parts. Subnet 1 = we get the range 193.1.2.00000000 (193.1.2.0) – 193.1.2.01111111 (193.1.2.127). Here 193.1.2.0 is the subnet ID and 193.1.2.127 is the direct broadcast address. Subnet 2 = we get the range 193.1.2.10000000 (193.1.2.128) – 193.1.2.11111111 (193.1.2.255). Here 193.1.2.128 is the subnet ID and 193.1.2.255 is the direct broadcast address.

Subnet Mask

Suppose we divide a Class C network into 4 subnets. In order to identify which packet belongs to which network we use a subnet mask. It is a 32-bit number consisting of 0s & 1s: 1 = Network ID & Subnet ID, 0 = Host ID. So, for the IP address 200.1.2.30 the subnet mask is –

11111111.11111111.11111111.11000000 
or
255.255.255.192

So, to identify which IP belongs to which subnet, use a bitwise AND operation on the subnet mask and the IP address.

    11111111.11111111.11111111.11000000
&   11001000.00000001.00000010.00011110
-----------------------------------------------------
    11001000.00000001.00000010.00000000

The address belongs to subnet 1.

11001000.00000001.00000010.00000000 
or
200.1.2.0

Internally there is a routing table which helps forward the packet.

Note: In some cases the NID matches two entries; in that case the interface having the longest subnet mask (more 1’s) is selected.
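The subnet mask AND and the longest-mask rule above, as an added Python example that is not part of the original notes: it renders addresses in the dotted binary form used in the notes, ANDs 200.1.2.30 with 255.255.255.192 to get the subnet ID, works out which of the 4 subnets the address falls in, and selects the routing entry with the most 1 bits when several match. The routing table is constructed for the demo.

```python
def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(ip):
    """Dotted binary form, e.g. 11001000.00000001.00000010.00011110."""
    return ".".join(format((ip_to_int(ip) >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def mask_from_prefix(prefix_len):
    """prefix_len ones followed by zeros, as a dotted mask (26 -> 255.255.255.192)."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def network_of(ip, mask):
    """Bitwise AND of address and mask gives the subnet ID."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def subnet_number(ip, class_prefix, subnet_prefix):
    """1-based index of the subnet the address falls in when a /class_prefix
    network is cut into 2^(subnet_prefix - class_prefix) equal subnets."""
    borrowed = subnet_prefix - class_prefix
    return ((ip_to_int(ip) >> (32 - subnet_prefix)) & ((1 << borrowed) - 1)) + 1


def longest_prefix_match(dest_ip, routing_table):
    """Rows are (network, mask, interface). Every row whose network equals
    dest AND mask is a candidate; the one with the most 1 bits in its mask wins."""
    dest = ip_to_int(dest_ip)
    best_len, best_iface = -1, None
    for network, mask, iface in routing_table:
        m = ip_to_int(mask)
        if dest & m == ip_to_int(network) & m:
            ones = bin(m).count("1")
            if ones > best_len:
                best_len, best_iface = ones, iface
    return best_iface


if __name__ == "__main__":
    # Constructed routing table: the whole class C, one /26 of it, and a default route.
    table = [("200.1.2.0", "255.255.255.0", "eth0"),
             ("200.1.2.0", "255.255.255.192", "eth1"),
             ("0.0.0.0", "0.0.0.0", "eth2")]
    print(to_binary("200.1.2.30"))                                # the notes' binary form
    print(network_of("200.1.2.30", mask_from_prefix(26)))        # 200.1.2.0
    print(subnet_number("200.1.2.30", 24, 26))                   # subnet 1 of 4
    print(longest_prefix_match("200.1.2.30", table))             # eth1 (longest mask)
```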

Daily Learning: Computer Networks – IP Address & DNS

IP Address

When we type google.com in our web browser it is converted into an IP address, and then the request reaches the desired Google network, host and specific port to get the web page.

An IP address consists of two parts –

  1. Network ID
  2. Host ID

The size of IP address is 32 bit.

Generation

  • 1st Gen – In 1980 the IP address was divided into 8 bits of Network ID and 24 bits of Host ID, but as people started using computers more, the requirement grew.
  • Classful System – We divided the IP address into various classes –

For Class A we take the first bit, for Class B the first 2 bits, similarly for Class C the first 3 bits, and so on till Class E.

| Class   | Starts With | Network Bits            | Host Bits | Total Networks | Hosts per Network | Network Range |
|---------|-------------|-------------------------|-----------|----------------|-------------------|---------------|
| Class A | 0           | 1 + 7                   | 24        | 128            | 16M               | 1-126         |
| Class B | 10          | 2 + 14                  | 16        | 16K            | 65K               | 128-191       |
| Class C | 110         | 3 + 21                  | 8         | 2M             | 256               | 192-223       |
| Class D | 1110        | Reserved For Multicast  | N/A       | N/A            | N/A               | 224-239       |
| Class E | 1111        | Reserved For Experiment | N/A       | N/A            | N/A               | 240-255       |

What is dotted decimal representation?

If we divide the IP address into four parts (8 bits each), convert each 8 bits into decimal and put “.” in between, it is called dotted decimal representation, e.g. 127.0.0.1

Note : We can configure a total of (number of hosts – 2) per network.

  • Suppose we have a network 11.0.0.0 or 14.0.0.0. Whenever the host ID is all 0 it represents the network itself. That’s why we don’t use the first IP address as a valid IP address for a host.
  • 255.255.255.255 is assigned as the Limited Broadcast Address, so it can’t be assigned to any host.
  • 255 as the host ID is assigned as the Direct Broadcast Address, so it can’t be assigned to any host, e.g. (NID).255.255.255

DNS

What is DNS overhead?

To convert the domain name into an IP address we go to the DNS (Domain Name Service) server of the ISP (Internet Service Provider), and if it doesn’t know the IP then there are three hierarchical servers that help –

  1. Root Server
  2. TLD Server(Top Level Domain)
  3. Name Server

Actually we don’t do this every time we visit a website; after the conversion we store the IP address locally on our computer.

Daily Learning: Computer Networks – NAT(Network Address Translation)

In the past we used IPv4, which allows only a limited number of hosts to be given IP addresses. We use NAT to solve that problem.

Let’s see how it works –

  • First the ISP gives you a valid public IP address and that is set up in the router.
  • The router assigns a new private IP address to each new host that joins the network.
  • The private IP addresses are reserved, so no one else can connect to you.
  • When you send an Ethernet packet to the outside world, you first send the packet to the router; it translates the private IP to the public IP and then sends the packet on.
  • When a packet comes from the outside world it first comes to the router; the router translates the public IP to the private IP and then unicasts the packet to the host in the LAN.

Note – Your neighbor’s router-connected devices could have the same private IP addresses, but that won’t affect your network because the IPs are all private.
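The outbound and inbound translation steps above, as an added Python example that is not part of the original notes. It assumes the common port-based form of NAT (NAPT/PAT) so that several private hosts can share one public address: outbound packets get the public IP and a router-chosen port, the mapping is kept for the reply, and an inbound packet with no mapping is dropped, which is why hosts behind the router cannot be reached unsolicited. All addresses are constructed sample values.

```python
import ipaddress


class NatRouter:
    """One public IP shared by the LAN. Port-based translation (NAPT/PAT) is
    assumed so that many private hosts can share the single public address."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.outbound_map = {}   # (private_ip, private_port) -> public_port
        self.inbound_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: rewrite the private source to the public IP and a
        router-chosen port; the mapping is remembered for the reply."""
        if not ipaddress.ip_address(src_ip).is_private:
            raise ValueError("only private (reserved) LAN addresses are translated")
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> LAN: look the public port up and unicast to the host that
        opened the flow; None means there is no mapping and the packet is dropped."""
        target = self.inbound_map.get(dst_port)
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])


def demo():
    """Two LAN hosts using the same private source port talk to the same server."""
    nat = NatRouter("203.0.113.5")   # constructed public IP (documentation range)
    a = nat.outbound("192.168.1.10", 5555, "198.51.100.7", 443)
    b = nat.outbound("192.168.1.11", 5555, "198.51.100.7", 443)
    reply_a = nat.inbound("198.51.100.7", 443, a[1])           # mapped back to host .10
    unsolicited = nat.inbound("198.51.100.9", 31337, 40999)    # nobody opened this
    return a, b, reply_a, unsolicited


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```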