3. The Network Layer
3.1. Internetworking
In this section we will take a look at the issues that arise when two or more networks are connected together to form an internet.
Many network types are in operation today, and this trend seems likely to continue in the future. An example of the interconnection of different networks is shown in Fig. 5-33.
Fig. 5-33. Network interconnection.
At the junction between two networks that have to be interconnected, a "black box" has to be inserted to handle the necessary conversions as packets move from one network to the other. The name used for the black box depends on the layer that does the work. Although there is not much agreement on terminology in this area, the following names are usually used:
Layer 1: Repeaters copy individual bits between cable segments. They are used just to amplify or regenerate weak signals.
Layer 2: Bridges store and forward data link frames between LANs. A bridge accepts an entire frame and passes it up to the data link layer where the checksum is verified. Then the frame is sent down to the physical layer for forwarding on a different network.
Layer 3: Multiprotocol routers forward packets between dissimilar networks. They operate at the network layer.
Layer 4: Transport gateways connect byte streams in the transport layer.
Above 4: Application gateways allow interworking above layer 4; mail gateways are an example.
For convenience, we will sometimes use the term "gateway" to mean any device that connects two or more dissimilar networks.
A gateway can be ripped apart in the middle and the two parts connected by a wire. Each of the halves is called a half-gateway (Fig. 5-34).
Fig. 5-34. (a) A full gateway between two WANs. (b) A full gateway between a LAN and a WAN. (c) Two half-gateways.
The situation in practice can be a little different from the theory. Many devices on the market combine bridge and router functionality, and some of them are sold under a misleading label.
3.1.1. How Networks Differ
Networks can differ in many ways.
3.1.2. Concatenated Virtual Circuits
Two styles of internetworking are common:
Fig. 5-36. Internetworking using concatenated virtual circuits.
In the concatenated virtual circuit model (Fig. 5-36) a connection to a host in a distant network is set up in a way similar to the way connections are normally established. The virtual circuit consists of concatenated virtual circuits between the routers or gateways along the way from the source node to the destination node. Each gateway maintains tables telling which virtual circuits pass through it, where they are to be routed, and what the new virtual circuit number is.
3.1.3. Connectionless Internetworking
Fig. 5-37. A connectionless internet.
The alternative internetwork model is the datagram model (Fig. 5-37). In this model, the network layer offers the transport layer just the ability to inject a datagram into the subnet and hope that it gets to the destination. Not all packets from a source to the same destination traverse the same sequence of gateways. A routing decision is made separately for each packet, possibly depending on the traffic at the moment the packet is sent.
Complications, often leading to insurmountable problems with internetworking, arise when:
3.1.4. Tunneling
Handling the general case of making two different networks interwork is exceedingly difficult. However, in the special case where the source and destination hosts are on the same type of network but there is a different network in between, the situation is manageable.
Fig. 5-38. Tunneling a packet from Paris to London.
Fig. 5-39. Tunneling a car from France to England.
The solution to this problem is a technique called tunneling. In Fig. 5-38, to send an IP packet to host 2, host 1 constructs the packet containing the IP address of host 2, inserts it into an Ethernet frame addressed to the Paris multiprotocol router, and puts it on the Ethernet. The multiprotocol router removes the IP packet, inserts it in the payload field of the WAN network layer packet, and addresses the latter to the WAN address of the London multiprotocol router. When it gets there, the London router removes the IP packet and sends it to host 2 inside an Ethernet frame. So the WAN can be seen as a big tunnel extending from one multiprotocol router to the other.
3.1.5. Internetwork routing
Routing through an internetwork is similar to routing within a single subnet, but with some added complications. In the situation depicted in Fig. 5-40, every multiprotocol router (or gateway) can directly access (i.e., send packets to) every other router connected to any network to which it is itself connected. This leads to the graph model of the situation displayed in part (b) of the figure.
Fig. 5-40. (a) An internetwork. (b) A graph of the internetwork.
The typical routing process in such an internetwork looks as follows: an internet packet starts on its LAN addressed to the local multiprotocol router (in the MAC layer header). After it gets there, the network layer code decides which multiprotocol router to forward the packet to using its own routing tables. If that router can be reached using the packet's native network protocol, it is forwarded there directly. Otherwise it is tunneled there, encapsulated in the protocol required by the intervening network. This process is repeated until the packet reaches the destination network.
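The tunnel of Fig. 5-38 and the per-hop decision just described (forward natively if the next router shares a network with this one, otherwise tunnel), as an added example that is not part of the original text. Router names, addresses and the WAN packet layout are constructed for illustration; the WAN is modelled as an opaque carrier whose payload is the whole IP packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes

@dataclass(frozen=True)
class WANPacket:
    wan_src: str
    wan_dst: str
    payload: bytes  # a complete IP packet, carried opaquely through the WAN

def encapsulate(pkt: IPPacket, wan_src: str, wan_dst: str) -> WANPacket:
    """Entry of the tunnel: the IP packet becomes the WAN packet's payload."""
    raw = ipaddress.ip_address(pkt.src).packed + ipaddress.ip_address(pkt.dst).packed + pkt.payload
    return WANPacket(wan_src, wan_dst, raw)

def decapsulate(w: WANPacket) -> IPPacket:
    """Exit of the tunnel: recover the IP packet unchanged (4-byte IPv4 addresses)."""
    src = str(ipaddress.ip_address(w.payload[:4]))
    dst = str(ipaddress.ip_address(w.payload[4:8]))
    return IPPacket(src, dst, w.payload[8:])

@dataclass
class Router:
    name: str
    lan: str                 # IP network this router attaches to natively
    wan_addr: str            # its address on the intervening WAN (hypothetical)
    routes: Dict[str, str]   # destination IP network -> next router name

def forward(router: Router, routers: Dict[str, Router], pkt: IPPacket) -> Tuple:
    """One hop of the procedure in Section 3.1.5."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in ipaddress.ip_network(router.lan):
        return ("deliver", pkt)                      # destination is on our own LAN
    for net, nxt in router.routes.items():
        if dst in ipaddress.ip_network(net):
            nh = routers[nxt]
            if nh.lan == router.lan:                 # reachable with the native protocol
                return ("native", nxt, pkt)
            return ("tunnel", nxt, encapsulate(pkt, router.wan_addr, nh.wan_addr))
    return ("drop", pkt)                             # no route: packet is discarded

# Constructed topology mirroring Fig. 5-38: Paris and London joined only by a WAN.
ROUTERS = {
    "paris": Router("paris", "192.0.2.0/24", "wan:paris", {"198.51.100.0/24": "london"}),
    "london": Router("london", "198.51.100.0/24", "wan:london", {"192.0.2.0/24": "paris"}),
}
```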
In the example above, a two-level routing algorithm has been applied: within each network an interior gateway protocol is used, but between the networks an exterior gateway protocol is used. In fact, since each network is independent, they may all use different algorithms. Because each network in an internetwork is independent of all the others, it is often referred to as an Autonomous System (AS).
Internetwork routing often requires crossing international boundaries, where various laws come into play. This may introduce nontechnical elements and influences into the routing process (e.g., by Canadian law, data traffic originating in Canada and ending in Canada may not leave the country; as a consequence, in some cases non-optimal paths must be taken to deliver data through the network).
3.1.6. Fragmentation
Each network imposes some maximum size on its packets. These limits have various causes, among them:
Maximum payloads range from 48 bytes (ATM cells) to 65515 bytes (IP packets), although the payload size in higher layers is often larger.
A problem appears when a large packet wants to travel through a network whose maximum packet size is too small. The only solution to the problem is to allow gateways to break packets into fragments, sending each fragment as a separate internet packet. But then a new problem arises: how to put the fragments back together again.
Two opposing strategies exist for recombining the fragments back into the original packet:
Fig. 5-41. (a) Transparent fragmentation. (b) Nontransparent fragmentation.
When a packet is fragmented, the fragments must be numbered in such a way that the original data stream can be reconstructed.
Fig. 5-42. Fragmentation when the elementary data size is 1 byte. (a) Original packet, containing 10 data bytes. (b) Fragments after passing through a network with a maximum packet size of 8 bytes. (c) Fragments after passing through a size 5 gateway.
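The numbering scheme of Fig. 5-42 (packet number, offset of the first elementary 1-byte unit, end-of-packet bit) worked through in code, as an added example that is not part of the original text. The 10-byte packet, the size-8 network and the size-5 gateway are the figure's values; the reassembly routine and its handling of out-of-order, duplicate and missing fragments are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Fragment:
    packet_no: int   # identifies the original packet
    offset: int      # number of the first elementary (1-byte) unit carried
    end: bool        # end-of-packet bit: set only on the last fragment
    data: bytes

def fragment(frag: Fragment, max_payload: int) -> List[Fragment]:
    """Split a packet (or an earlier fragment) so that no piece carries more
    than max_payload data bytes. Offsets are absolute, counted from the start
    of the original packet, so any later gateway can refragment a fragment."""
    if max_payload < 1:
        raise ValueError("max payload must be at least one elementary unit")
    pieces = []
    for start in range(0, len(frag.data), max_payload):
        chunk = frag.data[start:start + max_payload]
        last = start + len(chunk) == len(frag.data)
        # the end bit survives only on the piece that carries the original tail
        pieces.append(Fragment(frag.packet_no, frag.offset + start,
                               frag.end and last, chunk))
    return pieces

def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the original data from fragments received in any order.
    Returns None while a piece is still missing (gap, or no end bit seen)."""
    if not frags or len({f.packet_no for f in frags}) != 1:
        return None
    unique = {f.offset: f for f in frags}          # drop duplicate deliveries
    ordered = sorted(unique.values(), key=lambda f: f.offset)
    expected = 0
    out = bytearray()
    for f in ordered:
        if f.offset != expected:                    # gap: not complete yet
            return None
        out += f.data
        expected += len(f.data)
    return bytes(out) if ordered[-1].end else None

if __name__ == "__main__":
    original = Fragment(27, 0, True, b"ABCDEFGHIJ")          # Fig. 5-42 (a)
    after_8 = fragment(original, 8)                           # (b)
    after_5 = [p for f in after_8 for p in fragment(f, 5)]    # (c)
    for f in after_5:
        print(f.packet_no, f.offset, int(f.end), f.data)
    print(reassemble(after_5))
```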
3.1.7. Firewalls
The ability to connect any computer to any computer is a mixed blessing. For individuals at home, wandering around the Internet is lots of fun. For corporate security managers, it is a nightmare.
Mechanisms are needed to protect systems as much as possible against unauthorized access. Firewalls are able to accomplish this goal.
A firewall is an electronic drawbridge through which all traffic to or from a company's LAN is forced to go (Fig. 5-43). The firewall in this configuration has two components: two routers that do packet filtering and an application gateway. Simpler configurations also exist, but the advantage of this design is that every packet must transit two filters and an application gateway to go in or out.
Fig. 5-43. A firewall consisting of two packet filters and an application gateway.
Each packet filter is a standard router equipped with some extra functionality allowing every incoming or outgoing packet to be inspected. Packets meeting some criterion are forwarded normally. Those that fail the test are dropped.
In Fig. 5-43, the packet filter on the inside LAN checks outgoing packets and the one on the outside LAN checks incoming packets. The point of putting the two packet filters on different LANs is to ensure that no packet gets in or out without having passed through the application gateway.
Packet filters are typically driven by tables configured by the system administrator. These tables list sources and destinations that are acceptable and blocked. In the common case of a UNIX setting, a source or destination consists of an IP address and a port. Ports indicate which service is desired. For example, port 23 is for Telnet, port 79 is for Finger. A company could block incoming packets for all IP addresses combined with one of these ports. In this way, no one outside the company could log in via Telnet, or look up people using the Finger daemon.
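A table-driven packet filter of the kind just described, as an added example that is not part of the original text. The rule table (drop incoming Telnet and Finger for every address, admit mail only to one internal host, let the inside LAN send anything), the addresses, and the first-match-with-default-drop semantics are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    direction: str           # "in" (arriving from outside) or "out" (leaving the LAN)
    src: str                 # CIDR network or "any"
    dst: str                 # CIDR network or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "forward" or "drop"

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dst_port: int

def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def decide(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; a packet matching no rule gets the default
    action (drop, so that anything the administrator forgot stays blocked)."""
    for r in rules:
        if (r.direction == pkt.direction
                and _addr_matches(r.src, pkt.src)
                and _addr_matches(r.dst, pkt.dst)
                and (r.dst_port is None or r.dst_port == pkt.dst_port)):
            return r.action
    return default

# Constructed table (hypothetical addresses): 192.0.2.0/24 is the company LAN,
# 192.0.2.10 its mail gateway; 23 = Telnet, 79 = Finger as in the text.
RULES = [
    Rule("in", "any", "any", 23, "drop"),
    Rule("in", "any", "any", 79, "drop"),
    Rule("in", "any", "192.0.2.10/32", 25, "forward"),
    Rule("out", "192.0.2.0/24", "any", None, "forward"),
]

def filter_packets(packets: List[Packet]) -> List[str]:
    """Apply the table to a batch of packets, returning one verdict per packet."""
    return [decide(RULES, p) for p in packets]
```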
The second half of the firewall mechanism is the application gateway, operating at the application level. A mail gateway, for example, can be set up to examine each message going in or coming out. For each one it decides whether to transmit or discard it based on header fields, message size, or even content (it can be configured to react to certain words).
Note: if any of the machines use a wireless connection to the outside world, no firewall can ensure the security of the network.