Announcements
- Final project due Wed May 2.
Syllabus
- Textbook: Computer Networks and Internets, Fifth Edition, by Douglas E. Comer (textbook web site)
- 2008 Higher Education Opportunity Act information:
- The book lists at $149. The bookstore sells it at this price.
- However, Amazon sells it for $102.82. There is no tax and it can ship free.
- The Kindle edition is $61.47 and is available instantly.
- Reselling your used edition on Amazon, it looks like it will fly off the shelf at $60, although you might have to wait until August for the Fall term to start, giving a net cost of about $40.
- Course structure:
- The course is project based. There will be pop quizzes and several projects, including a final project.
- Projects are programming projects, done in C on Unix.
- You will be supplied machines in the cloud, thanks to a grant from Amazon. You can work on that machine, your own machine (possibly using VirtualBox), and possibly the lab accounts.
- Work submission will be by subversion repositories. You are also asked to submit work to subversion often, so that I can follow the progress of your work and can assist.
- Twitter account is http://twitter.com/csc524. Please follow it.
- From time to time, you will find the class blog to be informative reading.
- Grader/TA: there is no grader for this course.
- Writing credit: optionally the student may elect for writing credit.
- The requirement for W is three essays, each of at least 1500 words.
- Topics related to computer communications, or cyberspace, at least one non-fiction.
- First paper must be submitted by mid-term.
- Submit papers in a standard format by subversion. Place them in a subdirectory writing-credit.
- Thanks to Amazon for a grant under their AWS for Education program, to explore cloud computing and integrate cloud computing concepts into the course.
Class notes
- Introduction
- OSI Model (from Cisco Internetworking Handbook)
- Use of the layered model; Internetworks, LAN, WAN
- Peer to peer communications; up and down the stack
- Encapsulation, demultiplexing
- Switching versus routing, LANs versus WANs, networking versus internetworking
- Discussion of addresses, MAC, IP and DNS (a bit of a lie).
- TFTP packet dissection
- Sockets (unix access to networking, at the Level 4/5 interface)
- Beej's Guide to Network Programming (PDF)
- The IP protocol, Part I
- Datagram service, UDP
- UDP: User Datagram Protocol, packet communications (RFC 768)
- Port numbers
- Examples of UDP
- The IP Protocol, Part II
- Local delivery: RFC 826 - ARP
- RFC 2453: RIP2
- Distance Vector
- Counting to infinity
- Split horizon, poison reverse, triggered updates
- Default routers, subnets, authentication, and RIP2
- routing notes
- OSPF: Link state protocols
- Autonomous systems and BGP
- IP fragmentation
- ICMP, ping, traceroute, and host routing tables.
- Connection service, TCP protocol
- TCP: Transmission Control Protocol (RFC 793)
- Class notes
- Segment management and acknowledgements (example)
- Connection establishment
- Resend timers, Karn's algorithm
- Congestion control: slow start and multiplicative decrease. (Also fast retransmit, and other just-so stories.) See RFC 2001.
- Silly window syndrome, Nagle's algorithm
- Network and port address translation
- Example session:
- email: SMTP, 822 headers, and MIME; POP and IMAP
- HTTP, HTML, CSS, CGI, SHTML, DHTML, and so on.
- CGI test
- Web technologies
- FTP, passive, interaction of protocols
- Network security, protocols, and cryptography
- Cryptography: Godzilla crypto tutorial by Peter Gutmann.
- SSL and the PKI
- Authentication
- Attacks and countermeasures:
- Email issues (mostly Spam, but also Phishing)
- Link level communications
- Crash course in communication theory.
- Ethernet
- Wi-Fi
- Bridges, Switches, Hubs and Repeaters
Quizzes:
- Quiz 1 posted. Svn update and copy [repos]/class/quiz/quiz1.txt to your
quiz subversion directory. Add your answers and commit your file by the due date.
- Quiz 2 posted. Svn update and copy [repos]/class/quiz/quiz2.txt to your
quiz subversion directory. Add your answers and commit your file by the due date.
Assignments
- First Assignment:
- Read chapters 1 through 3 in Comer's book.
- For this course, you will need a few computers separated by networking. In this project you will set up those two computers. One computer is the near computer; use either your lab account or VirtualBox for this. The other computer is the far computer; use either the class's AWS cloud, or sign up for your own AWS cloud, using the free tier for first-time users.
- Near machine, using VirtualBox:
- Download VirtualBox and install it.
- Download an ISO image of Ubuntu (11.10, 32-bit is current as of today).
- Install Ubuntu inside VirtualBox.
- Log in, and use subversion to get a local copy of the class repository (see next step).
- Near machine, using lab computers:
- Get your username and password for your lab account
- Log in, and use subversion to get a local copy of the class repository (see next step).
- Far machine, using class AWS cloud
- You should have your near account done, so that you have access to [repos]/username/misc.
- Run [repos]/username/misc/connect.sh. You should be logged into your AWS instance. N.B.: the pem file in the misc directory must have permissions read by owner only.
- Run sudo yum update to get the latest software.
- Run sudo yum groupinstall "Development Tools" to install needed software.
- Use subversion to get a local copy of the class repository (see next step).
- Far machine, using your own AWS account
- At the moment, we are beyond capacity in the class AWS, so volunteers to immediately use their own AWS account are appreciated.
- Sign up for AWS at aws.amazon.com.
- Go to the AWS Management Console in your browser.
- Quick launch a 32-bit instance of a Linux machine.
- Select new key. You will download a pem file that functions as a password file to gain access to your instance via ssh.
- Update the information in [repos]/username/misc with your new pem, and choose connect from the instance actions to get the command line to replace the contents of connect.sh.
- Connect to your instance, and continue as for a machine in the class AWS cloud.
- Use subversion to get a local copy of the class repository.
- Get your username and password for your subversion account.
- Logged into your account, either on the lab machine, in your VirtualBox image, or in the class or your own AWS image, check out the class's subversion repository.
- See my Subversion tutorial for additional information.
- P.S. Say "yes" to unencrypted password storage.
- Write the helloworld program, and Makefile. Submit to your repository, and have it run on both the near and far machines.
- Inside your repository create a proj1 subdirectory, e.g. csc524/burt/proj1. Submit helloworld.c and Makefile in that directory.
- See the files csc524/class/proj1/Makefile and
csc524/class/proj1/helloworld.c, and read the comments about the
code style requirements.
- The grader should only have to type: make clean; make; make run;
- short explanation of Makefiles
- Longer Makefile tutorial
- Do not check in your executable! I may even take off credit. They are large and I could end up having 200 executables to deal with on my desktop by the end of the semester.
- Please have these tasks done by Monday, January 30.
- Second Assignment:
- Read: Beej's Guide to Network Programming (PDF)
- Implement mynetcat in C. Submit by subversion in folder proj2, file name mynetcat.c.
- Implement talker and listener in C. Submit by subversion in folder proj2, file names talker.c and listener.c.
- You should be able to run one program on your near machine, and one on your far machine.
- Use ports 3333 through 3339. Other ports are blocked.
- Incoming packets blocked: some ISPs will block any unusual packets flowing in, but rarely out. If you have trouble sending from far to near, try sending from near to far.
- There should also be a Makefile with a default target to build the projects, and a make clean target.
- Please have these tasks done, and submitted to subversion, by Monday, February 13.
- Third Assignment:
- Read RFC 1034 on DNS (see below).
- Beej's Guide to Network Programming (PDF)
- Read RFC 1350 on TFTP.
- Write a tftp client and server.
- tftp listens on well-known port 69. However, yours will listen on port 3333 or 3334, etc.
- Save timeout retransmissions for last. Get it working in the optimistic case of no lost packets. How are you going to simulate lost packets so that you can test your retransmission code?
- Implement only octet. Forget netascii and email modes. If requested, return an error packet with message "mode not supported".
- Support the -p flag for server listening port number.
- To avoid any misuse, obey the usual safety restrictions: only read or write to a single directory, and only read or write existing files that have "everyone" (world) permissions.
- Try it with the server on your far machine, and the client
on your near machine.
- Here is a packet trace and dissection for the first packet, for your reference. You can collect these things using sudo tcpdump -i lo -X -nn, where mileage may vary on the interface name "lo"; do ifconfig -a to see the names of your interfaces.
- Use getopt for your options. Here is a good manpage for getopt to help. Note the +=optind at the end of the example code. Your arguments can be demanded to be in fixed places, but don't forget that the options might not be in fixed places, or in a fixed quantity.
- Place all results in a proj3 (note correction) folder in your svn repository: tftpclient.c, tftpserver.c. Makefiles for all code, including targets for clean, build and test.
- Please have these tasks done by Monday, March 19 (previously March 6).
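As an added example (not code from the course or the textbook), here is how a server for this assignment might parse an RRQ/WRQ from RFC 1350, enforce the octet-only and single-directory rules before touching the filesystem, and build the "mode not supported" error packet. The function and struct names are my own.

```c
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
enum { TFTP_RRQ = 1, TFTP_WRQ = 2, TFTP_ERROR = 5 };
struct tftp_req { int opcode; char file[128]; char mode[16]; };

/* Parse "opcode | filename NUL | mode NUL"; memchr bounds both strings by packet length. */
int tftp_parse_request(const unsigned char *pkt, size_t len, struct tftp_req *r) {
    const char *p, *end, *nul;
    if (len < 4) return -1;
    r->opcode = (pkt[0] << 8) | pkt[1];
    if (r->opcode != TFTP_RRQ && r->opcode != TFTP_WRQ) return -1;
    p = (const char *)pkt + 2; end = (const char *)pkt + len;
    nul = memchr(p, 0, end - p);                 /* a missing NUL cannot run off the buffer */
    if (!nul || nul == p || nul - p >= (long)sizeof r->file) return -1;
    memcpy(r->file, p, nul - p); r->file[nul - p] = 0;
    p = nul + 1;
    nul = memchr(p, 0, end - p);
    if (!nul || nul == p || nul - p >= (long)sizeof r->mode) return -1;
    memcpy(r->mode, p, nul - p); r->mode[nul - p] = 0;
    return 0;
}

/* Only octet is implemented; RFC 1350 makes the mode name case-insensitive. */
int tftp_mode_ok(const char *mode) { return strcasecmp(mode, "octet") == 0; }

/* Single-directory rule: no '/', regular file that already exists, and the "other" bit set. */
int tftp_file_allowed(const char *name, int writing) {
    struct stat st;
    if (!*name || strchr(name, '/')) return 0;
    if (stat(name, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return (st.st_mode & (writing ? S_IWOTH : S_IROTH)) != 0;
}

/* ERROR packet: opcode 5, error code, message, NUL. Returns its length, 0 if out is too small. */
size_t tftp_build_error(unsigned char *out, size_t outlen, unsigned code, const char *msg) {
    size_t n = strlen(msg) + 5;
    if (n > outlen) return 0;
    out[0] = 0; out[1] = TFTP_ERROR; out[2] = (code >> 8) & 0xff; out[3] = code & 0xff;
    memcpy(out + 4, msg, n - 4);
    return n;
}

/* Gate for one incoming request: 0 serve, 1 malformed, 2 reply "mode not supported", 3 refuse file. */
int tftp_check_request(const unsigned char *pkt, size_t len) {
    struct tftp_req r;
    if (tftp_parse_request(pkt, len, &r) != 0) return 1;
    if (!tftp_mode_ok(r.mode)) return 2;
    return tftp_file_allowed(r.file, r.opcode == TFTP_WRQ) ? 0 : 3;
}
```

Since the file rule is applied to the raw name rather than to a path built from it, a name such as "../x" is rejected before any stat or open is attempted.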
- Fourth assignment:
- Write a simple web server.
- The web server can serve pages.
- The web server can handle GET or POST queries by passing the query string on stdin.
- The web server identifies whether the request is a GET or a POST. If a GET, the form data is urlencoded and placed as the query in the URL. If a POST, it is placed after the headers, in the message body. The data is encoded using percent encoding. The content type is application/x-www-form-urlencoded.
- See piping stdin/stdout for further assistance.
- HTTP Easy tutorial, for some help.
- If an external application is launched to handle the query, the application can use stdout and stderr to return results: stdout goes to the client (with appropriate headers added by the server, which the external application may override) and stderr goes to a logging file.
- Web servers use several techniques to determine whether the pathname of the URL is a file to be served or a script to be executed. The x-bit hack says that if the file is executable, it is a script. Other mechanisms are reserving a specially named directory, cgi-bin, for all scripts; using the ScriptAlias directive to point out scripts explicitly; and looking at the extension of the file and attaching a handler according to that extension. If you want, you can use the x-bit hack.
- Watchdog and sandbox the external application.
- You might or might not wish to handle virtual serving of either
of the forms: IP address or Host: parameter.
- You can refuse to serve any pathname with a "/" in it — all files served
must be in the current directory of the running program.
- As always, makefile, and some automated test targets are required.
- What should be submitted: source to build a webserver, a run target to run it, and a test CGI program (in any way you care: it can be in shell, a compiled C binary, or PHP (you will need to install PHP)) that demonstrates it is working.
- Complete these tasks and submit in your proj4 folder within your
subversion repository by Monday, April 9.
- Hint: using telnet and wget, as well as a browser, helps determine if your server is functioning correctly.
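An added example, not the course's code, of decoding the application/x-www-form-urlencoded data described above; the same decoder serves the query string of a GET and the body of a POST, and a malformed percent escape is rejected rather than guessed at. Function names and the sample fields are constructed.

```c
#include <string.h>
#include <ctype.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode inlen bytes of `in` into `out` ('+' becomes a space). Returns the
 * decoded length, or -1 for a truncated or non-hex %XX escape or a too-small buffer. */
int form_decode_n(const char *in, size_t inlen, char *out, size_t outlen) {
    size_t i, n = 0;
    for (i = 0; i < inlen; i++) {
        int c = (unsigned char)in[i];
        if (c == '+') c = ' ';
        else if (c == '%') {
            if (i + 2 >= inlen) return -1;                 /* "%4" at the end of a field */
            int hi = hexval((unsigned char)in[i + 1]), lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;               /* "%zz" is not an escape */
            c = hi * 16 + lo; i += 2;
        }
        if (n + 1 >= outlen) return -1;                    /* keep room for the NUL */
        out[n++] = (char)c;
    }
    out[n] = 0;
    return (int)n;
}

/* Look up field `name` in "a=1&b=2" data, whether it came from the URL after '?'
 * (GET) or from the message body (POST). Returns 1 found, 0 absent, -1 malformed. */
int form_get(const char *data, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    while (*data) {
        const char *amp = strchr(data, '&');
        size_t plen = amp ? (size_t)(amp - data) : strlen(data);
        const char *eq = memchr(data, '=', plen);          /* '=' must be inside this pair */
        if (eq && (size_t)(eq - data) == nlen && memcmp(data, name, nlen) == 0)
            return form_decode_n(eq + 1, plen - nlen - 1, out, outlen) < 0 ? -1 : 1;
        if (!amp) break;
        data = amp + 1;
    }
    return 0;
}

/* Convenience wrapper: the value as a static string, or NULL if absent or malformed. */
const char *form_value(const char *data, const char *name) {
    static char buf[256];
    return form_get(data, name, buf, sizeof buf) == 1 ? buf : NULL;
}
```

Because '&' and '=' inside a value arrive encoded as %26 and %3D, splitting on the raw characters before decoding is what keeps one field's value from being read as another field.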
- Fifth assignment:
- Read about SSL:
- Implement SSL for the web server you wrote for the fourth assignment.
- For the certificate, create a signing cert, sign your server cert with
the signing cert, and include your signing cert in the certificate database
of your browser. See class/proj5/certs/Makefile for help with this.
- Complete these tasks and submit in your proj5 folder within your
subversion repository by Monday, April 23.
- Hint: openssl s_client -connect host:port can be used to help debug your SSL enabled server.
- svn://.../class/proj5/certs has the CSC cert, and a Makefile with valuable hints.
- Final assignment:
- Improve your work in the fifth assignment to include client credentials, a PKI, the webDAV protocol verbs, and an authentication/authorization capability based on signed certificates.
- webDAV is simplified for us as:
- Every document resource has an associated access list.
- Define the URL syntax http://www.anywhere.us/path/file:access, where :access is literal. This is the access control list for the named document resource "file".
- A GET to the access list resource, i.e. with the :access tag, will return the access control list, that is, the list of authorized users and their authorized uses.
- When a resource is created by a PUT or POST, the client authenticated through SSL is the owner, using the Common Name from the client certificate.
- The owner can POST to the resource http://www.anywhere.us/path/file:access strings e.g. of the form "pikachu:+r", meaning add read permission on the resource for user pikachu.
- You can use a format like acl=pikachu:+r;acl=mewtoo:-w, as the names for name-value pairs need not be distinct.
- We can go with unix file permission semantics. The letters a, r, w, x are all, read, write and execute permissions. A plus (+) means to add the permissions, and minus (-) to remove them.
- You can use pseudo-permission "o" (owner) to set the owner. The owner owns the right to set permissions.
- For the class signing cert, class/proj5/certs/csc524_ca.cert, sync to the class subversion repo.
- Complete these tasks and submit in your proj6 folder within your subversion repository by Wednesday, May 2.
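Added example (not the course's code) of the simplified ACL semantics above: the POST body format acl=user:+perm;acl=..., the a/r/w/x letters, the o pseudo-permission, and the rule that only the owner may change the list. Function names and the users ash and misty are constructed; pikachu and mewtoo come from the assignment text.

```c
#include <stdio.h>
#include <string.h>
enum { P_R = 1, P_W = 2, P_X = 4, P_ALL = 7 };                 /* letters r, w, x, a */
struct acl_entry { char user[32]; unsigned perms; };
struct acl { char owner[32]; struct acl_entry e[16]; int n; }; /* owner = client cert Common Name */

static struct acl_entry *acl_find(struct acl *a, const char *user, int create) {
    for (int i = 0; i < a->n; i++) if (strcmp(a->e[i].user, user) == 0) return &a->e[i];
    if (!create || a->n == 16 || strlen(user) >= sizeof a->e[0].user) return NULL;
    strcpy(a->e[a->n].user, user); a->e[a->n].perms = 0;
    return &a->e[a->n++];
}

/* Apply one "user:+rw" spec (modified in place): 'a' is rwx, "+o" hands over ownership,
 * "-o" and unknown letters are rejected and nothing changes. Returns 0 ok, -1 malformed. */
static int acl_apply_one(struct acl *a, char *spec) {
    char *op = strchr(spec, ':');
    if (!op || op == spec || (op[1] != '+' && op[1] != '-') || !op[2]) return -1;
    *op++ = 0;                                       /* spec is now just the user name */
    int add = *op++ == '+', set_owner = 0; unsigned mask = 0;
    for (; *op; op++) {
        if (*op == 'r') mask |= P_R; else if (*op == 'w') mask |= P_W;
        else if (*op == 'x') mask |= P_X; else if (*op == 'a') mask |= P_ALL;
        else if (*op == 'o' && add) set_owner = 1;
        else return -1;
    }
    struct acl_entry *e = acl_find(a, spec, 1); if (!e) return -1;
    if (add) e->perms |= mask; else e->perms &= ~mask;
    if (set_owner) strcpy(a->owner, spec);           /* length already checked by acl_find */
    return 0;
}

/* POST body "acl=pikachu:+r;acl=mewtoo:-w" sent to file:access. Only the current owner may
 * change it: returns -1 if the requester is not the owner, else the number of rejected specs. */
int acl_post(struct acl *a, const char *requester, const char *body) {
    char buf[256]; int bad = 0;
    if (strcmp(a->owner, requester) != 0) return -1;
    if (snprintf(buf, sizeof buf, "%s", body) >= (int)sizeof buf) return -1;
    for (char *tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";"))
        if (strncmp(tok, "acl=", 4) != 0 || acl_apply_one(a, tok + 4) != 0) bad++;
    return bad;
}

/* Demo: `owner` created the resource, `requester` POSTs `body`; returns `user`'s rwx bits, -1 if refused. */
int acl_demo(const char *owner, const char *requester, const char *body, const char *user) {
    struct acl a = {0}; snprintf(a.owner, sizeof a.owner, "%s", owner);
    if (acl_post(&a, requester, body) < 0) return -1;
    struct acl_entry *e = acl_find(&a, user, 0);
    return e ? (int)e->perms : 0;
}
```

The owner check compares the requester against the Common Name recorded at PUT/POST time, so a user who was granted +a still cannot alter the list until an owner hands it over with +o.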
References
- Additional textbooks:
- Radia Perlman, Interconnects: Bridges, Routers, Switches and Internetworking Protocols.
- Douglas Comer, Internetworking with TCP/IP, Vol I: Principles, Protocols, and Architecture.
- William R. Cheswick and Steven M. Bellovin, Firewalls and Internet Security: Repelling the Wily Hacker.
- General Networking
- Software engineering for security
- WEP
- My RC4 example.
- CRC-32 failure of WEP.
- SecurityFocus review
- Attacks on RC4 and WEP, Fluhrer, Mantin, Shamir, CryptoBytes Vol. 5, No. 2, 2002, pp. 26-34.
- KoreK attacks in chopper. KoreK explains some of them.
- Weaknesses in the Key Scheduling Algorithm of RC4, Scott Fluhrer, Itsik Mantin, Adi Shamir.
- Using the Fluhrer, Mantin, and Shamir Attack to Break WEP, Adam Stubblefield, John Ioannidis, Aviel Rubin.
- AirSnort source code.
- SSL
- Exploits
- Virus
- Open Source Security Response Philosophy
- Secure Operating Systems
- RFC's
- IPv6
- Port Knocking
- Cookies
- Topics for next term