
Secure Network Programming


Secure Network Programming (SNP) is a prototype of the first Secure Sockets Layer, designed and built in 1993 by the Networking Research Laboratory at the University of Texas at Austin, led by Simon S. Lam. This work was presented at the 1994 USENIX Summer Technical Conference. For this project, the authors won the 2004 ACM Software System Award.


Simon S. Lam was inducted into the Internet Hall of Fame (2023) for "inventing secure sockets in 1991 and implementing the first secure sockets layer, named SNP, in 1993." This work began in 1991 as a theoretical investigation by the Networking Research Laboratory on the formal meaning of a protocol layer satisfying an upper interface specification as a service provider and a lower interface specification as

A common drawback; namely, they did not export a clean and easy-to-use interface that could be readily used by Internet applications. For example, it would take a tremendous amount of effort to "kerberize" an existing distributed application. Toward the goal of "secure network programming for the masses", the inventors of SNP conceived secure sockets as a high-level abstraction suitable for securing Internet applications. In 1993, they designed and built

A complete path through them. Such systems generally use next-hop routing. Most systems use a deterministic dynamic routing algorithm. When a device chooses a path to a particular final destination, that device always chooses the same path to that destination until it receives information that makes it think some other path is better. A few routing algorithms do not use a deterministic algorithm to find

A manner that permits reuse under CC BY-SA 3.0 and GFDL. All relevant terms must be followed. The original text was at "A brief history of the first secure sockets layer".

Network layer

In the seven-layer OSI model of computer networking, the network layer is layer 3. The network layer is responsible for packet forwarding including routing through intermediate routers. The network layer provides

A path that minimizes their travel time. With such routing, the equilibrium routes can be longer than optimal for all drivers. In particular, Braess's paradox shows that adding a new road can lengthen travel times for all drivers. In a single-agent model used, for example, for routing automated guided vehicles (AGVs) on a terminal, reservations are made for each vehicle to prevent simultaneous use of

A path through a multistage switching fabric. Depending on the application for which path selection is performed, different metrics can be used. For example, for web requests one can use minimum latency paths to minimize web page load time, or for bulk data transfers one can choose the least utilized path to balance load across the network and increase throughput. A popular path selection objective

A presence in New York, connected by a fast link with latency 5 ms—and each has a presence in London connected by a 5 ms link. Suppose both ISPs have trans-Atlantic links that connect their two networks, but A's link has latency 100 ms and B's has latency 120 ms. When routing a message from a source in A's London network to a destination in B's New York network, A may choose to immediately send

A prototype of SNP. Designed as an application sublayer on top of sockets, SNP provides a user interface closely resembling sockets. This resemblance was by design so that security could be retrofitted into existing socket programs with only minor modifications. Also, with such a sublayer carefully designed and its implementation thoroughly debugged, it can be easily used by any Internet application that uses sockets for end-to-end communications. This

A record of the routes to various network destinations. Routing tables may be specified by an administrator, learned by observing network traffic or built with the assistance of routing protocols. Routing, in a narrower sense of the term, often refers to IP routing and is contrasted with bridging. IP routing assumes that network addresses are structured and that similar addresses imply proximity within

A service consumer. A case study of adding a security layer between the application and network layers was presented. The Networking Research Laboratory received a grant from the National Security Agency in June 1991 to investigate how to apply their theory of modules and interfaces to security verification. At that time, there were three well-known authentication systems built (MIT's Kerberos) or being developed (DEC's SPX and IBM's KryptoKnight). All of these systems suffered from

A single central device decides ahead of time the complete path of every packet. In some other small systems, whichever edge device injects a packet into the network decides ahead of time the complete path of that particular packet. In either case, the route-planning device needs to know a lot of information about what devices are connected to the network and how they are connected to each other. Once it has this information, it can use an algorithm such as the A* search algorithm to find


A standard shortest paths algorithm such as Dijkstra's algorithm. The result is a tree graph rooted at the current node, such that the path through the tree from the root to any other node is the least-cost path to that node. This tree then serves to construct the routing table, which specifies the best next hop to get from the current node to any other node. A link-state routing algorithm optimized for mobile ad hoc networks

A value known as the administrative distance to each route, where smaller administrative distances indicate routes learned from a protocol assumed to be more reliable. A local administrator can set up host-specific routes that provide more control over network usage, permit testing, and improve overall security. This is useful for debugging network connections or routing tables. In some small systems,

Is a natural idea in hindsight but, in 1993, it was novel and a major departure from mainstream network security research at that time. SNP's secure sockets support both stream and datagram semantics with security guarantees (i.e., data origin authenticity, data destination authenticity, data integrity, and data confidentiality). Many of the ideas and design choices in SNP can be found in subsequent secure sockets layers, including: placing authenticated communication endpoints in

Is available over the forwarding state, for example, using software-defined networking, routing techniques can be used that aim to optimize global and network-wide performance metrics. This has been used by large internet companies that operate many data centers in different geographical locations attached using private optical links, examples of which include Microsoft's Global WAN, Facebook's Express Backbone, and Google's B4. Global performance metrics to optimize include maximizing network utilization, minimizing traffic flow completion times, maximizing

Is carried in a special path attribute that records the sequence of routing domains through which the reachability information has passed. A route is defined as a pairing between a destination and the attributes of the path to that destination, thus the name, path-vector routing; the routers receive a vector that contains paths to a set of destinations. Path selection involves applying a routing metric to multiple routes to select (or predict)

Is due, in part, to the fact that two ISPs may be connected through multiple connections. In choosing the single router-level path, it is common practice for each ISP to employ hot-potato routing: sending traffic along the path that minimizes the distance through the ISP's own network—even if that path lengthens the total distance to the destination. For example, consider two ISPs, A and B. Each has

Is performed in many types of networks, including circuit-switched networks, such as the public switched telephone network (PSTN), and computer networks, such as the Internet. In packet switching networks, routing is the higher-level decision making that directs network packets from their source toward their destination through intermediate network nodes by specific packet forwarding mechanisms. Packet forwarding

Is similar to the distance vector algorithm in the sense that each border router advertises the destinations it can reach to its neighboring router. However, instead of advertising networks in terms of a destination and the distance to that destination, networks are advertised as destination addresses and path descriptions to reach those destinations. The path, expressed in terms of the domains (or confederations) traversed so far,

Is subject to instability if there are more than a few hops in the domain. Link state routing needs significant resources to calculate routing tables. It also creates heavy traffic due to flooding. Path-vector routing is used for inter-domain routing. It is similar to distance vector routing. Path-vector routing assumes that one node (there can be many) in each autonomous system acts on behalf of

Is the dominant form of message delivery on the Internet. This article focuses on unicast routing algorithms. With static routing, small networks may use manually configured routing tables. Larger networks have complex topologies that can change rapidly, making the manual construction of routing tables unfeasible. Nevertheless, most of the public switched telephone network (PSTN) uses pre-computed routing tables, with fallback routes if


Is the Optimized Link State Routing Protocol (OLSR). OLSR is proactive; it uses Hello and Topology Control (TC) messages to discover and disseminate link-state information through the mobile ad hoc network. Using Hello messages, each node discovers 2-hop neighbor information and elects a set of multipoint relays (MPRs). MPRs distinguish OLSR from other link-state routing protocols. Distance vector and link-state routing are both intra-domain routing protocols. They are used inside an autonomous system, but not between autonomous systems. Both of these routing protocols become intractable in large networks and cannot be used in inter-domain routing. Distance vector routing

Is the transit of network packets from one network interface to another. Intermediate nodes are typically network hardware devices such as routers, gateways, firewalls, or switches. General-purpose computers also forward packets and perform routing, although they have no specially optimized hardware for the task. The routing process usually directs forwarding on the basis of routing tables. Routing tables maintain

Is to reduce the average completion times of traffic flows and the total network bandwidth consumption. Recently, a path selection metric was proposed that computes the total number of bytes scheduled on the edges per path as selection metric. An empirical analysis of several path selection metrics, including this new proposal, has been made available. In some networks, routing is complicated by

The Bellman–Ford algorithm. This approach assigns a cost number to each of the links between each node in the network. Nodes send information from point A to point B via the path that results in the lowest total cost (i.e. the sum of the costs of the links between the nodes used). When a node first starts, it only knows of its immediate neighbors and the direct cost involved in reaching them. (This information —

The application layer, use of public-key cryptography for authentication, a handshake protocol for establishing session state including a shared secret, use of symmetric-key cryptography for data confidentiality, and managing contexts and credentials in the secure sockets layer. The paper presented on June 8, 1994 at the USENIX Summer Technical Conference includes the system design together with performance measurement results from
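The design choices listed above (authenticated endpoints, a handshake that establishes session state and a shared secret, symmetric keys for the data) can be shown in working form. The Python below is an added illustration, not SNP's code: a wrapper that keeps a socket-like send/recv interface, runs a handshake, then protects every record with direction-bound symmetric keys and sequence numbers (encrypt-then-MAC over an HMAC-SHA256 counter-mode keystream). One deliberate substitution is labelled in the code: the endpoints authenticate with a pre-shared long-term key because the Python standard library has no public-key primitives, whereas SNP used public-key cryptography for that step. The class and function names, the record format and the sample traffic are all constructed here.

```python
import hashlib, hmac, secrets, socket, struct, threading

def derive(secret, label, *parts):
    """32-byte key bound to a label and the handshake transcript (HMAC-SHA256 as a KDF)."""
    return hmac.new(secret, label + b"".join(parts), hashlib.sha256).digest()

class SecureSocket:
    """Socket-like wrapper: handshake() sets up session state, then send()/recv()
    carry encrypted, authenticated, sequence-numbered records."""
    HDR = struct.Struct("!I")              # length prefix used to frame every message

    def __init__(self, sock, psk, role):
        self.sock, self.psk, self.role = sock, psk, role   # role is "client" or "server"
        self.send_seq = self.recv_seq = 0

    def handshake(self):
        my_nonce = secrets.token_bytes(16)
        self._send_raw(my_nonce)
        peer_nonce = self._recv_raw()
        c_n, s_n = (my_nonce, peer_nonce) if self.role == "client" else (peer_nonce, my_nonce)
        transcript = c_n + s_n
        peer_role = b"server" if self.role == "client" else b"client"
        # Each side proves it holds the long-term secret for this transcript. SNP did
        # this with public-key credentials; a pre-shared key (psk) stands in here.
        self._send_raw(derive(self.psk, self.role.encode(), transcript))
        if not hmac.compare_digest(self._recv_raw(), derive(self.psk, peer_role, transcript)):
            raise ConnectionError("peer failed authentication")
        master = derive(self.psk, b"master", transcript)   # fresh per session via the nonces
        # Direction-bound keys: a valid record can only come from the other endpoint and
        # only be opened by this one (data origin and destination authenticity).
        mine, theirs = (b"c2s", b"s2c") if self.role == "client" else (b"s2c", b"c2s")
        self.enc_out, self.mac_out = derive(master, mine + b"enc"), derive(master, mine + b"mac")
        self.enc_in, self.mac_in = derive(master, theirs + b"enc"), derive(master, theirs + b"mac")

    @staticmethod
    def _xor_keystream(key, seq, data):
        """Keystream = HMAC(key, seq || block counter), XORed over data (same op both ways)."""
        ks = b"".join(hmac.new(key, struct.pack("!QQ", seq, i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, ks))

    def send(self, plaintext):
        ct = self._xor_keystream(self.enc_out, self.send_seq, plaintext)
        tag = hmac.new(self.mac_out, struct.pack("!Q", self.send_seq) + ct, hashlib.sha256).digest()
        self.send_seq += 1
        self._send_raw(ct + tag)                           # encrypt-then-MAC

    def open_record(self, record):
        """Verify then decrypt one record; the sequence number advances only on success."""
        ct, tag = record[:-32], record[-32:]
        want = hmac.new(self.mac_in, struct.pack("!Q", self.recv_seq) + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("record rejected: integrity/authenticity check failed")
        pt = self._xor_keystream(self.enc_in, self.recv_seq, ct)
        self.recv_seq += 1
        return pt

    def recv(self):
        return self.open_record(self._recv_raw())

    def _send_raw(self, data):
        self.sock.sendall(self.HDR.pack(len(data)) + data)

    def _recv_raw(self):
        (n,) = self.HDR.unpack(self._recv_exact(self.HDR.size))
        return self._recv_exact(n)

    def _recv_exact(self, n):
        buf = b""
        while len(buf) < n:
            chunk = self.sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed during read")
            buf += chunk
        return buf

def _opens(ss, record):
    try:
        ss.open_record(record)
        return True
    except ValueError:
        return False

def run_demo(message=b"GET /index.html"):
    """Client and server over a socketpair (constructed traffic). Returns what the server
    recovered, its reply, and whether a bit-flipped and a replayed copy were rejected."""
    a, b = socket.socketpair()
    psk = secrets.token_bytes(32)          # long-term secret assumed shared out of band
    srv, cli = SecureSocket(b, psk, "server"), SecureSocket(a, psk, "client")
    out = {}
    def server_side():
        try:
            srv.handshake()
            rec = srv._recv_raw()
            out["tamper_rejected"] = not _opens(srv, bytes([rec[0] ^ 1]) + rec[1:])
            out["received"] = srv.open_record(rec)
            out["replay_rejected"] = not _opens(srv, rec)   # sequence number has moved on
            srv.send(b"200 OK")
        except Exception as e:             # never leave the client hanging on a dead peer
            out["error"] = repr(e)
            b.close()
    t = threading.Thread(target=server_side)
    t.start()
    cli.handshake()
    cli.send(message)
    out["reply"] = cli.recv()
    t.join()
    a.close(); b.close()
    return out

if __name__ == "__main__":
    print(run_demo())
```

A production layer would tear the connection down after any failed record check rather than keep reading, and would use a standard AEAD cipher instead of a hand-rolled keystream; the example keeps the hand-rolled form only so that it runs with the standard library alone.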

The Internet and IP networks have become mission critical business tools, there has been increased interest in techniques and methods to monitor the routing posture of networks. Incorrect routing or routing issues cause undesirable performance degradation, flapping or downtime. Monitoring routing in a network is achieved using route analytics tools and techniques. In networks where a logically centralized control

The MTU supported by a specific path must still be established, to avoid packet loss. For this, Path MTU discovery is used between endpoints, which makes it part of the Transport layer, instead of this layer. The following are examples of protocols operating at the network layer.

Routing

Routing is the process of selecting a path for traffic in a network or between or across multiple networks. Broadly, routing

The architecture and key ideas first presented in SNP, enabled secure e-commerce between browsers and servers. Today, many other Internet applications (including email) use HTTPS, which consists of HTTP running over a secure sockets layer. As of 2023-05-10, this article is derived in whole or in part from Networking Research Laboratory. The copyright holder has licensed the content in

The best link for a packet to get from its original source to its final destination. Instead, to avoid congestion hot spots in packet systems, a few algorithms use a randomized algorithm—Valiant's paradigm—that routes a path to a randomly picked intermediate destination, and from there to its true final destination. In many early telephone switches, a randomizer was often used to select the start of

The best path. In high-speed systems, there are so many packets transmitted every second that it is infeasible for a single device to calculate the complete path for each and every packet. Early high-speed systems dealt with this with circuit switching by setting up a path once for the first packet between some source and some destination; later packets between that same source and that same destination continue to follow


The best possible routes, while link-state or topological databases may store all other information as well. In case of overlapping or equal routes, algorithms consider the following elements in priority order to decide which routes to install into the routing table: Because a routing metric is specific to a given routing protocol, multi-protocol routers must use some external heuristic to select between routes learned from different routing protocols. Cisco routers, for example, attribute
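The list of selection criteria did not survive on this page, so the added Python example below assumes the usual order: longest matching prefix first, then lowest administrative distance, then lowest metric, with routes that still tie kept together as equal-cost multipath next hops. It is an illustration written for this page, not vendor code; the administrative distance values are the common Cisco defaults, and the candidate routes and next hops are constructed.

```python
import ipaddress

# Common default administrative distances (lower is trusted more).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

def install(candidates):
    """Reduce learned candidates (prefix, protocol, metric, next hop) to the routing
    table: one entry per prefix, from the lowest-AD source, keeping only its
    lowest-metric next hops (several of them form an equal-cost multipath set)."""
    table = {}
    for prefix, proto, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        key = (ADMIN_DISTANCE[proto], metric)          # compared lexicographically: AD first
        entry = table.get(net)
        if entry is None or key < entry["key"]:
            table[net] = {"key": key, "proto": proto, "next_hops": [next_hop]}
        elif key == entry["key"] and next_hop not in entry["next_hops"]:
            entry["next_hops"].append(next_hop)        # equal cost from the same protocol
    return table

def lookup(table, address):
    """Longest-prefix match; returns (prefix, protocol, next hops) or None."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    entry = table[best]
    return (str(best), entry["proto"], list(entry["next_hops"]))

# Constructed candidates: the same prefixes learned from different sources.
CANDIDATES = [
    ("10.0.0.0/8",   "rip",    3,  "192.0.2.1"),
    ("10.0.0.0/8",   "ospf",   20, "192.0.2.2"),     # beats RIP on AD despite a larger metric
    ("10.1.0.0/16",  "ospf",   5,  "192.0.2.9"),
    ("10.1.0.0/16",  "static", 0,  "192.0.2.3"),     # static (AD 1) beats OSPF (AD 110)
    ("10.1.2.0/24",  "ospf",   10, "192.0.2.4"),
    ("10.1.2.0/24",  "ospf",   10, "192.0.2.5"),     # equal cost: both next hops kept
    ("10.1.2.0/24",  "ospf",   30, "192.0.2.6"),     # worse metric within OSPF: dropped
    ("0.0.0.0/0",    "static", 0,  "192.0.2.254"),   # default route, matched last
]

if __name__ == "__main__":
    table = install(CANDIDATES)
    for ip in ("10.1.2.7", "10.1.9.9", "10.200.0.1", "198.51.100.1"):
        print(ip, "->", lookup(table, ip))
```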

The best route. Most routing algorithms use only one network path at a time. Multipath routing and specifically equal-cost multi-path routing techniques enable the use of multiple alternative paths. In computer networking, the metric is computed by a routing algorithm, and can cover information such as bandwidth, network delay, hop count, path cost, load, maximum transmission unit, reliability, and communication cost. The routing table stores only

The down node. When applying link-state algorithms, a graphical map of the network is the fundamental data used for each node. To produce its map, each node floods the entire network with information about the other nodes it can connect to. Each node then independently assembles this information into a map. Using this map, each router independently determines the least-cost path from itself to every other node using
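A worked version of the link-state computation described here and in the passage on Dijkstra's algorithm above, added as an illustration rather than code from the article or from any router: every node holds the same flooded topology map, runs Dijkstra from itself, and reads the next hop for each destination off the resulting shortest-path tree. The topology, node names and link costs are constructed for the example, and links are assumed symmetric.

```python
import heapq

# Constructed topology for the example: node -> {neighbor: link cost}.
# Links are symmetric here; a real link-state database carries each direction separately.
TOPOLOGY = {
    "A": {"B": 1, "C": 4},
    "B": {"A": 1, "C": 2, "D": 5},
    "C": {"A": 4, "B": 2, "D": 1},
    "D": {"B": 5, "C": 1},
}

def dijkstra(graph, root):
    """Least-cost distance from root to every reachable node, plus each node's
    predecessor on its least-cost path; prev encodes the tree rooted at root."""
    dist, prev, seen = {root: 0}, {}, set()
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in seen:
            continue
        seen.add(u)
        for v, cost in graph.get(u, {}).items():
            if cost <= 0:
                raise ValueError("Dijkstra needs strictly positive link costs")
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    return dist, prev

def routing_table(graph, root):
    """dest -> (next hop, total cost): walk each destination's tree path back to
    the child of the root, which is the neighbor to forward to."""
    dist, prev = dijkstra(graph, root)
    table = {}
    for dest in dist:
        if dest == root:
            continue
        hop = dest
        while prev[hop] != root:
            hop = prev[hop]
        table[dest] = (hop, dist[dest])
    return table

def without_link(graph, u, v):
    """Copy of the map with link u-v removed in both directions (a link failure)."""
    g = {n: dict(nbrs) for n, nbrs in graph.items()}
    g[u].pop(v, None)
    g[v].pop(u, None)
    return g

if __name__ == "__main__":
    for label, g in (("full map", TOPOLOGY), ("after B-C fails", without_link(TOPOLOGY, "B", "C"))):
        print(label, routing_table(g, "A"))
```

Recomputing on the map with a link removed shows the property the text relies on: after the failure is flooded, each node needs only the updated map, not any other node's table, to rebuild its own next hops.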

The entire autonomous system. This node is called the speaker node. The speaker node creates a routing table and advertises it to neighboring speaker nodes in neighboring autonomous systems. The idea is the same as distance vector routing except that only speaker nodes in each autonomous system can communicate with each other. The speaker node advertises the path, not the metric, of the nodes in its autonomous system or other autonomous systems. The path-vector routing algorithm
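An added illustration of path-vector exchange between speaker nodes, covering this passage and the description of the path attribute and path selection above; it is not code from the article or from any BGP implementation. Each speaker prepends its own AS number before re-advertising, discards any path that already contains its number (loop detection), and chooses by a per-neighbor policy preference before path length, standing in for the business-relationship preferences the page mentions elsewhere. The AS numbers, adjacencies and prefix (a TEST-NET-3 block) are constructed.

```python
class Speaker:
    """The speaker node for one autonomous system."""
    def __init__(self, asn, neighbors):
        self.asn = asn
        self.neighbors = dict(neighbors)   # neighbor ASN -> policy preference (higher wins)
        self.rib = {}                      # prefix -> {neighbor ASN: AS path as received}
        self.best = {}                     # prefix -> selected path; () means originated here

    def originate(self, prefix):
        self.best[prefix] = ()

    def receive(self, nbr, prefix, path):
        """Take one advertisement from a neighbor; True if our selection changed."""
        if self.asn in path:               # our own ASN already in the path: a loop, discard
            return False
        self.rib.setdefault(prefix, {})[nbr] = path
        return self._select(prefix)

    def _select(self, prefix):
        if self.best.get(prefix) == ():
            return False                   # a locally originated destination is never replaced
        cands = self.rib[prefix]
        # policy preference first, then shortest AS path, then a deterministic tie-break
        nbr = min(cands, key=lambda n: (-self.neighbors[n], len(cands[n]), cands[n]))
        if self.best.get(prefix) != cands[nbr]:
            self.best[prefix] = cands[nbr]
            return True
        return False

    def advertisements(self):
        """What we tell every neighbor: each selected path with our ASN prepended."""
        return [(prefix, (self.asn,) + path) for prefix, path in self.best.items()]

def converge(speakers, max_rounds=20):
    """Synchronous advertisement rounds until nobody changes a selection; returns rounds used."""
    for rnd in range(1, max_rounds + 1):
        ads = {asn: s.advertisements() for asn, s in speakers.items()}
        changed = False
        for asn, s in speakers.items():
            for nbr in s.neighbors:
                for prefix, path in ads[asn]:
                    changed |= speakers[nbr].receive(asn, prefix, path)
        if not changed:
            return rnd
    raise RuntimeError("no convergence")

PREFIX = "203.0.113.0/24"   # constructed destination (TEST-NET-3)

def build(as3_prefers_5=False):
    """Five constructed ASes: 1-2-3 is the short path, 1-4-5-3 the long one."""
    adjacency = {1: [2, 4], 2: [1, 3], 3: [2, 5], 4: [1, 5], 5: [4, 3]}
    speakers = {asn: Speaker(asn, {n: 100 for n in nbrs}) for asn, nbrs in adjacency.items()}
    if as3_prefers_5:
        speakers[3].neighbors[5] = 200     # policy: AS3 prefers routes learned from AS5
    speakers[1].originate(PREFIX)
    return speakers

if __name__ == "__main__":
    for policy in (False, True):
        s = build(policy)
        rounds = converge(s)
        print("AS3 prefers AS5:", policy, "-> AS3 uses path", s[3].best[PREFIX], "after", rounds, "rounds")
```

With equal preferences AS3 picks the two-hop path through AS2; with the policy preference it picks the longer path through AS5, which is exactly the situation the page describes where the chosen AS-level path is unrelated to path quality or latency.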

The fact that no single entity is responsible for selecting paths; instead, multiple entities are involved in selecting paths or even parts of a single path. Complications or inefficiency can result if these entities choose paths to optimize their own objectives, which may conflict with the objectives of other participants. A classic example involves traffic in a road system, in which each driver picks

The list of destinations, the total cost to each, and the next hop to send data to get there — makes up the routing table, or distance table.) Each node, on a regular basis, sends to each neighbor node its own current assessment of the total cost to get to all the destinations it knows of. The neighboring nodes examine this information and compare it to what they already know; anything that represents an improvement on what they already have, they insert in their own table. Over time, all

The means of transferring variable-length network packets from a source to a destination host via one or more networks. Within the service layering semantics of the OSI (Open Systems Interconnection) network architecture, the network layer responds to service requests from the transport layer and issues service requests to the data link layer. Functions of the network layer include: The TCP/IP model describes

The message to B in London. This saves A the work of sending it along an expensive trans-Atlantic link, but causes the message to experience latency 125 ms when the other route would have been 20 ms faster. Additionally, a similar routing challenge can be observed in cellular networks, where different packets are destined for various endpoints, and each link exhibits varying spectral efficiency. In this context,

The most direct route becomes blocked (see routing in the PSTN). Dynamic routing attempts to solve this problem by constructing routing tables automatically, based on information carried by routing protocols, allowing the network to act nearly autonomously in avoiding network failures and blockages. Dynamic routing dominates the Internet. Examples of dynamic-routing protocols and algorithms include Routing Information Protocol (RIP), Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP). Distance vector algorithms use

The network. Structured addresses allow a single routing table entry to represent the route to a group of devices. In large networks, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging). Routing has become the dominant form of addressing on the Internet. Bridging is still widely used within local area networks. Routing schemes differ in how they deliver messages: Unicast


The nodes in the network discover the best next hop and total cost for all destinations. When a network node goes down, any nodes that used it as their next hop discard the entry and convey the updated routing information to all adjacent nodes, which in turn repeat the process. Eventually, all the nodes in the network receive the updates and discover new paths to all the destinations that do not involve
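An added simulation of the distance-vector process described in the passages on the Bellman–Ford approach, the periodic exchange of cost vectors, and the node-failure case above; it is an illustration written for this page, not code from the article or from RIP. Four constructed nodes exchange vectors in synchronous rounds. Split horizon (a route is not advertised back to the neighbor it was learned from) is included because without it the withdrawal after the failure counts to infinity between the two survivors that still reach each other.

```python
class Node:
    def __init__(self, name, links):
        self.name = name
        self.links = dict(links)                 # neighbor -> direct link cost
        self.table = {name: (0, None)}           # dest -> (total cost, next hop)
        for nbr, cost in self.links.items():
            self.table[nbr] = (cost, nbr)

    def vector_for(self, nbr):
        """Costs advertised to one neighbor, with split horizon applied."""
        return {dest: cost for dest, (cost, hop) in self.table.items() if hop != nbr}

    def _withdraw(self, dest):
        del self.table[dest]
        if dest in self.links:                   # fall back to the direct link if one exists
            self.table[dest] = (self.links[dest], dest)

    def receive(self, nbr, vector):
        """Merge a neighbor's advertisement; True if our table changed."""
        changed = False
        link = self.links[nbr]
        # Routes we reach via this neighbor that it no longer advertises are gone.
        for dest, (_, hop) in list(self.table.items()):
            if hop == nbr and dest != nbr and dest not in vector:
                self._withdraw(dest)
                changed = True
        for dest, advertised in vector.items():
            if dest == self.name:
                continue
            cand = link + advertised
            cur_cost, cur_hop = self.table.get(dest, (float("inf"), None))
            # Take a strictly better route, or follow a cost change on the route we already use.
            if cand < cur_cost or (cur_hop == nbr and cand != cur_cost):
                self.table[dest] = (cand, nbr)
                changed = True
        return changed

    def neighbor_down(self, nbr):
        """Link to nbr lost: drop it and every route that used it as next hop."""
        del self.links[nbr]
        for dest, (_, hop) in list(self.table.items()):
            if hop == nbr:
                self._withdraw(dest)

def run_rounds(nodes, max_rounds=50):
    """Exchange vectors synchronously until no table changes; returns rounds used."""
    for rnd in range(1, max_rounds + 1):
        adverts = {(src, nbr): n.vector_for(nbr) for src, n in nodes.items() for nbr in n.links}
        changed = False
        for (src, nbr), vec in adverts.items():      # snapshot first, then everyone updates
            if nodes[nbr].receive(src, vec):
                changed = True
        if not changed:
            return rnd
    raise RuntimeError("did not converge")

def fail_node(nodes, name):
    """Take a node down: each neighbor detects the lost link and withdraws through it."""
    for nbr in list(nodes[name].links):
        nodes[nbr].neighbor_down(name)
    del nodes[name]

def build():
    """Constructed ring A-B-C-D-A; the A-D link is expensive, so traffic prefers B."""
    links = {"A": {"B": 1, "D": 5}, "B": {"A": 1, "C": 1},
             "C": {"B": 1, "D": 1}, "D": {"C": 1, "A": 5}}
    return {name: Node(name, nbrs) for name, nbrs in links.items()}

if __name__ == "__main__":
    net = build()
    print("converged in", run_rounds(net), "rounds; A's table:", net["A"].table)
    fail_node(net, "B")
    print("B down, reconverged in", run_rounds(net), "rounds; A's table:", net["A"].table)
```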

The protocols used by the Internet. The TCP/IP model has a layer called the Internet layer, located above the link layer. In many textbooks and other secondary references, the TCP/IP Internet layer is equated with the OSI network layer. However, this comparison is misleading, as the allowed characteristics of protocols (e.g., whether they are connection-oriented or connection-less) placed into these layers are different in

The prototype implementation to clearly demonstrate the practicality of a secure sockets layer. SNP pioneered secure sockets for Internet applications in general, independently and concurrently with the design and development of the HTTP protocol for the world-wide web which was still in its infancy in 1993. Subsequent secure socket layers (SSL by Netscape and TLS by IETF), implemented several years later using

The same part of an infrastructure. This approach is also referred to as context-aware routing. The Internet is partitioned into autonomous systems (ASs) such as internet service providers (ISPs), each of which controls routes involving its network. Routing occurs at multiple levels. First, AS-level paths are selected via the BGP protocol that produces a sequence of ASs through which packets flow. Each AS may have multiple paths, offered by neighboring ASs, from which to choose. These routing decisions often correlate with business relationships with these neighboring ASs, which may be unrelated to path quality or latency. Second, once an AS-level path has been selected, there are often multiple corresponding router-level paths to choose from. This

The same path without recalculating until the circuit teardown. Later high-speed systems inject packets into the network without any one device ever calculating a complete path for packets. In large systems, there are so many connections between devices, and those connections change so frequently, that it is infeasible for any one device to even know how all the devices are connected to each other, much less calculate

The selection of the optimal path involves considering latency and packet error rate. To address this, multiple independent entities, one for each base station, play a crucial role in path selection while striving to optimize overall network performance. A 2003 measurement study of Internet routes found that, between pairs of neighboring ISPs, more than 30% of paths have inflated latency due to hot-potato routing, with 5% of paths being delayed by at least 12 ms. Inflation due to AS-level path selection, while substantial,

The two models. The TCP/IP Internet layer is in fact only a subset of functionality of the network layer. It describes only one type of network architecture, the Internet. The network layer is responsible for fragmentation and reassembly for IPv4 packets that are larger than the smallest MTU of all the intermediate links on the packet's path to its destination. It is the function of routers to fragment packets if needed, and of hosts to reassemble them if received. Conversely, IPv6 packets are not fragmented during forwarding, but

Was attributed primarily to BGP's lack of a mechanism to directly optimize for latency, rather than to selfish routing policies. It was also suggested that, were an appropriate mechanism in place, ISPs would be willing to cooperate to reduce latency rather than use hot-potato routing. Such a mechanism was later published by the same authors, first for the case of two ISPs and then for the global case. As
