Network Programming Review

abbreviations

IP Internet Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
HTTP Hypertext Transfer Protocol
HTML Hypertext Markup Language
TLS Transport Layer Security
URL Uniform Resource Locator
DNS Domain Name System
SSL Secure Sockets Layer

HTTP port 80, HTTPS port 443

seven-layer OSI reference model

application, presentation, session, transport, network, data link, physical

Internet model

application HTTP, HTTPS, SMTP, … (SSL/TLS is not an application protocol; it sits between the application and transport layers)
transport UDP, TCP
network IP

IPv4/IPv6

IPv4: 32-bit addresses; multicast range 224.0.0.0 - 239.255.255.255 (224.0.0.0/4)
IPv6: 128-bit addresses; multicast range ff00::/8 (first byte 0xff)

subnet of IPv4
Address + subnet mask -> net ID and host ID
A & mask = net ID
A & ~mask = host ID

domain name system

Translates (maps) between host names and IP addresses, in both directions.

ARP

Resolves the IPv4 address of a host on the local link to its MAC address; the IP-to-MAC mapping is cached.
ARP cache
MAC address, IP address, type, interface
routing table
destination, gateway, genmask, flags, metric, ref, use, iface
A data table stored in a router or a network host that lists the routes to particular network destinations.

socket functions

  1. socket() create a socket, return a socket file descriptor.

  2. bind() assign a local address to the socket created in the previous step. A local address is the combination of an IPv4/IPv6 address and a UDP/TCP port number.
    bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen)

  3. connect() establish a connection between client and server (for TCP this runs the three-way handshake; on a UDP socket it only fixes the default peer address).

  4. write()/send()/sendto()/sendmsg() write data to an established connection (sendto()/sendmsg() also take a destination address, which is how an unconnected UDP socket sends).

  5. read()/recv()/recvfrom()/recvmsg() read incoming data from an established connection (recvfrom()/recvmsg() also return the sender's address).

  6. listen() convert an active socket into a passive (listening) socket; its backlog argument bounds the queue of completed connections.

  7. accept() return the next completed connection from the completed-connection queue as a new socket descriptor, blocking if the queue is empty.

  8. close() close the socket file descriptor and release any resources associated with it.

other functions

byte order
16-bit: ...s() (short); 32-bit: ...l() (long); h = host order, n = network (big-endian) order

  1. htons()
  2. htonl()
  3. ntohs()
  4. ntohl()

address conversion
  5. inet_pton(int family, const char *strptr, void *addrptr) 32-bit/128-bit, presentation (string) to numeric
  6. inet_ntop(int family, const void *addrptr, char *strptr, socklen_t len) 32-bit/128-bit, numeric to presentation

inet_aton(const char *strptr, struct in_addr *addrptr) 32-bit (IPv4 only)
inet_ntoa(struct in_addr inaddr) 32-bit (IPv4 only; returns a pointer to a static buffer, so it is not thread-safe)
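The subnet arithmetic (A & mask = net ID, A & ~mask = host ID), the IPv4/IPv6 multicast ranges and the byte-order/address-conversion functions above, worked through in one C example. This is added example code, not part of the original notes; the addresses and prefix lengths used are constructed test inputs, and the helper names are assumptions for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Split a dotted-quad address under a /prefix into network ID and host ID,
 * written back as dotted quads. Returns 0, or -1 for a malformed address
 * (inet_pton() rejects "1.2.3" and "256.1.1.1") or an out-of-range prefix.
 * The mask arithmetic is done on the host-order value from ntohl(); the
 * results go back through htonl() before inet_ntop() formats them. */
int ipv4_split(const char *addr, int prefix, char *net_id, char *host_id, size_t outlen)
{
    struct in_addr a;
    if (prefix < 0 || prefix > 32) return -1;
    if (inet_pton(AF_INET, addr, &a) != 1) return -1;
    uint32_t ip   = ntohl(a.s_addr);                       /* network -> host order */
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    struct in_addr net, host;
    net.s_addr  = htonl(ip & mask);                        /* A & mask  = net ID  */
    host.s_addr = htonl(ip & ~mask);                       /* A & ~mask = host ID */
    if (!inet_ntop(AF_INET, &net, net_id, (socklen_t)outlen)) return -1;
    if (!inet_ntop(AF_INET, &host, host_id, (socklen_t)outlen)) return -1;
    return 0;
}

/* 1 if both addresses have the same net ID under /prefix, 0 if not, -1 on bad input. */
int ipv4_same_subnet(const char *a, const char *b, int prefix)
{
    char na[INET_ADDRSTRLEN], nb[INET_ADDRSTRLEN], h[INET_ADDRSTRLEN];
    if (ipv4_split(a, prefix, na, h, sizeof na) || ipv4_split(b, prefix, nb, h, sizeof nb))
        return -1;
    return strcmp(na, nb) == 0;
}

/* Multicast check for either family: IPv4 224.0.0.0-239.255.255.255 is the
 * block whose top four bits are 1110; IPv6 multicast is ff00::/8, i.e. the
 * first byte is 0xff. Returns 1, 0, or -1 if the string is neither family. */
int is_multicast(const char *addr)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, addr, &a4) == 1)
        return (ntohl(a4.s_addr) >> 28) == 0xE;
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return a6.s6_addr[0] == 0xff;
    return -1;
}

/* Port numbers travel big-endian. htons() turns the host value into the two
 * wire bytes that sin_port holds; ntohs() brings it back unchanged. */
uint16_t port_wire_bytes(uint16_t port, unsigned char wire[2])
{
    uint16_t n = htons(port);
    memcpy(wire, &n, 2);             /* wire[0] = high byte, wire[1] = low byte */
    return ntohs(n);
}
```

Note that the shift by (32 - prefix) is guarded for prefix 0: shifting a 32-bit value by 32 is undefined behaviour in C, which is the kind of off-by-one a mask routine is prone to.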

  1. getaddrinfo()

  2. gethostbyname()
    The main difference between the two is that getaddrinfo() can handle both IPv4 and IPv6 (and is reentrant), while gethostbyname() is IPv4-only and obsolete.

  3. getsockname()

  4. getpeername()
    obtain the local (getsockname) | foreign (getpeername) protocol address of a socket

value-result argument

accept(), recvfrom(), getsockname(), getpeername(): the socklen_t *addrlen argument is set by the caller to the size of the address buffer (the value) and overwritten by the kernel with the number of bytes actually stored (the result).

tcp

byte-stream oriented, reliable, retransmission of lost data, flow and congestion control, one stream of data (no message boundaries)
socket(AF_INET, SOCK_STREAM)
client: (functions described above)
socket() -> bind() (optional) -> connect() -> write()/… -> read()/… -> close()
server:
socket() -> bind() -> listen() -> accept() -> read()/… -> write()/… -> close()

udp

message (datagram) oriented, unreliable, no error recovery, no flow and congestion control, each message independent (boundaries preserved)
socket(AF_INET, SOCK_DGRAM)
client:
socket() -> bind() (optional: the kernel assigns a port at the first sendto()) -> sendto()/… -> recvfrom()/… -> close()
server:
socket() -> bind() -> recvfrom()/… -> sendto()/… -> close()
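The UDP flow above, with both ends in one process, as an added example that is not part of the original notes. It shows the three properties a practitioner trips over: the client needs no bind() (the kernel assigns a port at the first sendto()), message boundaries are preserved (two sendto() calls need two recvfrom() calls), and a buffer smaller than the datagram receives only a prefix while the rest of that datagram is silently discarded. It assumes 127.0.0.1 is available for binding; the messages are constructed inputs.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Server: socket() -> bind() on 127.0.0.1 port 0. getsockname() reports the
 * port the kernel chose; its length argument is value-result. */
static int udp_bind_loopback(uint16_t *port_out)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    socklen_t len = sizeof sa;                         /* in: buffer size, out: bytes stored */
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Sends two datagrams from an unbound client socket and reads them back.
 * Returns the number of datagrams received before the queue ran dry (2),
 * copies the second one into `second`, and stores in *first_len what a
 * 5-byte buffer got from the 13-byte first datagram (5: the remainder of
 * that datagram is dropped, it does not spill into the next recvfrom()). */
int udp_demo(char *second, size_t second_len, int *first_len)
{
    uint16_t port;
    int srv = udp_bind_loopback(&port);
    if (srv < 0) return -1;
    int cli = socket(AF_INET, SOCK_DGRAM, 0);          /* client: no bind() */
    if (cli < 0) { close(srv); return -1; }
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);
    const char m1[] = "first message", m2[] = "second";   /* constructed sample messages */
    int rc = -1;
    if (sendto(cli, m1, strlen(m1), 0, (struct sockaddr *)&dst, sizeof dst) == (ssize_t)strlen(m1) &&
        sendto(cli, m2, strlen(m2), 0, (struct sockaddr *)&dst, sizeof dst) == (ssize_t)strlen(m2)) {
        struct timeval tv = { 1, 0 };                  /* never hang if delivery fails */
        setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        struct sockaddr_in from, me;
        socklen_t fromlen = sizeof from, melen = sizeof me;   /* value-result */
        char small[5];
        ssize_t n = recvfrom(srv, small, sizeof small, 0, (struct sockaddr *)&from, &fromlen);
        *first_len = (int)n;                            /* 5, not 13 */
        int count = n > 0;
        fromlen = sizeof from;
        n = recvfrom(srv, second, second_len - 1, 0, (struct sockaddr *)&from, &fromlen);
        if (n > 0) { second[n] = '\0'; count++; }
        /* The sender address recvfrom() reports is the port the kernel gave the
         * client; a third, non-blocking read finds the queue empty (EAGAIN). */
        if (getsockname(cli, (struct sockaddr *)&me, &melen) == 0 && me.sin_port == from.sin_port &&
            recvfrom(srv, small, sizeof small, MSG_DONTWAIT, NULL, NULL) < 0 &&
            (errno == EAGAIN || errno == EWOULDBLOCK))
            rc = count;
    }
    close(cli);
    close(srv);
    return rc;
}
```

The truncation behaviour is the security-relevant part: a server that sizes its buffer for the "expected" datagram and then treats the result as a complete message will process partial input without any error indication.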

TCP

backlog:
The backlog is in fact a connection queue. Before Linux kernel 2.2 the backlog covered both queues, half-open and fully connected. Since kernel 2.2 the listen() backlog bounds only the completed-connection queue (ESTABLISHED, waiting for accept()); the half-open queue (SYN_RCVD state) is bounded separately by /proc/sys/net/ipv4/tcp_max_syn_backlog.

three-way handshake
client sends SYN with a random initial sequence number J
server sends SYN + ACK J+1 with its own random initial sequence number K
client sends ACK K+1

four-way handshake (connection termination)
client sends FIN with sequence number J (the next number in its existing stream, not a new random one)
server sends ACK J+1; the connection is now half-closed and the server may still send data

server sends FIN with sequence number K
client sends ACK K+1 and enters TIME_WAIT (2 MSL) before the socket is fully released

3 kinds of timeout methods for socket I/O operations

  1. alarm(): use the SIGALRM signal to interrupt the blocking call
  2. select(): its last parameter is a struct timeval timeout
  3. socket options SO_RCVTIMEO, SO_SNDTIMEO, set with setsockopt()
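The TCP server and client flows, the backlog queue, the value-result length arguments and two of the three timeout methods above (select() and SO_RCVTIMEO), exercised in one C example with both ends in the same process. This is added example code, not part of the original notes; it assumes 127.0.0.1 is available and that connect() to a loopback listener completes without the server calling accept(), which is how Linux behaves (the kernel finishes the handshake and parks the connection in the completed queue). The message is a constructed input.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Server side: socket() -> bind() to 127.0.0.1 port 0 -> listen().
 * Port 0 lets the kernel choose; getsockname() reports the choice. Its length
 * argument is value-result: in = buffer size, out = bytes actually stored. */
static int tcp_listen_loopback(int backlog, uint16_t *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, backlog) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Client side: socket() -> connect(); no bind(), the kernel picks the local port. */
static int tcp_connect_loopback(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* One TCP connection with both ends in this process. Returns 0 on success.
 *   buf        bytes the server received (TCP is a stream: loop until all arrived)
 *   recv_errno errno from a recv() that ran into SO_RCVTIMEO with nothing to read
 *   select_rc  return value of a select() that timed out (0 = nothing readable) */
int tcp_demo(char *buf, size_t buflen, int *recv_errno, int *select_rc)
{
    uint16_t port;
    int lfd = tcp_listen_loopback(5, &port);
    if (lfd < 0) return -1;
    /* connect() returns once the kernel has finished the three-way handshake;
     * no accept() is needed for that. The connection then sits in the
     * completed-connection queue (bounded by backlog) until accept() takes it. */
    int cfd = tcp_connect_loopback(port);
    if (cfd < 0) { close(lfd); return -1; }
    struct sockaddr_in peer, local;
    socklen_t plen = sizeof peer, llen = sizeof local;    /* value-result lengths */
    int sfd = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (sfd < 0) { close(cfd); close(lfd); return -1; }
    int rc = -1;
    /* The peer address accept() filled in is the client's local address. */
    if (getsockname(cfd, (struct sockaddr *)&local, &llen) == 0 &&
        local.sin_port == peer.sin_port) {
        const char msg[] = "hello over tcp";                /* constructed sample */
        size_t want = strlen(msg), got = 0;
        if (send(cfd, msg, want, 0) == (ssize_t)want && buflen > want) {
            while (got < want) {                            /* stream: may arrive in pieces */
                ssize_t n = recv(sfd, buf + got, want - got, 0);
                if (n <= 0) break;
                got += (size_t)n;
            }
            buf[got] = '\0';
            if (got == want) rc = 0;
        }
    }
    /* Timeout method 3: SO_RCVTIMEO. Nothing more was sent, so recv() gives up
     * after 100 ms with -1 and errno EAGAIN/EWOULDBLOCK instead of blocking. */
    struct timeval tv = { 0, 100000 };
    setsockopt(sfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    char tmp[8];
    *recv_errno = recv(sfd, tmp, sizeof tmp, 0) < 0 ? errno : 0;
    /* Timeout method 2: select() with a timeout; 0 means it expired. */
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(sfd, &rfds);
    tv.tv_sec = 0;
    tv.tv_usec = 100000;
    *select_rc = select(sfd + 1, &rfds, NULL, NULL, &tv);
    close(cfd);
    close(sfd);
    close(lfd);
    return rc;
}
```

The recv() loop is deliberate: a single recv() on a stream socket may return fewer bytes than were sent, and code that assumes one send() equals one recv() works on loopback and breaks in production. Note also that select() modifies the timeval on Linux, which is why it is reset before the call.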

I/O Models

Blocking I/O: when the user process calls recvfrom(), the kernel begins the first stage of I/O, preparing the data. For network I/O the data usually has not arrived yet, so the kernel waits for enough data, and the whole user process is blocked meanwhile. Once the data is ready the kernel copies it from kernel space to user memory, returns the result, and the user process unblocks and runs again.
The system call is made and blocks until data is available; at that point the syscall returns with the data.

Nonblocking I/O: after the recvfrom() system call the process is not blocked; the kernel returns immediately. If the data is not ready an error (EWOULDBLOCK/EAGAIN) is returned and the process can do something else. Once the data is ready in the kernel and the user process issues the system call again, the kernel copies the data to user memory and returns.
The process repeatedly calls recvfrom(), expecting an OK return (polling); at that point recvfrom() returns with the data.

I/O multiplexing (select and poll): when the user process calls select() the whole process is blocked while the kernel monitors all the sockets select() is responsible for. When the data in any of them is ready, select() returns, and the user process then calls the read operation to copy the data from the kernel into the user process.
select() is issued and tests whether a socket is ready (for read, write or exception). Once the condition is met, or the timeout expires, select() returns. Check the return value: on timeout handle it, otherwise read/write the data.

Signal-driven I/O (SIGIO): first enable signal-driven I/O on the socket, then use the sigaction() system call to install a signal handler. The sigaction() call returns immediately and the program continues without blocking. When a datagram is readable the kernel generates SIGIO for the application; the handler can call recvfrom() to read the datagram and then notify the main program that the data can be processed, or it can simply notify the main program to read the datagram itself.

Asynchronous I/O (POSIX aio_ functions): after the user process initiates the read operation it can immediately do other things. From the kernel's perspective, when it receives an asynchronous read it returns immediately, so the user process is not blocked. The kernel then waits for the data to be ready and copies it into the user's memory; only when all of this is done does it notify the user process (for example with a signal) that the read has completed. The difference from signal-driven I/O is that the notification arrives after the copy into user memory, not before it.

what is the purpose of wait()? and what is the difference between wait() and waitpid()?

wait() blocks the parent process until one of its child processes terminates and collects the child's exit status (so the child does not remain a zombie). The difference is that wait() always blocks its caller until some child terminates, while waitpid() can wait for a specific child and has an option (WNOHANG) to return immediately instead of blocking.
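The wait()/waitpid() difference above, shown in C as an added example (not from the original notes): waitpid() with WNOHANG polls and returns 0 while the child still runs, and waitpid() on a specific pid collects that child even when a different child has already exited, which wait() would have returned first. The exit codes and sleep durations are constructed test values; the helper names are assumptions for this example.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that sleeps delay_sec seconds, then exits with `code`.
 * Returns the child's pid to the parent, -1 if fork() failed. */
static pid_t spawn_child(int code, unsigned delay_sec)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (delay_sec) sleep(delay_sec);
        _exit(code);                   /* child: exit without returning to the caller */
    }
    return pid;
}

/* waitpid() with WNOHANG polls: it returns 0 while the child is still running.
 * waitpid() without WNOHANG blocks exactly like wait(). Stores the poll
 * result in *poll_rc and returns the child's exit code (or -1 on error). */
int poll_then_block(int code, unsigned delay_sec, int *poll_rc)
{
    pid_t pid = spawn_child(code, delay_sec);
    if (pid < 0) return -1;
    int status;
    *poll_rc = (int)waitpid(pid, &status, WNOHANG);      /* 0: not exited yet */
    if (waitpid(pid, &status, 0) != pid) return -1;       /* blocks until it exits */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* wait() reaps whichever child exits first; waitpid(pid, ...) waits for that
 * particular child even if another one finished earlier, leaving the early
 * finisher as a zombie until it is reaped too. Returns 0 if the observed
 * order is as described, -1 otherwise; the exit codes go to the out params. */
int specific_vs_any(int *slow_code, int *fast_code)
{
    pid_t slow = spawn_child(11, 1);            /* exits after 1 s */
    if (slow < 0) return -1;
    pid_t fast = spawn_child(22, 0);            /* exits immediately */
    if (fast < 0) { waitpid(slow, NULL, 0); return -1; }
    int status;
    if (waitpid(slow, &status, 0) != slow || !WIFEXITED(status)) return -1;
    *slow_code = WEXITSTATUS(status);           /* fast is already a zombie by now */
    pid_t any = wait(&status);                  /* reaps the remaining child: fast */
    if (any != fast || !WIFEXITED(status)) return -1;
    *fast_code = WEXITSTATUS(status);
    return 0;
}
```

A concurrent server that forks one child per client normally uses the WNOHANG form from a SIGCHLD handler in a loop, so that several children exiting at once are all reaped without blocking the accept() loop.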

Encryption

Plaintext The original message that is fed into the algorithm.
Encryption Algorithm The algorithm that performs various operations (substitutions/transformations) on the plaintext.
Secret key The secret key is also an input to the encryption algorithm; it controls the operations performed by the algorithm.
Ciphertext The scrambled/encrypted message; it is the output of the encryption algorithm applied with the key.
Decryption Algorithm The reverse of the encryption algorithm. It takes the ciphertext and the key and produces the plaintext.

symmetric

DES, AES

asymmetric (public-key)

RSA, DSA

Assume we have Alice and Bob. Bob needs to send a private message to Alice and sign it so that only Bob can have sent the message. How would Bob go about doing this?
Bob takes the message (plaintext) and applies his private key to it (signs it). He sends the result to Alice somehow. On reception, Alice obtains Bob's public key and uses it to recover the message; since only Bob's private key could have produced something the public key undoes, the message is "signed" by Bob. Note that this step alone gives authenticity, not privacy: anyone who has Bob's public key can recover the message. To keep it private, Bob additionally encrypts the signed message with Alice's public key, so that only Alice's private key can open it. Real signature schemes sign a hash of the message with padding rather than the raw message.

public-key algorithms

Encryption with the public key, decryption with the private key (confidentiality).
Encryption with the private key, decryption with the public key (signature / authenticity).
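The two key directions above and the Bob-to-Alice scenario, worked through with toy RSA numbers in C. This is added example code, not from the original notes: the key pairs (Bob: p = 61, q = 53; Alice: p = 71, q = 67) are textbook-sized and insecure, there is no padding or hashing, and the routine names are assumptions for this example. It only demonstrates the arithmetic behind "encrypt with one key, decrypt with the other".

```c
#include <stdint.h>

/* Square-and-multiply modular exponentiation; every intermediate product
 * fits in 64 bits because the toy moduli are far below 2^32. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

typedef struct { uint64_t n, e; } rsa_public_key;
typedef struct { uint64_t n, d; } rsa_private_key;

/* Bob: p = 61, q = 53, n = 3233, phi = 60*52 = 3120, e = 17,
 * d = 17^-1 mod 3120 = 2753 (17 * 2753 = 46801 = 15 * 3120 + 1). */
static const rsa_public_key  BOB_PUB    = { 3233, 17 };
static const rsa_private_key BOB_PRIV   = { 3233, 2753 };
/* Alice: p = 71, q = 67, n = 4757, phi = 70*66 = 4620, e = 17,
 * d = 17^-1 mod 4620 = 3533 (17 * 3533 = 60061 = 13 * 4620 + 1). */
static const rsa_public_key  ALICE_PUB  = { 4757, 17 };
static const rsa_private_key ALICE_PRIV = { 4757, 3533 };

/* Direction 1, confidentiality: anyone encrypts with the public key (m < n),
 * only the holder of the private key decrypts. */
uint64_t rsa_encrypt(uint64_t m, rsa_public_key pub)   { return modpow(m, pub.e, pub.n); }
uint64_t rsa_decrypt(uint64_t c, rsa_private_key priv) { return modpow(c, priv.d, priv.n); }

/* Direction 2, signature: the key holder applies d ("encrypts with the
 * private key"); anyone applies e ("decrypts with the public key") and
 * checks that the original message comes back. */
uint64_t rsa_sign(uint64_t m, rsa_private_key priv)    { return modpow(m, priv.d, priv.n); }
int rsa_verify(uint64_t m, uint64_t sig, rsa_public_key pub)
{
    return modpow(sig, pub.e, pub.n) == m;
}

/* Bob -> Alice, both private and signed: Bob signs with his private key and
 * encrypts the signature for Alice with her public key; Alice decrypts with
 * her private key and recovers/verifies with Bob's public key. Bob's modulus
 * (3233) is smaller than Alice's (4757), so the signature value is a valid
 * message for Alice's key. Returns 1 and the recovered message on success. */
int bob_to_alice(uint64_t m, uint64_t *recovered)
{
    uint64_t sig     = rsa_sign(m, BOB_PRIV);          /* Bob, his private key */
    uint64_t wire    = rsa_encrypt(sig, ALICE_PUB);    /* Bob, Alice's public key */
    uint64_t got_sig = rsa_decrypt(wire, ALICE_PRIV);  /* Alice, her private key */
    *recovered = modpow(got_sig, BOB_PUB.e, BOB_PUB.n); /* Alice, Bob's public key */
    return *recovered == m;
}
```

With m = 65 and Bob's key the ciphertext is 2790, the value that appears in the usual worked RSA example; the verifier test checks that and that a signature altered by one fails to verify.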

security attacks

Passive Security Attack
Learns or makes use of information from the system but does not affect system resources (e.g. eavesdropping, traffic analysis).
Active Security Attack
Attempts to alter system resources or affect their operation (e.g. masquerade, replay, modification of messages, denial of service).

SSL

provides basic security services to higher-layer protocols
three higher-layer protocols are part of SSL: the handshake, change cipher spec and alert protocols, all carried by the record protocol

SSL Connection and SSL Session

Connection: a connection is a transport (in the OSI sense) that provides a suitable type of service.
For SSL, such connections are peer-to-peer relationships.
Connections are transient. Every connection is associated with one session.
Session: an SSL session is an association between a client and a server.
Sessions are created by the handshake protocol.
Sessions define a set of cryptographic security parameters which can be shared among multiple connections.
Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

SSL Record protocol

two services:
confidentiality: the handshake protocol defines a shared secret key that is used for conventional (symmetric) encryption of SSL payloads
message integrity: the handshake protocol defines a shared secret key that is used to form a message authentication code (MAC)
fragmentation into blocks of at most 2^14 bytes -> compress (optional) -> add MAC -> encrypt -> prepend SSL record header

SSL change cipher spec protocol

Purpose is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.

alert protocol

Conveys SSL-related alerts to peer

handshake protocol

Server and client authenticate each other, and negotiate the encryption algorithm, MAC algorithm and cryptographic keys.
phase 1, establish security capabilities:
initiate the logical connection and establish the security capabilities to be associated with it (client_hello / server_hello)
phase 2, server authentication and key exchange:
server sends its certificate (if required), may send a server_key_exchange message, may request a client certificate, then sends server_hello_done
phase 3, client authentication and key exchange:
client verifies the server certificate and the server_hello parameters; sends its certificate if one was requested (or a no_certificate alert), then client_key_exchange, and optionally certificate_verify
phase 4, finish:
both sides send change_cipher_spec and finished, completing the secure connection

security facilities in the TCP/IP Stack

Network: IP/IPSec
Transport: SSL or TLS
Application: PGP, SET, Kerberos, S/MIME

HTTP methods

GET request to get web resource from server
HEAD request to get header that GET request would have obtained
POST submit data (e.g. a form body) to the web server for processing
PUT ask the server to store the request body at the given URI
DELETE ask the server to delete the resource at the given URI
OPTIONS ask the server to return the list of request methods it supports

http request line

request-method-name request-URI HTTP-version (the method and the "HTTP" in the version are case-sensitive)
GET /test.html HTTP/1.1

http response status line

HTTP-version status-code reason-phrase
HTTP/1.1 200 OK
301 Moved Permanently
400 Bad Request
404 Not Found
500 Internal Server Error
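A strict parser for the two line formats above, added here as example code that is not part of the original notes. It accepts exactly "METHOD SP request-URI SP HTTP/d.d" and "HTTP/d.d SP 3DIGIT [SP reason]", rejecting lowercase methods or versions, a missing or extra field, and a status code that is not exactly three digits; the struct and function names are assumptions for this example and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { char method[9]; char uri[257]; int major, minor; } http_request_line;
typedef struct { int major, minor, status; char reason[64]; } http_status_line;

/* HTTP-version is the case-sensitive literal "HTTP/" followed by one digit,
 * a dot and one digit; "http/1.1" and "HTTP/1.10" are both rejected. */
static int parse_version(const char *v, int *major, int *minor)
{
    if (strncmp(v, "HTTP/", 5) != 0) return -1;
    if (!isdigit((unsigned char)v[5]) || v[6] != '.' ||
        !isdigit((unsigned char)v[7]) || v[8] != '\0') return -1;
    *major = v[5] - '0';
    *minor = v[7] - '0';
    return 0;
}

/* Copy `line` into buf up to (not including) the first CR or LF. */
static int copy_line(const char *line, char *buf, size_t len)
{
    size_t n = strcspn(line, "\r\n");
    if (n >= len) return -1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    return 0;
}

/* request-line = method SP request-target SP HTTP-version
 * The method is a case-sensitive token; only uppercase ASCII letters are
 * accepted here, so "get" fails. Exactly three fields must be present:
 * the fourth %1s conversion succeeds only when there is trailing junk. */
int parse_request_line(const char *line, http_request_line *out)
{
    char buf[512], ver[16], extra[2];
    if (copy_line(line, buf, sizeof buf)) return -1;
    int n = sscanf(buf, "%8s %256s %15s %1s", out->method, out->uri, ver, extra);
    if (n != 3) return -1;
    for (const char *p = out->method; *p; p++)
        if (!isupper((unsigned char)*p)) return -1;
    return parse_version(ver, &out->major, &out->minor);
}

/* status-line = HTTP-version SP status-code SP reason-phrase
 * status-code is exactly three digits; the reason phrase may be empty and may
 * itself contain spaces, so it is taken as the remainder of the line. */
int parse_status_line(const char *line, http_status_line *out)
{
    char buf[512], ver[16];
    int consumed = 0;
    if (copy_line(line, buf, sizeof buf)) return -1;
    if (sscanf(buf, "%15s%n", ver, &consumed) != 1) return -1;
    if (parse_version(ver, &out->major, &out->minor)) return -1;
    const char *p = buf + consumed;
    if (*p++ != ' ') return -1;
    if (!isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1]) ||
        !isdigit((unsigned char)p[2])) return -1;
    if (p[3] != ' ' && p[3] != '\0') return -1;
    out->status = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    p += 3;
    if (*p == ' ') p++;
    snprintf(out->reason, sizeof out->reason, "%s", p);
    return 0;
}
```

The field widths in the sscanf() format strings are what keep this safe: without "%8s" and "%256s" an over-long method or URI would overflow the fixed-size struct members, which is the classic bug in hand-written request-line parsers.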

Client-Server Design Alternatives

Client Strategies:

  1. simple: blocks waiting for user input, so data arriving from the server is not noticed meanwhile
  2. select based
  3. non-blocking IO
  4. fork, one for client to server, one for server to client
  5. thread, one for client to server, one for server to client

Server Strategies:

  1. iterative server
  2. concurrent server, one fork per client request
  3. prefork, each child calls accept
  4. prefork, file locking to protect accept
  5. prefork, thread mutex to protect accept
  6. prefork, with parent passing socket to child
  7. concurrent server, one thread per client
  8. prethread with mutex to protect accept
  9. prethread with main thread calling accept