Sunday, December 9, 2007

Needham Schroeder

I was looking for a diagram which explains the Needham-Schroeder symmetric key protocol but could not find one, so this is what I drew using the information I have on this protocol.

Steps 1, 2 and 3 seem to be compulsory, because every text describes these three steps, but some texts have omitted steps 4 and 5, and they describe that the lack of steps 4 and 5 makes the Needham-Schroeder symmetric key protocol vulnerable, because "A" cannot know whether message 3 was delivered to the intended recipient "B"...
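Since the diagram is missing, here is the five-message exchange written out as runnable Python. This is an added example and not code from the original post: the parties A, B and the key server S run in one process, the encryption is a toy SHA-256/HMAC construction used only to nest the messages the way the protocol does (not a real cipher), and the optional third party "C" and the `deliver_msg3_to` switch are my additions to show the point made above, namely that without steps 4 and 5 A gets no evidence that message 3 reached B.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption (SHA-256 keystream + HMAC tag). It exists only so the
# messages can be nested the way the protocol nests them; it is not a real cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def enc(key: bytes, pt: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def dec(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Length-prefixed field packing, so a nested ciphertext travels unchanged.
def pack(*fields: bytes) -> bytes:
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(blob: bytes) -> list:
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields

def run_protocol(with_confirmation: bool = True, deliver_msg3_to: str = "B") -> dict:
    """Run A <-> S <-> B in one process. deliver_msg3_to="C" misdelivers message 3
    to a third party that shares a different key with S, to show what A can and
    cannot learn with and without steps 4 and 5 (constructed scenario)."""
    long_term = {name: secrets.token_bytes(16) for name in ("A", "B", "C")}  # K_AS, K_BS, K_CS
    k_as = long_term["A"]

    # Step 1  A -> S : A, B, N_A
    n_a = secrets.token_bytes(8)
    msg1 = pack(b"A", b"B", n_a)

    # Step 2  S -> A : {N_A, B, K_AB, {K_AB, A}_K_BS}_K_AS
    a, b, n_a_seen = unpack(msg1)
    k_ab = secrets.token_bytes(16)
    ticket = enc(long_term[b.decode()], pack(k_ab, a))
    msg2 = enc(long_term[a.decode()], pack(n_a_seen, b, k_ab, ticket))

    # A checks that the reply is fresh (its own nonce) and names the right peer (B).
    n_a_back, b_back, k_ab_at_a, msg3 = unpack(dec(k_as, msg2))
    if n_a_back != n_a or b_back != b"B":
        raise ValueError("A: reply from S does not match the request")

    # Step 3  A -> B : {K_AB, A}_K_BS   (only the holder of K_BS can open it)
    try:
        k_ab_at_b, peer = unpack(dec(long_term[deliver_msg3_to], msg3))
    except ValueError:  # wrong recipient: cannot decrypt, so nothing ever comes back to A
        return {"keys_match": False, "a_confirmed": False, "b_confirmed": False}
    result = {"keys_match": k_ab_at_b == k_ab_at_a and peer == b"A",
              "a_confirmed": False, "b_confirmed": False}
    if not with_confirmation:
        return result  # A has sent message 3 but holds no evidence that B received it

    # Step 4  B -> A : {N_B}_K_AB   shows A that the ticket reached someone holding K_AB
    n_b = secrets.token_bytes(8)
    n_b_at_a = dec(k_ab_at_a, enc(k_ab_at_b, n_b))
    result["a_confirmed"] = True

    # Step 5  A -> B : {N_B - 1}_K_AB   shows B that A holds K_AB and is live
    expected = (int.from_bytes(n_b, "big") - 1) % (1 << 64)
    reply = (int.from_bytes(n_b_at_a, "big") - 1) % (1 << 64)
    msg5 = enc(k_ab_at_a, reply.to_bytes(8, "big"))
    result["b_confirmed"] = int.from_bytes(dec(k_ab_at_b, msg5), "big") == expected
    return result
```

Calling `run_protocol()` returns all three flags true; `run_protocol(with_confirmation=False)` returns a matching key but `a_confirmed` false, and `run_protocol(deliver_msg3_to="C")` shows that a misdelivered ticket simply produces no message 4, which is exactly the situation steps 4 and 5 let A detect.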

Tuesday, October 30, 2007

CC error

Two weeks ago I was in a meeting; the issue was about "CC error". Since no one really knew what a "cc error" is, I was asked to figure out what a CC error is. Well... this was a task with no real information in hand. Actually I knew it was something to do with video multicasting, so I was looking for some clue about the cc error in the UDP/RTP header, but... found basically nothing; the problem was I did not know what 'cc' stands for. Then I assumed that maybe the CC error is related to the MPEG-2 frame... ha ha... yes, I was correct: cc = 'continuity counter'. So the cc error is a "continuity counter error". This counter is used for keeping track of the sequence of the MPEG-2 frames, and if you are seeing "cc error" at the client's end when you are using some video stream analyzer like "IQmedia", the error can be mainly due to:

1) one packet repeated more than twice

2) packets out of sequence

3) packet loss

Each UDP packet of 1316 bytes carries 7 MPEG-2 frames (188-byte transport stream packets). Each MPEG-2 frame has a 4-byte header, and the last byte of that header carries the continuity counter (the 4-bit CC field in the layout below, next to the 2-bit AF field).

Layout of one UDP packet carrying 7 frames:

ETH | IP | UDP | FR-1 | FR-2 | FR-3 | FR-4 | FR-5 | FR-6 | FR-7 | Eth…

Frame 1 (FR-1) header, field widths in bits:

SYN(8) | TEI(1) | PUSI(1) | TP(1) | PID(13) | TSC(2) | AF(2) | CC(4) | Video
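The header layout above and the three error causes listed, turned into a small checker. This is an added example, not code from the post or from any analyzer product: it splits a 1316-byte UDP payload into seven 188-byte packets, decodes the 4-byte header into the fields named above, and tracks the continuity counter per PID the way a stream analyzer would. The rule that one repeat is tolerated and a second is an error follows the post's "repeated more than twice"; deciding loss versus out-of-sequence from the mod-16 distance is my heuristic. The sample payload is constructed.

```python
import struct

TS_PACKET = 188
TS_PER_UDP = 7            # 7 x 188 = 1316 bytes of UDP payload, as in the post
SYNC_BYTE = 0x47          # the SYN(8) field

def parse_ts_header(pkt: bytes) -> dict:
    """Decode the 4-byte header shown above into its fields."""
    if len(pkt) != TS_PACKET or pkt[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte TS packet starting with 0x47")
    _, flags_pid, ctrl = struct.unpack("!BHB", pkt[:4])
    return {
        "tei": (flags_pid >> 15) & 1,   # transport error indicator
        "pusi": (flags_pid >> 14) & 1,  # payload unit start indicator
        "tp": (flags_pid >> 13) & 1,    # transport priority
        "pid": flags_pid & 0x1FFF,      # 13-bit packet identifier
        "tsc": (ctrl >> 6) & 3,         # transport scrambling control
        "af": (ctrl >> 4) & 3,          # adaptation field control (bit 0 = payload present)
        "cc": ctrl & 0x0F,              # 4-bit continuity counter
    }

def build_ts_packet(pid: int, cc: int, af: int = 1) -> bytes:
    """Constructed sample packet: valid header followed by zero filler."""
    header = struct.pack("!BHB", SYNC_BYTE, pid & 0x1FFF, (af << 4) | (cc & 0x0F))
    return header + bytes(TS_PACKET - 4)

def split_udp_payload(payload: bytes) -> list:
    if len(payload) % TS_PACKET:
        raise ValueError("UDP payload is not a whole number of TS packets")
    return [payload[i:i + TS_PACKET] for i in range(0, len(payload), TS_PACKET)]

def check_continuity(packets: list) -> list:
    """Return (index, pid, description) for each CC error.

    Per PID the counter must advance by one (mod 16) on every packet carrying
    payload. One identical repeat is tolerated; a second repeat, a forward jump
    (loss) or a backward jump (out of sequence) is reported. Forward/backward is
    decided from the mod-16 distance, which is a heuristic, not part of the spec."""
    errors, last_cc, repeats = [], {}, {}
    for idx, pkt in enumerate(packets):
        h = parse_ts_header(pkt)
        pid, cc = h["pid"], h["cc"]
        if pid == 0x1FFF or not (h["af"] & 1):
            continue  # null packets and adaptation-only packets do not advance CC
        if pid not in last_cc:
            last_cc[pid], repeats[pid] = cc, 0
            continue
        prev = last_cc[pid]
        if cc == (prev + 1) % 16:
            repeats[pid] = 0
        elif cc == prev:
            repeats[pid] += 1
            if repeats[pid] > 1:
                errors.append((idx, pid, "packet repeated more than twice"))
        else:
            kind = "packet loss" if (cc - prev) % 16 < 8 else "packets out of sequence"
            errors.append((idx, pid, f"{kind} (expected cc {(prev + 1) % 16}, got {cc})"))
        last_cc[pid] = cc
    return errors

def analyze_udp_payload(payload: bytes) -> list:
    return check_continuity(split_udp_payload(payload))

def sample_payload() -> bytes:
    """Constructed 1316-byte payload for PID 0x100: cc 0,1,2 fine; 2 repeated once (ok);
    2 repeated again (error); then 5 (cc 3 and 4 missing: loss); then 6 (fine)."""
    return b"".join(build_ts_packet(0x100, cc) for cc in (0, 1, 2, 2, 2, 5, 6))
```

Running `analyze_udp_payload(sample_payload())` reports two errors, at packet index 4 (third copy of cc 2) and index 5 (jump from 2 to 5), which is the kind of thing a "cc error" counter in the analyzer is adding up.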

DHCP infinite lease

Found something interesting. This happened with many major DOCSIS 2.0 cable modem brands. The problem is: if you set the DHCP lease time to infinite, that is, the 32 bits in the DHCP header (option 51) that define the DHCP lease time are set to

FF FF FF FF

then the cable modem will fail to register with the CMTS. The maximum value you can use is 7F FF FF FF, i.e. the most significant bit is made zero:

0111 1111 1111 1111 1111 1111 1111 1111
   7    F    F    F    F    F    F    F

I used the DHCP Turbo server, where there is an option to set an infinite lease.

I wrote a small MATLAB script to calculate how many days, hours, minutes and seconds 7F FF FF FF is:

--------------------------------------------
format long
x = hex2dec('7fffffff');      % lease time in seconds
days = fix(x/(3600*24))       % whole days
y = x - days*3600*24;         % seconds left after the days
hours = fix(y/3600)
z = y - hours*3600;           % seconds left after the hours
minutes = fix(z/60)
seconds = z - minutes*60
---------------------------------------------

answer:

>> dhcplease
days = 24855
hours = 3
minutes = 14
seconds = 7

Sunday, July 8, 2007

IP multicasting

IP multicasting is a very interesting thing: many protocols handle the multicast traffic at different segments of the network, but all the traffic is sent as UDP (RTP).

A typical IP multicasting environment with the IGMP and PIM protocols will look like this:

PIM - used by routers to communicate with each other about which multicast traffic to forward and which not to.

IGMP - for video clients to join their local multicast server to watch videos.


In my environment I have already simulated the IGMP part; for that I used the following equipment:

Local multicast router: L3 D-Link switch / PANEX SF-0420G - both are switches with a multicast routing feature for IGMP

L2 switch for IGMP snooping: BAS-8124 Hitron DSLAM / D-Link DES-3516 / DrayTek A24M DSLAM

Multicast server / multicast client: http://www.videolan.org/ - VLC media player

VLC media player is one cool piece of software, easy to configure, and it works perfectly...

VLC player - server configuration:

File - Open ->

Streaming setting - select RTP and set the multicast address:

The multicast address range is:
IP: 224.0.0.0 through 239.255.255.255

These IP addresses are mapped to MAC addresses of the form 01:00:5E:xx:xx:xx.

To learn about the multicast address range and the IP-to-MAC mapping of multicast addresses: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ipmulti.htm#wp1020554

*** Some multicast addresses are used for special purposes; therefore, to be on the safe side, I normally use:

225.1.1.5, 226.1.1.6, 227.1.1.7
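The address-to-MAC mapping mentioned above, as an added example (not code from the post). It checks the 224.0.0.0/4 group range, derives the 01:00:5E:xx:xx:xx address by copying the low 23 bits of the group address into the MAC (the RFC 1112 rule behind the form the post gives), lists the 32 groups that collide on one MAC (the reason a 224.x group and a 225.x group can look identical to an IGMP snooping switch), and flags the 224.0.0.0/24 control block, which is one of the "special purpose" ranges the post alludes to. Standard library only.

```python
import ipaddress

GROUP_RANGE = ipaddress.IPv4Network("224.0.0.0/4")        # 224.0.0.0 - 239.255.255.255
LOCAL_CONTROL = ipaddress.IPv4Network("224.0.0.0/24")     # all-hosts, all-routers, PIM routers, ...
MAC_PREFIX = 0x01005E                                     # the fixed top 24 bits, 01:00:5E

def is_multicast(ip: str) -> bool:
    return ipaddress.IPv4Address(ip) in GROUP_RANGE

def multicast_mac(ip: str) -> str:
    """Map a group address to its Ethernet address: prefix 01:00:5E, one zero bit,
    then the low 23 bits of the IPv4 address. The top 5 variable bits of the
    address are dropped, so 32 different groups share each MAC."""
    if not is_multicast(ip):
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    mac = (MAC_PREFIX << 24) | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))

def mac_aliases(ip: str) -> list:
    """All 32 group addresses that map to the same MAC as ip (ip itself included)."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]

def is_reserved_local(ip: str) -> bool:
    """224.0.0.0/24 is the link-local control block (224.0.0.1 all hosts, 224.0.0.2
    all routers, 224.0.0.13 all PIM routers); it is never a good choice for a
    video group, and snooping switches flood it regardless of IGMP state."""
    return ipaddress.IPv4Address(ip) in LOCAL_CONTROL

def describe_group(ip: str) -> dict:
    """Everything a lab engineer wants to know before picking a group address."""
    return {
        "ip": ip,
        "mac": multicast_mac(ip),
        "reserved_local": is_reserved_local(ip),
        "shares_mac_with": [g for g in mac_aliases(ip) if g != ip],
    }
```

For the post's first group, `describe_group("225.1.1.5")` gives MAC 01:00:5E:01:01:05 and lists 224.1.1.5, 224.129.1.5, 225.129.1.5 and so on among the 31 other groups that land on the same MAC.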


Now if you want to see whether your video server is working... it's very simple: just connect another PC with the VLC media player to the same hub (do not use a switch for this simple test, because the IGMP snooping feature in the switch will block the multicast traffic).
Video client settings: just enter the same multicast address...
File -> Open Network Stream (ctrl+N)

...yes, you can watch the video stream you are sending from the server now!!! Pretty easy, huh...

To set up the IGMP environment:

Local multicast router - configure the query interval

L2 switch - enable IGMP snooping

*** The procedure depends on the particular device, but the setting names are common; it should not be difficult to configure.

*** When you join a video stream you can watch video, but after some time, like 5 minutes, the video times out. This happens when the multicast router is not sending periodic membership queries; check your local multicast router configuration.

Testing PIM - I am working on this now. The device I am trying to test only supports PIM-DM, and its WAN interface is a cable modem; therefore I observed the PIM table of the CMTS and of the device.
CMTS: Cable Modem Termination System

The CMTS is a router; it can send PIM hello messages to its neighbours. The device I am testing (cable modem residential gateway) also sends PIM hello to its neighbours; therefore I could observe that the CMTS and the residential gateway can learn that they are neighbours, but so far I was not able to make the CMTS flood multicast traffic to the cable modem RG (according to PIM-DM). I can see the (Source, Group) entry in the CMTS but it does not forward the multicast traffic to the cable interface.

Wednesday, June 27, 2007

SIP

Yup, I set up a SIP server (SIP proxy) to test VoIP with our IP DSLAM... no problem so far; VoIP uses very little bandwidth. In the beginning I thought it would be very difficult to set up a SIP server, but it was much easier than I expected, and the software is available freely from many vendors. Here I will explain how to use:

SIP server : http://www.brekeke.com/download/download_sip_2_0.php ( SIP server 2.0)
SIP client : http://www.counterpath.com/index.php?menu=Products&smenu=xlite (X-lite 3.0)

First: you need three PCs (two PCs is also OK) and a small hub to make a small network.

*** Maybe you can use VMware to run three OSes on the same PC, so you do not need a network.

Step - 1

Install the SIP server on the server PC; Windows XP is the best for this (get an academic licence; the process is a bit long but it works and it's free)...

Install the SIP server: for an easy and trouble-free installation,

1) make your IP address fixed (manually assigned, NO DHCP); if the IP address is "assigned by DHCP" the server will refuse to start!!
2) make sure that you can access the internet through the same IP address.

*** Even if you cannot access the internet through the same IP you can get this working, but... kind of... it can cause you trouble... just follow the instructions on http://www.brekeke.com/products/products_sip_quickstart.php

username : sa
password : sa

Add two user accounts:

* Better to use numbers as user accounts, e.g. 101, but you can use names as well, e.g. "ruwan"...

The SIP server uses TCP port 5060; make sure that the network you are in allows this port!!! (If this is a local environment and there is NO firewall you do not have to worry about this.)

Add the user info:

Click "add", and that's it!!! Add another user the same way, maybe with user name "104", so that you have two accounts for VoIP phones, 103 and 104... you can call from 103 to 104 and vice versa...
Step 2: set up two SIP clients on two PCs... or two virtual machines...

Install...

Add a new SIP account (add user) - "SIP account settings"

Now just type the number of your other SIP client (maybe 104)... :D... yes, you will hear the ring!!! ha ha ha

You can always contact me if you face any issue!!! ah ha ha...

Friday, June 15, 2007

Active FTP vs Passive FTP

Wooooow... yup... spent almost a day testing active FTP and passive FTP through a firewall. What was interesting was not the firewall but the "active and passive FTP".

Tools:
Fedora Core 6 - FTP server
Fedora Core 4 - FTP client

I actually tried to use a Windows client but could not find the command to disable "passive mode FTP"... but I found one article about how to disable passive FTP in Internet Explorer.
Surprisingly I found a bug in Fedora Core 4: when the FTP client sends the "PORT" command or the "Passive" command etc., the packet sent has a checksum error in the TCP section!!!

The first problem I faced: how can I initiate an active FTP session, because all FTP clients use passive FTP by default!!! ... After a lot of searching I figured out that it's not that difficult.

Open a Linux shell, type "ftp" and then type "passive"; then you will see the message "Passive mode off":
shell> ftp
ftp> passive
Passive mode off
ftp>

Then just use the get command to download some file!!! You have yourself an ACTIVE FTP connection!!!
ftp> get test.txt

And use Ethereal to capture packets... then you can see for sure that it was an active FTP session!!!
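What you will see in that Ethereal capture is the difference in who opens the data connection, which is the whole reason active and passive FTP behave differently through a firewall. The following is an added example, not code from the post: it parses the client's PORT command (active mode) and the server's 227 reply (passive mode) into the host and port of the data channel, records which side initiates the connection, and states the rule a firewall between the two hosts would have to allow. The sample command lines and addresses are constructed.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by both the PORT command and the 227 reply (RFC 959)
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"

def _endpoint(m) -> tuple:
    """Turn the six comma-separated numbers into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    host = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")  # rejects octets above 255
    if p1 > 255 or p2 > 255:
        raise ValueError("port bytes must be 0-255")
    return str(host), p1 * 256 + p2

def parse_port_command(line: str) -> dict:
    """Active mode: the client sends PORT with an address it is listening on, and
    the SERVER connects to it (classically from its port 20). A firewall on the
    client side therefore sees an inbound connection."""
    m = re.fullmatch(r"PORT\s+" + _HP + r"\s*", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _endpoint(m)
    return {"mode": "active", "connect_to": (host, port), "initiator": "server"}

def parse_pasv_reply(line: str) -> dict:
    """Passive mode: the client sends PASV, the server answers 227 with an address
    it is listening on, and the CLIENT connects out to it, which is why passive
    mode is the one that works through a client-side firewall."""
    m = re.match(r"227\s+.*?\(" + _HP + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 Entering Passive Mode reply: {line!r}")
    host, port = _endpoint(m)
    return {"mode": "passive", "connect_to": (host, port), "initiator": "client"}

def firewall_rule(info: dict, client_ip: str, server_ip: str) -> str:
    """The data-channel flow a firewall between client and server must allow."""
    host, port = info["connect_to"]
    if info["mode"] == "active":
        return f"allow {server_ip}:20 -> {host}:{port} (inbound to the client)"
    return f"allow {client_ip}:* -> {host}:{port} (outbound from the client)"

def classify_control_channel(lines: list) -> list:
    """Scan captured control-channel lines and describe each data channel set-up.
    Lines that are not PORT commands or 227 replies are ignored."""
    found = []
    for line in lines:
        for parser in (parse_port_command, parse_pasv_reply):
            try:
                found.append(parser(line))
                break
            except ValueError:
                continue
    return found

# Constructed control-channel excerpt: one active and one passive transfer.
SAMPLE_CAPTURE = [
    "USER test",
    "PORT 192,168,1,10,4,1",            # client listens on 192.168.1.10:1025
    "RETR test.txt",
    "PASV",
    "227 Entering Passive Mode (192,168,1,20,195,80)",  # server listens on :50000
    "RETR test.txt",
]
```

`classify_control_channel(SAMPLE_CAPTURE)` yields one active entry (server connects to 192.168.1.10:1025) and one passive entry (client connects to 192.168.1.20:50000); feeding each to `firewall_rule` spells out the two opposite flows the firewall test in the post was really about.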

Saturday, June 2, 2007

PPPoE / PPPoA / IPoE

I did a small online research on the different methods of providing broadband services over ADSL. Well... mainly it can be PPPoE, PPPoA or IPoE (actually because one customer asked me this question). PPPoE is the most popular and IPoE is the most modern, but due to some security gaps and technology immaturity it is not used on a large scale.

PPPoE - the PPPoE client can be in the PC or in the modem; the diagram below is the case when the PPPoE client is built into the modem. The user name and password will be set in the modem. For the IP DSLAM there is nothing much to do with the PPPoE packets other than pass them through. According to TR-101 the DSLAM should add a tag to identify the ADSL port from which the PPPoE session is initiated.

For testing purposes, you can use a Linux PC and run the RP-PPPoE server on Linux (I used FC4), or if you LOVE Windows you can use http://www.raspppoe.com/ RASPPPoE protocol, which works both as server and as client.

PPPoA - the PPPoA client can be the modem or an ATM network card plugged into a PCI slot of the PC. Anyway, it seems that using PPPoA is not very popular now due to the popularity of Ethernet technology. Anyway, DSLAMs are supposed to be able to detect automatically what type of connection the modem is requesting; therefore if you set PPPoA in your modem (though originally it was set to PPPoE) there is a good possibility that the ISP's DSLAM will automatically detect this and allow your modem to establish a link.

Pure PPPoA environment, when the ISP's network infrastructure is ATM:

PPPoA in a PPPoE environment, where the IP DSLAM will convert the PPPoA into PPPoE:

IPoE - was the easiest to set up and configure; I used IEEE 802.1X for authentication and DHCP with a relay agent and option 82.

Sunday, May 27, 2007

PPPoE Circuit ID tagging feature in DSLAM

This is the latest issue I am dealing with: I am supposed to test this feature in the DSLAM project I am working on!!!

In an Ethernet access network, there is no unique mapping between the subscriber and the ADSL port. This causes problems in RADIUS access and accounting, because the RADIUS server expects the BRAS to send information about the ADSL port it is authenticating and accounting for.

How this works: during the authentication phase the BRAS includes the NAS-Port-Id attribute (RADIUS attribute 87) in the RADIUS Authentication and RADIUS Accounting requests, and that attribute identifies the DSL line of the subscriber.

To overcome this problem, DSL Forum TR-101 proposes that the DSLAM sends the DSL Line-Id in the PPP over Ethernet (PPPoE) discovery phase packets.

RFC 2516 – defines A Method for Transmitting PPP Over Ethernet (PPPoE).

TR-101 specifies that the Vendor-Specific TAG 0x0105 in PPPoE discovery packets should be added by the DSLAM:

----------------------------------------------------------------
0x0105 Vendor-Specific
This TAG is used to pass vendor proprietary information. The first four octets of the TAG_VALUE contain the vendor id and the remainder is unspecified. The high-order octet of the vendor id is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the Vendor in network byte order, as defined in the Assigned Numbers RFC [4]. Use of this TAG is NOT RECOMMENDED. To ensure inter-operability, an implementation MAY silently ignore a Vendor-Specific TAG.
----------------------------------------------------------------

The Vendor-Specific TAG 0x0105 will look like this after the DSLAM tags the PPPoE packet with the Circuit-ID:

This tag will be identified by the BRAS (PPPoE server) and sent to the RADIUS server with the Authentication request and the Accounting request as RADIUS attribute 87 (in RFC 2869).
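Since the screenshot of the tagged packet did not survive, here is the same thing built and decoded in Python. This is an added example, not code from the post or from any DSLAM or BRAS vendor: it encodes a PPPoE PADI per RFC 2516, appends the 0x0105 Vendor-Specific tag the way a DSLAM would (vendor id = the DSL Forum's IANA enterprise number 3561 with the high-order octet zero, then sub-options 0x01 Agent-Circuit-Id and 0x02 Agent-Remote-Id, as TR-101 specifies; these values come from the specification, not from the post), and then shows the BRAS side reading the circuit id back to fill NAS-Port-Id. The circuit-id string follows the TR-101 "Access-Node-Identifier atm slot/port:vpi.vci" syntax and is constructed.

```python
import struct

# PPPoE discovery stage (RFC 2516): 0x11 = version 1 / type 1, then code, session id, payload length
PADI, PADR = 0x09, 0x19
TAG_SERVICE_NAME, TAG_HOST_UNIQ, TAG_VENDOR_SPECIFIC = 0x0101, 0x0103, 0x0105
# IANA enterprise number of the DSL Forum, which TR-101 puts in the vendor id field
# (value from the spec, not from this post); packed as 4 bytes the high-order octet is 0
ENTERPRISE_DSL_FORUM = 3561
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02

def build_tags(tags: list) -> bytes:
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)

def build_discovery(code: int, tags: list, session: int = 0) -> bytes:
    payload = build_tags(tags)
    return struct.pack("!BBHH", 0x11, code, session, len(payload)) + payload

def parse_discovery(pkt: bytes) -> tuple:
    """Return (code, session, [(tag_type, tag_value), ...])."""
    vt, code, session, length = struct.unpack("!BBHH", pkt[:6])
    if vt != 0x11 or len(pkt) < 6 + length:
        raise ValueError("not a well-formed PPPoE discovery packet")
    tags, i, end = [], 6, 6 + length
    while i + 4 <= end:
        t, n = struct.unpack("!HH", pkt[i:i + 4])
        tags.append((t, pkt[i + 4:i + 4 + n]))
        i += 4 + n
    return code, session, tags

def dslam_tag_line_id(pkt: bytes, circuit_id: str, remote_id: str = "") -> bytes:
    """DSLAM side: append the 0x0105 tag carrying the line identity to an upstream PADI/PADR."""
    code, session, tags = parse_discovery(pkt)
    if code not in (PADI, PADR):
        return pkt  # only the subscriber-originated discovery packets are tagged
    sub = struct.pack("!BB", SUB_CIRCUIT_ID, len(circuit_id)) + circuit_id.encode()
    if remote_id:
        sub += struct.pack("!BB", SUB_REMOTE_ID, len(remote_id)) + remote_id.encode()
    value = struct.pack("!I", ENTERPRISE_DSL_FORUM) + sub
    return build_discovery(code, tags + [(TAG_VENDOR_SPECIFIC, value)], session)

def bras_line_id(pkt: bytes) -> tuple:
    """BRAS side: recover (circuit_id, remote_id) to fill RADIUS NAS-Port-Id (87);
    (None, None) if the packet carries no DSL Forum vendor tag."""
    _, _, tags = parse_discovery(pkt)
    for t, v in tags:
        if t != TAG_VENDOR_SPECIFIC or len(v) < 4 or struct.unpack("!I", v[:4])[0] != ENTERPRISE_DSL_FORUM:
            continue
        subs, i = {}, 4
        while i + 2 <= len(v):
            st, n = v[i], v[i + 1]
            subs[st] = v[i + 2:i + 2 + n].decode(errors="replace")
            i += 2 + n
        return subs.get(SUB_CIRCUIT_ID), subs.get(SUB_REMOTE_ID)
    return None, None

def sample_padi() -> bytes:
    """Constructed PADI as a modem would send it: empty Service-Name plus a Host-Uniq."""
    return build_discovery(PADI, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"\x00\x01")])
```

Passing `sample_padi()` through `dslam_tag_line_id(..., "dslam01 atm 1/3:0.35")` and then `bras_line_id` gives the circuit id back, which is the string the BRAS forwards as NAS-Port-Id; an untagged PADI gives `(None, None)`, which is what a BRAS sees when the DSLAM feature is switched off.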

-------------------------------------------------------------
5.17. NAS-Port-Id Description
This Attribute contains a text string which identifies the port of the NAS which is authenticating the user. It is only used in Access-Request and Accounting-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Id SHOULD be present in an Access- Request packet, if the NAS differentiates among its ports. NAS- Port-Id is intended for use by NASes which cannot conveniently number their ports. A summary of the NAS-Port-Id Attribute format is shown below. The fields are transmitted from left to right.
Type 87 for NAS-Port-Id.
--------------------------------------------------------------

To come up with the above content I referred to the documents given below:

RFC 4679 - Vendor-Specific RADIUS Attributes
RFC 2865 - RADIUS Authentication
RFC 2866 - RADIUS Accounting
RFC 2869 - RADIUS Extensions
RFC 2516 - A Method for Transmitting PPP Over Ethernet (PPPoE)
TR-101 - Migration to Ethernet-Based DSL Aggregation
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804fc456.html

Sunday, May 20, 2007

ADSL ???

One thing that was not taught about ADSL at university (at least in my case) was that the data communication between the DSLAM and the modem is ATM:

This is the case when you are using an IP DSLAM, but if you are using a DSLAM with an ATM uplink the communication from the modem to the aggregator can be over ATM, or even from the PC to the aggregator can be ATM; but now many ISPs are using IP DSLAMs.

DHCP relay & Option 82

I had a hard time searching for a DHCP server which supports the DHCP relay function as well as DHCP option 82:

DHCP option 82 - provides a method for the relay agent to send its own information and the DHCP client's port information to the DHCP server; according to my experience this feature is quite popular in IP DSLAMs.

Well, I tried a few DHCP servers:

Windows 2000 Advanced Server - DHCP option 82 was not available originally, but when Service Pack 4 was installed DHCP option 82 became available; due to the lack of explanation about how to set up option 82, I still could not set up option 82 in Windows 2000 Advanced Server.

Linux, Fedora Core 4 - by default the DHCP server supports DHCP option 82; I did not have to configure anything. When it receives a DHCP discover with option 82, the FC4 server replies with option 82.

DHCP Turbo - I downloaded DHCP Turbo from the Internet (trial version). Well, this software supports option 82, but the software was not that stable; after some time it stops responding to any DHCP discover... then I had to restart my PC to make the DHCP server work again. Hope they will fix the stability issues. Anyway it was very easy to configure and does not need any special server platform to work, so it was very useful.
http://www.weird-solutions.com/weirdSolutions/pages/02products/02turbo/dhcpTurbo/index.php
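The two DHCP details on this page, the lease-time field from the "DHCP infinite lease" post above and the relay agent information option here, both live in the same TLV option area, so one added example serves both. This is my code, not the post's and not any DHCP server's: it encodes and decodes the option area after the magic cookie, reads option 51 as both an unsigned and a signed 32-bit value (the post only reports that FF FF FF FF fails on those modems and 7F FF FF FF works; that the firmware treats the field as signed is my assumption about why), converts the lease into days/hours/minutes/seconds like the MATLAB script, and shows the relay inserting option 82 with the RFC 3046 sub-options and the server echoing it back unchanged, which is the behaviour described for the FC4 server. Sample circuit/remote ids are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                          # RFC 2131 options magic cookie
OPT_MSG_TYPE, OPT_LEASE_TIME, OPT_RELAY_AGENT, OPT_END = 53, 51, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2                 # RFC 3046 option 82 sub-options
INFINITE_LEASE = 0xFFFFFFFF                          # RFC 2132 "infinite" lease value
MAX_ACCEPTED_LEASE = 0x7FFFFFFF                      # largest value the post's modems accepted

def encode_options(opts: list) -> bytes:
    """opts is [(code, value_bytes), ...]; returns cookie + TLVs + end marker."""
    return MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def decode_options(blob: bytes) -> dict:
    if blob[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, n = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + n]
        i += 2 + n
    return opts

def lease_time(value: bytes) -> dict:
    """Interpret an option 51 value both ways and split it into d/h/m/s."""
    secs = struct.unpack("!I", value)[0]
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return {
        "seconds": secs,
        "dhms": (days, hours, minutes, seconds),
        "signed32": struct.unpack("!i", value)[0],   # -1 for FF FF FF FF (assumed cause of the failure)
        "infinite": secs == INFINITE_LEASE,
        "modem_ok": secs <= MAX_ACCEPTED_LEASE,       # the rule the post arrived at by experiment
    }

def relay_insert_option82(opts: list, circuit_id: bytes, remote_id: bytes) -> list:
    """What the DSLAM / relay agent does to the client's DISCOVER before forwarding it."""
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return opts + [(OPT_RELAY_AGENT, sub)]

def parse_option82(value: bytes) -> dict:
    subs, i = {}, 0
    while i + 2 <= len(value):
        st, n = value[i], value[i + 1]
        subs[st] = value[i + 2:i + 2 + n]
        i += 2 + n
    return subs

def server_reply_options(request_opts: dict, offered_lease: int) -> list:
    """Server side: offer the lease and, if the request carried option 82, echo it back
    byte for byte (RFC 3046 section 2.2) so the relay can route the reply to the right port."""
    reply = [(OPT_MSG_TYPE, b"\x02"), (OPT_LEASE_TIME, struct.pack("!I", offered_lease))]
    if OPT_RELAY_AGENT in request_opts:
        reply.append((OPT_RELAY_AGENT, request_opts[OPT_RELAY_AGENT]))
    return reply
```

`lease_time(b"\x7f\xff\xff\xff")` returns the same 24855 days, 3 hours, 14 minutes, 7 seconds the MATLAB script printed, with `modem_ok` true, while the all-ones value comes back as `infinite` and `modem_ok` false; the option 82 round trip shows the relay-inserted sub-options surviving unchanged into the server's reply.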

I will write more about DHCP, especially my experience with the DHCP server responding unicast or broadcast!!!


Ruwan Indika