mod1-05.html

<!doctype html>
<html lang="en">

	<head>
		<meta charset="utf-8">

		<title>Advanced Networking - Module 1 Chapter 5 - Ethernet</title>

		<meta name="description" content="Abilitante alle certificazioni Cisco CCENT e CCNA">
		<meta name="author" content="Hacklab Cosenza">

		<meta name="apple-mobile-web-app-capable" content="yes">
		<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

		<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

		<link rel="stylesheet" href="css/reveal.css">
		<link rel="stylesheet" href="css/theme/hlcs.css" id="theme">

		<!-- Code syntax highlighting -->
		<link rel="stylesheet" href="lib/css/zenburn.css">

		<!-- Printing and PDF exports -->
		<script>
			var link = document.createElement( 'link' );
			var link = document.createElement( 'link' );
			link.rel = 'stylesheet';
			link.type = 'text/css';
			link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
			document.getElementsByTagName( 'head' )[0].appendChild( link );
		</script>

		<!--[if lt IE 9]>
		<script src="lib/js/html5shiv.js"></script>
		<![endif]-->
	</head>

	<body>

		<div class="reveal">

			<!-- Any section element inside of this container is displayed as a slide -->
			<div class="slides">
				<section>
					<h1>Advanced Networking</h1>
					<h2>Routing &amp; Switching:</h2>
					<h2>Introduction to Networks</h2>
					<h3>Chapter 5: Ethernet</h3>
					<small><a href="http://hlcs.it">Hacklab Cosenza</a> / Centro di Ricerca su Tecnologia e Innovazione</small>
				</section>

				<section>
					<h2>What is Ethernet?</h2>
					<p>Ethernet is a <strong>networking technology</strong> whose standards operate in, and define, Data Link (L2) and Physical (L1) Layers.</p>
					<p>It is the dominant technology <strong>for Local Area Networks</strong>.</p>
					<p>Ethernet specifications comprises <strong>different L1 and L2 variations</strong>, but the frame format and addressing is basically the same across all variants.</p>
				</section>

				<section>
					<h2>Recap: L2 LLC &amp; MAC Sublayer</h2>
					<img src="http://i.imgur.com/MQJ1hQu.jpg" style="width: 30%; height: 30%;">
					<ul>
						<li><strong>LLC</strong>: comunicates with upper layers, implemented in software, independent from the hardware.</li>
						<li><strong>MAC</strong>: does data encapsulation and media access control, as such is implemented in hardware.</li>
						<ul>
							<li><strong>Data Encapsulation</strong>: frame delimiting, addressing, error detection.</li>
							<li><strong>Media Access Control</strong>: CSMA/CD for modern Ethernet (not really needed with today's switches).</li>
						</ul>
					</ul>
				</section>

				<section>
					<h2>Ethernet Evolution</h2>
					<ul>
						<li><strong>1980-1990</strong>: 10 Mb/s over coaxial cable (802.3/a/i)</li>
						<li><strong>1990-1994</strong>: 10 Mb/s over twister pair and fiber optic (802.3j/u) </li>
						<li><strong>1995</strong>: 100 Mb/s (<em>FastEthernet</em>) over TP and FO (802.3u)</li>
						<li><strong>1998-1999</strong>: 1000 Mb/s (<em>GigabitEthernet</em>) over TP and FO (802.3z/ab) </li>
						<li><strong>2002</strong>: 10 Gb/s over FO (802.3ae)</li>
						<li><strong>2006</strong>: 10 Gb/s over TP (802.3an)</li>
						<li><strong>2003,2009</strong>: Power over Ethernet for 100/1000 Mb/s (802.af/at) </li>
						<li><strong>2015</strong>: 40 Gb/s and 100 Gb/s over FO</li>
						<li><strong>2016</strong>: 2.5 Gb/s and 5 Gb/s over TP</li>
					</ul>
				</section>

				<section>
					<h2>MAC Address Structure</h2>
					<p>MAC addressing allows devices to identify frame's destination <strong>without the overhead of deincapsulation</strong>.</p>
					<p>Ethernet MAC addresses are <strong>48 bits</strong> long, expressed as 12 hex digits, split in two parts:</p>
					<ul>
						<li>First 3 bytes are the <strong>Organizationally Unique Identifier (OUI)</strong>. <u>Every Ethernet device produced by one vendor must have a MAC address starting with same OUI</u>.</li>
						<li>Last 3 bytes are vendor-assigned. <u>This part must be unique for every device that has the same OUI</u> (vendor).</li>
					</ul>
					<p>e.g.: e8:11:32:4e:48:6b, e8:11:32 is the OUI assigned to Samsung.</p>
				</section>

				<section>
					<h2>Processing the Ethernet Frame</h2>
					<p>The MAC address is stored in NIC's ROM. When the host boots, <strong>the MAC is copied into the RAM</strong>.</p>
					<p>From then each device can send and receive frames, <strong>attaching source and destination MAC addresses</strong> to it.</p>
					<p>When a device receives a frame, <strong>it checks if its MAC address matches the destination</strong>. If it does, it passes the frame to upper layers. If it doesn't, the frame is discarded.</p>
					<p>MAC addresses can be represented with:</p>
					<ul>
						<li><strong>Dashes</strong>: e8-11-32-4e-48-6b (Windows)</li>
						<li><strong>Colons</strong>: e8:11:32:4e:48:6b (*nix)</li>
						<li><strong>Periods</strong>: e811.324e.486b (Cisco)</li>
					</ul>
				</section>

				<section>
					<h2>Ethernet Frame Attributes</h2>
					<p>Composed by the L3 PDU, and a <strong>header+trailer of control informations</strong>, divided in <em>fields</em>.</p>
					<p>There are two (minimally) different Ethernet frames: the <strong>Ethernet II</strong> (also called DIX) and <strong>IEEE 802.3</strong> Ethernet Standards. TCP/IP uses the Ethernet II frame type.</p>
					<p>Ethernet frames minimum size is 64 bytes, max size is 1518 bytes. From IEEE 802.3ac, max size has been extended to 1522 to accomodate for VLANs (Virtual Area Networks).</p>
					<p>Frames &lt; 64 bytes (<em>runt frames</em>) or &gt; 1522 bytes (<em>jumbo frames</em>) get discarded.</p>
				</section>

				<section>
					<section>
						<h2>Ethernet Frame Structure</h2>
						<img src="http://i.imgur.com/mDGaIgC.gif">
					</section>
					<section>
						<h2>Ethernet Frame Structure</h2>
						<ul>
							<li><strong>Preamble</strong>: not formally part of frame, it's a sequence of bytes telling the device to "get ready" for the frame.</li>
							<li><strong>SFD</strong>: <em>Start Frame Delimiter</em>, breaks the preamble pattern and marks the start of the frame.</li>
							<li><strong>Ethertype/Length</strong>: Ethertype in Ethernet II frames, Length of the data field in 802.3 standards. <u>Based on the value contained, the 2 framing styles are distinguished and can both be used.</u></li>
							<ul>
								<li>0x800 IPv4, 0x86DD IPv6, 0x806 ARP. > 0x05DC means Ethernet II.</li>
							</ul>
							<li><strong>Data</strong>: if smaller than 64 bytes, <em>padding</em> is added to respect the minimum length.</li>
							<li><strong>FCS</strong>: <em>Frame Check Sequence</em>, the result of a formula (CRC, <em>Cyclic Redundancy Check</em>) that allows to spot TX errors.</li>
						</ul>
					</section>
				</section>

				<section>
					<section>
						<h2>Binary and Hex: counting</h2>
						<img src="http://i.imgur.com/tpI3roD.gif">
					</section>
					<section>
						<h2>Binary and Hex: grouping</h2>
						<img src="http://i.imgur.com/37LF4pU.gif">
					</section>
				</section>

				<section>
					<section>
						<h2>How to get your MAC address</h2>
						<h3>Linux</h3>
						<pre><code>utente@host:$ ifconfig eth0
eth0      Link encap:Ethernet  IndirizzoHW e8:11:32:4e:48:6b  
          indirizzo inet:10.87.1.131  Bcast:10.87.1.255  Maschera:255.255.255.0
          indirizzo inet6: fe80::ea11:32ff:fe4e:486b/64 Scope:Link
          indirizzo inet6: fd3c:6b96:5233:0:2874:d02e:50ea:409b/64 Scope:Global
          indirizzo inet6: fd3c:6b96:5233:0:ea11:32ff:fe4e:486b/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:109834859 errors:0 dropped:1 overruns:0 frame:0
          TX packets:106355594 errors:0 dropped:0 overruns:0 carrier:0
          collisioni:0 txqueuelen:1000
          Byte RX:81573085337 (81.5 GB)  Byte TX:105092321751 (105.0 GB)</code></pre>
					</section>
					<section>
						<h2>How to get your MAC address</h2>
						<h3>Windows</h3>
						<pre><code>C:\>ipconfig /all
   Scheda Ethernet Connessione alla rete locale (LAN):

   Suffisso DNS specifico per connessione: hlcs.s
   Descrizione . . . . . . . . . . . . . : Scheda Ethernet PCI AMD PCNET Family
   Indirizzo fisico. . . . . . . . . . . : 08-00-27-3B-1B-39
   DHCP abilitato. . . . . . . . . . . . : Sì
   Configurazione automatica abilitata   : Sì
   Indirizzo IP. . . . . . . . . . . . . : 10.0.2.15
   Subnet mask . . . . . . . . . . . . . : 255.255.255.0
   Gateway predefinito . . . . . . . . . : 10.0.2.2
   Server DHCP . . . . . . . . . . . . . : 10.0.2.2
   Server DNS . . . . . . . . . . . . .  : 10.0.2.3
   Lease ottenuto. . . . . . . . . . . . : martedì 11 novembre 2014 17.50.27
   Scadenza lease . . . . . . . . . . .  : mercoledì 12 novembre 2014 17.50.27</code></pre>
					</section>
				</section>

				<section>
					<section>
						<h2>Unicast MAC Address</h2>
						<h3>e8:11:32:4e:48:6b</h3>
						<p>Combines with a <strong>unicast network address</strong>, like an IP unicast address (eg. 192.168.1.127), to deliver the frame to a <u>single</u> host.</p>
					</section>
					<section>
						<h2>Broadcast MAC Address</h2>
						<h3>ff:ff:ff:ff:ff:ff</h3>
						<h4>All 1s!</h4>
						<p>Combines with a <strong>broadcast network address</strong>, like a broadcast IP address (eg. 192.168.1.255), to deliver the frame to <u>every</u> host on a <u>local</u> network.</p>
						<p>Many fundamentals network protocols and mechanisms, like ARP and DHCP, <strong>rely on broadcast</strong>.</p>
					</section>
					<section>
						<h2>Multicast MAC Address</h2>
						<h3>01:00:5E:[00:00:00-7F:FF:FF]</h3>
						<p>Combines with a <strong>multicast network address</strong>, like the multicast IPv4 allocation (224.0.0.0 - 239.255.255.255), to deliver the frame to <u>a host group</u>.</p>
					</section>
				</section>

				<section>
					<section>
						<h2>Layer 1 and Layer 2 Devices</h2>
						<ul>
							<li>An <strong>hub</strong> is a "Layer 1 device" because it <u>makes no decision</u> and only deals with <u>physically replicating every bit</u> received on one port on every other port.</li>
							<ul>
								<li>Ethernet was developed with a <strong>multi-access bus logical topology</strong> in mind, where <u>devices would contest the media</u> in a network segment.</li>
								<li>Since with hubs every host receives every frame, MAC addresses were used as a <strong>solution to identify correct source and destination</strong>.</li>
							</ul>
						</ul>
					</section>
					<section>
						<h2>Layer 1 and Layer 2 Devices</h2>
						<ul>
							<li>A <strong>switch</strong> is a "Layer 2 device", because it takes <u>decisions based on the MAC address of the Ethernet frame</u> (an L2 PDU), regardless of the content coming from upper layers.</li>
							<ul>
								<li>Switches enabled an "uncontested" Ethernet, because they <u>direct traffic only where necessary</u> and also they can "store" the frame while <u>waiting for the media to be available</u>.</li>
								<li>As a result of this, plus the introduction of full-duplex capabilities, means <u>modern Ethernet does not have to worry about collisions</u> anymore.</li>
							</ul>
						</ul>
					</section>
				</section>

				<section>
					<h2>MAC Table</h2>
					<p>The switch has to build a <strong>MAC Table</strong> to make its decisions.</p>
					<p>It's also called <strong>CAM table</strong> (<em>content addressable memory</em>).</p>
					<ul>
						<li>The MAC table associates each <strong>port with MAC addresses</strong>.</li>
						<li>It is populated by <strong>examining source MAC adresses</strong>.</li>
					</ul>
					<img src="http://i.imgur.com/AZ06xwX.jpg">
				</section>

				<section>
					<section>
						<h2>How a Switch Works</h2>
						<h3>Learning</h3>
						<ul>
							<li>The MAC table is empty when the switch is first powered on.</li>
							<li>When a frame is received, it looks at the <strong>source MAC address</strong>.</li>
							<ul>
								<li>If it's not on the table, <strong>an association is added</strong> between the source MAC and the incoming port.</li>
								<li>If it was already on the table, the <strong>aging timer</strong> of the association is reset. Maximum aging time is usually 5 min.</li>
							</ul>
						</ul>
					</section>
					<section>
						<h2>How a Switch Works</h2>
						<h3>Forwarding</h3>
						<ul>
							<li>Then, it looks at the <strong>destination MAC address</strong></li>
							<ul>
								<li>If It's not on the table it <strong>forwards the frame to all ports</strong> except the incoming port. This is called <em>flooding</em>.</li>
									<ul>
										<li><strong>Only the destination will reply</strong> with a unicast frame. The switch can now add the missing association in the table.</li>
									</ul>
								<li>If It's already on the table, the switch forwards the frame to the <strong>associated exit port</strong>.</li>
							</ul>
							<li>Once all the associations have been learned the switch doesn't need flooding anymore.</li>
						</ul>
					</section>
				</section>

				<section>
					<section>
						<h2>Switching Methods</h2>
						<img src="http://i.imgur.com/dMGP8Ue.gif">
						<small>The figure above shows how many bytes of an incoming frame a switch needs to receive before making a forwarding decision, dependent of the switching method in use.</small>
					</section>
					<section>
						<h2>Store &amp; Fordward Switching</h2>
						<p><em>Store and Forward Switching</em> makes a forwarding decision only <strong>after receiving the entirety of the frame</strong> and error-checking it.</p>
						<p>It is the main switching method in a Cisco LAN switch.</p>
						<p>After receiving the frame, the switch computes its <em>checksum</em> (FCS). If it matches the FCS value the frame is forwarded through the appropriate exit port, <strong>otherwise it is dropped</strong>.</p>
					</section>
					<section>
						<h2>Cut-Through Switching</h2>
						<p><em>Cut-Through Switching</em> makes a forwarding decision <strong>as soon as "enough" bytes</strong> of the frame as been received.</p>
						<p>The actual forwarding process begins <strong>before the frame has been completely received</strong>.</p>
						<p>There are two variants, both <strong>not verifying the checksum</strong>:</p>
						<ul>
							<li><strong>Fast Forward</strong> - The switch forwards the frame <u>as soon as the destination MAC address is received</u>. This means it only needs the first 6 of the frame.</li>
							<li><strong>Fragment Free</strong> - The switch waits for the first 64 bytes (<em>collision window</em>). <u>If no fragmentation is detected it then forwards the frame</u>.</li>
						</ul>
					</section>
					<section>
						<h2>Switching Methods: Comparison</h2>
						<ul>
							<li>Store &amp; Forward <strong>never forwards invalid frames</strong>.</li>
							<li>Cut-Through forwards <strong>almost every invalid frame</strong>.</li>
							<li>Cut-Through provides <strong>significantly better latencies</strong>.</li>
							<li>In a network with a <strong>high error rate</strong>, C-T switching becomes counterproductive, wasting bandwidth with invalid frames.</li>
							<li>Fragment-Free is usually the best <strong>compromise</strong>: a little bit better error checking with virtually no increase in latency.</li>
						</ul>
					</section>
				</section>

				<section>
					<h2>Switch Buffers</h2>
					<p>A <em>buffer</em> is a memory with the purpose of temporarily queuing something, <strong>continuously filled and emptied</strong>.</p>
					<p>Switches use two types of memory buffer to <strong>store Ethernet frames</strong> before forwarding them:</p>
					<ul>
						<li><strong>Port-based</strong>: each port has its own queue of frames, and a frame must wait every frame in front.</li>
						<ul>
							<li>A frame is <strong>never moved off the queue and into a less congested queue</strong> of another viable destination port.</li>
						</ul>
						<li><strong>Shared</strong>: there's a single queue for all ports, and each frame has a destination port linked to it.</li>
						<ul>
							<li><strong>Frames don't have to move</strong>, just being re-linked to a different outgoing port; <strong>variable allocation</strong> of memory.</li>
						</ul>
					</ul>
				</section>

				<section>
					<h2>Matching Speed, Duplex, Cable</h2>
					<ul>
						<li>The switch port and the device connected to it <strong>must operate at the same speed and duplex</strong>.</li>
						<ul>
							<li>They can be manually set, but by default almost every device has <strong>autonegotiation</strong> for both settings enabled.</li>
							<li>Autonegotiation must be on on both sides; Gigabit ports can only operate in full-duplex mode.</li>
						</ul>
						<li><em>Ethernet over copper twisted pairs</em> has 2 wiring variants: the <strong>cable connecting switch and device must be correct</strong>.</li>
						<ul>
							<li>However switches have <strong>Auto-MDIX</strong> capability that <strong>reconfigures the interfaces no matter the cable</strong> in use.</li>
						</ul>
					</ul>
				</section>

				<section>
					<section>
						<h2>[R] Addresses</h2>
						<p>Network and Data Link layers are those responsible for <strong>uniquely identifying the source and destination</strong> of the data exchange.</p>
						<p>They <strong>both do that using addresses</strong>, but of different kind and for different purposes.</p>
						<img src="http://i.imgur.com/xDdU0zT.gif">
					</section>
					<section>
						<h2>[R] Network Address: IP Addresses</h2>
						<p>Network addresses are <strong>logical</strong> addresses (not tied to a specific device) required to deliver <u>a packet</u> from source to destination, either on the same or <strong>different networks</strong>.</p>
						<p><strong>IP addresses</strong> are <u>structured</u> and delivery operates by moving (<em>routing</em>) packets <u>according to their structure</u>.</p>
						<ul>
							<li>The <u>network part</u> (192.168.1) is used by router to identify and <strong>reach the destination network</strong>.
							<li>The <u>host part</u> (.1) is used by the <strong>last router</strong> to reach the destination host.
						</ul>
						<p>You need two of those IP addresses: source and destination.</p>
					</section>
					<section>
						<h2>[R] Data Link  Address: MAC Addresses</h2>
						<p>Data Link Layer (DLL or L2) addresses, also known as <strong>physical addresses</strong> (tied to the NIC), are used to <strong>reach another network interface in the same network</strong> (<em>link</em>).</p>
						<p>DLL addresses, like <strong>MAC addresses</strong>, have <u>no structure</u>: 00:AA:BB:11:FF:01 and 00:AA:BB:11:FF:02 could be on different planets, for all we know.</p>
						<p>L2 delivery operates on the <u>assumption</u> that end devices can <strong>communicate directly over the same link</strong>, just by sending frames with correct addressing onto the wire.</p>
						<p>You need 2 MAC addresses: source and destination.</p>
					</section>
				</section>

				<section>
					<section>
						<h2>[R] Role of L2/L3 Addresses</h2>
						<h3>In the same network</h3>
						<div><img src="https://i.imgur.com/tTqWLbM.jpg"></div>
						<ul>
							<li><strong>L2 Src</strong>: 00:15:5F:3C:A2:68 (PC A NIC)</li>
							<li><strong>L2 Dst</strong>: 00:44:C8:59:12:74 (PC B NIC)</li>
							<li><strong>L3 Src</strong>: 192.168.1.3 (PC A IP)</li>
							<li><strong>L3 Dst</strong>: 192.168.1.62 (PC B IP)</li>
						</ul>
					</section>
					<section>
						<h2>[R] Role of L2/L3 Addresses</h2>
						<h3>Over different networks (1)</h3>
						<div><img src="https://i.imgur.com/tTqWLbM.jpg"></div>
						<ul>
							<li><strong>L2 Src</strong>: 00:15:5F:3C:A2:68 (PC A NIC)</li>
							<li><strong>L2 Dst</strong>: 00:22:54:28:6F:FA (GW NIC, same net as PC A NIC)</li>
							<li><strong>L3 Src</strong>: 192.168.1.3 (PC A IP)</li>
							<li><strong>L3 Dst</strong>: 10.87.38.185 (PC C IP)</li>
						</ul>
					</section>
					<section>
						<h2>[R] Role of L2/L3 Addresses</h2>
						<h3>Over different networks (2)</h3>
						<div><img src="https://i.imgur.com/tTqWLbM.jpg"></div>
						<ul>
							<li><strong>L2 Src</strong>: 00:85:CC:D3:E2:34 (GW NIC, same net as PC C)</li>
							<li><strong>L2 Dst</strong>: 00:13:81:FC:F6:1A (PC C NIC)</li>
							<li><strong>L3 Src</strong>: 192.168.1.3 (PC A IP, unchanged)</li>
							<li><strong>L3 Dst</strong>: 10.87.38.185 (PC C IP, unchanged)</li>
						</ul>
					</section>
				</section>

				<section>
					<h2>[R] Default Gateway</h2>
					<p>A <strong><em>gateway</em></strong> is a host (a router, almost always) in a network that <strong>knows how to reach other (specific) networks</strong>.</p>
					<p>The <strong><em>default gateway</em></strong> is the router to which a host on a network will send <strong>every frame for which it has no specific gateway</strong>.</p>
					<p>The default gateway is <em>presumed</em> to know what to do.</p>
					<p>Default gateway either <strong>routes the packet</strong> to final destination or to another router, called <strong>next hop</strong>.</p>
					<p><u>L2 addressing information is rewritten</u> at every hop.</p>
				</section>

				<section>
					<h2>[R] How do I get to know these addresses?</h2>
					<p>A host needs to <strong>know both the logical and physical addresses of the destination host</strong> to be able to generate and send the frame.</p>
					<p>For IP addresses, you probably know IP addresses on your own network and you enter them <strong>manually</strong>.</p>
					<p>For remote networks, you can learn IP address by configuring your device to use <strong>DNS</strong> (<em>Domain Name System</em>).</p>
					<p>Remembering MAC Addresses would be much more trickier, but fortunately <strong>ARP</strong> (<em>Address Resolution Protocol</em>) relieves you of that need.</p>
				</section>

				<section>
					<section>
						<h2>[R] Why Don't We Go MAC-only?</h2>
						<p>Think about it: we have <u>2 different sets of addresses both able to globally and uniquely identify hosts</u>. Why?</p>
						<ul>
							<li>For MAC addresses to work globally, every router <u>would need to know every MAC address ever released</u> and where it is. Sloooow.</li>
							<li>It would not be possible to shorten that list by <u>"grouping" MAC addresses: there is no criteria/structure</u> to do it.</li>
							<li>You <u>can't move a MAC address</u> from a host to another.</li>
							<li>There are <u>L2 protocols other than Ethernet</u>, you know...</li>
							<li>MAC addresses makes sense to use because you can't really skip <em>communicating in the same network</em>.</li>
						</ul>
					</section>
					<section>
						<h2>[R] Why Don't We Go IP-only?</h2>
						<ul>
							<li>Actually, <em>we could</em>. There are vocal proposal for networking based on L3-only addressing.</li>
							<li>There are <u>not enough IPv4 addresses for every NIC</u>. <strong>IPv6 would solve this</strong>, but we've been stuck with IPv4 for 30+ years.</li>
							<li>Also, <u>checking MAC addresses used to be much faster than checking IPs</u> (because of the lack of structure to analyze), but <strong>not anymore</strong>.</li>
						</ul>
						<p><strong>If we started from scratch today, we could probably just use IPs</strong>.</p>
						<p>The reality is that the <strong>Ethernet+IP addressing has been working pretty well</strong> for ~40 years and almost everything has been based on it. So the urge to change it's minimal.</p>
					</section>
				</section>

				<section>
					<section>
						<h2>ARP: Address Resolution Protocol</h2>
						<p>To generate a frame, we need:</p>
						<ul>
							<li><strong>Source IP Address</strong>: of course I know my own!</li>
							<li><strong>Source MAC Address</strong>: of course I know my own!</li>
							<li><strong>Destination IP Address</strong>: provided by higher layers (like L7's DNS), or <em>we just know</em>.</li>
							<li><strong>Destination MAC Address</strong>: <u>that's what ARP is for</u>.</li>
						</ul>
					</section>
					<section>
						<h2>ARP: Address Resolution Protocol</h2>
						<p>What ARP does is:</p>
						<ul>
							<li>Associating (<em>resolving</em>) <u>IP addresses to corresponding MAC addresses</u>.</li>
							<li>Maintaining a table of these associations (<em>mappings</em>), the <strong>ARP table/cache</strong>.</li>
							<li>Provides a mechanism to query the ARP table, through <strong>ARP requests and replies</strong>.</li>
						</ul>
					</section>
				</section>

				<section>
					<h2>How ARP operates</h2>
					<p>When an host needs to determine the destination MAC, <strong>it searches the destination IP in the ARP table</strong> to see if there's already a mapping.</p>
					<ul>
						<li>If there is, it uses the MAC and generates the frame.</li>
						<li>If there isn't, then it can't generate the frame until <u>it has populated the ARP table</u>.</li>
					</ul>
					<p>It has two way of doing so, an <em>active</em> and a <em>passive</em> one:</p>
					<ul>
						<li><strong>Address Learning</strong>: <em>the mapping comes to you</em>.</li>
						<li><strong>ARP Requests</strong>: <em>you search for the mapping</em>.</li>
					</ul>
				</section>

				<section>
					<section>
						<h2>ARP Address Learning</h2>
						<p>Simple: the host <em>listens</em> to incoming frames, <strong>reads the source MAC and IP addresses</strong>, and if this mapping is not already on the ARP table, <strong>the mapping is added to it</strong>.</p>
					</section>
					<section>
						<h2>ARP Requests</h2>
						<ul>
							<li>The host generates a <strong>L2 broadcast</strong> frame known as ARP Request, <u>containing the IP address whose MAC address it wants to know</u>, that will be received by every host.</li>
							<li>Only the host that has the the IP address included in the ARP request will reply, with <strong>a (unicast) ARP Reply</strong> <u>containing its own MAC address</u>.</li>
							<li>The original host <strong>can now create the appropriate entry</strong> in its ARP cache.</li>
						</ul>
						<p>ARP entries are <em>time stamped</em>, they <em>expire</em>, and can be <em>static</em>.</p>
						<p>If no host replies to the ARP request, <strong>the encapsulation fails, the frame is aborted</strong> and an error might be reported to the upper layers.</p>
					</section>
					<section>
						<h2>How ARP operates for remote networks</h2>
						<p>What we've seen until now <strong>only works on a local network</strong>, because broadcast (like ARP requests) doesn't propagate to other networks.</p>
						<p>When the host recognizes that the IP address of which it wants to know the MAC address it's part of a remote network, it has to forward the frame to a (default) gateway.</p>
						<p><strong>This means it has to use the (default) gateway MAC address as the destination</strong>.</p>
					</section>
				</section>

				<section>
					<section>
						<h2>ARP commands</h2>
						<h3>Consulting the ARP table on Linux</h3>
						<pre><code>stefanauss@barney:~$ arp -a
? (10.87.23.1) associato a c0:4a:00:fc:28:9c [ether] su eth0
stefanauss@barney:~$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
10.87.23.1       0x1         0x2         c0:4a:00:fc:28:9c     *        eth0</code></pre>
					</section>
					<section>
						<h2>ARP commands</h2>
						<h3>Consulting the ARP table on Windows</h3>
						<pre><code>C:\> arp -a
Interface: 10.0.0.1 on Interface 0x1
  Internet Address      Physical Address      Type
  10.0.0.99             00-e0-98-00-7c-dc     dynamic</code></pre>
					</section>
					<section>
						<h2>ARP commands</h2>
						<h3>Consulting the ARP table on Cisco IOS</h3>
						<pre><code>Router#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.0.2               0   001e.4a71.8f80  ARPA   Vlan2000
Internet  10.20.0.1               0   001e.4a21.af80  ARPA   Vlan2000
Internet  10.20.93.3              -   001e.4a7b.5800  ARPA   Vlan2093
Internet  10.20.93.2            143   001e.4a71.8f80  ARPA   Vlan2093
Internet  10.20.93.1             21   001e.4a21.af80  ARPA   Vlan2093
Internet  10.20.0.69              -   001e.4a7b.5800  ARPA   Vlan2000
Internet  10.20.71.5              -   001e.4a7b.5800  ARPA   Vlan2089
Internet  10.20.71.2              0   001f.6c9c.7017  ARPA   Vlan2089
Internet  10.20.71.3              0   001f.6c9c.6c17  ARPA   Vlan2089</code></pre>
					</section>
					<section>
						<h2>ARP commands</h2>
						<h3>Manipulating ARP table on Windows</h3>
						<ul>
							<li>To flush the entire ARP table:</li>
							<pre><code>ipconfig /release
ipconfig /renew</code></pre>
							<li>To add a static entry to the ARP table:</li>
							<pre><code>arp -s 10.0.0.200 00-10-54-CA-E1-40</code></pre>
							<li>To remove a single entry:</li>
							<pre><code>arp -d 192.168.0.1</code></pre>
						</ul>
					</section>
					<section>
						<h2>ARP commands</h2>
						<h3>Manipulating ARP table on Linux</h3>
						<ul>
							<li>To flush the entire ARP table:</li>
							<pre><code>root@hostname# ip -s -s neigh flush all
70.167.140.1 dev eth0 lladdr 00:00:0c:9f:f0:04 ref 42 used 17/0/65 REACHABLE
*** Round 1, deleting 1 entries ***
70.167.140.1 dev eth0  ref 42 used 0/0/0 INCOMPLETE
*** Round 2, deleting 1 entries ***
*** Flush is complete after 2 rounds ***</code></pre>
							<li>To add a static entry, and then remove it:</li>
							<pre><code>root@hostname# arp -s 10.0.0.2 00:0c:29:c0:94:bf
? (192.168.10.47) at e0:db:55:ce:13:f1 [ether] on eth0
? (192.168.10.1) at 00:e0:b1:cb:07:30 [ether] on eth0
? (10.0.0.2) at 00:0c:29:c0:94:bf [ether] PERM on eth1
root@hostname# arp -d 10.0.0.2
? (192.168.10.47) at e0:db:55:ce:13:f1 [ether] on eth0
? (192.168.10.1) at 00:e0:b1:cb:07:30 [ether] on eth0
? (10.0.0.2) at &lt;incomplete&gt; eth1</code></pre>
						</ul>
					</section>
				</section>

				<section>
					<section>
						<h2>ARP Issues</h2>
						<h3>Broadcast Overhead</h3>
						<p>The <strong>impact of broadcast communication</strong> can be very heavy for large enterprise networks and can greatly reduce throughput.</p>
						<p>ARP broadcast traffic decreases significantly once the ARP tables start to get populated.</p>
					</section>
					<section>
						<h2>ARP Issues</h2>
						<h3>ARP Poisoning/Spoofing</h3>
						<p>By issuing <strong>fake ARP replies</strong> that tries to get the wrong association on the ARP tables, an attacker can <strong>capture traffic originally intended for another host</strong> on the network.</p>
						<p>Mitigation for ARP poisoning includes:</p>
						<ul>
							<li>authorizing only specific MAC addresses.</li>
							<li>using static ARP entries (<em>ARP Binding</em>).</li>
							<li>encrypting traffic in the upper layers.</li>
						</ul>
					</section>
				</section>

				<section>
					<h1>End of Lesson</h1>
				</section>
			</div>

		</div>

		<script src="lib/js/head.min.js"></script>
		<script src="js/reveal.js"></script>

		<script>

			// More info https://github.com/hakimel/reveal.js#configuration
			Reveal.initialize({
				controls: true,
				progress: true,
				history: true,
				center: true,

				transition: 'slide', // none/fade/slide/convex/concave/zoom

				// More info https://github.com/hakimel/reveal.js#dependencies
				dependencies: [
					{ src: 'lib/js/classList.js', condition: function() { return !document.body.classList; } },
					{ src: 'plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
					{ src: 'plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
					{ src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
					{ src: 'plugin/zoom-js/zoom.js', async: true },
					{ src: 'plugin/notes/notes.js', async: true }
				]
			});

		</script>

	</body>
</html>