

Showing posts with label Acknowledgement.

Wednesday, September 11, 2013

What are transport and application gateways?

- Hosts and routers are separated in the TCP/IP architecture.
- Private networks need additional protection so that access to them can be controlled.
- A firewall is one of the components of this TCP/IP architecture.
- The Internet is separated from the intranet by this firewall.
- This means all incoming traffic must pass through the firewall.
- Only authorized traffic is allowed to pass through.
- The firewall cannot simply be penetrated.
A firewall has two components, namely:
Ø  Filtering router and
Ø  Two types of gateways, namely application and transport gateways.
- All packets are checked by the router and filtered based on attributes such as protocol type, port numbers, TCP header fields and so on.
- Designing the rules for packet filtering is quite a complex task.
- Packet filtering offers only a little protection, since with filtering rules on one side it is difficult to cater to the services needed by users on the other side.

About Application Gateways
- Application layer gateways are layer-7 intermediate systems designed mainly for access control.
- However, these gateways are not commonly used in the TCP/IP architecture.
- They are sometimes used to solve inter-networking issues.
- Application gateways follow the proxy principle to support authentication, access control restrictions, encryption and so on.
- Consider two users, A and B.
- A generates an HTTP request which is first sent to the application layer gateway rather than to its destination.
- The gateway checks whether this request is authorized and performs encryption.
- Once the request has been authorized, the gateway sends it on to user B just as it would have been sent by A.
- B responds with a MIME header and data, which the gateway may decrypt or reject.
- If the gateway accepts the response, it is sent to A as if it came from B.
- These gateways are designed for the protocols of the application level.


About Transport Gateways
- A transport gateway works similarly to an application gateway, but at the level of TCP connections.
- These gateways do not depend on the application code, but they do need client software that is aware of the gateway.
- Transport gateways are intermediate systems at layer 4.
- An example is the SOCKS gateway.
- The IETF has defined it as a standard transport gateway.
- Again, consider two clients, A and B.
- A opens a TCP connection to the gateway.
- The destination port of this connection is the SOCKS server port.
- A sends a request to this port asking to open a connection to B, indicating the destination port number.
- After checking the request, the gateway either accepts or rejects A's connection request.
- If it is accepted, a new connection is opened to B.
- The server also informs A that the connection has been established successfully.
- The data relay between the clients is kept transparent.
- In reality, however, there are two TCP connections, each with its own sequence numbers and acknowledgements.
- Transport gateways are simpler than application layer gateways.
- This is because transport gateways are not concerned with the data units of the application layer.
- Once the connection has been established, the gateway simply acts on the packets.
- This is also the reason why it gives higher performance than an application layer gateway.
- But the client must be aware of the gateway's presence, since there is no transparency here.
- If the application gateway is the only border between the two networks, it alone can act as the firewall.
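As an added illustration of the SOCKS exchange described above (not code from the original post), here is a small Python model of client A's request and the gateway's accept/reject decision using the RFC 1928 CONNECT message layout; the rule set, addresses and ports are constructed assumptions, and no real sockets are opened.

```python
import struct
import ipaddress

# SOCKS5 constants (RFC 1928): version, CONNECT command, IPv4 address type, reply codes
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02      # "connection not allowed by ruleset"
FMT = "!BBBB4sH"            # VER, CMD/REP, RSV, ATYP, 4-byte IPv4, 2-byte port

def build_connect_request(dst_ip: str, dst_port: int) -> bytes:
    """Client A: ask the gateway to open a connection to B at dst_ip:dst_port."""
    return struct.pack(FMT, SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4,
                       ipaddress.IPv4Address(dst_ip).packed, dst_port)

def parse_connect_request(data: bytes):
    """Gateway: decode the request and return the requested destination."""
    if len(data) != struct.calcsize(FMT):
        raise ValueError("only IPv4 CONNECT requests are handled in this example")
    ver, cmd, _rsv, atyp, addr, port = struct.unpack(FMT, data)
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_IPV4:
        raise ValueError("unsupported SOCKS request")
    return str(ipaddress.IPv4Address(addr)), port

def gateway_decide(data: bytes, policy) -> bytes:
    """Gateway: check the request against its rule set and build the reply for A.

    policy is a constructed list of (network, allowed destination ports) pairs.
    On success a real gateway would open the second TCP connection to B before
    replying; BND.ADDR/BND.PORT below are a 0.0.0.0:0 placeholder since no
    socket is opened here."""
    dst_ip, dst_port = parse_connect_request(data)
    allowed = any(ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(net)
                  and dst_port in ports for net, ports in policy)
    rep = REP_SUCCEEDED if allowed else REP_NOT_ALLOWED
    return struct.pack(FMT, SOCKS_VERSION, rep, 0x00, ATYP_IPV4, b"\x00" * 4, 0)

def reply_accepted(reply: bytes) -> bool:
    """Client A: did the gateway report the connection to B as established?"""
    return len(reply) == struct.calcsize(FMT) and reply[1] == REP_SUCCEEDED

# Constructed rule set: only web ports towards the 192.0.2.0/24 documentation network
POLICY = [("192.0.2.0/24", {80, 443})]
```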


Friday, August 30, 2013

What is meant by flow specification?

- There are many problems concerning flow specification.
- The provider has limited options for mitigating DDoS attacks internally.
- These can be put into three categories:
Ø  BGP (Border Gateway Protocol) destination black holes
Ø  BGP src/uRPF
Ø  ACLs

- The basic idea is to use BGP to distribute the flow specification filters.
- This enables dynamic filtering in the routers.
- The flow specification rules are encoded in a BGP NLRI address family.
- The flow spec NLRI is opaque to BGP, which uses it as the entry key for its database.
- Extended communities are used to specify actions such as accept, discard, rate limit, sample, redirect and so on.
- Source/destination prefix and source/destination port are matched in combination with packet size, ICMP type/code, fragment encoding, DSCP, TCP flags and so on.
- For example, TCP ports 80…90 are matched together with 192.168.0/24.
- In the flow specification trust model, routing advertisements are unicast to control the traffic.
- A filter is regarded as a hole for the traffic being transmitted to some destination.
- A filter is accepted when it is advertised for the destination by the next hop.
- Filters with various flow specifications are available today.
- The major benefit of flow specifications is fine-grained filters, which make them easy to deploy and manage over BGP.
- BGP solves the trust and distribution problems.
- The ASIC filtering in routers is leveraged.
- This is another major benefit of flow specifications.
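An added example (not from the original post) showing how a flow specification rule matches on the combination of destination prefix, protocol and port range and yields the action carried in its extended community, using the post's "TCP ports 80…90 towards 192.168.0/24" rule; the second rule, the sample packets and the simple first-match ordering are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

@dataclass
class FlowSpecRule:
    """One flow specification filter plus the action from its extended community.
    Every component that is present must match (the components are ANDed)."""
    dst_prefix: str
    src_prefix: str = "0.0.0.0/0"
    protocol: Optional[int] = None
    dst_ports: Optional[range] = None   # range(80, 91) means ports 80..90
    action: str = "discard"             # discard, rate-limit:<bps>, redirect, sample, ...

def matches(rule: FlowSpecRule, pkt: dict) -> bool:
    """Evaluate one rule against a packet header summary (dicts constructed below)."""
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst_prefix):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src_prefix):
        return False
    if rule.protocol is not None and pkt["proto"] != rule.protocol:
        return False
    if rule.dst_ports is not None and pkt.get("dport") not in rule.dst_ports:
        return False
    return True

def apply_filters(rules, pkt: dict) -> str:
    """Return the action of the first matching rule, or 'accept' if none matches.
    Routers order installed flowspec rules by a defined precedence; a plain
    first-match list is used here for clarity."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"

# Rule 1 is the post's example: TCP ports 80..90 towards 192.168.0.0/24 are discarded.
# Rule 2 (constructed) rate-limits UDP towards a single host instead of dropping it.
RULES = [
    FlowSpecRule("192.168.0.0/24", protocol=PROTO_TCP, dst_ports=range(80, 91)),
    FlowSpecRule("192.168.0.53/32", protocol=PROTO_UDP, action="rate-limit:1000000"),
]

# Constructed packet header summaries
WEB_HIT = {"src": "203.0.113.9", "dst": "192.168.0.10", "proto": PROTO_TCP, "dport": 85}
SSH_HIT = {"src": "203.0.113.9", "dst": "192.168.0.10", "proto": PROTO_TCP, "dport": 22}
DNS_FLOOD = {"src": "198.51.100.7", "dst": "192.168.0.53", "proto": PROTO_UDP, "dport": 53}
```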
Apart from the benefits, flow specifications have various limitations, as listed below:
Ø  There is no update-level security in BGP.
Ø  Statistics and application-level acknowledgement are not well defined.
Ø  Flow specifications work only for those nodes on which BGP has been enabled.
Ø  The BGP payload has to be overloaded beyond routing.
Ø  There are various operational issues between security operations and network operations.
Ø  The threat information cannot be gathered in one place.

- Various security vendors have announced integration of flow specifications.
- A large number of customers experience DDoS attacks.
- DDoS attacks are now massive and put the network infrastructure at risk, not just the end customer.
- Congestion problems occur at both the exchange and the backbone.
- Attacks of long duration add to the cost of bursting and to circuit congestion problems.
- Depending on the size of the attack, the POP has to be isolated.
- VoIP is also affected.
- These attacks have negative economic effects, as the cost of operations increases.
- This has led to a degradation of the business.
- Measures such as firewall filtering and destination BGP black-holing have proved insufficient to prevent the attacks.
- These methods are slow, since someone has to log in and configure the devices.
- The configuration has to be changed constantly.
- Traffic to some destination is terminated.
- This affects availability.
- The black hole routes are removed by constantly changing the configurations.
- Earlier versions of the flow specifications had many bugs.
- There were some limitations on performance.
- However, they provided Arbor support for the flow specification actions.
- Multi-vendor support is not provided.
- To some extent they provide mitigation for an attack at the source.
- Collateral damage is eliminated for both the carriers, and changes in the matching criteria are supported.


Sunday, August 25, 2013

What is the concept of flow control?

- Flow control is an important concept in the field of data communications.
- It is the process of managing the rate of data transmission between two communicating nodes.
- Flow control is needed to prevent a fast sender from outrunning a slow receiver.
- With flow control, the receiver is given a mechanism through which it can control the speed of transmission.
- This prevents the receiving node from being overwhelmed with traffic from the transmitting node.
- Do not confuse congestion control with flow control; they are different concepts.
- Congestion control comes into play when there is actual network congestion and the data flow has to be controlled.

Flow control mechanisms can be classified in the following two ways:
  1. The receiving node sends feedback to the sending node.
  2. The receiving node does not send feedback to the sending node.
- The sending computer may tend to send data at a faster rate than the other computer can receive and process it.
- This is why we need flow control.
- This situation arises when the traffic load on the receiving computer is too high compared to that on the sending computer.
- It can also arise when the receiving computer has less processing power than the sending computer.

Stop and Wait Flow Control Technique
- This is the simplest flow control technique.
- Here, once the receiver is ready to receive data from the sender, the message is broken down into a number of frames.
- After sending each frame, the sending system waits for a specific time to get an acknowledgement (ACK) from the receiver.
- The purpose of the acknowledgement is to confirm that the frame has been received properly.
- If a packet or frame is lost during transmission, it has to be retransmitted.
- This process is called automatic repeat request (ARQ).
- The problem with this technique is that it can transmit only one frame at a time.
- This makes the transmission channel very inefficient.
- Until the sender gets an acknowledgement, it will not proceed to transmit another packet.
- Both the transmission channel and the sender sit idle during this period.
- Simplicity is the biggest advantage of this method.
- Its disadvantage is the inefficiency that results from this simplicity.
- The sender's waiting state creates the inefficiency.
- This typically happens when the transmission delay is shorter than the propagation delay.
- Sending longer transmissions is another cause of inefficiency.
- It also increases the chance of errors creeping into the protocol.
- With short messages, it is quite easy to detect errors early.
- Breaking one big message down into many separate smaller frames increases the inefficiency.
- This is because the pieces altogether take a long time to be transmitted.


Sliding Window Flow Control Technique
- This is another method of flow control, in which the receiver gives the sender permission to transmit data continuously until a window is filled up.
- Once the window is full, the sender stops transmitting until a larger window is advertised.
- This method can be used to better advantage if the buffer size is kept limited.
- During transmission, space for, say, n frames is allocated in the buffer.
- This means n frames can be accepted by the receiver without waiting for an ACK.
- After n frames, an ACK is sent containing the sequence number of the next frame that has to be sent.
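An added example, not from the original post, that models both techniques described above in one simulation: a window of n frames with a cumulative ACK carrying the next expected sequence number, where n = 1 reduces to stop-and-wait, plus ARQ retransmission after a constructed frame loss. The Go-Back-N behaviour (receiver discards out-of-order frames) and the one-ACK-per-round-trip timing are simplifying assumptions made here.

```python
def simulate_sliding_window(message, window, lose_once=frozenset()):
    """Sliding-window sender with a cumulative-ACK receiver over a lossy channel.

    message:   list of frame payloads to deliver in order
    window:    n, the frames the receiver accepts before an ACK (1 = stop-and-wait)
    lose_once: sequence numbers whose first transmission is dropped (constructed loss)
    Each loop iteration is one round trip: a burst of up to n frames, then one ACK
    carrying the sequence number of the next frame the receiver wants.
    Returns (delivered payloads, frames transmitted, round trips, event log).
    """
    delivered, log = [], []
    base = next_seq = expected = 0   # sender base, sender next, receiver expected
    lost, sent, round_trips = set(lose_once), 0, 0
    while base < len(message):
        round_trips += 1
        while next_seq < min(base + window, len(message)):
            sent += 1
            if next_seq in lost:             # frame lost in transit
                lost.discard(next_seq)       # it gets through when retransmitted
                log.append(f"frame {next_seq} lost")
            elif next_seq == expected:       # in-order frame accepted
                delivered.append(message[next_seq])
                expected += 1
            else:                            # out-of-order frame discarded (Go-Back-N)
                log.append(f"frame {next_seq} discarded")
            next_seq += 1
        log.append(f"ACK {expected}")        # cumulative ACK: next frame wanted
        if expected < next_seq:              # something went missing: ARQ resend
            log.append(f"go back to frame {expected}")
        base = next_seq = expected
    return delivered, sent, round_trips, log

if __name__ == "__main__":
    frames = list("ABCDEF")                  # constructed message of six frames
    for n, loss in ((1, set()), (3, set()), (3, {1})):
        got, sent, rtts, _ = simulate_sliding_window(frames, n, loss)
        print(f"window={n} loss={sorted(loss)} -> {sent} frames sent, {rtts} round trips")
```

With six frames, the stop-and-wait case (n = 1) needs six round trips while n = 3 needs two, which is the efficiency gap the two sections describe; the loss case shows the retransmission cost.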

