This layer is all about packets and logical addressing.  Some terms you’ll need to be familiar with:

  • Unicast – one to one communications
  • Multicast – one to Many
  • Broadcast – one to all

It should be fairly easy to memorize these: “Uni” is similar to “Uno” (whether you think of the card game or the Spanish word, Uno means “1”), and the M in “Many” matches up with the M in “Multi.”

Anycast is basically a one-to-one transmission that uses the services of a group of devices; it’s also called one-to-one-of-many. Content distribution networks use anycast to push a continuous flow of content to regional sub-distribution servers. The “destination” address doesn’t really matter: the sending node just wants somebody in its anycast group to receive the message. The recipient could be the closest node, the one with the fewest hops, or the one on a network path that carries less traffic than the others in the anycast group.

Geocast is similar to a broadcast, but the destination IP addresses are restricted to a predefined geographic area.

IPv4
Most of us know what an IP address is: a set of four numbers separated by dots, representing the logical address of a host. The numbers are between 0 and 255, but 0 and 255 aren’t used for hosts. Each set of digits is called an octet, and the leftmost octet determines the network class:

Class A Network: the leftmost octet is from 1 to 127, and identifies the network. The remaining octets are reserved for hosts.

Class B Network: the leftmost octet is from 128 to 191. The first two octets identify the network, the remaining two octets are for hosts.

Class C Network: the leftmost octet is from 192 to 255. The first three octets identify the network and the remaining octet is reserved for hosts.

IPv6

IP version 6 has the following redeeming attributes:

  • 128-bit address field
  • Better security through IPsec, which ensures confidentiality and integrity of the IP packets
  • Improved quality of service

Other protocols at layer 3:

  • Internet control message protocol
  • Internet group management protocol
  • Open shortest path first

Devices at layer 3:

  • Routers
  • Firewalls (ACL and rule-based)

Vulnerabilities, threats, and mitigations at layer 3:

  • Misconfigured or outdated firewalls – update hardware/software/patches, provide training for operation and maintenance
  • Unwanted traffic – router ACLs, IDS/IPS
  • Smurf attack – disable ICMP echo request
  • Traceroute exploitation – disable node enabled deterministic route path
  • Ping of death – redundancy and diverse network paths; disable ICMP echo request
  • Ping scanning – disable ICMP echo request
  • Teardrop attack – ensure that both operating systems and routers are patched to inspect discrepancies in fragment offsets and drop malformed fragment packets

Native IPv6 requires complete conversion of all internal network segments and components including software to IPv6.

Dual stack uses specialized devices that can handle both protocols.

IPv6 at the edge is where you have all publicly facing content and resources accessible to either IPv4 or IPv6 protocol.

Automatic Private IP Addressing (APIPA) is reserved for use when DHCP fails. Addresses are in the form 169.254.x.x, which falls in the Class B range. It provides limited connectivity until DHCP becomes available again.

Classful routing protocols don’t make use of subnet masks in IPv4 addressing.

Classless routing protocols do make use of IPv4 subnet masks, and can also make use of variable-length subnet masks. An example is RIPv3, which uses hop counts to compute the shortest route between endpoint routers. It’s also known as RIPng, or next generation.
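To show why the subnet mask matters, here is an added example (not from these notes) that reads the same IPv4 address classfully, deriving the prefix length from the first-octet class ranges given above, and classlessly with a supplied prefix length; it also flags the APIPA 169.254.x.x range. The function names are my own.

```python
from typing import Dict, Optional, Tuple

def parse_ipv4(dotted: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, rejecting malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value

def to_dotted(addr: int) -> str:
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def classful_prefix(addr: int) -> Tuple[str, int]:
    """Class letter and the prefix length it implies, using the first-octet ranges from the notes."""
    first = addr >> 24
    if 1 <= first <= 127:
        return "A", 8
    if 128 <= first <= 191:
        return "B", 16
    if 192 <= first <= 255:
        return "C", 24
    raise ValueError("first octet 0 does not identify a network in the classful scheme")

def describe(addr_text: str, prefix_len: Optional[int] = None) -> Dict[str, object]:
    """Network, broadcast and usable-host count; classful when no prefix length is supplied."""
    addr = parse_ipv4(addr_text)
    cls, implied = classful_prefix(addr)
    plen = implied if prefix_len is None else prefix_len
    if not 0 <= plen <= 32:
        raise ValueError(f"prefix length out of range: {plen}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {
        "class": cls,
        "prefix_len": plen,
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        # all-zeros and all-ones host parts are the network and broadcast addresses
        "usable_hosts": max((1 << (32 - plen)) - 2, 0),
        # 169.254.x.x is the APIPA range the notes describe (fallback when DHCP fails)
        "apipa": (addr >> 16) == ((169 << 8) | 254),
    }
```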

A path vector protocol maintains the path information that gets updated dynamically. The routers accumulate the cost of a particular path, and validate that the path is loop-free before advertising known paths via updates to peers.

Border Gateway Protocol (BGP) is used by the internet backbone to advertise networks. It’s an exterior routing protocol and relies on proper configuration to advertise routes. Misconfigured peers can redirect traffic in unintended ways, opening up the possibility of traffic monitoring or denial of service. An evolution of the path vector approach, a link-state algorithm can determine the most effective path by knowing the speed, congestion and availability of the link, and the total hops.

The Intermediate System to Intermediate System (IS-IS) protocol is a layer 2 protocol in the eyes of ISC2, as opposed to OSPF, which ISC2 considers to be a layer 3 protocol (https://www.youtube.com/watch?v=VyljJ9Jfshc). Not exactly sure why it’s presented in the Layer 3 materials, but there you have it…

Open Shortest Path First (OSPF) has three versions: OSPF versions 1, 2 and 3.

OSPF is used in area border routers (ABRs), which segment autonomous systems (AS) into areas, and in Autonomous System Boundary Routers (ASBRs), which support routing between two or more autonomous systems. OSPF is an example of an interior routing protocol. Link-state algorithms calculate the shortest path to each node based on a routing table constructed by the router, which keeps track of routes to network destinations and services through its own links.