Slide 1: CSIS 625 Week 11 - TCP/IP & Presentation Layer
Copyright 2001 - Dan Oelke
For use by students of CSIS 625 for purposes of this class only.
Slide 2: Overview
TCP/IP
– Network Layer - IP: IP addresses, subnets
– Transport Layer - UDP or TCP
– ICMP, ARP, etc.
Presentation Layer topics
– ASN.1 & BER
– Network Management
– Encryption
– Authentication
Slide 3: TCP/IP Introduction
TCP/IP is the protocol used for the Internet.
Developed in the 70's for the US Department of Defense
– ARPANET - Advanced Research Projects Agency NETwork
TCP/IP defines the network and transport layers
– Assumes a connectionless, unreliable, packet-oriented data link and physical layer.
– May use connection-oriented or non-packet data link layers, but does not take advantage of their capabilities.
Slide 4: TCP/IP by the layers
ARP - Address Resolution Protocol - a layer-2 to layer-3 address mapping protocol
IP - Internetwork Protocol - the network layer
– Best-effort, unreliable delivery
TCP - Transmission Control Protocol - a connection-oriented transport layer
– A stream of data with guaranteed, in-sequence delivery
UDP - User Datagram Protocol - a connectionless transport layer
Applications do the rest
– Lately there are some presentation-layer-type protocols for encryption (SSH is the prime example)
DNS - Domain Name System
– A way to map names to IP addresses
– Example: www.stthomas.edu => 188.8.131.52
Slide 5: Internetwork Protocol
Header format

 0             7              15                              31
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  HLen |      TOS      |         Total Length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |Flags|     Fragment Offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      TTL      |   Protocol    |          IP Checksum          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source IP Address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination IP Address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    IP Options (if any)...                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Slide 6: IPv4 Header fields
Ver - version - currently IPv4, or 0100 in binary
– IPv6 is starting to deploy - it has a differently formatted header
HLen - header length in multiples of 4 bytes
– Allows header lengths up to 60 bytes
TOS - Type of Service - supposed to be used for prioritization of data
Total Length - length of the IP datagram
Slide 7: IPv4 Header fields
Identification, flags, fragment offset
– Identification is a unique number for each packet
– More Fragments flag - tells if this is the last fragment
– Don't Fragment flag - tells IP not to fragment this packet
– Fragment offset - the offset in the packet for this fragment
TTL - Time to Live - initialized to 32 and decremented for each hop
Protocol - defines whether it is TCP/UDP/ICMP/etc.
IP Checksum - calculated over the header only
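The header fields and checksum described on slides 5 to 7, worked through in code. This is an added example, not material from the lecture: it builds a constructed 20-byte header, decodes it, verifies the RFC 791 checksum, and shows why a router must recompute the checksum after decrementing TTL.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and check its checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_hlen, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hlen = ver_hlen >> 4, (ver_hlen & 0x0F) * 4
    if version != 4 or hlen < 20 or hlen > len(pkt):
        raise ValueError("bad version or header length")
    return {
        "hlen": hlen, "tos": tos, "total_len": total_len, "id": ident,
        "dont_frag": bool(flags_frag & 0x4000),
        "more_frags": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # an intact header (checksum field included) sums to 0xFFFF, so ~sum == 0
        "checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,
    }

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Constructed header with no options and the DF flag set; checksum filled last."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def forward_one_hop(pkt: bytes) -> bytes:
    """What each router does: decrement TTL, then recompute the header checksum."""
    hdr = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:10] + b"\x00\x00" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + pkt[20:]

if __name__ == "__main__":
    h = build_ipv4_header("10.0.0.1", "10.0.0.2", 6, 20)   # TCP, 20 payload bytes
    print(parse_ipv4_header(h))                            # ttl 64, checksum_ok True
    print(parse_ipv4_header(forward_one_hop(h))["ttl"])    # 63
```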
Slide 8: IPv4 Addresses
IPv4 addresses are 32 bits. Typically written in dotted-decimal notation
– Four numbers 0-255 separated by dots
– 184.108.40.206
The address is divided into a network portion and a host portion.
Initially IPv4 had the concept of network classes that identified how many bits were the network portion, based on the first couple of bits.
– Caused an address space crunch
– This has now been abandoned in all modern IP stacks
Slide 9: IPv4 Address Classes
Class A
– 0.0.0.0 -> 127.255.255.255
– 0.* and 127.* reserved
Class B
– 128.0.0.0 -> 191.255.255.255
Class C
– 192.0.0.0 -> 223.255.255.255
Class D/E (Multicast)
– 224.0.0.0 -> 255.255.255.255
Remember - usually not used in practice, just used to designate how much space is given
Slide 10: IPv4 Addresses and subnets
Instead of looking at the first couple of bits to determine the class, and therefore the network portion, all systems now use a subnet mask.
Subnets were started before class notation was abandoned, as a way to break down bigger networks.
A subnet mask is a 32-bit number that, when bitwise-AND'ed with an address, breaks it into a network portion and a host portion.
Subnet masks are generally set with only the most significant bits set to 1s. This allows a simplification where the address is written with a slash indicating the number of bits in the subnet mask.
– Example: 220.127.116.11/24 indicates that the subnet mask is 24 bits, or 255.255.255.0. This indicates a network of 220.127.116.0.
– Does not have to end on even byte boundaries.
Slide 11: IP - default gateway
An IP node is generally provisioned with
– IP address
– Subnet mask
– Default gateway
The default gateway is the address that a packet is forwarded to if its destination isn't on the same network as the sending node.
Typically the default gateway is a router that forwards packets to the correct network.
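The mask arithmetic from slide 10 and the forwarding decision from slide 11, as an added example (not from the lecture). The addresses are constructed; the /26 case shows a mask that does not end on a byte boundary.

```python
def dotted_to_int(text: str) -> int:
    """'192.168.10.77' -> 32-bit integer; rejects malformed addresses."""
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted-decimal address: %r" % text)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: only the most significant `prefix` bits are 1s."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def split_address(cidr: str) -> dict:
    """Separate 'a.b.c.d/n' into its network and host portions with a bitwise AND."""
    addr_text, prefix_text = cidr.split("/")
    addr, mask = dotted_to_int(addr_text), prefix_to_mask(int(prefix_text))
    host_bits = ~mask & 0xFFFFFFFF
    network = addr & mask                    # bits under the mask's 1s
    return {
        "mask": int_to_dotted(mask),
        "network": int_to_dotted(network),
        "host": addr & host_bits,            # bits under the mask's 0s
        "broadcast": int_to_dotted(network | host_bits),
    }

def next_hop(local_cidr: str, default_gateway: str, destination: str) -> str:
    """Where a node hands a packet: straight to the destination if it shares the
    node's network, otherwise to the default gateway (a router)."""
    addr_text, prefix_text = local_cidr.split("/")
    mask = prefix_to_mask(int(prefix_text))
    same_net = (dotted_to_int(addr_text) & mask) == (dotted_to_int(destination) & mask)
    return destination if same_net else default_gateway

if __name__ == "__main__":
    # constructed example on a /26, which does not end on a byte boundary
    print(split_address("192.168.10.77/26"))   # network 192.168.10.64, host 13
    print(next_hop("192.168.10.77/26", "192.168.10.65", "192.168.10.130"))  # gateway
```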
Slide 12: ICMP - Internet Control Message Protocol
Documented in RFC 792
Uses IP to transport messages, but is not a fully separate transport layer protocol because it is so integrated with IP
Reports some errors - but not everything, so it isn't there to make IP reliable
Does not send error messages when the source or destination address isn't an individual address (multicast, loopback, etc.)
Does not send error messages about ICMP messages (avoids an infinite loop)
Slide 13: ICMP - Types of messages
– Echo & Echo Reply - used by the "ping" command to see if a node is there
– Destination Unreachable
  A router in between can't forward the packet because a link is down
  The end node doesn't have a service running on that port
– Source Quench
  Meant to be a way for the destination to tell the source to slow down
  Often not used
– Redirect
  A router tells the previous node a better way to send the packet
– Time Exceeded
  The TTL value of a packet counted down to zero before the packet could be delivered
  Used by the traceroute command
Slide 14: Transport layer - UDP/IP
UDP is simple in that all it really has to support, in addition to the IP header, is port addresses.
Header format

 0             7              15                              31
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Total Length          |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Source and destination ports identify the service the datagram belongs to
Checksum protects the UDP header (not the packet data)
Slide 15: Transport layer - TCP/IP
TCP is connection oriented, so it must provide connection setup and teardown as well as mechanisms for reliable packet delivery.
Header format

 0             7              15                              31
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgement Number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HLEN  |   Resv    |   Flags   |          Window Size          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |        Urgent Pointer         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Options & Padding                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Slide 16: TCP Header
Port Addresses - used to identify services
Sequence Number & Acknowledgement Number - used for sliding-window flow control and error control
HLEN - header length in multiples of 4 bytes
Resv - reserved for future use
Flags
– URG - Urgent - there is urgent data in the data portion
– ACK - the acknowledgement field is valid
– PSH - Push - higher throughput is desired
– RST -
– SYN - sequence number synchronization in the connection setup
– FIN - connection termination
Window Size - the number of packets that can be sent
Checksum - error detection for the header (not the data)
Urgent Pointer - an offset into the data portion for where the urgent data is (if the URG flag is set)
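Decoding the UDP and TCP headers laid out on slides 14 to 16, as an added example that is not part of the lecture. The two segments at the bottom are constructed (a UDP datagram to port 53 and a bare SYN to port 80); the flag bit values and field layout are those of the headers shown above.

```python
import struct

TCP_FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_udp_header(seg: bytes) -> dict:
    """Decode the 8-byte UDP header; the length field covers header plus data."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length field disagrees with the bytes received")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": seg[8:length]}

def parse_tcp_header(seg: bytes) -> dict:
    """Decode the TCP header; HLEN is in 4-byte units and the flags share one byte."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_resv, flag_bits,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off_resv >> 4) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad TCP header length")
    flags = {name for name, bit in TCP_FLAG_BITS.items() if flag_bits & bit}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "hlen": hlen, "flags": flags, "window": window, "checksum": csum,
            "urgent_ptr": urg if "URG" in flags else None,   # only meaningful with URG
            "options": seg[20:hlen], "payload": seg[hlen:]}

def segment_role(flags: set) -> str:
    """Name the setup/teardown step a flag combination represents."""
    if "RST" in flags:
        return "reset"
    if "SYN" in flags:
        return "connection accept (SYN+ACK)" if "ACK" in flags else "connection request (SYN)"
    if "FIN" in flags:
        return "connection termination (FIN)"
    return "data or acknowledgement"

# constructed segments: a 5-byte UDP payload to port 53, and the first TCP handshake step
UDP_DNS_QUERY = struct.pack("!HHHH", 53000, 53, 8 + 5, 0) + b"query"
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
```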
Slide 17: TCP flow control
TCP uses a modified sliding window technique called a credit scheme.
Each ACK carries both a number for the bytes that are being acknowledged and a number for how far beyond that the sender may transmit before the next acknowledgement.
Slow Start - developed by Van Jacobson - 1988
– Exponentially increases the window size as data is successfully sent
– Allows the amount of data being sent to grow up to the network capacity
– Causes "slowness" for very short data transfers
Dynamic Window Sizing on Congestion
– When a packet is lost and retransmitted, the window size is cut dramatically and slow start is redone up to ½ the previous level
– From that point on, a slower linear rather than exponential growth is taken
These methods, when widely implemented, allow the Internet to work even in the face of extreme loads. Fortunately few people have the ability to rewrite their TCP/IP stack and defeat these mechanisms.
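The slow-start, loss-halving and linear-growth behaviour described above, simulated in segments per round trip, plus the credit arithmetic of the ACK. This is an added example, not from the lecture; the loss schedule and initial threshold are constructed.

```python
def simulate_cwnd(rounds: int, loss_rounds: set, initial_ssthresh: int = 64) -> list:
    """Congestion window (in segments) seen at the start of each RTT round.

    Slow start doubles cwnd every round until it reaches ssthresh; after that
    it grows by one segment per round (linear). A loss in a round halves the
    threshold to cwnd/2 and restarts slow start from one segment."""
    cwnd, ssthresh, history = 1, initial_ssthresh, []
    for rtt in range(rounds):
        history.append(cwnd)
        if rtt in loss_rounds:
            ssthresh = max(cwnd // 2, 2)     # remember half the level that failed
            cwnd = 1                         # the "dramatic" cut, then slow start again
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)   # exponential phase
        else:
            cwnd += 1                        # linear (congestion avoidance) phase
    return history

def rtts_to_transfer(segments: int, ssthresh: int = 64) -> int:
    """Round trips a loss-free slow start needs to deliver `segments` segments;
    this start-up cost is the 'slowness' the slide mentions for short transfers."""
    sent, cwnd, rounds = 0, 1, 0
    while sent < segments:
        sent += cwnd
        rounds += 1
        cwnd = min(cwnd * 2, ssthresh) if cwnd < ssthresh else cwnd + 1
    return rounds

def send_credit(ack_number: int, advertised_window: int, next_seq: int) -> int:
    """Credit scheme: the ACK says all bytes before ack_number arrived and grants
    advertised_window bytes beyond it; the sender may still send this many."""
    return max(0, ack_number + advertised_window - next_seq)

if __name__ == "__main__":
    print(simulate_cwnd(12, loss_rounds={4}))   # [1, 2, 4, 8, 16, 1, 2, 4, 8, 9, 10, 11]
    print(rtts_to_transfer(15))                 # 4
    print(send_credit(1000, 4096, 3000))        # 2096
```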
Slide 18: ARP - Address Resolution Protocol
Used as a way for IP to map an Ethernet address to an IP address.
When a node wants to send an IP datagram over an Ethernet network, it needs to know the MAC address of the destination.
An Ethernet broadcast is sent out asking who owns this IP address.
The node with the address replies.
From the reply the original node gets the MAC address.
Now the IP packet can be sent over the Ethernet to the destination.
Slide 19: ARP Cache
The sender keeps a cache of recently resolved addresses so it doesn't have to ARP before sending every packet
– This cache can often be displayed using the "arp" command
– This cache must time out, in case one node stops using an IP address and another starts using it
When one node sends out an ARP reply message, all nodes on a broadcast network may add it to their cache.
Slide 20: Proxy-ARP
Sometimes an administrator will want to merge two separate Ethernet networks to look like one for IP packets.
A router can be configured so that it will send an ARP response on an interface for a whole range of IP addresses.
The router will then receive the packets and forward them to the correct Ethernet network.
– It will need to do an ARP request on that interface to find the actual node's MAC address.
– The router will typically be configured to proxy-ARP in both directions.
Slide 21: DNS - Domain Name System
A protocol, and the whole system, for mapping names of machines to IP addresses.
The protocol usually runs over UDP packets.
– Unreliable, but since the exchange is only one packet to the server and one packet in response, it has lower overhead than TCP.
A node is typically configured with the IP address of one or more DNS servers.
– If the first one fails to respond, the second one is used, etc.
Top Level Domain - the last set of letters after a period (.) in a domain name.
Root name server - the master domain name server for a given top level domain.
Slide 22: DNS Control
ICANN - Internet Corporation for Assigned Names and Numbers
– Created by the US government as a way to sort out the management of DNS
– Very controversial in how it has been handling things
Each of the top level domains has a single database maintainer
– .com, .net, .org are all through Network Solutions
– .gov is controlled by the United States government
– Each country has a two-letter top level domain (.us, .cc, .tv, .ru, .uk, etc.)
– There may be multiple companies that register names into that database, but a single database exists.
Some people have started creating alternative name servers.
Slide 24: ASN.1 & BER
ASN.1 - Abstract Syntax Notation One
– A formal language for describing messages that go between computer systems.
BER - Basic Encoding Rules
– The method by which messages described in ASN.1 are arranged into bits for transmission.
Many systems today use ASN.1 with BER to define their message structure.
BER typically uses a header for each field that defines what it is (the tag) and its length, followed by the data.
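The tag-length-data layout described above, as an added example (not from the lecture): a minimal BER encoder for INTEGER, OCTET STRING and SEQUENCE, and a reader that walks the triples back out. The sample message is constructed; the tag values 0x02, 0x04 and 0x30 and the short/long length forms are the standard BER ones.

```python
def ber_length(n: int) -> bytes:
    """Length octets: one byte for n < 128, else 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_integer(value: int) -> bytes:
    """Tag 0x02 with minimal two's-complement content octets."""
    content = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    while len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80) or
                                (content[0] == 0xFF and content[1] >= 0x80)):
        content = content[1:]               # drop redundant sign-extension bytes
    return b"\x02" + ber_length(len(content)) + content

def ber_octet_string(data: bytes) -> bytes:
    return b"\x04" + ber_length(len(data)) + data

def ber_sequence(*elements: bytes) -> bytes:
    """Tag 0x30: a constructed type whose content is the concatenated elements."""
    content = b"".join(elements)
    return b"\x30" + ber_length(len(content)) + content

def read_tlv(data: bytes, pos: int = 0):
    """Read one tag-length-value triple at `pos`; returns (tag, content, next_pos).
    A length field claiming more bytes than are present is rejected, not trusted."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("length %d exceeds the %d bytes available" % (length, len(data) - pos))
    return tag, data[pos:pos + length], pos + length

def decode_integer(content: bytes) -> int:
    return int.from_bytes(content, "big", signed=True)

# constructed message: SEQUENCE { INTEGER 300, OCTET STRING "public" }
SAMPLE = ber_sequence(ber_integer(300), ber_octet_string(b"public"))
```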
Slide 25: ASCII - The anti-ASN.1 system
Many protocols on the Internet today use ASCII-based encoding mechanisms
– HTTP, SMTP, FTP control, etc.
ASN.1-encoded messages cannot be decoded by just looking at them on a terminal, while ASCII-based messages can.
Slide 26: Network Management
SNMP - Simple Network Management Protocol
– Uses ASN.1-encoded messages to get/put values in a table-type structure
– Messages are sent over UDP/IP
– Requests are only simple sets and gets
– More complex operations can take significant work
– Simplicity allows very simple (and cheap) devices to implement this protocol (cheap Ethernet switches, for example)
– Everything is a table in SNMP
  Can be a limitation for more complex devices - requires multiple tables that reference one another
  Makes life simpler for the devices implementing SNMP
Slide 27: CMISE - Common Management Information Service Elements
Uses an object-oriented view of the system
Many layers of protocols
A very rich filtering and selection system
Promoted and standardized mostly through Bellcore/Telcordia
– Driven by the phone companies' desire to have a common management system for everything
The set of objects is "standardized", but every vendor has their own extensions, so the management system must adapt to these extensions.
Mostly a dead system
So bloated it takes seconds to do a single query
Requires many megabytes of RAM on managed systems
Slide 28: Encryption
Encryption is a method by which information is modified so that others cannot understand it.
– Scrambling of the data
– aka Cryptography
Steganography is a method by which information is hidden from others.
– Hiding the data using "noise"
– Least significant bits in pictures or audio
Encryption has 2 major branches
– Asymmetric Encryption (Public Key)
– Symmetric Encryption
Slide 29: Encryption - the players
Instead of "A sends a message to B", cryptography books have taken to using some relatively standard names for the nodes communicating:
Alice, Bob, Carol, Dave - participants in a communication
Eve - the eavesdropper - listens in on the communication but doesn't alter it
Mallory - a malicious active attacker
Peggy - a prover
Victor - a verifier
Slide 30: Symmetric Key Encryption
Both the sender and the receiver know some common secret. The secret is the key to decoding the message.
The secrecy of the key is important.
Transporting and securing the key between Alice and Bob is difficult, because it must be done through a secure mechanism.
One-time pad - the key is as big as the message. The message is XOR'd with the key.
– The only truly unbreakable encryption system
– Most products that claim one-time-pad are not
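The one-time pad XOR from the slide, as an added example not taken from the lecture. It enforces the two conditions that make the pad unbreakable (key exactly as long as the message, fresh random pad) and shows what a product that reuses a pad gives away: with a shared pad, XOR-ing two ciphertexts leaves the XOR of the two plaintexts, with the key cancelled out. The pad and messages below are constructed so the run is repeatable.

```python
import secrets

def new_pad(length: int) -> bytes:
    """A fresh pad: as long as the message, from the OS random source, used once."""
    return secrets.token_bytes(length)

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). The pad must match the message length exactly."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message (%d != %d)" % (len(pad), len(data)))
    return bytes(d ^ p for d, p in zip(data, pad))

def pad_reuse_residue(ct1: bytes, ct2: bytes) -> bytes:
    """Why 'one-time' matters: if two messages share a pad, XOR of the two
    ciphertexts equals XOR of the two plaintexts; the pad cancels out entirely."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))

# constructed fixed pad so the demonstration is repeatable (a real pad comes from new_pad)
DEMO_PAD = bytes.fromhex("3f9a4c117be6d2085a9c33e7")   # 12 bytes
MSG1 = b"meet at noon"                                  # 12 bytes
MSG2 = b"send 5 units"                                  # 12 bytes

if __name__ == "__main__":
    ct1, ct2 = otp_xor(MSG1, DEMO_PAD), otp_xor(MSG2, DEMO_PAD)
    print(otp_xor(ct1, DEMO_PAD))                                # b'meet at noon'
    print(pad_reuse_residue(ct1, ct2) == otp_xor(MSG1, MSG2))   # True: the pad is gone
```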
Slide 31: Symmetric Key encryption types
DES - Data Encryption Standard
– Uses a 56-bit key
– All 2^56 keys can be tested in < 24 hours with a $250k machine
3DES - Use of DES three times over
– Gives 3x56 or 168 bits of keyspace
AES - Advanced Encryption Standard
– Rijndael is the newly chosen standard
– 128-256 bit key
Slide 32: Asymmetric Encryption
Commonly called Public Key encryption.
Two numbers (secrets) are created.
One of these keys is called the public key and is given to everyone.
The other is called the private key and is kept secret.
To send a message, the public key is used to encrypt the data. After that, only someone with the private key can decode the message.
Slide 33: Public Key Encryption types
RSA - Ron Rivest, Adi Shamir, and Leonard Adleman
– An algorithm that picks two large prime numbers and multiplies them. It is assumed that it is very, very difficult to factor the resulting number.
– The bigger the numbers, the harder it is to break the encryption
Elliptic Curve
Many practical systems use public key encryption to encrypt a symmetric key that is then used to encrypt the rest of the message
– Public key encryption tends to use compute-expensive algorithms
Slide 34: Key Size
Comparing key size between different algorithms is not easily done. A typical 128-bit symmetric key encryption method might take as long to break as a 1024-bit asymmetric key encryption.
Don't get into "my key is bigger" battles. What is important is how strong the overall system is.
– Key size is one factor
– Algorithm choice is another
– Use of proven algorithms is best
– Implementation is often the biggest problem
– Beware - a lot of people are selling snake oil
Slide 35: Authentication
Authentication is the process of making sure that someone is who they say they are.
It is also the process of making sure that a message has been transported without being modified.
– Much more than error detection
– Mallory might intercept the message, change it, and change the CRC
Secure hash - an algorithm that creates a big hashed number such that it is very difficult to produce another message with the same number
– SHA-1, MD5, RIPEMD
Slide 36: Authentication & Encryption
Authentication often uses many of the same public key algorithms as encryption.
Message tampering detection
– Create a secure hash, and then encrypt it using the private key.
– Anyone can then decrypt the hash using the public key and compare the result with a hash computed over their own copy of the message.
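The hash-then-sign recipe of slides 35 and 36, built on the two-prime RSA of slide 33, as an added example that is not part of the lecture. Assumptions: SHA-256 stands in for the hashes the slide names, the primes are toy-sized Mersenne primes rather than real key material, and this is textbook RSA without the padding that real signature schemes add. The CRC helper shows the contrast the slide draws: anyone who alters the message can recompute a CRC, but not a signature.

```python
import hashlib
import zlib

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: n = p*q; d is e's inverse mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def message_digest(message: bytes, n: int) -> int:
    # SHA-256 stands in for the slide's SHA-1/MD5/RIPEMD; it is reduced mod n
    # only because the demo modulus is far smaller than a real 2048-bit one
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Hash, then 'encrypt' the hash with the private key (the slide's recipe)."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' with the public key and compare against our own hash of the message."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)

def crc_tag(message: bytes) -> int:
    """Plain error detection: a CRC appended to the message."""
    return zlib.crc32(message)

def crc_check(message: bytes, crc: int) -> bool:
    """Catches accidental damage only: whoever changes the message can recompute this."""
    return crc_tag(message) == crc

# toy-sized Mersenne primes (2^31-1 and 2^61-1) keep the demo fast; real keys are far larger
PUBLIC, PRIVATE = rsa_keypair(2147483647, 2305843009213693951)

if __name__ == "__main__":
    msg, tampered = b"pay 100 to Bob", b"pay 900 to Bob"
    sig = sign(msg, PRIVATE)
    print(verify(msg, sig, PUBLIC), verify(tampered, sig, PUBLIC))   # True False
    print(crc_check(tampered, crc_tag(tampered)))   # True: a recomputed CRC passes
```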