1. Survey of Information Assurance Review of TCP/IP

2. Agenda Brief review of TCP/IP Protocol stack and TCP/IP hierarchal model Detailed discussion of Transport Control Protocol Detailed discussion of Internet Protocol Discussion on limitations of TCP/IP and possible solutions.

3. Scope of Discussions The following are not covered in today’s presentation:  Implementation details/flaws of TCP/IP protocol stack for generic or specific systems  Detailed discussion on EACH of protocols treated as a part of TCP/IP Protocol Suite  Detailed discussion on earlier versions  Detailed discussion on IPv6

4. Introduction to TCP/IP History Origin of the term “IPv4” Standards: RFC 793 – TCP and RFC 791 – IP Extensions: IPv6 Deployment: Worldwide!!! Functionality Supported:  Connection oriented data delivery  Fragmentation Support  Addressing and Routing  Congestion Control etc.

5. TCP/IP Model vs. OSI Model REF: http://www.trainsignaltraining.com/wpnew/wp- content/uploads/2007/10/TCP__OSI___Stelios/1_ TCPIP_and_OSI_models.jpg http://www.trainsignaltraining.com/wpnew/wp- content/uploads/2007/10/TCP__OSI___Stelios/1_ TCPIP_and_OSI_models.jpg

6. REF: http://www.trainsignaltraining.com/wpnew/wp- content/uploads/2007/10/TCP__OSI___Stelios/2_TCPIP_Protocol_Suite.jpghttp://www.trainsignaltraining.com/wpnew/wp- content/uploads/2007/10/TCP__OSI___Stelios/2_TCPIP_Protocol_Suite.jpg

7. TCP Standards: RFC 793 – TCP Later Versions: NONE!!! Alternative technologies: UDP History:  Advanced Research projects Agency (ARPA) Research. Provides following services:  Network Technology Independence  Universal interconnection  Reliable Stream Transport Service  Congestion Control  End-to-end Acknowledgement

8. TCP Header REF: http://www.visi.com/~mjb/Drawings/TCP_Header.pdfhttp://www.visi.com/~mjb/Drawings/TCP_Header.pdf

9. TCP Header Description Source port (16-bit) and Destination port (16 bit) Sequence number (32-bit) Acknowledgement number (32-bit) Header Length (4 bit) Reserved (6 bit) Control bits (8 bits)  Urgent pointer (URG) if this bit field is set the receiving TCP should interpret the urgent pointer field.  Acknowledgement (ACK) this field is set to acknowledge the field entered is valid  Push function (PSH) if this bit field is set the receiver should deliver this segment to receiving application as soon as possible.

10. TCP Header Description (2)  Reset the connection (RST) if this bit is present, it is the receiver that sender is aborting the connection and all queued data and allocated buffers and connection can be freely relinquished.  Synchronize (SYN) this specifies that the bit field signifies that a sender to synchronize sequence numbers this is used to establish connection between the sender and receiver. Window (16-bit) Receiver side capacity to accept data Checksum (16 bit) Urgent Pointer (16 bit) Options: Variable, but cannot be larger than 40 bytes. The header length field is 4 bit. They are often used for various flow control and congestion Padding: The optional header may vary in size it may be necessary to pad the TCP header to align to 32-bit word boundary. Data: Application data

11. TCP – Reliable Stream Transport Connection Establishment and Termination Three way Handshake REF: http://condor.depaul.edu/~jkristof/technotes/tcp.htmlhttp://condor.depaul.edu/~jkristof/technotes/tcp.html

12. TCP-Flow control REF: http://condor.depaul.edu/~jkristof/technotes/tcp.htmlhttp://condor.depaul.edu/~jkristof/technotes/tcp.html

13. IP Overview Standards: RFC 791 – IP (viz. IPv4) Later Versions: IPv6 Alternative technologies: IPX Functionality Supported:  Addressing and Routing  Fragmentation Support  Type of Service  Loose/Strict Source and Record Route

14. IP Header REF: http://www.visi.com/~mjb/Drawings/IP_Header.pdfhttp://www.visi.com/~mjb/Drawings/IP_Header.pdf

15. IP Header Description Version (4 bits) describes header format. Version may be 4 for IPv4 or 6 for IPv6. IHL (Internet header length – 4 bits) is the length of IP header in 32- bit words. Thus, actual length is 32*IHL-value bits or 4*IHL-value bytes. TOS (Type of Service – 8 bits) allows setting desired service-quality parameters. Total Length (16 bits) is length of entire datagram. Identification (16 bits), Flags (3 bits) and Fragment Offset (13bits) are used for fragmentation and reassembly of datagram(s). TTL (Time to Live 8 bits) is the maximum time a datagram is allowed to remain in the internetwork. Each device decrements this value when the datagram is processed and drops it if the value is zero.

16. IP Header Description (2) Protocol (8 bits) indicates the type of higher layer protocol that follows after IP header. Header Checksum (16 bits) is checksum on header only. SA (Source address 32 bits) and DA (Destination address 32 bits) are source and destination IP addresses. Options (variable length) may or may not be used.

17. IP Addressing IP Address is 32 bit field. (~4.29 billion addresses) The IP address consists of a Network Part and a Host Part Need for larger addressing space – Division of address space into private and public addresses. The IANA (Internet Assigned Numbers Authority) has reserved the three blocks of the IP address space for private internets:  10.0.0.0 - 10.255.255.255 (10/8 prefix)  172.16.0.0 - 172.31.255.255 (172.16/12 prefix)  192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

18. IP Addressing (2) The IP Addressing is classful by design: These classful networks may be further divided by using subnetting A set of contiguous networks may also be “supernetted” ClassFirst OctetRangeNetwork BitsComments Class A0xxx xxxx1.x.x.x – 126.x.x.x [1] Bits 2 nd – 8 th 126classes, 16.7 m hosts Class B10xx xxxx128.x.x.x – 191.x.x.xBits 3 rd – 16 th 16.3k classes, 65.5 k hosts Class C110x xxxx192.x.x.x – 223.x.x.xBits 4 th – 24 th 2.09m classes, 254 hosts Class D1110 xxxx224.x.x.x – 247.x.x.xBits 5 th – 32 nd Multicast Class E1111 xxxx248.x.x.x – 255.x.x.xBits 5 th – 32 nd Research use [1] The 0.0.0.0 network is default route and 127.0.0.0 is universal loopback address. REF : http://www.faqs.org/docs/linux_network/x-087-2-issues.ip-addresses.html http://www.faqs.org/docs/linux_network/x-087-2-issues.ip-addresses.html

19. IP Addressing (3) - Subnetting Consider a Class A network: 5.0.0.0 Hosts : 16,777,214 Consider borrowing 16 bits from host address to form “subnets” 5.x.x.0 –> 65536 sub-networks Hosts : 254 for each subnet -> 16,646,144

20. IP Addressing (4) - Supernetting Consider a set of Class C networks: 222.0.0.0 – 222.0.255.0 Networks: 256  256 routes to distinct networks. Consider borrowing 16 bits from network address to form a “supernet” 222.0.x.0/16 is 1 supernet  1 route to gateway for given network. Networks need to be contiguous to form supernet.

21. IP Fragmentation IP may fragment a PDU based on the maximum transmission unit (MTU) of the link or Path MTU (PMTU). Higher layers may request DF (Don’t fragment) bit = 1; i.e. the PDU must not be fragmented. If DF = 1 and PDU size exceeds link MTU, the router will drop the PDU and send ICMP error to sender. PMTU – D : Path MTU Discovery

22. IP Fragmentation (2) IF DF = 0, PDU may be fragmented if needed. For each fragment of PDU, the Identification value is identical and allows for reassembly for out-of-order fragments at receiver. The MF (More Fragments) bit is set for all but last fragment of a PDU. The Fragment Offset value defines the location of given piece of data in the original PDU, it is used for reassembly.

23. IP Type of Service This is an 8-bit field  Bits 0-2: Precedence  Bits 3-5: Delay Throughput and Reliability (respectively) [Value: 0  Normal and 1  High]  Bits 6-7: Reserved Precedence: 111 – N/W control110 – Internetwork control 101 – CRITIC/ECP100 – Flash override 011 - Flash010 - Immediate001 - Priority000 - Routine

24. TCP/IP – Issues Faced 1.Security TCP/IP was not designed for security, TCP/IP based communication relies on IP address to identify peer. This IP address and very easily be spoofed and modified. Typical Attacks:  IP address spoofing a) DNS spoofing – Create spoofed DNS response packet for a DNS query b) ARP spoofing – Also called ARP Cache poisoning, allows a malicious host to cause all traffic to be redirected to self  Ping of Death – Uses oversized ping packet (usually >65535 bytes) as fragments and cause buffer-overflows

25. TCP/IP – Issues Faced (2)  TCP DoS Attack – excessive SYN requests to a server may use up all CPU cycles preventing it from actively provide services like FTP, Radius Authentication, DNS, DHCP etc… allowing for more complicated impersonation or simple denial of service.  TCP Sequence Number prediction – to create one-sided TCP connection (Berkeley implementation of SN generation): a) Impersonate an alive host and connect to server b) Impersonate a down host by using netstat service  Routing Based Attacks – a) Poison RIP Routing information as it is received unchecked by routers b) ICMP Redirect for an open connection c) ICMP “Destination Unreachable” and “TTL exceeded”

26. TCP/IP – Issues Faced (3) 2.Limited Address Space IPv4 supports slightly over 4.29 billion addresses. This is highly insufficient address space. 3.Connection Delay There is an inherent delay involved in session establishment and overhead involved with processing information contained in TCP header.

27. Possible Solutions Security:  Narrow spectrum technologies – Firewalls, DHCP Snooping  Broad Spectrum technologies – Encryption Address Space limitation:  NAT – introduces other issues (still widely deployed)  IPv6 – has not yet had widespread acceptance Delay and overhead of connection:  UDP

28. References www.tcpipguide.com RFC 791 – Internet Protocol RFC 791 RFC 793 – Transport Control Protocol RFC 793 By Douglas Komer http://www.securityfocus.com/infocus/1674 http://www.cs.columbia.edu/~smb/papers/ipext.pdf http://www.xs4all.nl/~rmeijer/spoofing.html