TCP/IP Protocol Suite, Chapter 6: Delivery, Forwarding, and Routing of IP Packets

Presentation transcript:

Chapter 6: Delivery, Forwarding, and Routing of IP Packets. Objectives: upon completion you will be able to understand the different types of delivery and the connection; understand forwarding techniques in classful addressing; understand forwarding techniques in classless addressing; understand how a routing table works; understand the structure of a router.

DELIVERY: The network layer supervises delivery, the handling of the packets by the underlying physical networks. Two important concepts are the type of connection and direct versus indirect delivery. The topics discussed in this section include: Connection Types; Direct Versus Indirect Delivery.

Note: IP is a connectionless protocol.

Figure 6.1 Direct delivery

Figure 6.2 Indirect delivery

FORWARDING: Forwarding means to place the packet in its route to its destination. Forwarding requires a host or a router to have a routing table. The topics discussed in this section include: Forwarding Techniques; Forwarding with Classful Addressing; Forwarding with Classless Addressing; Combination.

Figure 6.3 Next-hop method

Figure 6.4 Network-specific method

Figure 6.5 Host-specific routing

Figure 6.6 Default routing

Figure 6.7 Simplified forwarding module in classful address without subnetting

Example 1: Figure 6.8 shows an imaginary part of the Internet. Show the routing tables for router R1.

Solution: Figure 6.9 shows the three tables used by router R1. Note that some entries in the next-hop address column are empty because in these cases, the destination is in the same network to which the router is connected (direct delivery). In these cases, the next-hop address used by ARP is simply the destination address of the packet, as we will see in Chapter 7.

Figure 6.9 Tables for Example 1

Example 2: Router R1 in Figure 6.8 receives a packet with destination address Show how the packet is forwarded.

Solution: The destination address in binary is A copy of the address is shifted 28 bits to the right. The result is or 12. The destination network is class C. The network address is extracted by masking off the leftmost 24 bits of the destination address; the result is The table for Class C is searched. The network address is found in the first row. The next-hop address and the interface m0 are passed to ARP.

Example 3: Router R1 in Figure 6.8 receives a packet with destination address Show how the packet is forwarded.

Solution: The destination address in binary is A copy of the address is shifted 28 bits to the right. The result is or 10. The class is B. The network address can be found by masking off 16 bits of the destination address, the result is The table for Class B is searched. No matching network address is found. The packet needs to be forwarded to the default router (the network is somewhere else in the Internet). The next-hop address and the interface number m0 are passed to ARP.

Figure 6.10 Simplified forwarding module in classful address with subnetting

Example 4: Figure 6.11 shows a router connected to four subnets. Note several points. First, the site address is /16 (a class B address). Every packet with destination address in the range to is delivered to the interface m4 and distributed to the final destination subnet by the router. Second, we have used the address x.y.z.t/n for the interface m4 because we do not know to which network this router is connected. Third, the table has a default entry for packets that are to be sent out of the site. The router is configured to apply the mask /18 to any destination address.

Figure 6.11 Configuration for Example 4

Example 5: The router in Figure 6.11 receives a packet with destination address Show how the packet is forwarded.

Solution: The mask is /18. After applying the mask, the subnet address is The packet is delivered to ARP with the next-hop address and the outgoing interface m0.

Example 6: A host in network in Figure 6.11 has a packet to send to the host with address Show how the packet is routed.

Solution: The router receives the packet and applies the mask (/18). The network address is The table is searched and the address is not found. The router uses the address of the default router (not shown in figure) and sends the packet to that router.

Note: In classful addressing we can have a routing table with three columns; in classless addressing, we need at least four columns.

Figure 6.12 Simplified forwarding module in classless address

Example 7: Make a routing table for router R1 using the configuration in Figure

Solution: Table 6.1 shows the corresponding table. See the table after the figure.

Figure 6.13 Configuration for Example 7

Table 6.1 Routing table for router R1 in Figure 6.13

Example 8: Show the forwarding process if a packet arrives at R1 in Figure 6.13 with the destination address

Solution: The router performs the following steps:
1. The first mask (/26) is applied to the destination address. The result is , which does not match the corresponding network address.
2. The second mask (/25) is applied to the destination address. The result is , which matches the corresponding network address. The next-hop address (the destination address of the packet in this case) and the interface number m0 are passed to ARP for further processing.

Example 9: Show the forwarding process if a packet arrives at R1 in Figure 6.13 with the destination address

Solution: The router performs the following steps:
1. The first mask (/26) is applied to the destination address. The result is , which does not match the corresponding network address (row 1).
2. The second mask (/25) is applied to the destination address. The result is , which does not match the corresponding network address (row 2).
3. The third mask (/24) is applied to the destination address. The result is , which matches the corresponding network address. The destination address of the packet and the interface number m3 are passed to ARP.

Example 10: Show the forwarding process if a packet arrives at R1 in Figure 6.13 with the destination address

Solution: This time all masks are applied to the destination address, but no matching network address is found. When it reaches the end of the table, the module gives the next-hop address and interface number m2 to ARP. This is probably an outgoing packet that needs to be sent, via the default router, to some place else in the Internet.
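The mask-by-mask search walked through in Examples 8 to 10, as an added example that is not part of the original slides. The table, its addresses and the names Route, forward and MISORDERED are constructed for illustration (Table 6.1 is not reproduced here); the second call shows why the rows must be searched longest mask first when one block lies inside another.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network  # mask (/n) and network address columns
    next_hop: Optional[str]         # None = directly connected network
    interface: str


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed table for illustration (private addresses), longest mask first.
# Note that 10.20.4.192/26 lies inside 10.20.4.128/25.
TABLE = [
    Route(net("10.20.4.192/26"), None, "m2"),
    Route(net("10.20.4.128/25"), None, "m0"),
    Route(net("10.20.7.0/24"), None, "m3"),
    Route(net("10.20.8.0/22"), "10.20.7.5", "m3"),
    Route(net("0.0.0.0/0"), "10.20.4.195", "m2"),  # default router
]

# The same rows with the /25 listed before the /26.
MISORDERED = [TABLE[1], TABLE[0]] + TABLE[2:]


def forward(dest, table, longest_first=True):
    """Return (next_hop, interface) to hand to ARP, or None if nothing matches."""
    addr = int(ipaddress.IPv4Address(dest))
    rows = table
    if longest_first:
        rows = sorted(table, key=lambda r: r.network.prefixlen, reverse=True)
    for row in rows:
        # Apply this row's mask and compare with its network address.
        if addr & int(row.network.netmask) == int(row.network.network_address):
            # Direct delivery: the next hop is the destination itself.
            return (row.next_hop or dest, row.interface)
    return None


if __name__ == "__main__":
    for d in ("10.20.4.200", "10.20.4.130", "10.20.7.35", "10.20.9.1", "172.16.1.1"):
        print(d, "->", forward(d, TABLE))
    # First-match search on a badly ordered table picks the wrong interface.
    print("misordered:", forward("10.20.4.200", MISORDERED, longest_first=False))
```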

Example 11: Now let us give a different type of example. Can we find the configuration of a router, if we know only its routing table? The routing table for router R1 is given in Table 6.2. Can we draw its topology?

Table 6.2 Routing table for Example 11

Solution: We know some facts but we don’t have all for a definite topology. We know that router R1 has three interfaces: m0, m1, and m2. We know that there are three networks directly connected to router R1. We know that there are two networks indirectly connected to R1. There must be at least three other routers involved (see next-hop column). We know to which networks these routers are connected by looking at their IP addresses. So we can put them at their appropriate place.

We know that one router, the default router, is connected to the rest of the Internet. But there is some missing information. We do not know if network is directly connected to router R2 or through a point-to-point network (WAN) and another router. We do not know if network is connected to router R3 directly or through a point-to-point network (WAN) and another router. Point-to-point networks normally do not have an entry in the routing table because no hosts are connected to them. Figure 6.14 shows our guessed topology.

Figure 6.14 Guessed topology for Example 6

Figure 6.15 Address aggregation

Figure 6.16 Longest mask matching

Example 12: As an example of hierarchical routing, let us consider Figure A regional ISP is granted addresses starting from The regional ISP has decided to divide this block into four subblocks, each with 4096 addresses. Three of these subblocks are assigned to three local ISPs; the second subblock is reserved for future use. Note that the mask for each block is /20 because the original block with mask /18 is divided into 4 blocks.

Figure 6.17 Hierarchical routing with ISPs

The first local ISP has divided its assigned subblock into 8 smaller blocks and assigned each to a small ISP. Each small ISP provides services to 128 households (H001 to H128), each using four addresses. Note that the mask for each small ISP is now /23 because the block is further divided into 8 blocks. Each household has a mask of /30, because a household has only 4 addresses (2^(32−30) is 4). The second local ISP has divided its block into 4 blocks and has assigned the addresses to 4 large organizations (LOrg01 to LOrg04). Note that each large organization has 1024 addresses and the mask is /22.

The third local ISP has divided its block into 16 blocks and assigned each block to a small organization (SOrg01 to SOrg15). Each small organization has 256 addresses and the mask is /24. There is a sense of hierarchy in this configuration. All routers in the Internet send a packet with destination address to to the regional ISP. The regional ISP sends every packet with destination address to to Local ISP1. Local ISP1 sends every packet with destination address to to H001.

ROUTING: Routing deals with the issues of creating and maintaining routing tables. The topics discussed in this section include: Static Versus Dynamic Routing Tables; Routing Table.

Figure 6.18 Common fields in a routing table

Example 13: One utility that can be used to find the contents of a routing table for a host or router is netstat in UNIX or LINUX. The following shows the listing of the contents of the default server. We have used two options, r and n. The option r indicates that we are interested in the routing table and the option n indicates that we are looking for numeric addresses. Note that this is a routing table for a host, not a router. Although we discussed the routing table for a router throughout the chapter, a host also needs a routing table.

$ netstat -rn
Kernel IP routing table
Destination Gateway Mask Flags Iface
U eth
U lo
UG eth0

More information about the IP address and physical address of the server can be found using the ifconfig command on the given interface (eth0).

$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:B0:D0:DF:09:5D
inet addr: Bcast: Mask:

From the above information, we can deduce the configuration of the server as shown in Figure

Figure 6.19 Configuration of the server for Example 13

STRUCTURE OF A ROUTER: We represent a router as a black box that accepts incoming packets from one of the input ports (interfaces), uses a routing table to find the departing output port, and sends the packet from this output port. The topics discussed in this section include: Components.

Figure 6.20 Router components

Figure 6.21 Input port

Figure 6.22 Output port

Figure 6.23 Crossbar switch

Figure 6.24 A banyan switch

Figure 6.25 Examples of routing in a banyan switch

Figure 6.26 Batcher-banyan switch

Chapter 7: ARP and RARP. Objectives: upon completion you will be able to understand the need for ARP; understand the cases in which ARP is used; understand the components and interactions in an ARP package; understand the need for RARP.

Figure 7.2 Position of ARP and RARP in TCP/IP protocol suite

ARP: ARP associates an IP address with its physical address. On a typical physical network, such as a LAN, each device on a link is identified by a physical or station address that is usually imprinted on the NIC. The topics discussed in this section include: Packet Format; Encapsulation; Operation; ARP over ATM; Proxy ARP.

Figure 7.4 ARP packet

Figure 7.5 Encapsulation of ARP packet

Figure 7.6 Four cases using ARP

Note: An ARP request is broadcast; an ARP reply is unicast.

Example 1: A host with IP address and physical address B2:34:55:10:22:10 has a packet to send to another host with IP address and physical address A4:6E:F4:59:83:AB (which is unknown to the first host). The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.

Solution: Figure 7.7 shows the ARP request and reply packets. Note that the ARP data field in this case is 28 bytes, and that the individual addresses do not fit in the 4-byte boundary. That is why we do not show the regular 4-byte boundaries for these addresses. Also note that the IP addresses are shown in hexadecimal. For information on binary or hexadecimal notation see Appendix B.

Figure 7.7 Example 1
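The request and reply of Example 1 built and parsed byte for byte, as an added example that is not part of the original slides. The two MAC addresses are the ones given in Example 1; the IP addresses (the slide values did not survive), the function names and the inconsistent test frame are constructed for illustration, and the frames omit Ethernet padding and CRC.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")            # destination, source, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # Ethernet/IPv4 ARP body (28 bytes)
ETHERTYPE_ARP, REQUEST, REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build(op, sha, spa, tha, tpa, eth_dst, eth_src=None):
    """Encapsulate one ARP packet in an Ethernet header (no padding or CRC)."""
    body = ARP.pack(1, 0x0800, 6, 4, op, sha, socket.inet_aton(spa),
                    tha, socket.inet_aton(tpa))
    return ETH.pack(eth_dst, eth_src or sha, ETHERTYPE_ARP) + body


def parse(frame):
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def anomalies(pkt):
    """Header/body inconsistencies worth logging; hints, not proof of spoofing."""
    found = []
    if pkt["eth_src"] != pkt["sha"]:
        found.append("Ethernet source differs from ARP sender hardware address")
    if pkt["op"] == REPLY and pkt["eth_dst"] == mac_str(BROADCAST):
        found.append("reply sent to broadcast")
    if pkt["op"] not in (REQUEST, REPLY):
        found.append("unknown operation code")
    return found


# MAC addresses from Example 1; the IP addresses are constructed.
HOST_A, HOST_B = mac("B2:34:55:10:22:10"), mac("A4:6E:F4:59:83:AB")
IP_A, IP_B = "10.0.0.20", "10.0.0.25"

# Request: broadcast, target hardware address unknown (all zeros).
REQUEST_FRAME = build(REQUEST, HOST_A, IP_A, bytes(6), IP_B, BROADCAST)
# Reply: unicast back to the requester.
REPLY_FRAME = build(REPLY, HOST_B, IP_B, HOST_A, IP_A, HOST_A)
# Constructed inconsistent frame: body claims HOST_B, header names another NIC.
ODD_FRAME = build(REPLY, HOST_B, IP_B, HOST_A, IP_A, HOST_A,
                  eth_src=mac("02:00:00:00:00:01"))
```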

Figure 7.8 Proxy ARP

ARP PACKAGE: In this section, we give an example of a simplified ARP software package to show the components and the relationships between the components. This ARP package involves five modules: a cache table, queues, an output module, an input module, and a cache-control module. The topics discussed in this section include: Cache Table; Queues; Output Module; Input Module; Cache-Control Module.

Figure 7.9 ARP components

Table 7.1 Original cache table used for examples

Example 2: The ARP output module receives an IP datagram (from the IP layer) with the destination address It checks the cache table and finds that an entry exists for this destination with the RESOLVED state (R in the table). It extracts the hardware address, which is ACAE32, and sends the packet and the address to the data link layer for transmission. The cache table remains the same.

Example 3: Twenty seconds later, the ARP output module receives an IP datagram (from the IP layer) with the destination address It checks the cache table and does not find this destination in the table. The module adds an entry to the table with the state PENDING and the Attempt value 1. It creates a new queue for this destination and enqueues the packet. It then sends an ARP request to the data link layer for this destination. The new cache table is shown in Table 7.2.

Table 7.2 Updated cache table for Example 3

Example 4: Fifteen seconds later, the ARP input module receives an ARP packet with target protocol (IP) address The module checks the table and finds this address. It changes the state of the entry to RESOLVED and sets the time-out value to 900. The module then adds the target hardware address (E ACA) to the entry. Now it accesses queue 18 and sends all the packets in this queue, one by one, to the data link layer. The new cache table is shown in Table 7.3.

Table 7.3 Updated cache table for Example 4

Example 5: Twenty-five seconds later, the cache-control module updates every entry. The time-out values for the first three resolved entries are decremented by 60. The time-out value for the last resolved entry is decremented by 25. The state of the next-to-the last entry is changed to FREE because the time-out is zero. For each of the three pending entries, the value of the attempts

Table 7.4 Updated cache table for Example 5

RARP: RARP finds the logical address for a machine that only knows its physical address. The topics discussed in this section include: Packet Format; Encapsulation; RARP Server; Alternative Solutions to RARP.

Note: The RARP request packets are broadcast; the RARP reply packets are unicast.

Figure 7.10 RARP operation

Figure 7.11 RARP packet

Figure 7.12 Encapsulation of RARP packet

ARP Spoofing: An attacker constructs spoofed ARP replies. A target computer can be convinced to send frames destined for computer A to computer B instead. Computer A will have no idea that this redirection took place. This process of updating a target computer’s ARP cache is referred to as “ARP poisoning”.

[Figure: A (MAC aa:aa:aa:aa), B (MAC bb:bb:bb:bb) and the hacker (MAC cc:cc:cc:cc) attached to a switch. The ARP caches hold the entries bb:bb:bb:bb and aa:aa:aa:aa; the hacker sends spoofed ARP replies carrying MAC cc:cc:cc:cc.]

[Figure: the same network after the spoofed replies. One ARP cache now holds cc:cc:cc:cc, the other still holds aa:aa:aa:aa. A’s cache is poisoned.]

ARP Spoofing: Now all the packets that A intends to send to B will go to the hacker’s machine. The cache entry would expire, so it needs to be updated by sending the ARP reply again. How often? It depends on the particular system. Usually every 40s should be sufficient.

[Figure: T1 (MAC aa:aa:aa:aa), T2 (MAC bb:bb:bb:bb) and the hacker (MAC cc:cc:cc:cc) attached to a switch. Both ARP caches hold cc:cc:cc:cc. A message intended for T2 goes to the hacker, who relays it.]

Defenses against ARP Spoofing: There is no universal defense. Use static ARP entries: they cannot be updated, so spoofed ARP replies are ignored. The ARP table needs a static entry for each machine on the network. This carries a large overhead: deploying these tables and keeping them up to date.

Someone pointed out that Windows still accepts spoofed ARP replies and updates the static entry with the forged MAC. Port Security: also known as port binding or MAC binding. A feature on some high-end switches. It prevents changes to the MAC tables of a switch unless they are manually performed by a network administrator. Not suitable for large networks and networks using DHCP.

Arpwatch: A free UNIX program which listens for ARP replies on a network. It builds a table of IP/MAC associations and stores it in a file. When a MAC/IP pair changes (flip-flop), an e-mail is sent to an administrator. Some programs, such as Ettercap, cause only a few flip-flops, which are difficult to detect on a DHCP-enabled network, where flip-flops occur at regular intervals.
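The IP/MAC table and flip-flop check described above, run over a short list of observed ARP replies, as an added example that is not arpwatch's own code. The observations, the event labels, the scan function and the leases argument (an assumed feed of current DHCP leases, used to set aside expected changes) are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class Event(NamedTuple):
    ts: float
    ip: str
    kind: str            # "new station", "changed", "flip flop", "lease change"
    old_mac: Optional[str]
    new_mac: str


def scan(observations, leases=None):
    """Build the IP/MAC table from (ts, ip, mac) tuples and report every change.

    leases: assumed mapping ip -> MAC that DHCP currently assigns the address
    to; a first-time change to that MAC is labelled "lease change".
    Returns (events, multi) where multi maps a MAC to the IPs it answered for
    when there is more than one.
    """
    leases = leases or {}
    current, previous = {}, {}
    claimed = defaultdict(set)
    events = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        claimed[mac].add(ip)
        old = current.get(ip)
        if old == mac:
            continue                      # pair unchanged, nothing to report
        if old is None:
            kind = "new station"
        elif previous.get(ip) == mac:
            kind = "flip flop"            # back to the MAC seen before
        elif leases.get(ip) == mac:
            kind = "lease change"         # expected on a DHCP network
        else:
            kind = "changed"
        if old is not None:
            previous[ip] = old
        current[ip] = mac
        events.append(Event(ts, ip, kind, old, mac))
    multi = {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}
    return events, multi


def alerts(events):
    return [e for e in events if e.kind in ("changed", "flip flop")]


# Constructed observations: (seconds, sender IP, sender MAC) from ARP replies.
SAMPLE = [
    (0, "10.0.0.25", "bb:bb:bb:bb:bb:bb"),
    (5, "10.0.0.20", "aa:aa:aa:aa:aa:aa"),
    (60, "10.0.0.25", "cc:cc:cc:cc:cc:cc"),
    (61, "10.0.0.20", "cc:cc:cc:cc:cc:cc"),
    (75, "10.0.0.25", "bb:bb:bb:bb:bb:bb"),
    (100, "10.0.0.25", "cc:cc:cc:cc:cc:cc"),
    (400, "10.0.0.31", "dd:dd:dd:dd:dd:dd"),
    (900, "10.0.0.31", "ee:ee:ee:ee:ee:ee"),
    (905, "10.0.0.31", "ee:ee:ee:ee:ee:ee"),
]
SAMPLE_LEASES = {"10.0.0.31": "ee:ee:ee:ee:ee:ee"}

if __name__ == "__main__":
    found, multi = scan(SAMPLE, SAMPLE_LEASES)
    for e in found:
        print(e)
    print("MACs answering for several IPs:", multi)
```

A MAC that answers for several IP addresses, as in the relay figure where both caches hold cc:cc:cc:cc, shows up in the second return value even when the number of flip-flops is small.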