Review of TCP/IP Internetworking


1 Review of TCP/IP Internetworking
Chapter 3 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall

2 Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path
(Figure labels: client host, mobile client host, server hosts, access link, trunk link, frame, path)

3 Frame Organization
(Figure: message structure of a frame: header (destination address field and other header fields), data field, trailer)

4 Switching Decision
Switch receives a frame and sends it back out based on the destination address
(Figure: switch with ports 1-6 connecting Stations A-D; a frame with Station C in the destination address field is sent out the port leading to Station C)

5 Figure 3-1: Internet
An internet is two or more individual switched networks connected by routers
(Figure: Switched Networks 1, 2 and 3 connected by routers)

6 An Internet
Multiple networks connected by routers
Path of a packet is its route
(Figure: single networks joined by routers; the packet's route crosses them)

7 The Internet
The global Internet has thousands of networks
(Figure: a browser reaches webserver software; the packet's route passes through several routers and networks)

8 Figure 3-6: Frames and Packets
(Figure: one packet travels from client PC to server; it is carried in a frame in Network 1 to Router A, in Frame 2 in Network 2 to Router B, and in Frame 3 in Network 3 to the server, passing through switches in each network)

9 Frames and Packets
Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport.
(Figure: shipper, truck, airport, airplane, airport, truck, receiver; the same shipment throughout)

10 Figure 3-2: TCP/IP Standards (Study Figure)
Origins
Defense Advanced Research Projects Agency (DARPA) created the ARPANET
An internet connects multiple individual networks
The global Internet is capitalized
Internet Engineering Task Force (IETF)
Most IETF documents are requests for comments (RFCs)
Internet Official Protocol Standards: list of RFCs that are official standards

11 Figure 3-2: TCP/IP Standards (Study Figure)
Hybrid TCP/IP-OSI Architecture (Figure 3-3): combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2

Layer   TCP/IP          OSI             Hybrid TCP/IP-OSI
5       Application     Application     Application
                        Presentation
                        Session
4       Transport       Transport       Transport
3       Internet        Network         Internet
2       Subnet Access   Data Link       Data Link (use OSI standards here)
1                       Physical        Physical (use OSI standards here)

12 Figure 3-2: TCP/IP Standards (Study Figure)
OSI Layers
Physical (Layer 1): defines electrical signaling and media between adjacent devices
Data link (Layer 2): control of a frame through a single network, across multiple switches
(Figure: physical links and the frame's data-link path across Switched Network 1)

13 Figure 3-2: TCP/IP Standards
Internet Layer
Governs the transmission of a packet across an entire internet
Path of the packet is its route
(Figure: the packet's route through Switched Networks 1, 2 and 3 via routers)

14 Figure 3-2: TCP/IP Standards (Study Figure)
Frames and Packets
Frames are messages at the data link layer
Packets are messages at the internet layer
Packets are carried (encapsulated) in frames
There is only a single packet that is delivered from source to destination host
This packet is carried in a separate frame in each network

15 Figure 3-7: Internet and Transport Layers
Transport layer: end-to-end (host-to-host); TCP is connection-oriented and reliable, UDP is connectionless and unreliable
Internet layer (usually IP): hop-by-hop (host-router or router-router); connectionless and unreliable
(Figure: client PC, Routers 1, 2 and 3, server)

16 Figure 3-2: TCP/IP Standards (Study Figure)
Internet and Transport Layers: Purposes
Internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
Transport layer is an end-to-end (host-to-host) protocol involving only the two hosts

17 Figure 3-2: TCP/IP Standards (Study Figure)
Internet and Transport Layers: Internet Protocol (IP)
IP at the internet layer is unreliable: it does not correct errors in each hop between routers
This is good: it reduces the work each router along the route must do

18 Figure 3-2: TCP/IP Standards (Study Figure)
Transport Layer Standards
Transmission Control Protocol (TCP): reliable and connection-oriented service at the transport layer; corrects errors
User Datagram Protocol (UDP): unreliable and connectionless service at the transport layer; lightweight protocol, good when catching errors is not important

19 Figure 3-8: HTML and HTTP at the Application Layer
Hypertext Transfer Protocol (HTTP): requests and responses between a client PC with a browser and a webserver
Hypertext Markup Language (HTML): the document or other file (jpeg, etc.) that is transferred

20 Figure 3-2: TCP/IP Standards (Study Figure)
Application Layer
Governs communication between application programs, which may be written by different vendors
Document transfer versus document format standards
HTTP / HTML for WWW service
SMTP / RFC 822 (or RFC 2822) in e-mail
Many application standards exist because there are many applications

21 Figure 3-3: TCP/IP and OSI Architectures: Recap

Layer   TCP/IP          OSI             Hybrid TCP/IP-OSI
5       Application     Application     Application
                        Presentation
                        Session
4       Transport       Transport       Transport
3       Internet        Network         Internet
2       Subnet Access   Data Link       Data Link (use OSI standards here)
1                       Physical        Physical (use OSI standards here)

Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.

22 Figure 3-5: IP Packet (IP Version 4 Packet, Bit 0 to Bit 31)
Version (4 bits) = 0100 | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time to Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field

23 Figure 3-5: IP Packet
Version: has value of four (0100)
Time to Live (TTL): prevents the endless circulation of mis-addressed packets
Value is set by sender
Decremented by one by each router along the way
If it reaches zero, the router throws the packet away

24 Figure 3-5: IP Packet
Protocol Field: identifies contents of the data field
1 = ICMP: IP header (Protocol=1), IP data field carries an ICMP message
6 = TCP: IP header (Protocol=6), IP data field carries a TCP segment
17 = UDP: IP header (Protocol=17), IP data field carries a UDP datagram

25 Figure 3-5: IP Packet
Header checksum checks for errors in the header only
Faster than checking the whole packet
Stops bad headers from causing problems
IP Version 6 drops even this checking
Address fields: 32 bits long, of course
Options field(s) give optional parameters
Data field contains the payload of the packet
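The header fields of Figure 3-5 and the inspection advice given later in the deck (slides 48, 49, 52 and 53: the protocol field tells a firewall how to process the packet, Header Length is counted in 32-bit words so a value above 5 means options are present, and the header checksum is computed over the header only) can be exercised with the following Python, which is an added example and not code from the slides or from Panko's text. It builds constructed sample headers, decodes the fields, verifies the one's-complement header checksum, and reports the header-level findings a border device would raise:

```python
import struct

# Protocol field values listed on the slide: 1 = ICMP, 6 = TCP, 17 = UDP.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (the Header Checksum field).
    Over a header whose checksum field is zero this yields the value to store;
    over a complete, undamaged header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4_header(src, dst, protocol, payload_len, ttl=64, ident=0x1234, options=b""):
    """Build a constructed IPv4 header for the examples below (sample data, not a capture).
    Header Length is in 32-bit words, so options must be padded to a multiple of 4 bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_length = ihl * 4 + payload_len
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_length, ident, 0,
                         ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst)) + options
    checksum = ipv4_checksum(header)        # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the Figure 3-5 fields from the start of a packet."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _diffserv, total_length, ident, flags_frag,
     ttl, protocol, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                    # Header Length is counted in 32-bit words
    if version != 4 or ihl < 5 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_length_words": ihl,
        "header_length_bytes": header_len,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "other"),
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "src": bytes_to_ip(src),
        "dst": bytes_to_ip(dst),
        "has_options": ihl > 5,
    }


def inspect_ipv4(packet: bytes) -> list:
    """Header checks a border device can apply, following the slides' advice."""
    h = parse_ipv4_header(packet)
    findings = []
    if not h["checksum_ok"]:
        findings.append("bad header checksum")
    if h["has_options"]:
        findings.append("options present (Header Length > 5): treat as suspicious")
    if h["src"] == h["dst"]:
        findings.append("source equals destination (LAND pattern)")
    if h["protocol_name"] == "other":
        findings.append("protocol %d is not ICMP/TCP/UDP" % h["protocol"])
    return findings


# Constructed samples: a plain TCP-carrying header and one with a 4-byte option area.
PLAIN = build_ipv4_header("10.0.0.1", "10.0.0.2", 6, payload_len=20)
WITH_OPTIONS = build_ipv4_header("10.0.0.1", "10.0.0.2", 6, payload_len=20,
                                 options=b"\x01\x01\x01\x00")   # three NOPs and end-of-list

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with options", WITH_OPTIONS)):
        fields = parse_ipv4_header(pkt)
        print(name, fields["header_length_words"], fields["protocol_name"], inspect_ipv4(pkt))
```

The checksum check relies on a property of the one's-complement sum: adding the stored checksum back into the sum of the other words gives all ones, whose complement is zero, so a single call verifies a received header without zeroing the field first.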

26 Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
Application process: HTTP Message
Encapsulation of HTTP message in data field of a TCP segment
Transport process: TCP Hdr | HTTP Message
Encapsulation of TCP segment in data field of an IP packet
Internet process: IP Hdr | TCP Hdr | HTTP Message

27 Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
Internet process: IP Hdr | TCP Hdr | HTTP Message
Encapsulation of IP packet in data field of a frame
Data link process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
Physical process: converts bits of frame into signals

28 Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host
Note: The following is the final frame for supervisory TCP segments (no application message): DL Hdr | IP Hdr | TCP Hdr | DL Trlr

29 Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host
Internet process: IP Hdr | TCP Hdr | HTTP Message
Decapsulation of TCP segment from data field of an IP packet
Transport process: TCP Hdr | HTTP Message
Decapsulation of HTTP message from data field of a TCP segment
Application process: HTTP Message

30 Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host
Physical process: converts signals into the bits of the frame
Data link process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
Decapsulation of IP packet from data field of a frame
Internet process: IP Hdr | TCP Hdr | HTTP Message

31 Figure 3-11: Vertical Communication on Router R1
(Figure: Router R1 has one internet layer process and a DL and PHY process on each of Ports 1-4)
Notes:
Router R1 receives a frame from Switch X2 in Port 1.
Port 1 DL process decapsulates the packet.
Port 1 DL process passes the packet to the internet process.

32 Figure 3-11: Vertical Communication on Router R1
Internet process sends the packet out on Port 4.
DL process on Port 4 encapsulates the packet in a PPP frame.
DL process passes the frame to Port 4 PHY, which sends it toward Router 2.

33 Figure 3-12: Site Connection to an ISP
(Figure: site network, border firewall, data link to ISP router, ISP carrier network, Internet backbone)
1. Frame for this data link
2. Packet carried in ISP carrier frame
3. Packet carried in site frame
4. Data link between site and ISP (difficult to attack)
5. Normally, only the arriving packet is dangerous, not the frame fields

34 Figure 3-13: Internet Protocol (IP)
Basic Characteristics
There were already single networks, and many more would come in the future
Developers needed to make a few assumptions about underlying networks
So they kept IP simple

35 Figure 3-13: Internet Protocol (IP)
Connection-Oriented Service and Connectionless Service
Connection-oriented services have distinct starts and closes (telephone calls)
Connectionless services merely send messages (postal letters)
IP is connectionless

36 IP Packet
(Figure: IP packet passed from the PC's internet process to the first router's internet process)
Connectionless: packets sent in isolation, like postal letters
Unreliable: no error correction
Discarded by receiver if error is detected
Leaves error correction to the transport layer
Reduces the cost of routers

37 Figure 3-13: Internet Protocol (IP) (Study Figure)
IP is unreliable: checks for errors but does not correct errors (Figure 3-14)
Not doing error correction at each hop between switches reduces switch work and so switch cost
Does not even guarantee packets will arrive in order

38 Figure 3-13: Internet Protocol (IP) (Study Figure)
Hierarchical IP Addresses
Postal addresses are hierarchical (state, city, postal zone, specific address)
Most post offices have to look only at state and city
Only the final post offices have to be concerned with specific addresses

39 Figure 3-15: Hierarchical IP Address
Network part (not always 16 bits) | Subnet part (not always 8 bits) | Host part (not always 8 bits)
Total is always 32 bits.
(Figure: the Internet, UH Network ( ), CBA Subnet (17), Host 13)

40 Figure 3-13: Internet Protocol (IP) (Study Figure)
Hierarchical IP Addresses
32-bit IP addresses are hierarchical (Figure 3-15)
Network part tells what network the host is on
Subnet part tells what subnet the host is on within the network
Host part specifies the host on its subnet
Routers have to look only at network or subnet parts, except for the router that delivers the packet to the destination host

41 Figure 3-13: Internet Protocol (IP) (Study Figure)
Hierarchical IP Addresses
32-bit IP addresses are hierarchical
Total is 32 bits; part sizes vary
Network mask tells you the size of the network part (Figure 3-16)
Subnet mask tells you the length of the network plus subnet parts combined

42 Figure 3-16: IP Address Masking with Network and Subnet Masks

                   Network Masking                         Subnet Masking
Mask represents    Tells the size of the network part      Tells the size of the network and the subnet parts combined
Mask values        Eight ones give the decimal value 255; eight zeros give the decimal value 0
Masking gives      IP address bit where the mask value is 1; 0 where the mask bit is 0 (both cases)

43 Figure 3-16: IP Address Masking with Network and Subnet Masks
(Table columns: IP Address, Mask, Result, Meaning, for network masking and subnet masking)
Example 1: 16-bit network part is ; combined 24-bit network plus subnet part are
Example 2: 8-bit network part is 60; combined 16-bit network plus subnet parts are 60.47
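The masking described on slides 41-43 (a mask is a run of ones followed by zeros; the result keeps each address bit where the mask bit is 1 and yields 0 where it is 0) is carried out by the following Python, an added example that is not part of the slides. The address 60.47.1.2 used to reproduce Example 2 is a constructed value chosen to match the slide's results of 60 and 60.47; the code also handles masks that do not end on an octet boundary, which the slide does not show:

```python
def dotted_to_int(addr: str) -> int:
    """'60.47.1.2' -> the 32-bit integer the four octets represent."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal IPv4 address: %r" % addr)
    return int.from_bytes(bytes(octets), "big")


def int_to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def mask_from_prefix(bits: int) -> int:
    """A mask is `bits` ones followed by zeros; eight ones read as 255, eight zeros as 0."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """Inverse of mask_from_prefix; rejects masks whose ones are not contiguous."""
    value = dotted_to_int(mask)
    bits = bin(value).count("1")
    if mask_from_prefix(bits) != value:
        raise ValueError("mask %s is not a run of ones followed by zeros" % mask)
    return bits


def apply_mask(addr: str, bits: int) -> str:
    """Keep each address bit where the mask bit is 1, produce 0 where the mask bit is 0."""
    return int_to_dotted(dotted_to_int(addr) & mask_from_prefix(bits))


def leading_part(addr: str, bits: int) -> str:
    """The first `bits` bits of the address, written the way the slide writes them:
    dotted octets when the part ends on an octet boundary, otherwise a bit string."""
    if bits % 8 == 0:
        return ".".join(addr.split(".")[: bits // 8])
    return format(dotted_to_int(addr), "032b")[:bits]


def describe_masking(addr: str, network_bits: int, subnet_bits: int) -> dict:
    """Reproduce the slide's table for one address: network mask, then subnet mask."""
    combined = network_bits + subnet_bits
    return {
        "network_mask": int_to_dotted(mask_from_prefix(network_bits)),
        "network_result": apply_mask(addr, network_bits),
        "network_part": leading_part(addr, network_bits),
        "subnet_mask": int_to_dotted(mask_from_prefix(combined)),
        "subnet_result": apply_mask(addr, combined),
        "network_plus_subnet_part": leading_part(addr, combined),
        "host_bits": 32 - combined,
    }


if __name__ == "__main__":
    # Constructed address for the slide's Example 2: 8-bit network part, 8-bit subnet part.
    for key, val in describe_masking("60.47.1.2", 8, 8).items():
        print("%-26s %s" % (key, val))
```

Because the address alone does not reveal where its parts end (slide 101 makes the same point), every function takes the part length explicitly; `prefix_from_mask` is there for the common case where a device reports a dotted mask rather than a prefix length.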

44 Figure 3-17: IP Address Spoofing
1. Trust relationship between the trusted server and the victim server
2. Attack packet with spoofed source IP address from the attacker's client PC; attacker's identity is not revealed
3. Victim server accepts the attack packet

45 Figure 3-13: Internet Protocol (IP)
IP Addresses and Security
IP address spoofing: sending a message with a false IP address (Figure 3-17)
Gives sender anonymity so that the attacker cannot be identified
Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts

46 Figure 3-13: Internet Protocol (IP) (Study Figure)
IP Addresses and Security
LAND attack: send the victim a packet with the victim's IP address in both source and destination address fields and the same port number for the source and destination (Figure 3-18).
In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.

47 Figure 3-18: LAND Attack Based on IP Address Spoofing
(Figure: attacker sends "From: :23 To: :23" to the victim, whose Port 23 is open; the victim crashes)
Source and destination IP addresses are the same
Source and destination port numbers are the same

48 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Protocol field
Identifies the content of the IP data field
Firewalls need this information to know how to process the packet

49 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Time-to-Live field
Each router decrements the TTL value by one
A router decrementing the TTL field to zero discards the packet

50 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Time-to-Live field
Router also sends an error advisement message to the sender
The packet containing this message reveals the router's IP address to the attacker
Traceroute uses TTL to map the route to a host (Figure 3-19)
Tracert on Windows machines

51 Figure 3-19: Tracert Program in Windows

52 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Header Length field and Options
With no options, Header Length is 5
Expressed in units of 32 bits, so 20 bytes
Many options are dangerous, so if Header Length is more than 5, be suspicious
Some firms drop all packets with options

53 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Length field
Gives the length of the entire packet
Maximum is 65,536 bytes
Ping-of-Death attack sent IP packets with longer data fields
Many systems crashed

54 Figure 3-20: Ping-of-Death Attack
(Figure: attacker sends an IP packet containing an ICMP Echo message that is illegally long; the victim crashes)

55 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Fragmentation
Routers may fragment IP packets (really, packet data fields) en route
All fragments have the same Identification field value
Fragment offset values allow fragments to be ordered
More Fragments is 0 in the last fragment

56 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Fragmentation
Harms packet inspection: TCP header, etc. is only in the first packet in the series
Cannot filter on TCP header, etc. in subsequent packets

57 Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet
(Figure: attacker sends a fragmented packet toward a firewall)
2. Second fragment: IP header, TCP data field
3. TCP header only in first fragment
4. Later fragments: IP header, TCP data field, no TCP header
5. Firewall can only filter on the TCP header in the first fragment

58 Figure 3-13: Internet Protocol (IP) (Study Figure)
Other IP Header Fields: Fragmentation
Teardrop attack: crafted fragmented packet does not make sense when reassembled
Some firewalls drop all fragmented packets, which are rare today

59 Figure 3-21: Teardrop Denial-of-Service Attack
(Figure: attacker sends what pretends to be a fragmented IP packet; the "defragmented" IP packet has gaps and overlaps; the victim crashes)
When reassembled, the "packet" does not make sense: gaps and overlaps
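The reassembly rules stated on slides 53-59 (all fragments share an Identification value, Fragment Offset counts in 8-byte units and orders the pieces, More Fragments is 0 only in the last one, the transport header travels only in the first fragment, and a reassembled packet cannot exceed what the 16-bit length field allows) give a firewall or IDS enough to reject the malformed sets those slides describe. The following Python is an added example, not code from the slides or from Panko; the fragment sets at the bottom are constructed, and `IPV4_HEADER_LEN` assumes a 20-byte header without options:

```python
from dataclasses import dataclass

MAX_TOTAL_LENGTH = 65535   # the 16-bit Total Length field cannot express more than this
IPV4_HEADER_LEN = 20       # assumed header size of the reassembled packet (no options)


@dataclass(frozen=True)
class Fragment:
    """The fragmentation-related fields of one IP packet (Figure 3-5)."""
    identification: int      # same value in every fragment of one original packet
    offset_units: int        # Fragment Offset field, counted in 8-byte units
    more_fragments: bool     # MF flag; 0 only in the last fragment
    payload_len: int         # bytes of data carried by this fragment


def check_fragments(fragments) -> list:
    """Reassembly sanity checks for one packet's fragments; an empty list means they fit together."""
    if not fragments:
        return ["no fragments"]
    findings = []
    if len({f.identification for f in fragments}) != 1:
        findings.append("fragments do not share one Identification value")
    ordered = sorted(fragments, key=lambda f: f.offset_units)
    reassembled_end = 0
    for f in ordered:
        start = f.offset_units * 8
        if start > reassembled_end:
            findings.append("gap before offset %d" % start)
        elif start < reassembled_end:
            findings.append("overlap at offset %d (teardrop pattern)" % start)
        reassembled_end = max(reassembled_end, start + f.payload_len)
        if f.more_fragments and f.payload_len % 8:
            findings.append("non-final fragment at offset %d is not a multiple of 8 bytes" % start)
    finals = [f for f in ordered if not f.more_fragments]
    if len(finals) != 1 or finals[0] is not ordered[-1]:
        findings.append("exactly one fragment, the highest-offset one, should have MF = 0")
    if reassembled_end + IPV4_HEADER_LEN > MAX_TOTAL_LENGTH:
        findings.append("reassembled packet would be %d bytes, over the 16-bit limit (ping-of-death pattern)"
                        % (reassembled_end + IPV4_HEADER_LEN))
    return findings


def transport_header_visible(fragment: Fragment) -> bool:
    """Only the first fragment (offset 0) carries the TCP/UDP header a firewall can filter on (Figure 3-22)."""
    return fragment.offset_units == 0


# Constructed fragment sets (not captures); 1480-byte payloads are 185 offset units apart.
NORMAL = [Fragment(7, 0, True, 1480), Fragment(7, 185, True, 1480), Fragment(7, 370, False, 1040)]
TEARDROP = [Fragment(8, 0, True, 1480), Fragment(8, 100, False, 400)]       # second starts inside the first
GAP = [Fragment(9, 0, True, 1480), Fragment(9, 200, False, 400)]            # 120 bytes never arrive
OVERSIZED = [Fragment(10, 0, True, 1480), Fragment(10, 8189, False, 1480)]  # ends past 65,535 bytes

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("gap", GAP), ("oversized", OVERSIZED)):
        print(name, check_fragments(frags) or "ok")
        print("  TCP header inspectable in:", [f.offset_units for f in frags if transport_header_visible(f)])
```

A device that applies these checks before reassembly can discard the teardrop and oversized sets without ever allocating the buffer the attack is trying to corrupt, which is the point of doing the bookkeeping on the header fields alone.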

60 Figure 3-24: IP Packet with a TCP Segment Data Field (Bit 0 to Bit 31)
IP Header (usually 20 bytes)
Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)

61 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
TCP messages are TCP segments
Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.
(Figure row: Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits))

62 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Reliable
Receiving process sends an ACK to the sending process if the segment is correctly received
ACK bit is set (1) in acknowledgement segments
If the sending process does not get an ACK, it resends the segment
(Figure: PC transport process sends a TCP segment to the webserver transport process, which returns a TCP segment with ACK)

63 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Connections: Opens and Closes
Formal open and close
Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)
Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)
Abrupt close: RST (Figure 3-26)

64 Figure 3-25: Communication During a TCP Session (PC transport process and webserver transport process)
3-Way Open (3 segments)
1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)

65 Figure 3-25: Communication During a TCP Session (PC transport process and webserver transport process)
1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
Carry HTTP Request and Response (4 segments)
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)

66 Figure 3-25: Communication During a TCP Session (PC transport process and webserver transport process)
Error Handling
8. Data = HTTP Request (Error)
9. Data = HTTP Request (no ACK, so retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)

67 Figure 3-25: Communication During a TCP Session (PC transport process and webserver transport process)
Normal Four-Way Close (4 segments)
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)
Note: An ACK may be combined with the next message if the next message is sent quickly enough

68 Figure 3-25: Communication During a TCP Session (PC transport process and webserver transport process)
Abrupt Close: RST (1 segment)
Either side can send a Reset (RST) segment at any time
Ends the session immediately

69 Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)
1. Probe: attacker sends a SYN/ACK segment
2. Victim: no connection exists, so the segment makes no sense
3. Victim answers "Go away!" with an RST segment
4. The IP header of the RST carries the victim's source IP address, telling the attacker the host is live
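The segment layout of Figure 3-24, the life cycle of Figures 3-25 and 3-26 (three-way open, data with ACKs, four-way close with the note that an ACK may ride with the next FIN, and RST at any time) and the LAND pattern of Figure 3-18 are modelled in the following Python. It is an added example, not code from the slides or from Panko's text; the state names are the ones a client-side tracker would use, and all sample segments are constructed:

```python
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Constructed 20-byte TCP header (Figure 3-24) with no options; checksum left zero."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset_words = 5                                # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flag_byte, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode ports, sequence/acknowledgement numbers and the flag bits of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("too short for a TCP header")
    (sport, dport, seq, ack, offset_byte, flag_byte,
     window, _checksum, _urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_length_bytes": (offset_byte >> 4) * 4,
        "flags": frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit),
        "window": window,
    }


def tcp_next_state(state: str, flags) -> str:
    """One step of the connection life cycle in Figures 3-25 and 3-26, seen from the side that opened it.
    Only SYN, FIN, ACK and RST decide the transition; PSH and URG are ignored."""
    if "RST" in flags:
        return "CLOSED_BY_RST"                           # abrupt close: either side, at any time
    key = frozenset(flags) & {"SYN", "FIN", "ACK"}
    SYN, SYN_ACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    FIN_ANY = (frozenset({"FIN"}), frozenset({"FIN", "ACK"}))   # a FIN may or may not carry an ACK
    transitions = {
        ("CLOSED", SYN): "SYN_SENT",                     # 1. SYN
        ("SYN_SENT", SYN_ACK): "SYN_RECEIVED",           # 2. SYN/ACK
        ("SYN_RECEIVED", ACK): "ESTABLISHED",            # 3. ACK completes the three-way open
        ("ESTABLISHED", ACK): "ESTABLISHED",             # data segments and their ACKs
        ("FIN_WAIT_1", ACK): "FIN_WAIT_2",               # 14. ACK of the first FIN
        ("CLOSING", ACK): "CLOSED",                      # 16. ACK of the second FIN
    }
    if (state, key) in transitions:
        return transitions[(state, key)]
    if state == "ESTABLISHED" and key in FIN_ANY:
        return "FIN_WAIT_1"                               # 13. FIN starts the four-way close
    if state in ("FIN_WAIT_1", "FIN_WAIT_2") and key in FIN_ANY:
        return "CLOSING"                                  # 15. second FIN (its ACK may be combined with it)
    return "INVALID"                                      # e.g. a SYN/ACK arriving with no connection open


def run_session(flag_sequence) -> list:
    """Feed a sequence of flag sets through the state machine; returns the state after each segment."""
    state, history = "CLOSED", []
    for flags in flag_sequence:
        state = tcp_next_state(state, flags)
        history.append(state)
    return history


def is_land_pattern(src_ip, src_port, dst_ip, dst_port) -> bool:
    """Figure 3-18: the same IP address and the same port in both the source and destination fields."""
    return src_ip == dst_ip and src_port == dst_port


if __name__ == "__main__":
    # Constructed sample: open, one request/response exchange, four-way close (Figure 3-25).
    session = [{"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"PSH", "ACK"}, {"ACK"}, {"PSH", "ACK"}, {"ACK"},
               {"FIN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"ACK"}]
    print(run_session(session))
    print(parse_tcp_header(build_tcp_header(50047, 80, 1, 0, ["SYN"])))
```

Anything the tracker labels INVALID is exactly the kind of segment a stateful firewall should not forward inward: an unsolicited SYN/ACK, as in Figure 3-26, never belongs to an open connection.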

70 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Sequence and Acknowledgement Numbers
Sequence numbers identify the segment's place in the sequence
Acknowledgement number identifies which segment is being acknowledged
(Figure rows: Source Port Number (16 bits) | Destination Port Number (16 bits); Sequence Number (32 bits); Acknowledgment Number (32 bits))

71 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Port Numbers
Port numbers identify applications
Well-known ports (0-1023) are used by applications that run as root (Figure 3-27)
HTTP=80, Telnet=23, FTP=21 for supervision and 20 for data transfer, SMTP=25
(Figure row: Source Port Number (16 bits) | Destination Port Number (16 bits))

72 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Port Numbers
Registered ports ( ) for any application
Ephemeral/dynamic/private ports ( ) used by clients (16,383 possible)
Not all operating systems use these port ranges, although all use well-known ports

73 Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
Port Numbers
Socket format is IP address:Port, for instance :80
Designates a specific program on a specific machine
Port spoofing (Figure 3-28): an incorrect application uses a well-known port, especially 80, which is often allowed through firewalls

74 Figure 3-27: Use of TCP and UDP Port Numbers
(Figure: client sends From: :50047 To: :80 to the webserver on Port 80; an SMTP server listens on Port 25)

75 Figure 3-27: Use of TCP and UDP Port Numbers
(Figure: client sends From: :50047 To: :80; the webserver on Port 80 replies From: :80 To: :50047; an SMTP server listens on Port 25)

76 Figure 3-27: Use of TCP and UDP Port Numbers
(Figure: the same client sends From: :60003 To: :25 to the SMTP server on Port 25)

77 Figure 3-27: Use of TCP and UDP Port Numbers
(Figure: From: :50047 To: :80 to the webserver on Port 80 and From: :60003 To: :25 to the SMTP server on Port 25)
Clients use different ephemeral ports for different connections

78 Figure 3-29: User Datagram Protocol (UDP) (Study Figure)
UDP datagrams are simple (Figure 3-30)
Source and destination port numbers (16 bits each)
UDP length (16 bits)
UDP checksum (16 bits)
(Figure 3-30, Bit 0 to Bit 31: IP Header (usually 20 bytes); Source Port Number (16 bits) | Destination Port Number (16 bits); UDP Length (16 bits) | UDP Checksum (16 bits); Data Field)

79 Figure 3-29: User Datagram Protocol (UDP) (Study Figure)
Port spoofing is still possible
UDP datagram insertion: insert a UDP datagram into an ongoing dialog stream
Hard to detect because there are no sequence numbers in UDP

80 Figure 3-33: Internet Control Message Protocol (ICMP)
ICMP is for supervisory messages at the internet layer
ICMP and IP: an ICMP message is delivered (encapsulated) in the data field of an IP packet
Types and Codes (Figure 3-2)
Type: general category of supervisory message
Code: subcategory of type (set to zero if there is no code)

81 Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages
(Figure: a router returns a "Host Unreachable" error message; "Echo" and "Echo Reply" are exchanged between hosts; each ICMP message travels behind an IP header)

82 Figure 3-32: IP Packet with an ICMP Message Data Field (Bit 0 to Bit 31)
IP Header (usually 20 bytes)
Type (8 bits) | Code (8 bits) | Depends on Type and Code
Depends on Type and Code

83 Figure 3-32: Internet Control Message Protocol (ICMP)
Network Analysis Messages
Echo (Type 8, no code) asks the target host if it is operational and available
Echo reply (Type 0, no code): the target host responds to the echo sender
Ping program implements Echo and Echo Reply, like a submarine pinging a target
Ping is useful for network managers to diagnose problems based on failures to reply
Ping is useful for hackers to identify potential targets: live ones reply

84 Figure 3-32: Internet Control Message Protocol (ICMP)
Error Advisement Messages
Advise the sender of an error, but there is no error correction
Host Unreachable (Type 3, multiple codes): many codes for specific reasons for the host being unreachable
The Host Unreachable packet's source IP address confirms to hackers that the IP address is live and therefore a potential victim
Usually sent by a router

85 Figure 3-31: Internet Control Message Protocol (ICMP)
Error Advisement Messages
Time Exceeded (Type 11, no codes)
Router decrementing TTL to 0 discards the packet and sends a Time Exceeded message
The IP header containing the error message reveals the router's IP address
By progressively incrementing TTL values by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping the network
Also usually sent by a router

86 Figure 3-31: Internet Control Message Protocol (ICMP)
Control Codes: control network/host operation
Source Quench (Type 4, no code): tells the destination host to slow down its transmission rate
Legitimate use: flow control if the host sending the source quench is overloaded
Attackers can use it for a denial-of-service attack

87 Figure 3-31: Internet Control Message Protocol (ICMP)
Control Codes
Redirect (Type 5, multiple codes): tells a host or router to send packets in a different way than it has been
Attackers can disrupt network operations, for example by sending packets down black holes
Many other ICMP messages exist
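The ICMP material on slides 80-87 and 106-107 (Type and Code as the first two bytes of the message inside the IP data field, the named types, error advisements whose payload quotes the header of the packet that caused them, and the border-router rule of admitting only Echo Replies from outside) is put into working form by the following Python. It is an added example, not code from the slides or from Panko's text. The fact that error advisements carry the offending packet's IP header plus its first eight bytes is ICMP's standard layout and not stated on the slides; the sample messages are constructed:

```python
import struct

# ICMP types named on the slides (Figures 3-31 and 3-32).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded"}
ERROR_TYPES = {3, 4, 5, 11}   # error advisements quote the offending packet's IP header + 8 bytes


def parse_icmp(message: bytes) -> dict:
    """Decode Type and Code (Figure 3-32) and, for error advisements, the quoted original header."""
    if len(message) < 8:
        raise ValueError("too short for an ICMP message")
    icmp_type, code = message[0], message[1]
    result = {"type": icmp_type, "code": code, "type_name": ICMP_TYPES.get(icmp_type, "other")}
    if icmp_type in (0, 8):                       # Echo / Echo Reply carry identifier and sequence
        ident, seq = struct.unpack("!HH", message[4:8])
        result.update(identifier=ident, sequence=seq)
    if icmp_type in ERROR_TYPES and len(message) >= 8 + 20:
        quoted = message[8:28]                    # IP header of the packet that triggered the error
        result.update(
            quoted_ttl=quoted[8],
            quoted_protocol=quoted[9],
            quoted_src=".".join(str(b) for b in quoted[12:16]),
            quoted_dst=".".join(str(b) for b in quoted[16:20]),
        )
    return result


def border_ingress_decision(parsed: dict) -> str:
    """Slide 107's rule for ICMP arriving from the Internet: permit only Echo Reply, drop the rest."""
    return "permit" if parsed["type"] == 0 else "drop"


# Constructed sample messages (not captures).
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1) + b"ping-data"
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0x4242, 1) + b"ping-data"
# Time Exceeded from a router: type 11, code 0, then the expired packet's 20-byte header
# (TTL 1 at byte 8, protocol 1 = ICMP at byte 9, 10.0.0.5 -> 192.0.2.1) and its first 8 bytes.
_QUOTED_HEADER = (bytes([0x45, 0, 0, 0x3C, 0xAB, 0xCD, 0, 0, 1, 1, 0, 0])
                  + bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 1]))
TIME_EXCEEDED = struct.pack("!BBHI", 11, 0, 0, 0) + _QUOTED_HEADER + ECHO_REQUEST[:8]
REDIRECT = struct.pack("!BBH", 5, 1, 0) + bytes([10, 0, 0, 254]) + _QUOTED_HEADER + ECHO_REQUEST[:8]

if __name__ == "__main__":
    for name, msg in (("echo", ECHO_REQUEST), ("echo reply", ECHO_REPLY),
                      ("time exceeded", TIME_EXCEEDED), ("redirect", REDIRECT)):
        parsed = parse_icmp(msg)
        print("%-14s %-24s %s" % (name, parsed["type_name"], border_ingress_decision(parsed)))
        if "quoted_dst" in parsed:
            print("   original packet was %s -> %s" % (parsed["quoted_src"], parsed["quoted_dst"]))
```

The quoted header is what lets an analyst tie an incoming Time Exceeded or Unreachable message back to the outbound packet that caused it; the ingress rule applies the deck's strict policy, and sites that loosen it usually do so for types 3 and 11 only, since those are the ones legitimate diagnostics and path-MTU discovery depend on.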

88 Topics Covered: Network Elements
Client and server stations
Applications
Trunk lines and access lines
Switches and routers
Messages (frames)

89 Topics Covered
Messages (frames) may have headers, data fields, and trailers
Headers have source and destination address fields
Switches forward (switch) frames based on the value in the destination address field
Based on the field value, the switch sends the frame out a different port than the one on which it arrived

90 Topics Covered: Internets
Group of networks connected by routers
The Internet is a global internet
Organizations connect via ISPs
Internet messages are called packets
Path of a packet is its route
Packets travel within frames in networks
If the route goes through four networks, there will be one packet and four frames

91 Topics Covered: TCP/IP Standards
TCP/IP standards dominate the Internet
Created by the Internet Engineering Task Force (IETF)
Documents are called requests for comments (RFCs)
OSI standards dominate for single networks: physical and data link layers

92 Topics Covered

Layer   TCP/IP          OSI             Hybrid TCP/IP-OSI
5       Application     Application     Application
                        Presentation
                        Session
4       Transport       Transport       Transport
3       Internet        Network         Internet
2       Subnet Access   Data Link       Data Link (use OSI standards here)
1                       Physical        Physical (use OSI standards here)

93 Topics Covered: Internetworking Layers
Internet layer: Internet Protocol (IP)
Governs packet organization
Governs hop-by-hop router forwarding (routing)
Transport layer
Governs end-to-end connection between the two hosts
TCP adds reliability, flow control, etc.
UDP is simpler, offers no reliability, etc.

94 Topics Covered: Application Layer Standards
Govern interaction between two application programs
Usually a message formatting standard and a message transfer standard
HTML / HTTP in WWW
RFC 2822 / SMTP in e-mail

95 Topics Covered: IP Packet Version 4
32-bit source and destination addresses
Time to live (TTL)
Header checksum
Protocol (type of message in data field)
Data field

96 Topics Covered: IP Packet Version 4
Option fields may be used, but are more likely to be used by hackers than legitimately
Packet may be fragmented; this too is done mainly by attackers
Data field
Version 6: 128-bit addresses to allow more addresses

97 Topics Covered: Vertical Communication on the Source Host
One layer (Layer N) creates a message
Passes the message down to the next-lower layer (Layer N-1)
The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 message
Layer N-1 passes the Layer N-1 message down to Layer N-2

98 Topics Covered
Process is reversed on the destination host: decapsulation occurs at each layer
Vertical processes on a router
The router first receives, then sends
So the router first decapsulates, then encapsulates
There is one internet layer process on each router

99 Topics Covered
Firewalls only need to look at internet, transport, and application messages
The attacker cannot manipulate the frame going from the ISP to the organization

100 Topics Covered: IP
Connectionless and unreliable
Hierarchical IP addresses: network part, subnet part, host part
Part lengths vary

101 Topics Covered: IP Masks
You cannot tell by looking at an IP address what its network or subnet parts are
Network mask has 1s in the network part, followed by all zeros
Subnet mask has 1s in the network and subnet parts, followed by all zeros

102 Topics Covered: IP Address Spoofing
Change the source IP address
To conceal the identity of the attacker
To have the victim think the packet comes from a trusted host
LAND attack

103 Topics Covered: TCP
Messages are called TCP segments
Flags fields for SYN, ACK, FIN, RST
3-way handshake with SYN to open
Each segment that is received correctly is ACKed; this provides reliability

104 Topics Covered: TCP Messages
Normally, FIN is used in a four-way close
RST can create a single-message close
Attackers try to generate RSTs because the RST message is in a packet revealing the victim's IP address

105 Topics Covered: Port Numbers
Used in both TCP and UDP
16-bit source and destination port numbers
Clients use ephemeral port numbers, randomly generated by the client
Major applications on servers use well-known port numbers 0 to 1023

106 Topics Covered: ICMP
For supervisory messages at the internet layer
ICMP messages are encapsulated in the data fields of IP packets
Type and code designate the contents of the IP packet
Attackers use ICMP messages in scanning; replies tell them IP addresses

107 Topics Covered: ICMP
Echo (Type 8, no code) asks the target host if it is operational and available
Echo reply (Type 0, no code): the target host responds to the echo sender
Ping program implements Echo and Echo Reply, like a submarine pinging a target
ICMP error messages of several types
Allow only ICMP echo replies in border router ingress filtering
