1
CSC 382 Computer Security
  • TCP/IP

2
Topics
  • TCP/IP Layering
  • Encapsulation
  • Internet Addresses
  • Link Layer Protocols
  • IP
  • Routing
  • TCP and UDP
  • Application Layer Protocols

3
Network Example
  (diagram: hosts A1, A2, A3 and B1, B2, B3, a Router, and an External Router)

4
TCP/IP Layering
  • HTTP, FTP, telnet
  • TCP, UDP
  • IP, ICMP, IGMP
  • PPP, 802.11
  • Ethernet

5
TCP/IP Layers
  • Physical
    • NIC, cabling, electrical signaling.
  • Data Link
    • Single hop transport of packets.
    • Wired protocols (ethernet, FDDI, PPP)
    • Wireless protocols (802.11)
  • Network
    • End to end delivery of packets.
    • IP: Internet Protocol

6
TCP/IP Layers
  • Transport
    • Flow of data between two hosts for the application
      layer.
    • TCP: reliable data flow with acknowledgements,
      retransmission, and timeouts.
    • UDP: simpler service with no guarantees.
  • Application
    • Protocols for particular applications.
    • e.g. FTP, HTTP, SMTP

7
Encapsulation/De-multiplexing
  • Sending: data is sent down the protocol stack
    • Each layer prepends a header to the data
    • Ethernet frame sent as a bit stream across the wire
  • Receiving: data moves up the protocol stack
    • NIC moves bits into memory as an ethernet frame
    • Each layer removes its header from the packet

8
Encapsulation
9
De-multiplexing
10
TCP/IP Security
  • TCP/IP has no built-in strong security.
  • No confidentiality features.
  • Minimal availability features (ToS options).
  • Insecure CRC checksums for integrity.
  • IPsec protocol extension adds security.

11
Data Link Layer
  • IEEE Standards
    • Ethernet (802.3)
    • Token Ring (802.5)
    • Wireless (802.11)
  • Serial Protocols
    • SLIP and CSLIP
    • PPP

12
Hubs and Switches
  • Hubs
    • Broadcast received packets to all interfaces.
  • Switches
    • Associate MAC addresses with physical interfaces.
    • Send packets only to the specified interface.
    • May have a SPAN port for network monitoring.

13
Data Link Layer
  • Loopback
    • Looks like any other link layer device.
    • Full network processing is performed.
    • Sends packets to localhost for testing.
  • 48-bit MAC address
  • Maximum Transmission Unit (MTU)
    • 1492 or 1500 bytes, depending on ethernet std

14
Promiscuous Mode
  • All ethernet frames to or from any locally
    connected host are seen by all hosts.
  • NIC normally filters out frames that are not
    addressed to its MAC address.
  • In promiscuous mode, NIC processes all ethernet
    frames, not just ones addressed to it.
  • Requires administrative access on most OSes.

15
IP: Internet Protocol
  • Unreliable, connectionless datagram service
    • Packets may arrive damaged, out of order,
      duplicated, or not at all.
    • Transport/Application layers provide reliability.
  • IPv4 underlies the Internet.
    • 32-bit addresses in dotted-quad form, e.g. 10.17.0.90.
  • IPv6 is the successor, with 128-bit addresses.
  • Complexities: addressing, routing

16
IP Header
17
IP Header
  • Protocol version: IPv4
  • Header length: 5-60 32-bit words
  • Type of service (TOS)
    • 3-bit precedence (ignored today)
    • 4 TOS bits (min delay (telnet), max throughput
      (ftp), max reliability, min monetary cost)
    • 1 unused bit (0)

18
IP Header
  • Total length: length of IP datagram (bytes)
    • maximum size 65535 bytes
    • large packets are fragmented to fit the data link
      layer MTU.
    • small packets may be padded to minimum length.
  • TTL: upper limit on number of router hops.
  • Protocol: which protocol supplied the packet data.
  • Header checksum: checksum over the IP header only

19
IP Fragments
  • IP packets may be fragmented by routers for
    transmission across different media.
    • Max IP packet size 65536
    • Max Ethernet packet size 1500
  • IP headers contain fragment data
    • Don't Fragment flag: 0 = allowed, 1 = don't fragment
    • More Fragments flag: 0 = last, 1 = more fragments
    • Identification: identifies the single packet for
      reassembly.
    • Fragment Offset: where the fragment's contents go.
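
An added example (not from the slides) that builds and decodes the IPv4 header fields covered on the last three slides: the header checksum, the DF/MF flags, the 8-byte-unit fragment offset, and the identification shared by all fragments of one packet. The addresses and identification value are constructed test data.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the header's 16-bit words, inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, ident, payload_len, more_fragments=False,
                      offset=0, proto=17, ttl=64):
    """Constructed 20-byte IPv4 header (no options) with a correct checksum."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    quad = lambda a: bytes(int(p) for p in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, quad(src), quad(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields from the IP Header / IP Fragments slides and verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length: 32-bit words -> bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        # summing a header that includes its own checksum must give zero
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }
```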

20
Internet Addresses
  • 32-bit IPv4 addresses
  • Dotted decimal notation: ii.jj.kk.ll
  • Divided into two parts
    • Network ID
    • Host ID
  • XOR address with netmask to get Network ID.

21
Address Classes
  • Class A: 0.0.0.0-127.255.255.255
    • 8-bit net ID, 24-bit host ID
  • Class B: 128.0.0.0-191.255.255.255
    • 16-bit net ID, 16-bit host ID
  • Class C: 192.0.0.0-223.255.255.255
    • 24-bit net ID, 8-bit host ID
  • Class D: 224.0.0.0-239.255.255.255
    • 28-bit multicast group ID
  • Class E: 240.0.0.0-255.255.255.255
    • Reserved for future use

22
CIDR
  • Class addressing too inefficient
  • Still need to aggregate routes to limit routing
    table size.
  • Example: 196.1.1.0/24
    • 24 bits of Net ID: 196.1.1
    • Remaining 8 bits are host ID
  • Not limited to network class sizes
  • Example: 192.168.128.0/22
    • 4 class C networks: 192.168.128.0, 192.168.129.0,
      192.168.130.0, 192.168.131.0
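
An added example (not from the slides) covering the last three slides: it splits an address into network ID and host ID, applying the netmask with bitwise AND, derives the classful letter from the first octet, and expands the 192.168.128.0/22 aggregate into the four class C blocks it summarises. Addresses used in the checks are the slides' own.

```python
def ip_to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer, rejecting anything that is not four octets."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted quad: %r" % addr)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def netmask(prefix_len: int) -> int:
    """/22 -> 0xFFFFFC00: the top prefix_len bits set, the host bits clear."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def split_address(cidr: str):
    """Return (network ID, host ID, netmask) for an address written as a.b.c.d/len."""
    addr, plen = cidr.split("/")
    a, m = ip_to_int(addr), netmask(int(plen))
    return int_to_ip(a & m), int_to_ip(a & ~m & 0xFFFFFFFF), int_to_ip(m)

def same_network(addr: str, cidr: str) -> bool:
    """True when addr lies inside the block cidr (the local-LAN vs. router decision)."""
    net, plen = cidr.split("/")
    m = netmask(int(plen))
    return ip_to_int(addr) & m == ip_to_int(net) & m

def address_class(addr: str) -> str:
    """Classful letter from the first octet, per the Address Classes slide."""
    first = ip_to_int(addr) >> 24
    for letter, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return letter
    return "E"

def covered_class_c_blocks(cidr: str):
    """List the /24 blocks an aggregate such as 192.168.128.0/22 summarises."""
    net, plen = cidr.split("/")
    plen = int(plen)
    if plen > 24:
        raise ValueError("block is smaller than a class C network")
    base = ip_to_int(net) & netmask(plen)
    return [int_to_ip(base + i * 256) for i in range(1 << (24 - plen))]
```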

23
Network Address Translation
  • Local network uses IETF reserved addresses.
    • Non-routable: no Internet router knows how to send
      packets to them.
    • RFC 1918: 10.x.y.z, 192.168.y.z, 172.16.y.z
  • Gateway translates reserved addresses to unique,
    routable IP addresses.
  • NAT: dynamic mapping to a pool of routable IP
    addresses.
    • 10.0.0.1 -> 4.2.3.5
    • 10.0.0.2 -> 4.2.3.6
  • NAPT: dynamic mapping to one IP address plus a pool
    of src ports.
    • 10.0.0.1 -> 4.2.3.5:1
    • 10.0.0.2 -> 4.2.3.5:2

24
ARP: Address Resolution Protocol
  • MAC address determines packet destination.
  • How does the network layer supply the link layer with
    a MAC address?
  • ARP: Address Resolution Protocol
    • Maps 32-bit IP addresses to 48-bit MAC addrs
    • Data link layer protocol above ethernet
  • RARP: Reverse ARP

25
ARP Example
  • sftp zappa.nku.edu
  • Obtains IP address via gethostbyname()
  • sftp asks TCP to connect to the IP address
  • TCP sends a connection request to brahms using an
    IP datagram
  • Sending host emits an ARP broadcast, asking for the
    MAC address of the given IP address
  • Destination host's ARP layer receives the broadcast,
    answers with an ARP reply w/ IP->MAC mapping
  • Sending host constructs an ethernet frame with the
    destination MAC address containing the IP datagram
  • Sending host sends the IP datagram

26
ARP Cache

  at204m02 (10.1.0.90) > arp -a
  Net to Media Table: IPv4
  Device   IP Address           Phys Addr
  ------   -------------------- ------------------
  hme0     at_elan.lc3net       00:00:a2:cb:28:5e
  hme0     10.1.0.79            00:e0:cf:00:0e:92
  hme0     at204m02             08:00:20:d8:e0:07
  hme0     10.1.7.103           00:90:27:b6:b5:e5
  hme0     10.1.0.139           00:e0:cf:00:15:bd

27
ARP Features
  • Proxy ARP
    • Router can answer ARP requests on network B for a
      host on network A that doesn't see the broadcast.
  • Gratuitous ARP
    • Host sends ARP for its own IP address at boot.
    • No reply should be received.
    • Network misconfiguration if a reply is received.
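
An added example (not from the slides) that ties the ARP Cache and ARP Features slides together from a monitoring point of view: it parses arp -a style listings, compares two snapshots, and flags an IP whose MAC changed, one MAC answering for several IPs (benign when it is a proxy-ARP router), and the condition a gratuitous ARP is meant to expose, namely our own IP mapped to someone else's MAC. The snapshots are constructed from the slide's listing with entries altered to trigger the checks.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$", re.IGNORECASE)

def normalize_mac(mac: str) -> str:
    """Solaris prints '8:0:20:d8:e0:7'; compare everything as two-digit lowercase."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC from 'device address mac' lines as printed by arp -a; headers are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2]):
            table[fields[1]] = normalize_mac(fields[2])
    return table

def arp_anomalies(previous: dict, current: dict, my_ip: str, my_mac: str) -> list:
    """Compare two cache snapshots and report what an administrator would want flagged."""
    alerts = []
    for ip, mac in current.items():
        if ip in previous and previous[ip] != mac:
            alerts.append(("mac-changed", ip, previous[ip], mac))
    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:   # expected for a proxy-ARP router; otherwise worth a look
            alerts.append(("mac-serves-multiple-ips", mac, sorted(ips)))
    # the situation a gratuitous ARP at boot is meant to reveal: our IP, another MAC
    if current.get(my_ip) not in (None, normalize_mac(my_mac)):
        alerts.append(("address-conflict", my_ip, current[my_ip]))
    return alerts

# Constructed snapshots in the arp -a layout shown on the ARP Cache slide.
SNAPSHOT_1 = """\
Device   IP Address           Phys Addr
------   -------------------- ------------------
hme0     10.1.0.79            00:e0:cf:00:0e:92
hme0     10.1.7.103           00:90:27:b6:b5:e5
hme0     10.1.0.139           00:e0:cf:00:15:bd
"""
SNAPSHOT_2 = """\
hme0     10.1.0.79            00:e0:cf:00:0e:92
hme0     10.1.7.103           00:e0:cf:00:15:bd
hme0     10.1.0.139           00:e0:cf:00:15:bd
"""
```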

28
IP Connectivity
  • No Network
    • loopback only
  • Single LAN
    • direct connectivity to hosts
  • Single Router
    • Direct connectivity to local LAN
    • Other networks reachable through one router
  • Multiple Routes to Other Networks

29
IP Routing
30
Routing Table
  • Where to send an IP packet to?
  • Use a table lookup: the routing table
  • Search Process
    • Search for a matching host address.
    • Search for a matching network address.
    • Search for a default route.
    • No route to destination: "Host unreachable" or
      "Network unreachable" error if the search fails.

31
Routing Table

  at204m02 (10.1.0.90) > netstat -rn
  Routing Table: IPv4
  Destination     Gateway              Flags  Ref    Use   Int
  --------------- -------------------- ----- ----- ------ -----
  10.1.0.0        10.1.0.90            U        1   4977  hme0
  224.0.0.0       10.1.0.90            U        1      0  hme0
  default         10.1.0.1             UG       1  66480
  127.0.0.1       127.0.0.1            UH       6 798905  lo0

32
Routing Table
  • Destination: final destination host/network
  • Gateway: next host in the route to the destination
  • Flags
    • U: Route is up
    • G: Route is to a gateway (router)
    • H: Route destination is a host (not a network)
    • D: Route created by a redirect
    • M: Route modified by a redirect

33
Routing Table
  • 10.1.0.0
    • direct access to local subnet
  • 224.0.0.0
    • multicast route
  • default
    • forward packets to the router at IP 10.1.0.1
  • 127.0.0.1
    • loopback

34
IP Routing
  • Manual (static) routes
    • Added with the route command.
  • ICMP redirects can alter routes
    • Router sends an ICMP redirect when the packet
      should've been sent to another router.
  • Routing protocols
    • Routers exchange routes with each other using
      special routing protocols.
    • Full internet router tables contain 30,000
      routes.
  • Source routing
    • Sender includes routing info in the packet header.
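
An added example (not from the slides) that implements the search process of the Routing Table slides over the netstat -rn entries shown there, and the redirect behaviour from the slide above. The netmasks are an assumption, since that listing does not print them: /16 for 10.1.0.0 and /4 for the multicast route.

```python
def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(p) for p in addr.split(".")), "big")

# Routes from the netstat -rn slide; masks assumed as stated in the lead-in.
ROUTES = [
    # destination,  netmask,           gateway,     flags, interface
    ("10.1.0.0",    "255.255.0.0",     "10.1.0.90", "U",   "hme0"),
    ("224.0.0.0",   "240.0.0.0",       "10.1.0.90", "U",   "hme0"),
    ("default",     "0.0.0.0",         "10.1.0.1",  "UG",  "hme0"),
    ("127.0.0.1",   "255.255.255.255", "127.0.0.1", "UH",  "lo0"),
]

def route_lookup(dst: str, routes=ROUTES) -> dict:
    """Slide's search order: host route, then the most specific network route, then default."""
    d = ip_to_int(dst)
    host = net = default = None
    for route in routes:
        dest, mask, gw, flags, iface = route
        if dest == "default":
            default = route
            continue
        m = ip_to_int(mask)
        if d & m != ip_to_int(dest) & m:
            continue
        if "H" in flags:
            host = route
        elif net is None or m > ip_to_int(net[1]):      # longest matching prefix wins
            net = route
    chosen = host or net or default
    if chosen is None:
        raise LookupError("Network is unreachable: no route to %s" % dst)
    dest, mask, gw, flags, iface = chosen
    # Without G the destination is on the link and is ARPed for directly;
    # with G the frame goes to the gateway, which is what gets ARPed for.
    next_hop = gw if "G" in flags else dst
    return {"match": dest, "next_hop": next_hop, "iface": iface, "flags": flags}

def apply_redirect(routes, dst: str, new_gw: str, iface: str):
    """ICMP redirect handling per the IP Routing slide: install a host route (flag D) via new_gw.
    Any host on the LAN could emit such a message, which is why many systems ignore redirects."""
    return routes + [(dst, "255.255.255.255", new_gw, "UGHD", iface)]
```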

35
ICMP (Internet Control Message Protocol)
  • Network layer protocol encapsulated in IP
  • Communicates error messages and exceptions.
  • Messages handled by either IP or TCP/UDP.

36
ICMP Message Types
  • Type 0: echo (ping) reply
  • Type 3: destination unreachable
  • Type 4: source quench
  • Type 5: redirect
  • Type 8: echo (ping) request
  • Type 9, 10: router advertisement, solicitation
  • Type 11: time (TTL) exceeded
  • Type 12: parameter (header) problem
  • Type 13: timestamp
  • Type 14: timestamp reply
  • Type 15, 16: information request, reply

37
UDP: User Datagram Protocol
  • Simple datagram transport layer protocol.
    • Each application output generates one UDP
      datagram, which produces one IP datagram.
  • Trades reliability for speed
    • Sends datagrams directly to the unreliable IP layer.
  • 16-bit port numbers
    • Identify sending and receiving processes.
  • Applications
    • DNS, SNMP, TFTP, streaming audio/video

38
UDP Header
39
UDP Example: TFTP
  • Trivial File Transfer Protocol
  • No authentication
  • TFTP Session

  sun16 > tftp at204m02
  tftp> get readme.txt
  Received 1024 bytes in 0.2 seconds.
  tftp> quit

40
TFTP Packet Types
  • Packet types
    • read a file (filename, ascii/binary)
    • write a file (filename, ascii/binary)
    • file data block
    • ACK
    • error

41
TFTP Packet Diagram
42
TFTP Session Trace

  at204m02 > snoop udp sun16
  1   0.00000 sun16 -> at204m02 TFTP Read "2sun" (netascii)
  2   0.00498 at204m02 -> sun16 TFTP Data block 1 (512 bytes)
  3   0.00136 sun16 -> at204m02 TFTP Ack block 1
  4   0.00010 at204m02 -> sun16 TFTP Data block 2 (300 bytes) (last block)
  5   0.00119 sun16 -> at204m02 TFTP Ack block 2

43
TFTP Security
  • Feature: no username/password required
    • TFTP is used by diskless hosts to boot.
  • How to protect /etc/passwd?
    • Limit TFTP server filesystem access.
    • Generally can only access the /tftpboot directory.

44
TCP: Transmission Control Protocol
  • Connection-oriented
    • Must establish a connection before sending data.
    • 3-way handshake.
  • Reliable byte-stream
    • TCP decides how to divide the stream into packets.
    • ACK, timeout, retransmit, reordering.
  • 16-bit source and destination ports.
    • FTP (21), HTTP (80), POP (110), SMTP (25)

45
TCP Reliability
  • Breaks data into best-sized chunks.
  • After sending a segment, maintains a timer; if no ACK
    arrives within the time limit, resends the segment.
  • Sends ACK on receipt of packets.
  • Discards packets on a bad checksum of header and data.
  • Receiver resequences TCP segments so data arrives
    in the order sent.
  • Receiver discards duplicate segments.
  • Flow control: only sends as much data as the receiver
    can process.

46
TCP Header
47
TCP Header
  • Sequence Number: 32-bit segment identifier.
  • Acknowledgment: next sequence number expected by the
    sender of the ACK
  • TCP is full duplex, so both sides of the connection
    have their own set of sequence numbers
  • Header length: length of header in 32-bit words
    (20 bytes default, up to 60 bytes w/ options)
  • Window size: number of bytes the receiver is willing
    to accept (flow control)

48
TCP Header Flags (Code Bits)
  • URG: urgent pointer is valid
  • ACK: acknowledgement number is valid
  • PSH: receiver should pass data to the app ASAP
  • RST: reset connection
  • SYN: synchronize sequence numbers to initiate a
    connection
  • FIN: sender is finished sending data

49
TCP Options
  • End of option list (kind=0)
  • NOP (kind=1)
    • Used to pad fields to a 32-bit boundary
  • Maximum Segment Size (MSS) (kind=2)
    • Len=4 (length includes kind and len bytes)
    • 16-bit MSS
    • Default 536 data + 20 TCP hdr + 20 IP hdr
  • Window Scale Factor (kind=3)
  • Timestamp (kind=8)
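
An added example (not from the slides) that decodes the fixed TCP header fields, the six code bits and the kind/len option list from the last three slides, and rejects an option whose length would run past the header. build_syn constructs a segment shaped like the SYN on the connection trace slide (options nop, nop, sackOK, mss 1460); the SACK-permitted option (kind 4) is not on the slide but appears in that trace.

```python
import struct

FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}

def parse_tcp_options(raw: bytes) -> list:
    """Walk the kind/len/data list; EOL and NOP carry no length byte, everything else must."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            opts.append(("eol", None))
            break
        if kind == 1:
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d: bad length %d" % (kind, length))
        data = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            value = struct.unpack("!H", data)[0]        # 16-bit MSS
        elif kind == 3 and length == 3:
            value = data[0]                             # window shift count
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", data)          # TSval, TSecr
        else:
            value = data                                # no data (sackOK) or unknown kind: raw bytes
        opts.append((OPTION_NAMES.get(kind, "kind%d" % kind), value))
        i += length
    return opts

def parse_tcp_header(seg: bytes) -> dict:
    """Fixed 20-byte header from the TCP Header slides, plus options and payload size."""
    if len(seg) < 20:
        raise ValueError("segment shorter than minimum TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off_res >> 4) * 4                           # data offset is in 32-bit words
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset %d" % hlen)
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
            "flags": [name for name, bit in FLAG_BITS if flags & bit], "header_len": hlen,
            "options": parse_tcp_options(seg[20:hlen]), "payload_len": len(seg) - hlen}

def build_syn(sport: int, dport: int, isn: int, window: int, mss: int) -> bytes:
    """Constructed SYN: <nop,nop,sackOK,mss N> gives 8 option bytes, so data offset = 7 words."""
    options = bytes([1, 1, 4, 2, 2, 4]) + struct.pack("!H", mss)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 7 << 4, 0x02, window, 0, 0)
    return fixed + options
```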

50
TCP Connections
  • Establishment
    • 3-way handshake
    • Connection Trace
  • Termination
    • Normal Termination
    • Connection Trace
    • Reset

51
Connection Establishment Protocol
  • Requester (client) sends a SYN segment,
    specifying the port number of the server to which
    it wants to connect and the client's initial
    sequence number (ISN).
  • Server responds with a SYN segment containing the
    server's ISN. Server acknowledges the client's SYN
    by ACKing the client's ISN+1.
  • Client acknowledges the server's SYN by ACKing the
    server's ISN+1.

52
TCP 3-way Handshake
53
Connection Establishment Test
  • at204m02> /usr/sbin/snoop sun09
  • at204m02> nc sun09 22
  • SSH-1.99-OpenSSH_3.7.1p2
  • ^C
  • If no services are running, start your own
  • at204m02> nc -l -p 8192

54
TCP Connection Trace

  at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
  sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
  at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820

55
Connection Termination Protocol
  • As TCP is full duplex, each side must terminate its
    half of the connection as follows:
    • Send a FIN segment (active close)
    • Other side ACKs w/ FIN sequence number + 1
  • Half-closed connections
    • Side that sent FIN can still receive data.
    • Example: ssh fasthost sort < words.txt

56
TCP Disconnection
57
Connection Termination Test
  • at204m02> /usr/lib/sendmail -bd
  • at204m02> /usr/sbin/snoop port 25
  • sun09> nc at204m02 25
  • 220 at204m02.lc3net ESMTP Sendmail
    8.11.7+Sun/8.11.7; Mon, 29 Mar 2004 14:09:40
    -0500 (EST)
  • quit

58
TCP Disconnection Trace

  at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820
  sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820
  sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820
  at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820

59
TCP Reset
  • Connection Refused
    • > telnet at204m02 8192
    • Trying 10.1.0.90...
    • telnet: Unable to connect to remote host:
      Connection refused
  • Packet Trace
    • sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
    • at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0

60
TCP Reset (cont.)
  • Connection Abort
    • Any queued data is thrown away.
    • Other side is informed of the abnormal close.
  • Packet Detail
    • One side sends RST.
    • Other side aborts the connection.
    • There is no ACK sent in response.

61
Half-Open Connections
  • Connections where one side has aborted or closed the
    connection w/o the knowledge of the other.
    • Client or server host has crashed.
    • DoS attack: requester sends SYN, doesn't respond
      to SYN+ACK.
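
An added example (not from the slides) that checks the sequence arithmetic the Connection Establishment, Connection Termination and TCP Reset slides describe against the three snoop traces above: each Ack must equal the peer's last Seq plus what that segment consumed (Len bytes, plus one for SYN or FIN), and the exchange is then classified as established, closed, half-closed, reset, or half-open (a SYN whose handshake never completed). The trace lines are the slides' own with the stripped "=" and "->" restored.

```python
def parse_snoop(line: str) -> dict:
    """'src -> dst TCP D=22 S=37519 Syn Seq=... Len=0 Win=...' -> dict; Options text is dropped."""
    src, arrow, dst, rest = line.split(None, 3)
    if arrow != "->" or not rest.startswith("TCP"):
        raise ValueError("not a snoop TCP line: %r" % line)
    rec = {"src": src, "dst": dst, "flags": set()}
    for tok in rest.split("Options=")[0].split()[1:]:
        if "=" in tok:                          # D=, S=, Seq=, Ack=, Len=, Win=
            key, val = tok.split("=", 1)
            rec[key] = int(val)
        else:                                   # Syn / Fin / Rst
            rec["flags"].add(tok.upper())
    return rec

def sequence_consumed(p: dict) -> int:
    """SYN and FIN each occupy one sequence number; data occupies Len bytes."""
    return p.get("Len", 0) + (1 if p["flags"] & {"SYN", "FIN"} else 0)

def outcome(pkts: list) -> str:
    if not pkts:
        return "empty"
    flags = [p["flags"] for p in pkts]
    if any("RST" in f for f in flags):
        return "reset"                          # refused or aborted; nothing ACKs an RST
    if "SYN" in flags[0]:
        if len(pkts) >= 3 and "SYN" in flags[1] and "Ack" in pkts[2]:
            return "established"
        return "half-open"                      # handshake never completed (slide above)
    return "closed" if sum("FIN" in f for f in flags) == 2 else "half-closed"

def check_trace(lines: list) -> tuple:
    """Check every Ack against the peer's last segment; return (outcome, list of problems)."""
    pkts = [parse_snoop(l) for l in lines]
    problems, last_sent = [], {}
    for p in pkts:
        peer_last = last_sent.get(p["dst"])
        if "Ack" in p and peer_last and "RST" not in peer_last["flags"]:
            expected = (peer_last["Seq"] + sequence_consumed(peer_last)) & 0xFFFFFFFF
            if p["Ack"] != expected:
                problems.append("%s acks %d, expected %d" % (p["src"], p["Ack"], expected))
        last_sent[p["src"]] = p
    return outcome(pkts), problems

# The three traces from the slides, with the stripped '=' and '->' restored.
HANDSHAKE = [
    "at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820"]
TEARDOWN = [
    "at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820"]
REFUSED = [
    "sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0"]
```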

62
Example List of TCP Ports

  TCP: IPv4 (netstat -na output)
  Local Addr      Rmt Addr              State
  --------------- --------------------  -----------
  *.111           *.*                   LISTEN
  *.32771         *.*                   LISTEN
  *.32772         *.*                   LISTEN
  *.32773         *.*                   LISTEN
  *.32774         *.*                   LISTEN
  *.4045          *.*                   LISTEN
  *.22            *.*                   LISTEN
  *.2049          *.*                   LISTEN
  *.515           *.*                   LISTEN
  *.80            *.*                   LISTEN
  *.6000          *.*                   LISTEN
  *.22            10.17.0.23.32827      ESTABLISHED
  *.2049          10.17.0.23.799        ESTABLISHED

63
TCP Servers
  • Local Address
    • *.80 means that it will accept connections on any
      network interface on TCP port 80.
  • Foreign Address
    • *.* means that the server will accept connections
      from any source host and port.
  • Conn = (src IP, src port, dst IP, dst port)
    • All connections to the same server will have the
      same dst IP and port, but will have different
      source IPs and ports
  • Kernel maintains a queue of 5 incoming connections
    for each server.

64
Key Points
  • TCP/IP Layers: encapsulation/de-multiplexing
    • Physical/Data Link: ethernet, PPP
    • Network: IP, ICMP
    • Transport: UDP, TCP
    • Application: ftp, http, smtp, telnet, etc.
  • IP
    • Addressing: DNS/IP/MAC, netmasks, CIDR, NAT.
    • Routing: tables, hubs/switches/routers.
  • TCP
    • Connection and Termination: 3-way handshake
    • Addressing: source and destination ports.

65
References
  • K. Egevang and P. Francis, The IP Network
    Address Translator (NAT), RFC 1631,
    http://www.ietf.org/rfc/rfc1631.txt, 1994.
  • J.B. Postel, Internet Protocol, RFC 791,
    http://www.ietf.org/rfc/rfc0791.txt, 1981.
  • J.B. Postel, Internet Control Message Protocol,
    RFC 792, http://www.ietf.org/rfc/rfc0792.txt,
    1981.
  • J.B. Postel, Transmission Control Protocol, RFC
    793, http://www.ietf.org/rfc/rfc0793.txt, 1981.
  • Ed Skoudis, Counter Hack, Prentice Hall, 2002.
  • Richard Stevens, TCP/IP Illustrated, Vol. 1,
    Addison-Wesley, 1994.
  • Richard Stevens, UNIX Network Programming, Vol.
    1, Prentice-Hall, 1998.
  • Andrew Tanenbaum, Computer Networks, 4th
    edition, Prentice-Hall, 2002.