Title: TCPIP
CSC 382 Computer Security
Topics
- TCP/IP Layering
- Encapsulation
- Internet Addresses
- Link Layer Protocols
- IP
- Routing
- TCP and UDP
- Application Layer Protocols
Network Example
(Diagram: hosts A1, A2, A3; Router; External Router; hosts B1, B2, B3.)
TCP/IP Layering
- HTTP, FTP, telnet
- TCP, UDP
- IP, ICMP, IGMP
- PPP, 802.11
- Ethernet
TCP/IP Layers
- Physical
  - NIC, cabling, electrical signaling.
- Data Link
  - Single hop transport of packets.
  - Wired protocols (ethernet, FDDI, PPP)
  - Wireless protocols (802.11)
- Network
  - End to end delivery of packets.
  - IP: Internet Protocol
TCP/IP Layers
- Transport
  - Flow of data between two hosts for the application layer.
  - TCP: reliable data flow with acknowledgements, retransmission, and timeouts.
  - UDP: simpler service with no guarantees.
- Application
  - Protocols for particular applications.
  - ex: FTP, HTTP, SMTP
Encapsulation/De-multiplexing
- Sending: data sent down protocol stack
  - Each layer prepends a header to data
  - Ethernet frame sent as bit stream across wire
- Receiving: data moves up protocol stack
  - NIC moves bits into memory as ethernet frame
  - Each layer removes its header from packet
Encapsulation
De-multiplexing
TCP/IP Security
- TCP/IP has no built-in strong security.
  - No confidentiality features.
  - Minimal availability features (ToS options).
  - Insecure CRC checksums for integrity.
- IPsec protocol extension adds security.
Data Link Layer
- IEEE Standards
  - Ethernet (802.3)
  - Token Ring (802.5)
  - Wireless (802.11)
- Serial Protocols
  - SLIP and CSLIP
  - PPP
Hubs and Switches
- Hubs
  - Broadcast received packets to all interfaces.
- Switches
  - Associate MAC addresses with physical interfaces.
  - Send packets only to the specified interface.
  - May have a SPAN port for network monitoring.
Data Link Layer
- Loopback
  - Looks like any other link layer device.
  - Full network processing is performed.
  - Sends packets to localhost for testing.
- 48-bit MAC address
- Maximum Transmission Unit (MTU)
  - 1492 or 1500 bytes, depending on ethernet std
Promiscuous Mode
- All ethernet frames to or from any locally connected host are seen by all hosts.
- NIC normally filters out frames that are not addressed to its MAC address.
- In promiscuous mode, NIC processes all ethernet frames, not just ones addressed to it.
- Requires administrative access on most OSes.
IP: Internet Protocol
- Unreliable, connectionless datagram service
  - Packets may arrive damaged, out of order, duplicated, or not at all.
  - Transport/Application layers provide reliability.
- IPv4 underlies the Internet.
  - 32-bit addresses in dotted-quad notation: 10.17.0.90.
- IPv6 is the successor with 128-bit addresses.
  - Complexities: addressing, routing
IP Header
- Protocol version: IPv4
- Header length: 5-60 32-bit words
- Type of service (TOS)
  - 3-bit precedence (ignored today)
  - 4 TOS bits (min delay (telnet), max throughput (ftp), max reliability, min monetary cost)
  - unused 0 bit
IP Header
- Total length: length of IP datagram (bytes)
  - maximum size 65535 bytes
  - large packets fragmented at data link layer.
  - small packets may be padded to minimum length.
- TTL: upper limit on number of router hops.
- Protocol: which protocol supplied packet data.
- Header checksum: IP header checksum
IP Fragments
- IP packets may be fragmented by routers for transmission across different media.
  - Max IP packet size 65536
  - Max Ethernet packet size 1500
- IP headers contain fragment data
  - Don't Fragment Flag: 0 = allowed, 1 = don't
  - More Fragments Flag: 0 = last, 1 = more fragments
  - Identification: identifies single packet for reassembly.
  - Fragment Offset: where contents of fragment go.
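As an added example (not from the slides), the following Python builds a 20-byte IPv4 header the way a sending stack does and then decodes it as a receiver would, checking the header length, the fragment flags and offset, and the RFC 791 header checksum. Function names and the sample addresses are my own choices.

```python
import struct

# Added example (not from the slides): build one IPv4 header as a sending
# stack would, then decode and validate it as a receiving stack would.

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of
    the 16-bit words. Over a header whose checksum field is correct it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def dotted(quad: bytes) -> str:
    return ".".join(str(b) for b in quad)

def build_ipv4_header(src, dst, payload_len, ident, df=0, mf=0,
                      frag_offset=0, ttl=64, proto=17, tos=0) -> bytes:
    """20-byte header without options; frag_offset is in 8-byte units."""
    flags_frag = (df << 14) | (mf << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len,
                      ident, flags_frag, ttl, proto, 0,   # checksum is 0 while summing
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields the slides list; reject short, malformed or corrupted headers."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, tos, total, ident, ff, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4              # header length field is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total < ihl:
        raise ValueError("malformed header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"ihl": ihl, "tos": tos, "total_length": total, "id": ident,
            "df": (ff >> 14) & 1, "mf": (ff >> 13) & 1,
            "frag_offset_bytes": (ff & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
            "src": dotted(pkt[12:16]), "dst": dotted(pkt[16:20])}

# Constructed sample: a middle fragment of a large UDP datagram between the slides'
# hosts, 1480 payload bytes at offset 1480 (185 * 8), so the frame fits 1500 bytes.
FRAGMENT = build_ipv4_header("10.1.0.90", "10.17.0.23", 1480, ident=0x1234,
                             df=0, mf=1, frag_offset=185)
```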
Internet Addresses
- 32-bit IPv4 addresses
- Dotted decimal notation: ii.jj.kk.ll
- Divided into two parts
  - Network ID
  - Host ID
- XOR address with netmask to get Network ID.
Address Classes
- Class A: 0.0.0.0-127.255.255.255
  - 8-bit net ID, 24-bit host ID
- Class B: 128.0.0.0-191.255.255.255
  - 16-bit net ID, 16-bit host ID
- Class C: 192.0.0.0-223.255.255.255
  - 24-bit net ID, 8-bit host ID
- Class D: 224.0.0.0-239.255.255.255
  - 28-bit multicast group ID
- Class E: 240.0.0.0-255.255.255.255
  - Reserved for future use
CIDR
- Class addressing too inefficient
- Still need to aggregate routes to limit routing table size.
- Example: 196.1.1.0/24
  - 24 bits of Net ID: 196.1.1
  - Remaining 8 bits are host ID
- Not limited to network class sizes
- Example: 192.168.128.0/22
  - 4 class C networks: 192.168.128.0, 192.168.129.0, 192.168.130.0, 192.168.131.0
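As an added example (not from the slides), this Python works through the address arithmetic behind the Address Classes and CIDR slides: classifying an address by its first octet, deriving a netmask from a prefix length, applying the mask with a bitwise AND to obtain the network ID, and listing the class C networks that a shorter prefix such as 192.168.128.0/22 aggregates. Function names are my own.

```python
# Added example (not from the slides): classful and CIDR address arithmetic
# on the slides' own addresses. Helper names are my own choices.

def to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted quad: %s" % addr)
    return int.from_bytes(bytes(octets), "big")

def to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def address_class(addr: str) -> str:
    """Classful category from the first octet, per the 'Address Classes' slide."""
    first = to_int(addr) >> 24
    for limit, cls in ((128, "A"), (192, "B"), (224, "C"), (240, "D"), (256, "E")):
        if first < limit:
            return cls

def netmask(prefix_len: int) -> int:
    """/n prefix -> 32-bit mask with the top n bits set (e.g. /22 -> 255.255.252.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length out of range")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def network_id(addr: str, prefix_len: int) -> str:
    """AND the address with the mask: Net ID bits survive, Host ID bits are cleared."""
    return to_dotted(to_int(addr) & netmask(prefix_len))

def host_count(prefix_len: int) -> int:
    """Usable host addresses, excluding the network and broadcast addresses."""
    return max(2 ** (32 - prefix_len) - 2, 0)

def class_c_blocks(cidr: str) -> list:
    """The /24 (class C) networks a shorter prefix aggregates, e.g. 192.168.128.0/22."""
    addr, plen = cidr.split("/")
    plen = int(plen)
    if plen > 24:
        raise ValueError("prefix longer than a class C network")
    base = to_int(addr) & netmask(plen)
    return [to_dotted(base + i * 256) for i in range(2 ** (24 - plen))]
```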
Network Address Translation
- Local network uses IETF reserved addresses.
  - Non-routable: no router knows how to send packets to them.
  - RFC 1918: 10.x.y.z, 192.168.y.z, 172.16.y.z
- Gateway translates reserved addresses to unique, routable IP addresses.
- NAT: Dynamic mapping to pool of routable IP addresses.
  - 10.0.0.1 -> 4.2.3.5
  - 10.0.0.2 -> 4.2.3.6
- NAPT: Dynamic mapping to IP address/pool of src ports.
  - 10.0.0.1 -> 4.2.3.5:1
  - 10.0.0.2 -> 4.2.3.5:2
ARP: Address Resolution Protocol
- MAC address determines packet destination.
- How does the network layer supply the link layer with a MAC address?
- ARP: Address Resolution Protocol
  - Maps 32-bit IP addresses to 48-bit MAC addrs
  - Data link layer protocol above ethernet
- RARP: Reverse ARP
ARP Example
- sftp zappa.nku.edu
- Obtains IP address via gethostbyname()
- sftp asks TCP to connect to IP address
- TCP sends connection request to brahms using an IP datagram
- Sending host emits ARP broadcast, asking for MAC address of given IP address
- Destination host's ARP layer receives broadcast, answers with an ARP reply w/ IP->MAC mapping
- Sending host constructs ethernet frame with destination MAC address containing IP datagram
- Sending host sends IP datagram
ARP Cache
- at204m02 (10.1.0.90) > arp -a
  Net to Media Table: IPv4
  Device   IP Address            Phys Addr
  ------   --------------------  ------------------
  hme0     at_elan.lc3net        00:00:a2:cb:28:5e
  hme0     10.1.0.79             00:e0:cf:00:0e:92
  hme0     at204m02              08:00:20:d8:e0:07
  hme0     10.1.7.103            00:90:27:b6:b5:e5
  hme0     10.1.0.139            00:e0:cf:00:15:bd
ARP Features
- Proxy ARP
  - Router can answer ARP requests on network B for a host on network A that doesn't see the broadcast.
- Gratuitous ARP
  - Host sends ARP for own IP address at boot.
  - No reply should be received.
  - Network misconfiguration if reply received.
IP Connectivity
- No Network
  - loopback only
- Single LAN
  - direct connectivity to hosts
- Single Router
  - Direct connectivity to local LAN
  - Other networks reachable through one router
- Multiple Routes to Other Networks
IP Routing
Routing Table
- Where to send an IP packet to?
- Use a table lookup: routing table
- Search Process
  - Search for a matching host address.
  - Search for a matching network address.
  - Search for a default route.
  - No route to destination: "Host or network unreachable" error if search fails.
Routing Table
- at204m02 (10.1.0.90) > netstat -rn
  Routing Table: IPv4
  Destination     Gateway               Flags  Ref  Use     Int
  --------------  --------------------  -----  ---  ------  ----
  10.1.0.0        10.1.0.90             U      1    4977    hme0
  224.0.0.0       10.1.0.90             U      1    0       hme0
  default         10.1.0.1              UG     1    66480
  127.0.0.1       127.0.0.1             UH     6    798905  lo0
Routing Table
- Destination: final destination host/network
- Gateway: next host in route to destination
- Flags
  - U: Route is up
  - G: Route is to a gateway (router)
  - H: Route destination is a host (not a network)
  - D: Route created by a redirect
  - M: Route modified by a redirect
Routing Table
- 10.1.0.0
  - direct access to local subnet
- 224.0.0.0
  - multicast route
- default
  - forward packets to router at IP 10.1.0.1
- 127.0.0.1
  - loopback
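As an added example (not from the slides), this Python applies the search order of the Routing Table slides (host route, then network route, then default) to the table shown for at204m02, using the H and G flags to decide whether a match is a host route and whether the next hop is a gateway. The netstat -rn output on the slide does not show netmasks, so the /16 for 10.1.0.0 and /4 for 224.0.0.0 are assumptions, and the function names are mine.

```python
import ipaddress

# Added example (not from the slides): the routing search from the 'Routing Table'
# slides run against at204m02's table. Prefix lengths for 10.1.0.0 and 224.0.0.0
# are assumed (netstat -rn on that system prints none).
ROUTES = [
    ("10.1.0.0/16",  "10.1.0.90", "U",  "hme0"),
    ("224.0.0.0/4",  "10.1.0.90", "U",  "hme0"),
    ("default",      "10.1.0.1",  "UG", None),
    ("127.0.0.1/32", "127.0.0.1", "UH", "lo0"),
]

def lookup(dst: str, routes=ROUTES) -> dict:
    """Host route first, then the most specific network route, then default.
    Raises LookupError (host or network unreachable) when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, gw, flags, iface in routes:
        if dest == "default":
            continue
        net = ipaddress.ip_network(dest)
        if ip not in net:
            continue
        if "H" in flags:                     # exact host match wins outright
            best = (net, gw, flags, iface)
            break
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, flags, iface)   # longest prefix is most specific
    if best is None:
        for dest, gw, flags, iface in routes:
            if dest == "default":
                best = (dest, gw, flags, iface)
    if best is None:
        raise LookupError("no route to %s: host or network unreachable" % dst)
    net, gw, flags, iface = best
    via_gateway = "G" in flags               # G: hand the packet to a router
    return {"match": str(net), "next_hop": gw if via_gateway else dst,
            "via_gateway": via_gateway, "iface": iface}
```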
IP Routing
- Manual (static) routes
  - Added with the route command.
- ICMP redirects can alter routes
  - Router sends ICMP redirect when packet should've been sent to another router.
- Routing protocols
  - Routers exchange routes with each other using special routing protocols.
  - Full internet router tables contain 30,000 routes.
- Source routing
  - Sender includes routing info in packet header.
ICMP (Internet Control Message Protocol)
- Network layer protocol encapsulated in IP
- Communicates error messages and exceptions.
- Messages handled by either IP or TCP/UDP.
ICMP Message Types
- Type 0: echo (ping) reply
- Type 3: destination unreachable
- Type 4: source quench
- Type 5: redirect
- Type 8: echo (ping) request
- Type 9, 10: router advertisement, solicitation
- Type 11: time (TTL) exceeded
- Type 12: parameter (header) problem
- Type 13: timestamp
- Type 14: timestamp reply
- Type 15, 16: information request, reply
UDP: User Datagram Protocol
- Simple datagram transport layer protocol.
- Each application output generates one UDP datagram, which produces one IP datagram.
- Trades reliability for speed
  - Sends datagrams directly to unreliable IP layer.
- 16-bit port numbers
  - Identify sending and receiving processes.
- Applications
  - DNS, SNMP, TFTP, streaming audio/video
UDP Header
UDP Example: TFTP
- Trivial File Transfer Protocol
- No authentication
- TFTP Session
  sun16 > tftp at204m02
  tftp> get readme.txt
  Received 1024 bytes in 0.2 seconds.
  tftp> quit
TFTP Packet Types
- Packet types
  - read a file (filename, ascii/binary)
  - write a file (filename, ascii/binary)
  - file data block
  - ACK
  - error
TFTP Packet Diagram
TFTP Session Trace
- at204m02 > snoop udp sun16
  0.00000 sun16 -> at204m02 TFTP Read "2sun" (netascii)
  0.00498 at204m02 -> sun16 TFTP Data block 1 (512 bytes)
  0.00136 sun16 -> at204m02 TFTP Ack block 1
  0.00010 at204m02 -> sun16 TFTP Data block 2 (300 bytes) (last block)
  0.00119 sun16 -> at204m02 TFTP Ack block 2
TFTP Security
- Feature: no username/password required
  - TFTP used for diskless hosts to boot.
- How to protect /etc/passwd?
  - Limit TFTP server filesystem access.
  - Generally can only access /tftpboot directory.
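As an added example (not from the slides), this Python decodes the five TFTP packet types from the TFTP Packet Types slide and implements the filesystem restriction the TFTP Security slide calls for: every requested name is mapped under /tftpboot and refused if it resolves outside it. Function names are mine; a real server should also resolve symlinks (os.path.realpath) before applying the check.

```python
import posixpath
import struct

# Added example (not from the slides): TFTP packet decoder plus the /tftpboot
# containment check. Opcodes 1-5 are RRQ, WRQ, DATA, ACK, ERROR.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def parse_tftp(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("short packet")
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (1, 2):                         # opcode, filename NUL, mode NUL
        fields = pkt[2:].split(b"\x00")
        if len(fields) < 3:
            raise ValueError("request not NUL-terminated")
        mode = fields[1].decode("ascii").lower()
        if mode not in ("netascii", "octet"):
            raise ValueError("unknown transfer mode %r" % mode)
        return {"op": OPCODES[op], "filename": fields[0].decode("ascii"), "mode": mode}
    block = struct.unpack("!H", pkt[2:4])[0]  # block number, or error code for ERROR
    if op == 3:                              # 512-byte blocks; a shorter block is the last
        return {"op": "DATA", "block": block, "data": pkt[4:], "last": len(pkt) - 4 < 512}
    if op == 4:
        return {"op": "ACK", "block": block}
    if op == 5:
        return {"op": "ERROR", "code": block,
                "message": pkt[4:].split(b"\x00")[0].decode("ascii")}
    raise ValueError("unknown opcode %d" % op)

def resolve_under_root(filename: str, root: str = "/tftpboot") -> str:
    """Map a requested name to a path inside root; refuse any name that escapes it."""
    if not filename or "\x00" in filename:
        raise PermissionError("invalid filename")
    candidate = posixpath.normpath(posixpath.join(root, filename.lstrip("/")))
    if not candidate.startswith(root + "/"):  # normpath has collapsed any ".." segments
        raise PermissionError("%s resolves outside %s" % (filename, root))
    return candidate

# Constructed sample: the read request from the 'TFTP Session Trace' slide.
RRQ = b"\x00\x01" + b"2sun\x00netascii\x00"
```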
TCP: Transmission Control Protocol
- Connection-oriented
  - Must establish connection before sending data.
  - 3-way handshake.
- Reliable byte-stream
  - TCP decides how to divide stream into packets.
  - ACK, timeout, retransmit, reordering.
- 16-bit source and destination ports.
  - FTP(21), HTTP(80), POP(110), SMTP(25)
TCP Reliability
- Breaks data into best-sized chunks.
- After sending segment, maintains timer; if no ACK within time limit, resends segment.
- Sends ACK on receipt of packets.
- Discards pkts on bad checksum of header and data.
- Receiver resequences TCP segments so data arrives in order sent.
- Receiver discards duplicate segments.
- Flow control: only sends as much data as receiver can process.
TCP Header
- Sequence Number: 32-bit segment identifier.
- Acknowledgment: next sequence number expected by sender of ACK
  - TCP is full duplex so both sides of connection have own set of sequence numbers
- Header length: length of header in 32-bit words (20 bytes default, 60 bytes w/ options)
- Window size: number of bytes receiver is willing to accept (flow control)
TCP Header Flags (Code Bits)
- URG: urgent pointer is valid
- ACK: acknowledgement number is valid
- PSH: rcvr should pass data to app asap
- RST: reset connection
- SYN: synchronize sequence numbers to initiate a connection
- FIN: sender is finished sending data
TCP Options
- End of option list (kind=0)
- NOP (kind=1)
  - Used to pad fields to 32-bit boundary
- Maximum Segment Size (MSS) (kind=2)
  - Len=4 (length includes kind + len bytes)
  - 16-bit MSS
  - Default 536 data + 20 TCP hdr + 20 IP hdr
- Window Scale Factor (kind=3)
- Timestamp (kind=8)
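As an added example (not from the slides), this Python decodes a TCP header and its option list as described on the TCP Header, Flags and Options slides, with the length checks a parser needs so that a malformed option (length 0, or a length running past the header) is rejected instead of looping or over-reading. The sample segment is constructed from the client SYN on the TCP Connection Trace slide; function names are mine.

```python
import struct

# Added example (not from the slides): decode a TCP header and its options, with
# the bounds checks that keep a bad option from looping or reading past the header.
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

def parse_options(opts: bytes) -> list:
    """Walk kind/len/value options; kinds 0 and 1 carry no length byte."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            out.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # length 0/1 would never advance
            raise ValueError("bad option length %d" % length)
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out.append("mss %d" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            out.append("wscale %d" % body[0])
        elif kind == 4 and length == 2:
            out.append("sackOK")
        elif kind == 8 and length == 10:
            out.append("timestamp %d %d" % struct.unpack("!II", body))
        else:
            out.append("kind %d" % kind)
        i += length
    return out

def parse_tcp_header(seg: bytes) -> dict:
    if len(seg) < 20:
        raise ValueError("short segment")
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off >> 4) * 4                   # data offset is in 32-bit words
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "header_len": hlen, "flags": [n for n, b in FLAG_BITS if flags & b],
            "options": parse_options(seg[20:hlen]), "data": seg[hlen:]}

# Constructed sample: the client SYN from the 'TCP Connection Trace' slide
# (S=37519 D=22 Seq=477982308 Win=24820 Options=<nop,nop,sackOK,mss 1460>).
SYN = struct.pack("!HHIIBBHHH", 37519, 22, 477982308, 0, 7 << 4, 0x02, 24820, 0, 0) \
      + bytes.fromhex("01 01 04 02 02 04 05 b4")
```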
TCP Connections
- Establishment
  - 3-way handshake
  - Connection Trace
- Termination
  - Normal Termination
  - Connection Trace
  - Reset
Connection Establishment Protocol
- Requester (client) sends a SYN segment, specifying the port number of the server to which it wants to connect and the client's initial sequence number (ISN).
- Server responds with SYN segment containing server's ISN. Server acknowledges client's SYN by ACKing the client's ISN+1.
- Client acknowledges server SYN by ACKing server's ISN+1.
TCP 3-way Handshake
Connection Establishment Test
- at204m02> /usr/sbin/snoop sun09
- at204m02> nc sun09 22
  SSH-1.99-OpenSSH_3.7.1p2
  ^C
- If no services running, start your own
- at204m02> nc -l -p 8192
TCP Connection Trace
- at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
- sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
- at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820
Connection Termination Protocol
- As TCP is full duplex, each side must terminate half of the connection as follows
  - Send FIN segment (active close)
  - Other side ACKs w/ FIN sequence number + 1
- Half-closed connections
  - Side that sent FIN can still receive data.
  - Example: ssh fasthost sort < words.txt
TCP Disconnection
Connection Termination Test
- at204m02> /usr/lib/sendmail -bd
- at204m02> /usr/sbin/snoop port 25
- sun09> nc at204m02 25
  220 at204m02.lc3net ESMTP Sendmail 8.11.7+Sun/8.11.7; Mon, 29 Mar 2004 14:09:40 -0500 (EST)
  quit
TCP Disconnection Trace
- at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820
- sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820
- sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820
- at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820
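As an added example (not from the slides), this Python checks the sequence and acknowledgement arithmetic that the Connection Establishment and Connection Termination Protocol slides describe, run over the snoop traces from the TCP Connection Trace and TCP Disconnection Trace slides: every ACK must name the peer's last sequence number plus what that segment consumed, where a SYN or FIN each consume one sequence number, and nothing should follow an RST. The line format is snoop's summary line; the function and sample names are mine.

```python
import re

# Added example (not from the slides): validate the seq/ack arithmetic of the
# snoop traces on the handshake, teardown and reset slides.
LINE = re.compile(r"^(\S+) -> (\S+) TCP D=(\d+) S=(\d+)"
                  r"((?: (?:Syn|Fin|Rst|Push|Urg))*)"
                  r"(?: Ack=(\d+))?(?: Seq=(\d+))?(?: Len=(\d+))?")

def check_trace(lines) -> list:
    """Return findings; an empty list means every ACK matched what the peer had
    sent and no segment followed a reset. A trace may start mid-connection, so
    an ACK for a side not yet seen is accepted."""
    expect, reset_by, findings = {}, None, []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line.strip())
        if not m:
            raise ValueError("line %d is not a snoop TCP summary" % n)
        src, dst, flags, ack, seq, length = m.group(1, 2, 5, 6, 7, 8)
        flagset = set(flags.split())
        if reset_by:
            findings.append("%d: segment after %s sent RST" % (n, reset_by))
        if ack is not None and dst in expect and int(ack) != expect[dst]:
            findings.append("%d: %s acks %s, expected %d" % (n, src, ack, expect[dst]))
        if seq is not None:                  # SYN and FIN each occupy one sequence number
            consumed = int(length or 0) + ("Syn" in flagset) + ("Fin" in flagset)
            expect[src] = int(seq) + consumed
        if "Rst" in flagset:
            reset_by = src
    return findings

# Constructed from the slides' traces (option lists omitted).
HANDSHAKE = [
    "at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820",
]
TEARDOWN = [
    "at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820",
]
REFUSED = [
    "sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0",
]
```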
TCP Reset
- Connection Refused
  > telnet at204m02 8192
  Trying 10.1.0.90...
  telnet: Unable to connect to remote host: Connection refused
- Packet Trace
  sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
  at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0
TCP Reset (cont.)
- Connection Abort
  - Any queued data is thrown away.
  - Other side is informed of abnormal close.
- Packet Detail
  - One side sends RST.
  - Other side aborts connection.
  - There is no ACK sent in response.
Half-Open Connections
- Connections where one side has aborted or closed connection w/o knowledge of other.
  - Client or server host has crashed.
  - DOS attack: requester sends SYN, doesn't respond to SYN/ACK.
Example List of TCP Ports
- TCP: IPv4 (netstat -na output)
  Local Addr      Rmt Addr              State
  --------------  --------------------  -----------
  *.111           *.*                   LISTEN
  *.32771         *.*                   LISTEN
  *.32772         *.*                   LISTEN
  *.32773         *.*                   LISTEN
  *.32774         *.*                   LISTEN
  *.4045          *.*                   LISTEN
  *.22            *.*                   LISTEN
  *.2049          *.*                   LISTEN
  *.515           *.*                   LISTEN
  *.80            *.*                   LISTEN
  *.6000          *.*                   LISTEN
  *.22            10.17.0.23.32827      ESTABLISHED
  *.2049          10.17.0.23.799        ESTABLISHED
TCP Servers
- Local Address
  - *.80 means that it will accept connections on any network interface on TCP port 80.
- Foreign Address
  - *.* means that the server will accept connections from any source host and port.
- Conn(src IP, src port, dst IP, dst port)
  - All connections to same server will have same dst IP and port, but will have different source IPs and ports
- Kernel maintains queue of 5 incoming connections for each server.
Key Points
- TCP/IP Layers: encapsulation/de-multiplexing
  - Physical/Data Link: ethernet, PPP
  - Network: IP, ICMP
  - Transport: UDP, TCP
  - Application: ftp, http, smtp, telnet, etc.
- IP
  - Addressing: DNS/IP/MAC, netmasks, CIDR, NAT.
  - Routing: tables, hubs/switches/routers.
- TCP
  - Connection and Termination: 3-way handshake
  - Addressing: source and destination ports.
References
- K. Egevang and P. Francis, The IP Network Address Translator (NAT), RFC 1631, http://www.ietf.org/rfc/rfc1631.txt, 1994.
- J.B. Postel, Internet Protocol, RFC 791, http://www.ietf.org/rfc/rfc0791.txt, 1981.
- J.B. Postel, Internet Control Message Protocol, RFC 792, http://www.ietf.org/rfc/rfc0792.txt, 1981.
- J.B. Postel, Transmission Control Protocol, RFC 793, http://www.ietf.org/rfc/rfc0793.txt, 1981.
- Ed Skoudis, Counter Hack, Prentice Hall, 2002.
- Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.
- Richard Stevens, UNIX Network Programming, Vol. 1, Prentice-Hall, 1998.
- Andrew Tanenbaum, Computer Networks, 4th edition, Prentice-Hall, 2002.