Network Security CS 478/CIS 678

1
Network Security CS 478/CIS 678

• Intro to TCP/IP

2
Objectives

• Reading Computer Security Principles and
  Practice, W Stallings, L Brown
• Appendix E
• The student should be able to
• Interpret output for ARP, IP, TCP, UDP, ICMP on a
  sniffer Wireshark (sufficient as shown in this
  PowerPoint).

3
Internet Architecture
4
TCP/IP Packet
Source Destination logical addr.
What physical node to send to?
What data is actually being sent?
Packet checkcode
Which app does this go to?
L2 L3 L4 Application
CRC Ethernet IP TCP
5
Addressing Requirements

• two levels of addressing required
• each host on a subnet needs a unique global
  network address
• its IP address
• each application on a (multi-tasking) host needs
  a unique address within the host
• known as a port

6
TCP/IP Packet
Source Destination logical addr.
What physical node to send to?
What data is actually being sent?
Packet checkcode
Which app does this go to?
L2 L3 L4 Application
CRC Ethernet IP TCP
Ginger.cs.uwp.edu 124.36.92.81
Hi Alice, Are you coming to the party on Friday?
Port 80 web
Address on LAN 000c2980ec29
7
Operation of TCP and IP
8
Operation of TCP/IP
9
Some TCP/IP Protocols
10
Protocols used at each Layer

• L5 Application
• L4 Transport
• TCP Transport Control Protocol (End-to-End Error
  control Retransmission)
• UDP User Datagram Protocol (Only Port
  Addressing)
•  
• L3 Network
• IP Internet Protocol (Routing)
• ICMP Internet Control Message Protocol (Reports
  errors, performs tests for IP)
•  
• L2 Data Link Layer - Medium Access Control
  (MAC)
• Ethernet Protocol
• ARP Address Resolution Protocol (Translates IP
  to MAC addresses)

11
Physical Layer Layer 1

• Basic Function Concerned with physical interface
  between computer and network
• concerned with issues like
• characteristics of transmission medium
• signal levels
• data rates
• other related matters

12
Network Access Layer Layer 2

• Basic Function Coordinate multiple access on LAN
• exchange of data between an end system and
  attached network
• concerned with issues like
• destination address provision
• invoking specific services like priority
• access to routing data across a network link
  between two attached systems
• allows layers above to ignore link specifics
• Example protocol Ethernet

13
Internet Layer (IP) Layer 3

• Basic Function Routing packets across
  network(s)
• for systems attached to different networks
• implemented in end systems and routers
• routers connect two networks and relays data
  between them
• Time Source IP Dest IP
  App
• 152 919.001559 10.1.1.165 10.1.1.128 IP Fragmented
  IP protocol (protoICMP 0x01, off0,
• ID19d9)

14
Internet Protocol (IP)

• Performs routing
• Addresses hosts
• Performs fragmentation/reassembly
• Security problem Spoofed fragments replace or
  confuse real data
• Security problem Fragmented attacks may not be
  noticed by firewalls, IDS (depending on their
  sophistication)

15
IP Header
16
IP Header Format

• First 8 nibbles
• 0-3 IP Version (V4 or V6)
• 4-7 Header length (in 32-bit words)
• 8-15 Type of service (relates to quality of
  service - ignore for this class)
• 16-31 Total length
• Second 8 nibbles
• 0-15 Identification (used with fragmentation)
• 16-18 Flags More bit, Dont Fragment
• 19-31 Fragment offset
• Third 8 nibbles
• 0-7 Time to live
• 8-15 Next Protocol (e.g. TCP, ICMP)
• 16-31 Header Checksum
• Fourth 8 nibbles Source IP Address
• Fifth 8 nibbles Destination IP Address

17
Transmission Control Protocol (TCP) Layer 4

• Transport protocols are TCP (most common) and UDP
• Basic Function (TCP) Provides a reliable
  connection for transfer of data between
  applications
• Reliable Packets delivered in order and no
  packets are missing
• Reliability provided by sequencing and
  retransmission
• a TCP segment is the basic protocol unit
• TCP tracks segments between end-to-end (source,
  destination) entities for duration of each
  connection

18
Transport Control Protocol (TCP)

• TCP is responsible for end-to-end retransmission,
  and reordering of packets received out-of-order.
  
• Addresses applications via 16-bit Port number
• Performs error control on an end-to-end basis
• Reorders out-of-sequence segments
• Retransmits segments when acknowledgements are
  not received
• Performs flow control to ensure destination is
  not overwhelmed with data (using a window)
• Performs congestion control to ensure network is
  not overwhelmed

19
TCP Header Fields

• Source Port Source port (application) address
• Dest Port Destination port (application) address
• Flag SSYN, FFIN, PPUSH, RRESET, AACK
• Sequence Beginning Sequence number (byte )
• AckNr Acknowledgment sequence number (next
  expected seq )
• WindowSize Size of empty space in receive buffer
  (in bytes)
• Checksum Verifies no change in segment and parts
  of IP header
• Urgent Pointer index to urgent data (rarely used)

20
TCP

• TCP is connection-oriented, which means that it
  must explicitly establish and break down a
  connection before transmission occurs.
• Establishes a connection
• Sends data
• Each side gracefully disconnects

21
TCP Flags

• The flags within segments that TCP uses includes
• SSYN Request to establish a connection
• PPUSH Request from application to flush (or
  force) transmission.
• FFIN Request to close a transmission -
  graceful
• RRESET Notification of aborting of a connection
• ack Contains an ack for previous data

22
Initiate a TCP Connection

• Establishes a connection via a 3-way handshake.
• SYNSynchronization, establishes send and receive
  sequence numbers
• SYN ?
• ? SYN,ACK
• ACK ?

23
Send TCP Data

• Each byte of TCP data has a sequence number
  associated with it, which indicates the byte
  number of the first byte sent.
• The acknowledgment indicates the sequence number
  of the byte of data expected next
• (PUSH) ?
• ? ACK
• Time Source IP Dest IP App
  Port 2 Port Packet Type SendSeq AckSeq
• 45 1037.608722 10.1.1.3 10.1.1.165 TCP 3128 gt
  1270 ACK Seq86244 Ack6584 Win19220 Len0
• 46 1037.751240 10.1.1.3 10.1.1.165 TCP TCP
  segment of a reassembled PDU
• 47 1037.751279 10.1.1.3 10.1.1.165 TCP TCP
  segment of a reassembled PDU

24
Terminate TCP Connection

• Graceful Disconnect Both sides must disconnect
• FIN Finish
• Sending FIN indicates no more data to transmit
•  
• FIN ?
• ? ACK
• ? FIN
• ACK ?
•  

25
Session Abort

• I dont want to participate in this connection
• Uses Reset
•  
• RST ?

26
TCP Connect Data - Disconnect

• Time Source IP
  Dest IP App Port 2 Port Packet
  Type SendSeq AckSeq
• 1 0.000000 10.1.1.165 10.1.1.3 TCP 1179 gt 3128
  SYN Seq0 Win64240 Len0 MSS1460
• 2 0.000623 10.1.1.3 10.1.1.165 TCP 3128 gt 1179
  SYN, ACK Seq0 Ack1 Win5840 Len0
  MSS1460
• 3 0.000667 10.1.1.165 10.1.1.3 TCP 1179 gt 3128
  ACK Seq1 Ack1 Win64240 Len0
• 7 0.029386 10.1.1.165 10.1.1.3 TCP 1179 gt 3128
  ACK Seq860 Ack3691 Win64240 Len0
• 8 0.160003 10.1.1.3 10.1.1.165 TCP 80 gt 1190
  FIN, ACK Seq341 Ack436 Win6432 Len0
• 9 0.160598 10.1.1.165 10.1.1.3 TCP 1190 gt 80
  ACK Seq436 Ack342 Win63900 Len0
• 10 0.161706 10.1.1.165 10.1.1.3 TCP 1190 gt 80
  FIN, ACK Seq436 Ack342 Win63900 Len0
• 11 0.163407 10.1.1.3 10.1.1.165 TCP 80 gt 1190
  ACK Seq342 Ack437 Win6432 Len0

27
TCP WiresharkShowing Connection, Data, Disconnect
28
TCP Header
29
User Datagram Protocol (UDP)

• UDP can be used instead of TCP to address an
  application
• Does NOT support end-to-end retransmission,
  reorder out-of-order packets, or perform flow
  control or congestion control.
• Addresses applications via 16-bit Port number
• Protocol
• UDP is connectionless, which means it sends
  packets without establishing a connection first.
  If packets cannot be successfully sent, there may
  be no indication of failure.
• 1 Packet type Send data
• 1 0.000000 131.210.13.7 10.1.1.165 UDP Source
  port 1060 Dest port 8881

30
User Datagram Protocol(UDP)

• an alternative to TCP
• no guaranteed delivery
• no preservation of sequence
• no protection against duplication
• minimum overhead
• adds port addressing to IP

31
Application Layer Layer 5 (Internet)

• Basic Function User applications
• need a separate module for each type of
  application File transfer, web, ssh, email, etc.
• 4 0.001151 10.1.1.165 10.1.1.3 HTTP GET
  http//www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
• 90 80.400513  10.1.1.165  10.1.1.10 
  SNMP get-request RFC1213-MIBmib-2.25.3.2.1.5.1
  RFC1213-MIBmib-2.25.3.5.1.1.1
  RFC1213-MIBmib-2.25.3.5.1.2.1

32
Application Protocols

• Application Port
• SMTP Simple Mail Transfer Protocol (Email) 25
• HTTP HyperText Transfer Protocol (Web) 80
• FTP File Transfer Protocol 20/21
• SNMP Simple Network Management Protocol 161
• DNS Domain Name Server 53
• NBNS NetBios Name Service (Microsoft Internal,
  similar to DNS) 137
• SSL Secure Socket Layer 443

33
Some TCP/IP Protocols
34
Internet Control Message Protocol (ICMP)

• Reports errors from IP (e.g. Destination not
  reachable)
• Replies to requests (routing info)
• Test connectivity (ping)
• 71 16.725008 10.1.1.165
  207.46.170.123 ICMP Echo (ping) request
• 76 17.813662 207.231.240.7 10.1.1.165 ICMP Time
  -to-live exceeded (Time to live exceeded in
  transit)
• 73 13.696159 10.1.1.1 10.1.1.165 ICMP Destinatio
  n unreachable
• (Communication administratively
  filtered)

35
Address Resolution Protocol (ARP)

• Converts an IP Address (192.164.53.25) to a MAC
  Address (e.g. 090271c50d0)
• Protocol
• Requester broadcasts to all nodes on subnet ARP
  Request (IP_Address)
• Replier (Me) sends ARP Response (IP_Address, MAC
  Address)
• 3 8.617021 000c2980ec29 ffffffffffff
  ARP Who has
• 10.1.1.3? Tell 10.1.1.165
• 4 8.617825 000e0c3df77d 000c2980ec29
  ARP 10.1.1.3 is at 000e0c3df77d

36
Domain Name Server (DNS)

• Converts a IP address name (e.g. www.cs.uwp.edu)
  to a numeric IP address, or vice versa.
•  
• Protocol
• Request describes a name or numeric IP address to
  transfer
• Reply provides information about that IP address.
• 53  55.927059  10.1.1.165  10.1.1.3  DNS 
  Standard query A www.mozilla.org
• 54  55.946341  10.1.1.3  10.1.1.165 DNS 
  Standard query response CNAME groups.l.google.com
  A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A
  74.125.95.101 A 74.125.95.102 A 74.125.95.113

37
IGMP Internet Group Management Protocol Sets up
multicast for streaming and gaming
38
NTP Network Time ProtocolSynchronizes Clocks
39
WireShark Demo

• And now for a