Transcript Slide 1

BCIS 4630 Fundamentals of IT Security
NETWORKING
Dr. Andy Wu
Overview
• OSI Model
• Addressing
– DNS, IP, MAC address
– Address resolution
• Layer 4 communication
– Port numbers
– TCP flow control and error correction
• Headers
– TCP, UDP, IP
• ICMP
OSI Model
• Network communications protocols are developed using the
Open System Interconnection (OSI) model.
• An ISO standard for worldwide communications.
• The OSI model defines a framework for implementing protocols
in seven distinct layers.
• Each layer makes use of the services of the layer below it to
provide a set of specific services to the layer above it.
• Adjacent layers communicate with each other through a well-defined interface, so that in principle we could change one layer or even completely rewrite it without affecting the others.
OSI Layers

Layer        | Function                                                                                          | Examples
Application  | User interface; program-level communication                                                       | HTTP, SMTP
Presentation | Presentation format of data; data conversion if needed                                            | ASCII, JPEG, MP3, encryption
Session      | Establish and maintain communication channels                                                     | OS, application access scheduling
Transport    | Reliable or unreliable end-to-end communication; identifies the upper-layer processes that will receive data | TCP, UDP, SPX
Network      | Logical addressing and routing; delivering packets from source to destination                     | IP, IPX
Data Link    | Transforming the physical layer into a reliable link and presenting it to upper layers; includes the MAC (802.3) and LLC (802.2) sublayers | Ethernet
Physical     | Transmission of the bit stream over the physical medium; signaling                                | EIA/TIA 568B
OSI Mnemonic
Away    – Application
Pizza   – Presentation
Sausage – Session
Throw   – Transport
Not     – Network
Do      – Data Link
Please  – Physical
(Read from the bottom up: “Please Do Not Throw Sausage Pizza Away.”)
Encapsulation
• When data is passed down from higher
layers to lower ones, each layer creates its
header and places the data given to it by
the next-higher layer behind its own
header, thereby encapsulating the higher
layer’s data.
• The Data Link layer also creates a trailer.
Encapsulation – Layer 4 (figure)
Encapsulation – Layer 3 (figure)
Encapsulation – Layer 2 (figure)
Network Communication (figure)
Decomposition – Layer 2 (figure)
Decomposition – Layer 3 (figure)
Decomposition – Layer 4 (figure)
Protocol Data Unit
• A term that describes a set of bytes that includes the layer’s
header and trailer (if any) and all data encapsulated.
• From Layer X’s perspective, the higher-layer headers and the
user data form one large data field.
Layer(s)                           | PDU
Application, Presentation, Session | Data
Transport                          | TCP Segment / UDP Datagram
Network                            | IP Packet
Data Link                          | Frame
Physical                           | Bit
Address Translation
Types of Addresses
• Communications between network computers (hosts) would be
impossible without unique addresses for each host.
• Computers on a local network use MAC addresses to
communicate with each other.
• To access hosts on remote networks, such as those on the
Internet, a computer needs to know their IP addresses.
– Routers will route the packets to the destination network by looking
up those IP addresses in the routers’ routing tables.
• IP addresses are difficult for humans to memorize, so DNS
Names (e.g., www.unt.edu) are used by humans.
Address Resolution
• Therefore, two types of address translation (resolution)
are essential to network communications.
– DNS Name-IP Address Resolution
• When a person uses a human-readable address like
www.unt.edu, that address must be resolved into an IP address.
– IP-MAC Address Resolution
• Scenario 1: If that IP address is local, the resolution of the IP
address into MAC address takes place right away.
• Scenario 2: If that IP address is remote, the packet is routed to the remote network first. Then, once the packet gets to the remote network, the destination IP address is resolved into a MAC address on that network.
• In both scenarios, the host owning that MAC address will take care of the packet.
DNS-IP Resolution
• Domain Name Service (DNS) translates user-friendly names (called Fully Qualified Domain Names, or FQDNs) into IP addresses.
– For example, www.unt.edu = 129.120.188.44
• The DNS server handles DNS queries by examining its local records to see if it knows the answer.
• If it does not, the DNS server queries higher-level domain servers. They check their records or query the server above them, and so on until a match is found.
• A domain’s DNS servers maintain a database that records all DNS name-IP mappings inside the domain, including those for web servers, directory servers, email servers, hosts, etc.
Layer 3: IP Addresses
• It is common to express the 32-bit IP addresses in decimal form (dotted decimal notation).
– The address is divided from the high-order bit to the low-order bit into four 8-bit units called octets.
– IP addresses are normally written as four separate decimal octets delimited by a period (a dot).
– Each octet has eight bits, and each bit has two possible values: 0 and 1.
– Thus, in decimal terms, an octet can have 2^8 = 256 possible values, ranging from 0 to 255.
Layer 3: IP Addresses
• An IP address is broken down into two portions: Network ID and Host ID.
– Without subnetting, the end of the network ID falls on an 8-bit boundary (e.g., the 16th bit in a Class B subnet).
– The network ID, or network address, identifies the nodes that are located on the same logical network.
– The host ID, or host address, identifies a node within a network.
• An address with a host ID of all zeros is not assigned to any host. It is reserved to define the network itself (network address, e.g., “the 132.170.0.0 network”).
• If the host ID is all 1s, the address is a broadcast address (e.g., 132.170.255.255). It is used to send a packet to all hosts on a specific network. It can only be a destination address; no host can be assigned this address.
IP Addresses
Figure: address layouts for Class A, Class B and Class C.
Source: Davies and Lee, Windows Server 2003 TCP/IP Protocols and Services.
CIDR Notation
• A shorthand for subnet masks (n.n.n.n
stands for an IP address). It indicates the
number of bits that are set to 1 in the mask.
– n.n.n.n/8 for class A default mask, equivalent
to 255.0.0.0
– n.n.n.n/16 for class B default mask, equivalent
to 255.255.0.0
– n.n.n.n/24 for class C default mask, equivalent
to 255.255.255.0
Private Addresses
• An organization can use any IP addresses for its
network, as long as it is not connected to the Internet.
• If it wants to use the addresses on the Internet, however, it has to apply for them from the Internet Corporation for Assigned Names and Numbers (ICANN).
• Three blocks of addresses are reserved for private networks.
– Class A: 10.0.0.0 – 10.255.255.255
– Class B: 172.16.0.0 – 172.31.255.255
– Class C: 192.168.0.0 – 192.168.255.255
• Private addresses are not routable on the Internet.
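As an added example (not part of the lecture slides), the addressing rules above worked out in Python with plain integer arithmetic: dotted-decimal conversion, the network/host split for a mask, the reserved network and broadcast addresses, the class default masks and the three private blocks. Writing 172.16.0.0/12 for the 172.16.0.0 to 172.31.255.255 block is the CIDR form of that range; the sample addresses in the comments are constructed.

```python
# Added example (not from the slides): IPv4 addressing with plain integer
# arithmetic so that every step described above is visible.

# The three private blocks from the slide, written as network/prefix.
# 172.16.0.0/12 is the CIDR form of 172.16.0.0 to 172.31.255.255.
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))

def ip_to_int(dotted):
    """Dotted decimal -> 32-bit integer, high-order octet first."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    value = 0
    for o in octets:
        value = (value << 8) | o          # each octet is 8 bits, 0..255
    return value

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """CIDR /n -> mask with the n high-order bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def default_class_prefix(dotted):
    """Classful default mask: A -> /8, B -> /16, C -> /24."""
    first = ip_to_int(dotted) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("no default class mask for this address")

def is_private(dotted):
    addr = ip_to_int(dotted)
    return any(addr & prefix_to_mask(p) == ip_to_int(net) for net, p in PRIVATE_BLOCKS)

def describe(cidr):
    """Split address/prefix into network ID, host ID, network and broadcast.
    Example (constructed): describe("132.170.5.7/16")."""
    addr_s, prefix_s = cidr.split("/")
    addr, prefix = ip_to_int(addr_s), int(prefix_s)
    mask = prefix_to_mask(prefix)
    host_mask = ~mask & 0xFFFFFFFF
    network = addr & mask                  # host ID all zeros: the network itself
    broadcast = network | host_mask        # host ID all ones: destination only
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "host_id": addr & host_mask,
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),
        "private": is_private(addr_s),
    }
```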
Layer 2: MAC Addresses
• MAC address is a unique, 48-bit hardware address
assigned to a device by the manufacturer.
– Each manufacturer is assigned a specific block of MAC
addresses (the first 24 bits).
– The manufacturer assigns the device a unique address (the
second 24 bits).
– No two devices can share the same MAC address.
– For one system to send data to another on the local
network, it must first find out the destination system’s MAC
address.
IP-MAC Address Resolution
• To find a MAC address, the Address
Resolution Protocol (ARP) is used.
• Using an ARP request, the sending system
will broadcast a query – “who is
129.120.188.44”?
• This broadcast query is examined by every
host on the local network, but only the system
whose IP address is 129.120.188.44 will
respond.
IP-MAC Address Resolution
• That system will send back a response that says “I’m
129.120.188.44 and my MAC address is
00:07:e9:7c:c8:aa.”
• The sending system will then format the packet for
delivery and drop it on the network media, with the
MAC address of the destination host.
• If a host cannot find the destination host in this way, the
packet is forwarded to the default gateway, which is the
computer/router that knows how to route those packets.
• What happens if the receiving “host” is
129.120.255.255?
– The broadcast MAC address is all Fs.
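The ARP exchange just described, as an added example that is not part of the slides: the requester broadcasts “who is 129.120.188.44”, every host on the segment parses the frame, and only the owner answers with its MAC address (00:07:e9:7c:c8:aa, from the slide). The asking host’s addresses (00:11:22:33:44:55, 129.120.188.10) are constructed sample values, and the final consistency check is a defender’s sanity test added here, not part of ARP itself.

```python
import struct

# Added example (not from the slides): build and decode the ARP request and
# reply described above. The asking host's addresses are constructed.

ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # Layer 2 broadcast: all Fs
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_to_bytes(mac):
    return bytes(int(h, 16) for h in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (14 bytes) + ARP for Ethernet/IPv4 (28 bytes)."""
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "oper": "request" if oper == ARP_REQUEST else "reply",
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }

def answer_if_mine(frame, my_mac, my_ip):
    """Every host on the segment examines the broadcast; only the host that
    owns the target IP returns a reply, addressed directly to the asker."""
    req = parse_arp(frame)
    if req["oper"] != "request" or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])

def reply_is_consistent(frame):
    """Sanity check (added here): the Ethernet source should be the MAC the
    reply claims, and the reply should be unicast to the asker."""
    rep = parse_arp(frame)
    return (rep["oper"] == "reply" and rep["eth_src"] == rep["sender_mac"]
            and rep["eth_dst"] == rep["target_mac"] != BROADCAST_MAC)
```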
Broadcast
• Used in one-to-everyone communications.
• A broadcast IP address is designed to be processed by every
IP node on the same network segment.
• It is in the format of
– Class A: nnn.255.255.255
– Class B: nnn.nnn.255.255
– Class C: nnn.nnn.nnn.255
• The broadcast IP packet is addressed at the Data Link layer
using the network technology's broadcast address.
– For example, for Ethernet and Token Ring networks, all IP
broadcasts are sent using the Ethernet and Token Ring broadcast
address 0xFF-FF-FF-FF-FF-FF.
Unicast
• Used in one-to-one communications.
• A packet is sent from an individual source
to an individual destination.
• In a hub-connected network, all hosts on the network segment see the packet.
• In normal mode, however, all hosts except the intended recipient ignore the packet; only the recipient picks it up and processes it.
What About Layer 4 “Addresses”?
• Layer 3 (IP) only takes care of host-to-host
communication. It doesn’t care which process
(program) will use which packet it delivers.
– Its job is done when a packet reaches its destination IP
address.
• Layer 4 (Transport) is responsible for process-to-process communication.
– After getting rid of the Layer 3 header, the remainder of the packet (datagram) is passed up to Layer 4.
– Layer 4 on the destination computer thus reads the information transmitted from Layer 4 on the origin.
Layer 4 Communication
• There are two types of communication at Layer 4:
– TCP is like registered mail, which guarantees delivery to the
intended recipient (process).
– UDP is like first-class mail and is best-effort delivery. There is no guarantee of delivery to the intended recipient (process).
• Processes decide which service to use based on the task at hand, just like how we choose between registered and first-class mail depending on the importance of the mail involved.
– For example, DNS uses UDP for DNS name queries but TCP for zone transfers (synchronization of information in the DNS database).
Ports
• In current computing environments, network communications usually use a client/server architecture.
• The client is the requester of information; the server serves information to the client. For example, when you visit a website, your computer is the client and the web server is the server.
• The client initiates the communication. For the packets to go to the correct process on the server for the type of information requested (e.g., going to the web server for HTML files), each process on the server must be easily located.
• This locator is called a “port”. Ports are numbered, just like piers or docks are numbered along the waterfront, e.g., on Fisherman’s Wharf, San Francisco:
– To watch seals, go to Pier 39.
– To take ferries, go to Pier 41.
Ephemeral Ports
• Servers, however, don’t have to know in advance which port the client will use for communication. That is practically impossible because the number of potential clients is limitless.
• Therefore, when initiating communication, the client picks a port (an ephemeral port) through which it wants to receive information from the server.
• The client uses the very first packet in the communication to notify the server of the client-side port number to use for this session.
– The process that requests the information (e.g., the web browser) then awaits it behind that particular port.
• When the server returns a packet, it knows which port to send it to on the client.
• The client-side port is “ephemeral” because it doesn’t have to stay tied to the process after the communication is over.
Reserved Ports
• To avoid chaos, port numbers on the server must be reserved for common processes, and this information is made public.
• Most port numbers on servers are between 0 and 1023 and are called well-known port numbers.
• However, application developers may take advantage of ports that are 1024 or higher. As long as there is general consensus regarding which application commonly uses which port, these registered ports can be used to establish communication with the server for the related process without knowing in advance behind which port the process is awaiting incoming connections.
– For example, MySQL uses Port 3306 by default.
• The important corollary: by looking at the open ports on a server, we can deduce what processes are running on that server.
IANA Port Ranges
• The Internet Assigned Numbers Authority (IANA), the same organization that assigns IP addresses, manages port numbers.

Port Type        | Port Numbers    | Description
Well-Known Ports | 0 – 1,023       | Assigned and controlled by IANA. Reserved for the most universal applications.
Registered Ports | 1,024 – 49,151  | Not assigned or controlled by IANA. Can only be registered with IANA to avoid duplication.
Dynamic Ports    | 49,152 – 65,535 | Neither registered nor controlled. Often used by a private protocol that only a particular organization uses.
Important Port Numbers

Service                  | Protocol and Port
FTP-Data                 | TCP 20
FTP-Control              | TCP 21
Secure Shell Login (SSH) | TCP 22
Telnet                   | TCP 23
SMTP                     | TCP 25
DNS                      | TCP/UDP 53
Trivial FTP (TFTP)       | UDP 69
HTTP                     | TCP 80
NetBIOS Name Service     | TCP/UDP 137
NetBIOS Session Service  | TCP/UDP 139
Secure Socket Layer      | TCP 443
TCP vs. UDP
• UDP is a “connectionless” protocol.
– Very few error recovery services – this is done by
applications.
– Unreliable protocol – No guarantee of delivery.
– For network services not affected by occasional
lost or dropped packets.
• TCP is a connection-oriented protocol.
– Data delivery is guaranteed.
– Does this with flow control and error correction.
TCP Flow Control
• Both hosts have a sliding window (they can be of different sizes).
– It defines the number of bytes (actually, “chunks” of data, or segments) that the host can send without waiting for an acknowledgment from the other host.
• When the window slides to a portion of the buffer, that portion is “freed up” for transmission.
• When an acknowledgment is received, the window “slides” over so that the next batch of bytes can be sent.
TCP Error Correction
• TCP is reliable because if the recipient receives a segment from the
sender successfully, it will let the sender know.
– Oddly, it does this not by saying “I got it” but rather, “Give me the next
piece.”
– This mechanism is called forward acknowledgment.
• If the recipient doesn’t receive a segment, it will also let the sender
know, using the same acknowledgment mechanism.
– In this case, instead of asking for the next piece, it asks for a piece that
the sender has sent previously.
– The sender interprets this as indication that the previously-sent segment
was lost somehow in transmission.
– The sender then resends the segment.
– This will be done again until the recipient gets the segment.
• Obviously, to do this, each segment must have some sort of “ID”. This
ID is called sequence number, or SEQ.
TCP Sequence Numbers
• A sequence number is just a very long number and
is quasi-randomly generated.
• For either side of the connection, two types of SEQ
numbers are involved:
– An initial SEQ (used in connection establishment)
– SEQs assigned to the data transmitted
• During connection establishment (handshake),
each host (client and server) must let the other one
know where its SEQs will start.
– Usually, the two hosts will have very different SEQs.
Initial Sequence Numbers
• In the very first segment, the client (info requester) tells the server (info provider): this is my first SEQ number. This is the Initial Sequence Number (ISN).
• The server’s answer, following the mechanism of forward acknowledgment, is to ask for the segment with the “ID” of ISN_client + 1.
• Therefore, for the client the SEQs for data segments start with a SEQ of ISN_client + 2.
• At the same time the server acknowledges the receipt of the first segment from the client, it also tells the client ISN_server.
• The client acknowledges this by asking for the segment identified by ISN_server + 1.
• So, the data segments sent from the server start with ISN_server + 2.
• What about the segments afterwards?
Stream Orientation of TCP
• Most, if not all, data have to be transmitted over a number of chunks (segments).
• TCP doesn’t read the data taken from the application layer, so it doesn’t divide data into segments based on units used in application layers (a page of a document, a row in a database, etc.).
• TCP simply lines up the bytes comprising the data, sequentially, from the first to the last byte.
• The bytes are numbered sequentially, and the numbering starts with ISN + 2.
• Each segment has an “ID”, which is simply the sequence number of the first byte in the segment.
SEQ Numbers for Data
• The first data segment has SEQ1 = ISN + 2.
• Since each byte is numbered and each segment (composed of a predetermined number of bytes) is identified by the sequence number of the first byte in the segment, we have:
SEQ2 = SEQ1 + Size of Segment
• Subsequently,
SEQ3 = SEQ2 + Size of Segment
– And so on and so forth.
• Using SEQ numbers, segments can arrive in any order and at different times.
– The receiving host will use the SEQs to line up the segments in the right order. In other words, the stream of bytes that comprise the data will be restored at the destination host.
Error Correction Expressed in SEQs
• The receiver doesn’t send out an ACK for
each segment it receives.
• Forward acknowledgement is cumulative.
• If the sender sends chunks # 202, 402, and
602, and it receives the ACK of 802, it knows
that all three segments have arrived safe and
sound.
• If it receives an ACK of 602, it knows that it
should resend chunk #602.
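An added simulation (not from the slides) of the cumulative acknowledgement described above, using the slides’ numbers: 200-byte chunks carrying SEQs 202, 402 and 602. The receiver returns the SEQ of the next byte it expects, so an ACK of 802 confirms all three chunks and an ACK of 602 tells the sender that chunk 602 needs resending; segments that arrive ahead of a gap are held until the gap is filled, which is how the byte stream is restored in order.

```python
# Added example (not from the slides): receive side of TCP's forward
# (cumulative) acknowledgement, with the slides' numbering (chunks of 200
# bytes carrying SEQs 202, 402, 602). Payload bytes are constructed.

class ForwardAckReceiver:
    def __init__(self, first_seq):
        self.next_expected = first_seq   # the ACK value: "give me this byte next"
        self.pending = {}                # segments that arrived ahead of a gap
        self.stream = bytearray()        # bytes restored in order

    def receive(self, seq, payload):
        """Accept one segment and return the cumulative ACK to send back."""
        if seq + len(payload) <= self.next_expected:
            return self.next_expected    # duplicate of data already in hand
        self.pending.setdefault(seq, payload)
        # Move the ACK forward across every contiguous chunk now available.
        while self.next_expected in self.pending:
            data = self.pending.pop(self.next_expected)
            self.stream += data
            self.next_expected += len(data)
        return self.next_expected

def simulate(segments, lost=()):
    """Deliver (seq, payload) segments in the given order, dropping the SEQs
    in 'lost'. Returns (final ACK, SEQ the sender must resend or None,
    bytes restored so far)."""
    rx = ForwardAckReceiver(min(seq for seq, _ in segments))
    ack = rx.next_expected
    for seq, payload in segments:
        if seq not in lost:
            ack = rx.receive(seq, payload)
    end = max(seq + len(payload) for seq, payload in segments)
    # An ACK below the end of what was sent names the chunk to resend.
    resend = ack if ack < end else None
    return ack, resend, bytes(rx.stream)
```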
TCP Segment Format
Important TCP Header Fields
• Source Port (16 bits)
• Destination Port (16 bits)
• Sequence Number (32 bits)
• Acknowledgement Number (32 bits)
• Control Bits (aka flags; 1 bit each; 1 means on, 0 means off)
– URG: The value of the urgent pointer field is valid
– ACK: The value of the acknowledgement field is valid
– PSH: Request for push
– RST: Reset the connection
– SYN: Synchronize sequence numbers
– FIN: Terminating the connection
• Window (16 bits)
– For flow control
TCP Three-Way Handshake
Source: Wendell Odom, Cisco CCNA Certification Guide.
UDP Datagram Format
Internet Protocol
• IP is unreliable. It works on a best-effort basis.
– It relegates the work of error detection to higher layers (TCP, application, etc.).
• When a packet is too large to deliver (which often is the case), IP divides it into smaller packets (fragmentation).
• Packets can arrive out of sequence. IP relies on information contained in the IP header to reassemble them into the original-size packet and pass it to the Transport layer.
Layer 3: IP Packet (figure)
IP Header Fields (figure)
Important IP Header Fields
• Version (4 bits)
– The version of the IP protocol.
• IHL (4 bits)
– The total length of the datagram header. It is needed because the header can vary from 20 to 60 bytes.
• Total Length (16 bits)
– Header length + length of the data coming from upper layers.
– Total length has a maximum of 65,535 bytes.
• Protocol (8 bits)
– The higher-layer protocol that uses IP’s services.
– Know the values for TCP, UDP, ICMP, IGMP.
• Source Address (32 bits)
• Destination Address (32 bits)
Important IP Header Fields
• Fragmentation (13 bits)
– Each Data Link Layer protocol has its own frame format,
incl. the maximum size of the data field (Maximum Transfer
Unit, MTU).
– An IP datagram may have to be broken down into smaller
units to fit into the Layer 2 frame.
• When a datagram is fragmented, each fragment has its
own header with most of the fields identical except:
flags, fragmentation offset, and total length.
– The fragmentation offset is the offset of the data in the
original datagram that indicates the relative position of this
fragment in the entire packet.
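As an added example (not from the slides), a parser for the IP and TCP header fields listed above, run over a constructed SYN segment from ephemeral port 49200 to HTTP port 80 between two made-up hosts on the 129.120.188.0 network. Checksum fields are left at zero because the point is the field layout; the IHL, Total Length and fragment fields are checked against what the bytes actually allow, and the transport header is only read from a first fragment.

```python
import struct

# Added example (not from the slides): decode the IP and TCP header fields
# listed above from a constructed packet. Checksum fields are left at 0
# because the point here is field layout, not checksum arithmetic.

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def parse_ipv4(packet):
    """Return (header fields, payload), rejecting lengths the fields rule out."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum IP header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl_bytes = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if not 20 <= ihl_bytes <= 60:
        raise ValueError(f"IHL gives an impossible header length {ihl_bytes}")
    if total_len < ihl_bytes or total_len > len(packet):
        raise ValueError("Total Length disagrees with the bytes on hand")
    offset = (flags_frag & 0x1FFF) * 8         # 13-bit field, in 8-byte units
    more = bool(flags_frag & 0x2000)
    fields = {
        "ihl_bytes": ihl_bytes, "total_length": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": more,
        "fragment_offset": offset, "fragmented": more or offset > 0,
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": ip_str(src), "dst": ip_str(dst),
    }
    return fields, packet[ihl_bytes:total_len]

def parse_tcp(segment):
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte minimum TCP header")
    (sport, dport, seq, ack, off_flags, window,
     _csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # header length in 32-bit words
    if not 20 <= data_offset <= len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "window": window, "urgent_pointer": urg,
        "payload": segment[data_offset:],
    }

def parse_packet(packet):
    ip, payload = parse_ipv4(packet)
    # Only the first fragment (offset 0) carries the transport header.
    if ip["protocol"] == "TCP" and ip["fragment_offset"] == 0:
        return ip, parse_tcp(payload)
    return ip, None

def build_sample_syn():
    """Constructed SYN: ephemeral port 49200 -> HTTP port 80, ISN 200, DF set,
    between two made-up hosts on the 129.120.188.0 network."""
    tcp = struct.pack("!HHIIHHHH", 49200, 80, 200, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, 0x4000, 64, 6,
                     0, bytes([129, 120, 188, 10]), bytes([129, 120, 188, 44]))
    return ip + tcp
```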
Internet Control Message Protocol
• Internet Control Message Protocol (ICMP) is a control and information protocol, which is used to determine:
– A remote network’s availability.
– The length of time to reach a remote network.
– The best route for packets to reach a remote network.
• ICMP can handle the flow of traffic, telling other network devices to “slow down” transmission speeds if packets are coming in too fast.
• ICMP is not connection-oriented (uses UDP).
– Designed to carry small messages quickly.
– Has minimal overhead.
– Has minimal impact on bandwidth.
ICMP Message Types
• ICMP messages are used to exchange information about network host status, traffic conditions, etc. Two important fields in an ICMP message are:
– Type: A one-byte field to indicate the kind of ICMP message.
– Code: For messages of certain types, a one-byte Code field may have a value to further identify the message.
• For example, a ping command goes from one host to another and receives a response from the latter. Two types of ICMP messages are involved in this process:
– Echo Request
– Echo Reply
ICMP Messages

Type | Description
0    | Echo Reply
3    | Destination Unreachable
4    | Source Quench
5    | Redirect Message
8    | Echo Request

Code (Type 3, Destination Unreachable) | Description
0 | Network unreachable
1 | Host unreachable
3 | Port unreachable
6 | Destination network unknown
7 | Destination host unknown
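An added example (not from the slides) that builds and decodes ICMP messages using the Type and Code values in the tables above: an Echo Request with a correct Internet checksum, and a Destination Unreachable carrying the Port unreachable code. The identifier 0x1234, the sequence number and the payload bytes are constructed values.

```python
import struct

# Added example (not from the slides): build and decode ICMP messages with
# the Type and Code values from the tables above. Sample values are constructed.

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect Message", 8: "Echo Request"}
UNREACHABLE_CODES = {0: "Network unreachable", 1: "Host unreachable",
                     3: "Port unreachable", 6: "Destination network unknown",
                     7: "Destination host unknown"}

def internet_checksum(data):
    """One's-complement sum of 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type, code, rest_of_header, payload=b""):
    """Type (1 byte), Code (1), Checksum (2), 4 type-specific bytes, payload."""
    unchecked = struct.pack("!BBH4s", msg_type, code, 0, rest_of_header) + payload
    csum = internet_checksum(unchecked)
    return struct.pack("!BBH4s", msg_type, code, csum, rest_of_header) + payload

def build_echo_request(ident, seq, payload):
    """Echo Request is Type 8, Code 0; identifier and sequence pair a reply
    with its request."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)

def parse_icmp(message):
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, _csum, rest = struct.unpack("!BBH4s", message[:8])
    info = {
        "type": msg_type, "type_name": ICMP_TYPES.get(msg_type, "other"),
        "code": code, "payload": message[8:],
        # Summing a correct message, checksum included, gives 0xFFFF, so ~ is 0.
        "checksum_ok": internet_checksum(message) == 0,
    }
    if msg_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "other")
    elif msg_type in (0, 8):
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest)
    return info
```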