Strategic Management of Information Technology
Lecture 14
Review of TCP/IP
Internetworking
Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path
[Figure: a single switched network. A client host, a mobile client host and server hosts attach to switches over access links; the switches connect to each other over trunk links; a frame follows a path through the switches from the client host to the server host.]
Frame Organization
[Figure: frame layout: Header (other header fields, Destination Address field), Data Field (message structure), Trailer.]
Switching Decision
[Figure: a switch with ports 1 to 6 attached to Stations A, B, C and D. The switch receives a frame with Station C in the destination address field and sends it back out based on the destination address.]
An Internet
An internet is two or more individual switched networks connected by routers
[Figure: Switched Network 1, Switched Network 2 and Switched Network 3 connected by routers.]
An Internet
Multiple networks connected by routers
Path of a packet is its route
[Figure: a packet crosses single networks and routers; its path through them is its route.]
The Internet
The global Internet has thousands of networks
[Figure: a browser and webserver software exchange a packet that crosses several networks and routers along its route.]
Frames and Packets
[Figure: one packet from the client PC to the server is carried in Frame 1 in Network 1 (client PC, switch, Router A), in Frame 2 in Network 2 (Router A to Router B) and in Frame 3 in Network 3 (Router B, switch, server).]
Frames and Packets
Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport.
[Figure: shipper, truck, airport, airplane, airport, truck, receiver: the same shipment throughout.]
TCP/IP Standards
Origins
Defense Advanced Research Projects Agency
(DARPA) created the ARPANET
An internet connects multiple individual networks
Global Internet is capitalized
Internet Engineering Task Force (IETF)
Most IETF documents are requests for
comments (RFCs)
Internet Official Protocol Standards: List of RFCs
that are official standards
TCP/IP Standards
Hybrid TCP/IP-OSI Architecture
Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2
[Figure: layer comparison]
  TCP/IP                OSI             Hybrid TCP/IP-OSI
  Application           Application     Application
                        Presentation
                        Session
  Transport             Transport       Transport
  Internet              Network         Internet
  Subnet Access: Use    Data Link       Data Link
  OSI Standards Here    Physical        Physical
TCP/IP Standards
OSI Layers
Physical (Layer 1): defines electrical signaling and media between adjacent devices
Data link (Layer 2): control of a frame through a single network, across multiple switches
[Figure: physical links join adjacent devices; a frame crosses Switched Network 1 at the data link layer.]
TCP/IP Standards
Internet Layer
Governs the transmission of a packet across an entire internet. Path of the packet is its route
[Figure: a packet's route across Switched Network 1, Switched Network 2 and Switched Network 3 through routers.]
TCP/IP Standards
Frames and Packets
Frames are messages at the data link layer
Packets are messages at the internet layer
Packets are carried (encapsulated) in frames
There is only a single packet that is delivered
from source to destination host
This packet is carried in a separate frame in
each network
Internet and Transport Layers
[Figure: Client PC and Server joined through Router 1, Router 2 and Router 3.]
Transport Layer: end-to-end (host-to-host)
TCP is connection-oriented, reliable
UDP is connectionless, unreliable
Internet Layer (usually IP): hop-by-hop (host-router or router-router)
Connectionless, unreliable
TCP/IP Standards
Internet and Transport Layers
Purposes
Internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery
Transport layer is an end-to-end (host-to-host) protocol involving only the two hosts
TCP/IP Standards
Internet and Transport Layers
Internet Protocol (IP)
IP at the internet layer is unreliable—does not
correct errors in each hop between routers
This is good: reduces the work each router
along the route must do
TCP/IP Standards
Transport Layer Standards
Transmission Control Protocol (TCP)
Reliable and connection-oriented service at
the transport layer
Corrects errors
User Datagram Protocol (UDP)
Unreliable and connectionless service at the
transport layer
Lightweight protocol good when catching
errors is not important
HTML and HTTP at the Application Layer
[Figure: a client PC with browser (123.34.150.37) sends Hypertext Transfer Protocol (HTTP) requests to a webserver (60.168.47.47); the responses carry a Hypertext Markup Language (HTML) document or other file (jpeg, etc.).]
TCP/IP Standards
Application Layer
To govern communication between application
programs, which may be written by different
vendors
Document transfer versus document format
standards
HTTP / HTML for WWW service
SMTP / RFC 822 (or RFC 2822) in e-mail
Many application standards exist because there
are many applications
TCP/IP and OSI Architectures: Recap
[Figure: the TCP/IP, OSI and hybrid TCP/IP-OSI layer comparison from the Hybrid TCP/IP-OSI Architecture slide: Application (TCP/IP and hybrid) spans OSI's Application, Presentation and Session; Transport in all three; Internet / Network / Internet; Subnet Access (use OSI standards here) / Data Link and Physical / Data Link and Physical.]
Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.
IP Packet
IP Version 4 Packet (Bit 0 to Bit 31)
  Version (4 bits, value 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
  Identification (16 bits) | Flags | Fragment Offset (13 bits)
  Time to Live (8 bits) | Protocol (8 bits: 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
  Source IP Address (32 bits)
  Destination IP Address (32 bits)
  Options (if any) | Padding
  Data Field
IP Packet
Version
Has value of four (0100)
Time to Live (TTL)
Prevents the endless circulation of mis-addressed
packets
Value is set by sender
Decremented by one by each router along the
way
If reaches zero, router throws packet away
IP Packet
Protocol Field
Identifies contents of data field
1 = ICMP
6 = TCP
17 = UDP
[Figure: an IP header with Protocol=1 is followed by an ICMP message in the IP data field; Protocol=6 by a TCP segment; Protocol=17 by a UDP datagram.]
IP Packet
Header checksum to check for errors in the header only
Faster than checking the whole packet
Stops bad headers from causing problems
IP Version 6 drops even this checking
Address Fields
32 bits long, of course
Options field(s) give optional parameters
Data field contains the payload of the packet.
Layer Cooperation Through Encapsulation on the Source Host
[Figure: the application process creates an HTTP message. The transport process encapsulates the HTTP message in the data field of a TCP segment (TCP Hdr, HTTP Message). The internet process encapsulates the TCP segment in the data field of an IP packet (IP Hdr, TCP Hdr, HTTP Message).]
Layer Cooperation Through Encapsulation on the Source Host
[Figure: the internet process passes the IP packet (IP Hdr, TCP Hdr, HTTP Message) to the data link process, which encapsulates it in the data field of a frame (DL Hdr, IP Hdr, TCP Hdr, HTTP Message, DL Trlr). The physical process converts the bits of the frame into signals.]
Layer Cooperation Through Encapsulation on the Source Host
Note: The following is the final frame for supervisory TCP segments:
[Figure: DL Hdr, IP Hdr, TCP Hdr, DL Trlr (no application message in the data field).]
Layer Cooperation Through Decapsulation on the Destination Host
[Figure: the internet process decapsulates the TCP segment (TCP Hdr, HTTP Message) from the data field of the IP packet and passes it up. The transport process decapsulates the HTTP message from the data field of the TCP segment and passes it up to the application process.]
Layer Cooperation Through Decapsulation on the Destination Host
[Figure: the physical process converts signals into the bits of the frame. The data link process decapsulates the IP packet (IP Hdr, TCP Hdr, HTTP Message) from the data field of the frame and passes it up to the internet process.]
Vertical Communication on Router R1
[Figure A: Router R1 has one internet layer process and four ports (Port 1 to Port 4), each with its own data link (DL) and physical (PHY) process. A frame arrives from Switch X2 on Port 1 and the packet is decapsulated from it.]
Notes:
A. Router R1 receives frame from Switch X2 in Port 1.
Port 1 DL process decapsulates packet.
Port 1 DL process passes packet to internet process.
Vertical Communication on Router R1
[Figure B: the internet layer process of Router R1 passes the packet to Port 4, where it is encapsulated in a frame and sent toward Router 2.]
B. Internet process sends packet out on Port 4.
DL Process on Port 4 encapsulates packet in a PPP frame.
DL process passes frame to Port 4 PHY.
Site Connection to an ISP
[Figure: the site network sits behind a border firewall that connects over a data link to the ISP router, which connects to the Internet backbone. The same packet crosses every link.]
1. Frame for this data link (site network side)
2. Packet carried in ISP carrier frame
3. Packet carried in site frame
4. Data link between site and ISP (difficult to attack)
5. Normally, only the arriving packet is dangerous, not the frame fields
Internet Protocol (IP)
Basic Characteristics
There were already single networks, and many
more would come in the future
Developers needed to make a few assumptions
about underlying networks
So they kept IP simple
Internet Protocol (IP)
Connection-Oriented Service and
Connectionless Service
Connection-oriented services have distinct starts
and closes (telephone calls)
Connectionless services merely send messages
(postal letters)
IP is connectionless
IP Packet
[Figure: an IP packet passes from the internet process on the PC to the internet process on the first router.]
Connectionless: packets sent in isolation, like postal letters
Unreliable: no error correction
Discarded by receiver if error is detected
Leaves error correction to transport layer
Reduces the cost of routers
Internet Protocol (IP)
IP is Unreliable (Checks for Errors but does
not Correct Errors)
Not doing error correction at each hop between
switches reduces switch work and so switch cost
Does not even guarantee packets will arrive in
order
Internet Protocol (IP)
Hierarchical IP Addresses
Postal addresses are hierarchical (state, city,
postal zone, specific address)
Most post offices have to look only at state
and city
Only the final post offices have to be
concerned with specific addresses
Hierarchical IP Address
Network Part (not always 16 bits)
Subnet Part (not always 8 bits)
Host Part (not always 8 bits)
Total always is 32 bits.
[Figure: 128.171.17.13 reached across the Internet: network part 128.171 (the UH network), subnet part 17 (the CBA subnet), host part 13.]
Internet Protocol (IP)
Hierarchical IP Addresses
32-bit IP addresses are hierarchical (Figure 3-15)
Network part tells what network host is on
Subnet part tells what subnet host is on within the network
Host part specifies the host on its subnet
Routers have to look only at network or subnet parts, except for the router that delivers the packet to the destination host
Internet Protocol (IP)
Hierarchical IP Addresses
32-bit IP addresses are hierarchical
Total is 32 bits; part sizes vary
Network mask tells you the size of the
network part (Figure 3-16)
Subnet mask tells you the length of the
network plus subnet parts combined
IP Address Masking with Network and Subnet Masks
[Figure: a 32-bit mask written in dotted decimal. Eight ones give the decimal value 255; eight zeros give the decimal value 0.]
Mask represents:
Network masking tells the size of the network part
Subnet masking tells the size of the network and the subnet parts combined
Masking gives the IP address bit where the mask bit is 1, and 0 where the mask bit is 0
IP Address Masking with Network and Subnet Masks

Example 1      Network Masking           Subnet Masking
IP Address     128.171.17.13             128.171.17.13
Mask           255.255.0.0               255.255.255.0
Result         128.171.0.0               128.171.17.0
Meaning        16-bit network part       Combined 24-bit network plus
               is 128.171                subnet part is 128.171.17

Example 2      Network Masking           Subnet Masking
IP Address     60.47.123.7               60.47.123.7
Mask           255.0.0.0                 255.255.0.0
Result         60.0.0.0                  60.47.0.0
Meaning        8-bit network part        Combined 16-bit network plus
               is 60                     subnet parts are 60.47
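The two masking examples above, worked in code. This is an added example, not from the lecture: it applies the masking rule from the previous slide (keep the address bit where the mask bit is 1, otherwise 0) as a bitwise AND, and adds my own helpers that check a mask is contiguous ones followed by zeros, extract the host part, and test whether two hosts share a subnet.

```python
# Added example, not part of the lecture: network and subnet masking as a
# bitwise AND over dotted-decimal IPv4 addresses. The address bit is kept
# where the mask bit is 1 and becomes 0 where the mask bit is 0, exactly as
# the masking slide states; the helpers for mask validity, host part and
# same-subnet tests are mine.

def dotted_to_int(addr: str) -> int:
    """Convert 'a.b.c.d' to a 32-bit integer, checking each octet's range."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in parts:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value

def int_to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to 'a.b.c.d'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def is_contiguous_mask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    return m == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)

def mask_length(mask: str) -> int:
    """Size in bits of the part a mask selects, e.g. 24 for 255.255.255.0."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bin(dotted_to_int(mask)).count("1")

def apply_mask(addr: str, mask: str) -> str:
    """The slide's Result row: address AND mask, back in dotted form."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))

def host_part(addr: str, subnet_mask: str) -> int:
    """Bits left after the subnet mask: the host part of the address."""
    return dotted_to_int(addr) & (~dotted_to_int(subnet_mask) & 0xFFFFFFFF)

def same_subnet(a: str, b: str, subnet_mask: str) -> bool:
    """Two hosts share a subnet when masking both gives the same result."""
    return apply_mask(a, subnet_mask) == apply_mask(b, subnet_mask)

if __name__ == "__main__":
    # Example 1 and Example 2 from the slide: (address, network mask, subnet mask).
    for addr, net_mask, sub_mask in (("128.171.17.13", "255.255.0.0", "255.255.255.0"),
                                     ("60.47.123.7", "255.0.0.0", "255.255.0.0")):
        print(f"{addr}: {mask_length(net_mask)}-bit network part {apply_mask(addr, net_mask)}, "
              f"combined {mask_length(sub_mask)}-bit network plus subnet part "
              f"{apply_mask(addr, sub_mask)}, host part {host_part(addr, sub_mask)}")
    print(same_subnet("128.171.17.13", "128.171.17.200", "255.255.255.0"))
```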
IP Address Spoofing
[Figure: 1. Trust relationship between the Trusted Server (60.168.4.6) and the Victim Server (60.168.47.47). 2. The attacker's client PC (1.34.150.37) sends an attack packet with the spoofed source IP address 60.168.4.6. 3. The server accepts the attack packet; the attacker's identity is not revealed.]
Internet Protocol (IP)
IP Addresses and Security
IP address spoofing: Sending a message with a
false IP address (Figure 3-17)
Gives sender anonymity so that attacker cannot
be identified
Can exploit trust between hosts if spoofed IP
address is that of a host the victim host trusts
Internet Protocol (IP)
IP Addresses and Security
LAND attack: send victim a packet with victim’s
IP address in both source and destination
address fields and the same port number for the
source and destination. In 1997, many
computers, switches, routers, and even printers,
crashed when they received such a packet.
LAND Attack Based on IP Address Spoofing
[Figure: the attacker (1.34.150.37) sends the victim (60.168.47.47, Port 23 open) a packet From: 60.168.47.47:23 To: 60.168.47.47:23, and the victim crashes. Source and destination IP addresses are the same; source and destination port numbers are the same.]
Internet Protocol (IP)
Other IP Header Fields
Protocol field: Identifies content of IP data field
Firewalls need this information to know how
to process the packet
Internet Protocol (IP)
Other IP Header Fields
Time-to-Live field
Each router decrements the TTL value by
one
Router decrementing TTL field to zero
discards the packet
Internet Protocol (IP)
Other IP Header Fields
Time-to-Live field
Router also sends an error advisement
message to the sender
The packet containing this message reveals
the sender’s IP address to the attacker
Traceroute uses TTL to map the route to a
host (Figure 3-19)
Tracert on Windows machines
Tracert Program in Windows
[Figure: screenshot of tracert output on a Windows machine.]
Internet Protocol (IP)
Other IP Header Fields
Header Length field and Options
With no options, Header Length is 5
Expressed in units of 32 bits
So, 20 bytes
Many options are dangerous
So if Header Length is More Than 5, be
Suspicious
Some firms drop all packets with options
Internet Protocol (IP)
Other IP Header Fields
Length Field
Gives length of entire packet
Maximum is 65,536 bytes
Ping-of-Death attack sent IP packets with
longer data fields
Many systems crashed
Ping-of-Death Attack
[Figure: the attacker (1.34.150.37) sends the victim (60.168.47.47) an IP packet containing an ICMP Echo message that is illegally long; the victim crashes.]
Internet Protocol (IP)
Other IP Header Fields
Fragmentation
Routers may fragment IP packets (really, packet data fields) en route
All fragments have same Identification field value
Fragment offset values allow fragments to be ordered
More fragments is 0 in the last fragment
Internet Protocol (IP)
Other IP Header Fields
Fragmentation
Harms packet inspection: TCP header, etc.
only in first packet in series
Cannot filter on TCP header, etc. in
subsequent packets
TCP Header is Only in the First Fragment of a Fragmented IP Packet
[Figure: 1. The attacker (1.34.150.37) sends a fragmented IP packet. 2. The first fragment carries an IP header, the TCP header and part of the TCP data field; the second fragment carries an IP header and TCP data field but no TCP header. 3. The TCP header is only in the first fragment. 4. The second fragment has no TCP header. 5. The firewall protecting 60.168.47.47 can only filter on the TCP header in the first fragment.]
Internet Protocol (IP)
Other IP Header Fields
Fragmentation
Teardrop attack: Crafted fragmented packet
does not make sense when reassembled
Some firewalls drop all fragmented packets,
which are rare today
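An added example, not from the lecture: a parser for the IP Version 4 header laid out on the IP Packet slides, used the way the Other IP Header Fields slides describe a firewall using it. It verifies the header checksum, reports Header Length > 5 (options present, which the slides call suspicious) and fragments whose TCP header is not in this fragment, and rejects malformed headers. build_ipv4 constructs test packets; the dictionary keys and the finding texts are my own.

```python
# Added example, not part of the lecture: parse the IP Version 4 header from
# the IP Packet slides the way the Other IP Header Fields slides say a firewall
# uses it. It verifies the header checksum, reports Header Length > 5 (options
# present, treated as suspicious) and fragments, and rejects malformed headers.
# build_ipv4 constructs test packets; the dictionary keys are my own names.
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}      # Protocol field values on the slide

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the 20-byte fixed header plus any options; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimum IPv4 header")
    ver_ihl, _dscp, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F         # Version, Header Length (4 bits each)
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"header length {ihl} is below the minimum of 5")
    hdr_len = ihl * 4                                   # Header Length is in 32-bit units
    if len(packet) < hdr_len or total_len < hdr_len:
        raise ValueError("header length exceeds packet or total length")
    return {
        "version": version, "ihl": ihl, "header_bytes": hdr_len,
        "total_length": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),     # Flags: DF bit
        "more_fragments": bool(flags_frag & 0x2000),    # Flags: MF bit, 0 in the last fragment
        "fragment_offset": flags_frag & 0x1FFF,         # 13 bits, in 8-byte units
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(packet[:hdr_len]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:hdr_len],
    }

def inspect(packet: bytes) -> list:
    """Reasons a packet-inspecting firewall would be suspicious of this packet."""
    findings = []
    try:
        h = parse_ipv4(packet)
    except ValueError as err:
        return [f"malformed: {err}"]
    if not h["checksum_ok"]:
        findings.append("header checksum does not verify")
    if h["ihl"] > 5:
        findings.append(f"options present ({len(h['options'])} bytes): header length {h['ihl']} > 5")
    if h["fragment_offset"] > 0:
        findings.append("non-first fragment: no transport header here, cannot filter on it")
    elif h["more_fragments"]:
        findings.append("first fragment of a fragmented packet: more fragments follow")
    return findings

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", options: bytes = b"",
               ttl: int = 64, ident: int = 1, flags_frag: int = 0) -> bytes:
    """Construct a packet with a correct header checksum (test input, not real traffic)."""
    options += b"\x00" * (-len(options) % 4)            # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident,
                        flags_frag, ttl, proto, 0, bytes(map(int, src.split("."))),
                        bytes(map(int, dst.split("."))))
    csum = struct.pack("!H", ipv4_checksum(fixed + options))
    return fixed[:10] + csum + fixed[12:] + options + payload

if __name__ == "__main__":
    plain = build_ipv4("1.34.150.37", "60.168.47.47", 6, payload=b"\x00" * 8)
    print(parse_ipv4(plain)["protocol"], inspect(plain))
    print(inspect(build_ipv4("1.34.150.37", "60.168.47.47", 6, options=b"\x07\x03\x04")))
```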
Teardrop Denial-of-Service Attack
[Figure: the attacker (1.34.150.37) sends the victim (60.168.47.47) what pretends to be a fragmented IP packet. When reassembled, the "defragmented" packet does not make sense: it has gaps and overlaps. The victim crashes.]
IP Packet with a TCP Segment Data Field (Bit 0 to Bit 31)
  IP Header (Usually 20 Bytes)
  Source Port Number (16 bits) | Destination Port Number (16 bits)
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
  TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Transmission Control Protocol (TCP)
TCP Messages are TCP Segments
Flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.
[Figure: the TCP header row with Header Length (4 bits), Reserved (6 bits), Flag Fields (6 bits) and Window Size (16 bits).]
Transmission Control Protocol (TCP)
Reliable
Receiving process sends ACK to sending process if segment is correctly received
ACK bit is set (1) in acknowledgement segments
If sending process does not get ACK, resends the segment
[Figure: the PC transport process sends a TCP segment to the webserver transport process, which returns a TCP segment (ACK).]
Transmission Control Protocol (TCP)
Connections: Opens and Closes
Formal open and close
Three-way open: SYN, SYN/ACK, ACK
(Figure 3-25)
Normal four-way close: FIN, ACK, FIN, ACK
(Figure 3-25)
Abrupt close: RST (Figure 3-26)
Communication During a TCP Session
[Figure: PC transport process and webserver transport process; 3-way open (3 messages).]
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
Communication During a TCP Session
[Figure: after the open (3 messages), the session carries an HTTP request and response (4 messages).]
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)
Communication During a TCP Session
[Figure: error handling while carrying an HTTP request and response between the PC transport process and the webserver transport process.]
8. Data = HTTP Request (Error)
9. Data = HTTP Request (No ACK so Retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)
Communication During a TCP Session
[Figure: normal four-way close (4 messages) between the PC transport process and the webserver transport process.]
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)
Note: An ACK may be combined with the next message if the next message is sent quickly enough
Communication During a TCP Session
[Figure: abrupt close (1 message): an RST segment between the PC transport process and the webserver transport process.]
Either side can send a Reset (RST) segment at any time
Ends the session immediately
SYN/ACK Probing Attack Using Reset (RST)
[Figure: 1. The attacker (1.34.150.37) sends a probe SYN/ACK segment to 60.168.47.47. 2. There is no connection, so the segment makes no sense. 3. The victim (60.168.47.47) answers "Go away!" with an RST segment. 4. The IP header of that reply has Source IP Address = 60.168.47.47. 5. The attacker learns that 60.168.47.47 is live.]
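An added example, not from the lecture, covering the TCP segment slides and the session exchanges from the three-way open to the RST close: it decodes the 6-bit flag field from a segment header and tracks one connection's state from the flags seen, recording an unsolicited SYN/ACK as the probe the preceding slide shows (a host answers it with RST). The state names, the client/server labels and make_tcp_header are my assumptions.

```python
# Added example, not part of the lecture: decode the 6-bit flag field of a TCP
# segment header and follow one connection through the states the session
# slides show: three-way open, data and ACKs, four-way close, and the abrupt
# RST close. A SYN/ACK that arrives when no connection exists is recorded as a
# probe, since a host answers it with RST (the exchange on the preceding slide).
# The state names and the 'client'/'server' labels are my own.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",ACK: "ACK", URG: "URG"}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header fields from the TCP segment slide."""
    if len(segment) < 20:
        raise ValueError("shorter than a minimum TCP header")
    sport, dport, seq, ack, off_res, flags, window, checksum, urgent = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_bytes": (off_res >> 4) * 4,      # Header Length in 32-bit units
            "flags": sorted(n for bit, n in FLAG_NAMES.items() if flags & bit),
            "raw_flags": flags & 0x3F, "window": window,
            "checksum": checksum, "urgent_pointer": urgent}

def make_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a 20-byte header with no options (test input, not real traffic)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

class TcpSession:
    """Connection state as seen from the flags exchanged by a client and a server."""
    def __init__(self):
        self.state = "CLOSED"
        self.fins = set()                    # which sides have sent FIN
        self.events = []                     # notes a monitor would log

    def observe(self, sender: str, flags: int) -> str:
        """sender is 'client' or 'server'; returns the state after this segment."""
        if flags & RST:                      # abrupt close: either side, any time
            self.events.append(f"RST from {sender}: session ended immediately")
            self.state = "CLOSED"
        elif self.state == "CLOSED":
            if sender == "client" and flags & SYN and not flags & ACK:
                self.state = "SYN_SENT"      # 1. SYN (Open)
            elif flags & SYN and flags & ACK:
                # No connection exists, so this SYN/ACK makes no sense: a probe.
                self.events.append(f"unsolicited SYN/ACK from {sender}: answered with RST")
            else:
                self.events.append(f"segment from {sender} with no connection: ignored")
        elif self.state == "SYN_SENT" and sender == "server" and flags & SYN and flags & ACK:
            self.state = "SYN_RECEIVED"      # 2. SYN, ACK (1)
        elif self.state == "SYN_RECEIVED" and sender == "client" and flags & ACK:
            self.state = "ESTABLISHED"       # 3. ACK (2): three-way open complete
        elif self.state in ("ESTABLISHED", "CLOSING") and flags & FIN:
            self.fins.add(sender)            # 13. FIN, then 15. FIN from the other side
            self.state = "LAST_ACK" if len(self.fins) == 2 else "CLOSING"
        elif self.state == "LAST_ACK" and flags & ACK:
            self.state = "CLOSED"            # 16. ACK (15): four-way close complete
        elif self.state not in ("ESTABLISHED", "CLOSING"):
            self.events.append(f"unexpected flags {flags:#04x} from {sender} in {self.state}")
        # Data and plain ACK segments while ESTABLISHED or CLOSING change nothing here.
        return self.state

def replay(exchange) -> tuple:
    """Run (sender, flags) pairs through a fresh session; return states and events."""
    session = TcpSession()
    states = [session.observe(sender, flags) for sender, flags in exchange]
    return states, session.events

# Constructed exchange matching slide messages 1-7 (open, request, response) and 13-16 (close).
NORMAL_SESSION = [("client", SYN), ("server", SYN | ACK), ("client", ACK),
                  ("client", PSH | ACK), ("server", ACK), ("server", PSH | ACK), ("client", ACK),
                  ("client", FIN | ACK), ("server", ACK), ("server", FIN | ACK), ("client", ACK)]

if __name__ == "__main__":
    print(replay(NORMAL_SESSION))
    print(replay([("client", SYN | ACK)]))   # probe with no connection
```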
Transmission Control Protocol (TCP)
Sequence and Acknowledgement Number
Sequence numbers identify segment’s place in the sequence
Acknowledgement number identifies which segment is being acknowledged
[Figure: TCP header fields Source Port Number (16 bits), Destination Port Number (16 bits), Sequence Number (32 bits), Acknowledgment Number (32 bits).]
Transmission Control Protocol (TCP)
Port Number
Port numbers identify applications
Well-known ports (0-1023) used by applications that run as root (Figure 3-27)
HTTP=80, Telnet=23, FTP=21 for supervision, 20 for data transfer, SMTP=25
[Figure: TCP header fields Source Port Number (16 bits) and Destination Port Number (16 bits).]
Transmission Control Protocol (TCP)
Port Number
Registered ports (1024-49152) for any application
Ephemeral/dynamic/private ports (49153-65535) used by client (16,383 possible)
Not all operating systems use these port ranges, although all use well-known ports
Transmission Control Protocol (TCP)
Port Number
Socket format is IP address:Port, for instance, 128.171.17.13:80
Designates a specific program on a specific machine
Port spoofing (Figure 3-28)
Incorrect application uses a well-known port
Especially 80, which is often allowed through firewalls
Use of TCP and UDP Port Number
[Figure: a client (60.171.18.22) talks to a webserver (60.171.17.13, Port 80) and to an SMTP server (123.30.17.120, Port 25).]
Client to webserver: From: 60.171.18.22:50047 To: 60.171.17.13:80
Webserver to client: From: 60.171.17.13:80 To: 60.171.18.22:50047
Client to SMTP server: From: 60.171.18.22:60003 To: 123.30.17.120:25
Clients use different ephemeral ports for different connections
User Datagram Protocol (UDP)
UDP Datagrams are Simple
Source and destination port numbers (16 bits each)
UDP length (16 bits)
UDP checksum (16 bits)
[Figure: UDP datagram layout (Bit 0 to Bit 31)]
  IP Header (Usually 20 Bytes)
  Source Port Number (16 bits) | Destination Port Number (16 bits)
  UDP Length (16 bits) | UDP Checksum (16 bits)
  Data Field
User Datagram Protocol (UDP)
Port Spoofing Still Possible
UDP Datagram Insertion
Insert UDP datagram into an ongoing dialog stream
Hard to detect because no sequence numbers in UDP
Internet Control Message Protocol (ICMP)
ICMP is for Supervisory Messages at the
Internet Layer
ICMP and IP
An ICMP message is delivered (encapsulated)
in the data field of an IP packet
Types and Codes
Type: General category of supervisory
message
Code: Subcategory of type (set to zero if there is
no code)
Internet Control Message Protocol (ICMP) for Supervisory Messages
[Figure: ICMP messages, such as a router's "Host Unreachable" error message or an "Echo" and its "Echo Reply", are carried after the IP header in the data field of an IP packet.]
IP Packet with an ICMP Message Data Field (Bit 0 to Bit 31)
  IP Header (Usually 20 Bytes)
  Type (8 bits) | Code (8 bits) | Depends on Type and Code
  Depends on Type and Code
Internet Control Message Protocol (ICMP)
Network Analysis Messages
Echo (Type 8, no code) asks target host if it is operational and available
Echo reply (Type 0, no code). Target host responds to echo sender
Ping program implements Echo and Echo Reply. Like submarine pinging a target
Ping is useful for network managers to diagnose problems based on failures to reply
Ping is useful for hackers to identify potential targets: live ones reply
Internet Control Message Protocol (ICMP)
Error Advisement Messages
Advise sender of error but there is no error correction
Host Unreachable (Type 3, multiple codes)
Many codes for specific reasons for host being unreachable
Host unreachable packet’s source IP address confirms to hackers that the IP address is live and therefore a potential victim
Usually sent by a router
Internet Control Message Protocol (ICMP)
Error Advisement Messages
Time Exceeded (Type 11, no codes)
Router decrementing TTL to 0 discards packet, sends time exceeded message
IP header containing error message reveals router’s IP address
By progressively incrementing TTL values by 1 in successive packets, attacker can scan progressively deeper into the network, mapping the network
Also usually sent by a router
Internet Control Message Protocol (ICMP)
Control Codes
Control network/host operation
Source Quench (Type=4, no code)
Tells destination host to slow down its transmission rate
Legitimate use: Flow control if host sending source quench is overloaded
Attackers can use for denial-of-service attack
Internet Control Message Protocol (ICMP)
Control Codes
Redirect (Type 5, multiple codes)
Tells host or router to send packets in different way than they have
Attackers can disrupt network operations, for example, by sending packets down black holes
Many Other ICMP Messages
Topics Covered
Network Elements
Client and server stations
Applications
Trunk lines and access lines
Switches and routers
Messages (frames)
Topics Covered
Messages (frames) may have headers, data fields, and trailers
Headers have source and destination address fields
Switches forward (switch) frames based on the value in the destination address field
Based on field value, switch sends frames out a different port than the one on which the frame arrived
Topics Covered
Internets
Group of networks connected by routers
The Internet is a global internet
Organizations connect via ISPs
Internet messages are called packets
Path of a packet is its route
Packets travel within frames in networks
If route goes through four networks,
There will be one packet and four frames
Topics Covered
TCP/IP Standards
Dominate the Internet
Created by the Internet Engineering Task Force
(IETF)
Documents are called requests for comments
(RFCs)
OSI Standards
Dominate for single networks
Physical and data link layers
Topics Covered
[Figure: the TCP/IP, OSI and hybrid TCP/IP-OSI layer comparison repeated from the Hybrid TCP/IP-OSI Architecture slide: Application (TCP/IP and hybrid) spans OSI's Application, Presentation and Session; Transport in all three; Internet / Network / Internet; Subnet Access (use OSI standards here) / Data Link and Physical / Data Link and Physical.]
Topics Covered
Internetworking Layers
Internet layer
Internet Protocol (IP)
Governs packet organization
Governs hop-by-hop router forwarding
(routing)
Transport layer
Governs end-to-end connection between the
two hosts
TCP adds reliability, flow control, etc.
UDP is simpler, offers no reliability, etc.
Topics Covered
Application Layer Standards
Govern interaction between two application
programs
Usually, a message formatting standard and a
message transfer standard
HTML / HTTP in WWW
RFC 2822 / SMTP in e-mail
Topics Covered
IP Packet
Version 4
32-bit source and destination addresses
Time to live (TTL)
Header checksum
Protocol (type of message in data field)
Data field
Topics Covered
IP Packet
Version 4
Option fields may be used, but more likely to
be used by hackers rather than legitimately
Packet may be fragmented; this too is done
mainly by attackers
Data field
Version 6
128-bit addresses to allow more addresses
Topics Covered
Vertical Communication on the Source Host
One layer (Layer N) creates a message
Passes message down to the next-lower layer
(Layer N-1)
The Layer N-1 process encapsulates the Layer
N message in the data field of a Layer N-1
record
Layer N-1 passes the Layer N-1 message down
to Layer N-2
Topics Covered
Process is Reversed on the Destination
Host
Decapsulation occurs at each layer
Vertical Processes on Router
The router first receives, then sends
So the router first decapsulates, then
encapsulates
There is one internet layer process on each
router
Topics Covered
Firewalls Only Need to Look at Internet,
Transport, and Application Messages
The attacker cannot manipulate the frame going
from the ISP to the organization
Topics Covered
IP
Connectionless and unreliable
Hierarchical IP addresses
Network part
Subnet part
Host part
Part lengths vary
Topics Covered
IP
Masks
You cannot tell by looking at an IP address
what its network or subnet parts are
Network mask has 1s in the network part,
followed by all zeros
Subnet mask has 1s in the network and
subnet parts, followed by all zeros
Topics Covered
IP address spoofing
Change the source IP address
To conceal identity of the attacker
To have the victim think the packet comes from
a trusted host
LAND attack
Topics Covered
TCP Messages
Called TCP segments
Flags fields for SYN, ACK, FIN, RST
3-way handshake with SYN to open
Each segment that is received correctly is ACKed
This provides reliability
Topics Covered
TCP Messages
Normally, FIN is used in a four-way close
RST can create a single-message close
Attackers try to generate RSTs because the
RST message is in a packet revealing the
victim’s IP address
Topics Covered
Port Numbers
Used in both TCP and UDP
16-bit source and destination port numbers
Clients use ephemeral port numbers
Randomly generated by the client
49153-65536
Major applications on servers use well-known
port numbers
0 to 1023
Topics Covered
ICMP
For supervisory messages at the internet layer
ICMP messages are encapsulated in the data
fields of IP packets
Type and code designate contents of IP packet
Attackers use ICMP messages in scanning
Replies tell them IP addresses
Topics Covered
ICMP
Echo (Type 8, no code) asks target host if it is
operational and available
Echo reply (Type 0, no code). Target host
responds to echo sender
Ping program implements Echo and Echo
Reply. Like submarine pinging a target
ICMP error messages of several types
Allow only ICMP echo replies in border router
ingress filtering
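An added example, not from the lecture, for the ICMP slides and the summary's ingress rule just above: it decodes the Type and Code fields, applies "allow only ICMP echo replies" to inbound messages, and picks out a source whose Echo requests reach many distinct destinations in a constructed flow log (the scanning use the slides describe). The flow-log record format, the detection threshold, the outbound policy and make_icmp are my assumptions.

```python
# Added example, not part of the lecture: decode the ICMP Type and Code fields
# from a message in an IP data field, apply the summary's border-router rule
# (allow only ICMP echo replies inbound), and pick out an echo-request sweep
# from a constructed flow log. The flow-log format and the 8-destination
# threshold are my assumptions, not the lecture's.
import struct
from collections import defaultdict

ECHO_REPLY, UNREACHABLE, SOURCE_QUENCH, REDIRECT, ECHO, TIME_EXCEEDED = 0, 3, 4, 5, 8, 11

# Types the lecture covers. Echo, Echo Reply and Time Exceeded carry code 0
# ("no code"); Host Unreachable (Type 3) and Redirect (Type 5) have several codes.
ICMP_TYPES = {
    ECHO: "Echo (network analysis)",
    ECHO_REPLY: "Echo Reply (network analysis)",
    UNREACHABLE: "Host Unreachable (error advisement)",
    TIME_EXCEEDED: "Time Exceeded (error advisement)",
    SOURCE_QUENCH: "Source Quench (control)",
    REDIRECT: "Redirect (control)",
}

def parse_icmp(message: bytes) -> dict:
    """Decode Type, Code and checksum from the 8-byte ICMP header."""
    if len(message) < 8:
        raise ValueError("shorter than an ICMP header")
    itype, code, checksum, rest = struct.unpack("!BBHI", message[:8])
    return {"type": itype, "code": code, "checksum": checksum,
            "rest_of_header": rest,          # meaning depends on Type and Code
            "name": ICMP_TYPES.get(itype, f"type {itype}"),
            "payload": message[8:]}

def border_filter(direction: str, message: bytes) -> str:
    """Ingress rule from the summary: only ICMP echo replies are allowed inbound.
    Outbound ICMP is not addressed by the lecture; assumed allowed here."""
    if direction != "inbound":
        return "allow"
    try:
        h = parse_icmp(message)
    except ValueError:
        return "drop"                        # a truncated message is not a valid echo reply
    return "allow" if (h["type"], h["code"]) == (ECHO_REPLY, 0) else "drop"

def sweep_sources(records, threshold: int = 8) -> list:
    """records: (src, dst, icmp_type). A source whose Echo requests reach at
    least `threshold` distinct destinations looks like a scan for live hosts."""
    targets = defaultdict(set)
    for src, dst, itype in records:
        if itype == ECHO:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

# Constructed flow-log records: one host sweeps 60.168.47.1-60.168.47.10,
# another pings a single address (normal diagnostics) and gets a reply.
SAMPLE_RECORDS = [("1.34.150.37", f"60.168.47.{n}", ECHO) for n in range(1, 11)] + \
                 [("60.168.4.6", "60.168.47.47", ECHO), ("60.168.47.47", "60.168.4.6", ECHO_REPLY)]

def make_icmp(itype: int, code: int = 0, ident: int = 1, seq: int = 1) -> bytes:
    """Build an 8-byte ICMP header (checksum left 0; test input, not real traffic)."""
    return struct.pack("!BBHHH", itype, code, 0, ident, seq)

if __name__ == "__main__":
    for name, msg in (("echo reply", make_icmp(ECHO_REPLY)), ("echo", make_icmp(ECHO)),
                      ("host unreachable", make_icmp(UNREACHABLE, 1))):
        print(f"inbound {name}: {border_filter('inbound', msg)}")
    print("sweep sources:", sweep_sources(SAMPLE_RECORDS))
```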
End of Lecture