Transcript Chapter 3

TCP/IP Internetworking
(February 1, 2012)
© Abdou Illia – Spring 2012
Security Goals: Review
• Three main security goals (CIA):
  - Confidentiality of communications and proprietary information
  - Integrity of corporate data
  - Availability of network services and resources
TCP/IP and Security Goals
• Understanding TCP/IP helps understand:
  - Technical aspects of systems attacks, such as:
    - Attack messages' structure
    - Attack messages' content
    - What makes attack messages dangerous
  - How defense tools are designed and configured to meet security goals.
Network Communication Model?
• Communication models define the tasks and rules for communication in a network
• Tasks and rules allow each device to:
  - Generate messages in the required form for transmission
  - "Understand" and process received messages properly
(Figure: Computer 1 and Computer 2, each running the same stack of Task 1 / Rule 1 through Task 5 / Rule 5, with each task/rule level on one computer paired with the same level on the other)
OSI Reference Model
• 7 layers
• Each layer communicates with its peer layer, and with the layer above and below it.
• Different protocols at each layer
• Upper layers deal with application issues, and are implemented in software
• Lower layers handle data transport issues, and are implemented in software and hardware
• OSI model created by the International Organization for Standardization
(Figure: the seven layers stacked, with the upper layers grouped as "Application" and the lower layers grouped as "Data transport")
OSI Reference Model
Layer 7: Application
• Represents the user interface between the application software (e.g. Eudora) and the network
• Provides services like: identification of the intended communication partner, determining resource availability for communication, etc.
Layer 6: Presentation
• Performs code conversion and data reformatting (syntax translation), including encryption and compression if required.
• Uses coding & conversion schemes: Common Data Representation Formats, Common Data Encryption Schemes, EBCDIC, ASCII, etc.
Layer 5: Session
• Responsible for establishing, managing & terminating communication sessions between computers.
• Communication sessions consist of service requests and service responses between applications
• Session layer's protocols coordinate request & response sessions.
OSI Reference Model
Layer 4: Transport
• Makes sure the data arrives at the destination exactly as it left the source (in case of connection-oriented communication)
• Provides error checking before transmission, and error recovery in case of failed delivery.
• Responsible for creating, maintaining and ending network connections.
Layer 3: Network
• Provides logical addresses (IP addresses) to messages
• Provides routing services: determining routes for sending. If a router can't send large packets, it breaks the data into smaller units.
Layer 2: Data Link
• Subdivided into 2 sublayers (Logical Link Control, LLC, and Media Access Control, MAC)
• Provides physical addresses (MAC addresses) to messages
• Combines bits into bytes, and bytes into frames with header, address information, error detection code, and trailer
OSI Reference Model
Layer 1: Physical
• Handles the transmission of bits over a communication channel.
• Defines characteristics such as voltage levels, connector types and maximum transmission distance.
• Places the signal on the cable. Responsible for moving bits between devices.
The TCP/IP (or Internet) Model
(Figure: the OSI layers 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical drawn beside the Internet model's layers 4. Application, 3. Transport, 2. Network, 1. Interface)
• 4 layers
• Interface layer - equivalent to the OSI's Physical and Data Link layers
• Network layer - roughly equivalent to the OSI's Network layer
• Transport layer - performs the same function as the OSI Transport layer
• Application layer - equivalent to the OSI's Presentation and Application layers
Applications/Protocols Used in the Internet Model
Application layer
• Web service: HTTP
• E-mail: SMTP (Simple Mail Transfer Protocol), POP (Post Office Protocol), IMAP (Internet Message Access Protocol)
• Telnet applications: Terminal Emulation Protocol
• File transfer: FTP
Transport layer
• TCP (Transmission Control Protocol)
  - Required in web service when HTTP is used
  - Required in mail service when SMTP is used. SMTP messages are encapsulated in TCP segments
  - Connection-oriented: establishes and maintains connections before sending. Closes connections after transmission. Corrects errors in TCP segments.
• UDP (User Datagram Protocol)
  - Connectionless: does not open a connection. Simply sends. Discards incorrect UDP datagrams (no retransmission)
Network layer
• IP (Internet Protocol)
Interface layer
• PPP (Point-to-Point Protocol)
• V.90 for 56 Kbps modems
Hybrid TCP/IP-OSI Model
Layer          Sample protocols for Web access
Application    HTTP
Transport      TCP, UDP, ICMP
Internet       IP
Data Link      Ethernet, PPP
Physical       Ethernet, Modem standards, Telephone standards
Layered Communications: Encapsulation – De-encapsulation
• Application programs on different computers cannot communicate directly
  - There is no direct connection between them!
  - They need to use an indirect communication system called layered communications or layer cooperation
(Figure: the Browser on the User PC sends an HTTP Request to the Web App on the Webserver; on each machine the message passes down through the Trans, Int, DL and Phy layers, and the two Phy layers are joined by the transmission medium)
Layer Cooperation on the User PC
• Encapsulation on the sending machine
  - Embedding the message received from the upper layer in a new message
(Figure: encapsulation on the User PC, layer by layer:
  Application: HTTP request (HTTP req.)
  Transport: TCP segment = TCP-H + HTTP req. (encapsulation of the HTTP request in the data field of a TCP segment)
  Internet: IP packet = IP-H + TCP-H + HTTP req.
  Data Link: frame = PPP-H + IP-H + TCP-H + HTTP req. + PPP-T
  Physical)
Layer Cooperation on the Web server
• De-encapsulation
  - Other layers pass successive data fields (containing the next-lower layer's messages) up to the next-higher layer
(Figure: de-encapsulation on the Webserver, upward from the transmission media:
  Data Link: frame = PPP-H + IP-H + TCP-H + HTTP req. + PPP-T
  Internet: IP packet = IP-H + TCP-H + HTTP req.
  Transport: TCP segment = TCP-H + HTTP req.
  Application: HTTP request)
Summary Questions (Part 1)
1. What is encapsulation? On what machine does it occur: the sending or the receiving machine?
2. If layer N creates a message, does Layer N or Layer N-1 encapsulate the message?
3. What layer creates frames? Segments? Packets?
4. Which of the following network communication models is used on the Internet?
   a) The OSI model
   b) The HTML model
   c) The TCP/IP model
   d) The IP model
IP Packet
IP Version 4 packet header, 32 bits (bit 0 to bit 31) per row:
  Version (4 bits, value 0100) | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
  Identification (16 bits) | Flags | Fragment Offset (13 bits)
  Time To Live (8 bits) | Protocol (8 bits; 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
  Source IP Address (32 bits)
  Destination IP Address (32 bits)
  Options (if any) | Padding
  Data Field
• QoS: also called Type of Service, indicates the priority level the packet should have
• Identification tag: helps reconstruct the packet from several fragments
• Flags: indicate whether the packet may be fragmented or not (DF: Don't Fragment), and whether more fragments of a packet follow (MF: More Fragments, or NF: No More Fragments)
• Fragment offset: identifies where this fragment belongs in the original packet
• TTL: indicates the maximum number of hops (routers) the packet may pass through before a hop discards it.
• Header checksum: checks for errors in the header only
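The header layout and the header-only checksum described on this slide, as an added worked example in Python (not part of the original lecture): it packs and decodes a 20-byte IPv4 header, verifies the checksum, and performs the per-hop TTL decrement a router does. The sample header values are constructed and the function names are the example's own.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # Protocol field values named on the slide
IPV4_FMT = "!BBHHHBBH4s4s"                      # 20-byte header without options

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented; a header with its checksum filled in yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(total_len, ident, df, mf, frag_offset, ttl, proto, src, dst):
    """Pack the header fields from the slide's diagram, then fill in the header checksum."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset // 8)
    packed = struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, flags_frag, ttl, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return packed[:10] + struct.pack("!H", ipv4_checksum(packed)) + packed[12:]

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the header fields and verify the checksum, which covers the header only."""
    ver_ihl, qos, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not an IPv4 header")
    return {
        "version": version, "header_len": ihl, "qos": qos, "total_len": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),           # DF: Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # MF: More Fragments (0 means no more fragments)
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # stored in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }

def route_hop(raw: bytes):
    """Router behaviour per hop: decrement TTL and refresh the checksum; None means discarded."""
    ihl = parse_ipv4_header(raw)["header_len"]
    if raw[8] <= 1:                              # TTL would reach zero at this hop
        return None
    new = bytearray(raw[:ihl])
    new[8] -= 1
    new[10:12] = b"\x00\x00"                     # checksum field is zero while it is computed
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new)))
    return bytes(new) + raw[ihl:]

# Constructed sample (header only): UDP, total length 115, DF set, TTL 64, 192.168.0.1 -> 192.168.0.199
SAMPLE_HEADER = build_ipv4_header(115, 0, True, False, 0, 64, 17, "192.168.0.1", "192.168.0.199")
```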
Summary Questions (Part 2)
• What is the main version of the Internet Protocol in use today? What is the other version?
• What does a router do with an IP packet if it decrements its TTL value to zero?
• Assume that a router received an IP packet with the Protocol field in its header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
IP Fragmentation
(Figure: a router with one port on Subnet 1 and another on Subnet 2)
• When a packet arrives at a router, the router selects the port and subnet to forward the packet to
• If the packet is too large for the subnet to handle, the router fragments the packet, i.e.:
  - Divides the packet's data field into fragments
  - Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
    - The first fragment is given a Fragment Offset value of 0
    - Subsequent fragments get Fragment Offset values consistent with their data's place in the original packet
    - The last fragment's Flag is set to "No More Fragments"
  - The destination host reassembles the fragments based on the offsets.
(Header fields involved: Identification (16 bits) | Flags | Fragment Offset (13 bits))
Firewalls and Fragmented IP Packets
• Fragmentation makes it hard for firewalls to filter individual packets
  - The TCP or UDP header appears only in the first fragment
• A firewall might drop the first fragment, but not the subsequent fragments
• Some firewalls drop all fragmented packets
(Figure: Attacker 1.34.150.37 sends a fragmented packet through a Router to Firewall 60.168.47.47:
  1. First fragment: IP header, TCP header, TCP data field
  2. Second fragment: IP header, TCP data field, no TCP header
  3. TCP header only in the first fragment
  4. TCP data field
  5. Firewall 60.168.47.47 can only filter the TCP header in the first fragment)
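The fragmentation steps from the previous slide and the filtering problem on this one, as an added Python example that is not part of the lecture: a router splits a constructed TCP segment into fragments sharing one Identification tag, the destination reassembles them by offset, and a filter that only reads the TCP header sees it in the first fragment alone; the reassembling filter at the end is the hardened alternative a firewall can apply. Fragments are modelled as dictionaries rather than full IP headers, and all names are the example's own.

```python
import struct

def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Router-side fragmentation of one IP data field for a link of the given MTU (20-byte IP header
    assumed). Offsets are in 8-byte units, and every fragment keeps the original Identification."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for start in range(0, len(payload), chunk):
        frags.append({"id": ident, "offset": start // 8,
                      "mf": start + chunk < len(payload),   # MF=0 on the last fragment: "No More Fragments"
                      "data": payload[start:start + chunk]})
    return frags

def reassemble(frags: list) -> bytes:
    """Destination-host reassembly: order by offset, require contiguity and a final MF=0."""
    frags = sorted(frags, key=lambda f: f["offset"])
    data = b""
    for f in frags:
        if f["offset"] * 8 != len(data):
            raise ValueError("gap or overlap between fragments")
        data += f["data"]
    if not frags or frags[-1]["mf"]:
        raise ValueError("final fragment missing")
    return data

def stateless_filter(frag: dict, blocked_ports: set) -> bool:
    """A filter that reads the TCP destination port finds it only in the offset-0 fragment;
    every later fragment passes because it carries no transport header to inspect."""
    if frag["offset"] == 0 and len(frag["data"]) >= 4:
        return struct.unpack("!H", frag["data"][2:4])[0] not in blocked_ports
    return True

def reassembling_filter(frags: list, blocked_ports: set) -> list:
    """Hardened filter: decide per Identification on the reassembled datagram; incomplete sets are dropped."""
    groups = {}
    for f in frags:
        groups.setdefault(f["id"], []).append(f)
    passed = []
    for group in groups.values():
        try:
            data = reassemble(group)
        except ValueError:
            continue
        if len(data) >= 4 and struct.unpack("!H", data[2:4])[0] not in blocked_ports:
            passed.extend(group)
    return passed

# Constructed sample: a TCP segment (20-byte header, src port 49562, dst port 23) with 60 data bytes
SEGMENT = struct.pack("!HHIIBBHHH", 49562, 23, 1, 0, 0x50, 0x02, 8192, 0, 0) + b"A" * 60
FRAGMENTS = fragment(0x1234, SEGMENT, mtu=60)   # link MTU of 60 bytes gives two fragments
```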
TCP Segment
TCP segment header, 32 bits (bit 0 to bit 31) per row:
  Source Port Number (16 bits) | Destination Port Number (16 bits)
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN,… (6 bits) | Window Size (16 bits)
  TCP Checksum (16 bits) | Urgent Pointer (16 bits)
  Data
• Port number: identifies the sending and receiving application programs.
• Sequence number: identifies the segment's place in the sequence. Allows the receiving Transport layer to put arriving TCP segments in order.
• Acknowledgment number: identifies which segment is being acknowledged
• Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Each can be set to 0 (off) or 1 (on), e.g. SYN=1 means a request for connection/synchronization.
Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know which TCP segment is being acknowledged?
TCP and use of Flags
Flag Fields (6 bits): URG, ACK, PSH, RST, SYN, FIN
• TCP is a connection-oriented protocol
  - Sender and receiver need to establish a connection
  - Sender and receiver need to agree to "talk"
  - Flags are used for establishing the connection
    - Sender requests connection opening: SYN flag set to 1
    - If the receiver is ready to "talk", it responds with a SYN/ACK segment
    - Sender acknowledges the acknowledgment
    - If the sender does not get the ACK, it resends the segment
(Figure: 3-way handshake between the PC's transport process and the Webserver's transport process:
  1. SYN (Open)
  2. SYN, ACK (1) (acknowledgment of 1)
  3. ACK (2))
Note: With connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.
Communication during a normal TCP Session
Q1: How many segments are sent in a normal TCP communication opening? ____
Q2: How many segments are sent in a normal TCP communication closing? ____
Note: At any time, either process can send a TCP RST (reset) segment, with the RST bit set to 1, to drop the connection (i.e. to abruptly end the connection).
SYN/ACK Probing Attack
(Figure: Attacker 1.34.150.37 and Victim 60.168.47.47:
  1. Probe: the attacker sends a SYN/ACK segment to 60.168.47.47
  2. No SYN (Open) came first, so the SYN/ACK makes no sense to the victim
  3. "Go away!": the victim answers with an IP header + RST segment
  4. Source IP address of the answer = 60.168.47.47
  5. The attacker learns that 60.168.47.47 is live)
• Sending SYN/ACK segments helps attackers locate "live" targets
• Older Windows OS could crash when they receive a SYN/ACK probe
TCP and use of Port numbers
(Header fields involved: Source Port Number (16 bits) | Destination Port Number (16 bits))
• Port numbers identify applications
• Well-known ports (0-1023): used by major server applications running at root authority.
  - HTTP web service=80, Telnet=23, FTP=21, SMTP email=25
• Registered ports (1024-49151): used by client and server applications.
• Ephemeral/dynamic/private ports (49152-65535)
  - Not permanently assigned by ICANN.
(Figure: a web server's computer hardware (Processor, RAM chip, HD) running an Operating System and the web server applications www:80, FTP:21, SMTP:25; socket notation: IP address:Port #)
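The TCP header fields, the six flags, the 3-way handshake and the port ranges from the TCP Segment, TCP and use of Flags, SYN/ACK Probing Attack and port number slides above, as an added Python example that is not part of the lecture: it packs and decodes a TCP header, classifies port numbers, and keeps handshake state so that a SYN/ACK answering no outstanding SYN (the probe on the SYN/ACK probing slide) is reported instead of accepted. The segments and the server address 192.0.2.10 are constructed; the class and function names are the example's own.

```python
import struct

TCP_FMT = "!HHIIBBHHH"                        # 20-byte TCP header without options
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Pack a TCP header; the checksum is left at 0 because it needs the IP pseudo-header."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, 5 << 4, bits, 65535, 0, 0)

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fields of the slide's TCP segment diagram, with the flags as a set of names."""
    src, dst, seq, ack, off_res, bits, win, _, urg = struct.unpack(TCP_FMT, raw[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (off_res >> 4) * 4, "window": win, "urgent": urg,
            "flags": {name for name, bit in FLAG_BITS.items() if bits & bit}}

def port_class(port: int) -> str:
    """Port ranges from the slide: well-known, registered, ephemeral/dynamic/private."""
    return "well-known" if port < 1024 else "registered" if port < 49152 else "ephemeral"

class HandshakeTracker:
    """Host-side state for the 3-way handshake. A SYN/ACK that answers no outstanding SYN
    is the probe from the SYN/ACK probing slide and is reported rather than accepted."""
    def __init__(self):
        self.pending = {}   # (remote_ip, remote_port, local_port) -> sequence number of our SYN

    def outbound(self, remote_ip: str, segment: bytes) -> None:
        h = parse_tcp_header(segment)
        if h["flags"] == {"SYN"}:                               # step 1: SYN (Open)
            self.pending[(remote_ip, h["dst_port"], h["src_port"])] = h["seq"]

    def inbound(self, remote_ip: str, segment: bytes) -> str:
        h = parse_tcp_header(segment)
        if h["flags"] != {"SYN", "ACK"}:
            return "accept"
        key = (remote_ip, h["src_port"], h["dst_port"])
        if self.pending.get(key) is not None and h["ack"] == self.pending[key] + 1:
            del self.pending[key]                               # step 2 matched; step 3 (our ACK) follows
            return "accept"
        return "unsolicited SYN/ACK"                            # log it; the host itself answers with RST

# Constructed sample exchange: our PC (client port 49562) opens a connection to a web server,
# then an unrelated host sends a SYN/ACK probe to the same port.
SYN = build_tcp_header(49562, 80, 1000, 0, ["SYN"])
SYN_ACK = build_tcp_header(80, 49562, 5000, 1001, ["SYN", "ACK"])
PROBE = build_tcp_header(80, 49562, 7, 1, ["SYN", "ACK"])
```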
Summary Questions (Part 3)
• A host sends a TCP segment with source port number 25 and destination port number 49562.
  1) Is the source host a server or a client? Why?
  2) If the host is a server, what kind of service does it provide?
  3) Is the destination host a server or a client? Why?
TCP and Port spoofing
• Attackers set their application to use a well-known port despite it not being the service associated with that port
• Most companies set their firewall to accept packets to and from port 80
• Attackers set their client program to use well-known port 80
Summary Questions (Part 4)
1. What is IP fragmentation? Does IP fragmentation make it easier for firewalls to filter incoming packets? Why?
2. What is a SYN/ACK probing attack?
3. What kind of port numbers do major server applications, such as email service, use?
4. What kind of port numbers do client applications usually use?
5. What is socket notation?
6. What is port spoofing?
7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?