TCP/IP Internetworking
(February 1, 2012)
© Abdou Illia – Spring 2012



Security Goals: Review

Three main security goals (CIA):

• Confidentiality of communications and proprietary information
• Integrity of corporate data
• Availability of network services and resources


TCP/IP and Security Goals

Understanding TCP/IP helps understand:

• Technical aspects of system attacks, like:
  • Attack messages’ structure
  • Attack messages’ content
  • What makes attack messages dangerous
• How defense tools are designed and configured to meet security goals.


Network Communication Model?

Communication models define the tasks and rules for communication in a network.

Tasks and rules allow each device to:

• Generate messages in the required form for transmission
• “Understand” and process received messages properly

[Figure: Computer 1 and Computer 2, each running the same stack of Task 1 / Rule 1 through Task 5 / Rule 5]


OSI Reference Model

• 7 layers
• Each layer communicates with its peer layer, and with the layers above and below it.
• Different protocols at each layer
• Upper layers deal with application issues, and are implemented in software
• Lower layers handle data transport issues, and are implemented in software and hardware

[Figure: the seven layers, the upper ones grouped as “Application” and the lower ones as “Data transport”]

OSI model created by the International Organization for Standardization


OSI Reference Model

Layer / Role

7 Application
• Represents the user interface between the application software (e.g. Eudora) and the network
• Provides services like: identification of the intended communication partner, determining resource availability for communication, etc.

6 Presentation
• Performs code conversion and data reformatting (syntax translation), including encryption and compression if required.
• Uses coding & conversion schemes: Common Data Representation Formats, Common Data Encryption Schemes, EBCDIC, ASCII, etc.

5 Session
• Responsible for establishing, managing & terminating communication sessions between computers.
• Communication sessions consist of service requests and service responses between applications
• Session layer’s protocols coordinate request & response sessions.


OSI Reference Model

Layer / Role

4 Transport
• Makes sure the data arrives at the destination exactly as it left the source (in case of connection-oriented communication)
• Provides error checking before transmission, and error recovery in case of failed delivery.

3 Network
• Responsible for creating, maintaining and ending network connections.
• Provides logical addresses (IP addresses) to messages
• Provides routing services: determining routes for sending. If a router can’t send large packets, it breaks the data into smaller units.

2 Data Link (sublayers: LLC, MAC)
• Subdivided into 2 sublayers (Logical Link Control and Media Access Control)
• Provides physical addresses (MAC addresses) to messages
• Combines bits into bytes, and bytes into frames with header, address information, error detection code, and trailer


OSI Reference Model

Layer / Role

1 Physical
• Handles the transmission of bits over a communication channel.
• Defines characteristics such as voltage levels, connector types and maximum transmission distance.
• Places the signal on the cable. Responsible for moving bits between devices.


The TCP/IP (or Internet) Model

4 layers:

• Interface layer - equivalent to the OSI’s Physical and Data Link layers
• Network layer - roughly equivalent to the OSI’s Network layer
• Transport layer - performs the same function as the OSI Transport layer
• Application layer - equivalent to the OSI’s Presentation and Application layers

OSI                  Internet
7. Application       4. Application
6. Presentation
5. Session
4. Transport         3. Transport
3. Network           2. Network
2. Data Link         1. Interface
1. Physical


Applications/Protocols Used in the Internet Model

Layer / Applications and protocols

Application
• Web service: HTTP
• E-mail: SMTP (Simple Mail Transfer Protocol), POP (Post Office Protocol), IMAP (Internet Message Access Protocol)
• Telnet applications: Terminal Emulation Protocol
• File transfer: FTP

Transport
• TCP (Transmission Control Protocol). Required in web service when HTTP is used. Required in mail service when SMTP is used; SMTP messages are encapsulated in TCP segments. Connection-oriented: establishes and maintains connections before sending, closes connections after transmission, corrects errors in TCP segments.
• UDP (User Datagram Protocol). Connectionless: doesn’t open a connection, simply sends. Discards incorrect UDP datagrams (no retransmission).

Network
• IP (Internet Protocol)

Interface
• PPP (Point-to-Point Protocol), V.90 for 56 Kbps modems


Hybrid TCP/IP-OSI Model

Layer          Sample protocols for Web access
Application    HTTP
Transport      TCP, UDP, ICMP
Internet       IP
Data Link      Ethernet, PPP
Physical       Ethernet, Modem standards, Telephone standards


Layered Communications: Encapsulation – De-encapsulation

Application programs on different computers cannot communicate directly. There is no direct connection between them! They need to use an indirect communication system called layered communications or layer cooperation.

[Figure: the User PC (Browser, Trans, Int, DL, Phy) and the Webserver (Web App, Trans, Int, DL, Phy); the HTTP Request travels down the PC’s layers and up the server’s]


Layer Cooperation on the User PC

Encapsulation on the sending machine: embedding the message received from the upper layer in a new message.

Application    HTTP req.                                   (HTTP request)
Transport      TCP-H | HTTP req.                           (TCP segment)
Internet       IP-H | TCP-H | HTTP req.                    (IP packet)
Data Link      PPP-H | IP-H | TCP-H | HTTP req. | PPP-T    (Frame)
Physical       (User PC)

Encapsulation of the HTTP request in the data field of a TCP segment.


Layer Cooperation on the Web server

De-encapsulation: the other layers pass successive data fields (containing next-lower layer messages) up to the next-higher layer.

Physical       (Transmission media, Webserver)
Data Link      PPP-H | IP-H | TCP-H | HTTP req. | PPP-T    (Frame)
Internet       IP-H | TCP-H | HTTP req.                    (IP packet)
Transport      TCP-H | HTTP req.                           (TCP segment)
Application    HTTP req.                                   (HTTP request)
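The nesting shown on the two layer-cooperation slides, as an added example that is not part of the original slides: on the User PC each layer prepends its header to the message it receives from the layer above, and the Webserver strips one header per layer on the way up. The TCP-H, IP-H, PPP-H and PPP-T headers here are simplified, constructed stand-ins (a 2-byte tag plus a 2-byte length), not the real wire formats, and the HTTP request is constructed.

```python
"""Added example (not from the slides): layered encapsulation and
de-encapsulation of an HTTP request on the sending and receiving hosts.
Headers are simplified, constructed stand-ins for TCP, IP and PPP."""
import struct

# Constructed, simplified headers: a 2-byte tag naming the layer, then a
# 2-byte big-endian length of the upper-layer message the header carries.
TAGS = {"TCP-H": b"TC", "IP-H": b"IP", "PPP-H": b"PP"}
PPP_TRAILER = b"PT"  # stands in for the PPP trailer (PPP-T) on the slide


def encapsulate(upper_message: bytes, layer: str) -> bytes:
    """A layer embeds the message from the layer above in a new message."""
    header = TAGS[layer] + struct.pack("!H", len(upper_message))
    pdu = header + upper_message
    if layer == "PPP-H":
        pdu += PPP_TRAILER  # the data-link frame also gets a trailer
    return pdu


def de_encapsulate(pdu: bytes, layer: str) -> bytes:
    """The receiving layer checks its own header, then passes the data field up."""
    tag, length = pdu[:2], struct.unpack("!H", pdu[2:4])[0]
    if tag != TAGS[layer]:
        raise ValueError(f"expected {layer} header, found {tag!r}")
    data = pdu[4:4 + length]
    if layer == "PPP-H" and pdu[4 + length:] != PPP_TRAILER:
        raise ValueError("missing PPP trailer")
    return data


def send_http_request(http_request: bytes) -> dict:
    """User PC: application -> transport -> internet -> data link."""
    segment = encapsulate(http_request, "TCP-H")  # TCP segment
    packet = encapsulate(segment, "IP-H")         # IP packet
    frame = encapsulate(packet, "PPP-H")          # PPP frame
    return {"segment": segment, "packet": packet, "frame": frame}


def receive_frame(frame: bytes) -> bytes:
    """Webserver: data link -> internet -> transport -> application."""
    packet = de_encapsulate(frame, "PPP-H")
    segment = de_encapsulate(packet, "IP-H")
    return de_encapsulate(segment, "TCP-H")


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed request
    layers = send_http_request(req)
    for name, pdu in layers.items():
        print(f"{name:8s} {len(pdu):3d} bytes, starts with {pdu[:2]!r}")
    assert receive_frame(layers["frame"]) == req
```

Each header adds 4 bytes and the frame adds a 2-byte trailer, so the frame is 14 bytes longer than the HTTP request; the receiving side gets the original request back only if every layer finds the header it expects.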


Summary Questions (Part 1)

1. What is encapsulation? On what machine does it occur: sending or receiving machine?

2. If layer N creates a message, does Layer N or Layer N-1 encapsulate the message?

3. What layer creates frames? Segments? Packets?

4. Which of the following network communication models is used on the Internet?

a) The OSI model

b) The HTML model

c) The TCP/IP model

d) The IP model


IP Packet

IP Version 4 Packet (Bit 0 to Bit 31 across each row):

Version (4 bits) = 0100 | Header Length (4 bits) | QoS (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags | Fragment Offset (13 bits)
Time To Live (8 bits) | Protocol (8 bits): 1=ICMP, 6=TCP, 17=UDP | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field

• QoS: also called Type of Service; indicates the priority level the packet should have
• Identification tag: helps reconstruct the packet from several fragments
• Flags: indicate whether the packet may be fragmented or not (DF: Don't Fragment), and whether more fragments of the packet follow (MF: More Fragments or NF: No More Fragments)
• Fragment Offset: identifies which fragment this packet is attached to
• TTL: indicates the maximum number of hops (or routers) the packet can pass through before a hop discards it
• Header Checksum: checks for errors in the header only
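An IPv4 header parser covering the fields on this slide, as an added example (not from the slides): it reads each field from raw bytes, names the protocol using the slide's values, decodes the DF/MF flags and the 13-bit offset, and verifies the Header Checksum, which covers the header only. build_ipv4 is a constructed helper used to make a valid sample packet; the addresses reuse the ones that appear on later slides.

```python
"""Added example (not from the slides): parse an IPv4 header, decode the
fields shown on the slide and verify the header checksum."""
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # values from the slide


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header only; the data
    field is not covered. Over a header with a valid checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields as a dict; raises ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (first, tos, total_len, ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = first >> 4, first & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4                    # header length is in 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    flags = frag >> 13                      # top 3 bits: reserved, DF, MF
    return {
        "version": version,
        "header_length": header_len,
        "qos": tos,
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "fragment_offset": (frag & 0x1FFF) * 8,   # offset field counts 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "data": packet[header_len:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, data: bytes, ident: int = 0x1234,
               ttl: int = 64, df: bool = True, mf: bool = False, offset: int = 0) -> bytes:
    """Constructed helper: a 20-byte header (no options) with a valid checksum."""
    flags = (0b010 if df else 0) | (0b001 if mf else 0)
    frag = (flags << 13) | (offset // 8)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, frag,
                      ttl, proto, 0, src_b, dst_b)       # checksum field zero
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + data


if __name__ == "__main__":
    pkt = build_ipv4("1.34.150.37", "60.168.47.47", 6, b"hello", ttl=5)
    for name, value in parse_ipv4(pkt).items():
        print(f"{name:16s} {value!r}")
```

The checksum check is the receiver's view: summing every header word, checksum included, and complementing gives zero only when the header is intact, which is why a single flipped header byte is caught while a corrupted data field is not.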


Summary Questions (Part 2)

What is the main version of the Internet Protocol in use today? What is the other version?

What does a router do with an IP packet if it decrements its TTL value to zero?

Assume that a router received an IP packet with the Protocol in header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?


IP Fragmentation

• When a packet arrives at a router, the router selects the port and subnet to forward the packet to
• If the packet is too large for the subnet to handle, the router fragments the packet, i.e.:
  • Divides the packet’s data field into fragments
  • Gives each fragment the same Identification tag value, i.e. the Identification tag of the original packet
  • The first fragment is given a Fragment Offset value of 0
  • Subsequent fragments get Fragment Offset values consistent with their data’s place in the original packet
  • The last fragment’s Flag is set to “No More Fragments”
• The destination host reassembles the fragments based on the offsets.

[Figure: Identification (16 bits) | Flags | Fragment Offset (13 bits); a packet forwarded by a router from Subnet 1 into Subnet 2]


Firewalls and Fragmented IP Packets

[Figure: Attacker 1.34.150.37 sends a fragmented packet through a router to Firewall 60.168.47.47.
1. First fragment: IP header + TCP header + TCP data field
2. Second fragment: IP header + TCP data field, no TCP header
3. TCP header only in the first fragment
4. The second fragment carries only TCP data
5. The firewall can only filter on the TCP header in the first fragment]

• Fragmentation makes it hard for firewalls to filter individual packets
• The TCP or UDP header appears only in the first fragment
• A firewall might drop the first fragment, but not the subsequent fragments
• Some firewalls drop all fragmented packets
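Fragmentation, reassembly and the firewall problem from the previous two slides, as an added example that is not from the original: fragment() splits a data field into fragments that share one Identification tag, with 8-byte-aligned offsets and the More Fragments flag cleared only on the last one; reassemble() is the destination host's side and rejects gaps, overlaps and a missing last fragment; naive_filter shows why a per-fragment rule can only match the TCP header in the first fragment; reassembling_filter is the usual defensive fix, reassembling before the rule is applied. Fragments are modelled as dicts rather than full IPv4 packets, and make_segment is a constructed helper.

```python
"""Added example (not from the slides): IP fragmentation, reassembly, and
why a per-fragment firewall rule only sees the TCP header once."""
import struct


def fragment(identification: int, data: bytes, mtu_data: int) -> list:
    """Split a packet's data field into fragments sharing its Identification.
    Offsets are multiples of 8 bytes (as in IPv4), so the chunk size is the
    largest multiple of 8 that fits; only the last fragment may be shorter."""
    chunk = max(8, mtu_data - mtu_data % 8)
    frags = []
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk]
        frags.append({
            "identification": identification,
            "offset": offset,
            "mf": offset + len(piece) < len(data),  # More Fragments, except on the last
            "data": piece,
        })
    return frags


def reassemble(fragments: list) -> bytes:
    """Destination host: order the fragments of one Identification by offset
    and require one contiguous data field whose last piece has MF=0."""
    if not fragments or len({f["identification"] for f in fragments}) != 1:
        raise ValueError("fragments from different packets (or none)")
    ordered = sorted(fragments, key=lambda f: f["offset"])
    data, expected = b"", 0
    for f in ordered:
        if f["offset"] != expected:
            raise ValueError(f"gap or overlap at offset {expected}")
        data += f["data"]
        expected += len(f["data"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment still has More Fragments set")
    return data


def tcp_dest_port(segment: bytes) -> int:
    """Destination port is bytes 2-3 of the TCP header."""
    return struct.unpack("!H", segment[2:4])[0]


def naive_filter(frag: dict, allowed_ports: set) -> str:
    """Per-fragment rule: only the first fragment carries the TCP header, so
    later fragments have nothing to match on and pass through."""
    if frag["offset"] == 0:
        return "allow" if tcp_dest_port(frag["data"]) in allowed_ports else "drop"
    return "allow"


def reassembling_filter(fragments: list, allowed_ports: set) -> str:
    """Defensive fix: reassemble first, then apply the rule to the whole segment;
    anything that cannot be reassembled is dropped."""
    try:
        segment = reassemble(fragments)
    except ValueError:
        return "drop"
    return "allow" if tcp_dest_port(segment) in allowed_ports else "drop"


def make_segment(dst_port: int, payload: bytes) -> bytes:
    """Constructed 20-byte TCP header (src port 49152, PSH/ACK, zero checksum)."""
    return struct.pack("!HHIIBBHHH", 49152, dst_port, 0, 0, 0x50, 0x18, 0, 0, 0) + payload


if __name__ == "__main__":
    seg = make_segment(23, b"x" * 40)          # constructed segment to port 23
    frags = fragment(0x1234, seg, 20)
    print("per-fragment:", [naive_filter(f, {80}) for f in frags])
    print("reassembled: ", reassembling_filter(frags, {80}))
```

With an allow-list of port 80 and a segment addressed to port 23, the per-fragment filter drops only the first fragment and lets the other three through, exactly the weakness the slide describes; the reassembling filter drops the whole packet, and also drops any fragment set whose first fragment never arrives.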


TCP Segment

(Bit 0 to Bit 31 across each row)

Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields: ACK, SYN, … (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)
Data

• Port number: identifies the sending and receiving application programs.
• Sequence number: identifies the segment’s place in the sequence. Allows the receiving Transport layer to put arriving TCP segments in order.
• Acknowledgement number: identifies which segment is being acknowledged.
• Flag fields: six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Each can be set to 0 (off) or 1 (on). E.g. SYN=1 means a request for connection/synchronization.

Q: If the ACK flag is set to 1, what other field must also be set to let the receiver know which TCP segment is being acknowledged?
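A TCP header decoder for the fields above, as an added example (not from the slides): it extracts the port numbers, sequence and acknowledgment numbers, header length and the six flags, names the segment the way the handshake slide does, and ack_is_consistent applies the simple rule that a segment with ACK=1 must carry an acknowledgment number. build_tcp is a constructed helper (checksum left at zero) used to produce sample segments.

```python
"""Added example (not from the slides): decode a TCP header into the fields
on the slide, including the six one-bit flags."""
import struct

# Bit positions of the six flags in the flags byte.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp(segment: bytes) -> dict:
    """Return the header fields as a dict; raises ValueError on a malformed header."""
    if len(segment) < 20:
        raise ValueError("too short for a TCP header")
    (src, dst, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4        # Header Length is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad header length")
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "header_length": header_len,
        "flags": {name for name, bit in FLAG_BITS.items() if flags & bit},
        "window": window,
        "checksum": csum,
        "urgent_pointer": urg,
        "data": segment[header_len:],
    }


def describe(fields: dict) -> str:
    """Name the segment as the handshake slide does: SYN, SYN/ACK, ACK, RST, ..."""
    order = ["SYN", "ACK", "FIN", "RST", "URG", "PSH"]
    return "/".join(f for f in order if f in fields["flags"]) or "no flags"


def ack_is_consistent(fields: dict) -> bool:
    """Simple rule for this example: with ACK=1 the Acknowledgment Number is what
    tells the receiver which segment is acknowledged, so it must be present;
    with ACK=0 that field carries no meaning and is ignored."""
    return "ACK" not in fields["flags"] or fields["ack"] != 0


def build_tcp(src: int, dst: int, seq: int, ack: int, flags: set,
              window: int = 65535, data: bytes = b"") -> bytes:
    """Constructed helper: 20-byte header, no options, checksum left at zero."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 0x50, bits, window, 0, 0) + data


if __name__ == "__main__":
    sample = build_tcp(80, 49562, 1000, 1, {"SYN", "ACK"})   # constructed SYN/ACK
    fields = parse_tcp(sample)
    print(describe(fields), fields["src_port"], "->", fields["dst_port"],
          "seq", fields["seq"], "ack", fields["ack"], "consistent:", ack_is_consistent(fields))
```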


TCP and the Use of Flags

• TCP is a connection-oriented protocol
• Sender and receiver need to establish a connection: they need to agree to “talk”
• Flags are used for establishing the connection:
  • The sender requests connection opening: SYN flag set to 1
  • If the receiver is ready to “talk”, it responds with a SYN/ACK segment
  • The sender acknowledges the acknowledgment
• If the sender does not get an ACK, it resends the segment

3-way Handshake (PC Transport Process and Webserver Transport Process):
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgment of 1)
3. ACK (2)

Note: With connectionless protocols like UDP, there are no flags. Messages are just sent. If part of the sent messages is not received, there is no retransmission.

Flag Fields (6 bits): ACK SYN FIN RST URG PSH


Communication during a normal TCP Session

Note: At any time, either process can send a TCP RST (reset) segment with RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).

Q1: How many segments are sent in a normal TCP communication opening? ____

Q2: How many segments are sent in a normal TCP communication closing? ____


SYN/ACK Probing Attack

[Figure: Attacker 1.34.150.37 and Victim 60.168.47.47.
1. The attacker probes 60.168.47.47 with a SYN/ACK segment
2. Victim: no SYN (Open) was sent, so the SYN/ACK makes no sense!
3. The victim replies “Go away!”: an IP header plus an RST segment
4. The reply’s Source IP Address = 60.168.47.47
5. The attacker learns that 60.168.47.47 is live!]

• Sending SYN/ACK segments helps attackers locate “live” targets
• Older Windows OSes could crash when they received a SYN/ACK probe
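The three-way handshake from the previous slide and the RST answer to an unsolicited SYN/ACK described here, as an added example that is not from the slides, together with a defender-side check: unsolicited_synacks() scans a trace for SYN/ACK segments addressed to a host that never sent a SYN to their source, which is the pattern to watch for when monitoring for this probe. Endpoint is a deliberately minimal model (no sequence numbers, no timers), segments are plain dicts, and the addresses are the ones on the slide plus constructed ones.

```python
"""Added example (not from the slides): a minimal TCP endpoint model that
runs the three-way handshake, answers an unsolicited SYN/ACK with RST, and a
detector for SYN/ACK segments that no local SYN explains."""


class Endpoint:
    """Per-peer connection state: CLOSED -> SYN_SENT -> ESTABLISHED (client)
    or CLOSED -> SYN_RCVD -> ESTABLISHED (server)."""

    def __init__(self, ip: str):
        self.ip = ip
        self.state = {}   # peer ip -> state name
        self.sent = []    # every segment this endpoint transmitted

    def _send(self, dst: str, flags: set, step: int) -> dict:
        seg = {"src": self.ip, "dst": dst, "flags": set(flags), "step": step}
        self.sent.append(seg)
        return seg

    def connect(self, dst: str) -> dict:
        """1. SYN (Open)"""
        self.state[dst] = "SYN_SENT"
        return self._send(dst, {"SYN"}, 1)

    def receive(self, seg: dict):
        """Process one incoming segment; return the reply or None."""
        peer, flags = seg["src"], seg["flags"]
        st = self.state.get(peer, "CLOSED")
        if flags == {"SYN"} and st == "CLOSED":
            self.state[peer] = "SYN_RCVD"               # 2. SYN, ACK (1)
            return self._send(peer, {"SYN", "ACK"}, 2)
        if flags == {"SYN", "ACK"} and st == "SYN_SENT":
            self.state[peer] = "ESTABLISHED"            # 3. ACK (2)
            return self._send(peer, {"ACK"}, 3)
        if flags == {"ACK"} and st == "SYN_RCVD":
            self.state[peer] = "ESTABLISHED"
            return None
        if "RST" in flags:
            self.state.pop(peer, None)                  # connection dropped
            return None
        # Anything else, e.g. a SYN/ACK when no SYN was sent: "Go away!"
        return self._send(peer, {"RST"}, 0)


def handshake(client: Endpoint, server: Endpoint) -> list:
    """Run the three segments of the slide and return their flag sets in order."""
    s1 = client.connect(server.ip)
    s2 = server.receive(s1)
    s3 = client.receive(s2)
    server.receive(s3)
    return [s["flags"] for s in (s1, s2, s3)]


def unsolicited_synacks(trace: list, our_ip: str) -> list:
    """Detector: SYN/ACK segments addressed to our_ip whose source we never
    sent a SYN to. Returns the source addresses worth investigating."""
    syn_sent_to = {s["dst"] for s in trace
                   if s["src"] == our_ip and s["flags"] == {"SYN"}}
    return [s["src"] for s in trace
            if s["dst"] == our_ip and s["flags"] == {"SYN", "ACK"}
            and s["src"] not in syn_sent_to]


if __name__ == "__main__":
    pc, web = Endpoint("10.0.0.5"), Endpoint("10.0.0.80")        # constructed
    print("handshake:", handshake(pc, web))
    victim = Endpoint("60.168.47.47")
    probe = {"src": "1.34.150.37", "dst": victim.ip, "flags": {"SYN", "ACK"}, "step": 1}
    print("reply to probe:", victim.receive(probe)["flags"])
    print("flagged sources:", unsolicited_synacks([probe] + victim.sent, victim.ip))
```

In a normal session the SYN/ACK from the server is matched by the SYN the client sent just before, so the detector stays quiet; the probe on the slide produces a SYN/ACK with no matching SYN in the host's own traffic, and that absence, not the RST itself, is what identifies it.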


TCP and the Use of Port Numbers

• Port numbers identify applications
• Well-known ports (0-1023): used by major server applications running with root authority.
  HTTP web service = 80, Telnet = 23, FTP = 21, SMTP e-mail = 25
• Registered ports (1024-49151): used by client and server applications.
• Ephemeral/dynamic/private ports (49152-65535): not permanently assigned by ICANN.

Socket notation: IP address:Port #

[Figure: a computer (hardware: processor, RAM chip, HD; operating system) running the web server applications www:80, FTP:21, SMTP:25]

Source Port Number (16 bits) | Destination Port Number (16 bits)


Summary Questions (Part 3)

A host sends a TCP segment with source port number 25 and destination port number 49562.

1) Is the source host a server or a client? Why?

2) If the host is a server, what kind of service does it provide?

3) Is the destination host a server or a client? Why?


TCP and Port Spoofing

• Most companies set their firewall to accept packets to and from port 80
• Attackers set their client program to use the well-known port 80
• Attackers set their application to use a well-known port despite not being the service associated with the port
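Port classes, socket notation and a defence against port spoofing, as an added example that is not from the slides: port_class() applies the three ranges from the port-number slide, likely_role() is a heuristic in the spirit of Summary Questions (Part 3), and firewall_decision() compares a port-80-only rule with one that also checks that the data field begins with an HTTP request line. The application-layer check is an assumption about how a firewall could respond to port spoofing, not something the slides describe; connections and payloads are constructed.

```python
"""Added example (not from the slides): port classes, socket notation, and
why a port-only firewall rule is weak against port spoofing."""

WELL_KNOWN_SERVICES = {80: "HTTP", 23: "Telnet", 21: "FTP", 25: "SMTP"}  # from the slide


def port_class(port: int) -> str:
    """The three ranges on the port-number slide."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


def parse_socket(text: str) -> tuple:
    """Socket notation 'IP address:port', e.g. '60.168.47.47:80'."""
    ip, _, port = text.rpartition(":")
    if not ip or not port.isdigit():
        raise ValueError(f"not socket notation: {text!r}")
    return ip, int(port)


def likely_role(src_port: int, dst_port: int) -> str:
    """Heuristic: the side using a well-known port is normally the server."""
    src_cls, dst_cls = port_class(src_port), port_class(dst_port)
    if src_cls == "well-known" and dst_cls != "well-known":
        return "source is the server (%s)" % WELL_KNOWN_SERVICES.get(src_port, "port %d" % src_port)
    if dst_cls == "well-known" and src_cls != "well-known":
        return "destination is the server (%s)" % WELL_KNOWN_SERVICES.get(dst_port, "port %d" % dst_port)
    return "undetermined"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http_request(data: bytes) -> bool:
    """Minimal request-line check: METHOD SP target SP HTTP/x.y CRLF."""
    if not data.startswith(HTTP_METHODS):
        return False
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/")


def firewall_decision(dst_port: int, data: bytes) -> dict:
    """Port-only rule (accept port 80) beside the same rule plus a check that
    what is sent to port 80 actually starts like an HTTP request."""
    port_rule = "allow" if dst_port == 80 else "drop"
    payload_check = port_rule
    if port_rule == "allow" and not looks_like_http_request(data):
        payload_check = "drop"            # port 80, but not HTTP: likely spoofed
    return {"port_rule": port_rule, "with_payload_check": payload_check}


if __name__ == "__main__":
    ip, port = parse_socket("60.168.47.47:80")                 # from the slide
    print(ip, port, port_class(port), "|", likely_role(25, 49562))
    print(firewall_decision(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    print(firewall_decision(80, b"\x00\x01constructed-non-http-traffic"))
```

The payload check is intentionally crude (a real gateway would parse further and also watch the server side), but it already separates the two cases the slide contrasts: genuine web traffic on port 80 passes both rules, while a non-HTTP client merely configured to use port 80 passes the port-only rule and fails the second.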


Summary Questions (Part 4)

1. What is IP Fragmentation? Does IP fragmentation make it easier for firewall to filter incoming packets? Why?

2. What is SYN/ACK probing attack?

3. What kind of port numbers do major server applications, such as email service, use?

4. What kind of port numbers do client applications usually use?

5. What is socket notation?

6. What is port spoofing?

7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked?