1 TCP/IP Protocols • Contains Five Layers • Top three layers contains many protocols • Actual transmission at the physical layer

1

TCP/IP Protocols

• Contains Five Layers

• Top three layers contain many protocols

• Actual transmission at the physical layer

2

TCP/IP Layers

Application (Application / Presentation / Session): SMTP, FTP, DNS, TELNET, HTTP
Transport: TCP, UDP
Network: IP, ICMP, ARP, RARP
Data Link
Physical: Protocols specific to the underlying physical media used for data communication at the hardware level

3

Message Transfer using TCP/IP

Source (each layer adds its header in front of what it receives from the layer above):
Original Message
TCP header | Original Message
IP header | TCP header | Original Message
Frame header | IP header | TCP header | Original Message

Destination (each layer strips its own header and passes the rest up):
Frame header | IP header | TCP header | Original Message
IP header | TCP header | Original Message
TCP header | Original Message
Original Message


4

TCP

• Reliable transport layer communication

• Establishes a logical connection between the communicating hosts

• Socket-to-socket communication (Socket = Port + IP address)

5

TCP Segment Format

20-to-60 bytes header consisting of the following fields, followed by the Data:

Source Port number: 2 bytes
Destination Port number: 2 bytes
Sequence Number: 4 bytes
Acknowledgement Number: 4 bytes
Header Length: 4 bits
Reserved: 6 bits
Flag: 6 bits
Window size: 2 bytes
Checksum: 2 bytes
Urgent pointer: 2 bytes
Options: 0 to 40 bytes
Data


6

IP

• Best effort delivery

• Does not guarantee success

• Leaves error checking to higher layers (e.g. to TCP)

7

IP Datagram Format

Version (4 bits) | HLEN (4 bits) | Service Type (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags (3 bits) | Fragmentation Offset (13 bits)
Time to live (8 bits) | Protocol (8 bits) | Header Checksum (16 bits)
Source IP address (32 bits)
Destination IP address (32 bits)
Options
Data
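As an added worked example (not part of the deck), the following Python builds a packet with the two layouts shown on the TCP Segment Format and IP Datagram Format slides and then parses it back field by field. The packet bytes are constructed for illustration (addresses borrowed from the deck's NAT slides, ports and sequence numbers chosen arbitrarily). The IP header checksum is the RFC 791 one's-complement sum over the header only; the TCP checksum is computed over a pseudo-header plus the whole segment, which is how TCP supplies the error checking that the IP slide says IP leaves to higher layers.

```python
import struct

IP_PROTO_TCP = 6
# The deck's 6-bit Flag field, most significant bit first.
TCP_FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Returns 0 for data that
    already carries a correct checksum, which is how verification works below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_sample_packet() -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header + 4 data bytes."""
    src, dst = bytes([192, 168, 10, 1]), bytes([210, 10, 20, 20])
    data = b"ping"
    # TCP header: ports, seq, ack, header length (5 words) + SYN flag, window, checksum, urgent
    offset_flags = (5 << 12) | 0x02
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_flags, 65535, 0, 0) + data
    # TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length) and the segment.
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ipv4_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / HLEN 5, TOS, total length, id, DF flag, TTL 64, protocol, checksum
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1C46, 0x4000, 64, IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Split a datagram into the IP fields of slide 7 and the TCP fields of slide 5."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _hdr_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hlen < 20 or len(pkt) < total_len:
        raise ValueError("not a well-formed IPv4 datagram")
    ip_info = {
        "version": version, "hlen": hlen, "service_type": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "src": ip_to_str(src), "dst": ip_to_str(dst),
        "options": pkt[20:hlen],
        "header_checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,
    }
    if proto != IP_PROTO_TCP:
        return {"ip": ip_info, "tcp": None}
    seg = pkt[hlen:total_len]
    sport, dport, seq, ack, off_flags, window, _cksum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    thl = (off_flags >> 12) * 4            # Header Length: 4 bits, in 32-bit words
    flag_bits = off_flags & 0x3F           # Flag: 6 bits
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
    tcp_info = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_length": thl, "reserved": (off_flags >> 6) & 0x3F,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << (5 - i))],
        "window": window, "urgent_pointer": urg,
        "options": seg[20:thl], "data": seg[thl:],
        "checksum_ok": ipv4_checksum(pseudo + seg) == 0,
    }
    return {"ip": ip_info, "tcp": tcp_info}


if __name__ == "__main__":
    parsed = parse_packet(build_sample_packet())
    print(parsed["ip"])
    print(parsed["tcp"])
```

Flipping any byte of the IP header makes `header_checksum_ok` false, but note that the IP checksum protects only the header; corruption in the TCP header or data is caught by the TCP checksum, and neither is a defence against deliberate modification, which is the gap the IPSec slides later address.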


8

Network Aspects

• Internal network (e.g. LAN)

• External Network (e.g. Internet)

• Threats from the External Network to the Internal Network

9

Network Threats

(Figure: the corporate network backbone connects to the Internet through a router.)
Router to Internet: outside dangers can come in from here; inside information can leak out from here
Corporate network


10

Firewall

• Special type of router

• Controls transmission between internal and external networks

• Decides what to allow/disallow

11

NAT Implementation

Internal network with internal IP addresses: 192.168.10.1, 192.168.10.2, 192.168.10.3
NAT router: Router’s internal IP address 192.168.10.10, Router’s external IP address 201.26.7.9
Internet

12

NAT Example

Internal network with internal IP addresses (host 192.168.10.1); NAT router with internal address 192.168.10.10 and external address 201.26.7.9; Internet

Outgoing packet: Source: 192.168.10.1 (inside)  ->  Source: 201.26.7.9 (on the Internet)
Incoming packet: Destination: 201.26.7.9 (on the Internet)  ->  Destination: 192.168.10.1 (inside)

13

NAT Translation Table

NAT router: internal address 192.168.10.10, external address 201.26.7.9

Outgoing: Source: 192.168.10.1, Destination: 210.10.20.20  ->  Source: 201.26.7.9, Destination: 210.10.20.20
Incoming: Source: 210.10.20.20, Destination: 201.26.7.9  ->  Source: 210.10.20.20, Destination: 192.168.10.1

Translation table:
Internal        External
192.168.10.1    210.10.20.20
…               …
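An added example (mine, not the deck's) of the translation described on the three NAT slides: a router with the deck's addresses (external 201.26.7.9, hosts in 192.168.10.0) rewrites the source of outgoing packets and the destination of the matching replies, keeping one table row per internal flow. It goes one step beyond the slide's two-column table by also substituting a source port, which is what lets several internal hosts share the single external address (NAPT); the port pool and the packet fields are assumptions of this example. Inbound packets for which no row exists are dropped, which is the filtering side effect NAT provides even without a firewall.

```python
from dataclasses import dataclass, field

# Addresses from the deck's NAT slides; the port pool is this example's own assumption.
ROUTER_INTERNAL_IP = "192.168.10.10"
ROUTER_EXTERNAL_IP = "201.26.7.9"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    external_ip: str = ROUTER_EXTERNAL_IP
    first_port: int = 40000                    # assumed pool of external ports
    # Translation table: one row per internal flow (the slide's Internal/External
    # columns) plus the external port the router substituted, so replies to
    # different internal hosts can be told apart.
    table: dict = field(default_factory=dict)    # (int_ip, int_port, ext_host, ext_port) -> mapped port
    reverse: dict = field(default_factory=dict)  # (mapped port, ext_host, ext_port) -> (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: rewrite the source to the router's external address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            mapped = self.first_port + len(self.table)
            self.table[key] = mapped
            self.reverse[(mapped, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Internet -> internal: rewrite the destination from the table, or drop (None)."""
        if pkt.dst != self.external_ip:
            return None                          # not addressed to the router
        entry = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                          # no row: unsolicited packet, dropped
        int_ip, int_port = entry
        return Packet(pkt.src, pkt.sport, int_ip, int_port)

    def rows(self):
        """The slide's Internal / External columns, one tuple per table row."""
        return [(key[0], key[2]) for key in self.table]


if __name__ == "__main__":
    nat = NatRouter()
    print(nat.outbound(Packet("192.168.10.1", 5000, "210.10.20.20", 80)))
    print(nat.inbound(Packet("210.10.20.20", 80, ROUTER_EXTERNAL_IP, 40000)))
    print(nat.rows())
```

Only the reply that matches an existing row is forwarded inside; a packet to the external address on any other port never reaches an internal host because the router has nothing to translate it to.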

14

Firewall Concept

(Figure: the corporate network backbone connects to the Internet through a firewall.)
Corporate network  --  Firewall  --  To Internet

15

Firewall Types

Firewalls: Packet Filters | Application Gateways

16

Packet Filter

Internet  --  Packet filter  --  Internal (Private) Network (Protected zone)

17

Packet Filter Operation

Both outgoing packets and incoming packets pass through the filter.
Receive each packet.
Apply rules.
If no rules, apply default rules.

18

Packet Filter Defeating IP Spoofing Attack

Internal network and the IP addresses of the hosts: 178.29.10.89, 178.29.10.90, 178.29.10.91
Incoming packet (from the outside) with Source address: 178.29.10.91
Packet filter: STOP!
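As an added example (not from the deck), here is the loop from the Packet Filter Operation slide (receive each packet, apply rules in order, fall back to the default rule) with the check from the Defeating IP Spoofing slide placed first in the rule list: a packet that arrives on the outside interface claiming an internal source address is stopped before any other rule can allow it. The example assumes the deck's hosts 178.29.10.89 to .91 sit in 178.29.10.0/24, that the filter knows which interface a packet arrived on, and a deny default; the two service rules are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The deck's internal hosts are 178.29.10.89, .90 and .91; this example assumes
# they live in 178.29.10.0/24 (the slide does not state the prefix length).
INTERNAL_NET = ipaddress.ip_network("178.29.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "external" or "internal"
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    note: str                             # why the rule exists (useful in logs)
    iface: Optional[str] = None           # None matches any interface
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and ipaddress.ip_address(p.src) in self.src
            and ipaddress.ip_address(p.dst) in self.dst
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Rules are tried in order and the first match wins (the slide's "apply rules").
RULES = [
    # Anti-spoofing: a packet arriving from the Internet cannot legitimately carry an
    # internal source address, so it is stopped before any allow rule is consulted.
    Rule("deny", "spoofed internal source on external interface",
         iface="external", src=INTERNAL_NET),
    # Illustrative service rules (this example's assumptions, not from the deck).
    Rule("allow", "inbound mail to internal hosts",
         iface="external", dst=INTERNAL_NET, proto="tcp", dport=25),
    Rule("allow", "outgoing traffic from inside",
         iface="internal", src=INTERNAL_NET),
]
DEFAULT = ("deny", "default rule: nothing matched")


def filter_packet(p: Packet, rules=RULES, default=DEFAULT):
    """Receive each packet, apply the rules in order; if none matches, apply the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.note
    return default


if __name__ == "__main__":
    spoofed = Packet("external", "178.29.10.91", "178.29.10.90", "tcp", 25)
    print(filter_packet(spoofed))   # ('deny', 'spoofed internal source on external interface')
```

The interface check is what makes the anti-spoofing rule sound: the same source address is perfectly normal on the internal interface, so the rule keys on where the packet came from, not only on what it says.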

19

Application Gateway

Outside connection  --  Application gateway (HTTP, SMTP, FTP, TELNET)  --  Inside connection

20

Circuit Gateway

Inside host (IP address = 178.29.10.90)  --  IP packet, Source address = 178.29.10.90  -->  Application gateway (HTTP, SMTP, FTP, TELNET; IP address = 178.29.10.70)  --  IP packet, Source address = 178.29.10.70  -->  Outside host

21

Application Gateway - Illusion

User’s illusion: a direct connection between the Internal host and the External host
Real connections: Internal host  --  Application gateway (HTTP, SMTP, FTP, TELNET)  --  External host

22

Firewall Configurations

• Screened host firewall, Single-homed bastion
• Screened host firewall, Dual-homed bastion
• Screened subnet firewall

23

Screened Host Firewall, Single-homed Bastion

Figure elements: Internet, Packet filter, Application gateway (HTTP, SMTP, FTP, TELNET), Internal network

24

Screened Host Firewall, Dual-homed Bastion

Figure elements: Internet, Packet filter, Application gateway (HTTP, SMTP, FTP, TELNET), Internal network

25

Screened Subnet Firewall

Figure elements: Internet, Packet filter, Application gateway (HTTP, SMTP, FTP, TELNET), Packet filter, Internal network

26

Demilitarized Zone (DMZ)

Figure elements: Internet, Firewall, Demilitarized Zone (DMZ), Internal private network


27

Security at multiple Layers

Application Layer

Transport Layer

Internet Layer

Data Link Layer

Physical Layer

First level of security

Second level of security


28

IPSec

• Not concerned with application layer security

• Applies security at the Internet layer

• More effective in IPv6

29

IPSec Processing Result

Internet header (Not encrypted) | Transport header (Encrypted) | Actual data (Encrypted)

30

IPSec in TCP/IP

Sender: Original message -> Application -> Transport -> IPSec -> Internet -> Data link -> Transmission medium
Receiver: Transmission medium -> Data link -> Internet -> IPSec -> Transport -> Application -> Original message

31

IPSec Protocols

IPSec: Authentication Header (AH) | Encapsulating Security Payload (ESP)

32

AH and ESP Operation Modes

AH and ESP modes of operation: Tunnel mode | Transport mode

33

Tunnel Mode

X (Network 1)  --  P1 (Proxy)  ==== Tunnel ====  P2 (Proxy)  --  Y (Network 2)

34

Tunnel Mode Implementation

A <---> B
P1 <---> P2 …

External IP header (not encrypted) | Internal IP header and data (encrypted)

35

IPSec steps

Step 1: Algorithm and Key negotiations using IKE
Step 2: Actual AH and ESP operations

36

AH Format

Bit 0 8 16 31
Next header (bits 0-7) | Payload length (bits 8-15) | Reserved (bits 16-31)
Security Parameter Index (SPI) (32 bits)
Sequence number (32 bits)
Authentication data (Variable size)

37

Receiver’s Sliding Window

Receiver’s sliding window (W = 8), spanning sequence numbers from N – W up to N (N = highest sequence number received so far)
Each slot is marked if a valid packet is received, and unmarked if a valid packet is not yet received

38

AH Transport Mode

(a) Before applying AH: IP header | TCP header | Original data
(b) After applying AH:  IP header | AH | TCP header | Original data

39

AH Tunnel Mode

(a) Before applying AH: IP header | TCP header | Original data
(b) After applying AH:  New IP header | AH | Original IP header | TCP header | Original data

40

ESP Format

Bit 0 16 24 31
Security Parameter Index (SPI) (32 bits)
Sequence Number (32 bits)
Payload data (Variable size)
Padding (0-255 bytes)
Padding length (bits 16-23) | Next header (bits 24-31)
Authentication data (Variable size)

41

ESP Transport Mode

(a) Before applying ESP: IP header | TCP header | Original data
(b) After applying ESP:  Original IP header | ESP header | TCP header | Original data | ESP trailer | ESP auth
    Encrypted: TCP header through ESP trailer
    Authenticated: ESP header through ESP trailer
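An added example (not the deck's code) that ties together three slides: the Receiver's Sliding Window (W = 8), the ESP Format, and ESP Transport Mode. The window class keeps N and a W-bit map of marked slots and is consulted only after the authentication data has verified, so a forged packet cannot move the window. The ESP half builds the SPI/sequence-number header, the padded trailer (padding length and next header) and the authentication data, using NULL encryption (RFC 2410, which ESP permits when only integrity is wanted) and HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm; the slide's "Encrypted" span is therefore present but carried in the clear, and a real cipher would be applied to exactly that span. Key, SPI and the stand-in for the TCP header plus data are constructed values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits
TCP_NEXT_HEADER = 6


class AntiReplayWindow:
    """Receiver's sliding window over AH/ESP sequence numbers (the slide's W = 8).

    `right` is N, the highest sequence number accepted so far; bit i of `bitmap`
    is set once sequence number N - i has been accepted (a marked slot). The
    window holds the W numbers N - W + 1 .. N; anything at or below N - W is stale.
    """

    def __init__(self, size=8):
        self.size = size
        self.right = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Accept and mark seq if it is new and inside or right of the window."""
        if seq == 0:                          # sequence numbers start at 1
            return False
        if seq > self.right:                  # right of the window: slide it
            shift = seq - self.right
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:               # at or left of N - W: too old
            return False
        if self.bitmap & (1 << offset):       # slot already marked: replay
            return False
        self.bitmap |= 1 << offset
        return True


def esp_encapsulate(spi, seq, inner, next_header, auth_key, block=4):
    """Transport-mode ESP with NULL encryption; inner is the TCP header + original data."""
    # Pad so that payload + padding + the 2 trailer bytes is a multiple of the block size.
    pad_len = (-(len(inner) + 2)) % block
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding bytes
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    header = struct.pack("!II", spi, seq)              # ESP header: SPI, Sequence Number
    body = header + inner + trailer                    # the slide's "Authenticated" span
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv                                  # ESP auth follows the trailer


def esp_decapsulate(pkt, auth_key, window):
    """Return (spi, next_header, inner); raise ValueError on ICV, replay or padding failure."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("short ESP packet")
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # 1. integrity check
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):               # 2. anti-replay, only for valid packets
        raise ValueError("replayed or stale sequence number")
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload = body[8:-2]                               # 3. a cipher would be removed here
    if pad_len > len(payload):
        raise ValueError("bad padding length")
    return spi, next_header, payload[:len(payload) - pad_len]


# Constructed demo values (not real keys or traffic).
KEY = b"constructed-demo-key-not-for-real-use"
INNER = b"TCP-header+data"   # 15-byte stand-in for the TCP header and original data

if __name__ == "__main__":
    rx = AntiReplayWindow(8)
    pkt = esp_encapsulate(0x1000, 1, INNER, TCP_NEXT_HEADER, KEY)
    print(len(pkt), esp_decapsulate(pkt, KEY, rx))
```

With a 15-byte inner segment the trailer needs 3 padding bytes so that 15 + 3 + 2 is a multiple of 4; the packet is then 8 + 15 + 5 + 16 = 44 bytes. Replaying the same packet fails at step 2 even though its ICV is valid, and a tampered packet fails at step 1 without touching the window.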

42

ESP Tunnel Mode

(a) Before applying ESP: IP header | TCP header | Original data
(b) After applying ESP:  New IP header | ESP header | Original IP header | TCP header | Original data | ESP trailer | ESP auth
    Encrypted: Original IP header through ESP trailer
    Authenticated: ESP header through ESP trailer

43

ISAKMP Header Format

Bit 0 8 16 24 31
Initiator cookie (64 bits)
Responder cookie (64 bits)
Next payload (bits 0-7) | Major version (bits 8-11) | Minor version (bits 12-15) | Exchange type (bits 16-23) | Flags (bits 24-31)
Message ID (32 bits)
Length (32 bits)


44

Virtual Private Network (VPN)

• Uses the Internet as if it is a private network

• Far less expensive than a leased line

• Uses IPSec protocol

45

VPN Between Two Networks

X (Network 1)  --  Firewall 1  ==== VPN tunnel across the Internet ====  Firewall 2  --  Y (Network 2)