Slide #1
CIT 380: Securing Computer Systems
TCP/IP
IP: Internet Protocol
IPv4 underlies the Internet.
– 32-bit addresses in dotted-quad notation: 10.17.0.90.
– IPv6 is the successor, with 128-bit addresses.
Complexities: addressing, routing.
Slide #2
Slide #3
IP Header
Slide #4
IP Header
Protocol version: 4 for IPv4.
Header length (IHL): 5-15 32-bit words, i.e. 20-60 bytes (20 bytes when no options are present).
Type of service (TOS) byte:
– 3-bit precedence (ignored today)
– 4 TOS bits: minimize delay (telnet), maximize throughput (ftp), maximize reliability, minimize monetary cost
– 1 unused bit, must be zero
– The byte has since been redefined as a 6-bit DSCP field plus 2 ECN bits (RFC 2474, RFC 3168).
Slide #5
IP Header
Total length: length of the whole IP datagram, header included, in bytes.
– maximum size: 65535 bytes
– packets larger than the link MTU are fragmented by the IP layer (see IP Fragments), not by the data link layer
– the link layer may pad short frames (Ethernet requires a 46-byte minimum payload); the receiver uses the total length field, not the frame length, to find the end of the datagram
TTL: upper limit on the number of router hops; each router decrements it and discards the packet when it reaches zero (sending an ICMP time exceeded message back).
Protocol: which protocol supplied the packet data (1 = ICMP, 6 = TCP, 17 = UDP).
Header checksum: covers the IP header only, not the data; it is recomputed at every hop because the TTL changes.
Slide #6
IP Fragments
IP packets may be fragmented by the sending host or by a router for transmission across a link with a smaller MTU.
– Max IP packet size: 65535 bytes
– Max Ethernet payload (MTU): 1500 bytes
IP headers contain fragment data:
– Don't Fragment flag: 0 = fragmentation allowed, 1 = don't fragment (the router drops the packet and sends an ICMP "fragmentation needed" error instead)
– More Fragments flag: 0 = last fragment, 1 = more fragments follow
– Identification: the same value is copied into every fragment of one original datagram so the receiver can group them for reassembly
– Fragment Offset: where the fragment's contents go in the original datagram, measured in 8-byte units
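A worked parser for the header fields on the three IP Header slides and the IP Fragments slide, added here as an example (it is not part of the CIT 380 slides). It builds a 20-byte header with a correct RFC 1071 checksum, decodes version, IHL, TOS, total length, identification, the DF/MF flags, the 8-byte-unit fragment offset, TTL and protocol, verifies the checksum, and uses the total length field rather than the frame length to strip Ethernet padding. The sample packet, its addresses and the `build_ipv4_header`/`parse_ipv4` names are constructed for this example.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement of the ones'-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int, ident: int,
                      ttl: int = 64, df: bool = False, mf: bool = False, frag_offset: int = 0) -> bytes:
    """Return a 20-byte IPv4 header with a valid checksum. frag_offset is in bytes (multiple of 8)."""
    if frag_offset % 8 or frag_offset // 8 > 0x1FFF:
        raise ValueError("fragment offset must be a multiple of 8 that fits in 13 bits")
    flags = (int(df) << 1) | int(mf)
    flags_frag = (flags << 13) | (frag_offset // 8)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header of a received IPv4 packet and return its fields plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated: shorter than the minimum IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    version, ihl_bytes = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl_bytes < 20 or ihl_bytes > total_len or total_len > len(pkt):
        raise ValueError("inconsistent IHL / total length")
    return {
        "version": version,
        "header_len": ihl_bytes,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,          # 13-bit field, 8-byte units
        "ttl": ttl,
        "proto": proto,
        # summing the header including the checksum field must give zero
        "checksum_ok": internet_checksum(pkt[:ihl_bytes]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # Ethernet pads short frames; total_len, not len(pkt), bounds the real payload
        "payload": pkt[ihl_bytes:total_len],
    }


# Constructed sample: a UDP packet with 8 payload bytes from 10.17.0.90 to 10.1.0.1, DF set,
# then padded to 46 bytes the way a minimum-size Ethernet frame would be.
SAMPLE = build_ipv4_header("10.17.0.90", "10.1.0.1", 8, 17, 0x1234, df=True) \
    + b"\x00\x35\x00\x35\x00\x08\x00\x00"
SAMPLE_PADDED = SAMPLE + b"\x00" * (46 - len(SAMPLE))

if __name__ == "__main__":
    for name, value in parse_ipv4(SAMPLE_PADDED).items():
        print(f"{name:12} {value!r}")
```

The IHL/total-length consistency check matters in practice: a header that claims more bytes than the frame carries is exactly what a parser must refuse before indexing into the payload.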
Slide #7
Internet Addresses
32-bit IPv4 addresses
– Dotted decimal notation: ii.jj.kk.ll
Divided into two parts:
– Network ID
– Host ID
– AND the address with the netmask to get the Network ID; the remaining (host) bits are the Host ID.
[diagram: | Network ID | Host ID |]
Slide #8
Address Classes
Class A: 0.0.0.0-127.255.255.255
– 8-bit net ID, 24-bit host ID
Class B: 128.0.0.0-191.255.255.255
– 16-bit net ID, 16-bit host ID
Class C: 192.0.0.0-223.255.255.255
– 24-bit net ID, 8-bit host ID
Class D: 224.0.0.0-239.255.255.255
– 28-bit multicast group ID
Class E: 240.0.0.0-255.255.255.255
– Reserved for future use
Slide #9
CIDR
Class addressing is too inefficient.
– Routes still need to be aggregated to limit routing table size.
Example: 196.1.1.0/24
– 24 bits of Net ID: 196.1.1
– Remaining 8 bits are the host ID
Not limited to network class sizes
– Example: 192.168.128.0/22 (netmask 255.255.252.0)
– 4 class C networks: 192.168.{128,129,130,131}.0
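The netmask arithmetic from the Internet Addresses, Address Classes and CIDR slides, carried out in code as an added example (not part of the CIT 380 slides): a prefix length becomes a mask, the network ID is the address AND the mask, the classful class is read from the leading bits, and a supernet such as 192.168.128.0/22 is expanded into the /24 blocks it covers. All function names and sample addresses are constructed for this example.

```python
def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/22 -> 0xFFFFFC00 (255.255.252.0): the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_id(addr: str, prefix: int) -> str:
    # AND keeps the network bits and zeroes the host bits; XOR would flip the network bits instead.
    return int_to_ip(ip_to_int(addr) & prefix_to_mask(prefix))


def host_id(addr: str, prefix: int) -> int:
    return ip_to_int(addr) & (~prefix_to_mask(prefix) & 0xFFFFFFFF)


def address_class(addr: str) -> str:
    """Classful (pre-CIDR) class, decided by the first octet."""
    first = ip_to_int(addr) >> 24
    for limit, cls in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return cls
    return "E"


def in_network(addr: str, cidr: str) -> bool:
    net, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return (ip_to_int(addr) & mask) == (ip_to_int(net) & mask)


def class_c_blocks(cidr: str) -> list:
    """List the /24 networks a supernet covers, e.g. 192.168.128.0/22 -> four class-C-sized blocks."""
    net, prefix = cidr.split("/")
    prefix = int(prefix)
    if prefix > 24:
        raise ValueError("block is smaller than a /24")
    base = ip_to_int(net) & prefix_to_mask(prefix)
    return [int_to_ip(base + (i << 8)) for i in range(1 << (24 - prefix))]


if __name__ == "__main__":
    print(network_id("196.1.1.77", 24), host_id("196.1.1.77", 24), address_class("196.1.1.77"))
    print(int_to_ip(prefix_to_mask(22)), class_c_blocks("192.168.128.0/22"))
```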
Slide #10
Network Address Translation
Local network uses IETF-reserved private addresses.
– Not routable on the public Internet: no Internet router will forward packets to them.
– RFC 1918: 10.0.0.0/8 (10.x.y.z), 172.16.0.0/12 (172.16-31.y.z), 192.168.0.0/16 (192.168.y.z)
Gateway translates private addresses to unique, routable IP addresses.
[diagram: NAT gateway between Internal Network and Internet]
– Internal Network side: Src = 10.0.0.1 on the outbound packet, Dst = 10.0.0.1 on the reply
– Internet side: Src = 2.3.4.5 on the outbound packet, Dst = 2.3.4.5 on the reply
Slide #11
NAT Techniques
One-to-one mapping
– Map each internal IP address to its own external IP address.
– Need as many external IP addresses as there are internal hosts talking to the Internet at the same time.
Many-to-one mapping: Port Address Translation (PAT)
– Map all internal IP addresses to a single external IP address.
– The NAT device tells flows apart by rewriting the source port and keeping a state table of the mappings; an inbound packet that matches no table entry is dropped.
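A PAT gateway's state table as an added example (not code from the CIT 380 slides): outbound packets from RFC 1918 sources get the external address and a fresh external port, replies are mapped back through the table, and anything inbound with no entry is dropped. The `Packet` type, the `PATGateway` name, the external address 2.3.4.5 from the slide and the remote address 198.51.100.7 (a documentation range) are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PATGateway:
    """Many-to-one NAT: every internal flow is rewritten to one external IP and a unique external port."""

    def __init__(self, external_ip: str, port_range=range(1024, 65536)):
        self.external_ip = external_ip
        self._free_ports = iter(port_range)
        self.outbound = {}   # (proto, int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.inbound = {}    # (proto, ext_port, remote_ip, remote_port) -> (int_ip, int_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: allocate (or reuse) an external port and rewrite the source."""
        if not is_private(pkt.src_ip) or is_private(pkt.dst_ip):
            return pkt                       # nothing to translate (not from inside, or internal-to-internal)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = next(self._free_ports, None)
            if ext_port is None:
                raise RuntimeError("external port pool exhausted")   # the PAT failure mode under load
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def translate_inbound(self, pkt: Packet):
        """Internet -> internal: only a packet matching an existing mapping gets through; None means dropped."""
        entry = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


if __name__ == "__main__":
    gw = PATGateway("2.3.4.5")
    out = gw.translate_outbound(Packet("tcp", "10.0.0.1", 40000, "198.51.100.7", 80))
    print("outbound becomes", out)
    print("reply becomes", gw.translate_inbound(Packet("tcp", "198.51.100.7", 80, "2.3.4.5", out.src_port)))
```

The table is keyed on the full 5-tuple, so a reply from a different remote host or port does not match even if it targets the right external port; this is the strict (endpoint-dependent) mapping, and the reason unsolicited inbound traffic is blocked by a NAT without any explicit firewall rule.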
Slide #12
ARP: Address Resolution Protocol
On a LAN, frames are delivered by MAC address, not by IP address.
How does the network layer supply the link layer with a MAC address?
ARP: Address Resolution Protocol
– Maps 32-bit IP addresses to 48-bit MAC addresses
– Data link layer protocol carried directly in Ethernet frames (EtherType 0x0806), not inside IP
– RARP: Reverse ARP, maps a MAC address back to an IP address
Slide #13
ARP Example
sftp zappa.nku.edu
1. sftp obtains the IP address via gethostbyname() (a DNS lookup).
2. sftp asks TCP to connect to that IP address.
3. TCP sends a connection request (SYN) to zappa in an IP datagram.
4. The sending host emits an ARP broadcast asking for the MAC address of the given IP address (for a destination off the local subnet, it asks for the router's MAC address instead).
5. The destination host's ARP layer receives the broadcast and answers with an ARP reply containing its IP -> MAC mapping.
6. The sending host constructs an Ethernet frame with that destination MAC address, containing the IP datagram.
7. The sending host sends the IP datagram, and caches the mapping for later packets.
Slide #14
ARP Cache
st361m13 (10.1.0.90) > arp -a

Net to Media Table: IPv4
Device   IP Address        Phys Addr
------   ---------------   -----------------
hme0     at_elan.lc3net    00:00:a2:cb:28:5e
hme0     10.1.0.79         00:e0:cf:00:0e:92
hme0     st361m13          08:00:20:d8:e0:07
hme0     10.1.7.103        00:90:27:b6:b5:e5
hme0     10.1.0.139        00:e0:cf:00:15:bd
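The request/reply exchange from the ARP slides, built and parsed on the wire as an added example (not code from the CIT 380 slides). The `ArpCache` class also shows the check a hardened resolver applies: a reply is only cached if it answers a request we actually sent, its Ethernet source matches the MAC it advertises, and it does not silently change an existing binding. That policy is stricter than most stacks, which accept unsolicited replies and so are open to cache poisoning. The MAC and IP values are taken from the arp -a slide; the class and function names are constructed for this example.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP request (op 1, broadcast) or reply (op 2, unicast)."""
    eth_dst = BROADCAST if op == 1 else mac_bytes(target_mac)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa), "eth_src": mac_str(frame[6:12])}


class ArpCache:
    """IP -> MAC table that only learns from replies to its own requests."""

    def __init__(self):
        self.table = {}
        self.pending = set()       # IPs we have broadcast a request for

    def request(self, my_mac: str, my_ip: str, target_ip: str) -> bytes:
        self.pending.add(target_ip)
        return build_arp_frame(1, my_mac, my_ip, "00:00:00:00:00:00", target_ip)

    def handle(self, frame: bytes) -> str:
        a = parse_arp_frame(frame)
        if a["op"] != 2:
            return "ignored"          # requests are answered by their target, nothing to cache here
        if a["sender_ip"] not in self.pending:
            return "unsolicited"      # reply nobody asked for: the classic cache-poisoning vector
        if a["sender_mac"] != a["eth_src"]:
            return "mismatch"         # ARP payload claims a MAC the frame did not come from
        known = self.table.get(a["sender_ip"])
        if known is not None and known != a["sender_mac"]:
            return "conflict"         # binding changed: do not overwrite silently
        self.table[a["sender_ip"]] = a["sender_mac"]
        self.pending.discard(a["sender_ip"])
        return "learned"


if __name__ == "__main__":
    cache = ArpCache()
    req = cache.request("08:00:20:d8:e0:07", "10.1.0.90", "10.1.0.79")
    print("request:", parse_arp_frame(req))
    reply = build_arp_frame(2, "00:e0:cf:00:0e:92", "10.1.0.79", "08:00:20:d8:e0:07", "10.1.0.90")
    print("reply:", cache.handle(reply), cache.table)
```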
Slide #15
IP Routing
Slide #16
Routing Table
Where should an IP packet be sent?
Use a table lookup: the routing table.
Search process (most specific match first):
1. Search for a matching host address.
2. Search for a matching network address.
3. Search for a default route.
No route to destination: "host unreachable" or "network unreachable" error if the search fails.
Slide #17
Routing Table
st361m13 (10.1.0.90) > netstat -rn

Routing Table: IPv4
Destination     Gateway         Flags  Ref  Use     Interface
-------------   -------------   -----  ---  ------  ---------
10.1.0.0        10.1.0.90       U      1    4977    hme0
224.0.0.0       10.1.0.90       U      1    0       hme0
default         10.1.0.1        UG     1    66480
127.0.0.1       127.0.0.1       UH     6    798905  lo0
Slide #18
Routing Table
Destination: final destination host or network
Gateway: next hop on the route to the destination
Flags:
U: route is up
G: route is via a gateway (router)
H: route destination is a host (not a network)
D: route created by an ICMP redirect
M: route modified by an ICMP redirect
Slide #19
Routing Table
10.1.0.0: direct access to the local subnet (no G flag: deliver on hme0 itself)
224.0.0.0: multicast route
default: forward packets for any other destination to the router at IP 10.1.0.1
127.0.0.1: loopback
Slide #20
IP Routing
Manual (static) routes
– Added with the route command.
ICMP redirects can alter routes
– A router sends an ICMP redirect when the packet should have been sent to another router on the same subnet.
– A host should only honour a redirect that comes from the router it is currently using for that destination; otherwise any machine on the LAN can steer its traffic.
Routing protocols
– Routers exchange routes with each other using special routing protocols.
– The figure of ~30,000 routes for a full Internet routing table is long out of date; the global IPv4 table now exceeds 900,000 prefixes.
Source routing
– The sender includes routing information (an IP option) in the packet header, dictating the path.
– Widely disabled on routers and hosts because it lets a sender bypass the path, and the filtering, a network expects its traffic to follow.
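The lookup procedure from the Routing Table slides and the redirect handling from this slide, as an added example (not code from the CIT 380 slides). Longest-prefix match over a list of routes gives exactly the host -> network -> default order, an unmatched destination raises the "unreachable" case, and `apply_redirect` installs a D-flagged host route only when the redirect came from the router currently in use and names a gateway that is directly reachable. The table is the one from the netstat -rn slide; the /16 prefix on 10.1.0.0 and the interface of the default route are assumptions, since the slide's output shows neither, and the class and function names are constructed for this example.

```python
from dataclasses import dataclass, field


class NoRoute(Exception):
    """No host, network or default route matched: the 'host/network unreachable' case."""


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_mask(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


@dataclass
class Route:
    dest: str
    prefix: int       # 32 = host route (H flag), 0 = default route
    gateway: str
    flags: str        # U up, G via gateway, H host route, D created by a redirect
    iface: str

    def matches(self, addr: int) -> bool:
        m = prefix_mask(self.prefix)
        return (addr & m) == (ip_to_int(self.dest) & m)


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def add(self, dest: str, prefix: int, gateway: str, flags: str, iface: str) -> None:
        self.routes.append(Route(dest, prefix, gateway, flags, iface))

    def _best(self, dst: str) -> Route:
        """Longest matching prefix: a /32 host route beats a network route, which beats the /0 default."""
        addr = ip_to_int(dst)
        candidates = [r for r in self.routes if "U" in r.flags and r.matches(addr)]
        if not candidates:
            raise NoRoute(f"no route to {dst}")
        return max(candidates, key=lambda r: r.prefix)

    def lookup(self, dst: str):
        """Return (next_hop, interface). On a direct route the next hop is the destination itself."""
        r = self._best(dst)
        return (r.gateway if "G" in r.flags else dst), r.iface

    def apply_redirect(self, dst: str, new_gateway: str, from_router: str) -> bool:
        """Install a host route from an ICMP redirect, but only if the redirect is plausible."""
        current = self._best(dst)
        if "G" not in current.flags or current.gateway != from_router:
            return False                  # not from the router we actually use for dst: ignore
        via = self._best(new_gateway)
        if "G" in via.flags:
            return False                  # the new gateway must be directly reachable on our link
        self.add(dst, 32, new_gateway, "UGHD", via.iface)
        return True


def slide_table() -> RoutingTable:
    """The netstat -rn table from the slide (prefix lengths and default-route interface assumed)."""
    t = RoutingTable()
    t.add("10.1.0.0", 16, "10.1.0.90", "U", "hme0")
    t.add("224.0.0.0", 4, "10.1.0.90", "U", "hme0")
    t.add("0.0.0.0", 0, "10.1.0.1", "UG", "hme0")
    t.add("127.0.0.1", 32, "127.0.0.1", "UH", "lo0")
    return t


if __name__ == "__main__":
    t = slide_table()
    for dst in ("10.1.7.103", "192.0.2.10", "127.0.0.1", "224.0.0.9"):
        print(dst, "->", t.lookup(dst))
```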
Slide #21
ICMP (Internet Control Message Protocol)
Network layer protocol encapsulated in IP (protocol number 1)
– Communicates error messages and exceptional conditions.
– Messages are handled either by IP itself or passed up to TCP/UDP.
Slide #22
ICMP (Internet Control Message Protocol)
Message layout:
| IP header (20 bytes) | ICMP message |
ICMP message: | 8-bit type | 8-bit code | 16-bit checksum | contents |
– Contents depend on type and code.
– Error messages (destination unreachable, time exceeded, ...) always contain the IP header of the offending datagram plus its first 8 data bytes: enough to recover the protocol and the transport ports, so the sending host can tell which socket the error belongs to.
Slide #23
ICMP Message Types
Type 0: echo (ping) reply
Type 3: destination unreachable (the code says why: network, host, protocol, port, fragmentation needed, ...)
Type 4: source quench (deprecated)
Type 5: redirect
Type 8: echo (ping) request
Types 9, 10: router advertisement, router solicitation
Type 11: time (TTL) exceeded
Type 12: parameter (header) problem
Type 13: timestamp request
Type 14: timestamp reply
Types 15, 16: information request, reply (obsolete)
Slide #24
UDP: User Datagram Protocol
Simple datagram transport layer protocol.
– Each application write generates one UDP datagram, which produces one IP datagram.
– Trades reliability for speed: no ACKs, no retransmission, no ordering.
– Sends datagrams directly to the unreliable IP layer (protocol 17).
16-bit port numbers
– Identify the sending and receiving processes.
Applications
– DNS, SNMP, TFTP, streaming audio/video
Slide #25
UDP Header
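One added example serving both the ICMP slides above and the UDP header slide (it is not code from the CIT 380 slides). It builds a UDP datagram with the checksum computed over the IPv4 pseudo-header, verifies it, builds an ICMP echo request and a port-unreachable error that quotes the offending IP header plus 8 bytes, and parses the error back to recover the original protocol, addresses and ports. The constructed sample is a TFTP read request from 10.17.0.90 to 10.1.0.1; its IP header is hand-packed with a zero checksum, which this block does not validate, and all function names are constructed for the example.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, shared by IP, ICMP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header + payload; the checksum also covers a pseudo-header (src, dst, proto 17, length)."""
    length = 8 + len(payload)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 17, length)
    hdr = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(pseudo + hdr + payload) or 0xFFFF   # 0 means "no checksum", so send 0xFFFF
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, dgram: bytes) -> bool:
    if len(dgram) < 8 or struct.unpack("!H", dgram[4:6])[0] != len(dgram):
        return False
    if struct.unpack("!H", dgram[6:8])[0] == 0:
        return True                       # sender chose not to checksum (allowed over IPv4)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 17, len(dgram))
    return internet_checksum(pseudo + dgram) == 0


def build_icmp(type_: int, code: int, rest: bytes, body: bytes) -> bytes:
    """type, code, checksum, 4 bytes whose meaning depends on type/code, then the body."""
    msg = struct.pack("!BBH", type_, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def build_port_unreachable(offending_ip_packet: bytes) -> bytes:
    """Type 3 code 3: quotes the offending IP header plus the first 8 bytes of its payload."""
    ihl = (offending_ip_packet[0] & 0x0F) * 4
    return build_icmp(3, 3, b"\x00" * 4, offending_ip_packet[:ihl + 8])


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if internet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    type_, code = msg[0], msg[1]
    out = {"type": type_, "code": code}
    if type_ in (0, 8):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["payload"] = msg[8:]
    elif type_ in (3, 4, 5, 11, 12):
        inner = msg[8:]
        if len(inner) < 20 or len(inner) < (inner[0] & 0x0F) * 4 + 8:
            raise ValueError("error message must quote the IP header plus 8 bytes")
        ihl = (inner[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # the 8 bytes hold the transport ports
        out.update(orig_proto=inner[9], orig_src=".".join(map(str, inner[12:16])),
                   orig_dst=".".join(map(str, inner[16:20])), orig_sport=sport, orig_dport=dport)
    return out


# Constructed sample: a TFTP RRQ (UDP port 69) inside a hand-packed IPv4 header (checksum left at 0).
SAMPLE_UDP = build_udp("10.17.0.90", "10.1.0.1", 40123, 69, b"\x00\x01readme.txt\x00octet\x00")
SAMPLE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(SAMPLE_UDP), 1, 0x4000, 64, 17, 0,
                        ip_bytes("10.17.0.90"), ip_bytes("10.1.0.1")) + SAMPLE_UDP

if __name__ == "__main__":
    print(parse_icmp(build_port_unreachable(SAMPLE_IP)))
```

Recovering the quoted ports is what lets a UDP client learn that port 69 was closed, and it is also why an attacker scanning UDP ports reads ICMP port unreachable as "closed" and silence as "open or filtered".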
Slide #26
UDP Example: TFTP
Trivial File Transfer Protocol (UDP port 69)
– No authentication
TFTP session:

sun16 > tftp at204m02
tftp> get readme.txt
Received 1024 bytes in 0.2 seconds.
tftp> quit
Slide #27
TFTP Packet Types
Packet types (2-byte opcode at the start of every packet)
1) RRQ: read a file (filename, mode: netascii or octet)
2) WRQ: write a file (filename, mode)
3) DATA: file data block (block number + up to 512 bytes)
4) ACK (block number)
5) ERROR (error code + message)
Slide #28
TFTP Packet Diagram
Slide #29
TFTP Session Trace
at204m02 > snoop udp sun16

1 0.00000 sun16 -> at204m02 TFTP Read "2sun" (netascii)
2 0.00498 at204m02 -> sun16 TFTP Data block 1 (512 bytes)
3 0.00136 sun16 -> at204m02 TFTP Ack block 1
4 0.00010 at204m02 -> sun16 TFTP Data block 2 (300 bytes) (last block)
5 0.00119 sun16 -> at204m02 TFTP Ack block 2

Each data block is acknowledged before the next one is sent (lock-step), and a block shorter than 512 bytes marks the end of the file.
Slide #30
TFTP Security
Feature: no username/password required.
– TFTP is used by diskless hosts (and network devices) to fetch their boot image and configuration.
How to protect /etc/passwd?
– Limit the TFTP server's filesystem access.
– Generally only the /tftpboot directory can be accessed: the server chroots or restricts itself to it and rejects absolute paths and names containing "..".
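One added example covering the TFTP Packet Types, Session Trace and Security slides (it is not code from the CIT 380 slides): packet builders and a parser for the five opcodes, a server-side splitter that produces the 512-byte blocks and the short final block seen in the snoop trace, a lock-step client receiver that acknowledges each block and ignores retransmitted duplicates, and a `resolve_under_root` check that confines requested names to /tftpboot. The 812-byte file reproduces the 512 + 300 byte blocks of the trace; the file name "2sun" is from the slide, and all function names are constructed for this example.

```python
import posixpath
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
MODES = ("netascii", "octet", "mail")


def build_request(op: int, filename: str, mode: str = "octet") -> bytes:
    return struct.pack("!H", op) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("request missing NUL-terminated filename/mode")
        mode = fields[1].decode("ascii").lower()
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        return {"op": op, "filename": fields[0].decode("ascii"), "mode": mode}
    arg = struct.unpack("!H", pkt[2:4])[0]
    if op == DATA:   # a short block (< 512 bytes) is the end-of-file marker
        return {"op": op, "block": arg, "data": pkt[4:], "last": len(pkt) - 4 < BLOCK_SIZE}
    if op == ACK:
        return {"op": op, "block": arg}
    if op == ERROR:
        return {"op": op, "code": arg, "message": pkt[4:].split(b"\0")[0].decode("ascii", "replace")}
    raise ValueError(f"unknown opcode {op}")


def split_into_blocks(content: bytes) -> list:
    """Server side: DATA packets of 512 bytes; a final short (possibly empty) block says 'last'."""
    chunks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)] or [b""]
    if len(chunks[-1]) == BLOCK_SIZE:
        chunks.append(b"")       # size is a multiple of 512: an empty block is needed to end the transfer
    return [build_data(n, chunk) for n, chunk in enumerate(chunks, start=1)]


def receive_file(packets) -> tuple:
    """Client side: ACK each block in order, re-ACK a retransmitted one, stop at the first short block."""
    expected, chunks, acks = 1, [], []
    for pkt in packets:
        p = parse_packet(pkt)
        if p["op"] == ERROR:
            raise RuntimeError(f"server error {p['code']}: {p['message']}")
        if p["op"] != DATA:
            continue
        if p["block"] == expected - 1:
            acks.append(build_ack(p["block"]))     # duplicate of the last block: our ACK was lost
            continue
        if p["block"] != expected:
            continue                               # out of order: ignore
        chunks.append(p["data"])
        acks.append(build_ack(p["block"]))
        expected += 1
        if p["last"]:
            break
    return b"".join(chunks), acks


def resolve_under_root(root: str, requested: str) -> str:
    """Map a client-supplied file name to a path that cannot leave the served directory."""
    if "\0" in requested or requested == "" or requested.startswith("/"):
        raise PermissionError(f"refused: {requested!r}")
    if any(part in ("", ".", "..") for part in requested.split("/")):
        raise PermissionError(f"refused: {requested!r}")
    full = posixpath.normpath(posixpath.join(root, requested))
    if not full.startswith(root.rstrip("/") + "/"):   # second line of defence after the component check
        raise PermissionError(f"refused: {requested!r}")
    return full


if __name__ == "__main__":
    for pkt in split_into_blocks(b"x" * 812):
        print(parse_packet(pkt)["block"], len(pkt) - 4, "bytes")
    print(resolve_under_root("/tftpboot", "readme.txt"))
```

`resolve_under_root` checks the name lexically; a symlink inside /tftpboot pointing outside it would still escape, so a real server also resolves the final path with `os.path.realpath` (or simply chroots) before opening the file.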
Slide #31
TCP: Transmission Control Protocol
Connection-oriented
– Must establish a connection before sending data: 3-way handshake (SYN, SYN-ACK, ACK).
Reliable byte stream
– TCP decides how to divide the stream into segments.
– ACK, timeout, retransmit, reordering.
16-bit source and destination ports.
– FTP (21), SMTP (25), HTTP (80), POP3 (110)
Slide #32
TCP Reliability
1. Breaks data into best-sized chunks (segments).
2. After sending a segment, maintains a timer; if no ACK arrives within the time limit, resends the segment.
3. Sends an ACK on receipt of segments (usually delayed slightly so that several can be acknowledged at once).
4. Discards segments whose checksum over header and data is bad; the sender's timer then retransmits them.
5. Receiver resequences TCP segments so data arrives in the order sent.
6. Receiver discards duplicate segments.
7. Flow control: a sender only sends as much data as the receiver has advertised it can buffer.
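The receive side of items 3, 5, 6 and 7 above, as an added example (not code from the CIT 380 slides): a `TcpReceiver` that delivers bytes in sequence-number order, holds segments that arrive ahead of a gap, discards duplicates and trims partial overlaps, returns the ACK number after each segment, and advertises a window equal to the buffer space it has left. Sequence numbers are treated as plain integers (no 32-bit wraparound), checksums are assumed to have been verified already, and the class name, the starting sequence number and the segment contents are constructed for this example.

```python
class TcpReceiver:
    """Receive side of TCP's reliability rules: in-order delivery, duplicate discard, flow control."""

    def __init__(self, first_seq: int, capacity: int):
        self.rcv_nxt = first_seq      # next byte we expect (the byte after the SYN)
        self.capacity = capacity      # total receive buffer, in bytes
        self.ready = bytearray()      # in-order bytes not yet read by the application
        self.ooo = {}                 # seq -> bytes, segments that arrived ahead of a gap

    def window(self) -> int:
        """Advertised window: buffer space left after in-order and out-of-order data."""
        return self.capacity - len(self.ready) - sum(len(d) for d in self.ooo.values())

    def segment_arrived(self, seq: int, data: bytes) -> int:
        """Process one segment and return the ACK number (next expected byte) to send back."""
        win_end = self.rcv_nxt + self.window()
        if not data or seq + len(data) <= self.rcv_nxt or seq >= win_end:
            return self.rcv_nxt                 # empty, old duplicate, or outside the window: re-ACK only
        if seq < self.rcv_nxt:                  # partial overlap with bytes we already have: trim the front
            data, seq = data[self.rcv_nxt - seq:], self.rcv_nxt
        data = data[:win_end - seq]             # never accept more than the advertised window
        if seq == self.rcv_nxt:
            self._deliver(data)
            for s in sorted(self.ooo):          # a gap closed: drain whatever queued behind it
                if s > self.rcv_nxt:
                    break
                self._deliver(self.ooo.pop(s)[self.rcv_nxt - s:])
        elif seq not in self.ooo:
            self.ooo[seq] = data                # ahead of a gap: keep it, but do not advance the ACK
        return self.rcv_nxt

    def _deliver(self, data: bytes) -> None:
        self.ready.extend(data)
        self.rcv_nxt += len(data)

    def read(self) -> bytes:
        """Application read: hands over in-order data and frees that part of the window."""
        out, self.ready = bytes(self.ready), bytearray()
        return out


if __name__ == "__main__":
    rx = TcpReceiver(1000, 16)
    for seq, data in ((1000, b"abc"), (1006, b"ghi"), (1003, b"def"), (1000, b"abc")):
        print(f"seq={seq} data={data!r} -> ack={rx.segment_arrived(seq, data)} window={rx.window()}")
    print(rx.read())
```

The ACK number never moves past a gap, which is what makes the sender's timer (item 2) fire for the missing segment; the out-of-order data is kept rather than dropped so that only the lost segment, not everything after it, has to be resent.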