TCP/IP Internetworking

(February 1, 2012)

Abdou Illia Spring 2012

Security Goals: Review

Three main security goals:
Confidentiality of communications and
proprietary information

Integrity of corporate data

Availability of network services and
resources

CIA

TCP/IP and Security Goals

Understanding TCP/IP helps understand:

Technical aspects of systems attacks like:

Attack Messages structure Attack Messages content What makes attack messages dangerous

How defense tools are designed and configured to meet security goals.

Network Communication Model?

Communication Models that define tasks and

rules for communication in a network Tasks and rules allow each device to:

Generate messages in the required form for transmission Understand and process received messages properly
Computer 1 Task 1/ Rule 1 Task 2 / Rule 2 Task 3 / Rule 3 Task 4 /Rule 4 Task 5 / Rule 5

Computer 2 Task 1 / Rule 1 Task 2 / Rule 2 Task 3 / Rule 3 Task 4 / Rule 4 Task 5 / Rule 5
4

OSI Reference Model

7 layers
Application

Each layer communicates

with its peer layer, and with layer above and below it.
Different protocols at each

layer
Upper layer deal with
Data transport

application issues, and are implemented in software

Lower layers handle data

transport issues, and are implemented in software and hardware

OSI model created by the International Organization for Standardization
5

OSI Reference Model

Layers
7 Application

Role
Represent user interface between the application
sofware (e.g. Eudora) and the Network Provides services like: Identification of the intended communication partner, determining resources availability for communication, etc.

Presentation

Performs code conversion and data reformatting (syntax

translation) incluing encryption and compression if required. Uses coding & conversion schemes: Common Data Representation Formats, Common Data Encryption Schemes, EBCDIC, ASCII, etc.

Session

Responsible for establishing, managing & terminating

communication sessions between computers. Communication sessions consist of service requests and service responses between applications Session layers protocols coordinate request & response sessions. 6

OSI Reference Model

Layers
4 Transport

Role
Makes sure the data arrives at the destination exactly as it left source (in case of connection-oriented communication) Provides error checking before transmission, and error recovery in case of failed delivery. Responsible for creating, maintaining and ending network connections.

Network

Provides logical address (IP address) to messages

Provides routing services: determining routes for sending. If router cant send large packets, break data into smaller units.

Subdivided into 2 sublayers (Logical Link Control and Media

Data Link

LLC

Access Control) Provides physical address (MAC address) to messages

MAC

Combines bits into bytes, bytes into a frames with header, address information, error detection code, and trailer

OSI Reference Model

Layers
1 Physical

Role
Handles the transmission of bits over a communication channel. Defines characteristics such as voltage levels, connector types and maximum transmission distance. Places signal on the cable. Responsible to move bits between devices.

The TCP/IP (or Internet) Model

OSI
7. Application 6. Presentation 5. Session 4. Transport 3. Network 2. Data Link 3. Transport 2. Network

Internet
4. Application

4 layers
Interface layer - equivalent to

1. Interface

1. Physical

the OSIs Physical and Data Link layers Network layer - roughly equivalent to the OSIs Network layer Transport layer - performs same function as OSI Transport layer Application layer - equivalent to the OSIs Presentation and Application layers
9

Applications/Protocols Use in Internet Model

Layers
Application

Applications/Protocols
Webservice: HTTP E-mail: SMTP (Simple Mail Transfer Protocol), POP (Post Office Protocol), IMAP (Internet Message Access Protocol) Telnet applications: Terminal Emulation Protocol File transfer: FTP TCP (Transmission Control Protocol).
Required in webservice when HTTP is used Required in Mailservice when SMTP is used. SMTP messages are encapsulated in TCP segments Connection-oriented: Establishes and maintains connections before sending. Close connections after transmission. Correct errors in TCP segments. Connectionless: Dont open connection. Simply sends. Discards incorrect UDP datagrams (no retransmission)

Transport

UDP (User Datagram Protocol)

Network Interface

IP (Internet Protocol) PPP (Point-to-Point Protocol) V.90 for 56 Kbps modems

10

Hybrid TCP/IP-OSI Model

Layers
Application Transport Internet Data Link

Sample protocols for Web access

HTTP TCP, UDP, ICMP IP Ethernet, PPP

Physical

Ethernet, Modem standards, Telephone standards

11

Layered Communications: Encapsulation De-encapsulation

Application programs on different computers cannot

communicate directly

There is no direct connection between them! They need to use an indirect communication system called layered communications or layer cooperation

Browser Trans Int DL Phy User PC

HTTP Request

Web App Trans Int DL Phy Webserver

12

Layer Cooperation on the User PC

Encapsulation on the sending machine

Embedding message received from upper layer in HTTP a new message

request

Application Transport Internet

HTTP req. HTTP req. HTTP req. TCP-H

Encapsulation of HTTP request in data field of a TCP segment

TCP segment IP Packet

TCP-H IP-H

Data Link User PC

PPP-T

HTTP req.

TCP-H IP-H PPP-H

Frame
13

Physical

Layer Cooperation on the Web server

De-encapsulation

Other layers pass successive data fields (containing next-lower layer messages) up to the next-higher layer HTTP req. HTTP req. HTTP req. HTTP req. TCP-H TCP-H IP-H TCP-H IP-H PPP-H

HTTP request TCP segment IP Packet Frame

Application Transport Internet Data Link

Webserver
14

PPP-T

Transmission media

Summary Questions (Part 1)

1. What is encapsulation? On what machine does it occur: sending or receiving machine? 2. If layer N creates a message, does Layer N or Layer N-1 encapsulate the message? 3. What layer creates frames? Segments? Packets? 4. Which of the following network communication models is used on the Internet?
a) b) c) d) The OSI model The HTML model The TCP/IP model The IP model
15

IP Packet
Bit 0
0100

IP Version 4 Packet QoS (8 bits) Flags Total Length (16 bits)

Bit 31

Header Version Length (4 bits) (4 bits)

Identification (16 bits) Time To Live Protocol (8 bits) 1=ICMP, 6=TCP,17=UDP (8 bits)

Fragment Offset (13 bits)

Header Checksum (16 bits)

Source IP Address (32 bits) Destination IP Address (32 bits) Options (if any) Data Field

Padding

QoS: Also called Type of Service, indicates the priority level the packet should have Identification tag: to help reconstruct the packet from several fragments Flags: indicates whether packet could be fragmented or not (DF: Don't fragment), indicates whether more fragments of a packet follow (MF: More Fragments or NF: No More Fragments) Fragment offset: identify which fragment this packet is attached to TTL: Indicates maximum number of hops (or routers) the packet could pass before a hop discards it. Header checksum: to check for errors in the headers only 16

Summary Questions (Part 2)

What is the main version of the Internet

Protocol in use today? What is the other version? What does a router do with an IP packet if it decrements its TTL value to zero? Assume that a router received an IP packet with the Protocol in header set to 6. What Transport layer protocol is used in the message: TCP, UDP, or ICMP?
17

IP Fragmentation

Subnet 1 Subnet 2

When a packet arrives at a router, the router selects the port and

subnet to forward the packet to If packet too large for the subnet to handle, router fragments the packet; ie.

Divides packets data field into fragments Gives each fragment same Identification tag value, i.e. the Identification tag of original packet
First fragment is given Fragment Offset value of 0 Subsequent fragments get Fragment Offset values consistent with their datas place in original packet Last fragments Flag is set to No More Fragments

Destination host reassemble fragments based on the offsets.

Identification (16 bits)

Flags

Fragment Offset (13 bits)

18

Firewalls and Fragmented IP Packet

Fragmentation makes it hard for firewalls to filter individual packets

TCP or UDP header appears only in the first fragment

Firewall might drop the first fragment, but not subsequent fragments Some firewalls drop all fragmented packets

Router

2. Second Fragment

1. First Fragment

4. TCP Data IP Field Header

TCP Data Field

IP Header

Attacker 1.34.150.37

No TCP Header

3. TCP Header Only in First Fragment

5. Firewall 60.168.47.47 Can Only Filter TCP Header in First Fragment

19

TCP Segment
Bit 0 Source Port Number (16 bits) Bit 31 Destination Port Number (16 bits) Sequence Number (32 bits) Acknowledgment Number (32 bits) Header Length (4 bits) Reserved (6 bits) Flag Fields:
ACK, SYN,

(6 bits)

Window Size (16 bits) Urgent Pointer (16 bits)

TCP Checksum (16 bits) Data

Port number: identifies sending and receiving application programs. Sequence number: Identifies segments place in the sequence. Allows receiving
Transport layer to put arriving TCP segments in order. Acknowledgement number: identifies which segment is being acknowledged Flag fields: Six one-bit flags: ACK, SYN, FIN, RST, URG, PSH. Can be set to 0 (off) or 1 (on). e.g. SYN=1 means a request for connection/synchronization. 20
Q: If the ACK flag is set to 1, what other field must also be set to allow the receiver know what TCP segment is being acknowledged?

TCP and use of Flags

TCP is a connection-oriented protocol

Flag Fields (6 bits)

URG ACK SYN FIN RST PSH

Sender and receiver need to establish connection Sender and receiver need to agree to talk Flags are used for establishing connection

Sender requests connection opening: SYN flag set to 1 If receiver is ready to talk, it responds by a SYN/ACK segment Sender acknowledges the acknowledgment

If sender does not get ACK, it resends the segment Webserver Transport Process 1. SYN (Open) 2. SYN, ACK (1) (Acknowledgment of 1) 3. ACK (2)
3-way Handshake
21

PC Transport Process

Note: With connectionless protocols like UDP, there is no flags. Messages are just sent. If part of sent messages not received, there is no retransmission.

Communication during a normal TCP Session

Q1: How many segments are sent in a normal TCP communication opening? ____ Q2: How many segments are sent in a normal TCP communication closing? ____

Note: At any time, either process can send a TCP RST (reset) segment with RST bit set to 1 to drop the connection (i.e. to abruptly end the connection).
22

SYN/ACK Probing Attack

1. Probe 60.168.47.47 SYN/ACK Segment

2. No SYN (Open): Makes No Sense!

IP Hdr RST Segment Attacker 1.34.150.37 5. 60.168.47.47 is Live! 4. Source IP Addr= 60.168.47.47 Victim 60.168.47.47 3. Go Away!

Sending SYN/ACK segments helps attackers locate live targets Older Windows OS could crash when they receive a SYN/ACK probe
23

Source Port Number (16 bits)

Destination Port Number (16 bits)

TCP and use of Port numbers

Port Number identify applications Well-known ports (0-1023): used by major server applications running at root authority.

HTTP web service=80, Telnet=23, FTP=21, SMTP email =25

Registered ports (1024-49151): Used by client and

server applications.

Ephemeral/dynamic/private ports (49152-65535) Not permanently assigned by ICANN.

Web server applications www:80 FTP:21 SMTP:25 Operating System

Socket notation: IP address:Port #

Computer hardware RAM chip HD Processor

24

Summary Questions (Part 3)

A host sends a TCP segment with source port

number 25 and destination port number 49562.

1) 2)

3)

Is the source host a server or a client? Why? If the host is a server, what kind of service does it provide? Is the destination host a server or a client ? Why?

25

TCP and Port spoofing

Attackers set their application to use well-known port despite not being

the service associated with the port

Most companies set their firewall to accept packet to and from port 80 Attackers set their client program to use well-know port 80
26

Summary Questions (Part 4)

1. What is IP Fragmentation? Does IP fragmentation make it easier for firewall to filter incoming packets? Why? 2. What is SYN/ACK probing attack? 3. What kind of port numbers do major server applications, such as email service, use? 4. What kind of port numbers do client applications usually use? 5. What is socket notation? 6. What is port spoofing? 7. How many well-known TCP ports are vulnerable to being scanned, exploited, or attacked? 27