TRANSCRIPT
TCP/IP Refresher
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne
Vertical & Horizontal Communication
[Figure: sender and receiver protocol stacks side by side, each showing Protocol Layer n+1, Protocol Layer n, ..., Protocol Layer 1]
The TCP/IP “Suite” of Protocols
RFCs developed & maintained by the Internet Engineering Task Force (IETF)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Originally, no security provisions; security provided at application level
IPSec is a security add-on for IPv4; IPv6 incorporates IPSec
TCP/IP
In this model, the top 3 layers in the OSI model are usually reduced to just “the application layer”:
Application Layer / TCP / IP / Data Link Layer / Physical Layer
In reality, we will later squeeze a layer in between the application layer and TCP’s layer
TCP/IP
Transmission Control Protocol
the “workhorse” on the Internet, at OSI Layer 4 (Transport Layer)
ensures packets get to the right place, in the right order
creates the TCP segment by adding a header
the User Datagram Protocol (UDP) also operates at this layer
Internet Protocol
the most commonly used protocol at OSI Layer 3 (Network Layer)
delivers packets end-to-end
creates the IP datagram by adding a header
the Internet Control Message Protocol (ICMP) also operates at this layer
The TCP Header (32-bit words)
Source Port | Destination Port
Sequence Number
Acknowledgment Number
Data Offset | Reserved | Control Bits | Window
Checksum | Urgent Pointer
Options (if any) | Padding
Data
TCP Control/Code Bits
URG: the Urgent Pointer is significant
ACK: the Acknowledgement field is significant
PSH: Push Function — flush data
RST: reset the connection (due to an error condition)
SYN: synchronize sequence numbers; used during the 3-way handshake to establish a connection
FIN: “the end” en français
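To make the header layout and the six control bits concrete, here is a small parser added for this refresher (it is not code from the presentation or its authors). It unpacks the 20-byte fixed header in the field order shown on the slide, lists which control bits are set, and names the handshake step that a SYN, SYN/ACK or bare ACK corresponds to. The sample segments are constructed in the code; port numbers, sequence numbers and option bytes are made up for illustration.

```python
import struct
from typing import Optional

# Control-bit values in the 6-bit flags field, URG being the high bit (RFC 793 order)
TCP_FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TCP_FLAG_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
# 20-byte fixed header: ports, seq, ack, offset/reserved/flags, window, checksum, urgent pointer
TCP_FIXED_HEADER = struct.Struct("!HHIIHHHH")


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the TCP header at the start of `segment`; return its fields, options and payload."""
    if len(segment) < TCP_FIXED_HEADER.size:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack, off_res_flags,
     window, checksum, urgent) = TCP_FIXED_HEADER.unpack(segment[:20])
    data_offset = off_res_flags >> 12        # top 4 bits: header length in 32-bit words
    flags_raw = off_res_flags & 0x3F         # low 6 bits: the control bits
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(segment):
        raise ValueError(f"data offset {data_offset} inconsistent with segment length")
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": [n for n in TCP_FLAG_ORDER if flags_raw & TCP_FLAG_BITS[n]],
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:header_len],   # empty when data offset is 5
        "payload": segment[header_len:],
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Pack a 20-byte TCP header with no options (constructed sample input).
    The checksum is left 0 because computing it needs the IP pseudo-header."""
    flags_raw = 0
    for name in flags:
        flags_raw |= TCP_FLAG_BITS[name]
    return TCP_FIXED_HEADER.pack(src_port, dst_port, seq, ack,
                                 (5 << 12) | flags_raw, window, 0, 0)


def handshake_step(flags) -> Optional[str]:
    """Name the 3-way-handshake step a segment's control bits match, if any."""
    f = set(flags)
    if f == {"SYN"}:
        return "1: SYN"
    if f == {"SYN", "ACK"}:
        return "2: SYN/ACK"
    if f == {"ACK"}:
        return "3: ACK"      # ambiguous by itself: every later data segment also carries ACK
    return None


if __name__ == "__main__":
    # Constructed sample: client port 49152 opens a connection to server port 80
    syn = build_tcp_header(49152, 80, seq=1000, ack=0, flags=["SYN"])
    syn_ack = build_tcp_header(80, 49152, seq=5000, ack=1001, flags=["SYN", "ACK"])
    for segment in (syn, syn_ack):
        hdr = parse_tcp_header(segment)
        print(hdr["src_port"], "->", hdr["dst_port"], hdr["flags"], handshake_step(hdr["flags"]))
```

The bare-ACK case is the security-relevant one: the flag alone cannot say whether the segment belongs to a real connection, which is exactly why the stateful filters later in these slides keep a table of previous packets.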
3-way TCP Handshake
by Steve Gibson, Gibson Research Corporation
TCP/IP Port Numbers
Client sets destination port to a well known port on the server.
Client source port is generated dynamically and is set to > 1023.
Use the "netstat -an" command to see which ports are currently used.
Application’s TCP Ports
File Transfer Protocol (FTP) — Port 21
Secure Shell (SSH) — Port 22
Telnet — Port 23
Simple Mail Transfer Protocol (SMTP) — Port 25
Post Office Protocol version 3 (POP3) — Port 110
HyperText Transfer Protocol (HTTP) — Port 80
Secure HyperText Transfer Protocol (HTTPS) — Port 443
Kerberos — Port 88 [Stallings, §4.1]
Echo — Port 7
Finger — Port 79
Network News Transfer Protocol (NNTP) — Port 119
Gopher — Port 70
Doom — Port 666
31337 – Back Orifice Trojan !
TCP v. UDP
TCP:
has control (= code) bits (6 bits): what part of the session?
has 3-way handshake: SYN=1, initial seq. no.; ACK=SYN=1, initial seq. no., acknowledgment no.; ACK=1, ack. no.
has sequence numbers
has more overhead
SYN, ACK, RST help attackers find open ports
UDP:
“connectionless” protocol
“unreliable” protocol
no control bits: can’t tell if a packet is the start of a message, a response, or a malicious scan
no 3-way handshake
no sequence numbers: packets may be permuted; dropped packets are not retransmitted
The UDP Header (32-bit words)
Source Port | Destination Port
Message Length | Checksum
Data
UDP
The UDP header contains only the source and destination ports, message length and checksum, followed by the data.
16-bit port number, so 65535 possible ports.
It’s harder for network devices to understand and track UDP status: you can’t tell from the header what part of the transmission a packet is.
More difficult to secure, therefore easy to use to attack.
Application’s UDP Ports
Requests for Domain Name Service (DNS) lookup — Port 53
Trivial File Transfer Protocol (TFTP) — Port 69
Simple Network Management Protocol (SNMP) — Port 161 [Stallings, Chp. 8]
Echo — Port 7
Gopher — Port 70
RealPlayer [streaming] Data — Port 7070 (among others)
The IP Header (32-bit words)
Version | IHL | Service Type | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options (if any) | Padding
Data
Some IP Header Components
Internet Header Length (IHL)
Service type: sensitivity to delays
Identification: supports fragment reassembly
Flags: “Don’t Fragment,” “More Fragments”
Fragment Offset: this fragment’s position in the packet
Time-to-Live (TTL): max. no. of router-to-router hops the packet can take
Internet Control Message Protocol (ICMP)
Network layer, “network plumber”
Provides more control than IP
Same header format as IP, except . . .
protocol field holds the value 1 (= ICMP)
data component holds an ICMP type field:
0 — echo reply
3 — destination unreachable
4 — source quench
5 — redirect
8 — echo
11 — time exceeded
12 — parameter problem
13 — timestamp
14 — timestamp reply
15 — information request
16 — information reply
IP Addresses
2^32 (= 4,294,967,296) dotted-quad addresses
binary: 32 bits; min: 00000000000000000000000000000000, max: 11111111111111111111111111111111
decimal: 4 groups of 3 digits (0-255); min: 0.0.0.0, max: 255.255.255.255
Not all addresses are available: some are set aside for private networks (“unroutable”): 10.x.y.z, 172.16.y.z, 192.168.y.z
127.0.0.1 connects any machine back to itself!
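The three slides on the IP header, ICMP and IP addresses fit together in one worked example, added here and not taken from the presentation. It decodes the IPv4 header fields named on the slides (version, IHL, identification, the Don’t Fragment and More Fragments flags, fragment offset, TTL, protocol), verifies the header checksum, maps the ICMP type byte through the slide’s table, reads the four UDP header fields when the protocol is 17, and classifies the source address against the private and loopback blocks. The private check uses the full RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), of which the slide’s 172.16.y.z is a part. All packets are constructed in the code; addresses and identification values are illustrative.

```python
import struct

IPV4_FIXED_HEADER = struct.Struct("!BBHHHBBH4s4s")   # the 20-byte header without options
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# ICMP type values as listed on the ICMP slide
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp", 14: "timestamp reply", 15: "information request",
              16: "information reply"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented.
    Run over a header that already carries a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def addr_to_int(addr: str) -> int:
    """Dotted quad -> the 32-bit integer the slide shows in binary."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {addr}")
    return struct.unpack("!I", bytes(octets))[0]


def classify_address(addr: str) -> str:
    """'private' for the RFC 1918 blocks, 'loopback' for 127.0.0.0/8, else 'public'."""
    ip = addr_to_int(addr)
    if ip & 0xFF000000 == 0x7F000000:
        return "loopback"
    if (ip & 0xFF000000 == 0x0A000000            # 10.0.0.0/8
            or ip & 0xFFF00000 == 0xAC100000     # 172.16.0.0/12
            or ip & 0xFFFF0000 == 0xC0A80000):   # 192.168.0.0/16
        return "private"
    return "public"


def build_ipv4_header(src, dst, protocol, payload_len, ttl=64, ident=0x1234, dont_fragment=True):
    """Pack a 20-byte IPv4 header with a correct checksum (constructed sample input)."""
    flags_frag = (0x2 << 13) if dont_fragment else 0    # top 3 bits: reserved, DF, MF
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, protocol, 0,
              addr_to_int(src).to_bytes(4, "big"), addr_to_int(dst).to_bytes(4, "big")]
    fields[7] = ones_complement_checksum(IPV4_FIXED_HEADER.pack(*fields))  # computed with field = 0
    return IPV4_FIXED_HEADER.pack(*fields)


def parse_ipv4_packet(packet: bytes) -> dict:
    """Decode the header fields from the slides and peek at an ICMP or UDP payload."""
    if len(packet) < IPV4_FIXED_HEADER.size:
        raise ValueError("packet shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _checksum, src, dst) = IPV4_FIXED_HEADER.unpack(packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4
    if version != 4 or ihl < 5 or header_len > len(packet):
        raise ValueError(f"bad version/IHL: {version}/{ihl}")
    flags = flags_frag >> 13
    info = {
        "version": version, "ihl": ihl, "service_type": tos, "total_length": total_len,
        "identification": ident, "dont_fragment": bool(flags & 0x2),
        "more_fragments": bool(flags & 0x1), "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum_ok": ones_complement_checksum(packet[:header_len]) == 0,
        "src": dotted(src), "dst": dotted(dst), "src_class": classify_address(dotted(src)),
    }
    payload = packet[header_len:total_len]
    if proto == 1 and payload:                  # ICMP: the first data byte is the type field
        info["icmp_type"] = ICMP_TYPES.get(payload[0], f"type {payload[0]}")
    elif proto == 17 and len(payload) >= 8:     # UDP: source port, dest port, length, checksum
        sport, dport, length, _ = struct.unpack("!HHHH", payload[:8])
        info["udp"] = {"src_port": sport, "dst_port": dport, "length": length}
    return info


if __name__ == "__main__":
    # Constructed sample: ICMP echo (type 8) from a private address to 10.0.0.1, 8 bytes of ICMP data
    echo = build_ipv4_header("192.168.1.10", "10.0.0.1", 1, 8) + bytes([8, 0, 0, 0, 0, 1, 0, 1])
    print(parse_ipv4_packet(echo))
```

Decrementing the TTL without recomputing the checksum, as the test below does, is the kind of inconsistency a router or filter should reject rather than forward; the checksum only covers the header, so it says nothing about the data.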
MAC Addresses
Medium Access Control (MAC) addresses
Data link layer
48 bits
Globally unique: each card manufacturer has a range of addresses to assign; each card has its own MAC address
Address Resolution Protocol (ARP) table contains MAC-to-IP mappings
Types of Network Connection Points
Hub: dumb, broadcasts all packets to everybody
Bridge: connects 2+ networks, sends packet to destination
Router: connects several networks, can look up best route
Switch: additional intelligence, sends packets to one specific MAC address
[Personal] firewall [Stallings, Chp. 10]: hardware/software, passes only authorized packets
Network Address Translation (NAT)
Mapping to a single external IP address: every inbound packet appears to come from the NAT device’s IP address; connects a large, IP-address-poor network to the Internet
One-to-one mapping: each machine on the internal network is mapped to a valid IP address; maps user requests to a perimeter network
NAT Example
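As an added example for the “single external IP address” case (not code from the presentation), the class below keeps the translation table a NAT device needs: each outbound flow from an internal host is rewritten to the device’s external address and a freshly allocated external port, and an inbound packet is only rewritten back to an internal host if it matches an entry created by earlier outbound traffic. The addresses, ports and the starting external port are constructed values.

```python
import itertools


class Nat:
    """Many-to-one NAT: hides a whole internal network behind one external IP address.
    Packets are dicts with src, sport, dst, dport (constructed, not a real packet format)."""

    def __init__(self, external_ip: str, first_port: int = 10000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)   # next unused external port (assumed allocator)
        self.outbound_map = {}   # (int_ip, int_port, dst_ip, dst_port) -> external port
        self.inbound_map = {}    # (external port, remote_ip, remote_port) -> (int_ip, int_port)

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite an internal host's packet so it appears to come from the NAT device."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        ext_port = self.outbound_map.get(key)
        if ext_port is None:                        # first packet of this flow: allocate a port
            ext_port = next(self._ports)
            self.outbound_map[key] = ext_port
            self.inbound_map[(ext_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.external_ip, "sport": ext_port}

    def translate_inbound(self, pkt: dict):
        """Map a reply back to the internal host, or return None (drop) if nothing asked for it."""
        if pkt["dst"] != self.external_ip:
            return None
        mapping = self.inbound_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if mapping is None:
            return None                             # unsolicited: no internal host to deliver to
        int_ip, int_port = mapping
        return {**pkt, "dst": int_ip, "dport": int_port}


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    out = nat.translate_outbound({"src": "192.168.1.10", "sport": 51000,
                                  "dst": "198.51.100.20", "dport": 80})
    print("on the wire:", out)
    reply = {"src": "198.51.100.20", "sport": 80, "dst": "203.0.113.1", "dport": out["sport"]}
    print("delivered to:", nat.translate_inbound(reply))
```

The side effect worth noticing is the last case: an inbound packet with no matching table entry has nowhere to go, which is why a many-to-one NAT incidentally blocks unsolicited inbound connections even though it is not a firewall.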
Traditional v. Stateful Packet Filters
Traditional packet filters can filter based on . . .
source IP address
destination IP address
source TCP/UDP port
destination TCP/UDP port
TCP code bits
protocol in use
direction
interface
Stateful packet filters can also filter using a state table which . . .
remembers previous packets: an outgoing SYN should be followed by an incoming ACK from the appropriate address
has timeouts (10-90 secs.): remove the entry if no further packets associated with it arrive within the interval
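The contrast on this slide is easiest to see side by side, so here is an added example (not from the presentation) with a one-line traditional rule next to a small stateful filter. The traditional rule passes inbound TCP whenever the ACK bit is set, the classic stateless “established” rule built from code bits alone. The stateful filter instead records an outgoing SYN, admits only the matching SYN/ACK from the appropriate address and port, and drops entries that see no traffic for the timeout. Packets are dicts, the clock is passed in explicitly so the run is deterministic, and the 60-second timeout is an assumed value inside the slide’s 10-90 second range.

```python
from dataclasses import dataclass

TIMEOUT_SECS = 60   # assumed; the slide gives a 10-90 s range


def traditional_inbound_allowed(pkt: dict) -> bool:
    """Stateless rule: pass inbound TCP only if ACK is set ('established' traffic).
    It looks at this packet's code bits alone, so a lone forged ACK also passes."""
    return "ACK" in pkt["flags"]


@dataclass
class Entry:
    state: str          # SYN_SENT -> SYN_ACK_RECEIVED -> ESTABLISHED
    last_seen: float


class StatefulFilter:
    """State table keyed by (local ip, local port, remote ip, remote port)."""

    def __init__(self, timeout: float = TIMEOUT_SECS):
        self.timeout = timeout
        self.table = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, pkt: dict, now: float) -> str:
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = set(pkt["flags"])
        if flags == {"SYN"}:                         # inside host opens a connection
            self.table[key] = Entry("SYN_SENT", now)
            return "ALLOW"
        entry = self.table.get(key)
        if entry is None:
            return "DROP"
        if "RST" in flags:                           # either side tearing down: forget the entry
            del self.table[key]
            return "ALLOW"
        entry.last_seen = now
        if entry.state == "SYN_ACK_RECEIVED" and "ACK" in flags:
            entry.state = "ESTABLISHED"              # third step of the handshake seen
        return "ALLOW"

    def inbound(self, pkt: dict, now: float) -> str:
        self._expire(now)
        # an inbound packet's src/dst are the reverse of the table key
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        entry = self.table.get(key)
        if entry is None:
            return "DROP"                            # no outgoing SYN asked for this: unsolicited
        flags = set(pkt["flags"])
        if "RST" in flags:
            del self.table[key]
            return "ALLOW"
        if entry.state == "SYN_SENT":
            if flags != {"SYN", "ACK"}:
                return "DROP"                        # only the SYN/ACK reply is expected now
            entry.state = "SYN_ACK_RECEIVED"
        entry.last_seen = now
        return "ALLOW"


if __name__ == "__main__":
    # Constructed flow: inside host 10.0.0.5:40000 talks to 203.0.113.7:80
    f = StatefulFilter()
    f.outbound({"src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.7", "dport": 80, "flags": ["SYN"]}, 0.0)
    forged = {"src": "198.51.100.9", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "flags": ["ACK"]}
    print("traditional:", traditional_inbound_allowed(forged), "stateful:", f.inbound(forged, 0.2))
```

The forged ACK in the `__main__` block is the detection point: the stateless rule admits it, while the state table drops it because no outgoing SYN to that address ever created an entry.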
Adding Security via Protocols
Application-layer security
Pretty Good Privacy (PGP) [Stallings, §5.1]
Secure/Multipurpose Internet Mail Extension (S/MIME) [Stallings, §5.2]
Secure Shell (SSH)
Secure Socket Layer (SSL) / Transport Layer Security (TLS) [Stallings, §7.2]
HTTPS is HTTP running over SSL (on Port 443)
Internet Protocol Security (IPSec) [Stallings, Chp. 6]
Authentication Header (AH)
Encapsulating Security Payload (ESP)