TCP/IP Refresher This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

Uploaded by karen-gamage, posted 01-Apr-2015.

Page 1

TCP/IP Refresher

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.

Dr. Stephen C. Hayne

Page 2

Vertical & Horizontal Communication

[Diagram: a sender stack and a receiver stack, each showing Protocol Layer n+1, Protocol Layer n, ... down to Protocol Layer 1; each layer talks horizontally to its peer layer on the other side and vertically to the layers above and below it]

Page 3

The TCP/IP “Suite” of Protocols

- RFCs developed & maintained by the Internet Engineering Task Force (IETF)
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
- Internet Protocol (IP)
- Internet Control Message Protocol (ICMP)
- Originally, no security provisions; security provided at application level
- IPSec is a security add-on for IPv4; IPv6 incorporates IPSec

Page 4

TCP/IP

In this model, the top 3 layers in the OSI model are usually reduced to just “the application layer”.

[Diagram: Application Layer / TCP / IP / Data Link Layer / Physical Layer]

In reality, we will later squeeze a layer in between the application layer and TCP’s layer.

Page 5

TCP/IP

Transmission Control Protocol
- the “workhorse” on the Internet at OSI Layer 4 (Transport Layer)
- ensures packets get to the right place, in the right order
- creates the TCP segment by adding a header
- the User Datagram Protocol (UDP) also operates at this layer

Internet Protocol
- most commonly used protocol at OSI Layer 3 (Network Layer)
- delivers packets end-to-end
- creates the IP datagram by adding a header
- the Internet Control Message Protocol (ICMP) also operates at this layer

Page 6

The TCP Header (32-bit words)

  Source Port (16) | Destination Port (16)
  Sequence Number (32)
  Acknowledgment Number (32)
  Data Offset (4) | Reserved (6) | Control Bits (6) | Window (16)
  Checksum (16) | Urgent Pointer (16)
  Options (if any) | Padding
  Data

Page 7

TCP Control/Code Bits

- URG: the Urgent Pointer is significant
- ACK: the Acknowledgement field is significant
- PSH: Push Function (flush data)
- RST: reset the connection (due to an error condition)
- SYN: synchronize sequence numbers; used during the 3-way handshake to establish a connection
- FIN: “the end” en français
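An added example (not part of the original slides) that decodes the header and control bits above from raw bytes in Python: it unpacks the fixed 20-byte header, reads Data Offset in 32-bit words, names the control bits that are set, and maps the flag combination to its step in the 3-way handshake. The sample segments, the build_tcp_header helper and the client_like field are constructed for this example.

```python
import struct

# Control bits in the low 6 bits of the flags byte. The two ECN bits above
# them (CWR/ECE) are later additions not covered on the slide and are ignored.
FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

# ports, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_FIXED = "!HHIIBBHHH"


def parse_tcp_header(raw):
    """Decode the fixed 20-byte TCP header (plus any options) from raw bytes."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack(TCP_FIXED, raw[:20])
    header_len = (off_res >> 4) * 4          # Data Offset is counted in 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("Data Offset %d is inconsistent with segment length" % header_len)
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
        "header_len": header_len,
        "options": raw[20:header_len],
        "payload": raw[header_len:],
        # dynamic (> 1023) source port talking to a well-known port: looks like a client
        "client_like": src_port > 1023 and dst_port <= 1023,
    }


def handshake_step(flags):
    """Map a segment's flag set to its place in the 3-way handshake."""
    s = set(flags)
    if s == {"SYN"}:
        return "1: SYN"
    if s == {"SYN", "ACK"}:
        return "2: SYN/ACK"
    if "SYN" not in s and "ACK" in s:
        return "3: ACK (or a later data/ack segment)"
    return "not a handshake segment"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed sample header with no options; checksum left as 0."""
    return struct.pack(TCP_FIXED, src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)


# Constructed sample: a client SYN to port 80 and the two segments that follow.
SAMPLE_SYN = build_tcp_header(49152, 80, 0x12345678, 0, 0x02)
SAMPLE_SYNACK = build_tcp_header(80, 49152, 0x9ABCDEF0, 0x12345679, 0x12)
SAMPLE_ACK = build_tcp_header(49152, 80, 0x12345679, 0x9ABCDEF1, 0x10)

if __name__ == "__main__":
    for seg in (SAMPLE_SYN, SAMPLE_SYNACK, SAMPLE_ACK):
        h = parse_tcp_header(seg)
        print(h["src_port"], "->", h["dst_port"], h["flags"], handshake_step(h["flags"]))
```

The Data Offset check matters in practice: a segment whose offset points past its own length is malformed, and a parser that trusts the field blindly will read options out of the payload or beyond the buffer.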

Page 8

3-way TCP Handshake

[Diagram by Steve Gibson, Gibson Research Corporation]

Page 9

TCP/IP Port Numbers

- The client sets the destination port to a well-known port on the server.
- The client source port is generated dynamically and is set to > 1023.
- Use the 'netstat -an' command to see which ports are currently in use.

Page 10

Applications' TCP Ports

- File Transfer Protocol (FTP): Port 21
- Secure Shell (SSH): Port 22
- Telnet: Port 23
- Simple Mail Transfer Protocol (SMTP): Port 25
- Post Office Protocol version 3 (POP3): Port 110
- HyperText Transfer Protocol (HTTP): Port 80
- Secure HyperText Transfer Protocol (HTTPS): Port 443
- Kerberos: Port 88 [Stallings, §4.1]
- Echo: Port 7
- Finger: Port 79
- Network News Transfer Protocol (NNTP): Port 119
- Gopher: Port 70
- Doom: Port 666
- Back Orifice Trojan: Port 31337!

Page 11

TCP v. UDP

TCP
- has control (= code) bits: 6 bits that tell what part of the session a packet belongs to
- has a 3-way handshake: SYN=1, initial seq. no.; then ACK=SYN=1, initial seq. no., acknowledgment no.; then ACK=1, ack. no.
- has sequence numbers
- has more overhead
- SYN, ACK, RST help attackers find open ports

UDP
- “connectionless” protocol
- “unreliable” protocol
- no control bits
- no 3-way handshake: can’t tell if a packet is the start of a message, a response, or a malicious scan
- no sequence numbers: packets may be permuted; dropped packets are not retransmitted

Page 12

The UDP Header (32-bit words)

  Source Port (16) | Destination Port (16)
  Message Length (16) | Checksum (16)
  Data

Page 13

UDP

- The UDP header contains only the source and destination ports, the message length and the checksum, followed by the data.
- 16-bit port number, so 65535 possible ports.
- It’s harder for network devices to understand and track UDP status: you can’t tell from the header what part of the transmission a packet is.
- More difficult to secure, therefore easy to use to attack.

Page 14

Applications' UDP Ports

- Requests for Domain Name Service (DNS) lookup: Port 53
- Trivial File Transfer Protocol (TFTP): Port 69
- Simple Network Management Protocol (SNMP): Port 161 [Stallings, Chp. 8]
- Echo: Port 7
- Gopher: Port 70
- RealPlayer [streaming] Data: Port 7070 (among others)

Page 15

The IP Header (32-bit words)

  Version (4) | IHL (4) | Service Type (8) | Total Length (16)
  Identification (16) | Flags (3) | Fragment Offset (13)
  Time to Live (8) | Protocol (8) | Header Checksum (16)
  Source IP Address (32)
  Destination IP Address (32)
  Options (if any) | Padding
  Data

Page 16

Some IP Header Components

- Internet Header Length (IHL)
- Service Type: sensitivity to delays
- Identification: supports fragment reassembly
- Flags: “Don’t Fragment,” “More Fragments”
- Fragment Offset: this fragment’s position in the packet
- Time-to-Live (TTL): max. no. of router-to-router hops the packet can take
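An added example, not from the slides, that extracts the components above from a raw IPv4 header with Python's struct module: Version and IHL from the first byte, the three flag bits and the 13-bit Fragment Offset from one 16-bit word, TTL, Protocol and the two addresses. It also verifies the Header Checksum (the RFC 791 one's-complement sum), which is the check a receiver or a sniffer uses to notice a header that was altered or corrupted in transit. The build_ipv4_header helper and the addresses are constructed for this example.

```python
import socket
import struct

# ver/IHL, service type, total length, identification, flags/fragment offset,
# TTL, protocol, header checksum, source address, destination address
IP_FIXED = "!BBHHHBBH4s4s"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw):
    """Decode the fixed 20-byte IPv4 header and validate its checksum."""
    if len(raw) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     cksum, src, dst) = struct.unpack(IP_FIXED, raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4               # IHL is counted in 32-bit words
    if version != 4 or ihl < 20 or ihl > len(raw):
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    return {
        "ihl": ihl, "service_type": tos, "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0x2),
        "more_fragments": bool(flags & 0x1),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "other"),
        # summing the header including its own checksum field yields 0 when intact
        "checksum_ok": ip_checksum(raw[:ihl]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": raw[20:ihl],
    }


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1C46,
                      dont_fragment=True, more_fragments=False, frag_offset=0):
    """Constructed 20-byte header (no options) with a correct checksum."""
    flags = (0x2 if dont_fragment else 0) | (0x1 if more_fragments else 0)
    flags_frag = (flags << 13) | ((frag_offset // 8) & 0x1FFF)
    hdr = struct.pack(IP_FIXED, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # checksum is computed with the field zeroed, then written into bytes 10-11
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    sample = build_ipv4_header("192.168.1.10", "203.0.113.5", 6, 40)
    for k, v in parse_ipv4_header(sample).items():
        print("%-16s %r" % (k, v))
```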

Page 17

Internet Control Message Protocol (ICMP)

- Network layer, the “network plumber”
- Provides more control than IP
- Same header format as IP, except . . .
  - the protocol field holds the value 1 (= ICMP)
  - the data component holds an ICMP type field:
    0 = echo reply
    3 = destination unreachable
    4 = source quench
    5 = redirect
    8 = echo
    11 = time exceeded
    12 = parameter problem
    13 = timestamp
    14 = timestamp reply
    15 = information request
    16 = information reply

Page 18

IP Addresses

- 2^32 (= 4,294,967,296) dotted-quad addresses
- binary: 32 bits
  min: 00000000000000000000000000000000
  max: 11111111111111111111111111111111
- decimal: 4 groups of up to 3 digits (0-255)
  min: 0.0.0.0
  max: 255.255.255.255
- Not all addresses are available: some are set aside for private networks (“unroutable”): 10.x.y.z, 172.16.y.z, 192.168.y.z
- 127.0.0.1 connects any machine back to itself!
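An added example (not from the slides) using Python's ipaddress module to convert between dotted-quad and 32-bit binary form and to classify an address as loopback, private or public. It goes slightly beyond the slide's 172.16.y.z by using the full RFC 1918 block 172.16.0.0/12 (172.16.0.0 through 172.31.255.255). The inbound_source_is_spoofed function is a defensive use of the same table: a packet arriving from the Internet with a private or loopback source address cannot be legitimate, because those addresses are not routed there.

```python
import ipaddress

# RFC 1918 private blocks: the slide's 10.x.y.z, 172.16.y.z and 192.168.y.z.
# The 172.16 block is 172.16.0.0/12, i.e. 172.16.0.0 - 172.31.255.255.
PRIVATE_BLOCKS = tuple(ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dotted_to_binary(addr):
    """'255.255.255.255' -> 32-character bit string (the slide's binary form)."""
    return format(int(ipaddress.IPv4Address(addr)), "032b")


def binary_to_dotted(bits):
    """32-character bit string -> dotted quad."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 32 bits")
    return str(ipaddress.IPv4Address(int(bits, 2)))


def classify(addr):
    """'loopback', 'private (<block>)', 'public' or 'not IPv4'."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on malformed input
    if ip.version != 4:
        return "not IPv4"
    if ip in LOOPBACK:
        return "loopback"
    for net in PRIVATE_BLOCKS:
        if ip in net:
            return "private (%s)" % net
    return "public"


def inbound_source_is_spoofed(src):
    """Border check (constructed for this example): a packet arriving from the
    Internet must not carry a private or loopback source, since those
    addresses are never routed there. True means 'drop it'."""
    return classify(src) != "public"


if __name__ == "__main__":
    for a in ("0.0.0.0", "10.1.2.3", "172.31.0.9", "172.32.0.9",
              "192.168.0.1", "127.0.0.1", "203.0.113.7", "255.255.255.255"):
        print("%-16s %s  %s" % (a, dotted_to_binary(a), classify(a)))
```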

Page 19

MAC Addresses

- Medium Access Control (MAC) addresses
- Data link layer
- 48 bits
- Globally unique: each card manufacturer has a range of addresses to assign; each card has its own MAC address
- Address Resolution Protocol (ARP) table contains MAC-to-IP mappings

Page 20

Types of Network Connection Points

- Hub: dumb, broadcasts all packets to everybody
- Bridge: connects 2+ networks, sends packet to destination
- Router: connects several networks, can look up best route
- Switch: additional intelligence, sends packets to one specific MAC address
- [Personal] firewall [Stallings, Chp. 10]: hardware/software that passes only authorized packets

Page 21

Network Address Translation (NAT)

- Mapping to a single external IP address
  - every inbound packet appears to come from the NAT device’s IP address
  - connects a large, IP-address-poor network to the Internet
- One-to-one mapping
  - each machine on the internal network is mapped to a valid IP address
  - maps user requests to a perimeter network
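An added example (not from the slides) modelling both NAT modes in Python. Nat implements the single-external-address mapping: every inside flow is given its own external port, so the far end only ever sees the NAT device's address, and a reply is translated back by looking up that port together with the server's address and port; anything inbound with no mapping has nowhere to go and is reported as None (i.e. dropped). OneToOneNat implements the one-to-one mapping. The addresses and port range are constructed for this example.

```python
class Nat:
    """Many-to-one NAT: inside hosts share one external address and are told
    apart by the external port the NAT allocates per flow."""

    def __init__(self, external_ip, first_port=40000, last_port=65535):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_map = {}   # (in_ip, in_port, dst_ip, dst_port) -> external port
        self.in_map = {}    # (external port, dst_ip, dst_port) -> (in_ip, in_port)

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside -> Internet packet; returns (src, sport, dst, dport)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            port = self._allocate_port()
            self.out_map[key] = port
            self.in_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.external_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply back to the inside host, or None when no mapping
        exists (an unsolicited inbound packet is dropped)."""
        if dst_ip != self.external_ip:
            return None
        inside = self.in_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


class OneToOneNat:
    """One-to-one mapping: each inside machine has its own valid external address."""

    def __init__(self, mapping):
        self.out = dict(mapping)                       # inside ip -> external ip
        self.back = {v: k for k, v in mapping.items()}  # external ip -> inside ip

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        ext = self.out.get(src_ip)
        return None if ext is None else (ext, src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        inside = self.back.get(dst_ip)
        return None if inside is None else (src_ip, src_port, inside, dst_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    print(nat.outbound("192.168.1.10", 49152, "198.51.100.20", 80))
    print(nat.outbound("192.168.1.11", 49152, "198.51.100.20", 80))
    print(nat.inbound("198.51.100.20", 80, "203.0.113.1", 40001))
    print(nat.inbound("198.51.100.20", 80, "203.0.113.1", 40999))
```

Two inside hosts that happen to pick the same source port (49152 in the demo) still get distinct external ports, which is what lets the NAT tell their replies apart.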

Page 22

NAT Example

Page 23

Traditional Packet Filters v. Stateful Packet Filters

Traditional packet filters can filter based on . . .
- source IP address
- destination IP address
- source TCP/UDP port
- destination TCP/UDP port
- TCP code bits
- protocol in use
- direction
- interface

Stateful packet filters can also filter using a state table which . . .
- remembers previous packets: an outgoing SYN should be followed by an incoming ACK from the appropriate address
- has timeouts (10-90 secs.): the entry is removed if no further packets associated with it arrive within the interval
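An added example, not from the slides, of a minimal stateful filter for TCP in Python. It keeps the state table described above and on the TCP v. UDP slide: an outgoing SYN creates an entry, the only inbound segment accepted while that entry is in SYN_SENT is a SYN/ACK from the same address and port pair, a later outbound ACK marks the flow ESTABLISHED, and entries idle longer than the timeout are removed. Inbound segments with no matching entry (the unsolicited probes the earlier slides mention) are dropped. The flag constants, state names and the ManualClock test aid are constructed for this example.

```python
import time

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01


class StatefulFilter:
    """Allow inside-initiated TCP flows, drop unsolicited inbound segments."""

    def __init__(self, timeout=60.0, clock=time.monotonic):
        self.timeout = timeout      # the slide gives 10-90 seconds as typical
        self.clock = clock
        self.table = {}             # (in_ip, in_port, out_ip, out_port) -> [state, last_seen]

    def _expire(self):
        """Drop entries that have been idle longer than the timeout."""
        now = self.clock()
        stale = [k for k, (_, last) in self.table.items() if now - last > self.timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, src, sport, dst, dport, flags):
        """Segment leaving the protected network. Returns 'pass' or 'drop'."""
        self._expire()
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:          # new connection attempt from inside
            self.table[key] = ["SYN_SENT", self.clock()]
            return "pass"
        entry = self.table.get(key)
        if entry is None:
            return "drop"                            # no known connection for this segment
        if entry[0] == "SYN_RECEIVED" and flags & ACK:
            entry[0] = "ESTABLISHED"                 # handshake step 3
        entry[1] = self.clock()
        return "pass"

    def inbound(self, src, sport, dst, dport, flags):
        """Segment arriving from outside. Returns 'pass' or 'drop'."""
        self._expire()
        key = (dst, dport, src, sport)               # mirror image of the outbound key
        entry = self.table.get(key)
        if entry is None:
            return "drop"                            # unsolicited: scan, spoof or stale reply
        if flags & RST:
            del self.table[key]                      # peer refused or tore the flow down
            return "pass"
        if entry[0] == "SYN_SENT":
            if flags & SYN and flags & ACK:
                entry[0] = "SYN_RECEIVED"            # the one reply our SYN is waiting for
            else:
                return "drop"                        # anything else is out of order
        entry[1] = self.clock()
        return "pass"

    def states(self):
        return {k: v[0] for k, v in self.table.items()}


class ManualClock:
    """Deterministic clock so the timeout can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, secs):
        self.now += secs


if __name__ == "__main__":
    clk = ManualClock()
    fw = StatefulFilter(timeout=30.0, clock=clk)
    print(fw.inbound("203.0.113.5", 80, "192.168.1.10", 49152, SYN | ACK))   # drop
    print(fw.outbound("192.168.1.10", 49152, "203.0.113.5", 80, SYN))        # pass
    print(fw.inbound("203.0.113.5", 80, "192.168.1.10", 49152, SYN | ACK))   # pass
    print(fw.outbound("192.168.1.10", 49152, "203.0.113.5", 80, ACK))        # pass
    clk.advance(60)
    print(fw.inbound("203.0.113.5", 80, "192.168.1.10", 49152, ACK))         # drop (expired)
```

The key is stored from the inside host's point of view and mirrored for inbound traffic, so a reply from a different address or port than the one the SYN went to never matches an entry.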

Page 24

Adding Security via Protocols

- Application-layer security
  - Pretty Good Privacy (PGP) [Stallings, §5.1]
  - Secure/Multipurpose Internet Mail Extension (S/MIME) [Stallings, §5.2]
  - Secure Shell (SSH)
- Secure Socket Layer (SSL) / Transport Layer Security (TLS) [Stallings, §7.2]
  - HTTPS is HTTP running over SSL (on Port 443)
- Internet Protocol Security (IPSec) [Stallings, Chp. 6]
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)