TCPIP

1
CSC 382 Computer Security

• TCP/IP

2
Topics

• TCP/IP Layering
• Encapsulation
• Internet Addresses
• Link Layer Protocols
• IP
• Routing
• TCP and UDP
• Application Layer Protocols

3
Network Example
A1
A2
A3
Router
External Router
B1
B2
B3
4
TCP/IP Layering

• HTTP, FTP, telnet
• TCP, UDP
• IP, ICMP, IGMP
• PPP, 802.11
• Ethernet

5
TCP/IP Layers

• Physical
• NIC, cabling, electrical signaling.
• Data Link
• Single hop transport of packets.
• Wired protocols (ethernet, FDDI, PPP)
• Wireless protocols (802.11)
• Network
• End to end delivery of packets.
• IP Internet Protocol

6
TCP/IP Layers

• Transport
• Flow of data between two hosts for application
  layer.
• TCP reliable data flow with acknowledgements,
  retransmission, and timeouts.
• UDP simpler service with no guarantees.
• Application
• Protocols for particular applications.
• ex FTP, HTTP, SMTP

7
Encapsulation/De-multiplexing

• Sending data sent down protocol stack
• Each layer prepends a header to data
• Ethernet frame sent as bit stream across wire
• Receiving data moves up protocol stack
• NIC moves bits into memory as ethernet frame
• Each layer removes its header from packet

8
Encapsulation
9
De-multiplexing
10
TCP/IP Security

• TCP/IP has no built-in strong security.
• No confidentiality features.
• Minimal availability features (ToS options).
• Insecure CRC checksums for integrity.
• IPsec protocol extension adds security.

11
Data Link Layer

• IEEE Standards
• Ethernet (802.3)
• Token Ring (802.5)
• Wireless (802.11)
• Serial Protocols
• SLIP and CSLIP
• PPP

12
Hubs and Switches

• Hubs
• Broadcast packets received to all interfaces.
• Switches
• Associates MAC addresses with physical
  interfaces.
• Sends packets only to specified interface.
• May have SPAN port for network monitoring.

13
Data Link Layer

• Loopback
• Looks like any other link layer device.
• Full network processing is performed.
• Sends packets to localhost for testing.
• 48-bit MAC address
• Maximum Transmission Unit (MTU)
• 1492 or 1500 bytes, depending on ethernet std

14
Promiscuous Mode

• All ethernet frames to or from any locally
  connected host are seen by all hosts.
• NIC normally filters out frames that are not
  addressed to its MAC address.
• In promiscuous mode, NIC processes all ethernet
  frames, not just ones addressed to it.
• Requires administrative access on most OSes.

15
IP Internet Protocol

• Unreliable, connectionless datagram service
• Packets may arrived damaged, out of order,
  duplicated or not at all.
• Transport/Application layers provide reliability.
• IPv4 underlies Internet.
• 32-bit addresses in dotted-quad 10.17.0.90.
• IPv6 is successor with 128-bit addresses.
• Complexities addressing, routing

16
IP Header
17
IP Header

• Protocol version IPv4
• Header length 5-60 32-bit words
• Type of service (TOS)
• 3-bit precedence (ignored today)
• 4 TOS bits (min delay (telnet), max throughput
  (ftp), max reliability, min monetary cost)
• unused 0 bit

18
IP Header

• Total length length of IP datagram (bytes)
• maximum size 65535 bytes
• large packets fragmented at data link layer.
• small packets may be padded to minimum length.
• TTL upper limit on number of router hops.
• Protocol which protocol supplied packet data.
• Header checksum IP header checksum

19
IP Fragments

• IP packets may be fragmented by routers for
  transmission across different media.
• Max IP packet size 65536
• Max Ethernet packet size 1500
• IP headers contain fragment data
• Dont Fragment Flag 0allowed, 1dont
• More Fragments Flag 0last, 1more fragments
• Identification identifies single packet for
  reassembly.
• Fragment Offset where contents of fragment go.

20
Internet Addresses

• 32-bit IPv4 addresses
• Dotted decimal notation ii.jj.kk.ll
• Divided into two parts
• Network ID
• Host ID
• XOR address with netmask to get Network ID.

21
Address Classes

• Class A 0.0.0.0-127.255.255.255
• 8-bit net ID, 24-bit host ID
• Class B 128.0.0.0-191.255.255.255
• 16-bit net ID, 16-bit host ID
• Class C 192.0.0.0-223.255.255.255
• 24-bit net ID, 8-bit host ID
• Class D 224.0.0.0-239.255.255.255
• 28-bit multicast group ID
• Class E 240.0.0.0-255.255.255.255
• Reserved for future use

22
CIDR

• Class addressing too inefficient
• Still need to aggregate routes to limit routing
  table size.
• Example196.1.1.0/24
• 24-bits of Net ID 196.1.1
• Remaining 8-bits are host ID
• Not limited to network class sizes
• Example 192.168.128.0/22
• 4 class C networks 192.168.128,129,130,131.0

23
Network Address Translation

• Local network uses IETF reserved addresses.
• Non-routable no router knows how to send packets
  to.
• RFC 1918 10.x.y.z, 192.168.y.z, 172.16.y.z
• Gateway translates reserved addresses to unique,
  routable IP addresses.
• NAT Dynamic mapping to pool of routable IP
  addresses.
• 10.0.0.1 -gt 4.2.3.5
• 10.0.0.2 -gt 4.2.3.6
• NAPT Dynamic mapping to IP addresss/pool of src
  ports.
• 10.0.0.1 -gt 4.2.3.51
• 10.0.0.2 -gt 4.2.3.52

24
ARP Address Resolution Protocol

• MAC address determines packet destination.
• How does network layer supply the link layer with
  a MAC address?
• ARP Address Resolution Protocol
• Maps 32-bit IP addresses to 48-bit MAC addrs
• Data link layer protocol above ethernet
• RARP Reverse ARP

25
ARP Example

• sftp zappa.nku.edu
• Obtains IP address via gethostbyname()
• sftp asks TCP to connect to IP address
• TCP sends connection request to brahms using an
  IP datagram
• Sending host emits ARP broadcast, asking for MAC
  address of given IP address
• Destination hosts ARP layer receives broadcast,
  answers with an ARP reply w/ IP-gtMAC mapping
• Sending host constructs ethernet frame with
  destination MAC address containing IP datagram
• Sending host sends IP datagram

26
ARP Cache

• at204m02 (10.1.0.90) gt arp -a
• Net to Media Table IPv4
• Device IP Address Phys Addr
• ------ -------------------- ------------------
• hme0 at_elan.lc3net 0000a2cb285e
• hme0 10.1.0.79 00e0cf000e92
• hme0 at204m02 080020d8e007
• hme0 10.1.7.103 009027b6b5e5
• hme0 10.1.0.139 00e0cf0015bd

27
ARP Features

• Proxy ARP
• Router can answer ARP requests on network B for a
  host on network A that doesnt see broadcast.
• Gratuitous ARP
• Host sends ARP for own IP address at boot.
• No reply should be received.
• Network misconfiguration if reply received.

28
IP Connectivity

• No Network
• loopback only
• Single LAN
• direct connectivity to hosts
• Single Router
• Direct connectivity to local LAN
• Other networks reachable through one router
• Multiple Routes to Other Networks

29
IP Routing
30
Routing Table

• Where to send an IP packet to?
• Use a table lookup routing table
• Search Process
• Search for a matching host address.
• Search for a matching network address.
• Search for a default route.
• No route to destination Host or network
  unreachable error if search fails.

31
Routing Table

• at204m02 (10.1.0.90) gt netstat rn
• Routing Table IPv4
• Destination Gateway Flags Ref Use Int
• ------------- -------------------- ----- -----
• 10.1.0.0 10.1.0.90 U 1 4977 hme0
• 224.0.0.0 10.1.0.90 U 1 0 hme0
• default 10.1.0.1 UG 1 66480
• 127.0.0.1 127.0.0.1 UH 6 798905 lo0

32
Routing Table

• Destination final destination host/network
• Gateway next host in route to destination
• Flags
• U Route is up
• G Route is to a gateway (router)
• H Route destination is a host (not a network)
• D Route created by a redirect
• M Route modified by a redirect

33
Routing Table

• 10.1.0.0
• direct access to local subnet
• 224.0.0.0
• multicast route
• default
• forward packets to router at IP 10.1.0.1
• 127.0.0.1
• loopback

34
IP Routing

• Manual (static) routes
• Added with the route command.
• ICMP redirects can alter routes
• Router sends ICMP redirect when packet shouldve
  been sent to another router.
• Routing protocols
• Routers exchange routes with each other using
  special routing protocols.
• Full internet router tables contain 30,000
  routes.
• Source routing
• Sender includes routing info in packet header.

35
ICMP (Internet Control Message Protocol)

• Network layer protocol encapsulated in IP
• Communicates error messages and exceptions.
• Messages handled by either IP or TCP/UDP.

36
ICMP Message Types

• Type 0 echo (ping) reply
• Type 3 destination unreachable
• Type 4 source quench
• Type 5 redirect
• Type 8 echo (ping) request
• Type 9, 10 router advertisement, solicitation
• Type 11 time (TTL) exceeded
• Type 12 parameter (header) problem
• Type 13 timestamp
• Type 14 timestamp reply
• Type 15, 16 information request, reply

37
UDP User Datagram Protocol

• Simple datagram transport layer protocol.
• Each application output generates one UDP
  datagram, which produces one IP datagram.
• Trades reliability for speed
• Sends datagrams directly to unreliable IP layer.
• 16-bit port numbers
• Identify sending and receiving processes.
• Applications
• DNS, SNMP, TFTP, streaming audio/video

38
UDP Header
39
UDP Example TFTP

• Trivial File Transfer Protocol
• No authentication
• TFTP Session

sun16 gt tftp at204m02 tftpgt get
readme.txt Received 1024 bytes in 0.2
seconds. tftpgt quit
40
TFTP Packet Types

• Packet types
• read a file (filename, ascii/binary)
• write a file (filename, ascii/binary)
• file data block
• ACK
• error

41
TFTP Packet Diagram
42
TFTP Session Trace

• at204m02 gt snoop udp sun16
• 0.00000 sun16 -gt at204m02 TFTP Read "2sun"
  (netascii)
• 0.00498 at204m02 -gt sun16 TFTP Data block 1
  (512 bytes)
• 0.00136 sun16 -gt at204m02 TFTP Ack block 1
• 0.00010 at204m02 -gt sun16 TFTP Data block 2
  (300 bytes) (last block)
• 5 0.00119 sun16 -gt at204m02 TFTP Ack block 2

43
TFTP Security

• Feature no username/password required
• TFTP used for diskless hosts to boot.
• How to protect /etc/passwd?
• Limit TFTP server filesystem access.
• Generally only can access /tftpboot directory.

44
TCP Transmission Control Protocol

• Connection-oriented
• Must establish connection before sending data.
• 3-way handshake.
• Reliable byte-stream
• TCP decides how to divide stream into packets.
• ACK, timeout, retransmit, reordering.
• 16-bit source and destination ports.
• FTP(21), HTTP(80), POP(110), SMTP(25)

45
TCP Reliability

• Breaks data into best-sized chunks.
• After sending segment, maintains timer if no ACK
  within time limit, resends segment.
• Sends ACK on receipt of packets.
• Discards pkts on bad checkum of header and data.
• Receiver resequences TCP segments so data arrives
  in order sent.
• Receiver discards duplicate segments.
• Flow control only sends as much data as receiver
  can process.

46
TCP Header
47
TCP Header

• Sequence Number 32-bit segment identifier.
• Acknowledgment next sequence number expected by
  sender of ACK
• TCP is full duplex so both sides of connection
  have own set of sequence numbers
• Header length length of header in 32-bit words
  (20bytes default60bytes w/ options)
• Window size number of bytes receiver is willing
  to accept (flow control)

48
TCP Header Flags (Code Bits)

• URG urgent pointer is valid
• ACK acknowledgement number is valid
• PSH rcvr should pass data to app asap
• RST reset connection
• SYN synchronize sequence numbers to initiate a
  connection
• FIN sender is finished sending data

49
TCP Options

• End of option list (kind0)
• NOP (kind1)
• Used to pad fields to 32-bit boundary
• Maximum Segment Size (MSS) (kind2)
• Len4 (length includes kind len bytes)
• 16-bit MSS
• Default 536 data 20 TCP hdr 20 IP hdr
• Window Scale Factor (kind3)
• Timestamp (kind8)

50
TCP Connections

• Establishment
• 3-way handshake
• Connection Trace
• Termination
• Normal Termination
• Connection Trace
• Reset

51
Connection Establishment Protocol

• Requester (client) sends a SYN segment,
  specifying the port number of the server to which
  it wants to connect and the clients initial
  sequence number (ISN).
• Server responds with SYN segment containing
  servers ISN. Server acknowledges clients SYN
  by ACKing the clients ISN1.
• Client acknowledges server SYN by ACKing servers
  ISN1.

52
TCP 3-way Handshake
53
Connection Establishment Test

• at204m02gt /usr/sbin/snoop sun09
• at204m02gt nc sun09 22
• SSH-1.99-OpenSSH_3.7.1p2
• C
• If no services running, start your own
• at204m02gt nc -l -p 8192

54
TCP Connection Trace

• at204m02 -gt sun09 TCP D22 S37519 Syn
  Seq477982308 Len0 Win24820 Optionsltnop,nop,sac
  kOK,mss 1460gt
• sun09 -gt at204m02 TCP D37519 S22 Syn
  Ack477982309 Seq3227257622 Len0 Win24820
  Optionsltnop,nop,sackOK,mss 1460gt
• at204m02 -gt sun09 TCP D22 S37519
  Ack3227257623 Seq477982309 Len0 Win24820

55
Connection Termination Protocol

• As TCP is full duplex, each side must terminate
  half of the connection as follows
• Send FIN segment (active close)
• Other side ACKs w/ FIN sequence number 1
• Half-closed connections
• Side that sent FIN can still receive data.
• Example ssh fasthost sort lt words.txt

56
TCP Disconnection
57
Connection Termination Test

• at204m02gt /usr/lib/sendmail -bd
• at204m02gt /usr/sbin/snoop port 25
• sun09gtnc at204m02 25
• 220 at204m02.lc3net ESMTP Sendmail
  8.11.7Sun/8.11.7 Mon, 29 Mar 2004 140940
  -0500 (EST)
• quit

58
TCP Disconnection Trace

• at204m02 -gt sun09 TCP D33042 S25 Fin
  Ack3597541820 Seq872479258 Len0 Win24820
• sun09 -gt at204m02 TCP D25 S33042
  Ack872479259 Seq3597541820 Len0 Win24820
• sun09 -gt at204m02 TCP D25 S33042 Fin
  Ack872479259 Seq3597541820 Len0 Win24820
• at204m02 -gt sun09 TCP D33042 S25
  Ack3597541821 Seq872479259 Len0 Win24820

59
TCP Reset

• Connection Refused
• gt telnet at204m02 8192
• Trying 10.1.0.90...
• telnet Unable to connect to remote host
  Connection refused
• Packet Trace
• sun09 -gt at204m02 TCP D8192 S33048 Syn
  Seq3848454475 Len0 Win24820 Optionsltnop,nop,sa
  ckOK,mss 1460gt
• at204m02 -gt sun09 TCP D33048 S8192 Rst
  Ack3848454476 Win0

60
TCP Reset (cont.)

• Connection Abort
• Any queued data is thrown away.
• Other side is informed of abnormal close.
• Packet Detail
• One side sends RST.
• Other side aborts connection.
• There is no ACK sent in response.

61
Half-Open Connections

• Connections where one side has aborted or closed
  connection w/o knowledge of other.
• Client or server host has crashed.
• DOS attack requester sends SYN, doesnt respond
  to SYNACK.

62
Example List of TCP Ports

• TCP IPv4 (netstat na output)
• Local Addr Rmt Addr State
• ---------- --------------------
• .111 . LISTEN
• .32771 . LISTEN
• .32772 . LISTEN
• .32773 . LISTEN
• .32774 . LISTEN
• .4045 . LISTEN
• .22 . LISTEN
• .2049 . LISTEN
• .515 . LISTEN
• .80 . LISTEN
• .6000 . LISTEN
• .22 10.17.0.23.32827 ESTABLISHED
• .2049 10.17.0.23.799 ESTABLISHED

63
TCP Servers

• Local Address
• .80 means that it will accept connections on any
  network interface on TCP port 80.
• Foreign Address
• . means that the server will accept connections
  from any source host and port.
• Conn(src IP, src port, dst IP, dst port)
• All connections to same server will have same dst
  IP and port, but will have different source IPs
  and ports
• Kernel maintains queue of 5 incoming connections
  for each server.

64
Key Points

• TCP/IP Layers encapsulation/de-multiplexing
• Physical/Data Link ethernet, PPP
• Network IP, ICMP
• Transport UDP, TCP
• Application ftp, http, smtp, telnet, etc.
• IP
• Addressing DNS/IP/MAC, netmasks, CIDR, NAT.
• Routing tables, hubs/switches/routers.
• TCP
• Connection and Termination 3-way handshake
• Addressing source and destination ports.

65
References

• K. Egevang and P. Francis, The IP Network
  Address Translator (NAT), RFC 1631,
  http//www.ietf.org/rfc/rfc1631.txt, 1994.
• J.B. Postel, Internet Protocol, RFC 791,
  http//www.ietf.org/rfc/rfc0791.txt, 1981.
• J.B. Postel, Internet Control Message Protocol,
  RFC 792, http//www.ietf.org/rfc/rfc0792.txt,
  1981.
• J.B. Postel, Transmission Control Protocol, RFC
  793, http//www.ietf.org/rfc/rfc0793.txt, 1981.
• Ed Skoudis, Counter Hack, Prentice Hall, 2002.
• Richard Stevens, TCP/IP Illustrated, Vol. 1,
  Addison-Wesley, 1994.
• Richard Stevens, UNIX Network Programming, Vol.
  1, Prentice-Hall, 1998.
• Andrew Tannenbaum, Computer Networks, 4th
  edition, Prentice-Hall, 2002.