
TCP/IP Refresher


Presentation Transcript


  1. TCP/IP Refresher
  This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
  Dr. Stephen C. Hayne

  2. Vertical & Horizontal Communication
  [diagram: sender and receiver protocol stacks, Protocol Layer n+1, Protocol Layer n, ..., Protocol Layer 1]

  3. The TCP/IP “Suite” of Protocols
  • RFCs developed & maintained by the Internet Engineering Task Force (IETF)
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Internet Protocol (IP)
  • Internet Control Message Protocol (ICMP)
  • Originally, no security provisions
    • security provided at application level
    • IPSec is a security add-on for IPv4
    • IPv6 incorporates IPSec

  4. TCP/IP
  • In this model, the top 3 layers in the OSI model are usually reduced to just “the application layer”
    • Application Layer
    • TCP
    • IP
    • Data Link Layer
    • Physical Layer
  • In reality, we will later squeeze a layer in between the application layer and TCP’s layer

  5. TCP/IP
  Transmission Control Protocol
  • the “workhorse” on the Internet
  • at OSI Layer 4 (Transport Layer)
  • ensures packets get to the right place, in the right order
  • creates the TCP segment by adding a header
  • the User Datagram Protocol (UDP) also operates at this layer
  Internet Protocol
  • most commonly used protocol at OSI Layer 3 (Network Layer)
  • delivers packets end-to-end
  • creates the IP datagram by adding a header
  • the Internet Control Message Protocol (ICMP) also operates at this layer

  6. The TCP Header (32-bit words)
  • Source Port | Destination Port
  • Sequence Number
  • Acknowledgment Number
  • Data Offset | Reserved | Control Bits | Window
  • Checksum | Urgent Pointer
  • Options (if any) | Padding
  • Data ...

  7. TCP Control/Code Bits
  • URG
    • the Urgent Pointer is significant
  • ACK
    • the Acknowledgement field is significant
  • PSH
    • Push Function — flush data
  • RST
    • reset the connection (due to an error condition)
  • SYN
    • synchronize sequence numbers
  • FIN
    • “the end” en français
  Note: used during the 3-way handshake to establish a connection.

  8. 3-way TCP Handshake by Steve Gibson, Gibson Research Corporation

  9. TCP/IP Port Numbers
  • Client sets destination port to a well-known port on the server.
  • Client source port is generated dynamically and is set to > 1023.
  • Use the “netstat -an” command to see which ports are currently in use.

  10. Application’s TCP Ports
  • File Transfer Protocol (FTP) — Port 21
  • Secure Shell (SSH) — Port 22
  • Telnet — Port 23
  • Simple Mail Transfer Protocol (SMTP) — Port 25
  • Post Office Protocol version 3 (POP3) — Port 110
  • HyperText Transfer Protocol (HTTP) — Port 80
  • Secure HyperText Transfer Protocol (HTTPS) — Port 443
  • Kerberos — Port 88 [Stallings, §4.1]
  • Echo — Port 7
  • Finger — Port 79
  • Network News Transfer Protocol (NNTP) — Port 119
  • Gopher — Port 70
  • Doom — Port 666
  • 31337 – Back Orifice Trojan !

  11. TCP v. UDP
  TCP
  • has control (= code) bits
    • 6 bits
    • what part of the session?
  • has 3-way handshake
    • SYN=1, initial seq. no.
    • ACK=SYN=1, initial seq. no., acknowledgment no.
    • ACK=1, ack. no.
  • has sequence numbers
  • has more overhead
  • SYN, ACK, RST help attackers find open ports
  UDP
  • “connectionless” protocol
  • “unreliable” protocol
  • no control bits
  • no 3-way handshake
    • can’t tell if a packet is ... start of message, a response, a malicious scan
  • no sequence numbers
    • packets may be permuted
    • dropped packets are not retransmitted
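
A worked example added here (not part of the original slides) that ties the TCP header slide, the control-bits slide and the handshake steps above together: it parses a raw TCP header with Python's `struct`, decodes the six code bits, and classifies a segment by its SYN/ACK/RST bits. The `build_tcp_header` helper and the port numbers are constructed sample data; the data-offset check guards against a header that claims to be longer than the bytes actually present.

```python
import struct

# The six TCP control bits sit in the low byte of the data-offset/reserved/flags field.
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header plus any options (RFC 793 layout)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, off_flags, window,
     checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes (32-bit words x 4)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")   # malformed: refuse rather than over-read
    flags = {name: bool(off_flags & bit) for name, bit in TCP_FLAGS.items()}
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": data_offset, "flags": flags, "window": window,
        "checksum": checksum, "urgent_ptr": urgent,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }

def handshake_step(flags: dict) -> str:
    """Classify a segment by its SYN/ACK/RST bits, as on the 3-way handshake slide."""
    if flags["SYN"] and not flags["ACK"]:
        return "1: SYN, client's initial seq. no."
    if flags["SYN"] and flags["ACK"]:
        return "2: SYN-ACK, server's initial seq. no. + acknowledgment no."
    if flags["RST"]:
        return "RST: connection refused or reset"
    if flags["ACK"]:
        return "3: ACK, acknowledgment no. (connection established)"
    return "other"

def build_tcp_header(src, dst, seq, ack, flag_names, window=65535) -> bytes:
    """Constructed sample header: data offset 5 (20 bytes), no options, checksum 0."""
    bits = sum(TCP_FLAGS[n] for n in flag_names)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (5 << 12) | bits, window, 0, 0)

# Constructed sample: a client on ephemeral port 49152 opening a connection to port 80.
SYN_SEGMENT = build_tcp_header(49152, 80, 1000, 0, ["SYN"])
```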

  12. The UDP Header (32-bit words)
  • Source Port | Destination Port
  • Message Length | Checksum
  • Data ...

  13. UDP
  • UDP Header contains only source and destination ports, message length, checksum and the data.
  • 16 bit port number so 65535 possible ports.
  • It’s harder for network devices to understand and track UDP status. You can’t tell from the header what part of the transmission it is.
  • More difficult to secure, therefore easier to use in attacks.

  14. Application’s UDP Ports
  • Requests for Domain Name Service (DNS) lookup — Port 53
  • Trivial File Transfer Protocol (TFTP) — Port 69
  • Simple Network Management Protocol (SNMP) — Port 161 [Stallings, Chp. 8]
  • Echo — Port 7
  • Gopher — Port 70
  • RealPlayer [streaming] Data — Port 7070 (among others)

  15. The IP Header (32-bit words)
  • Version | IHL | Service Type | Total Length
  • Identification | Flags | Fragment Offset
  • Time to Live | Protocol | Header Checksum
  • Source IP Address
  • Destination IP Address
  • Options (if any) | Padding
  • Data ...

  16. Some IP Header Components
  • Internet Header Length (IHL)
  • Service type
    • sensitivity to delays
  • Identification
    • supports fragment reassembly
  • Flags
    • “Don’t Fragment,” “More Fragments”
  • Fragment Offset
    • this fragment’s position in the packet
  • Time-to-Live (TTL)
    • max. no. of router-to-router hops a packet can take

  17. Internet Control Message Protocol (ICMP)
  • Network layer, “network plumber”
  • Provides more control than IP
  • Same header format as IP, except . . .
    • protocol field holds the value 1 (= ICMP)
    • data component holds an ICMP type field
  ICMP types:
    0 — echo reply
    3 — destination unreachable
    4 — source quench
    5 — redirect
    8 — echo
    11 — time exceeded
    12 — parameter problem
    13 — timestamp
    14 — timestamp reply
    15 — information request
    16 — information reply
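
A second added example (again not from the original slides) covering the IP header, its fragmentation fields and the ICMP type table above: it decodes an IPv4 header, converts the Flags/Fragment Offset word into the “Don’t Fragment”, “More Fragments” and byte-offset values, and then uses the protocol field to demultiplex the payload into an ICMP type name or the transport-layer port pair (TCP and UDP headers both start with source and destination port). `build_ipv4`, the addresses and the packet contents are constructed sample data; the checksum is left as zero.

```python
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp", 14: "timestamp reply", 15: "information request",
              16: "information reply"}

def parse_ip_header(packet: bytes) -> dict:
    """Decode the IPv4 header, including the fragmentation fields from the slides."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "header_len": ihl, "service_type": tos,
        "total_len": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),     # flag bit 1
        "more_fragments": bool(flags_frag & 0x2000),    # flag bit 2
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, in 8-byte units
        "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "header_checksum": checksum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:ihl], "payload": packet[ihl:],
    }

def describe_payload(hdr: dict) -> str:
    """Demultiplex on the protocol field: ICMP type name, or transport-layer ports."""
    p = hdr["payload"]
    if hdr["protocol"] == "ICMP" and len(p) >= 4:
        return "ICMP " + ICMP_TYPES.get(p[0], f"type {p[0]}")   # first byte is the type
    if hdr["protocol"] in ("TCP", "UDP") and len(p) >= 4:
        sport, dport = struct.unpack("!HH", p[:4])   # both headers start with the ports
        return f"{hdr['protocol']} {sport} -> {dport}"
    return "unrecognised payload"

def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234, flags_frag=0) -> bytes:
    """Constructed sample packet: IHL 5 (no options), header checksum left as 0."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    return hdr + payload

# Constructed sample: ICMP echo request (type 8, code 0) between two private addresses.
ECHO_REQUEST = build_ipv4("192.168.1.10", "10.0.0.1", 1, bytes([8, 0, 0, 0]) + b"ping")
```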

  18. IP Addresses
  • 2^32 (= 4,294,967,296) dotted-quad addresses
  • binary: 32 bits
    • min: 00000000000000000000000000000000
    • max: 11111111111111111111111111111111
  • decimal: 4 groups of 3 digits (0-255)
    • min: 0.0.0.0
    • max: 255.255.255.255
  • Not all addresses are available
    • some set aside for private networks (“unroutable”)
    • 10.x.y.z, 172.16.y.z, 192.168.y.z
  • 127.0.0.1 connects any machine back to itself!

  19. MAC Addresses
  • Medium Access Control (MAC) addresses
  • Data link layer
  • 48 bits
  • Globally unique
    • each card manufacturer has a range of addresses to assign
    • each card has its own MAC address
  • Address Resolution Protocol (ARP)
    • table contains MAC-to-IP mappings

  20. Types of Network Connection Points
  • Hub
    • dumb, broadcasts all packets to everybody
  • Bridge
    • connects 2+ networks, sends packet to destination
  • Router
    • connects several networks, can look up best route
  • Switch
    • additional intelligence, sends packets to one specific MAC address
  • [Personal] firewall [Stallings, Chp. 10]
    • hardware/software passes only authorized packets

  21. Network Address Translation (NAT)
  • Mapping to a single external IP address
    • every inbound packet appears to come from the NAT device’s IP address
    • connect large, IP-address-poor network to Internet
  • One-to-one mapping
    • each machine on the internal network is mapped to a valid IP address
    • map user requests to a perimeter network

  22. NAT Example

  23. Traditional Packet Filters v. Stateful Packet Filters
  Traditional Packet Filters
  • Can filter based on . . .
    • source IP address
    • destination IP address
    • source TCP/UDP port
    • destination TCP/UDP port
    • TCP code bits
    • protocol in use
    • direction
    • interface
  Stateful Packet Filters
  • Can also filter using a state table which . . .
    • remembers previous packets
      • outgoing SYN should be followed by an incoming ACK from the appropriate address
    • has timeouts (10-90 secs.)
      • remove entry if no further packets associated with the entry after interval
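
An added simulation (not from the original slides) of the two filter types compared above, assuming a single protected network and TCP only: the stateless filter admits any inbound packet that merely carries the ACK bit, while the stateful filter keeps the state table the slide describes, records an outgoing SYN, admits inbound packets only when they answer that SYN from the right address and port, and removes an entry once no matching packet has been seen for the timeout interval. The `Packet` class, the addresses and the 60-second timeout are constructed for the example; FIN-based close is not modelled and is left to the timeout.

```python
from dataclasses import dataclass

TIMEOUT = 60.0   # seconds; the slide gives 10-90 s as the typical range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST", "FIN"}
    direction: str     # "out" = leaving the protected network, "in" = arriving
    time: float        # seconds

def traditional_filter(pkt: Packet) -> str:
    """Stateless rules: outbound always allowed; inbound allowed only if ACK is set,
    i.e. if the packet *claims* to belong to an existing connection. Nothing verifies it."""
    return "allow" if pkt.direction == "out" or "ACK" in pkt.flags else "drop"

class StatefulFilter:
    """State table keyed by (inside ip, inside port, outside ip, outside port)."""
    def __init__(self):
        self.table = {}   # key -> time of the last packet matched to that entry

    def _expire(self, now: float) -> None:
        for key, last in list(self.table.items()):
            if now - last > TIMEOUT:    # no packets for the interval: remove the entry
                del self.table[key]

    def check(self, pkt: Packet) -> str:
        self._expire(pkt.time)
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = pkt.time     # remember the outgoing SYN
                return "allow"
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # same tuple, reversed
            if "ACK" not in pkt.flags:
                return "drop"    # a reply to our SYN must carry ACK; a bare SYN is unsolicited
        if key not in self.table:
            return "drop"        # no matching outgoing SYN, or the entry already timed out
        self.table[key] = pkt.time     # refresh the entry's timer
        if "RST" in pkt.flags:
            del self.table[key]        # connection aborted; FIN close is left to the timeout
        return "allow"
```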

  24. Adding Security via Protocols
  • Application-layer security
    • Pretty Good Privacy (PGP) [Stallings, §5.1]
    • Secure/Multipurpose Internet Mail Extension (S/MIME) [Stallings, §5.2]
    • Secure Shell (SSH)
  • Secure Socket Layer (SSL) → Transport Layer Security (TLS) [Stallings, §7.2]
    • HTTPS is HTTP running over SSL (on Port 443)
  • Internet Protocol Security (IPSec) [Stallings, Chp. 6]
    • Authentication Header (AH)
    • Encapsulating Security Payload (ESP)
