Introduction to TCP/IP and Protocols

Networking and Communications

Oct 26, 2013

Network Security

CS 478/CIS 678

Intro to TCP/IP

Objectives

Reading: Computer Security Principles and Practice, W. Stallings and L. Brown, Appendix E (see my web link)

The student should be able to:

Interpret output for ARP, IP, TCP, UDP and ICMP on a sniffer: Wireshark (sufficient as shown in this PowerPoint).


Internet Architecture

TCP/IP Packet

Layer      Header       Question it answers
L2         Ethernet     What physical node to send to?
L3         IP           Source and destination logical addresses
L4         TCP          Which app does this go to?
(L5)       Application  What data is actually being sent?
(trailer)  CRC          Packet check code

Addressing Requirements


Two levels of addressing are required:

Each host on a subnet needs a unique global network address: its IP address.

Each application on a (multi-tasking) host needs a unique address within the host, known as a port.

TCP/IP Packet (with example values)

Layer      Header       Question it answers                        Example
L2         Ethernet     What physical node to send to?             Address on LAN: 00:0c:29:80:ec:29
L3         IP           Source and destination logical addresses   Ginger.cs.uwp.edu = 124.36.92.81
L4         TCP          Which app does this go to?                 Port 80 = web
(L5)       Application  What data is actually being sent?          "Hi Alice, Are you coming to the party on Friday?"
(trailer)  CRC          Packet check code

Operation of TCP/IP

Protocols used at each Layer

L5 = Application

L4 = Transport:

TCP: Transmission Control Protocol (end-to-end error control: retransmission)

UDP: User Datagram Protocol (only port addressing)

L3 = Network:

IP: Internet Protocol (routing)

ICMP: Internet Control Message Protocol (reports errors, performs tests for IP)

L2 = Data Link Layer - Medium Access Control (MAC):

Ethernet Protocol

ARP: Address Resolution Protocol (translates IP to MAC addresses)



Physical Layer

Concerned with the physical interface between computer and network.

Concerned with issues like:

characteristics of the transmission medium

signal levels

data rates

other related matters

Network Access Layer

Exchange of data between an end system and the attached network.

Concerned with issues like:

destination address provision

invoking specific services like priority

access to and routing of data across a network link between two attached systems

Allows the layers above to ignore link specifics.


Internet Layer (IP)

Routing functions across multiple networks, for systems attached to different networks.

Implemented in end systems and routers.

A router connects two networks and relays data between them.


#    Time        Source IP   Dest IP     App  Info
152  919.001559  10.1.1.165  10.1.1.128  IP   Fragmented IP protocol (proto=ICMP 0x01, off=0, ID=19d9)



Internet Protocol (IP)

Performs routing

Addresses hosts

Performs fragmentation/reassembly

Security problem: spoofed or overlapping fragments can replace or confuse real data when the receiver reassembles them.

Security problem: attacks split across fragments may not be noticed by firewalls and IDS that do not reassemble before inspecting (depending on their sophistication).


IP Header

IP Header Format

First 8 nibbles (bits 0-31):

0-3: IP version (4 for IPv4; an IPv6 packet starts with 6 but has a different header)

4-7: Header length (in 32-bit words; 5 when there are no options)

8-15: Type of service (relates to quality of service; ignore for this class)

16-31: Total length (header plus data, in bytes)

Second 8 nibbles:

0-15: Identification (used with fragmentation: all fragments of one datagram carry the same ID)

16-18: Flags: reserved (0), Don't Fragment (DF), More Fragments (MF)

19-31: Fragment offset (in 8-byte units)

Third 8 nibbles:

0-7: Time to live

8-15: Next protocol (e.g. 1 = ICMP, 6 = TCP, 17 = UDP)

16-31: Header checksum (covers the header only, not the data)

Fourth 8 nibbles: Source IP address

Fifth 8 nibbles: Destination IP address
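The header layout above and the fragmentation problems noted under Internet Protocol (IP), as an added example in Python that is not part of the original slides: it builds IPv4 packets with struct.pack, decodes the fields nibble by nibble, verifies the header checksum, and reassembles fragments while refusing an overlapping one. The addresses, protocol and ID follow the capture row (10.1.1.165 to 10.1.1.128, ICMP, ID 19d9); the payload bytes and the 1500-byte MTU are assumptions.

```python
"""IPv4 header decoding and fragment reassembly.

Added example, not from the slides: packets are constructed with struct.pack; the
addresses and ID mirror the capture row (10.1.1.165 -> 10.1.1.128, proto ICMP, ID 0x19d9),
while the ICMP payload bytes are made up.
"""
import struct

IP_PROTO_ICMP = 1


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit big-endian words.
    Summing a header that already carries a correct checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, ident, payload, more_fragments=False, offset_words=0, ttl=64):
    """20-byte IPv4 header (no options) + payload.  offset_words is in 8-byte units."""
    flags_frag = (int(more_fragments) << 13) | (offset_words & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    # the checksum is computed with its own field zeroed, then patched into bytes 10-11
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:] + payload


def parse_ipv4(packet):
    """Decode the fields the slide lists and verify the header checksum."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length: nibble 1, in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    return {"id": ident, "ttl": ttl, "proto": proto,
            "df": bool(flags_frag & 0x4000),             # Don't Fragment
            "mf": bool(flags_frag & 0x2000),             # More Fragments
            "frag_offset": (flags_frag & 0x1FFF) * 8,    # stored in 8-byte units
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": packet[ihl:total_len]}


def reassemble(fragments):
    """Rebuild one datagram from its fragments.  They must tile the payload exactly: an
    overlap (a fragment claiming bytes already received) or a hole is an error, so a spoofed
    fragment cannot quietly replace data that already arrived."""
    frags = [parse_ipv4(f) for f in fragments]
    if len({(f["id"], f["src"], f["dst"], f["proto"]) for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    frags.sort(key=lambda f: f["frag_offset"])
    data, expected = bytearray(), 0
    for f in frags:
        if f["frag_offset"] < expected:
            raise ValueError("overlapping fragment at offset %d" % f["frag_offset"])
        if f["frag_offset"] > expected:
            raise ValueError("hole before offset %d" % f["frag_offset"])
        data += f["payload"]
        expected += len(f["payload"])
    if frags[-1]["mf"]:
        raise ValueError("last fragment (MF=0) not received")
    return bytes(data)


def demo():
    """Split a constructed 2048-byte ICMP payload for a 1500-byte MTU (1480 bytes of data per
    fragment), reassemble out of order, then show an overlapping fragment being rejected."""
    payload = bytes(range(256)) * 8
    common = ("10.1.1.165", "10.1.1.128", IP_PROTO_ICMP, 0x19D9)
    first = build_ipv4(*common, payload[:1480], more_fragments=True, offset_words=0)
    second = build_ipv4(*common, payload[1480:], more_fragments=False, offset_words=1480 // 8)
    spoof = build_ipv4(*common, b"\xff" * 8, more_fragments=True, offset_words=0)
    result = {"reassembled_ok": reassemble([second, first]) == payload, "overlap_rejected": False}
    try:
        reassemble([first, spoof, second])
    except ValueError as err:
        result["overlap_rejected"] = str(err).startswith("overlapping")
    return result
```

Real stacks differ in how they resolve overlaps (some keep the first copy, some the last), which is exactly why a firewall or IDS that does not reassemble the same way as the destination host can be made to see different data than the host does; rejecting overlaps outright, as above, sidesteps the ambiguity.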


Transmission Control Protocol (TCP)

The usual transport layer is TCP.

Provides a reliable connection for transfer of data between applications.

A TCP segment is the basic protocol unit.

TCP tracks segments between entities for the duration of each connection.

Transmission Control Protocol (TCP)

TCP is responsible for end-to-end retransmission and for reordering packets received out of order.

Addresses applications via a 16-bit port number.

Performs error control on an end-to-end basis:

Reorders out-of-sequence segments

Retransmits segments when acknowledgements are not received

Performs flow control on an end-to-end basis (using the window).

Performs congestion control to ensure the network is not overwhelmed.


TCP Header Fields

Source Port: Source port (application) address

Dest Port: Destination port (application) address

Flags: S=SYN, F=FIN, P=PUSH, R=RESET, A=ACK

Sequence #: Sequence number of the first data byte in this segment (byte #)

AckNr: Acknowledgment number (= next expected sequence number; meaningful only when the ACK flag is set)

WindowSize: Size of empty space in the receive buffer (in bytes)

Checksum: Verifies no change in the segment; it also covers a pseudo-header holding the IP source and destination addresses, so a segment delivered to the wrong host fails the check

Urgent Pointer: index to urgent data (rarely used)

TCP

TCP is connection-oriented, which means that it must explicitly establish a connection before transmission occurs and break it down afterwards:

Establishes a connection

Sends data

Each side gracefully disconnects


TCP Flags

The flags within segments that TCP uses include:

S=SYN: Request to establish a connection (synchronizes sequence numbers)

P=PUSH: Request from the application to flush (or force) transmission

F=FIN: Request to close a connection gracefully

R=RESET: Notification that the connection is being aborted

A=ACK: The acknowledgment number is valid; it acknowledges previously received data


Initiate a TCP Connection

Establishes a connection via a 3-way handshake.

SYN = Synchronization: establishes the send and receive sequence numbers.

Client -> Server: SYN

Server -> Client: SYN, ACK

Client -> Server: ACK




Send TCP Data

Each byte of TCP data has a sequence number associated with it; the sequence number in a segment is the byte number of the first data byte that segment carries.

The acknowledgment number is the sequence number of the byte of data expected next (one past the last byte received in order).

Sender -> Receiver: data (PUSH)

Receiver -> Sender: ACK


#   Time         Source IP  Dest IP     App  Info (Port > Port [Packet Type] SendSeq AckSeq)
45  1037.608722  10.1.1.3   10.1.1.165  TCP  3128 > 1270 [ACK] Seq=86244 Ack=6584 Win=19220 Len=0
46  1037.751240  10.1.1.3   10.1.1.165  TCP  [TCP segment of a reassembled PDU]
47  1037.751279  10.1.1.3   10.1.1.165  TCP  [TCP segment of a reassembled PDU]



Terminate TCP Connection

Graceful disconnect: both sides must disconnect.

FIN = Finish

Sending FIN indicates no more data to transmit (the other side may still send until it sends its own FIN).

A -> B: FIN

B -> A: ACK

B -> A: FIN

A -> B: ACK






Session Abort

"I don't want to participate in this connection."

Uses Reset: a single RST segment tears the connection down immediately, with no FIN exchange.

A -> B: RST




TCP Connect - Data - Disconnect

#   Time      Source IP   Dest IP     App  Info (Port > Port [Packet Type] SendSeq AckSeq)
1   0.000000  10.1.1.165  10.1.1.3    TCP  1179 > 3128 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2   0.000623  10.1.1.3    10.1.1.165  TCP  3128 > 1179 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3   0.000667  10.1.1.165  10.1.1.3    TCP  1179 > 3128 [ACK] Seq=1 Ack=1 Win=64240 Len=0
7   0.029386  10.1.1.165  10.1.1.3    TCP  1179 > 3128 [ACK] Seq=860 Ack=3691 Win=64240 Len=0
8   0.160003  10.1.1.3    10.1.1.165  TCP  80 > 1190 [FIN, ACK] Seq=341 Ack=436 Win=6432 Len=0
9   0.160598  10.1.1.165  10.1.1.3    TCP  1190 > 80 [ACK] Seq=436 Ack=342 Win=63900 Len=0
10  0.161706  10.1.1.165  10.1.1.3    TCP  1190 > 80 [FIN, ACK] Seq=436 Ack=342 Win=63900 Len=0
11  0.163407  10.1.1.3    10.1.1.165  TCP  80 > 1190 [ACK] Seq=342 Ack=437 Win=6432 Len=0

Rows 1-3 are the three-way handshake and row 7 an acknowledgment of data on the 1179 > 3128 connection; rows 8-11 are the graceful close of a different connection (1190 > 80) in the same capture. Wireshark prints sequence and acknowledgment numbers relative to each connection's initial sequence number, which is why every SYN shows Seq=0; a SYN and a FIN each consume one sequence number, so the ACK that answers the FIN sent at Seq=341 carries Ack=342.
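The handshake, data transfer, graceful close and RST abort described above, as an added example in Python that is not from the original slides: it builds TCP segments, decodes the flag bits, and follows a connection through SYN / SYN,ACK / ACK, one data segment, the FIN exchange and a reset, reporting Wireshark-style relative sequence numbers. Port numbers follow the capture (1179 > 3128); the absolute initial sequence numbers and the 16-byte request body are assumptions.

```python
"""TCP flag decoding and connection tracking with Wireshark-style relative numbers.

Added example, not code from the slides.  Segments are constructed with struct.pack and
replay the shape of the capture (client port 1179, proxy port 3128); the absolute initial
sequence numbers and the 16-byte request body are assumptions.
"""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = (("SYN", SYN), ("FIN", FIN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
MOD32 = 1 << 32                                   # sequence numbers wrap at 2^32


def build_tcp(sport, dport, seq, ack, flags, payload=b"", window=64240):
    """20-byte TCP header (data offset 5 words, no options) + payload.
    The checksum is left zero: computing it needs the IP pseudo-header, not modelled here."""
    return struct.pack("!HHIIHHHH", sport, dport, seq % MOD32, ack % MOD32,
                       (5 << 12) | flags, window, 0, 0) + payload


def parse_tcp(segment):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    flags = off_flags & 0x1FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "names": [name for name, bit in FLAG_NAMES if flags & bit],
            "window": window, "payload": segment[(off_flags >> 12) * 4:]}


class Connection:
    """Follows one connection through the 3-way handshake, data, and either a graceful
    FIN/FIN close or an RST abort.  Seq= and Ack= are reported relative to each side's ISN,
    exactly as Wireshark's columns above show them."""

    def __init__(self):
        self.state, self.client, self.isn, self.fins, self.log = "CLOSED", None, {}, set(), []

    def feed(self, raw):
        seg = parse_tcp(raw)
        f, key = seg["flags"], (seg["sport"], seg["dport"])
        if self.client is None:                     # first segment must be the client's bare SYN
            if f != SYN:
                raise ValueError("connection must open with a bare SYN")
            self.client, self.isn["client"], self.state, side = key, seg["seq"], "SYN_SENT", "client"
        else:
            side = "client" if key == self.client else "server"
            if f & RST:                             # session abort: no FIN exchange follows
                self.state = "ABORTED"
            elif self.state == "SYN_SENT":          # need SYN,ACK whose Ack is the client ISN + 1
                if side != "server" or (f & (SYN | ACK)) != (SYN | ACK) \
                        or seg["ack"] != (self.isn["client"] + 1) % MOD32:
                    raise ValueError("expected SYN,ACK acknowledging client ISN + 1")
                self.isn["server"], self.state = seg["seq"], "SYN_RECEIVED"
            elif self.state == "SYN_RECEIVED":      # need the client's ACK of the server ISN + 1
                if side != "client" or not (f & ACK) or seg["ack"] != (self.isn["server"] + 1) % MOD32:
                    raise ValueError("expected ACK acknowledging server ISN + 1")
                self.state = "ESTABLISHED"
            elif f & FIN:                           # graceful close needs a FIN from each side
                self.fins.add(side)
                self.state = "CLOSED" if len(self.fins) == 2 else "HALF_CLOSED"
        self.log.append(self.describe(side, seg))
        return self.state

    def describe(self, side, seg):
        other = "server" if side == "client" else "client"
        rel_seq = (seg["seq"] - self.isn.get(side, seg["seq"])) % MOD32
        line = "%s [%s] Seq=%d" % (side, ", ".join(seg["names"]), rel_seq)
        if seg["flags"] & ACK and other in self.isn:
            line += " Ack=%d" % ((seg["ack"] - self.isn[other]) % MOD32)
        return line + " Len=%d" % len(seg["payload"])


def replay_capture():
    """Connect, one request and its ACK, graceful close (the pattern of rows 1-3 and 8-11),
    then a second connection torn down with RST.  c and s are the assumed ISNs."""
    c, s = 2_000_000, 4_000_000
    body = b"GET / HTTP/1.1\r\n"                    # 16 bytes, constructed
    conn = Connection()
    for seg in (build_tcp(1179, 3128, c, 0, SYN),
                build_tcp(3128, 1179, s, c + 1, SYN | ACK, window=5840),
                build_tcp(1179, 3128, c + 1, s + 1, ACK),
                build_tcp(1179, 3128, c + 1, s + 1, PSH | ACK, body),
                build_tcp(3128, 1179, s + 1, c + 17, ACK),
                build_tcp(3128, 1179, s + 1, c + 17, FIN | ACK),
                build_tcp(1179, 3128, c + 17, s + 2, ACK),
                build_tcp(1179, 3128, c + 17, s + 2, FIN | ACK),
                build_tcp(3128, 1179, s + 2, c + 18, ACK)):
        conn.feed(seg)
    aborted = Connection()
    for seg in (build_tcp(1179, 3128, c, 0, SYN),
                build_tcp(3128, 1179, s, c + 1, SYN | ACK),
                build_tcp(1179, 3128, c + 1, s + 1, ACK),
                build_tcp(3128, 1179, s + 1, c + 1, RST | ACK)):
        aborted.feed(seg)
    return {"log": conn.log, "final_state": conn.state, "abort_state": aborted.state}
```

The tracker insists that the SYN,ACK acknowledge exactly client ISN + 1 and that the final ACK acknowledge server ISN + 1; that pairing of acknowledgment numbers is what ties the three segments into one handshake, and it is the same check a stateful firewall applies before it will admit later segments of the connection.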


TCP Wireshark

Showing Connection, Data, Disconnect

TCP Header

User Datagram Protocol (UDP)

UDP can be used instead of TCP to address an application.

Does NOT support end-to-end retransmission, reordering of out-of-order packets, flow control or congestion control.

Addresses applications via a 16-bit port number.

Protocol:

UDP is connectionless, which means it sends packets without establishing a connection first. If packets cannot be successfully delivered, there may be no indication of failure.

One packet type: send data.

#  Time      Source IP     Dest IP     App  Info
1  0.000000  131.210.13.7  10.1.1.165  UDP  Source port: 1060  Destination port: 8881


User Datagram Protocol (UDP)

An alternative to TCP

No guaranteed delivery

No preservation of sequence

No protection against duplication

Minimum overhead

Adds port addressing to IP

Application Layer

Provides support for user applications.

Needs a separate module for each type of application.

#   Time       Source IP   Dest IP    App   Info
4   0.001151   10.1.1.165  10.1.1.3   HTTP  GET http://www.cs.uwp.edu/Classes/Cs475 HTTP/1.1
90  80.400513  10.1.1.165  10.1.1.10  SNMP  get-request RFC1213-MIB::mib-2.25.3.2.1.5.1 RFC1213-MIB::mib-2.25.3.5.1.1.1 RFC1213-MIB::mib-2.25.3.5.1.2.1

The HTTP request line carries a full URL rather than just a path because it is sent to a web proxy (10.1.1.3, port 3128 in the TCP capture above); a request sent directly to the web server would read GET /Classes/Cs475 HTTP/1.1.



Application Protocols

Application & Port

SMTP: Simple Mail Transfer Protocol (Email): 25

HTTP: HyperText Transfer Protocol (Web): 80

FTP: File Transfer Protocol: 21 (control) and 20 (data)

SNMP: Simple Network Management Protocol: 161 (UDP)

DNS: Domain Name System: 53 (UDP, and TCP for large responses and zone transfers)

NBNS: NetBIOS Name Service (Microsoft internal, similar to DNS): 137 (UDP)

HTTPS: HTTP over SSL/TLS (Secure Socket Layer): 443


Internet Control Message Protocol (ICMP)

Reports errors (e.g. destination not reachable)

Replies to requests (e.g. routing information)

Tests connectivity (ping: echo request and echo reply)

#   Time       Source IP      Dest IP         App   Info
71  16.725008  10.1.1.165     207.46.170.123  ICMP  Echo (ping) request
76  17.813662  207.231.240.7  10.1.1.165      ICMP  Time-to-live exceeded (Time to live exceeded in transit)
73  13.696159  10.1.1.1       10.1.1.165      ICMP  Destination unreachable (Communication administratively filtered)

Address Resolution Protocol (ARP)

Converts an IP address (e.g. 192.164.53.25) to a MAC address (e.g. 0:90:27:1c:50:d0).

Protocol:

Requester broadcasts to all nodes on the subnet: ARP Request (IP_Address)

Replier ("me", the node that owns that IP address) sends: ARP Response (IP_Address, MAC Address)

#  Time      Source MAC         Dest MAC           App  Info
3  8.617021  00:0c:29:80:ec:29  ff:ff:ff:ff:ff:ff  ARP  Who has 10.1.1.3? Tell 10.1.1.165
4  8.617825  00:0e:0c:3d:f7:7d  00:0c:29:80:ec:29  ARP  10.1.1.3 is at 00:0e:0c:3d:f7:7d
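The request/reply exchange above, as an added example in Python that is not from the original slides: it builds and decodes ARP frames over Ethernet, renders Wireshark's Info column for them, and models the subnet so that only the owner of the asked-for address answers. The two addresses come from the capture rows; the third host on the subnet and its MAC are made up.

```python
"""ARP request/reply over Ethernet, both sides of the exchange.

Added example, not from the slides: frames are built with struct.pack using the addresses
from the capture (10.1.1.165 at 00:0c:29:80:ec:29 asking for 10.1.1.3, which is at
00:0e:0c:3d:f7:7d); the 10.1.1.1 entry and its MAC are made up.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBNET = {"10.1.1.3": "00:0e:0c:3d:f7:7d", "10.1.1.165": "00:0c:29:80:ec:29",
          "10.1.1.1": "00:00:5e:00:01:01"}        # constructed {ip: mac}; 10.1.1.1's MAC is assumed


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (dst, src, type) + 28-byte ARP body for Ethernet/IPv4."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac   # requests go to every node on the subnet
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype=Ethernet, ptype=IPv4, hlen, plen, op
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    body = frame[22:42]
    return {"eth_dst": bytes_to_mac(frame[:6]), "eth_src": bytes_to_mac(frame[6:12]), "op": op,
            "sender_mac": bytes_to_mac(body[0:6]), "sender_ip": ".".join(map(str, body[6:10])),
            "target_mac": bytes_to_mac(body[10:16]), "target_ip": ".".join(map(str, body[16:20]))}


def info(frame):
    """Wireshark's Info column for the frame."""
    a = parse_arp(frame)
    if a["op"] == ARP_REQUEST:
        return "Who has %s? Tell %s" % (a["target_ip"], a["sender_ip"])
    return "%s is at %s" % (a["sender_ip"], a["sender_mac"])


def resolve(requester_ip, requester_mac, target_ip, subnet):
    """Model the exchange: the requester broadcasts, every host on the subnet sees the request,
    only the owner of target_ip replies, and the requester caches a reply only if it is
    addressed to it and answers the IP it actually asked about."""
    request = build_arp(ARP_REQUEST, requester_mac, requester_ip, "00:00:00:00:00:00", target_ip)
    req = parse_arp(request)
    cache, replies = {}, []
    for ip, mac in subnet.items():
        if ip == req["target_ip"]:                              # "Replier (me)": that is my address
            replies.append(build_arp(ARP_REPLY, mac, ip, req["sender_mac"], req["sender_ip"]))
    for reply in replies:
        rep = parse_arp(reply)
        if rep["eth_dst"] == requester_mac and rep["sender_ip"] == target_ip:
            cache[rep["sender_ip"]] = rep["sender_mac"]
    return {"request": info(request), "replies": [info(r) for r in replies], "cache": cache}
```

The target MAC field of a request is all zeros because that is the value being asked for; the reply simply swaps sender and target so the requester can copy the sender pair straight into its cache.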

Domain Name System (DNS)

Converts a host name (e.g. www.cs.uwp.edu) to a numeric IP address, or vice versa.

Protocol:

Request names the host name (or, for a reverse lookup, the numeric IP address) to look up.

Reply provides the records for that name (below, a CNAME alias followed by the A records of its target).

#   Time       Source IP   Dest IP     App  Info
53  55.927059  10.1.1.165  10.1.1.3    DNS  Standard query A www.mozilla.org
54  55.946341  10.1.1.3    10.1.1.165  DNS  Standard query response CNAME groups.l.google.com A 74.125.95.138 A 74.125.95.139 A 74.125.95.100 A 74.125.95.101 A 74.125.95.102 A 74.125.95.113
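The query and response in the capture above, as an added example in Python that is not from the original slides: it builds the A query, builds a response with the CNAME and A records using RFC 1035 name compression, decodes both (following compression pointers), and checks that a response matches the query it answers. The names and addresses are those in the capture; the transaction ID and TTL are assumptions.

```python
"""DNS A query and its CNAME + A response, built and decoded with RFC 1035 name compression.

Added example, not from the slides: messages are constructed here and reproduce the names
and addresses in the capture rows; the transaction ID and TTL are assumptions.
"""
import struct

TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1
TYPE_NAMES = {TYPE_A: "A", TYPE_CNAME: "CNAME"}


def encode_name(name):
    """Labels as <length><bytes>..., terminated by a zero length."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, pos):
    """Read a name at pos, following compression pointers (0xC0xx = 14-bit offset).
    Returns (name, position just after the name as it appears in-line)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                            # a pointer loop would otherwise spin forever
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), pos if end is None else end
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def build_query(txid, name):
    """Header (RD=1, one question) + question section: 'Standard query A <name>'."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN))


def build_response(query, cname, addrs, ttl=300):
    """Echo the query's ID and question, then answer with one CNAME and an A record per address.
    Owner names are written as pointers: 0xC00C points at the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, 1 + len(addrs), 0, 0) + query[12:qend + 4])
    rdata = encode_name(cname)
    msg += struct.pack("!HHHIH", 0xC000 | 12, TYPE_CNAME, CLASS_IN, ttl, len(rdata))
    cname_at = len(msg)                              # the A records point at the target written here
    msg += rdata
    for addr in addrs:
        msg += struct.pack("!HHHIH", 0xC000 | cname_at, TYPE_A, CLASS_IN, ttl, 4)
        msg += bytes(int(o) for o in addr.split("."))
    return bytes(msg)


def parse_message(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((TYPE_NAMES.get(qtype, str(qtype)), name))
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_CNAME:
            value, _ = decode_name(msg, pos)         # RDATA is itself a (possibly compressed) name
        elif rtype == TYPE_A and rdlen == 4:
            value = ".".join(map(str, msg[pos:pos + 4]))
        else:
            value = msg[pos:pos + rdlen].hex()
        pos += rdlen
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), value))
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def info(msg):
    """Wireshark's Info column for the message."""
    m = parse_message(msg)
    if not m["response"]:
        return "Standard query " + " ".join("%s %s" % q for q in m["questions"])
    return "Standard query response " + " ".join("%s %s" % (t, v) for _, t, v in m["answers"])


def matches(query, response):
    """A resolver only accepts a response whose ID and question match its outstanding query."""
    q, r = parse_message(query), parse_message(response)
    return r["response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


ADDRS = ["74.125.95.138", "74.125.95.139", "74.125.95.100",
         "74.125.95.101", "74.125.95.102", "74.125.95.113"]
QUERY = build_query(0x1A2B, "www.mozilla.org")                 # transaction ID is an assumption
RESPONSE = build_response(QUERY, "groups.l.google.com", ADDRS)
```

Because UDP gives no connection to tie a reply to, the 16-bit ID and the echoed question are all a resolver has to pair a response with its query; the hop limit in decode_name is the other check a parser needs, since a pointer that refers to itself is valid-looking input that would otherwise never terminate.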





IGMP: Internet Group Management Protocol

Sets up multicast group membership for streaming and gaming

NTP: Network Time Protocol

Synchronizes clocks

WIRESHARK

DEMO

And now for a …