LAN Security Don't let them in • Networking Review • Firewall Techniques • Network Attacks • Various Implementations

Page 1

LAN Security

Don't let them in

• Networking Review
• Firewall Techniques
• Network Attacks
• Various Implementations

Page 2

TCP/IP Stack

Layer         Protocols
Applications  FTP, Telnet, SNMP, SMTP, TFTP, HTTP, DNS
Transport     TCP, UDP
IP            IP, ICMP, IGMP, IPSEC
Data Link     Ethernet: ARP, RARP
Physical

Page 3

Ethernet Frame Encapsulation

• Ethernet Frame Length
  – Header – 14 bytes, CRC – 4 bytes, Payload
  – 64 <= Total Length <= 1518 bytes
• Ethernet Frame Payload Length
  – Maximum 1500 bytes
  – Minimum 46 bytes
  – Padding to a multiple of ??

Header | Data >= 46 bytes | Padding | CRC

Preamble and 802.1AE – Wikipedia; separate presentation with GCM

Page 4

Ethernet Frame Header

Bit 0–47:    Destination MAC Address
Bit 48–95:   Source MAC Address
Bit 96–111:  Type or Size

Type or Size Field
– <= 1500 (0x05dc) – Size of 802.3 LLC/SNAP Data
– > 1500 (0x05dc) – Type of Frame

Value   Meaning
0x0800  IPv4
0x86dd  IPv6
0x0806  ARP
0x809b  AppleTalk
0x6559  Frame Relay
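The following is an added example, not code from the slides: it builds and parses an Ethernet II frame using the 14-byte header layout, the 1500-byte type-or-size boundary and the 46-byte minimum payload given above. The frame is assumed to be as a NIC delivers it (no preamble, no CRC), so the length limits are 60 and 1514 rather than 64 and 1518; the EtherType table is the slide's.

```python
import struct

# Sizes from the slides: 14-byte header, 4-byte CRC, payload 46..1500,
# so a frame on the wire is 64..1518 bytes including the CRC.
HEADER_LEN, CRC_LEN, MIN_PAYLOAD, MAX_PAYLOAD = 14, 4, 46, 1500

# EtherType values from the slide's table.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP",
              0x809B: "AppleTalk", 0x6559: "Frame Relay"}


def mac_str(raw):
    """Render a 6-byte MAC address as aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % b for b in raw)


def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet II frame without its CRC, padding the payload to 46 bytes."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte maximum")
    # A negative repeat count yields b"", so payloads of 46 bytes or more are left alone.
    payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_frame(frame):
    """Decode the header and classify the Type-or-Size field the way the slide does.

    `frame` is assumed to be the frame as captured by a NIC: no preamble, no CRC.
    """
    if len(frame) < HEADER_LEN + MIN_PAYLOAD:
        raise ValueError("runt frame: shorter than 60 bytes (64 with CRC)")
    if len(frame) > HEADER_LEN + MAX_PAYLOAD:
        raise ValueError("giant frame: longer than 1514 bytes (1518 with CRC)")
    dst, src, type_or_size = struct.unpack("!6s6sH", frame[:HEADER_LEN])
    payload = frame[HEADER_LEN:]
    info = {"dst": mac_str(dst), "src": mac_str(src), "payload_len": len(payload)}
    if type_or_size <= 1500:
        # 802.3: the field is the length of the LLC/SNAP data, so the amount of
        # padding the sender added is measurable at this layer.
        if type_or_size > len(payload):
            raise ValueError("802.3 length field exceeds the bytes present")
        info["kind"] = "802.3 length"
        info["length"] = type_or_size
        info["padding"] = len(payload) - type_or_size
    else:
        # Ethernet II: the field names the protocol; padding, if any, is only
        # recoverable from the encapsulated protocol's own length field.
        info["kind"] = "Ethernet II type"
        info["ethertype"] = ETHERTYPES.get(type_or_size, "unknown 0x%04x" % type_or_size)
    return info


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to exercise the length limits."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Note the asymmetry the two branches show: for an 802.3 frame the padding is visible at layer 2, while for an Ethernet II frame a short payload is padded silently and only the IP total length (page 11) reveals how many trailing bytes are filler.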

Page 5

What Goes Inside

• ARP, RARP Messages
• IP datagrams
  – ICMP
  – IGMP
  – TCP
  – UDP

Page 6

ARP – Address Resolution Protocol

Resolves IP Address to MAC Address

Bit 0                       15 16                        31
HW Addr Type                   Proto Addr Type
HW Addr Len | Proto Addr Len   Operation
Sender Hardware Address
Sender Protocol Address
Target Hardware Address
Target Protocol Address

Page 7

ARP Operation Codes

1  ARP request
2  ARP response
3  RARP request
4  RARP response
5  etc.
...
9  etc.
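An added example (not from the slides) that packs and parses the ARP message laid out on page 6 and names the operation codes above, then uses it the way a LAN monitor would: it learns the sender IP-to-MAC binding carried by every request and response and reports whenever an address it already knows shows up with a different MAC. The hardware/protocol types, sample addresses and the `ArpWatch` class are all constructed for the example.

```python
import struct

# Operation codes from the slide.
ARP_OPS = {1: "ARP request", 2: "ARP response", 3: "RARP request", 4: "RARP response"}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP message in the page 6 field order.

    HW type 1 = Ethernet, protocol type 0x0800 = IPv4, address lengths 6 and 4.
    """
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(msg):
    """Decode the 8-byte fixed header, then the four addresses using the length fields."""
    if len(msg) < 8:
        raise ValueError("ARP message shorter than its fixed header")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", msg[:8])
    body_len = 2 * (hlen + plen)
    if len(msg) < 8 + body_len:
        raise ValueError("ARP message truncated: need %d address bytes" % body_len)
    sha, spa, tha, tpa = struct.unpack("!%ds%ds%ds%ds" % (hlen, plen, hlen, plen),
                                       msg[8:8 + body_len])
    return {"htype": htype, "ptype": ptype, "op": op,
            "op_name": ARP_OPS.get(op, "opcode %d" % op),
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Learn IP -> MAC bindings from ARP traffic and report when a binding changes.

    Both requests and responses carry the sender's binding, so both are learned,
    exactly as a host's ARP cache would. A change is not proof of anything by
    itself (DHCP reassignment and failover MACs also move addresses), but it is
    the event a defender wants logged.
    """

    def __init__(self):
        self.bindings = {}   # sender protocol address -> sender hardware address

    def observe(self, msg):
        a = parse_arp(msg)
        if (a["htype"], a["ptype"]) != (1, 0x0800):
            return None                       # only Ethernet/IPv4 bindings are tracked
        known = self.bindings.get(a["spa"])
        self.bindings[a["spa"]] = a["sha"]
        if known is not None and known != a["sha"]:
            return "%s moved from %s to %s (%s)" % (a["spa"], known, a["sha"], a["op_name"])
        return None
```

The parser trusts the length fields only after checking that the message actually contains that many bytes; a monitor that unpacks addresses blindly is itself an easy thing to crash with a short frame.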

Page 8

IP Datagram (IPv4) – RFC 791

● Internet Protocol
● RFC 791
● Connectionless communication
● Best effort delivery
● Virtual addressing

Page 9

IP Datagram Format

Header | Payload

Total datagram size constraints
– Maximum 2^16 - 1 bytes
– Header length between 20 and 60 bytes

Page 10

IP Datagram Header

Bit 0       3 4       7 8                   15 16                              31
Ver  | Hlen | Diff. or Type of Services      | Total length
Identification                              | Rsv | Frg | Lst | Fragment Offset
Time to Live | Protocol                     | Header Checksum
Source Address
Destination Address
Options                                     | Padding

Page 11

IP Datagram (cont)

Ver – IP Version 4 or 6
Hlen – Header length in 32 bit words
Total Length – Total length of datagram in octets

Note: Total length = Header + Payload

Source Address – IP address of sender
Destination Address – IP address of destination
Header Checksum – 16 bit one's complement checksum of header
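An added example, not code from the slides, that puts pages 9 to 11 to work: it assembles an IPv4 header with a correct one's complement checksum and parses one back while enforcing the constraints the slides state (version 4, header length 20 to 60 bytes, total length = header + payload, checksum over the header). The addresses, protocol numbers and option byte in the test are constructed; the hex header used to check the checksum routine is the widely published RFC 1071 style sample whose checksum is 0xb861.

```python
import struct

IPV4_FIXED = "!BBHHHBBH4s4s"   # the 20-byte fixed header in the page 10 order


def internet_checksum(data):
    """RFC 1071 one's complement sum over 16-bit words; an odd length gets a zero pad byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0, tos=0, options=b""):
    """Assemble a datagram with a correct header checksum; options are padded to 32 bits."""
    options = options + b"\x00" * (-len(options) % 4)
    hlen_words = (20 + len(options)) // 4
    total = 20 + len(options) + len(payload)
    if hlen_words > 15 or total > 0xFFFF:
        raise ValueError("header or datagram too long")
    header = struct.pack(IPV4_FIXED, (4 << 4) | hlen_words, tos, total, ident, 0,
                         ttl, proto, 0, src, dst) + options
    csum = internet_checksum(header)        # computed with the checksum field zeroed
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    """Validate the constraints on pages 9-11 and return the header fields."""
    if len(pkt) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    (vhl, tos, total, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(IPV4_FIXED, pkt[:20])
    version, hlen = vhl >> 4, (vhl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if not 20 <= hlen <= 60 or hlen > len(pkt):
        raise ValueError("bad header length %d" % hlen)
    if total < hlen or total > len(pkt):    # total length = header + payload
        raise ValueError("total length %d inconsistent with %d bytes" % (total, len(pkt)))
    # A header whose checksum is intact sums to 0xFFFF, so its complement is 0.
    if internet_checksum(pkt[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return {"hlen": hlen, "tos": tos, "total": total, "ident": ident,
            "df": (flags_frag >> 14) & 1, "mf": (flags_frag >> 13) & 1,
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # page 25: units of 8 octets
            "ttl": ttl, "proto": proto, "checksum": csum,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "options": pkt[20:hlen], "payload": pkt[hlen:total]}


def header_ok(pkt):
    """True if parse_ipv4 accepts the packet, False if it raises ValueError."""
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False
```

Two details matter in practice: the payload is sliced to `total`, so Ethernet padding beyond the IP total length is dropped rather than handed to the next layer, and the checksum is verified over `hlen` bytes, so options are covered too. Because every router rewrites TTL, it must also rewrite the checksum; the test shows that a TTL change without a checksum update is rejected.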

Page 12

Service Type Field

Bit Number: 0 1 2 3 4 5 6 7

Bits 0-2 – Precedence
1 1 1  Network control
1 1 0  Internetwork control
1 0 1  CRITIC/ECP
1 0 0  Flash override
0 1 1  Flash
0 1 0  Immediate
0 0 1  Priority
0 0 0  Routine

Bits 3-6 – Type of service
0 0 0 0  Normal (default)
0 0 0 1  Minimize cost
0 0 1 0  Maximize reliability
0 1 0 0  Maximize throughput
1 0 0 0  Minimize delay
1 1 1 1  Maximize security

Bit 7 – Reserved

Page 13

Type of Service

Protocol         TOS Bits (3 4 5 6)   Description
ICMP             0 0 0 0              Normal
BOOTP            0 0 0 0              Normal
IGP              0 0 1 0              Maximize Reliability
SNMP             0 0 1 0              Maximize Reliability
Telnet           1 0 0 0              Minimize Delay
FTP (data)       0 1 0 0              Maximize Throughput
FTP (control)    1 0 0 0              Minimize Delay
SMTP (command)   1 0 0 0              Minimize Delay
SMTP (data)      0 1 0 0              Maximize Throughput
DNS (UDP query)  1 0 0 0              Minimize Delay
DNS (UDP query)  0 0 0 0              Normal
DNS (zone)       0 1 0 0              Maximize Throughput

Page 14

Differentiated Services – RFC 2474 & 2475

• A method for differentiating services for network traffic
• 6 high order bits of the field
• DSCP – differentiated services code point
• Determines PHB – Per-Hop Behavior
• Often the DSCP is set by a router based on traffic
• Sometimes the DSCP is set by the content of the packet
• VoIP, RTP are treated differently than e-mail
• RFC 2597 & 2598 have set some DSCP values

Page 15

Differentiated Services – Congestion Control

Bit:  0 1 2 3 4 5 | 6 7
      DSCP        | ECN

DSCP – Differentiated Services Code Point
– Pool 0 for use
– Pool 1 for experimental use

ECN – Explicit Congestion Notification

Differentiated services describes the types of services to be applied to this datagram.

Congestion Notification (ECN and CE) provides devices a way to notify each other that a link is congested.

Page 16

Differentiated Services – Assured Forwarding

Assured Forwarding PHB – RFC 2597
• Bits 0, 1, 2 determine the class of service
  – Packets with the same class will be granted similar services
  – Available bandwidth, quality, etc.
  – Services are determined by router
• Bits 3, 4 determine the drop precedence
  – Low, medium, high
  – Indicates who gets dropped first during router congestion

Page 17

Assured Forwarding – RFC 2597

Bit Number: 0 1 2 3 4 5

Class (bits 0–2)
0 0 1  Class 1
0 1 0  Class 2
0 1 1  Class 3
1 0 0  Class 4

Drop Precedence (bits 3–5)
0 1 0  Low
1 0 0  Medium
1 1 0  High

Page 18

Differentiated Services – Expedited Forwarding

• A Per Hop Behavior for services such as virtual leased lines.
• Low loss, low latency, low jitter, end-to-end service through a differentiated services domain.
• VoIP, video conferencing etc.

Page 19

Expedited Forwarding – RFC 3246

Bit Number: 0 1 2 3 4 5

Class (bits 0–2)
1 0 1  Class 5

Drop Precedence (bits 3–5)
1 1 0  High

Page 20

Explicit Congestion Notification – RFC 3168

• Permits routers to mark packets about congestion rather than dropping them.
• Also routers can indicate that they are ECN capable, i.e. ECT (ECN-Capable Transport)

Bit Number: 0 1 2 3 4 5 6 7 (ECN = bits 6–7)

Bits 6 7
0 0  Not ECN-Capable Transport
0 1  ECT(0) (ECN-Capable)
1 0  ECT(1) (ECN-Capable)
1 1  CE (Congestion Experienced)
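The second byte of the IP header is read two ways on pages 12 to 20: as Precedence + Type of Service (page 12) or as DSCP + ECN (pages 15 to 20). The following added example, not code from the slides, decodes one byte both ways. It goes a little beyond the slides' tables by naming Assured Forwarding codepoints as AFxy (class x, drop precedence y, per RFC 2597) and class-selector codepoints (xxx000, the precedence-compatible values of RFC 2474), and it reports ECN only as not-capable, capable or congestion experienced. The byte values in the test are constructed.

```python
# Legacy interpretation (page 12): bits 0-2 precedence, bits 3-6 TOS, bit 7 reserved.
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash override",
              "CRITIC/ECP", "Internetwork control", "Network control"]
TOS_NAMES = {0b0000: "Normal (default)", 0b0001: "Minimize cost",
             0b0010: "Maximize reliability", 0b0100: "Maximize throughput",
             0b1000: "Minimize delay", 0b1111: "Maximize security"}
DROP_PRECEDENCE = {1: "Low", 2: "Medium", 3: "High"}   # page 17: bits 3-4 of the DSCP


def decode_legacy_tos(byte):
    """Read the byte as RFC 791/1349 Precedence + Type of Service."""
    return {"precedence": PRECEDENCE[byte >> 5],
            "tos": TOS_NAMES.get((byte >> 1) & 0x0F, "undefined"),
            "reserved_bit": byte & 1}


def decode_diffserv(byte):
    """Read the same byte as DSCP (bits 0-5) + ECN (bits 6-7) and name the PHB."""
    dscp, ecn = byte >> 2, byte & 0x03
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0x03, dscp & 1
    if dscp == 0:
        phb = "Default (best effort)"
    elif dscp == 0b101110:                          # page 19: class 5, drop precedence 110
        phb = "EF"
    elif 1 <= cls <= 4 and drop in DROP_PRECEDENCE and low_bit == 0:
        phb = "AF%d%d (%s drop precedence)" % (cls, drop, DROP_PRECEDENCE[drop])
    elif dscp & 0x07 == 0:
        phb = "CS%d (class selector)" % cls        # xxx000 mirrors the old precedence bits
    else:
        phb = "unassigned/local use"
    ecn_name = {0: "Not-ECT", 3: "CE (Congestion Experienced)"}.get(ecn, "ECT (ECN-Capable)")
    return {"dscp": dscp, "phb": phb, "ecn": ecn, "ecn_name": ecn_name}


def af_dscp(cls, drop):
    """Build the AF codepoint for class 1-4 and drop precedence 1-3 using the page 17 bit layout."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)
```

Because the two interpretations share the byte, a value such as 0x10 reads as "Minimize delay" to a legacy host and as CS2-style class 2 with an unassigned low bit to a DiffServ router; devices on a path may disagree about what a marking means, which is why the slides note that routers often reset the DSCP themselves.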

Page 21

Protocol Field

Value  Protocol
1      ICMP   Internet Control Message Protocol
2      IGMP   Internet Group Management Protocol
6      TCP    Transmission Control Protocol
8      EGP    Exterior Gateway Protocol
17     UDP    User Datagram Protocol
41     IPv6   IP Version 6
89     OSPF   Open Shortest Path First

Page 22

Time To Live Field

TTL – Time to live

Every router that forwards the datagram decrements this field by 1. The first router to decrement the TTL field to zero must respond to the originator with an ICMP message.

Page 23

TTL Initialization

Different OSs initialize this field to different values

Page 24

Fragmentation Flags

Rsv, Frg, and Lst bits
– Rsv – Reserved
– Frg – 0 May fragment, 1 Do not fragment
– Lst – 0 Last fragment, 1 More fragments

Page 25

Fragment Offset

This field indicates where, i.e. at which octet, in the datagram payload this fragment belongs.

The offset is measured in units of 8 octets (64 bits).

The first fragment has offset zero (0).

Page 26

Identification

● ID field allows all fragments of a datagram to be associated
● Different OSs choose the ID differently
  ● Linux – Random ID and increments by 1
  ● BSD – Random each time
  ● Others – Random ID and increments by 1
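The three fields of pages 24 to 26 (flags, offset in 8-octet units, identification) together let a receiver rebuild a datagram. The following added example, not code from the slides, packs and unpacks the 16-bit flags/offset word, splits a payload into fragments, and reassembles fragments that arrive in any order, keyed by identification. It refuses overlapping fragments instead of merging them: a compliant stack never emits them, and accepting them lets a host and an inspecting device reconstruct different bytes from the same fragments. The identification values and payloads are constructed.

```python
MAX_DATAGRAM = 0xFFFF           # page 9: 2^16 - 1 bytes including the header
MIN_HEADER = 20


def frag_word(df, mf, offset_bytes):
    """Pack the Rsv/Frg/Lst bits and the 13-bit offset (pages 24-25) into one 16-bit word."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    return (df << 14) | (mf << 13) | (offset_bytes // 8)


def split_word(word):
    """Inverse of frag_word: (df, mf, offset_bytes)."""
    return (word >> 14) & 1, (word >> 13) & 1, (word & 0x1FFF) * 8


def fragment(ident, payload, max_fragment_payload):
    """Cut a payload into fragments; every non-last fragment carries a multiple of 8 octets."""
    size = max_fragment_payload - max_fragment_payload % 8
    if size <= 0:
        raise ValueError("link cannot carry an 8-octet fragment")
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = 1 if off + size < len(payload) else 0
        frags.append((ident, frag_word(0, more, off), chunk))
    return frags


class Reassembler:
    """Rebuild datagrams from (ident, flags/offset word, payload) triples."""

    def __init__(self):
        self.pending = {}      # ident -> {"parts": {offset: bytes}, "end": int or None}

    def add(self, ident, word, chunk):
        df, mf, offset = split_word(word)
        if mf and len(chunk) % 8:
            raise ValueError("non-last fragment must be a multiple of 8 octets")
        if offset + len(chunk) > MAX_DATAGRAM - MIN_HEADER:
            raise ValueError("fragment would exceed the 65535-byte datagram limit")
        entry = self.pending.setdefault(ident, {"parts": {}, "end": None})
        if entry["parts"].get(offset) == chunk:
            return None                        # exact duplicate (retransmission): ignore
        for start, data in entry["parts"].items():
            if offset < start + len(data) and start < offset + len(chunk):
                raise ValueError("overlapping fragment for identification %d" % ident)
        entry["parts"][offset] = chunk
        if not mf:
            entry["end"] = offset + len(chunk)   # page 24: Lst = 0 marks the last fragment
        return self._try_complete(ident, entry)

    def _try_complete(self, ident, entry):
        if entry["end"] is None:
            return None                        # last fragment not seen yet
        have = 0
        for start in sorted(entry["parts"]):
            if start != have:
                return None                    # a hole remains
            have += len(entry["parts"][start])
        if have != entry["end"]:
            return None
        del self.pending[ident]
        return b"".join(entry["parts"][s] for s in sorted(entry["parts"]))


def rejects(reasm, ident, word, chunk):
    """True if the reassembler refuses the fragment with ValueError."""
    try:
        reasm.add(ident, word, chunk)
    except ValueError:
        return True
    return False
```

A real stack also bounds how long an incomplete datagram may sit in `pending` and how much memory it may consume, since identification is only 16 bits and, as page 26 notes, several operating systems pick it predictably.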

Page 27

IP Options

Copy Class Number Value Name
---- ----- ------ ----- -------------------------------
0    0     0      0     EOOL - End of Options List
0    0     1      1     NOP - No Operation
1    0     2      130   SEC - Security
1    0     3      131   LSR - Loose Source Route
0    2     4      68    TS - Time Stamp
1    0     5      133   E-SEC - Extended Security
1    0     6      134   CIPSO - Commercial Security
0    0     7      7     RR - Record Route
1    0     8      136   SID - Stream ID
1    0     9      137   SSR - Strict Source Route
1    0     16     144   IMITD - IMI Traffic Descriptor
1    0     17     145   EIP - Extended Internet Protocol
0    2     18     82    TR - Traceroute
1    0     19     147   ADDEXT - Address Extension
1    0     20     148   RTRALT - Router Alert
1    0     21     149   SDB - Selective Directed Broadcast
1    0     23     151   DPS - Dynamic Packet State
1    0     24     152   UMP - Upstream Multicast Pkt.

Page 28

ICMP

• Internet Control Message Protocol
• RFC 792
• Used to
  • Return error codes
  • Perform network testing
• Sent within an IP datagram
• Highly abused protocol

Page 29

ICMP Message Format

Bit 0          7 8            15 16               31
Message Type   | Message Code   | Checksum
Identifier                      | Sequence Number
Payload

Page 30

ICMP Message Types

Type  Description
0     Echo Reply
3     Destination Unreachable
4     Source Quench
5     Redirect
8     Echo Request
9     Router Advertisement
10    Router Selection
11    Time Exceeded
12    Parameter Problem
13    Timestamp
14    Timestamp Reply
15    Information Request
16    Information Reply
17    Address Mask Request
18    Address Mask Reply
30    Traceroute

Page 31

ICMP Message Codes – Type 0 Echo Reply

Code  Description
0     etc.

Page 32

ICMP Message Codes – Type 3 Destination Unreachable

Code  Description
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Frag Needed & DF Set
5     Source Route Failed
6     Dest Net Unknown
7     Dest Host Unknown
8     Source Host Isolated
      etc.

Page 33

ICMP Message Codes – Type 8 Echo Request

Code  Description
0     etc.

Page 34

ICMP Fields

• Checksum is of the entire ICMP message
• Identifier aids in matching requests/replies
• Sequence # aids in reassembly
• The data field has a number of uses
• The data field must be padded to an even number of octets

Page 35

ICMP Payload

• Used for information, e.g.
  • Echo request/reply: Information to be sent
  • Time exceeded: First 64 octets of IP datagram dropped
  • Etc.
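An added example, not code from the slides, covering pages 29 to 35: it packs and parses the ICMP header (type, code, checksum, identifier, sequence number), pads the data field to an even number of octets, verifies the checksum over the entire message, names types and Destination Unreachable codes from the slides' tables, and then pairs echo replies with the requests they answer by (identifier, sequence). A reply that answers no request the tracker has seen is reported as unsolicited, which is the kind of event worth logging for a protocol the slides call highly abused. Identifiers and payloads in the test are constructed.

```python
import struct

# Types and Destination Unreachable codes from pages 30 and 32.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
              10: "Router Selection", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
              16: "Information Reply", 17: "Address Mask Request",
              18: "Address Mask Reply", 30: "Traceroute"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                     3: "Port Unreachable", 4: "Frag Needed & DF Set",
                     5: "Source Route Failed", 6: "Dest Net Unknown",
                     7: "Dest Host Unknown", 8: "Source Host Isolated"}


def internet_checksum(data):
    """One's complement sum of 16-bit words (a trailing odd byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type, code, ident=0, seq=0, payload=b""):
    """Pack type, code, checksum, identifier, sequence and data in the page 29 layout.

    The data field is padded to an even number of octets (page 34) and the
    checksum covers the entire message.
    """
    payload = payload + b"\x00" * (len(payload) % 2)
    msg = struct.pack("!BBHHH", msg_type, code, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def parse_icmp(msg):
    """Decode the header, verify the whole-message checksum, and name type/code."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if internet_checksum(msg) != 0:          # an intact message sums to 0xFFFF
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    desc = ICMP_TYPES.get(msg_type, "type %d" % msg_type)
    if msg_type == 3:
        desc += ": " + UNREACHABLE_CODES.get(code, "code %d" % code)
    return {"type": msg_type, "code": code, "ident": ident, "seq": seq,
            "description": desc, "payload": msg[8:]}


class EchoTracker:
    """Match echo replies to outstanding requests by (identifier, sequence number)."""

    def __init__(self):
        self.outstanding = set()

    def observe(self, msg):
        m = parse_icmp(msg)
        key = (m["ident"], m["seq"])
        if m["type"] == 8:
            self.outstanding.add(key)
            return "request %04x/%d" % key
        if m["type"] == 0:
            if key in self.outstanding:
                self.outstanding.discard(key)
                return "reply matched %04x/%d" % key
            return "unsolicited reply %04x/%d" % key   # nothing asked for this
        return m["description"]


def valid_icmp(msg):
    """True if parse_icmp accepts the message."""
    try:
        parse_icmp(msg)
        return True
    except ValueError:
        return False
```

The identifier/sequence pair is what lets several ping processes on one host share the ICMP "port-less" namespace; on the monitoring side the same pair is the only handle for telling a genuine reply from one that carries data nobody requested.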

Page 36

Client - Server Paradigm

• Layer 4
• Network applications use the client-server model for communication
• The client
  • Executes locally
  • Initiates communication with the server
• The server
  • Executes as a shared resource
  • Waits passively for an arbitrary unknown client
  • Accepts many connections at the same time

Page 37

Client - Server Paradigm

• Host system
  • Must simultaneously run many server applications
  • Must keep communication with each server app separate
• Host system has only one IP address
• Uses the concept of Port Number to maintain the integrity of the apps

Page 38

Ports

• Standard port numbers assigned to a server application by RFC 1700
• Client uses standard numbers to request a network service
• TCP/UDP assigns dynamically allocated client port number
• The protocol ID (IP header) and the port #'s uniquely identify server & client

Page 39

Port Numbers

• Latest IANA port assignments http://www.iana.org/assignments/port-numbers
• Well Known Ports are those from 0 through 1023
• Registered Ports are those from 1024 through 49151
• Dynamic and/or Private Ports are those from 49152 through 65535
• RFC 1700, "Assigned Numbers" (October 1994)

Page 40

Standard Port Numbers 0 – 1024

• Assigned to well known network services
• Primarily used by server applications
• Controlled by IANA

Page 41

Some Common Port Numbers

echo        7/tcp
echo        7/udp
ftp-data    20/tcp
ftp-data    20/udp
ftp         21/tcp
ftp         21/udp    fsp fspd
ssh         22/tcp                    # SSH
ssh         22/udp                    # SSH
telnet      23/tcp
telnet      23/udp
smtp        25/tcp    mail            # mail
smtp        25/udp    mail            # mail
domain      53/tcp                    # name-domain server
domain      53/udp
http        80/tcp    www www-http    # WorldWideWeb HTTP
http        80/udp    www www-http    # http
kerberos    88/tcp    kerberos5 krb5  # Kerberos v5
kerberos    88/udp    kerberos5 krb5  # Kerberos v5
https       443/tcp                   # MCom
https       443/udp                   # MCom

Page 42

Layer 4 Protocols

• UDP – User Datagram Protocol
• TCP – Transmission Control Protocol

Page 43

UDP

• Connectionless transport
• No guaranteed delivery
• No error messages

Page 44

UDP Datagram – RFC 768

Bit 0             15 16              31
Source Port          Destination Port
UDP Length           Checksum
UDP Data

Page 45

UDP Header Fields

• Ports are layer 5 application ports
• Length is in bytes including the header and data
• Length should be an even number of octets
• Checksum of all 16-bit words in the header and UDP data

Page 46

TCP

• Transmission Control Protocol
• RFC – 793
• Connection Oriented
• Reliable transport
• Full Duplex communication
• Stream interface
• Point-to-point communication

Page 47

TCP Header Format

Bit 0             15 16                                   31
Source Port          Destination Port
Sequence Number
Acknowledge Number
Offset | Unused | Flags (CWR ECE URG ACK PSH RST SYN FIN) | Window
Checksum             Urgent Pointer
Options              Padding

Page 48

Header Fields – Sequence #

• Sequence# indicates the byte position of the first octet of the current datagram within the data stream
• Usually starts with a random number and wraps if it exceeds 2^32
• If a SYN is present, the Seq # is the initial sequence number.
• Each successive Seq# is the previous Seq # + the payload size in octets.

Page 49

Header Fields – Acknowledgment #

• Ack# indicates the next Seq# expected and that the sender has correctly processed datagrams to that point within the data stream
• Ensures the connected stream has not dropped any data

Page 50

Header Fields cont'd

• Offset
  • 4-bit field is the length of the TCP Header in 32-bit words including options
• Window
  • 16-bit field for the number of octets the sender is willing to accept
• Urgent Pointer
  • Field (byte) in the data stream that is urgent. Receiver will skip to this field if URG bit is set

Page 51

Header Fields cont'd

• Checksum
  • 16-bit checksum of the TCP header and data
• Unused
  • 4-bits zero filled

Page 52

Flags – CWR, ECE

• CWR – Congestion Window Reduced flag for the data sender to inform the data receiver that the congestion window has been reduced
• ECE – ECN-Echo for the data receiver to inform the data sender when a CE packet has been received

Page 53

Flags – SYN, ACK, RST

• SYN – Indicates a request to initiate TCP connection
• ACK – Indicates that the datagram's acknowledgment sequence number specifies that the TCP data stream has been correctly received
• RST – Indicates that the sender has abruptly closed the connection

Page 54

Flags – PSH, URG, FIN

• PSH – Indicates that the receiver should immediately make the data available to the app rather than wait until subsequent or earlier datagrams
• URG – Indicates that the urgent pointer is set
• FIN – Indicates the sender has completed its communication and is shutting down the connection
• RSV – Reserved and set to zero

Page 55

Options

• Single byte
  – End of options
  – No operation
    » Used to align for the next option or beginning of an option
• Multi-byte
  – Max segment size
  – Window scale factor
  – Timestamp

Page 56

TCP Connection – 3-Way Handshake

Client                                                    Server
Segment 1:  Seq# 10580321                      (SYN, .)   --->
Segment 2:  <---  Seq# 378086426, Ack# 10580322            (SYN, ACK)
Segment 3:  Seq# 10580322, Ack# 378086427      (., ACK)    --->

Page 57

TCP Teardown

Client                                                    Server
Segment 4:  <---  Seq# 378086579, Ack# 10580352            (FIN, ACK)
Segment 5:  Ack# 378086580                     (., ACK)    --->
Segment 6:  Seq# 10580352, Ack# 378086580      (FIN, ACK)  --->
Segment 7:  <---  Ack# 10580353                            (., ACK)
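The handshake and teardown on pages 56 and 57, carried through in code as an added example that is not part of the slides. It packs and parses the page 47 header (ports, Seq#, Ack#, offset, flags, window, urgent pointer), then walks a session segment by segment checking the arithmetic of pages 48 and 49: each side's next Seq# is its last Seq# plus the payload length, plus one for a SYN or FIN, and every Ack# must equal the peer's next Seq#. The seven segments use the slides' numbers; the two data segments between them (30 bytes from the client, 152 from the server) are assumed from the gap between the handshake and teardown sequence numbers, the port numbers are assumed, and the TCP checksum is left at zero because the IP pseudo-header is not modelled here.

```python
import struct

TCP_FIXED = "!HHIIHHHH"        # page 47: ports, seq, ack, offset/flags, window, checksum, urgent
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
FLAG_BIT = {name: 1 << i for i, name in enumerate(FLAG_NAMES)}


def build_tcp(sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Pack a 20-byte header (offset 5, no options) followed by the payload.

    The checksum stays zero: computing it needs the IP pseudo-header (assumed away here).
    """
    bits = sum(FLAG_BIT[f] for f in flags)
    hdr = struct.pack(TCP_FIXED, sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)
    return hdr + payload


def parse_tcp(segment):
    """Decode the header fields described on pages 48-54."""
    if len(segment) < 20:
        raise ValueError("segment shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(TCP_FIXED, segment[:20])
    offset = (off_flags >> 12) * 4          # page 50: length in 32-bit words, options included
    if not 20 <= offset <= len(segment):
        raise ValueError("bad data offset %d" % offset)
    flags = [n for n in FLAG_NAMES if off_flags & FLAG_BIT[n]]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "offset": offset, "flags": flags, "window": window,
            "urgent": urg if "URG" in flags else None,   # page 54: pointer valid only with URG
            "options": segment[20:offset], "payload": segment[offset:]}


def check_sequence(segments):
    """Walk (direction, bytes) pairs and verify the Seq#/Ack# arithmetic of pages 48-49.

    SYN and FIN each occupy one sequence number of their own, so they advance
    the sender's next Seq# by one just as a payload byte would.
    Returns a list of (segment number, ok) tuples.
    """
    next_seq = {}
    results = []
    for n, (direction, raw) in enumerate(segments, 1):
        h = parse_tcp(raw)
        peer = "s2c" if direction == "c2s" else "c2s"
        ok = True
        if direction in next_seq and h["seq"] != next_seq[direction]:
            ok = False                                    # not where this sender left off
        if "ACK" in h["flags"] and peer in next_seq and h["ack"] != next_seq[peer]:
            ok = False                                    # acknowledges the wrong byte
        consumed = len(h["payload"]) + ("SYN" in h["flags"]) + ("FIN" in h["flags"])
        next_seq[direction] = (h["seq"] + consumed) & 0xFFFFFFFF   # page 48: wraps at 2^32
        results.append((n, ok))
    return results


def slide_session():
    """The seven segments of pages 56-57 plus two constructed data segments.

    The client's Seq# moves from 10580322 to 10580352 and the server's from
    378086427 to 378086579 between handshake and teardown, so 30 and 152 bytes
    of data are assumed to have been exchanged; ports 40000 and 80 are assumed.
    """
    c, s = 40000, 80
    return [
        ("c2s", build_tcp(c, s, 10580321, 0, ["SYN"])),                                  # segment 1
        ("s2c", build_tcp(s, c, 378086426, 10580322, ["SYN", "ACK"])),                    # segment 2
        ("c2s", build_tcp(c, s, 10580322, 378086427, ["ACK"])),                           # segment 3
        ("c2s", build_tcp(c, s, 10580322, 378086427, ["PSH", "ACK"], b"R" * 30)),         # data (assumed)
        ("s2c", build_tcp(s, c, 378086427, 10580352, ["PSH", "ACK"], b"r" * 152)),        # data (assumed)
        ("s2c", build_tcp(s, c, 378086579, 10580352, ["FIN", "ACK"])),                    # segment 4
        ("c2s", build_tcp(c, s, 10580352, 378086580, ["ACK"])),                           # segment 5
        ("c2s", build_tcp(c, s, 10580352, 378086580, ["FIN", "ACK"])),                    # segment 6
        ("s2c", build_tcp(s, c, 378086580, 10580353, ["ACK"])),                           # segment 7
    ]
```

The same bookkeeping is what a stateful firewall keeps per connection: a segment whose Seq# or Ack# does not fit the stream it claims to belong to is the one to log or drop, and the test shows an Ack# that is off by one being flagged while the rest of the session still verifies.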