1

TCP/IP Protocols Review

Protocol Model Internet Protocol – IP/ICMP/ARP Reliable Stream Transport Service - TCP User Datagram Protocol - UDP Internet Applications

2

PresentationPresentation

SessionSession

TransportTransport

NetworkNetwork

Data linkData link

PhysicalPhysical

NetworkNetwork

Data linkData link

PhysicalPhysical

NetworkNetwork

Data linkData link

PhysicalPhysical

PresentationPresentation

ApplicationApplication

SessionSession

TransportTransport

NetworkNetwork

Data linkData link

PhysicalPhysical

ApplicationApplication

OSI Reference Model

3

Application

Host-to-Host Transport

Internet

Network Access

Http,Telnet,FTP,SMTP,SNMP,NFS

TCP,UDP

IP , ICMP

device driver and interface card

TCP/IP v.s. OSI 的架構

4

FrameHeader

IPHeader

TCP/UDP/ICMP

Header Data Trailer

IPHeader

TCP / UDP/ICMP

Header Data

UDPHeader

Data

TCPHeader

Data

DataApplication Layer： User Data

TCP or UDPor ICMP Layer

IPLayer

LowerLayer

ICMPHeader

Data

TCP/IP Data Encapsulation

5

TCP/IP 階層性架構

ICMP IP IGMP

ARP Interface RARP

TCP UDP

UserProcess

UserProcess

UserProcess

Application

Transport

Network

Link

Application

Transport

Internet

Network Access

6

Internet Protocol (IP)

Internet Address IP Datagram IP Fragmentation IP Routing Internet Control Message Protocol(ICMP) IP 通信協定的特性 IPv6

7

Internet Address

Network ID and Host ID (Network Mask and Subnet)

Address Class and Classless IP NIC Reserved IP Address Broadcast / Loop Back / Multicast Address Internet Addressing 的缺點

8

network mask A host needs to know how many bits are used for the Network-ID and how many bits are used for the Host-ID. This is specified using network mask.

Class C network mask example 255.255.255.0 , 255.255.255.128, 255.255.255.192 , 255.255.255.224, 255.255.255.240, 255.255.255.248

Commands to check IP address and network maskWin95/98 - winipcfgWinNT/2000 - ipconfig /allUNIX - ifconfig -a

Network Mask and Subnet

9

IP Address Class (1)

Class A nnn.hhh.hhh.hhh(1.0.0.0 ~ 126.255.255.255)

Class B nnn.nnn.hhh.hhh(128.0.0.0 ~ 191.255.255.255)

Host0 Network

Host1 Network0

0

70

15

10

IP Address Class (2)

Class C nnn.nnn.nnn.rrr(192.0.0.0 ~ 223.255.255.255)

Class D Multicast address(224.0.0.0 ~ 239.255.255.255)

Host1 Network

1 Multicast address0

0

1 0

1 2

1 1

11

Class A10.0.0.0 ~ 10.255.255.255

Class B172.16.0.0 ~ 172.31.255.255

Class C192.168.0.0 ~ 192.168.255.255

NIC Reserved IP Address

12

Special IP Address Directed Broadcast Address

Network ID + all 1’s with Host ID Limited Broadcast Address

Thirty-two 1s Multicast Address

IGMP, Internet Group Management Protocol Loop Back Address

127.0.0.1 For inter-process communication on the local

machine

13

Internet Addressing 缺點

IP 位址常常必須改變 IP Spoofing 位址不夠用

14

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Time to live

Data......

Options + padding

Destination address

Source address

Protocol Header checksum

Identification Flags Fragment Offset

Version IHL Type of Service Total Length

IP Datagram

15

IP Fragmentation

Maximum Transmission Unit(MTU) Related fields in IP Header

Identification Flags: w/o more Fragment, DF bit Fragment Offset

Related Attack Ping of Death Tiny Fragments Fragments overlapped

16

MTU

Network MTU (bytes)

Hyperchannel

X.25

IEEE 802.3/802.2

Point-to-Point

16 Mbits/sec token ring (IBM)

4 Mbits/sec token ring (IEEE 802.5)

Ethernet

FDDI

65536

17914

4464

4352

1500

1492

576

296

Typical Maximum Transmission Units (MTUs)

17

Why Frag. is BAD

• 封包分割重組造成效率降低與資源虛耗• 封包被分割後不含 TCP/UDP Header 資訊，

造成防火牆過濾上的困難• 可能規避安全機制 ( 掃毒、入侵偵測 ) 檢

查• information hiding

• 可能造成系統當機或其他異常反應• overlapping data/header

18

Overlapping Fragments

IPHeader

TCPHeader

DATA

IPHeader

DATA

IPHeader

TCPHeader

DATA

IPHeader

DATA

IPHeader

TCPHeader

DATA

IPHeader

Fake TCPHeader

DATA

19

Time to Live (TTL)

– 封包可以經過路由器的最大限制 (hop count)

– 每當封包經過一台路由器 (router/gateway) 時，路由器會將 TTL 的值減 1

– 若 TTL 的值到達零，負責處理的路由器會將封包丟棄不再繼續傳遞，並傳回 ICMP Time Exceeded 錯誤訊息回發送端

20

Protocol Field

Determines destination upper-layer protocol

TransportLayer

InternetLayer

TCP UDP

ProtocolNumbers

IP

50

6 1751

AH

ESP

21

IP Options

– 通常是 empty ，很少使用– Firewall 可能會碰到的 IP option 為 IP s

ource route» IP source route 除 mobile IP 的應用外，無太大用途，反可能被攻擊者利用

– 有些 packet filtering systems 的政策是一見到 IP option set ，就拒絕此 packet ，不管它代表什麼意義

22

IP Routing

Mapping Internet Address to Physical Address (ARP)

Table Driven IP Routing Static and Dynamic Routing

23

Routing Scenario

Source MAC=A

Source MAC=A

Host A

Host B

Router

Dst. MAC=Router

Dst. MAC=Router

Source IP=A

Source IP=A

Dst. IP=B

Dst. IP=B Data….Data….

Source MAC=Router

Source MAC=Router

Dst. MAC=B

Dst. MAC=B

Source IP=A

Source IP=A

Dst. IP=B

Dst. IP=B Data….Data….

24

Address Resolution Protocol

非 IP Protocol ARP Cache ARP Proxy arp -a, arp -p

25

封包擷取 – 封包擷取 – Sniffing (1)Sniffing (1)

本機 IP : A目的 IP : B

ARP Request ( Broadcast)

ARP Reply

B 的 MAC位址是多少

?A

B

Ex. C:\> arp -a

我的 MAC位址是… ..

26

封包擷取 – 封包擷取 – Sniffing (2)Sniffing (2)

SnifferSniffer 是如何工作的 是如何工作的 ??

1.1. 乙太網路內任兩台電腦溝通的封包是可以被該區域網路內乙太網路內任兩台電腦溝通的封包是可以被該區域網路內 其他電腦所探知的其他電腦所探知的 ..

2.2. 由於乙太網路卡會將不屬於它的封包訊息給忽略掉由於乙太網路卡會將不屬於它的封包訊息給忽略掉 ,, 也就也就是是

它會忽略掉與它 它會忽略掉與它 MAC(Media Access Control) MAC(Media Access Control) 位址位址不同的不同的

封包封包 . . ( ( 廣播封包除外 – 廣播封包除外 – FF :FF :FF :FF :FF :FF )FF :FF :FF :FF :FF :FF )

3.3. Sniffer Sniffer 的程式會將乙太網路卡設定成隨機處理模式 的程式會將乙太網路卡設定成隨機處理模式 ””Promiscuous Mode”Promiscuous Mode”, , 也就是不做任何封包的過濾也就是不做任何封包的過濾 ,, 但前提但前提 是要在同一個區域網路中是要在同一個區域網路中 ..

27

A System’s Routing Tables Containing loop back interfaceInterface for itself networkhost-specific are addednetwork-specific are added default gateway are added

Commands to check routing tablesnetstat -rn

IP Routing Tables

28

(1) Search for host-specific host address

(2) Search for network-specific network

(3) Search for itself interface network for broadcast

(4) Search for a default entry

IP Routing Principals

29

Static routingCommand addedThere is single connection point to other network

Dynamic routing Used by routers to communication each other,informing each other of what networks each router currently connected to.

Static and Dynamic Routing

30

Windows 9x / NT / 2000 (Under Dos Mode ) route add [ Host/Network IP] mask [Network Mask] [Gateway IP]

* Example : route add 203.75.1.0 mask 255.255.255.128 192.72.155.254

Unix route add [Host/Network IP] [Gateway IP] [Metric]

* Example : - Add an Default Routing Entry : route add default 192.72.155.254 1 - Add an Static Routing Entry : route add 172.16.1.1 192.168.100.254 1

Add a Static Routing Into a Routing Table

31

192.168.1.1255.255.255.0

10.1.201.1255.255.255.0

Host A Host B

How to let the two host reach each other?

case study – static route

•route add 10.1.201.1 mask 255.255.255.255 192.168.1.1

•route add 192.168.1.1 mask 255.255.255.255 10.1.201.1

Host A

Host B

Add static routes

32

ICMP (1)

Internet Control Message Protocol ICMP only reports error conditions to the

original source; it does not correct it. ICMP Message Format Testing Destination Reachability and Status

Echo Request and Reply

33

ICMP (2)

Reports of Unreachable Destinations並非所有錯誤均可偵測到， e.g. 機器當掉、網路卡壞掉

Congestion and Datagram Flow ControlSource Quench Message

Route Change Request From GatewaysRedirect Message

Detecting Circular or Excessively Long RoutesTime Exceeded for a Datagram message

34

ICMP Message Format

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Type

Data…..

Code Checksum

IP Header

ICMP:

IP:

ICMP Message

35

ICMP Type

0: Echo Reply 3: Destination

Unreachable 4: Source Quench 5: Redirect(Change a

route) 8: Echo Request 11: Time Exceeded for a

Datagram

12: Parameter Problem on a Datagram 13: Timestamp Request14: Timestamp Reply15: Information Request (Obsolete)16: Information Reply ( Obsolete)17: Address Mask Request18: Address Mask Reply

36

ICMP Code of Unreachable Destination

0: Network Unreachable 1: Host Unreachable 2: Protocol Unreachable 3: Port Unreachable 4: Fragmentation Needed

and DF Set 5: Source Route Failed 6: Destination Network

Unknown 7: Destination Host

Unknown

8: Source Host Isolated9: Communication with Destination Network Administratively Prohibited 10: Communication with Destination network Administratively Prohibited 11: Network Unreachable for Type of Service12: Host Unreachable for Type of Service

37

IP 通信協定的特性 Connectionless Delivery System Unreliable Delivery Protocol

Lost, Duplicated, Delayed, Out of Order 依賴其它層的協定來提供 Reliable Se

rvice

38

Plenty of addresses (one would never run out of address)

support of billions of hosts Efficient yet flexible routing

reduce the size of the routing tablessimplify the protocol for high performance routing process

Provide better securitySupport of real-time dataAllow multicasting with specified scopeAllow a host to roam without changing its addressAllow protocol to evolve in the futureAllow the coexistence of the old and new protocols

IPv6 特色

39

IPv4 Header20 Octets+Options : 13 fields, include 3 flag bits

0 bits 31

Ver IHL Total Length

Identifier Flags Fragment Offset

32 bit Source Address

32 bit Destination Address

4 8 2416

Service Type

Options and Padding

Time to Live Header ChecksumProtocol

RemovedChanged

40

IPv6 Header40 Octets, 8 fields

0 31

Version Class Flow Label

Payload Length Next Header Hop Limit

128 bit Source Address

128 bit Destination Address

4 12 2416

41

IPv6 Header

Next = TCP

TCP Header

IPv6 Header

Next = Routing

TCP HeaderRouting HdrNext = TCP

IPv6 Header

Next = Security

TCP HeaderSecurity HdrNext = Frag

Application Data

Application Data

Fragment HdrNext = TCP

DataFrag

• IP options have been moved to a set of optional Extension Headers

• Extension Headers are chained together

IPv6 Extension Headers

42

Transmission Control Protocol

TCP Segment Format Reliable Delivery Service Positive Acknowledgement with

Retransmission Sliding Windows Establish a TCP Connection

43

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

DATA

Options & padding

Checksum

Sequence Number

Source Port Destination Port

Urgent Pointer

DataOffset

ReservedURG

ACK

PSH

RST

SYN

FIN

Acknowledgment Number

Windows

TCP Segment Format

44

Port Numbers

TCP

Port Numbers

FTP

TransportLayer

TELNET

DNS

SNMP

TFTP

SMTP

UDP

ApplicationLayer

2121 2323 2525 5353 6969 161161

RIP

520520

HTTP

8080

45

TCP Port Numbers

SourcePort

SourcePort

Dest.Port

Dest.Port ……

Host A

10281028 2323 ……

SP DP

Host ZTelnet Z

Dest. port = 23.Send packet to my

Telnet application.

46

Reliable Delivery Service of TCP (1) Stream Orientation

Instead of Lost, Duplicated, and Out of Order Virtual Circuit Connection

Clients Connect and Servers Listen/Accept Ports and Connections

Buffered Transfer TCP will buffer data to make transfer more

efficient Provides a push mechanism that applications use to

force a transfer

47

Reliable Delivery Service of TCP (2) Unstructured Stream

TCP does not show packet boundaries to applications

Full Duplex ConnectionThink of it as two independent streams

joined with piggybacking mechanism

48

Acknowledgement and Retransmission

???

49

Sliding Windows (1)

Packets: 1 2 3 | 4 5 6 7 8 | 9 10 11 12 13 => done windows Not Sent

1-3 sent and ACKED4-8 in window and sent but not ACKEDif ACK arrives, sender slides window up

Recv controls sliding window and views that as available buffering, can stop sending by telling its window size is 0 in ACK

50

Sliding Windows (2)

To make stream transmission more efficient than a simple positive acknowledgement protocol

Variable windows size and flow control Congestion Control

Allowed-window = min (receiver-advertisement, congestion_window)

Multiplicative decrease congestion avoidance

Slow-start (additive) Recovery

51

TCP Three Way Handshake-1

52

TCP Three Way Handshake-2

53

TCP Three Way Handshake-3

54

TCP Session Termination-1

FIN (seq=m)

Host A Host B

1

55

TCP Session Termination-2

FIN (seq=m)

Host A Host B

1

ACK m+1 2

56

TCP Session Termination-3

FIN (seq=m)

Host A Host B

1

ACK m+1

FIN (seq=n) 3

2

57

TCP Session Termination-4

FIN (seq=m)

Host A Host B

1

ACK m+1

FIN (seq=n) 3

2

ACK n+14

58

User Datagram Protocol (UDP)

UDP Message Format IP with Ports Unreliable Connectionless Delivery Works fine just on a local network

59

UDP Message Format

0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

SourcePort

DestinationPort

Length Checksum

Data...

60

Internet Applications

Telnet: Remote Terminal Access FTP: File Transfer Protocol SMTP: Simple Mail Transfer Protocol POP3: Post Office Protocol 3 HTTP: Hyper Text Transfer Protocol NNTP: Network News Transfer Protocol DNS: Domain Name Service