Concepts of networking - Florida State University (breno/CIS-5930/slides/class08.pdf)


Page 1: Concepts of networking - Florida State Universitybreno/CIS-5930/slides/class08.pdf · 2007-02-27 · TCP/UDP Layer 4 (transport layer) protocols, run over IP TCP and UDP packets are

Concepts of networking

IP, TCP/UDP protocols

Page 2:

IP protocol

• Defines a uniform mechanism to access resources between internets
• Enables networking across networks that are not connected at level 2 (data-link).
• Defines IP addresses and how to route network packets to a destination address.
• IP v.4, addresses: 4 octets, organized hierarchically
  • Single host: 128.220.23.4 or 192.168.33.1
  • Class C network: 128.220.23.x, also written 128.220.23.0/24
  • Class B network: 192.168.x.x, also written 192.168.0.0/16
  • Class A network: 10.x.x.x, or 10.0.0.0/8

Page 3:

IP v.6

• 16 octet addresses, also hierarchical
• Represented by eight 4-digit hexadecimal values (one string of 0's can be omitted)
  • Single host: 1080:0:0:0:0:800:0:417A or 1080::800:0:417A
• Internet routing is performed only on the 64 left bits (the remaining bits are for internal routing to hosts)
• Blocks of addresses denoted using the / notation.
  • 12AB::CD30:0:0:0:0/60 indicates a 68-bit wide space, from 12AB:0:0:CD30:0:0:0:0 to 12AB:0:0:CD3F:FFFF:FFFF:FFFF:FFFF (all addresses starting with prefix 12AB:0:0:CD3)
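The address expansion and prefix arithmetic described on this slide, as an added Python example (not from the slides or the course): it expands the "::" shorthand by hand, computes the range covered by a /prefix, and cross-checks the parser against the standard library's ipaddress module. The only assumption is the uncompressed output form used on the slide (leading zeros dropped, no "::").

```python
import ipaddress

def expand_ipv6(text: str) -> list:
    """Expand the compressed form into eight 16-bit groups. A single '::' stands for
    the one run of zero groups that the notation allows to be omitted."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        hg = [int(g, 16) for g in head.split(":") if g]
        tg = [int(g, 16) for g in tail.split(":") if g]
        groups = hg + [0] * (8 - len(hg) - len(tg)) + tg
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"malformed IPv6 address: {text}")
    return groups

def groups_to_int(groups) -> int:
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value

def int_to_text(value: int) -> str:
    """Uncompressed hex form as written on the slide (leading zeros dropped, no '::')."""
    return ":".join(f"{(value >> (16 * (7 - i))) & 0xFFFF:X}" for i in range(8))

def prefix_range(block: str) -> tuple:
    """For 'addr/len' return (first, last, host_bits): the covered address range and
    the width of the space left for hosts (128 - len)."""
    addr, plen = block.split("/")
    plen = int(plen)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    host_bits = 128 - plen
    first = (groups_to_int(expand_ipv6(addr)) >> host_bits) << host_bits  # clear host bits
    last = first | ((1 << host_bits) - 1)                                   # set host bits
    return int_to_text(first), int_to_text(last), host_bits

def agrees_with_stdlib(text: str) -> bool:
    """Cross-check the hand-written parser against the standard library."""
    return groups_to_int(expand_ipv6(text)) == int(ipaddress.ip_address(text))
```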

Page 4:

IP packet

Page 5:

TCP/UDP

• Layer 4 (transport layer) protocols, run over IP
• TCP and UDP packets are encapsulated into IP packets
• Use their own control information, stored in packet headers
  • Port numbers (indicate consuming program in the destination host)
• TCP is connection-oriented, and provides for reliable, order-preserving transmission of data
• UDP is not connection-oriented, does not guarantee data arrival, or proper ordering of arriving data

Page 6:

TCP header

flags:
• URG (urgent)
• ACK (acknowledgment)
• PSH (push function)
• RST (close the connection)
• SYN (synchronize sequence numbers)
• FIN (end of data from sender)

Page 7:

TCP state diagram

TCP new connection:
• 3-way handshake, by TCP packets with SYN, SYN & ACK, and ACK flags set.

TCP close connection:
• Via RST, without ACK
• Via FIN, ACK, FIN, ACK (4 way teardown)

Page 8:

UDP

Page 9:

IP packet filtering

Basic firewall functionality

Page 10:

Packet filtering

• Packet filtering is a network security mechanism that works by controlling what data can flow to and from a network.
• Packet filtering occurs at routers
  • A router inspects each packet entering and/or leaving the network to make routing decisions.
  • A filtering router also makes policy decisions.

Page 11:

Dropping spoofed/malformed packets

From: Building Internet Firewalls (recommended text)

Page 12:

Basic IP-filtering policies

• Source and destination addresses
• Session and application ports
  • enforce visibility/connectivity policies of internal network to the Internet
  • prevent certain protocols from being executed between specific hosts in different networks
• Maintains no state information about connections

Page 13:

Examples

• Allow outgoing TCP port 80 requests
• Allow incoming SMTP to mail server only
• Disallow outgoing packets with external source addresses
• Disallow incoming packets with internal source addresses
• Disallow incoming packets for TCP/UDP port 79 (finger)
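The example rules on this slide written as a stateless, default-deny filter, as an added Python example (not from the slides or the course). It assumes 192.168.0.0/16 as the internal network, 192.168.1.25 as the mail server and 203.0.113.0/24 as constructed Internet addresses, and follows the deck's "default deny" slide by dropping anything no rule permits and logging every drop plus the accepted SMTP traffic.

```python
from dataclasses import dataclass
import ipaddress
INTERNAL = ipaddress.ip_network("192.168.0.0/16")    # assumed internal network
MAIL_SERVER = ipaddress.ip_address("192.168.1.25")   # assumed SMTP host inside it

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = from the Internet, "out" = towards the Internet
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int       # destination port: the consuming program on the destination host

def filter_packet(p: Packet) -> tuple:
    """Return (verdict, reason). Rules are tested top to bottom; a packet that
    matches no permit rule is dropped (default deny)."""
    src_internal = ipaddress.ip_address(p.src) in INTERNAL
    # Anti-spoofing: outgoing traffic must carry an internal source address,
    # incoming traffic must not (the two 'disallow ... source addresses' rules).
    if p.direction == "out" and not src_internal:
        return "drop", "outgoing packet with external source address"
    if p.direction == "in" and src_internal:
        return "drop", "incoming packet with internal source address"
    if p.direction == "in" and p.dport == 79:
        return "drop", "finger (TCP/UDP port 79) not allowed in"
    if p.direction == "out" and p.proto == "tcp" and p.dport == 80:
        return "accept", "outgoing HTTP request"
    if (p.direction == "in" and p.proto == "tcp" and p.dport == 25
            and ipaddress.ip_address(p.dst) == MAIL_SERVER):
        return "accept", "incoming SMTP to the mail server"
    return "drop", "default deny"

def apply_policy(packets):
    """Filter a batch; log every drop plus accepted SMTP (the deck's logging advice)."""
    verdicts = []
    for p in packets:
        verdict, reason = filter_packet(p)
        if verdict == "drop" or p.dport == 25:
            print(f"{verdict:6} {p.direction:3} {p.proto} {p.src} -> {p.dst}:{p.dport} ({reason})")
        verdicts.append(verdict)
    return verdicts

SAMPLE = [  # constructed traffic; 203.0.113.0/24 stands in for the Internet
    Packet("out", "tcp", "192.168.1.10", "203.0.113.5", 80),   # accept
    Packet("in", "tcp", "203.0.113.5", "192.168.1.25", 25),    # accept
    Packet("in", "tcp", "192.168.1.7", "192.168.1.25", 25),    # drop: spoofed source
    Packet("in", "udp", "203.0.113.5", "192.168.1.10", 79),    # drop: finger
    Packet("out", "tcp", "192.168.1.10", "203.0.113.5", 443),  # drop: default deny
]
```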

Page 14:

Stateful packet filtering

• Allows for more complex policies based on current state of connections between two machines.
  • Let incoming UDP packets through only if they are responses to outgoing UDP packets you have seen.
  • Accept TCP packets with SYN set only as part of TCP connection initiation.
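The two stateful rules on this slide, together with the 3-way handshake from the TCP state diagram slide, as an added Python example (not from the slides or the course): it remembers outgoing UDP flows and connections opened by an outbound bare SYN, and drops incoming packets that match neither. The direction labels, the flag bit values and the 4-tuple state keys are assumptions of the example; state expiry (the "for how long?" question of the following slide) is deliberately left out.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10   # TCP flag bits, positions as in the TCP header flags field

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = internal host -> Internet, "in" = Internet -> internal host
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0   # TCP flags; unused for UDP

def flow_key(p: Packet) -> tuple:
    """Normalise to (internal addr, internal port, remote addr, remote port) so that a
    reply coming in matches the outgoing packet that caused it."""
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

class StatefulFilter:
    def __init__(self):
        self.udp_flows = set()   # outgoing UDP seen so far; replies to these are allowed back
        self.tcp_conns = set()   # connections initiated from inside with a bare SYN

    def check(self, p: Packet) -> str:
        key = flow_key(p)
        if p.proto == "udp":
            if p.direction == "out":
                self.udp_flows.add(key)
                return "accept"
            # Incoming UDP only if it reverses an outgoing packet already seen.
            return "accept" if key in self.udp_flows else "drop"
        if p.proto == "tcp":
            syn_only = bool(p.flags & SYN) and not (p.flags & ACK)
            if syn_only:
                # A bare SYN is connection initiation: permitted outbound only.
                if p.direction == "out":
                    self.tcp_conns.add(key)
                    return "accept"
                return "drop"
            # SYN+ACK, ACK, data, FIN and RST must belong to a known connection.
            return "accept" if key in self.tcp_conns else "drop"
        return "drop"   # default deny for anything else
```

A FIN/ACK/FIN/ACK teardown or an RST would, in a fuller version, remove the entry from tcp_conns; here entries simply persist.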

Page 15:

Stateful/dynamic filtering

• Routers must keep state information
  • For how long?
  • If multiple routers are used, they need to synchronize the state information very fast, or else there will be incorrect decisions.
• Protocol-based filtering:
  • ensure that packets contain properly formed protocol data
  • prevent protocols being run on other ports

Page 16:

Default deny

• Disallow all by default; add rules to permit traffic explicitly
• Log dropped packets
• Log some allowed packets
• Some protocols, such as mail authentication, require that an ICMP error message be sent in response to a disallowed packet. In most cases it is better to drop the packet and say nothing to the sender.