survey of information assurance review of tcp/ip
TRANSCRIPT
Survey of Information Assurance
Review of TCP/IP
Agenda
• Brief review of TCP/IP Protocol stack and TCP/IP hierarchal model
• Detailed discussion of Transport Control Protocol
• Detailed discussion of Internet Protocol • Discussion on limitations of TCP/IP and
possible solutions.
Scope of Discussions
The following are not covered in today’s presentation:
Implementation details/flaws of TCP/IP protocol stack for generic or specific systems Detailed discussion on EACH of protocols treated as a part of TCP/IP Protocol Suite Detailed discussion on earlier versions Detailed discussion on IPv6
Introduction to TCP/IP
• History• Origin of the term “IPv4”• Standards: RFC 793 – TCP and RFC 791 – IP • Extensions: IPv6• Deployment: Worldwide!!!• Functionality Supported: Connection oriented data delivery Fragmentation Support Addressing and Routing Congestion Control etc.
TCP/IP Model vs. OSI Model
REF: http://www.trainsignaltraining.com/wpnew/wp-content/uploads/2007/10/TCP__OSI___Stelios/1_TCPIP_and_OSI_models.jpg
REF: http://www.trainsignaltraining.com/wpnew/wp-content/uploads/2007/10/TCP__OSI___Stelios/2_TCPIP_Protocol_Suite.jpg
TCP• Standards: RFC 793 – TCP • Later Versions: NONE!!! • Alternative technologies: UDP• History:
Advanced Research projects Agency (ARPA) Research.
• Provides following services: Network Technology Independence Universal interconnection Reliable Stream Transport Service Congestion Control End-to-end Acknowledgement
TCP Header
REF: http://www.visi.com/~mjb/Drawings/TCP_Header.pdf
TCP Header Description• Source port (16-bit) and Destination port (16 bit)• Sequence number (32-bit) • Acknowledgement number (32-bit) • Header Length (4 bit)• Reserved (6 bit) • Control bits (8 bits)
Urgent pointer (URG) if this bit field is set the receiving TCP should interpret the urgent pointer field.
Acknowledgement (ACK) this field is set to acknowledge the field entered is valid
Push function (PSH) if this bit field is set the receiver should deliver this segment to receiving application as soon as possible.
TCP Header Description (2) Reset the connection (RST) if this bit is present, it is the
receiver that sender is aborting the connection and all queued data and allocated buffers and connection can be freely relinquished.
Synchronize (SYN) this specifies that the bit field signifies that a sender to synchronize sequence numbers this is used to establish connection between the sender and receiver.
• Window (16-bit) Receiver side capacity to accept data • Checksum (16 bit)• Urgent Pointer (16 bit)• Options: Variable, but cannot be larger than 40 bytes. The header length
field is 4 bit. They are often used for various flow control and congestion• Padding: The optional header may vary in size it may be necessary to pad
the TCP header to align to 32-bit word boundary.• Data: Application data
TCP – Reliable Stream Transport
• Connection Establishment and Termination• Three way Handshake
REF: http://condor.depaul.edu/~jkristof/technotes/tcp.html
TCP-Flow control
REF: http://condor.depaul.edu/~jkristof/technotes/tcp.html
IP Overview
• Standards: RFC 791 – IP (viz. IPv4)• Later Versions: IPv6• Alternative technologies: IPX• Functionality Supported: Addressing and Routing Fragmentation Support Type of Service Loose/Strict Source and Record Route
IP Header
REF: http://www.visi.com/~mjb/Drawings/IP_Header.pdf
IP Header Description• Version (4 bits) describes header format. Version may be 4 for IPv4
or 6 for IPv6. • IHL (Internet header length – 4 bits) is the length of IP header in 32-
bit words. Thus, actual length is 32*IHL-value bits or 4*IHL-value bytes.
• TOS (Type of Service – 8 bits) allows setting desired service-quality parameters.
• Total Length (16 bits) is length of entire datagram.• Identification (16 bits), Flags (3 bits) and Fragment Offset (13bits)
are used for fragmentation and reassembly of datagram(s).• TTL (Time to Live 8 bits) is the maximum time a datagram is allowed
to remain in the internetwork. Each device decrements this value when the datagram is processed and drops it if the value is zero.
IP Header Description (2)• Protocol (8 bits) indicates the type of higher layer protocol
that follows after IP header. • Header Checksum (16 bits) is checksum on header only. • SA (Source address 32 bits) and DA (Destination address 32
bits) are source and destination IP addresses.• Options (variable length) may or may not be used.
IP Addressing• IP Address is 32 bit field. (~4.29 billion addresses)• The IP address consists of a Network Part and a Host
Part• Need for larger addressing space – Division of
address space into private and public addresses.• The IANA (Internet Assigned Numbers Authority) has
reserved the three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
IP Addressing (2)• The IP Addressing is classful by design:
• These classful networks may be further divided by using subnetting
• A set of contiguous networks may also be “supernetted”
Class First Octet Range Network Bits Comments
Class A 0xxx xxxx 1.x.x.x – 126.x.x.x [1] Bits 2nd – 8th 126classes, 16.7 m hosts
Class B 10xx xxxx 128.x.x.x – 191.x.x.x Bits 3rd – 16th 16.3k classes, 65.5 k hosts
Class C 110x xxxx 192.x.x.x – 223.x.x.x Bits 4th – 24th 2.09m classes, 254 hosts
Class D 1110 xxxx 224.x.x.x – 247.x.x.x Bits 5th – 32nd Multicast
Class E 1111 xxxx 248.x.x.x – 255.x.x.x Bits 5th – 32nd Research use
[1] The 0.0.0.0 network is default route and 127.0.0.0 is universal loopback address.
REF : http://www.faqs.org/docs/linux_network/x-087-2-issues.ip-addresses.html
IP Addressing (3) - Subnetting
• Consider a Class A network:5.0.0.0Hosts : 16,777,214
• Consider borrowing 16 bits from host address to form “subnets”5.x.x.0 –> 65536 sub-networksHosts : 254 for each subnet -> 16,646,144
IP Addressing (4) - Supernetting• Consider a set of Class C networks:
222.0.0.0 – 222.0.255.0Networks: 256 256 routes to distinct networks.
• Consider borrowing 16 bits from network address to form a “supernet”222.0.x.0/16 is 1 supernet 1 route to gateway for given network.
• Networks need to be contiguous to form supernet.
IP Fragmentation
• IP may fragment a PDU based on the maximum transmission unit (MTU) of the link or Path MTU (PMTU).
• Higher layers may request DF (Don’t fragment) bit = 1; i.e. the PDU must not be fragmented.
• If DF = 1 and PDU size exceeds link MTU, the router will drop the PDU and send ICMP error to sender.
• PMTU – D : Path MTU Discovery
IP Fragmentation (2)
• IF DF = 0, PDU may be fragmented if needed. • For each fragment of PDU, the Identification value is
identical and allows for reassembly for out-of-order fragments at receiver.
• The MF (More Fragments) bit is set for all but last fragment of a PDU.
• The Fragment Offset value defines the location of given piece of data in the original PDU, it is used for reassembly.
IP Type of Service
• This is an 8-bit field Bits 0-2: Precedence Bits 3-5: Delay Throughput and Reliability (respectively)[Value: 0 Normal and 1 High]
Bits 6-7: Reserved• Precedence:
111 – N/W control 110 – Internetwork control
101 – CRITIC/ECP 100 – Flash override
011 - Flash 010 - Immediate 001 - Priority 000 - Routine
TCP/IP – Issues Faced1. Security
TCP/IP was not designed for security, TCP/IP based communication relies on IP address to identify peer. This IP address and very easily be spoofed and modified.Typical Attacks:
IP address spoofing a) DNS spoofing – Create spoofed DNS response
packet for a DNS queryb) ARP spoofing – Also called ARP Cache poisoning,
allows a malicious host to cause all traffic to be redirected to self Ping of Death – Uses oversized ping packet (usually >65535
bytes) as fragments and cause buffer-overflows
TCP/IP – Issues Faced (2) TCP DoS Attack – excessive SYN requests to a server may
use up all CPU cycles preventing it from actively provide services like FTP, Radius Authentication, DNS, DHCP etc… allowing for more complicated impersonation or simple denial of service.
TCP Sequence Number prediction – to create one-sided TCP connection (Berkeley implementation of SN generation):
a) Impersonate an alive host and connect to serverb) Impersonate a down host by using netstat service
Routing Based Attacks – a) Poison RIP Routing information as it is received
unchecked by routersb) ICMP Redirect for an open connectionc) ICMP “Destination Unreachable” and “TTL
exceeded”
TCP/IP – Issues Faced (3)
2. Limited Address SpaceIPv4 supports slightly over 4.29 billion addresses. This is highly insufficient address space.
3. Connection DelayThere is an inherent delay involved in session establishment and overhead involved with processing information contained in TCP header.
Possible Solutions• Security:
Narrow spectrum technologies – Firewalls, DHCP Snooping
Broad Spectrum technologies – Encryption• Address Space limitation:
NAT – introduces other issues (still widely deployed)
IPv6 – has not yet had widespread acceptance
• Delay and overhead of connection: UDP
References
• www.tcpipguide.com• RFC 791 – Internet Protocol • RFC 793 – Transport Control Protocol• By Douglas Komer• http://www.securityfocus.com/infocus/1674• http://www.cs.columbia.edu/~smb/papers/ipext.pdf• http://www.xs4all.nl/~rmeijer/spoofing.html