Survey of Information Assurance Review of TCP/IP

Page 1: Survey of Information Assurance Review of TCP/IP

Survey of Information Assurance

Review of TCP/IP

Page 2: Survey of Information Assurance Review of TCP/IP

Agenda

• Brief review of the TCP/IP protocol stack and the TCP/IP hierarchical model

• Detailed discussion of Transmission Control Protocol

• Detailed discussion of Internet Protocol

• Discussion on limitations of TCP/IP and possible solutions.

Page 3: Survey of Information Assurance Review of TCP/IP

Scope of Discussions

The following are not covered in today's presentation:

• Implementation details/flaws of the TCP/IP protocol stack for generic or specific systems

• Detailed discussion of EACH of the protocols treated as part of the TCP/IP Protocol Suite

• Detailed discussion of earlier versions

• Detailed discussion of IPv6

Page 4: Survey of Information Assurance Review of TCP/IP

Introduction to TCP/IP

• History

• Origin of the term "IPv4"

• Standards: RFC 793 – TCP and RFC 791 – IP

• Extensions: IPv6

• Deployment: Worldwide!!!

• Functionality supported: connection-oriented data delivery, fragmentation support, addressing and routing, congestion control, etc.

Page 7: Survey of Information Assurance Review of TCP/IP

TCP

• Standards: RFC 793 – TCP

• Later versions: NONE!!!

• Alternative technologies: UDP

• History: Advanced Research Projects Agency (ARPA) research.

• Provides the following services: network technology independence, universal interconnection, reliable stream transport service, congestion control, end-to-end acknowledgement

Page 8: Survey of Information Assurance Review of TCP/IP

TCP Header

REF: http://www.visi.com/~mjb/Drawings/TCP_Header.pdf

Page 9: Survey of Information Assurance Review of TCP/IP

TCP Header Description

• Source port (16-bit) and Destination port (16-bit)

• Sequence number (32-bit)

• Acknowledgement number (32-bit)

• Header length (4-bit)

• Reserved (6-bit)

• Control bits (8 bits):

Urgent pointer (URG): if this bit is set, the receiving TCP should interpret the urgent pointer field.

Acknowledgement (ACK): if this bit is set, the acknowledgement number field is valid.

Push function (PSH): if this bit is set, the receiver should deliver this segment to the receiving application as soon as possible.

Page 10: Survey of Information Assurance Review of TCP/IP

TCP Header Description (2)

Reset the connection (RST): if this bit is set, it tells the receiver that the sender is aborting the connection; all queued data and allocated buffers can be relinquished and the connection released.

Synchronize (SYN): this bit signifies that the sender wants to synchronize sequence numbers; it is used to establish a connection between the sender and receiver.

• Window (16-bit): receiver-side capacity to accept data

• Checksum (16-bit)

• Urgent pointer (16-bit)

• Options: variable length, but cannot be larger than 40 bytes, because the header length field is only 4 bits. They are often used for various flow control and congestion control features.

• Padding: the options may vary in size, so it may be necessary to pad the TCP header to align it to a 32-bit word boundary.

• Data: application data
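The header layout from Pages 9 and 10 decoded from raw bytes, as an added example that is not part of the original slides; the SYN segment is a constructed sample (port 40000 to port 80, one MSS option), and the flag-name list assumes the 8 control bits in the order CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.

```python
import struct

# Low byte of the 16-bit "offset/reserved/control" word, most significant bit first.
# FIN is not listed on the slides but occupies the last control bit.
TCP_FLAGS = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header, the option bytes and the data that follows."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (sport, dport, seq, ack, off_flags, window,
     checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # Header Length is in 32-bit words
    if header_len < 20 or header_len > 60 or header_len > len(segment):
        raise ValueError("header length %d inconsistent with segment" % header_len)
    flag_bits = off_flags & 0xFF
    flags = [name for i, name in enumerate(TCP_FLAGS) if flag_bits & (0x80 >> i)]
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": flags,
        "window": window, "checksum": checksum,
        "urgent_pointer": urg_ptr if "URG" in flags else None,   # only meaningful with URG
        "options": segment[20:header_len],       # at most 40 bytes, 32-bit aligned
        "data": segment[header_len:],
    }

def parse_tcp_options(options: bytes) -> list:
    """Walk the option list: kind 0 = end of list, kind 1 = NOP, otherwise kind, length, value."""
    out, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option at offset %d" % i)   # length would overrun
        length = options[i + 1]
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out

# Constructed sample: SYN from port 40000 to port 80, seq 0x11223344, window 65535,
# 24-byte header carrying an MSS (kind 2) option of 1460; checksum left at zero.
SYN_SEGMENT = bytes.fromhex("9c40 0050 1122 3344 0000 0000 6002 ffff 0000 0000 0204 05b4")
```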

Page 11: Survey of Information Assurance Review of TCP/IP

TCP – Reliable Stream Transport

• Connection establishment and termination

• Three-way handshake

REF: http://condor.depaul.edu/~jkristof/technotes/tcp.html

Page 12: Survey of Information Assurance Review of TCP/IP

TCP – Flow Control

REF: http://condor.depaul.edu/~jkristof/technotes/tcp.html

Page 13: Survey of Information Assurance Review of TCP/IP

IP Overview

• Standards: RFC 791 – IP (viz. IPv4)

• Later versions: IPv6

• Alternative technologies: IPX

• Functionality supported: addressing and routing, fragmentation support, Type of Service, loose/strict source and record route

Page 14: Survey of Information Assurance Review of TCP/IP

IP Header

REF: http://www.visi.com/~mjb/Drawings/IP_Header.pdf

Page 15: Survey of Information Assurance Review of TCP/IP

IP Header Description

• Version (4 bits) describes the header format. Version may be 4 for IPv4 or 6 for IPv6.

• IHL (Internet header length – 4 bits) is the length of the IP header in 32-bit words. Thus, the actual length is 32*IHL bits or 4*IHL bytes.

• TOS (Type of Service – 8 bits) allows setting desired service-quality parameters.

• Total Length (16 bits) is the length of the entire datagram.

• Identification (16 bits), Flags (3 bits) and Fragment Offset (13 bits) are used for fragmentation and reassembly of datagram(s).

• TTL (Time to Live – 8 bits) is the maximum time a datagram is allowed to remain in the internetwork. Each device decrements this value when the datagram is processed and drops it if the value reaches zero.

Page 16: Survey of Information Assurance Review of TCP/IP

IP Header Description (2)

• Protocol (8 bits) indicates the type of higher-layer protocol that follows the IP header.

• Header Checksum (16 bits) is a checksum on the header only.

• SA (Source address – 32 bits) and DA (Destination address – 32 bits) are the source and destination IP addresses.

• Options (variable length) may or may not be used.
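The fields from Pages 15 and 16 decoded from a raw header, including the header-only checksum check, as an added example that is not part of the original slides; the 20-byte header is a constructed sample (DF set, TTL 64, protocol 17, 192.168.0.1 to 192.168.0.199).

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header and report whether its checksum still matches its contents."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hcs, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                        # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 header (version %d)" % version)
    if header_len < 20 or header_len > len(packet) or total_len < header_len:
        raise ValueError("inconsistent IHL / Total Length")
    flags = flags_frag >> 13
    return {
        "header_len": header_len,
        "precedence": tos >> 5,                 # TOS bits 0-2
        "total_length": total_len,              # may exceed len(packet) when only the header is given
        "identification": ident,
        "DF": bool(flags & 0b010), "MF": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is stored in 8-byte units
        "ttl": ttl, "protocol": proto,
        "header_checksum": hcs,
        # summing the header with its checksum field included gives 0 only if nothing changed
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:header_len],
    }

# Constructed sample header: IHL 5, Total Length 115, DF, TTL 64, UDP (17), checksum 0xb861.
SAMPLE_HEADER = bytes.fromhex("4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7")
```

A hop that decrements TTL must recompute the checksum; a header where only the TTL byte changed fails the check, which is the same property that lets a receiver discard a corrupted header.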

Page 17: Survey of Information Assurance Review of TCP/IP

IP Addressing

• IP address is a 32-bit field (~4.29 billion addresses)

• The IP address consists of a Network Part and a Host Part

• Need for a larger addressing space – division of the address space into private and public addresses.

• The IANA (Internet Assigned Numbers Authority) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Page 18: Survey of Information Assurance Review of TCP/IP

IP Addressing (2)

• IP addressing is classful by design:

• These classful networks may be further divided by using subnetting

• A set of contiguous networks may also be “supernetted”

Class    First Octet   Range                       Network Bits     Comments
Class A  0xxx xxxx     1.x.x.x – 126.x.x.x [1]     Bits 2nd – 8th   126 networks, 16.7 M hosts
Class B  10xx xxxx     128.x.x.x – 191.x.x.x       Bits 3rd – 16th  16.3 k networks, 65.5 k hosts
Class C  110x xxxx     192.x.x.x – 223.x.x.x       Bits 4th – 24th  2.09 M networks, 254 hosts
Class D  1110 xxxx     224.x.x.x – 247.x.x.x       Bits 5th – 32nd  Multicast
Class E  1111 xxxx     248.x.x.x – 255.x.x.x       Bits 5th – 32nd  Research use

[1] The 0.0.0.0 network is default route and 127.0.0.0 is universal loopback address.

REF : http://www.faqs.org/docs/linux_network/x-087-2-issues.ip-addresses.html

Page 19: Survey of Information Assurance Review of TCP/IP

IP Addressing (3) - Subnetting

• Consider a Class A network: 5.0.0.0; hosts: 16,777,214

• Consider borrowing 16 bits from the host address to form "subnets": 5.x.x.0 -> 65,536 sub-networks; hosts: 254 for each subnet -> 16,646,144 in total

Page 20: Survey of Information Assurance Review of TCP/IP

IP Addressing (4) - Supernetting

• Consider a set of Class C networks: 222.0.0.0 – 222.0.255.0; networks: 256, i.e. 256 routes to distinct networks.

• Consider borrowing 16 bits from the network address to form a "supernet": 222.0.x.0/16 is 1 supernet, i.e. 1 route to the gateway for the given network.

• Networks need to be contiguous to form supernet.
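The classful table, private blocks, subnetting arithmetic and supernetting from Pages 17 to 20 worked out in code, as an added example that is not part of the original slides. Class identification uses the first-octet bit patterns of the table's First Octet column; the subnet and supernet inputs are the slides' own 5.0.0.0 and 222.0.x.0 cases.

```python
import ipaddress

# The three IANA blocks reserved for private internets (Page 17).
PRIVATE_BLOCKS = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def address_class(addr: str) -> str:
    """Classify by the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first >> 7 == 0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Network part of a class A/B/C address (D and E have no network/host split)."""
    prefix = {"A": 8, "B": 16, "C": 24}[address_class(addr)]
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

def subnet_plan(network: str, borrowed_bits: int) -> dict:
    """Borrow host bits for subnet numbers; every subnet gives up 2 addresses (network, broadcast)."""
    net = ipaddress.ip_network(network)
    new_prefix = net.prefixlen + borrowed_bits
    if new_prefix > 30:
        raise ValueError("fewer than 2 usable hosts per subnet")
    subnets = 2 ** borrowed_bits
    hosts_per = 2 ** (32 - new_prefix) - 2
    return {"subnet_mask": str(ipaddress.ip_network("0.0.0.0/%d" % new_prefix).netmask),
            "subnets": subnets, "hosts_per_subnet": hosts_per,
            "usable_hosts": subnets * hosts_per,
            "hosts_lost": (net.num_addresses - 2) - subnets * hosts_per}

def supernet(networks) -> list:
    """Aggregate routes; only contiguous, aligned networks collapse into a single prefix."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))
```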

Page 21: Survey of Information Assurance Review of TCP/IP

IP Fragmentation

• IP may fragment a PDU based on the maximum transmission unit (MTU) of the link or Path MTU (PMTU).

• Higher layers may request DF (Don’t fragment) bit = 1; i.e. the PDU must not be fragmented.

• If DF = 1 and PDU size exceeds link MTU, the router will drop the PDU and send ICMP error to sender.

• PMTU-D: Path MTU Discovery

Page 22: Survey of Information Assurance Review of TCP/IP

IP Fragmentation (2)

• If DF = 0, the PDU may be fragmented if needed.

• For each fragment of a PDU, the Identification value is identical and allows reassembly of out-of-order fragments at the receiver.

• The MF (More Fragments) bit is set for all but the last fragment of a PDU.

• The Fragment Offset value defines the location of a given piece of data in the original PDU; it is used for reassembly.
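The fragmentation rules of Pages 21 and 22 (DF handling, shared Identification, MF on all but the last piece, Fragment Offset in 8-byte units) as a fragment/reassemble pair; this is an added example, not code from the original slides, and it models a fragment as a tuple rather than a full header. The 3072-byte payload and the 1500-byte MTU are constructed inputs.

```python
FRAG_UNIT = 8           # Fragment Offset is stored in units of 8 bytes
IP_HEADER_LEN = 20      # fixed header, no options, assumed for every fragment

class FragmentationNeeded(Exception):
    """Stands in for the ICMP error a router returns when DF = 1 and the PDU exceeds the link MTU."""

def fragment(ident: int, payload: bytes, mtu: int, df: bool = False) -> list:
    """Split payload into (identification, MF, offset_field, data) pieces that fit the MTU."""
    if mtu < IP_HEADER_LEN + FRAG_UNIT:
        raise ValueError("MTU %d cannot carry a header plus one fragment unit" % mtu)
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [(ident, False, 0, payload)]            # fits: single, unfragmented PDU
    if df:
        raise FragmentationNeeded("DF set and %d bytes exceed MTU %d"
                                  % (IP_HEADER_LEN + len(payload), mtu))
    room = (mtu - IP_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT   # all but the last piece are multiples of 8
    pieces = []
    for start in range(0, len(payload), room):
        chunk = payload[start:start + room]
        more = start + len(chunk) < len(payload)        # MF = 1 on every piece except the last
        pieces.append((ident, more, start // FRAG_UNIT, chunk))
    return pieces

def reassemble(fragments) -> bytes:
    """Rebuild one datagram from fragments that share an Identification, in any arrival order."""
    if len({f[0] for f in fragments}) != 1:
        raise ValueError("fragments do not belong to exactly one datagram")
    out, expected, last_seen = bytearray(), 0, False
    for _ident, more, offset_field, data in sorted(fragments, key=lambda f: f[2]):
        if last_seen:
            raise ValueError("data received beyond the MF = 0 fragment")
        if offset_field * FRAG_UNIT != expected:        # reject gaps and overlapping pieces
            raise ValueError("gap or overlap at byte offset %d" % (offset_field * FRAG_UNIT))
        out += data
        expected += len(data)
        last_seen = not more
    if not last_seen:
        raise ValueError("final fragment (MF = 0) not received")
    return bytes(out)

PAYLOAD = bytes(range(256)) * 12     # constructed 3072-byte transport PDU
```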

Page 23: Survey of Information Assurance Review of TCP/IP

IP Type of Service

• This is an 8-bit field:

Bits 0-2: Precedence

Bits 3-5: Delay, Throughput and Reliability (respectively) [Value: 0 Normal and 1 High]

Bits 6-7: Reserved

• Precedence:

111 – Network control

110 – Internetwork control

101 – CRITIC/ECP

100 – Flash override

011 – Flash

010 – Immediate

001 – Priority

000 – Routine

Page 24: Survey of Information Assurance Review of TCP/IP

TCP/IP – Issues Faced

1. Security

TCP/IP was not designed for security; TCP/IP-based communication relies on the IP address to identify a peer, and this IP address can very easily be spoofed or modified.

Typical attacks:

IP address spoofing

a) DNS spoofing – create a spoofed DNS response packet for a DNS query

b) ARP spoofing – also called ARP cache poisoning; allows a malicious host to cause all traffic to be redirected to itself

Ping of Death – uses an oversized ping packet (usually >65535 bytes) sent as fragments to cause buffer overflows

Page 25: Survey of Information Assurance Review of TCP/IP

TCP/IP – Issues Faced (2)

TCP DoS attack – excessive SYN requests to a server may use up all CPU cycles, preventing it from actively providing services like FTP, RADIUS authentication, DNS, DHCP etc., allowing for more complicated impersonation or simple denial of service.

TCP sequence number prediction – to create a one-sided TCP connection (Berkeley implementation of SN generation):

a) Impersonate a live host and connect to the server

b) Impersonate a down host by using the netstat service

Routing-based attacks –

a) Poison RIP routing information, as it is received unchecked by routers

b) ICMP Redirect for an open connection

c) ICMP "Destination Unreachable" and "TTL exceeded"

Page 26: Survey of Information Assurance Review of TCP/IP

TCP/IP – Issues Faced (3)

2. Limited Address Space

IPv4 supports slightly over 4.29 billion addresses. This is a highly insufficient address space.

3. Connection Delay

There is an inherent delay involved in session establishment, and overhead involved with processing the information contained in the TCP header.

Page 27: Survey of Information Assurance Review of TCP/IP

Possible Solutions

• Security:

Narrow-spectrum technologies – Firewalls, DHCP Snooping

Broad-spectrum technologies – Encryption

• Address space limitation:

NAT – introduces other issues (still widely deployed)

IPv6 – has not yet had widespread acceptance

• Delay and overhead of connection: UDP

Page 28: Survey of Information Assurance Review of TCP/IP

References

• www.tcpipguide.com

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

• By Douglas Comer

• http://www.securityfocus.com/infocus/1674

• http://www.cs.columbia.edu/~smb/papers/ipext.pdf

• http://www.xs4all.nl/~rmeijer/spoofing.html