chap2. ipv4-arp-icmp

Lesson 2 IPv4/ARP/ICMP Yuan Application Engineer / iConnectivity Group (ICG) 2014.11.5 1


Post on 07-Jul-2015

Page 1: Chap2. ipv4-arp-icmp

Lesson 2

IPv4/ARP/ICMP

Yuan

Application Engineer / iConnectivity Group (ICG)

2014.11.5

Page 2: Chap2. ipv4-arp-icmp

Outline

• IPv4

• ARP

• ICMP


Page 3: Chap2. ipv4-arp-icmp

IPv4


Page 4: Chap2. ipv4-arp-icmp

Outline

• IPv4

– Overview

– Classful Addressing

– Classless Addressing

– Special Addresses

– NAT

• ARP

• ICMP


Page 5: Chap2. ipv4-arp-icmp

Overview

• Internet Protocol version 4

– The fourth version in the development of the Internet Protocol (IP)

– IPv4 is described in IETF publication RFC 791 (September 1981), replacing an earlier definition (RFC 760, January 1980)

• Addressing

– 32-bit (4-byte)

– Address space of 2^32 addresses

Page 6: Chap2. ipv4-arp-icmp

Classful Addressing

• Divides the address space into 5 classes

Class    First byte (binary)  First byte (decimal)  Number of addresses     Share of address space
Class A  0.......             0-127                 2^31 = 2,147,483,648    50%
Class B  10......             128-191               2^30 = 1,073,741,824    25%
Class C  110.....             192-223               2^29 = 536,870,912      12.5%
Class D  1110....             224-239               2^28 = 268,435,456      6.25%
Class E  1111....             240-255               2^28 = 268,435,456      6.25%

Page 7: Chap2. ipv4-arp-icmp

Classful Addressing

• Two-level addressing

– netid, hostid, like Tel: (02)2792-7818

– Network address, network mask (default mask)

Class    Structure         Networks and hosts
Class A  netid, hostid     128 nets, 16,777,214 hosts per net
Class B  netid, hostid     16,384 nets, 65,534 hosts per net
Class C  netid, hostid     2,097,152 nets, 254 hosts per net
Class D  Multicast address
Class E  Reserved

Class    8 bits    8 bits    8 bits    8 bits    Network mask
Class A  11111111  00000000  00000000  00000000  255.0.0.0
Class B  11111111  11111111  00000000  00000000  255.255.0.0
Class C  11111111  11111111  11111111  00000000  255.255.255.0

Page 8: Chap2. ipv4-arp-icmp

Classful Addressing

• Three-level addressing

– Subnetting

• Network address, subnet address, host address, like Tel: (02)2792-7818

• Subnet Mask

Class B 10101000 01011111 00000000 00000000 (168.95.0.0)

Two-level:    network address | host address
Three-level:  network address | subnet address | host address

              8 bits    8 bits    8 bits    8 bits
Class B       10101000  01011111  11000000  00000001  168.95.192.1
Network mask  11111111  11111111  00000000  00000000  255.255.0.0
Subnet mask   11111111  11111111  11111000  00000000  255.255.248.0

Page 9: Chap2. ipv4-arp-icmp

Classful Addressing

• Three-level addressing

– Supernetting

• Supernet Mask

Class C 11101000 01011111 00111000 00000000 (232.95.56.0)

Subnetting:    11101000 01011111 00111000 00000000   network address | host address
Supernetting:  11101000 01011111 00111000 00000000   network address | host address

               8 bits    8 bits    8 bits    8 bits
Class B        11101000  01011111  00111010  00000001  235.95.58.1
Network mask   11111111  11111111  11111111  00000000  255.255.255.0
Supernet mask  11111111  11111111  11111000  00000000  255.255.248.0
Subnet mask    11111111  11111111  11111111  11100000  255.255.255.224

Page 10: Chap2. ipv4-arp-icmp

Classful Addressing

• Class D - IP multicast addressing

– the address denotes the recipient group

– no geographic or location boundaries

Class D Multicast Address Allocations by IANA

Description                                 IPv4 Address Range
Local-link address (reserved)               224.0.0.0/24
Globally scoped addresses (assigned)        224.0.1.0 to 238.255.255.255
Source-specific multicast                   232.0.0.0/8
GLOP addresses                              233.0.0.0/8
Administratively scoped addresses (local)   239.0.0.0/8

Page 11: Chap2. ipv4-arp-icmp

Classless Addressing

• In classful addressing, the network portion ends on one of the separating dots in the address

• Classless addressing uses a variable number of bits for the network and host portions of the address

Classful addressing   11101000 01011111 00111000 00000000

Classless addressing  11101000 01 011111 00111000 00000000

[Figure: address space divided into blocks of the same size versus blocks of different sizes]

Page 12: Chap2. ipv4-arp-icmp

Classless Addressing

• Prefix: internet, like netid

• Suffix: host, like hostid

• CIDR, classless interdomain routing, slash notation

byte . byte . byte . byte / n   (n = prefix length)

Slash notation   Block                         Network mask
230.8.24.56/16   230.8.0.0 to 230.8.255.255    255.255.0.0
230.8.24.56/20   230.8.16.0 to 230.8.31.255    255.255.240.0
230.8.24.56/26   230.8.24.0 to 230.8.24.63     255.255.255.192
230.8.24.56/27   230.8.24.32 to 230.8.24.63    255.255.255.224
230.8.24.56/29   230.8.24.56 to 230.8.24.63    255.255.255.248

Classful addressing

Level  Prefix length
A      /8
B      /16
C      /24
D      /4
E      /4

Page 13: Chap2. ipv4-arp-icmp

Special Addresses

• This network: host ID all zeros

– 203.75.205.0, this class C network

• Broadcast: host ID all ones, also used in subnets

– 203.75.205.255, broadcast in 203.75.205.0

• Limited (local) broadcast: broadcast in the local network

– 255.255.255.255, broadcast in the same network

• Private IP address

Private IP
Class A  10.0.0.0 – 10.255.255.255
Class B  172.16.0.0 – 172.31.255.255
Class C  192.168.0.0 – 192.168.255.255

Page 14: Chap2. ipv4-arp-icmp

Special Addresses

Reserved address blocks

Range             Description                                       Reference
0.0.0.0/8         Current network (only valid as source address)    RFC 6890
10.0.0.0/8        Private network                                   RFC 1918
100.64.0.0/10     Shared Address Space                              RFC 6598
127.0.0.0/8       Loopback                                          RFC 6890
169.254.0.0/16    Link-local                                        RFC 3927
172.16.0.0/12     Private network                                   RFC 1918
192.0.0.0/24      IETF Protocol Assignments                         RFC 6890
192.0.2.0/24      TEST-NET-1, documentation and examples            RFC 5737
192.88.99.0/24    IPv6 to IPv4 relay                                RFC 3068
192.168.0.0/16    Private network                                   RFC 1918
198.18.0.0/15     Network benchmark tests                           RFC 2544
198.51.100.0/24   TEST-NET-2, documentation and examples            RFC 5737
203.0.113.0/24    TEST-NET-3, documentation and examples            RFC 5737
224.0.0.0/4       IP multicast (former Class D network)             RFC 5771
240.0.0.0/4       Reserved (former Class E network)                 RFC 1700
255.255.255.255   Broadcast                                         RFC 919

Page 15: Chap2. ipv4-arp-icmp

NAT

• NAT (Network Address Translator)

– Modify network address into another

– Static NAT: 1 private IP to 1 public IP

– Dynamic NAT: 1 private IP to many unfixed public IP

– NAPT (Network Address Port Translation)

• Record port number

• Many private IP to 1 public IP

• IP Masquerade

Page 16: Chap2. ipv4-arp-icmp

NAPT

[Figure: hosts A, B, C, D (172.18.3.1, 172.18.3.2, 172.18.3.3, 172.18.3.4; ports 1400, 1401, 1402, 1403) on a LAN; NAT router (172.18.3.30, 25.8.3.2); Internet; port 80]

Private IP   Private port  Public IP  Public port  Layer 4 protocol
172.18.3.1   1400          25.8.3.2   80           TCP
172.18.3.2   1401          25.8.3.2   80           TCP
172.18.3.3   1402          25.8.3.2   80           TCP
172.18.3.4   1403          25.8.3.2   80           TCP

Page 17: Chap2. ipv4-arp-icmp

ARP


Page 18: Chap2. ipv4-arp-icmp

Outline

• IPv4

• ARP

– Introduction

– Operation

– Cache

– Format

– Application

• ICMP


Page 19: Chap2. ipv4-arp-icmp

Introduction

• Address Resolution Protocol

– RFC 826, Internet Standard STD 37

– To make a distinction between logical address (IP address) and physical address (MAC address)

[Figure: TCP/IP suite, Internet layer: IP, IGMP, ICMP, ARP; logical address, physical address]

Page 20: Chap2. ipv4-arp-icmp

Operation

• ARP request

– broadcast

[Figure: hosts A, B, C, D on a LAN; request: "Looking for physical address of a node with IP address 166.16.66.1"]

Page 21: Chap2. ipv4-arp-icmp

Operation

• ARP reply

– unicast

[Figure: hosts A, B, C, D on a LAN; reply: "166.16.66.1 physical address is A5:00:00:00:00:01"]

Page 22: Chap2. ipv4-arp-icmp

Format

ARP frame EtherType: 0x0806

Field  Preamble and SD  Destination address  Source address  Type     Data  CRC
Size   8 bytes          6 bytes              6 bytes         2 bytes        4 bytes

Data: ARP Request or Reply packet

Example field values: 0x0001 (Ethernet), 0x0800 (IP address), 6 (Ethernet), 4 (IP)

Page 23: Chap2. ipv4-arp-icmp

Cache

• Sending an ARP request and waiting for the response for every outgoing packet requires more bandwidth

• ARP cache maintained at each node

OS            ARP entries  ARP timeout time
Windows       256          10 mins
Linux Fedora  1024         60 s

arp -a              to show
arp -d [IP]         to delete
arp -s [IP] [MAC]   to add

Page 24: Chap2. ipv4-arp-icmp

Cache

Device    ARP entries  ARP timeout time
EKI-7756  6144         20 mins

EKI-7756#arp brief

EKI-7756#show arp switch

Page 25: Chap2. ipv4-arp-icmp

Application

• Proxy ARP

– Host or router responds to an ARP Request that arrives from one of its connected networks for a host that is on another of its connected networks.

Page 26: Chap2. ipv4-arp-icmp

Application

• ARP Spoofing

– Malicious host sends unsolicited ARP replies to take over another host’s IP address

– For what?

• Passive sniffing

• Modifying packets (man-in-the-middle attack)

• Denial-of-service attack

Page 27: Chap2. ipv4-arp-icmp

Application

• ARP probe

– an ARP request constructed with an all-zero sender IP address

– used in the IPv4 Address Conflict Detection specification (RFC 5227)

– Sent when there is any change in connectivity

– Should not be sent periodically

Page 28: Chap2. ipv4-arp-icmp

Application

• ARP Announcements (gratuitous ARP)

– Updating other hosts' mapping of a hardware address when the sender's IP address or MAC address has changed

– Broadcast as an ARP request containing the sender's protocol address (SPA) in the target field (TPA=SPA), with the target hardware address (THA) set to zero.

– Detecting IP conflicts

– No ARP reply is expected

Page 29: Chap2. ipv4-arp-icmp

Hands On

• ARP request

[Figure: hosts A and D on a LAN; request sent from A to D]

A: 172.17.6.23, 78:24:AF:82:8B:AA
D: 172.17.6.17, 78:24:AF:82:8B:A1

ARP packet (frame data):
0x0001  0x0800
0x06  0x04  0x0001
78:24:AF:82:8B:AA
172.17.6.23
00:00:00:00:00:00
172.17.6.17

Ethernet frame:
Preamble and SD | FF:FF:FF:FF:FF:FF | 78:24:AF:82:8B:AA | 0x0806 | data | CRC

Page 30: Chap2. ipv4-arp-icmp

Hands On

• ARP reply

[Figure: hosts A and D on a LAN; reply sent from D to A]

A: 172.17.6.23, 78:24:AF:82:8B:AA
D: 172.17.6.17, 78:24:AF:82:8B:A1

ARP packet (frame data):
0x0001  0x0800
0x06  0x04  0x0002
78:24:AF:82:8B:A1
172.17.6.17
78:24:AF:82:8B:AA
172.17.6.23

Ethernet frame:
Preamble and SD | 78:24:AF:82:8B:AA | 78:24:AF:82:8B:A1 | 0x0806 | data | CRC

Page 31: Chap2. ipv4-arp-icmp

Hands On

• ARP probe

• Gratuitous ARP
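
The frames from the Hands On slides, parsed and checked in Python. This is an added example, not part of the original slides: it names each ARP message kind the slides list (request, reply, probe, announcement) and flags the IP-to-MAC change that an unsolicited spoofed reply causes. The names `parse_arp`, `classify`, `ArpWatch` and `build`, and the MAC `02:00:00:00:00:99`, are assumptions made up for the example; the other addresses come from the slides.

```python
import struct

def _mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_arp(frame):
    """Parse an Ethernet frame (preamble and CRC already stripped) carrying ARP."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP packet")
    ethertype, htype, ptype, hlen, plen, oper = struct.unpack("!HHHBBH", frame[12:22])
    if (ethertype, htype, ptype, hlen, plen) != (0x0806, 0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {"eth_src": _mac(frame[6:12]), "oper": oper,
            "sha": _mac(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": _mac(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

def classify(p):
    if p["oper"] == 1 and p["spa"] == "0.0.0.0":
        return "probe"            # all-zero sender IP (RFC 5227)
    if p["spa"] == p["tpa"]:
        return "announcement"     # gratuitous ARP: TPA = SPA
    return "request" if p["oper"] == 1 else "reply"

class ArpWatch:
    """Remember the first IP -> MAC binding seen and report conflicting claims."""
    def __init__(self):
        self.bindings = {}
    def observe(self, frame):
        p = parse_arp(frame)
        kind, alerts = classify(p), []
        if p["eth_src"] != p["sha"]:
            alerts.append("ARP sender MAC differs from Ethernet source")
        if kind != "probe":       # a probe carries no sender IP to bind
            old = self.bindings.setdefault(p["spa"], p["sha"])
            if old != p["sha"]:
                alerts.append(f"{p['spa']} changed from {old} to {p['sha']}")
        return kind, alerts

def build(dst, src, oper, sha, spa, tha, tpa):
    """Assemble a constructed test frame from colon/dotted notation."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(map(int, s.split(".")))
    head = m(dst) + m(src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return head + m(sha) + a(spa) + m(tha) + a(tpa)

A, D, X = "78:24:AF:82:8B:AA", "78:24:AF:82:8B:A1", "02:00:00:00:00:99"  # X is made up
REQUEST = build("FF:FF:FF:FF:FF:FF", A, 1, A, "172.17.6.23", "00:00:00:00:00:00", "172.17.6.17")
REPLY = build(A, D, 2, D, "172.17.6.17", A, "172.17.6.23")
FORGED = build(A, X, 2, X, "172.17.6.17", A, "172.17.6.23")  # constructed sample
```

Feeding `REQUEST`, `REPLY` and then `FORGED` to one `ArpWatch` instance yields no alerts for the first two and a binding-change alert for the third.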


Page 32: Chap2. ipv4-arp-icmp

ICMP


Page 33: Chap2. ipv4-arp-icmp

Outline

• IPv4

• ARP

• ICMP

– Introduction

– Operation

– Format

– Types of ICMP

– Tools


Page 34: Chap2. ipv4-arp-icmp

Introduction

• Internet Control Message Protocol

– RFC 792

– IP provides unreliable and connectionless delivery

– Error reporting protocol for IP

– Does not correct the encountered network problem

– ICMP for IPv4 is also known as ICMPv4, and ICMP for IPv6 is known as ICMPv6

Page 35: Chap2. ipv4-arp-icmp

Operation

• Triggered when an IP packet encounters a problem; an ICMP packet is then sent back to the source IP address

[Figure: TCP/IP suite, Internet layer: IP, IGMP, ICMP, ARP]

Ethernet:  Frame header | Frame data
L3:        IP header | IP data
IP data:   ICMP message (IP protocol number: 0x01)

Page 36: Chap2. ipv4-arp-icmp

Format

– Type: ICMP type

– Code: ICMP subtype

– Checksum: Error checking data

– Rest of Header: Contents vary based on the ICMP type and code

– Data

ICMP header:  Type (1 byte) | Code (1 byte) | Checksum (2 bytes)
              Rest of Header
Data:         Data section (no fixed length)

Page 37: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message: Report problems

• Query message: Get specific information

Category                 Type      Message
Error-reporting message  3         Destination unreachable
Error-reporting message  4         Source quench
Error-reporting message  11        Time exceeded
Error-reporting message  12        Parameter problem
Error-reporting message  5         Redirection
Query message            8 or 0    Echo request or reply
Query message            13 or 14  Timestamp request and reply
Query message            17 or 18  Address mask request and reply
Query message            10 or 9   Router solicitation and advertisement

Page 38: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message

– destination-unreachable message

– source-quench message

– time-exceeded message

– parameter-problem message

– redirection message

Received packet:   IP Header | 8 bytes | IP data
ICMP packet:       ICMP Header | IP Header | 8 bytes
Delivered packet:  IP Header | ICMP Header | IP Header | 8 bytes

Page 39: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message

destination-unreachable message

ICMP header:  Type=3 | Code=0-15 | Checksum
              Rest of Header = unused (all zero)
Data:         IP header and first 8 bytes of original datagram’s data

[Figure: hosts A and B, Router]

Page 40: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message

source-quench message

ICMP header:  Type=4 | Code=0 | Checksum
              Rest of Header = unused (all zero)
Data:         IP header and first 8 bytes of original datagram’s data

[Figure: Router, 85%, Source-quench]

Page 41: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message

time-exceeded message

ICMP header:  Type=11 | Code=0 or 1 | Checksum
              Rest of Header = unused (all zero)
Data:         IP header and first 8 bytes of original datagram’s data

• Code=0, TTL count exceeded

• Code=1, Fragment reassembly time exceeded

[Figure: Router, Router, TTL=1, X, Time-exceeded]

Page 42: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message

parameter-problem message

ICMP header:  Type=12 | Code=0,1,2 | Checksum
              index | unused (all zero)
Data:         IP header and first 8 bytes of original datagram’s data

• Code=0, Pointer indicates the error

• Code=1, Missing a required option

• Code=2, Bad length

Page 43: Chap2. ipv4-arp-icmp

Types of ICMP

• Error-reporting message

redirection message

ICMP header:  Type=5 | Code=0-3 | Checksum
              Rest of Header = IP address
Data:         IP header and first 8 bytes of original datagram’s data

Code  Description
0     Redirect for Network
1     Redirect for Host
2     Redirect for Type of Service and Network
3     Redirect for Type of Service and Host

Page 44: Chap2. ipv4-arp-icmp

Types of ICMP

• Query message: Get specific information

echo-request message, echo-reply message

ICMP header:  Type=8 or 0 | Code=0 | Checksum
              identifier | sequence number
Data:         Optional data. Sent by the request message; repeated by the reply message

• type=8, echo-request

• type=0, echo reply

Page 45: Chap2. ipv4-arp-icmp

Types of ICMP

• Query message: Get specific information

timestamp-request message, timestamp-reply message

ICMP header:  Type=13, 14 | Code=0 | Checksum
              identifier | sequence number
Data:         originate timestamp
              receive timestamp
              transmit timestamp

• type=13, timestamp-request message

• type=14, timestamp-reply message

• 32-bit timestamp, universal time (ms), <86,400,000

Page 46: Chap2. ipv4-arp-icmp

Tools

• Ping, packet Internet groper

– sends an ICMP echo request to a remote host, which then returns an ICMP echo reply to the sender

Windows ping program

Ping [IP] [-t] [-n Count] [-l Size] [-w Timeout]

-t          Sends Echoes until interrupted
-n Count    Specifies the number of Echo Request messages sent
-l Size     Specifies the length, in bytes, of the Data field in the Echo Request messages sent (default is 32 bytes)
-w Timeout  Specifies the amount of time, in milliseconds, to wait for the Echo Reply (default is 1000 = 1 s)

Page 47: Chap2. ipv4-arp-icmp

Tools

• Traceroute program

– Determine a path from a host to a destination node

– Each router along the path decreases the TTL

– Concept


Page 48: Chap2. ipv4-arp-icmp

Tools


Ping

tracert

Page 49: Chap2. ipv4-arp-icmp

What Ping TTL default ?

Guess TTL default

(a) 128

(b) 64

Page 50: Chap2. ipv4-arp-icmp

What Ping TTL default ?

Guess again, TTL default

(a) 128

(b) 64

128+0=128

127+1=128

Page 51: Chap2. ipv4-arp-icmp

What Ping TTL default ?

And this, TTL default

(a) 128

(b) 64

Ping TTL default depends on IP?

53+11=64

Page 52: Chap2. ipv4-arp-icmp

What Ping TTL default ?

[Figure: two Windows hosts, each with Default=128]

Request ttl=128

Reply ttl=128

Page 53: Chap2. ipv4-arp-icmp

What Ping TTL default ?

[Figure: two Windows hosts, each with Default=128]

Request ttl=128

Reply ttl=127

Request ttl=127

Reply ttl=128

Page 54: Chap2. ipv4-arp-icmp

What Ping TTL default ?

[Figure: host with Default=128 and host with Default=64, 11 routers between them]

Request ttl=128

Reply ttl=53

Request ttl=117

Reply ttl=64

Request ttl=127

Reply ttl=54

Page 55: Chap2. ipv4-arp-icmp

Ping TTL default

• The ping program's default TTL depends on the OS default for ICMP packets.

• The TTL shown by the ping program depends on the sender's ICMP default.

• Windows XP/Vista/7 ICMP TTL is 128

• Linux 2.0.x kernel/Red Hat 9 ICMP TTL is 64

• We can guess the sender's OS from the TTL.
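
The TTL reasoning from the quiz slides, carried out on a parsed packet. This is an added Python example, not part of the original slides: it parses an IPv4 packet carrying an ICMP echo reply, verifies the ICMP checksum, and infers the sender's initial TTL and the router count. The function names, the sample addresses and the extra initial TTL of 255 are assumptions; 64 and 128 are the defaults the slides give.

```python
import struct

def inet_checksum(data):
    """16-bit one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(packet):
    """Parse an IPv4 packet carrying ICMP; return source, TTL and ICMP fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 0x01:
        raise ValueError("not IPv4 carrying ICMP (protocol 0x01)")
    icmp = packet[(packet[0] & 0x0F) * 4:]       # skip header, options included
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": ".".join(map(str, packet[12:16])), "ttl": packet[8],
            "type": icmp_type, "code": code, "id": ident, "seq": seq}

# 64 and 128 are from the slides; 255 is an added assumption for other stacks.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "other (assumed)"}

def guess_sender(ttl):
    """Smallest known initial TTL >= the observed TTL, and the routers crossed."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return INITIAL_TTLS[initial], initial, initial - ttl

def build_echo_reply(src, dst, ttl, ident, seq, data=b"abcdefgh"):
    """Constructed sample: IPv4 header (no options) + ICMP echo reply (type 0)."""
    body = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + data
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    addr = lambda s: bytes(map(int, s.split(".")))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(body), 0, 0, ttl, 1, 0)
    hdr += addr(src) + addr(dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + body
```

The initial TTL is a configurable setting on most systems, so the result is a hint about the sender, not an identification.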

Page 56: Chap2. ipv4-arp-icmp

Thanks
