Lecture 2. Network Basics Prof. Taeweon Suh Computer Science & Engineering Korea University COM850 Computer Hacking and Security

Upload: sam-skemp

Post on 16-Dec-2015

222 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: Lecture 2. Network Basics

Prof. Taeweon Suh, Computer Science & Engineering, Korea University

COM850 Computer Hacking and Security

Page 2: Open Systems Interconnection (OSI)

Korea Univ

• The International Standards Organization (ISO) is a multinational body dedicated to worldwide agreement on international standards. Almost three-fourths of the countries in the world are represented in the ISO.

• An ISO standard that covers all aspects of network communications is the Open Systems Interconnection (OSI) model. It was first introduced in the late 1970s.

• The OSI model is a layered framework for the design of network systems that allows communication between all types of computer systems.

Page 3: OSI 7 Layers

• Physical: transmit bits over a medium
• Data link: organize bits into a frame
• Network: move packets from source to destination
• Transport: provide reliable process-to-process message delivery
• Session: establish, manage, and terminate sessions
• Presentation: translate, encrypt and compress data
• Application: allow access to the network resources

Figure: the seven layers with example protocols (the application-layer examples include POP3 and IMAP).

Page 4: TCP/IP Protocol Suite

• The TCP/IP protocol suite was developed prior to the OSI model. Thus, the layers in TCP/IP do not match exactly with those in OSI.

Page 5: Encapsulation

(Figure only.)

Page 6: OSI Layers

• As a message travels from A to B, it may pass through many intermediate nodes.

• These intermediate nodes usually involve only the first three layers of the OSI model.

Figure: client, Router A, Router B, server.

Page 7: Ethernet

• A Local Area Network (LAN) is a computer network designed for a limited geographic area such as a building or a campus.

• Most LANs are linked to a wide area network (WAN) or the Internet.

• There are several technologies for LANs, such as Ethernet, Token ring, Token bus, FDDI and ATM LAN.

• Ethernet is by far the dominant technology.

Page 8: Ethernet Frame

Figure: Ethernet frame layout. CRC: Cyclic Redundancy Checking. MAC (Media Access Control) addresses.

Page 9: Ethernet Type Field

Source: http://www.networkdictionary.com/networking/EtherType.php

Page 10: Internet Protocol (IP)

• IP is the transmission mechanism at the network layer. Packets in the network layer are called datagrams.

• IP is an unreliable and connectionless datagram protocol (best-effort delivery).
  • Each datagram is handled independently, and each datagram can follow a different route to the destination.
  • This implies that datagrams sent by the same source to the same destination could arrive out of order.
  • IP packets can be corrupted, lost, arrive out of order or be delayed.

Page 11: IP Datagram

• Version (VER): IPv4 or IPv6
• Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) bytes depending on options
• Service Type (TOS): cost, reliability, throughput, delay
• Total length: header + data in bytes (max 65535 B)
  • The maximum size of the data field, the Maximum Transfer Unit (MTU), differs from one physical network to another: Ethernet LAN: 1500 B, FDDI LAN: 4352 B, PPP: 296 B
• ID, Flags, and Fragmentation offset are used in fragmentation
• TTL
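A worked decoder for the header fields listed on this slide, added here as an example (not code from the lecture). It builds a constructed 20-byte header, decodes VER/HLEN/TOS/total length/flags/offset/TTL, verifies the header checksum, and shows why a router that decrements TTL must also recompute the checksum; the sample addresses and ID value are made up.

```python
import struct

MTU = {"ethernet": 1500, "fddi": 4352, "ppp": 296}   # bytes, as listed on the slide


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, then complemented. Run over a header
    whose checksum field is already filled in, it returns 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      ident: int = 0x1C46, df: bool = True, proto: int = 6) -> bytes:
    """Constructed 20-byte header without options (HLEN = 5 words)."""
    flags_frag = 0x4000 if df else 0          # DF flag set; fragment offset 0
    fields = (0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields named on the slide and verify the header checksum."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4     # HLEN is counted in 4-byte words
    if version != 4 or not 20 <= hlen <= 60 or hlen > len(data):
        raise ValueError("not a well-formed IPv4 header")
    flags, frag_offset = flags_frag >> 13, (flags_frag & 0x1FFF) * 8   # offset in 8-byte units
    return {
        "version": version, "hlen": hlen, "tos": tos, "total_length": total_len,
        "id": ident, "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "fragment_offset": frag_offset, "ttl": ttl, "protocol": proto,
        "checksum_ok": internet_checksum(data[:hlen]) == 0,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
    }


def forward_one_hop(header: bytes):
    """What each router does to the header (pages 20 and 39): TTL - 1 and a fresh
    checksum. Returns None when TTL would reach 0, i.e. the router discards the datagram."""
    if header[8] <= 1:
        return None
    hlen = (header[0] & 0x0F) * 4
    patched = bytearray(header)
    patched[8] -= 1
    patched[10:12] = b"\x00\x00"
    patched[10:12] = struct.pack("!H", internet_checksum(bytes(patched[:hlen])))
    return bytes(patched)


def fits_without_fragmentation(total_length: int, link: str) -> bool:
    """A datagram longer than the link MTU has to be fragmented (ID, flags, offset)."""
    return total_length <= MTU[link]


# Constructed sample: a 20-byte TCP segment carried from 192.0.2.1 to 198.51.100.7.
SAMPLE = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=20)
# TTL decremented without recomputing the checksum: a receiver must reject this header.
STALE = SAMPLE[:8] + bytes([SAMPLE[8] - 1]) + SAMPLE[9:]
```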

Page 12: IPv4 Addresses

• The identifier used in the IP layer to identify each device connected to the Internet is called the Internet address, or IP address.

• An IPv4 address is 32 bits long. The address space of IPv4 is 2^32, or 4,294,967,296 addresses.

• IPv4 addresses are unique and universal.

• IP addresses use the concept of classes: classful addressing.

• In the mid-1990s, a new architecture called classless addressing was introduced. Classless addressing supersedes classful addressing.

Page 13: Classful Addressing

(Figure only.)

Page 14: Classful Addressing

• Class A: 128 (2^7) blocks that can be assigned to 128 organizations; each block has 16,777,216 addresses.
  • Millions of class A addresses are wasted.

• Class B: 16,384 (2^14) blocks; each block has 65,536 addresses.
  • Many class B addresses are wasted.

• Class C: 2,097,152 (2^21) blocks; each block has 256 addresses.
  • Not many organizations are so small that a class C block is enough.

• netid defines the network. The network address is used in routing a packet to its destination network.

• hostid defines a particular host on the network.

Page 15: Classless Addressing

• Solutions to the IP address depletion problem:
  • IPv6: 128-bit (or 16 B) long addresses
  • Classless addressing: keep IPv4, but change the distribution of addresses to provide a fair share to each organization

• In classless addressing, variable-length blocks are used that belong to no classes. The prefix defines the network, and the suffix defines the host.
  • The prefix length can be 1 to 32.
  • Slash notation is formally referred to as Classless Interdomain Routing (CIDR).

Page 16: Examples

• One of the addresses in a block is 17.63.110.114/24
  • Number of addresses: 256
  • First address in the block: 17.63.110.0
  • Last address in the block: 17.63.110.255

• One of the addresses in a block is 110.23.120.14/20
  • Number of addresses: 4096
  • First address in the block: 110.23.112.0
  • Last address in the block: 17.63.127.255

Page 17: Special Addresses

• 0.0.0.0/32: Reserved for communication when a host does not know its own address. Normally used at bootstrap time to get an IP address from a DHCP server.

• 255.255.255.255/32: Reserved for the limited broadcast address in the current network.

• 127.0.0.0/8: Used for the loopback address, which is an address used to test the software on a machine.

Figure: a host on a network with hosts 221.45.71.20/24, 221.45.71.178/24, 221.45.71.64/24 and 221.45.71.126/24 sends a packet with source 0.0.0.0 and destination 255.255.255.255; the packet reaches the hosts on that network, and the router blocks the packet.

Page 18: Special Addresses

• Private addresses: A number of blocks are assigned for private use. They are not recognized globally. These addresses are used either in isolation or in connection with network address translation (NAT) techniques.

• Multicast addresses: 224.0.0.0/4 is reserved for multicast communication.

Page 19: Special Addresses in Each Block

• Network Address: the first address (with the suffix set to all 0s) in a block defines the network address. It defines the network itself and not any host in the network.

• Direct Broadcast Address: the last address in a block (specific prefix, suffix all 1s). It is usually used by a router to send a packet to all hosts in a specific network.
  • All hosts will accept a packet having this type of destination address.
  • This address can be used only as a destination address in an IPv4 packet.

Figure: network 221.45.71.0/24 with hosts 221.45.71.20/24, 221.45.71.178/24, 221.45.71.64/24 and 221.45.71.126/24; a packet with destination IP address 221.45.71.255 is accepted by all hosts on the network.

Page 20: TTL

• TTL is used for controlling the maximum number of hops (routers) visited by the datagram. When a source host sends the datagram, it stores a number in TTL, which is approximately 2X the maximum number of hops between any 2 hosts.
  • TTL is needed because routing tables in the Internet can become corrupted, resulting in a packet looping or cycling the network endlessly.

• TTL can also be used intentionally to limit the journey of the packet. If the source wants to confine the packet to the local network, it can store 1 in TTL.

Page 21: Transmission Control Protocol (TCP)

• TCP is connection-oriented. It establishes a virtual path between the source and destination.

• All of the segments belonging to a message are then sent over this virtual path.

• You may wonder how TCP, which uses the services of IP, a connectionless protocol, can be connection-oriented.

• A TCP connection is virtual, not physical.

• TCP uses the services of IP to deliver individual segments to the receiver, but it controls the connection itself. If a segment is lost or corrupted, it is retransmitted.

Page 22: TCP

• Header Length (HLEN): 20 (5 x 4) or 60 (15 x 4) bytes depending on options

• Window Size: Normally the receiving window (rwnd) in bytes

• Checksum: Used to detect errors over the entire segment (header + data)

• Urgent Pointer: Valid only if the URG flag is set.
  • Used when the segment contains urgent data.
  • Defines a value that must be added to the sequence number to obtain the number of the last urgent byte in the data section of the segment.

Page 23: Port Addresses

• The local host and the remote host are defined using IP addresses.

• To define the client and server programs, second identifiers are needed. They are called port numbers.

• In TCP/IP, the port numbers are integers between 0 and 65,535.
  • The server uses well-known port numbers, which are less than 1,024.
  • A client program on the local computer defines itself with a port number (called an ephemeral port number), chosen randomly by the TCP software.

Page 24: TCP Control Field

• PSH: the data should be processed (pushed) immediately

• URG: the segment carries urgent data

• RST: Reset the connection
  • Deny a connection request
  • Abort an existing connection
  • Terminate an idle connection

Page 25: IP + TCP

(Figure only.)

Page 26: TCP Connection Establishment

Figure: three-way handshake. The server performs a passive open; the client performs an active open. (U A P R S F are the URG, ACK, PSH, RST, SYN and FIN control bits.)

1. Client → Server: SYN, seq: 8000
2. Server → Client: SYN + ACK, seq: 15000, ack: 8001, rwnd: 5000
3. Client → Server: ACK, seq: 8000, ack: 15001, rwnd: 10000

Connection opened.

Page 27: SYN Flooding Attack

• A SYN flood tries to exhaust state in the TCP/IP stack. Since TCP maintains "reliable" connections, each connection needs to be tracked somewhere; the TCP/IP stack in the kernel handles this, but it has a finite table that can only track so many incoming connections.

• Attackers flood the victim's system with many SYN packets, using spoofed non-existent source addresses. The victim machine sends a SYN/ACK packet to the non-existent IP address and never gets the ACK response.

• A kind of denial-of-service (DoS) attack.
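From the defender's side, the condition described on this slide is visible as a growing table of half-open connections whose SYN was never followed by an ACK. The monitor below is an added example (not code from the lecture): it replays a constructed connection-event log the way the kernel's SYN table would, expires entries the stack has given up on, and raises an alert when the half-open count exceeds an assumed backlog size. The log format, addresses and the backlog/timeout values are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed connection-event log (not captured traffic): "t=<sec> <flags> <src ip:port> -> <dst ip:port>".
# Two clients complete the handshake; six SYNs from six distinct sources are never followed by an ACK.
EVENT_LOG = """\
t=0.00 SYN 198.51.100.23:51000 -> 203.0.113.10:80
t=0.02 ACK 198.51.100.23:51000 -> 203.0.113.10:80
t=0.10 SYN 192.0.2.1:1000 -> 203.0.113.10:80
t=0.11 SYN 192.0.2.2:1000 -> 203.0.113.10:80
t=0.12 SYN 192.0.2.3:1000 -> 203.0.113.10:80
t=0.13 SYN 192.0.2.4:1000 -> 203.0.113.10:80
t=0.14 SYN 192.0.2.5:1000 -> 203.0.113.10:80
t=0.15 SYN 192.0.2.6:1000 -> 203.0.113.10:80
t=0.30 SYN 198.51.100.77:52000 -> 203.0.113.10:80
t=0.33 ACK 198.51.100.77:52000 -> 203.0.113.10:80
"""

LINE = re.compile(r"t=(?P<t>[\d.]+) (?P<flags>\S+) (?P<src>\S+) -> (?P<dst>\S+)")


@dataclass
class Event:
    t: float
    flags: str
    src: str    # "ip:port"
    dst: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(Event(float(m["t"]), m["flags"], m["src"], m["dst"]))
    return events


def half_open(events: List[Event], now: float, syn_timeout: float) -> Dict[Tuple[str, str], float]:
    """Replay the events as the kernel's SYN table would: a SYN creates a half-open entry,
    the matching ACK completes it (state moves to established), and an entry older than
    syn_timeout is one the stack has stopped waiting for."""
    pending: Dict[Tuple[str, str], float] = {}
    for e in events:
        key = (e.src, e.dst)
        if e.flags == "SYN":
            pending[key] = e.t
        elif e.flags == "ACK":
            pending.pop(key, None)
    return {k: t for k, t in pending.items() if now - t < syn_timeout}


def syn_flood_check(events: List[Event], now: float, backlog: int, syn_timeout: float = 60.0) -> dict:
    """Flag the page-27 condition: more half-open entries than the finite table holds,
    spread over many source addresses that never answered the SYN/ACK."""
    pend = half_open(events, now, syn_timeout)
    sources = {src.rsplit(":", 1)[0] for src, _dst in pend}
    return {"half_open": len(pend), "sources": len(sources), "alert": len(pend) > backlog}
```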

Page 28: TCP Connection Termination with 3-way Handshaking

(Figure only.)

Page 29: Notes

• A SYN segment can't carry data, but it consumes one sequence number.

• A SYN + ACK segment can't carry data, but it consumes one sequence number.

• An ACK segment, if carrying no data, consumes no sequence number.

• The FIN segment consumes one sequence number if it does not carry data.

• The FIN + ACK segment consumes one sequence number if it does not carry data.

Page 30: Data Transfer with TCP

Figure: data transfer after the handshake of page 26; "Send request" marks a push by the sending application and "Receive" marks delivery to the receiving application. (U A P R S F are the control bits.)

1. Client → Server: seq: 8001, ack: 15001, data bytes: 8001-9000
2. Client → Server: seq: 9001, ack: 15001, data bytes: 9001-10000
3. Server → Client: seq: 15001, ack: 10001, data bytes: 15001-17000, rwnd: 10000
4. Client → Server: seq: 10000, ack: 17001

Followed by connection termination.

Page 31: Flow Control

Figure: flow control between client and server:
1. Messages are pushed
2. Segments are pushed
3. Messages are pulled
4. Flow control feedback
5. Flow control feedback

Page 32: Flow Control Example

(Figure only.)

Page 33: TCP Retransmission Timer

• To control a lost or discarded segment, TCP employs a retransmission timer that handles the retransmission time. When TCP sends a segment, it creates a retransmission timer for that particular segment.

• If the timer goes off before the acknowledgement arrives, the segment is retransmitted and the timer is reset.

• TCP uses a dynamic retransmission time:
  • the retransmission time is different for each connection
  • the retransmission time may change during the same connection

• The most common retransmission time: 2 x RTT

Page 34: Round Trip Time (RTT) Calculation

• 2 methods:
  • TCP uses the timestamp option (a 10-B option).
  • TCP sends a segment, starts a timer, and waits for an acknowledgement; it measures the time between the sending of the segment and the receiving of the acknowledgement.

• RTT = α x previous RTT + (1 - α) x current RTT (α usually 90%)

Page 35: Hubs

• A hub is no more than a repeating device operating on layer 1 (physical layer) of the OSI model.

• A hub takes packets sent from one port and transmits (repeats) them to every other port on the device.

• Because a hub can generate a lot of unnecessary traffic and is capable of operating only in half-duplex mode, it is not typically used in modern networks (switches are used instead).

Page 36: Switches

• Like a hub, a switch is designed to repeat packets.

• Unlike a hub, a switch (a full-duplex device) sends data only to the computer for which the data is intended (rather than broadcasting data to every port).

• Switches operate on layer 2 (data link layer) of the OSI model.

• Switches store the layer 2 address (MAC address) of every connected device in a CAM table.

Page 37: Routers

• Routers operate on layer 3 (network layer) of the OSI model. Routers use IP addresses (layer 3) to uniquely identify devices on a network.

Page 38: Traffic Classification

• Broadcast: broadcast traffic is traffic that is sent to all ports on a network segment.
  • Each broadcast domain extends until it reaches a router; broadcast packets circulate only within the specified broadcast domain.
  • Layer 2 broadcast: the MAC address FF:FF:FF:FF:FF:FF is the reserved broadcast address.
  • Layer 3 broadcast: the highest possible IP address is reserved for use as the broadcast address. Example: IP: 192.168.0.xxx, subnet mask: 255.255.255.0, broadcast address: 192.168.0.255

• Multicast

• Unicast

Page 39: Router Paths and Packet Switching

• As a packet travels from one networking device to another:
  • The source and destination IP addresses NEVER change.
  • The source and destination MAC addresses CHANGE as the packet is forwarded from one router to the next.
  • The TTL field is decremented by one at each router until a value of zero is reached, at which point the router discards the packet (prevents packets from endlessly traversing the network).

Source: CISCO Network Academy

Page 41: Path Determination and Switching Example

• PC1 wants to send something to PC2.
  • Step 1: PC1 encapsulates the packet into a frame; the frame contains R1's MAC address as the destination MAC address.

Source: CISCO Network Academy

Page 42: Path Determination and Switching Example

• Step 2: R1 sees that the destination MAC address matches its own MAC.
  • R1 then strips off the Ethernet frame.
  • R1 examines the destination IP.
  • R1 consults its routing table looking for the destination IP. After finding the destination IP in the routing table, R1 looks up the next-hop address.
  • R1 re-encapsulates the IP packet in a new Ethernet frame.
  • R1 forwards the Ethernet frame out its Fa0/1 interface.

Source: CISCO Network Academy

Page 43: Path Determination and Switching Example

(Figure only.) Source: CISCO Network Academy

Page 44: Path Determination and Switching Example

• Step 3: the packet arrives at R2.
  • R2 receives the Ethernet frame.
  • R2 sees that the destination MAC address matches its own MAC.
  • R2 then strips off the Ethernet frame.
  • R2 examines the destination IP.
  • R2 consults its routing table looking for the destination IP. After finding the destination IP in the routing table, R2 looks up the next-hop IP address.
  • R2 re-encapsulates the IP packet in a new data link frame.
  • R2 forwards the frame out its S0/0 interface.

Source: CISCO Network Academy

Page 45: Path Determination and Switching Example

• Step 4: the packet arrives at R3.
  • R3 receives the PPP frame.
  • R3 then strips off the PPP frame.
  • R3 examines the destination IP.
  • R3 consults its routing table looking for the destination IP. After finding the destination IP in the routing table, it determines that R3 is directly connected to the destination via its Fast Ethernet interface.
  • R3 re-encapsulates the IP packet in a new Ethernet frame.
  • R3 forwards the Ethernet frame out its Fa0/0 interface.

• Step 5: the IP packet arrives at PC2. The frame is decapsulated and processed by the upper-layer protocols.

Source: CISCO Network Academy. PPP: Point-to-Point Protocol.

Page 46: Network Address Translation (NAT)

• NAT is a technology providing the mapping between private and universal (global) addresses.

Figure: a site using private addresses (172.18.3.1, 172.18.3.2, ..., 172.18.3.20) connected to the Internet through a NAT router. An outgoing packet with source 172.18.3.1 leaves with source 200.24.5.8; the reply addressed to destination 200.24.5.8 is delivered with destination 172.18.3.1.

Page 47: Network Address Translation (NAT)

• Use port numbers for many-to-many communication between private network hosts and external server programs.

Figure: the NAT router's global address is 200.24.5.8.

Page 48: Address Resolution Protocol (ARP)

• ARP (Address Resolution Protocol): In TCP/IP, a protocol for obtaining the physical address of a node when the Internet address is known.

Ethernet frame carrying ARP:

Preamble and SFD | Destination address | Source address | Type    | Data | CRC
8 bytes          | 6 bytes             | 6 bytes        | 2 bytes |      | 4 bytes

Type: 0x0806

Page 49: Example

(Figure only.)

Page 50: ARP Redirection

• ARP cache poisoning
  • No state information about the ARP traffic is kept in a system.
  • The attacker sends spoofed ARP replies to certain devices.
  • The ARP cache is overwritten with the attacker's MAC address.
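The weakness named on this slide is the absence of state: a host accepts whatever binding the latest reply carries. The added example below (not the lecture's code) keeps that state on the monitoring side: it remembers the MAC each IP was first seen with and the IPs each MAC has claimed, and reports any change. The observations are constructed, and the "pinned" table of bindings an administrator trusts is an assumption of the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed ARP-reply observations (time, IP claimed, MAC in the reply); not captured traffic.
ARP_REPLIES: List[Tuple[float, str, str]] = [
    (0.0, "192.0.2.1",  "02:00:00:00:00:01"),   # gateway, first seen
    (0.5, "192.0.2.20", "02:00:00:00:00:20"),
    (1.0, "192.0.2.1",  "02:00:00:00:00:01"),   # same binding repeated: nothing to report
    (2.0, "192.0.2.1",  "02:00:00:00:00:99"),   # gateway IP now bound to a different MAC
    (2.1, "192.0.2.20", "02:00:00:00:00:99"),   # the same MAC now claims the second host too
]


def watch_arp(replies: List[Tuple[float, str, str]],
              pinned: Dict[str, str] = None) -> List[str]:
    """Report IP->MAC rebindings and MACs that claim several IPs.
    Bindings in `pinned` are never overwritten; a reply that contradicts one is reported."""
    ip_to_mac: Dict[str, str] = dict(pinned or {})
    mac_to_ips: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for t, ip, mac in replies:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"t={t}: {ip} changed from {old} to {mac}")
        if pinned is None or ip not in pinned:
            ip_to_mac[ip] = mac              # learn or update the observed binding
        mac_to_ips.setdefault(mac, set()).add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={t}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts
```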

Page 51: Domain Name Service (DNS)

• People prefer to use names instead of numeric addresses.

• So, a system is needed that maps a name to an address or an address to a name.

Figure: name resolution, from the user down to the transport layer: (1) hostname, (2) hostname, (3) query, (4) response, (5) IP address, (6) IP address handed to the transport layer.

Page 52: POP3, SMTP

• POP3: Post Office Protocol, Version 3

• IMAP4: Internet Mail Access Protocol, Version 4

• SMTP: Simple Mail Transfer Protocol, used for communication between the sender and the sender's mail server, and for communication between the 2 mail servers

Page 53: Backup Slides

Page 54: Linksys Router – WRT54G

(Figure only.)

Page 55: Packet Analysis Programs

• tcpdump
• OmniPeek
• Wireshark

Page 56: Regarding Multicast

Source: http://www.tldp.org/HOWTO/Multicast-HOWTO-2.html

• Every Ethernet frame with its destination in the range 01-00-5e-00-00-00 ~ 01-00-53-ff-ff-ff contains data for a multicast group.
  • The prefix 01-00-5e identifies the frame as multicast.
  • The next bit is always 0.
  • So, the upper 25 bits of the MAC address are fixed. Only the lower 23 bits (of the 48-bit MAC address) are used for the multicast address.

• Multicast groups are 28 bits long (224.0.0.0/4). The lower 23 bits of the IP multicast group are placed in the frame (the 5 high-order bits are ignored), resulting in 32 different multicast groups being mapped to the same Ethernet address.
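An added example (not code from the lecture) tying together the Ethernet frame of pages 8 and 48, the destination classification of page 38 and the group-to-MAC mapping of this slide. It builds a constructed ARP request frame, splits and classifies the header, checks the CRC, and maps IPv4 multicast groups to their Ethernet address, listing the 32 groups that collide on one address. Assumptions: the frame is handled as software sees it (preamble and SFD already stripped by the NIC), the FCS is the CRC-32 that zlib computes, and the MAC and IP values are made up.

```python
import struct
import zlib

BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}   # 0x0806 is the value on page 48


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def ip_str(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Frame as software sees it (preamble/SFD stripped): destination, source, type,
    data, then the 4-byte CRC (FCS), which is sent low byte first."""
    body = struct.pack("!6s6sH", dst, src, ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Split the header, classify the destination (page 38) and check the CRC."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if dst == BROADCAST_MAC:
        kind = "broadcast"
    elif dst[0] & 0x01:          # group bit of the first octet
        kind = "multicast"
    else:
        kind = "unicast"
    return {"dst": mac_str(dst), "src": mac_str(src), "kind": kind,
            "type": ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"),
            "payload": frame[14:-4], "crc_ok": zlib.crc32(body) == fcs}


def parse_arp(payload: bytes) -> dict:
    """Fixed 28-byte ARP body for Ethernet/IPv4."""
    _hw, _pr, _hl, _pl, op, smac, sip, _tmac, tip = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return {"op": {1: "request", 2: "reply"}.get(op, op), "sender_mac": mac_str(smac),
            "sender_ip": ip_str(sip), "target_ip": ip_str(tip)}


def multicast_mac(group: str) -> str:
    """IPv4 multicast group (224.0.0.0/4) -> Ethernet address: the fixed 25-bit prefix
    (01-00-5e plus a 0 bit) followed by the low 23 bits of the group address."""
    n = int.from_bytes(bytes(int(o) for o in group.split(".")), "big")
    if n >> 28 != 0xE:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    return mac_str(b"\x01\x00\x5e" + (n & 0x7FFFFF).to_bytes(3, "big"))


def groups_sharing_mac(group: str) -> list:
    """The 5 ignored bits (bits 23-27 of the group) give 2**5 = 32 groups per MAC address."""
    low23 = int.from_bytes(bytes(int(o) for o in group.split(".")), "big") & 0x7FFFFF
    return [ip_str((0xE0000000 | (i << 23) | low23).to_bytes(4, "big")) for i in range(32)]


# Constructed ARP request (page 48): broadcast destination, type 0x0806, asking who has 192.0.2.1.
ARP_BODY = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       bytes.fromhex("021122334455"), bytes([192, 0, 2, 20]),
                       bytes(6), bytes([192, 0, 2, 1]))
ARP_FRAME = build_frame(BROADCAST_MAC, bytes.fromhex("021122334455"), 0x0806, ARP_BODY)
```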