TCP, UDP, ICMP - Dr. Stephen C. Hayne

TCP/IP Refresher
This presentation is an amalgam of presentations by
Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Vertical & Horizontal Communication
[Figure: a sender stack and a receiver stack, each with Protocol Layer 1 ... Protocol Layer n, Protocol Layer n+1. Each layer talks vertically to the layers above and below it in its own stack, and horizontally (via the protocol) to its peer layer on the other host.]
The TCP/IP "Suite" of Protocols
- RFCs developed & maintained by the Internet Engineering Task Force (IETF)
  - Transmission Control Protocol (TCP)
  - User Datagram Protocol (UDP)
  - Internet Protocol (IP)
  - Internet Control Message Protocol (ICMP)
- Originally, no security provisions
  - security provided at the application level
  - IPSec is a security add-on for IPv4
  - IPv6 incorporates IPSec (support was originally mandatory for IPv6 implementations; RFC 6434 later relaxed that to a "SHOULD", so it is not guaranteed to be present or enabled)
TCP/IP
- In this model, the top 3 layers of the OSI model (application, presentation, session) are usually reduced to just "the application layer":
  - Application Layer
  - TCP
  - IP
  - Data Link Layer
  - Physical Layer
- In reality, we will later squeeze a layer in between the application layer and TCP's layer
TCP/IP
Transmission Control Protocol
- the "workhorse" on the Internet at OSI Layer 4 (Transport Layer)
- ensures data gets to the right place, in the right order (reliable, in-order delivery; lost segments are retransmitted)
- creates a TCP segment by adding a header
- the User Datagram Protocol (UDP) also operates at this layer
Internet Protocol
- most commonly used protocol at OSI Layer 3 (Network Layer)
- delivers packets end-to-end
- creates the IP datagram by adding a header
- the Internet Control Message Protocol (ICMP) also operates at this layer
The TCP Header
(32-bit words)
| TCP Source Port (16) | TCP Destination Port (16) |
| Sequence Number (32) |
| Acknowledgment Number (32) |
| Data Offset (4) | Reserved (6) | Control Bits (6) | Window (16) |
| Checksum (16) | Urgent Pointer (16) |
| Options (if any) | Padding |
| Data ... |
TCP Control/Code Bits
- URG: the Urgent Pointer field is significant
- ACK: the Acknowledgement field is significant
- PSH: Push Function, flush data to the receiving application without waiting for a full buffer
- RST: reset the connection (due to an error condition, or because nothing is listening on the destination port)
- SYN: synchronize sequence numbers; used during the 3-way handshake to establish a connection
- FIN: no more data from the sender ("the end" en français)
Two further bits, CWR and ECE, were later carved out of the Reserved field for Explicit Congestion Notification (RFC 3168), so modern decoders treat the low 8 bits of that 16-bit word as flags.
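The following is an added example, not part of the original slides, showing how the fields above are laid out on the wire: it decodes a raw TCP header with the standard library, extracts the data offset and the control bits (the six original flags plus ECE/CWR), and classifies a segment by the handshake step it could belong to. The `build_tcp_header` helper and the three constructed segments exist only to produce test input; the port and sequence numbers are arbitrary.

```python
import struct

# Control bits live in the low 8 bits of the 16-bit word that also holds the
# 4-bit Data Offset. FIN..URG are the six RFC 793 flags; ECE/CWR come from RFC 3168.
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header, its options and the payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header (20 bytes)")
    (src_port, dst_port, seq, ack,
     off_flags, window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes (5 words = 20)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    flag_bits = off_flags & 0x00FF
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if flag_bits & bit]
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "flags": flags, "window": window,
        "checksum": checksum, "urg_ptr": urg_ptr,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }


def handshake_role(flags) -> str:
    """Which step of the 3-way handshake a segment with these flags could be."""
    f = set(flags)
    if "RST" in f:
        return "reset"
    if "SYN" in f and "ACK" not in f:
        return "handshake-1 (SYN)"
    if "SYN" in f and "ACK" in f:
        return "handshake-2 (SYN/ACK)"
    if "ACK" in f:
        return "handshake-3 or established (ACK)"
    return "other"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Assemble a minimal header (no options, checksum left 0): test input only."""
    inverse = {name: bit for bit, name in TCP_FLAGS.items()}
    flag_bits = 0
    for name in flags:
        flag_bits |= inverse[name]
    off_flags = (5 << 12) | flag_bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)


# Constructed sample: the three segments of a handshake from an ephemeral port to port 80
SYN = build_tcp_header(40000, 80, 1000, 0, ["SYN"])
SYNACK = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"])
ACK = build_tcp_header(40000, 80, 1001, 5001, ["ACK"])

if __name__ == "__main__":
    for seg in (SYN, SYNACK, ACK):
        h = parse_tcp_header(seg)
        print(f'{h["src_port"]} -> {h["dst_port"]} {h["flags"]} '
              f'seq={h["seq"]} ack={h["ack"]}: {handshake_role(h["flags"])}')
```

Note that the acknowledgment numbers in the sample (1001 acknowledges the SYN at 1000, 5001 the SYN at 5000) are what a stateful device checks when it validates a handshake, not just the flag bits.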
3-way TCP Handshake
[Figure: 3-way TCP handshake, by Steve Gibson, Gibson Research Corporation]
TCP/IP Port Numbers
- Client sets the destination port to a well-known port on the server.
- Client source port is generated dynamically (an "ephemeral" port) and is set to > 1023.
- Use the 'netstat -an' command to see which ports are currently in use.
Application's TCP Ports
- File Transfer Protocol (FTP): Port 21
- Secure Shell (SSH): Port 22
- Telnet: Port 23
- Simple Mail Transfer Protocol (SMTP): Port 25
- Post Office Protocol version 3 (POP3): Port 110
- HyperText Transfer Protocol (HTTP): Port 80
- HTTP over SSL/TLS (HTTPS): Port 443
- Kerberos: Port 88 [Stallings, §4.1]
- Echo: Port 7
- Finger: Port 79
- Network News Transfer Protocol (NNTP): Port 119
- Gopher: Port 70
- Doom: Port 666
- 31337: Back Orifice trojan! (the original 1998 release actually listened on UDP 31337 by default; the number is "eleet" in attacker slang)
TCP v. UDP

TCP
- has control (= code) bits (6 bits): they tell what part of the session a segment belongs to
- has a 3-way handshake
  1. SYN=1, initial seq. no.
  2. SYN=1, ACK=1, initial seq. no., acknowledgment no.
  3. ACK=1, ack. no.
- has sequence numbers
- has more overhead
- SYN, ACK, RST help attackers find open ports (a SYN to an open port draws a SYN/ACK, a SYN to a closed port draws an RST)

UDP
- "connectionless" protocol
- "unreliable" protocol
- no control bits
- no 3-way handshake
- can't tell if a packet is ...
  - the start of a message
  - a response
  - a malicious scan
- no sequence numbers
  - packets may be permuted
  - dropped packets are not retransmitted
The UDP Header
(32-bit words)
| UDP Source Port (16) | UDP Destination Port (16) |
| Message Length (16) | Checksum (16) |
| Data ... |
UDP
- The UDP header contains only the source port, destination port, message length and checksum, followed by the data.
- 16-bit port number, so 65,536 possible values (0-65535; port 0 is reserved).
- It's harder for network devices to understand and track UDP status: you can't tell from the header what part of the transmission a datagram is.
- More difficult to secure, therefore easy to use to attack: with no handshake to confirm the sender, a forged source address costs the attacker nothing.
Application's UDP Ports
- Requests for Domain Name Service (DNS) lookup: Port 53
- Trivial File Transfer Protocol (TFTP): Port 69
- Simple Network Management Protocol (SNMP): Port 161 [Stallings, Chp. 8]
- Echo: Port 7
- Gopher: Port 70
- RealPlayer [streaming] data: Port 7070 (among others)
The IP Header
(32-bit words)
| Version (4) | IHL (4) | Service Type (8) | Total Length (16) |
| Identification (16) | Flags (3) | Fragment Offset (13) |
| Time to Live (8) | Protocol (8) | Header Checksum (16) |
| Source IP Address (32) |
| Destination IP Address (32) |
| Options (if any) | Padding |
| Data ... |
Some IP Header Components
- Internet Header Length (IHL): header length in 32-bit words (5 = 20 bytes when there are no options)
- Service type: sensitivity to delays
- Identification: supports fragment reassembly (all fragments of one datagram carry the same ID)
- Flags: "Don't Fragment," "More Fragments"
- Fragment Offset: this fragment's position in the packet (counted in 8-byte units)
- Time-to-Live (TTL): max. no. of router-to-router hops the packet can take; each router decrements it and discards the packet when it reaches zero
Internet Control Message Protocol (ICMP)
- Network layer, "network plumber"
- Provides more control than IP
- Carried inside an ordinary IP datagram, so it has the same IP header as any other packet, except . . .
  - the protocol field holds the value 1 (= ICMP)
  - the data component holds the ICMP header, which starts with an ICMP type field (followed by a code byte and a checksum)
- ICMP types:
  0: echo reply
  3: destination unreachable
  4: source quench
  5: redirect
  8: echo
  11: time exceeded
  12: parameter problem
  13: timestamp
  14: timestamp reply
  15: information request
  16: information reply
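The following added example (not from the original slides) ties the IP header components and the ICMP type table together. It decodes a raw IPv4 header, verifies the header checksum with the RFC 1071 one's-complement sum, unpacks the DF/MF flags and the fragment offset (multiplying the 13-bit field by 8), and, when the protocol field is 1 and this is the first fragment, reads the ICMP type and code from the payload. The `build_ipv4` and `build_icmp_echo` helpers only construct test packets; the addresses and identifiers in them are made up.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp", 14: "timestamp reply", 15: "information request",
              16: "information reply"}


def parse_ipv4(packet: bytes) -> dict:
    """Decode an IPv4 header; add an 'icmp' entry when an ICMP header is visible."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _hcs,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet) or total_len > len(packet):
        raise ValueError("not a valid IPv4 header")
    # The checksum covers the header only; summing an intact header including
    # its own checksum field must give 0.
    checksum_ok = internet_checksum(packet[:ihl]) == 0
    info = {
        "ihl": ihl, "service_type": tos, "total_length": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # field counts 8-byte units
        "ttl": ttl, "protocol": proto, "checksum_ok": checksum_ok,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }
    # Only the first fragment carries the transport/ICMP header: a filter that
    # inspects later fragments in isolation has no type or port to look at.
    if proto == 1 and info["fragment_offset"] == 0 and len(info["payload"]) >= 4:
        itype, icode = info["payload"][0], info["payload"][1]
        info["icmp"] = {"type": itype, "code": icode,
                        "name": ICMP_TYPES.get(itype, "unknown")}
    return info


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234,
               dont_fragment=True, more_fragments=False, frag_offset=0) -> bytes:
    """Assemble a header without options and fill in its checksum (test input only)."""
    flags_frag = (0x4000 if dont_fragment else 0) | (0x2000 if more_fragments else 0)
    flags_frag |= (frag_offset // 8) & 0x1FFF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident=1, seq=1, data=b"abcdefgh") -> bytes:
    """ICMP echo (type 8, code 0) with a valid checksum (test input only)."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    cs = internet_checksum(hdr + data)
    return hdr[:2] + struct.pack("!H", cs) + hdr[4:] + data


# Constructed samples: a ping, the same packet after a router decremented TTL
# without recomputing the checksum, and a non-first fragment of an ICMP datagram.
ECHO = build_ipv4("192.168.1.10", "10.0.0.1", 1, build_icmp_echo())
STALE_TTL = ECHO[:8] + bytes([ECHO[8] - 1]) + ECHO[9:]
FRAG = build_ipv4("192.168.1.10", "10.0.0.1", 1, b"\x00" * 8,
                  dont_fragment=False, frag_offset=1480)

if __name__ == "__main__":
    for pkt in (ECHO, STALE_TTL, FRAG):
        print(parse_ipv4(pkt))
```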
IP Addresses
- 2^32 (= 4,294,967,296) dotted-quad addresses
  - binary: 32 bits
    - min: 00000000000000000000000000000000
    - max: 11111111111111111111111111111111
  - decimal: 4 numbers of up to 3 digits each (0-255)
    - min: 0.0.0.0
    - max: 255.255.255.255
- Not all addresses are available
  - some are set aside for private networks ("unroutable" on the public Internet, RFC 1918): 10.x.y.z, 172.16.y.z through 172.31.y.z, 192.168.y.z
  - 127.0.0.1 (loopback) connects any machine back to itself!
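Added example, not from the original slides: the dotted-quad to 32-bit conversion above, plus the prefix-mask arithmetic needed to test whether an address falls inside one of the reserved blocks. Doing it by hand rather than with the `ipaddress` module makes the /12 boundary of the 172.16 block visible: 172.31.255.255 is private, 172.32.0.1 is not. The block list and the "bogon" label are this example's own choices.

```python
def ip_to_int(dotted: str) -> int:
    """'192.168.1.1' -> 0xC0A80101, rejecting anything that is not four octets 0-255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def in_prefix(addr: str, prefix: str) -> bool:
    """True if addr lies inside the CIDR block, e.g. in_prefix('172.20.1.1', '172.16.0.0/12')."""
    net, bits = prefix.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(net) & mask)


# Blocks that should never arrive as a source address from the public Internet;
# an ingress filter that drops them is a cheap defence against spoofing.
BOGONS = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
    "this network": ("0.0.0.0/8",),
}


def classify(addr: str) -> str:
    for label, prefixes in BOGONS.items():
        if any(in_prefix(addr, p) for p in prefixes):
            return label
    if addr == "255.255.255.255":
        return "limited broadcast"
    return "public"


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "192.168.0.1", "127.0.0.1", "8.8.8.8"):
        print(f"{a:16} {ip_to_int(a):#010x} {classify(a)}")
```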
MAC Addresses
- Medium Access Control (MAC) addresses
- Data link layer
- 48 bits
- Globally unique
  - each card manufacturer has a range of addresses to assign (the first 24 bits identify the manufacturer)
  - each card has its own MAC address (but most drivers let the address be changed in software, so it is not a trustworthy identity)
- Address Resolution Protocol (ARP)
  - table contains IP-to-MAC mappings
Types of Network Connection Points
- Hub: dumb, broadcasts all packets to everybody
- Bridge: connects 2+ networks, sends the packet toward its destination
- Switch: additional intelligence, sends packets to one specific MAC address
- Router: connects several networks, can look up the best route
- [Personal] firewall [Stallings, Chp. 10]: hardware/software that passes only authorized packets
Network Address Translation (NAT)
- Mapping to a single external IP address
  - every outbound packet appears to come from the NAT device's IP address
  - connects a large, IP-address-poor network to the Internet
- One-to-one mapping
  - each machine on the internal network is mapped to a valid (public) IP address
  - maps user requests to a perimeter network
NAT Example
[Figure: NAT example]
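As an added example (not the slides' own material), the many-to-one mapping above as a small port-address translator: each outbound flow is rewritten to the NAT device's single public address and a fresh public-side port, replies are mapped back through the same table, and an inbound packet with no matching entry is dropped because there is nowhere to send it. The public address 203.0.113.5, the internal hosts and the port-allocation policy are all assumptions of this example.

```python
class PortAddressTranslator:
    """Many-to-one NAT ("masquerading") keyed on the full 4-tuple of a flow."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port          # simple sequential allocator (assumption)
        self._last_port = last_port
        self.outbound = {}   # (in_ip, in_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (in_ip, in_port)

    def _allocate_port(self, dst_ip, dst_port) -> int:
        start = self._next_port
        while True:
            port = self._next_port
            self._next_port = port + 1 if port < self._last_port else 1024
            if (port, dst_ip, dst_port) not in self.inbound:
                return port
            if self._next_port == start:
                raise RuntimeError("public port range exhausted")

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->outside packet; returns (src_ip, src_port, dst_ip, dst_port) as sent."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = self._allocate_port(dst_ip, dst_port)
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outside->inside packet, or return None (drop) if no flow created it."""
        if dst_ip != self.public_ip:
            return None
        internal = self.inbound.get((dst_port, src_ip, src_port))
        if internal is None:
            return None          # unsolicited: no internal host ever asked for this
        return (src_ip, src_port, internal[0], internal[1])


if __name__ == "__main__":
    nat = PortAddressTranslator("203.0.113.5")
    sent = nat.translate_outbound("192.168.1.10", 40000, "198.51.100.7", 80)
    print("outbound as seen on the Internet:", sent)
    print("reply delivered to:", nat.translate_inbound("198.51.100.7", 80, sent[0], sent[1]))
    print("unsolicited inbound:", nat.translate_inbound("198.51.100.7", 80, "203.0.113.5", 5555))
```

Two inside hosts that happen to pick the same source port get distinct public ports, which is why the table is keyed on the full 4-tuple and not on the inside address alone.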
Traditional Packet Filters v. Stateful Packet Filters

Traditional packet filters can filter based on . . .
- source IP address
- destination IP address
- source TCP/UDP port
- destination TCP/UDP port
- TCP code bits
- protocol in use
- direction
- interface

Stateful packet filters can also filter using a state table which . . .
- remembers previous packets
  - an outgoing SYN should be followed by an incoming SYN/ACK from the appropriate address and port; only then are further ACKs for that connection let through
- has timeouts (10-90 secs. for half-open connections; established TCP sessions are normally kept for much longer)
  - removes the entry if no further packets associated with it arrive within the interval
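Added example, not part of the original slides: a minimal stateful filter for TCP that implements the two rules above. Only inside hosts may open connections; an inbound segment is accepted only if the state table holds a matching entry from the inside host's point of view, a half-open entry accepts nothing but the SYN/ACK (or an RST) from the address and port the SYN was sent to, and entries that go quiet past their timeout are dropped. The addresses, the timeout values and the `ManualClock` (used instead of `time.monotonic` so the timeout can be exercised deterministically) are this example's assumptions; FIN teardown is deliberately left to the idle timeout.

```python
import time


class ManualClock:
    """Deterministic clock for simulation; advance with clock.t += seconds."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class StatefulFilter:
    """Tracks TCP flows opened from the inside; keys are (in_ip, in_port, out_ip, out_port)."""

    def __init__(self, handshake_timeout=30.0, idle_timeout=3600.0, clock=time.monotonic):
        self.handshake_timeout = handshake_timeout   # half-open entries (slides: 10-90 s)
        self.idle_timeout = idle_timeout             # established flows live far longer
        self.clock = clock
        self.table = {}                              # key -> {"state": str, "seen": float}

    def _expire(self):
        now = self.clock()
        for key, entry in list(self.table.items()):
            limit = self.idle_timeout if entry["state"] == "ESTABLISHED" else self.handshake_timeout
            if now - entry["seen"] > limit:
                del self.table[key]

    def filter(self, direction, src_ip, src_port, dst_ip, dst_port, flags) -> str:
        """direction is 'out' (inside -> outside) or 'in'; returns 'ACCEPT' or 'DROP'."""
        self._expire()
        flags = set(flags)
        now = self.clock()
        if direction == "out":
            key = (src_ip, src_port, dst_ip, dst_port)
            if "SYN" in flags and "ACK" not in flags:
                self.table[key] = {"state": "SYN_SENT", "seen": now}   # new connection attempt
                return "ACCEPT"
            entry = self.table.get(key)
            if entry is None:
                return "DROP"             # e.g. an outbound ACK with no prior SYN
            if entry["state"] == "SYN_RECEIVED" and "ACK" in flags:
                entry["state"] = "ESTABLISHED"                        # handshake step 3
            entry["seen"] = now
            if "RST" in flags:
                del self.table[key]
            return "ACCEPT"
        # inbound: the table is keyed from the inside host's side, so swap the tuple
        key = (dst_ip, dst_port, src_ip, src_port)
        entry = self.table.get(key)
        if entry is None:
            return "DROP"                 # unsolicited, including stray SYN/ACK or ACK probes
        if entry["state"] == "SYN_SENT":
            if flags == {"SYN", "ACK"}:
                entry["state"] = "SYN_RECEIVED"                       # handshake step 2
                entry["seen"] = now
                return "ACCEPT"
            if "RST" in flags:
                del self.table[key]       # server refused; pass the RST and forget the flow
                return "ACCEPT"
            return "DROP"                 # anything else is not a valid reply to our SYN
        entry["seen"] = now
        if "RST" in flags:
            del self.table[key]
        return "ACCEPT"


if __name__ == "__main__":
    clock = ManualClock()
    fw = StatefulFilter(handshake_timeout=30, clock=clock)
    inside, server = ("192.168.1.10", 40000), ("198.51.100.7", 80)
    print("unsolicited SYN/ACK:", fw.filter("in", *server, *inside, ["SYN", "ACK"]))
    print("outbound SYN:       ", fw.filter("out", *inside, *server, ["SYN"]))
    print("reply SYN/ACK:      ", fw.filter("in", *server, *inside, ["SYN", "ACK"]))
    print("final ACK:          ", fw.filter("out", *inside, *server, ["ACK"]))
    print("state:", fw.table)
```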
Adding Security via Protocols
- Application-layer security
  - Secure Socket Layer (SSL) → Transport Layer Security (TLS) [Stallings, §7.2]
  - Pretty Good Privacy (PGP) [Stallings, §5.1]
  - Secure/Multipurpose Internet Mail Extension (S/MIME) [Stallings, §5.2]
  - Secure Shell (SSH)
  - HTTPS is HTTP running over SSL/TLS (on Port 443)
- Internet Protocol Security (IPSec) [Stallings, Chp. 6]
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)