2 - 1 IP Concepts - SANS GIAC LevelTwo © 2000, 2001 1

IP Concepts
Internet Protocol Prerequisites

Hello, my name is Stephen Northcutt, and I’ll be your instructor today as we learn the fundamentals of the Internet protocols.

Objectives
• Addressing
• What are TCP/IP Service Ports
• Packets, How is Data Transmitted
• IP Protocols (TCP, UDP, ICMP)
• Domain Name System
• Routing

These are the things we’re going to cover. In essence, we’re going to cover a ‘nutshell’ or the core of the IP protocol. We’re going to learn IP addresses, MAC addresses, host names, and how they relate to one another. We’re going to talk about packaging data to send it over the Internet, and the difference between packets and frames. At the end of this course, you’re going to know what the IP service ports are, and be familiar with some of the most common services, such as Telnet and FTP. And you’ll be able to tell what the difference is between the major protocols – TCP, UDP, ICMP – and so forth. And we’re going to understand what happens when things go wrong, and the facilities that IP, TCP, UDP have for communicating when there’s a problem.

Section 1: Packets, How Data is Transmitted on a Network

OSI Model
[Figure: the seven-layer OSI model – Application, Presentation, Session, Transport, Network, Link, Physical]

We’re showing the famous seven-layer OSI model. It used to be impossible to teach a course on communications without showing this model. The important thing for you to understand is that IP predates this model, and it does not strictly conform to it.

Bits and Bytes
[Figure: BIT = 1 or 0; BYTE (OCTET) = 00010001]

As of course you know, the atom of computing is a bit – a single storage location that has a value of either a zero or a one.
Now, that doesn’t hold a lot of information, so we clump these into groups of eight (called bytes or octets), but that’s still very small. However, it is enough to hold a character (such as the letter “A” or a comma) and it can hold an integer number as large as 255. So, we’re going to have to do something to carry more information!

Packets
[Figure: a sample packet, Header followed by Data: 01001110 01001010 01000010 01001011 11001010]
The header provides addressing and type information much like the outside of a snail-mail envelope.

We group multiple octets together for shipping across the network by putting them in packets. On your slide you see a sample packet, and we learn right here and now one of the great truths of networking: there is a relatively high overhead cost to slinging these packets across the network. And so we go to a lot of trouble to package our content so that we can ship it across the network. When we get it to the other side, we have to unwrap it and we want to make sure that it crossed the Internet safely. And so, we have a “tamper-proof seal” which is a 16-bit cyclic redundancy checksum that is used to let us know that the contents of the packet (or, for that matter, the header of the packet) have not been damaged or corrupted in transit.

Now, on your slide you see a real IP packet, and the hexadecimal part of it begins with the 4500. This is a quite common way for a packet to begin. It means that this is (the 4) Internet Protocol version 4, and the 5 tells us that no IP options are set (that’s 5 32-bit words). Now, you’ll notice that some of the characters have been changed to XXXX XXXX. This is the location in the header where the destination address would be. We’re showing you an analogy on your slide between the header and the outside of an envelope. I’ve also bolded some hexadecimal characters (d823 d9ba) for you, and that would be the source address, or the sender of this particular packet.
10:14:16.509362 216.35.217.186.telnet > PC.edu.1153: S 1472583541:1472583541(0) ack 219629 win 8736 <mss 1460> (DF) (ttl 115, id 14349)
4500 002c 380d 4000 7306 f308 d823 d9ba XXXX XXXX 0017 0481 57c5 d775 0003 59ed 6012 2220 0b7d 0000 0204 05b4 0000

Packets Have Addresses
[Figure: notional packet carrying IP addresses 172.20.31.25 and 172.20.31.28 and MAC addresses 0826C1f45231 and 0826Cf1541f2. Packet shown is notional; IP packets don’t have MAC addresses, however Ethernet frames do.]
Internet Protocol (IP) addresses are like your name and Media Access Controllers (MAC) are like your street address in the envelope analogy.

But, it turns out that packets have multiple levels of addresses. Right now, I’d like to have you think about the hardware address and the software address. We can compare that to the address that your house has (that would be the hardware address). If your house was 1218 Parsell Street, Fredericksburg, Virginia, that would be its hardware address. But, various people might live in a house over a house’s lifetime, and that can be thought of as a software address: Stephen Northcutt at Parsell Street. And so we have this binding between the two. We have the same situation in IP communications. As it says in your notes, the MAC address is 48 bits long. This is a really, really large number and we’re going to see that that matters, as we go further into the course, because we can’t keep numbers that large in tables.

Frames and Packets
Frames are packets on the media.
[Figure: Frame Header (14 bytes) | Data | Frame Trailer (4 bytes)]

Now, in some sense, we can compare a software view of the world, where we talk about assembling packets for transmission, and an electrical engineer or physical view of the world, which is when they [the packets] are actually being transmitted.
When they (packets) are transmitted, we call them frames, and they’re going to need to have a frame header and a frame trailer, which adds to the overhead of our packet. This is additional overhead to the packet overhead. One of the most important things that a frame header does is that it synchronizes. This is particularly important as we’re going faster and faster. This tells the computer’s network interface card (NIC) when a particular frame begins. That way it [the NIC] knows, when it sees that pattern, to start pulling in that data so it can check it out.

One Layer’s Header is Another Layer’s Data
[Figure: Data; TCP Header + Data; IP Datagram Header + Data; Frame Header + Data]
Headers are prepended as the packet descends the stack.

This is a very important concept. All of IP communications is an exercise in multiplexing and demultiplexing. So we begin with some message or some content that we want to send, perhaps through telnet or electronic mail. And as we pass it down through the IP stack, each of the layers is going to have to wrap its header information around our message that we want to send. The process of adding header information as a packet is passed down the TCP/IP stack, and reading and removing header information as the packet is passed up the stack, is also referred to as encapsulation and decapsulation. I want to introduce a term at this point, called TCP segment. The message with the TCP headers passed down to the IP layer is called the TCP segment.

Packets are Sort of Positional
[Figure: IP header with no options shown, 20 bytes total, bits 0 to 31 across:
  VER | TOS | Length in Bytes
  ID Field | Frag offset
  TTL | Protocol | Header Checksum
  Source IP Address
  Destination IP Address]

So, we’re looking at a big pile of zeros and ones – how do we know how to interpret them? We do this by their position in the header.
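As an added example (not part of the course material), here is a Python decoder for the fixed 20-byte IPv4 header of the packet shown on the earlier slide: it pulls each field out purely by byte position and recomputes the header checksum, the “tamper-proof seal”. The redacted destination XXXX XXXX is replaced with a constructed placeholder 10.0.0.1, so the slide’s checksum f308 is expected not to match until it is recomputed; protocol names for 1, 6, 17, 50 and 51 are included.

```python
import struct

# Header words from the course's tcpdump sample. The redacted destination
# (XXXX XXXX) is replaced with a constructed placeholder, 10.0.0.1, so the
# slide's checksum f308 no longer matches and must be recomputed.
SLIDE_HEADER_HEX = "4500 002c 380d 4000 7306 f308 d823 d9ba 0a00 0001"
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                  # fold the carry bits back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ip_header(raw: bytes) -> dict:
    """Decode an IPv4 header by byte position; no options are expected."""
    ver_ihl, _tos, length, ident, frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    hlen = (ver_ihl & 0x0F) * 4         # low nibble of byte 0, in 32-bit words
    header = raw[:hlen]
    # Verify the "tamper-proof seal": recompute with bytes 10-11 zeroed.
    recomputed = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": ver_ihl >> 4,
        "header_len": hlen,
        "total_length": length,
        "id": ident,
        "df": bool(frag & 0x4000),      # Don't Fragment flag
        "ttl": ttl,
        "protocol": proto,              # byte 9, counting from zero
        "protocol_bits": format(proto, "08b"),
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum": csum,
        "checksum_ok": recomputed == csum,
    }

def with_fixed_checksum(raw: bytes) -> bytes:
    """Return the header with a freshly computed checksum written in."""
    hlen = (raw[0] & 0x0F) * 4
    csum = ip_checksum(raw[:10] + b"\x00\x00" + raw[12:hlen])
    return raw[:10] + struct.pack("!H", csum) + raw[12:]

if __name__ == "__main__":
    raw = bytes.fromhex(SLIDE_HEADER_HEX)
    for label, h in (("as on slide", raw), ("checksum fixed", with_fixed_checksum(raw))):
        print(label, parse_ip_header(h))
```

The decoded TTL 115, id 14349, DF flag, protocol 6 (TCP) and source 216.35.217.186 match the tcpdump line on the slide; a checksum that fails to verify is how a receiver detects a damaged header.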
As you can see on your slide, a certain number of bits is allocated for each field in the header. There are options flags that can be set in the headers that change how it is processed or the expected length. Also, the protocols themselves are each handled differently. For the purposes of this course, the primary protocols that we’re going to talk about are the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and the Internet Control Message Protocol (ICMP). But we will touch on other very important protocols that you will need to learn as you continue to move through the course.

Now, let’s take an exercise – it’s your turn! Please take a minute and calculate how many bytes into the header we need to count in order to find the beginning of the protocol field. (Pause) Did you come up with nine? If you came up with a different number, it’s important to realize that in “IP header math”, we generally start counting with zero – that’s something we have to remember.

IP Header Identifies Protocol
[Figure: IP Datagram Header + Data, where the data is itself a Protocol Header + Data]
Headers provide information needed to parse the packet.

Protocol Field   Protocol
1  (0000 0001)   ICMP
6  (0000 0110)   TCP
17               UDP

Now that we’ve counted our way to the protocol ID field, what is it, and what does it do? The value in this field tells us what protocol the packet was constructed by. We’re going to need that information when we demultiplex this layer from the packet. On your slide you see values for common protocols: 1 for ICMP, 6 for TCP, and 17 for UDP. Now, how long was the protocol field? It was eight bits. So, what is the maximum value we can display with eight bits? If every bit is set to 1 and we start counting at zero, we have 255 of course. What would the bit pattern in the packet be if it was a TCP packet? From left to right, it would be 0000 0110. Now, you remember the deal for binary.
We have a 0 in the 2^0 place, and so the most that could be would be one, but that’s a zero, we can ignore it and keep going. We have a 1 in the 2^1 place, and we have a 1 in the 2^2 place. 2^2 would be a 4, 2^1 would be a 2, so 2 + 4 is 6. Okay, that’s great! Now we have time for one more student exercise. Please write down the bit pattern you would see for UDP (17 in decimal). From left to right, you should have… (Pause) 0001 0001, and that should sound familiar because we did this bit pattern earlier in this course.

[...]

Address Resolution Protocol (ARP)
[Figure: hosts 172.20.42.1 and 172.20.42.2; 42.1 broadcasts a packet with 42.2’s IP address and asks it to respond with its physical address]

ARP packet layout (bits 0 to 31 across):
  HARDWARE TYPE | PROTOCOL TYPE
  HLEN | PLEN | OPERATION
  SOURCE MAC
  SOURCE MAC | SOURCE IP
  SOURCE IP | TARGET MAC
  TARGET MAC
  TARGET IP

The Internet protocols are specified by standards...

[...]

... referred to as a subnet mask.

Addressing - Review
• Computers have physical (MAC) and protocol (IP) addresses
• Computers need to map between MAC and IP addresses
• ARP maps between MAC and IP
• There are classes of IP addresses (A, B, C)
• Netmasks tell computers how to parse IP addresses

This is a summary slide that covers the critical points...

[...]

... of being associated with a given service.

Section 4: IP Protocols

IP Model
[Figure: the IP model – Application, Transport, Network, Link, Physical]

So, we are going to turn our attention to four primary functions: an application, which is how we, the users, interface with the IP communications stack. We use programs like FTP...

[...]

Addressing: MAC to IP Address
42.2 wants to talk to 42.1, what has to happen?
- 42.2 builds a packet, puts it on the media
- 42.1 picks it up off the media and checks address
Simple!
(well mostly)
- IP addresses are kept in tables, but MAC addresses aren’t
- Need a way to determine MAC addresses
[Figure: hosts 172.20.42.2 and 172.20.42.1]

Now, you can scour the IP headers looking...

[...]

... tell us how to view the protocol. We have already said that byte nine in the IP packet is the IP protocol field. Some other important values to know would be protocol type 50 and 51, which make up IPSec (which is the heart of all VPNs – or rather, all standard, interoperable VPNs). IP 50 is the Encapsulating Security Payload (ESP) and IP type 51 is the Authentication Header (AH), and these are often referred...

[...]

... see your MAC address:
For Windows 9x machines: From a command prompt, type winipcfg
For Windows NT/2000 machines: From a command prompt, type ipconfig /all
For Linux/UNIX machines: From a command prompt, type ifconfig -a

What are IP Address Classes?
• I heard 172.20.0.0 was a Class B, what does that mean?
– 32 bits for IP address space
– NETID HOSTID
– Class A, (24 bits HOSTID, 16M+ hosts)
– Class...

[...]

... it. MAC addresses do not mean anything to IP, which uses logical addresses. They aren’t part of the protocol – for all intents and purposes, they may as well not exist. By the same token, physical Media Access Controller (MAC) addresses are how the Ethernet card interfaces with the network. The Ethernet card does not know one thing about IP, IP headers, or logical IP addresses. So we are faced with the signature...

[...]

To recap, in this section we have been primarily concerned with the packaging of information to send over the network. We’ve gone from bits, to octets, to the IP protocols. Along the way we have introduced some terms which are needed to describe the mechanics of internetworking. What is an Internet anyway? Internet is a term to describe connecting multiple...
... the initial ARP request and can cache the requestor’s MAC and IP addresses. This will reduce the potential number of ARP requests (broadcast traffic) that consume bandwidth.

Address Resolution Protocol (2)
[Figure: hosts 172.20.42.1, 172.20.42.2 and 172.20.35.2]
Link devices such as routers and switches keep track of these IP/MAC pairs with ARP tables.

Why are MAC addresses...

[...]

... fact, as an important privacy tip: at my last job I could tell where folks who had corporate laptops were surfing when they went home and connected to their ISPs, because they still had our DNS server set as their default name server.

Section 6: Routing - How We Get There

Do you remember we were talking about TCP/IP as a four-layer protocol stack:

[...]