IP Concepts ppt document


2 - 1 IP Concepts - SANS ©2001 1

IP Concepts
Security Essentials
The SANS Institute

Hello, welcome to IP Concepts. This is one of two modules on the subject of TCP/IP. Since the TCP/IP protocol suite is fundamental to any network that is connected to the Internet, in order to secure TCP/IP based networks, one must understand how they work and why they work. In this module we are going to start by looking at the IP protocol and then in the second module we will cover the other protocols that reside in the TCP/IP protocol suite. Let's jump in and start looking at how IP works.

Objectives

• Protocol stacks
• Numbering systems
• Packets, how is data transmitted
• IP
• Addressing

In this module we are going to cover various aspects of IP. We are going to start by looking at one of the most common protocol stacks, the OSI protocol stack, and look at how communications is broken down into seven core areas. We are then going to compare the seven layer OSI stack with the TCP/IP protocol stack. Then, we are going to cover numbering systems and see how to translate between decimal and binary. Since humans operate on a base 10 numbering system and computers operate on a base 2, it is important that you understand how to translate between the two systems. Then we will cover how data is put into packets and sent across the wire. IP, which is the fundamental protocol of TCP/IP, will then be covered in-depth, looking at various aspects of the header. We will finish the section by looking at IP addresses and how they are broken down into two pieces: a network and a host portion. Now let's start by looking at what a protocol stack is.

Protocol “Stacks”

• Divide network communications into layers
• Each layer provides service to the layer above and receives service from the layer below
• Divide task of communication into pieces for easier implementation

Having all these protocols is nice, but how does information actually get from one place to another? In order to understand how this happens we need to start by discussing protocol stacks. And to discuss protocol stacks, we need a good real-life example.

Imagine, if you will, a five-story apartment building. This building, however, is very special (or very strange, depending on your point of view). First of all, the really important things happen on the top floor, floor 5. Second, the only way the people on the fifth floor can get anything done is by asking the people on the floors below them to do it.

For example, the people on the fifth floor want to make dinner. They tell this to the people on the fourth floor. The people on the fourth floor figure out that dinner requires a soup, salad, main course, and dessert. They tell this to the people on the third floor. The people on the third floor decide that the courses will be onion soup, a garden salad, beef stew, and apple pie, and they tell this to the people on the second floor. The people on the second floor figure out what ingredients will be needed for this dinner (for example, chicken broth, lettuce, vegetables, beef, etc.) and give this information to the people on the first floor. The people on the first floor actually go to the store, buy all the ingredients, and bring them back to the apartment building.

Once the ingredients are purchased, the process goes in reverse. The first floor gives the raw ingredients to the second floor. The second floor checks that all the ingredients are there and then hands them off to the third floor. The third floor prepares the various courses by making the soup, tossing the salad, cooking the beef, and baking the pie. Once all this is done they hand the food off to the fourth floor. The fourth floor people package all the food up into nice courses and bring it up to the fifth floor residents so they can eat a delicious meal.

Well, in essence, that’s how protocol stacks work. Protocol stacks divide network communications into different layers, like the floors in the apartment building. Each layer in the stack works on the packet in different ways. Some layers make sure the packet has all the information it needs, some layers make sure the packet is ready for an application to work with, and some layers make sure the packet gets onto the network properly. Each layer works directly with the layer above and below it, just as in the apartment building example. As packets are passed from one layer to the next, each layer examines or modifies the packet in some way. Once the packet has reached the “ground floor” of the network it is sent to its destination.

The use of protocol stacks in network communications makes the task of implementing protocols much easier. By making communications more modular, a service, process, or application need only concern itself with the layers it needs, leaving the other layers to someone else.

The OSI Protocol Stack

• Layer 7: Application
• Layer 6: Presentation
• Layer 5: Session
• Layer 4: Transport
• Layer 3: Network
• Layer 2: Data Link
• Layer 1: Physical

One of the most widely known protocol stacks is the International Standards Organization (ISO) Open Systems Interconnect (OSI) model. The OSI model divides network communications into seven layers.

The Physical Layer handles transmission across the physical media. This includes such things as electrical pulses on wires, connection specifications between hardware, voltage, and current, etc.

The Data Link Layer connects the physical part of the network (e.g. cables and electrical signals) with the abstract part (e.g. packets and data streams). It also creates the headers and validation information that get attached to packets.

The Network Layer handles interaction with the network address scheme and connectivity over multiple network segments. It describes how systems on different network segments find and communicate with each other.

The Transport Layer actually interacts with your information and prepares it to be transmitted across the network. It is this layer that ensures reliable connectivity from end-to-end. The Transport Layer also handles the sequencing of packets in a transmission.

The Session Layer handles the establishment and maintenance of connections between systems. It negotiates the connection, sets it up, maintains it, and makes sure that information exchanged across the connection is in sync on both sides.

The Presentation Layer makes sure that the data sent from one side of the connection is received in a format that is useful to the other side. For example, if the data is compressed by the sender prior to transmission, the Presentation Layer on the receiving end would have to decompress it before it can be used by the receiver.

The Application Layer is responsible for interacting with the application to determine whether network services will be required. When a program requires access to the network, the Application Layer will manage requests from the program to the other layers down the stack.

Why is all this important, and do you really need to memorize all this for an Introduction course? Well, only sort of. You need to have at least a passing familiarity with the OSI model because you will hear network engineers and vendors talk about “Layer 2 Switches” or “Layer 3 Protocols.” The layers they are referring to are the OSI model layers. Understanding what each layer does will go a long way in both understanding the conversation and securing your network services.

The TCP/IP Protocol Stack

• Application
• Transport
• Internet – sometimes called Network
• Network Interface – sometimes called Data-link or Link

In comparison to the OSI protocol stack, the TCP/IP stack is much simpler. The TCP/IP model predates the OSI model and, as the underlying protocol of the Internet, is more widely used than OSI-based protocols. The TCP/IP stack only has four layers: the Application Layer, the Transport Layer, the Internet Layer, and the Network Access or Network Interface Layer. The definition of the TCP/IP layers is as follows:

The Network Layer defines how to access a specific network topology, for example Ethernet, Token Ring, etc. The network layer is also referred to as the Link or Data-link layer.

The Internet Layer defines how datagrams are formatted and handles the routing of data through the network. Examples of Internet Layer protocols include IP. This layer is also referred to as the Network layer (when the term Link layer is used for the Network layer).

The Transport Layer provides end-to-end data delivery service. This is the layer that assembles packets and sends them to the Internet layer for processing. Examples of Transport Layer protocols are TCP and UDP.

Finally, the Application Layer consists of application programs and serves as the network interface into user applications. Examples of application layer services are Telnet, FTP, and DNS.

It is important to note that even though the TCP/IP protocol stack only has 4 layers as compared to the 7 layer OSI model, it still performs the same functionality. It just means that, because there are fewer layers, each layer has to do a little more work.

OSI vs. TCP/IP

• OSI Layers 7, 6, 5 (Application, Presentation, Session): TCP/IP Application
• OSI Layer 4 (Transport): TCP/IP Transport (TCP)
• OSI Layer 3 (Network): TCP/IP Internet (IP)
• OSI Layers 2, 1 (Data Link, Physical): TCP/IP Network

This diagram shows a comparison between the OSI model and the TCP/IP model. As you can see, the OSI model has more granularity than the TCP/IP model. In addition, the OSI model chose to split apart some functionality that was combined in the TCP/IP model. For example, the Network Layer in the TCP/IP model comprises both the Physical Layer and the Data Link Layer in the OSI model. And the Application Layer in TCP/IP encompasses the Application, Presentation, and Session Layers of the OSI model.

The OSI model is more detailed and more granular because it was designed to encompass protocols other than just TCP/IP. By creating more layers the designers of OSI made it easier to break down the functionality of each protocol and build more specific interfaces and linkages between the layers. Even though each model breaks down the functionality slightly differently, it is important to know that no matter which model you use, it must perform all the functions required to take a piece of application data, place it into a packet, place that packet on the wire, and handle its safe and efficient delivery to its destination.

How TCP/IP Packets Are Generated

• Application Layer: “Hello There”
• Transport Layer: TCP Hdr + “Hello There”
• Internet Layer: IP Hdr + TCP Hdr + “Hello There”
• Network Layer: Eth Hdr + IP Hdr + TCP Hdr + “Hello There”

This slide shows how a packet is generated as it moves through the stack. To start, the Application Layer takes information from the application itself. In this case we will be sending the phrase “Hello There” to another computer. The application program gives the “Hello There” to the Application Layer of the protocol stack. The Application Layer creates an empty packet and places the “Hello There” inside of it. The Application Layer then sends the packet to the Transport Layer.

The Transport Layer takes the packet and adds a header to it. The header has all the information that the Transport Layer on the other side of the connection needs to determine what to do with the packet. Once the transport header is put on the packet it is given to the Internet Layer.

The Internet Layer puts another header in front of the packet. Like the Transport layer before it, this header gives information for the Internet Layer on the other end. Once this header is attached, the packet is sent to the Network Layer.

As you can probably guess by now, the Network Layer will want to put its own header on the packet. This header will assist the routers and gateways between the two machines in sending the packet along its way. Once this final header is placed on the packet it is put on the wire and sent to its final destination.

How Protocol Stacks Communicate

[Diagram: the seven-layer OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) shown side by side for Host A and Host B]

The previous slide showed how a single stack handles the movement of data from the application program to the network. In this slide we will look at how data is passed between stacks. This slide uses the OSI model, but the process works the same way with the TCP/IP model.

When two computers need to communicate with each other, it is actually the protocol stack on each computer that does the talking. Each layer on the stack of a host talks only to the corresponding layer on the remote computer. For example, in the above diagram the Application Layer on Host A exchanges information with the Application Layer on Host B, the Session Layer on Host A exchanges information with the Session layer on Host B, etc. However, it does this by going through each of the layers below on its own host’s stack. Each layer takes the information from the layer above it, examines it, adds its own information to it, then sends it to the next layer down the stack.

Once the packet reaches the bottom of the stack, it travels along the network wire to the remote host, then travels up the stack on the remote side. At each layer of the remote stack, the packet is examined, the information that layer needs is removed and the packet is sent further up the stack. Each layer removes only the information placed in the packet by the corresponding layer from the sending host’s stack. For example, the Network Layer from Host B removes and examines the information placed in the packet by the Network Layer in Host A.

This is how protocol layers communicate with each other. Through the use of orderly flow of communications up and down the protocol stacks, packets can be created, moved, and examined with great efficiency across large distances and multiple networks.

Bits and Bytes

• 1 or 0 = bit
• 00010001 = byte (octet)

Now that we understand protocol stacks, let's start to look at how information is stored in a computer. As of course you know, the atom of computing is a bit – a single storage location that has a value of either a zero or a one. Now, that doesn’t hold a lot of information, so we clump these into groups of eight (called bytes or octets), but that’s still very small. However, it is enough to hold a character (such as the letter “A” or a comma) and it can hold an integer number as large as 255.

Overview of Numbering Systems

• Decimal – Base 10
• Binary – Base 2
• Octal – Base 8
• Hex – Base 16

Throughout our lives we have learned how to count and have done all numerical transactions with a decimal or base 10 numbering system. Unfortunately, computers only understand 2 states, on or off, 0 or 1. So in terms of computer communications, everything is stored and communicated in a base 2 numbering system. Since having only 2 values for each number makes the resulting values very cumbersome and hard for humans to understand, other numbering systems are used to help with the conversion between computers and humans. Since computers use a base 2 numbering system, by taking multiples of 2 you can easily translate to other numbering systems. Two other systems that are most commonly used are 2 raised to the power of 3, which is a base 8 numbering system or octal, and 2 raised to the power of 4, which is a base 16 or hex numbering system. Since bits are often broken down into bytes and bytes consist of 8 bits, hex more cleanly maps to bytes because every 4 bits equals one hex digit, so two hex digits equal one byte. Since hex is base 16, that means for every position there are 16 possibilities. These values are 0-9 and A-F, where A is 10, B is 11, C is 12, D is 13, E is 14, and F is 15.

Now that we understand the base systems, let's see how we convert between different numbering systems.

[...]

... in a message.) The most widely used version of IP today is Internet Protocol Version 4 (IPv4). However, IP Version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore the possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets can also support IPv4 packets.

Packets are Sort of Positional ...

... Header Data IP Datagram Header Data Frame Header Data Data

Headers are prepended as packet descends the stack

This is a very important concept. All of IP communications is an exercise in multiplexing and demultiplexing. So we begin with some message or some content that we want to send, perhaps through telnet or electronic mail. And as we pass it down through the IP stack, each ...
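The layering described under “How TCP/IP Packets Are Generated” and “How Protocol Stacks Communicate”, as an added example that is not part of the original slides: the sending side prepends a TCP, an IPv4 and an Ethernet header to “Hello There”, and the receiving side validates and strips each header in reverse order. The destination MAC and IP, the ports, the IP identification value and the function names are assumptions made for the illustration.

```python
import socket
import struct

# Constructed sample values; the source MAC and IP are the examples shown on the slides.
SRC_MAC, DST_MAC = "00:60:1D:F0:EA:AF", "02:00:00:00:00:01"
SRC_IP, DST_IP = "192.168.100.105", "192.168.100.1"

def checksum16(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_segment(payload: bytes, sport: int, dport: int) -> bytes:
    """Transport Layer: prepend a 20-byte TCP header (TCP checksum left at 0 here)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return header + payload

def ip_datagram(segment: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """Internet Layer: prepend a 20-byte IPv4 header with TTL, protocol and addresses."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0,
                           ttl, socket.IPPROTO_TCP, csum,
                           socket.inet_aton(src), socket.inet_aton(dst))
    return header(checksum16(header(0))) + segment

def ethernet_frame(datagram: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Network Interface Layer: prepend destination MAC, source MAC and EtherType."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + datagram

def encapsulate(message: bytes) -> bytes:
    """Sending stack: each layer wraps what the layer above handed it."""
    segment = tcp_segment(message, 1025, 23)  # constructed ports; 23 is Telnet
    return ethernet_frame(ip_datagram(segment, SRC_IP, DST_IP), SRC_MAC, DST_MAC)

def decapsulate(frame: bytes) -> dict:
    """Receiving stack: each layer validates and strips only its own header."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[0] >> 4 != 4 or ihl < 20 or not ihl + 20 <= total_len <= len(ip):
        raise ValueError("malformed IPv4 header")
    if checksum16(ip[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    if ip[9] != socket.IPPROTO_TCP:
        raise ValueError("payload is not TCP")
    seg = ip[ihl:total_len]
    data_offset = (seg[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("malformed TCP header")
    sport, dport = struct.unpack("!HH", seg[:4])
    return {"src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "ttl": ip[8], "sport": sport, "dport": dport, "payload": seg[data_offset:]}

if __name__ == "__main__":
    print(decapsulate(encapsulate(b"Hello There")))
```
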
[Figure: notional packet showing IP and MAC address fields]

Internet Protocol (IP) Addresses are like your name and Media Access Controllers (MAC) are like your street address in the envelope analogy. (Packet shown is notional, IP Packets don’t have MAC addresses, however Ethernet frames do.)

As you will see, it turns out that packets have multiple levels of addresses. Right now, I’d ...

... fragment overlap attack. IP is responsible for determining the route a packet should take through the network. It does this by using the IP addresses. The source IP address indicates who sent the packet and the destination IP address indicates who the packet is being sent to.

Socket

• Uniquely identifies a connection
• Consists of:
  – Source IP address
  – Source port number
  – Destination IP address
  – Destination ...

... remembered. If the device is using the IP protocol it must also have an IP address. The IP address consists of four numbers separated by periods. The numbers can be used to divide large networks into smaller networks. Each IP-based device on the network must have a unique IP address in order for it to receive information properly. Because they are shorter, it is easier to remember an IP address, but still not completely ...

... “geek.com.”

IP Addresses and Subnets

• Each node on an IP network has a unique IP address
• Denoted as four numbers separated by periods (dotted quad)
  – E.g. 135.118.231.10
• “Classes” of addresses
  – Class A: 1.0.0.0 through 127.255.255.255
  – Class B: 128.0.0.0 through 191.255.255.255
  – Class C: 192.0.0.0 through 223.255.255.255

When a system uses the IP protocol to communicate ...
Addressing - Review

• Computers have physical (MAC) and protocol (IP) addresses
• There are classes of IP addresses (A, B, C)
• Netmasks tell computers how to parse IP addresses
• IP address broken up into two pieces: The network portion and the host portion
• The broadcast address goes to all computers on a given segment

This is a summary slide that covers the critical ...

... position, which when added together gives you a value of 17.

IP Header Key Fields

• TTL
  – Time to live field
  – Decremented at each hop
• Fragment Offset
  – Allows packets to be broken up into smaller pieces
  – Offset determines how pieces are put back together
• IP addresses

Now that we understand how the IP header works, let’s look at some key fields that are important ...

... the communication will be successful.

IP – The Internet Protocol

• Deals with transmission of packets between end points
• The fundamental protocol of the Internet

The Internet Protocol (IP) is the protocol by which information is sent from one computer to another on the Internet. Each computer on the Internet has at least one IP address that uniquely identifies it from ...

...
• Used to uniquely identify a computer or network
• A device may have multiple types of “addresses”
  – MAC address (00:60:1D:F0:EA:AF)
  – IP address (192.168.100.105)
  – Machine name (Enterprise)
  – Domain name
    • enterprise.federation.org
    • enterprise.geek.com

At this point, let’s jump into the world of IP addresses and see how they work. We all have many ways of identifying ourselves.
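The address classes and the network/host split summarized in the addressing slides above, as an added example that is not part of the original slides: it converts a dotted quad to binary, classifies it using the class ranges listed on the slide, and applies a netmask to obtain the network portion, host portion and broadcast address. The function names are assumptions, and the netmasks used in the sample calls are the conventional classful defaults.

```python
def to_int(dotted: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value

def to_dotted(value: int) -> str:
    """Render a 32-bit integer as four decimal octets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted: str) -> str:
    """Show each octet as eight bits, the form the netmask is applied to."""
    value = to_int(dotted)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def address_class(dotted: str):
    """Classify by first octet using the ranges given on the slide (A, B, C only)."""
    first = to_int(dotted) >> 24
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return None  # outside the three classes the slide lists

def split_address(address: str, netmask: str) -> dict:
    """Apply the netmask: AND gives the network, the inverted mask gives the host bits."""
    addr, mask = to_int(address), to_int(netmask)
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # a valid mask is ones followed by zeros
        raise ValueError(f"netmask is not contiguous: {netmask}")
    network = addr & mask
    return {
        "network": to_dotted(network),
        "host": to_dotted(addr & host_bits),
        "broadcast": to_dotted(network | host_bits),  # all host bits set to 1
    }

if __name__ == "__main__":
    for ip, mask in (("135.118.231.10", "255.255.0.0"),
                     ("192.168.100.105", "255.255.255.0")):
        print(ip, to_binary(ip), address_class(ip), split_address(ip, mask))
```
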

Date posted: 21/12/2013, 04:20
