Networking Concepts Module A Copyright Pearson Prentice Hall 2013.

Presentation transcript:

Networking Concepts Module A Copyright Pearson Prentice Hall 2013

Definitions and Terms
Octet: a byte (a collection of 8 bits); 8 bits = 1 character
Bit: the basic unit of IT, represented as a 0 or 1
Host: any device connected to the Internet
internet vs. Internet: lowercase i = computer networks or internet protocol; uppercase I = the global computer network
Copyright Pearson Prentice-Hall 2010

A-1: A Simple Home Network
NIC = Network Interface Card; provides the capability for network communications
Copyright Pearson Prentice-Hall 2010

Access Router
Router: connects one network to another
Is a switch: sends frames between computers
Is a Wireless Access Point (WAP): signals are spread wide, increasing danger
Contains Dynamic Host Configuration Protocol (DHCP): provides each host an IP address
Provides Network Address Translation (NAT): hides IP addresses from attack
Copyright Pearson Prentice-Hall 2010


Network Types
LAN (Local Area Network): operates within a building, not across geographic locations
WAN (Wide Area Network, internet): operates across geographic locations; because corporations don't have regulatory rights to lay network lines in public areas, they rely on commercial companies
Internet: network of networks
Copyright Pearson Prentice-Hall 2010

Workgroup Switch: connects computers to the network
Core Switch: connects switches to other switches
Any computer can plug into a wall jack and potentially gain access to the network. 802.1X requires any computer to first authenticate before gaining access to the network.
Copyright Pearson Prentice-Hall 2010

Two Types of Leased Lines
Point to Point: connections to these networks are limited; this is security by obscurity, which is not the best, since if it is breached there is no security
Public Switched Data Network (PSDN): passes frames between multiple sites
Copyright Pearson Prentice-Hall 2010

A-5: The Internet
The global Internet has thousands of networks connected by routers
[Figure: browser software on one network and webserver software on another, with a packet carried along a route through several routers]
Copyright Pearson Prentice Hall 2013

Messages
Messages (data) can move from any computer to any other computer on any other network connected to the Internet
Frames: messages (data) within a single network (LAN or WAN)
Packets: messages (data) between computers across the Internet
Packets are contained within frames; a different frame is used on each network
The Internet was designed specifically to NOT ADD SECURITY!
Copyright Pearson Prentice-Hall 2010

Packet travels in a different frame in each network Copyright Pearson Prentice Hall 2013

A-7: Internet Service Providers (ISPs) US Backbone Map Submarine Cable Map Copyright Pearson Prentice-Hall 2010

Network Protocols
Networks must "talk" with each other: interoperability requires standards
Standards security issues:
Is the standard inherently secure, i.e. is security an essential constituent or characteristic of the standard? Incidental security results from inherent security.
Was security explicitly designed into the standard, or added "after-the-fact", usually to newer versions going forward?
Vendor implementations can be defective
Copyright Pearson Prentice-Hall 2010

A-8: Three Core Standards Layers
Core standards for each sub-system of the network communication process

Super Layer     | Description
Application     | Communication between application programs on different hosts attached to different networks on an internet.
Internetworking | Transmission of packets across an internet. Packets contain application layer messages.
Single Network  | Transmission of frames across a network. Frames contain packets.

Copyright Pearson Prentice-Hall 2010

Super Layer     | TCP/IP              | OSI                                | Hybrid TCP/IP-OSI
Application     | Application         | Application, Presentation, Session | Application
Internetworking | Transport, Internet | Transport, Network                 | Transport, Internet
Single Network  | Subnet Access       | Data Link, Physical                | Data Link, Physical

Copyright Pearson Prentice Hall 2013

The 4 Layer Internet Model
[Figure: source end-host and destination end-host, each with Application, Transport, Network and Link layers; two routers between them, each with only Network and Link layers.]
The next layer up is, for us, the most important layer: the Network layer. The network layer's job is to deliver packets end-to-end across the Internet from the source to the destination. A packet is an important basic building block in networks. A packet is the name we give to a self-contained collection of data, plus a header that describes what the data is, where it is going and where it came from. Network layer packets are called datagrams. They consist of some data and a header containing the "To" and "From" addresses, just like we put the "To:" and "From:" addresses on a letter. The Network layer hands the datagram to the Link Layer below, telling it to send the datagram over the first link. In other words, the Link Layer is providing a *service* to the Network Layer. Essentially, the Link Layer says: "if you give me a datagram to send, I will transmit it over one link for you". At the other end of the link is a router. The Link Layer of the router accepts the datagram from the link, and hands it up to the Network Layer in the router. The Network Layer on the router examines the destination address of the datagram, and is responsible for routing the datagram one hop at a time towards its eventual destination. It does this by sending to the Link Layer again, to carry it over the next link. And so on until it reaches the Network Layer at the destination. Notice that the Network Layer does not need to concern itself with *how* the Link Layer sends the datagram over the link. In fact, different Link Layers work in very different ways; Ethernet and WiFi are clearly very different.
This separation of concerns between the Network Layer and the Link Layer allows each to focus on its job, without worrying about how the other layer works. It also means that a single Network Layer has a common way to talk to many different Link Layers by simply handing them datagrams to send. This separation of concerns is made possible by the modularity of each layer and a common, well-defined API to the layer below. CS144, Stanford University

In a single network, a physical link connects adjacent devices. A data link is the path that a frame takes across a single network. [Figure: one data link made up of three physical links, numbered 1, 2 and 3.] Copyright Pearson Prentice Hall 2013

Physical Layer Device Connection Types
UTP: links between computers and switches; uses voltage changes (high vs. low); acts like a radio antenna, so the signal can be intercepted without tapping
Optical fiber: uses light changes (on or off); requires tapping for interception of data
Wireless: uses radio waves for transmission; spreads widely and is easily intercepted
Copyright Pearson Prentice-Hall 2010

Internetworking Standards
How routers forward packets: a best-effort protocol; no guarantee that packets will arrive, or will arrive in order; the main standard is the Internet Protocol (IP)
Transport: the main standard is the Transmission Control Protocol (TCP); it fixes transmission errors, ensures proper order of packets, and slows transmission if necessary. For transmissions that do NOT require these capabilities, use the User Datagram Protocol (UDP)
Copyright Pearson Prentice-Hall 2010

Types of Standards (Protocols)
Connection-oriented / reliable: requires agreement for transmission to commence; monitors the transmission for errors to ensure reliability of transmission
Connectionless / unreliable: does NOT require agreement, transmission occurs when needed; no monitoring of the transmission for errors occurs
Copyright Pearson Prentice-Hall 2010

Internet Protocol (IP)
Connectionless, unreliable
Purpose: how packets are organized; how routers move packets to the destination host
Versions: IPv4 has a 32-bit address size (2^32 = 4,294,967,296); IPv6 has a 128-bit address size (2^128 = 3.4e+38, three hundred forty undecillion)
Copyright Pearson Prentice-Hall 2010

The Internet Protocol (IP)
[Figure: the Transport layer's segment (Hdr + Data) is placed in the IP Data field of an IP datagram (IP Hdr + IP Data), which in turn is placed in the Link Data field of a Link frame (Link Hdr + Link Data).]
IP datagrams consist of a header and some data. When the transport layer has data to send, it hands a Transport Segment to the Network layer below. The network layer puts the transport segment inside a new IP datagram. IP's job is to deliver the datagram to the other end. But first, the IP datagram has to make it over the first link to the first router. IP sends the datagram to the Link Layer, which puts it inside a Link frame, such as an Ethernet packet, and ships it off to the first router. CS144, Stanford University

The IP Service Model

Property       | Behavior
Datagram       | Individually routed packets. Hop-by-hop routing.
Unreliable     | Packets might be dropped.
Best effort    | ...but only if necessary.
Connectionless | No per-flow state. Packets might be mis-sequenced.

[Figure: a datagram (IP DA, IP SA, Data) travels link by link from host A through routers B and C.]

The IP service can be characterized by the four properties listed here. It sends datagrams from end host to end host; it is unreliable, but makes a best effort to deliver the datagrams. The network maintains no per-flow state associated with the datagrams. Let's take a look at each one in turn as listed in the table. First, IP is a datagram service. When we ask IP to send some data for us, it creates a datagram and puts our data inside. The datagram is a packet that is routed individually through the network based on the information in its header. In other words, the datagram is self-contained. The header contains the IP address of the destination, which we abbreviate here as "IP DA" for IP destination address. The forwarding decision at each router is based on the IP DA. The datagram header also contains an IP source address, or "IP SA", saying where the packet came from, so the receiver knows where to send any response. Datagrams are routed hop-by-hop through the network from one router to the next, all the way from the IP source address to the IP destination address. We'll learn more about how routers work later. But for now, it's enough to know that each router contains a forwarding table that tells it where to send packets matching a given destination address. The router doesn't know the whole path; it simply uses the destination address to index into its forwarding table so that it can forward the packet to the next hop along the path towards its final destination.
Hop by hop, step by step, the packet makes its way from the source to the destination using only the destination address in the datagram. You will often hear the analogy made between how IP datagrams are routed and how letters are routed by the postal service. It's a good analogy. In the postal service, we put a letter into the mail box with the address of the destination and the letter is routed, invisibly to us, hop by hop from sorting office to sorting office until it reaches its destination. Neither the sender nor the receiver knows, or needs to know, the path taken by letters in the postal service or by datagrams in the Internet. The IP service model provides a service which includes the routing to the destination. Second, and perhaps surprisingly, IP is unreliable. IP makes no promise that packets will be delivered to the destination. They could be delivered late, out of sequence, or never delivered at all. It's possible that a packet will be duplicated along the way, for example by a misbehaving router. The key thing to remember is that IP is unreliable and makes no guarantees. But it won't drop datagrams arbitrarily just because it feels like it. That's if you believe networks have feelings. IP does make the promise to only drop datagrams if necessary. For example, the packet queue in a router might fill up because of congestion, forcing the router to drop the next arriving packet. IP won't make any attempt to resend the data; in fact, IP doesn't tell the source that the packet was dropped. Similarly, a faulty routing table might cause a packet to be sent to the wrong destination, or cause a packet to be duplicated by mistake. IP makes no promises that these errors won't happen, nor does it detect them when they do. But IP does make the promise to only make these errors when necessary. In fact, the IP datagram service is very much like the basic postal service.
The basic postal service makes no promise that our letters will be delivered on time, or that if we send 2-3 letters on successive days they will be received in the order they were sent, and it makes no promise they will be delivered at all (unless we pay for a more expensive end-to-end service to guarantee delivery). Really, when it comes down to it, IP is an extremely simple, minimal service. It maintains no state at all related to a communication. We say that a communication service is "connectionless" because it doesn't start by establishing some end-to-end state associated with the communication. In other words, when we make a Skype call lasting several minutes and consisting of many IP datagrams, the IP layer maintains no knowledge of the call, and simply routes each datagram individually and independently of all the others. CS144, Stanford University

Why is the IP service so simple?
Simple, dumb, minimal: faster, more streamlined and lower cost to build and maintain.
The end-to-end principle: where possible, implement features in the end hosts.
Allows a variety of reliable (or unreliable) services to be built on top.
Works over any link layer: IP makes very few assumptions about the link layer below.

You might be wondering why the IP service is so simple. After all, it is the foundation of the entire Internet. Every communication over the Internet uses, and must use, the IP service. Given how important the Internet is, wouldn't it have been better to make IP reliable? After all, we did say that most applications want a reliable, byte-communication service. There are several reasons the IP service model was designed to be so simple. First, to keep the network simple, dumb and minimal: faster, more streamlined and lower cost to build and maintain. It was believed that if the network is kept simple, with very few features and requirements, then packets could be delivered very quickly, and at low cost. The thinking was that a simple network could be made to run very fast using dedicated hardware. And given that the network is implemented by a large number of routers scattered throughout the network, if they could be kept simple then they are likely to be more reliable, more affordable to maintain and will need to be upgraded less often. Second, the end-to-end principle: where possible, implement features in the end hosts. In the design of communication systems, there is a well-known principle called the end-to-end principle that says that if you *can* correctly implement features at the end points then you should. We'll study the end-to-end principle in more depth in later videos, but the basic idea is to place as much intelligence as possible at the end points, in our case the source and destination computers.
This can have several advantages, such as making sure the feature is implemented correctly for the application, and it is easier to evolve and improve a feature if it is implemented in software on end computers rather than baked into the hardware of the Internet. In the case of the Internet, it was decided that features such as reliable communications and controlling congestion should be done at the end points, by the source and destination computers, and not by the network. At the time, it was quite a radical suggestion and a very different design choice from the telephone system, which was originally built on the idea of simple handsets and a complicated feature-rich network of telephone switches. In later videos we will be studying the end-to-end principle as one of the important architectural principles of communication systems. We will see many examples of the end-to-end principle in action. For example, when we study the transport layer, we will see how the end hosts build a reliable communication service over the unreliable IP network service. Third, it allows a variety of reliable (or unreliable) services to be built on top. If IP was reliable, in other words if any missing packets were retransmitted automatically, then it would not be ideal for some services. For example, in real-time applications like a video chat, there might be no point in retransmitting lost data, because it might arrive too late to be useful. Instead, the application might choose to show a few blank pixels or use the pixels from the frame before. By not providing any reliability guarantees, IP lets the application choose the reliability service it needs. Fourth, it works over any link layer: IP makes very few assumptions about the link layer. IP has very little expectation of the Link layer below: the link could be wired or wireless, and IP requires no retransmission or control of congestion from it.
Some people have said IP is so simple and makes so few assumptions about the underlying link layer that you could run IP over carrier pigeons. In fact, there is even an Internet standard telling you how to do it! Making IP run over any link layer made sense because the Internet was created specifically to interconnect existing networks (which is why it was called the Internet). CS144, Stanford University


IPv4
Represented as 32-bit rows. Consists of: a header of 5 rows (may have optional rows) and the data.
Copyright Pearson Prentice-Hall 2010

A-12: The Internet Protocol (IP) Packet (IP Version 4 packet; Version = 0100)
Bit 0 to Bit 31 of each row:
Row 1: Version (4 bits) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Row 2: Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
Row 3: Time to Live (8 bits) | Protocol (8 bits; 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Row 4: Source IP Address (32 bits)
Row 5: Destination IP Address (32 bits)
Options (if any) | Padding
Data Field
Copyright Pearson Prentice-Hall 2010

IPv4 Row 1: Version (4 bits) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Version: 0100 = 4
Header Length (usually 5 rows): 0101 = 5. More than 5 rows usually indicates an attack, so examining this part of the header is important to detect attacks
Diff-Serv: rarely used; intended to provide priority to different packets (Network Neutrality)
Total Length: length of (entire packet - header) in bytes; the maximum size of a packet is 2^16 = 65,536
Copyright Pearson Prentice-Hall 2010

IPv4 Row 2: Identification (16 bits) | Flags | Fragment Offset (13 bits)
Used if a packet is too large and is divided into smaller packets. This is rare and can indicate an attack. Most O/S don't allow fragmentation.
Flag values:
Copyright Pearson Prentice-Hall 2010

IPv4 Row 3: Time to Live (8 bits) | Protocol (8 bits; 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Time to Live (TTL): set to a value between 0 and 255, usually 64 or 128 by the O/S. As the packet moves from router to router, TTL is decremented by 1. If TTL reaches 0 the packet is discarded. Attackers can determine how many router hops are between the hacker and the victim host by examining the TTL and guessing 64 or 128, so…
Protocol: the message type; see the list of IP protocol numbers
Header Checksum
Copyright Pearson Prentice-Hall 2010
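To make rows 1 to 3 concrete, here is an added Python example (not from the slides) that builds a constructed IPv4 packet, splits the header fields as slide A-12 lays them out, verifies the header checksum, and applies the slides' heuristics: flag a header longer than 5 rows, flag fragmentation, and estimate hops from the TTL assuming an initial value of 64 or 128 (255 is an extra assumption for the few stacks that use it). All addresses and payloads are constructed sample data.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, then complemented.
    Run over a header that already carries its checksum, it returns 0 when
    that checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ttl=64, payload=b"", options=b"",
               flags=0, frag_off=0, ident=0) -> bytes:
    """Construct an IPv4 packet (constructed sample data, not captured traffic).
    Layout follows slide A-12: five 32-bit rows, then optional rows, then data."""
    ihl = 5 + (len(options) + 3) // 4                # header length in 32-bit rows
    options = options.ljust((ihl - 5) * 4, b"\x00")  # pad options to a full row
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, total_len, ident,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    csum = ipv4_checksum(hdr)                         # computed with checksum = 0
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split rows 1-5 into the fields drawn on slide A-12."""
    (ver_ihl, dscp, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0xF
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "hdr_len": ihl * 4,
        "diff_serv": dscp, "total_len": total_len, "ident": ident,
        "flags": flags_frag >> 13,          # 3 bits: reserved, DF, MF
        "frag_off": flags_frag & 0x1FFF,    # 13 bits
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def inspect_ipv4(pkt: bytes) -> dict:
    """Apply the slides' header heuristics; returns the parsed header plus the
    findings a packet filter or IDS would log for this packet."""
    h = parse_ipv4(pkt)
    findings = []
    if h["version"] != 4:
        findings.append("version is not 4")
    if h["ihl"] > 5:                                  # rows beyond 5 = options present
        findings.append("header longer than 5 rows (options present)")
    if h["flags"] & 0x1 or h["frag_off"] != 0:        # MF set or non-zero offset
        findings.append("fragmented")
    if ipv4_checksum(pkt[:h["hdr_len"]]) != 0:
        findings.append("bad header checksum")
    # Hop estimate from the slides' rule of thumb: the sender started at 64 or
    # 128 (255 assumed for stacks that use it); hops = initial - observed TTL.
    initial = 64 if h["ttl"] <= 64 else (128 if h["ttl"] <= 128 else 255)
    h["estimated_hops"] = initial - h["ttl"]
    h["protocol_name"] = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(h["protocol"], "other")
    h["findings"] = findings
    return h


if __name__ == "__main__":
    clean = build_ipv4("132.170.217.166", "10.0.0.5", 6, ttl=58, payload=b"hello")
    print(inspect_ipv4(clean))
    odd = build_ipv4("10.0.0.1", "10.0.0.2", 17, ttl=120,
                     options=b"\x07\x07\x04\x00", flags=1)
    print(inspect_ipv4(odd))
```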

IPv4 Source and Destination IP Address
Each address is 32 bits long: 11111111000000001111111100000000
Kind of hard to remember, so… it is divided into 4 8-bit segments and converted to decimal (0 to 255): 132.170.217.166 (www.bus.ucf.edu)
The 4 segments are divided by a mask; the first 2 are for the network: 132.170 = UCF, 217 = College of Business, 166 = Web Server
Copyright Pearson Prentice-Hall 2010


DNS Server
Organized hierarchically: 13 DNS root servers; top-level domain servers (.com, .edu, etc.); second-level servers (e.g. University of Central Florida), which need to know the names of the host computers within their own network
Cache poisoning occurs if an attacker replaces an IP address on the DNS with a fake one
Copyright Pearson Prentice-Hall 2010

DNSSEC for the .edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010

DNS: A Review Illustration courtesy of Niranjan Kunwar / Nirlog.com

DNS Caching DNS Servers cache data to improve performance But…what happens if the cached data is wrong?

DNS is Fundamentally Flawed More detailed explanation: http://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdf

DNS Threats
DNS's usual behavior of sending an entire query or response in a single unsigned, unencrypted UDP packet makes these attacks particularly easy
Packet interception: the attacker intercepts the query to DNS or the response back, substituting their own message
ID guessing & query prediction: the attacker guesses the UDP ID for the DNS query; the DNS port number is well-known; 16 bits per ID, so 2^16 possibilities, susceptible to brute force
Name chaining or cache poisoning (see previous slide)
DoS: no different from any other server

Chain of Trust Can Be Established Original illustration courtesy of Niranjan Kunwar / Nirlog.com

A-13: IP Version 6 Packet
Payload Length = Total Length from IPv4
Hop Limit = TTL from IPv4
Note there is no checksum; reliability is assumed from higher-level security
Copyright Pearson Prentice-Hall 2010

IPv6 Optional Header Rows
Unlike IPv4, IPv6 utilizes optional header rows. One such use is for IPSec.
Remember that IP was developed without security; IPSec was added later to provide security.
Everything in the data field of the packet is secure (secure = encrypted); the application message is also secure.
Two modes: Transport (host-to-host protection); Tunnel (protection between hosts). Details in Chapter 4.
Copyright Pearson Prentice-Hall 2010

Transport Layer Protocols
Transmission Control Protocol (TCP): connection-oriented, reliable; a TCP message is called a Segment
User Datagram Protocol (UDP): connectionless, unreliable
Copyright Pearson Prentice-Hall 2010

A-14: Transmission Control Protocol (TCP) Segment Copyright Pearson Prentice-Hall 2010

A-15: Messages in a TCP Session (PC transport process and Webserver transport process)
3-Way Open (3):
1. SYN (Open)
2. SYN, ACK (1) (acknowledgement of 1)
3. ACK (2)
SYN = Synchronize sequence numbers: I want to send a message
SYN, ACK (Acknowledge) = OK, I'll accept your message
ACK = OK, I'm acknowledging that I received your acknowledgement
Copyright Pearson Prentice-Hall 2010

Using TCP for Denial-of-Service Hacks
The hacker floods the victim host with SYN messages. The victim host sends SYN, ACK and sets aside resources for the upcoming message. The hacker never sends the ACK back. This is a half-open SYN attack.
Copyright Pearson Prentice-Hall 2010
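As a defender's view of the half-open SYN attack, here is an added Python example (not from the slides) that replays a constructed connection trace, tracks each client's 3-way open, and reports connections stuck after the victim's SYN, ACK with no ACK from the client. Addresses, ports and times are constructed sample data.

```python
from collections import defaultdict

# Constructed sample trace (not captured traffic): (seconds, src, dst, flags).
# One client completes the 3-way open; five spoofed sources send SYNs that the
# victim answers with SYN,ACK but never follow up with an ACK; a last client
# has only just received its SYN,ACK and is still within the timeout.
TRACE = [
    (0.0, "198.51.100.7:40001", "10.0.0.5:80", "SYN"),
    (0.1, "10.0.0.5:80", "198.51.100.7:40001", "SYN,ACK"),
    (0.2, "198.51.100.7:40001", "10.0.0.5:80", "ACK"),
] + [
    entry
    for i in range(5)
    for entry in (
        (1.0 + i, "203.0.113.%d:1000" % (10 + i), "10.0.0.5:80", "SYN"),
        (1.1 + i, "10.0.0.5:80", "203.0.113.%d:1000" % (10 + i), "SYN,ACK"),
    )
] + [
    (9.0, "198.51.100.8:40002", "10.0.0.5:80", "SYN"),
    (9.1, "10.0.0.5:80", "198.51.100.8:40002", "SYN,ACK"),
]


def track_handshakes(trace):
    """Replay the trace; return {(client, server): (state, time_of_last_change)}.
    States follow slide A-15: 'syn' after message 1, 'syn_ack' after message 2
    (server resources are now reserved), 'established' after message 3."""
    conns = {}
    for t, src, dst, flags in trace:
        f = set(flags.split(","))
        if f == {"SYN"}:
            conns[(src, dst)] = ("syn", t)
        elif f == {"SYN", "ACK"}:
            key = (dst, src)                       # the server replies: swap roles
            if conns.get(key, ("",))[0] == "syn":
                conns[key] = ("syn_ack", t)
        elif "ACK" in f and conns.get((src, dst), ("",))[0] == "syn_ack":
            conns[(src, dst)] = ("established", t)
    return conns


def half_open(trace, now, timeout=3.0):
    """Connections where the server sent SYN,ACK but no ACK arrived within
    `timeout` seconds: the half-open state the slide describes."""
    return [key for key, (state, t) in track_handshakes(trace).items()
            if state == "syn_ack" and now - t > timeout]


def syn_flood_report(trace, now, timeout=3.0, threshold=3):
    """Count half-open connections per server socket and flag any server at or
    above `threshold`; the source list shows how many (spoofed) clients there are."""
    per_server = defaultdict(set)
    for client, server in half_open(trace, now, timeout):
        per_server[server].add(client)
    return {server: {"half_open": len(clients), "sources": sorted(clients),
                     "flooded": len(clients) >= threshold}
            for server, clients in per_server.items()}


if __name__ == "__main__":
    print(syn_flood_report(TRACE, now=10.0))
```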

A-15: Messages in a TCP Session (continued)
Carry HTTP Request & Response (4):
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)
Copyright Pearson Prentice Hall 2013

A-15: Messages in a TCP Session (continued)
Error Handling:
8. Data = HTTP Request (error)
9. Data = HTTP Request (no ACK, so retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)
Copyright Pearson Prentice Hall 2013

A-15: Messages in a TCP Session (continued)
Normal Four-Way Close (4):
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)
Note: An ACK may be combined with the next message if the next message is sent quickly enough
Copyright Pearson Prentice Hall 2013

A-15: Messages in a TCP Session
Abrupt Close (1): RST
Either side can send a Reset (RST) segment at any time; it ends the session immediately.
Rejection of a SYN (from an untrusted host) with a RST will provide the hacker with the IP address of an internal host, something the hacker tries to get.
Copyright Pearson Prentice-Hall 2010


Integrity and Reliability of Message
Sequence Number field: allows segments to be put together in order. The first segment uses a randomly generated number. If a segment contains no data (SYN, ACK, etc.), the number is 1 + the last segment's number. If a segment contains data, the number of the first octet (byte) of the data field is used.
Acknowledgement Number field: enables verification that a segment has arrived. It is the number of the last octet (byte) of the data field + 1.
Copyright Pearson Prentice-Hall 2010
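An added Python example (not from the slides) that replays messages 1 to 16 of slides A-15 with the sequence and acknowledgement numbering rules above, including the lost request and its retransmission, the four-way close, and an RST abrupt close. The ISNs 1000 and 5000 and the HTTP payloads are constructed sample values.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: Optional[int]
    data: bytes = b""


class TcpProcess:
    """One side's transport process, numbered by the slides' rules."""

    def __init__(self, name: str, isn: Optional[int] = None):
        self.name = name
        # The first segment uses a randomly generated number (the ISN).
        self.next_seq = random.randrange(1 << 32) if isn is None else isn
        self.ack_num: Optional[int] = None    # last octet received + 1
        self.open = True

    def segment(self, peer: str, flags, data: bytes = b"") -> Segment:
        seq = self.next_seq
        # Data segment: number of the first octet of the data field; the next
        # segment starts after the last octet. No-data segment (SYN, ACK, FIN):
        # the slides' rule gives the following segment 1 + this number.
        self.next_seq += len(data) if data else 1
        ack = self.ack_num if "ACK" in flags else None
        return Segment(self.name, peer, frozenset(flags), seq, ack, data)

    def retransmit(self, seg: Segment) -> Segment:
        """No ACK arrived: resend the same data under the same sequence number."""
        return Segment(seg.src, seg.dst, seg.flags, seg.seq, self.ack_num, seg.data)

    def receive(self, seg: Segment) -> None:
        if "RST" in seg.flags:               # abrupt close: session ends at once
            self.open = False
            return
        # Acknowledgement number = last octet of the data field + 1; a segment
        # without data (SYN, FIN, ACK) is acknowledged as if it were one octet.
        self.ack_num = seg.seq + (len(seg.data) if seg.data else 1)


def run_session(pc_isn: int = 1000, ws_isn: int = 5000):
    """Replay messages 1-16 of slides A-15; returns [(segment, delivered)]."""
    pc, ws = TcpProcess("PC", pc_isn), TcpProcess("Webserver", ws_isn)
    wire = []

    def send(seg: Segment, lost: bool = False) -> None:
        wire.append((seg, not lost))
        if not lost:
            (ws if seg.dst == "Webserver" else pc).receive(seg)

    send(pc.segment("Webserver", {"SYN"}))                              # 1
    send(ws.segment("PC", {"SYN", "ACK"}))                              # 2
    send(pc.segment("Webserver", {"ACK"}))                              # 3
    send(pc.segment("Webserver", {"ACK"}, b"GET / HTTP/1.1\r\n\r\n"))     # 4
    send(ws.segment("PC", {"ACK"}))                                     # 5
    send(ws.segment("PC", {"ACK"}, b"HTTP/1.1 200 OK\r\n\r\n"))           # 6
    send(pc.segment("Webserver", {"ACK"}))                              # 7
    req = pc.segment("Webserver", {"ACK"}, b"GET /a HTTP/1.1\r\n\r\n")
    send(req, lost=True)                                                # 8 (error)
    send(pc.retransmit(req))                                            # 9
    send(ws.segment("PC", {"ACK"}))                                     # 10
    send(ws.segment("PC", {"ACK"}, b"HTTP/1.1 404 Not Found\r\n\r\n"))    # 11
    send(pc.segment("Webserver", {"ACK"}))                              # 12
    send(pc.segment("Webserver", {"FIN", "ACK"}))                       # 13
    send(ws.segment("PC", {"ACK"}))                                     # 14
    send(ws.segment("PC", {"FIN", "ACK"}))                              # 15
    send(pc.segment("Webserver", {"ACK"}))                              # 16
    return wire


def abrupt_close(pc_isn: int = 1000, ws_isn: int = 5000) -> bool:
    """The server answers a SYN with RST: the client's session ends at once.
    Returns whether the client still considers the session open."""
    pc, ws = TcpProcess("PC", pc_isn), TcpProcess("Webserver", ws_isn)
    ws.receive(pc.segment("Webserver", {"SYN"}))
    pc.receive(ws.segment("PC", {"RST"}))
    return pc.open


if __name__ == "__main__":
    for n, (seg, delivered) in enumerate(run_session(), start=1):
        print(n, seg.src, "->", seg.dst, sorted(seg.flags), "seq", seg.seq,
              "ack", seg.ack, "" if delivered else "(lost)")
```

The "1 + last segment" rule for no-data segments is the slides' simplification; in RFC 793 only SYN and FIN consume a sequence number and pure ACKs do not, so real captures will show slightly different numbers.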



Port Numbers & Sockets
Clients: a random port number is used when connecting to a host for a transmission session (short-lived session)
Servers: the port number represents a specific application running
Socket: the combination of IP address and port number, e.g. 132.170.217.166:80
Copyright Pearson Prentice-Hall 2010



TCP Security
There is NO security built into the standard. Security is instead provided by IPSec in the IP standard, since it secures the IP packet in which the TCP segment is contained.
Copyright Pearson Prentice-Hall 2010


A-20: Internet Control Message Protocol (ICMP) Copyright Pearson Prentice Hall 2013

ICMP Ping & Traceroute
Ping: are you there?
Traceroute: how do packets go from my client to a host?
ICMP messages carry error messages back to the originator
Hackers can send malformed ICMP messages hoping to identify the IP address of a host
Copyright Pearson Prentice-Hall 2010



A-24: Application Standards Application Exploits By taking over applications, hackers gain the permissions of the exploited program A multitude of application standards Consequently, there is a multitude of security issues at the application level Copyright Pearson Prentice Hall 2013

A-24: Application Standards
Many applications need two types of standards: one for the transmission of messages, one for the content of application documents. For the World Wide Web, these are HTTP and HTML, respectively. For transmission, e-mail uses SMTP, POP, and IMAP; for message content, e-mail uses RFC 2822 (all-text), HTML, and MIME. Copyright Pearson Prentice Hall 2013

A-24: Application Standards FTP and Telnet Have no security Passwords are transmitted in the clear so can be captured by sniffers Secure Shell (SSH) can replace both securely Copyright Pearson Prentice Hall 2013

A-24: Application Standards Many Other Application Standards Have Security Issues Voice over IP Service-oriented architecture (SOA); web services Peer-to-peer applications Copyright Pearson Prentice Hall 2013

Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall