Review of TCP/IP Internetworking

Panko, Corporate Computer and Network Security
Copyright 2009 Prentice-Hall

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path

[Figure: a single network. Labels: Client Host, Mobile Client Host, Server Host, Access Link, Trunk Link, Frame, Path.]

Frame Organization

Message structure of a frame: Header (destination address field plus other header fields), Data Field, Trailer.

Switching Decision

[Figure: a switch with ports 1 through 6 connected to Stations A, B, C, and D. A frame with Station C in the destination address field arrives; the switch receives the frame and sends it back out based on the destination address.]

Figure 3-1: Internet

An internet is two or more individual switched networks connected by routers.

[Figure: Switched Network 1, Switched Network 2, and Switched Network 3 connected by a router. An internet is multiple networks connected by routers.]
Path of a Packet is its Route

[Figure: a browser on one single network and webserver software on another single network; the packet crosses the Internet through several routers, and its path through those routers is its route. The global Internet has thousands of networks.]

Figure 3-6: Frames and Packets

[Figure: Client PC, Switch, Router A, Router B, Switch, Server. Frame 1 carries the packet in Network 1, Frame 2 carries the same packet in Network 2, and Frame 3 carries it in Network 3.]

Frames and Packets

Like passing a shipment (the packet) from a truck (frame) to an airplane (frame) at an airport: the same shipment goes from the shipper by truck to the airport, by airplane to the other airport, and by truck to the receiver.

Figure 3-2: TCP/IP Standards (Study Figure)

Origins

Defense Advanced Research Projects Agency (DARPA) created the ARPANET

An internet connects multiple individual networks

The global Internet is capitalized

Internet Engineering Task Force (IETF)

Most IETF documents are requests for comments (RFCs)

Internet Official Protocol Standards: list of RFCs that are official standards

Figure 3-2: TCP/IP Standards (Study Figure)

Hybrid TCP/IP-OSI Architecture (Figure 3-3)

Combines TCP/IP standards at layers 3-5 with OSI standards at layers 1-2

Hybrid layer | TCP/IP                                    | OSI                                   | Hybrid TCP/IP-OSI
5            | Application                               | Application, Presentation, Session    | Application
4            | Transport                                 | Transport                             | Transport
3            | Internet                                  | Network                               | Internet
2            | Subnet Access (use OSI standards here)    | Data Link                             | Data Link
1            | Subnet Access (use OSI standards here)    | Physical                              | Physical

Figure 3-2: TCP/IP Standards (Study Figure)

OSI Layers

Physical (Layer 1): defines electrical signaling and media between adjacent devices

Data link (Layer 2): control of a frame through a single network, across multiple switches

[Figure: a physical link carries the frame between adjacent devices in Switched Network 1; the data link spans the whole switched network.]

Figure 3-2: TCP/IP Standards

Internet Layer

Governs the transmission of a packet across an entire internet. The path of the packet is its route.

[Figure: the packet's route through Switched Network 1, Switched Network 2, and Switched Network 3 via routers.]

Figure 3-2: TCP/IP Standards (Study Figure)

Frames and Packets

Frames are messages at the data link layer

Packets are messages at the internet layer

Packets are carried (encapsulated) in frames

There is only a single packet that is delivered from source to destination host

This packet is carried in a separate frame in each network

Figure 3-7: Internet and Transport Layers

Transport layer: end-to-end (host-to-host) between the client PC and the server. TCP is connection-oriented and reliable; UDP is connectionless and unreliable.

Internet layer (usually IP): hop-by-hop (host-router or router-router) across Router 1, Router 2, and Router 3. Connectionless and unreliable.

Figure 3-2: TCP/IP Standards (Study Figure)

Internet and Transport Layers

Purposes

The internet layer governs hop-by-hop transmission between routers to achieve end-to-end delivery

The transport layer is an end-to-end (host-to-host) protocol involving only the two hosts

Figure 3-2: TCP/IP Standards (Study Figure)

Internet and Transport Layers

Internet Protocol (IP)

IP at the internet layer is unreliable: it does not correct errors in each hop between routers

This is good: it reduces the work each router along the route must do

Figure 3-2: TCP/IP Standards (Study Figure)

Transport Layer Standards

Transmission Control Protocol (TCP): reliable and connection-oriented service at the transport layer; corrects errors

User Datagram Protocol (UDP): unreliable and connectionless service at the transport layer; a lightweight protocol, good when catching errors is not important

Figure 3-8: HTML and HTTP at the Application Layer

[Figure: a client PC with a browser (123.34.150.37) exchanges Hypertext Transfer Protocol (HTTP) requests and responses with a webserver (60.168.47.47). The response carries a Hypertext Markup Language (HTML) document or another file (jpeg, etc.).]

Figure 3-2: TCP/IP Standards (Study Figure)

Application Layer

To govern communication between application programs, which may be written by different vendors

Document transfer versus document format standards: HTTP / HTML for the WWW service; SMTP / RFC 822 (or RFC 2822) in e-mail

Many application standards exist because there are many applications

Figure 3-3: TCP/IP and OSI Architectures: Recap

[Figure: the same layer comparison as Figure 3-3 above. TCP/IP: Application, Transport, Internet, Subnet Access (use OSI standards here). OSI: Application, Presentation, Session, Transport, Network, Data Link, Physical. Hybrid TCP/IP-OSI: Application, Transport, Internet, Data Link, Physical.]

Note: The Hybrid TCP/IP-OSI Architecture is used on the Internet and dominates internal corporate networks.

Figure 3-5: IP Packet

IP Version 4 Packet (each row is 32 bits, Bit 0 to Bit 31)

Version (4 bits, value 0100) | Header Length (4 bits) | Diff-Serv (8 bits) | Total Length (16 bits)
Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
Time to Live (8 bits) | Protocol (8 bits: 1=ICMP, 6=TCP, 17=UDP) | Header Checksum (16 bits)
Source IP Address (32 bits)
Destination IP Address (32 bits)
Options (if any) | Padding
Data Field

Figure 3-5: IP Packet

Version: has the value four (0100)

Time to Live (TTL): prevents the endless circulation of mis-addressed packets. The value is set by the sender and decremented by one by each router along the way; if it reaches zero, the router throws the packet away.

Figure 3-5: IP Packet

Protocol Field: identifies the contents of the data field

1 = ICMP: IP Header (Protocol=1), IP Data Field carries an ICMP message
6 = TCP: IP Header (Protocol=6), IP Data Field carries a TCP segment
17 = UDP: IP Header (Protocol=17), IP Data Field carries a UDP datagram

Figure 3-5: IP Packet

Header checksum: checks for errors in the header only. Faster than checking the whole packet, and stops bad headers from causing problems. IP Version 6 drops even this checking.

Address fields: 32 bits long, of course

Options field(s) give optional parameters

Data field contains the payload of the packet

Figure 3-9: Layer Cooperation Through Encapsulation on the Source Host

Application process: creates the HTTP message.

Transport process: encapsulates the HTTP message in the data field of a TCP segment (TCP Hdr | HTTP Message).

Internet process: encapsulates the TCP segment in the data field of an IP packet (IP Hdr | TCP Hdr | HTTP Message).

Data link process: encapsulates the IP packet in the data field of a frame (DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr).

Physical process: converts the bits of the frame into signals.

Note: The following is the final frame for supervisory TCP segments, which carry no application message: DL Hdr | IP Hdr | TCP Hdr | DL Trlr.

Figure 3-10: Layer Cooperation Through Decapsulation on the Destination Host

Physical process: converts signals into the bits of the frame.

Data link process: decapsulates the IP packet from the data field of the frame (DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr becomes IP Hdr | TCP Hdr | HTTP Message).

Internet process: decapsulates the TCP segment from the data field of the IP packet (TCP Hdr | HTTP Message).

Transport process: decapsulates the HTTP message from the data field of the TCP segment.

Application process: receives the HTTP message.

Figure 3-11: Vertical Communication on Router R1

[Figure: Router R1 has a single internet layer process and, for each of Ports 1 through 4, its own data link (DL) process and physical (PHY) process. Switch X2 is attached to Port 1; Router 2 is reached through Port 4.]

Notes:
A. Router R1 receives a frame from Switch X2 in Port 1. The Port 1 DL process decapsulates the packet and passes it to the internet process.
B. The internet process sends the packet out on Port 4. The DL process on Port 4 encapsulates the packet in a PPP frame and passes the frame to the Port 4 PHY, which sends it toward Router 2.
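The following is an added example (not code from Panko's text): it builds an IPv4 header laid out as in Figure 3-5, parses it back with header-checksum verification, and then performs the router step of Figures 3-9 to 3-11, stripping the inbound frame, decrementing TTL, fixing the header checksum, and re-encapsulating the same packet in a new frame. The Ethernet framing, MAC addresses and IP addresses are constructed sample values.

```python
"""Added example: IPv4 header build/parse and one router hop (Figures 3-5, 3-9, 3-11)."""
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # Protocol field values from Figure 3-5
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")        # fixed 20-byte header, no options
ETH_HDR = struct.Struct("!6s6sH")                # dst MAC, src MAC, EtherType (0x0800 = IPv4)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; the checksum field must be zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Header Length = 5 words (20 bytes), no options, flags/fragment offset = 0."""
    ver_ihl = (4 << 4) | 5
    hdr = IPV4_HDR.pack(ver_ihl, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # checksum at bytes 10-11
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed fields and verify version and header checksum."""
    (ver_ihl, _dscp, total_len, ident, flags_off, ttl, proto,
     csum, src, dst) = IPV4_HDR.unpack(packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = ver_ihl & 0x0F
    header = packet[:ihl * 4]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return {
        "ihl_words": ihl,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_off & 0x4000),
        "more_fragments": bool(flags_off & 0x2000),
        "fragment_offset": flags_off & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": ip_checksum(zeroed) == csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl * 4:total_len],
    }


def encapsulate(frame_dst: bytes, frame_src: bytes, packet: bytes) -> bytes:
    """Data link process: put the IP packet in the data field of a frame."""
    return ETH_HDR.pack(frame_dst, frame_src, 0x0800) + packet


def router_forward(frame: bytes, out_dst_mac: bytes, out_src_mac: bytes):
    """Figure 3-11: decapsulate on the inbound port, decrement TTL, re-encapsulate
    on the outbound port. Returns None when the packet is discarded (bad header,
    or TTL would reach zero)."""
    _, _, ethertype = ETH_HDR.unpack(frame[:ETH_HDR.size])
    if ethertype != 0x0800:
        return None
    packet = bytearray(frame[ETH_HDR.size:])
    fields = parse_ipv4(bytes(packet))
    if not fields["checksum_ok"] or fields["ttl"] <= 1:
        return None
    packet[8] -= 1                                   # TTL is byte 8 of the header
    hdr_len = fields["ihl_words"] * 4
    packet[10:12] = b"\x00\x00"                      # the checksum covers the new TTL
    packet[10:12] = struct.pack("!H", ip_checksum(bytes(packet[:hdr_len])))
    return encapsulate(out_dst_mac, out_src_mac, bytes(packet))


if __name__ == "__main__":
    pkt = build_ipv4("128.171.17.13", "60.168.47.47", 6, b"\x00\x50\x00\x50", ttl=64, ident=0x1234)
    frame1 = encapsulate(b"\x00\x00\x5e\x00\x53\x01", b"\x00\x00\x5e\x00\x53\x0a", pkt)
    frame2 = router_forward(frame1, b"\x00\x00\x5e\x00\x53\x02", b"\x00\x00\x5e\x00\x53\x0b")
    print(parse_ipv4(frame2[ETH_HDR.size:]))        # same packet, TTL 63, new frame
```

The router never touches the payload: only the frame around the packet changes, plus the TTL byte and the header checksum that covers it, which is why the text can say there is one packet but one frame per network.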

Figure 3-12: Site Connection to an ISP

[Figure: Site Network, Border Firewall, ISP Router, ISP, Internet Backbone.]

1. Frame for this data link
2. Packet carried in the ISP carrier frame
3. Packet carried in the site frame
4. Data link between site and ISP (difficult to attack)
5. Normally, only the arriving packet is dangerous, not the frame fields

Figure 3-13: Internet Protocol (IP)

Basic Characteristics

There were already single networks, and many more would come in the future

Developers needed to make as few assumptions as possible about the underlying networks

So they kept IP simple

Figure 3-13: Internet Protocol (IP)

Connection-Oriented Service and Connectionless Service

Connection-oriented services have distinct starts and closes (telephone calls)

Connectionless services merely send messages (postal letters)

IP is connectionless

Figure 3-14: IP is Connectionless and Unreliable

[Figure: the PC's internet process sends IP packets to the first router's internet process.]

Connectionless: packets are sent in isolation, like postal letters

Unreliable: no error correction; a packet is discarded by the receiver if an error is detected. Error correction is left to the transport layer, which reduces the cost of routers.

Figure 3-13: Internet Protocol (IP) (Study Figure)

IP is unreliable (checks for errors but does not correct errors) (Figure 3-14)

Not doing error correction at each hop between routers reduces router work and so router cost

Does not even guarantee that packets will arrive in order

Figure 3-13: Internet Protocol (IP) (Study Figure)

Hierarchical IP Addresses

Postal addresses are hierarchical (state, city, postal zone, specific address)

Most post offices have to look only at state and city

Only the final post offices have to be concerned with specific addresses

Figure 3-15: Hierarchical IP Address

Network part (not always 16 bits) | Subnet part (not always 8 bits) | Host part (not always 8 bits). The total is always 32 bits.

Example: 128.171.17.13 is host 13 on the CBA subnet (17) of the UH network on the Internet (128.171).

Figure 3-13: Internet Protocol (IP) (Study Figure)

Hierarchical IP Addresses

32-bit IP addresses are hierarchical (Figure 3-15)

Network part tells what network the host is on

Subnet part tells what subnet the host is on within the network

Host part specifies the host on its subnet

Routers have to look only at the network or subnet parts, except for the router that delivers the packet to the destination host

Figure 3-13: Internet Protocol (IP) (Study Figure)

Hierarchical IP Addresses

32-bit IP addresses are hierarchical

Total is 32 bits; part sizes vary

Network mask tells you the size of the network part (Figure 3-16)

Subnet mask tells you the length of the network plus subnet parts combined

Figure 3-16: IP Address Masking with Network and Subnet Masks

                                   | Network Masking                                   | Subnet Masking
Mask represents                    | Tells the size of the network part                | Tells the size of the network and subnet parts combined
Eight ones give the decimal value  | 255                                               | 255
Eight zeros give the decimal value | 0                                                 | 0
Masking gives                      | IP address bit where the mask bit is 1; 0 where the mask bit is 0 | IP address bit where the mask bit is 1; 0 where the mask bit is 0

Figure 3-16: IP Address Masking with Network and Subnet Masks

Example 1     | Network Masking                    | Subnet Masking
IP Address    | 128.171.17.13                      | 128.171.17.13
Mask          | 255.255.0.0                        | 255.255.255.0
Result        | 128.171.0.0                        | 128.171.17.0
Meaning       | 16-bit network part is 128.171     | Combined 24-bit network plus subnet parts are 128.171.17

Example 2     | Network Masking                    | Subnet Masking
IP Address    | 60.47.123.7                        | 60.47.123.7
Mask          | 255.0.0.0                          | 255.255.0.0
Result        | 60.0.0.0                           | 60.47.0.0
Meaning       | 8-bit network part is 60           | Combined 16-bit network plus subnet parts are 60.47
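The masking of Figure 3-16 is a bitwise AND, and the two masks together let you split an address into its network, subnet and host parts. The following added example (not from Panko's text) does both, using the slide's two addresses as input; it also rejects masks that are not a contiguous run of 1s, a check the slide does not mention but that a practitioner wants before trusting a mask in a firewall rule.

```python
"""Added example: network/subnet masking and address splitting (Figure 3-16)."""
import ipaddress


def mask_address(address: str, mask: str) -> str:
    """AND each address bit with the mask bit: keep it where the mask is 1, zero it where 0."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def mask_length(mask: str) -> int:
    """Number of leading 1 bits. Raises if the mask is not 1s followed only by 0s."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def split_address(address: str, network_mask: str, subnet_mask: str) -> dict:
    """Network, subnet and host parts as bit strings, plus the two masked results."""
    n = mask_length(network_mask)
    s = mask_length(subnet_mask)
    if s < n:
        raise ValueError("subnet mask must be at least as long as the network mask")
    bits = f"{int(ipaddress.IPv4Address(address)):032b}"
    return {
        "network": bits[:n],                 # network part (n bits)
        "subnet": bits[n:s],                 # subnet part (s - n bits)
        "host": bits[s:],                    # host part (32 - s bits)
        "network_id": mask_address(address, network_mask),
        "subnet_id": mask_address(address, subnet_mask),
        # usable hosts per subnet: all host-part values except all-0s and all-1s
        "hosts_per_subnet": max(2 ** (32 - s) - 2, 0),
    }


if __name__ == "__main__":
    for addr, nmask, smask in (("128.171.17.13", "255.255.0.0", "255.255.255.0"),
                               ("60.47.123.7", "255.0.0.0", "255.255.0.0")):
        print(addr, split_address(addr, nmask, smask))
```
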

Figure 3-17: IP Address Spoofing

[Figure]
1. Trust relationship between the trusted server (60.168.4.6) and the victim server (60.168.47.47)
2. The attacker's client PC (1.34.150.37) sends an attack packet with the spoofed source IP address 60.168.4.6
3. The victim server accepts the attack packet; the attacker's identity is not revealed

Figure 3-13: Internet Protocol (IP)

IP Addresses and Security

IP address spoofing: sending a message with a false source IP address (Figure 3-17)

Gives the sender anonymity so that the attacker cannot be identified

Can exploit trust between hosts if the spoofed IP address is that of a host the victim host trusts

Figure 3-13: Internet Protocol (IP) (Study Figure)

IP Addresses and Security

LAND attack: send the victim a packet with the victim's IP address in both the source and destination address fields and the same port number for the source and destination (Figure 3-18). In 1997, many computers, switches, routers, and even printers crashed when they received such a packet.

Figure 3-18: LAND Attack Based on IP Address Spoofing

[Figure: the attacker (1.34.150.37) sends a segment From: 60.168.47.47:23 To: 60.168.47.47:23 to the victim (60.168.47.47), whose port 23 is open; the victim crashes.]

Source and destination IP addresses are the same; source and destination port numbers are the same.

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Protocol field: identifies the content of the IP data field. Firewalls need this information to know how to process the packet.

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Time-to-Live field: each router decrements the TTL value by one; the router that decrements the TTL field to zero discards the packet.

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Time-to-Live field

The router also sends an error advisement message to the sender

The packet containing this message reveals the router's IP address to the attacker

Traceroute uses TTL to map the route to a host (Figure 3-19); tracert on Windows machines

Figure 3-19: Tracert Program in Windows

[Screenshot of tracert output]

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Header Length field and Options

With no options, Header Length is 5, expressed in units of 32 bits, so 20 bytes

Many options are dangerous, so if Header Length is more than 5, be suspicious

Some firms drop all packets with options

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Length Field

Gives the length of the entire packet (header plus data)

Maximum is 65,535 bytes (the field is 16 bits)

The Ping-of-Death attack sent fragments that reassembled into a packet longer than this; many systems crashed

Figure 3-20: Ping-of-Death Attack

[Figure: the attacker (1.34.150.37) sends the victim (60.168.47.47) an IP packet containing an ICMP Echo message that is illegally long; the victim crashes.]

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Fragmentation

Routers may fragment IP packets (really, packet data fields) en route

All fragments have the same Identification field value

Fragment offset values allow the fragments to be ordered

The More Fragments flag is 0 in the last fragment

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Fragmentation

Harms packet inspection: the TCP header, etc. is only in the first packet in the series

Cannot filter on the TCP header, etc. in subsequent packets

Figure 3-22: TCP Header is Only in the First Fragment of a Fragmented IP Packet

[Figure]
1. The attacker (1.34.150.37) sends a fragmented IP packet
2. First fragment: IP header, TCP header, TCP data field. Second fragment: IP header, TCP data field
3. The TCP header is only in the first fragment
4. The second fragment has no TCP header
5. The firewall (60.168.47.47) can only filter on the TCP header in the first fragment

Figure 3-13: Internet Protocol (IP) (Study Figure)

Other IP Header Fields

Fragmentation

Teardrop attack: a crafted fragmented packet does not make sense when reassembled

Some firewalls drop all fragmented packets, which are rare today

Figure 3-21: Teardrop Denial-of-Service Attack

[Figure: the attacker (1.34.150.37) sends what pretends to be a fragmented IP packet; when reassembled, the fragments leave gaps and overlaps, the packet does not make sense, and the victim (60.168.47.47) crashes.]
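The LAND, header-length, Ping-of-Death and Teardrop slides above all describe checks that can be made from IP and TCP header fields alone, before any payload inspection. The following added example (not from Panko's text) implements them over already-parsed header fields held in a small constructed dataclass: a LAND test, an options test, a note that non-first fragments carry no transport header to filter on, and a reassembly check that reports gaps, overlaps, and a reassembled datagram that would exceed the 16-bit Total Length. Addresses, lengths and fragment layouts in the usage are constructed sample values.

```python
"""Added example: header-only firewall checks for Figures 3-18, 3-20, 3-21 and 3-22."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    ihl_words: int = 5             # IP Header Length in 32-bit words; 5 means no options
    total_length: int = 40         # IP Total Length in bytes (header plus data)
    protocol: int = 6              # 1 = ICMP, 6 = TCP, 17 = UDP
    ident: int = 0                 # Identification field shared by all fragments of one packet
    more_fragments: bool = False   # MF flag; 0 in the last fragment
    fragment_offset: int = 0       # Fragment Offset in 8-byte units
    sport: Optional[int] = None    # transport ports, known only for an unfragmented packet
    dport: Optional[int] = None    # or for the first fragment


MAX_IP_DATAGRAM = 65535            # largest value the 16-bit Total Length field can hold
IP_HEADER_BYTES = 20


def is_land(p: Pkt) -> bool:
    """Figure 3-18: same source and destination address and, for TCP/UDP, same ports."""
    return p.src == p.dst and (p.protocol not in (6, 17) or p.sport == p.dport)


def has_options(p: Pkt) -> bool:
    """Header Length above 5 means IP options are present."""
    return p.ihl_words > 5


def inspect(p: Pkt) -> List[str]:
    """Findings a border firewall can make per packet from the headers alone."""
    findings = []
    if is_land(p):
        findings.append("LAND: source and destination address/port identical")
    if has_options(p):
        findings.append(f"IP options present (header length {p.ihl_words} > 5)")
    if p.fragment_offset > 0:
        findings.append("non-first fragment: no TCP/UDP header to filter on")
    return findings


def reassemble(frags: List[Pkt]) -> Tuple[str, Optional[int]]:
    """Check that fragments sharing one Identification value tile the data field
    without gaps or overlaps (Figure 3-21) and that the result fits the Total
    Length field (Figure 3-20). Returns (status, reassembled data bytes)."""
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments must share one Identification value")
    pieces = sorted(
        (f.fragment_offset * 8,
         f.fragment_offset * 8 + f.total_length - f.ihl_words * 4,
         f.more_fragments)
        for f in frags)
    end = 0
    for start, stop, _ in pieces:
        if start > end:
            return "gap", None
        if start < end:
            return "overlap", None
        end = stop
    if pieces[-1][2]:
        return "incomplete", end       # last fragment by offset still has MF set
    if end + IP_HEADER_BYTES > MAX_IP_DATAGRAM:
        return "oversize", end         # Ping-of-Death shape: too big for the Total Length field
    return "ok", end


if __name__ == "__main__":
    land = Pkt("60.168.47.47", "60.168.47.47", sport=23, dport=23)
    print(inspect(land))
    first = Pkt("1.34.150.37", "60.168.47.47", total_length=1500, ident=7, more_fragments=True)
    second = Pkt("1.34.150.37", "60.168.47.47", total_length=120, ident=7, fragment_offset=185)
    print(reassemble([second, first]))
```

The reassembly check only simulates the bookkeeping a host or firewall does; it never touches payload bytes, which is the point: every one of these attacks is visible from header fields that the border firewall sees on every packet.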

Figure 3-24: IP Packet with a TCP Segment Data Field

IP Header (usually 20 bytes), followed by the TCP header (each row is 32 bits, Bit 0 to Bit 31):

Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)
Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)
TCP Checksum (16 bits) | Urgent Pointer (16 bits)

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

TCP messages are TCP segments

Header Length (4 bits) | Reserved (6 bits) | Flag Fields (6 bits) | Window Size (16 bits)

The flags field has several one-bit flags: ACK, SYN, FIN, RST, etc.

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Reliable

The receiving process sends an ACK to the sending process if the segment is correctly received

The ACK bit is set (1) in acknowledgement segments

If the sending process does not get an ACK, it resends the segment

[Figure: the PC transport process sends a TCP segment; the webserver transport process returns a TCP segment (ACK).]

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Connections: Opens and Closes

Formal open and close

Three-way open: SYN, SYN/ACK, ACK (Figure 3-25)

Normal four-way close: FIN, ACK, FIN, ACK (Figure 3-25)

Abrupt close: RST (Figure 3-26)

Figure 3-25: Communication During a TCP Session

[Figure: segments exchanged between the PC transport process and the webserver transport process.]

3-Way Open (3 segments):
1. SYN (Open)
2. SYN, ACK (1) (Acknowledgement of 1)
3. ACK (2)

Carry HTTP Request and Response (4 segments):
4. Data = HTTP Request
5. ACK (4)
6. Data = HTTP Response
7. ACK (6)

Error Handling:
8. Data = HTTP Request (Error)
9. Data = HTTP Request (No ACK, so retransmit)
10. ACK (9)
11. Data = HTTP Response
12. ACK (11)

Normal Four-Way Close (4 segments):
13. FIN (Close)
14. ACK (13)
15. FIN
16. ACK (15)

Note: An ACK may be combined with the next message if the next message is sent quickly enough.

Abrupt Close (1 segment): RST. Either side can send a Reset (RST) segment at any time; it ends the session immediately.

Figure 3-26: SYN/ACK Probing Attack Using Reset (RST)

[Figure]
1. The attacker (1.34.150.37) sends a probe: a SYN/ACK segment to 60.168.47.47
2. The victim (60.168.47.47) has no such connection: the segment makes no sense
3. The victim answers "go away" with an RST segment
4. The IP header of the RST segment carries the source IP address 60.168.47.47
5. The attacker learns that 60.168.47.47 is live
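To make the exchanges of Figures 3-25 and 3-26 concrete, the following added example (not from Panko's text) is a toy TCP listener that answers a SYN with SYN/ACK, completes the open on the ACK, acknowledges data by sequence number plus length, performs the close with a combined FIN/ACK (the note about combining an ACK with the next message), and replies to a SYN/ACK for which it has no connection with an RST, the reply that tells a prober the host is live. Segments are plain Python objects, the initial sequence number is fixed for reproducibility (real stacks randomize it), and there are no retransmission timers, windows or checksums; the addresses and ports are the slide's sample values.

```python
"""Added example: toy TCP listener for the segment exchanges of Figures 3-25 and 3-26."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    ack: int = 0
    flags: frozenset = frozenset()      # subset of {"SYN", "ACK", "FIN", "RST"}
    data: bytes = b""


@dataclass
class Listener:
    ip: str
    port: int
    isn: int = 1000                     # fixed initial sequence number (real stacks randomize)
    conns: dict = field(default_factory=dict)   # (peer ip, peer port) -> {"state", "snd", "rcv"}

    def _reply(self, s: Segment, flags, seq: int, ack: int) -> Segment:
        return Segment(self.ip, self.port, s.src, s.sport, seq, ack, frozenset(flags))

    def receive(self, s: Segment) -> Optional[Segment]:
        """Process one arriving segment; return the segment sent back, if any."""
        if s.dst != self.ip or s.dport != self.port:
            return None                                   # not for this socket
        key = (s.src, s.sport)
        c = self.conns.get(key)
        if c is None:
            if s.flags == {"SYN"}:                        # 1. SYN  ->  2. SYN, ACK(1)
                self.conns[key] = {"state": "SYN_RCVD", "snd": self.isn + 1, "rcv": s.seq + 1}
                return self._reply(s, ("SYN", "ACK"), self.isn, s.seq + 1)
            if "RST" in s.flags:
                return None                               # never answer a RST with a RST
            # Figure 3-26: a SYN/ACK (or any other segment) for a connection that does not
            # exist makes no sense, so the host sends RST, which is what the prober wants.
            return self._reply(s, ("RST",), s.ack, 0)
        if "RST" in s.flags:                              # abrupt close, no reply
            del self.conns[key]
            return None
        if c["state"] == "SYN_RCVD" and "ACK" in s.flags and s.ack == c["snd"]:
            c["state"] = "ESTABLISHED"                    # 3. ACK(2) completes the open
        if c["state"] == "ESTABLISHED" and s.data:        # 4. data  ->  5. ACK(4)
            c["rcv"] = s.seq + len(s.data)                # ack number = next byte expected
            return self._reply(s, ("ACK",), c["snd"], c["rcv"])
        if c["state"] == "ESTABLISHED" and "FIN" in s.flags:   # 13. FIN -> 14. ACK + 15. FIN combined
            c["state"] = "LAST_ACK"
            c["rcv"] = s.seq + 1                          # a FIN consumes one sequence number
            reply = self._reply(s, ("FIN", "ACK"), c["snd"], c["rcv"])
            c["snd"] += 1                                 # so does ours
            return reply
        if c["state"] == "LAST_ACK" and "ACK" in s.flags and s.ack == c["snd"]:
            del self.conns[key]                           # 16. ACK(15): connection gone
        return None


if __name__ == "__main__":
    srv = Listener("60.168.47.47", 80)
    probe = Segment("1.34.150.37", 40000, "60.168.47.47", 80, seq=1, ack=1, flags=frozenset({"SYN", "ACK"}))
    print(srv.receive(probe))                             # RST from 60.168.47.47: host is live
```

Note what the attacker gets from the RST path: the reply needs no connection state at all, so a single unsolicited SYN/ACK to any port is enough to confirm the address is live, which is why the text treats RST generation as reconnaissance rather than a mere protocol detail.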

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Sequence and Acknowledgement Number

Sequence numbers identify a segment's place in the sequence

The acknowledgement number identifies which segment is being acknowledged

Source Port Number (16 bits) | Destination Port Number (16 bits)
Sequence Number (32 bits)
Acknowledgment Number (32 bits)

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Port Number

Port numbers identify applications

Well-known ports (0-1023) are used by server applications that run as root (on Unix-like systems, binding to them traditionally requires root) (Figure 3-27)

HTTP=80, Telnet=23, FTP=21 for supervision and 20 for data transfer, SMTP=25

Source Port Number (16 bits) | Destination Port Number (16 bits)

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Port Number

Registered ports (1024-49151) for any application

Ephemeral/dynamic/private ports (49152-65535) used by clients (16,384 possible)

Not all operating systems use these port ranges for ephemeral ports, although all use the well-known ports

Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)

Port Number

Socket format is IP address:Port, for instance 128.171.17.13:80. It designates a specific program on a specific machine.

Port spoofing (Figure 3-28): an incorrect application uses a well-known port, especially 80, which is often allowed through firewalls

Figure 3-27: Use of TCP and UDP Port Numbers

[Figure: Client 60.171.18.22, Webserver 60.171.17.13 (Port 80), SMTP Server 123.30.17.120 (Port 25).]

Client to webserver: From 60.171.18.22:50047 To 60.171.17.13:80
Webserver reply: From 60.171.17.13:80 To 60.171.18.22:50047
Client to SMTP server: From 60.171.18.22:60003 To 123.30.17.120:25

Clients use different ephemeral ports for different connections.

Figure 3-29: User Datagram Protocol (UDP) (Study Figure)

UDP Datagrams are Simple (Figure 3-30)

Source and destination port numbers (16 bits each)
UDP length (16 bits)
UDP checksum (16 bits)

IP Header (usually 20 bytes), followed by the UDP header (each row is 32 bits, Bit 0 to Bit 31):
Source Port Number (16 bits) | Destination Port Number (16 bits)
UDP Length (16 bits) | UDP Checksum (16 bits)
Data Field

Figure 3-29: User Datagram Protocol (UDP) (Study Figure)

Port spoofing is still possible

UDP datagram insertion: insert a UDP datagram into an ongoing dialog stream. Hard to detect because there are no sequence numbers in UDP.

Figure 3-33: Internet Control Message Protocol (ICMP)

ICMP is for supervisory messages at the internet layer

ICMP and IP: an ICMP message is delivered (encapsulated) in the data field of an IP packet

Types and Codes (Figure 3-2)

Type: general category of supervisory message

Code: subcategory of type (set to zero if there is no code)

Figure 8.13: Internet Control Message Protocol (ICMP) for Supervisory Messages

[Figure: a router sends a Host Unreachable error message; a host answers an Echo with an Echo Reply. Each ICMP message travels behind an IP header.]

Figure 3-32: IP Packet with an ICMP Message Data Field

IP Header (usually 20 bytes), followed by the ICMP message (each row is 32 bits, Bit 0 to Bit 31):
Type (8 bits) | Code (8 bits) | Depends on Type and Code
Depends on Type and Code

Figure 3-32: Internet Control Message Protocol (ICMP)

Network Analysis Messages

Echo (Type 8, no code) asks the target host if it is operational and available

Echo reply (Type 0, no code): the target host responds to the echo sender

The ping program implements Echo and Echo Reply, like a submarine pinging a target

Ping is useful for network managers to diagnose problems based on failures to reply

Ping is useful for hackers to identify potential targets: live ones reply

Figure 3-32: Internet Control Message Protocol (ICMP)

Error Advisement Messages

Advise the sender of an error, but there is no error correction

Host Unreachable (Type 3, multiple codes): many codes give the specific reason for the host being unreachable

The Host Unreachable packet's source IP address confirms to hackers that the IP address is live and therefore a potential victim

Usually sent by a router

Figure 3-31: Internet Control Message Protocol (ICMP)

Error Advisement Messages

Time Exceeded (Type 11; code 0 means TTL exceeded in transit)

The router that decrements TTL to 0 discards the packet and sends a Time Exceeded message

The IP header of the packet containing the error message reveals the router's IP address

By progressively incrementing TTL values by 1 in successive packets, an attacker can scan progressively deeper into the network, mapping the network

Also usually sent by a router
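The following added example (not from Panko's text) builds and decodes ICMP Echo and Echo Reply messages with the Type/Code/Checksum layout of Figure 3-32, and then runs the TTL trick of Figures 3-19 and 3-31 against a constructed chain of routers rather than a real network: each probe's TTL expires one hop further along, the expiring router answers with Time Exceeded from its own address, and the target itself finally answers with Echo Reply. The router and host addresses are sample values.

```python
"""Added example: ICMP Echo/Time Exceeded messages and a simulated traceroute (Figures 3-19, 3-31, 3-32)."""
import struct

ICMP_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Type (8 bits) | Code (8 bits) | Checksum (16 bits) | rest of header | payload."""
    body = struct.pack("!BBH", msg_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_echo(ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Echo (Type 8, code 0): identifier and sequence number fill the next 32 bits."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(msg: bytes) -> dict:
    msg_type, code, csum = struct.unpack("!BBH", msg[:4])
    ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == csum
    return {"type": msg_type, "code": code, "name": ICMP_NAMES.get(msg_type, "other"),
            "checksum_ok": ok, "rest": msg[4:]}


class FakeInternet:
    """Routers in order from the sender, then the target host. Each router decrements
    TTL; the one that brings it to zero discards the packet and sends Time Exceeded
    (Type 11, code 0) from its own address, quoting the start of the dropped datagram."""

    def __init__(self, routers, target: str):
        self.routers, self.target = list(routers), target

    def send(self, ttl: int, icmp: bytes):
        for router in self.routers:
            ttl -= 1
            if ttl == 0:
                return router, build_icmp(11, 0, b"\x00" * 4, icmp[:8])
        if parse_icmp(icmp)["type"] == 8:            # reached the target: Echo -> Echo Reply
            return self.target, build_icmp(0, 0, icmp[4:8], icmp[8:])
        return self.target, None


def traceroute(net: FakeInternet, max_hops: int = 30) -> list:
    """Probe with TTL = 1, 2, 3, ... and record (ttl, responder, message) until the
    target itself answers. Every Time Exceeded reveals one more router address."""
    route = []
    for ttl in range(1, max_hops + 1):
        responder, reply = net.send(ttl, build_echo(0x1234, ttl))
        kind = parse_icmp(reply)["name"] if reply else "no reply"
        route.append((ttl, responder, kind))
        if responder == net.target:
            break
    return route


if __name__ == "__main__":
    net = FakeInternet(["10.0.0.1", "192.0.2.1", "198.51.100.7"], "60.168.47.47")
    for hop in traceroute(net):
        print(*hop)
```

The simulation shows why Time Exceeded is a mapping tool: the attacker learns nothing from the probe itself, only from the source address on each router's error advisement, so filtering outbound Time Exceeded at the border hides the internal route at the cost of breaking legitimate traceroute.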

Figure 3-31: Internet Control Message Protocol (ICMP)

Control Codes

Control network/host operation

Source Quench (Type=4, no code): tells the destination host to slow down its transmission rate

Legitimate use: flow control if the host sending the source quench is overloaded

Attackers can use it for a denial-of-service attack (for this reason Source Quench was later deprecated by RFC 6633, and modern hosts ignore it)

Figure 3-31: Internet Control Message Protocol (ICMP)

Control Codes

Redirect (Type 5, multiple codes): tells a host or router to send packets a different way than it has been

Attackers can disrupt network operations, for example by sending packets down black holes

Many other ICMP messages exist

Topics Covered

Network Elements

Client and server stations

Applications

Trunk lines and access lines

Switches and routers

Messages (frames)

Topics Covered

Messages (frames) may have headers, data fields, and trailers

Headers have source and destination address fields

Switches forward (switch) frames based on the value in the destination address field

Based on the field value, the switch sends the frame out a different port than the one on which the frame arrived

Topics Covered

Internets

Group of networks connected by routers

The Internet is a global internet; organizations connect via ISPs

Internet messages are called packets; the path of a packet is its route

Packets travel within frames in networks: if the route goes through four networks, there will be one packet and four frames

Topics Covered

TCP/IP Standards

Dominate the Internet

Created by the Internet Engineering Task Force (IETF); documents are called requests for comments (RFCs)

OSI Standards

Dominate for single networks: physical and data link layers

Topics Covered

[Figure: the layer comparison of Figure 3-3. TCP/IP: Application, Transport, Internet, Subnet Access (use OSI standards here). OSI: Application, Presentation, Session, Transport, Network, Data Link, Physical. Hybrid TCP/IP-OSI: Application, Transport, Internet, Data Link, Physical.]

Topics Covered

Internetworking Layers

Internet layer: Internet Protocol (IP) governs packet organization and hop-by-hop router forwarding (routing)

Transport layer: governs the end-to-end connection between the two hosts. TCP adds reliability, flow control, etc.; UDP is simpler and offers no reliability, etc.

Topics Covered

Application Layer Standards

Govern interaction between two application programs

Usually a message formatting standard and a message transfer standard: HTML / HTTP in the WWW; RFC 2822 / SMTP in e-mail

Topics Covered

IP Packet

Version 4

32-bit source and destination addresses

Time to live (TTL)

Header checksum

Protocol (type of message in the data field)

Data field

Topics Covered

IP Packet

Version 4

Option fields may be used, but are more likely to be used by hackers than legitimately

A packet may be fragmented; this too is done mainly by attackers

Data field

Version 6

128-bit addresses to allow more addresses

Topics Covered

Vertical Communication on the Source Host

One layer (Layer N) creates a message

Passes the message down to the next-lower layer (Layer N-1)

The Layer N-1 process encapsulates the Layer N message in the data field of a Layer N-1 message

Layer N-1 passes the Layer N-1 message down to Layer N-2

Topics Covered

The process is reversed on the destination host: decapsulation occurs at each layer

Vertical Processes on a Router

The router first receives, then sends, so it first decapsulates, then encapsulates

There is one internet layer process on each router

Topics Covered

Firewalls only need to look at internet, transport, and application messages

The attacker cannot manipulate the frame going from the ISP to the organization

Topics Covered

IP

Connectionless and unreliable

Hierarchical IP addresses: network part, subnet part, host part; part lengths vary

Topics Covered

IP

Masks

You cannot tell by looking at an IP address what its network or subnet parts are

The network mask has 1s in the network part, followed by all zeros

The subnet mask has 1s in the network and subnet parts, followed by all zeros

Topics Covered

IP address spoofing

Change the source IP address, to conceal the identity of the attacker or to have the victim think the packet comes from a trusted host

LAND attack

Topics Covered

TCP Messages

Called TCP segments

Flags field bits for SYN, ACK, FIN, RST

3-way handshake with SYN to open

Each segment that is received correctly is ACKed; this provides reliability

Topics Covered

TCP Messages

Normally, FIN is used in a four-way close

RST can create a single-message close

Attackers try to generate RSTs because the RST message is in a packet revealing the victim's IP address

Topics Covered

Port Numbers

Used in both TCP and UDP

16-bit source and destination port numbers

Clients use ephemeral port numbers, randomly generated by the client, in the range 49152-65535

Major applications on servers use well-known port numbers, 0 to 1023

Topics Covered

ICMP

For supervisory messages at the internet layer

ICMP messages are encapsulated in the data fields of IP packets

Type and code designate the contents of the ICMP message

Attackers use ICMP messages in scanning: replies tell them which IP addresses are live

Topics Covered

ICMP

Echo (Type 8, no code) asks the target host if it is operational and available

Echo reply (Type 0, no code): the target host responds to the echo sender

The ping program implements Echo and Echo Reply, like a submarine pinging a target

ICMP error messages of several types

Allow only ICMP echo replies in border router ingress filtering