02 - NWS - Advanced TCP-IP

NETWORK SECURITY
CT037-3-2
Advanced TCP/IP
Degree – Level 2
Prepared by: HGB First Prepared on:

Quality checked by:
Copyright 2004 Asia Pacific Institute of Information Technology
Learning Outcomes
• At the end of this session you should be

able to:
– Understand IPv4 addresses and classes
– Identify the class of an IP address
– Find the network address given an IP address
– Understand masks and how to use them
– Understand subnets
– Explain the fundamentals of TCP/IP networking
– Describe IPv4 packet structure and explain packet fragmentation
– Describe Internet Protocol version 6 (IPv6)
– Understand the need for ARP
– Understand the cases in which ARP is used
–
CT037-3-2 Network Security
Understand the componentsAdvanced
andTCP-IP
interactions in an ARP package
4.1 INTRODUCTION
INTRODUCTION
The identifier used in the IP layer of the TCP/IP protocol suite to identify
each device connected to the Internet is called the Internet address or IP
address. An IP address is a 32-bit address that uniquely and universally
defines the connection of a host or a router to the Internet. IP addresses are
unique. They are unique in the sense that each address defines one, and
only one, connection to the Internet. Two devices on the Internet can never
have the same address.
CT037-3-2 Network Security Advanced TCP-IP

Note:
An IP address is a 32-bit address.

Note:
The IP addresses are unique.

Note:
The address space of IPv4 is

232 or 4,294,967,296.

Dotted-decimal notation

Note:
The binary, decimal, and hexadecimal

number systems are reviewed in
Appendix B.

Example 1
Change the following IP addresses from binary notation to

dotted-decimal notation.
a. 10000001 00001011 00001011 11101111
b. 11000001 10000011 00011011 11111111
c. 11100111 11011011 10001011 01101111
d. 11111001 10011011 11111011 00001111
Solution
We replace each group of 8 bits with its equivalent decimal
number (see Appendix B) and add dots for separation:
a. 129.11.11.239 b. 193.131.27.255
c. 231.219.139.111 d. 249.155.251.15

Example 2
Change the following IP addresses from dotted-decimal notation

to binary notation.
a. 111.56.45.78 b. 221.34.7.82
c. 241.8.56.12 d. 75.45.34.78
Solution
We replace each decimal number with its binary equivalent:
a. 01101111 00111000 00101101 01001110
b. 11011101 00100010 00000111 01010010
c. 11110001 00001000 00111000 00001100
d. 01001011 00101101 00100010 01001110

Example 3
Find the error, if any, in the following IP addresses:

a. 111.56.045.78 b. 221.34.7.8.20
c. 75.45.301.14 d. 11100010.23.14.67
Solution
a. There are no leading zeroes in dotted-decimal notation (045).
b. We may not have more than four numbers in an IP address.
c. In dotted-decimal notation, each number is less than or equal
to 255; 301 is outside this range.
d. A mixture of binary notation and dotted-decimal notation is not
allowed.
Example 4
Change the following IP addresses from binary notation to

hexadecimal notation.
a. 10000001 00001011 00001011 11101111
b. 11000001 10000011 00011011 11111111
Solution
We replace each group of 4 bits with its hexadecimal equivalent
(see Appendix B). Note that hexadecimal notation normally has
no added spaces or dots; however, 0X (or 0x) is added at the
beginning or the subscript 16 at the end to show that the number
is in hexadecimal.
a. 0X810B0BEF or 810B0BEF16
b. 0XC1831BFF or C1831BFF16
CLASSFUL ADDRESSING
IP addresses, when started a few decades ago, used the concept of classes.
This architecture is called classful addressing. In the mid-1990s, a new
architecture, called classless addressing, was introduced and will
eventually supersede the original architecture. However, part of the
Internet is still using classful addressing, but the migration is very fast.

Occupation of the address space

Table 4.1 Addresses per class

Finding the class in binary notation

Finding the address class

Example 5
How can we prove that we have 2,147,483,648 addresses in

class A?
Solution
In class A, only 1 bit defines the class. The remaining 31 bits are
available for the address. With 31 bits, we can have 231
or 2,147,483,648 addresses.

Example 6
Find the class of each address:

a. 00000001 00001011 00001011 11101111
b. 11000001 10000011 00011011 11111111
c. 10100111 11011011 10001011 01101111
d. 11110011 10011011 11111011 00001111
Solution
See the procedure in Figure 4.4.
a. The first bit is 0. This is a class A address.
b. The first 2 bits are 1; the third bit is 0. This is a class C address.
c. The first bit is 0; the second bit is 1. This is a class B address.
d. The first 4 bits are 1s. This is a class E address..
Finding the class in decimal notation

Example 7
Find the class of each address:

a. 227.12.14.87 b.193.14.56.22 c.14.23.120.8
d. 252.5.15.111 e.134.11.78.56
Solution
a. The first byte is 227 (between 224 and 239); the class is D.
b. The first byte is 193 (between 192 and 223); the class is C.
c. The first byte is 14 (between 0 and 127); the class is A.
d. The first byte is 252 (between 240 and 255); the class is E.
e. The first byte is 134 (between 128 and 191); the class is B.

Example 8
In Example 5 we showed that class A has 231 (2,147,483,648)

addresses. How can we prove this same fact using dotted-
decimal notation?
Solution
The addresses in class A range from 0.0.0.0 to 127.255.255.255.
We need to show that the difference between these two numbers
is 2,147,483,648. This is a good exercise because it shows us
how to define the range of addresses between two addresses. We
notice that we are dealing with base 256 numbers here. Each
byte in the notation has a weight. The weights are as follows (see
Appendix B):
See Next Slide

Example 8 (continued)
2563, 2562, 2561, 2560

Now to find the integer value of each number, we multiply each
byte by its weight:
Last address: 127 × 2563 + 255 × 2562 +
255 × 2561 + 255 × 2560 = 2,147,483,647
First address: = 0
If we subtract the first from the last and add 1 to the result
(remember we always add 1 to get the range), we get
2,147,483,648 or 231.

Netid and hostid

Note:
Millions of class A addresses are

wasted.

Blocks in class A

Blocks in class B

Note:
Many class B addresses are wasted.

Blocks in class C

Note:
The number of addresses in class C is

smaller than the needs of most
organizations.

Note:
Class D addresses are used for

multicasting; there is only one block in
this class.

Note:
Class E addresses are reserved for

future purposes; most of the block is
wasted.

Note:
In classful addressing, the network

address (the first address in the block)
is the one that is assigned to the
organization. The range of addresses
can automatically be inferred from the
network address.

Example 9
Given the network address 17.0.0.0, find the class, the block, and
the range of the addresses.
Solution
The class is A because the first byte is between 0 and 127. The
block has a netid of 17. The addresses range from 17.0.0.0 to
17.255.255.255.

Example 10
Given the network address 132.21.0.0, find the class, the block,
and the range of the addresses.
Solution
The class is B because the first byte is between 128 and 191. The
block has a netid of 132.21. The addresses range from
132.21.0.0 to 132.21.255.255.

Example 11
Given the network address 220.34.76.0, find the class, the block,
and the range of the addresses.
Solution
The class is C because the first byte is between 192 and
223. The block has a netid of 220.34.76. The addresses
range from 220.34.76.0 to 220.34.76.255.

Masking concept

AND operation

Table 4.2 Default masks

Note:
The network address is the beginning

address of each block. It can be found
by applying the default mask to any of
the addresses in the block (including
itself). It retains the netid of the block
and sets the hostid to zero.

Example 12
Given the address 23.56.7.91, find the beginning address

(network address).
Solution
The default mask is 255.0.0.0, which means that only the first
byte is preserved and the other 3 bytes are set to 0s. The network
address is 23.0.0.0.

Example 13

(network address).
Solution
The default mask is 255.255.0.0, which means that the first 2
bytes are preserved and the other 2 bytes are set to 0s. The
network address is 132.6.0.0.

Example 14

(network address).
Solution
The default mask is 255.255.255.0, which means that the first 3
bytes are preserved and the last byte is set to 0. The network
address is 201.180.56.0.

Note:
Note that we must not apply the default

mask of one class to an address
belonging to another class.

Category addresses

Addresses for conferencing

Sample internet

Note:
IP addresses are designed with two

levels of hierarchy.

A network with two levels of hierarchy (not subnetted)

A network with three levels of hierarchy (subnetted)

Addresses in a network with and without subnetting

Hierarchy concept in a telephone number

Default mask and subnet mask

Subnetting
– Logically segment internal networks

• Borrow bits from host portion of IP address to
create subset of networks with network IDs
– Make network management easier
– Optimize security, performance, and access
– Mirror organization’s physical layout
– Mirror organization’s administrative structure
– Plan for future growth
– Reduce and control network traffic

Subnetting
Class B subnetting

Subnetting
• Subnetting
– Select mask that most meets your needs
• Find usable IP addresses for host address and
broadcast: convert last masking octet to binary
• Determine block size from binary place value of
last masking digit
– Assign the mask to your network

Subnetting
Subnetting example

Subnetting
• Formula for calculating subnets

2y = number of usable subnets (y is the
number of subnet bits)
2x - 2 = number of usable hosts per subnet (x
is the number of host bits (zeros in the mask))
• Variable length subnet masking (VLSM)
– Applies masks of varying sizes to same
network
– Allows more efficient use of address spaces
Subnetting
• Activity 2-1: Determining your computer’s

IP address
– Objective: Determine the IP address of your
computer
– Use Ipconfig command
• Type ipconfig / all at command prompt and press
Enter
– Note IP address, subnet mask, default
gateway address, and the address assigned
to your Ethernet adapter (external address)
Subnetting
• Classless interdomain routing (CIDR)

– Specifies number of masked bits in an IP
address/subnet mask combination
– Overcomes limits of default subnet masks:
unused addresses don’t go to waste
– Exchange subnet mask information between
routers
– Allows VLSM and supernetting to work
– Example: 255.255.255.224 becomes
192.168.6.0/27 in CIDR notation
Example 15
What is the subnetwork address if the destination address is

200.45.34.56 and the subnet mask is 255.255.240.0?
Solution
We apply the AND operation on the address and the subnet
mask.
Address ➡ 11001000 00101101 00100010 00111000
Subnet Mask ➡ 11111111 11111111 11110000 00000000
Subnetwork Address ➡ 11001000 00101101 00100000 00000000.

Comparison of a default mask and a subnet mask

Note:
In subnetting, we need the first address
of the subnet and the subnet mask to
define the range of addresses.

Comparison of subnet and default masks

Example 1
Which of the following can be the beginning address of

a block that contains 16 addresses?
a. 205.16.37.32 b.190.16.42.44
c. 17.17.33.80 d.123.45.24.52
Solution
Only two are eligible (a and c). The address
205.16.37.32 is eligible because 32 is divisible by 16.
The address 17.17.33.80 is eligible because 80 is
divisible by 16.
Example 2

a.205.16.37.32 b.190.16.42.0
c.17.17.32.0 d.123.45.24.52
Solution
In this case, the right-most byte must be 0. As we
mentioned in Chapter 4, the IP addresses use base 256
arithmetic. When the right-most byte is 0, the total
address is divisible by 256. Only two addresses are
eligible (b and c).
Example 3

a. 205.16.37.32 b.190.16.42.0
c. 17.17.32.0 d.123.45.24.52
Solution
In this case, we need to check two bytes because
1024 = 4 × 256. The right-most byte must be divisible
by 256. The second byte (from the right) must be
divisible by 4. Only one address is eligible (c).

Format of classless addressing address

Prefix lengths

Note:
Classful addressing is a special case of

classless addressing.

Example 4
What is the first address in the block if one of the

addresses is 167.199.170.82/27?
Solution
Address in binary: 10100111 11000111 10101010 01010010

Result in CIDR notation: 167.199.170.64/27

Example 5
What is the first address in the block if one of the

addresses is 140.120.84.24/20?
Solution
The first address is 140.120.80.0/20.

Example 6
Find the first address in the block if one of the

addresses is 140.120.84.24/20.
Solution
The first address is 140.120.80.0/20.

Example 7
Find the number of addresses in the block if one of the

addresses is 140.120.84.24/20.
Solution
The prefix length is 20. The number of addresses in the
block is 232−20 or 212 or 4096. Note that
this is a large block with 4096 addresses.

Example 8
Find the last address in the block if one of the

addresses is 140.120.84.24/20.
Solution
The last address is 140.120.95.255/20

Example 9
Find the last address in the block if one of the

addresses is 140.120.84.24/20.
Solution
The last address is 140.120.95.255/20.

NETWORK SECURITY
CT037-3-2
TCP/IP Fundamental Overview

TCP/IP Fundamentals Review
• Classless interdomain routing (CIDR)

– Specifies number of masked bits in an IP
address/subnet mask combination
– Overcomes limits of default subnet masks:
unused addresses don’t go to waste
– Exchange subnet mask information between
routers
– Allows VLSM and supernetting to work
– Example: 255.255.255.224 becomes
192.168.6.0/27 in CIDR notation
TCP/IP Fundamentals Review (con’t.)
• Unicasting, multicasting, and broadcasting

– Unicast: packet is sent from a server to each
client that requests a file or application
– Multicast: packet is sent from server to all
requesting clients as a group in one
transmission
• Reduces network traffic
– Broadcast: communication sent to all network
points
• Flooded: any subnet; no forwarding by router
Examining Internet Protocol Version 4
• TCP/IP is packet-based
– Packets are called datagrams
• Attackers may intercept packets and falsify
or manipulate information
– Can disable servers and make network
vulnerable

(con’t.)
• IP datagrams
– Each complete message separated into
multiple datagrams
– Divided into:
• Header
• Data
• Optional footer
• Optional CRC (Cyclic Redundancy Check): error-
checking algorithm

(con’t.)
• Header: used to
communicate across
network

(con’t.)
• IP header fields
– Header version: IP version
– Header length: describes length in 32-bit words
– Type of service: four options for quality of service
– Total length: 16-bit field
– Identification: used to reassemble packets in order
– Flags: indicate whether packet is fragment or last
fragment
– Fragment offset: indicates where fragment fits in data
stream

(con’t.)
• IP header fields (con’t.)
– Time to live (TTL): max time before packet is
dropped
– Protocol: type of transport packet
– Header checksum: sum of header packet
values calculated by CRC
– Source IP address: address of device sending
packet
– Destination IP address: address of device
receiving packet
(con’t.)
• Internet Control Message Protocol (ICMP)
– Assists TCP/IP networks with troubleshooting
communication problems
– Indicates whether another host can be
reached through a ping signal

(con’t.)
ICMP types

TCP segment format

(con’t.)
• TCP headers
– Contain six flags to filter packets
• URG (urgent)
• ACK (acknowledgement)
• PSH (forces forward and delivery of packet)
• RST (reset the connection)
• SYN (synchronize sequence numbers)
• FIN (no more data from sender)
• New flags for congestion notification: ECN, CWR

(con’t.)
• UDP headers
– UDP (user datagram protocol)
• Connectionless; unreliable delivery
• Faster than TCP
• Good for real-time and multimedia, broadcast
messages, and some protocols (SNTP, TFTP)
– Attackers can send empty datagrams to
suspected open UDP port

(con’t.)
A UDP packet header and data

(con’t.)
• Activity 1: Using Wireshark
– Objective: Download, install, and explore
software for monitoring and analyzing network
traffic
– Download Wireshark installation file
– Install packet capture utility WinPcap and
Wireshark
– Look at list of capture interfaces
– Allow Wireshark to capture packets
– Examine packet information columns
(con’t.)
• Packet fragmentation
– Originally created to allow large packets to
pass through routers
– Creates security problems
• Only fragment number 0 has port number; all
others pass through filter
• Configure firewall to drop fragmented packets or
allow only reassembled packets to pass through

(con’t.)
• The TCP life cycle
– Determine source and destination port number
– Determine random starting sequence number
– Initiate three-way handshake (SYN, ACK-SYN,
ACK)
– Control data flow through:
• Buffering
• TCP sliding windows
• Congestion avoidance

(con’t.)
TCP three-way handshake

(con’t.)
• Domain Name System
– Translates fully qualified domain names
(FQDNs) to IP addresses
– Helps administrators block unwanted
communications
– Can be exploited by attackers
• Buffer overflow: long DNS name
• Zone transfer: list of DNS-configured hosts on
network
• Cache poisoning: stored DNS addresses
NETWORK SECURITY
CT037-3-2
IPv6
IPv6
• IPv4 accommodates 4.2 billion unique 32-

bit address addresses
• New technology growth requires more
address space.
• IPv6 is designed to meet addressing
growth:
– 128 bits accommodate 340 undecillion
addresses (7 addresses for each atom of
every human)
IPv4 vs. IP v6
IPv4 IPv6
32 bits addresses 128 bits
4.2 billion addresses 340 undecillion addresses
No authentication Provides authentication of
endpoints
Encryption provided by Support for encryption in protocol
applications
Best effort transport Quality of service (QOS) features
provided in the protocol

IPv6 Features
• Extended addresses space

- Route aggregation, improved delegation/management, hirarhy
• Autoconfiguration support
• Support for IPv6 over IPv4 (tunneling)
• Support for IPv4 over IPv6 (translating)
• Flexible embedded protocol support
• Support for authentication of endpoints
• Support for encryption
IPv6 Addressing
• Address is 128 bits

• Addresses specified in hex, colon-delimited, 32 hex digits
• Divided in three portions
- Network prefix (48 bits) – defines the organization
- Subnet ID (16 bits) – used internal to the organization for subnetting
- Interface ID (64 bits) – defined from the MAC address of the NIC
(autoconfiguration)
Network Interface
prefix Identification
fe80:0000:0000:0000:0013:ceff:fe45:4fe3
Subnet ID
• Groups of repeating 0000’s can be simplified with “::”

fe80::13:ceff:fe45:4fe3

IPv6 Header

(con’t.)
IPv4 and IPv6 packet headers

NETWORK SECURITY
CT037-3-2
Address Resolution Protocol

(ARP)
ARP and RARP

Position of ARP and RARP in TCP/IP protocol suite

ARP
ARP associates an IP address with its physical address. On a typical
physical network, such as a LAN, each device on a link is identified by a
physical or station address that is usually imprinted on the NIC.

ARP operation

ARP packet

ARP Packet
• Hardware type (HTYPE) This field specifies the Link Layer protocol type.
Example: Ethernet is 1.
• Protocol type (PTYPE) This field specifies the upper layer protocol for which
the ARP request is intended. For IPv4, this has the value 0x0800.
• Hardware length (HLEN) Length (in octets) of a hardware address. Ethernet
addresses size is 6.
• Protocol length (PLEN) Length (in octets) of addresses used in the upper
layer protocol. (The upper layer protocol specified in PTYPE.) IPv4 address
size is 4.
• Operation Specifies the operation that the sender is performing: 1 for
request, 2 for reply.
• Sender hardware address (SHA) Hardware (MAC) address of the sender.
• Sender protocol address (SPA) Upper layer protocol address of the sender.
• Target hardware address (THA) Hardware address of the intended receiver.
This field is ignored in requests.
• Target protocol address (TPA) Upper layer protocol address of the intended
receiver.
Encapsulation of ARP packet

Four cases using ARP

Note:
An ARP request is broadcast;

an ARP reply is unicast.

Example 1
A host with IP address 130.23.43.20 and physical

address B2:34:55:10:22:10 has a packet to send to
another host with IP address 130.23.43.25 and physical
address A4:6E:F4:59:83:AB (which is unknown to the
first host). The two hosts are on the same Ethernet
network. Show the ARP request and reply packets
encapsulated in Ethernet frames.
See Next Slide

Example 1 (Continued)
Solution
Figure 7.7 shows the ARP request and reply packets.
Note that the ARP data field in this case is 28 bytes,
and that the individual addresses do not fit in the 4-byte
boundary. That is why we do not show the regular 4-
byte boundaries for these addresses. Also note that the
IP addresses are shown in hexadecimal. For
information on binary or hexadecimal notation see
Appendix B.
See Next Slide

Example 1

Summary
• TCP/IP: suite of many protocols to transmit

information over network
– IP addressing: network, host, and subnet mask
– CIDR: specifies number of masked bits
– ICMP: diagnostic tool
– DNS: converts domain names into IP
addresses
– IP datagrams: packets (can be fragmented)
– Encryption protects data; authentication limits
access
Summary (con’t.)
• IPv6 addresses problems with IPv4

– Larger address space (128 bits)
– Native support for IPSec
– Routing table entries streamlined for directly
connected nodes
– IPv6 datagram: connectionless; unreliable;
consists of header and payload
– ICMPv6: contains MLD and ND protocols
– Unicast, multicast, and anycast addresses
– Stateless address autoconfiguration
– Several integrated utilities
References
• TCP/IP Protocol Suite

– Behrouz Forouzan
– Publisher: McGraw-Hill Science/Engineering/Math; 4 edition (2009)
– ISBN-13: 978-0073376042
• Guide to Tactical Perimeter Defense

– Randy Weaver
– Publisher: Cengage Learning 2008
– ISBN-13: 9781428356306

02 - NWS - Advanced TCP-IP

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

02 - NWS - Advanced TCP-IP

Transféré par

Droits d'auteur :

Formats disponibles

NETWORK SECURITY

Prepared by: HGB First Prepared on:

• At the end of this session you should be

CT037-3-2 Network Security Advanced TCP-IP

An IP address is a 32-bit address.

CT037-3-2 Network Security Advanced TCP-IP

The IP addresses are unique.

CT037-3-2 Network Security Advanced TCP-IP

The address space of IPv4 is

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

The binary, decimal, and hexadecimal

CT037-3-2 Network Security Advanced TCP-IP

Change the following IP addresses from binary notation to

CT037-3-2 Network Security Advanced TCP-IP

Change the following IP addresses from dotted-decimal notation

CT037-3-2 Network Security Advanced TCP-IP

Find the error, if any, in the following IP addresses:

Change the following IP addresses from binary notation to

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

How can we prove that we have 2,147,483,648 addresses in

CT037-3-2 Network Security Advanced TCP-IP

Find the class of each address:

CT037-3-2 Network Security Advanced TCP-IP

Find the class of each address:

CT037-3-2 Network Security Advanced TCP-IP

In Example 5 we showed that class A has 231 (2,147,483,648)

See Next Slide

2563, 2562, 2561, 2560

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

Millions of class A addresses are

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

Many class B addresses are wasted.

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

The number of addresses in class C is

CT037-3-2 Network Security Advanced TCP-IP

Class D addresses are used for

CT037-3-2 Network Security Advanced TCP-IP

Class E addresses are reserved for

CT037-3-2 Network Security Advanced TCP-IP

In classful addressing, the network

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

CT037-3-2 Network Security Advanced TCP-IP

The network address is the beginning

CT037-3-2 Network Security Advanced TCP-IP

Given the address 23.56.7.91, find the beginning address

CT037-3-2 Network Security Advanced TCP-IP

Given the address 132.6.17.85, find the beginning address

CT037-3-2 Network Security Advanced TCP-IP

Given the address 201.180.56.5, find the beginning address