
Question

UNDERSTANDING INTERNET PROTOCOLS

In order to detect or prevent network security breaches, you must understand the Internet protocols as well as the attacker does. The protocols originate from publicly available Requests for Comments, or RFCs. The official repository and publisher of all RFCs is the RFC Editor.

The purpose of this lab is to practice locating and studying two key RFCs. (Feel free to consult any newer material on the IP and TCP protocols. These RFCs are the original materials on these protocols.) A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the Internet. The Internet and its precursor, ARPANET, were developed by engineers and scientists using RFCs.

Assignment:

Find and identify the RFCs for IP and TCP (Questions you should answer are in bold red.)

Go to the RFC Editor and download the specifications for IP and TCP.

Procedure:

Point your browser to http://www.rfc-editor.org

Read the page, then click the "RFC SEARCH" link.

In the search field "Title/Keyword," type in the complete name of the protocol (e.g. "Internet Protocol", not "IP").

By default, the search results are displayed by RFC number (ascending). Also, by default, the number of results shown is 25. Click 'All' to show all the results.

Identify the RFC for each protocol, by RFC number:
          RFC _______     Internet Protocol (5 points)
          RFC _______    Transmission Control Protocol (5 points)

Download the RFCs and use them to answer the following questions

Refer to the RFCs to answer the following questions

Questions about IP (40 Points)

What two basic functions does IP implement? (10 points)

What four key mechanisms does IP use to provide its service? (10 points)

Via what protocol does IP communicate errors? (5 points)

In the IP header, what is the Identification field used for? (5 points)

A number of bits within the IP header are designated reserved or optional; why would these be important in network security? (10 points)

Questions about TCP (40 Points)

What is the difference between a socket and a connection? (5 points)

Name five of the six calls the TCP interface provides (to applications) (15 points)

What are active and passive OPEN requests? (5 points)

Describe the three-way handshake. (15 points)

First, Google netstat and understand what it is. At a workstation, open some web pages and then at a command prompt type:

netstat -a

Identify the ports your machine is listening on and the state of the various connections it is holding (10 points).

Explanation / Answer

The internet protocol implements two basic functions: addressing and
fragmentation.

The internet modules use the addresses carried in the internet header
to transmit internet datagrams toward their destinations. The
selection of a path for transmission is called routing.

The internet modules use fields in the internet header to fragment and
reassemble internet datagrams when necessary for transmission through
"small packet" networks.

The model of operation is that an internet module resides in each host
engaged in internet communication and in each gateway that
interconnects networks. These modules share common rules for
interpreting address fields and for fragmenting and assembling
internet datagrams. In addition, these modules (especially in
gateways) have procedures for making routing decisions and other
functions.

The internet protocol uses four key mechanisms in providing its
service: Type of Service, Time to Live, Options, and Header Checksum.

The Type of Service is used to indicate the quality of the service
desired. The type of service is an abstract or generalized set of
parameters which characterize the service choices provided in the
networks that make up the internet. This type of service indication
is to be used by gateways to select the actual transmission parameters
for a particular network, the network to be used for the next hop, or
the next gateway when routing an internet datagram.

The Time to Live is an indication of an upper bound on the lifetime of
an internet datagram. It is set by the sender of the datagram and
reduced at the points along the route where it is processed. If the
time to live reaches zero before the internet datagram reaches its
destination, the internet datagram is destroyed. The time to live can
be thought of as a self destruct time limit.

The Options provide for control functions needed or useful in some
situations but unnecessary for the most common communications. The
options include provisions for timestamps, security, and special
routing.

The Header Checksum provides a verification that the information used
in processing an internet datagram has been transmitted correctly. The
data may contain errors. If the header checksum fails, the internet
datagram is discarded at once by the entity which detects the error.

The internet protocol does not provide a reliable communication
facility. There are no acknowledgments either end-to-end or
hop-by-hop. There is no error control for data, only a header
checksum. There are no retransmissions. There is no flow control.

Errors detected may be reported via the Internet Control Message
Protocol (ICMP) [3] which is implemented in the internet protocol
module.

IP is a connectionless and unreliable protocol. It is connectionless in the sense that no state related to IP datagrams is maintained on either the source or the destination side, and it is unreliable in the sense that there is no guarantee that an IP datagram will be delivered to the destination.

If an IP datagram encounters some error at the destination or at some intermediate host (while traveling from source to destination) then the IP datagram is generally discarded and an ICMP error message is sent back to the source.

If the address in destination address field has been reached and
        the pointer is not greater than the length, the next address in
        the source route replaces the address in the destination address
        field, and the recorded route address replaces the source
        address just used, and pointer is increased by four.

        The recorded route address is the internet module's own internet
        address as known in the environment into which this datagram is
        being forwarded.

        This procedure of replacing the source route with the recorded
        route (though it is in the reverse of the order it must be in to
        be used as a source route) means the option (and the IP header
        as a whole) remains a constant length as the datagram progresses
        through the internet.

        This option is a loose source route because the gateway or host
        IP is allowed to use any route of any number of other
        intermediate gateways to reach the next address in the route.

To provide for flexibility in assigning address to networks and
    allow for the large number of small to intermediate sized networks
    the interpretation of the address field is coded to specify a small
    number of networks with a large number of host, a moderate number of
    networks with a moderate number of hosts, and a large number of
    networks with a small number of hosts. In addition there is an
    escape code for extended addressing mode.

    Address Formats:

      High Order Bits   Format                           Class
      ---------------   ------------------------------- -----
            0            7 bits of net, 24 bits of host    a
            10          14 bits of net, 16 bits of host    b
            110         21 bits of net, 8 bits of host    c
            111         escape to extended addressing mode

      A value of zero in the network field means this network. This is
      only used in certain ICMP messages. The extended addressing mode
      is undefined. Both of these features are reserved for future use.

    The actual values assigned for network addresses are given in
    "Assigned Numbers" [9].

    The local address, assigned by the local network, must allow for a
    single physical host to act as several distinct internet hosts.
    That is, there must be a mapping between internet host addresses and
    network/host interfaces that allows several internet addresses to
    correspond to one interface. It must also be allowed for a host to
    have several physical interfaces and to treat the datagrams from
    several of them as if they were all addressed to a single host.

    Address mappings between internet addresses and addresses for
    ARPANET, SATNET, PRNET, and other networks are described in "Address
    Mappings".

Sockets allow communication between two different processes on the same or different machines. To be more precise, it's a way to talk to other computers using standard Unix file descriptors. In Unix, every I/O action is done by writing or reading a file descriptor. A file descriptor is just an integer associated with an open file and it can be a network connection, a text file, a terminal, or something else.

To a programmer, a socket looks and behaves much like a low-level file descriptor. This is because commands such as read() and write() work with sockets in the same way they do with files and pipes.

Sockets were first introduced in 2.1BSD and subsequently refined into their current form with 4.2BSD. The sockets feature is now available with most current UNIX system releases.

connection is the combination of a phone number and a particular extension. Based on this address, internet sockets deliver incoming data packets to the appropriate application process or thread.

The TCP/internet interface provides calls to send and receive
datagrams addressed to TCP modules in hosts anywhere in the internet
system. These calls have parameters for passing the address, type of
service, precedence, security, and other control information.

Processes can issue passive OPENs and wait for matching active OPENs
from other processes and be informed by the TCP when connections have
been established. Two processes which issue active OPENs to each
other at the same time will be correctly connected. This flexibility
is critical for the support of distributed computing in which
components act asynchronously with respect to each other.

There are two principal cases for matching the sockets in the local
passive OPENs and a foreign active OPEN. In the first case, the
local passive OPEN has fully specified the foreign socket. In this
case, the match must be exact. In the second case, the local passive
OPEN has left the foreign socket unspecified. In this case, any
foreign socket is acceptable as long as the local sockets match.
Other possibilities include partially restricted matches.

If there are several pending passive OPENs (recorded in TCBs) with the
same local socket, a foreign active OPEN will be matched to a TCB
with the specific foreign socket in the foreign active OPEN, if such a
TCB exists, before selecting a TCB with an unspecified foreign socket.

The procedures to establish connections utilize the synchronize (SYN)
control flag and involve an exchange of three messages. This
exchange has been termed a three-way handshake [3].

A connection is initiated by the rendezvous of an arriving segment
containing a SYN and a waiting TCB entry each created by a user OPEN
command. The matching of local and foreign sockets determines when a
connection has been initiated. The connection becomes "established"
when sequence numbers have been synchronized in both directions.

The clearing of a connection also involves the exchange of segments,
in this case carrying the FIN control flag.

When you are on the internet or are working in a networked environment, you may think you have problems with your network connection. It would be helpful if you could diagnose whether there is a problem and what it is.

Fortunately there are some useful tools built into all versions of Windows which can help you; you just need to know what they are and how to use them. This page explains them and gives some examples of the circumstances when it is a good idea to use them.

Most of the tools on this page are accessed from the DOS or Command prompt. While this can look a little scary to a novice user, it can be quite powerful and allow you to manipulate your system and see what is going on in a way that isn't possible with nice-looking GUI (graphical user interface) tools. However, if you are a novice to the Command Prompt, then you should read our getting started guide.

Although you can run these tools from the "Run" box off the start menu, as soon as the command has finished, the box will close which will stop you from seeing the results. Always open a command box first and then enter the command there.
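The IP questions above (addressing and fragmentation, the Identification field, the header checksum, and why reserved and optional header bits matter) are easier to reason about with the header in front of you. The following Python script is an added example, not code from the question, the answer, or the RFC: it builds and parses an IPv4 header laid out as RFC 791 specifies, verifies the checksum, and flags the things a packet filter or IDS would care about. The function names (`parse_ipv4_header`, `triage`, `build_ipv4`, `lsrr_option`), the finding codes, and the sample addresses and packets are all constructed for this example.

```python
import struct

# Added example: parse an RFC 791 IPv4 header, verify its checksum, and flag fields an
# attacker can abuse (the reserved flag bit, source-route options). All packets below are
# constructed inline; nothing is read from the network.

SOURCE_ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR"}   # option type values from RFC 791


def ip_checksum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte header plus any options; the payload is left alone."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    header = pkt[:ihl]
    info = {
        "identification": ident,                         # groups fragments of one datagram
        "reserved_bit": bool(flags_frag & 0x8000),       # RFC 791: must be zero
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # in octets
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ip_checksum(header) == 0,         # a valid header sums to 0xFFFF, complement 0
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "options": [],
    }
    i = 20
    while i < ihl:                                       # option walk: type, then [length, data...]
        opt_type = header[i]
        if opt_type == 0:                                # End of Option List
            break
        if opt_type == 1:                                # No Operation (padding)
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("malformed option at offset %d" % i)
        opt_len = header[i + 1]
        info["options"].append((opt_type, header[i + 2:i + opt_len]))
        i += opt_len
    return info


def triage(info: dict) -> list:
    """Short codes for header conditions worth dropping or alerting on (codes are this example's)."""
    findings = []
    if not info["checksum_ok"]:
        findings.append("bad-checksum")
    if info["reserved_bit"]:
        findings.append("reserved-bit")
    if info["dont_fragment"] and info["more_fragments"]:
        findings.append("df-and-mf")                     # contradictory flags: crafted packet
    for opt_type, _ in info["options"]:
        if opt_type in SOURCE_ROUTE_OPTIONS:             # sender dictates the path: can bypass filters
            findings.append("source-route:" + SOURCE_ROUTE_OPTIONS[opt_type])
    return findings


def build_ipv4(src: str, dst: str, ident: int = 0x1234, flags: int = 0, ttl: int = 64,
               proto: int = 6, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a header with a correct checksum; flags is the 3-bit field (4=reserved, 2=DF, 1=MF)."""
    options += b"\x00" * (-len(options) % 4)             # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), ident,
                      flags << 13, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def lsrr_option(hops: list) -> bytes:
    """Loose Source and Record Route option: type 131, length, pointer (starts at 4), addresses."""
    route = b"".join(bytes(map(int, h.split("."))) for h in hops)
    return bytes([131, 3 + len(route), 4]) + route


if __name__ == "__main__":
    clean = build_ipv4("10.0.0.1", "10.0.0.2", payload=b"hi")
    evil = build_ipv4("10.0.0.1", "10.0.0.2", flags=4,
                      options=lsrr_option(["192.0.2.1", "198.51.100.7"]))
    for name, pkt in (("clean", clean), ("evil", evil)):
        print(name, triage(parse_ipv4_header(pkt)))
```

The checksum covers only the header, which is exactly why the answer above says "the data may contain errors": a corrupted payload passes IP untouched. The reserved flag bit and the source-route options are the concrete case for the "reserved or optional bits" question: a reserved bit that is set marks a crafted packet, and a loose source route lets the sender choose the path the datagram takes through the network, which is why most hosts and routers now drop source-routed datagrams.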
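The TCP passages in the answer above (passive and active OPEN, matching a TCB with a specified foreign socket before one with an unspecified foreign socket, and the three-way handshake) describe a small state machine. The Python model below is an added example, not code from the question, the answer, or RFC 793: it implements just enough of the connection-establishment rules to run the SYN / SYN+ACK / ACK exchange and to show why the third packet must acknowledge the server's exact initial sequence number. The class and function names (`TCPHost`, `three_way_handshake`, `spoofed_third_packet`), the fixed ISN values, and the addresses are constructed for this example; real stacks pick unpredictable ISNs.

```python
import itertools
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model of the RFC 793 connection-establishment rules: OPEN calls, TCB matching and
# the SYN / SYN+ACK / ACK exchange. Addresses, ports and ISNs below are constructed values.

Socket = Tuple[str, int]                                 # (address, port) = an RFC 793 "socket"


@dataclass
class Segment:
    src: Socket
    dst: Socket
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False
    rst: bool = False

    def flags(self) -> str:
        return "+".join(n for n, on in (("SYN", self.syn), ("ACK", self.ack_flag), ("RST", self.rst)) if on)


@dataclass
class TCB:
    local: Socket
    foreign: Optional[Socket]                            # None: passive OPEN left the foreign socket unspecified
    state: str
    iss: int = 0
    snd_nxt: int = 0
    rcv_nxt: int = 0


class TCPHost:
    def __init__(self, name: str, isn_start: int):
        self.name = name
        self._isn = itertools.count(isn_start, 64000)    # deterministic stand-in for an ISN generator
        self.tcbs: List[TCB] = []

    def passive_open(self, local: Socket, foreign: Optional[Socket] = None) -> TCB:
        tcb = TCB(local, foreign, "LISTEN")
        self.tcbs.append(tcb)
        return tcb

    def active_open(self, local: Socket, foreign: Socket) -> Tuple[TCB, Segment]:
        tcb = TCB(local, foreign, "SYN-SENT", iss=next(self._isn))
        tcb.snd_nxt = tcb.iss + 1                        # the SYN consumes one sequence number
        self.tcbs.append(tcb)
        return tcb, Segment(local, foreign, seq=tcb.iss, syn=True)

    def match(self, seg: Segment) -> Optional[TCB]:
        """A TCB naming this exact foreign socket is preferred over a wildcard listener."""
        cands = [t for t in self.tcbs if t.local == seg.dst]
        exact = [t for t in cands if t.foreign == seg.src]
        if exact:
            return exact[0]
        wild = [t for t in cands if t.foreign is None and t.state == "LISTEN"]
        return wild[0] if wild else None

    def deliver(self, seg: Segment) -> Optional[Segment]:
        """Process one incoming segment; return the reply segment, if any."""
        tcb = self.match(seg)
        if tcb is None:                                  # nothing listening: reset
            if seg.ack_flag:
                return Segment(seg.dst, seg.src, seq=seg.ack, rst=True)
            return Segment(seg.dst, seg.src, seq=0, ack=seg.seq + 1, rst=True, ack_flag=True)
        if tcb.state == "LISTEN" and seg.syn:
            if tcb.foreign is None:                      # keep the wildcard listener; clone a TCB for this peer
                tcb = TCB(tcb.local, seg.src, "LISTEN")
                self.tcbs.append(tcb)
            tcb.rcv_nxt, tcb.iss = seg.seq + 1, next(self._isn)
            tcb.snd_nxt, tcb.state = tcb.iss + 1, "SYN-RECEIVED"
            return Segment(tcb.local, tcb.foreign, seq=tcb.iss, ack=tcb.rcv_nxt, syn=True, ack_flag=True)
        if tcb.state == "SYN-SENT" and seg.syn:
            if seg.ack_flag and seg.ack != tcb.snd_nxt:  # unacceptable ACK: reset instead of synchronizing
                return Segment(tcb.local, tcb.foreign, seq=seg.ack, rst=True)
            tcb.rcv_nxt = seg.seq + 1
            if seg.ack_flag:                             # SYN+ACK: sequence numbers synchronized both ways
                tcb.state = "ESTABLISHED"
                return Segment(tcb.local, tcb.foreign, seq=tcb.snd_nxt, ack=tcb.rcv_nxt, ack_flag=True)
            tcb.state = "SYN-RECEIVED"                   # simultaneous open: two active OPENs crossed
            return Segment(tcb.local, tcb.foreign, seq=tcb.iss, ack=tcb.rcv_nxt, syn=True, ack_flag=True)
        if tcb.state == "SYN-RECEIVED" and seg.ack_flag:
            if seg.ack != tcb.snd_nxt:                   # third packet must acknowledge exactly ISS+1
                return Segment(tcb.local, tcb.foreign, seq=seg.ack, rst=True)
            tcb.state = "ESTABLISHED"
        return None


def run_exchange(first: Segment, a: TCPHost, b: TCPHost, limit: int = 6) -> List[str]:
    """Bounce segments between two hosts until one side has nothing to send back."""
    trace, seg, sender, receiver = [], first, a, b
    for _ in range(limit):
        trace.append("%s -> %s: %s seq=%d ack=%d" % (sender.name, receiver.name, seg.flags(), seg.seq, seg.ack))
        seg = receiver.deliver(seg)
        if seg is None:
            break
        sender, receiver = receiver, sender
    return trace


def three_way_handshake() -> Tuple[str, str, List[str]]:
    client, server = TCPHost("client", 1000), TCPHost("server", 5000)
    server.passive_open(("10.0.0.2", 80))                # passive OPEN with foreign socket unspecified
    ctcb, syn = client.active_open(("10.0.0.1", 40001), ("10.0.0.2", 80))
    trace = run_exchange(syn, client, server)
    stcb = server.match(Segment(("10.0.0.1", 40001), ("10.0.0.2", 80), seq=0))
    return ctcb.state, stcb.state, trace


def spoofed_third_packet(isn_guess_error: int) -> str:
    """A spoofer never sees the SYN+ACK sent to the victim, so it must guess the server ISN."""
    server = TCPHost("server", 5000)
    server.passive_open(("10.0.0.2", 80))
    victim, svc = ("10.0.0.9", 51000), ("10.0.0.2", 80)
    synack = server.deliver(Segment(victim, svc, seq=777, syn=True))
    server.deliver(Segment(victim, svc, seq=778, ack=synack.seq + 1 + isn_guess_error, ack_flag=True))
    return server.match(Segment(victim, svc, seq=0)).state
```

`three_way_handshake()` prints the exchange the answer describes in words: SYN from the active opener, SYN+ACK from the listener, ACK back, both sides in ESTABLISHED. `spoofed_third_packet()` models the "rendezvous" the other way round: a sender forging the victim's address completes the handshake only if its ACK carries the server's initial sequence number plus one, which is why predictable ISNs (RFC 793's clock-driven scheme) were a real weakness and why modern stacks randomize them.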