Internet Protocol Security

CS155 Computer and Network Security


The Internet

Global network that provides best-effort delivery of packets between connected hosts.

Packet: a structured sequence of bytes
- Header: metadata used by the network
- Payload: user data to be transported

Every host has a unique identifier, its IP address (the slide's examples: 141.212.120.7 and 8.8.8.8).

A series of routers receive each packet, look at the destination address in the header, and send it one hop towards the destination IP address.
Network Protocols

We define how hosts communicate in published network protocols.
- Syntax: how communication is structured (e.g., format and order of messages). Example: which bytes contain each field in a packet header.
- Semantics: what communication means. Actions taken on transmit or receipt of a message, or when a timer expires. What assumptions can be made.
Protocol Layering

Networks use a stack of protocol layers (Application, Transport, Network, Data Link, Physical).
- Each layer has different responsibilities.
- Layers define abstraction boundaries.
- Lower layers provide services to the layers above and don't care what the higher layers do.
- Higher layers use the services of the layers below and don't worry about how they work.
OSI 5 Layer Model

(The five-layer Internet model used in these slides; the full OSI reference model has seven layers, adding session and presentation layers between transport and application.)

Application: Defines how individual applications communicate. For example, HTTP defines how browsers send requests to web servers.
Transport: Allows a client to establish a connection to specific services (e.g., a web server on port 80). Provides reliable communication (in the case of TCP; UDP does not).
Network: Responsible for packet forwarding. How to get a packet to the final destination when there are many hops along the way.
Data Link: How to get a packet to the next hop. Transmission of data frames between two nodes connected by a physical link.
Physical: How bits get translated into electrical, optical, or radio signals.
IP — The Narrow Waist

Application layer (DNS, SSH, FTP, SMTP, NNTP, HTTP): How does the application structure its data?
Transport layer (UDP, TCP): How do I get to the right service? How do I get a reliable "stream" of data?
Network layer (IP): How does a packet get to its final destination?
Link layer (Cellular, WiFi, Ethernet): How do I get to the next hop?
Physical layer (Radio, Copper, Fiber)

IP is the single network-layer protocol that every technology above and below it must agree on, hence the "narrow waist".
Packet Encapsulation

Protocol N1 can use the services of a lower-layer protocol N2:
- A packet P1 of N1 is encapsulated into a packet P2 of N2.
- The payload of P2 is P1.
- The control information of P2 is derived from that of P1.

Example from the slide, with P2 an IP packet and P1 a TCP segment:

  | IP header | TCP header | HTTP request |
  |  P2 hdr   |<---- P2 payload = P1 ---->|
              | P1 hdr     |  P1 payload  |
Link Layer

Assumes: local nodes are physically connected.
Task: transfer bytes between two hosts on the physically connected network.

Ethernet

Most common link layer protocol. Lets you send packets to other local hosts.
- At layer 2 (link layer) packets are called frames.
- MAC addresses: 6 bytes, assigned to be universally unique (but set in software, so trivially changed or spoofed by any host on the segment).
- EtherType gives the layer 3 protocol carried in the payload:
  0x0800: IPv4
  0x0806: ARP
  0x86DD: IPv6
Internet Protocol (IP)

The Internet Protocol (IP) defines what packets that cross the Internet need to look like to be processed by routers.
- Every host is assigned a unique identifier (an "IP address").
- Every packet has an IP header that indicates its sender and receiver.
- Routers forward the packet along to try to get it to the destination host.
- The rest of the packet should be ignored by the router.
IP Addresses

IPv4: 32-bit host addresses. Written as 4 bytes in the form A.B.C.D, where A,...,D are 8-bit integers in decimal (a "dotted quad"), e.g. 192.168.1.1.

IPv6: 128-bit host addresses. Written as eight 16-bit groups in hexadecimal, separated by colons, in the form AA:BB::XX:YY:ZZ, where "::" stands for one run of all-zero groups (it may appear only once), e.g. 2620:0:e00:b::53 = 2620:0:e00:b:0:0:0:53.
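The "::" rule above means one address has many textual spellings, which matters the moment an address is compared against an allowlist or log entry as a string. The following Python is an added example, not code from the CS155 slides: it expands the shorthand into eight four-digit groups and produces the RFC 5952 canonical form, rejecting malformed input, and cross-checks itself against the standard library's ipaddress module. The sample addresses other than 2620:0:e00:b::53 are constructed for the example.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Expand the '::' shorthand to eight 4-digit hex groups, rejecting malformed input.
    Embedded-IPv4 forms such as ::ffff:1.2.3.4 are deliberately not accepted here."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        left, right = text.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + ["0"] * missing + rg
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    out = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError(f"bad group {g!r}")
        out.append(format(int(g, 16), "04x"))
    return ":".join(out)


def compress_ipv6(text):
    """RFC 5952 canonical text: lowercase, no leading zeros, the longest run of two or
    more zero groups (the first such run on ties) written as '::'."""
    groups = [int(g, 16) for g in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len >= 2:
        return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return ":".join(hexs)


def same_address(a, b):
    """Compare two textual IPv6 addresses by canonical form, never by raw string equality."""
    return compress_ipv6(a) == compress_ipv6(b)


def matches_stdlib(text):
    """Cross-check: our expansion and compression agree with the standard library."""
    addr = ipaddress.IPv6Address(text)
    return expand_ipv6(text) == addr.exploded and compress_ipv6(text) == str(addr)


if __name__ == "__main__":
    for a in ["2620:0:e00:b::53", "2620:0:e00:b:0:0:0:53", "::1", "fe80::1"]:
        print(f"{a:28} -> {expand_ipv6(a)}  ({compress_ipv6(a)})")
```

In practice you would call the standard library directly; writing the rule out shows why "2620:0:e00:b::53" and "2620:0000:0E00:000B:0:0:0:0053" must be treated as the same host.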
IPv4 Header

Instructs routers and hosts what to do with a packet. All values are filled in by the sending host; routers decrement the TTL and recompute the header checksum as they forward it (and may fragment it). Nothing in the header is authenticated, so the source address is whatever the sender chose to write.
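To make the encapsulation, EtherType and IPv4 header sections above concrete, here is an added Python example (not code from the CS155 slides) that builds one constructed frame, Ethernet carrying IPv4 carrying TCP carrying an HTTP request, and then peels the layers back off with length checks at every step and a verification of the IPv4 header checksum. The MAC addresses, IP addresses, ports and HTTP request in the sample frame are made up for the example.

```python
import struct

# Constructed sample frame (not a real capture): an Ethernet II header carrying an
# IPv4 packet, which carries a TCP segment, whose payload is an HTTP request.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a header with a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    http = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport 40000, dport 80, seq 1000, ack 0, data offset 5 words, flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4: version 4 / IHL 5, TOS 0, total length, ID, flags+fragment 0, TTL 64, protocol 6 (TCP),
    # checksum 0 while we compute it, source 192.168.1.10, destination 8.8.8.8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + http


def parse_frame(frame: bytes) -> dict:
    """Peel the layers: Ethernet -> IPv4 -> TCP -> payload, validating lengths as we go."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": frame[:6].hex(":"), "eth_src": frame[6:12].hex(":"),
           "ethertype": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype != 0x0800:
        return out  # only IPv4 is decoded further in this example
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 version/length fields")
    out.update(ip_src=".".join(map(str, src)), ip_dst=".".join(map(str, dst)), ip_ttl=ttl,
               ip_proto=proto, ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0)
    if proto != 6:
        return out
    seg = ip[ihl:total_len]  # the IP payload is exactly the TCP segment; ignore trailing padding
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _c, _u = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off >> 4) * 4
    if doff < 20 or len(seg) < doff:
        raise ValueError("bad TCP data offset")
    out.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack, tcp_window=win,
               tcp_flags=[n for b, n in TCP_FLAGS.items() if flags & b], payload=seg[doff:])
    return out


if __name__ == "__main__":
    for k, v in parse_frame(build_sample_frame()).items():
        print(f"{k:16} {v!r}")
```

Every field a router or host acts on is copied straight out of attacker-controlled bytes, which is why each length is checked against the bytes actually present before it is used as an offset; the checksum check catches corruption but, being unkeyed, proves nothing about who sent the packet.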
Internet Protocol (IP)

Yes:
- Routing: if a host knows the IP of the destination host, route the packet to it.
- Fragmentation and reassembly: split data into packets and reassemble them.
- Error reporting: (maybe, if you're lucky) tell the source that it dropped your packet.

No:
- Everything else. No ordering. No retransmission. No (real) error checking. No acknowledgement of receipt. No "connections". No security. Just packets.
Two Problems

- Local: How does a host know what MAC address its destination has, given an IP address?
- Internet: How does each router know where to send each packet next?
ARP: Address Resolution Protocol

ARP is a network protocol that lets hosts map IP addresses to MAC addresses.
- A host that needs the MAC address M corresponding to IP address N broadcasts an ARP packet to the LAN asking, "who has IP address N?"
- The host that has IP address N replies, "IP N is at MAC address M."

ARP Packet (header diagram)
ARP Security

Any host on the LAN can send ARP requests and replies: any host can claim to be another host on the local network! This is called ARP spoofing.

This allows any host X to force IP traffic between any two other hosts A and B to flow through X (MitM!):
- Claim N_A is at the attacker's MAC address M_X.
- Claim N_B is at the attacker's MAC address M_X.
- Re-send traffic addressed to N_A to M_A, and vice versa.
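The three-step attack above, played out end to end, as an added Python example that is not code from the CS155 slides. It models a LAN of three hosts with classic, unauthenticated ARP caches, performs a legitimate resolution, then has X inject the two unsolicited replies and shows the A-to-B path now passing through X. It also runs the two cheap detection checks a host or monitor can apply: a cached IP-to-MAC binding that silently changes, and one MAC claiming several IPs. All MAC and IP addresses are constructed for the example.

```python
from dataclasses import dataclass

# Constructed LAN for the example; these MACs and addresses are made up.
A_MAC, A_IP = "02:00:00:00:00:0a", "10.0.0.1"
B_MAC, B_IP = "02:00:00:00:00:0b", "10.0.0.2"
X_MAC, X_IP = "02:00:00:00:00:ee", "10.0.0.66"   # the attacker
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_cache = {}   # ip -> mac; classic ARP accepts and overwrites with no authentication
        self.alerts = []      # (ip, old_mac, new_mac) whenever a cached binding silently changes

    def receive_arp(self, pkt):
        old = self.arp_cache.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append((pkt.sender_ip, old, pkt.sender_mac))
        self.arp_cache[pkt.sender_ip] = pkt.sender_mac   # learned from ANY packet, request or reply
        if pkt.op == REQUEST and pkt.target_ip == self.ip:
            return ArpPacket(REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip)
        return None


class Lan:
    def __init__(self, *hosts):
        self.by_mac = {h.mac: h for h in hosts}

    def send(self, pkt, dst_mac):
        if dst_mac == BROADCAST:
            targets = [h for m, h in self.by_mac.items() if m != pkt.sender_mac]
        else:
            targets = [self.by_mac[dst_mac]]
        for h in targets:
            reply = h.receive_arp(pkt)
            if reply is not None:
                self.send(reply, reply.target_mac)

    def resolve(self, host, ip):
        """Normal ARP: broadcast 'who has ip?' and learn the binding from the reply."""
        self.send(ArpPacket(REQUEST, host.mac, host.ip, ZERO_MAC, ip), BROADCAST)
        return host.arp_cache.get(ip)

    def path(self, src, dst_ip):
        """MACs an IP packet from src visits; a MitM relays it using its own, correct, cache."""
        hops = [src.mac]
        hop = self.by_mac[src.arp_cache[dst_ip]]
        hops.append(hop.mac)
        while hop.ip != dst_ip:
            hop = self.by_mac[hop.arp_cache[dst_ip]]
            hops.append(hop.mac)
        return hops


def macs_claiming_multiple_ips(arp_cache):
    """Detection heuristic: one MAC bound to several IPs is a classic spoofing signature."""
    seen = {}
    for ip, mac in arp_cache.items():
        seen.setdefault(mac, set()).add(ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


def run_scenario():
    a, b, x = Host(A_MAC, A_IP), Host(B_MAC, B_IP), Host(X_MAC, X_IP)
    lan = Lan(a, b, x)
    lan.resolve(a, B_IP)          # legitimate: A learns N_B is at M_B
    lan.resolve(x, A_IP)          # X learns the real bindings so it can relay later
    lan.resolve(x, B_IP)
    before = lan.path(a, B_IP)
    # ARP spoofing: two unsolicited replies nobody asked for, accepted anyway
    lan.send(ArpPacket(REPLY, X_MAC, B_IP, A_MAC, A_IP), A_MAC)   # "N_B is at M_X" -> A
    lan.send(ArpPacket(REPLY, X_MAC, A_IP, B_MAC, B_IP), B_MAC)   # "N_A is at M_X" -> B
    after = lan.path(a, B_IP)     # X now relays A's traffic to B (step 3 of the attack)
    return {"before": before, "after": after, "alerts_a": a.alerts, "alerts_b": b.alerts,
            "suspicious_a": macs_claiming_multiple_ips(a.arp_cache)}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:13} {v}")
```

The two alerts are exactly what tools such as arpwatch report and what switch features like dynamic ARP inspection act on; the model also shows the attack's weak point for the defender, which is that X must have real, changing state (its cache) that differs from what it is telling its victims.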
Routing (BGP)

BGP (Border Gateway Protocol): protocol that allows routers to exchange information about their routing tables.
- Each router announces what it can route to all of its neighbors.
- Every router maintains a global table of routes.

Pakistan hijacks YouTube

On 24 February 2008, Pakistan Telecom (AS 17557) began advertising a small part of YouTube's (AS 36561) assigned network.
- PCCW (AS 3491) did not validate Pakistan Telecom's (AS 17557) advertisement for 208.65.153.0/24 and propagated it.
- Routers prefer the most specific (longest) matching prefix, so the /24 drew traffic away from YouTube's own, less specific announcement.
- YouTube offline.
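Why a /24 announced by the wrong AS wins, and what the validation PCCW skipped looks like, as an added Python example (not code from the CS155 slides). The /24 and the AS numbers come from the slide; treating 208.65.152.0/22 as YouTube's covering prefix, and the destination 208.65.153.238, are assumptions made for the example. The origin check is a simplified model of an RPKI route origin authorization (prefix, maximum length, authorized AS), not a full BGP implementation.

```python
import ipaddress

# Constructed routing data. Only the /24 and the AS numbers appear on the slide;
# the /22 as YouTube's covering prefix is an assumption for this example.
YOUTUBE_AS, PAKISTAN_TELECOM_AS = 36561, 17557
LEGITIMATE = [("208.65.152.0/22", YOUTUBE_AS)]
HIJACK = ("208.65.153.0/24", PAKISTAN_TELECOM_AS)


def lookup(routes, dst):
    """Longest-prefix match: the most specific covering prefix wins, whoever announced it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return None if best is None else (str(best[0]), best[1])


def origin_valid(prefix, origin, roas):
    """ROA-style check: some authorization (covering prefix, max length, AS) must cover it."""
    net = ipaddress.ip_network(prefix)
    for auth_prefix, max_len, auth_as in roas:
        auth = ipaddress.ip_network(auth_prefix)
        if origin == auth_as and net.subnet_of(auth) and net.prefixlen <= max_len:
            return True
    return False


def accept_announcements(announcements, roas=None):
    """Routes a router installs: everything if it validates nothing, else only valid origins."""
    if roas is None:
        return list(announcements)
    return [(p, o) for p, o in announcements if origin_valid(p, o, roas)]


if __name__ == "__main__":
    dst = "208.65.153.238"
    print("before hijack:", lookup(LEGITIMATE, dst))
    print("no validation:", lookup(accept_announcements(LEGITIMATE + [HIJACK]), dst))
    roas = [("208.65.152.0/22", 22, YOUTUBE_AS)]
    print("with ROA     :", lookup(accept_announcements(LEGITIMATE + [HIJACK], roas), dst))
```

The maximum-length field matters: an authorization of the /22 with max length 24 would let the legitimate owner announce its own /24s, but still rejects the same /24 from a different origin AS.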
Ports

Each application on a host is identified by a port number.
- A TCP connection is established between port A on host X and port B on host Y.
- Ports are 16 bits: 1–65535 (port 0 is reserved).
- Some destination port numbers are used for specific applications by convention.

Common Ports

Port  Application
80    HTTP (Web)
443   HTTPS (Web)
25    SMTP (mail)
67    DHCP (host config)
22    SSH (secure shell)
23    Telnet
UDP (User Datagram Protocol)

User Datagram Protocol (UDP) is a transport layer protocol that is essentially a wrapper around IP. It adds ports to demultiplex traffic by application.
From Packets to Streams

Most applications want a stream of bytes delivered reliably and in order between applications on different hosts.

Transmission Control Protocol (TCP) provides:
- Connection-oriented protocol with explicit setup/teardown
- Reliable in-order byte stream
- Congestion control

...despite IP packets being dropped, re-ordered, and duplicated.
TCP Sequence Numbers

- Two data streams in a TCP session, one in each direction.
- Bytes in each data stream are numbered with a 32-bit sequence number.
- Every packet carries a sequence number that indicates where its data belongs in the stream.
- The receiver sends an acknowledgement number that indicates the data received so far (the next sequence number it expects).

TCP Packet, TCP Acknowledgement Numbers, ACKing Multiple Segments (diagram slides)
TCP Three Way Handshake (diagram slide)

Ending a Connection

- Send a packet with the FIN flag set. It must also have the ACK flag set with a valid seqnum.
- The peer receiving the FIN packet acknowledges receipt of the FIN with an ACK.
- FIN "consumes" one byte of sequence number.
- Eventually the other side sends a packet with the FIN flag set, which terminates the session.
TCP Connection Reset

TCP is designed to handle the possibility of spurious TCP packets (e.g., from previous connections).
- Packets that are invalid given the current state of the session generate a reset: if a connection exists, it is torn down, and a packet with the RST flag is sent in response.
- If a host receives a TCP packet with the RST flag, it tears down the connection.
TCP Connection Spoofing

Can we impersonate another host when initiating a connection?
- An off-path attacker can send the initial SYN to the server...
- ...but cannot complete the three-way handshake without seeing the server's sequence number.
- 1 in 2^32 chance to guess right if the initial sequence number is chosen uniformly at random.
TCP Reset Attack

Can we reset an existing TCP connection?
- Need to know the port numbers (16 bits each):
  - The initiator's port number is usually chosen randomly by the OS.
  - The responder's port number may be the well-known port of the service.
- There is leeway in the sequence numbers B will accept: the RST must fall within the receive window, W (32–64K on most modern OSes).
- So, with the server's port known, roughly 1 in 2^16 * 2^32 / W chance to guess right per packet; the attacker only needs one RST per window-sized slice of the sequence space.
- Caveat: stacks implementing RFC 5961 only reset on an RST whose sequence number exactly matches the next expected one and answer other in-window RSTs with a challenge ACK, which shrinks the attacker's effective W to 1.
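The arithmetic for the spoofing and reset attacks above, made executable, as an added Python example that is not code from the CS155 slides. It computes the size of the guess space for a given window and port knowledge, implements the in-window test with 32-bit wrap-around, and simulates a blind attacker who knows both ports sweeping the sequence space one window at a time against a classic receiver and against one that follows RFC 5961. The receiver state (rcv_nxt = 123456789, W = 65535) is constructed for the example.

```python
import math

SEQ_SPACE = 2 ** 32


def in_window(seq, rcv_nxt, window):
    """Is seq within [rcv_nxt, rcv_nxt + window)? Modular arithmetic handles 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def rst_outcome_rfc793(seq, rcv_nxt, window):
    """Original TCP: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, window) else "drop"


def rst_outcome_rfc5961(seq, rcv_nxt, window):
    """Hardened TCP: only an exact match resets; other in-window RSTs draw a challenge ACK
    (the real peer answers the challenge with its own RST only if it really closed)."""
    if seq == rcv_nxt:
        return "reset"
    return "challenge_ack" if in_window(seq, rcv_nxt, window) else "drop"


def search_space(window, src_port_known):
    """Distinct (port, seq) guesses that cover the space: one RST per window-sized slice,
    times 2^16 client ports unless the attacker already knows the client port."""
    ports = 1 if src_port_known else 2 ** 16
    return ports * math.ceil(SEQ_SPACE / window)


def blind_reset_sweep(rcv_nxt, window, outcome_fn):
    """Attacker knowing both ports sends seq = 0, W, 2W, ...; packets sent until 'reset', else None."""
    for k in range(math.ceil(SEQ_SPACE / window)):
        if outcome_fn(k * window, rcv_nxt, window) == "reset":
            return k + 1
    return None


if __name__ == "__main__":
    W, rcv_nxt = 65535, 123456789
    print("guesses, server port known  :", search_space(W, True))
    print("guesses, both ports unknown :", search_space(W, False))
    print("RFC 793 receiver, packets to reset :", blind_reset_sweep(rcv_nxt, W, rst_outcome_rfc793))
    print("RFC 5961 receiver, packets to reset:", blind_reset_sweep(rcv_nxt, W, rst_outcome_rfc5961))
```

With W = 65535 the classic receiver falls to a sweep of at most 65538 RSTs (one per slice), which is feasible on a fast link; the RFC 5961 receiver never resets unless the sweep happens to land exactly on rcv_nxt, which turns a 1-in-W event into a 1-in-2^32 one.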


DNS — Domain Name System

Application-layer protocols (and people) usually refer to an Internet host by host name (e.g., google.com).
DNS is a delegatable, hierarchical name space.

DNS Record

A DNS server has a set of records it authoritatively knows about:

$ dig bob.ucsd.edu

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6

;; QUESTION SECTION:
;bob.ucsd.edu. IN A

;; ANSWER SECTION:
bob.ucsd.edu. 3600 IN A 132.239.80.176

;; AUTHORITY SECTION:
ucsd.edu. 3600 IN NS ns0.ucsd.edu.
ucsd.edu. 3600 IN NS ns1.ucsd.edu.
ucsd.edu. 3600 IN NS ns2.ucsd.edu.
DNS Root Name Servers

In total there are 13 root server identities, named with the letters 'A' to 'M'; each is served by many anycast instances around the world.

Caching

- DNS responses are cached, giving quick responses for repeated translations.
- NS records for domains are also cached.
- DNS negative responses are cached, saving time for nonexistent names (e.g. misspellings).
- Cached data periodically times out: the lifetime (TTL) of data is controlled by the owner of the data, and a TTL is passed with every record.
DNS Packet

- DNS requests are sent over UDP.
- Four sections: questions, answers, authority, additional records.
- Query ID: a 16-bit random value that links a response to its query. Without DNSSEC, the ID and the source port are all that ties a response to a query, so they are what an off-path forger must guess.

Request, Response, Authoritative Response (diagram slides)
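The DNS packet described above, built and parsed, as an added Python example that is not code from the CS155 slides. It constructs a query with a random 16-bit ID and the RD flag, parses the 12-byte header with its four section counts, decodes names including compression pointers (with a loop guard), and accepts a response only if its ID and question section match what was sent. The sample response is constructed to mirror the dig output earlier (id 30439, flags qr aa rd ra, one A record for bob.ucsd.edu with TTL 3600); nothing is sent on the network.

```python
import secrets
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(pkt, off, depth=0):
    """Decode a name at off, following 0xC0xx compression pointers with a loop guard."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(pkt, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(name, qid=None):
    """Header (ID, flags=RD, QDCOUNT=1, 0, 0, 0) followed by one A/IN question."""
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(pkt):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}


def parse_response(pkt, expected_id, expected_name):
    """Accept a response only if its ID and question match our query; return header + answers."""
    h = parse_header(pkt)
    if h["id"] != expected_id:
        raise ValueError("query ID mismatch: not a reply to our query (or a forgery)")
    if not h["qr"]:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    qname, off = read_name(pkt, off)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if (qname.lower(), qtype, qclass) != (expected_name.lower(), QTYPE_A, QCLASS_IN):
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(h["counts"][1]):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(map(str, rdata))
        answers.append((name, rtype, ttl, rdata))
    return h, answers


def build_sample_response(qid, name="bob.ucsd.edu", ip="132.239.80.176", ttl=3600):
    """Constructed authoritative answer mirroring the dig output (flags qr aa rd ra, one A record).
    The answer's owner name is a compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    qid, query = build_query("bob.ucsd.edu", qid=30439)
    print("query header   :", parse_header(query))
    print("answers        :", parse_response(build_sample_response(qid), qid, "bob.ucsd.edu")[1])
```

A resolver that skips the ID and question checks, or that uses a predictable ID and a fixed source port, accepts the first response that arrives, which is the opening a cache-poisoning attacker needs.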
