Transport Layer Discussion Board

CH12.pptx

Chapter 12 End-to-End Networking

Chapter 12 Overview

The end-to-end principle in internet architecture

Internet packet and transport protocols

Host naming with the Domain Name System

Firewalls and network address translation

Authentication on networks

“Smart” vs. “Dumb” Networks

The 20th century telephone network

A “smart” network with “dumb” endpoints

Telephones (endpoints) only had a dial or touchpad, a speaker, and a microphone

The original Internet

A “dumb” network with “smart” endpoints

Routing was as simple as possible

Hosts handled the hard work

Error detection and correction

Reordering and reassembling messages

The End-to-End Principle

Reliable packet networks must rely on smart endpoints – the network can't ensure reliable packet delivery by itself

Network-based reliability may reduce unreliability, but it doesn't ensure reliability

End-to-end in practice

Networks become more complex to address more complex routing challenges

Network-based reliability in wireless LANs reduces unreliability to acceptable levels

Internet Transport Protocols

Two separate protocols

User Datagram Protocol (UDP) – for highly efficient transmission without retransmission

Transmission Control Protocol (TCP) – for reliable, sequential data transmission

UDP packets

Contain source and destination port numbers

Contain a checksum and a data field

Applications must detect and handle any missing or damaged packets themselves
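
As an added example (not from the slides), the following Python parses the UDP header described above and verifies the checksum, which is computed over an IPv4 pseudo-header plus the UDP header and data. The addresses, ports and payload are constructed sample values; the helper names are mine.

```python
import struct
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"                        # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: both addresses, a zero byte, protocol 17 (UDP), UDP length."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 17, udp_len))

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP segment: source port, destination port, length, checksum, data."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zeroed
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    csum = csum or 0xFFFF                      # a computed 0 is transmitted as 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Split a segment into its header fields and verify the checksum."""
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length field disagrees with the bytes received")
    valid = None                               # None: sender sent no checksum (IPv4 allows 0)
    if csum != 0:
        total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment[:length])
        valid = total == 0xFFFF                # header + data + checksum must sum to all ones
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": valid, "data": segment[8:length]}

if __name__ == "__main__":
    # Constructed sample: a datagram from a LAN host to port 53 on its gateway
    pkt = build_udp("192.168.1.10", "192.168.1.1", 51000, 53, b"example query")
    print(parse_udp("192.168.1.10", "192.168.1.1", pkt))
```

A damaged byte in the data field makes `checksum_ok` false, which is exactly the condition the application, not UDP, has to act on.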

UDP Packet Format

Wireshark: UDP Packet Format

© Wireshark Foundation

Transmission Control Protocol – TCP

TCP Reliability

Uses Sequence (SEQ) and Acknowledgement (ACK) numbers to track the delivered data

Every byte of data sent via TCP is numbered consecutively

A packet's SEQ number reports the number of the first byte it contains

Recipient sends ACK number to indicate the highest consecutive byte number received

If packets arrive out of order, the ACK number never increases until missing packets arrive

Flow Control and Window Size

Flow control prevents a sender from sending data faster than the recipient can handle it

If we send data too fast, the recipient or the network will have to discard it

Each TCP packet contains a window size

Indicates the number of bytes the recipient can handle from upcoming packets

Grows smaller if traffic arrives too quickly
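
An added example (my own model, not code from the slides) of the receiving side of one TCP direction: segments carry the SEQ number of their first byte, the returned ACK is one past the highest consecutive byte received and stays put while a gap exists, and the advertised window shrinks as unread data piles up in a fixed-size buffer. The buffer size and segment contents are constructed.

```python
class TcpReceiver:
    """Receiving side of one TCP direction: cumulative ACK plus advertised window."""

    def __init__(self, initial_seq: int, buffer_size: int = 1000):
        self.next_expected = initial_seq   # ACK value: one past the highest in-order byte
        self.buffer_size = buffer_size     # total receive buffer the host can hold
        self.out_of_order = {}             # seq -> data held back because a gap precedes it
        self.delivered = bytearray()       # in-order bytes waiting for the application

    def receive(self, seq: int, data: bytes) -> tuple:
        """Process one segment; return the (ACK, window) the receiver would send back."""
        if seq + len(data) <= self.next_expected:
            pass                                          # pure duplicate: nothing new
        elif seq > self.next_expected:                    # a gap precedes this segment
            if self.used() + len(data) <= self.buffer_size:
                self.out_of_order[seq] = data             # hold it until the gap is filled
            # otherwise the buffer is full and the segment is discarded (sender must retry)
        else:                                             # fills the gap, maybe overlapping
            self._accept(data[self.next_expected - seq:])
            for hseq, hdata in sorted(self.out_of_order.items()):
                if hseq <= self.next_expected:            # held data is now contiguous
                    del self.out_of_order[hseq]
                    self._accept(hdata[self.next_expected - hseq:])
        return self.next_expected, self.window()

    def _accept(self, data: bytes) -> None:
        self.delivered += data
        self.next_expected += len(data)

    def consume(self, n: int) -> bytes:
        """The application reads n in-order bytes, freeing receive-buffer space."""
        data, self.delivered = bytes(self.delivered[:n]), self.delivered[n:]
        return data

    def used(self) -> int:
        return len(self.delivered) + sum(len(d) for d in self.out_of_order.values())

    def window(self) -> int:
        """Window size to advertise: shrinks when data arrives faster than it is read."""
        return self.buffer_size - self.used()
```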

Establishing a TCP Connection

Two hosts must agree to establish a connection

Process uses a three-way handshake

Client sends a SYN packet

Server responds with SYN-ACK packet

Client completes the handshake with ACK

The three-way handshake establishes the starting SEQ numbers used in each direction

If one host fails to finish the handshake, the other host discards the connection

Close the connection with FIN or RST

Wireshark: TCP Connection

© Wireshark Foundation

Attacks on Internet Protocols

General types of protocol-oriented attacks

Exploit one host to attack another host

Use up the victim host's resources

Masquerade as a different host to a user

Attack mechanisms

Exploit ICMP – the Internet Control Message Protocol

Exploit IP header settings

Exploit TCP settings

ICMP Exploits

Ping floods – DOS attack that transmits numerous “ping” packets

Smurf attack – DOS attack that sends a forged “ping” using a broadcast address to amplify the number of replies produced

Ping of death – exploited a now-fixed flaw in protocol stacks: A buffer overflow in ping handling

Redirection attacks – rerouted data for one host to traverse a different (masquerading) host

TCP and IP Attacks

SYN flood – attacker sends lots of SYN packets to produce “half-open connections” and use up the protocol stack's resources.

IP spoofing – forge the sender's IP address in a TCP connection; success requires correct guessing of SEQ numbers.

Source routing attack – similar to redirection attack, but uses an IP header option to route traffic to a masquerading host.
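
An added example (my own model, not from the slides) that ties the three-way handshake to the SYN flood bullet: a server-side table holds each half-open connection from SYN until the matching ACK arrives, the table is bounded, unfinished handshakes are discarded after a timeout, and a per-source count of half-open entries gives a defender a simple detection view. Addresses, ports, sequence numbers and the backlog size are constructed.

```python
from collections import Counter, namedtuple

# One TCP segment as the server sees it (simplified; ack and t default to 0)
Packet = namedtuple("Packet", "src sport flags seq ack t", defaults=(0, 0.0))

class ServerConnTable:
    """Server side of the three-way handshake with a bounded half-open table."""

    def __init__(self, backlog: int, timeout: float = 30.0, isn: int = 5000):
        self.backlog, self.timeout, self.isn = backlog, timeout, isn
        self.half_open = {}    # (src, sport) -> (server ISN, client seq expected, arrival time)
        self.established = set()
        self.dropped_syns = 0  # SYNs refused because the half-open table was full

    def handle(self, p: Packet):
        key = (p.src, p.sport)
        if p.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1               # resources exhausted: new client locked out
                return None
            self.isn += 1                            # starting SEQ for the server's direction
            self.half_open[key] = (self.isn, p.seq + 1, p.t)
            return ("SYN-ACK", self.isn, p.seq + 1)  # SEQ = server ISN, ACK = client ISN + 1
        if p.flags == "ACK" and key in self.half_open:
            server_isn, expected_seq, _ = self.half_open[key]
            if p.ack != server_isn + 1 or p.seq != expected_seq:
                return None                          # numbers do not match: not our peer
            del self.half_open[key]
            self.established.add(key)
            return "ESTABLISHED"
        if p.flags in ("FIN", "RST"):                # either flag tears the connection down
            self.half_open.pop(key, None)
            self.established.discard(key)
            return "CLOSED"
        return None

    def expire(self, now: float) -> int:
        """Discard handshakes the peer never finished; returns the number freed."""
        stale = [k for k, (_, _, t) in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def half_open_by_source(self) -> Counter:
        """Detection view: which sources hold the most unfinished handshakes."""
        return Counter(src for src, _ in self.half_open)
```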

Domain Names on the Internet

Domain names provide memorable names for hosts on the Internet

Domain Name System (DNS) converts names into IP addresses, and vice versa

The “Internet telephone book”

A distributed database managed by domain name owners and registrars

Domain names constructed hierarchically

From right to left

Domain Name Construction

Domain Name Hierarchy

Domain Names in Practice

Individuals and companies buy names from registrars

Registrar places the name under the chosen Top-Level Domain (TLD)

Tying the name to a host

Owners may provide their own domain name servers, and service hosts for Web or email

Some registrars will tie the domain name to specific host-based services for customers

Looking up Domain Names

A resolver uses the DNS to look up a name

The resolver keeps a cache of recent answers

If a name isn't in the cache, the resolver contacts a domain name server

If the server can't answer, it identifies a server that can provide the answer, or it may contact that server itself

Resolver saves the answer in its cache

Resolving may be redirected (the server names another server for the resolver to ask) or recursive (the server asks that other server itself)

Wireshark: A DNS response

© Wireshark Foundation

DNS Lookup

Investigating Domain Names

nslookup – interactive DNS resolver

Returns basic information stored about a domain

IP address for the generic host

IP address, possibly different, to handle email directed at that domain

whois – returns details about domain ownership

Identifies the domain's owner

Provides technical and administrative contact information

Attacks on DNS

Cache poisoning – resolver receives a bogus response to a DNS request

Difficult: a bogus response is only accepted if it matches a query the resolver currently has outstanding

DOS – attacker floods an important server, like a root server, so it can't respond to queries

Botnets are often used in such attacks

DOS attack using a shared resolver – attacker sends numerous bogus queries that produce lots of traffic to a targeted server

An amplification attack, like the smurf attack

DNS Security Improvements

Randomized requests – clients choose unpredictable port numbers and request numbers to resist cache poisoning

Limited access to resolvers – ISPs only allow their customers to use their resolvers, to reduce risks of amplification attacks

Replicated DNS servers – major servers are replicated so that DOS against one won't shut down an entire TLD or subdomain.

DNSSEC – authentication for DNS responses
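
An added example (my own model, not from the slides) covering both the cache-poisoning bullet above and the randomized-requests improvement: a resolver records each outstanding query under its transaction ID and source port, and uses a response only if those numbers match. With fixed numbers a forger needs one guess; with randomized numbers the guess space is the product of the two ranges. Names and addresses are constructed; the class and function names are mine.

```python
import secrets

class Resolver:
    """Caching resolver: a response is used only if it matches a query still outstanding."""

    def __init__(self, randomize: bool):
        self.randomize = randomize
        self.cache = {}       # name -> address
        self.pending = {}     # (transaction id, source port) -> name awaiting an answer
        self.rejected = 0     # responses dropped because nothing outstanding matched

    def send_query(self, name: str) -> tuple:
        """Start a lookup; returns the (txid, port) an answer must echo back."""
        if self.randomize:
            txid, port = secrets.randbelow(65536), 1024 + secrets.randbelow(64512)
        else:
            txid, port = 1, 53                  # predictable: a forger knows both in advance
        self.pending[(txid, port)] = name
        return txid, port

    def receive_response(self, txid: int, port: int, name: str, address: str) -> bool:
        """Accept an answer only for a query outstanding under exactly these numbers."""
        if self.pending.get((txid, port)) != name:
            self.rejected += 1                  # no matching query (or already answered)
            return False
        del self.pending[(txid, port)]          # first matching answer wins; later ones drop
        self.cache[name] = address
        return True

    def lookup(self, name: str):
        return self.cache.get(name)

def forged_guesses(randomize: bool) -> int:
    """Number of (txid, port) pairs a forger must cover to match one outstanding query."""
    return 65536 * 64512 if randomize else 1
```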

Internet Gateways and Firewalls

Network Address Translation

All IP packets travel between two hosts with unique addresses

There are not enough IPv4 addresses to assign one to every IP host on the planet

Sites use private addresses and NAT to provide separate addresses to all hosts

Private addresses fall into one of 3 ranges:

10.x.x.x

192.168.x.x

172.16.0.0 through 172.31.255.255

Mapping Private to Public Addresses

Configuring Host Computers

Gateways and firewalls typically assign private addresses

Use Dynamic Host Configuration Protocol (DHCP)

A client sends a broadcast DHCP query

The gateway responds with information

IP address assigned to the host

IP addresses to use for routing and DNS

Gateway must be configured to use a particular private address range

Traffic Filtering and Connectivity

Packet filtering – discards packets by checking:

MAC address – source or destination

Broadcast transmissions

ICMP messages

IP address – source or destination

IP application protocol – based on port number

Inbound connections usually rejected by NAT

Gateway may configure a server to receive inbound connections
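
An added example (my own simplified model, not from the slides) that covers the private address ranges, the mapping of private to public addresses, and the last two bullets above: a port-based NAT gateway allocates a public port for each outbound flow, translates replies back, drops unsolicited inbound connections, and admits inbound traffic only where a forwarding rule exposes an inside server. It keys flows by inside address and port only; the addresses are constructed.

```python
from ipaddress import ip_address, ip_network

PRIVATE_RANGES = [ip_network("10.0.0.0/8"),        # 10.x.x.x
                  ip_network("172.16.0.0/12"),     # 172.16.0.0 through 172.31.255.255
                  ip_network("192.168.0.0/16")]    # 192.168.x.x

def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in PRIVATE_RANGES)

class Nat:
    """Port-based NAT gateway: many private hosts share one public address."""

    def __init__(self, public_ip: str, forwards: dict = None):
        self.public_ip = public_ip
        self.forwards = forwards or {}   # public port -> (private ip, port) for exposed servers
        self.by_public_port = {}         # public port -> (private ip, private port)
        self.by_private = {}             # (private ip, private port) -> public port
        self.next_port = 40000

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> tuple:
        """Rewrite an outgoing packet's source; remember the mapping for replies."""
        if not is_private(src):
            raise ValueError(f"{src} is not an inside address")
        key = (src, sport)
        if key not in self.by_private:           # first packet of this flow: allocate a port
            self.by_private[key] = self.next_port
            self.by_public_port[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.by_private[key], dst, dport)

    def inbound(self, src: str, sport: int, dport: int):
        """Map an incoming packet back to an inside host, or reject it."""
        if dport in self.by_public_port:         # reply to a flow started from inside
            return (src, sport) + self.by_public_port[dport]
        if dport in self.forwards:               # gateway configured to expose a server
            return (src, sport) + self.forwards[dport]
        return None                              # unsolicited inbound connection: dropped
```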

Enterprise Network Authentication

Enterprise authentication issues

Eavesdropping risks

Management of multiple servers

Keeping credentials up to date

Authentication design patterns

Local authentication

Direct authentication

Indirect authentication

Off-line authentication

Local Authentication

Direct Authentication

Indirect Authentication

Off-Line Authentication
