TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) · TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) ... • Application for data encryption and ... EikeRitter Network Security

TCP/IP: Ethernet, IP, and ARP

(and a PGP refresher)

Network Security

Lecture 2

Any questions on…

• Administrativia, organizational matters?

• Historical/cultural overview?

Eike Ritter Network Security - Lecture 2 1

Today

• PGP in 6 slides

• IP

• Ethernet

• ARP

• Attacks: sniffing


PGP


Pretty Good Privacy (PGP)

• Application for data encryption and

decryption created by Phil Zimmermann

• Message format used by PGP is standardized

(RFC 4880), so that interoperability among

different programs is possible

• Here we will use GnuPG


Generating a key

• $ gpg --gen-key

• Every user has one (or more) key pairs,

consisting of a private key and a public key

– The private key can be encrypted using a

passphrase

– All keys are stored in a keyring

• This command generates a new key pair and

stores it in the keyring


Publishing the public key

• $ gpg --export –a ‘Eike Ritter (Test key)’-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1.4.10 (GNU/Linux)

mQENBE8KvXUBCADGTet/EQF0qPeaG5IkwWzGfRxc2XT7I6KvOKI4NverNxC8JijFZKMf0RSZ5himtEVGjXTmc0hyMzuYlDzg/oVM70tygqEEC28IpppdINJVtyUfNYwu……=aGju-----END PGP PUBLIC KEY BLOCK-----

• Public key can be upload it to web site or to keyserver, such as pgp.mit.edu


Encrypting a message

• $ gpg -r <recipient-key> -e secret.txt

• Encrypts the file secret.txt so that the recipient having public key <recipient-key> can recover its plain text content

• In practice, a session key is generated randomly and is used to encrypt (symmetrically) the file

• The session key is encrypted with the public key of the recipient(s) and attached to the file

• Decrypting:$ gpg -d secret.gpg


Signing a message

• $ gpg -s -a secret.txt

• Generates a signature for the given file (in

ASCII format) using the private key of the user

• The signature can be verified by using the

public key of the signer:

$ gpg --verify secret.ascgpg: Signature made Mon 09 Jan 2012 10:43:15 GMT using

RSA key ID AA226670

gpg: Good signature from "Eike Ritter (Test key)

<[email protected]>"


Other common operations

• Generating a detached signature

• Signing and encrypting a message

• Web of trust: sign a public key

• Revoking a key


TCP/IP


TCP/IP Protocol Suite

• Network protocols– IP (Internet Protocol)

– ICMP (Internet Control Message Protocol)

• Transport protocols– TCP (Transmission Control Protocol)

– UDP (User Datagram Protocol)

• Application protocols– HTTP (HyperText Transfer Protocol)

– SSH

– DNS

• Other protocols– ARP (Address Resolution Protocol)

Eike Ritter 11Network Security - Lecture 2

TCP/IP layering


Ethernet, WirelessEthernet, Wireless

Network cardNetwork card

IPIP

TCPTCP

SSHSSH

UDPUDP

HTTPHTTPDNSDNSRPCRPC FTPFTP Application

• Application-specific

protocols

Transport

• Ordering, multiplexing,

correctness

Network

• Transmission and routing

across subnets

Data link

• Error control between

adjacent nodes

Physical

• Connect to channel

• Send/receive bytes

ICMPICMP

IP addresses

• Each host has one or more IP addresses for each network interface

• IPv4 addresses are composed of 32 bit (class+netid+hostid)

• Represented in dotted-decimal notation: 147.188.193.82

• Classes (up to ~1993)


Class Starts with Netid bits Hostid bits # hosts

A 0 7 24 16,777,21

4B 10 14 16 65,534

C 110 21 8 254

D 1110 Multicast address

E 1111 Reserved for future use

Special addresses

• 127.0.0.0 – 127.255.255.255: loopback interface

• Private networks (RFC 1597):– 10.0.0.0 - 10.255.255.255

– 172.16.0.0 - 172.31.255.255

– 192.168.0.0 - 192.168.255.255

• Network– hostid bits set to 0

• Broadcast– All bits set to 1: local broadcast

– Netid+hostid with all bits to 1: net-directed broadcast to netid (147.188.255.255)


Classless Inter-Domain Routing (CIDR)

• Classes lead to inefficient use of IP space and to large routing tables– Not enough class B

– Little opportunity for route aggregation (many class C networks geographically dispersed)

• Solution: variable-length subnet masking, i.e., the netid/hostid boundary can be placed on arbitrary bit

• Notation: /N gives the number of bits interpreted as network number (“prefix”)– /24: legacy class C

– /16: legacy class B

– /8: legacy class A


Internet Protocol (IP)

• Transmissions of blocks of data (datagrams) from source to destination

• Standardized in RFC 791

• Transmission properties

– Connectionless

– Unreliable, best-effort• delivery, integrity, ordering, non-duplication are not guaranteed

• IP does handle fragmentation and reassembly of long datagrams

• For direct communication, IP relies on lower level protocols (e.g., Ethernet)


IP datagram

Version HL ToS Total length

Identifier Flags Fragment offset

Time To Live Protocol Header checksum

Source IP address

Destination IP address

Options Padding

Data


0 4 8 12 16 20 24 28 31

IP header

• Normal size: 20 bytes

• Version (4 bits): 4 (IPv4)

• Header length (4 bits): number of 32-bit words in the header, including options (max header size: 60 bytes)

• Type Of Service (8 bits): – Used to be: priority (3 bits), quality of service (4 bits),

unused bit

– Now: Differentiated Services Code Point (6 bits), Explicit Congestion Notification (2 bits)

• Total length (16 bits): datagram length in bytes (max size: 65,535 bytes)

• ID (16 bits): datagram identifier


IP header

• Flags (3 bits) and Offset (13 bits): to support fragmentation

• Time To Live (8 bits): max number of hops in the delivery process

• Protocol (8 bits): specifies the protocol encapsulated in the datagram data (e.g., TCP, UDP)

• Header checksum (16 bits): checksum calculated over the IP header– Recomputed at each hop (TTL, fragmentation)

• Source and destination address (32 bits each): IP addresses of the source and destination of the datagram


IP options

• Present if header length > 5

• Variable length

• Type is identified by first byte

– Record route

– Source route

– Timestamp

– …

• Not often used


IP encapsulation

• How are IP datagrams transferred over a LAN?

• RFC 894 explains IP over Ethernet

– Encapsulation + direct delivery


Frame dataFrame dataFrame headerFrame header

IP headerIP header IP dataIP data

IP direct delivery

• Sender forwards a packet to the final

destination on a directly attached network


147.188.193.82

00:19:D1:80:AE:45147.188.193.15

147.188.193.6

00:04:96:1D:6B:20

From: 00:19:D1:80:AE:45

To: 00:04:96:1D:6B:20

From: 147.188.193.82

To: 147.188.193.6

147.188.193.80

Ethernet

• Widely-used link layer protocol

• Uses CSMA/CD (Carrier Sense, Multiple Access

with Collision Detection)


Dest Src Ethertype Payload CRC

6 bytes 6 bytes 2 bytes 46-1500 bytes 4 bytes

08000800 IP datagramIP datagram

08060806 ARPARP

Address Resolution Protocol (ARP)

• Used to map an IP address to the link-level

addresses associated with the peer’s

hardware interface (e.g., Ethernet)

• ARP messages are encapsulated in the

underlying link-level protocol


Address Resolution Protocol (ARP)

• Host A wants to know the hardware address associated with IP address Ib of host B

• A broadcasts a special message to all the hosts on the same physical link

• Host B answers with a message containing its own link-level address

• A keeps the answer in its cache (for some time, e.g., 20 minutes)

• When A sends its request, A includes its own IP address in the request- As an optimization, the receiver of the ARP request may

cache the requester mapping


ARP messages

• Mapping information– Hardware (2 bytes) [Typically: Ethernet]

– Protocol (2 bytes) [Typically: IP]

– Hardware size (1 byte)

– Protocol size (1 byte)

Typically: 0x0001, 0x0800, 6, 4

• Op: type of message (1: request; 2: response)

• Sender Ethernet/IP: sender data

• Target Ethernet/IP: target data- Target Ethernet is all 0s in request


Hw typeProto

typeHw size

Proto

sizeOp

Sender

Ether

Sender

IP

Target

Ether

Target

IP

ARP traffic


host1# arp –n

host1# ping –c 1 192.168.0.2

04:21:16.312430 ARP, Request who-has 192.168.0.2 tell 192.168.0.1, length 28

04:21:16.312500 ARP, Reply 192.168.0.2 is-at 00:30:48:dd:ec:12, length 46

04:21:16.312506 IP 192.168.0.1 > 192.168.0.2: ICMP echo request, id 16976, seq 1, length 64

04:21:16.312577 IP 192.168.0.2 > 192.168.0.1: ICMP echo reply, id 16976, seq 1, length 64

host1# arp –n

192.168.0.2 ether 00:30:48:dd:ec:12 C eth0

Host2# arp –n

192.168.0.1 ether 00:30:48:de:0b:3a C eth0

host1: 192.168.0.1

00:30:48:de:0b:3a

192.168.0.3 host2: 192.168.0.2

00:30:48:dd:ec:12

ARP request

ARP response

Exercise

• Alice (192.168.1.1) wants to send an IP datagram to Bob (192.168.1.2)

• What happens? (fill in the blanks)


Alice Bob

LAN attacks

Attack Security violation Attacker goal

Sniffing Confidentiality Access to information

Spoofing Authenticity Impersonation of trusted host

Hijacking Confidentiality,

Integrity, Authenticity

Impersonation, access to information

Denial of Service Availability Disruption


Network sniffing

• The attacker sets his/her network interface in promiscuous mode so that all packets can be received (not only those directed to the attacker’s host)

• Can access all the traffic on the segment

• Note: sniffing on University network is a “disciplinary offence”


Network sniffing

• Many protocols (e.g., POP, TELNET, HTTP,

IMAP) transfer sensitive information (e.g.,

authentication credentials) in the clear

• By sniffing the traffic, it is possible to collect

credentials, files, content of visited web

pages, emails, etc.

• Many tools available


tcpdump

• Tool to sniff and analyze the traffic on a network segment

• One of the “standard” network tools

• Based on libpcap, which provides a platform-independent library and API to perform traffic sniffing

• Allows one to specify an expression that defines which packets have to be printed

• Requires root privileges to set the interface in promiscuous mode (regular users can read traffic data saved in a file)


tcpdump: command line options

• -i: use the given network interface

• -r: read packets from a file

• -w: write packets to a file

• -s: specify the amount of data to be sniffed for

each packet (0 means catch whole packets)

• -n: do not convert addresses to names

• -x: print the data of each packet in hex


tcpdump: filters

• If a filter expression is provided, tpcdump only

processes packets matching the expression

• Expression consists of one or more primitives

• Primitives are composed of a qualifier and an

id

• Operators can be used to create complex filter

expressions


tcpdump filters – cont’d

Qualifiers

• Type

– host (host 192.168.0.1)

– net (net 192.168)

– port (port 80)

• Dir: direction of traffic

– src (src host 192.168.0.1)

– dst

• Proto: protocol of interest

– Ether (ether src host 00:0c:29:ab:2c:18)

– Ip

– arp

Operators

• Logical: and, or, not– src host 192.168.0.01 and

dst host google.com

• Relational: <, >, >=, <=, =, !=

• Binary: +, -, *, /, &, |

• Data: proto[expr:size]– expr: offset

– size: # bytes of interest

– ip[0] & 0xf > 5: filters IP datagrams with options

– arp[7] = 2: ARP replies


Wireshark


Detecting sniffers

• Sniffers work by putting the network interface in promiscuous mode

• ifconfig$ ifconfig en1en1:flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu1500

ether d8:a2:5e:ab:cd:efinet 10.4.59.191 netmask 0xffff0000 broadcast 10.4.255.255media: autoselectstatus: active

• On recent Linux versions, this will not (always) work due to changes in how the state of the interface is maintained in the kernel that have not been ported back to tools– Instead, read interface flags from /sys filesystem

– If flags & 0x100 then interface is in promiscuous mode (/include/linux/if.h)# cat /sys/class/net/eth0/flags0x1003# tcpdump –i eth0 &# cat /sys/class/net/eth0/flags0x1103


Detecting sniffers – cont’d

• Remote detection is difficult since sniffers are typically passive programs

• Suspicious DNS lookups– Sniffer attempts to resolve names associated with IP address (e.g., tcpdump

without –n option)

– Generate traffic to/from IP addresses and detect attempts to resolve their names

– $ ping 173.194.37.10416:27:38.657863 IP 172.16.48.130 > 173.194.37.104: ICMP echo request, id 21009, seq 1, length 6416:27:38.659014 IP 172.16.48.139.57105 > 172.16.48.2.53: 20764+ PTR? 104.37.194.173.in-addr.arpa. (45)

• Latency– Since NIC is in promiscuous mode, it will need to process every packet

– Analyze response time of host A (e.g., sending ping packets)

– Generate lots of traffic to other hosts and analyze response time of host A


NEXT ON


Take away points

• Basics of gpg

• Basics of Ethernet, IP, ARP and how they fit

together

• Sniffing on a network

• Tools

– tcpdump

– wireshark


Next time

• Continue analysis of TCP/IP

• More attacks!


TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) · TCP/IP: Ethernet, IP, and ARP (and a PGP refresher) ... • Application for data encryption and ... EikeRitter Network Security

Documents