Session2 - Fundamentals of TCP - IP Networking


CSIT 416

DEFENSIVE TECHNOLOGIES
Lecture 2
Session 2: Fundamentals of TCP/IP Networking
[email protected]

College of Education
School of Continuing and Distance Education
Outline

• Fundamentals of TCP/IP networking

• IPv4 packet structure

• Internet Protocol version 6 (IPv6)


Objectives
• Explain the fundamentals of TCP/IP networking
• Describe IPv4 packet structure and explain packet fragmentation
• Describe Internet Protocol version 6 (IPv6)


Introduction
• The information in this session serves as an introduction to the TCP/IP suite of network protocols.
• Basic IPv4 and IPv6 concepts are discussed, as well as the transport layer TCP and UDP protocols. The differences that exist between the ICMP protocol’s IPv4 version and IPv6 version are also covered.
FUNDAMENTALS OF TCP/IP NETWORKING
• Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of many protocols for transmitting information from point to point on a network
– Often referred to as a “stack”
• This section covers:
– Open System Interconnection (OSI) model
– IP addressing
– Subnetting
The OSI Model and TCP/IP Protocols
OSI layer      TCP/IP stack
Application    HTTP, DNS, DHCP
Presentation   FTP, SNMP, Telnet
Session        IMAP, SMTP, POP
Transport      TCP, UDP
Network        IP, ICMP, IGMP, ARP, RIP, OSPF
Data Link      Device drivers
Physical       Network adapter
Table 2-1 The OSI model and the subprotocols of the TCP/IP stack
The OSI Model
• TCP/IP subprotocols are services that support a
number of network functions:
– HTTP (Hypertext Transfer Protocol)
– DNS (Domain Name System)
– DHCP (Dynamic Host Configuration Protocol)
– FTP (File Transfer Protocol)
– SNMP (Simple Network Management Protocol)
– Telnet
– IMAP, SMTP, POP
TCP/IP Addressing
• IP addresses are a method used to identify computers
– Processed at the Network layer of the OSI model
– Most common in use conform to Internet Protocol version 4 (IPv4)
• 32-bit address divided into four groups called octets
• Each octet contains 8 bits of data
– In binary, an IP address looks like:
• 10000000.00100110.00101100.11100010
– Binary is converted to dotted decimal notation
• 192.168.10.1
TCP/IP Addressing
• IP address components
– Network identifier – shared among computers in a network segment
– Host address – unique to each computer on the network segment
• Subnet mask – used to identify which part of the IP address is the network identifier and which is the host identifier
• Attackers can gain access to a network by determining IP addresses of computers
• IP addresses need to be concealed to prevent certain attacks
TCP/IP Addressing
• If an attacker can find a PC’s IP address, they can run a port scan to look for open ports to exploit
• To hide addresses, use Network Address Translation (NAT)
– Translates private network’s internal addresses into external addresses that can be used on the public Internet
• Private network’s internal addresses are not routable on the Internet
• Today IP addresses are in short supply, so Internet Protocol version 6 (IPv6) is being implemented
Address Classes
• IPv4 addresses are separated by classes
– Class is determined by the number of its networks compared to number of hosts
– Example: a Class A address uses 8 bits for the network portion and 24 bits for the host portion
IP Address Classes
Class     First octet decimal range   Default subnet mask   Purpose
Class A   1-126                       255.0.0.0             Large corporations and governments
Class B   128-191                     255.255.0.0           Medium networks
Class C   192-223                     255.255.255.0         Small networks
Class D   224-239                     N/A                   Multicasting
Class E   240-254                     N/A                   Experimentation
Note: 127.x.x.x is reserved; the address 127.0.0.1 is used to indicate the local system's TCP/IP implementation.
Table 2-2 IP address classes


Private IP Address Ranges
• Private addresses are needed so that organizations can build internal infrastructures
– Public IP addresses require registration and a fee for each address
– Private addressing scheme eliminates the need to purchase addresses for every group of machines
Network address   Subnet mask     First valid host address   Last valid host address   Broadcast address
10.0.0.0          255.0.0.0       10.0.0.1                   10.255.255.254            10.255.255.255
172.16.0.0        255.240.0.0     172.16.0.1                 172.31.255.254            172.31.255.255
192.168.0.0       255.255.0.0     192.168.1.1                192.168.255.254           192.168.255.255
Table 2-3 Private IP address ranges


Subnetting
• Address classes already have network ID octets by default
– Class A uses first octet
– Class B uses first two octets
– Class C uses first three octets
• Default Class B has 16 bits available for hosts
– This means a Class B network can have more than 65,000 host addresses
– Some of the host bits can be used to identify the network
– Creates smaller subnetworks with fewer hosts
Subnetting
• Subnetting can be used for:
– Mirroring the organization’s physical layout
– Mirroring the organization’s administrative structure
– Planning for future growth
– Reducing and controlling network traffic
– Increasing network security
• If all users with similar security and access needs are grouped into a single subnet, the entire group can be managed instead of managing each user separately
Subnetting
• Subnetting
– Borrow bits from host portion of IP address
– Number of borrowed bits determines how many subnets and hosts are available
– At least two bits must be available for hosts
• Up to 14 bits can be borrowed for a Class B network
Subnetting
Subnet mask       Number of subnetworks   Usable hosts per subnet
255.255.128.0     2                       32766
255.255.192.0     4                       16384
255.255.224.0     8                       8190
255.255.240.0     16                      4094
255.255.248.0     32                      2046
255.255.252.0     64                      1022
255.255.254.0     128                     510
255.255.255.0     256                     254
255.255.255.128   512                     126
255.255.255.192   1024                    62
255.255.255.224   2048                    30
255.255.255.240   4096                    14
255.255.255.248   8192                    6
255.255.255.252   16384                   2
Table 2-4 Class B subnetting
Subnetting
Binary digit         1     1     1     1     1     1     1     1
Decimal equivalent   128   64    32    16    8     4     2     1
Table 2-5 Binary-to-decimal values


Subnetting
• Subnetting a Class C address example:
– Network address: 199.1.10.0
– Default subnet mask: 255.255.255.0
– Selected mask: 255.255.255.224
– Mask in binary: 11111111.11111111.11111111.11100000
• Last masked digit occupies the binary value of 32
• Starting with the network address, increment by 32 until you reach the mask’s number (224)
Subnetting
Subnet address   Valid host address range      Broadcast address for subnet
199.1.10.0       199.1.10.1-199.1.10.30        199.1.10.31
199.1.10.32      199.1.10.33-199.1.10.62       199.1.10.63
199.1.10.64      199.1.10.65-199.1.10.94       199.1.10.95
199.1.10.96      199.1.10.97-199.1.10.126      199.1.10.127
199.1.10.128     199.1.10.129-199.1.10.158     199.1.10.159
199.1.10.160     199.1.10.161-199.1.10.190     199.1.10.191
199.1.10.192     199.1.10.193-199.1.10.222     199.1.10.223
199.1.10.224     199.1.10.225-199.1.10.254     199.1.10.255
Table 2-6 Subnetting example


Variable Length Subnet Masking
• Networks that do not have a large number of available IP addresses use variable length subnet masking (VLSM)
– Involves applying masks of varying sizes to the same network
– Creates subnets within subnets
– Often used to secure stub networks (networks that have only one connection to any other network)
Classless Interdomain Routing
• Classless Interdomain Routing (CIDR) – specifies the number of masked bits in an IP address/subnet mask combination
• Example:
– A network address of 192.168.6.0 with a subnet mask of 255.255.255.224 would have a CIDR notation of 192.168.6.0/27
• CIDR overcomes limitations of default subnet masks so that unused addresses do not go to waste
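The subnet arithmetic behind Table 2-4 (Class B subnet counts), the Class C walk-through of Table 2-6 (199.1.10.0 with 255.255.255.224) and the CIDR example above, worked in Python so that each figure can be recomputed rather than looked up. This is an added example and not part of the lecture material; it uses only the standard library, and the function names and the mask-validity check are this example's own.

```python
"""Subnetting and CIDR arithmetic.

Added example, not part of the lecture: works the numbers behind Table 2-4
(Class B subnet counts), Table 2-6 (subnetting 199.1.10.0 with
255.255.255.224) and the CIDR example (192.168.6.0/27). Standard library
only; the sample networks are the ones quoted on the slides.
"""


def mask_to_prefix(mask: str) -> int:
    """Number of masked (1) bits in a dotted-decimal mask: 255.255.255.224 -> 27."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed mask: {mask}")
    bits = "".join(f"{o:08b}" for o in octets)
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):   # mask bits must be contiguous
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def to_cidr(network: str, mask: str) -> str:
    """192.168.6.0 with 255.255.255.224 -> '192.168.6.0/27'."""
    return f"{network}/{mask_to_prefix(mask)}"


def class_b_subnets(mask: str) -> tuple:
    """(number of subnets, usable hosts per subnet) for a Class B network
    subnetted with `mask`, as in Table 2-4. Class B has 16 default network
    bits; the remaining 1 bits of the mask are borrowed from the host portion."""
    prefix = mask_to_prefix(mask)
    borrowed, host_bits = prefix - 16, 32 - prefix
    if borrowed < 1:
        raise ValueError("mask does not borrow any host bits")
    if host_bits < 2:
        raise ValueError("at least two bits must remain for hosts")
    return 2 ** borrowed, 2 ** host_bits - 2   # -2: network and broadcast addresses


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def enumerate_subnets(network: str, default_mask: str, new_mask: str) -> list:
    """Rows of Table 2-6: (subnet address, first host, last host, broadcast).

    The block size is the value of the last masked bit (32 for 255.255.255.224),
    so subnet addresses step by that increment across the original network."""
    old, new = mask_to_prefix(default_mask), mask_to_prefix(new_mask)
    if new <= old:
        raise ValueError("new mask must borrow at least one host bit")
    base = ip_to_int(network)
    if base & ((1 << (32 - old)) - 1):
        raise ValueError(f"{network} is not a network address for {default_mask}")
    block = 1 << (32 - new)    # increment between consecutive subnets
    span = 1 << (32 - old)     # size of the original (default-mask) network
    return [
        (int_to_ip(s), int_to_ip(s + 1), int_to_ip(s + block - 2), int_to_ip(s + block - 1))
        for s in range(base, base + span, block)
    ]


if __name__ == "__main__":
    print(to_cidr("192.168.6.0", "255.255.255.224"))
    for mask in ("255.255.128.0", "255.255.255.0", "255.255.255.252"):
        print(mask, class_b_subnets(mask))
    for row in enumerate_subnets("199.1.10.0", "255.255.255.0", "255.255.255.224"):
        print(*row)
```

The contiguity check in mask_to_prefix matters for filtering rules: a mask such as 255.0.255.0 is accepted by some tools but has no CIDR prefix, and a rule written with it will not match the hosts the author expects.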
Unicasting, Multicasting, and Broadcasting
• Unicast transmission: one packet is sent from one server to each client computer individually
• Multicast transmission: server can treat several computers as a group and send one transmission that reaches all of them
– Example: streaming video presentation
• Broadcast transmission: sent to all nodes on a specific network
– Flooded broadcasts: sent to any subnet
– Directed broadcasts: sent to a specific subnet
PART TWO
IPv4 PACKET STRUCTURE
• IP datagrams
– Portion of the packet that is responsible for routing through networks
– Processed at the Network layer of the OSI model
– Complete message is transmitted using multiple datagrams
– Contain information about source and destination IP addresses, control settings, and data
Examining Internet Protocol Version 4 (IPv4)
– Divided into different sections
• Primary subdivisions are header and data
• Some packets have a footer (or trailer) that indicates the end of a packet or error checking (CRC)
IP Header Structure
• Part of an IP packet that computers use to communicate
• IP header plays an important role in terms of network security and intrusion detection
• Contains a number of fields and is similar to a TCP header
IP Header Structure, Part 2

Figure 2-1 IP header structure

IP Header Structure
• Most network operating systems (NOSs) have a type of built-in or add-on program to monitor network activity
• Most administrators prefer third-party applications for their versatility and extra features
– Wireshark (formerly Ethereal) is an example
IP Header Structure

Figure 2-2 IP header structure as seen in a Wireshark packet capture


ICMP Messages
• Internet Control Message Protocol (ICMP) is used to assist with troubleshooting communication problems
– Ping command uses ICMP to check whether a remote host has connectivity
• Processed at the Network layer of the OSI model
• Firewalls or packet filters can be configured to accept or deny certain ICMP packets through the network
– Some ICMP packets could be used as part of an attack
ICMP Types
ICMP type               Name
0                       Echo Reply
3                       Destination Unreachable
4                       Source Quench
5                       Redirect
6                       Alternate Host Address
8                       Echo
9                       Router Advertisement
10                      Router Selection
11                      Time Exceeded
12                      Parameter Problem
13                      Timestamp
14                      Timestamp Reply
15                      Information Request
16                      Information Reply
17                      Address Mask Request
18                      Address Mask Reply
30                      Traceroute
31                      Datagram Conversion Error
32                      Mobile Host Redirect
33                      IPv6 Where-Are-You
34                      IPv6 I-Am-Here
35                      Mobile Registration Request
36                      Mobile Registration Reply
37                      Domain Name Request
38                      Domain Name Reply
39                      SKIP
40                      Photuris
1-2, 7, 19-29, 41-252   Unassigned or Reserved
Table 2-7 ICMP types
TCP Headers
• TCP/IP packets may also contain TCP headers
– TCP headers are processed at the Transport layer of the OSI model
– TCP portion of a packet is called a TCP segment
– Flags section of a TCP header is important:
• You can specify them when you create packet-filtering rules
TCP Header Structure

Figure 2-3 TCP header structure

UDP Headers
• User Datagram Protocol (UDP): provides a transport service for IP
– Processed at Transport layer of the OSI model
– Considered unreliable because it is connectionless
• UDP packet does not contain the sequence or acknowledgement numbers that enable TCP to guarantee delivery
– Much faster than TCP
– Used for broadcasting messages or for protocols that do not require the same level of service as TCP
– Attackers can scan for open UDP services
UDP Header Structure

Figure 2-5 UDP header structure


Packet Fragmentation
• Originally developed to allow large packets to pass through routers with frame size limitations
– Routers divide packets into multiple fragments and send them along the network
• Fragmentation creates security problems
– Port numbers appear only in fragment 0
– Fragments 1 and higher pass through filters without being scrutinized
• Attacker can modify the IP header to make all fragment numbers start at 1 or higher
– Configure firewall to drop all fragmented packets
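The header fields the IP Header Structure slides and the fragmentation slide rely on, decoded from raw bytes. This is an added example, not code from the lecture: it unpacks the fixed 20-byte IPv4 header with the standard struct module, verifies the header checksum, and implements the slide's rule (drop every fragment) as the default policy, with an opt-in variant of this example's own that lets a first fragment through only when it actually carries the transport-layer ports. The packets, addresses and policy names are constructed for the example.

```python
"""IPv4 header parsing and a fragment-inspection rule.

Added example, not from the lecture. Unpacks the 20-byte fixed IPv4 header
(the layout of Figure 2-1) with struct, verifies the header checksum, and
applies the Packet Fragmentation slide's policy: port numbers are present
only in fragment 0, so a filter either drops every fragment (default) or,
if first fragments are allowed, drops everything it cannot check. All
packets below are constructed; the policy names are this example's own.
"""
import socket
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # network byte order, 20 bytes
DF_FLAG, MF_FLAG, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, payload: bytes, *, proto: int = 6,
                 ident: int = 0x1234, ttl: int = 64,
                 more_fragments: bool = False, offset_units: int = 0) -> bytes:
    """Constructed IPv4 packet with a valid header checksum (offset in 8-byte units)."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 x 32-bit words
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    hdr = IPV4_HEADER.pack(ver_ihl, 0, 20 + len(payload), ident, flags_frag, ttl,
                           proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields a filter looks at; raises ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = IPV4_HEADER.unpack(packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "header_length": header_len,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & DF_FLAG),
        "more_fragments": bool(flags_frag & MF_FLAG),
        "fragment_offset": (flags_frag & OFFSET_MASK) * 8,   # bytes into the original datagram
        "ttl": ttl,
        "protocol": proto,
        # summing the header including its checksum field gives 0 when intact
        "checksum_ok": checksum(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def fragment_verdict(packet: bytes, allow_first_fragment: bool = False) -> str:
    """Default: drop all fragments, as the slide recommends. With
    allow_first_fragment, pass fragment 0 only when its payload is long enough
    to hold the TCP/UDP source and destination ports (first 4 bytes)."""
    h = parse_ipv4_header(packet)
    if not h["checksum_ok"]:
        return "drop: bad header checksum"
    if not (h["more_fragments"] or h["fragment_offset"]):
        return "inspect: unfragmented"
    if not allow_first_fragment:
        return "drop: fragmented packet"
    if h["fragment_offset"] > 0:
        return "drop: non-initial fragment carries no port numbers"
    if h["total_length"] - h["header_length"] < 4:
        return "drop: first fragment too short to hold the ports"
    return "inspect: first fragment"


if __name__ == "__main__":
    tcp_stub = bytes(20)                    # constructed placeholder for a TCP header
    whole = build_packet("192.168.10.1", "10.0.0.5", tcp_stub)
    first = build_packet("192.168.10.1", "10.0.0.5", tcp_stub, more_fragments=True)
    later = build_packet("192.168.10.1", "10.0.0.5", bytes(8), offset_units=185)
    for pkt in (whole, first, later):
        print(parse_ipv4_header(pkt)["fragment_offset"], fragment_verdict(pkt, True))
```

The fragment offset is stored in 8-byte units, which is why the parser multiplies it by 8; a filter that compares the raw field against a byte count will mis-classify every non-initial fragment.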
The TCP Life Cycle and the TCP Three-Way Handshake, Part 1
• Establishing connection-oriented communication using a three-way handshake:
– Host A sends an initial sequence number in its first packet to Host B
• Called a SYN packet
– Host B receives the SYN packet and responds with SYN ACK with an initial sequence number for Host B
• Includes an acknowledgement number that is one more than the initial sequence number
– Host A sends an ACK packet to Host B
• Increases Host B’s sequence number by one
TCP Three-Way Handshake: SYN ACK
Field                    Value
Sending computer         Host A
Source TCP port          26077
Destination TCP port     80
Sequence number          50088
Acknowledgement number   0
Flags                    SYN
Table 2-8 TCP three-way handshake: SYN

Field                    Value
Sending computer         Host B
Source TCP port          80
Destination TCP port     26077
Sequence number          79995
Acknowledgement number   50089
Flags                    SYN ACK
Table 2-9 TCP three-way handshake: SYN ACK

TCP Three-Way Handshake: ACK
Field                    Value
Sending computer         Host A
Source TCP port          26077
Destination TCP port     80
Sequence number          50089
Acknowledgement number   79996
Flags                    ACK
Table 2-10 TCP three-way handshake: ACK


The TCP Life Cycle and the TCP Three-Way Handshake, Part 2
• Sliding window size: determines the number of packets that can be sent before ACKs must be received
– Controls the flow and efficiency of communications
– Sender controls size of sliding window
• FIN flag is set when either side is ready to end the session
– Station that receives the initial flag sends a response packet with the ACK flag and its own FIN flag set to acknowledge receipt and to show it is ready to end the session
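The handshake of Tables 2-8 to 2-10 and the FIN exchange described above, simulated end to end with both hosts' segments. This is an added example, not lecture code: Host A (port 26077, initial sequence number 50088) and Host B (port 80, initial sequence number 79995) are the values from the tables; the class layout and the accepts helper are this example's own, while the state names follow TCP's. Each side validates the peer's acknowledgement number before it changes state, which is the property a stateful packet filter relies on to distinguish a completed handshake from a stray ACK.

```python
"""TCP three-way handshake and FIN close, simulated in-process.

Added example, not lecture code: Host A (port 26077, ISN 50088) and Host B
(port 80, ISN 79995), the values of Tables 2-8 to 2-10, exchange SYN,
SYN ACK and ACK, then close with the FIN / FIN ACK exchange from Part 2.
Each side validates the peer's acknowledgement number before it changes
state. Class layout is this example's own; state names follow TCP's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN"}


@dataclass
class Endpoint:
    name: str
    port: int
    isn: int              # initial sequence number
    state: str = "CLOSED"
    snd_nxt: int = 0      # next sequence number this side sends
    rcv_nxt: int = 0      # next sequence number expected from the peer

    def _send(self, dst_port: int, flags: set) -> Segment:
        ack = self.rcv_nxt if "ACK" in flags else 0
        seg = Segment(self.port, dst_port, self.snd_nxt, ack, frozenset(flags))
        if flags & {"SYN", "FIN"}:
            self.snd_nxt += 1  # SYN and FIN each consume one sequence number
        return seg

    def _check_ack(self, seg: Segment) -> None:
        if seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ACK {seg.ack} != expected {self.snd_nxt}")

    def connect(self, dst_port: int) -> Segment:   # active open, Table 2-8
        self.snd_nxt, self.state = self.isn, "SYN_SENT"
        return self._send(dst_port, {"SYN"})

    def close(self, dst_port: int) -> Segment:     # initiate teardown
        self.state = "FIN_WAIT"
        return self._send(dst_port, {"FIN", "ACK"})

    def receive(self, seg: Segment):
        """Consume a segment; return the reply, or None when no reply is due."""
        st, f = self.state, seg.flags
        if st == "LISTEN" and f == {"SYN"}:
            self.rcv_nxt, self.snd_nxt = seg.seq + 1, self.isn   # ack = peer ISN + 1
            self.state = "SYN_RECEIVED"
            return self._send(seg.src_port, {"SYN", "ACK"})      # Table 2-9
        if st == "SYN_SENT" and f == {"SYN", "ACK"}:
            self._check_ack(seg)
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return self._send(seg.src_port, {"ACK"})             # Table 2-10
        if st == "SYN_RECEIVED" and f == {"ACK"}:
            self._check_ack(seg)
            self.state = "ESTABLISHED"
            return None
        if st == "ESTABLISHED" and "FIN" in f:                   # peer is ending the session
            if seg.seq != self.rcv_nxt:
                raise ValueError(f"{self.name}: out-of-order FIN")
            self.rcv_nxt, self.state = seg.seq + 1, "LAST_ACK"
            return self._send(seg.src_port, {"FIN", "ACK"})      # ACK it and send own FIN
        if st == "FIN_WAIT" and f == {"FIN", "ACK"}:
            self._check_ack(seg)
            self.rcv_nxt, self.state = seg.seq + 1, "TIME_WAIT"
            return self._send(seg.src_port, {"ACK"})
        if st == "LAST_ACK" and f == {"ACK"}:
            self._check_ack(seg)
            self.state = "CLOSED"
            return None
        raise ValueError(f"{self.name}: unexpected {sorted(f)} in state {st}")


def run_session(a: Endpoint, b: Endpoint) -> list:
    """Handshake, then A closes. Returns the six segments in wire order."""
    b.state = "LISTEN"
    wire = [a.connect(b.port)]                # SYN
    wire.append(b.receive(wire[-1]))          # SYN ACK
    wire.append(a.receive(wire[-1]))          # ACK; A is ESTABLISHED
    b.receive(wire[-1])                       # B is ESTABLISHED
    wire.append(a.close(b.port))              # FIN ACK from A
    wire.append(b.receive(wire[-1]))          # FIN ACK from B
    wire.append(a.receive(wire[-1]))          # final ACK
    b.receive(wire[-1])
    return wire


def accepts(endpoint: Endpoint, seg: Segment) -> bool:
    """True when the endpoint's state machine accepts the segment."""
    try:
        endpoint.receive(seg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    host_a, host_b = Endpoint("Host A", 26077, 50088), Endpoint("Host B", 80, 79995)
    for s in run_session(host_a, host_b):
        print(f"{s.src_port:>5} -> {s.dst_port:<5} seq={s.seq} ack={s.ack} {sorted(s.flags)}")
    print(host_a.state, host_b.state)   # TIME_WAIT CLOSED
```

Running the script prints the six segments; the first three carry exactly the port, sequence and acknowledgement values of Tables 2-8 to 2-10. A lone ACK arriving at a listening endpoint, or a SYN ACK whose acknowledgement number is not the peer's sequence number plus one, is rejected, which is the check a stateful filter applies before admitting a session.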
Summary of the TCP Three-Way Handshake

Figure 2-7 Summary of the TCP three-way handshake


Domain Name Service
• DNS servers translate fully qualified domain names (FQDNs) to IP addresses
• DNS can be used to block unwanted communications
– Administrators can block Web sites containing offensive content
• DNS attacks
– Buffer overflow
– Zone transfer
– Cache poisoning
INTERNET PROTOCOL VERSION 6
• IPv6 addresses the many limitations of IPv4
– IPv6 has a larger address space of 128 bits
– Routing tables need only the entries of other routers that are directly connected to them
– IPv6 has integrated support for security called IPsec
– Network Address Translation (NAT) is not needed
• NAT has security problems
– IPv6 can determine its own settings based on two different models:
• Stateful autoconfiguration
• Stateless autoconfiguration
IPv6 Core Protocols
• IPv6 has major differences to IPv4 in its core architecture and functions
– It is a connectionless, unreliable datagram protocol used mainly for addressing and routing packets
• IPv6 datagram consists of the IPv6 header and IPv6 payload
– Header is made up of IPv6 base header and optional extension headers
IPv6 Header Structure

Figure 2-8 IPv6 header structure


IPv6 Core Protocols
• Extension headers are not normally found in a typical IPv6 packet
– If needed, the sending host adds the appropriate header
– IPv6 extension headers:
• Hop-by-Hop Options
• Destination Options
• Routing
• Fragment
• Authentication
• Encapsulating Security Payload (ESP)
Internet Control Message Protocol for IPv6
• ICMPv6 messages are grouped into two classes:
– Error messages: 0-127
– Informational messages: 128-255
• Each ICMPv6 message is preceded by an IPv6 header
– Sometimes also by extension headers
• Type field contains the value for a type of message
Message type              Type
Destination Unreachable   1
Packet Too Big            2
Time Exceeded             3
Parameter Problems        4
Echo Request              128
Echo Reply                129
Table 2-11 Common ICMPv6 message type codes
ICMPv6 Features
Feature                              Description
Multicast Listener Discovery (MLD)   MLD replaces IGMPv3 (Internet Group Message Protocol), which is used for controlling multicasts in IPv4. MLD is a series of three ICMPv6 messages used to manage subnet multicast membership. (See Table 2-13.)
Neighbor Discovery (ND)              ND replaces ARP, ICMPv4 Router Discovery, and ICMPv4 Redirect and has other functions, including prefix detection, duplicate address detection, and automatic address configuration. ND is a series of five ICMPv6 messages used to manage node-to-node communications on a link. (See Table 2-14.)
Table 2-12 ICMPv6 features


Multicast Listener Discovery
• Multicasts: connectionless delivery of information to multiple subscribers at the same time
– Has a single stream on any link instead of one stream per recipient
• IP multicast traffic is sent to a single address but is processed by all members of a multicast group
– Hosts listening on a specific multicast address are part of the multicast group
– Group membership is dynamic
– Members can be on different subnets
Multicast Listener Discovery
• Multicast Listener Discovery (MLD) enables IPv6 routers to discover multicast listeners and decide which multicast addresses are of interest to nodes
MLD message type            Description
Multicast Listener Query    Multicast routers send queries to poll a network segment for group members. Queries can be general, can request membership for all groups, or can be used for a specific group.
Multicast Listener Report   This message is sent by a host when it joins a multicast group or in response to a Multicast Listener Query.
Multicast Listener Done     This message is sent by a host when it leaves a host group and is the last member of that group on the network segment.
Table 2-13 Multicast Listener Discovery message types


Neighbor Discovery
• Neighbor Discovery (ND): new IPv6 protocol that replaces ARP, ICMP Router Discovery and ICMP Redirect in IPv4
– Uses ICMPv6 messages to manage node-to-node communications
• Five different types of ICMP messages:
– Router Solicitation
– Router Advertisement
– Neighbor Solicitation
– Neighbor Advertisement
– Redirect
IPv6 Neighbor Discovery Functions
Process                             Description
Router discovery                    Discovers neighboring routers
Prefix discovery                    Discovers local network prefixes (equivalent to IPv4 network addresses)
Parameter discovery                 Discovers additional parameters, such as MTU (Maximum Transmission Unit) size for the network segment and default hop limit for outbound packets
Address autoconfiguration           Automatically configures addresses
Address resolution                  Resolves a neighboring node's address to its MAC address
Next-hop determination              Determines the next-hop node address, which is typically the final destination or a router on the network segment
Neighbor unreachability detection   Determines whether neighboring hosts or routers are no longer available
Duplicate address detection         Determines that an address considered for use is not already in use by a neighboring node
Redirect function                   Determines the process by which a router informs a host of a better first-hop IPv6 address to reach a destination
Table 2-14 IPv6 Neighbor Discovery functions


IPv6 Addressing
• IPv6 addresses:
– 128 bits long and use the hexadecimal numbering format
– Consist of eight hex groups separated by colons
• Each hex group contains a 16-bit value
• Examples:
– 4EDC:0000:7654:3210:F3DC:BA98:7654:AB1F
– Including leading zeros is not necessary
• 1080:0:0:0:8:800:200C:417A
– Can replace consecutive zeros with a double colon
• 1080::8:800:200C:417A
IPv6 Addressing
• Unicast addressing: used for one-to-one communication (between two hosts or two routers)
• Scopes of unicast addresses:
– Global unicast address: public addresses routable on the Internet
– Site-local unicast address: similar to private IPv4 addresses
– Unique local IPv6 unicast address: replacing site-local unicast address
– Link-local unicast address: used by hosts to communicate with other hosts on the same network
IPv6 Addressing
• Multicast addresses: used for one-to-many communications
– Always begin with FF in the first byte
• Anycast addresses: used for one-to-one or one-to-many communications
– Created automatically when a unicast address is assigned to more than one interface
– Offers flexibility in providing services
– Currently only used by routers but will expand as technology becomes widespread
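The two shortening rules from the IPv6 Addressing slides (drop leading zeros in each group, replace consecutive zero groups with a double colon) and the unicast scopes and multicast class listed above, implemented as a small normaliser and classifier. This is an added example and not lecture code. The prefix values it uses (FF00::/8 multicast, FE80::/10 link-local, FEC0::/10 site-local, FC00::/7 unique local, 2000::/3 global unicast) are the standard IPv6 allocations rather than values from the slides, and the function names are this example's own; the sample addresses are the slides' own plus a few constructed ones.

```python
"""IPv6 address shortening and scope classification.

Added example, not lecture code: implements the two shortening rules from
the IPv6 Addressing slide (drop leading zeros in each 16-bit group, replace
the longest run of all-zero groups with '::') and sorts an address into the
unicast scopes and multicast class listed on the slides. Prefix values
(FF00::/8 multicast, FE80::/10 link-local, FEC0::/10 site-local, FC00::/7
unique local, 2000::/3 global unicast) are standard IPv6 allocations, not
from the slides. Sample addresses: the slides' own plus constructed ones.
"""


def expand(addr: str) -> list:
    """Eight 16-bit group values of an IPv6 address, with any '::' expanded."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(g, 16) for g in head.split(":") if g]
        right = [int(g, 16) for g in tail.split(":") if g]
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + [0] * missing + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return groups


def compress(addr: str) -> str:
    """Shortest textual form: leading zeros dropped, longest zero run (two or
    more groups, leftmost on a tie) replaced by '::', hex digits upper-case."""
    groups = expand(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:X}" for g in groups]
    if best_len < 2:                         # a single zero group stays as '0'
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def scope(addr: str) -> str:
    """Classify by well-known prefix (ranges listed in the module docstring)."""
    first = expand(addr)[0]
    if first >> 8 == 0xFF:
        return "multicast"
    if first >> 6 == 0x3FA:                  # FE80::/10
        return "link-local unicast"
    if first >> 6 == 0x3FB:                  # FEC0::/10 (deprecated)
        return "site-local unicast"
    if first >> 9 == 0x7E:                   # FC00::/7
        return "unique local unicast"
    if first >> 13 == 0b001:                 # 2000::/3
        return "global unicast"
    return "other"


if __name__ == "__main__":
    for a in ("4EDC:0000:7654:3210:F3DC:BA98:7654:AB1F", "1080:0:0:0:8:800:200C:417A",
              "FF02::1", "FE80::1", "FD00::1"):
        print(f"{a:<42} {compress(a):<28} {scope(a)}")
```

Normalising before comparison matters for filter rules and log correlation: the same interface can appear as 1080:0:0:0:8:800:200C:417A in one tool and 1080::8:800:200c:417a in another, and a string match between the two forms fails.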
IPv6 Configuration
• Microsoft OSs since Windows XP SP1 have built-in support for IPv6
– Support stateless autoconfiguration
• A link-local address is assigned to every Ethernet interface during startup
– Assigned automatically based on receipt of IPv6 Router Advertisement messages
– Must have a correctly configured IPv6-capable router on the network segment
IPv6 Utilities
• Ipconfig: shows IPv6 configuration details
– Can also use the command with IPv4

Figure 2-10 Using the ipconfig command

IPv6 Utilities
• Netstat: display the system’s routing tables by using the netstat -r command
– Netstat -n option shows current sessions with the associated port numbers
– Netstat -ps IPv6 option displays detailed statistics on IPv6 activity since the last boot
• Netsh: command-line scripting tool on Windows systems that allows troubleshooting and configuration of network interfaces
Summary
• TCP/IP is a suite of protocols for transmitting information from point to point on a network
• TCP and UDP map to the Transport layer and IPv4, IPv6, ICMP, and ICMPv6 map to the Network layer of the OSI model
• IP addresses most commonly used on the Internet conform to IPv4
• You must understand the normal configuration of fields in IP, TCP, and UDP headers to recognize and filter unwanted or malicious traffic
Summary
• Fragmentation of IP packets allows large packets to pass through routers with frame size limits
• DNS translates fully qualified domain names into IP addresses
• TCP three-way handshake establishes a reliable connection between two points
• IPv6 was designed to address problems with IPv4
• IPv6 is a connectionless, unreliable protocol used mainly for addressing and routing packets
• ICMP is used for reporting errors and diagnostics
Summary
• MLD enables IPv6 routers to discover multicast listeners
• IPv6 uses ND to perform tasks that ARP, ICMP Router Discovery and ICMP Redirect handled
• Hexadecimal numbering format makes IPv6 addresses manageable
• IPv6 uses three types of addresses: unicast, multicast, and anycast
• You can monitor and configure IPv6 using tools such as Ipconfig, Netstat, and Netsh
END

Thank you