IP (Internet Protocol) sends data in packets called datagrams.
Routes packets between two points.
Points have addresses (IP Addresses)
Internet layer (2) of the TCP/IP model and the Network layer (3) of the OSI model.
IPv4 is the most widely used version at this time
IPv6 is starting to be used - more addresses available using IPv6
Internet Addresses
Every computer attached to IPv4 network has unique address
Part of the address defines the network and part defines the host
Subnet masks define which part of the address is the network and which part is the host
IP addresses can be dynamic or static and reassigned over time - so don't count on them remaining the same for a particular destination device
IPv4 - current version of IP most widely used
IPv6 - next version in use by some but not as common (only supported by Java 1.4 or later)
DNS is used to assign human-friendly domain names to IP addresses; domain names can remain constant when underlying IP addresses change
Addresses on internal networks are translated to external addresses using NAT.
IPv4 Addresses:
IPv4 address is 4 byte number / 32 bits
Written in dotted quad format (111.111.111.111)
0.0 refers to a host on the same local network when used as a source address (not used as a destination)
MAC and IP addresses are not directly related
4.2 billion addresses
No encryption, authentication, QOS (Quality of Service) features
Address classes:
Address class determines part of address that pertains to the public network, the remainder indicates the host within that network
Class A address block includes all addresses associated with the first byte (e.g. 111.x.x.x)
Class B address block includes all addresses associated with first two bytes (111.111.x.x)
Class C address block includes all addresses associated with first three bytes (111.111.111.x)
Class D addresses are used for multicast groups
Class E addresses begin with the bits 1111 and are reserved for future extensions
Classless Inter-Domain Routing (CIDR)
Instead of classes, uses a suffix of up to 2 digits (the prefix length, e.g. /24) giving the number of bits in the network portion of the address
Uses variable length subnet masks (VLSM)
Prefix lengths equivalent to the old classes:
Class A /8
Class B /16
Class C /24
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Unassigned Address Blocks Used on Internal Networks
10.x.x.x
172.16.x.x through 172.31.x.x (172.16.0.0/12)
192.168.x.x
Unassigned Loopback Address
127.x.x.x
The host name is typically localhost
Directed Broadcast
Host bits of address set to 1 (255)
x.x.x.255
Passed by routers
Sent to hosts with specified network address
Limited Broadcast
255.255.255.255 (all 1's)
Not passed by routers
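Worked example, added to these notes (not from the source books): the subnet arithmetic and special-address checks described above, done with plain bit operations rather than Python's ipaddress module so the mask/network/host split is visible. The sample addresses are constructed; subnet_info, in_block and classify are this example's own names.

```python
import struct
import socket

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def to_dotted(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def prefix_mask(prefix):
    """/n -> 32-bit mask with n leading 1 bits (e.g. /24 -> 255.255.255.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr):
    """Split 'a.b.c.d/n' into network part, host part, directed broadcast and host count."""
    addr, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    a = to_int(addr)
    network = a & mask                           # network portion: host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set to 1 = directed broadcast
    host_bits = 32 - int(prefix)
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits   # /31, /32 reserve nothing
    return {"network": to_dotted(network), "mask": to_dotted(mask),
            "broadcast": to_dotted(broadcast), "host_part": a & ~mask & 0xFFFFFFFF,
            "usable_hosts": usable}

def in_block(addr, cidr):
    """True when addr shares the block's network bits."""
    base, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    return to_int(addr) & mask == to_int(base) & mask

# Blocks from the notes: RFC 1918 private ranges (172.16.x.x-172.31.x.x is one /12), loopback, limited broadcast
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def classify(addr):
    if addr == "255.255.255.255":
        return "limited broadcast (not forwarded by routers)"
    if in_block(addr, "127.0.0.0/8"):
        return "loopback"
    if any(in_block(addr, b) for b in PRIVATE):
        return "private (RFC 1918): NATed before reaching the Internet"
    return "public"

if __name__ == "__main__":
    print(subnet_info("192.168.1.77/26"))        # constructed sample address
    for a in ("10.20.30.40", "172.31.9.9", "172.32.0.1", "127.0.0.1", "8.8.8.8"):
        print(a, "->", classify(a))
```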
IPv4 Packet:
Header length is between 20 and 60 bytes.
A header length greater than 20 bytes means the header carries optional header values *
Payload contains up to 65,515 bytes.
All bits and bytes are big-endian.
Header checksum can only verify the header contents, not the payload.
Order is not guaranteed.
* Up to Java 5.0, IP header options are not supported; need to check later versions.
IPv4 Header:
4 bit version number: always 0100 (4) for IPv4; will be 0110 (6) for IPv6
4 bit header length: unsigned integer between 0 and 15 specifying the number of 4 byte words in the header.
1 byte type of service: no longer used; most routers ignore it.
2 byte datagram length: unsigned total length of header + payload
2 byte ID: unique identification number which allows duplicate packets to be discarded.
3 bit flags: the first is always 0; the second is 1 if the datagram may be fragmented, else 0; the third is 1 if more fragments follow, else 0
13 bit fragment offset: position of this fragment within the original datagram (i.e. this packet is part of a larger message that must be reassembled, and this field gives the fragment's position in that message)
1 byte TTL (Time To Live): number of nodes the datagram may pass through before being discarded; when it is discarded the router sends back an ICMP unreachable response. Protects against infinite loops.
1 byte Protocol: number between 0 and 255 identifying the protocol (TCP, UDP, etc.)
2 byte header checksum: 16-bit one's complement sum (covers the header only)
4 byte source address: IP of sending node
4 byte destination address: IP where packet is being sent
Tabular representation of an IPv4 Header (each row is 32 bits; bit positions across the top):
 0       4       8               16                             31
+-------+-------+---------------+-------------------------------+
|version|hdr len|type of service|        datagram length        |
+-------+-------+---------------+-----+-------------------------+
|        identification         |flags|     fragment offset     |
+---------------+---------------+-----+-------------------------+
|      TTL      |   protocol    |        header checksum        |
+---------------+---------------+-------------------------------+
|                        source address                         |
+---------------------------------------------------------------+
|                      destination address                      |
+---------------------------------------------------------------+
|       options (only if header is longer than 20 bytes)        |
+---------------------------------------------------------------+
|                            payload                            |
+---------------------------------------------------------------+
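Worked example, added here (not from the source books): build a minimal 20-byte IPv4 header from constructed values, parse it back field by field, and verify the one's complement header checksum; the damaged copy at the end shows the checksum catching a changed TTL byte. Field names follow the list above; FMT, build_header and parse_header are this example's own names.

```python
import struct
import socket
FMT = "!BBHHHBBH4s4s"                     # 20-byte fixed IPv4 header, big-endian

def ones_complement_sum(data):
    """RFC 791 checksum: one's complement of the one's complement sum of 16-bit words (header only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                    # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src, dst, payload_len, proto=17, ident=0x1C46, ttl=64, dont_fragment=True):
    """Minimal header: version 4, header length 5 words (no options), checksum filled in last."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000 if dont_fragment else 0   # bit 14 = DF, bit 13 = MF, offset = 0
    fields = [ver_ihl, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ones_complement_sum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields)

def parse_header(pkt):
    """Decode the fixed fields, reject malformed lengths, check the checksum."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     cksum, src, dst) = struct.unpack(FMT, pkt[:20])
    hdr_len = (ver_ihl & 0x0F) * 4        # header length field counts 4-byte words
    if hdr_len < 20 or len(pkt) < hdr_len:
        raise ValueError("malformed or truncated IPv4 header")
    return {
        "version": ver_ihl >> 4,
        "header_len": hdr_len,
        "has_options": hdr_len > 20,
        "total_len": total_len,
        # RFC 791: DF=1 means the datagram must NOT be fragmented; MF=1 means more fragments follow
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13-bit offset, in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ones_complement_sum(pkt[:hdr_len]) == 0,  # intact header sums to 0
    }

if __name__ == "__main__":
    hdr = build_header("192.168.1.10", "10.0.0.5", payload_len=8)   # constructed sample
    print(parse_header(hdr))
    damaged = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]    # TTL changed, checksum now stale
    print("checksum_ok after damage:", parse_header(damaged)["checksum_ok"])
```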
IPv6
IPv6 will be a 16 byte address / 128 bits
8 blocks of 4 hexadecimal digits (FEDC:BA98:7654:3210:FEDC:BA98:7654:3210)
- Network: 48 bits
- Subnet: 16 bits
- Interface ID: 64 bits
Leading zeros within a block may be omitted
A double colon (at most one per address) replaces one or more consecutive all-zero blocks
FEDC:0000:0000:0000:00DC:0000:7076:0010 could be written as FEDC::DC:0:7076:10
In networks using both v4 and v6 the last four bytes may be written in dotted decimal notation
The local host is 0:0:0:0:0:0:0:1 (or ::1)
0.0.0.0 always refers to the originating host when used as a source address, never as a destination
340 undecillion addresses
Authentication, encryption, QOS included
http://en.wikipedia.org/wiki/IPv4
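Worked example, added here (not from the source): the expansion and double-colon compression rules above in Python, cross-checked against the standard library's ipaddress module. It handles the plain hexadecimal form only (not the mixed dotted notation); expand, compress and matches_stdlib are this example's own names.

```python
import ipaddress

def expand(addr):
    """Full 8-block form with every block padded to 4 hex digits."""
    if "::" in addr:
        left, right = addr.split("::")            # a valid address has at most one "::"
        l = left.split(":") if left else []
        r = right.split(":") if right else []
        blocks = l + ["0"] * (8 - len(l) - len(r)) + r
    else:
        blocks = addr.split(":")
    if len(blocks) != 8 or not all(0 < len(b) <= 4 for b in blocks):
        raise ValueError("not a plain hexadecimal IPv6 address: " + addr)
    return ":".join(b.zfill(4) for b in blocks)

def compress(addr):
    """Shortest form: drop leading zeros in each block, then replace the longest
    run of two or more all-zero blocks (first run wins a tie) with '::'."""
    blocks = [b.lstrip("0") or "0" for b in expand(addr).split(":")]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if blocks[i] == "0":
            j = i
            while j < 8 and blocks[j] == "0":
                j += 1
            if j - i > best_len:                  # only runs of >= 2 blocks qualify
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_start < 0:
        return ":".join(blocks)                   # no run to collapse
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return head + "::" + tail                     # empty head/tail gives a leading/trailing ::

def matches_stdlib(addr):
    """Cross-check against the standard library's canonical (lower-case) form."""
    return compress(addr).lower() == ipaddress.IPv6Address(addr).compressed

if __name__ == "__main__":
    full = "FEDC:0000:0000:0000:00DC:0000:7076:0010"      # the example from the notes
    print(compress(full))                                 # FEDC::DC:0:7076:10
    print(expand("::1"))                                  # 0000:0000:0000:0000:0000:0000:0000:0001
    print(matches_stdlib(full))                           # True
```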
IPv6 Header
4-bit version number
1 byte/8-bit traffic class: priority for QOS
20 bit flow label: QOS - special handling for packet
2 bytes/16 bits: payload length
1 byte/8 bit next header: next protocol in the payload (e.g. TCP, UDP, ICMP)
1 byte/8 bit hop limit: similar to TTL; prevents packets from looping forever
16 byte/128 bit source address
16 byte/128 bit destination address
Tabular representation of an IPv6 Header (each row is 32 bits; bit positions across the top, field sizes as listed above):
 0       4               12                                    31
+-------+---------------+---------------------------------------+
|version| traffic class |              flow label               |
+-------+---------------+-------+---------------+---------------+
|        payload length         |  next header  |   hop limit   |
+-------------------------------+---------------+---------------+
|                   source address (128 bits)                   |
+---------------------------------------------------------------+
|                destination address (128 bits)                 |
+---------------------------------------------------------------+
http://en.wikipedia.org/wiki/IPv6
IP Routing
Routers determine the best route to get packet to destination address
Other devices transmit network traffic but do not operate at the network layer.
Network Equipment:
Router:
Forwards traffic between networks
OSI Model Layer 3
http://en.wikipedia.org/wiki/Router_%28computing%29
http://compnetworking.about.com/od/hardwarenetworkgear/f/layer3switches.htm
Hub
Pass through - rebroadcasts traffic - no examination or management of traffic
OSI Model Layer 1
http://en.wikipedia.org/wiki/Ethernet_hub
http://compnetworking.about.com/cs/internetworking/g/bldef_hub.htm
Bridge
Inspects traffic and determines whether to forward or discard
OSI Model Layer 2
http://en.wikipedia.org/wiki/Bridging_%28networking%29
http://compnetworking.about.com/cs/internetworking/g/bldef_bridge.htm
Switch
Sends network traffic only to the specific destination device
OSI Model Layer 2
http://en.wikipedia.org/wiki/Network_switch
http://compnetworking.about.com/od/hardwarenetworkgear/g/bldef_switch.htm
Potential Attacks
Fragmentation Attacks: http://en.wikipedia.org/wiki/IP_fragmentation_attacks
Related
Lots of good address calculations:
https://erikberg.com/notes/networks.html
Sources:
Java Network Programming
Elliott Rusty Harold
O'Reilly
Sans Technology Institute - class notes
Security 401: SANS Security Essentials Bootcamp Style