Saturday, March 01, 2014

IP (Internet Protocol)

IP (Internet Protocol) Notes

IP (Internet Protocol) sends data in packets called datagrams.
Routes packets between two points.
Points have addresses (IP Addresses)
Internet layer (2) of the TCP/IP model and the Network layer (3) of the OSI model.
IPv4 is the most widely used version at this time
IPv6 is starting to be used - more addresses available using IPv6 


Internet Addresses

Every computer attached to IPv4 network has unique address
Part of the address defines the network and part defines the host
Subnet masks define which part of the address is the network and which part is the host

IP addresses can be dynamic or static and reassigned over time - so don't count on them remaining the same for a particular destination device

IPv4 - current version of IP most widely used
IPv6 - next version in use by some but not as common (only supported by Java 1.4 or later)

DNS is used to map human-friendly domain names to IP addresses; domain names can remain constant when the underlying IP addresses change

Addresses on internal networks are translated to external addresses using NAT.


IPv4 Addresses:

IPv4 address is a 4 byte number / 32 bits
Written in dotted quad format (111.111.111.111)
0.0.0.0 refers to the originating host and is valid only as a source address (e.g. before a host has been given an address), never as a destination
MAC and IP addresses are not directly related (ARP maps one to the other on the local network)
2^32 = about 4.3 billion addresses, a good share of them reserved
No encryption, authentication or QOS (Quality of Service) features in the base protocol; IPsec can be layered on top

Address classes:

Address class is determined by the leading bits of the first byte; it fixes which part of the address identifies the network and which part identifies the host within that network

Class A: first bit 0 (first byte 0-127); network is the first byte, host is the remaining three (e.g. 111.x.x.x)
Class B: first bits 10 (first byte 128-191); network is the first two bytes (e.g. 150.111.x.x)
Class C: first bits 110 (first byte 192-223); network is the first three bytes (e.g. 200.111.111.x)
Class D: first bits 1110 (first byte 224-239); used for multicast groups
Class E: first bits 1111 (first byte 240-255); reserved for future extensions

Classless Inter-Domain Routing (CIDR) 

Instead of classes, appends a prefix length /n giving the number of bits in the network portion of the address (e.g. 192.0.2.64/26 has a 26 bit network part and 6 host bits)
Uses variable length subnet masks (VLSM), so a block can be split or aggregated at any bit boundary rather than only on byte boundaries

Prefix lengths equivalent to the old classes:
Class A /8 (mask 255.0.0.0)
Class B /16 (mask 255.255.0.0)
Class C /24 (mask 255.255.255.0)

http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

Private Address Blocks (RFC 1918) Used on Internal Networks - not routed on the public Internet

10.0.0.0/8 (10.x.x.x)
172.16.0.0/12 (172.16.x.x through 172.31.x.x)
192.168.0.0/16 (192.168.x.x)

Loopback Address

127.0.0.0/8 (127.x.x.x), normally 127.0.0.1

Host name will typically be localhost; traffic to it never leaves the host

Directed Broadcast

All host bits of the address set to 1
x.x.x.255 for a /24 network (in general, the last address of the subnet)
Historically passed by routers; since RFC 2644 the default is to drop it, because forwarded directed broadcasts were the amplifier in smurf attacks
Delivered to every host on the specified network

Limited Broadcast

255.255.255.255 (all 1's)
Not passed by routers - reaches only the hosts on the local link
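
Added example (not from the original notes or the cited sources): a small subnet calculator that applies the rules above with only the Python standard library. It derives the mask, network, directed broadcast and host range from a CIDR prefix, classifies the address by its leading bits, and flags the RFC 1918 and loopback blocks. Function names are my own and the addresses in the usage lines are made up for illustration.

```python
# Added example: classful / CIDR address arithmetic for IPv4 (standard library only).

RFC1918_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting anything that is not 4 octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % dotted)
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError("bad octet %r in %r" % (part, dotted))
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix: int) -> int:
    """/n -> 32-bit mask with the top n bits set (prefix 0 gives 0.0.0.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def address_class(value: int) -> str:
    """Classful letter from the leading bits of the first byte."""
    first = value >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def in_block(value: int, block: str, prefix: int) -> bool:
    mask = netmask(prefix)
    return value & mask == ip_to_int(block) & mask


def subnet_info(cidr: str) -> dict:
    """Everything the notes derive by hand, for an address written in CIDR form.

    A bare address (no /n) is treated as a /32 host.
    """
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    value = ip_to_int(address)
    mask = netmask(prefix)
    network = value & mask
    broadcast = network | (~mask & 0xFFFFFFFF)      # all host bits set to 1
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 hosts have no broadcast address
        first_host, last_host, usable = network, broadcast, 2 ** (32 - prefix)
    else:
        first_host, last_host, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    cls = address_class(value)
    return {
        "address": int_to_ip(value),
        "prefix": prefix,
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "directed_broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first_host),
        "last_host": int_to_ip(last_host),
        "usable_hosts": usable,
        "class": cls,
        "classful_prefix": CLASSFUL_PREFIX.get(cls),  # None for D (multicast) and E (reserved)
        "private": any(in_block(value, b, p) for b, p in RFC1918_BLOCKS),
        "loopback": in_block(value, "127.0.0.0", 8),
        "is_directed_broadcast": prefix < 31 and value == broadcast,
    }


if __name__ == "__main__":
    for cidr in ("192.168.1.77/26", "172.31.255.255/12", "10.1.2.3/8", "8.8.8.8"):
        print(cidr, subnet_info(cidr))
```

The is_directed_broadcast flag is the check a filter needs: a packet whose destination equals the broadcast address of one of your subnets, arriving from outside, is exactly what RFC 2644 tells routers to drop.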

IPv4 Packet: 

Header length is between 20 and 60 bytes.
Header length greater than 20 means the header carries options *
Payload contains up to 65,515 bytes (65,535 byte maximum datagram minus the 20 byte minimum header).
All multi-byte fields are big-endian (network byte order).
Header checksum covers only the header contents, not the payload; a corrupted or tampered payload is not detected at this layer (TCP and UDP carry their own checksums for that).
Delivery is best effort: order is not guaranteed, and datagrams may be lost or duplicated.

* Up to Java 5.0 options not supported - need to check later versions.


IPv4 Header:

4 bit version number: always 0100 (4) for IPv4; 0110 (6) for IPv6

4 bit header length: unsigned number of 4 byte words in the header, so 5 (20 bytes) up to 15 (60 bytes); values below 5 are invalid and such packets should be dropped

1 byte type of service: original meaning no longer used; the byte is now split into 6 bits of DSCP (differentiated services) and 2 bits of ECN (explicit congestion notification). Most routers ignore it.

2 byte datagram length: unsigned total length in bytes of header + payload (max 65,535)

2 byte ID: identification number shared by all fragments of one datagram, so the receiver can tell which fragments belong together when reassembling

3 bit flags: first is reserved and must be 0; second is DF (Don't Fragment), 1 if the datagram must not be fragmented; third is MF (More Fragments), 1 if more fragments follow, 0 on the last (or only) fragment

13 bit fragment offset: position of this fragment within the original datagram, counted in 8 byte units (i.e. this packet is part of a larger message that needs to be pieced back together, and this field says where this piece goes)

1 byte TTL (Time To Live): number of routers (hops) the datagram may pass through; each router decrements it and discards the datagram when it reaches 0, sending back an ICMP Time Exceeded message. Protects against routing loops (traceroute works by sending probes with increasing TTLs and collecting the Time Exceeded replies).

1 byte Protocol: number between 0 and 255 identifying the payload protocol (1 ICMP, 6 TCP, 17 UDP, etc.)

2 byte header checksum: 16-bit one's complement of the one's complement sum of the header words; must be recomputed by every router because the TTL changes at each hop

4 byte source address: IP of the sending node (not authenticated by IP itself, so it can be spoofed)

4 byte destination address: IP where the packet is being sent


Tabular representation of an IPv4 Header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------+-------+---------------+-------------------------------+
|version| hdr   |type of service|        datagram length        |
|  (4)  |len (4)|      (8)      |             (16)              |
+-------+-------+---------------+-----+-------------------------+
|        identification (16)    |flags|  fragment offset (13)   |
|                               | (3) |                         |
+---------------+---------------+-----+-------------------------+
| time-to-live  |   protocol    |      header checksum (16)     |
|     (8)       |     (8)       |                               |
+---------------+---------------+-------------------------------+
|                     source address (32)                       |
+---------------------------------------------------------------+
|                  destination address (32)                     |
+---------------------------------------------------------------+
|           options (if header length > 5) + padding            |
+---------------------------------------------------------------+
|                           payload                             |
+---------------------------------------------------------------+
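
Added example (not from the original notes or the cited sources): building and parsing the header laid out above with Python's standard library. It packs the fields in network byte order, computes and verifies the one's complement checksum, decodes the DF/MF flags and the 8-byte-unit fragment offset, and shows what a router does to the TTL and checksum at each hop. The field values, addresses and helper names are made up for illustration.

```python
# Added example: pack, parse and checksum an IPv4 header (standard library only).
import socket
import struct
from dataclasses import dataclass

HEADER_FORMAT = "!BBHHHBBH4s4s"   # '!' = network byte order (big-endian), 20 bytes


def ipv4_checksum(header: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class IPv4Header:
    ihl: int
    tos: int
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int      # in bytes (the 13-bit field counts 8-byte units)
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str
    options: bytes


def build_ipv4_header(*, total_length, identification, src, dst, protocol=6, ttl=64,
                      tos=0, dont_fragment=False, more_fragments=False, fragment_offset=0):
    """Pack a 20-byte header with a correct checksum; the offset is given in bytes."""
    if fragment_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_offset = (dont_fragment << 14) | (more_fragments << 13) | (fragment_offset // 8)
    header = struct.pack(HEADER_FORMAT, (4 << 4) | 5, tos, total_length, identification,
                         flags_offset, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)        # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the header and verify its checksum; rejects malformed length fields."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_length, identification, flags_offset,
     ttl, protocol, checksum, src, dst) = struct.unpack(HEADER_FORMAT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4 (version %d)" % (ver_ihl >> 4))
    ihl = ver_ihl & 0x0F
    if ihl < 5:
        raise ValueError("IHL %d is invalid: header cannot be shorter than 20 bytes" % ihl)
    header_len = ihl * 4
    if len(packet) < header_len or total_length < header_len:
        raise ValueError("length fields do not fit the packet")
    header = packet[:header_len]
    return IPv4Header(
        ihl=ihl, tos=tos, total_length=total_length, identification=identification,
        dont_fragment=bool(flags_offset & 0x4000),
        more_fragments=bool(flags_offset & 0x2000),
        fragment_offset=(flags_offset & 0x1FFF) * 8,
        ttl=ttl, protocol=protocol, checksum=checksum,
        # a valid header sums (checksum included) to 0xFFFF, so its complement is 0
        checksum_ok=ipv4_checksum(header) == 0,
        src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
        options=header[20:],
    )


def forward_hop(header: bytes) -> bytes:
    """What a router does before forwarding: decrement TTL, then recompute the checksum."""
    h = bytearray(header)
    if h[8] <= 1:
        raise ValueError("TTL expired: drop and send ICMP Time Exceeded")
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


if __name__ == "__main__":
    # constructed sample: a 60-byte TCP datagram with Don't Fragment set
    hdr = build_ipv4_header(total_length=60, identification=0x1C46, dont_fragment=True,
                            src="172.16.10.99", dst="172.16.10.12")
    print(hdr.hex())
    print(parse_ipv4_header(hdr + b"\x00" * 40))
```

Two things worth trying with it: change one header byte without recomputing and checksum_ok goes false, but change every payload byte and it stays true, which is the limitation of the header checksum noted above.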


IPv6

IPv6 addresses are 16 bytes / 128 bits
8 blocks of 4 hexadecimal digits separated by colons (FEDC:BA98:7654:3210:FEDC:BA98:7654:3210)
Typical global unicast split:
- Network (global routing prefix): 48 bits
- Subnet: 16 bits
- Interface ID: 64 bits

Leading zeros within a block not required
Double colon (at most one per address) stands for one or more consecutive all-zero blocks
FEDC:0000:0000:0000:00DC:0000:7076:0010 could be written as FEDC::DC:0:7076:10
In networks using v4 and v6 the last four bytes may be written in dotted notation (e.g. ::ffff:192.0.2.1 for an IPv4-mapped address)
Local host is 0:0:0:0:0:0:0:1 (or ::1)
:: (all zeros) is the unspecified address; like 0.0.0.0 in IPv4 it may appear only as a source address, never as a destination
2^128 addresses, about 340 undecillion (3.4 x 10^38)
Authentication and encryption (IPsec AH/ESP) and QOS fields (traffic class, flow label) are part of the protocol design, though IPsec support is in practice optional
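
Added example (not from the original notes or the cited sources): a parser and canonicalizer for the textual rules just listed, written without the ipaddress module so that the rules themselves are visible. The first sample address is the one from the notes; the others use the 2001:db8::/32 documentation prefix and are made up. The practical point: one address has many valid spellings, so allowlists, deny lists and log searches should compare the 16-byte value (or one canonical text form, here RFC 5952 style), never the raw string.

```python
# Added example: parse IPv6 text into 16 bytes and render it in RFC 5952 style canonical form.
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _group_value(group: str) -> int:
    if not 1 <= len(group) <= 4 or any(c not in HEX_DIGITS for c in group):
        raise ValueError("bad hex group %r" % group)
    return int(group, 16)


def ipv6_to_bytes(text: str) -> bytes:
    """Apply the textual rules: 1-4 hex digits per group, leading zeros optional,
    at most one '::' standing for one or more zero groups, optional dotted-quad tail."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed: %r" % text)
    if "." in text:
        # mixed notation: the last 32 bits written as IPv4, e.g. ::ffff:192.0.2.1
        cut = text.rfind(":")
        octets = text[cut + 1:].split(".")
        if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
            raise ValueError("bad dotted-quad tail in %r" % text)
        o = [int(x) for x in octets]
        text = text[:cut + 1] + "%x:%x" % ((o[0] << 8) | o[1], (o[2] << 8) | o[3])
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        if len(head) + len(tail) > 7:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = head + ["0"] * (8 - len(head) - len(tail)) + tail
    else:
        groups = text.split(":")
        if len(groups) != 8:
            raise ValueError("expected 8 groups: %r" % text)
    return b"".join(_group_value(g).to_bytes(2, "big") for g in groups)


def ipv6_canonical(raw: bytes) -> str:
    """Lowercase, no leading zeros, the longest run (>= 2) of zero groups collapsed
    to '::', the first such run if there is a tie."""
    if len(raw) != 16:
        raise ValueError("IPv6 addresses are 16 bytes")
    words = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if words[i] != 0:
            i += 1
            continue
        run_end = i
        while run_end < 8 and words[run_end] == 0:
            run_end += 1
        if run_end - i > best_len:
            best_start, best_len = i, run_end - i
        i = run_end
    if best_len < 2:
        return ":".join("%x" % w for w in words)
    left = ":".join("%x" % w for w in words[:best_start])
    right = ":".join("%x" % w for w in words[best_start + best_len:])
    return left + "::" + right


def normalize_ipv6(text: str) -> str:
    return ipv6_canonical(ipv6_to_bytes(text))


def same_ipv6(a: str, b: str) -> bool:
    """Compare by value, not by spelling."""
    return ipv6_to_bytes(a) == ipv6_to_bytes(b)


def is_valid_ipv6(text: str) -> bool:
    try:
        ipv6_to_bytes(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spelling in ("FEDC:0000:0000:0000:00DC:0000:7076:0010", "0:0:0:0:0:0:0:1", "::ffff:192.0.2.1"):
        print(spelling, "->", normalize_ipv6(spelling))
```

IPv4-mapped addresses come out here in pure hex (::ffff:c000:201); RFC 5952 prefers the mixed notation for those, so if you need byte-for-byte agreement with another tool, compare the 16-byte form rather than the text.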


http://en.wikipedia.org/wiki/IPv4

IPv6 Header

Fixed 40 byte header (no options field; extras go in extension headers chained via Next Header)
4-bit version number: always 6
1 byte/8-bit traffic class: priority for QOS (same DSCP/ECN split as the IPv4 type of service byte)
20 bit flow label: QOS - marks packets that should get the same special handling
2 bytes/16 bits payload length: bytes following the fixed header, extension headers included
1 byte/8 bit next header: type of the header that follows - an extension header (hop-by-hop options, routing, fragment, ...) or the transport protocol (e.g. TCP, UDP, ICMPv6)
1 byte/8 bit hop limit: same role as the IPv4 TTL, decremented at each router to stop routing loops
16 byte/128 bit source address
16 byte/128 bit destination address
No header checksum: the link layer and transport layer checksums are relied on instead, so routers do not recompute one per hop

Tabular representation of an IPv6 Header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------+---------------+---------------------------------------+
|version| traffic class |              flow label               |
|  (4)  |      (8)      |                 (20)                  |
+-------+---------------+-------+---------------+---------------+
|        payload length (16)    |  next header  |   hop limit   |
|                               |      (8)      |      (8)      |
+-------------------------------+---------------+---------------+
|                                                               |
|                     source address (128)                      |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|                  destination address (128)                    |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
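
Added example (not from the original notes or the cited sources): parsing the fixed 40 byte header above and following the Next Header chain through any extension headers to find the transport protocol and where its header starts. The packet is constructed in the code (documentation addresses, a Hop-by-Hop header in front of UDP) and the function names are mine. The chain walk is bounded and length-checked, since a packet that lies about extension header lengths is a classic way to make a parser read past the buffer.

```python
# Added example: parse the fixed 40-byte IPv6 header and walk the Next Header chain.
import ipaddress
import struct

FIXED_HEADER = "!IHBB16s16s"     # version/class/flow word, payload len, next hdr, hop limit, src, dst
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTIONS = 0, 43, 44, 60
CHAINED_EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTIONS}
MAX_EXT_HEADERS = 8              # refuse absurd chains instead of walking them


def parse_ipv6(packet: bytes) -> dict:
    if len(packet) < 40:
        raise ValueError("too short for an IPv6 header")
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack(FIXED_HEADER, packet[:40])
    if first_word >> 28 != 6:
        raise ValueError("not IPv6 (version %d)" % (first_word >> 28))
    end = 40 + payload_len       # payload length counts the extension headers too
    if len(packet) < end:
        raise ValueError("truncated: payload length claims %d bytes" % payload_len)
    chain, offset, nh = [], 40, next_header
    while nh in CHAINED_EXT_HEADERS:
        if len(chain) >= MAX_EXT_HEADERS:
            raise ValueError("too many extension headers")
        if offset + 8 > end:
            raise ValueError("extension header does not fit in payload")
        # Fragment header is a fixed 8 bytes; the others carry (Hdr Ext Len + 1) * 8 bytes
        ext_len = 8 if nh == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + ext_len > end:
            raise ValueError("extension header runs past payload")
        chain.append(nh)
        nh = packet[offset]      # first byte of every extension header is its Next Header
        offset += ext_len
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "extension_headers": chain,
        "upper_protocol": nh,            # e.g. 6 TCP, 17 UDP, 58 ICMPv6
        "payload_offset": offset,        # where the upper-layer header starts
    }


def build_sample_packet() -> bytes:
    """Constructed sample: UDP behind one Hop-by-Hop header, documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hop_by_hop = bytes([17, 0, 1, 4, 0, 0, 0, 0])   # next=UDP, ext len 0 (8 bytes), PadN option
    udp = b"\x00" * 8
    payload = hop_by_hop + udp
    fixed = struct.pack(FIXED_HEADER, (6 << 28) | 0x12345, len(payload), HOP_BY_HOP, 64, src, dst)
    return fixed + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample_packet()))
```

Note that the transport protocol is not in the fixed header at all when extension headers are present; a filter that reads only the Next Header byte at offset 6 and matches it against 6 or 17 will miss the packet above.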


http://en.wikipedia.org/wiki/IPv6

IP Routing

Routers determine the best route to get packet to destination address

Other devices (hubs, bridges, switches) forward traffic but do not operate at the network layer.

Network Equipment: 

Router:
Forwards traffic between networks
OSI Model Layer 3
http://en.wikipedia.org/wiki/Router_%28computing%29
http://compnetworking.about.com/od/hardwarenetworkgear/f/layer3switches.htm

Hub
Pass through - rebroadcasts traffic - no examination or management of traffic
OSI Model Layer 1
http://en.wikipedia.org/wiki/Ethernet_hub
http://compnetworking.about.com/cs/internetworking/g/bldef_hub.htm

Bridge
Inspects traffic and determines whether to forward or discard
OSI Model Layer 2
http://en.wikipedia.org/wiki/Bridging_%28networking%29
http://compnetworking.about.com/cs/internetworking/g/bldef_bridge.htm

Switch
Sends traffic only to the port of the specific destination device, learned from its MAC address
OSI Model layer 2
http://en.wikipedia.org/wiki/Network_switch
http://compnetworking.about.com/od/hardwarenetworkgear/g/bldef_switch.htm


Potential Attacks 

Fragmentation Attacks: http://en.wikipedia.org/wiki/IP_fragmentation_attacks
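
Added example (not from the original notes or the linked article): a fragment reassembler for the identification / flags / fragment offset mechanism described in the IPv4 header section, written to refuse the abuse patterns the link above covers. Overlapping fragments (teardrop style) and a reassembled size over 65,535 bytes (ping of death) cause the whole datagram to be discarded rather than patched together. Fragments are passed in already parsed, as (offset in bytes, more-fragments flag, data); the key tuple and sample data are constructed for illustration and the names are mine.

```python
# Added example: IPv4 fragment reassembly that rejects overlapping and oversized fragments.
from collections import defaultdict

MAX_PAYLOAD = 65535 - 20                      # largest datagram minus the minimum header


class FragmentReassembler:
    """Fragments are grouped by (src, dst, identification, protocol), the key a receiver
    uses to match the pieces of one datagram. Offsets are in bytes."""

    def __init__(self):
        self._pending = defaultdict(list)     # key -> [(offset, data, more_fragments), ...]

    def add(self, key, offset: int, more_fragments: bool, data: bytes):
        """Store one fragment; return the datagram payload once complete, else None."""
        if offset % 8:
            raise ValueError("fragment offset must be a multiple of 8")
        if more_fragments and len(data) % 8:
            raise ValueError("only the last fragment may have a length that is not a multiple of 8")
        end = offset + len(data)
        if end > MAX_PAYLOAD:
            self._pending.pop(key, None)
            raise ValueError("reassembled datagram would exceed 65,535 bytes (ping of death)")
        for existing_offset, existing_data, _ in self._pending[key]:
            if offset < existing_offset + len(existing_data) and existing_offset < end:
                self._pending.pop(key, None)  # drop the whole datagram, not just this piece
                raise ValueError("overlapping fragment (teardrop-style), datagram dropped")
        self._pending[key].append((offset, data, more_fragments))
        return self._complete(key)

    def _complete(self, key):
        fragments = sorted(self._pending[key], key=lambda f: f[0])
        if fragments[-1][2]:                  # highest fragment still says more to come
            return None
        expected = 0
        for offset, data, _ in fragments:
            if offset != expected:            # a hole: wait for more
                return None
            expected = offset + len(data)
        del self._pending[key]
        return b"".join(data for _, data, _ in fragments)


def reassemble(fragments, key=("192.0.2.1", "192.0.2.2", 0x1C46, 17)):
    """Feed constructed fragments in the given order; ('ok', payload) or ('dropped', reason)."""
    reassembler = FragmentReassembler()
    result = None
    try:
        for offset, more_fragments, data in fragments:
            result = reassembler.add(key, offset, more_fragments, data)
        return "ok", result
    except ValueError as err:
        return "dropped", str(err)


if __name__ == "__main__":
    print(reassemble([(0, True, b"A" * 16), (16, False, b"B" * 5)]))
    print(reassemble([(0, True, b"A" * 16), (8, False, b"C" * 16)]))   # overlap
    print(reassemble([(65504, False, b"x" * 16)]))                      # oversize
```

A real stack also times out incomplete datagrams and caps memory per key; without that, a flood of first fragments with no last fragment is a resource exhaustion attack on the reassembler itself.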
 
Related

Lots of good address calculations:

https://erikberg.com/notes/networks.html

Sources:

Java Network Programming
Elliott Rusty Harold
O'Reilly 

Sans Technology Institute - class notes
Security 401: SANS Security Essentials Bootcamp Style