Tcp Ip Overview

OSI Layer A generic reference model apply to all networking components. Develop by ISO in 1984. Focus on Ethernet and TCP/IP Layer 1 – Physical Layer Define the electrical signaling, media type, voltage level and etc needed to transport data over a specific physical medium Example: ADSL, ISDN, LAN, RS232, V92 and etc Layer 2 – Data link layer Define addressing specific to the physical medium used Provide error checking mechanism. CRC/FCS Example: PPP, HDLC, LLC, MAC

OSI Layer Layer 3 The network layer define the logical addressing of network nodes Addressing on end system is independent of lower layer addressing Example: IP, ICMP, IGMP Layer 4 The transport layer provide the flow control and multiplexing between end systems. ( ports, sequence number and etc) Example: TCP, UDP

MAC and IP Address MAC is layer 2 address use by device driver or bridges to forward packets IP address is layer 3 address use by routers to forward packets IP address IPv4 - 32 bits (4 bytes, 4 octet) IPv6 - 128 bits (16 bytes) Ethernet MAC address is 48 bits (6 bytes), Manufacturer ID – First 24 bits Node ID – Next 24 bits http://standards.ieee.org/regauth/oui/index.shtml

Ethernet Packet Maximum Ethernet packet size is 1518 Maximum IP packet size is 1500 (MTU) 1518 – 6 – 6 -2 -4 6 bytes of Destination MAC 6 bytes of Source MAC 2 byte of Ethernet option IP – 0x800 ARP – 0x806 4 bytes of CRC TCP Maximum Segment Size is 1460 (MSS) 1500 – 20 – 20 20 bytes IP header 20 bytes TCP geader

Address Resolution Protocol ARP is the method use to map IP address to MAC address ARP request Destination MAC address is ff:ff:ff:ff:ff:ff Source MAC is the local interface MAC address Ethernet Type is 0x0806 Opcode is 1 (Request) No packets will be forwarded on the wire if the ARP resolution failed

Address Resolution Protocol Example: ARP request

Address Resolution Protocol ARP reply Destination MAC address is the requesting host interface MAC address Source MAC is the local interface card MAC address Ethernet Type is 0x0806 Opcode is 2 (Reply) Note: Ethernet Type for IP packet is 0x0800

Address Resolution Protocol Example: ARP reply Trailer is layer padding to make up the packet size to 64 bytes. Must be all zero

How to Generate ARP Request PING any host that you never PING before ARP reply is normally cache by the end host Windows Arp – a Linux Arp – a

Questions Get arp on firewall show all zero, what ’ s that mean? Can the host forward the packets to the destination host if the ARP resolution failed? In a routed network setup, will the router forward the arp request packet to other subnet? Is ARP packet has the same Ether Type as IP packet? Is ARP packet has protocol number?

Proxy ARP Also call ARP hack or promiscuous ARP Replying to ARP request on behalf of the node located on different segment or subnet Most router can function as proxy arp agent but not the NS firewall If proxy is enable on the router, it could introduce issue to the firewall if these devices are located on the same Ethernet segment

Gratuitous ARP ARPing your own IP address Usually send during NSRP failover, interface flap or during boot up The host who send gratuitous do not expect any ARP reply Any reply receive is consider as DUPLICATE IP address If the device is connected to switches, gratuitous arp will packet update the MAC learning table on the switch

Protocol Number and Port Number Protocol such as TCP/UDP further defined in OSI layer 4 and above and has PORT number to define specific applications DNS – UDP Destination Port 53 SMTP – TCP Destination Port 25 Telnet – TCP Destination Port 23 Source port would be a random number ranging from 1024 to 65535

IP fragmentation If the IP packet size is greater than 1500, the packet need to be fragmented All fragments belong to the same packet has the same IPID TCP/UDP Fragment (Assume the packet has 3 fragments with 3500 bytes data) The first fragment will have more fragment bit set to 1 fragment offset is set to zero Contain TCP/UDP header information such as port number

IP fragmentation TCP/UDP Fragment (Assume the packet has 3 fragments with 3500 bytes data) The second fragment will have More fragment bit set to 1 Fragment offset 1480 DO NOT have TCP/UDP header The last fragment will have More fragment bit set to zero Fragment offset is 540 DO NOT have TCP/UDP header

IP fragmentation Some common IP fragmentation NFS using UDP Kerberos using UDP IPSEC VPN Can TCP avoid packet fragmentation? Yes. Using the TCP MSS option in the TCP header

ICMP Layer 3 protocol mainly use to communicate errors or conditions between hosts ICMP message always has ICMP Type – 8 bits ICMP Code – 8 bits ICMP Checksum – 16 bits Example: Type 8 code 0 is PING request Example: Type 0 code 0 is PING reply Example: Type 3 code 3 is Destination port unreachable http://www.iana.org/assignments/icmp-parameters

ICMP Record Route IP Record Route option Append the IP address of the outgoing interface to the IP header option Some device has the ability to drop packet with RR option. Refer to NS firewall Screen Protection On Linux: [root@jasmine root]# ping <ip address> -R

ICMP Record Route IP Record Route option Example: Request Reply

Traceroute Similar to IP Record Route option but uses different method to obtain the incoming interface IP address Traceroute is much simpler and has less dependency on the intermediate routing devices How it work Send packet (ICMP or UDP) with TTL of 1, 2, 3 and etc When device receive the packet with TTL of 1 will send an ICMP TTL exceeded message back to the sender using the incoming interface IP address Receiver reply with ICMP TTL exceeded message. Type 11, code 0

Traceroute Example: TTL Exceeded packet capture. Note that the original ICMP request packet is embedded in this packet Windows default is using ICMP, Linux use UDP

ICMP Redirect NS firewall do not send ICMP redirect. Most router will have this option Use to redirect packets from the end host to another routing device which has more efficient path ICMP redirect packet sent by the routers will add an host route on the local routing table (PC routing table) if the ICMP redirect option is enable ICMP Type 5 and Code could 0,1,2 or 3

ICMP Redirect WinXP pro has this option enable by default

Path MTU Technique use to avoid packet fragmentation Sent by routing devices in response to packet received with Don ’ nt Fragment (DF) bit set ICMP Type 3 code 4

Path MTU How path MTU work on NS firewall CLI: set flow path-mtu CLI: get flow | i mtu This option only work for packets going into VPN tunnel Incoming packet size must be larger than the MTU on the PHYSICAL egress interface DF bit must be set on the ingress packet WINXP: Ping – l 1405 – f NS Firewall will send ICMP unreachable message back to the originating with the MTU value of Physical MTU size – 100 bytes

ICMP Unreachable and Session When NS firewall receive ICMP unreachable message from any routing device Will look at the packet embedded in the ICMP packet Check the session table If this match any existing session, clear the session Forward the ICMP unreachable packet else drop the packet

TCP Connection oriented and reliable transport protocol Provide congestion and flow control Provide packet re-transmission capability Provide packet sequencing for application Provide packet buffering function, this equal to TCP window size Connection oriented mean, two end hosts must negotiate before they can exchange data TCP connection is full duplex, it mean, data can flow on each direction independently

TCP 3 Way handshake Application uses TCP as the transport need to negotiate the TCP connection first before both end host can start transmitting data packets Client send TCP SYN to the server Server response with TCP SYN ACK if the service is available otherwise send TCP Reset packet to the client Client response with ACK to complete the TCP 3 way handshake

TCP Connection Closing Either side can terminate the connection by sending the FIN packet If Host-A send the FIN packet to Host-B, it simply mean, Host-A is done with the data transfer. Host-B is still free to send data to Host-A In the example above, Host-A is performing an Active Close and if Host-B responding the FIN packet, it is performing the passive close.

TCP 3 way close, 4 way close Either side can terminate the connection by sending the FIN packet If Host-A send the FIN packet to Host-B, it simply mean, Host-A is done with the data transfer. Host-B is still free to send data to Host-A In the example above, Host-A is performing an Active Close and if Host-B responding the FIN packet, it is performing the passive close.

TCP Half Close TCP communications are full duplex, i.e. both end host could transmit and receive at the same time Either end of the host could terminate the connection at any time If one end of the host has terminated the connection with TCP FIN packet and the other end host is still sending data to it, this is refer to TCP half close

TCP Sequence Number 32 bit number use to identify each byte in the data stream. 2 power 32 -1 Each TCP connection start the TCP connection with a random sequence number call Initial Sequence Number (ISN). SYN, SYN ACK SYN and FIN flag packet will consume ONE sequence number ACK number is always equal to the sequence plus ONE. It simply mean the next sequence number “ I ” expect to see

TCP Sequence Number Ethereal always use relative number. i.e it ’ s always start from zero on the sniffer capture display

TCP Options Sack Widow scaling MSS

TCP Push Flag Set by the sender to inform the receiver to process the data in the buffer This imply that the sender is expecting to receive response from receiver

Ethereal Expert analysis Summery Protocol hierarchy TCP offloading and ethereal

What next Know how to convert snoop output to Ethereal readable format Know how to use the Ethereal and filter to analyze data capture Describe the behavior of UDP Describe how DNS using UDP port 53 matching an DNS request to DNS reply Describe the default DNS behavior on the NS5000 and ISG

Comment and feedback All comments and feedback are most welcome

Protocol Number and Port Number Each IP protocol is associated with a protocol number TCP – 6 UDP – 17 ICMP – 1 GRE – 47 ESP – 50 OSPF - 89 http://www.iana.org/assignments/protocol-numbers

Tcp Ip Overview

More Related Content

What's hot (20)

Similar to Tcp Ip Overview (20)

Tcp Ip Overview

Editor's Notes