Transmission Control Protocol

Transcription

1 BCIS 4630 Fundamentals of IT Security Instructor: Dr. Andy Wu Transmission Control Protocol Excerpt from T. W. Ogletree, Upgrading and Repairing Networks (4/e) As we have discussed so far, the IP protocol is a protocol that can be used to make a best effort attempt to get a packet from one host to another, even when the hosts are on different networks. The Transmission Control Protocol uses IP but adds functionality that makes TCP a reliable, connectionoriented protocol. Whereas IP doesnʹt require any acknowledgment that a packet is ever received, TCP does. Whereas IP does no preliminary communication with the target system to set up any kind of session, TCP does. TCP builds on the functions that IP provides to create a session that can be used by applications for a reliable exchange of data. As stated earlier in this chapter, IP is similar to sending a letter in the mail. TCP can be compared to the ʺreturn receipt requestedʺ function which acknowledges that the letter was received by someone at the destination address. One interesting difference, however, is that TCP doesnʹt necessarily need an acknowledgment for each packet sent. Instead, it is possible for a single acknowledgment to be sent in response to more than one IP packet. TCP Provides a Reliable Connection-Oriented Session Whereas IP provides a checksum mechanism in its header to ensure that the IP header is not corrupted during transit, the TCP protocol provides checksums on the data that is transmitted. TCP also has mechanisms that regulate the flow of data to avoid problems associated with congestion. TCP also uses sequence numbers in the TCP header so that IP packets can be reassembled in the correct order on the receiving end of the communication. Examining TCP Header Information Each layer in the TCP/IP protocol stack adds information to the data it receives from a layer above it. This process is usually called encapsulation, and the added data is usually called a header. The header information is significant only to the layer that adds it, and it is added as a message is passed down the stack and stripped off at the destination as the packet is passed back up the protocol stack. Some layers also add data at the end of the packet. This is called a trailer. Earlier we looked at the makeup of the IP header. In Figure 25.6 you can see the layout of the TCP header. This header information is sometimes referred to as the TCP Protocol Data Unit. Remember that TCP is responsible for establishing a reliable connection oriented session between two applications across a network. TCP receives data (called messages) from layers above it in the protocol stack, adds its own header information, and then passes it to the IP layer, which then adds its own header information. The messages sent to TCP from applications up the stack are usually called a stream of data, because the amount of data can vary and is not limited to a set number of bytes. TCP takes these messages and, if they are too large to fit into a packet, breaks them into BCIS 4630 Fundamentals of IT Security TCP 1

2 smaller segments and sends each segment in a separate packet. The TCP layer at the receiving end reassembles these messages before passing them up to an application. Figure The TCP protocol header fields also can be used for filtering packets. Whereas most of the header information we looked at in the IP header was used for routing the packet through the Internet, the information in the TCP header is concerned with other issues, such as reliability of the connection and ordering of the messages being sent. The header fields for TCP include these: Source port This 16 bit field is used to identify the port being used by the application that is sending the data. Ports are discussed in more detail later in this chapter. Destination port This 16 bit field is used to identify the port to which the packet will be delivered on the receiving end of the connection. Sequence number This 32 bit field is used to identify where a segment fits in the larger message when a message is broken into fragments for transmission. Acknowledgment number This 32 bit field is used to indicate what the next sequence number should be. That is, this value is the next byte in the data stream that the receiver expects to receive from the sender. Data offset This 4 bit field is used to specify the number of 32 bit words that make up the header. This field is used to calculate the start of the data portion of the packet. Reserved These 6 bits were reserved for future use and, because they were never generally used, are supposed to be set to zeros. BCIS 4630 Fundamentals of IT Security TCP 2

3 URG flag When this bit is set to 1, the field titled Urgent Pointer will point to a section of the data portion of the packet that is flagged as ʺurgent.ʺ ACK flag This is the acknowledgment bit. If itʹs set to 1, the packet is an acknowledgment. If itʹs set to 0, the packet is not an acknowledgment. PSH flag If this bit is set to 1, it indicates a push function; otherwise, it is set to 0. RST flag If this bit is set to 1, it is a signal that the connection is to be reset; otherwise, it is set to 0. SYN flag If this bit is set to 1, it indicates that the sequence numbers are to be synchronized. If itʹs set to 0, the sequence numbers are not to be synchronized. FIN flag If this bit is set to 1, it specifies that the sender is finished sending information; otherwise, it is set to 0. Window This 16 bit field is used to specify how many blocks of data the receiving computer is able to accept at this time. Checksum This 16 bit field is a calculated value used to verify the integrity of both the header and the data portions of the packet. Urgent pointer If the URG flag is set, this 16 bit field points to the offset from the sequence number field into the data portion of the packet where the urgent data is stored. TCP does not use this field itself, but applications above TCP in the stack might do so. Options This field can be of variable length and is similar to the Options field in the IP header. One function this field is used for is to specify the maximum segment size. Because the Options field can vary, the header is padded with extra bits so that it will be a multiple of 32 bits. The amount of information stored in the TCP header makes it possible to use the protocol for complex communications. TCP can implement error checking, flow control, and other necessary mechanisms to ensure reliable delivery of data throughout the network. However, because of the complexity of this header, hackers can use many different methods to manipulate the TCP protocol when trying to gain access to your network or otherwise cause you problems. One interesting thing to note about the checksum field is that it is calculated based on three things: The TCP header fields The TCP data Pseudo header information BCIS 4630 Fundamentals of IT Security TCP 3

4 The pseudo header information consists of the source and destination IP addresses, one byte set to all zeros, an 8 bit protocol field, and a 16 bit field that contains the length of the TCP segment. The address and protocol fields are duplicated from the IP packet, and the length field is redundant because it also is contained in the TCP header. Because the algorithm used to calculate the checksum is based on 16 bit words, the TCP packet may be padded with a zero byte for calculation purposes only. If the checksum field contains a value of zero, this indicates that no checksum was calculated by the sender. If by some chance the value of the checksum results in a value of zero, the checksum field is set to all 1s (65,535 decimal). TCP Sessions Because TCP is a connection oriented protocol, the computers that want to communicate must first establish the conditions that will govern the session and set up the connection. TCP allows for twoway communication that is, itʹs a bidirectional, full duplex connection. Both sides can send and receive data at the same time. To set up a connection, each side must ʺopenʺ its side of the connection. On the server side this is called a passive open. The server application runs as a process on the server computer and listens for connection requests coming in for a certain port. For example, the Telnet server process typically listens for connections on port 23. By using both the IP address and a port number, the server process can uniquely identify each client that makes a connection request. Ports are discussed in more detail later in this chapter. When a client computer wants to establish a connection to a server, it goes through a process known as an active open. The server is already listening for connection requests (passive open), but the client must initiate the actual connection process by sending a request to the port number of the server application it wants to use. In Figure 25.7 (shown in the next section), the single bit field named SYN is the ʺsynchronizationʺ bit. You also can see in Figure 25.7 another field titled ACK, for the acknowledgment bit. These 2 bits are very important and are used during the process of setting up a TCP/IP session so that a reliable connection can be established between two computers on the network. Figure TCP uses a three-way handshake to establish a connection. SYN/ACK packet, ISN: BCIS 4630 Fundamentals of IT Security TCP 4

5 Setting Up a TCP Session A TCP/IP connection is made between two computers, using their addresses and, depending on the application using TCP, port numbers. The SYN and ACK bits in the TCP header are important components used to establish this initial connection. The steps involved in setting up a TCP/IP connection appear in Figure 25.7 and are listed here: The client sends a TCP segment to the server with which it wants to establish a connection. The TCP header SYN field (ʺsynchronizeʺ) is set indicating that it wants to synchronize sequence numbers so that further exchanges can be identified as belonging to this particular connection and so that the segments sent can be reassembled into the correct order and acknowledged. This first initial sequence number in the TCP header is set to an initial value chosen by the TCP software on the client computer. Additionally, the port number field in the TCP header is set to a value of the port on the server to which the client wants to connect. Port numbers can be thought of as representing the application to which the computer wants to connect. When the server receives this segment, it returns a segment to the client with the SYN field set. The serverʹs segment also contains an initial sequence number, which is chosen by its TCP software implementation. To show the client that it received the initial connection segment, the ACK bit is also set, and the acknowledgment field contains the clientʹs initial sequence number, incremented by 1. The client, upon receiving this acknowledgment from the server, sends another segment to the server, acknowledging the serverʹs initial sequence number. This is done in the same manner in which the server acknowledges the clientʹs initial sequence number. The acknowledgment field contains the serverʹs initial sequence number incremented by a value of 1. During this exchange, the 16 bit acknowledgment field is incremented by 1. You might wonder why the acknowledging computer doesnʹt just send back the same sequence number it received from the sending computer. It increments the sequence number that it received to indicate the next sequence number it expects to receive from the sending computer. Thus, during each exchange of TCP segments, each side is telling the other side what it is expecting to get from the other side during the next transmission. The sequence numbers are used to indicate the next byte in the data stream that the receiving end of the connection expects to receive. Thus, when the actual data exchange begins to take place, the sequence numbers are not simply incremented by a value of 1, but instead they are set to the actual number of bytes received (offset from the initial sequence number chosen for the connection) plus 1. Because three segments are used in this process, the connection setup is often referred to as a threeway handshake. In the last of these three steps the SYN bit is not set, because the segment is simply acknowledging the serverʹs initial sequence number. Note also that port numbers are used to indicate the application for which the connection is being set up. TCP headers donʹt need to contain the source and destination IP addresses because that information is already stored in the IP datagram that encapsulates the TCP message. BCIS 4630 Fundamentals of IT Security TCP 5

6 The method used to choose values for the initial sequence number can vary from one implementation of TCP to another. However, there are two important points to understand about the sequence numbers: For each connection a client makes to another computer, the initial sequence number for each connection must be unique. If the same initial sequence number were used for every connection the client made to a single server, it would be impossible to differentiate between different connections of the same application (that is, port number) between the two machines. Although the IP address and port number can uniquely identify a computer, they canʹt uniquely identify multiple applications of the same process running on the same computer. Sequence numbers are incremented for each segment exchanged and are acknowledged by the receiver so that both sides can determine that segments are being delivered reliably and not getting lost in the network. However, it is not necessary that each and every segment be acknowledged with another segment. Using a technique called sliding windows (which weʹll get to in a moment), TCP allows for a single acknowledgment of a number of segments. In Figure 25.7 another field is also shown in the first two packets that are exchanged. The Maximum Segment Size (MSS) field in the TCP header indicates the maximum number of bytes of data that the sender wants to receive in each TCP segment. This value is used to help prevent fragmentation of the TCP segment as it travels through various network devices that might have different transmission frame sizes. This value applies only to the size of the data that the TCP segment carries, and does not include the bytes that make up the TCP and IP headers. You will see this field only during the connection setup. After the application data exchange begins, this field is not used. If the client or server does not put a value into this field during the connection setup, a default value, usually 536, is used. Ending a TCP Session When the partyʹs over the application is finished sending data to another computer it tells TCP to close the connection from its side. Because the connection must be closed from each end, this is called a half close. To fully close a TCP connection, four steps are required, as opposed to the threeway handshake method used to set up the connection. Four steps are required because TCP operates as a full duplex connection that is, data can flow in both directions. Thus, each side needs to tell the other side of the connection that it has finished sending data and wants to close the connection. For example, when the client application, such as Telnet, wants to close a connection, TCP sends a segment that has the FIN bit set in the TCP header to the remote computer. The remote computer must first acknowledge this FIN segment, and does so by sending a segment to the client that has the ACK bit set. Because the connection is full duplex, the server TCP software informs the Telnet server application that the user application on the other end of the connection is finished. It then BCIS 4630 Fundamentals of IT Security TCP 6

7 sends its own FIN segment to the client, which, as you can probably guess, sends an acknowledgment segment back to the server. Although this is the general method used to close a TCP connection, another technique can be used in which one side sends a FIN segment, closing its data pipe, but the other side of the connection does not. Instead, it is possible for the other side to continue sending data until it is finished, at which time it sends the FIN segment and waits for an acknowledgment, which effectively closes the connection. A good example of this method is the Unix rsh (remote shell) utility. This utility allows a user to execute a command on a remote server. Because Unix allows for the capability to redirect input (using the < operator), a user can use rsh to execute a command on a remote server, and use the < operator on the command line to redirect the input for the command from the command line to a file. In such a situation, the clientʹs side of the connection sends the command to be executed to the remote server and then starts sending the data that is in the file. After the clientʹs side of the connection finishes sending the data contained in the file to the remote server, it instructs TCP to close its side of the connection. Yet, at the other side of the connection, the data needs to be processed by the program invoked by the rsh command. When finished, the program on the remote server sends the data back to the client and then instructs TCP to close its side of the connection. BCIS 4630 Fundamentals of IT Security TCP 7