Internet Protocol: IP packet headers. vendredi 18 octobre 13

Similar documents
IP addressing and forwarding Network layer

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Technical Support Information Belkin internal use only

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

2. IP Networks, IP Hosts and IP Ports

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Network layer: Overview. Network layer functions IP Routing and forwarding

Компјутерски Мрежи NAT & ICMP

Network layer" 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! goals: "

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

DHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy

Transport and Network Layer

IP - The Internet Protocol

VLAN und MPLS, Firewall und NAT,

Internetworking. Problem: There is more than one network (heterogeneity & scale)

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

8.2 The Internet Protocol

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Lecture Objectives. Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Agenda. Nomadic Services. Agenda. Nomadic Services Functions

NETWORK LAYER/INTERNET PROTOCOLS

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Lecture Computer Networks

IP address format: Dotted decimal notation:

UIP1868P User Interface Guide

21.4 Network Address Translation (NAT) NAT concept

Chapter 12 Supporting Network Address Translation (NAT)

Internet Control Protocols Reading: Chapter 3

LECTURE 4 NETWORK INFRASTRUCTURE

Protocols. Packets. What's in an IP packet

Scaling the Network: Subnetting and Other Protocols. Networking CS 3470, Section 1

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Subnetting,Supernetting, VLSM & CIDR

Firewalls und IPv6 worauf Sie achten müssen!

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Chapter 9. IP Secure

Raritan Valley Community College Academic Course Outline. CISY Advanced Computer Networking

Chapter 4: Security of the architecture, and lower layer security (network security) 1

This tutorial will help you in understanding IPv4 and its associated terminologies along with appropriate references and examples.

Troubleshooting Tools

Chapter 4 Network Layer

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Computer Networks/DV2 Lab

Lecture 8. IP Fundamentals

IPv6 Fundamentals Ch t ap 1 er I : ntroducti ti t on I o P IPv6 Copyright Cisco Academy Yannis Xydas

Ethernet. Ethernet. Network Devices

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Networking Test 4 Study Guide

Computer Networks. Lecture 3: IP Protocol. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Internet Peering, IPv6, and NATs. Mike Freedman V Networks

Internet Infrastructure Measurement: Challenges and Tools

+ iptables. packet filtering && firewall

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

Proxy Server, Network Address Translator, Firewall. Proxy Server

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

NQA Technology White Paper

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

IP Address Classes (Some are Obsolete) Computer Networking. Important Concepts. Subnetting Lecture 8 IP Addressing & Packets

Protocols and Architecture. Protocol Architecture.

SUPPORT DE COURS. Dr. Omari Mohammed Maître de Conférences Classe A Université d Adrar Courriel : omarinmt@gmail.com

Netfilter / IPtables

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration

Virtual Private Networks

Networking Basics and Network Security

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

Introduction to TCP/IP

LESSON Networking Fundamentals. Understand TCP/IP

Gary Hecht Computer Networking (IP Addressing, Subnet Masks, and Packets)

Address Resolution Protocol (ARP)

Virtual Private Networks

Source-Connect Network Configuration Last updated May 2009

High Performance VPN Solutions Over Satellite Networks

Application Protocols for TCP/IP Administration

TCP/IP Basis. OSI Model

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline

NAT and Firewall Traversal with STUN / TURN / ICE

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Using IPM to Measure Network Performance

Guideline for setting up a functional VPN

EITF25 Internet Techniques and Applications L5: Wide Area Networks (WAN) Stefan Höst

Firewalls. Ahmad Almulhem March 10, 2012

VMware vcloud Air Networking Guide

Network Security TCP/IP Refresher

Firewall Defaults and Some Basic Rules

TCP/IP Network Essentials. Linux System Administration and IP Services

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Introduction to IP v6

Introduction To Computer Networking

Transcription:

Internet Protocol: IP packet headers 1

IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6) L: Header length (variable because of options) TOS: Type of Service - flow class Total length: packet length Identification / F / Frag: fragmentation TTL: Time to Live ; maximum number of routers traversals authorized Proto: upper level protocol (TCP or UDP) Checksum: header integrity check Source address Destination address Options (security,...) Padding: to align length to a 32 bits multiple 2 RES101

IPv6: header evolution V L TOS Total Length Identification F Frag TTL Proto Checksum Source address Destination address Options Padding 3 RES101

IPv6: header evolution V L TOS Total Length Identification F Frag TTL Proto Checksum Source address Destination address Options Padding V Class Flow Label Payload length Next H Hop lim Source address Destination address 3 RES101

IPv6: header evolution V L TOS Total Length Identification F Frag TTL Proto Checksum Source address Destination address Options Padding V Class Flow Label Payload length Next H Hop lim Source address 7 fields instead of 13 Easier routing Fixed size Removed fields Checksum ; header length ; fragmentation ; options Destination address 3 RES101

IPv6: header Version: 6 Traffic class (QoS) Flow Label (QoS) Payload length (replaces packet length) Next header (replaces protocol) Hop Limit (replaces TTL) Source address Destination address V Class Flow Label Longueur payload Next H Hop lim Source address Destination address 4 RES101

Network layer additional mechanisms Claude Chaudet

IP addresses automatic allocation: DHCP 6

DHCP = Dynamic Host Configuration Protocol Protocol destined to allocate IP addresses to terminals on a network Evolution of BootP DHCP Introduction Main goal: send to connecting hosts the whole set of network parameters Allocate an IP address and a network mask Propagate the addresses of useful servers (SMTP, DNS,...) 7 RES101

Protocol principles Simple behavior : When requesting an address, the client broadcasts a DHCPDISCOVER request The server replies with a broadcast DHCPOFFER packet The client sends back a DHCPREQUEST unicast message to validate the IP address choice The server finally answers with an unicast DHCPACK confirmation The address is leased to the client for a certain duration The client may prolongate this duration by issuing another DHCPREQUEST message 8 RES101

Detailed behavior What happens when the server and the client are not on the same segment? Broadcasts do not cross routers Use DHCP relays to catch broadcast and retransmit it towards the real DHCP server Why is DHCP an application layer protocol? It only concerns layer-3 addresses However, it relies on a client-server architecture and may need other services provided by upper layers (reliable transmission, security,...) In the absence of a pure layer-3 solution, it has been deployed as an application layer protocol. 9 RES101

IP signaling: ICMP 10

Role of ICMP IP is a simple mechanism, dedicated to end-to-end packets transmission It is not really a protocol, as there are no messages defined by IP itself However, it relies on a series of side protocols: e.g.: Routing tables management: BGP, OSPF, IS-IS ICMP (Internet Control Messages Protocol) provides the missing signaling: Errors handling (when routing fails) Exchange of information between hosts and interconnection devices 11 RES101

ICMP - Layer 3 signaling ICMP is a network layer protocol, implemented as an IP packet Protocol type = 1; TOS = 0 It is encapsulated in an IP packet and defines three fields: ICMP type: type of message Code: error code Checksum: on ICMP part only Padding/data: potential ICMP data V L TOS Total Length Identification F Frag TTL Proto Checksum Source address Destination address ICMP T Code Checksum Padding or data Data 12 RES101

Example echo request (Ping) Message sent to a host or to a router The destination should answer by the same message, indicating that it is alive and connected. Request: type = 8; code = 0; data = sequence number Answer: type = 0; code = 0; data = sequence number Used by ping Often filtered by routers for security (obfuscation) 13 RES101

Example - destination unreachable This message is sent by a router or by an end host to inform the source that the destination application cannot be reached Message type = 3 Code gives precisions on the error location: 0: network unreachable 1: host does not exist on network 4: unreachable port (no application listening) etc. Routers are not forced to send these messages. Security / reliability justification: avoid overloading the router 14 RES101

Example - Time expired The TTL field in the IP header is decremented by 1 each time a router is crossed. When the value reaches 0, the packet is dropped and the source is notified with an ICMP message Type = 11 Application (cf. Lab): traceroute Traceroute uses a series of ping requests to the destination First packet is sent with a TTL=1 The first router drops the packet and informs the source, revealing its address Second packet is sent with a TTL=2 The second router drops the packet, informs the source etc. 15 RES101

Network Address Translation (NAT) 16

NAT principle NAT was first an answer to the scarcity of the IPv4 addressing space How to hide a whole network behind one IP address? Sometimes 2, 3,..., N addresses can be shared Internet 12.24.32.17 17

In Use NAT: general principles the LAN, use a private addressing space 192.168.0.0/16; 10.0.0.0/8 or 172.16.0.0/12 Non-routable (a router will discard a packet destined to such an address) a gateway that modifies the IP header Contrary to the expected behavior of IP (keep the same address end-toend) 192.168.0.3 Internet 192.168.0.4 12.24.32.17 192.168.0.254 192.168.0.2 192.168.0.1 18

The gateway's duty The gateway keeps track of which connection involves which computer A port number (transport layer) one device One public IP address one device Combination of both The gateway looks, for each packet, the header fields to find how to modify the packet Change source/destination TCP/UDP port Change source/destination IP address Modification of every packet => time consuming and reserved for reasonable size networks 19

Example: a request and an answer Browser Port 49737 eth0 192.168.0.1 eth0 eth1 eth0 (private) 192.168.0.254 eth1 (public) 12.24.32.17 Autonomous Systems Succession eth0 72.14.238.45 eth1 173.194.78.254 Web server Port 80 eth0 173.194.78.94 Port numbers Source: 49737 Dest.: 80 Source: 192.168.0.1 Dest.: 173.194.78.94 Source: 63822 Dest.: 80 Source: 12.24.32.17 Dest.: 173.194.78.94 IP addresses Port numbers Source: 80 Dest.: 49737 Source: 173.194.78.94 Dest.: 192.168.0.1 Source: 80 Dest.: 63822 IP addresses Source: 173.194.78.94 Dest.: 12.24.32.17 20

Different NAT types Using a set of ports or IP addresses In the classical scenario (masquerading) the gateway uses a set of ports to distinguish connections Source (SNAT) vs. destination (DNAT) - outgoing: SNAT; incoming: DNAT Static NAT vs. Dynamic NAT Static: permanent association between external and internal parameters - Often used for DNAT (server behind a NAT gateway) - ex: web server (port 80) that answers on 137.194.2.34 is indeed on 192.168.0.4 Dynamic: the gateway decides of the parameters in function of the traffic - Outgoing connections: classical situation - Incoming connections: load balancing between servers (for example) 21

NAT: summary and introduced problems NAT hides behind k IP addresses a network of n > k machines Requires a gateway that performs address translation Often uses port numbers => breaks layer independence Change IP address => non-compliant to the core IP principles Introduced problems The gateway often becomes a bottleneck Explicit configuration often necessary for incoming connections Some applications negotiate port numbers dynamically (FTP, p2p) => specific mechanisms on the platform to look in the packets payloads 22

Virtual Private Networks (VPN) 23

The problem A He i.e. have an IP address that user is connected through an ISP At home (telework), from a client's network, in travel,... wants to access his company's resources as if he were inside the company's network. belongs to the company's network Access to internal servers (firewalls) Access to external resources that identify clients based on their IP addresses 137.194.0.0/16 Réseau mère Internet 212.27.0.0/16 Réseau visité 212.27.32.12 In this situation, IP forwarding will direct all packets to the home network, never to the visited network. 24

Use The solution: virtual private networks (VPN) a gateway inside the home network Authenticates devices Receives all packets destined to remote devices Retransmit packets to the real, visited, IP - Terminal uses, from its point of view, its home address 137.194.0.0/16 Réseau mère Internet 212.27.0.0/16 Serveur VPN Réseau visité 212.27.32.12 137.194.23.45 25

Base mechanism: tunneling Peers send packets to the home address Packet gets routed to the VPN server VPN server encapsulates the IP packet in another IP packet, destined to the visited address This packet is sent, through the Internet, to the real device Correspondant A Serveur VPN V Internet Destination B - May get fragmented (MTU) The VPN software "decapsulates" the packet before transmitting it to the transport layer Src: A A to V Dst: B Data Reverse direction similar V to B Src: V Dst: B Src: A Dst: B Data 26

Tunneling Various VPN types can be applied at various levels IP in IP - IPSec (with ciphering) - Mobile IP IP in HTTP Layer 2 protocol (e.g. PPP) in IP - PPTP, L2TP IP in SSL/TLS - SSL/TLS = secure session-level protocol IP in SSH - SSH: secure telnet 27

Conclusions on the Application and Network Layers

General What to know concepts Circuit switching vs. packet switching OSI model Encapsulation Standards (where to find detailed information on a protocol, technology,...) Networks architectures A few facts about telephone networks (hierarchical architecture, databases,...) Orders of magnitude (networks sizes) - 1 billion devices ; 50000 AS Internet : Access vs. Core Autonomous Systems (+ existence of online databases) Peering vs. transit 29

Application layer Transport Layer Network Layer 30 What to know (2) Notion of applicative protocol Applicative metrics (throughput, delay, jitter, loss rate,...) Application classes (real-time/conversational, streaming, elastic,...) Classical applications: DNS, DHCP,... Roles: port numbers, sessions, fault tolerance, congestion control TCP behavior and base mechanisms (slow start, congestion avoidance,...) Addressing - formats and role (locating users, routing) IP addressing principles (prefix vs IID, IPv6, reserved slices,...) IP forwarding principles (and VPN, NAT,...) Routing algorithms and protocols names and roles (ebgp, ibgp, OSPF, IS-IS) Unicast, broadcast, multicast ICMP and applications (traceroute,...)

Practical Be Be What to know skills Networking toolbox (commands, frame analysis,...) Be able to make an IP addressing map Configure routing able to characterize an application Traffic characteristics Spy on a protocol able to diagnose a connection What do I need to communicate: IP address, gateway, DNS server,... Diagnose routing problems (ping, traceroute,...) 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information