IPv4, IPv6, and IPSec - Auckland

Post on 04-Jun-2020


Manoranjan Mohanty

IPv4, IPv6, and IPSec

COMPSCI 316 (Cyber Security)

Source of some slides: Princeton University

Also thanks to J.F. Kurose and K.W. Ross

Slide 2

THE PLAN

This week and next week

Internet layer

– IPv4, IPv6, IPSec, BGP

Wifi security

Software Defined Network (SDN) – If time permits

Slide 3

INTERNET LAYER

Provides service to the Transport Layer. Takes service from the Link Layer

Host-to-host communication

– Host: An end system (computer) having a unique IP (network) address

Slide 4

INTERNET LAYER CONT

Packet delivery, routing, error/information reporting

https://www.tutorialspoint.com/data_communication_computer_network/network_layer_routing.htm

Slide 5

INTERNET PROTOCOL PACKET DELIVERY

Addressing

Encapsulation

Forwarding

Connectionless

Best-effort service

IPv4 and IPv6

Figure: https://en.wikipedia.org/wiki/Encapsulation_(networking)#/media/File:UDP_encapsulation.svg

Destination IP address

Slide 6

IPv4

IPv4 is IP version 4

IP address: A 32-bit address that uniquely and universally identifies a host on the Internet

– 10000000 11000000 11100000 11110000

– Dotted decimal form: 128.192.224.240

The IP address allocation is done as follows

– The “wholesale” approach (ICANN -> ISP -> Organization -> You)

Slide 7

CLASSFUL ADDRESSING VS CLASSLESS ADDRESSING

For easier addressing, a group of similar IP addresses are assigned to an organization

The address is divided into two parts

– netid (every device in the organization has the same netid) and hostid (the hostid changes)

In classful addressing, there are only five possible ways of division

Figure (netid . hostid). Source: Data Communications and Networking by Behrouz A. Forouzan

Slide 8

IPv4: CLASSLESS ADDRESSING

Classful addressing often leads to misuse of IP addresses

Classless addressing: The “block size” can vary

– x.y.z.t / n – first n bits for the block (prefix)

Classless addressing is also not enough to solve the shortage of IPv4 addresses

– In the best case, more than four billion IP addresses (2^32)

– In 2018 alone, more than 2.3 billion computing devices shipped (Gartner, April 2018)

Network Address Translation (NAT)

Slide 9

NAT

Why does NAT replace port numbers?

In an organization, NAT allows a large set of addresses internally (private) but a small set externally (public)

Figure (source: Computer Networking: A Top-Down Approach by Jim Kurose): host 10.0.0.3 sends a packet with S = 10.0.0.3, 3345 and D = 128.119.40.0, 90. The NAT translation table shown is

WAN side 138.76.29.7, 3345 <-> LAN side 10.0.0.1, 3345

WAN side 138.76.29.7, 3345 <-> LAN side 10.0.0.3, 3345
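The table on this slide is the point of the question: two private hosts, 10.0.0.1 and 10.0.0.3, both use source port 3345, so if the NAT only rewrote the address, replies to 138.76.29.7:3345 could not be returned to the right host. The following is an added example (not code from the lecture) of a port-rewriting NAT table for exactly that scenario; the public port range starting at 5001 and the unsolicited packet from 203.0.113.9 are constructed assumptions.

```python
# Added example: a minimal port-rewriting NAT for the slide's scenario.
# Private hosts 10.0.0.1 and 10.0.0.3 both use source port 3345 towards
# 128.119.40.0:90 behind the single public address 138.76.29.7.
# The port allocation policy (5001 upwards) is an assumption.

PUBLIC_IP = "138.76.29.7"


class Nat:
    """Translation table: (private_ip, private_port) <-> public_port."""

    def __init__(self, public_ip, first_port=5001):
        self.public_ip = public_ip
        self.next_port = first_port        # next unused public port (assumed policy)
        self.lan_to_wan = {}               # (priv_ip, priv_port) -> public_port
        self.wan_to_lan = {}               # public_port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the LAN; allocate a mapping on first use."""
        key = (src_ip, src_port)
        if key not in self.lan_to_wan:
            if self.next_port > 65535:
                raise RuntimeError("NAT port pool exhausted")
            self.lan_to_wan[key] = self.next_port
            self.wan_to_lan[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.lan_to_wan[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from the Internet; None means no mapping, drop."""
        if dst_ip != self.public_ip or dst_port not in self.wan_to_lan:
            return None                    # unsolicited inbound traffic has no mapping
        priv_ip, priv_port = self.wan_to_lan[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


def demo():
    """Two LAN hosts with the same source port talk to 128.119.40.0:90 (slide values)."""
    nat = Nat(PUBLIC_IP)
    out1 = nat.outbound("10.0.0.1", 3345, "128.119.40.0", 90)
    out3 = nat.outbound("10.0.0.3", 3345, "128.119.40.0", 90)
    # Replies are addressed to the distinct public ports, which disambiguates the hosts.
    back3 = nat.inbound("128.119.40.0", 90, PUBLIC_IP, out3[1])
    back1 = nat.inbound("128.119.40.0", 90, PUBLIC_IP, out1[1])
    stray = nat.inbound("203.0.113.9", 4444, PUBLIC_IP, 9999)   # constructed unsolicited packet
    return out1, out3, back1, back3, stray


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A side effect worth noticing: because the NAT only creates mappings for outbound packets, the unsolicited inbound packet is dropped, which is why NAT is often (mis)described as a firewall even though that was never its purpose.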

Slide 10

IPv4 PACKET FORMAT

Figure: the 20-byte IPv4 header, one 32-bit row per line

4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes)

16-bit Identification | 3-bit Flags | 13-bit Fragment Offset

8-bit Time to Live (TTL) | 8-bit Protocol | 16-bit Header Checksum

32-bit Source IP Address

32-bit Destination IP Address

Options (if any)

Payload

Slide 11

IP HEADER FIELDS

Version number (4-bit)

– Indicates the version of the IP protocol

– Typically 4 (for IPv4) and sometimes 6 (for IPv6)

Header length (4-bit)

– Number of 32-bit words in the header

– Typically 5 (for a 20-byte IPv4 header)

Type of service (8-bit)

– Used to manage quality of service

– E.g., low delay for audio and high bandwidth for bulk transfer

Slide 12

IP HEADER FIELDS CONT

Total length (16-bit)

– Number of bytes in the packet (header+payload)

– Maximum size can be 64KB; underlying links may impose harder limits

Fragmentation information (32-bit)

– Packet identification, flags, and fragmentation offset (see later)

– Supports dividing a large IP packet into fragments when a link cannot handle that (large) packet

Time-to-live (8-bit)

– Lifetime of a packet

– Used to prevent loops

Slide 13

TTL

TTL in packet header (8-bit)

– TTL is decremented as a packet traverses a router

– A packet is discarded when TTL reaches 0

– A ‘time exceeded’ message is sent to the source

Slide 14

IP HEADER FIELDS CONT

Protocol (8-bit)

– A value that specifies the type of payload

– E.g., TCP or UDP

Header checksum (16-bit)

– For IP header only

– Recalculated by each router since TTL changes

Source or destination address (32-bit)

– IP address
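Slides 10 to 14 describe the fixed IPv4 header field by field; the following added example (not the lecture's code) packs and parses that header, verifies the checksum the way a receiver or router must, and performs the per-hop TTL decrement with the checksum recomputation that slide 25 later cites as the reason IPv6 dropped the checksum. The sample addresses and payload are constructed.

```python
# Added example: build, parse and forward a 20-byte IPv4 header.
import struct

HDR_FMT = "!BBHHHBBH4s4s"   # the ten fixed fields of the 20-byte IPv4 header


def ip_to_bytes(ip):
    """Dotted decimal '128.192.224.240' -> 4 bytes (slide 6 notation)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    return bytes(octets)


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def ipv4_checksum(header):
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ttl=64, proto=6, ident=7, flags=0, frag_off=0, tos=0):
    """Header + payload with a correct checksum (no options, so IHL = 5 words)."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(HDR_FMT, ver_ihl, tos, 20 + len(payload), ident,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fixed header; 'checksum_ok' is what every hop must verify."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_off, ttl, proto,
     csum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "version": version, "header_len": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_off >> 13, "frag_offset": flags_off & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        # summing a header that includes its own checksum field gives 0 when intact
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "options": pkt[20:ihl],
    }


def router_forward(pkt):
    """Per-hop processing: verify checksum, decrement TTL, recompute checksum.
    Returns None when the packet must be discarded (bad checksum or TTL expired;
    a real router would then send ICMP 'time exceeded' to the source)."""
    h = parse_ipv4(pkt)
    if not h["checksum_ok"] or h["ttl"] <= 1:
        return None
    ihl = h["header_len"]
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1                                 # byte 8 is the TTL field
    hdr[10:12] = b"\x00\x00"                    # zero the checksum before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]
```

The checksum covers only the header, so the TTL change at every hop forces every router to recompute it; the payload is not protected at all, which is why integrity for the data has to come from TCP/UDP checksums or from IPSec.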

Slide 15

IP FRAGMENTATION AND

REASSEMBLY

Max IP datagram: 64KB

Network links have a Maximum Transfer Unit (MTU)

Large IP datagrams can be fragmented

Reassembled at the destination (not at a router; internet layer)

Figure: fragmentation (in: one large datagram, out: 3 smaller datagrams) and reassembly

Slide 16

IP FRAGMENTATION AND

REASSEMBLY CONT

Example

– 4000-byte datagram

– MTU is 1500 bytes

length = header + payload

Original datagram: length=4000, ID=7, offset=0, fragflag=0

One large datagram becomes several smaller datagrams:

length=1500, ID=7, offset=0, fragflag=1

length=1500, ID=7, offset=185, fragflag=1

length=1040, ID=7, offset=370, fragflag=0

1480 bytes in the data field; offset = 1480/8

ID identifies the IP datagram

fragflag=1 means more fragments available

offset gives the fragment's position in the original payload (in units of 8 octets)

Slide 17

ISSUES WITH FRAGMENTATION

Complicates router and end system

Reassembly computation cost

Interferes with TCP control flow

DoS attack

– Final fragment never sent

– Overlapping “offset”
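The worked example on the previous slide and the two DoS cases on this one (a final fragment that never arrives, and overlapping offsets) are reproduced in the added example below; it is not the lecture's code. It splits a 4000-byte datagram for a 1500-byte MTU, reproducing the offsets 0/185/370 and lengths 1500/1500/1040 from slide 16, and the reassembler rejects overlapping fragments and expires incomplete datagrams instead of holding them forever. The 30-second timeout is an assumption.

```python
# Added example: IPv4 fragmentation and defensive reassembly.
from dataclasses import dataclass

HEADER_LEN = 20                                  # IPv4 header without options


@dataclass
class Fragment:
    ident: int        # Identification field, shared by all pieces of one datagram
    offset: int       # Fragment Offset field, in units of 8 bytes
    more: bool        # MF flag ("fragflag" on the slide)
    data: bytes       # this fragment's share of the original payload

    def total_length(self):
        return HEADER_LEN + len(self.data)


def fragment(ident, payload, mtu):
    """Split one datagram payload so every fragment fits the link MTU."""
    max_data = (mtu - HEADER_LEN) // 8 * 8       # data per fragment is a multiple of 8
    frags = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        more = start + len(chunk) < len(payload)
        frags.append(Fragment(ident, start // 8, more, chunk))
    return frags


class Reassembler:
    """Destination-side reassembly with the two checks the slide motivates:
    overlapping fragments are rejected and incomplete datagrams are expired."""

    def __init__(self, timeout=30.0):          # timeout value is an assumption
        self.timeout = timeout
        self.pending = {}   # ident -> {"parts": {byte_offset: data}, "total": int|None, "first": t}

    def add(self, frag, now):
        """Return the reassembled payload once complete, else None."""
        entry = self.pending.setdefault(frag.ident, {"parts": {}, "total": None, "first": now})
        start, end = frag.offset * 8, frag.offset * 8 + len(frag.data)
        if frag.more and len(frag.data) % 8:
            del self.pending[frag.ident]
            raise ValueError("non-final fragment not a multiple of 8 bytes")
        if entry["total"] is not None and end > entry["total"]:
            del self.pending[frag.ident]
            raise ValueError("fragment extends past the datagram end")
        for s, d in entry["parts"].items():
            if start < s + len(d) and s < end:  # byte ranges intersect
                del self.pending[frag.ident]    # drop the whole datagram, not just the piece
                raise ValueError("overlapping fragment for datagram %d" % frag.ident)
        entry["parts"][start] = frag.data
        if not frag.more:
            entry["total"] = end                 # the last fragment fixes the full length
        if entry["total"] is not None:
            have = sum(len(d) for d in entry["parts"].values())
            if have == entry["total"]:          # no overlaps, so equal size means contiguous
                del self.pending[frag.ident]
                return b"".join(entry["parts"][k] for k in sorted(entry["parts"]))
        return None

    def expire(self, now):
        """Drop datagrams whose final fragment never arrived; returns their IDs."""
        stale = [i for i, e in self.pending.items() if now - e["first"] > self.timeout]
        for i in stale:
            del self.pending[i]
        return stale
```

Rejecting the whole datagram on overlap, rather than picking a "winner" fragment, matters for detection as well as robustness: different operating systems historically resolved overlaps differently, so an IDS that reassembles one way while the host reassembles another can be made to see a different payload than the host does.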

Slide 18

IP SPOOFING

Source IP address should be the sending host

– But, who is checking that?

– One could send packets with any source IP

Why would someone want to do this?

– Launch a DoS attack

– Evade detection

– An attack against the spoofed host

Spoofed host is wrongly blamed

Spoofed host may receive return traffic from the receiver
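"Who is checking that?" has a standard answer at the network edge: source address validation (BCP 38 ingress filtering), which needs exactly the prefix arithmetic slides 6 and 8 introduce. The added example below (not the lecture's code) implements dotted-decimal and x.y.z.t/n handling and uses it in an edge filter that drops packets whose source address cannot legitimately arrive on the interface they came in on. The topology (one customer on 192.0.2.0/24) and the sample packets are constructed.

```python
# Added example: classless prefix arithmetic and BCP 38-style ingress filtering.


def binary_to_dotted(bits):
    """'10000000 11000000 11100000 11110000' -> '128.192.224.240' (slide 6)."""
    octets = bits.split()
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError("expected four 8-bit groups")
    return ".".join(str(int(o, 2)) for o in octets)


def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def parse_prefix(prefix):
    """'x.y.z.t/n' -> (network as int, n): the first n bits identify the block."""
    addr, n = prefix.split("/")
    n = int(n)
    if not 0 <= n <= 32:
        raise ValueError("prefix length out of range")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, n


def in_prefix(ip, prefix):
    net, n = parse_prefix(prefix)
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return ip_to_int(ip) & mask == net


def block_size(prefix):
    """Number of addresses in a /n block: 2^(32-n)."""
    return 1 << (32 - parse_prefix(prefix)[1])


class IngressFilter:
    """Source address validation at a provider edge router (constructed model).
    Packets from a customer-facing interface must carry a source inside that
    customer's block; packets from the upstream interface must not claim an
    internal or private source."""

    def __init__(self, customer_prefixes, never_from_upstream):
        self.customer = customer_prefixes            # interface -> list of prefixes
        self.never_from_upstream = never_from_upstream

    def accept(self, iface, src_ip):
        if iface in self.customer:
            return any(in_prefix(src_ip, p) for p in self.customer[iface])
        internal = [p for ps in self.customer.values() for p in ps]
        return not any(in_prefix(src_ip, p) for p in internal + self.never_from_upstream)

    def audit(self, packets):
        """packets: iterable of (iface, src_ip, dst_ip); returns rows with a verdict."""
        return [(iface, src, dst, "accept" if self.accept(iface, src) else "drop-spoofed")
                for iface, src, dst in packets]


# Constructed topology: one customer on 192.0.2.0/24, the Internet on "upstream".
FILTER = IngressFilter(
    customer_prefixes={"cust-a": ["192.0.2.0/24"]},
    never_from_upstream=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
)

# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17", "198.51.100.5"),     # legitimate customer packet
    ("cust-a", "203.0.113.9", "198.51.100.5"),    # customer host forging an outside source
    ("upstream", "203.0.113.9", "192.0.2.17"),    # normal inbound packet
    ("upstream", "192.0.2.17", "192.0.2.1"),      # outside packet claiming an inside source
    ("upstream", "10.0.0.3", "192.0.2.1"),        # private source arriving from the Internet
]

if __name__ == "__main__":
    for row in FILTER.audit(SAMPLE_PACKETS):
        print(*row)
```

The filter can only be applied where the legitimate source range is known, which is why it belongs at the customer edge; a transit router in the core cannot tell a spoofed source from a real one, and that gap is what makes the DoS and blame-shifting uses on this slide possible.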

Slide 19

IPv4 SECURITY

Confidentiality

Integrity

Authenticity

Availability

Replay attack

IPSec

Slide 20

IPv6

The most recent version of the Internet Protocol (IP)

Designed in the 90s

It offers a larger address space

– 128-bit (16-byte) address

– 18 million trillion addresses

IPv6 is intended to replace IPv4

– Likely to co-exist with IPv4 for many years

Slide 21

IPv6 ADDRESS

Source: Data Communications and Networking by Behrouz A. Forouzan

"colon hex" notation – A colon between two sections, each section being four hex digits

Slide 22

ABBREVIATED IPv6 ADDRESSES

Source: Data Communications and Networking by Behrouz A. Forouzan

Slide 23

IPv6 SIMPLIFIED HEADER

Slide 24

IPv6 HEADER: SIMPLIFICATION

Fixed length for the basic header

– IPv4 header of variable length: 20-byte (min)

– IPv6 has the main header: 40-byte (fixed)

Leads to fast header processing

No need of header length (hlen)

Fragmentation only by traffic source

– Source does path MTU discovery

– No burden on routers to do fragmentation

– No need of identification, flag, and fragment offset

Slide 25

IPv6 HEADER: SIMPLIFICATION CONT

Header checksums are eliminated

– The IPv4 header checksum is recalculated by every node due to the change in TTL

– The idea is to improve performance by saving some resources

– Error detection can be enforced by upper layers

Slide 26

NEXT HEADER FIELD

Slide 27

IPv6 EXTENSION HEADERS

Separate header(s) between the base header and the data, to carry optional internet-layer information
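Slides 23 to 27 describe the fixed 40-byte IPv6 header and the Next Header chain of extension headers that replaced IPv4's options and fragmentation fields. The added example below (not the lecture's code) packs that header and walks the chain to locate the upper-layer protocol, which is what a stateless filter needs before it can decide anything about a packet; it bounds the walk and rejects truncated chains. The protocol numbers are the real IANA values; the addresses, the eight-header limit and the sample packet are constructed.

```python
# Added example: IPv6 base header plus a bounded walk of the extension header chain.
import struct

# IANA protocol numbers (real values)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
TCP, UDP, ICMPV6 = 6, 17, 58
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    """40-byte fixed header (no header length, no checksum, no fragment fields) + payload."""
    if len(src) != 16 or len(dst) != 16 or flow_label >= 1 << 20:
        raise ValueError("bad address or flow label")
    first = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", first, len(payload), next_header, hop_limit) + src + dst + payload


def parse_ipv6(pkt, max_ext=8):
    """Decode the base header, then follow Next Header to the upper-layer protocol.
    The walk is bounded (max_ext is an assumed limit) so an overlong or truncated
    chain is rejected rather than consuming unbounded work or hiding the transport header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not IPv6")
    if 40 + payload_len > len(pkt):
        raise ValueError("payload length exceeds packet")
    chain, off = [], 40
    while nh in EXTENSION_HEADERS:
        if len(chain) >= max_ext:
            raise ValueError("extension header chain longer than %d" % max_ext)
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 bytes; the others carry (length+1)*8 in byte 1
        ext_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + ext_len > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        nh = pkt[off]                       # every extension header starts with Next Header
        off += ext_len
    return {
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": pkt[8:24].hex(), "dst": pkt[24:40].hex(),
        "ext_chain": chain,
        "upper_protocol": nh,
        "upper_offset": off,
    }


def filter_verdict(pkt, allowed_protocols=(TCP, UDP, ICMPV6)):
    """What a stateless filter can decide once the real transport header is located."""
    try:
        h = parse_ipv6(pkt)
    except ValueError as e:
        return "drop: " + str(e)
    proto = h["upper_protocol"]
    if proto == NO_NEXT_HEADER:
        return "accept: no upper-layer payload"
    if proto not in allowed_protocols:
        return "drop: protocol %d not allowed" % proto
    names = {TCP: "tcp", UDP: "udp", ICMPV6: "icmpv6"}
    return "accept: %s at offset %d" % (names[proto], h["upper_offset"])


# Constructed sample packet: hop-by-hop (PadN option) -> fragment -> TCP
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
HOPOPT = bytes([FRAGMENT, 0]) + b"\x01\x04" + b"\x00" * 4        # next=44, length 0 (8 bytes)
FRAG = bytes([TCP, 0]) + struct.pack("!HI", 0, 0x1234)           # next=6, offset 0, id
TCP_STUB = b"\x00\x50\x00\x50" + b"\x00" * 16                     # 20 placeholder bytes
SAMPLE = build_ipv6(SRC, DST, HOP_BY_HOP, HOPOPT + FRAG + TCP_STUB, flow_label=0xABCDE)

if __name__ == "__main__":
    print(parse_ipv6(SAMPLE))
    print(filter_verdict(SAMPLE))
```

Note that the transport header is only reachable after the whole chain has been walked, and in a fragmented packet it may not be in the first fragment at all; a filter that gives up on unusual chains and drops (as above) fails closed, whereas one that simply stops inspecting fails open.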

Slide 28

TRANSITION FROM IPv4 to IPv6

What’s wrong with the dual-stack approach?

Figure source: Computer Networking: A Top-Down Approach by Jim Kurose

Slide 29

MAC ADDRESS TO IPv6 CONVERSION
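Slides 21 and 22 cover colon-hex notation and its abbreviation, and this slide's title refers to building an IPv6 interface identifier from a MAC address. The added example below (not the lecture's code) implements both: expanding and compressing colon-hex addresses following the RFC 5952 rules (lowercase, no leading zeros, the longest run of zero groups becomes "::", the first run on a tie), and the modified EUI-64 construction (split the 48-bit MAC, insert ff:fe, flip the universal/local bit). The MAC 00:1a:2b:3c:4d:5e is a constructed sample.

```python
# Added example: IPv6 colon-hex notation and MAC-derived (modified EUI-64) addresses.


def expand_ipv6(addr):
    """Undo '::' and leading-zero suppression: eight groups of four hex digits."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("bad IPv6 address %r" % addr)
    values = [int(g, 16) for g in groups]           # raises ValueError on non-hex text
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("bad IPv6 address %r" % addr)
    return ":".join("%04x" % v for v in values)


def compress_ipv6(addr):
    """RFC 5952 text form: longest run of >=2 zero groups becomes '::' (first run wins ties)."""
    values = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 1                    # a run must be longer than one group
    i = 0
    while i < 8:
        if values[i] == 0:
            j = i
            while j < 8 and values[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%x" % v for v in values]
    if best_start < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def mac_to_modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier: split in half, insert ff:fe, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02                                  # invert the universal/local bit
    return bytes(iid)


def link_local_from_mac(mac):
    """fe80::/64 link-local address built from the MAC, in compressed notation."""
    iid = mac_to_modified_eui64(mac)
    groups = ["fe80", "0", "0", "0"] + ["%x" % int.from_bytes(iid[i:i + 2], "big")
                                        for i in range(0, 8, 2)]
    return compress_ipv6(":".join(groups))


def mac_from_eui64_address(addr):
    """Recover the MAC embedded in an EUI-64 derived address, or None if the
    interface identifier is not of that form (the reason privacy extensions exist)."""
    values = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    iid = b"".join(v.to_bytes(2, "big") for v in values[4:])
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)
```

The last function is the security point of this construction: an EUI-64 address carries the hardware address in its low 64 bits, so a host using it is trackable across networks by its MAC, which is why operating systems now default to randomised or privacy-extension identifiers instead.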

Slide 30

SUMMARY

IPv4 alone is not sufficient for providing global connectivity

– Combining IPv4 with NAT solves the problem

IPv4 header checksum is recalculated by each router since TTL changes

TTL is decremented as a packet traverses a router

– A packet discarded when TTL is 0

Source IP address could be spoofed

Slide 31

SUMMARY

IPv6 uses 16-byte addressing scheme

IPv6 made some simplifications

– Fixed length basic header

– Fragmentation only by traffic source

– No header checksum

Flow label is a new field in the IPv6 header, which is quite useful

IPv6 is being deployed

Slide 32

Questions?

Thanks for your attention!

Slide 33

ACKNOWLEDGEMENT

Some slides are provided by Muhammad Rizwan Asghar.

Thanks to him!