Internet Protocol (IP)

Previous page
Table of content
Next page

In many ways, IP is the network. IP is a connectionless protocol that provides for the delivery of data to logically addressed hosts anywhere on the network. It is important to understand that IP is an unreliable delivery mechanism by design, leaving the responsibility of reliable delivery to higher- or lower-layer protocols such as TCP or IEEE 802.2 and 802.3. As far as IP is concerned, the data that is transmitted may be delivered, lost, sent out of order, duplicated, delayed, or otherwise mangled; it could not care less what the ultimate result is.

When we say that IP is connectionless, we mean that each packet that is transmitted is done so independent of every other packet. Consequently, packets that are transmitted may take different paths through the network and be lost or delayed, whereas other packets are successfully transmitted.

Although this concept of best-effort delivery may sound terribly unreliable, keep in mind that other protocols are designed that handle reliability, thus precluding the need for IP to handle such things. In addition, data is generally delivered successfully and true unreliability of data delivery is typically the result of an underlying network or communications failure of which IP would not be able to fix anyway (remember, each layer operates independent of each other, and a failure at the physical layer can only be fixed at the physical layer, not the network layer).

Note

IP is defined by the following RFCs:

  • RFC 0791

  • RFC 2474

  • RFC 3168

  • RFC 3260


IP Packet Structure

An IP packet (sometimes referred to as a datagram) has a distinct and defined structure. In simple form, an IP packet is the IP packet data (which is nothing more than the segment that was passed down from the session layer) and the IP packet header, as shown in Figure 3-5.

Figure 3-5. Simple IP Packet Structure


The IP packet header is typically 20 bytes in length (unless IP options are used, in which case the length may be variable up to a maximum length of 60 bytes) and contains the information that allows systems to determine how to process the corresponding IP packet data. The IP packet data is a variable length, ranging from 1 to 65515 bytes in length in most cases. Obviously, if the header is larger than 20 bytes, the IP packet data maximum size will be reduced in size accordingly. This provides for a minimum IP packet size of 21 bytes (20-byte header, 1-byte data) and a maximum IP packet size of 65535 bytes (20-byte header, 65515-byte data).

The IP Packet Header

The IP packet header is what tells an IP-based host what to do with the packet that was received. Think of it as an instruction manual that contains the "how to process this packet" information. Therefore, an attacker wanting to generate malicious traffic will frequently modify the IP packet header in such a way as to instruct the receiving host to do something harmful with the packet, or to instruct the host to do something it is not capable of doing in hopes that it causes the host to generate an error condition that may allow the attacker to gain access to the system. Because of this, it is not good enough to understand that there is an IP header. As a firewall administrator, we need to understand what the contents of the IP header are and what the values represent so that we can identify and block potentially malicious traffic.

The IP packet header consists of 32-bit blocks of data known as words. These words are further broken down into numerous fields of various length and function. As mentioned previously, the typical IP packet header length is 20 bytes, which means that a typical IP packet header consists of 5 words. If any IP options have been configured, the packet header will contain the options values, and then the necessary padding to ensure that the header ends on a 32-bit boundary.

Figure 3-6 depicts the structure of an IP packet header.

Figure 3-6. IP Packet Header Structure


The fields of the IP packet header and their meanings are as follows:

  • Version (VERS, 4 bits) This represents the format of the packet header. In most cases, the value is 4, which represents IP version 4; or 6, which represents IPv6. If the value is 0, the packet should be destroyed; and in most cases, any value other than 4 or 6 is going to be considered invalid.

  • Internet Header Length (IHL, 4 bits) This field represents the length of the header in 32-bit words, typically with a value of 5. If IP options are included in the header, the value will be between 6 and 15. Any values less than 5 are invalid.

  • Differentiated Services field (DS field, 6 bits) This field was originally known as the Type of Service field, but RFC 2474 replaced this functionality with what is known as the DS field. The DS field is used to provide scalable service discrimination and guarantee quality of service (QoS) for the datagram transmission. The DS code point (DSCP) is the value that is encoded in the DS field to define the QoS and per-hop behavior (PHB) for a given datagram.

    In general, the DS field should have a DSCP value of all 0s unless QoS or a PHB class has been implemented for the data and in fact the default DSCP value and PHB class for Internet communications is 000000.

    Note

    For more information about PHB codes and usage, refer to RFC 2597, RFC 3260, RFC 3246, RFC 3140, RFC 3247, and RFC 3248.


  • Explicit Congestion Notification (ECN, 2 bits) This field is used to provide a congestion indication for incipient congestion through the use of ECN code points. If both bits are set to a value of 1, it indicates that congestion has been experienced.

  • Total Length (16 bits) This field is the full length of the datagram, including the IP packet header and the data itself. Because the Total Length field consists of 16 bits, it is impossible to have a packet size greater than 65535 bits, because the maximum value that can be provided by a 16-bit field is 2^16, or 65536.

  • Identification (16 bits) This field contains a value assigned by the sender and is used by the receiver to aid in assembling the fragments of a datagram.

  • Flags (3 bits) This field is used to specify whether the datagram can be fragmented. Bit 0 is reserved and must be 0. If bit 1 is a 0, the datagram may be fragmented. If the value is 1, the datagram may not be fragmented. If bit 2 is a 0, this packet represents the last fragment of the datagram. If bit 2 is a 1, there are more fragments of the datagram.

  • Fragment Offset (13 bits) This field indicates where in the datagram the packet belongs. The fragment offset is measured in units of 8 octets, and the first fragment has an offset of 0. The Fragment Offset field should only contain data if the packet is a fragment.

  • Time to Live (8 bits) The Time to Live field specifies how long the packet may remain on a network before the datagram must be destroyed. This provides a means for removing packets from the network that were unable to be delivered in the time specified. A time-to-live value of 0 indicates that the datagram must be destroyed.

  • Protocol (8 bits) The Protocol field indicates what protocol was used at the next layer to generate the data portion of the packet. For example, TCP has a protocol value of 6 (0x06 in hex) and UDP has a value of 17 (0x11 in hex). For a full list of protocols, refer to http://www.iana.org/assignments/protocol-numbers.

  • Header Checksum (16 bits) This field is a checksum on the header only to ensure that the header is complete and verified accurate at each point that processes the header (for example, at each router or by the destination host itself).

  • Source Address (32 bits) This is the source IP address of the transmitting system.

  • Destination Address (32 bits) This is the destination IP address of the receiving system.

  • Options (variable) The Options field contains optional pieces of information that can be used by hosts to assist in the processing of the packet. Because this field is not required, not all vendors successfully or properly know how to handle and process values in the Options field (even though they are supposed to), which makes manipulation of the Options field to contain "invalid" data a common attack method. In general, the Options field is not commonly used.

  • Padding (variable) This field is nothing more than bits with a value of 0 to pad the bits of the Options field to ensure that the header ends with a 32-bit boundary.

Figure 3-7 shows a screen shot of a packet sniffer to show the IP packet header contents in a decoded fashion.

Figure 3-7. Sample IP Packet Header Contents


Bad IP Packets

In most cases, the IP packets that are received on a network can be successfully processed and acted upon accordingly. As is true with all network communications, however, it is possible for an IP packet to either be accidentally or intentionally designed in such a way as to be a bad packet. When we say "bad packet," we mean a packet that for whatever reason cannot be processed properly. In some cases, this may be the result of unreliable delivery of the data (for example, if a portion of the datagram is lost [remember, IP is an unreliable delivery mechanism, so a datagram could be fragmented and a fragment lost or something similar]).

In other cases, the packet may be intentionally crafted in such a way as to be an invalid or bad packet. This is normally done with the hope that when the destination receives the bad packet, it cannot properly deal with the packet, potentially leaving the host vulnerable to another attack.

Some examples of bad IP packets are packets that do not contain higher-layer contents such as TCP, UDP, or Internet Control Message Protocol (ICMP) contents. Another example is receiving packets that claim to be fragments, when no other packets correspond with the fragments to allow the destination to properly reassemble the datagram. In fact, sending IP fragments is a relatively common method of attacking a host with the objective typically being to cause the host to inadvertently process the fragment data, frequently an exploit of some sort. A common utility that leverages this is the tool "fragrouter," which can be used to circumvent firewalls and IDSs.

In general, the IP packet header should be interrogated to ensure that any fields that contain values contain accurate values. Any manipulation of this data could potentially cause a poorly designed host (see Windows systems for an example) to react in a negative fashion to the receipt of the data.



Previous page
Table of content
Next page
Firewall Fundamentals
Firewall Fundamentals
ISBN: 1587052210
EAN: 2147483647
Year: 2006
Pages: 147
Authors: Wes Noonan, Ido Dubrawsky
BUY ON AMAZON
CISSP Exam Cram 2
Image Processing with LabVIEW and IMAQ Vision
Programming Microsoft ASP.NET 3.5
AutoCAD 2005 and AutoCAD LT 2005. No Experience Required
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
GDI+ Programming with C#
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy