TCP/IP Primer: How Packet Filtering Works
Before we go into the details of packet filtering, it is necessary to understand the structure and technologies behind the TCP/IP protocol suite and its associated packets.
The next several sections provide a basic overview of the TCP/IP protocol. Advanced readers might find this review unnecessary and might prefer to skip ahead to the section "The Cisco Router as a Packet Filter."
When systems on a network communicate, they need to speak the same language, or protocol. One such protocol suite is TCP/IP, the primary communications language of the Internet. To facilitate such communications, the information you send needs to be broken down into manageable pieces called packets. Packet headers are small segments of information that are stuck at the beginning of a packet to identify it.
The IP portion of TCP/IP stands for Internet Protocol. It is responsible for identifying the packets (by their IP address) and for guiding them to their destination. IP packets are directed, or routed, by the values located in their packet headers. These header fields hold information about where the packet came from (source address) and where it is going (destination address), as well as other information, such as the type of service the packet might support.
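To make the header fields just described concrete, here is an added example (not code from the book) that builds a constructed IPv4 header, then parses it back the way a router's forwarding engine would read it: version, header length, Type of Service, TTL, protocol, source and destination address. The checksum routine follows RFC 1071 and the field layout RFC 791; the sample addresses and identification value are made up.

```python
"""Build and parse an IPv4 header (RFC 791) with an RFC 1071 checksum.

Added illustration; the packet is constructed in-line, not captured.
"""
import ipaddress
import struct
from dataclasses import dataclass

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # 20 bytes, network byte order, no options


@dataclass
class IPv4Header:
    version: int
    ihl: int            # header length in 32-bit words (5 = 20 bytes)
    tos: int            # Type of Service byte
    total_length: int   # header + payload, in bytes
    identification: int
    flags: int          # 3 bits: reserved, DF, MF
    fragment_offset: int
    ttl: int
    protocol: int       # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    options: bytes


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, tos: int = 0) -> bytes:
    """Constructed 20-byte header with a valid checksum (demo only)."""
    fields = [
        (4 << 4) | 5,          # version 4, IHL 5 (no options)
        tos,
        20 + payload_len,      # total length
        0x1234,                # identification (arbitrary, constructed)
        0x4000,                # flags = DF, fragment offset 0
        ttl,
        protocol,
        0,                     # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    ]
    raw = struct.pack(IPV4_HEADER_FMT, *fields)
    fields[7] = internet_checksum(raw)
    return struct.pack(IPV4_HEADER_FMT, *fields)


def parse_ipv4_header(data: bytes) -> IPv4Header:
    """Decode the header; raise ValueError on anything malformed."""
    if len(data) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    if ihl < 5:
        raise ValueError(f"illegal IHL {ihl}: header cannot be shorter than 20 bytes")
    header_len = ihl * 4
    if len(data) < header_len or total_length < header_len:
        raise ValueError("header length field exceeds the available data")
    # A header whose checksum is correct sums (checksum word included) to
    # 0xFFFF, so the complemented result is zero.
    if internet_checksum(data[:header_len]) != 0:
        raise ValueError("bad header checksum")
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident, flags=flags_frag >> 13,
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=protocol,
        checksum=checksum,
        src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
        options=data[20:header_len],
    )


if __name__ == "__main__":
    pkt = build_ipv4_header("192.168.1.1", "10.0.0.5", protocol=6, payload_len=20, tos=0x10)
    hdr = parse_ipv4_header(pkt + b"\x00" * 20)
    print(f"{hdr.src} -> {hdr.dst}  proto={hdr.protocol} ttl={hdr.ttl} tos=0x{hdr.tos:02x}")
```

The parser refuses a header that is truncated, claims an impossible length, or fails its checksum, which is exactly the kind of malformed input a filtering router must discard before it ever consults its rules.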
IP Version 6
The version of the IP protocol that is most commonly used on the Internet today, and the one we refer to in this chapter, is IP version 4 (IPv4). It was created in the 1980s and has many limitations that have required expansions to keep it valid into the twenty-first century. Those limitations include a restricted address space, no integrated security, no integrated means to automatically assign addresses, and the list goes on. Although technologies were created as "band-aids" to help overcome these issues (NAT, IPSec, and DHCP), it wasn't long before development began on a replacement version. In the 90s, IP version 6 (IPv6) was born.
IPv6 has a much larger potential address space, made up of eight 16-bit values instead of IPv4's four 8-bit values. IPv4 addresses are most commonly notated as decimals in the format 192.168.1.1, where each decimal number is some value between 0 and 255 (2^8 possible values). IPv6 addresses are notated in hexadecimal in the format 1234:ABCD:1A2B:4321:CDEF:C5D6:789D:F12A, where each hexadecimal number is some value between 0 and FFFF (or 0 and 65535 decimal, 2^16 possible values). Hexadecimal is used to keep the already long IPv6 address notation more concise and readable. One shorthand method of IPv6 notation abbreviates runs of zeroes with double colons (::). For example, the IPv6 address 1234:5678:0000:0000:0000:0000:0000:1AF4 can instead be written as 1234:5678::1AF4. The double colons indicate that all digits between the groups listed are zeroes.
Other improvements that IPv6 offers are integrated authentication and encryption methods, automatic address assignment capabilities, improved Quality of Service (QoS) methods, and an improved header format that moves anything but essential routing information to extension headers, allowing for quicker processing. Despite all its advantages, IPv6 is still not heavily implemented.
As a network administrator it is important that you are aware of IPv6 and its possible advantages for your environment, even though you may not be required to use it for years to come. For more information on the IPv6 standard, refer to RFC 2460.
When an IP packet arrives at a router, the router checks its destination to see whether it knows how to get to the place where the packet wants to go. If it does, it passes the packet to the appropriate network segment. The fact that a router passes any packet whose destination it is aware of is called implicit permit. Unless further security measures are added, all traffic is allowed in as well as out. For this reason, a method is required to control the information entering and exiting the interfaces of the router.
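The following is an added example (not the book's code) of the forwarding decision just described: a longest-prefix route lookup that forwards any packet whose destination matches a route and never looks at the source address, which is implicit permit in code. It also shows the one place where an inbound filter would have to sit to change that outcome. The routing table, interface names, inside networks and packets are all constructed for the illustration.

```python
"""Route lookup with implicit permit, and the hook where an inbound filter sits.

Added illustration; the table, interface names and packets are constructed.
"""
import ipaddress
from typing import Callable, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str                  # outgoing interface
    next_hop: Optional[str]     # None = directly connected


# Constructed routing table (no default route, so unknown destinations drop).
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "Ethernet0", "10.0.0.254"),
    Route(ipaddress.ip_network("10.1.2.0/24"), "Ethernet1", None),
    Route(ipaddress.ip_network("192.168.1.0/24"), "Ethernet2", None),
]
OUTSIDE_IFACE = "Serial0"   # constructed: the interface facing the Internet
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.1.0/24")]

Packet = dict   # constructed shape: {"src": ..., "dst": ..., "in_iface": ...}


def lookup_route(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific route wins (/24 beats /8)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or
                                     route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def forward(packet: Packet, routes: List[Route] = ROUTES,
            inbound_filter: Optional[Callable[[Packet], bool]] = None
            ) -> Tuple[str, Optional[str]]:
    """Return (verdict, outgoing interface).

    With no inbound_filter the only question asked is "do I have a route?":
    that is implicit permit. The source address is never consulted.
    """
    if inbound_filter is not None and not inbound_filter(packet):
        return ("deny", None)           # dropped by policy before routing
    route = lookup_route(packet["dst"], routes)
    if route is None:
        return ("drop", None)           # no route at all
    return ("forward", route.iface)


def reject_inside_sources_from_outside(packet: Packet) -> bool:
    """Sample inbound filter (constructed): a packet arriving on the outside
    interface must not carry an inside source address. True means permit."""
    if packet["in_iface"] != OUTSIDE_IFACE:
        return True
    src = ipaddress.ip_address(packet["src"])
    return not any(src in net for net in INSIDE_NETS)


if __name__ == "__main__":
    sample = {"src": "203.0.113.9", "dst": "10.1.2.5", "in_iface": OUTSIDE_IFACE}
    print("implicit permit:", forward(sample))
    claims_inside = {"src": "10.1.2.7", "dst": "10.1.2.5", "in_iface": OUTSIDE_IFACE}
    print("no filter:", forward(claims_inside),
          " with filter:", forward(claims_inside,
                                   inbound_filter=reject_inside_sources_from_outside))
```

Note that the unfiltered router happily forwards a packet arriving from the outside interface with an inside source address; only the filter, applied before the route lookup, changes the verdict. Adding a default route (0.0.0.0/0) to the table would turn the remaining "drop" into a forward as well, which is why implicit permit alone is no security control.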