Berkeley ELENG 122 - IP Addressing
Slide 1: IP Addressing
EE 122: Intro to Communication Networks
Fall 2007 (WF 4-5:30 in Cory 277)
Vern Paxson
TAs: Lisa Fowler, Daniel Killebrew & Jorge Ortiz
http://inst.eecs.berkeley.edu/~ee122/
Materials with thanks to Jennifer Rexford, Ion Stoica, and colleagues at Princeton and UC Berkeley

Slide 2: Announcements
• We plan to close the Tuesday section, leaving
  – Mon 4-5
  – Wed 12-1
  – Fri 10-11
• If this will cause you hardship, please let me know this week
• Please take the poll (see the announcements page) regarding lecture scheduling for Thanksgiving week
• Reminder, Lisa's office hours are by appointment
  – And Friday section will be taught by Daniel
• Once more: subscribe to the mailing list

Slide 3: Goals of Today's Lecture
• Finish security analysis of IP's header design
• IP addresses
  – Dotted-quad notation
  – IP prefixes for aggregation
    o Classless InterDomain Routing (CIDR)
  – Classful addresses
  – Special-purpose address blocks
• Address allocation
  – Hierarchy by which address blocks are given out
  – Finding information about an allocation

Slide 4: Security Implications of IP's Design
[Figure: IPv4 header layout, one 32-bit word per row]
  | 4-bit Version | 4-bit Header Length | 8-bit Type of Service (TOS) | 16-bit Total Length (Bytes) |
  | 16-bit Identification                                 | 3-bit Flags | 13-bit Fragment Offset |
  | 8-bit Time to Live (TTL) | 8-bit Protocol            | 16-bit Header Checksum               |
  | 32-bit Source IP Address                                                                    |
  | 32-bit Destination IP Address                                                               |
  | Options (if any)                                                                            |
  | Payload                                                                                     |

Slide 5: Security Implications of TOS? (8 bits)
• What if attacker sets TOS for their flooding traffic for prioritized delivery?
  – If regular traffic does not set TOS, then network prefers the attack traffic, greatly compounding damage
• What if network charges for TOS traffic …
  – … and attacker spoofs the victim's source address? (denial-of-money)
• In general, in today's network TOS does not work
  – Due to very hard problems with billing
  – TOS has now been redefined for Differential Service
    o Discussed later in course

Slide 6: IP Packet Structure
[Figure: IPv4 header layout, same diagram as slide 4]

Slide 7: Security Implications of Fragmentation?
• Allows evasion of network monitoring/enforcement
• E.g., split an attack across multiple fragments
  – Packet inspection won't match a "signature"
• E.g., split TCP header across multiple fragments
  – Firewall can't tell anything about connection associated with traffic
• Both of these can be addressed by monitor remembering previous fragments
  – But that costs state
[Figure: two fragments, "Nasty-at" at Offset=0 and "tack-bytes" at Offset=8]

Slide 8: Fragmentation Attacks, con't
• What if 2 overlapping fragments are inconsistent?
• How does network monitor know whether receiver sees USERNAME NICE or USERNAME EVIL?
[Figure: fragments "USERNAME" at Offset=0, "NICE" at Offset=8, "EVIL" at Offset=8]

Slide 9: Fragmentation Attacks, con't
• What if fragments exceed IP datagram limit?
  – Maximum size of 13-bit field: 0x1FFF = 8191
    Byte offset into final datagram = 8191*8 = 65528
    Length of final datagram = 65528 + 9 = 65537
• Result: kernel crash
  – Denial-of-service using just a few packets
  – Fixed in modern OS's
[Figure: fragment "Nine Bytes" at Offset=65528]

Slide 10: Fragmentation Attacks, con't
• What happens if attacker doesn't send all of the fragments in a datagram?
• Receiver (or firewall) winds up holding the ones they receive for a long time
  – State-holding attack

Slide 11: IP Packet Structure
[Figure: IPv4 header layout, same diagram as slide 4]

Slide 12: Security Implications of TTL? (8 bits)
• Allows discovery of topology (à la traceroute)
• Can provide a hint that a packet is spoofed
  – It arrives at a router w/ a TTL different than packets from that address usually do
    o Because path from attacker to router has different # hops
  – Though this is brittle in the presence of routing changes
• Initial value that's picked is somewhat distinctive to sender's operating system. This plus other such initializations allow OS fingerprinting …
  – Which in turn can allow attacker to infer its likely vulnerabilities

Slide 13: Security Implications of Remainder?
• No apparent problems with protocol field (8 bits)
  – It's just a demux'ing handle
  – If value set incorrectly, next higher layer will find packet ill-formed
• Similarly, bad IP checksum field (16 bits) will very quickly cause packet to be discarded by the network

Slide 14: IP Addressing

Slide 15: Designing IP's Addresses
• Question #1: what should an address be associated with?
  – E.g., a telephone number is associated not with a person but with a handset
• Question #2: what structure should addresses have? What are the implications of different types of structure?
• Question #3: who determines the particular addresses used in the global Internet? What are the implications of how this is done?

Slide 16: IP Addresses (IPv4)
• A unique 32-bit number
• Identifies an interface (on a host, on a router, …)
• Represented in dotted-quad notation. E.g., 12.34.158.5:
    00001100 00100010 10011110 00000101
       12       34      158       5

Slide 17: Grouping Related Hosts
• The Internet is an "inter-network"
  – Used to connect networks together, not hosts
  – Needs a way to address a network (i.e., group of hosts)
[Figure: hosts on LAN 1 and LAN 2, joined by routers across WANs; LAN = Local Area Network, WAN = Wide Area Network]

Slide 18: Scalability Challenge
• Suppose hosts had arbitrary addresses
  – Then every router would need a lot of information
  – … to know how to direct packets toward the host
[Figure: same LAN/WAN topology; LAN 1 hosts 1.2.3.4, 5.6.7.8, 2.4.6.8 and LAN 2 hosts 1.2.3.5, 5.6.7.9, 2.4.6.9, with a router forwarding table listing 1.2.3.4, 1.2.3.5, … as separate entries]

Slide 19: Hierarchical Addressing in U.S. Mail
• Addressing in the U.S. mail
  – Zip code: 94704
  – Street: Center Street
  – Building on street: 1947
  – Location in building: Suite 600
  – Name of occupant: Vern Paxson
• Forwarding the U.S. mail
  – Deliver letter to the post office in the zip code
  – Assign letter to mailman covering the street
  – Drop letter into mailbox for the building/room
  – Give letter to the appropriate person???

Slide 20: Hierarchical Addressing: IP Prefixes
• Divided into network & host portions (left and right)
• 12.34.158.0/23 is a 23-bit prefix with 2^9 addresses
  – Terminology: "Slash 23"
    00001100 00100010 1001111|0 00000101
    |----- Network (23 bits) -----|--- Host (9 bits) ---|
       12       34      158       5

Slide 21: IP Address
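The following is an added example, not from the slides or the course: it pulls the fields of the header diagram (slides 4, 6, 11) out of a raw packet, verifies the header checksum (slide 13), and then runs the monitor-side checks that slides 8 to 10 motivate, namely inconsistent overlapping fragments, a reassembled length beyond the 65535-byte limit, and a datagram that never completes. Packets are constructed locally by `build_fragment` (a hypothetical helper, addresses 10.0.0.1/10.0.0.2 are made up), and headers are assumed to carry no IP options.

```python
import struct

HDR = struct.Struct("!BBHHHBBH4s4s")   # the fixed 20-byte header from the slide diagram

def header_checksum(hdr):
    """RFC 791 one's-complement sum of 16-bit words; verifies to 0 over a good header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt):
    """Pull the diagram's fields out of a raw packet (assumes no IP options)."""
    vihl, tos, tlen, ident, ffo, ttl, proto, _, src, dst = HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    return {"version": vihl >> 4, "tos": tos, "id": ident, "ttl": ttl, "proto": proto,
            "mf": bool(ffo & 0x2000), "frag_off": (ffo & 0x1FFF) * 8,
            "checksum_ok": header_checksum(pkt[:ihl]) == 0,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:tlen]}

def build_fragment(ident, off8, mf, payload):
    """Constructed sample fragment (not from the slides); off8 is in 8-byte units."""
    hdr = bytearray(HDR.pack(0x45, 0, 20 + len(payload), ident, (0x2000 if mf else 0) | off8,
                             64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    hdr[10:12] = struct.pack("!H", header_checksum(bytes(hdr)))   # fill checksum field
    return bytes(hdr) + payload

def check_fragments(frags):
    """Monitor-side checks for one datagram's fragments: the three problems from
    slides 8-10. Returns a sorted list of findings; [] means reassembly looks benign."""
    findings, seen, total_len = set(), {}, None
    for p in frags:
        h = parse_ipv4(p)
        if not h["checksum_ok"]:
            findings.add("bad checksum")
        end = h["frag_off"] + len(h["payload"])
        if end > 65535:                     # 65528 + 9 = 65537 > 64 KiB datagram limit
            findings.add("oversize datagram")
        for i, b in enumerate(h["payload"]):
            pos = h["frag_off"] + i
            if seen.get(pos, b) != b:       # overlapping bytes that disagree
                findings.add("conflicting overlap")
            seen[pos] = b
        if not h["mf"]:
            total_len = end
    if total_len is None or any(i not in seen for i in range(min(total_len, 65535))):
        findings.add("incomplete")          # monitor would have to hold this state
    return sorted(findings)
```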
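Added example for slides 16 and 20 (not part of the lecture material): the dotted-quad and prefix arithmetic done explicitly, including the network/host split of 12.34.158.5 under /23, the 2^9 = 512 address count, membership tests, and, going one step beyond the slides, the aggregation of several addresses into the smallest single prefix that covers them. Function names are my own.

```python
def to_int(dotted):
    """12.34.158.5 -> 32-bit integer (dotted-quad notation, slide 16)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted quad: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_bits(n):
    """Binary form as written on the slides: four groups of eight bits."""
    return " ".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def parse_prefix(cidr):
    """'12.34.158.0/23' -> (network as int, prefix length); host bits must be zero."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    net = to_int(addr)
    if net & ~mask & 0xFFFFFFFF:
        raise ValueError("host bits set in %s" % cidr)
    return net, plen

def split(addr, plen):
    """(network part, host part) of an address: the left/right division of slide 20."""
    n = to_int(addr)
    host_bits = 32 - plen
    return n >> host_bits, n & ((1 << host_bits) - 1)

def contains(cidr, addr):
    net, plen = parse_prefix(cidr)
    return split(addr, plen)[0] == net >> (32 - plen)

def size(cidr):
    """Number of addresses in the block: 2^(32 - prefix length), so a /23 holds 2^9."""
    return 1 << (32 - parse_prefix(cidr)[1])

def aggregate(addrs):
    """Smallest single prefix covering every address (the aggregation idea of slide 3):
    shorten the prefix until all addresses share the same network part."""
    ints = [to_int(a) for a in addrs]
    plen = 32
    while plen > 0 and len({n >> (32 - plen) for n in ints}) > 1:
        plen -= 1
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return "%s/%d" % (to_dotted(ints[0] & mask), plen)
```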