
Document: Lecture-03-overview security


Description:

Slide 1: Important Concepts in Computer Networking
Dr. Nguyen Tuan Nam, WNC 2010

Slide 2: Sequence number (SEQ)
•  Used in many protocols
•  Stamped in the header of the packet
•  Purpose
  –  To distinguish between 2 packets from the same host (it works like an ID number; the original slide says "ID, CMND", CMND being the Vietnamese national ID card)
  –  To put packets in the correct order
•  Example?

Slide 3: TCP - Connection Establishment
•  Client-Server
•  3-way handshake
  Client → Server: Connection Request (SYN=1; SEQ=client_seq)
  Server → Client: Connection Granted (SYN=1; SEQ=server_seq; ACK=client_seq+1)
  Client → Server: ACK (SYN=0; SEQ=client_seq+1; ACK=server_seq+1)
•  How many packets are needed to set up the connection?
•  SYN attack
  –  Half-open connection
•  How to prevent a SYN attack?

Slide 4: TCP - Data Sending
•  ACK for reliability
•  ACK can be piggybacked: the segment carrying ACK=80 may also contain data
  Client → Server: Data [SYN=0; SEQ=70; 10 bytes of data]
  Server → Client: ACK=80
  Client → Server: Data [SYN=0; SEQ=80; 20 bytes of data]
  Server → Client: ACK=100

Slide 5: TCP - Data Sending
•  ACK missing
  Client → Server: Data [SYN=0; SEQ=70; 10 bytes of data]
  Server → Client: ACK=80 (lost)
  Client: timeout
  Client → Server: Data [SYN=0; SEQ=70; 10 bytes of data] (retransmission)
  Server → Client: ACK=80

Slide 6: TCP - Cumulative ACK
•  ACK the last in-order byte of data (the ACK number is the next byte the receiver expects)
  Client → Server: SEQ=70; 10 bytes of data
  Client → Server: SEQ=80; 20 bytes of data
  Server → Client: ACK=80
  Server → Client: ACK=100
  Client → Server: SEQ=100; 10 bytes of data
  Server → Client: ACK=110

Slide 7: TCP - Cumulative ACK
•  Duplicate ACK?
•  Fast retransmit
  –  3 duplicate ACKs
  –  Retransmit before timeout
  –  Why not 2?
  –  Cheating?
  Client → Server: SEQ=70; 10 bytes of data
  Client → Server: SEQ=80; 20 bytes of data (lost)
  Client → Server: SEQ=100; 20 bytes of data
  Server → Client: ACK=80
  Server → Client: ACK=80 (duplicate)

Slide 8: TCP - Closing
•  Either side can end the connection
•  Full-duplex (each direction is closed separately)
  Client → Server: FIN
  Server → Client: ACK
  Server → Client: FIN
  Client → Server: ACK

Slide 9: IP - Fragment
•  IP max size = 64 KB
•  Breaking up a single IP packet into 2 or more IP packets of smaller size
  –  The transmission medium has a limit on the maximum size of a frame (MTU). Why?
  –  Possible to avoid fragmentation? (size < 536 bytes → packet size ~512 to 536 bytes)
•  Where can it be fragmented?
  –  Source
  –  Intermediate router
•  Where can fragments be reassembled? Why?
Slide 10: Example of IP Fragment
•  Datagram carrying 3980 bytes of data
•  MTU = 1500 bytes
•  SEQ (ID) = 245

  Fragment   Data size    SEQ (ID)   Offset   Flag
  1st        1480 bytes   245        0        1 (more fragments)
  2nd        1480 bytes   245        1480     1 (more fragments)
  3rd        1020 bytes   245        2960     0 (no more)

Slide 11: IP - Fragment (cont.)
•  Fragmentation bit: can be set to allow/not allow fragmentation
•  If the bit is set to "Don't fragment" and packet size > MTU, what happens?
•  Will all fragments go through the same path?
•  Will all fragments arrive at the destination in the correct order?
•  How to determine the size of the original IP packet?
•  Multiple fragmentations if the packet goes through multiple links with different MTUs

Slide 12: Issues with IP Fragmentation
•  CPU & memory overhead
  –  Sender
  –  Receiver
•  Fragment lost
  –  NFS datagram ~8500 bytes
  –  Ethernet MTU ~1500 bytes
  –  If the link drops one in six packets → what are the odds that the NFS data can be transferred over this link?
•  Firewall
  –  Layer 4 or up
  –  Non-initial fragment

Slide 13: Avoiding IP Fragmentation
•  TCP - MSS (Maximum Segment Size):
  –  Between 2 end hosts
  –  Packets still can be fragmented?
  Path in the figure: Client - Router R1 - Router R2 - Server
•  PMTUD:
  –  ICMP "Destination Unreachable"
  –  Supported by TCP only (TCP can shrink its segment size when the ICMP error arrives; UDP applications must handle it themselves)
  –  ICMP may get dropped by routers/firewalls

Slides 14-17: Big Picture (FTP example)
Figure (text recovered from the four diagrams): the client needs to send a 1 KB image file to the server.
•  Client: the file is split into two 512-byte chunks; each chunk gets a TCP header, then an IP header, then a MAC header for the next hop, router R1.
•  Router R1: removes the MAC header, keeps [IP header | TCP header | 512 bytes] and adds a new MAC header for the next hop, router R2.
•  Router R2: the same again, with a MAC header for the server.
•  Server: removes the MAC, IP and TCP headers and puts the two 512-byte chunks back together into the 1 KB file.

Slide 18: Quiz
•  If at the data link layer the MTU = 512 bytes
  –  Should the FTP application use an FTP packet size of 512 bytes?

Slide 19: Path MTU Discovery (IP)
•  Path MTU = the smallest MTU of any of the IP hops on the path between a source and a destination
•  How does it work?
  –  Set the DF bit in the IP header to "Don't fragment"
  –  Wait for the ICMP error message (Datagram too big)
  –  Reduce the IP packet size and repeat
  –  Trial-and-error

Slide 20: Comparison between Client-Server and Peer-to-Peer models
•  Maintenance
•  Security
•  Updating data
•  Traffic/bandwidth
•  Robustness (single point of failure)
•  Copyrighted materials control
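Added worked example for slide 3 (this is not part of the lecture): the three-way handshake with the SEQ/ACK arithmetic from the slide, a SYN flood that fills a classic half-open queue so an honest client is turned away, and SYN cookies as the prevention the slide asks about. Everything runs in-process with no sockets; the backlog size, addresses, the cookie secret and the simplified HMAC-based cookie are assumptions made for the demo (real SYN cookies also encode a timestamp and an MSS code in the ISN).

```python
"""TCP 3-way handshake: half-open (SYN) queue versus SYN cookies.

Constructed in-process simulation, no real network. Segment fields mirror
the slide (SYN flag, SEQ, ACK). Backlog size, addresses and the secret are
made-up values for the demo.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF  # SEQ and ACK are 32-bit counters


@dataclass
class Segment:
    src: tuple          # (ip, port) of the sender
    dst: tuple          # (ip, port) of the receiver
    syn: bool
    ack_flag: bool
    seq: int
    ack: int = 0


@dataclass
class Server:
    addr: tuple
    backlog: int = 4                 # half-open queue size (tiny, so exhaustion is visible)
    use_cookies: bool = False
    secret: bytes = b"demo-secret"   # assumption: per-server secret, rotated in real stacks
    half_open: dict = field(default_factory=dict)   # client -> server_seq while awaiting ACK
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def cookie(self, client):
        """SYN-cookie style ISN derived from the connection tuple, so nothing has
        to be stored per half-open connection (simplified: no timestamp/MSS bits)."""
        msg = repr((client, self.addr)).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, seg):
        """Step 2: answer SYN with SYN+ACK, or drop the SYN if the queue is full."""
        if self.use_cookies:
            server_seq = self.cookie(seg.src)
        else:
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1          # the classic SYN-flood effect
                return None
            server_seq = random.getrandbits(32)
            self.half_open[seg.src] = server_seq
        return Segment(self.addr, seg.src, syn=True, ack_flag=True,
                       seq=server_seq, ack=(seg.seq + 1) & MASK32)

    def on_ack(self, seg):
        """Step 3: the ACK must carry server_seq + 1, recomputed from the cookie
        or looked up in the half-open table."""
        expected = self.cookie(seg.src) if self.use_cookies else self.half_open.get(seg.src)
        if expected is None or seg.ack != (expected + 1) & MASK32:
            return False
        self.half_open.pop(seg.src, None)
        self.established.add(seg.src)
        return True


def client_handshake(server, client):
    """All three packets from an honest client; True if the connection is established."""
    client_seq = random.getrandbits(32)
    synack = server.on_syn(Segment(client, server.addr, syn=True, ack_flag=False, seq=client_seq))
    if synack is None or synack.ack != (client_seq + 1) & MASK32:
        return False
    ack = Segment(client, server.addr, syn=False, ack_flag=True,
                  seq=(client_seq + 1) & MASK32, ack=(synack.seq + 1) & MASK32)
    return server.on_ack(ack)


def syn_flood(server, count):
    """Attacker sends SYNs from spoofed sources (constructed addresses) and never sends step 3."""
    for i in range(count):
        spoofed = ("203.0.113.%d" % (i % 254 + 1), 40000 + i)
        server.on_syn(Segment(spoofed, server.addr, syn=True, ack_flag=False, seq=i))


def legit_client_after_flood(use_cookies, flood_size=100):
    """Can an honest client still connect after the flood? Returns
    (connected, half-open entries held, SYNs dropped)."""
    srv = Server(addr=("192.0.2.10", 80), use_cookies=use_cookies)
    syn_flood(srv, flood_size)
    ok = client_handshake(srv, ("198.51.100.7", 51515))
    return ok, len(srv.half_open), srv.dropped_syns


if __name__ == "__main__":
    print("classic backlog:", legit_client_after_flood(False))
    print("SYN cookies:   ", legit_client_after_flood(True))
```

With the classic queue the flood leaves four half-open entries and every later SYN, including the honest one, is dropped; with cookies the server keeps no state for step 2, so the flood costs it nothing and a forged step-3 ACK is rejected because the attacker cannot compute the cookie.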
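Added worked example for slides 6 and 7 (not part of the lecture): a receiver that produces cumulative ACKs and a sender that fast-retransmits on the third duplicate ACK, run over the segments from the slide (SEQ=70/10 bytes, SEQ=80/20 bytes, SEQ=100/20 bytes) plus two constructed extra segments so that three duplicates can occur. No sockets are involved; the segment list and the loss/reorder scenarios are constructed inputs.

```python
"""Cumulative ACK, duplicate ACKs and fast retransmit, simulated in-process.

Constructed example: the first three segments are the slide's, the last two
are added so that a single loss can produce three duplicate ACKs.
"""

DUP_ACK_THRESHOLD = 3   # fast retransmit fires on the 3rd duplicate ACK

SEGMENTS = [(70, 10), (80, 20), (100, 20), (120, 20), (140, 20)]   # (seq, length)


class Receiver:
    def __init__(self, first_seq):
        self.next_expected = first_seq   # the cumulative ACK value
        self.buffered = {}               # out-of-order segments: seq -> length

    def deliver(self, seq, length):
        """Accept one segment and return the ACK: the next in-order byte wanted."""
        if seq == self.next_expected:
            self.next_expected += length
            # buffered segments that are now contiguous get acknowledged at once
            while self.next_expected in self.buffered:
                self.next_expected += self.buffered.pop(self.next_expected)
        elif seq > self.next_expected:
            self.buffered[seq] = length      # gap: the ACK does not advance (duplicate ACK)
        # seq < next_expected: already received, the same ACK is simply repeated
        return self.next_expected


class Sender:
    def __init__(self, segments):
        self.segments = dict(segments)   # seq -> length
        self.last_ack = None
        self.dup_acks = 0
        self.retransmitted = []

    def on_ack(self, ack):
        """Return the segment to retransmit immediately, or None."""
        if ack == self.last_ack:
            self.dup_acks += 1
            if self.dup_acks == DUP_ACK_THRESHOLD and ack in self.segments:
                self.retransmitted.append((ack, self.segments[ack]))
                return (ack, self.segments[ack])
        else:
            self.last_ack, self.dup_acks = ack, 0
        return None


def run(segments=SEGMENTS, lost=(), order=None):
    """Send each segment once, dropping the first transmission of the seqs in
    `lost`, optionally in a reordered `order` of seqs. Returns (ACKs seen by
    the sender, segments fast-retransmitted)."""
    lengths = dict(segments)
    rx = Receiver(segments[0][0])
    tx = Sender(segments)
    lost = set(lost)
    acks = []
    for seq in (order or [s for s, _ in segments]):
        if seq in lost:
            lost.discard(seq)               # lost on the wire, first transmission only
            continue
        ack = rx.deliver(seq, lengths[seq])
        acks.append(ack)
        retrans = tx.on_ack(ack)
        if retrans is not None:
            ack = rx.deliver(*retrans)      # retransmission fills the hole
            acks.append(ack)
            tx.on_ack(ack)
    return acks, tx.retransmitted


if __name__ == "__main__":
    print("slide 7 as drawn   :", run(SEGMENTS[:3], lost={80}))
    print("loss of SEQ=80     :", run(lost={80}))
    print("SEQ=100 before 80  :", run(order=[70, 100, 80, 120, 140]))
```

The first run reproduces the slide exactly: after SEQ=80 is lost the receiver answers SEQ=100 with a second ACK=80 and nothing else happens. With two more segments the third duplicate triggers the retransmission of SEQ=80 and a single ACK=160 covers everything buffered, which is the cumulative part. The reorder run answers "why not 2?": one swapped pair of segments already produces one duplicate ACK, so a threshold of 1 or 2 would retransmit data that was never lost. On "cheating?": the receiver alone controls the ACK stream, so a misbehaving receiver can repeat ACKs on purpose and force the sender to retransmit; the sender cannot distinguish that from real loss.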
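Added worked example for slides 9 to 12 and the quiz on slide 18 (not part of the lecture): fragmenting the 3980-byte datagram from slide 10 at MTU 1500, reassembling the fragments in any order, recovering the original size from the last fragment, the firewall problem with non-initial fragments, the NFS loss odds from slide 12, and the 512-byte MTU quiz. No packets are built or sent; fragments are tuples, and the minimum IP and TCP header sizes (20 bytes each, no options) are assumed.

```python
"""IP fragmentation and reassembly as on the slides, plus the numeric questions.

Constructed, in-process example: fragments are (id, byte offset, data length,
more-fragments) tuples. Header sizes assume no IP or TCP options.
"""
IP_HDR = 20
TCP_HDR = 20


def fragment(ident, payload_len, mtu):
    """Split a datagram carrying payload_len bytes after the IP header so that
    every fragment fits in mtu. All fragments except the last carry a multiple
    of 8 data bytes because the 13-bit Fragment Offset field counts 8-byte units."""
    if IP_HDR + payload_len <= mtu:
        return [(ident, 0, payload_len, False)]      # fits: no fragmentation at all
    max_data = (mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        data_len = min(max_data, payload_len - offset)
        more = offset + data_len < payload_len
        frags.append((ident, offset, data_len, more))
        offset += data_len
    return frags


def offset_field(offset_bytes):
    """Value actually stored in the IP header for a byte offset (slide 10 shows bytes)."""
    assert offset_bytes % 8 == 0
    return offset_bytes // 8


def carries_l4_header(frag):
    """Only the first fragment contains the TCP/UDP header; a firewall filtering on
    layer 4 fields sees nothing usable in a non-initial fragment."""
    return frag[1] == 0


def reassemble(frags):
    """Group fragments by ID regardless of arrival order. Returns {id: original
    payload length}, or {id: None} while a fragment is missing. The original size
    is only known once the last fragment (MF=0) arrives: its offset + its length."""
    result = {}
    for ident in sorted({f[0] for f in frags}):
        parts = sorted({(off, ln, more) for i, off, ln, more in frags if i == ident})
        expected, total = 0, None
        for off, ln, more in parts:
            if off != expected:
                break                       # hole in the data
            expected += ln
            if not more:
                total = expected
        result[ident] = total if total is not None and expected == total else None
    return result


def delivery_probability(payload_len, mtu, drop_rate):
    """Probability that a datagram gets through when every fragment must arrive."""
    n_frags = len(fragment(0, payload_len, mtu))
    return (1 - drop_rate) ** n_frags


def max_app_payload(mtu):
    """Largest application chunk per TCP segment that avoids IP fragmentation."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for f in fragment(245, 3980, 1500):
        print(f, "offset field =", offset_field(f[1]))
    print("NFS 8500 bytes over 1500 MTU, 1/6 loss:", delivery_probability(8500, 1500, 1 / 6))
    print("largest FTP chunk for MTU 512:", max_app_payload(512))
```

The three fragments come out exactly as in the slide's table (1480, 1480 and 1020 data bytes at offsets 0, 1480 and 2960), with 0, 185 and 370 as the values the header really carries. An 8500-byte NFS datagram becomes six fragments, so with one packet in six dropped only (5/6)^6, about 33 %, of the datagrams survive. For the quiz: 512 bytes of FTP data plus 20 bytes of TCP and 20 bytes of IP header is 552 bytes, which is fragmented at an MTU of 512, while 472-byte chunks fit exactly.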
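Added worked example for slides 13 and 19 (not part of the lecture): path MTU discovery by trial and error over a constructed Client - R1 - R2 - Server path, with the DF bit, the ICMP "Destination Unreachable / fragmentation needed" reply, and the failure mode the slide warns about, a firewall that drops that ICMP so the sender hears nothing. Hop MTUs are made-up values; the fallback size list is a subset of the plateau table from RFC 1191, and the "probe on silence" behaviour stands in for packetization-layer PMTUD (RFC 4821) in simplified form.

```python
"""Path MTU discovery (DF bit + ICMP too-big) and the ICMP black-hole failure mode.

Constructed simulation: hops are objects with an MTU, nothing leaves the
process. Sizes are total IP packet sizes in bytes.
"""
from dataclasses import dataclass

# Subset of the RFC 1191 plateau table: sizes to fall back to when the ICMP
# error carries no next-hop MTU, or when no error arrives at all.
PLATEAUS = [1500, 1492, 1006, 576, 296, 68]


@dataclass
class Hop:
    name: str
    mtu: int
    reports_mtu: bool = True     # False: old router, ICMP error without next-hop MTU field
    filters_icmp: bool = False   # True: the ICMP error never reaches the sender


def send_df(path, size):
    """Forward a packet with DF=1 hop by hop. Returns "delivered",
    ("too_big", next_hop_mtu_or_None) when an ICMP error comes back, or
    "silence" when the packet was dropped and the ICMP was filtered."""
    for hop in path:
        if size > hop.mtu:
            if hop.filters_icmp:
                return "silence"
            return ("too_big", hop.mtu if hop.reports_mtu else None)
    return "delivered"


def next_smaller_plateau(size):
    for plateau in PLATEAUS:
        if plateau < size:
            return plateau
    return None


def pmtud(path, start_size, probe_on_silence=False, max_probes=12):
    """Slide 19's loop: send with DF, wait for the ICMP error, reduce, repeat.
    Returns the discovered path MTU or None. With probe_on_silence=True the
    sender treats silence as 'too big' and steps down the plateau table itself."""
    size = start_size
    for _ in range(max_probes):
        result = send_df(path, size)
        if result == "delivered":
            return size
        if result == "silence":
            if not probe_on_silence:
                return None                   # black hole: no feedback at all
            size = next_smaller_plateau(size)
        else:
            _, reported = result
            size = reported if reported else next_smaller_plateau(size)
        if size is None:
            return None
    return None


def discover(r2_mtu=1400, reports_mtu=True, filters_icmp=False, probe_on_silence=False):
    """Client - R1 - R2 - Server with R2 as the narrow hop (constructed values)."""
    path = [Hop("R1", 1500), Hop("R2", r2_mtu, reports_mtu, filters_icmp), Hop("server", 1500)]
    return pmtud(path, 1500, probe_on_silence)


if __name__ == "__main__":
    print("ICMP with next-hop MTU :", discover())
    print("ICMP without MTU field :", discover(reports_mtu=False))
    print("ICMP filtered          :", discover(filters_icmp=True))
    print("ICMP filtered, probing :", discover(filters_icmp=True, probe_on_silence=True))
```

When R2 reports its MTU the sender lands on 1400 after one error; without the MTU field it has to walk the plateau table and settles for 1006, which is why the slide calls it trial-and-error. With the ICMP filtered, plain PMTUD never finishes: large DF packets vanish and small ones get through, a connection that hangs only for big transfers. Probing on silence recovers, at the cost of a coarser answer, and the TCP MSS for the connection is then the discovered path MTU minus the 40 bytes of IP and TCP headers.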