
Internet Protocol (IP)

Pages: 6      File type: pdf      Size: 29.96 KB      Views: 7      Downloads: 0

Document information:

In many ways, IP is the network. IP is a connectionless protocol that provides for the delivery of data to logically addressed hosts anywhere on the network
Content extracted from the document:
Internet Protocol (IP)

In many ways, IP is the network. IP is a connectionless protocol that provides for the delivery of data to logically addressed hosts anywhere on the network. It is important to understand that IP is an unreliable delivery mechanism by design, leaving the responsibility of reliable delivery to higher- or lower-layer protocols such as TCP or IEEE 802.2 and 802.3. As far as IP is concerned, the data that is transmitted may be delivered, lost, sent out of order, duplicated, delayed, or otherwise mangled; it could not care less what the ultimate result is.

When we say that IP is connectionless, we mean that each packet that is transmitted is done so independent of every other packet. Consequently, packets that are transmitted may take different paths through the network and be lost or delayed, whereas other packets are successfully transmitted.

Although this concept of best-effort delivery may sound terribly unreliable, keep in mind that other protocols are designed that handle reliability, thus precluding the need for IP to handle such things. In addition, data is generally delivered successfully, and true unreliability of data delivery is typically the result of an underlying network or communications failure that IP would not be able to fix anyway (remember, each layer operates independent of each other, and a failure at the physical layer can only be fixed at the physical layer, not the network layer).

Note
IP is defined by the following RFCs:
• RFC 0791
• RFC 2474
• RFC 3168
• RFC 3260

IP Packet Structure

An IP packet (sometimes referred to as a datagram) has a distinct and defined structure. In simple form, an IP packet is the IP packet data (which is nothing more than the segment that was passed down from the session layer) and the IP packet header, as shown in Figure 3-5.

Figure 3-5. Simple IP Packet Structure

The IP packet header is typically 20 bytes in length (unless IP options are used, in which case the length may be variable up to a maximum length of 60 bytes) and contains the information that allows systems to determine how to process the corresponding IP packet data. The IP packet data is a variable length, ranging from 1 to 65515 bytes in length in most cases. Obviously, if the header is larger than 20 bytes, the IP packet data maximum size will be reduced accordingly. This provides for a minimum IP packet size of 21 bytes (20-byte header, 1-byte data) and a maximum IP packet size of 65535 bytes (20-byte header, 65515-byte data).

The IP Packet Header

The IP packet header is what tells an IP-based host what to do with the packet that was received. Think of it as an instruction manual that contains the "how to process this packet" information. Therefore, an attacker wanting to generate malicious traffic will frequently modify the IP packet header in such a way as to instruct the receiving host to do something harmful with the packet, or to instruct the host to do something it is not capable of doing in hopes that it causes the host to generate an error condition that may allow the attacker to gain access to the system. Because of this, it is not good enough to understand that there is an IP header. As a firewall administrator, we need to understand what the contents of the IP header are and what the values represent so that we can identify and block potentially malicious traffic.

The IP packet header consists of 32-bit blocks of data known as words. These words are further broken down into numerous fields of various length and function. As mentioned previously, the typical IP packet header length is 20 bytes, which means that a typical IP packet header consists of 5 words. If any IP options have been configured, the packet header will contain the options values, and then the necessary padding to ensure that the header ends on a 32-bit boundary. Figure 3-6 depicts the structure of an IP packet header.

Figure 3-6. IP Packet Header Structure

The fields of the IP packet header and their meanings are as follows:
• Version (VERS, 4 bits) This represents the format of the packet header. In most cases, the value is 4, which represents IP version 4; or 6, which represents IPv6. If the value is 0, the packet should be destroyed; and in most cases, any value other than 4 or 6 is going to be considered invalid.
• Internet Header Length (IHL, 4 bits) This field represents the length of the header in 32-bit words, typically with a value of 5. If IP options are included in the header, the value will be between 6 and 15. Any values less than 5 are invalid.
• Differentiated Services field (DS field, 6 bits) This field was originally known as the Type of Service field, but RFC 2474 replaced this functionality with what is known as the DS field. The DS field is used to provide scalable service discrimination and guarantee quality of service (QoS) for the datagram transmission. The DS code point (DSCP) is the value that is encoded in the DS field to define the QoS and per-hop behavior (PHB) for a given datagram. In general, the DS field should have a DSCP value of all 0s unless QoS or a PHB class has been implemented for the data; in fact, the default DSCP value and PHB class for Internet communications is 000000. Note: For more information about PHB codes and usage, refer to RFC 2597, RFC 3260, RFC 3246, RFC 3140, RFC 3247, and RFC 3248.
• Explicit Congestion Notification (ECN, 2 bits) This field is used to provide a congestion indication for incipient congestion through the use of ECN code points. If both bits are set to a value of 1, it indicates that congestion has been experienced.
• Total Len ...
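The following is an added example, not code from the book excerpt above. It builds a constructed IPv4 header (made-up addresses, identification and TTL values, not a real capture), then decodes the first words the text describes (Version, IHL, DS/DSCP, ECN, Total Length) and applies the sanity rules the text gives: version must be 4, IHL must be at least 5, options are padded to a 32-bit boundary, and the header cannot be longer than 60 bytes. It also verifies the RFC 791 header checksum, which the excerpt does not reach. The check function returns the reason a header is invalid, which is what a filtering device would log.

```python
import struct
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement
    sum of all 16-bit words. Over a correctly checksummed header the
    result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp=0, ecn=0, payload_len=0, options=b"", ttl=64,
                      proto=17, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Construct a valid IPv4 header. All values are sample values chosen
    for illustration. Options are padded to a 32-bit boundary, so IHL is
    5 + (option words), as the text describes."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    total_length = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl,          # Version=4, IHL
                        (dscp << 2) | ecn,       # DS field (6 bits) + ECN (2 bits)
                        total_length,
                        0x1234,                  # Identification (constructed)
                        0x4000,                  # Flags: DF set, fragment offset 0
                        ttl, proto,
                        0,                       # checksum placeholder
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    header = fixed + options
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header words and apply the validity rules from the text.
    Raises ValueError for anything a firewall should reject."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not 4")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} < 5: header cannot be shorter than 20 bytes")
    header_len = ihl * 4                        # 20..60 bytes
    if len(packet) < header_len:
        raise ValueError("packet truncated inside the header")
    total_length = struct.unpack("!H", packet[2:4])[0]
    if total_length < header_len or total_length > len(packet):
        raise ValueError(f"total length {total_length} inconsistent with header/packet size")
    header = packet[:header_len]
    if ipv4_checksum(header) != 0:
        raise ValueError("header checksum mismatch")
    ds_byte = packet[1]
    return {
        "version": version,
        "ihl": ihl,
        "header_len": header_len,
        "dscp": ds_byte >> 2,                   # upper 6 bits of the old ToS byte
        "ecn": ds_byte & 0x03,                  # lower 2 bits; 0b11 = congestion experienced
        "total_length": total_length,
        "ttl": packet[8],
        "protocol": packet[9],
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
        "options": header[20:],                 # option bytes including padding
    }


def check_packet(packet: bytes) -> str:
    """Return 'ok' or the reason the header is invalid."""
    try:
        parse_ipv4_header(packet)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    pkt = build_ipv4_header(dscp=46, ecn=0, payload_len=4) + b"\xde\xad\xbe\xef"
    print(parse_ipv4_header(pkt))
    # Same packet with the Version nibble zeroed: the text says such a packet is destroyed.
    print(check_packet(bytes([0x05]) + pkt[1:]))
```

A default-DSCP packet shows 0 for both DS-derived fields; the constructed packet above deliberately carries DSCP 46 so the shift and mask are visible in the output. Flipping any header byte after the checksum has been set makes the checksum test fail, which is the simplest way to confirm the verification path.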
