Docstoc

EE 122_ Computer Networks

Document Sample
EE 122_ Computer Networks Powered By Docstoc
					                    IP Addressing
        EE 122: Intro to Communication Networks
                Fall 2010 (MW 4-5:30 in 101 Barker)
                             Scott Shenker
TAs: Sameer Agarwal, Sara Alspaugh, Igor Ganichev, Prayag Narula
                  http://inst.eecs.berkeley.edu/~ee122/
    Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson
           and other colleagues at Princeton and UC Berkeley
                                                                         1
Goals of Today’s Lecture

• IP addressing


• Address allocation


• Brief security analysis of IP’s header design
  – Leftover from last lecture, will cover if have time




                                                          2
IP Addressing




                3
Designing IP’s Addresses
• Question #1: what should an address be
  associated with?
  – E.g., a telephone number is associated not with a person
    but with a handset

• Question #2: what structure should addresses
  have? What are the implications of different types
  of structure?
• Question #3: who determines the particular
  addresses used in the global Internet? What are
  the implications of how this is done?

                                                           4
IP Addresses (IPv4)
• A unique 32-bit number
• Identifies an interface (on a host, on a router, …)
• Represented in dotted-quad notation. E.g,
  12.34.158.5:
      12           34          158          5



  00001100 00100010 10011110 00000101

                                                        5
Examples
• What address is this?    80.19.240.51

 01010000 00010011 11110000 00110011

• How would you represent 68.115.183.7

  1000100    1110011      10110111 00000111




                                              6
What Are Addresses Used For?

• Network uses addresses to figure out where to
  forward packets


• Routers are the network devices that forward
  packets based on IP addresses


• What do “switches” do?
  – Route on Layer-2 addresses (e.g., MAC addresses)
                                                       7
Routers
• Router consists of
  – Set of input interfaces where packets arrive
  – Set of output interfaces from which packets depart
  – Some form of interconnect connecting inputs to outputs
• Router implements
  – Forward packet to corresponding output interface
  – Manage bandwidth and buffer space resources

    host     host ...   host                    host       host ...   host


     LAN 1                                                      LAN 2
                  router             router            router
                               WAN            WAN



   Router
                                                                             8
Forwarding Table

• Store mapping between IP addresses and output interfaces
   – Forward incoming packets based on destination address

                         1.2.3.5         1
                         1.2.3.6         3
                         1.2.3.4         2
                                   … …



          1.2.3.4                   1

          1.2.3.5                   2




                                                        9
Scalability Challenge
• Suppose hosts had arbitrary addresses
  – Then every router would need a lot of information
  – …to know how to direct packets toward the host

1.2.3.4     5.6.7.8    2.4.6.8               1.2.3.5     5.6.7.9      2.4.6.9
   host     host ...   host                     host       host ...   host


    LAN 1                                                       LAN 2
                 router             router             router
                              WAN            WAN

          1.2.3.4
          1.2.3.5



          forwarding table                                                      10
Two Universal Tricks in CS
• When you need more flexibility, you add…
  – A layer of indirection


• When you need more scalability, you impose…
  – A hierarchical structure




                                                11
Hierarchical Addressing in U.S. Mail
• Addressing in the U.S. mail
  – Zip code: 94704
  – Street: Center Street
                                                        ???
  – Building on street: 1947
  – Location in building: Suite 600
  – Name of occupant: Scott Shenker

• Forwarding the U.S. mail
  – Deliver letter to the post office in the zip code
  – Assign letter to mailman covering the street
  – Drop letter into mailbox for the building/room
  – Give letter to the appropriate person

                                                              12
Who Knows What?
• Does anyone in the US Mail system know where
  every house is?


• Separate routing tables at each level of hierarchy
  – Each of manageable scale




                                                       13
Hierarchical Structure
• The Internet is an “inter-network”
  – Used to connect networks together, not hosts
  – Natural two-level hierarchy:
    o WAN delivers to right LAN
    o LAN delivers to right host

   host     host ...   host                    host       host ...   host


    LAN 1                                                      LAN 2
                 router             router            router
                              WAN            WAN




LAN = Local Area Network
WAN = Wide Area Network
                                                                            14
Hierarchical Addressing
• Prefix is network address: suffix is host address
• 12.34.158.0/23 is a 23-bit prefix with 29 addresses
  – Terminology: “Slash 23”

       12            34         158         5



  00001100 00100010 10011110 00000101

            Network (23 bits)         Host (9 bits)

                                                      15
IP Address and a 23-bit Subnet Mask
Address
          12       34      158        5



       00001100 00100010 10011110 00000101

       11111111 11111111 11111110 00000000



          255     255      254        0
Mask                                      16
Scalability Improved
• Number related hosts with same prefix
  – 1.2.3.0/24 on the left LAN
  – 5.6.7.0/24 on the right LAN

1.2.3.4    1.2.3.7 1.2.3.156                 5.6.7.8 5.6.7.9 5.6.7.212
   host     host ...   host                     host       host ...   host


    LAN 1                                                       LAN 2
                 router             router             router
                              WAN            WAN

          1.2.3.0/24
          5.6.7.0/24

           forwarding table
                                                                             17
Easy to Add New Hosts
• No need to update the routers
  – E.g., adding a new host 5.6.7.213 on the right
  – Doesn’t require adding a new forwarding entry

1.2.3.4    1.2.3.7 1.2.3.156                 5.6.7.8 5.6.7.9 5.6.7.212
   host     host ...   host                     host       host ...     host


    LAN 1                                                       LAN 2
                 router             router             router            host
                              WAN            WAN
                                                                   5.6.7.213
          1.2.3.0/24
          5.6.7.0/24

           forwarding table
                                                                                18
Original Internet Addresses
• First eight bits: network address (/8)
• Last 24 bits: host address


  Assumed 256 networks were more than enough!




                                                19
Next Design: Classful Addressing

 – Class A: if first byte in [0..127], assume /8 (top bit = 0)
       0******* ******** ******** ********
   o Very large blocks (e.g., MIT has 18.0.0.0/8)

 – Class B: first byte in [128..191]  assume /16 (top bits = 10)
       10****** ******** ******** ********
   o Large blocks (e.g,. UCB has* 128.32.0.0/16)

 – Class C: [192..223]  assume /24 (top bits = 110)
       110***** ******** ******** ********
   o Small blocks (e.g., ICIR has 192.150.187.0/24)
   o (My house has a /25)
                                                                 20
Classful Addressing (cont’d)

  – Class D: [224..239] (top bits 1110)
      1110**** ******** ******** ********
    o Multicast groups

  – Class E: [240..255] (top bits 11110)
      11110*** ******** ******** ********
    o Reserved for future use


• What problems can classful addressing lead to?
  – Only comes in 3 sizes
  – Routers can end up knowing about many class C’s
                                                      21
Today’s Addressing: CIDR
• CIDR = Classless Interdomain Routing


• Flexible boundary between network and host
  addresses


• Must specify both address and mask, to clarify
  where the network address ends and the host
  address begins
  – Classful addressing communicate this with first few bits
  – CIDR requires explicit mask
                                                               22
 CIDR Addressing
          Use two 32-bit numbers to represent a network.
               Network number = IP address + Mask

  IP Address : 12.4.0.0            IP Mask: 255.254.0.0

Address    00001100 00000100 00000000 00000000

   Mask    11111111 11111110 00000000 00000000

                Network Prefix                   for hosts


               Written as 12.4.0.0/15 or 12.4/15
                                                             23
CIDR: Hierarchal Address Allocation
• Prefixes are key to Internet scalability
  – Addresses allocated in contiguous chunks (prefixes)
  – Routing protocols and packet forwarding based on prefixes

                12.0.0.0/15
                12.2.0.0/16     12.3.0.0/22           :
                12.3.0.0/16     12.3.4.0/24           :
                                     :                :
                                     :
   12.0.0.0/8       :           12.3.254.0/23
                    :              12.253.0.0/19
                                   12.253.32.0/19
                                   12.253.64.0/19
                12.253.0.0/16
                                   12.253.64.108/30
                    :              12.253.96.0/18
                                   12.253.128.0/17        24
Scalability: Address Aggregation

         Provider is given 201.10.0.0/21   (201.10.0.x .. 201.10.7.x)

                                Provider




   201.10.0.0/22   201.10.4.0/24       201.10.5.0/24       201.10.6.0/23




  Routers in the rest of the Internet just need to know
 how to reach 201.10.0.0/21. The provider can direct the
        IP packets to the appropriate customer.          25
Aggregation Not Always Possible

            201.10.0.0/21

                     Provider 1                             Provider 2




  201.10.0.0/22 201.10.4.0/24 201.10.5.0/24 201.10.6.0/23



   Multi-homed customer with 201.10.6.0/23 has two
providers. Other parts of the Internet need to know how
  to reach these destinations through both providers.
           /23 route must be globally visible         26
Growth in Routed Prefixes (1989-2005)


                            Dot-com implosion;
                            Internet bubble bursts

                     Advent of CIDR
                     allows aggregation:
                     linear growth

      Initial growth
                                                       Back in
      super-linear; no
                                                       business
      aggregation
                                       Internet boom:
                                       multihoming drives
                                       superlinear growth
                                                                  27
Special-Purpose Address Blocks
• Private addresses
  – By agreement, not routed in the public Internet
  – For networks not meant for general Internet connectivity
  – Blocks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
• Link-local
  –   By agreement, not forwarded by any router
  –   Used for single-link communication only
  –   Intent: autoconfiguration (especially when DHCP fails)
  –   Block: 169.254.0.0/16
• Loopback
  – Address blocks that refer to the local machine
  – Block: 127.0.0.0/8
  – Usually only 127.0.0.1/32 is used
• Limited broadcast
  – Sent to every host attached to the local network
  – Block: 255.255.255.255/32
                                                               28
Summary of IP Addressing
Scalability Through Non-Uniform Hierarchy
• Hierarchical addressing
  – Critical for scalable system
  – Don’t require everyone to know everyone else
  – Reduces amount of updating when something changes


• Non-uniform hierarchy
  – Useful for heterogeneous networks of different sizes
  – Class-based addressing was far too coarse
  – Classless InterDomain Routing (CIDR) more flexible

                                                           29
Editorial
• Internet started with simple addressing design:
  – Two-layer hierarchy: network and host
  – Addresses in each hierarchy not tied to network topology

• Address exhaustion led to a less clean design
  – CIDR is based on flexible aggregation
  – Aggregation relies on topological numbering

• In “our” design, names were
  – Semantic-free
  – Verifiable

• Internet addresses violate both of these conditions
  – Spoofing, problems with mobility, etc.
                                                           30
    5 Minute Break



Questions Before We Proceed?



                               31
Address Allocation




                     32
Obtaining a Block of Addresses
• Allocation is also hierarchical
  – Prefix: assigned to an institution
  – Addresses: assigned by the institution to their nodes
• Who assigns prefixes?
  – Internet Corporation for Assigned Names and Numbers
    o Allocates large address blocks to Regional Internet Registries
    o ICANN is politically charged
  – Regional Internet Registries (RIRs)
    o E.g., ARIN (American Registry for Internet Numbers)
    o Allocates address blocks within their regions
    o Allocated to Internet Service Providers and large institutions ($$)
  – Internet Service Providers (ISPs)
    o Allocate address blocks to their customers (could be recursive)
       • Often w/o charge
                                                                        33
Figuring Out Who Owns an Address
• Address registries
  –Public record of address allocations
  –Internet Service Providers (ISPs) should update
   when giving addresses to customers
  –However, records are notoriously out-of-date

• Ways to query
  –UNIX: “whois –h whois.arin.net 169.229.60.27”
  –http://www.arin.net/whois/
  –http://www.geektools.com/whois.php
  –…
                                                   34
Are 32-bit Addresses Enough?
• Not all that many unique addresses
  – 232 = 4,294,967,296 (just over four billion)
  – Plus, some (many) reserved for special purposes
  – And, addresses are allocated in larger blocks
• And, many devices need IP addresses
  – Computers, PDAs, routers, tanks, toasters, …
• Long-term solution (perhaps): larger address space
  – IPv6 has 128-bit addresses (2128 = 3.403 × 1038)
• Short-term solutions: limping along with IPv4
  – Private addresses
  – Dynamically-assigned addresses (DHCP)
  – Network address translation (NAT)
                                                       35
Network Address Translation (NAT)

Before NAT…
 – Every machine connected to Internet had unique IP address



                                        dest addr src addr        src port
         Server                                            dst port
                                         LAN
                                               5.6.7.8 1.2.3.4 80 1001
     80 1001 5.6.7.8 1.2.3.4 Internet           1.2.3.4
           5.6.7.8


                                               1.2.3.5
                                              Clients                36
NAT (cont’d)

• Independently assign addresses to machines behind
  same NAT
  – Usually in address block 192.168.0.0/16

• Use bogus port numbers to multiplex/demultiplex internal
  addresses
         Server
                                            NAT 5.6.7.8 192.2.3.4 80 1001
     80 2000 5.6.7.8 1.2.3.4
                            Internet                             192.2.3.4
          5.6.7.8                           1.2.3.4
                                       80 1.2.3.4 80 2000
                                   5.6.7.8 1001 5.6.7.8 192.2.3.4



                          192.2.3.4:1001    1.2.3.4:2000       192.2.3.5
                                                                Clients    37
NAT (cont’d)

• Independently assign addresses to machines behind
  same NAT
  – Usually in address block 192.168.0.0/16

• Use bogus port numbers to multiplex demultiplex internal
  addresses
         Server
                                            NAT
     80 2001 5.6.7.8 1.2.3.4
                            Internet                            192.2.3.4
          5.6.7.8                           1.2.3.4
                                   5.6.7.8 1.2.3.4 80 2001
                                       80 1001 5.6.7.8 192.2.3.5

                                                 5.6.7.8 192.2.3.5 80 1001
                         192.2.3.4:1001     1.2.3.4:2000        192.2.3.5

                         192.2.3.5:1001     1.2.3.4:2001        Clients 38
Hard Policy Questions
• How much address space per geographic region?
  – Equal amount per country?
  – Proportional to the population?
  – What about addresses already allocated?

• Address space portability?
  – Keep your address block when you change providers?
  – Pro: avoid having to renumber your equipment
  – Con: reduces the effectiveness of address aggregation

• Keeping the address registries up to date?
  – What about mergers and acquisitions?
  – Delegation of address blocks to customers?
  – As a result, the registries are often out of date       39
Summary of IP Addressing
• 32-bit numbers identify interfaces
• Allocated in prefixes
• Non-uniform hierarchy for scalability and flexibility
  – Routing is based on CIDR

• A number of special-purpose blocks reserved
• Address allocation:
  – ICANN  RIR  ISP  customer network  host

• Issues to be covered later
  – How hosts get their addresses (DHCP)
  – How to map from an IP address to a link address (ARP) 40
Quick Security Analysis




                          41
Focus on Sender Attacks
• Ignore (for now) attacks by others:
  – Traffic analysis
  – Snooping payload
  – Denial of service


• Here we look at vulnerabilities sender can exploit




                                                       42
IP Packet Structure

      4-bit   4-bit      8-bit
     Version Header Type of Service
                                         16-bit Total Length (Bytes)
             Length     (TOS)

                                       3-bit
            16-bit Identification      Flags   13-bit Fragment Offset

      8-bit Time to
       Live (TTL)
                      8-bit Protocol      16-bit Header Checksum


                         32-bit Source IP Address


                      32-bit Destination IP Address


                                Options (if any)


                                    Payload
IP Address Integrity
• Source address should be the sending host
  – But, who’s checking, anyway?
  – You could send packets with any source you want
  – Why is checking hard?




                                                      44
IP Address Integrity, con’t
• Why would someone use a bogus source address?
• Launch a denial-of-service attack
  – Send excessive packets to the destination
  – … to overload the node, or the links leading to the node
  – But: victim can identify/filter you by the source address

• Evade detection by “spoofing”
  – Put someone else’s source address in the packets
    o Or: use a lot of different ones so can’t be filtered

• Or: as a way to bother the spoofed host
  – Spoofed host is wrongly blamed
  – Spoofed host may receive return traffic from the receiver
                                                                45
Security Implications of IP’s Design

      4-bit   4-bit      8-bit
     Version Header Type of Service
                                         16-bit Total Length (Bytes)
             Length     (TOS)

                                       3-bit
            16-bit Identification      Flags   13-bit Fragment Offset

      8-bit Time to
       Live (TTL)
                      8-bit Protocol      16-bit Header Checksum


                         32-bit Source IP Address


                      32-bit Destination IP Address


                                Options (if any)


                                    Payload
Security Implications, con’t
• Version field (4 bits) …. ?
  – Issue: fledgling IPv6 deployment means sometimes
    connectivity exceeds security enforcement
    o E.g., firewall rules only set up for IPv4

• Header length (4 bits) …. ?
  – Controls presence of IP options
    o E.g., Source Route lets sender control path taken through
      network - say, sidestep security monitoring
  – Non-obvious difficulty: IP options often processed in
    router’s slow path
    o Allows attacker to stress router for denial-of-service
  – Often, today’s firewalls configured to drop packets with
    options.
                                                                  47
IP Packet Structure

      4-bit   4-bit      8-bit
     Version Header Type of Service
                                         16-bit Total Length (Bytes)
             Length     (TOS)

                                       3-bit
            16-bit Identification      Flags   13-bit Fragment Offset

      8-bit Time to
       Live (TTL)
                      8-bit Protocol      16-bit Header Checksum


                         32-bit Source IP Address


                      32-bit Destination IP Address


                                Options (if any)


                                    Payload
Security Implications of TOS? (8 bits)
• What if attacker sets TOS for their flooding traffic
  for prioritized delivery?
  – If regular traffic does not set TOS, then network prefers
    the attack traffic, greatly compounding damage

• What if network charges for TOS traffic …
  – … and attacker spoofs the victim’s source address?
    (denial-of-money)

• In general, in today’s network TOS does not work
  – Due to very hard problems with billing
  – TOS has now been redefined for Differential Service
    o Discussed later in course

                                                                49
IP Packet Structure

      4-bit   4-bit      8-bit
     Version Header Type of Service
                                         16-bit Total Length (Bytes)
             Length     (TOS)

                                       3-bit
            16-bit Identification      Flags   13-bit Fragment Offset

      8-bit Time to
       Live (TTL)
                      8-bit Protocol      16-bit Header Checksum


                         32-bit Source IP Address


                      32-bit Destination IP Address


                                Options (if any)


                                    Payload
Security Implications of Fragmentation?
• Allows evasion of network monitoring/enforcement
• E.g., split an attack across multiple fragments
  – Packet inspection won’t match a “signature”
       Offset=0            Offset=8

       Nasty-at tack-bytes
• E.g., split TCP header across multiple fragments
  – Firewall can’t tell anything about connection associated
    with traffic
• Both of these can be addressed by monitor
  remembering previous fragments
  – But that costs state
                                                               51
Fragmentation Attacks, con’t
• What if 2 overlapping fragments are inconsistent?
     Offset=0      Offset=8

     USERNAME NICE
                    EVIL
                   Offset=8

• How does network monitor know whether receiver
  sees USERNAME NICE or USERNAME EVIL?



                                                      52
Fragmentation Attacks, con’t
• What if fragments exceed IP datagram limit?
     Offset=65528

      NineBytes

  – Maximum size of 13-bit field: 0x1FFF = 8191
    Byte offset into final datagram = 8191*8 = 65528
    Length of final datagram = 65528 + 9 = 65537
• Result: kernel crash
  – Denial-of-service using just a few packets
  – Fixed in modern OS’s

                                                       53
Fragmentation Attacks, con’t



• What happens if attacker doesn’t send all of the
  fragments in a datagram?


• Receiver (or firewall) winds up holding the ones
  they receive for a long time
  – State-holding attack



                                                     54
IP Packet Structure

      4-bit   4-bit      8-bit
     Version Header Type of Service
                                         16-bit Total Length (Bytes)
             Length     (TOS)

                                       3-bit
            16-bit Identification      Flags   13-bit Fragment Offset

      8-bit Time to
       Live (TTL)
                      8-bit Protocol      16-bit Header Checksum


                         32-bit Source IP Address


                      32-bit Destination IP Address


                                Options (if any)


                                    Payload
Security Implications of TTL? (8 bits)
• Allows discovery of topology (a la traceroute)
• Can provide a hint that a packet is spoofed
  – It arrives at a router w/ a TTL different than packets from
    that address usually have
    o Because path from attacker to router has different # hops
  – Though this is brittle in the presence of routing changes

• Initial value that’s picked is somewhat distinctive to
  sender’s operating system. This plus other such
  initializations allow OS fingerprinting …
  – Which in turn can allow attacker to infer its likely
    vulnerabilities
                                                                  56
Security Implications of Remainder?


• No apparent problems with protocol field (8 bits)
  – It’s just a demux’ing handle
  – If value set incorrectly, next higher layer will find packet
    ill-formed



• Similarly, bad IP checksum field (16 bits) will very
  quickly cause packet to be discarded by the
  network

                                                                   57
Next Lecture

• IP Forwarding; Transport protocols
• Read K&R: 3-3.4




                                       58

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:3
posted:8/15/2011
language:English
pages:58