Port number is a form of address from the layer just above,
that we just finished (the transport layer).
https://en.wikipedia.org/wiki/Port_(computer_networking)
IP address (those above in image) is the layer we’re doing now (the
network layer)
https://en.wikipedia.org/wiki/IP_address
MAC address (the hex address last sent in image above)
is the next layer down that we will do next (the link layer).
https://en.wikipedia.org/wiki/MAC_address
Reminder (look back at section on encapsulation and layering after
completing every layer):
01-Overview.html
https://www.computer-networking.info/1st/html/network/network.html
https://www.computer-networking.info/2nd/html/protocols/ipv6.html
https://www.computer-networking.info/2nd/html/protocols/ipv6b.html
http://intronetworks.cs.luc.edu/current/uhtml/intro.html#ip-internet-protocol
http://intronetworks.cs.luc.edu/current/uhtml/ipv4.html
http://intronetworks.cs.luc.edu/current/uhtml/ipv6a.html
http://intronetworks.cs.luc.edu/current/uhtml/ipv6b.html
https://en.wikipedia.org/wiki/Network_layer
https://en.wikipedia.org/wiki/Internet_layer
https://en.wikipedia.org/wiki/Internet_Protocol
https://en.wikipedia.org/wiki/IP_address
Previous-Previous: Application headers (data from this
perspective)
Previous: transport header (Example is UDP in diagram,
but could be TCP)
Now: IP header
Next: Data link framing
Next-Next: Physical layer
Network layer is hard to upgrade or change (it’s everywhere)!
Role of the network layer is simple, to move packets from a sending host to a receiving host.
Two important network-layer functions can be identified:
+++++++++++++++++++++ Cahoot-04-1
We divide the network layer based on these functions.
+++++++++++++++++++++ Cahoot-04-2
A quick forward-reference:
ARP (Address Resolution Protocol) queries use a known IP address to
look up a MAC address (link-layer address),
so that a host or router can put the right destination MAC on the frame
and a switch (a data-link layer 2 device that forwards based on MAC
address) can deliver it directly to that interface. The query is a
broadcast on the link that says:
“Hey all on the MAC layer, whoever has this IP address, what is their MAC address?”
Every router has a forwarding table.
A router forwards a packet by examining the value of the destination IP
address field in the arriving packet’s header,
and then using this header value to index into the router’s forwarding
table.
The value stored in the forwarding table entry for that header indicates
the router’s outgoing link interface,
to which that packet is to be forwarded.
Note: the diagram immediately below is idealized to have a short bit
chunk, but the principles are the same for real IP addresses:
Routing sets up these forwarding tables.
The routing algorithm to determine tables may be centralized (e.g., with
an algorithm executing on a central site and downloading routing
information to each of the routers) or decentralized (i.e., with a piece
of the distributed routing algorithm running in each router).
In either case, a router receives routing protocol messages, which are
used to configure its forwarding table.
Individual routing algorithm components in each and every router
interact in the control plane.
In the SDN approach, a distinct (typically remote) controller interacts
with local control agents (CAs) in each router.
In a datagram network, each time an end system wants to send a packet,
it stamps the packet with the address of the destination end system, and
then pops the packet into the network.
Suppose that our router has four links, numbered 0 through 3, and
that packets are to be forwarded to the link interfaces as
follows:
Important points to ponder:
If IP addresses are sold in blocks, where might ranges end up,
geographically?
If ranges of addresses are re-sold, where might they end up?
Why can a match in the routing table be shorter than an IP address
itself?
Why should it be?
Why do we match the longest prefix?
When there are multiple matches, the router uses the longest prefix
matching rule.
That is, it finds the longest matching entry in the table and forwards
the packet to the link interface associated with the longest prefix
match.
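Longest-prefix matching, as an added worked example (not code from the course notes). The forwarding table is constructed for the four-link router described above; the /24 entry stands in for a block re-sold out of a larger /20, which is exactly the situation that produces two matching entries of different lengths. The prefix comparison is done on the leading bits only, which is why an entry can be shorter than a full address.

```python
import ipaddress

# Constructed forwarding table for the four-link router in the text.
# 203.0.113.0/24 is imagined as a sub-block re-sold out of 203.0.112.0/20
# that is now reached over a different link, so it needs its own, longer entry.
FORWARDING_TABLE = [
    ("203.0.112.0/20", 0),   # the ISP's whole block
    ("203.0.113.0/24", 1),   # re-sold /24 inside it: more specific
    ("198.51.100.0/24", 2),
    ("0.0.0.0/0", 3),        # default route: a 0-bit prefix matches everything
]


def build_table(entries):
    """Parse each dotted prefix once; keep (network, outgoing link) pairs."""
    return [(ipaddress.ip_network(prefix, strict=True), link) for prefix, link in entries]


def prefix_matches(addr_int, net):
    """True if the first prefixlen bits of the address equal the prefix.
    Only the leading bits are compared, which is why a table entry can be
    shorter than a full 32-bit address."""
    shift = 32 - net.prefixlen
    return (addr_int >> shift) == (int(net.network_address) >> shift)


def lookup(table, dst):
    """Longest-prefix match: of all entries that match, use the one with the
    most prefix bits. Returns the link number, or None if nothing matches
    (a router with no default route drops such a packet)."""
    addr_int = int(ipaddress.ip_address(dst))
    best_net, best_link = None, None
    for net, link in table:
        if prefix_matches(addr_int, net) and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_link = net, link
    return best_link


if __name__ == "__main__":
    table = build_table(FORWARDING_TABLE)
    for dst in ("203.0.112.7", "203.0.113.7", "198.51.100.200", "8.8.8.8"):
        print(dst, "-> link", lookup(table, dst))
```

203.0.113.7 matches both the /20 and the /24; the /24 wins because it has more prefix bits, so the re-sold block is reached over its own link while the rest of the /20 still goes out link 0. A real router does the same lookup with a trie or TCAM rather than a linear scan.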
+++++++++++++++++++++ Cahoot-04-3
The switching fabric connects the router’s input ports to its output
ports.
This switching fabric is completely contained within the router,
a network inside of a network router!
The routing processor executes the routing protocols,
maintains routing tables and attached link state information,
and computes the forwarding table for the router.
It also performs the network management functions.
The lookup performed in the input port is central to the router’s
operation.
It is here that the router uses the forwarding table, to look up the
output port,
to which an arriving packet will be forwarded via the switching
fabric.
The forwarding table is computed and updated by the routing
processor,
with a shadow copy typically stored at each input port.
Each input port searches through the forwarding table looking for the
longest prefix match
Once a packet’s output port has been determined via the lookup,
the packet can be sent into the switching fabric.
Switching architecture variations:
Which is fastest?
Output port: takes packets that have been stored in the output port’s
memory and transmits them over the output link.
This includes selecting and de-queueing packets for transmission,
and performing the needed link-layer to physical-layer transmission
functions.
As queues grow large, the router’s memory can eventually be exhausted and packet loss will occur when no memory is available to store arriving packets.
Output port queuing:
Head of line (HOL) blocking in input queuing
first-in-first out
Who determines priority?
Network layer components
Show some virtual interfaces.
What does Wireshark do with these?
+++++++++++++++++++++ Cahoot-04-4
https://en.m.wikipedia.org/wiki/IPv4
I tried to come up with an IPv4 joke,
but the good ones were all already exhausted.
1.2.3.4 corresponds to 00000001 00000010 00000011 00000100
127.0.0.1 corresponds to 01111111 00000000 00000000 00000001
255.255.255.255 corresponds to 11111111 11111111 11111111 11111111
IPv4 Datagram header details
traceroute
uses these ICMP Time Exceeded
messages to print the routers used by packets to go from the source to
the destination.
+++++++++++++++ Cahoot-04-5
https://lwn.net/Articles/960913/
Identification is the same for every fragment of one original datagram,
so the receiver knows which pieces belong together.
Fragment Offset gives each fragment’s position in the original payload,
in units of 8 octets; the More Fragments (MF) flag is clear only on the
last fragment.
2^32 = 4,294,967,296
…about 4.3 billion addresses is not that many.
Three separate sub-networks (sub-nets), each with its own block of IP
addresses:
Put more routers in the middle, and it’s like the internet:
Hierarchically divide IP addresses and networks:
To determine the sub-nets, detach each interface from its host or
router,
creating islands of isolated networks,
with interfaces terminating the end points of the isolated
networks.
Each of these isolated networks is called a sub-net.
https://en.wikipedia.org/wiki/sub-network
The old way of hierarchically dividing up IP addresses:
https://en.wikipedia.org/wiki/Classful_network
where the IP address is divided up into:
n is the network portion
H is the host portion
Above, the general pattern is illustrated with n and H, but the
particular ranges of IP addresses are those actually (and somewhat
arbitrarily) assigned to the world by ICANN; the table shows both.
Columns that are general:
Columns that are particular to the actual arbitrary real assignment
because it was too classy and stiff…
++++++++++++++++++++++++++ Cahoot-04-6
You may have understood this in integer encoding:
Sub-net masks are often expressed in dot-decimal notation like an
address.
For example, 255.255.255.0 is the sub-net mask for the prefix
198.51.100.0/24.
But, sub-net masks really make sense when you think about IP
addresses in binary encoding:
For IPv4, a network may also be characterized by its sub-net mask or
netmask.
This is a binary trick, to illustrate the n.H pattern.
Functionally, it ends up cleaving the IP address into two parts, the
leading network portion, and the trailing host portion.
Specifically, it is a bitmask applied by a bitwise
AND operation,
to any IP address in the network, yielding the routing prefix (see
below).
Example 1 on a full class sub-net:
Example 2 on a partial CIDR sub-net.
In summary:
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
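The mask arithmetic above, as an added worked example (not code from the course notes). Example 1 is a classful-sized /24 (255.255.255.0), Example 2 a CIDR /20 whose boundary falls inside an octet; the address 198.51.100.77 is a constructed sample from the documentation range. The mask check rejects non-contiguous masks, which some configuration parsers accept silently.

```python
import socket


def ip_to_int(dotted):
    """'198.51.100.77' -> 32-bit integer (big-endian, as on the wire)."""
    return int.from_bytes(socket.inet_aton(dotted), "big")


def int_to_ip(value):
    return socket.inet_ntoa(value.to_bytes(4, "big"))


def mask_from_prefixlen(plen):
    """/plen -> mask: plen leading 1 bits, then 0 bits (e.g. /24 -> 255.255.255.0)."""
    if not 0 <= plen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def prefixlen_from_mask(dotted_mask):
    """Dotted mask -> /plen, rejecting masks whose 1 bits are not contiguous."""
    mask = ip_to_int(dotted_mask)
    plen = bin(mask).count("1")
    if mask_from_prefixlen(plen) != mask:
        raise ValueError(f"{dotted_mask} is not a contiguous netmask")
    return plen


def network_of(dotted, plen):
    """Bitwise AND with the mask cleaves off the host bits: the routing prefix."""
    return int_to_ip(ip_to_int(dotted) & mask_from_prefixlen(plen))


def host_part(dotted, plen):
    """The trailing host portion, as an integer."""
    return ip_to_int(dotted) & ~mask_from_prefixlen(plen) & 0xFFFFFFFF


def same_subnet(a, b, plen):
    """Two addresses are on the same subnet iff they AND to the same prefix;
    this is also how a host decides whether to send on the LAN or to its gateway."""
    return network_of(a, plen) == network_of(b, plen)


def subnets_in(big_plen, small_plen):
    """How many /small_plen subnets fit in one /big_plen (e.g. eight /23s per /20)."""
    if small_plen < big_plen:
        raise ValueError("the smaller subnet must have the longer prefix")
    return 1 << (small_plen - big_plen)


def binary(dotted):
    """Dotted decimal shown as four 8-bit groups, as in the examples above."""
    return " ".join(f"{b:08b}" for b in socket.inet_aton(dotted))


if __name__ == "__main__":
    for plen in (24, 20):
        print(f"198.51.100.77/{plen}: mask {int_to_ip(mask_from_prefixlen(plen))}, "
              f"network {network_of('198.51.100.77', plen)}, host {host_part('198.51.100.77', plen)}")
```

With /20 the mask 255.255.240.0 keeps only the top four bits of the third octet, so 198.51.100.77 ANDs to 198.51.96.0: the network boundary is not on an octet, which is the point of CIDR.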
++++++++++++++++++++++++++++++++ Cahoot-04-7
https://en.wikipedia.org/wiki/IPv4#Special-use_addresses
(check this out in class)
There is no place like 127.0.0.1
https://en.wikipedia.org/wiki/Localhost
127.0.0.1
is the standard address for IPv4
loopback traffic.
::1
/etc/hosts
(view mine): vim /etc/hosts
127.0.0.1 localhost
::1 localhost
Last row above is IPv6 shorthand (more below).
255.255.255.255
is used for broadcast transmission to all hosts on a link.
192.168.0.1 jokes are best told in private…
You can do whatever you want with the private ranges (10.0.0.0/8,
172.16.0.0/12, 192.168.0.0/16, from RFC 1918) on your private network,
e.g., at home; routers on the public Internet do not forward them.
169.254.0.0/16
for link-local addressing.
+++++++++++++++++++ Cahoot-04-8
An IPv4 address walks into a bar and yells,
“Bartender! Give me a cidr, I’m exhausted!”
There are eight /23 sub-nets in one /20 sub-net (3 bits consumed,
2**3=8)
https://en.wikipedia.org/wiki/ICANN
The IP address space is managed globally by the Internet Assigned
Numbers Authority (IANA),
and by five regional Internet registries (RIR) responsible in their
designated territories,
for assignment to end users and local Internet registries, such as
Internet service providers.
IANA (operated by ICANN) assigns large blocks to the RIRs, which assign
them to ISPs, other local registries, and large organizations in their
regions.
Companies (including ISPs) buy and sell them.
ISPs assign them to consumers or other businesses.
After a company re-selling a block:
Ask: What happens when the ranges are not nicely divided?
Didn’t we run out of IPv4 jokes?
https://en.wikipedia.org/wiki/IPv4_address_exhaustion
The top-level exhaustion occurred on 31 January 2011.
The consequence of the above, with longest-prefix matching is:
Evolution of the size of the routing tables on the Internet (Jul
1988- Dec 1992 - source : RFC 1518)
and more modern:
Some mitigation efforts and technologies include:
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
* [ ] https://www.homenethowto.com/basics/giving-the-computer-an-ip-address/
Client-server
When logging into a network, how does an interface get an IP
address?
Either:
1. Hard coded by sys-admin
2. DHCP
Goal: Allow host to dynamically obtain its IP address
from network server when it joins network.
Host can also renew its lease on an address in use.
Allows reuse of retired addresses (only hold address while
connected/“on”).
DHCP is a client-server protocol:
DHCP query response
In addition to host IP address assignment,
DHCP also allows a host to learn additional information, such as
its:
subnet mask (indicating network versus host portion of address),
the address of its first-hop router (often called the default gateway),
and
the address of its local DNS server.
DHCP provides an IP address, and also usually more, including:
IP address
Subnet Mask
IP address of a Default Gateway (router)
IP address of a DNS server
https://en.wikipedia.org/wiki/Middlebox#Criticism_and_challenges
“Middleboxes have generated technical challenges for application
development and have incurred scorn and dismay in the network
architecture community for violating the end-to-end principle of
computer system design.”
Some types of middlebox covered here:
The first middlebox is:
The second middlebox is:
https://en.m.wikipedia.org/wiki/Network_address_translation
Network Address Translation (NAT) was proposed in [TE1993] and RFC 3022 as a short term solution to deal with the expected shortage of IPv4 addresses in the late 1980s - early 1990s.
Local network uses just one IP address as far as outside world is concerned:
NAT router must:
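The NAT router’s job, as an added simulation (not code from the course notes): rewrite the private source address and port on the way out, remember the mapping, reverse it on the reply, and drop inbound packets for which no mapping exists. The public address 203.0.113.5 and the private hosts are constructed; checksum fix-up after rewriting is left out.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"          # constructed: the NAT router's one public address


@dataclass(frozen=True)
class Packet:
    """Only the fields NAT rewrites; a real implementation also fixes the
    IP and TCP/UDP checksums after rewriting."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (private ip, private port) -> public port
        self.inbound_map = {}    # public port -> (private ip, private port)

    def outbound(self, pkt):
        """LAN -> Internet: replace (private src ip, port) with (public ip, port),
        remembering the mapping so the reply can be reversed."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound_map.get(key)
        if port is None:
            if self.next_port > 65535:
                raise RuntimeError("NAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: look the destination port up in the table and
        restore the private address. No mapping means nobody inside asked
        for this, so the packet is dropped (returns None)."""
        key = self.inbound_map.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


if __name__ == "__main__":
    nat = Nat(PUBLIC_IP)
    out = nat.outbound(Packet("192.168.0.10", 5000, "198.51.100.9", 80))
    print("outbound rewritten to", out)
    print("reply delivered to", nat.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, out.src_port)))
    print("unsolicited inbound:", nat.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, 40009)))
```

The drop of unmapped inbound traffic is why NAT is often mistaken for a firewall; it only hides hosts that have not recently sent anything, and the mapping here is endpoint-independent, so once a host has opened one mapping any outside peer that learns the public port can reach it.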
The third middlebox is:
https://en.wikipedia.org/wiki/Software-defined_networking
For example:
https://en.wikipedia.org/wiki/OpenFlow
Packets can be routed based on arbitrary header content (think
firewalls above).
SDN can route packets based on application, data-link, transport, or any
layer data,
for managing traffic, security, payment, or whatever else desired.
https://en.wikipedia.org/wiki/Load_balancing_(computing)#Internet-based_services
+++++++++++++++++++++++ Cahoot-04-9
https://en.m.wikipedia.org/wiki/IPv6
I heard this really great IPv6 joke,
but I just don’t think you’re ready for it.
IPv6 streamlined the protocol, eliminating work for core routers,
deferring that work to the periphery.
For example, the IPv6 header has no checksum (the transport-layer
checksum covers it instead), and routers never fragment in transit:
only the sending host fragments, after Path MTU discovery.
This supports the:
https://en.wikipedia.org/wiki/End-to-end_principle
**The sad thing about IPv6 jokes,**
**is that almost no one understands them,**
**and no one is using them yet.**
Examples
2001:db8:0:0:8:800:200c:417a
is represented as
2001:db8::8:800:200c:417a
ff01:0:0:0:0:0:0:101
is represented as
ff01::101
0:0:0:0:0:0:0:1
is represented as ::1
0:0:0:0:0:0:0:0
is represented as ::
For example, an IPv6 address typed into your web browser:
http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/
When the URL also contains a port number the notation is:
https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/
where the trailing 443 is the example’s port number.
https://en.wikipedia.org/wiki/IPv6_packet
Size and type of addresses were updated.
Unicast:
* address identifies a single network interface.
* The Internet Protocol delivers packets sent to a unicast address to
that specific interface.
* Unicast also exists in IPv4
Multicast:
* address is also used by multiple hosts that acquire the multicast
address destination by participating in the multicast distribution
protocol among the network routers.
* A packet that is sent to a multicast address is delivered to all
interfaces that have joined the corresponding multicast group.
* IPv6 does not implement broadcast addressing.
* Broadcast’s traditional role is subsumed by multicast addressing to
the all-nodes link-local multicast group ff02::1.
* However, the use of the all-nodes group is not recommended, and most
IPv6 protocols use a dedicated link-local multicast group to avoid
disturbing every interface in the network.
* Multicast also exists in IPv4
Anycast
* IPv6 introduced a new type of address, called an
anycast address, which allows a datagram to be
delivered to any one of a group of hosts.
* This feature could be used, for example, to send an HTTP GET to the
nearest of a number of mirror sites that contain a given document.
The following fields are defined in IPv6:
Version
* This 4-bit field identifies the IP version number.
* Not surprisingly, IPv6 carries a value of 6 in this field.
* Note that putting a 4 in this field does not create a valid IPv4
datagram.
* If it did, life would be a lot simpler… see the discussion below
regarding the transition from IPv4 to IPv6.
Traffic class
* This 8-bit field is similar to the TOS field we saw in IPv4.
Flow label
* As discussed above, this 20-bit field is used to identify a flow of
datagrams.
Payload length
* This 16-bit value is treated as an unsigned integer
* It is the number of bytes in the IPv6 datagram, following the
fixed-length, 40-byte datagram header.
Next header
* This field identifies the protocol to which the contents (data field)
of this datagram will be delivered (for example, to TCP or UDP).
* The field uses the same values as the protocol field in the IPv4
header.
* This field usually specifies the transport layer protocol used by a
packet’s payload.
* When extension headers are present in the packet this field indicates
which extension header follows.
* The values are shared with those used for the IPv4 protocol field, as
both fields have the same function (see List of IP protocol
numbers)
* The next header enables a neat extensibility:
* extra headers, like IPsec, or others, can be layered between IP and
the Transport layer above (UDP/TCP):
* https://en.wikipedia.org/wiki/IPsec
Hop limit
* The contents of this field are decremented by one by each router that
forwards the datagram.
* If the hop limit count reaches zero, the datagram is discarded.
* This is better named than the IPv4 TTL field, which was really
hop-limit anyway.
Source and destination addresses
* The various formats of the IPv6 128-bit address are described in RFC
4291.
Data
* This is the payload portion of the IPv6 datagram.
* When the datagram reaches its destination, the payload will be removed
from the IP datagram and passed on to the protocol specified in the next
header field.
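Parsing the fixed header and walking the Next Header chain, as an added example (not code from the course notes). The packet is constructed: IPv6, then a Hop-by-Hop options header, then UDP. Each extension header is bounds-checked against the Payload Length before it is followed, because a forged chain that runs past the payload, or a very long chain, is the usual way to push the transport header out of reach of a filter that only looks at a fixed offset.

```python
import socket
import struct

HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
UDP = 17
EXTENSION_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}
HEADER_FMT = "!IHBB16s16s"   # ver/tc/flow, payload length, next header, hop limit, src, dst


def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    """Fixed 40-byte header followed by the payload; there is no checksum field."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    header = struct.pack(HEADER_FMT, first_word, len(payload), next_header, hop_limit,
                         socket.inet_pton(socket.AF_INET6, src),
                         socket.inet_pton(socket.AF_INET6, dst))
    return header + payload


def parse_ipv6(pkt, max_extension_headers=8):
    """Decode the fixed header, then follow the Next Header chain through any
    extension headers, bounds-checking each, until the upper-layer protocol."""
    if len(pkt) < 40:
        raise ValueError("truncated: IPv6 header is 40 bytes")
    first_word, payload_len, nh, hop_limit, src, dst = struct.unpack(HEADER_FMT, pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    end = 40 + payload_len
    if len(pkt) < end:
        raise ValueError("payload length exceeds captured bytes")
    offset, chain = 40, []
    while nh in EXTENSION_HEADERS:
        if len(chain) >= max_extension_headers:
            raise ValueError("extension header chain too long")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            ext_len = 8                            # fixed size
        elif nh == AH:
            ext_len = (pkt[offset + 1] + 2) * 4    # AH length: 4-octet units, minus 2
        else:
            ext_len = (pkt[offset + 1] + 1) * 8    # 8-octet units, not counting the first 8
        if offset + ext_len > end:
            raise ValueError("extension header runs past the payload")
        chain.append(nh)
        nh = pkt[offset]                           # every extension header starts with Next Header
        offset += ext_len
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "hop_limit": hop_limit,
        "src": socket.inet_ntop(socket.AF_INET6, src),
        "dst": socket.inet_ntop(socket.AF_INET6, dst),
        "extension_chain": chain,
        "upper_protocol": nh,
        "payload": pkt[offset:end],
    }


def sample_packet():
    """Constructed packet: IPv6 -> Hop-by-Hop options -> UDP; not a real capture."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 2, 0) + b"hi"       # UDP header + 2 data bytes
    hop_by_hop = bytes([UDP, 0]) + b"\x01\x04\x00\x00\x00\x00"    # next=UDP, len=0 (8 bytes), PadN(4)
    return build_ipv6("2001:db8::1", "2001:db8::2", HOPOPTS, hop_by_hop + udp)


if __name__ == "__main__":
    print(parse_ipv6(sample_packet()))
```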
IPv6 Datagram header details
Structure of IPv6 unicast addresses:
An IPv6 unicast address is composed of three chunks:
1. A global routing prefix that is assigned to the Internet Service
Provider that owns this block of addresses
2. A subnet identifier that identifies a customer of the ISP
3. An interface identifier that identifies a particular interface on an
endsystem
* Interface identifiers are always 64 bits wide.
* This implies that, while there are 2^128 different IPv6
addresses, they must be grouped in 2^64 subnets.
* This could appear as a waste of resources
* However, using 64 bits for the host identifier allows IPv6 addresses
to be auto-configured, and also provides some benefits from a security
point of view, as explained in section ICMPv6.
* Given an address size of 128 bits, an IPv6 address therefore usually
has a /64 routing prefix
* 128 - 64 = 64 most significant bits
* The standard sub-nets are /64
Example of dividing up subnets:
Each “site” would have 2^16 subnets, where each subnet is
2^64 large.
Same as with IPv4 above: super-governmental agencies and companies assign them, and they are re-sold.
https://en.wikipedia.org/wiki/IPv6_address#Stateless_address_autoconfiguration
https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
https://en.wikipedia.org/wiki/DHCPv6
In IPv4, typical “configuration protocols” include DHCP or PPP.
For IPv6, DHCPv6 exists, but IPv6 hosts normally use the
Neighbor Discovery Protocol (NDP) to create a globally
routable unicast address.
* The host sends router solicitation requests, and an IPv6 router
responds with a prefix assignment
* NDP defines five ICMPv6 packet types for the purpose of
* router solicitation,
* router advertisement,
* neighbor solicitation,
* neighbor advertisement, and
* redirects (a router telling a host about a better first hop).
Neighbor solicitation and advertisement do the job ARP does one layer
down in IPv4: mapping an IP address to a link-layer address.
+++++++++++++++ Cahoot-04-10
We assign each interface in IPv6 multiple IP addresses:
* That is, each interface normally holds at least a link-local address
plus one or more global or unique-local addresses.
https://en.wikipedia.org/wiki/IPv6_address#Address_scopes
Each IPv6 address has a scope, which specifies in which part of the
network it is valid and unique.
* Some addresses are assumed to be unique, and are only routeable on the
local (sub-)network.
* Others must be globally unique, and are globally routeable.
IPv6 addresses are classified by three types of networking
methodologies:
1. unicast addresses identify each network
interface,
2. anycast addresses identify a group of interfaces,
usually at different locations of which the nearest one is automatically
selected, and
3. multicast addresses are used to deliver one packet
to many interfaces. (Reaching just the nearest one of many of Google’s
servers is the anycast case above, not multicast.)
The broadcast method is not implemented in IPv6.
Globally addressable unique address.
https://en.wikipedia.org/wiki/IPv6_address#Unicast_and_anycast_address_format
Unicast and anycast addresses are typically composed of two logical
parts:
1. a 64-bit network prefix used for routing, and
2. a 64-bit interface identifier used to identify a host’s network
interface.
Typical sizes of the IPv6 unicast address blocks given out
are:
* /32 for an Internet Service Provider
* /48 for a single company
* /56 for small user sites (organizations)
* /64 for a single user (e.g. a home user connected via ADSL)
* /128 in the rare case when it is known that no more than one end-host
will be attached
fe80::/10 is the link-local prefix. The interface identifier can be
derived from the MAC address (modified EUI-64: split the 48-bit MAC in
the middle, insert ff:fe, and flip the universal/local bit, 0x02 of the
first byte), so
00:a0:cc:24:b0:e4
is thus
fe80::2a0:ccff:fe24:b0e4
Like 127.0.0.1,
::1 is localhost (loopback).
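The MAC-to-link-local derivation shown above, as an added example (not code from the course notes), together with its inverse. The inverse is the security point: an EUI-64 interface identifier carries the hardware address into every address the host uses, including global ones, which is why privacy (RFC 8981) and stable-opaque (RFC 7217) identifiers exist. The sample MAC is the one from the notes.

```python
import ipaddress

LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6   # fe80::/64, the part of fe80::/10 actually used


def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier: split the MAC in half,
    insert ff:fe, and flip the universal/local bit (0x02 of the first byte)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:a0:cc:24:b0:e4")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac):
    """The address a host autoconfigures on its link from its MAC (RFC 4291 style)."""
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + modified_eui64(mac)))


def mac_from_eui64_address(addr):
    """The inverse: if the interface identifier is MAC-derived, recover the MAC.
    Returns None otherwise (e.g. random or privacy identifiers)."""
    raw = ipaddress.IPv6Address(addr).packed
    iid = raw[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    ll = link_local_from_mac("00:a0:cc:24:b0:e4")
    print(ll, "->", mac_from_eui64_address(ll))
    print("2001:db8::2a0:ccff:fe24:b0e4 leaks", mac_from_eui64_address("2001:db8::2a0:ccff:fe24:b0e4"))
```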
https://en.wikipedia.org/wiki/Unique_local_address
* Have global scope, but they are not globally administered.
* As a result, only other hosts in the same administrative domain (e.g.,
an organization), or within a cooperating administrative domain are able
to reach such addresses, if properly routed.
* As their scope is global, these addresses are valid as a source
address when communicating with any other global-scope address, even
though it may be impossible to route packets from the destination back
to the source.
IPv6 has moved away from LAN-layer broadcast, instead providing a
wide range of LAN-layer multicast groups.
* The low order 112 bits of an IPv6 multicast address are the group’s
identifier.
* The high order bits are used as a marker to distinguish multicast
addresses from unicast addresses.
* Notably, the 4-bit flags field indicates whether the address is
temporary or permanent.
* Finally, the scope field indicates the boundaries of the forwarding of
packets destined to a particular address.
* A link-local scope indicates that a router should not forward a packet
destined to such a multicast address.
* An organization local-scope indicates that a packet sent to such a
multicast destination address should not leave the organization.
* Finally the global scope is intended for multicast groups spanning the
global Internet.
++++++++++++++++++ Cahoot-04-11
https://en.wikipedia.org/wiki/IPv6_deployment
* IPv6 was designed as a replacement for IPv4 which has been in use
since 1982, and is in the final stages of exhausting its unallocated
address space, but still carries most Internet traffic.
* By 2011, all major operating systems in use on personal computers and
server systems had production-quality IPv6 implementations.
Number of IPv6 prefixes and AS on the Internet since 2003
Monthly IPv6 allocations per RIR.
Demo: actually check these out in class
(interesting).
https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption
https://en.wikipedia.org/wiki/IPv6_transition_mechanism
The bad thing about IPv6 jokes is that nobody wants to tell them first.
This section can be broken down into a several different
situations:
1. IPv6-only end-machine to IPv6-only end-machine connections, which
must pass through IPv4-only core.
2. IPv4-only end-machine to IPv4 end-machine connections, which must
pass through IPv6-only core (more rare in USA).
3. IPv6 and IPv4 co-existence, and prioritization when both are
available.
4. IPv6-only end-machine connecting to an IPv4-only end-machine, and
vice-versa.
https://en.wikipedia.org/wiki/IPv6_transition_mechanism#DNS64
DNS review
* For IPv4 addresses, DNS maintains so-called “A” records, for
“Address”.
* The IPv6 equivalent is the “AAAA” record, for “Address four times
longer”.
* A dual-stack machine usually requests both.
* These are separate queries: a DNS server answering an A query does
not automatically include the corresponding AAAA record, so the
resolver must ask for each record type it wants.
Dual-stack
* Machines that can do both IPv4 and IPv6
* Probably the most straightforward way to introduce IPv6-capable nodes
is a dual-stack approach, where IPv6 nodes also have a complete IPv4
implementation.
* Such a node, referred to as an IPv6/IPv4 node in RFC 4213, has the
ability to send and receive both IPv4 and IPv6 datagrams.
* When interoperating with an IPv4 node, an IPv6/IPv4 node can use IPv4
datagrams
* When interoperating with an IPv6 node, it can speak IPv6.
* IPv6/IPv4 nodes must have both IPv6 and IPv4 addresses.
* Nodes must be able to determine whether another node is IPv6-capable
or IPv4-only.
* This problem can be solved using the DNS, which can return an IPv6
address if the node name being resolved is IPv6-capable, or otherwise
return an IPv4 address.
* Of course, if the node issuing the DNS request is only IPv4-capable,
the DNS returns only an IPv4 address.
https://en.wikipedia.org/wiki/Tunnel_broker
https://en.wikipedia.org/wiki/6in4
A tunnel broker provides IPv6 connectivity by encapsulating IPv6
traffic in IPv4 Internet transit links, typically using 6in4.
This establishes pseudo-end-to-end IPv6 tunnels within the IPv4
Internet.
https://en.wikipedia.org/wiki/IPv6_transition_mechanism
An IPv6 packet walks into a bar.
Nobody talks to him.
https://en.wikipedia.org/wiki/IPsec
While TLS or SSH secure the application layer, IPsec can encrypt end-to-end at the network layer:
Cryptographic agreement.
* two communicating hosts to agree on cryptographic algorithms and
keys.
Encryption of IP datagram payloads.
* When the sending host receives a segment from the transport layer,
IPsec encrypts the payload.
* The payload can only be decrypted by IPsec in the receiving host.
Data integrity.
* allows the receiving host to verify that the datagram’s header fields
and encrypted payload were not modified while the datagram was en route
from source to destination.
Origin authentication.
* When a host receives an IPsec datagram from a trusted source (one
whose key it trusts; see below), the host is assured that the source IP
address in the datagram is the actual source of the datagram.
* When two hosts have an IPsec session established between them, all TCP
and UDP segments sent between them will be encrypted and
authenticated.
IPsec therefore provides blanket coverage, securing all communication
between the two hosts for all network applications.
Two major modes of operation: transport mode (protects the payload
between two hosts) and tunnel mode (wraps the whole original datagram in
a new one, typically between security gateways).
IPsec uses the following protocols to perform various functions:
Authentication Headers (AH)
* provides connectionless data integrity and data origin authentication
for IP datagrams and provides protection against replay attacks.
Encapsulating Security Payloads (ESP)
* provides confidentiality, connectionless data integrity, data origin
authentication, an anti-replay service (a form of partial sequence
integrity), and limited traffic-flow confidentiality.
Internet Security Association and Key Management Protocol
(ISAKMP)
* provides a framework for authentication and key exchange, with actual
authenticated keying material provided either by manual configuration
with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized
Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.
* The purpose is to generate the Security Associations (SA) with the
bundle of algorithms and parameters necessary for AH and/or ESP
operations.
For more, see latter section (coming up).
https://en.wikipedia.org/wiki/IP_over_Avian_Carriers
Some of this stuff is not quite data, not quite control…
ICMP differs from transport protocols such as TCP and
UDP, in that:
it is not typically used to exchange data between systems,
nor is it regularly employed by end-user network applications,
with the exception of some diagnostic tools like ping and traceroute.
ICMP uses the basic support of IP as if it were a higher level
protocol,
however, ICMP is actually an integral part of IP.
Although ICMP messages are contained within standard IP packets,
ICMP messages are usually processed as a special case,
distinguished from normal IP processing.
It is often necessary to inspect the contents of the ICMP message,
and deliver an appropriate error message,
to the application responsible for transmission of the IP packet,
that prompted the sending of the ICMP message.
ICMP is a network layer protocol.
There is no TCP or UDP port number associated with ICMP packets,
as these numbers are associated with the transport layer above.
ICMP is often considered part of IP,
but architecturally it lies just above IP,
as ICMP messages are carried inside IP datagrams.
That is, ICMP messages are carried as IP payload,
just as TCP or UDP segments are carried as IP payload.
When a host receives an IP datagram,
with ICMP specified as the upper-layer protocol,
it demultiplexes the datagram’s contents to ICMP,
just as it would demultiplex a datagram’s content to TCP or UDP.
Wikipedia
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6
V1-computer-networking
https://www.computer-networking.info/1st/html/network/network.html#icmp-version-4
https://www.computer-networking.info/1st/html/network/network.html#icmp-version-6
V2-computer-networking
https://www.computer-networking.info/2nd/html/protocols/ipv6.html#icmp-version-6
Intronetworks
http://intronetworks.cs.luc.edu/current2/uhtml/ipv4.html#internet-control-message-protocol
http://intronetworks.cs.luc.edu/current2/uhtml/ipv6b.html#icmpv6
ICMP messages are typically used for diagnostic or control
purposes,
or generated in response to errors in IP operations (as specified in RFC
1122).
ICMP errors are directed to the source IP address of the originating
packet.
It is sometimes necessary for intermediate routers, or the destination
host,
to inform the sender of the packet of a problem,
that occurred while processing a packet.
Reporting is done by the Internet Control Message Protocol (ICMP).
ICMP is defined in RFC 792.
ICMP messages are carried as the payload of IP packets
(the protocol value reserved for ICMP is 1).
An ICMP message is composed of an 8 byte header, and a variable length
payload,
that usually contains the first bytes of the erroneous packet,
that triggered the transmission of the ICMP message.
ICMP is, like IP, host-to-host,
and so its packets are never delivered to a specific port,
even if they are sent in response to an error,
related to something sent from a port.
Individual UDP and TCP connections do not receive ICMP messages,
even when it would be helpful to get them.
ICMP messages are identified by an 8-bit type field,
followed by an 8-bit subtype, or code.
The ICMP packet is encapsulated in an IPv4 packet.
The packet consists of header and data sections.
Only part of this diagram is the ICMP header:
The Type and Code fields indicate the
type of problem,
that was detected by the sender of the ICMP message.
The Checksum protects the entire ICMP message against
transmission errors.
The Data field contains additional information for some
ICMP messages.
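The 8-byte header and its checksum, as an added example (not the course’s ICMP-ping code): build an echo request, then parse and verify one. The Internet checksum (RFC 1071) is the one’s-complement sum of the 16-bit words over the whole message; a message whose checksum field is correct sums to zero, which is the check a receiver makes before trusting any other field.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_HEADER = "!BBHHH"   # type, code, checksum, identifier, sequence (8 bytes)


def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit big-endian words, then complement."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload=b"", kind=ICMP_ECHO_REQUEST):
    """Echo request/reply: checksum is computed with the field zeroed, then filled in."""
    header = struct.pack(ICMP_HEADER, kind, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack(ICMP_HEADER, kind, 0, csum, ident, seq) + payload


def parse_icmp(message):
    """Split type/code/id/seq/data after verifying the checksum over the whole message."""
    if len(message) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if internet_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    kind, code, _, ident, seq = struct.unpack(ICMP_HEADER, message[:8])
    return {"type": kind, "code": code, "id": ident, "seq": seq, "data": message[8:]}


if __name__ == "__main__":
    msg = build_echo(0x1234, 1, bytes(56))     # ping's default 56 data bytes -> 64-byte message
    print(len(msg), "bytes:", parse_icmp(msg))
```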
ICMP packets come in a variety of types (see these in class):
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages
echo request/reply
https://en.wikipedia.org/wiki/Ping_(networking_utility)
https://en.wikipedia.org/wiki/ICMP_Time_Exceeded
https://en.wikipedia.org/wiki/ICMP_Router_Discovery_Protocol
ICMPv6 specifies two classes of messages: error messages that indicate a problem in handling a packet, and informational messages. Four types of error messages are defined in RFC 4443:
1: Destination Unreachable. Such an ICMPv6 message is sent when the
destination address of a packet is unreachable. The code field of the
ICMP header contains additional information about the type of
unreachability. The following codes are specified in RFC 4443
0: No route to destination. This indicates that the router that sent the
ICMPv6 message did not have a route towards the packet’s
destination
1: Communication with destination administratively prohibited. This
indicates that a firewall has refused to forward the packet towards its
destination.
2: Beyond scope of source address. This message can be sent if the
source is using link-local addresses to reach a global unicast address
outside its subnet.
3: Address unreachable. This message indicates that the packet reached
the subnet of the destination, but the host that owns this destination
address cannot be reached.
4: Port unreachable. This message indicates that the IPv6 packet was
received by the destination, but there was no application listening to
the specified port.
2: Packet Too Big. The router that was to send the ICMPv6 message received an IPv6 packet that is larger than the MTU of the outgoing link. The ICMPv6 message contains the MTU of this link in bytes. This allows the sending host to implement Path MTU discovery RFC 1981
3: Time Exceeded. This error message can be sent either by a router or by a host. A router would set code to 0 to report the reception of a packet whose Hop Limit reached 0. A host would set code to 1 to report that it was unable to reassemble received IPv6 fragments.
4: Parameter Problem. This ICMPv6 message is used to report either the reception of an IPv6 packet with an erroneous header field (type 0) or an unknown Next Header or IP option (types 1 and 2). In this case, the message body contains the erroneous IPv6 packet and the first 32 bits of the message body contain a pointer to the error.
Two types of informational ICMPv6 messages are defined in RFC 4443: echo request and echo reply, which are used to test the reachability of a destination by using ping6(8).
Use ICMP messages for user-space purpose.
$ man ping
$ man ping6
In class: check out wireshark of ping packets
https://en.wikipedia.org/wiki/Ping_(networking_utility)
$ man traceroute
$ man traceroute6
In class: check out wireshark of traceroute packets
https://en.wikipedia.org/wiki/Traceroute
https://en.wikipedia.org/wiki/Ping_of_death
A correctly formed ping packet is typically 56 bytes in size, or 64
bytes when the ICMP header is considered, and 84 bytes including
Internet Protocol version 4 header.
However, any IPv4 packet (including pings) may be as large as 65,535
bytes.
Some computer systems were never designed to properly handle a ping
packet larger than the maximum packet size because it violates the
Internet Protocol.
Like other large but well-formed packets, a ping of death is fragmented
before transmission, every fragment but the last carrying a multiple of
8 octets and the Fragment Offset counting in 8-octet units.
However, when the target computer reassembles the malformed packet, a
buffer overflow can occur, causing a system crash and potentially
allowing the injection of malicious code.
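Fragmentation and reassembly with the checks a receiver needs, as an added example (not code from the course notes). It serves both the Identification/Fragment Offset discussion in the IPv4 header section and the ping of death above: the sender side splits a payload into 8-octet-aligned fragments, and the reassembler refuses any fragment whose offset plus length would run past the 65,535-byte limit (the ping of death) or that overlaps data already received (the teardrop family). Inputs are constructed; fragments are dicts rather than raw IPv4 headers.

```python
MAX_DATAGRAM = 65535          # IPv4 Total Length is a 16-bit field
IPV4_HEADER = 20              # minimal header; fragment payloads may total at most 65515
MAX_PAYLOAD = MAX_DATAGRAM - IPV4_HEADER


def fragment(payload, mtu=1500, ident=1):
    """Split payload the way a sender does: every non-final fragment carries a
    multiple of 8 bytes, and offsets are stored in 8-octet units."""
    chunk = (mtu - IPV4_HEADER) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("datagram would exceed 65535 bytes")
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        frags.append({"id": ident, "offset": start // 8,
                      "mf": start + chunk < len(payload), "data": data})
    return frags


class Reassembler:
    """Collects fragments per Identification and returns the datagram once it
    is complete. Rejects a fragment whose offset+length passes the 65535-byte
    limit (ping of death) and any overlapping fragment (teardrop family)."""

    def __init__(self):
        self.pending = {}   # id -> {"parts": {start: data}, "total": final length or None}

    def add(self, frag):
        start = frag["offset"] * 8
        end = start + len(frag["data"])
        if end > MAX_PAYLOAD:
            raise ValueError(f"fragment ends at byte {end + IPV4_HEADER} > 65535 (ping of death)")
        if frag["mf"] and len(frag["data"]) % 8:
            raise ValueError("non-final fragment length not a multiple of 8")
        state = self.pending.setdefault(frag["id"], {"parts": {}, "total": None})
        for s, d in state["parts"].items():
            if start < s + len(d) and s < end:
                raise ValueError("overlapping fragment")
        state["parts"][start] = frag["data"]
        if not frag["mf"]:
            state["total"] = end
        return self._try_complete(frag["id"])

    def _try_complete(self, ident):
        state = self.pending[ident]
        if state["total"] is None:      # last fragment not seen yet
            return None
        out, pos = bytearray(), 0
        for start in sorted(state["parts"]):
            if start != pos:            # a hole remains
                return None
            out += state["parts"][start]
            pos += len(state["parts"][start])
        if pos != state["total"]:
            return None
        del self.pending[ident]
        return bytes(out)


if __name__ == "__main__":
    r = Reassembler()
    for f in reversed(fragment(bytes(range(256)) * 20, ident=9)):   # arrive out of order
        done = r.add(f)
    print("reassembled", len(done), "bytes")
    try:
        r.add({"id": 2, "offset": 8191, "mf": False, "data": bytes(20)})
    except ValueError as e:
        print("rejected:", e)
```

A real stack also times out incomplete datagrams, since an attacker can otherwise fill reassembly memory with fragments that never complete.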
https://en.wikipedia.org/wiki/Ping_flood
A ping flood is a simple denial-of-service attack where the attacker
overwhelms the victim with ICMP “echo request” (ping) packets.
This is most effective by using the flood option of ping which sends
ICMP packets as fast as possible without waiting for replies.
https://en.wikipedia.org/wiki/ICMP_tunnel
An ICMP tunnel establishes a covert connection between two remote
computers (a client and proxy), using ICMP echo requests and reply
packets.
An example of this technique is tunneling complete TCP traffic over ping
requests and replies.
ICMP tunneling can be used to bypass firewalls rules through obfuscation
of the actual traffic.
Depending on the implementation of the ICMP tunneling software, this
type of connection can also be categorized as an encrypted communication
channel between two computers. Without proper deep packet inspection or
log review, network administrators will not be able to detect this type
of traffic through their network.
ICMP-tunnels are sometimes used to circumvent firewalls that block
traffic between the LAN and the outside world.
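What the log review mentioned above can look for, as an added example (not code from the course notes): the records are constructed (one ordinary ping session and one tunnel-like session), and the detector flags a source when most of its echo requests have atypical sizes, when sizable payloads have near-random byte entropy, when the request rate is far above a human pinging, and, the strongest signal, when echo replies carry data different from the request they answer, which RFC 792 says must be echoed back unchanged.

```python
import hashlib
import math
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
TYPICAL_LENS = {32, 56, 64}   # Windows, Linux and macOS default echo payload sizes
RATE_LIMIT = 300.0            # echo requests per minute per source (5/s)
ENTROPY_LIMIT = 7.0           # bits per byte; only judged on payloads >= 256 bytes


def entropy(data):
    """Shannon entropy in bits/byte; near 8 means encrypted or compressed data."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_icmp_tunnel(records):
    """records: dicts with ts (seconds), src, dst, type, id, seq, payload (bytes).
    Returns {requester: [reasons]} for sources worth investigating."""
    by_src = defaultdict(list)
    pending = {}                     # (src, dst, id, seq) -> request payload
    mismatched = defaultdict(int)    # requester -> replies whose data differs
    for r in records:
        if r["type"] == ECHO_REQUEST:
            by_src[r["src"]].append(r)
            pending[(r["src"], r["dst"], r["id"], r["seq"])] = r["payload"]
        elif r["type"] == ECHO_REPLY:
            req = pending.pop((r["dst"], r["src"], r["id"], r["seq"]), None)
            if req is not None and req != r["payload"]:
                mismatched[r["dst"]] += 1
    findings = {}
    for src, reqs in by_src.items():
        reasons, n = [], len(reqs)
        if sum(len(r["payload"]) not in TYPICAL_LENS for r in reqs) > n // 2:
            reasons.append("atypical payload sizes")
        if sum(len(r["payload"]) >= 256 and entropy(r["payload"]) > ENTROPY_LIMIT for r in reqs) > n // 2:
            reasons.append("high-entropy payloads")
        span = max(r["ts"] for r in reqs) - min(r["ts"] for r in reqs)
        rate = n / (max(span, 1.0) / 60.0)
        if rate > RATE_LIMIT:
            reasons.append(f"{rate:.0f} echo requests/min")
        if mismatched[src]:
            reasons.append(f"{mismatched[src]} replies whose data differs from the request")
        if reasons:
            findings[src] = reasons
    return findings


def sample_records():
    """Constructed records, not a real capture: a normal ping session from
    10.0.0.8 and a tunnel-like session from 10.0.0.7 to the same host."""
    normal = b"\x00" * 8 + bytes(range(0x10, 0x10 + 48))   # Linux-style 56-byte pattern
    recs = []
    for i in range(5):
        recs.append({"ts": float(i), "src": "10.0.0.8", "dst": "203.0.113.9",
                     "type": ECHO_REQUEST, "id": 1, "seq": i, "payload": normal})
        recs.append({"ts": i + 0.01, "src": "203.0.113.9", "dst": "10.0.0.8",
                     "type": ECHO_REPLY, "id": 1, "seq": i, "payload": normal})
    for i in range(40):   # 1 KiB of pseudo-random data each way, 20 requests per second
        up = b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(32))
        down = b"".join(hashlib.sha256(bytes([i, j, 1])).digest() for j in range(32))
        recs.append({"ts": i * 0.05, "src": "10.0.0.7", "dst": "203.0.113.9",
                     "type": ECHO_REQUEST, "id": 7, "seq": i, "payload": up})
        recs.append({"ts": i * 0.05 + 0.01, "src": "203.0.113.9", "dst": "10.0.0.7",
                     "type": ECHO_REPLY, "id": 7, "seq": i, "payload": down})
    return recs


if __name__ == "__main__":
    for src, reasons in detect_icmp_tunnel(sample_records()).items():
        print(src, "->", "; ".join(reasons))
```

Size and rate thresholds are tunable and a careful tunnel can stay under them by using 56-byte payloads at one packet per second; the reply-mismatch check survives that, which is why the payloads themselves, not just counters, must be logged.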
Data storage exploit
https://www.youtube.com/watch?v=JcJSW7Rprio
In class:
Check out ICMP-ping python code:
(user@vm-wnet:
../CS3610/pa04_icmp_grader/background_reading/ICMP-ping)
introduce traceroute python code for next week:
(user@vm-wnet:
../CS3610/pa04_icmp_grader/background_reading/ICMP-traceroute)
Will cover during data-link layer, though it’s the glue between network and data-link layers.
(a preview of datalink / MAC / LAN layer)
https://www.homenethowto.com/basics/default-gateway-finding-other-ip-networks/
https://en.wikipedia.org/wiki/Default_gateway
Q:
When a computer wants to send an IP packet,
how does it know to send it on the LAN, or to the internet,
though it’s gateway router?
A:
Using the IP address and its sub-net information,
either in the form of the sub-net mask or CIDR notation.
IP is not the only network layer protocol: others serve complementary purposes (ICMP, IPsec, the routing protocols), and there are full alternatives, which are not popular.
https://en.wikipedia.org/wiki/Network_layer#Protocols
https://en.wikipedia.org/wiki/Internet_layer
Next: 05-Security.html