92 Chapter 3 ISO Model, Network Security, and Protocols
Another important protocol in the TCP/IP protocol suite operates at the Network layer of the OSI model, namely Internet Protocol (IP). IP provides route addressing for data packets. Similar to UDP, IP is connectionless and is an unreliable datagram service: it does not guarantee that packets will be delivered, that they will arrive in the order in which they were sent, or that they will not be delivered more than once. Thus, you must employ TCP on top of IP to gain reliable and controlled communication sessions.
Other protocols and functions at the OSI model Network layer include ICMP, IGMP, and NAT (strictly speaking, NAT is an address-rewriting function performed by routers and firewalls rather than a protocol of its own).
ICMP
Internet Control Message Protocol (ICMP) is used to determine the health of a network or a specific link. ICMP is utilized by ping, traceroute, pathping, and other network management tools. The ping utility sends ICMP echo request packets and waits for the echo replies that remote systems bounce back. Thus, ping can be used to determine whether the remote system is online, whether it is responding promptly, whether the intermediary systems are supporting communications, and how efficiently those intermediary systems are forwarding traffic. Because an echo reply is simply addressed to whatever source address the request carried, a sender who forges the source address can have the replies delivered to a destination other than the system of origin. Unfortunately, this ICMP behavior is often exploited in various forms of bandwidth-based denial-of-service attacks, in which large numbers of forged echo requests produce floods of replies aimed at a victim. The IP header protocol field value for ICMP is 1.
IGMP
Internet Group Management Protocol (IGMP) allows systems to support multicasting. Multicasting is the transmission of data to multiple specific recipients. (RFC 1112 discusses the requirements to perform IGMP multicasting.) IGMP is used by IP hosts to register their dynamic multicast group membership. It is also used by connected routers to discover these groups. The IP header protocol field value for IGMP is 2.
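As an added example (this code is not from the original text), the following Python parses a raw IPv4 packet, reads the protocol field that distinguishes ICMP (1) from IGMP (2), decodes an ICMP echo request or reply, and verifies the RFC 1071 checksums. It also shows why forged echo requests are useful to an attacker: the reply a host generates is addressed to whatever source address the request claimed. All addresses and packet bytes are constructed here for the demonstration.

```python
"""Added example (not from the original text): parse an IPv4 packet, read the
protocol field (1 = ICMP, 2 = IGMP), decode an ICMP echo request or reply, and
verify the RFC 1071 checksums.  Packets below are constructed for the demo."""
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IP_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header without options
ICMP_FMT = "!BBHHH"           # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented.
    Run over a header that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    header = struct.pack(ICMP_FMT, icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)    # ICMP checksum covers header + data
    return struct.pack(ICMP_FMT, icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options).  The source address is whatever the
    sender writes there; nothing in the packet proves it is genuine."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Return the IP fields a filter would look at, plus ICMP details if present."""
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "protocol": proto, "protocol_name": PROTO_NAMES.get(proto, "other")}
    body = pkt[ihl:total_len]
    if proto == 1:
        if inet_checksum(body) != 0:
            raise ValueError("bad ICMP checksum")
        icmp_type, code, _csum, ident, seq = struct.unpack(ICMP_FMT, body[:8])
        kind = {ICMP_ECHO_REQUEST: "echo-request", ICMP_ECHO_REPLY: "echo-reply"}.get(icmp_type, "other")
        info["icmp"] = {"type": icmp_type, "code": code, "kind": kind,
                        "id": ident, "seq": seq, "payload": body[8:]}
    return info


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_packet(pkt)
        return True
    except (ValueError, struct.error):
        return False


def echo_reply(request: bytes) -> bytes:
    """What a host does with an echo request: swap the addresses, echo the data.
    The reply goes to the *claimed* source, so a forged source address redirects
    it to a third party; that is the lever used by ICMP flood attacks."""
    req = parse_packet(request)
    if req["protocol"] != 1 or req["icmp"]["kind"] != "echo-request":
        raise ValueError("not an echo request")
    body = build_icmp_echo(req["icmp"]["id"], req["icmp"]["seq"], req["icmp"]["payload"], reply=True)
    return build_ipv4(req["dst"], req["src"], 1, body)


if __name__ == "__main__":
    # Constructed traffic: a request forged to claim the victim 203.0.113.9 as its source.
    forged = build_ipv4("203.0.113.9", "192.0.2.10", 1, build_icmp_echo(0x1234, 7, b"ping-data"))
    print("reply is sent to", parse_packet(echo_reply(forged))["dst"], "not to the real sender")
```

The checksum routine is the same one IPv4, ICMP, and IGMP all use; a receiver verifies it by summing the header with the checksum field included and expecting zero.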
ARP and Reverse ARP
Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP) are two important protocols you need to be familiar with. ARP is used to resolve IP addresses (32-bit binary numbers used for logical addressing) into MAC (Media Access Control) addresses. MAC addresses are 48-bit binary numbers used for hardware addressing, conventionally written as six pairs of hexadecimal digits (for example, 00:1A:2B:3C:4D:5E); the first three pairs identify the manufacturer, which assigns the complete address to the network interface card. Traffic on a network segment (e.g., systems cabled to the same hub or switch) is delivered from its source system to its destination system using MAC addresses, so a host must resolve the MAC address of the next hop before it can transmit an IP packet. RARP is used to resolve MAC addresses into IP addresses; historically it let diskless workstations learn their own IP address at boot time.
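The ARP exchange described above, as an added example in Python that is not part of the original text: the requesting host broadcasts "who has this IP address?", the owner of the address answers with a unicast reply, and the requester records the answer in its cache. The MAC and IP addresses are constructed for the demonstration.

```python
"""Added example (not from the original text): build and decode the ARP
request/reply exchange by which a host resolves an IP address to a MAC address.
All addresses below are constructed for the demonstration."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must be six hex octets")
    return bytes(int(p, 16) for p in parts)

def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)

def ip_to_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return bytes(octets)

def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """28-byte ARP body for Ethernet (htype 1) carrying IPv4 (ptype 0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(body: bytes) -> dict:
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"opcode": opcode, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}

def ethernet_frame(dst_mac, src_mac, ethertype, payload) -> bytes:
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> tuple:
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12]), ethertype, frame[14:]


def arp_request(my_mac, my_ip, want_ip) -> bytes:
    """'Who has want_ip? Tell my_ip' -- broadcast, because the target MAC is unknown."""
    body = build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", want_ip)
    return ethernet_frame(BROADCAST_MAC, my_mac, ETHERTYPE_ARP, body)

def arp_answer(frame: bytes, my_mac: str, my_ip: str):
    """Only the owner of the requested IP replies, unicast to the asker."""
    _dst, _src, ethertype, body = parse_frame(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    req = parse_arp(body)
    if req["opcode"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    body = build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])
    return ethernet_frame(req["sender_mac"], my_mac, ETHERTYPE_ARP, body)

def learn_from_reply(frame: bytes, asked_ip: str, cache: dict) -> dict:
    """Record a reply only if it answers the address we actually asked about."""
    _dst, _src, ethertype, body = parse_frame(frame)
    if ethertype == ETHERTYPE_ARP:
        rep = parse_arp(body)
        if rep["opcode"] == ARP_REPLY and rep["sender_ip"] == asked_ip:
            cache[rep["sender_ip"]] = rep["sender_mac"]
    return cache


if __name__ == "__main__":
    req = arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
    rep = arp_answer(req, "aa:bb:cc:dd:ee:01", "192.168.1.1")
    print(learn_from_reply(rep, "192.168.1.1", {}))   # {'192.168.1.1': 'aa:bb:cc:dd:ee:01'}
```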
NAT
Network Address Translation (NAT) was developed to allow private networks to use, internally, IP addresses that are reserved for private use or that would otherwise collide with addresses already in use on the public Internet. In effect, NAT translates the IP addresses of your internal clients to leased, publicly routable addresses as traffic leaves your environment. Most often, a private network employs the private IP addresses defined in RFC 1918. The private IP address ranges are 10.0.0.0–10.255.255.255 (10.0.0.0/8, an entire Class A range), 172.16.0.0–172.31.255.255 (172.16.0.0/12, 16 Class B ranges), and 192.168.0.0–192.168.255.255 (192.168.0.0/16, 256 Class C ranges). These ranges are reserved for use by private networks and are not routed on the public Internet: Internet service providers and backbone routers do not advertise routes for them and commonly filter packets carrying a source or destination address from these ranges, so attempting to use these addresses directly on the Internet is futile.
Communications and Network Security 93
Frequently, security professionals refer to NAT when they really mean PAT. By definition, NAT maps one internal IP address to one external IP address. However, Port Address Translation (PAT) maps an internal IP address and port to an external IP address and port number combination. Thus, PAT can theoretically support 65,536 (2^16) simultaneous communications from internal clients over a single external leased IP address, one per distinct external port (in practice fewer, since well-known and reserved ports are not used for translation). So with NAT, you must lease as many public IP addresses as internal clients you wish to have communicating simultaneously, while with PAT you can lease fewer IP addresses and obtain a reasonable 100:1 ratio of internal clients to external leased IP addresses.
NAT can be used in two modes: static and dynamic. Static mode NAT is used when a specific internal client's IP address is assigned a permanent mapping to a specific external public IP address. This allows external entities to initiate communication with systems inside your network even if you are using the RFC 1918 IP addresses. Dynamic mode NAT is used to grant multiple internal clients access to a few leased public IP addresses. Thus, a large internal network can still access the Internet without having to lease a large block of public IP addresses. This keeps public IP address consumption to a minimum and helps keep Internet access costs down. In a dynamic mode NAT implementation, the NAT system maintains a table of active mappings so that all response traffic from Internet services is properly routed back to the original internal requesting client; inbound traffic that matches no mapping has no internal destination and is dropped, which is why dynamic NAT incidentally shields internal hosts from unsolicited connections. Often NAT is combined with a proxy server or proxy firewall to provide additional Internet access and content caching features. NAT is not directly compatible with IPsec because it modifies packet headers: the IPsec Authentication Header (AH) integrity check covers the IP addresses, so a translated packet fails verification, and ESP encrypts the transport-layer ports that PAT needs to rewrite. NAT Traversal (NAT-T, RFC 3948) works around this by encapsulating ESP in UDP.
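As an added example (not code from the original text), the following Python models the mapping table that a NAT/PAT device keeps: a static one-to-one mapping for a server, and PAT allocating a public port per internal (address, port) pair so that replies can be routed back to the right client. It also shows the two failure modes a practitioner cares about: an inbound packet with no mapping is dropped, and a PAT device with no free ports cannot open new sessions. The addresses and the deliberately tiny port pool are constructed for the demonstration.

```python
"""Added example (not from the original text): a simplified NAT/PAT table.
Static NAT maps one internal address to one public address; PAT maps
(internal address, port) pairs onto a single public address plus a pool of
ports, keeping a mapping table so replies reach the right client.
All addresses here are constructed for the demonstration."""


class Translator:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.static = {}           # internal ip -> dedicated public ip (one-to-one NAT)
        self.static_rev = {}       # public ip -> internal ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.pat = {}              # (int_ip, int_port, proto) -> public port
        self.pat_rev = {}          # (public port, proto) -> (int_ip, int_port)

    def add_static(self, internal_ip: str, public_ip: str) -> None:
        self.static[internal_ip] = public_ip
        self.static_rev[public_ip] = internal_ip

    def outbound(self, pkt: dict) -> dict:
        """Rewrite a packet leaving the private network."""
        out = dict(pkt)
        if pkt["src"] in self.static:               # static NAT: address only, port untouched
            out["src"] = self.static[pkt["src"]]
            return out
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.pat:                     # first packet of a flow: allocate a port
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted")
            port = self.free_ports.pop(0)
            self.pat[key] = port
            self.pat_rev[(port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        out["src"], out["sport"] = self.public_ip, self.pat[key]
        return out

    def inbound(self, pkt: dict):
        """Rewrite a packet arriving from the Internet; None means 'no mapping, drop it'."""
        out = dict(pkt)
        if pkt["dst"] in self.static_rev:           # static mapping: always reachable
            out["dst"] = self.static_rev[pkt["dst"]]
            return out
        if pkt["dst"] != self.public_ip:
            return None
        hit = self.pat_rev.get((pkt["dport"], pkt["proto"]))
        if hit is None:                             # unsolicited: no client to deliver to
            return None
        out["dst"], out["dport"] = hit
        return out


def demo():
    t = Translator("198.51.100.1", first_port=40000, last_port=40001)   # two-port pool on purpose
    t.add_static("10.0.0.50", "198.51.100.2")
    web = {"dst": "93.184.216.34", "dport": 443, "proto": "tcp"}
    a = t.outbound(dict(web, src="10.0.0.10", sport=51000))
    b = t.outbound(dict(web, src="10.0.0.11", sport=51000))   # same internal port, different client
    reply_to_b = t.inbound({"src": "93.184.216.34", "sport": 443, "dst": "198.51.100.1",
                            "dport": b["sport"], "proto": "tcp"})
    unsolicited = t.inbound({"src": "203.0.113.5", "sport": 12345, "dst": "198.51.100.1",
                             "dport": 22, "proto": "tcp"})
    to_server = t.inbound({"src": "203.0.113.5", "sport": 12345, "dst": "198.51.100.2",
                           "dport": 22, "proto": "tcp"})
    try:
        t.outbound(dict(web, src="10.0.0.12", sport=1))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return a, b, reply_to_b, unsolicited, to_server, exhausted


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Real devices also age mappings out after an idle timeout and track TCP state, which this model omits; the point it shows is that the mapping table is what makes response traffic deliverable at all.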
Automatic Private IP Addressing (APIPA)
APIPA, or Automatic Private IP Addressing, not to be confused with RFC 1918, assigns an IP address to a system in the event of a DHCP assignment failure. APIPA is primarily a feature of Windows; the underlying mechanism is IPv4 link-local addressing as standardized in RFC 3927. APIPA assigns each failed DHCP client an IP address from the range 169.254.0.1 to 169.254.255.254 along with the default Class B subnet mask of 255.255.0.0 (RFC 3927 reserves the first and last 256 addresses of 169.254.0.0/16, so a standards-conforming host actually chooses from 169.254.1.0 to 169.254.254.255, and it probes with ARP to confirm no other host is already using the address). This allows the system to communicate with other APIPA-configured clients within the same broadcast domain but not with any system across a router or with a correctly assigned IP address.
It is a good idea to know how to convert between decimal, binary, and even hexadecimal. Also, don't forget how to convert from a dotted-decimal notation IP address (such as 172.16.1.1) to its binary equivalent (that is, 10101100 00010000 00000001 00000001, written without the spaces as 10101100000100000000000100000001). And it is probably not a bad idea to be able to convert the 32-bit binary number to a single decimal number (that is, 2886729985).
IP Classes
Basic knowledge of IP addressing and IP classes is a must for any security professional. If you are rusty on addressing, subnetting, classes, and other related topics, take the time to refresh yourself. Table 3.3 and Table 3.4 provide a quick overview of the key details of classes and default subnets.
The Loopback Address
Another IP address range that you should be careful not to confuse with RFC 1918 is the loopback address. The loopback address is purely a software entity. It is an IP address used to create a software interface that connects back to itself via the TCP/IP protocol. The loopback address allows for testing of local network settings in spite of missing, damaged, or nonfunctional network hardware and/or related device drivers. Technically, the entire 127.0.0.0/8 network (127.x.x.x) is reserved for loopback use, and a packet addressed to any of it must never be forwarded onto a physical network. However, only the 127.0.0.1 address is widely used. Windows XP SP2 (and possibly other OS updates) restricted the client to use only 127.0.0.1 as the loopback address. This caused several applications that bound services to other addresses in the upper ranges of the 127.x.x.x network to fail. In restricting client use to only 127.0.0.1, Microsoft attempted to open up a largely wasted Class A address block. Even if this tactic is successful for Microsoft, it will only affect modern Windows systems.
Table 3.3  IP Classes

Class   First Binary Digits   Decimal Range of First Octet
A       0                     1–126
B       10                    128–191
C       110                   192–223
D       1110                  224–239
E       1111                  240–255

(A first octet of 0 is reserved and 127 is the loopback network, which is why the Class A range shown is 1–126 rather than 0–127.)
Table 3.4  IP Classes Default Subnet Masks

Class   Default Subnet Mask   CIDR Equivalent
A       255.0.0.0             /8
B       255.255.0.0           /16
C       255.255.255.0         /24
D       n/a (multicast groups are not subnetted)
E       n/a (reserved, experimental)
Another option for subnetting is to use Classless Inter-Domain Routing (CIDR). CIDR notation expresses the subnet mask as a count of leading mask bits (the prefix length) rather than as a full dotted-decimal mask. Thus, instead of writing 255.255.0.0, the prefix length is appended to the IP address after a slash, e.g., 172.16.1.1/16. Because the prefix length need not fall on a class boundary, CIDR lets a block such as 172.16.0.0/12 (the RFC 1918 range spanning 16 Class B networks) or 10.1.2.0/27 (a 32-address slice of a Class A network) be described and routed as a single unit.
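The address arithmetic behind this section (dotted-decimal to 32-bit conversion, the classful rule in Table 3.3, default masks and CIDR prefixes, and membership tests for the RFC 1918, APIPA, and loopback ranges), as an added Python example that is not part of the original text. It uses plain integer math rather than a library so that the conversions are visible; the sample addresses are constructed for the demonstration.

```python
"""Added example (not from the original text): the integer arithmetic behind
IP classes, default masks, CIDR prefixes, and the special-purpose ranges
discussed in this section (RFC 1918, APIPA/link-local, loopback, multicast)."""


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    value = 0
    for o in octets:                     # each octet is one byte of the 32-bit number
        value = (value << 8) | o
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ip_to_binary(ip: str) -> str:
    return format(ip_to_int(ip), "032b")

def ip_class(ip: str) -> str:
    """Classful rule from Table 3.3: look at the leading bits of the first octet."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}   # Table 3.4; D and E have no default mask

def prefix_to_mask(prefix: int) -> str:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ip_to_int(prefix_to_mask(prefix)):   # ones must be contiguous from the left
        raise ValueError("non-contiguous mask: %s" % mask)
    return prefix

def in_network(ip: str, cidr: str) -> bool:
    net, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(prefix)))
    return ip_to_int(ip) & mask == ip_to_int(net) & mask

SPECIAL_RANGES = [
    ("loopback", "127.0.0.0/8"),
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("link-local (APIPA)", "169.254.0.0/16"),
    ("multicast", "224.0.0.0/4"),
]

def address_scope(ip: str) -> str:
    """Name the special range an address falls in, or 'public' if none applies."""
    for name, cidr in SPECIAL_RANGES:
        if in_network(ip, cidr):
            return name
    return "public"

def is_private(ip: str) -> bool:
    return address_scope(ip).startswith("private")


if __name__ == "__main__":
    for ip in ("172.16.1.1", "192.168.0.1", "169.254.7.7", "127.0.0.1", "8.8.8.8"):
        print(ip, ip_to_int(ip), ip_to_binary(ip), "class", ip_class(ip), address_scope(ip))
```

A firewall or log-triage script needs exactly these checks to decide whether an address seen in a packet could legitimately have come from the Internet; an RFC 1918, link-local, or loopback source on an external interface is a sign of spoofing or misconfiguration.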