Tag: Internet Protocol

Say Goodbye to IPv4 … it has served us well

We have a survey on IPv6, please complete it here.

Introduction

Well, when they created ARPAnet, which eventually became the Internet, they had a network of 15 nodes and 23 hosts. It basically connected nine DEC PDP-10s and five System/360s. At the time the concept of the PC, or even of computers in the home, was a long way off. So along came the concept of a layered model for networking, where we give each layer a specific role, such as the physical layer, which is responsible for the electrical characteristics of the cables and the 1s and 0s which travel along the line. The level above, named the Data Link layer, focuses on defining an orderly way for the data to get from one host to another, and introduces the concept of a hardware address. It is in the layer above that we get the concept of inter-networking, using the concept of a network address. So let’s look at IPv4 and its role, and see if we can look to the future.

Let’s take an example

Figure 1

We will create a simple network, and watch the data packets as they travel over the network (Figure 1). Let’s say that the node at 192.168.1.3 wants to communicate with 10.0.0.1. As they are on different networks, we cannot just send the data packet to the remote computer, so we need routers to be able to take packets from one network and find the best way to send them to their destination. First the host, let’s call it HOSTA, must find out the physical address of the gateway port. In this case it is the port on the router that the host connects to. So HOSTA sends out an ARP request for the physical address (typically known as the MAC address in an Ethernet network) of 192.168.1.254. This is sent to all the hosts and network connections which are contained within the area bounded by the router port. The only network connection to respond is the gateway port (at 192.168.1.254), which will send back its MAC address to HOSTA. HOSTA then adds this to its ARP cache, so that it does not have to ask for the MAC address again for a while. Now HOSTA will send out a data packet with the destination network address (10.0.0.1) and with a source address of its own network address (192.168.1.2). The physical addresses used in the Ethernet frame will be the destination MAC address of the router (1:2:3:4:5:5) with a source MAC address of the host (1:2:3:4:5:1). The router will then pick this up and examine the destination network address. It knows that it can pass it on to the next router, as this router has told it that it can reach that network in 1 hop. The network addresses will stay the same in the network packet, but the MAC addresses will now change to a destination MAC of 1:2:3:4:5:7 and a source MAC of 1:2:3:4:5:6. The next router picks it up, and actually knows that 10.0.0.x is connected to one of its ports. So it sends out an ARP request to that network asking “Who has 10.0.0.1?”, and the destination host (HOSTB) will respond with its MAC address, after which the router can then send the data packet to the destination.

And to IP

Figure 2: IP, TCP and Ethernet

We can see that the key to the data moving over the interconnected networks is the network address, and the most popular address is the one used on the Internet: IP (Internet Protocol), or more specifically IP Version 4. Figure 2 shows the basic format for IP, and also for the layer above, TCP, and for Ethernet. The first four bits of the IP header are key, as these bits define the IP version, which in most cases is Version 4. The key element of the address is the 32-bit source and destination address. At the time the Internet was created this size of address made sense, as it gave over 4 billion unique addresses. Unfortunately the number of devices which connect to the Internet has risen massively, and just last year we ran out of IP addresses which can be given out. So we are at a cross-roads. What shall we do now, if the number of devices, from laptops to mobile devices to sensors, increases by the day, all of which want a unique IP address?

Figure 3: NAT

The first solution is to use NAT (Network Address Translation), where the IP addresses on one network can be mapped to global IP addresses. In the most efficient method, many addresses can be overloaded onto a single address. In fact, if you are at home on a wireless network, there’s a good chance you are using overloaded NAT, where many addresses on the wireless network map to a single global IP address. So if you run “ipconfig” and see an address such as 192.168.0.1, which does not exist on the Internet, then your connection to the Internet will translate this address to a publicly available IP address. If you are interested, it typically does this by mapping to TCP ports. All this is fine, but it makes for a fairly private network infrastructure, in which it is difficult to give each host on the Internet the full rights to exist in its own space.
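To make the port-mapping idea concrete, here is an added example (not the author's code) of a minimal overloaded-NAT model: outbound packets from different private hosts are given distinct public ports on one shared public address, and an inbound packet with no existing mapping has nowhere to go and is dropped, which is exactly the "no right to exist in its own space" problem described above. The public address 203.0.113.5, the private hosts and the port range are constructed values.

```python
# Added example: a minimal model of overloaded (port-based) NAT.
# Not the author's code; the addresses and port range are constructed.

class OverloadNat:
    """Many private (ip, port) pairs share one public IP, told apart by public port."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (private_ip, private_port) -> public_port
        self.inbound_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; create a mapping on first use."""
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public address.
        None means there is no mapping, so the packet is dropped."""
        key = self.inbound_map.get(dst_port)
        if key is None:
            return None
        return (src_ip, src_port, key[0], key[1])


def demo():
    """Two private hosts using the same source port, plus a reply and an unsolicited packet."""
    nat = OverloadNat("203.0.113.5")
    a = nat.outbound("192.168.0.10", 51000, "198.51.100.7", 80)
    b = nat.outbound("192.168.0.11", 51000, "198.51.100.7", 80)
    reply_b = nat.inbound("198.51.100.7", 80, b[1])       # matches host .11's mapping
    unsolicited = nat.inbound("198.51.100.9", 443, 10999)  # no mapping: dropped
    return a, b, reply_b, unsolicited
```

The two private hosts both use source port 51000, which is why the translator must allocate its own public port rather than reuse the private one; a real NAT also expires mappings, which is why long-idle inbound connections silently die behind home routers.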

And so to IPv6

The solution to this problem, which will eventually be a major problem and one which will hold back the future of the Internet, is IPv6. Let’s look at a world in which we could connect every single electronic device directly to the Internet, and for it to be seen by all the other nodes. The main change is the move toward a 128-bit address, which gives up to 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 different addresses … which should be enough to go round for a long time.

In IPv4 we have four groups of decimal values, each representing 8 bits. With IPv6 addresses there are eight groups of four hexadecimal digits, separated by colons, for example:

2001:0630:0012:0600:0001:0000:0000:0107

We can compress the zeros to give:

2001:630:12:600:1::107

where the :: replaces a series of 0s.

So how do we generate an IPv6 address? Well, we can do it based on the MAC address of the computer. From:

C8-F7-33-4B-82-37

and using the EUI-64 format we generate an address of:

::CAF7:33FF:FE4B:8237

We can also define an IPv6 address with a network part and a host part. For example:

2001:630:12:600:1::107/64

gives a network part of:

2001:630:12:600::/24

and a host part of:

::1:0:0:107
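The three operations above (zero compression, EUI-64 generation from a MAC, and splitting an address into network and host parts) are worked through in this added example, which is not the author's code. It uses Python's standard ipaddress module and the /64 split of the example address; the MAC and addresses are the ones given in the post.

```python
import ipaddress


def compress_ipv6(addr):
    """Canonical compressed form: leading zeros dropped, longest zero run written as ::."""
    return str(ipaddress.IPv6Address(addr))


def eui64_interface_id(mac):
    """Build the modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytearray.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                                           # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])   # insert FFFE in the middle
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """The fe80::/64 link-local address a host would derive from its MAC."""
    return compress_ipv6("fe80::" + eui64_interface_id(mac))


def split_prefix(cidr):
    """Return (network part, host part) of an address written with a prefix length."""
    iface = ipaddress.IPv6Interface(cidr)
    net = iface.network
    host_bits = int(iface.ip) & ((1 << (128 - net.prefixlen)) - 1)
    return str(net), str(ipaddress.IPv6Address(host_bits))
```

Because the EUI-64 identifier embeds the MAC address unchanged (apart from one flipped bit), the same host is recognisable on every network it joins; that is why hosts now usually generate temporary identifiers (RFC 4941 privacy extensions) instead, and why a defender seeing an FF:FE in the middle of an interface identifier can often recover the hardware vendor from it.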

Here’s a sample for defining IPv6 on a Cisco router:

http://www.asecuritysite.com/cisco/router?chall=1ccna%2FChallenge_146

The Art of Hidden Messages

Background

– I’ve hidden a secret message in this blog … see if you can find it.

Figure 1: Covert messages

As children we used to delight in sending secret messages to our friends, using secret codes, and sometimes we would hide things in something that only those who knew where to look could find. Unfortunately, for most of us, we’ve lost that wonderment; as we grow up we find out that people think we are doing something suspicious if we send secret messages, and our skill in creating them has often gone, as we stick to standard ways of communicating with everyone else.

So when are covert messages actually used? Well, these days they are likely to be used where there are two suspects (Figure 1) who are being monitored for all their communications, and the only way they can pass messages to each other is to use a covert channel. So let’s look at some of the ways that this could be done, with very little effort.

The Mess that is the Internet

The Internet was created in a time of mainframe computers, where users typed in messages to send emails and even to access Web pages. So when you wanted to send an email you connected to port 25 on the server, and typed:

HELO myserver.com
MAIL FROM: Fred@home
RCPT TO: Bert@home
cc: My Message
DATA
How are you
.

which will send the email message to bert@home from fred@home, with the message “How are you”. The “.” on its own at the end is the marker that the message has ended and that it can be sent. You can see that it is a fairly simple method that is used to send something as important as an email, but basically it hasn’t changed, as we are still using the same old protocols that were created all those years ago. In fact … they kinda got the email address wrong, as the original proposed structure was based on X.500, which has the top-level domain first, such as Domain=uk.ac, Organisation=napier, Organisational Unit=”computing”, which would have given “uk.ac.napier.computing”, but it became standardized almost with the first email that was sent.

The same simplistic method goes for accessing Web pages, where, with the HTTP protocol, a simple “GET” is used to actually get a Web page. So how does that relate to covert messages? Well, these simple protocols are full of holes, and they are being used in ways that they were never intended for. Things like Service-Oriented Architectures are actually built around the original HTTP specification, so that a stateless protocol actually becomes a way of creating and modifying objects contained within Web accesses.

Covert Channels in IP and TCP

Figure 2: IP and TCP

The two great kings of the Internet are IP and TCP. They have done more for humankind than virtually anything else. In terms of knowledge creation and sharing, it is IP and TCP that have supported both the creation of the Internet and all the applications that are now used. The figure on the right shows the main fields used in IP and TCP, and basically they are the same as in the first data packet that was transmitted over the Internet. In IP, there’s the 32-bit IP source and destination address, which has become so successful that we have no more IP addresses to give out. And for TCP, there’s the source and destination port, which allows hosts to have many connections at the same time, each of which is unique across the whole of the Internet. It’s an amazing relationship: IP does the grunt work, it stamps the data packets for their destination and receives them on the other end, but it’s up to TCP to keep track of them and make sure that none of them get lost on the way.

So what about covert messages? Well, there are so many fields in IP and TCP that do not have a strong use that can be used for sending covert messages. In Figure 1, I’ve identified the rogues’ gallery of these, including the Fragment Offset, the TTL field and Identification for IP, and for TCP the Urgent Pointer and Data Offset. Each of these can easily support sending secret messages between two people. While most of these fields are unused, obviously the TTL field is used to make sure that the data packet doesn’t traverse the Internet forever, so how can we use that? Well, we typically only need 26 characters to send a value, so when generating we take the initial value, and then we Exclusive-OR it with the character, numbered from 0 to 25, for each of the characters. So for example, if the TTL is 255 as an initial value, the TTL value for an ‘a’ would be:

255      1111 1111
'a' (0)  0000 0000
Result:  1111 1111 (255)

and for ‘z’

255      1111 1111
'z' (25) 0001 1001
Result:  1110 0110 (230)

So hopefully the value will never fall to a point where the TTL of the packet reaches zero (and the packet is deleted).

Figure 3: IP ID Field

The strange thing about IP is that there is quite a bit of variation across its implementations, and the best example is the identification field. The only requirement is that it can uniquely identify IP fragments within a given time window. So some systems just increment this value by 1 from a random starting point (such as Microsoft Windows, as shown in the first diagram in Figure 3), or, as in Linux (second diagram in Figure 3), create a random value for each one, or, as with Solaris, increment for a while and then take a random jump (third diagram in Figure 3). Have a look at these: Windows packets.

You will see the ID field goes:

Identification: 0x1640 (5696)
Identification: 0x1641 (5697)

and for Ubuntu: Ubuntu packets.

This is a useful way for someone monitoring network packets to determine the operating system, and is used by security evaluators such as NMAP to guess the operating system type. The field could, though, be used to send covert messages, as the value within it is not checked by intermediate devices or by the end hosts.
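Both of the header fields just discussed leave a footprint that a monitor can check for. The following added example (not the author's code) runs two passive checks over a constructed list of packet summaries: it flags any source/destination pair whose TTL keeps changing (a host on a fixed path normally sends a constant TTL, so the XOR scheme above would stand out), and it classifies each sender's IP ID sequence as incremental, random or mixed, the three behaviours shown in Figure 3. The packet list, the threshold of two distinct TTLs and the "small step" of 10 are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ip_id: int
    ttl: int


# Constructed sample capture (not a real trace): the first flow behaves
# normally, the second has a TTL that changes from packet to packet.
SAMPLE = [
    Packet("192.168.1.2", "10.0.0.1", 0x1640, 128),
    Packet("192.168.1.2", "10.0.0.1", 0x1641, 128),
    Packet("192.168.1.2", "10.0.0.1", 0x1642, 128),
    Packet("192.168.1.2", "10.0.0.1", 0x1643, 128),
    Packet("192.168.1.3", "10.0.0.1", 0x3A91, 255),
    Packet("192.168.1.3", "10.0.0.1", 0xC07E, 230),
    Packet("192.168.1.3", "10.0.0.1", 0x2B10, 243),
    Packet("192.168.1.3", "10.0.0.1", 0x9D54, 247),
]


def ttls_per_flow(packets):
    """Map each (src, dst) pair to the set of TTL values seen on it."""
    seen = defaultdict(set)
    for p in packets:
        seen[(p.src, p.dst)].add(p.ttl)
    return seen


def flag_ttl_flows(packets, max_distinct=2):
    """Flows whose TTL takes more than max_distinct values. A fixed sender on a
    fixed path normally shows one value (two at most if the route flaps)."""
    return sorted(flow for flow, ttls in ttls_per_flow(packets).items()
                  if len(ttls) > max_distinct)


def classify_ip_id(ids, small_step=10):
    """Label an IP ID sequence from one sender as incremental, random or mixed
    (the Windows / Linux / Solaris patterns in Figure 3)."""
    if len(ids) < 2:
        return "unknown"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]   # 16-bit wrap-around
    small = sum(1 for d in deltas if 1 <= d <= small_step)
    if small == len(deltas):
        return "incremental"
    if small == 0:
        return "random"
    return "mixed"


def ip_id_profile(packets):
    """IP ID behaviour per source address."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p.ip_id)
    return {src: classify_ip_id(ids) for src, ids in by_src.items()}
```

Treat a flagged flow as a lead, not a verdict: several real hosts sharing one address behind NAT, or a load balancer in the path, can also produce a spread of TTLs, and a mixed IP ID profile is just as likely to be one of those NAT'd hosts rebooting as a covert sender.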

Storage or Timing

Figure 4: Timing or storage

There are obviously many ways of sending covert messages. We might, as a secret code, decide that when we met I would wear a red rose on my lapel. So if I wanted to pass a message to you, and the first letter was an ‘a’, then the binary for this is 0110 0001 (61 in hex), so the first time I would wear a rose (‘1’), then not for the next four times, then wear it the next two times, and then not the next time. In this way, as long as no-one noticed, I would send a message through our covert channel. Thus we can use either a storage channel – where we add something or not to a place – or we can use a timing channel where we change the operation of a resource. This might mean that I drive the CPU on a computer to 100% at certain times when I want to pass a 1, or leave it idle for a 0.

Figure 5: HTTP Covert Channel

So we can even use normal protocols to do this. For example, there is a Connection: Keep-Alive field in the HTTP header, which is used to tell the server that the client does not want to break the connection that it has created. This is used as it reduces the time to access more content on the site. In Figure 4 we can see that we can send a 0 when it is present, and a 1 when it is not present. For anyone viewing this communication, everything looks fine, but the suspects know where to look to find the hidden message.

Message in pictures

One obvious way to hide messages is to put them in another container, such as a graphics file. For the observer, the image looks fine, but hidden within is a message for the suspects. One way to hide a message is obviously to place it on a layer in the graphics file, and then make it invisible. In the figure we can see that if we add opacity to some text we can make it less visible, and if we turn it to 100% opacity the user will not see it. This technique works for graphics files which have layers, such as PNG and PSD, but doesn’t work with flattened formats or bitmaps, such as GIF, JPEG, and so on. As with the problems in network protocols, there are places in graphics files where we can hide things. For example, in the GIF format we can have up to 256 24-bit colours (Red, Green and Blue) which can be used in the image. So GIF is a good graphics format when we only have a few colours (such as for icons), but it is not good with photographs, as we are limited in our colour palette. So one place to hide a message is to insert it into the colour table, which might affect a few pixels, but the user might not see any changes.

I’ve hidden a message “hello” in the following image:

http://www.asecuritysite.com/information/gif?file=cat01_with_hidden_text.gif

Have a look at the two images on the right-hand side, and you will see that a few pixels around the cat have changed, as the colours that these pixels map to have been changed. Remember that each colour is 24 bits, with 8 bits for red, 8 bits for green and 8 bits for blue. So for “hello” it will change a maximum of two colours in the colour table. It could be done even more discreetly by spreading the message across the least significant bits of the colour table, so that the changes in colour would be minimal, and no user could spot the changes.

The actual format of the file, with the covert message, is:

[00000000] 47 49 46 38 39 61 64 00   GIF89ad.
[00000008] 55 00 E6 00 00 FF FF FF   U.......
[00000016] F7 F7 F6 F1 F4 F2 EE EE   ........
[00000024] EF E7 E7 E7 E1 E4 E6 DF   ........
[00000032] DE DF D7 DA DD EF CE CE   ........
[00000040] D5 D5 D5 D5 D3 D0 D9 D1   ........
[00000048] A1 CC CC CC C4 C8 CC 68   .......h
[00000056] 65 6C 6C 6F C0 D1 C6 84   ello....
[00000064] C0 BF BD BD BB B8 B8 B6   ........
[00000072] B5 B5 B3 AE AA B1 B6 AB   ........
[00000080] AC AD AB A9 A5 A6 A6 A6   ........
[00000088] A7 A5 9E AB A8 70 AC 9C   .....p..
[00000096] 9F 99 99 99 94 9A A0 8B   ........
[00000104] 95 9C 93 92 8E 8C 8D 8A   ........
[00000112] 86 8C 96 98 8B 66 90 87   .....f..
[00000120] 82 83 83 83 7A 84 8A CB   ....z...
[00000128] 5E 5E FB 48 48 82 7C 73   ^^.HH.|s
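Reading that dump by hand is tedious, so here is an added example (not the author's tool) that parses the GIF header and global colour table from the 136 bytes shown above, lists runs of printable ASCII that have ended up inside palette entries, and diffs a palette against a reference copy so the modified entries can be named. The dump is truncated, so only the first 41 of the 128 colour-table entries are available; the "clean" reference palette used in the check is constructed by undoing the two affected entries with made-up colours.

```python
import struct

# The 136 bytes shown in the hex dump above (the dump is truncated there,
# so only the first 41 of the 128 colour-table entries are available).
DUMP_HEX = """
47 49 46 38 39 61 64 00 55 00 E6 00 00 FF FF FF
F7 F7 F6 F1 F4 F2 EE EE EF E7 E7 E7 E1 E4 E6 DF
DE DF D7 DA DD EF CE CE D5 D5 D5 D5 D3 D0 D9 D1
A1 CC CC CC C4 C8 CC 68 65 6C 6C 6F C0 D1 C6 84
C0 BF BD BD BB B8 B8 B6 B5 B5 B3 AE AA B1 B6 AB
AC AD AB A9 A5 A6 A6 A6 A7 A5 9E AB A8 70 AC 9C
9F 99 99 99 94 9A A0 8B 95 9C 93 92 8E 8C 8D 8A
86 8C 96 98 8B 66 90 87 82 83 83 83 7A 84 8A CB
5E 5E FB 48 48 82 7C 73
"""
GIF_BYTES = bytes.fromhex(DUMP_HEX)
GCT_OFFSET = 13   # signature (6 bytes) + logical screen descriptor (7 bytes)


def parse_gif_header(data):
    """Decode the signature and logical screen descriptor."""
    sig = data[:6]
    if sig not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed, bg_index, _aspect = struct.unpack("<HHBBB", data[6:13])
    has_gct = bool(packed & 0x80)
    return {
        "version": sig[3:].decode("ascii"),
        "width": width,
        "height": height,
        "has_gct": has_gct,
        "colour_resolution": ((packed >> 4) & 0x07) + 1,
        "gct_entries": 2 ** ((packed & 0x07) + 1) if has_gct else 0,
        "background_index": bg_index,
    }


def global_colour_table(data):
    """List of (r, g, b) tuples; shorter than gct_entries if the data is truncated."""
    hdr = parse_gif_header(data)
    table = data[GCT_OFFSET:GCT_OFFSET + 3 * hdr["gct_entries"]]
    return [tuple(table[i:i + 3]) for i in range(0, len(table) - len(table) % 3, 3)]


def ascii_runs_in_palette(data, min_len=4):
    """(entry_index, text) for each run of printable ASCII inside the colour table.
    Real palettes rarely contain long printable runs, so this is a cheap triage check."""
    hdr = parse_gif_header(data)
    table = data[GCT_OFFSET:GCT_OFFSET + 3 * hdr["gct_entries"]]
    runs, cur, start = [], [], 0
    for off, b in enumerate(table):
        if 0x20 <= b <= 0x7E:
            if not cur:
                start = off
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append((start // 3, "".join(cur)))
            cur = []
    if len(cur) >= min_len:
        runs.append((start // 3, "".join(cur)))
    return runs


def palette_diff(reference, suspect):
    """Indices of colour-table entries that differ between two palettes."""
    return [i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]
```

On the dump above the packed byte 0xE6 says there is a global colour table of 128 entries, and "hello" sits across entries 14 and 15, which matches the "maximum of two colours" remark. The ASCII-run check would not catch the least-significant-bit variant the post mentions; for that you need a reference copy of the image and palette_diff, or statistics over the low bits.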

Conclusions

Well, if someone wants to communicate with a covert channel, they will do it, and there’s often little you can do about it. What you need to make sure is that, where it matters, the mechanisms for this are limited. In the next blog I’ll outline other methods. So, as a last little challenge, here’s a sample of some covert messages that we have used to present security to school kids:

Can you find the six secret messages? Hint … look down the lines.

If you want to check … here’s the answers.

Ode to ARP and Ethernet … the plumbing of the Internet

Introduction

Layered model

Sometimes in life there are things that are so important and part of our everyday existence, but no-one knows about them. It happens with great corporations such as Cisco Systems, where a few years ago few people actually knew about the company, but they had basically built most of the infrastructure for the Internet. So it is with ARP, the most amazing little protocol, which deserves some credit for actually building the Internet too, along with Ethernet, which provides the plumbing.

At one time in the computing industry it was often difficult to interconnect systems, typically because a certain vendor had their own protocol and interface, which made it difficult to connect to. So, in networking, a layered approach is typically used, which allows different hardware and software to be interconnected. This has supported a great drive for convergence and standardization, and one of the best examples of this is the seven-layer model, which is shown in the diagram above. Overall this defines the protocols which are used at each of the layers, each of which has its own function.

ARP


TCP and IP have made the interconnection of the world possible, but Ethernet must be given a silver medal for building up the network from the ground up. Without Ethernet we would never have evolved organizational networks, or created the Internet so quickly. Before we go on I must explain what “The Internet” actually is, so that we do not confuse it with “The Web”. Well, “The Internet” is a collection of publicly registered computer systems which have registered their IP address range, and can thus be contacted within the public address space. Whereas “The Web” is a collection of Web servers which provide Web-based content. Anyone can create “an internet” if they want, but that will contain a private address space, whereas “The Internet” uses publicly defined addresses.

Anyone who has used a modem from home, and had to make a dial-up connection, will know how annoying this can be. But, with Ethernet, plug in the cable, or connect through wireless, and it all works. You don’t even have to know what the physical address of the computer is. So how does it work? Well, the key is ARP, as ARP allows a computer to broadcast a message to the rest of the network, asking for the MAC (Media Access Control) address of a given network address. Thus computers can quickly determine the physical addresses of all the devices on their network segment, simply by broadcasting an ARP request.

So what if the destination is outside the network segment, such as on the Internet? Well, with this the computer sends out an ARP request for the MAC address of the gateway. The computer will normally know its gateway address, as it’s one of the key settings that we create for the network. After this the gateway will send back its MAC address, and the computer is then able to communicate with it, as it knows both its network address (required in the IP packet header) and the MAC address (which is contained in the Ethernet frame). The computer will then create the data it wants to send, segment it up with TCP, add an IP destination address with IP, and then frame it up with Ethernet. The destination IP address will be the remote node that the computer wants to communicate with, but the destination MAC address will be the gateway MAC address, and thus we have created the first link of the connection.

After this, routers will guide the data packet through the Internet, until it gets to the last segment, where the last gateway node will send out an ARP request on the network segment that the destination node is on, for the MAC address of the node which has the destination address contained in the IP packet — Phew! Are you getting this? — for which, if it is on, it will respond with its MAC address, and the gateway can then deliver the data. So ARP has to be thanked for the first part and the last part of the journey. Without it we would have to register all the MAC addresses of connected computers in a large database, and have to query it every time we wanted to communicate.

Mechanics of the ARP protocol

If you would like to see examples of network protocols, there are lots of examples at:

http://www.asecuritysite.com/information/pcap

where you will see ARP in action. Typically it is the first part of a network connection, where a node must discover the gateway, or a node on the same network.

For example here’s the first network packet for a Web connection, where the node is sending out a broadcast to find the MAC address of the node at 192.168.75.132 (you can see that we are at 192.168.75.1):

No.     Time        Source                Destination           Protocol Info
      1 0.000000    Vmware_c0:00:08       Broadcast             ARP      Who has 192.168.75.132? 
                                                                           Tell 192.168.75.1

and then in the next, the node at 192.168.75.132 responds with its MAC address (00:0c:29:0f:71:a3):

No.     Time        Source                Destination           Protocol Info
      2 0.000339    Vmware_0f:71:a3       Vmware_c0:00:08       ARP      192.168.75.132 is at 
                                                                          00:0c:29:0f:71:a3

followed by the standard three-way handshake, where we can now communicate with the gateway, with the destination MAC in the Ethernet destination MAC address field:

No.     Time        Source                Destination           Protocol Info
      3 0.000362    192.168.75.1          192.168.75.132        TCP      mgcp-gateway > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 TSV=344415 TSER=0
No.     Time        Source                Destination           Protocol Info
      4 0.000602    192.168.75.132        192.168.75.1          TCP      http > mgcp-gateway [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
No.     Time        Source                Destination           Protocol Info
      5 0.000681    192.168.75.1          192.168.75.132        TCP      mgcp-gateway > http [ACK] Seq=1 Ack=1 Win=66608 Len=0 TSV=344415 TSER=
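Because ARP replies are trusted without any check, the request/reply pairing shown in the trace is also the thing to watch on the defending side. This added example (not the author's code) replays Info-column lines in the format above into an ARP cache and reports two things a monitor cares about: replies that were never asked for, and an IP whose MAC changes. The sample lines are constructed in the style of the trace; only the first pair is taken from it.

```python
import re

WHO_HAS = re.compile(r"Who has (\S+)\?\s+Tell (\S+)")
IS_AT = re.compile(r"(\S+) is at ([0-9a-fA-F:]{17})")

# Constructed sample in the style of the Info column above: a normal
# request/reply exchange, then two unrequested replies for the same IP,
# the second of which claims a different MAC.
SAMPLE_INFO = [
    "Who has 192.168.75.132? Tell 192.168.75.1",
    "192.168.75.132 is at 00:0c:29:0f:71:a3",
    "Who has 192.168.75.2? Tell 192.168.75.1",
    "192.168.75.2 is at 00:50:56:e1:aa:01",
    "192.168.75.132 is at 00:0c:29:0f:71:a3",
    "192.168.75.132 is at 00:50:56:ab:cd:ef",
]


def watch_arp(lines):
    """Replay ARP Info lines into a cache; report unsolicited replies and MAC changes."""
    cache, pending = {}, set()          # ip -> mac, and IPs with an outstanding request
    unsolicited, conflicts = [], []
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = IS_AT.search(line)
        if not m:
            continue                    # not an ARP line (e.g. the TCP handshake)
        ip, mac = m.group(1), m.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            unsolicited.append((ip, mac))   # reply nobody on this capture asked for
        old = cache.get(ip)
        if old is not None and old != mac:
            conflicts.append((ip, old, mac))  # same IP now claims a different MAC
        cache[ip] = mac
    return {"cache": cache, "unsolicited": unsolicited, "conflicts": conflicts}
```

A MAC change on its own is not proof of anything (a replaced network card or a gateway failover produces the same line), so this is an alert to correlate, not a verdict; on managed switches the equivalent control is Dynamic ARP Inspection, which validates replies against the DHCP binding table before letting them reach hosts.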

If you are interested in learning about network protocols, there is a presentation at:

Ethernet

IP, TCP and Ethernet

Until recently it seemed unlikely that Ethernet would survive as a provider of network backbones and for campus networks, and that its domain would stay, in the short term, with connections to local computers. If you are interested, the diagram on the right-hand side shows the three main protocols that are involved in most of the communications on the Internet: IP, TCP and Ethernet. Each of them adds information to the data so that it can be delivered correctly and within a good time period.

As a computing professor, I have seen networking standards come and go, and it seemed for a while that ATM was the solution for integrated networks, as it was the true integrator of real-time and non-real-time data. This was due to Ethernet’s lack of support for real-time traffic and the fact that it does not cope well with traffic rates that approach the maximum bandwidth of a segment (as the number of collisions increases with the amount of traffic on a segment). ATM seemed to be the logical choice, as it analyses the type of data being transmitted and reserves a route for the given quality of service. It looked as if ATM would migrate down from large-scale networks to the connection of computers, telephones, and all types of analogue/digital communications equipment. But, remember, the best technological solution does not always win the battle for the market – a specialist is normally trumped by a good all-rounder.

Ethernet is the best poker player in town. It knows all the tricks. It’s a heavyweight prize fighter. It’ll slug it out with anyone, and win. It took Token Ring on, head to head, and thrashed it. So what would you choose for your corporate network? Would it be a technology that was cheap, and could give you 10Mbps or 100Mbps for your connections to workstations and servers and, possibly, 1Gbps for your backbone? Ethernet always makes a sensible choice, as it’s cheap and it’s going to be around for a lot longer yet. Any problems within an Ethernet network can be solved by segmenting the network and by relocating servers. And for cable, it supports twisted-pair, coaxial and fiber. Who would have believed that you could get 1Gbps down a standard Cat-5 twisted-pair cable. Amazing!

Ethernet also does not provide for quality of service and requires other higher-level protocols, such as IEEE 802.1p. These disadvantages are often outweighed by its simplicity, its upgradeability, its reliability and its compatibility. One way to overcome the contention problem is to provide a large enough bandwidth so that the network is not swamped by sources which burst data onto the network. For this, the gigabit Ethernet standard is likely to be the best solution for most networks.

Whatever bandwidth you want

A key method of increasing the bandwidth of a network is to replace hubs with switches, as switches allow simultaneous transmission between connected ports. Thus if the bandwidth of a single port on a switch is 100Mbps, then a multi-port switch can give a throughput of several times this. But switches also have the potential to improve the configuration of networks.

Many workers are now used to open-plan offices, where the physical environment can be changed as workgroups evolve. This is a concept which is now appearing in networking, where virtual networks are created. With this, computers connect to switches. The switch then tags data frames for their destination virtual networks and puts the tagged data frames onto the backbone. Other switches then read the tag and, if the destination is connected to one of their ports, they remove the tag and forward the data frame to the required port. This technique is now standardized as IEEE 802.1Q, an important step in getting any networking technique accepted. Imagine if whole countries were set up like this. What we would have is a programmable network, where system administrators could connect any computer to any network. Presently we are constrained by the physical location of nodes.
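The tag-on-ingress, read-on-backbone, strip-on-egress sequence just described is shown byte for byte in this added example (not the author's code): it builds an untagged Ethernet II frame, inserts the 4-byte 802.1Q tag (TPID 0x8100 followed by the priority, DEI and 12-bit VLAN ID) after the source MAC, reads it back, and strips it again. The MAC addresses reuse the 1:2:3:4:5:x style from the first post; the payload bytes and VLAN 100 are constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """What the ingress switch does: insert TPID + TCI after the source MAC."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid     # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """(vid, pcp, dei) if the frame carries an 802.1Q tag, else None."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 1)


def untag_frame(frame):
    """What the egress switch does before forwarding to an untagged access port."""
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]
```

Nothing in the tag is authenticated, which is why access ports should never accept tagged frames from end stations: the VLAN boundary is only as strong as the switch's refusal to honour a tag the host supplied itself.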

Virtual networks will also bring enhanced security, where it will be possible to constrain access to sensitive data. For example, a server which contains data which must be kept secret can be located in a safe physical environment, and only users with a valid MAC address would be allowed access to the data.

Hats off to the IEEE, who have carefully developed the basic technology after its initial conception by DEC, Intel and the Xerox Corporation.