
PART 3

PROTOCOL ANALYSIS
• TCP/IP (Transmission Control Protocol/Internet Protocol) is not simply one protocol, but
rather a suite of specialized protocols, including TCP, IP, UDP, ARP, and many others, called
subprotocols.
• TCP/IP is a de facto standard on the Internet and has become the protocol of choice on LANs
and WANs.
• TCP/IP would not have become so popular if it weren’t routable. Protocols that can span
more than one LAN (or LAN segment) are routable, because they carry Network layer
addressing information that can be interpreted by a router.
• TCP (Transmission Control Protocol) operates in the Transport layer of the OSI model
and provides reliable data delivery services.
• TCP is a connection-oriented subprotocol.
Problems Related to TCP
• Packet replication
• Checksum error
• Bottleneck bandwidth
• Packet loss
• PACKET REPLICATION
- Packets are retransmitted over the network if there is congestion or if
a packet is lost.
- When the packet is retransmitted, the packet is replicated.
• CHECKSUM ERROR
- The checksum is part of the TCP header field.
- The purpose of a checksum is to ensure data integrity.
- A failed checksum indicates a problem with the data in a packet.
- In this case, the packet has to be retransmitted.
• BOTTLENECK BANDWIDTH
- Bottleneck bandwidth is the rate at which all available bandwidth on the path is
in use, so that not even a single additional packet can be accommodated.
- The self-interference time can be calculated if the bottleneck
bandwidth is known.
- It is best measured at the receiver's buffer.
• PACKET LOSS
- Packet loss occurs when one or more packets of data travelling across
a computer network fail to reach their destination.
- Packet loss is typically caused by network congestion.
- Packet loss is measured as a percentage of packets lost with respect
to packets sent.
IP Datagram
• Maximum Transmission Unit (MTU)
• Fragmentation
• Encapsulation
• Packets in the network (internet) layer are called datagrams.
• A datagram is a variable-length packet consisting of two parts:
header and data.
• The header is 20 to 60 bytes in length and contains information
essential to routing and delivery.
Maximum Transmission Unit
• The maximum size of an IP datagram is 65535 bytes, but the data link layer protocol
generally imposes a limit that is much smaller.

• Example:
- Ethernet frames have a maximum payload of 1500 bytes.
- Therefore IP datagrams encapsulated in an Ethernet frame cannot be longer than 1500
bytes.

• The limit on the maximum IP datagram size imposed by the data link protocol is
called the maximum transmission unit (MTU).

• MTUs for various data link protocols:
- Ethernet: 1500
- 802.3: 1492
- 802.5: 4464
- FDDI: 4352
- ATM AAL5: 9180
- PPP: negotiated
IP Fragmentation
• What if the size of an IP datagram exceeds the MTU?
- The IP datagram is fragmented into smaller units.

• What if the route contains networks with different MTUs?

[Diagram: Host A on an FDDI ring (MTU 4352) sends to Host B on an Ethernet
segment (MTU 1500) through a router.]

• Fragmentation:
- The IP router splits the datagram into several smaller datagrams (fragments).
- Fragments are reassembled at the receiver.

Where is Fragmentation done?

• Fragmentation can be done at the sender or at intermediate routers


• The same datagram can be fragmented several times along the path.
• Reassembly of the original datagram is done only at the destination host.

[Diagram: a router splits an IP datagram with header H into Fragment 1 (header H1)
and Fragment 2 (header H2).]
Example of Fragmentation
• A datagram with size 2400 bytes must be fragmented according to an MTU
limit of 1000 bytes.

[Diagram: the router receives the datagram on a link with MTU 4000 and forwards
it on a link with MTU 1000.]

                   IP datagram   Fragment 1   Fragment 2   Fragment 3
Header length:     20            20           20           20
Total length:      2400          996          996          448
Identification:    0xa428        0xa428       0xa428       0xa428
DF flag:           0             0            0            0
MF flag:           0             1            1            0
Fragment offset:   0             0            122          244
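As an added worked example (not part of the slides), the fragmentation arithmetic in Python: `fragment` reproduces the 2400-byte / MTU-1000 split and also models re-fragmentation of a fragment at a second router with a smaller MTU, while `reassemble` accepts an out-of-order set only when it is complete and non-overlapping. The 20-byte header (no options) and the function names are assumptions.

```python
# Added example (not from the lecture slides): IPv4 fragmentation arithmetic.
# Fragment offsets are carried in 8-byte units, so every fragment except the
# last carries a payload that is a multiple of 8 bytes. The IP header is
# assumed to be 20 bytes (no options), as in the slide's 2400-byte example.
HEADER_LEN = 20


def fragment(total_length, mtu, ident, offset=0, mf=0, header_len=HEADER_LEN):
    """Split one datagram (or an existing fragment) to fit `mtu`.

    Returns a list of header dicts. Passing the offset/MF of an existing
    fragment models re-fragmentation at a second router with a smaller MTU.
    """
    data_len = total_length - header_len
    max_payload = (mtu - header_len) // 8 * 8  # largest 8-byte multiple that fits
    if max_payload <= 0:
        raise ValueError("MTU leaves no room for payload")
    frags, sent = [], 0
    while sent < data_len:
        chunk = min(max_payload, data_len - sent)
        more = sent + chunk < data_len or bool(mf)  # keep MF=1 if parent had it
        frags.append({"total_length": header_len + chunk, "identification": ident,
                      "df": 0, "mf": int(more), "offset": offset + sent // 8})
        sent += chunk
    return frags


def reassemble(frags, header_len=HEADER_LEN):
    """Return the original total length, or None if the set is incomplete,
    overlapping or malformed. Only the destination host should do this."""
    if len({f["identification"] for f in frags}) != 1:
        return None  # fragments of different datagrams must not be mixed
    expected_units, data_bytes, final_seen = 0, 0, False
    for f in sorted(frags, key=lambda f: f["offset"]):
        chunk = f["total_length"] - header_len
        if f["offset"] != expected_units or chunk <= 0 or final_seen:
            return None  # gap, overlap/duplicate, or data after the final fragment
        if f["mf"] and chunk % 8:
            return None  # non-final fragments must carry 8-byte multiples
        data_bytes = f["offset"] * 8 + chunk
        expected_units = data_bytes // 8
        final_seen = f["mf"] == 0
    return header_len + data_bytes if final_seen else None
```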
Encapsulation
• When data moves from an upper layer to a lower layer of the TCP/IP protocol
stack (outgoing transmission), each layer adds a bundle of relevant
information called a header in front of the actual data.
• The data package containing the header and the data from the upper
layer then becomes the data that is repackaged at the next lower
layer with that layer's own header.
• A header is the supplemental data placed at the beginning of a block of
data when it is transmitted.
• This supplemental data is used at the receiving side to extract the
data from the encapsulated packet. This packing of data at each
layer is known as data encapsulation.
Encapsulating Security Payload (ESP)

• A member of the IPsec protocol suite. In IPsec it provides origin
authenticity, integrity and confidentiality protection of packets.
• ESP also supports encryption-only and authentication-only configurations,
but using encryption without authentication is strongly discouraged
because it is insecure.
• Two modes in ESP:
(i) Tunnel mode
(ii) Transport mode
• Transport mode
• In transport mode, only the payload of the IP packet is usually encrypted
and/or authenticated. The routing is intact, since the IP header is neither
modified nor encrypted; however, when the authentication header is
used, the IP addresses cannot be translated, as this will invalidate the hash
value.
• The transport and application layers are always secured by hash, so they
cannot be modified in any way.
• Tunnel mode
• In tunnel mode, the entire IP packet is encrypted and/or authenticated.
• It is then encapsulated into a new IP packet with a new IP header.
• Tunnel mode is used to create virtual private networks for network-to-
network communications (e.g. between routers to link sites), host-to-
network communications (e.g. remote user access) and host-to-host
communications (e.g. private chat).
• Tunnel mode supports NAT traversal.

NAT traversal : https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec


Common Protocols and Standards
• Domain Name Server Security (DNSSEC)
• Generic Security Services API (GSSAPI)
• Secure Sockets Layer (SSL)
• Secure Hypertext Transfer Protocol (SHTTP)
• Security Tokens
• BlackDuck
• OpenLogic
Domain Name Server Security (DNSSEC)
• A protocol for secure distributed name services.
• DNSSEC is also a suite of IETF specifications for securing certain
kinds of information provided by the DNS as used on IP
networks.
• It is a set of extensions to DNS which provide to DNS clients
(resolvers):
• Origin authentication of DNS data
• Data integrity
• Authenticated denial of existence
• It is widely believed that deploying DNSSEC is critically important for
securing the Internet as a whole, but deployment has been hampered by
its difficulty.
Generic Security Service API (GSSAPI)
• Provides an authentication, key exchange and encryption interface
to different cryptographic algorithms and systems.
• GSSAPI is an application programming interface for programs to
access security services.
• The GSSAPI interface provides 5 groups of services:
• Credential Management Services
• Context-Level Services
• Authentication Services
• Confidentiality Services
• Support Services
Secure Socket Layer (SSL)
• One of the two protocols for secure WWW connections.
• Originally developed by Netscape in 1994 as an open standard protocol.
• Operates at layer 4 of OSI model.
• Features:
• Encrypts data so that no one who intercepts is able to read it.
• Can assure a client that they are dealing with the real server they intended to
connect to.
• Can prevent any unauthorized clients from connecting to the server.
• Prevents anyone from meddling (interfering) with data going to or coming from the
server.
• Service applied: SSL server authentication, SSL client authentication, an encrypted
SSL connection
Secure Hypertext Transfer Protocol (SHTTP)
• Another protocol for WWW secure connections.
• SHTTP is a secure message-oriented communications protocol designed for use
in conjunction with HTTP.
• More flexible than SSL.
• Features:
• A web protocol developed by Netscape
• Built into browsers
• Encrypts and decrypts user page requests and web pages that are returned by web server
• Based on Netscape's SSL
• Whereas SSL creates a connection over which any amount of data can be sent securely
Internet Protocol Security (IPSec)
• A suite of protocols for securing IP communications by authenticating
and/or encrypting each IP packet in a data stream.
• IPSec also includes protocol for cryptographic key establishment.
• Operates in layer 3 of OSI model.
• More flexible because it can be used to protect layer 4 of the OSI model.
• Features:
• A popular VPN solution.
• A popular public/private key encryption algorithm.
• Uses the 40-bit DES algorithm; suitable for general business use.
• But sensitive and financial data sent over insecure networks may need a more
secure encryption scheme.
Security Token
• A physical device that an authorized user of computer services is
given to ease authentication.
