Lecture 2.1

Gluing IP with Ethernet

ARP and related security issues

Giuseppe Bianchi

IP addresses (review)

- 32-bit string
- Bit-wise notation: the natural notation
- Dotted notation: 4 x 8 bits, each 8-bit group written as an integer 0..255; intended for humans
- Address structure: network address + host number, identified by the netmask
  » 255.255.252.0
  » or, equivalently, by the network prefix length: /22
- An address belongs to the network whose address is IPaddr & netmask

Example:

  10010011101000110001011010000010
  10010011 . 10100011 . 00010110 . 10000010
  147 . 163 . 22 . 130

  10010011.10100011.00010110.10000010   address (147.163.22.130)
  11111111.11111111.11111100.00000000   /22 network prefix (netmask 255.255.252.0)
  -----------------------------------
  10010011.10100011.00010100.00000000   Net: 147.163.20.0/22

NetAddress computation (masking)

Local host interface:
  147.163.21.9          10010011.10100011.00010101.00001001
Netmask:
  255.255.248.0 (/21)   11111111.11111111.11111000.00000000
NetAddress computation, bit-wise AND (IP_addr) & (netmask):
                        10010011.10100011.00010000.00000000

On which network is the host connected? (The netmask must be provided externally: it cannot be derived from the address alone.)

Result: the host is on network 147.163.16.0/21

Another example

- IP address 147.163.22.130
- Network prefix: /22 (equivalently: 255.255.252.0)
- It is an IP address for a HOST
  » simple check: the host part is neither all 0's nor all 1's
- It belongs to network 147.163.20.0/22
  » simple: just set all 0's in the host part

  10010011.10100011.00010110.10000010   147.163.22.130
  11111111.11111111.11111100.00000000   /22
  10010011.10100011.00010100.00000000   147.163.20.0

Three types of IP addresses: host, network, broadcast

- Network: all 0's in the host part
- Broadcast: all 1's in the host part
- Host: otherwise

TEST:
- 147.163.0.128 (prefix /26): network? host? broadcast?
- 147.163.14.3 (prefix /30): network? host? broadcast?
- 174.163.20.255 (prefix /22): network? host? broadcast?

Think in binary, and everything becomes trivial.

Routing a packet (direct forwarding)

- Route a packet to 147.163.22.130
- starting from interface 147.163.21.9
- with network mask 255.255.252.0

Local host interface:
  147.163.21.9      10010011.10100011.00010101.00001001
Destination IP address:
  147.163.22.130    10010011.10100011.00010110.10000010
Netmask:
  255.255.252.0     11111111.11111111.11111100.00000000

Bitwise AND of either address with the netmask gives
  10010011.10100011.00010100.00000000 = 147.163.20.0/22

Local interface and destination address are on the same network!! We may hand the packet to the datalink network for direct delivery.

Going through a router (indirect forwarding)

- At least one router on the network.
- The local router's IP interface is the destination for all packets addressed outside the local physical network.

Example: host 160.80.82.29, netmask 255.255.248.0, net_id 160.80.80.0/21, local router 160.80.80.1.
Destination 160.80.99.1:
  (160.80.99.1) & (255.255.248.0) = 160.80.96.0 != 160.80.80.0 (not on this net!)
  Send the packet to 160.80.80.1: the router knows more...

Routing table lookup

(Figure: R2 sits between Net 132.43.0.0, where its interface is 132.43.0.6 and R1 is at 132.43.3.5, and Net 208.0.1.0, where its interface is 208.0.1.12 and R3 is at 208.0.1.7. Net 10.0.0.0 (host 10.12.1.32), Net 208.1.1.0 and "other nets" lie beyond R1; Net 208.0.2.0 (host 208.0.2.8) and Net 193.33.9.0 lie beyond R3.)

R2 routing table:

  Dest net      /mask   Next hop
  132.43.0.0    /16     direct forward
  208.0.1.0     /24     direct forward
  10.0.0.0      /8      132.43.3.5
  208.0.2.0     /24     208.0.1.7
  193.33.9.0    /24     208.0.1.7
  208.1.1.0     /24     132.43.3.5
  default               132.43.3.5

Lookup for IP dest 208.1.1.14:
  for (rows in rtab): IP_dest & mask == dest_net ?
  Found: 208.1.1.0/24 -> go to 132.43.3.5

When more than one row matches, the most specific one (longest prefix) wins; the default route has mask /0, matches every address, and is therefore used only when nothing else matches.
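The masking and table-lookup steps of the last few slides (network/broadcast/host classification, the direct-forwarding test, and R2's lookup loop) as runnable Python. This is an added example written for this page, not part of the lecture; the addresses and R2's table are the ones on the slides, while the gateway 147.163.20.1 used for the /22 host is an assumption. Standard library only.

```python
"""IP masking, address classification and next-hop selection (added example).

Hypothetical helper code written for this page; it is not part of the
lecture.  Addresses and the routing table are the ones on the slides
(host 147.163.21.9, router R2, the 160.80.80.0/21 network); the gateway
147.163.20.1 used for the /22 host is an assumption.  Standard library only.
"""
import ipaddress


def host_part(addr: str, prefix: int) -> int:
    """The last (32 - prefix) bits of the address: think in binary."""
    return int(ipaddress.IPv4Address(addr)) & ((1 << (32 - prefix)) - 1)


def classify(addr: str, prefix: int) -> str:
    """'network' (host part all 0s), 'broadcast' (all 1s) or 'host'."""
    bits = host_part(addr, prefix)
    if bits == 0:
        return "network"
    if bits == (1 << (32 - prefix)) - 1:
        return "broadcast"
    return "host"


def network_of(addr: str, prefix: int) -> str:
    """(IP_addr) & (netmask), written as a.b.c.d/prefix."""
    return str(ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False))


def same_network(a: str, b: str, prefix: int) -> bool:
    """Direct forwarding is possible when both sides mask to the same net."""
    return network_of(a, prefix) == network_of(b, prefix)


# R2's table from the slide.  A next hop of None means "direct forward".
R2_RTAB = [
    ("132.43.0.0/16", None),
    ("208.0.1.0/24", None),
    ("10.0.0.0/8", "132.43.3.5"),
    ("208.0.2.0/24", "208.0.1.7"),
    ("193.33.9.0/24", "208.0.1.7"),
    ("208.1.1.0/24", "132.43.3.5"),
    ("0.0.0.0/0", "132.43.3.5"),      # default route: matches everything
]


def host_rtab(iface: str, prefix: int, gateway: str):
    """A plain host is a two-row router: its own network, then the default."""
    return [(network_of(iface, prefix), None), ("0.0.0.0/0", gateway)]


def lookup(dest: str, rtab) -> str:
    """Return the IP address that ARP must resolve next: the destination
    itself on a directly attached network, otherwise the next-hop router.

    Every row is tested with IP_dest & mask == dest_net (the slide's loop);
    when several rows match, the longest prefix wins, so the /0 default is
    used only when nothing more specific matches.
    """
    ip = ipaddress.IPv4Address(dest)
    best = None
    for net_str, gw in rtab:
        net = ipaddress.IPv4Network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dest}")
    gw = best[1]
    return dest if gw is None else gw


if __name__ == "__main__":
    for a, p in [("147.163.0.128", 26), ("147.163.14.3", 30), ("174.163.20.255", 22)]:
        print(f"{a}/{p}: {classify(a, p)}")
    print(network_of("147.163.21.9", 21), network_of("147.163.22.130", 22))
    print("208.1.1.14 via", lookup("208.1.1.14", R2_RTAB))
    print("160.80.99.1 via", lookup("160.80.99.1", host_rtab("160.80.82.29", 21, "160.80.80.1")))
```

The slide's loop stops at the first matching row, which is correct only because the default route is listed last. With rows in arbitrary order a /8 listed before a /24 would capture traffic meant for the more specific network, so real forwarding tables always prefer the longest matching prefix, as lookup() does.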

route print (Windows; netstat -rn on Unix) shows the routing table of your PC
(remember: your PC is a simple IP router)

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.163.57.1   10.163.57.77       1
      10.163.57.0    255.255.255.0     10.163.57.77   10.163.57.77       1
     10.163.57.77  255.255.255.255        127.0.0.1      127.0.0.1       1
   10.255.255.255  255.255.255.255     10.163.57.77   10.163.57.77       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
        224.0.0.0        224.0.0.0     10.163.57.77   10.163.57.77       1
  255.255.255.255  255.255.255.255     10.163.57.77   10.163.57.77       1
Default Gateway:       10.163.57.1
===========================================================================

Forwarding a packet: Address Resolution Protocol (ARP)

RFC 826. Basic concepts summarized in RFC 1180, section 4.

Problem statement

- Routing decision for packet X has been taken:
  » you have arrived at the final network: go directly to host X
  » you have NOT arrived: go through router interface Y
- Routing decision result: an IP address on THIS network
- Problem: how can we send data to that interface?
  » we need to use the physical network facilities!
- Three issues:
  » encapsulate the packet in a datalink frame
  » deliver according to the local networking technology (e.g. Ethernet)
  » send the frame to the destination, which is NOT an IP address but a hardware address!

Address Resolution Protocol

  32-bit IP address  --ARP-->   48-bit Ethernet address
  32-bit IP address  <--RARP--  48-bit Ethernet address

ARP: RFC 826. Described here for Ethernet, but valid for more general networks: designed for any datalink with broadcast capability.

- Dynamic mapping
  » not a concern for applications and users
  » not a concern for the system administrator!
- Any network layer protocol
  » not IP-specific
- A protocol carried by the datalink layer
  » it is not itself a datalink layer protocol!!!!
- Needs a datalink with broadcast capability
  » e.g. Ethernet shared bus
- Note: ARP is NOT STRICTLY NECESSARY!
  » one may keep a manual IP -> MAC mapping
  » tedious, error prone, requires manual updating: e.g. when attaching a new PC, all the others must be touched

ARP idea

Hosts 131.175.15.8, 131.175.15.12 and 131.175.15.124 on the same segment:
  131.175.15.8 (broadcast): "Who has IP address 131.175.15.124??"
  131.175.15.12: "Not me!"
  131.175.15.124 (unicast): "It's me! I have 0:0:a2:32:5a:3"

- Send a broadcast request
- Receive a unicast response

ARP request/reply: encapsulation in an Ethernet frame

  Ethernet destination address | Ethernet source address | frame type | ARP request / reply | CRC
  6 bytes                      | 6 bytes                 | 2 bytes    | 28 bytes (for IP)   | 4 bytes

- Ethernet destination address: ff:ff:ff:ff:ff:ff (broadcast) for an ARP request
- Ethernet source address: that of the ARP requester
- Frame type (protocol demultiplexing codes!):
  » ARP request/reply: 0x0806
  » RARP request/reply: 0x8035
  » IP datagram: 0x0800

ARP request/reply format (28 bytes)

  bits 0-7 | 8-15 | 16-31
  word 0:  Hardware type (16 bits)                  | Protocol type (16 bits)
  word 1:  Hardware len (8) | Protocol len (8)      | ARP operation (16)
  word 2:  Sender MAC address (bytes 0-3)
  word 3:  Sender MAC address (bytes 4-5)           | Sender IP address (bytes 0-1)
  word 4:  Sender IP address (bytes 2-3)            | Dest MAC address (bytes 0-1)
  word 5:  Dest MAC address (bytes 2-5)
  word 6:  Dest IP address (bytes 0-3)

- Hardware type: 1 for Ethernet
- Protocol type: 0x0800 for IP (0000.1000.0000.0000), the same value as the Ethernet frame type field carrying an IP datagram!
- Hardware len = 6 (bytes) for Ethernet
- Protocol len = 4 (bytes) for IP
- ARP operation: 1 = request; 2 = reply; 3/4 = RARP request/reply

Sample ARP request/reply

Host A: IP 131.175.15.8,  MAC 0:0:8c:3d:54:1
Host B: IP 131.175.15.24, MAC 0:4f:33:3:ee:67

Ethernet packet: ARP REQUEST (from A, broadcast)
  dest MAC                   FF:FF:FF:FF:FF:FF
  src MAC                    00:00:8c:3d:54:01
  frame type                 0x0806 (ARP)
  hardware / protocol type   0x0001 / 0x0800 (Ethernet / IP)
  hlen / plen                0x06 / 0x04 (MAC = 6 / IP = 4)
  operation                  0x0001 (request)
  sender MAC                 00:00:8c:3d:54:01
  sender IP                  131.175.15.8
  dest MAC                   00:00:00:00:00:00 (unknown: this is what is being asked)
  dest IP                    131.175.15.24
  Ethernet checksum

Ethernet packet: ARP REPLY (from B, unicast to A)
  dest MAC                   00:00:8c:3d:54:01
  src MAC                    00:4f:33:03:ee:67
  frame type                 0x0806 (ARP)
  hardware / protocol type   0x0001 / 0x0800 (Ethernet / IP)
  hlen / plen                0x06 / 0x04 (MAC = 6 / IP = 4)
  operation                  0x0002 (reply)
  sender MAC                 00:4f:33:03:ee:67
  sender IP                  131.175.15.24
  dest MAC                   00:00:8c:3d:54:01
  dest IP                    131.175.15.8
  Ethernet checksum
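The request and reply above, built and decoded byte for byte with struct. This is an added example written for this page, not code from the lecture; the only data it uses are the two hosts' addresses from the slide, and the frames stay in memory rather than going on the wire, so no raw-socket privileges are needed.

```python
"""Encode/decode the Ethernet header + 28-byte ARP body of RFC 826 (added example).

Written for this page, not taken from the lecture.  The frames built below
reproduce the request/reply on the slide: 131.175.15.8 (0:0:8c:3d:54:1)
asks for 131.175.15.24 (0:4f:33:3:ee:67).  Standard library only; nothing
is transmitted.
"""
import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)          # 28 bytes, as on the slide


def mac_bytes(mac: str) -> bytes:
    """'0:0:8c:3d:54:1' or '00:00:8c:3d:54:01' -> 6 raw bytes."""
    parts = [int(x, 16) for x in mac.split(":")]
    if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad MAC {mac!r}")
    return bytes(parts)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class Arp:
    oper: int            # 1 = request, 2 = reply (3/4 = RARP)
    sha: str             # sender hardware address
    spa: str             # sender protocol (IP) address
    tha: str             # target hardware address (all zero in a request)
    tpa: str             # target protocol (IP) address

    def pack(self) -> bytes:
        return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, self.oper,
                           mac_bytes(self.sha), socket.inet_aton(self.spa),
                           mac_bytes(self.tha), socket.inet_aton(self.tpa))

    @classmethod
    def unpack(cls, body: bytes) -> "Arp":
        if len(body) < ARP_LEN:
            raise ValueError("short ARP body")
        htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:ARP_LEN])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(oper, mac_str(sha), socket.inet_ntoa(spa), mac_str(tha), socket.inet_ntoa(tpa))


def eth_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header + payload, zero-padded to the 46-byte minimum.
    The 4-byte CRC is appended by the NIC and is not modelled here."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")


def split_frame(frame: bytes):
    """-> (dst MAC, src MAC, ethertype, payload)"""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return mac_str(frame[:6]), mac_str(frame[6:12]), ethertype, frame[14:]


def arp_request(my_mac: str, my_ip: str, wanted_ip: str) -> bytes:
    """'Who has wanted_ip? Tell my_ip': broadcast, target MAC left zero."""
    body = Arp(1, my_mac, my_ip, ZERO_MAC, wanted_ip).pack()
    return eth_frame(BROADCAST, my_mac, ETH_P_ARP, body)


def arp_answer(frame: bytes, my_mac: str, my_ip: str):
    """What the host owning my_ip sends back: a unicast reply to the asker,
    or None when the frame is not an ARP request for my_ip ('Not me!')."""
    dst, src, ethertype, payload = split_frame(frame)
    if ethertype != ETH_P_ARP:
        return None
    req = Arp.unpack(payload)
    if req.oper != 1 or req.tpa != my_ip:
        return None
    reply = Arp(2, my_mac, my_ip, req.sha, req.spa)
    return eth_frame(req.sha, my_mac, ETH_P_ARP, reply.pack())
```

A host receiving a frame calls arp_answer(); the None paths (wrong EtherType, not a request, not my IP) are the "Not me!" case of the ARP idea slide. Notice that nothing in the 28 bytes proves who may legitimately claim an IP address, which is the root of the attacks discussed later in the lecture.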

ARP cache

- Avoids an ARP request for every IP datagram!
- Entry lifetime defaults to 20 minutes
  » deleted if not used within this time
  » 3 minutes for "incomplete" cache entries (i.e. ARP requests to a non-existent host)
  » may be changed in some implementations, in particularly stable (or dynamic) environments
- arp -a displays all cache entries (Windows output):

C:\Documents and Settings\Giuseppe>arp -a

Interface: 160.80.82.29 --- 0x2
  Internet Address      Physical Address      Type
  160.80.80.1           00-b0-8e-31-64-54     dynamic
  160.80.81.106         00-c0-f0-3c-32-42     dynamic
  160.80.82.1           00-b0-8e-31-64-54     dynamic
  160.80.88.207         00-03-93-ba-fd-a0     dynamic

Test: ARP caching

Try a traceroute or ping to check ARP caching!
- The first packet generally takes longer
  » it includes an ARP request/reply!

C:\Documents and Settings\Giuseppe>ping 160.80.80.2

Pinging 160.80.80.2 with 32 bytes of data:

Reply from 160.80.80.2: bytes=32 time=1ms TTL=64
Reply from 160.80.80.2: bytes=32 time<1ms TTL=64
Reply from 160.80.80.2: bytes=32 time<1ms TTL=64
Reply from 160.80.80.2: bytes=32 time<1ms TTL=64

Ping statistics for 160.80.80.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

ARP cache updating

- ARP requests carry the requester's IP/MAC pair
- ARP requests are broadcast
  » thus, they MUST be read by everyone
- Therefore every computer can update its cache with the requester's pair for free
- This cannot be done with ARP replies, as they are unicast: only the requester sees them

Proxy ARP (RFC 1027)

- A device that responds to an ARP request on behalf of some other machine
  » allows having ONE logical (IP) network composed of several physical networks
  » especially important when different technologies are used (e.g. 100 PCs on Ethernet + 2 PCs on dial-up SLIP)

Example: a remote host with IP 131.175.15.24 sits behind the router.
  ARP request for 131.175.15.24 on the Ethernet segment
  ARP reply, sent by the router on behalf of 131.175.15.24, returns the router's MAC address!
  The router will then forward the packets to the remote host.

Gratuitous ARP

- An ARP request issued by an IP address and addressed to that same IP address!!
  » clearly nobody other than ME should answer!
- WHY ask the network which MAC address I have???
- Two main reasons:
  » determine whether another host is configured with the same IP address: in this case a response does occur, and the MAC address of the duplicated IP address becomes known
  » use gratuitous ARP when the hardware address has just changed: all other hosts update their cache entries!
- A problem is that, despite being specified in the RFC, not all ARP cache implementations operate as described...

ARP: not only this mechanism!

- The described mechanism is for broadcast networks (e.g. based on shared media)
- Not applicable to non-broadcast networks
  » in this case OTHER ARP protocols are used
  » e.g. distributed ARP servers
  » e.g. algorithms to map an IP address into a network address

Security issues in switched LANs

Switch vs hub security

Some people say: "Switches are more secure than hubs"
- An unsupported "legend"
- Motivated by the fact that
  » a malicious user may sniff hub traffic: it is broadcast on all ports
  » while he cannot sniff switched traffic: it is forwarded only on the proper destination port

(Figure: a SNIFFER attached to a switch port, with a question mark.)

The truth: switched LANs remain extremely vulnerable to attacks!!

ARP weaknesses

- ARP maps an IP address into a reachable MAC address
- ARP does not involve any authentication mechanism
  » ARP replies are considered trustworthy
- Many OSs accept unsolicited ARP replies
  » i.e. not only the ones following an ARP request
- Vulnerable OSs: Windows 95/98/2000/NT/XP, Linux
- Non (or better: less) vulnerable OSs: Sun Solaris

ARP poisoning

Attacker: 160.80.80.100, MAC 0044-5511-2222
Victim 1: 160.80.80.10,  MAC 0044-5511-1111
Victim 2: 160.80.80.11,  MAC 0044-5511-3333
All attached to the same switch.

Attacker -> Victim 1: "I am 160.80.80.11, MAC 0044-5511-2222"
Attacker -> Victim 2: "I am 160.80.80.10, MAC 0044-5511-2222"

Victim 1, arp -a:  160.80.80.11  0044-5511-2222
Victim 2, arp -a:  160.80.80.10  0044-5511-2222

"Poison" the ARP cache of the victims: make them believe the attacker's MAC is associated with the destination IP.
1. (against dumb OSs): spoof ARP replies
2. (against smart OSs): spoof an ICMP packet to solicit an ARP request, and immediately afterwards spoof the ARP reply

Attacker: safer (!!) on a switched LAN (only the victims see the ARP replies) than on a hub (a monitoring computer might get alerted).
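What the two spoofed replies above look like to a passive monitor on the segment. This is an added example written for this page, not from the lecture or from an existing tool: it remembers outstanding requests so that replies nobody asked for stand out, and it tracks IP-to-MAC bindings so that a change, or one MAC claiming several IPs, is flagged. The traffic is constructed to mirror the slide; MAC addresses are written with colons instead of the slide's 0044-5511-xxxx form.

```python
"""Spotting ARP cache poisoning from the wire (added example).

Detection logic written for this page, not taken from the lecture.  It
consumes already-decoded ARP packets (operation, sender MAC/IP, target
MAC/IP) and keeps its own IP -> MAC view of the segment.  The constructed
sequence in poisoning_demo() re-creates the slide: attacker
00:44:55:11:22:22 tells victim 1 (160.80.80.10) that it is 160.80.80.11
and victim 2 (160.80.80.11) that it is 160.80.80.10.
"""
from collections import namedtuple

ArpPkt = namedtuple("ArpPkt", "oper sha spa tha tpa")   # oper: 1 = request, 2 = reply


class ArpMonitor:
    def __init__(self, multi_ip_ok=()):
        self.bindings = {}             # ip -> mac currently claimed on the wire
        self.asked = set()             # ips somebody requested and nobody has answered yet
        self.allow = set(multi_ip_ok)  # MACs that legitimately own several IPs (routers, proxy ARP)
        self.alerts = []

    def feed(self, p: ArpPkt):
        if p.oper == 1:                # request: everyone learns the sender pair (cache updating slide)
            self.asked.add(p.tpa)
            self._learn(p.spa, p.sha, "request")
        elif p.oper == 2:              # reply: should answer a request we saw on the segment
            if p.spa in self.asked:
                self.asked.discard(p.spa)
            else:
                self.alerts.append(f"unsolicited reply: {p.spa} is-at {p.sha}, sent to {p.tha}")
            self._learn(p.spa, p.sha, "reply")
        return self.alerts

    def _learn(self, ip, mac, how):
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding change ({how}): {ip} was {old}, now {mac}")
        self.bindings[ip] = mac
        owned = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(owned) > 1 and mac not in self.allow:
            self.alerts.append(f"one MAC, many IPs: {mac} claims {owned}")


V1_MAC, V2_MAC, ATT_MAC = "00:44:55:11:11:11", "00:44:55:11:33:33", "00:44:55:11:22:22"
V1_IP, V2_IP = "160.80.80.10", "160.80.80.11"


def poisoning_demo():
    """Constructed traffic: one legitimate exchange, then the two spoofed replies."""
    mon = ArpMonitor()
    stream = [
        ArpPkt(1, V1_MAC, V1_IP, "00:00:00:00:00:00", V2_IP),   # victim 1 asks who has .11
        ArpPkt(2, V2_MAC, V2_IP, V1_MAC, V1_IP),                # victim 2 answers, as expected
        ArpPkt(2, ATT_MAC, V2_IP, V1_MAC, V1_IP),               # attacker -> victim 1: "I am .11"
        ArpPkt(2, ATT_MAC, V1_IP, V2_MAC, V2_IP),               # attacker -> victim 2: "I am .10"
    ]
    for p in stream:
        mon.feed(p)
    return mon.bindings, mon.alerts


def gateway_demo():
    """The arp -a slide: one router MAC owning both 160.80.80.1 and 160.80.82.1
    is normal, so it is allow-listed and produces no alert."""
    gw = "00:b0:8e:31:64:54"
    mon = ArpMonitor(multi_ip_ok=[gw])
    mon.feed(ArpPkt(1, gw, "160.80.80.1", "00:00:00:00:00:00", "160.80.82.29"))
    mon.feed(ArpPkt(1, gw, "160.80.82.1", "00:00:00:00:00:00", "160.80.82.29"))
    return mon.alerts


if __name__ == "__main__":
    bindings, alerts = poisoning_demo()
    print(bindings)
    print("\n".join(alerts))
```

The unsolicited-reply rule alone catches technique 1 on the slide. Technique 2 (solicit a request with a spoofed ICMP packet, then race the genuine reply) shows up instead as a second reply for the same IP, i.e. a binding change right after a legitimate answer, which is why both rules are kept. A NIC replacement announced by gratuitous ARP, or a router owning several addresses, produces the same signals, so alerts need an allow-list and human triage rather than automatic blocking.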

Result: Man In The Middle attack!!

Attacker: 160.80.80.100, MAC 0044-5511-2222, IP forwarding enabled: sniffs and forwards (but may also tamper, etc.)
Victim 1: 160.80.80.10, MAC 0044-5511-1111
Victim 2: 160.80.80.11, MAC 0044-5511-3333

Victim 1, arp -a:  160.80.80.11  0044-5511-2222
Victim 2, arp -a:  160.80.80.10  0044-5511-2222

Victim 1 sends:    IP.DST = 160.80.80.11, MAC 0044-5511-2222 (to the attacker)
Attacker forwards: IP.DST = 160.80.80.11, MAC 0044-5511-3333 (to Victim 2)

How to enable TCP/IP forwarding in Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315236&Product=winxp

Once in the middle, MANY things can be done...

Defense against ARP poisoning: static ARP (note: other defenses are available)

arp -a
  Internet Address      Physical Address      Type
  160.80.80.1           00-b0-8e-31-64-54     dynamic

arp -s 160.80.80.1 00-b0-8e-31-64-54

arp -a
  Internet Address      Physical Address      Type
  160.80.80.1           00-b0-8e-31-64-54     static

If you have Windows, consider that this works only for XP!!
BUG in Win9x and Win2000: static = persistent (it never expires, but it can still be overwritten by a received ARP reply)

Port stealing /1: malicious usage of bridge learning capabilities

Attacker: 160.80.80.100, MAC 0044-5511-2222, on switch port P2
Victim:   160.80.80.10,  MAC 0044-5511-1111, on switch port P1
Router:   160.80.80.1,   MAC 0044-5511-3333

Switch forwarding DB (MAC, port, age):
  0044-5511-1111  P1  13

- Initial situation: the victim is downloading remote information from the router

Port stealing /2

Switch forwarding DB (MAC, port, age):
  0044-5511-1111  P1  13
  0044-5511-2222  P2   5

- Attack: the attacker sends an Ethernet frame with
  » source address = victim's address (S = 0044-5511-1111)
  » destination address = attacker's address (D = 0044-5511-2222)
- The frame is filtered by the switch (the attacker's MAC is already in the forwarding DB, on the very port the frame came in from): not visible to others!

Port stealing /3

Switch forwarding DB (MAC, port, age):
  0044-5511-1111  P1  13   (stale entry)
  0044-5511-1111  P2   0   (just learned from the spoofed frame)
  0044-5511-2222  P2   5

- The switch updates its forwarding DB
- Traffic for the victim is diverted to port P2!
  » the attacker has "stolen" the switch port from the victim

Port stealing /4

- May now be turned into a man-in-the-middle attack
  » works also against a victim with static ARP entries
- After receiving a frame:
  » send a broadcast ARP request for the victim's IP
  » the victim's ARP reply restores the switch port
  » forward the (possibly tampered) frame
  » re-steal the port and repeat
- Easy to say, much more difficult to do...
  » some frames are lost
  » many ARP requests are disclosed, which may alert someone
- Probably the proper application of port stealing is sniffing the initial part of a session, the one which contains passwords
- Defense: an "intelligent" switch with port security functionality
  » port security feature example: allow only ONE MAC entry per port

MAC flooding

- An overloaded switch (forwarding DB full) falls back to "hub" mode: frames whose destination it can no longer learn are flooded to every port, i.e. to every computer in your network.
- Idea: poison the switch forwarding DB!
  » by sending a LARGE number of spoofed ARP replies with various SRC/DST addresses
  » public domain tools are capable of O(150,000) MAC entries per minute
- While the switch is in "hub" mode, SNIFF!
- Defense:
  » port security limits the number of MACs connected to a port
  » when this number overflows, the port is shut down (but many other alternatives are possible on commercial switches)
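A small model of a learning switch, to trace port stealing (slides /1 to /4) and MAC flooding side by side, with and without the "one MAC per port" port-security rule. This is an added example written for this page, not material from the lecture: the forwarding DB size, the ageing time and the per-port limit are assumptions chosen to keep the traces short, and real switches differ in how they age entries and react to violations. Names follow the slides, with MAC addresses in colon notation.

```python
"""Learning-bridge forwarding DB under port stealing and MAC flooding
(added example).  A toy model written for this page, not the lecture's
code.  Victim 00:44:55:11:11:11 sits on P1, attacker 00:44:55:11:22:22 on
P2, router 00:44:55:11:33:33 on P3; table size, ageing time and the
one-MAC-per-port rule are assumptions.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"
VICTIM, ATTACKER, ROUTER = "00:44:55:11:11:11", "00:44:55:11:22:22", "00:44:55:11:33:33"


class Switch:
    def __init__(self, ports, fdb_size=8, max_age=10, max_macs_per_port=None):
        self.ports = list(ports)
        self.fdb = {}                       # MAC -> [port, last_seen]
        self.fdb_size, self.max_age = fdb_size, max_age
        self.max_macs = max_macs_per_port   # None = no port security
        self.now, self.shutdown, self.log = 0, set(), []

    def port_of(self, mac):
        entry = self.fdb.get(mac)
        return entry[0] if entry else None

    def _expire(self):
        for mac in [m for m, (_, seen) in self.fdb.items() if self.now - seen > self.max_age]:
            del self.fdb[mac]

    def _learn(self, src, in_port):
        """Source learning.  False means port security dropped the frame."""
        if self.max_macs is not None:
            on_port = {m for m, (p, _) in self.fdb.items() if p == in_port}
            if src not in on_port and len(on_port) >= self.max_macs:
                self.shutdown.add(in_port)  # violation: err-disable the port
                self.log.append(f"port-security violation on {in_port} by {src}: port shut down")
                return False
        if src in self.fdb or len(self.fdb) < self.fdb_size:
            self.fdb[src] = [in_port, self.now]   # a spoofed source simply moves the entry
        else:
            self.log.append(f"fdb full ({self.fdb_size} entries), cannot learn {src}")
        return True

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of."""
        self.now += 1
        self._expire()
        if in_port in self.shutdown or not self._learn(src, in_port):
            return []
        out = self.port_of(dst)
        if dst == BROADCAST or out is None:            # broadcast or unknown: flood, like a hub
            out_ports = [p for p in self.ports if p != in_port]
        else:
            out_ports = [] if out == in_port else [out]   # same port as the sender: filtered
        return [p for p in out_ports if p not in self.shutdown]


def port_stealing(port_security=False):
    sw = Switch(["P1", "P2", "P3"], max_macs_per_port=1 if port_security else None)
    sw.receive("P1", VICTIM, ROUTER)               # victim downloading: VICTIM -> P1
    sw.receive("P3", ROUTER, VICTIM)               # ROUTER -> P3
    sw.receive("P2", ATTACKER, ROUTER)             # ATTACKER -> P2
    stolen = sw.receive("P2", VICTIM, ATTACKER)    # S = victim, D = attacker (slide /2)
    to_victim = sw.receive("P3", ROUTER, VICTIM)   # where does the router's traffic go? (slide /3)
    sw.receive("P1", VICTIM, ATTACKER)             # victim's ARP reply re-learns P1 (slide /4)
    return stolen, to_victim, sw.port_of(VICTIM), sw.log


def mac_flooding(port_security=False, fdb_size=4):
    sw = Switch(["P1", "P2", "P3"], fdb_size=fdb_size, max_age=4,
                max_macs_per_port=1 if port_security else None)
    sw.receive("P1", VICTIM, ROUTER)
    sw.receive("P3", ROUTER, VICTIM)
    fakes = [f"02:00:00:00:00:{i:02x}" for i in range(fdb_size)]
    for _ in range(2):                             # attacker keeps the table full of fakes
        for fake in fakes:
            sw.receive("P2", fake, BROADCAST)
    to_victim = sw.receive("P3", ROUTER, VICTIM)   # victim entry aged out, cannot be re-learned
    return to_victim, sw.port_of(VICTIM), sw.log, sorted(sw.shutdown)


if __name__ == "__main__":
    print("port stealing        :", port_stealing())
    print("  with port security :", port_stealing(True))
    print("MAC flooding         :", mac_flooding())
    print("  with port security :", mac_flooding(True))
```

In port_stealing() the spoofed frame returns an empty list (filtered, invisible to others) yet moves the victim's entry to P2, so the router's next frame goes to the attacker; the victim's own reply moves it back. In mac_flooding() the victim's entry ages out while the table is kept full of fake sources, so it cannot be re-learned and the router's frame is flooded to every port, the attacker's included. With port security enabled the first spoofed source on P2 shuts that port down in both scenarios.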

Remember to mention:
- DNS spoofing
- DHCP spoofing
- ICMP redirect
- How to do ARP poisoning on Solaris (ICMP echo request)

Lecture 2.2

Getting an IP address

RARP/BOOTP/DHCP

Getting an IP address: Reverse Address Resolution Protocol (RARP)

The problem

- Bootstrapping a diskless terminal
  » this was the original problem in the 70s and 80s
- Reverse ARP [RFC 903]
  » a way to obtain an IP address starting from the MAC address
- Today's problem: dynamic IP address assignment
  » limited pool of addresses, assigned only when needed
- RARP is not sufficiently general for modern usage
- BOOTP (Bootstrap Protocol, RFC 951): significant changes with respect to RARP (a different approach)
- DHCP (Dynamic Host Configuration Protocol, RFC 1541, since superseded by RFC 2131): extends and replaces BOOTP

RARP packet format: almost identical to ARP. Differences:

  Ethernet dest addr | Ethernet src addr | frame type 0x8035 | RARP request / reply | CRC
  6 bytes            | 6 bytes           | 2 bytes           | 28 bytes (for IP)    | 4 bytes

  bits 0-7 | 8-15 | 16-31
  word 0:  Hardware type (16 bits)                  | Protocol type (16 bits)
  word 1:  Hardware len (8) | Protocol len (8)      | oper: 3 (RARP request) or 4 (RARP reply)
  word 2:  Sender MAC address (bytes 0-3)
  word 3:  Sender MAC address (bytes 4-5)           | Sender IP address (bytes 0-1)
  word 4:  Sender IP address (bytes 2-3)            | Dest MAC address (bytes 0-1)
  word 5:  Dest MAC address (bytes 2-5)
  word 6:  Dest IP address (bytes 0-3)

RARP request/reply

Booting host: IP = ????, MAC = 0:0:8c:3d:54:1
  Broadcast request: "My MAC address is 0:0:8c:3d:54:1. What is my IP address??"
  Unicast reply (from the RARP server): "Your IP is 131.175.21.53"

RARP limits

- Network traffic
  » for reliability, multiple RARP servers need to be configured on the same Ethernet, to allow bootstrap of terminals even when one server is down
  » but this implies that ALL servers respond simultaneously to a RARP request: contention on the Ethernet occurs
- RARP requests are not forwarded by routers
  » being hardware-level broadcasts...
- Allows retrieving only the IP address
  » and what about the remaining TCP/IP configuration parameters??? Netmask? Names of servers, proxies, etc.? Other proprietary/vendor/ISP-specific info?
  » this is the main reason that has driven the engineering and use of BOOTP and DHCP

Getting an IP address: Dynamic Host Configuration Protocol (DHCP)

Material taken from: RFC 2131, RFC 2132, RFC 1542

BOOTP/DHCP approach

- Client/server model
- Requests/replies = UDP datagrams
  » destination IP = 255.255.255.255, source IP = 0.0.0.0
  » destination (server) port: UDP 67; source (client) port: UDP 68
  » can cross routers (via relay agents)
  » no longer dependent on the physical medium
- DHCP = evolution of BOOTP
  » advanced capabilities for reusing network addresses
  » additional configuration options
  » same BOOTP message format, but more space for configuration information: 312-byte options field vs 64-byte vendor-extensions field
  » backward compatible with BOOTP

DHCP basics

- Goal: "full" host configuration
  » assign IP address
  » assign subnet mask
  » assign gateway IP address
  » assign DNS server
  » assign SMTP server
  » assign <xxx> server
  » ... assign vendor-extension (provider-specific) configuration parameters ...
- Two basic components
  » a protocol, to deliver host-specific configuration parameters (same BOOTP message format)
  » a database mechanism, to manage the allocation of a pool of IP addresses to hosts

Managing IP addresses

- Three mechanisms for IP address allocation
  » Automatic allocation: permanent IP address, picked by the server
  » Dynamic allocation (lease): IP assigned for a limited period of time, or until the host explicitly relinquishes the address; whenever possible, DHCP tries to reassign the same IP
  » Manual allocation: permanent (static) IP address assigned by a human network administrator; DHCP is just used to convey it to the host, eliminating error-prone manual configuration
- DHCP may coexist with manually configured hosts

(Figure: a DHCP server whose database holds IP Address1, IP Address2, IP Address3 hands IP Address2 and IP Address1 to two DHCP clients.)

Protocol basics: 4-way handshake

  DHCP client                      DHCP server
     |---- 1. Discover ------------->|
     |<--- 2. Offer -----------------|
     |---- 3. Request -------------->|
     |<--- 4. Ack -------------------|   DHCP database: MAC addr - IP addr - lease time

- Terminology:
  » DHCP client: host requesting configuration parameters using DHCP
  » DHCP server: host returning configuration parameters to DHCP clients
  » Binding: collection of configuration parameters, including at least an IP address, associated with or "bound to" a DHCP client. Bindings are managed by DHCP servers.

Works with multiple DHCP servers (needed for reliability)

  Server A               Client               Server B
     |<--- DHCPDISCOVER ----|---- DHCPDISCOVER --->|
     |---- DHCPOFFER ------>|<--- DHCPOFFER -------|
     |<--- DHCPREQUEST -----|---- DHCPREQUEST ---->|   (names the selected server)
     |---- DHCPACK -------->|                      |
     |<--- DHCPRELEASE -----|                      |   (later, when the client gives the address back)

1) DHCP DISCOVER

DHCP client (hardware address = 0800F10100EE)  -->  DHCP server
  IP header: IP.src = 0.0.0.0, IP.dst = 255.255.255.255
  DHCP: DHCPDISCOVER

- IP.src = 0.0.0.0: no address assigned yet!
- Broadcast request: the server IP is not known
- Client identification: the hardware address (MAC) or a unique client identifier (may differ)
- The Discover may include options, e.g. desired IP address, lease time

2) DHCP OFFER

DHCP client (hardware address = 0800F10100EE)  <--  DHCP server
  (after the DHCPDISCOVER with IP.src = 0.0.0.0, IP.dst = 255.255.255.255)
  DHCPOFFER: IP.src = 131.107.3.24, IP.dst = 255.255.255.255
    Offered IP address = 131.107.8.13
    Client hardware address = 0800...
    Subnet mask = 255.255.255.0
    Length of lease = 72 hours
    Server identifier = 131.107.3.24

- Broadcast response: the host has no IP address yet (but if unicast is possible, better)
- The host can recognize its own offer from the client identification it carries (HWaddr, client_id)

3) DHCP REQUEST

DHCP client (hardware address = 0800F10100EE)  -->  DHCP server
  DHCPREQUEST: source IP address = 0.0.0.0, dest. IP address = 255.255.255.255
    Requested IP address = 131.107.8.13
    Server identifier = 131.107.3.24

- Includes the chosen server identifier, to deal with multiple DHCP servers
- Includes the accepted IP address
- Broadcast request, to alert the NON-selected DHCP servers (their offers are declined)

4) DHCP ACK

DHCP client (hardware address = 0800F10100EE)  <--  DHCP server
  (after the DHCPREQUEST: source 0.0.0.0, dest 255.255.255.255, requested IP address 131.107.8.13, server identifier 131.107.3.24)
  DHCPACK: source IP address = 131.107.3.24, dest. IP address = 255.255.255.255
    Offered IP address = 131.107.8.13
    Client hardware address = 0800...
    Subnet mask = 255.255.255.0
    Length of lease = 72 hours
    Server identifier = 131.107.3.24
    (... full configuration ...)

- The server binds the configuration and sends the full configuration to the client
- Broadcast response, same situation as the OFFER (the offered IP address is not yet valid; but if unicast is possible, better)

Failure cases

- The IP address is "bound" to the client only at DHCPACK
  » the offered IP might meanwhile have been bound to someone else: not very logical, but permitted
  » if this occurs, the server responds with DHCPNAK
- Further double-checks are necessary
  » the client may perform ARP to check the validity of the IP address
  » the server may "ping" (ICMP echo request) the address, before and/or after assignment
- If, for any reason, configuration problems are found in the DHCPACK, the client responds with a DHCPDECLINE message, e.g. when it detects that the assigned address is already in use
- Restart the procedure upon DHCPNAK reception or DHCPDECLINE transmission
  » but wait for a while (typically > 10 s)

DHCP operation: details and example traces

DHCP message format

  bits 0-7         | 8-15          | 16-23         | 24-31
  operation (op)   | hardware type | hardware len  | hops
  transaction ID (xid), 4 bytes
  seconds elapsed, 2 bytes         | flags, 2 bytes (bit 1 = broadcast, other 15 unused)
  client IP address (ciaddr), 4 bytes
  'your' (client) IP address (yiaddr), 4 bytes
  DHCP server IP address (siaddr), 4 bytes
  gateway (DHCP relay agent) IP address (giaddr), 4 bytes
  client hardware address (chaddr), 16 bytes
  server host name, string (sname), 64 bytes
  boot file name, string (file), 128 bytes, for bootstrap purposes (BOOTP)
  options (variable, up to 312 bytes)

Size: 236 fixed bytes + up to 312 option bytes = 548 bytes; + 20 (IP header) + 8 (UDP header) = 576 bytes, the largest datagram every IP host is required to accept (RFC 791), hence the "max UDP" limit.

DHCP message fields /1

- op = operation (message type)
  » 1 = BOOTREQUEST (client -> server)
  » 2 = BOOTREPLY (server -> client)
- htype/hlen: same as ARP
  » htype: 1 byte only (vs 2 bytes in ARP)
  » example, Ethernet: htype = 0x01, hlen = 0x06
- xid = transaction ID
  » randomly chosen 32-bit string
  » to match requests and replies
- secs = seconds
  » from boot time? Or from the first request (see RFC 1542)?
  » semantically imprecise, and unused in practice
- file = boot file name
  » for bootstrapping purposes
  » may be overloaded with options
- sname = server host name
  » may be overloaded with options

DHCP message fields /2

- hops = used when going through routers
  » initially set to 0
- flags = B000.0000.0000.0000
  » B: 1 = broadcast reply required; 0 = may use unicast reply
  » all other 15 bits reserved (must be set to 0)
- chaddr = client hardware address
  » e.g. Ethernet 6-byte address
- ciaddr = client IP address
  » only filled if the client already has a PROPERLY assigned IP address, i.e. in the BOUND, RENEWING or REBINDING states
  » never filled while address allocation is in progress
- yiaddr = "your" (client) IP address
  » offered/assigned by the DHCP server
- siaddr = address of the server to use in the next bootstrap step
- giaddr = gateway address
  » relay agent IP address
  » used when relay agents are involved (i.e. crossing routers)

DHCP DISCOVER (trace)

Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
    0... .... .... .... = Broadcast flag: Unicast
    .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Discover
Option 57: Maximum DHCP Message Size = 548
Option 50: Requested IP Address = 10.163.57.124
Option 51: IP Address Lease Time = infinity
Option 55: Parameter Request List
    1 = Subnet Mask
    3 = Router
    6 = Domain Name Server
    12 = Host Name
    15 = Domain Name
    17 = Root Path
    23 = Default IP Time-to-Live
    28 = Broadcast Address
    29 = Perform Mask Discovery
    31 = Perform Router Discover
    33 = Static Route
    40 = Network Information Service Domain
    41 = Network Information Service Servers
    42 = Network Time Protocol Servers
Option 60: Vendor class identifier = "Linux 2.4.22-acpi i686"
Option 61: Client identifier
    Hardware type: Ethernet
    Client hardware address: 00:0c:6e:0e:f1:60
End Option
Padding

DHCP OFFER (trace)

Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
    0... .... .... .... = Broadcast flag: Unicast
    .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.100.18 (192.168.100.18)
Next server IP address: 192.168.100.1 (192.168.100.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Offer
Option 54: Server Identifier = 192.168.100.1
Option 51: IP Address Lease Time = 2 minutes
Option 1: Subnet Mask = 255.255.255.0
Option 3: Router = 192.168.100.1
Option 6: Domain Name Server = 192.168.100.1
Option 15: Domain Name = "prova.it"
End Option
Padding

DHCP REQUEST (trace)

Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
    0... .... .... .... = Broadcast flag: Unicast
    .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Request
Option 57: Maximum DHCP Message Size = 548
Option 54: Server Identifier = 192.168.100.1
Option 50: Requested IP Address = 192.168.100.18
Option 51: IP Address Lease Time = 2 minutes
Option 55: Parameter Request List
    1 = Subnet Mask
    3 = Router
    6 = Domain Name Server
    12 = Host Name
    15 = Domain Name
    17 = Root Path
    23 = Default IP Time-to-Live
    28 = Broadcast Address
    29 = Perform Mask Discovery
    31 = Perform Router Discover
    33 = Static Route
    40 = Network Information Service Domain
    41 = Network Information Service Servers
    42 = Network Time Protocol Servers
Option 60: Vendor class identifier = "Linux 2.4.22-acpi i686"
Option 61: Client identifier
    Hardware type: Ethernet
    Client hardware address: 00:0c:6e:0e:f1:60
End Option
Padding

DHCP ACK (trace)

Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
    0... .... .... .... = Broadcast flag: Unicast
    .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.100.18 (192.168.100.18)
Next server IP address: 192.168.100.1 (192.168.100.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP ACK
Option 54: Server Identifier = 192.168.100.1
Option 51: IP Address Lease Time = 2 minutes
Option 1: Subnet Mask = 255.255.255.0
Option 3: Router = 192.168.100.1
Option 6: Domain Name Server = 192.168.100.1
Option 15: Domain Name = "prova.it"
End Option
Padding

Options

- First 4 bytes of the option field: reserved for the "magic cookie"
  » dotted decimal: 99.130.83.99
  » hexadecimal: 63.82.53.63
- Fixed-length options: just a 1-byte tag (code). Only two cases:
  » 0 (0x00, PAD)
  » 255 (0xFF, END of options)
- Variable-length options:
  » 1-byte TAG (code), uniquely identifies the option
  » 1-byte LEN, size of the data field in bytes
  » LEN bytes of DATA (the parameter exchanged)

  Tag (1 byte) | Len (1 byte) | parameter exchanged (Len bytes)
  PAD: 00000000 (1 byte)
  END: 11111111 (1 byte)


A taste of BOOTP/DHCP options (complete list: RFC 2132)

  Tag  Len  Meaning
  1    4    Subnet mask
  12   n    Host name
  35   4    ARP cache timeout (s)
  36   1    0/1 (0 = use Ethernet II encapsulation; 1 = use 802.3 encapsulation)

Many others for setting IP and TCP parameters. Some examples:

- TTL to use in IP
- settings for Path MTU Discovery (aging time; plateau table)
- static routes (IP addr – gateway) to add to the local routing table

BOOTP/DHCP options for various server selections

  e.g. option 6:   6 | n | address #1 | address #2 | ...   (n multiple of 4)

- Network administrator may offer a number of services
  - based on network servers (or gateways)
- Options 3-11 (and many others) list server IP addresses
  - in order of preference
- Examples:
  - 3 = gateways (routers) on client subnet
  - 4 = time servers
  - 6 = DNS name servers
  - 7 = log servers
  - 8 = RFC 865 cookie servers
  - 9 = RFC 1179 line printer servers
  - ...
  - 41 = Network Information Servers
  - 42 = Network Time Protocol servers
  - 45 = NetBIOS Datagram Distribution servers (NBDD - RFC 1000-1001)
  - 48 = X Window System font servers
  - 49 = X Window System Display Manager
  - 68 = Mobile IP home agent
  - 69 = SMTP servers
  - 70 = POP3 servers

Vendor-specific option

- Allows DHCP to support any proprietary configuration
  - vendor-specific
  - not intelligible to non-vendor clients and DHCP servers

  43 | n | Vendor-specific information
  (the data field is itself a sequence of sub-options: T1 n1 data1 ... Tk nk datak)

- Vendor identification:
  - option 60: vendor class identifier option
  - string of n octets

Subset of DHCP-specific options (not BOOTP)

  Option                       Tag  Len  Data
  50: Requested IP Address     50   4    IP address
  51: IP Address Lease Time    51   4    lease time (s)
  52: Option overload          52   1    1/2/3: 1 = 'file' field used to hold options;
                                         2 = 'sname' field used to hold options;
                                         3 = both fields used to hold options
  53: DHCP Message Type        53   1    1-8: 1 = DHCPDISCOVER, 2 = DHCPOFFER, 3 = DHCPREQUEST,
                                         4 = DHCPDECLINE, 5 = DHCPACK, 6 = DHCPNAK,
                                         7 = DHCPRELEASE, 8 = DHCPINFORM
  54: Server Identifier        54   4    IP address
  57: DHCP Max msg size        57   2    L1 L2: >= 576 (IP minimum; DHCP payload = 548),
                                         which is the minimum legal value

Parameter request

- Selective request of configuration parameters
  - not all clients need all possible parameters (a lot!)
  - some default configurations may be OK
- Via the "parameter request list" option (#55)
  - N bytes
  - each byte is a code tag: #code = requested parameter
    » server will respond with option #code

  55: Parameter Request List   55 | n | c1 c2 ... cn

- Parameter suggestion possible
  - for the network address: via the 'requested IP address' option
  - for the lease time: via 'IP address lease time'
  - other (minor) suggestions possible

Client identifier

- Unique client name
  - may differ from the MAC address
  - very important extension/generalization!!
- Very general coding allowed through option 61

  61 | n | type | addr

  type/addr = ARP coding (hardware type / hardware address – full list in RFC 1700)
  If type = 0, addr = any string (typically, a fully qualified domain name)
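As an added example (not from the lecture), a Python parser for the option field described in the Options slide, decoding the DHCP-specific options, the parameter request list (55) and the client identifier (61) of the slides above. The sample option bytes are constructed from the DHCPACK capture shown earlier; the length check keeps a bad LEN byte from reading past the end of the buffer.

```python
import struct
from ipaddress import IPv4Address
MAGIC_COOKIE = bytes.fromhex("63825363")   # 99.130.83.99 in dotted decimal
PAD, END = 0, 255                          # the only two fixed-length (1-byte) options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def parse_options(field):
    """Magic cookie, then TAG/LEN/DATA triples up to the END tag -> {tag: raw bytes}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing magic cookie")
    opts, i = {}, 4
    while i < len(field):
        tag = field[i]
        if tag == PAD:                   # 1-byte option, no LEN byte follows
            i += 1
            continue
        if tag == END:                   # 1-byte option, stop here
            return opts
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:          # LEN claims more bytes than the buffer holds
            raise ValueError("option %d truncated" % tag)
        opts[tag] = data
        i += 2 + length
    raise ValueError("option field has no END tag")

def decode_options(opts):
    """Interpret the options discussed on the slides; others stay as raw bytes."""
    out = dict(opts)
    for tag, data in opts.items():
        if tag in (1, 3, 6, 50, 54):     # netmask, router/DNS lists, requested IP, server id
            out[tag] = [str(IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]
        elif tag == 51:                  # lease time, 4-byte seconds
            out[tag] = struct.unpack("!I", data)[0]
        elif tag == 53:                  # DHCP message type, 1-8
            out[tag] = MSG_TYPES.get(data[0], data[0])
        elif tag == 55:                  # parameter request list: one option code per byte
            out[tag] = list(data)
        elif tag == 61:                  # client identifier: hardware type + address (type 0: string)
            out[tag] = (data[0], data[1:].hex(":") if data[0] else data[1:].decode())
        elif tag in (12, 15, 60):        # host name, domain name, vendor class identifier
            out[tag] = data.decode()
    return out
# Constructed from the DHCPACK capture above: ACK from 192.168.100.1, 2-minute lease,
# mask 255.255.255.0, router 192.168.100.1, domain "prova.it", then END and padding.
ACK_OPTIONS = (MAGIC_COOKIE + bytes([53, 1, 5]) + bytes([54, 4, 192, 168, 100, 1])
               + bytes([51, 4]) + struct.pack("!I", 120) + bytes([1, 4, 255, 255, 255, 0])
               + bytes([3, 4, 192, 168, 100, 1]) + bytes([15, 8]) + b"prova.it" + bytes([END]) + bytes(8))
```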

Reusing a permanent IP address (e.g. reconfigure after system reboot)

Figure (from the slide): the client broadcasts a DHCPREQUEST that reaches both servers; each server replies with a DHCPACK.

- Client does not have an IP address available
  - hence broadcast request and broadcast response
  - but has a requested IP address known from history (to suggest), and a client identifier (unique)
- A configuration is already pre-stored in the DHCP server(s)
  - if in multiple servers, this is consistent
  - only servers with KNOWLEDGE of the previous configuration will respond; hence multiple responses are consistent
- No need for the 4-way handshake
  - this is how BOOTP worked in the past
- Special failure case: host moved to another subnet
  - servers return DHCPNAK; at this point the 4-way handshake is restarted

Renewing a lease

- Dynamically allocated client - possible states:
  - BOUND: lease has been obtained
  - RENEWING: T1 = 50% of the lease time has expired (+/- small random)
    » client attempts to contact THE SERVER that originally issued the address
    » unicast DHCPREQUEST
  - REBINDING: T2 = 87.5% of the lease time has expired (+/- small random)
    » client attempts to contact ALL SERVERS
    » broadcast DHCPREQUEST
- T1, T2 can be set to other values
  - via options:

  68: Renewal (T1) Time Value     68 | 4 | T1 setting (s)
  69: Rebinding (T2) Time Value   69 | 4 | T2 setting (s)
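The client-side lease timers of this slide (BOUND, RENEWING with unicast DHCPREQUEST, REBINDING with broadcast DHCPREQUEST) and the DHCPNAK restart of the previous slide, as an added Python example that is not part of the lecture. Lease length and server address are those of the captures (120 s lease issued by 192.168.100.1); the random jitter on T1/T2 is left out, and explicit T1/T2 values are taken as plain parameters.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "255.255.255.255"

@dataclass
class Lease:
    ip: str                    # yiaddr from the DHCPACK
    server_id: str             # option 54 of the DHCPACK that issued the address
    lease_time: int            # option 51, seconds
    t0: float                  # time the DHCPACK was received
    t1: Optional[int] = None   # explicit renewal time, if the server sent one
    t2: Optional[int] = None   # explicit rebinding time, if the server sent one

    def timers(self):
        """Defaults from the slide: T1 = 50%, T2 = 87.5% of the lease time."""
        t1 = self.t1 if self.t1 is not None else self.lease_time // 2
        t2 = self.t2 if self.t2 is not None else int(self.lease_time * 0.875)
        return t1, t2

    def state(self, now):
        """State of the client at time `now` (seconds on the same clock as t0)."""
        t1, t2 = self.timers()
        age = now - self.t0
        for limit, name in ((t1, "BOUND"), (t2, "RENEWING"), (self.lease_time, "REBINDING")):
            if age < limit:
                return name
        return "INIT"                  # lease expired: the address must no longer be used

    def next_message(self, now):
        """(message, addressing, destination) the client sends in the current state."""
        st = self.state(now)
        if st == "RENEWING":           # only the server that issued the address
            return ("DHCPREQUEST", "unicast", self.server_id)
        if st == "REBINDING":          # any server that can extend the lease
            return ("DHCPREQUEST", "broadcast", BROADCAST)
        if st == "INIT":               # restart the 4-way handshake
            return ("DHCPDISCOVER", "broadcast", BROADCAST)
        return None                    # BOUND: nothing to send

    def on_reply(self, msg_type, now, lease_time=None):
        """DHCPACK restarts the timers; DHCPNAK cancels the lease (back to INIT)."""
        if msg_type == "DHCPACK":
            self.t0, self.lease_time = now, lease_time or self.lease_time
        elif msg_type == "DHCPNAK":
            self.lease_time = 0        # no usable lease: state() now reports INIT
        return self.state(now)

# Constructed from the captures above: 2-minute lease issued by 192.168.100.1 at t = 0.
LEASE = Lease("192.168.100.18", "192.168.100.1", 120, 0.0)
```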

DHCPREQUEST in renewing state (T1 = 60 sec)

Frame 11 (590 bytes on wire, 590 bytes captured)
Arrival Time: Mar 10, 2004 16:26:23.016035000
Time delta from previous packet: 60.007015000 seconds
IP Source: 192.168.100.18 (192.168.100.18)
IP Destination: 192.168.100.1 (192.168.100.1)
Source port: bootpc (68)
Destination port: bootps (67)
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0xd2e0ab07
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
    0... .... .... .... = Broadcast flag: Unicast
    .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 192.168.100.18 (192.168.100.18)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
....
Option 53: DHCP Message Type = DHCP Request
....

DHCPACK as response to renewing request

Frame 12 (342 bytes on wire, 342 bytes captured)
Arrival Time: Mar 10, 2004 16:26:23.017271000
Time delta from previous packet: 0.001236000 seconds
IP Source: 192.168.100.1 (192.168.100.1)
IP Destination: 192.168.100.18 (192.168.100.18)
Source port: bootps (67)
Destination port: bootpc (68)
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0xd2e0ab07
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
    0... .... .... .... = Broadcast flag: Unicast
    .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 192.168.100.18 (192.168.100.18)
Your (client) IP address: 192.168.100.18 (192.168.100.18)
Next server IP address: 192.168.100.1 (192.168.100.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
....
Option 53: DHCP Message Type = DHCP ACK
Option 54: Server Identifier = 192.168.100.1
Option 51: IP Address Lease Time = 2 minutes
....

Summary of DHCP messages (basic messages)

- DHCPDISCOVER (C → S, broadcast)
  - goal: locate available servers
- DHCPOFFER (S → C, unicast or broadcast)
  - in response to DHCPDISCOVER
  - offer of configuration parameters
- DHCPREQUEST (C → S, broadcast – unicast on renew)
  - may come for:
    1. client responding to an offer: requests the offered parameters from one server and implicitly declines offers from all others; contains the server identifier option (54)
    2. client verifying a previously allocated address (e.g. after system reboot)
    3. client extending a lease; contains a valid ciaddr
- DHCPACK (S → C, unicast or broadcast)
  - commits configuration parameters

Summary of DHCP messages (failure + additional messages)

- DHCPNAK (S → C, unicast or broadcast)
  1. incorrect address request (e.g. client has moved to another subnet)
  2. client's lease has expired
- DHCPDECLINE (C → S, broadcast)
  - client has discovered (via external means) that the address is already in use
  - notifies the server
- DHCPRELEASE (C → S, unicast)
  - not necessary for correct DHCP operation
  - release of the allocated network address (cancels the remaining lease), e.g. upon graceful shut-down
- DHCPINFORM (C → S, broadcast)
  - new command (first time in RFC 2131)
  - client already has a VALID IP, i.e. is NOT checking or renewing a binding
  - just asks for additional (local) configuration

State diagram (simplified)

States: INIT, SELECTING, REQUESTING, BOUND, RENEWING, REBINDING.

Transitions (from the slide figure):

  INIT       -> SELECTING   send DHCPDISCOVER
  SELECTING  -> REQUESTING  collect DHCPOFFER and select; send DHCPREQUEST
  REQUESTING -> BOUND       DHCPACK
  BOUND      -> RENEWING    50% expired: send unicast DHCPREQUEST
  RENEWING   -> BOUND       DHCPACK
  RENEWING   -> REBINDING   87.5% expired: send broadcast DHCPREQUEST
  REBINDING  -> BOUND       DHCPACK
  BOUND      -> INIT        lease cancelled: DHCPRELEASE
  REBINDING  -> INIT        lease expired or any network halt
  REQUESTING / RENEWING / REBINDING -> INIT   DHCPNAK

DHCP operation across routers

Figure (from the slide): an example enterprise network with the public Internet, a DMZ (DMZ router, firewall, home agent, call server, external WWW/FTP server, external DNS server, mail forwarder, mail server), an internal server farm, employee subnet 1 and other subnets; DHCP servers appear in the DMZ and in the server farm.

DHCP servers may be placed behind routers.

Client of a different subnet: issues

- 1 DHCP server per each subnet: not reasonable
  - consider the case of a department with several subnets
- Issue 1: broadcast does not cross subnet scope
  - broadcast is limited to a single subnet
  - how to allow DHCP requests/replies to cross routers?
- Issue 2: client address needs to be consistent with client subnet
  - the address assigned to a client MUST be consistent with the client's subnet

BOOTP (DHCP) relay agent

- Solution proposed for BOOTP
  - and fully inherited by DHCP
- Typically a router
  - but not necessarily – can be a host
- One relay agent per each subnet
  - must be reached via broadcast request
- Relay agent contacts selected DHCP server(s)
  - relay policy (which servers and why): sysadmin decision
    » based on address range
    » based on chaddr
    » load balancing (requires care with DHCP!)
  - relay addressing: may be unicast, multicast or broadcast (on selected router interfaces)

Figure (from the slide): subnets A, B and C connected through two relay agents.

Relay agent

- Acts as a proxy
- Intercepts the C → S request (port 67)
- Modifies the DHCP request
  - sets giaddr to the IP address of the interface that received the DHCP request
    » since this interface is on the same subnet as the client, the DHCP server will be able to find out which subnet the client is attached to
  - updates the hops counter
  - recomputes the UDP checksum (of course...)
- Forwards the request to the DHCP server(s)
  - unicast, multicast or broadcast addressing
- S → C: relays only to end clients
  - no multi-hop allowed
  - server must use the relay agent address in replies
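The relay-agent and server-side handling just described, as an added Python example over the fixed BOOTP header (not the lecture's code): the relay stamps giaddr only when it is still zero, updates hops and refuses requests that have been relayed too many times; the server uses giaddr to pick the client's subnet and addresses its reply to the relay, never to a further hop. The hop limit of 16 is the RFC 1542 default; the subnet and relay addresses are constructed, while xid and chaddr come from the captures above.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Fixed BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr(16)
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16                      # RFC 1542 default: discard a request relayed more often
ZERO = bytes(4)

def relay_request(frame, rx_iface_ip):
    """Relay agent, C -> S direction: request received on port 67 of interface rx_iface_ip.
    Returns the request to forward to the server(s), or None if it must be dropped."""
    f = list(HDR.unpack_from(frame))
    op, hops, giaddr = f[0], f[3], f[10]
    if op != BOOTREQUEST or hops > MAX_HOPS:    # only requests, and no relay loops
        return None
    if giaddr == ZERO:                          # first relay on the path stamps its
        f[10] = IPv4Address(rx_iface_ip).packed # client-facing address; later relays keep it
    f[3] = hops + 1                             # hops counter updated
    return HDR.pack(*f) + frame[HDR.size:]      # UDP checksum is recomputed when re-sent

def server_scope(frame, rx_iface_ip, scopes):
    """Server side: the client's subnet is the one containing giaddr (or the server's own
    receiving interface when giaddr is zero, i.e. the client is directly attached)."""
    giaddr = HDR.unpack_from(frame)[10]
    anchor = IPv4Address(rx_iface_ip if giaddr == ZERO else giaddr)
    return next((net for net in scopes if anchor in net), None)

def server_reply_dest(request, offered_ip):
    """S -> C direction: a relayed request is answered to the relay agent (giaddr, port 67)
    and never to a further relay; otherwise to ciaddr (renewing client), else broadcast."""
    f = HDR.unpack_from(request)
    flags, ciaddr, giaddr = f[6], f[7], f[10]
    if giaddr != ZERO:
        return (str(IPv4Address(giaddr)), 67)
    if ciaddr != ZERO:
        return (str(IPv4Address(ciaddr)), 68)
    if flags & 0x8000:                          # broadcast flag set by the client
        return ("255.255.255.255", 68)
    return (offered_ip, 68)                     # unicast to the offered address via chaddr

# Constructed DHCPREQUEST header of a client with no address yet, with the xid and chaddr
# of the capture above; the subnets and relay addresses below are placeholders.
CHADDR = bytes.fromhex("000c6e0ef160") + bytes(10)
REQUEST = HDR.pack(BOOTREQUEST, 1, 6, 0, 0xD2E0AB07, 10, 0x0000, ZERO, ZERO, ZERO, ZERO, CHADDR)
SCOPES = [IPv4Network("192.168.100.0/24"), IPv4Network("10.0.1.0/24")]
```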