Basic elements of IP and its interaction with Ethernet: IP addressing, Forwarding, ARP, ARP poisoning. Marco Bonola, Lorenzo Bracciale. Corso di Fondamenti di Reti e Segnali, Prof. Giuseppe Bianchi, A.A. 2010
What we are going to see...
- Internet Protocol as a common language to interconnect networks of different technologies
- Interaction between Ethernet and IP: Address Resolution Protocol, with the help of Wireshark
- Some IP and ARP management with Linux
- A simple yet powerful attack: ARP poisoning
- Real deployment: LINUX
Internet Protocol Basics
Internet Protocol (IP): What do we need it for?
There are many different LAN technologies (WiFi, Ethernet) because there are many different needs:
- wireless connectivity: UMTS, WiFi, WiMax
- high-speed cable data transfer: FDDI
- cheap cable data transfer: Ethernet
- low energy consumption: Bluetooth, ZigBee
How do different hosts on different LANs communicate with each other? They need a common language! InterNet Protocol
Internet Protocol Motivation
"The Internet Protocol is designed for use in interconnected systems of packet-switched computer communication networks. [...] The internet protocol provides for transmitting blocks of data called datagrams from sources to destinations [...]" http://www.ietf.org/rfc/rfc791.txt
[Figure: a source and a destination connected through the Internet across GPRS, UMTS, WiFi, WiMAX, Token Ring and Ethernet networks]
Internet Protocol Actors: Hosts, Routers
IP Address Anatomy
Each IPv4 host MUST have a UNIQUE 32-bit identifier called an IP address.
Example (machine representation): 11010001 01010101 10000001 01100011
Humans don't like long binary strings and prefer to use the dotted decimal notation.
Example (human representation): 209.85.129.99
Well, IP addresses expressed in dotted decimal notation are also hard to remember. Names sound better.
Example (extra service): 209.85.129.99 <- DNS -> www.google.it
Internet Protocol Model of Operation
What is a ROUTER (Gateway)? A router interconnects two or more LANs [1] and implements IP to forward datagrams between these networks. It has one IP address for each LAN it connects.
[1] Not 100% correct, but for our scope it's OK like this.
[Figure: Source 160.80.103.147 and Destination 72.14.234.14, connected through a WiFi LAN, a "Whatever" LAN and an Ethernet LAN over ADSL, optical fiber, WiMAX and "whatever" links]
Internet Protocol Model of Operation
"IP datagrams are routed from one internet module to another through individual networks based on the interpretation of an internet address" (RFC 791)
Application data is encapsulated in an IP datagram and sent to the destination (we'll see later on how...).
Basically, for each received datagram, IP looks at the destination IP address and determines whether:
1. the packet is for us: the content of the IP datagram is passed to "higher levels"
2. the packet is for someone else:
   a. Router: IP "finds out" the next hop on the same network
   b. Host: the datagram is discarded
This simple behavior is repeated hop by hop from SOURCE to DESTINATION.
Example: Let's go on Facebook! (Wireshark analysis) Traceroute
A practical example: Traceroute
IPv4 datagram snapshot en.wikipedia.org/wiki/ipv4
How do routers find the way to Facebook?????
- Idea! Each router knows the best next hop for all the possible destinations! Not too smart: there are 2^32 possible addresses.
- Idea! We can ask for each packet! With 10 Gbps???
We need a way to group IP addresses and to allow quick lookup.
The Mask
A mask is a set of 32 bits: some 1s followed by 0s.
Example:
  binary:          1111.1111 1111.1111 1111.1111 0000.0000
  dotted decimal:  255.255.255.0
  slash prefix:    /24
192.168.1.0 with mask 255.255.255.0 defines a range: from 192.168.1.0 to 192.168.1.255. If we bitwise AND any of these IP addresses with the mask, we obtain the same result: 192.168.1.0
Routing Table
How does IP determine the next HOP? A special table that maps a "destination" to a "next hop" is looked up.
Major fields:
- Destination: host or network
- Mask: used to match the destination
- Next Hop: IP address (on the same network as the output device) of the next IP host to which we send the packet
- Output device: physical device used to send the packet

Destination     Mask            Next hop        Output device
192.168.100.0   255.255.255.0   *               eth0
0.0.0.0         0.0.0.0         192.168.100.1   eth0

Forwarding look up algorithm
For each received packet ("non local" dest. IP address), for each Routing Table entry:
- the IP destination address is ANDed with the Mask field
- the result of the previous operation is compared with the Destination field:
  - if the 2 values match, the packet is passed to the resulting output device (and sent to the next hop... we'll see later on how)
  - otherwise, do nothing and consider the next entry
If multiple entries match, choose the one with the biggest mask (longest prefix match).
The last entry is called the "default GW" entry: it always matches, but it is the last entry to check according to the longest prefix match.
Host Routing Tables: hosts have routing tables too. Why send a packet to a router if the destination is in my LAN?
Forwarding look up example

Destination   Mask              Next hop    Output device
8.8.8.10      255.255.255.255   100.0.0.1   eth1
192.168.1.0   255.255.255.0     *           eth0
5.0.0.0       255.255.0.0       200.0.0.1   eth2
4.0.0.0       255.0.0.0
default       0.0.0.0           100.0.0.1   eth3

Example: let's see some routing tables
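The look up algorithm above, run over the example table, as an added example that is not part of the original slides. The function names are assumptions made for the illustration, and the 4.0.0.0 / 255.0.0.0 row is left out because its next hop and output device do not appear on the slide.

```python
import ipaddress

# Rows from the slide's example table ("*" = directly connected, no next hop).
# The slide's "default" row is written here as destination 0.0.0.0, mask 0.0.0.0.
ROUTING_TABLE = [
    ("8.8.8.10",    "255.255.255.255", "100.0.0.1", "eth1"),
    ("192.168.1.0", "255.255.255.0",   "*",         "eth0"),
    ("5.0.0.0",     "255.255.0.0",     "200.0.0.1", "eth2"),
    ("0.0.0.0",     "0.0.0.0",         "100.0.0.1", "eth3"),
]


def to_int(dotted):
    """Dotted decimal -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_valid_mask(mask):
    """True if the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def lookup(dst, table=ROUTING_TABLE):
    """Return (next_hop, device) by longest prefix match, or None if nothing matches."""
    dst_int = to_int(dst)
    best, best_len = None, -1
    for dest, mask, next_hop, device in table:
        if not is_valid_mask(mask):
            raise ValueError(f"non-contiguous mask: {mask}")
        mask_int = to_int(mask)
        if (dst_int & mask_int) != to_int(dest):
            continue  # no match: consider the next entry
        prefix_len = bin(mask_int).count("1")
        if prefix_len > best_len:  # keep the entry with the biggest mask
            # "*" means the destination is on our own LAN: deliver to it directly
            best = (dst if next_hop == "*" else next_hop, device)
            best_len = prefix_len
    return best


if __name__ == "__main__":
    for ip in ("8.8.8.10", "8.8.8.11", "192.168.1.77", "5.0.200.1", "5.1.0.1"):
        print(ip, "->", lookup(ip))
```

8.8.8.11 and 5.1.0.1 fall through to the default entry: the first misses the /32 host route by one address, the second lies outside 5.0.0.0 with mask 255.255.0.0.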
Private IP addressing
IP addresses are not as many as you might think:
- 2^32 addresses = 4 294 967 296
- Some are reserved (broadcast, network, link local, experimental, military, etc...)
- Think of all the devices you have that can access the internet...
3 IP address classes are reserved as "private": 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16
- Non-routable addresses
- Network Address Translation, NAT (BAD! BAD! BAD!)
IP and Ethernet interaction
IP encapsulation into L2 frames
How are IP datagrams physically delivered to the destination? Do they fly over birds? (see RFC 1149)
- IP datagrams are passed to the L2 device driver and encapsulated within L2 frames
- The specific technology of the output depends on the output device indicated by the matching routing table entry (from now on, Ethernet)
- MAC source/destination address associated to the IP source/destination address of the IP datagram
- The specific L2 technology is used to send the frame
- At the destination, the Ethernet driver checks the MAC address (and the CRC). If the frame is locally addressed, it is passed to the IP layer. Otherwise it is discarded.
MAC ADDRESSES CHANGE AT EACH HOP; IP ADDRESSES REMAIN THE SAME. Don't believe it? Let's sniff packets from a router!
...Is there something missing?
Routing decision result: an IP address on this subnet. How can we send data to the interfaces?
- Need to use physical network facilities!
- Encapsulate the packet in a datalink frame
- Deliver according to the local networking technology (e.g. Ethernet) to the destination
- The destination is NOT an IP address but a hardware address
We didn't say anything about MAC addresses.
Address Resolution Protocol
- Dynamic mapping: not a concern for application & user; not a concern for system administrator!
- Any network layer protocol: not IP specific
- Supported protocol in datalink layer: not a datalink layer protocol!!!!
- Needs a datalink with broadcasting capability, e.g. Ethernet shared bus
Note: ARP NOT STRICTLY NECESSARY! May have manual IP-MAC mapping:
- tedious, error prone, requires manual updating
- e.g. when attaching a new PC, must touch all others
[Figure: 32-bit IP address to 48-bit Ethernet address via ARP; the reverse direction via RARP]
ARP: RFC 826. Here described for Ethernet, but valid for more general networks: designed for any datalink with broadcast capabilities.
ARP idea
[Figure: hosts 131.175.15.8, 131.175.15.12 and 131.175.15.124 on one LAN. A broadcast request is sent: "Who has IP address 131.175.15.124?" One host answers "Not me!", another "That's me!"]
ARP idea
[Figure: the same hosts. The host that answered "That's me!" returns its MAC address 0:0:a2:32:5a:3; the requester receives a unicast response]
ARP Cache
Avoids an ARP request for every IP datagram!
- Entry lifetime defaults to 20 min; an entry is deleted if not used in this time
- 3 min for incomplete cache entries (ARP requests to a non-existent host)
- it may be changed in some implementations, in particularly stable (or dynamic) environments
Updating the cache:
- ARP requests carry the requestor IP/MAC pair
- ARP requests are broadcast; thus, they MUST be read by everyone
- Therefore, it comes for free, for every computer, to update its cache with the requestor pair
- Cannot do this with the ARP reply, as it is unicast!
Sample ARP request/reply: Wireshark capture, ARP cache
ARP request/reply: Encapsulation in Ethernet Frame

Ethernet destination address | Ethernet source address | type    | ARP Request / Reply | CRC
6 bytes                      | 6 bytes                 | 2 bytes | 28 bytes (for IP)   | 4 bytes

- Ethernet Destination Address: ff:ff:ff:ff:ff:ff (broadcast) for ARP request
- Ethernet Source Address: that of the ARP requester
- Frame Type (protocol demultiplexing codes!): ARP request/reply: 0x0806; RARP request/reply: 0x8035; IP datagram: 0x0800
ARP request/reply format (28 bytes, shown as 32-bit rows)

bits 0-15                                            | bits 16-31
Hardware Type                                        | Protocol Type
Hardware len (bits 0-7), Protocol len (bits 8-15)    | ARP operation
Sender MAC address (bytes 0-3)
Sender MAC address (bytes 4-5)                       | Sender IP address (bytes 0-1)
Sender IP address (bytes 2-3)                        | Dest MAC address (bytes 0-1)
Dest MAC address (bytes 2-5)
Dest IP address (bytes 0-3)

- Hardware type: 1 for Ethernet
- Protocol type: 0x0800 for IP (0000.1000.0000.0000), the same as the Ethernet header field carrying an IP datagram!
- Hardware len = 6 bytes (for Ethernet)
- Protocol len = 4 bytes for IP
- ARP operation: 1=request; 2=reply; 3/4=RARP req/reply
Sample ARP request/reply
Hosts: IP 131.175.15.8, MAC 0:0:8c:3d:54:1 and IP 131.175.15.24, MAC 0:4f:33:3:ee:67

Field                        Ethernet Packet: ARP REQUEST   Ethernet Packet: ARP reply
dest MAC                     FF:FF:FF:FF:FF:FF              00:00:8c:3d:54:01
src MAC                      00:00:8c:3d:54:01              00:4f:33:03:ee:67
ARP frame type               0x0806                         0x0806
Ethernet / IP                0x0001 0x0800                  0x0001 0x0800
MAC=6 / IP=4 / rq=1,rpl=2    0x06 0x04 0x0001               0x06 0x04 0x0002
src MAC                      00:00:8c:3d:54:01              00:4f:33:03:ee:67
src IP                       131.175.15.8                   131.175.15.24
dest MAC                     00:00:00:00:00:00              00:00:8c:3d:54:01
dest IP                      131.175.15.24                  131.175.15.8
Ethernet checksum            checksum                       checksum
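A parser for the frame layout described above, applied to the slide's sample ARP request rebuilt byte by byte (added example, not part of the original slides). The function and key names are assumptions, the trailing CRC is omitted, and the src_mismatch flag is an extra check added here.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
OPS = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}


def mac(raw):
    """6 raw bytes -> colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame):
    """Parse an Ethernet frame (CRC stripped) carrying ARP for Ethernet/IPv4."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet header + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: frame type 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IP ARP packet")
    return {
        "eth_dst": mac(eth_dst), "eth_src": mac(eth_src),
        "op": OPS.get(op, f"unknown({op})"),
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
        # Nothing in ARP authenticates the sender MAC field, so a value that
        # differs from the Ethernet source address deserves a second look.
        "src_mismatch": eth_src != sha,
    }


# The slide's sample ARP request, field by field (constructed from its values).
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff" "00008c3d5401" "0806"      # dest MAC, src MAC, frame type
    "0001" "0800" "06" "04" "0001"            # Ethernet, IP, lens, op=request
    "00008c3d5401" + socket.inet_aton("131.175.15.8").hex()
    + "000000000000" + socket.inet_aton("131.175.15.24").hex())

if __name__ == "__main__":
    print(parse_arp_frame(SAMPLE_REQUEST))
```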
ARP Cache, Linux: ip neighbor, arp tables management
ARP poisoning Theory
ARP Poisoning
Weaknesses:
- ARP does not involve any authentication mechanism
- Many OSes accept unsolicited ARP replies
How:
- Spoof ARP replies
- Spoof an ICMP packet to solicit an ARP request, then spoof the ARP reply (against smart OS)
This attack is safer in a switched LAN, where only the victims see the ARP replies, rather than on a HUB.
ARP poisoning
[Figure: a SWITCH connecting STA1 (10.0.0.1, 00:00:00:00:00:11), STA2 (10.0.0.2, 00:00:00:00:00:22), STA3 (10.0.0.3, 00:00:00:00:00:33) and a station with MAC 00:00:00:00:00:44 announcing "I'm 10.0.0.1"]
ARP poisoning

Destination MAC Address   IP address
00:00:00:00:00:44         10.0.0.1
00:00:00:00:00:33         10.0.0.3

[Figure: the same SWITCH, STA1 (10.0.0.1, 00:00:00:00:00:11), STA2 (10.0.0.2, 00:00:00:00:00:22), STA3 (10.0.0.3, 00:00:00:00:00:33) and the station with MAC 00:00:00:00:00:44]
ARP poisoning Practice
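Detection logic for the two weaknesses listed in the theory slide, run over constructed ARP events that use the stations from the figure (added example, not part of the original slides). The event tuple layout, function name and alert names are assumptions.

```python
def detect_arp_anomalies(events):
    """events: (op, sender_mac, sender_ip, target_ip) tuples in capture order.

    Returns alerts as (event_index, kind, ip, detail). Alerts are leads to
    investigate: gratuitous ARP and address changes can be legitimate.
    """
    bindings = {}    # ip -> MAC learned from earlier requests and replies
    pending = set()  # IPs somebody has asked for and nobody has answered yet
    alerts = []
    for i, (op, smac, sip, tip) in enumerate(events):
        if op == "request":
            pending.add(tip)
        elif sip in pending:
            pending.discard(sip)  # reply to an outstanding request
        else:
            alerts.append((i, "unsolicited-reply", sip, smac))
        known = bindings.get(sip)
        if known is not None and known != smac:
            alerts.append((i, "binding-changed", sip, f"{known} -> {smac}"))
        bindings[sip] = smac  # requests carry the requestor's pair too
    return alerts


# Constructed events; addresses are those shown in the slides' figure.
STA1 = ("00:00:00:00:00:11", "10.0.0.1")
STA3 = ("00:00:00:00:00:33", "10.0.0.3")
CONSTRUCTED_EVENTS = [
    ("request", STA1[0], STA1[1], STA3[1]),  # STA1 asks who has 10.0.0.3
    ("reply", STA3[0], STA3[1], STA1[1]),    # STA3 answers
    # Nobody asked for 10.0.0.1, yet :44 announces "I'm 10.0.0.1"
    ("reply", "00:00:00:00:00:44", "10.0.0.1", "10.0.0.3"),
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(CONSTRUCTED_EVENTS):
        print(alert)
```

The binding-changed check does not depend on the reply being unsolicited, so it still fires when the request was provoked first, as in the ICMP variant listed under "How".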