Knowledge of the structure of Internet Protocol (IP) packets is a fundamental part of understanding the Internet and how information moves from one point to another. The benefits of such knowledge extend to virtually all networking disciplines, not the least of which is intrusion detection. Rules-based intrusion-detection mechanisms, for example, can flag packets as suspicious if their structure mimics that of a known malicious string. While this is happening, another rule might cause an action in response to a packet that has no conceivable reason to exist, as when both the SYN and RST flags are set. There are many ways to probe and attack from within a packet, and the problem only gets worse as a network gets larger. The shotgun approach of enabling all possible Intrusion Detection Systems (IDS) rules is sure to fail in most environments, particularly when busy, high-speed circuits threaten to overtax IDS deployments that must decode every packet on the wire. In IP networks, bit-level expertise cannot be overvalued when you are designing solutions or choosing the most appropriate defense technologies.
The topic of this chapter—the structure and functions of TCP/IP—is uniquely appropriate in any discussion of intrusion-detection techniques. This chapter begins with a clarification of key terms and concepts, and then it discusses the genesis of current reference models that were introduced in the early 1980s. Following that is a detailed examination of TCP/IP, and the final section describes modern networking.
Key Terms and Concepts
It is important to clarify certain key terms that this chapter uses. Readers who know the standards that are under review by more than one name will see them here as TCP/IP and the OSI Model, which represent Transmission Control Protocol over Internet Protocol and Open Systems Interconnection, respectively. Because all the popular terms are essentially correct, it is best to declare this common ground before the details are discussed.
When reading technical information or preparing for a network-analysis effort, it helps to have certain issues and concepts in mind. These items serve that purpose regarding TCP/IP and the OSI Model:
All implementations are not created equal. Conforming to standards made by developers and manufacturers is practically voluntary.
In nearly all real-world cases, the OSI Model nomenclature is used in documents and discussions, regardless of the technology.
Although it can be made to work, communication between TCP/IP and the OSI Model systems can have undesirable effects, at least in the form of more difficult implementation.
Brief History of the Internet
The goal that was realized by the creation of this protocol mix, which is often called a “protocol stack,” is a means for open communication between disparate computers. The driving forces behind the Internet was the United States Department of Defense (DoD), specifically the Defense Advanced Research Projects Agency (DARPA), and two international organizations: the International Organization for Standardization (ISO) and the International Telecommunications Union (ITU).
DARPA began work on its network, ARPANET, in 1968, which went into full production in 1970. At the time, the protocol in use was the ARPANET Network Control Program (NCP) host-to-host protocol, and the first five nodes added belonged to Bolt, Beranek, and Newman (BBN); Stanford University; UCLA; UC Santa Barbara; and the University of Utah.
The number of nodes on ARPANET grew considerably over the next few years, which lead to various problems that were largely viewed as symptoms of technical limitations. In July 1980, the Office of the Secretary of Defense directed that a set of DoD standard protocols be used on all defense networks. The protocols have the following official designations:
RFC 791, Internet Protocol
RFC 793, Transmission Control Protocol
These are the most current RFC numbers and descriptions; the authoritative organization of the day was the Internet Configuration Control Board (ICCB), who designated the original releases as RFC 760, DoD Standard Internet Protocol and RFC 761, DoD Standard Transmission Control Protocol.
In the mid to late 1970s, the ITU and ISO were working independently to develop an open set of standards for network architectures. This presented significant challenges that DARPA did not encounter, which, by comparison, operated in a controlled environment. The ISO and ITU architects faced the daunting task of convincing equipment manufacturers to agree with each and every standard.
ISO and ITU established a positive vendor relationship with Honeywell Information Systems, which worked with the international teams. In 1984, the ITU and ISO teams merged their respective standards work into a single document, and much of the final product came from Honeywell engineers. The standards document was released under the umbrella name Open Systems Interconnection, which is now referred to as the OSI Reference Model (or simply the OSI Model). The cooperating international organizations designate the specification as follows:
ITU-T, X-Series Recommendation X.200
ISO 7498, Open Systems Interconnection, Basic Reference Model
The ARPANET transition to TCP/IP happened between October 1981 and October 1983. During this time, the protocols were intensely researched and scrutinized by their developers. The official release came on January 1, 1983, and the Internet was born. The headstart that was gained by the development period and 1983 release date is said to be the reason that TCP/IP is now the global standard for Internet communications. Now that you have an abridged knowledge of the history of the Internet it’s time to explore the OSI Model and TCP/IP.
Layered Protocols
Internet hosts communicate by using a special software mechanism called layers (or layered protocols). The OSI Model has seven layers, and TCP/IP has four.
Note - The depiction of layers might depend on which reference document is chosen as the authoritative model. Although most Internet Engineering Task Force (IETF) documents reference TCP/IP as having the four layers shown in Figure 1-1, RFC 1983, “Internet User’s Glossary,” lists the number of layers at five. Commercial documents also reflect this difference, but Cisco Systems, the current and long-standing leader in network technologies, teaches in CCENT/CCNA ICND1 Official Exam Certification Guide (Odom 2007) that TCP/IP has four layers.
Figure 1-1 makes it easy to understand why the world is comfortable with TCP/IP as the Internet standard protocol suite, but it still uses the OSI Model terms in documents and discussions. The end result is the same with both versions, but TCP/IP has an edge over the OSI Model in terms of simplicity. The Internet Society can divide TCP/IP into two areas of responsibility in support of developers and users: The lower three layers (link, Internet, and transport) are the communication layers, which focus on networking requirements, and the application layer covers host software. On the other hand, the OSI Model gives the technical community a clear set of terms for communication between humans. A minor point is the fact that many readers interpret Figure 1-1 to be based on “incorrect” names. For example, the link layer is also known as the access layer and media access layer.
TCP/IP and OSI Model comparison
As previously mentioned, OSI Model nomenclature is used in nearly all discussions and documents, even though TCP/IP is the Internet standard. Figure 1-1 shows that TCP/IP is at Layer 2 if the counting starts at the bottom and moves up; however, because it is functionally the same as the OSI Model network layer, referring to it as a Layer 3 protocol causes no problems.
Industry technical parlance involves specific names for data units in the context of the TCP/IP and OSI Model layers. For the data link layer, the term is frames, the network layer term is packets, and the transport layer term is segments. In the broader context of the Internet, a unit of data is called a datagram (or an IP datagram). This is a case of TCP/IP terminology being applied to the OSI Model layers, but it is technically accurate. Architects of the OSI Model devised a more elegant way to describe data chunks. OSI Model documents use the term Protocol Data Unit (PDU) for all units of data and, as a differentiator between layers, it simply uses the layer number as a prefix to PDU. As such, a TCP/IP Ethernet frame is an OSI Model Layer 2 PDU. Note that the word datagram is sometimes used interchangeably with PDU or packet in RFCs and commercial documents. Table 1-1 lists the TCP/IP and OSI Model layers and functions.
Table 1-1 OSI Model Layers
TCP/IP Layer | OSI Layer | Name | Function |
4 (commonly referred to as Layer 7) | 7 | Application | Facilitates communication services to user and network support applications. For example, the Simple Mail Transfer Protocol (SMTP) is a user application, and the Simple Network Management Protocol (SNMP) is a network-support application. |
6 | Presentation | Performs code conversion when data is represented by different codes, such as Extended Binary Coded Decimal Interchange Code (EBCDIC) and the American Standard Code for Information Interchange (ASCII). | |
5 | Session | Starts, controls, and ends communications sessions; manages full-duplex and half-duplex conversation flows. | |
3 (commonly referred to as Layer 4) | 4 | Transport | Connection-oriented; responsible for congestion control and error recovery; assembles long data streams into smaller segments at the sending host and reassembles at the receiving host (segmentation); reorders segments that are received out of order (resequencing). |
2 (commonly referred to as Layer 3) | 3 | Network | Provides logical addressing and end-to-end delivery of packets. IP is routed at this layer by routing protocols, such as Open Shortest Path First (OSPF) or Routing Information Protocol (RIP). |
1 (commonly referred to as Layer 2 with references to Layer 1) | 2 | Data Link | Places data into frames for transmission over a single link. Examples are Ethernet and Fiber Distributed Data Interface (FDDI). |
1 | Physical | Interface to the physical network infrastructure. Handles bit-level encoding and manages electrical characteristics of the circuit. |
Consider an analogy of what is required for a personal computer in Redmond, Washington, to converse with a mainframe computer in Armonk, New York:
The first, and most obvious, requirement is that both computers must be physically connected to a network that, in turn, has physical connectivity between the locations.
The computers need to be told that they can talk and decipher the communication that comes their way as being real or garbage (errors).
At least one of the computers in the conversation must know the address of the other computer and the wherewithal to initiate the data communication.
The data traffic might be heavy, so both computers need to know how to go with the flow and have their data arrive in one piece at the other end.
The participants must have the sense not to talk at the same time. They must know when to shut up!
Knowing that they are foreign to each other, an interpreter must be available.
The personal computer and mainframe can exchange information.
Disregarding that this analogy is fiction, the conversation became easier because traffic cops along the route did not spend time meeting all the same requirements. All they needed was physical connectivity, a common language for communication, and a list of recipient addresses that they could share.
The casual analogy of two computers that need to talk as people do describes a seven-layer communication model. Reality departs from such an analogy, mostly because of these details:
Same-layer interaction. The layered networking model has a peer-to-peer interaction between equal layers on different computers.
Adjacent-layer interaction. Layered networking involves an interaction between adjacent layers on the same computer.
The same-layer interaction is how each layer communicates its intended action to its peer on the receiving end of a connection. Adjacent-layer interaction involves attaching a PDU to a protocol header as it moves through the layers, which is a process called encapsulation. As its name implies, a header is at the front of the transmitted data and is the first thing that the receiving host interprets. It contains source and destination addresses, and it can include error checking or other fields. Figure 1-2 and Figure 1-3 show same-layer and adjacent-layer communications.
OSI Model same-layer and adjacent-layer interactions
TCP/IP same-layer and adjacent-layer interactions
An example using TCP/IP hosts shows how layered protocols enable communication. Assume that a host application program needs to send data to another host that is several hops away. Figure 1-4 illustrates the following steps:
