What is paris traceroute?
finds the different possible routes that result from load balancing along the path
-> varies header fields that lie within the first 28 octets…
=> TCP: sequence number
=> UDP: checksum field (requires manipulation of the payload to keep the checksum correct…)
=> ICMP: combination of ICMP identifier and sequence number…
=> but still fails on per-packet load balancing…
What was the basic task of the network layer?
forward IP datagrams to destination IP subnet/host/interface
-> use IP address as locator and identifier
network part and host part
What steps are there in IP datagram delivery?
use the network prefix to deliver the IP packet to the right network
once the network is reached, use the L3 address to deliver to the right interface
What protocols exist in the Network layer?
IP protocol
addressing conventions
packet format
packet handling conventions
routing protocols
path selection
RIP, OSPF, BGP
ICMP protocol
error reporting
router signaling
What is a subnet?
device interfaces with same subnet part of IP address
can physically reach each other without intervening router
What parts are there to an IP address?
network part -> addresses the network
host part -> addresses the interface of a host
What was the most notable fix to address space exhaustion (aside from IPv6)?
private addresses
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
How can one identify ICMP in an IP header?
TOS -> 0x00 for ICMP
Protocol -> 0x0001 for ICMP
Additional fields in the options
type
code
checksum
type-dependent part of header
data (optional)
What classes of ICMP messages are there?
Query messages
only kind of ICMP message that generates another ICMP message
error messages
contain the IP header and at least the first 8 bytes of the packet that caused the ICMP error to be generated
allows the receiving ICMP module to associate the message with a particular protocol and process (port number)
What is ping?
checks if a host is reachable / alive
uses ICMP echo request / reply
the reply copies the packet data of the request
What is traceroute?
allows following the path taken by a packet
sends UDP/TCP packets with increasing TTL to an (unlikely) port
ICMP replies: time exceeded; last ICMP message: port unreachable
Can traceroute change? How to avoid?
yes -> e.g. load balancing…
-> hash the packet headers and forward packets with the same hash value on the same path, so the same connection always takes the same path…
What further traceroute types exist?
yarrp
stateless
highly parallel
scamper
all in one tool
IPv4 and IPv6
built-in alias resolution tool
MDA
tries to identify all possible paths
crafts specific packets to find new paths
large overhead
MDA-lite
optimized MDA implementations
tradeoff between performance and completeness
Does ARP need any configuration?
no -> plug and play
What operation codes for ARP exist?
01: request
02: reply
03: reverse request
04: reverse reply (for RARP)
What is proxy arp?
Host or router responds to ARP Request that arrives from one of its connected networks for a host that is on another of its connected networks.
What are possible uses of Proxy ARP?
Transparent subnet gatewaying
Two LANs sharing same IP subnet, connected via router
Host joining LAN via dialup link
Dialup router employs Proxy ARP
Host joining LAN via VPN
Host separated via firewall
What optimizations were done to ARP?
build ARP tables that keep the IP-to-MAC mapping of already resolved addresses…
-> an ARP request is only sent in case there is no entry for the specific IP in the ARP table…
How to deal with hosts that change, with respect to ARP caches?
an expiration timer is associated with each entry in the ARP table
-> entry removed upon timer expiration
some implementations send an ARP request to revalidate before removing a table entry
some implementations remember when ARP table entries were used to avoid removing important entries…
What happens if an ARP request is made for a non-existing host?
Several ARP requests are made with increasing time intervals between requests
Eventually, ARP gives up
What are Gratuitous ARP Requests?
A host sends an ARP request for its own IP address
Useful for detecting if an IP address has already been assigned.
What vulnerabilities exist in ARP?
ARP requests and replies can be forged, as ARP does no authentication of requests and replies
ARP is stateless -> replies can be sent without a corresponding ARP request…
according to the protocol specification -> a node receiving an ARP packet must update its local ARP cache with the information in the sender fields, even if the node already has an entry for the sender's IP address in its ARP cache (applies to ARP request and reply packets)
What are typical ARP exploitations?
ARP poisoning
-> redirects IP traffic from/to hosts
can also be performed by hosts within a WPA2-protected WLAN
How are routing and forwarding connected?
routing -> changes the forwarding table
forwarding -> looks up the forwarding table