# TCP/IP: The Language Of The Internet

TCP/IP (Transmission Control Protocol/Internet Protocol) is the "language" of the Internet. Anything that can learn to "speak TCP/IP" can play on the Internet. This functionality lives at the Network (IP) and Transport (TCP) layers of the ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that use the network.

## Open Design

One of the most important features of TCP/IP isn't a technological one: the protocol is an "open" protocol, and anyone who wishes to implement it may do so freely. Engineers and scientists from all over the world participate in the IETF (Internet Engineering Task Force) working groups that design the protocols that make the Internet work. Their time is typically donated by their companies, and the result is work that benefits everyone.

# IP

As noted, IP is a "network layer" protocol. This is the layer that allows hosts to actually "talk" to each other. Its responsibilities include carrying datagrams, mapping an Internet address (such as 10.2.3.4) to a physical network address (such as 08:00:69:0a:ca:8f), and routing, which makes sure that every device with Internet connectivity can find a path to every other.

## Understanding IP

IP has a number of very important features which make it an extremely robust and flexible protocol. For our purposes, though, we're going to focus on the security of IP, or more specifically, the lack thereof.

# Attacks Against IP

A number of attacks against IP are possible. Typically, these exploit the fact that IP does not provide a robust mechanism for authentication, which is proving that a packet came from where it claims it did. A packet simply claims to originate from a given address, and there isn't a way to be sure that the host that sent the packet is telling the truth. This isn't necessarily a weakness, per se, but it is an important point, because it means that the facility of host authentication has to be provided at a higher layer of the ISO/OSI Reference Model. Today, applications that require strong host authentication (such as cryptographic applications) do this at the application layer.

## IP Spoofing

This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) define which packets may and which packets may not pass based on the sender's IP address, this is a useful technique to an attacker: he can send packets to a host, perhaps causing it to take some sort of action.
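The two preceding sections make one point: the IP header carries a source address and a checksum, but nothing that ties the address to the real sender. The following example is added here and is not code from the original text; it parses a minimal IPv4 header, verifies the RFC 791 checksum (which detects corruption but says nothing about origin, since any sender can compute it), and then applies the standard defensive response to spoofing at a network border, a BCP 38 style ingress filter that drops packets arriving on the outside interface while claiming an inside source. The site prefix `10.2.0.0/16`, the interface names `wan0` and `lan0`, and the packets built by `build_ipv4_header` are all constructed for the example.

```python
import ipaddress
import struct

# Constructed example topology (not from the original text): the site owns
# 10.2.0.0/16 and its border router's outside interface is called "wan0".
INTERNAL_NET = ipaddress.ip_network("10.2.0.0/16")
EXTERNAL_IF = "wan0"

HEADER_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0, proto: int = 6) -> bytes:
    """Pack a minimal IPv4 header; used here only to construct test input."""
    fields = struct.pack(HEADER_FMT,
                         (4 << 4) | 5,      # version 4, IHL 5 (20 bytes)
                         0,                 # TOS
                         20 + payload_len,  # total length
                         0x1234,            # identification (constructed value)
                         0,                 # flags / fragment offset
                         64,                # TTL
                         proto,             # 6 = TCP
                         0,                 # checksum placeholder
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    csum = struct.pack("!H", ipv4_checksum(fields))
    return fields[:10] + csum + fields[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header fields and verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack(HEADER_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        # A correct checksum only shows the header was not corrupted in
        # transit; any sender can compute it, so it proves nothing about origin.
        "checksum_ok": len(pkt) >= ihl and ipv4_checksum(pkt[:ihl]) == 0,
    }


def ingress_filter(pkt: bytes, arrived_on: str) -> str:
    """BCP 38 style rule: drop outside traffic that claims an inside source."""
    hdr = parse_ipv4_header(pkt)
    if hdr["version"] != 4 or hdr["ihl"] < 20 or not hdr["checksum_ok"]:
        return "drop: malformed header"
    src = ipaddress.ip_address(hdr["src"])
    if arrived_on == EXTERNAL_IF and src in INTERNAL_NET:
        return f"drop: source {src} cannot legitimately arrive on {arrived_on}"
    return "accept"


if __name__ == "__main__":
    pkt = build_ipv4_header("10.2.3.4", "198.51.100.7")
    print(parse_ipv4_header(pkt))
    print(ingress_filter(pkt, "wan0"))   # inside address arriving from outside
    print(ingress_filter(pkt, "lan0"))   # same packet seen on the inside interface
```

The same header is accepted on `lan0` and dropped on `wan0`: the filter never decides whether the address is "true", only whether it is plausible on that interface, which is exactly the limited assurance a network layer without authentication can give.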

## IP Session Hijacking

This is a relatively sophisticated attack, first described by Steve Bellovin. It is very dangerous, however, because toolkits are now available in the underground community that allow otherwise unskilled bad-guy-wannabes to perpetrate it. IP session hijacking is an attack whereby a user's session is taken over and placed under the attacker's control. If the user was in the middle of reading email, the attacker is looking at the email, and can then execute any commands he wishes as the attacked user. The attacked user simply sees his session dropped, and may simply log in again, perhaps not even noticing that the attacker is still logged in and doing things.

For the description of the attack, let's return to our large network of networks in Figure 4. In this attack, a user on host A is carrying on a session with host G. Perhaps this is a telnet session, where the user is reading his email, or using a Unix shell account from home. Somewhere in the network between A and G sits host H, which is run by a naughty person. The naughty person on host H watches the traffic between A and G, and runs a tool which starts to impersonate A to G, and at the same time tells A to shut up, perhaps trying to convince it that G is no longer on the net (which might happen in the event of a crash, or major network outage). After a few seconds of this, if the attack is successful, the naughty person has "hijacked" the session of our user. Anything that the user can do legitimately can now be done by the attacker, illegitimately. As far as G knows, nothing has happened.

This can be solved by replacing standard telnet-type applications with encrypted versions of the same thing. In this case, the attacker can still take over the session, but he'll see only "gibberish" because the session is encrypted. The attacker will not have the needed cryptographic key(s) to decrypt the data stream from G, and will, therefore, be unable to do anything with the session.
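The defence above rests on a key that A and G share and H does not. The following example is added here and is not code from the original text; it shows the key-dependent half of that protection with standard-library HMAC-SHA256 rather than a full encrypted transport (it authenticates each segment but does not hide its contents, so it is the origin-checking part of what SSH or TLS provide, not a replacement for them). Every segment is `seq || payload || HMAC(key, seq || payload)`; `simulate_hijack_attempt` replays the A/G/H scenario in memory and records that G accepts A's segments, rejects a segment H builds under a key of its own, and rejects a replayed copy of A's genuine segment. The session key, the segment format and the payloads are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

SEQ_LEN = 8     # 64-bit sequence number prefix
TAG_LEN = 32    # HMAC-SHA256 output length


class ProtectedSession:
    """One direction of a session whose segments are seq || payload || HMAC(key, seq || payload).

    The key is known only to the two legitimate endpoints; in practice it comes
    from a key exchange such as the ones SSH or TLS perform. Constructed example."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0   # next sequence number this side will emit
        self.recv_seq = 0   # next sequence number this side expects

    def _tag(self, header: bytes, payload: bytes) -> bytes:
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack("!Q", self.send_seq)
        self.send_seq += 1
        return header + payload + self._tag(header, payload)

    def open(self, segment: bytes) -> bytes:
        """Return the payload, or raise ValueError if the segment cannot be trusted."""
        if len(segment) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated segment")
        header = segment[:SEQ_LEN]
        payload = segment[SEQ_LEN:-TAG_LEN]
        tag = segment[-TAG_LEN:]
        # Constant-time compare: a forged or modified segment fails here,
        # because producing a valid tag requires the session key.
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            raise ValueError("bad tag: not produced with the session key")
        (seq,) = struct.unpack("!Q", header)
        # A replayed copy of an old segment carries a valid tag but a stale number.
        if seq != self.recv_seq:
            raise ValueError(f"expected seq {self.recv_seq}, got {seq}")
        self.recv_seq += 1
        return payload


def simulate_hijack_attempt() -> dict:
    """Run the A/G/H scenario in memory and record how G treats each segment."""
    key = os.urandom(32)                       # shared by A and G only
    a_to_g = ProtectedSession(key)             # A's sending state
    g_from_a = ProtectedSession(key)           # G's receiving state
    h = ProtectedSession(os.urandom(32))       # H never learns A's key

    results = {}
    legit = a_to_g.seal(b"ls -l mail/")
    results["legitimate"] = g_from_a.open(legit)

    # H impersonates A with a segment built under a key that is not the session's.
    forged = h.seal(b"echo injected")
    try:
        g_from_a.open(forged)
        results["forged"] = "accepted"
    except ValueError as err:
        results["forged"] = f"rejected ({err})"

    # H replays A's earlier, genuinely tagged segment.
    try:
        g_from_a.open(legit)
        results["replayed"] = "accepted"
    except ValueError as err:
        results["replayed"] = f"rejected ({err})"

    # A's next real segment still goes through.
    results["next_legitimate"] = g_from_a.open(a_to_g.seal(b"exit"))
    return results


if __name__ == "__main__":
    for name, outcome in simulate_hijack_attempt().items():
        print(f"{name:16} {outcome}")
```

Note what the sequence number adds: without it, H could not forge new commands but could still replay A's old ones, which is why real session protocols bind a counter or nonce into the authenticated data as well as encrypting it.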

# TCP

TCP is a transport-layer protocol. It needs to sit on top of a network-layer protocol, and was designed to ride atop IP. (Just as IP was designed to carry, among other things, TCP packets.) Because TCP and IP were designed together, and wherever you have one you typically have the other, the entire suite of Internet protocols is known collectively as "TCP/IP." TCP itself has a number of important features that we'll cover briefly.

## Guaranteed Packet Delivery

Probably the most important is guaranteed packet delivery. Host A sending packets to host B expects to get acknowledgments back for each packet. If B does not send an acknowledgment within a specified amount of time, A will resend the packet.
Applications on host B will expect a data stream from a TCP session to be complete, and in order. As noted, if a packet is missing, it will be resent by A, and if packets arrive out of order, B will arrange them in proper order before passing the data to the requesting application.

This is well suited to a number of applications, such as a telnet session. A user wants to be sure every keystroke is received by the remote host, and that it gets every packet sent back, even if this means occasional slight delays in responsiveness while a lost packet is resent, or while out-of-order packets are rearranged.
It is not well suited to other applications, such as streaming audio or video, however. In these, it doesn't really matter if a packet is lost (a lost packet in a stream of 100 won't be distinguishable), but it does matter if packets arrive late (i.e., because a host is resending a packet presumed lost), since the data stream will be paused while the lost packet is being resent. Once the lost packet is received, it will be put in the proper slot in the data stream, and then passed up to the application.
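The retransmit-and-reorder behaviour described in this section, and the delay it imposes on everything queued behind a lost packet, can be watched in a small simulation. The following example is added here and is not code from the original text: a sender keeps each segment until a cumulative acknowledgment covers it and, on each timeout, resends everything still unacknowledged (go-back-N style, a simplification of what real TCP does); a receiver holds out-of-order segments and delivers bytes to the application only once the stream is contiguous. `transfer` drives both over a constructed network that loses or reorders specific segments, and records in which round each segment finally reached the application. The stream, the segment size and the loss pattern are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # stream offset of the first payload byte
    data: bytes


class ReliableReceiver:
    """Host B: rebuilds an in-order byte stream from segments that may be lost,
    duplicated, or delivered out of order."""

    def __init__(self):
        self.next_seq = 0           # first byte not yet handed to the application
        self.pending = {}           # out-of-order segments, held until the gap closes
        self.delivered = bytearray()
        self.delivery_round = {}    # seq -> round in which that segment reached the app

    def receive(self, seg: Segment, now: int) -> int:
        """Buffer or deliver a segment; return the cumulative ACK (next byte expected)."""
        if seg.seq >= self.next_seq:
            self.pending.setdefault(seg.seq, seg.data)
        # Anything before next_seq is a duplicate and is simply re-acknowledged.
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.delivered += data
            self.delivery_round[self.next_seq] = now
            self.next_seq += len(data)
        return self.next_seq


class ReliableSender:
    """Host A: keeps every segment until a cumulative ACK covers it."""

    def __init__(self, stream: bytes, mss: int = 4):
        self.segments = [Segment(i, stream[i:i + mss]) for i in range(0, len(stream), mss)]
        self.acked = 0
        self.retransmissions = 0

    def unacked(self) -> list:
        return [s for s in self.segments if s.seq >= self.acked]

    def note_ack(self, ack: int) -> None:
        self.acked = max(self.acked, ack)


def transfer(stream: bytes, drops: set, reverse_first_round: bool = False,
             max_rounds: int = 10) -> tuple:
    """Simulate one transfer. `drops` holds (seq, attempt) pairs the network loses,
    e.g. {(4, 1)} loses the first copy of the segment at offset 4. Each round stands
    for one retransmission timeout; returns (data, rounds, retransmissions, delivery_round)."""
    sender, receiver = ReliableSender(stream), ReliableReceiver()
    attempts = {}
    rounds = 0
    while sender.acked < len(stream):
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("peer unreachable: gave up after retries")
        batch = sender.unacked()
        if rounds > 1:
            sender.retransmissions += len(batch)
        if reverse_first_round and rounds == 1:
            batch = batch[::-1]               # the network reorders the first flight
        for seg in batch:
            attempts[seg.seq] = attempts.get(seg.seq, 0) + 1
            if (seg.seq, attempts[seg.seq]) in drops:
                continue                      # lost in transit: no ACK comes back
            sender.note_ack(receiver.receive(seg, now=rounds))
    return bytes(receiver.delivered), rounds, sender.retransmissions, receiver.delivery_round


if __name__ == "__main__":
    data, rounds, retx, when = transfer(b"the quick brown fox", drops={(4, 1)})
    print(data, rounds, retx, when)
```

With the first copy of the segment at offset 4 lost, the segments at 8, 12 and 16 arrive in round 1 but are not delivered until round 2, after the retransmission fills the gap: that stall is exactly the head-of-line delay the text says makes TCP a poor fit for streaming audio or video, where a late packet is worse than a missing one.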

# UDP

UDP (User Datagram Protocol) is a simple transport-layer protocol. It does not provide the same features as TCP, and is thus considered "unreliable." Again, although this makes it unsuitable for some applications, it is a much better fit for others than the more reliable and robust TCP.