- The internetwork address of a machine.
- It is universally unique (for a local network, the universe is the small local network).
- It is implemented in software.
- IP address is the logical address in TCP/IP protocol suite.
Physical Address:
- At physical level, a host or a router is recognized by its Physical address
- Physical address is useful only in local network.
- It has to be unique locally but doesn't need to be unique universally.
- It is usually (but not always) implemented in HARDWARE.
- MAC address is a physical address.
Static Mapping:
- Create a table containing the IP-to-MAC address mapping.
- Table is stored on each machine on the network.
- Limitation: Physical address of a machine may change for many reasons.
- Limitation: Static mapped table has to be updated periodically.
Dynamic Mapping:
- Using ARP, RARP to find either the IP or the MAC address of a machine.
ARP (Address Resolution Protocol)
- If the sender has the IP address of a local host and needs to know its physical address to send a packet on the local network, it uses ARP.
- ARP is used for dynamic mapping.
- Maps LOGICAL ADDRESS to PHYSICAL ADDRESS.
- The ARP packet contains the (IP, MAC) of the sender and the (IP) of the receiver, and is sent to the BROADCAST address FF:FF:FF:FF:FF:FF (all 1s).
- All hosts receive the packet but only the intended recipient recognizes the IP address and sends back an ARP Response Packet. The response is UNICAST only to the ENQUIRER.
- ARP request is Broadcast & ARP response is UNICAST.
RARP (Reverse Address Resolution Protocol)
- Dynamically maps PHYSICAL ADDRESS to LOGICAL ADDRESS.
- When a DISKLESS machine wants to get its OWN LOGICAL address after a reboot, it sends a RARP request to the BROADCAST address FF:FF:FF:FF:FF:FF (all 1s).
- Response is sent by the RARP SERVER as UNICAST.
- Alternatives to RARP: BOOTP & DHCP (these also provide additional info such as the subnet mask).
- RARP Server does not provide info like subnet mask, which is required by a diskless host.
What is ARP Spoofing?
- ARP spoofing or ARP cache poisoning is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.
- The aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
- The attack can only be used on networks that use the Address Resolution Protocol.
- ARP Spoofing can be used for DoS & MITM attacks.
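A detection-side illustration of the conflicting (IP, MAC) claims described above. This is an added example, not part of the original notes: it parses Ethernet/IPv4 ARP frames and flags a reply that no request asked for and an IP whose claimed MAC changes. The helper names, addresses and sample frames are constructed for the example.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_frame(op, sha, spa, tha, tpa, eth_dst):
    """Constructed test input: Ethernet header + ARP body (never sent anywhere)."""
    eth = _mac(eth_dst) + _mac(sha) + struct.pack("!H", 0x0806)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                             _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return op, sha.hex(":"), dotted(spa), dotted(tpa)

def detect(frames):
    """Flag replies nobody asked for and IPs whose claimed MAC changes."""
    bindings, asked, alerts = {}, set(), []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tpa = parsed
        if op == 1:
            asked.add((spa, tpa))          # requester spa is waiting for tpa
        elif op == 2 and (tpa, spa) not in asked:
            alerts.append((n, "unsolicited-reply", spa, sha))
        elif op == 2:
            asked.discard((tpa, spa))      # request answered
        if bindings.setdefault(spa, sha) != sha:
            alerts.append((n, "mapping-changed", spa, sha))
    return alerts

HOST, GW, ROGUE = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [  # constructed frames: request, genuine reply, conflicting reply
    build_frame(1, HOST, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1", "ff:ff:ff:ff:ff:ff"),
    build_frame(2, GW, "192.168.1.1", HOST, "192.168.1.10", HOST),
    build_frame(2, ROGUE, "192.168.1.1", HOST, "192.168.1.10", HOST),
]
```

Legitimate gratuitous ARP announcements also show up as unsolicited replies, so that alert is a signal to correlate with a mapping change rather than proof on its own.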
Prevention?
- Connection-less, unreliable, best-effort delivery service.
- Provides addressing and routing capabilities for each data packet.
- Used as transmission mechanism by TCP/IP Protocol.
- Data is packed in a Datagram
- Datagrams can take different routes and arrive out of order.
- Datagrams might be duplicated.
- Doesn't keep track of route.
- Doesn't order the packets.
ICMP: INTERNET CONTROL MESSAGE PROTOCOL
- IP protocol lacks the ability to report errors & to check if a particular host is alive.
- ICMP compensates for the lack of error control & query facilities in IP protocol.
- ICMP is a companion of IP protocol.
- ICMP protocol is a Transport layer protocol, but its packets are not directly sent to the Data Link Layer. They are first encapsulated INSIDE an IP datagram.
ICMP Error Reporting
- ICMP always reports errors to the original Source ONLY.
- An ICMP error message will NEVER be answered with another ICMP error message.
- ICMP error message is NOT generated for a datagram with MULTICAST Address.
- ICMP error message will NOT be generated for a special IP address (127.0.0.1, 0.0.0.0).
- Destination Unreachable: ICMP message is generated in response to an unreachable destination (host, protocol or port).
- Source Quench: ICMP message is generated if there is congestion at the router or destination, slow down babe! (Sender)
- Time Exceeded
- Parameter Problem (ambiguity or missing field in datagram)
- Redirection: A host's (non-router) routing table is updated statically. A method of updating the routing table is to send the packet to the wrong router. It will be redirected to the correct router and an ICMP message will be sent to the host to update its routing table.
ICMP for Diagnostic purposes
Echo-request & echo-reply ICMP messages:
- Used to check if the host is able to communicate with the destination host or router.
- Used to check if intermediate routers are working.
- Used to check if IP protocols on source & destination are working properly.
- Echo-request is sent by the Sender.
- Echo-reply is sent by the destination.
Time stamp request & time-stamp reply ICMP messages:
- Used to calculate the round-trip time between source & destination even if their clocks are not synchronized.
Address mask request & Reply ICMP messages:
- Used to find out host's own address mask from a router.
- May be used in combination with RARP (to find the IP) in case of diskless hosts.
How does Ping work? PING: Packet Internet Groper command.
- Ping is a network utility which can generate a series of ICMP echo-request & echo-reply messages to test the reachability of a host.
- It also provides statistical information about round-trip time by sending its own time stamp in the optional data section of the ICMP echo-request & echo-reply message.
- The Ping program has to be stopped using CTRL+C, otherwise it keeps running.
- Ping prints TTL, packet loss, number of packets sent, number of packets received etc.
- TTL part of the Ping command = maximum number of hops allowed
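The echo-request / echo-reply exchange with a time stamp in the data section, as an added example that is not part of the original notes. It builds both messages as bytes with the Internet checksum, verifies them on receipt and derives the round-trip time; the function names, identifier and time values are assumptions made for the example, and nothing is sent on a network.

```python
import struct

def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, sent_at):
    """Type 8 = echo-request, type 0 = echo-reply; the data section carries the send time."""
    payload = struct.pack("!d", sent_at)
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(msg):
    """Verify the checksum, then return (type, ident, seq, sent_at)."""
    if len(msg) < 16 or checksum(msg) != 0:
        raise ValueError("truncated or corrupted ICMP message")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    (sent_at,) = struct.unpack("!d", msg[8:16])
    return icmp_type, ident, seq, sent_at

def echo_reply_for(request):
    """What the destination does: copy identifier, sequence and data back as type 0."""
    _type, ident, seq, sent_at = parse_echo(request)
    return build_echo(0, ident, seq, sent_at)

def rtt_ms(reply, ident, seq, received_at):
    """Round-trip time in ms, or None if the reply does not match our request."""
    icmp_type, r_ident, r_seq, sent_at = parse_echo(reply)
    if icmp_type != 0 or (r_ident, r_seq) != (ident, seq):
        return None
    return (received_at - sent_at) * 1000.0
```

Because the reply echoes the sender's own time stamp, only the sender's clock is involved in the subtraction.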
How does traceroute (UNIX) work?
- Traceroute is used to trace the route of a packet from source to destination.
- Traceroute uses two error messages - TIME EXCEEDED & Destination Unreachable
- Traceroute program sends an IP packet using UDP (destined to the wrong port).
- The TTL of the IP packet is incrementally set to 1,2,3,4,5 until the destination is reached.
- Each router on the path to the destination will decrement the TTL, and whenever the TTL reaches 0 the router will send back an ICMP "Time Exceeded" error message along with its own IP address.
- Traceroute also calculates the round-trip time for each of these intermediate routers.
- In each of these messages the UDP packet is sent to a port that is not supported by UDP. When the packet reaches the destination and TTL=0 it WILL NOT throw a "Time exceeded" error. However, the destination host sends an ICMP "Destination Unreachable" packet, because the port number is wrong. This error message indicates that the destination has been reached.
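The traceroute procedure above, run against a simulated path (an added example, not part of the original notes). It goes slightly beyond the text by using the fact that an ICMP error quotes the offending IP header plus 8 bytes, which lets the tracer match each error to its probe by UDP destination port. The path addresses, source address and function names are constructed; 33434 is the conventional traceroute base port.

```python
import struct

TIME_EXCEEDED, DEST_UNREACH, PORT_UNREACH = 11, 3, 3

def udp_probe(src, dst, ttl, dport):
    """Minimal IPv4 header (no options, checksums left 0) + UDP header, as bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, 17, 0, bytes(src), bytes(dst))
    return ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def icmp_error(icmp_type, code, offending):
    """ICMP error: type, code, checksum (0 here), 4 unused bytes, quoted IP header + 8 bytes."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]

def network(path, probe):
    """Simulated path: each router decrements the TTL; returns (responder, icmp_bytes)."""
    ttl = probe[8]                       # TTL is byte 8 of the IPv4 header
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return router, icmp_error(TIME_EXCEEDED, 0, probe)
    # Destination reached: nothing listens on the port, so it reports port unreachable.
    return path[-1], icmp_error(DEST_UNREACH, PORT_UNREACH, probe)

def trace(path, max_hops=30, base_port=33434):
    src, dst, hops = (10, 0, 0, 2), path[-1], []
    for ttl in range(1, max_hops + 1):
        dport = base_port + ttl          # unique port per probe
        responder, msg = network(path, udp_probe(src, dst, ttl, dport))
        icmp_type, code = msg[0], msg[1]
        quoted_dport = struct.unpack("!H", msg[30:32])[0]  # 8 ICMP + 20 IP + 2 sport
        if quoted_dport != dport:
            continue                     # error refers to some other datagram
        hops.append((ttl, ".".join(map(str, responder)), icmp_type))
        if (icmp_type, code) == (DEST_UNREACH, PORT_UNREACH):
            break                        # destination reached
    return hops

SAMPLE_PATH = [(10, 0, 0, 1), (172, 16, 0, 1), (203, 0, 113, 9)]  # constructed hops
```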