Subsection 4.2.1 IP
IP stands for internet protocol, and it was devised to allow creating a network of networks. The network of networks that primarily uses it is the Internet, although IP can be used in other scenarios as well. IP is largely concerned with routing traffic across and to networks. The protocol was first detailed by the IEEE in 1974 and comes from the Advanced Research Projects Agency Network (ARPANET) project, which created the first large packet-switched network.
Most people are familiar with IP addresses, the unique number given to a host participating in an IP network. Currently there are two main versions of the IP protocol, IPv4 and IPv6, and one of the major differences is how many IP addresses are available. IPv4 supports 32-bit addresses and IPv6 supports 128-bit addresses. To give an idea of how big a change that is: we have currently allocated all possible IPv4 addresses, but with IPv6 we could give an address to every grain of sand on the beaches of Earth and still not run out.
Example 4.2.1. IPv6 Security Implications
From a security standpoint, the way addresses are used in IPv4 vs. IPv6 has big consequences. Since there aren’t enough IPv4 addresses, a typical internet user is assigned a local address that gets translated to an external IPv4 address when their packets are routed through their router. This is referred to as Network Address Translation (NAT) and is usually handled by an all-in-one device that also makes sure external entities cannot connect to the internal network.
With IPv6 addresses, each host on that same internal network can be given an external IPv6 address. A basic IPv6 router may simply pass the packets to the network without blocking connections to the internal network. If the machines are not hardened, or a firewall is not put in place and enabled, the machines could be subject to attack.
As a computer security specialist it is important to test not only IPv4 connectivity but also IPv6, to ensure that your network is configured appropriately.
Subsection 4.2.2 ICMP
Internet Control Message Protocol (ICMP) is largely used to send messages between systems when IP doesn’t work. For example, let’s say we tried to connect to a host but our router doesn’t know how to get there. Our router can send us an ICMP Destination Unreachable message to let us know that something is going wrong. Because ICMP messages work at the network layer, we will receive this message even if there is an issue with the internet layer.
The most common use for ICMP is the ping command. ping sends an ICMP echo request to check whether a host is up. If the host responds to the request with the data included in the request, we can assume that the host is up and functioning.
ICMP is also used by the traceroute command. traceroute incrementally increases the Time To Live (TTL) field of ICMP packets and watches for TTL Exceeded messages to determine what route packets are taking to get to a host. Example traceroute output is shown below:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 ryan.njitdm.campus.njit.edu (172.24.80.1) 0.217 ms 0.200 ms 0.252 ms
2 ROOter.lan (192.168.2.1) 5.790 ms 5.765 ms 6.275 ms
3 * * *
4 B4307.NWRKNJ-LCR-21.verizon-gni.net (130.81.27.166) 19.166 ms 19.144 ms 21.097 ms
5 * * *
6 0.ae1.GW7.EWR6.ALTER.NET (140.222.2.227) 12.376 ms 14.634 ms 0.ae2.GW7.EWR6.ALTER.NET (140.222.2.229) 9.805 ms
7 209.85.149.208 (209.85.149.208) 9.782 ms 10.331 ms 9.192 ms
8 * * *
9 dns.google (8.8.8.8) 11.313 ms 9.761 ms 9.758 ms
Despite the usefulness of ICMP, ICMP packets from external sources are often ignored. Network engineers use ICMP to troubleshoot their own networks, but it would be a security issue to allow outside parties to do the same. As such, do not expect all external hosts to respond to pings. They may still be up, but you’ll need to figure out another way to detect them.
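To make the traceroute mechanism and the filtering caveat concrete, here is an added parser (not part of the original text or of the traceroute tool) for the output format shown above. It maps each TTL to the routers that answered with TTL Exceeded, flags hops where every probe went unanswered (the silent ICMP behaviour the paragraph above warns about), and flags hops where probes were answered by more than one router, as happened at hop 6. The sample is the run shown above, embedded inline so the code runs offline.

```python
import re

# The traceroute run shown above, embedded inline so the parser can be run offline.
SAMPLE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  ryan.njitdm.campus.njit.edu (172.24.80.1)  0.217 ms  0.200 ms  0.252 ms
 2  ROOter.lan (192.168.2.1)  5.790 ms  5.765 ms  6.275 ms
 3  * * *
 4  B4307.NWRKNJ-LCR-21.verizon-gni.net (130.81.27.166)  19.166 ms  19.144 ms  21.097 ms
 5  * * *
 6  0.ae1.GW7.EWR6.ALTER.NET (140.222.2.227)  12.376 ms  14.634 ms 0.ae2.GW7.EWR6.ALTER.NET (140.222.2.229)  9.805 ms
 7  209.85.149.208 (209.85.149.208)  9.782 ms  10.331 ms  9.192 ms
 8  * * *
 9  dns.google (8.8.8.8)  11.313 ms  9.761 ms  9.758 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                    # "<ttl>  <probe results>"
TOKEN_RE = re.compile(r"(\S+)\s+\((\d+(?:\.\d+){3})\)"        # "host (a.b.c.d)" responder
                      r"|([\d.]+)\s+ms"                       # one probe's round-trip time
                      r"|(\*)")                               # probe got no reply

def parse_traceroute(text):
    """Map each TTL to its probe results: a list of (responder_ip, rtt_ms),
    with (None, None) for a probe whose TTL Exceeded reply never arrived."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:            # skips the "traceroute to ..." header line
            continue
        probes, current = [], None
        for _host, ip, rtt, star in TOKEN_RE.findall(m.group(2)):
            if ip:           # a new responder; RTTs that follow belong to it
                current = ip
            elif rtt:
                probes.append((current, float(rtt)))
            elif star:
                probes.append((None, None))
        hops[int(m.group(1))] = probes
    return hops

def silent_hops(hops):
    """TTLs at which no probe was answered: a router that drops or does not
    generate ICMP, which is the behaviour the text says to expect from outside."""
    return [ttl for ttl, probes in hops.items() if all(ip is None for ip, _ in probes)]

def multi_path_hops(hops):
    """TTLs answered by more than one router, i.e. probes took different paths."""
    return [ttl for ttl, probes in hops.items()
            if len({ip for ip, _ in probes if ip}) > 1]
```

A silent hop is not evidence that the path is broken: the final hop still answered, so the router at that TTL simply did not send TTL Exceeded.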