SY110: Intro to the TCP/IP Stack: Network Layer




Learning Outcomes

After completing these activities, you should be able to:



Introduction to the Network Layer

NIPRNet

The NIPRNet (pronounced nippernet) is the name for the DoD subset of the Internet that carries sensitive but UNCLASSIFIED data. Access to the NIPRNet is controlled in that all data crossing the NIPRNet/Internet boundary must pass through a DoD-owned router, and hosts on the NIPRNet resolve names using DNS servers operated by the DoD Network Information Center.

The NIPRNet (Non-secure Internet Protocol Routed Network) and classified DoD computer networks use the TCP/IP Stack that you are learning about. So, best practices from the Internet apply to DoD networks, but vulnerabilities from the Internet also apply. Ships and other warfighting platforms are connected to the NIPRNet and multiple classified networks through Internet Protocol (IP).

Layer 3 of the TCP/IP Stack, the Network Layer, is responsible for routing: the logical forwarding of packets across networks. The Network layer interconnects networks (internetworks) and expands on the concepts introduced by the ARPANET into the globally interconnected infrastructure known as the Internet. This layer is the IP part of TCP/IP; IP is the core protocol of the layer, one of several (ICMP, covered later in this lesson, is another) that allow different systems to internetwork.

Internet Protocol Addressing Overview

Internet Protocol (IP) address format. IP network addressing schemes serve as the foundation of computer networks. IP's ability to make logical decisions about the best path to a destination host anywhere in the world is the purpose of IP routing. An IPv4 address consists of four octets, each separated by a dot (dotted-decimal notation). We call these parts octets because 8 bits comprise each octet. Take an IP address that a USNA user on the Yard might have; let's say that 10.60.145.241 is the host IP address. Four octets is equivalent to four bytes, which is equivalent to a 32-bit address.

|   10   .   60   .   145  .   241  | ip address
|00001010 00111100 10010001 11110001| bits

Classful Networks. Initially specified in 1981 under RFC 791, the 32-bit IP addressing scheme seemed to provide an unlimited supply of addresses: 2^32, or 4,294,967,296 of them!! To provide an organizational breakdown for assigning groups of IP addresses to public and private entities, classful networks were developed. Categorized simply as A-E, classful networks give the largest blocks of IP addresses to Class A. How can we remember where one class ends and the next begins? Look at the binary of the IP address's first octet in this next table. Each class has a default subnet mask, which we explain next.

Network Class | IP Network Range            | First Octet Binary | Default Subnet Mask | Purpose
Class A       | 0.0.0.0 - 127.255.255.255   | 0xxxxxxx           | 255.0.0.0           | Assigned to large organizations
Class B       | 128.0.0.0 - 191.255.255.255 | 10xxxxxx           | 255.255.0.0         | Assigned to medium organizations
Class C       | 192.0.0.0 - 223.255.255.255 | 110xxxxx           | 255.255.255.0       | Assigned to small organizations
Class D       | 224.0.0.0 - 239.255.255.255 | 1110xxxx           | N/A                 | Multicast
Class E       | 240.0.0.0 - 255.255.255.255 | 1111xxxx           | N/A                 | Reserved

Subnet Masks. Every IP address assigned to a host has two parts, identified by a subnet mask: the network portion and the host portion. The subnet mask is like an IP address in that it consists of four octets. The subnet mask is unlike an IP address in that all the 1s are on the left (in the most significant part) and all the 0s are on the right. When aligned with an IP address, the subnet mask indicates the network portion of the IP address with 1s and the host portion of the IP address with 0s. Given the default subnet masks in the table above, you can imagine that as more network bits are allocated in Class B and C networks, the number of networks increases and the number of hosts decreases.

|  255   .   0    .   0    .   0    | Class A Subnet
|11111111 00000000 00000000 00000000| bits
|--NET---|---------- HOST ----------|

|  255   .  255   .   0    .   0    | Class B Subnet
|11111111 11111111 00000000 00000000| bits
|---- NETWORK ----|----- HOST ------|

|  255   .  255   .  255   .   0    | Class C Subnet
|11111111 11111111 11111111 00000000| bits
|-------- NETWORK ---------|- HOST -|
          
 
Class A:  Networks = 2^7  - 2 = 126         (we subtract 2 for the two reserved networks, 0 and 127)
          Hosts    = 2^24 - 2 = 16,777,214  (per Class A network)

Class B:  Networks = 2^14     = 16,384
          Hosts    = 2^16 - 2 = 65,534      (per Class B network)

Class C:  Networks = 2^21     = 2,097,152
          Hosts    = 2^8  - 2 = 254         (per Class C network)

There's no place like 127.0.0.1

The loopback network allows a host to test its own IP stack without touching a physical interface, and applications use the same loopback address to send data to other applications on the same system. Run netstat -an | findstr "127.0.0.1" within PowerShell to see the ports listening on the loopback address. Malware uses it the same way: components on a host can pass traffic over loopback (for example, to obfuscate it) before it leaves on an interface connected to a network, a technique documented with Maze ransomware.

Why are 0 and 127 in the first octet reserved (that is, not allowed to be assigned to a host)? Glad you noticed that! A host's IP stack needs a way to test itself when something is not working correctly, and a loopback address allows for a simple test. RFC 1122 reserves the entire 127 Class A network for this internal loopback, of which 127.0.0.1 is the address everyone uses; packets addressed there never leave the host. Network 0 is reserved as well: RFC 1122 defines 0.0.0.0 to mean "this host" on "this network," which is how a host that has no address yet (think DHCP, later in this lesson) can send packets at all. The world lost out on the potential for an additional 16,777,214 hosts to be connected to the Internet 🤔

Why do we subtract 2 from the number of hosts?

  1. The first address (all 0s in the host portion of the binary IP address) is not assignable to a host because it is the network address. The network address, along with the subnet mask (usually in CIDR notation), identifies the entire address space of an IP network. For example, 10.0.0.0/8 is shorthand for: 10.0.0.0 through 10.255.255.255 with the subnet mask 255.0.0.0.
  2. The last address (all 1s in the host portion of the binary IP address) is not assignable to a host because it is the broadcast address. A host will set the destination address of an IP packet to the broadcast address to send the packet to all hosts on the network. For example, 10.255.255.255 is the broadcast address of the 10.0.0.0/8 network.

Subnetting Math.

Subnetting involves the bitwise AND operation. Other bitwise operators include NOT, OR, and XOR; these are fundamental, low-cost computational techniques that require fewer resources than arithmetic operations. An example of each bitwise operator follows:

Logical NOT (negation): every bit is flipped, where (1 -> 0), (0 -> 1)
     NOT 1010 (dec 10)
       = 0101 (dec 5)

Logical AND: a bit is 1 only where both input bits are 1
  where (1 and 1 = 1), (1 and 0 = 0), (0 and 1 = 0), (0 and 0 = 0)
         1010 (dec 10)
     AND 1100 (dec 12)
       = 1000 (dec 8)

Logical inclusive OR: a bit is 0 only where both input bits are 0, otherwise it is 1
  where (1 or 1 = 1), (1 or 0 = 1), (0 or 1 = 1), (0 or 0 = 0)
         1010 (dec 10)
      OR 1100 (dec 12)
       = 1110 (dec 14)

Logical exclusive OR (XOR): a bit is 1 only where the input bits differ
  where (1 xor 1 = 0), (1 xor 0 = 1), (0 xor 1 = 1), (0 xor 0 = 0)
         1010 (dec 10)
     XOR 1100 (dec 12)
       = 0110 (dec 6)

Using the workstation example with IP of 10.60.145.241 with a 255.255.255.0 subnet mask, we conduct the bitwise AND operation to determine the network:

     00001010 00111100 10010001 11110001 | 10.60.145.241
 AND 11111111 11111111 11111111 00000000 | 255.255.255.0
   = 00001010 00111100 10010001 00000000 | 10.60.145.0
          

Classless Networks. It's unlikely that an organization with a Class A network will deploy 16 million hosts. Subnetting breaks a large network into smaller networks, and Classless Inter-Domain Routing (CIDR) lets the boundary between network and host bits fall at any bit position rather than only at the classful octet boundaries. In contrast, a Class C network with 254 hosts might be too small, and supernetting combines networks into a larger one.

As an example, let's assign the IP address 10.60.145.241 and the subnet mask 255.255.255.0 to a host. This is a classless (CIDR) assignment because it does not use the classful default subnet mask of 255.0.0.0 for Class A networks.

|00001010 00111100 10010001 11110001| bits
|   10   .   60   .   145  .   241  | ip address
|         network          |  host  | field
|  255   .  255   .  255   .    0   | subnet mask
|11111111 11111111 11111111 00000000| bits

Classless Inter-Domain Routing comes with its own "CIDR notation," a shorthand for the prefix length that lets subnet masks vary in length (variable length subnet masking, VLSM). After the IP address, write a slash / followed by the number of subnet mask bits in the network portion. For example, the above IP address with the default Class A subnet mask (255.0.0.0) would be written 10.60.145.241/8. But since the IP address in the diagram has the non-default subnet mask, we write it as 10.60.145.241/24 because 255.255.255.0 has 24 network bits.

Private Networks. Wait...there's more! What if an organization needs addresses for hosts that will never be reached directly from the Internet, or wants to test networking protocols without advertising routes to outside devices? Great, let's designate a network in each of the classful addressing schemes for this purpose. RFC 1918 is well known in the networking community for defining private address ranges that are not routed across the public Internet. This RFC, combined with Network Address Translation (NAT), is what has kept IPv4 workable: IANA handed out its last free blocks to the Regional Internet Registries (RIRs) in 2011, and RIPE NCC, the European registry, made its final IPv4 allocation in 2019 (RIPE NCC, 2019).

Network Class | Private IP Networks           | Default Subnet Mask
Class A       | 10.0.0.0 - 10.255.255.255     | 255.0.0.0     (one block: 10.0.0.0/8)
Class B       | 172.16.0.0 - 172.31.255.255   | 255.255.0.0   (16 networks; as one block: 172.16.0.0/12)
Class C       | 192.168.0.0 - 192.168.255.255 | 255.255.255.0 (256 networks; as one block: 192.168.0.0/16)
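To make the subnet math above concrete, here is an added Python example (not code from this page). It works the AND/OR/NOT steps by hand rather than calling Python's ipaddress module so the bit operations stay visible, derives the classful default mask from the first octet, and applies the same AND test to the RFC 1918 table. The sample addresses are the lesson's 10.60.145.241/24 plus constructed ones; the /31 and /32 handling follows RFC 3021, which the lesson does not cover.

```python
"""IPv4 subnet math by hand: AND for the network, OR for the broadcast.

Added example for this lesson; not code from the page. Uses only the
standard library and deliberately avoids the ipaddress module so the
bit operations stay visible.
"""
from typing import Dict, Optional

# RFC 1918 private blocks as (network, prefix length)
RFC1918_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def ip_to_int(dotted: str) -> int:
    """'10.60.145.241' -> 0x0A3C91F1: pack four octets, most significant first."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the remaining host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24, rejecting masks whose 1s are not all on the left."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"subnet mask bits are not contiguous: {mask}")
    return prefix


def classful_prefix(dotted: str) -> Optional[int]:
    """Default mask length from the leading bits of the first octet (None for class D/E)."""
    first = ip_to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return 8       # class A: 0xxxxxxx
    if first >> 6 == 0b10:
        return 16      # class B: 10xxxxxx
    if first >> 5 == 0b110:
        return 24      # class C: 110xxxxx
    return None        # class D multicast / class E reserved


def is_private(dotted: str) -> bool:
    """RFC 1918 test: AND the address with the block's mask and compare to the block."""
    addr = ip_to_int(dotted)
    return any(addr & prefix_to_mask(p) == ip_to_int(net) for net, p in RFC1918_BLOCKS)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """The test a host makes before deciding whether a packet needs the default gateway."""
    m = ip_to_int(mask)
    return ip_to_int(a) & m == ip_to_int(b) & m


def subnet_info(cidr: str) -> Dict[str, object]:
    """Describe a network from 'a.b.c.d/n'; without '/n' fall back to the classful default."""
    addr_s, _, prefix_s = cidr.partition("/")
    addr = ip_to_int(addr_s)
    prefix = int(prefix_s) if prefix_s else classful_prefix(addr_s)
    if prefix is None:
        raise ValueError(f"no default mask for class D/E address {addr_s}")
    mask = prefix_to_mask(prefix)
    network = addr & mask                        # AND keeps the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # OR sets every host bit
    if prefix >= 31:
        # RFC 3021: a /31 point-to-point link uses both addresses and a /32 is one
        # host; neither reserves a network or broadcast address.
        usable = 2 ** (32 - prefix)
        first_host, last_host = network, broadcast
    else:
        usable = 2 ** (32 - prefix) - 2          # minus network and broadcast
        first_host, last_host = network + 1, broadcast - 1
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "prefix": prefix,
        "first_host": int_to_ip(first_host),
        "last_host": int_to_ip(last_host),
        "usable_hosts": usable,
        "private": is_private(addr_s),
        "classless": prefix != classful_prefix(addr_s),
    }


if __name__ == "__main__":
    for cidr in ("10.60.145.241/24", "10.60.145.241", "192.168.1.77/26", "136.160.90.6/22"):
        print(cidr, subnet_info(cidr))
```

The mask_to_prefix check matters in practice: a mask such as 255.0.255.0 has the right number of 1s but is not a valid subnet mask, and some tools silently accept it.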

Network Address Translation (NAT). We've learned that each host on the Internet has an IP Address, and that network packets get routed based on the destination host's IP Address. In general, that's true. We've also learned that the IPv4 address space is essentially all allocated. There are plenty of IPv6 addresses, but we won't discuss the details of IPv6 in this course. However, there is another workaround for the limited IPv4 address space, called Network Address Translation, or NAT. We discuss the operation of NAT in this course because it's very widely used, and because it has some security relevance.

Thanks to private IP Addresses, local networks can contain thousands or even millions of hosts, even though an organization only has a much smaller number of "public" assigned IP Addresses through its ISP. When packets leave the local network and enter the public internet, they must receive a routable IP Address. What we need is a process by which the internal (non-routable, or private) IP Address can be mapped to its equivalent external, or public IP Address. This mapping has to remain consistent for "conversations" between hosts, like the TCP connections we discussed previously.

NAT allows multiple network hosts to share a single public IP address by translating between the private and public addressing schemes. Network devices and servers can be configured to provide this service; it is standard in household networking devices, which commonly use the 192.168.1.0/24 private network with the router at 192.168.1.1. Within the network layer, a NAT gateway rewrites some fields in the packet header and records the original values in a table that tracks internal (private) and external (public) connections. Making the most of private addressing with NAT bought the RIRs years of additional IPv4 life before their address pools ran out.

Diagram of NAT

The way NAT works is as follows. When Host A (local) sends a packet to Site B (remote), the network packet is constructed with Site B's IP Address as the destination, and host A's address as the source. However, Host A's address is local-only. The packet goes through an intermediary host (a router or computer) at the local network perimeter, where NAT occurs. In NAT, Host A's IP Address is replaced with one of the local network's available public IP Addresses as the source. In addition, the source port number on the packet is reassigned to a number that uniquely identifies the connection with Host A. The mapping between Host A's local IP Address and port number (for this connection) and the source IP Address and port number in the packet are stored in a table by the intermediary. When packets return from Site B, the same mapping has to happen in reverse, since Site B does not know the real IP/port for Host A. This process works because there are a large number of port numbers (0-65535) we can use to fill the translation table.

From a security standpoint, the key impact is that potential attackers on the Internet can't easily scan private IP space for vulnerable hosts. Any host with a public IP address can be scanned, and some of its vulnerabilities potentially discovered. With NAT, your host is "hidden," in a way, behind the translation: an inbound packet that matches no entry in the translation table has nowhere to go and is dropped. That protection is a side effect of the stateful table, not a substitute for a firewall; a port-forwarding rule or a UPnP request from an internal device re-exposes a host, and NAT does nothing about outbound connections initiated by a compromised machine. Although NAT came about primarily to address the shortage of assignable public IPv4 addresses, one reason it remains popular is this security benefit. Even with the rise of IPv6 deployment around the world, IPv4 with NAT remains a very popular choice in commercial, educational, and home networks.
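The translation described above, as an added Python simulation (not the page's code and not a real NAT implementation). It assumes a constructed public address 203.0.113.5 and an outside scanner 198.51.100.9 from the RFC 5737 documentation ranges, inside hosts on the lesson's 10.60.145.0/24 network, public ports handed out from the dynamic range starting at 49152, and an address-and-port-restricted policy in which a reply is admitted only from the peer the inside host actually contacted. Two inside hosts using the same source port get distinct public ports, and an unsolicited packet finds no table entry and is dropped, which is the "hidden host" effect the text describes.

```python
"""Port-translating NAT (NAPT) gateway, simulated.

Added example for this lesson; not code from the page and not a real
gateway. Packets are plain dicts. The public address 203.0.113.5 and the
outside host 198.51.100.9 are constructed from the RFC 5737 documentation
ranges; the inside hosts are on the lesson's 10.60.145.0/24 network.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 49152  # first port of the dynamic/ephemeral range
    # (inside ip, inside port, remote ip, remote port) -> translated public port
    outbound: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # translated public port -> (inside endpoint, remote endpoint)
    inbound: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)

    def send_out(self, pkt: dict) -> dict:
        """Inside -> Internet: rewrite the source, remember the mapping."""
        inside = (pkt["src_ip"], pkt["src_port"])
        remote = (pkt["dst_ip"], pkt["dst_port"])
        key = inside + remote
        port = self.outbound.get(key)
        if port is None:
            if self.next_port > 65535:
                raise RuntimeError("translation table full")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = (inside, remote)
        # Only the source changes; Site B sees the gateway's public address.
        return {**pkt, "src_ip": self.public_ip, "src_port": port}

    def receive_in(self, pkt: dict) -> Optional[dict]:
        """Internet -> inside: reverse the mapping, or drop the packet."""
        if pkt["dst_ip"] != self.public_ip:
            return None
        entry = self.inbound.get(pkt["dst_port"])
        if entry is None:
            return None  # no inside host asked for this: a scan hits nothing
        inside, remote = entry
        if (pkt["src_ip"], pkt["src_port"]) != remote:
            return None  # right port, wrong peer: address-and-port-restricted policy
        return {**pkt, "dst_ip": inside[0], "dst_port": inside[1]}


def demo() -> Tuple[dict, Optional[dict], Optional[dict]]:
    """One Gmail-style flow from the lesson's laptop, its reply, and a scan."""
    nat = NatGateway("203.0.113.5")
    out = nat.send_out({"src_ip": "10.60.145.241", "src_port": 54322,
                        "dst_ip": "172.217.12.229", "dst_port": 443})
    reply = nat.receive_in({"src_ip": "172.217.12.229", "src_port": 443,
                            "dst_ip": "203.0.113.5", "dst_port": out["src_port"]})
    scan = nat.receive_in({"src_ip": "198.51.100.9", "src_port": 40000,
                           "dst_ip": "203.0.113.5", "dst_port": 22})
    return out, reply, scan


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "scan"), demo()):
        print(label, pkt)
```

Real gateways also age entries out of the table, and a port-forwarding rule is simply a permanent inbound entry that accepts any remote peer, which is exactly why it re-exposes the inside host.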


Activity: Revealing your Public IP

There are several ways to reveal the public IP address used on the network. Most involve Google Searching for websites that will reveal the source IP conducting a GET Request to the website. Since it's past 6-wks of the semester, let's improve your shell skills.

  1. Open PowerShell
  2. Run curl ipinfo.io
The curl command sends a GET request to a web address, ipinfo.io. (In Windows PowerShell 5.1, curl is an alias for the Invoke-WebRequest cmdlet, which is why the output looks different from the curl program on Linux and macOS.) The HTTP response should come back with Status Code: 200, signifying the request succeeded.


IPv4 v. IPv6. Sure, there might not be exactly 2^32 or 2^128 usable addresses, but that's still a lot, right?
IPv6. Initially proposed in 1995, IPv6 was developed as the successor to the 32-bit IPv4 addressing scheme. The current specification, RFC 8200, defines a 128-bit address, giving 2^128 (roughly 3.4 x 10^38) addresses for IPv6 networks. It seems like a lot of addresses, but that's what was also likely stated in 1981! So where can all of those devices come from or go to if we have enough addresses to cover every square millimeter of the planet many times over?? Where else but to infinity and beyond 🚀!

IPv4 and IPv6 are not interoperable, so traffic between them has to be translated, which has slowed IPv6 adoption. NAT is not only helping extend the use of IPv4: NAT64 (IPv6-only clients reaching IPv4 servers) and NAT46 (the reverse) are translation mechanisms that allow communication between the two standards. Take a look at the adoption of IPv6 over time with Google's IPv6 stat tracker.

Internet Protocol Routing Overview

Routers are network devices that function primarily at layer 3. They are dedicated appliances or servers that build route tables by learning about neighboring devices and networks. Routers use routing protocols to learn about and decide how to route packets between networks. The two types of routing protocols are Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs). As the names imply, IGPs (such as OSPF and RIP) learn routes internal to an enterprise network (when an organization has more than one router, this is how they learn about each other), and EGPs (in practice, BGP) route between enterprise networks, or Autonomous Systems (AS). This might look familiar from the curl command that determined the public-facing IP address, as the org value returned contained an AS number.

PS C:\Users\m9999> curl ipinfo.io/json

StatusCode        : 200
StatusDescription : OK
Content           : {
                      "ip": "136.160.90.6",
                      "hostname": "c-136-160-90-6.gonavy.usna.edu",
                      "city": "Annapolis",
                      "region": "Maryland",
                      "country": "US",
                      "loc": "38.9786,-76.4918",
                      "org": "AS6059 University of Maryland"
RawContent        : HTTP/1.1 200 OK
      

Hops and TTL. Each layer 3 device that data passes through is considered a hop. The first hop for any packet leaving a network is the default gateway: whenever the destination is not on the local IP network, the packet must be routed by the router serving as the default gateway. Network engineers who design and configure IP addressing typically follow industry practice and assign the first or last host IP address of a network to the router. The time-to-live (TTL) is the maximum number of hops a packet may traverse on its way to the destination before it expires. Every router that forwards the packet decrements the TTL by one; a router that decrements it to zero discards the packet and sends an ICMP Time Exceeded message back to the source. This prevents packets stuck in a routing loop from circulating forever and saturating an area of the network.


Route Poisoning ☠ Redirecting Internet Traffic for Military Espionage
A 2018 paper published in the journal Military Cyber Affairs by researchers from the US Naval War College and Tel Aviv University documented how China Telecom poisoned routes in BGP, the Exterior Gateway Protocol of the Internet, to redirect Internet traffic through its network, enabling state-sponsored military and corporate espionage. BGP routers accept route announcements from their peers largely on trust, which is why a false announcement can pull traffic across the globe; Resource Public Key Infrastructure (RPKI) route origin validation is the main deployed countermeasure.

Routing Issues:

Gmail Scenario. So far, we've covered how the Application Layer provides services and how the Transport Layer connects these services end-to-end. Now, we take one step deeper into the TCP/IP Stack by exploring how the Network Layer provides an internetwork path for packets conveying the Layer 4 UDP datagrams and TCP segments. The introduction of routing in this lesson means that our scenario now needs to incorporate routers. As our diagram continues to grow, you may need to scroll to see its right end.

  1. Your laptop's application layer generates a DNS query (#1) and passes it down to your laptop's transport layer.
  2. Your laptop's transport layer encapsulates the DNS query (#1) in a UDP datagram (#2) and passes the datagram to your laptop's network layer. The source port number is an arbitrary ephemeral port number, and the destination port number is the default for DNS (53).
  3. Your laptop's network layer encapsulates the UDP datagram (#2) in an IP packet (#3) and passes the packet to your laptop's data link layer. The source IP address is your laptop's IP address (10.60.145.241), and the destination IP address is the DNS server's IP address (10.1.74.10).
    **See the next lesson for what happens below the network layer.**
    The DNS server's network layer receives the deencapsulated IP packet (#3), deencapsulates the UDP datagram (#2) and passes the UDP datagram (#2) up to the DNS server's transport layer. The DNS server's transport layer receives the deencapsulated UDP datagram (#2), deencapsulates the DNS query (#1), and passes the DNS query (#1) up to the DNS server's application layer.
  4. The DNS server's application layer processes the DNS query (#1), generates a DNS response (#4), and passes the DNS response (#4) down to the DNS server's transport layer.
  5. The DNS server's transport layer encapsulates the DNS response (#4) in a UDP datagram (#5) and passes the UDP datagram (#5) to the DNS server's network layer. For the port numbers, the DNS server uses the same port numbers for the response as were used for the query. As such, the source port number for this response matches the port through which it received the query (port 53), and the destination port number for this response matches the port through which the DNS client transmitted the query (port 54321).
  6. The DNS server's network layer encapsulates the UDP datagram (#5) in an IP packet (#6) and passes the IP packet (#6) down to the DNS server's data link layer.
    **See the next lesson for what happens below the network layer.**
    Your laptop's network layer receives the deencapsulated IP packet (#6), deencapsulates the UDP datagram (#5), and passes the UDP datagram (#5) up to the transport layer. Your laptop's transport layer receives the deencapsulated UDP datagram (#5), deencapsulates the DNS response (#4), and passes the DNS response (#4) up to the application layer.
  7. Now that your laptop has the IP address for mail.google.com (172.217.12.229), your laptop's application layer generates an HTTPS request (#7) for the Gmail web server and passes it down to your laptop's transport layer.
  8. Your laptop's transport layer recognizes the need for a TCP connection and encryption to support HTTPS, so it conducts the TCP three-way handshake and negotiates the TLS configuration with the Gmail web server (#8). We explored these steps in greater detail in the previous lesson but will summarize them from here on down the TCP/IP Stack. The source port number (54322) is merely incremented from the last assigned ephemeral port number, and the destination port number is the default for HTTPS (443). Because TCP is connection-oriented, your laptop and the Gmail web server will use these same established sockets for all remaining TCP communications in this session.
  9. Your laptop's transport layer and the Gmail web server's transport layer both use their respective network layer to convey all TCP segments between them. At each hop (each Layer 3 device) between source and destination, the router examines the Layer 3 IP packet header, compares the destination IP address to its route table, and decides which way it should forward the packet. Every device's network layer passes packets down to its data link layer (to be conveyed across the network) and receives deencapsulated packets from its data link layer. Although each TCP segment (three segments for the three-way handshake and at least two segments for the TLS negotiation) gets encapsulated in its own IP packet, we summarize these communications here to keep the diagram and this description succinct. We show the individual IP packets per UDP datagram in the DNS query/response part of the scenario.
  10. Now that your laptop has an encrypted connection with the Gmail web server, your laptop's transport layer encrypts and then encapsulates the HTTPS request (#7) in a TCP segment (#10) and passes the segment to your laptop's network layer.
  11. Your laptop's network layer encapsulates the TCP segment (#10) in an IP packet (#11) and passes the IP packet (#11) to your laptop's data link layer.
    **See the next lesson for what happens below the network layer.**
    The Gmail web server's network layer receives the deencapsulated IP packet (#11), deencapsulates the TCP segment (#10), and passes the TCP segment (#10) up to the Gmail web server's transport layer. The Gmail web server's transport layer receives the deencapsulated TCP segment (#10), deencapsulates and then decrypts the HTTPS request (#7), and passes the HTTPS request (#7) up to the Gmail web server's application layer.

How DHCP works at Layer 3

We've learned that DHCP is an application layer protocol that uses UDP at the transport layer. Remember that DHCP exists to dynamically configure a host's IP address, so when the DHCP client loads into memory to run as a process, the host does not yet have an IP address. The host sends a DHCP Discover packet with 0.0.0.0 as the source IP address and 255.255.255.255 as the destination IP address, the limited broadcast address that reaches every host on the local network and that routers will not forward unless explicitly configured to relay DHCP. Upon receiving the DHCP Discover, the DHCP server sends a DHCP Offer. To accept the DHCP Offer, the DHCP client sends a DHCP Request, and the server responds with a DHCP Acknowledgement to finalize the IP address assignment. In the ipconfig /all output below, the IPv4 Address, Subnet Mask, Default Gateway, DNS Servers and Connection-specific DNS Suffix are the fields the DHCP server assigned to the client; the DHCP Server address and the Lease Obtained and Lease Expires times are what the client recorded from its own DHCP exchange.

PS C:\Users\m9999> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : host01
   Primary Dns Suffix  . . . . . . . : academy.usna.edu
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : academy.usna.edu
                                       usna.edu

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : academy.usna.edu
   Description . . . . . . . . . . . : Realtek USB GbE Family Controller #2
   Physical Address. . . . . . . . . : C0-3E-BA-AF-5E-43
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.60.145.241(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, October 6, 2023 1:03:30 AM
   Lease Expires . . . . . . . . . . : Friday, October 22, 2023 1:03:36 AM
   Default Gateway . . . . . . . . . : 10.60.145.1
   DHCP Server . . . . . . . . . . . : 10.1.74.10
   DNS Servers . . . . . . . . . . . : 10.1.74.10
   NetBIOS over Tcpip. . . . . . . . : Enabled


Layer 3 Network Utilities

The ipconfig /all command in Windows PowerShell displays the network configuration information for the host. From the Data Link layer lesson, the Physical Address is the Media Access Control (MAC) address of the Network Interface Card (NIC) installed in the host. The next set of configuration fields to look at pertains to the Network layer: IPv4 Address, Subnet Mask, and Default Gateway.

Ping and tracert are network utilities that use Internet Control Message Protocol (ICMP), a Layer 3 protocol, for network diagnostics. Ping sends ICMP Echo Request packets and waits for Echo Reply packets to determine whether a system is reachable. While this can be an effective tool in troubleshooting network connectivity, security devices often block ICMP between networks, so a silent host is not necessarily an offline host. To see its basic use, we're going to ping the DHCP server. In the ipconfig output earlier on this page, the DHCP server is 10.1.74.10, so execute ping 10.1.74.10 to send ICMP Echo Requests to it. Since the DHCP server is expected to be online, each request gets an Echo Reply. The TTL shown in each reply is whatever the server started with minus one per router crossed; common starting values are 64 (Linux and most Unix-like systems), 128 (Windows) and 255 (many network devices), so TTL=59 in the output below suggests a reply that started at 64 and crossed five routers.

If you send a ping to a system that is not online the program will respond with a "Request timed out" message.

The tracert utility also uses ICMP, but in a different way: it sends probes with a TTL of 1, then 2, then 3, and so on. Each probe expires at a successively farther router, and the ICMP Time Exceeded message that router sends back reveals its address, so the TTL is deliberately incremented to map each hop of the route. The trace to mail.google.com below took 14 hops from this host, with the last USNA router being maryland-r2-gi0_0_0s2001.net.usna.edu [136.160.88.12].

PS C:\Users\m9999>ping 10.1.74.10

Pinging 10.1.74.10 with 32 bytes of data:
Reply from 10.1.74.10: bytes=32 time=1ms TTL=59
Reply from 10.1.74.10: bytes=32 time=2ms TTL=59
Reply from 10.1.74.10: bytes=32 time<1ms TTL=59
Reply from 10.1.74.10: bytes=32 time=1ms TTL=59

Ping statistics for 10.1.74.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 1ms

C:\Users\m9999>ping 10.1.74.99

Pinging 10.1.74.99 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.74.99:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PS C:\Users\m9999>tracert mail.google.com

Tracing route to googlemail.l.google.com [172.217.12.229]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  hopper-4b-as1-v401.gw.usna.edu [10.60.145.1]
  2     1 ms     1 ms     1 ms  hopper-1a-ag1-v2x19.net.usna.edu [10.48.1.226]
  3     1 ms     3 ms     1 ms  yard-d2-v3x70.net.usna.edu [10.32.2.192]
  4     1 ms     1 ms     1 ms  usna-c1-v2x13.net.usna.edu [10.0.1.25]
  5     3 ms     1 ms     1 ms  border-d2-v2x17.net.usna.edu [10.0.1.34]
  6     2 ms     1 ms     2 ms  border-f3-te0_6s3001.net.usna.edu [10.4.16.5]
  7     2 ms     2 ms     2 ms  maryland-r2-gi0_0_0s2001.net.usna.edu [136.160.88.12]
  8     2 ms     2 ms     2 ms  ten2-4.usna-core.net.ums.edu [136.160.255.57]
  9     3 ms     3 ms     2 ms  ten2-3.annap-gw.net.ums.edu [136.160.254.145]
 10     4 ms     4 ms     4 ms  hun2-1.ashburn-core.net.ums.edu [131.118.255.250]
 11    11 ms     9 ms     3 ms  ten3-4.umbc-core.net.ums.edu [131.118.255.178]
 12     5 ms     4 ms     5 ms  108.170.240.97
 13     5 ms     4 ms     5 ms  72.14.234.135
 14     4 ms     4 ms     4 ms  iad30s15-in-f5.1e100.net [172.217.12.229]

Trace complete.
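The TTL mechanics behind the ping and tracert output above, as an added Python simulation (not code from the page and not a real traceroute, which needs raw sockets). The routers are entries in a constructed forwarding table: the hop addresses are borrowed from the tracert output, but the table itself is invented and abbreviated, and it includes a deliberately misconfigured route for a constructed destination 198.51.100.7 (an RFC 5737 address) so the loop case the text mentions can be exercised. The TTL-to-hops estimate assumes the common starting values named above.

```python
"""TTL decrement, ICMP Time Exceeded, and the traceroute trick, simulated.

Added example for the Hops and TTL and tracert passages; not code from the
page. Routers are entries in a constructed forwarding table: the hop
addresses are borrowed from the lesson's tracert output but the table
itself (including the deliberate loop) is invented for this example.
"""
from typing import Dict, List

# router ip -> {destination ip -> next-hop ip}; a next hop equal to the
# destination means the router delivers directly. Abbreviated and constructed.
FORWARDING: Dict[str, Dict[str, str]] = {
    "10.60.145.1": {"172.217.12.229": "10.48.1.226", "198.51.100.7": "10.48.1.226"},
    "10.48.1.226": {"172.217.12.229": "10.32.2.192", "198.51.100.7": "10.32.2.192"},
    "10.32.2.192": {"172.217.12.229": "172.217.12.229",
                    "198.51.100.7": "10.48.1.226"},  # misconfigured: points back, creating a loop
}
GATEWAY = "10.60.145.1"  # the lesson laptop's default gateway


def forward(dst: str, ttl: int, gateway: str, table: Dict[str, Dict[str, str]]) -> dict:
    """Push one packet through the routers, hop by hop.

    Returns 'result' in {'delivered', 'time_exceeded', 'unreachable'}, 'from'
    (the device that produced the result) and 'path' (routers traversed).
    """
    if ttl < 1:
        raise ValueError("TTL must be at least 1 to leave the host")
    here, path = gateway, []
    while True:
        ttl -= 1               # every router decrements before forwarding
        path.append(here)
        if ttl == 0:           # expired here: discard and send ICMP Time Exceeded
            return {"result": "time_exceeded", "from": here, "path": path}
        nxt = table.get(here, {}).get(dst)
        if nxt is None:        # no route: ICMP Destination Unreachable
            return {"result": "unreachable", "from": here, "path": path}
        if nxt == dst:
            return {"result": "delivered", "from": dst, "path": path + [dst]}
        here = nxt


def traceroute(dst: str, gateway: str, table: Dict[str, Dict[str, str]],
               max_hops: int = 30) -> List[str]:
    """Probe with TTL 1, 2, 3, ...; each Time Exceeded reveals one router."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        r = forward(dst, ttl, gateway, table)
        hops.append(r["from"])
        if r["result"] != "time_exceeded":
            break
    return hops


def hops_from_reply_ttl(reply_ttl: int, initial_ttls=(64, 128, 255)) -> int:
    """Estimate routers crossed from a ping reply's TTL, assuming a common starting value."""
    if not 0 < reply_ttl <= 255:
        raise ValueError(f"bad TTL: {reply_ttl}")
    initial = min(t for t in initial_ttls if t >= reply_ttl)
    return initial - reply_ttl


if __name__ == "__main__":
    print("to mail.google.com:", traceroute("172.217.12.229", GATEWAY, FORWARDING))
    print("looping route:", traceroute("198.51.100.7", GATEWAY, FORWARDING, max_hops=6))
    print("TTL 64 in the loop:", forward("198.51.100.7", 64, GATEWAY, FORWARDING)["result"])
    print("ping reply TTL=59 implies", hops_from_reply_ttl(59), "routers")
```

Run against the looping route, traceroute shows the same two routers alternating, which is exactly how a routing loop looks in real tracert output; with TTL 64 the packet dies at the 64th router instead of circulating forever.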
        

Activity: Hacking Google and USNA Bank is Open for Business!!

Now that you have a fundamental understanding of the Network, Transport, and Application Layers of the TCP/IP Stack, we're going to apply your knowledge by manipulating your computer's hosts file to redirect name lookups to the servers we desire. Before a host sends a DNS query, it consults its local hosts file; an entry there answers the lookup and no DNS query is ever sent. Let's work through how your computer resolves hostnames when browsing the World-Wide Web (WWW).

  1. Open Notepad++ as an administrator.
  2. Edit the C:\Windows\System32\drivers\etc\hosts file.
      Append the file with the following lines:
             usna.co.uk
             google.com
      65.61.137.117    usnabank.com
  3. Save the hosts file in Notepad++.
  4. Open a browser and go to usna.co.uk/.
  5. Open another browser tab and go to google.com/~m9999, replacing the 9999 with your own alpha.
  6. In the last browser tab, go to https://usnabank.com and observe the warning signs, proceeding to the site.
  7. Identify observations and security implications.
    • Conduct a DNS lookup for usna.co.uk: nslookup usna.co.uk
    • Conduct a DNS lookup for google.com: nslookup google.com
    • Was a DNS query submitted for usna.co.uk?
  8. Important: Be sure to restore the hosts file to its original by removing the entries we appended and saving it!

nslookup should not have resolved usna.co.uk, because nslookup sends its queries straight to the DNS server and ignores the hosts file; the browser, however, consulted the hosts file, which resolved that domain to IP . Conduct a reverse DNS lookup for and it resolves to ward-rweb-08.academy.usna.edu, the server that hosts https://courses.cyber.usna.edu/; however, http://courses.cyber.usna.edu/ also runs on that server, allowing access despite the domain mismatch. What was the situation for google.com? Your browser still processed your midn website as if it were hosted on google.com! Additionally, https://usnabank.com at least provided a warning, because the certificate presented by 65.61.137.117 is not valid for the name usnabank.com, but what are several other security concerns when evaluating the upper levels of the TCP/IP Stack and how your computer handles DNS?

Security tools look for programs attempting to modify your hosts file and will alert you to their potentially malicious actions; redirecting or sinkholing names this way is a long-standing malware technique for blocking security-update servers or sending victims to look-alike sites, and it needs no network access at all. Also, it is important to remove the entries made in the hosts file to bring your system back to its original state - please don't forget to do that!
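The resolver behaviour the activity demonstrates, as an added Python example (not code from the page and not a real resolver). It parses the hosts-file format shared by Windows and Unix, resolves a name the way the browser does (hosts file first, DNS only on a miss) and the way nslookup does (DNS only), and finishes with the kind of audit a security tool runs: every name the hosts file answers itself, other than localhost, is reported. The sample hosts file is constructed: the usnabank.com line echoes the activity, while the google.com override (198.51.100.20, an RFC 5737 documentation address) and the stand-in DNS answers are invented.

```python
"""Hosts-file resolution order and a simple integrity check.

Added example for the hosts-file activity; not code from the page and not
a real resolver. The sample file and DNS answers below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample, not copied from any machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
# entries appended during the activity
65.61.137.117   usnabank.com   www.usnabank.com
198.51.100.20   google.com     # constructed override
"""

# Constructed stand-in for what the configured DNS server would answer.
SAMPLE_DNS = {"google.com": "172.217.12.229"}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """name -> address. Comments start at '#', names are case-insensitive,
    a line may carry several names, and the first mapping for a name wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, hosts: Dict[str, str], dns: Dict[str, str]) -> Tuple[Optional[str], str]:
    """What a browser gets: hosts file first, DNS only on a miss."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "nxdomain"


def nslookup(name: str, dns: Dict[str, str]) -> Optional[str]:
    """What nslookup gets: it queries the DNS server directly and never reads the hosts file."""
    return dns.get(name.lower().rstrip("."))


def audit_hosts(hosts: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Report every name the hosts file answers itself, apart from localhost.
    Security tools apply the same idea to catch malware that redirects update
    or banking domains before any DNS query is ever sent."""
    findings: List[Tuple[str, str, str]] = []
    for name, addr in sorted(hosts.items()):
        if name == "localhost" and addr in LOOPBACK:
            continue
        reason = "sinkholed to loopback" if addr in LOOPBACK else "overrides DNS"
        findings.append((name, addr, reason))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("google.com", "usnabank.com", "usna.co.uk"):
        print(name, "browser ->", resolve(name, hosts, SAMPLE_DNS),
              "nslookup ->", nslookup(name, SAMPLE_DNS))
    for finding in audit_hosts(hosts):
        print("hosts override:", finding)
```

Note what the two lookups return for google.com: the browser path lands on the hosts-file address while nslookup returns the DNS answer, which is precisely the discrepancy the activity asks you to explain.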


Supplemental Media:

Local Network/Inter-Network Demo (credit: Aaron Herber, USNA 2012): This demo illustrates how packets are sent within a single network and between hosts on different networks. Additionally, it has a nice animation for ARP requests, which is how a host builds up an ARP table, the table that matches IP addresses to MAC addresses for hosts on the same network.

How IP Addresses Work


Review Questions:

  1. How does the Network layer interact with the Data Link layer?
  2. What is the difference between a switch and a router?
  3. What is the difference between IPv4 and IPv6?
  4. What are the properties of IPv4 addressing schemes?
  5. What is the purpose of Private Networks and how are they used with NAT?
  6. What are some of the challenges with Network layer routing?
  7. What are some of the network utilities related to the Network layer and their purpose?


References

  1. Network Working Group, "RFC 1918 - Address Allocation for Private Internets", Internet Engineering Task Force, Feb. 1996.
  2. Network Working Group, "RFC 1122 - Requirements for Internet Hosts -- Communication Layers", Internet Engineering Task Force, Oct. 1989.
  3. DARPA Internet Program, "RFC 791 - Internet Protocol: DARPA Internet Program Protocol Specification", Internet Engineering Task Force, Sep. 1981.
  4. IBM Knowledge Center, "Comparison of IPv4 and IPv6", IBM. Retrieved Jul 10, 2019.
  5. Lifewire, "How IP Network Routing Works", Lifewire, Jul. 2019. Retrieved Jul 10, 2019.