DOCSLIB.ORG

Fragmentation Considered Vulnerable: Blindly Intercepting and Discarding Fragments

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Fragmentation Considered Vulnerable: Blindly Intercepting and Discarding Fragments Fragmentation Considered Vulnerable: Blindly Intercepting and Discarding Fragments Yossi Gilady and Amir Herzbergz Dept. of Computer Science, Bar Ilan University [email protected], [email protected] Abstract depends on implementation details, e.g., we found Win- dows platforms to be more vulnerable than Linux sys- We show that fragmented IPv4 and IPv6 traffic is vul- tems; however, Linux systems are also vulnerable, in nerable to DoS, interception and modification attacks practical scenarios, with a more sophisticated attack. by a blind (spoofing-only) attacker. We demonstrated a Our adversary model is a blind (i.e., non eavesdrop- weak attacker causing over 94% loss rate and intercept- ping) attacker who is capable of spoofing. The vul- ing more than 80% of data between peers. All attacks nerabilities we present allow such attackers to perform are practical, and validated experimentally on popular in- devastating Denial of Service attacks on legitimate IP dustrial and open-source products, with realistic network traffic in standard network settings, as well as to inter- setups (involving NAT or tunneling). The interception cept (expose) and hijack (modify) traffic in common net- attack requires a zombie behind the same NAT or tunnel- work topologies, where Network Address port Transla- gateway as the victim destination; the other attacks only tors (NAT) devices are used. require a puppet (adversarial applet/script in sandbox). The complexity of our attacks depends on the pre- Like many or most previous attacks on IP [8], our dictability of the IP Identifier (ID) field and are simpler attacks exploit weaknesses in IP’s fragmentation mech- for implementations, e.g. Windows, which use globally- anisms. While conceptually simple, fragmentation in- incrementing IP IDs. Most of our effort went into extend- volves some subtle issues and several related vulnera- ing the attacks for implementations, e.g. Linux, which bilities. Probably the most significant vulnerabilities so use per-destination-incrementing IP IDs. far were implementation bugs, which were exploited for very effective DoS attacks: Teardrop [1], Rose [2], and Ping of Death [13] (see survey in [3]). However, these 1 Introduction critical implementation bugs were long ago fixed and may still exist only in few relic systems. Furthermore, The Internet Protocol (IP) is the primary protocol that es- our work exploits specification vulnerabilities, not an im- tablishes the Internet. It is one of the most basic, widely plementation bug. deployed and used protocols, as well as one of the old- We are aware of only three known specification vul- est (dated back to 1974), simplest and most well known nerabilities related to fragmentation. The first uses and studied. There are many implementations of IP, in- specially-crafted fragments to bypass filtering by fire- cluding many embedded and other systems still using walls and intrusion-detection systems; this is discussed ancient implementations, and new implementations are and addressed in [19, 14]. The two others are DoS vul- developed constantly, esp. with the advance of mobile, nerabilities: fragment cache overflow [10] and fragment ubiquitous internetworking. Naturally, over the years mis-association [9]; however, both of these have a very there were many abuses of vulnerabilities in the IP spec- small impact - the maximal loss rate we were able to ifications (IPv4 [15] and IPv6 [6]). There was also an cause (or found reported) was less than 0.1%. impressive effort to identify and fix such vulnerabilities; In contrast, we present highly-effective attacks against see [8]. fragmented traffic. Like previous attacks, the attacks do It is therefore rather disturbing that in this paper we not assume MitM capabilities, and can be launched by present significant, exploitable vulnerabilities in both a mere spoofing (blind) adversary; and like [10, 9], they IPv4 and IPv6. The vulnerabilities result from problems exploit a specification problem and not (just) an imple- in the specifications; the severity of the exploits we found mentation bug. 1 Our attacks are based on predicting the IP-ID value from Alice. The harder challenge is to predict the IP- used in packets between the victim source and destina- ID when the victim (Bob) is not behind a NAT at all, or tion, and then exploiting the predicted IP-ID to cause when the attacker does not control a zombie behind such packet loss, interception or modification (for fragmented NAT. This is what we do in the rest of the paper. packets); Zalewski’s note [18] provided an early hint of In Section 3 we show how to expose the IP-ID using this attack vector. Indeed, once we can predict the IP-ID, only a puppet PuZo, i.e., code restricted within sandbox it is easy to cause fragment loss: the attacker sends one (e.g., applet, script), rather than a ‘real zombie’. Further- tiny spoofed fragment with the expected IP-ID (and the more, these attacks work not only when Bob is ‘behind’ victim source and destination addresses). Once the legiti- a NAT, but also in two other common scenarios: when mate fragments arrive, the attacker’s fragment will match PuZo runs on Bob’s machine, and when Alice and Bob some of them, resulting in wrong reassembly and packet are connected by a tunnel and PuZo is also connected via loss. Modification (of only part of the packet) works sim- the tunnel (with Alice), as illustrated in Figure 2. ilarly, except that the attacker has to carefully construct his fragment so that its content will replace the desired S PuZo Tunnel parts of the original payload. In certain (common) sce- LAN Internet LAN narios, interception is also easy: when the attacker con- A B GWA GWB trols a zombie machine behind the same Network Ad- Alice Bob dress Translator (NAT) as the destination, as illustrated Mal in Figure 1, he can intercept a packet by changing the destination port specified in the first fragment. Details of Figure 2: A Tunnel Topology, one of the three topologies these attacks are in Section 2. for the ID-Exposing Attack (see text). An IP in IP tunnel exists from LANA to LANB, GWA uses a per-destination = i id = i id Zombie IP identifier counter and PuZo is an end host running ad- versarial code (possibly a puppet restricted to sandbox - Internet NAT LAN Alice see Subsection 3.3). S is some network server that PuZo id = i + 1 id = i + 1 may receive data from, and Alice and Bob are honest Bob hosts in LANA and LANB respectively. Mal Note that in the tunnel scenario, since Alice uses per- Figure 1: One scenario where obtaining the IP-ID is destination IP-ID counters, then packets sent to PuZo ‘easy’. Alice uses one (per destination) identifier for all will use a separate counter than the one used for pack- hosts behind the NAT. Zombie observes a packet he re- ets to Bob. However, we show that PuZo can help the ceives from Alice and obtains the current per-destination attacker expose the IP-ID used by GW to send packets identifier that Alice also uses for Bob. Mal is a blind A to GW , hence communication over the tunnel is vulner- adversary that controls Zombie. B able to the loss, interception and modification attacks as outlined above (and described in Section 2). Of course, if The main remaining challenge is prediction of the IP- the communication is cryptographically-protected (e.g., ID value. In the popular family of Windows R operating IPsec tunneling), then interception and modification may systems, this is not much of a challenge. These systems be meaningless. use a single, global IP-ID counter for all destinations, In Section 3 we assume that there is no legitimate traf- so the attacker can simply predict the IP-ID of a sender fic during the ID-exposing process. In Section 4, we by receiving any packet from him (including common present an attack that requires initial knowledge of the responses such as ICMP echo/error or TCP RST/SYN- IP-ID (e.g., by applying previous attack during period of ACK). Hence, these systems are vulnerable to loss, inter- no traffic), and then ‘maintains’ this knowledge, while ception and modification attacks as outlined above (and also discarding most of the legitimate traffic. This is a described in Section 2). very efficient attack, but since most legitimate traffic is Most of our effort went to efficiently predict the IP- lost, it is mainly useful for DoS. In the full version of ID for other operating systems, e.g. Linux, which use this paper [7] we present two improvements to the ID- per-destination IP-ID counters. In the (common) NAT exposing attack (presented in Section 3) to handle con- scenario of Figure 1, the prediction is still easy (and de- current legitimate traffic; this attack has higher overhead scribed in Section 2): since Alice uses the same destina- and complexity. tion IP address (of the NAT) to send packets to both Zom- Our attacks apply only to fragmented traffic. Is there bie and Bob, then Zombie receives the current value of (still) lots of fragmented traffic? There is significant ef- the relevant IP-ID counter whenever he receives a packet fort to avoid fragmentation; in particular, IPv6 supports 2 only source fragmentation (and avoids fragmentation by [6] uses a (32-bit) identifier field and specifically recom- routers as in IPv4). This follows the seminal work of mends using a counter to update it, explicitly allowing Kent and Mogul [11] which mainly presented perfor- either a per-destination or a global IP-ID counter. mance and reliability concerns. However, avoiding frag- An attacker can usually learn the value of a global IP- mentation is not trivial.
Load more

Recommended publications
  • Many Slides Borrowed from Ben Zhao, Christo Wilson, & Others
    12. Network Attacks Blase Ur and David Cash (many slides borrowed from Ben Zhao, Christo Wilson, & others) February 7th, 2020 CMSC 23200 / 33250 Network threat model • Network scanning • Attacks on confidentiality (e.g., eavesdropping) • Attacks on integrity (e.g., spoofing, packet injection) • Attacks on availability (e.g., denial of service (DoS)) Scanning and observing networks Network Scanning: Ping • Essential, low-level network utility • Sends a “ping” ICMP message to a host on the internet $ ping 66.66.0.255 PING 66.66.0.255 (66.66.0.255) 56(84) bytes of data. 64 bytes from 66.66.0.255: icmp_seq=1 ttl=58 time=41.2 ms • Destination host is supposed to respond with a “pong” – Indicating that it can receive packets • By default, ping messages are 56 bytes long (+ some header bytes) – Maximum size 65535 bytes • What if you send a ping that is >65535 bytes long? Ping of Death • $ ping –s 65535 66.66.0.255 – Attack identified in 1997 – IPv6 version identified/fixed in 2013 Network Scanning: Traceroute • traceroute — hops between me and host – Sends repeated ICMP reqs w/ increasing TTL Port Scanning • What services are running on a server? Nmap • 5 seconds to scan a single machine!! SYN scan Only send SYN Responses: • SYN-ACK — port open • RST — port closed • Nothing — filtered (e.g., firewall) Port Scanning on Steroids • How do you speed up scans for all IPv4? – Don’t wait for responses; pipeline – Parallelize: divide & conquer IPv4 ranges – Randomize permutations w/o collisions • Result: the zmap tool – Scan all of IPv4 in 45mins (w/ GigE cxn) – IPv4 in 5 mins w/ 10GigE Eavesdropping Tools: Wireshark, tcpdump, Bro, … Steps: 1.
    [Show full text]
  • Ip Fragmentation
    NETWORKING CASE STUDY IN STEM EDUCATION - IP FRAGMENTATION M. Mikac1, M. Horvatić2, V. Mikac2 1Inter-biz, Informatic Services (CROATIA) 2University North (CROATIA) Abstract In the last decade, or even longer, computer networking has been a field that cannot be overseen in technical and STEM education. While technological development and affordable prices brought powerful network devices to the end-user, all the networking principles are still based (and probably will remain so) on old protocols developed back in the ‘60s and the ‘70s of the twentieth century. Therefore, it can be expected that understanding the basics of networking principles is something that future engineers should be familiar with. The global network of today, the Internet, is based on a TCP/IP stack of protocols. That is the fact that is not to be changed - the most important change that seems to be predictable will be wider acceptance and usage of a newer version of Internet Protocol (IP) - IPv6 increases its adoption in the global network but it is still under 30%. Even though different modifications of certain transport (TCP, UDP) and network (IP) protocols appeared, essentially the basics are still based on old protocols and most of the network traffic is still using the good old TCP/IP stack. In order to explain the basic functional principles of today’s networks, different kinds of case studies in real-networks or emulated environments can be introduced to students. Among those, one of the case studies we use in our education is related to explaining, the so-called, IP fragmentation - the process that sometimes "automagically" appears in IP network protocol-based networks when certain constraints are met.
    [Show full text]
  • WHITE PAPER Distributed Denial of Service
    WHITE PAPER Distributed Denial of Service DDoS Attack Testing and Verification Solutions OVERVIEW “Xena recreates complex First seen around 2000, Distributed Denial-of-Service (DDoS) attacks are a serious traffic so client and server threat to businesses around the world. Attackers use multiple hosts to swamp targets with bogus traffic, paralyzing the network and potentially costing the victims millions of communicate in exactly dollars. There are many security systems for preventing DDoS attacks – and they all need to be thoroughly tested and verified prior to being activated. the same order as the Xena offers a complete test solution for DDoS mitigation and network security with captured traffic to ensure high-performance products and ample features. Going beyond generating DDoS traffic, Xena’s solutions can help companies test their security products and operators test realistic network scenarios networks and detect flaws, thereby ensuring business continuity and preserve business for the DUT”. integrity. WHITE PAPER Xena Networks – Global Price/Performance Leaders in Gigabit Ethernet Testing – www.xenanetworks.com Distributed Denial of Service DDoS Attack Testing and Verification Solutions Contents INTRODUCTION ................................................................................................................... 3 DDOS Attacks and Business Disruption ........................................................................... 4 Understanding Different DDoS Attacks ..........................................................................
    [Show full text]
  • DNS Threats November, 2015
    DNS Threats November, 2015 This document contains brief descriptions of a number of potential DNS threats. Direct DNS amplification Direct DNS amplification attacks are aimed at congesting DNS server outbound bandwidth. They start by sending a large number of DNS queries, specially crafted so that they result in a very large response that can reach up to 70 times the size of the request. Since DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to cause the DNS server to generate a much larger volume, resulting in congestion of the DNS server’s upload and eventually a denial of service (DoS). Reflection Reflection attacks use a third-party DNS server (typically an open recursive name server) in the Internet to propagate a DoS or DDoS attack by sending queries to the recursive server. Recursive servers will process queries from any IP address, and they return responses. The attack spoofs the DNS queries it sends by including the victim’s IP address as the source IP in the query, so that the query has the victim’s server information rather than the attacker’s. So when the recursive name server receives the requests, it sends all the responses to the victim’s IP address. A high volume of such “reflected” traffic can bring down the victim’s site. Distributed reflection DoS Distributed reflection DoS (DrDoS) attacks combine reflection with amplification that significantly increases the size of the response to the initial queries—and the likelihood that the victim’s server will be overwhelmed.
    [Show full text]
  • Cyber Attacks Explained: Dos and Ddos
    CYBER ATTACKS EXPLAINED: DOS AND DDOS With this article, we begin a new series on the major kinds of cyber attacks that weaken the IT security infrastructure within organisations. With the rapid spread of Internet technologies and applications, the number of those seeking to break into systems is also increasing — usually to gain fame, money, or to damage the target’s reputation. The first to be covered in this series is the Denial of Service attack (DoS) and the distributed version (DDoS). We will learn how these attacks work technically, and discuss ways to stop them at the network entry point. The fundamental technique behind a DoS attack is to make the target system busy. In a computer server, when a network packet is being received, all components (right from the network interface card or NIC to the application running under the OS) are participating to ensure successful delivery of that packet. The NIC must monitor the Ethernet frames meant for it, align data and pass it to the network card driver, which then adds its own intelligence and passes it to the OS, which takes it to the application. Each component involved can exhibit some form of vulnerability, and DoS attacks are devised to exploit one or more of these, to penetrate into the system. Let’s now understand the basics of the TCP/IP protocol, which uses a handshake between the sender and receiver. Figure 1 shows how a healthy TCP handshake takes place, and how a SYN flood attack compares with it. Figure 1: A healthy TCP handshake When the sender wants to communicate, it sends a SYN packet with its own IP address as the source, and the receiver’s IP address as the destination.
    [Show full text]
  • Cisco − IP Fragmentation and PMTUD Cisco − IP Fragmentation and PMTUD Table of Contents
    Cisco − IP Fragmentation and PMTUD Cisco − IP Fragmentation and PMTUD Table of Contents IP Fragmentation and PMTUD.........................................................................................................................1 Introduction..............................................................................................................................................1 IP Fragmentation and Reassembly...........................................................................................................1 Issues with IP Fragmentation............................................................................................................3 Avoiding IP Fragmentation: What TCP MSS Does and How It Works...........................................4 Problems with PMTUD.....................................................................................................................6 Common Network Topologies that Need PMTUD...........................................................................9 What Is PMTUD?..................................................................................................................................11 What Is a Tunnel?..................................................................................................................................11 Considerations Regarding Tunnel Interfaces..................................................................................12 The Router as a PMTUD Participant at the Endpoint of a Tunnel..................................................13
    [Show full text]
  • (DOS) Testing Ixchariot
    TEST PLAN Denial of Service (DOS) Testing IxChariot www.ixiacom.com 915-6681-01, 2005 Contents Overview of Denial of Service functionality in IxChariot..................................3 A brief outline of the DoS attack types supported in IxChariot...................... 4 Test Case 1: Ping Attack on Oracle Traffic........................................................5 Test Case : VoIP and TCP SYN Attacks...........................................................8 Copyright © 2005 Ixia. All rights reserved. The information in this document is furnished for Ixia informational use only, is subject to change 6601 W. Agoura Road without notice, and should not be construed as a commitment by Ixia. Ixia assumes no Calabasas, CA 9130 responsibility or liability for any errors or Phone: (818) 871-1800 inaccuracies that may appear in this document. Ixia and the Ixia logo are trademarks of Ixia. All Fax: (818) 871-1805 other companies, product names, and logos are Email: [email protected] trademarks or registered trademarks of their respective holders. Internet: www.ixiacom.com Copyright © Ixia, 005 Denial of Service (DOS) Testing: Sample Test Plans Denial of Service (DOS) Testing: Sample Test Plans Denial of Service (DoS) attacks are a reality for most organizations with connections to the public Internet. In order to protect yourselves from the potential hazards of network hackers and malicious coders, a set of devices and software- based tools such as DUTs, intrusion detection systems (IDS), remote access solutions (VPN) and sophisticated routers and L4-7 application switches have been developed to effectively block malicious traffic and protect the organization’s data and information infrastructure. Leveraging the advanced functionality of Ixia hardware, IxChariot is now capable of generating line-rate traffic that emulates common DoS attack types while at the same time generating and measuring the performance of application traffic (VoIP, Internet, enterprise) that is being sent over the network.
    [Show full text]
  • Dos Attack Prevention Using Rule-Based Sniffing Technique and Firewall in Cloud Computing
    125 E3S W eb of C onferences , 21004 (2019) https://doi.org/10.1051/e3sconf/201912521004 ICENIS 2019 DoS Attack Prevention Using Rule-Based Sniffing Technique and Firewall in Cloud Computing Kagiraneza Alexis Fidele1,2*, and Agus Hartanto2 1 Data Entry and Update Taxpayer’s Registry in Rwanda Revenue Authority (RRA) Kigali-Rwanda 2 Master of Information System, School of Postgraduate Studies Diponegoro University, Semarang – Indonesia Abstract. Nowadays, we are entering an era where the internet has become a necessary infrastructure and support that can be applied as a means of regular communication and data service. In these services, cloud- based on servers has an essential role as it can serve numerous types of devices that are interconnected with several protocols. Unfortunately, internet cloud servers become the main target of attacks such as Denial of Service (DoS), Distributed Denial of Service (DDoS). These attacks have illegal access that could interfere in service functions. Sniffing techniques are typically practiced by hackers and crackers to tap data that passes through the internet network. In this paper, sniffing technique aims to identify packets that are moving across the network. This technique will distinguish packet on the routers or bridges through a sniffer tool known as snort connected to a database containing the attack pattern. If the sniffing system encounters strange patterns and recognizes them as attacks, it will notify to the firewall to separate the attacker's original Internet Protocol (IP) address. Then, communication from the attacker's host to the target will be discontinued. Consequently, the identified attack activity will stop working, and the service will proceed to run.
    [Show full text]
  • ASF Series Ddos Mitigation Datasheet
    ASF Application DDoS Mitigation DATASEET ASF Series Application Security Firewall provides enterprise-grade application DDoS (Distributed Denial of Service) mitigation solution, which helps defend critical business applications in the enterprise data center from DDoS attacks and other threats. Array Networks ASF Series employ the sophisticated 64-bit SpeedCore™ multi-core processing architecture, providing comprehensive and accurate DoS andDDoSattack detection and mitigation for business-critical applications. The ASF Series provide granularattack mitigation controland improve attack detectionaccuracy and minimize false positives with the traffic baseline learning feature, dynamic refreshingof defense profile based on the learned traffic baseline, and the client source verification function. Product Function Description Combination of Detection and Cleaning ASF Series provides a high-performance DDoS engine, which can accurately detect and identify Layer 3 to Layer 7 DDoS attacks and DoS attacks with the help of session tracking and source verification mechanisms. After detecting DDoS attacks, ASF Series will generate and execute automatic blacklist to quickly clean the malicious traffic in the mixed traffic for the defense objects. In addition, ASF Series allows attack detection and traffic cleaning to be deployed together or separately. Enterprise-grade DDoS Mitigation ASF Series provide Layer 3 to Layer 7 DDoS mitigation, capable of mitigating volumetric DDoS attacks, protocol-based DDoS attacks, and application layer attacks with latency of microseconds. ASF Series supports providing granular and unique DDoS mitigation for different applications using DDoS profiles. Once defense objects are created, automatic DDoS profiles will provide the default DDoS mitigation for them. The traffic baseline learning function then allows the appliance to learn the traffic baseline of the applications and thus dynamic refresh the defense parameters for the automatic profiles.
    [Show full text]
  • RFC 8900: IP Fragmentation Considered Fragile
    Stream: Internet Engineering Task Force (IETF) RFC: 8900 BCP: 230 Category: Best Current Practice Published: September 2020 ISSN: 2070-1721 Authors: R. Bonica F. Baker G. Huston R. Hinden O. Troan F. Gont Juniper Networks Una�liated APNIC Check Point Software Cisco SI6 Networks RFC 8900 IP Fragmentation Considered Fragile Abstract This document describes IP fragmentation and explains how it introduces fragility to Internet communication. This document also proposes alternatives to IP fragmentation and provides recommendations for developers and network operators. Status of This Memo This memo documents an Internet Best Current Practice. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8900. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
    [Show full text]
  • 07-Fragmentation+Ipv6+NAT Posted.Pptx
    IP Fragmentation & Reassembly Network links have MTU (maximum transmission unit) – the largest possible link-level frame Computer Networks • different link types, different MTUs • not including frame header/trailer fragmentation: • in: one large datagram but including any and all headers out: 3 smaller datagrams above the link layer Large IP datagrams are split up reassembly Lecture 7: IP Fragmentation, (“fragmented”) in the network IPv6, NAT • each with its own IP header • fragments are “reassembled” only at final destination (why?) • IP header bits used to identify and order related fragments IPv4 Packet Header Format IP Fragmentation and Reassembly 4 bits 4 bits 8 bits 16 bits Example: 4000-byte datagram unique per datagram hdr len Type of Service MTU = 1500 bytes usually IPv4 version per source (bytes) (TOS) Total length (bytes) 3-bit One large datagram length ID IP fragmentation use Identification 13-bit Fragment Offset fragflag offset flags becomes several =4000 =x =0 =0 upper layer protocol 20-byte to deliver payload to, Time to Protocol Header Checksum Header smaller datagrams e.g., ICMP (1), UDP (17), Live (TTL) 1480 bytes in offset = TCP (6) • all but the last fragments data field 1480/8 Source IP Address must be in multiple of 8 length ID fragflag offset Destination IP Address bytes =1500 =x =MF =0 e.g. timestamp, • offsets are specified in record route, Options (if any) length ID fragflag offset source route unit of 8-byte chunks =1500 =x =MF =185 • IP header = 20 bytes (1 Payload (e.g., TCP/UDP packet, max size?) length ID fragflag offset
    [Show full text]
  • TCP/IP Illustrated TCP/IP Illustrated, Volume 1 the Protocols W
    TCP/IP Illustrated TCP/IP Illustrated, Volume 1 The Protocols W. Richard Stevens Contents Preface Chapter 1. Introduction 1.1 Introduction 1.2 Layering 1.3 TCP/IP Layering 1.4 Internet Addresses 1.5 The Domain Name System 1.6 Encapsulation 1.7 Demultiplexing 1.8 Client-Server Model 1.9 Port Numbers 1.10 Standardization Process 1.11 RFCs 1.12 Standard, Simple Services 1.13 The Internet 1.14 Implementations 1.15 Application Programming Interfaces 1.16 Test Network 1.17 Summary Chapter 2. Link Layer 2.1 Introduction 2.2 Ethernet and IEEE 802 Encapsulation 2.3 Trailer Encapsulation 2.4 SLIP: Serial Line IP 2.5 Compressed SLIP file:///F|/USER/DonahuJ/tcpip/tcpip_ill/index.htm (1 of 9) [1/23/2002 10:11:12 AM] TCP/IP Illustrated 2.6 PPP: Point-to-Point Protocol 2.7 Loopback Interface 2.8 MTU 2.9 Path MTU 2.10 Serial Line Throughput Calculations 2.11 Summary Chapter 3. IP: Internet Protocol 3.1 Introduction 3.2 IP Header 3.3 IP Routing 3.4 Subnet Addressing 3.5 Subnet Mask 3.6 Special Case IP Address 3.7 A Subnet Example 3.8 ifconfig Command 3.9 netstat Command 3.10 IP Futures 3.11 Summary Chapter 4. ARP: Address Resolution Protocol 4.1 Introduction 4.2 An Example 4.3 ARP Cache 4.4 ARP Packet Format 4.5 ARP Examples 4.6 Proxy ARP 4.7 Gratuitous ARP 4.8 arp Command 4.9 Summary Chapter 5. RARP: Reverse Address Resolution Protocol 5.1 Introduction 5.2 RARP Packet Format 5.3 RARP Examples 5.4 RARP Server design 5.5 Summary Chapter 6.
    [Show full text]