Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98


Closely related to IP is the Internet Control Message Protocol (ICMP). More than two dozen different ICMP message types are available to assist with network communications. Examples include messages for testing whether a network address is alive, returning notifications of error conditions, and querying IP configuration settings at a particular node. From a security perspective, arbitrary ICMP messages should not be allowed through the firewall if they specify explicit destination network addresses found in your private network. One of the most important security guidelines for attaching your private network to the Internet is that any information about your private network is useful to a hacker. Therefore, you should practice information hiding as much as possible. Because ICMP messages can be used to explore your private network, be careful about what you allow into your private network. As you will see, a firewall can provide a solution for this and related problems.

Each IP packet contains a header portion and a data portion. The important values are the source and destination address. Other values include a time to live (TTL) that controls the lifetime of the packet. The IP layer itself does not guarantee delivery of a packet, nor does it offer any assurance of error-free delivery. No flow control is included in IP itself. Clogging a system by sending it many IP packets is not difficult, and doing so constitutes a denial-of-service attack. Layers that sit on top of IP must implement techniques for handling errors, flow control, and the recovery of lost packets.

The 32-bit IP address is divided into different address classes by breaking the bits into groups. Addresses frequently are manipulated in dotted decimal notation consisting of four octets. Example addresses include 198.32.102.25, 127.0.0.1, and 9.34.10.1. The octets in the first address are 198, 32, 102, and 25. The addresses assigned and controlled by the Internet Activities Board (IAB) are organized into a hierarchy with each decimal representing a branch in the tree. The first three octets of an address usually represent different subnetworks (subnets), each with one or more network nodes attached. Depending on the address class and the number of bits allocated for the last octet, 256 or more nodes (0–255) might appear on a subnet. No particular security problems are associated with the address classes, so more details are not given here but can be found in the references.

The Internet is divided into many subset networks that are connected by gateways and routers. Although technically different, both gateways and routers are responsible for correctly forwarding packets on through the Internet until the packets reach their destinations. Each packet that travels across the Internet moves one hop at a time. That is, a routing node, such as a gateway or router, moves the packet to the next routing node until the packet finally reaches its target.

Flexibility in the addressing scheme of IP permits one to specify a broadcast address for the destination of a packet. Essentially, you are permitted to specify a wildcard for one of the octets that is interpreted to mean “send this packet to all nodes in this subnet.” For example, sending a packet to the broadcast address 198.21.54.255 would deliver it to all nodes in the subnet with a prefix of 198.21.54. The value 255 symbolizes the wildcard. A packet with a destination address of 198.21.255.255 would be delivered to even more nodes.

The multicast backbone (Mbone) is a special class of IP addresses that allows for encapsulation of many IP packets into a single packet. Standard IP unicast sends a message to a single target address. Broadcast sends the message to all addresses in a subnet. Multicast sends a message to a group of IP addresses. The Mbone can provide significant performance improvements for Internet traffic. Because the Mbone address represents several targets, it saves the network overhead that would occur by sending a single unicast packet to each address individually. This advantage is not without security implications, as you will see when you read about firewalls later in this chapter.

Probing Network Paths

At each hop, the TTL field is decremented once. If the TTL reaches the number 1, but the packet has not reached its destination, the last node holding the packet returns an ICMP message to the originating node indicating that the TTL has expired.

The traceroute application can be used to find the route that a packet will take across a network. By taking advantage of the relation between the TTL decrement and the timeout message, traceroute can find a network path. The algorithm sets TTL to 2, sends the packet to a target IP address, and receives the TTL expiration message and the IP address of the node that sent it. Because the last node to decrement the TTL and notice the expiration sends the ICMP timeout message, traceroute can map the path that the packet is hopping through to a destination IP address. By incrementing the TTL by one each time and keeping track of the IP address returned in the timeout, traceroute can construct the list of nodes in the path to the target address. When the destination node is finally reached, a different ICMP message is returned, thus completing the algorithm. The dynamic routing nature of the Internet may yield a different path each time. However, you should be able to see how traceroute helps a hacker discover interesting characteristics about your network, including its physical layout.
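The TTL-probing loop described above, simulated in Python as an added example that is not code from the book: the five-node path, the addresses and the border log are constructed, and no packets are sent. The model starts probing at TTL 1 and assumes the standard rule that the routing node which decrements the TTL to zero is the one that returns the time-exceeded message; a second function shows the same sweep from the defender's side, flagging a source whose packets arrive with TTLs rising by one.

```python
"""traceroute's TTL-probing algorithm, simulated, plus a border-side detector.
Added example (not the book's code); path, addresses and log are constructed."""

# Constructed path: originating host, three routing nodes, the target.
PATH = ["198.32.102.25", "198.32.102.1", "9.34.10.1", "9.34.20.1", "9.34.20.40"]

def forward(ttl: int, path: list[str]) -> tuple[str, str]:
    """One probe: each routing node decrements TTL; where it hits zero that node
    sends ICMP time exceeded, else the target answers. Returns (type, sender)."""
    for node in path[1:]:
        ttl -= 1
        if ttl == 0 and node != path[-1]:
            return ("time_exceeded", node)
    return ("echo_reply", path[-1])

def traceroute(path: list[str], max_hops: int = 30) -> list[str]:
    """Probe with TTL 1, 2, 3, ... recording each replier, until the target
    itself (not a routing node) answers with a different ICMP message."""
    hops = []
    for ttl in range(1, max_hops + 1):
        icmp, sender = forward(ttl, path)
        hops.append(sender)
        if icmp == "echo_reply":
            return hops
    return hops  # max_hops exhausted without reaching the target

def probing_sources(log, min_run: int = 3) -> list[tuple[str, str]]:
    """Flag (src, dst) flows whose logged TTLs rise by exactly one across
    successive packets: a traceroute sweep seen from the probed network's
    border. Ordinary traffic from one host keeps a fixed TTL."""
    ttls_by_flow: dict[tuple[str, str], list[int]] = {}
    for src, dst, ttl in log:
        ttls_by_flow.setdefault((src, dst), []).append(ttl)
    flagged = []
    for flow, ttls in ttls_by_flow.items():
        run = best = 1
        for prev, cur in zip(ttls, ttls[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(flow)
    return flagged

# Constructed border log (src, dst, TTL remaining on arrival at the border):
# a sweep from 198.32.102.25 interleaved with a session that keeps TTL 62.
BORDER_LOG = [
    ("198.32.102.25", "9.34.20.40", 1), ("203.0.113.9", "9.34.20.40", 62),
    ("198.32.102.25", "9.34.20.40", 2), ("203.0.113.9", "9.34.20.40", 62),
    ("198.32.102.25", "9.34.20.40", 3), ("198.32.102.25", "9.34.20.40", 4),
]
```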

Problems at the IP Layer

Before looking at some of the network layers above IP, take a look at the common hacks against IP. Most of these attacks succeed because of the open nature of the Internet. If packets are sent unencrypted between systems, then an adversary somewhere along the path can sniff the network and read the information contained in the packets fairly easily. Two pieces of information that must always be in the clear are the source and destination IP addresses. Otherwise, intermediate gateways and routers on the Internet could not forward packets properly.
