Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



User Datagram Protocol (UDP)

Sitting above the IP layer is a connectionless protocol known as UDP. Why does UDP exist? Programmers could write directly to the IP layer for network applications but that would not provide enough granularity and control. Several applications communicating simultaneously with the IP layer would need to coordinate in order to ensure the proper processing of incoming packets. To add another layer of abstraction, UDP was created.

A UDP packet contains a source and destination address like IP but also adds a new abstraction called the port. A port is a 16-bit number for a conceptual communication endpoint much like the ports on the back of your computer. Each port is uniquely addressable by the UDP layer. The port and IP address together form a socket address. The socket address can be used to uniquely communicate with a particular application running on the tip of UDP/IP.

Ports are integers that range from 0 to 65535. As a convention in UNIX, ports from 0–1,024 are reserved for privileged processes. Most UNIX implementations honor this guideline, but ready access to network source code or PC computers means this assumption will not always be met. Reserved ports were used as a simple form of access control for network applications. A user communicating to a program running on a privileged or reserved port on another system might feel secure that the program was not a Trojan Horse planted by a nonprivileged user. However, this is no longer guaranteed to be true in today’s world.

Because UDP is connectionless, it operates by dropping packets on the IP layer. UDP also lacks reliable message delivery, flow control, and error recovery. Applications running at layers above UDP must provide these services. Because UDP does not incur any overhead for setting up and tearing down a virtual connection, it is faster. Unfortunately, these same features make UDP easy to spoof.

Port Security

As a convention, port numbers 0–1,023 are reserved for privileged processes. In most operating systems, only privileged processes may open a connection on one of these reserved ports. As in the case of IP address impersonation, access to PCs with TCP/IP is sufficient for circumventing this tradition. The consequence is that no application should assume the other half of a connection is trustworthy simply because the other port in use is in the reserved range. This practice is no different from trusting an IP address.

UDP Security Concerns

The biggest security concern for UDP is address impersonation. Because all of the flow control and resiliency for UDP traffic must be supplied by the application running above UDP in the stack, it is fairly easy to spoof UDP-based applications. Few firewall administrators will permit UDP packets into the secure network when they arrive from the untrusted Internet.

Transmission Control Protocol (TCP)

A connection-oriented communications session layer is provided by TCP layered over IP. TCP provides for reliable message delivery and retransmits lost or damaged packets. Sequence numbers are included in the protocol to facilitate reassembly of fragmented packets. Thus, applications written to use TCP/IP do not need to worry about packets delivered out of order nor packets that are broken into fragments. TCP/IP handles these issues before delivering the datagram to the application layer.

The session between the communicating endpoints is maintained as a virtual connection. Although the network packets may take different routes depending on network congestion, the peer applications communicating over TCP/IP are given the appearance of having a persistent network connection. The endpoints of the session are identified by socket addresses as in UDP. However, the TCP connection is uniquely recognized based on the 4-tuple formed by source IP address, source port, destination IP address, and destination port. This capability simplifies programming for servers that must handle multiple concurrent client-server sessions.

TCP guarantees in-order delivery for packets. This type of delivery is accomplished through the use of sequence numbers in the packets. Both sides of the connection choose a separate, initial sequence number to be used during packet exchanges. Successive packets carry increasing values of the sequence number.

TCP differs from UDP in a fundamental way. A UDP packet is characterized by the socket upon which it communicates. A socket address consists of the combination of an IP address with a specific port number. The TCP connection is uniquely identified by a pair of socket addresses. The 4-tuple of source address, source port, destination address, and destination port uniquely identifies the TCP/IP session.
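As an added illustration (not code from the book), the following Python parses constructed UDP and TCP headers, derives the socket addresses and the connection 4-tuple described above, and shows how a receiver uses sequence numbers to put a connection's segments back in order regardless of arrival order. The helper names and sample addresses are my own assumptions.

```python
import struct

def parse_udp(src_ip, dst_ip, datagram):
    """UDP header is 8 bytes: source port, destination port, length, checksum.
    Returns the two socket addresses (IP, port) and the payload."""
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return (src_ip, sport), (dst_ip, dport), datagram[8:length]

def build_udp(sport, dport, payload):
    """Build a minimal UDP datagram (checksum left zero for this constructed sample)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_tcp(src_ip, dst_ip, segment):
    """Fixed 20-byte TCP header. Returns the 4-tuple that identifies the connection,
    the segment's sequence number, and the payload that follows the header."""
    sport, dport, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    return (src_ip, sport, dst_ip, dport), seq, segment[header_len:]

def build_tcp(sport, dport, seq, payload):
    """Build a minimal TCP segment: no options (offset 5), flags cleared, checksum zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, 5 << 12, 8192, 0, 0) + payload

def demux(src_ip, dst_ip, segments):
    """Group segments by 4-tuple, then join each connection's payload in sequence order.
    Two connections from the same host differ only in source port, so a server can
    tell them apart; a source port in the reserved range is keyed like any other and
    carries no trust. (Sequence-number wraparound at 2**32 is ignored here.)"""
    conns = {}
    for seg in segments:
        key, seq, payload = parse_tcp(src_ip, dst_ip, seg)
        conns.setdefault(key, []).append((seq, payload))
    return {key: b"".join(p for _, p in sorted(parts)) for key, parts in conns.items()}

# Constructed sample: client 10.0.0.2 talking to a server on port 80 at 10.0.0.1.
SAMPLE = [
    build_tcp(1023, 80, 1005, b"world"),   # arrives first, but is the second segment
    build_tcp(1023, 80, 1000, b"hello"),
    build_tcp(40000, 80, 7000, b"other"),  # same hosts, new source port: a separate connection
]

if __name__ == "__main__":
    for key, data in demux("10.0.0.2", "10.0.0.1", SAMPLE).items():
        print(key, data)
```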

TCP/IP Security Concerns

Because much of the Internet traffic runs on the TCP/IP layers, you need to understand security problems with TCP. The next few sections describe popular attacks.

Address Impersonation

As with both IP and UDP, address impersonation is a threat to applications running on the TCP protocol. TCP is slightly more difficult to impersonate than UDP because TCP provides flow control and reliable delivery and consequently contains facilities in the protocol to detect anomalous conditions. TCP packets contain a sequence number that makes address impersonation a little harder.

