Computer Network Reading Notes-network layer, Computer Network Reading Notes

Source: Internet
Author: User


Network Layer

The network layer is responsible for best-effort forwarding of packets between different networks, forwarding each packet according to its IP address. If a packet is lost, the network layer does not retransmit it, and it does not guarantee the order in which packets arrive.

Network Device and data forwarding process

A router is a layer-3 device: it reads the network-layer address and selects a route based on it. A switch is a layer-2 device: it buffers the incoming bits, reads the MAC address from the control information of the data-link-layer frame, and forwards the frame according to that MAC address. A hub is a physical-layer device that can only forward the bit stream; its role is to amplify the signal and so extend the distance a bit stream can travel. On transmission, data passes from the application layer down to the transport layer. The transport layer divides the data handed down by the upper layer into segments and numbers them before delivering them to the network layer; the network layer adds the source and destination IP addresses to form the so-called packets and hands them to the data link layer below. The data link layer takes the upper-layer packet, adds the source and destination MAC addresses, encapsulates it as a frame, and passes it down. Finally, the physical layer converts the frame into a bit stream for transmission over the physical medium. Receiving data is the reverse of this process: each layer strips off its own header.

Note: Within the frame built at the data link layer, the source and destination IP addresses identify the start and end points of the whole path, while the MAC addresses identify the device that sends the frame and the address of the next device along the path.

Network Layer Protocol

The network layer protocols are ARP, IP, ICMP and IGMP. ARP provides a service to IP, and IP in turn provides a service to ICMP and IGMP. Although all four belong to the network layer, they also stand in an upper/lower relationship to one another, so there is still a question of which protocol serves which.

ARP Protocol

IP packets are usually sent over Ethernet. Ethernet devices do not understand 32-bit IP addresses: they deliver Ethernet frames to 48-bit Ethernet (MAC) addresses. The IP driver must therefore convert the destination IP address into the destination Ethernet address. There is a static or algorithmic mapping between the two kinds of address, and usually a table has to be consulted. The Address Resolution Protocol (ARP) is the protocol used to determine these mappings. When ARP runs, an Ethernet broadcast packet containing the wanted IP address is sent. The destination host, or another system answering on its behalf, replies with a packet containing the matching IP address and Ethernet address pair. The sender caches the mapping to avoid unnecessary ARP traffic.

We can see that our IP address (inet) is 192.168.220.132 and the local subnet mask is 255.255.255.0. We can therefore ping a host on a different network segment such as 202.200.112.200, but when we run the arp -a command we find that addresses on other segments are not resolved. When we ping 192.168.220.2 (on the same segment) and run arp -a again, we find that ARP has resolved the MAC address for 192.168.220.2. This shows that ARP resolves the MAC address of the target IP address by sending a broadcast packet; because broadcasts do not cross routers, ARP only works within the same network segment and not across segments.
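The ARP behaviour described above (a broadcast request, a unicast reply carrying the IP/MAC pair, and the fact that a host only ARPs for addresses on its own segment and otherwise ARPs for the gateway) as an added Python example; this is not code from the original notes. It builds and parses IPv4-over-Ethernet ARP frames using only the standard library and applies the same-segment rule to the page's own addresses (192.168.220.132 with mask 255.255.255.0). The gateway address 192.168.220.2 and all MAC addresses are assumed sample values.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_to_bytes(mac: str) -> bytes:
    """'00:0c:29:aa:bb:cc' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    """6 raw bytes -> 'xx:xx:xx:xx:xx:xx'."""
    return ":".join(f"{b:02x}" for b in raw)


def same_subnet(local_ip: str, netmask: str, target_ip: str) -> bool:
    """ARP is a broadcast protocol, so a host only resolves targets in its own segment."""
    net = ipaddress.IPv4Network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(target_ip) in net


def resolve_next_hop(local_ip: str, netmask: str, gateway_ip: str, dst_ip: str) -> str:
    """The IP the host must ARP for: the destination itself if on-link, else the gateway."""
    return dst_ip if same_subnet(local_ip, netmask, dst_ip) else gateway_ip


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP payload (28 bytes) for IPv4 over Ethernet.
    A request goes to the broadcast MAC; a reply is unicast to the requester."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = (mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac)
           + struct.pack("!H", ETHERTYPE_ARP))
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode a raw frame; raises ValueError on anything that is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


if __name__ == "__main__":
    # Constructed sample values (assumed): our host, the gateway, and a remote host.
    local, mask, gateway = "192.168.220.132", "255.255.255.0", "192.168.220.2"
    for dst in ("192.168.220.2", "202.200.112.200"):
        print(dst, "-> ARP for", resolve_next_hop(local, mask, gateway, dst))
    req = build_arp_frame(ARP_REQUEST, "00:0c:29:aa:bb:cc", local,
                          "00:00:00:00:00:00", gateway)
    print(parse_arp_frame(req))
```

The remote address 202.200.112.200 never appears in a request frame: the host ARPs for the gateway instead, which is why arp -a on the page shows no entry for it.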

Note:

To bind (set) an ARP cache entry manually, run the command arp -s [ip address] [mac address].

ARP Spoofing

ARP spoofing, also known as ARP poisoning or an ARP attack, is an attack technique. It can allow an attacker on the LAN to capture and even tamper with packets, and to prevent a specific computer, or all computers, from connecting to the network.

ARP spoofing works by sending forged ARP packets onto the network, in particular ones concerning the gateway. The aim is to make traffic destined for a specific IP address be delivered instead to a location chosen by the attacker. The attacker can then forward the traffic on to the real gateway (passive packet sniffing) or tamper with it before forwarding it (a man-in-the-middle attack). An attacker can also point ARP entries at non-existent MAC addresses to cause a denial of service, as the tool netcut does.

For example, suppose the gateway's IP address is 192.168.0.254 and its MAC address is 00-11-22-33-44-55; each computer on the network holds this ARP record in its ARP table. When an attacker launches the attack, a large number of forged ARP packets claim that the MAC address of 192.168.0.254 is 00-55-44-33-22-11. If a computer on the network writes the forged entry into its own ARP table and then connects to another computer through the gateway, its packets are sent to the MAC address 00-55-44-33-22-11. The attacker holding that MAC address can intercept the packets, tamper with them and forward them to the real gateway, or simply do nothing with them so that the network cannot be reached.

Simple case analysis: here is a simple case to illustrate the core steps of ARP spoofing. Assume a LAN with only three hosts, A, B and C, where C is the attacker.

The attacker listens for MAC addresses on the LAN; it can only begin spoofing after it has seen broadcast ARP requests from both hosts. Hosts A and B both broadcast ARP requests, so the attacker now knows the IP and MAC addresses of both and starts the attack. The attacker sends an ARP reply to host B with the sender IP address in the protocol header set to A's IP address and the sender MAC address set to the attacker's own. On receiving this reply, host B updates its ARP table, replacing the entry (IP_A, MAC_A) with (IP_A, MAC_C). When host B wants to send a packet to host A, it builds the link-layer header from its ARP table and sets the destination MAC address to MAC_C instead of MAC_A. When the switch receives the packet B sent to A, it forwards it to the attacker C according to the packet's destination MAC address (MAC_C). After receiving the packet, the attacker can keep a copy and forward it on to A, achieving eavesdropping. The attacker can also tamper with the data before forwarding it to A, causing further damage.

Prevention and control methods:

The most effective protection against ARP attacks is to use static ARP entries on every computer in the network. However, this is not practical in large networks, because the ARP table of every computer would then have to be updated frequently.
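Where static entries on every host are impractical, the usual complement is to watch ARP replies on the segment and alert when a known IP suddenly claims a new MAC, when a reply contradicts a pinned (arp -s style) binding, when the ARP sender MAC disagrees with the Ethernet source MAC, or when one IP is announced in a burst. The following Python is an added example in that spirit (an arpwatch-like monitor); it is not code from the original notes. The reply log is constructed for the example and reuses the gateway and MAC addresses from the illustration above; the timestamps, thresholds and the second host 192.168.0.10 are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpReply:
    """One observed ARP reply: ARP-header sender fields plus the Ethernet source MAC."""
    ts: float
    sender_ip: str
    sender_mac: str
    eth_src: str


# Constructed sample (assumed): the gateway 192.168.0.254 is first seen with its real
# MAC, then a burst of replies claims the MAC from the page's spoofing illustration,
# and one reply for another host has an Ethernet source that contradicts its ARP body.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.0.254", "00:11:22:33:44:55", "00:11:22:33:44:55"),
    ArpReply(1.0, "192.168.0.10", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01"),
    ArpReply(5.0, "192.168.0.254", "00:55:44:33:22:11", "00:55:44:33:22:11"),
    ArpReply(5.1, "192.168.0.254", "00:55:44:33:22:11", "00:55:44:33:22:11"),
    ArpReply(5.2, "192.168.0.254", "00:55:44:33:22:11", "00:55:44:33:22:11"),
    ArpReply(6.0, "192.168.0.10", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:99"),
]

# Known-good bindings, the monitoring equivalent of `arp -s` on the gateway entry.
STATIC_BINDINGS = {"192.168.0.254": "00:11:22:33:44:55"}


def analyse(replies, static_bindings=None, burst_threshold=3, burst_window=2.0):
    """Scan replies in time order and return a list of alert tuples.

    Alert kinds: header_mismatch, static_violation, mapping_changed, reply_burst.
    A static violation is reported once per (ip, mac) pair to avoid repeating itself
    for every packet of a burst; the burst itself is reported separately.
    """
    static_bindings = static_bindings or {}
    learned = {}                   # ip -> most recently announced MAC
    recent = defaultdict(list)     # ip -> timestamps of replies in the burst window
    reported_static = set()
    alerts = []
    for r in replies:
        if r.sender_mac != r.eth_src:
            alerts.append(("header_mismatch", r.sender_ip, r.eth_src, r.sender_mac))
        pinned = static_bindings.get(r.sender_ip)
        if pinned is not None and pinned != r.sender_mac:
            key = (r.sender_ip, r.sender_mac)
            if key not in reported_static:
                reported_static.add(key)
                alerts.append(("static_violation", r.sender_ip, pinned, r.sender_mac))
        prev = learned.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append(("mapping_changed", r.sender_ip, prev, r.sender_mac))
        learned[r.sender_ip] = r.sender_mac
        window = [t for t in recent[r.sender_ip] if r.ts - t <= burst_window] + [r.ts]
        recent[r.sender_ip] = window
        if len(window) == burst_threshold:
            alerts.append(("reply_burst", r.sender_ip, len(window), burst_window))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(alert)
```

The mapping_changed check is the core of tools like arpwatch and needs no prior configuration; the static_violation check is stronger but, as the notes say, only as good as the list of pinned bindings you can keep current.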

Legitimate uses:

ARP spoofing also has legitimate uses. One is to force a computer that has not yet logged on to a network to have its web requests redirected to the logon page, so that the network can only be used after logon. Some network devices or servers with failover mechanisms also use ARP spoofing to redirect traffic to the standby device when the primary device fails.
