TCP/IP protocol details volume 1 Study Notes series 3-IP Routing

Source: Internet
Author: User
Tags ping and traceroute

TCP/IP protocol details volume 1 Study Notes series 3-IP Routing

Chapter 9 IP routing

This chapter describes the basis of the TCP/IP protocol cluster. IP routing ensures that the correct transmission path can be found for the datagram. If it cannot be found, the sender will be notified of a failure to issue the message.


The information used in the route finding process is maintained in two ways: each host maintains its own route table and prints the current route table using route print in windows ). Generally, there is only one Nic on the host, so the route table is relatively simple, including a loop back interface 127.0.0.1) and the currently used IP address. If there is no Nic, then there is only a loop back address. All the data packets sent to 127.0.0.1 and localhost are forwarded to the IP input table before they are sent to the common Ethernet driver layer at the link layer. After the data sent to the IP address is sent to the link layer, the link layer checks that the address is itself and then sends the data to the IP address input table.

For the datagram sent to another address, the selected interface is the network card, all sent to the network card. The default route is also used.

If multiple NICs are installed, you can enable the route forwarding function for the windows Server version, that is, you can use it as a router. If only one network card is installed, the forwarding function is also used. In fact, "where to come, where to go" cannot achieve the goal of "routing.

In this way, when the host receives a data report, it first checks whether it is sent to itself. If yes, it is normal communication and can be processed directly. If not, you can decide whether to directly discard the datagram or find a suitable forwarding rule from the network interface based on whether or not route forwarding is enabled.

If you decide to forward the data, it will actually involve "finding the path ". Each host and router have a route table. First, check the table items pointing to the host in the routing table to see if any entry is the destination address to be sent. If yes, it is directly sent to the host. If not, check the table items pointing to the network number to see if the network to which the host is sent has records. If it is found, it is sent to the interface that the network is going through. If none of these are found, the datagram is sent to the default route for processing by the default route. Generally, more table items are routed by default, and more information can be found to the destination. If the default route cannot be found, it is sent to its default route until the top layer. If the top-level Core Router still cannot be found, it indicates that the datagram is indeed unable to find the destination, and the router returns an ICMP message, telling the sender that the host is "Network inaccessible ", or "host inaccessible ". The specific information is determined by the vro, but most of them receive "inaccessible hosts.

These are annoying. Imagine an example in life:

I want to take a train to Lhasa and take a bus to Hangzhou Railway Station. There were no direct trains in Hangzhou before the Qinghai-Tibet line was opened to the public. :)) It is equivalent to finding the host "Lhasa" and not knowing which Railway Bureau network number it belongs ), it sends me to Xuzhou default route station ). Xuzhou station cannot be found, but it knows that the host "Lhasa" belongs to the west, maybe the network number "Zhengzhou Bureau" knows, so it sent me to "Zhengzhou ". There is no direct car in Zhengzhou, And it will send me to the closer "Xining ". Then at Xining Railway Station, I learned that the Qinghai-Tibet line is not fully connected. So I was told that "the host is not accessible", but Lhasa is not accessible.

In my life, I had to live in Hangzhou again. On the Internet, the datagram sent to "Xining" will not be sent back, And the router railway station) simply throws "I" and then notifies the Hangzhou police.

This is a process of finding the path. If you finally find it at the end of the day, of course you are all happy, then you can "clench your hand" and find the organization. The next step is unrelated to routing.

From this process, we can see the importance of route table items. If the route table information is detailed and can be found on each host, all the data packets sent to the router can be delivered smoothly, just as there are vehicles from Hangzhou station to different parts of the country. However, such requirements are unrealistic. The number of hosts on the network is infinite, just like the number of railway stations in China. To ensure that each host has a project, the router must have a large capacity to store these records, the efficiency of searching entries in this large route table is also a problem. As a result, the current router structure, each layer of routers save local routing information. Send the unhandled data packets to the default route for processing. This reduces the requirements for a single router.

Then there is the problem of creating and updating route information. Host power-on Shutdown and router power-on Shutdown are unpredictable. That is to say, the route information may be uncertain. This one-minute route is still available, in the next minute, you may not be able to shut down, crash, or be attacked ...). In this case, the routing information must be updated in time to avoid incorrect routing.

The basic routing information is generally created during system startup, such as the default routing configuration. You can use the route add command to manually add a static route. More routing information is constantly enriched in the communication process, that is, the router is "learned" by itself. This is similar to ARP. In the LAN, if you want to report data to another host, for example, from A to B. If A does not know where B is at the beginning, send an ARP request to ask where B is. B answers his MAC address after receiving the message, and the ARP daemon combines the mac ip address with the IP address of B to save it. When data is sent to B next time, you don't have to ask again. Send the data directly to the corresponding MAC address and use arp-a to check the current arp table items ). A vro is similar. if it knows that an interface can be sent, it is saved. The difference is that ARP works at the link layer and below the IP layer, and the router processes this information, which is much more complicated than the ARP daemon.

Vrouters can be "learned. Learn the route notification packet ICMP datagram from other routers ). Vro about 9 ~ Send a route notification packet once every 10 minutes. When the router receives the packet, it updates its corresponding entries. This kind of learning is passive. When a vro is started, it sends a route request message, which is also an ICMP datagram). Other vrouters will respond and reply to the route notification message, in this way, the router can actively learn the routing information on other routers.

Another way to modify route information is through ICMP redirection packets. After I was sent from the Hangzhou station to Xuzhou, Xuzhou station thought that I should be directly sent to Zhengzhou without having to take a detour, so it informed the Hangzhou station, in the future, all passengers like me will be sent directly to Zhengzhou. After receiving the message, Hangzhou will update the route information, that is, redirect.

Of course, the host must have strict requirements for receiving ICMP redirection requirements and updating route information. The four requirements for the 4.4BSD system to receive ICMP redirection are listed. I have never touched on this system, and I wrote a book a few years ago. The current network environment is more complex than that at the time. Because these links are easy to be maliciously exploited.

The content in the book says something I am interested in.

Arp and routing are used to explore the path. Arp is used for LAN, while routing is used for Wan is not strictly divided. This is generally the case ). For flexibility, the information can be modified through icmp datagram. Once it can be modified, all relevant data traffic will be redirected to other places in the future. This poses a risk that may be exploited.

The arp Protocol specifies that if an arp datagram is received from another host, the corresponding IP address and MAC address in the datagram must be used to update the saved information in the arp cache, the information sent to this IP address will be sent to the new MAC. In this way, an ICMP datagram can be constructed to forge an arp information and implement arp spoofing.

The popular arp spoofing process is as follows: Assume that A is a lan with B and C, and each has an IP address. A has full trust in B, but has limits on C, such as filtering all data from C, or limiting some ports. C is inferior to B. C feels unfair. The reason why B wants to get the same treatment is diverse. The result is the same anyway ). In this way, C began to work, and directly asked the Administrator that it would not work, so he had to secretly replace B's position.

1. First, crash B. If B is still online, arp spoofing after C is blocked.

2. Change C to B's IP address, so that A can be cheated to make A think it is B.

3. Issue a forged arp packet to associate the IP address of B with the MAC address of C.

4. all Hosts receive the arp packet and update the arp cache according to the content. Therefore, all data sent to B is now sent to C, and all hosts that receive the data sent from C are considered B. B is dead at this moment, and I don't know at all.

This deception is difficult to implement. It can only be used within the LAN. First, we need to deal with B. If B doesn't get it, it will be very difficult later. In addition, there are fewer and fewer open services targeting IP addresses, and other restrictions are generally added, making it difficult to replace B.
I know two cases of this deception: one is in a forum where some netizens say that they use this method to implement network management software and use it to shield some websites, all requests sent to the IP address of the blocked website are forwarded to other websites without using a proxy server. This is a good idea. The other is the afternoon of July 22, September 15). During a security meeting, the website is "Hacked" and the webpage cannot be opened normally. According to website Members, another host of the hosting service provider is hacked. arp spoofing is used to transfer requests to normal web pages to the hacked host. As a result, a "Attack and Defense confrontation" was implemented on the site. One continuously sent spoofing packets and transferred the access; the other continuously sent normal packets and retrieved the access. So during this period of access to the web page, a normal Web page suddenly appeared, the page turned black when refreshing, and then refreshed and normal wonders. Unfortunately, I was at work and did not see it with my own eyes.

The routing information may also be forged. The route notification information updates the route table of other routers. If a forged route notification is sent, the normal route table of the router is damaged. This implementation is relatively difficult, and the implementation of ICMP redirection is much less difficult.

Arp spoofing can only be implemented within the LAN. If you want to achieve the same purpose on the wide area network, you must combine ICMP spoofing.

Arp spoofing can be used to transfer traffic, but there are limits on the transfer. It cannot be transferred to a vro, that is, arp information cannot be different from the proxy ARP information ). In this way, even if the arp information of other hosts is refreshed to the MAC address of the vro, the data is only addressable in the LAN, that is, not sent to the vro. In this case, an ICMP spoofing message must be sent again, indicating that the MAC sent to the router is correct. After the host receives the message, it can achieve the goal. C completely replaces B. What follows is like an intruder's mood.

In this sense, any machine's Sniffer can be used to track all communication data ).

As mentioned above, I still only have an understanding of the concept and principle and a summary of these aspects. It is not enough to achieve the level of practice. Network Packet Capture is now available, but it is still early to talk about protocol analysis. It is difficult to even construct RAW Socket. If you want to use other methods, it is even more difficult.

Related Articles]

  • TCP/IP Study Notes (4)-ICMP protocol, ping and Traceroute
  • TCP/IP protocol details volume 1 Study Notes Series 2
  • Description and three parameters of TCP/IP protocol

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.