How to Cheat at Securing Windows 2000 TCP/IP
guarantee delivery. IP does not try to detect or recover from lost, out-of-sequence, delayed, or
duplicated packets. IP is the foundation of the TCP/IP protocol suite.
The Three-Way Handshake
Computers using TCP to communicate have both a send window and a receive window. At
the beginning of a TCP communication, the protocol uses a three-way handshake to
establish the session between the two computers. Because TCP (unlike its Transport layer
sibling, UDP) is connection oriented, a session, or direct one-to-one communication link,
must be created before any data is sent or received. The client computer initiates the
communication with the server (the computer whose resources it wants to access). The
handshake includes the following steps:
1. Sending of a SYN (synchronization request) segment by the client machine. The
client generates an initial sequence number, often just referred to as the ISN, and
sends it to the server in the segment's sequence number field, along with the port
number of the service it wants to connect to on the server.
2. Sending of a single segment with both the SYN and ACK flags set (a SYN-ACK)
back to the client from the server. Its acknowledgment number is the client's original
ISN plus 1, and its sequence number is the server's own ISN, an unrelated number
generated by the server itself. The ACK acknowledges the client's SYN request, and the
server's SYN indicates the intent to establish a session with the client. In this way the
client and server machines synchronize one another's sequence numbers.
3. Sending of an ACK from the client back to the server, acknowledging the
server's request for synchronization. The acknowledgment number in this ACK is, as
you might have guessed, the server's ISN plus 1. When both machines have acknowledged
each other's requests by returning ACK messages, the handshake has been
successfully completed and a connection is established between the two.
Each side's ISN should be unpredictable. A third party that can guess the server's ISN
can complete step 3 on behalf of a forged client address without ever seeing the SYN-ACK,
which is why the ISN is treated as a security value and not just a counter.
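The three steps above, carried out between a client and a server state machine that encode real 20-byte TCP headers, as an added example that is not part of the original text. The port numbers, the ISNs and the two classes are constructed for illustration and nothing is sent on a network; the point is the acknowledgment-number checks each side performs, and what happens when a peer that never saw the SYN-ACK tries to finish the handshake.

```python
import secrets
import struct

# Constructed example: TCP three-way handshake over real header encoding.
SYN, ACK = 0x02, 0x10          # flag bits in the header's data-offset/flags word
MASK32 = 0xFFFFFFFF


def add32(a, b):
    """Sequence-number arithmetic wraps modulo 2**32."""
    return (a + b) & MASK32


def build_segment(src_port, dst_port, seq, ack, flags, window=65535):
    """Encode a TCP header (RFC 793 layout, no options). The checksum is left at zero
    because it covers an IP pseudo-header and this example stops at the TCP layer."""
    offset_flags = (5 << 12) | flags   # data offset = 5 32-bit words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_segment(data):
    src, dst, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": offset_flags & 0x3F}


class Client:
    """Client side: CLOSED -> SYN_SENT -> ESTABLISHED."""
    def __init__(self, port, server_port):
        self.port, self.server_port = port, server_port
        self.isn = secrets.randbits(32)        # unpredictable ISN
        self.server_isn = None
        self.state = "CLOSED"

    def syn(self):                             # step 1
        self.state = "SYN_SENT"
        return build_segment(self.port, self.server_port, self.isn, 0, SYN)

    def on_synack(self, data):                 # step 2 received, step 3 sent
        seg = parse_segment(data)
        # The server must acknowledge exactly our ISN + 1.
        if seg["flags"] != SYN | ACK or seg["ack"] != add32(self.isn, 1):
            raise ValueError("unexpected segment in SYN_SENT")
        self.server_isn = seg["seq"]
        self.state = "ESTABLISHED"
        # Our SYN consumed one sequence number; acknowledge the server's ISN + 1.
        return build_segment(self.port, self.server_port, add32(self.isn, 1),
                             add32(self.server_isn, 1), ACK)


class Server:
    """Server side: LISTEN -> SYN_RECEIVED (per client) -> ESTABLISHED."""
    def __init__(self, port):
        self.port = port
        self.pending = {}          # client port -> (client ISN, server ISN)
        self.established = set()

    def on_syn(self, data):                    # step 1 received, step 2 sent
        seg = parse_segment(data)
        if seg["flags"] != SYN or seg["dst"] != self.port:
            return None            # not a connection request for this port; discard
        isn = secrets.randbits(32)
        self.pending[seg["src"]] = (seg["seq"], isn)
        return build_segment(self.port, seg["src"], isn, add32(seg["seq"], 1), SYN | ACK)

    def on_ack(self, data):                    # step 3 received
        seg = parse_segment(data)
        entry = self.pending.get(seg["src"])
        if entry is None or seg["flags"] != ACK:
            return False
        client_isn, server_isn = entry
        # The check that gives the handshake its value: the third segment must carry
        # our ISN + 1. A peer that never saw the SYN-ACK can only supply it by guessing.
        if seg["ack"] != add32(server_isn, 1) or seg["seq"] != add32(client_isn, 1):
            return False
        del self.pending[seg["src"]]
        self.established.add(seg["src"])
        return True


def handshake(client_port=49152, server_port=80):
    """Run all three steps; True when both sides reach ESTABLISHED."""
    client, server = Client(client_port, server_port), Server(server_port)
    synack = server.on_syn(client.syn())
    done = server.on_ack(client.on_synack(synack))
    return done and client.state == "ESTABLISHED"


def forged_ack_rejected(client_port=49152, server_port=80):
    """A third party that saw the SYN but not the SYN-ACK guesses the server ISN
    (here deliberately off by one) and is refused; the server stays in SYN_RECEIVED."""
    client, server = Client(client_port, server_port), Server(server_port)
    server.on_syn(client.syn())
    _, server_isn = server.pending[client_port]
    forged = build_segment(client_port, server_port, add32(client.isn, 1),
                           add32(server_isn, 2), ACK)
    return not server.on_ack(forged) and client_port in server.pending


if __name__ == "__main__":
    print("handshake completed:", handshake())
    print("forged final ACK rejected:", forged_ack_rejected())
```

The server keeps per-client state from step 2 until step 3 arrives, which is exactly the half-open state that a flood of SYNs without final ACKs exhausts; the dictionary here has no limit, a real stack needs one.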
NOTE
Packets are often referred to as datagrams at this level. These datagrams carry the
source and destination IP addresses; at a lower layer the next-hop address (the destination
itself if it is on the local network, otherwise the gateway's address) is resolved to a
MAC (physical) address.
IP receives TCP segments (or UDP datagrams for connectionless communications such as
broadcasts) and then passes them down to the Network Interface layer. Before handing them down,
however, IP performs an important function: it looks at the destination IP address on the packet
and then consults its local routing table to determine what to do with the packet. It can pass the
data to the network card (or, if it is a multihomed system, determine which of the attached
network cards to pass it to), or it can discard it. When a Windows 2000 computer starts, the
routing table is constructed. Certain entries, such as the routes for the loopback address, the
local network, and the default gateway (if configured in TCP/IP properties), are added
automatically. Other routes can be added by ICMP Redirect messages from the gateway, by dynamic
routing protocols (RIP or OSPF), or manually with the route command at the command prompt
(route print displays the table, route add creates an entry).
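The lookup IP performs against that table, as an added example that is not from the original text. The routing table below is constructed in the shape of Windows 2000's route print output (Network Destination, Netmask, Gateway, Interface, Metric) with invented addresses; it includes the automatic loopback, local-network and default-gateway entries, a second network card to show the multihomed case, and one entry of the kind route add creates. The example goes slightly beyond the text by spelling out the rule the table implies: the most specific matching entry wins, and a gateway equal to the interface address means the destination is on-link.

```python
import ipaddress

# Constructed routing table, Windows 2000 "route print" layout. Addresses are invented.
# Gateway == Interface means "on-link": hand the packet to that card and use the
# destination itself as the next hop; otherwise the gateway is the next hop.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",  "192.168.1.10", 1),  # default gateway
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",    "127.0.0.1",    1),  # loopback
    ("192.168.1.0", "255.255.255.0", "192.168.1.10", "192.168.1.10", 1),  # local network, NIC 1
    ("10.0.0.0",    "255.0.0.0",     "10.0.0.5",     "10.0.0.5",     1),  # local network, NIC 2
    ("172.16.0.0",  "255.240.0.0",   "10.0.0.254",   "10.0.0.5",     1),  # added with: route add
]


def lookup(destination, routes=ROUTES):
    """Longest-prefix match with the metric as tie-break.
    Returns (interface, next_hop), or None when the packet is to be discarded."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for net, mask, gateway, iface, metric in routes:
        network = ipaddress.IPv4Network((net, mask))
        if dst not in network:
            continue
        key = (network.prefixlen, -metric)      # longer prefix, then lower metric
        if best is None or key > best[0]:
            best = (key, gateway, iface)
    if best is None:
        return None                             # no route at all: discard
    _, gateway, iface = best
    next_hop = str(dst) if gateway == iface else gateway
    return iface, next_hop


def route_all(destinations, routes=ROUTES):
    """Decision for each destination, as the IP layer would make it."""
    return {d: lookup(d, routes) for d in destinations}


if __name__ == "__main__":
    samples = ["127.0.0.1", "192.168.1.20", "10.1.2.3", "172.16.5.5", "8.8.8.8"]
    for d, r in route_all(samples).items():
        print(d, "->", "discard" if r is None else f"interface {r[0]}, next hop {r[1]}")
    # Without a default gateway, anything that is not on-link is discarded.
    no_default = [r for r in ROUTES if r[0] != "0.0.0.0"]
    print("8.8.8.8 with no default route ->", lookup("8.8.8.8", no_default))
```

Reading the output against the table shows why the order of entries does not matter but the mask does: 172.16.5.5 also matches the default route, yet the /12 entry wins and sends it out the second card via 10.0.0.254.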
ARP
The Address Resolution Protocol resolves IP addresses to Media Access Control (MAC)
addresses. MAC addresses are unique IDs that are assigned to network interface devices. After
checking its ARP cache, ARP broadcasts a query that contains the IP address of the destination
host, and the host that owns that address replies with its MAC address. When the request is
answered, both the
Copyright 2003 by Syngress Publishing, All rights reserved 10