5,000 words to work through the IP protocol

Table of Contents

01, IP address

1.1 Introduction

1.2, the composition of the IP address

1.3, IP address classification

1.4, special IP address

1.5, subnet mask

02, IP data packet composition

03, IP fragmentation analysis

04, IP fragmentation attack

In the previous article "Ethernet Packet Structure", the figure showed where the IP protocol sits in the data structure of an Ethernet frame.

The IP protocol (Internet Protocol) works at the IP layer and is one of the core protocols of the entire TCP/IP stack; the upper-layer protocols rely on the services it provides. IP is responsible for carrying a datagram from the source host to the target host, using the IP address as the unique identifier. All TCP, UDP, ICMP and IGMP data are transmitted in IP datagram format. Its characteristics are as follows:

Unreliable: IP cannot guarantee that a datagram will successfully reach its destination; it only provides best-effort delivery. If an error occurs, such as a router temporarily running out of buffers, IP has a simple error handling algorithm: discard the datagram and then send an ICMP message to the source. Any required reliability must be provided by the upper layer (such as TCP).

Connectionless: IP does not maintain any state information about successive datagrams; each datagram is processed independently of the others. This also means that IP datagrams may be received out of the order in which they were sent. If a source sends two consecutive datagrams to the same destination (first A, then B), each datagram is routed independently and may take a different route, so B may arrive before A.

01, IP address

1.1 Introduction

The most common way we meet the IP protocol in daily life is the IP address, as in the figure below.

An IP address (Internet Protocol Address) is an address format for uniformly addressing hosts on the Internet, also called a network protocol (IP protocol) address. It assigns a logical address to every network and every host on the Internet. IP addresses fall into two major categories, IPv4 and IPv6. IPv4 is still the widely used one, but the IPv4 space is almost exhausted, so the next step will inevitably be an upgrade to IPv6. Unless otherwise specified, the IP addresses referred to in this article are IPv4 addresses.

1.2, Composition of the IP address

The IP address consists of two parts:

Network part (NETWORK)

Host part (HOST)

Network ID: identifies a specific network segment; hosts with the same network ID are on the same segment and can ping each other directly.

Host ID: Indicate a specific node, that is, a specific computer number in a network.

According to the number of bits occupied by the network part, IP addresses are classified according to the following rules.

1.3, IP address classification

There are five types of IP addresses: A, B, C, D, and E. Among them, A, B, and C are commonly used IP addresses, and D and E are special addresses.

Class A: (1.0.0.0-126.0.0.0) (default subnet mask: 255.0.0.0 or 0xFF000000) The first byte is the network number and the last three bytes are the host number. The leading bit of this class of address is "0", so the network number lies between 1 and 126. Generally used for large networks.

Class B: (128.0.0.0-191.255.0.0) (default subnet mask: 255.255.0.0 or 0xFFFF0000) The first two bytes are the network number and the last two bytes are the host number. The leading bits of this class of address are "10", so the network number lies between 128 and 191. Generally used for medium-sized networks.

Class C: (192.0.0.0-223.255.255.0) (default subnet mask: 255.255.255.0 or 0xFFFFFF00) The first three bytes are the network number and the last byte is the host number. The leading bits of this class of address are "110", so the network number lies between 192 and 223. Generally used for small networks.

Class D: multicast addresses. The leading bits of this class of address are "1110", so the network number lies between 224 and 239. Generally used for multicast users.

Class E: reserved addresses. The leading bits of this class of address are "1111", so the network number lies between 240 and 255.

1.4, Special IP addresses

1. Loopback address

A network address of the form 127.x.x.x is called a loopback address (usually 127.0.0.1). The loopback address is convenient for testing local network software and for inter-process communication. Packets sent to this address are not output to the physical network but are delivered to the system's loopback interface. Packets with a loopback destination address should never appear on the network. The loopback address uses up one Class A network number.

2. Network address

The network address is mainly used to identify different networks. It does not point to a specific host or device, but identifies the collection of hosts or network devices that belong to the same network. For any IP address, setting all the host-number bits in its address structure to 0 gives the network address the host is on. For example, if a host's IP address is 134.89.32.33, it is a Class B address, and setting the last two (host number) bytes to 0 gives the network address 134.89.0.0. When a packet arrives at a network, the network's router first checks whether the packet's destination network matches the local network number. If the two do not match, the router forwards the packet according to the appropriate algorithm; if they match, the router looks up the corresponding host number and finally delivers the packet to the specified host. The network address occupies one host number under every network number in each of the three classes A, B and C.

3. Direct broadcast address

In a network, the direct broadcast address is the IP address obtained by setting all the bits of the host number to 1. The broadcast address represents all network devices in the network and can be used to send data to every device in the same network segment. For example, for the standard Class C address 202.197.15.44, the network number is the first 3 bytes and the host number is only the last byte, so setting all host-number bits to 1 gives 202.197.15.255, which is the broadcast address of this network. Like the network address described above, the direct broadcast address also takes one host number in each network that cannot be assigned to a specific host.

The network address and broadcast address structure of the three types of networks of A, B, and C are as follows:

Class A: the network address is x.0.0.0 and the broadcast address is x.255.255.255;

Class B: the network address is x.x.0.0 and the broadcast address is x.x.255.255;

Class C: the network address is x.x.x.0 and the broadcast address is x.x.x.255.

4. Restricted broadcast address

When all 32 bits of the IP address are 1, that is, "255.255.255.255", the address represents a limited (local) broadcast. It is used to send broadcast messages to all hosts on the local network. This broadcast address is, by its bit pattern, a Class E address.

5. A specific host on this network

When a user wants to communicate with a specific host within the local network, all the bytes corresponding to the network number can be set to 0 as a shorthand. For example, when a host with a Class B address sends a packet whose destination IP address is 0.0.11.32, it means the packet is to be delivered to the host with host number 11.32 in the local network. By its bit pattern this address is a Class A address.

6. The host of this network

When all 32 bits of the IP address are 0, that is, "0.0.0.0", the address means "this host on this network". It is needed when a host must communicate at start-up but does not yet know its own IP address. To obtain a valid IP address, the host sends a packet to the limited broadcast address and uses the all-zero address to identify itself. The receiver knows the sender has no IP address and sends its response in a special way. This address should not be used as a destination address. By its bit pattern it is a Class A address.

The six kinds of special IP address above cannot be assigned to any host, but the following private addresses can be assigned to many hosts at once. These hosts are of course unrelated to each other and sit in different LANs.

Address class    Address range                    Number of network numbers

Class A          10.0.0.0~10.255.255.255          1

Class B          172.16.0.0~172.31.255.255        16

Class C          192.168.0.0~192.168.255.255      256

1.5, Subnet mask

The standard IP address uses a two-level structure of network number and host number. When large numbers of individual users and small LANs connect to the Internet, even assigning each of them a Class C network wastes a great many IP addresses. Moreover, with the rapid growth in the number of Internet users, IP address allocation has become extremely tight, and assigning a network number to every physical network is no longer realistic.

Therefore an extended addressing scheme, called subnet addressing, is now widely used to save network numbers. The subnet mask divides a network into several subnets, avoiding both too many hosts in one network (congestion) and too few (wasted IP addresses). The subnet mask is "ANDed" with the IP address to separate the network address from the host address, which is used to decide whether an IP address is on the local network or on a remote network. Hosts on the Internet today essentially all support subnet addressing.

The composition of the subnet mask

Like the IP address, the subnet mask is a 32-bit binary number, and its 32 bits correspond one-to-one to the 32 bits of the IP address. If a bit of the IP address belongs to the network part, the corresponding subnet mask bit is 1; otherwise it is 0.

Note:

The number of consecutive 1s on the left represents the length of the network number, and the number of consecutive 0s on the right represents the length of the host number.

Representation method of subnet mask

1. Dotted decimal notation.

Convert from binary to decimal, and every 8 bits are separated by dots.

For example: the binary subnet mask is 11111111.11111111.11111111.00000000, which means 255.255.255.0.

2. CIDR slash notation.

IP address/n.

Example 1: 192.168.1.100/24, its subnet mask is represented as 255.255.255.0, and its binary representation is 11111111.11111111.11111111.00000000.

The relationship between subnet mask and IP address

According to the IP address and subnet mask, calculate the network address:

①. Convert the IP address and subnet mask into binary numbers.

② Do the "AND" operation between the IP address and the subnet mask in binary form.

③ Convert the result obtained into decimal system to get the network address.

For example:

IP address: 192.168.10.215

Subnet mask: 255.255.255.0

Subnetting

Note that this part is a bit convoluted and there is no need to study it in depth; there are tools to do the calculation for us. Knowing the principle and being able to use the tools proficiently is enough.

Take C subnet division as an example

Divide the network 192.168.0.0/255.255.255.0 into 4 subnets.

Analysis: to divide into 4 subnets, the subnet mask boundary must move two bits to the right, so that the first and second bits of the host part become network bits; those two bits distinguish the 4 subnets.

Because the binary numbers 0 and 1 are arranged and combined in two digits, there are only these 4 types, respectively: 00, 01, 10, 11, as shown in the figure below.

00 is subnet A

01 is subnet B

10 is subnet C

11 is subnet D

Borrowing 2 bits of the host, so the subnet mask + 2 bits, from the original 255.255.255.0 (/24) to 255.255.255.192 (/26).

Conclusion: to divide a Class C network equally into 4 subnets, move the subnet mask boundary 2 bits to the right; 2 borrowed bits give 2^2 = 4 equal subnets.

Subnetting results

Final Results:

Subnet A: network address 192.168.0.0/26, usable addresses 192.168.0.1~192.168.0.62, broadcast address 192.168.0.63.

Subnet B: network address 192.168.0.64/26, usable addresses 192.168.0.65~192.168.0.126, broadcast address 192.168.0.127.

Subnet C: network address 192.168.0.128/26, usable addresses 192.168.0.129~192.168.0.190, broadcast address 192.168.0.191.

Subnet D: network address 192.168.0.192/26, usable addresses 192.168.0.193~192.168.0.254, broadcast address 192.168.0.255.

This part just needs to be understood well. We don't need to manually calculate these in daily life. Just understand the principle and there are tools to help us calculate.
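The two procedures above (ANDing an address with its mask to get the network address, and borrowing host bits to split a /24 into 2^n equal subnets) as a worked example. This is added code, not from the original article or any tool it links to; it uses only the standard library, and the function names are my own.

```python
# Added example (not from the original article): network address by AND,
# /n -> dotted-decimal mask, and equal subnetting by borrowing host bits.
import ipaddress


def network_address(ip: str, mask: str) -> str:
    """Steps 1-3 above: convert to binary, AND, convert back."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def prefix_to_mask(prefix: int) -> str:
    """CIDR /n -> mask with n leading ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def split_subnets(network: str, prefix: int, count: int) -> list:
    """Borrow log2(count) host bits and list each subnet's network,
    first/last usable host and broadcast address."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    borrowed = count.bit_length() - 1          # 4 subnets -> 2 bits
    new_prefix = prefix + borrowed
    if new_prefix > 30:
        raise ValueError("no host bits left for usable hosts")
    base = int(ipaddress.IPv4Address(network_address(network, prefix_to_mask(prefix))))
    size = 1 << (32 - new_prefix)              # addresses per subnet
    result = []
    for i in range(count):
        net = base + i * size
        result.append({
            "network": f"{ipaddress.IPv4Address(net)}/{new_prefix}",
            "first_host": str(ipaddress.IPv4Address(net + 1)),
            "last_host": str(ipaddress.IPv4Address(net + size - 2)),
            "broadcast": str(ipaddress.IPv4Address(net + size - 1)),
        })
    return result


if __name__ == "__main__":
    print(network_address("192.168.10.215", "255.255.255.0"))   # the example above
    for s in split_subnets("192.168.0.0", 24, 4):               # the four /26 subnets
        print(s)
```

The `new_prefix > 30` check is the edge case worth remembering: a /31 or /32 has no room for a separate network and broadcast address, so the usable-host arithmetic above would go negative.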

https://www.sojson.com/convert/subnetmask.html

The calculation is the same as above.

02, IP data packet composition

From the Ethernet frame above it can be seen that the type field for the IP protocol is 0800 (hexadecimal, 0x0800).

The structure of the IP data packet is as shown in the figure below,

(1) Version: occupies 4 bits and gives the version of the IP protocol. Both communicating parties must use the same IP version. The widely used version number is 4 (IPv4). IPv6 is not covered in this article.

(2) Header length: occupies 4 bits, so the largest decimal value it can hold is 15. Note that the unit of this field is a 32-bit word (4 bytes), and the header length includes any option bytes. Therefore, when the header length field is 1111 (decimal 15), the header is 60 bytes long. When the IP header is not an integer multiple of 4 bytes, the trailing padding field is used to fill it out, so the data part always starts at a 4-byte boundary, which is convenient when implementing the protocol. The disadvantage of limiting the header to 60 bytes is that it is sometimes not enough, but this was done in the hope that users would keep overhead to a minimum. The most common header length is 20 bytes (header length field 0101), with no options. Since the Ethernet MTU is 1500 and the common IP header is 20 bytes, the maximum IP payload is 1480 bytes.

(3) Differentiated services: occupies 8 bits and is used to request better service. In the old standard this field was called Type of Service, but it was never really used. In 1998 the IETF renamed it Differentiated Services (DS). It only has an effect when differentiated services are in use. It describes the kind of service the datagram most needs, such as minimum delay, maximum throughput, maximum reliability or minimum cost, and a router forwarding the datagram can choose the most appropriate route according to its value.

(4) Total length: the length of the header plus the data, in bytes. The field is 16 bits, so the maximum datagram length is 2^16 - 1 = 65535 bytes. Every data link layer below IP has its own frame format, including a maximum length for the frame's data field, called the Maximum Transfer Unit (MTU). When a datagram is encapsulated in a link-layer frame, its total length (header plus data) must not exceed the MTU of that link layer. For Ethernet the data length is 46~1500 bytes; as explained in the previous article "Ethernet Header Data", Ethernet requires a minimum of 46 bytes.

(5) Identification: occupies 16 bits. The IP software keeps a counter in memory; each time a datagram is generated the counter is incremented by 1 and its value is placed in the identification field. This "identification" is not a sequence number, because IP is connectionless and there is no in-order delivery of datagrams. When a datagram must be fragmented because its length exceeds the network MTU, the value of this field is copied into the identification field of every fragment. The shared identification value is what lets the fragments be correctly reassembled into the original datagram.

(6) Flags: occupies 3 bits, of which only 2 currently have a meaning.

● The lowest bit in the flag field is marked as MF (More Fragment). MF=1 means that there are "fragmented" datagrams behind. MF=0 means this is the last of several datagram fragments 

● The one bit in the middle of the flag field is marked as DF (Don't Fragment), which means "cannot be fragmented". Fragmentation is allowed only when DF=0. 

(7) Fragment offset: 13 bits. The fragment offset gives the relative position of a fragment within the original datagram after a longer datagram has been fragmented, that is, where the fragment starts relative to the beginning of the user data field. The offset is measured in units of 8 bytes, which means the length of every fragment except the last must be an integer multiple of 8 bytes (64 bits).

Note:

Identifiers, flags, and fragment offsets are used in IP data fragmentation, and IP fragmentation will be explained in detail later.

(8) Time to live: occupies 8 bits. The usual abbreviation is TTL (Time To Live), the lifetime of the datagram in the network. It is set by the source of the datagram, and its purpose is to stop undeliverable datagrams from circulating on the Internet indefinitely and wasting network resources. The original design used seconds as the unit: each router subtracted the time the datagram spent in it, and if that was less than 1 second the TTL was reduced by 1. When the TTL reaches 0 the datagram is discarded. In practice the field specifies how many routers the packet may pass through before it is discarded (which again reflects that IP is unreliable and does not guarantee delivery). Every time an IP packet passes through a router its TTL is decremented by 1, and when it reaches zero the packet is discarded. The maximum value is 255, meaning a packet is discarded after passing through 255 routers; the initial value differs by system, usually 32 or 64. The traceroute tool works on this principle, and the -m option of traceroute accepts at most 255 because the TTL field is only 8 bits.

(9) Protocol: It occupies 8 bits. The protocol field indicates which protocol is used for the data carried in this datagram, so that the IP layer of the destination host knows which processing procedure should be handed over the data part. 

(10) Header checksum: occupies 16 bits. This field covers only the header of the datagram, not the data. Every time a datagram passes through a router, the router must recompute the header checksum (fields such as time to live, flags and fragment offset may change), so leaving the data out reduces the computation.

(11) Source IP address: occupies 32 bits, that is, IP address. 

(12) Destination IP address: occupies 32 bits, that is, IP address.
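The 20-byte header described in (1)-(12), built, parsed and checksum-verified, as an added example. This is my own code, not from the original article; it uses the standard RFC 791 one's-complement header checksum and the field layout above, and the function names are my own.

```python
# Added example (not from the original article): build a 20-byte IPv4 header,
# parse it back into named fields, and verify the header checksum.
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # version/IHL, DS, total length, id, flags+offset,
                               # TTL, protocol, checksum, src, dst


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (header only)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4_header(src, dst, payload_len, ident, df=0, mf=0,
                      frag_offset=0, ttl=64, proto=1):
    """IHL is fixed at 5 (20 bytes, no options). frag_offset is in 8-byte units."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (df << 14) | (mf << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = ip_checksum(hdr)                     # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed header; checksum_ok is True when the sum folds to zero."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, ds, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4           # IHL in 32-bit words
    if ver_ihl >> 4 != 4 or header_len < 20 or header_len > len(packet):
        raise ValueError("not a sane IPv4 header")
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "ds": ds,
        "total_len": total_len,
        "id": ident,
        "df": (flags_frag >> 14) & 1,
        "mf": (flags_frag >> 13) & 1,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # converted to bytes
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


if __name__ == "__main__":
    # constructed sample: second fragment of a 1500-byte ping packet
    h = build_ipv4_header("192.168.0.101", "192.168.0.102", 1480, 0x4a21,
                          mf=1, frag_offset=185)
    print(parse_ipv4_header(h))
```

Verification works because a header whose checksum field is correct sums (with carries folded) to 0xFFFF, so complementing gives 0; any single changed byte, such as a decremented TTL without a recomputed checksum, makes `checksum_ok` false.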

The IP header as decoded by Wireshark is shown below:

03, IP fragmentation analysis

Fragmentation means that when the data to be transmitted is larger than the maximum transmission unit (MTU), it has to be split into several packets that are sent to the other side one by one. Let's review the figure below.

The above figure tells us that a frame of Ethernet IP data can carry a maximum of 1500 bytes.

So we need IP fragmentation. As mentioned above, the identification, flag, and fragment offset of the IP header information will be explained in detail during IP fragmentation.

Identification: Confirm whether these fragmented packets originate from the same data packet

Flags: bit 1 is reserved; bit 2 is DF ("don't fragment"), and fragmentation is allowed only when DF=0; bit 3 is MF, where MF=1 means more fragments follow and MF=0 means this is the last fragment.

Fragment offset: the position of this fragment's data within the original datagram.

Example:

If you are not familiar with the IP protocol, the first time you see the figure above you may wonder why the length of the first packet is 1500 but the offset of the second packet is 1480. The reason is that each packet carries 20 bytes of IP header, as explained above; scroll up if this is still puzzling.

After receiving data from the upper layer, IP must determine which interface to send data from (by routing) based on the IP address, and perform MTU query. If the data size exceeds the MTU, data fragmentation is performed. The data fragmentation is transparent to the upper and lower layers, and the data will only be reassembled when it reaches the destination, but don’t worry, the IP layer provides enough information to reassemble the data.

In the IP header, the 16-bit identification uniquely records the ID of an IP packet, and fragments with the same ID are reassembled together; the 13-bit fragment offset records the position of a fragment relative to the whole packet; and the 3-bit flags field between them indicates whether another fragment follows. These three fields make up all the information the IP fragments carry, and the receiver can use it to reassemble the data (even if later fragments arrive before earlier ones, this information is sufficient).

For the example above we can capture the packets with Wireshark, using the following command:

ping -n 1 192.168.0.102 -l 4000

-n 1 means only ping once

-l 4000 means send 4000 bytes

Analysis of the three packets:

As you can see, when the data is handed to the network layer it is fragmented because it exceeds the maximum transmission unit. The capture above confirms the behaviour of DF and MF and shows that the Identification of every fragment of one datagram is the same. The maximum data per packet is MTU - IP header = 1500 - 20 = 1480 bytes.
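The fragmentation of the ping above, worked through in code as an added example (my own code, not from the original article or the capture): an ICMP echo with 4000 bytes of data is 4008 bytes of IP payload, which over a 1500-byte MTU becomes three fragments; the receiver then rebuilds it from id, MF and offset even when the fragments arrive in the wrong order.

```python
# Added example (not from the original article): split an IP payload into
# fragments over a given MTU and reassemble them out of order.
MTU = 1500
IP_HEADER_LEN = 20


def fragment(ident: int, payload: bytes, mtu: int = MTU) -> list:
    """Return fragments as dicts carrying the three header fields the
    receiver needs (id, mf, offset) plus the per-fragment data."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8     # all but the last fragment: multiple of 8
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        last = pos + len(chunk) >= len(payload)
        frags.append({
            "id": ident,
            "mf": 0 if last else 1,
            "offset": pos // 8,                   # 13-bit field, unit = 8 bytes
            "total_len": IP_HEADER_LEN + len(chunk),
            "data": chunk,
        })
        pos += len(chunk)
    return frags


def reassemble(frags: list):
    """Rebuild the payload of one datagram; return None while pieces are
    missing (or overlap), which is how a receiver knows to keep waiting."""
    ids = {f["id"] for f in frags}
    if len(ids) != 1:
        raise ValueError("fragments belong to more than one datagram")
    last = [f for f in frags if f["mf"] == 0]
    if len(last) != 1:                            # no MF=0 yet: total size unknown
        return None
    expected = last[0]["offset"] * 8 + len(last[0]["data"])
    buf = bytearray(expected)
    received = 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        start = f["offset"] * 8
        if start + len(f["data"]) > expected:
            return None                           # inconsistent with the last fragment
        buf[start:start + len(f["data"])] = f["data"]
        received += len(f["data"])
    return bytes(buf) if received == expected else None


if __name__ == "__main__":
    # constructed sample: 8-byte ICMP header + 4000 bytes of ping data
    payload = bytes(i % 251 for i in range(8 + 4000))
    for f in fragment(0x4a21, payload):
        print(f"id={f['id']:#x} mf={f['mf']} offset={f['offset']} "
              f"({f['offset'] * 8} bytes) total_len={f['total_len']}")
```

The printed plan matches the three packets in the capture: total lengths 1500, 1500 and 1068, offsets 0, 185 and 370 (0, 1480 and 2960 bytes), MF set on the first two and clear on the last.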

The Wireshark capture file is shared here so you can analyze it yourself.


04, IP fragmentation attack

An attacker constructs fragmented datagrams but never sends the last fragment. The receiver must allocate memory for every incomplete set of fragments, and because the last fragment never arrives, that memory cannot be released promptly. The receiver does start a reassembly timer for each set and, if reassembly does not complete within the timeout, sends an ICMP reassembly time-exceeded message to the sender; but as long as the incomplete fragments are sent in sufficient volume and fast enough, the receiver's memory fills up and it has no resources left for normal traffic, which is the effect of a DoS attack.
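The mitigation side of the paragraph above, as an added example that is not part of the original article: a receiver's reassembly table that accounts for the memory held by incomplete fragment sets, expires them on the reassembly timer (counting the ICMP time-exceeded messages it would send), and refuses new sets when a per-source quota or a global byte budget is exhausted. The class, limits and sample traffic are my own constructions; the addresses are documentation ranges.

```python
# Added example (not from the original article): a bounded fragment
# reassembly table. It tracks resource use only; actual data reassembly and
# offset bookkeeping are omitted.


class ReassemblyTable:
    def __init__(self, timeout=30.0, max_bytes=1_000_000, max_per_source=64):
        self.timeout = timeout                  # reassembly timer, seconds
        self.max_bytes = max_bytes              # global budget for incomplete sets
        self.max_per_source = max_per_source    # incomplete sets allowed per source
        self.pending = {}                       # (src, id) -> {"bytes", "first_seen"}
        self.used_bytes = 0
        self.timeouts = 0                       # each would emit ICMP time exceeded
        self.dropped = 0
        self.completed = 0

    def expire(self, now):
        """Free every set older than the timeout (the timer the text describes)."""
        stale = [k for k, v in self.pending.items() if now - v["first_seen"] > self.timeout]
        for key in stale:
            self.used_bytes -= self.pending.pop(key)["bytes"]
            self.timeouts += 1

    def add(self, src, ident, data_len, mf, now):
        """Account for one fragment; returns 'queued', 'complete' or 'dropped'."""
        self.expire(now)
        key = (src, ident)
        if key not in self.pending:
            per_src = sum(1 for k in self.pending if k[0] == src)
            if per_src >= self.max_per_source:
                self.dropped += 1
                return "dropped"
        if self.used_bytes + data_len > self.max_bytes:
            self.dropped += 1
            return "dropped"
        entry = self.pending.setdefault(key, {"bytes": 0, "first_seen": now})
        entry["bytes"] += data_len
        self.used_bytes += data_len
        if mf == 0:
            # simplification: treat the MF=0 fragment as completing the set;
            # a real stack checks that every offset up to it has been filled
            self.used_bytes -= self.pending.pop(key)["bytes"]
            self.completed += 1
            return "complete"
        return "queued"


def simulate():
    """Constructed sample: 500 never-completed sets from one source, then a
    legitimate two-fragment datagram from another host, then the timer fires."""
    table = ReassemblyTable(timeout=30.0, max_bytes=200_000, max_per_source=64)
    for ident in range(500):
        table.add("198.51.100.7", ident, 1480, mf=1, now=0.0)
    held = len(table.pending)
    table.add("192.168.0.101", 7, 1480, mf=1, now=1.0)
    table.add("192.168.0.101", 7, 1048, mf=0, now=1.0)
    table.expire(now=31.0)
    return {
        "held_by_attacker": held,
        "dropped": table.dropped,
        "completed": table.completed,
        "timeouts": table.timeouts,
        "used_bytes_after_timeout": table.used_bytes,
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the per-source quota is visible in the numbers: only 64 incomplete sets (about 95 KB) are ever held for the flooding source, the remaining 436 are refused up front, the legitimate datagram from another host still completes, and once the timer fires the held memory returns to zero. Counting `timeouts` and `dropped` per source is also a cheap detection signal for this pattern.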

This article belongs to the series "STM32F207 network development".

Source: blog.csdn.net/Firefly_cjd/article/details/110366657