Network Security - Data Link Layer Security Protocols


  • About the author: a cloud computing network operations engineer, sharing practical networking and operations content every day.

  • Motto: Keep your head down and hurry on your way; be respectful.

  • Personal homepage: Homepage of Netdou

Table of contents

Foreword

1. Introduction to Data Link Layer Security Protocol
  1. Data link security
  2. LAN data link layer protocol
    1. Local area network (LAN) link
    2. Wide area network (WAN) link
  3. IEEE802 LAN data link layer protocol
    (1) Logical Link Control (LLC) sublayer
    (2) Media Access Control (MAC) sublayer
    (3) IEEE802.3 MAC data format
  4. LAN data link layer protocol security issues
    (1) Listening problem in shared Ethernet
    (2) ARP broadcast problem in switched Ethernet

Foreword

This chapter explains the security protocols at the data link layer.

1. Introduction to Data Link Layer Security Protocol

Each layer of communication has its own unique security issues, and network security issues should be addressed at multiple protocol layers for different weaknesses. In terms of security, the communication link at the data link layer (second protocol layer) is the weak link.

In this chapter, we will focus on security issues related to the data link layer.


1. Data link security

Data link layer security refers to the secure exchange of data between nodes in the data link. It is manifested in the following two aspects.

  • (1) Data confidentiality. Prevent data from being illegally eavesdropped during data exchange.
  • (2) Data integrity. Prevent data from being illegally tampered with during data exchange.

Data confidentiality and integrity during data exchange are mainly realized through cryptography: the two parties first negotiate a consistent encryption algorithm, a data confidentiality scheme and a key exchange algorithm, and reach an agreement; during the exchange itself, they then perform data encryption and data authentication according to that agreement, which ensures the confidentiality and integrity of the data.

The data link layer security protocol enhances the security of the data link layer protocol: the functions and processes of security algorithm negotiation and data encryption/decryption are added on top of the ordinary data link layer protocol.


2. LAN data link layer protocol

The data link layer mainly provides data transmission services for communication between nodes on one network segment or one section of medium. It provides error handling and flow control for the data link, turning an unreliable data link into a reliable one; it handles the sending and receiving of data frames; and it provides the network layer with a data transmission service and procedure.

According to the different network scales, the protocols of the data link layer can be divided into two categories:


1. Local area network (LAN) link


The data link layer protocol of a LAN link connects local nodes to each other through the local area network (LAN) link to realize data communication.



2. Wide area network (WAN) link

The data link layer protocol of a WAN link mainly realizes data communication between remote nodes through the wide area network.


The data link layer protocols of different physical links differ:

  • The data link layer protocol of a local link generally adopts the IEEE802 LAN protocol standard.
  • The data link layer protocol of a WAN link mainly adopts the Point-to-Point Protocol (PPP).


3. IEEE802 LAN data link layer protocol

The IEEE802 specifications define how a network card accesses the transmission medium (optical cable, twisted pair, wireless, etc.) and how data is transmitted on that medium; they also define how connections between the network devices that transmit the information are established, maintained and released.


Products that follow the IEEE802 standard include network cards, bridges, routers, and other components used to build local networks.

The data link layer includes a logical link control (LLC) sublayer and a medium access control (MAC) sublayer.


(1) Logical Link Control (LLC) sublayer

Logical Link Control (LLC) is the upper part of the data link layer in a LAN, and the logical link control protocol is defined in IEEE 802.2. Through the LLC sublayer, the data link service presents a unified interface to the network layer.



(2) Media Access Control (MAC) sublayer

Medium access control is abbreviated MAC. It solves the problem of how to allocate the right to use a shared channel in the local area network when there is contention for that channel.

The main function of the MAC sublayer is to control access to the transmission medium. The MAC sublayer has the following two basic functions.

  • (1) Data encapsulation, including frame combination before transmission and frame analysis/error detection during and after reception.
  • (2) Media access control, including frame transmission initialization and transmission failure recovery.

(3) IEEE802.3 MAC data format

  • (1) Preamble - 7 bytes. The field consists of alternating 1s and 0s; the receiving station recognizes an incoming frame by this field, and it lets the receiver's physical layer synchronize with the incoming bit stream.
  • (2) Start-of-Frame Delimiter - 1 byte. The field again alternates 1s and 0s but ends in two consecutive 1s, which indicate that the next bit is the first bit of the destination address field.
  • (3) Destination Address - 6 bytes. This field identifies the station that is to receive the frame.
  • (4) Source Address - 6 bytes. This field identifies the station that sent the frame.
  • (5) Length/Type - 2 bytes. Depending on its value, this field indicates either the size of the MAC client data carried in the data field or the frame type ID.
  • (6) Data - a sequence of n bytes of arbitrary values, with 46 ≤ n ≤ 1500. The total frame size is at least 64 bytes.
  • (7) Frame Check Sequence - 4 bytes. This field holds a 32-bit cyclic redundancy check (CRC) value, generated by the sending MAC and recomputed by the receiving MAC to detect corrupted frames.

4. LAN data link layer protocol security issues

Each layer of communication presents its own unique problems. The communication connection at the data link layer (layer 2) is a relatively weak link, and its main security issues are as follows.


(1) Listening problem in shared Ethernet

In shared Ethernet, communication is carried out by broadcasting. In theory, all hosts in the same broadcast domain can access the data packets transmitted on the physical medium.

Under normal circumstances, however, a network host should only receive and respond to two types of data frames: frames whose destination matches its own hardware address, and broadcast frames sent to all hosts.


In an actual system, data is sent and received by the network card, and each Ethernet card has a globally unique Ethernet address, a 48-bit binary number. The Ethernet card has a built-in packet filter that accepts only packets whose destination is the card's own MAC address and broadcast packets, and discards all other, irrelevant packets so that the CPU is spared unnecessary processing of them. This is how Ethernet cards work under normal circumstances.

In this working mode, the Ethernet card passes upwards only the part of the received traffic that concerns this machine. However, the packet filter can be disabled by software. Once it is disabled, the network card passes every received packet upwards, so that software on the upper layers can monitor the communication between other computers on the Ethernet. This working mode is promiscuous mode. Most network cards support promiscuous mode, which makes it possible to use an ordinary network card as a network probe.


Implementing network listening is therefore very easy. On the one hand, this is convenient for network administrators; on the other hand, ordinary users can just as easily intercept network communications, which poses a great threat to the confidentiality of user data communications.
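The frame layout from section 3 (3) and the network card's address filter described above, as an added Python example that is not part of the original post: it builds and parses IEEE 802.3 frames, verifies the FCS with the standard CRC-32 (the same polynomial and byte order Ethernet uses), and models the card's filter in normal mode and in promiscuous mode. All addresses and frames are constructed for the example, and the helper names (build_frame, parse_frame, nic_accepts, frames_delivered) are the example's own.

```python
import struct
import zlib

# IEEE 802.3 frame after the preamble/SFD (which the card strips):
#   dst(6) | src(6) | length/type(2) | data(46..1500, padded) | FCS(4)
MIN_FRAME_LEN = 64          # minimum frame size, FCS included
MAX_CLIENT_DATA = 1500      # values up to here are a length
TYPE_THRESHOLD = 0x0600     # 1536 and above: the field is an EtherType
BROADCAST = b"\xff" * 6


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over dst..data, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Assemble a frame as the sending MAC does: encapsulate, pad, append FCS."""
    body = dst + src + struct.pack("!H", length_or_type) + payload
    # Pad the data field so that body + FCS reaches the 64-byte minimum.
    if len(body) < MIN_FRAME_LEN - 4:
        body += b"\x00" * (MIN_FRAME_LEN - 4 - len(body))
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields and recompute the FCS."""
    if len(frame) < MIN_FRAME_LEN:
        raise ValueError("runt frame: shorter than 64 bytes")
    dst, src = frame[0:6], frame[6:12]
    (lt,) = struct.unpack("!H", frame[12:14])
    body, received_fcs = frame[:-4], frame[-4:]
    if lt <= MAX_CLIENT_DATA:
        kind, data = "length", frame[14:14 + lt]   # padding is dropped
    elif lt >= TYPE_THRESHOLD:
        kind, data = "type", frame[14:-4]          # upper layer knows its length
    else:
        kind, data = "invalid", frame[14:-4]       # 1501..1535 is not allowed
    return {
        "dst": dst, "src": src, "kind": kind, "length_or_type": lt,
        "data": data, "fcs_ok": received_fcs == fcs(body),
    }


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Model of the card's built-in address filter (multicast groups ignored)."""
    if promiscuous:
        return True                 # filter disabled: everything goes up the stack
    dst = frame[0:6]
    return dst == own_mac or dst == BROADCAST


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


# Constructed sample traffic on one shared segment (locally administered,
# made-up addresses).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
HOST_C = bytes.fromhex("020000000003")

SAMPLE_FRAMES = [
    build_frame(HOST_A, HOST_B, 5, b"hello"),                    # unicast B -> A, length-encoded
    build_frame(BROADCAST, HOST_B, 0x0806, b"\x00" * 28),        # ARP broadcast (EtherType 0x0806)
    build_frame(HOST_C, HOST_B, 0x0800, b"\x45" + b"\x00" * 19), # IPv4 unicast B -> C
]


def frames_delivered(own_mac: bytes, promiscuous: bool) -> int:
    """How many of the sample frames reach software on a host with own_mac."""
    return sum(1 for f in SAMPLE_FRAMES if nic_accepts(f, own_mac, promiscuous))


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_frame(f)
        print(mac_str(p["src"]), "->", mac_str(p["dst"]), p["kind"],
              hex(p["length_or_type"]), "fcs_ok" if p["fcs_ok"] else "FCS ERROR")
    print("host A, normal mode:", frames_delivered(HOST_A, False))
    print("host A, promiscuous:", frames_delivered(HOST_A, True))
    damaged = bytearray(SAMPLE_FRAMES[0])
    damaged[20] ^= 0x01                        # flip one bit in the padding
    print("corrupted frame passes FCS?", parse_frame(bytes(damaged))["fcs_ok"])
```

In normal mode host A sees only the frame addressed to it and the broadcast; in promiscuous mode the B-to-C unicast is delivered as well, which is exactly the listening problem the section describes. The filter model leaves out multicast group membership, which a real card also lets through for groups the host has joined.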


(2) ARP broadcast problem in switched Ethernet

Besides the promiscuous working mode of the Ethernet card, listening in switched Ethernet is also implemented using ARP redirection.


ARP (Address Resolution Protocol) is one of the basic protocols of the TCP/IP protocol stack. ARP provides an address resolution service that maps 32-bit IP addresses to the 48-bit hardware addresses (MAC addresses) of Ethernet, so that packets can be encapsulated into Ethernet frames for transmission. In other words, the main function of ARP is to bind an upper-layer IP address to a lower-layer physical address.

Although ARP is an efficient data link layer protocol, as a LAN protocol it is built on mutual trust between hosts, and so it carries certain security risks. They are as follows.

  • (1) The host address mapping table is dynamically updated from a cache. This is a feature of ARP and also one of its security issues: because MAC address entries between hosts are refreshed only after a time limit, an entry in the address cache of a targeted host that is modified before the next update can be impersonated until then.
  • (2) ARP requests are broadcast. This problem is unavoidable: precisely because a host does not know the MAC address of its communication partner, it must send a broadcast ARP request. An attacker can therefore forge an ARP reply and race the machine the requester really wants to communicate with. It is also possible to determine when hosts in a subnet refresh their MAC address caches, and thus the maximum duration of a spoofed entry.
  • (3) ARP replies can be sent at will. ARP is stateless: any host can send a reply even when there was no request, and as long as the reply is well formed, the host that receives it refreshes its local cache unconditionally with the reply's contents.
  • (4) ARP replies require no authentication. ARP is a LAN protocol that was designed with transmission efficiency in mind, so no security precautions were taken at the data link layer. No authentication is required when exchanging MAC addresses with ARP: as soon as a host receives an ARP reply from the LAN, it refreshes the MAC/IP pair in its local cache.


Origin blog.csdn.net/yj11290301/article/details/129162206