by Rik Farrow, updates by Corey Nachreiner
The Internet Protocol (the IP in TCP/IP) makes the Internet possible. IP also makes it possible for attackers anywhere in the world to attempt to break into your systems and networks. Here's how IP routing works, and some suggestions for gaining deeper understanding of IP.
IP has two great features that contributed to its success today: it works the same all over the world, and it can travel over any communication medium -- Ethernet, frame relay, wireless, whatever. When IP was first developed as an experiment in the late 70s, no one had created a networking protocol that could do either of those things.
The Envelope, Please...
IP networks function by routing packets to destinations. Let me unpack that sentence just a bit. "Routing" is what happens when a networked computer receives a chunk of information and decides where to send it. That chunk of information is called a packet, and each packet consists of two parts: a header, and a data payload. What destination is the packet routed to? The one specified in its header.
It's a little hard to see packets on a network, and perhaps a little hard to understand how routing works, so I can explain IP routing better by comparing it to something familiar. In place of packets, think of the type of letter you mail to pay your bills -- regular ol' US postal mail. The letter is enclosed in an envelope which shows where to send the letter to (in IP terms, the destination address). The envelope also shows a return address (which IP calls the source address). So the envelope resembles the IP header. The contents of the letter equate with an IP packet's body, or payload.
Okay, now imagine that you drop the letter in a mailbox, the entry point to the mail network. Sooner or later, a postal employee will come around and empty the mailbox, and truck the contents to a mail sorting facility. The letter, now one part of a huge heap of mail, travels through machines, and gets sent to a person (or a machine) that makes the first routing decision. The sorter scans the destination address, and asks, where should I send this letter? The sorter puts the letter into the appropriate slot, where the letter is gathered up with other letters heading the same general direction. All these actions resemble what happens to an IP packet as a router sorts Internet traffic. The router checks the destination address in the header and sends the packet on.
Later, the letter arrives at another mail sorting facility. Another person (or machine) examines the destination address, and makes another routing decision. (In an IP network, this would be a second router.) For both US mail and IP, the sorters (routers) make these decisions without consulting, filtering, or changing the message within the envelope (the data in the packet). And no sorter (router) consults any other sorter about what it should do with this letter.
Eventually, the letter arrives at the post office in the region specified in the destination, and the letter is routed to a particular mail person for delivery. If at any point in this process, some sorter determines the letter cannot be delivered, it is sent back to the return address (or, in IP, the source address).
We can push this postal analogy a bit further. Envelopes bear more than just a street address; they also specify a person or entity at that address. In IP, the equivalent is a port address, which specifies one of potentially tens of thousands of ports on a computer waiting for the arrival of a packet. (The port is not physical; it's just a logical construct, invented to help with this kind of routing.) The IP address is used to route the packet to a particular computer or network device (for example, a networked printer). The port address specifies which application the packet should be delivered to when it reaches that computer (for example, Telnet, HTTP/Web, or SMTP/mail). The combination of an IP address and a port is called a socket.
The biggest difference between IP packet travel on the Internet and surface mail is that IP routing is blindingly fast. I have timed packets traveling from Colorado to Moscow and back, and the entire round trip took less than a second.
If you'd like to "see" how this routing occurs, try the tracert command on Windows systems, or traceroute if you are using UNIX or Linux. On a Windows system, pull up CMD, the command prompt application. Type tracert www.watchguard.com (or any Web site name or IP address), and press Enter. You'll see how many routers a packet must pass through from your PC to the destination address.
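As an added example (not from the original article), here is a small Python model of the envelope analogy and of the per-hop routing decision described above: a constructed IPv4/TCP packet, the header fields a router or firewall actually reads (addresses, TTL, protocol, ports), a longest-prefix-match route lookup, and the TTL bookkeeping that tracert/traceroute relies on. All addresses, ports and routing-table entries are constructed sample values, and the header checksum is left at zero for simplicity.

```python
import struct
import ipaddress

# All addresses, ports and routes below are constructed sample values.
HDR = "!BBHHHBBH4s4s"   # RFC 791 fixed header fields, network byte order

def build_packet(src, dst, sport, dport, payload, ttl=64):
    """Wrap a payload in a minimal TCP header and then an IPv4 'envelope'."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack(HDR, 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload   # header checksum is 0 here (not computed in this sample)

def read_envelope(packet):
    """Return the fields a router or firewall reads: addresses, TTL, protocol, ports."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length; options make it > 20
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])  # TCP and UDP both begin with ports
    dst_str = str(ipaddress.IPv4Address(dst))
    return {"src": str(ipaddress.IPv4Address(src)), "dst": dst_str, "ttl": ttl,
            "proto": proto, "socket": (dst_str, dport)}   # address + port = socket

# Constructed routing table: (prefix, next hop). More specific prefixes win.
ROUTES = [("0.0.0.0/0", "upstream"), ("10.0.0.0/8", "backbone"), ("10.1.2.0/24", "eng-lan")]

def next_hop(dst):
    """One routing decision: longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p, _ in ROUTES if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]

def forward(packet):
    """What each hop does: check TTL, decrement it, pick a next hop. The payload is never read."""
    env = read_envelope(packet)
    if env["ttl"] <= 1:
        return ("expired", env["src"])   # reported back to the source address, as traceroute relies on
    ttl_off = 8                          # TTL is byte 8 of the IPv4 header
    packet = packet[:ttl_off] + bytes([env["ttl"] - 1]) + packet[ttl_off + 1:]
    return (next_hop(env["dst"]), packet)
```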
When Packets Attack
Using IP, anyone connected to the Internet can send packets anywhere else on the Internet. If you don't use a firewall, packets can travel right up to your computer and, whether you want them to or not, attempt to use applications that are listening at your ports.
Someone can also send random packets, lots of them, to your computer. Imagine if a Super Bowl TV commercial advertised that people might win a million dollars by sending a postcard to an address. By mistake, the ad displayed your address. You'd get buried in mail! In that huge pile, it would take you longer to find the letter from your Uncle Bob, because you'd have to look through all the other letters as well. You might feel so overwhelmed that you throw the whole pile out, and with it, unknowingly, your refund from the IRS. In the world of Internet security, we would call a similar flood of packets that you don't want or need a Denial of Service (DoS) attack. That's because when your server is flooded, performance slows down, then stops as the server starts refusing (denying) packets. Legitimate customers or colleagues trying to communicate with you during this flood are denied service. Your firewall may stop the flood from reaching your computer, but the flood will still overflow the path leading to your firewall. You won't be able to use the Internet until the attack stops.
Iceberg, Dead Ahead
IP packets travel using the simple steps outlined above. Of course in the space allotted for this article, I have revealed just the tip of the iceberg and left out a lot of details. You can learn tons more by reading the best book ever written about IP: TCP/IP Illustrated by Rich Stevens, featured in our December "Best in 2000" book list. Or consult the classic, covering IP from a security viewpoint: Building Internet Firewalls by Brent Chapman and Elizabeth Zwicky.
For a real brain-bender, go to the source and read the RFCs, the documents that include the standards for the Internet. There are over 3,000 RFCs, but only a handful are considered standards. In particular, RFC 791 defines IP, and discusses the IP header information I explained here. (Or, if you need a break, check out a laughable alternative IP routing method in RFC 1149.)
IP really is the foundation of the Internet. Studying it will help you understand the terms thrown around in technical discussions; make it easier for you to grasp more advanced network concepts; and help you make more informed decisions when configuring your Firebox. Check it out—learning IP will take a lot of the mystery out of what your network is doing. Or at least it'll help you understand US mail better.