Testing a router or firewall

Laurent Constantin
May 04, 2001, 18:56

Introduction

The life of a router is punctuated by several important steps:

Basic idea

The basic idea of the tests is to send a packet on one side of the router. Then, on the other side:

Method

We do not present a generic high-level method, because every network administrator has their own way to set up a device or solve a problem. Instead, we emphasize the low-level method by presenting key points, which each person can link together to construct their own high-level method. The key points are:

Tool used

To illustrate the examples, the free network testing tool lcrzoex is used. Lcrzoex is available at:

    http://www.laurentconstantin.com/us/lcrzo/ [main server]
    http://go.to/laurentconstantin/us/lcrzo/ [backup server]
    http://laurentconstantin.est-la.com/us/lcrzo/ [backup server]

Other tools or network libraries (tcpdump, snoop, ipsend, netcat, telnet, libnet, libpcap, etc.) can also be used, but I choose lcrzoex because it incorporates all we need in one program.

How to send a packet?

It depends on the protocols supported by our network. In this paper, we focus on IP over Ethernet, and on ICMP/UDP/TCP.

Which kind of packets to send?

The kind of packets sent depends on several factors:

What's the difference between IP level and Ethernet level?

When a packet is sent at IP level, the local IP stack:

When a packet is sent at Ethernet level, it is sent directly on the network without going through the IP stack. This is more complicated because the user has to set the Ethernet addresses, but it allows tricky things to be done. To obtain the Ethernet address of a computer on the LAN, use "lcrzoex 2":

    # lcrzoex 2 192.168.10.2
    ip address : 192.168.10.2
    ethernet address : 00:40:95:46:11:23

Don't forget that the destination Ethernet address has to be set to:

How to send an ICMP packet at IP level?

We can use "lcrzoex 65":

    # lcrzoex 65
    source address [255.255.255.255]: 192.168.10.1
    destination address [1.2.3.4]: 192.168.11.3
    IP options []:
    type (between 0 and 255)[8]: 8
    code (between 0 and 255)[8]: 0
    packet's data ['hello' 0D 0A]: 12345678 'my data'
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0023h=   35____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________822Bh=33323____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____80h=128_____|_____01h=  1_____|_______________235Ah_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.11.3_____________________________|
    ICMP____________________________________________________________________.
    |      type       |      code       |             checksum              |
    |_____08h=  8_____|_____00h=  0_____|____________3F01h=16129____________|
    12 34 56 78 6D 79 20 64 61 74 61                    # .4Vxmy data

Example 66 is identical, but takes its parameters from the command line:

    # lcrzoex 66 192.168.10.1 192.168.11.3 8 0

How to send an ICMP packet at Ethernet level?

We can use "lcrzoex 68":

    # lcrzoex 68
    send on which device [eth0]:
    source address [aa:bb:cc:dd:ee:ff]: 00:40:33:E0:2C:42
    destination address [ff:ff:ff:ff:ff:ff]: 00:40:95:46:41:BC
    source address [255.255.255.255]: 192.168.10.1
    destination address [1.2.3.4]: 192.168.11.3
    IP options []:
    type (between 0 and 255)[8]: 8
    code (between 0 and 255)[8]: 0
    packet's data ['hello' 0D 0A]: 12345678 'my data'
    ETH_____________________________________________________________________.
    | 00:40:33:e0:2C:42 vers 00:40:95:46:41:BC         type : 0x0800        |
    |_______________________________________________________________________|
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0023h=   35____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________F3D2h=62418____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____80h=128_____|_____01h=  1_____|_______________B1B2h_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.11.3_____________________________|
    ICMP____________________________________________________________________.
    |      type       |      code       |             checksum              |
    |_____08h=  8_____|_____00h=  0_____|____________3F01h=16129____________|
    12 34 56 78 6D 79 20 64 61 74 61                    # .4Vxmy data

Example 69 is identical, but takes its parameters from the command line:

    # lcrzoex 69 eth0 00:40:33:E0:2C:42 00:40:95:46:41:BC 192.168.10.1 192.168.11.3 8 0

How to send a UDP packet at IP level?

We can use "lcrzoex 37":

    # lcrzoex 37
    source address [255.255.255.255]: 192.168.10.1
    destination address [1.2.3.4]: 192.168.11.3
    IP options []:
    source port (between 0 and 65535)[2345]: 1234
    destination port (between 0 and 65535)[53]:
    packet's data ['hello' 0D 0A]:
    Do you want an Empty string or the Default string ? (key eEdD)[d]:
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0023h=   35____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________31C2h=12738____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____80h=128_____|_____11h= 17_____|_______________73B3h_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.11.3_____________________________|
    UDP_____________________________________________________________________.
    |            source port            |         destination port          |
    |____________04D2h= 1234____________|____________0035h=   53____________|
    |              length               |             checksum              |
    |____________000Fh=   15____________|____________1795h= 6037____________|
    68 65 6C 6C 6F 0D 0A                                # hello..

Example 38 is identical, but takes its parameters from the command line:

    # lcrzoex 38 192.168.10.1 192.168.11.3 1234 53

How to send a UDP packet at Ethernet level?

We can use "lcrzoex 40":

    # lcrzoex 40
    send on which device [eth0]:
    source address [aa:bb:cc:dd:ee:ff]: 00:40:33:E0:2C:42
    destination address [ff:ff:ff:ff:ff:ff]: 00:40:95:46:41:BC
    source address [255.255.255.255]: 192.168.10.1
    destination address [1.2.3.4]: 192.168.11.3
    IP options []:
    source port (between 0 and 65535)[2345]: 1234
    destination port (between 0 and 65535)[53]:
    packet's data ['hello' 0D 0A]:
    Do you want an Empty string or the Default string ? (key eEdD)[d]:
    ETH_____________________________________________________________________.
    | 00:40:33:e0:2C:42 vers 00:40:95:46:41:BC         type : 0x0800        |
    |_______________________________________________________________________|
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0023h=   35____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________F2CBh=62155____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____80h=128_____|_____11h= 17_____|_______________B2A9h_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.11.3_____________________________|
    UDP_____________________________________________________________________.
    |            source port            |         destination port          |
    |____________04D2h= 1234____________|____________0035h=   53____________|
    |              length               |             checksum              |
    |____________000Fh=   15____________|____________1795h= 6037____________|
    68 65 6C 6C 6F 0D 0A                                # hello..

Example 41 is identical, but takes its parameters from the command line:

    # lcrzoex 41 eth0 00:40:33:E0:2C:42 00:40:95:46:41:BC 192.168.10.1 192.168.11.3 1234 53

How to send a TCP packet at IP level?

We can use "lcrzoex 48":

    # lcrzoex 48
    source address [255.255.255.255]: 192.168.10.1
    destination address [1.2.3.4]: 192.168.11.3
    IP options []:
    source port (between 0 and 65535)[2345]: 1234
    destination port (between 0 and 65535)[53]: 80
    bit syn (between 0 and 1)[0]: 1
    bit ack (between 0 and 1)[0]:
    bit rst (between 0 and 1)[0]:
    seqnum (between 0 and 4294967295)[3145138187]:
    acknum (between 0 and 4294967295)[2039479918]: 0
    TCP options []:
    packet's data ['hello' 0D 0A]:
    Do you want an Empty string or the Default string ? (key eEdD)[d]: e
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0028h=   40____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________344Eh=13390____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____80h=128_____|_____06h=  6_____|_______________712Dh_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.11.3_____________________________|
    TCP_____________________________________________________________________.
    |            source port            |         destination port          |
    |____________04D2h= 1234____________|____________0050h=   80____________|
    |                                seq num                                |
    |_________________________BB77000Bh=3145138187__________________________|
    |                                ack num                                |
    |_________________________00000000h=         0__________________________|
    |dataoff |         . . UrAk PuRsSyFi|              window               |
    |___ 5___|___ 0____0_0_0_0__0_0_1_0_|____________05DCh= 1500____________|
    |             checksum              |          urgent pointer           |
    |____________DC0Eh=56334____________|____________0000h=    0____________|

Example 49 is identical, but takes its parameters from the command line:

    # lcrzoex 49 192.168.10.1 192.168.11.3 1234 80 1 0 0 2222222 0

How to send a TCP packet at Ethernet level?

We can use "lcrzoex 51":

    # lcrzoex 51
    send on which device [eth0]:
    source address [aa:bb:cc:dd:ee:ff]: 00:40:33:E0:2C:42
    destination address [ff:ff:ff:ff:ff:ff]: 00:40:95:46:41:BC
    source address [255.255.255.255]: 192.168.10.1
    destination address [1.2.3.4]: 192.168.11.3
    IP options []:
    source port (between 0 and 65535)[2345]: 1234
    destination port (between 0 and 65535)[53]: 80
    bit syn (between 0 and 1)[0]: 1
    bit ack (between 0 and 1)[0]:
    bit rst (between 0 and 1)[0]:
    seqnum (between 0 and 4294967295)[4293488417]:
    acknum (between 0 and 4294967295)[1610530550]: 0
    TCP options []:
    packet's data ['hello' 0D 0A]:
    Do you want an Empty string or the Default string ? (key eEdD)[d]: e
    ETH_____________________________________________________________________.
    | 00:40:33:e0:2C:42 vers 00:40:95:46:41:BC         type : 0x0800        |
    |_______________________________________________________________________|
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0028h=   40____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________113Dh= 4413____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____80h=128_____|_____06h=  6_____|_______________943Eh_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.11.3_____________________________|
    TCP_____________________________________________________________________.
    |            source port            |         destination port          |
    |____________04D2h= 1234____________|____________0050h=   80____________|
    |                                seq num                                |
    |_________________________FFE96F21h=4293488417__________________________|
    |                                ack num                                |
    |_________________________00000000h=         0__________________________|
    |dataoff |         . . UrAk PuRsSyFi|              window               |
    |___ 5___|___ 0____0_0_0_0__0_0_1_0_|____________05DCh= 1500____________|
    |             checksum              |          urgent pointer           |
    |____________A084h=41092____________|____________0000h=    0____________|

Example 52 is identical, but takes its parameters from the command line:

    # lcrzoex 52 eth0 00:40:33:E0:2C:42 00:40:95:46:41:BC 192.168.10.1 192.168.11.3 1234 80 1 0 0 2222222 0

How to verify the arrival of a packet?

To check whether a packet arrives on a network, we have to use a sniffer. We might however encounter problems:

To display packets, "lcrzoex 7" can be used:

    # lcrzoex 7
    Choose the print profile
     1 - header and data in synthetic aspect
     2 - header (without ethernet) and data in synthetic aspect
     3 - header and data in array aspect
     4 - header in array aspect and data in dump
     5 - header in array aspect and data in mixed
     6 - header and data in hexa aspect
     7 - header in hexa aspect and data in dump
     8 - header in hexa aspect and data in mixed
     9 - personnalized profile
    Choose the profile (between 1 and 9)[4]: 4
    ETH_____________________________________________________________________.
    | 00:40:33:e0:c2:24 vers 00:40:95:46:14:cb         type : 0x0800        |
    |_______________________________________________________________________|
    IP______________________________________________________________________.
    |version |  ihl   |       tos       |              totlen               |
    |___ 4___|___ 5___|_______  0_______|____________0054h=   84____________|
    |                id                 |xxDfMf         fragoffset          |
    |____________0052h=   82____________|0_0_0__________0000h=    0_________|
    |       ttl       |    protocol     |          header checksum          |
    |_____40h= 64_____|_____01h=  1_____|_______________E502h_______________|
    |                                source                                 |
    |______________________________192.168.10.1_____________________________|
    |                              destination                              |
    |______________________________192.168.10.3_____________________________|
    ICMP____________________________________________________________________.
    |      type       |      code       |             checksum              |
    |_____08h=  8_____|_____00h=  0_____|____________AA90h=43664____________|
    A1 02 00 00 7B D7 E1 3A 61 57 03 00 08 09 0A 0B     # ....{..:aW......
    0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B     # ................
    1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B     # ...~ !"#$%&'()*+
    2C 2D 2E 2F 30 31 32 33 34 35 36 37                 # ,-./01234567

Various display formats can be selected (choices 1 to 9).

How to simulate a testing computer?

When computer A wants to reach computer B:

So, when we simulate a computer, we have to answer ARP requests in order to inform the other computers. For example, to simulate the presence of 192.168.10.2 and announce that its Ethernet address is 12:34:56:78:90:ab, we can use:

    # lcrzoex 131 eth0 12:34:56:78:90:ab 192.168.10.2

First example

In this example, we want to verify that:

So, the testing procedure is:

Second example

In this example, we want to verify that:

Third example

In this example, we want to verify that:

Other examples

Several other examples could be written using the same methods. This is left as an exercise for the reader.

Conclusion

Validating the configuration of a router is a long task, especially if we want to verify the security of the device. Knowledge of the key points and the use of generic tools can however simplify the administrator's job. This paper only described the tests which can be done. Using these tests and their own knowledge, administrators can elaborate their own method to configure or secure a router or a firewall.
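
The send-then-sniff idea of this paper, as an added Python example (not part of the original paper and not lcrzoex code): it builds the ICMP echo request of the "lcrzoex 65" example, then looks for it among packets captured on the far side of the router and reports whether it was forwarded, how many hops it crossed, and whether addresses were rewritten. The function names and the capture are constructed for illustration, and only the ICMP path is handled.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, data: bytes) -> bytes:
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + data)
    return struct.pack("!BBH", icmp_type, code, csum) + data

def build_ipv4(src: str, dst: str, proto: int, ttl: int, ident: int, body: bytes) -> bytes:
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), ident, 0,
                           ttl, proto, csum, socket.inet_aton(src), socket.inet_aton(dst))
    return header(inet_checksum(header(0))) + body

def parse_ipv4(pkt: bytes) -> dict:
    vihl, _, totlen, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "body": pkt[ihl:totlen],
            "ip_ok": inet_checksum(pkt[:ihl]) == 0}   # a valid header sums to zero

def check_probe(sent: bytes, far_side: list) -> dict:
    """Look for the sent ICMP probe among packets sniffed behind the router."""
    s = parse_ipv4(sent)
    for pkt in far_side:
        c = parse_ipv4(pkt)
        if c["proto"] == 1 and c["body"][4:] == s["body"][4:]:   # same ICMP data
            return {"verdict": "forwarded", "hops": s["ttl"] - c["ttl"],
                    "rewritten": [k for k in ("src", "dst") if c[k] != s[k]],
                    "checksums_ok": c["ip_ok"] and inet_checksum(c["body"]) == 0}
    return {"verdict": "dropped"}

# Probe with the field values of the "lcrzoex 65" example above.
ICMP = build_icmp(8, 0, bytes.fromhex("12345678") + b"my data")
PROBE = build_ipv4("192.168.10.1", "192.168.11.3", 1, 128, 0x822B, ICMP)
# Constructed capture: unrelated traffic plus the probe after one hop (TTL 127).
CAPTURE = [build_ipv4("192.168.11.9", "192.168.11.3", 1, 64, 1, build_icmp(8, 0, b"other")),
           build_ipv4("192.168.10.1", "192.168.11.3", 1, 127, 0x822B, ICMP)]

if __name__ == "__main__":
    print(check_probe(PROBE, CAPTURE))
```

A "dropped" verdict for a probe the policy should forward, or a non-empty "rewritten" list where no address translation is configured, points at the rule to review.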