
Big Picture
If you’re like me then understanding Networking does not come easily. This is why I wanted to include my notes on how connections are typically established. Here I will talk about Internet Key Exchange, protocols that deal with authentication, TCP vs UDP connections, and how traffic is encrypted to provide secure communications.
Internet Key Exchange (IKE) and Mechanisms
IKE serves as the negotiation framework for secure sessions, especially in VPN deployments. It blends Diffie-Hellman mechanics with additional cryptographic tools to coordinate security settings and exchange keying material. This enables VPN endpoints to build encrypted tunnels for protected data transmission. Beyond VPN applications, IKE supports user and device authentication. It frequently pairs with complementary technologies like RSA for key operations and signatures, plus AES for bulk data encryption.
Secure key exchange is critical for establishing encrypted communications between different parties across untrusted networks. The strength of any encryption depends on keeping keys secret, making the exchange mechanism itself a vital security component. Different approaches offer varying trade-offs between security, performance, and implementation complexity. Key exchange protocols enable two endpoints to derive a common secret over public channels through cryptographic mathematical operations. Once established, this shared secret protects all subsequent data transfers between them.
Common Key Exchange Algorithms
Diffie-Hellman (DH) pioneered the concept of deriving shared secrets between parties. Both sides collaborate mathematically to create matching keys that secure their messages. This forms the backbone of protocols like TLS for HTTPS connections.
The primary vulnerability is man-in-the-middle attacks. This is when adversaries attempt to intercept key exchange negotiations, pose as legitimate endpoints, and substitute their own keys to eavesdrop or manipulate traffic. Additionally, traditional finite-field implementations demand more computational resources than elliptic curve variants at equivalent security strengths, creating challenges for resource-constrained devices.
RSA (Rivest–Shamir–Adleman) exploits the mathematical asymmetry between multiplying large primes (easy) and factoring their products (computationally infeasible). This one-way function creates secure key generation.
RSA serves multiple security functions such as message encryption and signing, SSL/TLS transport protection, digital signature creation and verification, authentication in systems like Kerberos PKINIT, and safeguarding sensitive documents and personal information.
Elliptic Curve Diffie-Hellman (ECDH) modernizes the original DH approach using elliptic curve mathematics. It delivers superior efficiency and stronger security per key bit. Common uses include TLS session establishment, forward secrecy protection (preventing retrospective decryption even after key compromise), and VPN authentication through IKE.
ECDSA (Elliptic Curve Digital Signature Algorithm) applies elliptic curve cryptography to digital signatures, offering streamlined authentication with additional security properties.
Operating Modes
Main Mode uses a three-phase negotiation where different security elements are exchanged sequentially. This staged approach maximizes security and flexibility but increases connection establishment time.
Aggressive Mode condenses negotiations into two phases, bundling all parameters into the initial exchange. This accelerates connection setup but sacrifices identity protection, making it less secure than main mode.
Pre-Shared Keys (PSK)
PSKs are optional secrets distributed to both parties beforehand for mutual authentication. They establish trust and seed the encryption of follow-on communications. Distribution must occur through out-of-band secure channels which could be either separate protected communications or physical key transfer.
While PSKs strengthen authentication, they introduce operational challenges. Secure distribution is complex, and any compromise through interception undermines the entire session’s security. The decision to use PSKs depends on balancing these authentication benefits against deployment and management overhead.
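Added example (not part of the original notes): a toy finite-field Diffie-Hellman exchange in which a pre-shared key authenticates the exchanged public values, so the key substitution described under Diffie-Hellman is detected. The group parameters, function names and message layout are assumptions for illustration and are not IKE's actual wire format.

```python
import hashlib
import hmac
import secrets

# Toy group chosen for readability (assumption): the Mersenne prime 2**127 - 1.
# Real deployments use standardized 2048-bit or larger groups, or elliptic curves.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2          # value in 2..P-2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Hash the DH shared secret into a 32-byte session key."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def auth_tag(psk, initiator_pub, responder_pub):
    """HMAC keyed with the PSK over both public values of the exchange."""
    transcript = initiator_pub.to_bytes(16, "big") + responder_pub.to_bytes(16, "big")
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def exchange(psk, tamper=False):
    """Run one exchange between A (initiator) and B (responder).

    With tamper=True an on-path party replaces both public values in transit.
    Returns (keys_match, authenticated).
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    seen_by_a, seen_by_b = b_pub, a_pub
    if tamper:
        _, substituted = dh_keypair()            # value neither endpoint generated
        seen_by_a = seen_by_b = substituted
    key_a = session_key(a_priv, seen_by_a)
    key_b = session_key(b_priv, seen_by_b)
    # A tags the exchange as A saw it; B recomputes the tag from its own view.
    tag_from_a = auth_tag(psk, a_pub, seen_by_a)
    expected_by_b = auth_tag(psk, seen_by_b, b_pub)
    authenticated = hmac.compare_digest(tag_from_a, expected_by_b)
    return key_a == key_b, authenticated


if __name__ == "__main__":
    psk = b"constructed-example-psk"             # constructed sample value
    print("honest exchange  :", exchange(psk))
    print("tampered exchange:", exchange(psk, tamper=True))
```

Without the tag check, the tampered run would still complete on both sides, each endpoint simply holding a key it does not share with its peer.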
Authentication protocols form the security backbone of modern networks by verifying the identity of users and devices. Without these standardized mechanisms, networks would be vulnerable to unauthorized access and impersonation attacks. Beyond identity verification, these protocols enable secure information exchange, protecting data confidentiality and integrity across network communications.
Common Authentication Protocols
Kerberos–Operates through a Key Distribution Center (KDC) that issues tickets for authentication in domain environments, enabling single sign-on across networked resources.
SRP (Secure Remote Password)–Password-based protocol employing cryptographic protection against eavesdropping and man-in-the-middle interception.
SSL/TLS–Cryptographic protocols securing network communications. TLS succeeded SSL and remains the standard for internet communication security, encrypting data in transit.
OAuth–Open authorization standard letting users grant third-party application access to their resources without exposing passwords.
OpenID–Decentralized system allowing single identity use across multiple websites, simplifying user authentication management.
SAML (Security Assertion Markup Language)–XML-based framework for exchanging authentication and authorization information between trusted parties.
Authentication factor methods add an additional layer of security by combining two different authentication methods. The most popular combine something you know, like a password or a code sent to a specified email account or phone number, with something you are, like facial ID.
- 2FA (Two-Factor Authentication)–Combines two distinct verification factors for enhanced security
- MFA (Multi-Factor Authentication)–Uses multiple verification types: knowledge (passwords), possession (phones), or biometrics (fingerprints)
- FIDO (Fast IDentity Online)–Industry consortium developing open standards for passwordless strong authentication
PKI (Public Key Infrastructure)–Framework for secure information exchange using public/private key pairs for encryption and digital signatures.
SSO (Single Sign-On)–Allows one set of credentials to access multiple applications, reducing password fatigue while maintaining security.
Legacy password protocols are those that transmit credential information in plaintext or some other easily discoverable format.
- PAP (Password Authentication Protocol)–Transmits passwords in plaintext, highly insecure by modern standards
- CHAP (Challenge Handshake Authentication Protocol)–Uses three-way handshake for identity verification without transmitting passwords directly
EAP (Extensible Authentication Protocol)–Flexible framework supporting multiple authentication technologies, allowing organizations to choose verification methods matching their security requirements.
SSH (Secure Shell)–Network protocol for encrypted remote access, command execution, and file transfer. Uses strong encryption to prevent eavesdropping and supports multiple authentication methods.
HTTPS–Secure HTTP variant using SSL/TLS encryption for web communications. Prevents third-party interception and provides server authentication, standard for secure web browsing.
Wireless Authentication Protocols
LEAP (Lightweight EAP) is Cisco’s wireless authentication protocol using EAP for mutual authentication and RC4 encryption. However, it’s vulnerable to dictionary attacks and has been deprecated in favor of more secure alternatives.
PEAP (Protected EAP) is a secure tunneling protocol for wireless and wired networks built on EAP with TLS encryption. Uses server-side certificates for authentication and supports multiple client authentication methods including passwords, certificates, and biometrics. Widely deployed in enterprise environments.
Security Comparison: LEAP vs PEAP
PEAP uses server-side public key certificates while LEAP relies on shared secrets negotiated between endpoints. PEAP encrypts MSCHAPv2 hashes; LEAP transmits them unencrypted. PEAP supports robust algorithms like AES and 3DES, while LEAP uses the weaker RC4 cipher. Despite improvements, both protocols have known vulnerabilities and have been largely supplanted by EAP-TLS in security-conscious deployments.
Best Practices for Physical Connections
For wired connections and remote access, SSL/TLS-based protocols like SSH and HTTPS provide strong default security. They use robust cryptographic algorithms protecting authentication data from interception and tampering. They support PKI and digital certificate authentication for server verification, mitigating man-in-the-middle attacks, and they’re widely implemented across operating systems and devices, ensuring easy deployment and broad support. These protocols are purpose-built for remote access scenarios where wireless-specific protocols like LEAP or PEAP would be impractical or inappropriate.
TCP vs UDP
Recall that Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) serve different purposes in internet data transmission. TCP handles critical data like web pages and emails, while UDP manages real-time applications such as video streaming and online gaming.
TCP operates as a connection-oriented protocol, guaranteeing complete data delivery between systems. Think of it like a phone call where both parties maintain an active connection until one hangs up. When transmission errors occur, the receiver requests retransmission of missing data. This reliability comes at a performance cost: TCP is slower due to the overhead of error checking and recovery mechanisms.
UDP takes a connectionless approach, prioritizing speed over guaranteed delivery. There’s no verification that received data is complete or error-free. If packets go missing during transmission, no retransmission request is sent. Some data loss is acceptable in exchange for faster overall throughput, making UDP ideal for latency-sensitive applications.
IP Packet Structure
Internet Protocol packets function as the network layer’s data transmission unit in the OSI model. Each packet consists of two components: the header (routing and control information) and the payload (actual data content). Consider an IP packet like postal mail. The envelope is the header containing sender/recipient addresses and routing instructions, while the letter inside represents the payload data.
IP Header Fields
- Version–IP protocol version in use
- Internet Header Length–Header size measured in 32-bit words
- Class of Service–Data transmission priority level
- Total Length–Complete packet size in bytes
- Identification (ID)–Fragment identification for reassembly (16-bit field ranging 0-65535)
- Flags–Fragmentation indicators
- Fragment Offset–Fragment position within original packet
- Time to Live–Maximum network lifetime for the packet
- Protocol–Transport protocol identifier (TCP, UDP, etc.)
- Checksum–Header error detection
- Source/Destination–Origin and target addresses
- Options–Additional routing parameters
- Padding–Word-length alignment
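Added example (not part of the original notes): a parser for the 20-byte IPv4 header that extracts the fields listed above and verifies the header checksum. The sample header is constructed in the code, and all function names are assumptions for illustration.

```python
import socket
import struct

FMT = "!BBHHHBBH4s4s"   # fixed 20-byte part of the IPv4 header, network byte order


def checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, ident, ttl, proto, payload_len):
    """Construct a sample header (no options, DF set) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields)


def parse_header(raw: bytes) -> dict:
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4               # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "tos": tos,                          # the "Class of Service" byte
        "total_length": total,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl,
        "protocol": proto,                   # 6 = TCP, 17 = UDP
        "checksum_ok": checksum(raw[:ihl]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": raw[20:ihl],
    }


if __name__ == "__main__":
    # Constructed sample: UDP datagram with a 1329-byte payload.
    sample = build_header("192.168.5.75", "192.168.5.1", 2001, 64, 17, 1329)
    print(parse_header(sample))
```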
Identifying Multi-Homed Hosts
Systems with multiple IP addresses across different networks can be identified through IP ID field analysis. This field assigns unique sequential numbers to packets from the same source. Network traffic investigation in Wireshark might reveal:
IP 192.168.5.75.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2001
IP 192.168.5.75.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2002
IP 192.168.5.75.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2003
IP 172.16.8.150.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2004
IP 172.16.8.150.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2005
IP 172.16.8.150.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2006
Two different source addresses (192.168.5.75 and 172.16.8.150) are sending to 192.168.5.1, but the continuous IP ID sequence strongly suggests both addresses belong to a single host.
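Added example (not part of the original notes): the IP ID comparison above as a small script that parses the capture lines shown and reports pairs of source addresses whose packets continue a single ID sequence. The function name and the `max_gap` tolerance are assumptions; hosts that randomize the IP ID will not show this pattern, so an empty result proves nothing.

```python
import re
from collections import defaultdict

# Source address, source port, then the trailing "id N" of each capture line.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > .*\bid (\d+)")

# The six lines shown in the text above.
SAMPLE = """\
IP 192.168.5.75.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2001
IP 192.168.5.75.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2002
IP 192.168.5.75.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2003
IP 172.16.8.150.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2004
IP 172.16.8.150.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2005
IP 172.16.8.150.5060 > 192.168.5.1.5060: SIP, length: 1329, id 2006
"""


def sources_sharing_counter(lines, max_gap=3):
    """Return pairs of source IPs whose packets continue one IP ID sequence.

    A pair is reported when every observed hand-over between the two
    addresses advances the ID by 1..max_gap (modulo 2**16).
    """
    obs = [(m.group(1), int(m.group(2))) for m in map(LINE.search, lines) if m]
    links, breaks = defaultdict(int), defaultdict(int)
    for (prev_src, prev_id), (src, ip_id) in zip(obs, obs[1:]):
        if src == prev_src:
            continue                          # only hand-overs between addresses matter
        pair = tuple(sorted((prev_src, src)))
        delta = (ip_id - prev_id) % 65536     # the field is 16 bits and wraps
        if 1 <= delta <= max_gap:
            links[pair] += 1
        else:
            breaks[pair] += 1
    return {pair for pair, n in links.items() if n >= 1 and breaks[pair] == 0}


if __name__ == "__main__":
    for a, b in sources_sharing_counter(SAMPLE.splitlines()):
        print(f"{a} and {b} appear to share one IP ID counter")
```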
IP Record-Route Field
The Record-Route option tracks the complete path to a destination. When the target responds with an ICMP Echo Reply, all intermediate device addresses are logged in the IP header. Here is an example of what output would look like from the ping command:
$ ping -c 1 -R 172.20.50.200
PING 172.20.50.200 (172.20.50.200) 56(124) bytes of data.
64 bytes from 172.20.50.200: icmp_seq=1 ttl=63 time=11.7 ms
RR: 10.15.22.50
172.20.0.1
172.20.50.200
172.20.50.200
10.15.22.1
10.15.22.50
This output shows the complete round-trip path, that is, each hop the packet took to reach the target IP address and return.
Outbound: 10.15.22.50 → 172.20.0.1 → 172.20.50.200
Return: 172.20.50.200 → 10.15.22.1 → 10.15.22.50
Traceroute Mechanism
Traceroute is a powerful tool that lets you map a network node by node. It provides more precise path tracing by using TCP probes and TTL expiry to map out every hop between a source and destination.
- Send TCP SYN packet with TTL=1 to the destination
- Each router decrements TTL by 1 before forwarding
- When TTL reaches 0 at a router, it drops the packet and returns ICMP Time-Exceeded
- Record the responding router’s IP address
- Increment TTL by 1 and repeat
- Continue until receiving TCP SYN/ACK or RST from the actual destination
TCP Segments
TCP packets (called segments) consist of headers and payloads, encapsulated within IP packets. Header fields include:
- Source/Destination Ports–Sending and receiving application endpoints
- Sequence Number–Data ordering information
- Acknowledgment Number–Successful receipt confirmation
- Control Flags–Message state indicators (end of transmission, acknowledgment, retransmission requests)
- Window Size–Receiver buffer capacity
- Checksum–Error detection for header and payload
- Urgent Pointer–Critical data notification
The payload carries the actual transmitted data, similar to conversation content between two parties.
UDP Datagrams
UDP transmits small data packets (datagrams) without establishing connections beforehand. Data flows directly to targets without preliminary handshakes. When using traceroute with UDP (standard on Unix systems), reaching the destination generates “Destination Unreachable” and “Port Unreachable” ICMP messages, confirming the target was reached. This is because a UDP traceroute sends packets to high-numbered UDP ports (typically 33434 and incrementing) that are unlikely to have any service listening. As the UDP packets hop through routers toward the destination, each router at which the TTL expires sends back an ICMP “Time Exceeded” message, revealing that hop’s IP address. When the packet finally reaches the destination host with sufficient TTL, the target receives a UDP packet destined for a port with no listening service and answers with the unreachable message.
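Added example (not part of the original notes): an offline simulation of the TTL walk described in the Traceroute Mechanism steps and of the UDP variant above, including a router that never sends ICMP. The path, reply labels and function names are constructed for illustration; no packets are sent.

```python
TIME_EXCEEDED = "icmp-time-exceeded"

# Constructed path: routers in order, destination last.
PATH = ["10.15.22.1", "172.20.0.1", "172.20.50.200"]


def send_probe(path, ttl, mode, silent=frozenset(), port_open=False):
    """Return (responder, reply) for one simulated probe, or None on timeout."""
    for router in path[:-1]:
        ttl -= 1                              # each router decrements before forwarding
        if ttl == 0:
            # Routers listed in `silent` drop the packet without sending ICMP.
            return None if router in silent else (router, TIME_EXCEEDED)
    dest = path[-1]
    if mode == "tcp":
        # A SYN reaching the destination is answered by the TCP stack itself.
        return dest, "tcp-syn-ack" if port_open else "tcp-rst"
    # A UDP probe to a closed high port triggers ICMP port unreachable.
    return dest, "icmp-port-unreachable"


def traceroute(path, mode="udp", max_hops=30, **probe_args):
    """Walk TTL = 1, 2, ... and record who answers each probe."""
    hops = []
    for ttl in range(1, max_hops + 1):
        result = send_probe(path, ttl, mode, **probe_args)
        if result is None:
            hops.append((ttl, "*", "timeout"))   # shown as '*' by real tools
            continue
        responder, reply = result
        hops.append((ttl, responder, reply))
        if reply != TIME_EXCEEDED:
            break                              # the destination answered
    return hops


if __name__ == "__main__":
    for hop in traceroute(PATH, mode="tcp", port_open=True):
        print(hop)
    for hop in traceroute(PATH, mode="udp", silent={"172.20.0.1"}):
        print(hop)
```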
Blind Spoofing Attacks
Blind spoofing manipulates data on networks without observing target responses. Attackers falsify IP header fields including source/destination addresses and ports. By sending TCP packets with forged Initial Sequence Numbers (ISN is the field specifying the first packet’s sequence number), attackers can trick targets into establishing connections without proper handshakes. This technique disrupts network connection integrity, severs device communications, monitors traffic flows, and intercepts sensitive information transmitted between network endpoints.
Encryption and Cryptography
Recall that encryption uses complex maths to modify data in a way that hides it from prying eyes through a process that can be undone to reveal the plaintext. It’s used to hide payment details, emails, and personal information. It ensures confidentiality and prevents tampering. Digital keys enable encryption through symmetric or asymmetric processes. Modern cryptographic methods with extensive key lengths provide robust security that’s currently impractical to compromise. While asymmetric techniques emerged relatively recently, they’ve become the dominant approach in digital communications.
Symmetric Encryption
Symmetric encryption (secret key encryption) employs a single key for both encryption and decryption operations. Both senders and receivers must possess identical keys to properly decode transmitted data. Security fails if the secret key is exposed or compromised. Key distribution, storage, and exchange represent critical vulnerabilities in symmetric systems. This is because you need a secure method to exchange the secret key to establish secure transmission of your data. Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are the most commonly used symmetric algorithms, deployed for encrypting large data volumes like hard drive files or network transmissions. AES currently represents the most secure symmetric cipher.
Asymmetric Encryption
Asymmetric encryption (public-key encryption) operates with paired keys. The public key encrypts the data and is openly shared, while the private key decrypts data and is kept secret. Anyone can use a recipient’s public key to encrypt messages, but only the holder of the corresponding private key can decrypt them. Rivest–Shamir–Adleman (RSA), Pretty Good Privacy (PGP), and Elliptic Curve Cryptography (ECC) are prominent asymmetric methods.
Asymmetric encryption offers superior security grounded in computationally difficult mathematical problems resistant to basic attacks. It eliminates the key exchange problem plaguing symmetric methods: since public keys can be freely distributed, secret key exchange becomes unnecessary. Additionally, asymmetric systems enable authentication through digital signatures.
Data Encryption Standard (DES)
DES is a symmetric block cipher combining one-time pad, permutation, and substitution techniques applied to bit sequences. Encryption and decryption use identical keys. The 64-bit key structure includes 8 checksum bits, yielding an effective 56-bit key length. To counter frequency analysis attacks, DES encrypts 64-bit plaintext blocks into 64-bit ciphertext blocks rather than individual characters.
Triple DES (3DES) extends DES security through three-stage processing: encrypt with key one, decrypt with key two, encrypt with key three. While more secure than standard DES through triple encryption rounds, the 56-bit key limitation persists. AES succeeded DES, providing enhanced security through longer keys and becoming today’s predominant symmetric encryption technology.
Advanced Encryption Standard (AES)
AES surpasses DES by supporting 128-bit, 192-bit, or 256-bit keys for encryption/decryption operations. AES outperforms DES in speed due to more efficient algorithm architecture, allowing simultaneous processing of multiple data blocks. This parallel processing capability accelerates encryption/decryption and is critical when handling massive data volumes. AES appears in numerous applications and protocols such as IPsec, SSH, VoIP, PGP, OpenSSL, and WLAN IEEE 802.11i.
Cipher Modes
Cipher modes define how block cipher algorithms process plaintext messages. Block ciphers operate on fixed-size chunks (typically 64 or 128 bits). The cipher mode determines how these blocks are processed and combined to encrypt arbitrary-length messages. Here are some of the more commonly used cipher modes.
Electronic Code Book (ECB)–Generally discouraged due to vulnerability to pattern-based attacks. Fails to effectively mask data patterns, allowing statistical analysis to reveal plaintext elements in applications like web services.
Cipher Block Chaining (CBC)–Standard for disk encryption and email security. Default AES mode implemented in TrueCrypt, VeraCrypt, TLS, and SSL protocols.
Cipher Feedback (CFB)–Optimized for real-time data stream encryption including network communications and file transit operations. Used in Public-Key Cryptography Standards (PKCS) and Microsoft BitLocker.
Output Feedback (OFB)–Designed for data stream encryption like real-time communications. Considered superior for streaming data due to keystream generation methodology. Implemented in PKCS and SSH protocols.
Counter (CTR)–Encrypts real-time data streams in AES implementations including network communications, disk encryption, and time-sensitive scenarios. Examples include IPsec and Microsoft BitLocker.
Galois/Counter (GCM)–Provides simultaneous confidentiality and integrity protection for wireless communications, VPNs, and secure communication protocols requiring both guarantees.
