Is an identifier which is assigned to each computer and other components?

An IP address is a unique numeric identifier for a computer or other device on a TCP/IP network. TCP/IP (transmission control protocol/Internet protocol) is the set of protocols (i.e., agreed upon formats) that is used for the Internet as well as for most LANs (local area networks) and other computer networks.

In IPv4, the current standard protocol for the Internet, each IP address consists of 32 bits. They are expressed as four sets of numbers, each between 0 and 255, which are separated by periods. Examples are 115.25.3.108 and 127.0.0.1; the latter is the so-called loopback address, which returns messages to the same computer that sent them and is used for testing purposes and by some applications.

32 bits allow more than four billion (exactly 4,294,967,296) unique addresses. In practice far fewer are usable, because addresses are handed out in hierarchical blocks so that routers can summarise them, and much of each block goes unused. Routing, which is usually performed by a dedicated device called a router, is the process of moving packets (the basic unit of data transmission) from source to destination. Hence the pressure to extend the address range through IPv6, the next-generation Internet protocol.

IPv4 addresses originally had only two parts, network and host; subnetting later inserted a third, the subnetwork, between them. CIDR (classless inter-domain routing) now allows the boundary between network and host to fall at any bit position, expressed as a prefix length (for example /24), so an address can have any number of levels of hierarchy.
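The following Python is an added example, not part of the original article, that shows what the 32-bit value, the dotted-quad notation and a CIDR prefix length mean at the bit level. It parses addresses strictly (a security-relevant habit: two components that disagree on whether "010" is octal or decimal disagree on which host is meant), derives the network mask from the prefix, and tests block membership by hand rather than via the standard ipaddress module. All addresses used are documentation or reserved ranges chosen for illustration.

```python
# Added example (not from the original page): dotted-quad parsing and CIDR arithmetic
# done by hand on the 32-bit integer, to show what "four octets" and "prefix length"
# mean at the bit level. Standard library only; all sample inputs are constructed.
import re

_OCTET_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ipv4_to_int(addr: str) -> int:
    """Strictly parse a dotted quad into its 32-bit value.

    Rejects anything that is not exactly four decimal octets in 0..255, including
    leading zeros ("010" is octal to some C parsers, decimal to others), so two
    components of a system cannot disagree about which host an address names.
    """
    m = _OCTET_RE.match(addr)
    if not m:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in m.groups():
        if len(octet) > 1 and octet[0] == "0":
            raise ValueError(f"leading zero in octet {octet!r} of {addr!r}")
        n = int(octet)
        if n > 255:
            raise ValueError(f"octet {n} out of range in {addr!r}")
        value = (value << 8) | n          # shift the previous octets up, append this one
    return value


def int_to_ipv4(value: int) -> str:
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str):
    """Return (network_int, prefix_len, mask_int) for 'a.b.c.d/n'.

    CIDR lets the network/host split fall on any bit boundary: the mask is simply
    the top n bits set. The address part is normalised to the network address.
    """
    addr, sep, prefix = cidr.partition("/")
    if not sep:
        raise ValueError(f"missing prefix length in {cidr!r}")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length {n} out of range")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return ipv4_to_int(addr) & mask, n, mask


def cidr_contains(cidr: str, addr: str) -> bool:
    network, _, mask = parse_cidr(cidr)
    return (ipv4_to_int(addr) & mask) == network


def cidr_host_count(cidr: str) -> int:
    """Usable host addresses in the block: the all-zeros (network) and all-ones
    (broadcast) addresses are excluded, except for /31 and /32 where every address is usable."""
    _, n, _ = parse_cidr(cidr)
    size = 1 << (32 - n)
    return size if n >= 31 else size - 2


def is_loopback(addr: str) -> bool:
    """127.0.0.0/8 is the loopback block; 127.0.0.1 is just its best-known member."""
    return cidr_contains("127.0.0.0/8", addr)


if __name__ == "__main__":
    print(hex(ipv4_to_int("115.25.3.108")))          # 0x7319036c
    print(cidr_contains("10.0.0.0/8", "10.200.1.5"))  # True
    print(cidr_host_count("192.0.2.0/24"))           # 254
    print(is_loopback("127.255.255.254"))            # True
```

The strictness in ipv4_to_int is deliberate: access-control lists that compare addresses as strings, or that accept "0x7f.1" and "0177.1" as some libc inet_aton implementations do, are a recurring source of allow-list bypasses.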

Within an isolated network, IP addresses can be assigned arbitrarily as long as each one is unique. For computers connected to the Internet, it is necessary to use registered IP addresses (or addresses from the private ranges, which are not routed on the public Internet and are translated at the border) in order to avoid duplicates.

A static IP address is one that stays the same every time the device connects to the network and changes only when changed manually. A dynamic IP address is one that may differ each time a device connects and is assigned by the Dynamic Host Configuration Protocol (DHCP). Dynamic assignment removes the need for system administrators to assign addresses by hand and makes more efficient use of the limited pool available to an ISP (Internet service provider), business or other organization. Dial-up users always received dynamically assigned addresses; most residential DSL and cable customers do too (the address often stays the same for long periods but is not guaranteed to), while one or more static addresses are usually a paid option or part of a business service.

IP address assignments are made by registry organizations, such as ARIN (American Registry for Internet Numbers), in response to requests from ISPs and other organizations for a netblock (a range of consecutive IP addresses). If an organization has exhausted a substantial part of its allocated netblock, it can request another.

IPv6, which at the time of writing was expected to be slowly phased in over the following five to 15 years, features a 128-bit addressing scheme that allows for a vastly increased number of unique addresses: 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 (about 3.4 × 10^38). This will facilitate creation of the so-called Internet of Things, in which a vast array of objects in addition to computers is connected to the Internet. IPv5 existed only as an experimental protocol and will not be deployed for general use.

An APN Network Identifier may be used to access a service associated with a PDN GW. This may be achieved by defining an APN that, in addition to being usable to select a PDN GW, is also locally interpreted to be a request for a specific service by the PDN GW. An example would be a unique APN for IMS services.


URL: https://www.sciencedirect.com/science/article/pii/B9780123945952000098

Key concepts

Stefan Rommer, ... Catherine Mulligan, in 5G Core Networks, 2020

5.3 Identifiers

Identifiers play an important role in the 5G System. For example, the permanent and temporary subscriber identities are constructed to identify not only a particular subscriber, but also the network function(s) where the permanent and temporary subscriber records are stored. In this chapter we take a brief look at some of the most important identifiers in 5GS.

The main permanent subscription identifier is the Subscription Permanent Identifier (SUPI) that is allocated to each subscriber to the 5G System. The Subscription Concealed Identifier (SUCI) is a privacy preserving identifier containing a concealed SUPI. In addition, temporary identifiers (5G-GUTI, 5G-S-TMSI) are used in the vast majority of signaling flows in order to support user confidentiality protection. The equipment is identified separately from the subscription and each 5G UE has a Permanent Equipment Identifier (PEI).

Subscription Permanent Identifier – SUPI

The SUPI may contain either an IMSI or a network-specific identifier (used for private networks). The SUPI is privacy protected over the radio using the Subscription Concealed Identifier (SUCI).

Subscription Concealed Identifier – SUCI

The Subscription Concealed Identifier (SUCI) is a privacy-preserving identifier containing the concealed SUPI. The SUCI is a one-time-use subscription identifier: a fresh SUCI is generated each time one has been used, so that two SUCIs from the same subscriber cannot be linked by an observer.

The SUPI and SUCI are represented in the form of a Network Access Identifier (NAI).

The username part of the NAI representation of a SUCI can take the following forms:

(a) for the null-scheme:

type<supi type>.hni<home network identifier>.rid<routing indicator>.schid<protection scheme id>.userid<MSIN or Network Specific Identifier SUPI username>

(b) for the Scheme Output of the Elliptic Curve Integrated Encryption Scheme, Profile A and Profile B:

type<supi type>.hni<home network identifier>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.ecckey<ECC ephemeral public key value>.cip<ciphertext value>.mac<MAC tag value>

(c) for HPLMN proprietary protection schemes:

type<supi type>.hni<home network identifier>.rid<routing indicator>.schid<protection scheme id>.hnkey<home network public key id>.out<HPLMN defined scheme output>

The SUPI Type identifies the type of the SUPI concealed in the SUCI.

Home Network Identifier identifies the home network of the subscriber.

Routing Indicator is set to 0 unless the Home Network operator partitions AUSF and UDM where the routing indicator helps identify the AUSF and UDM to use.

Protection Scheme Identifier identifies the protection scheme.

Home Network Public Key Identifier is used to identify the key used for SUPI protection.

Scheme Output represents the output of a public key protection scheme or an HPLMN-specific protection scheme.

For further details on SUPI and SUCI see Chapter 8, 3GPP TS 33.501 and 3GPP TS 23.003.
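The following Python is an added example, not from the book, that parses and sanity-checks the three NAI username forms listed above and rebuilds them. It also serves the SUCI field list in the 5G system identifiers section later on this page. The field sizes it enforces for the ECIES profiles (a 32-octet ephemeral key for Profile A, a 33-octet compressed point for Profile B, a 64-bit MAC tag) are those of 3GPP TS 33.501 Annex C; the scheme-identifier ranges (0 null, 1 and 2 ECIES, 12 to 15 HPLMN proprietary) are also from TS 33.501. The sample SUCIs, the home network code 234/15 and the key identifier 27 are constructed placeholders, not captured values.

```python
# Added example (not from the book): parse and sanity-check the NAI username
# form of a SUCI as laid out above. Field sizes for Profiles A/B follow
# 3GPP TS 33.501 Annex C; the sample SUCIs below are constructed, not captured.
import re
from dataclasses import dataclass, field

SUPI_TYPE = {0: "IMSI", 1: "Network Specific Identifier"}
SCHEME = {0: "null-scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}
PROPRIETARY_SCHEMES = range(12, 16)   # 12..15 are reserved for HPLMN-defined schemes

_HEAD = re.compile(r"^type(?P<type>\d)\.hni(?P<hni>.+?)\.rid(?P<rid>\d{1,4})\.schid(?P<schid>\d{1,2})\.(?P<rest>.+)$")
_NULL = re.compile(r"^userid(?P<userid>.+)$")
_ECIES = re.compile(r"^hnkey(?P<hnkey>\d+)\.ecckey(?P<ecckey>[0-9A-Fa-f]+)\.cip(?P<cip>[0-9A-Fa-f]+)\.mac(?P<mac>[0-9A-Fa-f]+)$")
_PROP = re.compile(r"^hnkey(?P<hnkey>\d+)\.out(?P<out>.+)$")


@dataclass
class Suci:
    supi_type: int
    hni: str
    rid: str
    schid: int
    fields: dict = field(default_factory=dict)

    @property
    def conceals_subscriber(self) -> bool:
        """The null-scheme sends the MSIN/username in the clear; only a real
        protection scheme actually conceals the subscription-specific part."""
        return self.schid != 0


def parse_suci_username(s: str) -> Suci:
    m = _HEAD.match(s)
    if not m:
        raise ValueError("not a SUCI username: missing type/hni/rid/schid prefix")
    supi_type, schid = int(m["type"]), int(m["schid"])
    if supi_type not in SUPI_TYPE:
        raise ValueError(f"unknown SUPI type {supi_type}")
    if supi_type == 0 and not re.fullmatch(r"\d{5,6}", m["hni"]):
        raise ValueError("IMSI-type SUPI needs hni = MCC+MNC (5 or 6 digits)")
    rest = m["rest"]
    if schid == 0:
        body = _NULL.match(rest)
        if not body:
            raise ValueError("null-scheme SUCI must end in userid<...>")
        fields = {"userid": body["userid"]}
    elif schid in (1, 2):
        body = _ECIES.match(rest)
        if not body:
            raise ValueError("ECIES SUCI must carry hnkey, ecckey, cip and mac")
        fields = body.groupdict()
        key_len = len(fields["ecckey"]) // 2
        expected = 32 if schid == 1 else 33      # X25519 point / compressed P-256 point
        if len(fields["ecckey"]) % 2 or key_len != expected:
            raise ValueError(f"ecckey must be {expected} octets for {SCHEME[schid]}")
        if len(fields["mac"]) != 16:              # 64-bit MAC tag as hex
            raise ValueError("mac must be 8 octets")
    elif schid in PROPRIETARY_SCHEMES:
        body = _PROP.match(rest)
        if not body:
            raise ValueError("proprietary-scheme SUCI must carry hnkey and out")
        fields = body.groupdict()
    else:
        raise ValueError(f"protection scheme id {schid} is reserved")
    return Suci(supi_type, m["hni"], m["rid"], schid, fields)


def build_suci_username(supi_type, hni, rid, schid, **fields) -> str:
    """Inverse of parse_suci_username; the label order is fixed by the format."""
    order = {0: ["userid"], 1: ["hnkey", "ecckey", "cip", "mac"], 2: ["hnkey", "ecckey", "cip", "mac"]}
    labels = order.get(schid, ["hnkey", "out"])
    tail = ".".join(f"{k}{fields[k]}" for k in labels)
    return f"type{supi_type}.hni{hni}.rid{rid}.schid{schid}.{tail}"


# Constructed samples: MCC 234 / MNC 15 and key id 27 are placeholders, and the
# ecckey/cip/mac hex is filler of the right length, not real scheme output.
NULL_SAMPLE = build_suci_username(0, "23415", "0", 0, userid="0999999999")
PROFILE_A_SAMPLE = build_suci_username(0, "23415", "0", 1, hnkey="27",
                                       ecckey="ab" * 32, cip="11" * 5, mac="22" * 8)
```

Note what conceals_subscriber makes visible: with the null-scheme the MSIN travels in the clear inside the SUCI, so a network that permits scheme 0 gets none of the privacy benefit the concealed identifier is meant to provide, and the home network identifier (MCC+MNC) is never concealed under any scheme.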

Permanent Equipment Identifier – PEI

A Permanent Equipment Identifier (PEI) is allocated to each 5G UE. The PEI parameter consists of a PEI type and either an IMEI or an IMEISV.

The International Mobile Station Equipment Identity (IMEI) and International Mobile Station Equipment Identity and Software Version Number (IMEISV) are defined the same way as in EPS. For further details see 3GPP TS 23.003.

5G Globally Unique Temporary Identifier – 5G-GUTI

5G-GUTI is assigned to the UE by the 5GC (AMF). The 5G-GUTI can be re-assigned by the AMF at any time.

As detailed in 3GPP TS 23.003 the 5G-GUTI is structured as:

<5G-GUTI> := <GUAMI><5G-TMSI>

5G-TMSI is a temporary subscriber identifier assigned by an AMF and unique within the GUAMI.

The Globally Unique AMF ID (GUAMI) identifies one or more AMF(s) and is structured as:

<GUAMI> := <MCC><MNC><AMF Region ID><AMF Set ID><AMF Pointer>

The AMF Region ID identifies the region, AMF Set ID uniquely identifies the AMF Set within the AMF Region and AMF Pointer identifies one or more AMFs within the AMF Set.

5G-S-TMSI is the short form of the 5G-GUTI that is used e.g. during Paging and Service Request for more efficient radio signaling:

<5G-S-TMSI> := <AMF Set ID><AMF Pointer><5G-TMSI>

The relations between AMF Region, AMF Set, GUAMI and temporary identifiers are illustrated in Fig. 5.2.
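The bit layout behind these three formulas, as an added example that is not from the book and also covers the 5G-GUTI description in the 5G system identifiers section later on this page. The field widths (AMF Region ID 8 bits, AMF Set ID 10 bits, AMF Pointer 6 bits, 5G-TMSI 32 bits, giving a 24-bit AMF Identifier and a 48-bit 5G-S-TMSI) are those of 3GPP TS 23.003; the PLMN 234/15 and the region, set, pointer and TMSI values in the sample are constructed.

```python
# Added example (not from the book): pack and unpack the 5G-GUTI, GUAMI and
# 5G-S-TMSI bit fields. Field widths (AMF Region ID 8 bits, AMF Set ID 10 bits,
# AMF Pointer 6 bits, 5G-TMSI 32 bits) are those of 3GPP TS 23.003; the sample
# values are constructed.
from dataclasses import dataclass

REGION_BITS, SET_BITS, POINTER_BITS, TMSI_BITS = 8, 10, 6, 32


def _check(name, value, bits):
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")
    return value


@dataclass(frozen=True)
class Guami:
    mcc: str          # 3 decimal digits
    mnc: str          # 2 or 3 decimal digits
    region_id: int
    set_id: int
    pointer: int

    def __post_init__(self):
        if not (self.mcc.isdigit() and len(self.mcc) == 3):
            raise ValueError("MCC must be 3 digits")
        if not (self.mnc.isdigit() and len(self.mnc) in (2, 3)):
            raise ValueError("MNC must be 2 or 3 digits")
        _check("AMF Region ID", self.region_id, REGION_BITS)
        _check("AMF Set ID", self.set_id, SET_BITS)
        _check("AMF Pointer", self.pointer, POINTER_BITS)

    @property
    def amf_identifier(self) -> int:
        """24-bit <AMF Region ID><AMF Set ID><AMF Pointer>."""
        return (self.region_id << (SET_BITS + POINTER_BITS)) | (self.set_id << POINTER_BITS) | self.pointer

    @classmethod
    def from_amf_identifier(cls, mcc: str, mnc: str, amfi: int) -> "Guami":
        _check("AMF Identifier", amfi, REGION_BITS + SET_BITS + POINTER_BITS)
        return cls(mcc, mnc,
                   region_id=amfi >> (SET_BITS + POINTER_BITS),
                   set_id=(amfi >> POINTER_BITS) & ((1 << SET_BITS) - 1),
                   pointer=amfi & ((1 << POINTER_BITS) - 1))


@dataclass(frozen=True)
class FiveGGuti:
    guami: Guami
    tmsi: int

    def __post_init__(self):
        _check("5G-TMSI", self.tmsi, TMSI_BITS)

    @property
    def s_tmsi(self) -> int:
        """48-bit 5G-S-TMSI := <AMF Set ID><AMF Pointer><5G-TMSI>, the short form
        used over the radio (paging, Service Request). It drops the PLMN ID and the
        AMF Region ID, so it is only unambiguous within the serving region."""
        return (self.guami.set_id << (POINTER_BITS + TMSI_BITS)) | (self.guami.pointer << TMSI_BITS) | self.tmsi

    def text(self) -> str:
        """MCC, MNC, then the 24-bit AMF Identifier and 32-bit 5G-TMSI as hex."""
        return f"{self.guami.mcc}{self.guami.mnc}{self.guami.amf_identifier:06x}{self.tmsi:08x}"


def split_s_tmsi(s_tmsi: int):
    """Recover (AMF Set ID, AMF Pointer, 5G-TMSI) from a 48-bit 5G-S-TMSI."""
    _check("5G-S-TMSI", s_tmsi, SET_BITS + POINTER_BITS + TMSI_BITS)
    return (s_tmsi >> (POINTER_BITS + TMSI_BITS),
            (s_tmsi >> TMSI_BITS) & ((1 << POINTER_BITS) - 1),
            s_tmsi & ((1 << TMSI_BITS) - 1))


# Constructed sample: PLMN 234/15, region 0x12, set 0x3A5, pointer 0x11, TMSI 0xC0FFEE01.
SAMPLE = FiveGGuti(Guami("234", "15", region_id=0x12, set_id=0x3A5, pointer=0x11), tmsi=0xC0FFEE01)
```

Because the AMF Set ID and AMF Pointer are the low 16 bits of the AMF Identifier, the 5G-S-TMSI of the sample is simply those 16 bits followed by the 32-bit 5G-TMSI; a paging message therefore reveals which AMF set and pointer serve the UE even though it omits the PLMN and region.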


Fig. 5.2. Relation between identifiers.

Generic Public Subscription Identifier – GPSI

The Generic Public Subscription Identifier (GPSI) is a public identifier, e.g. used for addressing a 3GPP subscription from an external network. The GPSI can be an MSISDN (a phone number) or an External Identifier of the form <Local Identifier>@<Domain Identifier> (see 3GPP TS 23.003).


URL: https://www.sciencedirect.com/science/article/pii/B9780081030097000053

Architecture extensions and vertical industries

Stefan Rommer, ... Catherine Mulligan, in 5G Core Networks, 2020

16.3.3 Support for Non-Public Networks

16.3.3.1 Introduction

A Non-Public Network (NPN) is intended for the sole use of a private entity such as an enterprise. An NPN may be deployed as a completely standalone network, or it may be integrated with a PLMN (i.e. a public network), e.g. offered as a Network Slice of the PLMN.

When an NPN is deployed as a Standalone NPN (SNPN), the NPN does not rely on network functions provided by a PLMN.

When an NPN is deployed as a Public Network Integrated NPN (PNI-NPN), the NPN is made available via the PLMN. There are different options for how a PNI-NPN can be provided: e.g. access to the NPN can be made available using dedicated DNNs, or a Network Slice can be dedicated to the NPN, with various levels of resources and Network Functions shared between the NPN and the PLMN.

Fig. 16.7 shows a high-level description of example deployment options for NPN.


Fig. 16.7. Examples of NPN deployment options.

16.3.3.2 Stand-alone Non-Public Networks

A PLMN is identified by a PLMN ID consisting of a Mobile Country Code (MCC) and a Mobile Network Code (MNC). The MCC is three digits in length and each value is allocated to a country, except that the MCCs in the 90x range are non-geographic (country-agnostic). The MNC is two or three digits in length and is administered by the respective national numbering plan administrator, i.e. a country, except for the MNCs under the 90x MCC range, which are administered by the ITU Director of the Telecommunication Standardization Bureau. The MNC in combination with the MCC has traditionally provided enough information to identify a network. However, to support the deployment of many SNPNs, the network identifier needs to be extended.

To identify an SNPN, a Network Identifier (NID) has been added to be used with the PLMN ID, i.e. the combination of a PLMN ID and Network identifier identifies an SNPN.

In principle, a NID can be used in combination with any PLMN ID. However, the ITU has, in ITU OB 1156 (2018), allocated MCC 999 for internal use within private networks, with no restrictions on the MNC used under it. That MCC is therefore a natural choice for an SNPN. Several regions/countries have also allocated specific MNC values for closed networks or networks for private use. 3GPP allows any PLMN ID to be used together with a NID.

To enable support for SNPNs, many of the procedures that include a PLMN ID have therefore been extended with an optional NID. An interested reader is referred to the 3GPP specifications for further details of the enhancements added to support SNPN, e.g. 3GPP TS 23.501.

16.3.3.3 Access to PLMN services via an SNPN, and access to SNPN services via a PLMN

It is possible for a UE that has successfully registered with an SNPN to access PLMN services as depicted in Fig. 16.8. The UE first registers in the SNPN and establishes a PDU Session for obtaining IP connectivity via the SNPN to discover and establish connectivity to an N3IWF provided by the PLMN. The connectivity to the N3IWF in the PLMN re-uses the same functionality as specified for untrusted Non-3GPP access via NWu. The UE, using the credentials of the PLMN, then registers to the AMF in the PLMN via the ‘NWu-PLMN’ and ‘N1-PLMN’ to be able to access the services provided by the PLMN.


Fig. 16.8. Access to PLMN services via a Non-Public Network.

In a similar way, a UE that has successfully registered with a PLMN may perform another registration with an SNPN, using the credentials of that SNPN, following the same principles as described above, and in Fig. 16.8, but with the SNPN exchanged with a PLMN, and the PLMN exchanged with an SNPN.

When the UE moves between access networks from an SNPN to a PLMN, service continuity for PDU Sessions established in the PLMN via the SNPN can be achieved by re-using the procedure ‘Handover of a PDU Session procedure from untrusted non-3GPP to 3GPP access’ described in Chapter 15. The procedure maintains IP address preservation, and a seamless experience can be achieved if the UE is able to keep simultaneous access to both the NPN and the PLMN access networks. Again, similar service continuity for PDU Sessions established in the SNPN via the PLMN can be achieved using the same procedure.

16.3.3.4 Public network integrated NPN

5GS supports ways for a PLMN to enable access for specific purposes, e.g. a special DNN or dedicated Network Slices. However, where there is a need to prevent UEs that are not authorized for the NPN from even trying to access the network, some further mechanism is required: the existing mechanisms either imply rejecting the UE's access attempts after the fact or require barring the cell, e.g. using UAC. The mechanism enabling such control of UE access attempts is called Closed Access Group (CAG).

A Closed Access Group identifies a group of subscribers who are permitted to access one or more CAG cells associated with the CAG. That is, CAG is used to prevent UE(s) that are not allowed to access the NPN via the associated cell(s) from automatically selecting and accessing those cell(s).

A CAG is identified by a CAG Identifier, which is unique only within the scope of a PLMN ID. A CAG cell broadcasts one or more CAG Identifiers per PLMN.

To support CAG, the UE is configured with an Allowed CAG list, i.e. a list of the CAG Identifiers the UE may access, and optionally an indication of whether the UE is only allowed to access 5GS via CAG cells. The 5GC also provides the same CAG information to NG-RAN, for NG-RAN to apply during connected-mode mobility, i.e. to avoid selecting target cells that the UE is not authorized to access.
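The UE-side selection check implied by the above, as an added example that is not from the book. It models the Allowed CAG list per PLMN, the CAG-only indication and the CAG Identifiers a cell broadcasts per PLMN, and makes the scoping explicit: a CAG Identifier is only unique within its PLMN, so the same number under a different PLMN ID is a different group. The PLMN IDs and CAG numbers in the scenario are constructed.

```python
# Added example (not from the book): the UE-side check that decides whether a
# cell may be selected under CAG. The data model (allowed CAG list per PLMN,
# CAG-only indication, CAG IDs broadcast per PLMN) mirrors the text above; the
# identifiers in the samples are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cell:
    plmn_id: str                      # MCC+MNC, e.g. "23415"
    cag_ids: frozenset = frozenset()  # CAG Identifiers broadcast for this PLMN; empty = not a CAG cell

    @property
    def is_cag_cell(self) -> bool:
        return bool(self.cag_ids)


@dataclass
class UeCagConfig:
    allowed: dict = field(default_factory=dict)  # plmn_id -> set of allowed CAG Identifiers
    cag_only: bool = False                        # indication: UE may use CAG cells only


def cell_selectable(cfg: UeCagConfig, cell: Cell) -> bool:
    """CAG Identifiers are unique only within a PLMN, so membership is checked
    under the cell's own PLMN ID; the same number under another PLMN is a
    different CAG and must not match."""
    if not cell.is_cag_cell:
        return not cfg.cag_only           # ordinary cell: fine unless the UE is CAG-only
    allowed_here = cfg.allowed.get(cell.plmn_id, set())
    return bool(cell.cag_ids & allowed_here)


def selectable_cells(cfg: UeCagConfig, cells):
    return [c for c in cells if cell_selectable(cfg, c)]


# Constructed scenario: a factory NPN is CAG 0x1 inside PLMN 23415.
FACTORY_UE = UeCagConfig(allowed={"23415": {0x1}}, cag_only=True)
PHONE_UE = UeCagConfig()   # ordinary subscriber with no CAG list
CELLS = [
    Cell("23415", frozenset({0x1})),      # the factory's CAG cell
    Cell("23415", frozenset({0x2})),      # another enterprise's CAG cell in the same PLMN
    Cell("23499", frozenset({0x1})),      # same CAG number, different PLMN: a different group
    Cell("23415"),                        # normal public cell
]
```

The same logic run by NG-RAN against the CAG information it receives from the 5GC keeps a connected UE from being handed over to a cell it could not have selected on its own.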


URL: https://www.sciencedirect.com/science/article/pii/B9780081030097000168

ZigBee Applications

In Zigbee Wireless Networking, 2008

4.8 ZigBee AES 128-Bit Security

The ZigBee security suite is built on the Advanced Encryption Standard (AES) with 128-bit keys, a well-respected block cipher published by the National Institute of Standards and Technology (NIST). To read more about AES, go to http://www.nist.gov.

If you read the security section in the ZigBee specification, you might get a headache. The language is pretty thick, and there are a lot of security options, including security levels, a variety of key types, CCM*, and so on. Security encompasses 120 pages of the 534-page ZigBee specification. But from an application standpoint, ZigBee security is simple. It is always there.

That's right! There are no code changes or special parameters to set on a data request to include security. It's just there (see Figure 4.28).


Figure 4.28. ZigBee Secure Data Frame

ZigBee both encrypts and authenticates packets. The encrypted portion (the NWK payload) cannot be understood by any node sniffing the air. This covers sensitive customer data, such as billing or medical records, and any other application payload, including which clusters, profile and endpoints are used.

ZigBee authenticates the entire frame. Authentication is required to prevent any node from injecting a forged packet into the network and, together with the frame counter carried in the auxiliary header, to reject replays. A replay attack is simple to perform: set an 802.15.4 device listening on a channel or set of channels and, when a packet is heard, replay it byte for byte. ZigBee will simply throw these packets away, since a receiver tracks the frame counter of each source and ignores anything it has already seen.

Denial of service is another type of wireless attack, and is something that's very difficult to prevent. I can write a small bit of code (no, I'm not providing it in the book!) that constantly transmits. Any radios within hearing range will not be able to transmit because all of the bandwidth is used. This is the equivalent to someone cutting the power to a building, or cutting the office broadband connection to the Internet. With ZigBee, using signal strength (LQI) makes it fairly easy to track down the culprit.

ZigBee uses a 128-bit key for the entire network, called a network key. It is assumed that if a node is allowed on a ZigBee network, it is trusted. This is similar to allowing someone in your home. You at least trust them not to steal the silver.

Some applications require additional security beyond the network key, for example when multiple customers share the same network but each has its own sensitive data. To secure data on shared networks of this type, some vendors use a different AES 128-bit key to secure the APS payload (this method is available to both ZigBee 2006 and ZigBee 2007 stacks). Others use a link key, as described in the ZigBee 2007 specification.

In short, ZigBee provides a very strong, solid, security solution.

Here is a challenge. Using only the over-the-air octets below, determine the AES 128-bit key. Just to make it easier, the following command is an HA OnOff Toggle command, that is, a switch is toggling a Home Automation Light:

0000: 61 88 2c aa 1a 00 00 6f   a.,....o
0008: 79 48 02 00 00 6f 79 0a   yH...oy.
0010: 3c 28 03 00 00 00 00 3c   <(.....<
0018: 03 98 07 c2 50 00 00 8f   ....P...
0020: 8b 0d f3 67 15 08 5a 11   ...g..Z.
0028: da 03 83 09 9c ae         ......

The example in this section, Example 4-11 ZigBee Security, uses the standard HA on/off light and switch. Notice that there is no special source code for this example on the Web site or in this book, just the BeeKit solution file and the capture file. No special source code is required to demonstrate security, because ZigBee secures packets automatically.

To follow the example with hardware using the Freescale NSK Kit, compile and download the following projects into the respective boards:

Chapter04\Example4-11 ZigBee Security\NcbZcHaOnOffLight.mcp

Chapter04\Example4-11 ZigBee Security\SrbZedHaOnOffSwitch.mcp

The example is on channel 25, PAN ID 0x0f00. Follow these steps (this example uses the standard Freescale user interface):

1.

After downloading the images, boot both boards

2.

Press SW1 on both nodes to form/join the network

3.

Once joined, press SW3 on both nodes to bind them

4.

Press LSW1 on both nodes to go to application mode

5.

Press SW1 on the switch (SRB board) to toggle the remote light, securely

When creating new projects in BeeKit, be sure to enable security in the BeeKit Project Wizard as seen in Figure 4.29.


Figure 4.29. Including Security in BeeKit

Due to code-size restrictions on the HCS08, Freescale disables security by default, so it can include more of the other features of ZigBee. If you enable security, especially in the Home Automation applications, you will probably need to disable some other features. Look at the ZDP and HA over-the-air commands for likely candidates. Many of these may not be required by your application. Or you can use the generic application as a starting point.

BeeKit allows you to export the entire project, or just properties. Unlike setting the channel list or PAN ID, which only requires exporting properties (a relatively fast operation), changing the security setting requires exporting the entire project again. In the case of this example, security was enabled from the start.

Some public profiles, like Home Automation, transmit the key in the clear to joining nodes to allow any node to join any network, simply and easily. A sniffer that is listening during the join therefore captures the network key and can decrypt everything that follows; the challenge above is only hard because the capture begins after the join. Another mechanism, called Join Enable, is used to prevent unauthorized nodes from joining the network.

If using a more restrictive public profile, such as Commercial Building Automation or a private profile, ZigBee allows the use of a pre-configured key. Pre-configured keys are never sent over the air. The node must already “know” the key, usually through some configuration tool, or as pre-installed at the factory.

If the protocol analyzer (such as Daintree SNA) doesn't know the key, the decode will look similar to the following code:

Frame 40 (Length=48 bytes)

Frame Length: 48 bytes

Link Quality Indication: 145

IEEE 802.15.4

Frame Control: 0x8861

Sequence Number: 44

Destination PAN Identifier: 0x1aaa

Destination Address: 0x0000

Source Address: 0x796f

Frame Check Sequence: Correct

ZigBee NWK

Frame Control: 0x0248

.... .... .... ..00=Frame Type: NWK Data (0x00)

.... .... ..00 10..=Protocol Version (0x02)

.... .... 01.. ....=Discover Route: Enable route discovery (0x01)

.... ...0 .... ....=Multicast

.... ..1. .... ....=Security: Enabled

.... .0.. .... ....=Source Route

.... 0... .... ....=Destination IEEE Address: Not Included

...0 .... .... ....=Source IEEE Address: Not Included

000. .... .... ....=Reserved

Destination Address: 0x0000

Source Address: 0x796f

Radius=10

Sequence Number=60

ZigBee AUX

Security Control: 0x28

 .... .101=Security Level: 5

 ...0 1...=Key Identifier: Network (0x01)

 ..1. ....=Extended Nonce: Sender Address Field: Present (0x01)

 00.. ....=Reserved: (0x00)

Frame Counter: 0x03

Source Address: 0x0050c20798033c00

Key Sequence Number: 0x00

MIC: ae:9c:09:83

NWK Payload Decryption Failed: 8f:8b:0d:f3:67:15:08:5a:11:da:03

Did you notice that decryption failed? The MAC, NWK and AUX headers are not encrypted. Only the payload of the NWK frame is encrypted (the APS and ZCL frames). However, the entire frame is authenticated: not a single bit can change without the MIC failing to verify under the proper 128-bit key. Note that the security bit is enabled in the NWK Frame Control field.
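As an added example that is not part of the book or of the Freescale and Daintree tooling it describes, the following Python splits the 46 challenge octets above (the dump omits the 2-byte FCS that makes the frame 48 bytes) along the header boundaries the decode shows, separating what a sniffer reads in the clear from the 11 ciphertext bytes and the 4-byte MIC, and assembles the 13-octet CCM* nonce. Two details are assumptions worth stating: the security level bits are transmitted as zero and restored by the receiver from the network's configured level (which is why the raw security control octet is 0x28 but the analyzer prints level 5), and the nonce is built from the octets exactly as they appear in the auxiliary header.

```python
# Added example (not from the book): split the over-the-air octets of the
# challenge frame into the parts a sniffer sees in the clear and the parts it
# cannot read. Offsets follow IEEE 802.15.4 and the ZigBee NWK/AUX layouts
# shown in the decode above; the frame bytes are the 46 octets printed in the
# challenge (the 2-byte FCS is not in that dump).
import struct
from dataclasses import dataclass

CHALLENGE_FRAME = bytes.fromhex(
    "61882caa1a00006f79480200006f790a3c280300000000"
    "3c039807c25000008f8b0df36715085a11da0383099cae"
)

MIC_LEN = {0: 0, 1: 4, 2: 8, 3: 16, 4: 0, 5: 4, 6: 8, 7: 16}  # CCM* security level -> MIC octets
NWK_SECURITY_LEVEL = 5   # ENC-MIC-32: the level ZigBee networks run (assumed, as the text does)


@dataclass
class ZigbeeFrame:
    mac_header: bytes
    nwk_header: bytes
    aux_header: bytes
    frame_counter: int
    src_ext_addr: int
    key_seq: int
    ciphertext: bytes
    mic: bytes

    def ccm_nonce(self) -> bytes:
        """13-octet CCM* nonce: source extended address || frame counter ||
        security control, taken as transmitted, with the real level restored
        (see parse_zigbee_frame). Everything in it is public; only the key is secret."""
        return self.aux_header[5:13] + self.aux_header[1:5] + bytes([self.aux_header[0] | NWK_SECURITY_LEVEL])


def parse_zigbee_frame(frame: bytes) -> ZigbeeFrame:
    # --- IEEE 802.15.4 MAC header ---
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x7 != 1:
        raise ValueError("not an 802.15.4 data frame")
    dst_mode, src_mode, pan_compress = (fc >> 10) & 3, (fc >> 14) & 3, bool(fc & 0x40)
    off = 3                                  # frame control + sequence number
    off += 2 + {2: 2, 3: 8}[dst_mode]        # dst PAN + dst address (short or extended)
    off += (0 if pan_compress else 2) + {2: 2, 3: 8}[src_mode]
    mac_header, frame = frame[:off], frame[off:]
    # --- ZigBee NWK header ---
    nfc = struct.unpack_from("<H", frame, 0)[0]
    if not nfc & 0x0200:
        raise ValueError("NWK security bit clear: payload is plaintext")
    off = 8                                  # fc, dst, src, radius, seq
    off += 8 if nfc & 0x0800 else 0          # destination IEEE address present
    off += 8 if nfc & 0x1000 else 0          # source IEEE address present
    nwk_header, frame = frame[:off], frame[off:]
    # --- ZigBee AUX (security) header ---
    sec_ctrl = frame[0]
    # The level bits are zeroed on the air and restored by the receiver from
    # nwkSecurityLevel, which is the value the analyzer displays.
    key_id, ext_nonce = (sec_ctrl >> 3) & 3, bool(sec_ctrl & 0x20)
    frame_counter = struct.unpack_from("<I", frame, 1)[0]
    src_ext = struct.unpack_from("<Q", frame, 5)[0] if ext_nonce else None
    off = 5 + (8 if ext_nonce else 0)        # security control + counter (+ extended source)
    key_seq = frame[off] if key_id == 1 else None   # network key carries a key sequence number
    off += 1 if key_id == 1 else 0
    aux_header, body = frame[:off], frame[off:]
    mic_len = MIC_LEN[NWK_SECURITY_LEVEL]
    return ZigbeeFrame(mac_header, nwk_header, aux_header, frame_counter, src_ext,
                       key_seq, body[:-mic_len], body[-mic_len:])


def in_the_clear(f: ZigbeeFrame) -> dict:
    """What a passive sniffer learns without the key: addressing and counters.
    Encryption hides the command, not who is talking to whom or how often."""
    dst_pan, dst_short, src_short = struct.unpack_from("<HHH", f.mac_header, 3)
    return {"pan_id": dst_pan, "dst_short": dst_short, "src_short": src_short,
            "src_ext": f.src_ext_addr, "frame_counter": f.frame_counter,
            "nwk_radius": f.nwk_header[6], "nwk_seq": f.nwk_header[7]}
```

The 11 ciphertext bytes are exactly an 8-byte APS header plus a 3-byte ZCL command, which is what the keyed decode further down shows; their length, the addresses, the PAN and the frame counter are all readable without the key, which is why the challenge is unanswerable from this frame alone and why the analyzer shows the MIC octets in reverse order (ae:9c:09:83) relative to the wire.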

Once the sniffer knows the key, the packet can be properly decoded. Take a look at the same packet when the sniffer knows the key:

Frame 40 (Length=48 bytes)

Frame Length: 48 bytes

Link Quality Indication: 145

IEEE 802.15.4

Frame Control: 0x8861

Sequence Number: 44

Destination PAN Identifier: 0x1aaa

Destination Address: 0x0000

Source Address: 0x796f

Frame Check Sequence: Correct

ZigBee NWK

 Frame Control: 0x0248

 .... .... .... ..00=Frame Type: NWK Data (0x00)

 .... .... ..00 10..=Protocol Version (0x02)

 .... .... 01.. ....=Discover Route: Enable route discovery (0x01)

 .... ...0 .... ....=Multicast

 .... ..1. .... ....=Security: Enabled

 .... .0.. .... ....=Source Route

 .... 0... .... ....=Destination IEEE Address: Not Included

 ...0 .... .... ....=Source IEEE Address: Not Included

 000. .... .... ....=Reserved

 Destination Address: 0x0000

 Source Address: 0x796f

 Radius=10

 Sequence Number=60

ZigBee AUX

Security Control: 0x28

.... .101=Security Level: 5

...0 1...=Key Identifier: Network (0x01)

..1. ....= Extended Nonce: Sender Address Field: Present (0x01)

00.. ....=Reserved: (0x00)

Frame Counter: 0x03

Source Address: 0x0050c20798033c00

Key Sequence Number: 0x00

MIC: ae:9c:09:83

ZigBee APS

 Frame Control: 0x00

 Destination Endpoint: 0x08

 Cluster Identifier: On/off (0x0006)

 Profile Identifier: HA (0x0104)

 Source Endpoint: 0x08

 Counter: 0x22

ZigBee ZCL

 Frame Control: 0x01

 .... ..01=Frame Type: Command is specific to a cluster (0x01)

 .... .0..=Manufacturer Specific=false (0x00)

 .... 0...=Direction: From the client server (0x00)

 0000 ....=Reserved: Reserved (0x00)

 Transaction Sequence Number: 0x42

 Command Identifier: Toggle (0x02)

Now the frame looks like the standard toggle command on the HA OnOff Cluster in the decoded APS and ZCL frames above.

To summarize, ZigBee security both encrypts, which prevents rogue nodes from listening to sensitive data, and authenticates, to prevent rogue nodes from injecting false data or commands into the network. If a node is allowed to join the network, it is considered “trusted.” However, applications that share a network infrastructure that contain data that should not be seen by other nodes in the network can further encrypt using a link key, or with application-level security.

ZigBee both authenticates and encrypts packets using the AES 128-bit standard.

ZigBee supports security automatically. No special coding necessary.


URL: https://www.sciencedirect.com/science/article/pii/B9780750685979000045

Wireless Personal Area Networks: Low Rate and High Rate

Vijay K. Garg, in Wireless Communications & Networking, 2007

20.6.1 ZigBee Components and Network Topologies

A ZigBee system consists of several components. The most basic is the device. A device can be a full-function device (FFD) or reduced-function device (RFD). A network includes at least one FFD, operating as the personal area network (PAN) coordinator. The FFD can operate in three modes: a PAN coordinator, a coordinator, or a device. An RFD is intended for applications that are extremely simple and do not need to send large amounts of data. An FFD can talk to reduced-function or full-function devices, while an RFD can only talk to an FFD.

ZigBee supports three types of topologies: star topology, peer-to-peer topology, and cluster tree (see Figure 20.5).


Figure 20.5. ZigBee topologies.

In the star topology, communication is established between devices and a single central controller, called the PAN coordinator. The PAN coordinator may be powered by mains while the devices will most likely be battery powered. Applications that benefit from this topology are home automation, personal computer (PC) peripherals, toys, and games.

After an FFD is activated for the first time, it may establish its own network and become the PAN coordinator. Each star network chooses a PAN identifier, which is not currently used by any other network within the radio sphere of influence. This allows each star network to operate independently.

In the peer-to-peer topology, there is also one PAN coordinator. In contrast to star topology, any device can communicate with any other device as long as they are in range of one another. A peer-to-peer network can be ad hoc, self-organizing, and self-healing. Applications such as industrial control and monitoring, wireless sensor networks and asset and inventory tracking would benefit from such a topology. It also allows multiple hops to route messages from any device to any other device in the network. It can provide reliability by multipath routing.

The cluster-tree topology is a special case of a peer-to-peer network in which most devices are full-function devices and an RFD may connect to a cluster-tree network as a leaf node at the end of a branch. Any of the full-function devices can act as a coordinator and provide synchronization services to other devices and coordinators. However, only one of these coordinators is the PAN coordinator.

The PAN coordinator forms the first cluster by establishing itself as the cluster head (CLH) with a cluster identifier (CID) of zero, choosing an unused PAN identifier, and broadcasting beacon frames to neighboring devices. A candidate device receiving a beacon frame may request to join the network at the cluster head. If the PAN coordinator permits the device to join, it will add this new device to its neighbor list. The newly joined device will add the cluster head as its parent in its neighbor list and begin transmitting periodic beacons such that other candidate devices may then join the network at that device. Once application or network requirements are met, the PAN coordinator may instruct a device to become the cluster head of a new cluster adjacent to the first one. The advantage of the clustered structure is the increased coverage at the cost of increased message latency.


URL: https://www.sciencedirect.com/science/article/pii/B9780123735805500545

5G system architecture

Jianhua Liu, ... Tricci So, in 5G NR and Enhancements, 2022

3.1.5 5G system identifiers

In the 3GPP mobile network system, the 5G system identifiers play an important role in identifying the UE in order to support essential network operations to provide services for the UE. Proper design of the UE identifier also ensures the protection of the UE’s privacy and confidentiality as well as to safeguard the 5G system security. Prior to 5G, privacy and confidentiality of the UE were guaranteed only when the UE was authenticated. In 5G, this loophole has been fixed with the introduction of the Subscriber Concealed Identifier (SUCI) and the enhancement of the UE authentication and authorization procedures.

The 5G system defines the subscriber identifier independently of the UE identifier. The format of the UE identifier has been revised to support various access types (e.g., fixed line, WiFi, satellite, etc.) because the 5G system provides converged network solutions.

The following is the list of 5G system identifiers:

Subscription Permanent Identifier (SUPI)

Subscriber Concealed Identifier (SUCI)

5G Globally Unique Temporary Identity (5G-GUTI)

Permanent Equipment Identifier (PEI)

AMF Name

Data Network Name (DNN)

Internal-Group Identifier

Generic Public Subscription Identifier

AMF UE NGAP ID

UE Radio Capability ID

5G NR Radio Network Temporary Identifier (RNTI)

Each of the above identifiers is briefly described as follows. For further details, TS 23.501 can be referenced.

1. Subscription Permanent Identifier (SUPI):

   a. It is a globally unique identifier for a subscriber, provisioned in UDM/UDR.

   b. It is used only within the 3GPP system.

   c. The International Mobile Subscriber Identity (IMSI) can still be used as the SUPI, so that interworking with the Evolved Packet System (EPS) is feasible.

      i. IMSI:=

   d. The use of a generic NAI as defined by IETF RFC 7542 provides a wider range of SUPIs.

      ii. NAI:= @

   e. The SUPI must include the home network identification in order to support roaming.

2. Subscriber Concealed Identifier (SUCI):

   a. A one-time-use subscription identifier that carries the following information:

      SUCI:= Network Identifier>

      i. SUPI Type: identifies the type of the SUPI concealed in the SUCI.

      ii. Home Network Identifier: identifies the home network of the subscriber. When the SUPI Type is an IMSI, the Home Network Identifier is composed of MCC and MNC. When the SUPI Type is a Network Access Identifier, the Home Network Identifier is the domain name (e.g., [email protected]).

      iii. Routing Indicator: assigned by the home network operator and provisioned within the USIM; used together with the Home Network Identifier to route the authentication traffic to the UDM that contains the subscriber's information.

      iv. Protection Scheme Identifier: identifies the profile for the protection scheme applied to the SUPI.

      v. Home Network Public Key Identifier: represents a public key provisioned by the HPLMN and identifies the key used for SUPI protection. When the null-scheme is used, this field shall be set to the value 0.

      vi. Protection Scheme Output: contains the concealed SUPI.

   b. Designed for privacy and confidentiality protection of the UE by concealing the SUPI.

   c. The subscription-specific part is encrypted with the home network public key.

   d. It is encrypted by the UE using an ECIES-based protection scheme with the public key of the home network that was securely provisioned to the USIM during USIM registration.

   e. Only the MSIN part of the SUPI is concealed; the MCC+MNC part is not concealed.
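The privacy property described above, shown in code as an added example (this is not code from the chapter or from 3GPP): an IMSI-type SUPI is split into MCC, MNC and MSIN, the SUCI fields are assembled, and a check reports what a passive observer of the registration message can read. The field names, the SUPI Type values (0 = IMSI, 1 = NAI) and the null-scheme identifier 0 follow TS 23.003/TS 33.501 and are assumptions here; demo_conceal is a constructed stand-in for an ECIES profile output, not the real algorithm.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

# SUPI Type values carried in the SUCI (0 = IMSI, 1 = NAI) and the null-scheme
# identifier follow TS 23.003 / TS 33.501; they are assumed here, not stated on the page.
SUPI_TYPE_IMSI = 0
SUPI_TYPE_NAI = 1
NULL_SCHEME = 0


@dataclass(frozen=True)
class Suci:
    supi_type: int
    home_network_id: str           # MCC+MNC for an IMSI-type SUPI (sent in clear)
    routing_indicator: str         # provisioned in the USIM (sent in clear)
    protection_scheme_id: int      # 0 = null-scheme, otherwise an ECIES profile
    home_network_pubkey_id: int    # 0 whenever the null-scheme is used
    protection_scheme_output: str  # the concealed subscription-specific part


def split_imsi(imsi: str, mnc_len: int = 2):
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN."""
    if not imsi.isdigit() or len(imsi) != 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 15 decimal digits with a 2- or 3-digit MNC")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def build_suci(imsi: str, routing_indicator: str, scheme_id: int,
               pubkey_id: int, conceal: Callable[[str], str]) -> Suci:
    """Assemble a SUCI for an IMSI-type SUPI.

    Only the MSIN goes through the protection scheme. MCC+MNC and the Routing
    Indicator stay in clear because the serving network needs them to route the
    authentication request to the right UDM.
    """
    mcc, mnc, msin = split_imsi(imsi)
    if scheme_id == NULL_SCHEME:
        pubkey_id, output = 0, msin      # null-scheme: key id is 0, MSIN unprotected
    else:
        output = conceal(msin)
    return Suci(SUPI_TYPE_IMSI, mcc + mnc, routing_indicator,
                scheme_id, pubkey_id, output)


def exposed_to_observer(suci: Suci, imsi: str) -> Dict[str, bool]:
    """Which parts of the subscriber identity a passive observer of the
    registration message can read directly from this SUCI."""
    _, _, msin = split_imsi(imsi)
    return {
        "home_network": True,        # MCC+MNC is never concealed
        "routing_indicator": True,   # neither is the Routing Indicator
        "msin": msin in suci.protection_scheme_output,
    }


def demo_conceal(msin: str) -> str:
    """Constructed stand-in for the output of an ECIES profile. It models only
    the property that matters here (the output reveals nothing about the MSIN
    and differs on every use); a real profile returns a ciphertext that the home
    network decrypts with its private key."""
    return secrets.token_hex(32)
```

Running build_suci with NULL_SCHEME shows why the null-scheme offers no privacy: the MSIN appears verbatim in the Protection Scheme Output, while with any non-null scheme only the home network and routing indicator remain readable.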

3. 5G Globally Unique Temporary Identity (5G-GUTI):

   a. A temporary subscription identifier that can be used to identify the last serving AMF, which allocated the 5G-GUTI, in order to retrieve the UE's security context.

   b. It comprises a Globally Unique AMF Id (GUAMI) and a 5G Temporary Mobile Subscriber Id (5G-TMSI), where the GUAMI identifies the assigned AMF and the 5G-TMSI identifies the UE uniquely within the AMF.

      i. 5G-GUTI:= <5G-TMSI>

      ii. GUAMI:=

      iii. AMF Identifier:=

      where AMF Region ID identifies the region, AMF Set ID uniquely identifies the AMF Set within the AMF Region, and AMF Pointer identifies one or more AMFs within the AMF Set.

   c. The AMF may decide to assign a new 5G-GUTI to the UE at any time.

   d. In order to use radio resources more efficiently (especially in Paging and Service Request), a new identifier called 5G-S-TMSI is introduced as a shortened form of the 5G-GUTI to be used over the air interface. 5G-S-TMSI:= <5G-TMSI>

   e. A common 5G-GUTI can be assigned to both 3GPP and non-3GPP access.
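The 5G-GUTI composition above, packed and unpacked as an added example (not code from the chapter): GUAMI = MCC + MNC + AMF Identifier, AMF Identifier = AMF Region ID + AMF Set ID + AMF Pointer, and 5G-S-TMSI = AMF Set ID + AMF Pointer + 5G-TMSI. The field widths (8, 10, 6 and 32 bits) are taken from TS 23.003 and are an assumption here, since the page does not state them; the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Tuple

# Field widths assumed from TS 23.003 (the page does not give them):
# AMF Region ID 8 bits, AMF Set ID 10 bits, AMF Pointer 6 bits, 5G-TMSI 32 bits.
AMF_REGION_ID_BITS = 8
AMF_SET_ID_BITS = 10
AMF_POINTER_BITS = 6
TMSI_BITS = 32
AMF_ID_BITS = AMF_REGION_ID_BITS + AMF_SET_ID_BITS + AMF_POINTER_BITS   # 24
S_TMSI_BITS = AMF_SET_ID_BITS + AMF_POINTER_BITS + TMSI_BITS            # 48


def _fits(name: str, value: int, bits: int) -> int:
    """Reject values that would overflow their field instead of silently truncating."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name} must fit in {bits} bits, got {value}")
    return value


@dataclass(frozen=True)
class Guti5G:
    mcc: str
    mnc: str
    amf_region_id: int
    amf_set_id: int
    amf_pointer: int
    tmsi: int

    def __post_init__(self) -> None:
        if not (self.mcc.isdigit() and len(self.mcc) == 3
                and self.mnc.isdigit() and len(self.mnc) in (2, 3)):
            raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
        _fits("amf_region_id", self.amf_region_id, AMF_REGION_ID_BITS)
        _fits("amf_set_id", self.amf_set_id, AMF_SET_ID_BITS)
        _fits("amf_pointer", self.amf_pointer, AMF_POINTER_BITS)
        _fits("tmsi", self.tmsi, TMSI_BITS)

    def amf_identifier(self) -> int:
        """AMF Identifier = AMF Region ID | AMF Set ID | AMF Pointer (24 bits)."""
        return ((self.amf_region_id << (AMF_SET_ID_BITS + AMF_POINTER_BITS))
                | (self.amf_set_id << AMF_POINTER_BITS)
                | self.amf_pointer)

    def guami(self) -> str:
        """GUAMI = MCC | MNC | AMF Identifier: names the AMF that allocated the GUTI."""
        return f"{self.mcc}-{self.mnc}-{self.amf_identifier():06x}"

    def s_tmsi(self) -> int:
        """5G-S-TMSI = AMF Set ID | AMF Pointer | 5G-TMSI (48 bits), the short
        form used over the air in Paging and Service Request."""
        return ((self.amf_set_id << (AMF_POINTER_BITS + TMSI_BITS))
                | (self.amf_pointer << TMSI_BITS)
                | self.tmsi)


def split_amf_identifier(amf_id: int) -> Tuple[int, int, int]:
    """Inverse of Guti5G.amf_identifier(): (region, set_id, pointer)."""
    _fits("amf_id", amf_id, AMF_ID_BITS)
    pointer = amf_id & ((1 << AMF_POINTER_BITS) - 1)
    set_id = (amf_id >> AMF_POINTER_BITS) & ((1 << AMF_SET_ID_BITS) - 1)
    region = amf_id >> (AMF_SET_ID_BITS + AMF_POINTER_BITS)
    return region, set_id, pointer


def split_s_tmsi(s_tmsi: int) -> Tuple[int, int, int]:
    """Inverse of Guti5G.s_tmsi(): (set_id, pointer, tmsi). The PLMN and the
    AMF Region ID are absent, which is why the 5G-S-TMSI is only meaningful
    within the context the serving AMF Region already provides."""
    _fits("s_tmsi", s_tmsi, S_TMSI_BITS)
    tmsi = s_tmsi & ((1 << TMSI_BITS) - 1)
    pointer = (s_tmsi >> TMSI_BITS) & ((1 << AMF_POINTER_BITS) - 1)
    set_id = s_tmsi >> (AMF_POINTER_BITS + TMSI_BITS)
    return set_id, pointer, tmsi
```

The range checks in _fits matter for a parser that handles identifiers from the air interface: a value that does not fit its field is a malformed message, not something to truncate silently.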

4. Permanent Equipment Identifier (PEI):

   a. Defined for a 3GPP UE to access the 5G system.

   b. Different formats exist for different UE types and use cases. For example:

      i. IMEI:=

      ii. IMEISV:=

   c. The UE must support a PEI in IMEI format when using 3GPP access technology.

   d. IMEI is the only format supported in Rel-15 for the PEI.

5. AMF Name:

   a. It is used to identify an AMF.

   b. It is a globally unique FQDN.

   c. At a given time, a GUAMI with a distinct AMF Pointer value is associated with one AMF Name only.

6. Data Network Name (DNN):

   a. A DNN is equivalent to an Access Point Name (APN).

   b. The DNN may be used to:

      i. Select an AMF and UPF(s) for a PDU Session

      ii. Select N6 interface(s) for a PDU Session

      iii. Determine policies to apply to the PDU Session

7. Internal-Group Identifier:

   a. It identifies the group(s) that the UE belongs to and applies to the non-roaming case at this point.

   b. It is part of the subscription data for the UE in the UDR.

   c. A UE can belong only to a limited number of groups.

   d. It is provided by the UDM to the SMF as part of the SM Subscription data, and by the SMF to the PCF (when PCC applies to a PDU Session).

   e. The SMF may use this information to apply local policies and to store it in the Charging Data Record (CDR).

   f. The PCF may use this information to enforce AF requests.

8. Generic Public Subscription Identifier (GPSI):

   a. A public identifier used both inside and outside of the 3GPP system.

   b. It is either an MSISDN or an External Identifier (e.g., NAI):

      i. MSISDN:=

      ii. External Id:= @

   c. It is used to address a 3GPP subscription in different external data networks.

   d. The 5G Core maintains the mapping between GPSI and SUPI; however, the relationship is not necessarily one-to-one.

9. AMF UE NGAP ID:

   a. An identifier used to identify the UE in the AMF on the N2 reference point.

   b. It is allocated by the AMF and sent to the 5G-AN.

   c. It is unique per AMF Set.

   d. It may be updated by the AMF without changing the AMF.

10. UE Radio Capability ID:

   a. It is used to uniquely identify a set of UE radio capabilities (i.e., UE Radio Capability information).

   b. There are two types: assigned by the serving PLMN (PLMN-assigned) or by the UE manufacturer (UE manufacturer-assigned).

11. gNB Id:

   a. It identifies a gNB within a Public Land Mobile Network (PLMN).

   b. The NR Cell Id (NCI) contains the gNB Id field.

12. Global gNB Id:

   a. It identifies a gNB at the global scale. It is constructed from the PLMN and the gNB Id.

   b. It uses the same MCC and MNC as used in the NR Cell Global Identifier (NCGI). The NCGI is used to identify NR cells globally and is constructed from the PLMN identity the cell belongs to and the NR Cell Identity (NCI) of the cell.


URL: https://www.sciencedirect.com/science/article/pii/B9780323910606000039

Understanding Networks and Networked Video

Anthony C. Caputo, in Digital Video Surveillance and Security, 2010

IP Addresses

Ethernet networking requires some configuration, implementation, and equipment. A simple method of seeing how TCP/IP works is by linking two computers together to communicate and share resources.

Once you've chosen two machines to network, you'll need to give each machine a unique IP address. IP addressing is a unique 32-bit logical address divided into two main parts, the network number and the host number, and is part of the network layer protocol. An IP address follows a simple format and can be subdivided and used to create addresses for subnetworks. Every host within a TCP/IP network is assigned its own unique IP address. There can't be two hosts within a single network with the same IP address as this will create confusion within the network. Imagine if you were a visitor to a new city and noticed there were two completely different hotels with the exact same address – you'd be confused, too!

To assign an IP address to two machines so they may communicate via TCP/IP, do the following:

1. Install a NIC in each machine (if not already built in).

2. Configure the proper driver on the NIC for the workstation's operating system.

3. Configure TCP/IP by assigning a unique IP address on each node with a common 24-bit subnet. For example, assign node 1 the IP address of 10.0.0.1, with a 24-bit mask 255.255.255.0. Configure the other workstation as 10.0.0.2 with the same 24-bit mask. This will allow them to communicate via TCP/IP.

4. Connect both workstations via a hub, switch, or a crossover cable.

5. Configure your Windows OS to be a client on a network. You can accomplish this by right-clicking MY COMPUTER > PROPERTIES > NETWORK IDENTIFICATION. Change both workgroups to be identical or they won't be able to share resources.

IP Address Format

The 32-bit IP address is grouped in four 8-bit octets, separated by dots and represented in dotted decimal notation. Each bit in the octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1) with a minimum value of zero and a maximum value for an octet of 255. Figure 4-9 illustrates the basic format of an IP address.


Figure 4-9. Anatomy of an IP address.

Also referred to as a dot address, it includes four octets of 8 bits presented as three or fewer decimal digits separated by periods. For example: 192.168.100.100 or, in 32-bit binary language, 11000000.10101000.1100100.1100100.

The network identifier and host identifier within the IP address designate its place within that network. Both of the previous examples are the same IP address: 192.168 is the network identifier and 100.100 is the host identifier. If you split the network into subnet groups the network identifier stays the same, but the subnet is identified by the first 100 octet (or 1100100), and the last digits, or second 100, recognize the device. Both the subnet and the device numbers thus become the host identifiers.

The Network Identifier

The Internet is comprised of many individual networks. IP is the method through which one of these networks communicates with another. For this communication to occur your host must have a valid and unique public IP address assigned through an ISP or a numbering authority like Network Solutions (www.netsol.com).

The Host Identifier

In addition to the network identifier, the devices or host machine need identification as sender or receiver. Part of this host identifier signifies the subnetwork using a subnet address, which divides the physical networks into subcategories to handle many devices. The host identifier refers to the remaining numbers available after you subnet the IP address. For instance, if the network is 192.168.0.0 with a 24-bit subnet mask (255.255.255.0), then you can have up to 254 usable network host addresses. When you click on a hypertext link on a Web page or send e-mail, the IP address becomes the address of the sender and receiver.

Domain name service (DNS) is the application service that translates the IP address into a more recognized and memorable name. Whenever using the Internet, there are millions of DNS servers that translate any uniform resource locator (URL) typed into the location field of any Web browser into a specific IP address. Every Web site has a unique IP address. This is easily uncovered by using the Windows command line PING tool (See the Software Troubleshooting Tools section), typing the following, and then pressing ENTER:

C:\>ping www.whateveraddress.com

The reply would look something like this

Pinging www.whateveraddress.com [209.191.XX.XX] with 32 bytes of data:

Reply from 209.191.XX.XX: bytes = 32 time = 42 ms TTL = 52

Reply from 209.191.XX.XX: bytes = 32 time = 42 ms TTL = 52

Reply from 209.191.XX.XX: bytes = 32 time = 42 ms TTL = 52

along with additional statistical information. When resolving to a domain, DNS is what turns the numeric addresses of four separate three-digit-octets into a URL such as www.yahoo.com, which is easier to remember than a series of arbitrary numbers.

IP Address Classes

There are four different address formats, or classes, but only three are significant in a corporate setting. Each class provides for different networks and available hosts according to their size:

Class A: large networks with many devices

Class B: medium-sized networks

Class C: small networks (less than 254 devices)

Anything outside your internal LAN environment needs a formal application to a network solutions authority for a network IP number.

The first few bits of each IP address indicate from which address class it originates (see Table 4-8). The Class A Network begins with a 0. Any binary IP address beginning with zero belongs to a Class A network. The Class B network begins with 10 and the Class C network begins with 110. For example, the IP address 66.218.71.198 belongs to Yahoo.com. Its binary number is 1000010.11011010.1000111.11000110, which puts it into the Class B network category because it starts with 10.

Table 4-8. IP Address Bits and Bytes

Class   | Initial Byte (First Octet) | First Bit | Network Bits | Host Bits | Multicast Bits | Number of Networks           | Maximum Number of Hosts
Class A | 0-127                      | 0         | 7            | 24        | N/A            | 126 (0 and 127 are reserved) | 16,777,214
Class B | 128-191                    | 10        | 14           | 16        | N/A            | 16,384                       | 65,532
Class C | 192-223                    | 110       | 21           | 8         | N/A            | 2,097,152                    | 254
Class D | 224-247                    | 1110      | N/A          | N/A       | 128            | See RFC 1112                 |

Most DVS applications are, for security reasons, built inside a closed Class C or B network. An additional method is used for remote access, usually using HTTP (port 80), Windows Remote Desktop (port 3386), VNC (port 5001), or a similar application. When using any of these applications to access internal (as in a closed business network) resources, the associated ports need to be opened for communication from the outside world.

Decimal to Binary Conversion

To convert a decimal number to a binary number (or vice versa) in Windows 2000, XP, or .NET, click on the START menu, and then click PROGRAMS > ACCESSORIES > CALCULATOR. Once you've opened the calculator, go to the VIEW menu, and choose SCIENTIFIC. The calculator will expand and give you the options for adding decimal (DEC) or binary (BIN) numbers. If you type in a decimal, such as 192.168, press the F8 key to change it to the binary equivalent. If you have BIN chosen on the menu and you type 1000010 as a binary number, press the F6 key and it will convert the binary number to its decimal equivalent: 66.

The explosive growth of the Internet is gobbling up the 32-bit IP addresses (4 billion of them) because today's IP version 4 (IPv4) originated 20 years ago and few people at the time could imagine needing more than 4 billion addresses. The new IP version 6 (IPv6) will expand the size of the IP address to 128 bits, which will bring it up to 340,232,366,920,938,463,463,374,607,431,768,211,456 (340 duodecillion, or 34 trillion trillion trillion, or 3.4 × 10^38). That should cover us for a while.


URL: https://www.sciencedirect.com/science/article/pii/B9781856177474000044

Transmission Control Protocol/Internet Protocol (TCP/IP)

Ray Hunt, in Encyclopedia of Information Systems, 2003

III.D Subnet Masks

Once the network number has been assigned by the IANA, the hostid can be assigned locally. Consider an IP network number of 132.181.0.0. 16 bits are assigned for the network number, which means a unique number out of a pool of 2^16 = 65536 is possible. Out of the 65536 combinations, the pattern consisting of all 1s (broadcast) cannot be used. In addition, the pattern consisting of all 0s (the network itself) should not be used for host number assignments.

Figure 17 shows the network number 132.181.0.0 (Network 1) connected to the Internet using a router and all traffic for network 132.181.0.0 is sent to the router for that network. It is possible (but unrealistic) to have 65534 hosts on this network.


Figure 17. Class B network connected to the Internet.

If the company decides to segment this network to better fit the business units, then a new numbering structure for the hostid field is required. A different network number assignment that belongs to Class A, B, or C could be used, but this involves applying for a new network number assignment even though many hostid bit patterns on Network 1 are not in use. Therefore some of the bits from the hostid field are used to distinguish between the two networks and the rest are left for the host number assignments. This is called subnetting, and the resulting networks are called subnets. The scheme for subnetting is documented in RFC 950.

Figure 18 shows that a second network (Network 2) can be connected using the same router if it has an unused port. The first byte of the hostid field is used to specify this subnet number. Network 1 has a subnet number of 1, Network 2 a subnet number of 2.


Figure 18. Class B network connected to the Internet using subnetting.

Subnetting enables a network to be broken into smaller networks using the same network number assignment and has the following advantages:

Simplified administration

Improved security

Restructuring of internal networks without affecting external networks

Simplified administration results from the capability to use routers to partition networks using logical boundaries and allows smaller networks to be administered independently and more efficiently.

Subnets allow the network to be structured internally without the rest of the network being aware of changes in the internal network structure. In Fig. 18 the internal network has been divided into two subnets, but traffic arriving from the external network still is sent to the network address 132.181.0.0. It is the responsibility of the router that belongs to the organization to make a distinction between IP addresses belonging to its various subnets. An important benefit of the internal network being “invisible” to external networks is that an organization can achieve this internal restructuring without having to obtain an additional network number from the IANA which further conserves this scarce resource. Also because the structure of the internal subnetworks is not visible to external networks, use of subnets results in improved network security.

Figure 19 shows the relationship between the different fields of an IP address and its subnetworks. Routers are used to interconnect these subnets. The routers must also know how many bits of the hostid field are being used for subnets, so that they can analyze the hostid field in conjunction with the "subnet mask." The subnet mask is required at the time that an IP address is specified and is expressed in dotted decimal notation like the IP address.


Figure 19. Subnets and subnet numbers.

The subnet mask is used by routers and hosts to interpret the hostid field in such a way that they can determine how many bits are being used for subnetting. The mask is a 32-bit number that divides the hostid field into the subnet number and the host number according to the following rules:

1s in subnet mask correspond to position of the netid and subnet number in the IP address.

0s in subnet mask correspond to the position of host number in the IP address.

Figure 20 shows an application of this rule to a Class B network number used for subnetting. Eight bits of the hostid field are being used for the subnet number, while the remaining 8 bits are used to specify the hostid on a particular subnet. The subnet mask is a 32-bit pattern and is written in dotted decimal notation. A group of eight 1s corresponds to a decimal value of 255, thus the subnet mask can be written as 255.255.255.0.


Figure 20. Subnet mask representation.

If a subnet mask of 255.255.0.0 is used for a Class B address, then no subnetting is being used. A Class B address has 16 bits of netid field. This netid field is accounted for by the first two 255s (255.255) in the 255.255.0.0 subnet mask value. The remaining value of 0.0 must correspond to the host number. No 1s are in the subnet mask for the subnet number or field, thus no subnetting is being used.

If the same subnet mask value of 255.255.0.0 is used for a Class A address, it shows that subnetting is being used as a Class A address has 8 bits of netid field. This netid field is accounted for by the first 255 in the 255.255.0.0 subnet mask. The remaining 255 must correspond to the subnet number, which is 8 bits long.

If a subnet mask of 255.255.255.0 is used for a Class C address, then no subnetting is being used. A Class C address has 24 bits of netid field, which is accounted for by the first three 255s (255.255.255) in the 255.255.255.0 subnet mask. The remaining value of 0 must correspond to the host number. No 1s are in the subnet mask for the subnet number field, thus no subnetting is being used.

A subnet mask of 255.255.0.0 for a Class C address is illegal, as a Class C address has 24 bits of netid field but the first two 255s in 255.255.0.0 account for only 16 bits of the netid. At least another 255 is needed to cover the remaining 8 bits of netid.

An IP address and its subnet mask can be represented in “slash” notation. For example, an IP address of 192.55.12.120 and subnet mask of 255.255.255.240 can be combined and expressed as 192.55.12.120/28 where 28 represents the number of 1s in the mask starting from the left. The following table specifies the equivalence between the binary and decimal values for subnet masks.

Subnet size (bits) | Bit pattern | Decimal value
1                  | 10000000    | 128
2                  | 11000000    | 192
3                  | 11100000    | 224
4                  | 11110000    | 240
5                  | 11111000    | 248
6                  | 11111100    | 252
7                  | 11111110    | 254

Consider the following example:

Given an IP address of 192.55.12.120 and a subnet mask of 255.255.255.240, determine the values of the subnet number, the host number and the directed broadcast address.

The network address is formed from the binary AND of the IP address and the mask.

The host address is formed from the binary AND of the IP address and the NOT mask.

The broadcast address for this subnet is formed from the binary OR of the IP address and the NOT mask.
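The example above worked through in code, as an added example (this is not code from the encyclopedia entry): the AND/OR arithmetic for 192.55.12.120 with mask 255.255.255.240, the slash-notation conversion, the contiguity requirement on a mask, and the legality check that rejects a mask shorter than the classful netid (such as 255.255.0.0 on a Class C address). The subnet number is taken as the bits between the classful netid and the end of the mask, which is the framework this section uses; function names are the example's own.

```python
from typing import Dict, Union

ALL_ONES = 0xFFFFFFFF


def parse_ip(addr: str) -> int:
    """Dotted decimal -> 32-bit integer, so the mask logic is plain AND/OR/NOT."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted decimal: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def format_ip(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix: int) -> int:
    """/prefix -> mask as an integer: prefix 1s followed by (32 - prefix) 0s."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length; rejects masks whose 1s are not contiguous."""
    m = parse_ip(mask)
    prefix = bin(m).count("1")
    if m != prefix_mask(prefix):
        raise ValueError(f"{mask} is not a valid subnet mask (1s must be contiguous)")
    return prefix


def prefix_to_mask(prefix: int) -> str:
    return format_ip(prefix_mask(prefix))


def classful_netid_bits(addr: str) -> int:
    """Length of the netid field implied by the address class (A 8, B 16, C 24)."""
    first = parse_ip(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no netid/hostid split")


def subnet_calc(addr: str, mask: str) -> Dict[str, Union[str, int]]:
    """Network, subnet number, host number and directed broadcast for addr/mask."""
    ip, m = parse_ip(addr), parse_ip(mask)
    prefix = mask_to_prefix(mask)
    netid_bits = classful_netid_bits(addr)
    if prefix < netid_bits:
        # e.g. 255.255.0.0 on a Class C address: the mask does not even cover the netid
        raise ValueError(f"mask /{prefix} is shorter than the {netid_bits}-bit netid")
    not_m = ~m & ALL_ONES
    network = ip & m          # IP AND mask
    host = ip & not_m         # IP AND NOT mask
    broadcast = ip | not_m    # IP OR NOT mask
    subnet_bits = prefix - netid_bits
    subnet_number = (network >> (32 - prefix)) & ((1 << subnet_bits) - 1)
    host_bits = 32 - prefix
    return {
        "cidr": f"{addr}/{prefix}",
        "network": format_ip(network),
        "subnet_number": subnet_number,
        "host_number": host,
        "host": format_ip(host),
        "broadcast": format_ip(broadcast),
        "usable_hosts": max((1 << host_bits) - 2, 0),  # minus the all-0s and all-1s patterns
    }
```

For 192.55.12.120/28 this gives network 192.55.12.112, subnet number 7, host number 8 and broadcast 192.55.12.127, with 14 usable host addresses in the subnet. The contiguity check in mask_to_prefix is worth keeping in any tool that accepts masks from configuration: a non-contiguous mask produces a network address that looks plausible but routes nothing correctly.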


URL: https://www.sciencedirect.com/science/article/pii/B0122272404001878

Malware Incident Response

Cameron H. Malin, ... James M. Aquilina, in Malware Forensics Field Guide for Windows Systems, 2012

Collecting Subject System Details

☑ System details are helpful for providing context to the live response and post-mortem forensic process, establishing an investigative time line, and identifying the subject system in logs and other forensic artifacts.

► Obtain the following subject system details:

System date and time

System identifiers

Network configuration

Enabled protocols

System uptime

System environment

System Date and Time

► After acquiring an image of the physical memory from a subject system, the first and last items that should be collected during the course of conducting a live response examination are the system date and time. This information will serve both as the basis of your investigative time line—providing context to your analysis of the system—as well as documentation of the examination.

The most common method to collect system date and time is to issue the date /t and time /t commands from a trusted command shell in your live response toolkit.

After recording the date and time from the subject system, compare them to a reliable time source to verify the accuracy of the information.

Identify and document any discrepancies for comparison to the date and time stamps of other artifacts you discover on the system.

System Identifiers

► In addition to collecting the system date and time, collect as much system identification and status information from the subject host as possible prior to launching into live response examination, including:

System Identifier | Tool/Command
Host Name | Identify the name of the subject system by using a trusted version of the hostname utility, which is native to Windows operating systems.
Current User | Identify the current system user with the whoami command.
Operating System/Environment | Collect system environment identifiers by issuing the ver command.
IP address and related network identifiers | The ipconfig /all command is used to display the IP address assigned to the subject system, along with the system hostname, network subnet mask, DNS servers, and related details.
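Turning the collected output into a record, as an added example (not code from the field guide): a parser for ipconfig /all output that pulls out the host name, IPv4 address, subnet mask, MAC address and DNS servers, and a helper that computes the clock skew between the date /t and time /t values recorded from the subject system and a trusted reference time, as the System Date and Time step asks for. The ipconfig sample is constructed, not captured from a real system, and the date/time parsing assumes the en-US output format of those commands.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample of `ipconfig /all` output (not captured from a real system).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-FINANCE-07
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   IPv4 Address. . . . . . . . . . . : 10.0.5.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.5.1
   DNS Servers . . . . . . . . . . . : 10.0.5.10
                                       10.0.5.11
"""

# "   Key . . . . : value" lines; the key is followed by dot/space padding and a colon.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 ()\-]*?)[ .]*:\s*(?P<value>.*)$")
# Deeply indented lines without a key continue the previous multi-valued field.
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S.*)$")


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Collect every field into a list of values (adapters may repeat a key)."""
    fields: Dict[str, List[str]] = {}
    last_key = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group("key")
            value = m.group("value").replace("(Preferred)", "").strip()
            fields.setdefault(key, []).append(value)
            last_key = key
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            fields[last_key].append(m.group("value").strip())
        else:
            last_key = None  # blank line or adapter header ends the field
    return fields


def system_identifiers(ipconfig_text: str) -> Dict[str, object]:
    """The identifiers worth recording for matching the host in logs later."""
    f = parse_ipconfig(ipconfig_text)
    return {
        "host_name": f.get("Host Name", [""])[0],
        "ipv4": f.get("IPv4 Address", []),
        "subnet_mask": f.get("Subnet Mask", []),
        "mac": f.get("Physical Address", []),
        "dns_servers": f.get("DNS Servers", []),
    }


def clock_skew_seconds(date_t: str, time_t: str, reference_iso: str) -> float:
    """Subject clock minus trusted reference, from the recorded `date /t`
    (e.g. 'Tue 03/14/2023') and `time /t` (e.g. '02:03 PM') output. Assumes
    en-US formatting and that the reference was read at the same moment."""
    recorded = datetime.strptime(f"{date_t.split()[-1]} {time_t.strip()}",
                                 "%m/%d/%Y %I:%M %p")
    return (recorded - datetime.fromisoformat(reference_iso)).total_seconds()
```

A negative skew means the subject clock runs behind the reference; record the value with the rest of the system details so that every timestamp taken from the host can be corrected when building the investigative time line.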

Network Configuration

► When documenting the configuration of the subject system, keep an eye open for unusual items.

Look for a Virtual Private Network (VPN) adapter configured on a system that does not legitimately use a VPN.

Determine whether a network card of the subject system is in promiscuous mode, which generally indicates that a sniffer is running.

Several tools are available to query a network configuration, including promiscdetect and Microsoft's promqry (which requires the .NET framework).

Enabled Protocols

► Document which protocols are enabled on the subject system to help identify potential vectors of attack.

Identify the protocols enabled on the subject system using the URLProtocolView utility from NirSoft.

System Uptime

► Determine how long the subject system has been running, or the system uptime.

Knowing that the subject system has not been rebooted since malware was installed can be important, motivating digital investigators to look more closely for deleted processes and other information in memory that otherwise might have been destroyed.

To determine system uptime, invoke the uptime utility from your trusted toolkit, as shown in Figure 1.12.


Figure 1.12. Querying a system with the uptime command

System Environment

► Documenting general details about the subject system, including operating system version, patch level, and hardware, is useful when conducting an investigation of a Windows system.

System environment information may reveal that the system is outdated and therefore susceptible to certain attacks.

What is a computer ID called?

A unique identifier (UID) is a numeric or alphanumeric string that is associated with a single entity within a given system. UIDs make it possible to address that entity, so that it can be accessed and interacted with.

Is a unique identifier assigned to each computer or devices connected to a network?

IP Address (Internet Protocol address): Also known as the logical address, it is the network address of the system across the network. To identify each device on the World Wide Web, the Internet Assigned Numbers Authority (IANA) assigns an IPv4 (version 4) address as a unique identifier for each device on the Internet.

What is an identifier in IP address?

The host identifier refers to the remaining numbers available after you subnet the IP address. For instance, if the network is 192.168.0.0 with a 24-bit subnet mask (255.255.255.0), you can have up to 254 usable network host addresses.

What is used to identify every computer on a network?

An IP address identifies a device on the global internet, acting as the device's logical address to identify that network connection.