TCP/IP CIS 218/238
Internet Protocol (IP)
• The Internet Protocol (IP) is responsible for ensuring that data is transferred between two Internet hosts based on a 32 bit address.
• To be ROUTABLE, a protocol must specify a NETWORK ADDRESS for each device that exists on the network. The network address usually consists of a network number, a host or workstation number, and a route out of the local network (gateway).
• All TCP/IP enabled devices connected to the Internet have an Internet Protocol (IP) address. The Internet Assigned Numbers Authority (IANA) is the organization responsible for assigning IP addresses to Internet Service Providers (ISPs) and deciding which ones should be used for the public Internet and which ones should be on private networks.
IP Addressing
• Network numbers are specified by a “class” designated by the value of the first number in the address. The network number encompasses one or more of the octet values as indicated by the SUBNET MASK; the host portion is indicated by the zero positions in the mask.
• IP Version 4 addresses consist of 4 numbers valued 0-255 separated by periods, the so-called “dotted quad” notation. IP addresses are in reality a string of 32 binary digits or bits. For ease of use, network engineers divide these 32 bits into four sets of 8 bits (octets), each representing a number from 0 to 255, and separate the numbers with periods (.) to create the familiar dotted decimal notation; the “dotted quad” form exists purely for readability. This “dotted quad” number contains both the network and host number, delineated by a subnet mask.
• IP address “classes” are assigned by the value of the first octet – A: 0-127, B: 128-191, C: 192-223, D: 224-239, E: 240-248 etc.
• The subnet mask has 1’s in the network portion and zeros in the host portion of the number. Normal subnet masks are assigned by class – A: 8 bits, B: 16 bits, C: 24 bits.
• Only IP network classes A, B and C are of concern for host addressability. Class D and E are special purpose address classes used for other functions like IGMP.
IP Address Rules
• Address Rules:
- Network addresses 0, 127 and 255 are reserved values; 0 and 255 are broadcast; 127 is for local loopback. Network addresses starting with 224 – 239 are reserved for IGMP processes.
- Host addresses 0 (or all zeros) and 255 (all 1’s) are not allowed, as they are reserved for broadcast.
- IP network addresses 10.0.0.0, 127.0.0.0 (Loopback), 172.16.0.0 – 172.27.31.255, 192.168.0.0 and 169.254.0.0 are reserved for private Intranets.
- All other class A-C addresses are available for use on the public Internet, except the private IP address ranges.
- Private addresses cannot be used on the Internet (they are not routed), though they are used on internal networks. This problem is overcome by Network Address Translation (NAT).
• Whether or not your computer has a network interface card, it will have a built-in IP address with which network-aware applications can communicate with one another. This IP address is defined as 127.0.0.1 and is frequently referred to as localhost.
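The following is an added example, not part of the course slides: it does the classful arithmetic the two previous slides describe (dotted quad to 32-bit integer, class from the first octet, default mask, network and host parts) and then applies the address rules (host part all zeros or all ones, reserved net numbers, private and loopback ranges). The helper names are my own. One assumption is labelled in the code: the private range starting at 172.16.0.0 is checked with the RFC 1918 upper bound 172.31.255.255, whereas the slide writes the range as ending at 172.27.31.255.

```python
import ipaddress

# Default (classful) network prefix length by class.  Classes D and E carry
# no network/host split, so they have no default mask.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Ranges the slides list as private/reserved (not routed on the Internet).
# Assumption: 172.16.0.0/12 uses the RFC 1918 end 172.31.255.255; the slide
# gives the range as 172.16.0.0 - 172.27.31.255.
NON_PUBLIC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    LOOPBACK,
]


def parse_dotted_quad(text):
    """Turn 'a.b.c.d' into the 32-bit integer it really is; reject bad input."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | int(part)
    return value


def to_dotted_quad(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(first_octet):
    """Class by the value of the first octet, as on the slide."""
    if first_octet <= 127:
        return "A"
    if first_octet <= 191:
        return "B"
    if first_octet <= 223:
        return "C"
    if first_octet <= 239:
        return "D"
    return "E"


def classful_info(text):
    """Split an IPv4 address into classful network and host parts and apply
    the address rules from the slide.  Returns a dict of findings."""
    value = parse_dotted_quad(text)
    first = value >> 24
    cls = address_class(first)
    info = {"address": text, "class": cls, "first_octet": first}
    if cls not in CLASS_PREFIX:
        # Multicast (D) and reserved (E): no host addressability at all.
        info.update(mask=None, network=None, host=None, valid_host=False)
    else:
        prefix = CLASS_PREFIX[cls]
        host_bits = 32 - prefix
        mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
        host = value & ~mask & 0xFFFFFFFF
        info["mask"] = to_dotted_quad(mask)
        info["network"] = to_dotted_quad(value & mask)
        info["host"] = host
        # Host part all zeros (the network itself) or all ones (broadcast) is
        # not usable for a host; nor is a net number of 0, 127 or 255.
        all_ones = (1 << host_bits) - 1
        info["valid_host"] = host not in (0, all_ones) and first not in (0, 127, 255)
    addr = ipaddress.ip_address(value)
    info["loopback"] = addr in LOOPBACK
    # Usable on the public Internet: a valid A-C host outside every reserved range.
    info["public"] = info["valid_host"] and not any(addr in net for net in NON_PUBLIC)
    return info


if __name__ == "__main__":
    for sample in ("10.218.186.109", "192.234.16.5", "172.24.17.70",
                   "192.168.201.255", "224.0.0.1", "127.0.0.1"):
        print(classful_info(sample))
```

The sample addresses in the driver are the ones that appear later in the slides' netstat output; the classification of each follows only from the first octet and the reserved-range list, which is the point of the exercise.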
IP Protocols
• The two most popular transport mechanisms used in IP are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
• TCP provides a communication service at an intermediate level between an application program and the Internet Protocol (IP). TCP is a “guaranteed” delivery mechanism, as opposed to UDP, which simply delivers packets as sent.
• When the type of transport protocol has been determined, the TCP/UDP header is then inspected for the "port" value, which is used to determine which network application on the computer should process the data.
• Certain programs are assigned specific ports as recognized by the Internet Consortium Request for Comment (RFC). For example, port 80 is reserved for HTTP Web traffic, and port 25 is reserved for SMTP e-mail. Ports below 1024 are reserved for privileged system functions, and those above 1024 are generally reserved for non-system third-party applications.
TCP/IP Network Model
• Note the link layer is undefined in the IP protocol suite.
User Datagram Protocol (UDP)
• UDP is a connectionless protocol, sometimes described as a “stateless” protocol. Data is sent on a "best effort" basis, with the machine that sends the data having no means of verifying whether the data was correctly received by the remote machine.
• UDP is usually used for applications in which the data sent is not mission-critical. It is also used when data needs to be broadcast to all available servers on a locally attached network, where the creation of dozens of TCP connections would consume excessive resources.
Transport Control Protocol (TCP)
• TCP opens up a virtual connection between the client and server programs. TCP keeps track of the packets sent by giving each one a sequence number, with the remote server sending back acknowledgment packets confirming correct delivery. The sender keeps a record of each packet it sends and waits for acknowledgment before sending the next packet.
• This technique requires the receiver to respond with an acknowledgment message as it receives the data. The number of bytes that may be sent before an acknowledgement must be waited for is known as the TCP “window” size. This window size can change based on network performance and reliability – a so-called “sliding” window.
• Programs that use TCP therefore have a means of detecting connection failures and requesting the retransmission of missing packets. TCP is a connection-oriented (stateful) protocol.
• The sender also keeps a timer from when the packet was sent, and retransmits a packet if the timer expires. The timer is needed in case a packet gets lost or corrupted.
TCP Connection Establishment
• Before exchanging data on a TCP session, a connection must be established on the destination (service) port.
• The host initiating the connection sends a segment with the SYN bit set in the TCP header. The target replies with a segment with the SYN and ACK bits set, to which the originating host replies with a segment with the ACK bit set. This SYN, SYN-ACK, ACK mechanism is often called the "three-way handshake".
• Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open.
• To establish a connection, the three-way (or 3-step) handshake occurs:
- The active open is performed by the client sending a SYN to the server.
- In response, the server replies with a SYN-ACK.
- Finally the client sends an ACK back to the server.
TCP Connection Establishment
• At this point, both the client and server have received an acknowledgment of the connection. Usually a connection is made from a client computer requesting data to the server that contains the data:
• The client selects a random, previously unused "source" port greater than 1024 and queries the server on the "destination" port specific to the application. If it is an HTTP request, the client will use a source port of, say, 2049 and query the server on port 80 (HTTP).
• The server recognizes the port 80 request as an HTTP request and passes on the data to be handled by the Web server software. When the Web server software replies to the client, it tells the TCP stack to respond back to port 2049 of the client using a source port of 80.
• The client keeps track of all its requests to the server's IP address and will recognize that the reply on port 2049 isn't a request initiation for "NFS", but a response to the initial port 80 HTTP query.
TCP Connection Example
• Here is a modified packet trace obtained from the ethereal program:
hostA -> hostB TCP 1443 > http [SYN] Seq=9766 Ack=0 Win=5840 Len=0
hostB -> hostA TCP http > 1443 [SYN, ACK] Seq=8404 Ack=9767 Win=5792 Len=0
hostA -> hostB TCP 1443 > http [ACK] Seq=9767 Ack=8405 Win=5840 Len=0
hostA -> hostB HTTP HEAD / HTTP/1.1
hostB -> hostA TCP http > 1443 [ACK] Seq=8405 Ack=9985 Win=54 Len=0
hostB -> hostA HTTP HTTP/1.1 200 OK
hostA -> hostB TCP 1443 > http [ACK] Seq=9985 Ack=8672 Win=6432 Len=0
hostB -> hostA TCP http > 1443 [FIN, ACK] Seq=8672 Ack=9985 Win=54 Len=0
hostA -> hostB TCP 1443 > http [FIN, ACK] Seq=9985 Ack=8673 Win=6432 Len=0
hostB -> hostA TCP http > 1443 [ACK] Seq=8673 Ack=9986 Win=54
• In this trace, the sequence number represents the serial number of the first byte of data in the segment. So in the first line, a random value of 9766 was assigned to the first byte, and all subsequent bytes for the connection from this host will be sequentially tracked. This makes the second byte in the segment number 9767, the third number 9768, etc. The acknowledgment number or Ack, not to be confused with the ACK bit, is the byte serial number of the next segment it expects to receive from the other end, and the total number of bytes sent before acknowledgment cannot exceed the Win or window value that follows it. If data isn't received correctly, the receiver will re-send its acknowledgment segment asking for the information to be sent again. The TCP code keeps track of all this along with the source and destination ports and IP addresses to ensure that each unique connection is serviced correctly.
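As an added example (my code, not part of the slides), the checker below walks the trace above and verifies the sequence/acknowledgment arithmetic it describes: each Ack must equal the peer's next sequence number, and a SYN or FIN consumes one sequence number even though it carries no data (which is why the SYN-ACK acknowledges 9767, not 9766). The two HTTP lines carry no Seq or Len in the trace, so their payload sizes are recovered from the acknowledgment that follows them. The trace is transcribed from the slide as the sample input; the function names are my own.

```python
import re

# Transcribed from the slide above (the last line has no Len field there).
TRACE = """\
hostA -> hostB TCP 1443 > http [SYN] Seq=9766 Ack=0 Win=5840 Len=0
hostB -> hostA TCP http > 1443 [SYN, ACK] Seq=8404 Ack=9767 Win=5792 Len=0
hostA -> hostB TCP 1443 > http [ACK] Seq=9767 Ack=8405 Win=5840 Len=0
hostA -> hostB HTTP HEAD / HTTP/1.1
hostB -> hostA TCP http > 1443 [ACK] Seq=8405 Ack=9985 Win=54 Len=0
hostB -> hostA HTTP HTTP/1.1 200 OK
hostA -> hostB TCP 1443 > http [ACK] Seq=9985 Ack=8672 Win=6432 Len=0
hostB -> hostA TCP http > 1443 [FIN, ACK] Seq=8672 Ack=9985 Win=54 Len=0
hostA -> hostB TCP 1443 > http [FIN, ACK] Seq=9985 Ack=8673 Win=6432 Len=0
hostB -> hostA TCP http > 1443 [ACK] Seq=8673 Ack=9986 Win=54
"""

LINE_RE = re.compile(r"^(\w+) -> (\w+) (TCP|HTTP) (.*)$")


def parse_line(line):
    """Split one trace line into source, destination, protocol and fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised trace line: {line!r}")
    src, dst, proto, rest = m.groups()
    seg = {"src": src, "dst": dst, "proto": proto}
    if proto == "TCP":
        flags = re.search(r"\[([^\]]*)\]", rest).group(1)
        seg["flags"] = {f.strip() for f in flags.split(",")}
        fields = dict(re.findall(r"(\w+)=(\d+)", rest))
        seg["seq"] = int(fields["Seq"])
        seg["ack"] = int(fields["Ack"])
        seg["len"] = int(fields.get("Len", 0))   # missing Len means no data
    else:
        seg["flags"] = set()
        seg["payload"] = rest                     # HTTP line: size unknown here
    return seg


def check_trace(text):
    """Verify Seq/Ack bookkeeping over a trace.

    next_seq[host] is the sequence number that host will give its next byte.
    Returns (problems, payload_lengths): problems lists every segment whose
    Seq or Ack disagrees with the expected value; payload_lengths pairs each
    HTTP line with the byte count recovered from the peer's acknowledgment."""
    next_seq = {}
    pending = {}          # host -> HTTP payload sent but not yet sized
    problems, lengths = [], []
    for n, line in enumerate(text.splitlines(), 1):
        seg = parse_line(line)
        src, dst = seg["src"], seg["dst"]
        if seg["proto"] == "HTTP":
            pending[src] = seg["payload"]
            continue
        if src in pending:
            # The sender's own next Seq reveals how much it sent meanwhile.
            lengths.append((pending.pop(src), seg["seq"] - next_seq[src]))
            next_seq[src] = seg["seq"]
        elif src in next_seq and seg["seq"] != next_seq[src]:
            problems.append(f"line {n}: Seq={seg['seq']} expected {next_seq[src]}")
        if "ACK" in seg["flags"]:
            if dst in pending:
                # The peer's Ack sizes the data it just received.
                lengths.append((pending.pop(dst), seg["ack"] - next_seq[dst]))
                next_seq[dst] = seg["ack"]
            elif dst in next_seq and seg["ack"] != next_seq[dst]:
                problems.append(f"line {n}: Ack={seg['ack']} expected {next_seq[dst]}")
        # SYN and FIN each occupy one sequence number; data occupies Len.
        consumed = seg["len"] + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])
        next_seq[src] = seg["seq"] + consumed
    return problems, lengths


if __name__ == "__main__":
    print(check_trace(TRACE))
```

Run on the slide's trace the checker reports no problems and sizes the HEAD request at 218 bytes (9985 - 9767) and the 200 OK response at 267 bytes (8672 - 8405); altering any one Ack in the input produces a problem entry naming the line, which is the same consistency check a capture analyser applies when flagging a segment that does not belong to the conversation it claims to be part of.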
Data Transfer
• The data portion of the IP packet contains a TCP or UDP segment sandwiched inside. Only the TCP segment header contains sequence information, but both the UDP and the TCP segment headers track the port being used. The source/destination port and the source/destination IP addresses of the client & server computers are then combined to uniquely identify each data flow.
• During data transfer, TCP enforces:
- Ordered data transfer - the destination host rearranges segments according to sequence number
- Retransmission of lost packets - any cumulative stream not acknowledged will be retransmitted
- Discarding duplicate packets
- Error-free data transfer
- Flow control - limits the rate at which a sender transfers data to guarantee reliable delivery. When the receiving host's buffer fills, the next acknowledgement contains a 0 in the window size, to stop transfer and allow the data in the buffer to be processed
- Congestion control – using the TCP sliding window
• The communication then continues with a series of segment exchanges, each with the ACK bit set. When one of the hosts needs to end the communication, it sends a segment to the other with the FIN and ACK bits set, to which the other host also replies with a FIN-ACK segment. The communication terminates with a final ACK from the host that wanted to end the session.
TCP Connection Termination
• The connection termination phase uses, at most, a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical tear-down requires a pair of FIN and ACK segments from each TCP endpoint.
• A connection can be "half-open", in which case one side has terminated its end but the other has not. The side that has terminated can no longer send any data into or receive any data from the connection, but the other side can (though generally if it tries, this should result in no acknowledgment and therefore a timeout, or else a positive RST, and either way the destruction of the half-open socket).
• It is also possible to terminate the connection by a 3-way handshake, when host A sends a FIN and host B replies with a FIN & ACK (merely combining 2 steps into one) and host A replies with an ACK. This is the most common method of connection termination. It is possible for both hosts to send FINs simultaneously; then both just have to ACK. This could be considered a 2-way handshake, since the FIN/ACK sequence is done in parallel for both directions.
TCP Connection Termination
• Some host TCP stacks may implement a "half-duplex" close sequence, as Linux or HP-UX do. If such a host actively closes a connection but has not yet read all the incoming data the stack already received from the link, the host will send a RST instead of a FIN.
• This allows a TCP application to be sure that the remote application has read all the data the former sent - by waiting for the FIN from the remote side when it actively closes the connection.
• Unfortunately, the remote TCP stack cannot distinguish between a Connection Aborting RST and this Data Loss RST - both will cause the remote stack to throw away all the data it received but the application has not yet read. Some application protocols may violate the OSI model layers, using the TCP open/close handshaking for the application protocol open/close handshaking - these may run into the RST problem on active close.
• Each IP packet has a Time to Live (TTL) field that keeps track of the number of network devices the packet has passed through to reach its destination. The host sending the packet sets the initial TTL value, and each network device that the packet passes through then reduces this value by 1. If the TTL value reaches 0, the network device will discard the packet. This mechanism helps to ensure that bad routing on the Internet won't cause packets to loop aimlessly around the network without being removed. TTLs therefore help to reduce the clogging of data circuits with unnecessary traffic.
TCP Session States
• Because TCP is a “stateful” protocol, session status is kept track of as it moves from state to state.
• Common TCP Session States: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, CLOSED
TCP Session States
• TCP session states are displayed on a TCP/IP host using the netstat –an command:
netstat -an
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.218.186.109:139     0.0.0.0:0              LISTENING
  TCP    10.218.186.109:1072    172.24.17.70:1533      ESTABLISHED
  TCP    10.218.186.109:1343    172.24.17.63:1352      CLOSE_WAIT
  TCP    10.218.186.109:1345    172.24.8.58:30999      ESTABLISHED
  TCP    192.168.201.26:139     0.0.0.0:0              LISTENING
  TCP    192.168.201.26:2116    192.234.16.5:443       TIME_WAIT
  TCP    192.168.201.26:2126    192.234.16.5:443       ESTABLISHED
  UDP    0.0.0.0:427            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1045           *:*
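An added example (not from the slides): a small parser for the netstat -an listing above that turns it into records and answers the questions an administrator usually asks of it: how many sessions are in each state, which sockets are listening and on which interface address, and which remote hosts the machine currently has established sessions with. The sample text is the slide's output transcribed; the function names are my own. Sockets bound to 0.0.0.0 accept connections on every interface, which is why they are reported separately.

```python
from collections import Counter

# The slide's netstat -an output, transcribed as sample input.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.218.186.109:139     0.0.0.0:0              LISTENING
  TCP    10.218.186.109:1072    172.24.17.70:1533      ESTABLISHED
  TCP    10.218.186.109:1343    172.24.17.63:1352      CLOSE_WAIT
  TCP    10.218.186.109:1345    172.24.8.58:30999      ESTABLISHED
  TCP    192.168.201.26:139     0.0.0.0:0              LISTENING
  TCP    192.168.201.26:2116    192.234.16.5:443       TIME_WAIT
  TCP    192.168.201.26:2126    192.234.16.5:443       ESTABLISHED
  UDP    0.0.0.0:427            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1045           *:*
"""


def split_endpoint(text):
    """'10.0.0.1:139' -> ('10.0.0.1', 139); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket line; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else None   # UDP carries no state
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state})
    return rows


def state_counts(rows):
    """How many TCP sessions sit in each state."""
    return Counter(r["state"] for r in rows if r["state"])


def listeners(rows):
    """Sockets that accept traffic: TCP in LISTENING, and every UDP socket."""
    return [(r["proto"], r["local_host"], r["local_port"]) for r in rows
            if r["proto"] == "UDP" or r["state"] == "LISTENING"]


def all_interface_listeners(rows):
    """Listening sockets bound to 0.0.0.0, i.e. reachable on every interface."""
    return sorted({(proto, port) for proto, host, port in listeners(rows)
                   if host == "0.0.0.0"})


def remote_peers(rows):
    """Remote address -> remote ports of the ESTABLISHED sessions to it."""
    peers = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers.setdefault(r["foreign_host"], []).append(r["foreign_port"])
    return peers


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    print(state_counts(rows))
    print(all_interface_listeners(rows))
    print(remote_peers(rows))
```

On the slide's listing the state counts come out as 4 LISTENING, 3 ESTABLISHED, 1 CLOSE_WAIT and 1 TIME_WAIT; a listing with a large and growing CLOSE_WAIT count usually points at a local application that never closes sockets its peers have already finished with, and a large SYN_RECEIVED count at many half-completed handshakes.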
TCP Session States
• LISTEN: waiting for a connection request from any remote TCP and port (usually set by TCP servers).
• SYN-SENT: waiting for the remote TCP to send back a TCP packet with the SYN and ACK flags set (usually set by TCP clients).
• SYN-RECEIVED: waiting for the remote TCP to send back an acknowledgment after having sent back a connection acknowledgment to the remote TCP (usually set by TCP servers).
• ESTABLISHED: the port is ready to receive/send data from/to the remote TCP (set by TCP clients and servers).
• TIME-WAIT: waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. According to RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes.
• FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT and CLOSED all relate to various states of TCP session termination, depending on the method used (described above).
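To tie the state list to the handshakes on the preceding slides, here is an added example (my code, not the course's) of a TCP endpoint state machine. It holds the RFC 793 transitions for passive and active open, the three-way handshake, and the three close sequences the termination slides describe: the four-way close, the three-way close where host B answers a FIN with a combined FIN+ACK, and the simultaneous close that passes through CLOSING. Data transfer itself is not modelled, and the `Endpoint`, `deliver` and `run` names are my own.

```python
# (current state, event) -> (next state, flags of the segment to send, or None).
# Events are application calls ("passive open", "active open", "close",
# "2MSL timeout") or the arrival of a segment named by its flags.  In the
# close phase "recv FIN" is a FIN that does not acknowledge our own FIN,
# while "recv FIN+ACK" is a FIN that also acknowledges it (3-way close).
TRANSITIONS = {
    ("CLOSED", "passive open"):     ("LISTEN", None),
    ("CLOSED", "active open"):      ("SYN-SENT", "SYN"),
    ("LISTEN", "recv SYN"):         ("SYN-RECEIVED", "SYN+ACK"),
    ("SYN-SENT", "recv SYN+ACK"):   ("ESTABLISHED", "ACK"),
    ("SYN-RECEIVED", "recv ACK"):   ("ESTABLISHED", None),
    ("ESTABLISHED", "close"):       ("FIN-WAIT-1", "FIN"),
    ("ESTABLISHED", "recv FIN"):    ("CLOSE-WAIT", "ACK"),
    ("FIN-WAIT-1", "recv ACK"):     ("FIN-WAIT-2", None),
    ("FIN-WAIT-1", "recv FIN"):     ("CLOSING", "ACK"),      # simultaneous close
    ("FIN-WAIT-1", "recv FIN+ACK"): ("TIME-WAIT", "ACK"),    # 3-way close
    ("FIN-WAIT-2", "recv FIN"):     ("TIME-WAIT", "ACK"),
    ("CLOSE-WAIT", "close"):        ("LAST-ACK", "FIN"),
    ("CLOSING", "recv ACK"):        ("TIME-WAIT", None),
    ("LAST-ACK", "recv ACK"):       ("CLOSED", None),
    ("TIME-WAIT", "2MSL timeout"):  ("CLOSED", None),
}


class Endpoint:
    def __init__(self, name, close_on_fin=False):
        self.name = name
        self.state = "CLOSED"
        self.history = ["CLOSED"]
        # Like host B on the termination slide: when the application closes
        # immediately on receiving a FIN, the ACK and FIN go out as one segment.
        self.close_on_fin = close_on_fin

    def handle(self, event):
        """Apply one event; return the flags of the segment to send, or None."""
        if self.close_on_fin and (self.state, event) == ("ESTABLISHED", "recv FIN"):
            self._move("CLOSE-WAIT")
            self._move("LAST-ACK")
            return "FIN+ACK"
        try:
            new_state, out = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise ValueError(f"{self.name}: {event!r} is invalid in {self.state}")
        self._move(new_state)
        return out

    def _move(self, state):
        self.state = state
        self.history.append(state)


def deliver(sender, receiver, flags):
    """Carry a segment to the receiver and keep exchanging replies until
    neither side has anything to send."""
    a, b = sender, receiver
    while flags is not None:
        flags = b.handle("recv " + flags)
        a, b = b, a


def run(close_style):
    """Open a connection, close it one of three ways, return both histories."""
    client = Endpoint("client")
    server = Endpoint("server", close_on_fin=(close_style == "three-way"))
    server.handle("passive open")                        # bind: LISTEN
    deliver(client, server, client.handle("active open"))  # SYN, SYN+ACK, ACK
    if close_style == "four-way":
        deliver(client, server, client.handle("close"))   # client FIN, server ACK
        deliver(server, client, server.handle("close"))   # server FIN, client ACK
    elif close_style == "three-way":
        deliver(client, server, client.handle("close"))   # FIN, FIN+ACK, ACK
    elif close_style == "simultaneous":
        c_fin, s_fin = client.handle("close"), server.handle("close")
        c_ack = client.handle("recv " + s_fin)            # both reach CLOSING
        s_ack = server.handle("recv " + c_fin)
        client.handle("recv " + s_ack)
        server.handle("recv " + c_ack)
    else:
        raise ValueError(f"unknown close style {close_style!r}")
    for ep in (client, server):
        if ep.state == "TIME-WAIT":
            ep.handle("2MSL timeout")
    return client.history, server.history


if __name__ == "__main__":
    for style in ("four-way", "three-way", "simultaneous"):
        print(style, *run(style), sep="\n  ")
```

The histories show why the state names on the slide are what they are: the side that closes first passes through FIN-WAIT-1 and ends in TIME-WAIT, the side that closes second passes through CLOSE-WAIT and LAST-ACK, and only a simultaneous close ever reaches CLOSING. A segment that is invalid for the current state (a bare ACK arriving in LISTEN, for instance) raises an error rather than being accepted.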
ICMP Protocol and TCP/IP
• ICMP provides a suite of error, control, and informational messages for use by the operating system.
• IP packets will occasionally arrive at a server with corrupted data for any number of reasons, including a bad connection, electrical interference, or even misconfiguration. The server will usually detect this by examining the packet and correlating the contents to what it finds in the IP header's error control section. It will then issue an ICMP reject message to the original sending machine saying that the data should be re-sent because the original transmission was corrupted.
• ICMP also includes echo and echo reply messages used by the Linux ping command to confirm network connectivity. ICMP TTL expired messages are also sent by network devices back to the originating host whenever the TTL in a packet is decremented to zero.
• Note there is a UDP echo service that performs the same function as ICMP PING. On some systems the PING command can be used for either protocol.
Common TCP/UDP Port Numbers
Application        Port #
Echo (UDP PING)    UDP: 7
FTP                TCP: 20, 21
TELNET             TCP: 23
SMTP               TCP: 25
DNS                UDP: 53
DHCP               UDP: 67 (server), 68 (client)
TFTP               UDP: 69
HTTP               TCP: 80
Address Resolution Protocol (ARP)
• ARP is a Link Layer protocol that resolves IP addresses to local area network (LAN) MAC addresses. This function is an add-on to the original TCP/IP protocol suite because TCP/IP was originally created as a wide-area network protocol, not a LAN protocol.
• On Ethernet networks, these packets use an EtherType of 0x0806, and are sent to the broadcast MAC address of FF:FF:FF:FF:FF:FF.
• On a local network the host with the target IP address will “hear” the broadcast ARP request and respond with an ARP response, reversing the source and destination MAC and IP addresses and substituting its own MAC address for the broadcast address in the response packet. If the IP address is not on the local subnet, the TCP/IP stack will “arp” for the nearest gateway address to that IP address.
• ARP tables are usually kept in memory for a limited period of time. After an entry times out, the ARP broadcast process must be repeated.
• The arp –a command can usually be used to display the in-memory ARP table:
>arp –a
Interface: 10.218.186.104 --- 0x10005
  Internet Address      Physical Address      Type
  10.218.186.6          00-d0-01-e4-c4-00     dynamic
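An added example, not part of the slides: the request/response exchange above built and parsed byte for byte with the standard `struct` module. The request goes out in an Ethernet frame with EtherType 0x0806 to FF:FF:FF:FF:FF:FF, and the reply swaps the sender and target fields and fills in the responder's own MAC exactly as the slide describes. The final helper checks that a reply really is the counterpart of a request, which is the test to apply when a capture or an ARP table contains an entry nobody asked for. The interface address 10.218.186.104 and the entry 10.218.186.6 / 00-d0-01-e4-c4-00 are taken from the slide's arp -a output; the requester's MAC 02:00:00:00:00:01 is a constructed sample value, and all function names are my own.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_text(raw):
    return ":".join(f"{x:02x}" for x in raw)


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ip_text(raw):
    return ".".join(str(x) for x in raw)


def build_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip', broadcast to the whole segment.
    The target MAC is unknown, so that field is all zeros."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       b"\x00" * 6, ip_bytes(target_ip))
    eth = ETH_HDR.pack(mac_bytes(BROADCAST_MAC), mac_bytes(sender_mac), ETHERTYPE_ARP)
    return eth + arp


def parse_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict; reject anything else."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"eth_dst": mac_text(dst), "eth_src": mac_text(src), "opcode": op,
            "sender_mac": mac_text(sha), "sender_ip": ip_text(spa),
            "target_mac": mac_text(tha), "target_ip": ip_text(tpa)}


def build_reply(request_frame, my_mac):
    """Answer a request for our IP: sender and target swap places, and our
    own MAC replaces the zero/broadcast address.  The reply is unicast."""
    req = parse_frame(request_frame)
    if req["opcode"] != ARP_REQUEST:
        raise ValueError("can only reply to a request")
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(my_mac), ip_bytes(req["target_ip"]),
                       mac_bytes(req["sender_mac"]), ip_bytes(req["sender_ip"]))
    eth = ETH_HDR.pack(mac_bytes(req["sender_mac"]), mac_bytes(my_mac), ETHERTYPE_ARP)
    return eth + arp


def reply_answers(request_frame, reply_frame):
    """True when the reply is the counterpart of the request: the IP pair is
    swapped and the reply is addressed back to the requester's MAC."""
    req, rep = parse_frame(request_frame), parse_frame(reply_frame)
    return (rep["opcode"] == ARP_REPLY
            and rep["sender_ip"] == req["target_ip"]
            and rep["target_ip"] == req["sender_ip"]
            and rep["target_mac"] == req["sender_mac"]
            and rep["eth_dst"] == req["sender_mac"])


if __name__ == "__main__":
    # Constructed sample: the slide's interface asks for the slide's table entry.
    req = build_request("02:00:00:00:00:01", "10.218.186.104", "10.218.186.6")
    rep = build_reply(req, "00:d0:01:e4:c4:00")
    print(parse_frame(req))
    print(parse_frame(rep))
    print("reply matches request:", reply_answers(req, rep))
```

Both frames are 42 bytes (14 of Ethernet header plus the 28-byte ARP body). A reply that passes `reply_answers` is what populates the "dynamic" row shown in the arp -a listing; a reply that fails it, or that arrives with no matching request, is the kind of entry worth a closer look.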
Common TCP/IP Commands
• ping (address): check network connectivity to a specific address using ICMP or UDP.
• traceroute, tracert (address): trace the network “gateways” to a specific address. Used to trace the networks you go through to get there.
• arp –a: dump the in-memory ARP table.
• netstat: display network statistics info such as the routing table (-rn) or sessions (-an).
• ifconfig, ipconfig: display or set network interface information (UNIX, Windows).
• telnet (address) <port #>: in addition to the traditional usage, also used by network engineers for simple “port scanning”; that is, is this application <port#> open on the server at (address)?
• nslookup – resolve a DNS name to an IP address or vice versa
• hostname – display the hostname
• ss – system sockets