TCP/IP Protocols
Connection-oriented protocols (TCP)
– Guarantee that data arrives intact, in sequence, and without errors (acknowledgements, retransmission, checksums)
– Sacrifice speed for reliability
Connectionless protocols (UDP)
– Send datagrams without regard for guaranteed delivery (no handshake, no acknowledgements, no retransmission)
– Sacrifice reliability for speed
TCP 3-Way Handshake (Session Establishment)
To establish a connection, the three-way (or 3-step) handshake occurs:
- The active open is performed by the client sending a SYN to the server. The client picks its initial sequence number (ISN); the SYN itself occupies one sequence number. The client's send/receive counters are set.
- In response, the server replies with a SYN-ACK: its own ISN in the sequence field and the client's ISN + 1 in the acknowledgement field. The server's send/receive counters are set.
- Finally the client sends an ACK back to the server, acknowledging the server's ISN + 1. Both sides are now ESTABLISHED.
TCP/IP Applications
TCP / UDP applications are identified by a destination port #.
Well-known (reserved) port #’s (0 – 1023) are assigned by IANA and documented in RFCs.
Registered ports 1024 – 49151 are assigned by IANA on request (not necessarily defined by an RFC).
Source port #’s are (usually) ephemeral ports chosen by the client's TCP/IP stack from a stack-specific range above 1023 (for example 1024+, 32768 – 60999 on current Linux, or the IANA dynamic range 49152 – 65535).
Common TCP application ports: FTP (20 data, 21 control) SSH (22) TELNET (23) SMTP (25) HTTP (80) HTTPS (443)
TCP Session Transfer
During data transfer, TCP enforces:
- Ordered data transfer - the destination host rearranges segments according to sequence number
- Retransmission of lost packets - any part of the stream not acknowledged within the retransmission timeout is retransmitted
- Discarding duplicate packets - a segment whose sequence range has already been received is dropped (an ACK for the expected sequence number is still sent)
- Error-free data transfer - a checksum covers header and data; a corrupted segment is discarded and later retransmitted
- Flow control - limits the rate a sender transfers data to what the receiver can accept. The receiver advertises its free buffer space as the window size; when the receiving host's buffer fills, the next acknowledgement contains a 0 in the window size, which stops the transfer until the buffered data has been processed and a non-zero window is advertised again
- Congestion control - the sender also keeps a congestion window (slow start, congestion avoidance) that limits data in flight to what the network path can carry; the amount of unacknowledged data in flight is bounded by the smaller of the two windows (the TCP sliding window)
TCP Session Termination
The connection termination phase uses, at most, a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN segment, which the other end acknowledges with an ACK. Therefore, a typical tear-down requires a pair of FIN and ACK segments from each TCP endpoint.
Between the two FINs the connection is "half-closed": the side that sent its FIN can no longer send data but can still receive, and the other side may keep sending until it closes in turn. If the other side never closes, the connection remains in this state until a timeout or a RST aborts it, with the possible result of lost data. A RST carries no reason code, so there is no way for the side that receives it to determine whether it was a data-loss reset or a connection-abort reset.
(RFC 793 uses "half-open" for the different case where one side has lost all knowledge of the connection, e.g. after a crash; its answer to any segment on that connection is a RST.)
Connection termination by a 3-way handshake can also occur when host A sends a FIN, host B replies with a single segment carrying both FIN and ACK, and host A replies with an ACK.
TCP Session States
Displayed by "netstat -an". Some OSes allow options to display the process controlling an open port - "netstat -anb" (requires elevation) under Windows, "netstat -pan" or "ss -tanp" under Linux, or "lsof -i" under some UNIXes.
LISTEN represents waiting for a connection request from any remote TCP and port. (usually set by TCP servers)
SYN-SENT represents waiting for the remote TCP to send back a TCP segment with the SYN and ACK flags set. (usually set by TCP clients)
SYN-RECEIVED represents waiting for the remote TCP to send back an acknowledgment after having sent back a connection acknowledgment (SYN-ACK) to the remote TCP. (usually set by TCP servers; many entries stuck in this state that never reach ESTABLISHED are the signature of a SYN flood)
ESTABLISHED represents that the port is ready to receive/send data from/to the remote TCP. (set by TCP clients and servers)
TIME-WAIT represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. The wait is 2 × MSL (maximum segment lifetime); with the 2-minute MSL of RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes (most current stacks use 30 – 120 seconds).
FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, CLOSED all relate to various states of TCP session termination depending on the method used: FIN-WAIT-1 then FIN-WAIT-2 on the side that closed first, CLOSE-WAIT then LAST-ACK on the side that closes second, CLOSING when both FINs cross (simultaneous close).
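The handshake, ordered data transfer with duplicate discarding, the four-way and three-way closes, and the state names above can all be seen in one trace with the model below. It is an added example, not code from the original notes: two in-memory endpoints exchange segment objects (no sockets), the ISNs 1000 and 5000 and the request bytes are constructed so the trace is deterministic (a real stack randomises ISNs), and window sizes, timers and checksums are deliberately left out.

```python
"""Model of a TCP session: 3-way handshake, data transfer, four-way/three-way close.

Added example (not from the original notes). Two in-memory endpoints exchange
segments; no sockets are used. ISNs are fixed so the trace is deterministic.
"""


class Segment:
    def __init__(self, src, dst, flags, seq, ack, payload=b""):
        self.src, self.dst, self.flags = src, dst, frozenset(flags)
        self.seq, self.ack, self.payload = seq, ack, payload

    def __str__(self):
        return (f"{self.src}->{self.dst} {'/'.join(sorted(self.flags))} "
                f"seq={self.seq} ack={self.ack} len={len(self.payload)}")


class Endpoint:
    def __init__(self, name, isn):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn      # next sequence number this side will send
        self.rcv_nxt = 0        # next sequence number expected from the peer
        self.received = bytearray()

    def _segment(self, dst, flags, payload=b""):
        seg = Segment(self.name, dst, flags, self.snd_nxt, self.rcv_nxt, payload)
        # SYN and FIN each consume one sequence number; data consumes len(payload)
        self.snd_nxt += len(payload) + ("SYN" in flags) + ("FIN" in flags)
        return seg

    # application-driven actions: passive open, active open, send, close
    def listen(self):
        self.state = "LISTEN"

    def connect(self, dst):
        self.state = "SYN-SENT"
        return self._segment(dst, {"SYN"})

    def send_data(self, dst, payload):
        assert self.state == "ESTABLISHED"
        return self._segment(dst, {"ACK"}, payload)

    def close(self, dst):
        # first to close -> FIN-WAIT-1; closing after the peer's FIN -> LAST-ACK
        self.state = {"ESTABLISHED": "FIN-WAIT-1", "CLOSE-WAIT": "LAST-ACK"}[self.state]
        return self._segment(dst, {"FIN", "ACK"})

    # segment arrival: update state and return the reply segment (or None)
    def receive(self, seg):
        f, peer = seg.flags, seg.src
        if self.state == "LISTEN" and "SYN" in f:
            self.rcv_nxt = seg.seq + 1
            self.state = "SYN-RECEIVED"
            return self._segment(peer, {"SYN", "ACK"})
        if self.state == "SYN-SENT" and {"SYN", "ACK"} <= f and seg.ack == self.snd_nxt:
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return self._segment(peer, {"ACK"})
        if self.state == "SYN-RECEIVED" and "ACK" in f and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            return None
        if seg.payload:
            if seg.seq == self.rcv_nxt:           # in order: accept it
                self.received += seg.payload
                self.rcv_nxt += len(seg.payload)
            # duplicate or out of order: discard, but re-advertise what we expect
            return self._segment(peer, {"ACK"})
        if "FIN" in f and seg.seq == self.rcv_nxt:
            self.rcv_nxt += 1                     # the FIN consumes one sequence number
            if self.state == "ESTABLISHED":
                self.state = "CLOSE-WAIT"         # peer's half is closed; we may still send
            elif self.state == "FIN-WAIT-1" and seg.ack == self.snd_nxt:
                self.state = "TIME-WAIT"          # three-way close: FIN+ACK answered our FIN
            elif self.state == "FIN-WAIT-2":
                self.state = "TIME-WAIT"
            return self._segment(peer, {"ACK"})
        if "ACK" in f and seg.ack == self.snd_nxt:
            if self.state == "FIN-WAIT-1":
                self.state = "FIN-WAIT-2"         # our FIN was acknowledged, wait for theirs
            elif self.state == "LAST-ACK":
                self.state = "CLOSED"
        return None


def run(three_way_close=False):
    """Drive a whole session; return (client, server, list of segment strings)."""
    client, server = Endpoint("client", isn=1000), Endpoint("server", isn=5000)
    ends, log = {"client": client, "server": server}, []

    def deliver(seg):
        while seg is not None:                    # deliver a segment and any replies it triggers
            log.append(str(seg))
            seg = ends[seg.dst].receive(seg)

    server.listen()
    deliver(client.connect("server"))                           # SYN, SYN/ACK, ACK
    data = client.send_data("server", b"GET / HTTP/1.0\r\n")    # constructed request
    deliver(data)
    deliver(data)                                               # retransmitted copy: discarded, re-ACKed
    fin = client.close("server")
    if three_way_close:
        log.append(str(fin))
        server.receive(fin)                       # server withholds the lone ACK and ...
        deliver(server.close("client"))           # ... sends FIN+ACK in one segment
    else:
        deliver(fin)                              # FIN, ACK  (server -> CLOSE-WAIT)
        deliver(server.close("client"))           # FIN, ACK  (client -> TIME-WAIT, server -> CLOSED)
    return client, server, log


if __name__ == "__main__":
    print("\n".join(run()[2]))
```

Running it prints the eleven segments of the four-way variant; note that the client, which closed first, finishes in TIME-WAIT while the server reaches CLOSED, and that the retransmitted copy of the data segment is answered with an ACK but never appended twice to the received stream.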
TCP/IP TTL
Each IP packet has a Time to Live (TTL) field (Hop Limit in IPv6) that bounds the number of routers the packet may pass through on the way to its destination. The sending host sets the initial TTL value (commonly 64, 128 or 255 depending on the OS), and each router that forwards the packet reduces this value by 1. If the TTL value reaches 0, the router discards the packet and normally sends an ICMP Time Exceeded message back to the source. See the TRACEROUTE command, which maps a path by sending probes with TTL 1, 2, 3, ... and recording which router answers each one.
This mechanism helps to ensure that bad routing on the Internet won't cause packets to loop aimlessly around the network without ever being removed. TTLs therefore help to reduce the clogging of data circuits with unnecessary traffic.
TCP/IP and the LAN
IP was originally designed as a WAN protocol.
Address Resolution Protocol (ARP) is a link-layer protocol that resolves IPv4 addresses to MAC addresses on the local area network segment (Layer 2) that a host is connected to. On Ethernet networks, these packets use an EtherType of 0x0806, and requests are sent to the broadcast MAC address FF:FF:FF:FF:FF:FF.
Every host on the local segment "hears" the broadcast ARP request; the host that owns the target IP address responds with an ARP reply, unicast to the requester, in which the sender and target MAC/IP fields are swapped and its own MAC address replaces the unknown (all-zero) target hardware address of the request.
All local LAN segment communication via IP uses ARP. Even when routing to a different network, the host ARPs for the gateway to that network (the first-hop router), never for the remote address itself.
ARP entries matching IP to MAC address are kept in memory on the local host in the "arp cache" for a TCP/IP-stack-determined period of time; the cache is displayed with the command "arp -a" (or "ip neigh" on Linux). ARP has no authentication: the cache stores whatever reply arrives, which is why a forged reply can redirect a host's traffic (ARP spoofing).
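The request/reply exchange and the cache behaviour described above, as an added example that is not part of the original notes: it builds and parses Ethernet/IPv4 ARP frames with the RFC 826 field layout, answers a request by swapping the sender and target fields, and keeps a minimal cache with an expiry time. The MAC addresses (locally administered 02:00:... values), the 192.0.2.0/24 documentation addresses and the 60-second lifetime are constructed assumptions.

```python
"""Build and parse Ethernet/ARP frames and model the ARP cache.

Added example (not from the original notes). MAC and IP addresses used by the
caller are constructed (documentation range 192.0.2.0/24, locally administered MACs).
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen oper sha spa tha tpa (RFC 826)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Return a 42-byte Ethernet frame carrying one Ethernet/IPv4 ARP message."""
    body = ARP_HDR.pack(1, 0x0800, 6, 4, oper,
                        mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                        mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP) + body


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict; reject anything else."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def arp_request(my_mac, my_ip, target_ip):
    """Who has target_ip? Broadcast; the target hardware address is unknown (all zero)."""
    return build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip, BROADCAST)


def arp_reply(request_frame, my_mac, my_ip):
    """Answer a request for my_ip: swap sender/target, fill in our MAC, unicast it back."""
    req = parse_arp(request_frame)
    if req["oper"] != ARP_REQUEST or req["tpa"] != my_ip:
        return None                              # not a request, or not for us
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sha"], req["spa"], eth_dst=req["sha"])


def learn(cache, frame, now, lifetime=60.0):
    """Store the sender mapping of an ARP message with an expiry time (assumed 60 s).
    There is no authentication: a later reply for the same IP simply overwrites the entry."""
    msg = parse_arp(frame)
    cache[msg["spa"]] = (msg["sha"], now + lifetime)


def lookup(cache, ip, now):
    """Return the cached MAC for ip, or None if absent or expired."""
    entry = cache.get(ip)
    if entry is None or now >= entry[1]:
        return None
    return entry[0]
```

The expiry is driven by a caller-supplied clock value so the timeout can be exercised without waiting; the overwrite-on-any-reply behaviour in `learn` is the property that ARP spoofing relies on.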
TCP stack datasets (UNIX/LINUX)
/etc/services maps port numbers to named services: mostly the IANA well-known ports under 1024 (originally published in RFC 1700, now kept in the online IANA registry) and registered ports 1024 – 49151.
/etc/networks maps network numbers to network names as seen by the server.
/etc/protocols maps IP protocol names to IP protocol numbers (e.g. tcp 6, udp 17) as seen by the server.
/etc/nsswitch.conf sets the lookup order (files, dns, ldap, ...) for every name database: hosts, services, protocols, passwd, and so on.
/etc/host.conf is the older resolver setting for the host-name lookup order (largely superseded by nsswitch.conf).
/etc/hosts contains local, static host name to IP address mappings.
/etc/resolv.conf contains the nameserver addresses and search domains used for locating name/address mappings from a separate (DNS) server.
/etc/named.conf is the configuration file of the BIND DNS server (named), not of the TCP stack itself; it is only present on hosts that run a DNS server.
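A parser for the /etc/services format, serving both the port-number ranges on the TCP/IP Applications slide and the file description above, as an added example that is not part of the original notes. SAMPLE_SERVICES is a constructed excerpt in /etc/services syntax (not a copy of any system's file) and includes a comment line, aliases and a malformed line to show how each is handled; the range names follow the IANA split (well-known 0 – 1023, registered 1024 – 49151, dynamic 49152 – 65535).

```python
"""Parse the /etc/services format and classify port numbers.

Added example (not from the original notes). SAMPLE_SERVICES is a constructed
excerpt in /etc/services syntax, not a copy of any system's file.
"""

SAMPLE_SERVICES = """\
# Network services, Internet style (constructed excerpt)
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
telnet          23/tcp
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
http            80/tcp          www             # WorldWideWeb HTTP
https           443/tcp
ms-sql-s        1433/tcp                        # Microsoft-SQL-Server
bogus-line-without-port
"""


def parse_services(text):
    """Return {(port, proto): (name, [aliases])}; comments and malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # malformed entry: ignore it
        name, port_proto, *aliases = fields
        port, proto = port_proto.split("/", 1)
        if not port.isdigit():
            continue
        table[(int(port), proto)] = (name, aliases)
    return table


def port_class(port):
    """IANA port ranges: well-known 0-1023, registered 1024-49151, dynamic/private 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port < 1024:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def service_name(table, port, proto="tcp"):
    """Forward lookup: service name registered for port/proto, or None."""
    entry = table.get((port, proto))
    return entry[0] if entry else None


def port_for(table, name, proto="tcp"):
    """Reverse lookup: port for a service name or one of its aliases, or None."""
    for (port, p), (svc, aliases) in table.items():
        if p == proto and (svc == name or name in aliases):
            return port
    return None


def describe(table, port, proto="tcp"):
    """One-line summary such as '22/tcp: ssh (well-known)'."""
    return f"{port}/{proto}: {service_name(table, port, proto) or 'unassigned'} ({port_class(port)})"


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for port in (22, 53, 443, 1433, 8080, 50000):
        print(describe(services, port))
```

To run it against a real system file, replace SAMPLE_SERVICES with the contents of /etc/services; the parser only relies on the name, port/proto and alias columns, so extra whitespace and comment styles found on different UNIX variants are handled the same way.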