Presentation on theme: "Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”."— Presentation transcript:
1 Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
2 Chapter 8TCP/IPThis chapter examines the underlying communications software required to supportdistributed applications in businesses and other organizations. We will see that therequired software is substantial. To make the task of implementing this communicationssoftware manageable, a modular structure known as a protocol architectureis used. The emergence of the Internet as a fundamental component in enterprisenetworks has meant that the TCP/IP suite has become the protocol architecture thatis most important for business data communications students to know.The transition to IP-based telecommunications has become so widespread thatis beginning to spawn new buzzwords: everything over IP (EOIP) and IP over everything(IPOE). This transition has taken hold in both business enterprises and otherorganizations, including the U.S. Defense Department and its Defense InformationSystems agency [JONE09]. EOIP has become the Holy Grail of enterprise networksand it fuels business interest in converged networks. EOIP encourages the developmentof IP applications for all major types of business data (voice, video, image, anddata) as well as IP-based, or IP-compliant, telecommunications transport.There is a lot to the multifaceted TCP/IP suite, so we begin this chapterby introducing a simple protocol architecture consisting of just three modules, orlayers. This will allow us to present the key characteristics and design featuresof a protocol architecture without getting bogged down in details. With thisbackground, we are then ready to examine the world’s most important protocolarchitecture: TCP/IP (Transmission Control Protocol/Internet Protocol). TCP/IPis an Internet-based standard and is the framework for developing a completerange of computer communications standards. Virtually all computer vendorsnow provide support for this architecture. Open Systems Interconnection (OSI)is another standardized architecture that is often used to describe communicationsfunctions but that is now rarely implemented. For the interested reader, OSIis covered in Appendix L.Following a discussion of TCP/IP, the important concept of internetworking isexamined. Inevitably, a business will require the use of more than one communicationsnetwork. Some means of interconnecting these networks is required, and thisraises issues that relate to the protocol architecture.
3 The Need for a Protocol Architecture Computer communicationsThe exchange of information between computers for the purpose of cooperative actionComputer networkTwo or more computers interconnected via a communication networkA protocol is used for communication between entities in different systemsEntityAnything capable of sending or receiving informationExamples are user application programs, file transfer packages, database management systems, electronic mail facilities, and terminalsSystemA physically distinct object that contains one or more entitiesExamples are computers, terminals, and remote sensorsThe exchange of information between computers for the purpose of cooperativeaction is generally referred to as computer communications . Similarly, whentwo or more computers are interconnected via a communication network, the setof computer stations is referred to as a computer network . Because a similar level ofcooperation is required between a terminal and a computer, these terms are oftenused when some of the communicating entities are terminals.In discussing computer communications and computer networks, two conceptsare paramount:• Protocols• Computer communications architecture, or protocol architectureA protocol is used for communication between entities in different systems.The terms entity and system are used in a very general sense. Examples ofentities are user application programs, file transfer packages, database managementsystems, electronic mail facilities, and terminals. Examples of systems arecomputers, terminals, and remote sensors. Note that in some cases the entity andthe system in which it resides are coextensive (e.g., terminals). In general, anentity is anything capable of sending or receiving information, and a system is aphysically distinct object that contains one or more entities.
4 ProtocolA set of rules governing the exchange of data between two entitiesKey elements:SyntaxIncludes such things as data format and signal levelsSemanticsIncludes control information for coordination and error handlingTimingIncludes speed matching and sequencingFor two entities to communicate successfully, they must “speak the same language.”What is communicated, how it is communicated, and when it is communicated must conformto mutually agreed conventions among the entities involved. The conventionsare referred to as a protocol , which may be defined as a set of rules governingthe exchange of data between two entities. The key elements of a protocol areas follows:• Syntax: Includes such things as data format and signal levels• Semantics: Includes control information for coordination and error handling• Timing: Includes speed matching and sequencingAppendix 8B provides a specific example of a protocol, the Internet standardTrivial File Transfer Protocol (TFTP).
5 Protocol Architecture Having introduced the concept of a protocol, we can now introduce the conceptof a protocol architecture . It is clear that there must be a high degree of cooperationbetween the two computer systems engaged in a cooperative application. Instead ofimplementing the logic for this as a single module, the task is broken up into subtasks,each of which is implemented separately. The result is a layered architecture,with peer entities at each layer performing subtasks appropriate to the layer. As anexample, Figure 8.1 suggests the way in which a file transfer facility could be implementedbetween two computer systems connected by a network. Three modules areused. Tasks 3 and 4 in the preceding list could be performed by a file transfer module .The two modules on the two systems exchange files and commands. However, ratherthan requiring the file transfer module to deal with the details of actually transferringdata and commands, the file transfer modules each rely on a communications servicemodule . This module is responsible for making sure that the file transfer commandsand data are reliably exchanged between systems. The manner in which a communicationsservice module functions is explored subsequently. Among other things, thismodule would perform task 2. Finally, the nature of the exchange between the twocommunications service modules is independent of the nature of the network thatinterconnects them. Therefore, rather than building details of the network interfaceinto the communications service module, it makes sense to have a third module, anetwork access module , that performs task 1 by interacting with the network.To summarize, the file transfer module contains all the logic that is unique tothe file transfer application, such as transmitting passwords, file commands, and filerecords. These files and commands must be transmitted reliably. However, the same sortsof reliability requirements are relevant to a variety of applications (e.g., electronic mail,document transfer). Therefore, these requirements are met by a separate communicationsservice module that can be used by a variety of applications. The communicationsservice module is concerned with assuring that the two computer systems are active andready for data transfer and for keeping track of the data that are being exchanged toassure delivery. However, these tasks are independent of the type of network that isbeing used. Therefore, the logic for actually dealing with the network is put into a separatenetwork access module. If the network to be used is changed, only the networkaccess module is affected.Thus, instead of a single module for performing communications, there is astructured set of modules that implements the communications function. That structureis referred to as a protocol architecture . An analogy might be useful at this point.Suppose an executive in office X wishes to send a document to an executive in office Y.The executive in X prepares the document and perhaps attaches a note. This correspondsto the actions of the file transfer application in Figure 8.1. Then the executivein X hands the document to a secretary or administrative assistant (AA). The AA inX puts the document in an envelope and puts Y’s address and X’s return address onthe outside. Perhaps the envelope is also marked “confidential.” The AA’s actionscorrespond to the communications service module in Figure 8.1. The AA in X thengives the package to the shipping department. Someone in the shipping departmentdecides how to send the package: mail, UPS, or express courier. The shipping departmentattaches the appropriate postage or shipping documents to the package andships it out. The shipping department corresponds to the network access module ofFigure 8.1. When the package arrives at Y, a similar layered set of actions occurs. Theshipping department at Y receives the package and delivers it to the appropriateAA or secretary based on the name on the package. The AA opens the package andhands the enclosed document to the executive to whom it is addressed.Another important aspect of a protocol architecture is that modules in differentsystems communicate with peer modules on the same level. Thus, the file transfermodule can focus on what it wants to communicate to a peer file transfer module on theother system (represented by the dotted line between the two modules in Figure 8.1).In the remainder of this section, we generalize the example of Figure 8.1 topresent a simplified protocol architecture. Following that, we look at the real-worldexample of TCP/IP.
6 Three-Layer ModelDistributed data communications involves three primary components:NetworksComputersApplicationsThree corresponding layersNetwork access layerTransport layerApplication layerIn very general terms, distributed data communications can be said to involve threeagents: applications, computers, and networks. In Chapter 10, we look at severalapplications; examples include file transfer and electronic mail. These applicationsexecute on computers that typically support multiple simultaneous applications.Computers are connected to networks, and the data to be exchanged are transferredby the network from one computer to another. Thus, the transfer of data from oneapplication to another involves first getting the data to the computer in which the applicationresides and then getting it to the intended application within the computer.With these concepts in mind, it appears natural to organize the communicationtask into three relatively independent layers: network access layer, transport layer,and application layer.
7 Network Access LayerConcerned with the exchange of data between a computer and the network to which it is attachedThe specific software used at this layer depends on the type of network to be usedDifferent standards have been developed for circuit switching, packet switching and LANsIEEE 802 is a standard that specifies the access to a LANThe network access layer is concerned with the exchange of data between a computerand the network to which it is attached. The sending computer must provide thenetwork with the address of the destination computer, so that the network may route thedata to the appropriate destination. The sending computer may wish to invoke certainservices, such as priority, that might be provided by the network. The specific softwareused at this layer depends on the type of network to be used; different standards havebeen developed for circuit switching, packet switching, local area networks (LANs),and others. For example, IEEE 802 is a standard that specifies the access to a LAN;this standard is described in Part Three. It makes sense to put those functions having todo with network access into a separate layer. By doing this, the remainder of the communicationssoftware, above the network access layer, need not be concerned aboutthe specifics of the network to be used. The same higher-layer software should functionproperly regardless of the particular network to which the computer is attached.
8 Concerned with reliable transfer of information between applications Transport LayerConcerned with reliable transfer of information between applicationsMechanisms for providing reliability are essentially independent of the nature of the applicationsAssurance that all of the data arrive at the destination application and that the data arrive in the same order in which they were sentThe transport layer is a common layer shared by all applications where these mechanisms can be collectedRegardless of the nature of the applications that are exchanging data, there isusually a requirement that data be exchanged reliably. That is, we would like to beassured that all of the data arrive at the destination application and that the dataarrive in the same order in which they were sent. As we shall see, the mechanismsfor providing reliability are essentially independent of the nature of the applications.Thus, it makes sense to collect those mechanisms in a common layer shared by allapplications; this is referred to as the transport layer .
9 Contains the logic needed to support the various user applications Application LayerContains the logic needed to support the various user applicationsA separate module is needed for each different type of application such as file transfer, that is peculiar to that applicationFinally, the application layer contains the logic needed to support the varioususer applications. For each different type of application, such as file transfer, a separatemodule is needed that is peculiar to that application.
10 Protocol Architectures Figure 8.2 shows three computers connected to a network. Each computer contains software at thenetwork access and transport layers and software at the application layer for oneor more applications. For successful communication, every entity in the overallsystem must have a unique address. In our three-layer model, two levels of addressingare needed. Each computer on the network has a unique network address;this allows the network to deliver data to the proper computer. Each applicationon a computer has an address that is unique within that computer; this allows thetransport layer to support multiple applications at each computer. These latteraddresses are known as service access points (SAPs) , or ports , connoting the factthat each application is individually accessing the services of the transport layer.Figure 8.2 indicates that modules at the same level (peers) on different computerscommunicate with each other by means of a protocol. An application entity(e.g., a file transfer application) in one computer communicates with an applicationin another computer via an application-level protocol (e.g., the File TransferProtocol). The interchange is not direct (indicated by the dashed line) but is mediatedby a transport protocol that handles many of the details of transferring databetween two computers. The transport protocol is also not direct, but relies on anetwork-level protocol to achieve network access and to route data through thenetwork to the destination system. At each level, the cooperating peer entities focuson what they need to communicate to each other.Let us trace a simple operation. Suppose that an application, associated withport 1 at computer A, wishes to send a message to another application, associatedwith port 2 at computer B. The application at A hands the message over to its transportlayer with instructions to send it to port 2 on computer B. The transport layerhands the message over to the network access layer, which instructs the network tosend the message to computer B. Note that the network need not be told the identityof the destination port. All that it needs to know is that the data are intendedfor computer B.
11 Protocols in a Simplified Architecture To control this operation, control information, as well as user data, must betransmitted, as suggested in Figure 8.3. Let us say that the sending application generatesa block of data and passes this to the transport layer. The transport layer maybreak this block into two smaller pieces for convenience, as discussed subsequently.To each of these pieces the transport layer appends a transport header , containingprotocol control information. The combination of data from the next higher layerand control information is known as a protocol data unit (PDU) ; in this case, it isreferred to as a transport PDU. Transport PDUs are typically called segments . Theheader in each segment contains control information to be used by the peer transportprotocol at computer B. Examples of items that may be stored in this headerinclude the following:• Source port: This indicates that application that sent the data.• Destination port: When the destination transport layer receives the segment, itmust know to which application the data are to be delivered.• Sequence number: Because the transport protocol is sending a sequence ofsegments, it numbers them sequentially so that if they arrive out of order, thedestination transport entity may reorder them.• Error-detection code: The sending transport entity may include a code that isa function of the contents of the segment. The receiving transport protocolperforms the same calculation and compares the result with the incomingcode. A discrepancy results if there has been some error in transmission. Inthat case, the receiver can discard the segment and take corrective action.This code is also referred to as a checksum or frame check sequence.The next step is for the transport layer to hand each segment over to the networklayer, with instructions to transmit it to the destination computer. To satisfythis request, the network access protocol must present the data to the network witha request for transmission. As before, this operation requires the use of controlinformation. In this case, the network access protocol appends a network accessheader to the data it receives from the transport layer, creating a network accessPDU, typically called a packet . Examples of the items that may be stored in theheader include the following:• Source computer address: Indicates the source of this packet.• Destination computer address: The network must know to which computer onthe network the data are to be delivered.• Facilities requests: The network access protocol might want the network tomake use of certain facilities, such as priority.Note that the transport header is not “visible” at the network access layer;the network access layer is not concerned with the contents of the transportsegment.The network accepts the network packet from A and delivers it to B. Thenetwork access module in B receives the packet, strips off the packet header, andtransfers the enclosed transport segment to B’s transport layer module. The transportlayer examines the segment header and, on the basis of the port field in theheader, delivers the enclosed record to the appropriate application, in this case thefile transfer module in B.
12 Standardized Protocol Architectures Vendors like standards because they make their products more marketableCustomers like standards because they enable products from different vendors to interoperateTwo protocol architectures have served as the basis for the development of interoperable protocol standards:TCP/IP suiteOSI reference modelA widely used proprietary scheme is IBM’s Systems Network Architecture (SNA)When communication is desired among computers from different vendors, thesoftware development effort can be a nightmare. Different vendors use differentdata formats and data exchange protocols. Even within one vendor’s product line,different model computers may communicate in unique ways.Now that computer communications and computer networking are ubiquitous,a one-at-a-time special-purpose approach to communications software developmentis too costly to be acceptable. The only alternative is for computer vendors toadopt and implement a common set of conventions. For this to happen, standards areneeded. Such standards would have two benefits:• Vendors feel encouraged to implement the standards because of an expectationthat, because of wide usage of the standards, their products would be lessmarketable without them.• Customers are in a position to require that the standards be implemented byany vendor wishing to propose equipment to them.Two protocol architectures have served as the basis for the development ofinteroperable protocol standards: the TCP/IP suite and the OSI reference model.TCP/IP is by far the most widely used interoperable architecture. OSI, thoughwell known, has never lived up to its early promise. There is also a widely usedproprietary scheme: IBM’s Systems Network Architecture (SNA). Although IBMprovides support for TCP/IP, it continues to use SNA, and this latter architecturewill remain important for some years to come. The remainder of the chapter looksin some detail at TCP/IP. OSI and SNA are summarized in Appendices I and F,respectively.
13 TCP/IP Architecture Organized into five relatively independent layers: Result of protocol research and development conducted on the experimental packet- switched network, ARPANETProtocol suite consists of a large collection of protocols that have been issued as Internet standards by the Internet Activities Board (IAB)No official TCP/IP modelOrganized into five relatively independent layers:Application layerHost-to-host, or transport layerInternet layerNetwork access layerPhysical layerTCP/IP is a result of protocol research and development conducted on the experimentalpacket-switched network, ARPANET, funded by the Defense AdvancedResearch Projects Agency (DARPA), and is generally referred to as the TCP/IPsuite. This protocol suite consists of a large collection of protocols that have beenissued as Internet standards by the Internet Activities Board (IAB). Appendix Bprovides a discussion of Internet standards.There is no official TCP/IP model as there is in the case of OSI. However, based onthe protocol standards that have been developed, we can organize the communicationtask for TCP/IP into five relatively independent layers:• Application layer• Host-to-host, or transport layer• Internet layer• Network access layer• Physical layer
14 TCP is the most commonly used protocol at the transport layer TCP/IP LayersTCP is the most commonly used protocol at the transport layerThe Internet Protocol (IP) is used at the internet layer to provide the routing function across multiple networksA router is a device that connects two networks and whose primary function is to relay data from one network to the other on a route from the source to the destination end systemThe network access layer provides the attached network with the information needed to reach a router that connects the network to the next network on the route to the destinationThe physical layer is concerned with specifying the characteristics of the transmission medium, the nature of the signals, the data rate, and related mattersThe application layer and transport layer correspond to the top two layersdescribed in the three-layer model of Section 8.1. At the transport layer, TCP is themost commonly used protocol.In those cases where two devices are attached to different networks, proceduresare needed to allow data to traverse multiple interconnected networks. This isthe function of the internet layer. The Internet Protocol (IP) is used at this layer toprovide the routing function across multiple networks. This protocol is implementednot only in the end systems but also in routers. A router is a device that connects twonetworks and whose primary function is to relay data from one network to the otheron a route from the source to the destination end system.The network access layer was also discussed in our three-layer model. Let usconsider the case in which two computers that wish to communicate are both connectedto the same network, such as the same LAN or the same wide area network(WAN). The sending computer must provide the network with the address of thedestination computer, so that the network may route the data to the appropriate destination.In the case in which the two communicating computers are not connected tothe same network, the data transfer must occur as a sequence of hops across multiplenetworks. In this latter case, the network access layer is concerned with access to onenetwork along the route. Thus, from the source computer, the network access layerprovides the attached network with the information needed to reach a router thatconnects this network to the next network on the route to the destination.The physical layer covers the physical interface between a data transmissiondevice (e.g., workstation, computer) and a transmission medium or network. Thislayer is concerned with specifying the characteristics of the transmission medium,the nature of the signals, the data rate, and related matters.
15 TCP/IP ConceptsFigure 8.4 indicates how the TCP/IP architecture is configured for communications.Compare this with Figure 8.2. The architectural difference is the inclusion of theinternet layer, which allows for multiple networks connected by routers. Some sortof network access protocol, such as the Ethernet or Wi-Fi logic, is used to connect acomputer to a network. This protocol enables the host to send data across the networkto another host or, in the case of a host on another network, to a router. IP isimplemented in all end systems and routers. It acts as a relay to move a block of datafrom one host, through one or more routers, to another host. TCP is implementedonly in the end systems; it keeps track of the blocks of data being transferred toassure that all are delivered reliably to the appropriate application.The figure highlights the levels of addressing of the TCP/IP architecture. Eachhost on a network must have a unique network address that identifies the host onthat network. In addition, each host has a unique global Internet address; this allowsthe data to be delivered to the proper host. This address is used by IP for routingand delivery. Each application within a host must have port number that is uniquewithin the host; this allows the host-to-host protocol (TCP) to deliver data to theproper process.
16 PDUs in the TCP/IP Architecture As was shown in Figure 8.3 for a three-layer architecture, it is relatively easy totrace the operation of the four-layer TCP/IP model. For a transfer between applicationsin hosts A and B, control information as well as user data must be transmitted,as suggested in Figure 8.5. Let us say that the sending process generates a block ofdata and passes this to TCP. TCP appends control information known as the TCPheader, forming a TCP segment. The control information is to be used by the peerTCP entity at host B.Next, TCP hands each segment over to IP, with instructions to transmit it to B.These segments must be transmitted across one or more networks and relayedthrough one or more intermediate routers. This operation, too, requires the use ofcontrol information. Thus IP appends a header of control information to each segmentto form an IP datagram . An example of an item stored in the IP header is thedestination host address (in this example, B).Finally, each IP datagram is presented to the network access layer for transmissionacross the first network in its journey to the destination. The network accesslayer appends its own header, creating a packet, or frame. The packet is transmittedacross the network to router J. The packet header contains the information that thenetwork needs in order to transfer the data across the network.At router J, the packet header is stripped off and the IP header examined. Onthe basis of the destination address information in the IP header, the IP module inthe router directs the datagram out across network 2 to B. To do this, the datagram isagain augmented with a network access header.When the data are received at B, the reverse process occurs. At each layer, thecorresponding header is removed, and the remainder is passed on to the next higherlayer, until the original user data are delivered to the destination process.
17 TCP and UDP Most TCP/IP applications use TCP for transport layer TCP provides a connection (logical association) between two entities to regulate flow check errorsUDP (User Datagram Protocol) does not maintain a connection, and therefore does not guarantee delivery, preserve sequences, or protect against duplicationFor most applications running as part of the TCP/IP architecture, the transport layerprotocol is TCP. TCP provides a reliable connection for the transfer of data betweenapplications. A connection is simply a temporary logical association between twoprocesses in different systems. For the duration of the connection each process keepstrack of segments coming from and going to the other process, in order to regulatethe flow of segments and to recover from lost or damaged segments.
18 TCP and UDP HeadersFigure 8.6a shows the header format for TCP, which is a minimum of20 octets, or 160 bits. The Source Port and Destination Port fields identify theapplications at the source and destination systems that are using this connection.The Sequence Number, Acknowledgment Number, and Window fields provideflow control and error control. The checksum is a 16-bit frame check sequenceused to detect errors in the TCP segment. For the interested reader, Appendix 8Aprovides more detail.In addition to TCP, there is one other transport-level protocol that is in commonuse as part of the TCP/IP suite: the User Datagram Protocol (UDP). UDP doesnot guarantee delivery, preservation of sequence, or protection against duplication.UDP enables a process to send messages to other processes with a minimum ofprotocol mechanism. Some transaction-oriented applications make use of UDP; oneexample is SNMP (Simple Network Management Protocol), the standard networkmanagement protocol for TCP/IP networks. Because it is connectionless, UDP hasvery little to do. Essentially, it adds a port addressing capability to IP. This is bestseen by examining the UDP header, shown in Figure 8.6b.
19 IP HeadersFor decades, the keystone of the TCP/IP architecture has been IP. Figure 8.7a showsthe IP header format, which is a minimum of 20 octets, or 160 bits. The header,together with the segment from the transport layer, forms an IP-level PDUreferred to as an IP datagram or an IP packet. The header includes 32-bit sourceand destination addresses. The Header Checksum field is used to detect errors in theheader to avoid misdelivery. The Protocol field indicates which higher-layer protocolis using IP, such as TCP or UDP. The ID, Flags, and Fragment Offset fields are usedin the fragmentation and reassembly process. For the interested reader, Section 8.4provides more detail.In 1995, the Internet Engineering Task Force (IETF), which develops protocolstandards for the Internet, issued a specification for a next-generation IP,known then as IPng. This specification was turned into a standard in 1996 knownas IPv6. IPv6 provides a number of functional enhancements over the existing IP.It is designed to accommodate the higher speeds of today’s networks and the mixof data streams, including graphic and video, which are becoming more prevalent.But the driving force behind the development of the new protocol was the need formore addresses. The current IP uses a 32-bit address to specify a source or destination.With the explosive growth of the Internet and of private networks attached tothe Internet, this address length became insufficient to accommodate all systemsneeding addresses. As Figure 8.7b shows, IPv6 includes 128-bit source and destinationaddress fields.Ultimately, all installations using TCP/IP are expected to migrate from thecurrent IP to IPv6, but this process will take many years, if not decades.
20 TCP/IP Applications SMTP (Simple Mail Transfer Protocol) Supports a basic electronic mail facility by providing a mechanism for transferring messages among separate hostsFeatures include mailing lists, return receipts, and forwardingFTP (File Transfer Protocol)Sends files from one system to another on user commandBoth text and binary files are accommodatedSSH (Secure Shell)Provides a secure remote login capability which enables a user at a terminal or personal computer to logon to a remote computer and function as if directly connected to that computerA number of applications have been standardized to operate on top of TCP. Wemention a few of the most common here.The Simple Mail Transfer Protocol (SMTP) supports a basic electronic mailfacility, by providing a mechanism for transferring messages among separate hosts.Features of SMTP include mailing lists, return receipts, and forwarding. SMTPdoes not specify the way in which messages are to be created; some local editingor native electronic mail facility is required. Once a message is created, SMTPaccepts the message and makes use of TCP to send it to an SMTP module onanother host. The target SMTP module will make use of a local electronic mailpackage to store the incoming message in a user’s mailbox. SMTP is examined inmore detail in Chapter 10.The File Transfer Protocol (FTP) is used to send files from one system to anotherunder user command. Both text and binary files are accommodated, and theprotocol provides features for controlling user access. When a user wishes to engagein file transfer, FTP sets up a TCP connection to the target system for the exchangeof control messages. This connection allows user ID and password to be transmittedand allows the user to specify the file and file actions desired. Once a file transfer isapproved, a second TCP connection is set up for the data transfer. The file istransferred over the data connection, without the overhead of any headersor control information at the application level. When the transfer is complete, thecontrol connection is used to signal the completion and to accept new file transfercommands.SSH (Secure Shell) provides a secure remote logon capability, which enables auser at a terminal or personal computer to logon to a remote computer and functionas if directly connected to that computer. SSH also supports file transfer betweenthe local host and a remote server. SSH enables the user and the remote server toauthenticate each other; it also encrypts all traffic in both directions. SSH traffic iscarried on a TCP connection.
21 TCP/IP Applications HTTP (HyperText Transfer Protocol) Connects client systems to Web servers on the InternetIts primary function is to establish a connection with the server and send HTML pages back to the user’s browserSNMP (Simple Network Management Protocol)A widely used network monitoring and control protocolHTTP (HyperText Transfer Protocol) connects client systems to Web serverson the Internet or on an internet. Its primary function is to establish a connectionwith the server and send HTML pages back to the user’s browser. It is also usedto download files from the server either to the browser or to any other requestingapplication that uses HTTP.SNMP (Simple Network Management Protocol) is a widely used networkmonitoring and control protocol. Data are passed from SNMP agents, which arehardware and/or software processes reporting activity in each network device(hub, router, bridge, etc.) to the workstation console used to oversee the network.The agents return information contained in an MIB (Management InformationBase), which is a data structure that defines what is obtainable from the deviceand what can be controlled (turned off, on, etc.).
22 Protocols in the TCP/IP Protocol Suite Each layer in the TCP/IP suite interacts with its immediate adjacent layers. Atthe source, the application layer makes use of the services of the transport layerand provides data down to that layer. A similar relationship exists at the interfacebetween the transport and internet layers and at the interface of the internet andnetwork access layers. At the destination, each layer delivers data up to the nexthigher layer.This use of each individual layer is not required by the architecture. AsFigure 8.8 suggests, it is possible to develop protocols that directly invoke the servicesof any one of the layers. Most applications require a reliable transport protocol andthus make use of TCP. Some special-purpose applications do not need the servicesof TCP. Some of these applications, such as SNMP, use another transport protocolknown as the User Datagram Protocol (UDP); others may make use of IP directly.Applications or other protocols that do not involve internetworking and that do notneed TCP have been developed to invoke the network access layer directly.
23 Table 8.1 Internetworking Terms In most cases, a LAN or WAN is not an isolated entity. An organization may havemore than one type of LAN at a given site to satisfy a spectrum of needs. An organizationmay have multiple LANs of the same type at a given site to accommodate performanceor security requirements. And an organization may have LANs at varioussites and need them to be interconnected via WANs for central control of distributedinformation exchange.Table 8.1 lists some commonly used terms relating to the interconnection ofnetworks, or internetworking. An interconnected set of networks, from a user’s point ofview, may appear simply as a larger network. However, if each of the constituent networksretains its identity, and special mechanisms are needed for communicating acrossmultiple networks, then the entire configuration is often referred to as an internet , andeach of the constituent networks as a subnetwork . The most important example of aninternet is referred to simply as the Internet. As the Internet has evolved from its modestbeginnings as a research-oriented packet-switching network, it has served as thebasis for the development of internetworking technology and as the model for privateinternets within organizations. These latter are also referred to as intranets . If anorganization extends access to its intranet, over the Internet, to selected customers andsuppliers, then the resulting configuration is often referred to as an extranet .Each constituent subnetwork in an internet supports communication amongthe devices attached to that subnetwork; these devices are referred to as hosts , orend systems (ESs) . In addition, subnetworks are connected by devices referred toin the ISO documents as intermediate systems (ISs) . ISs provide a communicationspath and perform the necessary relaying and routing functions so that data can beexchanged between devices attached to different subnetworks in the internet.Two types of ISs of particular interest are layer 2 switches and routers . The differencesbetween them have to do with the types of protocols used for the internetworkinglogic. We look at the role and functions of bridges in Chapter 12. The roleand functions of routers were introduced in the context of IP earlier in this chapter.However, because of the importance of routers in the overall networking scheme, itis worth providing additional comment in this section.Another type of IS is the gateway , which connects two or more subnetworksor internets that differ in some way. When two networks differ in the protocol bywhich they offer service to hosts, a gateway may translate one protocol into theother or otherwise facilitate interoperation of hosts. An example of an application levelgateway is one that translates between two different mail transfer protocols.(This table is located on page 222 in the text)
24 Routers Equipment used to interconnect independent networks Essential functions:Provide a link between networksProvide for the routing and delivery of data between end systems attached to different networksProvide these functions without requiring modifications of the networking architecture of any of the attached networksInternetworking is achieved by using intermediate systems, or routers, to interconnecta number of independent networks. Essential functions that the router mustperform include the following:1. Provide a link between networks.2. Provide for the routing and delivery of data between end systems attached todifferent networks.3. Provide these functions in such a way as to not require modifications of thenetworking architecture of any of the attached networks.
25 Router IssuesThe router must accommodate a number of differences among networks:Addressing schemesNetworks may use different schemes for assigning addresses to devicesMaximum packet sizePackets from one network may have to be broken into smaller pieces to be transmitted on another network (fragmentation)InterfacesThe hardware and software interfaces to various networks differReliabilityOperations should not depend on an assumption of network reliabilityPoint 3 means that the router must accommodate a number of differencesamong networks, such as the following:• Addressing schemes: The networks may use different schemes for assigning addressesto devices. For example, an IEEE 802 LAN uses 48-bit binary addressesfor each attached device; an ATM network typically uses 15-digit decimaladdresses (encoded as 4 bits per digit for a 60-bit address). Some form of globalnetwork addressing must be provided, as well as a directory service.• Maximum packet sizes: Packets from one network may have to be brokeninto smaller pieces to be transmitted on another network, a process knownas fragmentation . For example, Ethernet imposes a maximum packet size of1500 bytes; a maximum packet size of 1600 bytes is common on frame relaynetworks. A packet that is transmitted on a frame relay network and picked upby a router for forwarding on an Ethernet LAN may have to be fragmentedinto two smaller ones.• Interfaces: The hardware and software interfaces to various networks differ.The concept of a router must be independent of these differences.• Reliability: Various network services may provide anything from a reliableend-to-end virtual circuit to an unreliable service. The operation of the routersshould not depend on an assumption of network reliability.The preceding requirements are best satisfied by an internetworking protocol,such as IP, that is implemented in all end systems and routers.
26 Internetworking Example Figure 8.9 depicts a configuration that we will use to illustrate the interactionsamong protocols for internetworking. In this case, we focus on a server attachedto a frame relay WAN and a workstation attached to an IEEE 802 LAN such asEthernet, with a router connecting the two networks. The router provides a linkbetween the server and the workstation that enables these end systems to ignorethe details of the intervening networks. For the frame relay network, what we havereferred to as the network access layer consists of a single frame relay protocol. Inthe case of the IEEE 802 LAN, the network access layer consists of two sublayers:the logical link control (LLC) layer and the media access control (MAC) layer. Forpurposes of this discussion, we need not describe these layers in any detail, but theyare explored in subsequent chapters.
27 Operation of TCP/IP: Action at Sender Figures 8.10 through 8.12 outline typical steps in the transfer of a block of data,such as a file or a Web page, from the server, through an internet, and ultimately toan application in the workstation. In this example, the message passes through justone router. Before data can be transmitted, the application and transport layers inthe server establish, with the corresponding layers in the workstation, the applicableground rules for a communication session. These include character code to be used,error-checking method, and the like. The protocol at each layer is used for this purposeand then is used in the transmission of the message.(Figure is on page 225 in text)
28 Operation of TCP/IP: Action at Router (Figure is on page 226 in text)
29 Operation of TCP/IP: Action at Receiver (Figure is on page 227 in text)
30 Virtual Private Network (VPN) Consists of a set of computers that interconnect by means of a relatively unsecure networkMakes use of encryption and special protocols to provide securityIn today’s distributed computing environment, the virtual private network (VPN)offers an attractive solution to network managers. In essence, a VPN consists of a setof computers that interconnect by means of a relatively unsecure network and thatmake use of encryption and special protocols to provide security. At each corporatesite, workstations, servers, and databases are linked by one or more LANs. The LANsare under the control of the network manager and can be configured and tuned forcost-effective performance. The Internet or some other public network can be usedto interconnect sites, providing a cost savings over the use of a private network andoffloading the WAN management task to the public network provider. That samepublic network provides an access path for telecommuters and other mobile employeesto log on to corporate systems from remote sites.But the manager faces a fundamental requirement: security. Use of a publicnetwork exposes corporate traffic to eavesdropping and provides an entry pointfor unauthorized users. To counter this problem, the manager may choose from avariety of encryption and authentication packages and products. Proprietary solutionsraise a number of problems. First, how secure is the solution? If proprietaryencryption or authentication schemes are used, there may be little reassurance inthe technical literature as to the level of security provided. Second is the question ofcompatibility. No manager wants to be limited in the choice of workstations, servers,routers, firewalls, and so on by a need for compatibility with the security facility. Thisis the motivation for the IP security (IPsec) set of Internet standards.
31 IP Security (IPsec)Provides the capability to secure communications across a LAN, across private and public WANs, and across the InternetExamples of its use include:Secure branch office connectivity over the InternetSecure remote access over the InternetEstablishing extranet and intranet connectivity with partnersEnhancing electronic commerce securityPrincipal feature is that it can encrypt and/or authenticate all traffic at the IP levelThus, all distributed applications, including remote logon, client/server, , file transfer, and Web access can be securedIPsec provides the capability to secure communications across a LAN, across privateand public WANs, and across the Internet. Examples of its use include the following:• Secure branch office connectivity over the Internet: A company can build asecure VPN over the Internet or over a public WAN. This enables a businessto rely heavily on the Internet and reduce its need for private networks, savingcosts and network management overhead.• Secure remote access over the Internet: An end user whose system is equippedwith IPsec protocols can make a local call to an Internet service provider (ISP)and gain secure access to a company network. This reduces the cost of tollcharges for traveling employees and telecommuters.• Establishing extranet and intranet connectivity with partners: IPsec can beused to secure communication with other organizations, ensuring authenticationand confidentiality and providing a key exchange mechanism.• Enhancing electronic commerce security: Even though some Web and electroniccommerce applications have built-in security protocols, the use of IPsecenhances that security. IPsec guarantees that all traffic designated by the networkadministrator is both encrypted and authenticated, adding an additionallayer of security to whatever is provided at the application layer.The principal feature of IPsec that enables it to support these varied applicationsis that it can encrypt and/or authenticate all traffic at the IP level. Thus, alldistributed applications, including remote logon, client/server, , file transfer,Web access, and so on, can be secured.
32 An IP Security Scenario Figure 8.13 is a typical scenario of IPsec usage. An organization maintainsLANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. Fortraffic off-site, through some sort of private or public WAN, IPsec protocols are used.These protocols operate in networking devices, such as a router or firewall, that connecteach LAN to the outside world. The IPsec networking device will typicallyencrypt and compress all traffic going into the WAN, and decrypt and decompresstraffic coming from the WAN; these operations are transparent to workstations andservers on the LAN. Secure transmission is also possible with individual users whodial into the WAN. Such user workstations must implement the IPsec protocols toprovide security.
33 Benefits of IPsec Some of the benefits of IPsec are as follows: Provides stronger security to routers and firewallsIs resistant to bypass within a firewallIs transparent to applicationsIs transparent to end usersCan provide security for individual users if neededSome of the benefits of IPsec are as follows:• When IPsec is implemented in a firewall or router, it provides strong securitythat can be applied to all traffic crossing the perimeter. Traffic within a companyor workgroup does not incur the overhead of security-related processing.• IPsec in a firewall is resistant to bypass if all traffic from the outside must useIP and the firewall is the only means of entrance from the Internet into theorganization.• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications.There is no need to change software on a user or server system whenIPsec is implemented in the firewall or router. Even if IPsec is implemented inend systems, upper-layer software, including applications, is not affected.• IPsec can be transparent to end users. There is no need to train users on securitymechanisms, issue keying material on a per-user basis, or revoke keyingmaterial when users leave the organization.• IPsec can provide security for individual users if needed. This is useful foroff-site workers and for setting up a secure virtual subnetwork within anorganization for sensitive applications.
34 IPsec Functions IPsec provides three main facilities: An authentication-only function referred to as Authentication Header (AH)A combined authentication/encryption function called Encapsulating Security Payload (ESP)A key exchange functionIPsec provides three main facilities: an authentication-only function referred toas Authentication Header (AH), a combined authentication/encryption functioncalled Encapsulating Security Payload (ESP), and a key exchange function. ForVPNs, both authentication and encryption are generally desired, because it is importantboth to (1) assure that unauthorized users do not penetrate the VPN and(2) assure that eavesdroppers on the Internet cannot read messages sent over theVPN. Because both features are generally desirable, most implementations arelikely to use ESP rather than AH. The key exchange function allows for manualexchange of keys as well as an automated scheme.
35 Summary Chapter 8: TCP/IP Internetworking RoutersThe TCP/IP architectureTCP/IP layersOperation of TCP/IPTCP and UDPIP and IPv6TCP/IP applicationsProtocol interfacesA simple protocol architectureThe need for a protocol architectureThree-layer modelStandardized protocol architecturesVirtual private networks and IP securityIPsecApplications of IPsecBenefits of IPsecIPsec functionsChapter 8 summary.Chapter 8: TCP/IP