Dr. Andy Wu BCIS 4630 Fundamentals of IT Security NETWORKING (3)


What About Layer 4 “Addresses”?
Layer 3 (IP) only takes care of host-to-host communication. It doesn’t care which process (program) will use which packet it delivers.
–Its job is done when a packet reaches its destination IP address.
Layer 4 (Transport) is responsible for process-to-process communication.
–After getting rid of the Layer 3 header, the remainder of the packet (datagram) is passed up to Layer 4.
–Layer 4 on the destination computer thus reads the information transmitted from Layer 4 on the origin.

Layer 4 Communication
There are two types of communication at Layer 4:
–TCP is like registered mail, which guarantees delivery to the intended recipient (process).
–UDP is like first-class mail and is best-effort delivery. There is no guarantee of delivery to the intended recipient (process).
Processes decide which service to use based on the task at hand, just as we choose between registered and first-class mail depending on the importance of the mail involved.
–For example, DNS uses UDP for DNS name queries but TCP for zone transfers (synchronization of information in the DNS database).

Ports
In current computing environments, network communications usually use the client/server architecture. The client is the requester of information; the server serves information to the client. For example, when you visit a website, your computer is the client and the web server is the server. The client initiates the communication.
For the packets to go to the correct process on the server for the type of information requested (e.g., going to the web server for HTML files), each process on the server must be easily located. This locator is called a “port”.
Ports are numbered, just like piers or docks are numbered along a waterfront, e.g., on Fisherman’s Wharf, San Francisco:
–To watch seals, go to Pier 39.
–To take ferries, go to Pier 41.


Ephemeral Ports
Servers, however, don’t have pre-knowledge of which port the client will use for communication. Such pre-knowledge is practically impossible because the number of potential clients is limitless.
Therefore, when initiating communication, the client picks a port (an ephemeral port) through which it wants to receive information from the server.
The client uses the very first packet in the communication to notify the server of the client-side port number to use for this session.
–The process that requests the information (e.g., the web browser) then awaits it behind that particular port.
When the server returns a packet, it knows which port to send it to on the client.
The client-side port is “ephemeral” because it doesn’t have to be tied to the process after the communication is over.

Reserved Ports
To avoid chaos, port numbers on the server must be reserved for common processes, and this is made public information.
Most port numbers on servers are between 0 and 1023 and are called well-known port numbers.
However, application developers may take advantage of ports that are 1024 or higher. As long as there is general consensus regarding which application commonly uses which port, these registered ports can be used to establish communication with the server for the related process without knowing in advance which port that process is listening on.
–For example, MySQL uses Port 3306 by default.
The important corollary: by looking at the open ports on a server, we can deduce what processes are running on that server.

IANA Port Ranges
The Internet Assigned Numbers Authority (IANA), the same organization that assigns IP addresses, manages port numbers.

Port Type          Port Numbers      Description
Well-Known Ports   0 – 1,023         Assigned and controlled by IANA. Reserved for the most universal applications.
Registered Ports   1,024 – 49,151    Not assigned or controlled by IANA. Can only be registered with IANA to avoid duplication.
Dynamic Ports      49,152 – 65,535   Neither registered nor controlled. Often used by a private protocol that only a particular organization uses.
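The two slides above make a practical point: the ports a host is listening on reveal what it is running, and the IANA range tells you whether the number is one you would expect. The script below is an added example, not part of the lecture; it parses socket rows in the column layout of Linux /proc/net/tcp (the rows, the uid values and the small port-to-service map are constructed for the example) and classifies every LISTEN socket by the IANA ranges in the table.

```python
# Added example (not from the lecture slides): list the TCP ports a host is
# listening on by parsing Linux /proc/net/tcp-style lines, then classify each
# port by the IANA ranges above and name the service a defender would expect.
# The sample rows and the port-to-service map are constructed for this example.
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# Constructed sample in the column layout of /proc/net/tcp. Addresses are
# little-endian hex IPv4 and hex port; st 0A is LISTEN and 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:C4E2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

# Small constructed lookup; IANA keeps the authoritative list.
SERVICE_BY_PORT = {22: "ssh", 53: "domain", 80: "http", 443: "https",
                   3306: "mysql", 8080: "http-alt"}
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


@dataclass
class SocketEntry:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int


def classify_port(port: int) -> str:
    """IANA range of a port number, as in the table above."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints the IPv4
    address as a host-order (little-endian) 32-bit integer, so we repack it."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[SocketEntry]:
    """Parse every socket row; the first line is the column header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or malformed row
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        state = TCP_STATES.get(fields[3], "OTHER(" + fields[3] + ")")
        entries.append(SocketEntry(local_ip, local_port, remote_ip,
                                   remote_port, state, int(fields[7])))
    return entries


def listening_inventory(text: str) -> list[tuple[int, str, str, int]]:
    """(port, IANA range, expected service or 'unknown', owning uid) for each
    LISTEN socket: the 'open ports tell you what is running' corollary above."""
    return [(e.local_port, classify_port(e.local_port),
             SERVICE_BY_PORT.get(e.local_port, "unknown"), e.uid)
            for e in parse_proc_net_tcp(text) if e.state == "LISTEN"]


if __name__ == "__main__":
    for row in listening_inventory(SAMPLE_PROC_NET_TCP):
        print(row)
```

On a real Linux host the same parser runs over the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6, which this example does not decode); a listener on a dynamic-range port with no expected service name is the kind of row worth explaining.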

Important Port Numbers

TCP vs. UDP
UDP is a “connectionless” protocol.
–Very few error recovery services – this is done by applications.
–Unreliable protocol – no guarantee of delivery.
–For network services not affected by occasional lost or dropped packets.
TCP is a connection-oriented protocol.
–Data delivery is guaranteed.
–Does this with flow control and error correction.

TCP Flow Control
Both hosts have a sliding window (they can be of different sizes).
–It defines the number of bytes (actually, “chunks” of data, or segments) that the host can send without waiting for an acknowledgment from the other host.
When the window slides to a portion of the buffer, that portion is “freed up” for transmission.
When an acknowledgment is received, the window “slides” over and the next batch of bytes gets to be sent.

TCP Error Correction
TCP is reliable because if the recipient receives a segment from the sender successfully, it will let the sender know.
–Oddly, it does this not by saying “I got it” but rather, “Give me the next piece.”
–This mechanism is called forward acknowledgment.
If the recipient doesn’t receive a segment, it will also let the sender know, using the same acknowledgment mechanism.
–In this case, instead of asking for the next piece, it asks for a piece that the sender has sent previously.
–The sender interprets this as an indication that the previously sent segment was lost somehow in transmission.
–The sender then resends the segment.
–This will be done again until the recipient gets the segment.
Obviously, to do this, each segment must have some sort of “ID”. This ID is called the sequence number, or SEQ.

TCP Sequence Numbers
A sequence number is just a very long number and is quasi-randomly generated.
For either side of the connection, two types of SEQ numbers are involved:
–An initial SEQ (used in connection establishment)
–SEQs assigned to the data transmitted
During connection establishment (handshake), each host (client and server) must let the other one know where its SEQs will start.
–Usually, the two hosts will have very different SEQs.

Initial Sequence Numbers
In the very first segment, the client (info requester) tells the server (info provider): this is my first SEQ number. This is the Initial Sequence Number (ISN).
The server’s answer, following the mechanism of forward acknowledgment, is to ask for the segment with the “ID” of ISN_client + 1.
The next segment going from the client to the server thus has the SEQ of ISN_client + 1.
At the same time the server acknowledges the receipt of the first segment from the client, it also tells the client ISN_server.
The client acknowledges this by asking for the segment identified by ISN_server + 1.
The next segment going from the client to the server thus has the SEQ of ISN_server

Subsequent Sequence Numbers
During the handshake stage, the SEQ number of the second segment from a host is one more than its previous SEQ (i.e., its ISN).
The numbering of subsequent segments (i.e., the SEQs of data segments) is done differently. They are based on byte numbers.

Byte Numbers
Most, if not all, data have to be transmitted over a number of chunks (segments).
TCP doesn’t read the data taken from the application layer, so it doesn’t divide data into segments based on units used in the application layer (a page of a document, a row in a database, etc.).
TCP simply lines up the bytes comprising the data, sequentially, from the first to the last byte. The bytes are numbered sequentially.
Each segment has an “ID”, which simply is the sequence number of the first byte in the segment.

SEQ Numbers of Data Segments
Since each byte is numbered and each segment (composed of a predetermined number of bytes) is identified by the sequence number of the first byte in the segment, we have:
SEQ_n = SEQ_(n-1) + Segment Size_(n-1)
Therefore, if the byte number of the first byte of the 9th segment is 5000, and the size of the 9th segment is 600 bytes, then the SEQ number of the 10th segment is:
SEQ_10 = SEQ_9 + Segment Size_9 = 5000 + 600 = 5600
Using SEQ numbers, segments can arrive in any order and at different times.
–The receiving host will use the SEQs to line up the segments in the right order. In other words, the stream of bytes that comprise the data will be restored at the destination host.


Error Correction Expressed in SEQs
The receiver doesn’t send out an ACK for each segment it receives. Forward acknowledgement is cumulative.
If the sender sends chunks #202, #402, and #602, and it receives the ACK of 802, it knows that all three segments have arrived safe and sound.
If it receives an ACK of 602, it knows that it should resend chunk #
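The slides on flow control, initial sequence numbers, byte-numbered segments and cumulative acknowledgment describe one piece of bookkeeping from several angles. The following is an added example, not code from the lecture: a small Python model of the sender and receiver sides that computes handshake SEQ/ACK values, derives each data segment's SEQ from byte numbers (SEQ_n = SEQ_(n-1) + Segment Size_(n-1)), enforces a fixed window, and applies the cumulative-ACK rule of the last slide. The ISNs, window size and payload are constructed; the retransmission rule is the simplified one the slides describe, not full TCP.

```python
# Added example (not from the lecture slides): sender-side bookkeeping for the
# ideas above: handshake ISN arithmetic, SEQ of each data segment from byte
# numbers, a fixed sliding window, cumulative forward acknowledgment, and
# receiver-side reassembly of out-of-order segments. ISNs, window size and
# payload are constructed; this is the slides' simplified model, not full TCP.
from __future__ import annotations

MOD = 2 ** 32  # SEQ and ACK are 32-bit fields, so the arithmetic wraps


def next_seq(seq_prev: int, size_prev: int) -> int:
    """SEQ_n = SEQ_(n-1) + SegmentSize_(n-1), modulo 2^32."""
    return (seq_prev + size_prev) % MOD


def handshake(isn_client: int, isn_server: int) -> list[tuple[str, int, int]]:
    """The three handshake segments as (flags, seq, ack) tuples."""
    syn = ("SYN", isn_client, 0)
    syn_ack = ("SYN-ACK", isn_server, (isn_client + 1) % MOD)  # asks for ISN_client + 1
    ack = ("ACK", (isn_client + 1) % MOD, (isn_server + 1) % MOD)
    return [syn, syn_ack, ack]


def segment(data: bytes, first_seq: int, mss: int) -> list[tuple[int, bytes]]:
    """Split a byte stream into (seq, payload) segments; each SEQ is the
    number of the segment's first byte."""
    segs, seq = [], first_seq
    for i in range(0, len(data), mss):
        chunk = data[i:i + mss]
        segs.append((seq, chunk))
        seq = next_seq(seq, len(chunk))
    return segs


class Sender:
    """Holds segments not yet sent and segments in flight (sent, unacknowledged)."""

    def __init__(self, segments: list[tuple[int, bytes]], window: int):
        self.pending = list(segments)
        self.in_flight: list[tuple[int, bytes]] = []
        self.window = window  # bytes allowed in flight without an ACK

    def bytes_in_flight(self) -> int:
        return sum(len(p) for _, p in self.in_flight)

    def send_allowed(self) -> list[int]:
        """Send while the next segment still fits in the window; return SEQs sent."""
        sent = []
        while self.pending and self.bytes_in_flight() + len(self.pending[0][1]) <= self.window:
            seg = self.pending.pop(0)
            self.in_flight.append(seg)
            sent.append(seg[0])
        return sent

    def on_ack(self, ack: int):
        """Cumulative ACK: every in-flight byte below `ack` is confirmed and
        leaves the window (wraparound not handled here). If the receiver is
        asking for a segment already sent, that is the lost one: return its SEQ
        to retransmit, else None."""
        self.in_flight = [(s, p) for s, p in self.in_flight if s + len(p) > ack]
        for s, _ in self.in_flight:
            if s == ack:
                return s
        return None


def reassemble(received: list[tuple[int, bytes]], first_seq: int) -> tuple[bytes, int]:
    """Receiver side: order segments by SEQ and rebuild the byte stream up to the
    first gap. Returns (stream, next expected SEQ); the second value is exactly
    the ACK number the receiver sends, for a complete or an incomplete stream."""
    stream, expected = bytearray(), first_seq
    for seq, payload in sorted(received, key=lambda s: s[0]):
        if seq != expected:
            break  # a segment is missing; the ACK asks for it
        stream += payload
        expected = next_seq(expected, len(payload))
    return bytes(stream), expected


if __name__ == "__main__":
    print(handshake(1000, 5000))
    segs = segment(b"A" * 1000, 202, 200)   # SEQs 202, 402, 602, 802, 1002
    sender = Sender(segs, window=600)
    print("sent:", sender.send_allowed())
    print("after ACK 802, resend:", sender.on_ack(802))
    print("receiver with 402 missing asks for:", reassemble([segs[0], segs[2]], 202)[1])
```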

TCP Segment Format

TCP Segment Format
Source Port (16 bits)
Destination Port (16 bits)
Sequence Number (32 bits)
Acknowledgement Number (32 bits)
Control (6 bits)
–URG: The value of the urgent pointer field is valid
–ACK: The value of the acknowledgement field is valid
–PSH: Request for push
–RST: Reset the connection
–SYN: Synchronize sequence numbers
–FIN: Terminating the connection
Window (16 bits)
–For flow control

Important TCP Header Fields
Source Port (16 bits)
Destination Port (16 bits)
Sequence Number (32 bits)
Acknowledgement Number (32 bits)
Control Bits (aka flags; 1 bit each; 1 means on; 0 means off)
–URG: The value of the urgent pointer field is valid
–ACK: The value of the acknowledgement field is valid
–PSH: Request for push
–RST: Reset the connection
–SYN: Synchronize sequence numbers
–FIN: Terminating the connection
Window (16 bits)
–For flow control

TCP Three-Way Handshake
Source: Wendell Odom, Cisco CCNA Certification Guide.

UDP Datagram Format

Internet Protocol
IP is unreliable. It works on a best-effort basis.
–It relegates the work of error detection to higher layers (TCP, application, etc.).
When a packet is too large to deliver (which often is the case), IP divides it into smaller packets (fragmentation).
Packets can arrive out of sequence. IP relies on information contained in the IP header to reassemble them into the original-size packet and pass it to the Transport layer.

Layer 3: IP Packet

IP Header Fields

Important IP Header Fields
Version (4 bits)
–The version of the IP protocol.
IHL (4 bits)
–The total length of the datagram header. It is needed because the header can vary from 20 to 60 bytes.
Total Length (16 bits)
–Header length + length of the data coming from upper layers.
–Total length has a maximum of 65,535 bytes.
Protocol (8 bits)
–The higher-layer protocol that uses IP’s services.
–Know the values for TCP, UDP, ICMP, IGMP.
Source Address (32 bits)
Destination Address (32 bits)

Important IP Header Fields
Fragmentation (13 bits)
–Each Data Link Layer protocol has its own frame format, including the maximum size of the data field (Maximum Transfer Unit, MTU).
–An IP datagram may have to be broken down into smaller units to fit into the Layer 2 frame.
When a datagram is fragmented, each fragment has its own header, with most of the fields identical except: flags, fragmentation offset, and total length.
–The fragmentation offset is the offset of the data in the original datagram; it indicates the relative position of this fragment in the entire packet.
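The TCP header slides and the two IP header slides list the fields by size and position; seeing them packed and unpacked makes the bit layout concrete. The script below is an added example, not from the lecture or any capture: it builds a constructed IPv4+TCP packet with Python's struct module and parses the fields back (version, IHL, total length, protocol, DF/MF flags and fragment offset; ports, SEQ/ACK, the six control bits, window). Addresses, ports and ISNs are constructed, and the checksum fields are left at zero because the slides do not cover them. The parser also rejects header lengths the IHL or total-length fields cannot describe, which is the first check a packet decoder should make.

```python
# Added example (not from the lecture slides): build a constructed IPv4+TCP
# packet with struct and parse back the header fields discussed above.
# Addresses, ports and ISNs are constructed; no real capture is used and the
# checksum fields stay zero because the slides do not cover them.
from __future__ import annotations

import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_HDR = "!HHIIHHHH"        # 20-byte TCP header without options
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# Control bits live in the low six bits of the offset/flags word, FIN in bit 0.
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ident: int = 0x1234,
               df: bool = True, mf: bool = False, frag_offset: int = 0) -> bytes:
    """Fixed 20-byte IPv4 header (IHL = 5 words) in front of payload."""
    ihl_words = 5
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack(IPV4_HDR, (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload),
                         ident, flags_frag, 64, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int,
              window: int, payload: bytes = b"") -> bytes:
    """Fixed 20-byte TCP header (data offset = 5 words) in front of payload."""
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; reject lengths the header fields cannot describe."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, protocol,
     _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words: 20..60 bytes
    if (ver_ihl >> 4) != 4 or not 20 <= ihl_bytes <= 60 or total_len < ihl_bytes:
        raise ValueError("malformed IPv4 header")
    if total_len > len(packet):
        raise ValueError("total length exceeds packet")
    return {
        "version": ver_ihl >> 4, "ihl_bytes": ihl_bytes, "total_length": total_len,
        "identification": ident, "df": bool((flags_frag >> 14) & 1),
        "mf": bool((flags_frag >> 13) & 1), "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(protocol, str(protocol)),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "payload": packet[ihl_bytes:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header and list the control bits that are on."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, offset_flags, window,
     _csum, urg_ptr) = struct.unpack(TCP_HDR, segment[:20])
    data_offset = (offset_flags >> 12) * 4
    if not 20 <= data_offset <= 60 or data_offset > len(segment):
        raise ValueError("malformed TCP header")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAG_BITS if offset_flags & bit],
        "window": window, "urgent_pointer": urg_ptr,
        "payload": segment[data_offset:],
    }


def decode(packet: bytes) -> dict:
    """IPv4 first, then TCP; only an unfragmented first piece carries a TCP header."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == "TCP" and ip["fragment_offset"] == 0:
        ip["tcp"] = parse_tcp(ip["payload"])
    return ip


if __name__ == "__main__":
    syn = build_ipv4("10.0.2.15", "203.0.113.5", 6,
                     build_tcp(50402, 443, 1000, 0, 0x02, 65535))
    print({k: v for k, v in decode(syn).items() if k != "payload"})
```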