NETWORKING Dr. Andy Wu BCIS 4630 Fundamentals of IT Security

Page 1

NETWORKING

Dr. Andy Wu

BCIS 4630 Fundamentals of IT Security

Page 2

Overview
• OSI Model
• Addressing
  – DNS, IP, MAC address
  – Address resolution
• Layer 4 communication
  – Port numbers
  – TCP flow control and error correction
• Headers
  – TCP, UDP, IP
• ICMP

Page 3

OSI Model
• Network communications protocols are developed using the Open Systems Interconnection (OSI) model.
• An ISO standard for worldwide communications.
• The OSI model defines a framework for implementing protocols in seven distinct layers.
• Each layer makes use of the services of the layer below it to provide a set of specific services to the layer above it.
• Adjacent layers communicate with each other through a well-defined interface, so that in principle we could change one layer, or even completely rewrite it, without affecting the others.

Page 4

OSI Layers
Layer / Function / Examples
Application:  User interface; program-level communication.  Examples: HTTP, SMTP
Presentation:  Presentation format of data; data conversion if needed.  Examples: ASCII, JPEG, MP3, Encryption
Session:  Establish and maintain communication channels.  Examples: OS, application access scheduling
Transport:  Reliable or unreliable end-to-end communication; identifies the upper-layer processes that will receive data.  Examples: TCP, UDP, SPX
Network:  Logical addressing and routing; delivering packets from source to destination.  Examples: IP, IPX
Data Link:  Transforming the physical layer into a reliable link and presenting it to upper layers; includes the MAC (802.3) and LLC (802.2) sublayers.  Examples: Ethernet
Physical:  Transmission of the bit stream over the physical medium; signaling.  Examples: EIA/TIA 568B

Page 5

OSI Mnemonic
Away     Application
Pizza    Presentation
Sausage  Session
Throw    Transport
Not      Network
Do       Data Link
Please   Physical

Page 6

Encapsulation

• When data is passed down from higher layers to lower ones, each layer creates its header and places the data given to it by the next-higher layer behind its own header, thereby encapsulating the higher layer’s data.

• The Data Link layer also creates a trailer.

Page 7

Encapsulation – Layer 4

Page 8

Encapsulation – Layer 3

Page 9

Encapsulation – Layer 2

Page 10

Network Communication

Page 11

Decomposition – Layer 2

Page 12

Decomposition – Layer 3

Page 13

Decomposition – Layer 4

Page 14

Protocol Data Unit
• A term that describes a set of bytes that includes the layer’s header and trailer (if any) and all data encapsulated.
• From Layer X’s perspective, the higher-layer headers and the user data form one large data field.

Layer(s)                             PDU
Application, Presentation, Session   Data
Transport                            TCP Segment / UDP Datagram
Network                              IP Packet
Data Link                            Frame
Physical                             Bit

Page 15

Address Translation

Page 16

Types of Addresses
• Communications between network computers (hosts) would be impossible without unique addresses for each host.
• Computers on a local network use MAC addresses to communicate with each other.
• To access hosts on remote networks, such as those on the Internet, a computer needs to know their IP addresses.
  – Routers will route the packets to the destination network by looking up those IP addresses in the routers’ routing tables.
• IP addresses are difficult for humans to memorize, so DNS names (e.g., www.unt.edu) are used by humans.

Page 17

Address Resolution
• Therefore, two types of address translation (resolution) are essential to network communications.
  – DNS name to IP address resolution
    • When a person uses a human-readable address like www.unt.edu, that address must be resolved into an IP address.
  – IP to MAC address resolution
    • Scenario 1: If that IP address is local, the resolution of the IP address into a MAC address takes place right away.
    • Scenario 2: If that IP address is remote, the packet is routed to the remote network first. Then, once the packet gets to the remote network, the IP address is resolved into a MAC address on that network.
    • In both scenarios, the host owning that MAC address will take care of the packet.

Page 18

DNS-IP Resolution
• The Domain Name System (DNS) translates user-friendly names (called Fully Qualified Domain Names, or FQDNs) into IP addresses.
  – For example, www.unt.edu = 129.120.188.44
• The DNS server handles DNS queries by examining its local records to see if it knows the answer.
• If it does not, the DNS server queries higher-level domain servers. They check their records or query the server above them, and so on, until a match is found.
• A domain’s DNS servers maintain a database that records all DNS name-IP mappings inside the domain, including those for web servers, directory servers, email servers, hosts, etc.

Page 19

Layer 3: IP Addresses
• It is common to express the 32-bit IP addresses in a decimal form (dotted decimal notation).
  – The address is divided from the high-order bit to the low-order bit into four 8-bit units called octets.
  – IP addresses are normally written as four separate decimal octets delimited by a period (a dot).
  – Each octet has eight bits and each bit has two possible values: 0 and 1.
  – Thus, in decimal terms, an octet can have 2^8 = 256 possible values, ranging from 0 to 255.

Page 20

Layer 3: IP Addresses
• An IP address is broken down into two portions: Network ID and Host ID.
  – Without subnetting, the end of the network ID falls on an 8-bit boundary (e.g., the 16th bit in a Class B subnet).
  – The network ID, or network address, identifies the nodes that are located on the same logical network.
  – The host ID, or host address, identifies a node within a network.
• An address with a host ID of all zeros is not assigned to any host. It is reserved to define the network itself (network address, e.g., “the 132.170.0.0 network”).
• If the host ID is all 1s, the address is a broadcast address (e.g., 132.170.255.255). It is used to send a packet to all hosts on a specific network. It can only be a destination address; no host can be assigned this address.

Page 21

IP Addresses
Source: Davies and Lee, Windows Server 2003 TCP/IP Protocols and Services.
Figure: address layout for Class A, Class B and Class C (image not reproduced).

Page 22

CIDR Notation
• A shorthand for subnet masks (n.n.n.n stands for an IP address). The number after the slash indicates the number of bits that are set to 1 in the mask.
  – n.n.n.n/8 for the class A default mask, equivalent to 255.0.0.0
  – n.n.n.n/16 for the class B default mask, equivalent to 255.255.0.0
  – n.n.n.n/24 for the class C default mask, equivalent to 255.255.255.0

Page 23

Private Addresses
• An organization can use any IP addresses for its network, as long as it is not connected to the Internet.
• If it wants to use the addresses on the Internet, however, it has to apply for them from the Internet Corporation for Assigned Names and Numbers (ICANN).
• Three blocks of addresses are reserved for private networks.
  – Class A: 10.0.0.0 – 10.255.255.255
  – Class B: 172.16.0.0 – 172.31.255.255
  – Class C: 192.168.0.0 – 192.168.255.255
• Private addresses are not routable on the Internet.
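The address arithmetic of pages 19 through 23 (octets, classful and CIDR masks, network ID, host ID, broadcast and private ranges), as an added Python example that is not part of the slides; it does the bit operations by hand rather than with a library so each step matches the slides.

```python
# Added example, not from the slides: the dotted-decimal, CIDR, network/host ID,
# broadcast and private-range rules of slides 19-23, done with the bit
# arithmetic the slides describe instead of a library.

def parse_ipv4(text):
    """'a.b.c.d' -> 32-bit integer, high-order octet first; each octet must be 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % text)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | octet
    return value

def to_dotted(value):
    """Inverse of parse_ipv4."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/n means n leading 1 bits in the 32-bit mask, so /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def classful_prefix(value):
    """Default mask length from the first octet: class A /8, B /16, C /24."""
    first = value >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("not a class A, B or C address")

# Slide 23's private blocks; 172.16.0.0-172.31.255.255 is a /12 in CIDR terms.
PRIVATE_BLOCKS = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]

def is_private(text):
    value = parse_ipv4(text)
    return any(value & prefix_to_mask(p) == parse_ipv4(net) for net, p in PRIVATE_BLOCKS)

def describe(text, prefix=None):
    """Split an address into network ID, host ID and broadcast address.
    Without an explicit prefix the classful default mask is used (slide 20)."""
    value = parse_ipv4(text)
    if prefix is None:
        prefix = classful_prefix(value)
    mask = prefix_to_mask(prefix)
    host_bits = ~mask & 0xFFFFFFFF
    network = value & mask              # host ID all zeros: "the 132.170.0.0 network"
    broadcast = network | host_bits     # host ID all ones: 132.170.255.255
    return {
        "cidr": "%s/%d" % (to_dotted(network), prefix),
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "host_id": value & host_bits,
        "broadcast": to_dotted(broadcast),
        "is_network_addr": value == network,
        "is_broadcast": value == broadcast,
        "private": is_private(text),
    }

if __name__ == "__main__":
    for addr in ("132.170.10.5", "192.168.1.255", "10.20.30.40"):
        print(addr, describe(addr))
```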

Page 24

Layer 2: MAC Addresses
• A MAC address is a unique, 48-bit hardware address assigned to a device by the manufacturer.
  – Each manufacturer is assigned a specific block of MAC addresses (the first 24 bits).
  – The manufacturer assigns the device a unique address (the second 24 bits).
  – No two devices can share the same MAC address.
  – For one system to send data to another on the local network, it must first find out the destination system’s MAC address.

Page 25

IP-MAC Address Resolution
• To find a MAC address, the Address Resolution Protocol (ARP) is used.
• Using an ARP request, the sending system will broadcast a query: “Who is 129.120.188.44?”
• This broadcast query is examined by every host on the local network, but only the system whose IP address is 129.120.188.44 will respond.

Page 26

IP-MAC Address Resolution
• That system will send back a response that says “I’m 129.120.188.44 and my MAC address is 00:07:e9:7c:c8:aa.”
• The sending system will then format the packet for delivery and drop it on the network media, with the MAC address of the destination host.
• If a host cannot find the destination host in this way, the packet is forwarded to the default gateway, which is the computer/router that knows how to route those packets.
• What happens if the receiving “host” is 129.120.255.255?
  – The broadcast MAC address is all Fs.
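The two resolution scenarios of pages 17, 25 and 26 (local destination, remote destination via the default gateway, and the all-Fs broadcast case) as an added Python simulation; it is not code from the slides, and the LAN, the gateway address and its MAC are constructed sample values.

```python
# Added example, not from the slides: the two resolution scenarios of slides 17,
# 25 and 26 simulated in Python. The LAN, hosts and MAC addresses below are
# constructed sample values (the 129.120.188.44 pair is the slide's own).
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"      # Layer 2 broadcast address: all Fs

class Lan:
    """One broadcast domain: every host sees an ARP request, only the owner replies."""

    def __init__(self, hosts):
        self.hosts = {ipaddress.IPv4Address(ip): mac for ip, mac in hosts.items()}
        self.requests = []               # every "who is X?" that was broadcast

    def arp_request(self, target):
        """Broadcast 'who is target?' and return the single reply's MAC, or None."""
        self.requests.append(target)
        replies = [mac for ip, mac in self.hosts.items() if ip == target]
        return replies[0] if replies else None

class Host:
    def __init__(self, lan, ip_with_prefix, gateway):
        self.lan = lan
        self.iface = ipaddress.IPv4Interface(ip_with_prefix)   # e.g. "129.120.188.10/16"
        self.gateway = ipaddress.IPv4Address(gateway)
        self.arp_cache = {}

    def next_hop(self, dest_ip):
        """Scenario 1: local destination -> ARP for it directly.
        Scenario 2: remote destination -> ARP for the default gateway instead.
        Directed broadcast of the local network -> all-Fs MAC, no ARP needed."""
        dest = ipaddress.IPv4Address(dest_ip)
        network = self.iface.network
        if dest == network.broadcast_address:
            return "broadcast", None
        if dest in network:
            return "local", dest
        return "via-gateway", self.gateway

    def resolve(self, dest_ip):
        """Destination MAC for the outgoing frame, consulting the ARP cache first."""
        kind, hop = self.next_hop(dest_ip)
        if kind == "broadcast":
            return BROADCAST_MAC
        if hop not in self.arp_cache:
            mac = self.lan.arp_request(hop)
            if mac is None:
                raise LookupError("no ARP reply for %s (%s)" % (hop, kind))
            self.arp_cache[hop] = mac
        return self.arp_cache[hop]

# Constructed sample LAN 129.120.0.0/16: the slide's web server and a gateway router.
SAMPLE_LAN = Lan({
    "129.120.188.44": "00:07:e9:7c:c8:aa",   # from slide 26
    "129.120.0.1": "00:11:22:33:44:55",      # default gateway (constructed)
})

def demo():
    """Resolve one local, one remote and one broadcast destination from a sample host."""
    h = Host(SAMPLE_LAN, "129.120.188.10/16", "129.120.0.1")
    return {
        "local": h.resolve("129.120.188.44"),          # scenario 1
        "remote": h.resolve("198.51.100.7"),           # scenario 2 (constructed remote IP)
        "broadcast": h.resolve("129.120.255.255"),     # all Fs, no ARP request sent
        "arp_requests": [str(ip) for ip in SAMPLE_LAN.requests],
    }
```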

Page 27

Broadcast
• Used in one-to-everyone communications.
• A broadcast IP address is designed to be processed by every IP node on the same network segment.
• It is in the format of
  – Class A: nnn.255.255.255
  – Class B: nnn.nnn.255.255
  – Class C: nnn.nnn.nnn.255
• The broadcast IP packet is addressed at the Data Link layer using the network technology's broadcast address.
  – For example, for Ethernet and Token Ring networks, all IP broadcasts are sent using the Ethernet and Token Ring broadcast address 0xFF-FF-FF-FF-FF-FF.

Page 28

Unicast
• Used in one-to-one communications.
• A packet is sent from an individual source to an individual destination.
• In a hub-connected network, all hosts on the network segment see the packet.
• In normal mode, however, all hosts except the intended recipient will discard the packet rather than pick it up and process it.

Page 29

What About Layer 4 “Addresses”?
• Layer 3 (IP) only takes care of host-to-host communication. It doesn’t care which process (program) will use which packet it delivers.
  – Its job is done when a packet reaches its destination IP address.
• Layer 4 (Transport) is responsible for process-to-process communication.
  – After getting rid of the Layer 3 header, the remainder of the packet (datagram) is passed up to Layer 4.
  – Layer 4 on the destination computer thus reads the information transmitted from Layer 4 on the origin.

Page 30

Layer 4 Communication
• There are two types of communication at Layer 4:
  – TCP is like registered mail, which guarantees delivery to the intended recipient (process).
  – UDP is like first-class mail and is best-effort delivery. There is no guarantee of delivery to the intended recipient (process).
• Processes decide which service to use based on the task at hand, just like how we choose between registered vs. first-class mail depending on the importance of the mail involved.
  – For example, DNS uses UDP for DNS name queries but TCP for zone transfers (synchronization of information in the DNS database).

Page 31

Ports
• In current computing environments, network communications usually use a client/server architecture.
• The client is the requester of information; the server serves information to the client. For example, when you visit a website, your computer is the client and the web server is the server.
• The client initiates the communication. For the packets to go to the correct process on the server for the type of information requested (e.g., going to the web server for HTML files), each process on the server must be easily located.
• This locator is called a “port”. Ports are numbered, just like piers or docks are numbered along a waterfront, e.g., on Fisherman’s Wharf, San Francisco:
  – To watch seals, go to Pier 39.
  – To take ferries, go to Pier 41.

Page 32

Page 33

Ephemeral Ports
• Servers, however, don’t have to have pre-knowledge of which port the client will use for communication. It’s practically impossible because the number of potential clients is limitless.
• Therefore, when initiating communication, the client picks a port (an ephemeral port) through which it wants to receive information from the server.
• The client uses the very first packet in the communication to notify the server of the client-side port number to use for this session.
  – The process that requests the information (e.g., the web browser) then awaits it behind that particular port.
• When the server returns a packet, it knows which port to send it to on the client.
• The client-side port is “ephemeral” because it doesn’t have to be tied to the process after the communication is over.

Page 34

Reserved Ports
• To avoid chaos, port numbers on the server must be reserved for common processes and this assignment made public information.
• Most port numbers on servers are between 0 and 1023 and are called well-known port numbers.
• However, application developers may take advantage of ports that are 1024 or higher. As long as there is general consensus regarding which application commonly uses which port, these registered ports can be used to establish communication with the server for the related process without pre-knowledge of behind which port the process is awaiting incoming connections.
  – For example, MySQL uses port 3306 by default.
• The important corollary: by looking at the open ports on a server, we can deduce what processes are running on that server.

Page 35

IANA Port Ranges
• The Internet Assigned Numbers Authority (IANA), the same organization that assigns IP addresses, manages port numbers.

Port Type          Port Numbers       Description
Well-Known Ports   0 – 1,023          Assigned and controlled by IANA. Reserved for the most universal applications.
Registered Ports   1,024 – 49,151     Not assigned or controlled by IANA. Can only be registered with IANA to avoid duplication.
Dynamic Ports      49,152 – 65,535    Neither registered nor controlled. Often used by a private protocol that only a particular organization uses.

Page 36

Important Port Numbers
Service                        Protocol   Port
FTP-Data                       TCP        20
FTP-Control                    TCP        21
Secure Shell Login (SSH)       TCP        22
Telnet                         TCP        23
SMTP                           TCP        25
DNS                            TCP/UDP    53
Trivial FTP (TFTP)             UDP        69
HTTP                           TCP        80
NetBIOS Name Service           TCP/UDP    137
NetBIOS Session Service        TCP/UDP    139
Secure Socket Layer (HTTPS)    TCP        443

Page 37

TCP vs. UDP
• UDP is a “connectionless” protocol.
  – Very few error recovery services; this is done by applications.
  – Unreliable protocol: no guarantee of delivery.
  – For network services not affected by occasional lost or dropped packets.
• TCP is a connection-oriented protocol.
  – Data delivery is guaranteed.
  – Does this with flow control and error correction.

Page 38

TCP Flow Control
• Both hosts have a sliding window (they can be of different sizes).
  – It defines the number of bytes (actually, “chunks” of data, or segments) that the host can send without waiting for an acknowledgment from the other host.
• When the window slides to a portion of the buffer, that portion is “freed up” for transmission.
• When an acknowledgment is received, the window “slides” over so that the next batch of bytes can be sent.

Page 39

TCP Error Correction
• TCP is reliable because if the recipient receives a segment from the sender successfully, it will let the sender know.
  – Oddly, it does this not by saying “I got it” but rather, “Give me the next piece.”
  – This mechanism is called forward acknowledgment.
• If the recipient doesn’t receive a segment, it will also let the sender know, using the same acknowledgment mechanism.
  – In this case, instead of asking for the next piece, it asks for a piece that the sender has sent previously.
  – The sender interprets this as an indication that the previously-sent segment was lost somehow in transmission.
  – The sender then resends the segment.
  – This will be done again until the recipient gets the segment.
• Obviously, to do this, each segment must have some sort of “ID”. This ID is called the sequence number, or SEQ.

Page 40

TCP Sequence Numbers
• A sequence number is just a very long number and is quasi-randomly generated.
• For either side of the connection, two types of SEQ numbers are involved:
  – An initial SEQ (used in connection establishment)
  – SEQs assigned to the data transmitted
• During connection establishment (handshake), each host (client and server) must let the other one know where its SEQs will start.
  – Usually, the two hosts will have very different SEQs.

Page 41

Initial Sequence Numbers
• In the very first segment, the client (info requester) will tell the server (info provider): this is my first SEQ number. This is the Initial Sequence Number (ISN).
• The server’s answer, following the mechanism of forward acknowledgment, is to ask for the segment with the “ID” of ISNclient + 1.
• Therefore, for the client the SEQs for data segments start with a SEQ of ISNclient + 2.
• At the same time the server acknowledges the receipt of the first segment from the client, it also tells the client ISNserver.
• The client acknowledges this by asking for the segment identified by ISNserver + 1.
• So, the data segments sent from the server start with ISNserver + 2.
• What about the segments afterwards?

Page 42

Stream Orientation of TCP
• Most, if not all, data have to be transmitted over a number of chunks (segments).
• TCP doesn’t read the data taken from the application layer. So it doesn’t divide data into segments based on units used in application layers (a page of a document, a row in a database, etc.).
• TCP simply lines up the bytes comprising the data, sequentially, from the first to the last byte.
• The bytes are numbered sequentially, and the numbering starts with the initial SEQ + 2.
• Each segment has an “ID”, which simply is the sequence number of the first byte in the segment.

Page 43

SEQ Numbers for Data
• The first data segment has SEQ1 = ISN + 2.
• Since each byte is numbered and each segment (composed of a predetermined number of bytes) is identified by the sequence number of the first byte in the segment, we have:
  SEQ2 = SEQ1 + Size of Segment
• Subsequently,
  SEQ3 = SEQ2 + Size of Segment
  – And so on and so forth.
• Using SEQ numbers, segments can arrive in any order and at different times.
  – The receiving host will use the SEQs to line up the segments in the right order. In other words, the stream of bytes that comprise the data will be restored at the destination host.

Page 44

Page 45

Error Correction Expressed in SEQs
• The receiver doesn’t send out an ACK for each segment it receives.
• Forward acknowledgement is cumulative.
• If the sender sends chunks #202, #402, and #602, and it receives an ACK of 802, it knows that all three segments have arrived safe and sound.
• If it receives an ACK of 602, it knows that it should resend chunk #602.
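The cumulative forward acknowledgement of pages 39, 43 and 45, as an added Python simulation that is not part of the slides. It reuses the page-45 numbers (200-byte chunks at SEQ 202, 402, 602) and also shows the out-of-order arrival case of page 43; the sender simply retransmits everything from the acknowledged SEQ onward, which is the plain cumulative-ACK behaviour without selective acknowledgement.

```python
# Added example, not from the slides: a small sender/receiver simulation of the
# forward, cumulative acknowledgement of slides 39, 43 and 45. Segment numbers
# follow the slide-45 example (200-byte chunks with SEQs 202, 402, 602); the
# sender resends everything from the acknowledged SEQ onward (no selective ACK).

class Receiver:
    """Tracks the next byte it expects; its ACK is that number ("give me the next piece")."""

    def __init__(self, first_seq):
        self.expected = first_seq
        self.buffered = {}                # out-of-order segments, keyed by SEQ
        self.delivered = []               # SEQs handed to the application, in order

    def receive(self, seq, size):
        """Accept one segment and return the current cumulative ACK number."""
        if seq >= self.expected:          # anything below is a duplicate; ignore it
            self.buffered[seq] = size
        while self.expected in self.buffered:   # slide across contiguous segments
            size = self.buffered.pop(self.expected)
            self.delivered.append(self.expected)
            self.expected += size         # SEQ(n+1) = SEQ(n) + size of segment
        return self.expected

class Sender:
    """Keeps unacknowledged segments and counts how often each was transmitted."""

    def __init__(self, first_seq, size, count):
        self.unacked = [first_seq + i * size for i in range(count)]
        self.sent_count = {}

    def window(self):
        """Everything not yet acknowledged is (re)transmitted as one batch."""
        for seq in self.unacked:
            self.sent_count[seq] = self.sent_count.get(seq, 0) + 1
        return list(self.unacked)

    def on_ack(self, ack):
        """Cumulative: every SEQ below ack is known delivered; ack itself is sent next."""
        self.unacked = [s for s in self.unacked if s >= ack]

    def resent(self):
        return sorted(s for s, n in self.sent_count.items() if n > 1)

def run(first_seq, size, count, drop_once=(), reorder=False):
    """Drive one transfer to completion. Segments in drop_once are lost on their
    first transmission only; reorder=True delivers the first batch last-first."""
    sender, receiver = Sender(first_seq, size, count), Receiver(first_seq)
    lost, acks, rounds = set(drop_once), [], 0
    while sender.unacked:
        batch = sender.window()
        if reorder and rounds == 0:
            batch = batch[::-1]
        ack = receiver.expected
        for seq in batch:
            if seq in lost:
                lost.discard(seq)         # dropped this once; the resend gets through
                continue
            ack = receiver.receive(seq, size)
        acks.append(ack)                  # one cumulative ACK for the whole batch
        sender.on_ack(ack)
        rounds += 1
    return {"acks": acks, "delivered": receiver.delivered, "resent": sender.resent()}
```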

Page 46

TCP Segment Format

Page 47

TCP Segment Format
• Source Port (16 bits)
• Destination Port (16 bits)
• Sequence Number (32 bits)
• Acknowledgement Number (32 bits)
• Control (6 bits)
  – URG: The value of the urgent pointer field is valid
  – ACK: The value of the acknowledgement field is valid
  – PSH: Request for push
  – RST: Reset the connection
  – SYN: Synchronize sequence numbers
  – FIN: Terminating the connection
• Window (16 bits)
  – For flow control

Page 48

Important TCP Header Fields
• Source Port (16 bits)
• Destination Port (16 bits)
• Sequence Number (32 bits)
• Acknowledgement Number (32 bits)
• Control Bits (aka flags; 1 bit each; 1 means on; 0 means off)
  – URG: The value of the urgent pointer field is valid
  – ACK: The value of the acknowledgement field is valid
  – PSH: Request for push
  – RST: Reset the connection
  – SYN: Synchronize sequence numbers
  – FIN: Terminating the connection
• Window (16 bits)
  – For flow control
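Decoding the header fields of pages 47 and 48 from raw bytes, and checking a three-way handshake against the page-41 rule (each side asks for the other's ISN + 1), as an added Python example that is not part of the slides. The sample segments, ports and ISNs are constructed in the code; the checksum is left at zero because no IP pseudo-header is involved here.

```python
# Added example, not from the slides: parsing the TCP header fields listed on
# slides 47-48 from raw bytes, and checking a three-way handshake's SYN/ACK flags
# and acknowledgement numbers (ACK = the other side's ISN + 1, as on slide 41).
# The sample segments below are constructed with struct.pack; ISNs are arbitrary.
import struct

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(data):
    """Decode the fixed 20-byte TCP header (network byte order); options are skipped."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4           # header length in bytes (20..60)
    if not 20 <= data_offset <= 60 or data_offset > len(data):
        raise ValueError("bad data offset %d" % data_offset)
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": data_offset, "flags": flags, "window": window,
        "checksum": checksum, "urgent_ptr": urg, "payload": data[data_offset:],
    }

def build_tcp_header(sport, dport, seq, ack, flag_names, window=65535):
    """Construct a minimal header with no options; checksum stays 0 (no IP pseudo-header here)."""
    flag_bits = sum(FLAG_BITS[n] for n in flag_names)
    off_flags = (5 << 12) | flag_bits             # 5 x 32-bit words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)

def check_handshake(segments):
    """Validate [SYN, SYN-ACK, ACK]. Returns (ok, reason)."""
    if len(segments) != 3:
        return False, "expected three segments"
    syn, synack, ack = (parse_tcp_header(s) for s in segments)

    def only(seg, names):                         # exactly these flags set, no others
        return all(seg["flags"][n] == (n in names) for n in FLAG_BITS)

    if not only(syn, {"SYN"}):
        return False, "first segment must be SYN only"
    if not only(synack, {"SYN", "ACK"}):
        return False, "second segment must be SYN+ACK"
    if synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        return False, "server must ask for ISNclient + 1"
    if not only(ack, {"ACK"}):
        return False, "third segment must be ACK only"
    if ack["ack"] != (synack["seq"] + 1) & 0xFFFFFFFF:
        return False, "client must ask for ISNserver + 1"
    if ack["seq"] != synack["ack"]:
        return False, "client SEQ must continue from what the server asked for"
    return True, "handshake complete"

# Constructed sample: client ephemeral port 51234 -> HTTP on port 80.
ISN_CLIENT, ISN_SERVER = 1000, 5000
HANDSHAKE = [
    build_tcp_header(51234, 80, ISN_CLIENT, 0, {"SYN"}),
    build_tcp_header(80, 51234, ISN_SERVER, ISN_CLIENT + 1, {"SYN", "ACK"}),
    build_tcp_header(51234, 80, ISN_CLIENT + 1, ISN_SERVER + 1, {"ACK"}),
]
```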

Page 49

TCP Three-Way Handshake

Source: Wendell Odom, Cisco CCNA Certification Guide.

Page 50

UDP Datagram Format

Page 51

Internet Protocol
• IP is unreliable. It works on a best-effort basis.
  – It relegates the work of error detection to higher layers (TCP, application, etc.).
• When a packet is too large to deliver (which often is the case), IP divides it into smaller packets (fragmentation).
• Packets can arrive out of sequence. IP relies on information contained in the IP header to reassemble them into the original-size packet and pass it to the Transport layer.

Page 52

Layer 3: IP Packet

Page 53

IP Header Fields

Page 54

Important IP Header Fields
• Version (4 bits)
  – The version of the IP protocol.
• IHL (4 bits)
  – The total length of the datagram header. It is needed because the header can vary from 20 to 60 bytes.
• Total Length (16 bits)
  – Header length + length of the data coming from upper layers.
  – Total length has a maximum of 65,535 bytes.
• Protocol (8 bits)
  – Higher layer protocol that uses the services.
  – Know the values for TCP, UDP, ICMP, IGMP.
• Source Address (32 bits)
• Destination Address (32 bits)

Page 55

Important IP Header Fields
• Fragmentation (13 bits)
  – Each Data Link layer protocol has its own frame format, including the maximum size of the data field (Maximum Transmission Unit, MTU).
  – An IP datagram may have to be broken down into smaller units to fit into the Layer 2 frame.
• When a datagram is fragmented, each fragment has its own header with most of the fields identical except: flags, fragmentation offset, and total length.
  – The fragmentation offset is the offset of the data in the original datagram that indicates the relative position of this fragment in the entire packet.
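The header fields of pages 54 and 55 decoded from raw bytes, followed by fragmenting a datagram to fit an MTU and reassembling the fragments by offset regardless of arrival order, as an added Python example that is not part of the slides. The datagram is constructed in code; the protocol values 1, 2, 6 and 17 are the standard IANA numbers for ICMP, IGMP, TCP and UDP.

```python
# Added example, not from the slides: decoding the IPv4 header fields of slides
# 54-55 from raw bytes, then fragmenting a datagram to fit an MTU and reassembling
# the fragments by offset. Protocol numbers 1/2/6/17 are the IANA assignments;
# the datagram used below is constructed in code.
import struct

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def parse_ipv4_header(data):
    """Decode the fixed 20-byte header (IHL may say more, with options). No checksum check."""
    if len(data) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4    # IHL is in 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if not 20 <= ihl <= 60 or total_len < ihl or total_len > len(data):
        raise ValueError("inconsistent IHL / total length")
    return {
        "ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # 13 bits, units of 8 bytes
        "protocol_number": proto, "protocol": PROTOCOLS.get(proto, "unknown"),
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "payload": data[ihl:total_len],
    }

def build_ipv4(ident, payload, offset=0, more=False, proto=17,
               src="129.120.188.44", dst="129.120.0.10"):
    """Construct an options-free datagram; offset is in bytes and must be a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, to_bytes(src), to_bytes(dst))
    return header + payload

def fragment(packet, mtu):
    """Split one datagram so every fragment fits the Layer 2 MTU; all but the last set MF."""
    h = parse_ipv4_header(packet)
    chunk = (mtu - h["ihl"]) // 8 * 8                    # data per fragment, multiple of 8
    data, out = h["payload"], []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        out.append(build_ipv4(h["id"], piece, off, off + chunk < len(data),
                              h["protocol_number"], h["src"], h["dst"]))
    return out

def reassemble(fragments):
    """Rebuild the original payload from fragments of one datagram, in any arrival order."""
    parsed = sorted((parse_ipv4_header(f) for f in fragments), key=lambda p: p["fragment_offset"])
    if not parsed or len({p["id"] for p in parsed}) != 1:
        raise ValueError("need fragments from exactly one datagram")
    data, expected = b"", 0
    for p in parsed:
        if p["fragment_offset"] != expected:
            raise ValueError("gap at offset %d" % expected)
        data += p["payload"]
        expected += len(p["payload"])
    if parsed[-1]["more_fragments"]:
        raise ValueError("last fragment missing")
    return data

SAMPLE_PAYLOAD = bytes(range(256)) * 4   # constructed 1024-byte upper-layer payload
```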

Page 56

Internet Control Message Protocol
• The Internet Control Message Protocol (ICMP) is a control and information protocol, which is used to determine:
  – A remote network’s availability.
  – The length of time to reach a remote network.
  – The best route for packets to reach a remote network.
• ICMP can handle the flow of traffic, telling other network devices to “slow down” transmission speeds if packets are coming in too fast.
• ICMP is not connection-oriented (uses UDP).
  – Designed to carry small messages quickly.
  – Has minimal overhead.
  – Has minimum impact on bandwidth.

Page 57

ICMP Message Types
• ICMP messages are used to exchange information about network host status, traffic conditions, etc. Two important fields in an ICMP message are:
  – Type: A one-byte field to indicate the kind of ICMP message.
  – Code: For messages of certain types, a one-byte Code field may have a value to further identify a message.
• For example, a ping command goes from one host to another and receives a response from the latter. Two types of ICMP messages are involved in this process:
  – Echo Request
  – Echo Reply

Page 58

ICMP Messages
Type   Description               Code   Description
0      Echo Reply
3      Destination Unreachable   0      Network unreachable
                                 1      Host unreachable
                                 3      Port unreachable
                                 6      Destination network unknown
                                 7      Destination host unknown
4      Source Quench
5      Redirect Message
8      Echo Request
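The Type and Code fields of pages 57 and 58 handled on real ICMP bytes, as an added Python example that is not part of the slides: it builds an Echo Request, answers it with an Echo Reply, verifies the Internet checksum that every ICMP message carries in bytes 2 and 3, and names Destination Unreachable codes from the table above. All messages are constructed in memory.

```python
# Added example, not from the slides: building an ICMP Echo Request, checking the
# Internet checksum of a received message and decoding its Type/Code with the
# table above. Everything is constructed in memory; nothing touches the network.
import struct

TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
         5: "Redirect Message", 8: "Echo Request"}
UNREACHABLE_CODES = {0: "Network unreachable", 1: "Host unreachable", 3: "Port unreachable",
                     6: "Destination network unknown", 7: "Destination host unknown"}

def internet_checksum(data):
    """One's-complement sum of 16-bit words over the whole ICMP message (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                               # pad an odd last byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload=b""):
    """Type 8 = Echo Request, 0 = Echo Reply; the checksum covers header and payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(data):
    """Decode Type, Code and the type-specific fields; a valid message sums to zero."""
    if len(data) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code = data[0], data[1]
    msg = {"type": icmp_type, "code": code,
           "type_name": TYPES.get(icmp_type, "type %d" % icmp_type),
           "checksum_ok": internet_checksum(data) == 0}
    if icmp_type in (0, 8):
        msg["id"], msg["seq"] = struct.unpack("!HH", data[4:8])
        msg["payload"] = data[8:]
    elif icmp_type == 3:
        msg["code_name"] = UNREACHABLE_CODES.get(code, "code %d" % code)
        msg["offending_datagram"] = data[8:]  # IP header + first 8 bytes of what failed
    return msg

def reply_to(request):
    """What the pinged host answers: an Echo Reply echoing id, seq and payload."""
    req = parse_icmp(request)
    if req["type"] != 8 or not req["checksum_ok"]:
        return None                                   # not a valid request: ignore it
    return build_echo(0, req["id"], req["seq"], req["payload"])
```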