TCP/IP
CONTENTS
- INTRODUCTION TO TCP/IP
- IP LAYER PROTOCOLS
- IP OVER LAN / MAN / WAN
- TCP/IP : TRANSPORT LAYER
- TCP/IP : APPLICATIONS
- IP NETWORK INTERCONNECTIONS
- NETWORK ADMINISTRATION
- SECURITY
- IP VERSION 6
Alcatel University - 8AS 90145 0007 VT ZZA Ed.02 - June 2000
DEFINITIONS
- Network architecture covers all the hardware and software resources for interchanging data between two remotely located data processing systems.
- The OSI model (Open Systems Interconnection) is a 7-layer architecture for communication between two open systems.
- Communication between adjacent layers is defined by the concept of service.
- Communication between peer layers is defined by the concept of communication protocol.
- The TCP/IP architecture incorporates only three functional layers (network, transport and application).
IP : NETWORK PROTOCOL
1.1 Fundamental concepts of TCP/IP

When two data processing systems want to communicate, numerous problems of very different types have to be solved. The functions required for communication must be structured in the same way on both sides, hence the need for standardization.

In the field of long-haul networks, the ITU (International Telecommunication Union, formerly CCITT) is responsible for most standardization. It brings together public and private telecom operators and telecom manufacturers from all countries to develop and distribute the best-known standards, such as X.25, X.400, ISDN and V.24.

The standardization of local area networks is mainly the responsibility of the IEEE (Institute of Electrical and Electronics Engineers) and its 802 committee.

The ISO (International Organization for Standardization), an independent non-governmental body whose members are the national standards institutes, plays a major role in networks and telecommunications. It has defined the OSI reference model and is the organization that ratifies International Standards. In France, it is represented by AFNOR.

In addition to these official organizations, manufacturers and software publishers also produce standards. When a product becomes widely used, it becomes a "de facto" standard. Ethernet (Digital, Intel, Xerox) and NetWare (Novell) are examples of manufacturer standards. TCP/IP is a particular case: a de facto standard that did not originate with a manufacturer but with the research community (ARPANET), and whose specifications are published openly as RFCs.
FUNCTIONAL STRUCTURE

(Figure: the seven OSI layers, layer 1 to layer 7, drawn alongside the TCP/IP architecture, which groups them into its three functional layers: application, transport and network.)
ENCAPSULATION

(Figure: layer (N+1) hands its (N+1)-PDU down to layer (N); there it becomes the (N)-SDU, to which layer (N) adds its (N)-PCI to form the (N)-PDU.)

PDU : Protocol Data Unit
SDU : Service Data Unit
PCI : Protocol Control Information

Convention:
- Layer 1 PDU : bit
- Layer 2 PDU : frame
- Layer 3 PDU : packet
- Layer 4 PDU : message
1.3 Services and Protocols

Communication between adjacent layers (vertical communication) is based on the concept of service. The data unit interchanged at the service interface is called the Service Data Unit (SDU); it is carried transparently, that is, layer (N) does not interpret it. Communication between peer layers on the same level is based on the concept of protocol. A unit of protocol data interchanged between peers is called a Protocol Data Unit (PDU).
The connection-oriented mode is associated with the concept of reliable transfer. It involves three phases:
- SET-UP
- TRANSFER
- RELEASE

Connectionless mode has only one phase:
- TRANSFER
1.4 Transfer mode

Information can be transported over a network in one of two modes: connection-oriented and connectionless.

Connection-oriented mode entails maintaining an end-to-end connection for the duration of the dialogue between two open systems. This transfer mode requires resources (connection state) to be held in both systems. It involves three phases:
- Set-up phase, to establish the connection: the party initiating the call makes sure that the remote system is present and ready to receive.
- Transfer phase, generally simultaneous bidirectional (full-duplex) transfer: both communicating machines can send and receive at the same time. Since the connection-oriented service is considered reliable, acknowledgements are exchanged regularly during communication to guarantee that data is delivered correctly.
- Release phase, used by the two machines to ensure that data still in transit is not lost. This is called a negotiated disconnection. An abrupt disconnection can be initiated by either party, but may lead to data loss.
Connectionless datagram mode entails sending data over the network with no guarantee of correct delivery. There is no end-to-end continuous signal regarding the status of transfers. This service is generally not guaranteed reliable. Its main advantages are simplicity of implementation and performance.
RELIABLE TRANSFER
The concept of reliable transfer involves 3 functions:
- SEQUENCING
- ERROR RECOVERY
- FLOW CONTROL
The concept of reliable transfer is mainly associated with connection-oriented mode. It provides a way of guaranteeing that PDUs are routed from end to end in the order in which they were sent. Sequencing can be achieved by numbering or quantifying PDUs. Error recovery combines two functions: error detection and error correction. In general, detection is handled by an acknowledgement mechanism and correction by retransmission. The purpose of flow control is to prevent data loss in the event of congestion. It allows the receiver to control and even stop data transmission by the sender.
CLIENT-SERVER MODEL
A machine (host) running a SERVER software package (process) responds to requests sent by a CLIENT. It is always the CLIENT that sends requests to the server.
In the client-server model, the client initiates dialogue and waits for confirmation from the server. If the server accepts the client, it can send requests to which the server responds. The term client-server application is now reserved for a category of applications (generally, but not necessarily, network applications) in which application processing is distributed between client and server. TCP/IP is an architecture based on networked Client-Server relations.
ARCHITECTURES
(Figure: the three architecture families layer by layer; the lower layers are common to all of them.)

OSI architecture:
- Application: VT, FTAM, X.400, CMIP
- Presentation: ASN.1, X.409
- Session: ISO 8326
- Transport: TP0 ... TP4
- Network: X.25 PLP, ISO 8473 (connectionless "Internet" protocol)
- Link and Physical: see below

TCP/IP architecture:
- Applications: Telnet, FTP, NFS, SMTP, HTTP, SNMP
- Transport: TCP, UDP
- Network: IP

Proprietary architectures:
- Novell: NCP, SAP
- Microsoft: SMB, NetBIOS, NetBEUI

Lower layers shared by all architectures:
- Link: 802.2 / 802.x on LANs; HDLC, LAP-B, Frame Relay, ATM on WANs
- Physical: X.21, V.35, S and T interfaces; copper, optical fibre, microwave
There are three main types of architecture: Proprietary architectures These are the oldest types of architecture (defined before the OSI model). The lower layers of these architectures can use standard protocols. For example, Microsoft or Novell architectures can communicate with TCP/IP layers 3 and 4. SNA is IBM's architecture. Standardized architecture A set of services and protocols defined by the ISO within the framework of the OSI model. Although the lower layers (1 to 3) are widely used, the higher layers of the OSI model seem to be limited to administrations. TCP/IP standard architecture TCP/IP is a network architecture for connection of and communication between any type of hardware over any type of network. TCP/IP is rapidly becoming a universal architecture.
The organization supervising all TCP/IP developments is the IAB (Internet Architecture Board, originally the Internet Activities Board). It is independent of all manufacturers and has been recognized by the ISO as an independent standards-defining organization. The IAB has two main "task forces":
- IRTF (Internet Research Task Force): responsible for TCP/IP research and development.
- IETF (Internet Engineering Task Force): responsible for the engineering and standardization of the Internet protocols.

Another entity manages Internet addresses and RFC (Request for Comments) numbers: the NIC (Network Information Centre). Its French counterpart is the AFNIC (Association Française pour le Nommage Internet en Coopération). The IETF and the NIC are the two main authorities for both operators and commercial companies.
The RFCs published by the IETF are the equivalent of ITU recommendations:
- RFCs have no version number: an update is published as a new RFC with a new number, which makes the old one obsolete.
- Everyone can contribute.
- They are the reference documents on protocols and services, and technical publications on networks.
- Since 1969 (ARPANET): more than 2300 RFCs.
- Freely available over the Internet (www.internic.net).
- Not all RFCs are equivalent to standards.

Each RFC carries a state and a status:

State: Standard, Draft standard, Proposed, Experimental, Informational
Status: Required, Recommended, Elective, Limited use, Not recommended
Any new protocol studied and/or implemented is submitted to the IAB in the form of an RFC study document. The IAB (via the NIC) then assigns it a state and a status. The state and status change as the protocol, its functionalities and its implementations are formalized. The different states of an RFC are listed below:
- Standard protocol: official standard for the TCP/IP architecture. Tested products exist and have been in operation for some time.
- Draft standard protocol: potential standard. Additional tests are required; their results are submitted once again to the IAB for approval and validation.
- Proposed standard protocol: potential standard. Numerous tests are still to be carried out; the protocol will certainly be reviewed and improved.
- Experimental protocol: protocol in the experimental phase. This type of protocol must not be implemented by any operational system.

RFCs are assigned a reference number (together with the numbers of any RFCs they make obsolete) and the references, name, company, etc. of the author or authors. Many servers relay RFCs over the Internet by theme or by number. Unlike the ISO and ITU standards, they are therefore freely accessible.
TCP/IP ARCHITECTURE
(Figure: the TCP/IP protocol stack from the physical media (LAN, FDDI MAN, WAN) up through IP, ICMP, ARP and the routing protocols (IGP / EGP), then TCP and UDP, to the applications; ping sits directly on ICMP.)

Network layer:
- IP : Internet Protocol
- ICMP : Internet Control Message Protocol
- ARP : Address Resolution Protocol
- BOOTP/DHCP : Bootstrap Protocol / Dynamic Host Configuration Protocol
- EIGRP : Enhanced Interior Gateway Routing Protocol
- OSPF : Open Shortest Path First

Transport layer:
- TCP : Transmission Control Protocol
- UDP : User Datagram Protocol

Applications:
- TELNET : TELecommunication NETwork
- SMTP : Simple Mail Transfer Protocol
- DNS : Domain Name System
- TFTP / FTP : Trivial File Transfer Protocol / File Transfer Protocol
- SNMP : Simple Network Management Protocol
- NFS : Network File System
- RPC : Remote Procedure Call
- XDR : eXternal Data Representation
- HTTP : HyperText Transfer Protocol
True or False
1. IP was created at the beginning of the 80s, when the first PCs appeared. False
2. The OSI model was defined in order to classify the TCP/IP protocols. False
3. Both IP and X.25 allow data to be transmitted, but with different advantages. True
4. A reliable transfer must be carried by a reliable physical bearer. False
5. Client/server architecture is very often used in applications based on IP. True
6. The IRTF and the IETF are organizations depending on DARPA. False
7. All the protocols of the TCP/IP architecture are defined in the RFCs. True
Adaptation to the physical network (fragmentation/reassembly)

The IP protocol manages packet sizes adapted to the frame size limits at link level (MTU: Maximum Transmission Unit), e.g. 1500 octets for Ethernet and 4 to 17 Kbytes for Token Ring depending on ring speed. IP has a mechanism for fragmenting the segments received from a higher layer so that they can be sent on the physical network. Fragmentation, if required, is performed by the sending host or by the routers crossed; reassembly is performed only by the final recipient.
Time To Live Each packet is sent with the life span, or "time-to-live", defined by the value in the TTL field of the IP header. The counter is initialized by the packet sender and decremented by unity each time it crosses a router. When it hits 0 in a router, the packet is destroyed. An ICMP packet is then returned to the sender.
Multiplexing a number of higher level protocols

IP carries N level 4 (and auxiliary) protocols. The "protocol" field of the header identifies the protocol transported, e.g. TCP, UDP, ICMP or a routing protocol such as OSPF.

Dynamic and auto-adaptive routing

Routing is the IP protocol's basic functionality. It serves mainly to route the packet from end to end, hop by hop, each router choosing the next hop from its own routing table.
IP : MEDIATION LAYER

(Figure: a single IP layer above every kind of physical network: LAN Ethernet, LAN Token Ring, FDDI, WAN X.25, Frame Relay, ATM, PPP over PSTN / ISDN, and the Internet.)
Restrictions

- Guaranteed delivery: the IP protocol provides a datagram service. The IP packet sender keeps no record of the packet sent, so it cannot retransmit a packet that does not reach its destination. The IP protocol therefore has no acknowledgement mechanism.
- Error checking: the checksum computed for IP covers only the IP packet header, and is used by IP recipients (mainly routers) to check that the header has not been corrupted in transit. The data is not covered: error detection on the whole frame is handled by the link level protocols, and on the payload by the transport layer.
- Flow control: there is no mechanism for managing buffer saturation in routers. Congestion results in packet loss.
- Data resequencing: packets are routed independently to their recipients (datagram mode principle). They can take different paths and be received in a sequence different from the transmission sequence. The IP protocol does not guarantee sequencing of the packets transmitted (IP-SDUs).
IP ADDRESSES (V4)
Example: 150.10.20.30 = 10010110 . 00001010 . 00010100 . 00011110

- In IP V4, an address is coded on 32 bits.
- It is represented by the decimal value of each of the 4 octets, separated by a dot.
- It consists of two fields: a Net ID field and a Host ID field.
- The position of the field separator is variable; it is identified using the concept of address class.
Network logical addresses used by the IP layer are 32-bit addresses configured manually or dynamically. These addresses are independent of physical addresses. A static or dynamic mechanism is therefore required to link these two types of address. Any IP station can be reached using different types of address supported by LANs but not by telecom WANs. Unicast address (individual) Each IP machine (that is, a machine with TCP/IP connectivity) has a unique individual address. Note that in contrast to the uniqueness of MAC unicast addresses, IP logical address uniqueness must be guaranteed by the administrator if there is no DHCP server. Broadcast address Any IP machine can be reached using a broadcast address and therefore process the appropriate packet. This type of address means that all stations in the network can be addressed using a single packet. This functionality does not exist on telecom networks. Multicast address (group) This type of address defines a group in which an N-machine subset of all machines can be reached. Addressing is not configurable and is generally application-based or linked to routing protocols.
IP ADDRESSES : CLASSES

(Figure: the Net ID / Host ID split of the 32-bit address for each class.)
32-bit IP addresses consist of two fields: The net ID field first and host id field last. Two stations on the same physical local network can intercommunicate only if they belong to the same IP logical network. Two stations on two different IP networks can intercommunicate only via a router. The position of the network and host field separator depends on the 32-bit address values used. These values are organized in address classes. Addresses in which the first octet has a decimal value between 1 and 126 are class A addresses. The first octet then represents the network number and the other three octets the host number. Addresses in which the first octet has a decimal value between 128 and 191 are class B addresses. The first two octets then represent the network number, and the last two octets the host number. Addresses in which the first octet has a decimal value between 192 and 223 are class C addresses. The first three octets represent the network number and the last octet the host number.
Class A : NET ID 1st octet, Host ID 3 octets. 1st octet value from 1 to 126.
  Nets : 126 usable (128 values, of which 0 and 127 are reserved). Hosts : 16 777 214 per net.
Class B : NET ID 2 octets, Host ID 2 octets. 1st octet value from 128 to 191.
  Nets : 16 384. Hosts : 65 534 per net.
Class C : NET ID 3 octets, Host ID 1 octet. 1st octet value from 192 to 223.
  Nets : 2 097 152. Hosts : 254 per net.
These address classes have resulted in wastage, in particular in regard to class B addresses because of the significant differences in capability between a class B network and a class C network.
First-octet values 224 to 239 are class D addresses, reserved for multicast. Higher values (240 to 255) are class E addresses, reserved for experimental use and never assigned to hosts.
IP ADDRESSES : FEATURES
- 150.10.0.0 represents the network 150.10 itself (host field all 0).
- A host field of all 1s represents ALL hosts: 150.10.255.255 represents all hosts on network 150.10.
- 127.X.X.X addresses are LOOPBACK addresses. These addresses are never sent over the network.
Some forms of address are reserved. The all-0 and all-1 forms are special values.
- 0.0.0.0: this address represents any machine not yet assigned an address. Its use is allowed as a source address on startup (on booting, before the true unicast address is known, as in DHCP). It is not a valid network address, nor a valid destination address.
- Network number + machine number set to 0, e.g. 150.10.0.0: represents this network.
- Network number set to 0 + machine number, e.g. 0.0.20.30: the machine on this network.
- 127.x.x.x: reserved for loopback (local loop). It represents the machine itself and can be used for communication between local processes, e.g. a client and a server implemented in the same host. A packet with destination address 127.0.0.1 is looped back in the IP layer and therefore never leaves the machine.
IP ADDRESSES : FEATURES
- Any station can be reached at its UNICAST address, e.g. 150.10.20.30.
- Any station can be reached at a BROADCAST address:
  - Selected (directed) broadcast, e.g. 150.10.255.255
  - Restricted (limited) broadcast: 255.255.255.255
- Any station that has joined a group can be reached at a MULTICAST address. MULTICAST addresses are structured 224.X.X.X (224.0.0.0 to 239.255.255.255); they are class D addresses and represent ALL hosts in a group.
- IP V6 does not support broadcasts but introduces the concept of ANYCAST: any (at least one) host in a group.
- Network number + machine number set to 1, e.g. 160.10.255.255: selected (directed) broadcast, for broadcasting to all hosts of another network. Routers forward it up to the destination network; because it is a classic amplification vector (smurf attacks), routers are now generally configured to drop directed broadcasts.
- 255.255.255.255: restricted (limited) broadcast, for broadcasting on the physical network only; it does not cross routers (except in special configurations such as DHCP relay).
- 224.0.0.9: the multicast address of routers running the RIP version 2 routing protocol.
IP ADDRESSES : MASK
- The function of routing is to reach any host in a network, e.g. 150.10.0.0.
- The HOST part of the UNICAST address must be masked: 150.10.20.30 must be converted to 150.10.0.0.
- A logical AND is applied to the UNICAST address and the mask value.
- Configuring a mask entails setting the NET part to 1 and the HOST part to 0. It is therefore sufficient to know the class: for network 150.10, class B, the mask will be 255.255.0.0.
Any IP machine must have at least one network mask, required for the routing function.

The mask is what lets a station (user machine, server or router) extract the network part of a destination address, and so decide whether the packet can be delivered directly or must be handed to a router.
When processing a packet, IP applies a LOGICAL AND to the destination unicast address and the configured mask value. The result is of the form Net ID + 0, where the length of the Net ID depends on the class, and it is this value that is looked up in the routing table so that the packet can be routed to the appropriate network. So, with mask 255.255.0.0 applied to unicast address 150.10.20.30, the routing table is interrogated with 150.10.0.0.
IP ADDRESSES : FEATURES
(Figure: IP network 192.1.1.0 with stations 192.1.1.1, 192.1.1.2 and 192.1.1.3, and IP network 128.15.0.0 with stations 128.15.1.13 and 128.15.187.1, the two networks joined by a router.)

Requirements:
- Two stations separated by a router: different network numbers.
- Two stations connected with no router: same network number.
- On the same network: different host numbers.
In order to "exist", a station must have a unicast address and the associated mask. The address of a router (generally the default gateway) allows it to reach beyond its own network. From this information the station derives its "routing table".
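A worked example, added here and not part of the Alcatel course, showing how a station applies the class rules and the mask described in the preceding slides: it determines the class from the first octet, derives the default mask, ANDs address and mask to obtain the Net ID and broadcast address, and checks whether two stations can talk without a router. It is plain Python with no network access; the addresses are the course's own examples plus a few constructed ones, and the function names are the author's choice.

```python
# Added example (not from the course): classful IPv4 address analysis in plain Python.
from typing import Dict, Optional


def ip_to_int(addr: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    """Render a 32-bit integer as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """The class is given by the first octet: 1-126 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E."""
    first = ip_to_int(addr) >> 24
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


# Default (classful) masks: NET part all 1s, HOST part all 0s.
DEFAULT_MASK: Dict[str, str] = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def analyse(addr: str, mask: Optional[str] = None) -> dict:
    """Net ID, host ID, broadcast and host capacity of addr under mask.

    Without an explicit mask the classful default is used, as the course describes;
    a subnet mask can be passed instead.
    """
    cls = address_class(addr)
    if mask is None:
        if cls not in DEFAULT_MASK:
            raise ValueError(f"{addr} is class {cls}: not a unicast address, no default mask")
        mask = DEFAULT_MASK[cls]
    a, m = ip_to_int(addr), ip_to_int(mask)
    host_mask = ~m & 0xFFFFFFFF
    net = a & m                       # the LOGICAL AND of the slide
    host_bits = 32 - bin(m).count("1")
    return {
        "class": cls,
        "mask": mask,
        "network": int_to_ip(net),    # what the routing table is queried with
        "host_id": a & host_mask,
        "broadcast": int_to_ip(net | host_mask),
        "usable_hosts": (1 << host_bits) - 2 if host_bits > 1 else 0,  # minus net and broadcast
    }


def same_network(addr1: str, addr2: str, mask: str) -> bool:
    """Two stations can talk without a router only if the AND with the mask agrees."""
    m = ip_to_int(mask)
    return ip_to_int(addr1) & m == ip_to_int(addr2) & m


if __name__ == "__main__":
    for sample in ("150.10.20.30", "10.1.2.3", "192.1.1.1", "224.0.0.9"):
        try:
            print(sample, analyse(sample))
        except ValueError as exc:
            print(sample, "->", exc)
    print(same_network("128.15.1.13", "128.15.187.1", "255.255.0.0"))  # same class B net
    print(same_network("192.1.1.1", "192.1.2.1", "255.255.255.0"))     # router needed
```

The input validation in ip_to_int matters more than it looks: address strings arrive from configuration files, DHCP and user input, and a parser that silently accepts "150.10.20" or an octet of 300 ends up computing a wrong Net ID and routing traffic to the wrong place.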
(Figure: logical networks N1 and N2; a packet ready to send is matched against the host's routing table.)

Routing table of host 150.10.20.30, as displayed by C:\>netstat -r:

  network address   network mask       gateway addr.   metric
  0.0.0.0           0.0.0.0            150.10.20.31    1
  127.0.0.0         255.0.0.0          127.0.0.1       1
  150.10.0.0        255.255.0.0        150.10.20.30    1
  150.10.20.30      255.255.255.255    127.0.0.1       1
  255.255.255.255   255.255.255.255    150.10.20.30    1
  150.10.255.255    255.255.255.255    150.10.20.30    1
  224.0.0.0         224.0.0.0          150.10.20.30    1
The IP layer which has a packet to send must determine the interface to which the packet must be delivered. This amounts to deciding which layer 2 (LAN, MAN or WAN) IP must "pass" the datagram to. It interrogates its routing table, selecting the entry whose network address matches the destination under the entry's mask (the most specific match wins), and reads from that entry the gateway and the interface to be used. The netstat -r command displays this table for inspection.
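The lookup described above, as an added example that is not part of the course: the netstat -r table of the slide is transcribed as sample data, and a lookup function applies each entry's mask to the destination and keeps the longest matching mask, which is how a /32 entry for the host's own address beats the /16 entry for its LAN, and the LAN entry beats the default route. The next-hop decision then tells layer 2 whom to resolve with ARP. Function names are the author's choice.

```python
# Added example (not from the course): the route lookup the IP layer performs before
# handing a datagram to layer 2, on the netstat -r table shown above.
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    destination: str
    mask: str
    gateway: str
    metric: int


def ip_to_int(addr: str) -> int:
    """Dotted quad to 32-bit integer (trusted input; no validation here)."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


MY_ADDRESS = "150.10.20.30"

# The host's table as printed by "netstat -r" on the slide, transcribed as sample data.
ROUTING_TABLE: List[Route] = [
    Route("0.0.0.0", "0.0.0.0", "150.10.20.31", 1),                 # default route
    Route("127.0.0.0", "255.0.0.0", "127.0.0.1", 1),                # loopback
    Route("150.10.0.0", "255.255.0.0", MY_ADDRESS, 1),              # directly connected LAN
    Route(MY_ADDRESS, "255.255.255.255", "127.0.0.1", 1),           # my own address
    Route("255.255.255.255", "255.255.255.255", MY_ADDRESS, 1),     # limited broadcast
    Route("150.10.255.255", "255.255.255.255", MY_ADDRESS, 1),      # directed broadcast
    Route("224.0.0.0", "224.0.0.0", MY_ADDRESS, 1),                 # multicast
]


def lookup(dest: str, table: List[Route] = ROUTING_TABLE) -> Optional[Route]:
    """Longest prefix match: among entries where (dest AND mask) == (network AND mask),
    keep the one with the most mask bits; ties go to the lower metric."""
    d = ip_to_int(dest)
    best: Optional[Route] = None
    best_bits = -1
    for route in table:
        m = ip_to_int(route.mask)
        if d & m != ip_to_int(route.destination) & m:
            continue
        bits = bin(m).count("1")
        if bits > best_bits or (bits == best_bits and best is not None and route.metric < best.metric):
            best, best_bits = route, bits
    return best


def next_hop(dest: str, table: List[Route] = ROUTING_TABLE) -> str:
    """Where layer 2 must deliver the datagram: loopback, the destination itself, or a router."""
    route = lookup(dest, table)
    if route is None:
        return "no route: network unreachable"
    if route.gateway == "127.0.0.1":
        return "loopback: never leaves the host"
    if route.gateway == MY_ADDRESS:
        return f"direct: resolve {dest} with ARP and deliver on the LAN"
    return f"via router {route.gateway}: resolve the router with ARP, not {dest}"


if __name__ == "__main__":
    for dest in ("150.10.20.30", "150.10.99.1", "160.10.1.1", "224.0.0.9", "127.0.0.1"):
        print(f"{dest:16} -> {next_hop(dest)}")
```

The last rule is the one worth remembering when reading packet captures: a datagram for 160.10.1.1 leaves this host in a frame addressed to the MAC of 150.10.20.31, while the IP destination stays 160.10.1.1.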
(Figure: the routing table designates a LAN interface; the ARP cache of that interface either has no entry for 150.10.20.30 or maps it to MAC address 08 20 02 12 63 48.)
After identifying the interface, IP must know the type of protocol associated with it, depending on whether it is a LAN/MAN or not. This is because layer 2 has to determine the physical destination address associated with the layer 3 next-hop address. For LAN/MANs, this address is supplied by an ARP cache, managed dynamically by ARP requests that map IP addresses to MAC addresses. These requests are broadcast by layer 2, and any station on the segment may answer them: the cache trusts the replies it receives, which is what ARP spoofing exploits. The broadcast function does not exist on WANs, where manual mapping is required. ATM is a special case, since it can be implemented on a LAN, MAN or WAN; there the ARP mechanism is provided by servers.
ADDRESSING BY SUBNETWORK

(Figure: three networks, 150.10.0.0, 160.10.0.0 and 170.10.0.0, interconnected; network 1 is divided into subnetworks 1, 2 and 3.)
Subnetworks are used to partition the network and segregate message flows.
The number of subnetworks depends on the number of bits reserved in the Host Id field.
ADDRESSING BY SUBNETWORK

Example: class B address 150.10.0.0 can be subnetted with a mask whose subnet field is 2, 3, 4, 5, 6, 7, 8, 9 (etc.) bits long, depending on the number of subnetworks required; each subnet bit taken from the host field doubles the number of subnetworks and halves the number of hosts per subnetwork.
A second addressing level: subnetwork. The basic unicast address consisting of: <network n> <machine n > can be extended to: <network n> <subnetwork n > <machine n> The network n part remains unchanged (same addressing class, A, B or C). The subnetwork n part occupies some of the space reserved for the machine number. Its length in terms of bits varies (in contrast to the network part which varies in terms of the number of octets). The machine n part occupies the remaining space and its length also varies in terms of the number of bits.
The main advantage of this type of addressing lies in the fact that a single network (class A, B or C) can be subdivided into N IP logical subnetworks with exactly the same interconnection and routing rules as for single-level conventional hierarchical addressing.
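An added example, not from the course, that carries the subnetting rule above through for the class B network of the slide: the mask is built from the class prefix plus a variable number of subnet bits, every subnetwork is enumerated with its host range and broadcast address, and a host is assigned to its subnetwork by the same AND as before. The function names are the author's; the addresses are those of the course.

```python
# Added example (not from the course): subnetting a class B network with a variable
# number of subnet bits, as described above. Plain Python, no network access.
from typing import Dict, List


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # length of the NET part, in bits


def subnet_mask(net_class: str, subnet_bits: int) -> str:
    """Mask = NET bits of the class + subnet bits set to 1, remaining host bits 0."""
    prefix = CLASS_PREFIX[net_class] + subnet_bits
    if subnet_bits < 0 or prefix > 30:
        raise ValueError("at least 2 host bits must remain for usable hosts")
    return int_to_ip(((1 << prefix) - 1) << (32 - prefix))


def mask_table(net_class: str, bit_counts: range) -> Dict[int, str]:
    """The table of the slide: number of subnet bits -> mask."""
    return {bits: subnet_mask(net_class, bits) for bits in bit_counts}


def subnets(network: str, net_class: str, subnet_bits: int) -> List[dict]:
    """Every subnetwork of the network with its host range and broadcast address."""
    prefix = CLASS_PREFIX[net_class] + subnet_bits
    size = 1 << (32 - prefix)                 # addresses per subnetwork
    base = ip_to_int(network)
    result = []
    for i in range(1 << subnet_bits):
        net = base + i * size
        result.append({
            "subnet": int_to_ip(net),
            "first_host": int_to_ip(net + 1),
            "last_host": int_to_ip(net + size - 2),
            "broadcast": int_to_ip(net + size - 1),
            "usable_hosts": size - 2,
        })
    return result


def subnet_of(addr: str, net_class: str, subnet_bits: int) -> str:
    """The subnetwork a host belongs to: address AND extended mask."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(subnet_mask(net_class, subnet_bits)))


if __name__ == "__main__":
    for bits, mask in mask_table("B", range(2, 10)).items():
        print(f"{bits} subnet bits: mask {mask}, {1 << bits} subnetworks")
    for s in subnets("150.10.0.0", "B", 2):
        print(s)
    print(subnet_of("160.10.84.30", "B", 1), subnet_of("160.10.148.30", "B", 1))
```

Older subnetting rules (RFC 950) discouraged using the all-zeros and all-ones subnetworks; with classless routing both are usable, which is why the enumeration above lists them.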
ADDRESSING BY SUBNETWORK

(Figure: network 160.10.0.0 subnetted with one subnet bit, mask 255.255.128.0; host 160.10.84.30 belongs to subnetwork 160.10.0.0 and host 160.10.148.30 to subnetwork 160.10.128.0.)
RFC 1918

The following network numbers are private and are not routed on the Internet:
- Class A : 10.0.0.0 (10.0.0.0 to 10.255.255.255)
- Class B : 172.16.0.0 to 172.31.0.0 (16 networks)
- Class C : 192.168.0.0 to 192.168.255.0 (256 networks)

- Natural segregation of private traffic from Internet traffic.
- Requires the presence of an address translator: Network Address Translator (router function).
- The NAT does not replace the firewall and/or proxy server.
ADDRESS TRANSLATION
(Figure: private network, firewall, translator, ISP, Internet.)

Translator location:
- In the firewall
- In the router

Types of translation:
- N private addresses to 1 public address
- N private addresses to M public addresses
- 1 private address to 1 public address

Example : N to M
The NAT (Network Address Translation) function solves the problem associated with the shortage of public addresses. As a side effect it hides the stations of the private network, since an outside host cannot address them directly; this is not a substitute for a filtering policy, which is why the NAT does not replace the firewall.

n private addresses can be associated with a single public address (the front-end router address). The router then separates the flows by identifying each client-server pair in terms of application addressing (port numbers): it rewrites the source port on the way out and restores the private address and port on the way back.
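The N-to-1 translation just described, as an added example that is not the course's code nor any router's implementation: two private hosts open flows to the same server through one public address, the translator allocates a distinct public port per private (address, port) pair, and inbound packets are mapped back only when a table entry exists and the sender is the peer the flow was opened to. The addresses are constructed from the documentation ranges and the class and method names are the author's.

```python
# Added example (not from the course, nor any router's code): an N-to-1 address
# translator (NAPT) that separates flows by port, showing what it does and does
# not block. Plain Python on constructed packets.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    private: Endpoint         # inside address/port
    remote: Endpoint          # outside peer the flow was opened to


@dataclass
class Napt:
    public_ip: str
    next_port: int = 40000                                          # first port of the pool
    by_private: Dict[Endpoint, int] = field(default_factory=dict)   # private endpoint -> public port
    by_public: Dict[int, Mapping] = field(default_factory=dict)     # public port -> mapping

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: allocate a public port for a new flow, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_private:
            port = self.next_port
            self.next_port += 1
            self.by_private[key] = port
            self.by_public[port] = Mapping(key, (pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, self.by_private[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: restore the private address, or drop the packet.

        Dropping happens only because no table entry exists (or the peer differs):
        that is the whole of the "protection" NAT gives, and it is why NAT does
        not replace a firewall, which applies an explicit policy.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self.by_public.get(pkt.dst_port)
        if mapping is None:
            return None                                   # unsolicited: nobody inside asked
        if (pkt.src_ip, pkt.src_port) != mapping.remote:
            return None                                   # another host probing a mapped port
        priv_ip, priv_port = mapping.private
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two private hosts reach the same web server through one public address."""
    nat = Napt(public_ip="203.0.113.1")                   # constructed documentation addresses
    a_out = nat.outbound(Packet("10.0.0.5", 1234, "198.51.100.7", 80))
    b_out = nat.outbound(Packet("10.0.0.6", 1234, "198.51.100.7", 80))   # same private port, new public port
    reply_b = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b_out.src_port))
    probe = nat.inbound(Packet("192.0.2.99", 4444, "203.0.113.1", a_out.src_port))  # not the peer
    return a_out, b_out, reply_b, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The peer check in inbound is what RFC 4787 calls endpoint-dependent filtering; translators that skip it let any outside host reach a private station as soon as it has opened a single flow, which is exactly the kind of gap a firewall policy is there to close.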
(Figure: the IP packet, with its header fields including the DF and MF flags and the TIME TO LIVE, encapsulated in a physical frame between the frame header and the CRC.)
- VERSION (4 bits): IP version number. Current version: 4.
- LENGTH, or IHL (4 bits): total length of the IP header expressed in 32-bit words. Default value: 5 (min = 5, max = 15 depending on the option field).
- SERVICE TYPE (8 bits): type of service required, in terms of reliability, bit rate and network transfer time. Rarely used (value 0).
- TOTAL LENGTH (16 bits): total length of the IP datagram in octets, header included. Minimum value: 20 (a header with no data).
- IDENTIFICATION (16 bits): SDU identification. If fragmentation is used, every fragment of the same datagram carries the same identification.
- FLAGS (3 bits): bit 0: reserved, always 0; bit 1 (Don't Fragment): 1 = fragmentation not allowed / 0 = fragmentation allowed; bit 2 (More Fragments): 1 = intermediate fragment / 0 = last fragment (or unfragmented datagram).
- OFFSET (13 bits): position of the fragment's data relative to the start of the original datagram, in units of 8 octets. Default value: 0 (min = 0, max = 8191).
- TTL (Time To Live, 8 bits): life span of the IP datagram, nominally in seconds but in practice in number of hops. Initial value set by the sender: 15 in the course examples, implementation dependent in general (min = 0, max = 255).
- PROTOCOL (8 bits): higher layer protocol code: TCP, UDP, ICMP, OSPF, etc.
- CHECKSUM (16 bits): header integrity check; recomputed by every router, since the TTL changes at each hop.
- SOURCE ADDRESS (32 bits): IP address of the sending machine.
- DESTINATION ADDRESS (32 bits): IP address of the recipient machine.
- OPTIONS: options associated with the IP protocol: source routing, route recording, security, etc.
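An added example, not from the course, that turns the field list above into bytes and back: it builds a 20-octet header, computes the header checksum the way RFC 1071 describes it, decodes the flags and the 8-octet fragment offset, and then applies a router's treatment (drop a bad checksum silently, drop an expired TTL, otherwise decrement the TTL and recompute the checksum). Only the standard library is used; the addresses are the course's and a few constructed ones, and the function names are the author's.

```python
# Added example (not from the course): build and parse the 20-octet IPv4 header
# listed above, verify its checksum (RFC 1071), decode the fragmentation fields,
# then do what a router does with it. Plain Python, no sockets.
import struct
from typing import Optional

HEADER_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """One's complement of the one's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pack_addr(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64,
                 ident: int = 0, df: bool = False, mf: bool = False, offset: int = 0) -> bytes:
    """Header without options (IHL = 5). offset is in 8-octet units, as on the wire."""
    if not 0 <= offset <= 0x1FFF:
        raise ValueError("fragment offset does not fit in 13 bits")
    flags_offset = (df << 14) | (mf << 13) | offset     # bit 0 (reserved) stays 0
    hdr = struct.pack(HEADER_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, flags_offset,
                      ttl, protocol, 0, pack_addr(src), pack_addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_header(raw: bytes) -> dict:
    """Decode the fields; checksum_ok is True when the whole header sums to zero."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, flags_offset, ttl, proto, csum, src, dst = \
        struct.unpack(HEADER_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    header = raw[:ihl * 4]
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "df": bool(flags_offset & 0x4000), "mf": bool(flags_offset & 0x2000),
        "fragment_offset": (flags_offset & 0x1FFF) * 8,   # back to octets
        "ttl": ttl, "protocol": proto,
        "checksum_ok": checksum(header) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:],
    }


def router_forward(raw: bytes) -> Optional[bytes]:
    """A router's treatment of the header: drop bad checksums silently (the source
    address cannot be trusted), drop expired TTLs (ICMP Time Exceeded goes back),
    otherwise decrement the TTL and recompute the checksum."""
    h = parse_header(raw)
    if not h["checksum_ok"] or h["ttl"] <= 1:
        return None
    out = bytearray(raw)
    out[8] -= 1                                       # TTL
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", checksum(bytes(out[:h["ihl"] * 4])))
    return bytes(out)


if __name__ == "__main__":
    hdr = build_header("150.10.20.30", "160.10.84.30", PROTO_TCP, 100, ttl=15, ident=0x1234, df=True)
    print(parse_header(hdr))
    print(parse_header(router_forward(hdr))["ttl"])
```

Two details a parser must get right, because filters that get them wrong are bypassed with fragments: the offset is stored in 8-octet units, and only the first fragment (offset 0) carries the transport header, so a rule matching on ports cannot be evaluated on later fragments.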
(Figure: an ICMP packet travelling back across networks 1, 2 and 3, from the router that discarded a datagram to the original sender.)
ICMP is an administration protocol for managing the network layer. It provides information on events relating to the IP protocol.

Most ICMP messages are generated by routers and sent to packet senders to notify a problem in routing an IP packet. ICMP monitors the IP protocol. ICMP is implemented over IP (protocol number 1): ICMP PDUs are carried in IP datagrams and routed by the network layer. ICMP sends information to the IP packet sender in the following cases:
- destruction (in a router) following a routing problem,
- destruction following a life span (TTL) problem,
- destruction following an error in the header,
- destruction following a router buffer saturation problem,
- information relating to the accessibility of the recipient IP machine: a better route may be possible via another router.

In addition, ICMP manages basic information relating to the IP layer (e.g. echo).
(Figure: ICMP packet format: TYPE (8 bits), CODE (8 bits), CHECKSUM (16 bits), then message-specific DATA; the ICMP packet follows the IP header inside the physical frame, before the CRC.)
The main ICMP messages sent by routers are listed below:
- Flow control, ICMP_SOURCE_QUENCH (Source Quench, type 4): allows a gateway (or host) to notify network congestion and ask the sender to slow down transmission. No check is run on whether the source has effectively slowed down, and there is no message to tell the source that it can speed up again. (This message has since been deprecated by RFC 6633; routers must not generate it.)
- Time-out, ICMP_TIME_OUT (Time Exceeded, type 11): indicates packet destruction due to TTL expiry (code 0) or reassembly time-out (code 1).
- Header error, ICMP_HEADER_ERROR (Parameter Problem, type 12): reports detection of an error making the datagram unusable. Checksum errors are not handled in this way since, in that case, the sender's IP address is itself unreliable. The errors generally relate to options.
- Error report, ICMP_UNREACHABLE_DEST (Destination Unreachable, type 3): notifies the sender of a datagram that it has not been delivered to the recipient. Generally indicates a routing problem or an unavailable station.
(Figure: ping from a host across networks 1, 2 and 3: an ICMP ECHO REQUEST carried in IP, answered by an ICMP ECHO REPLY.)

Note: a ping of the loopback address (127.0.0.1) checks IP layer activity only, and not the network board, since the packet is looped back inside the IP layer and never reaches the interface.
The ping command is used to test host or router accessibility. The command uses the ICMP echo function: an ICMP packet (echo request) is sent, and its receipt triggers the transmission of a return ICMP packet (echo reply). These packets contain data whose length is configurable. There are numerous options for enhancing the ping command. The main responses to a ping are:
- Host is alive / Reply from host
Or, in the event of a problem:
- Host unreachable
- Network unreachable
- No answer from host / Time out
- Etc.
ICMP REDIRECT

(Figure: a client on network 2 whose default gateway is R1; routers R1 and R2 both connect network 2 to the server's network 3. Steps 1 to 5 are described below.)
The ICMP_REDIRECT message is used by a gateway to tell a host that a better gateway exists. In general this occurs when two gateways are present on the same network and a host on that network has out-of-date routing information leading it to use the less appropriate gateway. The message is not used between two gateways. The example above shows a conventional case of route optimization from a client station:
1. The first packet for the server is sent to the default gateway, R1.
2. Router R1 forwards the packet to router R2.
3. Router R1 tells the client that there is a shorter path to the server's logical network: ICMP Redirect.
4. Router R2 forwards the packet to the server.
5. The client sends subsequent packets directly to router R2.
All IP machines must be capable of interpreting a received ICMP_REDIRECT message. Note, however, that a host accepting redirects from any sender lets an attacker on the same segment rewrite its routes and intercept its traffic; hosts should only honour redirects that come from their current gateway for the destination concerned, and are often configured to ignore them altogether.
Traceroute is a software tool for identifying the nodes crossed by an IP datagram sent to a remote machine. Traceroute is based on the use of "TTL exceeded" ICMP messages.

(Figure: host A sends probes towards host B with TTL = 1, 2, 3, ... n; the probe with TTL = 1 expires at router R1, TTL = 2 at R2, TTL = 3 at R3, and so on to Rn, each router returning a TTL exceeded message that reveals its address.)
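The ping and traceroute mechanisms of the last two sections, simulated as an added example that is not part of the course: a constructed path of three routers decrements the TTL of each echo request, destroys it when the TTL reaches 0 and answers with Time Exceeded, so probing with TTL = 1, 2, 3, ... reveals the routers one by one, while a destination that is not on the path produces Destination Unreachable from the last router. Nothing is sent on a real network; the addresses are from the documentation ranges and the names are the author's.

```python
# Added example (not from the course): ping and traceroute simulated on a constructed
# path A -> R1 -> R2 -> R3 -> B, to show how TTL expiry reveals each router.
# Plain Python; nothing is sent on a real network.
from typing import Dict, List, Tuple

# ICMP message types used below
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


class Path:
    """The routers crossed, in order, to reach one destination host."""

    def __init__(self, routers: List[str], destination: str):
        self.routers = routers
        self.destination = destination

    def send_echo(self, dst: str, ttl: int) -> Tuple[int, str]:
        """Forward an ECHO REQUEST hop by hop. Returns the ICMP type that comes back
        and the address of the node that sent it."""
        if ttl < 1:
            raise ValueError("TTL must be at least 1")
        for router in self.routers:
            ttl -= 1                             # every router decrements the TTL
            if ttl == 0:                         # ... and destroys the packet when it hits 0
                return TIME_EXCEEDED, router     # ICMP Time Exceeded from that router
        if dst != self.destination:
            reporter = self.routers[-1] if self.routers else dst
            return DEST_UNREACHABLE, reporter    # last router has no route to dst
        return ECHO_REPLY, dst                   # the host answers the echo


def ping(path: Path, dst: str, ttl: int = 64) -> str:
    """The replies the ping command prints, as listed on the slide."""
    kind, sender = path.send_echo(dst, ttl)
    messages: Dict[int, str] = {
        ECHO_REPLY: f"Reply from {sender}",
        TIME_EXCEEDED: f"TTL expired in transit (reported by {sender})",
        DEST_UNREACHABLE: f"Destination host unreachable (reported by {sender})",
    }
    return messages[kind]


def traceroute(path: Path, dst: str, max_hops: int = 30) -> List[str]:
    """Probe with TTL = 1, 2, 3, ... and collect who answered each probe.
    Stops at the first answer that is not Time Exceeded."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        kind, sender = path.send_echo(dst, ttl)
        hops.append(sender)
        if kind != TIME_EXCEEDED:
            break
    return hops


if __name__ == "__main__":
    # Constructed topology: three routers between A and B (documentation addresses).
    path = Path(["192.0.2.1", "198.51.100.1", "203.0.113.1"], "203.0.113.50")
    print(ping(path, "203.0.113.50"))
    print(ping(path, "203.0.113.50", ttl=2))
    for n, hop in enumerate(traceroute(path, "203.0.113.50"), 1):
        print(f"{n:2} {hop}")
```

The same property that makes traceroute work makes it a reconnaissance tool: every router that generates Time Exceeded discloses one of its addresses, which is why perimeter devices are often configured not to send it (real traceroutes then show a line of asterisks for that hop).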
(Figure: several DHCP clients on a LAN served by one DHCP server.)
The widespread use of TCP/IP machines (PCs) on local networks has significantly increased the administrator's workload, and therefore the risk of errors associated with manual address management. The most common error is the allocation of duplicate addresses.

The BOOTP protocol (which allows diskless stations or X terminals to boot up on the network) provides mechanisms allowing a station which does not yet exist on the network to contact a server, even though it does not know its own address. The DHCP protocol uses BOOTP as a support (same message format, UDP ports 67 and 68) and adds a high degree of flexibility for allocating an address dynamically. Dynamic Host Configuration Protocol is defined in the RFCs below:
- RFC 1533 "DHCP Options and BOOTP Vendor Extensions"
- RFC 1534 "Interoperation Between DHCP and BOOTP"
- RFC 1541 "Dynamic Host Configuration Protocol"
(RFC 1541 and RFC 1533 have since been superseded by RFC 2131 and RFC 2132.)

DHCP has a facility for permanently storing client configuration parameters and for allocating an IP address dynamically or statically. Along with the address, the server supplies the mask value and the address of the default gateway. Depending on the type of network operation, a server can provide other information such as the address of the DNS server. The allocation can be either permanent or temporary: it is described in terms of a "lease" which the client has to renew periodically.
INITIALIZATION

DHCP DISCOVER (client -> all servers, broadcast)
  Source address: 0.0.0.0
  Destination address: 255.255.255.255
In the initialization phase, the client sends a discover request by IP broadcast over the network. By default the DHCP server must be on the same IP network, since the 255.255.255.255 restricted broadcast does not cross routers. This can be overcome by configuring the router as a DHCP relay agent, so that it forwards the UDP broadcasts as unicast to the address of the server.
SERVER SELECTION

DHCP OFFER (server 150.10.20.30 -> client, broadcast)
  Source address: 150.10.20.30
  Destination address: 255.255.255.255
  IP address: 150.10.20.31
  Subnet mask: 255.255.0.0
  Server identifier: 150.10.20.30
  Lease length: 48 hours
On receiving the discover, the server or servers make an offer containing an IP address, a mask and lease length, together with any other configuration information, at the administrator's initiative.
DHCP REQUEST (client -> selected server, still broadcast)
  Source address: 0.0.0.0
  Destination address: 255.255.255.255
  Requested IP address: 150.10.20.31
  Server identifier: 150.10.20.30
  Requested parameters ...
The DHCP client may make a selection if more than one server is offered, and then send a request to the selected server. However, these interchanges are still executed by IP broadcast.
Page 42
ATTACHMENT
DHCP ACK (DHCP server 150.10.20.30 to DHCP client, by broadcast): Source Address 150.10.20.30, Dest. Address 255.255.255.255, IP Address 150.10.20.31, Subnet Mask 255.255.0.0, Server Identifier 150.10.20.30, Lease Length 48 Hours, Default Gateway 150.10.20.35, Other Requested Parameters ...
The DHCP server selected sends an acknowledgement (DHCP ACK) containing the address initially sent during the exploratory phase and a lease length valid for this address, together with TCP/IP network configuration parameters for the client. After receiving the acknowledgement, the client is attached and can now operate on the TCP/IP network and terminate the startup procedure. Client computers with the appropriate facility can store the received address locally so that it can be used on subsequent startups. When the lease is about to expire, the client attempts to renew the lease with the DHCP server. If the current lease cannot be renewed, the client receives a new IP address.
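The four-step initialization described above, followed by a unicast lease renewal, as an added example that is not part of the original course. Messages are plain dicts rather than real BOOTP/DHCP packets; the addresses, mask, gateway and 48-hour lease are the slide values, the client MAC and the pool bounds are constructed.

```python
"""Model of the DHCP initialization exchange (DISCOVER, OFFER, REQUEST, ACK)
plus a unicast lease renewal. Added example, not course code: messages are
dicts, not BOOTP/DHCP packets; addresses/mask/gateway/lease are slide values."""
import ipaddress

BROADCAST = "255.255.255.255"
UNSPECIFIED = "0.0.0.0"   # a client with no address yet sends from 0.0.0.0


class DhcpServer:
    """Allocates leases from a pool and tracks which client holds which address."""

    def __init__(self, server_ip, first, last, mask, gateway, lease_hours):
        self.server_ip = server_ip
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.mask, self.gateway, self.lease_hours = mask, gateway, lease_hours
        self.leases = {}    # client MAC -> address acknowledged (ACK sent)
        self.offered = {}   # client MAC -> address offered, not yet requested

    def _params(self, addr):
        return {"ip_address": addr, "subnet_mask": self.mask,
                "server_identifier": self.server_ip,
                "lease_length_hours": self.lease_hours}

    def _free_address(self):
        used = set(self.leases.values()) | set(self.offered.values())
        return next((a for a in self.pool if a not in used), None)

    def handle(self, msg):
        """Returns the server's reply, or None when this server stays silent."""
        kind, mac = msg["type"], msg["client_mac"]
        # Replies to an addressless client are broadcast; replies to a renewing
        # client go back to its current address.
        reply_to = BROADCAST if msg["src"] == UNSPECIFIED else msg["src"]
        if kind == "DISCOVER":
            addr = self.leases.get(mac) or self.offered.get(mac) or self._free_address()
            if addr is None:
                return None                     # pool exhausted: no OFFER
            self.offered[mac] = addr
            return {"type": "OFFER", "src": self.server_ip, "dst": reply_to,
                    **self._params(addr)}
        if kind == "REQUEST":
            if msg["server_identifier"] != self.server_ip:
                self.offered.pop(mac, None)     # client picked another server
                return None
            addr = msg["requested_ip"]
            # Only acknowledge an address this client was offered or already holds.
            if addr not in (self.offered.get(mac), self.leases.get(mac)):
                return {"type": "NAK", "src": self.server_ip, "dst": reply_to,
                        "server_identifier": self.server_ip}
            self.offered.pop(mac, None)
            self.leases[mac] = addr
            return {"type": "ACK", "src": self.server_ip, "dst": reply_to,
                    **self._params(addr), "default_gateway": self.gateway}
        raise ValueError("unsupported DHCP message type: " + kind)


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.ip, self.config = mac, UNSPECIFIED, None

    def discover(self):
        return {"type": "DISCOVER", "client_mac": self.mac,
                "src": UNSPECIFIED, "dst": BROADCAST}

    def select(self, offers):
        """Choose one OFFER (here: the longest lease) and build the broadcast REQUEST."""
        best = max(offers, key=lambda o: o["lease_length_hours"])
        return {"type": "REQUEST", "client_mac": self.mac, "src": UNSPECIFIED,
                "dst": BROADCAST, "requested_ip": best["ip_address"],
                "server_identifier": best["server_identifier"]}

    def renew(self):
        """Renewal REQUEST: sent unicast to the server that granted the lease."""
        server = self.config["server_identifier"]
        return {"type": "REQUEST", "client_mac": self.mac, "src": self.ip,
                "dst": server, "requested_ip": self.ip, "server_identifier": server}

    def attach(self, reply):
        if reply["type"] != "ACK":
            self.ip, self.config = UNSPECIFIED, None
            return False
        self.ip, self.config = reply["ip_address"], reply
        return True


def initialize(client, servers):
    """DISCOVER -> OFFER(s) -> REQUEST -> ACK; returns the client's configuration."""
    offers = [o for o in (s.handle(client.discover()) for s in servers) if o]
    request = client.select(offers)
    replies = [r for r in (s.handle(request) for s in servers) if r]
    client.attach(replies[0])     # only the selected server answers the REQUEST
    return client.config


def demo():
    # Constructed pool 150.10.20.31-40 on the slide's server 150.10.20.30.
    server = DhcpServer("150.10.20.30", "150.10.20.31", "150.10.20.40",
                        "255.255.0.0", "150.10.20.35", 48)
    client = DhcpClient("00-10-7B-38-52-EC")
    config = initialize(client, [server])
    renewal = server.handle(client.renew())
    return config, renewal
```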
Page 43
RENEWAL
DHCP REQUEST (DHCP client to DHCP server 150.10.20.30, unicast): Source Address 150.10.20.31, Dest. Address 150.10.20.30, Req IP Address 150.10.20.31, Server Identifier 150.10.20.30, Requested Parameters ...
Page 44
REATTACHMENT
DHCP REQUEST (DHCP client to DHCP server, by broadcast): Source Address 150.10.20.31, Dest. Address 255.255.255.255, Req IP Address 150.10.20.31, Server Identifier 150.10.20.30, Requested Parameters ...
Page 45
EXTENDED INTERSECTION (two DHCP servers with overlapping extended address ranges)
DHCP server 1: 150.10.20.1 to 150.10.20.100
DHCP server 2: 150.10.20.75 to 150.10.20.175
Page 46
True or False
IP is named this way because it can interconnect any type of network.
An IP characteristic is as follows: Best Effort Delivery; so it is a protocol ideal for voice transmission.
A broadcast packet never goes through routers.
The mask is used for IP packet routing.
A router has several IP addresses, one for each connected network.
The ICMP goal is to allow IP packets to go correctly to the destination.
An IP host cannot work correctly if DHCP is not managed.
True False
Page 47
Page 48
IP
Page 49
Ethernet DIX V2 frame: Destination (48 bits) | Source (48 bits) | Type (16 bits, 0x0800 for IP) | IP Header + Data (the IP datagram)
IEEE 802.3 / 802.2 (LLC) frame: Destination (48 bits) | Source (48 bits) | Data length (16 bits) | DSAP (8 bits) | SSAP (8 bits) | Ctrl (8 bits) | IP header + Data (the IP datagram)
The ISO 8802 standard is split into a number of parts:
- ISO 8802.1 defines the general organization of layers 1 and 2.
- ISO 8802.2 defines the higher part of layer 2, called LLC (LOGICAL LINK CONTROL), including a number of protocol types.
The "type" field in the Ethernet DIX V2 standard is used to detect the higher level protocol. Standard 802.3 replaces this field with a length field, defining the length of the information field. However, it is still possible for these two methods to co-exist on the same LAN since the maximum length is 1500 octets and protocol type codes are set to a higher value.
Page 50
ARP exchange between A and B on the same LAN (the Router is not involved):
ARP Request (MAC broadcast): IP(A) = 150.10.20.30, IP(B) = 150.10.20.31, Eth(A) = 00 10 7B 38 52 EC, Eth(B) = ?
ARP Reply (from B to A): Eth(B) = 080026235577
The IP network logical address facilitates end-to-end addressing on a virtual IP network. Local routing using successive approximation (physical network) is based on MAC layer physical addressing. It is therefore necessary to map the destination IP address (intermediate router to end user machine) to the MAC address of this recipient. On broadcast networks (that is, networks with a MAC broadcast address), the ARP protocol handles address resolution dynamically. It updates a table (ARP cache) mapping IP and MAC addresses. It is based on a two-frame interchange:
Request: sent by the IP machine with an IP packet to send to an IP machine whose MAC address it does not know; broadcast over the LAN (does not cross routers); contains the IP address to be mapped, among other information.
Reply: sent by a machine (recognizing its IP address in the request) to the machine making the request; contains the required MAC address.
Page 51
ARP request for a recipient on another logical network (the Router replies):
ARP Request (MAC broadcast): IP(A) = 150.10.20.30, IP(B) = 160.10.20.31, Eth(A) = 00 10 7B 38 52 EC, Eth(B) = ?
If the IP recipient is not on the same logical network as the machine sending the request, the MAC address received is not that of the final recipient, but the address of a recipient on the LAN (that is, the gateway router providing access to the destination network). Since the gateway router replies instead of the recipient, the operation is called proxy ARP.
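The two-frame ARP interchange and the proxy ARP case above, as an added example that is not part of the original course. Hosts A and B and the gateway use the slide addresses; the router's MAC address and the 160.10.0.0/16 remote network are constructed.

```python
"""Model of ARP resolution on a broadcast LAN, including proxy ARP by the
gateway router for an off-network address. Added example, not course code;
the router MAC and the remote network prefix are constructed values."""
import ipaddress


class Lan:
    """A broadcast medium: an ARP request reaches every attached node."""

    def __init__(self):
        self.nodes = []

    def broadcast(self, request):
        replies = []
        for node in self.nodes:
            if node.mac == request["sender_mac"]:
                continue                    # the sender does not answer itself
            reply = node.on_arp_request(request)
            if reply:
                replies.append(reply)
        return replies


class Host:
    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_cache = {}         # IP address -> MAC address
        self.requests_sent = 0      # how many ARP requests actually went on the LAN
        lan.nodes.append(self)

    def on_arp_request(self, request):
        """An ordinary host only replies when the request carries its own IP address."""
        if request["target_ip"] == self.ip:
            return {"sender_ip": self.ip, "sender_mac": self.mac}
        return None

    def resolve(self, target_ip):
        """Two-frame interchange: broadcast request, unicast reply, cache update."""
        if target_ip in self.arp_cache:
            return self.arp_cache[target_ip]
        request = {"sender_ip": self.ip, "sender_mac": self.mac, "target_ip": target_ip}
        self.requests_sent += 1
        replies = self.lan.broadcast(request)
        if not replies:
            return None                 # nobody on the LAN answers for that address
        self.arp_cache[target_ip] = replies[0]["sender_mac"]
        return replies[0]["sender_mac"]


class ProxyArpRouter(Host):
    """Also answers requests for addresses on the networks it gives access to."""

    def __init__(self, ip, mac, lan, remote_networks):
        super().__init__(ip, mac, lan)
        self.remote_networks = [ipaddress.ip_network(n) for n in remote_networks]

    def on_arp_request(self, request):
        own = super().on_arp_request(request)
        if own:
            return own
        target = ipaddress.ip_address(request["target_ip"])
        if any(target in net for net in self.remote_networks):
            # Proxy ARP: the router's MAC is returned on behalf of the remote host.
            return {"sender_ip": request["target_ip"], "sender_mac": self.mac}
        return None


ROUTER_MAC = "00:00:0C:11:22:33"   # constructed value


def demo():
    lan = Lan()
    a = Host("150.10.20.30", "00:10:7B:38:52:EC", lan)
    Host("150.10.20.31", "08:00:26:23:55:77", lan)
    ProxyArpRouter("150.10.20.35", ROUTER_MAC, lan, ["160.10.0.0/16"])
    return {
        "same_lan": a.resolve("150.10.20.31"),      # B answers itself
        "via_proxy": a.resolve("160.10.20.31"),     # the router answers for 160.10.20.31
        "unreachable": a.resolve("170.10.20.31"),   # no reply at all
        "cache": dict(a.arp_cache),
    }
```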
Page 52
POINT-TO-POINT PROTOCOL
PPP is a layer 2 protocol (HDLC type)
Usable on a transparent circuit with synchronous or asynchronous transmission
Basic functionalities:
Link configuration and link option negotiation
Protocol multiplexing by encapsulation and identification
Link quality testing and error detection
Authentication
Header compression
Choice of CRC
Incorporates sub-protocols:
LCP (Link Control Protocol)
IPCP (IP Control Protocol)
NCP (Network Control Protocol)
Two protocols are used to implement IP in transparent mode on a serial link or PSTN/ISDN circuit. The historic standard is SLIP (Serial Line IP). This very simple method, limited to asynchronous serial transmission (low rate), is now practically obsolete. PPP is a much more complete protocol and can even be used for direct transmission on a very high rate SDH link. PPP fully defines line management (layers 1 and 2), the encapsulation method and higher level (layer 3) protocol management using the serial link as the layer 2 bearer. It incorporates three elements:
Datagram encapsulation method.
Link control protocol: LCP.
Network control protocol: NCP (layer 3 management protocols), of which the IP control protocol, IPCP, is the one used for IP.
Page 53
PPP AUTHENTICATION
PAP (Password Authentication Protocol): plain text password
CHAP (Challenge Handshake Authentication Protocol): the PPP server sends a random challenge to the PPP client; each side computes MD5 over the secret password and the challenge; the client returns its result in a Reply and the server compares the received value with its calculated value (rcvd = calc: OK, otherwise not OK)
PPP incorporates identification and authentication mechanisms. Password Authentication Protocol (PAP) is used for simple identification by interchanging a password associated with a user name. However, the password is transmitted "in plain text", and the number of attempts is unlimited. The CHAP protocol is more effective. Challenge Handshake Authentication Protocol works on the principle of a "question of the day". Identification-authentication involves an encrypted interchange and only one attempt is permitted. In addition, the encrypted sequence is not permanent and copying it does not guarantee access. Each time the link is established, a new challenge is proposed. The PPP protocol also has a callback mechanism for guaranteeing security on switched access (for example, ISDN).
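The CHAP exchange described above, as an added example that is not part of the original course. It uses the MD5 algorithm of RFC 1994 (Response = MD5(Identifier || secret || Challenge)); the user name and secret are constructed values, and the one-attempt and fresh-challenge properties stated in the text are shown explicitly.

```python
"""CHAP challenge/response with the RFC 1994 MD5 algorithm. Added example, not
course code; the user name and secret below are constructed values."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Computed identically on the PPP client and on the PPP server."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PppServer:
    """Holds the shared secrets and issues a fresh random challenge per link set-up."""

    def __init__(self, secrets):
        self.secrets = secrets      # user name -> secret password (never sent on the link)
        self.identifier = 0
        self.pending = {}           # identifier -> challenge still awaiting its reply

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)       # "question of the day": a new random value each time
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        """One attempt per challenge: the challenge is discarded whatever the outcome."""
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class PppClient:
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def answer(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def establish_link(server, client):
    """Full CHAP exchange: Challenge -> Response -> Success/Failure."""
    identifier, chal = server.challenge()
    name, response = client.answer(identifier, chal)
    return server.verify(identifier, name, response)


def copied_response_is_rejected(server, client):
    """The property stated above: a response copied from one link set-up does not
    open the next one, because the server proposes a new challenge."""
    identifier, chal = server.challenge()
    name, response = client.answer(identifier, chal)
    if not server.verify(identifier, name, response):
        raise RuntimeError("genuine link set-up should be accepted")
    next_identifier, _ = server.challenge()                  # next link set-up
    return server.verify(next_identifier, name, response)    # same bytes again: False
```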
Page 54
Example: LAN 1 and LAN 3 interconnected over an X.25 network by routers R1, R2 and R3, each identified on the X.25 network by an X.121 address (@X121 R1, @X121 R2, @X121 R3)
Packet mode, X.25 and FR wide area networks are based on setting up virtual circuits either statically or dynamically. It is therefore necessary to implement a module for managing these circuits transparently for IP. Since broadcast mechanisms do not exist on these networks, it is not possible to dynamically load the ARP cache. For this reason, the link must be established manually between the IP address and either the X.121 address for an SVC (Switched Virtual Circuit), or the LCN (Logical Channel Number) for a PVC (Permanent Virtual Circuit). The use of X.25 for transporting IP datagrams incorporates a special feature. Encapsulation is used from layer 3 to layer 3. The IP datagram is encapsulated in an X.25 data packet which itself is encapsulated in an X.25 frame.
Page 55
Example: LAN 1 and LAN 3 interconnected over a Frame Relay (FR) network; the virtual circuit is identified by DLCI R23 at one end and DLCI R32 at the other
The use of Frame Relay for IP transport has now replaced X.25. The same principle is used, except that to date Frame Relay is used in PVC mode only, and therefore setup/release phase management is not required for the virtual circuit. Mapping layer 3 and layer 2 addresses consists of associating the IP address of the remote router with a logical connection identifier, called the Data Link Connection Identifier (DLCI).
Page 56
Example: LAN 1 connected over the Frame Relay / ATM network; address table on the router (WAN IP address of the remote router mapped to the circuit identifier):
@IP R1 Wan --> VPI/VCI R31
@IP R2 Wan --> VPI/VCI R32
The use of ATM for IP transport is at present mainly reserved for operator and very large business backbones. The operating principle is the same as for Frame Relay. ATM is also used in permanent virtual circuit mode, and the IP address of the remote router is mapped to the VPI-VCI (Virtual Path Identifier-Virtual Circuit Identifier) identifying the circuit.
Page 57
True or False
IP packets are segmented into packets of 1500 bytes for delivery to the lower layer.
ARP makes it possible to find an IP host by knowing its MAC address.
PPP is a protocol at the same layer as Ethernet.
2 LANs may be connected through the PSTN using PPP.
2 PCs can be connected together by serial link, in order to make an IP network. This local network can be connected to the Internet by linking one of them by modem.
As IP can be placed above any type of physical network, it can be implemented in mobile networks.
An IP host may be a router, by only adding specific software.
True True
Page 58
Page 59
APPLICATION-ORIENTED ADDRESSING
Station A (TCP - UDP / IP stack) runs: Appli X Client, Appli Y Server, Appli Z Server
Station B (TCP - UDP / IP stack) runs: Appli X Server, Appli Y Client
Layer 4 (transport) provides an end-to-end service between communicating applications (processes). In TCP/IP architecture, two transport protocols are used to perform this function. The transport service provided by Transmission Control Protocol (TCP: reliable transport mode) and User Datagram Protocol (UDP: non-assured transport mode for transactional traffic) is an addressing service for communication between two application processes. Any process wanting to communicate with a remote process is identified on the transport layer by a port number (encoded on 16 bits). A complete layer 4 address therefore incorporates two fields: IP address identifying the Host on the logical network, port number identifying the application within the host.
In TCP/IP terminology, this address is called a "socket". Each application process has an address of this type. Two processes therefore communicate by associating two sockets. An application stream (communication channel) between two processes is defined by:
- local IP address, local port number, remote IP address, remote port number, type of transport.
The "type of transport" field allows either TCP or UDP transport to be used for a given application.
Page 60
Services file
Number    Protocol Keyword   Description
20/tcp    ftp-data           File Transfer Protocol [Default Data]
21/tcp    ftp                File Transfer Protocol [Control]
23/tcp    telnet             Telnet
25/tcp    smtp               Simple Mail Transfer Protocol
53/udp    domain             Domain Name Server
67/udp    bootps             Bootstrap Protocol Server
68/udp    bootpc             Bootstrap Protocol Client
69/udp    tftp               Trivial File Transfer Protocol
79/tcp    finger             Finger
80/tcp    www-http           World Wide Web HTTP
88/udp    kerberos           Kerberos
109/tcp   pop2               Post Office Protocol - Version 2
110/tcp   pop3               Post Office Protocol - Version 3
111/udp   sunrpc             SUN Remote Procedure Call
161/udp   snmp               SNMP
162/udp   snmptrap           SNMP TRAP
512/tcp   exec               Remote Process Execution
513/tcp   login              Remote Login
520/udp   router             RIP
Port numbers can be assigned in three ways: port number specified in the code, port number read in a configuration file, port number assigned by the system.
The port number is assigned to the client when it requests a connection (TCP) or when it sends data (UDP). Port numbers are reserved. They are used by standard application services such as ftp, telnet, etc. The application connection is always initiated by the Client, and the server monitors the port representing the application. Two client-server relations cannot be confused since each session is assigned a port number dynamically (port mapper function), and the application address also consists of two data fields: the application port number (static) and the session port number (dynamic). Application port numbers known to the system are listed in the services file.
Page 61
Connection-oriented mode: 3 phases (Set-up - Transfer - Release)
Reliable transfer mode
Fragmentation (octet stream)
Guaranteed sequencing
Error recovery (timer protection)
Window flow control
"Forced delivery" option: PSH flag
"Urgent data" option: URG flag
Sequencing
The TCP layer is capable of fragmenting data it receives. Although the TCP service is a "continuous octet stream" service, TCP sequences the segments transmitted by allocating sequence numbers. The sequence number representing a volume of data is also used for acknowledgement purposes.
Error recovery
Since IP is by design not reliable, TCP must know how to detect loss of octets and recover this condition. Detection is based on a timed acknowledgement mechanism, and recovery is based on retransmission.
Flow control
The flow control mechanism in TCP is based on the use of an anticipation window. This window represents a volume of octets which the receiver is capable of receiving at a given time. The receiver therefore manages the window for the sender to which it is connected. Since transfer is full-duplex, the same independent mechanism is used at both ends (send and receive).
In the event of congestion, failure to update the window results in transfer termination, avoiding data loss. TCP uses a set of pointers for managing operating mechanisms.
Page 62
Connection set-up between TCP client A and TCP server B over the IP network:
A -> B: <SYN> Snd SEQ N : 3256
B -> A: <SYN> <ACK> Snd SEQ N : 2650, Ack SEQ N : 3257
A -> B: <ACK> Snd SEQ N : 3257, Ack SEQ N : 2651
Connection phase During this phase, the transport connection is set up between the two remote processes. Each end of the link initializes the connection using the SYN pointer. Each request is acknowledged by the ACK pointer and Seq N +1. This means that there are two logical connections between the two processes: one for each transmission direction, each set up on the send side. These two connections are totally independent (characteristics / parameters, use, etc).
Page 63
Exchange between Client Appli / TCP and TCP / Server Appli across the IP network:
Set-up:
Client -> Server: SYN 3256
Server -> Client: ACK 3257, SYN 2650
Client -> Server: ACK 2651
Transfer:
Client -> Server: PSH 3257, ACK 2651, lg=100
Server -> Client: ACK 3357, PSH 2651, lg=500
Client -> Server: ACK 3151
Server -> Client: ACK 3357, PSH 3151, lg=200
Server -> Client: ACK 3357, PSH 3351, lg=600
Client -> Server: ACK 3951
Transfer phase During this phase, the two processes simultaneously interchange a bidirectional octet stream (TCP-PDU). For TCP, the unit of transfer is the segment. Each segment contains n octets of the N octets in the message sent by the application. TCP does not therefore provide a block transmission service. It provides a send/receive service for a linear stream of octets with no separator and no structure. The application process cannot force TCP to delimit the blocks it sends. The remote process must be capable of rebuilding the blocks received and therefore finding the block separators (applications!) in the linear stream of octets received from TCP. Information transfer by TCP is guaranteed in sequence, error free and with no losses. Transfer reliability is guaranteed by acknowledgement mechanisms, send/receive sequence numbers and the ACK pointer. A PUSH pointer forces delivery without waiting for a complete segment, such as transmission of a single character, and an URG pointer forces transmission even if the window is blocked for flow control purposes.
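The sequence and acknowledgement number bookkeeping behind the set-up and transfer exchange on the slides above (client ISN 3256, server ISN 2650, then segments of 100, 500, 200 and 600 octets), as an added example that is not part of the original course. It also shows what happens to a segment that arrives out of sequence: it is not acknowledged, so the sender's timer will trigger a retransmission.

```python
"""Sequence/acknowledgement bookkeeping for the TCP exchange on the slides.
Added example, not course code; ISNs, flags and lengths are the slide values."""


class TcpEnd:
    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn        # sequence number of the next octet this end sends
        self.rcv_nxt = None       # next octet expected from the peer = value we acknowledge

    def send(self, flag=None, length=0):
        """Build a segment; SYN and FIN each consume one sequence number, data its length."""
        flags = {flag} if flag else set()
        if self.rcv_nxt is not None:
            flags.add("ACK")      # every segment after the first SYN carries an ACK
        seg = {"flags": flags, "seq": self.snd_nxt, "ack": self.rcv_nxt, "len": length}
        self.snd_nxt += length + (1 if flag in ("SYN", "FIN") else 0)
        return seg

    def receive(self, seg):
        """Accept only the in-sequence segment; anything else stays unacknowledged."""
        if self.rcv_nxt is not None and seg["seq"] != self.rcv_nxt:
            return False
        consumed = seg["len"] + (1 if seg["flags"] & {"SYN", "FIN"} else 0)
        self.rcv_nxt = seg["seq"] + consumed
        return True


def run_slide_exchange():
    """Replays the set-up and transfer phases; returns the trace and both ends."""
    client, server = TcpEnd("client", 3256), TcpEnd("server", 2650)
    trace = []

    def deliver(src, dst, seg):
        accepted = dst.receive(seg)
        trace.append((src.name, " ".join(sorted(seg["flags"])),
                      seg["seq"], seg["ack"], seg["len"], accepted))

    deliver(client, server, client.send("SYN"))          # SYN 3256
    deliver(server, client, server.send("SYN"))          # ACK 3257, SYN 2650
    deliver(client, server, client.send())               # ACK 2651
    deliver(client, server, client.send("PSH", 100))     # PSH 3257, ACK 2651, lg=100
    deliver(server, client, server.send("PSH", 500))     # ACK 3357, PSH 2651, lg=500
    deliver(client, server, client.send())               # ACK 3151
    deliver(server, client, server.send("PSH", 200))     # ACK 3357, PSH 3151, lg=200
    deliver(server, client, server.send("PSH", 600))     # ACK 3357, PSH 3351, lg=600
    deliver(client, server, client.send())               # ACK 3951
    return trace, client, server
```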
Page 64
Disconnection between TCP client A and TCP server B over the IP network:
<END> Snd SEQ N 3357
<ACK> Snd SEQ N 3258, Ack SEQ N 3952
Disconnection phase This phase consists of two fully asynchronous sub-phases. TCP disconnection is secured insofar as it must be executed at both ends. In fact, there is a send disconnection for each TCP layer. This disconnection is acknowledged and any data not sent is sent before the disconnect TCP-PDU. On receiving a disconnect request, the TCP knows that the sender has no further data to send. The receiving TCP can continue to send. Disconnection is complete when TCP has sent its request. This type of disconnection is normal and guaranteed with no loss of data. The END pointer is used for disconnection. A sudden disconnection facility exists: Use of the RESET pointer (possible data loss).
Page 65
TCP : FORMAT
TCP segment header (two 16-bit halves, bits 0-15 and 16-31, of each 32-bit word):
SOURCE PORT N | DESTINATION PORT N
SEND SEQUENCE NUMBER
ACKNOWLEDGEMENT NUMBER
OFFSET | RESERVED | URG ACK PSH RST SYN FIN | WINDOW
CHECKSUM | URGENT POINTER
OPTIONS + PADDING
followed by the data of the TCP segment
SOURCE PORT: TCP port of the application sending the segment.
DESTINATION PORT: TCP port of the application receiving the segment.
SEQUENCE NUMBER: Sequence number of the TCP segment sent.
ACKNOWLEDGEMENT NUMBER: Acknowledgement number for the TCP segment sequence number.
OFFSET: Indicates the position of the data in the segment from the beginning of the header (expressed in number of 32-bit words).
CHECKSUM: TCP segment check, computed over a pseudo-header containing the destination IP address.
WINDOW: Number of octets which can be transmitted before acknowledgement.
URGENT POINTER: Segment contains urgent data (if URG = 1).
FLAGS:
URG : Indicates presence of urgent data in the segment
ACK : Acknowledgement number validation
PSH : Indicates that data must be sent immediately (push)
RST : Indicates a connection reset (connection break)
SYN : Connection set-up
END (FIN) : End of connection: release
OPTIONS: Allows interchange of optional information between modules (not used).
Page 66
Connectionless mode transport protocol
Transactional traffic oriented
Also used by applications which have control over transmissions (e.g. tftp)
In network terms, reduced overhead compared to TCP
UDP packet checksum calculated over a pseudo-header (UDP header plus the source and destination IP addresses; on receipt, the pseudo-header is rebuilt from the IP source address and the local IP address and ports)
Used by NFS, BOOTP, TFTP, SNMP, RIP, ...
UDP protocol can be thought of as an empty layer offering a simple layer 4 addressing service. It does not improve the service provided by the IP layer. It provides a simultaneous bidirectional transport service in datagram mode (block-oriented). UDP protocol therefore has only one T-PDU: a data PDU! UDP provides the following service: creation of send or receive ports, receipt of T-PDU with data communication and the sender's socket reference (IP address, port number), data sending with processing of parameters forming the send and receive T-SAP (socket).
Page 67
UDP : FORMAT
UDP segment header (two 16-bit fields per 32-bit word):
SOURCE PORT | DESTINATION PORT
LENGTH | CHECKSUM
DATA
CHECKSUM:
UDP packet integrity check (checksum calculation is optional and a 0 value indicates that the checksum has not been calculated). Same checksum calculation method as in IP and TCP.
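The transport checksum over the pseudo-header, as described for TCP above and for UDP here, as an added example that is not part of the original course. It builds a UDP datagram with the slide's client and server addresses (DHCP ports 68 to 67, constructed payload), verifies it on the receiving side, and shows that a datagram delivered to the wrong IP address, a corrupted datagram and a checksum-less (0) datagram are each distinguished; the same method is applied to a TCP segment.

```python
"""Internet checksum over the pseudo-header for UDP and TCP (RFC 768/793
method, one's-complement sum of RFC 1071). Added example, not course code;
addresses and ports come from the slides, the payload is constructed."""
import socket
import struct

PROTO_TCP, PROTO_UDP = 6, 17


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, shared by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"                     # odd length: pad with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """Source IP, destination IP, zero, protocol, transport length: the IP-layer
    fields covered by the transport checksum but not carried in the segment."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, proto, length))


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zero while computing
    csum = 0                                                  # 0 on the wire = "not calculated"
    if with_checksum:
        csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + header + payload)
        if csum == 0:
            csum = 0xFFFF     # a computed zero is sent as all ones so that 0 keeps meaning "absent"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip, dst_ip, datagram) -> str:
    """Receiver side: 'absent' (checksum 0), 'ok' or 'bad'. Summing the datagram
    together with its own checksum field gives zero when everything is intact."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if csum == 0:
        return "absent"
    if length != len(datagram):
        return "bad"
    total = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + datagram)
    return "ok" if total == 0 else "bad"


def tcp_checksum(src_ip, dst_ip, segment: bytes) -> int:
    """Same method for TCP: the pseudo-header length is the whole segment length.
    Pass the segment with its checksum field zeroed to compute it; pass the
    finished segment to verify (the result is then 0)."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(segment)) + segment)
```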
Page 68
SOCKET INTERFACE
Development interface for communication between remote processes
The "socket" interface is derived from BSD UNIX 4.2. It generalizes interprocess communication and allows development of network-based client-server applications
Sockets are used as interfaces with communication protocols
Among other things, they allow a port N (application) to be associated with an IP address (host)
They make TCP/IP protocols transparent to applications
Each application process using TCP/IP is identified by a data pair consisting of the machine's IP address and a local port number (relative to the machine). This reference is called the socket and therefore represents the programming interface for access to the Transport service in TCP/IP architecture. The reference consists of a set of primitives for accessing TCP and UDP transport services. The interface provides a resource for communication between Client and Server processes. The two processes can be running on the same machine or on two remote machines. A socket is a communication point with a domain, name and type. Domain: Specifies the type of protocol used: UNIX : process on the same UNIX machine. INET : remote processes communicating via TCP/IP protocol.
Name: Defines the socket reference. The reference content varies according to the socket domain. Type: Determines the way in which data is routed. In the TCP/IP domain, there are three possible types: STREAM, DATAGRAM or RAW.
Page 69
True or False
All the applications must use TCP or UDP to access the IP network.
If an application is associated to a port number, it means that this application is connected to the Internet at this moment.
The checksum on the TCP/UDP header also allows parts of the IP header to be verified.
TCP is defined as reliable because it has 3 working steps: Establishment, Transfer, Release.
A WEB server will always listen on its dedicated port (port 80). Otherwise, this server will not work at all.
All TCP messages must be acknowledged.
If UDP is used to send data, the transmission may become reliable by adding controls in the application layer part.
Answers: False, False, True, False, False, True, True
Page 70
Complete the following protocol stack:
Applications: Ping, traceroute, ...
Application protocols
Sockets (Port + @IP)
TCP (Reliability, Robust) | UDP (Speed, Simple)
ICMP
IP (Routing)
LAN | RTC (PSTN) | ATM | X25
Page 71
Page 72
NAME SERVICE
The user manipulates server names and the network manipulates a server IP address.
Problems:
Finding an IP address based on a host name
More than one type of name:
TCP/IP name: standard, used by applications such as http, ftp, smtp, snmp, ...
Netbios name: Windows/Microsoft name, used by Netbios applications (SMB sharing, ...)
Page 73
"Static" resolution
Host (standard) or lmhosts (Netbios) file:
150.10.20.30 Mon_Host
150.10.20.31 Ton_Host
"Dynamic" resolution
DNS: standard TCP/IP name resolution, replaces the hosts file
WINS: Netbios resolution, replaces broadcasts and the lmhosts file
DNS (Domain Name Service) is a standard protocol for resolving machine names (symbolic) into IP logical addresses (used by communication protocols). It is especially designed for large TCP/IP networks (DNS is used on the Internet). Historically, TCP/IP users directly specify the IP addresses of the corresponding applications. These addresses are then replaced locally by host names using a hosts file. Nowadays, DHCP servers have a facility for managing the hosts file.
Page 74
DNS RESOLUTION
History
Impossible to load a hosts file into all Internet stations
Domain Name Service standardized by RFC
Principle
Names organized hierarchically in a Domain Name Tree
Simple request / response interchange protocol
Uses UDP and TCP
Cooperation between servers forming a network
For very large networks, maintaining local "mapping" files soon became impossible. Initially, for the Internet, the NIC had a file with all existing (name, IP address) pairs which stations could download via ftp. These mechanisms were superseded by a network of DNS servers. The DNS system is therefore both a system for naming machines in a TCP/IP network and an address resolution protocol (mapping machine names and IP addresses).
Page 75
Example of the Domain Name Tree:
. (root)
ru -> alcatel -> mow -> www.mow.alcatel.ru
com -> alcatel -> usa -> www.usa.alcatel.com
fr -> alcatel -> europe -> www.europe.alcatel.fr
jp -> co -> alcatel -> www.alcatel.co.jp
DNS is based on the concept of a naming hierarchy which involves partitioning the naming space and arranging it as a tree. A machine name will therefore be complex and referenced relative to the location of the machine on the tree. This type of name breakdown and mapping administration (name, IP address) is similar to the hierarchical organization in a large company with divisions split into departments which in turn are divided into sections. Each manager on each hierarchical level has a degree of authority and autonomy within his or her domain. DNS is based on this principle and a machine name becomes: - hostname.sub_domain. ... .root_domain where: hostname : machine name (lowest level), sub_domain : intermediate administration subdomain, root_domain : highest administration domain (on the tree).
Page 76
Open to all:
Com : Commercial (highest demand!)
Edu : universities
Net : network domain companies
Org : miscellaneous organizations
Int : international (little used)
Reserved for United States:
Gov : American government
Mil : American military
And also:
Firm : Business (to alleviate .com)
Shop : Trader
Web : Company working for the Web
Arts : Culture and events
Rec : Recreation and leisure
Info : Content editors, media
Nom : Personal home pages
Country (ISO naming):
Fr : France
Uk : United Kingdom
Ru : Russia
Each name (except on the lowest level) represents a DNS domain which forms an administration and autonomous management entity over which an administrator has authority and therefore manages internal mapping (name, IP address). Internet naming is based on the principles above. Root domain names are listed below:
edu : Universities and schools
gov : Government agencies
com : Businesses
mil : Military administrations
fr, us : Countries (France, United States)
Note: The example is incomplete and does not show the full extent of the current name space on the Internet. The hierarchy has no specific root. On the Internet, the NIC (AFNIC in France) is the authority managing subdomain assignment. The tree structure is independent of physical network structure.
Page 77
RECURSIVE SEARCH
Example: resolution of www.europe.alcatel.fr. Steps 2 and 3 involve the Root servers (.), steps 4 and 5 the servers down the tree (com and fr at the top level, then alcatel and europe); the answer returned is www : 198.64.191.11.
For system security (in the event of failures), the name server (primary server) function is duplicated in one or more secondary name servers. On initialization and then at regular intervals (programmable period), each secondary name server downloads the domain local mapping database from the primary server. Each name solver must know of the existence of these secondary servers and be capable of switching over to a secondary server if the primary server does not respond. Name / address translation is handled by name servers which cooperate and respond to requests sent by client programs called name solvers. At design level, each domain has a name server which resolves domain internal mapping by cooperating with adjacent name servers (higher or lower level). The name solver generates a request specifying the machine name (full name) and type of resolution required (recursive or non-recursive). For non-recursive resolution, the name server returns a list of servers to be contacted. In this case, the name solver (client) contacts another name server.
Page 78
Example with a forwarder: name server A is configured with B as its forwarder; the request "www.europe.alcatel.fr ?" is step 1, and steps 3 and 4 return through A.
If there is no local translation function, the server uses the procedure below:
for recursive resolution: The name server contacts other name servers and returns a response (positive or negative) to the client name solver.
for non-recursive resolution: The server returns a list of name servers likely to know the name-IP address mapping. The client name solver then sends the request to another name server.
Note: This mechanism means that all clients must know at least one name server and that all name servers know at least one other server.
Performance: A cache mechanism exists in each name server. It stores previous mappings for names outside the domain (local mappings are in the database). Each entry stored contains a TTL (Time to live). The cache is therefore regularly refreshed. Some name solvers keep their own list of translations already executed. In this case, a request from a user program can be resolved without sending a request (network) to a server.
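Recursive and non-recursive resolution with a per-server cache and TTL, on the branch of the tree shown on the slides (root, fr, alcatel, europe, www.europe.alcatel.fr = 198.64.191.11), as an added example that is not part of the original course. The server names (root-ns and so on) and the 3600-second TTL are constructed.

```python
"""Recursive vs non-recursive DNS resolution with caching. Added example, not
course code; server names and TTL are constructed, the tree is the slides'."""


class NameServer:
    """Authoritative for one zone; knows the servers of its child zones."""

    def __init__(self, name, zone):
        self.name, self.zone = name, zone
        self.records = {}       # fqdn -> (ip, ttl): the local mapping database
        self.children = {}      # child zone -> NameServer (delegation)
        self.cache = {}         # fqdn -> (ip, expiry time) for names outside the zone
        self.forwarded = 0      # requests this server sent on to another server

    def delegate(self, child):
        self.children[child.zone] = child
        return child

    def _child_for(self, fqdn):
        return next((ns for z, ns in self.children.items() if fqdn.endswith("." + z)), None)

    def query(self, fqdn, recursive, now=0):
        """Returns (kind, value, ttl): ('answer', ip, ttl), ('referral', [servers], 0)
        or ('nxdomain', None, 0)."""
        if fqdn in self.records:                            # local database first
            ip, ttl = self.records[fqdn]
            return "answer", ip, ttl
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:                      # cached and TTL not expired
            return "answer", cached[0], cached[1] - now
        child = self._child_for(fqdn)
        if child is None:
            return "nxdomain", None, 0
        if not recursive:
            return "referral", [child], 0                   # the solver asks the next server
        self.forwarded += 1
        kind, value, ttl = child.query(fqdn, True, now)     # work done on the client's behalf
        if kind == "answer":
            self.cache[fqdn] = (value, now + ttl)
        return kind, value, ttl


def resolve_non_recursive(start, fqdn, now=0):
    """Client-side name solver following referrals; returns (kind, ip, servers asked)."""
    server, asked = start, []
    while True:
        asked.append(server.name)
        kind, value, _ = server.query(fqdn, recursive=False, now=now)
        if kind != "referral":
            return kind, value, asked
        server = value[0]


def build_slide_tree():
    root = NameServer("root-ns", ".")
    fr = root.delegate(NameServer("fr-ns", "fr"))
    alcatel = fr.delegate(NameServer("alcatel-ns", "alcatel.fr"))
    europe = alcatel.delegate(NameServer("europe-ns", "europe.alcatel.fr"))
    europe.records["www.europe.alcatel.fr"] = ("198.64.191.11", 3600)   # slide value, constructed TTL
    return root
```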
Page 79
FTP
Client (ftp> prompt, local ports x and y) and Server (ports 21 and 20) over TCP/IP:
Control connection, Port 21: File transfer initialization and parameters, activation of remote commands
Data connection, Port 20: Information transfer (files, results, ...)
The FTP application satisfies the client-server model by allowing access to the remote files, regardless of the OS run by each system. FTP facilitates: creation, deletion, renaming of remote files/directories, two-way transfer of ASCII, binary or EBCDIC files, navigation through the remote file management system, with directory content display, file transfer between two remote hosts, controlled by the local host, writing local macrocommands, with parameter transfer and limited loops, a condensed file name list using special characters, file name character substitution for non-UNIX remote machines using a different syntax, and complex pattern substitutions in the names of files transferred.
Page 80
FTP session with the Server (150.10.20.31): Connection, Transfer, QUIT, Disconnection
FTP requires two connections: A control connection (always using port 21 on the server) for commands and responses controlling the transfer. A data connection (always using port 20 on the FTP server) for interchanging the data. A data connection is opened, used then closed for each file transfer.
Each local reference on the client side consists of a port number dynamically assigned by the system. Interchanges on the control connection define the nature of the transfer or service requested. They include identification information as well as requests and error messages. The data connection is normally set up by the server when information transfer is about to start. In practice, the accepting port is always provided for the data connection initiator via the control connection: either by the client in a special command (PORT...) sent to the server before initiating transfer, or by the server in response to a command asking it to wait for data connection receipt.
FTP transfer can be protected by login mechanisms, user_name, password. Similarly, it is possible to restrict the client to a home_directory with read-only access, for example.
Page 81
FTP user commands depend on implementations. Commands are executed either locally or in the remote machine. Example: lcd : change local directory; cd : change remote directory. Some commands are redundant. Example: bye and quit, get and recv, put and send, etc.
Commands: append ascii bell binary bye cd close delete debug dir form get hash glob help lcd ls mdelete mdir mget mkdir mls mode mput open prompt put pwd quit quote recv remotehelp rename rmdir send sendport status struct tenex trace ? !
Responses sent by the ftp server consist of a decimal digit triplet, followed by a space character then a comment not defined by the protocol. The three digits in the triplet each have a particular meaning. The first digit defines the response category:
1yz introduces a preliminary response (before command execution),
2yz introduces a positive termination response,
3yz introduces a positive intermediate response,
4yz introduces a negative termination response due to a phenomenon which is probably temporary, which means that a positive response is likely if the command is repeated,
5yz introduces a negative termination response which is probably conclusive (pointless repeating the command).
The second digit defines the domain to which the response relates:
x0z indicates a response concerning the syntax,
x1z indicates a response concerning general information,
x2z indicates a response concerning connection set-up / release,
x3z indicates a response concerning identification / authentication,
x4z is unspecified,
x5z denotes a response concerning file management.
The third digit identifies each response with the same categories and domains.
Figure: SSL handshake between a Web client and a Web server (1 Client Hello ... 4 Data Exchange).
1. The client sends a "hello" message to the target server.
2. The server returns a digital certificate containing the server's public key.
3. The client generates a random secret, encrypts it with the server's public key and returns it; both sides derive the session keys from it (in SSL 3.0 and TLS this random value is the pre-master secret rather than the session key itself).
4. Once the secured protocol has been established, all documents are sent symmetrically encrypted in both directions (RC4 in this example).
Note that in this exchange only the server is authenticated: the client checks the server certificate, and unless it does so correctly (valid signature chain, matching host name, unexpired certificate) the encryption protects against eavesdropping but not against a man-in-the-middle.
SSL is an intermediate layer between TCP/IP and its applications. It is independent of the application protocol and provides a set of APIs for applications.
Security:
- The connection is private: a protected (encrypted) channel is created between client and server.
- Terminal identities can be authenticated (X.509 certificates).
- The connection is safe against alteration or modification (integrity check on every record).
SSL components:
- Key generator and hash functions.
- Negotiation and session management protocols.
- X.509 format certificates.
- Encryption algorithms: RC4 with 40-bit keys for symmetric encryption, MD5 for integrity, DSS with 512-bit keys for signatures (the export-grade parameters of the time; all three are considered broken today and current deployments use TLS 1.2 or later).
- Various protocols for: negotiating security parameters, mutual authentication (TLS), instantiation of the negotiated security parameters, error reporting.
SSL uses reserved IANA ports: https (HTTP with SSL, port 443), snews (NNTP with SSL, port 563), ssmtp (SMTP with SSL, port 465), ssl-ldap (port 636), spop3 (port 995).
ELECTRONIC MESSAGING : E-MAIL
Figure: a message sent by albert.dupont@aile.com to jacques.dupond@alcatel.fr is relayed between mail servers with SMTP; A. Dupont's POP server is in domain aile.com, and the recipient collects mail from its server with POP or IMAP.
The SMTP protocol (Simple Mail Transfer Protocol) is extremely widely used for exchanging interpersonal mail over a TCP/IP network. In contrast to OSI (X.400), SMTP incorporates no sophisticated presentation concepts or powerful retry mechanisms. In common with the main TCP/IP architecture applications, SMTP is based on simplicity and pragmatism. The main SMTP RFCs are: RFC 821 for the protocol, RFC 822 for the mail message format and RFC 974 for the message routing method (RFC 821 and RFC 822 have since been superseded by RFC 5321 and RFC 5322).
Command : request sent by the SMTP client.
Domain : hierarchically structured address of a host in the messaging system.
Mailbox : sequence of characters of any length denoting a user. The standard naming rule stipulates that an address consists of two fields, "user" and "domain", separated by the "at" character: @.
Response : positive or negative acknowledgement of a command. SMTP responses follow exactly the same rules as FTP responses and consist of a three-digit code followed by an additional information field intended for human operators rather than automated processes.
Note that SMTP itself carries no authentication: the sender given in MAIL FROM is whatever the client asserts.
SMTP exchange (figure), client C and server S:
TCP connection set-up to server port 25
S: 220 Server ready                                (connection synchronization)
C: HELO <client host name>
S: 250 Server SMTP OK
C: MAIL FROM:<username>
S: 250 Sender Ok
C: RCPT TO:<username1>
S: 250 Recipient Ok
C: RCPT TO:<username2>
S: 550 User unknown
C: DATA
S: 354 Enter mail; end with <CRLF>.<CRLF>
C: Message ...
C: .
S: 250 Mail accepted                               (message transfer)
C: QUIT
S: 221 Service closing transmission channel        (disconnection)
TCP connection release
SMTP operates on a single TCP connection initiated by the client. In terms of OSI messaging, an SMTP implementation acts both as a UA (User Agent) and an MTA (Message Transfer Agent). However, in SMTP the transfer is always initiated by the sender. This means that, under normal circumstances, a connection from SMTP client to SMTP server in order to receive mail is never set up; mail is collected from the mailbox with another protocol such as POP or IMAP. Interchanges are based on a very simple principle:
- set up the TCP connection,
- synchronize the two SMTPs (HELO),
- specify the sender's identity (MAIL FROM),
- specify the recipient identity or identities (RCPT TO),
- send the message (DATA),
- terminate the connection (QUIT).
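The exchange above and the FTP-style reply codes, as an added example that is not part of the course: a minimal SMTP server state machine that answers each command with the reply codes shown in the figure, plus a classifier that splits any FTP/SMTP reply into its category and domain digits. The local user list, the client host name and the sample session are constructed for illustration.

```python
"""SMTP exchange and reply-code handling, as an added example.

The local user list and the session below are constructed for illustration.
"""
import re

# Constructed: the only local mailbox the server will accept (assumption).
LOCAL_USERS = {"username1"}

# Reply: three digits, then a space (or '-' for a continuation line) and text.
_REPLY_RE = re.compile(r"^(\d)(\d)(\d)(?:[ -](.*))?$")

CATEGORY = {"1": "preliminary", "2": "positive completion",
            "3": "positive intermediate", "4": "transient negative",
            "5": "permanent negative"}
# Second-digit meaning from the FTP reply convention; for SMTP x5z is the
# mail system rather than the file system.
DOMAIN = {"0": "syntax", "1": "information", "2": "connection",
          "3": "authentication", "4": "unspecified", "5": "file/mail system"}


def classify_reply(line):
    """Split a reply 'xyz text' into code, category, domain and retry advice."""
    m = _REPLY_RE.match(line)
    if not m:
        raise ValueError("not a reply line: %r" % line)
    x, y, z, text = m.groups()
    return {"code": x + y + z, "category": CATEGORY[x],
            "domain": DOMAIN.get(y, "unknown"),
            "retry": x == "4", "text": text or ""}


def _address(arg):
    """'FROM:<a@b>' or 'TO username' -> 'a@b' / 'username'."""
    tokens = arg.split(":", 1)[-1].split()
    return tokens[-1].strip("<>") if tokens else None


class SmtpServer:
    """Server side of the dialogue: each command is checked against the state."""

    def __init__(self, local_users):
        self.users = local_users
        self.state = "CONNECT"      # CONNECT -> GREETED -> READY -> DATA -> CLOSED
        self.sender, self.recipients, self.lines = None, [], []
        self.delivered = []         # (sender, [recipients], body)

    def greet(self):
        self.state = "GREETED"
        return "220 Server ready"

    def handle(self, line):
        if self.state == "DATA":
            if line == ".":
                self.delivered.append((self.sender, self.recipients, "\n".join(self.lines)))
                self.sender, self.recipients, self.lines = None, [], []
                self.state = "READY"
                return "250 Mail accepted"
            # A body line starting with '.' was dot-stuffed by the client.
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.state = "CLOSED"
            return "221 Service closing transmission channel"
        if verb == "HELO":
            self.state = "READY"
            return "250 Server SMTP OK"
        if self.state != "READY":
            return "503 Bad sequence of commands"
        if verb == "MAIL":
            self.sender, self.recipients = _address(arg), []
            return "250 Sender Ok" if self.sender else "501 Syntax error in parameters"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            user = (_address(arg) or "").split("@")[0]
            if user not in self.users:
                return "550 User unknown"
            self.recipients.append(user)
            return "250 Recipient Ok"
        if verb == "DATA":
            if not self.recipients:
                return "554 No valid recipients"
            self.state = "DATA"
            return "354 Enter mail; end with <CRLF>.<CRLF>"
        return "500 Command unrecognized"


def run_session(server, client_lines):
    """Drive client lines through the server; returns (client line, reply) pairs."""
    transcript = [(None, server.greet())]
    for line in client_lines:
        transcript.append((line, server.handle(line)))
        if server.state == "CLOSED":
            break
    return transcript


if __name__ == "__main__":
    srv = SmtpServer(LOCAL_USERS)
    for sent, reply in run_session(srv, ["HELO client.example",
                                         "MAIL FROM:<albert.dupont@aile.com>",
                                         "RCPT TO:<username1>", "RCPT TO:<username2>",
                                         "DATA", "Subject: test", "", "Hello", ".", "QUIT"]):
        if sent is not None:
            print("C:", sent)
        if reply is not None:
            print("S:", reply, "(%s)" % classify_reply(reply)["category"])
```

The server never checks who the sender is, which is exactly the property the security section later lists as a weakness: anything the client puts in MAIL FROM is accepted.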
Note: It is so easy to attach a file to an e-mail message that nowadays many servers become saturated with large attached files, impeding their primary function.
TELNET
Figure: TELNET client and server over TCP/IP; the server listens on TCP port 23. Characters typed on the keyboard are sent to the telnet server; all characters received from the server are displayed; all characters displayed are received from the server.
The TELNET (Telecommunication Network) protocol is in fact a combination of two completely different concepts which are often confused. TELNET is first and foremost a virtual presentation standard for communication between two processes on any two machines (not necessarily UNIX). It provides two basic services:
- firstly, a virtual terminal (NVT, Network Virtual Terminal) comprising in particular a minimal presentation common to all machines implementing TELNET;
- secondly, a set of PDUs allowing two cooperating processes to negotiate miscellaneous options.
TELNET is also the name frequently given to the application used by a terminal (or process) for accessing the operating system of another machine. In this case, login, identification and authentication procedures are used. These concepts are associated with each machine and are not therefore defined in the TELNET standard.
NVT presentation. TELNET is normally used between a real terminal and an application process. However, it can be used between two terminals or two processes. In any case, the process or processes are responsible for adapting the actual presentation used locally to the NVT virtual presentation. It is also possible, using negotiation PDUs, to change all or some of the NVT presentation rules. However, changes must be implemented by common agreement and any implementation must know how to manage standard NVT presentations.
TELNET
Figure: option negotiation between a PC client and a Cisco router.
Client : TCP connection, then IAC DO ECHO
Server : OK to negotiate
TELNET DATA : "Cisco>", then IAC WILL ECHO, IAC DO SUPPRESS-GO-AHEAD, IAC WILL TERMINAL_TYPE, IAC WONT NAWS (Negotiate About Window Size), IAC SB (Start of Subnegotiation Parameters) DATA : ANSI, IAC SE (End of Subnegotiation Parameters)
TELNET provides an option negotiation mechanism so that the two processes can negotiate some options. There are two types of option:
- options whose implementation or non-implementation is sufficient in itself (for example, the echo option). These options are negotiated using the WILL, WONT, DO, DONT PDUs, each preceded by the IAC (Interpret As Command) byte, value 255.
- options whose implementation requires additional information (for example, the actual terminal type). In this case, SB and SE PDUs carry the parameters. However, the PDUs above must have been used beforehand to negotiate the implementation of such options.
A data byte of value 255 is sent as IAC IAC so that it is not taken for a command.
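The negotiation described above, as an added example (not code from the course): a parser that separates application data from IAC command sequences, including the IAC IAC escape and SB ... SE subnegotiation, and a responder that answers DO/WILL according to a local policy and returns the terminal type when asked. The server byte stream, the option policy and the terminal name "ANSI" are constructed to mirror the PC/Cisco figure.

```python
"""TELNET negotiation parsing, as an added example (not from the course).

The byte stream below is constructed to mirror the PC / Cisco figure.
"""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NAME = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
ECHO, SGA, TERMINAL_TYPE, NAWS = 1, 3, 24, 31

# Policy of our (client) side: what we will do ourselves, what we let the peer do.
WE_SUPPORT = {SGA, TERMINAL_TYPE}       # answered WILL when the peer sends DO
PEER_MAY = {ECHO, SGA}                  # answered DO when the peer sends WILL


def parse_telnet(stream):
    """Split a raw byte stream into (data bytes, negotiation PDUs).

    PDUs are ('WILL', opt) ... or ('SB', opt, payload). IAC IAC is a literal
    0xFF data byte. A truncated or malformed sequence raises ValueError rather
    than being silently swallowed.
    """
    data, pdus, i, n = bytearray(), [], 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC")
        cmd = stream[i + 1]
        if cmd == IAC:                       # escaped data byte
            data.append(IAC)
            i += 2
        elif cmd in NAME:                    # WILL/WONT/DO/DONT option
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            pdus.append((NAME[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                      # IAC SB opt ... IAC SE
            if i + 2 >= n:
                raise ValueError("truncated subnegotiation")
            opt, payload, j = stream[i + 2], bytearray(), i + 3
            while True:
                if j + 1 >= n:
                    raise ValueError("unterminated subnegotiation")
                if stream[j] == IAC:
                    if stream[j + 1] == SE:
                        break
                    if stream[j + 1] == IAC:
                        payload.append(IAC)
                        j += 2
                        continue
                    raise ValueError("unexpected IAC inside subnegotiation")
                payload.append(stream[j])
                j += 1
            pdus.append(("SB", opt, bytes(payload)))
            i = j + 2
        else:                                # NOP, GA, AYT, ... two-byte commands
            pdus.append(("CMD", cmd))
            i += 2
    return bytes(data), pdus


def respond(pdus, terminal="ANSI"):
    """Build our answer: every DO/WILL is answered; WONT/DONT get no reply here
    because this toy keeps no per-option state (a real implementation follows
    the RFC 1143 state machine to avoid negotiation loops)."""
    out = bytearray()
    for pdu in pdus:
        if pdu[0] == "DO":
            out += bytes([IAC, WILL if pdu[1] in WE_SUPPORT else WONT, pdu[1]])
        elif pdu[0] == "WILL":
            out += bytes([IAC, DO if pdu[1] in PEER_MAY else DONT, pdu[1]])
        elif pdu[0] == "SB" and pdu[1] == TERMINAL_TYPE and pdu[2][:1] == b"\x01":
            # TERMINAL-TYPE SEND (1) -> IS (0) followed by the terminal name
            out += bytes([IAC, SB, TERMINAL_TYPE, 0]) + terminal.encode("ascii") + bytes([IAC, SE])
    return bytes(out)


# Constructed server-to-client stream in the spirit of the figure.
SERVER_STREAM = (b"Cisco> "
                 + bytes([IAC, WILL, ECHO, IAC, DO, SGA, IAC, DO, TERMINAL_TYPE,
                          IAC, DONT, NAWS, IAC, SB, TERMINAL_TYPE, 1, IAC, SE]))

if __name__ == "__main__":
    data, pdus = parse_telnet(SERVER_STREAM)
    print(data, pdus)
    print(respond(pdus).hex())
```

Everything here, data and negotiation alike, crosses the network in clear text; the parser is what a sniffer or an IDS applies to a captured TELNET session to pull out the typed characters.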
TFTP
Trivial File Transfer Protocol - RFC 1350
- TFTP is a file transfer protocol based on connectionless transport (UDP port 69).
- TFTP is used to transfer files in ASCII ("netascii") and BINARY ("octet") mode.
- TFTP provides no security at all (no user identification, no password): any host that can reach port 69 can read the files the server exports, and write them if writing is enabled. For this reason its use must be restricted, for example to a management network behind a filtering router.
- The TFTP protocol is based on five packet types. Each packet sent from client to server must be acknowledged.
- TFTP is sometimes used for downloading configurations over the network (terminal server, X terminals, router, etc).
The TFTP protocol (Trivial File Transfer Protocol) is a basic file transfer application. It follows a client-server model for single file transfer between two machines using the UDP transport protocol. It is very simple to implement, very economical in terms of disk, ROM and CPU resources, and particularly suited to downloading diskless machines. In practice, it is installed in the diskless machine's ROM and run after RARP or BOOTP type protocols which determine the equipment's IP address.
The TFTP client sends a request (RRQ to read, WRQ to write) to the TFTP server at well-known port 69. The client's source port is allocated by the system. The request defines the file name and the transfer mode. It initializes a TFTP application connection, which entails associating a free port number chosen by the server (allocated dynamically by the system on the sendto) with the client's port number (source port number in the request); all further packets of the transfer use this pair of ports. When the connection has been correctly set up, transfer is executed in "send and wait" mode. The sender sends the file in fixed size blocks (512 octets) and waits for an acknowledgement (ACK) before sending the next block. Blocks are numbered. A block of less than 512 octets indicates the end of file. Timers are started by sender and receiver, so that the loss of a DATA block or of an acknowledgement does not stop the transfer: the sender retransmits on timeout and the receiver acknowledges a duplicate block again without storing it twice. The last data block must be acknowledged; the receiver then assumes that the transfer has terminated successfully. An impossible request or an error during transfer causes transmission of an ERROR packet which terminates the process and ends the transfer. The five packet types are thus RRQ, WRQ, DATA, ACK and ERROR.
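The packet formats and the send-and-wait transfer described above, as an added example that is not part of the course: encoders and a decoder for the five RFC 1350 packet types, block splitting with the short (possibly empty) final block, a simulated lossy channel showing retransmission and duplicate handling, and the one check a server without authentication must at least perform on the requested file name. The file contents and the loss patterns are constructed.

```python
"""TFTP packet formats and send-and-wait transfer, as an added example.

Not from the course; the file contents and loss patterns are constructed.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5      # the five packet types of RFC 1350
BLOCK_SIZE = 512


def encode_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def encode_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block)


def encode_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def is_safe_filename(name):
    """TFTP has no authentication, so the server must at least refuse names
    that escape its export directory."""
    parts = name.replace("\\", "/").split("/")
    return bool(name) and not name.startswith("/") and ".." not in parts


def decode(packet):
    """Parse any of the five packet types into a dict; malformed input raises."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3:                 # filename, mode and the trailing empty field
            raise ValueError("malformed request")
        return {"op": opcode, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    (arg,) = struct.unpack("!H", packet[2:4])
    if opcode == DATA:
        if len(packet) - 4 > BLOCK_SIZE:
            raise ValueError("oversize data block")
        return {"op": DATA, "block": arg, "data": packet[4:]}
    if opcode == ACK:
        return {"op": ACK, "block": arg}
    if opcode == ERROR:
        return {"op": ERROR, "code": arg, "message": packet[4:].split(b"\0")[0].decode("ascii")}
    raise ValueError("unknown opcode %d" % opcode)


def data_blocks(content):
    """Numbered DATA packets; the last block is shorter than 512 octets (possibly
    empty, when the file size is an exact multiple) and marks the end of file."""
    blocks = [encode_data(i + 1, content[off:off + BLOCK_SIZE])
              for i, off in enumerate(range(0, len(content), BLOCK_SIZE))]
    if len(content) % BLOCK_SIZE == 0:
        blocks.append(encode_data(len(blocks) + 1, b""))
    return blocks


def transfer(content, drop_data=(), drop_ack=(), max_attempts=5):
    """Send-and-wait over a simulated lossy channel.

    drop_data / drop_ack hold (block, attempt) pairs the channel loses. Returns
    (bytes received by the client, number of DATA packets the sender emitted).
    """
    received, expected, sent = bytearray(), 1, 0
    for pkt in data_blocks(content):
        block = decode(pkt)["block"]
        for attempt in range(max_attempts):
            sent += 1
            if (block, attempt) in drop_data:
                continue                        # sender timer fires: resend
            if block == expected:               # receiver: accept in-order block
                received += decode(pkt)["data"]
                expected += 1
            ack = encode_ack(block)             # duplicates are re-acked, not re-stored
            if (block, attempt) in drop_ack:
                continue                        # ack lost: sender times out, resends
            assert decode(ack)["block"] == block
            break
        else:
            raise TimeoutError("block %d never acknowledged" % block)
    return bytes(received), sent


if __name__ == "__main__":
    print(decode(encode_request(RRQ, "router1.cfg")))
    print(transfer(b"x" * 1000, drop_ack={(1, 0)})[1], "DATA packets sent")
```

Because the server port is chosen per transfer and nothing is authenticated, a configuration file served this way can be read by anyone on the path and should contain no secrets that are not also protected elsewhere.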
NFS
Network File System - RFC 1094 (specified by SUN Microsystems)
- NFS is used for file sharing in a heterogeneous environment
- The NFS protocol is based on RPCs (Remote Procedure Call)
- NFS is hardware- and system-independent. It is based on a presentation layer: XDR (eXternal Data Representation)
The Network File System allows each user to access files which can be physically located on other machines, without an explicit copy transfer. NFS was designed to be independent of the operating system. In particular, files can be shared between UNIX machines and also between UNIX and PC machines running DOS or OS/2, etc. The NFS service therefore provides access to remote file systems. A machine is an NFS server if it allows other machines access to all or part of its local file system. An NFS server is said to "export" or "share" its files, which means that it allows clients to access the exported files. An NFS server receives a number of requests and returns a result in a response. A machine is an NFS client if it accesses files exported by an NFS server. An NFS client is said to "import" files. Importing allows a client machine to access remote files using read/write operations which result in the transmission of RPC requests (Remote Procedure Call). NFS uses RPCs and XDR (eXternal Data Representation). It is usually implemented over UDP transport. Note that with the default AUTH_UNIX credentials the server trusts the user and group identifiers asserted by the client, so exports must be restricted by client address and root access mapped to an unprivileged user.
The RPC protocol allows a program running on machine A to call a routine on machine B and remotely execute some of its operations.
Figure: the client (service user) sends a request to the server (service provider), having first obtained the server's port from the Port Mapper, and receives a response.
Remote procedure call (SUN) is used by a process to call a procedure (function) to be executed on another machine. RPCs provide: a mechanism for addressing the remote procedure, a mechanism for encoding parameters, a call mechanism (transmission of an RPC request), and execution of the remote procedure.
The RPC service model is a client-server model in which the distributed application is divided into two parts:
- a client part: this part of the application requests a service not provided locally. It calls the service procedure.
- a server part: this part of the application is asked to provide a service. It is called remotely.
For the user, an RPC service is a set of procedures. These procedures are combined on a program and version basis. A port number is associated with a program number; an RPC request is therefore sent to the program using the port number. The request contains the program number, version, and number of the procedure to be executed in the program, among other things. To make a remote procedure call, a client must first find the port number of the program called. To do this, it can query a special service on the machine supporting the server: the port mapper (program number 100000, port 111).
Figure: X-Window clients communicate with the X-Window server using the X11 protocol over TCP/IP.
X_WINDOW or X is a multi-window graphical interface. It is very widely used in the TCP/IP and UNIX world and has been adopted by all workstation manufacturers and by X/OPEN in the portability guide (XPG4). X_WINDOW provides a basic service and is generally used under a supplementary layer offering high level services for graphic interface management. The two most widely used high level graphic interfaces are Motif (supplied by OSF) and OPEN LOOK (supplied by Sun Microsystems). Nowadays, X-WINDOW is used, via the X11 protocol, to run local or remote applications with local graphic display. A single process (the SERVER) controls all the input-output (physical level). It is responsible for creating and manipulating screen windows, displaying text or graphics and managing input (keyboard and mouse). The implementation of an X server is closely linked to the hardware. It runs locally on a workstation or graphics terminal, or in emulation mode on a Windows station, and interprets messages from client applications. Any application designed to use the facilities provided by an X server is considered a client. The client communicates with the server in asynchronous mode over the TCP/IP network. Because the server handles all input and output, any client it admits can read keystrokes and screen contents; access must therefore be restricted (host- or token-based access control), and the clear-text X11 connection tunnelled when it crosses an untrusted network.
GATEWAY
Definition: the concept of gateway is used in the application layer. Eg. : SNA gateway on a Digital machine. By extension, this concept is applied to all layers and especially the lower layers; "network" gateways are then seen as level N interconnection equipment.
Terminology: Repeater : level 1 gateway; Bridge : level 2 gateway; Router : level 3 gateway.
Special cases: IP gateway = IP router = level 3 gateway; Switch = level 2 switch (Ethernet, ATM, etc.) = level 2 gateway.
Two networks are interconnected by intermediate equipment known by the generic term of "gateway". The OSI has formalized the concept of gateway, characterized by its action level and its action mode. The action level is the level at which the gateway operates, in fact the highest OSI level concerned; higher levels do not see the gateway.
The action mode is the way in which the gateway handles conversion. It can map PDUs, with adaptations (headers, sizes, nature) where required, or map SDUs. In all cases, layers (1) to (N-1) on both sides do not see one another and can generally be different. Gateway names have been standardized: repeater : level 1 gateway; bridge : level 2 gateway (MAC); router : level 3 gateway.
In general, the term "gateway" is used where the above three terms (repeater, bridge, router) are not applicable. However, in TCP/IP terminology, a gateway is a router.
REPEATER
Figure: example with 100BaseT; station to hub 100 m, hub to hub 5 m, hub to station 100 m, i.e. 205 m maximum between two stations.
Repeaters were initially used for extending the physical bearer by repeating the signal. A repeater is first and foremost a regenerator. Repeaters are widely used in Ethernet networks for integrating physical networks using different bearers such as 10 Base 5 coax, 10 Base 2 coax and 10 Base T twisted pairs. In this case, the repeater combines the AUI, BNC and RJ45 interface. The Hub is the basic element of a 10 or 100 Base T network and is in fact a multiport repeater.
BRIDGE
Figure: bridge between LAN 1 and LAN 2; frames between stations on the same LAN are filtered, frames for a station on the other LAN are bridged.
Interconnection is handled on layer 2. Bridges do not take account of the layer 3 protocols carried in frames; they direct traffic by MAC addressing and are totally transparent to layer 3 and higher protocols. There are two types of bridge:
- the transparent filtering bridge used in Ethernet LANs, which uses the Spanning Tree algorithm for loop resolution;
- the "source routing" bridge used in Token Ring LANs.
A transparent filtering bridge handles three functions:
- self-learning: the bridge locates stations dynamically using the "source MAC address" field of the frames it sees, and so determines the port behind which each station sits;
- filtering: when the bridge deduces that the sender and receiver of a frame are on the same segment (on the same side of the bridge) it does not send the frame to the other network (flow optimization);
- bridging: when the bridge receives a frame whose recipient is on the other network (or unknown), it regenerates the frame and sends it to the other network.
An unknown recipient is a station which has not yet indicated its presence by sending a frame. Since the learning table is built from unauthenticated source addresses, a station can fill it with bogus addresses and force the bridge to flood every frame (MAC flooding).
For Ethernet bridges, an option allows filtering for each type of protocol.
BRIDGE : LIMITATIONS
Figure: bridge with ports 0, 1 and 2. A frame from MAC A to MAC B on the same LAN (LAN 1) is filtered; a frame from MAC A to MAC C on another LAN is bridged.
A bridge between two Ethernet segments is used primarily to create two separate collision domains; it can also interconnect two remote physical networks. However, the bridged segments remain a single broadcast domain: broadcasts, and frames for destinations the bridge has not yet learnt, are flooded to every other port, so with many interconnected segments this traffic grows with the size of the bridged network. To bound it, a router is required.
ROUTER
Figure: router with ports 0, 1 and 2 connecting Network 1, Network 2 and Network 3. Routing table: Network 1 connected to port 0, Network 2 connected to port 1, Network 3 connected to port 2. A packet from IP A to IP B or IP C is sent out on the port given by the table entry for the destination network.
Interconnection is handled on layer 3. A router is therefore associated with a network protocol (there are multi-protocol routers). Routers direct traffic by analyzing the layer 3 address and are totally transparent to layer 4 and higher protocols. As its name suggests, a router routes an incoming packet to the correct output according to the destination address. A router only receives packets which are addressed to it at layer 2 (its own MAC address) and which it can therefore switch, whereas a bridge receives all frames sent on the local network. Packets are either sent directly by the sending station, or sent by another router. The products below are available on the market:
- Single-protocol router: the router processes the packets of only one network protocol.
- Multi-protocol router: the router processes packets for more than one network protocol. Each network protocol is independent (separate routing tables, different routing protocols).
- Bridge router (B-Router): a bridge router acts as a router for some protocols and as a bridge for the others: "if it cannot route a protocol, it bridges it".
ROUTER
Network interconnection
Figure: Network 1 (150.10.0.0) - R1 - Network 3 (170.10.0.0, leased line or ISDN) - R2 - Network 2 (160.10.0.0). A on Network 1 sends a packet to B on Network 2. On Network 1 the frame carries @MAC R1 / @IP B / DATA; on Network 3 it carries @MAC R2 / @IP B / DATA; on Network 2 it carries @MAC B / @IP B / DATA. The IP addresses are unchanged end to end; only the MAC addresses change at each hop.
The IP router determines the route to be taken to reach the recipient IP machine. The accessibility of an IP machine is determined on the basis of the principle below: "an IP router is required between two IP machines with different network numbers [and subnetwork numbers, where applicable]." A TCP/IP network therefore consists of a set of logical subnetworks interconnected by routers. Note: A routing table does not contain all accessible networks with associated routers. In general, the last entry in the table is a default entry and contains a default router IP address for all packets which the router is unable to switch to an explicit route. In addition, a routing table contains information concerning the relative distance of each accessible network.
ROUTING
STATIC : a route corresponds to a given address. Eg. : Network 150.10.0.0 accessible via R1 in one hop.
DYNAMIC : routers interchange routing information for choosing the best route based on different criteria.
Questions: What information is interchanged? When is the information interchanged? What entity is information interchanged with?
Choice criteria (metric): simple : number of hops; multiple : bit rate, load, reliability, etc.
Static routing is the simplest. A line configured manually in the routing table indicates the interface to be used and, where applicable, the next router to be reached to send the packet to the destination network. Eg. : route add net 150.10.0.0 160.10.20.30 1. This route indicates that to reach network 150.10.0.0, the IP packet must be sent to router 160.10.20.30, reached in one hop. Dynamic routing has the advantage of automatic recognition and updating. Dynamic routing involves identifying what information is to be transmitted between routers, when, and to whom. It also determines the criteria for choosing the best route. The choice is based on information called "metrics".
The minimum metric is the number of hops, but there are other criteria such as bit rate, delay, load and even financial cost.
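The routing table lookup the static route above feeds into, as an added example that is not part of the course: a table ordered so that the most specific prefix wins, a default entry that catches everything else, and the course's rule that two hosts need a router between them unless they share the (sub)network number. The network numbers follow the interconnection figure; the interface names, the /24 entry and the router addresses 170.10.0.1 and 160.10.0.254 are assumptions made for the example.

```python
"""Routing table lookup with longest-prefix match and a default route, as an
added example (not from the course). Addresses follow the course figures; the
interface names and router addresses are assumptions.
"""
import ipaddress


def same_network(a, b, mask):
    """The course's rule: two hosts need a router between them unless their
    addresses share the (sub)network number under the same mask."""
    net_a = ipaddress.ip_network("%s/%s" % (a, mask), strict=False)
    return ipaddress.ip_address(b) in net_a


class RoutingTable:
    def __init__(self):
        self.routes = []    # (network, interface, next hop or None, metric)

    def add(self, prefix, interface, next_hop=None, metric=0):
        net = ipaddress.ip_network(prefix)         # strict: host bits must be zero
        hop = ipaddress.ip_address(next_hop) if next_hop else None
        self.routes.append((net, interface, hop, metric))
        # Most specific prefix first, then lowest metric: the first match wins.
        self.routes.sort(key=lambda r: (-r[0].prefixlen, r[3]))

    def lookup(self, destination):
        addr = ipaddress.ip_address(destination)
        for net, iface, hop, metric in self.routes:
            if addr in net:
                return {"network": str(net), "interface": iface,
                        "next_hop": str(hop) if hop else "connected", "metric": metric}
        return None      # no route, not even a default: ICMP destination unreachable


def example_table():
    """Router R2 of the interconnection figure, plus a /24 that shows a longer
    prefix beating a shorter one and a default route (assumed addresses)."""
    rt = RoutingTable()
    rt.add("160.10.0.0/16", "port1")                          # connected
    rt.add("170.10.0.0/16", "port2")                          # connected (link to R1)
    rt.add("150.10.0.0/16", "port2", "170.10.0.1", metric=1)  # via R1, one hop
    rt.add("150.10.7.0/24", "port1", "160.10.20.30", metric=2)
    rt.add("0.0.0.0/0", "port1", "160.10.0.254", metric=10)   # default router
    return rt


if __name__ == "__main__":
    rt = example_table()
    for dst in ("150.10.5.1", "150.10.7.9", "160.10.1.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
```

The sort key is what makes "most specific entry first" hold after every addition; a table that merely appends routes would answer 150.10.7.9 with the /16 entry.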
ROUTING
Convergence time : length of the routing update delay.
Volume of information to be interchanged : low to very high.
Routing table size : impossible to control without an address hierarchy; impossible to control without a network hierarchy.
CIDR : Classless Inter Domain Routing. Associates the concept of a geographic prefix with class C IP addresses. Eg. : 194.150.160.170 --> the 194 block was allocated to the European registry (RIPE NCC).
Autonomous System : combines a significant number of networks in a single entity.
Convergence time depends on the type of update (cyclic or event-driven). It can vary from a few hundred milliseconds to a few minutes. One consequence is that a route seen as available can in fact be down, and vice versa. The frequency and extent of updates (entire table or modified lines only) determine the volume interchanged, which must in any case remain small compared with user traffic. For large networks, it is important to limit the size of routing tables (listing all possible destinations is not viable). There are two solutions: CIDR (Classless Inter Domain Routing) and autonomous systems both introduce a hierarchy that classful IP addressing lacks (a route being based only on the network to be reached).
Routing architecture
Division of the Internet into Autonomous Systems.
Protocol types:
- "Internal" (IGP) : RIP, OSPF, IS-IS, EIGRP
- "External" (EGP) : BGP-4
Figure: AS 1 (Net 1, Net 2, Net 3, running OSPF), AS 2 (Net 2, Net 4) and AS 3 (Net 1, Net 3, running EIGRP); routing inside each AS is done by an I.G.P., between ASs by an E.G.P.
An autonomous system is a way of assigning the same reference to a set of networks under one administration. The AS number is an official number assigned by the NIC (Network Information Centre) and today by the regional registries. It is a 16-bit number (32-bit AS numbers have since been added) carried in the routing messages exchanged by boundary routers running an EGP; it does not appear in the IP header. At the time of writing (2000), approximately 2500 autonomous systems exist, "masking" hundreds of thousands of networks. France Télécom is an AS.
ROUTING : CATEGORIES
Distance Vector
- Routers interchange routing tables cyclically
- The best route has the fewest routers to be crossed
- Convergence time is lengthy
- Volume is significant
- There is a risk of looping
- Few processor resources are required
- RIP, Routing Information Protocol (IETF); IGRP, Interior Gateway Routing Protocol (Cisco); EIGRP, Enhanced Interior Gateway Routing Protocol (Cisco)
There are two main routing categories: Distance vector routing and link state routing. A third category, path vector routing, is specific to BGP4 protocol. Distance vector routing is the earliest category. Routers perform only one task: interchanging routing tables. This has the advantage of simplicity. With the exception of EIGRP, the main disadvantages include high volume, slow convergence and risk of looping.
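The distance vector behaviour described above, as an added example that is not part of the course: three routers exchange whole tables every round, RIP style, with hop-count metrics and 16 meaning unreachable. After the B-C link fails, the plain algorithm counts to infinity one hop per round (the looping and slow convergence the slide lists), while the split-horizon variant, which stops a router echoing a route back to the neighbour it learnt it from, settles in one round. The topology and costs are constructed.

```python
"""Distance vector routing simulation, as an added example (not from the course).

Three routers A - B - C with hop-count metrics, RIP-style: tables are exchanged
every round, the route with the fewest routers wins, and 16 means unreachable.
"""

INFINITY = 16          # RIP: a metric of 16 means "unreachable"


class Router:
    def __init__(self, name):
        self.name = name
        self.table = {name: (0, None)}      # destination -> (metric, next hop)
        self.links = {}                     # neighbour -> link cost

    def connect(self, neighbour, cost=1):
        self.links[neighbour] = cost
        self.table[neighbour] = (cost, neighbour)

    def advertisement(self, to, split_horizon):
        """Whole table, as RIP sends it; with split horizon, routes learnt
        through 'to' are not echoed back to it."""
        return {dest: metric for dest, (metric, hop) in self.table.items()
                if not (split_horizon and hop == to)}

    def update(self, frm, adv):
        """Bellman-Ford step: believe the current next hop even when its figure
        gets worse, otherwise switch only to a strictly better route."""
        changed, cost = False, self.links[frm]
        for dest, metric in adv.items():
            new = min(INFINITY, metric + cost)
            current, hop = self.table.get(dest, (INFINITY, None))
            if (hop == frm and new != current) or (hop != frm and new < current):
                self.table[dest] = (new, frm)
                changed = True
        return changed


def run(routers, split_horizon=False, max_rounds=64):
    """Synchronous rounds until no table changes; returns how many rounds
    changed something."""
    for rnd in range(1, max_rounds + 1):
        messages = [(nbr, r.name, r.advertisement(nbr, split_horizon))
                    for r in routers.values() for nbr in r.links]
        changed = False
        for to, frm, adv in messages:
            changed |= routers[to].update(frm, adv)
        if not changed:
            return rnd - 1
    return max_rounds


def fail_link(routers, a, b):
    """Link goes down: both ends mark every route through it unreachable."""
    for x, y in ((a, b), (b, a)):
        routers[x].links.pop(y)
        routers[x].table = {d: (INFINITY if hop == y else m, hop)
                            for d, (m, hop) in routers[x].table.items()}


def chain():
    """Constructed topology A - B - C, unit cost per link."""
    routers = {n: Router(n) for n in "ABC"}
    for a, b in (("A", "B"), ("B", "C")):
        routers[a].connect(b)
        routers[b].connect(a)
    return routers


if __name__ == "__main__":
    for split in (False, True):
        rt = chain()
        run(rt)
        fail_link(rt, "B", "C")
        print("split horizon" if split else "plain", "converged after",
              run(rt, split_horizon=split), "rounds; A's route to C:", rt["A"].table["C"])
```

The same unauthenticated table exchange is what makes RIP a security weakness later in the document: any host on the segment can inject an advertisement and these update rules will believe it.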
ROUTING : CATEGORIES
LINK STATE
- Each router builds a network map
- Routers interchange link states on an event basis
- The best route incurs the lowest cost
- Convergence time is low
- Volume is low
- No risk of looping
- The process is bulky
- OSPF, Open Shortest Path First (IETF); IS-IS, Intermediate System to Intermediate System (ISO)
Link state protocols are reputed to offer higher performance but also use up more processing resources. Each router builds a network map from its own viewpoint, based on link information received. This principle eliminates the risk of looping. Routers transmit only those link states which have changed, and when the change occurs, convergence is very fast. Updating is said to be by "flooding" and as fast as packet transmission speed. The volume of data interchanged is very low. The main disadvantage is that the router recomputes its routes each time the state of a link changes.
ROUTING : CATEGORIES
PATH VECTOR
- Routes are described using the path taken
- Each router builds a map of the paths rather than of the links
- Routers interchange path attributes on an event basis
- The best path incurs the least cost (including financial)
- Convergence time is fast
- Volume is low
- No risk of looping
- BGP4, Border Gateway Protocol (IETF)
BGP4 is the path vector protocol. Like a distance vector protocol it advertises reachable prefixes rather than a topology map, but each route carries the list of autonomous systems crossed (the AS path), which lets a router detect and discard a route that would loop back through its own AS. BGP runs as an application over TCP (port 179).
True or False
- Internet is made of plenty of networks connected by routers. True
- An IP network can contain several LANs. True
- Intelligent bridges can analyse the IP header to route packets better. False
- Internet is shared in zones to decrease routing management traffic. True
- Routing protocols were implemented from the beginning of Internet 30 years ago. True
- Any IP host must know the IP address of a router to communicate with other hosts. False
- Each time a packet enters a router, OSPF is used in order to find the right route to destination. False
ADMINISTRATION
MANAGING CONFIGURATIONS : mechanisms to manage and set up resources
MANAGING EVENTS : detection, location, restart on incident, alarms
MANAGING COSTS : allocating and distributing loads
Norms / Standards:
- CMIS / CMIP : Common Management Information Service / Protocol
- CMOT : CMIS/CMIP Over TCP/IP
- SNMP : Simple Network Management Protocol
SNMP protocol (Simple Network Management Protocol) began as a standardized protocol for managing TCP/IP networks, but nowadays is applicable to both PABXs and Frame Relay equipment. Its main advantage lies in its very general nature and in the fact that it can be extended using private objects. SNMP can be used for the administration of TCP/IP machines as well as modems, bridges and dedicated routers. SNMP administration is not hampered by costly and mutually incompatible proprietary administration tools.
MANAGER
- Graphics tool providing the man/machine interface
- The Manager sends requests and receives responses to administration commands
- HP Openview and SunNet Manager are SNMP Managers
AGENT
- The agent is the server for the client Manager's requests
- Manager and Agent dialogue via SNMP
- An agent can extend SNMP requests in proprietary format (proxy agent)
- SNMP Agents manipulate objects
MIB
- Management Information Base
- MIB I and II describe more than 200 standardized objects
SNMP is based on a few simple ideas:
- Network Agents, which are software administrative components resident in administerable network components (IP layer, TCP layer, router, monitoring equipment, etc.).
- Network Management Stations, for processing administrative information from Network Agents and providing management services for operators. These are tools such as HP Openview and SunNet Manager.
- Each Network Agent maintains a management database (MIB: Management Information Base) consisting of a set of objects representing administerable elements in the network. The types of objects stored in MIBs, object content, object identification techniques and the MIBs themselves are standardized by Internet RFCs.
SNMP ADMINISTRATION
Figure: a Manager station, with its own MIB, dialogues over snmp with the agents in a server, a router and a bridge; each agent has its MIB, possibly extended by a proprietary MIB.
SNMP is simply the protocol for dialogue between a Network Manager and a Network Agent. The protocol is designed to facilitate three actions:
- Interrogation by the Network Manager of a Network Agent's MIB contents. Eg. : number of packets sent per second.
- Modification by the Network Manager of Network Agent MIB contents. Eg. : modifying the colour of a router icon for a threshold of 1000 packets per second.
- Unsolicited transmission of information messages by the Network Agent to the Network Manager. Eg. : alarm generation.
The protocol does not have any sophisticated commands, such as reboot, because any command must be expressible as the modification of a MIB parameter (an agent that supports it exposes an object whose modification triggers the action). The solution chosen is bound to be the most general one. It also means that write access (Set) to the right object is as powerful as a command shell on the device, and must be protected accordingly.
Figure: SNMP operations between the Manager and the Agent's MIB.
1. Get_request (object, object, ...) -> Get_response (value, value, ...)
2. Get_Next_request (object, object, ...) -> Get_response (value, value, ...)
3. Set_request ((object, value), ...) -> Get_response (value, value, ...)
Agent alert : Trap (infos), sent unsolicited by the Agent to the Manager.
SNMP defines a set of rules for the administration of a heterogeneous network. It is a protocol for information interchange between the administration station and the entities managed on the network. The SNMP architecture is based on the client/server model: the network administration station is an SNMP client and the managed entities are SNMP servers. SNMP uses UDP transport (some manufacturers however implement it over TCP); agents listen on port 161 and traps are sent to port 162 of the manager. In SNMP versions 1 and 2c the only access control is the community string, sent in clear text in every message, so read and especially write communities must be treated as passwords and SNMP must be filtered at the network boundary; SNMPv3 adds authentication and encryption.
OSI tree
Root branches: ITU (0), ISO (1), joint ISO-ITU (2).
Internet branches:
- Directory ( 1.3.6.1.1 ) : OSI directory in TCP/IP
- Mgmt ( 1.3.6.1.2 ) : standard MIB (MIB I and II)
- Experimental ( 1.3.6.1.3 ) : IAB trials
- Private ( 1.3.6.1.4 ) : manufacturer private MIBs
The MIB is the management information base. Management information and administration parameters are organized in a tree structure. The MIB provides an organized and general view of the information managed on the network. Each piece of information in the MIB is located at a tree node and identified by the sequence of numbers leading to it. Rather than the databases themselves, which depend primarily on the different implementations, the TCP/IP architecture primarily defines the types of objects in MIBs and the way in which these object types are identified. Object types: the structure of an object type defined by SMI (Structure of Management Information) is fully compliant with ASN.1 and essentially hierarchical. SMI is located at the point in the hierarchy administered by the IAB (Internet Architecture Board, formerly Internet Activities Board). The root of the object type tree defined by ASN.1 has no name and has three branches: an ITU branch (number 0) introducing objects administered by the ITU (formerly CCITT), an ISO branch (number 1) introducing objects administered by the ISO, and a JOINT-ISO-ITU branch (number 2).
Figure: MIB-2 tree.
internet (1.3.6.1) : directory (1), mgmt (2), experimental (3), private (4)
mgmt (2) -> mib-2 (1)
mib-2 groups : system (1), interfaces (2), at (3), ip (4), icmp (5), tcp (6), udp (7), egp (8), cmot (9), transmission (10), snmp (11)
The ISO node comprises a number of branches, including an ORG branch (number 3) for other national or international organizations. This branch itself has a number of branches, one of which (number 6) was assigned to the NIST, which handed its administration over to the DOD; it is the DOD branch. The DOD itself has assigned branch number 1 to the IAB (Internet Architecture Board).
Any point in the tree is therefore defined by the sequence of numbers of the nodes crossed to reach the object: the INTERNET node is referenced 1.3.6.1. In ASN.1 notation:
iso      OBJECT IDENTIFIER ::= { 1 }
org      OBJECT IDENTIFIER ::= { iso 3 }
dod      OBJECT IDENTIFIER ::= { iso org 6 }
internet OBJECT IDENTIFIER ::= { iso org dod 1 }
MIB I incorporates 114 objects in eight groups, and MIB II 170 objects in ten groups. The group structure on the first level gives access to the information illustrated by the variables below.
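The object identifier encoding used on the wire, as an added example that is not part of the course: BER encoding and decoding of OBJECT IDENTIFIERs (the first two arcs packed as 40*a+b, the rest in base 128 with continuation bits), the INTEGER and length rules needed around them, a complete SNMPv1 GetRequest for sysUpTime (1.3.6.1.2.1.1.3.0) and a parser that recovers version, community string and the requested OIDs from such a message. The community "public" and the request-id are constructed values.

```python
"""BER encoding of OBJECT IDENTIFIERs and a minimal SNMPv1 GetRequest, as an
added example (not from the course). Community and request-id are constructed.
"""

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3


def ber_length(n):
    """Short form below 128, otherwise 0x80|k followed by k length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, contents):
    return bytes([tag]) + ber_length(len(contents)) + contents


def encode_integer(n):
    """Minimal two's-complement contents, as X.690 requires."""
    size = (n if n >= 0 else -n - 1).bit_length() // 8 + 1
    return tlv(INTEGER, n.to_bytes(size, "big", signed=True))


def encode_oid(dotted):
    """First two arcs are packed as 40*a+b; every sub-identifier is base-128
    with the continuation bit set on all but its last octet."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunks = [value & 0x7F]
        value >>= 7
        while value:
            chunks.append(0x80 | (value & 0x7F))
            value >>= 7
        out += bytes(reversed(chunks))
    return tlv(OID, bytes(out))


def read_tlv(data, pos=0):
    """Return (tag, contents, position after the element); truncation raises."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    end = pos + length
    if end > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:end], end


def decode_oid(contents):
    arcs, value, pending = [], 0, False
    for b in contents:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            if not arcs:
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    if pending:
        raise ValueError("unterminated sub-identifier")
    return ".".join(map(str, arcs))


def build_get_request(community, oids, request_id=1, pdu_tag=GET_REQUEST):
    """SNMPv1 message: version 0, community string, PDU with null-valued varbinds."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(pdu_tag, encode_integer(request_id) + encode_integer(0)
              + encode_integer(0) + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community.encode("ascii")) + pdu)


def parse_message(data):
    """(version, community, pdu tag, [oid, ...]) of an SNMPv1/v2c message; the
    community travels in clear, which is why a sniffer can read it."""
    tag, body, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):                   # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        _, oid_contents, _ = read_tlv(varbind)
        oids.append(decode_oid(oid_contents))
    return int.from_bytes(ver, "big", signed=True), community.decode("ascii"), pdu_tag, oids


if __name__ == "__main__":
    msg = build_get_request("public", ["1.3.6.1.2.1.1.3.0"])
    print(msg.hex())
    print(parse_message(msg))
```

Sending the 40-byte message to UDP port 161 of an agent and parsing the 0xA2 GetResponse with the same read_tlv walk is all a scanner needs to test for the default "public" community.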
Examples of variables
- sysUpTime : time elapsed since last startup (System)
- ifNumber : number of network interfaces (Interfaces)
- atTable : MAC-IP address translation table (Addr. Trans.)
- ipDefaultTTL : time to live value for IP packets (IP)
- ipInReceives : number of datagrams received (IP)
- ipForwDatagrams : number of datagrams forwarded (IP)
- ipOutNoRoutes : number of datagrams discarded because no route was found (IP)
- ipReasmOKs : number of packets reassembled correctly (IP)
- ipFragOKs : number of packets fragmented (IP)
- ipRoutingTable : routing table (IP)
- icmpInEchos : number of "Echo Request" PDUs received (ICMP)
- tcpMaxConn : maximum number of TCP connections allowed (TCP)
- tcpInSegs : number of TCP segments received (TCP)
- udpInDatagrams : number of UDP datagrams received (UDP)
ANALYSIS OF IP NETWORKS
Solution 1: "conventional" analyzer (figure: one analyzer on each local area network, LAN 2 and LAN 3, behind routers R1 and R2).
Solution 2: probe (figure: a probe on the network reports to a remote administration station).
True or False
- The MIB content is sent from the manager to the agent using the SNMP protocol.
- Some objects are defined in MIB I and II for standard equipment, but each firm may create its own object hierarchy.
- SNMP is a pragmatic protocol like any other protocol from the IP world.
- SNMP is simple and not reliable (over UDP), so a few constructors use it.
- Other network management architectures exist: Q3 (with CMIP) and CORBA.
- Without network management, equipment cannot be set up.
- Analysing the IP branch of MIB II, all the characteristics of this protocol can be retrieved (like those described in this document about the IP introduction).
False True
Section 8 SECURITY
SECURITY
System security: password verification; minimum privileges assigned to server processes.
Filtering on protocols: filtering router; firewall; proxy server.
Information encryption: SSL; S/MIME.
User authentication: Kerberos; SecurID; Radius.
Some TCP/IP protocols are flawed, as detailed below:
- ARP (no authentication from recipient),
- ICMP (destination unreachable, redirection messages),
- RIP (incorrect routing information),
- TELNET, FTP (password in plain text),
- TFTP (no password).

Some known Internet attacks are listed below:

TCP Splicing
1) The pirate monitors the client-server connection.
2) The pirate saturates the client station.
3) The pirate replaces the client in dialogue with the server.

TCP Flooding
1) The pirate floods the server with connection requests containing an invalid source address.
2) The server responds (ACK, SYN) and reserves buffers. No response follows.
3) Actual clients risk service denial.

LAND Attack
TCP Flooding in which the source @IP and port N are equal to the destination @IP and port N.
(Figure: the intranet is connected to the Internet through the ISP by a filtering router.)
Filtering is effective on:
- authorized IP addresses,
- authorized client-server combinations,
- communication protocol fields (IP, ICMP, TCP, UDP),
- authorized application port numbers.
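As an added example (not from the course), here is a small default-deny packet filter in Go built around exactly these four criteria: source/destination addresses, an authorized client-server rule list, protocol fields (here the TCP SYN/ACK flags) and destination port. It also drops the LAND case described above, where a packet's source equals its destination, before any rule is consulted. Packet, Rule, Filter and the addresses in main are constructed.

```go
package main

import "fmt"

// Packet holds the constructed subset of header fields a filtering router inspects.
type Packet struct {
	SrcIP, DstIP     string
	Proto            string // "tcp", "udp" or "icmp"
	SrcPort, DstPort int
	SYN, ACK         bool // TCP flags; both false for non-TCP traffic
}

// Rule is one authorized client-server combination. An empty string or zero port
// matches anything; NewConn says whether the rule may admit a TCP SYN that opens
// a connection, or only segments of a flow already established (ACK set).
type Rule struct {
	SrcIP, DstIP, Proto string
	DstPort             int
	NewConn             bool
}

// Filter is a default-deny rule list: a packet passes only if some rule accepts it.
type Filter struct{ Rules []Rule }

func (r Rule) matches(p Packet) bool {
	return (r.SrcIP == "" || r.SrcIP == p.SrcIP) &&
		(r.DstIP == "" || r.DstIP == p.DstIP) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Verdict applies the four criteria from the page plus the LAND sanity check.
func (f Filter) Verdict(p Packet) (bool, string) {
	// Source equal to destination (address and port) is never legitimate: drop it before any rule.
	if p.SrcIP == p.DstIP && p.SrcPort == p.DstPort {
		return false, "drop: source equals destination (LAND)"
	}
	for i, r := range f.Rules {
		if !r.matches(p) {
			continue
		}
		if p.Proto == "tcp" && p.SYN && !p.ACK && !r.NewConn {
			continue // this rule covers established traffic only
		}
		return true, fmt.Sprintf("accept: rule %d", i)
	}
	return false, "drop: no authorized client-server combination"
}

func main() { fmt.Println(Filter{}.Verdict(Packet{SrcIP: "198.51.100.7", DstIP: "198.51.100.7", Proto: "tcp", SrcPort: 139, DstPort: 139, SYN: true})) }
```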
(Figure: a firewall between the site, the ISP and the Internet.)
Firewalls provide the same facilities as restriction lists but are more extensive. The principle is similar:
- filtering based on communication protocol,
- filtering based on applications,
- filtering based on users,
- log files and usage statistics,
- possible management of complex networks: VPN (Virtual Private Network), DMZ (Demilitarized Zone), NAT (Network Address Translation).
(Figure: a proxy server between the site, the ISP and the Internet.)
- Application filtering (HTTP, FTP, etc.): a user connection is required for each type of service, which is difficult if the application is not supported by the proxy.
- Optimizes the bandwidth towards the Internet by using a disk cache for information viewed on the Internet.
- Effective filtering of authorized/prohibited sites.
- Address masking: a single address for the Internet.
INFORMATION SECURITY
OBJECTIVES
- Integrity: data must not be altered.
- Authentication: the recipient must be sure of the sender's identity.
- Confidentiality: data must not circulate unencrypted.
- Non-repudiation: the recipient must hold a proof of sending.
Symmetric key encryption
- DES (Data Encryption Standard): created by IBM, 56-bit key. Rapid information encryption.
- Triple DES (up to 168 bits): triple encryption with three different keys.
- RC2 and RC4: created by RSA Data Security, variable length key. Faster than DES.
The key length determines the encryption quality: 40 bits: weak key; 56 bits: robust key; 168 bits: inviolable.
(Figure: Mr X and Mrs Y share one secret key.)
1) Mr X creates the message and encrypts it using the key known to himself and Mrs Y.
2) He sends the encrypted message over the network.
3) Mrs Y receives the encrypted message and decodes it using the same key.
(Figure: Mr X encrypts with Mrs Y's public key; Mrs Y decodes with her private key.)
1) Mrs Y creates two keys, one private and known to no-one else, and one public which is circulated over the network.
2) Mr X creates the message and encrypts it using Mrs Y's public key.
3) He sends the encrypted message over the network.
4) Mrs Y receives the encrypted message and decodes it using her private key (only she can decode the message, guaranteeing that no-one other than Mr X and Mrs Y can read the message).
5) If Mrs Y wants to reply, she uses Mr X's public key.
Information confidentiality
(Figure: the message is encrypted with a session key; the session key travels encrypted with Mrs Y's public key.)
1) Mr X encrypts the message using a symmetric session key created specifically for this purpose.
2) Mr X then encrypts the session key using Mrs Y's public key and sends all this information to Mrs Y.
3) Mrs Y decodes the session key using her private key, then decodes the message using the session key.
Section 9 IP VERSION 6
IP VERSION 6
Motivations and answers:
- Addressing space running out: 128-bit addresses.
- Routing table size: 128-bit addresses organized hierarchically.
- Lack of security: authentication mechanism.
- Incorporation of new services: machine mobility, simplicity of configuration, new applications (multimedia, VoD, remote control, ...).
The new version of the IP protocol:
- extends the addressing and routing function,
- supersedes broadcasts with anycasts,
- introduces quality of service information (real time applications, multipoint, security, etc).
IP V6 : HEADER
IPv6 header (figure, 32-bit rows, 40 octets in total): Vers (4 bits), Pri., Flow Label, Payload Length (16 bits), Next Header (8 bits), Hop Limit, Source Address (128 bits).
Header extension for options: IPv6 options are placed in separate headers, inserted between the IPv6 header and the transport layer header. Easy introduction of new data. Option field length no longer limited to 40 octets.
Autoconfiguration: "plug and play": Mobility management. Easy renumbering on change of service provider. Address server (DHCP : Dynamic Host Configuration Protocol).
Multipoint (Multicast) included in base: For routers and clients. scope = best routing for multicast packets. "Marking" of special flows (Flow Label): Real time applications, Quality of service. Priority of control traffic.
IP V6 ADDRESSING
Unicast address general format (figure): fields of 3, 5, 16, 16, 32 and 32 bits, labelled provider identifier, subnetwork identifier, not used and MAC interface address (@ MAC interface).
16 octets (instead of 4 in the current version).
Notation:
ABCD:A987:8765:6543:FEDC:BA98:7654:3210
AB98:0:0:0:7:467:AEDC:500
AB98::7:467:AEDC:500
3 broad categories of address:
- Multicast: 1 packet to N machines.
- Anycast: 1 packet to at least one machine.
- Unicast: 1 packet to one machine.
5 address classes: 1 Multicast, 1 Anycast, 3 Unicast, differentiated in the initial address bits.
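As an added example not taken from the course, the Go functions below implement the notation rules just listed: Expand recovers the eight 16-bit groups from either form (including the "::" shorthand) and Compress produces the short form by replacing the longest run of zero groups, so AB98:0:0:0:7:467:AEDC:500 round-trips to AB98::7:467:AEDC:500. Function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Expand parses either IPv6 text form into eight 16-bit groups, turning a single "::" into the zero groups it stands for.
func Expand(addr string) ([8]uint16, error) {
	var out [8]uint16
	halves := strings.Split(addr, "::")
	if len(halves) > 2 { return out, fmt.Errorf("more than one :: in %q", addr) }
	parse := func(s string) ([]uint16, error) {
		if s == "" { return nil, nil }
		var gs []uint16
		for _, g := range strings.Split(s, ":") {
			v, err := strconv.ParseUint(g, 16, 16) // rejects "", non-hex and values above FFFF
			if err != nil { return nil, fmt.Errorf("bad group %q in %q", g, addr) }
			gs = append(gs, uint16(v))
		}
		return gs, nil
	}
	head, err := parse(halves[0])
	var tail []uint16
	if err == nil && len(halves) == 2 { tail, err = parse(halves[1]) }
	if err != nil { return out, err }
	// "::" must stand for at least one group; without it exactly eight groups are required.
	if len(halves) == 2 && len(head)+len(tail) > 7 || len(halves) == 1 && len(head) != 8 { return out, fmt.Errorf("wrong number of groups in %q", addr) }
	copy(out[:], head)
	copy(out[8-len(tail):], tail) // the elided zero groups sit between head and tail
	return out, nil
}

// Compress writes upper-case hex groups without leading zeros and replaces the longest
// run of two or more zero groups with "::", so AB98:0:0:0:7:467:AEDC:500 becomes AB98::7:467:AEDC:500.
func Compress(g [8]uint16) string {
	start, run := -1, 0
	for i := 0; i < 8; i++ {
		if g[i] != 0 { continue }
		j := i
		for j < 8 && g[j] == 0 { j++ }
		if j-i > run { start, run = i, j-i } // first longest run wins on a tie
		i = j
	}
	parts := make([]string, 8)
	for k, v := range g { parts[k] = strings.ToUpper(strconv.FormatUint(uint64(v), 16)) }
	if run < 2 { return strings.Join(parts, ":") }
	return strings.Join(parts[:start], ":") + "::" + strings.Join(parts[start+run:], ":")
}
```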
True or False
- To entirely secure a private network, we just have to install a firewall in order to connect to the Internet.
- A proxy server is a singular router, so it is also an IP host.
- IP v6 evolution is necessary because of a shortage of addresses.
False True True
Exercise
From home, you want to connect to a commercial Internet site in order to buy a CD on-line. Complete the diagram on the following page by drawing and naming the networks transited to reach the Internet site, as well as their equipment. Show and name the protocols used to make this connection work.
(Answer diagram: Your PC, Modem, IP/PPP, AS, ISP (Proxy, SNMP Manager), LAN, Server Y; protocols: SHTTP/SSL/TCP/IP/...)
Glossary : A - I
ARP : Address Resolution Protocol
BOOTP : Boot Protocol
DHCP : Dynamic Host Configuration Protocol
DNS : Domain Name Service
FTP : File Transfer Protocol
HTML : Hyper Text Markup Language
HTTP : Hyper Text Transfer Protocol
IAB : Internet Activities Board
IETF : Internet Engineering Task Force
IP : Internet Protocol
IRTF : Internet Research Task Force
ITU-T : International Telecommunications Union - Telecom
Glossary : L - R
LAN : Local Access Network
MAN : Metropolitan Access Network
MIB : Model Information Base
NIC : Network Information Center
OSI : Open System Interconnection
OSPF : Open Shortest Path First
PDU : Packet Data Unit
POP : Post Office Protocol
PPP : Point to Point Protocol
RFC : Request For Comment
RPC : Remote Procedure Call
Glossary : S - Z
SDU : Service Data Unit
SHTTP : Secured HTTP
SLIP : Serial Link Internet Protocol
SMTP : Simple Mail Transfer Protocol
SNMP : Simple Network Management Protocol
SSL : Secured Socket Layer
TCP : Transmission Control Protocol
UDP : User Datagram Protocol
WWW : World Wide Web