Transport Layer Protocols TCP and UDP

Transport Control Protocols

The function of the Transport Layer is to insure packets have no errors and that all packets arrive and are correctly reassembled. Two protocols are used: User Datagram Protocol.

Applications
Packet Packet

Provides unreliable, connectionless delivery service using Internet Protocol. Application programs utilizing UDP accepts full responsibility for packet reliability including message loss, duplication, delay, out of sequence, multiplexing and connectivity loss.

TCP
Packet

UDP
Packet

IP
Packet

Transmission Control Protocol.

Hardware

Provides a reliable, connection delivery service using Internet Protocol. It provides reliable packet delivery, packet sequencing, error control, multiplexing.

TCP and UDP pass IP packets to the applications

2

L.Krist NVCC

Connectionless vs Connection-oriented Protocols

Connection-oriented Two

computers connect before sending any data, sender lets receiver know that data is on the way; recipient acknowledges receipt of data (ACK) or denies receipt (NACK). The ACKing and NACKing is called handshaking. (Type supported by TCP). Reliable, but carries overhead burden. Connectionless Computers involved know nothing about each other or the data being sent. Makes no attempt to cause networks senders and receivers to exchange information about their availability or ability to communicate with one another, best effort delivery. (Type supported by IP, UDP). Not reliable, but faster and may be good enough. Also upper layer apps may worry about errors and reliability processing, so no need to do it twice.

L.Krist NVCC

Transport Layer Ports

Port numbers are used to keep track of different conversations that cross the network at the same time. Port numbers identify which upper layer service is needed, and are needed when a host communicates with a server that uses multiple services.

Both TCP and UDP use port numbers to pass to the upper layers. Port numbers have the following ranges: 0-255 used for public applications, 0-1023 also called wellknown ports, regulated by IANA. Numbers from 255-1023 are assigned to marketable applications 1024 through 49151 Registered Ports, not regulated. 49152 through 65535 are Dynamic and/or Private Ports .
L.Krist NVCC 4

Some Well-Known TCP Ports

Port Application Description

9 7 19 20 21 23 25 53 79 80 88 110 119 161 179 513

Discard Echo Chargen FTP-Data FTP-CMD Telnet SMTP DOMAIN Finger HTTP Kerberos POP3 NNTP SMTP BGP Rlogin

Discard all incoming data port Echo Exchange streams of data port File transfer data port File transfer command port Telnet remote login port Simple Mail Transfer Protocol port Domain Name Service Obtains information about active users Hypertext Transfer Protocol port Authentication Protocol PC Mail retrieval service port Network news access port Network Management Border Gateway Protocol Remote Login In
L.Krist NVCC 5

Ports for Clients

Clients and servers both use ports to distinguish what process each segment is associated with. Source ports, which are set by the client, are determined dynamically, usually a randomly assigned a number above 1023.

Source Port 1. Client requests a web page from server 2. Server responds to client
1032 80

Destination Port
80 1032

L.Krist NVCC

Protocols and Port Numbers

APPLICATION LAYER
Source Port 5512

Telnet

Destination Port 23

TRANSPORT LAYER

TCP Header

NETWORK LAYER
IP Header

6
Source IP Address; 128.66.12.2 Destination IP Address; 128.66.13.1

DATA LINK LAYER

ETHERNET
PREAMBLE DESTINATION ADDR 00 00 1B 12 23 34 SOURCE ADDR 00 00 1B 09 08 07 FIELD TYPE IP HEADER TCP HEADER DATA FCS

L.Krist NVCC

Protocols and Port Numbers

APPLICATION LAYER
TFTP
Source Port 5512

TRANSPORT LAYER

UDP

Destination Port 69

NETWORK LAYER

IP Header

17
Source IP Address; 128.66.12.2 Destination IP Address; 128.66.13.1

DATA LINK LAYER

ETHERNET
PREAMBLE DESTINATION ADDR 00 00 1B 12 23 34 SOURCE ADDR 00 00 1B 09 08 07 FIELD TYPE IP HEADER TCP HEADER DATA FCS

L.Krist NVCC

TCP Operation

TCP is a connection-oriented protocol. TCP provides the following major services to the upper protocol layers:

Connection-oriented data management to assure the end-to-end transfer of data across the network(s). Reliable data transfer to assure that all data is accurately received, in sequence and with no duplicates. Stream-oriented data transfer takes place between the sender application and TCP and the receiving application and TCP.

To stream is to send individual characters not blocks or frames.

Prior to data transmission, hosts establish a virtual connection via a synchronization process. The synch process is a 3-way handshake, which ensures both sides are ready to transfer data and determines the initial sequence numbers. Sequence numbers give hosts a way to acknowledge what they have received. TCP header contain SYN bits, or flags, to achieve this.
L.Krist NVCC 9

TCP Synchronization or 3-Way Handshake

TCP is a connection oriented protocol. Communicating hosts go through a synchronization process to establish a virtual connection. This synchronization process insures that both sides are ready for data transmission and allows the devices to determine the initial sequence numbers.

Sequence numbers are reference numbers between the two devices. The sequence numbers give each host a way to ACK the SYN, so the receiver knows which connection request the sender is responding to.

Send SYN Seq = x Receive SYN Seq = y ACK = x + 1

Receive SYN Seq = x Send SYN Seq = y ACK = x + 1 Receive ACK ACK = y + 1
10

Send ACK ACK = y + 1

L.Krist NVCC

Denial of Service Attacks

DoS attacks are designed to deny services to legitimate users. DoS attacks are used by hackers to overwhelm and crash systems. SYN flooding is a DoS attack that exploits the three way handshake.

1.
2. 3.

Hacker initiates a SYN but spoofs the source IP address. Target replies to the unreachable IP address and waits for final ACK. Hackers floods target with false SYN requests tying up its connection resources, preventing it from responding to legitimate connection requests.

Send SYN Send SYN Send SYN Send SYN Send SYN Send SYN

Receive SYN

Send SYN/ACK

To defend against these attacks, decrease the connection timeout period and increase the connection queue size. Software also exists that can detect these types of attacks and initiate defensive measures.
L.Krist NVCC 11

TCP Windows and Flow Control

Data often is too large to be sent in a single segment. TCP splits the data into multiple segments. TCP provides flow control through windowing to set the pace of how much data is sent at a time IE how many bytes per window, and how many windows between ACKs.
Window Size = 1 Window Size = 3

L.Krist NVCC

12

Windowing and Window Size

Window size determines the amount of data that you can transmit before receiving an acknowledgment. This is how TCP assists in congestion control. Sliding window refers to the fact that the window size is negotiated dynamically during the TCP session. Expectational acknowledgment means that the acknowledgment number refers to the octet that is next expected. If the source receives no acknowledgment, it knows to retransmit at a slower rate.
L.Krist NVCC 13

Fast enough for you?

I didnt get all of that, slow down.

Sequence and ACK Numbers

Each TCP segment is numbered before transmission so that the receiver will be able to properly reassemble the bytes in their original order.

They also identify missing data pieces so the sender can retransmit them.
Only the missing segments need to be re-transmitted.

Positive Acknowledgement and Retransmission

TCP utilizes PAR to control data flow and confirm data delivery.

Source sends packet, starts timer, and waits for ACK. If timer expires before source receives ACK, source retransmits the packet and restarts the timer.

L.Krist NVCC

14

TCP Encapsulation
0 15 16

31

VERS HLEN
4 bits 4 bits 16 bits

TOS
8 bits

Total Length
16 bits

Identification TTL
8 bits

Flags
3 bits

Fragment Offset
13 bits

Protocol
8 bits

Checksum
16 bits

Source IP Address
32 bits

IP Header

Destination IP Address
32 bits

IP Options(if any)
32 bits

IP Datagram

Source Port
16 bits 32 bits

Destination Port
16 bits

Sequence Number Acknowledgement Number

32 bits

Offset Reserved U A P R S F 6 bits

4 bits

Receive Window Size

16 bits

TCP Header

Checksum
16 bits

Urgent Pointer
16 bits

Options (if any)

TCP Data (if any)

ETHERNET PREAMBLE
8

DESTINATION ADDRESS
6

SOURCE ADDRESS
6

FIELD TYPE
2

IP HEADER

TCP HEADER

DATA
0-65535

FCS
4

L.Krist NVCC

15

TCP Segment Format

Number of the calling port Used to ensure correct sequencing of the arriving data Next expected TCP octet Number of 32-bit words in the header set to zero Control setup and termination of session Indicates the end of the urgent data Upper layer protocol data
L.Krist NVCC 16

Number of the called port

Number of octets sender is willing to accept

Details on TCP Fields

Sequence Number. TCP numbers each byte in the TCP data with a sequence number.

The sequence number identifies the first byte in the data segment being transmitted from the sending TCP to the receiving TCP.

Acknowledgement Number. The acknowledgement number contains the next sequence number the receiving station (sending the acknowledgement) expects to receive. The Acknowledgement flag is set.

Offset. It is perhaps more descriptive to call this field the TCP Header Length. This field is required because the length of the options field is variable. It indicates where the TCP header ends and the data begins. The header is 20 bytes without the options field.

Reserved. This field is reserved for future use and is set to zero. TCP software uses the 6 Code Bits to determine the purpose and contents of the segment.

Urg This flag indicates that this segment contains an Urgent pointer field. The Urgent Pointer field is explained below. 1 = Urgent, 0 = Not Urgent. Ack This flag indicates that this segment contains an Acknowledgement field. 1 = Ack, 0 = No Ack. Psh The segment requests a Push. TCP software usually gathers enough data to fill the transmit buffer prior to transmitting the data. 1 = Push, 0 = No Push. If an application requires data to be transmitted even though a buffer may not be full then a PUSH flag bit is set. At the receive side the PUSH makes the data available to the application without delay. Reset This field will Reset the connection. 1 = Reset, 0 = No Reset. Syn This flag field is used to Synchronize sequence numbers to initiate a connection. 1 = Syn, 0 = No Syn Fin The Finish flag bit is used to indicate the termination of a connection. 1 = Fin, 0 = No Fin.

Urgent Pointer. This field presents a way for the sender to transmit emergency data to the receiver. The URG flag must be set.

The Urgent Pointer is a 16 bit positive offset that is added to the sequence number field in the TCP header to obtain the sequence number of the last byte of the urgent data. The application determines where the urgent data starts in the data stream. The field is normally used by the application to indicate the pressing of an interrupt key during Telnet/Rlogin or a file transfer abort during FTP.

L.Krist NVCC

17

UDP/TCP Operation Comparison

There are two protocols at Layer 4 TCP and UDP. Both TCP and UDP use IP as their underlying protocol. TCP must be used when applications need to guarantee the delivery of a packet. When applications do not need a guarantee, UDP is used. UDP is often used for applications and services such as real-time audio and video. These applications require less overhead. They also do not need to be re-sequenced since packets that arrive late or out of order have no value.
0 15 16 - 31

TCP
Connection-oriented delivery Uses windows and ACKs Full header Sequencing Provides reliability FTP, HTTP, SMTP, and DNS

UDP
Connectionless delivery, faster No windows or ACKs Smaller header, less overhead No sequencing Relies on app layer protocols for reliability DNS, TFTP, SNMP, and DHCP

UDP segment format

31 - 47 48 63 64

Source Port

Destination Port

Length
L.Krist NVCC

Checksum

Data
18

User Datagram Protocol

0 15 16 31

UDP Source Port UDP Message Length Data

UDP Destination Port UDP Checksum

. . .
ETHERNET PREAMBLE
8

FCS
DESTINATION ADDRESS
6

SOURCE ADDRESS
6

FIELD TYPE
2

IP HEADER

UDP DATAGRAM
4

8-1500

UDP is a connectionless, unreliable Transport level service protocol. It is primarily used for protocols that require a broadcast capability, i.e RIP. It provides no packet sequencing, may lose packets, and does not check for duplicates.

It is used by applications that do not need a reliable transport service. Application data is encapsulated in a UDP header which in turn is encapsulated in an IP header.

UDP distinguishes different applications by port number which allows multiple applications running on a given computer to send /receive datagrams independently of one another.
L.Krist NVCC 19

UDP Port Numbers

Echo Discard Daytime 7 9 13 Echo user datagram back to user Discard user datagrams Report time in a user friendly fashion

Quote Chargen Nameserver Sql-Net BOOTPS BOOTPC TFTP POP3 SunRPC NTP SNMP SNMP-trap IRC IPX SysLog RIP NFS

17 19 53 66 67 68 69 110 111 123 161 162 194 213 514 520 2049

Return "Quote of the day" Character generator Domain Name Server Oracle Sequel Network Server port to download configuration information Client port to receive configuration information Trivial File Transport Protocol Post Office Protocol - V3 Sun Remote Procedure Call Network Time Protocol Used to receive network management queries Used to receive network problem reports. Internet Relay Chat IPX - IP Tunneling System Log Routing Information Protocol Network File Service
L.Krist NVCC

20

Packet Analysis
Ethereal and dns-moviefone.pkt trace

L.Krist NVCC

21