CIT 384: Network Administration

TCP

Topics
- UDP
- TCP
- QoS
- Security
(OSI stack shown on the slide: Application, Presentation, Session, Transport, Network, Data Link, Physical)

UDP: User Datagram Protocol
- Simple datagram transport-layer protocol (RFC 768).
- Each application write produces one UDP datagram, which becomes one IP datagram.
- Trades reliability for speed: hands datagrams directly to the unreliable IP layer, with no ACKs, retransmission or reordering of its own.
- 16-bit port numbers identify the sending and receiving processes.
- Applications: DNS, SNMP, TFTP, VoIP, streaming video.

UDP Header (Figure 11.2 from TCP/IP Illustrated, Vol. 1)

UDP Example: TFTP
Trivial File Transfer Protocol: no authentication.
TFTP session:
    sun16> tftp at204m02
    tftp> get readme.txt
    Received 1024 bytes in 0.2 seconds.
    tftp> quit

TFTP Packet Types
- Read request: filename, mode (netascii or octet/binary)
- Write request: filename, mode
- File data block
- ACK
- Error

TFTP Packet Diagram (Figure 15.1, TCP/IP Illustrated, Vol. 1)

TFTP Session Trace
    at204m02> snoop udp sun16
    0.00000 sun16 -> at204m02 TFTP Read "2sun" (netascii)
    0.00498 at204m02 -> sun16 TFTP Data block 1 (512 bytes)
    0.00136 sun16 -> at204m02 TFTP Ack block 1
    0.00010 at204m02 -> sun16 TFTP Data block 2 (300 bytes) (last block)
    0.00119 sun16 -> at204m02 TFTP Ack block 2
2sun is a 764-byte file. A data block shorter than 512 bytes marks the last block of the transfer; the transfer can carry more bytes than the file, since netascii mode sends each newline as CR LF.

TFTP Security
- Feature: no username/password required.
- TFTP is used by diskless hosts to fetch their boot image.
- How to protect /etc/passwd? Limit the TFTP server's filesystem access: the server should only be able to read files under /tftpboot, should not accept writes unless they are actually needed, and should not be reachable from untrusted networks.

TCP: Transmission Control Protocol
- Connection-oriented: a connection must be established (3-way handshake) before any data is sent.
- Reliable byte stream: TCP decides how to divide the stream into segments, and uses ACKs, timeouts, retransmission and reordering to deliver it intact and in order.
- 16-bit source and destination ports: FTP (21), SMTP (25), HTTP (80), POP3 (110).

TCP Reliability
- Breaks application data into best-sized chunks (segments).
- After sending a segment, starts a timer; if no ACK arrives before it expires, the segment is resent.
- Sends an ACK on receipt of data.
- Discards segments whose checksum (covering header and data) is bad.
- Receiver resequences segments so data is delivered in the order it was sent.
- Receiver discards duplicate segments.
- Flow control: the sender only sends as much data as the receiver has said it can accept.

TCP Header (Figure 17.2 from TCP/IP Illustrated, Vol. 1)

TCP Header Fields
- Source Port: 16-bit sending port.
- Destination Port: 16-bit receiving port.
- Sequence Number: 32-bit position of the first data byte of this segment in the sender's byte stream (a SYN or FIN also consumes one sequence number).
- Acknowledgment Number: the next sequence number the sender of the ACK expects to receive.
- TCP is full duplex, so each side of a connection keeps its own sequence numbers.

Sequence Numbers and ACKs
    Sequence=1, 1000 bytes     -->
    Sequence=1001, 1000 bytes  -->
                               <--  ACK=2001
An ACK specifies the next byte the receiver expects, i.e. it acknowledges receipt of all bytes up to but not including the ACK number. Here bytes 1 through 2000 have arrived, so the ACK is 2001.

Errors and Retransmission
    Sequence=1, 1000 bytes     -->
    Sequence=1001, 1000 bytes  -->  (lost)
                               <--  ACK=1001
    Sequence=1001, 1000 bytes  -->  (retransmitted)
The ACK of 1001 covers only the first segment. The sender also sets a retransmission timer; if no ACK for the outstanding data is received by the time the timer expires, the sender retransmits the segments sent since the timer was set.
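As an added illustration of the sequence and acknowledgment arithmetic on these two slides (example code written for this page, not part of the original slides), the following Python model has the receiver resequence out-of-order segments, discard duplicates and return a cumulative ACK, while the sender retransmits from the oldest unacknowledged byte when its timer "expires". The Receiver class and transfer function are invented here; ACKs come back synchronously, so a timer expiry is modelled as "data still unacknowledged after the window was filled".

```python
"""Toy model of TCP sequence/ACK bookkeeping (added example, not course code)."""


class Receiver:
    """Receiving side: delivers bytes in order and returns cumulative ACKs."""

    def __init__(self, isn):
        self.next_expected = isn      # value placed in the ACK field
        self.out_of_order = {}        # seq -> data, held until the gap is filled
        self.delivered = bytearray()  # in-order stream handed to the application

    def receive(self, seq, data):
        """Process one segment; return the ACK number to send back."""
        seg_end = seq + len(data)
        if seg_end <= self.next_expected:
            return self.next_expected          # duplicate: discard, repeat ACK
        if seq > self.next_expected:
            self.out_of_order[seq] = data      # hole before it: buffer, repeat ACK
            return self.next_expected
        # In order (possibly overlapping the front): keep only the new bytes.
        self.delivered += data[self.next_expected - seq:]
        self.next_expected = seg_end
        # Buffered segments that now line up are delivered in sequence.
        # (Exact-match drain only; overlapping buffered segments are not handled.)
        while self.next_expected in self.out_of_order:
            chunk = self.out_of_order.pop(self.next_expected)
            self.delivered += chunk
            self.next_expected += len(chunk)
        return self.next_expected


def transfer(data, lose_first=(), isn=1, mss=1000, window=2000):
    """Send `data` to a fresh Receiver.

    Sequence numbers listed in `lose_first` have their first transmission
    dropped. Returns (bytes delivered, list of trace lines).
    """
    rcv = Receiver(isn)
    snd_una = isn            # oldest byte not yet acknowledged
    snd_nxt = isn            # next byte to send
    end = isn + len(data)
    lost_once = set()
    trace = []
    rounds = 0
    while snd_una < end:
        rounds += 1
        if rounds > 1000:
            raise RuntimeError("transfer is not converging")
        # Fill the window; conceptually the retransmission timer starts here.
        while snd_nxt < end and snd_nxt - snd_una < window:
            n = min(mss, end - snd_nxt, window - (snd_nxt - snd_una))
            segment = data[snd_nxt - isn:snd_nxt - isn + n]
            if snd_nxt in lose_first and snd_nxt not in lost_once:
                lost_once.add(snd_nxt)
                trace.append(f"Seq={snd_nxt}, {n} bytes (lost)")
            else:
                ack = rcv.receive(snd_nxt, segment)
                trace.append(f"Seq={snd_nxt}, {n} bytes -> ACK={ack}")
                snd_una = max(snd_una, ack)    # cumulative: covers all earlier bytes
            snd_nxt = max(snd_nxt + n, snd_una)   # never resend already-acked bytes
        if snd_una < snd_nxt:
            # Timer expiry: something sent since it was armed was never
            # acknowledged, so go back to the first unacknowledged byte.
            trace.append(f"timeout: retransmit from Seq={snd_una}")
            snd_nxt = snd_una
    return bytes(rcv.delivered), trace


if __name__ == "__main__":
    for lost in ((), (1001,), (1,)):
        delivered, lines = transfer(b"x" * 2000, lose_first=lost)
        print(f"lost={lost}: delivered {len(delivered)} bytes")
        for line in lines:
            print("   ", line)
```

With no loss the trace is exactly the previous slide (ACK=1001, then ACK=2001); losing the second segment reproduces this slide (ACK=1001, timeout, Seq=1001 resent); losing the first segment shows the receiver buffering Seq=1001, answering with the repeated ACK=1, and then acknowledging everything at once when the hole is filled.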

TCP Flow Control
- Window size: the number of bytes the receiver is willing to accept beyond what it has acknowledged, advertised in every segment it sends.
- The sender must stop sending once it has a full window of unacknowledged data outstanding.
- A separate sender-side limit, the congestion window, starts small and grows until loss occurs; the sender is bound by the smaller of the two windows.

TCP Header Flags (Code Bits)
- URG: urgent pointer field is valid
- ACK: acknowledgment number is valid
- PSH: receiver should pass the data to the application as soon as possible
- RST: reset the connection
- SYN: synchronize sequence numbers to initiate a connection
- FIN: sender has finished sending data

TCP Options
- Header length: length of the header in 32-bit words (20 bytes with no options, up to 60 bytes with options).
- End of option list (kind=0)
- NOP (kind=1): one byte, used to pad the options to a 32-bit boundary.
- Maximum Segment Size (kind=2), len=4 (the length counts the kind and len bytes): 16-bit MSS. Default 536 bytes of data + 20-byte TCP header + 20-byte IP header = 576 bytes.
- Window scale factor (kind=3)
- SACK permitted (kind=4), shown as sackOK in the connection trace below.
- Timestamp (kind=8)
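To make the header layout and option encoding concrete, here is an added Python parser (written for this page, not from the course or any library) that decodes the fixed 20-byte header and walks the option list. The sample segment is constructed to match the SYN in the connection trace below (ports 37519 and 22, Seq=477982308, Win=24820, options nop,nop,sackOK,mss 1460); its checksum is left at zero because computing it needs the IP pseudo-header. The parser rejects option lengths below 2 or running past the header, which is the check a real stack needs so that a crafted option cannot loop forever or read out of bounds.

```python
"""Parse a raw TCP header and its option list (added example, not course code)."""
import struct

FLAG_BITS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))


def parse_options(opts):
    """Walk the option bytes between the fixed header and the data."""
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of option list
            parsed.append(("eol",))
            break
        if kind == 1:                         # NOP: one byte, no length field
            parsed.append(("nop",))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option kind {kind} is missing its length byte")
        length = opts[i + 1]
        # Every other option carries a length that counts the kind and length
        # bytes too. length < 2 would never advance (infinite loop) and a
        # length past the end is an over-read: both are classic parser bugs.
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            parsed.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            parsed.append(("wscale", body[0]))
        elif kind == 4 and length == 2:
            parsed.append(("sackOK",))
        elif kind == 8 and length == 10:
            tsval, tsecr = struct.unpack("!II", body)
            parsed.append(("timestamp", tsval, tsecr))
        else:
            parsed.append(("unknown", kind, bytes(body)))
        i += length
    return parsed


def parse_tcp_header(segment):
    """Decode the 20-byte fixed header, the options and the payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (src, dst, seq, ack, off_res, flags,
     win, csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off_res >> 4) * 4             # data offset is in 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError(f"data offset {hdr_len} inconsistent with segment length")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": hdr_len,
        "flags": [name for bit, name in FLAG_BITS if flags & bit],
        "window": win, "checksum": csum, "urgent": urg,
        "options": parse_options(segment[20:hdr_len]),
        "payload": segment[hdr_len:],
    }


def is_wellformed(segment):
    """True if the header parses, False if a malformed length was caught."""
    try:
        parse_tcp_header(segment)
        return True
    except ValueError:
        return False


# Constructed SYN modelled on the connection trace on this page: src 37519,
# dst 22, Seq=477982308, Win=24820, options nop,nop,sackOK,mss 1460.
# Data offset 7 = 28 bytes (20 fixed + 8 of options); checksum left at 0.
SYN_SEGMENT = (struct.pack("!HHIIBBHHH", 37519, 22, 477982308, 0,
                           7 << 4, 0x02, 24820, 0, 0)
               + bytes([1, 1, 4, 2, 2, 4, 0x05, 0xB4]))

# Constructed malformed segment: an MSS option claiming length 1.
BAD_SEGMENT = (struct.pack("!HHIIBBHHH", 37519, 22, 1, 0,
                           6 << 4, 0x02, 24820, 0, 0)
               + bytes([2, 1, 0, 0]))

if __name__ == "__main__":
    print(parse_tcp_header(SYN_SEGMENT))
    print("malformed segment accepted:", is_wellformed(BAD_SEGMENT))
```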

TCP Connections
- Establishment: 3-way handshake; connection trace.
- Termination: normal termination; reset.

Connection Establishment Protocol
1. The requester (client) sends a SYN segment specifying the server port it wants to connect to and the client's initial sequence number (ISN).
2. The server responds with a SYN segment containing the server's ISN, and acknowledges the client's SYN by ACKing the client's ISN+1.
3. The client acknowledges the server's SYN by ACKing the server's ISN+1.

TCP 3-way Handshake (Figure 2.2, UNIX Network Programming)

Connection Establishment Test
    at204m02> /usr/sbin/snoop sun09
    at204m02> nc sun09 22
    SSH-1.99-OpenSSH_3.7.1p2
    ^C
If no services are running, start your own listener:
    at204m02> nc -l -p 8192

TCP Connection Trace
    at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
    sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
    at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820

Connection Termination Protocol
As TCP is full duplex, each side must terminate its half of the connection:
- One side sends a FIN segment (active close).
- The other side ACKs it with the FIN's sequence number + 1.
Half-closed connections: the side that sent the FIN can still receive data.
Example: ssh fasthost sort < words.txt. ssh sends words.txt, half-closes to tell sort that input is complete, and still receives the sorted output on the other half of the connection.

TCP Disconnection (Figure 2.3, UNIX Network Programming)

Connection Termination Test
    at204m02> /usr/lib/sendmail -bd
    at204m02> /usr/sbin/snoop port 25
    sun09> nc at204m02 25
    220 at204m02.lc3net ESMTP Sendmail 8.11.7+Sun/8.11.7; Mon, 29 Mar 2004 14:09:40 -0500 (EST)
    quit

TCP Disconnection Trace
    at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820
    sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820
    sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820
    at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820
Each FIN is acknowledged with its sequence number + 1, because the FIN itself consumes one sequence number.

TCP Reset
Connection refused:
    > telnet at204m02 8192
    Trying 10.1.0.90...
    telnet: Unable to connect to remote host: Connection refused
Packet trace:
    sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
    at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0
No process is listening on port 8192, so the kernel answers the SYN with an RST.

TCP Reset (cont.)
Connection abort:
- Any queued data is thrown away.
- The other side is informed of the abnormal close.
Packet detail:
- One side sends RST.
- The other side aborts the connection.
- No ACK is sent in response to an RST.

Half-Open Connections
- Connections where one side has aborted or closed without the other side's knowledge, e.g. because the client or server host crashed.
- DoS attack (SYN flood): the requester sends SYNs and never responds to the SYN+ACKs, leaving the server holding half-open connections.
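The handshake, teardown, reset and half-open cases on the preceding slides can all be checked mechanically from snoop output. The following Python audit is an added example written for this page (not course material and not a real tool); it parses snoop TCP summary lines, tracks what ACK number each side owes the other (data length plus one for a SYN and one for a FIN), and reports a completed handshake, a refused connection, a normal two-half close, a half-closed connection, or a handshake that never completed. The three traces embedded below are the ones shown on this page; the parser handles only the single-line snoop format seen there.

```python
"""Audit snoop TCP traces for handshake, teardown, reset and half-open
connections (added example, not course code)."""
import re


def parse_snoop_line(line):
    """Turn one snoop TCP summary line into a dict of fields and flags."""
    line = re.sub(r"Options=<[^>]*>", "", line)   # option text contains spaces
    m = re.match(r"\s*(\S+)\s+->\s+(\S+)\s+TCP\s+(.*)$", line)
    if not m:
        raise ValueError(f"not a snoop TCP line: {line!r}")
    src, dst, rest = m.groups()
    pkt = {"src": src, "dst": dst, "flags": set()}
    for tok in rest.split():
        if "=" in tok:                            # D=, S=, Ack=, Seq=, Len=, Win=
            key, val = tok.split("=", 1)
            pkt[key.lower()] = int(val) if val.isdigit() else val
        else:                                     # bare flag words: Syn, Fin, Rst, ...
            pkt["flags"].add(tok.upper())
    return pkt


def ack_owed_for(pkt):
    """ACK number the peer must send to cover this segment: data bytes plus
    one for SYN and one for FIN, since each consumes a sequence number."""
    n = pkt.get("len", 0)
    if "SYN" in pkt["flags"]:
        n += 1
    if "FIN" in pkt["flags"]:
        n += 1
    return pkt["seq"] + n


def audit_trace(lines):
    """Return findings for one connection's worth of snoop lines."""
    findings = []
    owed = {}        # (src, dst) -> (ack number the peer owes, segment carried FIN)
    closed = set()   # directions whose FIN has been acknowledged
    state = "none"
    for p in (parse_snoop_line(line) for line in lines):
        here, back = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "RST" in p["flags"]:
            if state == "syn_sent" and p.get("ack") == owed.get(back, (None,))[0]:
                findings.append(f"port {p['s']} on {p['src']} refused (RST answers SYN)")
            else:
                findings.append(f"{p['src']} aborted the connection (RST)")
            state = "reset"
            break                                 # nothing is ACKed after an RST
        if "ack" in p and back in owed:
            expected, was_fin = owed[back]
            if p["ack"] != expected:
                findings.append(f"{p['src']} sent Ack={p['ack']}, peer expected {expected}")
            else:
                del owed[back]
                if was_fin:
                    closed.add(back)
        if "SYN" in p["flags"]:
            state = "syn_received" if "ack" in p else "syn_sent"
        elif state == "syn_received" and "ack" in p:
            state = "established"
            findings.append("3-way handshake complete")
        if "seq" in p:
            owed[here] = (ack_owed_for(p), "FIN" in p["flags"])
    if state in ("syn_sent", "syn_received"):
        findings.append(f"half-open: handshake never completed ({state})")
    if len(closed) == 2:
        findings.append("both halves closed (normal termination)")
    elif len(closed) == 1:
        src, dst = closed.pop()
        findings.append(f"half-closed: {src} -> {dst} finished, other side still open")
    return findings


# Traces taken from the slides on this page.
HANDSHAKE = [
    "at204m02 -> sun09 TCP D=22 S=37519 Syn Seq=477982308 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>",
    "sun09 -> at204m02 TCP D=37519 S=22 Syn Ack=477982309 Seq=3227257622 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>",
    "at204m02 -> sun09 TCP D=22 S=37519 Ack=3227257623 Seq=477982309 Len=0 Win=24820",
]
TEARDOWN = [
    "at204m02 -> sun09 TCP D=33042 S=25 Fin Ack=3597541820 Seq=872479258 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "sun09 -> at204m02 TCP D=25 S=33042 Fin Ack=872479259 Seq=3597541820 Len=0 Win=24820",
    "at204m02 -> sun09 TCP D=33042 S=25 Ack=3597541821 Seq=872479259 Len=0 Win=24820",
]
REFUSED = [
    "sun09 -> at204m02 TCP D=8192 S=33048 Syn Seq=3848454475 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>",
    "at204m02 -> sun09 TCP D=33048 S=8192 Rst Ack=3848454476 Win=0",
]

if __name__ == "__main__":
    for name, trace in (("handshake", HANDSHAKE), ("teardown", TEARDOWN),
                        ("refused", REFUSED), ("half-open", HANDSHAKE[:2])):
        print(name, audit_trace(trace))
```

Feeding it only the first two lines of the handshake trace reports the half-open state a SYN flood leaves behind; feeding it only the first two teardown lines reports the half-closed state the ssh/sort example relies on.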

Example List of TCP Ports
TCP: IPv4 (netstat -na output)
    Local Addr      Rmt Addr              State
    *.111           *.*                   LISTEN
    *.32771         *.*                   LISTEN
    *.32772         *.*                   LISTEN
    *.32773         *.*                   LISTEN
    *.32774         *.*                   LISTEN
    *.4045          *.*                   LISTEN
    *.22            *.*                   LISTEN
    *.2049          *.*                   LISTEN
    *.515           *.*                   LISTEN
    *.80            *.*                   LISTEN
    *.6000          *.*                   LISTEN
    *.22            10.17.0.23.32827      ESTABLISHED
    *.2049          10.17.0.23.799        ESTABLISHED

TCP Servers
- Local Address *.80 means the server accepts connections on any local interface, TCP port 80.
- Foreign Address *.* means the server accepts connections from any source host and port.
- A connection is identified by (src IP, src port, dst IP, dst port). All connections to the same server share the same dst IP and port, but differ in source IP and/or source port.
- The kernel keeps a queue (the listen backlog, traditionally about 5 entries) of incoming connections that have completed the handshake but have not yet been accepted by the server process.

Sockets
Each TCP or UDP connection is identified by a socket pair:
- Source IP
- Source port (an ephemeral port chosen by the OS, above 1024)
- Destination IP
- Destination port

Quality of Service Problems
- Throughput (bandwidth): amount of data transferred per unit time.
- Latency (delay): time packets take to reach their destination.
- Jitter: variation in latency.
- Loss: packets are lost in transit. TCP retransmits them, increasing latency; UDP ignores the loss.
- Out of order: packets arrive out of order and have to be re-ordered, increasing latency (TCP) or, if the application cannot reorder them, loss (UDP).

QoS Minimum Needs
(Table on the slide: columns App, Bandwidth, Latency, Jitter, Loss; rows VoIP, 2-way video, 1-way video, Interactive web app, File transfer; the Low/Medium/High rating in each cell is not recoverable from this transcript.)

References
- James Boney, Cisco IOS in a Nutshell, 2nd edition, O'Reilly, 2005.
- Cisco, Cisco Connection Documentation, http://www.cisco.com/univercd/home/home.htm
- Cisco, Internetworking Basics, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm
- Wendell Odom, CCNA Official Exam Certification Library, 3rd edition, Cisco Press, 2007.
- Priscilla Oppenheimer and Joseph Bardwell, Troubleshooting Campus Networks, Addison-Wesley, 2002.
- W. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.