Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations


Presentation on theme: "Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”."— Presentation transcript:

1 Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

2 Chapter 8 TCP/IP This chapter examines the underlying communications software required to support distributed applications in businesses and other organizations. We will see that the required software is substantial. To make the task of implementing this communications software manageable, a modular structure known as a protocol architecture is used. The emergence of the Internet as a fundamental component in enterprise networks has meant that the TCP/IP suite has become the protocol architecture that is most important for business data communications students to know. The transition to IP-based telecommunications has become so widespread that is beginning to spawn new buzzwords: everything over IP (EOIP) and IP over everything (IPOE). This transition has taken hold in both business enterprises and other organizations, including the U.S. Defense Department and its Defense Information Systems agency [JONE09]. EOIP has become the Holy Grail of enterprise networks and it fuels business interest in converged networks. EOIP encourages the development of IP applications for all major types of business data (voice, video, image, and data) as well as IP-based, or IP-compliant, telecommunications transport. There is a lot to the multifaceted TCP/IP suite, so we begin this chapter by introducing a simple protocol architecture consisting of just three modules, or layers. This will allow us to present the key characteristics and design features of a protocol architecture without getting bogged down in details. With this background, we are then ready to examine the world’s most important protocol architecture: TCP/IP (Transmission Control Protocol/Internet Protocol). TCP/IP is an Internet-based standard and is the framework for developing a complete range of computer communications standards. Virtually all computer vendors now provide support for this architecture. Open Systems Interconnection (OSI) is another standardized architecture that is often used to describe communications functions but that is now rarely implemented. For the interested reader, OSI is covered in Appendix L. Following a discussion of TCP/IP, the important concept of internetworking is examined. Inevitably, a business will require the use of more than one communications network. Some means of interconnecting these networks is required, and this raises issues that relate to the protocol architecture.

3 The Need for a Protocol Architecture
Computer communications The exchange of information between computers for the purpose of cooperative action Computer network Two or more computers interconnected via a communication network A protocol is used for communication between entities in different systems Entity Anything capable of sending or receiving information Examples are user application programs, file transfer packages, database management systems, electronic mail facilities, and terminals System A physically distinct object that contains one or more entities Examples are computers, terminals, and remote sensors The exchange of information between computers for the purpose of cooperative action is generally referred to as computer communications . Similarly, when two or more computers are interconnected via a communication network, the set of computer stations is referred to as a computer network . Because a similar level of cooperation is required between a terminal and a computer, these terms are often used when some of the communicating entities are terminals. In discussing computer communications and computer networks, two concepts are paramount: • Protocols • Computer communications architecture, or protocol architecture A protocol is used for communication between entities in different systems. The terms entity and system are used in a very general sense. Examples of entities are user application programs, file transfer packages, database management systems, electronic mail facilities, and terminals. Examples of systems are computers, terminals, and remote sensors. Note that in some cases the entity and the system in which it resides are coextensive (e.g., terminals). In general, an entity is anything capable of sending or receiving information, and a system is a physically distinct object that contains one or more entities.

4 Protocol A set of rules governing the exchange of data between two entities Key elements: Syntax Includes such things as data format and signal levels Semantics Includes control information for coordination and error handling Timing Includes speed matching and sequencing For two entities to communicate successfully, they must “speak the same language.” What is communicated, how it is communicated, and when it is communicated must conform to mutually agreed conventions among the entities involved. The conventions are referred to as a protocol , which may be defined as a set of rules governing the exchange of data between two entities. The key elements of a protocol are as follows: • Syntax: Includes such things as data format and signal levels • Semantics: Includes control information for coordination and error handling • Timing: Includes speed matching and sequencing Appendix 8B provides a specific example of a protocol, the Internet standard Trivial File Transfer Protocol (TFTP).

5 Protocol Architecture
Having introduced the concept of a protocol, we can now introduce the concept of a protocol architecture . It is clear that there must be a high degree of cooperation between the two computer systems engaged in a cooperative application. Instead of implementing the logic for this as a single module, the task is broken up into subtasks, each of which is implemented separately. The result is a layered architecture, with peer entities at each layer performing subtasks appropriate to the layer. As an example, Figure 8.1 suggests the way in which a file transfer facility could be implemented between two computer systems connected by a network. Three modules are used. Tasks 3 and 4 in the preceding list could be performed by a file transfer module . The two modules on the two systems exchange files and commands. However, rather than requiring the file transfer module to deal with the details of actually transferring data and commands, the file transfer modules each rely on a communications service module . This module is responsible for making sure that the file transfer commands and data are reliably exchanged between systems. The manner in which a communications service module functions is explored subsequently. Among other things, this module would perform task 2. Finally, the nature of the exchange between the two communications service modules is independent of the nature of the network that interconnects them. Therefore, rather than building details of the network interface into the communications service module, it makes sense to have a third module, a network access module , that performs task 1 by interacting with the network. To summarize, the file transfer module contains all the logic that is unique to the file transfer application, such as transmitting passwords, file commands, and file records. These files and commands must be transmitted reliably. However, the same sorts of reliability requirements are relevant to a variety of applications (e.g., electronic mail, document transfer). Therefore, these requirements are met by a separate communications service module that can be used by a variety of applications. The communications service module is concerned with assuring that the two computer systems are active and ready for data transfer and for keeping track of the data that are being exchanged to assure delivery. However, these tasks are independent of the type of network that is being used. Therefore, the logic for actually dealing with the network is put into a separate network access module. If the network to be used is changed, only the network access module is affected. Thus, instead of a single module for performing communications, there is a structured set of modules that implements the communications function. That structure is referred to as a protocol architecture . An analogy might be useful at this point. Suppose an executive in office X wishes to send a document to an executive in office Y. The executive in X prepares the document and perhaps attaches a note. This corresponds to the actions of the file transfer application in Figure 8.1. Then the executive in X hands the document to a secretary or administrative assistant (AA). The AA in X puts the document in an envelope and puts Y’s address and X’s return address on the outside. Perhaps the envelope is also marked “confidential.” The AA’s actions correspond to the communications service module in Figure 8.1. The AA in X then gives the package to the shipping department. Someone in the shipping department decides how to send the package: mail, UPS, or express courier. The shipping department attaches the appropriate postage or shipping documents to the package and ships it out. The shipping department corresponds to the network access module of Figure 8.1. When the package arrives at Y, a similar layered set of actions occurs. The shipping department at Y receives the package and delivers it to the appropriate AA or secretary based on the name on the package. The AA opens the package and hands the enclosed document to the executive to whom it is addressed. Another important aspect of a protocol architecture is that modules in different systems communicate with peer modules on the same level. Thus, the file transfer module can focus on what it wants to communicate to a peer file transfer module on the other system (represented by the dotted line between the two modules in Figure 8.1). In the remainder of this section, we generalize the example of Figure 8.1 to present a simplified protocol architecture. Following that, we look at the real-world example of TCP/IP.

6 Three-Layer Model Distributed data communications involves three primary components: Networks Computers Applications Three corresponding layers Network access layer Transport layer Application layer In very general terms, distributed data communications can be said to involve three agents: applications, computers, and networks. In Chapter 10, we look at several applications; examples include file transfer and electronic mail. These applications execute on computers that typically support multiple simultaneous applications. Computers are connected to networks, and the data to be exchanged are transferred by the network from one computer to another. Thus, the transfer of data from one application to another involves first getting the data to the computer in which the application resides and then getting it to the intended application within the computer. With these concepts in mind, it appears natural to organize the communication task into three relatively independent layers: network access layer, transport layer, and application layer.

7 Network Access Layer Concerned with the exchange of data between a computer and the network to which it is attached The specific software used at this layer depends on the type of network to be used Different standards have been developed for circuit switching, packet switching and LANs IEEE 802 is a standard that specifies the access to a LAN The network access layer is concerned with the exchange of data between a computer and the network to which it is attached. The sending computer must provide the network with the address of the destination computer, so that the network may route the data to the appropriate destination. The sending computer may wish to invoke certain services, such as priority, that might be provided by the network. The specific software used at this layer depends on the type of network to be used; different standards have been developed for circuit switching, packet switching, local area networks (LANs), and others. For example, IEEE 802 is a standard that specifies the access to a LAN; this standard is described in Part Three. It makes sense to put those functions having to do with network access into a separate layer. By doing this, the remainder of the communications software, above the network access layer, need not be concerned about the specifics of the network to be used. The same higher-layer software should function properly regardless of the particular network to which the computer is attached.

8 Concerned with reliable transfer of information between applications
Transport Layer Concerned with reliable transfer of information between applications Mechanisms for providing reliability are essentially independent of the nature of the applications Assurance that all of the data arrive at the destination application and that the data arrive in the same order in which they were sent The transport layer is a common layer shared by all applications where these mechanisms can be collected Regardless of the nature of the applications that are exchanging data, there is usually a requirement that data be exchanged reliably. That is, we would like to be assured that all of the data arrive at the destination application and that the data arrive in the same order in which they were sent. As we shall see, the mechanisms for providing reliability are essentially independent of the nature of the applications. Thus, it makes sense to collect those mechanisms in a common layer shared by all applications; this is referred to as the transport layer .

9 Contains the logic needed to support the various user applications
Application Layer Contains the logic needed to support the various user applications A separate module is needed for each different type of application such as file transfer, that is peculiar to that application Finally, the application layer contains the logic needed to support the various user applications. For each different type of application, such as file transfer, a separate module is needed that is peculiar to that application.

10 Protocol Architectures
Figure 8.2 shows three computers connected to a network. Each computer contains software at the network access and transport layers and software at the application layer for one or more applications. For successful communication, every entity in the overall system must have a unique address. In our three-layer model, two levels of addressing are needed. Each computer on the network has a unique network address; this allows the network to deliver data to the proper computer. Each application on a computer has an address that is unique within that computer; this allows the transport layer to support multiple applications at each computer. These latter addresses are known as service access points (SAPs) , or ports , connoting the fact that each application is individually accessing the services of the transport layer. Figure 8.2 indicates that modules at the same level (peers) on different computers communicate with each other by means of a protocol. An application entity (e.g., a file transfer application) in one computer communicates with an application in another computer via an application-level protocol (e.g., the File Transfer Protocol). The interchange is not direct (indicated by the dashed line) but is mediated by a transport protocol that handles many of the details of transferring data between two computers. The transport protocol is also not direct, but relies on a network-level protocol to achieve network access and to route data through the network to the destination system. At each level, the cooperating peer entities focus on what they need to communicate to each other. Let us trace a simple operation. Suppose that an application, associated with port 1 at computer A, wishes to send a message to another application, associated with port 2 at computer B. The application at A hands the message over to its transport layer with instructions to send it to port 2 on computer B. The transport layer hands the message over to the network access layer, which instructs the network to send the message to computer B. Note that the network need not be told the identity of the destination port. All that it needs to know is that the data are intended for computer B.

11 Protocols in a Simplified Architecture
To control this operation, control information, as well as user data, must be transmitted, as suggested in Figure 8.3. Let us say that the sending application generates a block of data and passes this to the transport layer. The transport layer may break this block into two smaller pieces for convenience, as discussed subsequently. To each of these pieces the transport layer appends a transport header , containing protocol control information. The combination of data from the next higher layer and control information is known as a protocol data unit (PDU) ; in this case, it is referred to as a transport PDU. Transport PDUs are typically called segments . The header in each segment contains control information to be used by the peer transport protocol at computer B. Examples of items that may be stored in this header include the following: • Source port: This indicates that application that sent the data. • Destination port: When the destination transport layer receives the segment, it must know to which application the data are to be delivered. • Sequence number: Because the transport protocol is sending a sequence of segments, it numbers them sequentially so that if they arrive out of order, the destination transport entity may reorder them. • Error-detection code: The sending transport entity may include a code that is a function of the contents of the segment. The receiving transport protocol performs the same calculation and compares the result with the incoming code. A discrepancy results if there has been some error in transmission. In that case, the receiver can discard the segment and take corrective action. This code is also referred to as a checksum or frame check sequence. The next step is for the transport layer to hand each segment over to the network layer, with instructions to transmit it to the destination computer. To satisfy this request, the network access protocol must present the data to the network with a request for transmission. As before, this operation requires the use of control information. In this case, the network access protocol appends a network access header to the data it receives from the transport layer, creating a network access PDU, typically called a packet . Examples of the items that may be stored in the header include the following: • Source computer address: Indicates the source of this packet. • Destination computer address: The network must know to which computer on the network the data are to be delivered. • Facilities requests: The network access protocol might want the network to make use of certain facilities, such as priority. Note that the transport header is not “visible” at the network access layer; the network access layer is not concerned with the contents of the transport segment. The network accepts the network packet from A and delivers it to B. The network access module in B receives the packet, strips off the packet header, and transfers the enclosed transport segment to B’s transport layer module. The transport layer examines the segment header and, on the basis of the port field in the header, delivers the enclosed record to the appropriate application, in this case the file transfer module in B.

12 Standardized Protocol Architectures
Vendors like standards because they make their products more marketable Customers like standards because they enable products from different vendors to interoperate Two protocol architectures have served as the basis for the development of interoperable protocol standards: TCP/IP suite OSI reference model A widely used proprietary scheme is IBM’s Systems Network Architecture (SNA) When communication is desired among computers from different vendors, the software development effort can be a nightmare. Different vendors use different data formats and data exchange protocols. Even within one vendor’s product line, different model computers may communicate in unique ways. Now that computer communications and computer networking are ubiquitous, a one-at-a-time special-purpose approach to communications software development is too costly to be acceptable. The only alternative is for computer vendors to adopt and implement a common set of conventions. For this to happen, standards are needed. Such standards would have two benefits: • Vendors feel encouraged to implement the standards because of an expectation that, because of wide usage of the standards, their products would be less marketable without them. • Customers are in a position to require that the standards be implemented by any vendor wishing to propose equipment to them. Two protocol architectures have served as the basis for the development of interoperable protocol standards: the TCP/IP suite and the OSI reference model. TCP/IP is by far the most widely used interoperable architecture. OSI, though well known, has never lived up to its early promise. There is also a widely used proprietary scheme: IBM’s Systems Network Architecture (SNA). Although IBM provides support for TCP/IP, it continues to use SNA, and this latter architecture will remain important for some years to come. The remainder of the chapter looks in some detail at TCP/IP. OSI and SNA are summarized in Appendices I and F, respectively.

13 TCP/IP Architecture Organized into five relatively independent layers:
Result of protocol research and development conducted on the experimental packet- switched network, ARPANET Protocol suite consists of a large collection of protocols that have been issued as Internet standards by the Internet Activities Board (IAB) No official TCP/IP model Organized into five relatively independent layers: Application layer Host-to-host, or transport layer Internet layer Network access layer Physical layer TCP/IP is a result of protocol research and development conducted on the experimental packet-switched network, ARPANET, funded by the Defense Advanced Research Projects Agency (DARPA), and is generally referred to as the TCP/IP suite. This protocol suite consists of a large collection of protocols that have been issued as Internet standards by the Internet Activities Board (IAB). Appendix B provides a discussion of Internet standards. There is no official TCP/IP model as there is in the case of OSI. However, based on the protocol standards that have been developed, we can organize the communication task for TCP/IP into five relatively independent layers: • Application layer • Host-to-host, or transport layer • Internet layer • Network access layer • Physical layer

14 TCP is the most commonly used protocol at the transport layer
TCP/IP Layers TCP is the most commonly used protocol at the transport layer The Internet Protocol (IP) is used at the internet layer to provide the routing function across multiple networks A router is a device that connects two networks and whose primary function is to relay data from one network to the other on a route from the source to the destination end system The network access layer provides the attached network with the information needed to reach a router that connects the network to the next network on the route to the destination The physical layer is concerned with specifying the characteristics of the transmission medium, the nature of the signals, the data rate, and related matters The application layer and transport layer correspond to the top two layers described in the three-layer model of Section 8.1. At the transport layer, TCP is the most commonly used protocol. In those cases where two devices are attached to different networks, procedures are needed to allow data to traverse multiple interconnected networks. This is the function of the internet layer. The Internet Protocol (IP) is used at this layer to provide the routing function across multiple networks. This protocol is implemented not only in the end systems but also in routers. A router is a device that connects two networks and whose primary function is to relay data from one network to the other on a route from the source to the destination end system. The network access layer was also discussed in our three-layer model. Let us consider the case in which two computers that wish to communicate are both connected to the same network, such as the same LAN or the same wide area network (WAN). The sending computer must provide the network with the address of the destination computer, so that the network may route the data to the appropriate destination. In the case in which the two communicating computers are not connected to the same network, the data transfer must occur as a sequence of hops across multiple networks. In this latter case, the network access layer is concerned with access to one network along the route. Thus, from the source computer, the network access layer provides the attached network with the information needed to reach a router that connects this network to the next network on the route to the destination. The physical layer covers the physical interface between a data transmission device (e.g., workstation, computer) and a transmission medium or network. This layer is concerned with specifying the characteristics of the transmission medium, the nature of the signals, the data rate, and related matters.

15 TCP/IP Concepts Figure 8.4 indicates how the TCP/IP architecture is configured for communications. Compare this with Figure 8.2. The architectural difference is the inclusion of the internet layer, which allows for multiple networks connected by routers. Some sort of network access protocol, such as the Ethernet or Wi-Fi logic, is used to connect a computer to a network. This protocol enables the host to send data across the network to another host or, in the case of a host on another network, to a router. IP is implemented in all end systems and routers. It acts as a relay to move a block of data from one host, through one or more routers, to another host. TCP is implemented only in the end systems; it keeps track of the blocks of data being transferred to assure that all are delivered reliably to the appropriate application. The figure highlights the levels of addressing of the TCP/IP architecture. Each host on a network must have a unique network address that identifies the host on that network. In addition, each host has a unique global Internet address; this allows the data to be delivered to the proper host. This address is used by IP for routing and delivery. Each application within a host must have port number that is unique within the host; this allows the host-to-host protocol (TCP) to deliver data to the proper process.

16 PDUs in the TCP/IP Architecture
As was shown in Figure 8.3 for a three-layer architecture, it is relatively easy to trace the operation of the four-layer TCP/IP model. For a transfer between applications in hosts A and B, control information as well as user data must be transmitted, as suggested in Figure 8.5. Let us say that the sending process generates a block of data and passes this to TCP. TCP appends control information known as the TCP header, forming a TCP segment. The control information is to be used by the peer TCP entity at host B. Next, TCP hands each segment over to IP, with instructions to transmit it to B. These segments must be transmitted across one or more networks and relayed through one or more intermediate routers. This operation, too, requires the use of control information. Thus IP appends a header of control information to each segment to form an IP datagram . An example of an item stored in the IP header is the destination host address (in this example, B). Finally, each IP datagram is presented to the network access layer for transmission across the first network in its journey to the destination. The network access layer appends its own header, creating a packet, or frame. The packet is transmitted across the network to router J. The packet header contains the information that the network needs in order to transfer the data across the network. At router J, the packet header is stripped off and the IP header examined. On the basis of the destination address information in the IP header, the IP module in the router directs the datagram out across network 2 to B. To do this, the datagram is again augmented with a network access header. When the data are received at B, the reverse process occurs. At each layer, the corresponding header is removed, and the remainder is passed on to the next higher layer, until the original user data are delivered to the destination process.

17 TCP and UDP Most TCP/IP applications use TCP for transport layer
TCP provides a connection (logical association) between two entities to regulate flow check errors UDP (User Datagram Protocol) does not maintain a connection, and therefore does not guarantee delivery, preserve sequences, or protect against duplication For most applications running as part of the TCP/IP architecture, the transport layer protocol is TCP. TCP provides a reliable connection for the transfer of data between applications. A connection is simply a temporary logical association between two processes in different systems. For the duration of the connection each process keeps track of segments coming from and going to the other process, in order to regulate the flow of segments and to recover from lost or damaged segments.

18 TCP and UDP Headers Figure 8.6a shows the header format for TCP, which is a minimum of 20 octets, or 160 bits. The Source Port and Destination Port fields identify the applications at the source and destination systems that are using this connection. The Sequence Number, Acknowledgment Number, and Window fields provide flow control and error control. The checksum is a 16-bit frame check sequence used to detect errors in the TCP segment. For the interested reader, Appendix 8A provides more detail. In addition to TCP, there is one other transport-level protocol that is in common use as part of the TCP/IP suite: the User Datagram Protocol (UDP). UDP does not guarantee delivery, preservation of sequence, or protection against duplication. UDP enables a process to send messages to other processes with a minimum of protocol mechanism. Some transaction-oriented applications make use of UDP; one example is SNMP (Simple Network Management Protocol), the standard network management protocol for TCP/IP networks. Because it is connectionless, UDP has very little to do. Essentially, it adds a port addressing capability to IP. This is best seen by examining the UDP header, shown in Figure 8.6b.

19 IP Headers For decades, the keystone of the TCP/IP architecture has been IP. Figure 8.7a shows the IP header format, which is a minimum of 20 octets, or 160 bits. The header, together with the segment from the transport layer, forms an IP-level PDU referred to as an IP datagram or an IP packet. The header includes 32-bit source and destination addresses. The Header Checksum field is used to detect errors in the header to avoid misdelivery. The Protocol field indicates which higher-layer protocol is using IP, such as TCP or UDP. The ID, Flags, and Fragment Offset fields are used in the fragmentation and reassembly process. For the interested reader, Section 8.4 provides more detail. In 1995, the Internet Engineering Task Force (IETF), which develops protocol standards for the Internet, issued a specification for a next-generation IP, known then as IPng. This specification was turned into a standard in 1996 known as IPv6. IPv6 provides a number of functional enhancements over the existing IP. It is designed to accommodate the higher speeds of today’s networks and the mix of data streams, including graphic and video, which are becoming more prevalent. But the driving force behind the development of the new protocol was the need for more addresses. The current IP uses a 32-bit address to specify a source or destination. With the explosive growth of the Internet and of private networks attached to the Internet, this address length became insufficient to accommodate all systems needing addresses. As Figure 8.7b shows, IPv6 includes 128-bit source and destination address fields. Ultimately, all installations using TCP/IP are expected to migrate from the current IP to IPv6, but this process will take many years, if not decades.

20 TCP/IP Applications SMTP (Simple Mail Transfer Protocol)
Supports a basic electronic mail facility by providing a mechanism for transferring messages among separate hosts Features include mailing lists, return receipts, and forwarding FTP (File Transfer Protocol) Sends files from one system to another on user command Both text and binary files are accommodated SSH (Secure Shell) Provides a secure remote login capability which enables a user at a terminal or personal computer to logon to a remote computer and function as if directly connected to that computer A number of applications have been standardized to operate on top of TCP. We mention a few of the most common here. The Simple Mail Transfer Protocol (SMTP) supports a basic electronic mail facility, by providing a mechanism for transferring messages among separate hosts. Features of SMTP include mailing lists, return receipts, and forwarding. SMTP does not specify the way in which messages are to be created; some local editing or native electronic mail facility is required. Once a message is created, SMTP accepts the message and makes use of TCP to send it to an SMTP module on another host. The target SMTP module will make use of a local electronic mail package to store the incoming message in a user’s mailbox. SMTP is examined in more detail in Chapter 10. The File Transfer Protocol (FTP) is used to send files from one system to another under user command. Both text and binary files are accommodated, and the protocol provides features for controlling user access. When a user wishes to engage in file transfer, FTP sets up a TCP connection to the target system for the exchange of control messages. This connection allows user ID and password to be transmitted and allows the user to specify the file and file actions desired. Once a file transfer is approved, a second TCP connection is set up for the data transfer. The file is transferred over the data connection, without the overhead of any headers or control information at the application level. When the transfer is complete, the control connection is used to signal the completion and to accept new file transfer commands. SSH (Secure Shell) provides a secure remote logon capability, which enables a user at a terminal or personal computer to logon to a remote computer and function as if directly connected to that computer. SSH also supports file transfer between the local host and a remote server. SSH enables the user and the remote server to authenticate each other; it also encrypts all traffic in both directions. SSH traffic is carried on a TCP connection.

21 TCP/IP Applications HTTP (HyperText Transfer Protocol)
Connects client systems to Web servers on the Internet Its primary function is to establish a connection with the server and send HTML pages back to the user’s browser SNMP (Simple Network Management Protocol) A widely used network monitoring and control protocol HTTP (HyperText Transfer Protocol) connects client systems to Web servers on the Internet or on an internet. Its primary function is to establish a connection with the server and send HTML pages back to the user’s browser. It is also used to download files from the server either to the browser or to any other requesting application that uses HTTP. SNMP (Simple Network Management Protocol) is a widely used network monitoring and control protocol. Data are passed from SNMP agents, which are hardware and/or software processes reporting activity in each network device (hub, router, bridge, etc.) to the workstation console used to oversee the network. The agents return information contained in an MIB (Management Information Base), which is a data structure that defines what is obtainable from the device and what can be controlled (turned off, on, etc.).

22 Protocols in the TCP/IP Protocol Suite
Each layer in the TCP/IP suite interacts with its immediate adjacent layers. At the source, the application layer makes use of the services of the transport layer and provides data down to that layer. A similar relationship exists at the interface between the transport and internet layers and at the interface of the internet and network access layers. At the destination, each layer delivers data up to the next higher layer. This use of each individual layer is not required by the architecture. As Figure 8.8 suggests, it is possible to develop protocols that directly invoke the services of any one of the layers. Most applications require a reliable transport protocol and thus make use of TCP. Some special-purpose applications do not need the services of TCP. Some of these applications, such as SNMP, use another transport protocol known as the User Datagram Protocol (UDP); others may make use of IP directly. Applications or other protocols that do not involve internetworking and that do not need TCP have been developed to invoke the network access layer directly.

23 Table 8.1 Internetworking Terms
In most cases, a LAN or WAN is not an isolated entity. An organization may have more than one type of LAN at a given site to satisfy a spectrum of needs. An organization may have multiple LANs of the same type at a given site to accommodate performance or security requirements. And an organization may have LANs at various sites and need them to be interconnected via WANs for central control of distributed information exchange. Table 8.1 lists some commonly used terms relating to the interconnection of networks, or internetworking. An interconnected set of networks, from a user’s point of view, may appear simply as a larger network. However, if each of the constituent networks retains its identity, and special mechanisms are needed for communicating across multiple networks, then the entire configuration is often referred to as an internet , and each of the constituent networks as a subnetwork . The most important example of an internet is referred to simply as the Internet. As the Internet has evolved from its modest beginnings as a research-oriented packet-switching network, it has served as the basis for the development of internetworking technology and as the model for private internets within organizations. These latter are also referred to as intranets . If an organization extends access to its intranet, over the Internet, to selected customers and suppliers, then the resulting configuration is often referred to as an extranet . Each constituent subnetwork in an internet supports communication among the devices attached to that subnetwork; these devices are referred to as hosts , or end systems (ESs) . In addition, subnetworks are connected by devices referred to in the ISO documents as intermediate systems (ISs) . ISs provide a communications path and perform the necessary relaying and routing functions so that data can be exchanged between devices attached to different subnetworks in the internet. Two types of ISs of particular interest are layer 2 switches and routers . The differences between them have to do with the types of protocols used for the internetworking logic. We look at the role and functions of bridges in Chapter 12. The role and functions of routers were introduced in the context of IP earlier in this chapter. However, because of the importance of routers in the overall networking scheme, it is worth providing additional comment in this section. Another type of IS is the gateway , which connects two or more subnetworks or internets that differ in some way. When two networks differ in the protocol by which they offer service to hosts, a gateway may translate one protocol into the other or otherwise facilitate interoperation of hosts. An example of an application level gateway is one that translates between two different mail transfer protocols. (This table is located on page 222 in the text)

24 Routers Equipment used to interconnect independent networks
Essential functions: Provide a link between networks Provide for the routing and delivery of data between end systems attached to different networks Provide these functions without requiring modifications of the networking architecture of any of the attached networks Internetworking is achieved by using intermediate systems, or routers, to interconnect a number of independent networks. Essential functions that the router must perform include the following: 1. Provide a link between networks. 2. Provide for the routing and delivery of data between end systems attached to different networks. 3. Provide these functions in such a way as to not require modifications of the networking architecture of any of the attached networks.

25 Router Issues The router must accommodate a number of differences among networks: Addressing schemes Networks may use different schemes for assigning addresses to devices Maximum packet size Packets from one network may have to be broken into smaller pieces to be transmitted on another network (fragmentation) Interfaces The hardware and software interfaces to various networks differ Reliability Operations should not depend on an assumption of network reliability Point 3 means that the router must accommodate a number of differences among networks, such as the following: • Addressing schemes: The networks may use different schemes for assigning addresses to devices. For example, an IEEE 802 LAN uses 48-bit binary addresses for each attached device; an ATM network typically uses 15-digit decimal addresses (encoded as 4 bits per digit for a 60-bit address). Some form of global network addressing must be provided, as well as a directory service. • Maximum packet sizes: Packets from one network may have to be broken into smaller pieces to be transmitted on another network, a process known as fragmentation . For example, Ethernet imposes a maximum packet size of 1500 bytes; a maximum packet size of 1600 bytes is common on frame relay networks. A packet that is transmitted on a frame relay network and picked up by a router for forwarding on an Ethernet LAN may have to be fragmented into two smaller ones. • Interfaces: The hardware and software interfaces to various networks differ. The concept of a router must be independent of these differences. • Reliability: Various network services may provide anything from a reliable end-to-end virtual circuit to an unreliable service. The operation of the routers should not depend on an assumption of network reliability. The preceding requirements are best satisfied by an internetworking protocol, such as IP, that is implemented in all end systems and routers.

26 Internetworking Example
Figure 8.9 depicts a configuration that we will use to illustrate the interactions among protocols for internetworking. In this case, we focus on a server attached to a frame relay WAN and a workstation attached to an IEEE 802 LAN such as Ethernet, with a router connecting the two networks. The router provides a link between the server and the workstation that enables these end systems to ignore the details of the intervening networks. For the frame relay network, what we have referred to as the network access layer consists of a single frame relay protocol. In the case of the IEEE 802 LAN, the network access layer consists of two sublayers: the logical link control (LLC) layer and the media access control (MAC) layer. For purposes of this discussion, we need not describe these layers in any detail, but they are explored in subsequent chapters.

27 Operation of TCP/IP: Action at Sender
Figures 8.10 through 8.12 outline typical steps in the transfer of a block of data, such as a file or a Web page, from the server, through an internet, and ultimately to an application in the workstation. In this example, the message passes through just one router. Before data can be transmitted, the application and transport layers in the server establish, with the corresponding layers in the workstation, the applicable ground rules for a communication session. These include character code to be used, error-checking method, and the like. The protocol at each layer is used for this purpose and then is used in the transmission of the message. (Figure is on page 225 in text)

28 Operation of TCP/IP: Action at Router
(Figure is on page 226 in text)

29 Operation of TCP/IP: Action at Receiver
(Figure is on page 227 in text)

30 Virtual Private Network (VPN)
Consists of a set of computers that interconnect by means of a relatively unsecure network Makes use of encryption and special protocols to provide security In today’s distributed computing environment, the virtual private network (VPN) offers an attractive solution to network managers. In essence, a VPN consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security. At each corporate site, workstations, servers, and databases are linked by one or more LANs. The LANs are under the control of the network manager and can be configured and tuned for cost-effective performance. The Internet or some other public network can be used to interconnect sites, providing a cost savings over the use of a private network and offloading the WAN management task to the public network provider. That same public network provides an access path for telecommuters and other mobile employees to log on to corporate systems from remote sites. But the manager faces a fundamental requirement: security. Use of a public network exposes corporate traffic to eavesdropping and provides an entry point for unauthorized users. To counter this problem, the manager may choose from a variety of encryption and authentication packages and products. Proprietary solutions raise a number of problems. First, how secure is the solution? If proprietary encryption or authentication schemes are used, there may be little reassurance in the technical literature as to the level of security provided. Second is the question of compatibility. No manager wants to be limited in the choice of workstations, servers, routers, firewalls, and so on by a need for compatibility with the security facility. This is the motivation for the IP security (IPsec) set of Internet standards.

31 IP Security (IPsec) Provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet Examples of its use include: Secure branch office connectivity over the Internet Secure remote access over the Internet Establishing extranet and intranet connectivity with partners Enhancing electronic commerce security Principal feature is that it can encrypt and/or authenticate all traffic at the IP level Thus, all distributed applications, including remote logon, client/server, , file transfer, and Web access can be secured IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following: • Secure branch office connectivity over the Internet: A company can build a secure VPN over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. • Secure remote access over the Internet: An end user whose system is equipped with IPsec protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. • Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. • Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security. IPsec guarantees that all traffic designated by the network administrator is both encrypted and authenticated, adding an additional layer of security to whatever is provided at the application layer. The principal feature of IPsec that enables it to support these varied applications is that it can encrypt and/or authenticate all traffic at the IP level. Thus, all distributed applications, including remote logon, client/server, , file transfer, Web access, and so on, can be secured.

32 An IP Security Scenario
Figure 8.13 is a typical scenario of IPsec usage. An organization maintains LANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. For traffic off-site, through some sort of private or public WAN, IPsec protocols are used. These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPsec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPsec protocols to provide security.

33 Benefits of IPsec Some of the benefits of IPsec are as follows:
Provides stronger security to routers and firewalls Is resistant to bypass within a firewall Is transparent to applications Is transparent to end users Can provide security for individual users if needed Some of the benefits of IPsec are as follows: • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing. • IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization. • IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected. • IPsec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization. • IPsec can provide security for individual users if needed. This is useful for off-site workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.

34 IPsec Functions IPsec provides three main facilities:
An authentication-only function referred to as Authentication Header (AH) A combined authentication/encryption function called Encapsulating Security Payload (ESP) A key exchange function IPsec provides three main facilities: an authentication-only function referred to as Authentication Header (AH), a combined authentication/encryption function called Encapsulating Security Payload (ESP), and a key exchange function. For VPNs, both authentication and encryption are generally desired, because it is important both to (1) assure that unauthorized users do not penetrate the VPN and (2) assure that eavesdroppers on the Internet cannot read messages sent over the VPN. Because both features are generally desirable, most implementations are likely to use ESP rather than AH. The key exchange function allows for manual exchange of keys as well as an automated scheme.

35 Summary Chapter 8: TCP/IP Internetworking
Routers The TCP/IP architecture TCP/IP layers Operation of TCP/IP TCP and UDP IP and IPv6 TCP/IP applications Protocol interfaces A simple protocol architecture The need for a protocol architecture Three-layer model Standardized protocol architectures Virtual private networks and IP security IPsec Applications of IPsec Benefits of IPsec IPsec functions Chapter 8 summary. Chapter 8: TCP/IP


Download ppt "Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”."

Similar presentations


Ads by Google