1. 23.1 Chapter 23 Process-to-Process Delivery: UDP, TCP, and SCTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2. 23.2 Transport layer duties

3. 23.3 23-1 PROCESS-TO-PROCESS DELIVERY Overview: The transport layer is responsible for process-to-process delivery—the delivery of a packet, part of a message, from one process to another. Two processes communicate in a client/server relationship.

4. 23.4 The transport layer is responsible for process-to-process delivery – the delivery of a packet, part of a message, from one process to another. Note

5. 23.5 Figure 23.1 Types of data deliveries

6. 23.6 Client/Server Paradigm

7. 23.7 Client/Server Paradigm If several people in the office need to communicate with remote personnel via SMS, it is not necessary to equip each computer with a GSM modem. Headwind SMS suite allows to share one GSM modem between several computers. The computer connected with a GSM modem (server) must be equipped with Headwind GSM Modem Driver, which uses DCOM (Distributed Component Object Model) technology to provide access to the SMS capabilities to other computers (clients) in the network.

8. 23.8 Client/Server Paradigm Operating systems today support both multiuser and multiprogramming environments.

9. 23.9 Addressing

10. 23.10 Addressing

11. 23.11 Addressing

12. 23.12 Figure 23.2 Port numbers

13. 23.13 Figure 23.3 IP addresses versus port numbers

14. 23.14 Addressing In the Internet model, the port numbers are 16-bit integers between 0 and 65,535.

15. 23.15 Summary In the client-server paradigm, an application program on the local host, called the client, needs services from an application program on the remote host, called a server. The server program is assigned a universal port number called a well-known port number. The client program is assigned a random port number called the ephemeral port number.

16. 23.16 IANA* Ranges Well Known Ports: 0 to 1023 Registered Ports: 1024 to 49,151 Dynamic Ports: 49,152 to 65,535 * Internet Assigned Number Authority

17. 23.17 Figure 23.4 IANA ranges

18. 23.18 Socket Addresses Process to Process delivery needs two identifiers, IP address, and port number, at each end to make a connection.

19. 23.19 Figure 23.5 Socket address

20. 23.20 Socket Addresses A Transport Layer protocol needs a pair of socket addresses; the client socket address and the server socket address.

21. Review The transport layer is where data is encapsulated into segments. These segments are then sent using either TCP or UDP protocols. TCP is a connection-oriented protocol, which means the sender does not send any data to the destination node until the destination node acknowledges that it is listening to the sender. 23.21

22. TCP Ports A port is the logical, not physical component, of a TCP connection. Every TCP connection requires a source and destination port in addition to any other addressing scheme, such as IP addressing. The port identifies the service that is running. In TCP packets, ports are identified using a 16- bit number. TCP packets have two such fields: source port and destination port. 23.22

23. TCP Ports Ports also help network administrators to identify, stop, or disable services that are not really needed. As a network administrator or IT professional, you should be familiar with ports and control their use. Open ports are an invitation for attacks. Port numbers can go up to 65,535 but only the first 1023 ports are considered well-known. Let’s check www.iana.org for a list of well-known ports.www.iana.org 23.23

24. State Table example 23.24

25. 23.25 Figure 23.6 Multiplexing and demultiplexing

26. 23.26 Figure 23.7 Error control

27. 23.27 Figure 23.8 Position of UDP, TCP, and SCTP in TCP/IP suite

28. 23.28 23-2 USER DATAGRAM PROTOCOL (UDP) Overview: The User Datagram Protocol (UDP) is called a connectionless, unreliable transport protocol. It does not add anything to the services of IP except to provide process-to-process communication instead of host-to-host communication.

29. 23.29 Table 23.1 Well-known ports used with UDP

30. UDP - Summary UDP is a fast but unreliable protocol that also operates on the transport layer of the TCP/IP stack. UDP is unreliable because it does not verify whether the receiver is listening or ready to receive. This is the reason why UDP is also known as a connectionless protocol. Although unreliable, UDP is widely used on the Internet because of its speed. Higher layers of the TCP/IP stack are responsible for providing reliability. 23.30

31. 23.31 In UNIX, the well-known ports are stored in a file called /etc/services. Each line in this file gives the name of the server and the well-known port number. We can use the grep utility to extract the line corresponding to the desired application. The following shows the port for FTP. Note that FTP can use port 21 with either UDP or TCP. Example 23.1

32. 23.32 Example 23.1 (continued) SNMP uses two port numbers (161 and 162), each for a different purpose.

33. 23.33 Figure 23.9 User datagram format

34. 23.34 UDP length = IP length – IP header’s length Note

35. 23.35 Figure 23.10 Pseudoheader for checksum calculation

36. 23.36 Figure 23.11 shows the checksum calculation for a very small user datagram with only 7 bytes of data. Because the number of bytes of data is odd, padding is added for checksum calculation. The pseudoheader as well as the padding will be dropped when the user datagram is delivered to IP. Example 23.2

37. 23.37 Figure 23.11 Checksum calculation of a simple UDP user datagram

38. 23.38 Figure 23.12 Queues in UDP

39. 23.39 23-3 TCP Overview: TCP is a connection-oriented protocol; it creates a virtual connection between two TCPs to send data. In addition, TCP uses flow and error control mechanisms at the transport level. TCP Services TCP Features Segment A TCP Connection Flow Control Error Control Topics discussed in this section:

40. 23.40 Table 23.2 Well-known ports used by TCP

41. 23.41 Figure 23.13 Stream delivery

42. 23.42 Figure 23.14 Sending and receiving buffers

43. 23.43 Figure 23.15 TCP segments

44. 23.44 The bytes of data being transferred in each connection are numbered by TCP. The numbering starts with a randomly generated number. Note

45. 23.45 Example Imagine a TCP connection is transferring a file of 6000 bytes. The first byte is numbered 10,010. What are the sequence numbers for each segment if data are sent in five segments with the first four segments carrying 1000 bytes and the last segment carrying 2000 bytes? Solution The following shows the sequence number for each segment: Segment 1 ==> sequence number: 10,010 (range: 10,010 to 11,009) Segment 2 ==> sequence number: 11,010 (range: 11,010 to 12,009) Segment 3 ==> sequence number: 12,010 (range: 12,010 to 13,009) Segment 4 ==> sequence number: 13,010 (range: 13,010 to 14,009) Segment 5 ==> sequence number: 14,010 (range: 14,010 to 16,009)

46. 23.46 The value in the sequence number field of a segment defines the number of the first data byte contained in that segment. Note

47. 23.47 The value of the acknowledgment field in a segment defines the number of the next byte a party expects to receive. The acknowledgment number is cumulative. Note

48. 23.48 Figure 23.16 TCP segment format

49. 23.49 Header fields  Source port address: A 16-bit value that defines the port number of the application program in the host that is sending the segment  Destination port address: A 16-bit value that defines the port number of the application program in the host that is receiving the segment  Sequence number: A 32-bit value that defines the number assigned to the first byte of data contained in this segment  Acknowledge number: A 16-bit value that defines the byte number that the sender of the segment is expecting to receive from the other party  Header length: A 4-bit value that indicates the number of 4-byte words in the TCP header  Reserved: A 6-bit field reserved for future use  Control: A 6-bit field that defines 6 different control bits or flags, as shown in figure 22.15

50. 23.50 Header fields (cont.)  Window size: A 16-bit value in bytes that the other party must maintain  Checksum: A 16-bit checksum; its calculation follows the UDP procedure  Urgent pointer: A 16-bit value, which is valid only if the urgent flag is set, is used when the segment contains urgent data  Options: There can be up to 40 bytes of optional information in the TCP header

51. 23.51 Figure 23.17 Control field

52. 23.52 Table 23.3 Description of flags in the control field

53. The TCP three-way handshake process : Host A sends a TCP packet with the SYN flag set (that is, a SYN packet) to Host B. After receiving the packet, Host B sends Host A its own SYN packet with an ACK flag (a SYN-ACK packet) set. In response to the SYN-ACK packet from Host B, Host A sends Host B a TCP packet with the ACK flag set (an ACK packet). 23.53

54. TCP SEGMENT HEADERS As an IT professional, it is important for you to clearly understand the critical components of a TCP header. Hackers usually try to exploit these components to discover vulnerabilities and perform attacks. Critical components include: TCP flags Initial Sequence Number (ISN) Source and destination port 23.54

55. Initial Sequence Number (ISN) Let’s define ISN as a 32-bit number that tracks the packets received by the node and enables the reassembly of large packets that have been broken up into smaller packets. Two hosts exchange their ISNs during steps 1 and 2 of the TCP three-way handshake. 23.55

56. Note of Interest Kevin Mitnick, the legendary hacker, is now a security consultant to corporations worldwide and a cofounder of Defensive Thinking. Find out more about him at http://en.wikipedia.org/wiki/Kevin_Mitnick http://en.wikipedia.org/wiki/Kevin_Mitnick 23.56

57. 23.57 Figure 23.18 Connection establishment using three-way handshaking  Since steps 2 and 3 can occur at the same time, they can be combined into one step

58. 23.58 A SYN segment cannot carry data, but it consumes one sequence number. Note

59. 23.59 A SYN + ACK segment cannot carry data, but does consume one sequence number. Note

60. 23.60 An ACK segment, if carrying no data, consumes no sequence number. Note

61. 23.61 SYN Flooding The connection establishment procedure in TCP is susceptible to a serious security problem called the SYN flooding attack.

62. 23.62

63. 23.63 SYN Flooding The TCP server then sends the SYN + ACK segments to the fake clients, which are lost. During this time, however, a lot of resources are occupied without being used. If, during this short time, the number of SYN segments is large, the server eventually runs out of resources and may crash. This SYN flooding attack belongs to a type of security attack known as a denial-of-service attack, in which an attacker monopolizes a system with so many service requests that the system collapses and denies service to every request.

64. 23.64 SYN Flooding Some implementations of TCP have strategies to alleviate the effects of a SYN attack. Some have imposed a limit on connection requests during a specified period of time. Others filter out datagrams coming from unwanted source addresses. One recent strategy is to postpone resource allocation until the entire connection is set up, using what is called a cookie. SCTP, the new transport layer protocol that we discuss in the next section, uses this strategy.

65. 23.65 Figure 23.19 Data transfer

66. 23.66 Figure 23.20 Connection termination using three-way handshaking

67. 23.67 The FIN segment consumes one sequence number if it does not carry data. Note

68. 23.68 The FIN + ACK segment consumes one sequence number if it does not carry data. Note

69. 23.69 Structure of the OSI Reference Model (continued)

70. 23.70 Structure of the OSI Reference Model Communication between peer layers is “virtual” In reality, communications pass up and down the protocol stacks on both machines As data gets passed from layer to layer, it’s divided into data units appropriate for the layer Protocol data units (PDUs) are passed as a self-contained data structure from layer to layer Encapsulation process adds “headers” to allow successful delivery of each layer’s payload Decapsulation strips header information on way up No layer can pass information directly to its peer counterpart except for the Physical layer

71. 23.71 Transport Layer Layer 4; PDU: segment Manages end-to-end transfer of data Segments long data streams into chunks Resequences chunks into original data on receipt Includes error checks to ensure error-free delivery Handles flow control E.g., TCP (TCP/IP) and SPX (from IPX/SPX) Layer 4 problems include a corrupt protocol stack and segments that are too large for the medium between the source and destination networks The latter forces Network layer to fragment segments, which causes performance degradation

72. 23.72 Transport Layer (continued)

73. 23.73 Network Layer Layer 3; PDU: packet Handles addressing messages for delivery Translates logical addresses into physical addresses Determines how to route transmissions from sender to receiver (routing process) Traffic cop for network activity and handles routing and access control (during routing process) E.g., IP (from TCP/IP) and IPX (from SPX/IPX) Possible problems: incorrect IP addresses or subnet masks, incorrect router configuration, and router operation errors

74. 23.74 Network Layer

75. 23.75 Understanding Types of Data Frames Unicast frame: addressed to only one computer Adapters read the frames and pass them to higher layers only if the destination address in the frame header matches their own address Broadcast frame: created for all computers on a network Destination address is a value of all binary 1s Multicast frame: created for any computers on a network that “listen” to a shared network address A special kind of address allows any interested receiver to read these data streams

76. 23.76 Connectionless Versus Connection- Oriented Protocols Protocols that use connectionless delivery place data on the network and assume it will get through Connectionless protocols aren’t entirely reliable Are fast: little overhead, don’t waste time establishing/managing/tearing down connections Connection-oriented protocols are more reliable and, consequently, slower Two computers establish a connection before data transfer begins In a connection, data is sent in an orderly fashion Ensures that all data is received and is accurate, or that suitable error messages are generated

77. 23.77 Protocols in a Layered Architecture

78. 23.78 Transport Protocols Transport protocols can be connection- oriented (reliable) or connectionless (best-effort) delivery Transmission Control Protocol (TCP) Responsible for reliable data delivery in TCP/IP Sequential Packet Exchange (SPX) Novell’s connection-oriented protocol used to guarantee data delivery NetBIOS/NetBEUI NetBIOS establishes/manages communications between computers and provides naming services NetBEUI provides data transport services for these communications

79. 23.79 TCP/IP Network Layer Protocols Internet Protocol version 4 (IPv4) is a Network layer protocol that provides source and destination addressing and routing for the TCP/IP suite Connectionless protocol; fast but unreliable Internet Control Message Protocol (ICMP) is a Network layer protocol used to send error and control messages between systems or devices The Ping utility uses ICMP to request a response from a remote host to verify availability Address Resolution Protocol (ARP) resolves logical (IP) addresses to physical (MAC) addresses

80. 23.80 IP, ICMP, and ARP in Action

81. 23.81 TCP/IP Transport Layer Protocols Transmission Control Protocol (TCP) is the primary Internet transport protocol Connection oriented using a three-way handshake Message fragmentation and reassembly Uses acknowledgements to ensure that all data was received and to provide flow control User Datagram Protocol (UDP) is connectionless Generally faster, although less reliable, than TCP Doesn’t segment data or resequence packets Doesn’t use acknowledgements for reliability Used by NFS and DNS

82. 23.82 TCP/IP Application Layer Protocols Domain Name System (DNS) Session layer name-to-address resolution protocol Hypertext Transport Protocol (HTTP) To transfer Web pages from Web server to browser File Transfer Protocol (FTP) For file transfer and directory and file manipulation Telnet Remote terminal emulation; operates at layers 7-5 Simple Mail Transport Protocol (SMTP) Operates at layers 7-5; provides messaging services

83. 23.83 Flow Control TCP uses a sliding window, as discussed in Chapter 11, to handle flow control.

84. 23.84 Figure 23.22 Sliding window

85. 23.85 A sliding window is used to make transmission more efficient as well as to control the flow of data so that the destination does not become overwhelmed with data. TCP sliding windows are byte-oriented. Note

86. 23.86 Note: The size of the window at one end is determined by the lesser of two values: receiver window (rwnd) or congestion window (cwnd). The receiver window is the value advertised by the opposite end in a segment containing acknowledgement.

87. 23.87 Sender buffer  The buffer contains bytes that a host can send before worrying about acknowledgement from the other host

88. 23.88 Receiver window  The receiver window establishes how many bytes the receiver can store

89. 23.89 Sender buffer and sender window  We have flow control if the sender creates a window –the sender window- with a size less than or equal to the size of the receiver window

90. 23.90 Sliding the sender window  Messages from the receiver change the position of the sender window.

91. 23.91 Expanding the sender window  If the receiving process consumes data faster than it receives, the size of the receiver window expands

92. 23.92 Shrinking the sender window  If the receiving process consumes data more slowly than it receives data, the size of the receiver window decreases

93. 23.93 What is the value of the receiver window (rwnd) for host A if the receiver, host B, has a buffer size of 5000 bytes and 1000 bytes of received and unprocessed data? Example 23.4 Solution The value of rwnd = 5000 − 1000 = 4000. Host B can receive only 4000 bytes of data before overflowing its buffer. Host B advertises this value in its next segment to A.

94. 23.94 What is the size of the window for host A if the value of rwnd is 3000 bytes and the value of cwnd is 3500 bytes? Example 23.5 Solution The size of the window is the smaller of rwnd and cwnd, which is 3000 bytes.

95. 23.95 Figure 23.23 (next slide) shows an unrealistic example of a sliding window. The sender has sent bytes up to 202. We assume that cwnd is 20 (in reality this value is thousands of bytes). The receiver has sent an acknowledgment number of 200 with an rwnd of 9 bytes (in reality this value is thousands of bytes). The size of the sender window is the minimum of rwnd and cwnd, or 9 bytes. Bytes 200 to 202 are sent, but not acknowledged. Bytes 203 to 208 can be sent without worrying about acknowledgment. Bytes 209 and above cannot be sent. Example 23.6

96. 23.96 Figure 23.23 Example 23.6

97. 23.97 Some points about TCP sliding windows: ❏ The size of the window is the lesser of rwnd and cwnd. ❏ The source does not have to send a full window’s worth of data. ❏ The window can be opened or closed by the receiver, but should not be shrunk. ❏ The destination can send an acknowledgment at any time as long as it does not result in a shrinking window. ❏ The receiver can temporarily shut down the window; the sender, however, can always send a segment of 1 byte after the window is shut down. Note

98. 23.98 Error Control TCP is a reliable transport layer protocol. This means that an application program that delivers a stream of data to TCP relies on TCP to deliver the entire stream to the application program on the other end in order, without error, and without any part lost or duplicated

99. 23.99 ACK segments do not consume sequence numbers and are not acknowledged. Note TCP uses acknowledgements to conform the receipt of data segments. Control segments that carry no data but consume a sequence number are also acknowledged.

100. 23.100 In modern implementations, a retransmission occurs if the retransmission timer expires or three duplicate ACK segments have arrived. Note The heart of the error control mechanism is the retransmission of segments. When a segment is corrupted, lost, or delayed, it is retransmitted.

101. 23.101 No retransmission timer is set for an ACK segment. Note Note that no retransmission occurs of segments that do not consume sequence numbers. In particular, there is no transmission for an ACK segment.

102. 23.102 Data may arrive out of order and be temporarily stored by the receiving TCP, but TCP guarantees that no out-of-order segment is delivered to the process. Note Out-of-order segments:

103. Key Terms ACK —A TCP flag that acknowledges a TCP packet with SYN-ACK flags set. connection-oriented —A method of transferring data over a network that requires a session connection before data is sent. With TCP/IP, this step is accomplished by sending a SYN packet. connectionless — With a connectionless protocol, no session connection is required before data is transmitted. UDP and IP are examples of connectionless protocols. initial sequence number (ISN) —A number that keeps track of what packets a node has received. Internet Assigned Numbers Authority (IANA) — The organization responsible for assigning IP addresses. 23.103

104. Key Terms Internet Control Message Protocol (ICMP) —The protocol used to send informational messages and test network connectivity. port —The logical component of a connection that identifies the service running on a network device. For example, port 110 is the POP3 mail service. protocol —A language used to transmit data across a network infrastructure. 23.104

105. Key Terms session hijacking—An attack on a network that requires guessing ISNs. See also initial sequence number (ISN). SYN —A TCP flag that signifies the beginning of a session. SYN-ACK —A reply to a SYN packet sent by a host. 23.105

106. Key Terms TCP flag —The six flags in a TCP header are switches that can be set to on or off to indicate the status of a port or service. three-way handshake —The method the transport layer uses to create a connection-oriented session. 23.106

107. Key Terms Transmission Control Protocol/Internet Protocol (TCP/IP) —The main protocol used to connect computers over the Internet. User Datagram Protocol (UDP) —A fast, unreliable transport layer protocol that is connectionless. 23.107

108. 23.108 23-4 SCTP Overview: Stream Control Transmission Protocol (SCTP) is a new reliable, message-oriented transport layer protocol. SCTP, however, is mostly designed for Internet applications that have recently been introduced. These new applications need a more sophisticated service than TCP can provide. SCTP Services and Features Packet Format An SCTP Association Flow Control and Error Control Topics discussed in this section:

109. 23.109 UDP UDP is a message-oriented protocol. A process delivers a message to UDP, which is encapsulated in a user datagram and sent over the network. UDP conserves the message boundaries; each message is independent of any other message.

110. 23.110 TCP TCP is a byte-oriented protocol. It receives a message or messages from a process, stores them as a stream of bytes, and sends them in segments.

111. 23.111 SCTP SCTP combines the best features of UDP and TCP. SCTP is a reliable message- oriented protocol

112. 23.112 Table 23.4 Some SCTP applications

113. 23.113 An association in SCTP can involve multiple streams. Note

114. 23.114 Figure 23.27 Multiple-stream concept

115. 23.115 Figure 23.28 Multihoming concept

116. 23.116 SCTP “Packets” Data are carried as data chunks, control information is carried as control chunks.

117. 23.117 Figure 23.29 Comparison between a TCP segment and an SCTP packet

118. 23.118 SCTP “Packets” Steps 1 through 8 – p. 739 -740.

119. 23.119 SCTP “Packets” Steps 1 through 8 – p. 739 -740.

120. 23.120 SCTP “Packets” Steps 1 through 8 – p. 739 -740.

121. 23.121 SCTP association allows multiple IP addresses for each end. Note

122. 23.122 In SCTP, a data chunk is numbered using a TSN (Transmission Sequence Number). Note

123. 23.123 To distinguish between different streams, SCTP uses an SI (Stream Identifier). Note

124. 23.124 To distinguish between different data chunks belonging to the same stream, SCTP uses SSNs (Stream Sequence Numbers). Note

125. 23.125 TCP has segments; SCTP has packets. Note

126. 23.126 In SCTP, control information and data information are carried in separate chunks. Note

127. 23.127 Figure 23.30 Packet, data chunks, and streams

128. 23.128 Data chunks are identified by three items: TSN, SI, and SSN. TSN is a cumulative number identifying the association; SI defines the stream; SSN defines the chunk in a stream. Note TSN = Transmission Sequence Number SI = Stream Identifier SSN = Stream Sequence Number

129. 23.129 In SCTP, acknowledgment numbers are used to acknowledge only data chunks; control chunks are acknowledged by other control chunks if necessary. Note

130. 23.130 Figure 23.31 SCTP packet format

131. 23.131 In an SCTP packet, control chunks come before data chunks. Note

132. 23.132 Figure 23.32 General header

133. 23.133 Table 23.5 Chunks

134. 23.134 A connection in SCTP is called an association. Note

135. 23.135 No other chunk is allowed in a packet carrying an INIT or INIT ACK chunk. A COOKIE ECHO or a COOKIE ACK chunk can carry data chunks. Note

136. 23.136 Figure 23.33 Four-way handshaking

137. 23.137 In SCTP, only DATA chunks consume TSNs; DATA chunks are the only chunks that are acknowledged. Note

138. 23.138 Figure 23.34 Simple data transfer

139. 23.139 The acknowledgment in SCTP defines the cumulative TSN, the TSN of the last data chunk received in order. Note

140. 23.140 Figure 23.35 Association termination

141. 23.141 Figure 23.36 Flow control, receiver site

142. 23.142 Figure 23.37 Flow control, sender site

143. 23.143 Figure 23.38 Flow control scenario

144. 23.144 Figure 23.39 Error control, receiver site

145. 23.145 Figure 23.40 Error control, sender site