
TCP/IP & IPv6


TCP/IP provides end-to-end connectivity, specifying how data should be formatted, addressed, transmitted, routed and received at the destination. The TCP/IP model and its related protocols are maintained by the Internet Engineering Task Force (IETF). The Internet protocol suite and its layered protocol stack design were in use before the OSI model was established. It has four abstraction layers, each with its own protocols. From highest to lowest, the layers are

Internet Protocol

The OSI physical layer and data link layer do not define how to deliver data between devices that are not directly connected, that is, across multiple intermediate devices. The OSI network layer provides end-to-end delivery of data between endpoints regardless of the physical networks in between; in other words, the network layer specifies how data is routed. IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering datagrams from the source host to the destination host based solely on their addresses. For this purpose, IP defines datagram structures that encapsulate the data to be delivered. It also defines the addressing methods used to label the datagram's source and destination. The OSI network layer has the following functions

IP Packets – IP packets are composed of a header and a payload, as shown

IP Header

The IPv4 packet header consists of

After those 160 bits, optional fields of varying length can follow, depending on the protocol used, and then the data the packet carries is added. An IP packet has no trailer. However, an IP packet is often carried as the payload inside an Ethernet frame, which has its own header and trailer.

IP Routing – A data packet is routed from source to destination by passing through one or more routers and networks. IP routing protocols enable routers to build a forwarding table that relates a final destination address to a next-hop address. Protocols used in routing include BGP (Border Gateway Protocol), IS-IS (Intermediate System to Intermediate System), OSPF (Open Shortest Path First) and RIP (Routing Information Protocol).

IP routing is done on a hop-by-hop basis. IP does not know the complete route to any destination (except directly connected ones). IP routing provides the IP address of the next-hop router to which the data is sent, and that next-hop router is assumed to be closer to the destination. IP routing performs the following actions

If none of the steps works, the datagram is undeliverable. If the undeliverable datagram was generated on this host, a “host unreachable” or “network unreachable” error is normally returned to the application that generated it. Each entry in the routing table has

IP routing protocols load routing tables with valid, loop-free routes and involve functions such as

Every routing protocol advertises its routes as

IP Addressing – An IP address is a 32-bit binary number that looks like the following

00000100 10000000 00000011 00000001

It is divided into four 8-bit chunks, called octets, each represented as a decimal number for humans to read, like 4.128.3.1. An IP address consists of two parts

Hosts on a network can communicate with devices in the same network by MAC address, but for different networks a router is needed to move the data. Each LAN has a unique network ID, and all hosts on that network have the same network ID but different host IDs. A network ID enables a router to put a packet onto the correct network segment. To decide which network is correct, the router looks up a routing table, which contains entries for network addresses (network ID with all host bits set to 0). Each network interface uses a unique IP address.

A, B, and C Classes of Networks – IP addresses are divided into classes to accommodate networks of different sizes, as

The addresses at the beginning and end of each class are called the network address and the broadcast address, respectively. These two special IP addresses are reserved and are detailed as

The Class A, B, C, D and E IP address ranges are summarized as

Class  Leading bits  Start        End              Network bits  Host bits
A      0             0.0.0.0      127.255.255.255  8             24
B      10            128.0.0.0    191.255.255.255  16            16
C      110           192.0.0.0    223.255.255.255  24            8
D      1110          224.0.0.0    239.255.255.255  -             -

The Internet Corporation for Assigned Names and Numbers (ICANN, www.icann.org) is in charge of universal IP address assignment, and ICANN delegates regional authority to other cooperating organizations.

IP Subnetting – Many hosts in the same network segment add heavy data traffic, and packets slow down because of collisions and retransmissions; this can be avoided by subnetting. Subnetting divides a single network address into many segments, each with its own unique address, by placing routers between the network segments. All network segments are connected to the Internet through a single gateway router, which hides the details of the internal network so that it appears as a single IP network address. Other benefits of subnetting are

A subnet is defined by changing the bit mask of the IP address, that is, by “borrowing” bits from the default host bits. A subnet address includes the original classful network portion plus a subnet field; together these are called the extended network prefix. Because of the subnet field, the mask becomes longer than the default mask for the address class. In a subnet mask, the network bits are represented by 1s and the host bits by 0s, so a bitwise logical AND between the IP address and the subnet mask yields the network address (also called the network number or subnet address). A subnet mask is only used locally; elsewhere the address is referred to as a standard IP address.

Before sending a packet, a host determines whether the destination address is on the local network by comparing the network bits of the destination address with its own network bits. If they are the same, the data transfer uses the ARP process to bind the destination IP address to the destination MAC address; otherwise, the sender forwards the data to the MAC address of the default gateway, which routes the packet across subnets.

Using a subnet mask of 255.255.255.192, a 192.168.123.0 network becomes four networks: 192.168.123.0, 192.168.123.64, 192.168.123.128 and 192.168.123.192. These four networks have the following valid host addresses

192.168.123.1-62, 192.168.123.65-126, 192.168.123.129-190 and 192.168.123.193-254

The network part is expressed in CIDR notation, written as the first address of a network, followed by a slash character (/), and ending with the bit length of the prefix. For example, 192.168.1.0/24 is the prefix of the network starting at the given address, with 24 bits allocated for the network prefix and the remaining 8 bits reserved for host addressing. The IPv6 address specification 2001:db8::/32 is a large network with 2^96 addresses and a 32-bit routing prefix. In IPv4 the network prefix is also specified in the form of the subnet mask, which is expressed in quad-dotted decimal representation like an address. For example, 255.255.255.0 is the network mask for the 192.168.1.0/24 prefix. Another example of subnetting explains the concept –

Original network address & subnet mask:   192.168.6.0 255.255.255.0
New subnet mask:                          255.255.255.192
Bits borrowed (last octet in binary):     192.168.6.11|000000
Number of possible subnets:               4
Each subnet address increments by 64

1st network   192.168.6.0     1st usable  192.168.6.1     last usable  192.168.6.62    broadcast  192.168.6.63
2nd network   192.168.6.64    1st usable  192.168.6.65    last usable  192.168.6.126   broadcast  192.168.6.127
3rd network   192.168.6.128   1st usable  192.168.6.129   last usable  192.168.6.190   broadcast  192.168.6.191
4th network   192.168.6.192   1st usable  192.168.6.193   last usable  192.168.6.254   broadcast  192.168.6.255
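The subnetting arithmetic above, as an added example that is not part of the original tutorial: a small calculator that reproduces the 192.168.6.0/24 split with mask 255.255.255.192, and the "same network?" test a host performs before choosing between ARP and the default gateway. It also rejects non-contiguous masks, which the AND rule silently accepts.

```python
# Added example (not from the original tutorial): subnet calculator built on
# the bitwise AND of address and mask described in the text.

def ip_to_int(addr):
    """Parse dotted-quad text into a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")

def int_to_ip(n):
    """Inverse of ip_to_int: 32-bit integer back to dotted-quad text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_len(mask):
    """Length of a subnet mask in bits; a mask must be contiguous 1s then 0s."""
    m = ip_to_int(mask)
    # For a valid mask, filling the bits below the lowest 1 yields all ones.
    if m != 0 and (m | (m - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(m).count("1")

def network_of(addr, mask):
    """Bitwise AND of address and mask gives the network (subnet) address."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))

def same_network(src, dst, mask):
    """The local-delivery test: equal network bits -> ARP, else use the gateway."""
    return network_of(src, mask) == network_of(dst, mask)

def subnets(network, old_mask, new_mask):
    """Split network/old_mask into the subnets defined by the longer new_mask.
    Returns one dict per subnet with network, first/last usable and broadcast."""
    old_len, new_len = prefix_len(old_mask), prefix_len(new_mask)
    if new_len <= old_len:
        raise ValueError("new mask must borrow at least one host bit")
    base = ip_to_int(network) & ip_to_int(old_mask)
    size = 1 << (32 - new_len)          # addresses per subnet
    count = 1 << (new_len - old_len)    # 2 ** borrowed bits
    result = []
    for i in range(count):
        net = base + i * size
        usable = size >= 4              # /31 and /32 leave no first/last host
        result.append({
            "network": int_to_ip(net),
            "first": int_to_ip(net + 1) if usable else None,
            "last": int_to_ip(net + size - 2) if usable else None,
            "broadcast": int_to_ip(net + size - 1),
        })
    return result

if __name__ == "__main__":
    for s in subnets("192.168.6.0", "255.255.255.0", "255.255.255.192"):
        print(s)
    print(same_network("192.168.123.5", "192.168.123.70", "255.255.255.192"))
```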

Host & Router Routing

Host Routing – Hosts use simple routing logic when choosing where to send a packet. This two-step logic is as follows

Router Routing – When a router receives a packet that is not destined for itself, it delivers the packet either to the destination host or to another router, according to the following logic

PING – It is a utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer. Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response. In the process it measures the time from transmission to reception (round-trip time) and records any packet loss.

The ping command can be run with various command line switches to enable special operational modes, like specifying packet size used, automatic repeated operation and time stamping. Ping may be abused as a simple form of denial-of-service attack in the form of a ping flood, in which the attacker overwhelms the victim with ICMP echo request packets.

Command Result
ping <ip address> It PINGs a remote host by IP address, succeed if the network path and the remote host are working and the PINGs are not blocked.
ping <host name> It PINGs a host by name. If DNS is working, it will succeed.

IPv6

IPv6 (Internet Protocol version 6) is a set of specifications from the Internet Engineering Task Force (IETF) that’s essentially an upgrade of IP version 4 (IPv4). The basics of IPv6 are similar to those of IPv4 — devices can use IPv6 as source and destination addresses to pass packets over a network, and tools like ping work for network testing as they do in IPv4, with some slight variations.

The most obvious improvement in IPv6 over IPv4 is that IP addresses are lengthened from 32 bits to 128 bits. This extension anticipates considerable future growth of the Internet and provides relief for what was perceived as an impending shortage of network addresses. IPv6 also supports auto-configuration to help correct most of the shortcomings in version 4, and it has integrated security and mobility features.

IPv6 features include:

IPv6 Packet – An IPv6 packet has two parts: a header and payload.

The header consists of a fixed portion with minimal functionality required for all packets and may be followed by optional extensions to implement special features.

The fixed header occupies the first 40 octets (320 bits) of the IPv6 packet. It contains the source and destination addresses, traffic classification options, a hop counter, and the type of the optional extension or payload which follows the header. This Next Header field tells the receiver how to interpret the data which follows the header. If the packet contains options, this field contains the option type of the next option. The “Next Header” field of the last option points to the upper-layer protocol that is carried in the packet's payload.

Extension headers carry options that are used for special treatment of a packet in the network, e.g., for routing, fragmentation, and for security using the IPsec framework. Without special options, a payload must be less than 64KB. With a Jumbo Payload option (in a Hop-By-Hop Options extension header), the payload must be less than 4 GB. Unlike with IPv4, routers never fragment a packet. Hosts are expected to use Path MTU Discovery to make their packets small enough to reach the destination without needing to be fragmented.

IPv6 Addressing – An IPv6 address is made of 128 bits divided into eight 16-bit blocks. Each block is then converted into a 4-digit hexadecimal number, and the blocks are separated by colons. For example, below is a 128-bit IPv6 address represented in binary and divided into eight 16-bit blocks:

0010000000000001 0000000000000000 0011001000111000 1101111111100001 0000000001100011 0000000000000000 0000000000000000 1111111011111011

Each block is then converted into hexadecimal and separated by the ‘:’ symbol:

2001:0000:3238:DFE1:0063:0000:0000:FEFB

Even after conversion to hexadecimal, an IPv6 address remains long.
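The binary-to-hexadecimal conversion above, carried through in code as an added example that is not part of the original tutorial; it goes one step further and applies the standard shortening rules (drop leading zeros, replace the longest run of all-zero blocks with "::", lowercase hex, as RFC 5952 recommends) that make the written form usable.

```python
# Added example (not from the original tutorial): IPv6 text representation.
# PAGE_BITS is the 128-bit example address from the text, written in binary.
PAGE_BITS = ("0010000000000001 0000000000000000 0011001000111000 1101111111100001 "
             "0000000001100011 0000000000000000 0000000000000000 1111111011111011")

def binary_to_ipv6(bits):
    """128 binary digits (spaces between blocks allowed) -> full 8-hextet form."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return ":".join(f"{int(bits[i:i + 16], 2):04X}" for i in range(0, 128, 16))

def compress_ipv6(full):
    """Shorten a full 8-hextet address: no leading zeros, lowercase hex, and the
    longest run of two or more zero blocks (leftmost on a tie) becomes '::'."""
    groups = full.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 colon-separated hextets")
    values = [int(g, 16) for g in groups]
    if any(v > 0xFFFF for v in values):
        raise ValueError("hextet out of range")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                       # scan for runs of zero blocks
        if values[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and values[j] == 0:
            j += 1
        if j - i > best_len:           # strict '>' keeps the leftmost run on a tie
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{v:x}" for v in values]  # lowercase, leading zeros dropped
    if best_len < 2:                   # a single zero block is never '::'
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"

if __name__ == "__main__":
    full = binary_to_ipv6(PAGE_BITS)
    print(full, "->", compress_ipv6(full))
```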

Transport Control Protocol (TCP)

The transport layer, or layer 4, defines functions for error recovery and flow control. Both the OSI model and the TCP/IP model call this layer the transport layer. The main features supported by TCP and/or UDP are

Multiplexing using ports – Delivers received data to the correct application, identified by the port number.
Error recovery (reliability) – Numbers and acknowledges data using the sequence and acknowledgment header fields.
Flow control using windowing – Uses window sizes to protect receive buffer space.
Connection establishment and termination – Initializes port numbers and the Sequence and Acknowledgment fields.
Ordered data transfer and data segmentation – Segments bytes from the upper layer for transmission and delivers them to the upper-layer processes at the receiving device in the same order.

Transport Layer Protocols – TCP and UDP – TCP and UDP differ in that TCP provides retransmission for error recovery and avoids congestion through flow control, whereas UDP does not. Hence TCP provides a wide variety of services to applications, whereas UDP does not.

Because UDP offers few services, it needs fewer bytes in its header than TCP, resulting in less overhead in the network. UDP does not slow down data transfer where TCP may. Further, voice over IP (VoIP) and video over IP do not need error recovery, so they use UDP.

Transmission Control Protocol Segment – TCP segment structure is

The TCP header consists of 11 fields, of which only 10 are required. The eleventh field is optional and called “options”. The details of TCP header fields are

TCP Timestamps – TCP timestamps, defined in RFC 1323, can help TCP determine the order in which packets were sent. TCP timestamps are not normally aligned to the system clock and start at some random value. Many operating systems increment the timestamp every elapsed millisecond; however, the RFC only states that the ticks should be proportional. There are two timestamp fields

Ports & Their Multiplexing – TCP and UDP both use port multiplexing so that a computer can run many applications, like a web browser, e-mail client software, an Internet VoIP application (like Skype), etc. Multiplexing enables the receiving computer to know which application to give the data to.

Multiplexing is done by assigning different port numbers to applications and adding this port number information to each segment so that sender and receiver agree on it. The data from different applications operating on a network device is multiplexed at the sending device using port numbers and demultiplexed at the receiving device, again using port numbers. The two 16-bit fields in the TCP header, Source port and Destination port, identify the port numbers at which the application is listening on the sending device and on the receiving device. Since a port number is a 16-bit number, the maximum possible value is 65535 (2^16 - 1). The port numbers are divided into three ranges.

Multiplexing relies on a concept called a socket which consists of

A few popular TCP/IP applications and their ports are listed

Port Number Description
20 FTP – Data
21 FTP – Control
22 SSH Remote Login Protocol
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
80 HTTP
109 POP2
110 POP3
115 Simple File Transfer Protocol (SFTP)
119 Newsgroup (NNTP)
137 NetBIOS Name Service
139 NetBIOS Datagram Service
143 Interim Mail Access Protocol (IMAP)
150 NetBIOS Session Service
161 SNMP
179 Border Gateway Protocol (BGP)
194 Internet Relay Chat (IRC)
389 Lightweight Directory Access Protocol (LDAP)
396 Novell Netware over IP
443 HTTPS
444 Simple Network Paging Protocol (SNPP)
445 Microsoft-DS
546 DHCP Client
547 DHCP Server

TCP Error Recovery – TCP provides reliable data transfer (reliability, or error recovery) by numbering data bytes using the sequence and acknowledgment fields in the header. TCP was designed to recover from node or line failures, relying on the network to propagate routing table changes to all router nodes, but TCP is slow to initiate recovery.

TCP treats the data as a stream of bytes and logically assigns a sequence number to each byte. In effect, the TCP header says, “This packet starts with byte 379642 and contains 200 bytes of data.” The receiver can detect missing or incorrectly sequenced packets. TCP acknowledges data that has been received and retransmits data that has been lost. Error recovery is done end-to-end between the client and server. For example, a server sends 1000 bytes of data to a client using sequence number 1000 in the TCP header. The server sends another 1000 bytes with sequence number 2000 and yet another 1000 bytes with sequence number 3000. The client then sends an acknowledgment to the server for successfully receiving the 3000 bytes. The 4000 in the acknowledgment field is the next byte the client expects to receive.

A fundamental notion in the design is that every octet of data sent over a TCP connection has a sequence number. Since every octet is sequenced, each of them can be acknowledged. The acknowledgment mechanism employed is cumulative, so that an acknowledgment of sequence number X indicates that all octets up to but not including X have been received. This mechanism allows for straightforward duplicate detection in the presence of retransmission. Octets within a segment are numbered such that the first data octet immediately following the header is the lowest numbered, and the following octets are numbered consecutively.

It is essential to remember that the actual sequence number space is finite, though very large. This space ranges from 0 to 2**32 – 1. Since the space is finite, all arithmetic dealing with sequence numbers must be performed modulo 2**32. This unsigned arithmetic preserves the relationship of sequence numbers as they cycle from 2**32 – 1 to 0 again. There are some subtleties to computer modulo arithmetic, so great care should be taken in programming the comparison of such values.

TCP Sliding Window Protocol – A sliding window algorithm places a buffer between the application program and the network data flow. For TCP, the buffer is usually in the operating system kernel.

Data received from the network is stored in the buffer, from whence the application can read at its own pace. As the application reads data, buffer space is freed up to accept more input from the network. The window is the amount of data that can be “read ahead” – the size of the buffer, less the amount of valid data stored in it. Window announcements are used to inform the remote host of the current window size.

If the local application can’t process data fast enough, the window size will drop to zero and the remote host will stop sending data. After the local application has processed some of the queued data, the window size rises, and the remote host starts transmitting again.

On the other hand, if the local application can process data at the rate it’s being transferred, sliding window still gives us an advantage. If the window size is larger than the packet size, then multiple packets can be outstanding in the network, since the sender knows that buffer space is available on the receiver to hold all of them. Ideally, a steady-state condition can be reached where a series of packets (in the forward direction) and window announcements (in the reverse direction) are constantly in transit. As each new window announcement is received by the sender, more data packets are transmitted. As the application reads data from the buffer (remember, we’re assuming the application can keep up with the network), more window announcements are generated. Keeping a series of data packets in transit ensures the efficient use of network resources.

Flow Control Using Windowing – Consider a host with a fast CPU transmitting data to a host with a slow CPU. Obviously, the faster host will be able to drown the slower one with data. Thus, flow control is needed to pace the data transfer at an acceptable speed.

Request/reply flow control requires each data packet to be acknowledged by the remote host before the next packet is sent. Sliding window algorithms, used by TCP, permit multiple data packets to be in simultaneous transit, making more efficient use of network bandwidth. Finally, the Internet's unreliable delivery model allows packets to be discarded if network resources are not available, and demands that protocols make provisions for retransmission.

TCP implements flow control using the sequence, acknowledgment and window fields in the header. The window field specifies the maximum number of unacknowledged bytes allowed to be outstanding at any instant. The window starts small and then grows until errors occur, so it is also called a dynamic window. As the actual sequence and acknowledgment numbers grow over time, the window is also called a sliding window. It works as follows

If an acknowledgment is received before the window is used up, a new window starts and the sender continues sending data until the current window is complete. The windowing mechanism is also called positive acknowledgment and retransmission, or PAR.

Data Segmentation and Ordered Data Transfer – Different data-link protocols have different limits on the maximum transmission unit (MTU) that can be sent inside a data-link layer frame. The MTU is the size of the largest layer 3 packet that fits in a frame's data field; for Ethernet, an IP packet is limited to 1500 bytes. Hence TCP segments data into smaller pieces, called segments, usually 1460-byte blocks, and assigns sequence numbers to them. TCP at the receiver reassembles the segments and also recovers lost segments.

During transmission, segments may be received out of order, so TCP at the receiving end performs ordered data transfer by reassembling the data into its original order. For example, if segments arrive with sequence numbers 1500, 3500 and 2500, each with 1000 bytes of data, the receiver can reorder them without retransmission. The TCP header and data field together are called a TCP segment, or L4 PDU, since TCP is a Layer 4 protocol.
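The receive-side mechanisms described in the error recovery, sliding window and ordered data transfer sections above, put together in one toy receiver as an added example (not code from the original tutorial): byte-level sequence numbers, cumulative ACKs (1000/2000/3000 answered with ACK 4000), reordering of segments that arrive as 1500, 3500, 2500, a wraparound-safe modulo-2**32 comparison, and the free buffer space advertised as the window. The class and method names are the example's own; real stacks also handle partially overlapping segments, which this one simply drops.

```python
# Added example (not from the original tutorial): toy TCP receive side.

SEQ_MOD = 1 << 32      # the finite sequence space: 0 .. 2**32 - 1
HALF_SPACE = 1 << 31

def seq_add(seq, n):
    """Advance a sequence number by n bytes, wrapping modulo 2**32."""
    return (seq + n) % SEQ_MOD

def seq_lt(a, b):
    """True if a precedes b in the circular space. A plain a < b breaks once
    the numbers wrap from 2**32-1 to 0; instead the modular distance from a
    to b must lie in (0, 2**31)."""
    d = (b - a) % SEQ_MOD
    return 0 < d < HALF_SPACE

class Receiver:
    """Receive side of one connection, holding the kernel buffer the text describes."""

    def __init__(self, rcv_nxt, buf_size):
        self.rcv_nxt = rcv_nxt          # next byte we expect from the peer
        self.buf_size = buf_size        # total receive buffer in bytes
        self.in_order = bytearray()     # contiguous data the application may read
        self.out_of_order = {}          # seq -> data, parked until the gap fills

    def window(self):
        """Free buffer space: the window value advertised to the sender."""
        parked = sum(len(d) for d in self.out_of_order.values())
        return self.buf_size - len(self.in_order) - parked

    def receive(self, seq, data):
        """Process one segment; return (ack_number, window) for the ACK segment."""
        if seq_lt(seq, self.rcv_nxt):
            # Data we already have (a retransmission): just repeat the ACK.
            return self.rcv_nxt, self.window()
        if len(data) > self.window():
            # No room in the buffer: drop it, the sender retransmits later.
            return self.rcv_nxt, self.window()
        if seq != self.rcv_nxt:
            # Out of order: park it; the cumulative ACK does not move yet.
            self.out_of_order[seq] = data
            return self.rcv_nxt, self.window()
        self._accept(data)
        # Filling a gap may make parked segments contiguous: deliver them too.
        while self.rcv_nxt in self.out_of_order:
            self._accept(self.out_of_order.pop(self.rcv_nxt))
        return self.rcv_nxt, self.window()

    def _accept(self, data):
        self.in_order += data
        self.rcv_nxt = seq_add(self.rcv_nxt, len(data))

    def read(self, n):
        """The application reads n bytes, freeing buffer space (window grows)."""
        chunk = bytes(self.in_order[:n])
        del self.in_order[:n]
        return chunk

if __name__ == "__main__":
    r = Receiver(1500, 10000)
    for seq, payload in [(1500, b"a" * 1000), (3500, b"c" * 1000), (2500, b"b" * 1000)]:
        print("segment", seq, "-> ack, window =", r.receive(seq, payload))
```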

TCP Connection Establishment and Termination – Connection establishment refers to the process of initializing the sequence and acknowledgment fields and agreeing on the port numbers to use. It is a three-way process that uses 2 bits in the flags field of the TCP header, the SYN and ACK flags. SYN means “Synchronize the sequence numbers” and is used to initialize sequence numbers; ACK means “The Acknowledgment field is valid in this header” and acknowledges the sequence numbers received. For a connection to be established, the two end stations must synchronize on each other's initial TCP sequence numbers. This initial exchange ensures that lost data can be recovered. The steps for synchronization are

Because steps 2 and 3 are combined into one message, this is called a three-way handshake, as

TCP connection termination is a four-step process which uses an additional flag, the FIN (“finished”) bit. The connection termination phase uses a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical tear-down requires a pair of FIN and ACK segments from each TCP endpoint. After the side that sent the first FIN has responded with the final ACK, it waits for a timeout before finally closing the connection; during this time the local port is unavailable for new connections, which prevents confusion due to delayed packets being delivered during subsequent connections.

It is also possible to terminate the connection with a 3-way handshake: host A sends a FIN, host B replies with a FIN & ACK (merely combining two steps into one), and host A replies with an ACK.

TCP establishes and terminates connections between the endpoints, whereas UDP does not. Hence, classified by connection management, the protocols are

UDP (User Datagram Protocol) – UDP is a connectionless, unacknowledged protocol that transmits messages on a “best effort” basis without any check that segments were delivered. UDP depends on upper-layer protocols for reliability. In a network, broadcast and unicast messages are carried by UDP; protocols that use UDP include TFTP, SNMP, NFS and DNS. The UDP header consists of only 4 fields, two of which are optional, as

UDP has no reordering or recovery mechanism. However, UDP provides data transfer and multiplexing using port numbers, as TCP does, but with fewer bytes of overhead and less processing than TCP. Hence, applications using UDP should be tolerant of lost data. VoIP uses UDP because the time taken to discover and retransmit a lost voice packet adds too much delay. Similarly, any failed DNS request is simply retried.

tcpdump

tcpdump is a common packet analyzer that runs from the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It is distributed under the BSD license.

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed by default as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match the expression will be processed by tcpdump.

When tcpdump finishes capturing packets, it will report counts of:

Syntax

tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ] [ -c count ] [ -C file_size ] [ -G rotate_seconds ] [ -F file ] [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ] [ --number ] [ -Q in|out|inout ] [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,… ] [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ] [ --time-stamp-precision=tstamp_precision ] [ --immediate-mode ] [ --version ] [ expression ]

OPTIONS

Examples
