Module 10 – Intermediate TCP/IP

Oct 26, 2013

Ch. 10


Intermediate TCP/IP

CCNA 2 version 3.0

Rick Graziani

Cabrillo College

Rick Graziani graziani@cabrillo.edu

Note to instructors

If you have downloaded this presentation from the Cisco Networking Academy Community FTP Center, this may not be my latest version of this PowerPoint.

For the latest PowerPoints for all my CCNA, CCNP, and Wireless classes, please go to my web site: http://www.cabrillo.cc.ca.us/~rgraziani/

The username is cisco and the password is perlman for all of my materials.

If you have any questions on any of my materials or the curriculum, please feel free to email me at graziani@cabrillo.edu (I really don’t mind helping.) Also, if you run across any typos or errors in my presentations, please let me know.

I will add “(Updated date)” next to each presentation on my web site that has been updated since these have been uploaded to the FTP center.

Thanks! Rick

Note

It is important for networking professionals to have a very good understanding of TCP/IP.

Various devices communicate using the multiple protocols of the TCP/IP protocol suite.

A networking professional needs to know how these protocols function and interact with each other in order to properly understand, analyze and troubleshoot networking issues.

This chapter is only an introduction to this information and also a review of CCNA 1.

I strongly suggest taking a separate course in the TCP/IP protocol suite, in addition to system administration courses such as those for Microsoft Windows (MCSE/MCSA) or Unix/Linux certifications.

This presentation draws on:
CCNA 2 Module 10
Corrections to CCNA 2 Module 10
Other sources, Stevens, etc.

Interesting Reading

Although published in 1994, TCP/IP Illustrated, written by the late Richard Stevens, is still regarded as the definitive book on TCP/IP.

TCP/IP Illustrated, Vol. 1
W. Richard Stevens
Addison-Wesley Pub Co
ISBN: 0201633469

Where Wizards Stay Up Late
Katie Hafner and Matthew Lyon
ISBN 0613181530

Very enjoyable reading and you do not have to be a networking geek to enjoy it!

National Bestseller

Overview

Students completing this module should be able to:
Describe TCP and its function
Describe TCP synchronization and flow control
Describe UDP operation and processes
Identify common port numbers
Describe multiple conversations between hosts
Identify ports used for services and clients
Describe port numbering and well known ports
Understand the differences and the relationship between MAC addresses, IP addresses, and port numbers

TCP Operation

IP is best effort delivery.

The transport layer (TCP) is responsible for reliability and flow control from source to destination.

This is accomplished using:
sliding windows (flow control)
sequencing numbers and acknowledgments (reliability)
synchronization (establish a virtual circuit)

Note: Although straightforward in concept, TCP can be a very complicated protocol in its operation. Most of the details regarding TCP are beyond the scope of this module and presentation.

TCP Operation

The IP packet has a Protocol field that specifies whether the segment it carries is TCP or UDP.

[Figure: application header + data encapsulated in a transport segment inside an IP packet. IP Protocol field = 6 for TCP (connection-oriented); IP Protocol field = 17 for UDP (connectionless; IP itself is also connectionless).]

TCP

TCP is a connection-oriented, reliable protocol; it provides flow control by providing sliding windows, and reliability by providing sequence numbers and acknowledgments.

TCP re-sends anything that is not received and supplies a virtual circuit between end-user applications.

The advantage of TCP is that it provides guaranteed delivery of the segments.

Synchronization or 3-way handshake

For a connection to be established, the two end stations must synchronize on each other's initial TCP sequence numbers (ISNs).

Sequence numbers are used to track the order of packets and to ensure that no packets are lost in transmission.

The initial sequence number is the starting number used when a TCP connection is established.

Exchanging beginning sequence numbers during the connection sequence ensures that lost data can be recovered.

[Figure: TCP header]

The following example is taken from (and for more information, see):

Inside the TCP Handshake
http://www.nwconnection.com/2000_03/hand30/

“Laura Chappell writes technical training books for podbooks.com (http://www.podbooks.com) and is a senior protocol analyst at NetAnalysis Institute.”

“Ms. Chappell also makes a pretty mean margarita. (For more information about NetAnalysis Institute, visit http://www.netanalysis.org.)”

Only part of the TCP headers are displayed.

Packet 1: source: 130.57.20.10 dest.: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Initial sequence number = 12952
TCP: Next expected Seq number= 12953
TCP: .... ..1. = SYN
TCP: Window = 8192
TCP: Checksum = 1303 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 2: source: 130.57.20.1 dest: 130.57.20.10
TCP: ----- TCP header -----
TCP: Source port = 524
TCP: Destination port = 1026
TCP: Initial sequence number = 2744080
TCP: Next expected Seq number= 2744081
TCP: Acknowledgment number = 12953
TCP: .... ..1. = SYN
TCP: Window = 32768
TCP: Checksum = D3B7 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 3: source: 130.57.20.10 dest: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Sequence number = 12953
TCP: Next expected Seq number= 12953
TCP: Acknowledgment number = 2744081
TCP: ...1 .... = Acknowledgment
TCP: Window = 8760
TCP: Checksum = 493D (correct)
TCP: No TCP options
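The handshake in the trace above, as an added example that is not part of the presentation: a small Python model builds the three segments from the trace's ISNs (12952 and 2744080) and ports (1026 and 524), checks the rules that make them consistent (each side acknowledges the other's ISN + 1 because a SYN consumes one sequence number, the ports are mirrored, the flags follow SYN, SYN+ACK, ACK), and walks both endpoints through the FSM states named on the following slides. The dict layout, the validation messages and the state-walking function are this example's own constructions, not anything from the trace's tool.

```python
# Added example (not from the presentation): a minimal model of the TCP
# three-way handshake, driven by the values in the trace above. Packets are
# plain dicts constructed here; nothing is sent on a network.

SYN = 0x02          # flag bits as shown in the trace's flag lines
ACK = 0x10
MASK32 = 0xFFFFFFFF # sequence numbers wrap modulo 2**32


def handshake_packets(client_isn, server_isn, client_port=1026, server_port=524):
    """Build the three handshake segments exchanged between client and server."""
    return [
        # Packet 1, client -> server: SYN carrying the client's ISN
        {"src_port": client_port, "dst_port": server_port,
         "flags": SYN, "seq": client_isn, "ack": 0},
        # Packet 2, server -> client: SYN+ACK with the server's ISN;
        # ACK = client ISN + 1 because the SYN itself consumes one sequence number
        {"src_port": server_port, "dst_port": client_port,
         "flags": SYN | ACK, "seq": server_isn, "ack": (client_isn + 1) & MASK32},
        # Packet 3, client -> server: ACK = server ISN + 1, seq = client ISN + 1
        {"src_port": client_port, "dst_port": server_port,
         "flags": ACK, "seq": (client_isn + 1) & MASK32,
         "ack": (server_isn + 1) & MASK32},
    ]


def validate_handshake(packets):
    """Check three segments against the handshake rules; returns (ok, reason)."""
    if len(packets) != 3:
        return False, "expected exactly three segments"
    p1, p2, p3 = packets
    if p1["flags"] != SYN:
        return False, "packet 1 must be a bare SYN"
    if (p2["src_port"], p2["dst_port"]) != (p1["dst_port"], p1["src_port"]):
        return False, "packet 2 ports are not the reverse of packet 1"
    if p2["flags"] != SYN | ACK:
        return False, "packet 2 must be SYN+ACK"
    if p2["ack"] != (p1["seq"] + 1) & MASK32:
        return False, "packet 2 ACK must equal client ISN + 1"
    if p3["flags"] != ACK:
        return False, "packet 3 must be an ACK"
    if p3["seq"] != (p1["seq"] + 1) & MASK32:
        return False, "packet 3 sequence number must equal client ISN + 1"
    if p3["ack"] != (p2["seq"] + 1) & MASK32:
        return False, "packet 3 ACK must equal server ISN + 1"
    return True, "handshake consistent"


def handshake_states(packets):
    """Walk both endpoints through the TCP FSM states as each segment is processed.
    Returns the (client_state, server_state) pair after each packet."""
    client, server = "CLOSED", "LISTEN"
    states = []
    for p in packets:
        if p["flags"] == SYN and client == "CLOSED":
            client, server = "SYN_SENT", "SYN_RCVD"   # SYN sent, then received
        elif p["flags"] == SYN | ACK and client == "SYN_SENT":
            client = "ESTABLISHED"                   # client's SYN was acknowledged
        elif p["flags"] == ACK and server == "SYN_RCVD" and client == "ESTABLISHED":
            server = "ESTABLISHED"                   # server got the final ACK
        else:
            raise ValueError(f"unexpected segment in states ({client}, {server})")
        states.append((client, server))
    return states


# The ISNs and ports from the trace on the slide
TRACE = handshake_packets(client_isn=12952, server_isn=2744080)

if __name__ == "__main__":
    print(validate_handshake(TRACE))
    print(handshake_states(TRACE))
    tampered = [dict(p) for p in TRACE]
    tampered[1]["ack"] = 12952   # wrong: acknowledges the ISN itself, not ISN + 1
    print(validate_handshake(tampered))
```

Run as a script it prints the verdict for the trace, the three state pairs, and the rejection of a SYN+ACK that acknowledges the wrong number. The masking with MASK32 is what keeps the check correct when an ISN sits at the top of the 32-bit space and the next sequence number wraps to 0.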

Denial of Service (DoS) Attacks

DoS attacks are a common method that hackers utilize to halt system response.

One type of DoS is known as SYN flooding.

SYN flooding exploits the normal three-way handshake and causes targeted devices to ACK to source addresses that will not complete the handshake.

TCP FSM (FYI)

[Figure: TCP finite state machine]

DoS SYN Flooding Attack

The hacker initiates a synchronization (SYN) but spoofs the source IP address.

Spoofing: using another’s IP address, real or not (one meaning of the term).

The receiving device replies (SYN ACK) to the non-existent source.

The receiving device places the process in a wait state while waiting to receive the final ACK from the initiator.

The waiting request is placed in a connection queue or a holding area in memory.

This waiting state requires the attacked device to commit system resources, such as memory, to the waiting process until the connection timer times out.

Hackers will flood the attacked host with these false SYN requests, using up all of its connection resources to respond to and wait for false connections, preventing it from responding to legitimate connection requests.

DoS SYN Flooding Attack

To defend against these attacks, system administrators may decrease the connection timeout period and increase the connection queue size (not recommended).

Software also exists that can detect these types of attacks and initiate defensive measures.

For more information… (Cisco)

If a flood of incoming request packets have invalid source IP addresses, sessions never get established and remain as half-open connections. Many TCP implementations are only able to handle a small number of outstanding connections per port; therefore these ports are effectively unavailable until the half-open connections time out (typically 75 seconds). Additionally, this attack may also cause the server to exhaust its memory or waste processor cycles in maintaining state information on these connections.

Firewall vendors such as Checkpoint, Cisco, and Raptor have incorporated features into their products to shield your downstream systems from SYN attacks.

The Cisco IOS™ TCP Intercept
http://www.cisco.com/warp/public/cc/pd/iosw/iore/prodlit/576_pp.htm

TCP Intercept Commands
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt3/srdenl.htm
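An added example, written for this page and not taken from the presentation or from any vendor product, that models the connection-queue behaviour the last three slides describe: a half-open entry holds a queue slot until the final ACK arrives or the connection timer expires, and the two knobs the slides name (timeout, queue size) decide how many legitimate clients get through. The event list, the addresses, the 75-second default and the alternative settings are all constructed for the example; nothing touches a network.

```python
# Added example (not from the presentation): an in-memory model of a listening
# port's connection queue. Half-open entries (SYN received, SYN/ACK sent, final
# ACK never seen) occupy the queue until the connection timer expires.

from collections import OrderedDict


class HalfOpenQueue:
    """Backlog of connections that have been SYN/ACKed but not yet ACKed."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout            # connection timer, in seconds
        self.pending = OrderedDict()      # (src_ip, src_port) -> time the SYN arrived
        self.established = 0
        self.dropped_syn = 0              # SYNs refused because the queue was full

    def expire(self, now):
        """Remove half-open entries whose connection timer has run out."""
        for key, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[key]

    def on_syn(self, key, now):
        self.expire(now)
        if key in self.pending:
            return True                   # retransmitted SYN for an entry we already hold
        if len(self.pending) >= self.capacity:
            self.dropped_syn += 1         # queue full: the legitimate client is refused too
            return False
        self.pending[key] = now
        return True

    def on_ack(self, key, now):
        """Final ACK of the handshake: the entry leaves the queue and is established."""
        self.expire(now)
        if key in self.pending:
            del self.pending[key]
            self.established += 1
            return True
        return False                      # no half-open entry: the ACK matches nothing


def replay(events, capacity, timeout):
    """events: list of (time, kind, key) with kind 'SYN' or 'ACK'.
    Returns (established, dropped_syn) for the given queue settings."""
    q = HalfOpenQueue(capacity, timeout)
    for t, kind, key in sorted(events, key=lambda e: e[0]):
        if kind == "SYN":
            q.on_syn(key, t)
        elif kind == "ACK":
            q.on_ack(key, t)
    return q.established, q.dropped_syn


def build_scenario():
    """Constructed traffic: 50 SYNs at t=0 from sources that never answer, then a
    legitimate client every 5 s that completes its handshake 0.1 s later."""
    events = []
    for i in range(50):
        events.append((0.0, "SYN", ("203.0.113.%d" % i, 40000 + i)))  # no ACK follows
    for n in range(10):
        t = 1.0 + 5 * n
        key = ("198.51.100.7", 50000 + n)
        events.append((t, "SYN", key))
        events.append((t + 0.1, "ACK", key))
    return events


def unanswered_syns(events):
    """Detection view: source IPs that sent a SYN but never sent the final ACK."""
    syn_keys = {key for _, kind, key in events if kind == "SYN"}
    ack_keys = {key for _, kind, key in events if kind == "ACK"}
    return sorted({ip for ip, _ in syn_keys - ack_keys})


def run_comparison():
    """Same traffic, three queue settings: (established, dropped) for each."""
    events = build_scenario()
    return {
        "queue32_timeout75": replay(events, capacity=32, timeout=75),
        "queue32_timeout30": replay(events, capacity=32, timeout=30),
        "queue100_timeout75": replay(events, capacity=100, timeout=75),
    }


if __name__ == "__main__":
    for name, result in run_comparison().items():
        print(name, "established=%d dropped=%d" % result)
    print("sources with unanswered SYNs:", len(unanswered_syns(build_scenario())))
```

With a 32-entry queue and the 75-second timer, the first 32 unanswered SYNs hold every slot for the whole run and none of the ten legitimate clients connects; shortening the timer to 30 seconds frees the queue in time for the last four; a 100-entry queue lets all ten through but only because it holds all 50 bogus entries in memory at once, which is the cost the slide's "(not recommended)" points at. The `unanswered_syns` view is the signal a detector would watch: many distinct sources whose handshakes never complete.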

Windowing and Window Sizes

[Figure: two exchanges using simple windowing]

Both of these are examples of simple windowing. This is not an example of sliding windows.

Window size refers to the number of bytes that are transmitted before receiving an acknowledgment.

After a host transmits the window-size number of bytes, it must receive an acknowledgment before any more data can be sent.

The window size determines how much data the receiving station can accept at one time.

Simple Windowing

TCP is responsible for breaking data into segments.

With a window size of 1, each segment carries only one byte of data and must be acknowledged before another segment is transmitted. This results in inefficient host use of bandwidth.

The purpose of windowing is to improve flow control and reliability.

Unfortunately, with a window size of 1, you see a very inefficient use of bandwidth.

[Figure: TCP header]

Simple Windowing

TCP Window Size

TCP uses a window size, a number of bytes that the receiver is willing to accept, and it is usually controlled by the receiving process.

TCP uses expectational acknowledgments, meaning that the acknowledgment number refers to the next byte that the sender of the acknowledgement expects to receive.

A larger window size allows more data to be transmitted pending acknowledgment.

Note: The sequence number being sent identifies the first byte of data in that segment.

Simple Windowing

TCP Full-duplex service: Independent Data Flows

TCP provides full-duplex service, which means data can be flowing in each direction, independent of the other direction.

Window sizes, sequence numbers and acknowledgment numbers are independent of each other’s data flow.

The receiver sends the acceptable window size to the sender during each segment transmission (flow control):
if too much data is being sent, the acceptable window size is reduced
if more data can be handled, the acceptable window size is increased

This is known as a Stop-and-Wait windowing protocol.

Sliding Windows

Note: The following slides on Sliding Windows contain corrections to the on-line curriculum, followed by my slides on Sliding Windows.

Sliding Window Protocol

Sliding window algorithms are a method of flow control for network data transfers using the receiver's window size.

The sender computes its usable window, which is how much data it can immediately send.

Over time, this sliding window moves to the right as the receiver acknowledges data.

The receiver sends acknowledgements as its TCP receive buffer empties.

The terms used to describe the movement of the left and right edges of this sliding window are: (These will be demonstrated in the following slides.)

1. The left edge closes (moves to the right) when data is sent and acknowledged.

2. The right edge opens (moves to the right) allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.

3. The middle edge opens (moves to the right) as data is sent, but not yet acknowledged.

[Figure: a sliding window shown at its initial window size and at a later working window size; the sent part is labelled "Octets sent, Not ACKed" and the remaining part "Usable Window, Can send ASAP".]

Sliding Windows

[Figure: Host A (Sender) and Host B (Receiver), octets 1 through 13, window size = 6. Host A's window is labelled "Octets sent, Not ACKed" and "Usable Window, Can send ASAP"; Host B's side shows "Octets received".]

Host B gives Host A a window size of 6 (octets or bytes).

Host A begins by sending octets to Host B: octets 1, 2, and 3, and slides its window over, showing it has sent those 3 octets.

Host A will not increase its usable window size by 3 until it receives an ACKnowledgement from Host B that it has received some or all of the octets.

Host B, not waiting for all of the 6 octets to arrive, after receiving the third octet sends an expectational ACKnowledgement of “4” to Host A.

ACK 4

[Figure: the same diagram continued; Host A has octets 1, 2, 3 sent and not ACKed and sends octets 4 and 5; Host B replies ACK 4 and later ACK 6. Window size = 6.]

Host A does not have to wait for an acknowledgement from Host B to keep sending data until the amount of unacknowledged data reaches the window size of 6, so it sends octets 4 and 5.

Host A receives the acknowledgement of ACK 4 and can now slide its window over to equal 6 octets: 3 octets sent not ACKed plus 3 octets which can be sent asap.

[Figure: the diagram continued; after receiving ACK 4 and ACK 6 from Host B, Host A sends octets 6, 7, 8 and 9. Window size = 6; labels "Octets sent, Not ACKed" and "Usable Window, Can send ASAP".]
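Sender-side sliding window bookkeeping for the Host A / Host B scenario above, as an added example that is not part of the presentation. The sender tracks the three edges the earlier slide names (left edge = oldest unACKed octet, middle edge = next octet to send, right edge = left edge + window) and computes its usable window from them; the receiver returns expectational ACKs as the slides describe. Window size 6 and octets 1 through 13 follow the slides; the class and method names, and the out-of-order and window-shrink cases at the end, are this example's own.

```python
# Added example (not from the presentation): sliding window arithmetic on the
# sender side, plus a receiver that produces expectational ACKs. Everything
# here is a constructed model; no data leaves the process.

class SlidingWindowSender:
    def __init__(self, first_octet, window_size):
        self.una = first_octet      # left edge: oldest octet sent but not yet ACKed
        self.nxt = first_octet      # middle edge: next octet to be sent
        self.window = window_size   # window advertised by the receiver
        self.log = []

    @property
    def right_edge(self):
        return self.una + self.window   # first octet that may NOT be sent yet

    @property
    def usable(self):
        """How many octets may be sent immediately ("Can send ASAP")."""
        return max(0, self.right_edge - self.nxt)

    def unacked(self):
        """Octets sent but not yet acknowledged."""
        return list(range(self.una, self.nxt))

    def send(self, count):
        if count > self.usable:
            raise ValueError(f"only {self.usable} octets usable, asked to send {count}")
        sent = list(range(self.nxt, self.nxt + count))
        self.nxt += count           # middle edge opens to the right
        self.log.append(("send", sent))
        return sent

    def receive_ack(self, ack, window_size=None):
        """Expectational ACK: 'ack' is the next octet the receiver wants."""
        if ack < self.una or ack > self.nxt:
            self.log.append(("ignored-ack", ack))   # stale or acknowledges unsent data
            return False
        self.una = ack              # left edge closes up to the acknowledged octet
        if window_size is not None:
            self.window = window_size   # receiver may shrink or grow the window
        self.log.append(("ack", ack))
        return True


class Receiver:
    def __init__(self, first_octet, window_size):
        self.expected = first_octet
        self.window = window_size
        self.buffered = set()       # in-window octets that arrived out of order

    def receive(self, octets):
        """Accept in-window octets in any order; return the ACK to send back."""
        for o in octets:
            if self.expected <= o < self.expected + self.window:
                self.buffered.add(o)
        while self.expected in self.buffered:   # deliver the contiguous run
            self.buffered.remove(self.expected)
            self.expected += 1
        return self.expected        # expectational ACK: next octet wanted


def run_slide_scenario():
    """Replays the Host A / Host B exchange; returns the usable window after
    each step, the octets still unACKed at the end, and Host B's next expected octet."""
    a = SlidingWindowSender(first_octet=1, window_size=6)
    b = Receiver(first_octet=1, window_size=6)
    usable_after = []
    a.send(3)                                   # octets 1, 2, 3
    usable_after.append(a.usable)               # 3 left of the window of 6
    ack = b.receive([1, 2, 3])                  # Host B asks for 4
    a.send(2)                                   # 4 and 5 go out before ACK 4 arrives
    usable_after.append(a.usable)               # only 1 octet still usable
    a.receive_ack(ack)                          # left edge moves to 4
    usable_after.append(a.usable)               # 2 unACKed (4, 5) and 4 usable
    a.receive_ack(b.receive([4, 5]))            # ACK 6: window fully open again
    usable_after.append(a.usable)
    return usable_after, a.unacked(), b.expected


if __name__ == "__main__":
    print(run_slide_scenario())
```

The receiver's `receive` method also shows why an ACK is not a count of octets received: if octets 2 and 3 arrive before octet 1, the ACK stays at 1 until the gap is filled, and then jumps straight to 4.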

Sliding Windows

Default window size: 8K for Windows, 32K for Linux.

There are various unix/linux/microsoft programs that allow you to modify the default window size.

I do not recommend that you modify these unless you know what you are doing.

“Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.”

NOTE: I take no responsibility for this software or any others!

ORNL TCP Web100 Bandwidth Test

http://lin-ks.greatplains.net/noc/measurement/tcpbw100.php

TCP/Web100 bandwidth test v4.2
click START to begin
running 10s outbound test... 107 Kbs outbound
running 10s inbound test... 1207 Kbs inbound

web100 Connection Variables:
Round Trip times were sampled 611 times for a total time of 72770 millisecs giving an average RTT of: 119.0 millisecs(0.119 secs)
You received 1126 packets of size 1360 from the remote host and it took a total of 10475.0 millisecs
Maximum Expected Bandwidth: 392 Kbs
Good Data Stream -- No retransmits!
You are advertising a window of 17680 bytes
The remote host is advertising a window of 5840 bytes
The Remote Host has a send buffer of 128000 bytes and a receive buffer of 128000 bytes
Buffer sizes are very important in determining the advertised window sizes. Larger window sizes can help increase thruput. If your window is smaller than the remote host, your should investigate increasing your socket buffer sizes.

Sequencing numbers

The data segments being transmitted must be reassembled once all the data is received.

There is no guarantee that the data will arrive in the order it was transmitted.

TCP applies sequence numbers to the data segments.

Sequencing numbers indicate to the destination device the correct order in which to put the bytes when they are received.

These sequencing numbers also act as reference numbers so that the receiver will know if it has received all of the data.

They also identify the missing data pieces to the sender so it can retransmit the missing data.

[Figure: segments numbered one per octet. This is only if one octet was sent at a time.]

Technical FYI on Sequencing numbers

Sender: The value in the sequence number field is the first byte in the data stream.

Question: How does the receiver know how much data was sent, so it knows what value to send in the acknowledgement?

Receiver: Using the sender’s IP packet and TCP segment information, the value of the ACK is:

    IP Packet Length (IP):    Total length
  - IP Header length (IP):    Header length
  - TCP header length (TCP):  Header length
  -------------------------------------------------
    Length of data in TCP segment

  ACK = Last Sequence Number ACKed + Length of data in TCP segment

Check the Sequence Number to check for missing segments and to sequence out-of-order segments.

Remember that the ACK is for the sequence number of the byte you expect to receive. When you ACK 101, that says you've received all bytes through 100. This ignores Selective Acknowledgments or SACK.

[Figure: the fields used above are part of the IP header and the TCP header.]
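The subtraction above carried out on real header bytes, as an added example that is not part of the presentation: the code parses the IPv4 and TCP headers of a segment with the standard library's `struct` module, derives the payload length as total length minus IP header length minus TCP header length, and computes the expectational ACK. The packet bytes, addresses (130.57.20.10 to 130.57.20.1, as in the earlier trace) and ports are constructed here, checksums are left at zero because they are not needed for the length arithmetic, and the cumulative-ACK helper at the end ignores SACK, as the slide does. The example goes slightly beyond the slide in also counting the SYN and FIN flags, each of which consumes one sequence number, which is why the trace's SYN with no data is followed by "next expected" 12953.

```python
# Added example (not from the presentation): derive the TCP payload length from
# the IP and TCP header fields and compute the ACK the receiver should send.
# Packets are constructed in memory; nothing is captured or sent.

import struct

MASK32 = 0xFFFFFFFF


def build_packet(seq, payload, ip_options=b"", tcp_options=b""):
    """Construct a bare IPv4+TCP packet (checksums zero; not needed for lengths)."""
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    data_offset = 5 + len(tcp_options) // 4   # TCP header length in 32-bit words
    total_length = ihl * 4 + data_offset * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_length, 0x1234, 0, 64, 6, 0,
                         bytes([130, 57, 20, 10]), bytes([130, 57, 20, 1])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          1026, 524, seq, 0, data_offset << 4, 0x18, 8760, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def parse(packet):
    """Return (ip_header_len, tcp_header_len, total_length, seq, data_len)."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ip_hlen = (ver_ihl & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("IP Protocol field is not 6 (TCP)")
    tcp = packet[ip_hlen:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    seq = struct.unpack("!I", tcp[4:8])[0]
    tcp_hlen = (tcp[12] >> 4) * 4             # data offset lives in the top nibble
    data_len = total_length - ip_hlen - tcp_hlen
    if data_len < 0:
        raise ValueError("header lengths exceed total length")
    return ip_hlen, tcp_hlen, total_length, seq, data_len


def next_ack(seq, data_len, syn=False, fin=False):
    """ACK = first sequence number in the segment + octets carried
    (+1 for a SYN and +1 for a FIN, which each consume a sequence number)."""
    return (seq + data_len + int(syn) + int(fin)) & MASK32


def receiver_ack(expected, seq, data_len):
    """Cumulative ACK without SACK: advance only when this segment is the one
    expected; otherwise re-acknowledge what has already been received in order."""
    if seq == expected:
        return next_ack(seq, data_len)
    return expected


if __name__ == "__main__":
    pkt = build_packet(101, b"x" * 100)
    ip_hlen, tcp_hlen, total, seq, data_len = parse(pkt)
    print(f"total {total} - IP hdr {ip_hlen} - TCP hdr {tcp_hlen} = {data_len} data octets")
    print("ACK to send:", next_ack(seq, data_len))          # 201: bytes through 200 received
    print("SYN with no data at 12952 ->", next_ack(12952, 0, syn=True))
```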

Positive Acknowledgment and Retransmission (PAR)

PAR: The source sends a packet, starts a timer, and waits for an acknowledgment before sending the next packet.

If the timer expires before the source receives an acknowledgment, the source retransmits the packet and starts the timer over again.

TCP uses expectational acknowledgments in which the acknowledgment number refers to the next octet that is expected.

UDP


UDP Operation

UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection.

The Source Port field is an optional field used only if information needs to return to the sending host.

When a destination router receives a routing update, the source router is not requesting anything, so nothing needs to return to the source.

This is regarding only RIP updates.

BGP uses TCP; IGRP is sent directly over IP. EIGRP and OSPF are also sent directly over IP with their own way of handling reliability.

UDP Operation

[Figure: UDP header]

Port Numbers (TCP and UDP)

Port Numbers

[Figure: application header + data encapsulated in a TCP segment and in a UDP segment.]

Port numbers are used to know which application the receiving host should pass the “Data” to.

[Figure: TCP header]

Port Numbers

Application software developers have agreed to use the well-known port numbers that are defined in RFC 1700.

For example, any conversation bound for a Telnet application uses the standard port number 23.

[Figure: TCP header]

Port Numbers

Conversations that do not involve an application with a well-known port number are, instead, assigned port numbers that are randomly selected from within a specific range.

These port numbers are used as source and destination addresses in the TCP segment.

Some ports are reserved in both TCP and UDP, although applications might not be written to support them.

(Curriculum) Port numbers have the following assigned ranges:
Numbers below 255 are reserved for public applications
Numbers from 255-1023 are assigned to companies for marketable applications
Numbers above 1023 are unregulated

(RFC) The range for assigned ports managed by the IANA is 0-1023: http://www.iana.org/assignments/port-numbers

The Well Known Ports are those from 0 through 1023. (This is updated information as of 11-13-2002. Before then, 0-255 were considered well known ports.)

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

http://www.iana.org/assignments/port-numbers

The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.

The Registered Ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users. The IANA registers uses of these ports as a convenience to the community.

The Dynamic and/or Private Ports are those from 49152 through 65535.

Port Numbers

For more of an explanation of port numbers and examples, go to:
http://www.iana.org/assignments/port-numbers

Port Numbers

End systems use port numbers to select the proper application.

Originating source port numbers, usually a value larger than 1023, are dynamically assigned by the source host.

[Figure: TCP header, source and destination port fields]

Notice the difference in how source and destination port numbers are used with clients and servers:

Client:
Destination Port = 23 (telnet)
Source Port = 1028 (dynamically assigned)

Server:
Destination Port = 1028 (source port of client)
Source Port = 23 (telnet)

[Figure: TCP header]

[Figure: two http sessions from the same client to www.cisco.com. First session: source port 1030, destination port 80. Second session: source port 1031, destination port 80. Dest. Port = 80: send packets to the web server application.]

Second http session between the same client and server: same destination port, but a different source port to uniquely identify this web session.

This example shows two separate browser windows to the same URL. TCP/IP uses source port numbers to know which information goes to which window.

What makes each connection unique?

A connection is defined by the pair of number pairs:
source IP address, source port
destination IP address, destination port

Different connections can use the same destination port on the server host as long as the source ports or source IPs are different.
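The rule above in code, as an added example that is not part of the presentation: a connection table keyed on the full (source IP, source port, destination IP, destination port) tuple, with a fallback to the listening socket on the destination port for a new SYN, which is how a host tells the two browser windows of the previous slide apart even though both talk to port 80. Addresses, the application name and the netstat-style row format are constructed for the example; source ports 1030 and 1031 follow the slide.

```python
# Added example (not from the presentation): demultiplexing incoming TCP
# segments to connections by the full 4-tuple. Constructed addresses only.

SYN = 0x02


class ConnectionTable:
    def __init__(self):
        self.listeners = {}     # (local_ip, local_port) -> listening application
        self.connections = {}   # (src_ip, src_port, dst_ip, dst_port) -> connection info

    def listen(self, local_ip, local_port, app):
        self.listeners[(local_ip, local_port)] = app

    def demux(self, src_ip, src_port, dst_ip, dst_port, flags):
        """Return the key of the connection this segment belongs to. A SYN to a
        listening port opens a new entry; anything else that matches no
        existing 4-tuple returns None (the host would reject it)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.connections:
            return key
        if flags & SYN and (dst_ip, dst_port) in self.listeners:
            self.connections[key] = {"app": self.listeners[(dst_ip, dst_port)],
                                     "state": "SYN_RCVD"}
            return key
        return None

    def netstat(self):
        """Rows in the shape of the netstat output on the slides:
        (proto, local address, remote address, state)."""
        return sorted(("TCP", f"{d_ip}:{d_port}", f"{s_ip}:{s_port}", c["state"])
                      for (s_ip, s_port, d_ip, d_port), c in self.connections.items())


def run_demo():
    """Two browser windows from one client, a second client reusing a source
    port, a data segment on a known connection, and a stray data segment."""
    t = ConnectionTable()
    t.listen("198.51.100.10", 80, "httpd")
    k1 = t.demux("192.0.2.5", 1030, "198.51.100.10", 80, SYN)   # first window
    k2 = t.demux("192.0.2.5", 1031, "198.51.100.10", 80, SYN)   # second window
    # another client may reuse source port 1030: still unique, its IP differs
    k3 = t.demux("192.0.2.6", 1030, "198.51.100.10", 80, SYN)
    # a data segment (PSH+ACK, no SYN) on the first window's 4-tuple
    k4 = t.demux("192.0.2.5", 1030, "198.51.100.10", 80, 0x18)
    # a data segment for a 4-tuple nobody opened matches nothing
    k5 = t.demux("192.0.2.5", 1032, "198.51.100.10", 80, 0x18)
    return t, (k1, k2, k3, k4, k5)


if __name__ == "__main__":
    table, keys = run_demo()
    for row in table.netstat():
        print(*row)
    print(keys[4])
```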

Note: In actuality, when you open up a single web page, there are usually several TCP sessions created, not just one.

Example of multiple TCP connections for a single http session.

[Figure: netstat command output for connections to www.cisco.com and www.google.com, with columns Source IP, TCP or UDP, Source Port, Destination IP, Destination Port, Connection State]
