Ch. 10 Intermediate TCP/IP - PowerPoint PPT Presentation

Description: A networking professional needs to know how these protocols function and ... Very enjoyable reading and you do not have to be a networking geek to enjoy it!
Slides: 46
Provided by: facultyVa3

Transcript and Presenter's Notes

1
Ch. 10 Intermediate TCP/IP
  • CCNA 2 version 3.0
  • Some concepts in this presentation were
    introduced by Rick Graziani, Instructor at
    Cabrillo College in California
  • Prof. Yousif

2
Note
  • It is important for networking professionals to
    have a very good understanding of TCP/IP.
  • Various devices communicate using the multiple
    protocols of the TCP/IP protocol suite.
  • A networking professional needs to know how these
    protocols function and interact with each other
    in order to properly understand, analyze and
    troubleshoot networking issues.
  • This chapter is only an introduction to this
    information and also a review of CCNA 1.
  • I strongly suggest taking a separate course in
    the TCP/IP protocol suite, in addition to system
    administration courses such as those for
    Microsoft Windows (MCSE/MCSA) or Unix/Linux
    certifications.
  • This presentation is based on:
  • CCNA 2 Module 10
  • Corrections to CCNA 2 Module 10
  • Other sources (Stevens, etc.)

3
Interesting Reading
TCP/IP Illustrated, Vol. 1 - W. Richard Stevens,
Addison-Wesley Pub Co, ISBN 0201633469
Where Wizards Stay Up Late - Katie Hafner and
Matthew Lyon, ISBN 0613181530
  • Very enjoyable reading and you do not have to be
    a networking geek to enjoy it!
  • National Bestseller
  • Although published in 1994 and written by the
    late W. Richard Stevens, it is still regarded as
    the definitive book on TCP/IP.

4
Overview
  • Students completing this module should be able
    to:
  • Describe TCP and its function
  • Describe TCP synchronization and flow control
  • Describe UDP operation and processes
  • Identify common port numbers
  • Describe multiple conversations between hosts
  • Identify ports used for services and clients
  • Describe port numbering and well known ports
  • Understand the differences and the relationship
    between MAC addresses, IP addresses, and port
    numbers

5
TCP Operation
  • IP is best effort delivery.
  • The transport layer (TCP) is responsible for
    reliability and flow control from source to
    destination.
  • This is accomplished using:
  • sliding windows (flow control)
  • sequence numbers and acknowledgments
    (reliability)
  • synchronization (establishing a virtual circuit)
  • Note: Although straightforward in its basic
    operation, TCP can be a very complicated protocol
    in its details. Most of the details regarding
    TCP are beyond the scope of this module and
    presentation.

6
TCP Operation
[Diagram labels: Connection-oriented (TCP), Connectionless (UDP), Connectionless]
  • IP Packet has a Protocol field that specifies
    whether the segment is TCP or UDP.

7
[Diagram: Application / Header / data, carried in an IP packet with Protocol Field = 17 (UDP)]
[Diagram: Application / Header / data, carried in an IP packet with Protocol Field = 6 (TCP)]
8
TCP
  • TCP -- a connection-oriented, reliable protocol
    provides flow control by providing sliding
    windows, and reliability by providing sequence
    numbers and acknowledgments.
  • TCP re-sends anything that is not received and
    supplies a virtual circuit between end-user
    applications.
  • The advantage of TCP is that it provides
    guaranteed delivery of the segments.

9
Synchronization or 3-way handshake
TCP Header
  • For a connection to be established, the two end
    stations must synchronize on each other's initial
    TCP sequence numbers (ISNs).
  • Sequence numbers are used to track the order of
    packets and to ensure that no packets are lost in
    transmission.
  • The initial sequence number is the starting
    number used when a TCP connection is established.
  • Exchanging beginning sequence numbers during the
    connection sequence ensures that lost data can be
    recovered.

10
The following example is taken from (and for more information, see):
  • Inside the TCP Handshake
  • http://www.nwconnection.com/2000_03/hand30/
  • Laura Chappell writes technical training books
    for podbooks.com (http://www.podbooks.com) and is
    a senior protocol analyst at NetAnalysis
    Institute.
  • Ms. Chappell also makes a pretty mean margarita.
    (For more information about NetAnalysis
    Institute, visit http://www.netanalysis.org.)

11
Packet 1: source 130.57.20.10, dest. 130.57.20.1
  TCP: ----- TCP header -----
  TCP: Source port = 1026
  TCP: Destination port = 524
  TCP: Initial sequence number = 12952
  TCP: Next expected Seq number = 12953
  TCP: .... ..1. = SYN
  TCP: Window = 8192
  TCP: Checksum = 1303 (correct)
  TCP: Maximum segment size = 1460 (TCP Option)

Packet 2: source 130.57.20.1, dest. 130.57.20.10
  TCP: ----- TCP header -----
  TCP: Source port = 524
  TCP: Destination port = 1026
  TCP: Initial sequence number = 2744080
  TCP: Next expected Seq number = 2744081
  TCP: Acknowledgment number = 12953
  TCP: .... ..1. = SYN
  TCP: Window = 32768
  TCP: Checksum = D3B7 (correct)
  TCP: Maximum segment size = 1460 (TCP Option)

Packet 3: source 130.57.20.10, dest. 130.57.20.1
  TCP: ----- TCP header -----
  TCP: Source port = 1026
  TCP: Destination port = 524
  TCP: Sequence number = 12953
  TCP: Next expected Seq number = 12953
  TCP: Acknowledgment number = 2744081
  TCP: ...1 .... = Acknowledgment
  TCP: Window = 8760
  TCP: Checksum = 493D (correct)
  TCP: No TCP options
  • Only part of the TCP headers are displayed.
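The decode above can be checked mechanically: the SYN-ACK must acknowledge the client's ISN + 1, and the final ACK must carry seq = client ISN + 1 and ack = server ISN + 1, because a SYN consumes one sequence number even though it carries no data. The following is an added example, not part of the presentation or the quoted article; the three segments are constructed from the values printed in the decode, and the Segment class and check_handshake function are this example's own names.

```python
# Added example (not from the presentation): checking the three segments of
# a three-way handshake for sequence/acknowledgement consistency. The three
# segments below are constructed from the values printed in the decode above.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: Optional[int]  # None when the ACK flag is not set
    syn: bool
    ack_flag: bool


def slide_handshake() -> Tuple[Segment, Segment, Segment]:
    """The SYN, SYN-ACK and ACK from the decode on the slide."""
    p1 = Segment("130.57.20.10", "130.57.20.1", 1026, 524, 12952, None, True, False)
    p2 = Segment("130.57.20.1", "130.57.20.10", 524, 1026, 2744080, 12953, True, True)
    p3 = Segment("130.57.20.10", "130.57.20.1", 1026, 524, 12953, 2744081, False, True)
    return p1, p2, p3


def check_handshake(p1: Segment, p2: Segment, p3: Segment) -> List[str]:
    """Return the list of inconsistencies; an empty list means the handshake is valid."""
    problems = []
    # Segment 1: SYN without ACK, announcing the client's ISN.
    if not (p1.syn and not p1.ack_flag):
        problems.append("segment 1 must be SYN without ACK")
    # Segment 2: SYN+ACK flowing back over the reversed address/port pair,
    # acknowledging client ISN + 1 (the SYN itself consumes one sequence number).
    if not (p2.syn and p2.ack_flag):
        problems.append("segment 2 must be SYN+ACK")
    if (p2.src, p2.sport, p2.dst, p2.dport) != (p1.dst, p1.dport, p1.src, p1.sport):
        problems.append("segment 2 does not reverse the addresses/ports of segment 1")
    if p2.ack != p1.seq + 1:
        problems.append("segment 2 ack %s != client ISN + 1 (%d)" % (p2.ack, p1.seq + 1))
    # Segment 3: ACK without SYN, seq = client ISN + 1, ack = server ISN + 1.
    if p3.syn or not p3.ack_flag:
        problems.append("segment 3 must be ACK without SYN")
    if p3.seq != p1.seq + 1:
        problems.append("segment 3 seq %d != client ISN + 1 (%d)" % (p3.seq, p1.seq + 1))
    if p3.ack != p2.seq + 1:
        problems.append("segment 3 ack %s != server ISN + 1 (%d)" % (p3.ack, p2.seq + 1))
    return problems


if __name__ == "__main__":
    # Prints [] for the slide's values; edit a number above to see what is reported.
    print(check_handshake(*slide_handshake()))
```

The same checks are what a protocol analyzer applies when it labels a decode "correct": the "Next expected Seq number" lines on the slide are exactly ISN + 1 for each side.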

12
Denial of Service (DoS) Attacks
  • DoS attacks are a common method that hackers
    utilize to halt system response.
  • One type of DoS is known as SYN flooding.
  • SYN flooding exploits the normal three-way
    handshake and causes targeted devices to reply
    (SYN ACK) to source addresses that will never
    complete the handshake.

13
DoS Syn Flooding Attack
  • The hacker initiates a synchronization (SYN) but
    spoofs the source IP address.
  • Spoofing: using another's IP address, real or not
    (one meaning of the term).
  • The receiving device replies (SYN ACK) to the
    non-existent source.
  • The receiving device places the process in a wait
    state while waiting to receive the final ACK from
    the initiator.
  • The waiting request is placed in a connection
    queue or a holding area in memory.
  • This waiting state requires the attacked device
    to commit system resources, such as memory, to
    the waiting process until the connection timer
    times out.
  • Hackers flood the attacked host with these false
    SYN requests, using up all of its connection
    resources to respond to and wait for false
    connections, which prevents it from responding
    to legitimate connection requests.

14
DoS Syn Flooding Attack
  • To defend against these attacks, system
    administrators may decrease the connection
    timeout period and increase the connection queue
    size (not recommended).
  • Software also exists that can detect these types
    of attacks and initiate defensive measures.

15
For more information (Cisco)
  • If a flood of incoming request packets has
    invalid source IP addresses, sessions never get
    established and remain as half-open connections.
    Many TCP implementations are only able to handle
    a small number of outstanding connections per
    port; therefore these ports are effectively
    unavailable until the half-open connections
    time out (typically 75 seconds). Additionally,
    this attack may also cause the server to exhaust
    its memory or waste processor cycles in
    maintaining state information on these
    connections.
  • Firewall vendors such as Checkpoint, Cisco, and
    Raptor have incorporated features into their
    products to shield your downstream systems from
    SYN attacks.
  • The Cisco IOS(TM) TCP Intercept
  • http://www.cisco.com/warp/public/cc/pd/iosw/iore/prodlit/576_pp.htm
  • TCP Intercept Commands
  • http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt3/srdenl.htm
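The detection software mentioned on the previous two slides works from the symptom described here: a pile-up of half-open connections on one port, usually from many different sources. The following is an added example, not part of the presentation or of any vendor product, that counts SYN_RECV entries per local port from netstat-style output. SAMPLE_NETSTAT is constructed sample output in the Linux "netstat -tn" column layout (Proto Recv-Q Send-Q Local Foreign State); the addresses are documentation ranges and the threshold is an assumed value, not a recommendation.

```python
# Added example (not from the presentation): counting half-open (SYN_RECV)
# connections per local port from netstat-style output. SAMPLE_NETSTAT is
# constructed sample output, not captured from a real host.
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.0.2.10:80 198.51.100.7:40211 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.5:1025 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.9:1026 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.77:1027 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.120:1028 SYN_RECV
tcp 0 0 192.0.2.10:23 198.51.100.8:1029 SYN_RECV
tcp 0 0 192.0.2.10:22 198.51.100.9:1030 ESTABLISHED
"""


def parse_tcp_rows(netstat_text: str) -> List[Dict[str, str]]:
    """Pull (local port, foreign address, state) out of each TCP row."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip the header line, UDP rows and anything malformed
        _, local_port = fields[3].rsplit(":", 1)
        foreign_ip, _ = fields[4].rsplit(":", 1)
        rows.append({"local_port": int(local_port),
                     "foreign_ip": foreign_ip,
                     "state": fields[5]})
    return rows


def half_open_by_port(netstat_text: str) -> Dict[int, int]:
    """Number of half-open (SYN_RECV) connections per local port."""
    counts: Counter = Counter()
    for row in parse_tcp_rows(netstat_text):
        if row["state"] == "SYN_RECV":
            counts[row["local_port"]] += 1
    return dict(counts)


def distinct_half_open_sources(netstat_text: str) -> Dict[int, int]:
    """Distinct foreign addresses behind the half-open connections on each port.
    A count close to the half-open count means the SYNs are not coming from
    one slow client, which is what a flood of spoofed sources looks like."""
    sources = defaultdict(set)
    for row in parse_tcp_rows(netstat_text):
        if row["state"] == "SYN_RECV":
            sources[row["local_port"]].add(row["foreign_ip"])
    return {port: len(ips) for port, ips in sources.items()}


def suspicious_ports(netstat_text: str, threshold: int) -> List[int]:
    """Ports whose half-open count reaches the threshold, busiest first."""
    counts = half_open_by_port(netstat_text)
    return sorted((p for p, c in counts.items() if c >= threshold),
                  key=lambda p: -counts[p])


if __name__ == "__main__":
    print(half_open_by_port(SAMPLE_NETSTAT))           # {80: 4, 23: 1}
    print(distinct_half_open_sources(SAMPLE_NETSTAT))  # {80: 4, 23: 1}
    print(suspicious_ports(SAMPLE_NETSTAT, 3))         # [80]
```

A real deployment would sample this repeatedly and compare against the normal half-open count for each service, since a single snapshot with a few SYN_RECV entries is ordinary for a busy server; the 75-second timeout quoted above is what makes the backlog grow when the sources never answer.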

16
Windowing and Window Sizes
  • Both of these diagrams are examples of simple
    windowing.
  • This is not an example of sliding windows.
  • Window size refers to the number of bytes that
    are transmitted before receiving an
    acknowledgment.
  • After a host transmits the window-size number of
    bytes, it must receive an acknowledgment before
    any more data can be sent.
  • The window size determines how much data the
    receiving station can accept at one time.

17
Simple Windowing
TCP Header
  • TCP is responsible for breaking data into
    segments.
  • With a window size of 1, each segment carries
    only one byte of data and must be acknowledged
    before another segment is transmitted. This
    results in inefficient host use of bandwidth.
  • The purpose of windowing is to improve flow
    control and reliability.
  • Unfortunately, with a window size of 1, you see a
    very inefficient use of bandwidth.

18
Simple Windowing
  • TCP Window Size
  • TCP uses a window size (a number of bytes) that
    the receiver is willing to accept; it is usually
    controlled by the receiving process.
  • TCP uses expectational acknowledgments, meaning
    that the acknowledgment number refers to the next
    byte that the sender of the acknowledgement
    expects to receive.
  • A larger window size allows more data to be
    transmitted pending acknowledgment.
  • Note: The sequence number being sent identifies
    the first byte of data in that segment.

19
Simple Windowing
  • TCP Full-duplex service: Independent Data Flows
  • TCP provides full-duplex service, which means
    data can be flowing in each direction,
    independent of the other direction.
  • Window sizes, sequence numbers and acknowledgment
    numbers are kept independently for each
    direction's data flow.
  • Receiver sends acceptable window size to sender
    during each segment transmission (flow control)
  • if too much data being sent, acceptable window
    size is reduced
  • if more data can be handled, acceptable window
    size is increased
  • This is known as a Stop-and-Wait windowing
    protocol.

20
Sliding Windows
  • Note: The following slides on Sliding Windows
    contain corrections to the on-line curriculum,
    followed by my own slides on Sliding Windows.

21
Sliding Windows
[Diagram labels: Working Window size; Initial Window size; Octets sent, Not ACKed; Usable Window, Can send ASAP]
  • Sliding Window Protocol
  • Sliding window algorithms are a method of flow
    control for network data transfers using the
    receiver's Window size.
  • The sender computes its usable window, which is
    how much data it can immediately send.
  • Over time, this sliding window moves to the
    right, as the receiver acknowledges data.
  • The receiver sends acknowledgements as its TCP
    receive buffer empties.
  • The terms used to describe the movement of the
    left and right edges of this sliding window are:
    (These will be demonstrated in the following
    slides.)
  • 1. The left edge closes (moves to the right) when
    data is sent and acknowledged.
  • 2. The right edge opens (moves to the right),
    allowing more data to be sent. This happens when
    the receiver acknowledges a certain number of
    bytes received.
  • 3. The middle edge opens (moves to the right) as
    data is sent but not yet acknowledged.

22
[Diagram: Host A - Sender, Host B - Receiver; Window size 6; octets 1, 2, 3 sent; Octets sent, Not ACKed; Usable Window, Can send ASAP; Octets received; ACK 4]
  • Host B gives Host A a window size of 6 (octets or
    bytes).
  • Host A begins by sending octets 1, 2, and 3 to
    Host B and slides its window over, showing that
    it has sent those 3 octets.
  • Host A will not increase its usable window size
    by 3 until it receives an ACKnowledgement from
    Host B that it has received some or all of the
    octets.
  • Host B, not waiting for all of the 6 octets to
    arrive, after receiving the third octet sends an
    expectational ACKnowledgement of 4 to Host A.

23
[Diagram: Host B - Receiver, Host A - Sender; Window size 6; octets 1, 2, 3 sent; ACK 4; octets 4, 5 sent; ACK 6; Octets sent, Not ACKed; Usable Window, Can send ASAP]
  • Host A does not have to wait for an
    acknowledgement from Host B to keep sending data,
    as long as the number of octets sent but not
    ACKed has not reached the window size of 6, so
    it sends octets 4 and 5.
  • Host A receives the acknowledgement ACK 4 and
    can now slide its window over to equal 6 octets:
    2 octets sent but not ACKed plus 4 octets which
    can be sent ASAP.

24
[Diagram: Host B - Receiver, Host A - Sender; Window size 6; octets 1, 2, 3 sent; ACK 4; octets 4, 5 sent; ACK 6; octets 6, 7, 8, 9 sent; Octets sent, Not ACKed; Usable Window, Can send ASAP]
25
Sliding Windows
  • Default window size: 8K for Windows, 32K for
    Linux.
  • There are various Unix/Linux/Microsoft programs
    that allow you to modify the default window size.
  • I do not recommend that you modify these unless
    you know what you are doing.
  • Disclaimer: Modifying the registry can cause
    serious problems that may require you to
    reinstall your operating system. We cannot
    guarantee that problems resulting from
    modifications to the registry can be solved. Use
    the information provided at your own risk.
  • NOTE: I take no responsibility for this software
    or any others!

26
TCP/Web100 bandwidth test v4.2
click START to begin
running 10s outbound test... 107 Kbs outbound
running 10s inbound test... 1207 Kbs inbound
web100 Connection Variables
Round Trip times were sampled 611 times for a total time of 72770 millisecs giving an average RTT of 119.0 millisecs(0.119 secs)
You received 1126 packets of size 1360 from the remote host and it took a total of 10475.0 millisecs
Maximum Expected Bandwidth 392 Kbs
Good Data Stream--No retransmits!
You are advertising a window of 17680 bytes
The remote host is advertising a window of 5840 bytes
The Remote Host has a send buffer of 128000 bytes and a receive buffer of 128000 bytes
Buffer sizes are very important in determining the advertised window sizes. Larger window sizes can help increase thruput. If your window is smaller than the remote host, your should investigate increasing your socket buffer sizes.
  • ORNL TCP Web100 Bandwidth Test
  • http://lin-ks.greatplains.net/noc/measurement/tcpbw100.php

27
Sequencing numbers
This is only if one octet was sent at a time.
  • The data segments being transmitted must be
    reassembled once all the data is received.
  • No guarantee that the data will arrive in the
    order it was transmitted.
  • TCP applies sequence numbers to the data segments
  • Sequencing numbers indicate to the destination
    device the correct order in which to put the
    bytes when they are received.
  • These sequencing numbers also act as reference
    numbers so that the receiver will know if it has
    received all of the data.
  • They also identify the missing data pieces to the
    sender so it can retransmit the missing data.

28
Technical FYI on Sequencing numbers
Part of TCP Header
  • Sender: The value in the sequence number is the
    first byte in the data stream.
  • Question: How does the receiver know how much
    data was sent, so it knows what value to send in
    the acknowledgement?
  • Receiver: Using the sender's IP packet and TCP
    segment information, the value of the ACK is:

      IP Packet Length   = (IP) Total length - (IP) Header length
    - TCP header length  = (TCP) Header length
    -------------------------------------------
    = Length of data in TCP segment

    ACK = Last Sequence Number ACKed + Length of data in TCP segment

  • Check the Sequence Number to check for missing
    segments and to sequence out-of-order segments.
  • Remember that the ACK is for the sequence number
    of the byte you expect to receive. When you ACK
    101, that says you've received all bytes through
    100. This ignores Selective Acknowledgments, or
    SACK.
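The arithmetic on this slide, carried through in code: the TCP payload length is the IP total length minus both headers (on the wire both header lengths are counted in 32-bit words), the expectational ACK is the segment's sequence number plus that length (plus one for a SYN or FIN, which occupy a sequence number without carrying data), and a receiver uses the sequence number to deliver in order and to keep ACKing the start of any gap, as the slide says, without SACK. This is an added example, not part of the presentation; the field values it is called with are constructed, and the function and class names are this example's own.

```python
# Added example (not from the presentation): payload length, expectational
# ACK and in-order delivery from sequence numbers. All inputs are constructed.
from typing import Dict


def tcp_data_length(ip_total_length: int, ip_ihl_words: int, tcp_data_offset_words: int) -> int:
    """Length of data in the TCP segment = IP total length - IP header - TCP header.
    Both header lengths are carried on the wire in 32-bit words, hence the * 4."""
    data_len = ip_total_length - ip_ihl_words * 4 - tcp_data_offset_words * 4
    if data_len < 0:
        raise ValueError("headers longer than the IP total length")
    return data_len


def expected_ack(seq: int, data_len: int, syn: bool = False, fin: bool = False) -> int:
    """Next byte the receiver expects: seq + data, plus one for a SYN or FIN flag."""
    return seq + data_len + int(syn) + int(fin)


def ack_for_segment(ip_total_length: int, ip_ihl_words: int, tcp_data_offset_words: int,
                    seq: int, syn: bool = False, fin: bool = False) -> int:
    """The slide's two steps combined: header fields in, ACK number out."""
    return expected_ack(seq, tcp_data_length(ip_total_length, ip_ihl_words, tcp_data_offset_words), syn, fin)


class Receiver:
    """Reassembles a byte stream from segments using sequence numbers only (no SACK)."""

    def __init__(self, next_expected: int):
        self.next_expected = next_expected   # the value we put in every ACK we send
        self.held: Dict[int, bytes] = {}      # segments that arrived beyond a gap
        self.delivered = b""                  # bytes passed up to the application

    def accept(self, seq: int, payload: bytes) -> int:
        """Process one data segment and return the ACK number to send back."""
        end = seq + len(payload)
        if end <= self.next_expected:
            return self.next_expected          # duplicate: just re-ACK what we have
        if seq > self.next_expected:
            self.held[seq] = payload           # gap: hold it; ACK still names the gap
            return self.next_expected
        # seq <= next_expected < end: deliver only the part we have not seen yet
        self._deliver(payload[self.next_expected - seq:])
        # drain held segments that now start exactly at the new edge
        # (simplified: held segments are assumed not to overlap each other)
        while self.next_expected in self.held:
            self._deliver(self.held.pop(self.next_expected))
        return self.next_expected

    def _deliver(self, data: bytes) -> None:
        self.delivered += data
        self.next_expected += len(data)


if __name__ == "__main__":
    # A full-size segment: 1500-byte IP packet, 20-byte IP and TCP headers -> 1460 data bytes.
    print(tcp_data_length(1500, 5, 5), ack_for_segment(1500, 5, 5, 1))   # 1460 1461
    # The slide's example: ACK 101 means all bytes through 100 have arrived.
    r = Receiver(101)
    print(r.accept(201, b"b" * 100))   # 101: bytes 101-200 are missing, hold 201-300
    print(r.accept(101, b"a" * 100))   # 301: gap filled, held segment drained too
```

The ACK values returned by `Receiver.accept` are what the sender compares against its own sequence numbers to find "the missing data pieces" from slide 27: an ACK that stops advancing at 101 while later segments were sent is the retransmission trigger.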

29
Positive Acknowledgment and Retransmission (PAR)
  • PAR The source sends a packet, starts a timer,
    and waits for an acknowledgment before sending
    the next packet.
  • If the timer expires before the source receives
    an acknowledgment, the source retransmits the
    packet and starts the timer over again.
  • TCP uses expectational acknowledgments in which
    the acknowledgment number refers to the next
    octet that is expected.

30
UDP
31
UDP Operation
  • UDP does not use windowing or acknowledgments so
    application layer protocols must provide error
    detection.
  • The Source Port field is an optional field used
    only if information needs to return to the
    sending host.
  • When a destination router receives a routing
    update, the source router is not requesting
    anything so nothing needs to return to the
    source.
  • This is regarding only RIP updates.
  • BGP uses TCP, IGRP is sent directly over IP.
    EIGRP and OSPF are also sent directly over IP
    with their own way of handling reliability.

32
UDP Operation
33
Port Numbers (TCP and UDP)
34
[Diagram: Application / Header / data]
Port Numbers
Port numbers are used to know which application
the receiving host should pass the Data to.
[Diagram: Application / Header / data]
35
TCP Header
36
Port Numbers
TCP Header
  • Application software developers have agreed to
    use the well-known port numbers that are defined
    in RFC 1700.
  • For example, any conversation bound for a Telnet
    application uses the standard port number 23.

37
Port Numbers
  • Conversations that do not involve an application
    with a well-known port number are, instead,
    assigned port numbers that are randomly selected
    from within a specific range.
  • These port numbers are used as source and
    destination addresses in the TCP segment.
  • Some ports are reserved in both TCP and UDP,
    although applications might not be written to
    support them.
  • (Curriculum) Port numbers have the following
    assigned ranges:
  • Numbers below 255 are reserved for public
    applications
  • Numbers from 255 to 1023 are assigned to
    companies for marketable applications
  • Numbers above 1023 are unregulated
  • (RFC) The range for assigned ports managed by the
    IANA is 0-1023. http://www.iana.org/assignments/port-numbers
  • The Well Known Ports are those from 0 through
    1023. (This is updated information as of
    11-13-2002. Before then, 0-255 were considered
    well known ports.)
  • The Registered Ports are those from 1024 through
    49151
  • The Dynamic and/or Private Ports are those from
    49152 through 65535

38
http://www.iana.org/assignments/port-numbers
  • The Well Known Ports are assigned by the IANA and
    on most systems can only be used by system (or
    root) processes or by programs executed by
    privileged users.
  • The Registered Ports are listed by the IANA and
    on most systems can be used by ordinary user
    processes or programs executed by ordinary users.
    The IANA registers uses of these ports as a
    convenience to the community.
  • The Dynamic and/or Private Ports are those from
    49152 through 65535

39
Port Numbers
  • For more of an explanation of port numbers and
    examples, go to
  • http://www.iana.org/assignments/port-numbers

40
Port Numbers
TCP Header
TCP Header
  • End systems use port numbers to select the proper
    application.
  • Originating source port numbers, usually a value
    larger than 1023, are dynamically assigned by the
    source host.

41
TCP Header
  • Notice the difference in how source and
    destination port numbers are used with clients
    and servers:
  • Client:
  •   Destination Port 23 (telnet)
  •   Source Port 1028 (dynamically assigned)
  • Server:
  •   Destination Port 1028 (source port of client)
  •   Source Port 23 (telnet)

42
[Diagram: two http sessions to www.cisco.com from the same client. Session 1: source port 1030, Dest. Port 80 (send packets to web server application). Session 2: source port 1031, Dest. Port 80 (send packets to web server application).]
Second http session between the same client and
server. Same destination port, but different
source port to uniquely identify this web session.
  • This example shows two separate browser windows
    to the same URL. TCP/IP uses source port numbers
    to know which information goes to which window.

43
  • What makes each connection unique?
  • A connection is defined by the pair of
    (address, port) pairs:
  • source IP address, source port
  • destination IP address, destination port
  • Different connections can use the same
    destination port on the server host as long as
    the source ports or source IPs are different.
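The IANA ranges from slide 37 and the "pair of pairs" that identifies a connection on this slide, in code: a port classifier plus a connection table keyed by the 4-tuple, populated with the two browser windows to the same web server from slides 42 and 44. This is an added example, not part of the presentation; the addresses and port numbers are constructed (documentation ranges, and 1030/1031 as on the diagram), and the Connection, ConnectionTable and port_class names are this example's own.

```python
# Added example (not from the presentation): IANA port classes and a
# connection table keyed by (src IP, src port, dst IP, dst port).
# Addresses and ports are constructed to mirror the two-browser-window diagram.
from collections import namedtuple
from typing import Dict, List, Optional

Connection = namedtuple("Connection", "src_ip src_port dst_ip dst_port")


def port_class(port: int) -> str:
    """Classify a port using the IANA ranges quoted on the slide."""
    if not 0 <= port <= 65535:
        raise ValueError("port %d is outside 0-65535" % port)
    if port <= 1023:
        return "well-known"      # assigned by IANA; root/privileged on most systems
    if port <= 49151:
        return "registered"      # listed by IANA; usable by ordinary user processes
    return "dynamic/private"     # never assigned


class ConnectionTable:
    """What netstat displays: one row per unique 4-tuple, with its state."""

    def __init__(self) -> None:
        self._conns: Dict[Connection, str] = {}

    def add(self, conn: Connection, state: str = "ESTABLISHED") -> None:
        # Two connections may share every field but one; identical 4-tuples cannot coexist.
        if conn in self._conns:
            raise ValueError("4-tuple already in use: %r" % (conn,))
        self._conns[conn] = state

    def lookup(self, conn: Connection) -> Optional[str]:
        """Demultiplex an arriving segment to its connection (None if unknown)."""
        return self._conns.get(conn)

    def connections_to(self, dst_ip: str, dst_port: int) -> List[Connection]:
        """All connections landing on one server application, e.g. port 80."""
        return [c for c in self._conns if (c.dst_ip, c.dst_port) == (dst_ip, dst_port)]

    def rows(self) -> List[str]:
        """netstat-like lines: proto, local, foreign, state."""
        return ["tcp %s:%d %s:%d %s" % (c.src_ip, c.src_port, c.dst_ip, c.dst_port, s)
                for c, s in self._conns.items()]


def two_windows_example() -> ConnectionTable:
    """Two browser windows to the same web server: same destination, different source port.
    The client OS picks the source port from above 1023 (slide 40), so 1030 and 1031 fall
    in IANA's 'registered' range even though nothing registered them."""
    table = ConnectionTable()
    table.add(Connection("192.0.2.10", 1030, "198.51.100.20", 80))
    table.add(Connection("192.0.2.10", 1031, "198.51.100.20", 80))
    return table


if __name__ == "__main__":
    t = two_windows_example()
    for row in t.rows():
        print(row)
    print(port_class(23), port_class(1030), port_class(50000))
```

Note that `lookup` is exact on all four fields: a segment from port 1031 is routed to the second window even though everything else in its 4-tuple matches the first, which is the point of the slide.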

44
[Diagram: netstat command output, columns: TCP or UDP, Source IP, Source Port, Destination IP (www.cisco.com), Destination Port, Connection State]
  • Note: In actuality, when you open up a single web
    page, there are usually several TCP sessions
    created, not just one.
  • Example of multiple TCP connections for a single
    http session.

45
Ch. 10 Intermediate TCP/IP
  • CCNA 2 version 3.0