The application program at the originating host passes its data, the destination address, and other parameters required to the transport layer as arguments in a system call.
Figure 1-4![]()
Data transmission
The transport layer encapsulates the data by attaching it to a header that it has created and then passes it to the Internet layer.
The Internet layer encapsulates the data inside an IP header and passes it to the link layer.
The link layer (in this example, Ethernet) encapsulates the data as a frame inside an Ethernet header and trailer for transmission by the physical media.
Data is encoded as bits on the physical medium. This is called electrical encoding.
The Ethernet frame arrives at the interface of a router that is on the same segment. The router also has a connection to the wide area network (WAN). This router functions as a gateway.1
The IP packet is extracted and routed to the next hop in the path. At this point, the entire operation is internal to the router, which effectively switches the packet from its Ethernet interface to a WAN interface; in this example, it is a serial interface. This is path switching, not switched Ethernet.
The serial interface is configured to use high-level data link control (HDLC) as the WAN protocol, so the packet is encapsulated inside an HDLC frame, and then forwarded over the WAN to the next hop in the path. HDLC is a Layer 2 protocol in OSI terminology.
At each hop, the IP packet is extracted, switched to an outbound interface, and encapsulated as required for transmission to the next hop.
Routing along the way to the final destination is facilitated by routing protocol operations in each hop. Path selection is based on IP address tables (routing tables) and routing algorithms, such as Open Shortest Path First (OSPF) and Interior Gateway Routing Protocol (IGRP). Large networks that are logically divided into “domains” also use special routing protocols for interdomain path selection, such as Border Gateway Protocol (BGP).
At the destination router, the IP packet is extracted and switched to an outbound Ethernet interface; the destination host is on this segment.
The packet is encapsulated inside an Ethernet header and trailer.
The Ethernet frame is encoded in electrical bits, transmitted over the physical medium, and delivered to the interface of the destination host.
The Internet layer extracts the IP packet from the Ethernet frame and passes it to the transport layer.
The transport layer ensures that all segments are in order and delivers the data to the host application program.
TCP/IP Protocol Suite
Specifications in RFC 1122, “Requirements for Internet Hosts—Communication Layers,” state that Internet hosts must implement at least one protocol from each layer of the TCP/IP protocol suite. In light of the fact that the link, Internet, and transport layer protocols must be operational for an implementation to work, it might appear as though the IETF is “requiring the obvious.” Additional details clarify the requirement by distinguishing two categories of application layer protocols: user protocols that provide services to users, and support protocols that enable common system functions. RFC authors explain that the most common examples of each are as follows:
Application layer user protocols. Telnet, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).
Application layer support protocols. Simple Network Management Protocol (SNMP), BOOTP, Reverse Address Resolution Protocol (RARP), and Domain Name System (DNS).
Tables 1-2 through 1-5 offer brief definitions of these protocols and others that are widely used today. To be consistent with typical industry language, OSI Model terms describe the layers at which each protocol operates.
Table 1-2 Application Layer Protocols
Application Layer Protocol | Description |
Domain Name System (DNS) | A data query service that is used primarily to translate human-readable system names into IP addresses. The query parameter is an Internet host name that is associated with the address. It is called the Domain Name System instead of Host Name System because its services are of a global nature. For example, a Web site’s host name can be as simple as ABCD; the fully qualified domain name (FQDN) would be ABCD.com, assuming that it is operated by a commercial entity. Country domain names, such as .us or .uk, are based on ISO specification 3166. |
File Transfer Protocol (FTP) | Enables users to transfer files to and from other hosts. Typically, FTP is used to transfer large files that are not e-mail friendly, such as images, hefty database files, or in my case, wedding photos from the wedding photographer. |
Hyper Text Transfer Protocol (HTTP) | Used on the Internet to transfer hypertext markup language (HTML) files. Since its creation, an increasing number of applications have been built for transferring information in Web pages with HTTP as the foundation. |
Simple Mail Transfer Protocol (SMTP) | Transfers electronic mail. SMTP is completely transparent to users. Behind the scenes, SMTP connects to remote machines and transfers mail messages much like FTP transfers files. |
Simple Network Management Protocol (SNMP) | The Internet standard protocol for device management. It reads data from device Management Information Base (MIB) tables, which can create performance and health reports. SNMP also sets parameters in remote devices, and it supports real-time event and alert generation. Software in the managed device is called an SNMP agent, while software at the operator’s end of the network is called a network management system. |
Kerberos | A widely supported security protocol for centralized authentication management. Kerberos uses a special application, called an authentication server, to validate passwords and encryption schemes. |
Network File System (NFS) | A network file-sharing protocol developed by Sun Microsystems. It allows computers to access and use files on other systems over the network as if they were on a local disk. This is accomplished by a distributed file system scheme. It is the de facto Internet standard for remote file management. |
Telnet | The Internet standard protocol for remote terminal connection services. Although it is intended for a hands-on user, many shops employ automation scripts that periodically open Telnet sessions to perform a particular function. This is negative from both security and performance perspectives because it transfers results over the network in unencrypted packets and generates much overhead traffic. Telnet is being replaced by Secure Shell (SSH), which provides encrypted and secure remote terminal access. |
Server Message Block (SMB) | A network file-sharing protocol developed by Microsoft. It allows computers to access and use files on other systems over the network as if they were on a local disk. |
Trivial File Transfer Protocol (TFTP) | A simplified version of FTP. It lacks security and uses UDP for transport services (as opposed to TCP). TFTP has fewer capabilities than FTP and is used frequently in an automated fashion without generating an undue amount of network overhead traffic. |
Table 1-3 Session Layer Protocols
Session Layer Protocol | Description |
Remote Procedure Call (RPC) Session layer | Implements the client-server model of distributed computing. Its main function is to remotely request the execution of a particular process. |
Table 1-4 Transport Layer Protocols
Transport Layer Protocol | Description |
Secure Shell (SSH) | Used for secure remote login capabilities over an otherwise unsecured network. It is slowly replacing Telnet as the preferred method of remotely accessing devices. SSH has three components: Secure Shell Transport Layer Protocol (SSH-TRANS), which provides server authentication and integrity; User Authentication Protocol (SSH-USERAUTH), which runs over the transport layer and authenticates the client side user to the server; and the Connection Protocol (SSH-CONNECT), which runs over SSH-USERAUTH and multiplexes the encrypted tunnel into logical channels. |
Transmission Control Protocol (TCP) | The Internet standard transport layer protocol. It is connection oriented, which is why it is classified as a reliable transport protocol, and stream oriented. It is responsible for congestion control, error recovery, and segment assembly and sequencing, which is how it reorders data streams that arrive out of order. |
User Datagram Protocol (UDP) | The Internet standard for connectionless transport layer services. The word user indicates its role to support management functions, unlike TCP, which is part of how payload data is transmitted successfully over the Internet. SNMP uses the UDP protocol because its nature is such that maintaining a connection is unnecessary. Other applications might use UDP for performance reasons because it has none of the limitations imposed by having to maintain a connection. UDP offers better response times than TCP, but it has no error-recovery functions, which are left to higher layer protocols designed for use with UDP services. |
Table 1-5 Internet Layer Protocols
Internet Layer Protocol | Description |
Internet Control Message Protocol (ICMP) | An extension to IP that facilitates the generation of error messages and test packets, and it manages informational messages. It has been a part of the TCP/IP protocol suite from the beginning, and it is an important part of making IP work. It is so important, in fact, that RFC 1122, “Requirements for Internet Hosts—Communication Layers,” states a requirement that “the Internet layer of host software MUST implement both IP and ICMP.” |
Internet Protocol (IP) | The packet-switching protocol for TCP/IP; it uses logical addressing. |
Although developers have latitude for implementing the TCP/IP protocol suite, there are some stringent requirements to consider. A good example is the robustness principle, which stresses that software is written in such a way that it deals with every conceivable error condition. The principle also involves performance in a network-friendly manner and drives the point home with specific verbiage, such as “be liberal in what you accept and conservative in what you send.”
To clarify, for applications that do not require reliable transport services, UDP is available. This is called a UDP/IP application, and it is distinct from TCP/IP.
The nuts and bolts of protocol operations exist as fields within the bit-level structure of each data unit, whether it is a frame, segment, or packet. According to the layered protocol discussion so far, those particular units, or chunks, of data will at some point exist within the same logical structure. The concept was described at a high level in the layered communications example earlier in this chapter (specifically at Step 4). At that point, application data and an application layer header—if required, an attribute that is unique to the application—were encapsulated inside an Ethernet header and trailer along with transport and Internet layer headers. The role of a TCP/IP protocol header is to convey information to the other layers and to its peer of the same protocol at the other end of the path. (This is the adjacent-layer and same-layer interactions, respectively.) Figure 1-5 shows application data encapsulated as an Ethernet frame, an IP packet, and a TCP segment.
Datagram encapsulation
A common vehicle for malicious network activity is an altered header field. Attackers capture all (or part) of a message so that it can be used for illegal purposes. The first line of defense is to know which headers are subject to legitimate change and which headers need to be fixed at a specific value, either because of protocol requirements or local security policies. The following list includes high-level categories for expected header behavior. Detailed IP header information is displayed later in this chapter:
Inferred. Values that can be inferred from other values. An example is packet length.
Static. Values in these fields are expected to be constant throughout the packet stream’s life; they must be communicated at least once. The IP version number is an example.
Static-Def. Static fields whose values define a packet stream. IP source and destination addresses are in this classification.
Static-Known. Static fields that are expected to have well-known values and do not need to be communicated, such as an IP version 4 (IPv4) header length field.
Changing. These fields are expected to vary randomly within a limited value set or range; the TTL field is an example.
Internet Protocol
IP is a primary protocol of the OSI Model and, as its name suggests, an integral part of TCP/IP. Although the word Internet appears in its name, IP is not restricted to use on the global Internet, where it is implemented on all participating hosts. So, what’s in a name? Readers interested in Internet history may enjoy visiting one of several Web sites that the Internet Society sponsors. The society rests at the top of a loosely formed organization of engineers, researchers, operators, and visionaries from the academic community. The IETF is connected to that hierarchy and, through its working groups, keeps the Internet running and is involved in its continued evolution. The URL for the IETF site is http://www.ietf.org/.
Because it is connectionless and uses logical addressing, IP is easily ported to networks that are isolated from the Internet. It is an excellent choice for managers of enterprise networks who need efficient, machine-to-machine communications today, but must prepare for Internet connectivity tomorrow. As a practical matter, when compared with non-IP networks, an existing IP infrastructure is cheaper to migrate to the Internet or to an extranet2 connection with another organization. NetWare environments, where IPX is a competing protocol, face bigger challenges as the need for growth becomes a reality.
A key concept about IP is that it is a routed protocol, not a routing protocol. An IP packet knows where it is going in the network because it holds addressing information that is unique to its destination. Furthermore, it can only be destined for an IP host, which is termed as such because it contains an IP address. To reach that destination, the packet depends on a routing protocol to direct its path by creating routing tables in infrastructure devices (hence the term router). The dependency of routed protocols on routing protocols is only a small sample, albeit an important one, of a larger set of interactions between software entities that keep the electronic world connected.
IP serves two basic purposes: addressing and fragmentation. The protocol is rigidly structured, and the logical part of its addressing capabilities does not imply a logical or virtual circuit. Fragmentation and reassembly is used for traversing networks3 where transmission units are smaller than at the packet’s source.
Engineers who have supported Ethernet segments might have a better grasp of what connectionless means, at least in the context of TCP/IP. They learned quickly enough that, however voluminous the trouble calls were from first-level support personnel, collisions were generally a good thing. As a shared medium, Ethernet reported collisions when multiple hosts transmitted simultaneously, mainly so some would back off and wait in line to retransmit. Too many collisions were symptomatic of error conditions, but more often than not, there was no cause for alarm. Just as “management events” might have been a better term than “collisions,” connectionless is a better term than “unreliable” when discussing IP. One of the reasons that IP is a robust, efficient protocol is that it leaves time-consuming tasks, such as looking up addresses in routing tables, to resident modules in devices along its path. By design, it is not involved in connection establishment and has no flow-control mechanism. When reliable delivery is necessary, the connection-oriented, higher layer protocol, TCP, produces that service.