Unit 1: Introduction, Understanding the Purpose and Function of Networking Models, Networking Model, Network Interface, Media Access Control, Network Interface Hardware/Software, OSI Model, The Microsoft Model, TCP/IP Protocol Suite.
Unit - 2: Host-to-Host Transport - Transmission Control Protocol - User Datagram Protocol - Application - NetBIOS over TCP - Windows Internet Name Service - Server Message Block/Common Internet File System - Internet Printing Protocol - Windows Sockets - Telnet - Dynamic Host Configuration Protocol - Simple Mail Transport Protocol - Post Office Protocol - Internet Message Access Protocol - Hypertext Transport Protocol - Network News Transfer Protocol - File Transfer Protocol - Domain Naming System - Routing Information Protocol - SNMP
Unit - 3: IP Addressing - Converting from Decimal to Binary - Network ID and Host ID - Rules for Network IDs - Rules for Host IDs - Class A - Class B - Class C - Class D and Class E
Unit - 4: Determine the Number of Host Bits to Be Used - Determine the New Subnetted Network IDs - Determine the IP Addresses for Each New Subnet - Creating the Subnet Mask - Public and Private IP Addresses - Basic IP Routing - Name and Address Resolution - Host Name Resolution - How Packets Travel from Network to Network - IP Routing Tables - Route Processing - Physical Address Resolution - Inverse ARP - Proxy ARP - Static and Dynamic IP Routers - Routing
Unit - 5: Exam Objectives Fast Track - Self Test - Example of a Simple Classful Network - Summary of Exam Objectives
References:
1) Richard Stevens, Advanced Programming in the UNIX Environment, Addison Wesley, 1999.
2) Richard Stevens, UNIX Network Programming, Volumes 1 and 2, Prentice Hall International, 1998.
3) William Stallings, Data and Computer Communications, 5th edition, PHI, 1997.
The TCP/IP Model - This model is sometimes called the DoD model since it was designed for the Department of Defense. It is also called the Internet model because TCP/IP is the protocol suite used on the Internet.
OSI Network Model - The International Standards Organization (ISO) has defined a standard called the Open Systems Interconnection (OSI) reference model. This is a seven-layer architecture listed in the next section.
Each layer is responsible for a different part of the communication. This concept was developed to accommodate changes in technology. The layers are arranged here from the lower levels, starting with the physical (hardware) layer, to the higher levels.
1. Physical Layer - The actual hardware. Concerned with the connection between the computer and the network.
2. Data Link Layer - Data transfer method (802.x Ethernet). Puts data in frames and ensures error-free transmission. Also controls the timing of the network transmission. IEEE divided this layer into the two following sublayers:
  1. Media Access Control (MAC) - Used to coordinate the sending of data between computers. The 802.3, 4, 5, and 12 standards apply to this sublayer. If you hear someone talking about the MAC address of a network card, they are referring to the hardware address of the card.
  2. Logical Link Control (LLC) - Maintains the link between two computers by establishing Service Access Points (SAPs), which are a series of interface points. Defined in IEEE 802.2.
3. Network Layer - IP network protocol. Routes messages using the best path available. Concerned with message priority, status, and data congestion.
4. Transport Layer - TCP, UDP. Provides properly sequenced and error-free transmission. Recombines fragmented packets.
5. Session Layer - Determines when the session is begun or opened, how long it is used, and when it is closed. Concerned with security and name recognition.
6. Presentation Layer - ASCII or EBCDIC data syntax. Makes the type of data transparent to the layers around it. Used to translate data to a computer-specific format such as byte ordering. It may include compression. It prepares the data either for the network or for the application, depending on the direction it is going.
7. Application Layer - Provides the ability for user applications to interact with the network.
Many protocol stacks overlap the borders of the seven-layer model. Transmission Control Protocol (TCP) provides the function of the session layer and some of the transport layer. The Internet Protocol (IP) provides the function of the rest of the transport layer and most of the network layer. NetWare Core Protocol (NCP) provides the function of the application, presentation, and session layers.
When we talk about Local Area Network (LAN) technology, the IEEE 802 standard may be heard. This standard defines networking connections for the interface card and the physical connections, describing how they are done. The 802 standards were published by the Institute of Electrical and Electronics Engineers (IEEE). The 802.3 standard is called Ethernet. The Ethernet standard data encapsulation method is defined by RFC 894. RFC 1042 defines the IP to link layer data encapsulation for networks using the IEEE 802 standards. The 802 standards define the two lowest levels of the seven-layer network model and primarily deal with the control of access to the network media. The network media is the physical means of carrying the data, such as network cable. The control of access to the media is called media access control (MAC). The 802 standards are listed below:
802.1 - Internetworking
802.2 - Logical Link Control
* 802.3 - Ethernet or CSMA/CD, Carrier-Sense Multiple Access with Collision Detection LAN
* 802.4 - Token-Bus LAN
* 802.5 - Token Ring LAN
* 802.6 - Metropolitan Area Network (MAN)
802.7 - Broadband Technical Advisory Group
802.8 - Fiber-Optic Technical Advisory Group
802.9 - Integrated Voice/Data Networks
802.10 - Network Security
802.11 - Wireless Networks
802.12 - Demand Priority Access LAN, 100BaseVG-AnyLAN
* The ones with stars should be remembered for network certification testing.
Contention
  o Carrier-Sense Multiple Access with Collision Detection (CSMA/CD) - Used by Ethernet
  o Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
Token Passing
Demand Priority - Describes a method where intelligent hubs control data transmission. A computer sends a demand signal to the hub indicating that it wants to transmit. The hub responds with an acknowledgement that allows the computer to transmit. The hub allows computers to transmit in turn. An example of a demand priority network is 100VG-AnyLAN (IEEE 802.12). It uses a star-bus topology.
Polling - A central controller, also called the primary device, polls computers, called secondary devices, to find out if they have data to transmit. If so, the central controller allows them to transmit for a limited time, then the next device is polled.
Network interface
The most important PC device is the network interface card (NIC). Each computer on the network, including the servers, is required to have one installed. It is the NIC that provides connectivity between the PC and the network's physical medium, the copper or fiber-optic cable. NICs provide computers with a connection to the network, but they also handle an important data-conversion function. Data travels in parallel on the PC's bus system, but the network medium demands a serial transmission. The transceiver (a transmitter and receiver) on the NIC has the ability to move data from parallel to serial and vice versa. This is no different from automobiles traveling down a multi-lane superhighway where all lanes must merge into one lane. Network interface cards also supply a basic addressing system that can be used to get data from one computer to another on the network. The hardware or MAC address is burned into a ROM chip on the NIC. This is referred to as the MAC address because the Media Access Control (MAC) layer is actually a sublayer of the OSI model's Data Link layer. Most of the new motherboards available today for PCs and servers have the network interface card integrated on the motherboard. Older computers and some newer computers do not provide onboard network interfaces, which requires a NIC to be added.
Network interface may refer to:
  o Network interface controller, the device a computer uses to connect to a computer network
  o Network interface device, a demarcation point for a telephone network
The MAC sublayer provides the means to access the physical medium used for network communication. The MAC sublayer also communicates with the Logical Link Control (LLC) sublayer above it, allowing it to access and speak to the upper-layer network protocols such as IP.
[Figure: the Data Link layer divided into the LLC sublayer and the MAC sublayer (MAC addresses), above the Physical layer]
The MAC sub-layer must supply a 48-bit (6 byte) address. The MAC address is most frequently represented as 12 hexadecimal digits. The MAC address uniquely identifies a specific network device and MAC addresses must be unique on a given LAN. The first 12-bit portion of the MAC address identifies the vendor of the network device; the next 12-bit portion identifies the unique id of the device itself. When looking at a hexadecimal representation of the MAC address, the first six hexadecimal digits identify the vendor and the last six hexadecimal digits identify the specific network interface card.
Here are some examples of what a MAC address looks like. There is some difference in how they are displayed on different types of computers. The hexadecimal digits are the same, but they are separated or grouped differently when displayed. Different companies like to show MAC addresses in different ways.
MAC Address           As Displayed by Vendor/Manufacturer   Command Used to Display MAC
00:00:0C:12:B1:CF     Cisco, Unix/SUN, Linux                ifconfig -a
00000C-12B1CF         ProCurve Switches                     show bridge
00-00-0C-12-B1-CF     Microsoft                             ipconfig /all
Manufacturers of network interface adaptor cards 'burn' a MAC address into the memory of the chips on every card they produce. The pattern of bits in the first set of 24 bits of the MAC address is assigned to a specific vendor. Cisco was assigned the hexadecimal prefix '00000C' to use on their first set of network interface adaptors. In the case of the protocols specified in the IEEE's 802.x series of documents, the first 24 bits of a MAC address identify the vendor-manufacturer of the network interface card and the last 24 bits identify the card itself, or more precisely, the last 24 bits identify the specific host the network interface card is attached to. The 24 bits used to identify a host allow for up to 16.7 million unique card addresses on one network. Since there are more than 16.7 million computers in the world, this clearly isn't enough addresses for every computer on earth, is it?
Duplicate MAC Addresses
Manufacturers re-use MAC addresses, and they ship cards with duplicate addresses to different parts of the United States or the world so that there is only a very small chance that two computers with network cards with the same MAC address will end up on the same network. MAC addresses are 'burned' into the Network Interface Card (NIC) and cannot be changed. See ARP and RARP on how IP addresses are translated into MAC addresses and vice versa. In order for a network device to be able to communicate, the MAC address it is using must be unique: no other device on that local network subnet can use that MAC address. If two devices have the same MAC address (which occurs more often than network administrators would like), neither computer can communicate properly. On an Ethernet LAN, this will cause a high number of collisions. Duplicate MAC addresses on the same LAN are a problem. Duplicate MAC addresses separated by one or more routers are not a problem, since the two devices won't see each other and will use the router to communicate.
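To make the three display forms in the table above comparable, and to catch the duplicate-MAC situation just described, the following Python is an added example (not part of the original notes): it normalizes a MAC address from the colon, dash, or six-six-dash form, splits it into the 24-bit vendor prefix and the 24-bit device identifier, and groups a constructed host inventory by normalized address so that duplicates on one LAN are reported even when each host displayed the address differently. The host names and inventory are constructed sample data; the Cisco prefix 00000C is the one quoted above.

```python
import re
from collections import defaultdict

# The three display forms from the table above; all are the same Cisco address.
SAMPLE_FORMS = ["00:00:0C:12:B1:CF", "00000C-12B1CF", "00-00-0C-12-B1-CF"]


def normalize_mac(text):
    """Remove vendor-specific separators and return the 12 hex digits in lowercase.
    Accepts the colon, dash and 6-6 dash forms; rejects anything that is not
    exactly 48 bits of hexadecimal, so a truncated or mistyped address fails loudly."""
    digits = re.sub(r"[:\-.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits


def split_mac(text):
    """Return (vendor_prefix, device_id): the first 24 bits and the last 24 bits,
    each as six hex digits."""
    digits = normalize_mac(text)
    return digits[:6], digits[6:]


def format_mac(text, style="colon"):
    """Re-display a MAC in one of the three conventions shown in the table."""
    digits = normalize_mac(text).upper()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":      # Cisco / Unix / Linux (ifconfig -a)
        return ":".join(pairs)
    if style == "dash":       # Microsoft (ipconfig /all)
        return "-".join(pairs)
    if style == "procurve":   # ProCurve switches (vendor and device halves)
        return digits[:6] + "-" + digits[6:]
    raise ValueError(f"unknown style: {style}")


def find_duplicate_macs(inventory):
    """inventory: iterable of (host_name, mac_as_displayed) pairs collected from
    one LAN segment. Returns {normalized_mac: [hosts]} for addresses that appear
    on more than one host, regardless of how each host displayed them."""
    hosts_by_mac = defaultdict(list)
    for host, mac in inventory:
        hosts_by_mac[normalize_mac(mac)].append(host)
    return {mac: hosts for mac, hosts in hosts_by_mac.items() if len(hosts) > 1}


# Constructed inventory: two devices report the same address in different formats.
INVENTORY = [
    ("router1", "00:00:0C:12:B1:CF"),  # as shown by ifconfig -a
    ("switch1", "00000C-12B1CF"),      # same address, ProCurve style -> duplicate
    ("pc1", "00-1A-2B-3C-4D-5E"),      # constructed Windows-style address
]

if __name__ == "__main__":
    for form in SAMPLE_FORMS:
        print(form, "->", normalize_mac(form), split_mac(form))
    print("duplicates:", find_duplicate_macs(INVENTORY))
```

Normalizing before comparing is the whole point: an inventory gathered with ifconfig -a and another gathered with ipconfig /all never match as raw strings, so the duplicate condition the text warns about goes unnoticed unless the separators are stripped first.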
MAC Frame Format
Since there are various types of network interfaces (Ethernet, Token Ring, FDDI, etc.), the MAC frame format differs by protocol according to its design. However, most will have at a minimum the following fields. The MAC protocol encapsulates an SDU (payload data) by adding a 14-byte header (Protocol Control Information (PCI)) before the data and appending a 4-byte (32-bit) Cyclic Redundancy Check (CRC) after the data. The entire frame is preceded by a small idle period (the minimum inter-frame gap, 9.6 microseconds) and an 8-byte preamble (including the start of frame delimiter).
[Figure: MAC encapsulation of a packet of data]
Header
The header consists of three parts:
  o A 6-byte destination address, which specifies either a single recipient node (unicast mode), a group of recipient nodes (multicast mode), or the set of all recipient nodes (broadcast mode).
  o A 6-byte source address, which is set to the sender's globally unique node address. This may be used by the network layer protocol to identify the sender, but usually other mechanisms are used (e.g. ARP). Its main function is to allow address learning, which may be used to configure the filter tables in a bridge.
  o A 2-byte type field, which provides a Service Access Point (SAP) to identify the type of protocol being carried.
MAC Control Field or Type
The MAC control field contains all information used for flow control, connection establishment and teardown, as well as error control. Not all protocols provide for establishment/teardown, flow control and error recovery. The content of this field depends on the specified standards for that particular data link layer protocol (Ethernet, Token Ring, FDDI, etc.).
Destination / Source MAC Fields
The source MAC address field contains the MAC address of the source machine, the transmitting device (since some devices with MAC addresses aren't called computers; cell phones have MAC addresses too), and the destination device is the receiver. The destination MAC is closer to the 'front' (left side in the diagram) of the frame for easier scanning, mostly because it is the destination device that is important, as that is the device we are trying to reach. When the receiver responds to the frame, it uses the source address to generate the destination portion of the frame it sends out. In other words, the source MAC in the frame received becomes the destination MAC in the frame transmitted as a response.
LLC PDU Field
When talking about network communication protocols such as Ethernet, FDDI or Token Ring, they are described as being Physical and Data Link layer protocols; they perform functions that are said to be Physical and Data Link layer functions as listed in the OSI model of networking. For Ethernet and Token Ring the Data Link layer is described as being broken into two sublayers, the MAC sublayer (for the MAC address and Media Access Control functions) and the Logical Link Control (LLC) sublayer. The Logical Link Control Packet Data Unit field (LLC PDU) contains data from the LLC sublayer of the data link layer protocol (e.g. Ethernet, FDDI, Token Ring). The LLC information is used to keep track of which piece of data is sent to which IP address and application. For example, the LLC information helps a web browser keep track of which data being received is part of an image in a web page, and which data is the text in the body of the web page itself.
CRC Checksum Field
The final field in an Ethernet MAC frame is called a 'checksum' that is the product of a Cyclic Redundancy Check (CRC). A CRC is a mathematical formula that uses the data as input and produces a numeric result that is almost as unique as the input data. Using the CRC checksum value it is possible to verify the integrity of the frame. Before transmitting the frame, the source computer calculates the checksum and places the checksum value in this field. The receiving computer looks at the same data in the frame and also calculates the checksum. If the CRC it calculates is different from the CRC checksum in the CRC checksum field, the CRC check has failed. Frames that fail this checksum test are discarded because there is a near certainty that the frame is damaged.
A 32-bit CRC provides error detection in the case where line errors (or transmission collisions in Ethernet) result in corruption of the MAC frame. Any frame with an invalid CRC is discarded by the MAC receiver without further processing. The MAC protocol does not provide any indication that a frame has been discarded due to an invalid CRC. The link layer CRC therefore protects the frame from corruption only while it is being transmitted over the physical medium (cable). A new CRC is added if the packet is forwarded by a router on another Ethernet link. While the packet is being processed by the router, the packet data is not protected by the CRC. Router processing errors must be detected by network- or transport-layer checksums.
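The header layout and the CRC check described in the last few paragraphs, as an added Python example that is not from the original notes: it builds a frame with the 14-byte header (6-byte destination, 6-byte source, 2-byte type), pads the payload to the 46-byte minimum, appends a CRC-32 trailer, classifies the destination as unicast, multicast or broadcast, and has the receiver silently drop any frame whose recomputed CRC does not match, exactly as the text says a MAC receiver does. The addresses and payload are constructed sample values; zlib.crc32 computes the same CRC-32 polynomial that the Ethernet FCS uses, the trailer is stored least-significant byte first by this block's own convention, and the preamble and inter-frame gap are left out because they are not part of the frame the CRC covers.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800   # assigned type value for IP (the only one needed here)
MIN_PAYLOAD = 46          # pad so header + data + CRC reaches the 64-byte minimum frame
BROADCAST = "FF:FF:FF:FF:FF:FF"


def mac_bytes(text):
    """'00:00:0C:12:B1:CF' or '00-00-0C-12-B1-CF' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return raw


def address_kind(dst):
    """Classify the destination field as the text describes: one node, a group,
    or every node. The group bit is the least-significant bit of the first byte;
    all ones is the broadcast address."""
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def build_frame(dst, src, ethertype, payload):
    """Sender side: 14-byte header + padded payload + 4-byte CRC-32 computed
    over everything that precedes it."""
    if len(payload) < MIN_PAYLOAD:
        payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    header = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype)
    body = header + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)   # trailer stored least-significant byte first


def parse_frame(frame):
    """Receiver side: recompute the CRC over header + data and compare it with the
    trailer. Returns None (frame discarded, no error indication) on a mismatch or a
    runt frame; otherwise the decoded header fields and payload."""
    if len(frame) < 14 + 4:
        return None
    body, trailer = frame[:-4], frame[-4:]
    if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack("<I", trailer)[0]:
        return None
    dst, src = body[:6], body[6:12]
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "kind": address_kind(dst),
        "type": struct.unpack("!H", body[12:14])[0],
        "payload": body[14:],
    }


def reply_frame(received, my_mac, payload):
    """The source MAC of the received frame becomes the destination of the reply."""
    return build_frame(received["src"], my_mac, received["type"], payload)


def corrupt_bit(frame, byte_index, bit):
    """Constructed line error: flip a single bit somewhere in the frame."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= (1 << bit)
    return bytes(damaged)


if __name__ == "__main__":
    frame = build_frame(BROADCAST, "00:00:0C:12:B1:CF", ETHERTYPE_IPV4, b"hello")
    print(len(frame), "bytes:", parse_frame(frame))
    print("damaged frame parsed as:", parse_frame(corrupt_bit(frame, 20, 3)))
```

Note that parse_frame returns None for a damaged frame rather than raising: the text's point is that the MAC layer gives no indication of a discard, so whatever sits above it (IP, TCP) must detect the loss with its own checksums or retransmission, and any monitoring of link quality has to come from interface error counters rather than from the frame itself.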
Virtual Network Adapters Certain types of network adapters have no hardware component but rather consist of software only. These are often called virtual adapters in contrast to a physical adapter. Virtual adapters are commonly found in virtual private networks (VPNs). A virtual adapter may also be used with research computers or IT business servers that run virtual machine technology.
OSI model
The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a way of sub-dividing a communications system into smaller parts called layers. A layer is a collection of conceptually similar functions that provides services to the layer above it and receives services from the layer below it. On each layer an instance provides services to the instances at the layer above and requests service from the layer below.
History
In 1978, work on a layered model of network architecture was started and the International Organization for Standardization (ISO) began to develop its OSI framework architecture. OSI has two major components: an abstract model of networking, called the Basic Reference Model or seven-layer model, and a set of specific protocols.
Layer             Data unit   Function
Host layers
7. Application    Data        Network process to application
6. Presentation   Data        Data representation, encryption and decryption, convert machine dependent data to machine independent data
5. Session        Data        Interhost communication
4. Transport      Segments    End-to-end connections and reliability, flow control
Media layers
3. Network        Packet      Path determination and logical addressing
2. Data Link      Frame       Physical addressing
1. Physical       Bit         Media, signal and binary transmission
The layered approach to network communications provides the following benefits:
  o reduced complexity
  o improved teaching and learning
  o modular engineering
  o accelerated evolution
  o interoperable technology
  o standard interfaces
As the information to be sent descends through the layers of a system, it looks less and less like human language and more and more like the 1s and 0s that a computer understands.
Layer 1: Physical Layer
The physical layer is concerned with the interface to the transmission medium. At the physical layer, data is transmitted onto the medium (e.g. coaxial cable or optical fiber) as a stream of bits. So, the physical layer is concerned not with networking protocols but with the transmission media on the network. The physical layer defines the electrical, mechanical, procedural, and functional specifications for activating, maintaining, and deactivating the physical link between end systems. This layer puts 1's and 0's onto the wire. Characteristics specified by the physical layer include:
  o voltage levels
  o timing of voltage changes
  o physical data rates
  o maximum transmission distances
  o physical connectors
To understand the function of the Physical Layer, contrast it with the functions of the Data Link Layer. Think of the Physical Layer as concerned primarily with the interaction of a single device with a medium, whereas the Data Link Layer is concerned more with the interactions of multiple devices (i.e., at least two) with a shared medium. The major functions and services performed by the Physical Layer are:
  o Establishment and termination of a connection to a communications medium.
  o Participation in the process whereby the communication resources are effectively shared among multiple users, for example contention resolution and flow control.
  o Modulation, or conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communications channel. These are signals operating over the physical cabling (such as copper and optical fiber) or over a radio link.
Devices: Hubs, FDDI hardware, Fast Ethernet, Token Ring hardware.
Layer 2: Data Link Layer
The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. This layer is responsible for providing reliable transit of data across a physical link. The data-link layer is concerned with:
  o physical addressing
  o network topology
  o line discipline (how end systems will use the network link)
  o error notification
  o ordered delivery of frames
  o flow control
Devices: Bridges, Transparent Bridges, Layer 2 Switches, CDP, Frame Relay, PPP, SDLC, X.25, 802.3, 802.5/Token Ring, FDDI.
At the data-link layer, the bits that come up from the physical layer are formed into data frames, using any of a variety of data-link protocols. Frames consist of fields containing bits. The data-link layer is subdivided into two sublayers: the logical link control (LLC) sublayer and the media access control (MAC) sublayer.
Layer 3: Network Layer
The Network Layer provides the functional and procedural means of transferring variable-length data sequences from a source host on one network to a destination host on a different network, while maintaining the quality of service requested by the Transport Layer (in contrast to the data link layer, which connects hosts within the same network). The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer, sending data throughout the extended network and making the Internet possible. This is a logical addressing scheme; values are chosen by the network engineer. The addressing scheme is not hierarchical. Careful analysis of the Network Layer indicated that it could have at least three sublayers:
1. Subnetwork Access - considers protocols that deal with the interface to networks, such as X.25;
2. Subnetwork Dependent Convergence - used when it is necessary to bring the level of a transit network up to the level of the networks on either side;
3. Subnetwork Independent Convergence - handles transfer across multiple networks.
The network layer is the domain of routing. Routing protocols select optimal paths through the series of interconnected networks. Network layer protocols then move information along these paths. One of the functions of the network layer is "path determination". Path determination enables the router to evaluate all available paths to a destination and determine which to use. It can also establish the preferred way to handle a packet. After the router determines which path to use, it can proceed with switching the packet: it takes the packet it has accepted on one interface and forwards it to another interface or port that reflects the best path to the packet's destination.
Devices: IP, IPX, Routers, Routing Protocols (RIP, IGRP, OSPF, BGP, etc.), ARP, RARP, ICMP.
Layer 4: Transport Layer
The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail. The Transport Layer also provides the acknowledgement of successful data transmission and sends the next data if no errors occurred. You can think of the transport layer of the OSI model as a boundary between the upper and lower protocols. The transport layer provides a data transport service that shields the upper layers from transport implementation issues such as the reliability of a connection. The transport layer provides mechanisms for:
  o multiplexing upper layer applications
  o the establishment, maintenance, and orderly termination of virtual circuits
  o information flow control
  o transport fault detection and recovery
Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, typical examples of Layer 4 are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Devices: TCP, UDP, SPX and Sliding Windows.
Layer 5: Session Layer
The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. Half-duplex conversations require a good deal of session layer control, because the start and end of each transmission need to be monitored. Most networks are of course capable of full-duplex transmission, but in fact many conversations are in practice half-duplex. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls.
Devices: Some examples of session layer protocols and interfaces are:
  o Concurrent database access
  o Remote Procedure Call (RPC)
  o NetBIOS Names
  o AppleTalk Session Protocol (ASP)
  o Digital Network Architecture
Layer 6: Presentation Layer
The Presentation Layer establishes context between Application Layer entities, in which the higher-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation service data units are encapsulated into session protocol data units and passed down the stack. This layer provides independence from data representation (e.g., encryption) by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats and encrypts data to be sent across a network. It is sometimes called the syntax layer. It provides a common format for transmitting data across various systems, so that data can be understood regardless of the types of machines involved. The presentation layer concerns itself not only with the format and representation of actual user data, but also with the data structures used by programs. Therefore, the presentation layer negotiates data transfer syntax for the application layer.
Devices: Encryption, EBCDIC and ASCII, GIF & JPEG.
The original presentation structure used the basic encoding rules of Abstract Syntax Notation One (ASN.1), with capabilities such as converting an EBCDIC-coded text file to an ASCII-coded file, or serialization of objects and other data structures from and to XML.
Layer 7: Application Layer
The Application Layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. Application layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, the application layer determines the identity and availability of communication partners for an application with data to transmit. When determining resource availability, the application layer must decide whether sufficient network resources for the requested communication exist. In synchronizing communication, all communication between applications requires cooperation that is managed by the application layer. Its services are often part of the application process. Main functions are:
  o identifies and establishes the availability of the intended communication partner;
  o synchronizes the sending and receiving applications;
  o establishes agreement on procedures for error recovery and control of data integrity;
  o determines whether sufficient resources for the intended communications exist.
Some examples of application layer implementations include:
On the OSI stack:
  o FTAM, File Transfer and Access Management Protocol
  o X.400 Mail
  o Common Management Information Protocol (CMIP)
On the TCP/IP stack:
  o Hypertext Transfer Protocol (HTTP)
  o File Transfer Protocol (FTP)
  o Simple Mail Transfer Protocol (SMTP)
  o Simple Network Management Protocol (SNMP)
Devices: Browsers, Search engines, E-mail programs, Newsgroup and chat programs, Transaction services, Audio/video conferencing, Telnet, SNMP.
[Figure 20: OSI Reference Model and TCP/IP Model Layers]
Network Interface Layer
As its name suggests, this layer represents the place where the actual TCP/IP protocols running at higher layers interface to the local network. This layer is somewhat controversial in that some people don't even consider it a legitimate part of TCP/IP. This is usually because none of the core IP protocols run at this layer. Despite this, the network interface layer is part of the architecture. It is equivalent to the data link layer (layer two) in the OSI Reference Model and is also sometimes called the link layer. You may also see the name network access layer. On many TCP/IP networks, there is no TCP/IP protocol running at all on this layer, because it is simply not needed. For example, if you run TCP/IP over an Ethernet, then Ethernet handles layer two (and layer one) functions. However, the TCP/IP standards do define protocols for TCP/IP networks that do not have their own layer two implementation. These protocols, the Serial Line Internet Protocol (SLIP) and the Point-to-Point Protocol (PPP), serve to fill the gap between the network layer and the physical layer. They are commonly used to facilitate TCP/IP over direct serial line connections (such as dial-up telephone networking) and other technologies that operate directly at the physical layer.
Internet Layer
This layer corresponds to the network layer in the OSI Reference Model (and for that reason is sometimes called the network layer even in TCP/IP model discussions). It is responsible for typical layer three jobs, such as logical device addressing, data packaging, manipulation and delivery, and last but not least, routing. At this layer we find the Internet Protocol (IP), arguably the heart of TCP/IP, as well as support protocols such as ICMP and the routing protocols (RIP, OSPF, BGP, etc.). The new version of IP, called IP version 6, will be used for the Internet of the future and is of course also at this layer.
(Host-to-Host) Transport Layer
The primary job of this layer is to facilitate end-to-end communication over an internetwork. It is in charge of allowing logical connections to be made between devices to allow data to be sent either unreliably (with no guarantee that it gets there) or reliably (where the protocol keeps track of the data sent and received to make sure it arrives, and re-sends it if necessary). It is also here that identification of the specific source and destination application process is accomplished. The formal name of this layer is often shortened to just the transport layer; the key TCP/IP protocols at this layer are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The TCP/IP transport layer corresponds to the layer of the same name in the OSI model (layer four) but includes certain elements that are arguably part of the OSI session layer. For example, TCP establishes a connection that can persist for a long period of time, which some people say makes a TCP connection more like a session.
Application Layer
This is the highest layer in the TCP/IP model. It is a rather broad layer, encompassing layers five through seven in the OSI model. While this seems to represent a loss of detail compared to the OSI model, I think this is probably a good thing! The TCP/IP model better reflects the blurry nature of the divisions between the functions of the higher layers in the OSI model, which in practical terms often seem rather arbitrary. It really is hard to separate some protocols in terms of which of layers five, six or seven they encompass. (I didn't even bother to try in this Guide, which is why the higher-level protocols are all in the same chapter, while layers one through four have their protocols listed separately.) Numerous protocols reside at the application layer. These include application protocols such as HTTP, FTP and SMTP for providing end-user services, as well as administrative protocols like SNMP, DHCP and DNS.
Network devices (hubs and routers) are placed outside of the core areas. Network devices are discussed in the section on "Expanding your network". This omission is probably because of the model's emphasis on simplicity. As a result of not having a category for network devices, network cards are grouped along with the network media.

Microsoft Model Overview
Before Windows NT 3.1 was released, users had to obtain the TCP/IP protocol suite from a third party and then install it. This was necessary for users to connect to the network, and it usually resulted in a number of issues: the TCP/IP software that was obtained and installed often handled network communication differently from the particular operating system it was installed on. With the release of Windows NT 3.1, TCP/IP was included as a component of the operating system. Because TCP/IP was built into the operating system, it was integrated with the rest of the networking functionality in the OS.
The Microsoft model modularly defines hardware and software, and the actual connections between these components that enable networking. The Microsoft model provides a standard platform for application developers and programmers: it gives them standard interfaces that provide specific functionality which they can use to develop applications. The Microsoft model is therefore mainly utilized by application developers and programmers. The advantages of using the Microsoft model are:
- Decreased application development time
- Common interfaces are provided for users
- Simplified application usage
Understanding Boundary Layers
Boundary layers are interfaces which exist at the boundaries of functionality. By interacting with the layer above and the layer beneath, the boundary layers provide the interfaces between layers. The boundary layers defined in the Microsoft model are:

Network Driver Interface Specification (NDIS) Boundary layer: The NDIS Boundary layer relates to the Network Interface layer of the DoD model and the Data-link layer of the OSI model. The NDIS Boundary layer therefore functions at the bottom of the stack. The NDIS Boundary layer provides the following:
- Standard functions which enable transport protocols to utilize any network device driver which works at this layer.
- Programming flexibility and reliability for developers.
Transport Driver Interface (TDI) Boundary layer: This is the gateway between the Transport layer and the Session layer in the OSI model. It provides the interface which developers can utilize to access functions of the Transport layer, and it functions at the Session layer of the OSI model.

Application Program Interface (API) Boundary layer: This is the interface that enables developers to access Application layer protocols, including:
- Domain Name Service (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Windows Internet Name Service (WINS)
- Windows Sockets (WinSock)
- Messaging APIs
- NetBIOS
- Telephony
Understanding Component Layers
The Component layers provide the following functionality:

Network Transport Protocols: The network transport protocols enable applications to transmit and receive data across the network. Common network transport protocols include:
NDIS Wrapper: The NDIS wrapper is implemented via the ndis.sys file. This is the software code that encircles the NDIS device drivers. The NDIS wrapper is a library of common NDIS functions which both the MAC protocols and TCP/IP can utilize. The NDIS wrapper helps reduce platform dependencies when network interface devices are developed.

File System Drivers: The file system drivers function at the Presentation layer and Session layer of the OSI model, and include the:
- Redirector: Requests to access a shared file are sent to the Redirector. The Redirector then chooses the proper Transport layer protocol.
- Server service: Requests to access a local file are sent to the Server service, which then provides the access to the local file.

Applications and User Mode Services: APIs provide access to the lower transport protocols:
- WinSock API: The WinSock API provides standardized access to datagram and session services, and enables applications to communicate with the lower layers.
- Telephony API (TAPI): TAPI provides the standardized interface to network protocols for different telephony applications.
- Messaging API (MAPI): MAPI enables applications to interface with messaging services through one interface.
- NetBIOS API: The NetBIOS API is mainly supported in Windows Server 2003 to enable backward compatibility.
UNIT II
Transport Layer
The Transport Layer's responsibilities include end-to-end message transfer capabilities independent of the underlying network, along with error control, segmentation, flow control, congestion control, and application addressing (port numbers). End-to-end message transmission, or connecting applications at the transport layer, can be categorized as either connection-oriented, implemented in the Transmission Control Protocol (TCP), or connectionless, implemented in the User Datagram Protocol (UDP). It is also here that identification of the specific source and destination application process is accomplished. The Transport Layer can be thought of as a transport mechanism, e.g., a vehicle with the responsibility to make sure that its contents (passengers/goods) reach their destination safely and soundly, unless another protocol layer is responsible for safe delivery. The Transport Layer provides this service of connecting applications through the use of service ports. Since IP provides only a best effort delivery, the Transport Layer is the first layer of the TCP/IP stack to offer reliability. IP can run over a reliable data link protocol such as the High-Level Data Link Control (HDLC). Protocols above transport, such as RPC, can also provide reliability. For example, the Transmission Control Protocol (TCP) is a connection-oriented protocol that addresses numerous reliability issues to provide a reliable byte stream:
- data arrives in order
- data has minimal error (i.e. correctness)
- duplicate data is discarded
- lost/discarded packets are resent
- includes traffic congestion control
The newer Stream Control Transmission Protocol (SCTP) is also a reliable, connection-oriented transport mechanism. It is message-stream-oriented, not byte-stream-oriented like TCP, and provides multiple streams multiplexed over a single connection. It also provides multi-homing support, in which a connection end can be represented by multiple IP addresses (representing multiple physical interfaces), such that if one fails, the connection is not interrupted. It was developed initially for telephony applications (to transport SS7 over IP), but can also be used for other applications.

User Datagram Protocol is a connectionless datagram protocol. Like IP, it is a best effort, "unreliable" protocol. Reliability is addressed through error detection using a weak checksum algorithm. UDP is typically used for applications such as streaming media (audio, video, Voice over IP, etc.) where on-time arrival is more important than reliability, or for simple query/response applications like DNS lookups, where the overhead of setting up a reliable connection is disproportionately large. Real-time Transport Protocol (RTP) is a datagram protocol that is designed for real-time data such as streaming audio and video.

TCP and UDP are used to carry an assortment of higher-level applications. The appropriate transport protocol is chosen based on the higher-layer protocol application. For example, the File Transfer Protocol expects a reliable connection, but the Network File System (NFS) assumes that the subordinate Remote Procedure Call protocol, not transport, will guarantee reliable transfer. Other applications, such as VoIP, can tolerate some loss of packets, but not the reordering or delay that could be caused by retransmission. The applications at any given network address are distinguished by their TCP or UDP port. By convention certain well-known ports are associated with specific applications. (See List of TCP and UDP port numbers.)
- TCP makes it possible to put datagrams back in order when coming from the IP protocol
- TCP enables the data flow to be monitored so as to avoid network saturation
- TCP allows data to be formed in variable-length segments in order to "return" them to the IP protocol
- TCP makes it possible to multiplex data, i.e. so that information coming from distinct sources (applications, for example) on the same line can be circulated simultaneously
- Finally, TCP allows communication to be courteously started and ended
The aim of TCP
Using the TCP protocol, applications can communicate reliably (thanks to the TCP protocol's acknowledgement system), independently from the lower layers. This means that routers (which work in the internet layer) only have to route data in the form of datagrams, without being concerned with data monitoring, because this is performed by the transport layer (or more specifically by the TCP protocol). During a communication using the TCP protocol, the two machines must establish a connection. The originator machine (the one which requests the connection) is called the client, while the recipient machine is called the server, so it is said that we are in a client-server environment. The machines in such an environment communicate in online mode, i.e. the communication takes place in both directions. To enable the communication and all the controls which accompany it to operate well, the data is encapsulated, i.e. a header is added to data packets which will enable the transmissions to be synchronised and ensure their reception. Another feature of TCP is the ability to control the data rate by issuing variably sized messages; these messages are called segments.

TCP segment structure
The Transmission Control Protocol accepts data from a data stream, "segments" it into chunks, and adds a TCP header, creating a TCP segment. The TCP segment is then encapsulated into an IP packet. A TCP segment is "the packet of information that TCP uses to exchange data with its peers."
Note that the term TCP packet is now used interchangeably with the term TCP segment, although in the original RFC "segment" usually referred to the TCP unit of data, "datagram" to the IP unit and "packet" to the data communications network unit: "Processes transmit data by calling on the TCP and passing buffers of data as arguments. The TCP packages the data from these buffers into segments and calls on the internet module [e.g. IP] to transmit each segment to the destination TCP." A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields and an optional extension field (Options). The data section follows the header. Its contents are the payload data carried for the application. The length of the data section is not specified in the TCP segment header. It can be calculated by subtracting the combined length of the TCP header and the encapsulating IP header from the total IP datagram length (specified in the IP header).

TCP Header
Bit offset   Bits 0-15                                    Bits 16-31
0            Source port                                  Destination port
32           Sequence number
64           Acknowledgment number
96           Data offset (4) | Reserved (4) | Flags (8)   Window Size
128          Checksum                                     Urgent pointer
160...       Options (present when Data offset > 5)
Source port (16 bits): identifies the sending port.
Destination port (16 bits): identifies the receiving port.
Sequence number (32 bits): has a dual role:
- If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) are then this sequence number plus 1.
- If the SYN flag is clear, then this is the accumulated sequence number of the first data byte of this packet for the current session.
Acknowledgment number (32 bits): if the ACK flag is set, then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
Data offset (4 bits): specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
Reserved (4 bits): for future use and should be set to zero.
Flags (8 bits, aka Control bits): contains 8 1-bit flags:
- CWR (1 bit): Congestion Window Reduced. Set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with its congestion control mechanism (added to the header by RFC 3168).
- ECE (1 bit): ECN-Echo. If the SYN flag is set, indicates that the TCP peer is ECN capable. If the SYN flag is clear, indicates that a packet with the Congestion Experienced flag set in the IP header was received during normal transmission (added to the header by RFC 3168).
- URG (1 bit): indicates that the Urgent pointer field is significant.
- ACK (1 bit): indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
- PSH (1 bit): Push function. Asks to push the buffered data to the receiving application.
- RST (1 bit): Reset the connection.
- SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag; some are only valid when it is set, others only when it is clear.
- FIN (1 bit): No more data from sender.
Window size (16 bits): the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the receiver is currently willing to receive (see Flow control and Window Scaling).
Checksum (16 bits): the 16-bit checksum field is used for error-checking of the header and data.
Urgent pointer (16 bits): if the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte.
Options (variable, 0-320 bits, divisible by 32): the length of this field is determined by the data offset field. Options 0 and 1 are a single byte (8 bits) in length. The remaining options indicate the total length of the option (expressed in bytes) in the second byte. Some options may only be sent when SYN is set; they are indicated below as [SYN].
- 0 (8 bits): End of options list
- 1 (8 bits): No operation (NOP, padding). This may be used to align option fields on 32-bit boundaries for better performance.
- 2,4,SS (32 bits): Maximum segment size (see maximum segment size) [SYN]
- 3,3,S (24 bits): Window scale (see window scaling for details) [SYN]
- 4,2 (16 bits): Selective Acknowledgement permitted [SYN] (see selective acknowledgments for details)
- 5,N,BBBB,EEEE,... (variable bits, N is either 10, 18, 26, or 34): Selective Acknowledgement (SACK). These first two bytes are followed by a list of 1-4 blocks being selectively acknowledged, specified as 32-bit begin/end pointers.
- 8,10,TTTT,EEEE (80 bits): Timestamp and echo of previous timestamp (see TCP timestamps for details)
- 14,3,S (24 bits): TCP Alternate Checksum Request [SYN]
- 15,N,... (variable bits): TCP Alternate Checksum Data
(The remaining options are obsolete, experimental, not yet standardized, or unassigned)
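As an added illustration (not code from the original notes), the following Python parses a TCP segment using the field layout and the option kind/length rules just described. The sample segment, its ports, sequence number and option values are constructed for the example. The parser rejects a data offset or option length that points outside the bytes actually present, which is the first check any packet-inspection tool must make before trusting the fields.

```python
"""Parse a TCP header (RFC 793 layout) and its options. Added example."""
import struct

# Names of the 8 flag bits, most significant first (CWR is bit 7, FIN is bit 0).
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def decode_flags(flags: int) -> list:
    """Return the names of the set flags, in header bit order."""
    return [name for i, name in enumerate(FLAG_NAMES) if flags & (0x80 >> i)]


def parse_options(raw: bytes) -> list:
    """Decode the options area into (kind, value) tuples.

    Kinds 0 and 1 are single bytes; every other kind carries its total
    length in the second byte, which is validated before it is trusted.
    """
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of options list
            opts.append(("EOL", None))
            break
        if kind == 1:                       # NOP padding
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d is truncated" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("WSCALE", body[0]))
        elif kind == 4 and length == 2:
            opts.append(("SACK_PERMITTED", True))
        elif kind == 5 and (length - 2) % 8 == 0:
            blocks = [struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body), 8)]
            opts.append(("SACK", blocks))
        elif kind == 8 and length == 10:
            opts.append(("TIMESTAMP", struct.unpack("!II", body)))
        else:                               # unknown or malformed kind: keep raw bytes
            opts.append(("KIND_%d" % kind, body))
        i += length
    return opts


def parse_tcp_segment(segment: bytes) -> dict:
    """Split a TCP segment into its header fields, options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    (src, dst, seq, ack, off_rsv, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = off_rsv >> 4                  # header length in 32-bit words
    header_len = data_offset * 4
    if data_offset < 5 or header_len > len(segment):
        raise ValueError("data offset %d words is invalid for a %d-byte segment"
                         % (data_offset, len(segment)))
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": off_rsv & 0x0F,
        "flags": decode_flags(flags), "window": window,
        "checksum": checksum, "urgent_pointer": urgent,
        "options": parse_options(segment[20:header_len]),
        "payload": segment[header_len:],
    }


def is_well_formed(segment: bytes) -> bool:
    """True when the segment parses; bad offsets or option lengths are rejected."""
    try:
        parse_tcp_segment(segment)
        return True
    except ValueError:
        return False


# Constructed sample: a client SYN to port 445 carrying MSS, window scale and
# SACK-permitted options, padded with NOPs to a 32-bit boundary (12 option bytes).
OPTIONS = (b"\x02\x04\x05\xb4"      # MSS = 1460
           + b"\x01"                # NOP
           + b"\x03\x03\x07"        # window scale = 7
           + b"\x04\x02"            # SACK permitted
           + b"\x01\x01")           # NOP, NOP padding
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 51234, 445, 0x2A3B4C5D, 0,
                         8 << 4, 0x02, 65535, 0, 0) + OPTIONS

if __name__ == "__main__":
    for key, value in parse_tcp_segment(SAMPLE_SYN).items():
        print("%-15s %r" % (key, value))
```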
Protocol operation
TCP protocol operations may be divided into three phases. Connections must be properly established in a multi-step handshake process (connection establishment) before entering the data transfer phase. After data transmission is completed, the connection termination closes established virtual circuits and releases all allocated resources.
A TCP connection is managed by an operating system through a programming interface that represents the local end-point for communications, the Internet socket. During the lifetime of a TCP connection it undergoes a series of state changes:
1. LISTEN: in the case of a server, waiting for a connection request from any remote client.
2. SYN-SENT: waiting for the remote peer to send back a TCP segment with the SYN and ACK flags set (usually set by TCP clients).
3. SYN-RECEIVED: waiting for the remote peer to send back an acknowledgment after having sent back a connection acknowledgment to the remote peer (usually set by TCP servers).
4. ESTABLISHED: the port is ready to receive/send data from/to the remote peer.
5. FIN-WAIT-1
6. FIN-WAIT-2
7. CLOSE-WAIT
8. CLOSING
9. LAST-ACK
10. TIME-WAIT: represents waiting for enough time to pass to be sure the remote peer received the acknowledgment of its connection termination request. According to RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes.
11. CLOSED
i.e. a number linked to an application type which, when combined with an IP address, makes it possible to uniquely determine an application which is running on a given machine.

Reliability of transfers
The TCP protocol makes it possible to ensure reliable data transfer, although it uses the IP protocol, which does not include any monitoring of datagram delivery. In reality, the TCP protocol has an acknowledgement system enabling the client and server to ensure mutual receipt of data. When a segment is issued, a sequence number is linked to it. Upon receipt of a data segment, the recipient machine will return a data segment where the ACK flag is set to 1 (in order to signal that it is an acknowledgement) accompanied by an acknowledgement number equal to the previous sequence number.

In addition, using a timer which starts when the originator machine sends a segment, the segment is resent when the time allowed has passed, because in this case the originator machine considers that the segment is lost. However, if the segment is not lost and it arrives at the destination, the recipient machine will know, thanks to the sequence number, that it is a duplicate and will only retain the last segment that arrived at the destination.

Establishing a connection
Considering that this communication process, which takes place using data transmission and acknowledgement, is based on a sequence number, the originator and recipient machines (client and server) must know the initial sequence number of the other machine. Establishing the connection between two applications is often done according to the following schema:
- The TCP ports must be open.
- The application on the server is passive, i.e. the application is listening, awaiting a connection.
- The application on the client makes a connection request to the server, where the application is in "passive open". The application on the client is said to be in "active open".
The two machines must then synchronise their sequence numbers using a mechanism commonly called a three-way handshake, which is also found during the closure of the session. This dialogue makes it possible to start the communication; it takes place in three stages, as its name indicates:
In the first stage the originator machine (the client) transmits a segment where the SYN flag is set to 1 (to indicate that it is a synchronisation segment), with a sequence number N which is called the initial sequence number of the client. In the second stage, the recipient machine (the server) receives the initial segment coming from the client, then sends it an acknowledgement which is a segment where the ACK flag is set to 1 and the SYN flag is set to 1 (because it is again a synchronisation). This segment contains the sequence number of this machine (the server), which is the initial sequence number of the server. The most important field in this segment is the acknowledgement field, which contains the initial sequence number of the client, incremented by 1. Finally, the client transmits an acknowledgement which is a segment where the ACK flag is set to 1 and the SYN flag is set to 0 (it is no longer a synchronisation segment). Its sequence number is incremented and the acknowledgement number represents the initial sequence number of the server incremented by 1.
Following this sequence involving three exchanges the two machines are synchronised and communication can begin! There is a hacking technique, called IP spoofing, which allows this approval link to be corrupted for malicious purposes!

Sliding window method
In many cases, it is possible to limit the number of acknowledgements, in order to relieve traffic on the network, by fixing a sequence number at the end of which an acknowledgement is required. This number is in fact stored in the window field of the TCP header. This method is called the "sliding window method" because, to some extent, a range of sequence numbers is defined that does not need acknowledgements and which moves as acknowledgements are received.
In addition, the size of this window is not fixed. In fact, the server can include the size of the window which seems most suitable in its acknowledgements by storing it in the window field. So, when the acknowledgement indicates a request to increase the window, the client will move the right border of the window.
Conversely, in the case of a reduction, the client will not move the right border of the window towards the left but wait for the left border to advance (with the arrival of the acknowledgements).
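The edge rules above, as an added Python example (not from the original text): the left edge of the send window follows the acknowledgement number, the right edge is the left edge plus the advertised window, and a shrinking window leaves the right edge where it is until the left edge catches up. Sequence numbers are plain integers and 32-bit wrap-around is ignored, which is an assumption of the example.

```python
"""Sender-side sliding window bookkeeping. Added example, not from the notes."""


class SendWindow:
    """Track the left and right edges of a sender's window."""

    def __init__(self, isn: int, advertised: int):
        self.snd_una = isn               # left edge: oldest byte not yet acknowledged
        self.snd_nxt = isn               # next byte to be sent
        self.right = isn + advertised    # right edge: left edge + receiver's window

    def usable(self) -> int:
        """Bytes that may still be sent without waiting for an acknowledgement."""
        return max(0, self.right - self.snd_nxt)

    def send(self, nbytes: int) -> int:
        """Send up to nbytes; returns how many the window actually allowed out."""
        allowed = min(nbytes, self.usable())
        self.snd_nxt += allowed
        return allowed

    def on_ack(self, ack: int, window: int) -> bool:
        """Apply an acknowledgement that carries a (possibly new) window size.

        The left edge moves to ack. The right edge moves right when the
        window grows but is never pulled back to the left when it shrinks;
        the sender simply waits for the left edge to advance.
        """
        if ack < self.snd_una or ack > self.snd_nxt:
            return False                 # stale or impossible ACK: ignored
        self.snd_una = ack
        self.right = max(self.right, ack + window)
        return True


def demo() -> list:
    """One grow and one shrink; returns the usable window after each step."""
    w = SendWindow(isn=1000, advertised=4000)
    steps = [w.usable()]                 # 4000 bytes may be sent at once
    w.send(3000)                         # 3000 of them go out
    steps.append(w.usable())             # 1000 left before the right edge
    w.on_ack(2000, 4000)                 # receiver consumed 1000 bytes, same window
    steps.append(w.usable())             # right edge is now 6000: 2000 usable
    w.on_ack(4000, 1000)                 # receiver shrinks its window to 1000
    steps.append(w.usable())             # right edge stays at 6000: still 2000 usable
    w.on_ack(1500, 4000)                 # ACK below the left edge is ignored
    steps.append(w.usable())
    return steps


if __name__ == "__main__":
    print(demo())
```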
Ending a connection
The client can request to end a connection in the same way as the server. Ending a connection is done in the following way:
- One of the machines sends a segment with the FIN flag set to 1, and the application puts itself in a waiting state, i.e. it finishes receiving the current segment and ignores the following ones.
- After receipt of this segment, the other machine sends an acknowledgement with the FIN flag set to 1 and continues to send the segments in progress.
- Following this, the machine informs the application that a FIN segment has been received, then sends a FIN segment to the other machine, which closes the connection.
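To show the handshake and the close as state transitions, here is an added Python simulation (not the notes' own material) of two end-points using the RFC 793 state names listed earlier: SYN and FIN each consume one sequence number, the SYN+ACK acknowledges the client's ISN plus 1, and the final ACK acknowledges the server's ISN plus 1. The initial sequence numbers 1000 and 5000 are made up, and the simultaneous-close path through CLOSING is not modelled. The check that an ACK names exactly the expected sequence number is the reason a peer that cannot see the other side's ISN cannot complete the handshake by guessing.

```python
"""TCP end-point state machine for the three-way handshake and orderly close.
Added example using the RFC 793 state names; not from the original notes."""


class Segment:
    """A TCP segment reduced to the fields the state machine needs."""
    def __init__(self, flags, seq, ack=0):
        self.flags = frozenset(flags)
        self.seq = seq
        self.ack = ack


class Endpoint:
    def __init__(self, name, isn):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn          # next sequence number we will use
        self.rcv_nxt = None         # next sequence number we expect from the peer
        self.history = ["CLOSED"]   # every state this end-point has been in

    def _go(self, state):
        self.history.append(state)
        self.state = state

    def _check_ack(self, seg):
        # An ACK must name exactly the sequence number we expect next
        # (our ISN + 1 right after a SYN); anything else is rejected.
        if seg.ack != self.snd_nxt:
            raise ValueError("%s: ACK %d, expected %d" % (self.name, seg.ack, self.snd_nxt))

    def listen(self):
        self._go("LISTEN")                          # passive open

    def connect(self):
        """Active open: send SYN carrying our initial sequence number."""
        self._go("SYN-SENT")
        seg = Segment({"SYN"}, self.snd_nxt)
        self.snd_nxt += 1                           # SYN consumes one sequence number
        return seg

    def close(self):
        """Send FIN: the first closer goes to FIN-WAIT-1, the other side to LAST-ACK."""
        self._go("FIN-WAIT-1" if self.state == "ESTABLISHED" else "LAST-ACK")
        seg = Segment({"FIN", "ACK"}, self.snd_nxt, self.rcv_nxt)
        self.snd_nxt += 1                           # FIN also consumes one sequence number
        return seg

    def receive(self, seg):
        """Process one incoming segment; return the reply segment, or None."""
        if seg.flags == {"SYN"} and self.state == "LISTEN":
            self.rcv_nxt = seg.seq + 1
            self._go("SYN-RECEIVED")
            reply = Segment({"SYN", "ACK"}, self.snd_nxt, self.rcv_nxt)
            self.snd_nxt += 1
            return reply
        if seg.flags == {"SYN", "ACK"} and self.state == "SYN-SENT":
            self._check_ack(seg)
            self.rcv_nxt = seg.seq + 1
            self._go("ESTABLISHED")
            return Segment({"ACK"}, self.snd_nxt, self.rcv_nxt)
        if "FIN" in seg.flags:
            self._check_ack(seg)
            if seg.seq != self.rcv_nxt:
                raise ValueError("%s: out-of-order FIN" % self.name)
            self.rcv_nxt = seg.seq + 1
            self._go("CLOSE-WAIT" if self.state == "ESTABLISHED" else "TIME-WAIT")
            return Segment({"ACK"}, self.snd_nxt, self.rcv_nxt)
        if seg.flags == {"ACK"}:
            self._check_ack(seg)
            nxt = {"SYN-RECEIVED": "ESTABLISHED", "FIN-WAIT-1": "FIN-WAIT-2", "LAST-ACK": "CLOSED"}
            if self.state in nxt:
                self._go(nxt[self.state])
            return None
        raise ValueError("%s: unexpected %s in %s" % (self.name, sorted(seg.flags), self.state))


def run_session(client_isn=1000, server_isn=5000):
    """Handshake, then a client-initiated close. Returns both end-points and the SYN+ACK."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    syn = client.connect()                              # 1. SYN, seq = client ISN
    syn_ack = server.receive(syn)                       # 2. SYN+ACK, ack = client ISN + 1
    server.receive(client.receive(syn_ack))             # 3. ACK, ack = server ISN + 1
    client.receive(server.receive(client.close()))      # FIN from client, ACK from server
    server.receive(client.receive(server.close()))      # FIN from server, ACK from client
    return client, server, syn_ack


def syn_ack_accepted(ack_value: int) -> bool:
    """Would a client in SYN-SENT (ISN 1000) accept a SYN+ACK whose ACK field is ack_value?"""
    c = Endpoint("client", 1000)
    c.connect()
    try:
        c.receive(Segment({"SYN", "ACK"}, 5000, ack_value))
        return True
    except ValueError:
        return False
```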
Packet structure
UDP is a minimal message-oriented Transport Layer protocol that is documented in IETF RFC 768. UDP provides no guarantees to the upper layer protocol for message delivery, and the UDP protocol layer retains no state of UDP messages once sent. For this reason, UDP is sometimes referred to as the Unreliable Datagram Protocol. UDP provides application multiplexing (via port numbers) and integrity verification (via checksum) of the header and payload. If transmission reliability is desired, it must be implemented in the user's application.

UDP Header
bits   0-15                       16-31
0      Source Port Number         Destination Port Number
32     Length                     Checksum
64     Data
The UDP header consists of 4 fields, each of which is 2 bytes (16 bits). The use of two of those (source port and checksum) is optional in IPv4. In IPv6 only the source port is optional (see below).

Source port number: This field identifies the sender's port when meaningful and should be assumed to be the port to reply to if needed. If not used, then it should be zero. If the source host is the client, the port number is likely to be an ephemeral port number. If the source host is the server, the port number is likely to be a well-known port number.

Destination port number: This field identifies the receiver's port and is required. Similar to the source port number, if the client is the destination host then the port number will likely be an ephemeral port number, and if the destination host is the server then the port number will likely be a well-known port number.

Length: A field that specifies the length in bytes of the entire datagram: header and data. The minimum length is 8 bytes since that's the length of the header. The field size sets a theoretical limit of 65,535 bytes (8-byte header + 65,527 bytes of data) for a UDP datagram. The practical limit for the data length which is imposed by the underlying IPv4 protocol is 65,507 bytes (65,535 minus the 8-byte UDP header minus the 20-byte IP header).

Checksum: The checksum field is used for error-checking of the header and data. If no checksum is generated by the transmitter, the field uses the value all-zeros. This field is not optional for IPv6.
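The checksum is the one part of the UDP header that needs an example, so here is an added Python implementation (not from the original notes) that builds and verifies the RFC 768 checksum over the IPv4 pseudo-header and parses the four fields, treating an all-zero checksum as "absent" for IPv4 and as an error for IPv6. Addresses, ports and payload are constructed. It also shows why the earlier text calls the checksum weak: swapping two 16-bit words of the payload leaves the ones' complement sum unchanged, so the altered datagram still verifies.

```python
"""Build, parse and verify UDP datagrams with the RFC 768 checksum. Added example."""
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IP family of checksums."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with one zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP header (checksum zeroed) + data."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, len(datagram)))   # zero, protocol 17, UDP length
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF           # computed 0 is sent as all ones; 0 means "absent"


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a datagram with a correct checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def parse_udp(src_ip: str, dst_ip: str, datagram: bytes, ipv6: bool = False) -> dict:
    """Decode the header and report the checksum as ok, bad or absent."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("length field %d inconsistent with %d bytes on the wire"
                         % (length, len(datagram)))
    if csum == 0:
        if ipv6:
            raise ValueError("checksum is mandatory over IPv6")
        status = "absent"
    else:
        status = "ok" if udp_checksum(src_ip, dst_ip, datagram[:length]) == csum else "bad"
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
            "checksum_status": status, "data": datagram[8:length]}


def swap_words(datagram: bytes, i: int, j: int) -> bytes:
    """Swap the 16-bit words at even byte offsets i and j."""
    b = bytearray(datagram)
    b[i:i + 2], b[j:j + 2] = b[j:j + 2], b[i:i + 2]
    return bytes(b)


# Constructed sample: a 25-byte payload between two made-up private addresses on port 137.
SRC, DST = "192.168.1.10", "192.168.1.1"
PAYLOAD = b"CONSTRUCTED-NAME-QUERY-01"
SAMPLE = build_udp(SRC, DST, 137, 137, PAYLOAD)

if __name__ == "__main__":
    print(parse_udp(SRC, DST, SAMPLE))
    print("after swapping two payload words:",
          parse_udp(SRC, DST, swap_words(SAMPLE, 8, 10))["checksum_status"])
```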
NetBIOS Names
NetBIOS names are used to identify machines and workgroups and form the key building blocks of the NBT system. The names are limited to sixteen characters that are always in upper case. The sixteenth character of a NetBIOS name is used to indicate the type of service the name refers to. A Windows machine will thus own several names that vary only by their sixteenth character. NetBIOS names are usually encoded into a special 32-character format which makes them unreadable unless they are decoded. There are four separate services that are used to implement Windows networking. KFSensor emulates each one of these as described in the following sections.

Service / Port / Description
NetBIOS Name Service (NBNS), UDP 137: NBNS is also known as Windows Internet Name Service (WINS). The job of NBNS is to match IP addresses with NetBIOS names and allow queries to be made of the matches. The name service is usually the first service that will be attacked. A visitor will need the information it can provide to begin a session on the other services.
NetBIOS Datagram Service, UDP 138: The Datagram service is used to receive broadcasts of SMB packets via UDP. This service receives a lot of legitimate traffic from other Windows machines on the LAN as they broadcast their names and services. It is rare for an attacker to use this service, unless they are trying to add their machine to the Windows network.
NetBIOS Session Service, TCP 139: The Session Service is used to handle NBT sessions. NBT sessions are a lightweight protocol used to contain an SMB session. The SMB protocol and sessions based on it are used to provide the complex functionality of the services supported by Windows networking, such as file and print sharing. This is the service that attackers will be most interested in.
SMB Direct, TCP 445: In Windows 2000 Microsoft introduced an implementation of SMB that does not need NBT to communicate. This service is in practice the same as the NetBIOS Session Service, but without the additional NBT protocol around the SMB session. SMB Direct is not supported in older Windows versions. The older hacker tools do not target this service; instead they go for the NetBIOS Session Service.
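The 32-character format mentioned above is the "first-level" encoding of RFC 1001: the 15-character name is padded with spaces, the suffix byte is appended, and each of the 16 bytes is written as two letters in the range A..P (high nibble, then low nibble, each added to 'A'). As an added Python example (not part of the original notes), here is an encoder and decoder that a log or capture reviewer can use to read such names. The suffix table lists only common values and is an assumption of the example; the wildcard constant is the real NBSTAT wildcard name, and the other sample names are constructed.

```python
"""Encode and decode NetBIOS names in the RFC 1001 first-level 32-letter form.
Added example, not from the original notes."""

# Common suffix bytes (the sixteenth character). Only a few values are listed
# here; that selection is an assumption of the example.
SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x20: "file server service",
}


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """Pad to 15 bytes with spaces, append the suffix byte, and write each
    byte as two letters: 'A' + high nibble, 'A' + low nibble."""
    name = name.upper()
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters plus a suffix byte")
    raw = name.encode("ascii").ljust(15, b" ") + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str):
    """Reverse the encoding; returns (name, suffix). Anything that is not
    exactly 32 letters from A..P is rejected rather than guessed at."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name: %r" % encoded)
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", errors="replace")
    return name, raw[15]


def describe(encoded: str) -> str:
    """Human-readable form, e.g. 'CORP<1C> (domain controllers)'."""
    name, suffix = decode_netbios_name(encoded)
    return "%s<%02X> (%s)" % (name, suffix, SUFFIXES.get(suffix, "unknown suffix"))


# Constructed sample as it would appear inside an NBNS query on UDP 137.
SAMPLE_WORKSTATION = encode_netbios_name("WORKSTATION", 0x00)
# The real NBSTAT wildcard: "*" followed by 15 zero bytes.
WILDCARD = "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

if __name__ == "__main__":
    print(SAMPLE_WORKSTATION, "->", describe(SAMPLE_WORKSTATION))
    print(WILDCARD, "->", describe(WILDCARD))
```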
Client requests for name resolution are sent directly to a WINS server. If the WINS server can resolve the name, it sends the IPv4 address directly to the client. As a result, a broadcast is not needed and broadcast traffic is reduced. However, if the WINS server is unavailable or does not have the appropriate mapping, the WINS client can still use a broadcast in an attempt to resolve the name. The WINS database is updated dynamically so that it is always current. This process allows NetBIOS name resolution on networks using DHCP and eliminates the need for local or centralized Lmhosts files. WINS provides computer browsing capabilities across subnets and domains. Computer browsing provides the list of computers in My Network Places.
Name registration: Each WINS client is configured with the IPv4 address of a WINS server. When a WINS client starts, it registers its NetBIOS names and their corresponding IPv4 addresses with its WINS server. The WINS server stores the client's NetBIOS name-to-IPv4 address mappings in its database.
Name renewal: All NetBIOS names are registered on a temporary basis so that if the original owner stops using a name, a different host can use it later. At defined intervals, the WINS client renews the registration for its NetBIOS names with the WINS server.
Name resolution: A WINS client can obtain the IPv4 addresses for NetBIOS names by querying the WINS server.
Name release: When a NetBIOS application no longer needs a NetBIOS name, such as when a NetBIOS-based service is shut down, the WINS client sends a message to the WINS server to release the name.
These processes are described in greater detail in the following sections. All WINS communications between WINS clients and WINS servers use unicast NetBIOS name management messages over User Datagram Protocol (UDP) port 137, the reserved port for the NetBIOS Name Service.

Name Registration
When a WINS client initializes, it registers its NetBIOS names by sending a NetBIOS Name Registration Request message directly to its configured WINS server. NetBIOS names are registered when NetBIOS services or applications start, such as the Workstation, Server, and Messenger services. If the NetBIOS name is unique and another WINS client has not already registered the name, the WINS server sends a positive Name Registration Response message to the WINS client. This message contains the amount of time, known as the Time to Live (TTL), that the NetBIOS name is registered to the WINS client. The TTL is configured on the WINS server.

When a Duplicate Name Is Found
If a duplicate unique name is registered in the WINS database, the WINS server sends a challenge to the currently registered owner of the name as a unicast NetBIOS Name Query Request message. The WINS server sends the challenge three times at 500-millisecond intervals. If the current registered owner responds to the challenge successfully, the WINS server sends a negative Name Registration Response message to the WINS client that is attempting to register the duplicate name. If the current registered owner does not respond to the WINS server, the server sends a positive Name Registration Response message to the WINS client that is attempting to register the name and updates its database with the new owner.

When WINS Servers Are Unavailable
A typical WINS client is configured with a primary and a secondary WINS server, although you can configure more than two WINS servers. A WINS client makes three attempts to register its names with its primary WINS server. If the third attempt gets no response, the WINS client sends name registration requests to its secondary WINS server (if configured) and any additional servers that have been configured. If none of the WINS servers are available, the WINS client uses local broadcasts to register its NetBIOS names.

Name Renewal
To continue using the same NetBIOS name, a client must renew its registration before the TTL it received in the last positive Name Registration Response message expires. If the client does not renew the registration, the WINS server removes the NetBIOS name from its database. After that point, other computers cannot resolve the NetBIOS name to the address of the former owner and another client can register the name for itself.

Name Refresh Request
Every WINS client attempts to renew its NetBIOS names with its primary WINS server by sending a NetBIOS Name Refresh message when half of the TTL has elapsed or when the computer or the service restarts. If the WINS client does not receive a NetBIOS Name Registration Response message, the client sends another refresh message to its primary WINS server every 10 minutes for one hour. If none of these attempts is successful, the client then tries the secondary WINS server every 10 minutes for one hour. The client continues to send refresh messages to the primary server for an hour and then to the secondary server for an hour until either the name expires or a WINS server responds and renews the name. If the WINS client succeeds in refreshing its name, the WINS server that responds to the NetBIOS Name Refresh message resets the renewal interval. If the WINS client fails to refresh the name on either the primary or secondary WINS server during the renewal interval, the name is released.

Name Refresh Response
When a WINS server receives the NetBIOS Name Refresh message, the server sends the client a positive Name Registration Response message with a new TTL.

Name Release
When a NetBIOS application running on a WINS client is closed, NetBT instructs the WINS server to release the unique NetBIOS name used by the application. The WINS server then removes the NetBIOS name mapping from its database. The name release process uses the following types of messages:
Name Release Request
The Name Release Request message includes the client's IPv4 address and the NetBIOS name to be removed from the WINS database.
Name Release Response
When the WINS server receives the Name Release Request message, the server checks its database for the specified name. If the WINS server encounters a database error or if a different IPv4 address maps to the registered name, the server sends a negative Name Release Response message to NetBT on the WINS client. Otherwise, the WINS server sends a positive Name Release Response message and then designates the specified name as inactive in its database. The positive Name Release Response message contains the released NetBIOS name and a TTL value of 0.
Microsoft Windows, where it was known as "Microsoft Windows Network" before the subsequent introduction of Active Directory. SMB could refer to:
the SMB protocol specification
the "server" and "workstation" services that implement the protocol on Windows
the Samba daemons that implement the protocol on Unix and Unix-like systems
the NetBIOS transport used by SMB on legacy versions of Windows
the DCE/RPC services that use SMB as an authenticated inter-process communication channel (over named pipes)
the "Network Neighborhood" protocols, which primarily (but not exclusively) run as datagram services directly on the NetBIOS transport
Connection establishment messages consist of commands that start and end a redirector connection to a shared resource at the server. Namespace and File Manipulation messages are used by the redirector to gain access to files at the server and to read and write them. Printer messages are used by the redirector to send data to a print queue at a server and to get status information about the print queue. Miscellaneous messages are used by the redirector to write to mailslots and named pipes.
Microsoft Windows 2000, Microsoft Windows NT, Microsoft Windows 98, Microsoft Windows 95
Microsoft OS/2 LAN Manager
Microsoft Windows for Workgroups
UNIX
VMS
Macintosh
IBM LAN Server
DEC PATHWORKS
Microsoft LAN Manager for UNIX
3Com 3+Open
MS-Net
CIFS complements Hypertext Transfer Protocol (HTTP) while providing more sophisticated file sharing and file transfer than older protocols, such as FTP. CIFS is shown servicing a user request for data from a networked server in Figure.
Figure: CIFS Architecture
When there is a request to open a shared file, the I/O calls the redirector, which in turn requests the redirector to choose the appropriate transport protocol. For NetBIOS requests, NetBIOS is encapsulated in the IP protocol and transported over the network to the appropriate server. The request is passed up to the server, which sends data back to satisfy the request. Components in the redirector provide support for CIFS, such as:
Rdbss.sys: All kernel-level interactions are encapsulated in this driver. This includes all cache managers, memory managers, and requests for remote file systems so the specified protocol can use the requested server.
Mrxsmb.sys: This mini-redirector for CIFS has commands specific to CIFS.
Mrxnfs.sys: This mini-redirector for the Network File System (NFS) provides support for NFS. Mrxnfs.sys is included in Services for Unix.
In Windows NT 4.0, Windows Internet Name Service (WINS) and Domain Name System (DNS) name resolution was accomplished by using TCP port 134. Extensions to CIFS and NetBT now allow connections directly over TCP/IP with the use of TCP port 445. Both means of resolution are still available in Windows 2000. It is possible to disable either or both of these services in the registry. Features that CIFS offers are:
Integrity and Concurrency
CIFS allows multiple clients to access and update the same file while preventing conflicts by providing file sharing and file locking. File sharing and file locking are the mechanisms that allow one user to access a file at a time and block access to all other users. These sharing and locking mechanisms can be used over the Internet and intranets. They also permit aggressive caching and read-ahead and write-behind without loss of integrity. File caches of buffers must be cleared before the file is usable by other clients. These capabilities ensure that only one copy of a file can be active at a time, preventing data corruption.
Optimization for Slow Links
The CIFS protocol has been tuned to run well over slow-speed dial-up lines. The effect is improved performance for users who access the Internet using a modem.
Security
CIFS servers support both anonymous transfers and secure, authenticated access to named files. File and directory security policies are easy to administer.
Performance and Scalability
CIFS servers are highly integrated with the operating system, and are tuned for maximum system performance.
Unicode File Names
File names can be in any character set, not just character sets designed for English or Western European languages.
Global File Names
Users do not have to mount remote file systems, but can refer to them directly with globally significant names (names that can be located anywhere on the Internet), instead of ones that have only local significance (on a local computer or LAN). Distributed File Systems (DFS) allows users to construct an enterprise-wide namespace. Uniform Naming Convention (UNC) file names are supported, so a drive letter does not need to be created before remote files can be accessed.
Implementation
IPP is implemented using the Hypertext Transfer Protocol (HTTP) and inherits all of the HTTP streaming and security features. For example, authorization can take place via HTTP's Digest access authentication mechanism, GSSAPI, or via public key certificates. Encryption is provided using the SSL/TLS protocol layer, either in the traditional always-on mode used by HTTPS or using the HTTP Upgrade extension to HTTP (RFC 2817). Streaming is supported using HTTP chunking. IPP uses the traditional client-server model, with clients sending IPP request messages with the MIME media type "application/ipp" in HTTP POST requests to an IPP printer. IPP request messages consist of key/value pairs using a custom binary encoding followed by an "end of attributes" tag and any document data required for the request. The IPP response is sent back to the client in the HTTP POST response, again using the "application/ipp" MIME media type. Among other things, IPP allows a client to:
1. query a printer's capabilities
2. submit print jobs to a printer
3. query the status of a printer
4. query the status of one or more print jobs
5. cancel previously submitted jobs
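The request framing just described (binary key/value attributes, then an end-of-attributes tag, then document data) is easier to see in code. The following is an added example, not code from the course notes or from any IPP implementation such as CUPS; it follows the RFC 8010 layout (2-byte version, 2-byte operation-id, 4-byte request-id, attribute groups, end-of-attributes tag, then document bytes). The printer URI and the document bytes are constructed sample values. The parser bounds-checks every length field, which is the part a security reviewer cares about: a truncated or malformed message must fail cleanly rather than be misread.

```python
# Added example (not from the course notes or any IPP implementation): a
# minimal encoder and parser for the IPP binary request framing.
import struct

OPERATION_ATTRIBUTES_TAG = 0x01    # begin-attribute-group tag
END_OF_ATTRIBUTES_TAG = 0x03
TAG_INTEGER, TAG_KEYWORD, TAG_URI = 0x21, 0x44, 0x45
TAG_CHARSET, TAG_NATURAL_LANGUAGE = 0x47, 0x48
STRING_TAGS = {TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_NATURAL_LANGUAGE}
OP_PRINT_JOB, OP_GET_PRINTER_ATTRIBUTES = 0x0002, 0x000B


def _attribute(tag: int, name: str, value) -> bytes:
    """One attribute: value-tag, name-length, name, value-length, value."""
    raw = struct.pack(">i", value) if isinstance(value, int) else value.encode("utf-8")
    name_bytes = name.encode("utf-8")
    return (struct.pack(">BH", tag, len(name_bytes)) + name_bytes
            + struct.pack(">H", len(raw)) + raw)


def encode_request(operation_id: int, request_id: int, printer_uri: str,
                   document: bytes = b"") -> bytes:
    """Build an IPP/2.0 request carrying the mandatory operation attributes."""
    header = struct.pack(">BBHI", 2, 0, operation_id, request_id)
    attrs = (bytes([OPERATION_ATTRIBUTES_TAG])
             + _attribute(TAG_CHARSET, "attributes-charset", "utf-8")
             + _attribute(TAG_NATURAL_LANGUAGE, "attributes-natural-language", "en")
             + _attribute(TAG_URI, "printer-uri", printer_uri))
    return header + attrs + bytes([END_OF_ATTRIBUTES_TAG]) + document


def parse_request(data: bytes) -> dict:
    """Parse a request. Every length field is checked against the remaining
    bytes before it is used, so truncated or malformed input raises ValueError.
    (Additional values of a multi-valued attribute, name-length 0, are not
    handled by this minimal parser.)"""
    if len(data) < 8:
        raise ValueError("message shorter than the 8-byte header")
    major, minor, operation_id, request_id = struct.unpack(">BBHI", data[:8])
    pos, attributes = 8, {}
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no end-of-attributes tag")
        tag = data[pos]
        pos += 1
        if tag == END_OF_ATTRIBUTES_TAG:
            break
        if tag < 0x10:            # begin-attribute-group tag: no name/value follows
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated attribute name length")
        name_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        if pos + name_len + 2 > len(data):
            raise ValueError("truncated attribute name")
        name = data[pos:pos + name_len].decode("utf-8")
        pos += name_len
        value_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        if pos + value_len > len(data):
            raise ValueError("attribute value length exceeds message")
        raw = data[pos:pos + value_len]
        pos += value_len
        if tag == TAG_INTEGER and value_len == 4:
            value = struct.unpack(">i", raw)[0]
        elif tag in STRING_TAGS:
            value = raw.decode("utf-8")
        else:
            value = raw
        attributes[name] = value
    return {"version": (major, minor), "operation_id": operation_id,
            "request_id": request_id, "attributes": attributes,
            "document": data[pos:]}


if __name__ == "__main__":
    # Constructed sample: a Print-Job request carrying a tiny PostScript body.
    req = encode_request(OP_PRINT_JOB, 7, "ipp://printer.example/ipp/print",
                         b"%!PS-Adobe-3.0\n")
    print(parse_request(req))
```

In a real client the returned bytes become the body of an HTTP POST with Content-Type "application/ipp"; the response uses the same framing with a status code in place of the operation-id.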
IPP uses TCP with port 631 as its well-known port. IPP implementations such as CUPS also use UDP with port 631 for IPP printer discovery.
Products using the Internet Printing Protocol include, among others, CUPS (which is part of Mac OS X and many BSD and Linux distributions and is the reference implementation for IPP/2.0 and IPP/2.1), Novell iPrint, and Microsoft Windows, starting with Windows 2000.[1] Windows XP and Windows Server 2003 offer IPP printing via HTTPS. Windows Vista, Windows 7, Windows Server 2008 and 2008 R2 also support IPP printing over RPC in the "Medium-Low" security zone. For reasons that remain speculative, Microsoft dropped support of secure IPP via SSL with Windows Server 2008.
Windows Sockets
The Windows Sockets API (WSA), which was later shortened to Winsock, is a technical specification that defines how Windows network software should access network services, especially TCP/IP. It defines a standard interface between a Windows TCP/IP client application (such as an FTP client or a web browser) and the underlying TCP/IP protocol stack. The nomenclature is based on the Berkeley sockets API model used in BSD for communications between programs. Initially, all the participating developers resisted the shortening of the name to Winsock for a long time, since there was much confusion among users between the API and the DLL library file (winsock.dll), which only exposed the common WSA interfaces to applications above it. Users would commonly believe that merely making sure the DLL file was present on a system would provide full TCP/IP protocol support.
Specifications
Version 1.0 (June 1992) defined the basic operation of Winsock. It was kept very close to the existing interface of Berkeley sockets to simplify porting of existing applications. A few Windows-specific extensions were added, mainly for asynchronous operations with message-based notifications. Although the document didn't limit support to TCP/IP, TCP and UDP were the only protocols explicitly mentioned. Most vendors only delivered TCP/IP support, although Winsock from DEC included DECNet support as well.
Version 1.1 (January 1993) made many minor corrections and clarifications of the specification. The most significant change was the inclusion of the gethostname() function.
Versions 2.0.x (May 1994 onwards) had internal draft status, and were not announced as public standards.
Version 2.1.0 (January 1996) was the first public release of the Winsock 2 specification.
Version 2.2.0 (May 1996) included many minor corrections, clarifications, and usage recommendations. It was also the first version to remove support for 16-bit Windows applications.
Version 2.2.1 (May 1997) and Version 2.2.2 (August 1997) introduced minor functionality enhancements. Mechanisms were added for querying and receiving notification of changes in network and system configuration.
The IPv6 Technical Preview for Windows 2000 (December 2000) saw the first implementation of RFC 2553 (March 1999, later obsoleted by RFC 3493), a protocol-independent API for name resolution, which would become part of Winsock in Windows XP.
Telnet
Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP).
Telnet was developed in 1969 beginning with RFC 15, extended in RFC 854, and standardized as Internet Engineering Task Force (IETF) Internet Standard STD 8, one of the first Internet standards. Historically, Telnet provided access to a command-line interface (usually, of an operating system) on a remote host. Most network equipment and operating systems with a TCP/IP stack support a Telnet service for remote configuration (including systems based on Windows NT). Because of security issues with Telnet, its use for this purpose has waned in favor of SSH. The term telnet may also refer to the software that implements the client part of the protocol. Telnet client applications are available for virtually all computer platforms. Telnet is also used as a verb. To telnet means to establish a connection with the Telnet protocol, either with a command-line client or with a programmatic interface. For example, a common directive might be: "To change your password, telnet to the server, login and run the passwd command." Most often, a user will be telnetting to a Unix-like server system or a network device (such as a router) and obtain a login prompt to a command-line text interface or a character-based full-screen manager.
Security
When Telnet was initially developed in 1969, most users of networked computers were in the computer departments of academic institutions, or at large private and government research facilities. In this environment, security was not nearly as much of a concern as it became after the bandwidth explosion of the 1990s. The rise in the number of people with access to the Internet, and by extension, the number of people attempting to hack other people's servers, made encrypted alternatives much more of a necessity. Experts in computer security, such as the SANS Institute, recommend that the use of Telnet for remote logins should be discontinued under all normal circumstances, for the following reasons:
Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often practical to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access to a router, switch, hub or gateway located on the network between the two hosts where Telnet is being used can intercept the packets passing by and obtain login and password information (and whatever else is typed) with any of several common utilities like tcpdump and Wireshark.
Most implementations of Telnet have no authentication that would ensure communication is carried out between the two desired hosts and not intercepted in the middle.
Commonly used Telnet daemons have several vulnerabilities discovered over the years.
These security-related shortcomings have seen the usage of the Telnet protocol drop rapidly, especially on the public Internet, in favor of the Secure Shell (SSH) protocol, first released in 1995. SSH provides much of the functionality of Telnet, with the addition of strong encryption to prevent sensitive data such as passwords from being intercepted, and public key authentication, to ensure that the remote computer is actually who it claims to be. As has happened with other early Internet protocols, extensions to the Telnet protocol provide Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication that address the above issues. However, most Telnet implementations do not support these extensions, and there has been relatively little interest in implementing them, as SSH is adequate for most purposes.
intervention by a network administrator. It also provides a central database for keeping track of computers that have been connected to the network. This prevents two computers from accidentally being configured with the same IP address. In the absence of DHCP, hosts may be manually configured with an IP address. Alternatively IPv6 hosts may use stateless address autoconfiguration to generate an IP address. IPv4 hosts may use link-local addressing to achieve limited local connectivity. In addition to IP addresses, DHCP also provides other configuration information, particularly the IP addresses of local caching DNS resolvers. Hosts that do not use DHCP for address configuration may still use it to obtain other configuration information. There are two versions of DHCP, one for IPv4 and one for IPv6. While both versions bear the same name and perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they can be considered separate protocols.
available, a new protocol was developed based on the client-server model. It resembled the Simple Mail Transfer Protocol (SMTP), but was tailored for exchanging newsgroup articles. A newsreader, also known as a news client, is a software application that reads articles on Usenet, either directly from the news server's disks or via the NNTP. The well-known TCP port 119 is reserved for NNTP. When clients connect to a news server with Transport Layer Security (TLS), TCP port 563 is used. This is sometimes referred to as NNTPS.
Versions
There are three versions of the Routing Information Protocol: RIPv1, RIPv2, and RIPng.
RIP version 1 (RIPv1). This is a simple distance vector protocol. It has been enhanced with various techniques, including Split Horizon and Poison Reverse, in order to enable it to perform better in somewhat complicated networks. The longest path cannot exceed 15 hops. RIP uses static metrics to compare routes. The maximum datagram size is 512 bytes not including the IP or UDP headers.
RIP version 2 (RIPv2). This version added several new features:
External route tags.
Subnet masks.
Next hop router addresses.
Authentication.
Multicast support.
RIPng
RIPng (RIP next generation), defined in RFC 2080, is an extension of RIPv2 for support of IPv6, the next generation Internet Protocol. The main differences between RIPv2 and RIPng are:
Support of IPv6 networking.
While RIPv2 supports RIPv1 updates authentication, RIPng does not. IPv6 routers were, at the time, supposed to use IPsec for authentication.
RIPv2 allows attaching arbitrary tags to routes; RIPng does not.
RIPv2 encodes the next hop into each route entry; RIPng requires specific encoding of the next hop for a set of route entries.
Network Interface Identification: Like a street address, the IP address provides unique identification of the interface between a device and the network. This is required to ensure that the datagram is delivered to the correct recipients. Routing: When the source and destination of an IP datagram are not on the same network, the datagram must be delivered indirectly using intermediate systems, a process called routing. The IP address is an essential part of the system used to route datagrams.
IP Address Versions: IP version 4: Currently used by most network devices. However, with more and more computers accessing the internet, IPv4 addresses are running out quickly. Just like in a city, addresses have to be created for new neighborhoods but, if your neighborhood gets too large, you will have to come up with an entire new pool of addresses. IPv4 is limited to 4,294,967,296 addresses. IP version 5: This is an experimental protocol for UNIX based systems. In keeping with standard UNIX (a computer Operating System) release conventions, all odd-numbered versions are considered experimental. It was never intended to be used by the general public. IP version 6: The replacement for the aging IPv4. The estimated number of unique addresses for IPv6 is 340,282,366,920,938,463,463,374,607,431,768,211,456 or 2^128.
Here is a sample octet conversion when not all of the bits are set to 1.
0 1 0 0 0 0 0 1 (binary 01000001)
0 64 0 0 0 0 0 1 (0+64+0+0+0+0+0+1=65)
And this sample shows an IP address represented in both binary and decimal.
10.1.23.19 (decimal)
00001010.00000001.00010111.00010011 (binary)
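The conversion shown above, written out as code. This is an added example, not from the course notes; it reproduces the place-value sum for a single octet (128, 64, 32, 16, 8, 4, 2, 1) and converts whole dotted-decimal addresses to and from dotted-binary, rejecting octets outside 0 to 255 and strings that are not four groups.

```python
# Added example (not from the course notes): IPv4 octet and address conversion
# between decimal and binary, using the per-bit place values shown above.

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_binary(value: int) -> str:
    """Return the 8-bit binary string for one octet, e.g. 65 -> '01000001'."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range 0-255: {value}")
    return format(value, "08b")


def octet_place_values(value: int) -> list:
    """List the place value each bit contributes (0 where the bit is clear).

    For 65 this is [0, 64, 0, 0, 0, 0, 0, 1], whose sum is 65.
    """
    bits = octet_to_binary(value)
    return [place if bit == "1" else 0 for place, bit in zip(PLACE_VALUES, bits)]


def binary_to_octet(bits: str) -> int:
    """Convert an 8-character binary string back to its decimal octet."""
    if len(bits) != 8 or any(ch not in "01" for ch in bits):
        raise ValueError(f"not an 8-bit binary string: {bits!r}")
    return sum(place for place, bit in zip(PLACE_VALUES, bits) if bit == "1")


def ip_to_binary(address: str) -> str:
    """Dotted-decimal -> dotted-binary, e.g. '10.1.23.19' -> '00001010.00000001.00010111.00010011'."""
    octets = address.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"expected four numeric octets: {address!r}")
    return ".".join(octet_to_binary(int(o)) for o in octets)


def binary_to_ip(binary: str) -> str:
    """Dotted-binary -> dotted-decimal (inverse of ip_to_binary)."""
    groups = binary.strip().split(".")
    if len(groups) != 4:
        raise ValueError(f"expected four binary octets: {binary!r}")
    return ".".join(str(binary_to_octet(g)) for g in groups)


if __name__ == "__main__":
    print(octet_place_values(65), "sum =", sum(octet_place_values(65)))
    print(ip_to_binary("10.1.23.19"))
    print(binary_to_ip("00001010.00000001.00010111.00010011"))
```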
These octets are broken down to provide an addressing scheme that can accommodate large and small networks. There are five different classes of networks, A to E. This document focuses on addressing classes A to C, since classes D and E are reserved and discussion of them is beyond the scope of this document. Class D IP addresses are reserved for multicast groups and cannot be assigned to hosts, and class E IP addresses are experimental and likewise cannot be assigned to hosts. Every IP address consists of 4 octets and 32 bits. Every participating host and device on a network, such as servers, routers, switches, DNS and DHCP servers, gateways, web servers, Internet fax servers and printers, has its own unique address within the scope of the network. TCP/IP protocols are installed by default with Windows-based operating systems. After the TCP/IP protocols are successfully installed, you configure them through the Properties tab of the Local Area Connection.
IP Addressing Tips
A network ID cannot be all 0s.
A host ID cannot be all 1s, because this represents the broadcast address for the local network.
Each host must have a unique host portion of the IP address.
All hosts on the same network segment should have the same network ID.
A host address cannot use 127 as its first octet, because 127 has been reserved for loopback functionality.
Subnet Mask
An IP (Internet Protocol) address is a unique identifier for a single device (node or host connection) on an IP network. It is a 32-bit binary number that ranges from 0 to 4294967295. This means that, theoretically, the Internet can contain approximately 4.3 billion unique objects. This binary number is usually represented as 4 decimal values, each representing 8 bits (an octet), in the range 0 to 255, separated by decimal points. This is known as dotted-decimal notation. IP is a communications protocol used from the smallest private network to the massive global Internet.
Increments of an IP Address:
0.0.0.0
0.0.0.1
... (increment: 252 hosts)
0.0.0.254
0.0.0.255
0.0.1.0
0.0.1.1
... (increment: 252 hosts)
0.0.1.254
0.0.1.255
0.0.2.0
0.0.2.1
... (increment: 4+ billion hosts)
255.255.255.255
Subnetting and Subnet Mask
A subnetwork, or subnet, describes networked computers and devices that have a common, designated IP address routing prefix. Every IP address consists of two parts, one identifying the network and one identifying the node. The class of the address and the subnet mask determine which part belongs to the network address and which part belongs to the node address. Routers are used to manage traffic and form borders between subnets. Subnetting is used to break the network into smaller, more efficient subnets to prevent excessive rates of Ethernet packet collision in a large network. These subnets can be arranged hierarchically, with the organization's network address space partitioned into a tree-like structure.
A significant feature of subnetting is the subnet mask. Similar to IP addresses, a subnet mask contains four bytes (32 bits) and is often written using the same dotted-decimal notation. Applying a subnet mask to an IP address allows you to identify the network and node parts of the address. The network bits are represented by the ones in the mask, and the node bits are represented by the zeros; the length of the run of ones is the subnet length. A subnet mask cannot replace an IP address; the two work together, not independently. Applying the subnet mask to an IP address splits the address into two parts, an extended network address and a host address. The subnet mask determines the size of a subnet and pinpoints where the end points of the subnet are, if an IP address within the subnet is known. The "mask" aspect of a subnet mask comes from the fact that it conceals the host bits and leaves the Network ID that starts the subnet. If the beginning and size of the subnet are known, the end of the subnet (the Broadcast ID) can be defined. The Network ID is the official designation for a particular subnet, and the ending number is the broadcast address that every device on a subnet listens to.
Uses of Subnet Masks
Identifies a network
Isolates the Network ID and Host ID
Determines the number of hosts/terminals that could be used on the same network
Reduces network traffic
Network Identifier (Network ID): A certain number of bits, starting from the left-most bit, is used to identify the network where the host or other network interface is located. This is also sometimes called the network prefix or even just the prefix. Host Identifier (Host ID): The remainder of the bits are used to identify the host on the network.
Note: By convention, IP devices are often called hosts for simplicity, as I do throughout this Guide. Even though each host usually has a single IP address, remember that IP addresses are strictly associated with network-layer network interfaces, not physical devices, and a device may therefore have more than one IP address.
Basic IP Address Division: Network ID and Host ID
The fundamental division of the bits of an IP address is into a network ID and host ID. Here, the network ID is 8 bits long, shown in cyan, and the host ID is 24 bits in length.
Mid-Octet IP Address Division
Since IP addresses are normally expressed as four dotted-decimal numbers, educational resources often show the division between the Network ID and Host ID occurring on an octet boundary. However, it's essential to remember that the dividing point often appears in the middle of one of these eight-bit numbers. In this example, the Network ID is 20 bits long and the Host ID 12 bits long. This results in the third number of the original IP address, 157, being split into 144 and 13. The place where the line is drawn between the network ID and the host ID must be known in order for devices such as routers to know how to interpret the address. This information is conveyed either implicitly or explicitly depending on the type of IP addressing in use. I describe this in the following topic.
of the first octet are 10. The remaining bits can be any combination of ones and zeroes. This is normally represented as 10xx xxxx (shown as two groups of four for readability). Thus, the binary range for the first octet can be from 1000 0000 to 1011 1111. This is 128 to 191 in decimal. So, in the classful scheme, any IP address whose first octet is from 128 to 191 (inclusive) is a class B address. Table 44 shows the bit patterns of each of the five classes, and the way that the first octet ranges can be calculated. The first column is the format for the first octet of the IP address, where each x can be either a zero or a one. Then I show the lowest and highest value for each class in binary (the fixed leading bits are the ones that do not change while the others do). I then also show the corresponding range for the first octet in decimal.
Table 44: IP Address Class Bit Patterns, First-Octet Ranges and Address Ranges

Class    First Octet   Lowest (binary)   Highest (binary)   First Octet (decimal)   Net/Host Octets   Theoretical IP Address Range
Class A  0xxx xxxx     0000 0001         0111 1110          1 to 126                1/3               1.0.0.0 to 126.255.255.255
Class B  10xx xxxx     1000 0000         1011 1111          128 to 191              2/2               128.0.0.0 to 191.255.255.255
Class C  110x xxxx     1100 0000         1101 1111          192 to 223              3/1               192.0.0.0 to 223.255.255.255
Class D  1110 xxxx     1110 0000         1110 1111          224 to 239              (not divided)     224.0.0.0 to 239.255.255.255
Class E  1111 xxxx     1111 0000         1111 1111          240 to 255              (not divided)     240.0.0.0 to 255.255.255.255
Key Concept: In the classful IP addressing scheme, the class of an IP address is identified by looking at the first one, two, three or four bits of the address. This can be done both by humans working with these addresses and by routers making routing decisions. The use of these bit patterns means that IP addresses in different classes fall into particular address ranges that allow an address's class to be determined by looking at the first byte of its dotted-decimal address.
IP Address Class Bit Assignments and Network/Host ID Sizes
This illustration shows how the 32 bits of IP address are assigned for each of the five IP address classes. Classes A, B and C are the normal classes used for regular unicast addresses; each has a different dividing point between the Network ID and Host ID. Classes D and E are special and are not divided in this manner. Now, recall that classes A, B and C differ in where the dividing line is between the network ID and the host ID: 1 for network and 3 for host for class A, 2 for each for class B, and 3 for network and 1 for host for class C. Based on this division, I have highlighted the network ID portion of the IP address ranges for each of classes A, B and C. The plain text corresponds to the range of host IDs for each allowable network ID. Figure 62 shows graphically how bits are used in each of the five classes. Let's look at class C. The lowest IP address is 192.0.0.0 and the highest is 223.255.255.255. The first three octets are the network ID, and can range from 192.0.0 to 223.255.255. For each network ID in that range, the host ID can range from 0 to 255.
IP Addresses Classes
Class A
The binary address for class A starts with 0. The range of IP addresses in class A is between 1 and 126, and the default subnet mask of class A is 255.0.0.0. Class A supports 16 million hosts on each of 125 networks. An example of a class A address is 10.10.1.1. Class A is used for large networks with many network devices.
Class B
The binary address for class B starts with 10. The range of IP addresses in class B is between 128 and 191, and the default subnet mask for class B is 255.255.0.0. Class B supports 65,000 hosts on each of 16,000 networks. An example of a class B address is 150.10.10.10. The class B addressing scheme is used for medium-sized networks.
Class C
The binary address for class C starts with 110. The range of IP addresses in class C is between 192 and 223, and the default subnet mask for class C is 255.255.255.0. Class C supports 254 hosts on each of 2 million networks. An example of a class C IP address is 210.100.100.50. Class C is used for small networks with fewer than 256 devices and nodes in a network.
Class D
The binary address for class D starts with 1110 and the first octet can be between 224 and 239. An example of a class D IP address is 230.50.100.1.
Class E
The binary address for class E starts with 1111 and the first octet in decimal can be anywhere from 240 to 255. An example of a class E IP address is 245.101.10.10.
It is very important to know that all the computers in the same network segment should have IP addresses from the same class, i.e. from A, B or C.
Note: It is common to see resources refer to the network ID of a classful address as including only the significant bits, that is, only the ones that are not common to all networks of that class. For example, you may see a Class B network ID shown in a diagram as having 14 bits, with the 10 that starts all such networks shown separately, as if it were not part of the network ID. Remember that the network ID does include those bits as well; it is 8 full bits for Class A, 16 for Class B and 24 for Class C. In the case of Class D addresses, all 32 bits are part of the address, but only the lower 28 bits are part of the multicast group address; see the topic on multicast addressing for more.
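The class rules above (leading bits of the first octet, default mask, and the octet boundary between network ID and host ID) as working code. This is an added example, not code from the course notes; the five example addresses used in the test are the ones given in the text. Because the first-octet values 0 and 127 match the class A bit pattern but are reserved (127 for loopback), the function reports them separately rather than silently treating them as usable class A addresses.

```python
# Added example (not from the course notes): identifying the class of an IPv4
# address from the leading bits of its first octet, then splitting it into
# network ID and host ID at the classful octet boundary.

# Leading-bit patterns from Table 44, checked in order (class A first).
CLASS_PREFIXES = (("A", "0"), ("B", "10"), ("C", "110"), ("D", "1110"), ("E", "1111"))
# Octets belonging to the network ID for the unicast classes.
NETWORK_OCTETS = {"A": 1, "B": 2, "C": 3}
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def parse_ipv4(address: str) -> list:
    """Split a dotted-decimal address into four validated integer octets."""
    parts = address.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed IPv4 address: {address!r}")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {address!r}")
    return octets


def address_class(address: str) -> str:
    """Return 'A'..'E' by matching the first octet's leading bits."""
    first_octet_bits = format(parse_ipv4(address)[0], "08b")
    for cls, prefix in CLASS_PREFIXES:
        if first_octet_bits.startswith(prefix):
            return cls
    raise AssertionError("unreachable: every 8-bit pattern matches a class")


def classful_split(address: str) -> dict:
    """Describe the classful interpretation of an address.

    Classes D and E are not divided into network and host IDs, so those
    fields are None for them. 'reserved' is True for first octet 0 or 127,
    which match the class A pattern but are not assignable to hosts.
    """
    octets = parse_ipv4(address)
    cls = address_class(address)
    result = {"address": address, "class": cls, "reserved": octets[0] in (0, 127),
              "network_id": None, "host_id": None, "default_mask": None}
    if cls in NETWORK_OCTETS:
        n = NETWORK_OCTETS[cls]
        result["network_id"] = ".".join(str(o) for o in octets[:n] + [0] * (4 - n))
        result["host_id"] = ".".join(str(o) for o in [0] * n + octets[n:])
        result["default_mask"] = DEFAULT_MASKS[cls]
    return result


if __name__ == "__main__":
    for sample in ("10.10.1.1", "150.10.10.10", "210.100.100.50",
                   "230.50.100.1", "245.101.10.10", "127.0.0.1"):
        print(classful_split(sample))
```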
In decimal, this is 211.77.20.1.
2. The second host address has the number 2 for the host ID, or 00010 in binary. Its binary value is:
11010011 01001101 00010100 00000010
In decimal, this is 211.77.20.2.
I'm sure you get the picture already; the third host will be 211.77.20.3, the fourth 211.77.20.4 and so on. There is a maximum of 30 hosts in each subnet, as we saw before. So, the last host in this subnet will be found by substituting 30 (11110 in binary) for the host ID bits, resulting in a decimal address of 211.77.20.30.
Figure 80: Determining Host Addresses For A Class C Network
This diagram shows how both subnet addresses and host addresses are determined in a two-step process. The subnet addresses are found by substituting subnet ID values (shown in red) for the subnet ID bits of the network. Then, for any given subnet address, we can determine a host address by substituting a host number (shown in blue) for the host ID bits within that subnet. So, for example, host #2 in subnet #6 has 110 for the subnet ID and 00010 for the host ID, resulting in a final octet value of 11000010 or 194.
We can do the same thing for each of the other subnets; the only thing that changes is the values in the subnet ID bits. Let's take for example subnet #6. It has 110 for the subnet bits instead of 000. So, its subnet base address is 211.77.20.192, or:
11010011 01001101 00010100 11000000
We assign hosts to this subnet by substituting 00001, then 00010, then 00011 for the host ID bits as before:
1. The first host address is:
11010011 01001101 00010100 11000001
or 211.77.20.193.
2. The second host address is:
11010011 01001101 00010100 11000010
or 211.77.20.194.
And so on, all the way up to the last host in the subnet, which is 211.77.20.222. Figure 80 shows graphically how subnet and host addresses are calculated for this sample network.
Class B Host Address Determination Example
We can do the same thing for our Class B network, naturally. The address of that network is 166.113.0.0. Now, say we want to define the hosts that go in subnet #13. We substitute 13 in binary (01101) for the subnet ID bits, to get the following subnet address, shown with the subnet ID bits highlighted and the host ID bits highlighted and underlined:
10100110 01110001 01101000 00000000
This is the subnet address 166.113.104.0. Now, we have 11 bits of host ID, so we can have a maximum of 2,046 hosts. The first is found by substituting 000 00000001 for the host ID bits, to give an address of 166.113.104.1. The second host is 166.113.104.2, and so on. The last is found by substituting 111 11111110, to give an address of 166.113.111.254. Note that since the host ID bits extend over two octets, two octets change as we increment the host ID, unlike our Class C example. The broadcast address is 166.113.111.255.
"Shortcuts" For Quickly Computing Host Addresses

As you can see, defining the host IDs is really quite straightforward. If you can substitute bits and convert to decimal, you have all you need to know. You can also see that, as was the case with defining the subnet addresses, there are patterns that you can use in defining host IDs and understanding how they work. These generally define ways that we can more quickly determine certain host addresses by working directly in decimal instead of bothering with binary substitutions. This is a bit more complex conceptually, so only proceed if you are feeling a bit brave. The following are some of the shortcuts you can use in determining host IP addresses in a subnet environment:
First Host Address: The first host address is always the subnet address with the last octet incremented by 1. So, in our Class C example, subnet #3's base address is 211.77.20.96. The first host address in subnet #3 is thus 211.77.20.97.

Subsequent Host Addresses: After you find the first host address, to get the next one you just add one to the last octet of the previous address. If this makes the last octet 256 (which can happen only if there are more than 8 host ID bits) you wrap around to zero and increment the third octet.

Directly Calculating Host Addresses: If the number of host ID bits is 8 or less, you can find host #N's address by adding N to the last octet's decimal value. For example, in our Class C example, subnet #3's base address is 211.77.20.96. Therefore, host #23 in this subnet has an address of 211.77.20.119. If there are more than 8 bits in the host ID, this only works for the first 255 hosts, after which you have to wrap around and increase the value of the third octet. Consider again subnet #13 in our Class B example, which has a base address of 166.113.104.0. Host #214 on this subnet has address 166.113.104.214, but host #314 isn't 166.113.104.314. It is 166.113.105.58: host #255 is 166.113.104.255, host #256 is 166.113.105.0, and we count up 58 more (314 - 256) to get to host #314, 166.113.105.58.
Range Of Host Addresses: The range of hosts for any subnet is determined as follows:

First Address: Base address of the subnet with the last octet incremented by one.
Last Address: Base address of the next subnet after this one, less two in the last octet (which may require changing a 0 in the last octet to 254 and reducing the value of the third octet by 1).

Broadcast Address: The broadcast address for a subnet is always one less than the base address of the subsequent subnet, or, alternately, one more than the last real host address of the subnet. So, for subnet #17 in our Class B example, the broadcast address is 166.113.143.255.
Did I just confuse you? Well, remember, these are shortcuts, and sometimes when you take a shortcut you get lost. Just kidding, it's really not that hard once you play around with it a bit. In closing, remember the following quick summary when working with IP addresses in a subnet environment:

1. The network ID is the same for all hosts in all subnets, and all subnets in the network.
2. The subnet ID is the same for all hosts in each subnet, but unique to each subnet in the network.
3. The host ID is unique within each subnet. Each subnet has the same set of host IDs.
4. Subnetting is fun!
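The bit-substitution method above, worked in code. This is an added example and not part of the original course text; it uses the page's own networks (211.77.20.0 with 3 subnet bits, 166.113.0.0 with 5 subnet bits) and, because it works in binary, the octet wrap-around of the Class B shortcut happens by itself.

```python
# Added example, not part of the original course text: subnet, host and
# broadcast addresses computed by substituting bits, as described above.
# The two networks used are the page's own examples: 211.77.20.0 (Class C,
# 3 subnet bits) and 166.113.0.0 (Class B, 5 subnet bits).


def dotted_to_int(addr: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


class SubnettedNetwork:
    """A classful network divided using a fixed number of subnet ID bits."""

    def __init__(self, network: str, network_bits: int, subnet_bits: int):
        self.network = dotted_to_int(network)
        self.network_bits = network_bits   # 8 (Class A), 16 (Class B), 24 (Class C)
        self.subnet_bits = subnet_bits
        self.host_bits = 32 - network_bits - subnet_bits
        if self.host_bits < 2:
            raise ValueError("a subnet needs at least 2 host ID bits")

    @property
    def subnet_mask(self) -> str:
        prefix = self.network_bits + self.subnet_bits
        return int_to_dotted(((1 << prefix) - 1) << (32 - prefix))

    @property
    def max_hosts(self) -> int:
        # All-zeros (subnet address) and all-ones (broadcast) host IDs are reserved.
        return (1 << self.host_bits) - 2

    def subnet_address(self, subnet_no: int) -> str:
        """Substitute subnet_no into the subnet ID bits; host ID bits stay zero."""
        if not 0 <= subnet_no < (1 << self.subnet_bits):
            raise ValueError(f"subnet #{subnet_no} does not fit in {self.subnet_bits} bits")
        return int_to_dotted(self.network | (subnet_no << self.host_bits))

    def host_address(self, subnet_no: int, host_no: int) -> str:
        """Substitute host_no into the host ID bits of the chosen subnet.

        Working in binary makes the octet wrap-around automatic: host #314 of a
        subnet with 11 host bits carries into the third octet by itself.
        """
        if not 1 <= host_no <= self.max_hosts:
            raise ValueError(f"host #{host_no} is outside 1..{self.max_hosts}")
        base = dotted_to_int(self.subnet_address(subnet_no))
        return int_to_dotted(base | host_no)

    def broadcast_address(self, subnet_no: int) -> str:
        """All-ones host ID, i.e. one less than the next subnet's base address."""
        base = dotted_to_int(self.subnet_address(subnet_no))
        return int_to_dotted(base | ((1 << self.host_bits) - 1))

    def host_range(self, subnet_no: int) -> tuple:
        """First and last usable host addresses of the subnet."""
        return (self.host_address(subnet_no, 1),
                self.host_address(subnet_no, self.max_hosts))


if __name__ == "__main__":
    class_c = SubnettedNetwork("211.77.20.0", 24, 3)
    print(class_c.subnet_address(6), class_c.host_range(6))  # 211.77.20.192 ('211.77.20.193', '211.77.20.222')
    class_b = SubnettedNetwork("166.113.0.0", 16, 5)
    print(class_b.host_address(13, 314))                      # 166.113.105.58
```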
Type "cmd" in the drop-down box next to Open, then click OK. This opens the command prompt. Type "ipconfig" to bring up the network configuration of your computer and press "Enter" on your keyboard. Locate the line that says "IP Address", "IPv4 Address" or something similar. Follow the dotted line over to the right to locate your IP address.

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

As seen in the above example, the IP address as well as other important network information is listed when using the "ipconfig" command. If you have more than one network adapter, e.g. a wireless adapter and a wired network adapter, you'll see each adapter listed when using this command.

Home network and corporate network users

This information is the IP address of your computer in your network. If your computer is connected to the Internet, the IP address shown in this screen will more than likely not be the IP address other people and web pages see. To determine this IP address easily, see the online service section below.

Graphical representation of network settings

Microsoft Windows XP users may get a GUI representation of their network by right-clicking the network icon in their systray and selecting "Status." Within the "Local Area Connection Status" window, click the "Support" tab. Microsoft Windows 98 users may also get a GUI representation of their network settings by clicking Start / Run and typing "ipconfig" in the run line. Unfortunately, not all versions of Windows have this feature.
As seen from the above example, users will commonly see the network settings for all their network devices when running the "ifconfig" command. First in the above example we have the network settings for "lo", the local loopback; next are the actual network settings of your network adapter.

Home network and corporate network users

This information is the IP address of your computer in your network. If your computer is connected to the Internet, the IP address shown in this screen will more than likely not be the IP address other people and web pages see. To determine this IP address easily, see the online service section below.

Apple Macintosh Users

1. From the Apple menu, select the "Apple System Profiler".
2. Open the "Network overview".
3. Open "TCP/IP".

Within this window the user will be able to see the computer's network information, including the IP address.
Computers within a private network are each assigned a unique address in order to exchange files and share resources with one another. The network router, which routes information, will pass data back and forth among the connected computers, using the respective addresses. But how do computers on a private network connect to the Internet? Assuming the network has Internet connectivity, the computer connected to the digital subscriber line (DSL) modem is assigned a public IP address by the Internet Service Provider (ISP). This single public IP address is used to identify the network on the Internet. Now the network's router acts as a gatekeeper between the private network and the public Internet. Using a built-in Network Address Translator (NAT), the router passes requests to the Internet using the assigned public IP address. Returning data is routed back to the public IP address, with the router determining which private IP address requested the information. In essence, the private IP address is daisy-chained to the public IP address through processes in the router.

A public IP address can be static or dynamic. A static public IP address does not change and is used primarily for hosting web pages or services on the Internet. Some gamers also prefer static IPs for interactive gaming. A dynamic public IP address is chosen from a pool of available addresses and changes each time one connects to the Internet. Most people have a dynamic public IP address, as it is the standard type of public IP address assigned when purchasing Internet connectivity. Various freeware programs are available online that will display your computer's assigned public IP address for you. To see private IP addresses you can open your router's configuration dialogs, or, if using Windows XP, type ipconfig at the command prompt. The command prompt is available through Start -> All Programs -> Accessories -> Command Prompt. To leave the command prompt window, type exit.

What are Public IP Addresses?

A public IP address is assigned to every computer that connects to the Internet, and each such IP is unique. Hence there cannot exist two computers with the same public IP address anywhere on the Internet. This addressing scheme makes it possible for the computers to find each other online and exchange information. The user has no control over the public IP address that is assigned to the computer. The public IP address is assigned to the computer by the Internet Service Provider as soon as the computer is connected to the Internet gateway. A public IP address can be either static or dynamic. A static public IP address does not change and is used primarily for hosting web pages or services on the Internet. On the other hand, a dynamic public IP address is chosen from a pool of available addresses and changes each time one connects to the Internet. Most Internet users will only have a dynamic IP assigned to their computer, which is released when the computer is disconnected from the Internet. Thus, when it is reconnected it gets a new IP.

What are Private IP Addresses?

An IP address is considered private if the IP number falls within one of the IP address ranges reserved for private networks such as a Local Area Network (LAN). The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks (local networks):
10.0.0.0 - 10.255.255.255 (Total Addresses: 16,777,216)
172.16.0.0 - 172.31.255.255 (Total Addresses: 1,048,576)
192.168.0.0 - 192.168.255.255 (Total Addresses: 65,536)
Private IP addresses are used for numbering the computers in a private network, including home, school and business LANs in airports and hotels, which makes it possible for the computers in the network to communicate with each other. Say, for example, a network X consists of 10 computers; each of them can be given an IP from 192.168.1.1 to 192.168.1.10. Unlike the public IP, the administrator of the private network is free to assign an IP address of his own choice (provided the IP number falls in the private IP address range mentioned above). Devices with private IP addresses cannot connect directly to the Internet. Likewise, computers outside the local network cannot connect directly to a device with a private IP. It is possible to interconnect two private networks with the help of a router or a similar device that supports Network Address Translation. If the private network is connected to the Internet (through an Internet connection via an ISP) then each computer will have a private IP as well as a public IP. The private IP is used for communication within the network, whereas the public IP is used for communication over the Internet. Most Internet users with a DSL/ADSL connection will have both a private as well as a public IP. You can find your private IP by typing the ipconfig command at the command prompt. The number that you see against "IPv4 Address:" is your private IP, which in most cases will be 192.168.1.1 or 192.168.1.2. Unlike the public IP, private IP addresses are always static in nature.
Unlike what most people assume, a private IP is neither the one which is impossible to trace (just like the private telephone number) nor the one reserved for stealth Internet usage. In reality there is no public IP address that is impossible to trace since the protocol itself is designed for transparency.
Figure 93: IP Routing and Routing Tables

This diagram shows a small, simple internetwork consisting of four LANs, each served by a router. The routing table for each lists the router to which datagrams for each destination network should be sent, and is color coded to match the colors of the networks. Notice that due to the triangle, each of R1, R2 and R3 can send to each other. However, R2 and R3 must send through R1 to deliver to R4, and R4 must use R1 to reach either of the others.

Routing Tables in an Example Internetwork

Let's consider an example (see Figure 93) with routers R1, R2 and R3 connected in a triangle, so that each router can send directly to the others, as well as to its own local network. Suppose R1's local network is 11.0.0.0/8, R2's is 12.0.0.0/8 and R3's is 13.0.0.0/8. (I'm just trying to keep this simple.) R1 knows that any datagram it sees with 11 as the first octet is on its local network. It will also have a routing entry that says that any IP address starting with 12 should go to R2, and any starting with 13 should go to R3. Let's suppose that R1 also connects to another router, R4, which has 14.0.0.0/8 as its local network. R1 will have an entry for this local network. However, R2 and R3 also need to know how to reach 14.0.0.0/8, even though they don't connect to its router directly. Most likely, they will have an entry that says that any datagrams intended for 14.0.0.0/8 should be sent to R1. R1 will then forward them to R4. Similarly, R4 will send any traffic intended for 12.0.0.0/8 or 13.0.0.0/8 through R1.

Note: There is a difference between a routable protocol and a routing protocol. IP is a routable protocol, which means its messages (datagrams) can be routed. Examples of routing protocols are RIP or BGP, which are used to exchange routing information between routers.
IP Routing
Abstract
This chapter describes how IPv4 and IPv6 forward packets from a source to a destination and the basic concepts of routing infrastructure. A network administrator must understand routing tables, route
determination processes, and routing infrastructure when designing IP networks and troubleshooting connectivity problems.
Chapter Objectives
After completing this chapter, you will be able to:
1. Define the basic concepts of IP routing, including direct and indirect delivery, routing tables and their contents, and static and dynamic routing.
2. Explain how IPv4 routing works with the TCP/IP component of Windows, including routing table contents and the route determination process.
3. Define IPv4 route aggregation and route summarization.
4. Configure Windows hosts, static routers, and dynamic routers for routing.
5. Define network address translation and how it is used on the Internet.
6. Explain how IPv6 routing works with the IPv6 component of Windows, including routing table contents and the route determination process.
7. Configure hosts and static routers for the IPv6 component of Windows.
8. Define the use of the Route, Netsh, Ping, Tracert, and Pathping tools in IPv4 and IPv6 routing.
IP Routing Overview
IP routing is the process of forwarding a packet based on the destination IP address. Routing occurs at a sending TCP/IP host and at an IP router. In each case, the IP layer at the sending host or router must decide where to forward the packet. For IPv4, routers are also commonly referred to as gateways. To make these decisions, the IP layer consults a routing table stored in memory. Routing table entries are created by default when TCP/IP initializes, and entries can be added either manually or automatically.
Direct delivery occurs when the IP node (either the sending host or an IP router) forwards a packet to the final destination on a directly attached subnet. The IP node encapsulates the IP datagram in a frame for the Network Interface layer. For a LAN technology such as Ethernet or Institute of Electrical and Electronics Engineers (IEEE) 802.11, the IP node addresses the frame to the destination's media access control (MAC) address. Indirect delivery occurs when the IP node (either the sending host or an IP router) forwards a packet to an intermediate node (an IP router) because the final destination is not on a directly attached subnet. For a LAN technology such as Ethernet or IEEE 802.11, the IP node addresses the frame to the IP router's MAC address.
Direct and indirect delivery In Figure 5-1, when sending packets to Host B, Host A performs a direct delivery. When sending packets to Host C, Host A performs an indirect delivery to Router 1, Router 1 performs an indirect delivery to Router 2, and then Router 2 performs a direct delivery to Host C.
IP Routing Table
A routing table is present on every IP node. The routing table stores information about IP destinations and how packets can reach them (either directly or indirectly). Because all IP nodes perform some form of IP routing, routing tables are not exclusive to IP routers. Any node using the TCP/IP protocol has a routing table. Each table contains a series of default entries according to the configuration of the node, and additional entries can be added manually, for example by administrators that use TCP/IP tools, or automatically, when nodes listen for routing information messages sent by routers. When IP forwards a packet, it uses the routing table to determine:
The next-hop IP address For a direct delivery, the next-hop IP address is the destination address in the IP packet. For an indirect delivery, the next-hop IP address is the IP address of a router.
The next-hop interface The interface identifies the physical or logical interface that forwards the packet.
Destination Either an IP address or an IP address prefix.
Prefix Length The prefix length corresponding to the address or range of addresses in the destination.
Next-Hop The IP address to which the packet is forwarded.
Interface The physical or logical interface that forwards the packet.
Metric A number that indicates the cost of the route so that IP can select the best route, among potentially multiple routes to the same destination. The metric sometimes indicates the number of hops (the number of links to cross) in the path to the destination.
Directly-attached subnet routes Routes for subnets to which the node is directly attached. For directly-attached subnet routes, the Next-Hop field can either be blank or contain the IP address of the interface on that subnet.
Remote subnet routes Routes for subnets that are available across routers and are not directly attached to the node. For remote subnet routes, the Next-Hop field is the IP address of a neighboring router.
Host routes A route to a specific IP address. Host routes allow routing to occur on a per-IP address basis.
Default route Used when a more specific subnet or host route is not present. The next-hop address of the default route is typically the default gateway or default router of the node.
Manually Static IP routers have routing tables that do not change unless a network administrator manually changes them. Static routing requires manual maintenance of routing tables by network administrators. Static routers do not discover remote routes and are not fault tolerant. If a static router fails, neighboring routers do not detect the fault and inform other routers.
Automatically Dynamic IP routers have routing tables that change automatically when the routers exchange routing information. Dynamic routing uses routing protocols, such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), to dynamically update routing tables. Dynamic routers discover remote routes and are fault tolerant. If a dynamic router fails, neighboring routers detect the fault and propagate the changed routing information to the other routers on the network.
Dynamic Routing
Dynamic routing is the automatic updating of routing table entries to reflect changes in network topology. A router with dynamically configured routing tables is known as a dynamic router. Dynamic routers build and maintain their routing tables automatically by using a routing protocol, a series of periodic or on-demand messages that contain routing information. Except for their initial configuration, typical dynamic routers
require little ongoing maintenance and, therefore, can scale to larger networks. The ability to scale and recover from network faults makes dynamic routing the better choice for medium, large, and very large networks. Some widely used routing protocols for IPv4 are RIP, OSPF, and Border Gateway Protocol 4 (BGP-4). Routing protocols are used between routers and represent additional network traffic overhead on the network. You should consider this additional traffic if you must plan WAN link usage. When choosing a routing protocol, you should pay particular attention to its ability to sense and recover from network faults. How quickly a routing protocol can recover depends on the type of fault, how it is sensed, and how routers propagate information through the network. When all the routers on the network have the correct routing information in their routing tables, the network has converged. When convergence is achieved, the network is in a stable state, and all packets are routed along optimal paths. When a link or router fails, the network must reconfigure itself to reflect the new topology by updating routing tables, possibly across the entire network. Until the network reconverges, it is in an unstable state. The time it takes for the network to reconverge is known as the convergence time. The convergence time varies based on the routing protocol and the type of failure, such as a downed link or a downed router. The Routing and Remote Access service in the Microsoft Windows Server 2003 operating systems supports the RIP and OSPF IPv4 routing protocols but no IPv6 routing protocols.
Distance Vector Distance vector routing protocols propagate routing information in the form of an address prefix and its distance (hop count). Routers use these protocols to periodically advertise the routes in their routing tables. Typical distance vector-based routers do not synchronize or acknowledge the routing information they exchange. Distance vector-based routing protocols are easier to understand and configure, but they also consume more network bandwidth, take longer to converge, and do not scale to large or very large networks.
Link State Routers using link state-based routing protocols exchange link state advertisements (LSAs) throughout the network to update routing tables. LSAs consist of address prefixes for the networks to which the router is attached and the assigned costs of those networks. LSAs are advertised upon startup and when a router detects changes in the network topology. Link state-based routers build a database of LSAs and use the database to calculate the optimal routes to add to the routing table. Link state-based routers synchronize and acknowledge the routing information they exchange. Link state-based routing protocols consume less network bandwidth, converge more quickly, and scale to large and very large networks. However, they can be more complex and difficult to configure.
Path Vector Routers use path vector-based routing protocols to exchange sequences of autonomous system numbers that indicate the path for a route. An autonomous system is a portion of a network under the same administrative authority. Autonomous systems are assigned a unique autonomous system identifier. Path vector-based routers synchronize and acknowledge the routing information they exchange. Path vector-based routing protocols consume less network bandwidth, converge more quickly, and scale to networks the size of the Internet. However, they can also be complex and difficult to configure.

IPv4 Routing

IPv4 routing is the process of forwarding an IPv4 packet based on its destination IPv4 address. IPv4 routing occurs at a sending IPv4 host and at IPv4 routers. The forwarding decision is based on the entries in the local IPv4 routing table.
Destination Can be either an IPv4 address or an IPv4 address prefix. For the IPv4 routing table of the TCP/IP component of Windows, this column is named Network Destination in the display of the route print command.
Network Mask The prefix length expressed in subnet mask (dotted decimal) notation. The subnet mask is used to match the destination IPv4 address of the outgoing packet to the value in the Destination field. For the IPv4 routing table of the TCP/IP component of Windows, this column is named Netmask in the display of the route print command.
Next-Hop The IPv4 address to which the packet is forwarded. For the IPv4 routing table of the TCP/IP component of Windows, this column is named Gateway in the display of the route print command. For direct deliveries, the Gateway column lists the IPv4 address assigned to an interface on the computer.
Interface The network interface that is used to forward the IPv4 packet. For the IPv4 routing table of the TCP/IP component of Windows, this column contains an IPv4 address assigned to the interface.
Metric A number used to indicate the cost of the route so that the best route, among potentially multiple routes to the same destination, can be selected. The metric can indicate either the number of links in the path to the destination or the preferred route to use, regardless of number of links.
IPv4 routing table entries can store the following types of routes:
Directly attached subnet routes For directly attached subnet routes, the Next-Hop field is the IPv4 address of the interface on that subnet.
Remote subnet routes For remote subnet routes, the Next-Hop field is the IPv4 address of a neighboring router.
Host routes For IPv4 host routes, the destination is a specific IPv4 address, and the network mask is 255.255.255.255.
Default route The default route is used when a more specific subnet or host route is not found. The default route destination is 0.0.0.0 with the network mask of 0.0.0.0. The next-hop address of the default route is typically the default gateway of the node.
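The route determination process described in this section, and the four-router internetwork of Figure 93 earlier, worked through in code. This is an added example, not the chapter's or the TCP/IP Guide's own code; the routing table columns follow the route print layout described above, while the router interface addresses (on the 192.0.2.0/24 and 198.51.100.0/24 links) are constructed for the example because the page gives none.

```python
# Added example, not the chapter's own code: a minimal IPv4 routing table with
# the columns described above (Network Destination, Netmask, Gateway, Interface,
# Metric), longest-match route determination, and the four-router internetwork
# of Figure 93 built from such tables. Router interface addresses are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer."""
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class Route:
    destination: str  # Network Destination (0.0.0.0 for the default route)
    netmask: str      # Netmask: 255.255.255.255 = host route, 0.0.0.0 = default
    gateway: str      # Gateway: next hop; equals interface on a directly attached subnet
    interface: str    # Interface: IPv4 address of the forwarding interface
    metric: int = 1   # Metric: cost, lower is preferred

    @property
    def prefix_len(self) -> int:
        return bin(to_int(self.netmask)).count("1")

    def matches(self, addr: str) -> bool:
        return to_int(addr) & to_int(self.netmask) == to_int(self.destination)


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dest: str) -> Optional[Route]:
        """Route determination: longest matching prefix, lowest metric on ties."""
        matching = [r for r in self.routes if r.matches(dest)]
        return max(matching, key=lambda r: (r.prefix_len, -r.metric)) if matching else None

    def next_hop(self, dest: str) -> Optional[Tuple[str, str, str]]:
        """(next-hop IP, interface, 'direct' or 'indirect'), or None if unreachable."""
        route = self.lookup(dest)
        if route is None:
            return None
        if route.gateway == route.interface:   # direct delivery: frame to destination's MAC
            return dest, route.interface, "direct"
        return route.gateway, route.interface, "indirect"  # frame to the router's MAC


def direct(prefix: str, mask: str, iface: str) -> Route:
    return Route(prefix, mask, iface, iface)  # Gateway == Interface marks direct delivery


# Figure 93: R1, R2, R3 share constructed link 192.0.2.0/24 (each reaches the
# others directly); R1 and R4 share constructed link 198.51.100.0/24.
ROUTERS = {
    "R1": RoutingTable([
        direct("11.0.0.0", "255.0.0.0", "11.0.0.1"),
        direct("192.0.2.0", "255.255.255.0", "192.0.2.1"),
        direct("198.51.100.0", "255.255.255.0", "198.51.100.1"),
        Route("12.0.0.0", "255.0.0.0", "192.0.2.2", "192.0.2.1"),
        Route("13.0.0.0", "255.0.0.0", "192.0.2.3", "192.0.2.1"),
        Route("14.0.0.0", "255.0.0.0", "198.51.100.4", "198.51.100.1"),
    ]),
    "R2": RoutingTable([
        direct("12.0.0.0", "255.0.0.0", "12.0.0.1"),
        direct("192.0.2.0", "255.255.255.0", "192.0.2.2"),
        Route("11.0.0.0", "255.0.0.0", "192.0.2.1", "192.0.2.2"),
        Route("13.0.0.0", "255.0.0.0", "192.0.2.3", "192.0.2.2"),
        Route("14.0.0.0", "255.0.0.0", "192.0.2.1", "192.0.2.2"),  # 14/8 via R1
    ]),
    "R3": RoutingTable([
        direct("13.0.0.0", "255.0.0.0", "13.0.0.1"),
        direct("192.0.2.0", "255.255.255.0", "192.0.2.3"),
        Route("11.0.0.0", "255.0.0.0", "192.0.2.1", "192.0.2.3"),
        Route("12.0.0.0", "255.0.0.0", "192.0.2.2", "192.0.2.3"),
        Route("14.0.0.0", "255.0.0.0", "192.0.2.1", "192.0.2.3"),  # 14/8 via R1
    ]),
    "R4": RoutingTable([
        direct("14.0.0.0", "255.0.0.0", "14.0.0.1"),
        direct("198.51.100.0", "255.255.255.0", "198.51.100.4"),
        Route("0.0.0.0", "0.0.0.0", "198.51.100.1", "198.51.100.4"),  # default: all via R1
    ]),
}
# Which router owns each interface address, so a next hop can be followed.
OWNER = {r.interface: name for name, t in ROUTERS.items() for r in t.routes}


def forward(start: str, dest: str, max_hops: int = 16) -> list:
    """Hand the packet router to router; return the routers it passes through."""
    path, router = [start], start
    for _ in range(max_hops):
        hop = ROUTERS[router].next_hop(dest)
        if hop is None:
            raise LookupError(f"{router}: no route to {dest}")
        next_ip, _iface, kind = hop
        if kind == "direct":
            return path
        router = OWNER[next_ip]
        path.append(router)
    raise RuntimeError("hop limit exceeded; check for a routing loop")
```

forward("R2", "14.0.0.9") returns ['R2', 'R1', 'R4'] and forward("R4", "12.0.0.5") returns ['R4', 'R1', 'R2'], the paths the Figure 93 discussion describes; R4 reaches the other networks through its default route alone.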
server at one level knows the name of the servers that are responsible for subdomains in zones below it at the next level. Suppose we start with the fully-qualified domain name (FQDN) C.B.A.. Formally, every name resolution begins with the root of the tree; this is why the root name servers are so important. It's possible that the root name servers are authoritative for this name, but probably not; that's not what the root name servers are usually used for. What the root name server does know is the name of the server responsible for the top-level domain, A.. The name server for A. in turn may have the information to resolve C.B.A.. It's still fairly high-level, though, so C.B.A. is probably not directly within its zone. In that case, it will not know the address we seek, but it will know the name of the server responsible for B.A.. In turn, that name server may be authoritative for C.B.A., or it may just know the address of the server for C.B.A., which will have the information we need. As you can see, it is very possible that several different servers may be needed in a name resolution.

Key Concept: Since DNS name information is stored as a distributed database spread across many servers, name resolution cannot usually be performed using a single request/response communication. It is first necessary to find the correct server that has the information that the resolver requires. This usually requires a sequence of message exchanges, starting from a root name server and proceeding down to the specific server containing the resource records that the client requires.

DNS Name Resolution Techniques

The DNS standards actually define two distinct ways of following this hierarchy of servers to discover the correct one. They both eventually lead to the right device, but they differ in how they assign responsibility for resolution when it requires multiple steps.
Iterative Resolution

When a client sends an iterative request to a name server, the server responds with either the answer to the request (for a regular resolution, the IP address we want) or the name of another server that has the information or is closer to it. The original client must then iterate by sending a new request to this referred server, which again may either answer it or provide another server name. The process continues until the right server is found; the method is illustrated in Figure 243. In this example, the client is performing a name resolution for C.B.A. using strictly iterative resolution. It is thus responsible for forming all DNS requests and processing all replies. It starts by sending a request to the root name server for this mythical hierarchy. That server doesn't have the address of C.B.A., so it instead returns the address of the name server for A.. The client then sends its query to that name server, which points the client to the server for B.A.. That name server refers the client to the name server that actually has the address for C.B.A., which returns it to the client. Contrast this to Figure 244.

Figure 243: Iterative DNS Name Resolution

Recursive Resolution

When a client sends a recursive request to a name server, the server responds with the answer if it has the information sought. If it doesn't, the server takes responsibility for finding the answer by becoming a client on behalf of the original client and sending new requests to other servers. The original client only sends one request, and eventually gets the information it wants (or an error message if it is not available). This technique is shown in Figure 244. This is the same theoretical DNS resolution that I showed in Figure 243, but this time, the client asks the name servers to perform recursive resolution and they agree to do so. As in the iterative case, the client sends its initial request to the root name server. That server doesn't have the address of C.B.A., but instead of merely returning to the client the address of the name server for A., it sends a request to that server itself. That name server sends a request to the server for B.A., which in turn sends a request to the server for C.B.A.. The address of C.B.A. is then carried back up the chain of requests, from the server of C.B.A. to that of B.A., then A., then the root, and then finally, back to the client.
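The two resolution styles of Figures 243 and 244, simulated over the root, A., B.A. and C.B.A. hierarchy described above. This is an added example and not code from the original text; the server names (root, ns.A, ns.B.A, ns.C.B.A), the answer 192.0.2.10 and the (asker, server) query log are constructed so that the difference in who sends each query is visible.

```python
# Added example, not from the original text: a toy name server tree for the
# names root, A., B.A. and C.B.A. discussed above, resolved both ways. Server
# names, the answer 192.0.2.10 and the query log format are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NameServer:
    name: str
    records: Dict[str, str] = field(default_factory=dict)        # names it is authoritative for
    delegations: Dict[str, "NameServer"] = field(default_factory=dict)  # child zone -> server

    def referral_for(self, fqdn: str) -> Optional["NameServer"]:
        """Server of the most specific delegated zone that contains fqdn, if any."""
        best_zone, best_server = "", None
        for zone, server in self.delegations.items():
            in_zone = fqdn == zone or fqdn.endswith("." + zone)
            if in_zone and len(zone) > len(best_zone):
                best_zone, best_server = zone, server
        return best_server

    def query_iterative(self, fqdn: str) -> Tuple[Optional[str], Optional["NameServer"]]:
        """Answer if known; otherwise refer the asker to a closer server (or to nobody)."""
        if fqdn in self.records:
            return self.records[fqdn], None
        return None, self.referral_for(fqdn)

    def query_recursive(self, fqdn: str, asker: str, log: List[Tuple[str, str]],
                        depth: int = 8) -> str:
        """Resolve fqdn on the asker's behalf, chasing referrals ourselves."""
        log.append((asker, self.name))
        if fqdn in self.records:
            return self.records[fqdn]
        nxt = self.referral_for(fqdn)
        if nxt is None or depth == 0:
            raise LookupError(f"{self.name}: cannot resolve {fqdn}")
        return nxt.query_recursive(fqdn, self.name, log, depth - 1)


def resolve_iterative(client: str, root: NameServer, fqdn: str,
                      log: List[Tuple[str, str]], max_steps: int = 8) -> str:
    """The client itself follows each referral; log records (asker, server) pairs."""
    server = root
    for _ in range(max_steps):
        log.append((client, server.name))
        answer, referral = server.query_iterative(fqdn)
        if answer is not None:
            return answer
        if referral is None:
            raise LookupError(f"{server.name}: no answer and no referral for {fqdn}")
        server = referral
    raise LookupError("too many referrals")


def build_tree() -> NameServer:
    """root -> ns.A -> ns.B.A -> ns.C.B.A, the hierarchy of Figures 243 and 244."""
    ns_cba = NameServer("ns.C.B.A", records={"C.B.A.": "192.0.2.10"})
    ns_ba = NameServer("ns.B.A", delegations={"C.B.A.": ns_cba})
    ns_a = NameServer("ns.A", delegations={"B.A.": ns_ba})
    return NameServer("root", delegations={"A.": ns_a})


if __name__ == "__main__":
    root = build_tree()
    it_log: List[Tuple[str, str]] = []
    print(resolve_iterative("client", root, "C.B.A.", it_log), it_log)
    rec_log: List[Tuple[str, str]] = []
    print(root.query_recursive("C.B.A.", "client", rec_log), rec_log)
```

In the iterative log every query comes from the client; in the recursive log the client sends one query and each server asks the next one down the chain.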
The hierarchical domain name system, organized into zones, each served by a name server
Table 7-1 Standard Methods of Host Name Resolution

Resolution Method: Description

Host name: The configured host name for the computer as displayed in the output of the Hostname tool. This name is compared to the destination host name.
Hosts file: A local text file in the same format as the 4.3 Berkeley Software Distribution (BSD) UNIX /etc/hosts file. This file maps host names to IP addresses. For TCP/IP for Windows XP and Windows Server 2003, the contents of the Hosts file are loaded into the DNS client resolver cache. For more information, see "The DNS Client Resolver Cache" in this chapter.
DNS server: A server that maintains a database of IP address-to-host name mappings and has the ability to query other DNS servers for mappings that it does not contain.

Table 7-2 lists the additional methods used by TCP/IP for Windows XP and Windows Server 2003 to resolve host names.

Resolution Method: Description

DNS client resolver cache: A random access memory (RAM)-based table of the entries listed in the local Hosts file and the names that were attempted for resolution by using a DNS server.
NetBIOS name cache: A RAM-based table of recently resolved NetBIOS names and their associated IPv4 addresses.
NetBIOS name server (NBNS): A server that resolves NetBIOS names to IPv4 addresses, as specified by Requests for Comments (RFCs) 1001 and 1002. The Microsoft implementation of an NBNS is a Windows Internet Name Service (WINS) server.
Local broadcast: Up to three NetBIOS Name Query Request messages are broadcast on the local subnet to resolve the IPv4 address of a specified NetBIOS name.
Lmhosts file: A local text file that maps NetBIOS names to IPv4 addresses for NetBIOS processes running on computers located on remote subnets.
There are many methods of linking computers together, the most well-used of which are copper wires, fiber optics and radio waves. Information can be transmitted through electrical impulses over copper wire, light impulses over fiber optics or radio waves from one computer to another. The section on types of network links discusses this topic in more detail. How Do Computers Know How to Talk to Each Other? When you hear someone speaking in an unfamiliar language, you cannot understand what she is saying, even though your ear is picking up the sound waves coming from her vocal chords. Similarly, computers on a network will not be able to communicate unless they are able to speak the same "language." The languages by which computers communicate over a network are called protocols. Protocols tell computers how to send and receive data and what to do with the data after they receive it. Computers send data in small pieces instead of all at once. Since the data is digital, it is already divided into bits, so sending the data piece by piece is easy. These pieces of data are then sent in packets across the network. A packet is the computer equivalent of an envelope. On the outside of the envelope are a source address, a destination address and some basic synchronization information. Inside the envelope is the original data as well as protocol information. For more details, see the diagram of a packet in a later section. Multiple protocols can be used during data transmission. For example, one protocol might be used to determine how the packet is routed through the network, another protocol could be used to resolve any congestion problems that the packet encounters during transmission and yet another protocol could tell the recipient computer how to interpret the data it is receiving. You can think of protocols as placing the original data in another envelope. 
When a packet arrives at its destination, therefore, the first envelope, which has address information, is stripped off the packet and the next envelope is examined. After analyzing the protocol instructions, that envelope is removed and the next is examined. This process continues until the original data is recovered. Basic protocols are usually implemented in hardware or are part of the basic operating system of a computer. TCP/IP, IPX, and AppleTalk are examples of such protocols and are the three most commonly used protocols at Princeton. For more information see the section on network protocols. Other protocols are specific to certain types of applications. The transfer of web pages, for example, uses a protocol called HyperText Transfer Protocol, or HTTP. These types of protocols are discussed in the network applications section.

How Does a Packet Travel through a Network?

Let's say that I want to send information to one of the servers here at Princeton. Here's how it would happen: My computer would take the first chunk of the data I want to send and wrap it in a protocol envelope. This envelope would then be passed to my network card, which is connected via copper wire, for example, to the rest of the network. The network card would put another envelope around the data and then transmit the whole packet over the wire. Any gateways connected to that wire would look at the destination address for the packet and, if possible, pass the packet farther along the path towards its destination. This process would be repeated at other gateways along the packet's path until the final gateway transmits the packet to its final destination. The destination computer would then strip off the envelopes and process the data.
Address Resolution Protocol - (ARP) A method for finding a host's Ethernet address from its Internet address. The sender broadcasts an ARP packet containing the Internet address of another host and waits for it (or some other host) to send back its Ethernet address. Each host maintains a cache of address translations to reduce delay and loading. ARP allows the Internet address to be independent of the Ethernet address but it only works if all hosts support it.
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's Link Layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. This function is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router must be determined. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37. ARP has been implemented in many types of networks, such as Internet Protocol (IP), CHAOS, DECNET, Xerox PARC Universal Packet, Token Ring, FDDI, IEEE 802.11 and other LAN technologies, as well as the modern high capacity networks, such as Asynchronous Transfer Mode (ATM).

Packet structure

The Address Resolution Protocol uses a simple message format that contains one address resolution request or response. The size of the ARP message depends on the upper layer and lower layer address sizes, which are given by the type of networking protocol (usually IPv4) in use and the type of hardware or virtual link layer that the upper layer protocol is running on. The message header specifies these types, as well as the size of addresses of each. The message header is completed with the operation code for request (1) and reply (2). The payload of the packet consists of four addresses, the hardware and protocol address of the sender and receiver hosts. The principal packet structure of ARP packets is shown in the following table, which illustrates the case of IPv4 networks running on Ethernet. In this scenario, the packet has 48-bit fields for the sender hardware address (SHA) and target hardware address (THA), and 32-bit fields for the corresponding sender and target protocol addresses (SPA and TPA). Thus, the ARP packet size in this case is 28 bytes.
Internet Protocol (IPv4) over Ethernet ARP packet

bit offset   bits 0-7                           bits 8-15
0            Hardware type (HTYPE)
16           Protocol type (PTYPE)
32           Hardware address length (HLEN)     Protocol address length (PLEN)
48           Operation (OPER)
64           Sender hardware address (SHA) (first 16 bits)
80           (next 16 bits)
96           (last 16 bits)
112          Sender protocol address (SPA) (first 16 bits)
128          (last 16 bits)
144          Target hardware address (THA) (first 16 bits)
160          (next 16 bits)
176          (last 16 bits)
192          Target protocol address (TPA) (first 16 bits)
208          (last 16 bits)

Hardware type (HTYPE): This field specifies the Link Layer protocol type. Example: Ethernet is 1.
Protocol type (PTYPE): This field specifies the upper layer protocol for which the ARP request is intended. For IPv4, this has the value 0x0800. The permitted PTYPE values share a numbering space with those for EtherType.
Hardware length (HLEN): Length (in octets) of a hardware address. An Ethernet address is 6 octets.
Protocol length (PLEN): Length (in octets) of addresses used in the upper layer protocol (the protocol specified in PTYPE). An IPv4 address is 4 octets.
Operation (OPER): Specifies the operation that the sender is performing: 1 for request, 2 for reply.
Sender hardware address (SHA): Hardware (MAC) address of the sender.
Sender protocol address (SPA): Upper layer protocol address of the sender.
Target hardware address (THA): Hardware address of the intended receiver. This field is ignored in requests.
Target protocol address (TPA): Upper layer protocol address of the intended receiver.
Inverse ARP
Inverse Address Resolution Protocol (InARP): Additions to ARP typically used for Frame Relay. Frame Relay stations route frames of a higher level protocol between LANs, across a Permanent Virtual Circuit. These stations are identified by their Data Link Connection Identifier (DLCI), the equivalent of an Ethernet address within the Frame Relay network. InARP allows a station to determine a protocol address (e.g. an IP address) from a DLCI. This is useful if a new virtual circuit becomes available: signalling messages announce its DLCI, but without the corresponding protocol address it is unusable, since no frames can be routed to it. Reverse ARP (RARP) performs a similar task on an Ethernet LAN; however, RARP answers the question "What is my IP address?" whereas InARP answers the question "What is your protocol address?".
Proxy ARP
ARP was designed to be used by devices that are directly connected on a local network. Each device on the network should be capable of sending both unicast and broadcast transmissions directly to every other one. Normally, if device A and device B are separated by a router, they would not be considered local to each other. Device A would not send directly to B or vice versa; at layer two they would send to the router instead, and at layer three they would be considered two hops apart.

Why Proxy ARP Is Needed

In contrast to the normal situation, in some networks there might be two physical network segments connected by a router that are in the same IP network or subnetwork. In other words, device A and device B might be on different networks at the data link layer, but on the same IP network or subnet. When this happens, A and B will each think the other is on the local network when they look to send IP datagrams. In this situation, suppose that A wants to send a datagram to B. It doesn't have B's hardware address in its cache, so it begins an address resolution. When it broadcasts the ARP Request message to get B's hardware address, however, it will quickly run into a problem: B is in fact not on A's local network. The router between them will not pass A's broadcast onto B's part of the network, because routers don't forward hardware-layer broadcasts. B will never get the request and thus A will not get a reply containing B's hardware address.

Proxy ARP Operation

The solution to this situation is called ARP proxying or Proxy ARP. In this technique, the router that sits between the local networks is configured to respond to device A's broadcast on behalf of device B. It does not send back to A the hardware address of device B; since they are not on the same network, A cannot send directly to B anyway. Instead, the router sends A its own hardware address. A then sends to the router, which forwards the message to B on the other network.
Of course, the router also does the same thing on A's behalf for B, and for every other device on both networks, whenever a broadcast is sent that targets a device not on the same physical network as the resolution initiator. This is illustrated in Figure 50. In this small internetwork, a single router connects two LANs that are on the same IP network or subnet. The router will not pass ARP broadcasts, but has been configured to act as an ARP proxy. In this example, device A and device D are each trying to send an IP datagram to the other, and so each broadcasts an ARP Request. The router responds to the request sent by device A as if it were device D, giving A its own hardware address (without propagating device A's broadcast). It will forward the message sent by A to D on D's network. Similarly, it responds to device D as if it were device A, giving its own address, then forwarding what D sends to it over to the network where A is located.

Figure 50: ARP Proxy Operation

Proxy ARP provides flexibility for networks where hosts are not all actually on the same physical network but are configured as if they were at the network layer. It can be used to provide support in other special situations where a device cannot respond directly to ARP message broadcasts, for example when a firewall sits between the hosts and answers ARP on their behalf. A type of proxying is also used as part of the Mobile IP protocol, to solve the problem of address resolution when a mobile device travels away from its home network.

Key Concept: Since ARP relies on broadcasts for address resolution, and broadcasts are not propagated beyond a physical network, ARP cannot function between devices on different physical networks. When such operation is required, a device such as a router can be configured as an ARP proxy to respond to ARP requests on behalf of a device on a different network.
Advantages of Proxy ARP

The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network. Proxy ARP is needed on networks where IP hosts are not configured with a default gateway or have no routing intelligence of their own.

Disadvantages of Proxy ARP

Hosts have no idea of the physical details of their network and assume it to be a flat network in which they can reach any destination simply by sending an ARP request. But using ARP for everything has disadvantages. These are some of them:

- It increases the amount of ARP traffic on your segment.
- Hosts need larger ARP tables in order to hold the IP-to-MAC address mappings of every destination, not just those on their own segment.
- Security can be undermined. ARP replies carry no authentication, so a machine can claim to be another in order to intercept packets, an act called "spoofing." With a proxy answering for off-segment addresses, a host has no way to tell a legitimate proxy reply from a forged one.
- It does not work for networks that do not use ARP for address resolution.
- It does not generalize to all network topologies, for example when more than one router connects the two physical networks.
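The following Python is an added example, not code from the original notes. It implements the 28-byte IPv4-over-Ethernet ARP packet laid out in the Packet structure section above, plays the request/reply exchange from both sides, and then scans a constructed capture for the spoofing risk listed above: a reply that rebinds an IP address already seen to a different MAC address. All MAC and IP addresses are made up for the example, and the detection is a heuristic (a legitimate NIC replacement or failover also changes a mapping), so it is a starting point for alerting rather than proof of an attack.

```python
"""Build and parse IPv4-over-Ethernet ARP packets, replay a request/reply
exchange, and flag replies that rebind an IP address to a new MAC.
Added example; not part of the original notes."""
import struct

# Field layout from the packet structure section: HTYPE, PTYPE, HLEN, PLEN,
# OPER, then SHA(6) SPA(4) THA(6) TPA(4) for Ethernet/IPv4, network byte order.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)      # 28 bytes
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(pkt):
    """Decode one ARP packet; reject anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < ARP_LEN:
        raise ValueError(f"short ARP packet: {len(pkt)} bytes")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    if oper not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP operation {oper}")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip.' THA is ignored in requests, so it is zeroed."""
    return build_arp(OP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(request, my_mac, my_ip):
    """The target's side of the exchange: answer only if the request is for my_ip."""
    req = parse_arp(request)
    if req["oper"] != OP_REQUEST or req["tpa"] != my_ip:
        return None
    # The reply goes back to the requester: its SHA/SPA become our THA/TPA.
    return build_arp(OP_REPLY, my_mac, my_ip, req["sha"], req["spa"])


def find_rebindings(packets):
    """Walk a capture keeping an IP->MAC table; report replies that change an
    existing entry. Heuristic only: a legitimate NIC swap also triggers it."""
    table, alerts = {}, []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp["oper"] != OP_REPLY:
            continue
        known = table.get(arp["spa"])
        if known is not None and known != arp["sha"]:
            alerts.append((arp["spa"], known, arp["sha"]))
        table[arp["spa"]] = arp["sha"]
    return alerts


# Constructed sample: host A resolves its gateway, then a third machine sends
# an unsolicited reply claiming the gateway's IP (all addresses are made up).
A_MAC, GW_MAC, EVIL_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:99"
A_IP, GW_IP = "10.0.0.5", "10.0.0.1"
REQUEST = arp_request(A_MAC, A_IP, GW_IP)
SAMPLE_CAPTURE = [
    REQUEST,
    arp_reply(REQUEST, GW_MAC, GW_IP),
    build_arp(OP_REPLY, EVIL_MAC, GW_IP, A_MAC, A_IP),
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(pkt.hex(), parse_arp(pkt))
    print(find_rebindings(SAMPLE_CAPTURE))
```

Running the block prints the three packets and one alert, ("10.0.0.1", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:99"). On a real segment the same table would be fed from a packet capture and compared against a DHCP lease list or switch port-security data before raising an alarm.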
Subnet Masks
A subnet mask allows you to identify which part of an IP address is reserved for the network, and which part is available for host use. If you look at the IP address alone, especially now with classless inter-domain routing, you cannot tell which part of the address is which. Adding the subnet mask, or netmask, gives you all the information you need to calculate the network and host portions of the address with ease. In summary, knowing the subnet mask allows you to easily calculate whether two IP addresses are on the same subnet or not.

Determining network and host portions of an IP address using a subnet mask

To determine the network address for any given IP address, convert both the address and the mask from dotted-decimal into binary and perform a bitwise AND. An example using an IP address of 156.154.81.56 with a network mask of 255.255.255.240 follows:

IP Address:   10011100.10011010.01010001.00111000   (156.154.81.56)
Subnet Mask:  11111111.11111111.11111111.11110000   (255.255.255.240)
Bitwise AND:  10011100.10011010.01010001.00110000   (156.154.81.48)

As you can see, the network address for the IP address and subnet mask in question is 156.154.81.48. Determining how many hosts can be on this subnet is a simple operation. Count the number of zero bits at the right-hand end of the subnet mask; these are the host bits. That number is the power to which you raise 2. You must also subtract two from the result because two addresses are reserved: the all-zeros host portion is the network address and the all-ones host portion is the broadcast address. This leaves you with the formula 2^n - 2. In this case the mask has 4 host bits, giving 2^4 - 2 = 14 possible hosts. This means that your network address is 156.154.81.48, that you have a range of addresses available to hosts from 156.154.81.49 to 156.154.81.62, and that the broadcast address for this network is 156.154.81.63.

Are subnet masks necessary?

Subnet masks are critical to communications on an IP network. Network devices use the target IP address and the configured netmask to determine whether the destination host is on the local subnet or on a remote network. This is important because devices act differently depending on the result. If the subnet is local, the device sends an ARP request to retrieve the MAC or hardware address of the system in question and communicates over the data-link layer. If the address is found to be on a remote network, the device routes packets to the gateway in its routing table that is set to handle that network. If no routing table entry matches that network, the packets are sent to the default route. If no default route is defined, the packets are dropped with nowhere left to go.
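As an added worked example (not from the original notes), the following Python carries out the arithmetic above for any address and mask, and also makes the local-versus-remote decision described in the last paragraph: ARP directly if the destination shares the subnet, otherwise pick the longest-matching route, then the default gateway, then drop. The 10.0.0.0/8 route and the gateway addresses in the sample routing table are made up.

```python
"""Subnet arithmetic: network address, broadcast, host range, usable host
count, and the local-versus-remote decision a host makes before sending.
Added example; not part of the original notes."""


def ip_to_int(ip):
    """Dotted-decimal IPv4 string to a 32-bit integer, rejecting bad octets."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip):
    """Dotted-binary form, as in the worked example in the text."""
    n = ip_to_int(ip)
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """Count the one bits of a mask; reject non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def subnet_info(ip, mask):
    """Network, broadcast, first/last host and usable host count (2^n - 2)."""
    prefix = mask_to_prefix(mask)
    host_bits = 32 - prefix
    net = ip_to_int(ip) & ip_to_int(mask)          # the bitwise AND from the text
    bcast = net | ((1 << host_bits) - 1)            # host bits all ones
    # /31 and /32 leave no room for separate network and broadcast addresses
    usable = (1 << host_bits) - 2 if host_bits >= 2 else 0
    return {
        "prefix": prefix,
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(net + 1) if usable else None,
        "last_host": int_to_ip(bcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def same_subnet(ip_a, ip_b, mask):
    m = ip_to_int(mask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)


def next_hop(src_ip, src_mask, dst_ip, routes, default_gw=None):
    """Decide how a host reaches dst_ip.

    routes is a list of (network, mask, gateway) tuples; the longest matching
    prefix wins, as in a real routing table. Returns (action, address) where
    action is "arp" (resolve dst directly), "route", "default" or "drop".
    """
    if same_subnet(src_ip, dst_ip, src_mask):
        return ("arp", dst_ip)
    best = None
    dst = ip_to_int(dst_ip)
    for network, mask, gateway in routes:
        if (dst & ip_to_int(mask)) == ip_to_int(network):
            prefix = mask_to_prefix(mask)
            if best is None or prefix > best[0]:
                best = (prefix, gateway)
    if best is not None:
        return ("route", best[1])
    if default_gw is not None:
        return ("default", default_gw)
    return ("drop", None)


if __name__ == "__main__":
    print(to_binary("156.154.81.56"), to_binary("255.255.255.240"))
    print(subnet_info("156.154.81.56", "255.255.255.240"))
    # Constructed routing table: one static route plus a default gateway (made up)
    routes = [("10.0.0.0", "255.0.0.0", "156.154.81.50")]
    for dst in ("156.154.81.60", "10.1.2.3", "8.8.8.8"):
        print(dst, next_hop("156.154.81.56", "255.255.255.240", dst, routes, "156.154.81.49"))
```

The mask check in mask_to_prefix matters in practice: a mistyped non-contiguous mask silently changes which addresses a host treats as local, and therefore which destinations it will ARP for instead of routing.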
UNIT V
Classful network:
A classful network is a network addressing architecture used in the Internet from 1981 until the introduction of Classless Inter-Domain Routing in 1993. The method divides the address space for Internet Protocol Version 4 (IPv4) into five address classes. Each class, coded in the first four bits of the address, defines either a different network size, i.e. number of hosts for unicast addresses (classes A, B, C), or a multicast network (class D). The fifth class (E) address range is reserved for future or experimental purposes.
Background
Originally, a 32-bit IPv4 address was logically subdivided into the network number field, the most-significant 8 bits of an address, which specified the particular network a host was attached to, and the local address, also called the rest field (the rest of the address), which uniquely identifies a host connected to that network. This format was sufficient at a time when only a few large networks existed, such as the ARPANET, which was assigned the network number 10, and before the wide proliferation of local area networks (LANs). As a consequence of this architecture, the address space supported only a low number (254) of independent networks, and it became clear very early on that this would not be enough.
The new addressing architecture was introduced by RFC 791 in 1981 as a part of the specification of the Internet Protocol. It divided the address space into primarily three address formats, henceforth called address classes, and left a fourth range reserved to be defined later. The first class, designated as Class A, contained all addresses in which the most significant bit is zero. The network number for this class is given by the next 7 bits, therefore accommodating 128 networks in total, including the zero network, and including the existing IP networks already allocated. A Class B network was a network in which all addresses had the two most-significant bits set to 1 and 0. For these networks, the network address was given by the next 14 bits of the address, thus leaving 16 bits for numbering hosts on the network, for a total of 65536 addresses per network. Class C was defined with the 3 high-order bits set to 1, 1, and 0, and designating the next 21 bits to number the networks, leaving each network with 256 local addresses. The leading bit sequence 111 designated an "escape to extended addressing mode", which was later subdivided into Class D (1110) for multicast addressing, while leaving as reserved for future use the 1111 block designated as Class E.
Class   Leading bits   Size of network number bit field   Size of rest bit field   Number of networks   Start address   End address
A       0              8                                  24                       128 (2^7)            0.0.0.0         127.255.255.255
B       10             16                                 16                       16,384 (2^14)        128.0.0.0       191.255.255.255
C       110            24                                 8                        2,097,152 (2^21)     192.0.0.0       223.255.255.255
D       1110           not defined                        not defined              not defined          224.0.0.0       239.255.255.255
E       1111           not defined                        not defined              not defined          240.0.0.0       255.255.255.255
The number of addresses usable for addressing specific hosts in each network is always 2^N - 2 (where N is the number of rest field bits, and the subtraction of 2 adjusts for the use of the all-bits-zero host portion as the network address and the all-bits-one host portion as the broadcast address). Thus, for a Class C address with 8 bits available in the host field, the number of hosts is 254.
Bit-wise representation
In the following table:
n indicates a binary slot used for network ID. H indicates a binary slot used for host ID. X indicates a binary slot (without specified purpose)
Class A
    0.0.0.0         = 00000000.00000000.00000000.00000000
    127.255.255.255 = 01111111.11111111.11111111.11111111
    0nnnnnnn.HHHHHHHH.HHHHHHHH.HHHHHHHH
Class B
    128.0.0.0       = 10000000.00000000.00000000.00000000
    191.255.255.255 = 10111111.11111111.11111111.11111111
    10nnnnnn.nnnnnnnn.HHHHHHHH.HHHHHHHH
Class C
    192.0.0.0       = 11000000.00000000.00000000.00000000
    223.255.255.255 = 11011111.11111111.11111111.11111111
    110nnnnn.nnnnnnnn.nnnnnnnn.HHHHHHHH
Class D
    224.0.0.0       = 11100000.00000000.00000000.00000000
    239.255.255.255 = 11101111.11111111.11111111.11111111
    1110XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX
Class E
    240.0.0.0       = 11110000.00000000.00000000.00000000
    255.255.255.255 = 11111111.11111111.11111111.11111111
    1111XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX
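The following Python is an added example, not code from the original notes. It derives the class, leading-bit pattern, first-octet range, default mask, network count and host count directly from the bit layout in the table above (rather than from a lookup table), and then shows why the classful assumption fails for a subnetted address: the 156.154.81.56 example from the subnet mask section is Class B, so a classful router would place it in 156.154.0.0, while the /28 mask actually in use places it in 156.154.81.48.

```python
"""Classify IPv4 addresses by their leading bits (the RFC 791 classful scheme)
and derive each class's default mask, network count and host count from the
bit layout. Added example; not part of the original notes."""


def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(ip):
    """Return the class, its leading-bit pattern and first-octet range, and for
    classes A-C the default mask, network count, host count and the classful
    network the address belongs to."""
    addr = ip_to_int(ip)
    first = addr >> 24
    # Count leading one bits of the first octet: A=0, B=1, C=2, D=3, E=4.
    lead = 0
    while lead < 4 and (first >> (7 - lead)) & 1:
        lead += 1
    pattern_len = min(lead + 1, 4)              # "0", "10", "110", "1110", "1111"
    pattern = ((1 << lead) - 1) << (pattern_len - lead)
    start = pattern << (8 - pattern_len)        # lowest first octet in the class
    end = start | ((1 << (8 - pattern_len)) - 1)  # highest first octet
    info = {
        "class": "ABCDE"[lead],
        "leading_bits": format(pattern, f"0{pattern_len}b"),
        "range": (f"{start}.0.0.0", f"{end}.255.255.255"),
    }
    if lead > 2:
        info["purpose"] = "multicast" if lead == 3 else "reserved"
        return info
    net_bits = 8 * (lead + 1)                   # 8, 16 or 24
    mask = (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF
    info.update({
        "network_bits": net_bits,
        "default_mask": int_to_ip(mask),
        "networks": 1 << (net_bits - pattern_len),         # 2^7, 2^14, 2^21
        "hosts_per_network": (1 << (32 - net_bits)) - 2,  # 2^N - 2
        "network": int_to_ip(addr & mask),
    })
    return info


def classful_vs_cidr(ip, cidr_mask):
    """Network the address falls in under its class's default mask versus under
    the mask actually configured."""
    classful_net = classify(ip).get("network")     # None for classes D and E
    cidr_net = int_to_ip(ip_to_int(ip) & ip_to_int(cidr_mask))
    return classful_net, cidr_net


if __name__ == "__main__":
    for ip in ("10.1.2.3", "156.154.81.56", "192.168.1.1", "224.0.0.9", "240.0.0.1"):
        print(ip, classify(ip))
    print(classful_vs_cidr("156.154.81.56", "255.255.255.240"))
```

The last line prints ("156.154.0.0", "156.154.81.48"): the same address is read as two different networks depending on whether the class or the configured mask is consulted, which is exactly the ambiguity that made carrying the mask with every prefix (CIDR) necessary.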
2. You are working in a word processing program, which is run from the file server. Your data comes back to you in an unintelligible manner. Which layer of the OSI model would you investigate? 1. Application layer 2. Presentation layer 3. Session layer 4. Network layer 5. Datalink layer
3. IEEE subdivided the datalink layer to provide for environments that need connectionless or connection-oriented services. What are the two layers called?
1. Physical
2. MAC
3. LLC
4. Session
5. IP
4. You are working with graphic translations. Which layer of the OSI model is responsible for code formatting and conversion and graphic standards? 1. Network layer 2. Session layer 3. Transport layer 4. Presentation layer
5. Which is the best definition of encapsulation? 1. Each layer of the OSI model uses encryption to put the PDU from the upper layer into its data field. It adds header and trailer information that is available to its counterpart on the system that will receive it. 2. Data always needs to be tunneled to its destination so encapsulation must be used. 3. Each layer of the OSI model uses compression to put the PDU from the upper layer into its data field. It adds header and trailer information that is available to its counterpart on the system that will receive it. 4. Each layer of the OSI model uses encapsulation to put the PDU from the upper layer into its data field. It adds header and trailer information that is available to its counterpart on the system that will receive it.
6. Routers can be configured using several sources. Select which of the following sources can be used. 1. Console Port 2. Virtual Terminals 3. TFTP Server 4. Floppy disk 5. Removable media
7. Which memory component on a Cisco router contains the dynamic system configuration? 1. ROM 2. NVRAM 3. Flash 4. RAM/DRAM
8. Which combination of keys will allow you to view the previous commands that you typed at the router? 1. ESC-P 2. Ctrl-P 3. Shift-P 4. Alt-P
9. Which command will display the active configuration parameters? 1. show running-config 2. write term 3. show version 4. display term
10. You are configuring a router. Which prompt tells you that you are in the privileged EXEC mode? 1. @ 2. > 3. ! 4. : 5. #
11. What does the command ip name-server 255.255.255.255 accomplish? 1. It disables domain name lookup. 2. It sets the domain name lookup to be a local broadcast. 3. This is an illegal command. 4. The command is now defunct and has been replaced by ip server-name ip any
12. The following selections show the command prompt and the configuration of the IP network mask. Which two are correct? 1. Router(config-if)#netmask-format { bitcount | decimal | hexadecimal } 2. Router#term IP netmask-format { bitcount | decimal | hexadecimal } 3. Router(config-if)#IP netmask-format { bitcount | decimal | hexadecimal } 4. Router#ip netmask-format { bitcount | decimal | hexadecimal }
15. Which layer is responsible for flow control with sliding windows and reliability with sequence numbers and acknowledgments? 1. Transport 2. Application 3. Internet 4. Network Interface
16. Which processes does TCP, but not UDP, use? 1. Windowing 2. Acknowledgements 3. Source Port 4. Destination Port
17. Select which protocols use distance vector routing? 1. OSPF 2. RIP 3. IGRP 4. PPP
Answers:
1. 2
2. 2 (Presentation layer: it handles data formatting and translation, so garbled but delivered data points there)
3. 2, 3 (IEEE 802.2 splits the data link layer into MAC and LLC)
4. 4
5. 4
6. 1, 2, 3
7. 4
8. 2
9. 1
10. 5
11. 2 (255.255.255.255 is the limited broadcast address; with no name server configured IOS broadcasts name queries by default)
12. 3
13. 1
14. 1
15. 1 (windowing, sequence numbers and acknowledgments are TCP transport-layer mechanisms)
16. 1, 2
17. 2, 3