Ch. 10

1
Ch. 10 Intermediate TCP/IP

• CCNA 2 version 3.0
• Some concepts in this presentation were
  introduced by Rick Graziani, Instructor at
  Cabrillo College in California
• Prof. Yousif

2
Note

• It is important for networking professionals to
  have a very good understanding of TCP/IP.
• Various devices communicate using the multiple
  protocols of the TCP/IP protocol suite.
• A networking professional needs to know how these
  protocols function and interact with each other
  in order to properly understand, analyze and
  troubleshoot networking issues.
• This chapter is only an introduction to this
  information and also a review of CCNA 1.
• I strongly suggest taking a separate course in
  the TCP/IP protocol suite, in addition to system
  administration courses such as those for
  Microsoft Windows (MCSE/MCSA) or Unix/Linux
  certifications.
• This presentation
• CCNA 2 Module 10
• Corrections to CCNA 2 Module 10
• Other sources, Stevens, etc.

3
Interesting Reading
TCP/IP Illustrated, Vol. 1 W. Richard Stevens
Addison-Wesley Pub Co ISBN 0201633469
Where Wizards Stay Up Late Katie Hafner and
Matthew Lyon ISBN 0613181530

• Very enjoyable reading and you do not have to be
  a networking geek to enjoy it!
• National Bestseller

• Although, published in 1994, written by the late
  Richard Stevens, it is still regarded as the
  definitive book on TCP/IP.

4
Overview

• Students completing this module should be able
  to
• Describe TCP and its function
• Describe TCP synchronization and flow control
• Describe UDP operation and processes
• Identify common port numbers
• Describe multiple conversations between hosts
• Identify ports used for services and clients
• Describe port numbering and well known ports
• Understand the differences and the relationship
  between MAC addresses, IP addresses, and port
  numbers

5
TCP Operation

• IP is best effort delivery.
• The transport layer (TCP) is responsible
  reliability and flow control from source to
  destination.
• This is accomplished using
• sliding windows (flow control)
• sequencing numbers and acknowledgments
  (reliability)
• synchronization (establish a virtual circuit)
• Note Although straight-forward in its
  operation, TCP can be a very complicated protocol
  in its operation. Most of the details regarding
  TCP are beyond the scope of this module and
  presentation.

6
TCP Operation
Connection-oriented
Connectionless
Connectionless

• IP Packet has a Protocol field that specifies
  whether the segment is TCP or UDP.

7
Application Header data
IP Protocol Field 17
Application Header data
IP Protocol Field 6
8
TCP

• TCP -- a connection-oriented, reliable protocol
  provides flow control by providing sliding
  windows, and reliability by providing sequence
  numbers and acknowledgments.
• TCP re-sends anything that is not received and
  supplies a virtual circuit between end-user
  applications.
• The advantage of TCP is that it provides
  guaranteed delivery of the segments.

9
Synchronization or 3-way handshake
TCP Header

• For a connection to be established, the two end
  stations must synchronize on each other's initial
  TCP sequence numbers (ISNs).
• Sequence numbers are used to track the order of
  packets and to ensure that no packets are lost in
  transmission.
• The initial sequence number is the starting
  number used when a TCP connection is established.
  
• Exchanging beginning sequence numbers during the
  connection sequence ensures that lost data can be
  recovered.

10
The following example and for more info

• Inside the TCP Handshake
• http//www.nwconnection.com/2000_03/hand30/
• Laura Chappell writes technical training books
  for podbooks.com (http//www.podbooks.com) and is
  a senior protocol analyst at NetAnalysis
  Institute.
• Ms. Chappell also makes a pretty mean margarita.
  (For more information about NetAnalysis
  Institute, visit http//www.netanalysis.org.)

11
Packet 1 source 130.57.20.10
dest.130.57.20.1 TCP ----- TCP header -----
TCP Source port 1026 TCP
Destination port 524 TCP Initial
sequence number 12952 TCP Next expected
Seq number 12953 TCP ....
..1. SYN TCP Window
8192 TCP Checksum 1303
(correct) TCP Maximum segment size
1460 (TCP Option)
Packet 2 source 130.57.20.1 dest
130.57.20.10 TCP ----- TCP header -----
TCP Source port 524 TCP
Destination port 1026 TCP Initial
sequence number 2744080 TCP Next
expected Seq number 2744081 TCP
Acknowledgment number 12953 TCP
.... ..1. SYN TCP Window
32768 TCP Checksum
D3B7 (correct) TCP Maximum segment size
1460 (TCP Option)
Packet 3 source 130.57.20.10 dest
130.57.20.1 TCP ----- TCP header -----
TCP Source port 1026 TCP
Destination port 524 TCP Sequence
number 12953 TCP Next expected
Seq number 12953 TCP Acknowledgment
number 2744081 TCP ...1
.... Acknowledgment TCP Window
8760 TCP Checksum
493D (correct) TCP No TCP options

• Only part of the TCP headers are displayed.

12
Denial of Service (DoS) Attacks

• DoS attacks are a common method that hackers
  utilize to halt system response.
• One type of DoS is known as SYN flooding.
• SYN flooding exploits the normal three-way
  handshake and causes targeted devices to ACK to
  source addresses that will not complete the
  handshake.

13
DoS Syn Flooding Attack

• Hacker initiates a synchronization but spoofing
  the source IP address.
• Spoofing using anothers IP address, real or not
  (one meaning)
• The receiving device replies to the non-existent,
  (SYN ACK)
• Receiving device place process in a wait state
  while waiting to receive the final ACK from the
  initiator.
• The waiting request is placed in a connection
  queue or a holding area in memory.
• This waiting state requires the attacked device
  to commit system resources, such as memory, to
  the waiting process until the connection timer
  times out.
• Hackers will flood the attacked host with these
  false SYN requests utilizing all of its
  connection resources to respond and wait for
  false connections, preventing it from responding
  to legitimate connection requests.

14
DoS Syn Flooding Attack

• To defend against these attacks, system
  administrators may decrease the connection
  timeout period and increase the connection queue
  size (not recommended).
• Software also exists that can detect these types
  of attacks and initiate defensive measures.

15
For more information (Cisco)

• If a flood of incoming request packets have
  invalid source IP addresses, sessions never get
  established and remain as half-open connections.
  Many TCP implementations are only able to handle
  a small number of outstanding connections per
  port therefore these ports are effectively
  unavailable until the half-open connections
  time-out (typically 75 seconds). Additionally
  this attack may also cause the server to exhaust
  its memory or waste processor cycles in
  maintaining state information on these
  connections.
• Firewall vendors such as Checkpoint, Cisco, and
  Raptor have incorporated features into their
  products to shield your downstream systems from
  SYN attacks.
• The Cisco IOSTM TCP Intercept
• http//www.cisco.com/warp/public/cc/pd/iosw/iore/p
  rodlit/576_pp.htm
• TCP Intercept Commands
• http//www.cisco.com/univercd/cc/td/doc/product/so
  ftware/ios121/121cgcr/secur_r/srprt3/srdenl.htm

16
Windowing and Window Sizes

• Both of these are example of simple windowing.
• This is not an example of sliding windows.
• Window size refers to the number of bytes that
  are transmitted before receiving an
  acknowledgment.
• After a host transmits the window-size number of
  bytes, it must receive an acknowledgment before
  any more data can be sent.
• The window size determines how much data the
  receiving station can accept at one time.

17
Simple Windowing
TCP Header

• TCP is responsible for breaking data into
  segments.
• With a window size of 1, each segment carries
  only one byte of data and must be acknowledged
  before another segment is transmitted. This
  results in inefficient host use of bandwidth.
• The purpose of windowing is to improve flow
  control and reliability.
• Unfortunately, with a window size of 1, you see a
  very inefficient use of bandwidth.

18
Simple Windowing

• TCP Window Size
• TCP uses a window size, number of bytes, that the
  receiver is willing to accept, and is usually
  controlled by the receiving process.
• TCP uses expectational acknowledgments, meaning
  that the acknowledgment number refers to the next
  byte that the sender of the acknowledgement
  expects to receive.
• A larger window size allows more data to be
  transmitted pending acknowledgment.
• Note The sequence number being sent identifies
  the first byte of data in that segment.

19
Simple Windowing

• TCP Full-duplex service Independent Data Flows
• TCP provides full-duplex service, which means
  data can be flowing in each direction,
  independent of the other direction.
• Window sizes, sequence numbers and acknowledgment
  numbers are independent of each others data
  flow.
• Receiver sends acceptable window size to sender
  during each segment transmission (flow control)
• if too much data being sent, acceptable window
  size is reduced
• if more data can be handled, acceptable window
  size is increased
• This is known as a Stop-and-Wait windowing
  protocol.

20
Sliding Windows

• Note The following slides on Sliding Windows
  contains corrections to the on-line curriculum
  followed by my slides on Sliding Windows.

21
Sliding Windows
Working Window size
Initial Window size
Octets sent Not ACKed
Usable Window Can send ASAP
Usable Window Can send ASAP

• Sliding Window Protocol
• Sliding window algorithms are a method of flow
  control for network data transfers using the
  receivers Window size.
• The sender computes its usable window, which is
  how much data it can immediately send.
• Over time, this sliding window moves to the
  right, as the receiver acknowledges data.
• The receiver sends acknowledgements as its TCP
  receive buffer empties.
• The terms used to describe the movement of the
  left and right edges of this sliding window are
  (These will be demonstrated in the following
  slides.)
• 1. The left edge closes (moves to the right) when
  data is sent and acknowledged.
• 2. The right edge opens (moves to the right)
  allowing more data to be sent. This happens when
  the receiver acknowledges a certain number of
  bytes received.
• 3. The middle edge open (moves to the right) as
  data is sent, but not yet acknowledged.

22
Host A - Sender
Host B - Receiver
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1
2
Octets received
Window size 6
3
Octets sent Not ACKed
Usable Window Can send ASAP
1 2 3 4 5 6 7 8 9 10 11 12 13
ACK 4

• Host B gives Host A a window size of 6 (octets or
  bytes).
• Host A begins by sending octets to Host B octets
  1, 2, and 3 and slides its window over showing
  it has sent those 3 octets.
• Host A will not increase its usable window size
  by 3, until it receives an ACKnowldegement from
  Host B that it has received some or all of the
  octets.
• Host B, not waiting for all of the 6 octets to
  arrive, after receiving the third octet sends an
  expectational ACKnowledgement of 4 to Host A.

23
Host B - Receiver
Host A - Sender
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1
Window size 6
2
Octets sent Not ACKed
Usable Window Can send ASAP
3
1 2 3 4 5 6 7 8 9 10 11 12 13
ACK 4
1 2 3 4 5 6 7 8 9 10 11 12 13
4
5
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
ACK 6

• Host A does not have to wait for an
  acknowldegement from Host B to keep sending data,
  not until the window size reaches the window size
  of 6, so it sends octets 4 and 5.
• Host A receives the acknowledgement of ACK 4 and
  can now slide its window over to equal 6 octets,
  2 octets sent not ACKed plus 4 octets which can
  be sent asap.

24
Host B - Receiver
Host A - Sender
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1
Window size 6
2
Octets sent Not ACKed
Usable Window Can send ASAP
3
1 2 3 4 5 6 7 8 9 10 11 12 13
ACK 4
1 2 3 4 5 6 7 8 9 10 11 12 13
4
5
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
ACK 6
1 2 3 4 5 6 7 8 9 10 11 12 13
6
7
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
1 2 3 4 5 6 7 8 9 10 11 12 13
8
9
1 2 3 4 5 6 7 8 9 10 11 12 13
25
Sliding Windows

• Default 8K for Windows, 32K for Linux,
• There are various unix/linux/microsoft programs
  that allow you to modify the default window size.
• I do not recommend that you modify these unless
  you know what you are doing.
• Disclaimer Modifying the registry can cause
  serious problems that may require you to
  reinstall your operating system. We cannot
  guarantee that problems resulting from
  modifications to the registry can be solved. Use
  the information provided at your own risk.
• NOTE I take no responsibility for this software
  or any others!

26
TCP/Web100 bandwidth test v4.2 click START to
begin running 10s outbound test... 107 Kbs
outbound running 10s inbound test... 1207 Kbs
inbound web100 Connection Variables
Round Trip times were sampled 611 times
for a total time of 72770 millisecs giving
an average RTT of 119.0 millisecs(0.119
secs) You received 1126 packets of size 1360
from the remote host and it took a total of
10475.0 millisecs Maximum Expected Bandwidth 392
Kbs Good Data Stream--No retransmits! You are
advertising a window of 17680 bytes The remote
host is advertising a window of 5840 bytes The
Remote Host has a send buffer of 128000 bytes
and a receive buffer of 128000 bytes Buffer sizes
are very important in determining the
advertised window sizes. Larger window sizes
can help increase thruput. If your window is
smaller than the remote host, your should
investigate increasing your socket buffer sizes.

• ORNL TCP Web100 Bandwidth Test
• http//lin-ks.greatplains.net/noc/measurement/tcpb
  w100.php

27
Sequencing numbers
This is only if one octet was sent at a time.

• The data segments being transmitted must be
  reassembled once all the data is received.
• No guarantee that the data will arrive in the
  order it was transmitted.
• TCP applies sequence numbers to the data segments
  
• Sequencing numbers indicate to the destination
  device the correct order in which to put the
  bytes when they are received.
• These sequencing numbers also act as reference
  numbers so that the receiver will know if it has
  received all of the data.
• They also identify the missing data pieces to the
  sender so it can retransmit the missing data.

28
Technical FYI on Sequencing numbers
Part of TCP Header

• Sender The value in the sequence number is the
  first byte in the data stream.
• Question How does the receiver know how much
  data was sent, so it knows what value to send in
  the acknowledgement?
• Receiver Using the senders IP packet and TCP
  segment information, the value of the ACK is
• IP Packet Length (IP) Total length
  Header length
• - TCP header length (TCP) Header length
• -------------------------------------------
  ------
• Length of data in TCP segment
• ACK Last Sequence Number ACKed Length of
  data in TCP segment
• Check Sequence Number to check for missing
  segments and to sequence out-of-order segments.
• Remember that the ACK is for the sequence number
  of the byte you expect to receive. When you ACK
  101, that says you've received all bytes through
  100. This ignores Selective Acknowledgments or
  SACK.

29
Positive Acknowledgment and Retransmission (PAR)

• PAR The source sends a packet, starts a timer,
  and waits for an acknowledgment before sending
  the next packet.
• If the timer expires before the source receives
  an acknowledgment, the source retransmits the
  packet and starts the timer over again.
• TCP uses expectational acknowledgments in which
  the acknowledgment number refers to the next
  octet that is expected.

30
UDP
31
UDP Operation

• UDP does not use windowing or acknowledgments so
  application layer protocols must provide error
  detection.
• The Source Port field is an optional field used
  only if information needs to return to the
  sending host.
• When a destination router receives a routing
  update, the source router is not requesting
  anything so nothing needs to return to the
  source.
• This is regarding only RIP updates.
• BGP uses TCP, IGRP is sent directly over IP.
  EIGRP and OSPF are also sent directly over IP
  with their own way of handling reliability.

32
UDP Operation
33
Port Numbers (TCP and UDP)
34
Application Header data
Port Numbers
Port numbers are used to know which application
the receiving host should pass the Data to.
Application Header data
35
TCP Header
36
Port Numbers
TCP Header

• Application software developers have agreed to
  use the well-known port numbers that are defined
  in RFC 1700.
• For example, any conversation bound for an Telnet
  application uses the standard port number 23.

37
Port Numbers

• Conversations that do not involve an application
  with a well-known port number are, instead,
  assigned port numbers that are randomly selected
  from within a specific range.
• These port numbers are used as source and
  destination addresses in the TCP segment.
• Some ports are reserved in both TCP and UDP,
  although applications might not be written to
  support them.
• (Curriculum) Port numbers have the following
  assigned ranges
• Numbers below 255 are reserved for public
  applications
• Numbers from 255-1023 are assigned to companies
  for marketable applications
• Numbers above 1023 are unregulated
• (RFC) The range for assigned ports managed by the
  IANA is 0-1023. http//www.iana.org/assignments/p
  ort-numbers
• The Well Known Ports are those from 0 through
  1023. (This is updated information as of
  11-13-2002. Before then, 0 255 were considered
  well known ports.)
• The Registered Ports are those from 1024 through
  49151
• The Dynamic and/or Private Ports are those from
  49152 through 65535

38
http//www.iana.org/assignments/port-numbers

• The Well Known Ports are assigned by the IANA and
  on most systems can only be used by system (or
  root) processes or by programs executed by
  privileged users.
• The Registered Ports are listed by the IANA and
  on most systems can be used by ordinary user
  processes or programs executed by ordinary users.
  The IANA registers uses of these ports as a
  convenience to the community.
• The Dynamic and/or Private Ports are those from
  49152 through 65535

39
Port Numbers

• For more of an explanation of port numbers and
  examples, go to
• http//www.iana.org/assignments/port-numbers

40
Port Numbers
TCP Header
TCP Header

• End systems use port numbers to select the proper
  application.
• Originating source port numbers, usually a value
  larger than 1023, are dynamically assigned by the
  source host.

41
TCP Header

• Notice the difference in how source and
  destination port numbers are used with clients
  and servers
• Client
• Destination Port 23 (telnet)
• Source Port 1028 (dynamically assigned)
• Server
• Destination Port 1028 (source port of client)
• Source Port 23 (telnet)

42
Second http session between the same client and
server. Same destination port, but different
source port to uniquely identify this web session.
Dest. Port 80 Send packets to web server
application
http to www.cisco.com
Dest. Port 80 Send packets to web server
application
http to www.cisco.com
1031
80
80
1030

• This example shows two separate browser windows
  to the same URL. TCP/IP uses source port numbers
  to know which information goes to which window.

43

• What makes each connection unique?
• Connection defined by the pair of numbers
• source IP address, source port
• destination IP address, destination port
• Different connections can use the same
  destination port on server host as long as the
  source ports or source IPs are different.

44
TCP or UDP
Source IP
Destination IP
Connection State
Destination Port
Source Port
www.cisco.com
netstat command

• Note In actuality, when you open up a single web
  page, there are usually several TCP sessions
  created, not just one.
• Example of multiple TCP connections for a single
  http session.

45
Ch. 10 Intermediate TCP/IP

• CCNA 2 version 3.0