Ways of Looking at Computer Communication

Layers

1. Application-to-Application - the APPLICATION LAYER
2. Program-to-program delivery - the TRANSPORT LAYER
3. Computer-to-computer - the NETWORK LAYER
4. Hardware-to-hardware - the SUBNET LAYER

Application to Application

• Library and OS calls

Program to Program (alias port to port)

• TCP segments
• UDP datagrams

Computer to Computer

• IP packets
• IP addresses
• ICMP messages

Hardware to hardware

• Ethernet frames
• MAC addresses
• Modems
• Routers, switches
• Copper
• NIC == 32-bit IP Address

IP Address Classes

• 126 networks, each 16M addresses
• high bit 0 = 0,1,2,3,4,5,6,7 hex
• 10.x.x.x (0Axxxxxx) is private
• no 0.x.x.x or 127.x.x.x -- see below

• 16K networks, each 64K addresses
• high bits 10 = 8,9,A,B hex
• 172.16.x.x thru 172.31.x.x ( AC08xxxx thru AC1Fxxxx) is private

• 2 million networks, each 254 addresses
• high bits 110 = C,D hex
• 192.168.x.x (C0 A8 xx xx) is private

• special - multicast
• high bits 1110 = E hex

• special - unallocated
• high bits 1111 = F hex

Ports

• A port is a number that is attached to a specific application program
• Carried along with ip address to fully identify source or destination
• Range is 0 - 65535
• 1-1023 are PRIVILEGED, reserved for "well-known" applications, assigned by committee
• 1024-65535 are UNPRIVILEGED, dynamically assigned as needed by software.
• Common privileged ports are:
  • 21 - ftp
  • 23 - telnet
  • 25 - smtp
  • 43 - whois
  • 53 - nameserver
  • 79 - finger
  • 80 - http
  • 110 - pop3
  • 119 - nntp
  • 123 - ntp
  • 443 - https

Packets

• An individual IP message is called a packet.
• If the data to be sent is larger than can fit in one packet (the MTU, or maximum transmission unit) then it is carved up into multiple packets.
• There are three types of packets:
  • ICMP - control and status messages, error messages
  • UDP - unreliable but faster data transfer
  • TCP - reliable but slower data transfer
• All packets contain a packet header, containing (usually) the following:
  • source and destination IP addresses
  • type of packet
  • message type and subtype (ICMP only)
  • source and destination ports (UDP or TCP only)
  • sequence and acknowledgement numbers, flags, checksum (TCP only)

What's Used for What?

The three types of packet are normally used for the following:

• ICMP - As mentioned, used for errors, control, and status, not for transfer of data. The error generated if you try to send something to an unreachable address is a typical example. Also, the "ping" operation is implemented using ICMP.
• UPD - Used for sending non-critical data. It's possible that a UDP transmission goes into a black hole, and there's no way for the sender to know this except by getting tired of waiting for a response. There's absolutely no way to know if a UDP transmission was corrupted somewhere along the way. Typical UDP uses include:
  • NTP (network time protocol) requests for clock synchronization
  • Requests to and responses from Domain Name Service (DNS) servers.
  • Streaming audio, where speed is needed and the extra overhead of TCP is too costly.
• TCP - Used when reliable two-way communication is needed.
  • Each TCP packet has a sequence number and a checksum, so if it is inaccurate (or if it never arrives at all), this can be detected and the packet resent. If they arrive out of order, this can be corrected.
  • The receipt of EVERY TCP packet is specifically acknowledged back to the sender, and this feedback makes the error rate of TCP very low, even if the network itself has noise, dropouts, mis-routed packets, or whatever.

Typical TCP Connection

Three different flags are used to coordinate TCP/IP communication. Let's assume you click on a link in your web browser. Here's what happens:

1. The URL is parsed to get a host name which is translated into an IP address.
2. The browser is assigned a random unprivileged port for this connection (e.g., 12345)
3. An HTTP message is constructed by the browser and sent to TCP.
4. TCP constructs a TCP message and sends it to IP
5. IP wraps it in a IP packet header with a SYN (synchronize) flag, sends it to the server IP, port 80.
6. The server sends a message with SYN and ACK (acknowledge) flags set, back to your IP address, port 12345.
7. The client (your browser) sends ACK back to host.
8. Data starts flowing, with each packet containing an ACK flag, and each acknowledged with an ACK back to the sender.
9. When transmission is complete, one machine sends ACK FIN (finish).
10. The other end sends ACK (to acknowledge receipt) and then its own ACK-FIN.
11. The original (the one which initiated the teardown) sends ACK.
12. Now that the program-to-program communication is over, port 12345 will be unassigned.

The SYN, SYN-ACK, ACK at startup and ACK-FIN, (ACK, ACK-FIN), ACK at teardown are often referred to as the "three-way handshake" of TCP. Note that after the original SYN to get things started, every single packet has the ACK flag set.

Typically, a system using TCP/IP (TCP over IP) will wait a reasonable amount of time for the ACK to come back for each packet, and if not, the missing-in-action packet is simply re-sent. A packet is never discarded by a sender until its ACK is received. At worst, the recipient might get two copies of the packet, and one is silently discarded.

Firewall Concepts

Normal firewall activity takes place at the packet level and is therefore called Packet Filtering.

• A firewall program examines each incoming or outgoing packet and decides its fate (accept, deny, or bounce) according to rules which have been pre-established.
• The rules are organized into chains or tables, which are applied to the packet under consideration in order until one matches.
• If no rules match, the default action (whatever that has been defined to be) will be taken.
• Firewalls basically can have one of two philosophies:
  1. Deny all packets by default and explicitly allow only those which match a rule to get by.
  2. Accept every packet unless there is an explicit rule against it.
• There are two programs with most distributions of Linux to perform these functions:
  • ipchains, the older and somewhat less flexible program,
  • iptables (aka Netfilter), the replacement, as of 2001.
• A packet filtering program can test for anything in the packet header as described above, destination or source IP address or port, flags, etc. Here's the sort of thing a firewall program might do:
  • An incoming packet with a source IP address in one the three "private" ranges is illegal and should be deleted
  • Ditto, anything allegedly from YOUR OWN IP address must be illegal. (Even if you try to send something to yourself, the "from" address in the received packet will say 127.0.0.1.)
  • Since the tests can be done in combination, one could filter out anything inbound for port 23 (telnet) EXCEPT those from two or three "trusted" IP addresses.
• Deny (i.e., discard) is usually preferable to bouncing something, because the bounce message itself tells a cracker that (a) your machine exists, (b) it's running Linux, and (c) it's running a firewall -- three pieces he didn't have before.

How NAT Works

Network Address Translation, aka Masquerading, is also done at the packet filtering level. This is commonly used when several machines behind a firewall share the same electrical connection to the Internet -- a gateway. It's really a pretty simple scheme:

• Every time an application starts sending IP packets to the gateway with a destination IP address in the "outside world", the firewall software assigns that application a brand-new "dummy" port number, picked at random.
• For every outgoing packet, the firewall REPLACES the original "from" port number (assigned by the application on one of the networked machines) with the new "dummy" number assigned by the firewall, replaces the original "from" IP address with its own, and re-sends the packet to the Internet. Thus, all outgoing requests look like they came from some port (program) on the gateway machine.
• For every incoming packet, the firewall software looks up the destination port, replaces the IP address and "true" port number associated with that "dummy" port, and re-sends the message onto the internal network.
• Thus, the application program believes it is sending and receiving messages from the remote server, while the remote server believes it is sending and receiving messages from the gateway machine.