TCP/IP Protocols

  • Define the purpose, function, and/or use of the following protocols within TCP/IP: IP, TCP, UDP, FTP, TFTP, SMTP, HTTP, HTTPS, POP3/IMAP4, Telnet, ICMP, ARP, and NTP.

As discussed in Chapter 5, “Overview of Network Protocols,” the TCP/IP protocol suite is made up of many different protocols, each of which performs a specific task or function. The Network+ exam focuses on the following, which are some of the most commonly used and encountered protocols.

The following sections look at the functions of these protocols and their purposes.

Internet Protocol (IP)

IP, which is defined in RFC 791, is the protocol used to transport data from one node on a network to another. IP is connectionless, which means that it doesn't guarantee the delivery of data; it simply makes a best effort to do so. To ensure that transmissions sent via IP are completed, a higher-level protocol such as TCP is required.

NOTE

IP and the OSI Model: IP operates at the network layer of the OSI model.


In addition to providing best-effort delivery, IP also performs fragmentation and reassembly tasks for network transmissions. Fragmentation is necessary because the maximum transmission unit (MTU) size is limited in IP. In other words, network transmissions that are too big to traverse the network in a single packet have to be broken up into smaller chunks and reassembled at the other end. Another function of IP is addressing. IP addressing is a complex subject, so there is a more detailed discussion of it later in this chapter, in the section “IP Addressing.”

Transmission Control Protocol (TCP)

TCP, which is defined in RFC 793, is a connection-oriented protocol that uses IP as its transport protocol. Being connection oriented means that TCP requires a session to be established between two hosts before communication can take place. TCP provides reliability to IP communications. Specifically, TCP adds features such as flow control, sequencing, and error detection and correction. For this reason, higher-level applications that need guaranteed delivery use TCP rather than its lightweight and connectionless brother, UDP.

NOTE

TCP and the OSI Model: TCP operates at the transport layer of the OSI model.


NOTE

SYN Flooding: A problem with the TCP SYN/ACK system is that the TCP/IP protocol stack assumes that each of the SYN requests it receives is genuine. Although this is normally the case, crackers can also exploit this trust as a weakness by using an attack known as a SYN flood. In a SYN flood, large numbers of SYN requests are directed at a host, but the source address to which the system attempts to send an ACK is false, and therefore there is no acknowledgement of the ACK. The host, assuming that the lack of response is attributable to a network problem, keeps the SYN connections open for a period of time as a “just in case” precaution, and during this time, the connection cannot be used by another host. If enough false SYN requests are directed at a server, the result is that there aren't any connections left to service legitimate requests. To guard against this occurrence, some applications and operating systems have strategies that determine when a false connection is made, which helps prevent SYN flooding.


How TCP Works

When TCP wants to open a connection with another host, it follows this procedure:

1. It sends a message called a SYN to the target host.

2. The target host opens a connection for the request and sends back an acknowledgment message called an ACK (or SYN ACK).

3. The host that originated the request sends back another acknowledgment, saying that it has received the ACK message and that the session is ready to be used to transfer data.

When the data session has been completed, a similar process is used to close the session. This three-step session establishment and acknowledgment process is referred to as the TCP three-way handshake.
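The three steps above, and the half-open connections described in the SYN Flooding note, can be seen from the listening host's side in the following model. This is an added example, not code from the book and not a real TCP stack; the `Listener` class, the backlog size, the timeout, the 0.8 threshold, and every address in the trace are constructed for illustration.

```python
class Listener:
    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog          # max half-open connections held at once
        self.syn_timeout = syn_timeout  # seconds to wait for the final ACK
        self.half_open = {}             # (client_ip, client_port) -> time the SYN arrived
        self.established = set()
        self.dropped = 0                # SYNs refused because the backlog was full

    def _expire(self, now):
        # Free the slots whose final ACK never arrived within the timeout.
        for client, started in list(self.half_open.items()):
            if now - started >= self.syn_timeout:
                del self.half_open[client]

    def on_segment(self, now, client, flags):
        """Process one inbound segment and return what the listener does."""
        self._expire(now)
        if flags == "SYN":                                  # step 1 arrives
            if client in self.half_open or client in self.established:
                return "ignored"
            if len(self.half_open) >= self.backlog:
                self.dropped += 1
                return "dropped"
            self.half_open[client] = now
            return "SYN-ACK sent"                           # step 2
        if flags == "ACK" and client in self.half_open:     # step 3 arrives
            del self.half_open[client]
            self.established.add(client)
            return "established"
        return "ignored"

    def flood_suspected(self, threshold=0.8):
        """Defender's check: is the backlog mostly filled with half-open entries?"""
        return len(self.half_open) >= threshold * self.backlog


def run_constructed_trace():
    """Replay a constructed sequence of segments against a small listener."""
    srv = Listener(backlog=4, syn_timeout=30)
    a, b = ("198.51.100.7", 40000), ("198.51.100.8", 40001)
    # Client a completes all three steps.
    out = [srv.on_segment(0.0, a, "SYN"), srv.on_segment(0.1, a, "ACK")]
    # Four SYNs whose senders never send the final ACK fill the backlog.
    for i in range(4):
        out.append(srv.on_segment(1.0 + i, ("192.0.2.%d" % i, 1024 + i), "SYN"))
    out.append(srv.on_segment(5.0, b, "SYN"))    # legitimate client is refused
    suspected = srv.flood_suspected()
    out.append(srv.on_segment(40.0, b, "SYN"))   # timeouts have freed the slots
    return out, suspected, srv.dropped
```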

TCP is a reliable protocol because it has mechanisms that can accommodate and handle errors. These mechanisms include timeouts, which cause the sending host to automatically retransmit data if its receipt is not acknowledged within a given time period.

User Datagram Protocol (UDP)

UDP, which is defined in RFC 768, is the brother of TCP. Like TCP, UDP uses IP as its transport protocol, but the big difference is that UDP does not guarantee delivery like TCP does. In a sense, UDP is a “fire and forget” protocol; it assumes that the data sent will reach its destination intact. In fact, the checking of whether data is delivered is left to upper-layer protocols.

Unlike with TCP, with UDP there is no establishment of a session between the sending and receiving hosts, which is why UDP is referred to as a connectionless protocol. The upshot of this is that UDP has a much lower overhead than TCP. In fact, a TCP packet header has 14 fields. A UDP packet header has 4. Therefore, UDP is much more efficient than TCP. In applications that don't need the added features of TCP, UDP is much more economical in terms of bandwidth and processing effort.

NOTE

UDP and the OSI Model: UDP operates at the transport layer of the OSI model.


File Transfer Protocol (FTP)

As its name suggests, FTP provides for the uploading and downloading of files from a remote host that is running FTP server software. As well as uploading and downloading files, FTP allows you to view the contents of folders on an FTP server and rename and delete files and directories if you have the necessary permissions. FTP, which is defined in RFC 959, uses TCP as a transport protocol to guarantee delivery of packets.

FTP has security mechanisms that are used to authenticate users. However, rather than create a user account for every user, you can configure FTP server software to accept anonymous logons. When you do this, the username is anonymous, and the password is normally the user's email address. Most FTP servers that offer files to the general public operate in this way.

In addition to being very popular as a mechanism for distributing files to the general public over networks such as the Internet, FTP is also popular with organizations that need to frequently exchange large files with other people or organizations. For example, the chapters in this book were sent between the authors and Que Publishing using FTP. Such a system is necessary because the files we exchange are larger than can be accommodated using email.

All the common network operating systems offer FTP server capabilities, although whether you use them depends on whether you have a need for FTP services. All popular workstation operating systems offer FTP client functionality, although it is common to use third-party utilities such as CuteFTP and SmartFTP instead. Figure 6.1 shows an FTP session with the site ftp.redhat.com, from the FTP command-line client included with Windows 2000. Notice that this is an anonymous logon.

Figure 6.1. An FTP session, using the Windows 2000 FTP client.


NOTE

FTP and the OSI Model: FTP is an application-layer protocol.


FTP assumes that files being uploaded or downloaded are straight text (that is, ASCII) files. If the files are not text, which is quite likely, the transfer mode has to be changed to binary. With sophisticated FTP clients, such as CuteFTP, the transition between transfer modes is automatic. With more basic utilities, you have to perform the mode switch manually.

EXAM TIP

FTP Commands: On the Network+ exam, you might be asked to identify the appropriate FTP command to use in a given situation.


Unlike some of the other protocols discussed in this chapter that perform tasks transparently to the user, FTP is an application-layer service that is called upon frequently. Therefore, it can be useful to know some of the commands that are supported by FTP. If you are using a client such as CuteFTP, you might never need to use these commands, but they are useful to know in case you find yourself using a command-line FTP client. Table 6.1 lists some of the most commonly used FTP commands.

Table 6.1. Commonly Used FTP Commands
Command  Purpose
ls       Lists the files in the current directory
cd       Changes working directory on the remote host
lcd      Changes working directory on the local host
put      Uploads a single file to the remote host
get      Downloads a single file from the remote host
mput     Uploads multiple files to the remote host
mget     Downloads multiple files from the remote host
binary   Switches transfers into binary mode
ascii    Switches transfers into ASCII mode (the default)

Trivial File Transfer Protocol (TFTP)

A variation on FTP is TFTP, which is also a file transfer mechanism. However, TFTP does not have either the security capability or the level of functionality that FTP has. TFTP, which is defined in RFC 1350, is most often associated with simple downloads, such as those associated with transferring firmware to a device such as a router and booting diskless workstations.

NOTE

TFTP and the OSI Model: TFTP is an application-layer protocol that uses UDP, which is a connectionless transport-layer protocol. For this reason, TFTP is referred to as a connectionless file transfer method.


Another feature that TFTP does not offer is directory navigation. Whereas in FTP, commands can be executed to navigate around and manage the file system, TFTP offers no such capability. TFTP requires that you request not only exactly what you want, but also the particular location. Unlike FTP, which uses TCP as its transport protocol to guarantee delivery, TFTP uses UDP.

Simple Mail Transfer Protocol (SMTP)

SMTP, which is defined in RFC 821, is a protocol that defines how mail messages are sent between hosts. SMTP uses TCP connections to guarantee error-free delivery of messages. SMTP is not overly sophisticated, and it requires that the destination host always be available. For this reason, mail systems spool incoming mail so that users can read it at a later time. How the user then reads the mail depends on how the client accesses the SMTP server.

NOTE

Sending and Receiving Mail: SMTP can be used for both sending and receiving mail. POP and IMAP can be used only for receiving mail.


Hypertext Transfer Protocol (HTTP)

HTTP, which is defined in RFC 2068, is the protocol that allows text, graphics, multimedia, and other material to be downloaded from an HTTP server. HTTP defines what actions can be requested by clients and how servers should answer those requests.

In a practical implementation, HTTP clients (that is, Web browsers) make requests in an HTTP format to servers running HTTP server applications (that is, Web servers). Files that are created in a special language such as Hypertext Markup Language (HTML) are returned to the client, and the connection is closed.

EXAM TIP

HTTP and UDP: HTTP is a connectionless protocol that uses UDP as a transport protocol. You should know this for the exam.


HTTP uses a uniform resource locator (URL) to determine what page should be downloaded from the remote server. The URL contains the type of request (for example, http://), the name of the server being contacted (for example, www.novell.com), and optionally the page being requested (for example, /support). The result is the syntax that Internet-savvy people are familiar with: http://www.novell.com/support.

Hypertext Transfer Protocol Secure (HTTPS)

One of the downsides of using HTTP is that HTTP requests are sent in clear text. For some applications, such as e-commerce, this method of exchanging information is not suitable—a more secure method is needed. The solution is HTTPS. HTTPS uses a system known as Secure Sockets Layer (SSL), which encrypts the information that is sent between the client and the host.

For HTTPS to be used, both the client and server must support it. All popular browsers now support HTTPS, as do Web server products, such as Microsoft Internet Information Server (IIS), Apache, and almost all other Web server applications that provide sensitive applications. When you are accessing an application that uses HTTPS, the URL starts with https rather than http—for example, https://www.mybankonline.com.

Post Office Protocol/Internet Message Access Protocol (POP/IMAP)

Both POP, which is defined in RFC 1939, and IMAP, the latest version of which is defined in RFC 1731, are mechanisms for downloading, or pulling, email from a server. They are necessary because, although the mail is transported around the network via SMTP, users cannot always read it immediately, so it must be stored in a central location. From this location, it needs to be downloaded, which is what POP and IMAP allow you to do.

EXAM TIP

POP and IMAP: POP and IMAP can be used to download, or pull, email from a server, but they cannot be used to send mail. That function is left to SMTP, which can both send and receive.


NOTE

Web-Based Mail—The Other, Other Email: Although there are many good points about accessing email by using POP and IMAP, such systems rely on servers to hold the mail until it is downloaded to the client system. In today's world, a more sophisticated solution to anytime/anywhere email access is needed. For many people, that solution is Web-based mail. Having an Internet-based email account allows you to access your mail from anywhere and from any device that supports a Web browser. Recognizing the obvious advantages of such a system, all the major email systems have, for some time, included Web access gateway products.


POP and IMAP are very popular, and many people now access email through applications such as Microsoft Outlook, Netscape Communicator, and Eudora, which are POP and IMAP clients.

One of the problems with POP is that the password used to access a mailbox is transmitted across the network in clear text. This means if someone wanted to, he or she could determine your POP password with relative ease. This is an area in which IMAP offers an advantage over POP. It uses a more sophisticated authentication system, which makes it harder for someone to determine a password.

Telnet

Telnet, which is defined in RFC 854, is a virtual terminal protocol. It allows sessions to be opened on a remote host, and then for commands to be executed on that remote host. For many years, Telnet was the method by which multiuser systems such as mainframes and minicomputers were accessed by clients. It was also the connection method of choice for Unix systems. Today, Telnet is still commonly used for accessing routers and other managed network devices.

EXAM TIP

Telnet and Unix/Linux: Telnet is used to access Unix and Linux systems.


One of the problems with Telnet is that it is not secure. As a result, remote session functionality is now almost always achieved by using alternatives such as Secure Shell (SSH).

Internet Control Message Protocol (ICMP)

ICMP, which is defined in RFC 792, is a protocol that works with the IP layer to provide error checking and reporting functionality. In effect, ICMP is a tool that IP uses in its quest to provide best-effort delivery.

ICMP can be used for a number of functions. Its most common function is probably the widely used and incredibly useful ping utility. ping sends a stream of ICMP echo requests to a remote host.

If the host is able to respond, it does so by sending echo reply messages back to the sending host. In that one simple process, ICMP enables the verification of the protocol suite configuration of both the sending and receiving nodes and any intermediate networking devices.

However, ICMP's functionality is not limited to just the use of the ping utility. ICMP is also able to return error messages such as Destination Unreachable and Time Exceeded messages. (The former message is reported when a destination cannot be contacted and the latter when the time to live (TTL) of a datagram has been exceeded.)

In addition to these and other functions, ICMP is able to perform source quench. In a source quench scenario, the receiving host is not able to handle the influx of data at the same rate as the data is being sent. To slow down the sending host, the receiving host sends ICMP source quench messages, telling the sender to slow down. This action prevents packets from being dropped and having to be re-sent.

ICMP is a very useful protocol. Although ICMP operates largely in the background, the ping utility alone makes it one of the most valuable of the protocols discussed in this chapter.

Address Resolution Protocol (ARP)

ARP, which is defined in RFC 826, is responsible for resolving IP addresses to Media Access Control (MAC) addresses. When a system attempts to contact another host, IP first determines whether the other host is on the same network it is on, by looking at the IP address. If IP determines that the destination is on the local network, it consults the ARP cache to see if it has a corresponding entry.

If there is not an entry for the host in the ARP cache, a broadcast on the local network asks the host with the target IP address to send back its MAC address. The communication is sent as a broadcast because without the target system's MAC address, the source system is unable to communicate directly with the target system.

Because the communication is a broadcast, every system on the network picks it up. However, only the target system replies because it is the only device whose IP address matches the request. The target system, recognizing that the ARP request is targeted at it, replies directly to the source system. It is able to do this because the ARP request contains the MAC address of the system that sent it. If the destination host is determined to be on a different subnet than the sending host, the ARP process is performed against the default gateway and then repeated for each step of the journey between the sending and receiving hosts.
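The resolution sequence described above (local-network check, ARP cache lookup, broadcast on a miss, default gateway for remote destinations) is sketched below. This is an added example, not code from the book; the `Host` class, the `segment` dictionary that stands in for the hosts on the wire, and all addresses are constructed for illustration.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Host:
    def __init__(self, ip_with_prefix, mac, gateway):
        self.iface = ipaddress.ip_interface(ip_with_prefix)
        self.mac = mac
        self.gateway = ipaddress.ip_address(gateway)
        self.arp_cache = {}   # IP address string -> MAC address string
        self.requests = []    # ARP requests this host has broadcast

    def next_hop(self, dst):
        """The address ARP must resolve: dst if it is local, else the gateway."""
        dst = ipaddress.ip_address(dst)
        return dst if dst in self.iface.network else self.gateway

    def resolve(self, dst, segment):
        """Return the MAC address to put in the frame carrying a packet to dst.

        segment maps IP -> MAC for the hosts on the local network and stands
        in for the wire: only the owner of the target IP answers a request.
        """
        target = str(self.next_hop(dst))
        if target in self.arp_cache:
            return self.arp_cache[target]        # cache hit, nothing is sent
        # Cache miss: broadcast a request that carries our own IP and MAC so
        # that the target can reply directly to us.
        self.requests.append({
            "dst_mac": BROADCAST_MAC,
            "sender_ip": str(self.iface.ip),
            "sender_mac": self.mac,
            "target_ip": target,
        })
        owner_mac = segment.get(target)
        if owner_mac is None:
            return None                          # no host owns that address
        self.arp_cache[target] = owner_mac
        return owner_mac
```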

EXAM TIP

ARP Functions: The function of ARP is to resolve the IP address of a system to the MAC address of the interface on that system. Do not confuse ARP with DNS or WINS, which also perform resolution functions, but for different things.


Network Time Protocol (NTP)

NTP, which is defined in RFC 958, is the part of the TCP/IP protocol suite that facilitates the communication of time between systems. The idea is that one system configured as a time provider transmits time information to other systems that can be both the time receivers and the time providers to other systems.

Time synchronization is very important in today's IT environment because of the distributed nature of applications. Two very good examples of situations where time synchronization is important are email and directory services systems. In each of these cases, having time synchronized between devices is important because without it there would be no way of keeping track of changes to data and applications.

In many environments, external time sources such as radio clocks, global positioning system (GPS) devices, and Internet-based timeservers are used as sources for NTP time. In others, the BIOS clock of the system is used. Regardless of what source is used, the time information is communicated between devices by using NTP.

NOTE

NTP Rules: Specific guidelines dictate how NTP should be used. These “rules of engagement” can be found at www.eecis.udel.edu/~mills/ntp/servers.htm.


NTP server and client software is available for a wide variety of platforms and devices. If you are looking for a way to ensure time synchronization between devices, you should look to NTP as a solution.

REVIEW BREAK: TCP/IP Protocol Suite Summary

The details of each of the protocols discussed in the preceding sections are summarized in Table 6.2. You can use this table for review before you take the Network+ exam.

Table 6.2. TCP/IP Protocol Suite Summary
Protocol  Full Name                                              Description
IP        Internet Protocol                                      Connectionless protocol used for moving data around a network
TCP       Transmission Control Protocol                          Connection-oriented protocol that offers flow control, sequencing, and retransmission of dropped packets
UDP       User Datagram Protocol                                 Connectionless alternative to TCP that is used for applications that do not require the functions offered by TCP
FTP       File Transfer Protocol                                 Protocol for uploading and downloading files to and from a remote host; also accommodates basic file management tasks
TFTP      Trivial File Transfer Protocol                         File transfer protocol that does not have the security or error-checking capabilities of FTP; uses UDP as a transport protocol and is therefore connectionless
SMTP      Simple Mail Transfer Protocol                          Mechanism for transporting email across networks
HTTP      Hypertext Transfer Protocol                            Protocol for retrieving files from a Web server
HTTPS     Hypertext Transfer Protocol Secure                     Secure protocol for retrieving files from a Web server
POP/IMAP  Post Office Protocol/Internet Message Access Protocol  Used for retrieving email from a server on which the mail is stored
Telnet    Telnet                                                 Allows sessions to be opened on a remote host
ICMP      Internet Control Message Protocol                      Used for error reporting, flow control, and route testing
ARP       Address Resolution Protocol                            Resolves IP addresses to MAC addresses, to enable communication between devices
NTP       Network Time Protocol                                  Used to communicate time synchronization information between devices
