Mirrors/Zines
1
0
Fork 0
mirror of https://github.com/fdiskyou/Zines.git synced 2025-03-09 00:00:00 +01:00
Code Issues Releases Wiki Activity
Zines/phrack/33/8.txt

525 lines
23 KiB
Text
Raw Permalink Normal View History

1st import into tree
2016-12-14 22:07:35 +00:00
==Phrack Inc.==
Volume Three, Issue Thirty-Three, File 8 of 13
A TCP/IP Tutorial : Behind The Internet
Part One of Two
September 12, 1991
by The Not
Table of Contents
1. Introduction
2. TCP/IP Overview
3. Ethernet
4. ARP
1. Introduction
This tutorial contains only one view of the salient points of TCP/IP,
and therefore it is the "bare bones" of TCP/IP technology. It omits
the history of development and funding, the business case for its
use, and its future as compared to ISO OSI. Indeed, a great deal of
technical information is also omitted. What remains is a minimum of
information that must be understood by the professional working in a
TCP/IP environment. These professionals include the systems
administrator, the systems programmer, and the network manager.
This tutorial uses examples from the UNIX TCP/IP environment, however
the main points apply across all implementations of TCP/IP.
Note that the purpose of this memo is explanation, not definition.
If any question arises about the correct specification of a protocol,
please refer to the actual standards defining RFC.
The next section is an overview of TCP/IP, followed by detailed
descriptions of individual components.
2. TCP/IP Overview
The generic term "TCP/IP" usually means anything and everything
related to the specific protocols of TCP and IP. It can include
other protocols, applications, and even the network medium. A sample
of these protocols are: UDP, ARP, and ICMP. A sample of these
applications are: TELNET, FTP, and rcp. A more accurate term is
"internet technology". A network that uses internet technology is
called an "internet".
2.1 Basic Structure
To understand this technology you must first understand the following
logical structure:
----------------------------
| network applications |
| |
|... \ | / .. \ | / ...|
| ----- ----- |
| |TCP| |UDP| |
| ----- ----- |
| \ / |
| -------- |
| | IP | |
| ----- -*------ |
| |ARP| | |
| ----- | |
| \ | |
| ------ |
| |ENET| |
| ---@-- |
----------|-----------------
|
----------------------o---------
Ethernet Cable
Figure 1. Basic TCP/IP Network Node
This is the logical structure of the layered protocols inside a
computer on an internet. Each computer that can communicate using
internet technology has such a logical structure. It is this logical
structure that determines the behavior of the computer on the
internet. The boxes represent processing of the data as it passes
through the computer, and the lines connecting boxes show the path of
data. The horizontal line at the bottom represents the Ethernet
cable; the "o" is the transceiver. The "*" is the IP address and the
"@" is the Ethernet address. Understanding this logical structure is
essential to understanding internet technology; it is referred to
throughout this tutorial.
2.2 Terminology
The name of a unit of data that flows through an internet is
dependent upon where it exists in the protocol stack. In summary: if
it is on an Ethernet it is called an Ethernet frame; if it is between
the Ethernet driver and the IP module it is called a IP packet; if it
is between the IP module and the UDP module it is called a UDP
datagram; if it is between the IP module and the TCP module it is
called a TCP segment (more generally, a transport message); and if it
is in a network application it is called a application message.
These definitions are imperfect. Actual definitions vary from one
publication to the next. More specific definitions can be found in
RFC 1122, section 1.3.3.
A driver is software that communicates directly with the network
interface hardware. A module is software that communicates with a
driver, with network applications, or with another module.
The terms driver, module, Ethernet frame, IP packet, UDP datagram,
TCP message, and application message are used where appropriate
throughout this tutorial.
2.3 Flow of Data
Let's follow the data as it flows down through the protocol stack
shown in Figure 1. For an application that uses TCP (Transmission
Control Protocol), data passes between the application and the TCP
module. For applications that use UDP (User Datagram Protocol), data
passes between the application and the UDP module. FTP (File
Transfer Protocol) is a typical application that uses TCP. Its
protocol stack in this example is FTP/TCP/IP/ENET. SNMP (Simple
Network Management Protocol) is an application that uses UDP. Its
protocol stack in this example is SNMP/UDP/IP/ENET.
The TCP module, UDP module, and the Ethernet driver are n-to-1
multiplexers. As multiplexers they switch many inputs to one output.
They are also 1-to-n de-multiplexers. As de-multiplexers they switch
one input to many outputs according to the type field in the protocol
header.
1 2 3 ... n 1 2 3 ... n
\ | / | \ | | / ^
\ | | / | \ | | / |
------------- flow ---------------- flow
|multiplexer| of |de-multiplexer| of
------------- data ---------------- data
| | | |
| v | |
1 1
Figure 2. n-to-1 multiplexer and 1-to-n de-multiplexer
If an Ethernet frame comes up into the Ethernet driver off the
network, the packet can be passed upwards to either the ARP (Address
Resolution Protocol) module or to the IP (Internet Protocol) module.
The value of the type field in the Ethernet frame determines whether
the Ethernet frame is passed to the ARP or the IP module.
If an IP packet comes up into IP, the unit of data is passed upwards
to either TCP or UDP, as determined by the value of the protocol
field in the IP header.
If the UDP datagram comes up into UDP, the application message is
passed upwards to the network application based on the value of the
port field in the UDP header. If the TCP message comes up into TCP,
the application message is passed upwards to the network application
based on the value of the port field in the TCP header.
The downwards multiplexing is simple to perform because from each
starting point there is only the one downward path; each protocol
module adds its header information so the packet can be de-
multiplexed at the destination computer.
Data passing out from the applications through either TCP or UDP
converges on the IP module and is sent downwards through the lower
network interface driver.
Although internet technology supports many different network media,
Ethernet is used for all examples in this tutorial because it is the
most common physical network used under IP. The computer in Figure 1
has a single Ethernet connection. The 6-byte Ethernet address is
unique for each interface on an Ethernet and is located at the lower
interface of the Ethernet driver.
The computer also has a 4-byte IP address. This address is located
at the lower interface to the IP module. The IP address must be
unique for an internet.
A running computer always knows its own IP address and Ethernet
address.
2.4 Two Network Interfaces
If a computer is connected to 2 separate Ethernets it is as in Figure
3.
----------------------------
| network applications |
| |
|... \ | / .. \ | / ...|
| ----- ----- |
| |TCP| |UDP| |
| ----- ----- |
| \ / |
| -------- |
| | IP | |
| ----- -*----*- ----- |
| |ARP| | | |ARP| |
| ----- | | ----- |
| \ | | / |
| ------ ------ |
| |ENET| |ENET| |
| ---@-- ---@-- |
----------|-------|---------
| |
| ---o---------------------------
| Ethernet Cable 2
---------------o----------
Ethernet Cable 1
Figure 3. TCP/IP Network Node on 2 Ethernets
Please note that this computer has 2 Ethernet addresses and 2 IP
addresses.
It is seen from this structure that for computers with more than one
physical network interface, the IP module is both a n-to-m
multiplexer and an m-to-n de-multiplexer.
1 2 3 ... n 1 2 3 ... n
\ | | / | \ | | / ^
\ | | / | \ | | / |
------------- flow ---------------- flow
|multiplexer| of |de-multiplexer| of
------------- data ---------------- data
/ | | \ | / | | \ |
/ | | \ v / | | \ |
1 2 3 ... m 1 2 3 ... m
Figure 4. n-to-m multiplexer and m-to-n de-multiplexer
It performs this multiplexing in either direction to accommodate
incoming and outgoing data. An IP module with more than 1 network
interface is more complex than our original example in that it can
forward data onto the next network. Data can arrive on any network
interface and be sent out on any other.
TCP UDP
\ /
\ /
--------------
| IP |
| |
| --- |
| / \ |
| / v |
--------------
/ \
/ \
data data
comes in goes out
here here
Figure 5. Example of IP Forwarding a IP Packet
The process of sending an IP packet out onto another network is
called "forwarding" an IP packet. A computer that has been dedicated
to the task of forwarding IP packets is called an "IP-router".
As you can see from the figure, the forwarded IP packet never touches
the TCP and UDP modules on the IP-router. Some IP-router
implementations do not have a TCP or UDP module.
2.5 IP Creates a Single Logical Network
The IP module is central to the success of internet technology. Each
module or driver adds its header to the message as the message passes
down through the protocol stack. Each module or driver strips the
corresponding header from the message as the message climbs the
protocol stack up towards the application. The IP header contains
the IP address, which builds a single logical network from multiple
physical networks. This interconnection of physical networks is the
source of the name: internet. A set of interconnected physical
networks that limit the range of an IP packet is called an
"internet".
2.6 Physical Network Independence
IP hides the underlying network hardware from the network
applications. If you invent a new physical network, you can put it
into service by implementing a new driver that connects to the
internet underneath IP. Thus, the network applications remain intact
and are not vulnerable to changes in hardware technology.
2.7 Interoperability
If two computers on an internet can communicate, they are said to
"interoperate"; if an implementation of internet technology is good,
it is said to have "interoperability". Users of general-purpose
computers benefit from the installation of an internet because of the
interoperability in computers on the market. Generally, when you buy
a computer, it will interoperate. If the computer does not have
interoperability, and interoperability can not be added, it occupies
a rare and special niche in the market.
2.8 After the Overview
With the background set, we will answer the following questions:
When sending out an IP packet, how is the destination Ethernet
address determined?
How does IP know which of multiple lower network interfaces to use
when sending out an IP packet?
How does a client on one computer reach the server on another?
Why do both TCP and UDP exist, instead of just one or the other?
What network applications are available?
These will be explained, in turn, after an Ethernet refresher.
3. Ethernet
This section is a short review of Ethernet technology.
An Ethernet frame contains the destination address, source address,
type field, and data.
An Ethernet address is 6 bytes. Every device has its own Ethernet
address and listens for Ethernet frames with that destination
address. All devices also listen for Ethernet frames with a wild-
card destination address of "FF-FF-FF-FF-FF-FF" (in hexadecimal),
called a "broadcast" address.
Ethernet uses CSMA/CD (Carrier Sense and Multiple Access with
Collision Detection). CSMA/CD means that all devices communicate on
a single medium, that only one can transmit at a time, and that they
can all receive simultaneously. If 2 devices try to transmit at the
same instant, the transmit collision is detected, and both devices
wait a random (but short) period before trying to transmit again.
3.1 A Human Analogy
A good analogy of Ethernet technology is a group of people talking in
a small, completely dark room. In this analogy, the physical network
medium is sound waves on air in the room instead of electrical
signals on a coaxial cable.
Each person can hear the words when another is talking (Carrier
Sense). Everyone in the room has equal capability to talk (Multiple
Access), but none of them give lengthy speeches because they are
polite. If a person is impolite, he is asked to leave the room
(i.e., thrown off the net).
No one talks while another is speaking. But if two people start
speaking at the same instant, each of them know this because each
hears something they haven't said (Collision Detection). When these
two people notice this condition, they wait for a moment, then one
begins talking. The other hears the talking and waits for the first
to finish before beginning his own speech.
Each person has an unique name (unique Ethernet address) to avoid
confusion. Every time one of them talks, he prefaces the message
with the name of the person he is talking to and with his own name
(Ethernet destination and source address, respectively), i.e., "Hello
Jane, this is Jack, ..blah blah blah...". If the sender wants to
talk to everyone he might say "everyone" (broadcast address), i.e.,
"Hello Everyone, this is Jack, ..blah blah blah...".
4. ARP
When sending out an IP packet, how is the destination Ethernet
address determined?
ARP (Address Resolution Protocol) is used to translate IP addresses
to Ethernet addresses. The translation is done only for outgoing IP
packets, because this is when the IP header and the Ethernet header
are created.
4.1 ARP Table for Address Translation
The translation is performed with a table look-up. The table, called
the ARP table, is stored in memory and contains a row for each
computer. There is a column for IP address and a column for Ethernet
address. When translating an IP address to an Ethernet address, the
table is searched for a matching IP address. The following is a
simplified ARP table:
------------------------------------
|IP address Ethernet address |
------------------------------------
|223.1.2.1 08-00-39-00-2F-C3|
|223.1.2.3 08-00-5A-21-A7-22|
|223.1.2.4 08-00-10-99-AC-54|
------------------------------------
TABLE 1. Example ARP Table
The human convention when writing out the 4-byte IP address is each
byte in decimal and separating bytes with a period. When writing out
the 6-byte Ethernet address, the conventions are each byte in
hexadecimal and separating bytes with either a minus sign or a colon.
The ARP table is necessary because the IP address and Ethernet
address are selected independently; you can not use an algorithm to
translate IP address to Ethernet address. The IP address is selected
by the network manager based on the location of the computer on the
internet. When the computer is moved to a different part of an
internet, its IP address must be changed. The Ethernet address is
selected by the manufacturer based on the Ethernet address space
licensed by the manufacturer. When the Ethernet hardware interface
board changes, the Ethernet address changes.
4.2 Typical Translation Scenario
During normal operation a network application, such as TELNET, sends
an application message to TCP, then TCP sends the corresponding TCP
message to the IP module. The destination IP address is known by the
application, the TCP module, and the IP module. At this point the IP
packet has been constructed and is ready to be given to the Ethernet
driver, but first the destination Ethernet address must be
determined.
The ARP table is used to look-up the destination Ethernet address.
4.3 ARP Request/Response Pair
But how does the ARP table get filled in the first place? The answer
is that it is filled automatically by ARP on an "as-needed" basis.
Two things happen when the ARP table can not be used to translate an
address:
1. An ARP request packet with a broadcast Ethernet address is sent
out on the network to every computer.
2. The outgoing IP packet is queued.
Every computer's Ethernet interface receives the broadcast Ethernet
frame. Each Ethernet driver examines the Type field in the Ethernet
frame and passes the ARP packet to the ARP module. The ARP request
packet says "If your IP address matches this target IP address, then
please tell me your Ethernet address". An ARP request packet looks
something like this:
---------------------------------------
|Sender IP Address 223.1.2.1 |
|Sender Enet Address 08-00-39-00-2F-C3|
---------------------------------------
|Target IP Address 223.1.2.2 |
|Target Enet Address <blank> |
---------------------------------------
TABLE 2. Example ARP Request
Each ARP module examines the IP address and if the Target IP address
matches its own IP address, it sends a response directly to the
source Ethernet address. The ARP response packet says "Yes, that
target IP address is mine, let me give you my Ethernet address". An
ARP response packet has the sender/target field contents swapped as
compared to the request. It looks something like this:
---------------------------------------
|Sender IP Address 223.1.2.2 |
|Sender Enet Address 08-00-28-00-38-A9|
---------------------------------------
|Target IP Address 223.1.2.1 |
|Target Enet Address 08-00-39-00-2F-C3|
---------------------------------------
TABLE 3. Example ARP Response
The response is received by the original sender computer. The
Ethernet driver looks at the Type field in the Ethernet frame then
passes the ARP packet to the ARP module. The ARP module examines the
ARP packet and adds the sender's IP and Ethernet addresses to its ARP
table.
The updated table now looks like this:
----------------------------------
|IP address Ethernet address |
----------------------------------
|223.1.2.1 08-00-39-00-2F-C3|
|223.1.2.2 08-00-28-00-38-A9|
|223.1.2.3 08-00-5A-21-A7-22|
|223.1.2.4 08-00-10-99-AC-54|
----------------------------------
TA
BLE 4. ARP Table after Response
4.4 Scenario Continued
The new translation has now been installed automatically in the
table, just milli-seconds after it was needed. As you remember from
step 2 above, the outgoing IP packet was queued. Next, the IP
address to Ethernet address translation is performed by look-up in
the ARP table then the Ethernet frame is transmitted on the Ethernet.
Therefore, with the new steps 3, 4, and 5, the scenario for the
sender computer is:
1. An ARP request packet with a broadcast Ethernet address is sent
out on the network to every computer.
2. The outgoing IP packet is queued.
3. The ARP response arrives with the IP-to-Ethernet address
translation for the ARP table.
4. For the queued IP packet, the ARP table is used to translate the
IP address to the Ethernet address.
5. The Ethernet frame is transmitted on the Ethernet.
In summary, when the translation is missing from the ARP table, one
IP packet is queued. The translation data is quickly filled in with
ARP request/response and the queued IP packet is transmitted.
Each computer has a separate ARP table for each of its Ethernet
interfaces. If the target computer does not exist, there will be no
ARP response and no entry in the ARP table. IP will discard outgoing
IP packets sent to that address. The upper layer protocols can't
tell the difference between a broken Ethernet and the absence of a
computer with the target IP address.
Some implementations of IP and ARP don't queue the IP packet while
waiting for the ARP response. Instead the IP packet is discarded and
the recovery from the IP packet loss is left to the TCP module or the
UDP network application. This recovery is performed by time-out and
retransmission. The retransmitted message is successfully sent out
onto the network because the first copy of the message has already
caused the ARP table to be filled.
_______________________________________________________________________________
Reference in a new issue Copy permalink