The OSI Model

In this lesson, we're going to talk about the OSI reference model. The OSI reference model can be a bit intimidating at first. Most students are overwhelmed by it, but understanding the OSI model will help you in everyday networking activities and will make troubleshooting network problems a lot easier.

The OSI reference model was designed in 1983. Delegates from a number of major computer and telecommunications companies met and decided that there needed to be a standardized method of implementing network communications. Up until this point, most networking equipment tended to be proprietary. This meant you had to buy your hosts, network interfaces, and network connecting medium all from the same vendor. If you mixed equipment from different vendors, there was a good chance that your network wouldn't work.

The rationale for creating the OSI model was to design a standardized network communications model to create consistency within the industry. Another objective of the OSI model was to make network communications modular, meaning network products wouldn't be proprietary anymore. Using modularity, network equipment could be purchased from multiple vendors and it would work together. Without the OSI model, we would still be in a world of proprietary networking.

The OSI model breaks the communication between two hosts down into layers. These layers break the process into general tasks.

Seven Layers of Communication

The OSI model provides seven different layers of communication. The host on the left is the sender, and the host on the right is the receiver. When a message is sent from the sender, the message goes through all the layers of the OSI model before being transmitted across the network. This model allows standardized communications between these layers on different devices in a network.
An application functioning at the application layer of the model doesn't need to know how sessions between devices are handled or what physical medium is being used. It only needs to know how to format the information according to its layer's specifications and then send it to the next layer. The next layer then processes that information according to its specifications and forwards it to the next layer. This process continues until the information is transmitted to the receiving device. When the information arrives at the receiver, the same process is used, but in reverse. Each layer processes the information according to its specifications and then sends it up to the next layer until it finally reaches the receiving device's application layer.

You need to memorize the seven layers of the OSI model: the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer, and the application layer.

Summary

In this video, we learned why the OSI model was created, how it got rid of the need to buy proprietary equipment, and how it created modular networking components. We also learned about the seven layers in the OSI model and how information is passed between layers on a sending and receiving device.

OSI Model Layers

A basic understanding of each of the OSI model layers and what they do will help a ton when it comes to troubleshooting network problems. Before we talk about the individual OSI model layers, let's review how the OSI model layers are commonly grouped.

Grouping OSI Layers

One way to group the OSI model layers is to separate the bottom two layers from the top five layers. This is done because the bottom layers of the OSI model are related to the network architecture, or physical hardware. The bottom layers dictate how devices are connected and how data is transmitted. The top five layers are the networking protocols, such as TCP/IP.
These layers aren't really concerned with the hardware as much as with the software and the applications on the computer. Another common way to group the OSI model is to separate the two middle layers, layers three and four, from the top, creating three groups. The top layers are called the application layers, the middle layers are called the transport layers, and the bottom layers are the architecture layers. With this grouping, the top layers handle service protocols, such as HTTP, DNS, and other service-related protocols. The middle layers handle how messages get from one device to another through the network, but aren't really concerned with the physical devices of the network.

Because the OSI model layers are numbered seven through one, they will often be referred to by their number instead of their name. Let's review each layer in more detail.

The Application Layer

At the top we have layer seven: the application layer. This layer is responsible for integrating network services with the operating system. The application layer provides an interface between an application running on the system and the rest of the network. It doesn't refer to the application itself. Some of the protocols associated with the application layer include HTTP, FTP, TFTP, and SMTP. We refer to these protocols as belonging to the application layer, but in reality most of these protocols extend down through the session layer. In fact, many services or protocols actually span multiple layers. That's the case with many of these protocols; most of them will extend to the session layer. This is because programmers create protocols and services that function through multiple layers. However, when we describe these protocols, we do so at the highest layer that they function at, which for these protocols is the application layer.

The Presentation Layer

The presentation layer can be thought of as the formatting layer. This layer deals with syntax, encryption, and compression.
One example of this is a Web site using the HTTP protocol. When data is encrypted, the HTTP protocol doesn't do this. Instead, the SSL protocol encrypts the data at the presentation layer.

The Session Layer

At layer five we have the session layer, which is responsible for creating sessions between communicating devices. Each client connection is called a session. An example of this is multiple clients connected to a Web server. Each connected client is identified as a session. The session layer uses a session ID to identify unique sessions. This keeps the data streams separated so that information requested by one client isn't sent to another client. The session layer is also responsible for terminating sessions.

The Transport Layer

The transport layer is responsible for delivering data on a network. The transport layer receives data from the upper layers and segments it. For example, suppose you're downloading a 4 MB file from a Web site. The transport layer knows that a 4 MB file can't be sent all at once, so it segments the data. It divides the data into smaller blocks called segments and identifies each block with a sequence number. The sequence number helps the receiving device reassemble the segment blocks in the right order. The sequence number also helps identify any segments that got lost in transit, allowing a device to request retransmission of a lost segment. The transport layer is also responsible for flow control between two hosts. If data is being sent too fast or too slow, the receiving device can send a message telling the sending device to slow down or speed up.

TCP and UDP Protocols

Two specific protocols that are used at the transport layer are TCP and UDP. TCP is referred to as a connection-oriented protocol because it takes advantage of sequencing, error correction, and flow control to ensure that data sent from the upper layers is received at the receiving device.
UDP is referred to as a connectionless protocol because it is more concerned with moving data through the network, without necessarily ensuring that everything arrives at the destination device.

Port Numbers

The transport layer assigns port numbers. A port is a number which identifies an upper layer service running on a server. For instance, you could install a Web server and an email server on the same physical server system. Information received from lower levels needs to be redirected to the appropriate service running on the server. This is done using port numbers at the transport layer. Each service is associated with a unique port number, such as 80 for HTTP or 25 for SMTP. By using a port number, the transport layer can identify the upper layer protocol that the data is intended for.

The Network Layer

The network layer is responsible for moving data between systems throughout the internetwork and is where routing happens. Routing takes a message sent from a device to a router, to another router (maybe through several routers), and on to the destination device. Routing protocols specify how each router identifies destination networks and the path data should take to arrive at that destination network.

IP Address Assignment

One very important thing that happens at the network layer is the assignment of IP addresses. This is why the IP address is often referred to as a network layer address, or a layer three address. When a segment is passed off to the network layer, the source and destination IP addresses are added to the segment, and the data then becomes a packet.

The Data Link Layer

The data link layer is responsible for interfacing between the physical transmission media (the physical devices) and the network layer. This layer is divided into two sublayers. The top sublayer is called the logical link control sublayer, or LLC, and provides the interface between the lower layers and the upper layers.
The bottom sublayer is called the media access control sublayer, or MAC, and is responsible for identifying how devices can access the physical medium. The data link layer is where the MAC address is assigned. When a packet arrives from the network layer, the MAC address is added to the packet. Data at this layer is called a frame. A frame is the network layer packet with the MAC addresses of the source and destination devices added. Also included in a frame is a Cyclic Redundancy Check, or CRC. This is a mathematical value that helps the receiving device identify any errors that may have occurred during transmission. The data link layer also defines the logical topology of the network, or how devices access the media.

The Physical Layer

The physical layer is where we work with physical hardware. The physical layer also includes protocols that identify the cables, connectors, and devices that can be used on the network. For example, we could use the CAT6 protocol to define the type of cables used in the network and the RJ-45 protocol to define the connectors to use. At this point, the data that comes down to the physical layer is just a series of bits; it becomes electrical impulses, light pulses, or some kind of radio signal depending on the physical medium used.

By understanding the general function of each of the OSI model layers, you can more easily troubleshoot a network and effectively communicate with other network administrators.

Summary

In this lesson, we talked about the different ways to group the OSI model layers and what each layer is responsible for. The upper three layers are the protocols that deal with data. The session layer creates session IDs to distinguish between client communications. The transport and network layers are responsible for delivering segments and packets through the network. And the lower two OSI model layers are responsible for sending data between devices.
OSI Model Communications

The OSI model is a theoretical model for describing networking and network communications. In this video, we're going to describe how data is sent between two devices on a network, breaking down the process by OSI model layer.

Communication Process

We're going to use the OSI model to show how a web page is transmitted from one host to another. We have two devices in a network. This device is the source device. It's using an application layer protocol (HTTP) to create a web page. It wants to send the page to this computer, which is the destination device.

Sending Data

First, it will compress and encrypt the data at the presentation layer, then append the session ID at the session layer. The data then goes to the transport layer.

Segmentation

The transport layer breaks the data into blocks called segments and appends a port number to identify which top-layer application needs to receive the data on the destination device. Each segment is passed to the network layer.

Packets

The network layer appends the source and destination IP addresses to create a packet.

Frames

The packet is then passed to the data link layer, which adds the source and destination MAC addresses as well as the CRC. The packet is now called a frame. The frame is sent to the physical device, where it is translated into some kind of signal, such as electrical, radio, or light.

Bits

This frame then becomes a signal that represents a series of zeros and ones. Each data point in this string is called a bit. The network interface prepares this signal and sends it out on the transmission medium. The destination device receives this series of bits and interprets them as a frame. It looks at the MAC addresses and the CRC, and then removes them. It passes the data to the network layer as a packet. The IP addresses within the packet are examined and removed, and the packet is forwarded to the transport layer as a segment.
The segment is then examined, the port number is looked at, and it is forwarded up the OSI model layers to the appropriate application specified by the port number. The session ID is used, the encryption is removed, and the data is presented in its original form to the application that needs to interpret it; in this case, a browser.

Receiving Data

Data flows down through the layers of the OSI model on the sending system and is transformed at each layer. Data is broken down into segments, which are then transformed into packets, then frames, and then bits. On the receiving device, the bits are converted back to frames, then to packets, then into segments, and the segments are reassembled into the original data.

Summary

Using the OSI model to describe how devices talk to each other, we see data being transformed at each layer to get it ready to be sent through the network. At the upper layers, encryption, formatting, and session numbers are added to the data. At the middle layers, data is broken down into segments associated with a port number, then given the IP address. At the lower layers, packets are transformed into frames that include the source and destination MAC addresses, and frames are transformed into bits for transmission through the network. Receiving devices do all this in reverse, converting bits to frames, then to packets and segments, and finally back to the original data.

OSI Model Layer Functions

The following table describes the functions performed at each OSI model layer.

Physical (Layer 1)

The Physical layer of the OSI model sets standards for sending and receiving electrical signals between devices. Protocols at the Physical layer identify:
- Conversion of digital data (bits) to electric pulses, radio waves, or pulses of light.
- Specifications for cables and connectors.
- The physical topology.

Bits are the unit of data at the Physical layer. NICs, repeaters, hubs, WAPs, and modems function in Layer 1.
Data Link (Layer 2)

The Data Link layer has two sublayers:
- The LLC is the upper sublayer. It:
  - Is an interface between the MAC sublayer and the Network layer.
  - Provides flow control and transmission for analog and/or digital streams over a shared link for the logical link.
- The MAC layer is the lower sublayer. The MAC sublayer:
  - Controls the hardware.
  - Provides flow control and transmission for analog and/or digital streams over a shared link.

Frames are the unit of data at the Data Link layer. Switches, bridges, NICs, and WAPs function in Layer 2.

The Data Link layer defines the rules and procedures for hosts as they access the Physical layer. These rules and procedures define:
- How physical network devices are identified on the network, by defining a unique hardware address (physical or MAC address).
- How and when devices have access to the LAN and can transmit on the network medium (media access control and logical topology).
- How to verify that the data received from the Physical layer is error free (using parity and cyclic redundancy check (CRC)).
- How devices control the rate of data transmission between hosts (flow control).

Network (Layer 3)

The Network layer describes how data is routed across networks and on to the destination. The Network layer:
- Identifies hosts and networks by using logical addresses.
- Maintains a list of known networks and neighboring routers.
- Determines the next network point where data should be sent. To select the optimal path for data, routers use a routing protocol that takes various factors into account, such as the number of hops in the path, link speed, and link reliability.

A packet is the unit of data at the Network layer.

Transport (Layer 4)

The Transport layer provides a transition between the upper and lower layers of the OSI model. The transition makes the upper and lower layers transparent to each other. Transport layer functions include:
- End-to-end flow control.
- Port and socket number assignment.
- Segmentation, sequencing, and combination.
- Connection services, either reliable (connection-oriented) or unreliable (connectionless) delivery of data.

A data segment is the unit of data at the Transport layer.

Session (Layer 5)

The Session layer manages the sessions in which data are transferred. A session refers to each client connection. Session layer functions include:
- Management of multiple sessions. A server can concurrently maintain thousands of sessions.
- Assignment of a session ID number to each session to keep data streams separate.
- The setup, maintenance, and teardown of communication sessions.

Presentation (Layer 6)

The Presentation layer formats (presents) data in a form compatible for receipt by the Application layer or the destination system. Specifically, the Presentation layer:
- Formats and translates data between systems.
- Negotiates data transfer syntax between systems. It converts character sets to the correct format.
- Encapsulates data into message envelopes. It encrypts and compresses the data.
- Restores data through decryption and decompression.

Application (Layer 7)

The Application layer integrates network functionality into the host operating system and enables communication between network clients and services.
- The Application layer does not include specific applications that provide services, but rather provides the capability for services to operate on the network.
- Most Application layer protocols operate at multiple layers, down to the Session and even Transport layers. However, these protocols are classified as Application layer protocols because they start at the Application layer (the Application layer is the highest layer they operate in).
- Services typically associated with the Application layer include:
  - Hypertext Transfer Protocol (HTTP)
  - Telnet
  - File Transfer Protocol (FTP)
  - Trivial File Transfer Protocol (TFTP)
  - Simple Network Management Protocol (SNMP)

TCP/IP Model Layers

The TCP/IP model incorporates the general concepts and structure of the OSI model. The layers of the TCP/IP model are as follows:

Application layer

The Application layer corresponds to the Session, Presentation, and Application layers of the OSI model. Protocols associated with the Application layer include:
- FTP
- HTTP
- Telnet
- Simple Mail Transfer Protocol (SMTP)
- Domain Name System (DNS)
- SNMP

Transport layer

The Transport layer matches the Transport layer of the OSI model. This layer is responsible for:
- Error checking and reliable packet delivery.
- Breaking the data stream into segments.
- Assigning sequence numbers so the packets can be reassembled correctly on the remote side after transport.

Protocols associated with the Transport layer include:
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)

Internetwork layer

The Internetwork layer is comparable to the Network layer of the OSI model. It is responsible for moving packets through a network. This involves:
- Addressing hosts.
- Making routing decisions to identify how the packet traverses the network.

Protocols associated with the Internetwork layer include:
- Address Resolution Protocol (ARP)
- Internet Control Message Protocol (ICMP)
- Internet Group Management Protocol (IGMP)

Network layer

The Network layer (sometimes called the Link layer) corresponds to the Physical and Data Link layers of the OSI model. It is responsible for describing the physical layout of the network and formatting messages on the transmission medium.

Data Encapsulation and PDUs

Let's look at the Transmission Control Protocol/Internet Protocol model, or TCP/IP model, and how it encapsulates data as it moves through its different layers.
Then we'll look at some of the naming conventions for the TCP/IP model.

Request Encapsulated

Let's say that this system is a workstation that runs a web browser, and you've sent out a request to go to cisco.com. That request is encapsulated into what's called an HTTP GET, one of the most common methods used to retrieve or send a piece of data over the internet. HTTP (HyperText Transfer Protocol) is the protocol in the application layer that supports web requests. So, that request is put into a body of data and sent all the way down the model. It's important to recognize that, as data moves from top to bottom in our model, it moves from what you saw on screen down closer to the wire. In that journey, the data is changed. It may be manipulated, formatted, or have things added to it. But the web request you originally made from your application is still there. It's just being prepared for the next part of the journey. Once HTTP has put together the HTTP GET request, this piece of data is sent down to the transport layer.

Destination Port Added

One of the most important things that the transport layer does is add the destination port to your request. Port 80 is for HTTP, so that's going to be embedded within the data. Since TCP is being used for all HTTP requests, there will be extra fields there that have to do with reliability, connection-oriented services, acknowledgments, and so on. Those are added in by the handshaking safety mechanism built into the protocol. But we'll just focus on the addressing for now.

Segments Made

Once the data has an HTTP GET request and a port number attached to it, it's commonly called a segment. Another name for it is the transport layer PDU, or protocol data unit. It holds the information that the transport layer added above. Segments are passed down to the internet layer. At this stage, the data receives the IP addresses of both the source and the destination.
Packets Formed

Once the internet layer has added the IP addresses, this entire thing is called a packet. It's also called an internet layer, or network layer, PDU.

MAC Address Added

Next, this packet is brought down to the link layer. Its job is to add physical addressing. So, it adds MAC addresses, or media access control addresses, to the data. This is the destination, and this is the source. The source MAC address is the card you're sending from, and the destination MAC address is the next network device in line, the one that gets you closer to your final destination. It may not be the web server you're trying to reach; it could be a local router that gets you one hop closer. As the data goes down the model, it becomes larger as new information is added to it.

Frames Made

By the time the data gets to the bottom, it's called a frame. It's also called a link layer, or data link layer, PDU. You could say that a frame is a packet with extra headers added to it at the bottom, and a packet is just a segment with extra fields and headers attached. A segment is encapsulated within a packet, and a packet is encapsulated within a frame. This is how these models work from a sender's perspective. Remember, we wanted to send out a web request to get a web page. But no matter what we try to do in our application, the data will always have to go through these changes to make it happen. All this information is added to the original data in order to make it safer to address, get it to the right service, and provide acknowledgment that it was received.

Now let's look at it from the perspective of the receiving side. This frame was sent through the network, maybe across multiple switches or potentially multiple routers. It was finally received at the web server itself. The web server looks at the destination MAC address field and sees its own number. So, it knows this frame is intended for itself. It can then pass it up to its own internet layer.
If its own IP address is confirmed in there, then it will also check other safety and reliability features if necessary. Once all the data is validated, it's sent up to the Transport layer that runs within the web server. It verifies the port number; in this case, it's port 80. This means the incoming request is intended as a web request. So, the Transport layer passes the data up to HTTP on the Application layer, which retrieves the page that we wanted.

Encapsulated and De-Encapsulated

On the sending side, data is encapsulated from top to bottom. On the receiving side, those layers are removed, or de-encapsulated, from the bottom to the top. By the time it gets to the top of the receiver, those layers and fields are no longer important. Only the original data request made by the client's system is left. When you pass back the web page, the data will have to go through all the same steps again. Every piece of data, sent or received, has to go through this logic each time.

Summary

And that's all for our discussion about data encapsulation and PDUs. In this lesson, we talked about how the TCP/IP model organizes, formats, and prepares data for transmission. We also discussed how the data is encapsulated and de-encapsulated as it passes through the layers of TCP/IP.

Data Encapsulation TCP/IP Model

The following graphic gives you a high-level view of data encapsulation using the TCP/IP model. The callout numbers refer to the numbered descriptions below the graphic.

[Figure: TCP/IP data encapsulation. Application: data; Transport: segment (TCP/UDP header); Internet: packet (IP header); Link: frame (frame header), then the bits sent on the medium.]

1. The Application layer prepares the data to be sent through the network.
2. The Transport layer breaks the data into pieces called segments. The Transport layer adds sequencing and control information.
3. The Internet layer converts the segments into packets. The Internet layer adds logical network and device addresses.
4. The Link layer converts the packets into frames. The Link layer adds physical device addressing information and a frame check sequence (FCS) footer for error detection. It also converts the frames into bits (0s and 1s) for transmission across the transmission media.

Destination Host

On the destination host, the process operates in reverse, with bits from the network medium sent to the Link layer and processed up the model to the destination Application layer.

Data Encapsulation Key Points

The following can help you remember how data moves through the data encapsulation process.
- Application layer: data.
- Transport layer: segments.
- Internet layer: packets containing logical addresses.
- Link layer: framing that adds physical addresses, and bits that are transmitted on the network medium.

Data Encapsulation OSI Model

The encapsulation process works in the same manner using the OSI model. As data travels through the OSI model layers, it is broken into segments at the Transport layer. Logical addresses are added at the Network layer, making each segment a packet. The Data Link layer creates frames from each packet using the physical device (MAC) address. Frames are converted to bits at the Physical layer.

Address Resolution Protocol (ARP)

In this lesson, we'll go over the Address Resolution Protocol, or ARP. This protocol enables systems to dynamically discover the MAC, or media access control, addresses of other systems that they're trying to communicate with. Every system on the network has its own IP address. For example, let's suppose that my workstation's IP address is 172.16.0.1. IP addresses are 4 bytes in length, so each of these numerals represents 1 byte of information. IP is a layer 3 address (in other words, the network layer).

Discovers MAC Addresses

The system here also has a burnt-in physical MAC address, which is 6 bytes in length. Let's just make up a number here.
This may not look like a number to you, but that's because MAC addresses are expressed in hexadecimal notation. That means you can have letters and numbers. Each one of these represents a byte. Those two numbers uniquely identify me from both a card perspective and a network, or routing, perspective.

Now, let's diagram a very simple network with two directly connected systems. Station A is here, and Station B is here. Each of these systems has an IP address and a MAC address. Let's assign Station A to .0.1, and Station B to .0.2. Station A is 172.16.0.1, and Station B is 172.16.0.2. I won't write down their MAC addresses, but these would be 6-byte addresses, like we saw earlier.

If A is trying to send data to B, it needs to create a packet and then wrap it in a frame. Packets contain the sender's IP and the receiver's IP. So, when Station A is building the packet, it has to place both its own IP and Station B's IP into the packet header. At this point, there still isn't a physical address of any system attached to the data. That's what the frame is going to hold. Once the packet is built, ARP's purpose is to enable Station A to dynamically discover the MAC address of Station B. If Station A has never talked to Station B, it won't know the MAC address. But, once a station has communicated with another node on the network, it'll remember the MAC address for future use.

Sends Broadcast Frames

What ARP does is send out a broadcast frame. A broadcast frame is a piece of data intended for all recipients. It's a special MAC address built into the frame. It's made up of all binary 1s. Each byte corresponds to 8 bits. 6 times 8 is 48, so there are 48 consecutive 1 bits. That's what's going into the destination MAC address field of the frame. When the frame goes out, it'll be received by Station B and then by anyone else that may be on that network. B will pick it up and say, "Oh, you're looking for my IP address. That's me."
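The broadcast request, unicast reply, and ARP table aging described in this lesson, as an added example that is not part of the original lesson: two stations on one shared LAN, using the lesson's 172.16.0.1 and 172.16.0.2 addresses. The Station and Lan classes, the MAC addresses, and the 120-second entry lifetime are constructed for the example.

```python
# Link-layer broadcast address: 6 bytes of all binary 1s, 48 consecutive 1 bits,
# which is what goes into the destination MAC field of an ARP request.
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Station:
    """A host on one shared LAN with an IP address, a MAC address and an ARP table."""

    def __init__(self, name, ip, mac, cache_seconds=120):
        self.name, self.ip, self.mac = name, ip, mac
        self.cache_seconds = cache_seconds  # assumed lifetime of a learned entry
        self.arp_table = {}                 # ip -> (mac, time the entry was learned)
        self.lan = None                     # set when the station is attached to a LAN

    def cached_mac(self, ip, now):
        """Return the MAC stored for ip, or None if it is unknown or has aged out."""
        entry = self.arp_table.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at > self.cache_seconds:
            del self.arp_table[ip]          # expired: forget it and ask again
            return None
        return mac

    def resolve(self, target_ip, now):
        """Discover target_ip's MAC: from the ARP table if fresh, else by ARP request."""
        mac = self.cached_mac(target_ip, now)
        if mac is not None:
            return mac, "cache"
        request = {"op": "request", "sender_ip": self.ip, "sender_mac": self.mac,
                   "target_ip": target_ip}
        # The request rides in a broadcast frame, so every station on the LAN sees it.
        frame = {"dst_mac": BROADCAST_MAC, "src_mac": self.mac, "payload": request}
        reply = self.lan.deliver(frame)
        if reply is None:
            return None, "no reply"         # nobody on this LAN owns target_ip
        learned = reply["payload"]["sender_mac"]
        self.arp_table[target_ip] = (learned, now)
        return learned, "arp"

    def receive(self, frame):
        """Handle an incoming frame; answer ARP requests for our own IP with a unicast reply."""
        if frame["dst_mac"] not in (self.mac, BROADCAST_MAC):
            return None                     # not addressed to this card: ignore it
        req = frame["payload"]
        if req["op"] != "request" or req["target_ip"] != self.ip:
            return None                     # a request for someone else: stay quiet
        reply = {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac,
                 "target_ip": req["sender_ip"]}
        # Unicast: addressed straight back to the requester's MAC, not broadcast.
        return {"dst_mac": req["sender_mac"], "src_mac": self.mac, "payload": reply}


class Lan:
    """One shared medium: a frame put on it is offered to every attached station."""

    def __init__(self, *stations):
        self.stations = list(stations)
        for station in self.stations:
            station.lan = self

    def deliver(self, frame):
        reply = None
        for station in self.stations:
            if station.mac == frame["src_mac"]:
                continue                    # a station does not receive its own frame
            answer = station.receive(frame)
            if answer is not None:
                reply = answer
        return reply


def demo():
    """Constructed scenario: A resolves B three times, then asks for an absent host."""
    a = Station("A", "172.16.0.1", "00:11:22:33:44:01")   # MAC addresses are made up
    b = Station("B", "172.16.0.2", "00:11:22:33:44:02")
    Lan(a, b)
    first = a.resolve("172.16.0.2", now=1000.0)    # broadcast request, unicast reply
    second = a.resolve("172.16.0.2", now=1010.0)   # answered from A's ARP table
    third = a.resolve("172.16.0.2", now=1500.0)    # entry aged out: broadcast again
    missing = a.resolve("172.16.0.9", now=1500.0)  # no station owns this IP
    return first, second, third, missing


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third", "missing"), demo()):
        print(label, result)
```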
Replies as Unicast

B will recognize that an ARP request is coming in. This process is called an ARP request. It'll respond to A with an ARP reply. The ARP reply comes back as a unicast intended directly for A. Station B is telling Station A, "So, you're asking for my MAC address? Well, here it is." Once A receives that ARP reply, it'll add an entry in the ARP table and store it locally. In the future, if it needs to reach the IP address 172.16.0.2, it'll send it to this MAC address. Entries in the ARP table only stay there for a certain period of time. A Windows PC will remember it for a few minutes. Some network devices will remember it for hours. It all depends on the network device that maintains the table. The purpose of the ARP table is to allow a system to build frames that target remote MAC addresses. Whenever you need to send a packet to a system that's on the same network as you, and you don't know the MAC address, ARP sends out a broadcast to request that information.

Summary

And that's all for this video. In this lesson, we talked about the purpose of ARP, which is to dynamically discover the MAC addresses of systems we want to send packets to. If you know the system's IP address, which is a layer 3 function (a packet function), then you can use ARP to discover the corresponding MAC address of that system. This is so you can encapsulate the packet within a frame and then send the frame to that system. Remember that ARP requests go out as broadcasts, and ARP replies come back as unicasts that provide the MAC address you're looking for.

Packets and Frames

In this video, we're going to talk about packets and frames, the type of information built into each, and how they're both used to transmit data across a network. It's important to know these concepts in order to understand both routing and switching. First, let's look at how packets and frames are created using the Transmission Control Protocol/Internet Protocol model, the TCP/IP model.
The TCP/IP Model

In the TCP/IP model, the Internet layer is where the processes of routing and IP addressing happen. At this stage, a piece of data is called a packet. IP addresses are logical; this means they're software. They're configured by you or by a network process on your system.

Data Link Layer

After packets are generated, they're sent down to the Data Link layer for processing. The Data Link layer is responsible for adding the MAC addresses, or Media Access Control addresses, of both the sender and the receiver. MAC addresses are physical. They're burnt into the network port of a system. At this point, the data is called a frame.

Packet Created

Let's see how this process works. In this example, we have Workstations A and B trying to communicate. A is trying to send a piece of data to B. A knows its own IP and MAC address. The first thing A will do is create a packet, which contains the data that needs to be sent. Workstation A creates a packet out of that data at the Internet layer of the TCP/IP model (the Network layer in OSI terms). To show that, I'll add a series of fields in front that contain the source IP address and the destination IP address. Since A isn't directly connected to B, the data will go through several different network devices to get there. There are a couple of switches in place and a couple of routers in the middle. Routers also have IP addresses and MAC addresses, like every other system on a network.

Frame Created

The first thing that Workstation A will do after it creates this packet is put it into a frame and deliver it to the next hop on the route toward Workstation B. The first hop between A and B is this router, here. More specifically, it's this interface on the router. As we'll see later, the switches enable frame processing, but they're not considered next hops for packets. Let's give these routers IP addresses as well. The IP address of this interface is a.a.a.a, and the IP address of the second interface is b.b.b.b. Note that the destination IP is not a.a.a.a.
The destination IP is always the last node, or final node, that you're trying to talk to.

Destination and Source MAC Address Added

The frame adds fields in front of the packet. This is done at Layer 2, or the Data Link layer. These fields include the destination MAC address and the source MAC address. The source MAC address is A's. But the destination MAC address is the MAC address of this interface on the router, not Workstation B's. We have the IP addresses here, but no MAC addresses are shown. So, I'm going to put the router's MAC address in here. To get the router's MAC address, A will use the Address Resolution Protocol, or ARP, process if it hasn't talked to the router yet. It'll be able to auto-discover the MAC address. Once it's discovered, A places that address in the destination MAC field, and now we have a fully built frame.

Frame Processed

The frame you're seeing on top here is the frame required to get from Workstation A to Router 1. That frame is then sent out onto the network and transmitted across this segment. Then it's received by this interface on the router. Once the router receives the frame, it looks at the destination MAC address and sees its own. Now it knows that this frame was intended for itself. The router then removes the frame's header, which was only necessary to get the piece of data to that router. Then the router examines the packet's destination IP address. The router realizes that the destination IP address is reachable only by sending the data to Router 2. So, Router 1 takes the exact same packet it received and puts a new frame header in front. The source IP address and destination IP address are still there. This portion didn't change. It's the same packet that A created and sent to the router.

Packet Reframed for Each Hop

The new frame contains the source MAC address of Router 1's outgoing interface and the destination MAC address of Router 2's interface. This is the second hop of the journey. The first frame got the data from A to Router 1.
This second frame takes the data from Router 1 to Router 2. This is a hop-by-hop mechanism. Every hop uses a different frame with different MAC addresses, but the packet information is preserved from end to end. Next, Router 2 receives the data. Router 2 sees its own MAC address in the destination field, and it knows the frame was intended for itself. Then Router 2 strips off the frame header and looks at the destination IP field. It sees that the destination IP address of Workstation B is on a network it's directly connected to. So, the final hop of the journey is to create a frame with the destination MAC address of Workstation B (2222 in the diagram) and the source MAC address of Router 2. The last frame of the journey takes the data from Router 2 to Workstation B. To get the data from A to B, we created one packet. Router 1 and Router 2 examined this packet as it traversed the network. But, on each leg of the journey, a new frame was created to get it closer and closer. It finally made it all the way to B. In this case, one packet was encapsulated three times in three separate frames. In a real network, your final destination could be even farther away, maybe 17 hops or more.

Summary

That's it for this discussion of packets and frames. In this video, we learned how packets are built and encapsulated within frames and how they move across the network.

IP-based Communications

During IP-based communications between two network hosts, the following processes occur:

1. The data to be transferred is encapsulated on the sending host by moving from the top layer of the TCP/IP or OSI model to the bottom.
2. The data is transmitted on the network medium.
3. If necessary, the data is transferred to various routers that forward the data to the appropriate network.
4. The data is delivered to the destination host.
5. The received data is de-encapsulated on the destination host by moving from the bottom layer of the TCP/IP or OSI model to the top.
Process Details

Source host encapsulation

The data to be transferred is encapsulated on the sending host from the top layer of the TCP/IP or OSI model to the bottom. The following events occur:

1. The Application layer prepares the data to be sent through the network by encoding it using the appropriate Application layer protocol.
2. The Transport layer receives the data stream from the Application layer and:
   o Breaks it into smaller chunks called segments.
   o Adds a Transport layer header to each segment. The header identifies the source port and the destination port, as well as sequencing and control information.
3. The Internet layer converts the segments into packets by adding an Internet layer header that specifies source and destination IP addresses for each packet. IP addresses are 32-bit (4-byte) logical addresses that can be assigned, unassigned, and reassigned as needed.
4. The Link layer converts the packets into frames by adding a Link layer header that specifies source and destination media access control (MAC) addresses for each frame. A MAC address:
   o Is a 48-bit (6-byte) address that is physically assigned in the firmware of all network interfaces.
   o Uniquely identifies each interface on the network.
   o Is displayed using hexadecimal notation.
5. Each frame is converted into bits and transmitted across the network media.

Network transmission

The source and destination IP addresses are used to determine whether the hosts reside on the same network or on different networks:

- If they reside on the same network, the data can be sent directly to the destination host. The Address Resolution Protocol (ARP) is used to determine the MAC address of the host using the destination IP address:
  1. The sending host checks its ARP cache to see if it already has an IP-to-MAC address mapping for the host. If so, it transmits the frames to the destination host's MAC address. If not, it must use the remaining steps to determine the appropriate MAC address.
  2. The sending host sends out an ARP broadcast frame addressed to all MAC addresses on the subnet to ask for the hardware address of the host with the destination IP address.
  3. The host with the destination IP address responds to the ARP broadcast with a unicast transmission containing its MAC address. All other hosts ignore the broadcast. (Nothing in ARP verifies that reply; a host that answers for an IP address it does not own is cached just like the real owner, which is why ARP caches are a classic target on a local network.)
  4. The sending host caches the destination host's MAC address in its ARP cache.
  5. The source MAC address of the frames is set to the MAC address of the sending system, and the destination MAC address is set to the MAC address of the receiving system.
  6. The sending host transmits the frames to the destination host's MAC address.

- If they reside on different networks, the packets must be forwarded from router to router until they reach the appropriate destination network and host. The following occurs in this situation:
  1. If it's not already cached, the source system uses ARP to determine the MAC address of the first-hop router interface that is connected to the same network segment as the source host (usually the default gateway router).
  2. The source MAC address of the frames is set to the MAC address of the sending system, but the destination MAC address is set to the MAC address of the router interface identified with ARP.
  3. The frames are transmitted to the first router.
  4. The first router:
     o Removes the frame header information and examines the packets in the transmission for their source and destination IP addresses.
     o If the destination host is on a network that is directly connected to the router, uses ARP to discover the destination host's MAC address (if it's not already cached).
     o Re-encapsulates the packets in new frames with the destination host's MAC address.
     o Transmits the frames directly to the destination host.
     If the destination host is not on a directly connected network, the remaining steps occur.
  5. The router uses its routing table to determine the next router the packets should be sent to.
  6. The router re-encapsulates the packets in the transmission in new frames.
  7. The source MAC address of the frames is set to the MAC address of the local router interface, and the destination MAC address is set to the MAC address of the next-hop router interface.
  8. The router transmits the frames to the MAC address of the next-hop router interface.
  Then:
  o The routing process repeats until the packets arrive at a router that is directly connected to the same network as the destination host.
  o That router receives the frames and removes the frame headers.
  o The router examines the packets. It recognizes that the destination host resides on a network that is directly connected to the router.
  o If necessary, the router uses ARP to determine the MAC address of the destination system.
  o The router re-encapsulates the packets in new frames. The source MAC address of the frames is set to the MAC address of the router interface. The destination MAC address is set to the MAC address of the destination host.
  o The frames are transmitted to the destination host.

Destination host de-encapsulation

The data received is de-encapsulated on the destination host by moving from the bottom layer of the TCP/IP or OSI model to the top.

1. The Link layer converts bits received on the network medium into frames and passes them to the Internet layer.
2. The Internet layer extracts the packets from the frames and passes them to the Transport layer.
3. The Transport layer extracts the segments from the packets and uses sequencing and error control information to request retransmission of any missing or damaged segments.
4. The Transport layer uses sequencing information to reassemble the segments in order and passes the resulting data stream to the Application layer.
5. The Application layer uses the appropriate Application layer protocol to convert that data back into the original data stream from the application on the source host.
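The ARP lesson, the packets-and-frames walkthrough, and the process steps above all describe one mechanism: a packet whose IP header never changes, re-wrapped in a new frame at every hop, with ARP filling the destination MAC on a cache miss. The following is an added example, not code from the lesson or from TestOut, that models exactly that in plain Python: Workstation A sends one packet to Workstation B across two routers, and the code records the frame used on each hop and the ARP traffic each node generated. All addresses, the three network segments, and the routing tables are made up for the example.

```python
"""Hop-by-hop encapsulation with ARP, in plain Python. Added example, not code
from the lesson: Workstation A sends one packet to Workstation B across two
routers. The packet keeps its IP addresses end to end; each hop builds a fresh
frame, resolving the next hop's MAC with an ARP broadcast on a cache miss and
from the ARP cache after that. All addresses are made up for the example."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip payload")  # Layer 3 header: same end to end
Frame = namedtuple("Frame", "src_mac dst_mac packet")   # Layer 2 header: new on every hop


class Segment:
    """One broadcast domain (a switch). Records every frame it carries."""
    def __init__(self, cidr):
        self.network = ipaddress.ip_network(cidr)
        self.ports = []   # (node, ip, mac) for each attached interface
        self.frames = []

    def attach(self, node, ip, mac):
        self.ports.append((node, ip, mac))
        node.ifaces.append((self, ip, mac))

    def arp_request(self, target_ip):
        """Broadcast to ff:ff:ff:ff:ff:ff: every station sees it, only the
        owner of target_ip answers, and its reply is a unicast to the asker."""
        for _, ip, mac in self.ports:
            if ip == target_ip:
                return mac
        return None       # nobody on this segment owns that IP

    def deliver(self, frame):
        self.frames.append(frame)
        for node, _, mac in self.ports:
            if mac == frame.dst_mac:   # only the addressed interface takes it
                node.receive(frame)


class Node:
    def __init__(self, name, forwards=False, routes=None):
        self.name = name
        self.forwards = forwards    # routers forward packets not addressed to them
        self.routes = routes or {}  # CIDR -> next-hop IP; "0.0.0.0/0" is the default route
        self.ifaces = []            # (segment, ip, mac)
        self.arp_cache = {}         # ip -> mac learned from ARP replies
        self.arp_requests = 0       # broadcasts sent, so cache hits are observable
        self.received = []          # packets addressed to this node

    def next_hop(self, dst_ip):
        """Directly connected: the host itself. Otherwise: the next hop of the
        longest-matching route (usually the default gateway)."""
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in seg.network for seg, _, _ in self.ifaces):
            return dst_ip
        for cidr in sorted(self.routes, key=lambda c: -ipaddress.ip_network(c).prefixlen):
            if addr in ipaddress.ip_network(cidr):
                return self.routes[cidr]
        raise RuntimeError(f"{self.name}: no route to {dst_ip}")

    def send(self, packet):
        hop_ip = self.next_hop(packet.dst_ip)
        seg, _, my_mac = next(i for i in self.ifaces
                              if ipaddress.ip_address(hop_ip) in i[0].network)
        if hop_ip not in self.arp_cache:   # ARP only on a cache miss
            self.arp_requests += 1
            mac = seg.arp_request(hop_ip)
            if mac is None:
                raise RuntimeError(f"{self.name}: no ARP reply from {hop_ip}")
            self.arp_cache[hop_ip] = mac
        seg.deliver(Frame(my_mac, self.arp_cache[hop_ip], packet))

    def receive(self, frame):
        packet = frame.packet   # strip the Layer 2 header
        if any(packet.dst_ip == ip for _, ip, _ in self.ifaces):
            self.received.append(packet)
        elif self.forwards:
            self.send(packet)   # same packet, new frame for the next hop


def build_topology():
    """A --net1-- R1 --net2-- R2 --net3-- B (made-up addresses)."""
    net1, net2, net3 = Segment("172.16.0.0/24"), Segment("10.0.0.0/30"), Segment("192.168.1.0/24")
    a = Node("A", routes={"0.0.0.0/0": "172.16.0.1"})
    r1 = Node("R1", forwards=True, routes={"192.168.1.0/24": "10.0.0.2"})
    r2 = Node("R2", forwards=True, routes={"172.16.0.0/24": "10.0.0.1"})
    b = Node("B", routes={"0.0.0.0/0": "192.168.1.1"})
    net1.attach(a, "172.16.0.10", "aa:aa:aa:aa:aa:aa")
    net1.attach(r1, "172.16.0.1", "11:11:11:11:11:01")
    net2.attach(r1, "10.0.0.1", "11:11:11:11:11:02")
    net2.attach(r2, "10.0.0.2", "22:22:22:22:22:01")
    net3.attach(r2, "192.168.1.1", "22:22:22:22:22:02")
    net3.attach(b, "192.168.1.20", "bb:bb:bb:bb:bb:bb")
    return (a, r1, r2, b), (net1, net2, net3)


def send_a_to_b(payload="hello"):
    """Send one packet A -> B; return it, the frame used on each hop, and the nodes."""
    nodes, segments = build_topology()
    pkt = Packet("172.16.0.10", "192.168.1.20", payload)
    nodes[0].send(pkt)
    return pkt, [f for seg in segments for f in seg.frames], nodes
```

Calling `send_a_to_b()` produces three frames whose MAC pairs change at every hop (A to R1, R1 to R2, R2 to B) while every frame carries the identical packet, and each node ends up with exactly one ARP cache entry: A for its gateway, R1 for R2's interface, R2 for B. Sending the same packet again raises no ARP broadcast at all, which is the cache behaviour the lesson describes. One thing the model is deliberately generous about: `arp_request` lets only the true owner answer. On a real segment nothing enforces that, so a station that replies for an address it does not own gets cached like any other, which is the weakness behind ARP cache poisoning and the reason ARP caches are worth monitoring.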
MTU

If there are multiple paths to a distant network, a routing protocol assigns a metric to each directly connected network link. The metric value can be thought of as the cost of sending a packet over that link. The metric is used when determining the best path to a network. The maximum transmission unit (MTU) setting on a router interface determines the largest packet that can be carried as the payload of a single frame on that link. While payload size is not usually included in a metric, it is sometimes used as a tie-breaker when two links or paths have the same cost.

Three-Way Handshake and TCP Flags

We've talked about data encapsulation, packets, and frames. Now we're going to spend some time talking about TCP. If you recall, TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection with a system port.

TCP Flags

TCP packets have flag indicators. Two of these indicators are SYN and ACK. SYN starts a connection between two systems. ACK acknowledges that a packet has been received. There are other flag options as well. Any of these indicators can be turned on or off using a packet crafter.

Three-Way Handshake

The three-way handshake occurs when you're trying to use TCP to connect to a port. As indicated by the name, the handshake has three steps.

Example

Let's say, for example, Computer 1 wants to connect with Computer 2. Computer 1 sends a SYN packet to Computer 2. Computer 2 receives the packet and sends a SYN/ACK packet to Computer 1. Computer 1 receives the SYN/ACK packet and replies back with an ACK packet, and the connection is complete.

Open Scan

A full connect, or full open scan, completes the full three-way handshake on every port it probes. Open ports respond with a SYN/ACK, and closed ports respond with an RST flag, ending the attempt. This can be a good scan for an IT administrator who's trying to see what ports are open or closed. But for hackers and other malicious intruders, this scan isn't very helpful, because every completed connection is visible to the listening application and its logs, so it's not frequently used.
Basically, you knocked on the door, they answered, and you introduced yourself.

Stealth Scan

A stealth scan, also known as a half-open scan, sends a SYN packet to a port. If the port is open, the target replies with a SYN/ACK, but the three-way handshake never completes because the scanning system doesn't reply with the final ACK. At this point, you've discovered an open port. But because an ACK packet wasn't sent, a connection wasn't actually made, so the application listening on that port never sees it and has nothing to log. (A firewall or intrusion detection system watching the wire can still record the SYN and the SYN/ACK, which is how this scan gets caught.) Remember when you were a kid, and you knocked on the neighbor's door, ran away, and watched to see if he answered? That's pretty much what you just did here. This scan is more appealing to hackers, so as a cyber defense analyst you need to be aware of it and safeguard against it.

Xmas Tree Scan

A Xmas tree scan gets its name because several flags are turned on at once (FIN, PSH, and URG in the classic version, or every flag in some tools), and the packet is basically lit up like a Christmas tree. The recipient has no idea what to do with this packet, so it's either ignored or dropped. If you get an RST packet, you know the port is closed. If you don't get a response, the port may be open, or a firewall may have dropped the probe.

Idle Scan

The last port scan we'll talk about is the idle scan. This scan is a lot more complicated, but it's stealthy and effective. The hacker finds a target machine, but wants to avoid getting caught, so she finds another system to take the blame. This is frequently called a zombie machine because, to the hacker, it's disposable, and it creates a good distraction. The scan doesn't pass through the zombie like a proxy; the probes are sent to the target with the zombie's IP address as their source, so the target's replies and logs point at the zombie, and the hacker reads the result indirectly from changes in the zombie's IP identification (IP ID) counter. If that zombie machine is flagged, the hacker can simply pick another zombie machine and continue working. As a security analyst, you should know about this scan and safeguard your ports against any possible attacks.

Summary

That's it for this lesson. In this video, we talked about the TCP protocol. We talked about three-way handshakes, TCP flags, and different scans you can conduct using those flags. We described the open scan, stealth scan, Xmas tree scan, and the idle scan.
Now you've learned how flag manipulation can help you find open ports.

TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection with a system port. When examining a TCP packet, you'll notice the flag indicators. Two of these indicators are SYN and ACK. SYN starts a connection between two systems. ACK acknowledges that a packet has been received. There are other flag options as well. You can turn any of these indicators on or off using a packet crafter.

This lesson covers the following topics:

- Three-way handshake
- TCP flags

Three-Way Handshake

The three-way handshake occurs when TCP tries to establish a reliable connection. As indicated by the name, the handshake has three steps:

1. Computer 1 sends a SYN packet to Computer 2.
2. Computer 2 receives the packet and sends a SYN/ACK packet to Computer 1.
3. Computer 1 receives the SYN/ACK packet and replies with an ACK packet. The connection is then complete.

TCP Flags

The following table describes TCP flags.

Flag   Description
SYN    Starts a connection between hosts.
ACK    Acknowledges the receipt of a packet.
FIN    Indicates that no additional data will be sent.
RST    Resets a connection.
URG    Flags a packet as urgent.
PSH    Tells the receiving system to push buffered data up to the application immediately.
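The handshake, the flag table, and the scans described in this lesson come down to one byte in the TCP header and how a host answers a segment that matches no existing connection. The following is an added example, not code from the lesson or from TestOut, that puts those pieces together in plain Python: it packs the six flags from the table into the flag byte, models the reply an RFC 793 host gives to a probe on an open or closed port, runs the full-connect, half-open (SYN), and Xmas tree probes against that model so the difference in what the target sees becomes visible, and finishes with the defender's side, a check over constructed flow records for a source that sends SYNs to many ports but never completes a handshake. The addresses, ports, and flow records are made up, and the target model is the RFC's idealized behaviour, not any particular operating system.

```python
"""TCP flags and port-scan behaviour in plain Python. Added example, not code
from the lesson: packs the six flags from the table into the TCP header flag
byte, models how an RFC 793 host answers a probe on an open or closed port,
runs the lesson's full-connect, half-open (SYN) and Xmas probes against that
model, and ends with the defender's check: a source that SYNs many ports but
never completes a handshake. Addresses, ports and flow records are made up."""
from collections import defaultdict

# Bit positions in the flags byte of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def pack_flags(*names):
    """Flag names -> the header byte a packet crafter would write."""
    byte = 0
    for n in names:
        byte |= FLAGS[n]
    return byte


def unpack_flags(byte):
    """Header byte -> set of flag names that are on."""
    return {n for n, bit in FLAGS.items() if byte & bit}


def target_response(probe, port_open):
    """Flags an RFC 793 stack sends back to a probe that matches no connection
    (LISTEN for an open port, CLOSED for a closed one). None means silence."""
    f = unpack_flags(probe)
    if "RST" in f:
        return None                                 # a reset is never answered
    if "ACK" in f:
        return pack_flags("RST")                    # nothing to acknowledge: reset
    if "SYN" in f:
        return pack_flags("SYN", "ACK") if port_open else pack_flags("RST", "ACK")
    # FIN/PSH/URG with no SYN or ACK (Xmas, FIN, NULL probes):
    # an open port silently drops it, a closed one answers RST/ACK.
    return None if port_open else pack_flags("RST", "ACK")


def probe(port_open, flags, complete_handshake=False):
    """One probe from the scanner's side: (port state, handshake completed?).
    complete_handshake=True is the full-connect scan (third step is an ACK);
    False is the half-open scan (an RST is sent instead, so nothing is logged)."""
    reply = target_response(flags, port_open)
    r = unpack_flags(reply) if reply is not None else set()
    if "RST" in r:
        return "closed", False
    if unpack_flags(flags) == {"SYN"}:
        if r == {"SYN", "ACK"}:
            return "open", complete_handshake
        return "filtered", False                    # SYN unanswered: dropped in the path
    return "open|filtered", False                   # Xmas/FIN/NULL: silence is ambiguous


def scan_host(open_ports, ports, flags, complete_handshake=False):
    """Probe each port with the same flags; return {port: state} and how many
    three-way handshakes the target actually saw completed (and could log)."""
    states, completed = {}, 0
    for p in ports:
        states[p], done = probe(p in open_ports, flags, complete_handshake)
        completed += done
    return states, completed


def detect_syn_scanners(flows, min_ports=5):
    """Defender's check over (src_ip, dst_port, flags_byte) records of packets a
    source sent: flag sources that SYN'd many ports but ACK'd none of them."""
    syn_ports, ack_ports = defaultdict(set), defaultdict(set)
    for src, port, flags in flows:
        f = unpack_flags(flags)
        if f == {"SYN"}:
            syn_ports[src].add(port)
        elif f == {"ACK"}:                          # third step of a handshake
            ack_ports[src].add(port)
    return sorted(src for src, ports in syn_ports.items()
                  if len(ports - ack_ports[src]) >= min_ports)


# Constructed flow records: 10.0.0.5 half-open scans six ports (one RST after a
# SYN/ACK), 10.0.0.9 makes one ordinary connection to port 443.
SAMPLE_FLOWS = [("10.0.0.5", p, pack_flags("SYN")) for p in (21, 22, 25, 80, 443, 8080)] + [
    ("10.0.0.5", 80, pack_flags("RST")),
    ("10.0.0.9", 443, pack_flags("SYN")),
    ("10.0.0.9", 443, pack_flags("ACK")),
    ("10.0.0.9", 443, pack_flags("PSH", "ACK")),
]

if __name__ == "__main__":
    open_ports, ports = {22, 80}, [21, 22, 25, 80, 443]
    print("full connect:", scan_host(open_ports, ports, pack_flags("SYN"), True))
    print("half open:   ", scan_host(open_ports, ports, pack_flags("SYN")))
    print("xmas:        ", scan_host(open_ports, ports, pack_flags("FIN", "PSH", "URG")))
    print("syn scanners:", detect_syn_scanners(SAMPLE_FLOWS))
```

Against the same host, the full-connect and half-open scans report identical port states, but only the full-connect scan leaves completed handshakes for the listening applications to log; the Xmas probe can never say more than "open or filtered" for a port that stays silent. Two practical caveats: the model follows the RFC, and some stacks (Microsoft Windows is the usual example) answer FIN and Xmas probes with an RST whether the port is open or not, so an RST there proves only that a host exists; and the SYN-scan detector is a starting point, not a rule to deploy as-is, because a threshold this low will also catch a browser opening many connections to one busy host, so in practice you tune `min_ports` and count distinct destination ports per destination host.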