Ways of Looking at Computer Communication
- Application-to-Application - the APPLICATION LAYER
- Program-to-program delivery - the TRANSPORT LAYER
- Computer-to-computer - the NETWORK LAYER
- Hardware-to-hardware - the SUBNET LAYER
Application to Application
Program to Program (alias port to port)
- TCP segments
- UDP datagrams
Computer to Computer
- IP packets
- IP addresses
- ICMP messages
Hardware to hardware
- Ethernet frames
- MAC addresses
- Routers, switches
- NIC == 32-bit IP Address
IP Address Classes
A. 0.0.0.0 thru 127.255.255.255 (00 00 00 00 - 7F FF FF FF)
B. 188.8.131.52 thru 184.108.40.206 (80 00 00 00 - BF FF FF FF)
- 126 networks, each 16M addresses
- high bit 0 = 0,1,2,3,4,5,6,7 hex
- 10.x.x.x (0Axxxxxx) is private
- no 0.x.x.x or 127.x.x.x -- see
C. 192.0.0.0 thru 220.127.116.11 (C0 00 00 00 - DF FF FF FF)
- 16K networks, each 64K addresses
- high bits 10 = 8,9,A,B hex
- 172.16.x.x thru 172.31.x.x ( AC08xxxx thru AC1Fxxxx) is private
D. 18.104.22.168 thru 22.214.171.124 (E0 00 00 00 - EF FF FF FF)
- 2 million networks, each 254 addresses
- high bits 110 = C,D hex
- 192.168.x.x (C0 A8 xx xx) is private
E. 240.0.0.0 thru 255.255.255.255 (F0 00 00 00 - FF FF FF FF)
- special - multicast
- high bits 1110 = E hex
Special: 127.x.x.x Loopback. Normally only 127.0.0.1 is used
- special - unallocated
- high bits 1111 = F hex
- A port is a number that is attached to a specific application
- Carried along with ip address to fully identify source or
- Range is 0 - 65535
- 1-1023 are PRIVILEGED, reserved for "well-known" applications,
assigned by committee
- 1024-65535 are UNPRIVILEGED, dynamically assigned as needed by
- Common privileged ports are:
- 21 - ftp
- 23 - telnet
- 25 - smtp
- 43 - whois
- 53 - nameserver
- 79 - finger
- 80 - http
- 110 - pop3
- 119 - nntp
- 123 - ntp
- 443 - https
- An individual IP message is called a packet.
- If the data to be sent is larger than can fit in one packet (the
MTU, or maximum transmission unit) then it is carved up into multiple
- There are three types of packets:
- ICMP - control and status messages, error messages
- UDP - unreliable but faster data transfer
- TCP - reliable but slower data transfer
- All packets contain a packet header, containing (usually) the
- source and destination IP addresses
- type of packet
- message type and subtype (ICMP only)
- source and destination ports (UDP or TCP only)
- sequence and acknowledgement numbers, flags, checksum (TCP only)
What's Used for What?
The three types of packet are normally used for the following:
- ICMP - As mentioned, used for errors, control, and status, not for
transfer of data. The error generated
if you try to send something to an unreachable address is a typical example.
Also, the "ping" operation is implemented using ICMP.
- UPD - Used for sending non-critical data. It's possible that a
UDP transmission goes into a black hole, and there's no way for the
sender to know this except by getting tired of waiting for a response.
There's absolutely no way to know if a UDP transmission was corrupted
somewhere along the way.
Typical UDP uses include:
- NTP (network time protocol) requests for clock synchronization
- Requests to and responses from Domain Name Service (DNS) servers.
- Streaming audio, where speed is needed and the extra overhead of
TCP is too costly.
- TCP - Used when reliable two-way communication is needed.
- Each TCP packet has a sequence number and a checksum, so if it is
inaccurate (or if it never arrives at all), this can be detected and
the packet resent. If they arrive out of order, this can be corrected.
- The receipt of EVERY TCP packet is specifically acknowledged back
to the sender, and this feedback makes the error rate of TCP very low,
even if the network itself has noise, dropouts, mis-routed packets,
Typical TCP Connection
Three different flags are used to coordinate TCP/IP communication.
Let's assume you click on a link in your web browser. Here's what
- The URL is parsed to get a host name which is translated into an
- The browser is assigned a random unprivileged port for this
connection (e.g., 12345)
- An HTTP message is constructed by the browser and sent to TCP.
- TCP constructs a TCP message and sends it to IP
- IP wraps it in a IP packet header with a SYN (synchronize) flag,
sends it to the server IP, port 80.
- The server sends a message with SYN and ACK (acknowledge) flags set, back to your IP
address, port 12345.
- The client (your browser) sends ACK back to host.
- Data starts flowing, with each packet containing an ACK flag, and
each acknowledged with an ACK back to the sender.
- When transmission is complete, one machine sends ACK FIN (finish).
- The other end sends ACK (to acknowledge receipt) and then its own
- The original (the one which initiated the teardown) sends ACK.
- Now that the program-to-program communication is over, port 12345
will be unassigned.
The SYN, SYN-ACK, ACK at startup and ACK-FIN, (ACK, ACK-FIN), ACK at
teardown are often referred to as the "three-way handshake" of TCP. Note
that after the original SYN to get things started, every single packet
has the ACK flag set.
Typically, a system using TCP/IP (TCP over IP) will wait a reasonable amount
of time for the ACK to come back for each packet, and if not, the
missing-in-action packet is simply re-sent. A packet is never discarded by a
sender until its ACK is received. At worst, the recipient might get two copies
of the packet, and one is silently discarded.
Normal firewall activity takes place at the packet level and is
therefore called Packet Filtering.
- A firewall program examines each incoming or outgoing packet and
decides its fate (accept, deny, or bounce) according to rules which
have been pre-established.
- The rules are organized into chains or tables, which are applied
to the packet under consideration in order until one matches.
- If no rules match, the default action (whatever that has been
defined to be) will be taken.
- Firewalls basically can have one of two philosophies:
- Deny all packets by default and explicitly allow only those which
match a rule to get by.
- Accept every packet unless there is an explicit rule against it.
- There are two programs with most distributions of Linux to perform
- ipchains, the older and somewhat less flexible program,
- iptables (aka Netfilter), the replacement, as of 2001.
- A packet filtering program can test for anything in the packet
header as described above, destination or source IP address or port,
flags, etc. Here's the sort of thing a firewall program might do:
- An incoming packet with a source IP address in one the three
"private" ranges is illegal and should be deleted
- Ditto, anything allegedly from YOUR OWN IP address must be
illegal. (Even if you try to send something to yourself, the "from"
address in the received packet will say 127.0.0.1.)
- Since the tests can be done in combination, one could filter out
anything inbound for port 23 (telnet) EXCEPT those from two or three
"trusted" IP addresses.
- Deny (i.e., discard) is usually preferable to bouncing something,
because the bounce message itself tells a cracker that (a) your
machine exists, (b) it's running Linux, and (c) it's running a firewall --
three pieces he didn't have before.
How NAT Works
Network Address Translation, aka Masquerading, is also done at the
packet filtering level. This is commonly used when several machines
behind a firewall share the same electrical connection to the Internet
-- a gateway. It's really a pretty simple scheme:
- Every time an application starts sending IP packets to the gateway with
a destination IP address in the "outside world", the firewall software
assigns that application a brand-new "dummy" port number, picked at
- For every outgoing packet, the firewall REPLACES the original
"from" port number (assigned by the application on one of the
networked machines) with the new "dummy" number assigned by the
firewall, replaces the original "from" IP address with its own, and
re-sends the packet to the Internet. Thus, all outgoing requests look like
they came from some port (program) on the gateway machine.
- For every incoming packet, the firewall software looks up the
destination port, replaces the IP address and "true" port number
associated with that "dummy" port, and re-sends the message onto the
- Thus, the application program believes it is sending and receiving
messages from the remote server, while the remote server believes it
is sending and receiving messages from the gateway machine.