
Friday, January 29, 2016

Network Protocols (TCP/IP, POP, SMTP, HTTP, FTP, UDP, DHCP, DNS, HTTPS, ARP, SSH)

Introduction to Protocols

When computers were restricted to standalone systems, there was little need for mechanisms to communicate between them. However, it wasn’t long before the need to connect computers for the purpose of sharing files and printers became a necessity. Establishing communication between network devices required more than a length of cabling; a method or a set of rules was needed to establish how systems would communicate. Protocols provide that method.
It would be nice if a single protocol facilitated communication between all devices, but this is not the case. A number of protocols can be used on a network, each of which has its own features, advantages, and disadvantages. What protocol you choose can have a significant impact on the network’s functioning and performance. This section explores some of the more common protocols you can expect to work with as a network administrator.


Internet Protocol (IP)

IP, which is defined in RFC 791, is the protocol used to transport data from one node on a network to another. IP is connectionless, which means that it doesn’t guarantee the delivery of data; it simply makes its best effort to do so. To ensure that transmissions sent via IP are completed, a higher-level protocol such as TCP is required.
In addition to providing best-effort delivery, IP also performs fragmentation and reassembly tasks for network transmissions. Fragmentation is necessary because the maximum transmission unit (MTU) size is limited in IP. In other words, network transmissions that are too big to traverse the network in a single packet have to be broken into smaller chunks and reassembled at the other end. Another function of IP is addressing. IP addressing is a complex subject.

Transmission Control Protocol (TCP)

TCP, which is defined in RFC 793, is a connection-oriented protocol that uses IP as its transport protocol. Being connection-oriented means that TCP establishes a mutually acknowledged session between two hosts before communication takes place. TCP provides reliability to IP communications. Specifically, TCP adds features such as flow control, sequencing, and error detection and correction. For this reason, higher-level applications that need guaranteed delivery use TCP rather than its lightweight and connectionless brother, UDP.


How TCP Works
When TCP wants to open a connection with another host, it follows this procedure:
1. It sends a message called a SYN to the target host.
2. The target host opens a connection for the request and sends back an acknowledgment message called an ACK (or SYN ACK).
3. The host that originated the request sends back another acknowledgment, saying that it has received the ACK message and that the session is ready to be used to transfer data.
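The three steps above, modelled as an added example that is not part of the original text: the segments are built with constructed initial sequence numbers, and a separate validator checks a captured sequence of segments the way a passive monitoring tool would, including the rule that each side's SYN consumes one sequence number.

```python
"""Three-way handshake walk-through (added example, not from the page).

Each segment is modelled as its TCP flags plus sequence and acknowledgment
numbers; the initial sequence numbers (ISNs) used in the test are constructed
values, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    flags: frozenset   # subset of {"SYN", "ACK"}
    seq: int           # sequence number
    ack: int = 0       # acknowledgment number (meaningful only when ACK is set)


def three_way_handshake(client_isn: int, server_isn: int) -> list:
    """Return the three segments the text describes, in order."""
    # Step 1: the client sends a bare SYN carrying its ISN.
    syn = Segment(frozenset({"SYN"}), seq=client_isn)
    # Step 2: the server answers SYN+ACK. A SYN consumes one sequence
    # number, so the acknowledgment number is client_isn + 1.
    syn_ack = Segment(frozenset({"SYN", "ACK"}), seq=server_isn,
                      ack=client_isn + 1)
    # Step 3: the client acknowledges the server's SYN; the session is open.
    ack = Segment(frozenset({"ACK"}), seq=client_isn + 1, ack=server_isn + 1)
    return [syn, syn_ack, ack]


def validate_handshake(segments) -> str:
    """Check that a list of segments forms a valid handshake.

    Returns "ESTABLISHED" on success, otherwise a short reason. This is the
    passive check a monitoring tool applies to a captured flow.
    """
    if len(segments) != 3:
        return "wrong segment count"
    syn, syn_ack, ack = segments
    if syn.flags != {"SYN"}:
        return "step 1 is not a bare SYN"
    if syn_ack.flags != {"SYN", "ACK"}:
        return "step 2 is not SYN+ACK"
    if syn_ack.ack != syn.seq + 1:
        return "SYN+ACK does not acknowledge the client's ISN"
    if ack.flags != {"ACK"}:
        return "step 3 is not a bare ACK"
    if ack.seq != syn.seq + 1 or ack.ack != syn_ack.seq + 1:
        return "final ACK has wrong seq/ack numbers"
    return "ESTABLISHED"
```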



User Datagram Protocol (UDP)

UDP, which is defined in RFC 768, is the brother of TCP. Like TCP, UDP uses IP as its transport protocol, but the big difference is that UDP does not guarantee delivery like TCP does. In a sense, UDP is a “fire and forget” protocol; it assumes that the data sent will reach its destination intact. In fact, the checking of whether data is delivered is left to upper-layer protocols. Unlike TCP, UDP establishes no session between the sending and receiving hosts, which is why UDP is called a connectionless protocol. The upshot of this is that UDP has much lower overhead than TCP. In fact, a TCP packet header has 14 fields, whereas a UDP packet header has only four fields. Therefore, UDP is much more efficient than TCP. In applications that don’t need the added features of TCP, UDP is much more economical in terms of bandwidth and processing effort.


File Transfer Protocol (FTP)

As its name suggests, FTP provides for the uploading and downloading of files from a remote host running FTP server software. As well as uploading and downloading files, FTP allows you to view the contents of folders on an FTP server and rename and delete files and directories if you have the necessary permissions. FTP, which is defined in RFC 959, uses TCP as a transport protocol to guarantee delivery of packets.
FTP has security mechanisms used to authenticate users. However, rather than create a user account for every user, you can configure FTP server software to accept anonymous logons. When you do this, the username is anonymous, and the password normally is the user’s email address. Most FTP servers that offer files to the general public operate in this way.
In addition to being popular as a mechanism for distributing files to the general public over networks such as the Internet, FTP is also popular with organizations that need to frequently exchange large files with other people or organizations. For example, the chapters in this book were sent between the author and Que Publishing using FTP. Such a system is necessary because the files we exchange are sometimes larger than can be easily accommodated using email.
All the common network operating systems offer FTP server capabilities, although whether you use them depends on whether you need FTP services. All popular workstation operating systems offer FTP client functionality, although it is common to use third-party utilities such as CuteFTP and SmartFTP instead.
FTP assumes that files being uploaded or downloaded are straight text (that is, ASCII) files. If the files are not text, which is likely, the transfer mode has to be changed to binary. With sophisticated FTP clients, such as CuteFTP, the transition between transfer modes is automatic. With more basic utilities, you have to perform the mode switch manually.
Unlike some of the other protocols discussed in this chapter that perform tasks transparent to the user, FTP is an application layer service that is called upon frequently. Therefore, it can be useful to know some of the commands supported by FTP. If you are using a client such as CuteFTP, you might never need to use these commands, but they are useful to know in case you find yourself using a command-line FTP client. Table 4.3 lists some of the most commonly used FTP commands.





Secure File Transfer Protocol (SFTP)

One of the big problems associated with FTP is that it is considered insecure. Even though simple authentication methods are associated with FTP, it is still susceptible to relatively simple hacking approaches. In addition, FTP transmits data between sender and receiver in an unencrypted format. By using a packet sniffer, a hacker could easily copy packets from the network and read the contents. In today’s high-security computing environments, a more robust solution is needed.
That solution is the Secure File Transfer Protocol, which, based on Secure Shell (SSH) technology, provides robust authentication between sender and receiver. It also provides encryption capabilities, which means that even if packets are copied from the network, their contents remain hidden from prying eyes.
SFTP is implemented through client and server software available for all commonly used computing platforms.




Trivial File Transfer Protocol (TFTP)

A variation on FTP is TFTP, which is also a file transfer mechanism. However, TFTP does not have the security capability or the level of functionality that FTP has. TFTP, which is defined in RFC 1350, is most often associated with simple downloads, such as those associated with transferring firmware to a device such as a router and booting diskless workstations.
Another feature that TFTP does not offer is directory navigation. Whereas in FTP commands can be executed to navigate and manage the file system, TFTP offers no such capability. TFTP requires that you request not only exactly what you want but also the particular location. Unlike FTP, which uses TCP as its transport protocol to guarantee delivery, TFTP uses UDP.




Simple Mail Transfer Protocol (SMTP)

SMTP, which is defined in RFC 821, is a protocol that defines how mail messages are sent between hosts. SMTP uses TCP connections to guarantee error-free delivery of messages. SMTP is not overly sophisticated, and it requires that the destination host always be available. For this reason, mail systems spool incoming mail so that users can read it later. How the user then reads the mail depends on how the client accesses the SMTP server.



Hypertext Transfer Protocol (HTTP)

HTTP, which is defined in RFC 2068, is the protocol that allows text, graphics, multimedia, and other material to be downloaded from an HTTP server. HTTP defines what actions can be requested by clients and how servers should answer those requests.
In a practical implementation, HTTP clients (that is, web browsers) make requests in an HTTP format to servers running HTTP server applications (that is, web servers). Files created in a special language such as Hypertext Markup Language (HTML) are returned to the client, and the connection is closed. HTTP uses a uniform resource locator (URL) to determine what page should be downloaded from the remote server. The URL contains the type of request (for example, http://), the name of the server being contacted (for example, www.microsoft.com), and optionally the page being requested (for example, /support). The result is the syntax that Internet-savvy people are familiar with: http://www.microsoft.com/support.




Hypertext Transfer Protocol Secure (HTTPS)

One of the downsides of using HTTP is that HTTP requests are sent in clear text. For some applications, such as e-commerce, this method of exchanging information is unsuitable—a more secure method is needed. The solution is HTTPS. HTTPS uses a system known as Secure Socket Layer (SSL), which encrypts the information sent between the client and host.
For HTTPS to be used, both the client and server must support it. All popular browsers now support HTTPS, as do web server products, such as Microsoft Internet Information Server (IIS), Apache, and almost all other web server applications that provide sensitive applications. When you are accessing an application that uses HTTPS, the URL starts with https rather than http—for example, https://www.mybankonline.com.




Post Office Protocol Version 3/Internet Message Access Protocol Version 4 (POP3/IMAP4)

Both POP3, which is defined in RFC 1939, and IMAP4, the latest version of which is defined in RFC 1731, are mechanisms for downloading, or pulling, email from a server. They are necessary because, although the mail is transported around the network via SMTP, users cannot always read it immediately, so it must be stored in a central location. From this location, it needs to be downloaded, which is what POP and IMAP allow you to do.
POP and IMAP are popular, and many people now access email through applications such as Microsoft Outlook, Netscape Communicator, and Eudora, which are POP and IMAP clients.
One of the problems with POP is that the password used to access a mailbox is transmitted across the network in clear text. This means that if someone wanted to, he could determine your POP password with relative ease. This is an area in which IMAP offers an advantage over POP. It uses a more sophisticated authentication system, which makes it more difficult for someone to determine a password.






Telnet

Telnet, which is defined in RFC 854, is a virtual terminal protocol. It allows sessions to be opened on a remote host, and then commands can be executed on that remote host. For many years, Telnet was the method by which clients accessed multiuser systems such as mainframes and minicomputers. It also was the connection method of choice for UNIX systems. Today, Telnet is still commonly used to access routers and other managed network devices.
One of the problems with Telnet is that it is not secure. As a result, remote session functionality is now almost always achieved by using alternatives such as SSH.





Secure Shell (SSH)

Created by students at the Helsinki University of Technology, Secure Shell (SSH) is a secure alternative to Telnet. SSH provides security by encrypting data as it travels between systems. This makes it difficult for hackers using packet sniffers and other traffic-detection systems. It also provides more robust authentication systems than Telnet.
Two versions of SSH are available—SSH1 and SSH2. Of the two, SSH2 is considered more secure. Also note that the two versions are incompatible. So, if you are using an SSH client program, the server implementation of SSH that you are connecting to must be the same version.
Although SSH, like Telnet, is associated primarily with UNIX and Linux systems, implementations of SSH are available for all commonly used computing platforms, including Windows and Macintosh. As discussed earlier, SSH is the foundational technology for Secure File Transfer Protocol (SFTP).




Internet Control Message Protocol (ICMP)

ICMP, which is defined in RFC 792, is a protocol that works with the IP layer to provide error checking and reporting functionality. In effect, ICMP is a tool that IP uses in its quest to provide best-effort delivery.
ICMP can be used for a number of functions. Its most common function is probably the widely used and incredibly useful ping utility. ping sends a stream of ICMP echo requests to a remote host. If the host can respond, it does so by sending echo reply messages back to the sending host. In that one simple process, ICMP enables the verification of the protocol suite configuration of both the sending and receiving nodes and any intermediate networking devices.
However, ICMP’s functionality is not limited to the use of the ping utility. ICMP also can return error messages such as Destination unreachable and Time exceeded. (The former message is reported when a destination cannot be contacted and the latter when the time to live [TTL] of a datagram has been exceeded.)
In addition to these and other functions, ICMP performs source quench. In a source quench scenario, the receiving host cannot handle the influx of data at the same rate as the data is being sent. To slow down the sending host, the receiving host sends ICMP source quench messages, telling the sender to slow down. This action prevents packets from being dropped and having to be resent.
ICMP is a useful protocol. Although ICMP operates largely in the background, the ping utility alone makes it one of the most valuable of the protocols discussed in this chapter.




Address Resolution Protocol (ARP)/Reverse Address Resolution Protocol (RARP)

ARP, which is defined in RFC 826, is responsible for resolving IP addresses to Media Access Control (MAC) addresses. When a system attempts to contact another host, IP first determines whether the other host is on the same network it is on by looking at the IP address. If IP determines that the destination is on the local network, it consults the ARP cache to see whether it has a corresponding entry. The ARP cache is a table on the local system that stores mappings between data link layer addresses (the MAC address or physical address) and network layer addresses (IP addresses). Here’s a sample of the ARP cache:

Interface: 192.168.1.66 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.65          00-1c-c0-17-41-c8     dynamic
  192.168.1.67          00-22-68-cb-e2-f9     dynamic
  192.168.1.254         00-18-d1-95-f6-02     dynamic
  224.0.0.2             01-00-5e-00-00-02     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

If the ARP cache doesn’t have an entry for the host, a broadcast on the local net- work asks the host with the target IP address to send back its MAC address. The communication is sent as a broadcast because without the target system’s MAC address, the source system cannot communicate directly with the target system.
Because the communication is a broadcast, every system on the network picks it up. However, only the target system replies, because it is the only device whose IP address matches the request. The target system, recognizing that the ARP request is targeted at it, replies directly to the source system. It can do this because the ARP request contains the MAC address of the system that sent it. If the destination host is determined to be on a different subnet than the sending host, the ARP process is performed against the default gateway and then repeated for each step of the journey between the sending and receiving host.
When you work with the ARP cache, you can make entries either dynamically or statically. With dynamic entries, the ARP cache is updated automatically. The ARP cache is maintained with no intervention from the user. Dynamic entries are the ones most used. Static entries are configured manually using the arp -s command. The static entry becomes a permanent addition to the ARP cache until it is removed using the arp -d command.
Reverse Address Resolution Protocol (RARP) performs the same function as ARP, but in reverse. In other words, it resolves MAC addresses to IP addresses. RARP makes it possible for applications or systems to learn their own IP address from a router or Domain Name System (DNS) server. Such a resolution is useful for tasks such as performing reverse lookups in DNS. RARP is defined in RFC 903.
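The decision IP makes before sending a frame, as an added example that is not part of the original text: parse the sample ARP cache shown above, decide whether the destination is on the local network, and report whether the MAC address comes from the cache or has to be obtained by an ARP broadcast for the target or for the default gateway. The cache text is constructed to match the sample output; the /24 mask and the choice of 192.168.1.254 as default gateway are assumptions.

```python
"""ARP cache lookup and next-hop decision (added example, not from the page).

The cache text reproduces the sample in the text in Windows `arp -a` form.
The subnet mask and the default gateway address are assumptions.
"""
import ipaddress
import re

ARP_CACHE_TEXT = """\
Interface: 192.168.1.66 --- 0x8
  Internet Address      Physical Address      Type
  192.168.1.65          00-1c-c0-17-41-c8     dynamic
  192.168.1.67          00-22-68-cb-e2-f9     dynamic
  192.168.1.254         00-18-d1-95-f6-02     dynamic
  224.0.0.2             01-00-5e-00-00-02     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"        # IPv4 address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"     # MAC address, dash-separated
    r"(dynamic|static)\s*$", re.IGNORECASE)


def parse_arp_cache(text: str) -> dict:
    """Map IP address -> (MAC, entry type) from `arp -a` style output.

    Header and interface lines do not match ENTRY_RE and are skipped.
    """
    cache = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cache[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return cache


def next_hop_lookup(cache: dict, local_iface: str, target: str, gateway: str):
    """Return (address whose MAC is needed, action) for a packet to `target`.

    local_iface is "address/prefix" for the sending interface. The action is
    "cache-hit", "arp-broadcast" (resolve the target on the local network) or
    "arp-gateway" (target is off-subnet, so the gateway's MAC is needed first).
    """
    local_net = ipaddress.ip_interface(local_iface).network
    target_ip = ipaddress.ip_address(target)
    # Step 1: is the destination on our own network? Multicast is delivered
    # on the local link, so it is never sent via the gateway.
    if target_ip in local_net or target_ip.is_multicast:
        resolve, miss_action = str(target_ip), "arp-broadcast"
    else:
        resolve, miss_action = str(ipaddress.ip_address(gateway)), "arp-gateway"
    # Step 2: consult the cache before broadcasting.
    if resolve in cache:
        return resolve, "cache-hit"
    return resolve, miss_action
```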




Network Time Protocol (NTP)

NTP, which is defined in RFC 958, is the part of the TCP/IP protocol suite that facilitates the communication of time between systems. The idea is that one system configured as a time provider transmits time information to other systems that can be both time receivers and time providers for other systems.
Time synchronization is important in today’s IT environment because of the distributed nature of applications. Two good examples of situations in which time synchronization is important are email and directory services systems. In each of these cases, having time synchronized between devices is important, because without it there would be no way to keep track of changes to data and applications.
In many environments, external time sources such as radio clocks, global positioning system (GPS) devices, and Internet-based time servers are used as sources of NTP time. In others, the system’s BIOS clock is used. Regardless of what source is used, the time information is communicated between devices by using NTP.



Network News Transfer Protocol (NNTP)

Network News Transfer Protocol (NNTP) is a protocol associated with posting and retrieving messages to and from newsgroups. A newsgroup is a discussion forum hosted on a remote system. By using NNTP client software, like that included with many common email clients, users can post, reply to, and retrieve messages.
Although web-based discussion forums are slowly replacing newsgroups, demand for newsgroup access remains high. The distinction between web-based discussion forums and NNTP newsgroups is in the fact that messages are retrieved from the server to be read. In contrast, on a web-based discussion forum, the messages are not downloaded. They are simply viewed from a remote location.
NNTP, which is defined in RFC 977, is an application layer protocol that uses TCP as its transport mechanism.




Secure Copy Protocol (SCP)

Secure Copy Protocol (SCP) is another protocol based on SSH technology. SCP provides a secure means to copy files between systems on a network. By using SSH technology, it encrypts data as it travels across the network, thereby securing it from eavesdropping. It is intended as a more secure substitute for Remote Copy Protocol (RCP). SCP is available as a command-line utility, or as part of application software for most commonly used computing platforms.



Domain Name System (DNS)

DNS performs an important function on TCP/IP-based networks. It resolves hostnames, such as www.quepublishing.com, to IP addresses, such as 209.202.161.67. Such a resolution system makes it possible for people to remember the names of and refer to frequently used hosts using easy-to-remember hostnames rather than hard-to-remember IP addresses.
In the days before the Internet, the network that was to become the Internet used a text file called HOSTS to perform name resolution. The HOSTS file was regularly updated with changes and distributed to other servers. The following is a sample of some entries from a HOSTS file:

192.168.3.45    server1  s1          #The main file and print server
192.168.3.223   mail     mailserver  #The email server
127.1.1.1       localhost

As you can see, the host’s IP address is listed, along with the corresponding hostname. It is possible to add to a HOSTS file aliases of the server names, which in this example are s1 and mailserver. All the entries have to be added manually, and each system to perform resolutions has to have a copy of the file.
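A resolver for the HOSTS format shown above, as an added example that is not part of the original text: it reads address, canonical name, optional aliases and `#` comments, and answers lookups the way a system without DNS would, by exact name or alias match. The sample entries are the three from the text, embedded as a constructed string.

```python
"""HOSTS-file name resolution (added example, not from the page).

Parses entries in the format shown in the text: IP address, canonical
hostname, optional aliases, and a '#' comment. HOSTS_TEXT reproduces the
three sample entries as a constructed string.
"""
import ipaddress

HOSTS_TEXT = """\
192.168.3.45    server1  s1          #The main file and print server
192.168.3.223   mail     mailserver  #The email server
127.1.1.1       localhost
"""


def parse_hosts(text: str) -> dict:
    """Return {name: ip} with aliases included.

    The first mapping seen for a name wins, which is how resolvers usually
    treat duplicate HOSTS entries. Malformed lines raise ValueError with the
    line number so a bad edit to the file is easy to find.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue                              # blank or comment-only line
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address without a hostname")
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            raise ValueError(f"line {lineno}: bad address {fields[0]!r}")
        for name in fields[1:]:                   # canonical name, then aliases
            table.setdefault(name.lower(), ip)
    return table


def resolve(table: dict, hostname: str):
    """Case-insensitive lookup; None when the name is not in the file."""
    return table.get(hostname.lower())


def reverse_lookup(table: dict, ip: str) -> list:
    """All names (canonical and aliases) that map to `ip`, in file order."""
    return [name for name, addr in table.items() if addr == ip]
```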

Even when the Internet was growing at a relatively slow pace, such a mechanism was both cumbersome and prone to error. It was obvious that as the network grew, a more automated and dynamic method of performing name resolution was needed. DNS became that method.
DNS solves the problem of name resolution by offering resolution through servers configured to act as name servers. The name servers run DNS server software, which allows them to receive, process, and reply to requests from systems that want to resolve hostnames to IP addresses. Systems that ask DNS servers for a hostname-to-IP address mapping are called resolvers or DNS clients. Figure 4.2 shows the DNS resolution process.
Because the DNS namespace (which is discussed in the following section) is large, a single server cannot hold all the records for the entire namespace. As a result, there is a good chance that a given DNS server might not be able to resolve the request for a certain entry. In this case, the DNS server asks another DNS server if it has an entry for the host.




