------------------------- Week 04 Notes for CST8165 -------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer. Learn to fish! RTFM! (Read The Fine Manual)

Classful addressing, Figure 5:
  http://www.garykessler.net/library/tcpip.html#IPadd

TCP vs UDP - SOCK_STREAM vs SOCK_DGRAM
--------------------------------------
Reference: http://beej.us/guide/bgnet/output/htmlsingle/bgnet.html#twotypes

Internet four layer stack has IP at layer 2:
  Figure 2: http://www.garykessler.net/library/tcpip.html#arch
    4 - application layer
    3 - TCP/UDP (transport/host layer)
    2 - IP (Internet/gateway layer)
    1 - network/hardware layer
Q: Name the four Internet network stack layers

Network layer - ARP
  http://www.garykessler.net/library/tcpip.html#ARP
Q: What does ARP stand for and how is it used in Internet networking?

Internet layer - IP
- IP has no port information; only IP addresses
  Figure 4: http://www.rfc-editor.org/rfc/rfc791.txt
  Figure 4: http://www.garykessler.net/library/tcpip.html#IP
  - simple http://www.freesoft.org/CIE/Topics/79.htm
- large amounts of data are "fragmented" into multiple IP packets
- the IP Identification field numbers the fragments for later re-assembly
Q: True/False - the IP packet header contains port numbers
Q: Looking at Figure 4, what is the longest total length theoretically
   possible for an IP packet?

Transport layer - UDP and TCP also have "port" numbers
  Protocols and ports: http://www.garykessler.net/library/tcpip.html#transport
- UDP is essentially raw IP plus port numbers; still unreliable
  See the RFC: http://www.rfc-editor.org/rfc/rfc768.txt (only 3 pages!)
  - used in DNS and TFTP
- TCP is like UDP with reliable transmission added
  See the RFC: http://www.rfc-editor.org/rfc/rfc793.txt (85 pages!)
Q: Why aren't the source and destination addresses in the TCP/UDP header?
Q: Why is the UDP RFC 3 pages but the TCP RFC is 85 pages?
Most Port Numbers have to be Registered with IANA
- IANA: Internet Assigned Numbers Authority
- Master IANA List of ports: http://www.iana.org/assignments/port-numbers
- ports are in three ranges: "Well Known", "Registered", "Dynamic/Private"
- you SHOULD NOT use a "Well Known" or "Registered" port without first
  registering it with IANA.
Q: What port numbers lie in the "Well Known" range?
Q: T/F your Internet application can use any port it wants outside of the
   "Well Known" range

ICMP - Internet Control Message Protocol
----------------------------------------
Ref: http://www.freesoft.org/CIE/Topics/81.htm
Q: Is the delivery of ICMP messages guaranteed?
Q: What is ICMP used for on the Internet (name two functions)?
Q: What popular program uses ICMP echo packets?
   http://www.freesoft.org/CIE/Topics/53.htm
Q: How does traceroute use ICMP to map a packet route?
   http://www.freesoft.org/CIE/Topics/54.htm
Q: Traceroute is not reliable. What can go wrong (describe two things)?
   http://www.freesoft.org/CIE/Topics/54.htm

Understanding UDP
-----------------
Ref: http://www.rfc-editor.org/rfc/rfc768.txt (only 3 pages!)
     http://www.freesoft.org/CIE/RFC/1122/72.htm

  "The User Datagram Protocol UDP [UDP:1] offers only a minimal transport
  service -- non-guaranteed datagram delivery -- and gives applications
  direct access to the datagram service of the IP layer. UDP is used by
  applications that do not require the level of service of TCP or that wish
  to use communications services (e.g., multicast or broadcast delivery)
  not available from TCP.

  UDP is almost a null protocol; the only services it provides over IP are
  checksumming of data and multiplexing by port number. Therefore, an
  application program running over UDP must deal directly with end-to-end
  communication problems that a connection-oriented protocol would have
  handled -- e.g., retransmission for reliable delivery, packetization and
  reassembly, flow control, congestion avoidance, etc., when these are
  required.
  The fairly complex coupling between IP and TCP will be mirrored in the
  coupling between UDP and many applications using UDP."

- unreliable, no retransmission: "fire and forget"
- a very thin layer added inside an IP packet
- adds "ports" to IP and little else: any reliability or retransmission work
  has to be done by the application
- recall that the TCP RFC is 85 pages; that's an indication of how hard it
  would be to make your application turn UDP into a reliable protocol!
- big user of UDP is DNS queries and replies
Q: What four fields are added to IP by a UDP packet header?
Q: What purpose does the "pseudo header" serve in calculating a checksum?

Understanding TCP
-----------------
Ref: http://www.rfc-editor.org/rfc/rfc793.txt (85 pages!)
     http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html
     http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html

  "TCP provides a connection oriented, reliable, byte stream service. The
  term connection-oriented means the two applications using TCP must
  establish a TCP connection with each other before they can exchange data.
  It is a full duplex protocol, meaning that each TCP connection supports a
  pair of byte streams, one flowing in each direction. TCP includes a
  flow-control mechanism for each of these byte streams that allows the
  receiver to limit how much data the sender can transmit. TCP also
  implements a congestion-control mechanism."

Q: Does TCP include flow-control and/or congestion control?
Q: Can a TCP connection be one-way or must it always be two-way?
Q: What purpose does the "pseudo header" serve in calculating a checksum?

Handshaking: 3 way open, 4 way close including SYN, ACK, FIN etc
- http://www.garykessler.net/library/tcpip.html#connect

  "This three-way handshake is sometimes referred to as an exchange of
  "syn, syn/ack, and ack" segments. It is important for a number of reasons.
  For individuals looking at packet traces, recognition of the three-way
  handshake is how to find the start of a connection. For firewalls, proxy
  servers, intrusion detectors, and other systems, it provides a way of
  knowing the direction of a TCP connection setup since rules may differ for
  outbound and inbound connections."

Q: Outline the TCP flags used in the basic TCP 3-way handshake. Clearly
   indicate which is server and which is client.

You can attack some servers by doing many partial handshakes:
- http://www.vijaymukhi.com/vmis/tcp.htm (syn flood attack)
Q: How does a syn-flood attack work?

See the TCP state transition diagram:
  http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html
  http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html#ST
- client and server both start in the CLOSED state
- graph arrows are labelled with transitions [event/action], where the event
  is either an incoming packet with a flag set (e.g. ACK, FIN) or a
  deliberate change to another state (e.g. "Passive Open", "Close", "Send")
- RFC1122 says RFC793 has an error on what is sent on the transition from
  SYN_SENT directly to SYN_RCVD: should be sending SYN,ACK, not SYN
Q: Looking at the TCP state transition diagram, into which state will a
   program move if it is currently in state SYN_SENT and it receives a TCP
   packet with just the SYN flag set? When it makes that state transition,
   what flags will it set in the next outgoing packet?
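Back to the two "pseudo header" questions above (UDP and TCP use the same idea): here is the RFC 768 checksum worked through in C as an added example that is not part of the course notes. It covers the IPv4 pseudo header plus a constructed sample datagram (addresses, ports and the "abc" payload are made-up values), and then verifies the same bytes as if IP had delivered them to the wrong host.

```c
#include <stdint.h>
#include <string.h>
/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is
 * padded with a zero byte (RFC 768). Carries are folded back into 16 bits. */
static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    if (len) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}
/* The 12-byte pseudo header (src IP, dst IP, zero, protocol 17, UDP length) is
 * copied from the IP layer, so the checksum also covers which endpoints and
 * which protocol the datagram was sent between. IPv4, host byte order. */
#define B(x, s) ((uint8_t)((x) >> (s)))
static uint32_t pseudo_sum(uint32_t src, uint32_t dst, uint16_t ulen)
{
    uint8_t ph[12] = { B(src,24), B(src,16), B(src,8), B(src,0), B(dst,24),
                       B(dst,16), B(dst,8), B(dst,0), 0, 17, B(ulen,8), B(ulen,0) };
    return ones_sum(0, ph, sizeof ph);
}
/* Sender: value for bytes 6-7 of a `len`-byte datagram (header + data), with
 * the checksum field taken as zero. 0 goes out as 0xffff: a zero field on the
 * wire means "no checksum was computed". */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    uint32_t acc = pseudo_sum(src, dst, (uint16_t)len);
    acc = ones_sum(acc, udp, 6);              /* ports + length */
    acc = ones_sum(acc, udp + 8, len - 8);    /* data, skipping the checksum */
    return (uint16_t)~acc ? (uint16_t)~acc : 0xffff;
}
/* Receiver: pseudo header + whole datagram must sum to 0xffff. A zero field
 * means the sender computed nothing, so there is nothing to reject. */
int udp_checksum_ok(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    if (udp[6] == 0 && udp[7] == 0) return 1;
    return ones_sum(pseudo_sum(src, dst, (uint16_t)len), udp, len) == 0xffff;
}

/* Constructed sample: 192.168.1.10:1234 -> 192.168.1.20:53 carrying "abc". */
#define SRC 0xc0a8010au
#define DST 0xc0a80114u
static const uint8_t sample[11] = {0x04,0xd2, 0x00,0x35, 0x00,0x0b, 0,0, 'a','b','c'};
/* Stamp the checksum computed for DST, then verify as if IP had delivered the
 * unchanged bytes to `dst`. */
int sample_roundtrip(uint32_t dst)
{
    uint8_t d[11]; memcpy(d, sample, 11);
    uint16_t c = udp_checksum(SRC, DST, d, 11);
    d[6] = (uint8_t)(c >> 8); d[7] = (uint8_t)c;
    return udp_checksum_ok(SRC, dst, d, 11);
}
```

For the sample the checksum works out to 0xb2ff, and verifying those same bytes against any other destination address fails: that is the job of the pseudo header, catching a datagram that IP delivered between the wrong endpoints even though nothing inside the datagram changed.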
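The state transition diagram written out as a table, as an added example (my code, not the notes' or the RFC's): each row is one arrow with its event, incoming flags and the flags sent in reply, including the RFC 1122 correction for SYN_SENT, and a driver walks a client and a server through the three-way handshake. State and flag names follow the diagram; the event kinds (SEGMENT, PASSIVE_OPEN, ...) are my own naming.

```c
#include <stddef.h>
enum state { CLOSED, LISTEN, SYN_SENT, SYN_RCVD, ESTABLISHED, FIN_WAIT_1,
             FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK, TIME_WAIT };
enum { FIN = 0x01, SYN = 0x02, ACK = 0x10 };          /* TCP header flag bits */
/* An event is an incoming segment (with its flags) or a local call. */
enum event_kind { SEGMENT, PASSIVE_OPEN, ACTIVE_OPEN, CLOSE, TIMEOUT };
/* One arrow of the diagram: from --event[flags in]/flags out--> to, per RFC 793
 * with the RFC 1122 correction (SYN_SENT + bare SYN replies SYN,ACK). After the
 * handshake every segment carries ACK, so a FIN arrives as FIN|ACK. Without
 * sequence numbers FIN_WAIT_1 cannot tell a FIN that also acks its own FIN,
 * so that edge goes to CLOSING here instead of straight to TIME_WAIT. */
static const struct { enum state from; enum event_kind ev; int in, out; enum state to; } T[] = {
    { CLOSED,      PASSIVE_OPEN, 0,       0,       LISTEN      },
    { CLOSED,      ACTIVE_OPEN,  0,       SYN,     SYN_SENT    },
    { LISTEN,      SEGMENT,      SYN,     SYN|ACK, SYN_RCVD    },
    { SYN_SENT,    SEGMENT,      SYN|ACK, ACK,     ESTABLISHED },
    { SYN_SENT,    SEGMENT,      SYN,     SYN|ACK, SYN_RCVD    },   /* RFC 1122 fix */
    { SYN_RCVD,    SEGMENT,      ACK,     0,       ESTABLISHED },
    { ESTABLISHED, CLOSE,        0,       FIN|ACK, FIN_WAIT_1  },
    { ESTABLISHED, SEGMENT,      FIN|ACK, ACK,     CLOSE_WAIT  },
    { FIN_WAIT_1,  SEGMENT,      ACK,     0,       FIN_WAIT_2  },
    { FIN_WAIT_1,  SEGMENT,      FIN|ACK, ACK,     CLOSING     },
    { FIN_WAIT_2,  SEGMENT,      FIN|ACK, ACK,     TIME_WAIT   },
    { CLOSE_WAIT,  CLOSE,        0,       FIN|ACK, LAST_ACK    },
    { CLOSING,     SEGMENT,      ACK,     0,       TIME_WAIT   },
    { LAST_ACK,    SEGMENT,      ACK,     0,       CLOSED      },
    { TIME_WAIT,   TIMEOUT,      0,       0,       CLOSED      },
};
/* Apply one event to a connection in state s: returns the new state and stores
 * the flags to send in *out (0 = nothing). A pair with no arrow, e.g. LISTEN
 * receiving a stray ACK, is ignored here and leaves the state unchanged. */
enum state tcp_next(enum state s, enum event_kind ev, int flags, int *out)
{
    for (size_t i = 0; i < sizeof T / sizeof T[0]; i++)
        if (T[i].from == s && T[i].ev == ev && T[i].in == (flags & (FIN|SYN|ACK)))
            { *out = T[i].out; return T[i].to; }
    *out = 0; return s;
}
int reply_flags(enum state s, enum event_kind ev, int flags)  /* just the flags */
{ int out; tcp_next(s, ev, flags, &out); return out; }
/* Client and server each feed the other's outgoing flags into their own
 * machine: SYN ->, <- SYN,ACK, ACK ->. Returns 1 if both reach ESTABLISHED. */
int three_way_handshake(void)
{
    int c2s, s2c, none;
    enum state srv = tcp_next(CLOSED, PASSIVE_OPEN, 0, &none);   /* LISTEN     */
    enum state cli = tcp_next(CLOSED, ACTIVE_OPEN, 0, &c2s);     /* SYN ->     */
    srv = tcp_next(srv, SEGMENT, c2s, &s2c);                     /* <- SYN,ACK */
    cli = tcp_next(cli, SEGMENT, s2c, &c2s);                     /* ACK ->     */
    srv = tcp_next(srv, SEGMENT, c2s, &s2c);
    return cli == ESTABLISHED && srv == ESTABLISHED;
}
```

The row marked "RFC 1122 fix" answers the question above: SYN_SENT receiving a bare SYN moves to SYN_RCVD and the next outgoing segment carries SYN,ACK. Note that the server sits in SYN_RCVD until the client's final ACK arrives, which is the half-open state that a syn flood fills up.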
- after the three-way handshake, an open TCP connection communicates with
  ACK always set
- ACKs are cumulative - one number indicates the highest contiguous set of
  successfully received bytes
- no provision for "selective ACK" in vanilla TCP - you can't say you got
  packets 1, 2, and 5
- "selective ACK (SACK)" capability was added later as a TCP Option
  - RFC1072/RFC2018 describe the TCP SACK option
    http://www.tcpipguide.com/free/t_TCPNonContiguousAcknowledgmentHandlingandSelective-4.htm
- buffering is possible; use PSH to "push" data out at either end

The TCP header is much more complex than the UDP header
  http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html#TH
- has to handle issues dealing with reliability, flow control, congestion
Q: T/F The single 32-bit TCP header Acknowledgement number lets you know the
   sequence number of the last successfully received byte of data
Q: T/F The single 32-bit TCP header Acknowledgement number allows a machine
   to selectively acknowledge packets, e.g. byte ranges such as I got
   packets 1, 2, and 4 (but not 3).
Q: T/F Selective Acknowledgment is a TCP option that has to be negotiated

TCP Windowing - how it works
  http://www.tcpipguide.com/free/t_TCPNonContiguousAcknowledgmentHandlingandSelective.htm
- windows allow multiple packets to be waiting acknowledgement
- better use of bandwidth; less waiting
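Cumulative versus selective acknowledgement worked through in C, as an added illustration that is not from the notes: the receiver turns the byte ranges it holds into the single ACK number and into RFC 2018 SACK blocks, and the sender uses both to decide which holes to resend. The 100-byte segments are a constructed sample standing in for the "got packets 1, 2 and 5" case above; the struct and function names are my own.

```c
/* A received byte range [start, end) in sequence-number space. */
struct range { unsigned start, end; };
/* RFC 2018 SACK option: left/right edges; at most 4 blocks fit in the 40 bytes
 * of TCP option space (3 when the timestamp option is also in use). */
struct sack { struct range block[4]; int n; };
/* Cumulative ACK: the next byte the receiver expects, one past the longest
 * contiguous run starting at `isn`. `rx` is sorted by start. Everything beyond
 * the first hole is invisible to this one number. */
unsigned cumulative_ack(unsigned isn, const struct range *rx, int n)
{
    unsigned next = isn;
    for (int i = 0; i < n && rx[i].start <= next; i++)
        if (rx[i].end > next) next = rx[i].end;
    return next;
}
/* Receiver: SACK blocks report received data above the cumulative ACK, merging
 * adjacent ranges; anything beyond the fourth block simply goes unreported. */
struct sack sack_blocks(unsigned ack, const struct range *rx, int n)
{
    struct sack s = { .n = 0 };
    for (int i = 0; i < n; i++) {
        if (rx[i].end <= ack) continue;
        unsigned lo = rx[i].start > ack ? rx[i].start : ack;
        if (s.n && s.block[s.n - 1].end == lo) s.block[s.n - 1].end = rx[i].end;
        else if (s.n < 4) s.block[s.n++] = (struct range){ lo, rx[i].end };
    }
    return s;
}
/* Sender: from the ACK, the SACK blocks and its highest sent byte, list the
 * holes to retransmit (`out` needs room for s->n + 1 ranges). With no SACK it
 * only learns that everything from `ack` is unacknowledged: one big hole. */
int gaps_to_retransmit(unsigned ack, unsigned sent_end, const struct sack *s, struct range *out)
{
    int n = 0; unsigned pos = ack;
    for (int i = 0; i < s->n; i++) {
        if (s->block[i].start > pos) out[n++] = (struct range){ pos, s->block[i].start };
        pos = s->block[i].end;
    }
    if (pos < sent_end) out[n++] = (struct range){ pos, sent_end };
    return n;
}
/* Constructed sample, the notes' "got packets 1, 2 and 5": 100-byte segments
 * 1-100, 101-200 and 401-500 arrived. Returns the start of the only hole the
 * sender has to resend once SACK tells it that 401-500 is already there. */
unsigned sample_first_gap(void)
{
    const struct range rx[] = { {1, 101}, {101, 201}, {401, 501} };
    unsigned ack = cumulative_ack(1, rx, 3);             /* 201 */
    struct sack s = sack_blocks(ack, rx, 3);             /* one block: 401-501 */
    struct range gaps[5];
    return gaps_to_retransmit(ack, 501, &s, gaps) == 1 ? gaps[0].start : 0;
}
```

With plain cumulative ACKs the sender sees only "201" and must resend everything from byte 201 to the end of what it sent; with the SACK block it resends just 201-400.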