Continuing from the previous article "Easy-to-understand illustrated online interview knowledge - Part 1" on network knowledge: in the last article we covered the network layer, and today we look at the transport layer protocols.

UDP protocol

Introduction to UDP Protocol

UDP is the abbreviation of User Datagram Protocol. It is a connectionless transport layer protocol in the OSI (Open System Interconnection) model, providing a simple, unreliable, transaction-oriented message transmission service.

UDP Features

The main features of UDP are that it is connectionless, needs no connection setup, has a small packet header overhead, and is fast. UDP is therefore generally used for streaming media, voice communication, and video conferencing applications.
- Connectionless state: UDP does not need to establish a connection before sending data, which reduces the overhead and delay before data is sent. TCP must maintain connection state in the end systems, including the receive and send buffers, congestion control parameters, and the sequence number and acknowledgment number parameters.
- No need to establish a connection: UDP can transmit data without any preparation, and UDP has no delay. TCP requires a three-way handshake before data transmission.
- Small packet header overhead: The UDP header has only 8 bytes of overhead, and the TCP segment has 20 bytes of header overhead.
- Fast speed: With UDP, as soon as the application process hands data to UDP, UDP packs it into a UDP segment and immediately passes it to the network layer. TCP, by contrast, has congestion control: it judges how congested the Internet is before sending, and if the Internet is heavily congested the TCP sender is throttled.
- UDP multiplexing and splitting (demultiplexing): The sending host may have several processes that need to send datagrams. UDP receives datagrams from the different processes, each of which has been assigned a port number, adds the UDP header, and hands each datagram to the network layer. The sender's UDP handling datagrams from multiple processes is called UDP multiplexing. The receiver hands each datagram to the right process according to the destination port number it carries, which is called UDP splitting. This multiplexing and splitting is really just a consequence of the UDP header itself carrying a source port and a destination port: sending and receiving by multiple processes is keyed by port, so multiplexing and splitting across processes follows naturally.
Knowing the characteristics of the UDP protocol, let's look at the flow of a UDP packet through the OSI model:
- Application data is sent through the application process port and assembled into an application message.
- The application layer message data adds a UDP header at the transport layer, which is called a UDP segment.
- The UDP segment adds an IP header at the network layer and is called an IP data packet.
- The IP data packet is sent to the data link layer and the Ethernet frame header and trailer are added to form an Ethernet frame.
- Finally, the frame is converted into bits and transmitted over the network medium.
The process of passing data down the protocol stack layer by layer, adding headers and trailers, is called encapsulation. Passing data up layer by layer and removing the headers and trailers is called decapsulation (unpacking).
UDP protocol message components

The UDP header consists of four fields: source port number, destination port number, UDP length, and UDP checksum. The header is 8 bytes long, and each field occupies 2 bytes, or 16 bits. Let's look at the protocol message diagram below:
- Source and destination port number fields: 16 bits each. They serve the same purpose as the port number fields in the TCP segment, identifying the application processes at the source and destination ends.
- Length field: 16 bits. Indicates the total length of the UDP header and UDP data.
- Checksum field: occupies 16 bits. Used to check the UDP header and UDP data. Unlike TCP, this field is optional for UDP, while the checksum field in the TCP data segment is required.
UDP service implementation

The UDP and TCP protocols work differently, but both establish port-to-port communication. The port is a concept that was born with the transport layer. To implement a UDP communication service, you call the operating system's API to build a socket. A socket is a programming interface of the operating system that represents one network communication endpoint. Below we illustrate the UDP call implementation based on this programming interface. Both IP and UDP are connectionless: IP delivers to the target host by IP address, while UDP delivers to the specified network application by port.

TCP

Introduction to TCP Protocol

TCP is the Transmission Control Protocol, a connection-oriented transport protocol that provides reliable, full-duplex communication on top of the unreliable Internet. TCP provides connection management, error control, flow control, congestion control, and so on.

TCP Features

The main features of TCP are connection orientation, full-duplex communication, reliable connection establishment and release, flow control and congestion control, and a stream interface.
- Connection-oriented: The source process establishes a transport connection between its own port and the specified port of the destination process. Once the connection is established, the two communicating processes can send and receive data streams over it. A connection-oriented transport service ensures the reliability of data stream transmission.
- Full-duplex communication: Full duplex means that signals can be transmitted in both directions (A->B and B->A) at the same time. TCP allows full-duplex communication: once the transport connection between two application processes is established, the client and server processes can send and receive data streams simultaneously. TCP uses buffers on both the sending and receiving sides. The send buffer holds the data the process is about to send; received segments are placed in the receive buffer until the receiving process reads the data sent by the other side.
- Establishing and releasing reliable connections: In order to ensure the reliability of establishing and releasing transmission connections, TCP uses the "three-way handshake" mechanism to prevent request errors caused by invalid connection request packets during the connection establishment phase. When releasing the transmission connection, TCP uses the "four-way handshake" mechanism to ensure that all datagrams that have been sent when the connection is closed can correctly reach the destination port.
- Flow control and congestion control: TCP uses a variable-size sliding window for flow control. The send window size is agreed by both parties when the connection is established. During communication the sender can dynamically adjust its send window at any time according to its own resource situation, and the receiver adjusts its receive window to follow the sender.
- Support stream interface: TCP provides a stream interface (Stream Interface), which can be used by application processes to send continuous data streams. The TCP transmission connection provides a "pipeline" to ensure that the data stream "flows" correctly from one end to the other end. TCP does not interpret the content of the data stream. The interpretation of the data stream is handled by the applications of both parties.
TCP protocol message composition

The TCP segment consists of two parts: the header and the data. The first 20 bytes of the TCP header are fixed, called the TCP fixed header, and are followed by an options section of 4×N bytes. The TCP header layout is shown in the figure:
- Source Port and Destination Port: 16 bits each. They are the source port number and destination port number of the segment.
- Together with the source IP address and destination IP address fields of the IP header, the source port and destination port fields form a 4-tuple <source port, source IP address, destination port, destination IP address> that uniquely identifies a TCP connection.
- Sequence Number, Acknowledgment Number and Advertised Window: The sequence number and acknowledgment number each occupy 32 bits, and the advertised window occupies 16 bits.
- Header Length: 4 bits. Indicates the length of the TCP header. The value is calculated in 32-bit units. For example, if the TCP fixed header is 20 bytes, the header length is 5.
- Flags: occupies 6 bits. Used to distinguish different types of TCP messages. The flags currently used are SYN, ACK, FIN, RST, PSH, and URG.
- Checksum: Used in exactly the same way as the checksum field in UDP. It is computed over the entire TCP header, the TCP data, and a pseudo-header made up of the source address, destination address, protocol and TCP length fields taken from the IP header. In TCP the checksum field is mandatory.
- Options: The most commonly used option field is the Maximum Segment Size (MSS), which is usually used to limit the maximum length of segment data.
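An added example (not from the article) that parses both headers described above: the UDP header with its optional checksum, and the TCP fixed header with the data offset in 32-bit words, the six flag bits and the MSS option. Both checksums are verified over the IPv4 pseudo-header exactly as the checksum bullets describe; the addresses, ports and payloads used are constructed sample values.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum shared by the UDP and TCP checksums."""
    data += b"\x00" * (len(data) % 2)            # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, proto, length):  # source, destination, zero, protocol, length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, proto, length)

def fill_checksum(src_ip, dst_ip, proto, segment, offset):  # sender side; offset 6 = UDP, 16 = TCP
    seg = bytearray(segment)
    seg[offset:offset + 2] = b"\x00\x00"
    csum = (~ones_sum(pseudo_header(src_ip, dst_ip, proto, len(seg)) + bytes(seg))) & 0xFFFF
    if csum == 0 and proto == 17:
        csum = 0xFFFF                            # UDP: 0 is reserved to mean "no checksum"
    struct.pack_into("!H", seg, offset, csum)
    return bytes(seg)

def checksum_valid(src_ip, dst_ip, proto, segment):
    # With the checksum field in place, the sum over pseudo-header + segment is all ones if correct.
    return ones_sum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0xFFFF

def parse_udp(src_ip, dst_ip, segment):
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        raise ValueError("UDP length field does not match the datagram size")
    # Optional for UDP over IPv4: a zero checksum means the sender did not compute one.
    ok = None if csum == 0 else checksum_valid(src_ip, dst_ip, 17, segment)
    return {"sport": sport, "dport": dport, "checksum_ok": ok, "payload": segment[8:]}

FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

def parse_tcp(src_ip, dst_ip, segment):
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4                 # header length is in 32-bit words: 5 -> 20 bytes
    opts, i, mss = segment[20:hlen], 0, None
    while i < len(opts) and opts[i] != 0:        # walk the options; kind 0 ends the list
        olen = 1 if opts[i] == 1 else opts[i + 1]  # kind 1 (NOP) has no length byte
        if opts[i] == 2 and olen == 4:           # MSS option: kind 2, length 4
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(olen, 1)                        # a zero length would otherwise loop forever
    return {"tuple": (src_ip, sport, dst_ip, dport), "seq": seq, "ack": ack, "header_len": hlen,
            "flags": [n for n, bit in FLAGS if off_flags & bit], "window": window, "mss": mss,
            "checksum_ok": checksum_valid(src_ip, dst_ip, 6, segment), "payload": segment[hlen:]}
```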
TCP service implementation

There are two modes in TCP network programming: server mode and client mode. In server mode a service program is created that waits for client users to connect and processes each user's request after receiving the connection request; in client mode the program connects to the destination server by address and port, sends a request to the server, and processes the server's response. The programming steps for server mode are:
- Socket initialization: the socket options are chosen according to what the service needs.
- Binding the socket to a port: bind the socket to an address structure. After binding, the IP address, port, protocol type and other parameters that the socket represents are fixed to the bound values, and the network program operates on them.
- Listening: since a server must satisfy connection requests from multiple clients but can only process a limited number at a time, it must set the length of the server queue. The server sets this parameter when it listens for connections, to limit the length of the queue of client connection requests waiting to be processed by the server.
- Accepting and exchanging data: once a client's connection request has been accepted, data can be read from or written to the socket file descriptor.
- Closing: when the server has finished processing the data and wants to end communication with the client, it closes the socket connection.
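The UDP service implementation above and the server-mode steps just listed, as an added example that is not the article's own code: udp_exchange() has two sending sockets (standing in for two processes) reach one UDP server with plain sendto() and be told apart by source port, while tcp_server() and tcp_exchange() walk through socket, bind, listen(backlog), accept, recv/send and close. Loopback 127.0.0.1 and port 0 (let the OS pick) are this example's choices so it runs offline.

```python
import socket
import threading

def udp_exchange(messages=(b"from process 0", b"from process 1")):
    """Connectionless: senders just call sendto(); the server tells them apart by source port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free port
    server.settimeout(5)
    port = server.getsockname()[1]
    senders = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in messages]
    for s, msg in zip(senders, messages):
        s.settimeout(5)
        s.sendto(msg, ("127.0.0.1", port))        # no connect(), no handshake: just one datagram
    seen = {}
    for _ in senders:
        data, peer = server.recvfrom(2048)        # one call returns exactly one whole datagram
        seen[peer[1]] = data                      # demultiplex by the sender's port number
        server.sendto(data.upper(), peer)         # reply to that port: multiplexing in reverse
    replies = {s.getsockname()[1]: s.recvfrom(2048)[0] for s in senders}
    for s in senders + [server]:
        s.close()
    return seen, replies

def tcp_server(ready, out, backlog=5):
    """Server mode: socket -> bind -> listen(backlog) -> accept -> recv/send -> close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # rebind while old connections sit in TIME_WAIT
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)                           # backlog: completed handshakes waiting for accept()
    out["port"] = srv.getsockname()[1]
    ready.set()                                   # tell the client which port to connect to
    conn, _ = srv.accept()                        # returns only after the three-way handshake completes
    with conn:
        conn.sendall(conn.recv(4096).upper())     # leaving the block closes conn: our FIN goes first
    srv.close()

def tcp_exchange(message=b"hello tcp"):
    """Client mode: connect to the server's address and port, send a request, read the reply."""
    ready, out = threading.Event(), {}
    threading.Thread(target=tcp_server, args=(ready, out), daemon=True).start()
    ready.wait(5)
    with socket.create_connection(("127.0.0.1", out["port"]), timeout=5) as c:
        c.sendall(message)
        reply = b""
        while len(reply) < len(message):          # a stream has no message boundaries: read until done
            chunk = c.recv(4096)
            if not chunk:                         # empty read means the server sent its FIN
                break
            reply += chunk
    return reply
```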
For the server mode, please refer to the following figure.

Three-way handshake and four-way wave: interview scenarios

First, let's look at the TCP connection establishment and termination diagram.

Question 1: Why does the TCP handshake take three steps, not two or four?
- The three-way handshake means that when a TCP connection is established, the client and server exchange a total of 3 packets.
- The main purpose of the three-way handshake is to confirm that each side's sending and receiving capabilities are working, as preparation for the reliable transmission that follows. After the client's first message to the server and the server's reply, the client knows that the server can both send and receive. At this point the server knows that the client can send, but the client's ability to receive is still unconfirmed. When the client replies to the server a second time, the server knows that the client can also both send and receive.
- A secondary function of the three-way handshake is to reduce the impact of maliciously forged packets on the server. A large number of forged packets could fill the queue of connections whose three-way handshake is unfinished, so that the legitimate connections the service needs to accept cannot get in. With the third step, if the server does not receive the ACK for a forged request it retries the SYN+ACK message, and if the connection still cannot be completed after several retries the server closes it, which limits the resources lost to a SYN attack.
Question 2: Why does closing the connection take four waves?
- When the server receives the client's FIN packet (the first wave), it does not close immediately. Why not? Because its own data may not all have been sent yet. The server first sends an ACK telling the client "I have received your disconnection request" (the second wave) and asking for some time to send the remaining packets. When those have been sent, it sends a FIN packet to the client to indicate that the connection can now be closed (the third wave). After receiving the FIN, the client sends an ACK to the server to confirm the disconnection (the fourth wave).
- TCP allows unidirectional data transmission. After the actively closing side closes its direction, the passive side may keep sending data for a long time without calling close; the connection is then in a half-closed state. This comes from the mutual independence of TCP's two directions, and it is also why four steps are needed to close the connection.
Question 3: Why must the side that actively disconnects wait 2MSL in the TIME-WAIT state?
- MSL is the Maximum Segment Lifetime. In Linux the value of MSL is fixed at 30 seconds, so the TIME_WAIT duration is 60 seconds.
- Without TIME_WAIT, the port could be reused for a new connection right away. The passive side's FIN might then arrive again, either duplicated by a router or retransmitted by the passive side because it never received the ACK, and a normal new connection would be wrongly closed by the stale FIN. Keeping TIME_WAIT lets the old connection absorb the retransmitted FIN.
- Waiting 2MSL allows the final ACK to be lost once: if the ACK is lost, the passive side's retransmitted FIN arrives within the second MSL, while the connection is still in TIME_WAIT and can handle it.
Question 4: What is a SYN attack?
- SYN (synchronize) is the handshake signal used when TCP/IP establishes a connection. A SYN attack is a type of DDoS attack that exploits a weakness of the TCP protocol, consuming CPU and memory resources by sending a large number of half-open connection requests.
- Solutions to SYN attacks:
- Raise the maximum length of the half-open connection queue (connections whose three-way handshake has not finished):
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
- Enable SYN cookies. The principle is that when the TCP server receives a SYN packet and returns a SYN+ACK packet, it does not allocate a dedicated data area but instead computes a cookie value from the SYN packet. When the ACK packet arrives, the TCP server checks the legitimacy of the ACK against the cookie value and, if it is legitimate, allocates the dedicated data area to handle the subsequent TCP connection.
sysctl -w net.ipv4.tcp_syncookies=1
- Modify the number of retries. Setting the number of retransmissions to 0 means that if no response is received from the client, the connection is discarded immediately. The default is 5.
sysctl -w net.ipv4.tcp_syn_retries=0
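As an added check (example code, not from the article) that audits these settings on a Linux host by reading them from /proc/sys: the thresholds are this example's assumptions, and the reader is parameterised by a root directory so it can be exercised against a constructed fake tree. Note that tcp_syn_retries governs retransmission of SYNs this host sends as a client; the server-side retransmission of SYN+ACK for half-open connections, which is what the retry bullet describes, is controlled by tcp_synack_retries, so the audit checks that key.

```python
import tempfile
from pathlib import Path

# Thresholds are this example's assumptions; the keys are real Linux sysctls under /proc/sys.
WANTED = {
    "net/ipv4/tcp_syncookies": 1,          # keep no per-connection state until the final ACK arrives
    "net/ipv4/tcp_max_syn_backlog": 2048,  # length of the half-open (SYN received) queue
    "net/ipv4/tcp_synack_retries": 2,      # server-side SYN+ACK retransmissions (not tcp_syn_retries)
}
CHECKS = {
    "net/ipv4/tcp_syncookies": lambda v: v == 1,
    "net/ipv4/tcp_max_syn_backlog": lambda v: v >= 2048,
    "net/ipv4/tcp_synack_retries": lambda v: v <= 2,
}

def read_sysctl(root, key):
    """Read one integer sysctl from the proc tree rooted at `root` (normally /proc/sys)."""
    return int(Path(root, key).read_text().split()[0])

def audit_syn_hardening(root="/proc/sys"):
    """Return {key: (value, ok)}; a key that cannot be read is reported as (None, False)."""
    findings = {}
    for key, check in CHECKS.items():
        try:
            value = read_sysctl(root, key)
        except (OSError, ValueError, IndexError):
            findings[key] = (None, False)
            continue
        findings[key] = (value, check(value))
    return findings

def remediation(findings):
    """The sysctl -w commands that would bring the failing settings to the wanted values."""
    return ["sysctl -w %s=%d" % (key.replace("/", "."), WANTED[key])
            for key, (_, ok) in findings.items() if not ok]

def make_sample_root(values):
    """Build a temporary fake /proc/sys tree holding `values` (constructed data for a dry run)."""
    root = Path(tempfile.mkdtemp())
    for key, value in values.items():
        (root / key).parent.mkdir(parents=True, exist_ok=True)
        (root / key).write_text("%d\n" % value)
    return str(root)
```

Run audit_syn_hardening() with no argument on a real host to read the live values; remediation() only prints the commands and changes nothing.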