Talk about TCP's three-way handshake and four-way wave


This article is reprinted from the WeChat public account "Mu Xiaonong", the author is Mu Xiaonong. Please contact Mu Xiaonong's public account to reprint this article.

1. Introduction to Transmission Control Protocol TCP

1.1 Introduction

TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol.

TCP packages user data into segments, starts a timer after sending, acknowledges the data received from the other end, reorders out-of-order data, and discards duplicate data.

TCP treats the connection as its most basic object. Each TCP connection has two endpoints, which we call sockets. A socket is formed by concatenating the IP address with the port number, for example, 192.1.1.6:50030.

1.2 Features

  • It is a connection-oriented, reliable, byte-stream-based transport layer communication protocol.
  • The TCP layer divides the application-layer data stream into segments and sends them to the target node.
  • Data packets carry sequence numbers. If the other party receives a packet, it sends back an ACK confirmation; if the packet is not received, the sender retransmits it.
  • Checksums are used to verify that data has not been corrupted in transmission.

2. TCP Header

1. Source Port/Destination Port: They each occupy 2 bytes, indicating where the message comes from (source port) and to which upper layer protocol or application (destination port). When performing TCP communication, the client usually uses a temporary port number automatically selected by the system, while the server usually uses a well-known service port number or a self-specified port number (for example, the DNS protocol corresponds to port 53, and the HTTP protocol corresponds to port 80).

2. Sequence Number: Occupies 4 bytes. TCP is byte-stream oriented, and each byte in the byte stream transmitted over a TCP connection is numbered in sequence. The starting sequence number of the entire byte stream must be set when the connection is established. The sequence number field in the header is the sequence number of the first byte of the data sent in this segment. For example, if the sequence number field of a segment is 107 and the segment carries 100 bytes of data, the sequence number of the next segment starts from 207 (100+107).

3. Acknowledgment Number: 4 bytes. It is the sequence number of the first data byte expected from the other party in the next segment. If the acknowledgment number = N, all data up to sequence number N-1 has been received correctly. For example, B receives a segment sent by A whose sequence number field is 301 and whose data length is 200 bytes, which means that B has correctly received the data from A up to sequence number 500 (301+200-1). The next sequence number B expects from A is therefore 501, so B sets the acknowledgment number to 501 in the acknowledgment segment it sends to A.

4. Data Offset: 4 bits. Indicates how far the start of the data in the TCP segment is from the start of the segment, so this field actually gives the length of the TCP segment header. Because the header contains option fields of variable length, the data offset field is necessary. The unit is a 32-bit word, that is, 4 bytes. The largest value a 4-bit binary number can represent is 15, so the maximum length of the TCP header is 60 bytes.

5. Reserved: 6 bytes. Reserved field

6. TCP Flags: Control bit, composed of eight flag bits, each flag bit represents the control function. We mainly introduce the six commonly used TCP Flags.

  • URG (urgent pointer flag): When URG=1, it indicates that the urgent pointer field is valid. It tells the system that there is urgent data in this segment and it should be transmitted as soon as possible (equivalent to high-priority data) instead of being transmitted in the original queue order. For example, a long program has been sent to run on the host. But later some problems were found and the program needed to be canceled. Therefore, the user issued an interrupt command from the keyboard. If urgent data is not used, these two characters will be stored at the end of the receiving TCP buffer. Only after all the data has been processed will these two characters be delivered to the receiving application process. Doing so wastes a lot of time.
  • ACK (Acknowledgement Number Flag): When ACK=1, the acknowledgment number field is valid. When ACK=0, the acknowledgment number is invalid. TCP stipulates that after the connection is established, all transmitted segments must set ACK to 1.
  • PSH (push flag): When two application processes communicate interactively, sometimes the application process at one end hopes to receive a response from the other party immediately after typing a command. In this case, TCP can use the push operation. At this time, the sender TCP sets PSH to 1 and immediately creates a segment to send out. When the receiving TCP receives the segment with PSH=1, it delivers it to the receiving application process as soon as possible, instead of waiting until the entire buffer is filled before delivering it upward.
  • RST (Reset Connection Flag): When RST=1, a serious error has occurred in the TCP connection (for example, because of a host crash), and the connection must be released and the transport connection re-established. It can also be used to reject an illegal segment or refuse to open a connection.
  • SYN (Synchronize Sequence Numbers, used in the process of establishing a connection): It is used to synchronize the sequence numbers when establishing a connection. When SYN=1 and ACK=0, the segment is a connection request. If the other party agrees to establish the connection, it sets SYN=1 and ACK=1 in the response segment. SYN set to 1 therefore indicates either a connection request or a connection acceptance.
  • FIN (finish flag, used to release the connection): When FIN=1, it indicates that the sender of this message segment has sent all the data and requests to release the transport connection.

7. Window: It is a means of TCP flow control. The window here refers to the Receiver Window (RWND). It tells the other party how many bytes of data the TCP receive buffer can accommodate, so that the speed of sending data can be controlled.

8. Checksum: The check range includes the header and data, which are filled by the sender. The receiver performs the CRC algorithm on the TCP segment to check whether the TCP segment is damaged during transmission. This is also an important guarantee for TCP reliable transmission.

9. Urgent Pointer: The urgent pointer is only meaningful when URG=1. It indicates the number of bytes of urgent data in this segment (normal data follows the end of urgent data). Therefore, the urgent pointer indicates the position of the end of the urgent data in the segment. When all urgent data is processed, TCP tells the application to resume normal operation. It is worth noting that urgent data can be sent even when the window is zero.

10. TCP Options: Variable length, up to 40 bytes. When "options" are not used, the TCP header length is 20 bytes.

3. TCP three-way handshake

The three-way handshake is the procedure that establishes a TCP connection: the client and the server send a total of 3 packets to confirm that the connection is established. In socket programming, this process is triggered by the client executing connect. The whole process is shown in the figure below:

In the TCP/IP protocol, the TCP protocol provides reliable connection services and uses a three-way handshake to establish a connection.

First handshake: When establishing a connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server to confirm. SYN: Synchronize Sequence Numbers.

Second handshake: When the server receives the SYN packet, it must confirm the client's SYN (ack=j+1) and send its own SYN packet (syn=k) at the same time, that is, a SYN+ACK packet. At this point, the server enters the SYN_RECV state.

The third handshake: The client receives the SYN + ACK packet from the server and sends a confirmation packet ACK (ack=k+1) to the server. After this packet is sent, the client and server enter the ESTABLISHED (TCP connection successful) state, completing the three-way handshake.
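The header layout from section 2 and the handshake numbering above, as an added Python example (not code from the original article): it parses the 20-byte fixed header and checks that three segments form a valid SYN, SYN+ACK, ACK exchange. The segments, ports and the values j=1000 and k=5000 are constructed sample input, and the function names are hypothetical.

```python
import struct
from typing import NamedTuple

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

class TcpHeader(NamedTuple):
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int      # bytes, derived from the data offset field
    flags: frozenset
    window: int

def parse_tcp_header(segment: bytes) -> TcpHeader:
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte fixed TCP header")
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset counts 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError("data offset points outside the segment")
    flags = frozenset(n for n, bit in FLAG_BITS.items() if off_flags & bit)
    return TcpHeader(sport, dport, seq, ack, header_len, flags, window)

def build_segment(sport, dport, seq, ack, flags, window=65535) -> bytes:
    """Constructed input: 20-byte header, no options, checksum left at 0."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)

def is_valid_handshake(segments) -> bool:
    """True if the three segments are SYN(j), SYN+ACK(k, j+1), ACK(j+1, k+1)."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    nxt = lambda n: (n + 1) % 2**32             # sequence numbers wrap at 2^32
    return (syn.flags == {"SYN"} and synack.flags == {"SYN", "ACK"}
            and ack.flags == {"ACK"}
            and (synack.src_port, synack.dst_port) == (syn.dst_port, syn.src_port)
            and (ack.src_port, ack.dst_port) == (syn.src_port, syn.dst_port)
            and synack.ack == nxt(syn.seq)      # server confirms j with ack=j+1
            and ack.seq == nxt(syn.seq)
            and ack.ack == nxt(synack.seq))     # client confirms k with ack=k+1

J, K = 1000, 5000                               # constructed initial sequence numbers
HANDSHAKE = [build_segment(50030, 80, J, 0, ["SYN"]),
             build_segment(80, 50030, K, J + 1, ["SYN", "ACK"]),
             build_segment(50030, 80, J + 1, K + 1, ["ACK"])]
```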

3.1 Why is a three-way handshake required to establish a connection?

  • The handshake initializes the starting values of the sequence numbers. To achieve reliable data transmission, both parties of a TCP connection must maintain a sequence number that identifies which of the sent data packets have been received by the other party. The three-way handshake is the step in which both parties inform each other of their starting sequence number and confirm that the other party has received it.
  • With only two handshakes, at most the starting sequence number of the connection initiator can be confirmed; the sequence number selected by the other party cannot be confirmed.

3.2 Hidden danger of the first handshake - SYN timeout

1. Analysis of the cause of the problem:

  1. The server receives the client's SYN and replies with SYN+ACK, but does not receive the ACK confirmation.
  2. The server keeps retrying until it times out. By default, Linux waits 63 seconds before disconnecting (5 retries, not counting the first attempt, starting at 1 second and doubling on each retry: 1+2+4+8+16+32=63 seconds).

2. Protection measures against SYN Flood:

When the SYN queue is full, the server sends back a SYN cookie [source port + destination port + timestamp]; this behavior is controlled by the tcp_syncookies parameter.

If it is a normal connection, the client sends the SYN cookie back and the connection is established directly.
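How a server can validate the returned cookie without keeping any state for the half-open connection, as an added Python sketch (not from the original article and not the Linux implementation): the cookie is used as the server's initial sequence number and recomputed when the final ACK arrives. The field selection, the 5-bit/27-bit split, the 64-second slot and all names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a random per-boot secret in a real stack
SLOT_SECONDS = 64                  # assumption: granularity of the timestamp counter
MAX_AGE_SLOTS = 2                  # accept cookies from the current and previous slot

def _mac27(conn, client_isn, slot):
    """27-bit keyed hash over the connection 4-tuple, client ISN and time slot."""
    msg = "|".join(map(str, (*conn, client_isn, slot))).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF

def make_cookie(conn, client_isn, now):
    """Server ISN for the SYN+ACK: 5 bits of time slot plus 27 bits of MAC."""
    slot = int(now) // SLOT_SECONDS
    return ((slot & 0x1F) << 27) | _mac27(conn, client_isn, slot)

def check_ack(conn, ack_seq, ack_number, now):
    """Validate the final ACK using only the packet, the secret and the clock."""
    client_isn = (ack_seq - 1) % 2**32      # the ACK carries seq = j + 1
    cookie = (ack_number - 1) % 2**32       # and ack = cookie + 1
    current = int(now) // SLOT_SECONDS
    for age in range(MAX_AGE_SLOTS):
        slot = current - age
        if slot < 0:
            break
        expected = ((slot & 0x1F) << 27) | _mac27(conn, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True                     # genuine reply: establish the connection
    return False                            # forged, replayed too late, or wrong tuple

# Constructed sample: client 192.1.1.6:50030 connecting to a server at 192.0.2.10:80.
CONN = ("192.1.1.6", 50030, "192.0.2.10", 80)
```

Because nothing is stored until `check_ack` succeeds, a flood of SYNs that never complete the handshake cannot fill the SYN queue.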

3.3 Keep-alive mechanism:

What if the Client fails after we establish a connection?

A keep-alive probe is sent to the other party; if no response is received, the probe is sent again.

If the number of attempts reaches the keep-alive probe count and still no response is received, the connection is terminated.

4. TCP's four waves

The four-way wave terminates a TCP connection: when a TCP connection is disconnected, the client and the server send a total of 4 packets to confirm the disconnection. In socket programming, this process is triggered by either the client or the server executing close. The whole process is shown in the figure below:

Since TCP connection is full-duplex, each direction must be closed separately. The principle is that when one party completes the data sending task, it sends a FIN to terminate the connection in this direction. Receiving a FIN only means that there is no data flow in this direction, that is, no more data will be received, but data can still be sent on this TCP connection until FIN is sent in this direction. The party that closes first will perform an active close, while the other party will perform a passive close.

  • First wave: The client sends a FIN to close the data transmission from the client to the server, and the client enters the FIN_WAIT_1 state.
  • Second wave: After receiving the FIN, the server sends an ACK to the client whose acknowledgment number is the received sequence number + 1 (as with SYN, one FIN occupies one sequence number), and the server enters the CLOSE_WAIT state.
  • Third wave: The server sends a FIN to close the data transmission from the server to the client, and the server enters the LAST_ACK state.
  • Fourth wave: After the client receives the FIN, the client enters the TIME_WAIT state and then sends an ACK to the server whose acknowledgment number is the received sequence number + 1. The server enters the CLOSED state, completing the four waves.

1. Why is there a TIME_WAIT state?

After receiving the end segment from the server, the client connection will not directly enter the CLOSED state, but will move to the TIME_WAIT state. In this state, the client connection has to wait for a period of 2MSL, which is twice the maximum lifetime of the segment, before it can be completely closed. There are two main reasons for this:

  • Make sure there is enough time for the other party to receive the ACK packet
  • Avoid confusion between old and new connections

2. Why is a four-way wave required to disconnect?

Because TCP is a full-duplex protocol, both parties can send and receive data at the same time, and each direction of the connection can be closed independently. This avoids the situation where the client has finished sending data and sends a FIN to the server to close the connection while the server has not yet finished sending data to the client. Closing a TCP connection therefore requires four waves: closing the connection in one direction takes two of them, a FIN and an ACK, and both the sender and the receiver need their own FIN and ACK messages.

3. Reasons why a large number of CLOSE_WAIT states appear on the server

This is because the other party closed the socket connection, and we were busy reading or writing and did not close the connection in time.

When the client sends a FIN before the server for some reason, the server is closed passively. If the server does not actively close the socket and send a FIN to the client, the server socket stays in the CLOSE_WAIT state (not the LAST_ACK state). Generally speaking, a CLOSE_WAIT will last at least 2 hours (the system default timeout is 7200 seconds, which is 2 hours). If the server program accumulates a large number of CLOSE_WAIT sockets that consume resources, the system will usually crash before they are released.

Solution:

  1. Check the code, especially the code that releases resources.
  2. Check the configuration, especially the thread configuration that handles requests.

Command for checking the number of connections in each state on Linux:

    netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
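The four waves and the CLOSE_WAIT leak described above, as an added table-driven Python model (not from the original article): it runs the close sequence with and without the server application calling close. The event names and the `simulate_close` function are hypothetical, and FIN_WAIT_2 is the standard TCP state the active side occupies between the second and third wave, which the article does not name.

```python
# (state, event) -> (next state, segment sent in response)
TRANSITIONS = {
    ("ESTABLISHED", "app_close"): ("FIN_WAIT_1", "FIN"),   # active close, first wave
    ("ESTABLISHED", "recv_FIN"): ("CLOSE_WAIT", "ACK"),    # passive close, second wave
    ("FIN_WAIT_1", "recv_ACK"): ("FIN_WAIT_2", None),
    ("CLOSE_WAIT", "app_close"): ("LAST_ACK", "FIN"),      # third wave
    ("FIN_WAIT_2", "recv_FIN"): ("TIME_WAIT", "ACK"),      # fourth wave
    ("LAST_ACK", "recv_ACK"): ("CLOSED", None),
    ("TIME_WAIT", "timeout_2MSL"): ("CLOSED", None),
}

class Endpoint:
    def __init__(self):
        self.state = "ESTABLISHED"

    def handle(self, event):
        """Apply one event; return the segment this endpoint sends, if any."""
        try:
            self.state, sends = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise ValueError(f"{event} is not valid in state {self.state}") from None
        return sends

def simulate_close(server_app_calls_close: bool):
    """Client closes first; return (client state, server state, segments on the wire)."""
    client, server, wire = Endpoint(), Endpoint(), []
    wire.append(client.handle("app_close"))        # FIN: client -> server
    wire.append(server.handle("recv_FIN"))         # ACK: server enters CLOSE_WAIT
    client.handle("recv_ACK")                      # client waits in FIN_WAIT_2
    if server_app_calls_close:                     # the application releases the socket
        wire.append(server.handle("app_close"))    # FIN: server enters LAST_ACK
        wire.append(client.handle("recv_FIN"))     # ACK: client enters TIME_WAIT
        server.handle("recv_ACK")                  # server is CLOSED
        client.handle("timeout_2MSL")              # client is CLOSED after 2MSL
    return client.state, server.state, wire

if __name__ == "__main__":
    print(simulate_close(True))    # clean shutdown
    print(simulate_close(False))   # server code never closes: stuck in CLOSE_WAIT
```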

5. Conclusion

This concludes the discussion of TCP's three-way handshake and four-way wave. I haven't written a technical article for a long time. I wrote a few and felt it was pretty good. The above is the blogger's understanding. If there are any poorly written parts, you can discuss or ask questions in the comment section.
