Come and have a look!!! TCP/IP knowledge points that you often overlook

Internet Layer Protocol

In the DoD model, the Internet layer has two functions: routing, and providing a single network interface to the upper layers. No protocol in any other layer provides routing functions; this complex and important task is handled entirely by the Internet layer. Its second responsibility is to provide a single network interface to the upper-layer protocols. Without this layer, application developers would need to write "hooks" to the various network access protocols in every application. This is not only troublesome, it also means maintaining multiple versions of each application: an Ethernet version, a wireless version, and so on. To avoid this problem, IP provides a single network interface to the upper-layer protocols, and IP in turn works with the various network access protocols.

In networking, not all roads lead to Rome, but all roads lead to IP. All protocols at the Internet layer and above use IP. Don't forget this. In the DoD model, all paths traverse IP. The next few sections will introduce the Internet layer protocols:

  • Internet Protocol (IP);
  • Internet Control Message Protocol (ICMP);
  • Address Resolution Protocol (ARP);
  • Reverse Address Resolution Protocol (RARP);
  • Proxy ARP;
  • Gratuitous ARP.

1. IP

IP (Internet Protocol) essentially is the Internet layer; the other protocols in this layer merely support it. IP has a global view: it is aware of all the interconnected networks. It can do this because every machine on the network has a software (logical) address, called an IP address.

IP looks at the address of each packet and then uses a routing table to decide where to send the packet next, choosing the best path. The network access layer protocols at the bottom of the DoD model do not consider the entire network the way IP does; they deal only with physical links (local networks).

To identify a device on a network, you need to answer two questions: Which network is the device on? And what is its ID on that network?

To the first question, the answer is the software (logical) address (the right street); to the second, the answer is the hardware address (the right mailbox). All hosts on a network have a logical ID, called an IP address, which is a software (logical) address and contains valuable encoded information that greatly simplifies the complex task of routing. (RFC 791 discusses IP.)

IP receives data segments from the host-to-host layer and divides them into datagrams (packets) when necessary. At the receiving end, IP reassembles the datagrams into segments. Each datagram contains the IP addresses of the sender and receiver. When a router (a layer 3 device) receives a datagram, it makes a routing decision based on the packet's destination IP address.

Figure 3-7 shows the IP header, which should give you an idea of what the IP protocol has to do every time the upper layers hand it user data to send to a remote network.

The IP header contains the following fields:

  • Version: IP version number.
  • Header Length: The length of the header in 32-bit words.
  • Priority and Type of Service: The Type of Service indicates how the datagram should be handled. The first 3 bits are the priority bits, currently called the differentiated services bits.
  • Total Length: The length of the entire packet, including header and data.
  • Identification: A unique IP packet value, used to distinguish different datagrams.
  • Flags: Indicate whether fragmentation is done.
  • Fragment Offset: Provides fragmentation and reassembly when packets are too large to fit in a single frame. It also allows for different MTUs (Maximum Transmission Units) on the Internet.
  • Time to Live (TTL): The time to live is set when the packet is generated. If the TTL expires before the packet reaches the destination, the packet is discarded. This prevents IP packets from circulating in the network indefinitely in search of a destination.
  • Protocol: The port of the upper-layer protocol (port 6 for TCP and port 17 for UDP). Network layer protocols such as ARP and ICMP are also supported (in some analyzers, this field is called the Type field). We will discuss this field in more detail later.
  • Header Checksum: The result of performing a CRC on the header.
  • Source IP Address: The 32-bit IP address of the sender.
  • Destination IP Address: The 32-bit IP address of the recipient.
  • Options: Used for network testing, debugging, security, etc.
  • Data: Located after the Options field; this is the upper-layer data.

Below is an IP packet captured by a network analyzer. Note that all the header information discussed previously is included.

The Type field is important. It is usually called the Protocol field, but this analyzer shows it as the IP Type field. If the header did not contain information about the next-layer protocol, IP would not know how to handle the data in the packet. In the previous example, the Type field tells IP to hand the data segment to TCP.

Figure 3-8 illustrates how the network layer learns the protocol used by the transport layer when it needs to hand a packet to an upper-layer protocol.

In this example, the protocol field tells IP to send the data to TCP port 6 or UDP port 17. However, it will be UDP or TCP only if the data is destined for an upper-layer service or application. The data may also be destined for the Internet Control Message Protocol (ICMP), the Address Resolution Protocol (ARP), or another type of network layer protocol.

Table 3-3 lists some other common protocols that may be specified in the protocol field.

NOTE: For a complete list of protocol numbers that the Protocol field can contain, see www.iana.org/assignments/protocol-numbers.

2. ICMP

ICMP (Internet Control Message Protocol) runs at the network layer and is used by IP for many different services. ICMP is a management protocol that provides messaging services for IP. Its messages are transmitted as IP datagrams. RFC 1256 is an annex to ICMP that gives hosts the ability to discover routes to gateways.

ICMP packets have the following characteristics:

  • Can provide information about network failures to the host;
  • Encapsulated in IP datagram.

The following are some common events and messages related to ICMP.

▶ Destination Unreachable: If a router can no longer forward an IP datagram, it uses ICMP to send a message back to the sender to report the situation. For example, as shown in Figure 3-9, interface E0 of router Lab_B has failed.

When host A sends a packet to host B, the Lab_B router sends an ICMP destination unreachable message back to host A.

▶ Buffer Full: If the router memory buffer used to receive datagrams is full, the router uses ICMP to send this message until the congestion is relieved.

▶ Hops/Time Exceeded: Each IP datagram is assigned a maximum number of routers (hops) that it may traverse. If a datagram reaches this limit before reaching its destination, the last router to receive the datagram deletes it. The router then uses ICMP to send an obituary, letting the sender know that its datagram has been deleted.

▶ Ping: Packet Internet Groper (Ping) uses ICMP echo request and reply messages to check the physical and logical connectivity of machines in the internetwork.

▶ Traceroute: Traceroute uses ICMP timeouts to discover the path that packets take as they travel through the internetwork.

Note: Ping and Traceroute (also called Trace, and tracert in Microsoft Windows) both allow you to verify the address configuration of your internetwork.

Below is an ICMP echo request captured by a network analyzer.

Notice anything unusual here? Although ICMP runs at the Internet (network) layer, it still uses IP to send out Ping requests. Did you notice this? In the IP header, the value of the Type field is 0x01, which indicates that the data in the datagram belongs to the ICMP protocol. Don't forget that all roads lead to Rome, and all segments or data must be transmitted through IP.

Note: In the data portion of the packet, the Ping program uses the alphabet as the payload, and the payload usually defaults to about 100 bytes. Of course, if you ping from a Windows host, it will think the alphabet ends at W and will not use X, Y, and Z, so when it reaches the end of the alphabet it restarts at A. You can verify this.

If you read Chapter 2 about the data link layer and the various frames, you will be able to tell from the previous output what kind of Ethernet frame is used. Only the fields destination hardware address, source hardware address, and Ether-Type are shown, and only Ethernet_II frames use the Ether-Type field.

Before we delve into ARP, let's look at another use of ICMP. Figure 3-10 shows an internetwork (it contains a router, so it is an internetwork). Server1 (10.1.2.2) telnets to 10.1.1.5 from a DOS prompt. What kind of response do you think Server1 will receive? Server1 sends the Telnet data to its default gateway (a router), which discards the packet because network 10.1.1.0 is not in its routing table. Therefore, Server1 receives an ICMP destination unreachable message.
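
The IP header fields listed in section 1 and the ICMP-in-IP encapsulation described above can be checked in code. The following is an added example, not part of the original article: it decodes an IPv4 header, verifies the header checksum as RFC 791 defines it (a 16-bit one's-complement sum), and hands protocol 0x01 payloads to a minimal ICMP decoder. The function names and the sample packet are constructed for illustration.

```python
import struct

# Protocol-field values named on the page (IANA protocol numbers).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}

def checksum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header and by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # header length is in 32-bit words
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    hdr = {
        "header_len": ihl, "tos": tos, "total_len": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # A header whose checksum field is intact sums to zero.
        "checksum_ok": checksum(packet[:ihl]) == 0,
    }
    payload = packet[ihl:total_len]
    if proto == 1 and hdr["frag_offset"] == 0 and len(payload) >= 4:  # hand to ICMP
        hdr["icmp"] = ICMP_TYPES.get(payload[0], f"type {payload[0]}")
        hdr["icmp_code"] = payload[1]
        hdr["icmp_checksum_ok"] = checksum(payload) == 0
    return hdr

def build_echo_request(src: str, dst: str, data: bytes, ttl: int = 128) -> bytes:
    """Constructed sample input: an ICMP echo request inside an IPv4 packet."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + icmp
```

Calling `parse_ipv4(build_echo_request("10.1.2.2", "10.1.1.5", b"abcdefghijklmnopqrstuvw"))` reports protocol `ICMP`, type `echo request`, and both checksums valid; changing any header byte without recomputing the checksum makes `checksum_ok` false.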

3. ARP

ARP (Address Resolution Protocol) looks up the hardware address of a host based on a known IP address. It works like this: when IP needs to send a datagram, it must tell the network access layer protocol, such as Ethernet or wireless, the hardware address of the destination. (The upper-layer protocol has already told it the destination's IP address.) If IP does not find the hardware address of the destination host in the ARP cache, it uses ARP to learn this information.

As a detective for IP, ARP interrogates the local network by sending a broadcast asking the machine with a specific IP address to reply using its hardware address. So ARP basically translates a software (IP) address into a hardware address, such as the Ethernet card address of the target host, and then learns the location of that address on the LAN through a broadcast. Figure 3-11 shows ARP on a local network.

NOTE: ARP resolves IP addresses to Ethernet (MAC) addresses.

The following output shows an ARP broadcast. Note that since the target hardware address is unknown, its hexadecimal representation is set to all Fs (binary representation is all 1s). This is a hardware address broadcast:

4. RARP

If the IP host is a diskless computer, it does not know its IP address at first, but it does know its MAC address. The diskless machine can use RARP (Reverse Address Resolution Protocol) as shown in Figure 3-12 to learn its IP address by sending a packet containing the diskless computer's MAC address and a request for the IP address assigned to that MAC address. A dedicated machine called a RARP server will respond to this, thus resolving the identity crisis. RARP uses the information it knows (i.e., the machine's MAC address) to learn the machine's IP address, thereby completing the identity identification.

NOTE: RARP resolves Ethernet (MAC) addresses to IP addresses.

5. Proxy ARP

On a network, we cannot configure multiple default gateways for a host. Think about it: what happens if the default gateway (router) fails? The host cannot automatically send data to another router, and you have to reconfigure the host. Proxy ARP, however, can help a host reach a remote subnet without configuring routing or even a default gateway.

One of the advantages of using proxy ARP is that we can enable it on one router in the network without affecting the routing tables of other routers in the network. However, there is also a serious drawback to using proxy ARP: using proxy ARP will increase the traffic on the network segment, and the host's ARP table will be larger than usual to handle all the IP address to MAC address mappings. By default, all Cisco routers are configured with proxy ARP, and if you don't think you will use it, you should disable it.

A final note about proxy ARP: it is not a separate protocol, but a service that a router runs on behalf of other devices (usually PCs) that are separated by the router from the remote devices they are querying, even though they appear to be on the same subnet as those remote devices.

This enables the router to provide its own MAC address in response to ARP queries, thereby resolving the remote IP address to a valid MAC address.
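
The ARP broadcast from section 3 and the proxy ARP behaviour described here can both be seen by decoding ARP frames. The following is an added example, not part of the original article: it parses Ethernet_II ARP frames and reports any MAC address that answered ARP queries for several IP addresses, which is how a router running proxy ARP appears from a host's point of view. The frames, MAC addresses, and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip4(b: bytes) -> str:
    return ".".join(map(str, b))

def parse_arp_frame(frame: bytes):
    """Decode an Ethernet_II frame carrying IPv4-over-Ethernet ARP, else return None."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac(dst), "eth_src": mac(src),
            "op": {1: "request", 2: "reply"}.get(op, f"op {op}"),
            "sender_mac": mac(sha), "sender_ip": ip4(spa),
            "target_mac": mac(tha), "target_ip": ip4(tpa)}

def macs_answering_for_many_ips(frames, threshold=2):
    """Group ARP replies by sender MAC; keep MACs that claimed >= threshold IPs."""
    claimed = defaultdict(set)
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp and arp["op"] == "reply":
            claimed[arp["sender_mac"]].add(arp["sender_ip"])
    return {m: sorted(ips) for m, ips in claimed.items() if len(ips) >= threshold}

def build_arp(op, eth_dst, sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample frame (addresses are illustrative)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(map(int, i.split(".")))
    return (h(eth_dst) + h(sha) + struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, op)
            + h(sha) + a(spa) + h(tha) + a(tpa))

ROUTER, HOST_A, HOST_B = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
SAMPLE = [  # HOST_A broadcasts for a remote IP; the router answers with its own MAC
    build_arp(1, BROADCAST, HOST_A, "10.1.2.2", "00:00:00:00:00:00", "10.1.1.5"),
    build_arp(2, HOST_A, ROUTER, "10.1.1.5", HOST_A, "10.1.2.2"),
    build_arp(2, HOST_A, ROUTER, "10.1.1.6", HOST_A, "10.1.2.2"),
    build_arp(2, HOST_A, HOST_B, "10.1.2.3", HOST_A, "10.1.2.2"),
]
```

`macs_answering_for_many_ips(SAMPLE)` returns only the router's MAC with the two remote addresses it answered for. On a real segment, a MAC showing this pattern that is not a known router is worth investigating before treating the mapping as legitimate.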
