
TCP/IP Analysis and Troubleshooting Toolkit, part 3


Document information: 44 pages, 2.54 MB

Contents

CHAPTER 3
Inside the Internet Protocol
06 429759 Ch03.qxd 6/26/03 8:57 AM Page 69

Now that Part I of the book has discussed the building blocks of communication (the OSI model) and some techniques on how to analyze those communications, it's time to start discussing what makes communications happen: the protocols. This next part of the book discusses the core TCP/IP protocols that allow all other upper-layer protocols to operate. The approach is once again layer by layer, starting with Internet Protocol (IP) in this chapter and moving on to the most complex core protocol, Transmission Control Protocol (TCP).

It is important to understand how the bottom-layer protocols such as IP work before you begin trying to understand the higher-layer protocols. Since each of the higher-layer protocols (such as UDP and TCP) uses the services of the lower-layer protocols (such as IP), it's important to understand the impact of each layer's responsibility on the entire communications process. Such understanding is critical in troubleshooting situations.

I begin this chapter with a review of Layer 2 communications and how the limitations of Layer 2 create a need for Layer 3 protocols. Then, instead of generic layer descriptions, I begin the discussion of the actual functions of the protocols at each layer, starting in this chapter with IP and other supporting protocols at the network layer.

Reviewing Layer 2 Communications

The next sections provide a quick review of what Part I revealed about the functions of Layer 2.

Multiplexing

Layer 2 frames encapsulate the data of all other upper-layer protocols. As is discussed in Chapter 1, Ethertypes are used by Layer 2 to determine the destination Layer 3 protocol of the data. For example, Figure 3-1 shows a decoded IP packet. Notice how even though you tend to think of Ethernet as a bottom-layer protocol (it resides at Layer 2), the analyzer lists it at the top of the decode panel, under the Ethernet Header section. Analyzers decode the packet detail in reverse, showing you first the lower layers and then, as you scroll down, the upper layers, listed in the decode panel as IP, UDP, and NetBIOS Name Service. In the decode panel, you can see that the packet has several protocols inside of it: Ethernet at the data link layer, then the Internet Protocol, on top of that the User Datagram Protocol, and finally NetBIOS.

Figure 3-1 IP packet decode.

Looking at the Ethernet Header section of the decode panel, you can see that the Ethertype value is 0800 (hex), which indicates to the data link layer that the next upper-layer protocol is IP. When the data link layer receives the frame off the wire and sees the Ethertype value of 0800, it knows to start decoding the next portion of the packet as IP. Your protocol analyzer uses the same method to figure out what the next layer to be decoded is: it looks at the Ethertype.

Error Control

In Chapter 1 I discussed the Ethernet CRC and how it's used to protect data being transferred across the local media. In Figure 3-1 you can see that the analyzer also performs the same CRC calculation that our NICs do to confirm that the frame was received without error. (This is shown at the bottom of the decode panel under the FCS, Frame Check Sequence, section.) This kind of confirmation is important in troubleshooting because you want to be able to guarantee the integrity of the data you are seeing in your analyzer at each layer. Because the CRC is calculated over the entire contents of the frame, you have a pretty good guarantee that what you have received is exactly what the source station sent. Bear in mind that this guarantee covers accidental corruption only: anyone able to modify a frame in transit can simply recompute the CRC, so a valid FCS says nothing about tampering.

NOTE Although this book is primarily concerned with Layers 3 and up, it is still important to understand how errors are detected at Layer 2, since reliable protocols such as TCP attempt to mitigate those errors in order to guarantee data delivery.
In the Chapter 6 discussion of TCP, you can see how that happens.

Addressing

At Layer 2, nodes on the network are addressed by the burned-in addresses on their network interface cards (NICs), called MAC addresses. Each NIC listens for its own MAC address over the wire, and upon "hearing" it, copies the frame off the wire, parses it, and forwards it along to the proper network layer protocol indicated by the Ethertype value. The NIC also listens for the broadcast address and, when configured to, specific multicast addresses. (A protocol analyzer works by putting its NIC into promiscuous mode, which switches off this filtering and copies every frame seen on the media.)

CROSS-REFERENCE You will see how multicast addresses are used in the next case study on NetBEUI, as well as learn the drawbacks of broadcast packets.

In Figure 3-1, you can see in the decode panel under the Ethernet Header section that a source station with MAC address 0C-10-A4-AD-1E-75 has transmitted an IP packet to the destination station with MAC address FF-FF-FF-FF-FF-FF. If you recall from Chapter 1, this destination address is the broadcast address. It will become clearer later in this chapter why the broadcast address is used in certain situations. For now, understand that it is used to address "all stations" on the local media.

Case Study: NetBEUI Communications

The three functions of data link protocols I have just reviewed (multiplexing, error control, and addressing) are also apparent in the functions of the higher-layer protocols. However, before jumping immediately into IP, I want to take a look at how a simple protocol called NetBIOS actually uses the services of the data link layer. The same processes and functions performed by NetBIOS are also performed by IP. Those same functions exist in almost any protocol suite. Once you are familiar with them in NetBIOS, or even IP, you can map them to another protocol very easily.

NetBIOS is an application program interface (API) developed by Sytec, Inc., for IBM. It originally operated on proprietary Sytec data link protocols until IBM migrated its use to its Token Ring networking architecture. To allow older NetBIOS-based applications to continue working on its platforms, IBM also implemented a NetBIOS driver in its PC LAN Support Program. At around the same time, Microsoft developed its LAN Manager system, which used NetBIOS. In the strictest sense, NetBIOS is not a protocol but an API. NetBIOS stands for Networked Basic Input/Output System, and early on was an extension of a computer's BIOS. The NetBIOS API provided a rich set of functions with which application developers could write applications that would communicate over a network. By itself NetBIOS has no communication functionality unless combined with something called the NetBIOS Extended User Interface, or simply NetBEUI. The combination of the two is what is referred to as the NetBEUI protocol, or simply the NetBIOS Frames Protocol. NetBIOS is a very simple protocol that I can use to illustrate some of the functions that occur on networks.

Computers on a NetBEUI (or NetBIOS) network each have a unique 16-character NetBIOS name. For a node to communicate via NetBEUI it needs to first obtain the NetBIOS name of the destination node. Each node uses this name to establish a NetBIOS session with the destination computer. For example, assume that you have two stations, Node1 and Node2. Assume that Node1 wants to transfer a file to Node2; there are certain processes that Node1 must complete in order to do this. Table 3-1 shows these processes and the layer of the OSI model they belong to, and the next few sections of this chapter discuss each process.

Table 3-1 NetBIOS Communications by Layer

PROCESS                      OSI LAYER
Name resolution              Session layer
Reliable connection setup    Transport layer
NetBIOS session setup        Session layer
Application processes        Application layer

Wait! Where is the network layer?
There is none with NetBIOS. Not all protocols religiously follow the OSI model in a strict sense. In the case of a NetBIOS network, there is no network layer. All communication is done at Layer 2, the MAC layer. Because of this, NetBIOS isn't routable: it has no network layer addressing. I will talk more about the limitations at the MAC layer later in the chapter, but first I want to get into more detail on the process a NetBIOS node uses to communicate.

Name Resolution

The first frame in Figure 3-2 is a perfect example of how multicast packets are used. The frame's MAC layer destination address, shown in the decode pane, is 03-00-00-00-00-01 (dashes used to separate octets). This destination address is a reserved multicast address and is used by the NetBEUI protocol. Any station configured with the NetBEUI protocol listens for this multicast MAC address. Further, Figure 3-3 breaks the first octet of the NetBIOS multicast address down into binary; in this figure, you can see how the multicast/broadcast bit is actually set to one.

Figure 3-2 NetBIOS name query.

Figure 3-3 NetBIOS multicast address. (First octet 03 = 00000011 binary, with the Broadcast/Multicast bit and the Universal/Local bit both set; the figure also marks the Functional Address Indicator bit used in Token Ring.)

Why is this packet's destination a multicast address? To answer that you must first step back and think about the order of communications. In order for one station to transfer data to or from another station over the local media (that is, the data link layer), it's going to need to know the MAC address of the destination station. Furthermore, the source station is going to need a mechanism for finding that out. NetBIOS uses what is called a NetBIOS Name Query Frame. In Frame 1 of Figure 3-2, you see the source station (Kevin_98) send out a Name Query Frame to the NetBIOS multicast address. Name Query Frames allow a station to ask all stations on the Layer 2 network if they have a specific name, in this case SERVER. For all stations to receive this frame, it has to be sent to a broadcast or multicast address. Any station configured for the NetBEUI protocol is going to be listening for that NetBIOS multicast address. When the station hears it on the wire, that station processes the frame. Any station with the name SERVER is going to reply with a NetBIOS Name Recognize Frame. Figure 3-4 illustrates the station SERVER replying to the station Kevin_98. The source station that sent out the original NetBIOS Name Query notes the source MAC address of the responding station. Nothing in this exchange authenticates the answer: whichever station on the segment replies first for the name SERVER is believed, which is why unauthenticated broadcast name resolution of this kind is a classic target for spoofing.

Reliable Connection Setup

Every protocol suite uses some method of reliable transport. NetBEUI, even though it does not have a network layer, does have a transport layer. However, NetBEUI's transport layer may not be located exactly where you think it would be. In Figure 3-2, you see in the summary pane something called LLC in Frames 3 to 6. This is the connection-oriented service of the IEEE 802.2 Logical Link Control layer carried in 802.3 frames, which allows reliable communications. It is called Logical Link Control Type 2. Even though the transport layer functionality is technically located in the data link layer, it's still a transport function.

Figure 3-4 NetBIOS name recognized.

TIP Such arrangements are not uncommon in protocol suites. Just remember that the OSI model is not a hard-and-fast rule on where a layer's functionality is located.

NetBIOS Session Setup

After the reliable connection setup is done via LLC Type 2, NetBIOS needs to create its own session setup. This setup creates a logical NetBIOS session layer connection between the two stations. Then and only then can the application layer start to do its job.
Referring back to Figure 3-2 again, Frame 7 is the NetBIOS Session Request, and Frame 9 is the NetBIOS Session Response, confirming that the session has been set up.

Application Process

After our session layer and transport layer protocols have finished their respective setup functions, the application layer is allowed to do its job. The application layer could be anything from an FTP session to an SMB server logon or a SQL database transaction. Regardless of the application layer in use, it's important to know that the application layer cannot begin its job unless the lower layers (in this case the session and transport layers) are finished with their jobs.

Limitations of Layer 2 Communication Networks

Now that you have seen how a two-node NetBIOS network functions, I want to extrapolate from that example. How would a 2,000-node NetBIOS network function? Answer: it would function the same way. However, there is a point of diminishing returns for Layer 2 networks. When a shared Ethernet segment starts hitting its capacity, you separate it by using bridges (also known as switches). In order for a bridge to know which port to forward each frame to, each bridge must maintain a list of all MAC addresses on the network. (That table is also finite: a switch whose table has been filled with bogus source addresses falls back to flooding frames for unknown destinations out every port, which is why MAC table exhaustion is a classic attack on switched segments.) Because bridges operate at the MAC layer, you will have more broadcasts to contend with. Recall the multicast address used by NetBIOS to perform Name Queries. Bridges forward multicast frames to all ports, and all NetBIOS stations must examine those multicast packets. Each packet generates a CPU interrupt. Therefore, large amounts of broadcast traffic can actually start consuming CPU cycles of workstations to the point that performance degrades.

What is the answer to mitigating the problems of huge MAC address tables and broadcasts on Layer 2 networks? The answer is routing. "But," you may say, "I thought you said NetBIOS isn't routable." It isn't. But it can be routed when used in conjunction with a network layer protocol such as IP. I show how this works in Chapter 8.

By separating the network segments with routers you create what are called broadcast domains. A broadcast domain is a defined area over which broadcast traffic propagates. Layer 2 networks separated by bridges (or switches) forward broadcasts; routers, though, do not forward broadcast traffic. In a Layer 2 network of 5,000 nodes, each bridge has to store all 5,000 MAC addresses in its bridge tables to know where it needs to forward frames. By implementing routing, however, you can separate the network into 10 subnets of 500 nodes. This separation reduces the size of the MAC address tables and, more importantly, reduces the level of broadcast traffic each node sees. Now each subnet has only 500 nodes' worth of broadcast traffic to handle, not 5,000.

Broadcast domains have another name you may have heard of: VLANs. A Virtual LAN (VLAN) is simply a broadcast domain that can be configured "virtually" inside of a switch. In the past, when networks were separated by routers, each router had a separate physical connection to each subnet. With VLANs, the separation of networks is done with the software inside of a switch by grouping certain ports together into a VLAN. Routers don't have to be physical anymore either. The Cisco Catalyst series of switches has a router blade called a Route Switch Module that can have virtual interface connections to any VLAN. Placing all routing and bridging into a single device is known as collapsed backbone networking. The backbone of the network is now literally the backplane of the switch.

Network Layer Protocols

Unlike data link protocols, network layer protocols do not rely on the data link layer addresses for end-to-end communication between nodes, although they do rely on MAC addresses for transmission on the local media.
Network layer protocols add another layer of addressing for communications between nodes. Very similar to how NetBIOS uses computer names, network layer protocols (IP is one such protocol) have their own naming method, called network layer addresses. Network layer protocols are routed protocols. Bridges forward packets by examining the destination MAC address; routers forward packets by examining the network layer address. Each network layer protocol uses its own type of addressing. When you design a network with more than one broadcast domain you are in essence creating a routed network. Since broadcasts are terminated at the router boundary, you can no longer use Layer 2 communications to reach other broadcast domains. Instead you communicate via Layer 2 to a router that can reach other broadcast domains. This router then makes a forwarding decision based on the address in the network layer protocol. The router then uses Layer 2 communications to reach the destination host.

Figure 3-5 shows what happens when a packet is sent through a router versus when it is sent through a bridge. When a packet is forwarded by a bridge, the MAC addresses stay the same, since the destination MAC address is truly the address of the interface in the destination host. When a packet is forwarded by a router, the MAC addresses change. The destination MAC address is replaced with the MAC address of the next Layer 2 device in the path, whether it is another router or the destination node. The source address is replaced by the router's own MAC address on that network. The router will also modify other fields in the IP (Layer 3) section of the packet (at minimum it decrements the TTL and recomputes the IP header checksum). Because of this, it will need to recalculate the Ethernet CRC before transmitting the packet out onto the local media. In the next section of this chapter, you will see how packets are sent to and forwarded by routers. In a routed network, the network layer address is what is used to make forwarding decisions, not the MAC address. The MAC source and destination change as packets pass through routers, but the IP source and destination addresses remain the same.

Figure 3-5 Bridge/router frame forwarding. (Bridge case: 192.168.1.100 (00-10-A4-84-7A-08) sends to 192.168.1.200 (00-04-5A-76-F3-29); source and destination MAC addresses did not change after forwarding through the bridge. Router case: the router has interfaces 192.168.1.1 (00-00-0C-45-4A-3B) and 172.16.1.1 (00-00-0C-AB-C1-9F); 192.168.1.100 (00-10-A4-84-7A-08) sends to 172.16.1.105 (00-04-5A-76-F3-29). Before the router the frame carries source MAC 00-10-A4-84-7A-08 and destination MAC 00-00-0C-45-4A-3B; after the router it carries source MAC 00-00-0C-AB-C1-9F and destination MAC 00-04-5A-76-F3-29, while the source and destination IP addresses are unchanged.)

[...]

Case Study: Incomplete ARP

Figure 3-15 presents a firewall segment consisting of a router and two Sun firewalls.

Figure 3-15 Incomplete ARP network. (Network 10.132.236.0, mask 255.255.255.0. The router at 10.132.236.2 asks "Who has IP 10.132.236.10? Tell 192.168.5.20"; both firewalls answer "IP 10.132.236.10 is 01-10-13-22-36-10".)

Both firewalls are running what is called a hot standby system, allowing one [...]

[...]

Figure 3-6 IP and NetBEUI network. (Figure labels: Server, IP 172.16.1.1, MAC 00-5C-7A-84-13-75; Client X 00-7A-3D-4C-33-14; Client Y 00-7A-3D-84-31-45; Client Z 00-7A-3D-15-B2-23; Client A IP 172.16.1.1; Client B IP 172.16.1.2; Client C IP 172.16.1.3.)

A node using the IP protocol has one or more IP addresses, depending on how many adapters are configured for use with IP. Consider an example. Figure 3-6 shows [...]
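The following Python script is an added example, not code from the book, that ties the Layer 2 review (Ethertype demultiplexing, the broadcast/multicast bit of Figure 3-3, and the FCS check) to the bridge-versus-router forwarding of Figure 3-5. It builds a frame from 192.168.1.100 to 172.16.1.105 using the MAC and IP addresses in Figure 3-5, decodes it the way the analyzer's decode panel does, then forwards it once as a bridge would (unchanged) and once as a router would (new MAC addresses, TTL decremented, IP header checksum and FCS recomputed). It also flags a source MAC with the I/G bit set, the symptom in the Incomplete ARP case study. The IP payload, the IP identification value and the 01-xx source address used for that check are constructed for the example; the helper names are my own.

```python
"""Ethernet demux, FCS check and bridge-versus-router forwarding (added example).

Addresses are those of Figure 3-5; payload, IP identification and the bogus
01-xx source MAC below are constructed for the example."""
import struct
import zlib

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}  # Layer 2 demux table


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def is_group_address(mac: bytes) -> bool:
    # The broadcast/multicast (I/G) bit is the low-order bit of the first octet:
    # set in 03-00-00-00-00-01 (Figure 3-3) and in FF-FF-FF-FF-FF-FF.
    return bool(mac[0] & 0x01)


def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum of 16-bit words. A header whose checksum field is
    # already filled in sums to 0xFFFF, so verifying it returns 0.
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    # Minimal 20-byte header: version/IHL, TOS, total length, id (constructed),
    # flags/fragment, TTL, protocol 17 (UDP), checksum placeholder, addresses.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, ttl, 17, 0, ip_bytes(src), ip_bytes(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload
    # The FCS is CRC-32 over everything from the destination MAC through the
    # payload, transmitted least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes) -> dict:
    """Decode as the analyzer does: Layer 2 first, then Layer 3 only if the
    Ethertype says IP and the FCS checks out."""
    body, fcs = frame[:-4], frame[-4:]
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    info = {
        "dst": mac_str(dst), "src": mac_str(src),
        "dst_is_group": is_group_address(dst),
        # A real NIC never sends from a group address; see the Incomplete ARP case.
        "src_is_group": is_group_address(src),
        "next_protocol": ETHERTYPES.get(ethertype, "unknown"),
        "fcs_ok": struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF),
    }
    if info["next_protocol"] == "IP" and info["fcs_ok"]:
        ip = body[14:]
        ihl = (ip[0] & 0x0F) * 4
        info.update(ip_src=ip_str(ip[12:16]), ip_dst=ip_str(ip[16:20]), ttl=ip[8],
                    ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0)
    return info


def bridge_forward(frame: bytes) -> bytes:
    # A bridge/switch forwards the frame exactly as received: no addresses change.
    return frame


def route_forward(frame: bytes, out_if_mac: str, next_hop_mac: str) -> bytes:
    """A router rewrites both MAC addresses, decrements the TTL, recomputes the
    IP header checksum and then the FCS. The IP addresses are left untouched."""
    ip = bytearray(frame[14:-4])
    ihl = (ip[0] & 0x0F) * 4
    if ip[8] <= 1:
        raise ValueError("TTL expired: a router discards this and sends ICMP Time Exceeded")
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return build_frame(next_hop_mac, out_if_mac, 0x0800, bytes(ip))


if __name__ == "__main__":
    # 192.168.1.100 sends to 172.16.1.105 via the router's 192.168.1.1 interface.
    pkt = build_ipv4("192.168.1.100", "172.16.1.105", 64, b"constructed payload")
    first_hop = build_frame("00-00-0C-45-4A-3B", "00-10-A4-84-7A-08", 0x0800, pkt)
    print(decode_frame(first_hop))
    print(decode_frame(route_forward(first_hop, "00-00-0C-AB-C1-9F", "00-04-5A-76-F3-29")))
```

Run it and compare the two decodes: the MAC pair changes and the TTL drops by one, while the IP pair is identical, which is exactly the distinction Figure 3-5 draws between a bridge and a router.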
[...]

Notice how the high-order bits 7 through 3 don't change throughout the range of addresses. This commonality of the bits can be advertised by the prefix mask.

Figure 3-10 Classful networks example. (A network assigned the Class B address 130.10.0.0/255.255.0.0, divided by a router into 130.10.1.0, 130.10.2.0, 130.10.3.0, 130.10.4.0, and 130.10.5.0, each with mask 255.255.255.0.)

Essentially, [...]

[...] subnet mask is a 32-bit number that you use to apply a calculation to the IP address to obtain the host's network. This calculation is called a logical AND operation. A logical AND operation is a binary logic operation used by computers. Without getting into the details of binary math, the basics of the AND operation are that 1 AND 0 = 0 and 1 AND 1 = 1. The subnet mask is a pattern of ones and zeros you [...]

[...] address and the broadcast address. Figure 3-9 shows an example of the "This" address and the broadcast address. Due to the reservation of the "This" address and the broadcast address, each IP network range loses two addresses. Table 3-2 shows some IP networks and the number of hosts available on each subnet.

Classful Addressing

IP address ranges are categorized by class of address. The first 3 bits of the 32-bit [...]

[...] only 128, 32, 8, and 4 can be subtracted, so only those binary bits are set to one. So, to convert 172 (the first number of the example IP address):

172 decimal:
  172 - 128 = 44    Bit 7 = 1
   44 -  32 = 12    Bit 5 = 1
   12 -   8 =  4    Bit 3 = 1
    4 -   4 =  0    Bit 2 = 1

So, 172 decimal equals 10101100 binary.

16 decimal:
   16 -  16 =  0    Bit 4 = 1

And 16 decimal equals 00010000 binary.

15 decimal = 15 7 3 1 - [...]

[...]
                                                   65534
Class C    192-223    1100    255.255.255.0        254
Class D    224-239    1110    Undefined
Class E    240-254    1111    Undefined

Address classes provide a simple method of subnet masking. Any address in the range 1.0.0.0 to 126.255.255.254 has a 255.0.0.0 mask; 128.0.0.0 to 191.255.255.254, a 255.255.0.0 mask; and 192.0.0.0 to 223.255.255.254, a 255.255.255.0 mask. The predefined subnet masks are known as Class A, B, and C masks, respectively. Sharp-eyed readers might have noticed that between the Class A and Class B ranges the 127.0.0.0 range is missing. This range is one of several ranges and addresses that are reserved for special purposes by the IANA. Other reserved address ranges are shown in Table 3-3.

Table 3-3 Reserved IP Address Ranges

ADDRESS    SUBNET MASK    DESCRIPTION
0.0.0.0    255.0.0.0      "This" network
[...]

[...] sender's protocol address and compare it to the sender's MAC address, you see that the firewall was simply copying the 32-bit IP address into the MAC address field and putting a 01 in the first octet. (A first octet of 01 has the broadcast/multicast bit set, so the firewall was advertising a group address as its own unicast station address, something no legitimate NIC ever does.) After we contacted the vendor, they showed us a method of manually setting the firewall's virtual MAC address to something that wasn't a multicast address. When you are troubleshooting problems [...]

[...] zero, and the eights place a one. The following shows some examples of decimal and binary numbers:

15425 decimal = 10,000 + 5000 + 400 + 20 + 5
10101 binary  = 16 + 0 + 4 + 0 + 1
234 decimal   = 200 + 30 + 4
111 binary    = 4 + 2 + 1

IP addresses are simply 32-bit numbers represented in dotted decimal notation. Each of the 4 bytes (32 bits) is separated at octet boundaries by a decimal point. Each byte has 8 bits that [...]

[...] NetBEUI clients could access [...]

[...] to do with NetBEUI and more to do with how their networks were set up with a combination of bridging and routing. [...]
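The subnet-mask AND, the decimal-to-binary conversion and the class table above are easy to get wrong by hand, so here is an added Python example (not from the book) that performs them: it converts dotted decimal to binary, checks that a mask is a contiguous run of ones, derives the network and broadcast addresses with AND and OR, counts usable hosts with the two reserved addresses removed, determines the address class from the high-order bits of the first octet, and applies the same test a host uses to decide whether a destination is on its own subnet or behind the router. The addresses are the chapter's own (172.16.15.0, 130.10.0.0 and the Figure 3-5 hosts); the function names are my own.

```python
"""IP address arithmetic from the chapter (added example, not the book's code)."""


def dotted_to_int(addr: str) -> int:
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    # 172.16.15.0 -> "10101100.00010000.00001111.00000000"
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def prefix_length(mask: str) -> int:
    # A valid mask is a run of ones followed by a run of zeros
    # (255.255.240.0 is fine, 255.0.255.0 is not).
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_of(addr: str, mask: str) -> str:
    # The logical AND the chapter describes: 1 AND 1 = 1, everything else 0.
    prefix_length(mask)
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def broadcast_of(addr: str, mask: str) -> str:
    # Host bits all ones: the "all stations" address of that subnet.
    prefix_length(mask)
    return int_to_dotted(dotted_to_int(addr) | (~dotted_to_int(mask) & 0xFFFFFFFF))


def usable_hosts(mask: str) -> int:
    # Each range loses the "This" (all-zeros) and broadcast (all-ones) addresses.
    host_bits = 32 - prefix_length(mask)
    return max(2 ** host_bits - 2, 0)


def address_class(addr: str) -> str:
    # Class comes from the high-order bits of the first octet: 0, 10, 110, 1110, 1111.
    first = dotted_to_int(addr) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def classful_mask(addr: str) -> str:
    cls = address_class(addr)
    if cls not in CLASSFUL_MASKS:
        raise ValueError(f"class {cls} addresses have no default mask")
    return CLASSFUL_MASKS[cls]


def same_subnet(a: str, b: str, mask: str) -> bool:
    # The test a host applies before deciding whether to ARP for the destination
    # directly or hand the packet to its router.
    return network_of(a, mask) == network_of(b, mask)


if __name__ == "__main__":
    for addr, mask in [("172.16.15.0", "255.255.0.0"), ("130.10.3.77", "255.255.255.0")]:
        print(addr, to_binary(addr), "class", address_class(addr),
              "network", network_of(addr, mask), "broadcast", broadcast_of(addr, mask),
              "usable hosts", usable_hosts(mask))
```

The contiguity check in prefix_length is worth keeping in any tool that accepts masks from configuration: a non-contiguous mask silently produces a "network" that no router will agree with.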

Posted: 14/08/2014, 12:20
