
TCP IP illustrated volume 1


DOCUMENT INFORMATION

Basic information

Format
Pages 1,059
Size 19.51 MB

Contents

[Figure residue: network diagram with the labels Coffee House, Public IP Addresses, PPP/Ethernet, Test Connection, NAT, WiFi Access Point, Dynamic IP Addresses, DSL Modem, Linux PC, Internet, router/firewall/DHCP/NAT/DNS, switch, Home, Router/Firewall/NAT, Internal Network, DMZ Network, Enterprise]

Praise for the First Edition of TCP/IP Illustrated, Volume 1: The Protocols

“This is sure to be the bible for TCP/IP developers and users. Within minutes of picking up the text, I encountered several scenarios that had tripped up both my colleagues and myself in the past. Stevens reveals many of the mysteries once held tightly by the ever-elusive networking gurus. Having been involved in the implementation of TCP/IP for some years now, I consider this by far the finest text to date.” —Robert A. Ciampa, network engineer, Synernetics, division of 3COM

“While all of Stevens’ books are readable and technically excellent, this new opus is awesome. Although many books describe the TCP/IP protocols, Stevens provides a level of depth and real-world detail lacking from the competition. He puts the reader inside TCP/IP using a visual approach and shows the protocols in action.” —Steven Baker, networking columnist, Unix Review

“TCP/IP Illustrated, Volume 1, is an excellent reference for developers, network administrators, or anyone who needs to understand TCP/IP technology. TCP/IP Illustrated is comprehensive in its coverage of TCP/IP topics, providing enough details to satisfy the experts while giving enough background and commentary for the novice.” —Bob Williams, vice president, Marketing, NetManage, Inc.

“[T]he difference is that Stevens wants to show as well as tell about the protocols. His principal teaching tools are straightforward explanations, exercises at the ends of chapters, byte-by-byte diagrams of headers and the like, and listings of actual traffic as examples.” —Walter Zintz, UnixWorld

“Much better than theory only. W. Richard Stevens takes a multihost-based configuration and uses it as a travelogue of TCP/IP examples with illustrations. TCP/IP Illustrated, Volume 1, is based on practical examples that reinforce the theory—distinguishing this book from others on the subject, and making it both readable and informative.” —Peter M. Haverlock, consultant, IBM TCP/IP Development

“The diagrams he uses are excellent and his writing style is clear and readable. In sum, Stevens has made a complex topic easy to understand. This book merits everyone’s attention. Please read it and keep it on your bookshelf.” —Elizabeth Zinkann, sys admin

“W. Richard Stevens has produced a fine text and reference work. It is well organized and very clearly written with, as the title suggests, many excellent illustrations exposing the intimate details of the logic and operation of IP, TCP, and the supporting cast of protocols and applications.” —Scott Bradner, consultant, Harvard University OIT/NSD

TCP/IP Illustrated, Volume 1: The Protocols, Second Edition
Kevin R. Fall, W. Richard Stevens
Originally written by Dr. W. Richard Stevens; revised by Kevin Fall
Upper Saddle River, NJ • Boston • Indianapolis • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid • Capetown • Sydney • Tokyo • Singapore • Mexico City

Excerpt (Chapter 8, ICMPv4 and ICMPv6: Internet Control Message Protocol; Section 8.5, Neighbor Discovery in IPv6; book pages 408 to 410)

[Figure 8-40 field labels: Code, Checksum, Identifier, All Components, Component, Reserved, Options]
Figure 8-40 The Certification Path Advertisement message

The sender requests a particular certificate by position index, provided as the value of the Component field. The value 65535 indicates all certificates in the path rooted at an identity given within an attached Trust Anchor option. The Identifier field holds the value received in a corresponding Solicitation message. It is set to for unsolicited Advertisement messages that are sent to the All Nodes multicast address. The All Components field indicates the total number of components in the entire certification path, including the trust anchor. Note that a single advertisement message is recommended to avoid fragmentation, so such messages contain only a single component. The Component field gives the index in the certification path of the associated certificate (provided in an attached Certificate option). The recommended order for sending advertisements for an N-component certification path is (N - 1, N - 2, ..., 0). Component N need not be sent as it is already present from the trust anchor.

8.5.6 ICMPv6 Neighbor Discovery (ND) Options

As with many of the protocols of the IPv6 family, a set of standard protocol headers are defined, and one or more options may also be included. ND messages may contain zero or more options, and some options can occur more than once. However, with certain messages some of the options are mandatory. The general format for ND options is given in Figure 8-41.

[Figure 8-41 field labels: Type (8 bits), Length (8 bits), Contents Depend on Type (variable)]
Figure 8-41 ND options are variable-length and begin with a common TLV arrangement. The Length field gives the total length of the option in 8-byte units (including the Type and Length fields).

All ND options start with an 8-bit Type and an 8-bit Length field, supporting options of variable length, up to 255 bytes. Options are padded to 8-byte boundaries, and the Length field gives the total length of the option in 8-byte units. The Type and Length fields are included in the value of the Length field, which has a minimum value of . Table 8-5 gives a list of 25 standard options that have been defined as of mid-2011 (plus the experimental values). The official list may be found in [ICMP6TYPES].

Table 8-5 IPv6 ND option types, defining reference, use, and description

| Type | Name | Reference | Use/Comment |
|---|---|---|---|
| 1 | Source Link-Layer Address | [RFC4861] | Sender’s link-layer address; used with NS, RS, and RA messages |
| 2 | Target Link-Layer Address | [RFC4861] | Target’s link-layer address; used with NA and Redirect messages |
| 3 | Prefix Information | [RFC4861], [RFC6275] | An IPv6 prefix or address; used with RA messages |
| 4 | Redirected Header | [RFC4861] | Portion of original IPv6 datagram; used with Redirect messages |
| 5 | MTU | [RFC4861] | Recommended MTU; used with RA messages, IND Advertisement messages |
| 6 | NBMA Shortcut Limit | [RFC2491] | Hop limit for “shortcut attempt”; used with NS messages |
| 7 | Advertisement Interval | [RFC6275] | Sending interval of unsolicited RA messages; used with RA messages |
| 8 | Home Agent Information | [RFC6275] | Preference and lifetime to be an MIPv6 HA; used with RA messages (H bit on) |
| 9 | Source Address List | [RFC3122] | Host’s addresses; used with IND messages |
| 10 | Target Address List | [RFC3122] | Target addresses; used with IND messages |
| 11 | CGA | [RFC3971] | Crypto-based address; used with secure Neighbor Discovery (SEND) messages |
| 12 | RSA Signature | [RFC3971] | Credential for host signature (SEND) |
| 13 | Timestamp | [RFC3971] | Anti-replay timestamp (SEND) |
| 14 | Nonce | [RFC3971] | Anti-replay random number (SEND) |
| 15 | Trust Anchor | [RFC3971] | Indicates credential type (SEND) |
| 16 | Certificate | [RFC3971] | Encodes a certificate (SEND) |
| 17 | IP Address/Prefix | [RFC5568] | Care-of or NAR addresses; used with FMIPv6 PrRtAdv messages |
| 19 | Link-Layer Address | [RFC5568] | Desired next access point or mobile node’s address; used with FMIPv6 RtSolPr or PrRtAdv messages |
| 20 | Neighbor Advertisement ACK | [RFC5568] | Tells mobile about next valid CoA; used with RA messages |
| 24 | Route Information | [RFC4191] | Route prefix/preferred router list |
| 25 | Recursive DNS Server | [RFC6106] | IP address of DNS server; added to RA messages |
| 26 | RA Flags Extension | [RFC5175] | Expands space for RA flags |
| 27 | Handover Key Request | [RFC5269] | FMIPv6—request key using SEND |
| 28 | Handover Key Reply | [RFC5269] | FMIPv6—key reply using SEND |
| 31 | DNS Search List | [RFC6106] | DNS domain search names; added to RA messages |
| 253, 254 | Experimental | [RFC4727] | [RFC3692]-style experiments |

8.5.6.1 Source/Target Link-Layer Address Option (Types 1, 2)

The Source Link-Layer Address option (type 1; see Figure 8-42) is supposed to be included in ICMPv6 RS messages, NS messages, and RA messages whenever used on a network supporting link-layer addressing. It specifies a link-layer address associated with the message. More than one of these options may be included for nodes with more than one address.

[Figure 8-42 field labels: Type (1 or 2), Length, Link-Layer Address (variable)]
Figure 8-42 The Source (type 1) and Target (type 2) Link-Layer Address options. The Length field gives the length of the entire option, including the address, in units of 8 bytes (e.g., an IEEE Ethernet-type address would have the value of in the Length field).

The Target Link-Layer Address option (type 2), which uses a similar format, must be provided in an NA message when responding to multicast solicitations. This option is also typically included in Redirect messages (discussed previously) and must be included in such messages when operating on an NBMA network.

8.5.6.2 Prefix Information Option (Type 3)

The Prefix Information option (PIO), provided on RA messages and Mobile Prefix Advertisement messages, indicates the IPv6 address prefixes and (in some cases) complete IPv6 addresses of individual nodes present on the link (see Figure 8-43). In cases where multiple prefixes or addresses are reported, multiple copies of this option may be included in a single message. A router is supposed to include a PIO for each prefix it uses. An R bit field set to indicates that the Prefix field contains the entire global IPv6 address of the sending router, rather than just its prefix with the remaining bits of the prefix field being or its link-local address (present in the Source IP Address field of the containing IPv6 datagram). This is useful for Mobile IPv6 home agent discovery, and home agents sending router advertisements must include this option with the R bit field set for at least one prefix.

[Figure 8-43 field labels (figure cut off in the preview): Type, Length, Prefix Length (bits), L, A, R, Resv (bits)]

Table of contents (fragments shown in the preview; page numbers are the book’s; “...” marks where the preview cuts an entry)

Chapter 1 Introduction
1.1 Architectural Principles 2
1.1.1 Packets, Connections, and Datagrams 3
1.1.2 The End-to-End Argument and Fate Sharing 6
1.1.3 Error Control and Flow Control 7
1.2 Design and Implementation 8
1.2.1 Layering 8
1.2.2 Multiplexing, Demultiplexing, and Encapsulation in Layered Implementations 10
1.3 The Architecture and Protocols of the TCP/IP Suite 13
1.3.1 The ARPANET ...

9.7 References 471
Chapter 10 User Datagram Protocol (UDP) and IP Fragmentation 473
10.1 Introduction 473
10.2 UDP Header 474
10.3 UDP Checksum 475
10.4 Examples 478
10.5 UDP and IPv6 481
10.5.1 Teredo: Tunneling IPv6 through IPv4 Networks 482
10.6 UDP-Lite 487
10.7 IP Fragmentation 488
10.7.1 Example: UDP/IPv4 Fragmentation 488
10.7.2 Reassembly Timeout 492
10.8 Path ... with UDP 493
10.8.1 Example 493
10.9 Interaction between IP Fragmentation and ARP/ND 496
10.10 Maximum UDP Datagram Size 497
10.10.1 Implementation Limitations 497
10.10.2 Datagram Truncation 498
10.11 UDP Server Design 498
10.11.1 IP Addresses and UDP Port Numbers 499
10.11.2 Restricting Local IP Addresses 500
10.11.3 Using Multiple Addresses 501
10.11.4 Restricting Foreign IP Address 502
10.11.5 Using Multiple Servers ... 503
10.11.6 Spanning Address Families: IPv4 and IPv6 504
10.11.7 Lack of Flow and Congestion Control 505
10.12 Translating UDP/IPv4 and UDP/IPv6 Datagrams 505
10.13 UDP in the Internet 506
10.14 Attacks Involving UDP and IP Fragmentation 507
10.15 Summary 508
10.16 References 508
Chapter 11 Name Resolution and the Domain Name System (DNS)
11.1 Introduction 511
11.2 The DNS Name Space 512
11.2.1 DNS Naming Syntax 514
11.3 Name Servers and Zones 516
11.4 Caching 517
11.5 The DNS Protocol 518
11.5.1 DNS Message Format 520
11.5.2 The DNS Extension Format (EDNS0) 524
11.5.3 UDP or TCP 525
11.5.4 Question (Query) and Zone Section Format 526
11.5.5 Answer, Authority, and Additional Information Section Formats 526
11.5.6 Resource Record Types 527
11.5.7 Dynamic Updates (DNS UPDATE) 555
11.5.8 ...
11.6 ... and Split DNS 565
11.7 Open DNS Servers and DynDNS 567
11.8 Transparency and Extensibility 567
11.9 Translating DNS from IPv4 to IPv6 (DNS64) 568
11.10 LLMNR and mDNS 569
11.11 LDAP 570
11.12 Attacks on the DNS 571
11.13 Summary 572
11.14 References 573
Chapter 12 TCP: The Transmission Control Protocol (Preliminaries) 579
12.1 Introduction 579
12.1.1 ARQ and Retransmission 580
12.1.2 Windows of Packets ... 581
12.1.3 Variable Windows: Flow Control and Congestion Control 583
12.1.4 Setting the Retransmission Timeout 584
12.2 Introduction to TCP 584
12.2.1 The TCP Service Model 585
12.2.2 Reliability in TCP 586
12.3 TCP Header and Encapsulation 587
12.4 Summary 591
12.5 References 591
Chapter 13 TCP Connection Management 595
13.1 Introduction
13.2 TCP Connection Establishment and Termination 595
13.2.1 TCP ...

... and Protection against Wrapped Sequence Numbers (PAWS) 608
13.3.5 User Timeout (UTO) Option 611
13.3.6 Authentication Option (TCP-AO) 612
13.4 Path MTU Discovery with TCP 612
13.4.1 Example 613
13.5 TCP State Transitions 616
13.5.1 TCP State Transition Diagram 617
13.5.2 TIME_WAIT (2MSL Wait) State 618
13.5.3 Quiet Time Concept 624
13.5.4 FIN_WAIT_2 State 625
13.5.5 Simultaneous Open and Close ...

16.9.3 TCP Westwood and Westwood+ 779
16.9.4 Compound TCP 779
16.10 Buffer Bloat 781
16.11 Active Queue Management and ECN 782
16.12 Attacks Involving TCP Congestion Control 785
16.13 Summary 786
16.14 References 788
Chapter 17 TCP Keepalive 793
17.1 Introduction 793
17.2 Description 795
17.2.1 Keepalive Examples 797
17.3 Attacks Involving TCP Keepalives 802
17.4 Summary 802
17.5 References ...

18.10 DNS Security (DNSSEC) 894
18.10.1 DNSSEC Resource Records 896
18.10.2 DNSSEC Operation 902
18.10.3 Transaction Authentication (TSIG, TKEY, and SIG(0)) 911
18.10.4 DNSSEC with DNS64 915
18.11 DomainKeys Identified Mail (DKIM) 915
18.11.1 DKIM Signatures 916
18.11.2 Example 916
18.12 Attacks on Security Protocols 918
18.13 Summary 919
18.14 References 922
Glossary of Acronyms 933
Index 963
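As an added example (not code from the book and not part of the document-sharing page), the following Python parser walks an ND option list of the kind described in Section 8.5.6 above: it reads the 8-bit Type and 8-bit Length, treats Length as the whole option size in 8-byte units including the header, and rejects the stream when a Length of 0 appears or an option runs past the end of the buffer, which is what RFC 4861 requires a receiver to do before processing any option. It decodes the Source/Target Link-Layer Address (types 1 and 2), Prefix Information (type 3, with the L, A and R bits) and MTU (type 5) options and skips the rest. The option builder, the sample Router Advertisement option block and the malformed stream are constructed for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the book: a defensive parser for the ICMPv6
# Neighbor Discovery option TLVs of Section 8.5.6. Layouts for types 1, 2, 3
# and 5 follow RFC 4861; the R bit of type 3 follows RFC 6275.

OPTION_NAMES = {
    1: "Source Link-Layer Address",
    2: "Target Link-Layer Address",
    3: "Prefix Information",
    4: "Redirected Header",
    5: "MTU",
    25: "Recursive DNS Server",
    31: "DNS Search List",
}


class NDOptionError(ValueError):
    """Malformed option stream; RFC 4861 requires the whole packet to be discarded."""


@dataclass
class NDOption:
    type: int
    length_units: int          # raw Length field: total option size in 8-byte units
    body: bytes                # everything after the 2-byte Type/Length header
    decoded: dict = field(default_factory=dict)

    @property
    def name(self) -> str:
        return OPTION_NAMES.get(self.type, f"Unknown({self.type})")


def build_option(otype: int, contents: bytes) -> bytes:
    """Encode one option: pad to an 8-byte boundary, then fill in Length."""
    raw = bytes([otype, 0]) + contents
    padded = raw + b"\x00" * (-len(raw) % 8)
    return bytes([otype, len(padded) // 8]) + padded[2:]


def _decode(opt: NDOption) -> dict:
    if opt.type in (1, 2):
        # Length 1 is an 8-byte option, i.e. a 6-byte (Ethernet-style) address plus header.
        addr = opt.body[:6] if opt.length_units == 1 else opt.body
        return {"link_layer_address": ":".join(f"{b:02x}" for b in addr)}
    if opt.type == 3 and opt.length_units == 4:
        prefix_len, flags = opt.body[0], opt.body[1]
        valid, preferred = struct.unpack("!II", opt.body[2:10])
        return {
            "prefix_length": prefix_len,
            "L": bool(flags & 0x80),   # on-link
            "A": bool(flags & 0x40),   # autonomous address configuration
            "R": bool(flags & 0x20),   # Prefix field carries the router's full address
            "valid_lifetime": valid,
            "preferred_lifetime": preferred,
            "prefix": ipaddress.IPv6Address(opt.body[14:30]).compressed,
        }
    if opt.type == 5 and opt.length_units == 1:
        return {"mtu": struct.unpack("!I", opt.body[2:6])[0]}
    return {}


def parse_nd_options(data: bytes) -> List[NDOption]:
    """Walk the option list; raise NDOptionError on the malformations RFC 4861 rejects."""
    options = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise NDOptionError(f"{len(data) - off} trailing byte(s) cannot hold a header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            # A zero Length never advances the cursor; a parser without this
            # check loops forever on a single malformed advertisement.
            raise NDOptionError(f"option type {otype} at offset {off} has Length 0")
        end = off + olen * 8
        if end > len(data):
            raise NDOptionError(
                f"option type {otype} claims {olen * 8} bytes, only {len(data) - off} remain")
        opt = NDOption(otype, olen, data[off + 2:end])
        opt.decoded = _decode(opt)
        options.append(opt)
        off = end
    return options


def validate(data: bytes) -> Optional[str]:
    """Return None if the stream parses, otherwise the reason it must be discarded."""
    try:
        parse_nd_options(data)
        return None
    except NDOptionError as exc:
        return str(exc)


# Constructed sample: the option block of a Router Advertisement carrying a
# Source Link-Layer Address, a Prefix Information option and an MTU option.
SAMPLE_OPTIONS = (
    build_option(1, bytes.fromhex("001122334455"))
    + build_option(3, bytes([64, 0xC0]) + struct.pack("!II", 2592000, 604800)
                   + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8::").packed)
    + build_option(5, b"\x00\x00" + struct.pack("!I", 1500))
)
# Constructed malformed stream: the second option carries a Length of 0.
ZERO_LENGTH_OPTIONS = build_option(1, bytes.fromhex("001122334455")) + bytes([3, 0]) + b"\x00" * 30

if __name__ == "__main__":
    for opt in parse_nd_options(SAMPLE_OPTIONS):
        print(f"type {opt.type:3d} {opt.name:<28} {opt.length_units * 8:2d} bytes {opt.decoded}")
    print("malformed:", validate(ZERO_LENGTH_OPTIONS))
```

The two checks in the loop are the ones that matter operationally: the Length-0 check keeps a crafted advertisement from pinning a receiver in an endless loop, and the overrun check keeps a truncated last option from being read past the end of the datagram. Unknown option types are kept but left undecoded, matching RFC 4861's rule that receivers silently ignore options they do not understand rather than discard the message.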

Posted: 19/11/2015, 15:04
