6 Introduction to TCP/IP Flashcards

1
Q

What is TCP/IP?

A

TCP/IP stands for Transmission Control Protocol/Internet Protocol. It specifies how data is exchanged over the internet by providing end-to-end communications that identify how data should be broken into packets, addressed, transmitted, routed and received at the destination.

2
Q

Department of Defense (DoD) model:

A

Process/Application
Host-to-Host
Internet
Network Access

3
Q

Internet Layer Protocols:

A

The main workhorse of TCP/IP is the Internet Protocol (IP). IP is responsible for managing logical network addresses and getting data from point A to point B, even if there are dozens of points in between.

Three support protocols at this layer:

Internet Control Message Protocol (ICMP) is responsible for delivering error messages.

Address Resolution Protocol (ARP) resolves logical IP addresses to physical MAC addresses built into network cards.

Reverse ARP (RARP) resolves MAC addresses to IP addresses.

4
Q

Host-to-Host Layer Protocols:

A

At this layer there are two alternatives within the TCP/IP suite: TCP and UDP. TCP guarantees packet delivery through the use of a virtual circuit and data acknowledgments; UDP does not. Because of this, TCP is referred to as connection-oriented, whereas UDP is connectionless. Because UDP is connectionless, it is faster, but only by milliseconds. When a client makes a request of a server, it does so on a specific port to make sure that the right application on the server hears the request.

There are 65,536 ports, numbered from 0 to 65535. Ports 0 through 1023 are called the well-known ports and are assigned to commonly used services, and 1024 through 49151 are called the registered ports. All the ports from 49152 to 65535 are free to be used by application vendors.

5
Q

Common Port Numbers:

A

Service / Protocol / Port
FTP / TCP / 20, 21
SSH / TCP / 22
Telnet / TCP / 23
SMTP / TCP / 25
DNS / TCP/UDP / 53
DHCP / UDP / 67, 68
TFTP / UDP / 69
HTTP / TCP / 80
POP3 / TCP / 110
NetBIOS/NetBT / TCP / 137, 139
IMAP4 / TCP / 143
SNMP / UDP / 161, 162
LDAP / TCP / 389
HTTPS / TCP / 443
SMB/CIFS / TCP / 445
RDP / TCP / 3389

6
Q

Process/Application Layer Protocols:

A

Most of the protocols within the TCP/IP suite are at the Process/Application layer.

7
Q

Port 20/21—File Transfer Protocol (FTP):

A

The File Transfer Protocol (FTP) is used to transfer files: upload/download files from one host to another, copy files, list and manipulate directories, and view file contents. FTP is unsecure: it transmits usernames and passwords in plain text. For secure file transfers, other options include Secure FTP (SFTP) and FTP Secure (FTPS). FTP uses two TCP connections for communication. Port 20 is used to send the data files between the client and the server, and port 21 is used to pass control information.

8
Q

Port 22—Secure Shell (SSH):

A

Secure Shell (SSH) uses port 22 and provides a secure way to access a remote system’s terminal and set up a secure Telnet session for remote logins or for remotely executing programs and transferring files.

9
Q

Port 23—Telnet:

A

Terminal emulation protocol. Someone using Telnet can log into another machine and “see” the remote computer in a window on their screen. The user can manage files on that remote machine just as if they were logged in locally. Telnet is unsecure: data transmitted, including passwords, is sent in plain text. SSH overcomes this by encrypting the traffic, including usernames and passwords.

10
Q

Port 25—Simple Mail Transfer Protocol (SMTP):

A

Simple Mail Transfer Protocol (SMTP) is the protocol used to send email from mail server to mail server as well as from a mail server to an email client. It’s designed to send only (push protocol). An email client locates its email server by querying the DNS server for a mail exchange (MX) record. After the server is located, SMTP is used to push the message to the email server, which will then process the message for delivery.

11
Q

Port 53—Domain Name System (DNS)

A

Domain Name System (DNS) uses port 53 and translates domain names (URLs) into IP addresses.

12
Q

Port 67/68—Dynamic Host Configuration Protocol (DHCP)

A

Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses and other IP configuration information to network clients.

13
Q

Port 69—Trivial File Transfer Protocol (TFTP)

A

Trivial File Transfer Protocol (TFTP) is a lighter-weight FTP protocol. It can transfer files much like FTP, but it’s much simpler and faster.

Differences:

Feature / TFTP / FTP
Authentication / None required / Username and password (although you may be able to use anonymous)
Protocol used / UDP (connectionless) / TCP (connection-oriented)
Number of commands / 5 / About 70
Primary use / Transmitting configurations to and from network devices / Uploading and downloading files

14
Q

Port 80—Hypertext Transfer Protocol (HTTP)

A

HTTP manages the communication between a web server and client, and it lets you connect to and view content on the Internet. Information transmitted by HTTP is in plain text (not secure).

15
Q

Port 110—POP3

A

Post Office Protocol 3 (POP3) is used for downloading email. It’s been replaced in most installations by IMAP4 because IMAP4 includes security and more features than POP3.

16
Q

Port 137/139—Network Basic Input/Output System (NetBIOS)/NetBIOS over TCP/IP (NetBT)

A

Network Basic Input/Output System (NetBIOS) is an application programming interface (API) that allows computers to communicate with each other over the network. It works at Layer 5 of the OSI model. Consequently, it needs to work with another network protocol to handle the functions of Layer 4 and below. NetBIOS running over TCP/IP is called NetBT, or NBT.

Specifically, NetBIOS provides three services:
Naming service, for name registration and resolution
Datagram distribution service, for connectionless communication
Session management service, for connection-oriented communication

17
Q

Port 143—Internet Message Access Protocol (IMAP)

A

Internet Message Access Protocol (IMAP) is a secure protocol designed to download email. Its current version is version 4, or IMAP4. It’s the client-side email management protocol of choice, having replaced the unsecure POP3. Most current email clients, such as Microsoft Outlook and Gmail, are configured to be able to use either IMAP4 or POP3.

Advantages over POP3:

IMAP4 works in connected and disconnected modes. With POP3, the client makes a connection to the email server, downloads the email, and then terminates the connection. IMAP4 allows the client to remain connected to the email server after the download, so as soon as another email enters the inbox, IMAP4 notifies the email client, which can then download it.

IMAP4 also lets you store the email on the server, as opposed to POP3, which requires you to download it.

IMAP4 allows multiple clients to be simultaneously connected to the same inbox. This can be useful for smartphone users who have both Outlook on their workstation and their smartphone email client operational at the same time, or for cases where multiple users monitor the same mailbox, such as on a customer service account. IMAP4 allows each connected user or client to see changes made to messages on the server in real time.

18
Q

Port 161/162—Simple Network Management Protocol (SNMP)

A

Simple Network Management Protocol (SNMP) gathers and manages network performance information. On your network, you might have several connectivity devices, such as routers and switches. A management device called an SNMP server can be set up to collect data from these devices (called agents) and ensure that your network is operating properly. Although SNMP is mostly used to monitor connectivity devices, many other network devices are SNMP-compatible as well. The most current version is SNMPv3.

19
Q

Port 389—Lightweight Directory Access Protocol (LDAP)

A

Lightweight Directory Access Protocol (LDAP) is a directory services protocol. LDAP is designed to access information stored in an information directory typically known as an LDAP directory or LDAP database. LDAP provides you with the access, regardless of the client platform from which you’re working. You can also use access control lists (ACLs) to set up who can read and change entries in the database using LDAP. It often works in conjunction with Active Directory to provide user authentication and management in a network. It is the successor to the DAP (Directory Access Protocol).

20
Q

Port 443—Hypertext Transfer Protocol Secure (HTTPS)

A

Hypertext Transfer Protocol Secure (HTTPS) can be used to encrypt traffic between a web server and client securely. Connections are secured using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

21
Q

Port 445—Server Message Block (SMB)/Common Internet File System (CIFS)

A

Server Message Block (SMB) is a protocol originally developed by IBM but then enhanced by Microsoft, IBM, Intel, and others. It’s used to provide shared access to files, printers, and other network resources and is primarily implemented by Microsoft systems. In a way, it can function a bit like FTP only with a few more options, such as the ability to connect to printers, and more management commands. It’s also known for its ability to make network resources easily visible through various Windows network apps (such as Network in File Explorer).
Common Internet File System (CIFS) is a Microsoft-developed enhancement of the SMB protocol, which was also developed by Microsoft. The intent behind CIFS is that it can be used to share files and printers between computers, regardless of the operating system that they run. It’s the default file and print sharing protocol in Windows.

22
Q

Port 3389—Remote Desktop Protocol (RDP)

A

Remote Desktop Protocol (RDP) allows users to connect to remote computers and run programs on them. When you use RDP, you see the desktop of the computer you’ve signed into on your screen. The computer in front of you is the client and the computer you’re logging into is the server. RDP client software is available for Windows, Linux, macOS, iOS, and Android. Microsoft’s RDP client software is called Remote Desktop Connection. The server uses its own video driver to create video output and sends the output to the client using RDP. RDP also supports sound, drive, port, and network printer redirection.

23
Q

What is a host?

A

To communicate on a TCP/IP network, each device needs to have a unique IP address. Any device with an IP address is referred to as a host. This can include servers, workstations, printers, routers, and other devices. If you can assign it an IP address, it’s a host. As an administrator, you can assign the host’s IP configuration information manually, or you can have it automatically assigned by a DHCP server. On the client, this is done through the network adapter’s TCP/IP properties.

24
Q

What is an IPv4 address?

A

An IPv4 address is a 32-bit hierarchical address that identifies a host on the network. It’s typically written in dotted-decimal notation, such as 192.168.10.55. Each of the numbers in this example represents 8 bits (or 1 byte) of the address, also known as an octet.

25
Q

Parts of the IP Address:

A

Each IP address is made up of two components: the network ID and the host ID.

The network portion of the address always comes before the host portion.

All host addresses on a network must be unique.

On a routed network (such as the Internet), all network addresses must be unique as well.

Neither the network ID nor the host ID can be set to all 0s. A host ID portion of all 0s means “this network.”

Neither the network ID nor the host ID can be set to all 1s. A host ID portion of all 1s means “all hosts on this network,” commonly known as a broadcast address.

Computers are able to differentiate where the network ID ends and the host address begins through the use of a subnet mask. This is a value written just like an IP address and may look something like 255.255.255.0.

To communicate using IPv4, each computer is required to have an IP address and correct subnet mask. A third component, called a default gateway, identifies the IP address of the device that will allow the host to connect outside of the local network. This is typically your router, and it’s required if you want to communicate with computers outside of your local network.

26
Q

IPv4 Address Classes:

A

Class A networks are defined as those with the first bit set as 0 (decimal values from 0 to 127) and are designed for very large networks. The default network portion for Class A networks is the first 8 bits, leaving 24 bits for host identification. Because the network portion is only 8 bits long (and 0 and 127 are reserved), there are only 126 Class A network addresses available. The remaining 24 bits of the address allow each Class A network to hold as many as 16,777,214 hosts.
Default subnet mask: 255.0.0.0

Class B networks always have the first 2 bits set at 10 (decimal values from 128 to 191) and are designed for medium-sized networks. The default network portion for Class B networks is the first 16 bits, leaving 16 bits for host identification. This allows for 16,384 (2^14) networks, each with as many as 65,534 (2^16 – 2) hosts attached.
Default subnet mask: 255.255.0.0

Class C networks have the first three bits set at 110 (decimal values from 192 to 223) and are designed for smaller networks. The default network portion for Class C networks is the first 24 bits, leaving 8 bits for host identification. This allows for 2,097,152 (2^21) networks, but each network can have a maximum of only 254 (2^8 – 2) hosts. Most companies have Class C network addresses.
Default subnet mask: 255.255.255.0

27
Q

Classless Inter-Domain Routing

A

The default subnet masks for each class of address are by no means the only subnet masks that can be used. To provide additional addressing flexibility, there is classless inter-domain routing (CIDR). This is just a fancy way of saying, “You don’t have to use the default subnet masks.” From a practical standpoint, CIDR minimizes the concept of IP address classes and primarily focuses on the number of bits that are used as part of the network address.

CIDR values:
Subnet mask Notation
255.0.0.0 /8
255.128.0.0 /9
255.192.0.0 /10
255.224.0.0 /11
255.240.0.0 /12
255.248.0.0 /13
255.252.0.0 /14
255.254.0.0 /15
255.255.0.0 /16
255.255.128.0 /17
255.255.192.0 /18
255.255.224.0 /19
255.255.240.0 /20
255.255.248.0 /21
255.255.252.0 /22
255.255.254.0 /23
255.255.255.0 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30

The /8 through /15 notations can be used only with Class A network addresses; /16 through /23 can be used with Class A and B network addresses; /24 through /30 can be used with Class A, B, and C network addresses. You can’t use anything more than /30, because you always need at least 2 bits for hosts.

28
Q

Public vs. Private IP Addresses

A

All addresses used on the Internet are called public addresses. Only one computer can use any given public address at one time. The problem is that the world ran out of public IP addresses while the use of TCP/IP was growing. To address this, a solution was devised to allow for the use of TCP/IP without requiring the assignment of a public address: private addresses. Private addresses are not routable on the Internet. They were intended for use on private networks only, which freed us from the requirement that all addresses be globally unique. This essentially created an infinite number of IP addresses that companies could use within their own network walls.

This created a new problem. The private addresses that all of these computers have aren’t globally unique, but they need to be in order to access the Internet. A service called Network Address Translation (NAT) was created to solve this problem. NAT runs on your router and handles the translation of private, nonroutable IP addresses into public IP addresses. There are three ranges reserved for private, nonroutable IP addresses:

Class / IP address range / Default subnet mask / Number of hosts
A / 10.0.0.0–10.255.255.255 / 255.0.0.0 / 16.7 million
B / 172.16.0.0–172.31.255.255 / 255.240.0.0 / 1 million
C / 192.168.0.0–192.168.255.255 / 255.255.0.0 / 65,536

29
Q

How private addresses work:

A

These private addresses cannot be used on the Internet and cannot be routed externally. The fact that they are not routable on the Internet is actually an advantage because a network administrator can use them essentially to hide an entire network from the Internet.

This is how it works: The network administrator sets up a NAT-enabled router, which functions as the default gateway to the Internet. The external interface of the router has a public IP address assigned to it that has been provided by the ISP, such as 155.120.100.1. The internal interface of the router will have an administrator-assigned private IP address within one of these ranges, such as 192.168.1.1. All computers on the internal network will then also need to be on the 192.168.1.0 network. To the outside world, any request coming from the internal network will appear to come from 155.120.100.1. The NAT router translates all incoming packets and sends them to the appropriate client. This type of setup is very common today.

30
Q

What is DHCP?

A

A DHCP server is configured to provide IP configuration information to clients automatically (dynamically), in what is called a lease. The client must periodically request a renewed lease or a new lease. The following configuration information is typically provided in a lease:

IP address

Subnet mask

Default gateway (the “door” to the outside world)

DNS server address

Address Pool
This is the range of addresses that the server can give out to clients.

Lease Durations
IP addresses given out by the DHCP server are leased to clients, and the lease has an expiration time. Before the lease expires, the client (if it’s online) will typically renegotiate to receive a new lease. If the lease expires, then the address becomes available to assign to another client.

Address Reservations
Some IP addresses can be reserved (it’s appropriately named a DHCP reservation) for specific clients, based on the client’s MAC address. This is particularly useful for devices that need to have a static IP address, such as printers, servers, and routers.

Scope Options
These provide extra configuration items outside of the IP address and subnet mask. The most common items are the address of the default gateway (the router) and DNS servers.

31
Q

How DHCP Works

A

DHCP clients need to be configured to obtain an IP address automatically. This is done by going into the network card’s properties and then the TCP/IP properties. When the client boots up, it will not have an IP address. To ask for one, it will send a DHCP DISCOVER broadcast out on the network. If a DHCP server is available to hear the broadcast, it will respond directly to the requesting client using the client’s MAC address as the destination address.

32
Q

Automatic Private IP Addressing

A

Automatic Private IP Addressing (APIPA) is a TCP/IP standard used to automatically configure IP-based hosts that are unable to reach a DHCP server. APIPA addresses are in the 169.254.0.0–169.254.255.255 range, with a subnet mask of 255.255.0.0. Typically, the only time that you will see this is when a computer is supposed to receive configuration information from a DHCP server but for some reason that server is unavailable. Even while configured with this address, the client will continue to broadcast for a DHCP server so that it can be given a real address once the server becomes available.

33
Q

What is the DNS Server?

A

If a company wants to host its own website, it also needs to maintain two public DNS servers with information on how to get to the website. (Two servers are required for redundancy.) An advantage of using ISPs or web hosting companies to host the website is that they are then also responsible for managing the DNS servers. Each DNS server has a database, called a zone file, which maintains records of hostname to IP address mappings. Five columns of information are presented. From left to right, they are as follows:

The name of the server or computer, for example, www.

IN, which means Internet.

The record type.

The address of the computer.

Comments, preceded by a semicolon. It’s used to make notes for the administrator without affecting functionality.

34
Q

Common DNS record types:

A

SOA - Start of Authority. It signifies the authoritative DNS server for that zone.

NS - Name Server. It’s the name or address of the DNS server for that zone. It helps point to where internet applications like a web browser can find the IP address for a domain name.

MX - Mail Exchange. It’s the name or address of the email server. It shows where emails for a domain should be routed to and makes it possible to direct emails to a mail server.

A - The “A” in A record stands for “address.” An A record shows the IP address for a specific hostname or domain.

CNAME - Canonical Name. It’s an alias; it allows multiple names to be assigned to the same host or address.

TXT - Text record. Used to enter human-readable or machine-readable data. Today, text records are used primarily for email spam prevention and domain ownership verification.

35
Q

Spam Management

A

DNS, through the use of TXT records, can help email servers determine if incoming messages are from a trusted source. Three standards used to battle email spam are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

SPF authenticates an email server based on its IP address. In an SPF TXT record, the administrator specifies all servers that are legitimate email senders for that domain, based on their IP addresses.

DKIM authenticates using encryption through a public-private key pair. Each email sent by the server includes a digital signature in the headers, which has been encrypted by the server’s private key. When the receiving email server gets the message, it finds the server’s registered public key, which is used to decrypt the message. If the key pair is incorrect, the message is flagged as a fake.

DMARC builds on both SPF and DKIM and essentially combines them together into one framework. It’s not an authentication method; it allows a domain owner to decide how they want email from their domain to be handled if it fails either an SPF or a DKIM authentication. Options include doing nothing, quarantining the email (sending to a spam folder), or rejecting the email.

36
Q

What is IPv6?

A

A new version of TCP/IP has been developed, called IPv6. It uses 128-bit addresses. It’s backward compatible with and can run on the computer at the same time as IPv4. IPv6 doesn’t use a subnet mask.

The new address is composed of eight 16-bit fields, each represented by four hexadecimal digits and separated by colons. The letters in an IPv6 address are not case sensitive. IPv6 uses three types of addresses: unicast, anycast, and multicast.

A unicast address identifies a single node on the network.

An anycast address refers to one that has been assigned to multiple nodes.

A multicast address is one used by multiple hosts, and is used to communicate to groups of computers.

Address Ranges:

0:0:0:0:0:0:0:0 Equals ::, and is equivalent to 0.0.0.0 in IPv4. It usually means that the host is not configured.

0:0:0:0:0:0:0:1 Also written as ::1. Equivalent to the loopback address of 127.0.0.1 in IPv4.

2000::/3 Global unicast address range for use on the Internet.

FC00::/7 Unique local unicast address range.

FE80::/10 Link local unicast range.

FF00::/8 Multicast range.

37
Q

2 types of Virtual Networks

A

Virtual local area networks (VLAN)

Virtual private networks (VPN)

38
Q

What are Virtual Local Area Networks?

A

The virtual local area network (VLAN) is designed to help segment physical networks into multiple logical (virtual) networks. VLANs are created by using a managed switch. The switch uses Spanning Tree Protocol (STP) to manage configurations and to ensure that there are no infinite network loops. A VLAN can provide the following benefits:

Broadcast traffic is reduced. Physical network segments can be logically subdivided, reducing broadcast traffic and speeding network performance.

Security is increased. Computers on the same physical network can be isolated from each other to provide an additional layer of security.

Computers in multiple locations can belong to the same VLAN. This is one major thing that routers can’t do with subnetting. With multiple switches configured appropriately, computers at different physical locations can be configured to be on the same VLAN.

Reconfiguring networks is easier. With VLANs, if someone moves physical desk locations, their VLAN membership can carry with them, so there is less network reconfiguration needed.

39
Q

What are Virtual Private Networks?

A

A VPN is a secure (private) network connection that occurs through a public network. The private network provides security over an otherwise unsecure environment. VPNs can be used to connect LANs together across the Internet or other public networks, or they can be used to connect individual users to a corporate network. From the server side, a VPN requires dedicated hardware or a software package running on a server or router. Clients use specialized VPN client software to connect, most often over a broadband Internet link.

40
Q

What is UDP?

A

User Datagram Protocol (UDP) sends data without establishing a verified connection to the target destination, making it a connectionless protocol. Due to this lack of a verified connection, UDP is also considered unsecure.