2 TCP/IP Flashcards

1
Q

What does TCP/IP stand for?

A

Transmission Control Protocol/Internet Protocol

2
Q

The DoD (Department of Defense) Model

A

The DoD model is basically a condensed version of the OSI model that comprises four instead of seven layers:

  • Process/Application layer
  • Host-to-Host layer or Transport layer
  • Internet layer
  • Network Access layer or Link layer
3
Q

Telnet

A

Telnet’s specialty is terminal emulation. It allows a user on a remote client machine, called the Telnet client, to access the resources of another machine, the Telnet server, in order to access a command-line interface. Telnet achieves this by making the client machine appear as though it were a terminal directly attached to the local network. This projection is actually a software image—a virtual terminal that can interact with the chosen remote host. A major drawback is that there are no encryption techniques available within the Telnet protocol, so everything must be sent in clear text—including passwords! Users begin a Telnet session by running the Telnet client software and then logging into the Telnet server. Telnet uses an 8-bit, byte-oriented data connection over TCP, which makes it very thorough. It’s still in use today because it is so simple and easy to use, with very low overhead, but again, as with everything sent in clear text, it’s not recommended in production.

4
Q

Secure Shell (SSH)

A

Secure Shell (SSH) protocol sets up a secure session that’s similar to Telnet over a standard TCP/IP connection. It’s used for doing things like logging into systems, running programs on remote systems and moving files from one system to another, and it does all of this while maintaining an encrypted connection. The client must send the data encrypted.

5
Q

File Transfer Protocol (FTP)

A

File Transfer Protocol (FTP) actually lets us transfer files, and it can accomplish this between any two machines using it. But FTP isn’t just a protocol; it’s also a program. Operating as a protocol, FTP is used by applications. As a program, it’s employed by users to perform file tasks by hand. FTP also allows for access to both directories and files and can accomplish certain types of directory operations, such as relocating into different ones. Even when employed by users manually as a program, FTP’s functions are limited to listing and manipulating directories, typing file contents and copying files between hosts. It can’t execute remote files as programs.

6
Q

Trivial File Transfer Protocol (TFTP)

A

Trivial File Transfer Protocol (TFTP) is the stripped-down, stock version of FTP. It’s the protocol of choice if you know exactly what you want and where to find it because it’s so fast and easy to use. But TFTP doesn’t offer the abundance of functions that FTP does because it has no directory-browsing abilities, meaning that it can only send and receive files. It’s heavily used for managing file systems on Cisco devices. This compact little protocol also skimps in the data department, sending much smaller blocks of data than FTP. Also, there’s no authentication as with FTP, so it’s even more insecure. Few sites support it because of the inherent security risks.

7
Q

Simple Network Management Protocol (SNMP)

A

Simple Network Management Protocol (SNMP) collects and manipulates valuable network information. It gathers data by polling the devices on the network from a network management station (NMS) at fixed or random intervals, requiring them to disclose certain information, or even asking for certain information from the device. In addition, network devices can inform the NMS station about problems as they occur, so the network administrator is alerted. When all is well, SNMP receives something called a baseline—a report delimiting the operational traits of a healthy network. This protocol can also stand as a watchdog over the network, quickly notifying managers of any sudden turn of events. These network watchdogs are called agents, and when aberrations occur, agents send an alert called a trap to the management station.

8
Q

Hypertext Transfer Protocol (HTTP)

A

It’s used to manage communications between web browsers and web servers and opens the right resource when you click a link, wherever that resource may actually reside. In order for a browser to display a web page, it must first find the exact server that has the right web page, plus the exact details that identify the information requested. This information must then be sent back to the browser. Nowadays, it’s highly doubtful that a web server would have only one page to display! Your browser can understand what you need when you enter a Uniform Resource Locator (URL), which we usually refer to as a web address. Each URL defines the protocol used to transfer data, the name of the server, and the particular web page on that server.

9
Q

Hypertext Transfer Protocol Secure (HTTPS)

A

Hypertext Transfer Protocol Secure (HTTPS) is also known as Secure Hypertext Transfer Protocol. It uses Secure Sockets Layer (SSL) and keeps data being sent encrypted. Since Microsoft supported HTTPS, it became the de facto standard for securing web communication.

10
Q

Network Time Protocol (NTP)

A

Protocol that’s used to synchronize the clocks on our computers to one standard time source (typically, an atomic clock). Network Time Protocol (NTP) works by synchronizing devices to ensure that all computers on a given network agree on the time. So many of the transactions done today are time and date stamped.

11
Q

Domain Name Service (DNS)

A

Domain Name Service (DNS) resolves hostnames—specifically, Internet names, such as www.google.com. An IP address identifies hosts on a network and the Internet as well. DNS allows you to use a domain name to specify an IP address. You can change the IP address as often as you want and no one will know the difference. To resolve a DNS address from a host, you’d type in a URL on a browser, which would hand the data to the Application layer interface to be transmitted on the network. The application would look up the DNS address and send a UDP request to your DNS server to resolve the name. If your first DNS server doesn’t know the answer to the query, then the DNS server forwards a TCP request to its root DNS server. Once the query is resolved, the answer is transmitted back to the originating host, which means the host can now request the information from the correct web server. DNS is used to resolve a fully qualified domain name (FQDN).

12
Q

Dynamic Host Configuration Protocol (DHCP)/Bootstrap Protocol (BootP)

A

Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to hosts. It allows for easier administration and works well in small to very large network environments. Many types of hardware can be used as a DHCP server, including a Cisco router. DHCP differs from BootP in that BootP assigns an IP address to a host but the host’s hardware address must be entered manually in a BootP table. You can think of DHCP as a dynamic BootP, but remember that BootP is also used to send an operating system that a host can boot from. DHCP can’t do that. Even so, there’s still a lot of information a DHCP server can provide to a host when the host is requesting an IP address from the DHCP server. Here’s a list of the most common types of information a DHCP server can provide:

■ IP address
■ Subnet mask
■ Domain name
■ Default gateway (routers)
■ DNS server address
■ WINS server address

A client that sends out a DHCP Discover message in order to receive an IP address sends out a broadcast at both layer 2 and layer 3.

■ The layer 2 broadcast is all Fs in hex, which looks like this: ff:ff:ff:ff:ff:ff.
■ The layer 3 broadcast is 255.255.255.255, which means all networks and all hosts.

DHCP is connectionless, which means it uses User Datagram Protocol (UDP) at the Transport layer. The Transport layer is also known as the Host-to-Host layer.

13
Q

The four-step process a client takes to receive an IP address from a DHCP server using “DORA” (Discover, Offer, Request, Acknowledgment):

A
  1. The DHCP client broadcasts a DHCP Discover message looking for a DHCP server (Port 67).
  2. The DHCP server that received the DHCP Discover message sends a layer 2 unicast DHCP Offer message back to the host.
  3. The client then broadcasts to the server a DHCP Request message asking for the offered IP address and possibly other information.
  4. The server finalizes the exchange with a unicast DHCP Acknowledgment message.
14
Q

DHCP Conflicts

A

A DHCP address conflict occurs when two hosts use the same IP address. During IP address assignment, a DHCP server checks for conflicts using the Ping program to test the availability of the address before it’s assigned from the pool. If no host replies, then the DHCP server assumes that the IP address is not already allocated. To provide extra protection against an IP conflict issue, the host can broadcast for its own address. A host uses something called a gratuitous ARP to help avoid a possible duplicate address. The DHCP client sends an ARP broadcast out on the local LAN or VLAN using its newly assigned address to solve conflicts before they occur. So, if an IP address conflict is detected, the address is removed from the DHCP pool (scope). And it’s really important to remember that the address will not be assigned to a host until the administrator resolves the conflict by hand!

15
Q

Automatic Private IP Addressing (APIPA)

A

You can add IP information by hand, known as static IP addressing, but later Windows operating systems provide a feature called Automatic Private IP Addressing (APIPA). With APIPA, clients can automatically self-configure an IP address and subnet mask—basic IP information that hosts use to communicate—when a DHCP server isn’t available. The IP address range for APIPA is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default Class B subnet mask of 255.255.0.0. But when you’re in your corporate network working and you have a DHCP server running, and your host shows that it’s using this IP address range, it means that either your DHCP client on the host is not working or the server is down or can’t be reached due to some network issue.

16
Q

The Host-to-Host or Transport Layer Protocols

A

The main purpose of the Host-to-Host layer is to shield the upper-layer applications from the complexities of the network.

■ Transmission Control Protocol (TCP)
■ User Datagram Protocol (UDP)

17
Q

Transmission Control Protocol (TCP)

A

Transmission Control Protocol (TCP) takes large blocks of information from an application and breaks them into segments. It numbers and sequences each segment so that the destination’s TCP stack can put the segments back into the order the application intended. After these segments are sent on the transmitting host, TCP waits for an acknowledgment of the receiving end’s TCP virtual circuit session, retransmitting any segments that aren’t acknowledged. Before a transmitting host starts to send segments down the model, the sender’s TCP stack contacts the destination’s TCP stack to establish a connection. This creates a virtual circuit, and this type of communication is known as connection-oriented. During this initial handshake, the two TCP layers also agree on the amount of information that’s going to be sent before the recipient’s TCP sends back an acknowledgment. With everything agreed upon in advance, the path is paved for reliable communication to take place. TCP is a full-duplex, connection-oriented, reliable, and accurate protocol, but establishing all these terms and conditions, in addition to error checking, is no small task. TCP is very complicated, and so not surprisingly, it’s costly in terms of network overhead. And since today’s networks are much more reliable than those of yore, this added reliability is often unnecessary. Most programmers use TCP because it removes a lot of programming work, but for real-time video and VoIP, User Datagram Protocol (UDP) is often better because using it results in less overhead.

18
Q

User Datagram Protocol (UDP)

A

User Datagram Protocol (UDP) is the scaled-down economy model of TCP and requires less bandwidth on a network. It does a good job of transporting information that doesn’t require reliable delivery, such as when reliability is already taken care of at the Process/Application layer. Network File System (NFS) handles its own reliability issues, making the use of TCP both impractical and redundant. UDP does not sequence the segments and does not care about the order in which the segments arrive at the destination. It just sends the segments off and forgets about them. It doesn’t follow through, check up on them, or even allow for an acknowledgment of safe arrival. Because of this, it’s referred to as an unreliable protocol. This does not mean that UDP is ineffective, only that it doesn’t deal with reliability issues at all. Furthermore, UDP doesn’t create a virtual circuit, nor does it contact the destination before delivering information to it. Because of this, it’s also considered a connectionless protocol. Since UDP assumes that the application will use its own reliability method, it doesn’t use any itself. The choice is TCP for reliability or UDP for faster transfers. It’s important to know how this process works because if the segments arrive out of order, which is commonplace in IP networks, they’ll simply be passed up to the next layer in whatever order they were received. This can result in some seriously garbled data! On the other hand, TCP sequences the segments so they get put back together in exactly the right order.

19
Q

Summary of TCP and UDP

A

TCP
* Sequenced
* Reliable
* Connection-oriented
* Virtual circuit
* Acknowledgments
* Windowing flow control

UDP
* Unsequenced
* Unreliable
* Connectionless
* Low overhead
* No acknowledgment
* No windowing or flow control of any type

20
Q

TCP / UDP Port Numbers

A

TCP
* Telnet 23
* SMTP 25
* HTTP 80
* FTP 20, 21
* DNS 53
* HTTPS 443
* SSH 22
* POP3 110
* IMAP4 143

UDP
* SNMP 161
* TFTP 69
* DNS 53
* BootP/DHCP 67
* NTP 123

21
Q

The Internet Layer Protocols

A

In the DoD model, there are two main reasons for the Internet layer’s existence: routing and providing a single network interface to the upper layers. None of the other upper- or lower-layer protocols have any functions relating to routing—that complex and important task belongs entirely to the Internet layer. The Internet layer’s second duty is to provide a single network interface to the upper-layer protocols. Without this layer, application programmers would need to write “hooks” into every one of their applications for each different Network Access protocol. This would not only be a pain in the neck, but it would lead to different versions of each application—one for Ethernet, another one for wireless, and so on. To prevent this, IP provides one single network interface for the upper-layer protocols. With that mission accomplished, it’s then the job of IP and the various Network Access protocols to get along and work together. All paths through the DoD model go through IP. Here’s a list of the important protocols at the Internet layer:

■ Internet Protocol (IP)
■ Internet Control Message Protocol (ICMP)
■ Address Resolution Protocol (ARP)

22
Q

Internet Protocol (IP)

A

Internet Protocol (IP) essentially is the Internet layer. The other protocols found here merely exist to support it. All the machines on the network have a software or logical address called an IP address. IP looks at each packet’s address. Then, using a routing table, it decides where a packet is to be sent next, choosing the best path to send it upon. The protocols of the Network Access layer at the bottom of the DoD model don’t possess IP’s enlightened scope of the entire network; they deal only with physical links (local networks). Identifying devices on networks requires answering these two questions: Which network is it on? And what is its ID on that network? The first answer is the software address, or logical address. The second answer is the hardware address. All hosts on a network have a logical ID called an IP address. This is the software, or logical, address and contains valuable encoded information, greatly simplifying the complex task of routing. IP receives segments from the Host-to-Host layer and fragments them into datagrams (packets) if necessary. IP then reassembles datagrams back into segments on the receiving side. Each datagram is assigned the IP address of the sender and that of the recipient. Each router or switch (layer 3 device) that receives a datagram makes routing decisions based on the packet’s destination IP address.

23
Q

Internet Control Message Protocol (ICMP)

A

Internet Control Message Protocol (ICMP) works at the Network layer and is used by IP for many different services. ICMP is basically a management protocol and messaging service provider for IP. Its messages are carried as IP datagrams. ICMP packets have the following characteristics:

■ They can provide hosts with information about network problems.
■ They are encapsulated within IP datagrams.

24
Q

Address Resolution Protocol (ARP)

A

Address Resolution Protocol (ARP) finds the hardware address of a host from a known IP address. Here’s how it works: When IP has a datagram to send, it must inform a Network Access protocol, such as Ethernet or wireless, of the destination’s hardware address on the local network. If IP doesn’t find the destination host’s hardware address in the ARP cache, it uses ARP to find this information. As IP’s detective, ARP interrogates the local network by sending out a broadcast asking the machine with the specified IP address to reply with its hardware address. So basically, ARP translates the software (IP) address into a hardware address.

25
Q

IP Addressing

A

An IP address is a numeric identifier assigned to each machine on an IP network. It designates the specific location of a device on the network. An IP address is a software address, not a hardware address—the latter is hard-coded on a network interface card (NIC) and used for finding hosts on a local network. IP addressing was designed to allow hosts on one network to communicate with a host on a different network regardless of the type of LANs the hosts are participating in.

26
Q

IP Terminology

A

Bit - A bit is one digit, either a 1 or a 0.

Byte - A byte is 7 or 8 bits, depending on whether parity is used.

Octet - An octet, made up of 8 bits, is just an ordinary 8-bit binary number. The terms byte and octet are completely interchangeable.

Network address - This is the designation used in routing to send packets to a remote network—for example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.

Broadcast address - The address used by applications and hosts to send information to all nodes on a network is called the broadcast address. Examples of layer 3 broadcasts include 255.255.255.255, which is any network, all nodes; 172.16.255.255, which is all subnets and hosts on network 172.16.0.0; and 10.255.255.255, which broadcasts to all subnets and hosts on network 10.0.0.0.

27
Q

The Hierarchical IP Addressing Scheme

A

An IP address consists of 32 bits of information. These bits are divided into four sections, referred to as octets or bytes, with each containing 1 byte (8 bits). You can depict an IP address using one of three methods:

Dotted-decimal: 172.16.30.56
Binary: 10101100.00010000.00011110.00111000
Hexadecimal: AC.10.1E.38

28
Q

Network Addressing

A

The network address identifies each network. Every machine on the same network shares that network address as part of its IP address. In the IP address 172.16.30.56, 172.16 represents the network address and 30.56 represents the node (host) address.

29
Q

Network Classes

A

Classes of networks based on network size. Subdividing an IP address into a network and node address is determined by the class designation of one’s network.

IP Address: 32 bits
8bit - 8bit - 8bit - 8bit

Class A
Network - Host - Host - Host
0xxxxxxx
0-127

Class B
Network - Network - Host - Host
10xxxxxx
128-191

Class C
Network - Network - Network - Host
110xxxxx
192-223

Class D
Multicast
1110xxxx
224-239

Class E
Research
1111xxxx
240-255

30
Q

Network Address Range: Class A

A

The first bit of the first byte in a Class A network address must always be 0 (0xxxxxxx). This means a Class A address must be between 0 and 127.

00000000 = 0
01111111 = 127

0 and 127 are not valid in a Class A network because they’re reserved addresses.

31
Q

Network Address Range: Class B

A

In a Class B network, the RFCs state that the first bit of the first byte must always be turned on but the second bit must always be turned off (10xxxxxx).

Class B network:
10000000 = 128
10111111 = 191

A Class B network is defined when the first byte is configured from 128 to 191.

32
Q

Network Address Range: Class C

A

For Class C networks, the RFCs define the first 3 bits of the first octet as always 110xxxxx

Class C network:
11000000 = 192
11011111 = 223

33
Q

Network Address Ranges: Classes D and E

A

The addresses from 224 to 255 are reserved for Class D and E networks. Class D (224–239) is used for multicast addresses and Class E (240–255) for scientific purposes.

34
Q

Network Addresses: Special Purpose

A

Network address of all 0s - Interpreted to mean “this network or segment.”

Network address of all 1s - Interpreted to mean “all networks.”

Network 127.0.0.1 - Reserved for loopback tests. Designates the local node and allows that node to send a test packet to itself without generating network traffic.

Node address of all 0s - Interpreted to mean “network address” or any host on a specified network.

Node address of all 1s - Interpreted to mean “all nodes” on the specified network; for example, 128.2.255.255 means “all nodes” on network 128.2 (Class B address).

Entire IP address set to all 0s - Used by Cisco routers to designate the default route. Could also mean “any network.”

Entire IP address set to all 1s (same as 255.255.255.255) - Broadcast to all nodes on the current network; sometimes called an “all 1s broadcast” or local broadcast.

35
Q

What happens if a DHCP conflict is detected?

A

If a DHCP conflict is detected, either by the server sending a ping and getting a response or by a host using a gratuitous ARP (arp’ing for its own IP address and seeing if a host responds), then the server will hold that address and not use it again until it is fixed by an administrator.

36
Q

What is a gratuitous ARP?

A

A host uses something called a gratuitous ARP (Address Resolution Protocol) to help avoid a possible duplicate address. The DHCP client sends an ARP broadcast out on the local LAN or VLAN with its newly assigned address to find out if another host replies, and this helps solve conflicts before they occur.

37
Q

DHCP Discover

A

The client that sends out a DHCP Discover message in order to receive an IP address sends out a broadcast at both layer 2 and layer 3. The layer 2 broadcast is all Fs in hex, or ff:ff:ff:ff:ff:ff. The layer 3 broadcast is 255.255.255.255, which means any networks and all hosts. DHCP is connectionless, which means it uses User Datagram Protocol (UDP) at the Transport layer, also called the Host-to-Host layer.

38
Q

Multicast Addresses

A

The range of multicast addresses starts with 224.0.0.0 and goes through 239.255.255.255.

39
Q

Private Addressing

A

Class A private address range:
10.0.0.0 - 10.255.255.255

Class B private address range:
172.16.0.0 - 172.31.255.255

Class C private address range:
192.168.0.0 - 192.168.255.255

40
Q

What are all the components of a “frame” sent over the network?

A

Frames are 64 bytes (doesn’t include Preamble and SFD)

Preamble
Start Frame Delimiter (SFD)
Destination (6 bytes / header)
Source (6 bytes / header)
Type (2 bytes / header)
Frame Check Sequence (FCS) (4 bytes / trailing)