Transport layer of Computer Network Foundation

Source: Internet
Author: User
Tags: snmp, file transfer protocol

Transport Layer Overview
    • The transport layer provides communication services to the application layer above it.
    • When two hosts at the edge of the network use the functions of the network core for end-to-end communication, only the hosts' protocol stacks contain a transport layer; the routers in the network core use only the lower three layers when forwarding packets.

    • The network layer provides logical communication between hosts, while the transport layer provides end-to-end logical communication between application processes. The transport layer has the functions of multiplexing and demultiplexing.

All application processes in the application layer can hand their data to the IP layer (the network layer) through the transport layer, which is multiplexing. When the transport layer receives data from the IP layer, it must deliver it to the specified application process, which is demultiplexing.

    • A message is delivered to a particular process through the protocol port number. Although the endpoints of the communication are application processes, it is enough to send the message to the destination host with the appropriate destination port; the remaining work (the final delivery to the destination process) is completed by TCP.

Both the UDP header format and the TCP header format contain a source port and a destination port.

Well-known port numbers commonly used on the server side:

Application process     FTP  TELNET  SMTP  DNS  TFTP  HTTP  SNMP  SNMP (TRAP)
Well-known port number  21   23      25    53   69    80    161   162
Transport Layer Protocol

Protocols that run over TCP:
(1) FTP: the File Transfer Protocol, using port 21.
(2) Telnet: the remote login protocol, using port 23. A user can log in to a remote computer under their own identity, and it provides a DOS-style command-line service.
(3) SMTP: the mail transfer protocol, used for sending mail. The server listens on port 25.
(4) POP3: the counterpart of SMTP, used for receiving mail. POP3 uses port 110.
(5) HTTP: the transfer protocol that carries hypertext from a Web server to a local browser.
Protocols that run over UDP:
(1) DNS: used for the domain name resolution service, which converts a domain name to an IP address. DNS uses port 53.
(2) SNMP: the Simple Network Management Protocol, using port 161, is used to manage network devices. Because there are many network devices, the connectionless service shows its advantage here.
(3) TFTP (Trivial File Transfer Protocol): a simple file transfer protocol that uses the UDP service on well-known port 69.
(4) NFS, BOOTP

UDP Overview

The User Datagram Protocol (UDP) adds only a little functionality on top of the IP datagram service: multiplexing and demultiplexing, and error detection.

1. Main features of UDP:
    1. UDP is connectionless, which reduces the overhead and the delay before sending data.
    2. UDP uses best-effort delivery and does not guarantee reliable delivery, so the host does not need to maintain a complex connection state table.
    3. UDP is message-oriented: it delivers a complete message at once. Therefore the application must choose an appropriate message size. If the message is too long, the IP layer may have to fragment it when UDP hands it down, which reduces the efficiency of the IP layer. Conversely, if the message is too short, the IP datagram header is too large relative to the data when UDP hands it to the IP layer, which also reduces the efficiency of the IP layer.
    4. UDP has no congestion control. Therefore congestion in the network does not cause the sending rate of the source host to decrease.
    5. UDP supports one-to-many, many-to-one, and many-to-many interactive communication.
    6. The header overhead of UDP is small, only 8 bytes, shorter than the 20-byte TCP header.
2. UDP header format

3. Port demultiplexing
When the transport layer receives a UDP datagram from the IP layer, it uses the destination port in the header to pass the UDP datagram up through the corresponding port to its final destination, the application process. If the receiving UDP finds that the destination port number in the received datagram is not correct (that is, no application process corresponds to that port number), it discards the datagram and has the Internet Control Message Protocol (ICMP) send a "port unreachable" error message to the sender.
4. Checksum calculation

A 12-byte pseudo-header is prepended to the UDP user datagram before the checksum is computed. The so-called "pseudo-header" is added to the UDP user datagram only at the time of computing or verifying the checksum, giving a temporary UDP user datagram; the checksum is computed over this temporary datagram. The pseudo-header is neither transmitted downward nor delivered upward; it exists only for the purpose of computing the checksum.

The IP datagram checksum covers only the header of the IP datagram, whereas the UDP checksum covers both the header and the data part.
The exact calculation procedure is left to the textbook.
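The following is an added example, not code from the original notes: it builds a UDP datagram, computes the checksum over the temporary pseudo-header + datagram as described above, verifies it on the receiving side, and models the port demultiplexing step (an unbound destination port yields no process, which is the case where the host answers with ICMP "port unreachable"). The addresses, ports and payload are constructed sample values; the `internet_checksum` routine is the standard RFC 1071 one's-complement sum that UDP and TCP both use.

```python
import socket
import struct

UDP_PROTOCOL = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented.
    An odd trailing byte is padded with a zero byte before summing."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """The 12-byte IPv4 pseudo-header: source IP, destination IP, a zero byte,
    the protocol number (17 for UDP) and the UDP length. It is never transmitted."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def build_udp_datagram(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Build a UDP datagram (8-byte header + payload) with a correct checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)  # checksum field is zero while computing
    csum = internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF   # RFC 768: a computed zero is sent as all ones, because 0 means "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp_datagram(src_ip, dst_ip, datagram: bytes) -> bool:
    """Rebuild the temporary pseudo-header + datagram and check that the sum verifies to zero."""
    if len(datagram) < 8:
        return False
    _src_port, _dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return False
    if csum == 0:
        return True     # sender did not compute a checksum (permitted over IPv4)
    return internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + datagram) == 0


def demultiplex(datagram: bytes, bound_ports: dict):
    """Port demultiplexing: return the process bound to the destination port, or None,
    in which case the host would answer with an ICMP 'port unreachable' message."""
    dst_port = struct.unpack("!H", datagram[2:4])[0]
    return bound_ports.get(dst_port)


# Constructed sample values (documentation address ranges, not a real capture).
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
SAMPLE = build_udp_datagram(SRC_IP, DST_IP, 40000, 53, b"example-query")
BOUND = {53: "dns-resolver", 161: "snmp-agent"}


def demo():
    ok = verify_udp_datagram(SRC_IP, DST_IP, SAMPLE)
    corrupted = bytearray(SAMPLE)
    corrupted[-1] ^= 0x01                                       # flip one bit in the payload
    bad = verify_udp_datagram(SRC_IP, DST_IP, bytes(corrupted))
    wrong_host = verify_udp_datagram(SRC_IP, "192.0.2.3", SAMPLE)  # pseudo-header catches misdelivery
    return ok, bad, wrong_host, demultiplex(SAMPLE, BOUND), demultiplex(SAMPLE, {161: "snmp-agent"})


if __name__ == "__main__":
    print(demo())
```

The third result shows why the pseudo-header is included at all: a datagram that arrives at the wrong host fails verification even though its own 8 bytes and payload are intact.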

TCP Overview
    • TCP provides a connection-oriented, reliable byte-stream service.
    • TCP provides reliable delivery: error-free, nothing lost, nothing duplicated, and arriving in order.
    • TCP provides full-duplex communication; both ends of a TCP connection have a send buffer and a receive buffer, used to temporarily store the data of the two-way communication.
    • In a TCP connection only two parties communicate with each other, one-to-one. Broadcast and multicast cannot be used with TCP.
    • TCP uses checksums, acknowledgements, and retransmission mechanisms to ensure reliable transmission.
    • TCP uses cumulative acknowledgement.
    • TCP uses the sliding-window mechanism to achieve flow control and, by dynamically changing the window size, congestion control.
Three-way handshake and four-way wave

Three-way handshake
The so-called three-way handshake means that when a TCP connection is established, the client and server send a total of 3 packets between them.

The purpose of the three-way handshake is to connect to the specified port of the server, establish a TCP connection, synchronize the sequence numbers and acknowledgement numbers of both parties, and exchange TCP window size information. In socket programming, the client's call to connect() triggers the three-way handshake.

    • First handshake (SYN=1, seq=x):

      The client sends a packet with the TCP SYN flag set to 1, indicating the server port the client intends to connect to, together with the initial sequence number x, which is carried in the Sequence Number field of the header.

      After sending, the client enters the SYN_SENT state.

    • Second handshake (SYN=1, ACK=1, seq=y, acknum=x+1):

      The server sends back an acknowledgement packet (ACK) in reply, with both the SYN flag and the ACK flag set to 1. The server chooses its own ISN y and places it in the Seq field, and sets the acknowledgement number to the client's ISN plus 1, that is, x+1.
      After sending, the server enters the SYN_RCVD state.

    • Third handshake (ACK=1, acknum=y+1)

      The client sends an acknowledgement packet (ACK) again, with the SYN flag at 0 and the ACK flag at 1. It takes the sequence number of the server's SYN-ACK, adds 1, and places y+1 in the acknowledgement field sent to the other side; its own sequence number is its ISN plus 1, x+1.

      After sending, the client enters the ESTABLISHED state; when the server receives the packet, it also enters the ESTABLISHED state, and the TCP handshake is complete.

The three-way handshake process is as follows:

Four-way wave

Tearing down a TCP connection requires sending four packets, hence the name four-way wave (four-way handshake), also called the improved three-way handshake. Either the client or the server can initiate the wave; in socket programming, either party calling close() produces the wave.

    • First wave (FIN=1, seq=x)

Assuming the client wants to close the connection, the client sends a packet with the FIN flag set to 1, indicating that it has no more data to send but can still receive data.

After sending, the client enters the FIN_WAIT_1 state.

    • Second wave (ACK=1, acknum=x+1)

The server acknowledges the client's FIN packet by sending an acknowledgement packet, indicating that it has received the client's request to close the connection but is not yet ready to close it.

After sending, the server enters the CLOSE_WAIT state; the client, on receiving this acknowledgement packet, enters the FIN_WAIT_2 state and waits for the server to close the connection.

    • Third wave (FIN=1, seq=y)

When the server is ready to close the connection, it sends a connection-termination request to the client with FIN set to 1.

After sending, the server enters the LAST_ACK state, waiting for the final ACK from the client.

    • Fourth wave (ACK=1, acknum=y+1)

The client receives the server's close request, sends an acknowledgement packet, and enters the TIME_WAIT state, waiting in case the acknowledgement is lost and must be retransmitted.

After the server receives this acknowledgement packet, it closes the connection and enters the CLOSED state.

The client waits a fixed time (two maximum segment lifetimes, 2MSL, 2 × Maximum Segment Lifetime); if it receives nothing further from the server, it takes the server to have closed the connection properly, so it also closes the connection and enters the CLOSED state.

The four-way wave is as follows:
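As an added example covering both the three-way handshake and the four-way wave described above (this is illustrative code written for these notes, not part of the original page or of any TCP implementation), the two endpoints below are modelled as small state machines. Each SYN and FIN consumes one sequence number, acknowledgement numbers are checked against the peer's expected value, and the trace records the seq/ack values x, x+1, y, y+1 exactly as the text labels them. The ISNs 1000 and 5000 are constructed values; a real stack picks them unpredictably.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    flags: tuple        # e.g. ("SYN",), ("SYN", "ACK"), ("ACK",), ("FIN", "ACK")
    seq: int
    ack: int = 0


@dataclass
class Endpoint:
    name: str
    isn: int                 # initial sequence number chosen by this side (x or y in the text)
    state: str = "CLOSED"
    snd_nxt: int = 0         # next sequence number this side will send
    rcv_nxt: int = 0         # next sequence number expected from the peer

    def passive_open(self):
        self.state = "LISTEN"

    def active_open(self):
        """connect(): first handshake, SYN=1, seq=x. A SYN consumes one sequence number."""
        self.snd_nxt = self.isn + 1
        self.state = "SYN_SENT"
        return Segment(self.name, ("SYN",), seq=self.isn)

    def close(self):
        """close(): send FIN from ESTABLISHED (first wave) or from CLOSE_WAIT (third wave)."""
        if self.state == "ESTABLISHED":
            self.state = "FIN_WAIT_1"
        elif self.state == "CLOSE_WAIT":
            self.state = "LAST_ACK"
        else:
            raise RuntimeError(f"{self.name}: close() not valid in {self.state}")
        seg = Segment(self.name, ("FIN", "ACK"), seq=self.snd_nxt, ack=self.rcv_nxt)
        self.snd_nxt += 1     # a FIN also consumes one sequence number
        return seg

    def receive(self, seg):
        """Apply one incoming segment; return the reply segment, or None if nothing is sent."""
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ack {seg.ack} does not match expected {self.snd_nxt}")
        if "SYN" in seg.flags:
            self.rcv_nxt = seg.seq + 1        # peer ISN + 1 becomes our acknowledgement number
        elif "FIN" in seg.flags:
            if seg.seq != self.rcv_nxt:
                raise ValueError(f"{self.name}: FIN seq {seg.seq} out of order")
            self.rcv_nxt = seg.seq + 1
        key = (self.state, seg.flags)
        if key == ("LISTEN", ("SYN",)):                 # second handshake: SYN=1, ACK=1, seq=y, ack=x+1
            self.snd_nxt = self.isn + 1
            self.state = "SYN_RCVD"
            return Segment(self.name, ("SYN", "ACK"), seq=self.isn, ack=self.rcv_nxt)
        if key == ("SYN_SENT", ("SYN", "ACK")):         # third handshake: ACK=1, ack=y+1
            self.state = "ESTABLISHED"
            return Segment(self.name, ("ACK",), seq=self.snd_nxt, ack=self.rcv_nxt)
        if key == ("SYN_RCVD", ("ACK",)):
            self.state = "ESTABLISHED"
            return None
        if key == ("ESTABLISHED", ("FIN", "ACK")):      # second wave: ACK=1, ack=x+1
            self.state = "CLOSE_WAIT"
            return Segment(self.name, ("ACK",), seq=self.snd_nxt, ack=self.rcv_nxt)
        if key == ("FIN_WAIT_1", ("ACK",)):
            self.state = "FIN_WAIT_2"
            return None
        if key == ("FIN_WAIT_2", ("FIN", "ACK")):       # fourth wave: ACK=1, ack=y+1
            self.state = "TIME_WAIT"
            return Segment(self.name, ("ACK",), seq=self.snd_nxt, ack=self.rcv_nxt)
        if key == ("LAST_ACK", ("ACK",)):
            self.state = "CLOSED"
            return None
        raise ValueError(f"{self.name}: unexpected {seg.flags} in state {self.state}")

    def time_wait_expired(self):
        """The 2MSL timer fires with nothing more heard from the peer."""
        if self.state != "TIME_WAIT":
            raise RuntimeError(f"{self.name}: not in TIME_WAIT")
        self.state = "CLOSED"


def run_connection(client_isn=1000, server_isn=5000):
    """Open with the three-way handshake, then close with the four-way wave started by the client.
    Returns (trace of segments, states after open, states after close)."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.passive_open()
    trace = []

    def exchange(seg, sender, receiver):
        while seg is not None:          # deliver, and keep going while replies are generated
            trace.append((seg.src, seg.flags, seg.seq, seg.ack, receiver.state))
            seg = receiver.receive(seg)
            sender, receiver = receiver, sender

    exchange(client.active_open(), client, server)
    after_open = (client.state, server.state)
    exchange(client.close(), client, server)    # waves 1 and 2
    exchange(server.close(), server, client)    # waves 3 and 4
    client.time_wait_expired()
    return trace, after_open, (client.state, server.state)


def half_open_after_syn(client_isn=1000, server_isn=5000):
    """Stop after the second handshake: with no third-handshake ACK the server stays in SYN_RCVD."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.passive_open()
    server.receive(client.active_open())
    return server.state


if __name__ == "__main__":
    for entry in run_connection()[0]:
        print(entry)
```

Running it prints seven segments: three for the handshake and four for the wave, with the server's acknowledgement numbers always one past the client's SYN or FIN sequence number and vice versa. `half_open_after_syn` shows the state a server is left in when the third handshake never arrives, which is the half-open connection discussed in the SYN attack section.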

SYN attack
    • What is a SYN attack (SYN flood)?

During the three-way handshake, after the server has sent the SYN-ACK and before it receives the client's ACK, the TCP connection is called a half-open connection, and the server is in the SYN_RCVD state. When the ACK is received, the server can move to the ESTABLISHED state.

A SYN attack is one in which the attacking client forges a large number of non-existent IP addresses in a short time and continuously sends SYN packets to the server; the server replies with acknowledgement packets and waits for the client's acknowledgement. Because the source addresses do not exist, the server must keep retransmitting until the timeout, and these forged SYN packets occupy the half-open connection queue for a long time, so normal SYN requests are discarded, the target system runs slowly, and in serious cases the network becomes congested or the system is paralyzed.

A SYN attack is a typical DoS/DDoS attack.

    • How do I detect a SYN attack?

Detecting a SYN attack is quite easy: when you see a large number of half-open connections on the server, especially when the source IP addresses are random, you can basically conclude that this is a SYN attack. On Linux/Unix you can use the system's own netstat command to check for SYN attacks.

    • How do I defend against SYN attacks?

A SYN attack cannot be completely blocked unless the TCP protocol is redesigned. What we can do is mitigate the damage of a SYN attack as much as possible; there are several common methods of defending against SYN attacks:

  1. Shorten the SYN timeout
  2. Increase the maximum number of half-open connections
  3. Filtering gateway protection
  4. SYN cookie technology
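The detection rule above (many half-open connections, spread across random source addresses) can be turned into a small check over netstat output. The following is an added example written for these notes, not a tool from the original page: it parses lines in the layout of `netstat -ant` on Linux, counts connections in the SYN_RECV state per foreign address, and flags the host when both the count and the spread of sources are high. The two netstat listings are constructed samples using documentation address ranges, and the thresholds are assumed starting points to tune per host.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by `netstat -ant` on Linux; the addresses are
# documentation ranges, not a real capture.
FLOOD_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:80        203.0.113.7:51234       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.9:51300       ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.11:40001        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.57:40002        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.103:40003       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.144:40004       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.201:40005       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.250:40006       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51235       TIME_WAIT
"""

# Constructed sample of a host under normal load: one client mid-handshake is not an attack.
QUIET_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:80        203.0.113.7:51234       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.8:51240       SYN_RECV
"""

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
HALF_OPEN_STATES = {"SYN_RECV", "SYN-RECV"}   # netstat spelling and the `ss` spelling


def parse_netstat(text):
    """Return (local, foreign_ip, state) tuples for every TCP line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, foreign, state = m.groups()
        foreign_ip, _, _port = foreign.rpartition(":")   # rpartition keeps IPv6 addresses intact
        conns.append((local, foreign_ip, state))
    return conns


def assess_syn_flood(text, min_half_open=5, min_spread=0.8):
    """Flag a SYN flood when there are many half-open connections and their sources are widely
    spread (the 'random source IP' symptom). Thresholds are assumed starting points, not page values."""
    half_open = [ip for _, ip, state in parse_netstat(text) if state in HALF_OPEN_STATES]
    per_source = Counter(half_open)
    total, distinct = len(half_open), len(per_source)
    spread = distinct / total if total else 0.0
    return {
        "half_open": total,
        "distinct_sources": distinct,
        "spread": round(spread, 2),
        "top_sources": per_source.most_common(3),
        "suspicious": total >= min_half_open and spread >= min_spread,
    }


if __name__ == "__main__":
    print(assess_syn_flood(FLOOD_SAMPLE))
    print(assess_syn_flood(QUIET_SAMPLE))
```

In practice the text is fed from `netstat -ant` (or `ss -tan`, which prints SYN-RECV with a hyphen, hence the two spellings). On Linux, mitigations 1, 2 and 4 from the list above correspond to the kernel settings `net.ipv4.tcp_synack_retries`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_syncookies`.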
TCP segment header format

TCP is byte-stream oriented, but the data unit transmitted by TCP is the segment.
The first 20 bytes of the TCP segment header are fixed. The following 4n bytes (n an integer) are options added as needed. Therefore the minimum length of the TCP header is 20 bytes.

1. Source port and destination port: 2 bytes each; the demultiplexing function is achieved through the ports.

2. Sequence number: 4 bytes. TCP is byte-stream oriented, and every byte in the stream transmitted over a TCP connection is numbered sequentially.

3. Acknowledgement number: 4 bytes, the sequence number of the first data byte of the next segment expected from the other side. If the acknowledgement number is N, it indicates that all data up to sequence number N-1 has been received correctly.

4. Data offset: 4 bits, which indicates how far the start of the data in the TCP segment is from the start of the TCP segment. This field actually indicates the TCP header length. The data offset field is necessary because the header also contains the option field, whose length is not fixed. The largest number a 4-bit binary field can represent is 15, so the maximum data offset is 60 bytes, which is the maximum length of the TCP header (that is, the option length cannot exceed 40 bytes).

5. Reserved: 6 bits, reserved for future use, but currently should be set to 0.

The following 6 control bits describe the nature of this segment.

6. Urgent URG: when URG=1, the urgent pointer field is valid. It tells the system that there is urgent data in this segment that should be transmitted as soon as possible rather than in the original queue order.

7. Acknowledgement ACK: the acknowledgement number field is valid only when ACK=1; when ACK=0 the acknowledgement number is invalid. TCP stipulates that after the connection is established all transmitted segments must have ACK set to 1.

8. Push PSH: when two application processes are communicating interactively, sometimes the application process at one end wants to receive a response immediately after typing a command. In this case TCP can use the push operation: the sending TCP sets PSH to 1 and immediately creates a segment to send out. The receiving TCP, on receiving a segment with PSH=1, delivers it to the receiving application process as quickly as possible instead of waiting until the whole buffer is full before delivering it upward.

9. Reset RST: when RST=1, a serious error has occurred in the TCP connection, and the connection must be released and then re-established. RST set to 1 is also used to reject an illegal segment or to refuse to open a connection.

10. Synchronize SYN: used to synchronize sequence numbers when a connection is established. When SYN=1 and ACK=0, this is a connection request segment. If the other party agrees to establish the connection, it should use SYN=1 and ACK=1 in the response segment. So SYN set to 1 indicates that this is a connection request or a connection acceptance message.

11. Terminate FIN: used to release a connection. When FIN=1, the sender of this segment has finished sending its data and requests that the transport connection be released.

12. Window: 2 bytes. The window refers to the receive window of the party sending this segment (not its own send window). The window tells the other side: starting from the acknowledgement number in this segment's header, the amount of data the receiver currently allows the other side to send. This limit exists because the receiving party's buffer space is limited. In short, the window field clearly indicates the amount of data that may now be sent. The window value changes dynamically all the time.

13. Checksum: 2 bytes. The scope of the checksum includes both the header and the data part. As with the UDP user datagram, a 12-byte pseudo-header is prepended to the TCP segment when the checksum is computed.

14. Urgent pointer: 2 bytes. The urgent pointer is meaningful only when URG=1; it indicates the number of bytes of urgent data in this segment (after the urgent data ends comes the ordinary data). Therefore the urgent pointer indicates the position of the end of the urgent data in the segment. Note that urgent data can be sent even when the window is zero.
15. Options: variable length, up to 40 bytes.
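The following is an added example for the header layout just described (written for these notes, not code from the original page): it serializes and parses the 20-byte fixed header, decodes the data offset, reserved bits and the six control bits, walks the option field, and splits off urgent data using the urgent pointer. The parser rejects a data offset that is below 5 words or runs past the end of the segment, which is the check a receiver needs before trusting the header length. The SYN segment with an MSS option (option kind 2, which is a real TCP option) is a constructed sample.

```python
import struct

# Control bits occupy the low 6 bits of the 16-bit word that also holds data offset (high 4 bits)
# and the 6 reserved bits.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
OPTION_MSS = 2   # option kind 2: Maximum Segment Size, 4 bytes in total


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, options=b"", urg_ptr=0, checksum=0):
    """Serialize a TCP header. Options are padded to a 32-bit boundary and capped at 40 bytes,
    so the data offset (header length in 32-bit words) stays within 5..15."""
    if len(options) > 40:
        raise ValueError("options exceed the 40-byte maximum")
    options = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | sum(FLAG_BITS[f] for f in flags)
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, checksum, urg_ptr)
    return fixed + options


def parse_tcp_options(raw):
    """Walk the option field as (kind, data) pairs; kind 0 ends the list and kind 1 is padding."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option truncated before its length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has bad length {length}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp_header(segment):
    """Decode the fixed header, validate the data offset against the segment, and split off
    options, payload and urgent data. Raises ValueError on a header that does not fit."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    src, dst, seq, ack, off_flags, window, checksum, urg_ptr = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = ((off_flags >> 12) & 0xF) * 4
    if header_len < 20:
        raise ValueError(f"data offset gives a {header_len}-byte header, below the 20-byte minimum")
    if header_len > len(segment):
        raise ValueError(f"data offset gives a {header_len}-byte header, longer than the segment")
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    payload = segment[header_len:]
    return {
        "src_port": src, "dst_port": dst, "seq": seq,
        "ack": ack if "ACK" in flags else None,        # acknowledgement number is invalid when ACK=0
        "header_len": header_len, "reserved": (off_flags >> 6) & 0x3F, "flags": flags,
        "window": window, "checksum": checksum,
        "options": parse_tcp_options(segment[20:header_len]),
        "urgent_data": payload[:urg_ptr] if "URG" in flags else b"",   # urgent bytes come first
        "payload": payload,
    }


def mss_from_options(options):
    """Return the advertised MSS, or None if the option is absent."""
    for kind, data in options:
        if kind == OPTION_MSS and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def header_is_valid(segment):
    try:
        parse_tcp_header(segment)
        return True
    except ValueError:
        return False


def forged_offset(segment, words):
    """Copy of a segment with its data offset overwritten, to exercise the bounds checks."""
    out = bytearray(segment)
    out[12] = (words << 4) | (out[12] & 0x0F)
    return bytes(out)


# Constructed sample: a connection-request segment (SYN=1, ACK=0) advertising MSS 1460.
SYN_SEGMENT = build_tcp_header(40000, 80, 1000, 0, {"SYN"}, 65535,
                               options=bytes([OPTION_MSS, 4]) + struct.pack("!H", 1460))

if __name__ == "__main__":
    print(parse_tcp_header(SYN_SEGMENT))
```

The checksum field is left at zero here because computing it needs the IP addresses for the pseudo-header; the procedure is the same one shown for UDP in the checksum section, with protocol number 6 in place of 17.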

TCP flow control and congestion control
