TCP/IP


IPv4 Header

  • Version: IPv4 or IPv6
  • IHL: Internet Header Length
  • DSCP: QoS
  • ECN: Explicit Congestion Notification, end-to-end notification of network congestion
  • Total Length: length
  • Identification: IP ID
  • Flags: bit 0: Reserved, must be 0 | bit 1: Don't Fragment (DF) | bit 2: More Fragments (MF)
  • Fragment Offset
  • Time To Live: TTL
  • Protocol: examples of protocol numbers: 1: ICMP | 2: IGMP | 6: TCP | 17: UDP | 41: ENCAP | 89: OSPF
  • Header Checksum
  • Source IP Address
  • Destination IP Address

IPv6 Header

  • Version: IPv6
  • DSCP: QoS
  • ECN: Explicit Congestion Notification
  • Flow Label: This label is used to maintain the sequential flow of the packets belonging to a communication. (20 bits)
  • Payload Length (16 bits)
  • Next Header: This field indicates either the type of Extension Header or the upper-layer protocol, such as TCP or UDP. (8 bits)
  • Hop Limit: Time To Live (8 bits)
  • Source IP Address
  • Destination IP Address

IPv6 NDP

Network discovery Protocol
We have 5 types of messages
Router solicitation:
  • When a host joins the network, it will send a ROUTER SOLICITATION to discover the IPv6-capable router
  • source = link-local address of the host
  • destination = ff02::2
Router Advertisement:
  • The router will send a ROUTER ADVERTISEMENT periodically and will reply to a ROUTER SOLICITATION with a unicast ROUTER ADVERTISEMENT.
  • Source = link-local address of the host
  • Destination = ff02::1 or IPv6 address of the host who sends the Router Solicitation
  • Contents: link prefixes, MTU, specific routes, if we are using SLAAC
Neighbour solicitation:
  • The function of ARP is replaced by Neighbor Solicitation. A host sends a Neighbor Solicitation to discover its neighbour
  • Source IP = host IPv6 address
  • Destination IP = ff02::1:ff00:100
Neighbour advertisement:
  • The Neighbour advertisement is a reply message to the Neighbor Solicitation
  • Destination and source are unicast
Redirect:
  • Same as in IPv4, a redirect message

SLAAC: Stateless Address Autoconfiguration
SLAAC lets hosts derive their IP address from the RA message. The IPv6 network prefix is advertised by the router advertisements of the NDP protocol, and the resulting host address is an EUI-64 address.
Example:
If the MAC is aabb.cc00.010 and the router IP is 2001::1/64, the host SLAAC IP will be 2001::A8BB:CCFF:FE00:100. You split the MAC into its first 3 and last 3 bytes and add FFFE in between.


The migration techniques
1 - Dual-Stack:
IPv4 and IPv6 coexist in the same devices and networks. This method implies the use of both protocols in parallel in the devices.
2 - Translators:
Translation from IPv4 to IPv6 and from IPv6 to IPv4 to allow communication between them. (NAT - PAT)
3 - Tunneling:
Transport of IPv6 packets in IPv4 tunnels and IPv4 packets in IPv6 tunnels is ideal when the core doesn’t support IPv6. (MPLS with 6PE or 6VPE, GRE, ...)
 

TCP

1- Start the conversation:
- SYN sent by host
- SYN-ACK reply by server
- ACK reply back from host


2- Conversation:
  • The sequence number identifies the order of the bytes sent from each computer so that the data can be reconstructed in order, regardless of any packet reordering or packet loss that may occur during transmission.
  • The sequence number of the first byte is chosen by the transmitter for the first packet, which is flagged SYN. This number can be arbitrary and should, in fact, be unpredictable to defend against TCP sequence prediction attacks.
  • Acknowledgements (ACKs) are sent with a sequence number by the data receiver to tell the sender that data has been received up to the specified byte.
  • Reliability is achieved by the sender detecting lost data and retransmitting it. TCP uses two primary techniques to identify loss: retransmission timeout (abbreviated as RTO) and duplicate cumulative acknowledgements (DupAcks).
  • The ACK number is the number of the data byte that the recipient expects in the next packet
  • The sequence number is incremented by the data size

3- End conversation:
- ACK-FIN sent by host
- ACK-FIN reply by server
- ACK reply back from the host
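
The sequence and acknowledgement accounting from steps 1 to 3, as a checker run over a captured conversation. This is an added example, not part of the original notes; the segment tuples and the fixed initial sequence numbers are constructed for readability (a real stack chooses unpredictable ones, as noted above).

```python
MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around

def ahead(a: int, b: int) -> bool:
    """True when sequence number a is later than b, allowing for wrap-around."""
    return 0 < (a - b) % MOD < MOD // 2

def check_conversation(segments):
    """Return (index, problem) for every segment that breaks seq/ack accounting.

    Each segment is (sender, flags, seq, ack, payload_len) with sender
    "host" or "server", in the order the segments were captured.
    """
    next_seq = {}        # sender -> sequence number of its next new byte
    problems = []
    for i, (sender, flags, seq, ack, length) in enumerate(segments):
        peer = "server" if sender == "host" else "host"
        if "SYN" in flags:
            next_seq[sender] = seq                 # initial sequence number
        elif sender not in next_seq:
            problems.append((i, "segment before SYN"))
            continue
        elif seq != next_seq[sender]:
            kind = "gap" if ahead(seq, next_seq[sender]) else "retransmission"
            problems.append((i, kind))
            continue
        if "ACK" in flags and peer in next_seq and ahead(ack, next_seq[peer]):
            problems.append((i, "ACK for data never sent"))
        # SYN and FIN each consume one sequence number, data consumes its size.
        consumed = length + ("SYN" in flags) + ("FIN" in flags)
        next_seq[sender] = (seq + consumed) % MOD
    return problems

# Constructed capture: handshake, 100 bytes of data, teardown.
CLEAN = [
    ("host",   {"SYN"},        1000, 0,    0),
    ("server", {"SYN", "ACK"}, 5000, 1001, 0),
    ("host",   {"ACK"},        1001, 5001, 0),
    ("host",   {"PSH", "ACK"}, 1001, 5001, 100),
    ("server", {"ACK"},        5001, 1101, 0),
    ("host",   {"FIN", "ACK"}, 1101, 5001, 0),
    ("server", {"FIN", "ACK"}, 5001, 1102, 0),
    ("host",   {"ACK"},        1102, 5002, 0),
]
```

An ACK number behind the peer's latest byte is not reported, because cumulative and duplicate ACKs are normal; only an ACK beyond what the peer has sent is flagged.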

4- MSS
- The maximum segment size (MSS) is the largest amount of data, specified in bytes, that TCP is willing to receive in a single segment.
- MSS should be set small enough to avoid IP fragmentation

5- TCP checksum

6- Window size:
The size of the receive window, which specifies the number of window size units that the sender of this segment is currently willing to receive

7- Window scaling:
The window scale option is used only during the TCP 3-way handshake. Both sides must send the option in their SYN segments to enable window scaling in either direction.

8- SACKs:
Selective acknowledgements (SACKs) are used to give more explicit feedback on which packets have been received. This greatly improves TCP's ability to retransmit the right packets.

9- PSH (1 bit):
Push function. Asks to push the buffered data to the receiving application.

10- RST (1 bit):
Reset the connection
 

DHCP

- DISCOVERY
This is the first packet sent from the host; it is a broadcast packet.
source= sender's MAC; destination=FF:FF:FF:FF:FF:FF
- OFFER
source= sender's MAC; destination=client MAC address
The packet contains the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer, GATEWAY, DNS, TFTP ...
- REQUEST
source= sender's MAC; destination=FF:FF:FF:FF:FF:FF
A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer.
Based on the required server identification option in the request and broadcast messaging, servers are informed of whose offer the client has accepted.
- ACKNOWLEDGE
This packet includes the lease duration and any other configuration information that the client might have requested.
At this point, the IP configuration process is completed.

 

DNS

DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. When the length of the answer exceeds 512 bytes and both client and server support EDNS, larger UDP packets are used. Otherwise, the query is sent again using the Transmission Control Protocol (TCP). TCP is also used for tasks such as zone transfers. Some resolver implementations use TCP for all queries.
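
The size rule above in code: a query with or without an EDNS OPT record, and the server's choice between answering over UDP and telling the client to retry over TCP. This is an added example, not part of the original notes; the server signals the retry with the TC (truncated) header bit, the reply is reduced to its 12-byte header, and all function names are illustrative.

```python
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100      # header flag bits
OPT = 41                                  # EDNS pseudo-record type

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qid: int, edns_size: int = 0) -> bytes:
    """A/IN query; edns_size > 0 appends an OPT record advertising that size."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # OPT: root name, type 41, class = UDP payload size, TTL 0, no options
    opt = b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0) if edns_size else b""
    return header + question + opt

def advertised_udp_size(query: bytes) -> int:
    """512 bytes unless the query carries an OPT record asking for more."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", query[4:12])
    pos = 12
    for _ in range(qdcount):
        while query[pos]:                 # walk the length-prefixed labels
            pos += query[pos] + 1
        pos += 5                          # root byte, QTYPE, QCLASS
    if arcount and query[pos:pos + 1] == b"\x00":
        rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == OPT:
            return max(size, 512)
    return 512

def server_reply(query: bytes, response_len: int, server_edns: bool = True) -> bytes:
    """Header of the UDP reply: TC is set when the full response does not fit."""
    qid, = struct.unpack("!H", query[:2])
    limit = advertised_udp_size(query) if server_edns else 512
    flags = QR | RD | (TC if response_len > limit else 0)
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)

def needs_tcp_retry(reply: bytes) -> bool:
    flags, = struct.unpack("!H", reply[2:4])
    return bool(flags & QR) and bool(flags & TC)
```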

DNS query steps
Usually, the computer will first check the operating system and its cache memory. If it doesn't find the IP address for the requested domain name, it will send a query to the next level, to what is called the "Resolver Server", which is usually your ISP.
When the "Resolver" receives the query, it will check its own cache memory to find an IP address. If it can't find it, it will send the query to the next level, which is the Root Server.
When the "Root Server" receives the query for the requested domain name, it will not know what the IP Address is, but it knows where to send the resolver to help it find the IP address.
The "Root Server" will direct the "Resolver" to the TLD (Top Level Domain) Server for the ".com" domain. The resolver will now ask the TLD to provide the IP address for the requested domain name. In turn, the TLD server will not know the IP address for the Requested Website.
The TLD will direct the "Resolver" to the next and final level, which are the authoritative name servers (ANS). When the ANS receives the query from the resolver, the name server will respond with the IP address for the website.
Finally, the resolver will tell the computer the IP address for the server. Once the "Resolver" receives the IP address, it will store it in its cache memory in case it receives another query for the same website, so it doesn't have to go through all the steps over again.
 
