Cisco Systems


 


 

Module 10: Intermediate TCP/IP
Module Overview

10.1 TCP Operation

10.1.1 TCP operation
10.1.2 Synchronization or 3-way handshake
10.1.3 Denial of service attacks
10.1.4 Windowing and window size
10.1.5 Sequencing numbers
10.1.6 Positive ACK
10.1.7 UDP operation

10.2 Overview of Transport Layer Ports

10.2.1 Multiple conversations between hosts
10.2.2 Ports for services
10.2.3 Ports for clients
10.2.4 Port numbering and well-known port numbers
10.2.5 Example of multiple sessions between hosts
10.2.6 Comparison of MAC addresses, IP addresses, and port numbers

Module Summary
Module Quiz

 

 
All contents copyright © 2003 Cisco Systems, Inc. All rights reserved.

 

Overview
 
Routers use the Internet Protocol (IP) address information in an IP packet header to determine which interface the packet should be switched to in order to move it closer to its destination. Because IP does not provide any services to help ensure that the packet actually reaches the destination, it is described as an unreliable, connectionless protocol that uses best-effort delivery. If packets are dropped en route, arrive in the wrong order, or are transmitted faster than the receiver can accept them, IP alone cannot correct the problem. To address these problems, IP relies upon the Transmission Control Protocol (TCP). This module describes TCP and its functions and introduces UDP, another important Layer 4 protocol.

Each layer within the OSI networking model has various functions. These functions are independent of the other layers. Each layer expects to receive services from the layer beneath it, and each layer provides certain services to the layer above it. The application, presentation, and session layers of the OSI model, which are all considered to be part of the application layer in the TCP/IP model, access the services of the transport layer through logical entities called ports. This module will introduce the concept of ports and will explain the critical importance of ports and port numbers in data networking.

Students completing this module should be able to:

  • Describe TCP and its function
  • Describe TCP synchronization and flow control
  • Describe UDP operation and processes
  • Identify common port numbers
  • Describe multiple conversations between hosts
  • Identify ports used for services and clients
  • Describe port numbering and well-known ports
  • Understand the differences and the relationship between MAC addresses, IP addresses, and port numbers

 

10.1 TCP Operation

10.1.1 TCP operation

IP addresses allow for the routing of packets between networks. However, IP makes no guarantees about delivery. The transport layer is responsible for the reliable transport of data and for regulating the flow of data from source to destination. This is accomplished using sliding windows and sequence numbers, along with a synchronization process that ensures each host is ready and willing to communicate.

To understand reliability and flow control, think of a student who studies a foreign language for one year. Now imagine the student visits a country where the language is used. In conversation, the student must ask people to repeat their words (for reliability) and to speak slowly, so the student can understand the words (flow control). The transport layer, Layer 4 of the OSI model, provides these services to Layer 5 by way of TCP.

 

10.1.2 Synchronization or 3-way handshake

TCP is a connection-oriented protocol. Prior to data transmission, the two communicating hosts go through a synchronization process to establish a virtual connection. This synchronization process ensures that both sides are ready for data transmission and allows the devices to determine the initial sequence numbers. The process is known as a three-way handshake, because three steps establish the virtual connection between the two devices:
  • First, one host initiates a connection by sending a synchronization (SYN) packet indicating its initial sequence number of x, with a certain bit in the header set to indicate a connection request. This bit is set in the acknowledgment number field of the TCP header (also referred to as the code field).
  • Second, the other host receives the packet, records the sequence number x, replies with an acknowledgment of x + 1, and includes its own initial sequence number of y. The acknowledgment number of x + 1 means the host has received all octets up to and including x and is expecting x + 1 next.
  • Finally, the initiating host responds with a simple acknowledgment (ACK) of y + 1 (the second host's sequence number + 1), indicating it received the previous ACK. This finalizes the connection process.

It is important to understand that sequence numbers are a part of initiating communication between the two devices. They act as reference starting numbers between the two devices. The sequence numbers give each host a way to ACK the SYN so that the receiver knows the sender is responding to the proper connection request.
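The three segments described above, built and checked in code. This is an added example, not part of the Cisco curriculum; the port numbers and the initial sequence numbers x = 1000 and y = 5000 are constructed values. It packs the fixed 20-byte TCP header, parses it back, and verifies the x + 1 / y + 1 relations (including wrap-around of the 32-bit sequence space).

```python
import struct

# TCP control bits. In the header they occupy a 6-bit field that follows the
# data offset (RFC 793 calls them "control bits").
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MASK32 = 0xFFFFFFFF   # sequence and acknowledgment numbers wrap modulo 2**32


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Pack a minimal 20-byte TCP header (no options, checksum left at 0)."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)   # data offset = 5 words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq & MASK32,
                       ack & MASK32, offset_and_flags, window, 0, 0)


def parse_tcp_header(data):
    """Unpack the fixed part of a TCP header into a dict of its fields."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIHHHH", data[:20])
    src, dst, seq, ack, offset_and_flags, window, _csum, _urg = fields
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": offset_and_flags & 0x3F,
            "header_len": (offset_and_flags >> 12) * 4, "window": window}


def check_handshake(syn, syn_ack, final_ack):
    """Check three segments against the relations the text describes:
    SYN(seq=x); SYN/ACK(seq=y, ack=x+1); ACK(seq=x+1, ack=y+1)."""
    a, b, c = (parse_tcp_header(s) for s in (syn, syn_ack, final_ack))
    x, y = a["seq"], b["seq"]
    return all([
        a["flags"] == SYN,                          # step 1: connection request
        b["flags"] == SYN | ACK,                    # step 2: accept + own SYN
        b["ack"] == (x + 1) & MASK32,               # "received x, expecting x+1"
        b["src_port"] == a["dst_port"] and b["dst_port"] == a["src_port"],
        c["flags"] == ACK,                          # step 3: plain ACK
        c["ack"] == (y + 1) & MASK32,               # acknowledges y
        c["seq"] == (x + 1) & MASK32,               # initiator's next octet
        c["src_port"] == a["src_port"] and c["dst_port"] == a["dst_port"],
    ])


# Constructed exchange: a client on port 1045 opening a connection to port 80
# with initial sequence numbers x = 1000 and y = 5000.
X, Y = 1000, 5000
SEG1 = build_tcp_header(1045, 80, X, 0, SYN)
SEG2 = build_tcp_header(80, 1045, Y, X + 1, SYN | ACK)
SEG3 = build_tcp_header(1045, 80, X + 1, Y + 1, ACK)
```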

Interactive Media Activity

Drag and Drop: TCP Synchronization

After completing this activity, the student will be able to understand TCP synchronization.

Web Links

3-Way Handshake
http://www.cs.panam.edu/~meng/Course/CS6345/Notes/chpt-6/node8.html

10.1.3 Denial of service attacks

Denial of service (DoS) attacks are designed to deny services to legitimate hosts attempting to establish connections. DoS attacks are a common method that hackers utilize to halt system response. One type of DoS is known as SYN flooding. SYN flooding exploits the normal three-way handshake and causes targeted devices to send SYN/ACKs to source addresses that will never complete the handshake.

The three-way handshake begins when the initiating host sends a synchronization (SYN) packet. The SYN packet includes the source IP address and the destination IP address. The recipient uses this source and destination address information to send the SYN/ACK packet back to the initiating device.

In a DoS attack, the hacker initiates a synchronization but spoofs the source IP address, that is, the SYN carries a source address that does not belong to the sender. The receiving device replies to a non-existent, unreachable IP address and is then placed in a wait state while waiting to receive the final ACK from the initiator. The waiting request is placed in a connection queue or a holding area in memory. This waiting state requires the attacked device to commit system resources, such as memory, to the waiting process until the connection timer times out. Hackers flood the attacked host with these false SYN requests, using up all of its connection resources to respond to and wait for false connections and preventing it from responding to legitimate connection requests.

To defend against these attacks, system administrators may decrease the connection timeout period and increase the connection queue size. Software also exists that can detect these types of attacks and initiate defensive measures.
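A capacity model of the connection queue, added here as an illustration (it is not from the course and models no particular operating system). It shows the effect of the two settings the text names: half-open entries are held until the connection timer expires, so the queue stays usable only while the rate of SYNs that never complete times the timeout stays below the queue size. Sizes, timers and rates are constructed values.

```python
from collections import deque


class HalfOpenQueue:
    """Model of a listener's connection queue. Each entry is a SYN that was
    answered with SYN/ACK and is waiting for the final ACK. An entry leaves
    the queue when that ACK arrives or when the connection timer expires."""

    def __init__(self, size, timeout_ms):
        self.size = size
        self.timeout_ms = timeout_ms
        self.pending = deque()            # (arrival_ms, source), oldest first

    def expire(self, now_ms):
        """Drop entries whose connection timer has run out."""
        while self.pending and now_ms - self.pending[0][0] >= self.timeout_ms:
            self.pending.popleft()

    def admit(self, now_ms, source):
        """Queue a new SYN; False means the queue is full and the SYN is refused."""
        self.expire(now_ms)
        if len(self.pending) >= self.size:
            return False
        self.pending.append((now_ms, source))
        return True

    def complete(self, source):
        """The final ACK arrived: the entry becomes a connection and leaves."""
        for entry in self.pending:
            if entry[1] == source:
                self.pending.remove(entry)
                return True
        return False


def absorbs(size, timeout_ms, syn_rate):
    """Rule of thumb: SYNs that never complete, arriving at syn_rate per
    second, occupy about syn_rate * timeout slots at any moment, so the
    listener keeps accepting only while that stays below the queue size."""
    return syn_rate * timeout_ms / 1000 < size


def simulate(size, timeout_ms, syn_rate, duration_ms):
    """Feed the queue a steady stream of SYNs whose final ACK never comes and
    count how many the listener could queue versus refuse."""
    q = HalfOpenQueue(size, timeout_ms)
    interval_ms = 1000 // syn_rate          # integer clock keeps the model exact
    admitted = refused = 0
    for now_ms in range(0, duration_ms, interval_ms):
        if q.admit(now_ms, "unreachable-source"):
            admitted += 1
        else:
            refused += 1
    return admitted, refused
```

With a 75-second timer and a queue of 128, 100 uncompleted SYNs per second keep the queue full almost the whole time; a 10-second timer with a queue of 1024 absorbs the same stream without a single refusal.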

  Web Links

Denial of Service (DoS) Attack Resources

http://www.denialinfo.com/

 

10.1.4 Windowing and window size

The amount of data that needs to be transmitted is often too large to be sent in a single data segment. In this case, the data must be broken into smaller pieces to allow for proper data transmission. TCP is responsible for breaking data into segments. This is similar to feeding a child. Since most small children cannot eat extremely large bites, the person feeding a child will often cut the food into smaller pieces that the child's mouth can accommodate. Additionally, receiving machines may not be able to receive data as quickly as the source can send it, perhaps because the receiving device is busy with other tasks or because the sender is simply a more robust device.

Once the data is segmented, it must be transmitted to the destination device. One of the services provided by TCP is flow control, which regulates how much data is sent during a given transmission period. The process of flow control is known as windowing.

Window size determines the amount of data that can be transmitted at one time before receiving an acknowledgment from the destination. After a host transmits the window-sized number of bytes, the host must receive an acknowledgment that the data has been received before it can send any more data. For example, with a window size of 1, each individual segment must be acknowledged before sending the next segment.

TCP utilizes a sliding window when determining transmission size. A sliding window allows for devices to negotiate a window size to allow for more than one byte to be sent during a single transmission. This sliding window also allows the destination device to indicate to the source a need to decrease or increase the amount of data being sent because it is incapable at that time of dealing with that much data.

Interactive Media Activity

Matching: Windowing

After completing this activity, the student will be able to understand windowing.

Web Links

Windowing Packets
http://howto.lycos.com/lycos/step/1,,5+30+34556+34645+34650,00.html

 

10.1.5 Sequencing numbers

TCP breaks data into segments. The data segments are then transported from sender to receiver, following the synchronization process and the negotiation of a window size that dictates the number of bytes that can be transmitted at any one time. The data segments being transmitted must be reassembled once all the data is received. There is no guarantee that the data will arrive in the order it was transmitted. TCP applies sequence numbers to the data segments it transmits so that the receiver can reassemble the bytes in their original order. Without them, segments that arrive out of order could be reassembled incorrectly. Sequence numbers tell the destination device the correct order in which to place the bytes when they are received.

These sequence numbers also act as reference numbers so that the receiver will know whether it has received all of the data. They also identify the missing data pieces to the sender so it can retransmit the missing data. This offers increased efficiency, since the sender only needs to retransmit the missing segments instead of the entire set of data.

Each TCP segment is numbered before transmission. Notice that following the destination port in the segment format is the sequence number portion. At the receiving station, TCP uses the sequence numbers to reassemble the segments into a complete message. If a sequence number is missing in the series, that segment is re-transmitted.

 

10.1.6 Positive ACK

Acknowledgment is a common step in the synchronization process, which includes sliding windows and data sequencing. In a TCP segment, the sequence number field is followed by the acknowledgment number field, also referred to as the code field. This field is where acknowledgments, or ACKs (as well as SYN), are indicated.

One problem with the unreliable IP protocol is that there is no verification method for determining that data segments actually reached their destination. So data segments may be constantly forwarded with no knowledge as to whether or not they were actually received. TCP utilizes positive acknowledgment and retransmission to control data flow and confirm data delivery.

Positive acknowledgment and retransmission (PAR) is a common technique many protocols use to provide reliability. With PAR, the source sends a packet, starts a timer, and waits for an acknowledgment before sending the next packet. If the timer expires before the source receives an acknowledgment, the source retransmits the packet and starts the timer over again. TCP uses expectational acknowledgments in which the acknowledgment number refers to the next octet that is expected.

Windowing is a flow control mechanism requiring that the source device receive an acknowledgment from the destination after transmitting a certain amount of data. With a window size of three, the source device can send three octets to the destination. It must then wait for an acknowledgment. If the destination receives the three octets, it sends an acknowledgment to the source device, which can now transmit three more octets. If, for some reason, the destination does not receive the three octets, possibly due to overflowing buffers, it does not send an acknowledgment. Because the source does not receive an acknowledgment, it knows that the octets should be retransmitted and that the transmission rate should be slowed.
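A simulation of the three mechanisms from 10.1.4, 10.1.5 and 10.1.6 working together, added here as an example (not code from the course): a receiver that reassembles octets by sequence number and answers with an expectational ACK, and a sender that uses positive acknowledgment and retransmission over a window, retransmitting and slowing down when a whole window is lost. The initial sequence number, the window of three octets and the loss pattern are constructed; "halve the window on loss, grow it back by one per successful round" is an assumed stand-in for the text's "the transmission rate should be slowed".

```python
class Receiver:
    """Destination side: reassembles octets in sequence-number order and
    answers with an expectational ACK, the number of the next octet it wants."""

    def __init__(self, isn):
        self.expected = isn            # next in-order octet
        self.out_of_order = {}         # seq -> payload, held until the gap fills
        self.data = bytearray()

    def receive(self, seq, payload):
        if seq >= self.expected:                   # older octets are duplicates
            self.out_of_order.setdefault(seq, payload)
        while self.expected in self.out_of_order:  # slide over contiguous data
            chunk = self.out_of_order.pop(self.expected)
            self.data += chunk
            self.expected += len(chunk)
        return self.expected


def transfer(data, isn, window, lost_once, seg_size=1):
    """Source side: PAR with a window. Each round sends up to `window` octets
    from the oldest unacknowledged one, then waits for the ACK. If the ACK does
    not advance (the timer would expire) the same octets are retransmitted and
    the window is halved (assumed stand-in for "slow the rate"); each
    successful round grows it back by one octet up to the negotiated size.
    `lost_once` lists sequence numbers whose first transmission is dropped."""
    rx = Receiver(isn)
    lost_once = set(lost_once)
    base, end, max_window = isn, isn + len(data), window
    rounds = retransmits = 0
    while base < end:
        rounds += 1
        for seq in range(base, min(base + window, end), seg_size):
            if seq in lost_once:
                lost_once.discard(seq)             # dropped on the wire this time
                continue
            rx.receive(seq, data[seq - isn:seq - isn + seg_size])
        ack = rx.expected                          # cumulative ACK for the round
        if ack == base:                            # no progress: timer expiry
            retransmits += 1
            window = max(1, window // 2)
        else:
            window = min(max_window, window + 1)
        base = ack
    return bytes(rx.data), rounds, retransmits


# Constructed run: 12 octets, initial sequence number 100, window of 3 octets,
# and the whole second window (octets 103-105) lost on its first transmission.
RESULT = transfer(b"HELLO, WORLD", 100, 3, {103, 104, 105})
```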

Lab Activity

Lab Exercise: Multiple Active Host Sessions

This lab will show port usage on a single host attached to a router.

Interactive Media Activity

Interactivity: TCP Sliding Windows

After completing this activity, the student will be able to understand window size.

Web Links

TCP - Positive Acknowledgment and Re-transmission
http://www.it.iitb.ac.in/~jaju/tutorials/net/tcpip/node22.html

 

10.1.7 UDP operation

The TCP/IP protocol stack contains many different protocols, each designed to perform a certain task. IP provides Layer 3 connectionless transport through an internetwork. TCP enables connection-oriented, reliable transmission of packets at Layer 4 of the OSI model. UDP provides connectionless, non-guaranteed transmission of packets at Layer 4 of the OSI model.

Both TCP and UDP use IP as their underlying Layer 3 protocol. In addition, TCP and UDP are used by various application layer protocols. TCP provides services for applications, such as FTP, HTTP, SMTP, and DNS. UDP is the transport layer protocol used by DNS, TFTP, SNMP, and DHCP.

TCP must be used when applications need to guarantee that a packet arrives intact, in sequence, and unduplicated. The overhead associated with ensuring delivery of the packet is sometimes a problem when using TCP. Not all applications need to guarantee delivery of the data packet, so they use the faster, connectionless delivery mechanism afforded by UDP. The UDP protocol standard, described in RFC 768, is a simple protocol that exchanges segments without acknowledgments or guaranteed delivery.

UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection. The Source Port field is an optional field used only if information needs to return to the sending host. When a destination router receives a routing update, the source router is not requesting anything, so nothing needs to return to the source; there is no exchange of information or data. The Destination Port field specifies the application to which UDP needs to pass the data. A DNS request from a host to a DNS server would have a Destination Port field of 53, the UDP port number for DNS. The Length field identifies the number of octets in the UDP segment. The UDP checksum is optional but should be used to ensure that the data has not been damaged during transmission. For transport across the network, UDP is encapsulated within the IP packet.

Once a UDP segment arrives at the destination IP address, a mechanism must exist which allows the receiving host to determine the exact destination application. Destination ports are used for this purpose. If a host is running both TFTP and DNS services, it must be able to determine what service the arriving UDP segments need. The Destination Port field in the UDP header determines the application to which a UDP segment will be delivered.
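The UDP header fields just described, built and checked in code (an added example, not from the course). It assembles a segment for a DNS query to destination port 53 and computes the RFC 768 checksum over the IPv4 pseudo-header plus the header and data, which is what lets the receiver detect damaged data and data delivered to the wrong address. The addresses, the client port 1045 and the DNS query bytes are constructed.

```python
import socket
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data):
    """Add 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data = data + b"\x00"            # odd length: pad for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip, dst_ip, segment):
    """RFC 768 checksum: one's complement of the sum over the IPv4 pseudo-header
    (addresses, protocol, UDP length) plus the UDP header and data, with the
    checksum field itself counted as zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, UDP_PROTOCOL, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                # a computed 0 is sent as all ones


def build_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a UDP segment: 8-byte header (ports, length, checksum) + data."""
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, segment)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(segment):
    """Split a UDP segment into its header fields and data."""
    src, dst, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "data": segment[8:length]}


def verify_udp(src_ip, dst_ip, segment):
    """True if length and checksum agree with the bytes; False if corrupted;
    None if the sender left the optional checksum at zero (nothing to check)."""
    hdr = parse_udp(segment)
    if hdr["length"] != len(segment) or hdr["length"] < 8:
        return False
    if hdr["checksum"] == 0:
        return None
    return udp_checksum(src_ip, dst_ip, segment) == hdr["checksum"]


# Constructed DNS query (ID 0x1234, one question: www.example.com, type A)
# from an ephemeral client port to the DNS server port 53.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
CLIENT_IP, SERVER_IP = "192.0.2.10", "192.0.2.53"
SEGMENT = build_udp(CLIENT_IP, SERVER_IP, 1045, 53, DNS_QUERY)
```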

Web Links

UDP - Internet User Datagram Protocol
http://www.networksorcery.com/enp/protocol/udp.htm

 

10.2 Overview of Transport Layer Ports

10.2.1 Multiple conversations between hosts

At any given moment, thousands of packets providing hundreds of different services traverse a modern network. In many cases, servers provide a multitude of services, which causes unique problems for the addressing of packets. If a server is running both SMTP and WWW, it uses the destination port field to determine what service the source is requesting. The source cannot construct a packet destined for just the server IP address, because the destination would not know what service was being requested. A port number must be associated with the conversation between hosts to ensure that the packet reaches the appropriate service on the server. Without a way to distinguish between different conversations, the client would be unable to send an email and browse a web page on the same server at the same time. A method of separating transport layer conversations must be used.

Hosts running TCP/IP associate ports at the transport layer with certain applications. Port numbers are used to keep track of different conversations that cross the network at the same time. Port numbers are needed when a host is communicating with a server running multiple services. Both TCP and UDP use port or socket numbers to pass information to the upper layers.

Application software developers have agreed to use the well-known port numbers that are defined in RFC 1700. Any conversation bound for the FTP application uses the standard port number 21. Conversations that do not involve applications with well-known port numbers are assigned port numbers that have been randomly selected from within a specific range. These port numbers are used as source and destination addresses in the TCP segment.

Port numbers have the following assigned ranges:

  • Numbers below 255 are reserved for public applications
  • Numbers from 255-1023 are assigned to companies for marketable applications
  • Numbers above 1023 are unregulated

End systems use port numbers to select proper applications. Source port numbers are dynamically assigned by the originating host, and are usually a number larger than 1023. Port numbers in the range of 0-1023 are controlled by the Internet Assigned Numbers Authority.

Post office box numbers are a good analogy for port numbers. A piece of mail may be sent to a zip code, city, and P.O. box. The zip code and city direct mail to the correct general mail facility while the P.O. box ensures the item is delivered to the one individual to whom the mail is addressed. Similarly, the IP address gets the packet to the correct server, but the TCP or UDP port number guarantees the packet is passed to the correct application.

 

10.2.2 Ports for services

Services running on hosts must have a port number assigned to them so communication can occur. A remote host attempting to connect to a service expects that service to use specific transport layer protocols and ports. Some ports, defined in RFC 1700, are known as the well-known ports and are reserved in both TCP and UDP.

These well-known ports define applications that run above the transport layer protocols. For instance, a server running the FTP service will forward TCP connections using ports 20 and 21 from clients to its FTP application. In this way, the server can determine exactly what service a client is requesting. TCP and UDP use port numbers to determine the correct service to which requests are forwarded.

Web Links

Ports and Services
http://www.spirit.com/Resources/ports.html

 

10.2.3 Ports for clients

Whenever a client connects to a service on a server, a source and destination port must be specified. TCP and UDP segments contain fields for source and destination ports. Destination ports, or ports for services, are normally defined using the well-known ports. Source ports set by the client are determined dynamically.

In general, a client determines the source port by randomly assigning a number above 1023. For instance, a client attempting to communicate with a web server uses TCP and assigns the destination port as 80 and the source port as 1045. When the packet arrives at the server, it passes up to the transport layer and eventually to the HTTP service, which operates at port 80. The HTTP server responds to the client's request with a segment that uses port 80 as the source and 1045 as the destination. In this way, clients and servers use ports to distinguish which process a segment is associated with.

Web Links

Standard TCP and UDP Protocols
http://www.stearns.org/mason/mason-6.html

 

10.2.4 Port numbering and well-known port numbers

Port numbers are represented by 2 bytes in the header of a TCP or UDP segment. This 16-bit value can result in port numbers ranging from 0 to 65535. These port numbers are divided into three different categories: well-known ports, registered ports, and dynamic or private ports. The first 1023 ports are well-known ports. As the name implies, these ports are used for well-known network services, such as FTP, Telnet, or DNS. Registered ports range from 1024 to 49151. Ports between 49152 and 65535 are defined as dynamic or private ports.

Interactive Media Activity

Drag and Drop: Port Numbers

After completing this activity, the student will be able to understand port numbers.

 

Web Links

Port Knowledgebase
http://www.iss.net/security_center/advice/Exploits/Ports/

 

10.2.5 Example of multiple sessions between hosts

Port numbers are used to track multiple sessions that can occur between hosts. The source and destination port numbers combine with the network address to form a socket. A pair of sockets, one on each host, forms a unique connection. For instance, a host might have a telnet connection, port 23, while at the same time be surfing the net, port 80. The IP and the MAC addresses would be the same because the packets are coming from the same host. Therefore, each conversation on the source side needs its own port number, and each service requested needs its own port number.
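The socket-pair idea from 10.2.1 through 10.2.5 as a small model of how a host hands each arriving segment to the right conversation (an added example, not code from the course). It goes one step beyond the text in spelling out the lookup order a host actually uses: an established connection is identified by its pair of sockets, and a segment with no matching connection goes to a service listening on the destination port, if any. Addresses, service names and the rule "ephemeral ports are handed out from 1024 upward" are constructed assumptions.

```python
def port_category(port):
    """Classify a port number by the three ranges the text describes."""
    if not 0 <= port <= 65535:
        raise ValueError("a port number is a 16-bit value")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


class Host:
    """Transport-layer demultiplexing on one host. A socket is (ip, port); a
    connection is the pair of sockets. Arriving segments are matched first to
    an established connection and otherwise to a service listening on the
    destination port."""

    def __init__(self, ip):
        self.ip = ip
        self.listeners = {}         # (proto, local port) -> service name
        self.connections = {}       # (proto, local socket, remote socket) -> name
        self.next_ephemeral = 1024  # assumption: next source port handed out

    def listen(self, proto, port, service):
        self.listeners[(proto, port)] = service

    def connect(self, proto, remote_ip, remote_port, name):
        """Open a client conversation: pick a fresh source port above 1023."""
        local_port = self.next_ephemeral
        self.next_ephemeral += 1
        key = (proto, (self.ip, local_port), (remote_ip, remote_port))
        self.connections[key] = name
        return local_port

    def deliver(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the conversation or service that receives the segment, or
        None when no process is bound (the host would refuse it)."""
        if dst_ip != self.ip:
            return None
        key = (proto, (dst_ip, dst_port), (src_ip, src_port))
        if key in self.connections:
            return self.connections[key]
        return self.listeners.get((proto, dst_port))


def demo():
    """Constructed scenario from the text: one client with a telnet session
    and two web sessions to the same server. Replies all carry the same
    destination IP (and MAC) and differ only by destination port."""
    client, server = Host("192.0.2.10"), Host("192.0.2.80")
    server.listen("tcp", 23, "telnet service")
    server.listen("tcp", 80, "http service")
    p_telnet = client.connect("tcp", server.ip, 23, "telnet session")
    p_web1 = client.connect("tcp", server.ip, 80, "web page 1")
    p_web2 = client.connect("tcp", server.ip, 80, "web page 2")
    return {
        "syn to 80": server.deliver("tcp", client.ip, p_web1, server.ip, 80),
        "reply to telnet": client.deliver("tcp", server.ip, 23, client.ip, p_telnet),
        "reply to web 1": client.deliver("tcp", server.ip, 80, client.ip, p_web1),
        "reply to web 2": client.deliver("tcp", server.ip, 80, client.ip, p_web2),
        "unbound port": server.deliver("tcp", client.ip, p_web1, server.ip, 8080),
    }
```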
Lab Activity

Lab Exercise: Well-Known Port Numbers and Multiple Sessions

In this lab, the student will enable HTTP services on a router.

 

10.2.6 Comparison of MAC addresses, IP addresses, and port numbers

These three methods of addressing are often confusing, but this can be avoided if the addresses are explained in reference to the OSI model. Port numbers are located at the transport layer and are serviced by the network layer. The network layer assigns the logical address (IP address) and is then serviced by the data link layer, which assigns the physical address (MAC address).

A good analogy can be made with a normal letter. The address on a letter consists of a name, street, city, and state. These can be compared to the port, MAC, and IP address used for network data. The name on the envelope would be equivalent to a port number, the street address is the MAC address, and the city and state are the IP address. Multiple letters can be mailed to the same street address, city, and state but carry different names. For instance, two letters could be mailed to the same house with one addressed to "John Doe" and the other to "Jane Doe". This is analogous to multiple sessions with different port numbers.

   

Summary

An understanding of the following key points should have been achieved:
  • TCP operation description
  • Synchronization process (three-way handshake)
  • Denial-of-service attacks
  • Windowing and window size
  • Sequencing numbers
  • Positive ACK
  • UDP operation
  • Multiple conversations between hosts
  • Ports for services
  • Ports for clients
  • Port numbering and well-known ports
  • Example of multiple sessions between hosts
  • Comparison of MAC addresses, IP addresses, and port numbers