How TCP/IP Protocol Works - Part 2
By Gabriel Torres on April 10, 2012
In our How TCP/IP Protocol Works tutorial we’ve explained the basic architecture of TCP/IP protocol and how the basic protocols involved (like TCP, UDP and IP) worked. Now it is time to get a little bit deeper, explaining other protocols and other TCP/IP functionalities we didn’t cover before, like Telnet, SSH, TFTP, DHCP, DNS, ICMP, RIP, OSPF, BGP, ARP and more.
It is important to keep in mind that there is several other protocols related to TCP/IP stack and we are only explaining the most important ones.
Terminal services allow you to enter remotely on a server and have access to its shell (i.e., to its command prompt), like if you were personally in front of its keyboard and video monitor. The three most common terminal protocols are Telnet, Rlogin and SSH (Secure Shell). All do the same thing, but on SSH the connections are encrypted and thus safer. If you have to manage a server remotely, prefer using SSH instead of Telnet or Rlogin, because since Telnet and Rlogin connections aren’t encrypted, someone using a “sniffer” program – which is a kind of program that allows a hacker to read packets that are being transferred on a network – can read everything you type, including passwords.
Telnet, Rlogin and SSH are Application layer protocols and use the TCP protocol on the Transport layer, Telnet using port 23, Rlogin using port 513 and SSH using port 22.
One of the most famous Terminal client program for Windows that allows Telnet, Rlogin and SSH connections is called PuTTY (Windows comes with a Telnet utility – which can be accessed going to Start, Run, Telnet – but it doesn’t come with a SSH one).
TFTP (Trivial File Transfer Protocol)
On the first part of this tutorial we have explained about FTP, an Application layer protocol for transferring files using the TCP protocol on the Transport layer.
TFTP is a protocol for the same kind of application – transferring files – but based on UDP protocol on the Transport layer.
As you may remember, the difference between TCP and UDP is that while TCP checks whether each data packet arrived correctly at destination, UDP does not. Another difference is that TCP reorder packets that may have arrived out-of-order, while UDP doesn’t.
On the other hand, because it does not use this acknowledge system nor any reordering system, UDP packets are smaller (since UDP header is smaller than TCP header) and also require less computational power to be processed – as reordering and acknowledging aren’t necessary. It will be the application – not the protocol – that will be in charge of these functions.
For daily usage, TFTP protocol has no use, as FTP is far more reliable. However there is one kind of application that take advantage of TFTP and you should know about it: diskless remote boot (also known as RIPL, Remote Initial Program Loading).
You can have a computer with no hard disk drive or any other storage media and configure it to boot from the network, i.e., load the operating system and programs from a server. The program for loading the operating system remotely needs to be stored on a very small ROM memory located on the network card from the diskless computer. As it will need a protocol for transferring files, TFTP suits better than FTP, as TFTP clients are far smaller than FTP clients, fitting the network card ROM memory – for you to have an idea, the size of the largest ROM chips used for remote booting is only 64 KB (yes, kilobytes).
In summary, TFTP is an Application layer protocol using UDP protocol (using port 69) on the Transport layer.
All computers connected to a TCP/IP network need to be configured with an IP address. Without an IP address a computer cannot “talk” to others on the network.
Imagine a large network with hundreds of computers. Configuring them one-by-one would chaotic! Also, think about Internet Service Providers (ISPs): they would have to teach every customer how to configure their computer and give them IP addresses by phone – and keep track of these addresses, as two computers cannot have the same IP address.
In order to make this configuration easier, there is a protocol called DHCP, which allows computers to receive their configuration through a DHCP server. This is the default configuration for all computers nowadays. So when you turn on your computer, it asks the DHCP server of your network (located at your ISP if you are a home user connected to the Internet) “hey, give me my IP address!” and voilá, your computer is configured. If you have built a small network using a broadband router, the router will also incorporate a DHCP server, so it will be in charge of assigning IP address to the computers connected to it.
Besides the IP address the DHCP server also sends other configuration information, like the IP address of the DNS server your computer should use (we will explain what is this in the next page), the default gateway (the IP address of the router of your network – i.e., if your computer cannot find the target computer on your local network, to which address it should send the packet to be forwarded) and the subnet mask (which is used for addressing reasons that are not the scope of the present tutorial).
With the use of a DHCP server the network administrator can configure all computers of a network from a central location, making his/her life easier.
DHCP is an Application layer protocol, using the UDP protocol on the Transport layer. It uses ports 67 and 68. DHCP replaced an old protocol called BOOTP and on older books you may find references to BOOTP instead of DHCP. Everything that is said about BOOTP is valid for DHCP, as DHCP is 100% backward compatible with BOOTP (DHCP offers more options than BOOTP, though).
As you already know, on TCP/IP networks each computer has a unique virtual address, called IP address. However for us, humans, names are easier to memorize than numbers.
DNS allows the use of names as alias for IP addresses. For example, it is easier to memorize the name of our website than the IP address that our web server is using – we are sure it is easier to memorize hardwaresecrets.com than 18.104.22.168.
When you enter http://www.hardwaresecrets.com on your web browser, DNS protocol enters in action, contacting a DNS server and asking it which IP address is associated with www.hardwaresecrets.com. The DNS server will answer 22.214.171.124 and then your web browser will know which IP address to use on this connection.
The DNS server your web browser will use is the DNS server your computer is configured to use – all computers that are connected to the Internet have a field for configuring the IP address of at least one DNS server. Usually this configuration is done automatically by via DHCP.
If the DNS server doesn’t know the name you asked, it will contact another DNS server with a higher hierarchy in order to learn about this name/IP address.
All entries on DNS servers have a “time to live” (a.k.a. TTL) field, which tells the server for how long that information is valid. When the information is expired, it should be updated by contacting again the DNS server with a higher hierarchy. This is done so if the IP address of a server has changed, the maximum time you will need to wait in order to learn what is the new IP address for that server will be its DNS TTL field – which can hang from a few hours to a few days.
DNS is an Application layer protocol, and DNS queries are done using the UDP protocol port 53 on the Transport layer. As we have already explained, UDP does not check whether the packet arrived or not at destination but, on the other hand, it is faster, as its header is smaller and less computational power is needed to process it, as the acknowledge scheme isn’t used.
An easy way to play with DNS queries is through the use of the nslookup command, available both on the Windows prompt as on Unix systems (like Linux – depending on your Linux flavor this command may be called host, not nslookup).
On Windows, try clicking on Start, Run and then enter Cmd and hit Enter. There try nslookup www.hardwaresecrets.com. You will get the IP address associated with this name (126.96.36.199). You can also do the other way around, you can enter an IP address to find out if there is a server name associated with it (if you enter our IP address you will get a different server name, as we host two different websites on the same server). Play around with this command so you can understand more how DNS works; it won’t damage your PC!
By the way, DNS allows more than one name to be associated with one given IP address. This allows you to host more than one website on a single server, for example. When you access a server that has more than one website hosted, your web browser will reach it through its IP address (learned through a DNS query, like we explained), while the server will check for the name you are using on your web browser to know which website deliver to you.
ICMP is used to send out control messages to routers. It is an Internet layer protocol, working together with IP protocol. It can be used in several situations that may be necessary for one router to instruct another router about something – usually when one router gets a datagram that it can’t deliver, it reply back to the router that send the datagram with an ICMP message explaining why it couldn’t deliver the datagram.
Some of the control messages that can be sent using ICMP are:
Routing can be static or dynamic. While on small networks static routing is used – i.e., datagrams always travel by the exact same path to reach their destination – on the Internet or big networks dynamic routing is necessary.
With dynamic routing, routers can change routes on the fly, if they feel that there are better paths for reaching a given destination. For example, if there is more than one way to reach a given destination and the current route is longer than another available route, the routers can reconfigure themselves to use the shorter route. Here “long” and “short” refers to the number of existing hops (i.e., routers) in the way. Shorter routes are not necessarily the fastest, as we will explain.
The communication between the routers in order to reprogram their routing tables is done using a routing protocol. The three most well known dynamic routing protocols are RIP (Routing Information Protocol), OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol).
If routers are using RIP protocol, they will send out their routing tables to all routers they have access to every 30 seconds. Routing table is a table containing all networks the routers know how to reach and also the distance (given in hops) to them.
When receiving a new routing table from another router, each router can see if there is any network on that list that has a shorter path than the one that it is currently configured to use. If there is, the router will reconfigure itself to use this new shorter path.
The problem is that the shorter paths are not always the best, as RIP protocol does not implement any way to check the performance of that path. It also doesn’t check for congestion or if the path is really available. So a longer route may be faster.
RIP uses UDP on port 520.
Despite its name, OSPF protocol doesn’t look for the shortest path, but for the fastest. When routers use OSPF protocol, they check the status of other routers they have access to from time to time sending a hello message. From that message they know if a router is online and what is its status. Another difference is that using OSPF routers know all the paths that can be used to reach a given destination, while on RIP routers know only the shortest path. A third difference is that RIP-based routers will send out their routing tables every 30 seconds, which raise network traffic.
Another difference is that OSPF-based routers allow load balancing: if there is more than one route to a given destination, the router may divide datagrams between them in order to lower the individual traffic on each one of them.
OSPF works directly on the Internet layer with IP protocol, thus it doesn’t use TCP or UDP protocols.
BGP is a protocol targeted to huge networks, like the Internet – in fact BGP is the protocol used by routers on the net. As such, it is classified as an external gateway protocol, while RIP and OSPF are classified as internal gateway protocols – as they are used on networks that are under the same administration.
BGP group routers and computers that are under the same administration into a unit called autonomous system (AS) – for example, all routers and computers that belong or are connected to the same Internet service provider (ISP) are part of the same AS. While running inside the same autonomous system BGP is called IBGP (Internal), while running between two different autonomous systems BGP is called EBGP (External).
BGP is far more complex than RIP and OSPF, as it uses several different criteria (called attributes) to determine which is the best route to take: Weight, Local preference, Multi-exit discriminator, Origin, AS_path, Next hop and Community.
Unlike RIP, BGP-based routers only sends out what is new on their routing tables instead of sending the whole table from time to time, helping to decrease the network traffic. Another difference between BGP and RIP is that BGP checks from time to time if a given path is online or not.
BGP uses TCP on port 179.
ARP (Address Resolution Protocol) in charge of learning what is the MAC address (i.e., the physical address) of a computer that has a given IP address and RARP (Reverse Address Resolution Protocol) does the opposite: it is in charge of finding out what is the IP address of a computer with a given MAC address.
While a datagram is being transmitted over the Internet the MAC address of the target computer is not needed – the routers in the middle of the road are only interested in delivering the datagram to the target network. But once the packet arrives the target network, the router connected to that network needs to know the MAC address of the target computer, as it will deliver the datagram locally (probably using the Ethernet protocol).
For example, if the target IP address is 188.8.131.52, when the datagram arrives at the router of the 184.108.40.206 network, it will ask to all computers (when a message is sent to all computers it is called broadcast message) using ARP protocol: “hey, which computer is 220.127.116.11?”. Then the computer that is using this IP address will answer “that’s me!”.
Of course sending broadcast messages all the time congests the network, so the router will keep a table of known IP addresses and their corresponding MAC addresses, so it won’t need to ask the same question again when it receives a new datagram targeted to 18.104.22.168.
RARP, on the other hand, was used in the past by PCs without a hard disk drive or any other boot media using remote boot. Since this kind of computer don’t have an operating system installed, they don’t know which IP address they are going to use, so they need to know which IP address they should use in order to start loading the operating system from the remote boot server. As you can see, this is exactly the same role as DHCP and since nowadays all networks use a DHCP server, the use of RARP became obsolete.
Both ARP and RARP work on the Network Interface layer.
Below you will find a list of other “famous” TCP/IP-related protocols and functionalities that you may hear about: