Bai

Fifteen Questions about TCP/IP Protocol

1. What is the network layer?

The TCP/IP network model is generally divided into four layers, although it is sometimes described as having five.

  1. Application layer (HTTP): Encapsulates data packets.
  2. Transport layer (TCP): Adds TCP headers, including port numbers and other information.
  3. Network layer (IP): Adds IP headers, including IP addresses and other information.
  4. Network interface layer (ARP): Adds Ethernet headers, including MAC addresses and other information.

Advantages of network layering:

  • Independence of each layer: Limits the scope of dependencies, uses standardized interfaces between layers, and layers do not need to know how the upper and lower layers work. Adding or modifying an application layer protocol will not affect the transport layer protocol.
  • Flexibility: For example, routers do not need the application and transport layers, so after layering, routers can load fewer protocol layers.
  • Easy testing and maintenance: Improves testability, can test specific layers independently, and if a layer has a better implementation, it can be replaced as a whole.
  • Promotes standardization: Clear division of functions between layers facilitates standardization.

2. What is the three-way handshake of TCP? Why not two or four?

  1. The client sends SYN to the server, seq = x.
  2. The server sends SYN to the client, seq = y, ACK = x+1.
  3. The client sends ACK = y+1 to the server.

A two-way handshake is not enough because it cannot determine the server's receiving ability.
A four-way handshake is unnecessary and would waste resources.

3. What is the four-way handshake (connection teardown) of TCP? Why not three?

  1. The client sends FIN to the server, seq = x+2, ACK = y+1.
  2. The server sends ACK = x+3 to the client.
  3. After sending the remaining data, the server sends FIN to the client, seq = y+1.
  4. The client sends ACK = y+2 to the server.

Three steps are not enough: merging the server's ACK and FIN into one segment would delay the ACK until the server has finished sending its remaining data. If the delay is too long, the client will resend its disconnect request, wasting resources.

4. Why do SYN/FIN consume a sequence number even though they do not contain data?

In TCP, anything that requires confirmation from the other party consumes a sequence number.

5. What is a half-open connection queue? What is a SYN Flood attack?

In a SYN Flood attack, the client sends a large number of SYN packets with forged source IP addresses, so the server's SYN+ACK replies go to unknown IP addresses and are never acknowledged. This leaves a large number of connections on the server in the SYN_RCVD state. These connections are held in the server's half-open connection queue, whose size is limited. If the queue is full, the server can no longer process normal requests.
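
A defender can spot the symptom described above by counting half-open entries per local port in `netstat -ano` style output. This is an added example, not code from the original post: the sample lines, the threshold and the function names are constructed for illustration, and the state is matched under the spellings used by the RFC, Linux and Windows.

```python
from collections import Counter

# The half-open state is spelled differently by the RFC, Linux and Windows tools.
HALF_OPEN_STATES = {"SYN_RCVD", "SYN_RECV", "SYN_RECEIVED"}

# Constructed sample in Linux `netstat -ano` layout, using documentation addresses.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address      State       Timer
tcp        0      0 0.0.0.0:80      0.0.0.0:*            LISTEN      off (0.00/0/0)
tcp        0      0 192.0.2.10:80   198.51.100.7:40112   SYN_RECV    on (0.95/0/0)
tcp        0      0 192.0.2.10:80   198.51.100.23:51834  SYN_RECV    on (0.91/0/0)
tcp        0      0 192.0.2.10:80   203.0.113.5:1025     SYN_RECV    on (0.88/0/0)
tcp        0      0 192.0.2.10:80   203.0.113.77:60001   SYN_RECV    on (0.80/0/0)
tcp        0      0 192.0.2.10:443  198.51.100.9:33110   SYN_RECV    on (0.70/0/0)
tcp        0      0 192.0.2.10:22   192.0.2.50:50122     ESTABLISHED keepalive (7100.00/0/0)
"""


def half_open_by_port(netstat_text):
    """Return (entries per local port, distinct remote IPs per local port) for half-open rows."""
    counts, sources = Counter(), {}
    for line in netstat_text.splitlines():
        tokens = line.split()
        # Locate the state column; the two columns before it are the local and
        # foreign address in both the Linux and the Windows layout.
        idx = next((i for i, t in enumerate(tokens) if t in HALF_OPEN_STATES), None)
        if idx is None or idx < 2:
            continue
        port = tokens[idx - 2].rsplit(":", 1)[-1]
        if not port.isdigit():  # needs numeric output (the -n flag)
            continue
        counts[int(port)] += 1
        sources.setdefault(int(port), set()).add(tokens[idx - 1].rsplit(":", 1)[0])
    return counts, sources


def flag_syn_backlog(netstat_text, threshold):
    """Ports whose half-open count reaches `threshold` -> (entries, distinct sources).

    `threshold` is an assumption: choose it relative to the listener's backlog size.
    """
    counts, sources = half_open_by_port(netstat_text)
    return {p: (n, len(sources[p])) for p, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(flag_syn_backlog(SAMPLE_NETSTAT, threshold=3))
```

Many half-open entries on one port from many distinct, unrelated sources is the pattern to alert on; a handful of entries is normal on a busy listener.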

6. How does TCP Fast Open work?

TCP Fast Open (TFO) is an extension of the original TCP protocol. Its main idea is to start transmitting data in the first SYN packet. However, it requires that the client has previously completed a normal three-way handshake.

Fast Open consists of two stages: Requesting Fast Open Cookie and Starting TCP Fast Open.

Advantages of TCP Fast Open:
It can eliminate one round-trip time (RTT) and prevent SYN-Flood and similar attacks.

7. What is the use of timestamps in TCP packets?

The TCP Timestamps Option consists of four parts: kind, length, sender timestamp, and echo timestamp.

The first use is to calculate RTT, and the second is to prevent sequence number wraparound. Even if the same sequence number is used, different packets can be distinguished using timestamps.

8. How is the timeout retransmission time of TCP calculated?

Retransmission TimeOut (RTO) is the timeout retransmission time of TCP.

Classic solution:
Applicable when the RTT is small, using Smoothed Round Trip Time (SRTT).
The SRTT time is updated using the latest RTT.
SRTT = α × SRTT + (1-α) × RTT

9. What is TCP flow control?

The sender puts the data to be sent into its send buffer, and the receiver puts the received data into its receive buffer. The actual size of the receive buffer controls how much the sender can send.
The receiver informs the sender of its receive window, which is the free space in the receive buffer.

Status of sender's packets:

  • Sent and confirmed
  • Sent but not confirmed
  • Not sent but can be sent (receiver has space to receive)
  • Not sent and cannot be sent (receiver has no space to receive)

If the sender's speed is slow, there will be a large amount of pending bytes to be sent.
If the sender's speed is fast, there will be a large amount of unconfirmed bytes.

10. How does TCP keep-alive work?

Keep-alive sends probe packets at regular intervals to check whether the peer of the connection is still alive. However, the default keepalive time (7200s) is too long to be useful, so a heartbeat mechanism is usually implemented at the application layer instead.

What is a heartbeat mechanism?
Sending messages to the server at regular intervals and being able to respond to messages from the server.

Scenarios for long connections:

  • Games
  • Instant messaging

Without a heartbeat mechanism, if the network is disconnected, the other party will not know.
If the client is disconnected, the server does not know and still maintains the connection, which is additional wasted system overhead.

Why do we need a heartbeat mechanism:

  • Where NAT devices and firewalls sit in the network path, it keeps their record of the connection alive.
  • Detect network disconnection of the other party in a timely manner to take appropriate measures.

How to implement a heartbeat mechanism:

  • TCP-level heartbeat only verifies whether the network connection is abnormal.
  • Application-level heartbeat verifies whether the service interface is abnormal.

Why not use TCP-level heartbeat?
If the application layer connection is successful, then the transport layer where TCP is located must also be successful.
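
The two levels of heartbeat described above, side by side: a per-socket override of the 7200s keepalive default, and a server-side monitor for application-level heartbeats. This is an added example, not code from the original post; the function and class names and the timer values are assumptions.

```python
import socket
import time


def enable_tcp_keepalive(sock, idle=60, interval=10, count=3):
    """TCP-level probe: replace the 7200 s default idle time for this socket only."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # The timer options are platform-specific (Linux has all three), so each
    # one is applied only where the socket module exposes it.
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        if hasattr(socket, name):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, name), value)


class HeartbeatMonitor:
    """Application-level heartbeat: find peers that have stopped answering."""

    def __init__(self, interval=30.0, max_missed=3, clock=time.monotonic):
        self.interval = interval      # seconds between expected heartbeats
        self.max_missed = max_missed  # missed intervals tolerated before reaping
        self._clock = clock           # injectable so the timing can be tested
        self._last_seen = {}

    def beat(self, peer):
        """Record a heartbeat (or any other message) received from `peer`."""
        self._last_seen[peer] = self._clock()

    def missed(self, peer):
        """Whole heartbeat intervals that have passed since `peer` was last heard."""
        return int((self._clock() - self._last_seen[peer]) // self.interval)

    def reap(self):
        """Forget and return the peers over the limit; the caller closes their sockets."""
        dead = [p for p in self._last_seen if self.missed(p) > self.max_missed]
        for peer in dead:
            del self._last_seen[peer]
        return dead
```

Calling `reap()` on a timer and closing the returned peers releases the connections that a silently disconnected client would otherwise keep occupied on the server.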

11. What are TCP port numbers?

  • Source port: Local port
  • Destination port: Server port

There are at most 65536 port numbers, so they range from 0 to 65535.

Here are some common port numbers:

  • 21: FTP (File Transfer Protocol) port, used for file upload and download.
  • 22: SSH (Secure Shell) port, used for secure remote login and command execution.
  • 25: SMTP (Simple Mail Transfer Protocol) port, used for email transmission.
  • 80: HTTP (Hypertext Transfer Protocol) port, used for web browser access to websites.
  • 110: POP3 (Post Office Protocol version 3) port, used for email client to receive mail.
  • 143: IMAP (Internet Message Access Protocol) port, used for email client to receive mail.
  • 443: HTTPS (Hypertext Transfer Protocol Secure) port, used for secure web browser access to websites.
  • 3306: MySQL database port, used for data storage and retrieval.
  • 3389: Microsoft Remote Desktop port, used for remote management and control of computers.

These are just a few common port numbers, and there are many other port numbers that can be used for various communication protocols and applications.

12. TCP scenario questions

Question 1:
A TCP connection is established between host A and host B. Host A sends two TCP packets to host B, with sizes of 500 and 300 respectively. The sequence number of the first packet is 200. After receiving the two packets, what is the acknowledgment number returned by host B?
500+300+200 = 1000
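
The answer to Question 1 and the rule from question 4, that SYN and FIN each consume one sequence number, come from the same bookkeeping. This is an added example, not code from the original post; the function names are hypothetical, and it goes slightly beyond the text by also handling out-of-order arrival and 32-bit wraparound.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_space(payload_len, syn=False, fin=False):
    """Sequence numbers a segment consumes: its payload bytes, plus 1 each for SYN and FIN."""
    return payload_len + int(syn) + int(fin)


def cumulative_ack(expected, segments):
    """Return the acknowledgment number after `segments` have arrived.

    expected: the next sequence number the receiver is waiting for.
    segments: (seq, payload_len, syn, fin) tuples in arrival order.
    Simplification: segments do not overlap and duplicates are ignored.
    """
    buffered = {}  # start seq -> sequence space, for segments not yet acknowledged
    for seq, payload_len, syn, fin in segments:
        buffered[seq % MOD] = seq_space(payload_len, syn, fin)
        # The ACK is cumulative: it only advances over contiguous data, so a
        # segment that arrives after a gap waits here until the gap is filled.
        while expected in buffered:
            expected = (expected + buffered.pop(expected)) % MOD
    return expected


if __name__ == "__main__":
    # Question 1: two segments of 500 and 300 bytes, the first starting at 200.
    print(cumulative_ack(200, [(200, 500, False, False), (700, 300, False, False)]))
    # A bare SYN with seq = x moves the peer's ACK to x + 1.
    print(cumulative_ack(100, [(100, 0, True, False)]))
```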

Question 2:
After receiving an IP packet, how do you know which protocol (TCP or UDP) it should be delivered to in the upper layer?
The IP packet header has a protocol field, TCP is 6, UDP is 17.

Question 3:
TCP provides a byte stream service, and neither the sender nor the receiver keeps track of record boundaries. How should the application provide its own record identification?

The application uses its own agreed-upon rules to identify record boundaries, such as using a carriage return + line feed ("\r\n"), as in the Redis communication protocol.
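
Because TCP delivers a byte stream, one recv() call can return half a record or several records at once. This added example (not code from the original post; the class, function and parameter names are hypothetical) reassembles "\r\n"-terminated records across arbitrary chunk boundaries and caps the buffered length so that a peer that never sends the delimiter cannot exhaust memory.

```python
class CRLFFramer:
    """Reassemble CRLF-terminated records from a TCP byte stream."""

    def __init__(self, max_record=4096):
        self.max_record = max_record  # assumed limit; set it per protocol
        self._buf = bytearray()

    def feed(self, chunk):
        """Add the bytes of one recv() call; return the records completed by it."""
        self._buf += chunk
        records = []
        while (end := self._buf.find(b"\r\n")) >= 0:
            if end > self.max_record:
                raise ValueError("record longer than max_record")
            records.append(bytes(self._buf[:end]))
            del self._buf[:end + 2]
        # Bound what may stay buffered, so a peer that never sends the delimiter
        # cannot grow memory without limit (+1 allows for a pending CR).
        if len(self._buf) > self.max_record + 1:
            raise ValueError("no delimiter within max_record bytes")
        return records


def frame_stream(chunks, max_record=4096):
    """Run every chunk through one framer and collect the records in order."""
    framer, out = CRLFFramer(max_record), []
    for chunk in chunks:
        out.extend(framer.feed(chunk))
    return out


# Constructed sample: three records split at awkward points, including between
# the CR and the LF of one delimiter.
SAMPLE_CHUNKS = [b"PI", b"NG\r\nSET k", b" v\r", b"\nGET k\r\n"]

if __name__ == "__main__":
    print(frame_stream(SAMPLE_CHUNKS))
```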

13. What are the differences between TCP and UDP?

TCP is a connection-oriented, reliable, byte-stream transport layer protocol.
UDP is a connectionless transport layer protocol.

  • Connection-oriented: Refers to the connection between the client and server, establishing a connection through a three-way handshake before communication.

  • Reliability:

  1. TCP is stateful: TCP accurately records which data has been sent, received, and not received, and ensures that data packets arrive in order without errors.
  2. TCP is controllable: If there is packet loss or poor network conditions, TCP will adjust its sending speed or retransmit based on the specific situation.

14. Usage of Telnet and netstat

  • Telnet: checks whether a remote port is open; the syntax is: telnet [ip] [port]
  • netstat: queries network conditions, for example: netstat -ano

15. Tcpdump and Wireshark

Used for packet capture, for example, to view the three-way handshake and four-way handshake.
