4.1 Two Services Provided by the Network Layer

The network layer is concerned with getting packets from the source to the destination address along the network path.

In the field of computer networks there has long been a debate about which service the network layer should provide to the transport layer: "connection-oriented" or "connectionless". The essence of the debate is: who is responsible for reliable delivery in computer communication, the network or the end system?

Two types of service have been proposed as the service the network layer offers to the transport layer:

  • Virtual circuit service
  • Datagram service

4.1.1 Virtual Circuit Service

A virtual circuit means that only a logical connection is established, along which packets are sent in store-and-forward fashion; no physical connection is actually set up.

Note: circuit-switched telephone communication is preceded by the establishment of a real physical connection. The virtual connection of packet switching is therefore similar to a circuit-switched connection, but not identical.

All packets that host H1 sends to host H2 travel along the same virtual circuit.

4.1.2 Datagram Service

The network layer provides to the layer above it only a simple, flexible, connectionless, best-effort datagram service.

The network does not need to establish a connection before sending packets. Each packet (that is, each IP datagram) is sent independently of the packets before and after it (packets are not numbered).

The network layer makes no quality-of-service promises. Packets may be corrupted, lost, duplicated or delivered out of order (not reaching the destination in the order sent), and there is of course no guarantee on delivery time.

Advantages of best-effort delivery:

  • Since the network does not provide a reliable end-to-end transport service, the routers in the network can be relatively simple and inexpensive (compared with the switches of a telecommunications network).
  • If communication between processes on hosts (that is, end systems) needs to be reliable, the transport layer in the host is responsible for it (including error handling, flow control, and so on).
  • The advantages of this design are that the cost of the network is greatly reduced, its operation is flexible, and it can adapt to a wide variety of applications.
  • The fact that the Internet has grown to its present size is a testament to the correctness of this design philosophy.

Aspect | Virtual circuit service | Datagram service
Design idea | Reliable communication should be guaranteed by the network | Reliable communication should be guaranteed by the user host
Connection establishment | Required | Not required
Destination address | Used only during connection establishment; afterwards each packet carries a short virtual circuit number | Each packet carries the complete destination address
Packet forwarding | Packets belonging to the same virtual circuit are forwarded along the same route | Each packet is routed independently
When a node fails | All virtual circuits passing through the failed node fail | Packets at the failed node may be lost, and some routes may change
Packet order | Packets always arrive at the destination in the order sent | Packets do not necessarily arrive in the order sent
End-to-end error handling and flow control | Can be the responsibility of the network or of the user host | The user host is responsible

4.2 Virtual Internet

4.2.1 Network Interconnection Devices

An intermediate device is also called an intermediate system or a relay system. Relay systems are classified by the layer at which they operate:

  • Physical layer relay system: repeater
  • Data link layer relay system: bridge or switch
  • Network layer relay system: router
  • Relay system above the network layer: gateway (in everyday usage, a host's default gateway is the address of a router interface)

4.2.2 Network Interconnection Problems

For interconnected networks to communicate with each other, many problems have to be solved, for example:

  • Different addressing schemes
  • Different maximum packet lengths
  • Different network access mechanisms
  • Different timeout controls
  • Different error recovery methods
  • Different status reporting methods
  • Different router selection techniques
  • Different user access controls
  • Different services (connection-oriented and connectionless)
  • Different management and control methods

4.2.3 Interconnection Network and Virtual Interconnection Network

(1) The meaning of "virtual interconnection network"

  • A virtual interconnection network is a logical interconnection network: the heterogeneity of the physically interconnected networks is an objective fact, but the IP protocol makes these networks with different characteristics appear to the user as a single, unified network.
  • A virtual interconnection network that uses the IP protocol is called an IP network for short.
  • The advantage of a virtual interconnection network is that hosts on the Internet communicate as if they were on the same network, without seeing the details of the heterogeneous networks being interconnected.

(2) Introduction to the IP protocol

IP is one of the two most important protocols in the TCP/IP suite. Four other protocols are used together with IP:

  • Address Resolution Protocol (ARP)
  • Reverse Address Resolution Protocol (RARP)
  • Internet Control Message Protocol (ICMP)
  • Internet Group Management Protocol (IGMP)

4.3 IP Address Hierarchy

4.3.1 Hierarchical IP Addresses

(1) Hierarchical IP addresses

The 32-bit IP address is divided into a network ID and a host ID.

A network address (also called a network number) uniquely identifies each network. Every computer on the same network shares that network address and uses it as part of its own IP address.

  • The first bit of a class A address is 0
  • The first two bits of a class B address are 10
  • The first three bits of a class C address are 110
  • The first four bits of a class D address are 1110
  • The first four bits of a class E address are 1111

(2) Special addresses

  1. Loopback address: 127.0.0.1
  2. Address used by Windows when an interface is set to obtain an IP address automatically and the assignment fails; the preset address is used, but with it the machine cannot reach other websites, that is, the Internet: 169.254.0.0
  3. Private address: the reserved class A address that businesses or schools can use: 10.0.0.0
  4. Private addresses: 32 reserved class B addresses: 172.16.0.0 to 172.31.0.0
  5. Private addresses: 255 reserved class C addresses: 192.168.0.0 to 192.168.255.0

Private addresses are not reachable from the Internet.

4.3.2 Function of a Subnet Mask

A subnet mask is also called a network mask or an address mask. It specifies which bits of an IP address identify the subnet on which the host resides and which bits identify the host. A subnet mask cannot exist on its own; it must be used together with an IP address (the IP address and the subnet mask are combined with a bitwise AND). A subnet mask is therefore used to divide an IP address into a network address and a host address.

A host ID cannot be all 0s or all 1s: all 0s denotes the network segment itself, and all 1s denotes the broadcast address.

4.3.3 Classless Addressing (CIDR)

Historical overview

As early as 1987, RFC 1009 specified that several different subnet masks could be used simultaneously in a subnetted network. Variable-length subnet masks (VLSM) further improve the utilization of IP address space.

CIDR was developed on the basis of variable-length subnet masks.

By 1992 nearly half of all class B addresses had been allocated. To address the exhaustion problem, the IETF developed classless addressing (CIDR).

There are two main characteristics of CIDR:

(1) CIDR eliminates the traditional concepts of class A, B and C addresses and of subnet division, allowing the IPv4 address space to be allocated more efficiently.

CIDR divides the 32-bit IP address into two parts: the first part is the "network prefix", which identifies the network, and the second part identifies the host. CIDR therefore moves IP addresses from three-level addressing (using subnet masks) back to two-level addressing. The notation is:

IP address ::= {< network prefix >, < host number >}

CIDR also uses "slash notation", or CIDR notation, in which the IP address is followed by a slash "/" and then the number of bits occupied by the network prefix.

(2) CIDR combines contiguous IP addresses with the same network prefix into a CIDR address block.

Knowing any one address in a CIDR address block, we can find the start (minimum) address and the end (maximum) address of the block.
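
The operations in 4.3.1 to 4.3.3 (classifying an address by its leading bits, ANDing an address with its mask, rejecting all-0 and all-1 host IDs, and finding the minimum and maximum address of a CIDR block) are all integer arithmetic on the 32-bit value. The Python below is an added example written for these notes, not code from the original; every address in it is a constructed sample value.

```python
# Added example (not from the original notes): classful, subnet-masked and
# CIDR address arithmetic on 32-bit integers. All addresses are sample values.

def ip_to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %s" % addr)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def address_class(addr: str) -> str:
    """Classful category from the leading bits of the first octet (section 4.3.1)."""
    first = ip_to_int(addr) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

def prefix_to_mask(prefix_len: int) -> int:
    """Mask with prefix_len leading 1s, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def mask_to_prefix(mask: str) -> int:
    """Prefix length of a contiguous mask such as 255.255.255.0; reject gappy masks."""
    m = ip_to_int(mask)
    prefix_len = bin(m).count("1")
    if prefix_to_mask(prefix_len) != m:
        raise ValueError("non-contiguous mask: %s" % mask)
    return prefix_len

def split_address(addr: str, mask: str) -> dict:
    """AND the address with its mask to separate the network and host parts (4.3.2)."""
    a, m = ip_to_int(addr), ip_to_int(mask)
    network = a & m
    host = a & ~m & 0xFFFFFFFF
    host_bits = 32 - mask_to_prefix(mask)
    return {
        "network": int_to_ip(network),
        "host_id": host,
        "broadcast": int_to_ip(network | (~m & 0xFFFFFFFF)),
        # all-0 (the network itself) and all-1 (broadcast) host IDs are not assignable
        "assignable": host_bits > 0 and 0 < host < (1 << host_bits) - 1,
    }

def cidr_block(cidr: str) -> tuple:
    """From any address written in slash notation, compute the block's min and max address (4.3.3)."""
    addr, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    start = ip_to_int(addr) & mask
    end = start | (~mask & 0xFFFFFFFF)
    return int_to_ip(start), int_to_ip(end)

if __name__ == "__main__":
    print(address_class("10.0.0.1"))
    print(split_address("192.168.1.130", "255.255.255.128"))
    print(cidr_block("128.14.35.7/20"))
```

The `mask_to_prefix` check matters in practice: a mask whose 1 bits are not contiguous (for example 255.255.0.255) is accepted by some tools and silently produces a network that does not match what the address actually belongs to, so the function rejects it rather than guessing.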

4.3.4 MAC Address

The MAC address determines the next hop; the IP address determines the final destination.

(1) ARP protocol

ARP is responsible for resolving an IP address into a MAC address, which it does by broadcasting a request.

(2) ARP spoofing

For example, take machines M1, M2 and M3. M1 and M2 should communicate with each other directly, but when M1 resolves M2's MAC address, M3 overwrites M2's address with its own; likewise, when M2 resolves M1's MAC address, M3 overwrites M1's address with its own. As a result, the packets exchanged between M1 and M2 are sent to M3 and then forwarded by M3 on to M2 and M1. This is ARP spoofing.

(3) How to recognize ARP spoofing

Use arp -a to check whether the resolved MAC address matches that of the legitimate machine. If the MAC address differs, ARP spoofing is involved.

(4) What to do if the router has cached an incorrect MAC address

Running network diagnostics/repair clears all caches.
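
The check in (3) can be automated by comparing the cache against a known-good baseline. The Python below is an added example, not part of the original notes: it parses constructed `arp -a` output (Windows or Linux format), compares each binding with a hypothetical baseline of expected IP-to-MAC pairs, and flags the two symptoms of the scenario in (2), a binding that differs from the expected MAC and a single MAC that claims more than one IP address. Both the sample output and the baseline are constructed, not captured from a real network.

```python
import re

# Constructed sample in the format of Windows `arp -a` output (not a real capture).
# 192.168.1.20 and 192.168.1.30 both resolve to the same MAC, as they would if
# one machine had poisoned the cache entries for both.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          de-ad-be-ef-00-03     dynamic
  192.168.1.30          de-ad-be-ef-00-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical known-good bindings (for example from DHCP lease records or an
# earlier clean `arp -a`); constructed for this example.
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:55",
    "192.168.1.20": "de:ad:be:ef:00:02",
    "192.168.1.30": "de:ad:be:ef:00:03",
}

# Matches "192.168.1.1   00-11-22-33-44-55" (Windows) and
# "? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0" (Linux).
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)

def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} from arp -a output, skipping broadcast and IPv4 multicast entries."""
    table = {}
    for line in text.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue
        mac = normalise_mac(match.group("mac"))
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:"):
            continue
        table[match.group("ip")] = mac
    return table

def find_arp_anomalies(table: dict, baseline: dict) -> list:
    """Report bindings that differ from the baseline and MACs bound to more than one IP."""
    findings = []
    for ip, mac in table.items():
        expected = baseline.get(ip)
        if expected is not None and expected != mac:
            findings.append(("mismatch", ip, expected, mac))
    ips_by_mac = {}
    for ip, mac in table.items():
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_OUTPUT), BASELINE):
        print(*finding)
```

The duplicate-MAC check is the one that needs no baseline at all: on an ordinary segment each IP address maps to a distinct adapter, so one MAC appearing behind two IP addresses is worth investigating even when no expected binding is recorded.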

(5) Reverse ARP (RARP)

A machine that knows only its MAC address uses it to request an IP address.

4.3.5 Fields in IP datagram header

4.3.5 IP Packet Forwarding Flow

Data routing: routers forward datagrams between different network segments.

Condition for an unobstructed network: packets must be able to reach the destination and come back.

Every router along the path must know the interface that leads to the next hop toward the destination IP network (and, for the return traffic, toward the source IP network).

4.4 Internet Control Message Protocol, ICMP

4.4.1 Overview

To forward IP datagrams more effectively and improve the chance of successful delivery, the Internet Control Message Protocol (ICMP) is used at the internet layer. ICMP allows hosts and routers to report errors and to provide reports about related exceptional situations.

ICMP messages are sent as the data portion of IP datagrams: the datagram header is prepended and the whole is transmitted as an IP datagram.

4.4.2 Types of ICMP Packets

There are two types of ICMP message: ICMP error report messages and ICMP query messages.

The first four bytes of every ICMP message have the same format and contain three fields: type, code and checksum. The next four bytes depend on the ICMP type. The length of the final data field depends on the ICMP type as well.

(1) Error report messages

The common ICMP message types are:

ICMP message category | Type value | ICMP message type
Error report message | 3 | Destination unreachable
Error report message | 11 | Time exceeded
Error report message | 12 | Parameter problem
Error report message | 5 | Redirect (route change)
Query message | 8 or 0 | Echo request or reply
Query message | 13 or 14 | Timestamp request or reply

Note: the IP header checksum covers only the header, not the data portion of the datagram, so there is no guarantee that the ICMP message carried in it has arrived without error.

(1) Destination unreachable: when a router or host cannot deliver a datagram, it sends a destination unreachable message to the source.

(2) Time exceeded: when a router receives a datagram whose TTL has reached 0, it discards the datagram and sends a time exceeded message to the source. When a destination host does not receive all the fragments of a datagram within a preset time, it discards the fragments already received and sends a time exceeded message to the source.

(3) Parameter problem: when a router or the destination host finds that a field in the datagram header has an invalid value, it discards the datagram and sends a parameter problem message to the source.

(4) Route change (redirect): a router sends a redirect message to tell a host that it should send subsequent datagrams to a different router.

Composition of an ICMP error report message:

The data field of every ICMP error report message has the same format: the header and the first 8 bytes of the data field of the received IP datagram that caused the error are extracted to form the data field of the ICMP message; together with the 8-byte ICMP header this forms the ICMP error report message.

The first 8 bytes of the received datagram's data field are extracted because they hold the transport-layer port numbers (for TCP and UDP) and the sequence number of the transport-layer segment (for TCP).
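
The common header layout from 4.4.2 (type, code, checksum, then four type-specific bytes) and the error-report composition just described can be exercised by building and parsing messages. The Python below is an added example written for these notes, not code from the original: it computes the Internet checksum, assembles an echo request and a port-unreachable report, verifies the checksum on parsing, and pulls the addresses and UDP ports back out of the embedded IP header and first 8 data bytes. The IP/UDP header it embeds uses constructed addresses and ports.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, data: bytes = b"") -> bytes:
    """Assemble type | code | checksum | 4 type-specific bytes | data, filling in the checksum."""
    if len(rest_of_header) != 4:
        raise ValueError("the type-specific field is exactly 4 bytes")
    body = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header + data
    csum = internet_checksum(body)           # computed with the checksum field set to zero
    return struct.pack("!BBH", icmp_type, code, csum) + rest_of_header + data

def parse_icmp(msg: bytes) -> dict:
    """Split off the common 4-byte header and verify the checksum over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message must be at least 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "rest_of_header": msg[4:8], "data": msg[8:],
        # a correct message sums to 0xFFFF, whose complement is 0
        "checksum_ok": internet_checksum(msg) == 0,
    }

def parse_error_report(msg: bytes) -> dict:
    """For types 3, 5, 11 and 12 the data field holds the offending IP header + first 8 payload bytes."""
    info = parse_icmp(msg)
    if info["type"] not in (3, 5, 11, 12):
        raise ValueError("not an ICMP error report message")
    data = info["data"]
    ihl = (data[0] & 0x0F) * 4               # IP header length in bytes
    if len(data) < ihl + 8:
        raise ValueError("error report is truncated")
    proto = data[9]
    result = {
        "src": ".".join(str(b) for b in data[12:16]),
        "dst": ".".join(str(b) for b in data[16:20]),
        "protocol": proto,
    }
    l4 = data[ihl:ihl + 8]                   # the 8 transport-layer bytes
    if proto in (6, 17):                     # TCP or UDP: ports come first
        result["src_port"], result["dst_port"] = struct.unpack("!HH", l4[:4])
    if proto == 6:                           # TCP: sequence number follows the ports
        result["seq"] = struct.unpack("!I", l4[4:8])[0]
    return result

def sample_echo_request() -> bytes:
    """Constructed echo request (type 8): identifier 0x1234, sequence 1, data b'ab'."""
    return build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ab")

def sample_port_unreachable() -> bytes:
    """Constructed type 3 / code 3 report about a UDP datagram 10.0.0.5:40000 -> 10.0.0.9:33434."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 1, 0x4000, 64, 17, 0,
                            bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    udp_header = struct.pack("!HHHH", 40000, 33434, 16, 0)
    return build_icmp(3, 3, b"\x00" * 4, ip_header + udp_header)

if __name__ == "__main__":
    print(parse_icmp(sample_echo_request()))
    print(parse_error_report(sample_port_unreachable()))
```

Because the checksum verification in `parse_icmp` runs over the whole message, it catches corruption in the data field that the IP header checksum (see the note above) would never notice.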

ICMP error report messages must not be sent in the following cases:

  • No ICMP error report message is sent in response to an ICMP error report message.
  • No ICMP error report message is sent for any fragment of a datagram other than the first.
  • No ICMP error report message is sent for datagrams with a multicast address.
  • No ICMP error report message is sent for datagrams with a special address (such as 127.0.0.1 or 0.0.0.0).

(2) Query messages

The common ICMP query messages are:

1. Echo request and reply: an ICMP echo request is a query sent by a host or router to a specific destination host. The host that receives it must send an ICMP echo reply back to the source host or router. This query is used to test whether the destination is reachable and to learn its status.

2. Timestamp request and reply: an ICMP timestamp request asks a host or router to reply with the current date and time. The ICMP timestamp reply contains a 32-bit field whose integer value is the number of seconds from January 1, 1900 to the current time. Timestamp requests and replies can be used for clock synchronization and time measurement.

4.4.3 Application Examples of ICMP

(1) PING: probing between packet networks

Used to test connectivity between two hosts.

PING (Packet InterNet Groper) uses ICMP echo request and echo reply messages. PING is an example of the application layer using the network-layer ICMP directly: it does not go through TCP or UDP.

Working process

For example, a PC uses the PING command to test connectivity to Baidu.com. The PC sends four ICMP echo request messages in succession. If the Baidu server is working properly and answers ICMP echo requests, it sends back an ICMP echo reply for each one.

The returned ICMP messages carry time stamps, so the round-trip time is easy to obtain.

(2) tracert

Function: traces the path a packet takes from the source to the destination.

The command is called traceroute on UNIX and tracert on Windows.

Working principle

Tracert sends a series of IP datagrams from the source host to the destination host. Each datagram encapsulates a UDP user datagram that cannot be delivered. The TTL of the first datagram P1 is set to 1. When P1 reaches the first router R1 on the path, R1 accepts it and decrements the TTL by one. Since the TTL is now zero, R1 discards P1 and sends an ICMP time exceeded error message to the source host.

The source host then sends a second datagram, P2, with the TTL set to 2. P2 first reaches router R1, which decrements the TTL to 1 and forwards it to router R2. R2 receives P2 with a TTL of 1; after decrementing, the TTL becomes zero, so R2 discards P2 and sends an ICMP time exceeded error message to the source host. This continues in the same way. When the last datagram arrives at the destination host, its TTL is 1. The host neither forwards the datagram nor decrements the TTL. However, the IP datagram encapsulates a UDP user datagram that cannot be delivered, so the destination host sends an ICMP destination unreachable error message to the source host.

In this way the source host achieves its goal: the ICMP messages sent by the routers and by the final destination host provide exactly the routing information the source host wants, namely the IP addresses of the routers on the path to the destination and the round-trip time to each of them.
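
The TTL mechanism described above can be simulated without sending any packets: each router decrements the TTL and answers with ICMP time exceeded when it reaches zero, and the destination answers with port unreachable. The following Python is an added example, not code from the original notes; the router addresses and one-way delays are constructed sample values. It also covers a router configured not to send ICMP errors, which real tools display as "*".

```python
# Added example (not from the original notes): simulation of the TTL mechanism
# behind tracert. Router addresses and delays are constructed sample values.

TIME_EXCEEDED = 11        # ICMP type 11, code 0: TTL reached zero in transit
DEST_UNREACHABLE = 3      # ICMP type 3, code 3: port unreachable at the destination

# Constructed path: (router address, one-way delay in ms), then the destination host.
SAMPLE_PATH = [("10.0.0.1", 1.0), ("172.16.0.1", 4.0), ("203.0.113.1", 10.0)]
SAMPLE_DESTINATION = ("198.51.100.7", 5.0)

def forward_probe(path, destination, ttl, silent=frozenset()):
    """Send one probe datagram with the given TTL along the path.

    Returns (sender, icmp_type, icmp_code, rtt_ms), or None when the router that
    would answer is in `silent` (it drops the datagram but sends no ICMP error).
    """
    elapsed = 0.0
    for router, delay in path:
        elapsed += delay
        ttl -= 1                         # every router decrements the TTL
        if ttl == 0:                     # ... and discards the datagram when it hits zero
            if router in silent:
                return None
            return (router, TIME_EXCEEDED, 0, 2 * elapsed)
    dest_addr, dest_delay = destination
    elapsed += dest_delay
    # The destination host neither forwards nor decrements the TTL; the UDP port
    # is not listening, so it answers with destination (port) unreachable.
    return (dest_addr, DEST_UNREACHABLE, 3, 2 * elapsed)

def traceroute(path, destination, max_hops=30, silent=frozenset()):
    """Probe with TTL 1, 2, 3, ... until the destination itself answers or max_hops is reached.

    Returns a list of (address, rtt_ms) per hop; a silent hop is recorded as ("*", None).
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(path, destination, ttl, silent)
        if reply is None:
            hops.append(("*", None))
            continue
        sender, icmp_type, _code, rtt = reply
        hops.append((sender, rtt))
        if icmp_type == DEST_UNREACHABLE:
            break                        # the destination answered: the path is complete
    return hops

if __name__ == "__main__":
    for hop_number, (addr, rtt) in enumerate(traceroute(SAMPLE_PATH, SAMPLE_DESTINATION), 1):
        print(hop_number, addr, "" if rtt is None else "%.1f ms" % rtt)
```

The `max_hops` cap reflects why real traceroute stops at a fixed hop count: if the destination never answers (for example because its ICMP replies are filtered), the loop would otherwise keep raising the TTL forever.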

4.5 Virtual Private Network (VPN)

Quoted:

Basic function

A virtual private network (VPN) establishes a private network on top of a public network for encrypted communication. It is widely used in enterprise networks. A VPN gateway provides remote access by encrypting data packets and translating their destination addresses. A VPN can be implemented by servers, hardware, software and other means.

Working principle

  • A VPN gateway generally has a dual-adapter structure: the external adapter uses a public IP address to access the Internet.

  • Terminal A on network 1 accesses terminal B on network 2. The destination IP address of the access packet sent by terminal A is the internal IP address of terminal B.

  • When the VPN gateway of network 1 receives the access packet from terminal A, it checks the destination address. If the destination address belongs to network 2, the packet is encapsulated. The encapsulation method depends on the VPN technology in use, and a new VPN packet is constructed whose payload is the encapsulated original packet. The destination address of the VPN packet is the external address of the VPN gateway of network 2.

  • The VPN gateway of network 1 sends the VPN packet onto the Internet. Because the destination address of the VPN packet is the external address of the VPN gateway of network 2, Internet routing delivers the VPN packet correctly to that gateway.

  • The VPN gateway of network 2 examines the received packet. If the packet was sent by the VPN gateway of network 1, it determines that the packet is a VPN packet and unpacks it. During unpacking the VPN packet header is stripped, the payload is processed in reverse, and the original packet is restored.

  • The VPN gateway of network 2 sends the restored original packet to the destination terminal B. Since the destination address of the original packet is the IP address of terminal B, the packet is delivered correctly to terminal B. From terminal B's point of view, it receives a packet as if it had been sent directly by terminal A.

  • Packets from terminal B back to terminal A are processed in the same way, so the terminals in the two networks can communicate with each other.
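
The gateway behaviour in the steps above (check whether the destination belongs to a peer network, encapsulate the original packet as the payload of a new packet addressed to the peer gateway's external address, and at the far end accept only packets from a known peer gateway before unpacking) is shown below as an added example in Python. It is not code from the original notes or from any VPN product. Because the notes say the encapsulation depends on the VPN technology, the "encryption" here is a clearly labelled placeholder (a SHA-256-derived XOR keystream plus an HMAC tag), not a secure cipher; all addresses, networks and the pre-shared key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import asdict, dataclass

@dataclass
class Packet:
    """Simplified IP packet: addresses as strings, payload as text (hex for VPN packets)."""
    src: str
    dst: str
    payload: str

def _toy_xor_cipher(key: bytes, context: bytes, data: bytes) -> bytes:
    """Placeholder for the real VPN cipher: XOR with a SHA-256 keystream. NOT secure."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + context + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class VpnGateway:
    """Dual-adapter gateway: an internal network on one side, a public external address on the other."""

    def __init__(self, internal_net: str, external_ip: str, key: bytes):
        self.internal_net = ipaddress.ip_network(internal_net)
        self.external_ip = external_ip
        self.key = key                      # pre-shared key, assumed shared with all peers
        self.peers = {}                     # peer external IP -> peer internal network
        self.counter = 0                    # per-packet nonce counter

    def add_peer(self, external_ip: str, internal_net: str) -> None:
        self.peers[external_ip] = ipaddress.ip_network(internal_net)

    def handle_outbound(self, pkt: Packet) -> Packet:
        """Packet from the internal adapter: encapsulate if its destination lies in a peer network."""
        dst = ipaddress.ip_address(pkt.dst)
        for peer_ip, peer_net in self.peers.items():
            if dst in peer_net:
                self.counter += 1
                nonce = self.counter.to_bytes(8, "big")
                context = nonce + self.external_ip.encode()   # binds keystream to sender and nonce
                inner = json.dumps(asdict(pkt)).encode()
                ciphertext = _toy_xor_cipher(self.key, context, inner)
                tag = hmac.new(self.key, context + ciphertext, hashlib.sha256).digest()
                # New outer header: our external address -> the peer gateway's external address
                return Packet(self.external_ip, peer_ip, (nonce + tag + ciphertext).hex())
        return pkt                          # ordinary traffic is forwarded unchanged

    def handle_inbound(self, pkt: Packet) -> Packet:
        """Packet from the external adapter: unpack only VPN packets from a known peer gateway."""
        if pkt.src not in self.peers or pkt.dst != self.external_ip:
            raise ValueError("not a VPN packet from a known peer gateway")
        raw = bytes.fromhex(pkt.payload)
        nonce, tag, ciphertext = raw[:8], raw[8:40], raw[40:]
        context = nonce + pkt.src.encode()
        expected = hmac.new(self.key, context + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed; packet dropped")
        inner = Packet(**json.loads(_toy_xor_cipher(self.key, context, ciphertext)))
        if ipaddress.ip_address(inner.dst) not in self.internal_net:
            raise ValueError("restored packet is not addressed to this network")
        return inner

# Constructed topology: network 1 behind GW1, network 2 behind GW2 (sample addresses).
SHARED_KEY = b"example-pre-shared-key"
GW1 = VpnGateway("10.1.0.0/16", "203.0.113.10", SHARED_KEY)
GW2 = VpnGateway("10.2.0.0/16", "198.51.100.20", SHARED_KEY)
GW1.add_peer("198.51.100.20", "10.2.0.0/16")
GW2.add_peer("203.0.113.10", "10.1.0.0/16")

def round_trip(pkt: Packet) -> Packet:
    """Terminal A -> GW1 -> Internet -> GW2 -> terminal B; returns what terminal B receives."""
    return GW2.handle_inbound(GW1.handle_outbound(pkt))

if __name__ == "__main__":
    original = Packet("10.1.0.5", "10.2.0.8", "hello B")
    print(GW1.handle_outbound(original))
    print(round_trip(original))
```

Two checks in `handle_inbound` correspond to the fifth step of the notes and are easy to omit in practice: the outer source address must be a configured peer gateway, and the restored inner packet must actually be addressed to this gateway's own internal network, so a peer cannot use the tunnel to inject traffic toward arbitrary destinations.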