TITLE(« Network down, IP packets delivered via UPS. -- BOFH excuse #427 », __file__) OVERVIEW(« Networking is a complex and diverse area of computer science. This page can only scratch the surface of some essential networking concepts, aiming to convey enough background knowledge to understand more specific and thorough articles on the subject matter and to encourage the reader to explore the vast freely available literature. We cover the four layers of the TCP/IP interconnection model in some detail and look at a small subset of networking tools, including SSH. The chapter concludes with a short overview of the Linux-specific Netlink subsystem. ») SECTION(«Network Layers»)
define(«nl_width», «260») define(«nl_height», «200») define(«nl_box_width», «100») define(«nl_text_offset», «110») define(«nl_box_height», «eval((nl_height() - 10) / 5)») define(«nl_layer_width», «eval(nl_box_width() / 4)») define(«nl_font_size», «15») dnl $1: layer (link/internet/transport/application) dnl $2: box number (0-4), $3: row-span, $4: column-span, $5: color define(«nl_box», « ») dnl $1: box number (see nl_box()), $2: text define(«nl_text», « $2 ») nl_box(«link», «0», «1», «#a22») nl_box(«link», «1», «3», «#7e5») nl_box(«link», «4», «1», «blue») nl_box(«internet», «1», «1», «yellow») nl_box(«internet», «2», «2», «#7e5») nl_box(«transport», «2», «1», «orange») nl_box(«transport», «3», «1», «#7e5») nl_box(«application», «3», «1», «#7e5») nl_text(«0», «Frame Header») nl_text(«1», «IP Header») nl_text(«2», «TCP/UDP Header») nl_text(«3», «Data») nl_text(«4», «Frame Footer»)

The Open Systems Interconnection (OSI) model describes network communication by subdividing the data flow into abstraction layers. This model was published as an ISO standard in 1984 and comprises seven independent layers. A similar model with only four layers, known as the TCP/IP interconnection model, was proposed in RFC 1122 (1989). The TCP/IP model does not consider physical specifications, so it has no counterpart to the physical layer of the OSI model. Moreover, the three top layers in the OSI model are not distinguished in the TCP/IP model.

The four layers of the TCP/IP model (link, internet, transport, and application) are illustrated in the diagram on the left. The link layer receives the full ethernet frame (left column). It reads and interprets the frame header (red) and footer (blue), and regards the remaining part as data (green), to be passed uninterpreted to the next layer. The internet layer (second column) expects an IP packet and interprets the first part of the data as the IP header (yellow). It hands off the rest as a TCP/UDP packet to the transport layer (third column) which in turn reads and strips off its header (orange). The application layer only sees the green part in the fourth column. Each layer is discussed in a dedicated section.

EXERCISES() SECTION(«Link Layer»)

The local network connection of a host is called its link. The link layer is responsible for transmitting packets between two hosts on the same link, that is, between directly connected nodes. The link layer includes the protocols which maintain link states such as the Address Resolution Protocol (ARP). Several link types exist, the ubiquitous ethernet being the only one to be discussed here. For ethernet links, the protocol is specified in terms of the media access control (MAC) addresses of ethernet frames.

SUBSECTION(«Ethernet Bridging»)

An ethernet bridge connects two or more networks by relaying ethernet frames between the participating devices. This is described in an official standard, the first revision of which was published in 1990. This standard can be implemented within a dedicated hardware device, for example a network switch, or in software as part of the operating system. Many software and hardware implementations exist, and they are compatible with each other because they all implement the same protocol. Since ethernet bridges operate on the link layer, they are transparent to higher level protocols like IP.

At the core of each bridge implementation there is the forwarding database whose entries are indexed by the MAC addresses that have recently been seen. Each time the bridge receives an ethernet frame, the destination MAC address is looked up in the database to determine the device to which the frame should be relayed. If no entry exists, the frame is sent to all devices except the one it came from, with the expectation that all devices but one will ignore the frame. This is called flooding. From the source address of the (single) reply a new database entry is created. This prevents further flooding. Entries are removed from the database by aging: If no frames have been received from a MAC address for the duration of a time interval called aging time, the entry is removed from the database.
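The learning, flooding and aging behaviour just described, as an added illustration in C that is not the Linux bridge code and not part of this chapter: a toy forwarding database keyed by MAC address. The table size, the port numbering and the time stamps are assumptions of the example; the 300 second aging time is the Linux default. bridge_demo() replays a short exchange between two hosts and checks each forwarding decision.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDB_SIZE 16          /* constructed limit; real tables are much larger */
#define BR_FLOOD (-1)        /* relay to all ports except the ingress port */
#define BR_DROP  (-2)        /* destination sits on the ingress port: filter */

struct fdb_entry {
	uint8_t mac[6];
	int port;            /* bridge port on which mac was last seen */
	unsigned last_seen;  /* time (seconds) of the last frame from mac */
	int valid;
};

struct bridge {
	struct fdb_entry fdb[FDB_SIZE];
	unsigned aging_time; /* seconds; 300 is the Linux default */
};

static struct fdb_entry *fdb_lookup(struct bridge *br, const uint8_t *mac)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (br->fdb[i].valid && memcmp(br->fdb[i].mac, mac, 6) == 0)
			return &br->fdb[i];
	return NULL;
}

/* Learning: remember (or refresh) the port on which src was seen. */
static void fdb_learn(struct bridge *br, const uint8_t *src, int port, unsigned now)
{
	struct fdb_entry *e = fdb_lookup(br, src);

	if (!e) {
		for (int i = 0; i < FDB_SIZE && !e; i++)
			if (!br->fdb[i].valid)
				e = &br->fdb[i];
		if (!e)
			return;      /* table full: the address stays unknown */
		memcpy(e->mac, src, 6);
		e->valid = 1;
	}
	e->port = port;
	e->last_seen = now;
}

/* Aging: forget addresses not seen within aging_time seconds. */
static void fdb_age(struct bridge *br, unsigned now)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (br->fdb[i].valid && now - br->fdb[i].last_seen > br->aging_time)
			br->fdb[i].valid = 0;
}

/* Decide where a frame that arrived on in_port is relayed: a port number,
 * BR_FLOOD, or BR_DROP. */
int bridge_forward(struct bridge *br, int in_port, const uint8_t *dst,
		const uint8_t *src, unsigned now)
{
	struct fdb_entry *e;

	fdb_age(br, now);
	fdb_learn(br, src, in_port, now);
	if (dst[0] & 1)          /* group bit: broadcast/multicast always floods */
		return BR_FLOOD;
	e = fdb_lookup(br, dst);
	if (!e)
		return BR_FLOOD;     /* unknown unicast destination */
	return e->port == in_port ? BR_DROP : e->port;
}

/* Constructed scenario: hosts A and B on ports 1 and 2, host C on port 2.
 * Returns 0 if the bridge floods, learns, forwards and ages out as described. */
int bridge_demo(void)
{
	struct bridge br = { .aging_time = 300 };
	const uint8_t a[6] = { 0x02, 0, 0, 0, 0, 0xaa };
	const uint8_t b[6] = { 0x02, 0, 0, 0, 0, 0xbb };
	const uint8_t c[6] = { 0x02, 0, 0, 0, 0, 0xcc };
	const uint8_t bcast[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

	if (bridge_forward(&br, 1, b, a, 0) != BR_FLOOD)   /* B unknown: flood */
		return 1;
	if (bridge_forward(&br, 2, a, b, 1) != 1)          /* A was learned on port 1 */
		return 2;
	if (bridge_forward(&br, 1, b, a, 2) != 2)          /* B learned from its reply */
		return 3;
	if (bridge_forward(&br, 2, b, c, 3) != BR_DROP)    /* C to B: same port, filter */
		return 4;
	if (bridge_forward(&br, 1, bcast, a, 4) != BR_FLOOD)
		return 5;
	if (bridge_forward(&br, 1, b, a, 400) != BR_FLOOD) /* B aged out after 300 s */
		return 6;
	return 0;
}

int main(void)
{
	printf("bridge_demo: %s\n", bridge_demo() == 0 ? "ok" : "FAILED");
	return 0;
}
```

The decision at step 4 is the one that makes a bridge more than a hub: once the destination is known to sit behind the port the frame came from, the frame is filtered rather than repeated to every other port.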

The Linux ethernet bridge implementation dates back to 1999. Two different tools are available to create and configure bridges: brctl(8) and bridge(8). The exercises of this section aim to get the reader started with both tools.

SUBSECTION(«Virtual Ethernet Interfaces»)

A bridge can accommodate physical devices like eth0 as well as virtual devices. On Linux systems the common approach to equip virtual machines with network interfaces employs the virtual ethernet (veth) device driver. This driver provides virtual pairs of devices where each pair represents an ethernet tunnel. Ethernet frames sent into one end of a pair come out at the other end. To set up the network interface for a virtual machine, one end of the pair is added to a bridge on the host system while the other end represents the ethernet device of the virtual machine.

EXERCISES() HOMEWORK(« ») SECTION(«Internet Layer»)

These days the term "internet" has acquired a rather broad meaning in that it refers to all kinds of network services. However, in the context of the TCP/IP interconnection model, the internet layer is named aptly because its purpose is to send packets across different networks, thereby enabling inter-networking. More precisely, packets are routed from the source network to the destination network, where both networks are identified by IP interface addresses. Although both the prevalent IPv4 and the next-generation IPv6 variant are being deployed actively worldwide, we shall only discuss IPv4 here.

The first part of each IP packet is the IP header, which is usually 20 bytes long. Besides the source and destination addresses, it contains an 8-bit protocol number which identifies the protocol carried in the data portion of the packet.

IP only provides an unreliable datagram transmission facility, which means that packets may be lost, duplicated, or delivered out of order. Moreover, packets may be fragmented and reassembled along the way.
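An added example (not from this chapter) of what the internet layer does with that header: it parses the fixed fields of an IPv4 header, verifies the header checksum, and performs the source address rewrite that the NAT homework answer later in this section describes, recomputing the checksum afterwards. The addresses and the packet are constructed for the illustration and the function names are the example's own; ipv4_known_vector() checks the checksum arithmetic against a commonly cited example header.

```c
#include <stdint.h>
#include <string.h>

/* Internet checksum (RFC 1071): one's complement of the one's complement sum
 * of the 16-bit words.  Over a header that already carries its checksum the
 * result is 0, which is how ipv4_parse() verifies it. */
static uint16_t inet_checksum(const uint8_t *buf, size_t n)
{
	uint32_t sum = 0;

	for (size_t i = 0; i + 1 < n; i += 2)
		sum += (uint32_t)buf[i] << 8 | buf[i + 1];
	if (n & 1)
		sum += (uint32_t)buf[n - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

static uint32_t get32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

static void put_checksum(uint8_t *pkt)
{
	uint16_t sum;

	pkt[10] = pkt[11] = 0;                 /* field must be 0 while summing */
	sum = inet_checksum(pkt, (pkt[0] & 0x0f) * 4);
	pkt[10] = sum >> 8; pkt[11] = sum;
}

struct ipv4_hdr {
	unsigned hdr_len, total_len;           /* bytes; hdr_len is IHL * 4 */
	uint8_t ttl, protocol;                 /* protocol: 1 ICMP, 6 TCP, 17 UDP */
	uint32_t src, dst;                     /* host byte order */
};

/* Parse the fixed fields.  Returns 0 on success, -1 if the buffer is too
 * short, the version is not 4, or the header checksum does not verify. */
int ipv4_parse(const uint8_t *pkt, size_t n, struct ipv4_hdr *h)
{
	if (n < 20 || pkt[0] >> 4 != 4)
		return -1;
	h->hdr_len = (pkt[0] & 0x0f) * 4;
	if (h->hdr_len < 20 || h->hdr_len > n || inet_checksum(pkt, h->hdr_len))
		return -1;
	h->total_len = pkt[2] << 8 | pkt[3];
	h->ttl = pkt[8];
	h->protocol = pkt[9];
	h->src = get32(pkt + 12);
	h->dst = get32(pkt + 16);
	return 0;
}

/* Write a 20-byte header without options: TTL 64, DF set, identification 0. */
void ipv4_build(uint8_t *pkt, uint16_t total_len, uint8_t protocol, uint32_t src, uint32_t dst)
{
	memset(pkt, 0, 20);
	pkt[0] = 0x45;                         /* version 4, IHL 5 */
	pkt[2] = total_len >> 8; pkt[3] = total_len;
	pkt[6] = 0x40;                         /* flags: don't fragment */
	pkt[8] = 64;
	pkt[9] = protocol;
	put32(pkt + 12, src);
	put32(pkt + 16, dst);
	put_checksum(pkt);
}

/* The outbound half of NAT: swap in the router's public address and fix
 * the header checksum so the packet still verifies at the next hop. */
void ipv4_rewrite_src(uint8_t *pkt, uint32_t new_src)
{
	put32(pkt + 12, new_src);
	put_checksum(pkt);
}

/* Commonly cited example header 4500 0073 0000 4000 4011 xxxx c0a8 0001
 * c0a8 00c7, whose checksum is b861. */
unsigned ipv4_known_vector(void)
{
	uint8_t pkt[20];

	ipv4_build(pkt, 0x73, 17, 0xc0a80001, 0xc0a800c7);
	return pkt[10] << 8 | pkt[11];
}

/* Constructed scenario with documentation addresses: a UDP packet from
 * 192.168.1.10 to 203.0.113.5 leaves through a NAT router whose public
 * address is 198.51.100.1.  Returns 0 if every step behaves as expected. */
int ipv4_demo(void)
{
	uint8_t pkt[28];                       /* 20-byte header + 8-byte UDP header */
	struct ipv4_hdr h;

	ipv4_build(pkt, sizeof pkt, 17, 0xc0a8010a, 0xcb007105);
	if (ipv4_parse(pkt, sizeof pkt, &h) || h.protocol != 17 || h.src != 0xc0a8010a)
		return 1;
	ipv4_rewrite_src(pkt, 0xc6336401);
	if (ipv4_parse(pkt, sizeof pkt, &h) || h.src != 0xc6336401 || h.dst != 0xcb007105)
		return 2;
	pkt[8]--;                              /* a hop decrements the TTL... */
	if (ipv4_parse(pkt, sizeof pkt, &h) == 0)
		return 3;                          /* ...and must update the checksum too */
	return 0;
}
```

Step 3 of ipv4_demo() shows why every router recomputes the header checksum after touching the TTL or an address: a receiver treats a header whose words no longer sum to zero as corrupt and discards it.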

EXERCISES() HOMEWORK(« Discuss the security implications of network services which are based on MAC addresses or IP addresses alone. », « Both the IP address and the MAC address are trivial to fake. So they should never be used to authenticate a user or a device on a network to which potential attackers have physical access, i.e., untrusted devices can be connected. ») HOMEWORK(« Illustrate how network address translation (NAT) works on the basis of a web search initiated from a desktop computer in a local network and discuss the implications that NAT has on privacy. », «

The desktop is configured to route packets which are not destined for the local network through a dedicated machine, called the router. In particular, all internet traffic is sent to the router. The router has two IP addresses: one address in the local network and a public NAT address. As traffic passes from the desktop through the router to the web server in the internet, the source address of each IP packet (the local address of the desktop) is changed on the fly to the public NAT address of the router. The router tracks each active connection. When a reply arrives at the router, it uses the connection tracking data stored during the outbound phase to determine the address in the local network to which to forward the reply. This time it overwrites the destination address of the IP packet with the local address of the desktop.

NAT can be seen as providing a kind of privacy mechanism because machines on the internet cannot monitor which hosts are sending and receiving traffic. They only see the NAT address. NAT also has downsides, though: pinpointing the source of a problem becomes harder, and encryption becomes more difficult. For example, the IP address cannot be encrypted because the router must be able to change it.

») HOMEWORK(« Run tracepath wikipedia.org. Explain how this command works and how it can be used to identify networking problems. ») SECTION(«Transport Layer»)

The protocols of the transport layer provide message transfer services which are on one hand independent of the underlying network type, and on the other hand independent of the application. Different network services running on the same host are distinguished by port numbers, which are 16 bit identifiers. Several well known port numbers are associated with specific applications. The two dominant transport layer protocols on top of IP, TCP and UDP, are discussed in the following subsections.

SUBSECTION(«The User Datagram Protocol»)

The User Datagram Protocol (UDP) is the simplest transport-layer protocol, built as a thin layer on top of IP. For this reason, it offers only the same best-effort service as IP itself. For example, there is no detection of duplicate or reordered packets, and no protection against packet loss or network congestion. However, UDP generates checksums to catch transmission errors. Since UDP is a connectionless protocol, only minimal internal state is maintained. This makes UDP suitable for applications which need to avoid the overhead of setting up a TCP connection, or for situations where on-time arrival is more important than reliability.
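How the UDP checksum mentioned above is computed, as an added example that is not from the chapter: the sum covers a pseudo-header containing the IP addresses, so a datagram is tied to the addresses it travels with, and a checksum value of 0 on the wire means the sender computed none. The datagram, the addresses and the function names are constructed for the illustration. The third step of udp_demo() shows a consequence for the NAT router described in the previous section: after rewriting an IP address it has to update the UDP checksum as well (TCP includes the same pseudo-header).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Add the 16-bit big-endian words of buf to acc; an odd last byte is padded with 0. */
static uint32_t sum16(uint32_t acc, const uint8_t *buf, size_t n)
{
	for (size_t i = 0; i + 1 < n; i += 2)
		acc += (uint32_t)buf[i] << 8 | buf[i + 1];
	if (n & 1)
		acc += (uint32_t)buf[n - 1] << 8;
	return acc;
}

/* Fold the carries back in: the one's complement sum. */
static uint16_t fold(uint32_t acc)
{
	while (acc >> 16)
		acc = (acc & 0xffff) + (acc >> 16);
	return (uint16_t)acc;
}

/* Checksum of a UDP datagram (8-byte header plus payload, n bytes in all)
 * carried in IPv4.  The pseudo-header ties the datagram to its addresses.
 * Bytes 6 and 7 (the checksum field) must be 0 while summing.  A result of
 * 0 is sent as 0xffff because 0 on the wire means "no checksum computed". */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t n)
{
	uint8_t pseudo[12] = {
		src >> 24, src >> 16, src >> 8, src,
		dst >> 24, dst >> 16, dst >> 8, dst,
		0, 17, n >> 8, n                  /* zero, protocol number, UDP length */
	};
	uint16_t c = ~fold(sum16(sum16(0, pseudo, sizeof pseudo), udp, n));

	return c ? c : 0xffff;
}

void udp_fill_checksum(uint32_t src, uint32_t dst, uint8_t *udp, size_t n)
{
	uint16_t c;

	udp[6] = udp[7] = 0;
	c = udp_checksum(src, dst, udp, n);
	udp[6] = c >> 8;
	udp[7] = c;
}

/* 1 if the checksum verifies, 0 if not, -1 if the sender computed none
 * (the receiver then has no integrity check at all on this datagram). */
int udp_verify(uint32_t src, uint32_t dst, const uint8_t *udp, size_t n)
{
	uint8_t copy[1500];
	uint16_t sent;

	if (n < 8 || n > sizeof copy)
		return 0;
	sent = (uint16_t)udp[6] << 8 | udp[7];
	if (sent == 0)
		return -1;
	memcpy(copy, udp, n);
	copy[6] = copy[7] = 0;
	return udp_checksum(src, dst, copy, n) == sent;
}

/* Constructed datagram: port 4242 to port 53, 192.0.2.10 to 192.0.2.53,
 * five payload bytes.  Returns 0 if every step behaves as expected. */
int udp_demo(void)
{
	uint32_t src = 0xc000020a, dst = 0xc0000235;
	uint8_t dg[13] = { 0x10, 0x92, 0x00, 0x35, 0x00, 13, 0, 0, 'h', 'e', 'l', 'l', 'o' };

	udp_fill_checksum(src, dst, dg, sizeof dg);
	if (udp_verify(src, dst, dg, sizeof dg) != 1)
		return 1;
	dg[8] ^= 0x20;                             /* corrupt one payload bit */
	if (udp_verify(src, dst, dg, sizeof dg) != 0)
		return 2;
	dg[8] ^= 0x20;
	if (udp_verify(src, dst + 1, dg, sizeof dg) != 0)   /* address changed, e.g. by NAT */
		return 3;
	dg[6] = dg[7] = 0;                          /* sender skipped the checksum */
	if (udp_verify(src, dst, dg, sizeof dg) != -1)
		return 4;
	return 0;
}

int main(void)
{
	printf("udp_demo: %d\n", udp_demo());
	return 0;
}
```

A rece iver that maps the -1 case to "valid" silently loses the only integrity check UDP offers; treating it as a separate, unprotected state is the safer design.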

SUBSECTION(«The Transmission Control Protocol»)

The Transmission Control Protocol (TCP) provides reliable, ordered delivery of a stream and a classic window-based congestion control. In contrast to UDP, TCP provides a stream which is independent of any packet boundaries. TCP is used extensively by many applications: HTTP (the Hypertext Transfer Protocol), FTP (the File Transfer Protocol), SMTP (the Simple Mail Transfer Protocol), and SSH (the Secure Shell) all sit on top of TCP.

EXERCISES() HOMEWORK(« ») SECTION(«Application Layer»)

Application layer protocols define how the server side of a network service communicates with clients that connect to a specific TCP or UDP port of the server. Services are often associated with port numbers which can be registered at the Internet Assigned Numbers Authority (IANA).

Examples for application layer protocols which are employed on top of TCP are the Hypertext Transfer Protocol (HTTP, port 80) and the Secure Shell Protocol (SSH, port 22). On top of UDP sit the Domain Name System (DNS, port 53), the Dynamic Host Configuration Protocol (DHCP, ports 67 and 68) and the Network Time Protocol (NTP, port 123).

We won't discuss any specific application layer protocols here. Instead, we look at some client programs.

SUBSECTION(«The Name Service Switch»)

Every Unix system needs a couple of (usually small) system databases for proper operation. Besides the user database, there are other databases for Unix group membership, the known hosts, network protocols, and more. Traditionally, there was only a single source for this information in the form of a configuration file per database, for example /etc/hosts for the hosts database. The format of each database file is described in the POSIX standard and in section 5 of the user manuals. This approach works well if the databases and the number of hosts which need to share the same databases are small. Larger organizations, however, have a need to maintain this information centrally by means of some network service. The Lightweight Directory Access Protocol (LDAP) and the Domain Name System (DNS) are popular choices for the user and the host/domain databases. Often the entries of the centralized network database have to be merged with the entries of the local file in /etc. This calls for a flexible method which lets the administrator specify the sources of information and the search order. Sun Microsystems came up with a clean solution to this problem named Name Service Switch (NSS) for the Solaris operating system. This solution was ported to most other Unix operating systems. The implementation used on GNU/Linux systems is part of the GNU C Library (glibc). The central configuration file for NSS is /etc/nsswitch.conf.
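An added example, not from the chapter and not glibc's code, of the mechanism NSS implements: nss_parse() reads the source list and the optional [STATUS=action] items of one nsswitch.conf line (the defaults SUCCESS=return and continue for everything else follow nsswitch.conf(5); the merge action and case-insensitive spellings are left out), and nss_lookup() walks the sources in that order against two constructed stand-in modules, "files" and "dns". set_dns_up(0) simulates an unreachable resolver, which is the situation where search order and actions matter most.

```c
#include <stdio.h>
#include <string.h>

enum status { SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN, NSTATUS };
enum action { RETURN, CONTINUE };
struct source { char name[16]; enum action act[NSTATUS]; };
struct nss_line { struct source src[8]; int nsrc; };

/* Apply one "STATUS=return|continue" item (spelling as in the manual page) to s. */
static int set_action(struct source *s, char *kv)
{
	static const char *stname[NSTATUS] = { "SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN" };
	char *eq = strchr(kv, '=');
	int ret = eq && strcmp(eq + 1, "return") == 0, cont = eq && strcmp(eq + 1, "continue") == 0;

	if (!ret && !cont)
		return 0;
	*eq = 0;
	for (int i = 0; i < NSTATUS; i++)
		if (strcmp(kv, stname[i]) == 0) {
			s->act[i] = ret ? RETURN : CONTINUE;
			return 1;
		}
	return 0;
}

/* Parse what follows "database:" on an nsswitch.conf line, for example
 * "files [NOTFOUND=return] dns".  Returns the number of sources, or -1. */
int nss_parse(const char *spec, struct nss_line *l)
{
	char tok[64];
	size_t n = 0;
	int inbr = 0, tok_in_br = 0;

	l->nsrc = 0;
	for (;; spec++) {
		char c = *spec;

		if (c && !strchr(" \t[]", c)) {        /* inside a token */
			if (n + 2 > sizeof tok)
				return -1;
			if (n == 0)
				tok_in_br = inbr;
			tok[n++] = c;
			continue;
		}
		if (n) {                                /* a token just ended */
			tok[n] = 0, n = 0;
			if (tok_in_br) {
				if (l->nsrc == 0 || !set_action(&l->src[l->nsrc - 1], tok))
					return -1;
			} else if (l->nsrc < 8) {
				struct source *s = &l->src[l->nsrc++];
				snprintf(s->name, sizeof s->name, "%s", tok);
				s->act[SUCCESS] = RETURN;       /* defaults from nsswitch.conf(5) */
				s->act[NOTFOUND] = s->act[UNAVAIL] = s->act[TRYAGAIN] = CONTINUE;
			} else
				return -1;
		}
		if (c == '[')
			inbr = 1;
		else if (c == ']')
			inbr = 0;
		else if (!c)
			return inbr ? -1 : l->nsrc;     /* -1: unterminated "[" */
	}
}

static int dns_up = 1;                          /* constructed: is the resolver reachable? */
void set_dns_up(int up) { dns_up = up; }

/* Constructed stand-ins for the files and dns modules. */
static enum status query(const char *src, const char *name, char *out, size_t n)
{
	const char *answer;

	if (strcmp(src, "files") == 0)
		answer = strcmp(name, "localhost") == 0 ? "127.0.0.1" : NULL;
	else if (strcmp(src, "dns") == 0 && dns_up)
		answer = strcmp(name, "www.example.org") == 0 ? "192.0.2.1" : NULL;
	else
		return UNAVAIL;                         /* resolver down or unknown module */
	if (!answer)
		return NOTFOUND;
	snprintf(out, n, "%s", answer);
	return SUCCESS;
}

/* Query the sources in the configured order until an action says "return". */
enum status nss_lookup(const struct nss_line *l, const char *name, char *out, size_t n)
{
	enum status st = NOTFOUND;

	for (int i = 0; i < l->nsrc; i++) {
		st = query(l->src[i].name, name, out, n);
		if (l->src[i].act[st] == RETURN)
			break;
	}
	return st;
}

/* Returns 0 if search order and actions behave as expected. */
int nss_demo(void)
{
	struct nss_line l;
	char a[32];

	if (nss_parse("files [NOTFOUND=return] dns", &l) != 2
	    || nss_lookup(&l, "www.example.org", a, sizeof a) != NOTFOUND)
		return 1;                               /* files says NOTFOUND: dns never asked */
	if (nss_parse("files dns", &l) != 2
	    || nss_lookup(&l, "www.example.org", a, sizeof a) != SUCCESS || strcmp(a, "192.0.2.1"))
		return 2;
	if (nss_parse("dns [NOTFOUND=return] files", &l) != 2
	    || nss_lookup(&l, "localhost", a, sizeof a) != NOTFOUND)
		return 3;                               /* dns answers NOTFOUND: stop there */
	set_dns_up(0);
	if (nss_lookup(&l, "localhost", a, sizeof a) != SUCCESS || strcmp(a, "127.0.0.1"))
		return 4;                               /* dns UNAVAIL: continue to files */
	set_dns_up(1);
	return nss_parse("files [NOTFOUND=return", &l) == -1 ? 0 : 5;
}

int main(void) { return nss_demo(); }
```

Steps 3 and 4 of nss_demo() are the two outcomes an administrator trades off when ordering "dns" before "files": a definite negative answer from DNS ends the search, while an unreachable resolver falls through to the local file.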

SUBSECTION(«Advanced SSH Features»)

SSH, the secure shell, is a popular client/server software package for logging into a remote machine. The name is a little misleading, though. For one, SSH is not a shell; it merely provides a method to run a shell. Second, it can do much more than just log in and start the shell. It features a secure encrypted communication channel between two hosts, and this channel can be utilized in interesting ways on both ends. In the exercises we look at TCP port forwarding, some useful configuration options, and public key authentication.

EXERCISES() HOMEWORK(« Explain the difference between local and remote port forwarding. Give a typical example for either type of forwarding. ») SECTION(«The Netlink Messaging System»)

The various layers and protocols discussed earlier in this chapter dealt with the communication between hosts which are connected by a network. The Linux-specific Netlink Interface, however, does not fit into this picture because it is a messaging system for passing network-related information between the kernel and a user space program, and vice-versa. Among other uses, tools like ip(8) and ifconfig(8) employ Netlink to configure network devices. Netlink is implemented on top of the socket infrastructure, so the communication link between a user space program and the kernel is established by means of the usual system calls socket(2), bind(2), connect(2), and messages are transferred by calling sendmsg(2) and recvmsg(2).

There are several netlink families which select the kernel subsystem to communicate with. We shall only be concerned with the NETLINK_ROUTE family, which is used to modify network routes, IP addresses, and more. The details of NETLINK_ROUTE are described in rtnetlink(7) while netlink(7) covers the general interface and the currently assigned families.

A Netlink message starts with a 16 byte header as defined by struct nlmsghdr. To report errors to userspace, Netlink provides a message type that encapsulates an error header defined by struct nlmsgerr. Both structures are declared in include/linux/netlink.h. Full Netlink messages, including the Netlink header, are transferred. Therefore the user space program has to implement a parser for both regular Netlink messages and Netlink error messages, as well as a primitive for setting up properly formatted Netlink messages to be sent to the kernel. Several user space libraries aim to help the programmer with this repetitive and error-prone task, the minimalistic Netlink library (libmnl) being the most popular one.
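An added example (illustration code, not libmnl and not from the chapter) of the two tasks just named: build_getlink_request() formats a NETLINK_ROUTE request using struct nlmsghdr and the NLMSG_* macros from the Linux header linux/netlink.h, and parse_reply() walks a buffer of replies, validating the length fields with NLMSG_OK and NLMSG_NEXT before trusting any payload and extracting the errno from an NLMSG_ERROR message. No socket is opened: build_constructed_reply() fabricates the byte buffers recvmsg(2) would return, so the code runs offline on any Linux system; the sequence number and the interface number are constructed values.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Format a RTM_GETLINK dump request (the message ip link uses to list
 * interfaces) into buf; returns the message length, or 0 if buf is too small. */
size_t build_getlink_request(uint8_t *buf, size_t bufsize, uint32_t seq)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct ifinfomsg *ifi;

	if (bufsize < NLMSG_SPACE(sizeof *ifi))
		return 0;
	memset(buf, 0, NLMSG_SPACE(sizeof *ifi));
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof *ifi);   /* header plus aligned payload */
	nlh->nlmsg_type = RTM_GETLINK;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
	nlh->nlmsg_seq = seq;                          /* replies carry it back */
	nlh->nlmsg_pid = 0;                            /* destination: the kernel */
	ifi = NLMSG_DATA(nlh);
	ifi->ifi_family = AF_UNSPEC;
	return nlh->nlmsg_len;
}

struct reply_summary {
	int regular;    /* ordinary (non-control) messages seen */
	int done;       /* NLMSG_DONE seen: end of a dump */
	int error;      /* errno from NLMSG_ERROR; 0 if none or an ACK */
	int truncated;  /* a message did not fit the buffer */
};

/* Walk every message in a buffer as filled in by recvmsg(2). */
void parse_reply(const uint8_t *buf, size_t size, uint32_t seq, struct reply_summary *r)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	int remaining = (int)size;

	memset(r, 0, sizeof *r);
	for (; ; nlh = NLMSG_NEXT(nlh, remaining)) {
		if (!NLMSG_OK(nlh, remaining)) {           /* length checks come first */
			r->truncated = remaining > 0;
			return;
		}
		if (nlh->nlmsg_seq != seq)
			continue;                              /* belongs to another request */
		if (nlh->nlmsg_type == NLMSG_DONE) {
			r->done = 1;
			return;
		}
		if (nlh->nlmsg_type == NLMSG_ERROR) {
			const struct nlmsgerr *err = NLMSG_DATA(nlh);
			if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof *err)) {
				r->truncated = 1;
				return;
			}
			r->error = -err->error;                /* kernel stores a negative errno */
			continue;
		}
		r->regular++;
	}
}

/* Constructed reply standing in for the kernel's: either one NLMSG_ERROR
 * carrying -err_errno, or (err_errno == 0) one RTM_NEWLINK multipart
 * message followed by NLMSG_DONE, as a successful dump produces. */
size_t build_constructed_reply(uint8_t *buf, size_t bufsize, uint32_t seq, int err_errno)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	size_t first = NLMSG_SPACE(err_errno ? sizeof(struct nlmsgerr) : sizeof(struct ifinfomsg));
	size_t total = first + (err_errno ? 0 : NLMSG_SPACE(sizeof(int)));

	if (bufsize < total)
		return 0;
	memset(buf, 0, total);
	nlh->nlmsg_seq = seq;
	if (err_errno) {
		struct nlmsgerr *err = NLMSG_DATA(nlh);
		nlh->nlmsg_len = NLMSG_LENGTH(sizeof *err);
		nlh->nlmsg_type = NLMSG_ERROR;
		err->error = -err_errno;                   /* 0 here would mean an ACK */
		err->msg.nlmsg_seq = seq;                  /* copy of the rejected request header */
		return total;
	}
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
	nlh->nlmsg_type = RTM_NEWLINK;
	nlh->nlmsg_flags = NLM_F_MULTI;
	((struct ifinfomsg *)NLMSG_DATA(nlh))->ifi_index = 1;   /* constructed interface number */
	nlh = (struct nlmsghdr *)(buf + first);
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(int));            /* DONE carries an int status */
	nlh->nlmsg_type = NLMSG_DONE;
	nlh->nlmsg_seq = seq;
	return total;
}

/* Returns 0 if request formatting and all three parsing cases behave as expected. */
int netlink_demo(void)
{
	uint8_t buf[128];
	struct reply_summary r;
	size_t n = build_getlink_request(buf, sizeof buf, 7);

	if (n != NLMSG_LENGTH(sizeof(struct ifinfomsg)))
		return 1;
	n = build_constructed_reply(buf, sizeof buf, 7, EPERM);
	parse_reply(buf, n, 7, &r);
	if (r.error != EPERM || r.regular != 0 || r.truncated)
		return 2;
	n = build_constructed_reply(buf, sizeof buf, 7, 0);
	parse_reply(buf, n, 7, &r);
	if (r.regular != 1 || !r.done || r.error)
		return 3;
	parse_reply(buf, n - 8, 7, &r);                /* buffer cut short: DONE incomplete */
	return !r.truncated || r.done ? 4 : 0;
}

int main(void) { return netlink_demo(); }
```

The last case in netlink_demo() is the one that matters for robustness: NLMSG_OK rejects a header whose nlmsg_len exceeds the bytes actually received, so a parser that checks it before dereferencing NLMSG_DATA never reads past the end of the buffer.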

SUPPLEMENTS() SUBSECTION(«cryptout.c»)
	
		/* Compile with: cc -o cryptout cryptout.c -lcrypt */
		#include <stdlib.h>
		#include <crypt.h>
		#include <stdio.h>
		#include <sys/random.h>

		/* The 64 characters permitted in a crypt(3) salt. */
		static const char set[] =
			"abcdefghijklmnopqrstuvwxyz"
			"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
			"0123456789./";

		int main(int argc, char **argv)
		{
			unsigned char rnd[2];
			char salt[3], *result;

			if (argc < 2) {
				fprintf(stderr, "usage: %s <password>\n", argv[0]);
				exit(EXIT_FAILURE);
			}
			/* Two random bytes from the kernel select the two salt characters. */
			if (getrandom(rnd, 2, 0) != 2)
				exit(EXIT_FAILURE);
			salt[0] = set[rnd[0] & 63];
			salt[1] = set[rnd[1] & 63];
			salt[2] = '\0';	/* crypt() expects a NUL-terminated salt string */
			/* A two-character salt selects the traditional DES-based scheme. */
			result = crypt(argv[1], salt);
			if (!result)
				exit(EXIT_FAILURE);
			printf("%s\n", result);
			exit(EXIT_SUCCESS);
		}