CCNA 2 - 3th Ed Web Chapter 10

The document discusses TCP and UDP protocols at the transport layer. It covers TCP synchronization through the three-way handshake process, denial of service attacks like SYN flooding, windowing and flow control, sequencing numbers, acknowledgments, ports for services and clients, and comparisons between MAC addresses, IP addresses, and port numbers. The document provides an overview of key concepts for CCNA certification exams.

Uploaded by clu5t3r

CCNA 2 Third Edition Web: Chapter 10

Overview ........................................................................................................................................ - 2 -
TCP operation ............................................................................................................................... - 3 -
Synchronization or three-way handshake ................................................................................ - 4 -
Denial of service attacks ............................................................................................................. - 6 -
Windowing and window size....................................................................................................... - 8 -
Sequencing numbers ................................................................................................................. - 10 -
Positive acknowledgments ....................................................................................................... - 12 -
UDP operation ............................................................................................................................ - 14 -
Multiple conversations between hosts .................................................................................... - 16 -
Ports for services........................................................................................................................ - 19 -
Ports for clients ........................................................................................................................... - 22 -
Port numbering and well-known port numbers ...................................................................... - 24 -
Example of multiple sessions between hosts ........................................................................ - 25 -
Comparison of MAC addresses, IP addresses, and port numbers .................................... - 26 -
Summary...................................................................................................................................... - 27 -
Overview

Routers use the IP address information in an IP packet header to determine the interface to which a packet
should be switched based on its destination. Since IP does not ensure that the packet reaches the
destination, it is described as an unreliable, connectionless protocol that uses best-effort delivery. If packets
are dropped en route, arrive in the wrong order, or are transmitted faster than the receiver can accept them,
IP alone cannot correct the problem. To address these problems, IP relies on TCP. This module describes
TCP and its functions and introduces UDP, another important Layer 4 protocol.

Each layer within the OSI reference model has various functions. These functions are independent of the
other layers. Each layer expects to receive services from the layer beneath it, and each layer provides
certain services to the layer above it. The application, presentation, and session layers of the OSI model,
which are all considered to be part of the application layer in the TCP/IP model, access the services of the
transport layer through logical entities called ports. This module will introduce the concept of ports and will
explain the critical importance of ports and port numbers in data networking.

This module covers some of the objectives for the CCNA 640-801, INTRO 640-821, and ICND 640-811
exams.

Students who complete this module should be able to perform the following tasks:

• Describe TCP and its functions
• Describe TCP synchronization and flow control
• Describe UDP operation and processes
• Identify common port numbers
• Describe multiple conversations between hosts
• Identify ports used for services and clients
• Describe port numbering and well-known ports
• Understand the differences and the relationship between MAC addresses, IP addresses, and port
numbers

TCP operation

This page will explain how the transport layer provides reliability and flow control.

IP addresses allow for the routing of packets between networks. However, IP makes no guarantees about
delivery. The transport layer is responsible for the reliable transport of and regulation of data flow from
source to destination. This is accomplished through the use of sliding windows and sequencing numbers
along with a synchronization process. This process ensures that each host is ready and willing to
communicate.

To understand reliability and flow control, think of a student who studies a foreign language for one year.
Now imagine the student visits a country where the language is used. The student must ask people to repeat
their words for reliability and to speak slowly for comprehension, which relates to the concept of flow control.
The transport layer, which is Layer 4 of the OSI model, uses TCP to provide these services to Layer 5.

The next page will describe the concept of synchronization.

Synchronization or three-way handshake

This page will explain the synchronization process that TCP uses. The process is also called a three-way
handshake.

TCP is a connection-oriented protocol. Prior to data transmission, the two communicating hosts go through a
synchronization process to establish a virtual connection for each session between hosts. This
synchronization process ensures that both sides are ready for data transmission and allows the devices to
determine the initial sequence numbers for that session. This process is known as a three-way handshake.
This is a three-step process that establishes the virtual connection between the two devices. It is also
important to note that the three-way handshake is initiated by a client host. To establish a TCP session, the
client host will use the well-known port number of the service it wishes to contact on a server host.

In step one, the initiating host (client) sends a synchronization (SYN flag set) packet to initiate a connection.
This indicates that the segment carries a valid initial Sequence Number value, x, for this session.
The SYN bit set in the header indicates a connection request. The SYN bit is a single bit in the code field of
the TCP segment header. The Sequence Number is a 32-bit field in the TCP segment header.

In step two, the other host receives the packet, records the Sequence Number of x from the client, and
replies with an acknowledgment (ACK flag set). The ACK control bit set indicates that the Acknowledgment
Number field contains a valid acknowledgment value. The ACK flag is a single bit in the code field of the
TCP segment header and the Acknowledgment Number is a 32-bit field in the TCP segment header. Once a
connection is established, the ACK flag is set for all segments during the session. The Acknowledgment
Number field contains the next sequence number that this host is expecting to receive (x + 1). The
Acknowledgment Number of x + 1 means the host has received all bytes up to and including x, and expects
to next receive byte x + 1. The host also initiates a return session. This includes a TCP segment with its own
initial Sequence Number value of y and with the SYN flag set.

In step three, the initiating host responds with a simple Acknowledgment Number value of y + 1, which is the
Sequence Number value of Host B + 1. This indicates that it received the previous acknowledgment and
finalizes the connection process for this session.

It is important to understand that initial sequence numbers are used to initiate communication between two
devices. They act as reference starting numbers between the two devices. The sequence numbers give
each host a way to acknowledge so that the receiver knows the sender is responding to the proper
connection request.
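The three steps above, worked through as an added Python model (this is example code written for this page, not part of the Cisco curriculum or any real TCP stack). It tracks only the header fields the handshake uses: the SYN and ACK flags, the 32-bit Sequence Number and Acknowledgment Number. The `Host` and `Segment` classes, the `choose_isn` function and the port numbers 1045 and 80 are assumptions for the example. The point it adds to the text is the check on the receiving side: each host accepts the acknowledgment only if it equals its own initial sequence number plus one, which is how "the receiver knows the sender is responding to the proper connection request".

```python
import random
from dataclasses import dataclass

MAX_SEQ = 2 ** 32  # Sequence Number and Acknowledgment Number are 32-bit fields


@dataclass
class Segment:
    """Constructed model of the header fields the handshake uses (no data, no checksum)."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False


class Host:
    """Hypothetical endpoint: remembers its own ISN, the peer's ISN and a state name."""

    def __init__(self, port):
        self.port = port
        self.isn = None        # our initial sequence number (x for the client, y for the server)
        self.peer_seq = None   # the ISN recorded from the other side
        self.state = "CLOSED"


def choose_isn():
    # Assumption for the example: a random 32-bit value. A real stack has its own ISN scheme.
    return random.randrange(MAX_SEQ)


def client_syn(client, server_port):
    """Step one: SYN carrying the client's initial Sequence Number x."""
    client.isn = choose_isn()
    client.state = "SYN-SENT"
    return Segment(client.port, server_port, seq=client.isn, ack=0, syn=True)


def server_syn_ack(server, syn):
    """Step two: record x, acknowledge x + 1, and open the return session with ISN y."""
    if not syn.syn or syn.ack_flag:
        raise ValueError("expected a SYN without ACK")
    server.peer_seq = syn.seq
    server.isn = choose_isn()
    server.state = "SYN-RECEIVED"
    return Segment(server.port, syn.src_port, seq=server.isn,
                   ack=(syn.seq + 1) % MAX_SEQ, syn=True, ack_flag=True)


def client_ack(client, syn_ack):
    """Step three: verify the server acknowledged our x, then acknowledge its y + 1."""
    if not (syn_ack.syn and syn_ack.ack_flag):
        raise ValueError("expected SYN+ACK")
    if syn_ack.ack != (client.isn + 1) % MAX_SEQ:
        raise ValueError("ACK does not match our ISN: not a reply to our request")
    client.peer_seq = syn_ack.seq
    client.state = "ESTABLISHED"
    return Segment(client.port, syn_ack.src_port, seq=(client.isn + 1) % MAX_SEQ,
                   ack=(syn_ack.seq + 1) % MAX_SEQ, ack_flag=True)


def server_complete(server, ack):
    """The server accepts the final ACK only if it acknowledges its own y + 1."""
    if ack.syn or not ack.ack_flag:
        raise ValueError("expected a plain ACK")
    if ack.ack != (server.isn + 1) % MAX_SEQ:
        raise ValueError("ACK does not match our ISN: dropping")
    server.state = "ESTABLISHED"


def handshake(client, server):
    """Run the three steps and return the three segments for inspection."""
    syn = client_syn(client, server.port)
    syn_ack = server_syn_ack(server, syn)
    ack = client_ack(client, syn_ack)
    server_complete(server, ack)
    return syn, syn_ack, ack


if __name__ == "__main__":
    c, s = Host(1045), Host(80)
    for segment in handshake(c, s):
        print(segment)
    print(c.state, s.state)
```

Run it and the three printed segments show SYN (seq x), SYN+ACK (seq y, ack x + 1) and ACK (seq x + 1, ack y + 1); a final ACK whose Acknowledgment Number is not y + 1 is rejected and the server stays in SYN-RECEIVED.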

The Interactive Media Activity will help students understand synchronization.

The next page will discuss denial of service attacks.

Denial of service attacks

This page will teach students about denial of service (DoS) attacks. DoS attacks are designed to deny
services to legitimate hosts that try to establish connections. DoS attacks are commonly used by hackers to
halt system responses. One type of DoS is known as SYN flooding. SYN flooding exploits the normal three-way
handshake and causes targeted devices to acknowledge to source addresses that will not complete the
handshake.

The three-way handshake begins when the initiating host sends a SYN packet. The SYN packet includes the
source IP address and the destination IP address. This source and destination address information is used
by the recipient to send the acknowledgment packet back to the initiating device.

In a DoS attack, the hacker initiates a SYN but spoofs the source IP address. Because the source address is
spoofed, the receiving device replies to a non-existent, unreachable IP address and is then placed in a wait
state until it receives the final acknowledgment from the initiator. The waiting request is placed in a
connection queue or a holding area in memory. This wait state requires the attacked device to use system
resources, such as memory, until the connection timer times out. Hackers flood the attacked host with false
SYN requests to use up all of its connection resources and prevent it from responding to legitimate
connection requests.

To defend against these attacks, system administrators may decrease the connection timeout period and
increase the connection queue size. Software also exists that can detect these types of attacks and initiate
defensive measures.
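What the "software that can detect these types of attacks" looks like at its simplest, as an added example (not from the curriculum): a Python script that reads connection-table lines in the layout of `netstat -ant` output, counts half-open connections per local port, and flags a port when they pile up relative to established ones. The sample lines are constructed, the addresses come from documentation ranges, the state name `SYN_RECV` is the Linux spelling (other systems print `SYN_RECEIVED`), and the `threshold` and `ratio` values are illustrative assumptions that must be tuned against the host's normal baseline.

```python
from collections import Counter, defaultdict

# Constructed sample in the column layout of `netstat -ant` (Proto Recv-Q Send-Q
# Local Foreign State); not captured from a real host. Addresses are documentation ranges.
SAMPLE = """\
tcp  0  0  192.0.2.10:80   198.51.100.7:41233  ESTABLISHED
tcp  0  0  192.0.2.10:80   203.0.113.21:5001   SYN_RECV
tcp  0  0  192.0.2.10:80   203.0.113.22:5002   SYN_RECV
tcp  0  0  192.0.2.10:80   203.0.113.23:5003   SYN_RECV
tcp  0  0  192.0.2.10:80   203.0.113.24:5004   SYN_RECV
tcp  0  0  192.0.2.10:80   203.0.113.25:5005   SYN_RECV
tcp  0  0  192.0.2.10:25   198.51.100.9:50112  ESTABLISHED
tcp  0  0  192.0.2.10:25   198.51.100.9:50113  SYN_RECV
"""


def parse_netstat(text):
    """Turn netstat-style lines into dicts; anything that is not a TCP row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local_ip, local_port = parts[3].rsplit(":", 1)
        remote_ip, remote_port = parts[4].rsplit(":", 1)
        rows.append({"local_ip": local_ip, "local_port": int(local_port),
                     "remote_ip": remote_ip, "remote_port": int(remote_port),
                     "state": parts[5]})
    return rows


def half_open_report(rows, threshold=5, ratio=2.0):
    """Per local port: half-open (SYN_RECV) versus established connections.

    A port is flagged when half-open connections reach `threshold` and outnumber
    established ones by `ratio`; both values are illustrative assumptions.
    """
    half_open, established = Counter(), Counter()
    sources = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_RECV":
            half_open[r["local_port"]] += 1
            sources[r["local_port"]].add(r["remote_ip"])
        elif r["state"] == "ESTABLISHED":
            established[r["local_port"]] += 1
    report = {}
    for port in set(half_open) | set(established):
        ho, est = half_open[port], established[port]
        report[port] = {
            "half_open": ho,
            "established": est,
            "distinct_sources": len(sources[port]),
            "suspicious": ho >= threshold and ho >= ratio * max(est, 1),
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(half_open_report(parse_netstat(SAMPLE)).items()):
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"port {port}: {info['half_open']} half-open / {info['established']} established "
              f"from {info['distinct_sources']} sources -> {flag}")
```

On the sample, port 80 is flagged (five half-open connections from five different sources against one established) while port 25 is not. Many distinct, never-completing sources for one service is the signature the page describes; the response is the one it names, a shorter connection timeout and a larger connection queue, applied once the flag fires.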

The next page will discuss the concept of windowing.

Windowing and window size

This page will explain how TCP uses windows to provide flow control.

The amount of data that needs to be transmitted is often too large to be sent in a single data segment. In this
case, the data must be broken into smaller pieces to allow for proper data transmission. TCP is responsible
for breaking data into segments. This can be compared to the way that small children are fed. Their food is
cut into smaller pieces that their mouths can accommodate. Additionally, a device may not be able to receive
data as quickly as the source can send it. The device may be busy with other tasks or the sender may be a
more robust device.

Once the data is segmented, it must be transmitted to the destination device. One of the services provided
by TCP is flow control, which regulates how much data is sent during a given transmission period. The
process of flow control is known as windowing.

Window size determines the amount of data that can be transmitted at one time before the destination
responds with an acknowledgment. After a host transmits the window-sized number of bytes, the host must
receive an acknowledgment that the data has been received before it can send any more data. For example,
if the window size is 1, each byte must be acknowledged before the next byte is sent.

TCP utilizes windowing to dynamically determine transmission size. Devices negotiate a window size to
allow a specific number of bytes to be transmitted before an acknowledgment.

This process of dynamically varying the window size increases reliability. The window size can be varied
based upon acknowledgments.

The Interactive Media Activity will help students understand the concept of windowing.

The next page describes TCP sequence numbers.

Sequencing numbers

This page explains how TCP uses sequence numbers for reliable data transmissions.

TCP breaks data into segments. After the synchronization process occurs and the window size has been
established, the data segments are transported from the sender to the receiver. The data segments must be
reassembled after all the data is received. There is no guarantee that the data will arrive in the order it was
transmitted. TCP applies sequence numbers to the data segments that are transmitted so that the receiver
can reassemble the bytes in their original order. This way, if TCP segments arrive out of order, the segments
will still be assembled correctly.

These sequencing numbers also act as reference numbers so that the receiver will know if it has received all
of the data. They also identify the missing data pieces to the sender so it can retransmit the missing data.
This offers increased efficiency since the sender only needs to resend the missing segments instead of the
entire set of data.

Each TCP segment is numbered before transmission.

The sequence number portion comes after the destination port in the segment format. At the receiving
station, TCP uses the sequence numbers to reassemble the segments into a complete message. If a
sequence number is missing in the series, that segment is retransmitted.

The next page discusses positive acknowledgments.

Positive acknowledgments
This page explains how positive acknowledgments are used to enhance reliability.

Acknowledgment is a common step in the synchronization process, which includes sliding windows and data
sequencing. In a TCP segment, the sequence number field is followed by the Acknowledgment Number field.
This field is where the tracking of transmitted and received bytes is indicated.

One problem with the IP protocol is that there is no verification method to determine if data segments reach
their destination. So data segments may be constantly forwarded with no knowledge as to whether or not
they were actually received. TCP uses positive acknowledgment and retransmission (PAR) to control data
flow and confirm data delivery.

Many protocols use PAR to provide reliability. With PAR, the source sends a packet, starts a timer, and waits
for an acknowledgment before it sends the next packet in the session. If the timer expires before the source
receives an acknowledgment, the source retransmits the packet and resets the timer. The acknowledgment
is provided by the value of Acknowledgment Number and the ACK flag set in the TCP header. TCP uses
expectational acknowledgment in which the Acknowledgment Number value refers to the next octet that is
expected as part of the TCP session.

Windowing is a flow control mechanism that requires the source device to receive an acknowledgment from
the destination after a specific amount of data bytes has been transmitted. With a window size of three, the
source device can send three octets to the destination. It must then wait for an acknowledgment of these
bytes. If the destination receives the three octets, it sends an acknowledgment to the source device, which
can then transmit three more octets. If the destination does not receive the three octets, it does not send an
acknowledgment. This may be caused by overflowing buffers or packets lost in transit. Since the source
does not receive an acknowledgment, it knows that the octets should be retransmitted and that the window
size should be reduced. This window size reduction gives the receiving host fewer bytes to process from its
buffers before more data arrives. This effectively slows the communication between hosts to provide more
reliability between the hosts.
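The windowing, sequencing-number and positive-acknowledgment pages describe one mechanism from three sides; the added Python simulation below (example code for this page, not the curriculum's or any real stack's) runs them together. The receiver parks out-of-order segments, reassembles bytes by sequence number and answers each segment with an expectational ACK (the next byte it expects). The sender fills its window, and when the timer period ends without an ACK covering everything it sent, it retransmits only the segment the receiver is missing and halves the window; after a fully acknowledged window it grows the window by one segment. The loss model (`drop_once`, a set of sequence numbers lost on first transmission), the window grow/shrink policy and the 40-byte sample data are assumptions for the example.

```python
class Receiver:
    """Reassembles bytes in order and answers every segment with an expectational ACK:
    the number of the next byte it expects, meaning all earlier bytes have arrived."""

    def __init__(self):
        self.expected = 0         # next in-order sequence number
        self.out_of_order = {}    # seq -> chunk parked until the gap before it is filled
        self.delivered = bytearray()

    def receive(self, seq, chunk):
        if seq >= self.expected and seq not in self.out_of_order:
            self.out_of_order[seq] = chunk     # duplicates of delivered data are ignored
        while self.expected in self.out_of_order:
            piece = self.out_of_order.pop(self.expected)
            self.delivered += piece
            self.expected += len(piece)
        return self.expected


def simulate(data, window, seg_size, drop_once=frozenset()):
    """PAR sender: fill the window, wait for ACKs, retransmit on timeout.

    `drop_once` lists sequence numbers whose first transmission is lost in transit
    (assumed loss model). Window policy (assumed for the example): grow by one
    segment after a fully acknowledged window, halve after a loss."""
    rx = Receiver()
    base, next_seq = 0, 0          # oldest unacknowledged byte, next new byte to send
    attempts = {}                  # seq -> number of transmissions
    stats = {"rounds": 0, "retransmissions": 0, "windows": []}

    def transmit(seq):
        chunk = data[seq:seq + seg_size]
        attempts[seq] = attempts.get(seq, 0) + 1
        if attempts[seq] > 1:
            stats["retransmissions"] += 1
        if seq in drop_once and attempts[seq] == 1:
            return None            # lost: the timer will expire without an ACK
        return rx.receive(seq, chunk)

    while base < len(data):
        stats["rounds"] += 1
        stats["windows"].append(window)
        acks = []
        while next_seq < len(data) and next_seq < base + window:
            ack = transmit(next_seq)
            if ack is not None:
                acks.append(ack)
            next_seq = min(next_seq + seg_size, len(data))
        highest = max(acks, default=base)
        if highest < next_seq:
            # timer expires: the segment at `highest` is the one the receiver is missing
            window = max(seg_size, window // 2)
            ack = transmit(highest)
            if ack is not None:
                highest = ack
        else:
            window += seg_size
        base = highest
    stats["delivered"] = bytes(rx.delivered)
    return stats


if __name__ == "__main__":
    sample = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd"   # 40 constructed bytes
    print(simulate(sample, window=12, seg_size=4, drop_once={8, 24}))
```

With a 12-byte window, 4-byte segments and the segments at bytes 8 and 24 lost once, the run takes four rounds, retransmits exactly two segments, shrinks the window to 6 and then 5 after each loss, and still delivers the 40 bytes in order: the receiver kept the later segments it had already received, so only the missing ones had to be resent.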

The Lab Activity will teach students how to enable and monitor multiple host sessions. The Interactive Media
Activity will help students become more familiar with windows.

The next page will explain how UDP works.

UDP operation

This page will explain the similarities and differences between TCP and UDP.

The TCP/IP protocol stack contains many different protocols, each designed to perform a certain task. IP
provides Layer 3 connectionless transport through an internetwork. TCP enables connection-oriented,
reliable transmission of packets at Layer 4 of the OSI model. UDP provides connectionless, unreliable
transmission of packets at Layer 4 of the OSI model.

Both TCP and UDP use IP as their Layer 3 protocol. In addition, TCP and UDP are used by various
application layer protocols. TCP provides services for applications such as FTP, HTTP, SMTP, and DNS.
UDP is the transport layer protocol used by DNS, TFTP, SNMP, and DHCP.

TCP must be used when applications need to guarantee that a packet arrives intact, in sequence, and
unduplicated. The overhead necessary to ensure delivery of a packet is sometimes a problem with TCP. Not
all applications need to guarantee delivery of the data packet, so they use the faster, connectionless delivery
mechanism afforded by UDP. The UDP protocol standard is described in RFC 768.

UDP does not use windowing or ACKs so application layer protocols must provide error detection.

The Source Port field is an optional field used only if information needs to return to the sending host. When a
destination router receives a routing update, the source router is not requesting anything so nothing needs to
return to the source. There is no exchange of information or data. The Destination Port field specifies the
application to which UDP needs to pass the data. A DNS request from a host to a DNS server would
have a Destination Port field of 53, the UDP port number for DNS. The Length field identifies the number of
octets in the UDP segment. The UDP checksum is optional but should be used to ensure that the data has
not been damaged during transmission. For transport across the network, UDP is encapsulated within the IP
packet.

Once a UDP segment arrives at the destination IP address, a mechanism must exist which allows the
receiving host to determine the exact destination application. Destination ports are used for this purpose. If a
host is running both TFTP and DNS services, it must be able to determine what service the arriving UDP
segments need. The Destination Port field in the UDP header determines the application to which a UDP
segment will be delivered.
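The four UDP header fields just described, built and decoded in Python as an added example (not code from the curriculum or RFC 768, though it follows that header layout: Source Port, Destination Port, Length and Checksum, two bytes each, network byte order). It also shows the two things the text says about the checksum: it is optional, a value of 0 meaning the sender did not compute one, and when present it covers the data together with an IPv4 pseudo-header (source and destination addresses, a zero byte, protocol 17 and the UDP length), so a damaged byte or a mismatched address makes verification fail. The DNS query payload and the addresses are constructed; `build_udp` and `parse_udp` are this example's own helpers.

```python
import struct
import ipaddress

UDP_HEADER_LEN = 8
IPPROTO_UDP = 17


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP family checksums; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, udp_length):
    """IPv4 pseudo-header: addresses, zero byte, protocol 17 and the UDP Length field."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, IPPROTO_UDP, udp_length))


def udp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header + header (checksum field as zero) + data."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF   # a computed 0 is sent as 0xFFFF, because 0 means "no checksum"


def build_udp(src_ip, dst_ip, src_port, dst_port, payload, with_checksum=True):
    """Assemble a UDP segment; with_checksum=False leaves the optional checksum at 0."""
    length = UDP_HEADER_LEN + len(payload)
    segment = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    if with_checksum:
        csum = udp_checksum(src_ip, dst_ip, segment)
        segment = segment[:6] + struct.pack("!H", csum) + segment[8:]
    return segment


def parse_udp(src_ip, dst_ip, segment):
    """Decode the header; checksum_ok is True/False, or None when the sender set it to 0."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("segment shorter than the 8-byte UDP header")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < UDP_HEADER_LEN or length > len(segment):
        raise ValueError("Length field inconsistent with the bytes received")
    if csum == 0:
        checksum_ok = None
    else:
        total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment[:length])
        checksum_ok = total == 0xFFFF     # a correct checksum makes the full sum all ones
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": csum, "checksum_ok": checksum_ok, "payload": segment[8:length]}


# Constructed DNS query for example.com (type A): a realistic payload of odd length.
DNS_QUERY = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    seg = build_udp("192.0.2.10", "192.0.2.53", 1045, 53, DNS_QUERY)
    print(parse_udp("192.0.2.10", "192.0.2.53", seg))
```

The decoded segment reports destination port 53 (DNS), a Length of 37 octets and `checksum_ok` True; flipping one payload byte, or decoding it against a different destination address, turns that False, and a segment built with `with_checksum=False` reports None, the "not used" case the page warns about.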

Multiple conversations between hosts

This page will explain how hosts handle multiple conversations at the same time.

At any given moment, thousands of packets that provide hundreds of different services travel through a
modern network. Many servers use a multitude of services and this causes unique problems for the
addressing of packets. If a server is running both SMTP and HTTP, it uses the destination port field to
determine what service the source is requesting.

The source cannot construct a packet destined for just the server IP address because the destination would
not know what service was being requested. A port number must be associated with the conversation
between hosts to ensure that the packet reaches the appropriate service on the server. If a server could not
distinguish between different conversations, a client could not send an e-mail and browse a Web page at the
same time. A method for transport layer conversations to be separated must be used.

Hosts running TCP/IP associate ports at the transport layer with certain applications. Port numbers are used
to keep track of different conversations that cross the network at the same time. Port numbers are needed
for a host to communicate with a server that uses multiple services. Both TCP and UDP use port or socket
numbers to pass information to the upper layers.

Application software developers have agreed to use the well-known port numbers that are defined in
RFC 1700. Any conversation bound for the FTP application uses the standard port number 21.

Conversations that do not involve applications with well-known port numbers are assigned port numbers that
have been randomly selected from within a specific range. These port numbers are used as source and
destination addresses in the TCP segment.

Port numbers have the following assigned ranges:

• The Well Known Ports are those from 0 through 1023
• The Registered Ports are those from 1024 through 49151
• The Dynamic and/or Private Ports are those from 49152 through 65535

Systems initiating communication requests use port numbers to select proper applications. Source port
numbers for these requests are dynamically assigned by the originating host, and are usually a number
larger than 1023. Port numbers in the range of 0-1023 are considered public port numbers and are controlled
by the Internet Assigned Numbers Authority (IANA).

Post office box numbers are a good analogy for port numbers. A piece of mail may be sent to a zip code,
city, and P.O. box. The zip code and city direct mail to the correct general mail facility while the P.O. box
ensures the item is delivered to the one individual to whom the mail is addressed. Similarly, the IP address
gets the packet to the correct server, but the TCP or UDP port number guarantees the packet is passed to
the correct application.

The next page will discuss well-known ports.

Ports for services

This page introduces port numbers that are used for different services.

Services running on hosts must have a port number assigned to them so communication can occur. A
remote host attempting to connect to a service expects that service to use specific transport layer protocols
and ports. Some ports, which are defined in RFC 1700, are known as the well-known ports. These ports are
reserved in both TCP and UDP.

These well-known ports define applications that run above the transport layer protocols. For example, a
server that runs FTP will use ports 20 and 21 to forward TCP connections from clients to its FTP application.
This allows the server to determine which service a client requests. TCP and UDP use port numbers to
determine the correct service to which requests are forwarded.

The next page will discuss ports in greater detail.

Ports for clients

This page will discuss source ports, which are set by clients.

Whenever a client connects to a service on a server, a source and destination port must be specified. TCP
and UDP segments contain fields for source and destination ports.

Destination ports, or ports for services, are normally defined using the well-known ports. Source ports set by
the client are determined dynamically.

In general, a client determines the source port by randomly assigning a number above 1023. For example, a
client that attempts to communicate with a Web server will use TCP and assign the destination port as 80
and the source port as 1045. When the packet arrives at the server, it moves up to the transport layer and
eventually to the HTTP service, which operates at port 80. The HTTP server responds to the client's request
with a segment that uses port 80 as the source and 1045 as the destination. Clients and servers use ports to
distinguish which process each segment is associated with.

The next page will teach students about the three categories of port numbers.

Port numbering and well-known port numbers

This page will discuss the three categories of port numbers.

Port numbers are represented by 2 bytes in the header of a TCP or UDP segment. This 16-bit value can
result in port numbers ranging from 0 to 65535. The three categories of port numbers are well-known ports,
registered ports, and dynamic or private ports. Ports 0 through 1023 are well-known ports. These ports are
used for well-known network services such as FTP, Telnet, or DNS.

Registered ports range from 1024 to 49151. Ports between 49152 and 65535 are defined as dynamic or
private ports.

The Interactive Media Activity will help students become more familiar with port numbers.

The next page will give an example of multiple sessions.

Example of multiple sessions between hosts

This page will explain how port numbers are used to track multiple sessions that can occur between hosts.
The source and destination port numbers combine with the network address to form a socket. A pair of
sockets, one on each host, forms a unique connection. For instance, a host might have a Telnet connection
through port 23 and an Internet connection through port 80. The IP and the MAC addresses would be the
same because the packets are received from the same host. Therefore, each conversation on the source
side needs its own port number, and each service requested needs its own port number.
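The port ranges from the previous pages and the socket-pair idea from this one, as an added Python example (written for this page, not from the curriculum). `port_class` maps a port number to the three categories, and `SocketTable` is a hypothetical server-side demultiplexer: a segment is matched first against existing conversations by the full socket pair (protocol, local address, local port, remote address, remote port), and otherwise against the services listening on its destination port. The services, addresses and the client ports 1045 to 1048 are constructed for the example; that the same client holds both a Telnet and an HTTP conversation reproduces the page's scenario.

```python
def port_class(port):
    """Map a 16-bit port number to the three ranges the chapter lists."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit values: 0 to 65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


class SocketTable:
    """Delivers arriving segments using the socket pair
    (protocol, local address, local port, remote address, remote port)."""

    def __init__(self):
        self.listeners = {}       # (proto, local port) -> service name
        self.conversations = {}   # socket pair -> service name

    def listen(self, proto, port, service):
        self.listeners[(proto, port)] = service

    def deliver(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return (service, 'existing' | 'new') or (None, None) for a segment sent to this host."""
        key = (proto, dst_ip, dst_port, src_ip, src_port)
        if key in self.conversations:
            return self.conversations[key], "existing"
        service = self.listeners.get((proto, dst_port))
        if service is None:
            return None, None         # nothing listening on that protocol/port: not deliverable
        self.conversations[key] = service
        return service, "new"

    def conversation_count(self, service=None):
        """Number of open conversations, optionally for one service only."""
        return sum(1 for s in self.conversations.values() if service is None or s == service)


if __name__ == "__main__":
    server = SocketTable()
    server.listen("tcp", 80, "HTTP")
    server.listen("tcp", 23, "Telnet")
    server.listen("udp", 53, "DNS")
    client, host = "198.51.100.7", "192.0.2.10"
    print(server.deliver("tcp", client, 1045, host, 80))   # ('HTTP', 'new')
    print(server.deliver("tcp", client, 1045, host, 80))   # ('HTTP', 'existing')
    print(server.deliver("tcp", client, 1046, host, 23))   # ('Telnet', 'new')
    print(port_class(80), port_class(1045), port_class(49152))
```

Two segments from the same client IP and MAC reach different services only because their socket pairs differ; a TCP segment sent to port 53 is not delivered here because in this constructed setup DNS listens on UDP only, which is why the text says well-known ports are reserved separately in TCP and UDP.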

In the Lab Activity, students will enable HTTP on a router and observe well-known ports.

The next page will discuss the three types of addresses.

Comparison of MAC addresses, IP addresses, and port numbers

This page will describe the three types of addresses in reference to the OSI model. Port numbers are located
at the transport layer and are serviced by the network layer. The network layer assigns the logical address,
or IP address, and is then serviced by the data link layer, which assigns the physical address, or MAC
address.

A good analogy can be made with a normal letter. The address on a letter consists of a name, street, city,
and state. These can be compared to the port, MAC, and IP address used for network data. The name on
the envelope would be equivalent to a port number, the street address is the MAC, and the city and state is
the IP address. Multiple letters can be mailed to the same street address, city and state, but contain different
names on the letters. For instance, two letters could be mailed to the same house with one addressed to
“John Doe” and the other to “Jane Doe”. This is analogous to multiple sessions with different port numbers.

This page concludes this lesson. The next page will summarize the main points from this module.

Summary

This page summarizes the topics discussed in this module.

The transport layer of the OSI model is responsible for the reliable transport and regulation of data flow from
a source to a destination. TCP makes sure that each host on the network is ready and willing to
communicate.

A three-way handshake is a process that ensures that each side is ready for data transmission and allows
each device to determine the initial sequence number. A three-way handshake starts with a host initiating a
connection. The other host receives a packet, records a sequence number and then replies with an ACK.
The initiating host then responds back and finalizes the connection.

DoS attacks are designed to deny services to legitimate hosts that attempt to establish connections. They
are used by hackers to halt system response. SYN flooding is one type of DoS attack. It exploits the normal
three-way handshake and causes targeted devices to ACK to source addresses that will not complete the
handshake. Because the source address is spoofed, the receiving device replies to a non-existent,
unreachable IP address and is placed in a wait state until it receives the final ACK from the initiator. In
addition to software specifically created as a defense against these kinds of attacks, an administrator can
decrease the connection timeout period and increase the connection queue size.

Breaking data into smaller pieces is called segmenting and is done with TCP. Once the data is segmented, it
must be transmitted to the destination device. TCP applies sequence numbers to the data segments so that
the receiver can reassemble the bytes properly and the sender knows when all the segments have been
received. Windowing is the process of flow control that regulates how much data is sent during a given
transmission period. TCP uses a sliding window when determining transmission size. A sliding window
allows for devices to negotiate a window size to allow for more than one byte to be sent during a single
transmission.

Many protocols use PAR to provide reliability. With PAR, the source sends a packet, starts a timer, and waits
for an ACK before it sends the next packet. If the timer expires before the source receives an ACK, the
source retransmits the packet and resets the timer. TCP uses expectational ACKs in which the
Acknowledgment Number refers to the next octet that is expected.

UDP provides connectionless, non-guaranteed transmission of packets at Layer 4 of the OSI model. Since
UDP does not use windowing or acknowledgments, application layer protocols must provide error detection.

A port number must be associated with the conversation between hosts to ensure that the packet reaches
the appropriate service on the server. Port numbers have the following assigned ranges:

• The Well Known Ports are those from 0 through 1023
• The Registered Ports are those from 1024 through 49151
• The Dynamic and/or Private Ports are those from 49152 through 65535

The three methods of addressing include port numbers, which are located at the transport layer and serviced
by the network layer. The network layer assigns the logical or IP address and the data link layer assigns the
physical or MAC address.

