CN-Module 5 Notes

The document discusses the application layer of computer networks, focusing on its role in providing services to users through various protocols, including standard and nonstandard protocols. It describes the client-server and peer-to-peer paradigms, detailing their functionalities, advantages, and challenges. Additionally, it covers client-server programming, application programming interfaces, socket communication, and the use of transport-layer protocols like UDP, TCP, and SCTP for data transmission.

Uploaded by

extraworkuse123

Computer Networks (BCS502)

Module 5-Application Layer


INTRODUCTION
• The application layer provides services to the user.
• Communication is provided using a logical connection, which means that the two
application layers assume that there is an imaginary direct connection through which
they can send and receive messages.

Providing Services
• All communication networks that started before the Internet were designed to provide
services to network users.
• The protocols in this layer do not provide services to any other protocol in the suite;
they only receive services from the protocols in the transport layer.
• This means that protocols can be removed from this layer easily.
• New protocols can be also added to this layer as long as the new protocols can use the
services provided by one of the transport-layer protocols.
Standard and Nonstandard Protocols
• The protocols used in the first four layers of the TCP/IP suite need to be standardized
and documented.
• They normally become part of the package that is included in operating systems such
as Windows or UNIX.
• However, the application-layer protocols can be both standard and nonstandard.

Standard Application-Layer Protocols

• There are several application-layer protocols that have been standardized and
documented by the Internet authority.
• Each standard protocol is a pair of computer programs that interact with the user and
the transport layer to provide a specific service to the user.

Nonstandard Application-Layer Protocols

• A private company can create a new customized application protocol to communicate
with all of its offices around the world using the services provided by the first four
layers of the TCP/IP protocol suite without using any of the standard application
programs.
• It is the creation of a nonstandard (proprietary) protocol, which does not need the
approval of the Internet authorities if privately used, that has made the Internet so
popular worldwide.

Application-Layer Paradigms
• To use the Internet, we need two application programs to interact with each other,
running on two different devices.
• The two programs need to send messages to each other through the Internet
infrastructure.
• Two paradigms have been developed: the client-server paradigm and the peer-to-peer
paradigm.
Traditional Paradigm: Client-Server
• The traditional paradigm is called the client-server paradigm.
• In this paradigm, the service provider is called the server process; it runs continuously,
waiting for another application program, called the client process, to make a connection
through the Internet and ask for service.
• The server process must be running all the time; the client process is started when the
client needs to receive service.
• For example, a telephone directory center in any area can be thought of as a server; a
subscriber that calls and asks for a specific telephone number can be thought of as a
client.
• Although the communication in the client-server paradigm is between two application
programs, the role of each program is totally different. We cannot run a client program
as a server program or vice versa.
• Figure 25.2 shows an example of a client-server communication in which three clients
communicate with one server to receive the services provided by this server.

• One problem with this paradigm is that even a powerful computer may become
overwhelmed if a large number of clients try to connect to the server at the same time.
• Another problem is that there should be a service provider willing to accept the cost
and create a powerful server for a specific service.
• Several traditional services are still using this paradigm, including the World Wide Web
(WWW) and its vehicle HyperText Transfer Protocol (HTTP), file transfer protocol
(FTP), secure shell (SSH), e-mail, and so on.
New Paradigm: Peer-to-Peer
• A new paradigm, called the peer-to-peer paradigm (P2P paradigm) has emerged to
respond to the needs of some new applications.
• In this paradigm, there is no need for a server process to be running all the time and
waiting for the client processes to connect.
• The responsibility is shared between peers.
• A computer connected to the Internet can provide service or receive service. A computer
can even provide and receive services at the same time.
• For example, if an Internet user has a file available to share with other Internet users,
there is no need for the file holder to become a server and wait for other users to connect
and retrieve the file.
• Although the peer-to-peer paradigm has proved to be easily scalable and cost-effective,
there are also some challenges.
• The main challenge has been security; it is more difficult to create secure
communication between distributed services than between those controlled by some
dedicated servers.
• The other challenge is applicability; it appears that not all applications can use this new
paradigm.
• There are some new applications, such as BitTorrent, Skype, IPTV, and Internet
telephony, that use this paradigm.
Mixed Paradigm
• An application may choose to use a mixture of the two paradigms by combining the
advantages of both.
• For example, a light-load client-server communication can be used to find the address
of the peer that can offer a service.
• When the address of the peer is found, the actual service can be received from the peer
by using the peer-to-peer paradigm.

CLIENT-SERVER PROGRAMMING
• In a client-server paradigm, communication at the application layer is between two
running application programs called processes: a client and a server.
• A client is a running program that initializes the communication by sending a request;
a server is another application program that waits for a request from a client.
• The server handles the request received from a client, prepares a result, and sends the
result back to the client.
• This definition of a server implies that a server must be running when a request from a
client arrives, but the client needs to be run only when it is needed.
Application Programming Interface
• A computer program is normally written in a computer language with a predefined set
of instructions that tells the computer what to do.
• If we need a process to be able to communicate with another process, we need a new
set of instructions to tell the lowest four layers of the TCP/IP suite to open the
connection, send and receive data from the other end, and close the connection.
• A set of instructions of this kind is normally referred to as an application programming
interface (API).
• An interface in programming is a set of instructions between two entities. In this case,
one of the entities is the process at the application layer and the other is the operating
system that encapsulates the first four layers of the TCP/IP protocol suite.

• Several APIs have been designed for communication. Three among them are common:
socket interface, Transport Layer Interface (TLI), and STREAM.
• Socket interface started in the early 1980s at UC Berkeley as part of a UNIX
environment.
• The socket interface is a set of instructions that provide communication between the
application layer and the operating system.
• The idea of sockets allows us to use the set of all instructions already designed in a
programming language for other sources and sinks, such as a keyboard (a source), a
monitor (a sink), or a file (source and sink).
• We can use the same instructions to read from or write to sockets.
Sockets
• Although a socket is supposed to behave like a terminal or a file, it is not a physical entity
like them; it is an abstraction.
• It is an object that is created and used by the application program.
• The client thinks that the socket is the entity that receives the request and gives the
response; the server thinks that the socket is the one that has a request and needs the
response.
• If we create two sockets, one at each end, and define the source and destination addresses
correctly, we can use the available instructions to send and receive data.
• The rest is the responsibility of the operating system and the embedded TCP/IP protocol.

Socket Addresses
• A socket address should first define the computer on which a client or a server is
running, uniquely defined by its IP address.
• However, several client or server processes may be running at the same time on a
computer, which means that we need another identifier to define the specific client or
server involved in the communication.
• An application program can be defined by a port number, a 16-bit integer.
• A socket address should be a combination of an IP address and a port number as shown
in Figure 25.7.

Finding Socket Addresses


How can a client or a server find a pair of socket addresses for communication? The situation
is different for each site.

Server Site
The server needs a local (server) and a remote (client) socket address for communication.
Local Socket Address
• The local (server) socket address is provided by the operating system.
• The operating system knows the IP address of the computer on which the server process
is running.
• The port number of a server process, however, needs to be assigned. If the server
process is a standard one defined by the Internet authority, a port number is already
assigned to it.
• For example, the assigned port number for a Hypertext Transfer Protocol (HTTP) is the
integer 80.
• If the server process is not standard, the designer of the server process can choose a port
number, in the range defined by the Internet authority, and assign it to the process.
Remote Socket Address
• The remote socket address for a server is the socket address of the client that makes the
connection.
• The server can find this socket address when a client tries to connect to the server.
• The client socket address, which is contained in the request packet sent to the server,
becomes the remote socket address that is used for responding to the client.

Client Site
• The client also needs a local (client) and a remote (server) socket address for
communication.
Local Socket Address
• The local (client) socket address is also provided by the operating system.
• The operating system knows the IP address of the computer on which the client is
running.
• The port number, however, is a 16-bit temporary integer that is assigned to a client
process each time the process needs to start the communication.
Remote Socket Address
When a client process starts, it should know the socket address of the server it wants to connect
to.
There are two situations in this case:
1. Sometimes, the user who starts the client process knows both the server port number
and IP address of the computer on which the server is running. This usually occurs in
situations when we have written client and server applications and we want to test them.
2. The client process normally knows the port number because it should be a well-known
port number, but the IP address can be obtained using another client-server application
called the Domain Name System (DNS).
• DNS acts as a directory in the Internet that maps the server name to the IP address of
the computer running that server.

Using Services of the Transport Layer


There are three common transport-layer protocols in the TCP/IP suite: UDP, TCP, and SCTP.
Most standard applications have been designed to use the services of one of these protocols.

UDP Protocol
• UDP provides connectionless, unreliable, datagram service. Connectionless service
means that there is no logical connection between the two ends exchanging messages.
• Each message is an independent entity encapsulated in a datagram.
• UDP is not a reliable protocol. It does not ask the sender to resend a corrupted or lost
datagram.
• UDP is message-oriented. It gives boundaries to the messages exchanged.
• An application program may be designed to use UDP if it is sending small messages
and simplicity and speed are more important for the application than reliability.
• For example, some management and multimedia applications fit in this category.

TCP Protocol
• TCP provides connection-oriented, reliable, byte-stream service.
• TCP requires that two ends first create a logical connection between themselves by
exchanging some connection-establishment packets.
• This phase, which is sometimes called handshaking, establishes some parameters
between the two ends, including the size of the data packets to be exchanged, the size
of buffers, and so on.
• After the handshaking process, the two ends can send chunks of data in segments in
each direction.
• For example, if some bytes are lost or corrupted, the receiver can request the resending
of those bytes, which makes TCP a reliable protocol.
• TCP also can provide flow control and congestion control.
• One problem with the TCP protocol is that it is not message-oriented; it does not put
boundaries on the messages exchanged.
• Most of the standard applications that need to send long messages and require reliability
may benefit from the service of the TCP.

SCTP Protocol
• SCTP provides a service which is a combination of the two other protocols.
• Like TCP, SCTP provides a connection-oriented, reliable service, but it is not
byte-stream oriented.
• It is a message-oriented protocol like UDP. In addition, SCTP can provide multi-stream
service by providing multiple network-layer connections.
• SCTP is normally suitable for any application that needs reliability and at the same time
needs to remain connected, even if a failure occurs in one network-layer connection.

Iterative Communication Using UDP


• Although several client programs can access the same server program at the same time,
the server program can be designed to respond iteratively or concurrently.
• An iterative server can process one client request at a time; it receives a request,
processes it, and sends the response to the requestor before handling another request.
• When the server is handling the request from a client, the requests from other clients
need to be queued and wait for the server to be freed.
• The received and queued requests are handled in first-in, first-out fashion.
Sockets used for UDP
• In UDP communication, the client and server use only one socket each. The socket
created at the server site lasts forever; the socket created at the client site is closed
(destroyed) when the client process terminates.
• Different clients use different sockets, but the server creates only one socket and
changes only the remote socket address each time a new client makes a connection.
• This is logical, because the server does know its own socket address, but does not know
the socket addresses of the clients who need its services; it needs to wait for the client
to connect before filling this part of the socket address.
Flow Diagram
• UDP provides a connectionless service, in which a client sends a request and the server
sends back a response.
• There are multiple clients, but only one server. Each client is served in each iteration of
the loop in the server. There is no connection establishment or connection termination.
• Each client sends a single datagram and receives a single datagram.
• If a client wants to send two datagrams, the second datagram needs to wait for its turn.
The diagram also shows the status of the socket after each action.
Server Process
• The server makes a passive open, in which it becomes ready for the communication,
but it waits until a client process makes the connection.
• It creates an empty socket. It then binds the socket to the server and the well-known port.
• The server then issues a receive request command, which blocks until it receives a
request from a client; the server then processes the request and sends the response back
to the client.
• The server now starts another iteration waiting for another request to arrive (an infinite
loop).
Iterative Communication Using TCP
• TCP is a connection-oriented protocol. Before sending or receiving data, a connection
needs to be established between the client and the server.
• After the connection is established, the two parties can send and receive chunks of data
as long as they have data to do so.

Sockets Used in TCP


• The TCP server uses two different sockets, one for connection establishment and the
other for data transfer.
• The first is the listen socket and the second is the connection socket.
• The reason for having two types of sockets is to separate the connection phase from the
data exchange phase.
• A server uses a listen socket to listen for a new client trying to establish connection.
• After the connection is established, the server creates a socket to exchange data with
the client and finally to terminate the connection.
• The client uses only one socket for both connection establishment and data exchange.

Flow Diagram
The figure below shows a simplified flow diagram for iterative communication using TCP. There
are multiple clients, but only one server. Each client is served in each iteration of the loop.
Server Process
• The TCP server process, like the UDP server process, creates a socket and binds it, but
these two commands create the listen socket to be used only for the connection
establishment phase.
• The server process then calls the listen procedure, to allow the operating system to start
accepting the clients, completing the connection phase, and putting them in the waiting
list to be served.
• The server process now starts a loop and serves the clients one by one.
• If the list is empty, the accept procedure blocks until there is a client to be served. When
the accept procedure returns, it creates a new socket for data transfer.
• At this time the client and server can exchange data.
Client Process
The client flow diagram is very similar to the UDP version, except that the client data-transfer
box needs to be defined for each specific case.
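Both iterative servers described above, as an added Python example that is not part of the notes: the UDP server keeps one socket for its whole life and only the remote socket address changes per datagram, while the TCP server uses a listen socket for connection establishment and a separate connection socket, returned by accept, for data transfer. Everything binds to loopback on OS-chosen ports; the request text and the uppercased reply are constructed for the demonstration.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only; a constructed test setup, not a deployment


def udp_iterative_server(sock: socket.socket, n_requests: int) -> list[tuple[str, int]]:
    """Iterative UDP server: one socket, one client per loop iteration.
    Returns the remote socket addresses it served, in first-in first-out order."""
    seen = []
    for _ in range(n_requests):
        data, client_addr = sock.recvfrom(4096)   # blocks until a datagram arrives
        seen.append(client_addr)                  # the remote part is filled in here
        sock.sendto(data.upper(), client_addr)    # reply goes to that client's socket address
    return seen


def udp_exchange(n_clients: int = 2) -> list[bytes]:
    """Each client uses its own socket with a temporary port chosen by the OS,
    sends a single datagram and receives a single datagram."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((HOST, 0))                         # port 0: let the OS pick a free port
    server_addr = server.getsockname()             # local socket address of the server
    t = threading.Thread(target=udp_iterative_server, args=(server, n_clients))
    t.start()
    replies = []
    for i in range(n_clients):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
            c.settimeout(5)
            c.sendto(f"hello {i}".encode(), server_addr)   # request datagram
            reply, _ = c.recvfrom(4096)                     # response datagram
            replies.append(reply)
    t.join()
    server.close()
    return replies


def tcp_iterative_server(listen_sock: socket.socket, n_clients: int) -> int:
    """Iterative TCP server: the listen socket only accepts connections; each
    accept() yields a new connection socket that is closed before the next
    client is served. Returns the number of clients served."""
    served = 0
    for _ in range(n_clients):
        conn, _client_addr = listen_sock.accept()  # blocks until a queued client exists
        with conn:                                 # connection socket: data transfer only
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:                      # client closed its sending side
                    break
                chunks.append(chunk)
            conn.sendall(b"".join(chunks).upper())
        served += 1                                # 'with' closed the connection socket
    return served


def tcp_exchange(n_clients: int = 2) -> list[bytes]:
    """Clients use one socket each for both connection establishment and data."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(5)            # OS completes handshakes and queues up to 5 waiting clients
    server_addr = listener.getsockname()
    t = threading.Thread(target=tcp_iterative_server, args=(listener, n_clients))
    t.start()
    replies = []
    for i in range(n_clients):
        with socket.create_connection(server_addr, timeout=5) as c:
            c.sendall(f"request {i}".encode())
            c.shutdown(socket.SHUT_WR)             # end of request; we can still receive
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:                      # server closed the connection socket
                    break
                reply += chunk
            replies.append(reply)
    t.join()
    listener.close()
    return replies
```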

Concurrent Communication
• A concurrent server can process several client requests at the same time. This can be
done using the available provisions in the underlying programming language.
• In C, a server can create several child processes, in which a child can handle a client.
• In Java, threading allows several clients to be handled, each by its own thread.
World Wide Web and HTTP
World Wide Web
• The idea of the Web was first proposed by Tim Berners-Lee in 1989 at CERN, the
European Organization for Nuclear Research.
• The Web today is a repository of information in which the documents, called web pages,
are distributed all over the world and related documents are linked together.
• The popularity and growth of the Web can be related to two terms: distributed and linked.
• Distribution allows the growth of the Web. Each web server in the world can add a new
web page to the repository and announce it to all Internet users without overloading a
few servers.
• Linking allows one web page to refer to another web page stored in another server
somewhere else in the world.
• The linking of web pages was achieved using a concept called hypertext.
• Today, the Web is used to provide electronic shopping and gaming. One can use the
Web to listen to radio programs or view television programs whenever one desires.
Architecture
• The WWW today is a distributed client-server service, in which a client using a browser
can access a service using a server.
• The service provided is distributed over many locations called sites. Each site holds one
or more web pages. A simple web page has no links to other web pages; a composite
web page has one or more links to other web pages. Each web page is a file with a name
and address.
Example:
Assume we need to retrieve a scientific document that contains one reference to another text
file and one reference to a large image. The main document and the image are stored in two
separate files (file A and file B) in the same site; the referenced text file (file C) is stored in
another site. Since we are dealing with three different files, we need three transactions if we
want to see the whole document.
Web Client (Browser)
• A variety of vendors offer commercial browsers that interpret and display a web page,
and all of them use nearly the same architecture.
• Each browser usually consists of three parts: a controller, client protocols, and
interpreters.

• The controller receives input from the keyboard or the mouse and uses the client
programs to access the document.
• After the document has been accessed, the controller uses one of the interpreters to
display the document on the screen.
• The client protocol can be one of the protocols described later, such as HTTP or FTP.
• The interpreter can be HTML, Java, or JavaScript, depending on the type of document.
Some commercial browsers include Internet Explorer, Netscape Navigator, and Firefox.
Web Server
• The web page is stored at the server. Each time a request arrives, the corresponding
document is sent to the client.
• To improve efficiency, servers normally store requested files in a cache in memory;
memory is faster to access than a disk.
• A server can also become more efficient through multithreading or multiprocessing.
• In this case, a server can answer more than one request at a time. Some popular web
servers include Apache and Microsoft Internet Information Server.

Uniform Resource Locator (URL)


• A web page, as a file, needs to have a unique identifier to distinguish it from other web
pages.
• To define a web page, we need three identifiers: host, port, and path.
• However, before defining the web page, we need to tell the browser what client-server
application we want to use, which is called the protocol.
• This means we need four identifiers to define the web page. The first is the type of
vehicle to be used to fetch the web page; the last three make up the combination that
defines the destination object (web page).
Protocol. The first identifier is the abbreviation for the client-server program that we need in
order to access the web page. For example, HTTP and FTP.
Host. The host identifier can be the IP address of the server or the unique name given to the
server. The name is normally the domain name that uniquely defines the host, such as
gmail.com.
Port. The port, a 16-bit integer, is normally predefined for the client-server application. For
example, if the HTTP protocol is used for accessing the web page, the well-known port number
is 80.
Path. The path identifies the location and the name of the file in the underlying operating
system. For example, /top/next/last/myfile is a path that uniquely defines a file named myfile.
To combine these four pieces together, the uniform resource locator (URL) has been designed;
it uses three different separators between the four pieces as shown below:

Web Documents
The documents in the WWW can be grouped into three broad categories: static, dynamic, and
active.
Static Documents
• Static documents are fixed-content documents that are created and stored in a server.
The client can get a copy of the document only.
• The contents in the server can be changed, but the user cannot change them.
• When a client accesses the document, a copy of the document is sent.
• Static documents are prepared using one of several languages: HyperText Markup
Language (HTML), Extensible Markup Language (XML), Extensible Style Language
(XSL), and Extensible Hypertext Markup Language (XHTML).

Dynamic Documents
• A dynamic document is created by a web server whenever a browser requests the
document.
• When a request arrives, the web server runs an application program or a script that
creates the dynamic document.
• The server returns the result of the program or script as a response to the browser that
requested the document.
• An example of a dynamic document is the retrieval of the time and date from a server.
• Dynamic documents are prepared using scripting languages such as Java Server Pages
(JSP), which uses the Java language for scripting, Active Server Pages (ASP), a
Microsoft product that uses the Visual Basic language for scripting, or ColdFusion.

Active Documents
• For many applications, we need a program or a script to be run at the client site. These
are called active documents.
• For example, suppose we want to run a program that creates animated graphics on the
screen or a program that interacts with the user.
• The program definitely needs to be run at the client site where the animation or
interaction takes place.
• When a browser requests an active document, the server sends a copy of the document
or a script. The document is then run at the client (browser) site.
• Java applets or JavaScript are used to create an active document.

HyperText Transfer Protocol (HTTP)


• The HyperText Transfer Protocol (HTTP) is used to define how the client-server
programs can be written to retrieve web pages from the Web.
• An HTTP client sends a request; an HTTP server returns a response. The server uses
the port number 80; the client uses a temporary port number.
• HTTP uses the services of TCP, which is a connection-oriented and reliable protocol.

Nonpersistent versus Persistent Connections


• If the objects to be retrieved for a web page are located on different servers, we need to
create a new TCP connection for retrieving each object.
• However, if some of the objects are located on the same server, we have two options:
to retrieve each object using a new TCP connection (nonpersistent connection) or to
make one TCP connection and retrieve them all over it (persistent connection).

Nonpersistent Connections
• In a nonpersistent connection, one TCP connection is made for each request/response.
The following lists the steps in this strategy:
1. The client opens a TCP connection and sends a request.
2. The server sends the response and closes the connection.
3. The client reads the data until it encounters an end-of-file marker; it then closes the
connection.
• In this strategy, if a file contains links to N different pictures in different files (all located
on the same server), the connection must be opened and closed N + 1 times.
• The nonpersistent strategy imposes high overhead on the server because the server
needs N + 1 different buffers each time a connection is opened.
• For each connection, TCP requires at least three handshake messages to establish the
connection, but the request can be sent with the third one.
• After the connection is established, the object can be transferred. After receiving an
object, another three handshake messages are needed to terminate the connection.

Persistent Connections
• HTTP version 1.1 specifies a persistent connection by default. In a persistent
connection, the server leaves the connection open for more requests after sending a
response.
• The server can close the connection at the request of a client or if a time-out has been
reached.
• The sender usually sends the length of the data with each response. The length of the
data is not known when a document is created dynamically or actively.
• In these cases, the server informs the client that the length is not known and closes the
connection after sending the data so the client knows that the end of the data has been
reached.
• Time and resources are saved using persistent connections. Only one set of buffers and
variables needs to be set for the connection at each site.
• The round trip time for connection establishment and connection termination is saved.
• Only one connection establishment and connection termination is used, but the request
for the image is sent separately.

Message Formats
• The HTTP protocol defines the format of the request and response messages. Each
message has four sections.
• The first section in the request message is called the request line; the first section in the
response message is called the status line. The other three sections have the same names
in the request and response messages.
Request Message:
• The first line in a request message is called a request line. There are three fields in this
line separated by one space and terminated by two characters (carriage return and line
feed). The fields are method, URL, and version.
• The method field defines the request types. In version 1.1 of HTTP, several methods
are defined.

• Most of the time, the client uses the GET method to send a request. In this case, the
body of the message is empty.
• The HEAD method is used when the client needs only some information about the web
page from the server.
• The response message in this case has only the header section; the body section is
empty.
• The PUT method is the inverse of the GET method; it allows the client to post a new
web page on the server (if permitted).
• The POST method is used to send some information to the server to be added to the
web page or to modify the web page.
• The TRACE method is used for debugging; the client asks the server to echo back the
request to check whether the server is getting the requests.
• The DELETE method allows the client to delete a web page on the server if the client
has permission to do so.
• The CONNECT method was originally made as a reserve method; it may be used by
proxy servers.
• Finally, the OPTIONS method allows the client to ask about the properties of a web
page.
After the request line, we can have zero or more request header lines. Each header line sends
additional information from the client to the server.

Response Message:
A response message consists of a status line, header lines, a blank line, and sometimes a body.

• The first line in a response message is called the status line. There are three fields in
this line separated by spaces and terminated by a carriage return and line feed.
• The first field defines the version of HTTP protocol, currently 1.1.
• The status code field defines the status of the request. It consists of three digits.
• The codes in the 100 range are only informational, the codes in the 200 range indicate
a successful request.
• The codes in the 300 range redirect the client to another URL, and the codes in the 400
range indicate an error at the client site.
• Finally, the codes in the 500 range indicate an error at the server site. The status phrase
explains the status code in text form.
After the status line, we can have zero or more response header lines. Each header line sends
additional information from the server to the client. Some header names commonly used in a
response message:
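The request and response message formats described above, as an added Python example that is not code from the notes: a parser that splits the request line into method, URL and version and the status line into version, three-digit code and phrase, lower-cases the header names, and frames the body by Content-Length, or, for a response without one, by the end of the data as the persistent-connection discussion describes. A repeated or non-numeric Content-Length is rejected rather than guessed. The sample messages are constructed, not captured from a real server.

```python
import re

CRLF = b"\r\n"
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token (method, header name)
_VERSION = re.compile(rb"^HTTP/\d\.\d$")


def _split(raw: bytes) -> tuple[list[bytes], bytes]:
    """The header section ends at the first blank line (CRLF CRLF)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header section")
    return head.split(CRLF), rest


def _parse_headers(lines: list[bytes]) -> dict[str, str]:
    """Each header line is 'Name: value'; names are case-insensitive, so they are
    lower-cased. A second Content-Length makes the framing ambiguous: reject it."""
    headers: dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        key = name.decode("ascii").lower()
        if key == "content-length" and key in headers:
            raise ValueError("ambiguous framing: repeated Content-Length")
        headers[key] = value.strip(b" \t").decode("latin-1")
    return headers


def _body(headers: dict[str, str], rest: bytes, until_close: bool) -> bytes:
    """Content-Length frames the body exactly (extra bytes belong to the next
    message on a persistent connection). Without it, a response body runs until
    the server closes the connection (here: the end of the bytes); a request has none."""
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("non-numeric Content-Length")
        n = int(headers["content-length"])
        if len(rest) < n:
            raise ValueError("truncated body")
        return rest[:n]
    return rest if until_close else b""


def parse_request(raw: bytes) -> dict:
    lines, rest = _split(raw)
    parts = lines[0].split(b" ")          # request line: method SP URL SP version
    if len(parts) != 3 or not _TOKEN.match(parts[0]) or not _VERSION.match(parts[2]):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = _parse_headers(lines[1:])
    return {"method": parts[0].decode("ascii"), "url": parts[1].decode("latin-1"),
            "version": parts[2].decode("ascii"), "headers": headers,
            "body": _body(headers, rest, until_close=False)}


def parse_response(raw: bytes) -> dict:
    lines, rest = _split(raw)
    parts = lines[0].split(b" ", 2)       # status line: version SP code SP phrase (phrase may hold spaces)
    if len(parts) < 2 or not _VERSION.match(parts[0]) or not re.fullmatch(rb"\d{3}", parts[1]):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = _parse_headers(lines[1:])
    phrase = parts[2].decode("latin-1") if len(parts) == 3 else ""
    return {"version": parts[0].decode("ascii"), "status": int(parts[1]), "phrase": phrase,
            "headers": headers, "body": _body(headers, rest, until_close=True)}


# Constructed sample messages for the demonstration.
SAMPLE_REQUEST = (b"GET /usr/bin/image1 HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Accept: image/gif\r\n"
                  b"\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 07 Aug 2023 10:00:00 GMT\r\n"
                   b"Content-Length: 5\r\n"
                   b"\r\n"
                   b"hello")
```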

Example: GET method


Example: PUT method

Conditional Request
• A client can add a condition in its request. In this case, the server will send the requested
web page if the condition is met or inform the client otherwise.
• For example, the client can send the header line If-Modified-Since with the request to
tell the server that it needs the page only if it is modified after a certain point in time.
Request:

Response:
Cookies
• The World Wide Web was originally designed as a stateless entity. A client sends a
request; a server responds.
• Today the Web has other functions that need to remember some information about the
clients; some are listed below:
1. Websites are being used as electronic stores that allow users to browse through the
store, select wanted items, put them in an electronic cart, and pay at the end with a
credit card.
2. Some websites need to allow access to registered clients only.
3. Some websites are used as portals: the user selects the web pages he wants to see.
4. Some websites are just advertising agencies.
For these purposes, the cookie mechanism was devised.

Creating and Storing Cookies


The creation and storing of cookies depend on the implementation; however, the principle is
the same.
1. When a server receives a request from a client, it stores information about the client in
a file or a string. The information may include the domain name of the client, the
contents of the cookie, a timestamp, and other information.
2. The server includes the cookie in the response that it sends to the client.
3. When the client receives the response, the browser stores the cookie in the cookie
directory, which is sorted by the server domain name.
Using Cookies
When a client sends a request to a server, the browser looks in the cookie directory to see if it
can find a cookie sent by that server. If found, the cookie is included in the request. When the
server receives the request, it knows that this is an old client, not a new one.
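The response message, the status-code ranges, the If-Modified-Since conditional request and the cookie round trip described above, as an added example (not code from these notes). The sample response, the cookie jar class and the domain example.com are constructed for illustration; the jar stores cookies keyed by the server's domain name, the way the notes describe the browser's cookie directory.

```python
"""Build an HTTP/1.1 request with a conditional header, parse a response
message (status line, header lines, blank line, body), classify the status
code by its hundreds digit, and keep a per-domain cookie jar as a browser does.
The sample response below is constructed for this example."""

CRLF = "\r\n"

# Meaning of each status-code range, as listed in the notes.
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}


def build_request(method, path, host, headers=None):
    """Return the request message: request line, header lines, blank line."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def parse_response(raw):
    """Split a response into (version, code, phrase, headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    version, code, phrase = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        # Set-Cookie may appear several times; keep every value.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(code), phrase, headers, body


def status_class(code):
    """Classify a three-digit status code by its first digit."""
    return STATUS_CLASSES.get(code // 100, "unknown")


class CookieJar:
    """Toy cookie directory keyed by the server's domain name (constructed)."""

    def __init__(self):
        self._jar = {}

    def store(self, domain, set_cookie_values):
        for value in set_cookie_values:
            pair = value.split(";", 1)[0]          # drop attributes such as Path
            name, _, val = pair.partition("=")
            self._jar.setdefault(domain, {})[name.strip()] = val.strip()

    def header_for(self, domain):
        """Cookie header to attach to a later request to the same server."""
        cookies = self._jar.get(domain, {})
        if not cookies:
            return None
        return "; ".join(f"{k}={v}" for k, v in cookies.items())


# Constructed sample: the first response sets a cookie and a Last-Modified time.
FIRST_RESPONSE = (
    "HTTP/1.1 200 OK" + CRLF +
    "Date: Mon, 10 Jul 2023 10:00:00 GMT" + CRLF +
    "Last-Modified: Sun, 09 Jul 2023 08:30:00 GMT" + CRLF +
    "Set-Cookie: session=abc123; Path=/" + CRLF +
    "Content-Length: 11" + CRLF + CRLF +
    "Hello world"
)


def demo(domain="example.com"):
    """Parse the first response, then build the follow-up conditional request."""
    jar = CookieJar()
    _, code, _, headers, body = parse_response(FIRST_RESPONSE)
    jar.store(domain, headers.get("set-cookie", []))
    # Second request: only wanted if modified since the time the server gave,
    # and carrying the cookie so the server recognises an old client.
    second = build_request("GET", "/index.html", domain, {
        "If-Modified-Since": headers["last-modified"][0],
        "Cookie": jar.header_for(domain),
    })
    return code, status_class(code), body, second
```

If the page has not changed, the server answers the second request with a status line in the 300 range (304) and an empty body, which is exactly why the conditional request saves bandwidth.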
How a cookie is used:
1. An electronic store (e-commerce) can use a cookie for its client shoppers. When a client
selects an item and inserts it in a cart, a cookie that contains information about the item,
such as its number and unit price, is sent to the browser. If the client selects a second
item, the cookie is updated with the new selection information, and so on. When the
client finishes shopping and wants to check out, the last cookie is retrieved and the total
charge is calculated.
2. The site that restricts access to registered clients only sends a cookie to the client when
the client registers for the first time. For any repeated access, only those clients that
send the appropriate cookie are allowed.
3. A web portal uses the cookie in a similar way. When a user selects her favorite pages,
a cookie is made and sent. If the site is accessed again, the cookie is sent to the server
to show what the client is looking for.
4. A cookie is also used by advertising agencies. An advertising agency can place banner
ads on some main website that is often visited by users. The advertising agency supplies
only a URL that gives the advertising agency’s address instead of the banner itself.
When a user visits the main website and clicks the icon of a corporation, a request is
sent to the advertising agency. The advertising agency sends the requested banner, but
it also includes a cookie with the ID of the user. The advertising agency has compiled
the interests of the user and can sell this information to other parties.
Example:
Web Caching: Proxy Servers
• HTTP supports proxy servers. A proxy server is a computer that keeps copies of
responses to recent requests.
• The HTTP client sends a request to the proxy server. The proxy server checks its cache.
• If the response is not stored in the cache, the proxy server sends the request to the
corresponding server.
• Incoming responses are sent to the proxy server and stored for future requests from
other clients.
• Hence, the proxy server acts as both server and client.
• The proxy server reduces the load on the original server, decreases traffic, and improves
latency.
Proxy Server Location
The proxy servers are normally located at the client site. We can have a hierarchy of proxy
servers, as shown below:
1. A client computer can also be used as a proxy server, in a small capacity, that stores
responses to requests often invoked by the client.
2. In a company, a proxy server may be installed on the computer LAN to reduce the load
going out of and coming into the LAN.
3. An ISP with many customers can install a proxy server to reduce the load going out of
and coming into the ISP network.

• In the above example, the proxy server is installed in the local network.
• When an HTTP request is created by any of the clients (browsers), the request is first
directed to the proxy server.
• If the proxy server already has the corresponding web page, it sends the response to the
client.
• Otherwise, the proxy server acts as a client and sends the request to the web server in
the Internet.
• When the response is returned, the proxy server makes a copy and stores it in its cache
before sending it to the requesting client.
Cache Update
The proxy server can store the list of sites whose information remains the same for a while. For
example, a news agency may change its news page every morning. Another recommendation
is to add some headers to show the last modification time of the information. The proxy server
can then use the information in this header to guess how long the information would be valid.
HTTP Security
HTTP does not provide security. However, HTTP can be run over the Secure Socket Layer
(SSL). In this case, HTTP is referred to as HTTPS. HTTPS provides confidentiality, client and
server authentication, and data integrity.

File Transfer Protocol (FTP)


• FTP is the standard protocol provided by TCP/IP for transferring a file from one host
to another.
• The challenges are, the two systems may use different file name conventions, they may
have different ways to represent data, may have different directory structures.
• All of these problems have been solved by FTP in a very simple and elegant approach.
• Although we can transfer files using HTTP, FTP is a better choice to transfer large files
or to transfer files using different formats.

Basic model of FTP


• The client has three components: the user interface, the client control process, and the
client data transfer process.
• The server has two components: the server control process and the server data transfer
process. The control connection is made between the control processes.
• The data connection is made between the data transfer processes. Separation of
commands and data transfer makes FTP more efficient.

Two Connections
• The two connections in FTP have different lifetimes. The control connection remains
connected during the entire interactive FTP session.
• The data connection is opened and then closed for each file transfer activity.
• It opens each time commands that involve transferring files are used, and it closes when
the file is transferred. FTP uses two well-known TCP ports: port 21 is used for the
control connection, and port 20 is used for the data connection.
Control Connection
• It uses the NVT ASCII character set as used by TELNET. Communication is achieved
through commands and responses.
• Each line is terminated with a two-character (carriage return and line feed) end-of-line
token.
FTP Commands:

• Every FTP command generates at least one response. A response has two parts: a three-
digit number followed by text.
• The numeric part defines the code; the text part defines needed parameters or further
explanations.
• The first digit defines the status of the command. The second digit defines the area in
which the status applies. The third digit provides additional information.
Responses in FTP:

Data Connection
The data connection uses the well-known port 20 at the server site. However, the creation of a
data connection is different from the control connection. The following shows the steps:
1. The client issues a passive open using an ephemeral port. This must be done by the
client because the client issues the commands for transferring files.
2. Using the PORT command the client sends this port number to the server.
3. The server receives the port number and issues an active open using the well known
port 20 and the received ephemeral port number.

Communication over Data Connection


To transfer files through the data connection, the client must define the type of file to be
transferred, the structure of the data, and the transmission mode. Before sending the file through
the data connection, we prepare for transmission through the control connection.
File Type:
FTP can transfer one of the following file types across the data connection: ASCII file,
EBCDIC file, or image file.
Data Structure:
FTP can transfer a file across the data connection using one of the following interpretations of
the structure of the data: file structure, record structure, or page structure. The file structure
format is a continuous stream of bytes. In the record structure, the file is divided into records.
This can be used only with text files. In the page structure, the file is divided into pages, with
each page having a page number and a page header. The pages can be stored and accessed
randomly or sequentially.
Transmission Mode:
FTP can transfer a file across the data connection using one of the following three transmission
modes: stream mode, block mode, or compressed mode. The stream mode is the default mode;
data are delivered from FTP to TCP as a continuous stream of bytes. In the block mode, data
can be delivered from FTP to TCP in blocks. In this case, each block is preceded by a 3-byte
header. The first byte is called the block descriptor; the next two bytes define the size of the
block in bytes.
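The three-digit reply structure, the PORT command that carries the client's ephemeral port, and the 3-byte block-mode header from the sections above, as an added example (not code from these notes). Reply lines, addresses and file contents are constructed; the meanings of the second digit and the EOF descriptor value 0x40 come from the FTP standard (RFC 959), not from the notes.

```python
"""FTP control-connection replies, the PORT command argument, and block-mode
framing on the data connection. All inputs are constructed for this example."""

import struct

# First reply digit: overall status of the command.
FIRST_DIGIT = {1: "positive preliminary", 2: "positive completion",
               3: "positive intermediate", 4: "transient negative",
               5: "permanent negative"}
# Second digit: the area the status applies to (RFC 959).
SECOND_DIGIT = {0: "syntax", 1: "information", 2: "connections",
                3: "authentication and accounting", 5: "file system"}


def parse_reply(line):
    """Split '331 User name okay...' into code and text and name the meaning
    of the first two digits."""
    code, _, text = line.rstrip("\r\n").partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"malformed FTP reply: {line!r}")
    d1, d2 = int(code[0]), int(code[1])
    return {"code": int(code), "text": text,
            "status": FIRST_DIGIT.get(d1, "unknown"),
            "area": SECOND_DIGIT.get(d2, "unknown")}


def port_argument(ip, port):
    """Encode the client's ephemeral port for the PORT command: the four
    address bytes and the two port bytes as decimal numbers, comma separated."""
    if not 1024 <= port <= 65535:
        raise ValueError("ephemeral port must be in 1024..65535")
    h = ip.split(".")
    if len(h) != 4 or any(not 0 <= int(x) <= 255 for x in h):
        raise ValueError("bad IPv4 address")
    return ",".join(h + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg):
    """Inverse of port_argument: recover (ip, port) from 'h1,h2,h3,h4,p1,p2'."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError("bad PORT argument")
    return ".".join(map(str, parts[:4])), (parts[4] << 8) | parts[5]


# Block mode: each block is preceded by a 3-byte header, one descriptor byte
# and a 2-byte big-endian block size. Descriptor 0x40 (EOF, from RFC 959)
# marks the last block; 0x00 is a plain data block.
EOF_BLOCK = 0x40


def frame_blocks(data, block_size=4):
    """Split a file into block-mode frames, each with its 3-byte header."""
    frames = b""
    chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)] or [b""]
    for idx, chunk in enumerate(chunks):
        descriptor = EOF_BLOCK if idx == len(chunks) - 1 else 0x00
        frames += struct.pack("!BH", descriptor, len(chunk)) + chunk
    return frames


def deframe_blocks(frames):
    """Reassemble the file from block-mode frames, stopping at the EOF block."""
    out, pos = b"", 0
    while pos + 3 <= len(frames):
        descriptor, size = struct.unpack("!BH", frames[pos:pos + 3])
        pos += 3
        if pos + size > len(frames):
            raise ValueError("truncated block")
        out += frames[pos:pos + size]
        pos += size
        if descriptor & EOF_BLOCK:
            break
    return out
```

The size field in the header is what lets the receiver know where one block ends and the next header begins; a block that claims more bytes than are present is rejected rather than silently read past the buffer.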
File Transfer
File transfer occurs over the data connection under the control of the commands sent over the
control connection.

Example:

Security for FTP


• The FTP protocol was designed when security was not a big issue.
• Although FTP requires a password, the password is sent in plaintext (unencrypted),
which means it can be intercepted and used by an attacker.
• The data transfer connection also transfers data in plain text, which is insecure.
• To be secure, one can add a Secure Socket Layer between the FTP application layer and
the TCP layer. In this case FTP is called SSL-FTP.
Electronic Mail
Electronic mail (or e-mail) allows users to exchange messages. E-mail is considered a one-way
transaction. The users run only client programs when they want, and the intermediate servers
apply the client/server paradigm.
Architecture
• In the common scenario shown below, the sender and the receiver of the e-mail, Alice
and Bob respectively, are connected via a LAN or a WAN to two mail servers.
• The administrator has created one mailbox for each user where the received messages
are stored.
• A mail box is part of a server hard drive, a special file with permission restrictions.
• Only the owner of the mailbox has access to it. The administrator has also created a
queue to store messages waiting to be sent.

• A simple e-mail from Alice to Bob takes nine different steps. Alice and Bob use three
different agents: a user agent (UA), a message transfer agent (MTA), and a message
access agent (MAA).
• When Alice needs to send a message to Bob, she runs a UA program to prepare the
message and send it to her mail server.
• The mail server at her site uses a queue (spool) to store messages waiting to be sent.
• The message, however, needs to be sent through the Internet from Alice’s site to Bob’s
site using an MTA.
• Here two message transfer agents are needed: one client and one server. The server
needs to run all the time because it does not know when a client will ask for a
connection.
• The client, on the other hand, can be triggered by the system when there is a message
in the queue to be sent.
• The user agent at the Bob site allows Bob to read the received message.
• Bob later uses an MAA client to retrieve the message from an MAA server running on
the second server.
• Bob needs another pair of client-server programs: message access programs.
• This is because an MTA client-server program is a push program: the client pushes the
message to the server.
• Bob needs a pull program. The client needs to pull the message from the server.

User Agent
• The first component of an electronic mail system is the user agent (UA).
• It provides service to the user to make the process of sending and receiving a message
easier.
• A user agent is a software package (program) that composes, reads, replies to, and
forwards messages.
• It also handles local mailboxes on the user computers.
• There are two types of user agents: command-driven and GUI-based.
• A command-driven user agent normally accepts a one character command from the
keyboard to perform its task.
• Modern user agents are GUI-based. They contain graphical user interface (GUI)
components that allow the user to interact with the software by using both the keyboard
and the mouse.
• Some examples of GUI-based user agents are Eudora and Outlook.

Sending Mail
• The mail has an envelope and a message. The envelope usually contains the sender
address, the receiver address, and other information.
• The message contains the header and the body. The header of the message defines the
sender, the receiver, the subject of the message, and some other information. The body
of the message contains the actual information to be read by the recipient.
Receiving Mail
• If a user has mail, the UA informs the user with a notice. If the user is ready to read the
mail, a list is displayed in which each line contains a summary of the information about
a particular message in the mail box.
• The summary usually includes the sender mail address, the subject, and the time the
mail was sent or received. The user can select any of the messages and display its
contents on the screen.

Addresses
• To deliver mail, a mail handling system must use an addressing system with unique
addresses.
• In the Internet, the address consists of two parts: a local part and a domain name,
separated by an @ sign.

• The local part defines the name of a special file, called the user mailbox, where all the
mail received for a user is stored for retrieval by the message access agent.
• The second part of the address is the domain name. An organization usually selects one
or more hosts to receive and send e-mail; they are sometimes called mail servers or
exchangers.
Mailing List or Group List
• Electronic mail allows one name, an alias, to represent several different e-mail
addresses; this is called a mailing list.
• Every time a message is to be sent, the system checks the recipient’s name against the
alias database; if there is a mailing list for the defined alias, separate messages, one for
each entry in the list, must be prepared and handed to the MTA.

Message Transfer Agent: SMTP


E-mail needs three uses of the client-server paradigm. The first and the second are
message transfer agents (MTAs); the third is a message access agent (MAA).

Protocols used in electronic mail


• The formal protocol that defines the MTA client and server in the Internet is called
Simple Mail Transfer Protocol (SMTP).
• SMTP is used between the sender and the sender’s mail server and between the two
mail servers.
• A mail access protocol is needed between the mail server and the receiver.

Commands and Responses


• SMTP uses commands and responses to transfer messages between an MTA client and
an MTA server.
• The command is from an MTA client to an MTA server; the response is from an MTA
server to the MTA client.
• Each command or reply is terminated by a two-character (carriage return and line feed)
end-of-line token.
The format of a command consists of a keyword followed by zero or more arguments. SMTP
defines 14 commands.
A response is a three-digit code that may be followed by additional textual information.
Mail Transfer Phases
The process of transferring a mail message occurs in three phases: connection establishment,
mail transfer, and connection termination.
Connection Establishment:
After a client has made a TCP connection to the well known port 25, the SMTP server starts
the connection phase. This phase involves the following three steps:
1. The server sends code 220 (service ready) to tell the client that it is ready to receive
mail. If the server is not ready, it sends code 421 (service not available).
2. The client sends the HELO message to identify itself, using its domain name address.
This step is necessary to inform the server of the domain name of the client.
3. The server responds with code 250 (request command completed) or some other code
depending on the situation.
Message Transfer:
After connection has been established between the SMTP client and server, a single message
between a sender and one or more recipients can be exchanged. This phase involves eight steps.
Steps 3 and 4 are repeated if there is more than one recipient.
1. The client sends the MAIL FROM message to introduce the sender of the message. It
includes the mail address of the sender (mailbox and the domain name).
2. The server responds with code 250 or some other appropriate code.
3. The client sends the RCPT TO (recipient) message, which includes the mail address of
the recipient.
4. The server responds with code 250 or some other appropriate code.
5. The client sends the DATA message to initialize the message transfer.
6. The server responds with code 354 (start mail input) or some other appropriate message.
7. The client sends the contents of the message in consecutive lines. Each line is
terminated by a two-character end-of-line token (carriage return and line feed). The
message is terminated by a line containing just one period.
8. The server responds with code 250 (OK) or some other appropriate code.
Connection Termination:
After the message is transferred successfully, the client terminates the connection. This phase
involves two steps.
1. The client sends the QUIT command.
2. The server responds with code 221 or some other appropriate code.
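The three phases and their reply codes, played out between a toy client and a toy server, as an added example (not code from these notes or from any real MTA). The server state machine, the domain names and the message body are constructed; the 503 reply for an out-of-order command comes from the SMTP standard rather than from the notes. The example also handles the case step 7 implies: a body line that is itself a single period would end the message early, so the client escapes lines that begin with a period ("dot stuffing") and the server strips the escape.

```python
"""The three SMTP phases (connection establishment, message transfer,
connection termination) between a toy client and a toy server state machine.
Both sides are constructed for this example; there is no network I/O."""


def dot_stuff(body_lines):
    """Body lines that start with '.' get an extra leading '.', so only the
    terminating line consists of a lone period."""
    return ["." + line if line.startswith(".") else line for line in body_lines]


def dot_unstuff(body_lines):
    return [line[1:] if line.startswith(".") else line for line in body_lines]


class ToyServer:
    """Minimal MTA server: answers commands with the codes from the notes."""

    def __init__(self, domain="mail.example.net"):
        self.domain = domain
        self.state = "connect"       # connect -> helo -> mail -> rcpt -> data
        self.envelope = {"from": None, "to": []}
        self.body = []
        self.delivered = []          # (envelope, body_lines) after the final '.'

    def greeting(self):
        return f"220 {self.domain} Simple Mail Transfer Service Ready"

    def handle(self, line):
        if self.state == "data":
            if line == ".":
                self.delivered.append((self.envelope, dot_unstuff(self.body)))
                self.envelope, self.body, self.state = {"from": None, "to": []}, [], "helo"
                return "250 OK"
            self.body.append(line)
            return None                # no reply while the text is being received
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.state = "helo"
            return f"250 {self.domain}"
        if verb == "MAIL" and self.state == "helo":
            self.envelope["from"] = arg.split(":", 1)[1].strip("<> ")
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            self.envelope["to"].append(arg.split(":", 1)[1].strip("<> "))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return f"221 {self.domain} Service closing transmission channel"
        return "503 Bad sequence of commands"   # standard SMTP code, not in the notes


def send_message(server, sender, recipients, body_lines,
                 client_domain="alice.example.org"):
    """Drive the exchange as the client; return the transcript and success flag."""
    transcript = [("S", server.greeting())]
    if not transcript[-1][1].startswith("220"):
        return transcript, False        # 421 would land here: server not ready

    def send(cmd):
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        if reply is not None:
            transcript.append(("S", reply))
        return reply or ""

    ok = send(f"HELO {client_domain}").startswith("250")
    ok = ok and send(f"MAIL FROM:<{sender}>").startswith("250")
    for rcpt in recipients:             # steps 3 and 4 repeat for each recipient
        ok = ok and send(f"RCPT TO:<{rcpt}>").startswith("250")
    ok = ok and send("DATA").startswith("354")
    if ok:
        for line in dot_stuff(body_lines):
            send(line)
        ok = send(".").startswith("250")
    send("QUIT")                        # connection termination, code 221
    return transcript, ok
```

The transcript lists each side's lines in order, so it can be compared against the eight steps of the message transfer phase; the state check in the server is what a real MTA uses to refuse, for instance, a DATA command before any recipient has been accepted.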

Message Access Agent: POP and IMAP


• The first and second stages of mail delivery use SMTP. The third stage needs a pull
protocol; the client must pull messages from the server. Hence, the third stage uses a
message access agent.
• The two message access protocols are: Post Office Protocol, version 3 (POP3) and
Internet Mail Access Protocol, version 4 (IMAP4).
Figure 26.15 shows the position of these two protocols.
Post Office Protocol, version 3 (POP3)
• POP3 is simple but limited in functionality. The client POP3 software is installed on
the recipient computer; the server POP3 software is installed on the mail server.
• Mail access starts with the client when the user needs to download its e-mail from the
mailbox on the mail server.
• The client opens a connection to the server on TCP port 110. It then sends its user name
and password to access the mailbox.
• The user can then list and retrieve the mail messages, one by one.

• POP3 has two modes: the delete mode and the keep mode. In the delete mode, the mail
is deleted from the mailbox after each retrieval.
• In the keep mode, the mail remains in the mailbox after retrieval. The delete mode is
normally used when the user is working at her permanent computer and can save and
organize the received mail after reading or replying.
• The keep mode is normally used when the user accesses her mail away from her primary
computer. The mail is read but kept in the system for later retrieval and organizing.

Internet Mail Access Protocol, version 4 (IMAP4)


IMAP4 is similar to POP3, but it has more features; IMAP4 is more powerful and more
complex.
IMAP4 provides the following extra functions:
1. A user can check the e-mail header prior to downloading.
2. A user can search the contents of the e-mail for a specific string of characters prior to
downloading.
3. A user can partially download e-mail, for example if bandwidth is limited and the e-mail
contains multimedia with high bandwidth requirements.
4. A user can create, delete, or rename mailboxes on the mail server.
5. A user can create a hierarchy of mailboxes in a folder for e-mail storage.

Multipurpose Internet Mail Extensions (MIME)


• Electronic mail has a simple structure. It can send messages only in NVT 7-bit ASCII
format.
• It cannot be used for languages other than English. Also, it cannot be used to send binary
files or video or audio data.
• MIME is a supplementary protocol that allows non-ASCII data to be sent through e-
mail.
• MIME transforms non-ASCII data at the sender site to NVT ASCII data and delivers it
to the client MTA to be sent through the Internet.
• The message at the receiving site is transformed back to the original data.

MIME Headers
MIME defines five headers, which can be added to the original e-mail header section to define
the transformation parameters.

MIME-Version:
This header defines the version of MIME used. The current version is 1.1.
Content-Type:
This header defines the type of data used in the body of the message. The content type and the
content subtype are separated by a slash. Depending on the subtype, the header may contain
other parameters. MIME allows seven different types of data.

Content-Transfer-Encoding:
This header defines the method used to encode the messages into 0s and 1s for transport. The
five types of encoding methods are listed below.

In the Base64 encoding, data, as a string of bits, is first divided into 6-bit chunks.
Base64 Conversion
Each 6-bit section is then converted into an ASCII character according to below table:

Base64 converting table


• Base64 is a redundant encoding scheme; that is, every six bits become one ASCII
character and are sent as eight bits. We have an overhead of 25 percent.
• In quoted-printable, if a character is ASCII, it is sent as it is. If a character is not ASCII,
it is sent as three characters. The first character is the equal sign (=). The next two
characters are the hexadecimal representations of the byte.
Quoted-printable
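The Base64 chunking, its padding and overhead, and the quoted-printable "=XX" escape described above, as an added example (not code from these notes). The encoders are written out by hand so that the 6-bit grouping is visible; the standard library's base64 module is used only to cross-check the result. Sample strings are constructed. One detail beyond the notes: quoted-printable must also escape the "=" character itself, since otherwise a literal "=" in the data could not be told apart from an escape.

```python
"""Base64 and quoted-printable as described in the MIME section: 6-bit chunks
looked up in the 64-character table, '=' padding, the overhead figure, and the
'=XX' escape for non-ASCII bytes. Sample data is constructed for this example."""

import base64  # used only by cross_check() to verify the hand-written encoder

B64_TABLE = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
             "abcdefghijklmnopqrstuvwxyz"
             "0123456789+/")


def base64_encode(data: bytes) -> str:
    """Turn each 3-byte (24-bit) group into four 6-bit values and look each
    up in the table; a short final group is padded with '='."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        bits = int.from_bytes(group, "big") << (8 * (3 - len(group)))
        chars = [B64_TABLE[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(group) + 1     # 1 byte -> 2 chars + '==', 2 bytes -> 3 chars + '='
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def base64_decode(text: str) -> bytes:
    """Reverse the table lookup four characters at a time."""
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4].rstrip("=")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | B64_TABLE.index(ch)
        bits <<= 6 * (4 - len(quad))
        out += bits.to_bytes(3, "big")[: len(quad) - 1]
    return bytes(out)


def base64_overhead_fraction(data: bytes) -> float:
    """Share of transmitted bits that carry no payload: 2 of every 8 bits,
    i.e. 25 percent when the input length is a multiple of 3."""
    return 1 - len(data) / len(base64_encode(data))


def cross_check(sample: bytes) -> bool:
    """True if the hand-written codec agrees with the standard library."""
    return (base64_encode(sample) == base64.b64encode(sample).decode()
            and base64_decode(base64_encode(sample)) == sample)


def quoted_printable_encode(data: bytes) -> str:
    """Printable ASCII goes through as-is; any other byte (and '=' itself)
    is sent as '=' followed by the two hex digits of the byte."""
    out = []
    for b in data:
        if (33 <= b <= 126 and b != ord("=")) or b == 32:
            out.append(chr(b))
        else:
            out.append(f"={b:02X}")
    return "".join(out)


def quoted_printable_decode(text: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)
```

Base64 is the right choice for binary data, where nearly every byte would need escaping; quoted-printable is the right choice for mostly-ASCII text with a few accented characters, where the expansion stays small.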
Content-ID:
• This header uniquely identifies the whole message in a multiple message environment.
Content-Description
• This header defines whether the body is image, audio, or video.

Web-Based Mail
E-mail is such a common application that some websites today provide this service to anyone
who accesses the site. Three common sites are Hotmail, Yahoo, and Google mail.
Case I:
• In the first case, Alice, the sender, uses a traditional mail server; Bob, the receiver, has
an account on a web-based server.
• Mail transfer from Alice’s browser to her mail server is done through SMTP. The
transfer of the message from the sending mail server to the receiving mail server is still
through SMTP.
• However, the message from the receiving server (the web server) to Bob’s browser is
done through HTTP.
Case II:
• In the second case, both Alice and Bob use web servers, but not necessarily the same
server.
• Alice sends the message to the web server using HTTP transactions.
• The server at the Alice site passes the message to the SMTP client and sends it to the
server at the Bob site using SMTP protocol.
• Bob receives the message using HTTP transactions. However, the message from the
server at the Alice site to the server at the Bob site still takes place using SMTP protocol.

E-Mail Security
The e-mail protocol does not provide any security provisions. However, e-mail exchanges can
be secured using two application-layer securities. They are, Pretty Good Privacy (PGP) and
Secure/Multipurpose Internet Mail Extensions (S/MIME).

TELNET
TELNET is a remote logging protocol, which is an abbreviation for TErminaL NETwork.
Although TELNET requires a logging name and password, it is vulnerable to hacking because
it sends all data including the password in plaintext (not encrypted). This limitation is resolved
in another protocol, Secure Shell (SSH).
1. The simple plaintext architecture of TELNET allows us to understand the issues and
challenges related to the concept of remote logging.
2. Network administrators often use TELNET for diagnostic and debugging purposes.

Local versus Remote Logging


• When a user logs into a local system, it is called local logging. As a user types at a
terminal, the keystrokes are accepted by the terminal driver.
• The terminal driver passes the characters to the operating system. The operating system
interprets the combination of characters and invokes the desired application program or
utility.
• With remote logging, the user sends the keystrokes to the terminal driver where the
local operating system accepts the characters but does not interpret them.
• The characters are sent to the TELNET client, which transforms the characters into a
universal character set called Network Virtual Terminal (NVT) characters and delivers
them to the local TCP/IP stack.
• In the remote machine, the characters are delivered to the operating system and passed
to the TELNET server, which changes the characters to the corresponding characters
understandable by the remote computer.
• The characters are passed to the operating system through a pseudoterminal driver,
which pretends that the characters are coming from a terminal. The operating system
then passes the characters to the appropriate application program.

Network Virtual Terminal (NVT)


• The mechanism to access a remote computer is complex. This is because every
computer and its operating system accepts different combination of characters as
tokens.
• For example, the end-of-file token in a computer running the DOS operating system is
Ctrl+z, while the UNIX operating system recognizes Ctrl+d.
• TELNET solves this problem by defining a universal interface called the Network
Virtual Terminal (NVT) character set.
• Via this interface, the client TELNET translates characters (data or commands) that
come from the local terminal into NVT form and delivers them to the network.
• The server TELNET, on the other hand, translates data and commands from NVT form
into the form acceptable by the remote computer.
Below figure shows the concept.

• For data, NVT normally uses the NVT ASCII. This is an 8-bit character set in which
the seven lowest order bits are the same as US ASCII and the highest order bit is 0.
• To send control characters from client to server or vice versa, NVT uses an 8-bit
character set in which the highest order bit is set to 1.

Options
TELNET lets the client and server negotiate options before or during the use of the service.
Options are extra features available to a user with a more sophisticated terminal. Users with
simpler terminals can use default features.
User Interface
The operating system defines an interface with user-friendly commands. Examples of interface
commands:

SECURE SHELL (SSH)


Secure Shell (SSH) was originally designed to replace TELNET. There are two versions of
SSH: SSH-1 and SSH-2, which are totally incompatible. The first version, SSH-1, is now
deprecated because of security flaws in it.

Components
SSH is an application-layer protocol with three components, as shown in below figure.

SSH Transport-Layer Protocol (SSH-TRANS)


• Since TCP is not a secured transport-layer protocol, SSH first uses a protocol that
creates a secured channel on top of the TCP.
• This new layer is an independent protocol referred to as SSH-TRANS.
• The client and server first use the TCP protocol to establish an insecure connection.
Then they exchange several security parameters to establish a secure channel on top of
the TCP.
• The services provided by this protocol are:
1. Privacy or confidentiality of the messages exchanged.
2. Data integrity, which means that it is guaranteed that the messages exchanged
between the client and server are not changed by an intruder.
3. Server authentication, which means that the client is now sure that the server is the
one that it claims to be.
4. Compression of the messages, which improves the efficiency of the system and
makes attack more difficult.
SSH Authentication Protocol (SSH-AUTH)
• After a secure channel is established between the client and the server and the server is
authenticated for the client, SSH authenticates the client for the server.
• The client authentication process in SSH is very similar to the Secure Socket Layer
(SSL). Authentication starts with the client, which sends a request message to the server.
• The request includes the user name, server name, the method of authentication, and the
required data.
• The server responds with either a success message, which confirms that the client is
authenticated, or a failed message, which means that the process needs to be repeated
with a new request message.
SSH Connection Protocol (SSH-CONN)
• One of the services provided by the SSH-CONN protocol is multiplexing. SSH-CONN
takes the secure channel established by the two previous protocols and lets the client
create multiple logical channels over it.
• Each channel can be used for a different purpose, such as remote logging, file transfer,
and so on.

Applications
SSH is a general-purpose protocol that provides a secure connection between a client and
server.
SSH for Remote Logging
Several free and commercial applications use SSH for remote logging. For example, PuTTY,
by Simon Tatham, is a client SSH program that can be used for remote logging. Another
application program is Tectia, which can be used on several platforms.

SSH for File Transfer


• One of the application programs that is built on top of SSH for file transfer is the Secure
File Transfer Program (sftp).
• The sftp application program uses one of the channels provided by the SSH to transfer
files. Another common application is called Secure Copy (scp).
• This application uses the same format as the UNIX copy command, cp, to copy files.

Port Forwarding
• With port forwarding, we can use the secured channels available in SSH to access an
application program that does not provide security services.
• The SSH port forwarding mechanism creates a tunnel through which the messages
belonging to other protocols can travel.
• This mechanism is referred to as SSH tunneling. Below figure shows the concept of
port forwarding for securing the FTP application.

Format of the SSH Packets


Below figure shows the format of packets used by the SSH protocols.
• The length field defines the length of the packet but does not include the padding. One
to eight bytes of padding is added to the packet to make the attack on the security
provision more difficult.
• The cyclic redundancy check (CRC) field is used for error detection. The type field
designates the type of the packet used in different SSH protocols. The data field is the
data transferred by the packet in different protocols.
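The packet layout just described (length field that excludes the padding, one to eight bytes of padding, type, data, CRC), as an added example (not code from these notes or from any SSH implementation). The field order, the rule that padding rounds the packet up to a multiple of 8 bytes, and the use of CRC-32 are assumptions made for illustration.

```python
"""Packet framing in the style of the SSH figure: a 4-byte length (excluding
padding), 1..8 bytes of random padding, a type byte, the data, and a CRC.
Field order, the pad-to-8 rule and CRC-32 are assumptions for this example."""

import os
import struct
import zlib

BLOCK = 8  # size the padding rounds the packet up to (assumption)


def build_packet(ptype: int, data: bytes) -> bytes:
    """Frame one packet; the padding length follows from the length field."""
    length = 1 + len(data) + 4                   # type + data + CRC, no padding
    pad_len = BLOCK - (length % BLOCK)           # always between 1 and 8
    padding = os.urandom(pad_len)
    crc = zlib.crc32(padding + bytes([ptype]) + data) & 0xFFFFFFFF
    return (struct.pack("!I", length) + padding + bytes([ptype]) + data
            + struct.pack("!I", crc))


def parse_packet(raw: bytes):
    """Return (type, data), or raise ValueError for a malformed or corrupted packet."""
    if len(raw) < 4:
        raise ValueError("short packet")
    (length,) = struct.unpack("!I", raw[:4])
    pad_len = BLOCK - (length % BLOCK)
    if len(raw) != 4 + pad_len + length:
        raise ValueError("length field does not match packet size")
    padding = raw[4:4 + pad_len]
    body = raw[4 + pad_len:4 + pad_len + length - 4]   # type byte + data
    (crc,) = struct.unpack("!I", raw[-4:])
    if zlib.crc32(padding + body) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch: packet corrupted")
    return body[0], body[1:]


def is_rejected(raw: bytes) -> bool:
    """True if parse_packet refuses the bytes (used to check error handling)."""
    try:
        parse_packet(raw)
    except ValueError:
        return True
    return False
```

The CRC catches transmission errors; it is not by itself an authenticator, which is why the services listed under SSH-TRANS include data integrity as a separate guarantee provided by the secure channel.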

DOMAIN NAME SYSTEM (DNS)


• A user wants to use a file transfer client to access the corresponding file transfer server
running on a remote host.
• The user knows only the file transfer server name, such as afilesource.com. However,
the TCP/IP suite needs the IP address of the file transfer server to make the connection.
• The following six steps map the host name to an IP address:
1. The user passes the host name to the file transfer client.
2. The file transfer client passes the host name to the DNS client.
3. The DNS client sends a message to a DNS server with a query that gives the file
transfer server name using the known IP address of the DNS server.
4. The DNS server responds with the IP address of the desired file transfer server.
5. The DNS server passes the IP address to the file transfer client.
6. The file transfer client now uses the received IP address to access the file transfer
server.
Name Space
• The names assigned to machines must be unique because the addresses are unique.
• A name space that maps each address to a unique name can be organized in two ways:
flat or hierarchical.
• In a flat name space, a name is assigned to an address. A name in this space is a sequence
of characters without structure. The main disadvantage of a flat name space is that it
cannot be used in a large system such as the Internet because it must be centrally
controlled to avoid ambiguity and duplication.
• In a hierarchical name space, each name is made of several parts. The first part can
define the nature of the organization, the second part can define the name of an
organization, the third part can define departments in the organization, and so on.
• In this case, the authority to assign and control the name spaces can be decentralized.
The organization can add suffixes (or prefixes) to the name to define its host or
resources.
Domain Name Space
To have a hierarchical name space, a domain name space was designed. In this design the names
are defined in an inverted-tree structure with the root at the top. The tree can have only 128
levels: level 0 (root) to level 127.

Label
Each node in the tree has a label, which is a string with a maximum of 63 characters. The root
label is a null string (empty string). DNS requires that children of a node have different labels,
which guarantees the uniqueness of the domain names.
Domain Name
• Each node in the tree has a domain name. A full domain name is a sequence of labels
separated by dots (.). The domain names are always read from the node up to the root.
• The last label is the label of the root (null), so a full domain name always ends in a null
label. Because the null string is empty, the last character of such a name is a dot.
• If a label is terminated by a null string, it is called a fully qualified domain name
(FQDN). If a label is not terminated by a null string, it is called a partially qualified
domain name (PQDN).
• A PQDN starts from a node, but it does not reach the root. It is used when the name to
be resolved belongs to the same site as the client. Here the resolver can supply the
missing part, called the suffix, to create an FQDN.
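The label and name rules above, worked out in Python as an added example (not part of the notes). The sample names such as challenger.fhda.edu. are constructed, and the constants MAX_LABEL and MAX_LEVELS carry the limits stated in the text.

```python
from typing import List

MAX_LABEL = 63     # from the notes: a label is at most 63 characters
MAX_LEVELS = 128   # from the notes: level 0 (root) to level 127

def is_fqdn(name: str) -> bool:
    """An FQDN ends in the root's null label, so its last character is a dot."""
    return name.endswith(".")

def validate(fqdn: str) -> None:
    """Raise ValueError if the name breaks the label-length or tree-depth rules."""
    if not is_fqdn(fqdn):
        raise ValueError("not fully qualified: " + fqdn)
    labels = fqdn.split(".")[:-1]      # drop the empty root label at the end
    if len(labels) + 1 > MAX_LEVELS:   # +1 for the root at level 0
        raise ValueError("more than %d levels" % MAX_LEVELS)
    for label in labels:
        if label == "":
            raise ValueError("empty label inside the name")
        if len(label) > MAX_LABEL:
            raise ValueError("label longer than %d characters: %r" % (MAX_LABEL, label))

def is_valid(fqdn: str) -> bool:
    try:
        validate(fqdn)
    except ValueError:
        return False
    return True

def qualify(name: str, local_suffix: str) -> str:
    """The resolver's job for a PQDN: append the site's suffix to make an FQDN.
    A name that is already fully qualified is returned unchanged."""
    if is_fqdn(name):
        return name
    fqdn = name + "." + local_suffix.strip(".") + "."
    validate(fqdn)
    return fqdn

def enclosing_domains(fqdn: str) -> List[str]:
    """Domains (subtrees) containing the node, from the node itself up to the root.
    Each domain is named after the node at the top of its subtree."""
    validate(fqdn)
    labels = fqdn.split(".")[:-1]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

if __name__ == "__main__":
    # constructed sample name
    print(qualify("challenger", "fhda.edu."))
    print(enclosing_domains("challenger.fhda.edu."))
```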

Domain
A domain is a subtree of the domain name space. The name of the domain is the name of the
node at the top of the subtree. Below figure shows some domains. Note that a domain may
itself be divided into domains.
Distribution of Name Space
• The information contained in the domain name space must be stored. However, it is
very inefficient and also not reliable to have just one computer store such a huge amount
of information.
• It is inefficient because responding to requests from all over the world places a heavy
load on the system. It is not reliable because any failure makes the data inaccessible.

Hierarchy of Name Servers

• The solution to these problems is to distribute the information among many computers
called DNS servers.
• We let the root stand alone and create as many domains (subtrees) as there are first-
level nodes.
• Because a domain created this way could be very large, DNS allows domains to be
divided further into smaller domains (subdomains).
• Each server can be responsible (authoritative) for either a large or small domain.
• We have a hierarchy of servers in the same way that we have a hierarchy of names.

Zone
• Since the complete domain name hierarchy cannot be stored on a single server, it is
divided among many servers.
• What a server is responsible for or has authority over is called a zone.
• If a server accepts responsibility for a domain and does not divide the domain into
smaller domains, the “domain” and the “zone” refer to the same thing.
• The server makes a database called a zone file and keeps all the information for every
node under that domain.
• However, if a server divides its domain into subdomains and delegates part of its
authority to other servers, “domain” and “zone” refer to different things.
• The information about the nodes in the subdomains is stored in the servers at the lower
levels.
Root Server
• A root server is a server whose zone consists of the whole tree. A root server usually
does not store any information about domains but delegates its authority to other
servers, keeping references to those servers.
• There are several root servers, each covering the whole domain name space. The root
servers are distributed all around the world.

Primary and Secondary Servers

• DNS defines two types of servers: primary and secondary. A primary server is a server
that stores a file about the zone for which it is an authority.
• It is responsible for creating, maintaining, and updating the zone file. It stores the zone
file on a local disk.
• A secondary server is a server that transfers the complete information about a zone from
another server (primary or secondary) and stores the file on its local disk.
• The secondary server neither creates nor updates the zone files. If updating is required,
it must be done by the primary server, which sends the updated version to the secondary.
• The primary and secondary servers are both authoritative for the zones they serve.
• The idea is not to put the secondary server at a lower level of authority but to create
redundancy for the data so that if one server fails, the other can continue serving clients.

DNS in the Internet

DNS is a protocol that can be used on different platforms.
In the Internet, the domain name space (tree) was originally divided into three different
sections: generic domains, country domains, and the inverse domains.
Generic Domains
The generic domains define registered hosts according to their generic behavior. Each node in
the tree defines a domain, which is an index to the domain name space database.

The first level in the generic domains section allows 14 possible labels. These labels describe
the organization types.

Country Domains
• The country domains section uses two-character country abbreviations (e.g., us for
United States).
• Second labels can be organizational, or they can be more specific national designations.
• The United States, for example, uses state abbreviations as a subdivision of us (e.g.,
ca.us.).
• The address uci.ca.us. can be translated to University of California, Irvine, in the state
of California in the United States.
Resolution
• Mapping a name to an address is called name-address resolution. DNS is designed as a
client-server application.
• A host that needs to map an address to a name or a name to an address calls a DNS
client called a resolver. The resolver accesses the closest DNS server with a mapping
request.
• If the server has the information, it satisfies the resolver; otherwise, it either refers the
resolver to other servers or asks other servers to provide the information.
• A resolution can be either recursive or iterative.

Recursive Resolution
Assume that an application program running on a host named some.anet.com needs to find the
IP address of another host named engineering.mcgraw-hill.com to send a message to. The
source host is connected to the Anet ISP; the destination host is connected to the McGraw-Hill
network.

• The application program on the source host calls the DNS resolver (client) to find the
IP address of the destination host.
• The resolver, which does not know this address, sends the query to the local DNS server
(for example, dns.anet.com) running at the Anet ISP site (event 1).
• We assume that this server does not know the IP address of the destination host either.
It sends the query to a root DNS server (event 2).
• Root servers do not normally keep the mapping between names and IP addresses, but the
root server knows the address of the top-level-domain server, so the query is sent to
this top-level-domain server (event 3).
• We assume that this server does not know the name-address mapping of this specific
destination, but it knows the IP address of the local DNS server in the McGraw-Hill
company (for example, dns.mcgraw-hill.com).
• The query is sent to this server (event 4), which knows the IP address of the destination
host.
• The IP address is now sent back to the top-level DNS server (event 5), then back to the
root server (event 6), then back to the ISP DNS server, which may cache it for the future
queries (event 7), and finally back to the source host (event 8).

Iterative Resolution
• In iterative resolution, each server that does not know the mapping sends the IP address
of the next server back to the one that requested it.
• Normally the iterative resolution takes place between two local servers; the original
resolver gets the final answer from the local server.
• Messages shown by events 2, 4, and 6 contain the same query. However, the message
shown by event 3 contains the IP address of the top-level domain server, the message
shown by event 5 contains the IP address of the McGraw-Hill local DNS server, and
the message shown by event 7 contains the IP address of the destination.
• When the Anet local DNS server receives the IP address of the destination, it sends it
to the resolver (event 8).
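An added simulation (not from the notes) of the two resolution styles using the server names in the example above. The NameServer class, the referral tables and the IP address 192.0.2.10 are constructed; each function records the messages it exchanges so the eight events of either figure can be compared.

```python
from typing import Dict, List, Optional

class NameServer:
    """A DNS server that is authoritative for some names and knows which
    server to refer to (or forward to) for the rest."""
    def __init__(self, name: str, records: Optional[Dict[str, str]] = None) -> None:
        self.name = name
        self.records: Dict[str, str] = records or {}   # name -> IP it is authoritative for
        self.referrals: Dict[str, "NameServer"] = {}  # domain suffix -> server to ask next

    def refer(self, domain: str, server: "NameServer") -> None:
        self.referrals[domain] = server

    def next_server(self, qname: str) -> Optional["NameServer"]:
        # Longest matching domain suffix wins; "." matches every FQDN.
        best = None
        for suffix, srv in self.referrals.items():
            if ("." + qname).endswith(suffix) and (best is None or len(suffix) > len(best[0])):
                best = (suffix, srv)
        return best[1] if best else None

def resolve_recursive(server: NameServer, qname: str, events: List[str],
                      asker: str = "resolver") -> str:
    """Each server that lacks the mapping forwards the query itself and relays
    the answer back along the same path (events 1 to 8 in the notes)."""
    events.append(f"{asker} -> {server.name}: query {qname}")
    if qname in server.records:
        ip = server.records[qname]
    else:
        nxt = server.next_server(qname)
        if nxt is None:
            raise LookupError(qname)
        ip = resolve_recursive(nxt, qname, events, asker=server.name)
    events.append(f"{server.name} -> {asker}: answer {ip}")
    return ip

def resolve_iterative(local: NameServer, qname: str, events: List[str]) -> str:
    """The local server asks each server in turn; a server that lacks the
    mapping answers with the address of the next server to ask."""
    events.append(f"resolver -> {local.name}: query {qname}")
    srv = local
    while qname not in srv.records:
        nxt = srv.next_server(qname)
        if nxt is None:
            raise LookupError(qname)
        if srv is not local:
            events.append(f"{srv.name} -> {local.name}: referral to {nxt.name}")
        srv = nxt
        events.append(f"{local.name} -> {srv.name}: query {qname}")
    ip = srv.records[qname]
    if srv is not local:
        events.append(f"{srv.name} -> {local.name}: answer {ip}")
    events.append(f"{local.name} -> resolver: answer {ip}")
    return ip

# Constructed topology using the names from the notes' example; the IP address
# is a constructed value from the documentation range (the notes give none).
TARGET = "engineering.mcgraw-hill.com."
AUTH = NameServer("dns.mcgraw-hill.com", {TARGET: "192.0.2.10"})
TLD = NameServer("com-tld")
TLD.refer(".mcgraw-hill.com.", AUTH)
ROOT = NameServer("root")
ROOT.refer(".com.", TLD)
LOCAL = NameServer("dns.anet.com")
LOCAL.refer(".", ROOT)

if __name__ == "__main__":
    for fn in (resolve_recursive, resolve_iterative):
        ev: List[str] = []
        fn(LOCAL, TARGET, ev)
        print(fn.__name__)
        print("\n".join(f"  {i + 1}. {e}" for i, e in enumerate(ev)))
```

In the recursive run the answer travels back through every server that forwarded the query; in the iterative run only the local server talks to the root, top-level and McGraw-Hill servers, and the resolver sees a single request and answer either way.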

Caching
• When a server asks for a mapping from another server and receives the response, it
stores this information in its cache memory before sending it to the client.
• If the same or another client asks for the same mapping, it can check its cache memory
and resolve the problem.
• However, to inform the client that the response is coming from the cache memory and
not from an authoritative source, the server marks the response as unauthoritative.
• Caching speeds up resolution, but it can also be problematic. If a server caches a
mapping for a long time, it may send an outdated mapping to the client.
• To counter this, two techniques are used. First, the authoritative server always adds
information to the mapping called time to live (TTL). It defines the time in seconds that
the receiving server can cache the information.
• After that time, the mapping is invalid and any query must be sent again to the
authoritative server.
• Second, DNS requires that each server keep a TTL counter for each mapping it caches.
The cache memory must be searched periodically and those mappings with an expired
TTL must be purged.

Resource Records
The zone information associated with a server is implemented as a set of resource records. In
other words, a name server stores a database of resource records. A resource record is a 5-tuple
structure, as shown below:
(Domain Name, Type, Class, TTL, Value)
• The domain name field is what identifies the resource record. The value defines the
information kept about the domain name.
• The TTL defines the number of seconds for which the information is valid.
• The class defines the type of network. The type defines how the value should be
interpreted. Below table lists the common types and how the value is interpreted for
each type.
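The caching behaviour and the 5-tuple resource record, as an added Python example (not code from the notes). The RRCache class, the upstream_lookup stand-in and its address 192.0.2.10 are constructed; FakeClock replaces the system clock so TTL expiry can be shown deterministically.

```python
import time
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class ResourceRecord:
    """The 5-tuple from the notes: (Domain Name, Type, Class, TTL, Value)."""
    name: str
    rtype: str    # how to interpret value, e.g. "A" for an IPv4 address
    rclass: str   # network type; "IN" for the Internet
    ttl: int      # seconds the receiving server may cache the record
    value: str

Key = Tuple[str, str, str]

class RRCache:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self._store: Dict[Key, Tuple[ResourceRecord, float]] = {}

    @staticmethod
    def key(name: str, rtype: str, rclass: str) -> Key:
        return (name.lower(), rtype, rclass)   # names compare case-insensitively

    def store(self, rr: ResourceRecord) -> None:
        # Record when the TTL runs out: the notes' per-mapping TTL counter.
        self._store[self.key(rr.name, rr.rtype, rr.rclass)] = (rr, self.clock() + rr.ttl)

    def lookup(self, name: str, rtype: str, rclass: str = "IN") -> Optional[ResourceRecord]:
        """Cached record with its remaining TTL, or None if absent or expired."""
        k = self.key(name, rtype, rclass)
        entry = self._store.get(k)
        if entry is None:
            return None
        rr, expires = entry
        remaining = expires - self.clock()
        if remaining <= 0:
            del self._store[k]          # expired: the authoritative server must be asked again
            return None
        return replace(rr, ttl=int(remaining))

    def purge_expired(self) -> int:
        """The periodic sweep the notes require; returns how many mappings were dropped."""
        now = self.clock()
        dead = [k for k, (_, exp) in self._store.items() if exp <= now]
        for k in dead:
            del self._store[k]
        return len(dead)

def answer(cache: RRCache, upstream: Callable[[str, str, str], ResourceRecord],
           name: str, rtype: str = "A", rclass: str = "IN") -> Tuple[ResourceRecord, bool]:
    """Return (record, authoritative). A cache hit is marked unauthoritative;
    otherwise the upstream (assumed callable) is asked and its answer cached."""
    hit = cache.lookup(name, rtype, rclass)
    if hit is not None:
        return hit, False
    rr = upstream(name, rtype, rclass)
    cache.store(rr)
    return rr, True

class FakeClock:
    """Deterministic clock for the demonstration, instead of time.monotonic."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

# Constructed authoritative data standing in for the upstream server.
UPSTREAM_QUERIES = [0]
def upstream_lookup(name: str, rtype: str, rclass: str) -> ResourceRecord:
    UPSTREAM_QUERIES[0] += 1
    return ResourceRecord(name, rtype, rclass, 60, "192.0.2.10")
```

A cached answer is handed out with the TTL counted down, so a client that caches it again cannot keep the mapping longer than the authoritative server allowed.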

DNS Messages
To retrieve information about hosts, DNS uses two types of messages: query and response.
Both types have the same format as shown below.
• The identification field is used by the client to match the response with the query. The
flag field defines whether the message is a query or a response. It also carries the error
status.
• The next four fields in the header define the number of each record type in the message.
The question section consists of one or more question records. It is present in both query
and response messages.
• The answer section consists of one or more resource records. It is present only in
response messages. The authoritative section gives information (domain name) about
one or more authoritative servers for the query.
• The additional information section provides additional information that may help the
resolver.

Encapsulation
DNS can use either UDP or TCP. In both cases the well-known port used by the server is port
53. UDP is used when the size of the response message is less than 512 bytes because most
UDP packages have a 512-byte packet size limit.
If the size of the response message is more than 512 bytes, a TCP connection is used. In that
case, one of two scenarios can occur:
1. If the resolver has prior knowledge that the size of the response message is more than
512 bytes, it uses the TCP connection. For example, if a secondary name server (acting
as a client) needs a zone transfer from a primary server, it uses the TCP connection
because the size of the information being transferred usually exceeds 512 bytes.
2. If the resolver does not know the size of the response message, it can use the UDP port.
However, if the size of the response message is more than 512 bytes, the server truncates
the message and turns on the TC bit. The resolver now opens a TCP connection and
repeats the request to get a full response from the server.
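An added example (not from the notes) that builds and parses the query and response messages described in the DNS Messages section and then applies the encapsulation rule above: the server sends over UDP only what fits in 512 bytes, setting TC otherwise, and the client repeats the request over TCP. The byte layout follows RFC 1035, the two-byte length prefix used over TCP comes from the same RFC, and make_server is a constructed stand-in for a remote server.

```python
import struct
from typing import Callable, Dict, List, Tuple

# Wire layout follows RFC 1035; the notes describe the same header and sections
# (identification, flags, four counts, question, answer, ...) in prose.
QR, AA, TC, RD = 0x8000, 0x0400, 0x0200, 0x0100   # flag bits used here
TYPE_A, CLASS_IN = 1, 1
UDP_LIMIT = 512                                   # from the notes: larger replies use TCP

def encode_name(fqdn: str) -> bytes:
    labels = fqdn.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"                            # the root's null label ends the name

def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_query(ident: int, qname: str) -> bytes:
    header = struct.pack(">HHHHHH", ident, RD, 1, 0, 0, 0)    # one question, no answers
    return header + encode_name(qname) + struct.pack(">HH", TYPE_A, CLASS_IN)

def question_section(msg: bytes) -> bytes:
    _, end = decode_name(msg, 12)
    return msg[12:end + 4]                          # name + QTYPE + QCLASS

def build_response(query: bytes, addrs: List[str], ttl: int = 60) -> bytes:
    """Authoritative answer to `query` carrying one A record per address."""
    ident, flags = struct.unpack(">HH", query[:4])
    qname, _ = decode_name(query, 12)
    answers = b""
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        answers += encode_name(qname) + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", ident, QR | AA | (flags & RD), 1, len(addrs), 0, 0)
    return header + question_section(query) + answers

def parse_response(resp: bytes) -> Dict[str, object]:
    ident, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question(s)
        _, off = decode_name(resp, off)
        off += 4
    addrs: List[str] = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN:
            addrs.append(".".join(str(b) for b in rdata))
    return {"id": ident, "truncated": bool(flags & TC),
            "authoritative": bool(flags & AA), "answers": addrs}

def id_matches(query: bytes, response: bytes) -> bool:
    """The client keeps only replies whose identification equals its query's."""
    return query[:2] == response[:2]

def serve_udp(response: bytes) -> bytes:
    """Server side over UDP: send the whole message if it fits, otherwise only
    the header and question with TC set and the record counts zeroed."""
    if len(response) <= UDP_LIMIT:
        return response
    ident, flags, qd = struct.unpack(">HHH", response[:6])
    return struct.pack(">HHHHHH", ident, flags | TC, qd, 0, 0, 0) + question_section(response)

def tcp_frame(msg: bytes) -> bytes:
    return struct.pack(">H", len(msg)) + msg         # TCP prefixes a 2-byte length (RFC 1035 4.2.2)

def make_server(addrs: List[str]) -> Callable[[bytes], bytes]:
    """Constructed stand-in for a remote authoritative server."""
    return lambda query: build_response(query, addrs)

def resolve(ident: int, qname: str, server: Callable[[bytes], bytes]) -> Tuple[Dict[str, object], str]:
    """Scenario 2 from the notes: try UDP first; if the reply is truncated,
    repeat the request over TCP and read the full response."""
    query = build_query(ident, qname)
    udp_reply = serve_udp(server(query))
    if not id_matches(query, udp_reply):
        raise ValueError("response does not match the query identification")
    parsed = parse_response(udp_reply)
    if not parsed["truncated"]:
        return parsed, "udp"
    framed = tcp_frame(server(query))
    (length,) = struct.unpack(">H", framed[:2])
    return parse_response(framed[2:2 + length]), "tcp"
```

With one A record the whole reply (88 bytes) fits in a UDP datagram; with eleven records it reaches 518 bytes, so the UDP reply comes back with TC set and no answers, and the client fetches the full message over TCP.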

Registrars
New domains are added to DNS through a registrar, a commercial entity accredited by ICANN. A
registrar first verifies that the requested domain name is unique and then enters it into the DNS
database. A fee is charged. Today, there are many registrars; their names and addresses can be
found at
http://www.internic.net
To register, the organization needs to give the name of its server and the IP address of the server.

DDNS
• In DNS, when there is a change, such as adding a new host, removing a host, or
changing an IP address, the change must be made to the DNS master file.
• These types of changes involve a lot of manual updating. The size of today’s Internet
does not allow for this kind of manual operation.
• The DNS master file must be updated dynamically.
• The Dynamic Domain Name System (DDNS) therefore was devised to respond to this
need. The information is sent, usually by DHCP, to a primary DNS server. The primary
server updates the zone.
• The secondary servers are notified either actively or passively. In active notification,
the primary server sends a message to the secondary servers about the change in the
zone, whereas in passive notification, the secondary servers periodically check for any
changes.
• In either case, after being notified about the change, the secondary server requests
information about the entire zone (called the zone transfer).
• To provide security and prevent unauthorized changes in the DNS records, DDNS can
use an authentication mechanism.
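A small added model (not from the notes) of the primary/secondary relationship from the Primary and Secondary Servers section together with the DDNS update, notification and zone transfer steps above. PrimaryServer, SecondaryServer and the zone names are constructed; the update tag is a shared-key HMAC modelled on TSIG, an assumption about the "authentication mechanism" the text mentions.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Zone = Dict[str, str]   # domain name -> IP address; the notes' zone file

def update_tag(key: bytes, name: str, ip: str) -> bytes:
    """Keyed MAC over the update, computed by the updater (e.g. a DHCP server).
    Modelled on TSIG's shared-key HMAC; the notes only say an authentication
    mechanism may be used, so this is an assumption."""
    return hmac.new(key, f"{name}={ip}".encode(), hashlib.sha256).digest()

class PrimaryServer:
    """Creates, maintains and updates the zone file; the only server that may change it."""
    def __init__(self, zone: Zone, update_key: bytes) -> None:
        self.zone: Zone = dict(zone)
        self.key = update_key
        self.version = 0                       # bumped on every change
        self.secondaries: List["SecondaryServer"] = []

    def dynamic_update(self, name: str, ip: str, tag: bytes) -> bool:
        """DDNS update; refused unless the tag proves knowledge of the shared key."""
        if not hmac.compare_digest(update_tag(self.key, name, ip), tag):
            return False
        self.zone[name] = ip
        self.version += 1
        for s in self.secondaries:
            s.notify(self.version)             # active notification
        return True

    def zone_transfer(self) -> Tuple[int, Zone]:
        """Hand over the entire zone (the notes' zone transfer)."""
        return self.version, dict(self.zone)

class SecondaryServer:
    """Copies the zone from the primary; never edits it itself."""
    def __init__(self, primary: PrimaryServer, active: bool = True) -> None:
        self.primary = primary
        self.active = active                   # False: learns of changes only by polling
        self.version, self.zone = primary.zone_transfer()
        self.transfers = 1
        primary.secondaries.append(self)

    def _transfer(self) -> None:
        self.version, self.zone = self.primary.zone_transfer()
        self.transfers += 1

    def notify(self, new_version: int) -> None:
        if self.active and new_version != self.version:
            self._transfer()

    def poll(self) -> bool:
        """Passive notification: periodically check the primary for a change.
        Returns True if a zone transfer was needed."""
        if self.primary.version != self.version:
            self._transfer()
            return True
        return False
```

The secondary has no method that edits the zone: every change enters through the primary's authenticated update and reaches the secondaries only by a complete zone transfer, whether the primary pushed a notification or the secondary polled for it.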

Security of DNS
Applications such as Web access or e-mail are heavily dependent on the proper operation of
DNS. DNS can be attacked in several ways including:
1. The attacker may read the response of a DNS server to find the nature or names of sites
the user mostly accesses. This type of information can be used to find the user’s profile.
To prevent this attack, DNS messages need to be confidential.
2. The attacker may intercept the response of a DNS server and change it or create a totally
new bogus response to direct the user to the site or domain the attacker wishes the user
to access. This type of attack can be prevented using message origin authentication and
message integrity.
3. The attacker may flood the DNS server to overwhelm it or eventually crash it. This type
of attack can be prevented using the provision against denial-of-service attack.
To protect DNS, IETF has devised a technology named DNS Security (DNSSEC) that provides
message origin authentication and message integrity using a security service called digital
signature. DNSSEC, however, does not provide confidentiality for the DNS messages. There
is no specific protection against the denial-of-service attack in the specification of DNSSEC.
However, the caching system protects the upper-level servers against this attack to some extent.
