Network Layer Functions, IPv4, Switching, NAT, ARP, RARP, DHCP, and More
Network Layer Functions
The network layer is the lowest layer in the OSI model that is concerned with actually getting data from one computer to another, even when the destination is on a remote network. In contrast, the data link layer only moves frames between devices that share the same physical link or local network.
- Logical Addressing: Every device that communicates over a network has a logical address, sometimes called a layer three address. For example, Internet Protocol (IP) is the network layer protocol, and every machine has an IP address.
- Routing: Moving data across a series of interconnected networks is probably the defining function of the network layer.
- Datagram Encapsulation: The network layer normally encapsulates messages received from higher layers by placing them into datagrams with a network layer header.
- Fragmentation and Reassembly: The network layer hands datagrams to the data link layer for transmission, and some data link technologies limit the size of a frame (the MTU). A datagram larger than the MTU is split into fragments, each carrying a copy of the header with the Identification field, the MF flag and the Fragment Offset set so that the destination host can reassemble the original datagram.
- Error Handling and Diagnostics: Special protocols at the network layer (ICMP in the Internet) let devices that are logically connected, or that are trying to route traffic, exchange information about the status of hosts or of the devices themselves, for example that a destination is unreachable or that a TTL expired in transit.
IPv4 Header Format
Packets in the IPv4 layer are called datagrams. A datagram is a variable-length packet consisting of two parts: header and data.
- VER: The IP protocol version (4 for IPv4).
- HLEN (IHL): The length of the header in 32-bit words, so a header with no options has HLEN = 5 (20 bytes); the data field is not counted.
- Service Type: Originally Type of Service, now the DSCP and ECN bits; a hint about the handling requested for this datagram (priority, low delay, high throughput).
- Total Length: The total length of the datagram, header and data, in octets.
- Identification: A number chosen by the sender; every fragment of one datagram carries the same value so that the receiver can group the fragments for reassembly.
- Flags: Three control bits. The first is reserved and must be zero; the second is DF (Don't Fragment), 1 forbids fragmentation, in which case a router that cannot forward the datagram whole drops it and reports the fact via ICMP; the third is MF (More Fragments), 1 means further fragments follow and 0 marks the last (or only) fragment.
- Fragment Offset: The position of this fragment's data within the original datagram, counted in 64-bit (8-byte) units with header bytes not included. The field is 13 bits wide, which is why fragment boundaries always fall on multiples of 8 bytes.
- TTL (Time To Live): Defined as the time in seconds the datagram may travel, but in practice a hop count: every router decrements it by at least one and discards the datagram when it reaches zero, sending an ICMP Time Exceeded message back to the source. This bounds the damage done by routing loops and is the mechanism traceroute relies on.
- Protocol: Which transport protocol the data field carries (1 = ICMP, 6 = TCP, 17 = UDP).
- Header Checksum: A ones'-complement checksum over the header only. It is recomputed at every hop because the TTL changes, and a datagram whose checksum does not verify is discarded. It gives no protection to the data.
- Source and Destination Address: 32-bit IPv4 addresses. Options, if any, follow and are padded so that the header ends on a 32-bit boundary.
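The header layout above, turned into working code. This is an added example, not code from the original page: it packs a 20-byte header from constructed addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24), verifies the ones'-complement checksum before trusting any field, exposes the flag bits and the 8-byte fragment offset unit, and shows what a router does to the TTL at each hop. The length sanity checks are the part a practitioner cares about: a header that claims IHL < 20 or a total length shorter than the header is exactly what crashes careless parsers.

```python
import struct

IPV4_FIXED = "!BBHHHBBH4s4s"   # the 20-byte header without options

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words, complemented.
    A header whose checksum field is already correct sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len, ttl=64, proto=17, ident=0x1234,
                      df=False, mf=False, frag_offset=0):
    """Construct a 20-byte IPv4 header; frag_offset is in bytes (multiple of 8)."""
    ver_ihl = (4 << 4) | 5                      # version 4, IHL = 5 words = 20 bytes
    flags = (int(df) << 1) | int(mf)            # reserved bit, DF, MF (MSB first)
    flags_frag = (flags << 13) | (frag_offset // 8)
    hdr = struct.pack(IPV4_FIXED, ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode and validate the fixed header; raise ValueError on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(IPV4_FIXED, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("inconsistent length fields")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    flags = flags_frag >> 13
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def forward_hop(pkt: bytes) -> bytes:
    """What each router does: decrement TTL, discard at zero, refresh the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[8] <= 1:
        raise ValueError("TTL exceeded: drop and send ICMP Time Exceeded")
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]
```

Note that the checksum is verified over `pkt[:ihl]`, not over the payload: corrupting a single TTL bit is caught, but nothing here protects the data, which is why TCP and UDP carry their own checksums.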
Circuit, Packet, and Message Switching
Circuit Switching | Packet Switching | Message Switching |
---|---|---|
A dedicated physical path is set up between transmitter and receiver. | No physical path is established between transmitter and receiver. | No physical path is set up in advance between transmitter and receiver. |
All data follows the same path. | Each packet travels independently and may take a different route. | Whole messages are stored and forwarded hop by hop. |
Needs an end-to-end path before data transmission. | No end-to-end path is needed before data transmission. | Same as packet switching. |
Reserves the entire bandwidth in advance. | Does not reserve bandwidth in advance. | Same as packet switching. |
Charge is based on distance and time, not on traffic. | Charge is based on the number of bytes and connection time. | Charge is based on the number of bytes and distance. |
Bandwidth is wasted while the circuit sits idle. | No bandwidth is wasted. | No bandwidth is wasted. |
Congestion can occur only at connection setup time. | Congestion can occur for every packet. | Little or no congestion, since a message waits in storage at a node rather than being dropped. |
Cannot support store-and-forward transmission. | Supports store-and-forward transmission. | Supports store-and-forward transmission. |
Not well suited to bursty interactive traffic (the circuit idles between exchanges). | Suitable for interactive traffic. | Not suitable for interactive traffic (a whole message is stored before it is forwarded). |
A packet is never stored (recorded) inside the network. | Packets can be stored at intermediate nodes. | Same as packet switching. |
Network Address Translation (NAT)
Within the company, every machine has a private address of the form 10.X.Y.Z. When a packet leaves the company premises it passes through the NAT box, which converts the internal source address (10.0.0.1 in the classic example) to the company's single true, globally routable IP address. The NAT box is often combined with a firewall in one device, or integrated into the company router. Whenever an outgoing packet enters the NAT box, the 10.X.Y.Z source address is replaced by the company's true IP address, and the TCP (or UDP) source port is replaced by an index into the NAT box's translation table, which has 65,536 entries because the port field is 16 bits wide. The table entry records the original internal IP address and the original source port. Finally, both the IP header checksum and the TCP checksum are recomputed and inserted into the packet. When a reply arrives from the Internet, the NAT box uses the destination port as the index, restores the internal address and port from the table, fixes the checksums again and forwards the packet inside. This works because a process that wants to establish a TCP connection first attaches itself to an unused TCP port on its own machine and supplies a destination port naming the process on the remote side; the port pair is what lets the NAT box tell connections apart. Two consequences matter for security. A packet arriving from outside with no matching table entry has nowhere to go and is dropped, so internal machines cannot be reached from the Internet unless a mapping is configured explicitly. And because the NAT box must read and rewrite the transport header, it breaks protocols that carry IP addresses inside the payload (FTP is the classic example) unless it understands them.
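The translation described above as a small simulation. This is an added example, not the page's own code: the public address 203.0.113.5 and the index range starting at 1024 are assumptions, the checksum recomputation is left out (see the IPv4 header example for how it is done), and the point it demonstrates is that two internal hosts using the same source port get distinct table entries, replies are mapped back through that table, and an inbound packet with no entry is simply dropped.

```python
import itertools
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"   # assumed: the NAT box's one globally routable address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatBox:
    """Port-based NAT: one public address, a table indexed by the rewritten
    source port. The 16-bit port field bounds the table at 65,536 entries."""

    def __init__(self, public_ip=PUBLIC_IP, first_index=1024):
        self.public_ip = public_ip
        self.table = {}     # index (outside port) -> (inside IP, inside port)
        self.reverse = {}   # (inside IP, inside port) -> index
        self.indices = itertools.count(first_index)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the 10/8 network; reuse an existing mapping."""
        if not pkt.src_ip.startswith("10."):
            raise ValueError("source is not an internal address")
        key = (pkt.src_ip, pkt.src_port)
        idx = self.reverse.get(key)
        if idx is None:
            idx = next(self.indices)
            if idx > 65535:
                raise RuntimeError("translation table exhausted (16-bit port field)")
            self.table[idx] = key
            self.reverse[key] = idx
        return replace(pkt, src_ip=self.public_ip, src_port=idx)

    def inbound(self, pkt: Packet):
        """Undo the rewrite for a reply; anything without a table entry is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None          # unsolicited inbound packet: nobody to deliver it to
        in_ip, in_port = entry
        return replace(pkt, dst_ip=in_ip, dst_port=in_port)
```

A real NAT box also ages entries out of the table when a connection closes or goes idle, otherwise the 65,536 indices would eventually run out; that timer is what makes long-idle connections through home routers die silently.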
Network Layer ARP
The Address Resolution Protocol (ARP) maps an IP address (logical address) to a MAC address (physical address) to enable communication over a physical network. The process works as follows:
- Resolution Need: When a host or router needs to send an IP packet to another device on the same network, it knows the destination’s IP address but requires its MAC address to encapsulate the packet in a frame for transmission.
- ARP Request: The sender broadcasts an ARP request on the network. This request includes the sender’s IP and MAC address and the target device’s IP address.
- ARP Response: The device with the matching IP address responds with an ARP reply, providing its MAC address directly to the sender.
- Caching for Efficiency: To avoid repeated requests, ARP caches recently resolved IP-to-MAC address mappings in memory. These cached entries are used for subsequent communications until they expire.
By dynamically resolving IP addresses to physical addresses, ARP allows seamless communication between devices on the same physical network. It has no authentication: a host accepts whatever reply names the address it asked about, and most implementations also update their cache from replies they never requested, so cache entries can be overwritten by any machine on the same segment. Static entries or switch-level inspection are the usual defences.
RARP
A diskless machine has nowhere to store an IP address and knows only its own hardware (MAC) address, so it uses a TCP/IP protocol called RARP (Reverse ARP) to obtain its IP address from a server. RARP uses the same message format as ARP, distinguished only by the opcode (3 for a RARP request and 4 for a reply, against 1 and 2 for ARP), and works over several physical network types. The RARP message is sent from one computer to another encapsulated in the data portion of a network frame.
RARP performs the following steps to obtain an IP address from the server:
a) The sender broadcasts the RARP request to all the other hosts on the network.
b) The RARP request packet contains the physical address of the sender in both the sender and target hardware address fields.
c) All hosts receiving the RARP request process it, but only a host authorized to provide the RARP service, which holds a table of hardware-to-IP bindings, responds. Such hosts are known as RARP servers.
d) The RARP server replies directly to the requesting host with a RARP response packet that contains the IP address for the sender. RARP thus translates unique hardware addresses into Internet addresses, the reverse of what ARP does. Because a RARP server must sit on every broadcast domain and hands out nothing but an address, RARP was superseded by BOOTP and then DHCP.
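Both exchanges above, the ARP resolution with its cache and the RARP boot request, use one 28-byte message format that differs only in the opcode, so one example serves both sections. This is an added example, not code from the page: the MAC addresses, the 192.168.1.0/24 addresses and the 60-second cache lifetime are constructed, and `Host` is a hypothetical class that plays a normal host, a diskless client, or a RARP server depending on how it is built.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
OPS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ZERO_MAC, ZERO_IP = "00:00:00:00:00:00", "0.0.0.0"

def mac_bytes(m): return bytes.fromhex(m.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(a): return bytes(int(x) for x in a.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build(op, sha, spa, tha, tpa) -> bytes:
    """Ethernet (htype 1) over IPv4 (ptype 0x0800) with 6-byte and 4-byte addresses."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse(msg: bytes) -> dict:
    if len(msg) < 28:
        raise ValueError("short ARP/RARP message")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, msg[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in OPS:
        raise ValueError("unsupported hardware/protocol type or opcode")
    return {"op": op, "kind": OPS[op], "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

class Host:
    def __init__(self, mac, ip=None, rarp_table=None, cache_ttl=60):
        self.mac, self.ip = mac, ip            # ip is None for a diskless machine
        self.rarp_table = rarp_table or {}     # MAC -> IP; populated only on a RARP server
        self.cache, self.cache_ttl = {}, cache_ttl   # IP -> (MAC, expiry time)

    def resolve(self, ip, now):
        """Return (MAC, None) on a cache hit, else (None, request to broadcast)."""
        hit = self.cache.get(ip)
        if hit and hit[1] > now:
            return hit[0], None
        # The frame carrying this goes to ff:ff:ff:ff:ff:ff; the target MAC is unknown.
        return None, build(1, self.mac, self.ip or ZERO_IP, ZERO_MAC, ip)

    def rarp_request(self):
        """Diskless boot: ask who knows the IP address for my own MAC."""
        return build(3, self.mac, ZERO_IP, self.mac, ZERO_IP)

    def receive(self, msg, now):
        """Handle one message; return a reply to send, or None."""
        m = parse(msg)
        if m["op"] == 1 and m["tpa"] == self.ip:            # someone asks for my MAC
            self.cache[m["spa"]] = (m["sha"], now + self.cache_ttl)  # learn the asker too
            return build(2, self.mac, self.ip, m["sha"], m["spa"])
        if m["op"] == 2 and m["tha"] == self.mac:           # answer to my request
            self.cache[m["spa"]] = (m["sha"], now + self.cache_ttl)  # no authentication
        if m["op"] == 3 and m["tha"] in self.rarp_table:    # I am a RARP server
            return build(4, self.mac, self.ip, m["tha"], self.rarp_table[m["tha"]])
        if m["op"] == 4 and m["tha"] == self.mac and self.ip is None:
            self.ip = m["tpa"]                              # address assigned at boot
        return None
```

The line marked `no authentication` is the whole ARP security story: nothing in the reply proves that the sender owns the address it claims, so the cache trusts whoever answers first.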
Distance Vector Routing
The distance vector routing algorithm is a dynamic routing algorithm, designed mainly for small network topologies. It is also known as the distributed Bellman-Ford routing algorithm or the Ford-Fulkerson algorithm. The term distance vector derives from the fact that each router's routing updates carry a vector of distances, such as hop counts or delays, to every destination. In this algorithm, each router maintains a routing table indexed by, and containing one entry for, each router in the subnet. Each entry contains two parts:
a. The preferred outgoing line to use for that destination.
b. An estimate of the time or distance to that destination.
The metric used might be the number of hops, the time delay in milliseconds, the total number of packets queued along the path, and so on. Assume that delay is used as the metric and that each router knows the delay to each of its neighbours. Nodes exchange information only with their neighbouring nodes, that is, with nodes on the same local network. A router receives from each neighbour that neighbour's vector of estimated delays to every destination; adding its own measured delay to that neighbour gives an estimate of the delay to each destination via that neighbour. By performing this calculation for every neighbour, the router finds which estimate is best and uses that estimate and the corresponding line in its new routing table. The old routing table is not used in the calculation. Because a router trusts its neighbours' estimates without knowing the paths behind them, good news (a new link) propagates quickly but bad news (a failed link) propagates slowly: estimates creep upward a step per exchange, the count-to-infinity problem, which is why protocols such as RIP cap the metric at a small value (16 hops) and treat anything larger as unreachable.
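The update rule above, run on a constructed four-router topology. This is an added example rather than code from the page: `dv_update` recomputes one router's table from scratch from its neighbours' vectors (the old table is not consulted, exactly as described), and `exchange_rounds` runs synchronous exchanges until nothing changes. It goes one step beyond the text by then cutting a link and showing the count-to-infinity behaviour: the estimate for the unreachable router keeps growing instead of jumping to infinity.

```python
INF = float("inf")

def dv_update(router, link_delay, neighbor_vectors, nodes):
    """Recompute `router`'s table from scratch from its neighbours' vectors.
    link_delay:       {neighbour: measured delay to it}
    neighbor_vectors: {neighbour: {destination: that neighbour's estimate}}
    Returns {destination: (estimate, next hop)}."""
    table = {}
    for dest in nodes:
        if dest == router:
            table[dest] = (0, None)
            continue
        best = (INF, None)
        for nbr, delay in link_delay.items():
            est = delay + neighbor_vectors[nbr].get(dest, INF)
            if est < best[0]:
                best = (est, nbr)
        table[dest] = best
    return table

def exchange_rounds(links, tables=None, max_rounds=50):
    """Synchronous rounds: every router sends its vector, every router updates.
    links: {(a, b): delay}, undirected. Returns (tables, rounds that changed something)."""
    nodes = sorted({n for edge in links for n in edge} | set(tables or {}))
    adj = {n: {} for n in nodes}
    for (a, b), d in links.items():
        adj[a][b] = d
        adj[b][a] = d
    if tables is None:   # cold start: each router knows only itself
        tables = {n: {m: (0 if m == n else INF, None) for m in nodes} for n in nodes}
    for rnd in range(1, max_rounds + 1):
        vectors = {n: {m: tables[n][m][0] for m in nodes} for n in nodes}
        new = {n: dv_update(n, adj[n], {k: vectors[k] for k in adj[n]}, nodes)
               for n in nodes}
        if new == tables:
            return tables, rnd - 1
        tables = new
    return tables, max_rounds   # never stabilised within the limit
```

With links A-B 1, B-C 2, A-C 5 and C-D 1 the tables converge in three exchanges and A reaches D via B with delay 4. Removing C-D and continuing from the converged tables, A's estimate for D climbs 4, 6, 8 and so on, one step per round, because B and A keep quoting each other's stale numbers; nothing in the algorithm can tell them that D is gone.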
UDP
UDP is a simple, datagram-oriented transport protocol that applications use instead of TCP when they do not need a connection, delivery guarantees, ordering or flow control, or cannot afford TCP's setup and retransmission delay (DNS queries, real-time media, DHCP). UDP is connectionless and provides no reliability, flow control or error recovery: a datagram that is lost, duplicated or delivered out of order is the application's problem. The UDP header is 8 bytes: a source port, a destination port, a length and a checksum. The source port identifies the sending application process; the destination port identifies the receiving process on the destination host. The length field is the length of the UDP header plus the UDP data in bytes, so its minimum value is 8. The checksum covers the header, the data and a pseudo-header containing the IP addresses; it is optional in IPv4 (zero means absent) and mandatory in IPv6. Because there is no handshake, nothing verifies the source address of a UDP datagram, which is what makes UDP services usable for spoofed-source reflection.
TCP vs UDP
TCP | UDP |
---|---|
TCP is connection-oriented: a three-way handshake precedes any data. | UDP is connectionless: a datagram can be sent at any time without setup. |
TCP delivers a byte stream; message boundaries are not preserved. | UDP is message-oriented; each send is one datagram and boundaries are preserved. |
TCP does not support multicasting or broadcasting. | UDP supports broadcasting and multicasting. |
It provides error control, retransmission and flow control. | It provides neither flow control nor error recovery; only an optional checksum. |
TCP provides a full-duplex connection between the two ends. | UDP has no connection at all; datagrams in either direction are independent. |
TCP is reliable and delivers data in order. | UDP is unreliable; datagrams may be lost, duplicated or reordered. |
A TCP packet is called a segment. | A UDP packet is called a user datagram. |
Header is at least 20 bytes. | Header is a fixed 8 bytes. |
SCTP
Stream Control Transmission Protocol (SCTP) is a transport layer protocol serving a role similar to TCP and UDP. It is a reliable protocol operating on top of a potentially unreliable connectionless packet service such as IP, and offers acknowledged, error-free, non-duplicated transfer of datagrams (messages). Data corruption, loss and duplication are detected using checksums and sequence numbers, and a selective retransmission mechanism corrects loss or corruption. SCTP combines features of both TCP and UDP: it provides reliable, in-sequence transport with congestion control like TCP, but preserves message boundaries like UDP. It adds two things neither has: multi-streaming, where independent streams within one association do not block each other when a packet is lost, and multi-homing, where an endpoint can be reached over several IP addresses for fault tolerance. Its four-way association setup with a signed cookie was designed so that a server commits no state until the client proves it can receive, which is SCTP's answer to TCP's SYN flooding.
Request Reply Message Format
HTTP (Hypertext Transfer Protocol) is a client-server protocol used for transmitting data over the internet. In a typical HTTP communication, a client sends an HTTP request message to a server, and the server sends back an HTTP response message. An HTTP request message consists of the following components:
- Request Line: The first line of the request message, which includes the method, the request URI (target), and the HTTP version, separated by single spaces.
- Method: Indicates the request method, such as GET, POST, PUT, DELETE, etc.
- Request URI: Indicates the resource the client wishes to access, such as a webpage or image.
- HTTP Version: Indicates the version of the HTTP protocol being used, for example HTTP/1.1.
- Request Headers: Additional information about the request, one `Name: value` pair per line, such as the host being addressed (Host), the type of content accepted, the format and length of the request body (Content-Type, Content-Length), and the origin of the request. The header block ends with an empty line (CRLF CRLF).
- Request Body: An optional field that contains additional data sent by the client, such as form data or a JSON payload.
An HTTP response message consists of the following components:
- Status Line: The first line of the response message, which includes the HTTP version, status code, and reason phrase.
- HTTP Version: Indicates the version of the HTTP protocol being used.
- Status Code: A three-digit number indicating the result of the request, such as 200 for success, 404 for not found, etc.
- Reason Phrase: A short, human-readable text describing the status code; clients should act on the code, not the phrase.
- Response Headers: Additional information about the response, such as the type and length of the content being sent (Content-Type, Content-Length) and the server that handled the request. As in the request, the header block ends with an empty line.
- Response Body: Contains the data returned by the server, such as the requested webpage or image.
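A parser for the request and response formats just described, as an added example that is not part of the original page. The sample messages are constructed. It is deliberately strict where the standard tells parsers to be strict: a bare LF instead of CRLF, whitespace between a header name and its colon, a non-numeric Content-Length, or a body shorter than Content-Length are all rejected instead of guessed at, since disagreements between two parsers about those cases are what request-smuggling attacks exploit.

```python
def parse_http_message(raw: bytes) -> dict:
    """Split an HTTP/1.x request or response into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (CRLF CRLF) found")
    lines = head.decode("iso-8859-1").split("\r\n")
    if any("\n" in line for line in lines):
        raise ValueError("bare LF inside the header block")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.lower()] = value.strip()          # names are case-insensitive
    if parts[0].startswith("HTTP/"):                   # status line: version code reason
        if not (parts[1].isdigit() and len(parts[1]) == 3):
            raise ValueError("bad status code: %r" % parts[1])
        msg = {"type": "response", "version": parts[0],
               "status": int(parts[1]), "reason": parts[2]}
    else:                                              # request line: method target version
        if not parts[2].startswith("HTTP/"):
            raise ValueError("bad request line: %r" % lines[0])
        msg = {"type": "request", "method": parts[0],
               "target": parts[1], "version": parts[2]}
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError("non-numeric Content-Length")
        if len(body) < int(length):
            raise ValueError("body shorter than Content-Length")
        body = body[:int(length)]                      # anything beyond is the next message
    msg["headers"], msg["body"] = headers, body
    return msg


def build_request(method, target, headers, body=b"", version="HTTP/1.1") -> bytes:
    """Serialise a request; Content-Length is added whenever there is a body."""
    lines = ["%s %s %s" % (method, target, version)]
    lines += ["%s: %s" % (k, v) for k, v in headers.items()]
    if body:
        lines.append("Content-Length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body
```

The truncation to Content-Length at the end is not cosmetic: on a persistent connection the bytes after the declared body are the start of the next request, so a parser that swallows them changes which request a proxy and a backend think they are looking at.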
Sockets
There are three main types of sockets:
- Stream Sockets (TCP)
- Datagram Sockets (UDP)
- Raw Sockets
- Stream Sockets, also known as TCP sockets, provide a reliable, stream-oriented connection. Data is read and written as a continuous stream of bytes, so a single send may arrive as several reads and vice versa; the application must frame its own messages. This type of socket is used for most common application protocols, such as HTTP and FTP.
- Datagram Sockets, also known as UDP sockets, provide a connectionless, datagram-oriented service. Data is read and written as discrete packets, each read returning exactly one datagram, and there is no guarantee that packets will arrive at all, arrive once, or arrive in the order they were sent. This type of socket is used by protocols that do not need the reliability of stream sockets, such as DNS and SNMP.
- Raw Sockets bypass transport-layer processing and give the application direct access to the network layer, so it can build its own IP, ICMP or transport headers or read packets before the kernel's protocol handlers see them. They are used for custom protocols and for low-level network tools such as ping and port scanners; because they can forge headers, operating systems restrict them to privileged users.
The following socket primitives are used in a connection-oriented client-server exchange, roughly in the order they are called:
- socket() – Creates a socket of a given family and type.
- bind() – Binds a socket to a specific local address and port (server side).
- listen() – Marks the socket as accepting incoming connections and sets the backlog (server side).
- accept() – Blocks until a client connects and returns a new socket for that connection (server side).
- connect() – Connects to a remote socket (client side); this is where the TCP handshake happens.
- send() / recv() – Transfer data over the connected socket; for datagram sockets sendto() and recvfrom() carry the peer address with each packet.
- close() – Releases the socket and, for TCP, starts the connection teardown.
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is the standard mechanism in TCP/IP networks for transferring files between computers. It addresses differences in text and data representation, file naming conventions, and directory structures across systems, so that a transfer between unlike machines still works.
FTP establishes two separate TCP connections between the client and server: a control connection, opened by the client to server port 21, for commands and responses, and a data connection for transferring files. In the original (active) mode the server opens the data connection from its port 20 back to a port the client announces; in passive mode, which is what works through NAT and firewalls, the client opens the data connection to an ephemeral port the server announces. The separation keeps the control connection simple, with short text commands and numeric replies, while the data connection handles the variety of data types and transfer modes. TCP gives reliable transfer on both. The control connection remains open for the whole session, managing the interaction between client and server, while a data connection is opened for each file transfer or directory listing and closed afterwards. The client is usually described as three components (user interface, control process, data transfer process) and the server as two (control process, data transfer process).
This dual-connection model lets FTP handle transfers between different systems efficiently, and its standard ports and reliable transport made it a widely used protocol for file transfer on the Internet. Its weakness is that the username, password, commands and file contents all travel in cleartext, so anyone on the path can read or alter them; modern deployments use FTPS (FTP over TLS) or SFTP (file transfer over SSH) instead.
Telnet
Telnet stands for TErminaL NETwork and is a general-purpose client-server application program. It enables a user to log in to a remote machine, run applications there, and hold an interactive session on a remote server. It provides a bi-directional, byte-oriented communication facility and a standard interface between terminal devices and terminal-oriented processes.
- Client-Server Model: A Telnet client on the user's machine communicates with a Telnet server on the remote machine.
- Key functions of the client: Interacting with the user's terminal on the local host, and exchanging messages with the Telnet server.
- Connections: TCP is used. Port 23 is reserved for Telnet.
Communication process: the Telnet client connects to TCP port 23 on the host machine. The client sends the user's keystrokes to the server, which passes them to the application running on the host and returns the output to be displayed on the user's terminal. Everything, including the login password, crosses the network in cleartext and the server is not authenticated, which is why Telnet has been replaced by SSH for remote login and survives mainly as a quick way to talk to a raw TCP port by hand.
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) was designed to overcome the limitations of the Bootstrap Protocol (BOOTP), a static configuration protocol in which each physical address is bound to an IP address by hand. BOOTP cannot adapt to machines joining, leaving or moving, so every change needs administrator intervention. DHCP automates the process: a computer that joins the network obtains an IP address (plus subnet mask, default router and DNS server) without administrative effort, which is what makes plug-and-play networking possible. The exchange runs over UDP, with the client broadcasting from port 68 to server port 67: DHCPDISCOVER from the client, DHCPOFFER from any server that can serve it, DHCPREQUEST from the client naming the offer it accepts, and DHCPACK from the chosen server confirming the lease. DHCP supports two kinds of address allocation:
- Static Address Allocation: IP addresses are assigned manually and stored in a static database, keyed by the client's hardware address. DHCP remains backward compatible with BOOTP for this static binding.
- Dynamic Address Allocation: DHCP maintains a pool of available IP addresses and assigns temporary addresses from it on demand. Each address is leased for a specified period; before the lease expires the client can renew it, and at any time it can release it or request a new one. Expired leases return to the pool.
Nothing in the basic exchange authenticates the server, so any machine on the segment that answers a DISCOVER first can hand out an address and, more importantly, a default router and DNS server of its choosing.
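The two allocation modes and the lease lifecycle above, as an added example that is not part of the original page. The four DHCP messages are modelled as method calls on a hypothetical `DhcpServer` class rather than as packets; the address range 192.0.2.10 to 192.0.2.12, the 100-second lease and the client names are constructed. It shows a static binding that never expires, a pool that runs out, renewal, release, and expired leases being reclaimed the next time anyone asks.

```python
import ipaddress

class DhcpServer:
    """Lease management only: DISCOVER/OFFER/REQUEST/ACK become method calls."""

    def __init__(self, first, last, lease_secs, static=None):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.static = dict(static or {})   # MAC -> IP, BOOTP-style manual bindings
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
                     if str(ipaddress.IPv4Address(i)) not in self.static.values()]
        self.lease_secs = lease_secs
        self.leases = {}                   # MAC -> [IP, expiry time]

    def _reclaim(self, now):
        """Expired leases go back into the pool."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.pool.append(ip)

    def discover(self, mac, now):
        """DHCPDISCOVER -> the address a DHCPOFFER would carry, or None if exhausted."""
        self._reclaim(now)
        if mac in self.static:
            return self.static[mac]
        if mac in self.leases:
            return self.leases[mac][0]     # a returning client keeps its address
        return self.pool[0] if self.pool else None

    def request(self, mac, ip, now):
        """DHCPREQUEST -> (ip, expiry) for DHCPACK, or None for DHCPNAK."""
        self._reclaim(now)
        if mac in self.static:             # static binding: no expiry (None)
            return (ip, None) if ip == self.static[mac] else None
        lease = self.leases.get(mac)
        if lease and lease[0] == ip:       # renewal: extend the existing lease
            lease[1] = now + self.lease_secs
            return ip, lease[1]
        if ip in self.pool:                # new lease
            self.pool.remove(ip)
            self.leases[mac] = [ip, now + self.lease_secs]
            return ip, now + self.lease_secs
        return None                        # in use by someone else, or outside the pool

    def release(self, mac, now):
        """DHCPRELEASE: give the address back before the lease ends."""
        self._reclaim(now)
        if mac in self.leases:
            self.pool.append(self.leases.pop(mac)[0])
```

The server trusts the MAC address the client claims, as real DHCP does; a client that cycles through fabricated MAC addresses can drain the pool, which is why switches offer DHCP snooping and per-port rate limits.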
Active vs Passive Attacks
Aspect | Active | Passive |
---|---|---|
Definition | An attack in which the system's resources or data are altered or disrupted. | An attack in which traffic or data is monitored or observed without altering the system. |
Goal | To modify, disrupt, or destroy data or service. | To gather or eavesdrop on information. |
Interaction | Involves direct interaction with the system or network. | No direct interaction; the attacker stays hidden. |
Examples | Modification of messages, replay, masquerade, denial of service. | Release of message contents, traffic analysis. |
Impact | Damages data integrity, availability, or functionality. | Loss of confidentiality only. |
Detection | Easier to detect because of noticeable changes or disruptions. | Hard to detect because nothing visible changes, so the emphasis is on prevention. |
Countermeasures | Integrity protection (MACs, digital signatures), firewalls, intrusion detection systems (IDS), logging. | Encryption in transit (TLS/HTTPS, VPNs) so that observed traffic is useless to the observer. |
Symmetric vs Asymmetric Encryption
Symmetric | Asymmetric |
---|---|
Uses a single secret key for both encryption and decryption. | Uses a key pair: the public key encrypts (or verifies a signature), the private key decrypts (or signs). |
Hard to share securely: the same key must reach both sender and receiver over a trusted channel. | The public key can be distributed openly and only the private key must be kept secret, though the public key's authenticity still has to be verified (certificates). |
Fast: built from simple operations (substitution, permutation, XOR). | Slow: built on modular exponentiation or elliptic-curve arithmetic. |
Security depends on key length and key secrecy; if the key leaks, everything encrypted with it is exposed. | Security rests on a hard mathematical problem (factoring, discrete logarithm); a leaked private key is just as fatal, but the public key can be exposed freely. |
Suited to encrypting large volumes of data (AES, ChaCha20). | Suited to key exchange, digital signatures, and encrypting small amounts of data (RSA, ECDH, Ed25519). |
Key management scales badly: n parties need on the order of n^2 pairwise keys. | Scales better: each party publishes one public key. |
Strength grows with key length; short keys fall to brute force (DES's 56-bit key is broken). | Needs far longer keys for comparable strength (2048-bit RSA against 128-bit AES) and is computationally expensive, so in practice it is used to protect a symmetric key that encrypts the data (hybrid encryption). |
S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a security enhancement to the MIME Internet e-mail format standard, adding signing and encryption of messages. RFC 822 (now RFC 5322) defines the format for text messages sent by electronic mail; the RFC 822 standard applies only to the contents of the message, the headers and body, and not to the envelope used to transport it.
Cryptographic Algorithms in S/MIME
- S/MIME incorporates three public-key algorithms: the Digital Signature Standard (DSS) as the preferred algorithm for digital signatures, Diffie-Hellman (in its ElGamal variant) as the preferred algorithm for encrypting session keys, and RSA as an alternative for both signatures and session-key encryption.
- The message content itself is encrypted with a symmetric cipher under a one-time session key. The original specification recommends Triple DES, with SHA-1 as the hash for signatures; current versions require AES and SHA-256. The public-key algorithms protect only the session key and the message digest, never the bulk of the message.
- RFC 2119 defines the requirement-level words used in the S/MIME specification:
- MUST: An absolute requirement. An implementation must include this feature or function to conform to the specification.
- SHOULD: There may be valid reasons in particular circumstances to ignore this feature or function, but an implementation is recommended to include it.
Firewall
Internet connectivity is essential for an organization, giving it access to the outside world, but it is also a threat if the connection is not secured against intrusions (unauthorized access or users). A firewall is inserted between the Internet and the LAN for this purpose: it protects the LAN from Internet-based attacks, enforces the organization's access policy, and provides a single point for logging and auditing traffic.
- A firewall may be a hardware or a software program running on a secure host computer.
- A firewall is placed at the junction or gateway between the two networks.
- A firewall must have at least two network interfaces: one for the network it is intended to protect and one for the network it is exposed to.
- A firewall is placed between a private or corporate network and a public network (Internet).
- Network Level: Guards the entire network from unauthorized intrusion. The basic technique is packet filtering, which inspects the headers of every packet entering the network (addresses, protocol, ports) and rejects whatever does not meet a predefined set of rules. Stateful filters also track connections so that only replies to permitted outbound traffic are admitted.
- Application Level: Controls access on an application-by-application basis. For example, proxy servers can be set up to permit access to some applications, such as HTTP, while blocking others, such as FTP. Because the proxy understands the protocol it can also inspect content, at the cost of more processing per connection.
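The packet-filtering idea from the network-level bullet, as an added example that is not part of the original page. The policy, the 10.0.0.0/24 LAN with a web server at 10.0.0.5 and a DNS resolver at 10.0.0.53, and the sample packets are all constructed. Rules are evaluated first match wins, and a packet that matches nothing is dropped: default deny is the property that matters, because it means a forgotten service is unreachable rather than exposed.

```python
from ipaddress import ip_address, ip_network

class Rule:
    def __init__(self, action, proto, src, dst, dst_ports=None, comment=""):
        self.action, self.proto, self.comment = action, proto, comment
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.dst_ports = set(dst_ports) if dst_ports else None   # None: any port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and (self.dst_ports is None or pkt.get("dport") in self.dst_ports))

def filter_packet(rules, pkt):
    """First matching rule wins; with no match the packet is dropped (default deny).
    Returns (decision, index of the rule that decided, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None

# Constructed policy: one public web server, one DNS resolver, LAN may go out, nothing else in.
POLICY = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.5/32", {80, 443}, "public web server"),
    Rule("allow", "udp", "0.0.0.0/0", "10.0.0.53/32", {53}, "DNS resolver"),
    Rule("allow", "any", "10.0.0.0/24", "0.0.0.0/0", None, "outbound from the LAN"),
    Rule("deny", "any", "0.0.0.0/0", "10.0.0.0/24", None, "nothing else inbound"),
]

def audit(rules, packets):
    """Run a batch of packet headers through the policy; one (decision, rule) per packet."""
    return [filter_packet(rules, p) for p in packets]
```

Rule order is part of the policy: moving the outbound rule above the web-server rule would not change these results, but placing a broad allow above a narrow deny silently disables the deny, which is the most common mistake in hand-written rule sets.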