Understand the correct posture of TCP/IP three-way handshake and four-way wave

background

I have been in a long-distance relationship with my girlfriend for more than a year. In order to maintain the relationship, I propose to video chat once a night.

From a good start, it has persisted for more than a year now.

question

Sometimes during the chat, my network or her network may be bad, the video will be stuck, and the voice of the other party will not be heard, and it will resume after a while.

The two parties in the middle may have to constantly confirm whether the network is restored, but sometimes:

Her: "Can you hear me?"

Me: "Okay, how about you?",

Her: "Hey, can you hear me?"

Me: "Okay, I can hear you, how about you?"

Her: "Can you hear me?"

.....

This situation is very painful, so how can we find a simple way to make sure that both of them can hear each other's voice, and the other party can also hear their own voice?

Note: The following plots are purely fictitious

 

plan

Why is TCP connection establishment three-way handshake instead of two or four?

TCP, called Transmission Control Protocol, is a reliable transport layer protocol with IP protocol number 6.

By the way, in principle, no data transmission can be guaranteed to be absolutely reliable, and the three-way handshake is only a basic need to ensure reliability.

As an everyday example, when we are on the phone, we have the following conversation:

 

Corresponds to the communication between client and server:

Hence the following dialogue:

Me: 1+1 equals how much?

She: What is 2,2+2?

me: 4

First, the two make an agreement

1. When you feel that the network situation is not right, any party can initiate an inquiry

2. In any case, if no reply is received within 5 seconds after the inquiry is initiated, the network is considered to be unreachable.

3. In the case of network failure, wait for 1min to initiate an inquiry after the router

 

For me, after initiating the query "1+1 equals how many"

1. If no reply is received within 5s, the network is considered unreachable

2. If a reply is received, I confirm ①I can hear her message ②She can hear my message, and then reply with the answer to her question

For her, when things don't feel right online

1. If she does not receive my inquiry, she initiates an inquiry

2. If she receives "1+1 equals how many", she confirms ① she can hear my message, and then replies the answer to my question and her question "2, 2+2 equals how many"

3. If she doesn't receive my reply "4" within 5s, she confirms ②I can't hear her message

4. If she receives my reply "4" within 5s, she confirms ②I can hear her message

In this way, if the above dialogue is completed, it proves that both parties can confirm that they can hear each other's voice, and the other party can also hear their own voice!

Can this story explain why TCP needs three handshakes... 囧

 

About the Four Waves

First, the client sends a FIN to the server, requesting to close the data transmission.

When the server receives the client's FIN, it sends an ACK to the client, where the value of ack is equal to FIN+SEQ

The server then sends a FIN to the client telling the client application to close.

When the client receives the FIN from the server, it replies with an ACK to the server. The value of ack is equal to FIN+SEQ

 

 

Why wave 4 times?

Make sure that the data can be transferred completely.

When the passive party receives the FIN message notification from the active party, it only means that the active party has no more data to send to the passive party.

But not necessarily all the data of the passive party is completely sent to the active party, so the passive party will not close SOCKET immediately, it may also need to send some data to the active party,

Then send the FIN message to the active party, telling the active party to agree to close the connection, so the ACK message and the FIN message here are sent separately in most cases.

 

 

 

 

 

 

 

1. TCP packet format

  TCP packet format diagram:

 

 

  There are several fields in the above figure that need to be highlighted:

  (1) Sequence number: Seq sequence number, occupying 32 bits, used to identify the byte stream sent from the TCP source end to the destination end, which is marked when the initiator sends data.

  (2) Confirmation sequence number: Ack sequence number, occupying 32 bits, only when the ACK flag bit is 1, the confirmation sequence number field is valid, Ack=Seq+1.

  (3) Flag bits: a total of 6, namely URG, ACK, PSH, RST, SYN, FIN, etc., the specific meanings are as follows:

  (A) URG: Urgent pointer is valid.

  (B) ACK: Confirm that the serial number is valid.

  (C) PSH: The receiver should deliver this message to the application layer as soon as possible.

  (D) RST: Reset the connection.

  (E)SYN: Initiate a new connection.

  (F) FIN: Release a connection.

 

 have to be aware of is:

  (A) Do not confuse the acknowledgment number Ack with the ACK in the flag bit.

  (B) Confirmer Ack=Initiator Req+1, both ends are paired. 

 

Two or three handshakes

TCP (Transmission Control Protocol) Transmission Control Protocol

TCP is a host-to-host layer transmission control protocol, providing reliable connection services, using three-way handshake confirmation to establish a connection

The bit code is the tcp flag bit, and there are 6 kinds of signs:

 

SYN (synchronous establishment of connection)

ACK (acknowledgement confirmation)

PSH (push transmission)

FIN (finish end)

RST (reset reset)

URG (urgent emergency)

 

Sequence number

Acknowledge number 

establish

 

  The so-called three-way handshake (Three-Way Handshake) is to establish a TCP connection, which means that when a TCP connection is established, the client and the server need to send a total of 3 packets to confirm the establishment of the connection . In socket programming, this process is triggered by the client executing connect. The whole process is shown in the following figure:

 

 

  (1) The first handshake: The client sets the flag SYN to 1, randomly generates a value seq=J, and sends the data packet to the server. The client enters the SYN_SENT state and waits for the server to confirm.

 

  (2) The second handshake: After the server receives the data packet, the flag bit SYN=1 knows that the client requests to establish a connection, and the server sets both the flag bits SYN and ACK to 1, ack (number )=J+1, and randomly generates a The value seq=K, and the data packet is sent to the Client to confirm the connection request, and the Server enters the SYN_RCVD state .

 

  (3) The third handshake: After the client receives the confirmation, it checks whether the ack is J+1 and whether the ACK is 1. If it is correct, the flag bit ACK is set to 1, ack=K+1, and the packet is sent. To the server, the server checks whether the ack is K+1 and whether the ACK is 1. If it is correct, the connection is established successfully. The client and the server enter the ESTABLISHED state , complete the three-way handshake, and then the client and the server can start to transmit data.

 

 

  SYN attack :

  In the three-way handshake process, after the Server sends SYN-ACK, the TCP connection before receiving the ACK from the Client is called a half-open connect. At this time, the Server is in the SYN_RCVD state . After receiving the ACK, the Server transfers to ESTABLISHED condition. A SYN attack means that the client forges a large number of non-existing IP addresses in a short period of time, and continuously sends SYN packets to the server. The server replies with an acknowledgement packet and waits for the confirmation from the client. Since the source address does not exist, the server needs to constantly reload Until the timeout is reached , these forged SYN packets will occupy the unconnected queue for a long time, causing normal SYN requests to be discarded because the queue is full , causing network congestion or even system paralysis. SYN attack is a typical DDOS attack. The way to detect SYN attack is very simple, that is, when there are a large number of semi-connected states on the server and the source IP address is random, it can be concluded that it has been attacked by SYN. ​​Use the following command to make it in force:

  #netstat -nap | grep SYN_RECV

  

 

Three or four waves

 The three-way handshake is familiar, and the four-way wavehand is estimated to be. The so-called Four-Way Wavehand terminates the TCP connection, which means that when a TCP connection is disconnected, the client and the server need to send a total of 4 packets to confirm the connection. disconnect. In socket programming, this process is triggered by either the client or the server executing close. The whole process is shown in the following figure:

 

  Since the TCP connection is full-duplex, each direction must be closed separately. This principle is that when one party completes the data transmission task, it sends a FIN to terminate the connection in this direction. Receiving a FIN only means that There is no data flow in this direction, that is, no more data will be received, but data can still be sent on this TCP connection until FIN is also sent in this direction. The side that shuts down first will perform an active shutdown, while the other side will perform a passive shutdown, as depicted in the diagram above.

 (1) Wave for the first time: The client sends a FIN to close the data transfer from the client to the server, and the client enters the FIN_WAIT_1 state.

  (2) The second wave: After the server receives the FIN, it sends an ACK to the client, confirming that the serial number is the received serial number + 1 (same as SYN, one FIN occupies one serial number), and the server enters the CLOSE_WAIT state.

 (3) The third wave: The server sends a FIN to close the data transfer from the server to the client, and the server enters the LAST_ACK state.

  (4) The fourth wave: After the client receives the FIN, the client enters the TIME_WAIT state, and then sends an ACK to the server, confirming that the serial number is the received serial number + 1, and the server enters the CLOSED state, completing the four waveds.

 

 

  The above is the case where one party actively shuts down and the other party passively shuts down. In practice, there will also be cases where active shutdown is initiated at the same time. The specific process is as follows:

  

  The process and status are very clear in the above figure, so I won't repeat them here. You can refer to the previous four wave analysis steps.

 

4. Notes

  There are usually typical interview questions about the three-way handshake and the four-way wave, which are provided here for reference by XDJMs in need:

  (1) What is the three-way handshake or process? What about the four-way handshake? The answer is the previous analysis.

  (2) Why is it a three-way handshake to establish a connection, but a four-way wave to close the connection?

 

  This is because the server in the LISTEN state, after receiving the SYN message for the connection establishment request, sends the ACK and SYN in one message to the client. When closing the connection, when receiving the FIN message from the other party, it only means that the other party no longer sends data but can still receive data , and not all data is sent to the other party, so the party can immediately close or send some data. After the data is sent to the other party, the FIN message is sent to the other party to express the agreement to close the connection now. Therefore, the own ACK and FIN are generally sent separately.