[Computer Network Interview Questions] Computer Network (1)

What are the protocols and functions of each layer of computer network?

Computer network architectures are commonly described with three layered models: the OSI seven-layer model, the TCP/IP four-layer model, and the five-layer model.

  • OSI seven-layer model: comprehensive but complex. It was defined as a theoretical model first and has seen little practical deployment.
  • TCP/IP four-layer model: distilled from practical deployment. In essence TCP/IP specifies only the top three layers; the bottom (network access) layer has no concrete content, and the TCP/IP reference model does not really describe how that layer is implemented.
  • Five-layer model: appears only in teaching. It is a compromise between the seven-layer and four-layer models, concise yet able to explain the concepts clearly.
The main functions of each layer of the seven-layer architecture:
  • Application layer: provides services to applications. The Internet has many application-layer protocols, such as DNS (domain name system), HTTP (supporting the World Wide Web), SMTP (supporting e-mail), etc.

  • Presentation layer: mainly responsible for data format conversion, such as encryption and decryption, character-code conversion, compression and decompression, etc.

  • Session layer: responsible for establishing, maintaining, and terminating communication sessions between two nodes in the network. For example, the server's verification of a user login is completed by the session layer.

  • Transport layer: provides general-purpose data transmission services between host processes. This layer mainly has the following two protocols:

    • TCP: provides a connection-oriented, reliable data transmission service;
    • UDP: provides a connectionless, best-effort data transmission service that does not guarantee reliable delivery.
  • Network layer: selects appropriate routes and switching nodes so that data is delivered in time. Its main protocol is IP.

  • Data link layer: often referred to simply as the link layer. It assembles the IP datagrams handed down from the network layer into frames and transmits the frames over the link between adjacent nodes.

  • Physical layer: transparently transmits bit streams between adjacent nodes, hiding differences in transmission media and communication methods as far as possible.

The difference between TCP and UDP?

| Aspect | UDP | TCP |
|---|---|---|
| Connection | Connectionless | Connection-oriented |
| Reliability | Unreliable transmission; no flow control or congestion control | Reliable transmission; uses flow control and congestion control |
| Ordering | Unordered | Ordered: segments may arrive out of order during transmission, and TCP reorders them |
| Transfer speed | Fast | Slow |
| Connection objects | One-to-one, one-to-many, many-to-one and many-to-many communication | One-to-one communication only |
| Transfer mode | Message-oriented (datagrams) | Stream-oriented (byte stream) |
| Header overhead | Small, fixed 8 bytes | Minimum 20 bytes, maximum 60 bytes |
| Typical use | Real-time applications (IP telephony, video conferencing, live streaming, etc.) | Applications requiring reliable transfer, such as file transfer |

Summary: use TCP when reliable transmission at the transport layer is required, and UDP for communication that prioritises speed and real-time delivery. Choose between them according to the application's purpose.

What are the application scenarios corresponding to UDP and TCP?

TCP is connection-oriented and can guarantee the reliable delivery of data, so it is often used for:

  • FTP file transfer
  • HTTP / HTTPS

UDP is connectionless, can send data at any time, and its own processing is simple and efficient, so it is often used for:

  • Communication with small packet volumes, such as DNS, SNMP, etc.
  • Video, audio and other multimedia communication
  • Broadcast communication

| Application-layer protocol | Application | Transport-layer protocol |
|---|---|---|
| SMTP | E-mail | TCP |
| Telnet | Remote terminal access | TCP |
| HTTP | World Wide Web | TCP |
| FTP | File transfer | TCP |
| DNS | Domain name resolution | UDP |
| TFTP | File transfer | UDP |
| SNMP | Network management | UDP |
| NFS | Remote file server | UDP |

Explain in detail the three-way handshake mechanism of TCP?


  • First handshake: the client requests a connection by sending a synchronisation segment (SYN=1) to the server, choosing a random number seq = x as its initial sequence number. It enters the SYN_SENT state and waits for the server's confirmation.

  • Second handshake: after receiving the connection request, if the server agrees to establish the connection, it sends a synchronisation-acknowledgment segment (SYN=1, ACK=1) to the client with acknowledgment number ack = x + 1, choosing a random number seq = y as its own initial sequence number. The server now enters the SYN_RECV state.

  • Third handshake: after receiving the server's confirmation, the client sends an acknowledgment segment (ACK=1) to the server with acknowledgment number ack = y + 1 and sequence number seq = x + 1. Both client and server enter the ESTABLISHED state, completing the three-way handshake.

Why is there a three-way handshake instead of two?

  1. Prevents an expired connection-request segment from suddenly reaching the server, which would cause errors and waste resources.
     Suppose a connection could be established after only two handshakes. The client sends a segment A requesting a connection, but A is delayed in the network and does not reach the server for a while; since the server has received no request, it returns no confirmation. Having waited a long time without a response, the client resends the request as segment B. This time B reaches the server, which immediately returns a confirmation and enters the ESTABLISHED state. On receiving that confirmation the client also enters ESTABLISHED; the two sides exchange data and then close the connection normally.
     Now the delayed segment A finally arrives at the server. The server immediately returns a confirmation and enters the ESTABLISHED state, but the client, already in the CLOSED state, cannot accept that confirmation segment, let alone enter ESTABLISHED. The server is left waiting unilaterally for a long time, wasting resources.

  2. Three handshakes let both parties confirm that their own and the other party's sending and receiving capabilities are working.
     First handshake: the client has only sent a request segment and can confirm nothing yet, but the server can confirm that its own receiving capability and the client's sending capability are normal. Second handshake: the client can confirm that its own sending and receiving capabilities are normal, and that the server's sending and receiving capabilities are normal. Third handshake: the server can confirm that its own sending and receiving capabilities are normal, and that the client's sending and receiving capabilities are normal. So after three handshakes both parties know that all four capabilities are working and can communicate.

  3. Tells the other party one's own initial sequence number and confirms receipt of the other party's initial sequence number. One reason TCP achieves reliable transmission is the sequence number field and the acknowledgment number field maintained in the TCP segment header; through these two fields each side knows which of the data it has sent has been confirmed by the other side. The values of both fields increase from the initial sequence number. With a two-way handshake only the initiator's initial sequence number could be confirmed, not the other party's.

Why a three-way handshake instead of four?

The three-way handshake already confirms that both parties' sending and receiving capabilities are normal, that each side knows the other is ready, and that both initial sequence numbers have been acknowledged, so a fourth handshake is unnecessary.

  • First handshake: the server confirms that "the client sends, the server receives" works.
  • Second handshake: the client confirms that "the client sends, the server receives, the server sends, the client receives" all work, and the client considers the connection established.
  • Third handshake: the server confirms that "the server sends, the client receives" works. Both parties have now established the connection and can communicate normally.

What is a SYN flood attack? How to prevent it?

A SYN flood is a kind of DoS attack. It exploits a weakness in TCP's connection setup: by sending a large number of half-open connection requests it consumes the server's CPU and memory resources.

Principle:

  • In the three-way handshake, the connection state after the server has sent the [SYN/ACK] packet (the second packet) and before it receives the client's [ACK] packet (the third packet) is called a half-open connection. The server is then in the SYN_RECV state (SYN received, waiting for the client's response). If the client's [ACK] arrives, the connection succeeds; if not, the server keeps retransmitting until it succeeds or gives up.
  • The attacker forges a large number of non-existent source IP addresses in a short period and continuously sends [SYN] packets to the server; the server replies with [SYN/ACK] packets and waits for the client's confirmation. Because the source addresses do not exist, the server keeps retransmitting until the attempt times out.
  • These forged [SYN] packets occupy the half-open connection queue for a long time, crowding out legitimate SYNs, so the target system runs slowly, the network becomes congested, and the system may even become unresponsive.

Detection: a large number of half-open connections on the server, especially with random source IP addresses, is a strong indication of a SYN flood.

Prevention:

  • Filter at the perimeter with firewalls, routers or other gateway protection.
  • Harden the TCP/IP stack, for example by increasing the maximum number of half-open connections and shortening the retransmission timeout.
  • SYN cookies: a technique that modifies the three-way handshake on the TCP server side to resist SYN flood attacks.
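The detection rule above (many SYN_RECV sockets, mostly from distinct, random-looking sources) can be turned into a small check over the output of `ss -tan`. The code below is an added example, not part of the original post; the socket listing is constructed (RFC 5737 documentation addresses) and the thresholds are assumptions a defender would tune per host.

```python
"""Heuristic SYN-flood indicator computed from an `ss -tan`-style listing."""
from collections import Counter

# Constructed sample in the column layout of `ss -tan` (not a real capture).
SAMPLE_FLOOD = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       203.0.113.7:51022
ESTAB     0      0      10.0.0.5:443       203.0.113.9:51040
SYN-RECV  0      0      10.0.0.5:443       198.51.100.23:40001
SYN-RECV  0      0      10.0.0.5:443       198.51.100.77:40002
SYN-RECV  0      0      10.0.0.5:443       198.51.100.5:40003
SYN-RECV  0      0      10.0.0.5:443       192.0.2.200:40004
SYN-RECV  0      0      10.0.0.5:443       192.0.2.14:40005
SYN-RECV  0      0      10.0.0.5:443       192.0.2.99:40006
"""

# Constructed sample of a quiet server: one client mid-handshake.
SAMPLE_NORMAL = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       203.0.113.7:51022
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:51041
"""


def half_open_sources(ss_output):
    """Count half-open (SYN-RECV) sockets per peer IP address."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]  # drop the port (works for [v6]:port too)
        counts[peer_ip] += 1
    return counts


def assess(ss_output, min_half_open=5, min_distinct_ratio=0.8):
    """Flag when many half-open connections exist AND they come from many
    different sources, which is the page's 'random source IP' signature.
    Thresholds are assumed defaults, not values from the original post."""
    counts = half_open_sources(ss_output)
    total = sum(counts.values())
    distinct = len(counts)
    ratio = distinct / total if total else 0.0
    return {
        "half_open": total,
        "distinct_sources": distinct,
        "distinct_ratio": ratio,
        "suspicious": total >= min_half_open and ratio >= min_distinct_ratio,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_FLOOD))   # suspicious: True
    print(assess(SAMPLE_NORMAL))  # suspicious: False
```

On a live host, feed it `ss -tan` output (`subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout`) and alert on `suspicious`; the Linux counterpart of the SYN-cookie mitigation named above is the `net.ipv4.tcp_syncookies` sysctl.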

During the three-way handshake connection phase, the last ACK packet is lost, what will happen?

Server:

  • If the third ACK is lost in the network, the server's TCP connection stays in the SYN_RECV state (SYN received). Following TCP's timeout-retransmission mechanism, it waits 3 seconds, 6 seconds and 12 seconds before retransmitting the SYN+ACK packet, so that the client resends its ACK.
  • If no ACK from the client arrives after the configured number of retransmissions, the server closes the connection automatically after a while.

client:

The client believes the connection has been established. If the client then sends data to the server, the server responds with an RST packet (Reset, the flag used to close a connection abnormally). At this point the client learns that the third handshake failed.

Describe in detail the four-wave (four-way) closing process of TCP?


  • First wave: the client sends a connection-release segment (FIN=1, ACK=1) to the server, actively closing the connection, and waits for the server's confirmation.

    • Sequence number seq = m, i.e. the sequence number of the last byte the client sent previously + 1
    • Acknowledgment number ack = n, i.e. the sequence number of the last byte the server sent previously + 1
  • Second wave: after receiving the release segment, the server immediately sends an acknowledgment segment (ACK=1) with sequence number seq = n and acknowledgment number ack = m + 1.

    • The connection is now half-closed: the direction from client to server has been released, but the direction from server to client has not. The client has no more data to send, but the server may still send data to the client.
  • Third wave: the server sends a connection-release segment (FIN=1, ACK=1) to the client, closing its side of the connection, and waits for the client's confirmation.

    • Sequence number seq = p, i.e. the sequence number of the last byte the server sent previously + 1.
    • Acknowledgment number ack = m + 1, the same as in the second wave, because the client has sent no data in the meantime
  • Fourth wave: after receiving the server's release segment, the client immediately sends an acknowledgment segment (ACK=1) with sequence number seq = m + 1 and acknowledgment number ack = p + 1.

    • The client now enters the TIME-WAIT state. Note that the client side of the TCP connection is not released yet; it enters CLOSED only after 2*MSL (twice the maximum segment lifetime) has elapsed. The server enters CLOSED as soon as it receives the client's acknowledgment, so the server finishes the connection earlier than the client.
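The sequence/acknowledgment bookkeeping of the three-way handshake and the four waves above can be checked with a small two-endpoint simulation. This is an added example, not code from the original post: it models only the states and numbers the page discusses (no data is exchanged, so m = x + 1 and n = p = y + 1), expiry of 2*MSL is a method call rather than a timer, and the state names follow the page (SYN_RECV, TIME_WAIT).

```python
"""Two-endpoint simulation of TCP setup (three-way handshake) and teardown
(four waves), tracking state, sequence and acknowledgment numbers."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Seg:
    src: str
    flags: str            # "SYN", "SYN+ACK", "ACK" or "FIN+ACK"
    seq: int
    ack: Optional[int] = None


@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    snd_nxt: int = 0      # next sequence number this side will send
    rcv_nxt: int = 0      # next sequence number expected from the peer

    def _send(self, flags, consume=0):
        seg = Seg(self.name, flags, self.snd_nxt, self.rcv_nxt if "ACK" in flags else None)
        self.snd_nxt += consume   # SYN and FIN each occupy one sequence number
        return seg

    def listen(self, iss):
        self.snd_nxt, self.state = iss, "LISTEN"

    def connect(self, iss):
        self.snd_nxt, self.state = iss, "SYN_SENT"
        return self._send("SYN", consume=1)          # 1st handshake

    def close(self):
        # Active close from ESTABLISHED (1st wave) or passive side's FIN (3rd wave)
        if self.state not in ("ESTABLISHED", "CLOSE_WAIT"):
            raise ValueError(f"{self.name} cannot close from {self.state}")
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return self._send("FIN+ACK", consume=1)

    def time_wait_expired(self):
        """2*MSL elapsed with no retransmitted FIN from the peer."""
        if self.state == "TIME_WAIT":
            self.state = "CLOSED"

    def receive(self, seg):
        acked_all = seg.ack == self.snd_nxt          # peer acknowledged everything we sent
        if self.state == "LISTEN" and seg.flags == "SYN":
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RECV"
            return self._send("SYN+ACK", consume=1)   # 2nd handshake
        if self.state == "SYN_SENT" and seg.flags == "SYN+ACK" and acked_all:
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return self._send("ACK")                  # 3rd handshake
        if self.state == "SYN_RECV" and seg.flags == "ACK" and acked_all:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and seg.flags == "FIN+ACK":
            self.rcv_nxt, self.state = seg.seq + 1, "CLOSE_WAIT"   # half-closed
            return self._send("ACK")                  # 2nd wave
        if self.state == "FIN_WAIT_1" and seg.flags == "ACK" and acked_all:
            self.state = "FIN_WAIT_2"
            return None
        if self.state == "FIN_WAIT_2" and seg.flags == "FIN+ACK":
            self.rcv_nxt, self.state = seg.seq + 1, "TIME_WAIT"
            return self._send("ACK")                  # 4th wave
        if self.state == "LAST_ACK" and seg.flags == "ACK" and acked_all:
            self.state = "CLOSED"
            return None
        raise ValueError(f"{self.name} in {self.state} cannot handle {seg}")


def run_session(x, y):
    """Run setup and teardown with client ISN x and server ISN y.
    Returns the segment trace and the states before/after TIME_WAIT expiry."""
    client, server = Endpoint("client"), Endpoint("server")
    server.listen(iss=y)
    trace = []

    def deliver(seg, to):
        trace.append((seg.src, seg.flags, seg.seq, seg.ack))
        return to.receive(seg)

    reply = deliver(client.connect(iss=x), server)
    reply = deliver(reply, client)
    deliver(reply, server)                           # both ESTABLISHED
    reply = deliver(client.close(), server)          # 1st wave
    deliver(reply, client)                           # 2nd wave
    reply = deliver(server.close(), client)          # 3rd wave
    deliver(reply, server)                           # 4th wave
    before = (client.state, server.state)
    client.time_wait_expired()
    return trace, before, (client.state, server.state)


if __name__ == "__main__":
    for line in run_session(x=100, y=300)[0]:
        print(line)
```

Running it with x = 100 and y = 300 shows the handshake acknowledging x + 1 and y + 1, the FIN exchange reusing those values as m and n, and the server reaching CLOSED one step before the client, exactly as the list above describes.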

Why is there a three-way handshake when connecting, but a four-way handshake when closing?

After the server receives the client's FIN segment (the first wave), it may still have data to transmit, so it cannot close the connection immediately; it responds with an ACK segment (the second wave) and may continue sending data. Once its data has been sent, the server sends a FIN segment to the client (the third wave), indicating that transmission is finished and requesting that the connection be closed. Because the server's ACK and FIN are generally sent separately, there is one more exchange than in connection setup, so four waves are needed in total.

Why must the TIME-WAIT state of the client wait for 2MSL (Maximum Segment Lifetime)?

  1. Ensures that the final ACK can reach the server, so the server can close the connection normally.
     The client's fourth-wave ACK may not reach the server. The server will then time out and retransmit its FIN/ACK segment. If the client had already disconnected, it could not respond to this second request; the server would never receive confirmation of its FIN/ACK and could not close gracefully.

     MSL is the longest time a segment can live in the network. Waiting 2MSL [1 MSL for the client's ACK segment to time out + 1 MSL for the server's FIN segment to be transmitted] lets the client receive the server's retransmitted FIN/ACK, resend its ACK once more, and restart the 2MSL timer. This ensures the server can close normally.

     If the server's retransmitted FIN does not reach the client within 2MSL, the server keeps timing out and retrying until the connection is torn down.

  2. Prevents stale connection-request segments from appearing in a later connection.

     TCP requires that the same sequence number not be reused within 2MSL.
     After the client sends its last ACK segment, waiting 2MSL guarantees that every segment generated during the lifetime of this connection has disappeared from the network, so no old connection-request segment can appear in the next connection; even if such an obsolete segment were received, it would not be processed.

What if the connection is established, but the client fails?

Through a timer plus timeout-retry mechanism: TCP keeps trying to obtain confirmation and eventually disconnects automatically. Specifically, TCP has a keep-alive timer. Every time the server receives data from the client the timer is reset; it is usually set to 2 hours.
If no data from the client arrives within 2 hours, the server starts probing: it sends a probe segment every 75 seconds, and if the client still does not respond after 10 consecutive probes, the server considers the connection broken and closes it.

What are the consequences of having too many TIME-WAIT states? How to deal with it?

From the server's perspective, closing a large number of client connections in a short period creates a large number of TIME_WAIT connections on the server, consuming substantial server resources; some clients then find they cannot connect.
From the client's perspective, too many TIME_WAIT sockets exhaust local port resources: there are only 65536 ports, and once they are used up no new connections can be created.
Solutions:

  • The server can set the SO_REUSEADDR socket option so that the TIME_WAIT state does not block it; this option tells the kernel that even if the port is busy (in TIME_WAIT), it should go ahead and reuse it.

  • Adjust kernel parameters by editing /etc/sysctl.conf, i.e. modify net.ipv4.tcp_tw_reuse and tcp_timestamps:

    # Enable reuse: allow TIME-WAIT sockets to be reused for new TCP connections; default 0 (off)
    net.ipv4.tcp_tw_reuse = 1
    # Enable fast recycling of TIME-WAIT sockets; default 0 (off).
    # Note: tcp_tw_recycle was removed in Linux 4.12 because it broke clients behind NAT.
    net.ipv4.tcp_tw_recycle = 1

  • Forcibly close: send an RST packet to skip TIME_WAIT and enter CLOSED directly. RST is used to forcibly close a TCP connection; a host sends it when it needs to close the connection as soon as possible (or when the connection times out, or the port or host is unreachable).
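The keep-alive timer described under "What if the connection is established, but the client fails?" and the SO_REUSEADDR option above are both per-socket settings. The following added example (not code from the original post) shows how to apply them from Python and how to compute the worst-case time before a silent peer is declared dead. The default values passed in are the Linux defaults (idle 7200 s, interval 75 s, 9 probes); the per-socket TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT options exist on Linux and are skipped where the platform does not expose them.

```python
"""Keep-alive and SO_REUSEADDR socket configuration with a detection-time helper."""
import socket


def keepalive_detection_seconds(idle, interval, probes):
    """Worst-case time to notice a dead peer: the idle period, then
    `probes` unanswered probes spaced `interval` seconds apart."""
    return idle + interval * probes


def new_tcp_socket():
    return socket.socket(socket.AF_INET, socket.SOCK_STREAM)


def enable_keepalive(sock, idle=7200, interval=75, probes=9):
    """Turn on keep-alive probing. Returns the per-socket timer values
    actually applied (empty on platforms without these TCP options)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)       # Linux-specific option names
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def keepalive_is_enabled(sock):
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def make_listener(host="127.0.0.1", port=0):
    """Listening socket that can rebind its port while connections from a
    previous instance are still sitting in TIME_WAIT."""
    srv = new_tcp_socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))                      # port 0: let the kernel pick one
    srv.listen(16)
    return srv


def listener_has_reuseaddr(sock):
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR) != 0


if __name__ == "__main__":
    print("default Linux keep-alive detection time:", keepalive_detection_seconds(7200, 75, 9), "s")
    srv = make_listener()
    print("listening on", srv.getsockname(), "SO_REUSEADDR:", listener_has_reuseaddr(srv))
    srv.close()
```

With the Linux defaults a silent peer is only detected after 7200 + 75 * 9 = 7875 seconds, which is why services that need faster failure detection lower the idle and interval values per socket rather than relying on the system-wide 2-hour default.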

Is TIME_WAIT the state of the server? Or the state of the client?

TIME_WAIT is the state that the party that actively disconnects will enter. Under normal circumstances, it is the state that the client is in; the server is generally set not to actively close the connection.

TIME_WAIT must last 2MSL. With a large number of short connections there will be too many TIME_WAIT sockets, which also consumes a lot of system resources. On the server side, enabling KeepAlive in HTTP (the browser reuses one TCP connection for multiple HTTP requests) and letting the browser actively close the connection can reduce this problem to some extent.

How does the TCP protocol ensure reliability?

TCP mainly provides methods such as checksum, sequence number/acknowledgment response, timeout retransmission, sliding window, congestion control and flow control to achieve reliable transmission.

  • Checksum: the receiver uses the checksum to detect whether the data contains errors. If an error is found, the TCP segment is discarded and will be retransmitted by the sender.

  • Sequence number / acknowledgment:

    The sequence number serves more than acknowledgment: with it the receiver can sort received data into order and discard data whose sequence number has already been seen.
    During TCP transmission, each time the receiver gets data it acknowledges it to the sender by sending an ACK segment carrying an acknowledgment number, which tells the sender what has been received and from where to send next.

  • Sliding window: the sliding window improves transmission efficiency and at the same time prevents the sender from sending more data than the receiver can handle.

  • Timeout retransmission: after sending a segment the sender starts a timer; if the acknowledgment does not arrive within the timeout, the segment is considered lost and is retransmitted. The timeout value is computed dynamically.

  • Congestion control: during transmission the network itself may become congested. A congestion control mechanism is introduced to improve performance while maintaining TCP's reliability.

  • Flow control: if host A keeps sending data to host B regardless of B's capacity to receive, B's receive buffer may fill up and data will be dropped, triggering retransmission. If B's receive buffer does not improve during the retransmissions, a lot of time is wasted resending data and transmission efficiency drops. Flow control therefore has host B tell host A the size of its receive buffer, so that A can limit how much it sends. Flow control is tied to the window size field in the TCP header.
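To make the checksum item concrete, the following added example (not code from the original post) implements the Internet checksum that TCP's header field uses (ones' complement sum of 16-bit words, RFC 1071), builds a constructed 20-byte TCP segment with the checksum filled in, and shows the receiver-side check rejecting a corrupted copy. The pseudo-header layout (source IP, destination IP, zero, protocol 6, TCP length) is the real one for IPv4; the addresses and port numbers are constructed.

```python
"""Internet checksum (RFC 1071) over a constructed TCP segment, plus the
receiver-side verification that detects corruption."""
import struct


def internet_checksum(data: bytes) -> int:
    """Ones' complement of the ones' complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length buffer
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header included in the TCP checksum computation."""
    def ip_bytes(dotted):
        return bytes(int(octet) for octet in dotted.split("."))
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_length)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """Minimal TCP header (no options, data offset 5) with the checksum filled in."""
    data_offset = 5 << 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]   # checksum sits at bytes 16-17
    return header + payload


def verify_tcp_segment(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver check: the checksum over pseudo-header + segment (including the
    transmitted checksum field) must come out as zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def corrupt_last_byte(segment: bytes) -> bytes:
    """Flip one bit of the payload to simulate damage in transit."""
    damaged = bytearray(segment)
    damaged[-1] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    seg = build_tcp_segment("10.0.0.1", "10.0.0.2", 40000, 443, 100, 0, 0x02, 65535, b"hello")
    print("intact:", verify_tcp_segment("10.0.0.1", "10.0.0.2", seg))
    print("damaged:", verify_tcp_segment("10.0.0.1", "10.0.0.2", corrupt_last_byte(seg)))
```

The RFC 1071 worked example (`00 01 f2 03 f4 f5 f6 f7`, checksum 0x220D) is a handy self-check for the arithmetic. Note that a ones' complement checksum only detects accidental corruption; it offers no protection against deliberate modification, which is one reason TLS is layered on top of TCP.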

Tell me about the sliding window of TCP in detail?

During data transmission, large data must be split into multiple packets. If TCP had to wait for the acknowledgment of each packet before sending the next, a lot of time would be wasted waiting on the link. To avoid this, TCP introduces the concept of a window: the window size is the maximum amount of data that can be sent without waiting for an acknowledgment.

To the left of the sliding window are packets that have been sent and acknowledged; to the right are packets whose turn has not yet come.

The window itself is divided into two parts: packets that have been sent but not yet acknowledged, and packets within the window that are waiting to be sent.
As sent packets are acknowledged, the waiting packets in the window are sent in turn and the whole window slides to the right, letting packets that have not yet had their turn enter the window.

The sliding window therefore acts as a rate limiter: the current window size determines the rate at which TCP sends packets, and that size is the minimum of the congestion window and the flow-control (receiver) window.
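The sender-side mechanics described above (sent-and-acknowledged on the left, in-flight and ready-to-send inside the window, not-yet-eligible on the right, window = min(rwnd, cwnd)) are easy to exercise in a short simulation. This is an added example, not code from the original post; segments are numbered rather than byte-counted, and `rwnd`/`cwnd` are supplied as plain numbers.

```python
"""Sender-side sliding window with cumulative acknowledgments."""


class SlidingWindowSender:
    def __init__(self, total_segments, rwnd, cwnd):
        self.total = total_segments
        self.rwnd = rwnd          # receiver-advertised (flow control) window
        self.cwnd = cwnd          # congestion window
        self.base = 0             # oldest unacknowledged segment (left edge)
        self.next_seq = 0         # next segment to send
        self.sent_log = []

    @property
    def window(self):
        """Effective send window is the smaller of the two limits."""
        return min(self.rwnd, self.cwnd)

    def pump(self):
        """Send everything the window currently allows; return what was sent now."""
        sent = []
        while self.next_seq < self.total and self.next_seq < self.base + self.window:
            sent.append(self.next_seq)
            self.next_seq += 1
        self.sent_log.extend(sent)
        return sent

    def in_flight(self):
        """Segments sent but not yet acknowledged."""
        return list(range(self.base, self.next_seq))

    def on_ack(self, ack_num):
        """Cumulative ACK: receiver has everything below ack_num.
        Old or duplicate ACKs do not move the window."""
        if ack_num > self.base:
            self.base = min(ack_num, self.next_seq)   # slide the left edge right
        return self.pump()                            # refill the window


if __name__ == "__main__":
    s = SlidingWindowSender(total_segments=10, rwnd=6, cwnd=4)
    print("initial burst:", s.pump())        # [0, 1, 2, 3]
    print("after ack 2:", s.on_ack(2))       # [4, 5]
    print("in flight:", s.in_flight())       # [2, 3, 4, 5]
```

Raising `cwnd` above `rwnd` in the run below has no effect on the burst size, which is the "minimum of the two windows" rule stated in the text.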

Tell me about congestion control in detail?

TCP uses four algorithms together to achieve congestion control:

  • Slow start;

  • Congestion avoidance;

  • Fast retransmit;

  • Fast recovery.

The sender maintains a state variable called the congestion window, cwnd. When cwnd grows to the slow-start threshold ssthresh, the sender switches to the congestion avoidance algorithm.

Slow start : Do not send a large amount of data at the beginning, and gradually increase the size of the congestion window from small to large.

Congestion avoidance: the congestion avoidance algorithm makes the congestion window grow slowly: every time one round-trip time (RTT) passes, the sender's congestion window becomes cwnd + 1 instead of doubling. The window thus grows linearly.

Fast retransmission: it lets the sender learn about an individual lost segment early instead of waiting for a timeout, which improves network throughput. The receiver sends a duplicate acknowledgment immediately on receiving an out-of-order segment, rather than waiting to piggyback the acknowledgment on outgoing data. The fast retransmission rule: as soon as the sender receives three duplicate acknowledgments in a row, it immediately retransmits the segment the other side has not received, without waiting for the retransmission timer to expire.

Fast recovery: works together with fast retransmission. When the sender receives three duplicate acknowledgments in a row, it runs the "multiplicative decrease" algorithm, halving ssthresh (to prevent network congestion), but it then does not run slow start: if the network were congested the sender would not receive several duplicate acknowledgments, so receiving three of them indicates the network is still in reasonable condition.
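The four algorithms interact through two variables, cwnd and ssthresh, so their behaviour is easiest to see as a per-RTT trace. The following added example (not code from the original post) implements the Reno-style rules described above in segment units: doubling in slow start, +1 per RTT in congestion avoidance, halving ssthresh and continuing from the new ssthresh after three duplicate ACKs (fast retransmit + fast recovery), and falling back to cwnd = 1 after a retransmission timeout. The initial ssthresh of 16 segments is an assumed value.

```python
"""Reno-style congestion window evolution: slow start, congestion avoidance,
fast retransmit/fast recovery, and retransmission timeout."""


class RenoCongestionControl:
    def __init__(self, ssthresh=16, cwnd=1):
        self.cwnd = cwnd              # congestion window, in segments
        self.ssthresh = ssthresh      # slow-start threshold, in segments
        self.phase = "slow-start"

    def on_rtt_all_acked(self):
        """One round trip in which every segment in the window was acknowledged."""
        if self.cwnd < self.ssthresh:
            self.cwnd = min(self.cwnd * 2, self.ssthresh)     # exponential growth
            self.phase = "slow-start" if self.cwnd < self.ssthresh else "congestion-avoidance"
        else:
            self.cwnd += 1                                     # linear growth
            self.phase = "congestion-avoidance"
        return self.cwnd

    def on_three_dup_acks(self):
        """Fast retransmit the missing segment, then fast recovery: multiplicative
        decrease of ssthresh, and cwnd restarts from the new ssthresh, not from 1,
        because duplicate ACKs prove the network is still delivering packets."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = self.ssthresh
        self.phase = "congestion-avoidance"
        return self.cwnd

    def on_timeout(self):
        """Retransmission timeout: treated as heavy congestion, back to slow start."""
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = 1
        self.phase = "slow-start"
        return self.cwnd


def simulate(events, ssthresh=16):
    """Apply a list of events ('rtt', 'dup3', 'timeout') and return the
    (cwnd, ssthresh, phase) after each one."""
    cc = RenoCongestionControl(ssthresh=ssthresh)
    handlers = {"rtt": cc.on_rtt_all_acked, "dup3": cc.on_three_dup_acks, "timeout": cc.on_timeout}
    trace = []
    for event in events:
        handlers[event]()
        trace.append((cc.cwnd, cc.ssthresh, cc.phase))
    return trace


if __name__ == "__main__":
    events = ["rtt"] * 5 + ["dup3", "rtt", "timeout", "rtt", "rtt", "rtt"]
    for event, state in zip(events, simulate(events)):
        print(f"{event:8s} -> cwnd={state[0]:3d} ssthresh={state[1]:3d} {state[2]}")
```

The trace makes the two loss signals visible side by side: after three duplicate ACKs the window drops to 8 and keeps growing linearly, whereas after a timeout it collapses to 1 and must climb back through slow start.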



Origin blog.csdn.net/qq_44033208/article/details/132407452