This article is shared from the Huawei Cloud Community " Decrypting TCP Connection Disconnection: The Mystery of Four Waves and the Security of Data Transmission ", author: Hardworking Xiaoyu.

TCP connection dropped

In today's digital era, the Internet has become an indispensable part of people's lives. On the basis of the Internet, the TCP protocol plays a key role, responsible for the reliable transmission of data in the network. In the process of establishing a TCP connection, we have already understood the process and principle of the three-way handshake. However, the establishment of a connection is only a part of the TCP protocol. Equally important is the disconnection process of the connection. This article will focus on the disconnection process of the TCP connection, including the process and state changes of waving four times, as well as why waving four times is needed and why the TIME_WAIT state is needed. By deeply understanding the process of TCP connection disconnection, we can better understand the principles of network communication.

TCP four wave process and status changes

TCP disconnection requires four waves. Both parties have the ability to actively disconnect. Once disconnected, various "resources" in the host will be released. Then we will explain in detail the principle and process of TCP's four waves!

When the client intends to close the connection, it sends a message with the FIN flag in the TCP header set to 1, that is, a FIN message. Subsequently, the client enters the FIN_WAIT_1 state.
When the server receives the message, it will send an ACK response message to the client and enter the CLOSED_WAIT state.
After receiving the ACK response message from the server, the client enters the FIN_WAIT_2 state.
After the server waits for the data to be processed, it will also send a FIN message to the client and then enter the LAST_ACK state.
After receiving the FIN message from the server, the client will reply with an ACK response message and enter the TIME_WAIT state.
Once the server receives the ACK response message, it enters the CLOSE state, so that the server completes the closing of the connection.
After 2MSL for a period of time, the client automatically enters the CLOSE state, so that the client also completes the closing of the connection.

During the disconnection process of the TCP connection, we can observe that each direction needs to send a FIN message and receive an ACK message, so this process is usually called four waves.

One thing to note is that only the party that actively initiates closing the connection will enter the TIME_WAIT state. This is because after closing the connection, the client needs to wait for a period of time (usually twice the maximum segment survival time, that is, 2MSL) to ensure that the server receives its own ACK response message. The purpose of this is to prevent delayed segments from appearing on closed connections and ensure reliable closing of the connection. The server does not need to wait for this period of time, so there is no TIME_WAIT state.

Why does it take four times to wave?

In order to better understand why it takes four waves to wave, let us review the process of sending a FIN packet between both parties. So we can understand why four waves are needed.

When the client sends a FIN to the server when closing the connection, it simply means that the client is no longer sending data, but it can still receive data.

When the server receives the client's FIN message, it will first reply with an ACK response message. However, the server may still have data to process and send, so it will wait until it no longer sends data before sending a FIN message to the client to express its agreement to close the connection now.

Through the above process, we can see that the server usually needs to wait for the completion of data sending and processing, so the server's ACK and FIN are usually sent separately, which results in one more wave than the three-way handshake.

Why is the waiting time of TIME_WAIT 2MSL?

MSL is Maximum Segment Lifetime, which is the maximum survival time of a packet. It indicates the longest time that a packet exists in the network. After this time, the packet will be discarded. Because the TCP protocol is based on the IP protocol, the IP header has a TTL field, which indicates the maximum number of routes that the datagram can pass. Each time it passes through a router, the TTL value is reduced by 1. When the TTL value is 0, the datagram will be discarded and an ICMP message will be sent to notify the source host.

The difference between MSL and TTL is the unit. The unit of MSL is time, and TTL is the number of routing hops passed. Therefore, in order to ensure that the packet has died naturally, the MSL should be greater than or equal to the time when the TTL consumption reaches 0.

A reasonable explanation for TIME_WAIT waiting for 2 times MSL is: there may be packets from the sender in the network. When these packets are processed by the receiver, it sends a response to the other party, so the round trip takes 2x longer. It is to ensure that the last ACK is received by the server. If it is not received, sufficient time must be given for the server's third wave of FIN to be retransmitted.

For example, if the passive closing party does not receive the last ACK message for disconnection, it will trigger a timeout and resend the FIN message. After the other party receives the FIN message, it will resend the ACK to the passive closing party, so the round trip will take 2 MSLs.

2MSL time starts from when the client sends ACK after receiving FIN. If within the TIME_WAIT time, because the client's ACK is not transmitted to the server, and the client receives a FIN message resent by the server, the 2MSL time will be re-timed.

In Linux systems, the default 2MSL time is 60 seconds, that is, one MSL is 30 seconds. The time the Linux system stays in the TIME_WAIT state is fixed at 60 seconds. In the Linux kernel code, its definition is named TCP_TIMEWAIT_LEN:

#define TCP_TIMEWAIT_LEN (60*HZ) /* how long to wait to destroy TIME-WAIT 
                                    state, about 60 seconds  */

If you want to modify the length of TIME_WAIT, you can only modify the value of TCP_TIMEWAIT_LEN in the Linux kernel code and recompile the Linux kernel.

Why do we need TIME_WAIT state?

The TIME_WAIT state exists to ensure reliable closing of network connections. Only the party that actively initiates closing the connection (that is, the active closing party) will have the TIME_WAIT state.

There are two main reasons for the need for TIME_WAIT state:

Prevent "old" packets with the same "quad" from being received: In network communication, each TCP connection is uniquely identified by the four elements of source IP address, source port number, destination IP address, and destination port number. , called "quad". When one party actively closes the connection and enters the TIME_WAIT state, it can still receive delayed data packets from the other party within a period of time. This is because there may be delayed transmission of data packets in the network. If there is no TIME_WAIT state, these delayed data packets may be incorrectly delivered to new connections, causing data confusion. By maintaining the TIME_WAIT state, you can prevent old packets from interfering with new connections.
Ensure that the party that "passively closes the connection" can be closed correctly: When the passive closing party of the connection receives the FIN message from the active closing party (indicating that the connection is closed), it needs to send a confirmation ACK message to the active closing party to complete the connection. of closure. However, the network is unreliable and ACK messages may be lost during transmission. If the active closing party closes the connection before receiving the ACK message, the passive closing party will not be able to complete the connection closing normally. The existence of the TIME_WAIT state ensures that the passive closing party can receive the last ACK message, thereby helping it to close the connection normally.

Prevent packets from old connections

Assuming that the TIME-WAIT state does not have an appropriate waiting time or the time is too short, serious problems may occur after delayed data packets arrive.

For example, the SEQ = 301 message sent by the server before closing the connection is delayed by the network. Then the TCP connection for the same port is reused and the delayed SEQ=301 reaches the client. In this case, the client may receive the expired message normally, leading to serious problems such as data corruption.

In order to solve this problem, TCP designed a mechanism, that is, after 2MSL, it is enough for the data packets in both directions of the connection to be discarded. In this way, the data packets of the original connection disappear naturally in the network, and the data packets that reappear must be generated by the newly established connection, thus avoiding problems such as data confusion.

Make sure the connection is closed correctly

The role of the TIME-WAIT state is to wait for enough time to ensure that the last ACK message can be received by the passive shutdown party and help it shut down normally.

Assuming that TIME-WAIT does not have an appropriate waiting time or is too short, disconnection may cause the following problems:

For example, if the last ACK message sent by the client is lost in the network during the four waves, and the client's TIME-WAIT state is too short or not set, the client will directly enter the CLOSE state, and the server It will always be in LAST-ACK state. In this case, the connection cannot be closed gracefully.

In addition, when the client initiates a SYN request to establish a connection, if the server sends an RST message to the client, the connection establishment process will be terminated.

If TIME-WAIT waits long enough, the following two things will happen:

The server normally receives the last ACK message of four waves, thus closing the connection normally.
When the server does not receive the last ACK message of four waves, it will resend the FIN connection closing message and wait for a new ACK message.

Therefore, after the client waits for 2MSL in the TIME-WAIT state, it can ensure that the connections on both sides can be closed normally.

Here is another popularization of relevant knowledge. Most of the three-way handshake and four-way wave are not mentioned. Why is ack sent when waving for the third time? Isn't it normal to just send the fin?

In the TCP protocol, except for the first SYN packet of the initial connection, in which the ACK field is set to 0, all other TCP packets will have the ACK field set to 1. The purpose of this ACK field is to confirm that the receiver has successfully received the data. If there is data that needs to be sent, the TCP protocol will send the data with an ACK to confirm the other party's data. If data is lost during transmission, TCP will retransmit the data. The ACK field is necessary in the TCP header. If these 32 bits are empty, then simply make the ACK field of all message segments except the initial message segment valid.

Summarize

The TCP connection needs to be disconnected through the process of four waves. Both parties have the ability to actively disconnect, and after disconnection, various resources will be released. The process of waving four times involves the interaction of both parties sending FIN and ACK messages to ensure reliable transmission of data and correct closing of the connection. Among them, the actively closing party will enter the TIME_WAIT state and wait for a period of time to ensure that the other party has received the final ACK message. The TIME_WAIT state exists to prevent packets from old connections from interfering with new connections and to ensure that the passive closing party can close the connection normally. The reason the wave is required four times is to ensure complete transfer of data and reliable closing of the connection. The TIME_WAIT state waits for 2 times MSL to ensure that all data packets in the network have disappeared.

Click to follow and learn about Huawei Cloud’s new technologies as soon as possible~

TCP Connection Broken: Why Wave Four Times