Internet Protocol Suite: Networking, Part 1

Date: Mon Oct 8 2018

ARP (Address Resolution Protocol)

ARP or Address Resolution Protocol is used to map a network address like the IP address to the ethernet address (MAC, Media Access Control address or hardware address). Routers use ARP or MAC addresses to enable communication inside networks (w/in subnets).

Here's the output on my Ubuntu virtual machine (10.163.36.80) running on my desktop:

$ arp -e
Address                  HWtype  HWaddress           Flags Mask  Iface
_gateway                 ether   28:6f:7f:68:92:40   C           enp0s3
10.163.36.13             ether   fc:4d:d4:39:f8:e8   C           enp0s3

And this displays any missing or substituted IP addresses (that is, we can see that gateway is mapped to 10.163.36.1). And I just happen to know that 10.163.36.13 points to my physical desktop computer.

$ arp -an
? (10.163.36.1) at 28:6f:7f:68:92:40 [ether] on enp0s3
? (10.163.36.13) at fc:4d:d4:39:f8:e8 [ether] on enp0s3

Internet Layer

IP (Internet Protocol)

IP is a way to uniquely identify a host on a network. If that network is subnetted, then a host's IP address will be a part of the subnet and not exposed directly to the Internet.

E.g., my IP address on my desktop is 10.163.36.13/24 (ip a), via a wired connection (eno1) and my neighbor's IP address is 10.163.36.65/24. We're both on the same subnet, but if we both, using our respective wired connected computers, Google 'what's my IP address', then we both get back 128.163.8.25. This is the same for the virtual machine I'm using that's running Ubuntu, connected via a bridge network.

Thus, w/o any additional information, all traffic coming from our computers and going out to the Internet looks like it's coming from the same IP address (128.163.8.25). And in reverse, all traffic coming from outside our network first goes to 128.163.8.25 before it's routed to our respective computers.

On the other hand, my laptop, just a few feet away from me, is connected to UK wireless, and not wired, and has this IP address: 10.47.142.2/16 (wlp3s0). You can see there's a different pattern with this IP address, and later we'll learn how we know that, as a result, this laptop is on a different subnet. In the meantime, if I use a browser on this laptop and ask Google for my IP address, it'll tell me: 128.163.237.14.

ICMP

ICMP or Internet Control Message Protocol is a protocol used to send error messages, e.g., to check if a host is down. When we use ping, we're using the ICMP protocol.

Transport Layer

TCP or Transmission Control Protocol is responsible for the transmission of data and for making sure the data arrives at its destination w/o errors.

UDP or User Datagram Protocol performs a similar function as TCP, but it doesn't error check. If data is lost, then it's lost but it's still sent. UDP is useful for conducting voice over internet calls or for streaming video, such as through YouTube. In fact, YouTube uses a type of UDP transmission called QUIC, which adds a level of encryption to the protocol. QUIC was developed by Google.

The above protocols, as well as others, each contain header information. The first part of the header will contain source address, then comes destination address, and so forth. Aside from a few other parts, this is the primary information that an IP header contains.

TCP and UDP headers will contain a bit more information, including port information for both source and destination, sequence (SYN) information for data packets, acknowledgment (ACK) information for the ACK number, as well as data and error checking if it's TCP.
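To make these header fields concrete, here is an added example (not part of the original page) that packs a constructed IPv4 + TCP header with Python's struct module and parses the addresses, ports, sequence and acknowledgment numbers, and flags back out, following the RFC 791 and RFC 793 layouts. The two addresses are the VM and desktop from this page; the ports, sequence number and other values are constructed, and the function names are illustrative.

```python
import socket
import struct

# Fixed-size parts of the headers (RFC 791 / RFC 793), network byte order.
IP_FMT = "!BBHHHBBH4s4s"    # ver/IHL, TOS, length, id, flags/frag, TTL, proto, checksum, src, dst
TCP_FMT = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}


def build_sample_packet():
    """Constructed sample: a SYN from the VM to port 80 on the desktop (checksums left 0)."""
    src = socket.inet_aton("10.163.36.80")
    dst = socket.inet_aton("10.163.36.13")
    ip = struct.pack(IP_FMT, (4 << 4) | 5, 0, 40, 1, 0, 64, socket.IPPROTO_TCP, 0, src, dst)
    tcp = struct.pack(TCP_FMT, 40000, 80, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)
    return ip + tcp


def parse_packet(data):
    """Return the fields the text mentions from an IPv4 packet carrying TCP."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto}
    if proto != socket.IPPROTO_TCP:
        return info                      # UDP/ICMP would need their own layout
    if len(data) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack(TCP_FMT, data[ihl:ihl + 20])
    info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                flags=[name for bit, name in TCP_FLAGS.items() if flags & bit])
    return info


if __name__ == "__main__":
    print(parse_packet(build_sample_packet()))
```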

A port associates a process with a network service. Ports provide a way to distinguish and filter all traffic through an IP address. E.g., all traffic going to IP address X.X.X.X:80 indicates that this is http traffic for the http service. Other common ports include:

  • 21: FTP
  • 22: SSH
  • 25: SMTP
  • 53: DNS
  • 143: IMAP
  • 443: HTTPS
  • 587: SMTP Secure
  • 993: IMAP Secure

There's a complete list on your Linux systems and it's located in the following file:

less /etc/services

See also the Wikipedia page: List of TCP and UDP port numbers

Routing

On my virtual machine on my desktop (bridge connection), I can see the network information for my machine (some output removed / truncated for clarity):

$ ip a
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:f2:36:19 brd ff:ff:ff:ff:ff:ff
    inet 10.163.36.80/24 brd 10.163.36.255 scope global dynamic enp0s3
       valid_lft 685860sec preferred_lft 685860sec
    inet6 fe80::a00:27ff:fef2:3619/64 scope link 
       valid_lft forever preferred_lft forever

Alternatively:

$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.163.36.80  netmask 255.255.255.0  broadcast 10.163.36.255
        inet6 fe80::a00:27ff:fef2:3619  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f2:36:19  txqueuelen 1000  (Ethernet)
        RX packets 101740  bytes 14652618 (14.6 MB)
        RX errors 0  dropped 356  overruns 0  frame 0
        TX packets 1784  bytes 178630 (178.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The above two commands report IP information a little differently. ip a reports that my IP address is:

inet 10.163.36.80/24

That information includes the IP address, the netmask information, and the broadcast information. That is, that /24 is important info.

With ifconfig, the information is reported separately:

  • inet 10.163.36.80
  • netmask 255.255.255.0
  • broadcast 10.163.36.255

We'll learn how to interpret this soon.
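The arithmetic that connects the two views, as an added example that is not part of the original page: the /24 prefix length is turned into the dotted netmask and broadcast address that ifconfig prints, using plain bit operations, and the same network value is used to compare two interfaces. The function names are illustrative; the addresses are the ones shown on this page.

```python
def ip_to_int(dotted):
    """Convert a dotted-quad IPv4 address to a 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr):
    """Split 'address/prefix' (the `ip a` form) into the fields ifconfig shows."""
    address, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix ones, then zeros
    network = ip_to_int(address) & mask                 # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    return {"inet": address, "netmask": int_to_ip(mask),
            "network": f"{int_to_ip(network)}/{prefix}",
            "broadcast": int_to_ip(broadcast)}


def same_subnet(cidr_a, cidr_b):
    """Two interfaces share a subnet when their network/prefix values match."""
    return describe(cidr_a)["network"] == describe(cidr_b)["network"]


if __name__ == "__main__":
    print(describe("10.163.36.80/24"))                        # the Ubuntu VM
    print(same_subnet("10.163.36.80/24", "10.163.36.13/24"))  # VM vs desktop
    print(same_subnet("10.163.36.13/24", "10.47.142.2/16"))   # desktop vs laptop
```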

In the meantime, here's the routing table on my Ubuntu Bridge VM:

$ ip route
default via 10.163.36.1 dev enp0s3 proto dhcp src 10.163.36.80 metric 100 
10.163.36.0/24 dev enp0s3 proto kernel scope link src 10.163.36.80 
10.163.36.1 dev enp0s3 proto dhcp scope link src 10.163.36.80 metric 100

And then on my physical machine:

$ ip route
default via 10.163.36.1 dev eno1 proto dhcp metric 100
10.163.36.0/24 dev eno1 proto kernel scope link src 10.163.36.13 metric 100
169.254.0.0/16 dev eno1 scope link metric 1000

Since both machines are on the same network, they both state the following path:

  1. All packets originating at 10.163.36.80 (for Ubuntu VM) or 10.163.36.13 (for physical machine) are routed through 10.163.36.1 on the subnet defined as 10.163.36.0/24.
  2. In the second ip route output, you'll notice the IP address 169.254.0.0/16. This is called the link-local address. This is a local address that is assigned to a device in the absence of either static or dynamic IP assignment (via, e.g., a router).
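How one of these entries gets picked for a given destination, as an added example (not from the original page): the most specific matching prefix wins, and the metric breaks ties between equal prefixes. The parser handles only the fields seen in the ip route output above, and the function names are illustrative.

```python
import ipaddress

# `ip route` output from the physical machine, copied from the listing above.
ROUTES = """\
default via 10.163.36.1 dev eno1 proto dhcp metric 100
10.163.36.0/24 dev eno1 proto kernel scope link src 10.163.36.13 metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
"""


def parse_routes(text):
    """Turn each `ip route` line into a dict with network, gateway, dev, metric."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        dest = "0.0.0.0/0" if words[0] == "default" else words[0]
        fields = dict(zip(words[1::2], words[2::2]))   # rest is key/value pairs
        routes.append({
            "network": ipaddress.ip_network(dest),
            "gateway": fields.get("via"),          # None means directly on-link
            "dev": fields.get("dev"),
            "metric": int(fields.get("metric", 0)),
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match; a lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(routes, destination):
    """Address the frame is actually delivered to on the local link."""
    route = lookup(routes, destination)
    if route is None:
        return None
    return route["gateway"] or destination


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for dst in ("10.163.36.80", "128.163.8.25", "169.254.10.5"):
        print(dst, "->", next_hop(table, dst), "via", lookup(table, dst)["dev"])
```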

The ip command is a relatively new command that is replacing other commands, like arp and ifconfig. Read the man page for ip for more info, and compare to this command, which gives the same info as above but organized a bit differently:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.163.36.1     0.0.0.0         UG    100    0        0 eno1
10.163.36.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1

In any case, we can put this information together, and say something like this:

10.163.36.13/24 : subnet address / subnet mask
10.163.36.255   : broadcast address
10.163.36.1     : router/gateway
169.254.0.0/16  : Link-local address

This all translates into:

10.163.36.13 <----> 10.163.36.0/24 <---> 10.163.36.1 <---> 128.163.48.6
 IP Address             Network           Gateway           Public
                        Subnet            Router            Router
                        Mask

Misc:

Don't do this on a public network, but you can tell me what this means:

$ ping -b 10.163.36.255
WARNING: pinging broadcast address
PING 10.163.36.255 (10.163.36.255) 56(84) bytes of data.

--- 10.163.36.255 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2046ms

$ arp -a
? (10.163.36.176) at 3c:07:54:5a:99:0e [ether] on eno1
? (10.163.36.80) at 08:00:27:f2:36:19 [ether] on eno1
? (10.163.36.19) at 00:40:58:06:b3:fd [ether] on eno1
? (10.163.35.124) at e8:39:35:8d:bb:03 [ether] on eno1
lcli-310.prt.uky.edu (10.163.36.41) at 00:26:73:29:fe:25 [ether] on eno1
kls4mapprt.prt.uky.edu (10.163.36.6) at a4:5d:36:b6:1a:34 [ether] on eno1
? (10.163.36.77) at 0c:4d:e9:b8:cd:fc [ether] on eno1
? (10.163.36.92) at 00:21:b7:5a:19:f6 [ether] on eno1
? (10.163.36.43) at 00:21:b7:04:50:fc [ether] on eno1
? (10.163.36.49) at 0c:4d:e9:98:e9:e8 [ether] on eno1
? (10.163.36.69) at 50:9a:4c:7f:47:6d [ether] on eno1
? (10.163.36.8) at 48:4d:7e:de:bd:c6 [ether] on eno1
? (10.163.36.31) at 68:5b:35:cb:b1:da [ether] on eno1
_gateway (10.163.36.1) at 28:6f:7f:68:92:40 [ether] on eno1
celt.prt.uky.edu (10.163.36.160) at 00:26:73:1d:e9:99 [ether] on eno1
? (10.163.36.142) at 00:3e:e1:c4:4a:a6 [ether] on eno1
? (10.163.36.95) at 78:7b:8a:db:9c:b2 [ether] on eno1
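A small check a defender can run over this kind of listing, as an added example (not from the original page): it parses arp -a / arp -an lines, lists neighbors whose IP falls outside the interface's subnet, and lists any hardware address that appears for more than one IP. The sample rows are a subset of the output above plus one constructed row (the last one) to exercise the second check; the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the `arp -a` output above; the last row is constructed for the demo.
ARP_OUTPUT = """\
? (10.163.36.80) at 08:00:27:f2:36:19 [ether] on eno1
? (10.163.35.124) at e8:39:35:8d:bb:03 [ether] on eno1
celt.prt.uky.edu (10.163.36.160) at 00:26:73:1d:e9:99 [ether] on eno1
_gateway (10.163.36.1) at 28:6f:7f:68:92:40 [ether] on eno1
? (10.163.36.250) at 28:6f:7f:68:92:40 [ether] on eno1
"""

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) \[ether\] on (?P<dev>\S+)$",
    re.IGNORECASE)


def parse_arp(text):
    """Yield (name, ip, mac, dev) for every complete entry; skip the rest."""
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:                                    # '<incomplete>' rows do not match
            yield (m["name"], ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["dev"])


def review(text, local_net):
    """Return (off_subnet_ips, {mac: [ips]} for MACs seen with more than one IP)."""
    net = ipaddress.ip_network(local_net)
    by_mac = defaultdict(list)
    off_subnet = []
    for _name, ip, mac, _dev in parse_arp(text):
        by_mac[mac].append(str(ip))
        if ip not in net:
            off_subnet.append(str(ip))
    # One MAC behind several IPs can be legitimate (a host with two addresses),
    # but it is also what a changed or shared mapping looks like, so report it.
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return off_subnet, shared


if __name__ == "__main__":
    off, shared = review(ARP_OUTPUT, "10.163.36.0/24")
    print("outside 10.163.36.0/24:", off)
    print("MACs with several IPs:", shared)
```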

Here's how to disable and then enable a connection on a machine. Note that eno1 is the name of my network card/device. You'd have to replace it with the name of yours. If it's a wireless card, it should begin with a 'w':

sudo ip link set eno1 down
sudo ip link set eno1 up

IPv6 subnetting

We're not going to get into subnetting with IPv6, but if you're interested, this is a nice article:

IPv6 subnetting overview

linux/internet-protocol-suite-networking.txt · Last modified: 2019/01/21 11:17 by seanburns