Transport Layer (UDP, TCP, NAPT, QUIC)


70 Terms

1

What are tasks of the transport layer (with an eye towards UDP and TCP)?

Tasks

  • Data End-to-End

    • Goal: "Source process <-> destination process"

    • No longer just the node, rather processes

    • Additional addressing info: port

  • Reliability: stream of bytes arriving at the receiver process exactly as they were sent by the sender process (TCP)

  • Flow Control: prevent receiver overload

  • Congestion Control: prevent network infrastructure overload

2

What are typical properties of connection-oriented communication?

Properties: Reliability, Flow Control, Congestion Control

3

What are characteristics of UDP?

UDP (User Datagram Protocol) characteristics:

  • Uncertain, no guarantees (packets: lost, duplicates, order)

  • Connectionless: replies are optional

  • Uses IP

  • UDP = IP + Addressing multiple "targets"

4

What is the value for UDP in the IPv4 protocol/IPv6 next-header field?

Value = 17

5

What is the structure of the UDP header?

Header structure:

6

What is covered by the UDP checksum header field?

source IP, dest. IP, protocol and UDP length from the IP header, the UDP header and application data

  • Consequence: Layer 3 (IP) and layer 4 (UDP) are closely related

7

What are properties of TCP?

TCP (Transmission Control Protocol) properties:

  • Bytestream (continuous stream of octets): TCP itself (dynamically) determines the ideal packet size in each case -> avoid fragmentation

  • Reliability: Immune to packet loss, reordering, duplicates...

  • Full duplex

  • Connection oriented

  • Multiplexing: ports (like UDP)

  • Flow Control: ACKs with Window-Size; Pipelining; ...

  • Congestion Control: not in the base RFC, but many extensions 

8

What is the structure of the TCP header?

Structure:

  • Source and Destination Port: port number

  • Sequence Number: number of the next byte of data to be sent in the byte stream

  • ACK number: number of the next expected byte (also: everything received OK up to that)

  • Data Offset (due to options): Variable header length because of options

  • Flags: SYN, RST, FIN, PSH, CWR, ECE

  • Window: Size of the receive and therefore the transmit window

  • Checksum: includes pseudoheaders as in UDP

  • Urgent Pointer

  • Optional Options (+Padding)

9

Explain the TCP flags

TCP Flags:

  • SYN: Synchronization of SQNs when establishing a connection

  • RST: Abruptly terminating (resetting) the connection

  • FIN: End of data transfer (final)

  • PSH: Deliver data to application as quickly as possible; no buffering (push)

  • CWR: congestion window reduced (=ack)

  • ECE: congestion experienced (=info)

10

What are some TCP options that are agreed upon during the TCP handshake?

TCP options:

  • Maximum Segment Size

  • Window Shift Count = Window Scale Factor

  • Selective ACK (SACK)

  • Timestamps Option (TSopt)

  • CookieOpt for TCP Fast Open

  • Multipath TCP (MPTCP)

  • Sequence Numbers

  • Window Size

  • ECN

11

Draw an exemplary TCP conversation that includes the handshake, data transfer and connection close

12

Draw a complete state diagram for TCP

13

What information do the standard TCP-ACKs hold?

Cumulative ACK: ACK X means that all data up to and including byte X-1 have been received completely and correctly; data from sequence number X onwards are now expected

14

What are selective ACKs in TCP?

Selective ACK

  1. Agreed upon when establishing a connection; extension to cumulative ACK

  2. Confirmation of several (non-contiguous) data areas

  3. Transfer via TCP options

15

What is the goal of delayed ACK and piggy back ACK?

Confirm more than 1 packet with an ACK

16

How does delayed ACK work?

Only send an ACK after a timeout, not after each received TCP segment

17

How does piggy back ACK work?

Send ACKs together with data in the opposite direction

18

What buffers are used in TCP, and why are they necessary?

Buffers in TCP:

  • TCP uses transmit buffers (to hold data to be sent) and receive buffers (to hold received data temporarily).

  • These are necessary because TCP is a duplex connection, meaning it allows simultaneous two-way communication.


19

What is the Bandwidth-Delay Product, and why should the window size be larger than this value?

Bandwidth-Delay Product:

  • It represents the amount of data that can "fill the pipe" during a round trip: Bandwidth×Round-Trip Time (RTT)

  • The sliding window size (or buffer size) should be larger than this value to fully utilize the network link's capacity.

  • If the buffer is smaller, the connection's available bandwidth will be underutilized.

20

What is pipelining in TCP, and how do the transmission and receive buffers work in this process?

Pipelining in TCP:

  • TCP sends data in a pipeline-like manner:

    • Data flows from the transmission buffer of one host to the receive buffer of the other. 

    • At the same time, ACKs and responses flow in the opposite direction. 

  • This ensures smooth, bidirectional communication and efficient utilization of the connection.

21

Show TCP sliding window in a diagram

Sliding window:

22

What is meant by the term MTU?

MTU = Maximum Transmission Unit: maximum data length of an ethernet frame on a link

23

What is meant by the term PMTU?

PMTU = Path MTU: min of all MTUs on path

24

What is meant by the term MSS?

MSS = Maximum Segment Size as agreed upon in TCP-handshake: maximum TCP data length

25

How do MTU, PMTU and MSS relate to each other?

MSS = PMTU - sizeof(IP-header) - sizeof(TCP-header)

26

What is the silly window syndrome in TCP?

When the remaining window size is very small and the sender sends just that small amount of data:

27

What is the retransmission timeout (RTO) in TCP?

How long to wait for an ACK until we resend the segment

  1. RTO > RTT + Delayed ACK Time

28

Which methods are there to calculate the RTT?

Methods for RTT:

  1. Direct measurement

  2. Using historical smoothed value (average RTT)

  3. Using smoothed value with variance (average RTT and variance)

29

How to calculate the RTO from the "basic" smooth RTT?

RTO from "basic" smooth RTT:

30

How to calculate the RTO with variance?

With Variance:

  1. First measurement R: init SRTT = R and RTTVAR = R/2

    1. RTO = SRTT + max(G, 4 * RTTVAR)

    2. G = clock granularity, e.g. 100 msec

  2. Subsequent measurements:

    1. RTTVAR = (1 - 1/4) RTTVAR + 1/4 | SRTT - R |

    2. SRTT = (1 - 1/8) SRTT + 1/8 R

    3. RTO = max(1, SRTT + max(G, 4 * RTTVAR))

31

What should one do if a segment times out?

Double the RTO, but cap it at 60 seconds:

  1. RTO = min(60, 2 * RTO)

32

What is a Triple ACK, and what does it indicate?

Triple ACK: Three duplicate ACKs; indicates segment loss.

33

Why does TCP wait for 3 duplicate ACKs before retransmitting a segment?

Wait for 3 ACKs: Avoid retransmission due to reordering

34

How does fast retransmit improve performance compared to waiting for the RTO?

Fast Retransmit: Retransmit before RTO is over, therefore reducing latency

35

What happens to delayed ACK behavior when a segment is lost?

Delayed ACK behavior on Loss: delayed ACKs are no longer used after segment loss, receiver immediately sends duplicate ACKs to inform the sender of the missing segment.

36

What is the purpose of SACK, and how does it enhance retransmission efficiency?

Purpose of SACK: allows the receiver to inform sender of which segments were received successfully, even if out of order

37

What happens to already retransmitted segments when the missing segment is retransmitted?

Handling already transmitted segments: not retransmitted; continue with new data.

38

What is the congestion window?

Congestion window = how many packets may be sent without having received an ack

  1. Aim: detect available bandwidth - without creating congestion

  2. We could send more (window size), but we don't until we receive an Ack

    1. Window size: overloading the receiver

    2. Congestion Window: overloading the transmission path

  3. Starts "low" and increases linearly with received ACKs (different from slow start!)

  4. Is reduced (multiplicative, e.g. 0.5) when a segment is lost

39

How does it compare with the window size?

Slow Start: double size every RTT, until window size reached, segment loss, or threshold reached

40

What is meant by "slow start" in the context of the congestion window?

Many short connections -> available resources unused (due to slow start)

41

What could be potential parameters for different congestion avoidance algorithms?

Parameters:

  1. Aims: low loss, high bandwidth, lossy links, variable-rate links, low delay

  2. Requirements regarding implementation: sender-only, sender&receiver, sender&receiver&routers

  3. Different feedback mechanisms: segment loss, delay, loss&delay, explicit signalling

42

How does CUBIC congestion avoidance work?

CUBIC:

  1. Fast growth at start to use available bandwidth

  2. Increase only slowly around last packet loss (= we are probably at the maximum)

  3. If no packet loss after that point, fast probing (= packet loss was "unfortunate accident")

43

Due to which problem does TCP Fast Open exist?

Problem:

  • Sending Host is allowed to send data with initial SYN packet

  • Receiving Host is FORBIDDEN from delivering it to the application (=upper layers) until the 3 way handshake has been completed

  • Data can always be sent with the Sending-Host -> Receiving-Host ACK

44

What is the solution that TCP Fast Open provides?

Solution:

  1. Perform cookie-request in initial SYN

  2. Receive TFO cookie as response in SYN, ACK

  3. Subsequent connections can use that TFO cookie to immediately send data with first SYN

45

What is the main use-case of NAT?

When private IPs have to be translated to public IPs

47

What is the generic core functionality of NAT?

Gateway translates IP addresses (and perhaps also UDP or TCP port numbers) of transmitted IP datagrams

48

What are variants of NAT?

NAT variants:

  1. Static NAT = Server NAT = 1:1 NAT = Destination NAT

  2. Dynamic NAT = Client NAT = Hide NAT = Source NAT = SNAT, also called overloading or masquerading

49

What are private IP addresses?

Private IPs:

  • 10.0.0.0/8

  • 172.16.0.0/12

  • 192.168.0.0/16

50

What happens in static NAT = destination NAPT = DNAT?

Server with only 1 public IP address; the same external IP but different ports are translated to different internal IPs with the same port:

  1. Consequence: internal hosts are reachable from the outside, even if they did not initiate the connection

51

What happens in dynamic NAT = masquerading = source NAPT = SNAT?

Translation table for IP addresses (and ports) is not static, but is generated dynamically when needed, e.g. when an internal client wants to access an external server

  1. Consequence: internal hosts are only reachable when they initiated the communication

52

How does the NAT translation table work?

Via connection tracking, router keeps track of connections, e.g. by TCP port or ICMP identifier

53

What is carrier grade NAT?

When the ISP doesn't directly assign public IPs but has an intermediate network with a dedicated gateway that then performs NAT

54

What is a consequence of carrier grade NAT?

No server possible from the ISP customer side

55

Is there NAT for IPv6?

No NAT for IPv6 at all - this is not intended

  • Exception: IPv6-to-IPv6 Network Prefix Translation, where solely the network prefix is replaced

56

What are advantages of NAT?

Advantages:

  1. Saves a lot of IP addresses; important for IPv4

  2. Is required for load balancing

  3. Partly seen as a security function (mehh...)

57

What are disadvantages of NAT?

Disadvantages:

  1. Breaks the concept of datagram networks in IP traffic

  2. Increases the complexity of tunneling and encryption (VPNs)

  3. Increases the complexity of administration, e.g. DNS name resolution for internal and external IP addresses

  4. IP addresses and port numbers transmitted at higher protocol levels must be translated too! Concept of Application-Level-Gateways (Proxies) with knowledge of the respective application protocol

58

What protocol does HTTP/1 use?

TCP, but with:

  • maximum 2 connections per browser to 1 server

  • slow start

  • many resources

  • 1 resource/connection only

  • slow!

59

What protocol does HTTP/2 use?

TCP, but with:

  • request multiplexing

  • server push

  • compression

  • prioritization of streams

  • better than HTTP/1, but head-of-line blocking is still possible (first request unanswered)

60

What protocol does HTTP/3 use?

Uses UDP: based on QUIC

  • The application layer remains the same as it has been since HTTP/1: verbs, status codes, cookies, caching...

  • Encryption now mandatory

  • New way of compressing headers

  • Permanent connection: waiting for tab/window... close

  1. No closing the connection when all page data was received!

61

Compare HTTP/3 multiplexing with the older HTTP versions

62

What is QUIC?

A L4 protocol based on UDP

  • Similar to TCP in terms of goals, but lower latency

  • Alternative to TCP: generally usable, not just HTTP/3

63

What are key properties of QUIC?

Properties:

  • Integration of TLS into the connection setup: previously 3-way TCP handshake first, then TLS handshake

  • Userspace instead of kernel: intended to enable faster improvement of algorithms

  • Encryption is packet-based: lost packet does not hinder decryption of others

  • Connection IDs instead of IP addresses: allows for IP change during connection

  • TCP Fast Open - Equivalent

  • Potential future extensions:

    • Forward Error Correction

    • Multipath QUIC

    • Unreliable delivery (= same as UDP, but encrypted)

64

What are problems of QUIC?

Problems:

  • All metadata is encrypted too: No more monitoring at the network level (maybe advantage?)

  • Currently (?) no proxy support

  • Middleboxes, e.g. firewall: filtering much harder

    • Is this an inbound or outbound connection

    • When does the connection end (NAT!)?

    • Fallback-to-TCP: IF UDP doesn't work, then classic TCP is used

    • Firewalls are effectively stateless -> UDP hole punching

  • More computation power needed

65

What are benefits of QUIC?

Benefits:

  • Faster connections for end users

  • Faster connections for servers: higher cpu load, but faster responses

  • The higher the bandwidth and the smaller the amount of data, the greater the speed advantage

66

Why is DDoS defense more difficult in QUIC compared to TCP?

  1. DDoS Defense in QUIC:

    1. QUIC uses UDP, so it lacks TCP-like SYN cookies, making amplification attacks easier

67

What is an amplification attack, and how does QUIC mitigate it?

Amplification Attack and Mitigation:

  • Attack: Small spoofed packet triggers a large server response to a victim

  • Mitigation: Server can only send at most 3x the data it received until the client's IP is validated

68

Why is padding required in QUIC initial packets, and how much data must the client send?

Padding in Initial Packets:

  • Clients must send at least 1200 bytes in the initial packet to ensure sufficient data for amplification control. Padding is added if the data is smaller.

69

How does QUIC prevent server resource exhaustion during initial connections?

Preventing Server Resource Exhaustion:

  • Servers use a Retry mechanism (cheap test) to verify the client before performing costly cryptographic operations

70

How does QUIC validate new client and server IP addresses to prevent abuse?

Validating New Addresses:

  • Servers require address validation tokens before sending data to a new client address

  • Clients reject suspicious server address (e.g., private or loopback addresses)