CompTIA Network+ Guide to Networks, Ninth Edition Module 4: Protocols

TCP/IP Core Protocols

  • TCP/IP is a suite of protocols that includes TCP, IP (IPv4 and IPv6), UDP, ARP, among others.
  • Each TCP/IP protocol adds its own header to the data handed down from the layer above it.
    • Layers 7, 6, and 5: Data and instructions, known as payload, are generated by applications running on the source host.
    • Layer 4: A Transport Layer protocol, usually TCP or UDP, adds a header to the payload. This includes a port number to identify the receiving application.
    • Layer 3: The Network layer adds its own header, creating a packet.
    • Layer 2: The packet is passed to the Data Link layer on the NIC, which encapsulates the data with its own header and trailer, creating a frame.
    • Layer 1: The Physical layer on the NIC receives the frame and places the transmission on the network.
  • The receiving host decapsulates the message at each layer in reverse order and presents the payload to the receiving applications.
  • In transit, transmissions might pass through a number of connectivity devices.
  • Connectivity devices are specialized devices that allow two or more networks or multiple parts of one network to connect and exchange data.
  • Connectivity devices are identified by the highest OSI layer they read and process.

TCP (Transmission Control Protocol)

  • TCP operates in the transport layer of the OSI model.
  • Three characteristics of TCP:
    • Connection-oriented: TCP ensures that a connection or session is established by using a three-step process called a three-way handshake.
    • Sequencing and checksums: TCP places a checksum in each segment, which the destination host recomputes to detect corruption, along with a sequence number so segments can be reassembled in order and missing ones detected.
    • Flow control: TCP gauges the rate of transmission based on how quickly the recipient can accept data.
  • The TCP three-way handshake establishes a session before TCP transmits actual data.
    • Step 1: A request for a connection (SYN).
    • Step 2: A response to the request (SYN/ACK).
    • Step 3: A connection is established (ACK).
  • After the three initial messages, the payload or data is sent.
  • Sequence numbers are increased by the number of bytes (not bits) in each segment, so the acknowledgment number confirms exactly how much of the message was received.
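Worked example, added here and not code from the textbook: the three-way handshake and the byte-based sequence arithmetic above, simulated in Python with two in-memory endpoints (no sockets are opened). Port numbers and the HTTP request are constructed test values. The initial sequence numbers come from a CSPRNG, which is the security-relevant detail: a predictable ISN lets an attacker who cannot see the traffic forge the final ACK or inject data.

```python
"""Simulated TCP three-way handshake and sequence/acknowledgment arithmetic.

Added example (not from the textbook). No sockets are opened: two in-memory
endpoints exchange constructed segments so every number can be inspected.
"""
from dataclasses import dataclass, field
import secrets

MASK = 0xFFFFFFFF  # sequence numbers are 32 bits and wrap around


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: set                 # subset of {"SYN", "ACK"}
    payload: bytes = b""


@dataclass
class Endpoint:
    port: int
    state: str = "CLOSED"
    snd_nxt: int = 0           # next sequence number this side will send
    rcv_nxt: int = 0           # next sequence number this side expects to receive
    received: bytearray = field(default_factory=bytearray)


def initial_sequence_number():
    # The ISN must be unpredictable (RFC 6528). A guessable ISN lets an attacker
    # who cannot see the traffic complete a spoofed handshake or inject data,
    # so a CSPRNG is used instead of a counter.
    return secrets.randbits(32)


def three_way_handshake(client, server):
    # Step 1: SYN. The SYN flag itself consumes one sequence number.
    client.snd_nxt = initial_sequence_number()
    syn = Segment(client.port, server.port, client.snd_nxt, 0, {"SYN"})
    client.state = "SYN-SENT"
    client.snd_nxt = (client.snd_nxt + 1) & MASK

    # Step 2: SYN/ACK. The server acknowledges the client's ISN + 1 and sends its own ISN.
    server.rcv_nxt = (syn.seq + 1) & MASK
    server.snd_nxt = initial_sequence_number()
    synack = Segment(server.port, client.port, server.snd_nxt, server.rcv_nxt, {"SYN", "ACK"})
    server.state = "SYN-RECEIVED"
    server.snd_nxt = (server.snd_nxt + 1) & MASK

    # Step 3: ACK. The client checks that its SYN was acknowledged, then acknowledges the server's.
    if synack.ack != client.snd_nxt:
        raise ValueError("SYN/ACK does not acknowledge our SYN")
    client.rcv_nxt = (synack.seq + 1) & MASK
    ack = Segment(client.port, server.port, client.snd_nxt, client.rcv_nxt, {"ACK"})
    client.state = "ESTABLISHED"
    if ack.ack != server.snd_nxt:
        raise ValueError("ACK does not acknowledge our SYN/ACK")
    server.state = "ESTABLISHED"
    return [syn, synack, ack]


def send_data(sender, receiver, payload):
    """Build one data segment; the sender's next sequence number advances by len(payload) bytes."""
    seg = Segment(sender.port, receiver.port, sender.snd_nxt, sender.rcv_nxt, {"ACK"}, payload)
    sender.snd_nxt = (sender.snd_nxt + len(payload)) & MASK
    return seg


def receive_data(receiver, seg):
    """Accept an in-order segment and return the ACK for it.

    The acknowledgment number advances by the payload length in bytes (not bits):
    it names the next byte the receiver expects. Anything else is rejected."""
    if seg.seq != receiver.rcv_nxt:
        raise ValueError(f"segment seq {seg.seq} is not the expected {receiver.rcv_nxt}")
    receiver.received += seg.payload
    receiver.rcv_nxt = (receiver.rcv_nxt + len(seg.payload)) & MASK
    return Segment(receiver.port, seg.src_port, receiver.snd_nxt, receiver.rcv_nxt, {"ACK"})


def demo():
    client, server = Endpoint(port=51515), Endpoint(port=80)
    handshake = three_way_handshake(client, server)
    request = send_data(client, server, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    ack = receive_data(server, request)
    return client, server, handshake, request, ack


if __name__ == "__main__":
    _, _, hs, req, ack = demo()
    for s in hs + [req, ack]:
        flags = "/".join(sorted(s.flags))
        print(f"{s.src_port:>5} -> {s.dst_port:<5} {flags:<8} seq={s.seq} ack={s.ack} len={len(s.payload)}")
```

Run it twice and the sequence numbers differ while the differences between them (ack minus seq) stay fixed at 1 for the SYNs and at the payload length, 38 bytes, for the data segment. Replaying the request segment is rejected because its sequence number no longer matches what the server expects.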

UDP (User Datagram Protocol)

  • UDP is an unreliable, connectionless protocol.
  • No three-way handshake is performed.
  • UDP does not guarantee delivery of data.
  • UDP provides no sequencing, flow control, or retransmission; its only error checking is a checksum.
  • This makes UDP more efficient than TCP.
  • Useful for live audio or video transmissions over the Internet.
  • Also more efficient for carrying messages that fit within one data packet.
  • A UDP header contains only four fields: Source port, Destination port, Length, and Checksum.
  • The use of the Checksum field in UDP is optional in IPv4 but required in IPv6.

IP (Internet Protocol)

  • IP operates at the network layer of the OSI model.
  • It specifies where data should be delivered and identifies the data’s source and destination IP addresses.
  • IP enables TCP/IP to internetwork, allowing it to traverse more than one LAN segment and more than one type of network through a router.
  • IP is an unreliable, connectionless protocol, meaning it does not guarantee delivery of data, and no session is established before data is transmitted.
  • IP relies on a higher-layer protocol, normally TCP, to put messages back together in the right order and, through port numbers, to deliver each one to the correct application on the receiving host.
  • IPv6 uses a different packet format than IPv4 and can accommodate the much longer IPv6 addresses.
  • There is no Fragment offset field in the IPv6 base header; IPv6 routers never fragment packets in transit.
  • IPv6 hosts adjust their packet sizes to fit the requirements of the network before sending IPv6 messages.

ICMP (Internet Control Message Protocol)

  • ICMP is a core network layer protocol that reports on the success or failure of data delivery.
  • ICMP can indicate the following:
    • When part of a network is congested.
    • When data fails to reach its destination.
    • When data has been discarded because the allotted TTL has expired.
  • ICMP announces transmission failures to the sender but does not correct errors it detects.
  • It provides critical information for troubleshooting network problems.
  • ICMPv6 on IPv6 networks performs the functions of ICMP and ARP on IPv4 networks.

ARP (Address Resolution Protocol) on IPv4 Networks

  • ARP works in conjunction with IPv4 to discover the MAC address of a host or node on the local network.
  • It maintains a database that maps IP addresses to MAC addresses on the local network.
  • ARP messages are carried directly inside Ethernet frames rather than IP packets; ARP sits between Layer 2 and Layer 3, resolving Layer 3 IPv4 addresses to Layer 2 MAC addresses, and relies on broadcasting.
  • Because its requests are broadcasts, ARP operates only within its local network (broadcast domain).
  • The ARP table is the database of IP-to-MAC address mappings.
    • Dynamic entries are created when a client makes an ARP request that could not be satisfied by data already in the ARP table.
    • Static entries are those someone entered manually using the ARP utility (arp command).
  • To view a Windows workstation's ARP table, enter the command arp -a.
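Worked example, added here and not the textbook's code: building and parsing ARP requests and replies with Python's struct module, plus a small ARP table that keeps the dynamic/static distinction above. The MAC and IP addresses are made-up test values. The security point is that ARP has no authentication: any host can answer a request, so the table refuses to overwrite static entries and flags replies that change an existing mapping or that nobody asked for.

```python
"""ARP request/reply construction, parsing, and a small ARP table with spoof checks.

Added example (not the textbook's code). Packets are built in memory with struct;
the MAC and IP addresses are made-up test values.
"""
import struct
from ipaddress import IPv4Address

# Ethernet/IPv4 ARP body: hw type, proto type, hw len, proto len, opcode,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total)
ARP_FMT = "!HHBBH6s4s6s4s"
HW_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
UNKNOWN_MAC = "00:00:00:00:00:00"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HW_ETHERNET, ETHERTYPE_IPV4, 6, 4, opcode,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(pkt):
    hw, proto, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_text(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_text(tha), "tpa": str(IPv4Address(tpa))}


class ArpTable:
    """Maps IPv4 address -> (MAC, 'static' | 'dynamic').

    Static entries are never overwritten by replies. A dynamic entry may change,
    but an unsolicited reply or a changed MAC is recorded as a possible spoof."""

    def __init__(self):
        self.entries = {}
        self.pending = set()   # IPs we have requested and not yet resolved
        self.alerts = []

    def add_static(self, ip, mac):
        self.entries[ip] = (mac.lower(), "static")

    def request(self, my_mac, my_ip, target_ip):
        """'Who has target_ip? Tell my_ip.' Carried in a broadcast Ethernet frame
        (destination ff:ff:ff:ff:ff:ff) because the target MAC is not yet known."""
        self.pending.add(target_ip)
        return build_arp(OP_REQUEST, my_mac, my_ip, UNKNOWN_MAC, target_ip)

    def learn(self, pkt):
        a = parse_arp(pkt)
        if a["op"] != OP_REPLY:
            return a
        current = self.entries.get(a["spa"])
        if current and current[1] == "static":
            if current[0] != a["sha"]:
                self.alerts.append(f"{a['spa']}: reply from {a['sha']} conflicts "
                                   f"with static entry {current[0]}")
            return a
        if current is None and a["spa"] not in self.pending:
            self.alerts.append(f"{a['spa']}: unsolicited reply from {a['sha']} ignored")
            return a
        if current and current[0] != a["sha"]:
            self.alerts.append(f"{a['spa']}: MAC changed {current[0]} -> {a['sha']} "
                               f"(possible ARP spoofing)")
        self.entries[a["spa"]] = (a["sha"], "dynamic")
        self.pending.discard(a["spa"])
        return a


def demo():
    table = ArpTable()
    table.add_static("192.0.2.1", "02:00:00:00:00:01")        # gateway pinned by the administrator
    request = table.request("02:00:00:00:00:aa", "192.0.2.10", "192.0.2.20")
    # legitimate reply from 192.0.2.20 -> dynamic entry created
    table.learn(build_arp(OP_REPLY, "02:00:00:00:00:20", "192.0.2.20", "02:00:00:00:00:aa", "192.0.2.10"))
    # forged reply claiming to be the gateway -> rejected, the static entry wins
    table.learn(build_arp(OP_REPLY, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:aa", "192.0.2.10"))
    # forged reply re-mapping 192.0.2.20 -> accepted as dynamic, but flagged
    table.learn(build_arp(OP_REPLY, "02:00:00:00:00:66", "192.0.2.20", "02:00:00:00:00:aa", "192.0.2.10"))
    return table, parse_arp(request)


if __name__ == "__main__":
    table, request = demo()
    print("request:", request)
    for ip, (mac, kind) in table.entries.items():
        print(f"{ip:<15} {mac}  {kind}")
    for alert in table.alerts:
        print("ALERT:", alert)
```

The table ends up with the gateway still pointing at its pinned MAC and 192.0.2.20 pointing at the attacker, with two alerts. That second outcome is exactly why static entries (or switch features such as dynamic ARP inspection) are used for gateways and other critical hosts.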

NDP (Neighbor Discovery Protocol)

  • IPv6 devices learn about other devices on their networks through a process called neighbor discovery.
  • NDP (Neighbor Discovery Protocol) information carried in ICMPv6 messages automatically detects neighboring devices and automatically adjusts when nodes fail or are removed.
  • NDP offers several ICMPv6 message types:
    • RA (router advertisement).
    • RS (router solicitation).
    • Redirect.
    • NS (neighbor solicitation).
    • NA (neighbor advertisement).

Ethernet

  • Ethernet is the most important data link layer standard.
  • It is capable of running on a variety of network media.
  • Ethernet offers excellent throughput at a reasonable cost.
  • It is the most popular network technology used on modern LANs.
  • Ethernet II is the current standard.
  • Ethernet adds both a header and a trailer to the payload, creating a frame around the payload.
  • The header (14 bytes: destination MAC, source MAC, and type) and the FCS (4 bytes) make up the 18-byte “frame” around the data.
  • The data portion of an Ethernet frame may contain from 46 to 1500 bytes.
  • MTU (maximum transmission unit) is the largest Network layer packet, in bytes, that a link in a message’s path will carry; for standard Ethernet it is 1500 bytes, matching the frame’s maximum data field.
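Worked example, added here and not code from the textbook, tying together three passages above: the layer-by-layer encapsulation from the start of the module, the four-field UDP header with its checksum that is optional over IPv4, and the Ethernet II frame limits (46 to 1500 bytes of data, 18 bytes of header plus FCS). A payload is wrapped in UDP, then IPv4, then Ethernet II, and decapsulated again with every check value verified. Addresses are documentation/test values chosen for the example.

```python
"""Encapsulate a UDP payload in IPv4 and Ethernet II, then decapsulate it.

Added example, not the textbook's code. Everything is built in memory with
struct; the MAC and IP addresses are test values chosen for the demo.
"""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
MIN_ETH_PAYLOAD, MAX_ETH_PAYLOAD = 46, 1500   # Ethernet data field bounds
ETH_OVERHEAD = 14 + 4                         # header + FCS = 18 bytes of framing


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by IPv4, UDP, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True):
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    if with_checksum:
        # The UDP checksum also covers a pseudo-header: IPs, zero, protocol, UDP length.
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_UDP, length)
        csum = ones_complement_sum(pseudo + header + payload) or 0xFFFF  # 0 on the wire means "none"
        header = struct.pack("!HHHH", sport, dport, length, csum)
    return header + payload


def build_ipv4(src_ip, dst_ip, transport, ttl=64):
    total_len = 20 + len(transport)
    # version 4, IHL 5 (20-byte header), DSCP/ECN 0, identification, DF flag, TTL, protocol
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, PROTO_UDP, 0, src_ip, dst_ip)
    csum = ones_complement_sum(hdr)                  # header checksum covers only the IP header
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + transport


def build_ethernet(dst_mac, src_mac, packet):
    if len(packet) > MAX_ETH_PAYLOAD:
        raise ValueError(f"packet of {len(packet)} bytes exceeds the {MAX_ETH_PAYLOAD}-byte MTU")
    data = packet.ljust(MIN_ETH_PAYLOAD, b"\x00")    # short packets are padded up to 46 bytes
    header = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    fcs = struct.pack("<I", zlib.crc32(header + data))  # FCS is CRC-32, least-significant byte first
    return header + data + fcs


def decapsulate(frame):
    """Reverse the layers, verifying each check value on the way up."""
    header, data, fcs = frame[:14], frame[14:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(header + data):
        raise ValueError("Ethernet FCS mismatch")
    ethertype = struct.unpack("!H", header[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected EtherType {ethertype:#06x}")
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ones_complement_sum(data[:ihl]) != 0:         # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    packet = data[:total_len]                        # IPv4 Total Length strips the Ethernet padding
    src_ip, dst_ip = packet[12:16], packet[16:20]
    udp = packet[ihl:]
    sport, dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    if csum != 0:   # checksum is optional over IPv4 (mandatory over IPv6)
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_UDP, ulen)
        if ones_complement_sum(pseudo + udp[:ulen]) != 0:
            raise ValueError("UDP checksum mismatch")
    return {"src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
            "udp_checksummed": csum != 0, "payload": udp[8:ulen]}


def demo(payload=b"hello", with_checksum=True):
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])
    src_mac, dst_mac = bytes.fromhex("020000000010"), bytes.fromhex("020000000053")
    udp = build_udp(src_ip, dst_ip, 40000, 53, payload, with_checksum)
    pkt = build_ipv4(src_ip, dst_ip, udp)
    frame = build_ethernet(dst_mac, src_mac, pkt)
    return frame, pkt, decapsulate(frame)


if __name__ == "__main__":
    frame, pkt, out = demo()
    print(f"IP packet {len(pkt)} bytes -> frame {len(frame)} bytes (padded to 46 + {ETH_OVERHEAD})")
    print(out)
```

A 5-byte payload gives a 13-byte UDP datagram and a 33-byte IP packet, which Ethernet pads to 46 bytes and wraps in 18 bytes of framing for a 64-byte frame, the minimum Ethernet frame size. A 1472-byte payload fills the 1500-byte MTU exactly and yields a 1518-byte frame; one byte more is rejected before it reaches the wire. Flipping any byte of the frame trips the FCS check, and with the checksum omitted the datagram still parses, which is the IPv4 behavior the bullet above describes.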

Encryption Protocols

  • Encryption protocols use a mathematical procedure, called a cipher, to scramble data into a format that can be read only by reversing the cipher with the correct key.
  • The purpose of encryption is to keep information private.
  • Security measures, encryption protocols included, are evaluated against three benchmarks:
    • Confidentiality.
    • Integrity.
    • Availability.
  • The principles above form the standard security model called the CIA triad.

Key Encryption

  • A key is a random string of bits that the cipher combines with the original data’s bits, producing a unique block of scrambled output called ciphertext.
  • Keys are generated and applied according to a specific set of rules (the algorithm); the algorithm may be public as long as the key stays secret.
  • Key encryption can be separated into two categories:
    • Private key (symmetric) encryption: the same key encrypts and decrypts, so both parties must already share it.
    • Public key (asymmetric) encryption: a public key encrypts and a mathematically related private key decrypts.

IPsec (Internet Protocol Security)

  • IPsec is an encryption protocol suite that defines rules for encryption, authentication, and key management for TCP/IP transmissions.
  • IPsec creates secure connections in five steps:
    • IPsec initiation.
    • Key management.
    • Security negotiations.
    • Data transfer.
    • Termination.
  • Operates in two modes:
    • Transport mode.
    • Tunnel mode.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

  • SSL and TLS are protocols that encrypt and authenticate TCP/IP transmissions.
  • TLS is the successor to SSL; the pair is still widely referred to as SSL/TLS or TLS/SSL, but every SSL version is deprecated and only TLS (1.2 or later) should be enabled today.
  • When a client and server establish a TLS connection, they establish a unique session, which is an association between client and server.
  • The session is defined by an agreement on a specific set of encryption techniques (the cipher suite) and the keys derived for it.
  • A session is created by the TLS handshake protocol.
  • The handshake protocol allows the client to authenticate the server (and, optionally, the server to authenticate the client) using certificates.
  • This handshake is similar in spirit to a TCP three-way handshake, but it is a separate exchange that runs after the TCP connection has already been established.

Remote Access Protocols

  • Remote access is a service that allows a client to connect with and log on to a server, LAN, or WAN in a different geographical location.
  • Remote access requires a type of RAS (remote access server).
    • Dedicated devices.
    • Software running on a server.
  • Types of remote access include:
    • Remote file access.
    • Terminal emulation, also called remote virtual computing.
    • VPN (virtual private network).

Remote File Access

  • FTP (File Transfer Protocol) provides remote file access.
  • Three related technologies include the following:
    • FTPS (FTP Secure or FTP over SSL) offers an added layer of protection for FTP using SSL/TLS.
    • SFTP (SSH File Transfer Protocol) is a file-transfer protocol that runs over SSH, inheriting its encryption and authentication.
    • TFTP (Trivial FTP) is a simple protocol similar to FTP except that it includes no authentication or security for transferring files.

Terminal Emulation

  • A terminal emulator is software that allows a user on one computer (client) to control another computer (host or server).
  • Examples of command-line software: Telnet and SSH.
  • Examples of GUI-based software: Remote Desktop for Windows, join.me, VNC, TeamViewer.
  • Telnet is a terminal emulation utility that allows an administrator or other user to control a computer remotely.
    • It provides little security for establishing a connection (poor authentication).
    • It provides no security for transmitting data (no encryption).
  • SSH (Secure Shell) is a collection of protocols that provides for secure authentication and encryption.
    • Guards against a number of security threats like unauthorized access to a host, IP spoofing, interception of data in transit, DNS spoofing.
  • A secure connection requires SSH running on both client and server; SSH supports password authentication and, preferably, public key authentication using a generated public/private key pair.

VPNs (Virtual Private Networks)

  • A VPN is a network connection encrypted between its two endpoints, across the untrusted network in between, that creates a private connection to a remote network.
  • A VPN is sometimes referred to as a tunnel.
  • VPNs can be classified according to three models:
    • Site-to-site VPN.
    • Client-to-site VPN (also called host-to-site VPN or remote-access VPN).
    • Host-to-host VPN.

Remote Access Policies

  • Common requirements of a good remote access policy:
    • Remote access devices must be up to date with patches, anti-malware software, and a firewall.
    • Device access must be controlled by a strong password or biometric measures.
    • Passwords must be strong and must be changed periodically.
    • The device’s internal and external storage devices must be encrypted.
    • Company and customer data must be kept secure.
    • The loss or theft of any devices used for remote access must be reported immediately.
    • Encrypted VPN software must be used to remotely access company network resources.
    • While remotely connected to the company network, the device must not be connected to the open Internet or any other network not fully owned or controlled by the employee.
    • Remote sessions must be terminated when not in use.

Troubleshooting Network Issues

  • netstat displays TCP/IP statistics and details about TCP/IP components/connections on a host.
    • Information that can be obtained from the netstat command includes:
      • The port on which a TCP/IP service is running.
      • Which network connections are currently established for a client.
      • How many messages have been handled by an interface since it was activated.
      • How many data errors have occurred on a particular network interface.
  • tracert or traceroute:
    • Windows tracert utility uses ICMP echo requests to trace the path from one networked node to another, identifying all intermediate hops between the nodes.
    • Linux, UNIX, and OS X systems use the traceroute utility, which by default sends UDP messages to high-numbered destination ports (starting at 33434) that are unlikely to be in use, so the destination answers with an ICMP Port Unreachable message (the concept is otherwise the same as tracert).
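Worked example, added here and not the textbook's code: how tracert and traceroute discover a path by sending probes with increasing TTL and reading the ICMP reply, simulated in Python over a constructed list of router addresses (nothing is transmitted). It is simplified to one probe per hop, where the real tools send three; the ICMP type/code values are the real ones, and it shows the two cases the tools print as "*": a router that does not report expired TTLs and a UDP probe that lands on a listening port.

```python
"""How tracert and traceroute map a path: one probe per TTL, then read the ICMP reply.

Added example (not the textbook's code). The network is a constructed list of
router addresses and nothing is transmitted. Simplified to one probe per hop
(real tools send three); the ICMP type/code values are the real ones.
"""
from dataclasses import dataclass

ICMP_ECHO_REPLY = (0, 0)            # answer to an ICMP echo request (Windows tracert)
ICMP_PORT_UNREACHABLE = (3, 3)      # answer to a UDP probe on a closed port (Unix traceroute)
ICMP_TIME_EXCEEDED = (11, 0)        # TTL reached zero in transit

# Constructed path from the probing host: default gateway first, destination last.
PATH = ["192.0.2.1", "198.51.100.1", "198.51.100.9", "203.0.113.7"]
FIRST_UDP_PORT = 33434              # traceroute's traditional starting port, unlikely to be listening


@dataclass
class Probe:
    ttl: int
    proto: str        # "icmp" or "udp"
    dport: int = 0    # only meaningful for UDP probes


def forward(probe, path, filtered=frozenset(), open_ports=frozenset()):
    """Carry the probe along the path and return (responder, (icmp_type, icmp_code)).

    (None, None) means no reply came back, which the tools print as '*'."""
    ttl = probe.ttl
    for router in path[:-1]:
        ttl -= 1                                   # each router decrements TTL before forwarding
        if ttl == 0:
            # The datagram is discarded; the router reports it unless configured not to
            return (None, None) if router in filtered else (router, ICMP_TIME_EXCEEDED)
    destination = path[-1]
    if probe.proto == "icmp":
        return destination, ICMP_ECHO_REPLY
    if probe.dport in open_ports:
        return None, None                          # a listening UDP service consumes the probe silently
    return destination, ICMP_PORT_UNREACHABLE


def traceroute(path, proto, max_hops=30, filtered=frozenset(), open_ports=frozenset()):
    """Return [(ttl, responder or '*', (type, code) or None), ...] up to the destination."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Probe(ttl, proto, dport=FIRST_UDP_PORT + ttl - 1)   # traceroute bumps the port per probe
        responder, kind = forward(probe, path, filtered, open_ports)
        hops.append((ttl, responder or "*", kind))
        if kind in (ICMP_ECHO_REPLY, ICMP_PORT_UNREACHABLE):
            break                                  # the destination itself answered; the path is complete
    return hops


def demo():
    windows_style = traceroute(PATH, "icmp")
    unix_style = traceroute(PATH, "udp", filtered={"198.51.100.1"})   # one router never sends Time Exceeded
    return windows_style, unix_style


if __name__ == "__main__":
    for name, hops in zip(("tracert (ICMP)", "traceroute (UDP)"), demo()):
        print(name)
        for ttl, who, kind in hops:
            print(f"  {ttl:>2}  {who:<15} {'' if kind is None else f'ICMP type {kind[0]} code {kind[1]}'}")
```

The ICMP run lists all four hops, Time Exceeded from each router and an Echo Reply from the destination. The UDP run shows hop 2 as "*" because that router was told not to report expired TTLs, then finishes with Port Unreachable from the destination. Passing open_ports={33437} makes the fourth probe vanish instead, and the trace only completes on the next probe because traceroute moves to a new port each time; this is the reason to target a node beyond a suspect router rather than the router itself when diagnosing hardware, since a device that answers nothing is indistinguishable from one that is down.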

Solving Common Network Problems

  • Duplicate MAC Addresses:
    • Two devices on the same network with the same MAC address are a problem: the switch cannot tell which port should receive frames for that address.
    • MAC addresses can be impersonated, which is a security risk called spoofing.
    • It happens most often when managing multiple virtual devices on a large network.
    • Most switches will detect the problem and produce helpful error messages.
    • Then it’s a matter of tracking down which virtual devices share the MAC address and updating each device’s configuration.
  • Hardware Failure - when a router, switch, NIC, or other hardware goes down:
    • Use tracert or traceroute to track down malfunctioning routers and other devices on larger networks.
    • Get more accurate trace feedback on a questionable router by targeting a node on the other side of that router, rather than aiming for that router itself.
    • Use ping to test for network connectivity.