Network Fundamentals Pt.2

Any1
Forbidden Security
Published in
21 min read · Oct 3, 2021


Disclaimer: This article is meant to be long with the aim of truly getting concepts across to readers, and compiling simple yet valuable networking concepts for beginners.

In the last article we covered what a network is, endpoint & network devices, and we also took a look at both the physical and logical sides of a network. At the very end, I spoke briefly about how the logical side of network data is divided into layers, with each layer containing its own set of protocols. I gave a brief example of these protocols called IP & TCP (Internet Protocol & Transmission Control Protocol). Here, we’re going to be taking a look at these different layers, the protocols these layers contain, the significance they hold, and the role each of them play in network communication.

THE DATA (logical side)

Previously, we talked a lot (or I did) about networks and what makes up a network, but we never really popped the “front-hood” open and had a look at what’s underneath — you know what I’m talking about, I’m talking about the “candy of a wrapper”, the “drop of a beat”, the “crème de la crème”; I’m talking about the “essence of a network”. In the essence of network communication lies the data itself, but what does that data contain?

First and foremost, it contains the intended message that was meant to be sent by the server or received by the client. In the technical-sense we (hackers) call that the “payload”. Moreover, when you opened this page/article on your web-browser the text itself was the core message, and that is exactly what the payload is (in this case), the text itself.

Next we have (and this is the spicy part) what’s technically referred to as the “overhead”. The overhead here refers to chunks of data that attach themselves onto the payload and contain essential information required for the successful delivery of the payload on a network. Remember when we discussed how the logical side of a network has layers: those layers are what form the chunks of data referred to as the overhead. You can also think of the overhead as all the essential metadata that is required to find, fetch or deliver the payload or intended message. In addition, it can be seen as the cost of communicating on a network, and that is actually the most accurate definition of the term (generally speaking).

If only we were able to put these layers (the overhead/data chunks) under a hypothetical microscope, I wonder what we’d see… Well fortunately for you, and for the sake of better understanding network communication something similar has already been done. There are several educational models that exist to accomplish that very task — two of these models will be the focus of this article. One is called the OSI or “Open Systems Interconnection” Model and the other is the “TCP/IP” or “DOD” Model.

Briefly On Data Encapsulation & De-encapsulation

Before I start breaking down the models I want you to keep in mind a couple of things:

Imagine if you were hiding something inside a Matryoshka doll.

Credits to ponychops “Christmas themed Russian Dolls 2” (Deviantart)

First you would have to put the object inside the bottom base of the inner-most doll & then you would have to close/encapsulate the object with the upper base of the doll. After which, you would have to put every other doll one by one from the inner-most doll to the outer-most doll until you end up with one big Matryoshka doll. Furthermore, if you were taking the doll apart you would reverse the process till you got to the object hidden inside it. In this analogy, the object you’re hiding represents the payload data, the upper-half of the doll represents the overhead/data-chunk header that attaches to the payload, the lower half of the doll represents the trailer (when applicable), and each whole doll of a different size represents a new & complete data chunk called a PDU or Protocol Data Unit.

Similarly, when data is traveling from “point to point” it is constantly getting encapsulated (when sent) or de-encapsulated (when received), at each layer of either model before it is sent out on the wire or in the air. What does that really mean? It simply means that when you want to send a message or make any type of communication to other devices on a network you will be sending your intended/core message or payload as well as several subsequent pieces of protocol data (overhead) that are attaching themselves onto our payload to get the message through. So, what happens is that our payload data will remain intact while different chunks of overhead data get attached to it forming what we call a “Protocol Data Unit” or PDU. I want you to think about this happening in steps or layers — which is exactly what the models you will see below are there to show you. A PDU is formed at each layer of the OSI model with sub-layers (when applicable) and protocol data inside of it. A sub-layer is the division of one layer into two other layers containing overhead data or more specifically protocol data.

When the first PDU is formed (at layer 7) the data has already gone through its first layer, and then proceeds to the next layer where more essential protocol/overhead data is attached (encapsulated), forming a newer PDU. The same thing keeps happening as the data passes through all the layers, and it is then sent over several networks from one point to the next (point to point) until it finally reaches the destination network, where it is de-encapsulated completely. (Routers along the way only peel back to layer 3, read the destination IP, and re-encapsulate the packet in a fresh layer 2 frame for the next hop.) De-encapsulation is the process I just described above but in reverse: starting from layer 1 all the way up to layer 7 until it reaches the payload. Different PDUs in different layers are distinguishable by name. For example the PDU formed at layer 4 is called a “Segment” (or a “Datagram” for UDP), at layer 3 a “Packet”, at layer 2 a “Frame”, and at layer 1 “Bits”.

Keep in mind that these models are conceptual in nature, and do not represent every type of network data exchange that occurs. Despite that, they are still a standard, and a crucial stepping stone for every beginner (especially an aspiring ethical-hacker or network engineer) looking to really understand network data exchange and communication.

OSI & TCP/IP Models

The figure that belongs here (not reproduced in this copy) has the OSI model on the left with its seven layers (1–7), the TCP/IP model on the right with its four layers (1–4), and a list of the protocols the two share in the middle. In short, the two models line up like this: OSI layers 5–7 (Session, Presentation, Application) collapse into the single TCP/IP Application layer (HTTP/HTTPS, DHCP); OSI layer 4 is the Transport layer in both (TCP, UDP); OSI layer 3 is the TCP/IP Internet layer (IP, ICMP and, depending on who you ask, ARP); and OSI layers 1–2 together form the TCP/IP Network Access (Link) layer (Ethernet, Wi-Fi). Take the time to really absorb both models and their shared protocols, because this will be the base for understanding the medium upon which hacking takes place.

Model Breakdown

When it comes to the OSI model we have a total of 7 layers. Each layer is made up of one or more protocol(s) and sometimes error-check or integrity-check mechanisms that make sure the payload arrived without errors or data loss. Most commonly, you will see such mechanisms implemented in layers 2 (the frame check sequence) and 4 (TCP’s checksum, sequence numbers and acknowledgments). Note that these checks catch accidents, not attackers: anyone who can rewrite the data on the wire can recompute the check value too, so deliberate tampering is only caught by cryptographic integrity checks at higher layers (TLS, for instance).

Consider that the sequence I’m moving in to explain each model is the sequence of de-encapsulation, which breaks down the PDU from layers 1–7 instead of layers 7–1 (encapsulation). Hence why there will be other PDUs inside an already existing PDU as you will see below…

1- PHYSICAL LAYER

At the physical layer or layer 1 we have most physical network interface devices or components that are made to certain specifications. For example if you were to make a direct connection from your computer to your router you would use an Ethernet cable, and you would find that your computer also has an Ethernet port to complete the connection. This connection was made possible through the Ethernet specification, which is a layer 1 & layer 2 standard. Additionally, if you were to make a wireless connection then you would be connecting wirelessly to your router through the Wi-Fi specification, which is also a layer 1 & 2 standard. These specifications are collectively agreed upon by the vendors that manufacture these devices to create a standard that makes it easier for everyone to connect to the Internet & communicate with each other in the same way, without complications or limitations for end users. The IEEE or “Institute of Electrical and Electronics Engineers” is a professional institution that creates such standards (many of which are also adopted by ISO, the “International Organization for Standardization”) and refers to them with numbers. Most notably the IEEE 802 family of LAN standards, where IEEE 802.3 is the Ethernet standard & IEEE 802.11 is the Wi-Fi standard (IEEE 802.2, which you will meet below, defines the LLC sub-layer that sits on top of both).

Note that standardization is not only the case in this layer, but throughout all of the OSI model or even the TCP/IP model. Also note that most network devices operate at more than one layer: a router has layer 1 ports, does layer 2 framing on each of them, and does its real work at layer 3.

Moving bits over a physical medium (electrical signals on copper, light on fibre, radio waves in the air) by interfacing with the NIC inside your device is the only thing this layer knows. For this reason the only devices that are exclusively layer 1 are repeaters & hubs. A repeater simply regenerates and re-transmits whatever signal it receives (wired or wireless) without any regard to who it’s meant for, and a hub is just a multi-port repeater: every bit that comes in on one port goes out on all the others. That is exactly why anyone plugged into a hub can sniff everyone else’s traffic, and why switches replaced them.

To sum up, this layer is responsible for pushing raw bits across a physical medium between two directly connected interfaces, whether that link sits inside your LAN or private network (local area network/Intranet) or is the link from your router out towards a WAN or public network (wide area network/Internet). The data is traveling in the form of bits at this layer.

A layer 1 PDU | “Bits”

2- DATA-LINK LAYER

At layer 2 or the Data-Link layer we have two sub-layers the MAC (“Media Access Control”) and the LLC (“Logical Link Control”) sub-layers. After which comes the previously encapsulated layer 3 PDU “Packet” (containing previous protocol data and the payload/user-data) followed by a trailer containing error-checking code (FCS) forming our layer 2 PDU called a “Frame”. It looks something like this:

A layer 2 PDU | “Frame”

2.1- MAC SUB-LAYER

The MAC sub-layer deals in MAC (physical/hardware) addresses: a 48-bit number, written as six groups of two hexadecimal digits (12 hex digits in total), assigned to each of your network card(s) by its manufacturer. The first three bytes are the OUI (Organizationally Unique Identifier) that identifies the vendor and the last three are chosen by that vendor. The address is meant to be globally unique, but it is only a value stored on the card, and most operating systems let you override it.

This is what a MAC address looks like

It is a NIC identifier or NIC address that any network endpoint device has. The main role this sub-layer accomplishes (through MAC addressing) is to uniquely identify each network interface on a local network (LAN or WLAN) so that layer 2 devices (switches/bridges) can deliver a frame to that exact device. Think of it this way: your IP address (when assigned or leased) says which host on which network you are, and the MAC address is what the frame carrying that IP packet is actually delivered to on the local link. If you pop open a network analyzer such as “Wireshark” to dissect the network data activity you will most definitely see your MAC address in the mix of it all. For the sake of clarity, it’s essential for you to know that network devices (such as routers) also have MAC addresses, one per interface, because each interface is an embedded NIC. Note that this layer marks the transition from physical to logical.

2.2- LLC SUB-LAYER

On the other hand, the LLC or “Logical Link Control” sub-layer holds the responsibility of establishing either a connection-less or a connection-oriented data exchange/transfer. What does that mean? Whenever you see these two terms it’s important that you recognize that we are talking about data transmission or simply the transfer of data. I will only briefly discuss this sub-layer as the rest of the info on it would be out-of-scope for this article.

Important Note: Before most payload data is sent on a network it is first segmented (divided) into several parts/pieces & then each divided part is encapsulated by the sender before it is de-encapsulated by the receiver and then put together by the receiving end or intended recipient.

> A connection-oriented data exchange simply means that a connection (virtual circuit) is established, maintained, & agreed upon before the payload data starts traveling across different ends of the network. We will take a closer look at this in Layer 4 with TCP.

>A connection-less data exchange is the opposite & does not care about establishing & maintaining a connection. In this type of exchange the payload data is simply sent and the sender’s job is done without making sure the data was received, & thus it is not a reliable data communication method. An example of this method of exchange is UDP, which we will also take a closer look at in Layer 4.

Lastly, this layer has a field located at the end (the “trailer”) of the frame that is responsible for error-checking: the FCS (Frame Check Sequence). The sender computes a checksum over the whole frame, most commonly a CRC (Cyclic Redundancy Check; Ethernet uses CRC-32), and stores it in the trailer; the receiver recomputes it during de-encapsulation and silently discards the frame if the two values don’t match. Note that a CRC only catches accidental corruption (noise, a bad cable); it is not a security mechanism, since anyone who can modify the frame can simply recompute the CRC.
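The Matryoshka-doll encapsulation from earlier and the frame/FCS description just above, as an added example (not code from the article or its author): a UDP datagram is wrapped in an IPv4 packet, which is wrapped in an Ethernet frame with a CRC-32 FCS, and the receiver then peels the layers back off, rejecting the frame if one bit was flipped. The addresses and the payload are constructed for the example, and the helper names are my own.

```python
import struct
import zlib

# Constructed sample addresses for the example (not taken from the article).
SRC_MAC, DST_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SRC_IP, DST_IP = "192.168.1.10", "192.168.1.20"
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def internet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port, dst_port, payload):
    """Layer 4 PDU: 8-byte UDP header + payload (checksum 0 = not computed)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip, dst_ip, proto, payload):
    """Layer 3 PDU: 20-byte IPv4 header (no options) + the layer 4 PDU."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_frame(src_mac, dst_mac, ethertype, payload):
    """Layer 2 PDU: Ethernet II header + packet + 4-byte FCS trailer (CRC-32)."""
    body = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)  # FCS goes on the wire least significant byte first


def decapsulate(frame):
    """Peel the frame apart layer by layer, checking the FCS and the IP checksum on the way."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch: frame corrupted, would be dropped")
    dst_mac, src_mac = bytes_to_mac(body[:6]), bytes_to_mac(body[6:12])
    ethertype = struct.unpack("!H", body[12:14])[0]
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    ip_hdr = packet[:ihl]
    if internet_checksum(ip_hdr) != 0:            # a header with a valid checksum sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "frame": {"dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype},
        "packet": {"src_ip": bytes_to_ip(ip_hdr[12:16]), "dst_ip": bytes_to_ip(ip_hdr[16:20]),
                   "ttl": ip_hdr[8], "proto": ip_hdr[9]},
        "datagram": {"src_port": src_port, "dst_port": dst_port},
        "payload": segment[8:udp_len],
    }


def mac_flags(mac):
    """Two low bits of the first octet: multicast (bit 0) and locally administered (bit 1)."""
    first = mac_to_bytes(mac)[0]
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def fcs_detects_bit_flip(frame, byte_index=20):
    """Flip one bit inside the packet and confirm the receiver rejects the whole frame."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    try:
        decapsulate(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    frame = build_frame(SRC_MAC, DST_MAC, ETHERTYPE_IPV4,
                        build_ipv4(SRC_IP, DST_IP, IPPROTO_UDP, build_udp(40000, 53, b"hello")))
    print(len(frame), "bytes on the wire for a 5-byte payload")
    print(decapsulate(frame))
```

The 5-byte payload becomes 51 bytes on the wire: 14 bytes of Ethernet header, 20 of IPv4, 8 of UDP and a 4-byte FCS is the “overhead” the text talks about. The `mac_flags` helper shows where the locally-administered bit lives, which is the bit that gets set when an address has been overridden by software rather than burned in by the vendor.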

A practical demonstration of the significance of the data-link layer is the switch (a layer 2 device). A switch learns which MAC address lives behind which port by looking at the source MAC of every frame that comes in, stores that in its MAC address table (also called a CAM table), and then forwards each frame only out of the port that matches the frame’s destination MAC. If it hasn’t learned the destination yet it floods the frame out of every port except the one it came in on. Note that the switch’s own MAC address plays no part in forwarding; as far as the frame is concerned the switch is invisible.

Finally, if you’re still having trouble seeing the difference between IP & MAC addresses, remember that IP (a layer 3 protocol) is the address typically used to find a specific network or network node, & the MAC (layer 2) is the address typically used to find a specific machine/device inside that network, where the IP of that device is linked to its MAC address. Furthermore, ARP (Address Resolution Protocol) caches (tables) record which MAC address currently answers for which IP, and are filled in and updated through ARP requests and replies. When a device sends an ARP request it’s almost quite literally saying: “Okay, so I have this IP. What is its MAC address?”, and the device that owns that IP replies with its MAC. Every IP host keeps an ARP cache, routers included; a plain layer 2 switch only needs its MAC address table. If you must know, ARP is often filed under layer 3 (OSI), but you’ll find other sources arguing that it’s a layer 2 protocol; from my perspective it lies in between, as it ties the two layers (IP and MAC) together.
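The ARP exchange described above, as an added example (my code, not the article’s): the 28-byte ARP message for IPv4 over Ethernet is built and parsed, and a small `ArpCache` class (a hypothetical name) plays one host that answers requests for its own IP and remembers what it learns. Addresses are constructed. Because ARP carries no authentication, the cache also records whenever an existing IP-to-MAC entry is overwritten by a different MAC, which is the signal a defender looks for.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP message for IPv4 over Ethernet (htype 1, ptype 0x0800, hlen 6, plen 4)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(data):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": mac(data[8:14]), "sender_ip": ip(data[14:18]),
            "target_mac": mac(data[18:24]), "target_ip": ip(data[24:28])}


class ArpCache:
    """One host's ARP cache plus the logic that answers requests for its own IP."""

    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.table = {}        # ip -> mac
        self.changes = []      # (ip, old_mac, new_mac) whenever an existing entry is overwritten

    def lookup(self, ip):
        return self.table.get(ip)

    def learn(self, ip, mac):
        old = self.table.get(ip)
        if old is not None and old != mac:
            # ARP has no authentication: a mapping that suddenly changes is what
            # ARP spoofing looks like from the victim's side, so log it.
            self.changes.append((ip, old, mac))
        self.table[ip] = mac

    def handle(self, data):
        """Process one incoming ARP message; return the reply bytes if one is owed."""
        msg = parse_arp(data)
        self.learn(msg["sender_ip"], msg["sender_mac"])
        if msg["op"] == ARP_REQUEST and msg["target_ip"] == self.my_ip:
            return build_arp(ARP_REPLY, self.my_mac, self.my_ip, msg["sender_mac"], msg["sender_ip"])
        return None

    def request_for(self, ip):
        """'I have this IP, what is its MAC?' (broadcast on the wire; target MAC left as zeros)."""
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, ip)
```

Real stacks are pickier about when they create or refresh an entry than this toy cache is, but the shape is the same: a request goes out as a broadcast frame, the owner replies unicast, and both ends end up with an entry for the other.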

3- NETWORK LAYER

Layer 3 or the Network layer has three main responsibilities, but unlike layer 2 it doesn’t really have any sub-layers in its packet (PDU).

A layer 3 PDU | “Packet”

Its first role is packet forwarding, which involves sending packets from one node to the next across different network segments until the packets reach the desired network segment. A network segment is a part/fraction of a LAN, since LANs in every corporation or office are usually sub-netted, which (again) means the network is cut up into several pieces just like a pizza usually is. “Sub-netting” is the technical word used to express the division of a network through IP: the subnet mask, or prefix length (the /24 in 192.168.1.0/24), says which bits of an address name the network and which bits name the host inside it.

Its second role is network routing, which defines how networks will route the data to get to the desired recipient or end-point device. Specifically this refers to the routing protocols (or manually configured static routes) used to direct the information from one router (layer 3 device) to the next until the data reaches the correct network. Why is this necessary? Well, for starters a router can usually only see (by default) the networks it is immediately connected to, physically or wirelessly.

So, for example, if you had three routers (A, B, and C) connected in a chain, where Router A is connected to Router B & Router B is connected to Router C, then Router A would typically only be able to send data to Router B, & Router C would only be able to send data to Router B as well. The only router that would be able to see and send to both is Router B. Why is that? The answer is simple! Only Router B is directly connected to both, and thus able to see & send to both without the use of any routing protocols. Furthermore, the only way we would be able to send data from Router A to C would be by routing the data to B and then, through that node (Router B), handing it over to C. Hence, that is where our precious routing protocols come into play. A routing protocol shares information about the network topology (that we briefly talked about in Pt.1 of “Network Fundamentals”) with neighboring routers so that every router learns about networks it is not directly connected to, and each router then chooses the best route according to the metric its routing protocol uses (hop count, link cost, and so on).
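The A-B-C chain above, plus the sub-netting from the paragraph before it, as an added example (my code, not from the article): a minimal distance-vector exchange lets each router learn the networks behind its neighbours, after which Router A resolves a destination behind C to “next hop B” by longest-prefix match. The 10.0.x.x networks and the `Router` class are constructed for the example; the standard library’s `ipaddress` module does the subnet arithmetic.

```python
import ipaddress


def same_subnet(ip_a, ip_b, prefix_len):
    """Two hosts are on the same network segment if their addresses share the network part."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefix_len}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefix_len}").network
    return net_a == net_b


def carve_subnets(network, new_prefix):
    """Cut one network into equal slices (the 'pizza' in the text)."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


class Router:
    def __init__(self, name, connected_networks):
        self.name = name
        self.neighbors = []
        # routing table: network -> (next-hop router name, or None if directly connected, metric)
        self.table = {ipaddress.ip_network(n): (None, 0) for n in connected_networks}

    def link(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def advertise(self):
        """What a distance-vector protocol tells its neighbours: every known network and its metric."""
        return {net: metric for net, (_, metric) in self.table.items()}

    def receive(self, from_router, advertisement):
        """Install a route via the advertising neighbour when it beats what we already have."""
        changed = False
        for net, metric in advertisement.items():
            candidate = (from_router.name, metric + 1)      # one more hop, through the neighbour
            current = self.table.get(net)
            if current is None or candidate[1] < current[1]:
                self.table[net] = candidate
                changed = True
        return changed

    def next_hop(self, destination_ip):
        """Longest-prefix match: the most specific matching route wins. None means 'no route'."""
        ip = ipaddress.ip_address(destination_ip)
        matches = [(net, hop) for net, (hop, _) in self.table.items() if ip in net]
        if not matches:
            return None
        net, hop = max(matches, key=lambda m: m[0].prefixlen)
        return "direct" if hop is None else hop

    def route_summary(self):
        return {str(net): (hop, metric) for net, (hop, metric) in self.table.items()}


def converge(routers):
    """Exchange advertisements until no table changes; returns the number of rounds it took."""
    rounds = 0
    while True:
        rounds += 1
        changed = False
        for r in routers:
            for n in r.neighbors:
                changed = n.receive(r, r.advertise()) or changed
        if not changed:
            return rounds


def build_chain():
    """The A - B - C chain from the text, with a LAN hanging off A and off C (constructed addresses)."""
    a = Router("A", ["10.0.1.0/24", "10.0.12.0/30"])
    b = Router("B", ["10.0.12.0/30", "10.0.23.0/30"])
    c = Router("C", ["10.0.23.0/30", "10.0.3.0/24"])
    a.link(b)
    b.link(c)
    return a, b, c
```

Before `converge` runs, A has no route at all for 10.0.3.5 and would drop the packet (a real router would send an ICMP error, see below); afterwards it has a two-hop route via B, and C has learned the symmetric route back.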

Unfortunately, this is all I will cover on network routing protocols for this article, but if you are curious on the subject I do encourage you to do more research on your own.

3.1- Internet Protocol (IPv4, IPv6)

As you now know any device or node that communicates on a network needs an IP address. There are two common ways your device gets assigned an IP address in a LAN environment: the manual way (static IP) or the automatic way (DHCP, the Dynamic Host Configuration Protocol).

>>The manual method involves assigning an IP address yourself, in which case the IP address will be reserved to the device and will not change unless you change it yourself. Hence why it’s referred to as a “static IP”.

>>The automatic method is the more common way most devices get an IP address and it involves a layer 7 (Application layer) protocol called DHCP. Briefly, DHCP will assign or lease your device a temporary IP address that will expire after a time. This built-in system (that DHCP defaults to) was put in place in order to keep IP addresses available and in order to not run out of them…in case your device goes dormant and never connects to the network again. Another important function of DHCP is to avoid IP address conflicts. A conflict will occur when two devices have the same IP address which is a big problem that goes against the whole concept of addresses to begin with.
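The lease behaviour just described, as an added example (my model, not the article’s or any real DHCP server’s code): a `DhcpPool` class (hypothetical name) hands out addresses from a constructed 192.168.1.0/30 range with a fixed lease time, renews a returning client on its old address, reclaims addresses whose lease ran out, and reports the address conflict the text warns about. Time is passed in as a plain number so the example runs without waiting.

```python
import ipaddress


class DhcpPool:
    """A toy model of a DHCP server's address pool: leases expire, renew and get reused."""

    def __init__(self, network, lease_seconds, reserved=()):
        hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.free = [h for h in hosts if h not in reserved]   # e.g. the router's own static IP
        self.lease_seconds = lease_seconds
        self.leases = {}                                      # ip -> (client mac, expiry time)

    def expire(self, now):
        """Reclaim addresses whose lease ran out (the client went dormant and never renewed)."""
        for ip, (_, expires_at) in list(self.leases.items()):
            if expires_at <= now:
                del self.leases[ip]
                self.free.append(ip)

    def lease(self, mac, now):
        """Hand out (or renew) an address for this client; None if the pool is exhausted."""
        self.expire(now)
        for ip, (holder, _) in self.leases.items():
            if holder == mac:                                 # renewal keeps the same address
                self.leases[ip] = (mac, now + self.lease_seconds)
                return ip
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[ip] = (mac, now + self.lease_seconds)
        return ip

    def conflicts(self, ip, mac):
        """True if `ip` is currently leased to a different client than `mac`."""
        holder = self.leases.get(ip)
        return holder is not None and holder[0] != mac
```

The classic way to trigger `conflicts` in real life is to give a machine a static IP that sits inside the DHCP pool: the server has no idea the address is taken and may lease it to someone else, which is why static addresses are normally reserved out of the pool, as the `reserved` argument does here.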

Moving on, it is important to note that there are two versions of Internet Protocol (IP): IP version 4, which is still the most commonly used, and IP version 6. The general difference between the two is the address itself: IPv4 addresses are 32 bits long (about 4.3 billion possible addresses, fewer once reserved and private ranges are taken out), while IPv6 addresses are 128 bits long, which is why IPv6 was designed as the upgrade meant to solve the limited number of addresses IPv4 offers.

3.2- NAT and A Brief History on Internet Protocol

Historically, when IP & the Internet were first created to send data on networks they were not designed for the scale they eventually reached. The 32-bit IPv4 address space looked like plenty at the time, so enormous blocks were handed out to early adopters (universities, large corporations and government bodies), and once the Internet as we know it started to take shape there weren’t nearly enough addresses left to give one to every device in every household, with both the population and the number of devices per person growing. What was the solution to this ever-growing problem? The solution is in the title: NAT, or Network Address Translation (with IPv6 as the long-term fix).

Have you ever wondered why (if ever) the IP you are assigned on your LAN or private network has almost no significance on the actual web/Internet? The answer (again!) is NAT. NAT separates the IP you are assigned by your router (a private IP from the ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, which are never routed on the public Internet) from the IP your router is given by your ISP (Internet Service Provider), the public IP. When a device on the LAN sends a packet to the outside world, the NAT-enabled router rewrites the packet’s private source IP (and usually its source port) to its own public IP before forwarding it to the ISP, remembers that mapping in a translation table, and when the reply comes back it rewrites the destination back to the private IP and port and hands the packet to the right device. Only one public IP per household or ISP subscription is consumed this way, however many devices sit behind the router, which is how NAT eased the scarcity problem. A side effect worth knowing: unsolicited inbound connections have no entry in the table and are simply dropped, which is why you can’t reach a LAN device from the Internet without setting up port forwarding.
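The translation table described above, as an added example (my code, not the article’s): a `NatRouter` class (hypothetical name) does port-based NAT the way a home router does, so two LAN hosts that both use source port 5000 still get distinct mappings, replies are rewritten back to the right private host, and a packet from the Internet that matches no mapping is dropped. Packets are plain dicts, the public IP 203.0.113.7 and the remote 198.51.100.20 are constructed (documentation ranges), and the private ranges are the RFC 1918 ones.

```python
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class NatRouter:
    """Port-based NAT (NAPT) as a home router does it: many private hosts share one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (priv ip, priv port, dst ip, dst port, proto) -> public port
        self.inbound_map = {}    # (public port, remote ip, remote port, proto) -> (priv ip, priv port)

    def translate_outbound(self, pkt):
        """LAN -> Internet: rewrite the private source to the public IP and a fresh public port."""
        if not is_private(pkt["src_ip"]):
            raise ValueError("NAT only translates private source addresses")
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt["dst_ip"], pkt["dst_port"], pkt["proto"])] = (pkt["src_ip"], pkt["src_port"])
        return dict(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def translate_inbound(self, pkt):
        """Internet -> LAN: only packets matching an existing mapping get through."""
        key = (pkt["dst_port"], pkt["src_ip"], pkt["src_port"], pkt["proto"])
        target = self.inbound_map.get(key)
        if target is None:
            return None          # unsolicited: no table entry, so the router drops it
        return dict(pkt, dst_ip=target[0], dst_port=target[1])
```

Real routers also time mappings out and may key them more loosely than the full 5-tuple used here, but the security-relevant behaviour is the same: the table is only ever populated by outbound traffic, so “being behind NAT” acts as an accidental inbound filter.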

The Network layer’s third & final role is providing one uniform network interface that the upper layers of the OSI model (Transport, Session, Presentation & Application) rely on without having to worry about which physical interface (Ethernet, Wi-Fi, etc.) the packet will leave through. Without this, programmers would have to write a different version of every networked application for each kind of link.

3.3- Internet Control Message Protocol (ICMP)

Now that we’ve established what the main roles of the network layer are, and that its PDU travels in the form of packets (or datagrams), it’s essential that we explore the different kinds of packets this layer sends.

ICMP messages travel as the payload of an IP packet (IP protocol number 1), right after the IP header, and their role is to provide feedback, or act as a messaging/error-reporting service, within this layer. If you’ve ever used the ping tool (the name comes from sonar; it is not an acronym) you should know that it sends ICMP Echo Request messages and waits for Echo Replies to tell us whether there is end-to-end connectivity, physical and logical, to a host. In the same way, ICMP informs the sending device/host when the data it is sending was not able to reach its destination at this layer.

Let’s take for example Alice & Bob. Let’s say that Alice is trying to reach Bob with a certain message on a local/intra network. In order for the message to reach Bob it has to go through 2 different routers, & if for whatever reason one of the routers was unable to relay the packets intended for their recipient then it will send back an ICMP “Destination Unreachable” message informing the sending host that the destination host is unreachable. That message quotes the IP header (and the first few bytes) of the packet that failed, which is how Alice’s machine knows which of its packets the error refers to. Depending on what application you’re using you might be able to see this message directly, or a higher-level application triggers a different error telling you to check your connectivity. There are many different reasons why ICMP messages can be sent and I will not be covering them in this article, but again I do encourage you to research the different cases on your own.
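Both ICMP messages mentioned above, as an added example (my code, not the article’s): the Echo Request that ping sends, and the Destination Unreachable message a router sends back, which quotes the failed packet’s IP header plus the first 8 bytes of its payload. The Internet checksum that covers every ICMP message is implemented rather than assumed, and a parser that rejects a corrupted message is included. The IP header in the example is constructed, and the helper names are mine.

```python
import struct

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST = 0, 3, 8
UNREACHABLE_CODES = {0: "network unreachable", 1: "host unreachable", 3: "port unreachable"}


def internet_checksum(data):
    """RFC 1071 one's-complement sum; a message carrying a valid checksum sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest_of_header, body):
    """type(1) code(1) checksum(2) rest-of-header(4) + body; checksum covers the whole message."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest_of_header)
    csum = internet_checksum(hdr + body)
    return struct.pack("!BBHI", icmp_type, code, csum, rest_of_header) + body


def build_echo_request(identifier, sequence, payload):
    """What ping sends: identifier and sequence number share the rest-of-header field."""
    return build_icmp(ECHO_REQUEST, 0, (identifier << 16) | sequence, payload)


def sample_ipv4_header(src_ip, dst_ip, proto):
    """Constructed 20-byte IPv4 header (checksum left zero) standing in for the packet that failed."""
    to_b = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, to_b(src_ip), to_b(dst_ip))


def build_dest_unreachable(code, original_packet):
    """What a router sends back: rest-of-header is unused (zero) and the body quotes the original
    IP header plus the first 8 bytes of its payload, so the sender can tell which packet failed."""
    ihl = (original_packet[0] & 0x0F) * 4
    return build_icmp(DEST_UNREACHABLE, code, 0, original_packet[:ihl + 8])


def checksum_ok(msg):
    return internet_checksum(msg) == 0


def parse_icmp(msg):
    if not checksum_ok(msg):
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _, rest = struct.unpack("!BBHI", msg[:8])
    out = {"type": icmp_type, "code": code, "body": msg[8:]}
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        out["identifier"], out["sequence"] = rest >> 16, rest & 0xFFFF
    elif icmp_type == DEST_UNREACHABLE:
        ihl = (msg[8] & 0x0F) * 4
        orig = msg[8:8 + ihl]
        out["reason"] = UNREACHABLE_CODES.get(code, f"code {code}")
        out["original_dst"] = ".".join(str(b) for b in orig[16:20])
        out["original_proto"] = orig[9]
        out["original_ports"] = struct.unpack("!HH", msg[8 + ihl:8 + ihl + 4])  # TCP/UDP src, dst
    return out
```

The quoted header is the whole point of the error message: the sending host matches `original_dst`, `original_proto` and `original_ports` against its open sockets to decide which application gets told “host unreachable”.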

4- TRANSPORT LAYER

As the name suggests this layer is basically the shuttle bus of network communication. Its main job is to carry data from the sending application to the receiving application (end to end, as opposed to layer 3, which gets packets from host to host). This is accomplished through the use of 2 main protocols: one that is connection-oriented and reliable, TCP or Transmission Control Protocol, & one that is connection-less and unreliable, UDP or User Datagram Protocol. On a fundamental level, both TCP & UDP identify the sending and receiving applications through the use of ports.

4.1- Briefly on Ports

If you’ve never heard of ports before, think of a port as the layer 4 equivalent of what an IP is on the Network layer (layer 3). A port is like the room number, floor, or door of any application or service that communicates over the Internet (or any network for that matter). Without a port the data wouldn’t know which application to go to when it gets to an end-point device! With that in mind, you must also know that there are standardized or “well-known” ports for the common services and network-capable technologies we use on a daily basis. Take for example a website: when you try to load any website you are communicating with a web server not only through an IP address but also over a port. If the protocol in use is HTTPS (HTTP carried over a TLS-encrypted connection, as opposed to plain unencrypted HTTP, which typically uses port 80 or 8080) then the server’s port will usually be 443. Keep in mind that on the Internet a public IP address is unique, while the server port stays 443 for every HTTPS website; your own side of the connection uses a random high “ephemeral” source port, and it is the combination of source IP, source port, destination IP and destination port that makes each connection unique.

4.2- TCP (Transmission Control Protocol)

Now let’s talk about what makes TCP unique and reliable. A large part of why TCP is considered a reliable & connection-oriented protocol is that before data or the “payload” is sent by any network-aware application or service using TCP, the sender’s TCP stack first has to establish a connection or “virtual circuit” with the recipient’s TCP stack. What that means is that the connecting TCP stack first sends an initial message (SYN flag) carrying its initial sequence number, then receives a response back carrying both the other side’s own sequence number and an acknowledgment number (SYN-ACK flags), and finally sends an acknowledgment (ACK flag) back, verifying that it has received the response to its original message. This is what is referred to as the “TCP 3-way Handshake”.

The 3-way TCP Handshake | Note: The “Sending TCP Stack” is not an indicator of who is sending the data but rather who is sending the TCP data/overhead or who is establishing the connection

This connection being established is why TCP is dubbed a “connection-oriented” protocol, which brings us to the second main characteristic of TCP: reliability. If you’re already asking yourself “what happens if the initial message in a handshake gets dropped? or if the data sent after the handshake is established gets dropped?” well then you’re almost already there! It’s pretty basic… TCP keeps track of every byte it sends through sequence numbers & acknowledgment numbers, and the protocol is able to tell when a segment was not received because no acknowledgment for it arrives. In that case it waits for a retransmission timeout (RTO, estimated from the measured round-trip time), re-sends the segment, doubles the timeout, and repeats until the data is acknowledged or a maximum number of retries is hit, at which point the connection is given up on. (TTL, by the way, is a layer 3 hop counter in the IP header, not a TCP timer.) This gives TCP the ability to know which segments got through and which need to be re-sent, hence why it’s dubbed a “reliable” transmission protocol.
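The handshake and the retransmission behaviour from the last two paragraphs, as an added example (my simulation, not the article’s or any real stack’s code): a `TcpEndpoint` class (hypothetical name) tracks just enough state to walk through SYN, SYN-ACK and ACK with real sequence/acknowledgment arithmetic, and `handshake` runs it over a “wire” that drops the SYN on chosen attempts so the exponential backoff and the give-up case can be seen. Initial sequence numbers 1000 and 5000 are constructed; a real stack picks them unpredictably.

```python
class TcpEndpoint:
    """Just enough TCP state to walk through SYN / SYN-ACK / ACK with sequence tracking."""

    def __init__(self, name, isn):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn    # next sequence number we will send (real stacks randomise the ISN)
        self.rcv_nxt = None   # next sequence number we expect from the peer (= our ack number)

    def listen(self):
        self.state = "LISTEN"

    def connect(self):
        """Active open: send a SYN carrying our initial sequence number."""
        self.state = "SYN_SENT"
        return {"flags": "SYN", "seq": self.snd_nxt}

    def receive(self, seg):
        """Feed one segment in; return the segment to send back, or None."""
        if self.state == "LISTEN" and seg["flags"] == "SYN":
            self.rcv_nxt = seg["seq"] + 1                 # the SYN itself consumes one sequence number
            self.state = "SYN_RCVD"
            return {"flags": "SYN-ACK", "seq": self.snd_nxt, "ack": self.rcv_nxt}
        if self.state == "SYN_SENT" and seg["flags"] == "SYN-ACK":
            if seg["ack"] != self.snd_nxt + 1:            # does not acknowledge *our* SYN: ignore it
                return None
            self.snd_nxt += 1
            self.rcv_nxt = seg["seq"] + 1
            self.state = "ESTABLISHED"
            return {"flags": "ACK", "seq": self.snd_nxt, "ack": self.rcv_nxt}
        if self.state == "SYN_RCVD" and seg["flags"] == "ACK" and seg["ack"] == self.snd_nxt + 1:
            self.snd_nxt += 1
            self.state = "ESTABLISHED"
        return None


def handshake(client, server, lost_syn_attempts=(), rto=1.0, max_retries=3):
    """Run the 3-way handshake over a 'wire' that drops the SYN on the given attempt numbers.
    Retransmission uses exponential backoff (rto, 2*rto, 4*rto, ...) until max_retries is spent."""
    server.listen()
    syn = client.connect()
    timeline = []
    for attempt in range(max_retries + 1):
        timeout = rto * 2 ** attempt
        timeline.append(("SYN sent", attempt, timeout))
        if attempt in lost_syn_attempts:
            timeline.append(("SYN lost, timer expires", attempt, timeout))
            continue                                      # retransmit the very same SYN (same seq)
        synack = server.receive(syn)
        timeline.append(("SYN-ACK", synack["seq"], synack["ack"]))
        ack = client.receive(synack)
        timeline.append(("ACK", ack["seq"], ack["ack"]))
        server.receive(ack)
        return timeline
    client.state = "CLOSED"                               # gave up: the connection attempt failed
    return timeline
```

The check `seg["ack"] != self.snd_nxt + 1` is the small piece of security in the protocol: a SYN-ACK that does not acknowledge the exact sequence number the client sent is discarded, which is why an attacker who cannot see the client’s traffic has to guess the ISN to inject a forged response.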

TCP’s PDU is called a “segment”, and the TCP header that makes up the overhead of each segment always carries the source port (the sender’s) and the destination port (the receiver’s), among other things such as the sequence number, the acknowledgment number (when the ACK flag is set), the flags themselves, a window size and a checksum. Below is a basic illustration of a TCP PDU or “Segment”.

Now, you might be thinking to yourself “why are there sequence numbers in TCP?” and while a good answer to that is the fact that TCP is a reliable protocol (which I’ve said for the 100th time now), that is not the full story. A bigger reason why TCP uses “sequencing” (and why the PDU on layer 4 is called a “segment”) is that when data reaches the 4th layer it is split into smaller pieces (segments) that each fit in one packet, after a connection is established (3-way TCP handshake) and before each piece gets its TCP header. The sequence number is simply the position of that segment’s first byte within the whole stream, counted from the initial sequence number exchanged in the handshake. With that said, the receiving TCP stack puts all those segmented pieces of data back together in the right order (and spots duplicates and gaps) using these sequence numbers!

So if TCP is so reliable and ensures that the data will successfully reach its target then why is UDP even a thing? Why not just use TCP all the time? Well, while TCP is a great protocol and seems to check all the boxes, one place where it falls short is its overhead. Every one of those segments carries a TCP header of at least 20 bytes (UDP’s is 8), the handshake costs a full round trip before the first byte of payload can move, and every acknowledgment is another packet on the wire. Those headers and extra packets add up to higher bandwidth consumption (and potentially a need for more network equipment), and, worse for some applications, a lost segment stalls delivery until it has been retransmitted. For voice, video or games a late packet is as useless as a lost one, which is precisely where UDP comes in to save the day!

4.3- UDP (User Datagram Protocol)

As you now know UDP keeps only the bare minimum: ports and an optional checksum. It does not create a connection between hosts (connection-less) and it does not use sequence numbers or acknowledgments (unreliable), so nothing re-orders or re-sends data; each message the application hands over becomes one datagram that is simply sent out, and UDP does not care about anything else… UDP relies on the application or service on layer 7 to take care of successful delivery and integrity checks where they matter. Meaning that the programmers developing a service or application who choose UDP as their layer 4 protocol have to be the ones to code similar features (to TCP) into the sockets they have created. A socket is simply the programming interface used to bind a program to a port and choose IP (v4 or v6) and the transport protocol, and thus make the program network-capable or aware.
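The segmentation, reassembly and overhead points from the last three sections, as an added example (my code, not the article’s): a 1 KiB stream is cut into MSS-sized segments whose sequence numbers are byte offsets from the ISN, delivered shuffled and reassembled; then one segment is dropped to show how a gap stops delivery and which sequence number the receiver would acknowledge. The last function counts the per-segment header cost with a TCP header versus a UDP header, which is the bandwidth argument made above. The payload, ISN and MSS are constructed.

```python
import random

IP_HEADER, TCP_HEADER, UDP_HEADER = 20, 20, 8


def segment(data, mss, isn):
    """Cut the stream into MSS-sized segments; each segment's sequence number is the
    stream offset of its first byte, counted from the ISN agreed in the handshake."""
    return [{"seq": isn + off, "data": data[off:off + mss]} for off in range(0, len(data), mss)]


def reassemble(received, isn):
    """Rebuild the stream in order. Out-of-order segments are buffered, duplicates are harmless,
    and a gap stops delivery. Returns (bytes delivered, next expected seq, seqs held back)."""
    buffer = {s["seq"]: s["data"] for s in received}
    stream, expected = b"", isn
    while expected in buffer:
        stream += buffer[expected]
        expected += len(buffer[expected])        # this is exactly the ACK number TCP would send
    held = sorted(seq for seq in buffer if seq > expected)
    return stream, expected, held


def header_overhead(payload_len, mss, transport_header):
    """Total header bytes (IP + transport) needed to carry a payload in MSS-sized pieces."""
    pieces = -(-payload_len // mss)              # ceiling division
    return pieces * (IP_HEADER + transport_header)


def demo(seed=7):
    """Deliver a 1 KiB stream as shuffled segments, then once more with one segment lost."""
    isn, mss = 1000, 300
    data = bytes(range(256)) * 4                 # constructed 1024-byte payload
    segs = segment(data, mss, isn)
    random.Random(seed).shuffle(segs)            # arrival order is not send order
    in_order = reassemble(segs, isn)
    lossy = reassemble([s for s in segs if s["seq"] != isn + 300], isn)
    return {"segments": len(segs), "in_order_ok": in_order[0] == data, "next_expected": in_order[1],
            "lossy_delivered": len(lossy[0]), "lossy_gap_at": lossy[1], "lossy_held": lossy[2],
            "tcp_overhead": header_overhead(len(data), mss, TCP_HEADER),
            "udp_overhead": header_overhead(len(data), mss, UDP_HEADER)}
```

In the lossy run the receiver has three of the four segments but can only deliver the first 300 bytes; the acknowledgment it keeps sending (1300) tells the sender exactly which segment to retransmit. UDP never gets this far: with no sequence numbers it would hand the application whatever arrived, in whatever order.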

That’s all for now… Please stick around for the next and final article in the Networking Fundamentals series, Pt.3, to learn more about the Application Layer from a hacker’s perspective, where I will be showcasing the importance of this layer for any aspiring hacker.

Now that you’ve had a sneak peek of what’s to come in part 3 of this article, I hope you will be joining me in the next one. Cheers!

~Any1
