Microsoft Windows XP Networking Inside Out


Part 1: Windows XP Networking

Chapter 2: Configuring TCP/IP and Other Protocols

Layer 7: The Application Layer

The application layer is only concerned with determining the state of communications between two applications. The goal is to determine if the resources are available to initiate communication between two or more hosts as well as find out if participating computers are capable of successful communication. There are a large number of individual protocols and applications operating at layer 7. Even though many of these items provide services on their own, they are more often integrated to provide a feature rich environment for users. One example would be combining Telnet and File Transfer Protocol (FTP) with the intention of enabling remote management and file transfer. Telnet and FTP are described in the following list. All of the following items reside in the application layer of the OSI model.

Hypertext Transfer Protocol (HTTP) The content rich portion of the Internet known as the World Wide Web is composed of applications such as Web page server software and protocols such as HTTP. HTTP defines how Web page information is transferred from servers to Web browser software such as Microsoft Internet Explorer. The Web browser’s job is to interpret this information and display it to you.

File Transfer Protocol (FTP) This protocol was developed to provide file transfer and management services between networked computers. It is used most often to move files from one computer to another. Although FTP is a protocol, it is also a command-line executable program in Windows XP. In addition to moving files from one place to another, FTP can be used for creating directories, deleting files and directories, and renaming the contents of directories, as well as performing other file management functions.

Trivial File Transfer Protocol (TFTP) TFTP provides file transfer services similar to FTP, but without the bells and whistles. FTP can browse file structures and perform basic file management, whereas TFTP can only move files. The user or application calling on TFTP must know the exact location and name of the file to be moved ahead of time. In addition, TFTP does not support any higher-level functions such as creating folders or using authentication. This reduced feature set, combined with small packet size, makes TFTP-based communications faster than FTP-based communications.

note TFTP is used by a wide range of network equipment manufacturers as the preferred method for updating the firmware on their networking equipment. Because TFTP is often used as a service by user-friendly, graphical applications, the user is generally unaware of what is going on behind the scenes.

Post Office Protocol (POP) and Internet Message Access Protocol (IMAP)

POP is the most commonly used protocol for allowing graphical clients to view e-mail messages stored on remote mail servers. However, it is being supplanted by IMAP, which is more efficient and more secure than POP.


Telnet Telnet was created years ago when terminal emulation was the only way to access another computer. It is a protocol designed to allow remote clients to connect to servers and initiate terminal emulation. Terminal emulation means that you create a virtual session between the client and a remote server, allowing the client computer to issue commands to the remote server as if the commands were being typed from a dumb terminal directly connected to the server. This feature proves useful when users need access to resources on other computers that are physically distant. Telnet capabilities can be combined with other programs, such as FTP, so that users can issue local commands on a remote server as well as move files between the two hosts.

Layer 6: The Presentation Layer

The purpose of the processes operating at the presentation layer is primarily to act as a translator for services operating at the application layer. Often, this takes the form of moving data from a proprietary data type to a universal type and back again. For example, data from the higher application layer is converted from the format that the application uses to a standardized format, and then back again. These conversions allow the layers below the presentation layer (layers 1 to 5) to interact with data in a standardized form. This shields processes at the application layer and the lower layers from having to be aware of data types other than their own. These processes send and receive data in the form they expect to and are unaware of this hidden conversion process. The final outcome is interoperability at the application level. A user on a Windows XP computer can create a document and save it to a server where a user on an Apple Macintosh computer can then gain access to the file. This involves more than a single process to accomplish, but much of the work is done by services at the presentation layer.

Converting data types is only the beginning of the functions specified at the presentation layer. Some other common functions such as compression/decompression and data encryption/decryption are also defined at this layer. When a user file is written to a hard disk, a process at the presentation layer might encrypt that file to protect it from unwanted eyes. The application writing the file need not be aware that this encryption or decryption process is even occurring.

File sharing protocols that transfer files across the network to and from network shares function at the presentation layer.

Layer 5: The Session Layer


Ensuring that communications between two computers are properly established and maintained is the primary function of services operating at the session layer. In networked communications in general, there is a three-step process for establishing a connection between hosts. Step one is the initial establishment of the rules for the logical connection. During this portion of the process, the questions of who gets to transmit and how it is done are addressed. Communication between any two computers on a network can be in one of three modes: simplex, half-duplex, or full-duplex.

Simplex communication is one-way communication from a sender to a receiver. This mode is almost entirely passive: The receiver takes no action during the communication process. On most networks, this form of communication is not widely used.

When a half-duplex communications process is negotiated, each of the communication partners agrees that one host will transmit at a time. Unlike simplex communication, half-duplex is bidirectional with both hosts actively participating in the communications process. This form of communication is typically negotiated when either of the hosts is incapable of transmitting and receiving data at the same time. Half-duplex communication is still relatively common, particularly where legacy equipment and software is still in use.

Full-duplex communication is fully bidirectional and synchronous, meaning that each participating host can send and receive data at the same time (synchronous), and both hosts actively participate in the communication (bidirectional). Full-duplex is the most robust form of communication. It allows both hosts to transmit and receive at will. Full-duplex communication is widely supported by current networking hardware and applications.

Once the communications rules have been established, the second step is to actually move the data from one host to another. The details of signaling and packaging data are handled by processes at other layers, so the data transfer step is fairly simple.

Once communication has occurred, the third step of the three-step process occurs, which is known as release. Release is an agreement between the participating hosts that communication is no longer desired. Once both hosts agree that they have done what they need to, the communications process formally ends.

The following list describes two of the more widely used session layer protocols and processes:

Remote Procedure Call (RPC). RPC is widely used in client/server environments. RPC is often used to enable the processing of file requests when the requesting computer and host computer utilize different operating system platforms. RPC is also used for a wide range of interoperability functions.

Network File System (NFS). NFS was developed by Sun Microsystems for UNIX computers using the TCP/IP protocol suite. NFS allows any remote resource (such as a mapped drive) to be treated as if it were a local resource.

Layer 4: The Transport Layer

The transport layer primarily serves the function of breaking apart and reassembling data (known as segmenting or segmentation) from processes and applications operating in layers 5–7. Although there are many data modifying operations occurring in the upper three layers, such as converting data formats, layer 4 is the first layer where larger pieces of data are broken into smaller components (segments) for transmission. Layer 4 protocols manage the process of sending and receiving this newly segmented data and are responsible for establishing logical connections with various communication partners. All of the physical connectivity is handled by processes operating at the lower layers (1–3) and their respective processes and protocols. The transport layer masks the underlying events from the upper-level protocols, acting as a twilight zone between the applications that want to communicate and the software and hardware components involved in the actual transmission of data across a network. In this role, layer 4 services conceal the existence of the physical components of the network from applications operating in the upper layers.


In addition to implementing segmentation, processes at the transport layer are responsible for implementing flow control. Flow control ensures that the integrity of transmitted data is maintained by regulating the flow of data so that hosts participating in data transmission can receive data as fast as their partner is sending it as well as ensuring that they do not send data faster than their partner can receive it. Transport layer protocols are often also responsible for managing connection reliability, making certain data is received by the destination partner in the same order it was transmitted, and ensuring that data that did not reach its destination is retransmitted. Protocols that offer this kind of reliability (such as TCP) are called connection-oriented protocols, whereas protocols that do not offer this kind of reliability, such as User Datagram Protocol (UDP), are called connectionless protocols.

note It is at the transport layer where TCP and UDP ports are defined. Ports are logical protocol assignments within the TCP and UDP protocols. For example, FTP uses TCP ports 21 and 20. TCP and UDP provide layer 4 services for the TCP/IP protocol suite. TCP and UDP are examined in more detail in “Understanding TCP/IP in Depth,” page 24.

Layer 3: The Network Layer

Layer 3 protocols are tasked with determining the best way to get data from one place to another. They also logically connect network addresses (such as an IP address) with physical addresses, such as the physical address of a network interface card (NIC). Segments created in the transport layer are delivered to protocols and services in the network layer where the first bits of network addressing information are appended to the data from upper-layer applications. The segments from the transport layer that have the appropriate logical addressing information added to them are known as packets.

It is at the network layer where devices (known as routers) that connect separate networks operate.

Routers collect network layer information, such as the path to networks (known as routes), that the router is connected to and aware of. As a result, the router builds a topology map of the network for use when deciding how to move data traffic (called routing) from one network to another. This map is also known as a routing table. Routers come in a variety of forms and range from hardware routers such as the Cisco 2600 series to PC-based routers that use Windows Routing and Remote Access Services (RRAS).

There are many layer 3 protocols; the most important ones are IP, Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), and Internet Control Message Protocol (ICMP). Each of these protocols provides address resolution services to network devices utilizing network layer services. TCP/IP networks would not be possible without the services these protocols provide.

Layer 2: The Data-link Layer

The data-link layer is responsible for making sure that data sent across the network is delivered to the proper physical device. It is at the data-link layer that physical addressing of network adapters exists. Network layer addresses such as IP addresses are often transitory and user defined: they are either statically assigned by the user or dynamically assigned using Dynamic Host Configuration Protocol (DHCP). Physical addresses, on the other hand, are hard-coded onto the network interface, and they are designed to be permanent and universally unique. These physical addresses are known as Media Access Control (MAC) addresses; for example, each NIC has a MAC address that can be used to identify the source or destination of a data stream.

Data-link Layer Addresses vs. Network Layer Addresses

Why is the network layer needed at all if NIC devices have a hard-coded, globally unique address? The answer is that trying to manage a global map of how to reach every known MAC address would simply be impossible. No single device could maintain this mapping, and the addresses are not designed to ease routing. Network layer protocols such as IP are specifically designed to break down the task of routing data in a large internetwork into small, manageable chunks in which network segments can maintain local routing information and pass along remote data to other hosts. This process of network packet management and routing is often referred to as packet switching.
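To make the sidebar's point concrete, the following Python is an added example (not code from the book) of the two lookups a host or router performs for every outbound packet: a longest-prefix match in a routing table, which picks the interface and next hop, followed by the ARP-cache lookup that maps the next hop's IP address to the MAC address the frame will carry. The routes, interface names and MAC addresses are constructed sample values.

```python
import ipaddress

# Constructed routing table and ARP cache for a small PC-based router
# (sample values for this example, not taken from the book).
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "eth0"),  # default route toward the upstream router
    ("10.0.0.0/8",     "10.1.0.1",    "eth1"),  # one summary route covers every 10.x.x.x network
    ("10.1.2.0/24",    None,          "eth2"),  # directly connected: deliver without a next hop
    ("192.168.1.0/24", None,          "eth3"),
]
ARP_CACHE = {  # IP address -> MAC address learned on the local segment
    "203.0.113.1": "02:00:00:00:00:aa",
    "10.1.0.1":    "02:00:00:00:00:bb",
    "10.1.2.77":   "02:00:00:00:00:cc",
}


class RoutingTable:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), next_hop, iface)
                       for prefix, next_hop, iface in routes]

    def lookup(self, dst: str):
        """Longest-prefix match: the most specific network containing dst wins.
        Returns (prefix, next_hop, interface) or None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        net, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
        return str(net), next_hop, iface

    def frame_destination(self, dst: str, arp_cache: dict):
        """Layer 3 decides where the packet goes; layer 2 needs the MAC of the
        next hop on that interface (the final host only when directly connected).
        Returns (interface, hop_ip, hop_mac); hop_mac is None on an ARP-cache miss."""
        route = self.lookup(dst)
        if route is None:
            return None
        _, next_hop, iface = route
        hop_ip = next_hop or dst
        mac = arp_cache.get(hop_ip)  # a real host would send an ARP request on a miss
        return iface, hop_ip, mac


if __name__ == "__main__":
    table = RoutingTable(ROUTES)
    for target in ("10.1.2.77", "10.9.9.9", "8.8.8.8"):
        print(target, "->", table.lookup(target), table.frame_destination(target, ARP_CACHE))
```

Four prefixes cover the entire address space here, which is the summarisation MAC addresses cannot offer: a flat map would need one entry per host. Note that the ARP cache holds whatever the local segment reported, so environments that care about the IP-to-MAC binding pin critical entries (static ARP entries on hosts, or dynamic ARP inspection on managed switches) rather than trusting the cache blindly.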

In the TCP/IP protocol stack, data-link layer services add the physical addressing information to packets received from network layer services. Once this new information is encoded onto the packet, the new data is known as a frame. Encapsulation into a frame is the last step before physical transmission occurs at layer 1.

One of the unique traits of the data-link layer is the presence of two sublayers: the Logical Link Control (LLC) upper sublayer and the Media Access Control (MAC) lower sublayer. The LLC layer acts as an intermediary between the logical upper OSI layers that are concerned with data types and logical addressing and the lower OSI layer that is only concerned with physical interfaces and signaling protocols. One of the ways the LLC bridges the layers together is by managing transmission timing and providing the working parts of flow control.

The MAC sublayer is responsible for generating the new frames that encapsulate packets from the transport layer. These frames are made up of binary values (1’s and 0’s). This binary format is all the physical layer (layer 1) understands. Besides making one last data change, the MAC layer performs some basic data integrity checks. The cyclical redundancy check (CRC) ensures—by means of a complex calculation—that data reconstructed out of the bits received from the physical layer is intact.
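As an added illustration of the encapsulation chain described above (a layer 4 segment becomes a layer 3 packet and then a layer 2 frame, with the frame check sequence computed at the MAC sublayer), here is Python that is not from the book: it builds one frame from constructed sample values (locally administered MAC addresses, private IP addresses, an FTP control segment to TCP port 21) and then decapsulates it bottom-up, verifying the CRC-32 frame check sequence and the IPv4 header checksum. The field layouts are those of Ethernet II, IPv4 and TCP; the TCP checksum is left at zero because the example exercises only the layer 2 and layer 3 checks.

```python
import ipaddress
import struct
import zlib

# Constructed sample values for this example (not from the book): locally
# administered MAC addresses, two private IPv4 addresses, and an FTP control
# connection (TCP port 21) carrying one command.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.168.1.55", "192.168.1.10"
ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words.
    Run over a header that already contains its checksum, it returns 0 when intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Layer 4: a minimal 20-byte TCP header. Sequence number, flags and window are
    # placeholders; the TCP checksum stays 0 since only layers 2 and 3 are checked here.
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def build_ipv4_packet(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bytes:
    # Layer 3: prepend a 20-byte IPv4 header; the segment becomes a packet.
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def build_ethernet_frame(src_mac: bytes, dst_mac: bytes, ethertype: int, packet: bytes) -> bytes:
    # Layer 2 (MAC sublayer): MAC addresses and EtherType in front, then the FCS,
    # a CRC-32 over the frame body, which IEEE 802.3 sends least significant byte first.
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def parse_frame(frame: bytes) -> dict:
    """Decapsulate bottom-up: FCS and MACs (layer 2), IPv4 checksum and
    addresses (layer 3), then ports and payload (layer 4)."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch: frame damaged in transit")
    info = {"dst_mac": mac_str(body[:6]), "src_mac": mac_str(body[6:12]),
            "ethertype": struct.unpack("!H", body[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_IPV4:
        return info
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    info["src_ip"] = str(ipaddress.IPv4Address(packet[12:16]))
    info["dst_ip"] = str(ipaddress.IPv4Address(packet[16:20]))
    proto, total_len = packet[9], struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    if proto in (PROTO_TCP, PROTO_UDP):
        info["protocol"] = "TCP" if proto == PROTO_TCP else "UDP"
        info["src_port"], info["dst_port"] = struct.unpack("!HH", segment[:4])
        hdr_len = (segment[12] >> 4) * 4 if proto == PROTO_TCP else 8
        info["payload"] = segment[hdr_len:]
    return info


def fcs_detects_flip(frame: bytes, byte_index: int) -> bool:
    """True if flipping one bit at byte_index is caught by the FCS check."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    try:
        parse_frame(bytes(damaged))
        return False
    except ValueError:
        return True


SAMPLE_FRAME = build_ethernet_frame(
    SRC_MAC, DST_MAC, ETHERTYPE_IPV4,
    build_ipv4_packet(SRC_IP, DST_IP, PROTO_TCP,
                      build_tcp_segment(49152, 21, b"USER anonymous\r\n")))

if __name__ == "__main__":
    print(len(SAMPLE_FRAME), "bytes:", parse_frame(SAMPLE_FRAME))
    print("bit flip detected:", fcs_detects_flip(SAMPLE_FRAME, 40))
```

Flipping a single bit anywhere in the frame makes `parse_frame` reject it, which is exactly what the CRC is for: catching accidental damage. It is not a security control; anyone who can write a frame can recompute its FCS, so integrity against deliberate tampering has to come from authenticated protocols higher up (IPsec, TLS), not from layer 2.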

Services at the MAC sublayer control which kind of media access method is used. The media are the physical components of the network such as interfaces and cabling. These MAC sublayer methods determine how these components are controlled. The goal of these methods is to prevent hosts from communicating on top of each other, which causes data loss. Typically, one of three methods is used:

Contention-based media access. This method requires that any host wanting to transmit must have control over the network segment to which it is connected. Each communicating host contends for control of the segment. It is possible for more than one host on a network to transmit at a time (under certain conditions). When this happens, the data from two transmitting computers collides, and the net result is data loss. This method is used in a common type of network called Ethernet.

Token passing. This kind of media access involves the use of a special frame called a token. The token is passed from one computer to another in a round robin fashion. Any computer can transmit if it has possession of the token, and there is no data attached to the token. Once the host decides to transmit, the data is added to the token frame and forwarded to the next host. When the targeted recipient receives the token, it pulls the data off, and then forwards the empty token back into the ring. This method ensures that only one host transmits at a time, and data collisions are not possible.

To learn more about Ethernet and token passing networks, see Chapter 3, “Creating Network Connections.”

Polling media access. This method involves a central authority such as a server that polls all the devices on the network and literally asks them if they have anything to transmit. When a host replies with a positive acknowledgment, the polling computer authorizes the transmission. A computer on a polling network cannot transmit unless given permission by the central authority, and the computer must wait for its turn in the polling cycle before it can request such permission.


Layer 1: The Physical Layer


The network components that exist at the physical layer have only one function: generating signals along the physical cabling and interfaces on the network. Although there are a variety of methods for generating signals on the network, both analog and digital, the goal is the same: Each method seeks to transmit binary data. The actual devices that exist at the physical layer consist of cables (or wireless connections using radio waves or infrared light), plugs connected to the cabling, and the receiver jacks along with the signaling equipment attached to network adapters (or transmitter/receiver devices for wireless communications).

Understanding TCP/IP in Depth

The majority of networks either support or depend on the TCP/IP protocol suite. Windows networks are certainly no exception, and Windows XP can use TCP/IP for any network—from large domains to small home networks.

To understand how TCP/IP really works, it is important to understand its inner workings. The TCP/IP protocol suite spans nearly the entire seven layers of the OSI model. The most important layers to understand (with respect to TCP/IP) are layers 3 (network), 4 (transport), and 7 (application).

note TCP/IP was originally designed by the United States Defense Advanced Research Projects Agency (DARPA), the central R&D organization for the U.S. Department of Defense. It was designed to map directly to the DARPA model of networking protocols rather than the OSI reference model. However, because TCP/IP can be (and most commonly is) described in terms of the OSI model, as are most of the other protocols discussed in this chapter, OSI will be the focus.

Application Layer Protocols

Application layer protocols specify components closest to where the computer user interacts with the computer. Several TCP/IP protocols exist at layer 7, and some of them, such as FTP, HTTP, and SMTP, were discussed earlier in this chapter. There are a few other major protocols in this suite that you should get to know as well, and these are explored in the following sections.

Domain Name System (DNS)

For computers to identify resources on a TCP/IP network, each computer or server on a network must have a unique Internet Protocol (IP) address, such as 192.168.1.55. Because humans have a difficult time remembering strings of numbers like those used in IP addresses, language-based names are used. A language-based name on a TCP/IP network is known as a domain name or fully qualified domain name (FQDN); for example, a user’s computer located in the Atlanta marketing department of the Tailspin Toys company might be given the FQDN user09.mktg.atlanta.tailspintoys.com.

How then can a computer’s FQDN be resolved to an IP address (and back again)? In the early days of the Internet, only a handful of computers were connected. At that time, all computers depended on a file known as a host file to turn user-friendly names such as mailserver into the IP addresses needed to reach the site. With relatively few computers using networks, this system worked well. However, as the Internet began to grow, it became apparent that a new, more flexible system for tracking address-to-name mappings was needed. Also, because the host file was centrally stored, every computer needed to copy the file from a common source. When the prospect of thousands of network hosts became a reality, it became clear that the system would have to include the distribution of the mapping information as well.

The solution to this problem is the Domain Name System (DNS). DNS uses a lightweight (easy to process), hierarchical, distributed, and flexible database that maps FQDNs to their corresponding IP addresses. DNS is a highly expandable naming system that can accommodate the naming needs of any network (it’s used to uniquely identify every Web site and resource on the Internet). DNS databases use a client/server model in which any computer trying to match a domain name to an IP address is known as a resolver, and the computers that answer those requests are DNS servers. These servers house a portion of the DNS IP-to-name mappings and have information about where to forward requests they cannot process. Because DNS is hierarchical, no DNS server has to maintain the records for the entire Internet, and DNS is not crippled by the loss of one server.

DNS is dependable and can support private networks (networks using a range of reserved IP addresses that are unavailable to the Internet as a whole) as well as networks publicly accessible via the Internet. DNS is the standard for both Active Directory–based Windows networks and for the Internet, and computers in a pure Active Directory environment must use DNS to identify themselves.

DNS functions by using unique FQDNs. When an FQDN is requested, the name is resolved into an IP address step by step until the desired server is discovered. Let’s say that a server named Server12 resides in the domain named tailspintoys.com. The server’s FQDN would be server12.tailspintoys.com. If you need to contact this server from a different domain, perhaps to access a file, the process behind the scenes might follow these steps:

1. Your initial request to access the server is sent to a DNS server in your domain. If the name is held directly in the server’s database, the IP address is returned and the transaction is over.

2. If the name is not stored locally on the DNS server, it sends a request to a root server. Because the server12.tailspintoys.com name is not stored locally on the root server, it sends a response containing the address of a DNS server that provides addresses for .com domains.

3. The local DNS server resends its request to resolve the name server12.tailspintoys.com to the .com server.

4. Because the requested name is not stored locally on the .com server, it sends a response containing the address of the tailspintoys.com server, which is stored on the .com server.

5. The DNS server sends a DNS request to resolve the name server12.tailspintoys.com to the tailspintoys.com server.

6. Because the requested name is stored locally on the tailspintoys.com server, it sends a response containing the IP address of server12.tailspintoys.com.

7. The local DNS server then sends the IP address for server12.tailspintoys.com to the requesting client computer, which can communicate with it directly.

This example is a worst-case scenario. In reality, both the network client and individual DNS servers along the way would likely maintain a temporary copy, or cache, of the recent DNS requests that have been made of them. This allows them to immediately service the DNS requests from local memory rather than rerunning the entire painstaking query process every time a query is made. This dramatically reduces the number of iterations made by the local DNS server on behalf of its client (or eliminates the need for the client to do a DNS lookup altogether if it has the address in its own cache).

note The downside of this caching process is that it can take some time for changes to a machine’s FQDN-to-IP-address mapping to propagate to DNS servers across the Internet. DNS servers do occasionally clear out the contents of their local caches to prevent a long-term breakdown in name resolution services, but until this refreshing process takes place, remote changes can make locally cached DNS data unreliable.
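The seven steps and the caching note above, as an added Python model that is not code from the book: three constructed authoritative servers (root, .com, tailspintoys.com) hand out referrals or answers, and a local resolver walks them from the root and caches what it learns. Real DNS bounds how long a cached answer may be reused with a time-to-live (TTL) carried on each record, so the model uses one; the server names, IP addresses and TTL are sample values chosen for this example.

```python
class NameServer:
    """An authoritative DNS server for one zone (constructed model)."""

    def __init__(self, records: dict, delegations: dict):
        self.records = records          # FQDN -> (IP address, TTL seconds) held in this zone
        self.delegations = delegations  # child zone -> name of the server authoritative for it

    def query(self, fqdn: str):
        """Answer if the name is held here, refer to a child zone's server if one
        covers the name, otherwise report that the name does not exist."""
        if fqdn in self.records:
            return ("answer",) + self.records[fqdn]
        for zone, server in self.delegations.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                return ("referral", server)
        return ("nxdomain",)


class LocalResolver:
    """The DNS server in the client's domain: walks referrals from the root and caches answers."""

    def __init__(self, servers: dict, clock):
        self.servers = servers  # server name -> NameServer
        self.clock = clock      # callable returning the current time in seconds
        self.cache = {}         # FQDN -> (IP address, expiry time)

    def resolve(self, fqdn: str):
        """Returns (ip, trace); trace lists the servers consulted, or ["cache"] on a hit."""
        now = self.clock()
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:
            return cached[0], ["cache"]
        server, trace = "root", []
        while True:
            trace.append(server)
            reply = self.servers[server].query(fqdn)
            if reply[0] == "answer":
                ip, ttl = reply[1], reply[2]
                self.cache[fqdn] = (ip, now + ttl)  # keep it only for the record's TTL
                return ip, trace
            if reply[0] == "referral":
                server = reply[1]                   # follow the referral down the hierarchy
            else:
                return None, trace


class Clock:
    """Adjustable clock so the demo can move time forward past the TTL."""

    def __init__(self, now=0):
        self.now = now

    def __call__(self):
        return self.now


def build_servers():
    # Constructed hierarchy mirroring the seven steps: root -> .com -> tailspintoys.com.
    return {
        "root": NameServer({}, {"com": "com-server"}),
        "com-server": NameServer({}, {"tailspintoys.com": "tailspintoys-server"}),
        "tailspintoys-server": NameServer({"server12.tailspintoys.com": ("192.0.2.12", 300)}, {}),
    }


def demo():
    """Worst-case walk, a cache hit, a stale answer after the record changes, then expiry."""
    clock = Clock(now=0)
    servers = build_servers()
    resolver = LocalResolver(servers, clock)
    first = resolver.resolve("server12.tailspintoys.com")    # full walk: root, .com, tailspintoys.com
    second = resolver.resolve("server12.tailspintoys.com")   # served from cache
    servers["tailspintoys-server"].records["server12.tailspintoys.com"] = ("192.0.2.99", 300)
    clock.now = 100
    stale = resolver.resolve("server12.tailspintoys.com")    # cache still valid: old address returned
    clock.now = 301
    fresh = resolver.resolve("server12.tailspintoys.com")    # TTL expired: full walk, new address
    return first, second, stale, fresh


if __name__ == "__main__":
    for label, result in zip(("first", "second", "stale", "fresh"), demo()):
        print(label, result)
```

`demo()` returns the four cases in order: the worst-case walk, the cache hit, the stale answer the note warns about (the authoritative record has changed but the cached copy has not yet expired), and the fresh walk once the TTL runs out. The same cache is why a resolver must confirm that a reply matches the query it actually sent before storing it; this model leaves that check out.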

There are even products, such as TweakMaster from Hagel Technologies, that can be installed on Windows XP to maintain a long-term cache of commonly used IP addresses (such as for the Microsoft Internet Explorer Favorites list). If these addresses rarely change (which is most likely the case), this cache can improve the experience of using TCP/IP by eliminating the need for name resolution altogether. These programs can refresh their cache lists on a scheduled basis to keep the cache up-to-date.

Even at its worst, however, the process of resolving an FQDN to an IP address is completely transparent to the user, who simply indicates the FQDN of the server he or she wants to communicate with. DNS handles the rest in the background.

For more information on how Active Directory domains use DNS, see “Understanding Active Directory Domains,” page 311.


Windows Internet Naming Service (WINS)

WINS is another method used for resolving a host name to an IP address. WINS originated to provide remote name resolution services for Network Basic Input/Output System (NetBIOS) computer names. NetBIOS is a protocol that was designed by Microsoft and IBM in the 1980s. It remained the standard for Microsoft networks until the introduction of Windows 2000. With NetBIOS, a computer would have a short name such as BOBSPC. However, pure Active Directory networks no longer rely on NetBIOS or WINS. They now use DNS, a far more commonly accepted standard for computer naming and system name resolution.

Dynamic and Static Addressing

Although computers can be assigned permanent (or static) IP addresses manually, the process can be complex, and mistakes can easily be made that cause network communications to fail. As machines are added or removed from the network, the network needs to be reconfigured, involving administrative overhead. When TCP/IP was first introduced, many network administrators were resistant to its adoption because it was difficult to manually assign and manage IP addresses, and to troubleshoot problems that arose when numbers were incorrectly assigned.

An alternative is to have the network itself assign and maintain the network addresses of its clients: This is known as dynamic addressing. DHCP is the primary mechanism for performing dynamic addressing today. DHCP servers can automatically handle the assignment of IP addresses and related addressing information to clients through a

Windows Evolution from WINS to DNS

WINS and DNS provide comparable services for name resolution, and they are both recognized, public protocols. So, what would be the reason for the move from WINS to DNS by recent Windows operating systems? Although Windows has supported DNS as a resolution protocol since its inception, WINS was the preferred method for LAN name-to-address resolution until the advent of Active Directory network services in Windows 2000. With Active Directory, DNS became the prominent name resolution method. One of the reasons for the change is the wide support for DNS as a resolution protocol. Although WINS was a public standard, it never gained the wide acceptance that DNS has enjoyed from its roots in the Internet. With the progress towards integrating local network services with Internet services and a general push towards widely distributed networks, DNS became the logical successor for WINS. WINS is still in use on many older Windows-based networks, but the shift to integrated DNS services will no doubt continue.
