TCP Transport Layer # 102 - Sequence and Acknowledgement Numbers

·        Sequence numbers are generated differently by operating systems based on coded algorithms

o   SEQ and ACK number fields are 32-bits which makes a possibility of 2^32 = 4E9

·        When new connection is started, the sender has to generate Initial Sequence Number (ISN)

o   It's important to generate random ISN to avoid hijacking TCP session. How it works?

 

 

·        NMAP can be used to identify how easy is the algorithm to generate ISN

o   ISN will be seen in SYN TCP packet sent from sender ---> receiver & receiver ----> sender

·        Let's examine full session

Packet#1 (3-WAY TCP Handshake   S -----> SYN -----> R)

Packet#2 (3-WAY TCP Handshake    S <----- SYN/ACK <----- R)

Packet#3 (3-WAY TCP Handshake   S -----> ACK -----> R)

Packet#4 (Data Transmission   S -----> R)

 

o   Because this is SSL session the client is sending Client Hello

o   This packet and previous packet were from sender to receiver and have same SEQ=1

·        Because previous sender to receiver segment size was zero bytes  (SYN/ACK packets don't carry application data)

Packet#5 (R -----> ACK -----> S)

 

o   Next packet from receiver has ACK = SEQ (1) + 205 = 206 bytes, i.e. the receiver got the previous 205-bytes segment and waiting for next one

o   This receiver packet and previous receiver packet are having same SEQ=1

·        This is because previous segment from receiver to sender size was zero bytes (Packet#2)

Packet#6 (Data Transmission    R -----> S)

 

o   As part of SSL handshake, the server responds with Server Hello

·        Because Server Hello contains server certificate chains, the application data size is greater than sender MSS value (1460 bytes)

·        Accordingly you will notice that Packets 6 - 8 and 10 - 12 are TCP segments which belong to single application data (labeled as reassembled PDU)

§  To recap, this is the reason for encapsulating application data over transport layer instead of sending it directly over IP layer because application layer don't have mechanisms for error/flow control. Sending such large data as one packet over IP layer will get it dropped because typical Ethernet networks are limited to 1500-bytes without fragmentation. Transport layer manages the segmentation and transportation of this data.

o   The receiver could have sent Server Hello before Previous ACK (Packet#5) because the sender window size in Packet#4 was 66048 bytes

·        The order of sending packets is subject to the operating system

·        The only caveat is to make sure that ACK is sent before retransmission timer expires at sender

o   SEQ is still '1' because previous segment size was zero bytes

o   ACK is still '206' because not data received from sender yet

·        Note that receiver keeps sending ACK flag although previous ACK already sent. This is to avoid sender retransmission timer expiry

o   Segment Size is 93 bytes

 

Packet#7 (Data Transmission    R -----> S)

 

o   As mentioned earlier, this packet is continuation of same application data

o   SEQ = 1 + 93 = 94 bytes

o   ACK = 206 bytes (no segments received from sender)

o   Segment size = 1360-bytes

Packet#8 (Data Transmission    R -----> S)

o   As mentioned earlier, this packet is continuation of same application data

o   SEQ = 94 + 1360 = 1454 bytes

o   ACK = 206 bytes (no segments received from sender)

o   Segment size is 1360 bytes

o   You can see that receiver sent 93 + 1360 + 1360 = 2813 bytes to sender without receiving ACK yet because sender window size in Packet#4 was 66048 bytes

Packet#9 (Data Transmission    S -----> R)

o   This is an ACK packet from sender to receiver before receiver retransmission timer expiry

o   SEQ = 206-bytes

o   ACK = 1454 + 1360 = 2814 bytes

o   Segment size = 0-bytes because SYN/ACK packets don't carry application data

 

TCP Transport Layer # 101

·        TCP protocol runs in the Transport layer

o   Transport layer is responsible to establish/tear-down sessions (called virtual connections)

·        TCP is one type of Transport layer protocols which defines how to establish/tear-down sessions and how to transmit upper-layers

·        TCP uses a combination of headers between sender and receiver to manage each session

o   Application data is carried over these sessions (which is a combination of application headers and raw-data)

·        Why not to send application data over IP Layer directly instead of introducing Transport Layer?

·        Application Data don't have mechanisms to avoid data loss and corruption therefore they are encapsulated over transport layer which enable features like error detection, retransmissions, etc. For example, HTTP protocol which carries HTTP data don't have headers for error detection or recovery. However, because its encapsulated over TCP, lost data segments will be detected and retransmitted

 

 

·        Summary of TCP headers, size of each header and role of each header

 

·        TCP Windowing

o   TCP protocol divides the actual application data into segments

o   The size of each segment is communicated using TCP Option Max Segment Size (MSS) during session handshake

o   Because of TCP reliability each segment needs to be acknowledged with ACK Flag packet

o   While sender is waiting for ACK packet, it will send other TCP segments for faster communication

o   The number of segments allowed to be sent without receiving ACK packets for them is called Window Size

·        Window Size will be selected by operating system

·        Max possible Windows Size is 2^16 = 65,536 bytes

·        This means for MSS 1420 bytes, the max number of segments to be sent without ACK = 65536 / 1420 = 46.1521 segments

·        If no ACK received for X-Allowed packets within timeout, the sender will retransmit

 

Example#1

Host B is sending data to Host A, using a window size equal to one. This means that Host B is expecting an "ACK" for each data segment it sends to Host A. Once the first data segment is sent, Host A receives it and sends an "ACK 2" to Host B. You might be wondering why "ACK 2" and not just "ACK"?

The "ACK 2" is translated by Host B to say: 'I acknowledge (ACK) the packet you just sent me and I am ready to receive the second (2) segment'. So Host B gets the second data segment ready and sends it off to Host A, expecting an "ACK 3" response from Host A so it can send the third data segment for which, as the picture shows, it receives the "ACK 3".

However, if it received an "ACK 2" again, this would mean something went wrong with the previous transmission and Host B will retransmit the lost segment. We will see how this works in the Acknowledgments section later on.

Example#2

 

We have a window size equal to 3, which means that Host B can send 3 data segments to Host A before expecting an "ACK" back. Host B sends the first 3 segments (Send 1, Send 2 and Send 3), Host A receives them all in good condition and then sends the "ACK 4" to Host B. This means that Host A acknowledged the 3 data segments Host B sent and awaits the next data segments which, in this case, would be 4, 5 and 6

 

·        TCP Acknowledgment. How it works?

o   TCP uses positive acknowledgement retransmission method

o   In this method, the sender will transmit segments based on the received windows size

o   Once the sender transmits, it will start a timer to track the ACK response

o   If no ACK response received, sender will transmit the segments again

o   Additionally, if the receiver gets packets not in right sequence, it sends ACK message to sender indicating to retransmit the missing segment

Troubleshooting DOT1X and Radius in IOS and IOS-XE

• To verify the status of RADIUS server from NAD, use the command show aaa server

 

4507#sh aaa servers 

 

RADIUS: id 3, priority 1, host 10.10.22.30, auth-port 1812, acct-port 1813

     State: current UP, duration 10862s, previous duration 0s

     Dead: total time 0s, count 0

     Quarantined: No

     Authen: request 1, timeouts 0, failover 0, retransmission 0

             Response: accept 0, reject 1, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 16ms

             Transaction: success 1, failure 0

             Throttled: transaction 0, timeout 0, failure 0

     Author: request 0, timeouts 0, failover 0, retransmission 0

             Response: accept 0, reject 0, challenge 0

             Response: unexpected 0, server error 0, incorrect 0, time 0ms

             Transaction: success 0, failure 0

             Throttled: transaction 0, timeout 0, failure 0

     Account: request 0, timeouts 0, failover 0, retransmission 0

             Request: start 0, interim 0, stop 0

             Response: start 0, interim 0, stop 0

             Response: unexpected 0, server error 0, incorrect 0, time 0ms

             Transaction: success 0, failure 0

             Throttled: transaction 0, timeout 0, failure 0

     Elapsed time since counters last cleared: 3h1m

     Estimated Outstanding Access Transactions: 0

     Estimated Outstanding Accounting Transactions: 0

     Estimated Throttled Access Transactions: 0

     Estimated Throttled Accounting Transactions: 0

     Maximum Throttled Transactions: access 0, accounting 0

     Requests per minute past 24 hours:

             high - 1 hours, 23 minutes ago: 1

             low  - 3 hours, 1 minutes ago: 0

             average: 0

 

 

• The command show authentication session interface x/x shows the status of the interface

 

4507#sh authentication sessions interface g1/27

            Interface:  GigabitEthernet1/27

          MAC Address:  b8ca.3aca.8f8f

           IP Address:  10.11.1.71

            User-Name:  B8-CA-3A-CA-8F-8F

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-auth

     Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Policy:  N/A

      Session timeout:  3600s (local), Remaining: 2549s

       Timeout action:  Reauthenticate

         Idle timeout:  N/A

    Common Session ID:  0AAA00020001F45660C7C74C

      Acct Session ID:  0x00020413

               Handle:  0x0E000486

 

Runnable methods list:

       Method   State

       mab      Authc Success

 

• Since the authentication is using MAB, you can check MAB details using the command show mab interface x/x

 

4507#sh mab interface g1/27 details 

MAB details for GigabitEthernet1/27

-------------------------------------

Mac-Auth-Bypass           = Enabled

 

MAB Client List

---------------

Client MAC                = b8ca.3aca.8f8f

Session ID                = 0AAA00020001F45660C7C74C

MAB SM state              = TERMINATE

Authen Status             = SUCCESS

 

• You can clear the current authentication using clear authentication session interface x/x or shutdown the interface
• Navigate to ISE > Operations > RADIUS > Live Logs to see the current logs
• Navigate to ISE > Operations > RADIUS > Live Sessions to see the current active sessions
• Navigate to ISE > Operations > Troubleshoot Diagnostics to check the current logs from NAD devices (Pass/Fail)
• Navigate to ISE > Operations > Troubleshoot Diagnostics > Endpoint Debugging 
• Enter endpoint MAC address and start debugging
• This will generate a log file for all actions taken in ISE related to endpoint
• Navigate to ISE > Context Visibility > Endpoint > filter by Mac address to check the status of endpoint (Connected, Disconnected, Rejected)
• Be aware of endpoints in rejected state due of Suppression of Failed Requests feature
• You can release the endpoints in rejected state 
• You can test radius authentication from NAD using the command test aaa group radius radtest #radius-key# new-code (this is hidden but should be entered)
• To very dot1x EAP messages use the command debug dot1x packets

 

Jul 27 14:29:13.268 GST: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0 

Jul 27 14:29:13.268 GST: dot1x-packet: length: 0x0005

Jul 27 14:29:13.268 GST: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005

Jul 27 14:29:13.268 GST: dot1x-packet: type: 0x1 

Jul 27 14:29:13.268 GST: dot1x-packet:[d4be.d974.0d4c, Gi1/0/25] EAPOL packet sent to client 0xBB0001EC

 

• To verify MAB messages use the command debug mab all
• For windows 7 implementation, you need to install the following hotfixes

https://supportforums.cisco.com/t5/security-blogs/getting-past-intermittent-unexplained-802-1x-problems-on-windows/ba-p/3104109

 

 

In IOS-XE, debug radius command won't show the output of dot1x and authentication messages. These has change and can be seen as traces from session manager process (SMD).

 

request platform software trace rotate all       …. To rotate the traces in memory to files in crashinfo directory

 

Change the trace level from notice (default) to info

 

set platform software trace smd switch active R0 aaa verbos 

set platform software trace smd switch active R0 dot1x-all verbos

set platform software trace smd switch active R0 radius verbos 

set platform software trace smd switch active R0 mab verbos 

 

View the traces (you can combine the outputs with pipe)

 

show platform software trace message smd switch active R0 | i radius|dot1|mab|aaa

 

To reset the trace levels for all modules, use the command 

 

set platform software trace smd switch active R0 all-modules