Monday, February 15, 2021

TCP Transport Layer # 102 - Sequence and Acknowledgement Numbers


·        Sequence numbers are generated differently by operating systems based on coded algorithms

o   SEQ and ACK number fields are 32-bits which makes a possibility of 2^32 = 4E9

·        When new connection is started, the sender has to generate Initial Sequence Number (ISN)

o   It's important to generate random ISN to avoid hijacking TCP session. How it works?

 

 


·        NMAP can be used to identify how easy is the algorithm to generate ISN

o   ISN will be seen in SYN TCP packet sent from sender ---> receiver & receiver ----> sender

·        Let's examine full session

Packet#1 (3-WAY TCP Handshake   S -----> SYN -----> R)

Packet#2 (3-WAY TCP Handshake    S <----- SYN/ACK <----- R)

Packet#3 (3-WAY TCP Handshake   S -----> ACK -----> R)

Packet#4 (Data Transmission   S -----> R)

 

o   Because this is SSL session the client is sending Client Hello

o   This packet and previous packet were from sender to receiver and have same SEQ=1

·        Because previous sender to receiver segment size was zero bytes  (SYN/ACK packets don't carry application data)

Packet#5 (R -----> ACK -----> S)

 

o   Next packet from receiver has ACK = SEQ (1) + 205 = 206 bytes, i.e. the receiver got the previous 205-bytes segment and waiting for next one

o   This receiver packet and previous receiver packet are having same SEQ=1

·        This is because previous segment from receiver to sender size was zero bytes (Packet#2)

Packet#6 (Data Transmission    R -----> S)

 

o   As part of SSL handshake, the server responds with Server Hello

·        Because Server Hello contains server certificate chains, the application data size is greater than sender MSS value (1460 bytes)

·        Accordingly you will notice that Packets 6 - 8 and 10 - 12 are TCP segments which belong to single application data (labeled as reassembled PDU)

§  To recap, this is the reason for encapsulating application data over transport layer instead of sending it directly over IP layer because application layer don't have mechanisms for error/flow control. Sending such large data as one packet over IP layer will get it dropped because typical Ethernet networks are limited to 1500-bytes without fragmentation. Transport layer manages the segmentation and transportation of this data.

o   The receiver could have sent Server Hello before Previous ACK (Packet#5) because the sender window size in Packet#4 was 66048 bytes

·        The order of sending packets is subject to the operating system

·        The only caveat is to make sure that ACK is sent before retransmission timer expires at sender

o   SEQ is still '1' because previous segment size was zero bytes

o   ACK is still '206' because not data received from sender yet

·        Note that receiver keeps sending ACK flag although previous ACK already sent. This is to avoid sender retransmission timer expiry

o   Segment Size is 93 bytes

 

Packet#7 (Data Transmission    R -----> S)

 

o   As mentioned earlier, this packet is continuation of same application data

o   SEQ = 1 + 93 = 94 bytes

o   ACK = 206 bytes (no segments received from sender)

o   Segment size = 1360-bytes


Packet#8 (Data Transmission    R -----> S)

o   As mentioned earlier, this packet is continuation of same application data

o   SEQ = 94 + 1360 = 1454 bytes

o   ACK = 206 bytes (no segments received from sender)

o   Segment size is 1360 bytes

o   You can see that receiver sent 93 + 1360 + 1360 = 2813 bytes to sender without receiving ACK yet because sender window size in Packet#4 was 66048 bytes

Packet#9 (Data Transmission    S -----> R)

o   This is an ACK packet from sender to receiver before receiver retransmission timer expiry

o   SEQ = 206-bytes

o   ACK = 1454 + 1360 = 2814 bytes

o   Segment size = 0-bytes because SYN/ACK packets don't carry application data

 


No comments:

Post a Comment

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection should be verified:   ·         DNS Pe...