Linux Networking-concepts

I have written a number of networking HOWTOs in the past, and it occurred to me that there's a hell of

pile of jargon in each one. I had three choices: my other two were ignoring the problem and explaining the

terms everywhere. Neither was attractive.

The point of Free software is that you should have the freedom to explore and play with the software systems

you use. I believe that enabling people to experience this freedom is a noble goal; not only do people feel

empowered by the pursuit (such as rebuilding a car engine) but the nature of the modern Internet and Free

software allows you to share the experience with millions.

But you have to start somewhere, so here we are.

(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL.

2. What is a `computer network'? 2

2 What is a `computer network'?

A computer network is just a set of stu_ for nodes to talk to each other (by `nodes' I mean computers, printers,

Coke machines and whatever else you want). It doesn't really matter how they are connected: they could

use _ber-optic cables or carrier pigeons. Obviously, some choices are better than others (especially if you

have a cat).

Usually if you just connect two computers together, it's not called a network; you really need three or more

to become a network. This is a bit like the word `group': two people is just a couple of guys, but three

can be an `group'. Also, networks are often hooked together, to make bigger networks; each little network

(usually called a `sub-network') can be part of a larger network.

The actual connection between two computers is often called a `network link'. If there's a bit of cable running

out of the back of your machine to the other machines, that's your network link.

There are four things which we usually care about when we talk about a computer network:


If you simply connect your four computers at home together, you have what is called a LAN (Local

Area Network). If everything is within walking distance, it's usually called a LAN, however many

machines are connected to it, and whatever you've built the network out of.

The other end of the spectrum is a WAN (Wide Area Network). If you have one computer in Lahore,

Pakistan, one in Birmingham, UK and one in Santiago, Chile, and you manage to connect them, it's

a WAN.

Topology: The Shape

Draw a map of the network: lines are the

2 (network links), and each node is a dot. Maybe each line leads into a central node like a big star,

meaning that everyone talks through one point (a `star topology'):

o o o

\_ | _/




/ | \

o o o

Maybe everyone talks in a line, like so:


| |

| |

| o

| |

o |


Or maybe you have three subnetworks connected through one node:


o | o--o--o

| | |

o--o--o--o--o o

\ |

2. What is a `computer network'? 3


/ |

o--o--o--o--o o

| | |

o | o--o


You'll see many topologies like these in real life, and many far more complicated.

Physical: What It's Made Of

The second thing to care about is what you've built the network out of. The cheapest is `sneakernet',

where badly-dressed people carry _oppy disks from one machine to the others. Sneakernet is almost

always a 2 (LAN). Floppies cost less than $1, and a solid pair of sneakers can be got for around $20.

The most common home network system is used to connect to far bigger networks, called a `modem'

(for MODulator/DEModulator), which turns a normal phone connection into a network link. It turns

the stu_ the computer sends into sounds, and listens to sounds coming from the other end to turn

them back into stu_ for the computer. As you can imagine, this isn't very e_cient, and phone lines

weren't designed for this use, but it's popular because phone lines are so common and cheap: modems

sell for less than $50, and phone lines usually cost a couple of hundred dollars a year.

The most common way to connect machines into a LAN is to use Ethernet. Ethernet comes in

these main _avors (listed from oldest to newest): Thinwire/Coax/10base2, UTP (Unshielded Twisted

Pair)/10baseT and UTP/100baseT. Gigabit ethernet (the name 1000baseT is starting to get silly) is

starting to be deployed, too. 10base2 wire is usually black coaxial cable, with twist-on T-pieces to

connect them to things: everyone gets connected in a big line, with special `terminator' pieces on the

two ends. UTP is usually blue wire, with clear `click-in' phone-style connectors which plug into sockets

to connect: each wire connects one node to a central `hub'. The cable is a couple of dollars a meter,

and the 10baseT/10base2 cards (many cards have plugs for both) are about $30. 100baseT cards,

which can also speak 10baseT as well, are ten times faster, and about $100.

On the other end of the spectrum is Fiber; a continuous tiny glass _lament wrapped in protective

coating which can be used to run between continents. Fiber costs thousands.

We usually call each connection to a node a `network interface', or `interface' for short. Linux gives

these names like `eth0' for the _rst ethernet interface, and `fddi0' for the _rst _ber interface. The

`/sbin/ifcon_g' command lists them.

Protocol: What It's Speaking

The _nal thing to care about is the language the two are speaking. When two 2 (modems) are talking

to each other down a phone line, they need to agree what the di_erent sounds mean, otherwise it

simply won't work. This convention is called a `protocol'. As people discovered new ways of encoding

what the computer says into smaller sounds, new protocols were invented; there are at least a dozen

di_erent modem protocols, and most modems will try a number of them until they _nd one the other

end understands.

Another example is the 2 (100baseT) network mentioned above: it uses the same physical 2 (network

links) (2 (UTP)) as 2 (10baseT) above, but talks ten times as fast.

These two protocols are what are called `link-level' protocols; how stu_ is handed over the individual

network links, or `one hop'. The word `protocol' also refers to other conventions which are followed, as

we will see next.

3. What is the `Internet'? 4

3 What is the `Internet'?

The Internet is a 2 (WAN) which spans the entire globe: it is the largest computer network in existence. The

phrase `internetworking' refers to connecting separate networks to build a larger one, hence `The Internet'

is the connection of a whole pile of subnetworks.

So now we look at the list above and ask ourselves: what is the Internet's size, physical details and protocols?

The size is already established above: it's global.

The physical details are varied however: each little sub-network is connected di_erently, with a di_erent

layout and physical nature. Attempts to map it in a useful way have generally met with abject failure.

The protocols spoken by each link are also often di_erent: all of the 2 (link-level protocols) listed above are

used, and many more.

3.1 How Does The Internet Work?

The question then arises: how come every node on the Internet can talk to the others, if they all use di_erent

link-level protocols to talk to each other?

The answer is fairly simple: we need another protocol which controls how stu_ _ows through the network.

The link-level protocol describes how to get from one node to another if they're connected directly: the

`network protocol' tells us how to get from one point in the network to any other, going through other links

if necessary.

For the Internet, the network protocol is the Internet Protocol (version 4), or `IP'. It's not the only protocol

out there (Apple's AppleTalk, Novell's IPX, Digital's DECNet and Microsoft's NetBEUI being others) but

it's the most widely adopted. There's a newer version of IP called IPv6, but it's still not common.

So to send a message from one side of the globe to another, your computer writes a bit of Internet Protocol,

sends it to your modem, which uses some modem link-level protocol to send it to the modem it's dialed up

to, which is probably plugged into a terminal server (basically a big box of modems), which sends it to a

node inside the ISP's network, which sends it out usually to a bigger node, which sends it to the next node...

and so on. A node which connects two or more networks is called a `router': it will have one 2 (interface)

for each network.

We call this array of protocols a `protocol stack', usually drawn like so:

[ Application: Handles Porn ] [ Application Layer: Serves Porn ]

| ^

v |

[ TCP: Handles Retransmission ] [ TCP: Handles Retransmission ]

| ^

v |

[ IP: Handles Routing ] [ IP: Handles Routing ]

| ^

v |

[ Link: Handles A Single Hop ] [ Link: Handles A Single Hop ]

| |


So in the diagram, we see Netscape (the Application on top left) retrieving a web page from a web server

(the Application on top right). To do this it will use `Transmission Control Protocol' or `TCP': over 90% of

the Internet tra_c today is TCP, as it is used for Web and EMail.

4. This IP Thing 5

So Netscape makes the request for a TCP connection to the remote web server: this is handed to the TCP

layer, which hands it to the IP layer, which _gures out which direction it has to go in, hands it onto the

appropriate link layer, which transmits it to the other end of the link.

At the other end, the link layer hands it up to the IP layer, which sees it is destined for this host (if not,

it might hand it down to a di_erent link layer to go out to the next node), hands it up to the TCP layer,

which hands it to the server.

So we have the following breakdown:

1. The application (Netscape, or the web server at the other end) decides who it wants to talk to, and

what it wants to send).

2. The TCP layer sends special packets to start the conversation with the other end, and then packs the

data into a TCP `packet': a packet is just a term for a chunk of data which passes through a network.

The TCP layer hands this packet to the IP layer: it then keeps sending it to the IP layer until the

TCP layer at the other end replies to say that it has received it. This is called `retransmission', and

has a whole heap of complex rules which control when to retransmit, how long to wait, etc. It also

gives each packet a set of numbers, which mean that the other end can sort them into the right order.

3. The IP layer looks at the destination of the packet, and _gures out the next node to send the packet

to. This simple act is called `routing', and ranges from really simple (if you only have one modem,

and no other network interfaces, all packets should go out that interface) to extremely complex (if you

have 15 major networks connected directly to you).

4 This IP Thing

So the role of the IP layer is to _gure out how to `route' packets to their _nal destination. To make this

possible, every interface on the network needs an `IP address'. An IP address consists of four numbers

separated by periods, like `'. Each number is between zero and 255.

Interfaces in the same network tend to have neighboring IP addresses. For example, `' sits

right next to the machine with the IP address `'. Remember also that a router is a node with

interfaces on more than one network, so the router will have one IP address for each interface.

So the Linux Kernel's IP layer keeps a table of di_erent `routes', describing how to get to various groups of

IP addresses. The simplest of these is called a `default route': if the IP layer doesn't know better, this is

where it will send a packet onwards to. You can see a list of routes using `/sbin/route'.

Routes can either point to a link, or a particular node which is connected to another network. For example,

when you dial up to the ISP, your default route will point to the modem link, because that's where the entire

world is.

Rusty's ISP's ~~~~~~~

Modem Modem { }

o------------------o { The Net }

{ }


But if you have a permanent machine on your network which connects to the outside world, it's a bit more

complicated. In the diagram below, my machine can talk directly to Tridge and Paul's machines, and to the

_rewall, but it needs to know that packets heading the rest of the world need to go to the _rewall, which

will pass them on. This means that you have two routes: one which says `if it's on my network, just send it

straight there' and then a default route which says `otherwise, send it to the _rewall'.

4. This IP Thing 6

o Tridge's

| Work Machine ~~~~~~~

Rusty's | { }

Work Machine o--------+-----------------o--{ The Net }

| Firewall { }

| ~~~~~~~

o Paul's

Work Machine

4.1 Groups of IP Addresses: Network Masks

There is one last detail: there is a standard notation for groups of IP addresses, sometimes called a `network

address'. Just like a phone number can be broken up into an area pre_x and the rest, we can divide an IP

address into a network pre_x and the rest.

It used to be that people would talk about `the 1.2.3 network', meaning all 256 addresses from to Or if that wasn't a big enough network, they might talk about the `1.2 network' which meant all

addresses from to

We usually don't write ` -'. Instead, we shorten it to `'. This weird `/16' notation

(it's called a `netmask') requires a little explanation.

Each number between the dots in an IP address is actually 8 binary digits (00000000 to 11111111): we write

them in decimal form to make it more readable for humans. The `/16' means that the _rst 16 binary digits

is the network address, in other words, the `1.2.' part is the the network (remember: each digit represents 8

binary digits). This means any IP address beginning with `1.2.' is part of the network: `' and `'

are, and `' is not.

To make life easier, we usually use networks ending in `/8', `/16' and `/24'. For example, `' is a

big network containing any address from to (over 16 million addresses!).

is smaller, containing only IP addresses from to is smaller still, containing

addresses to

To make things confusing, there is another way of writing netmasks. We can write them like IP addresses:

Finally, it's worth noting that the very highest IP address in any network is reserved as the `broadcast

address', which can be used to send a message to everyone on the network at once.

Here is a table of network masks:

Short Full Maximum Comment

Form Form #Machines

/8 / 16,777,215 Used to be called an `A-class'

/16 / 65,535 Used to be called an `B-class'

/17 / 32,767

/18 / 16,383

/19 / 8,191

/20 / 4,095

/21 / 2,047

/22 / 1,023

/23 / 511

/24 / 255 Used to be called a `C-class'

/25 / 127

5. Machine Names and IP Addresses 7

/26 / 63

/27 / 31

/28 / 15

/29 / 7

/30 / 3

5 Machine Names and IP Addresses

So every interface on every node has an IP address. It was realized quite quickly that humans are pretty

bad at remembering numbers, so it was decided (just like phone numbers) to have a directory of names. But

since we're using computers anyway, it's nicer to have the computer look up the names for us automatically.

Hence we have the Domain Name System (DNS). There are nodes with well known IP addresses which

programs can ask to look up names, and return IP addresses. Almost all programs you will use are capable

of doing this, which is why you can put `' into Netscape, instead of `'.

Of course, you need the IP address of at least one of these `name servers': usually these are kept in the

`/etc/resolv.conf' _le.

Since DNS queries and responses are fairly small (1 packet each), the TCP protocol is not usually used: it

provides automatic retransmission, ordering and general reliability, but at a cost of sending extra packets

through the network. Instead we use the very simple `User Datagram Protocol', which doesn't o_er any of

the fancy TCP features we don't need.

6 Di_erent Services: Email, Web, FTP, Name Serving

In the earlier example, we showed Netscape sending a TCP request to a web server running on another node.

But imagine that the node with the web server is also running an Email server, an FTP server and a name

server: how does it know which server the TCP connection is for?

This is where TCP and UDP have a concept of `ports'. Every packet has space for a `destination port',

which says what service the packet is for. For example, TCP port 25 is the mail server, and TCP port 80 is

the web server (although sometimes you _nd web servers on di_erent ports). A list of ports can be found in


Also, if two Netscape windows are both accessing di_erent parts of the same web site, how does the Linux

box running Netscape sort out the TCP packets coming back from the web server?

This is where the `source port' comes in: every new TCP connection gets a di_erent source port, so everyone

can tell them apart, even if they are going to the same destination IP address and the same destination port.

Usually the _rst source port given will be 1024, and will increase over time.

7 Dialup Interfaces: PPP

When you dial your modem to an ISP, and it connects to their modem, the kernel doesn't just shove IP

packets through it. There is a protocol called `Point-to-Point Protocol', or `PPP', which is used to negotiate

with the other end before any packets are allowed through. This is used by the ISP to identify who is dialed

up: on your Linux box, a program called the `PPP daemon' handles your end of the negotiation.

Because there are so many dialup users in the world, they usually don't have their own IP address: most

ISPs will assign you one of theirs temporarily when you dial up (the PPP daemon will negotiate this). This

is often called a `dynamic IP address', as separate from a `static IP address' which is the normal case where

8. What Packets Look Like 8

you have your own address permanently. Usually they are assigned by modem: the next time you dial up,

you will probably get a di_erent modem in the modem pool, and hence a di_erent IP address.

8 What Packets Look Like

For the exceptionally curious (and the curiously exceptional), here is a description of what a packet actually

looks like. There are several tools which watch what packets are passing in and out of your Linux box: the

most common one is `tcpdump' (which understands more than TCP these days). Such programs are known

as `packet sni_ers'.

The start of each packet says where it's going, where it came from, the type of the packet, and other

administrative details. This part is called the `packet header'. The rest of the packet, containing the actual

data being transmitted, is usually called the `packet body'.

So any IP packet begins with an `IP header': at least 20 bytes long. It looks like (this diagram stolen

shamelessly from RFC 791):


|Version| IHL |Type of Service| Total Length |


| Identification |Flags| Fragment Offset |


| Time to Live | Protocol | Header Checksum |


| Source Address |


| Destination Address |


The important _elds are the Protocol, which indicates whether this is a TCP packet (number 6), a UDP

packet (number 17) or something else, the Source IP Address, and the Destination IP Address.

Now, if the protocol _elds says this is a TCP packet, then a TCP header will immediately follow this IP

header: the TCP header is also at least 20 bytes long:


| Source Port | Destination Port |


| Sequence Number |


| Acknowledgment Number |


| Data | |U|A|P|R|S|F| |

| Offset| Reserved |R|C|S|S|Y|I| Window |

| | |G|K|H|T|N|N| |


| Checksum | Urgent Pointer |


The most important _elds here are the source port, and destination port, which says which service the packet

is going to (or coming from, in the case of reply packets). The sequence and acknowledgement numbers are

used to keep packets in order, and tell the other end what packets have been received. The ACK, SYN,

RST and FIN _ags (written downwards) are single bits which are used to negotiate the opening (SYN) and

closing (RST or FIN) of connections.

9. Summary 9

Following this header comes the actual message which the application sent (the packet body). A normal

packet is up to 1500 bytes: this means that the most space the data can take up is 1460 bytes (20 bytes for

the IP header, and 20 for the TCP header): over 97%.

9 Summary

So the modern Internet uses IP packets to communicate, and most of these IP packets use TCP inside.

Special nodes called `routers' connect all the little networks together into larger networks, and pass these

packets through to their destination. Most normal machines are only attached to one network (ie. have only

one interface), and so are not routers.

Every interface has a unique IP address, which look like `': interfaces in the same network will have

related IP addresses, with the same start, the same way that phone connections in the same area have the

same pre_x. These network addresses look like IP addresses, with a `/' to say how much of them is the

pre_x, eg `' means the _rst two digits is the network address: each digit represents 8 bits.

Machines are given names by the Domain Name Service: programs ask name servers to give them the IP

address, given a name like `'. This IP address is then used as the destination IP address

to talk to that node.

Rusty is really bad at writing documentation, especially for beginners.



10 Thanks

Thanks to Alison, for sitting through the original terrible draft, and telling me how shit it was, in the nicest

possible way.

11 Index

_ 2 (100baseT)

_ 2 (10base2)

_ 2 (10baseT)

_ 4.1 (Broadcast address)

_ 2 (Coax, Coaxial cable)

_ 2 (Computer network)

_ 4 (Default route)

_ 6 (Destination port)

_ 5 (DNS, Domain Name Service)

_ 7 (Dynamic IP address)

_ 2 (Ethernet)

11. Index 10

_ 2 (Fiber)

_ 2 (Gigabit Ethernet)

_ 2 (Hop)

_ 2 (Hub)

_ 3 (Internet)

_ 3.1 (IP, Internet Protocol)

_ 4 (IP address)

_ 8 (IP header)

_ 3.1 (IPv4, IP version 4)

_ 3.1 (IPv6, IP version 6)

_ 2 (LAN, Local Area Network)

_ 2 (Link-level protocol)

_ 2 (Modem)

_ 5 (Name server)

_ 4.1 (Netmask)

_ 4.1 (Network address, network mask)

_ 2 (Network interface, interface)

_ 2 (Network link)

_ 3.1 (Network protocol, protocol)

_ 2 (Node)

_ 8 (Packet body)

_ 8 (Packet header)

_ 8 (Packet sni_er)

_ 1 (Packet)

_ 6 (Port, TCP port, UDP port)

_ 7 (PPP, Point-to-Point Protocol)

_ 7 (PPP daemon)

_ 3.1 (Protocol stack)

_ 2 (Retransmission)

_ 4 (Route)

_ 3.1 (Router)

_ 2 (Routing)

11. Index 11

_ 2 (Sneakernet)

_ 6 (Source port)

_ 2 (Star-topology)

_ 7 (Static IP address)

_ 2 (Sub-network)

_ 3.1 (TCP, Transmission Control Protocol)

_ 8 (TCP header)

_ 2 (Terminator)

_ 2 (Topology)

_ 5 (UDP, User Datagram Protocol)

_ 2 (UTP, Unshielded Twisted Pair)

_ 2 (WAN, Wide Area Network)

No comments: