In our last article we talked about switches and routers, two of the basic building blocks of the internet. In that article we mentioned that wires, switches and routers comprise the first three “layers” of a larger internet stack.
Today, we will zoom out and discuss what the other layers do, all the way up to Layer 7. We will analyze a message sent across the internet and witness its journey through all these layers.
Let’s go over the OSI model first. The OSI (Open Systems Interconnection) model consists of seven “layers of the internet.” They are named:
- 1) Physical
- 2) Datalink
- 3) Network
- 4) Transport
- 5) Session
- 6) Presentation
- 7) Application
We talked about the Physical, Datalink, and Network layers in our last article; they consist of ethernet cables, MAC addresses, and IP addresses.
The Transport layer most commonly uses the TCP and UDP protocols to manage the ports that computers use to connect with each other. TCP in particular provides error checking and authentication to ensure the data is correct (see our next article for details). The Session layer is responsible for maintaining the connection between computers. The Presentation layer is where you’ll see formatting of the information being communicated, such as file types and encryption. Finally, the Application layer is for end-user software such as a web browser, and it uses a wide variety of protocols including HTTP and FTP.
TCP/IP model: Special Case of the OSI Model
The TCP/IP model has the exact same first four layers: Physical, Datalink, Network, and Transport. But it combines layers 5, 6, and 7 into the Application Layer. This is because, as technology progressed, many things in Layers 5 and 6 came to be dealt with in Layers 4 and 7.
In recent years, the TCP/IP model has become more popular, while the OSI model leaves its legacy as the application layer is still referred to as layer 7.
Let’s say we have a network setup exactly like in the picture above. Your computer is connected to a switch, then a router, another switch, then to a server. You want to access a website that is hosted on the server. In your browser, you type in the URL of the website and hit enter.
Your message will be sent first to the DNS server within your network, in order to figure out which IP address the URL represents. Now that you know the IP address of the website's server, you can send your GET request to display the website.
As the contents of the GET request pass through the various layers, headers are added to the data. These headers contain information useful to the server at delivery.
The message is first encapsulated in an HTTPS header, containing information about the type of request. Then it is encapsulated in a Layer 4 (TCP) header, which contains the source and destination ports. Messages at Layer 4 are divided into segments. The message will then be encapsulated in a Layer 3 header, containing the source and destination IP addresses. The segments will henceforth be known as packets. The packets will be processed by Layer 2, which attaches both a head and a tail to the data. At this stage the packets are now called frames. Finally, the message is sent over ethernet cables (Layer 1 hardware) to the router.
Upon arrival at the router, the router de-encapsulates the message to figure out what IP to send it to. An ARP frame goes out to retrieve the MAC address of the destination IP. The router re-encapsulates the message with a Layer 2 head and tail. The second switch (in the server’s private network) receives and sends this message to the server.
The server de-encapsulates every layer to open the HTTPS message. It now knows that you sent a GET request to be able to display the website. The server sends the contents of the webpage to you, repeating the process all over again.
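The encapsulation and de-encapsulation steps above can be reproduced byte for byte. The following is an added example, not code from the original article: it wraps a GET request in TCP, IPv4 and Ethernet headers plus an Ethernet frame check sequence (the "tail"), then unwraps it the way the server would. All addresses, ports and the hostname are constructed sample values, and plain HTTP stands in for HTTPS so the payload stays readable.

```python
import socket
import struct
import zlib

# Constructed sample values (assumptions, not from the article).
SRC_MAC, DST_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.168.1.10", "203.0.113.5"
SRC_PORT, DST_PORT = 49152, 80
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), used by the IPv4 header."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload: bytes) -> bytes:
    # Layer 4: 20-byte TCP header (PSH+ACK; TCP checksum left 0 for brevity) -> segment
    tcp = struct.pack("!HHLLBBHHH", SRC_PORT, DST_PORT, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + payload
    # Layer 3: 20-byte IPv4 header with source/destination IP -> packet
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 6, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    packet = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + segment
    # Layer 2: Ethernet header in front, CRC-32 frame check sequence behind -> frame
    body = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet
    return body + struct.pack("<L", zlib.crc32(body))

def decapsulate(frame: bytes) -> dict:
    # Strip each layer in reverse order, validating before trusting the contents.
    body, fcs = frame[:-4], struct.unpack("<L", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("frame check sequence mismatch")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if body[12:14] != b"\x08\x00" or checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 packet")
    segment = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return {"dst_mac": body[:6].hex(), "dst_ip": socket.inet_ntoa(packet[16:20]),
            "dst_port": dst_port, "src_port": src_port,
            "payload": segment[(segment[12] >> 4) * 4:]}

if __name__ == "__main__":
    print(decapsulate(encapsulate(HTTP_GET)))
```

The frame check sequence and IPv4 checksum only detect accidental corruption; neither authenticates the sender, which is why confidentiality and integrity against an attacker are left to TLS at the upper layers.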
To cover the transport layer in more detail, we’re going to talk about the two main protocols, TCP and UDP. TCP (Transmission Control Protocol) is the more reliable one, incorporating confirmation of data being received. UDP (User Datagram Protocol) sends information without verification and hence is the faster one.
In TCP, there is a three-way handshake that a client makes with a server: a SYN packet sent by the client, followed by a SYN ACK packet sent by the server, then finally an ACK packet sent by the client. SYN means synchronization and ACK means acknowledgement.
This handshake occurs so that the client and server can confirm whether messages are received and can make sure everything is reliably handled.
In UDP, messages from the client are just thrown at the server without verification. This does make the process a lot faster, but some downsides are that packets can be lost in the transaction, or duplicates of messages can be received. All of this and more will be covered in our next article.
SafeHouse is trying to enhance the security of communications across networks such as in the example above. We want to do this through dynamic honeypots to fool hackers. Read more at www.safehouse.dev.