OSI Seven-Layer Model
In the 1980s, the European-dominated International Organization for Standardization (ISO)
began to develop its Open Systems Interconnection (OSI) networking suite. OSI has
two major components: an abstract model of networking (the Basic Reference
Model, or seven-layer model) and a set of concrete protocols. The standards
documents that describe OSI are sold by ISO rather than published freely online.
Parts of OSI have influenced Internet protocol development, but none more than the
abstract model itself, documented in ISO 7498 and its various addenda. In this
model, a networking system is divided into layers. Within each layer, one or more
entities implement its functionality. Each entity interacts directly only with the layer
immediately beneath it and provides facilities for use by the layer above it. Protocols
enable an entity in one host to interact with a corresponding (peer) entity at the same layer
in a remote host.
The seven layers of the OSI Basic Reference Model are (from bottom to top):
1. The Physical Layer describes the physical properties of the various
communications media, as well as the electrical properties and
interpretation of the exchanged signals. Ex: this layer defines the size of
Ethernet coaxial cable and the type of BNC connector used.
2. The Data Link Layer describes the logical organization of data bits
transmitted on a particular medium. Ex: this layer defines the framing,
addressing and checksumming of Ethernet frames.
3. The Network Layer describes how a series of exchanges over various
data links can deliver data between any two nodes in a network. Ex: this
layer defines the addressing and routing structure of the Internet (IP).
4. The Transport Layer describes the quality and nature of the data
delivery. Ex: this layer defines if and how retransmissions will be used to
ensure data delivery (TCP does, UDP does not).
5. The Session Layer describes the organization of data sequences larger
than the packets handled by lower layers. Ex: this layer describes how
request and reply packets are paired in a remote procedure call.
6. The Presentation Layer describes the syntax of data being transferred.
Ex: this layer describes how floating point numbers can be exchanged
between hosts with different native number formats.
7. The Application Layer describes how real work actually gets done. Ex:
this layer would implement file system operations (remote file access).
Here are some of the fundamental parts of a network:
• Network - A network is a group of computers connected together in a way that allows
information to be exchanged between the computers.
• Node - A node is anything that is connected to the network. While a node is typically a
computer, it can also be something like a printer or CD-ROM tower.
• Segment - A segment is any portion of a network that is separated, by a switch, bridge
or router, from other parts of the network.
• Backbone - The backbone is the main cabling of a network that all of the segments
connect to. Typically, the backbone is capable of carrying more information than the
individual segments. For example, each segment may have a transfer rate of 10 Mbps
(megabits per second), while the backbone may operate at 100 Mbps.
• Topology - Topology is the way that each node is physically connected to the network
(more on this in the next section).
• Local Area Network (LAN) - A LAN is a network of computers that are in the same
general physical location, usually within a building or a campus. If the computers are far
apart (such as across town or in different cities), then a Wide Area Network (WAN) is used.
• Network Interface Card (NIC) - Every computer (and most other devices) is
connected to a network through a NIC. In most desktop computers, this is an Ethernet
card (normally 10 or 100 Mbps) that is plugged into a slot on the computer's motherboard.
• Media Access Control (MAC) address - This is the hardware address of any device --
such as the NIC in a computer -- on the network. The MAC address is 6 bytes long and is
made up of two equal parts: the first 3 bytes are the Organizationally Unique Identifier
(OUI) that identifies the company that made the NIC, and the second 3 bytes are a serial
number assigned by that company. The address is burned into the NIC but can be overridden
in software on most operating systems, so it must not be treated as proof of a device's identity.
• Unicast - A unicast is a transmission from one node addressed specifically to another node.
• Multicast - In a multicast, a node sends a packet addressed to a special group address.
Devices that are interested in this group register to receive packets addressed to the
group. An example might be a Cisco router sending out a routing update to all of the other
routers listening on that group.
• Broadcast - In a broadcast, a node sends out a packet that is intended for transmission
to all other nodes on the network.
LAN switches rely on packet switching. The switch establishes a connection between two
segments just long enough to send the current frame. Incoming frames are saved to a
temporary memory area (buffer); the destination MAC address contained in the frame's
header is read and then compared to the list of addresses maintained in the switch's lookup
table, which the switch builds by noting the source address and arrival port of every frame it sees.
In an Ethernet-based LAN, an Ethernet frame carries a normal (IP) packet as its payload,
with a header that includes the MAC addresses of the source and destination of the frame.
Packet-based switches use one of three methods for forwarding traffic:
Cut-through switches read the destination MAC address as soon as a frame starts arriving. After
storing the 6 bytes that make up the address, they immediately begin sending the
frame out of the destination port, even as the rest of the frame is still coming into the switch.
A switch using store-and-forward saves the entire frame to the buffer and checks its frame
check sequence (CRC) for errors before sending. If the frame has an error, it is discarded. Otherwise, the
switch looks up the MAC address and sends the frame on to the destination port. Many switches
combine the two methods, using cut-through until a certain error rate is reached and then
changing over to store-and-forward. Very few switches are strictly cut-through, since this provides
no error checking: a corrupted frame is already on its way out before the CRC can be examined.
A less common method is fragment-free. It works like cut-through except that it stores
the first 64 bytes of the frame before sending it on. The reason for this is that most
errors, and all collisions, show up within the first 64 bytes of a frame (the Ethernet minimum frame size).
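To make the frame layout and the store-and-forward decision concrete, here is an added Python example (my own, not code from this page): it builds Ethernet II frames with a CRC-32 frame check sequence, classifies destination addresses as unicast, multicast or broadcast from the I/G bit, extracts the OUI, and drives a small learning switch that discards frames whose FCS does not verify. The MAC addresses and payloads are constructed for the example.

```python
import struct
import zlib

# Constructed sample addresses for the example; they belong to no real device.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6
MIN_PAYLOAD = 46          # 14-byte header + 46 + 4-byte FCS = 64-byte minimum frame


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def oui(mac: bytes) -> str:
    """First three bytes: the Organizationally Unique Identifier of the NIC vendor."""
    return mac_str(mac[:3])


def classify_mac(mac: bytes) -> str:
    """I/G bit (bit 0 of the first octet): 0 = unicast, 1 = group; all-ones is broadcast."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (bit 1 of the first octet) is set on addresses assigned in software."""
    return bool(mac[0] & 0x02)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) src(6) type(2) payload(46..1500) FCS(4)."""
    if len(payload) < MIN_PAYLOAD:
        payload = payload + b"\x00" * (MIN_PAYLOAD - len(payload))
    body = dst + src + struct.pack("!H", ethertype) + payload
    # The FCS is CRC-32 over everything after the preamble; it is sent least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, payload); raise ValueError for runts or a bad FCS."""
    if len(frame) < 64:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        raise ValueError("FCS mismatch")
    ethertype = struct.unpack("!H", body[12:14])[0]
    return body[:6], body[6:12], ethertype, body[14:]


class StoreAndForwardSwitch:
    """Learns source addresses per port; floods unknown unicast, multicast and broadcast."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC -> port on which that MAC was last seen as a source

    def receive(self, in_port, frame: bytes):
        """Return the list of ports the frame is forwarded to ([] when discarded)."""
        try:
            dst, src, _, _ = parse_frame(frame)
        except ValueError:
            return []                       # store-and-forward: corrupted frames never leave the buffer
        self.table[src] = in_port           # learning step
        if classify_mac(dst) == "unicast" and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]   # filter frames already on the right segment
        return [p for p in self.ports if p != in_port]   # flood everything else
```

Note that the learning step trusts the source address in whatever frame arrives: a host can populate the table with any address it likes, which is exactly why the MAC address is not an authentication credential.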
Network Address Translation (NAT) Makes Private IPs Public
Your router/firewall will frequently be configured to give the impression to other
devices on the Internet that all the hosts on your home/office network have a valid
public IP address, and not a "private" IP address. This is called network address
translation (NAT) and is often also called IP masquerading in the Linux world.
There are many good reasons for this; the two most commonly stated are:
• No one on the Internet sees your hosts' true IP addresses. NAT lets your home
PCs use IP addresses from "private" IP address space (RFC 1918: 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16) that is not routed over the Internet. Packets
sent to a "private" IP will never pass over the Internet, so an outside host cannot
address an internal system directly: an unsolicited inbound packet only reaches an
internal host if the NAT device holds a mapping for it. This is a side effect of the
translation, not a substitute for firewall rules: the NAT device itself, any port
forwards, and every connection an internal host initiates are still exposed.
• Hundreds of PCs and servers behind a NAT device can masquerade as a
single public IP address. This greatly increases the number of devices that
can access the Internet without running out of "public" IP addresses.
You can configure NAT to be one-to-one, in which you ask your ISP to assign
you a number of public IP addresses to be used on the Internet-facing interface of
your firewall and then pair each of these addresses with a corresponding server on
your protected private IP network. You can also use many-to-one NAT (port address
translation, PAT), in which the firewall maps many hosts on the private network to a
single public IP address and tells their connections apart by the translated source port.
As a general rule, you won't be able to access the public NAT IP addresses from
hosts on your home network unless the device supports hairpin (NAT loopback). Basic NAT
testing therefore requires a connection from outside, for example asking a friend to
connect to your home network from the Internet or using a mobile data connection.
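The translation table behind both NAT styles, as an added Python example (mine, not from the page): outbound packets from the private network get a dynamic public port under the shared address (many-to-one), hosts with a one-to-one mapping keep their ports and get their own public address, inbound packets are translated only when a mapping exists, and the hairpin case from the text is refused. Addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"                              # constructed public address of the firewall
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed private network behind it


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatDevice:
    """Many-to-one NAT (PAT) on PUBLIC_IP, plus optional one-to-one mappings."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}          # (proto, private ip, private port) -> public port
        self.in_map = {}           # (proto, public port) -> (private ip, private port)
        self.one_to_one = {}       # public ip -> private ip
        self.one_to_one_rev = {}   # private ip -> public ip

    def add_one_to_one(self, public_ip: str, private_ip: str) -> None:
        self.one_to_one[public_ip] = private_ip
        self.one_to_one_rev[private_ip] = public_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network, creating a dynamic mapping on first use."""
        if ipaddress.ip_address(pkt.src) not in PRIVATE_NET:
            raise ValueError("not from the private network")
        if pkt.src in self.one_to_one_rev:           # one-to-one: address rewritten, ports untouched
            return Packet(self.one_to_one_rev[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet; None means the packet is dropped."""
        if ipaddress.ip_address(pkt.src) in PRIVATE_NET:
            return None                               # no hairpin: inside hosts cannot use the public IP
        if pkt.dst in self.one_to_one:                # one-to-one exposes every port of that server
            return Packet(pkt.src, pkt.sport, self.one_to_one[pkt.dst], pkt.dport, pkt.proto)
        if pkt.dst != self.public_ip:
            return None
        entry = self.in_map.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                               # unsolicited: no inside host opened this port
        priv_ip, priv_port = entry
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.proto)
```

A real device also ages mappings out and, for TCP, tracks connection state; the one-to-one branch shows why a server given a public address this way needs firewall rules of its own, since every port on it becomes reachable.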
The MAC Address
The media access control (MAC) address can be equated to the serial number of the
NIC. Every IP packet is sent out of your NIC wrapped inside an Ethernet frame that
uses MAC addresses to direct traffic on your locally attached network.
MAC addresses therefore have significance only on the locally attached network. As the
packet hops across the Internet, its source/destination IP addresses stay the same, but
each router strips the old frame and builds a new one, with its own MAC address as the
source and the next hop's MAC address as the destination, found using a process called ARP.
How ARP Maps the MAC Address to Your IP Address
The Address Resolution Protocol (ARP) is used to map IP addresses to MAC
addresses. When a server needs to communicate with another server it does the following:
1. The server first checks its routing table to see which router provides the next
hop to the destination network.
2. If there is a valid router, let's say with an IP address of 192.168.1.1, the server
checks its ARP table to see whether it has the MAC address of the router's
NIC. You could very loosely view this as the server trying to find the Ethernet
serial number of the next hop router on the local network, thereby ensuring
that the packet is sent to the correct device.
3. If there is an ARP entry, the server sends the IP packet to its NIC and tells the
NIC to encapsulate the packet in a frame destined for the MAC address of the router.
4. If there is no ARP entry, the server issues an ARP request asking that router
192.168.1.1 respond with its MAC address so that the delivery can be made.
When a reply is received, the packet is sent and the ARP table is
subsequently updated with the new MAC address.
5. As each router in the path receives the packet, it plucks the IP packet out of
the Ethernet frame, leaving the MAC information behind. It then inspects the
destination IP address in the packet and uses its routing table to determine the
IP address of the next router on the path to this destination.
6. The router then uses the "ARP-ing" process to get the MAC address of this
next hop router. It then reencapsulates the packet in an Ethernet frame with
the new MAC address and sends the frame to the next hop router. This
relaying process continues until the packet reaches the target computer.
7. If the target server is on the same network as the source server, a similar
process occurs. The ARP table is queried. If no entry is available, an ARP
request is made asking the target server for its MAC address. Once a reply is
received, the packet is sent and the ARP table is subsequently updated with
the new MAC address.
8. The server will not send the data to its intended destination unless it has an
entry in its ARP table for the next hop. If it doesn't, the application needing to
communicate will issue a timeout or time exceeded error.
9. As can be expected, the ARP table contains only the MAC addresses of devices
on the locally connected network. ARP entries are not permanent and will be
erased after a fixed period of time depending on the operating system used.
ARP carries no authentication: any host on the segment can answer a request, or send an
unsolicited reply, claiming the router's IP address, and most stacks will cache what they
receive. This is the basis of ARP spoofing; static ARP entries for critical hosts, or dynamic
ARP inspection on managed switches, limit it.
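The nine steps above, as an added Python example (mine, not the page's): real RFC 826 ARP packets for IPv4 over Ethernet are built and parsed, a host decides whether the next hop is the destination itself or the default router, consults a cache with timeouts, emits a request when needed, and processes the reply. Addresses are constructed. One choice is mine and labelled as such in the code: the host only caches replies it asked for, whereas many real stacks also accept unsolicited ones.

```python
import ipaddress
import struct
import time

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """ARP packet for IPv4 over Ethernet (RFC 826): htype=1, ptype=0x0800, hlen=6, plen=4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sender_mac + ipaddress.ip_address(sender_ip).packed
            + target_mac + ipaddress.ip_address(target_ip).packed)


def parse_arp(pkt: bytes):
    """Return (op, sender MAC, sender IP, target MAC, target IP)."""
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    sha, spa, tha, tpa = pkt[8:14], pkt[14:18], pkt[18:24], pkt[24:28]
    return op, sha, str(ipaddress.ip_address(spa)), tha, str(ipaddress.ip_address(tpa))


class Host:
    def __init__(self, ip: str, prefixlen: int, mac: bytes, gateway: str, arp_timeout: float = 60.0):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        self.mac, self.gateway, self.arp_timeout = mac, gateway, arp_timeout
        self.arp_table = {}     # ip -> (mac, time learned)
        self.pending = set()    # ips with an outstanding request from us

    def next_hop(self, dst_ip: str) -> str:
        """Steps 1 and 7: a directly connected destination is resolved itself, anything else via the router."""
        return dst_ip if ipaddress.ip_address(dst_ip) in self.iface.network else self.gateway

    def cached_mac(self, ip: str, now: float):
        """Step 9: entries older than arp_timeout are discarded."""
        entry = self.arp_table.get(ip)
        if entry is not None and now - entry[1] < self.arp_timeout:
            return entry[0]
        self.arp_table.pop(ip, None)
        return None

    def resolve(self, dst_ip: str, now: float = None):
        """Steps 2-4: (next-hop MAC, None) when cached, else (None, ARP request to broadcast)."""
        now = time.monotonic() if now is None else now
        nh = self.next_hop(dst_ip)
        mac = self.cached_mac(nh, now)
        if mac is not None:
            return mac, None
        self.pending.add(nh)
        return None, build_arp(ARP_REQUEST, self.mac, str(self.iface.ip), ZERO_MAC, nh)

    def handle_arp(self, pkt: bytes, now: float = None):
        """Process a received ARP packet; return a reply to send when we are the target."""
        now = time.monotonic() if now is None else now
        op, sha, spa, tha, tpa = parse_arp(pkt)
        if op == ARP_REQUEST and tpa == str(self.iface.ip):
            self.arp_table[spa] = (sha, now)        # RFC 826: merge the requester's mapping
            return build_arp(ARP_REPLY, self.mac, tpa, sha, spa)
        if op == ARP_REPLY and spa in self.pending:
            # Assumption for this example: only replies we solicited are cached.
            # Many stacks cache unsolicited replies too, which is what ARP spoofing relies on.
            self.pending.discard(spa)
            self.arp_table[spa] = (sha, now)
        return None
```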
A collision domain is a logical network segment where data packets can "collide" with one another
when sent on a shared medium, in particular in the Ethernet networking protocol. This
is an Ethernet term used to describe a network scenario wherein one particular device
sends a frame on a network segment, forcing every other device on that same segment to
pay attention to it.
Put another way, a collision domain is a group of Ethernet or Fast Ethernet devices in a CSMA/CD
LAN that are connected by repeaters and compete for access to the network. This situation is
typically found in a hub environment, where each host segment connects to a hub that represents
only one collision domain and only one broadcast domain. Only one device in the collision domain
may transmit at any one time, and the other devices in the domain listen to the network in
order to avoid data collisions. Collisions decrease network efficiency; if two devices
transmit simultaneously, a collision occurs, and both devices must retransmit at a later time.
The basic strategy (CSMA/CD: carrier sense multiple access with collision detection) goes like this:
• A computer listens on the cable to see if another computer is transmitting, which
is indicated by a voltage change on the cable. If busy, the computer waits and tries again later.
• When the cable is not busy, a computer attempts to transmit.
• Another computer may attempt to transmit at the same time, which causes a collision.
• Both computers that attempted to transmit must back off, wait a random period of
time, and then attempt to transmit again.
Computers on the network detect collisions by looking for abnormally changing voltages.
Signals from multiple systems overlap and distort one another. Overlapping signals
push the voltage outside the allowable range. This is detected by the attached computers, which
abort their transmissions and discard the resulting truncated frames (called runts, frames
shorter than the 64-byte minimum).
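The "wait a random period of time" step is truncated binary exponential backoff. The following is an added simulation (my own code, not from the page) of several stations sharing one collision domain: after its n-th collision a station waits a random number of slot times in [0, 2^min(n,10) - 1] and gives up after 16 attempts, which is the behaviour the Ethernet standard specifies. Station counts and the random seed are constructed inputs.

```python
import random

SLOT_TIME_BITS = 512   # 10/100 Mb/s slot time: 512 bit times, i.e. the 64-byte minimum frame
MAX_ATTEMPTS = 16      # after 16 failed attempts the frame is discarded ("excessive collisions")
BACKOFF_CAP = 10       # the backoff window stops doubling after the 10th collision


def backoff_slots(collisions: int, rng: random.Random) -> int:
    """After the n-th collision wait k slot times, k drawn uniformly from [0, 2^min(n,10) - 1]."""
    if not 1 <= collisions < MAX_ATTEMPTS:
        raise ValueError("collision count out of range")
    return rng.randrange(2 ** min(collisions, BACKOFF_CAP))


def simulate(n_stations: int, rng: random.Random):
    """Every station has one frame queued at slot 0 and all share one collision domain.

    Returns (slots elapsed, attempts made per station, stations that gave up).
    """
    next_try = [0] * n_stations     # slot at which each station next senses the cable idle and sends
    done = [False] * n_stations
    attempts = [0] * n_stations
    dropped = []
    slot = 0
    while not all(done):
        ready = [i for i in range(n_stations) if not done[i] and next_try[i] <= slot]
        if len(ready) == 1:         # a single transmitter: the frame goes through
            attempts[ready[0]] += 1
            done[ready[0]] = True
        else:                       # two or more sent in the same slot: all of them detect the collision
            for i in ready:
                attempts[i] += 1
                if attempts[i] >= MAX_ATTEMPTS:
                    done[i] = True
                    dropped.append(i)
                else:
                    next_try[i] = slot + 1 + backoff_slots(attempts[i], rng)
        slot += 1
    return slot, attempts, dropped


def run_demo(n_stations: int = 8, seed: int = 7):
    """Deterministic run for a constructed scenario (seeded RNG)."""
    return simulate(n_stations, random.Random(seed))
```

Each slot admits at most one successful frame, so the run can never finish in fewer slots than there are stations; the random backoff is what spreads the retries out so that the contention resolves instead of repeating forever.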
A broadcast domain is a logical division of a computer network in which all nodes can
reach each other by broadcast at the data link layer.
In terms of current popular technologies: any computer connected to the same Ethernet
repeater or switch is a member of the same broadcast domain. Further, any computer
connected to the same set of inter-connected switches/repeaters is a member of the same
broadcast domain. Routers and other higher-layer devices form boundaries between
broadcast domains, and VLANs split a single switch into several of them.
This is as compared to a collision domain, which would be all nodes on the same set of
inter-connected repeaters, divided by switches and learning bridges. Collision domains
are generally smaller than, and contained within, broadcast domains. Because every node in a
broadcast domain receives every broadcast, including ARP, the broadcast domain is also the
reach of link-layer attacks such as ARP spoofing.
Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) is one of the core protocols of the
Internet protocol suite. It is chiefly used by the operating systems of networked computers
and by routers to send error messages, indicating, for instance, that a requested service is
not available or that a host or router could not be reached.
From a strictly technical perspective, ICMP is carried directly inside IP, like the transport
protocols. However, it differs in purpose from transport protocols such as TCP and
UDP in that it is not used to carry application data between end systems. It is
usually not used directly by user network applications, with the notable exceptions
of the ping and traceroute tools. As such, ICMP is usually considered to be a "network"-layer
protocol (RFC 792 calls it an integral part of IP). ICMP messages are generated, for example,
when an End System (ES) is not responding, when an IP network is not reachable, when a node is
overloaded, when an error occurs in the IP header information, etc. The protocol is also
frequently used by network managers to verify correct operation of End Systems (ES)
and to check that routers are correctly routing packets to the specified destination address.
Figure: ICMP message generated by router R1 in response to a datagram sent by H0 to H1 and
forwarded by R0. Such a message would be generated, for instance, if the MTU of the link
between R0 and R1 were smaller than the size of the IP packet and the packet had the Don't
Fragment (DF) bit set in its IP header. The ICMP message is returned to H0, since
that is the source address specified in the IP packet that suffered the problem.
Figure: an ICMP message consisting of 4 bytes of PCI (protocol control information) and an optional message payload.
The format of an ICMP message is shown above. The 4-byte header holds an 8-bit type, which
identifies the kind of message, an 8-bit code that qualifies it, and a 16-bit one's-complement
checksum covering the whole ICMP message. In error messages the header is followed by the IP
header and the first 8 bytes of the datagram that caused the error. This payload is, for instance,
used by a sender that receives a Fragmentation Needed message during Path MTU Discovery, so that it
can determine the IP destination address (and, from those 8 bytes of transport header, the
connection) of the packet that resulted in the error.
The figure below shows the encapsulation of ICMP over an Ethernet LAN using an IP
network-layer header, and a MAC link-layer header and trailer containing the 32-bit
frame check sequence (CRC).
Figure: encapsulation of a complete ICMP packet (not showing the Ethernet preamble).
It is the responsibility of the network layer (IP) protocol to ensure that the ICMP message
is sent to the correct destination. This is achieved by setting the destination address of the
IP packet carrying the ICMP message; for an error message it is the source address of the
datagram that caused the problem (taken from that datagram's IP source address field). The
source address is set to the address of the system that generated the ICMP message (the router
or host that detected the error), and the IP protocol field is set to 1 ("ICMP") to indicate that
the packet is to be handled by the remote end system's ICMP handler rather than by TCP or UDP.
A version of ICMP has also been defined for IPv6, called ICMPv6. This subsumes all the
equivalent functions of ICMP for IPv4 and adds other network-layer functions, such as
Neighbor Discovery, which replaces ARP.
The Ping Application
The "ping" program contains a client interface to ICMP. It may be used to
verify that an end-to-end Internet path is operational. The ping program also collects
performance statistics (i.e. the measured round-trip time and the number of times the
remote system fails to reply). Each time an ICMP Echo Reply message is received, the ping
program displays a single line of text showing the received sequence number and the
measured round-trip time (in milliseconds). Each ICMP Echo message carries an identifier
(so that replies can be matched to the right ping process) and a sequence number (starting at 0)
that is incremented after each transmission; most implementations also place a timestamp
indicating the transmission time in the data field, and compute the round-trip time from it
when the reply returns that data unchanged.
Figure: use of the ping program to test whether a particular computer ("sysa") is operational.
The operation of ICMP is illustrated in the frame transition diagram shown above. In this
case there is only one Intermediate System (IS) (i.e. IP router), and two types of
message are involved: the Echo Request (sent by the client) and the Echo Reply (the
response by the server). Each message may contain some optional data; whatever data the
client sends in the request, the server returns unchanged in the reply it generates. ICMP packets
are encapsulated in IP for transmission across an internet.
The Traceroute Application
The "traceroute" program also contains a client interface to ICMP. Like the "ping"
program, it may be used to verify that an end-to-end Internet path is operational, but it
also provides information on each of the Intermediate Systems (i.e. IP routers) found
along the IP path from the sender to the receiver. The variant described here uses ICMP Echo
messages as probes (as Windows tracert does; the classic Unix traceroute sends UDP datagrams to
an unused high port instead and recognises the destination by the ICMP Port Unreachable it
returns). The program starts by sending an ICMP Echo Request message with an IP
destination address of the system to be tested and with a Time To Live (TTL) value set to
1. The first router that receives this packet decrements the TTL and discards the
message, since the TTL now has a value of zero. Before it deletes the message, the router
constructs an ICMP error message (ICMP type 11, "Time Exceeded") and
returns this back to the sender. Receipt of this message allows the sender to identify
which system is one hop away along the path to the specified destination.
• The sender repeats this two more times (three probes per TTL value), each time reporting
the system that received the packet. If all packets travel along the same path, each ICMP error
message will be received from the same system. Where two or more alternate
paths are being used (load balancing), the results may vary between probes.
• If the system that responded was not the intended destination, the sender repeats
the process by sending a set of three identical messages, but using a TTL value
that is one larger than the previous attempt. The first system forwards the packet
(decrementing the TTL value in the IP header), but a subsequent system that
reduces the TTL value to zero, generates an ICMP error message with its own
source address. In this way, the sender learns the identity of another system along
the IP path to the destination.
• This process repeats until the sender receives a response from the intended
destination (or the maximum TTL value is reached).
• Some routers are configured to discard ICMP messages, while others process
them but do not return ICMP error messages. Such routers hide the "topology" of
the network, but can also impair protocols that depend on ICMP errors, such as Path MTU
Discovery. Other routers rate-limit the ICMP errors they generate so that generating them
does not impose a significant load, and therefore do not always respond. When
"traceroute" gets no answer from a hop within its timeout, it prints a "*" character for that probe.
Time to live of IP datagrams
In IPv4, time to live (TTL) is an 8-bit field in the Internet Protocol (IP) header: the
9th octet of the 20-byte header. The time to live value can be thought of as an upper bound on the time
that an IP datagram can exist in an internet system. The TTL field is set by the sender of
the datagram and reduced by every router on the route to its destination. If the TTL field
reaches zero before the datagram arrives at its destination, then the datagram is discarded
and an ICMP error message (type 11, Time Exceeded, code 0) is sent back to the sender. The
purpose of the TTL field is to avoid a situation in which an undeliverable datagram keeps
circulating on an internet system (for example in a routing loop) and the system eventually
becomes swamped by such immortal datagrams. In theory, time to live is measured in seconds, although every
router that forwards the datagram must reduce the TTL by at least one unit. In practice, the
TTL field is reduced by one on every hop. To reflect this practice, the field is named hop
limit in IPv6.
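The ping, traceroute and TTL passages above describe one mechanism from three angles. The following added Python example (my own code, not the page's) builds real ICMP and IPv4 headers with the RFC 1071 checksum, walks Echo Request probes through a constructed chain of routers that decrement the TTL and answer with Time Exceeded (carrying the offending IP header plus 8 bytes, as the text describes), and lets the destination answer with an Echo Reply, so the traceroute loop can be watched hop by hop. The router and host addresses are constructed, and one router is marked silent to produce the "*" case.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, body: bytes) -> bytes:
    """4-byte ICMP header (type, code, checksum over the whole message) plus body."""
    csum = inet_checksum(struct.pack("!BBH", msg_type, code, 0) + body)
    return struct.pack("!BBH", msg_type, code, csum) + body


def parse_icmp(pkt: bytes):
    if inet_checksum(pkt) != 0:          # a correct checksum makes the sum fold to zero
        raise ValueError("bad ICMP checksum")
    msg_type, code, _ = struct.unpack("!BBH", pkt[:4])
    return msg_type, code, pkt[4:]


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header; the TTL is the 9th octet (offset 8)."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    if inet_checksum(pkt[:20]) != 0:
        raise ValueError("bad IP header checksum")
    _, _, total, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ttl": ttl, "proto": proto, "src": str(ipaddress.ip_address(s)),
            "dst": str(ipaddress.ip_address(d)), "payload": pkt[20:total]}


def echo_request(ident: int, seq: int, data: bytes = b"") -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + data)


def time_exceeded(offending_datagram: bytes) -> bytes:
    """Type 11 code 0: 4 unused bytes, then the offending IP header and its first 8 data bytes."""
    return build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4 + offending_datagram[:28])


class Router:
    def __init__(self, addr: str, silent: bool = False):
        self.addr, self.silent = addr, silent      # silent: drops instead of sending ICMP errors

    def forward(self, datagram: bytes):
        """('fwd', datagram with TTL-1) | ('icmp', Time Exceeded datagram) | ('drop', None)."""
        h = parse_ipv4(datagram)
        if h["ttl"] <= 1:
            if self.silent:
                return "drop", None
            return "icmp", build_ipv4(self.addr, h["src"], 64, IPPROTO_ICMP, time_exceeded(datagram))
        return "fwd", build_ipv4(h["src"], h["dst"], h["ttl"] - 1, h["proto"], h["payload"])


def send(path, dst_addr: str, datagram: bytes):
    """Carry the datagram along path; return (responding address or None, ICMP type or None)."""
    for router in path:
        action, datagram = router.forward(datagram)
        if action == "drop":
            return None, None
        if action == "icmp":
            h = parse_ipv4(datagram)
            return h["src"], parse_icmp(h["payload"])[0]
    h = parse_ipv4(datagram)                          # reached the destination host
    msg_type, _, body = parse_icmp(h["payload"])
    if msg_type == ICMP_ECHO_REQUEST:                 # the body (ident, seq, data) is echoed unchanged
        reply = build_ipv4(dst_addr, h["src"], 64, IPPROTO_ICMP, build_icmp(ICMP_ECHO_REPLY, 0, body))
        return dst_addr, parse_icmp(parse_ipv4(reply)["payload"])[0]
    return dst_addr, None


def traceroute(path, src: str, dst: str, max_ttl: int = 30):
    """Probe with TTL 1, 2, ... until an Echo Reply arrives; '*' marks a hop that stayed silent."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        probe = build_ipv4(src, dst, ttl, IPPROTO_ICMP, echo_request(0x1234, ttl - 1))
        responder, msg_type = send(path, dst, probe)
        hops.append(responder or "*")
        if msg_type == ICMP_ECHO_REPLY:
            break
    return hops
```

The Time Exceeded message is addressed to the probe's source and sent from the router's own address, which is how the sender learns each hop; the copied header and 8 bytes are what let it match the error to the probe it sent.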