
TCP/IP

In practice, virtually all WebLogic networking occurs over the TCP/IP protocol suite.

TCP/IP stands for Transmission Control Protocol/Internet Protocol, which probably doesn't tell you much. In computer jargon, a protocol is a published set of standards used to define the order and nature of communication across a network. The idea behind protocols is to give programmers working on network software a set of rules which, if followed precisely, will enable two programs written entirely independently of one another (for example, Internet Explorer and the WebLogic server) to open a session, communicate information, and disengage from one another gracefully.

Technically, TCP/IP is not one protocol but rather a collection of them. The TCP portion concerns itself with breaking a stream of data into discrete units called segments, numbering them, retransmitting any that get lost, and handing them to the receiving program in the right order, so that the two ends see a reliable byte stream. The IP portion is concerned with network addressing and with routing each packet across whatever networks lie between sender and receiver; IP by itself makes no promise that a packet will arrive, which is exactly why TCP sits on top of it.

IP Addresses

An IP address (more precisely, an IP version 4 address) is a 32-bit number which, when used in conjunction with a netmask, identifies the position of a host on a network. IP addresses are usually written in dotted-decimal form, one decimal number per byte:

 145.186.47.50 

Note that this format is for the convenience of the human reader only. The computer deals with the 32-bit binary number directly. To make IP address values pronounceable, we place dots at the byte boundaries and translate each byte into a decimal number.

It is also worth noting that the number of available IP addresses is limited by the 32-bit length. Just as a 3-digit decimal number may take on only 1000 possible values:

 10^3 = 1000 

where 10 is the number of possible values of an individual digit and 3 is the length of the number, similarly, the number of possible IP addresses is limited to 2 (the number of possible values of an individual digit) to the 32nd power (the length of the number).

 2^32 = 4294967296 

4294967296 sounds like a large number and in fact is, but it is not infinitely large. Lamentably, a side effect of dividing IP addresses into classes (see "Address Classes," below) was that far fewer than that number of addresses could actually be handed out, few enough that the supply is running out. The successor standard, IPv6, lengthens the address from 32 to 128 bits, but actually moving to it will be at least as big a pain in the butt as Y2K was hyped to be. [1]

[1] It so happens that, like every other able-bodied programmer in the world, I spent a certain amount of time working on the Y2K problem. As you may recall, Y2K was caused by shortsighted programmers of the cold-war era failing to provide adequate space in their variables for a four-digit year. The solution was for shortsighted programmers of the late '90's (actually that's 1990's, ha-ha) to implement solutions like the following:

 if (2_digit_year >= 50) then
 {
     let century = 19
 }
 else
 {
     let century = 20
 }

This will, of course, work fine until the year 2049, at which point any legacy code which uses one of these so-called "fixes" will have to be hunted down and repaired again. I sometimes suspect that if mankind's nature turns out to have a fatal flaw, it will not be lack of compassion or warmongering or any of that other hippie stuff, but rather that we don't handle numbers all that well.

You will probably notice that most of the examples in this book use addresses in the range 192.168.100.1 to 192.168.100.255. These aren't real addresses, at least not ones that you can get to from the Internet. They are part of a range of addresses (192.168.0.0 to 192.168.255.255, together with 10.0.0.0 to 10.255.255.255 and 172.16.0.0 to 172.31.255.255) that was set aside for private networks not connected to the Internet. As such, they are perfect for examples. Because Internet routers do not forward traffic to these addresses, a machine that has only a private address cannot be reached directly from the outside. Do not mistake that for protection in itself, however: anything else on the private network, including a public-facing machine that has been compromised, can reach it as easily as any other neighbor.

A common configuration for WebLogic Server is to have a single publicly accessible IP address that is presented to the public. All requests go to that IP. At the site, however, the requests are intercepted by a load balancer or HTTP server acting as a reverse proxy and routed to a collection of server machines on a private subnet not accessible to the public. The theory is that this configuration reduces the number of machines exposed to the public, and thereby the chance of a security breach; the proxy then becomes the one host whose hardening and patching matter most, since it is the only thing an outsider can touch.

Netmask

Perhaps the steepest portion of the TCP/IP learning curve is the concept of netmasking. Recall that dividing the 32-bit address up into four tidy little 1-byte chunks was just a convenience for humans. In practice, the boundary between the network part and the host part can be anywhere, not just at the byte boundaries.

network bits

Portion of the IP address which specifies the network on which the node exists.

host bits

Portion of the IP address which specifies the node's number within a subnetwork.

The location of the boundary between the network bits and the host bits is defined by the netmask.

In order to understand netmasking, you have to know how to translate dotted octet numbers into their corresponding binary values. In decimal arithmetic we have a ones place, a tens place, a hundreds place, and so on.

Similarly, in binary arithmetic there is a 1's place, a 2's place, a 4's place, an 8's place, and so on.

An Illustrative Example

If you've ever worked a cash register, you know that the way to make change is to hand over the largest denomination that won't be over your limit.

Say you owe a customer $28. You can't give her a $100 bill or a $50 bill, because that would be more than you owe her. The largest bill that is less than what you owe is a $20. For purposes of illustration, let's say you hand it over now, rather than waiting until you have all of her change counted out:

Handed Over    Still Owe
$20            $8

Now you owe her $8.00. You can't give her another $20, because that would be too much change. Nor will a $10 work. The largest bill that is less than what you owe is a $5. So, give her that and adjust the subtotals accordingly:

Handed Over    Still Owe
$20 + $5       $3

You can't give her another $5, because that would be too much. The largest bill that won't put you over the limit is the $1. Hand it over.

Handed Over         Still Owe
$20 + $5 + $1       $2

Can you give her another $1 bill? Yes, because $1 is less than the amount you still owe, $2.00. Hand it over.

Handed Over              Still Owe
$20 + $5 + $1 + $1       $1

Once again, the largest value which is less than or equal to the amount you still owe is the $1 bill, so give her a third $1.

Handed Over                   Still Owe
$20 + $5 + $1 + $1 + $1       $0

Decimal to Binary

The process of translating decimal into binary is very similar. In this sequence of examples, 0 is 0, 1 is 1, and the dash (-) is used as a place holder to show that we don't know what the value is yet. Therefore, when we start off, we have eight dashes, one for each bit in a byte:

 - - - - - - - - 

Say you want to know the binary value for the number 137. The leftmost bit value in a byte is 128. Because 128 is less than 137, you can use it, so mark a 1 in the leftmost bit:

 1 - - - - - - - 

which puts us in the state of

Handed Over    Still Owe
128            9

You can't use 64, because that's greater than 9, so mark a 0 in the 64's place:

 1 0 - - - - - - 

Handed Over    Still Owe
128 + 0        9

Similarly, you can't use 32 or 16 (the next two possibilities), because both of those are greater than your "Still Owe" value of 9. Therefore, you need to mark a 0 in the 32's place to indicate it is unused and another 0 in the 16's place for the same reason:

 1 0 0 0 - - - - 

Handed Over          Still Owe
128 + 0 + 0 + 0      9

Now we're down to the 8's place, and 8 is in fact less than our Still Owe value of 9. So, mark a 1 in the 8's place to indicate that it is to be used:

 1 0 0 0 1 - - - 

which leaves us with:

Handed Over              Still Owe
128 + 0 + 0 + 0 + 8      1

The remainder of the answer is probably obvious, but I'm going to go through it for purposes of illustration. The next "denomination" lower than 8 is 4. 4 is greater than our Still Owe value of 1, so we can't use it. Mark a 0 in the 4's place:

 1 0 0 0 1 0 - - 

Handed Over                  Still Owe
128 + 0 + 0 + 0 + 8 + 0      1

Our next lower denomination, 2, is also greater than our Still Owe value of 1. Mark a 0 in the 2's place.

 1 0 0 0 1 0 0 - 

Handed Over                      Still Owe
128 + 0 + 0 + 0 + 8 + 0 + 0      1

At long last, we come to the 1's place. Because 1 is equal to our Still Owe value, we have the happy privilege of marking a 1 in the 1's place and terminating this exercise.

 1 0 0 0 1 0 0 1 

Handed Over                          Still Owe
128 + 0 + 0 + 0 + 8 + 0 + 0 + 1      0

We now know that the binary representation of the decimal number 137 is 10001001. The same process can be used to determine the binary representation of any decimal number less than or equal to 255, which is the largest possible 8-bit number.

Converting Netmasks to Binary

Because IP addresses and netmasks are, by convention, presented to you already broken up into 1-byte segments, the process described above should carry you through your networking career. For example, the netmask

 255.255.252.0 

converts into the following four 8-bit segments:

 11111111.11111111.11111100.00000000 

Another common netmask, 255.255.255.0, converts as follows :

 11111111.11111111.11111111.00000000 

Using Netmasks

The netmask concept is very simple. As I said earlier, the netmask defines the boundary between the host portion of an IP address and the network portion.

For example, say we have an IP address of 145.186.47.50. The corresponding binary value is:

 145.186.47.50 = 10010001.10111010.00101111.00110010 

Say that this IP address is used with a netmask of 255.255.252.0, which has a binary value of:

 255.255.252.0 = 11111111.11111111.11111100.00000000 

The way to determine which portion of your address is network and which is host is to stack the IP address value on top of the netmask. Any bit in the IP address that has a corresponding value of 1 in the underlying netmask is in the network portion of the IP address. Any bit in the IP address which has a corresponding value of 0 in the underlying netmask is part of the host portion of the IP address. (In machine terms, ANDing the address with the netmask yields the network address; ANDing it with the inverted netmask yields the host number.)

 IP Address:   10010001.10111010.00101111.00110010
 Netmask:      11111111.11111111.11111100.00000000
 Network Part: 10010001.10111010.001011
 Host Part:                          11.00110010
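The two procedures just described, the make-change conversion of a byte from "Decimal to Binary" and the stacking of address on netmask from "Using Netmasks," as an added Python example that is not part of the book or of WebLogic. It works on the text's own address and mask (145.186.47.50 with 255.255.252.0); the function names are my own, and the subnet-membership check at the end is an extension of the text, since the practical question a netmask answers is which hosts can reach each other without going through a router.

```python
# Added example (not from the book): greedy byte-to-binary conversion and netmask
# arithmetic, written to mirror the hand method in the text.

DENOMINATIONS = (128, 64, 32, 16, 8, 4, 2, 1)   # the eight "bills" that make up one byte


def to_binary_byte(value: int) -> str:
    """Convert 0..255 to eight bits by the make-change method: hand over the largest
    bill that does not exceed what is still owed, else leave a 0 in that place."""
    if not 0 <= value <= 255:
        raise ValueError("not a byte value: %d" % value)
    bits = []
    still_owe = value
    for denomination in DENOMINATIONS:
        if denomination <= still_owe:       # use this place: hand the bill over
            bits.append("1")
            still_owe -= denomination
        else:                               # too big: this place stays empty
            bits.append("0")
    return "".join(bits)


def dotted_to_int(dotted: str) -> int:
    """'145.186.47.50' -> the single 32-bit integer the computer actually works with."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted octets: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | octet
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_binary(dotted: str) -> str:
    """Dotted decimal to the dotted binary layout used in the text."""
    dotted_to_int(dotted)                                   # validates the four octets
    return ".".join(to_binary_byte(int(p)) for p in dotted.split("."))


def prefix_length(netmask: str) -> int:
    """Count the network bits. A real netmask is a run of 1s followed by a run of 0s;
    anything else (e.g. 255.255.0.255) is a typo and is rejected."""
    mask = dotted_to_int(netmask)
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("netmask bits are not contiguous: %s" % netmask)
    return ones


def is_valid_netmask(netmask: str) -> bool:
    try:
        prefix_length(netmask)
        return True
    except ValueError:
        return False


def split_address(ip: str, netmask: str) -> dict:
    """Stack the address on the mask: 1-bits in the mask select network bits,
    0-bits select host bits. Returns both views plus the derived addresses."""
    address = dotted_to_int(ip)
    mask = dotted_to_int(netmask)
    plen = prefix_length(netmask)
    host_mask = ~mask & 0xFFFFFFFF
    network = address & mask
    bits = format(address, "032b")
    return {
        "prefix_length": plen,                            # the "/22" of CIDR notation
        "network_bits": bits[:plen],
        "host_bits": bits[plen:],
        "network": int_to_dotted(network),                # address with host bits cleared
        "host_number": address & host_mask,               # the node's number within the subnet
        "broadcast": int_to_dotted(network | host_mask),  # address with host bits all set
        "usable_hosts": max((1 << (32 - plen)) - 2, 0),   # minus network and broadcast
    }


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """Two hosts talk directly (no router) only if their network parts agree."""
    mask = dotted_to_int(netmask)
    return dotted_to_int(ip_a) & mask == dotted_to_int(ip_b) & mask


if __name__ == "__main__":
    print(to_binary_byte(137))                               # 10001001
    print(dotted_to_binary("255.255.252.0"))
    for key, value in split_address("145.186.47.50", "255.255.252.0").items():
        print("%-14s %s" % (key, value))
    print(same_subnet("145.186.47.50", "145.186.44.1", "255.255.252.0"))
```

For 145.186.47.50 with 255.255.252.0 this reports a /22 whose network address is 145.186.44.0, broadcast 145.186.47.255, and host number 818 (binary 1100110010, the host part shown in the table above). In a real script you would reach for the standard library's `ipaddress` module (`ipaddress.ip_network("145.186.47.50/22", strict=False)` gives the same network); the point of doing the arithmetic by hand here is to see that the netmask is nothing more than a bitwise AND.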

Address Classes

IP addresses were originally divided into classes based on the number of network bits they contain. The class, and with it the default netmask, is read off the first byte:

Class      Value of First Byte   Netmask
A          0 to 127              255.0.0.0
B          128 to 191            255.255.0.0
C          192 to 223            255.255.255.0
reserved   224 to 255            (not used for ordinary hosts)

Classful addressing wasted enormous blocks of address space, and since 1993 the Internet has used classless routing (CIDR) instead: the netmask is always stated explicitly, usually as a prefix length such as /22 for 255.255.252.0, and the boundary can fall on any bit. You will still meet the class names in documentation and in the default mask that some tools propose when you type in an address; do not rely on that default, check what the network actually uses.

Name Resolution

As members of the browsing public, we are accustomed to thinking of Web addresses in terms of their domain names. A domain name is an address of the form:

www.abc-corp.com

You may be surprised to learn that those names are of almost no use to your computer. Computers almost never care about English names for things. In order to connect to your server and start downloading information, the Web browser that wishes to be your client must know two things about you:

the IP address of your machine

the port on which your server is listening

However, in all likelihood, when users try to connect to your Web site, all they will have is your domain name. How do we get from the

www.abc-corp.com

printed on your business card to the IP address and port number that the networking software cares about?

The first step in the process is name resolution. Name resolution is the process of looking up the IP address associated with a domain name. Name resolution usually occurs without any help from the end user. When you install networking software on your PC, such as the kind provided by your Internet service provider, part of the installation process is to tell your machine where to go when it needs some name resolution done.

Usually, name resolution is performed by dedicated server machines running DNS, the Domain Name System. No single DNS server holds every address on the Internet. The servers your machine is pointed at are resolvers: they keep a cache of recently looked-up answers, and when asked to resolve a domain name they do not have cached, they ask the servers that are authoritative for that domain (finding them, if need be, by working down from the root servers through the top-level domain). Every answer carries a time-to-live that says how long it may be cached. The details of the name-resolution process aren't really important to you as an administrator. The key point to remember is this:

When you decide to add a new Web site to your server, you must make sure that the Internet at large knows that the domain name you are supporting is associated with the IP address of your server. The actual mechanics of this process are probably outside of your control. In practice, the domain name is registered with a registrar (your Internet service provider will usually do this for you, for a fee) and an address record for it is published in the domain's authoritative DNS zone, pointing at your IP address. You should also allow time for the change to travel from your ISP's DNS servers out to the world at large: resolvers that have the old answer cached keep using it until its time-to-live expires, which can take hours or days.

Once you have found an unclaimed domain name that you can live with and registered it with DNS, the worst is over.

Depending on your architecture, you may choose to use a hardware or software tool to perform address translation. In address translation (NAT), an external IP address, as, for instance, one associated with a Web site, is mapped to one or more internal addresses. This technique is common on large sites where load balancing is necessary.

Ports

Let us assume that the example browser has contacted a DNS server and that name resolution has been completed successfully. Now the browser knows the IP address of the machine that it wants to communicate with.

However, you may recall my saying a couple of pages ago that in order to make a network connection, the client browser also needs to know what port the Web server will be listening on. The machine associated with the IP address you found may be running multiple network services (FTP, telnet, . . .). Each of these services must respond to different requests in different ways. How does the machine keep them separated? The answer is ports.

A port is a secondary 16-bit number associated with an IP address. Ports come in the range 0 to 65535, with 0 reserved, so in practice 1 to 65535. Rather than asking each individual machine which service it associates with which port, it has become customary for all machines connected to the Internet to use the same port for the same service. The term for this custom is "well-known port." The well-known port for Web service is number 80. When HTTP is carried over the Secure Sockets Layer (SSL), the well-known port is 443.

Depending on the capabilities of your hardware, address translation may also be done per port. For example, secure HTTP traffic (port 443) and nonsecure HTTP traffic (port 80) arriving at the same public address can be routed to different servers.

Sockets

A socket is a network programming construct through which two programs communicate across a network. Each end of a TCP connection is a socket, named by an IP address and a port; the connection itself is identified by the combination of all four values: the client's IP address and port, and the server's IP address and port. Only the server's port has to be well known. The client's port is usually an ephemeral one picked by its operating system, which is what lets one browser hold many connections to the same server at once.

Socket connections are requested by the client browser. If there is a server process (such as WebLogic) on the machine at the IP address requested by the client, listening on the well-known port associated with Web connections, that server will accept the connection. At that point, a connected socket exists on each side.

The actual transmission of Web pages occurs across the socket connection.
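The sequence described under "Ports" and "Sockets," as an added Python example that is not part of the book or of WebLogic: a tiny server listens on the loopback address, a client connects to it, and the two exchange one HTTP-style request and response (both constructed here, not captured from a real site). The point is what each side reports about the connection: the same four values, seen from opposite ends. The listener binds to port 0 so the operating system picks a free port; a real Web server would bind to 80.

```python
# Added example (not from the book): one TCP connection on the loopback interface,
# showing the client's ephemeral port and the server's listening port at both ends.
import socket
import threading

# Constructed sample traffic for the demonstration.
REQUEST = b"GET / HTTP/1.0\r\nHost: www.abc-corp.com\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def serve_one(listener: socket.socket, record: dict) -> None:
    """Server side: accept one connection, read the request, answer it, close."""
    conn, peer = listener.accept()
    with conn:
        # (local ip, local port), (remote ip, remote port) as the server sees them.
        record["server_sees"] = (conn.getsockname(), peer)
        data = b""
        while not data.endswith(b"\r\n\r\n"):      # read up to the end of the headers
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
        record["request"] = data
        conn.sendall(RESPONSE)


def demonstrate_connection() -> dict:
    """Listen, connect, exchange one request/response, and report what each side saw."""
    record = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with listener:
        listener.bind(("127.0.0.1", 0))   # port 0: let the OS choose; a Web server uses 80
        listener.listen(1)
        listener.settimeout(5)            # do not hang forever if the client never arrives
        listen_port = listener.getsockname()[1]
        server = threading.Thread(target=serve_one, args=(listener, record))
        server.start()

        client = socket.create_connection(("127.0.0.1", listen_port), timeout=5)
        with client:
            # The client never chose its own port; the OS assigned an ephemeral one.
            record["client_sees"] = (client.getsockname(), client.getpeername())
            client.sendall(REQUEST)
            reply = b""
            while True:
                chunk = client.recv(1024)
                if not chunk:             # server closed the connection: end of response
                    break
                reply += chunk
        server.join()
    record["listen_port"] = listen_port
    record["reply"] = reply
    return record


if __name__ == "__main__":
    seen = demonstrate_connection()
    print("server listens on port", seen["listen_port"])
    print("client sees  local=%s remote=%s" % seen["client_sees"])
    print("server sees  local=%s remote=%s" % seen["server_sees"])
    print(seen["reply"].decode())
```

Run it and compare the two "sees" lines: the client's remote endpoint is the server's local endpoint and vice versa, with the server on the known port and the client on whatever port it was handed. That four-value identity is what a firewall rule, a connection log, or a netstat listing is describing.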

Protocol

The term protocol, as used in computer science, is derived from the term protocol as used in human interaction. Just as diplomats and debutantes have all sorts of rituals that they perform to facilitate a smooth interaction between parties, so do computers. The idea is that computers aren't versatile enough to improvise, so the order and nature of each request, and each response to each request, must be rigidly defined.

All network services use some sort of protocol. Sometimes, as in the case of FTP (File Transfer Protocol) and HTTP (HyperText Transfer Protocol) the names reflect this. The protocol associated with the World Wide Web is HTTP.

SSL

The Secure Sockets Layer, or SSL, is a protocol used to communicate securely across a network. (Its standardized successor is Transport Layer Security, TLS; the name SSL is still used loosely for both, and the SSL versions proper are obsolete and should be disabled.) In principle, SSL can be layered under almost any application protocol. In practice, you will most frequently see it in HTTPS, which is HTTP carried over SSL/TLS.

Briefly, SSL communication occurs as follows.

  • A client sets up an ordinary, nonsecure TCP connection to a server.

  • The client transmits a list of cipher suites which it is prepared to use in this session.

  • The server selects one cipher suite from the list provided by the client.

  • Depending on the particular cipher suite chosen, the server sends one or more of the following:

    a temporary, or ephemeral, key for the key exchange

    a certificate containing information about the server's identity and the server's public key

  • The client validates the server's certificate: that it was issued by a certificate authority the client trusts, that it has not expired, and that the name in it matches the host the client meant to reach. If any of these checks is skipped, the encryption that follows protects against eavesdroppers but not against an impostor server.

  • The client and server use the exchanged keys to agree on a shared session key, and from then on encrypt the traffic with that symmetric key. The public keys serve only to authenticate the server (and optionally the client) and to protect the key exchange; they are not used to encrypt the data itself.

It is worth noting that once an SSL session has been successfully negotiated, the details of the encryption are transparent to the application developer: data written to the secured socket goes out encrypted, and data read from it has already been decrypted. SSL libraries are available for Java, C, and other languages.
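What the "client validates the server's identity" step amounts to in a client library, as an added Python example that is not part of the book or of WebLogic (the book's administration is of a Java server; the standard `ssl` module is used here because it exposes the same three decisions every SSL/TLS client makes). A weak configuration of the kind that gets pasted in to make a certificate error go away is shown beside a hardened one, with a small audit function that tells them apart. The function names are my own.

```python
# Added example (not from the book): client-side TLS settings that decide whether
# the handshake authenticates the server, shown weak and hardened.
import socket
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The 'just make the error go away' configuration. Every setting that gives the
    handshake its security is switched off; shown only to be recognised and rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE       # accept any certificate from anyone: no authentication
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever old protocol the library still has
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the certificate chain against the platform's CA store, check that the
    certificate's name matches the host, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the ways a client context fails to authenticate the server; empty is good."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("certificate name is not checked against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions older than TLS 1.2 are allowed")
    return problems


def connect_https(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> ssl.SSLSocket:
    """Open the nonsecure TCP connection, then run the handshake over it. server_hostname
    is the name the certificate is checked against. Needs the network; not run here."""
    ctx = ctx or hardened_client_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))   # []
```

The weak context still negotiates a cipher, still produces ciphertext on the wire, and still reports a successful handshake; the only thing it has given up is knowing who is on the other end, which is the property the whole exercise exists for. When a connection to your WebLogic server fails with a certificate error, the fix is a certificate that chains to a trusted authority and carries the right host name, never a client that stops checking.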



BEA WebLogic Server Administration Kit
BEA WebLogic Server Administration Kit (Prentice Hall PTR Advanced Web Development)
ISBN: 0130463868
Year: 2002
Pages: 134
Authors: Scott Hawkins
