WEBVTT

0:00:02.840000 --> 0:00:08.020000
Hello and welcome to this video on the TCP three-way handshake.

0:00:08.020000 --> 0:00:12.320000
In this video, the topics I'm going to cover are the purpose of the three-way

0:00:12.320000 --> 0:00:18.220000
handshake. I'm going to define things called TCBs and sockets.

0:00:18.220000 --> 0:00:22.220000
We're going to look at the difference between TCP active opens and TCP

0:00:22.220000 --> 0:00:27.340000
passive opens. We're going to look at what specifically within the TCP

0:00:27.340000 --> 0:00:32.900000
header is used to work with the three-way handshake.

0:00:32.900000 --> 0:00:39.560000
I'm going to do an animation of how TCP connections are created.

0:00:39.560000 --> 0:00:44.520000
So the TCP three-way handshake, what is its purpose?

0:00:44.520000 --> 0:00:48.960000
So if you've been watching any of my videos on TCP or you've learned about

0:00:48.960000 --> 0:00:54.320000
TCP elsewhere, you've probably learned that one of the big differentiators

0:00:54.320000 --> 0:01:00.200000
of TCP versus UDP is that TCP is what's called connection oriented.

0:01:00.200000 --> 0:01:04.440000
And one of the things that I stress when I stress what that means is that

0:01:04.440000 --> 0:01:10.020000
TCP, before it sends any data to a destination, first validates: is that

0:01:10.020000 --> 0:01:11.400000
destination alive?

0:01:11.400000 --> 0:01:12.760000
Is he actually there?

0:01:12.760000 --> 0:01:16.760000
If the destination is there, then he says, okay, let me negotiate some

0:01:16.760000 --> 0:01:21.760000
parameters with you up front that are going to control the flow of the sequence

0:01:21.760000 --> 0:01:24.180000
of data we're going to exchange back and forth.

0:01:24.180000 --> 0:01:28.920000
The TCP three-way handshake is the critical component in doing all of

0:01:28.920000 --> 0:01:33.800000
that. So it starts the process of opening a connection.

0:01:33.800000 --> 0:01:37.640000
It proves the existence of the destination.

0:01:37.640000 --> 0:01:42.620000
It establishes what the initial sequence numbers are going to be for TCP

0:01:42.620000 --> 0:01:47.460000
segments. And there's an exchange of parameters that takes place.

0:01:47.460000 --> 0:01:52.500000
Now, in order to understand the TCP three-way handshake, we have to understand

0:01:52.500000 --> 0:01:54.400000
some terminology first.

0:01:54.400000 --> 0:01:58.500000
This terminology of TCBs and sockets.

0:01:58.500000 --> 0:02:00.640000
So what is a TCB?

0:02:00.640000 --> 0:02:04.200000
It stands for a transmission control block.

0:02:04.200000 --> 0:02:05.680000
Transmission control block.

0:02:05.680000 --> 0:02:09.760000
And like this says here, this is a block of memory space allocated by

0:02:09.760000 --> 0:02:16.540000
a CPU to maintain state information for a single TCP session.

0:02:16.540000 --> 0:02:21.900000
Now, in that TCP, in that TCB, that transmission control block, a big

0:02:21.900000 --> 0:02:26.180000
part of it is TCP socket information.

0:02:26.180000 --> 0:02:29.660000
So what is in a transmission control block?

0:02:29.660000 --> 0:02:32.240000
Well, if I was to draw it here, just to give you sort of a conceptual

0:02:32.240000 --> 0:02:39.820000
idea, let's say that you are your source.

0:02:39.820000 --> 0:02:44.160000
So you, the source, are 1.1.1.1.

0:02:44.160000 --> 0:02:48.960000
And you just opened up a web browser.

0:02:48.960000 --> 0:02:52.700000
So that's going to be HTTP.

0:02:52.700000 --> 0:03:01.260000
And you're going to be going to a destination of 2.2.2.2.

0:03:01.260000 --> 0:03:05.840000
Well, a transmission control block is going to be created for that.

0:03:05.840000 --> 0:03:10.080000
So for example, part of that transmission control block is going to be

0:03:10.080000 --> 0:03:12.000000
your IP information.

0:03:12.000000 --> 0:03:14.480000
1.1.1.1 is going to be you.

0:03:14.480000 --> 0:03:16.800000
You're going to be going to 2.2.2.2.

0:03:16.800000 --> 0:03:21.300000
Another part of that transmission control block is going to be the destination

0:03:21.300000 --> 0:03:24.000000
port number you're going to use.

0:03:24.000000 --> 0:03:28.480000
Which in this case, if you're doing HTTP, is going to be port number 80,

0:03:28.480000 --> 0:03:31.860000
and you're going to come up with a random source port number to keep track

0:03:31.860000 --> 0:03:39.280000
of this individual session of information, which might be 51002.

0:03:39.280000 --> 0:03:43.000000
So that's going to be in there.

0:03:43.000000 --> 0:03:49.920000
You're also going to have, as data is coming in and going out, that data

0:03:49.920000 --> 0:03:52.500000
is going to be stored in memory.

0:03:52.500000 --> 0:03:58.500000
Okay, maybe for this particular session, memory cell location number A,

0:03:58.500000 --> 0:04:02.180000
all the way through memory cell location number Z is where all that memory

0:04:02.180000 --> 0:04:02.860000
is going to be stored.

0:04:02.860000 --> 0:04:05.360000
So that's also going to be here in this transmission control block.

0:04:05.360000 --> 0:04:10.360000
Well, to say memory location A through Z, that's going to be where all

0:04:10.360000 --> 0:04:12.560000
the information is actually stored.

0:04:12.560000 --> 0:04:16.280000
And a lot of other stuff, your sliding window mechanism, you know, bytes

0:04:16.280000 --> 0:04:26.740000
received, bytes transmitted, everything TCP needs to keep track of the

0:04:26.740000 --> 0:04:30.840000
session and the flow of the session and what's currently outstanding,

0:04:30.840000 --> 0:04:32.180000
what currently needs to be acknowledged.

0:04:32.180000 --> 0:04:37.440000
All of that will be kept here inside this transmission control block.

0:04:37.440000 --> 0:04:42.100000
So, how is this created?

0:04:42.100000 --> 0:04:44.020000
How's the transmission control block created?

0:04:44.020000 --> 0:04:45.540000
Well, I just showed you one way.

0:04:45.540000 --> 0:04:49.740000
One way is where you decide you're going to start at HTTP.

0:04:49.740000 --> 0:04:51.160000
You pulled open a web browser.

0:04:51.160000 --> 0:04:52.720000
You pulled open a web page.

0:04:52.720000 --> 0:04:58.960000
There are two ways this could happen.

0:04:58.960000 --> 0:05:02.120000
So one way is what's called an active open.

0:05:02.120000 --> 0:05:03.620000
And that's what I just drew.

0:05:03.620000 --> 0:05:05.760000
And we'll look at that again on the next slide.

0:05:05.760000 --> 0:05:08.400000
And there's also something called passive opens.

0:05:08.400000 --> 0:05:12.520000
So just to recap what I just talked about, TCP active opens, this happens

0:05:12.520000 --> 0:05:17.020000
on you. Your TCP client, your smartphone, your tablet, your laptop.

0:05:17.020000 --> 0:05:21.100000
The moment you open up an application, the moment you open up a new browser

0:05:21.100000 --> 0:05:24.140000
and your web browser, anything that you're going to do, you're going to

0:05:24.140000 --> 0:05:28.580000
do it. And the moment you open up a new browser, you're going to open

0:05:28.580000 --> 0:05:29.780000
up a transmission control block.

0:05:29.780000 --> 0:05:35.340000
And this transmission control block is not going to be created

0:05:35.340000 --> 0:05:38.860000
until you start the application request.

0:05:38.860000 --> 0:05:40.720000
So that's why we call it an active open.

0:05:40.720000 --> 0:05:45.760000
You had to actively do something to get TCP to recognize, oh, I should

0:05:45.760000 --> 0:05:50.720000
probably create a TCB.

0:05:50.720000 --> 0:05:55.560000
Then once your transmission control block is created, now you can send

0:05:55.560000 --> 0:05:57.340000
out your TCP SYN.

0:05:57.340000 --> 0:05:59.240000
Keith, what's a TCP SYN?

0:05:59.240000 --> 0:06:00.280000
Oh, we'll get there.

0:06:00.280000 --> 0:06:01.020000
That's coming up.

0:06:01.020000 --> 0:06:06.220000
But just be aware that you can't send out anything related to TCP until

0:06:06.220000 --> 0:06:09.980000
your transmission control block is sitting there ready and waiting to

0:06:09.980000 --> 0:06:16.820000
go. By the way, on this slide it says ISN; that stands for initial sequence

0:06:16.820000 --> 0:06:20.220000
number. The initial sequence number that you're going to be putting in

0:06:20.220000 --> 0:06:23.340000
your very first TCP segment.

0:06:23.340000 --> 0:06:26.800000
Now what about the other side?

0:06:26.800000 --> 0:06:33.460000
The TCP server. So you've got your TCP server sitting out there and they're

0:06:33.460000 --> 0:06:35.660000
recognizing in advance certain things.

0:06:35.660000 --> 0:06:40.200000
So for example, if I have a web server, okay, if I have a web server,

0:06:40.200000 --> 0:06:43.680000
a Linux or a Ubuntu server or something like that, and it's running Apache

0:06:43.680000 --> 0:06:50.720000
or some web server application, I'm going to put my files in there, my

0:06:50.720000 --> 0:06:54.640000
graphics, whatever my web page content is, and then I'm going to basically

0:06:54.640000 --> 0:06:58.800000
turn on the web service in that server.

0:06:58.800000 --> 0:07:01.240000
Now that server is not sending anything out.

0:07:01.240000 --> 0:07:04.380000
By turning on the web service, I'm basically turning on his listening

0:07:04.380000 --> 0:07:09.020000
ability to listen to incoming TCP requests.

0:07:09.020000 --> 0:07:13.460000
So he is creating what's called a passive connection or what's called

0:07:13.460000 --> 0:07:20.280000
a passive open. So he's going to create a transmission control block just

0:07:20.280000 --> 0:07:23.280000
like I sort of drew, but some of the elements in there are going to be

0:07:23.280000 --> 0:07:27.480000
undefined. For example, in that block, he's going to put down his own

0:07:27.480000 --> 0:07:31.840000
IP address, but the IP address of the other end of the session, well,

0:07:31.840000 --> 0:07:32.780000
that hasn't happened yet.

0:07:32.780000 --> 0:07:34.300000
So that's going to be empty.

0:07:34.300000 --> 0:07:37.500000
That's waiting to be filled in by some client saying, hey, I'd like to

0:07:37.500000 --> 0:07:40.000000
talk to you. The port numbers.

0:07:40.000000 --> 0:07:44.080000
Well, we're talking about, I just started up the HTTP service in that server.

0:07:44.080000 --> 0:07:45.880000
He will create the port number of 80.

0:07:45.880000 --> 0:07:47.380000
He's listening on that.

0:07:47.380000 --> 0:07:49.120000
But what's the port number coming in?

0:07:49.120000 --> 0:07:50.220000
He doesn't know yet.

0:07:50.220000 --> 0:07:52.780000
He's passively waiting to find that out.

0:07:52.780000 --> 0:07:58.240000
So that's what a passive open is all about.

0:07:58.240000 --> 0:08:00.200000
All right. So let's see.

0:08:00.200000 --> 0:08:03.620000
How does TCP initiate a connection?

0:08:03.620000 --> 0:08:06.300000
You may have heard of the TCP three-way handshake.

0:08:06.300000 --> 0:08:08.160000
What exactly is happening there?

0:08:08.160000 --> 0:08:11.720000
And in order to do that, we're going to be focusing primarily on the control

0:08:11.720000 --> 0:08:17.080000
flags field inside the TCP header.

0:08:17.080000 --> 0:08:23.380000
Okay. So number one, a transmission control block is created as a result

0:08:23.380000 --> 0:08:26.300000
of a passive open on the receiver.

0:08:26.300000 --> 0:08:29.600000
Like I said, the receiver is, for example, your web server.

0:08:29.600000 --> 0:08:33.140000
You just went in there and you activated the web application.

0:08:33.140000 --> 0:08:35.020000
He's now listening.

0:08:35.020000 --> 0:08:37.900000
He has just created a passive open.

0:08:37.900000 --> 0:08:43.580000
Now he sits there for minutes or hours or days until somebody needs to

0:08:43.580000 --> 0:08:49.560000
use him. Now, a few miles or thousands of miles away, somebody opens up

0:08:49.560000 --> 0:08:52.740000
their client and they create an active open.

0:08:52.740000 --> 0:08:57.880000
They open up their web browser and they type in Google.com or something

0:08:57.880000 --> 0:09:03.060000
like that. That creates a transmission control block on them, which is

0:09:03.060000 --> 0:09:04.920000
considered an active open.

0:09:04.920000 --> 0:09:06.340000
So what are they going to do?

0:09:06.340000 --> 0:09:12.460000
Well, they're going to send a TCP message from sender to receiver.

0:09:12.460000 --> 0:09:16.340000
Now here's the thing.

0:09:16.340000 --> 0:09:22.140000
When you open up your web browser, most likely, like 99% of us, it defaults

0:09:22.140000 --> 0:09:24.260000
to some home page, right?

0:09:24.260000 --> 0:09:25.160000
Whatever your home page is.

0:09:25.160000 --> 0:09:27.420000
Hopefully your home page is ine.com.

0:09:27.420000 --> 0:09:30.200000
If it's not, change it there right now.

0:09:30.200000 --> 0:09:32.380000
But let's say your home page is not ine.com.

0:09:32.380000 --> 0:09:35.680000
Let's say it's Google as an example, typical home page.

0:09:35.680000 --> 0:09:37.900000
All right. So here you go.

0:09:37.900000 --> 0:09:40.480000
You just open up your browser.

0:09:40.480000 --> 0:09:41.900000
You open up a tab in your browser.

0:09:41.900000 --> 0:09:45.640000
Go into Google. All right.

0:09:45.640000 --> 0:09:49.380000
With a little box where you can type in, please give me INE.

0:09:49.380000 --> 0:09:53.660000
Okay. So, but in order to display that, okay, now to you, it looks like,

0:09:53.660000 --> 0:09:54.400000
oh, there it is.

0:09:54.400000 --> 0:09:55.160000
It displayed it.

0:09:55.160000 --> 0:10:01.340000
But things had to happen in the background to see that Google tab in the

0:10:01.340000 --> 0:10:09.380000
first place. So what had to happen is the HTTP process had to start up.

0:10:09.380000 --> 0:10:18.160000
It had to create an HTTP GET request or GET message, which basically was

0:10:18.160000 --> 0:10:23.440000
a message saying, hey, Google.com, I'm trying to get your home page.

0:10:23.440000 --> 0:10:24.940000
I'm trying to get that.

0:10:24.940000 --> 0:10:27.520000
So that's what the application creates.

0:10:27.520000 --> 0:10:31.360000
Then HTTP says, hey, TCP, I need you.

0:10:31.360000 --> 0:10:33.260000
I need to use your services.

0:10:33.260000 --> 0:10:35.800000
So that's when this happened.

0:10:35.800000 --> 0:10:39.920000
The active open, and we create a transmission control block with all those

0:10:39.920000 --> 0:10:41.680000
fields I talked about in there.

0:10:41.680000 --> 0:10:45.640000
Source IP address, destination IP address, port numbers, pointers to the

0:10:45.640000 --> 0:10:48.460000
various memory locations and where those are going to be.

0:10:48.460000 --> 0:10:50.700000
Transmission control block was open.

0:10:50.700000 --> 0:10:56.600000
Now, we can't send this HTTP GET message yet because we don't even know

0:10:56.600000 --> 0:10:59.220000
if the Google web server is alive at this point.

0:10:59.220000 --> 0:11:03.720000
So now we have to do the three-way handshake to find out if he's alive.

0:11:03.720000 --> 0:11:05.860000
So this is the process that happens.

0:11:05.860000 --> 0:11:12.200000
So the process that happens is TCP sends its very first segment.

0:11:12.200000 --> 0:11:15.800000
Now, this segment does not have your HTTP inside of it.

0:11:15.800000 --> 0:11:19.220000
It's basically just a TCP header all by itself.

0:11:19.220000 --> 0:11:20.880000
There's no data behind it.

0:11:20.880000 --> 0:11:24.740000
It's an IP header followed by a TCP header, and that's it.

0:11:24.740000 --> 0:11:32.560000
And in the TCP header, in the control field, let's go back here.

0:11:32.560000 --> 0:11:35.880000
Let's just go back to this for just a second.

0:11:35.880000 --> 0:11:42.540000
Remember how the TCP header had the control flags that we see right here?

0:11:42.540000 --> 0:11:47.280000
Well, one of those control flags is called the SYN flag.

0:11:47.280000 --> 0:11:51.040000
It stands for synchronize, meaning I want to synchronize a session with

0:11:51.040000 --> 0:11:54.160000
you. This is my very first TCP segment.

0:11:54.160000 --> 0:11:55.580000
I'd like to synchronize with you.

0:11:55.580000 --> 0:11:57.620000
Synchronize, like, sequence numbers.

0:11:57.620000 --> 0:12:02.700000
There's another flag in here called the ACK flag.

0:12:02.700000 --> 0:12:12.660000
So now that we know that, let's go back to where we just were.

0:12:12.660000 --> 0:12:14.720000
Okay, so here we see this.

0:12:14.720000 --> 0:12:21.080000
So here we see this is our TCP segment going out and it has the SYN bit

0:12:21.080000 --> 0:12:23.640000
set in the control flags.

0:12:23.640000 --> 0:12:25.540000
What does X stand for?

0:12:25.540000 --> 0:12:27.780000
That's his initial sequence number.

0:12:27.780000 --> 0:12:30.740000
Our TCP header has to have a sequence number in it.

0:12:30.740000 --> 0:12:32.380000
So this is going to be some random number.

0:12:32.380000 --> 0:12:34.440000
You can't predict what that's going to be.

0:12:34.440000 --> 0:12:35.620000
It's going to be some random number.

0:12:35.620000 --> 0:12:37.800000
In this case, we're just saying it's X.

0:12:37.800000 --> 0:12:41.280000
So right now the sender is saying, hey, are you there?

0:12:41.280000 --> 0:12:44.820000
And by the way, this is going to be going to, if we were talking about

0:12:44.820000 --> 0:12:53.320000
HTTP, the destination port number in here will be 80.

0:12:53.320000 --> 0:12:56.940000
And then we'll have an IP header in front of this.

0:12:56.940000 --> 0:13:00.480000
So this is the sender's way of saying, you know, knock, knock, knock,

0:13:00.480000 --> 0:13:02.560000
receiver. Are you alive?

0:13:02.560000 --> 0:13:06.680000
If you are alive, are you listening to HTTP on port number 80?

0:13:06.680000 --> 0:13:08.720000
Can you let me know if you're there?

0:13:08.720000 --> 0:13:13.360000
That's the purpose of this initial first TCP segment.

0:13:13.360000 --> 0:13:19.280000
Now the receiver, if he is alive, has to respond to that.

0:13:19.280000 --> 0:13:23.020000
So he receives the SYN with sequence number X.

0:13:23.020000 --> 0:13:25.400000
He's going to generate his own SYN.

0:13:25.400000 --> 0:13:30.880000
Because remember, the very first time I talk to you in this direction,

0:13:30.880000 --> 0:13:33.520000
I raise the SYN flag.

0:13:33.520000 --> 0:13:35.160000
You only see that once.

0:13:35.160000 --> 0:13:39.200000
Now you and I might end up exchanging thousands or tens of thousands of

0:13:39.200000 --> 0:13:43.580000
TCP segments over the course of our talking, but the very first one I

0:13:43.580000 --> 0:13:46.440000
send to you, I'm going to raise the SYN flag.

0:13:46.440000 --> 0:13:51.000000
And the very first one you send to me, you're going to raise the SYN flag.

0:13:51.000000 --> 0:13:55.700000
After that, we'll lower that flag and we will never exchange the SYN flag

0:13:55.700000 --> 0:14:00.620000
ever again. So right here, this is the very first time the receiver is

0:14:00.620000 --> 0:14:02.340000
talking to the sender.

0:14:02.340000 --> 0:14:07.360000
So he generates his own SYN and he puts his own sequence number in there.

0:14:07.360000 --> 0:14:08.940000
So this is kind of interesting.

0:14:08.940000 --> 0:14:13.140000
Notice how there's a sequence number that started in this direction and

0:14:13.140000 --> 0:14:16.500000
there's another sequence number that starts in this direction.

0:14:16.500000 --> 0:14:20.220000
So this X is going to increment every single time something goes from

0:14:20.220000 --> 0:14:24.820000
left to right and Y is going to increment every single time something

0:14:24.820000 --> 0:14:28.920000
goes from right to left.

0:14:28.920000 --> 0:14:35.200000
So notice that in this SYN, here the server, the receiver, is saying, yep,

0:14:35.200000 --> 0:14:38.940000
I'm alive, I'm here, I acknowledge you.

0:14:38.940000 --> 0:14:43.680000
So in the acknowledgment packet, I put whatever your number was plus one.

0:14:43.680000 --> 0:14:48.560000
So if the initial sequence number was, for example, 85, here he'll say

0:14:48.560000 --> 0:14:55.880000
86, which means I'm acknowledging that I have received up to but not including

0:14:55.880000 --> 0:14:56.620000
any other sequence number.

0:14:56.620000 --> 0:15:00.580000
This is called forward explicit acknowledgments here, the way TCP does

0:15:00.580000 --> 0:15:08.800000
that. So the sender now knows that the receiver is alive.

0:15:08.800000 --> 0:15:14.860000
But just like the sender just got an acknowledgment of his sequence number,

0:15:14.860000 --> 0:15:18.260000
he needs to acknowledge the receiver's sequence number.

0:15:18.260000 --> 0:15:23.540000
And this is the third part of the three-way handshake.

0:15:23.540000 --> 0:15:27.580000
He generates what's called an ACK.

0:15:27.580000 --> 0:15:30.460000
Now this is just another TCP segment.

0:15:30.460000 --> 0:15:35.920000
All three of these arrows here represent three distinct IP packets.

0:15:35.920000 --> 0:15:40.140000
Each IP packet has a TCP header with no data behind it.

0:15:40.140000 --> 0:15:44.780000
All we're doing is using the TCP header to raise and lower the SYN or

0:15:44.780000 --> 0:15:49.380000
ACK flags and to set sequence numbers.

0:15:49.380000 --> 0:15:58.560000
So at this point, because the sender has sent out this third thing right

0:15:58.560000 --> 0:16:00.900000
here, he goes into the established state.

0:16:00.900000 --> 0:16:03.640000
He says, OK, this is established.

0:16:03.640000 --> 0:16:07.620000
I'm ready to start sending data to the receiver.

0:16:07.620000 --> 0:16:10.840000
He can see me. I know he's there.

0:16:10.840000 --> 0:16:12.920000
He's acknowledged my sequence number.

0:16:12.920000 --> 0:16:14.300000
We're good to go.

0:16:14.300000 --> 0:16:18.400000
And as soon as this TCP segment gets all the way over to the receiver

0:16:18.400000 --> 0:16:23.740000
and the receiver sees, OK, he acknowledged my sequence number.

0:16:23.740000 --> 0:16:28.860000
Now the receiver can go into the established state.

0:16:28.860000 --> 0:16:34.180000
And that is how the TCP three-way handshake works.

0:16:34.180000 --> 0:16:37.400000
Thank you for watching this video, and I hope you found it useful.