address autoconfiguration – The IPv6 ND process of automatically configuring IPv6 addresses on an interface.
address resolution – The IPv4 (using ARP) or IPv6 (using ND) process that resolves the MAC address for a next-hop IP address.
Address Resolution Protocol (ARP) – A protocol that uses broadcast traffic on the local network to resolve an IPv4 address to its MAC address.
ARP – See Address Resolution Protocol.
ARP cache – A table for each interface of static or dynamically resolved IPv4 addresses and their corresponding MAC addresses.
ICMP – See Internet Control Message Protocol.
ICMPv6 – Internet Control Message Protocol for IPv6.
IGMP – See Internet Group Management Protocol.
Internet Control Message Protocol (ICMP) – A protocol in the IPv4 Internet layer that reports errors and provides troubleshooting facilities.
Internet Control Message Protocol for IPv6 (ICMPv6) – A protocol in the IPv6 Internet layer that reports errors, provides troubleshooting facilities, and hosts ND and MLD messages.
Internet Group Management Protocol (IGMP) – A protocol in the IPv4 Internet layer that manages multicast group membership on a subnet.
Internet Protocol (IP) – For IPv4, a routable protocol in the IPv4 Internet layer that addresses, routes, fragments, and reassembles IPv4 packets. Also used to denote both IPv4 and IPv6 sets of protocols.
IP – See Internet Protocol.
IPv4 – The Internet layer in widespread use on the Internet and on private intranets. Another term for IP.
IPv6 – The new Internet layer that will eventually replace the IPv4 Internet layer.
MLD – See Multicast Listener Discovery.
Multicast Listener Discovery (MLD) – A set of three ICMPv6 messages that hosts and routers use to manage multicast group membership on a subnet.
name resolution – The process of resolving a name to an address.
ND – See Neighbor Discovery.
neighbor cache – A cache maintained by every IPv6 node that stores the IPv6 address of a neighbor and its corresponding MAC address. The neighbor cache is equivalent to the ARP cache in IPv4.
Neighbor Discovery (ND) – A set of ICMPv6 messages and processes that determine relationships between neighboring nodes. Neighbor Discovery replaces ARP, ICMP router discovery, and the ICMP Redirect message used in IPv4.
Network Basic Input/Output System (NetBIOS) – A standard API for user applications to manage NetBIOS names and access NetBIOS datagram and session services.
NetBIOS – See Network Basic Input/Output System.
router discovery – A Neighbor Discovery process in which a host discovers the local routers on an attached subnet.
TCP – See Transmission Control Protocol.
Transmission Control Protocol (TCP) – A reliable, connection-oriented Transport layer protocol that runs on top of IP.
UDP – See User Datagram Protocol.
User Datagram Protocol (UDP) – An unreliable, connectionless Transport layer protocol that runs on top of IP.
Windows Sockets – A commonly used application programming interface (API) that Windows applications use to transfer data using TCP/IP.
A NetBIOS name is a 16-byte name that identifies a NetBIOS application on the network. A NetBIOS name is either a unique (exclusive) or group (nonexclusive) name. When a NetBIOS application communicates with a specific NetBIOS application on a specific computer, a unique name is used. When a NetBIOS process communicates with multiple NetBIOS applications on multiple computers, a group name is used.
The NetBIOS name identifies applications at the Session layer of the OSI model. For example, the NetBIOS Session service operates over TCP port 139. Because all NetBT session requests are addressed to TCP destination port 139, a NetBIOS application must use the destination NetBIOS name when it establishes a NetBIOS session.
An example of a process using a NetBIOS name is the file and print sharing server service on a Windows-based computer. When your computer starts up, the server service registers a unique NetBIOS name based on your computer’s name. The exact name used by the server service is the 15-character computer name plus a 16th character of 0x20. If the computer name is not 15 characters long, it is padded with spaces up to 15 characters long. Other network services also use the computer name to build their NetBIOS names, and the 16th character is typically used to identify each service.
When you attempt to make a file-sharing connection to a computer running Windows by specifying the computer’s name, the Server service on the file server that you specify corresponds to a specific NetBIOS name. For example, when you attempt to connect to the computer called CORPSERVER, the NetBIOS name corresponding to the Server service is CORPSERVER <20>. (Note the padding using the space character.) Before a file and print sharing connection can be established, a TCP connection must be created. For a TCP connection to be created, the NetBIOS name CORPSERVER <20> must be resolved to an IPv4 address. NetBIOS name resolution is the process of mapping a NetBIOS name to an IPv4 address.
For more information about NetBT and NetBIOS name resolution methods, see Chapter 11, “NetBIOS over TCP/IP.”
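The naming rule described above, as an added Python example that is not part of the original chapter. It builds the 16-byte name for CORPSERVER and goes one step beyond the page by also showing the first-level encoding from RFC 1001, which is the form in which the name appears in NetBT traffic; the function names are hypothetical.

```python
def netbios_name(computer_name: str, suffix: int = 0x20) -> bytes:
    """Return the 16-byte NetBIOS name: 15 padded characters plus the service byte."""
    # Assumption not stated on the page: the name is registered in upper case.
    raw = computer_name.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("computer name must be 1 to 15 ASCII characters")
    return raw.ljust(15, b" ") + bytes([suffix])   # pad with spaces, then the 16th character


def encode_first_level(name16: bytes) -> str:
    """RFC 1001 first-level encoding: every nibble becomes one letter 'A'..'P'."""
    if len(name16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


def decode_first_level(encoded: str) -> tuple:
    """Return (name, suffix) from a 32-letter encoded name seen in a capture."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    # The first 15 bytes are the padded name, the 16th identifies the service.
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


if __name__ == "__main__":
    name = netbios_name("CORPSERVER")        # Server service, 16th character 0x20
    wire = encode_first_level(name)
    print(name, wire, decode_first_level(wire))
```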
Application Programming Interfaces
Windows networking applications use two main application programming interfaces (APIs) to access TCP/IP services in Windows: Windows Sockets and NetBIOS. Figure 2-6 shows these APIs and the possible data flows when using them.
Figure 2-6 Architecture of the Windows Sockets and NetBIOS APIs
Some architectural differences between the Windows Sockets and NetBIOS APIs are the following:
NetBIOS over TCP/IP (NetBT) is defined for operation over IPv4. Windows Sockets operates over both IPv4 and IPv6.
Windows Sockets applications can operate directly over the IPv4 or IPv6 Internet layers, without the use of TCP or UDP. NetBIOS operates over TCP and UDP only.
Packet Multiplexing and Demultiplexing
When a sending host sends an IPv4 or IPv6 packet, it includes information in the packet so that the data within the packet can be delivered to the correct application on the destination. The inclusion of identifiers so that data can be delivered to one of multiple entities in each layer of a layered architecture is known as multiplexing. Multiplexing information for IP packets consists of identifying the node on the network, the IP upper layer protocol, and for TCP and UDP, the port corresponding to the application to which the data is destined. The destination host uses these identifiers to demultiplex, or deliver the data layer by layer, to the correct destination application. The IP packet also includes information for the destination host to send a response.
IP contains multiplexing information to do the following:
Identify the sending node (the Source IP Address field in the IPv4 header or the Source Address field in the IPv6 header).
Identify the destination node (the Destination IP Address field in the IPv4 header or the Destination Address in the IPv6 header).
Identify the upper layer protocol above the IPv4 or IPv6 Internet layer (the Protocol field in the IPv4 header or the Next Header field of the IPv6 header).
For TCP segments and UDP messages, identify the application from which the message was sent (the Source Port in the TCP or UDP header).
For TCP segments and UDP messages, identify the application to which the message is destined (the Destination Port in the TCP or UDP header).
TCP and UDP ports can use any number between 0 and 65,535. Port numbers for client-side applications are typically dynamically assigned when there is a request for service, and IANA pre-assigns port numbers for well-known server-side applications. The complete list of pre-assigned port numbers is listed on .
All of this information is used to provide multiplexing information so that:
The packet can be forwarded to the correct destination.
The destination can use the packet payload to deliver the data to the correct application.
The receiving application can send a response.
When a packet is sent, this information is used in the following ways:
The routers that forward IPv4 or IPv6 packets use the Destination IP Address field in the IPv4 header or the Destination Address in the IPv6 header to deliver the packet to the correct node on the network.
The destination node uses the Protocol field in the IPv4 header or the Next Header field of the IPv6 header to deliver the packet payload to the correct upper-layer protocol.
For TCP segments and UDP messages, the destination node uses the Destination Port field in the TCP or UDP header to demultiplex the data within the TCP segment or UDP message to the correct application.
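The demultiplexing steps above, as an added Python example that is not from the original chapter. It reads the same identifiers (addresses, Protocol or Next Header, and ports) from raw packet bytes; the function name and the sample packets are constructed for illustration, and IPv6 extension headers are not walked.

```python
import ipaddress
import struct

# Upper-layer protocol numbers for the protocols named on this page.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def demultiplex(packet: bytes) -> dict:
    """Return the multiplexing identifiers carried by one IPv4 or IPv6 packet."""
    version = packet[0] >> 4 if packet else 0
    if version == 4 and len(packet) >= 20:
        header_len = (packet[0] & 0x0F) * 4        # IHL counts 32-bit words
        if header_len < 20 or len(packet) < header_len:
            raise ValueError("bad IPv4 header length")
        proto = packet[9]                          # Protocol field
        src, dst = packet[12:16], packet[16:20]
        # Only the first fragment carries the TCP or UDP header.
        first_fragment = (struct.unpack_from("!H", packet, 6)[0] & 0x1FFF) == 0
    elif version == 6 and len(packet) >= 40:
        header_len = 40                            # fixed header only
        proto = packet[6]                          # Next Header field
        src, dst = packet[8:24], packet[24:40]
        first_fragment = True
    else:
        raise ValueError("not a complete IPv4 or IPv6 header")
    info = {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "upper_layer": PROTOCOLS.get(proto, f"protocol {proto}"),
    }
    if proto in (6, 17) and first_fragment:        # TCP and UDP both begin with the ports
        if len(packet) < header_len + 4:
            raise ValueError("truncated TCP or UDP header")
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", packet, header_len)
    return info


def packed(text: str) -> bytes:
    return ipaddress.ip_address(text).packed


# Constructed sample packets (documentation addresses, checksums left at zero).
SAMPLE_V4_TCP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 128, 6, 0,
                            packed("192.0.2.10"), packed("192.0.2.20")) \
    + struct.pack("!HH", 49152, 139)
SAMPLE_V6_UDP = struct.pack("!IHBB16s16s", 0x60000000, 8, 17, 64,
                            packed("2001:db8::10"), packed("2001:db8::20")) \
    + struct.pack("!HHHH", 49153, 53, 8, 0)

if __name__ == "__main__":
    for pkt in (SAMPLE_V4_TCP, SAMPLE_V6_UDP):
        print(demultiplex(pkt))
```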
TCP Three-Way Handshake
A TCP connection is initialized through a three-way handshake. The purpose of the three-way handshake is to synchronize the sequence number and acknowledgment numbers of both sides of the connection and to exchange TCP window sizes. The following steps outline the process for the common situation when a client computer contacts a server computer:
1. The client sends a TCP segment to the server with an initial sequence number for the connection and a window size indicating the size of a buffer on the client to store incoming segments from the server.
2. The server sends back a TCP segment containing its chosen initial sequence number, an acknowledgment of the client’s sequence number, and a window size indicating the size of a buffer on the server to store incoming segments from the client.
3. The client sends a TCP segment to the server containing an acknowledgment of the server’s sequence number.
TCP uses a similar handshake process to end a connection. This guarantees that both hosts have finished transmitting and that all data was received.
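The three handshake steps, as an added Python example that is not from the original chapter. It checks three already-parsed segments against the rule from RFC 793 that each side acknowledges the other's initial sequence number plus one; the Segment type, the function name and the sample values are constructed for illustration.

```python
from typing import NamedTuple

SYN, ACK = 0x02, 0x10      # TCP header flag bits
MOD = 2 ** 32              # sequence numbers are 32 bits wide and wrap around


class Segment(NamedTuple):
    src: str               # "address:port" of the sender
    dst: str
    flags: int
    seq: int               # Sequence Number field
    ack: int               # Acknowledgment Number field
    window: int            # Window field


def check_handshake(s1: Segment, s2: Segment, s3: Segment) -> tuple:
    """Return (ok, reason) for three segments claimed to open one connection."""
    def kind(seg: Segment) -> int:
        return seg.flags & (SYN | ACK)

    if kind(s1) != SYN:
        return False, "step 1 is not a SYN"
    if (s2.src, s2.dst) != (s1.dst, s1.src) or kind(s2) != (SYN | ACK):
        return False, "step 2 is not a SYN-ACK from the server"
    # The SYN consumes one sequence number, so the peer acknowledges ISN + 1.
    if s2.ack != (s1.seq + 1) % MOD:
        return False, "server did not acknowledge the client's sequence number"
    if (s3.src, s3.dst) != (s1.src, s1.dst) or kind(s3) != ACK:
        return False, "step 3 is not an ACK from the client"
    if s3.seq != s2.ack or s3.ack != (s2.seq + 1) % MOD:
        return False, "client did not acknowledge the server's sequence number"
    return True, "handshake complete"


# Constructed exchange; the client's initial sequence number sits at the wrap point.
CLIENT, SERVER = "192.0.2.10:49152", "192.0.2.20:139"
STEP1 = Segment(CLIENT, SERVER, SYN, 0xFFFFFFFF, 0, 64240)
STEP2 = Segment(SERVER, CLIENT, SYN | ACK, 1000, 0, 65535)
STEP3 = Segment(CLIENT, SERVER, ACK, 0, 1001, 64240)

if __name__ == "__main__":
    print(check_handshake(STEP1, STEP2, STEP3))
```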
To use TCP, an application must supply the IP address and TCP port number of the source and destination applications. A port provides a location for sending segments. A unique number identifies each port. TCP ports are distinct and separate from UDP ports even though some of them use the same number. Port numbers below 1024 are well-known ports that the Internet Assigned Numbers Authority (IANA) assigns. Table 2-9 lists a few well-known TCP ports.
TCP Port Number
FTP (data channel)
FTP (control channel)
HTTP used for the World Wide Web
NetBIOS session service
Transmission Control Protocol (TCP)
TCP is a reliable, connection-oriented delivery service. Connection-oriented means that a connection must be established before hosts can exchange data. Reliability is achieved by assigning a sequence number to each segment transmitted. TCP peers, the two nodes using TCP to communicate, acknowledge when they receive data. A TCP segment is the protocol data unit (PDU) consisting of the TCP header and the TCP payload, also known as a segment. For each TCP segment sent containing data, the receiving host must return an acknowledgment (ACK). If an ACK is not received within a calculated time, the TCP segment is retransmitted. RFC 793 defines TCP.
Table 2-8 lists and describes the key fields in the TCP header.
TCP port of sending application.
TCP port of destination application.
Sequence number of the first byte of data in the TCP segment.
Sequence number of the next byte the sender expects to receive from its TCP peer.
Current size of a memory buffer on the host sending this TCP segment to store incoming segments.
A simple mathematical calculation that is used to check for bit-level errors in the TCP segment.
Multicast Listener Discovery (MLD)
MLD is the IPv6 equivalent of IGMP version 2 for IPv4. MLD is a set of ICMPv6 messages exchanged by routers and nodes, enabling routers to discover the set of IPv6 multicast addresses for which there are listening nodes for each attached interface. Like IGMPv2, MLD discovers only those multicast addresses that include at least one listener, not the list of individual multicast listeners for each multicast address. RFC 2710 defines MLD.
Unlike IGMPv2, MLD uses ICMPv6 messages instead of defining its own message structure. The three types of MLD messages are:
Multicast Listener Query – Routers use Multicast Listener Query messages to query a subnet for multicast listeners.
Multicast Listener Report – Multicast listeners use Multicast Listener Report messages to either report interest in receiving multicast traffic for a specific multicast address or to respond to a Multicast Listener Query message.
Multicast Listener Done – Multicast listeners use Multicast Listener Done messages to report that they might be the last multicast group member on the subnet.
Windows Server 2008 and Windows Vista also support MLD version 2 (MLDv2), specified in RFC 3810, which allows IPv6 hosts to register interest in source-specific multicast traffic with their local multicast routers. A host running Windows Server 2008 or Windows Vista can register interest in receiving IPv6 multicast traffic from only specific source addresses (an include list) or from any source except specific source addresses (an exclude list).
A highly useful aspect of IPv6 is its ability to automatically configure itself without the use of an address configuration protocol, such as Dynamic Host Configuration Protocol for IPv6 (DHCPv6). By default, an IPv6 host can configure an address for use on the subnet for each interface. By using router discovery, a host can also determine the addresses of routers, additional addresses, and other configuration parameters. Router Advertisement messages indicate whether an address configuration protocol should be used. RFC 4862 defines IPv6 address autoconfiguration.
For more information about IPv6 address autoconfiguration, see Chapter 6, “Dynamic Host Configuration Protocol.”
Router discovery is the process through which hosts attempt to discover the set of routers on the local subnet. In addition to configuring a default router, IPv6 router discovery also configures the following:
The default setting for the Hop Limit field in the IPv6 header.
A determination of whether the node should use an address configuration protocol, such as Dynamic Host Configuration Protocol for IPv6 (DHCPv6), for addresses and other configuration parameters.
The list of subnet prefixes defined for the link. Each subnet prefix contains both the IPv6 subnet prefix and its valid and preferred lifetimes. If indicated, the host uses the subnet prefix to create an IPv6 address configuration without using an address configuration protocol. A subnet prefix also defines the range of addresses for nodes on the local link.
The IPv6 router discovery processes are the following:
IPv6 routers periodically send multicast Router Advertisement messages on the subnet advertising their existence as routers and other configuration parameters such as address prefixes and the default hop limit.
IPv6 hosts on the local subnet receive the Router Advertisement messages and use their contents to configure addresses, a default router, and other configuration parameters.
A host that is starting up sends a multicast Router Solicitation message. Upon receipt of a Router Solicitation message, all routers on the local subnet send a unicast Router Advertisement message to the host that sent the router solicitation. The host receives the Router Advertisement messages and uses their contents to configure addresses, a default router, and other configuration parameters.
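The configuration items that a Router Advertisement carries, as an added Python example that is not from the original chapter. It decodes the hop limit, the address-configuration flags and the prefix list with its lifetimes from the ICMPv6 message layout in RFC 4861; the function name and the sample message are constructed for illustration, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct


def parse_router_advertisement(msg: bytes) -> dict:
    """Decode the fields of an ICMPv6 Router Advertisement (type 134)."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", msg, 4)
    ra = {
        "hop_limit": hop_limit,                  # default Hop Limit for the host
        "managed": bool(flags & 0x80),           # get addresses from DHCPv6
        "other_config": bool(flags & 0x40),      # get other parameters from DHCPv6
        "router_lifetime": router_lifetime,      # 0 means: not a default router
        "prefixes": [],
    }
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option")
        opt_type, opt_len = msg[offset], msg[offset + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or offset + opt_len > len(msg):
            raise ValueError("malformed option length")
        if opt_type == 3 and opt_len == 32:      # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", msg, offset + 2)
            prefix = ipaddress.IPv6Network((msg[offset + 16:offset + 32], plen), strict=False)
            ra["prefixes"].append({
                "prefix": str(prefix),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # host may build its own address
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
                "lifetimes_ok": preferred <= valid,  # RFC 4862: otherwise ignore the option
            })
        offset += opt_len
    return ra


# Constructed sample: hop limit 64, no DHCPv6, one autonomous /64 prefix.
SAMPLE_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0) + struct.pack(
    "!BBBBIII16s", 3, 4, 64, 0xC0, 2592000, 604800, 0,
    ipaddress.IPv6Address("2001:db8:1::").packed)

if __name__ == "__main__":
    print(parse_router_advertisement(SAMPLE_RA))
```

On a network being monitored, an advertisement whose source, prefix list or flags differ from what the known routers send is worth investigating, because hosts apply these values without further confirmation.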