CS402 Study Guide

Unit 3: The Application Layer

3a. Use the Domain Name System (DNS) protocol to map hostnames to IP addresses

  • What is the use of resource record type A in a DNS table?
  • What DNS record allows you to create aliases for a particular domain?

The domain name system is the mechanism used to translate host or domain names into IP addresses. Every domain can contain a set of "resource records''. The most common and most important record will be, of course, the IP addresses associated with the domain. This record is identified as type A. However, DNS has evolved to include much more information than just the IP address. Examples of such records are:

  • The CNAME (Canonical Name) provides a domain name and allows for aliases to be created
  • HINFO (Host Information) provides the information or description of the host and allows people to find what kind of machine and operating system a domain corresponds to
  • The NS (Name Server) specifies name servers
  • SOA (Start of Authority) provides the name and information of the primary source of information of the name server's zone, such as the email address of its administrator
  • A (Address) is the IP Address of a host
  • MX (Mail Exchange) specifies the name of a host that will accept email for the specified domain
  • PTR (Pointer) points to another domain
  • TXT(Text) is used by a domain to identify itself in a way that provides information that the administrator wants to be known

The DNS table will contain the domain name, time to live, class, type, and value, in addition to the records described above. Time to live is the time that the record will remain in the table before being removed. A typical value is 86,400 which means that the record will be removed after 86,400 seconds (one day). The class provides information about the record. If you are dealing with the internet, the only class that you will see in these tables is class IN. Although other non-Internet classes have been defined, they are almost never used.

Consider this example of a DNS table:

Study the table in detail and understand what each record is telling you. What will happen if someone sends an email with the address xyz@cs.uprm.pr.edu?

To review, see The Domain Name System and Domain Name System (DNS).


3b. Compare and contrast the Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and Internet Message Access (IMAP) protocols to send and retrieve email

  • What email retrieve protocol is designed to leave the email in the server for easy access from anywhere later?
  • Is SMTP based on a peer-to-peer architecture?

SMTP is the application used to send out email messages from an email client to an email server. SMTP operates over TCP port 25, or port 465 for secure transmission. In order for the server to establish the SMTP connection, it must be listening on 25 or 465. Once the email arrives at the server, it is the job of a protocol like POP or IMAP to retrieve the email and make it available to the user. POP and IMAP are both solid protocols, but each has advantages and disadvantages. POP normally downloads messages to the client and then removes them from the server, which quickly frees up space. However, POP requires a lot of discipline from users, since the email will no longer be available in the server once it is retrieved. IMAP, on the other hand, is designed to leave messages on the server, and messages can be retrieved from anywhere using different devices. If you need access to your email anytime and anywhere with multiple devices, you should use IMAP. You will need more storage space on your server if you use IMAP. IMAP runs on the default TCP port 143 for unsecure connections and port 993 for secure connections. POP uses the default TCP port 110, or port 995 for secure connections. IMAP allows for multiple users to be connected and manipulate email, while POP only allows for one client to be connected to the server.

To review, see Electronic Mail.


3c. Describe the use of Hypertext Transfer Protocol (HTTP) for the generation and management of web-based applications

  • What is the basic difference between HTTP and HTML?

The world wide web was developed in the early 90s as a mechanism to share documents anywhere on earth by the use of hyperlinks. There are three important components of the world wide web: a standard addressing scheme, a standard document format, and a standardized protocol for efficient retrieval of documents. These are:

  • URI, or Uniform Resource Identifier, is a character string that uniquely identifies a resource on the internet. The most known type of URI is the URL, which identifies the address of a web page. URL is not the only type of URI. For example, the SIP protocol uses a SIP-specific URI to identify the address of sending and receiving nodes.
  • HTML, or HyperText Markup Language, defines the format of the documents that are exchanged on the web. It uses tags or markup text to set fonts, colors, and other effects on the text displayed on webpages. The browser does not display the markup text or tags, but uses them to interpret the content of the page.
  • HTTP, or HyperText Transport Protocol, is a client-server protocol in which the client sends a request and the server returns a response. HTTP servers listen by default on TCP port 80, although 8080 is also used. HTTPS is the secure version, and operates by default on port 443.

To review message format and HTTP request types, see HyperText Transfer Protocol.


3d. Use the telnet and File Transfer Protocol (FTP) applications to open remote connections and transfer files between hosts in a network

  • What is the best way to securely and quickly transfer a file between two hosts in your network?

The File Transfer Protocol, FTP, was popular in the late 1990s and early 2000s. FTP has lost some popularity today, although it is still in use and should be understood. TFTP was developed in parallel with FTP as an option for "quick and dirty" file transfer between two systems. The main difference between FTP and TFTP was the requirement for user login used by FTP, while TFTP does not require user login. It is still used, but typically only to do quick insecure transfers.

When security became an important requirement, FTP ceased to be the protocol of choice. FTP provided authentication but files were transferred in open text. Network developers quickly came up with FTPS to provide such security. FTPS was built to provide FTP transfer through an SSL or TLS tunnel. Although it accomplished the task and provided security, it was hard to deploy and cumbersome to use. FTPS is now rarely used, and many consider it to be an obsolete protocol.

Instead, users moved to SFTP, which was much more popular and easier to deploy and implement. SFTP was developed as an extension of SSH but with full protocol capabilities. FTPS is now considered deprecated, and you should not consider it in your environment. The only problem with SFTP is when going across a firewall when transferring files outside of your organization. In situations like that, it would be appropriate to secure your FTP connection using encryption like SSL. HTTP, of course, could always be an option. However, HTTP is designed to transfer files from server to client.

To review, see SSH Protocols.


3e. Improve system reliability by using client-server and peer-to-peer models

  • Which model, between peer-to-peer or client-server, provides better connectivity and availability instead of focusing on sharing data?

In a client-server architecture, there are a series of clients connected to a server. In a peer-to-peer model, clients and servers are not different, each node can act as a client or a server. Peer-to-peer is a model normally used by distributed computing applications. Peer-to-peer networks are typically less secure than client-server, since security is handled by individual computers. However, since data is distributed between many systems, there is not a single point of failure. Because of this, peer-to-peer networks can provide higher connectivity and availability than their client-server counterparts. In a system where sensitive information needs to be protected, the client-server models are preferred, but for content delivery organizations, peer-to-peer models should probably be considered first. If your company has a single printer shared by many users, a client-server architecture would be the way to go.

Review Client-Server to see the main differences between the peer-to-peer model and the client-server model. Peer-to-Peer will give you a better understanding of applications where peer-to-peer is a better fit than client-server.


3f. Illustrate the use of Session Initiation Protocol (SIP) to initiate and control multimedia sessions

  • What is the INFO SIP request used for?
  • What information is found in the SDP portion of a SIP request?

The Session Initiation Protocol (SIP) is a text-based, application-level protocol used for setting up, changing, and terminating multimedia sessions between participants on a TCP/IP setting. Typical uses of SIP include IP Telephony, Instant Messaging (voice, video, chat), interactive games, and virtual reality.

Described on RFC 326, SIP handles the setup, modification, and tear-down of multimedia sessions. It is based on an HTTP-like request/response transaction model. SIP normally runs on top of UDP but can optionally run over TCP or TLS.

SIP is a powerful protocol that provides for all of the following:

  • User Location: Finds the location of the end-user wanted for communication; supports address resolution, name mapping, and call redirection
  • User Availability: Finds out if the end-user is available and willing to start a session, and informs the requester if the endpoint was unavailable and why (already on the phone, didn't answer, and so on)
  • User Capabilities: Determine the appropriate media and media parameters to be used (via SDP), determines the lowest level of services, and defaults to the capabilities that can be handled by everyone
  • Session Setup: Establishes the session and "rings" the user, and supports mid-session changes like adding another endpoint or changing the media characteristics
  • Session Management: Keeps an eye on the session and indicates when session parameters are being modified
  • Session transfer and termination: Transfers a call from one end user to a different one, and terminates the sessions between all parties at the end of a session

SIP is based on a client-server architecture. A User Agent is a piece of software present in every SIP end station. A User Agent Client (UAC) sends requests, while a User Agent Server (UAS) receives requests and sends responses.

Clients send requests and receive responses. Examples of clients are phones and PSTN gateways. The server receives requests and sends back responses. A series of servers are:

  • Proxy Server: act as intermediate devices by relaying call signaling, or by providing other functions like authentication, authorization, network access control, and security
  • Registrar Server: accept registration requests from users and maintains information of user whereabouts at a Location Server
  • Redirect Server: provide clients with information about the next hop that they should send their messages; the clients then contact the next hop or server directly
  • Location Server: used by redirect or proxy servers to obtain information about a user's possible whereabouts; maintains a database of SIP/IP address mappings

The SIP protocol is based on a request/response transaction mode. Its request methods are:

  • INVITE: user is invited to a session
  • ACK: confirm a session establishment
  • BYE: terminates a session
  • CANCEL: cancels a pending invite
  • OPTIONS: to inquire the server or other devices, such as checking media capabilities before using an invite
  • REGISTER: to bind a user address with a SIP registrar
  • SUBSCRIBE: subscribe users to certain events; users should be notified if that event occurs
  • NOTIFY: notify a subscribed user that an event has occurred.
  • MESSAGE: sip method to actually send instant messages.
  • INFO: transfer information during a session (such as typing on the keyboard or change of status)
  • NEGOTIATE: to negotiate various kinds of parameters, such as security mechanisms
  • REFER: to tell the receiver to contact a different user using the contact information provided (like call transfer)

Responses contain a Status Code and a Reason Phrase. For example, a response of code 200 means that it is OK. Other response classes are:

  • 1xx: Provisional – request received, processing, ringing (180), trying (100)
  • 2xx: Success – ok (200), accepted (202)
  • 3xx: Redirection – moved temporarily (302)
  • 4xx: Client Error – unauthorized (401), busy here (486)
  • 5xx: Server error – timeout (504)
  • 6xx: Global Failure – busy everywhere (600)

Addresses in SIP are expressed as a Uniform Resource Identifier, URI. The URI identifies the user with a unique address. An example of a SIP URI would be sip:bob@xyz.org or sip:9781112222@xyz.org.

The Session Description Protocol is a portion of the SIP message that describes:

  • Media streams (sessions can include multiple streams of differing content like audio, video, data, control, and application)
  • Addresses
  • Ports used for each stream
  • Payload types for each media stream type
  • Start and stop times, useful for broadcast sessions like television or radio
  • Originator, for broadcast sessions

This is an example of a SIP Invite request. SIP agent at sip:9781118484@ is trying to establish a session at sip:9781118484@ The SDP portion includes the call type, audio using port 49756, and the codecs that can be used listed as a=. Make sure you understand all lines of this request.

INVITE sip:5081113434@;SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4b
From: <sip:9781118484@>;tag=f33c8a7c
To: <sip:5081113434@;user=phone>
Call-ID: 3c2670a47ef4-t6ik7rk30zgf@snom190
Max-Forwards: 70
Contact: <sip:9781118484@>
User-Agent: snom190/3.60s
Session-Expires: 3600
Content-Type: application/sdp
Content-Length: 275
o=root 1747056259 1747056259 IN IP4
c=IN IP4
t=0 0
m=audio 49756 RTP/AVP 2 4 0 101
a=rtpmap: 0: PCMU/8000

This request is followed by the following response:

SIP/2.0 200 OK
Via: SIP/2.0/UDP;branch=z9hG4bK
From: <sip:5081113434@nfl.com>;tag=32d7a8c0-13c4
To: <sip:5081113434@>;tag=003094c
Call-ID: 6c3328642c0833b761bf838d51bfbaed@nfl.com
Date: Mon, 27 Nov 2006 23:45:30 GMT
Server: CSCO/7
Contact: <sip:5081113434@>
Content-Type: application/sdp
Content-Length: 199
o=Cisco-SIPUA 128 23815 IN IP4
s=SIP Call
c=IN IP4
t=0 0
m=audio 19888 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000

The call has been accepted and the appropriate parameters agreed, including to use codec PCMU/8000.

This is an example of a typical SIP Session where John establishes a session with Dan:

The call is going through a proxy server. Once Dan's agent accepts the call, John will acknowledge and the media session using RTP is opened. Study this figure in detail and look carefully at the requests and responses. Notice that once the call has started, SIP uses the real-time protocol RTP to provide end-to-end delivery services, which is tightly coupled with RTCP to monitor the quality of service and to convey information about the participants.

To review SIP, see SIP and RTP, which also gives an overview of the full SIP process including the RTP and RTCP protocols.


3g. Describe Secure Shell (SSH)-based applications

  • Why would you use an SSH-based application instead of an SSH-based application?
  • What TCP port number is used for SSH-based applications?

SSH, or secure shell, was developed as a replacement for the Telnet protocol from the early days of networking. Telnet was developed in the late 60s as a way to connect remotely. However, in the early days of the internet, security was not a big requirement. In those early protocols, information was sent in plaintext, including sensitive information such as passwords. SSH was developed with built-in encryption technology to provide data integrity and security while doing such operations in the network.

Telnet operates over TCP port 23, while SSH operates over TCP port 22. SSH is often compared or confused with TLS. Although they are both security protocols, there is a subtle difference between them. While SSH encrypts data to allow for secure remote login, TLS (as well as its predecessor SSL) creates an encrypted tunnel where files can be securely transferred between two hosts. SSH provides for secure data transmission, while TLS ensures the integrity and privacy of the message. TLS runs on port 443, which is used every time you use encrypted HTTPS applications. One popular application that uses SSH is puTTY. SSH uses public-key encryption.

To review the SSH protocol, including a comparison of FTPS with SFTP, see SSH Protocols.


3h. Describe and use the Simple Network Management Protocol (SNMP)

  • What is the name of the collection of all managed devices in an SNMP system?
  • What does this SNMP Wireshark capture mean?

SNMP is the network management system used by the TCP/IP system. SNMP, described in RFC 1157, is layered on top of UDP. The basic elements of an SNMP system are:

  • Network elements or nodes containing a processing entity called an agent responsible for performing the management functions requested by a management station
  • Network Management stations (NMS) is the software that executes management applications to monitor and control managed elements
  • A management protocol used to communicate management information between the management stations and the agents in the network elements
  • Management information, such as variables; a collection of these variables is called a Management Information Base, MIB

An SNMP NMS monitors and controls a managed node. It does that by issuing requests directed to the Agent residing in the managed node. Managed nodes could be routers, switches, modems, printers, and many more.

The agent is software that resides in the managed node. It interprets the request from the manager and performs function according to what is asked. As an example of managed objects, consider the variable that SNMP refers to as SwPortState. This variable describes the actual state of a port in a switch device, which could be up (value 1) or down (value 0). It is a read-write type variable that can be read by the manager to obtain its value and change if needed from up to down or vice versa. Another example of a MIB variable is the SysUpTime which describes the time since the network management system was last re-initialized. This is, of course, a read-only variable that can be read but not changed. Each SNMP transaction occurs in a PDU (Protocol Data Unit). The four types of request PDUs are GET, GETNEXT, SET, and TRAP. A single PDU can GET or SET one or multiple variables.

Every variable in a MIB has two names: the textual name, such as SysDescr, and the proper name or Object ID (OID), such as This will be followed by an instance number, like 0. To read or write a given MIB variable, you perform a GET or SET with the variable OID sent as part of the PDU. All OIDs in the universe are globally unique and fit into a hierarchical tree. For example, the OID hierarchy for TCP/IP will be:

The SysDescr variable follows the path of iso.org.dod.internet.private. Since all private variables fall under that node, they all have OID beginning with The OID for the SysUpTime variable is Notice that this variable falls under the mgmt node. Every management variable will have a prefix. In the sample Wireshark trace above, you can see an SNMP GET with an OID of, so the NMS is trying to get Instance 0 of SysUpTime. Also notice from this actual trace, that the SNMP request is sent in UDP with port number 161. 

All MIB variables' OIDs follow a specific ordering in the tree. This ordering is used by GET-NEXT, which simply says to get the next variable in the tree that follows the given OID. You provide an OID with a GET-NEXT and rather than getting the value for that OID you will get the next variable in the tree. The response can then be used in a new GET-NEXT and that will provide the next variable. Continue doing this recursively to transverse the whole agent's tree (which is called a MIB-Walk).

TRAP PDUs are used by the Agent to alert the manager of an extraordinary event when it senses that something out of the ordinary happens to it. Available TRAP PDUs are:

  • coldStart(0): The device has powered up
  • warmStart(1): The device has rebooted
  • linkDown(2): A link has gone down
  • linkUp(3): A link has transitioned to up
  • authenticationFailure(4): A wrong community string was used
  • egpNeighborLoss(5): A neighbor has gone down
  • enterpriseSpecific: Vendor-specific; as many as a vendor wants to define

To review, see Simple Network Management Protocol.


3i. Explain the role of socket programming in application processing

  • What primitive in network socket programming is used to assign a socket to a port number and IP address?

The basis for network I/O in BSD UNIX centers on an abstraction known as the socket API. A socket can be thought of as a generalization of the UNIX file access mechanism that provides an endpoint for communication. As with file access, application programs request the operating system to create a socket when one is needed. The system returns a small integer that the application program uses to reference the newly created socket. The application can choose to supply a destination address each time it uses the socket (such as when sending UDP datagrams). Otherwise, it can bind the destination address to the socket and avoid specifying the destination repeatedly (such as when making a TCP connection). Socket communications perform like UNIX files or devices, so they can be used with traditional operations like read and write.

When writing a socket program you will need to start by defining a socket type and address format. You will also want to assign the socket to a port number and IP address using the BIND primitive. When you open a socket and establish a connection, you are connecting two processes together. Notice, though, that the way sockets are defined, the connection could be between processes on two different computers or within the same computer but it does not have to be that way. You could use sockets to connect two processes within the same computer. But for all practical purposes, sockets are normally created to connect processes in two different machines.

To review, see SocketServer.


Unit 3 Vocabulary 

This vocabulary list includes terms and acronyms that might help you with the review items above and some terms you should be familiar with to be successful in completing the final exam for the course.

Try to think of the reason why each term is included.

  • DNS
  • SMPT
  • IMAP
  • POP
  • HTTP
  • HTML
  • URI
  • FTP
  • TFTP
  • SFTP
  • FTPS
  • Telnet
  • Client-Server Architecture
  • Peer-to-peer Architecture
  • SIP
  • SSH
  • SNMP
  • NMS
  • Agent
  • PDU
  • MIB
  • MIB variable
  • OID
  • MIB Walk
  • Socket