Oct 20, 2011

From the experience I have gathered working with customers at Join Telecom, combined with study and the technical literature, it is clear that Internet users not only fail to ask the right questions but also receive wrong answers, in most cases through advertising manipulation that first catches their eye and then takes their money, as they end up signing disadvantageous contracts, sometimes long-term and with no way to cancel.

Internet access, which gives the end user everything from entertainment to culture and information of every kind, still has a fairly pronounced technical side. Poor technical choices can massively degrade the end user's experience on the Internet. Lack of experience, and often of a fair comparison, leads many users to regard solutions that are in reality mediocre as excellent.

This article tries to educate the end user about which choices are the right ones and in which context they should be made.

1. IP addresses

An IP address is the number that uniquely identifies a computer connected to the Internet. The uniqueness of an IP address is necessary, just as the uniqueness of a telephone number is necessary. If two people had the same telephone number, how could we tell them apart?

Technically, an IP address is a four-byte number; to simplify the notation and make it easier to remember, the four bytes are written separated by dots, so an IP address has the form A.B.C.D, where A, B, C and D are numbers between 0 and 255.
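
For the curious, the equivalence between the dotted form and the underlying 32-bit number is easy to see with Python's standard ipaddress module; the address below is a reserved documentation example.

    import ipaddress

    # An IPv4 address is really a single 32-bit number; the dotted form is a
    # human-friendly notation for the same value.
    addr = ipaddress.IPv4Address("192.0.2.10")
    print(int(addr))                          # 3221225994 - the raw 32-bit value
    print(ipaddress.IPv4Address(3221225994))  # 192.0.2.10 - back to dotted form
    print(2 ** 32)                            # 4294967296 possible addresses in total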

Originally there was a single kind of IP address: all of them were public (that is, directly visible from the Internet, from any other IP address). Because the number of IP addresses is limited to just over 4 billion (256*256*256*256 = 4,294,967,296), the explosion of the Internet suddenly made this number insufficient for today's needs. A single person can easily be using 5-6 IP addresses at once: two laptops, a desktop, a mobile phone with WiFi, the WiFi router and a visiting friend.

Ports

Everyone has heard of ports; few know what they are and what they are for.

The connection between two computers follows the model of inserting a plug into a power socket (hence the networking term "socket"). The socket is the device that supplies energy (in the case of computers, it supplies information), while the plug is the one that collects the desired information.

Since any computer must be able to access varied information from several sources at the same time, it needs several plugs.

Likewise, a server that supplies information must be able to serve several recipients at once; in other words, it needs several sockets.

Since communication is bidirectional, a communication channel on a given computer can act as either socket or plug, depending on the direction in which the information flows. The communication channel is that socket-plug link, in which both the socket and the plug are assigned a number, which may be identical or different.

Somebody decided that any computer can have at most 65,535 ports, of which the first 1,024 are reserved for standard services, while the rest are left free for whatever use one chooses.
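
The reserved assignments are distributed with the operating system, and the socket library can look a service's standard port up by name. A few familiar examples (the exact output depends on the local services database):

    import socket

    # Well-known ports for a few standard services, taken from the system's
    # services database (e.g. /etc/services on Unix-like systems).
    print(socket.getservbyname("http"))   # 80
    print(socket.getservbyname("https"))  # 443
    print(socket.getservbyname("ssh"))    # 22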

How ports are generally used

End-user (client) computers are usually consumers of information (they download), while servers are donors of information (they upload). In reality, information flows in both directions over a communication channel, but one direction dominates. When you open a web page, your computer sends a request to the server and the server replies with the contents of the requested page. The request is small, but the page can be huge; hence the bias toward one direction. In this case, from the point of view of your connection you are downloading (receiving information), while from the server's point of view there is an upload (a transmission of information).

On client computers, whatever the operating system, when a connection is initiated the system looks for a plug (outgoing port) that is free and establishes a connection between that port and the server's port (socket). When a new connection is established, the port immediately following the previously used one is usually chosen for the connection to the new server, although this is not a hard rule. Connections are recorded in a table in memory so that the communication channels can be identified uniquely.

A connection is usually written as A.B.C.D:P-X.Y.Z.T:R, where A.B.C.D is the originating IP address, P is the originating port, X.Y.Z.T is the destination IP address and R is the destination port.

A question that arises naturally is this: how can the same web page be accessed twice, simultaneously, from the same computer?

Simple:

For the first connection, the client operating system allocates, say, port 32005.

The connection table will then contain the entry: A.B.C.D:32005 – X.Y.Z.T:80

where A.B.C.D is the client's IP address, X.Y.Z.T is the server's IP address, port 32005 is the port dynamically allocated by the client operating system, and port 80 is the port normally used for viewing a web page (the HTTP protocol).

For the second connection, the client operating system allocates the next port, 32006.

The connection table will then contain the entry: A.B.C.D:32006 – X.Y.Z.T:80

As you can see, the two entries are distinct, and the operating system identifies the communication channels uniquely.
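
You can watch this happen with a couple of TCP sockets: open two connections to the same server and compare the local address/port pairs the operating system picked. The target example.com:80 is only an illustrative destination; any reachable web server would do.

    import socket

    # Two simultaneous connections to the same destination IP and port.
    s1 = socket.create_connection(("example.com", 80))
    s2 = socket.create_connection(("example.com", 80))

    print("connection 1:", s1.getsockname(), "->", s1.getpeername())
    print("connection 2:", s2.getsockname(), "->", s2.getpeername())
    # The local ports differ, so the operating system can tell the two
    # channels apart even though the destination is identical.

    s1.close()
    s2.close()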

Public IP addresses

IP addresses have the form A.B.C.D, where A, B, C and D are numbers between 0 and 255. The notation is a simple convention; another form could obviously have been chosen at the beginning, but since this one is in use we have to live with it and not ask further questions.

All addresses from 0.0.0.0 to 255.255.255.255 are public addresses, except for the private ones and the special ones (see below).

Private IP addresses

Someone clever introduced the concept of private addresses in order to stretch the available address space. The ranges 192.168.0.0 to 192.168.255.255, 10.0.0.0 to 10.255.255.255 and 172.16.0.0 to 172.31.255.255 were taken out of the Internet and set aside for private use (hence the name private addresses).

Private addresses:

– cannot exist on the Internet, since they were removed from the list of valid addresses;

– need a translator (router, gateway) in order to access the Internet;

– can be used by anyone, without prior approval, to build a private network.
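
A quick way to check whether a given address falls into one of these private ranges is, again, Python's ipaddress module; the addresses below are arbitrary examples.

    import ipaddress

    # The is_private flag covers the three RFC 1918 ranges listed above
    # (plus a few other reserved blocks).
    for ip in ("192.168.1.15", "10.20.30.40", "172.20.0.1", "8.8.8.8"):
        print(ip, ipaddress.ip_address(ip).is_private)
    # The first three print True; 8.8.8.8, a public address, prints False.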

Private addresses need a translator to make connections on their behalf, which is why the computer acting as translator usually needs significant processing power if it has to translate many private IP addresses. It is the same system used in classic telephony, with internal extension numbers inside an institution: the operator or the telephone exchange is the point where all internal calls are collected and translated toward the outside. The translation of private IP addresses is called NAT (Network Address Translation).

In practice, if we write:

A.B.C.D = the IP address of the client with the private address;

X.Y.Z.T = the IP address of the server to be reached;

K.L.M.N = the IP address of the translator;

P = the client's outgoing port;

R1 = the translator's outgoing port toward the Internet;

R2 = the translator's outgoing port toward the local network, the one with private addresses;

S = the server's incoming port;

then the client A.B.C.D:P makes a request to X.Y.Z.T:S.

The translator sees the request and translates it, generating in turn its own request:

K.L.M.N:R1 – X.Y.Z.T:S

When the reply comes back on the channel X.Y.Z.T:S – K.L.M.N:R1, the translator passes it on to the client with the private address:

K.L.M.N:R2 – A.B.C.D:P

In this way, the link between client and server is established through the translator in a unique fashion, using the same rule for recording entries in the connection tables.
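
As an illustration of the bookkeeping involved, here is a minimal, purely illustrative Python sketch of such a translation table: a mapping from each private (IP, port) pair to a public port chosen by the translator, plus the reverse mapping used for replies. Real NAT implementations track much more state (protocol, timers, TCP flags); all the addresses and ports below are invented for the example.

    # Connection-tracking sketch for a NAT translator (illustrative only).
    nat_table = {}       # (private IP, private port) -> public port
    reverse_table = {}   # public port -> (private IP, private port)
    next_public_port = 32000          # assumed-free starting point
    PUBLIC_IP = "203.0.113.1"         # K.L.M.N in the text (example address)

    def translate_outgoing(private_ip, private_port):
        """Pick (or reuse) the public port used on behalf of this client flow."""
        global next_public_port
        key = (private_ip, private_port)
        if key not in nat_table:
            nat_table[key] = next_public_port
            reverse_table[next_public_port] = key
            next_public_port += 1
        return PUBLIC_IP, nat_table[key]

    def translate_incoming(public_port):
        """Map a reply arriving on a public port back to the private client."""
        return reverse_table.get(public_port)   # None if the flow is unknown

    # Client 192.168.1.10:40000 (A.B.C.D:P) talks to some server X.Y.Z.T:S.
    print(translate_outgoing("192.168.1.10", 40000))   # ('203.0.113.1', 32000)
    print(translate_incoming(32000))                   # ('192.168.1.10', 40000)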

APIPA (Automatic Private IP Addressing) addresses

The addresses 169.254.0.1 through 169.254.255.254 are also private addresses, with a special use: when a client requests an IP address but there is no server to assign one, the client automatically allocates itself a random address from this range. If a conflict occurs (the auto-generated address is already in use), a mechanism detects it and the auto-generation process is repeated until the conflict disappears.
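
The ipaddress module recognizes this link-local range as well:

    import ipaddress

    # 169.254.0.0/16 is the IPv4 link-local (APIPA) range.
    print(ipaddress.ip_address("169.254.12.34").is_link_local)  # True
    print(ipaddress.ip_address("192.168.1.1").is_link_local)    # False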

2. Client connection models

2.1 Connections with public IP addresses

A connection with public IP addresses is the most advantageous, because there are no NAT-style intermediaries in the path between client and server, and the information traveling from client to server and back is handled by very fast forwarding equipment that neither inspects nor modifies the transmitted data.

2.1.1 Connections with fixed (reserved) public IP addresses

If the client is always assigned the same public IP address, the client can do more than merely consume: it can also act as a server. The computer can always be reached from the Internet, from anywhere, with the certainty that it is always the same computer and not some other one.

2.1.2 Connections with variable (non-reserved) public IP addresses

In certain cases, usually when the Internet provider does not have enough IP addresses for all its customers, variable public IP addresses are assigned (this is the case with RDS, Astral, Romtelecom). The owner of the client computer then cannot know which IP address has been assigned, or whether it has changed in the meantime, and so cannot use the computer as a server, whether to offer services or simply to reach it from another Internet connection. In this case the client is reduced to the level of a mere consumer.

2.2 Connections with private IP addresses

This is the case with UPC, Astral, Romtelecom, Vodafone, Orange and Cosmote.

In this case, not only can the client computer no longer be reached from outside in any way, but the existence of a large-scale NAT serving hundreds or thousands of clients simultaneously can lead, and in certain situations does lead, to:

– significant delays because the NAT translator does not have enough processing power at that moment (it is swamped with requests);

– connections that cannot be completed because the NAT tables are full:

In the example above I showed that a NAT translator needs two ports to successfully serve a single client request on a single port. Since its own supply of ports is limited to 65,535, it follows that, no matter how powerful it is, it cannot serve more than (65535-1024)/2 = 32,255 simultaneous requests. Any requests beyond that figure are simply dropped, creating delays, usually massive ones, for the client.

Taking, from practice, an average of 200 connections per client computer, these require 400 entries at the NAT level, reducing the number of computers a NAT can serve simultaneously to only about 161. At the time of writing, my computer had 1,496 simultaneous connections to various hosts. Had I been behind a NAT, with every client in the same situation as my computer, that NAT could not have handled more than (65535-1024)/2/1496 = 21 computers!
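
For reference, the back-of-the-envelope arithmetic above, written out in Python under the article's assumption that the translator consumes two ports per translated connection:

    TOTAL_PORTS = 65535
    RESERVED_PORTS = 1024
    usable = TOTAL_PORTS - RESERVED_PORTS

    max_requests = usable // 2                 # two ports per translated request
    print(max_requests)                        # 32255 simultaneous requests

    avg_connections_per_client = 200
    print(max_requests // avg_connections_per_client)   # about 161 clients

    busy_client_connections = 1496
    print(max_requests // busy_client_connections)       # about 21 clients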

Obviously, NAT tables are dynamic, and the entry for a given channel disappears once its lifetime (TTL, Time To Live) expires, freeing the way for new connections. The problem does not disappear entirely, though, and cases of the so-called bottleneck, a strangling of the link, are far from rare.

3. Routers and WiFi

Apart from the neighborhood networks, which use routers with fixed public IP addresses to connect their clients to the rest of the Internet, almost all other ISPs serving the residential segment use NAT routing (with private addresses) or variable public addresses, because of the limited pool of IP addresses at their disposal.

The WiFi routers installed at customers' premises take the public or private address assigned to the customer and translate it once more into several private addresses. These devices have low- to medium-powered processors that handle the translation of the customer's requests, which ultimately leads to:

– possible loss of connections;

– delays in establishing connections because of the NAT and/or the radio link;

– the impossibility of establishing peer-to-peer connections (public address to public address, i.e. direct links between computers on the Internet).

WiFi routers are also the devices that cause the most problems in networks, many of them being of dubious origin or poorly built. I have seen a great many cases in which a power interruption of just 1-2 seconds wiped the settings stored in the router, which then had to be reconfigured, a process that is not within the reach of a layperson.

Aug 27, 2011

After having been recently bitten by Ethernet’s flow control mechanism, I decided to learn about this somewhat obscure but commonly used facet of modern networks. This post is a summary of what I discovered about it and its associated benefits and dangers.

What is flow control?

Ethernet flow control, or 802.3x, is a way for a network device to tell its immediate neighbor that it is overloaded with data, such as when a device is receiving data faster than it can process it. It allows for an overloaded device to send out a special Ethernet frame, called a pause frame, that asks the device on the other end of the wire to stop sending data temporarily. If the receiving device honors the pause frame then the sending device has time to catch up on the stack of received data that it hasn’t had time to process yet.
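
To make the pause frame concrete, here is a rough Python sketch of what one looks like on the wire, built as raw bytes. The destination address, EtherType and opcode are the standard 802.3x values; the source MAC is a made-up example, and the frame is only printed, never transmitted.

    import struct

    dst_mac = bytes.fromhex("0180c2000001")   # reserved multicast address for MAC control
    src_mac = bytes.fromhex("001122334455")   # example sender address (made up)
    ethertype = struct.pack("!H", 0x8808)     # MAC Control EtherType
    opcode = struct.pack("!H", 0x0001)        # PAUSE opcode
    pause_time = struct.pack("!H", 0xFFFF)    # requested pause, in units of 512 bit times

    frame = dst_mac + src_mac + ethertype + opcode + pause_time
    frame += b"\x00" * (60 - len(frame))      # pad to the 64-byte minimum (FCS excluded)

    print(len(frame), frame.hex())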

There also exists an older method for flow control called “back pressure” that is used in half-duplex environments (i.e. non-switched Ethernet). It consists of the overloaded device “jamming” the medium temporarily until it has the ability to accept more data. I don’t know much about half-duplex flow control, and thus I won’t mention it again; everything here applies solely to full-duplex flow control via 802.3x. Also, TCP has a mechanism for performing its own flow control that is entirely different from Ethernet’s flow control; I will not be fully explaining TCP’s flow control method here, as it would merit a lengthy discussion itself.

Rules of the game

When thinking about Ethernet flow control, it is important to keep several things in mind:

  1. Flow control operates at a lower layer than TCP or IP, and thus is independent of them. Put another way, flow control is capable of being used regardless of what higher-level protocols are put on top of it. An important side-effect of this is that neither TCP nor IP know what Ethernet’s flow control is doing; they operate under the assumption that there is no flow control other than what they may or may not provide themselves.
  2. Flow control functions between two directly connected network devices, and flow control frames are never forwarded between links. Thus, two computers that are connected via a switch will never send pause frames to each other, but could send pause frames to the switch itself (and vice versa: the switch can send pause frames to the two computers).
  3. Pause frames have a limited duration; they will automatically “expire” after a certain amount of time. The expiration time is set by the device that transmits the pause frame.
  4. A paused link is not a discriminator of protocols; it will prevent any data from being passed across the link other than more pause frames.

Perhaps you have begun to see some issues with flow control in light of some of the above points. Let’s start looking at them.

TCP breakage

Okay, it isn’t true, TCP doesn’t stop working when flow control is enabled. However, an important part of it does stop working correctly: its own flow control mechanism (strictly speaking, its loss-based congestion control). TCP uses a more complex mechanism of timeouts and acknowledgement segments to determine when a remote device or the path to it is overloaded. It basically sends at a faster and faster pace until it sees that some of its sent data isn’t getting to the remote device, and then slows down. This allows TCP to utilize network links in a somewhat intelligent manner, as an overloaded network or device will cause some TCP segments to be lost and thus cause the sender to send data at a slower rate.

Now consider what happens when Ethernet flow control is mixed with TCP flow control. Let’s assume that we have two directly connected computers, one of which is much slower than the other. The faster sending computer starts sending lots of data to the slower receiving computer. The receiver eventually notices that it is getting overloaded with data and sends a pause frame to the sender. The sender sees the pause frame and stops sending temporarily. Once the pause frame expires, the sender will resume sending its flood of data to the other computer. Unfortunately, the TCP engine on the sender will not recognize that the receiver is overloaded, as there was no lost data — the receiver will typically stop the sender before it loses any data. Thus, the sender will continue to speed up at an exponential rate; because it didn’t see any lost data, it will send data twice as fast as before! Because the receiver has a permanent speed disadvantage, this will require the receiver to send out pause frames twice as often. Things start snowballing until the receiver pauses the sender so often that the sender starts dropping its own data before it sends it, and thus finally sees some data being lost and slows down.

Is this a problem? In some ways it isn’t. Because TCP is a reliable protocol, nothing is ever really “lost”; it is simply retransmitted and life goes on. Ethernet flow control accomplishes the same thing as TCP flow control in this situation, as they both slow down the data transmission to the speed that the slower device can handle. There are some arguments to be made for there being an awkward overlap between the two flow control mechanisms, but it could be worse.

Unfortunately, it does get worse.

Head-of-line blocking

In the last example, I considered the case where two computers were directly connected to each other. This example is too simplistic to be of much use — when was the last time you saw two directly connected computers? It is a bit of a rarity. Let’s now look at what happens when you introduce a switch into the mix. For our purposes, let us assume that the switch fully supports Ethernet flow control and that it is willing to use it. Our new setup will consist of two desktop computers and one file server, all of which are attached to the switch. It isn’t any fun to make everything perfect, so let’s also say that one of the desktops has a 10 Mbps connection to the switch while the other desktop and the server have 100 Mbps connections.

This setup is usually fine — the 10 Mbps connection will be slower than the others, but it doesn’t cause too many problems, just slower service to the one desktop. Things could get ugly, though, if Ethernet flow control is enabled on the switch. Imagine that the 10 Mbps desktop requests a large file from the file server. The file server begins to send the file to the desktop initially at a slow rate, but quickly picks up steam. Eventually, the file server will start to send data to the desktop at 11 Mbps, which is more than the poor 10 Mbps connection can handle. Without flow control enabled on the switch, the switch would start to simply drop data segments destined to the desktop, which the file server would notice and start to throttle back its sending rate.

With flow control enabled on the switch, though, the switch takes a very different approach; it will send out its own pause frames to any port that is sending data to the now-overloaded 10 Mbps port. This means that the file server will receive a pause frame from the switch, requesting it to cease all transmissions for a certain amount of time. Is this a problem? Yes! Because pause frames cease all transmissions on the link, any other data that the file server is sending will be paused as well, including data that may be destined to the 100 Mbps desktop computer. Eventually the pause will expire and the file server will continue sending out data. Unfortunately, the TCP mechanism on the file server will not know that anything is wrong and will continue sending out data at faster and faster speeds, thus overloading the 10 Mbps desktop again. As before, the cycle will keep repeating itself until the file server starts dropping its own data. Unlike the previous situation, the innocent 100 Mbps desktop bystander is penalized and will see its transfers from the file server drop to 10 Mbps speeds.

This situation is called head-of-line blocking, and it is the major reason why Ethernet flow control is somewhat dangerous to use. When enabled on network switches, it can create situations where one slow link in a network can bring the rest of the network to a crawl. It gets especially bad if the backbones in your network have flow control enabled; it should be obvious by this point just how bad that could get.

When to enable flow control

So what should you do? Should you completely disable flow control on all computers and switches? Not necessarily. It is generally safe to leave flow control enabled on computers. Switches, though, should either have flow control disabled or configured such that they will honor received pause frames but will never send out new pause frames. Some Cisco switches are even permanently configured this way — they can receive pause frames but never emit them. To be honest, the complete answer to flow control is somewhat more complicated than this (e.g. you could probably enable pause frame emission if a switch port is connected to a slow backplane), but the safest bet is to disable flow control when given the option.
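
On a Linux host, one common way to inspect or adjust a NIC's flow control behavior is ethtool's pause options; the snippet below simply wraps those commands. The interface name eth0 is an assumption, and changing the setting requires root privileges and driver support.

    import subprocess

    # Show the current pause-frame settings for the interface.
    subprocess.run(["ethtool", "-a", "eth0"], check=True)

    # Honor received pause frames but never emit our own
    # (roughly the conservative, receive-only behavior discussed above).
    subprocess.run(["ethtool", "-A", "eth0", "rx", "on", "tx", "off"], check=True)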

ref: http://virtualthreads.blogspot.com/2006/02/beware-ethernet-flow-control.html
