1st August 2023.
The Application Layer is the highest layer in the TCP/IP Model. It represents the application settings and code. It is the most complicated to explain as well.
I’m not discussing the more complicated OSI model in depth here. Applications generally contain hierarchies within themselves, which is why the OSI model has three software layers while the TCP/IP model only has one. Applications are not technically part of the networking anyway, since an application doesn’t necessarily need network connectivity to function.
What defines an application
In technical computing terms, an application is a piece of software that helps a user complete a task. The term is synonymous with “a program”. An application can be installed on a computer or a phone, or it could be web-based, running on a remote machine on the Internet.
An application does not necessarily run on just one machine; its functions may be spread across different servers. For example:
User interactions through a web GUI can be handled by a web server
Stored data can be accessed on the database server
Tasks are processed on a compute server
They are all part of one application, but their functions are spread out for security and scalability purposes, and they use the underlying TCP/IP infrastructure to communicate with each other.
What is not an application
Not classified as applications are system software that runs in the background of an operating system, and malicious or harmful software that is triggered without the user’s intent: so-called malware, spyware, computer viruses and so on.
Note: on Linux you can install htop to view applications and background processes.
Nevertheless, for the TCP/IP model, they are all treated equally. Perhaps the application layer should really be called the software layer, because that’s what it’s really about.
Privacy Considerations Regarding the Application Layer
The most concerning thing about the application layer is what information you consent to giving out. There are ways to protect your physical address, device hardware addresses and IP addresses in their respective layers. But with an application, the software could simply ask for that information, as “find my phone” services do. Consider Cross Device Chaining for another example.
And it’s not just limited to machine identification and location. How many webpages have your phone number, home address or pictures of your driving licence?
In an upcoming post I will discuss the consequences of these privacy issues in more depth.
Well-Known Network Applications
Some applications exist to make it easier to connect computers to a network. They use the reserved TCP/UDP port numbers between 0 and 1023. Two protocols in particular are worth everyone having a basic knowledge of.
DNS = Domain Name Service
DNS generally runs over UDP port 53, but the more secure variant runs over TCP port 53. It is the protocol that translates, for example, easydns.com to 2620:49:8:1003::29. It is a client/server protocol, meaning that a DNS client communicates with a DNS server.
DNS works just like a phone book that keeps records of people with their respective phone numbers, addresses and postal codes. Likewise, a DNS server keeps records of FQDNs = Fully Qualified Domain Names or SANs = Subject Alternative Names, and other records. Without DNS, you would have to manually type IP addresses into your browser to reach websites.
An FQDN is the primary DNS record for a specific address. It is divided into two parts:
The hostname of the system;
Followed by the domain name.
An example of an FQDN would then look like this: “hostname.example.com”. A SAN is any additional name for the same address, like “host.example.com”.
DNS in action
A DNS client asks its configured server how to get to “easydns.com” with a DNS query.
A home router acting as a default gateway is often also a DNS forwarder. That means that the clients are configured with the router’s IP address as their DNS server, and the router forwards the DNS queries to a public DNS server that has the records for the public Internet. The router may then cache the response for a certain time so that other clients can get the information faster.
The public DNS server responds to the query with a DNS response message, which is sent back to the client via the DNS forwarder.
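As an added example that is not part of the original post, here is the query/response exchange above built and parsed in Python with only the standard library: the client builds an AAAA query for easydns.com, a constructed server reply carries the IPv6 address quoted above, and the client checks the transaction ID and the response bit before trusting the answer. The reply is constructed inline, so nothing is sent on the network.

```python
import struct
import ipaddress

def encode_name(name: str) -> bytes:
    # "easydns.com" -> b"\x07easydns\x03com\x00": length-prefixed labels, ended by a zero byte
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, txid: int, qtype: int = 28) -> bytes:
    # Header: ID, flags 0x0100 (RD = recursion desired), QDCOUNT 1; question: QNAME, QTYPE (28 = AAAA), QCLASS 1 (IN)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    # Server side: same ID and question, flags 0x8180 (QR, RD, RA), one AAAA answer named by a pointer to offset 12
    txid = struct.unpack("!H", query[:2])[0]
    rdata = ipaddress.IPv6Address(addr).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer

def decode_name(msg: bytes, off: int):
    # Read labels from off; a byte with the top two bits set is a compression pointer to an earlier name
    labels = []
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    if msg[off] == 0:
        return ".".join(labels), off + 1
    ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
    return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2

def parse_response(msg: bytes, expected_id: int) -> dict:
    # Client side: the ID must match the query we sent and QR must be set, then walk the question and answers
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                      # skip the echoed question: name + QTYPE + QCLASS
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((name, rtype, ttl, str(ipaddress.IPv6Address(rdata)) if rtype == 28 else rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def resolve_offline(name: str = "easydns.com") -> dict:
    # Constructed exchange: the query from the post, answered with the IPv6 address the post quotes
    return parse_response(build_response(build_query(name, 0x1234), "2620:49:8:1003::29"), 0x1234)
```

A real resolver would additionally check that the echoed question matches the one it sent and that the answer name belongs to the queried name.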
DHCP = Dynamic Host Control Protocol
DHCP is another client/server application, used to assign IP addresses and DNS servers automatically. Without DHCP, users would have to manually set IPv4 addresses on their equipment. DHCP uses the following UDP ports:
For DHCP using IP version 4:
UDP port 67 for traffic destined to DHCP Servers
UDP port 68 for traffic destined to DHCP Clients
For Stateful DHCP using IP version 6:
UDP port 547 for traffic destined to DHCP Servers
UDP port 546 for traffic destined to DHCP Clients
Note: DHCP for IPv6 is quite different and is not used so often in home environments, because IPv6 clients are capable of finding out their IPv6 prefix and DNS server using ND = Neighbor Discovery Protocol.
DHCP in action
I’m only going to describe how DHCP works on IPv4 networks, as IPv6 is not so relevant for fundamental knowledge:
All clients running Windows, Apple or Linux operating systems come with a DHCP client installed by default.
Step 1: When a client goes online and checks its network settings, it realizes it is configured for DHCP, so it sends a broadcast message called DHCP Discover.
Note: A DHCP broadcast message is sent to all devices in the same Layer 2 segment with:
a source MAC address of its network adapter;
destination MAC address of FF:FF:FF:FF:FF:FF;
and a source and destination IP address of 0.0.0.0.
Note: Do you remember what a Layer 2 segment is from Part 1?
Step 2: All other clients drop the message, but the home router, which is most likely also configured as a DHCP server, analyzes the request and sends a DHCP Offer back to the client’s MAC address. The offer contains:
a valid IPv4 address;
the subnet mask for the segment;
the default gateway (the router’s IPv4 address that is used to get to the Internet);
and a DNS server, which in many cases will be the same as the default gateway.
Step 3: The client sends a response back to the router, accepting the offer with a DHCP Request message that asks the server whether it is still OK to use the address.
Step 4: The server sends a DHCP Acknowledgement back to the client and makes a note in its “leased address table”, where it keeps track of all its leased addresses.
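As an added example that is not part of the original post, here are steps 1 and 2 of the exchange above in Python with only the standard library: a DHCP Discover is built with the RFC 2131 message layout, a constructed Offer from a hypothetical home router at 192.168.1.1 answers it with the four items listed (address, subnet mask, default gateway, DNS server), and the client parses the Offer only after checking that it is a reply to its own transaction ID. The client MAC and all addresses are constructed; nothing is sent on the network.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"   # magic cookie that ends the fixed BOOTP part of every DHCP message

def fixed_part(op: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    # RFC 2131 fixed fields: op, htype 1 (Ethernet), hlen 6, hops, xid, secs, flags 0x8000 (reply by
    # broadcast), ciaddr 0, yiaddr (the offered address), siaddr, giaddr, chaddr, sname, file
    return (struct.pack("!BBBBIHHI", op, 1, 6, 0, xid, 0, 0x8000, 0) + IPv4Address(yiaddr).packed
            + bytes(8) + mac.ljust(16, b"\x00") + bytes(192))

def build_discover(mac: bytes, xid: int) -> bytes:
    # Step 1, carried from 0.0.0.0:68 to the broadcast address on port 67. Option 53 = message type
    # (1 = Discover); option 55 = parameter request list: subnet mask (1), router (3), DNS (6)
    return fixed_part(1, xid, mac) + MAGIC + bytes([53, 1, 1, 55, 3, 1, 3, 6, 255])

def build_offer(discover: bytes, yiaddr: str, mask: str, router: str, dns: str, lease: int = 86400) -> bytes:
    # Step 2: the server replies (op 2) with the client's xid and MAC and the four items the post lists
    opts = (bytes([53, 1, 2]) + bytes([1, 4]) + IPv4Address(mask).packed
            + bytes([3, 4]) + IPv4Address(router).packed + bytes([6, 4]) + IPv4Address(dns).packed
            + bytes([51, 4]) + struct.pack("!I", lease) + b"\xff")      # 51 = lease time in seconds
    return fixed_part(2, struct.unpack("!I", discover[4:8])[0], discover[28:34], yiaddr) + MAGIC + opts

def parse_options(msg: bytes) -> dict:
    # Walk the type/length/value list after the cookie: 0 is a one-byte pad, 255 ends the list
    opts, off = {}, 240
    while off < len(msg) and msg[off] != 255:
        if msg[off] == 0:
            off += 1
            continue
        code, ln = msg[off], msg[off + 1]
        opts[code] = msg[off + 2:off + 2 + ln]
        off += 2 + ln
    return opts

def parse_offer(msg: bytes, expected_xid: int) -> dict:
    # Client side of step 2: accept only a reply (op 2) that carries our own xid and the magic cookie
    if msg[0] != 2 or struct.unpack("!I", msg[4:8])[0] != expected_xid or msg[236:240] != MAGIC:
        raise ValueError("not a reply to our Discover")
    o = parse_options(msg)
    if o.get(53) != b"\x02":
        raise ValueError("not a DHCP Offer")
    return {"address": str(IPv4Address(msg[16:20])), "mask": str(IPv4Address(o[1])),
            "gateway": str(IPv4Address(o[3])), "dns": str(IPv4Address(o[6])),
            "lease_seconds": struct.unpack("!I", o[51])[0]}

def dora_offline() -> dict:
    mac, xid = bytes.fromhex("020000000001"), 0x3903F326   # constructed client MAC and transaction id
    offer = build_offer(build_discover(mac, xid), "192.168.1.50", "255.255.255.0", "192.168.1.1", "192.168.1.1")
    return parse_offer(offer, xid)
```

Steps 3 and 4 reuse the same layout with message type 3 (Request) and 5 (Ack) in option 53, which is also where a client would check that the Ack really confirms the address it requested.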
Of course, the DHCP and DNS protocols involve more technical details than I have described so far. I’m only trying to briefly explain how they work with as few technical details as possible. If you want more in-depth descriptions:
Troubleshooting the Application Layer
From a user perspective, everything might look like it is the network’s fault, even if…
The application you try to log in to has wrong credentials or an expired user account
The application has the wrong network settings
The application may try to reach some database that the user account does not have sufficient privileges to access
The DNS server address could be misconfigured or unreachable
The DHCP server is not reachable so the client can’t get an IPv4 address.
… and probably countless more examples exist out there that may look like a network problem but technically aren’t. The underlying communication may work perfectly fine, but the problem lies either in the software itself or behind the keyboard. Make sure you read whatever error code you receive in detail before you start checking the cables or hassling the network guy.