关于网络分层，和网络安全的一些总结

最近半个月，把《计算机网络》看完了

看完主要有一个疑问，就是发现TCP/IP模型中，各层的职责虽然划分得很明确，但是实际的实现中（各种协议），其实存在垮层依赖的现象。比如说，在应用层为了与另一台主机中的进程通信，既需要了解传输层的端口号（TCP），又需要了解网络层的主机地址（IP）

这个疑问也不知道该去问谁，所以就到stackoverflow上发帖问了国际友人。问答的原文贴下：http://stackoverflow.com/questions/18002775/layer-dependence-about-network

引用

i have a question about network layer, that is:

as we all know, in layer architecture, the N+2 layer should only depends on the N+1 layer, while knows nothing about N layer. for example, in a typical application, the web layer should only depends on the business logic layer, but not the data access layer

when it comes to computer network, things seem to be different. In application layer, program has to know not only transmition layer(TCP port), but also network layer(IP address)

this confuse me, what do you think about this?

thanks for your help.

引用

generally you are right. Unfortunately borders between layers in networks are kinda blurry, not just because we have a standard which is not used (OSI) and de facto standard which does not enforce the idea you mentioned, but also because the protocols are often not strictly bound to one layer but can do stuff on more then one of them. Good amount of protocols is developed before the OSI model and before they were standardized and then it was already too late to make some radical changes. So there are protocols that are considered to be between two layers (or on both layers) like MPLS, ARP etc. And protocols that are based on another protocol which is on the same layer, like OSPF that runs on top of IP even if they are considered to be on L3.

What you mentioned is another example. The reason for that is that addressing is not done on the most-upper layer (application layer) but on network layer (for host/network adapter) and transport layer (for process/application). So you need to know the IP address and port number (and actually a protocol) to be able to address the remote application. That's where the network sockets come in as an gateway (or API) between application and the network. So, even if you are technically correct about defying the principle of layered model, you are not really doing anything on L3 or L4 (but you can;) ). You don't need to fragment packets, handle retransmissions or worry about error corrections etc., you are just passing down the required addressing information when creating a socket.

TCP/IP is more oriented towards the feasibility of implementation, where OSI is more concerned about the standard then the implementation of that standard. This has it's bad and good sides. The ability to freely implement the protocol can be an advantage if you use that power well and since you are not strictly bound to some specification you can do some things more efficiently... or fail epically. The drawbacks of mixing 'responsibilities' are obvious and great example are protocols like H.323 which embed the IP addresses inside user's payload so if you want to do NAT for example you need to inspect the payload, change IP addresses, recalculate checksums, and stuff like that instead of just handling the translation on network layer.

Why are stuff still like this? Probably because there is no easy way to change any of that because of sheer number of devices and protocols, applications, etc that needs to be updated and this takes a lot of time. Just look at the speed of adopting IPv6 which has been around for more then 15 years.

最主要的原因是，如今用到的大部分的实现，都是在标准制定之前开发的。在标准制定之后，这些协议已经被广泛地应用了，仅仅为了符合标准，而去做大面积的修改，实际上是非常困难的

联想到应用开发，一般也有明确的分层。包括几个原则：

1、依赖接口，不依赖实现
2、下层不可依赖上层
3、N+1层仅依赖N层，不跨层依赖

现在感觉，真正重要的其实是划分每层的职责，以及确定服务的接口。然后第一个和第二个原则是必须遵守的。而是否允许跨层依赖，以及是否允许同一层依赖，要看具体的情况，不需要太纠结

比如在business logic这层，可能存在很多业务逻辑组件，是否应该允许它们之间互相调用呢？理论上说，不互相调用当然是最好的，但是实践中会发现保持这个约束很难。在必要的时候，互相调用也没关系，但是同样应该依赖接口，而不能依赖具体的实现。分层不是根据调用的次数来划分的，并不是说存在3次接口调用，就一定代表架构里有4层。分层本身就是逻辑上的，所以应该看提供的服务是否是在一个层面上

另外在网络安全那一章，谈到了authentication（认证）和authorization（授权）的区别

一般的权限控制这2个部分都会涉及。简言之，校验用户身份是否正确，是authentication，而判断用户能做什么事，则是authorization

比如一个进程声称来自用户alice，要删除文件xxx.old。那么对于文件服务器来说，判断该进程是否属于alice属于认证，判断是否有权限删除文件属于授权

对于加密算法，有一个Kerckhoff原则。即算法本身必须是公开的，加密的只是密钥。如果算法和密钥都是公开的，那就不能算加密（ciper）了，只能算编码（encode），比如Base64算法，就不能算一种加密算法

另外看到一种典型的组网模式，在内网和DMZ区域之间，用防火墙隔离。外部用户可以直接访问到DMZ区域中的服务器，但是不能直接访问内网。联系我们的系统，反向代理是放在DMZ区域的，而应用和数据库服务器，都在内网里，中间用防火墙隔离