CIW
™:
Internetworking Professional Study Guide
Patrick T. Lane, Rod Hauser
San Francisco • London Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Associate Publisher: Neil Edde
Acquisitions and Developmental Editor: Heather O’Connor
Editor: Suzanne Goraj
Production Editor: Teresa L. Trego
Technical Editors: Rod Jackson, Warren Wyrostek
Graphic Illustrators: Tony Jonick, Rappid Rabbit
Electronic Publishing Specialist: Jill Niles
Proofreaders: Dave Nash, Nelson Kim, Emily Hsuan
Indexer: Ted Laux
CD Coordinator: Dan Mummert
CD Technician: Kevin Ly
Book Designer: Bill Gibson
Cover Designer: Archer Design
Cover Illustrator/Photographer: Jeremy Woodhouse, PhotoDisc
This book was developed and published by Sybex Inc., under a license from ProsoftTraining. All Rights Reserved. Original Advanced E-Commerce and Site Design training material © 2001 ComputerPREP, Inc. Copyright © 2002 Sybex Inc. 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 2002104177 ISBN: 0-7821-4083-1 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. The CIW logo and ComputerPREP, Inc. are trademarks of ProsoftTraining.com. Some screen reproductions made using Jasc® Paint Shop Pro®. Copyright © 1992-2002 Jasc Software, Inc. All Rights Reserved. Some screen reproductions produced with FullShot 99. FullShot 99 © 1991-1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997-1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com . Netscape Communications, the Netscape Communications logo, Netscape, and Netscape Navigator are trademarks of Netscape Communications Corporation.
Netscape Communications Corporation has not authorized, sponsored, endorsed, or approved this publication and is not responsible for its content. Netscape and the Netscape Communications Corporate Logos are trademarks and trade names of Netscape Communications Corporation. All other product names and/or logos are trademarks of their respective owners. Internet screen shots using Microsoft Internet Explorer 5.5 reprinted by permission from Microsoft Corporation. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Photographs and illustrations used in this book have been downloaded from publicly accessible file archives and are used in this book for news reportage purposes only to demonstrate the variety of graphics resources available via electronic access. Text and images available over the Internet may be subject to copyright and other rights owned by third parties. Online availability of text and images does not imply that they may be reused without the permission of rights holders, although the Copyright Act does permit certain unauthorized reuse as fair use under 17 U.S.C. Section 107. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1
To Our Valued Readers: The Certified Internet Webmaster (CIW) program from ProsoftTraining™ has established itself as one of the leading Internet certifications in the IT industry. Sybex has partnered with ProsoftTraining to produce Study Guides, like the one you hold in your hand, for the Associate, Master Administrator, and Master Designer tracks. Each Sybex book is based on official courseware and is exclusively endorsed by ProsoftTraining. Just as ProsoftTraining is committed to establishing measurable standards for certifying IT professionals working with Internet technologies, Sybex is committed to providing those professionals with the skills and knowledge needed to meet those standards. It has long been Sybex’s desire to help bridge the knowledge and skills gap that currently confronts the IT industry. The authors and editors have worked hard to ensure that this CIW Study Guide is comprehensive, in-depth, and pedagogically sound. We’re confident that this book will meet and exceed the demanding standards of the certification marketplace and help you, the CIW certification candidate, succeed in your endeavors. Good luck in pursuit of your CIW certification!
Neil Edde Associate Publisher—Certification Sybex, Inc.
Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the "Software") to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties ("End-User License"), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.
Warranty SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to: SYBEX Inc. Product Support Department 1151 Marina Village Parkway Alameda, CA 94501 Web: http://www.sybex.com After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.
Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.
Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).
Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.
Copy Protection The Software in whole or in part may or may not be copyprotected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.
Acknowledgments I would like to thank my wife Nancee for all of her support and encouragement, and compliment the patience of my sons Owen, Malcolm and Reece during this project. Maybe now that this project is over, I’ll connect Owen and Malcolm’s computers to the network. I hope that this book helps developing professionals grow both technically and professionally, because ongoing learning is important. I would like to thank several individuals for guiding my learning, most of all my parents, Richard and Alice, and also several teachers and professors: Bob Graves, Rollie Freel, Harlan Graber, Ed Hill and Tony deLaubenfels. You have all helped me appreciate concise thinking and expand my enjoyment of the relationships between the abstract and real, and the synergy between humanity and technology. Thanks to the staff at CIW and Sybex, and the whole project crew. Many thanks to GNU contributors everywhere, to Linus Torvalds and the entire Linux community for keeping computers fun for the next few decades. --Rod Hauser

I would like to thank my wife, Susan, for her support and ability to make me see the lighter side of life during the time-consuming development of the CIW Foundations, CIW Internetworking Professional, and CIW Security Professional books. I would also like to thank Jud Slusser for his wisdom and long-view approach toward certification, and James Stanger for his technical expertise. I would also like to thank Heather O’Connor for the opportunity to author CIW books for Sybex. --Patrick Lane
Introduction The Prosoft CIW (Certified Internet Webmaster) certification affirms that you have the essential skills to create, run, and update a website. These skills are exactly what employers in today’s economy are looking for, and you need to stay ahead of the competition in the current job market. CIW certification will prove to your current or future employer that you are serious about expanding your knowledge base. Obtaining CIW certification will also provide you with valuable skills, including basic networking, web page authoring, internetworking, maintaining security, and website design, and expose you to a variety of vendor products made for web design and implementation.

This book is meant to help you prepare for the Certified Internet Webmaster Internetworking Professional Exam 1D0-460. The Internetworking Professional exam is one of the exams that make up the Master CIW Administrator Certification. The Internetworking Professional exam focuses on network architecture; identifying infrastructure components; monitoring and analyzing network performance; and designing, managing, and troubleshooting enterprise TCP/IP networks.

Each element of the Master CIW Administrator Certification validates your expertise in key skills that are cross-platform. Windows NT and Windows 2000 are widely used in businesses, and enterprise and midsize businesses continue to rely on commercial Unix while deploying Linux in test and production environments. For the best study preparation for the CIW Master Administrator sequence, you will want to have both a Windows system and a Linux system, to configure, perform exercises, and generally learn to use. You may already have two or more systems as a home network.

Although those new to internetworking may focus on the differences between versions of Windows, versions of commercial Unix, and different Linux distributions, the skills and knowledge of a Master Administrator—both certifiable knowledge and real-world skills—are based on utilities and concepts that remain the same regardless of version or revision. Throughout this series, Windows 2000 and Linux are used.
The Certified Internet Webmaster Program The CIW Internet skills certification program is aimed at professionals who design, develop, administer, secure, and support Internet- or intranet-related services. The CIW certification program offers industry-wide recognition of an individual’s Internet and web knowledge and skills, and certification is frequently a factor in hiring and assignment decisions. It also provides tangible evidence of a person’s competency as an Internet professional; holders of this certification can demonstrate to potential employers and clients that they have passed rigorous training and examination requirements that set them apart from non-certified competitors. All CIW certifications are endorsed by the International Webmasters Association (IWA) and the Association of Internet Professionals (AIP).
CIW Associate The first step toward CIW certification is the CIW Foundations exam. A candidate for the CIW Associate certification and the Foundations exam has the basic hands-on skills and knowledge that an Internet professional is expected to understand and use. Foundations skills include basic knowledge of Internet technologies, network infrastructure, and web authoring using HTML. The CIW Foundations program is designed for all professionals who use the Internet. The job expectations of a CIW Associate, or person who has completed the program and passed the Foundations exam, include:
Understanding Internet, networking, and web page authoring basics
Application of Foundations skills required for further specialization
There are a few prerequisites for becoming a CIW Associate. For instance, although you need not have Internet experience in order to start Foundations exam preparation, you should have an understanding of Microsoft Windows.
Table I.1 shows the CIW Foundations exam and the corresponding Sybex Study Guide that covers the CIW Associate certification.

TABLE I.1 The CIW Associate Exam and Corresponding Sybex Study Guide

Exam Name     Exam Number   Sybex Study Guide
Foundations   1D0-410       CIW: Foundations Study Guide (ISBN 0-7821-4081-5)
CIW accepts score reports from CIW Associate candidates who have passed the entry-level CompTIA i-Net+ exam (IKO-001) and will award Foundations certification to these individuals. For more information regarding the i-Net+ and other CompTIA exams, visit www.comptia.org/.
After passing the Foundations exam, students become CIW Associates and can choose from five Master CIW certification tracks, by choosing a path of interest and passing the required exams:
Master CIW Designer
Master CIW Administrator
CIW Web Site Manager
Master CIW Enterprise Developer
CIW Security Analyst
Master CIW Designer The Master Designer track is composed of two exams, each of which represents a specific aspect of the Internet job role:
Site Designer
E-Commerce Designer
Site Designer Exam The CIW Site Designer applies human-factors principles to designing, implementing, and maintaining hypertext-based publishing sites. The Site Designer uses authoring and scripting languages, as well as digital media tools, plus provides content creation and website management.
E-Commerce Designer Exam The CIW E-Commerce Designer is tested on e-commerce setup, human-factor principles regarding product selection and payment, and site security and administration.
Table I.2 shows the CIW Site Designer and E-Commerce Designer exams and the corresponding Sybex Study Guide for each of these steps toward the CIW Master Designer certification.
TABLE I.2 The Master Designer Exams and Corresponding Sybex Study Guides

Exam Name             Exam Number   Sybex Study Guide
Site Designer         1D0-420       CIW: Site and E-Commerce Design Study Guide (ISBN 0-7821-4082-3)
E-Commerce Designer   1D0-425       CIW: Site and E-Commerce Design Study Guide (ISBN 0-7821-4082-3)
Master CIW Administrator The CIW Administrator is proficient in three areas of administration:
Server
Internetworking
Security
In each of these areas, specific skills are tested in the context of Windows and Unix or Linux. After passing each test, you become a CIW Professional in that specific area.
Server Administrator Exam The CIW Server Administrator manages and tunes corporate e-business infrastructure, including web, FTP, news, and mail servers for midsize to large businesses. Server administrators configure, manage, and deploy e-business solutions servers.
Internetworking Professional Exam The Internetworking Professional defines network architecture, identifies infrastructure components, and monitors and analyzes network performance. The CIW Internetworking Professional is responsible for the design and management of enterprise TCP/IP networks.
Security Professional Exam The CIW Security Professional implements policy, identifies security threats, and develops countermeasures using firewall systems and attack-recognition technologies. As a CIW Security Professional, you are responsible for managing the deployment of e-business transactions and payment security solutions.
The exams in the Master Administrator track are listed in Table I.3.

TABLE I.3 The Master Administrator Exams and Corresponding Sybex Study Guides

Exam Name                      Exam Number   Sybex Study Guide
Server Administrator           1D0-450       CIW: Server Administrator Study Guide (ISBN 0-7821-4085-8)
Internetworking Professional   1D0-460       CIW: Internetworking Professional Study Guide (ISBN 0-7821-4083-1)
Security Professional          1D0-470       CIW: Security Professional Study Guide (ISBN 0-7821-4084-X)
Other CIW Certifications Prosoft also offers three additional certification series in website management, enterprise development, and security analysis.
Master CIW Web Site Manager The Web Site Manager certification is composed of two Internet job role series exams (Site Designer 1D0-420 and Server Administrator 1D0-450) and two additional language exams (JavaScript 1D0-435 and Perl Fundamentals 1D0-437) from the CIW Web Languages series.
Master CIW Enterprise Developer The Enterprise Developer certification is composed of three Internet job role series exams (Application Developer 1D0-430, Database Specialist 1D0-441, and Enterprise Specialist 1D0-442) and three additional language/theory series (Web Languages, Java Programming, and Object-Oriented Analysis).
CIW Security Analyst The Security Analyst certification recognizes those who have already attained a networking certification and demonstrated (by passing the CIW Security Professional 1D0-470 exam) that they have the in-demand security skills to leverage their technical abilities against internal and external cyber threats.
For more information regarding all of Prosoft’s certifications and exams, visit www.ciwcertified.com.
Special Features in This Book What makes a Sybex Study Guide the book of choice for over 500,000 certification candidates across numerous technical fields? We take into account not only what you need to know to pass the exam, but what you need to know to apply what you’ve learned in the real world. Each book contains the following:
Objective Information Each chapter lists at the outset which CIW objective groups are going to be covered within.
Assessment Test Directly following this Introduction is an Assessment Test that you can take to help you determine how much you already know about networking protocols, network management, and advanced TCP/IP concepts and practices. Each question is tied to a topic discussed in the book. Using the results of the Assessment Test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book.
Exam Essentials To review what you’ve learned, you’ll find a list of Exam Essentials at the end of each chapter. The Exam Essentials section briefly highlights the topics that need your particular attention as you prepare for the exam.
Key Terms and Glossary Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and a list of the Key Terms appears just after the Exam Essentials. At the end of the book, a detailed glossary gives definitions for these terms, as well as other general terms you should know.
Review Questions, complete with detailed explanations Each chapter is followed by a set of Review Questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel as what you’ll see on the exam.
Hands-on Exercises Throughout the book, you’ll find exercises designed to give you the important hands-on experience that is critical for your exam preparation. The exercises support the topics of the chapter, and they walk you through the steps necessary to perform a particular function.
Interactive CD Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with a palm device or PC, and a complete electronic version of this book. Details are in the following section.
What’s on the CD? Sybex’s CIW: Internetworking Professional Study Guide companion CD includes quite an array of training resources and offers numerous test simulations, bonus exams, and flashcards to help you study for the exam. We have also included the complete contents of the study guide in electronic form. The CD’s resources are described here:
The Sybex E-book for the CIW Internetworking Professional Study Guide Many people like the convenience of being able to carry their whole study guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily. For these reasons, the entire contents of this study guide are supplied on the CD, in PDF format. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as search capabilities.
The Sybex CIW Edge Tests The Edge Tests are a collection of multiple-choice questions that will help you prepare for your exam. There are three sets of questions:
Two bonus exams designed to simulate the actual live exam.
All the Review Questions from the Study Guide, presented in an electronic test engine. You can review questions by chapter or by objective area, or you can take a random test.
The Assessment Test.
Sybex CIW Flashcards for PCs and Palm Devices The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex CIW Flashcards set consists of 100 questions presented in a special engine developed specifically for this study guide series. We have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the Palm and Visor PDAs).
White Papers Network technology continues to evolve at a fast pace, and as a CIW Internetworking Professional, you will often find others looking to you for information regarding emerging technologies. Four white papers have been included on the CD, including information on Voice over IP, multicasting, and ongoing SNMP developments. None of these white papers are testable material; rather, they extend the tested skills of a CIW Internetworking Professional with knowledge of what technologies are just now arriving. Supplemental Files Some of the Exercises in this book reference downloadable software, open source utilities, and Request for Comment information. All of these have been included on the CD, for your convenience should you need them when Internet access is not available.
How to Use This Book This book provides a solid foundation for the serious effort of preparing for the exam. To best benefit from this book, you may wish to use the following study method:
1. Take the Assessment Test to identify your weak areas.
2. Study each chapter carefully. Do your best to fully understand the information.
3. Study the Exam Essentials and Key Terms to make sure you are familiar with the areas you need to focus on.
4. Answer the review questions at the end of each chapter. If you prefer to answer the questions in a timed and graded format, install the Edge Tests from the book’s CD and answer the chapter questions there instead of in the book.
5. Take note of the questions you did not understand, and study the corresponding sections of the book again.
6. Go back over the Exam Essentials and Key Terms.
7. Go through the study guide’s other training resources, which are included on the book’s CD. These include electronic flashcards, the electronic version of the chapter review questions (try taking them by objective), and the two bonus exams.
To learn all the material covered in this book, you will need to study regularly and with discipline. Try to set aside the same time every day to study, and select a comfortable and quiet place in which to do it. If you work hard, you will be surprised at how quickly you learn this material. Good luck!
Exam Registration CIW certification exams are administered by Prometric, Inc. through Prometric Testing Centers and by Virtual University Enterprises (VUE) testing centers. You can reach Prometric at (800) 380-EXAM or VUE at (952) 995-8800 to schedule any CIW exam. You may also register for your exams online at www.prometric.com or www.vue.com.
Exams cost $125 (U.S.) each and must be paid for in advance. Exams must be taken within one year of payment. Candidates can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. To cancel or reschedule an exam, contact the center at least two working days prior to the scheduled exam date. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, registration must occur a minimum of two hours before test time. When you schedule the exam, the testing center will provide you with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric or VUE.
Tips for Taking the CIW Internetworking Professional Exam Here are some general tips for achieving success on your certification exam:
Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information.
Read the questions carefully. Don’t be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess. Mark questions that you aren’t sure of and return to them later. Quite often something in a later question will act as a reminder or give you a clue to the correct answer of the earlier one.
Contacts and Resources Here are some handy websites to keep in mind for future reference:
Prosoft Training and CIW Exam Information: www.CIWcertified.com
Prometric: www.prometric.com
VUE Testing Services: www.vue.com
Sybex Computer Books: www.sybex.com
Assessment Test
1. In the Internet architecture model, routing occurs at which layer?
A. Transport
B. Network
C. Internet
D. Network Access
2. Which message will be sent by a node to indicate its Data-Link layer address?
A. Neighbor Solicitation
B. Neighbor Advertisement
C. Router Advertisement
D. Redirect
3. Which of the following utilities uses ICMP?
A. dig
B. nslookup
C. ping
D. telnet
4. ARP is used to perform which of the following functions?
A. ARP verifies uniqueness of a given IP address.
B. ARP determines the MAC address for a given IP address.
C. ARP converts a 48-bit MAC address into a 32-bit IP address.
D. ARP resolves a given MAC address to an IP address.
5. Which DHCP header field denotes whether a packet is a request or a reply?
A. Transaction ID
B. Operation
C. Flags
D. Options
6. Which packet will be sent by an IPv6 host attempting stateless autoconfiguration?
A. Router Solicitation
B. Router Advertisement
C. Neighbor Advertisement
D. Group Membership Query
7. What is the hexadecimal value for 255 (decimal), or 11111111 (binary)?
A. B9
B. A0
C. CE
D. FF
8. What is the default algorithm for the IPsec Encapsulating Security Payload (ESP)?
A. MD5
B. DES
C. DES-CBC
D. SPI
9. Which of the following is a description of the WarmStart trap?
A. The sending agent reinitialized, but neither the agent’s configuration nor the protocol entity implementation was altered.
B. A communication link opened.
C. The sending agent reinitialized, but the agent’s configuration and protocol entity implementation changed.
D. A nongeneric trap occurred, identified with information in the Specific Trap Type field and the Enterprise field.
10. Which of the following protocols is used by FTP?
A. UDP
B. TCP
C. ICMP
D. IGMP
11. Which type of record is used to resolve a reverse DNS lookup?
A. A
B. CNAME
C. PTR
D. SOA
12. What is the purpose of a redirect message?
A. To redirect traffic to a closer gateway
B. To redirect queries to another name server
C. To redirect traffic to another network
D. To redirect a client connection to another host
13. Which of the following IP addresses is a valid Internet host address?
A. 127.69.201.11
B. 206.255.101.49
C. 29.201.54.0
D. 123.45.69.101
14. What is the command to send a single ping from a Windows system to 10.1.2.3?
A. ping -c 1 10.1.2.3
B. ping -i 10.1.2.3
C. ping -i 1 10.1.2.3
D. ping -n 1 10.1.2.3
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
xxxiv Assessment Test
15. Which of the following RFCs stipulates that the official way to name the OID is to refer to it by its number?
A. RFC 1155
B. RFC 1215
C. RFC 1157
D. RFC 1850
16. How many blocks of the IP address space have been reserved by the ICANN for private networks?
A. Four
B. Three
C. Two
D. Seven
17. Which value is incremented on the primary server each time records are updated?
A. serial
B. refresh
C. retry
D. expire
18. What defines a managed node?
A. The device supports SNMP.
B. The node has an agent installed.
C. A managed node works with the chosen management protocol.
D. The device has the ability to trigger automatic responses.
19. How many hosts could exist on the network 208.142.34.32/255.255.255.224?
A. 16
B. 14
C. 30
D. 32
20. Which of the following is a step in fault management?
A. Isolate the problem.
B. Provide a solution.
C. Provide root cause.
D. Determine symptoms.
21. Which field in an OSPF header contains the source address for the originating router?
A. Authentication
B. Router Identification
C. Area ID
D. Authentication Type
22. Select the binary representation of the subnet mask 255.255.240.0.
A. 11111111 11111111 11111000 00000000
B. 11111111 11111111 11110000 00000000
C. 11111111 11111111 11000000 00000000
D. 11111111 11111111 00011111 00000000
23. What type of traffic typically traverses port 1080?
A. HTTPS
B. HTTP
C. SOCKS
D. ICP
24. What defines a managed node?
A. The device supports SNMP.
B. The node has an agent installed.
C. A managed node works with the chosen management protocol.
D. The device has the ability to trigger automatic responses.
25. What is an active close?
A. An ACK sent by a server initiating a session closure
B. A SYN sent by a client requesting a new session to replace an existing session
C. A FIN sent by a server to initiate a session closure
D. A FIN sent by a client to initiate a session closure
26. Which of the following is a feature of the ttcp utility?
A. It uses only TCP.
B. It avoids the three-way handshake.
C. It functions at both the Network and Data-Link layers.
D. It contains authentication information.
27. At which layer of the OSI/RM does RMON operate?
A. The Application layer
B. The Network layer
C. The Data-Link layer
D. The Transport layer
28. Which of the following is NOT an IP header field?
A. Flags
B. Time To Live
C. Header Length
D. Datagram Checksum
29. What is NOT a feature of TCP?
A. Data delivery in sequence
B. Guaranteed delivery of data
C. Data redundancy
D. Session management between source and destination
30. Why is SNMP so widely used?
A. Low resource requirements, portability, wide vendor support
B. It is required for enterprise networks
C. The root servers authenticate IP addresses using SNMP
D. Network Management is not widely used
31. Which of the following ping6 command lines would be used with Windows 2000 to specify eight ping packets, with DNS resolution, to fe80::280:5fff:fee2:dd33?
A. ping6 -a -n 8 fe80::280:5fff:fee2:dd33
B. ping6 -n -t 8 fe80::280:5fff:fee2:dd33
C. ping6 -a -t 8 fe80::280:5fff:fee2:dd33
D. ping6 -a -l 8 fe80::280:5fff:fee2:dd33
32. Convert 1001001001001001 to hexadecimal.
A. A249
B. A24A
C. 9249
D. 9429
33. Which command-line utility is used on Windows 2000 to determine IP address and Ethernet MAC information?
A. winipcfg
B. ifconfig -a
C. ifconfig /all
D. ipconfig /all
34. Name one significant performance improvement between HTTP version 1.0 and 1.1.
A. Data compression
B. Improved authentication
C. Persistent connections
D. Support for more graphics formats
35. Mobile IP support was contributed from which developmental ancestor of IPv6?
A. SIP
B. PIP
C. CATNIP
D. CLNP
36. Which header is the “last” unencrypted header?
A. Authentication extension header
B. Routing extension header
C. Encrypted Security Payload header
D. Security Parameters Index header
37. Which of the following protocols uses UDP?
A. SMTP
B. SNMP
C. FTP
D. Telnet
38. What is SMTP an abbreviation for?
A. Simple Mail Transfer Protocol
B. Simple Management Tool Protocol
C. Simple Modem Telnet Protocol
D. Simple Mail Transit Protocol
39. Which of the following is NOT used to abbreviate an IPv6 address?
A. Drop all leading zeros.
B. Replace each null integer with a single zero.
C. Replace each null integer with a double colon.
D. Replace null integers with a double colon.
40. Why would you choose to implement IPv6 with stateful configuration when stateless autoconfiguration does not require a server?
A. Stateful configuration is easier to implement.
B. Stateful configuration can pass additional configuration information.
C. Stateful configuration offers less security.
D. Stateful configuration requires more router configuration.
41. A system has an Ethernet MAC address of 00-04-76-48-9A-CA. What is its IEEE EUI address?
A. 00-04-76-FF-FE-48-9A-CA
B. 00-04-76-48-FF-FE-9A-CA
C. 02-04-76-48-FF-FE-9A-CA
D. 02-04-76-FF-FE-48-9A-CA
42. What role did the U.S. Department of Defense play in the evolution of the Internet?
A. It increased the connection speeds between various sites to 1.5Mbps.
B. It created the ARPANET in 1968, which later came under the jurisdiction of the National Science Foundation.
C. It expanded Internet access to universities and businesses by installing 56Kbps telephone lines in strategic areas.
D. It offered financial incentives to private companies to join the Internet.
43. Internetworking professionals should be most familiar with which branch of the MIB tree?
A. 1.3.6.1
B. 1.3.1.6
C. 1.3.6.1.3
D. 1.3.1.1.6
44. Where is the hosts file located on Windows 2000?
A. %systemroot\system32\drivers\hosts
B. %systemroot\system32\drivers\etc\hosts
C. %systemroot\system32\etc\hosts
D. %systemroot\system32\hosts
45. Which of the following will display open network sockets on a Unix or Linux host?
A. netstat -s
B. netstat -a
C. ping -s
D. ping -c
46. Since TCP is reliable, why would an application use UDP?
A. UDP offers superior packet sequencing with fixed header length.
B. UDP is less prone to congestion.
C. UDP provides a more efficient use of network bandwidth.
D. UDP is used only by older applications.
47. What makes File Transfer Protocol an efficient method of transferring files?
A. On-the-fly data compression
B. FTP uses two TCP ports, one for control and one for data
C. FTP’s encrypted authentication headers
D. No additional encoding or decoding of data is required
Answers to Assessment Test
1. C. Routing occurs at the Internet layer of the Internet Architecture model. The Network layer is responsible for routing in the OSI/RM model, but there is no layer named “Network” in the IA model. See Chapter 1 for more information.
2. B. The Neighbor Advertisement is sent by routers or hosts to show the Data-Link layer address, either in response to a Neighbor Solicitation or unsolicited, to indicate a Data-Link layer address change. See Chapter 11 for more information.
3. C. Ping uses ICMP. See Chapter 1 for more information.
4. C. ARP resolves an IP address to a MAC address, logical to physical. IP is OSI/RM Layer 3, and MAC is OSI/RM Layer 2. See Chapter 2 for more information.
5. B. The Operation field in both DHCP and BootP denotes request or reply. See Chapter 2 for more information.
6. A. The Router Solicitation message is broadcast to attempt stateless autoconfiguration. The Router Advertisement and Group Membership Query are sent by the router, not the host, and the Neighbor Advertisement is a response to Data-Link layer address queries, not part of autoconfiguration. See Chapter 11 for more information.
7. D. FF is the hexadecimal equivalent of 32 bits, all set to one, or 255 decimal, one less than 2^32. See Chapter 2 for more information.
8. C. The Data Encryption Standard (DES) has several modes. The Cipher Block Chaining mode, DES-CBC, is the default encryption algorithm for the security payload. See Chapter 10 for more information.
9. A. The WarmStart indicates that the agent has reinitialized, but no configuration or protocol changes occurred. See Chapter 7 for more information.
10. B. File Transfer Protocol uses TCP on ports 21 and 20, by default. See Chapter 1 for more information.
11. C. The PTR record is used to resolve an IP address to a host name. See Chapter 5 for more information.
12. A. The ICMP redirect sends traffic to a closer gateway to the destination IP address. See Chapter 6 for more information.
13. D. The other addresses are network, loopback, and broadcast addresses, not valid IP addresses. See Chapter 2 for more information.
14. D. On Windows, the -n option is used to specify the number of pings to send, while on Unix and Linux, the -c option performs the same function. See Chapter 6 for more information.
15. A. RFC 1155 stipulates that the official way to name the OID is by number. See Chapter 8 for more information.
16. B. ICANN has reserved three ranges, 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. See Chapter 7 for more information.
17. A. The serial value is incremented with each change, indicating to secondary servers that they need to get the update. See Chapter 5 for more information.
18. B. The agent makes a node managed. This does not require SNMP, and may even vary from the selected management protocol, using a gateway agent. See Chapter 7 for more information.
19. C. Five bits are used for the host portion, and 2^5 = 32, but two addresses are not available, the network (all zeros) and broadcast (all ones) combinations, resulting in 30 usable addresses. See Chapter 7 for more information.
20. C. All of these are steps in fault management except root-cause analysis, although a managed system may help to determine root cause. See Chapter 7 for more information.
21. B. Router Identification is the 32-bit IP address of the router sending the OSPF packet. See Chapter 7 for more information.
22. B. The octets of 255 are sets of eight ones, while 240 = 128 + 64 + 32 + 16, represented by ones in the first four bits of the next octet. See Chapter 7 for more information.
23. C. Port 1080 is for SOCKS proxy servers. See Chapter 4 for more information.
24. B. The agent makes a node managed. This does not require SNMP, and may even vary from the selected management protocol, using a gateway agent. See Chapter 7 for more information.
25. C. The active close is performed by the server, using the FIN flag. See Chapter 4 for more information.
26. B. The ttcp utility can use UDP or TCP (default) and functions at the Network and Transport layers with no additional security features. See Chapter 9 for more information.
27. A. RMON operates at the Application layer, but monitors layers 1 and 2 of the OSI/RM. RMON-2 adds support for monitoring of all levels between 3 and 7. See Chapter 8 for more information.
28. D. The only checksum in an IP packet is the Header Checksum. See Chapter 7 for more information.
29. C. No duplicate data is carried by TCP. See Chapter 4 for more information.
30. A. SNMP is widely used because it is simple both as a protocol and to implement, and supported by many vendors. It is not required, has nothing to do with root servers, and is used in small, medium, and large businesses. See Chapter 1 for more information.
31. A. The -t option is used to repeatedly ping an address, not to specify a number of pings, and -l is used to specify send buffer size. See Chapter 9 for more information.
32. C. Consider each four-bit component of the 16-bit value, as each four bits can be expressed as a single hexadecimal digit: 1001=9, 0010=2, 0100=4, 1001=9, resulting in 9249 hexadecimal. See Chapter 10 for more information.
33. D. Winipcfg is used on Windows 95/98 and ifconfig is a Linux or Unix command. Ipconfig is used on Windows NT and 2000. See Chapter 2 for more information.
34. C. HTTP 1.1 uses persistent connections, rather than creating a connection for each page requested. This improves performance by reducing unnecessary Internet traffic. See Chapter 1 for more information.
35. B. PIP contained efficient routing and Mobile IP support. See Chapter 9 for more information.
36. C. The Encrypted Security Payload extension header is the last unencrypted information, followed by payload data and authentication data. The Authentication extension header and Routing extension header both come before the ESP, and therefore must be unencrypted, while the Security Parameters Index is a field of the ESP, not a header. See Chapter 10 for more information.
37. B. Simple Network Management Protocol uses UDP. See Chapter 1 for more information.
38. A. SMTP is the Internet standard for transferring e-mail messages between mail servers. E-mail clients would not use SMTP, but often POP or IMAP for a client-to-server connection. See Chapter 1 for more information.
39. C. You may not replace each null integer with a double colon, as this could result in using more than one double colon, which is not allowed. See Chapter 10 for more information.
40. B. Gateway, DNS server, and other information can be passed to hosts with stateful configuration. Although stateless autoconfiguration is easier to implement, it offers less security, and requires little or no router configuration. See Chapter 11 for more information.
41. D. The IEEE EUI address conversion changes a 48-bit MAC address to a 64-bit EUI address by inserting the FF-FE values between the third and fourth bytes of the 48-bit address. In addition, the first byte must not be zero, as it is reserved, so the EUI conversion makes this byte 02. See Chapter 10 for more information.
42. B. The Department of Defense Advanced Research Projects Agency (ARPA) provided funding in 1968 to connect four universities with what was then dubbed ARPANET. See Chapter 1 for more information.
43. A. The iso.org.dod.internet node is 1.3.6.1 of the MIB tree. See Chapter 8 for more information.
44. B. The ..\drivers\etc\ directory contains the hosts file, and is off the %systemroot\system32 directory. See Chapter 5 for more information.
45. B. The netstat command will show network status, the -a option will show specific protocols and ports, and those that are open will be marked as LISTEN. A netstat -s will display usage statistics. See Chapter 6 for more information.
46. C. UDP can provide for a faster, unreliable delivery of data, without the overhead of session management. See Chapter 4 for more information.
47. D. FTP’s binary mode for transferring files requires no encoding or decoding of data, unlike MIME email attachments. While some FTP servers support compression, this does not make the protocol efficient, and although FTP uses ports 20 and 21 for control and data connections, that has no bearing on throughput or efficiency of the transfer. FTP does not use encryption. See Chapter 1 for more information.
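The address arithmetic behind answers 19, 22, 32, and 41, carried out as small functions. This is an added worked example, not code from the study guide; the function names are this example's own. The EUI-64 routine applies the general rule (flip the universal/local bit, 0x02, of the first byte), of which the guide's 00-to-02 case is one instance.

```python
"""Added worked example (not from the study guide): address arithmetic
behind assessment answers 19, 22, 32 and 41."""
import re


def mac_to_eui64(mac: str) -> str:
    """Build the modified EUI-64 identifier from a 48-bit MAC address.

    Two steps: insert FF-FE between the third and fourth bytes, then flip
    the universal/local bit (0x02) of the first byte. The guide's example
    00-04-76-48-9A-CA is the 00 -> 02 case of that flip; a MAC whose first
    byte already has the bit set gets it cleared instead.
    """
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6:
        raise ValueError(f"expected six octets, got {mac!r}")
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"octet out of range in {mac!r}")
    octets[0] ^= 0x02  # toggle the U/L bit of the first byte
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return "-".join(f"{o:02X}" for o in eui)


def mask_to_binary(mask: str) -> str:
    """Render a dotted-decimal subnet mask as four 8-bit groups (answer 22)."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal mask {mask!r}")
    return " ".join(f"{o:08b}" for o in octets)


def prefix_length(mask: str) -> int:
    """Count the one-bits of a subnet mask, rejecting non-contiguous masks."""
    bits = mask_to_binary(mask).replace(" ", "")
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def usable_hosts(mask: str) -> int:
    """Host addresses available on a subnet with the given mask (answer 19).

    2**host_bits minus the all-zeros (network) and all-ones (broadcast)
    addresses; a /31 or /32 leaves nothing to subtract from, so report 0.
    """
    host_bits = 32 - prefix_length(mask)
    if host_bits < 2:
        return 0
    return 2 ** host_bits - 2


def binary_to_hex(bits: str) -> str:
    """Convert a binary string to hex one nibble at a time (answer 32)."""
    bits = bits.replace(" ", "")
    if set(bits) - {"0", "1"}:
        raise ValueError("not a binary string")
    bits = bits.zfill(-(-len(bits) // 4) * 4)  # pad up to a nibble boundary
    return "".join(f"{int(bits[i:i + 4], 2):X}" for i in range(0, len(bits), 4))


if __name__ == "__main__":
    # Inputs taken from the assessment questions above.
    print(mac_to_eui64("00-04-76-48-9A-CA"))   # 02-04-76-FF-FE-48-9A-CA (answer 41, D)
    print(mask_to_binary("255.255.240.0"))     # 11111111 11111111 11110000 00000000 (answer 22, B)
    print(usable_hosts("255.255.255.224"))     # 30 (answer 19, C)
    print(binary_to_hex("1001001001001001"))   # 9249 (answer 32, C)
```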
Chapter 1
The Internet and TCP/IP
CIW EXAM OBJECTIVE AREAS COVERED IN THIS CHAPTER:
Define the Internet infrastructure, including but not limited to: the National Science Foundation network (NSFnet), the Internet Society (ISOC), key internetworking protocols.
Identify essential elements of the Internet and locate Requests for Comments (RFCs) that define them, including but not limited to: the Open Systems Interconnection (OSI) reference model, the Internet architecture model, Transmission Control Protocol/Internet Protocol (TCP/IP), various Internet protocols.
Define the functions of application-layer Internet protocols, including but not limited to: Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP).
The success of many businesses, academic institutions, hospitals, and even governments can be chalked up to networks. Networks provide an efficient system of connections so that users can file-share, communicate, create, research, and learn together, even though the associated users are miles or even continents apart.
Networks are extremely popular for a very basic reason: they allow users to share data quickly. In the past, users had to place files on a floppy disk or print them and physically deliver them to the destination. Such “sneakernet” solutions may be appropriate or necessary in some situations, but when it comes to organizing and expediting the daily operation of a business, no better means exists than a well-run network.
Networks allow information to be distributed quickly and easily between two or more computers. This is achieved with a system of protocols, cables, hardware, and (in some instances) other media, such as wireless technology. A network is two or more computers that share information via a physical medium and a protocol. Networking can include a small business network in one building, for instance, which is called a local area network (LAN), and a network can also connect many different LANs over a long distance in a wide area network (WAN). A series of WANs can extend to a worldwide “internetwork” that connects millions of users, such as the Internet. Before you learn more about the Internet, internetworking, and the protocols involved with networking, you must understand how networks have traditionally functioned.
Networking Past and Present
Traditionally, whenever an organization chose a network, it tried to ensure that it chose and used only one type of network product. Such choices began the era of homogeneous, vendor-centric networks. Most organizations chose one vendor, such as Novell, IBM, or Microsoft, to provide their networking solution because a one-vendor network ensures a minimum of training for employees and IT professionals. The reasoning was that using the same network type made network communication as simple as possible.
As you pursue your career, it is quite possible that you will work with many different types of networks, such as Unix, Novell NetWare, Windows NT, and Windows 2000. At one time, you would probably have used only one type of network at each company. Thus, you would have had to familiarize yourself with the new network and networking protocol or topology with each new job. After learning the latest protocols in order to pass the CIW Internetworking Professional exam, however, you will have learned all you need to know to apply yourself to any available network.
Over the past decade, a fundamental change has occurred in networking. Before, you would have had to learn each networking system separately in order to run any one of them; now, many different types of networks can be connected to ensure that different organizations and divisions can communicate directly with one another in a timely way. The task of working with different, or heterogeneous, systems such as the Internet has been given its own name: internetworking. This type of networking represents quite a change. With a traditional networking solution, an organization could communicate with itself on its own network. However, to communicate with others, it had to resort to non-network delivery methods, such as traditional mail.
The motivation behind the developments that allow networks to connect with one another has been the need for different organizations to transfer information across large geographic areas as rapidly as possible. Given this change in how organizations operate with various networks, you will probably have to connect different types of networks into a single logical network in which each type can communicate with the others.
Overview of TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is a set of rules that allows computers from different vendors with various operating systems and capabilities (mainframes to desktop computers) to communicate. Since it was adopted in 1983 by the major networks that made up the Internet, TCP/IP has far exceeded expectations. Today, it is the most widely used networking protocol suite in the world and is the protocol that powers the Internet, the world’s largest WAN. In this section, we’ll discuss Internet architecture and common protocols used on the Internet, including more about TCP/IP and serial link protocols. We will also discuss and analyze Request for Comments (RFC) documents, which define and reference Internet protocols.
TCP/IP and Interoperability
Even though TCP/IP is the most popular network protocol, many networks today use protocols other than TCP/IP. The default networking protocol for Novell NetWare networks was IPX/SPX until Novell NetWare 5 was released and the default became TCP/IP. Many Novell networks still use both IPX/SPX and TCP/IP and are very productive as a result, but non-TCP/IP networks need not completely abandon the networking protocol they have traditionally used in order to function with other networks. In fact, they can use one protocol internally and use TCP/IP as the protocol that will transport information between their network and another.
If one network used a networking protocol such as NetBEUI and another used IPX/SPX, they could not communicate with each other. Networks in this situation could employ special devices, called gateways, to translate between different networking protocols, but a much more effective solution would be to adopt TCP/IP to help the two networks communicate.
As you can see in Figure 1.1, TCP/IP can allow different types of networks to communicate with one another. Using something as simple as a router, TCP/IP allows your existing LAN or WAN to operate with another. It may also function in parallel with other protocols operating through the same NIC. Because of this, it serves as an ideal bridge that allows existing LANs and WANs to act as backbones for an enterprise.
FIGURE 1.1 TCP/IP and interoperability
[Figure; labels only: Standard Ethernet, Router, FDDI Ring, Token Ring, IBM SNA Network, VAX, MicroVAX, IBM AS/400, IBM Compatible Workstation, Macintosh, Server, Laser printer]
Internetworking and the Corporate Network
TCP/IP has emerged as the dominant internetworking protocol because it allows different systems to work together. Such cross-platform capability means that legacy systems, such as IBM SNA, can communicate with newer client/server solutions, such as Unix, Windows NT, Windows 2000, Macintosh, and Novell networks. Older mainframe networks and the latest PC-based networks can communicate with one another, as well. Because it is vendor-neutral, TCP/IP allows internetworking professionals to connect each system without sacrificing the strengths inherent in any operating system or networking method.
TCP/IP for internetworking has been attractive because it allows corporations and networks to use past investments as wisely as possible. Therefore, even though the Internet and internetworking are revolutionary, this protocol presents an attractive alternative to businesses that do not want to discard an entire system. With careful planning and problem solving, organizations can make sure that their older systems can communicate with any other system on their internetwork.
Evolution of the Internet
The Internet was formed in 1968, when the U.S. Department of Defense Advanced Research Projects Agency (ARPA) funded what would become the first global computer network, the Advanced Research Projects Agency Network (ARPANET). The ARPANET was launched in 1969 and connected four universities: two University of California campuses, the Stanford Research Institute, and the University of Utah. The network allowed university and government engineers to research and work from any location on the network.
ARPANET’s design featured multiple hosts and multiple connections among those hosts (see Figure 1.2), which greatly reduced the chances of total network failure. There was no central hub, which would have created a point of vulnerability; rather, control was spread throughout the network. This decentralization resulted in a robust and reliable network that would continue to function even if many of the hosts were incapacitated.
FIGURE 1.2 Multiple connections among hosts
In the early 1980s, the Unix operating system from University of California, Berkeley, supported TCP/IP, and in 1981 TCP/IP became an official Internet standard. On January 1, 1983, TCP/IP was adopted as the Internet’s official protocol. In the late 1980s, the Department of Defense decommissioned the ARPANET, and all sites transferred to the National Science Foundation (NSF) network, called the NSFnet. The NSF is an independent agency of the U.S. government that promotes the advancement of science and engineering. The NSF increased the number of NSFnet supercomputers to five in 1986 and added access to more networks, expanding the range of sites for businesses, universities, and government and military installations. These centers were connected with 56Kbps telephone lines that created regional networks, with each supercomputing “center” as a hub for connections in a given region. In 1987, the NSFnet became known as the Internet. Traffic on the network increased significantly. In 1989, the NSFnet was upgraded to support a 1.5Mbps connection speed by contracting Merit Network, Inc. In the years that followed, more private companies joined the Internet, and now technologies exist to reach speeds over 1Gbps. The hardware and communications links required to connect to the Internet were funded by a combination of private and government money. In 1995, the NSF decommissioned the NSFnet and gradually turned the Internet over to a consortium of private telecommunication companies, including Sprint, UUNet, PSINet, and MCI.
If you want to expand on the history of the Internet, a good resource is a book by Katie Hafner and Matthew Lyon, “Where Wizards Stay Up Late: The Origins of the Internet” (Simon & Schuster, 1996; also available in several e-book formats). The book focuses on the people, universities, and technologies that helped create the Internet.
Internet-Related Authorities
The authority for the Internet rests with the Internet Society (ISOC). ISOC is a voluntary membership organization whose objective is to promote global information exchange using Internet technology. You can visit the Internet Society at www.isoc.org. ISOC elects volunteers who are responsible for the technical management and direction of the Internet; these volunteers are called the Internet Architecture Board (IAB).
Another volunteer organization, called the Internet Engineering Task Force (IETF), meets regularly to discuss operational and near-term Internet technical problems. Recommendations made via working groups within the IETF can be sent to the IAB to be declared Internet standards. The IETF chairman and the area managers form the Internet Engineering Steering Group (IESG).
Another organization, called the Internet Research Task Force (IRTF), is responsible for network research and the development of new technology. The Internet Research Steering Group (IRSG) sets priorities and coordinates research activities. Figure 1.3 displays the ISOC structure.
FIGURE 1.3 ISOC structure
[Figure; labels only: ISOC, Board, Organization, IAB, IRTF, IETF, IRSG, IESG, Research Groups, Working Groups, Area 1 through Area 8]
Requests for Comments (RFCs)
Requests for Comments (RFCs) are published documents of interest to the Internet community. They include detailed information about standardized Internet protocols, such as IP and TCP, and those in various stages of development. They also include informational documents regarding protocol standards, assigned numbers (e.g., port numbers), host requirements (e.g., Data-Link, Network, Transport, and Application OSI layers), and router requirements. RFCs are identified by number. The higher the number, the more recent the RFC. Be sure you are viewing the most recent RFC during your research. A recommended RFC reference site is located at www.rfc-editor.org/rfc.html.
If an RFC has been updated, the index listing (i.e., the RFC editor query results) will state the replacement RFC number. Be aware that not all sites update RFCs regularly, so verify that your mirror site is current, or go directly to rfc-editor.org.
Protocol States
Before a protocol becomes a standard, it passes through several maturity-level states: experimental, proposed, draft, and standard. If a protocol becomes obsolete, it is classified as historic. To progress through the steps, the protocol must be recommended by the Internet Engineering Steering Group (IESG) of the Internet Engineering Task Force (IETF).
Maturity-Level Protocol States
The maturity level of a protocol state simply indicates the level of review and testing that has been performed on a protocol in that state. Like many other characteristics of the Internet, there are no hard and fast rules regarding how long or how many people review a protocol before it moves from one state to another.
Experimental: Protocols that should be used only in a lab situation. They are not intended for operation on systems other than those participating in the experiment.
Proposed: Protocols that may be considered for future standardization. Testing and research are encouraged, optimally by several groups. These protocols will most likely be revised before progressing to the next stage.
Draft: Protocols being seriously considered by the IESG to become Internet standards. Testing is encouraged, test results are analyzed, and feedback is requested. All input should be sent to the IESG. Changes are often made at the draft stage; the protocol must then return to the proposed stage.
Standard: Protocols determined by the IESG to be official standard protocols on the Internet. Standard protocols are of two types: those that apply to the entire Internet and those that apply only to certain networks.
Additional Protocol States
The additional protocol states exist alongside the maturity levels but are not tied to a developmental stage.
Historic: Protocols that have been replaced by more recent ones or that never received enough interest to develop. Historic protocols are very unlikely to become Internet standards.
Informational: Protocols developed outside of the IETF/IESG (e.g., protocols developed by vendors or other standardization organizations). These protocols are posted for the benefit of the Internet community.
Internet Standards
A protocol, or set of related protocols, that has been standardized is indexed as an STD (Standard), such as STD 5. All protocols, even STDs, are also indexed as RFCs, because RFCs are never deleted; they only change protocol state. For instance, TCP is STD 7 as well as RFC 793. In some cases, several RFCs may become one STD. For instance, IP, ICMP, and IGMP are indexed together as STD 5, even though three separate RFCs exist: RFCs 791, 792, and 1112, respectively. You will learn about these protocols in the next section.
Reference RFCs
You should be familiar with the following important reference RFCs.

Internet Official Protocol Standards, RFC 2800, STD 1  Lists the current Internet protocol standards, as well as the current protocol state of all RFCs.

Assigned Numbers, RFC 1700  Lists the current status of parameters, such as numbers and keywords, used on the Internet. It includes the assigned Internet protocol numbers for Internet protocols; for instance, protocol number 4 is assigned to IP itself (IP-in-IP encapsulation). It also includes well-known and registered port assignments. RFC 1700 has since been replaced by the online IANA registries (see RFC 3232), which are the authoritative source for current assignments. You will learn about assigned numbers throughout the book.

Requirements for Internet Hosts, RFC 1122 and RFC 1123  A pair of RFCs that define Internet host software requirements. They define the unique requirements of protocols within the Internet architecture and list the features and implementation details of the protocols, using the requirement levels must, must not, should, should not, and may.

Requirements for IP Version 4 Routers, RFC 1812  Defines the unique requirements of IPv4 Internet routers. It updates the historic RFC 1716, Router Requirements, to include current router technology.
OSI Reference Model
The Open Systems Interconnection reference model (OSI/RM) was defined by the International Organization for Standardization (ISO). Introduced in 1983, the OSI/RM has three practical functions:

It gives developers necessary, universal concepts so they can develop and perfect protocols.

It explains the framework used to connect heterogeneous systems. In other words, it allows clients and servers to communicate even if they are using different applications and operating systems. All they need is a common protocol suite, such as TCP/IP or IPX/SPX.

It describes the process of packet creation. You will learn more about packet creation shortly.

Network function can be described using the OSI model, and network protocols can be created to function as described by the model, just as a building is constructed from a blueprint. For instance, Novell NetWare, Microsoft Windows NT, Windows 2000, and Unix are network operating systems supporting various protocol suites that can be described using the OSI/RM. This common framework allows these network operating systems (NOSs) to interoperate, and may help an internetworking professional to architect a network or troubleshoot a problem. Also, when protocols such as IP and IPX are discussed, they are usually linked to their OSI layer. For example, both IP and IPX are found at the OSI/RM Network layer. The OSI/RM provides the concepts and nomenclature you need to be able to discuss packet creation and networking protocols. Table 1.1 lists the seven layers of the OSI/RM and describes each layer's function.

TABLE 1.1
Layers of the OSI/RM

Layer 7, Application: The interface to the end user in an OSI environment; supports file transfer, network management, and other services.

Layer 6, Presentation: Responsible for providing useful transformations on data to support a standardized application interface and general communication services. For example, it converts text from American Standard Code for Information Interchange (ASCII) to Extended Binary Coded Decimal Interchange Code (EBCDIC).

Layer 5, Session: Establishes, manages, and terminates connections (sessions) between cooperating applications. This layer adds traffic flow information as well.

Layer 4, Transport: Provides reliable, transparent transportation between end points (i.e., the source and destination hosts). It also supports end-to-end error recovery and flow control. Connection-oriented (stateful) transport protocols such as TCP reside at this layer, as do connectionless ones such as UDP.

Layer 3, Network: Responsible for forwarding and routing datagrams. Connectionless (stateless) protocols such as IP reside at this layer.

Layer 2, Data-Link: Provides reliable data transfer across the physical link. Frames are transmitted with the necessary synchronization, error control, and flow control. In short, it prepares the information so that it can be sent to the physical wire. In the IEEE 802 series of LAN standards (a group of popular network standards that you will learn about in this book), the Data-Link layer is divided into two sublayers, the Logical Link Control (LLC) sublayer and the Media Access Control (MAC) sublayer. The LLC is responsible for error and flow control, and the MAC sublayer is responsible for placing data on the wire.

Layer 1, Physical: Concerned with transmission of an unstructured bit stream over a physical link. Responsible for the mechanical, electrical, and procedural characteristics needed to establish, maintain, and deactivate the physical link.
How the Layers Communicate As shown in Figure 1.4, the OSI model describes interaction between the individual layers, as well as between hosts on a network.
FIGURE 1.4 OSI model layers (the seven layers, Application through Physical, shown in parallel for the client and the server)

A client/server example will be used to explain how the OSI/RM typically works. In the figure, the left column contains the seven OSI/RM layers that exist on the client. The right column contains the same seven layers that exist on the server. If the client sends a request to the server, the request might begin with a mouse click by the user on a web page hyperlink (Application layer). The request travels down the OSI/RM through the Data-Link layer, where it is framed, to the Physical layer, where it is placed onto a wire, cable, or whatever network medium is used. The client's request travels across the medium until it reaches the server. The server's Physical layer pulls the bits off the medium, its Data-Link layer reassembles the frame, and the request is passed up the server's OSI/RM. When the request arrives at the server's Application layer, the request is processed. The server then returns a response, for instance a new web page, to the client using the same method. In networking, information such as the client's request and the server's response is sent across the network in packets. Packets are discussed in the next section.
Packets
A packet is a discrete, self-contained unit of information sent across a network; its size varies with the protocol and the medium. Whenever you send information across any network, you begin the packet creation process. A packet consists of three elements: a header, the actual data, and a trailer.

Many networking professionals use the terms "packet," "datagram," and "frame" interchangeably. "Packet" is the generic term for any piece of information passed through a network. Strictly, a datagram is a packet at the Network layer of the OSI/RM, and a frame is a packet at the Data-Link layer (an Ethernet frame, for example). Although they have distinct meanings, these terms are used synonymously, even by networking professionals, so you may need to infer the intended meaning from context, or verify another professional's usage by asking which OSI layer is meant.
As shown in Figure 1.5, the header contains several different pieces of information, such as addressing information or an alert signal to the receiving computer.

FIGURE 1.5 Packet structure: Header | Data | Trailer

The figure also shows that the packet contains the original data, such as a portion of an e-mail message. The trailer usually contains information that validates the packet; for example, it could contain cyclic redundancy check (CRC) information.
Cyclic Redundancy Check
A CRC is a mathematical calculation that allows the receiving computer to verify that the packet is intact. When a sending host transmits a packet, it calculates a CRC over the packet contents and adds the result to the trailer. When the receiving host reads the packet, it runs the same calculation, then compares its result with the CRC stored in the trailer. If the two match, the packet is not damaged, and the receiving host processes it. If the CRCs do not match, the receiving host discards the entire packet. Note that a CRC detects accidental corruption (line noise, a faulty interface) but is not a security control: anyone who can alter a packet in transit can simply recompute the CRC, so detecting deliberate tampering requires a cryptographic integrity check such as a keyed message authentication code.
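The trailer check described above, as an added example written for this edition (it is not code from the book): the sender appends a CRC-32 trailer, the receiver recomputes and compares, a single flipped bit is caught, and a forged payload with a recomputed CRC passes. It uses Python's zlib.crc32 (the same CRC-32 polynomial Ethernet uses for its frame check sequence); the payload is a constructed sample.

```python
"""CRC-32 trailer: detects corruption, not tampering (added example)."""
import struct
import zlib


def add_trailer(data: bytes) -> bytes:
    """Sender side: append the CRC-32 of the data as a 4-byte trailer."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return data + struct.pack("!I", crc)


def check_trailer(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the data and compare with the trailer."""
    if len(frame) < 4:
        return False
    data, trailer = frame[:-4], frame[-4:]
    (stored,) = struct.unpack("!I", trailer)
    return (zlib.crc32(data) & 0xFFFFFFFF) == stored


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate line noise: invert one bit somewhere in the frame."""
    b = bytearray(frame)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def forge(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path attacker: edit the data, then recompute the CRC."""
    data = frame[:-4].replace(old, new)
    return add_trailer(data)


def demo() -> dict:
    # Constructed sample payload; any bytes would do.
    original = add_trailer(b"transfer 100 to alice")
    corrupted = flip_bit(original, 13)          # noise in byte 1 of the data
    forged = forge(original, b"100", b"900")    # attacker rewrites the amount
    return {
        "original_ok": check_trailer(original),
        "corrupted_ok": check_trailer(corrupted),   # False: CRC catches the flip
        "forged_ok": check_trailer(forged),         # True: CRC cannot catch this
        "forged_data": forged[:-4],
    }


if __name__ == "__main__":
    print(demo())
```

A CRC-32 is guaranteed to detect any single-bit error and any burst shorter than 33 bits, which is exactly what a link needs; the forged frame passing the check is the reason integrity against an adversary needs a keyed MAC rather than a checksum.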
Packet Creation: Adding Headers
The packet creation process begins with Layer 7 of the OSI/RM (the Application layer) and continues through Layer 1 (the Physical layer). For example, when you send an e-mail message or transfer a file from one computer to another, this message or file undergoes a transformation from a discrete (i.e., complete) file into smaller pieces of information called packets. Beginning with the Application layer of the OSI/RM, the data is divided until the initial, discrete message becomes a number of smaller, more manageable pieces of information that are sent as bits at the Physical layer. As shown in Figure 1.6, each layer adds its own information, called a header, to the packet. This information enables each layer to communicate with its peer layer on the other host, and also allows the receiving computer to process the message.

FIGURE 1.6 Headers added at each level of the OSI/RM: the Application layer adds an Application header (AH) to the application data; the Presentation layer adds a Presentation header (PH); the Session layer adds a Session header (SH); the Transport layer adds a Transport header (TH); the Network layer adds a Network header (NH); the Data Link layer adds a Data Link header (DLH); and the Physical layer transmits the result as bits (1s and 0s).
Packet Creation: Removing Headers You have already seen how a sending host creates a packet. When a receiving host processes a packet, it reverses the packet creation process and removes each header, beginning with Layer 1 (the Physical layer) and ending with Layer 7. All that is left at the end of this process is the original, unaltered data, which the host can then use. This procedure of network communication by packet creation, transmission, and processing is similar regardless of network topology or protocol. Many networking protocol suites exist that follow this process of network packet creation, and models for both general and specific network technologies exist. However, the OSI reference model is just that, a reference model that may be applied to any other specific model or protocol.
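The adding and stripping of headers described in the two sections above, as an added example written for this edition (not code from the book, and not the code of any real TCP/IP stack): application data is wrapped in a UDP header (Transport), then an IPv4 header (Network/Internet), then an Ethernet II header (Data-Link), and the receiver peels them off in reverse, verifying the IPv4 header checksum on the way. The MAC addresses, IP addresses and ports are constructed sample values, and the UDP checksum is left at zero, which IPv4 permits.

```python
"""Layer-by-layer encapsulation and decapsulation (added example)."""
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


# Sending side: each layer prepends its own header (TH, NH, DLH in Figure 1.6).

def add_udp_header(data: bytes, src_port: int, dst_port: int) -> bytes:
    """8-byte UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def add_ipv4_header(segment: bytes, src_ip: str, dst_ip: str,
                    proto: int = 17, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(segment), 0x1234, 0x4000, ttl, proto, 0,
                      ipv4_to_bytes(src_ip), ipv4_to_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + segment


def add_ethernet_header(packet: bytes, src_mac: str, dst_mac: str,
                        ethertype: int = 0x0800) -> bytes:
    """14-byte Ethernet II header: destination MAC, source MAC, EtherType (0x0800 = IPv4)."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + packet


# Receiving side: strip the headers in the opposite order.

def strip_ethernet_header(frame: bytes):
    (ethertype,) = struct.unpack("!H", frame[12:14])
    fields = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
              "ethertype": ethertype}
    return fields, frame[14:]


def strip_ipv4_header(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4             # header length in bytes
    hdr = packet[:ihl]
    if ip_checksum(hdr) != 0:                # a header with a valid checksum sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    (total_len,) = struct.unpack("!H", hdr[2:4])
    fields = {"ttl": hdr[8], "proto": hdr[9],
              "src_ip": bytes_to_ipv4(hdr[12:16]), "dst_ip": bytes_to_ipv4(hdr[16:20])}
    return fields, packet[ihl:total_len]     # drop any link-layer padding


def strip_udp_header(segment: bytes):
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port}, segment[8:length]


def roundtrip(data: bytes):
    """Encapsulate data into a frame, then decapsulate it again."""
    frame = add_ethernet_header(
        add_ipv4_header(add_udp_header(data, 40000, 53), "192.0.2.10", "192.0.2.1"),
        "02:00:00:00:00:0a", "02:00:00:00:00:01")
    eth, packet = strip_ethernet_header(frame)
    ip, segment = strip_ipv4_header(packet)
    udp, payload = strip_udp_header(segment)
    return frame, eth, ip, udp, payload


if __name__ == "__main__":
    frame, eth, ip, udp, payload = roundtrip(b"sample application data")
    print(len(frame), "byte frame:", eth, ip, udp, payload)
```

The receiver trusts the length fields in the headers it parses, which is why real stacks bounds-check every one of them: a total-length or UDP-length value larger than the bytes actually received is the classic shape of a parser bug.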
TCP/IP
On January 1, 1983, the major networks that made up the Internet adopted the Transmission Control Protocol/Internet Protocol (TCP/IP) suite as the Internet's official protocol. One reason for the Internet's explosive growth and powerful communication ability is its adoption of this suite, whose most widely copied implementation was developed at the University of California, Berkeley, as part of BSD Unix. TCP/IP is the default protocol for the following network operating systems:

Windows NT 4.0 and Windows 2000
Unix
NetWare 5 and newer

Currently, the Internet fully supports TCP/IP version 4. However, TCP/IP version 6 (known as IPv6) is being tested and is expected to gain full support in the coming decade. You will learn more about TCP/IP in future chapters, but some of its basic principles are discussed in the following section.
A Collection of Protocols
TCP/IP is a suite of protocols that includes Transmission Control Protocol (TCP), Internet Protocol (IP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and many others that will be discussed later in this book. Each of these protocols has a specific function.

TCP  TCP ensures reliable communication and uses ports to deliver data to the right application. It also breaks messages into segments and reassembles them, using sequence numbers to ensure that the segments are reassembled in the correct order.

IP  IP is a connectionless protocol responsible for addressing each computer and for routing. IP version 4 uses 32-bit addresses. The address scheme falls into five classes, only three of which are available for standard network addressing. The original plan was to assign Class A addresses to large networks, Class B to medium-sized networks, and Class C to smaller networks. Class D addresses are used for multicasting, and Class E addresses are experimental. You will learn more about these classes later in this book. A 32-bit IP address is divided into two portions: the network portion and the host portion. The subnet mask determines which bits form the network portion and which form the host portion.
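The class and network/host split just described, as an added example written for this edition (not code from the book): it classifies an address by its leading bits, applies the classful default mask or an explicit subnet mask, separates the network and host portions, and decides whether two hosts share a subnet. It goes slightly beyond the text by rejecting non-contiguous masks, a common configuration error. All addresses and masks below are constructed sample values.

```python
"""Classful IPv4 analysis and subnet-mask arithmetic (added example)."""


def to_int(dotted: str) -> int:
    """Parse dotted-decimal notation into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % dotted)
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % o)
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful designation from the high-order bits of the first octet."""
    first = to_int(addr) >> 24
    if first < 128:
        return "A"          # 0xxxxxxx
    if first < 192:
        return "B"          # 10xxxxxx
    if first < 224:
        return "C"          # 110xxxxx
    if first < 240:
        return "D"          # 1110xxxx, multicast
    return "E"              # 1111xxxx, experimental


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def validate_mask(mask: str) -> int:
    """A subnet mask must be a run of ones followed by a run of zeros."""
    m = to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # non-zero means the ones are not contiguous
        raise ValueError("non-contiguous mask: %s" % mask)
    return m


def split_address(addr: str, mask: str = None) -> dict:
    """Separate an address into its network and host portions using the mask."""
    cls = address_class(addr)
    if mask is None:
        if cls not in DEFAULT_MASK:
            raise ValueError("class %s addresses are not used for hosts" % cls)
        mask = DEFAULT_MASK[cls]
    a, m = to_int(addr), validate_mask(mask)
    prefix_len = bin(m).count("1")
    network = a & m
    return {
        "class": cls,
        "mask": to_dotted(m),
        "prefix_len": prefix_len,
        "network": to_dotted(network),
        "host_part": a & ~m & 0xFFFFFFFF,
        "broadcast": to_dotted(network | (~m & 0xFFFFFFFF)),
        "usable_hosts": max((1 << (32 - prefix_len)) - 2, 0),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when both addresses share the network portion under the mask;
    this is the test a host uses to decide between local delivery and its gateway."""
    m = validate_mask(mask)
    return (to_int(a) & m) == (to_int(b) & m)


if __name__ == "__main__":
    print(split_address("172.16.5.9", "255.255.252.0"))
    print(split_address("10.1.2.3"))          # classful default mask for Class A
    print(same_subnet("172.16.5.9", "172.16.8.1", "255.255.252.0"))
```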
An Open Standard TCP/IP is not tied to any one vendor, and therefore allows heterogeneous networks to communicate efficiently. It uses the Internet architecture model that divides its protocols into four layers. Each layer is responsible for specific communication tasks and coincides with layers in the OSI/RM. Note that several Internet architecture models exist, each slightly different from the others. A four-layer version was selected for this book.
Throughout this book we will often refer to the OSI reference model. Both the OSI/RM and the Internet model are often referenced by internetworking professionals. The CIW Internetworking Professional exam references the Internet model.
Internet Architecture and Protocols
Similar to other networking models, the Internet architecture model divides protocols into layers. Each layer is responsible for specific communication tasks. The Internet architecture model consists of four layers, each coinciding with layers in the Open Systems Interconnection (OSI) reference model. Figure 1.7 illustrates the Internet architecture model, and Table 1.2 describes the OSI reference model and the Internet architecture equivalents.

FIGURE 1.7 Internet architecture model: Application Layer, Transport Layer, Internet Layer, Network Access Layer (top to bottom)

TABLE 1.2 OSI Reference Model Layers and Internet Architecture Equivalents

OSI Reference Model Layer -> Internet Architecture Equivalent
Application, Presentation, Session -> Application
Transport -> Transport
Network -> Internet
Data-Link, Physical -> Network Access
Each layer of the Internet architecture involves protocols, and each protocol has an associated RFC. This section describes common protocols used on the Internet by layer. These protocols will be discussed in detail throughout the book. Each protocol is listed with its respective RFC(s). Figure 1.8 illustrates their relationships within the Internet architecture.
FIGURE 1.8 Internet protocols and Internet architecture

Network Access Layer
The Network Access layer corresponds to the Physical and Data-Link layers of the OSI reference model. The Network Access layer accepts higher-layer packets and transmits them over the attached network, handling all the hardware details of interfacing with the network media. This layer usually consists of:

The operating system's device driver
The corresponding interface card
The physical connections

For Ethernet-based local area networks, the data sent over the media is referred to as Ethernet frames, which range in size from 64 to 1,518 bytes (1,514 bytes without the cyclic redundancy check). The Network Access layer components can vary considerably, depending on the technologies that are responsible for placing data on the network media and pulling data off. Examples include:

Local area networks (LANs): Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI)
Wide area networks (WANs): Frame Relay, serial lines, and asynchronous transfer mode (ATM)
Internet Layer
The Internet layer corresponds to the Network layer of the OSI model. It is responsible for addressing and routing packets on TCP/IP networks. A segment received from the Transport layer is encapsulated in an IP packet. Based on the destination host information, the Internet layer uses a routing algorithm to determine whether to deliver the packet locally or send it to a default gateway. The Internet layer uses the following protocols to address and route packets on TCP/IP networks:

Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Internet Group Management Protocol (IGMP)
Address Resolution Protocol (ARP)
Reverse Address Resolution Protocol (RARP)
Internet Protocol (IP)—RFC 791, STD 5 The Internet Protocol (IP) is the basic data-transfer method used throughout the Internet. It is responsible for IP addressing and performs the routing function, which selects a path to send data to the destination IP address. Data is sent in the form of packets, also called datagrams. A packet is selfcontained, independent of other packets; it does not require an acknowledgment and carries information sufficient for routing from the originating host to the destination host. IP defines how routers are to process packets, when error messages are to be generated, and under what conditions packets are to be discarded.
Internet Control Message Protocol (ICMP)—RFC 792, STD 5
The Internet Control Message Protocol (ICMP) is the troubleshooting protocol of TCP/IP. ICMP is defined in RFC 792; related documents include RFCs 844, 1256, and 1788. It allows Internet hosts and gateways to report errors through ICMP messages. If a problem occurs on a TCP/IP network, an ICMP message will probably be generated. ICMP messages carry no authentication, so a host that changes its behavior on receipt of one (for example, a Redirect that alters its routing table) is trusting whoever sent it.
Internet Group Management Protocol (IGMP)— RFC 1112, STD 5 The Internet Group Management Protocol (IGMP) is used for multicasting. In multicasting, one source sends a message to a group of subscribers (multicast groups). For multicast delivery to be successful, members must identify themselves and the groups that interest them to local multicast-enabled routers. IGMP allows users to join and maintain membership in multicast groups.
Address Resolution Protocol (ARP)—RFC 826, STD 37
The Address Resolution Protocol (ARP) translates Internet addresses to physical addresses, such as Ethernet's 48-bit physical addresses, also called Media Access Control (MAC) addresses. For example, assume two hosts are on a network, node1 and node2. Node1 knows the IP address of node2. However, if node1 wants to send a packet to node2, it must know the physical, or hardware, address of node2. To resolve the IP address to the hardware address, ARP sends a local broadcast asking who holds that IP address, and the owner replies with its hardware address. Once the address resolution is complete, ARP stores the mapping in an ARP cache for future requests. How long an entry remains in the ARP cache depends on the operating system. ARP has no authentication: a host accepts whatever hardware address arrives in a reply, so a node on the same segment can answer for an address it does not own and redirect traffic to itself (ARP cache poisoning). Static ARP entries or switch-level inspection of ARP traffic are the usual countermeasures.
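The node1/node2 exchange above, as an added example written for this edition (not code from the book): it encodes and decodes ARP packets in the RFC 826 layout for Ethernet/IPv4, runs the broadcast request and unicast reply through a small ARP cache, and then shows a forged reply overwriting the cache entry. All MAC and IP addresses are constructed sample values, and the "strict" option that ignores replies nobody asked for is a simplified illustration of one defence, not the behaviour of any particular operating system.

```python
"""ARP request/reply with an ARP cache, and cache poisoning (added example)."""
import struct

HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN = 1, 0x0800, 6, 4
OP_REQUEST, OP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"     # 28 bytes for Ethernet/IPv4


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return b.hex(":")


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode an ARP packet: hardware/protocol types and lengths, opcode,
    then the sender and target hardware/protocol addresses."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class Host:
    """A node with an ARP cache. 'strict' makes it ignore replies it never asked for."""

    def __init__(self, mac: str, ip: str, strict: bool = False):
        self.mac, self.ip, self.strict = mac, ip, strict
        self.cache = {}        # ip -> mac
        self.pending = set()   # ips we have broadcast a request for

    def resolve(self, ip: str):
        """Return (mac, None) on a cache hit, or (None, request) to broadcast."""
        if ip in self.cache:
            return self.cache[ip], None
        self.pending.add(ip)
        return None, build_arp(OP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def receive(self, pkt: bytes):
        """Process one ARP packet; return a reply packet if one is owed."""
        arp = parse_arp(pkt)
        if arp["op"] == OP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp(OP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        if arp["op"] == OP_REPLY and arp["target_ip"] == self.ip:
            if self.strict and arp["sender_ip"] not in self.pending:
                return None                         # unsolicited reply: learn nothing
            self.cache[arp["sender_ip"]] = arp["sender_mac"]   # no authentication here
            self.pending.discard(arp["sender_ip"])
        return None


def scenario(strict: bool):
    """node1 resolves node2, then an attacker sends a forged reply for node2's IP.
    Returns (mac learned from node2, mac in node1's cache after the forgery)."""
    node1 = Host("02:00:00:00:00:01", "192.0.2.1", strict)
    node2 = Host("02:00:00:00:00:02", "192.0.2.2")
    _, request = node1.resolve("192.0.2.2")     # cache miss: broadcast a request
    reply = node2.receive(request)              # only the owner of 192.0.2.2 answers
    node1.receive(reply)
    learned = node1.cache["192.0.2.2"]
    forged = build_arp(OP_REPLY, "02:00:00:00:00:66", "192.0.2.2", node1.mac, node1.ip)
    node1.receive(forged)                       # attacker claims node2's IP address
    return learned, node1.cache["192.0.2.2"]


if __name__ == "__main__":
    print("permissive:", scenario(False))
    print("strict:    ", scenario(True))
```

Ignoring unsolicited replies closes only the simplest poisoning route: an attacker who can see the broadcast request can still race the legitimate reply, which is why static entries and inspection at the switch are the countermeasures that hold up.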
Reverse Address Resolution Protocol (RARP)— RFC 903, STD 38 The Reverse Address Resolution Protocol (RARP) performs (as its name implies) the reverse function of ARP. It uses a node’s hardware address to request an IP address. RARP is generally used during initialization for diskless workstations to obtain an IP address. For example, when a diskless workstation initializes, RARP reads the node’s unique hardware address and broadcasts a RARP request over the network, asking for an IP address. A RARP server responds to the request and provides an IP address.
Transport Layer
The Transport layer of the Internet architecture corresponds to the Transport and Session layers of the OSI model. The Transport layer accepts Application layer data and provides the flow of information between two hosts. The following two protocols are found at the Transport layer:

Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)

The Transport layer also divides the data received from the Application layer into smaller pieces (TCP segments or UDP datagrams) before passing them to the Internet layer.
The Transport layer is also known as the Host-to-Host layer, the End-to-End layer, or the Source-to-Destination layer.
The Transport layer of the Internet architecture uses the following protocols to provide a flow of information between hosts.
Transmission Control Protocol (TCP)—RFC 793, STD 7
The Transmission Control Protocol (TCP) provides session management between the source and destination systems. It ensures that data is delivered in sequence and that duplicate data is discarded. TCP is used with applications that communicate by establishing a session before transferring data, such as FTP and Telnet.
User Datagram Protocol (UDP)—RFC 768, STD 6 The User Datagram Protocol (UDP) provides a simple packet form of communication. One UDP packet is created for each output operation by an application, and a session is not necessary. Unlike TCP, UDP does not provide congestion control or packet sequencing, or send acknowledgments. It also does not retransmit lost packets or guarantee reliability. UDP is a connectionless protocol that is used by the Trivial File Transfer Protocol (TFTP) and the Simple Network Management Protocol (SNMP).
Application Layer The Application layer of the Internet architecture corresponds to the Presentation and Application layers of the OSI model. The Application layer interacts with the Transport layer protocols to send or receive data.
Users can invoke application programs such as remote terminal protocol (Telnet), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) or Simple Network Management Protocol (SNMP) for access to nodes on the Internet.
The Application layer is also referred to as the Process layer.
The Application layer of the Internet architecture uses the following protocols to process and transmit data.
Hypertext Transfer Protocol (HTTP)—RFCs 1945 and 2616
The Hypertext Transfer Protocol (HTTP) is used to transport HTML documents (web pages) across the Internet. HTTP requires a client program on one end (a browser) and a web server on the other, both running TCP/IP. HTTP establishes a web server session and transmits HTML pages to a client browser. HTTP 1.0 establishes a new TCP connection for each object requested, which creates unnecessary Internet traffic. HTTP 1.1 uses persistent connections, which allow multiple downloads over one connection. Both the client and server must support HTTP 1.1 to benefit.

File Transfer Protocol (FTP)—RFC 959, STD 9
The File Transfer Protocol (FTP) is a system for transferring files between computers on a TCP/IP network. FTP offers an efficient and quick way to transfer files because it does not require the encoding and decoding of data that is necessary with other methods, such as sending files as e-mail attachments. FTP allows files to be uploaded to a server; HTTP usually allows only client downloads from the server. Note that FTP sends user names, passwords, and file contents in clear text.

Trivial File Transfer Protocol (TFTP)—RFC 1350, STD 33
The Trivial File Transfer Protocol (TFTP) is used for initializing diskless systems. It works with the Bootstrap Protocol (BootP). TFTP uses UDP, whereas FTP uses TCP. Because TFTP is simple and small, it can be embedded in ROM, which is ideal for diskless workstations seeking network configurations upon initialization. TFTP has no authentication, so a TFTP server should offer only the files that boot clients need.

Telnet (Remote Terminal Protocol)—RFCs 854 and 855, STD 8
Telnet is a terminal emulation protocol developed for ARPANET. It allows a user to log on and run programs from a remote system. Telnet is normally used by a client terminal, or terminal emulator software on a PC. Like FTP, Telnet transmits the login credentials and the entire session in clear text.
Network News Transfer Protocol (NNTP)—RFC 977
The Network News Transfer Protocol (NNTP) allows sites on the Internet to exchange Usenet news articles, which are organized into topics such as "programming in C++" or "international trade issues." To use newsgroups, you must have access to an NNTP server with which you are authorized to read and post news.

Gopher—RFC 1436
Gopher is a menu-based program used to find resources on the Internet. It is very similar in concept and practice to today's Web: users follow links from site to site in search of information. It was one of the first tools developed to pull the Internet together so users could access the entire Internet rather than just one site. Gopher servers have been largely replaced by web servers.

Simple Mail Transfer Protocol (SMTP)—RFC 821, STD 10
The Simple Mail Transfer Protocol (SMTP) is the Internet standard protocol for transferring e-mail messages from one computer to another. It specifies how two mail systems interact. SMTP is often paired with Post Office Protocol 3 (POP3), a separate protocol that clients use to retrieve mail: SMTP delivers a message to the recipient's mail server, which stores it until the user authenticates with POP3 and downloads it. POP3 is defined in RFC 1939 and STD 53.

Simple Network Management Protocol (SNMP)—RFC 1157, STD 15
The Simple Network Management Protocol (SNMP) is used for managing TCP/IP networks. It is a standardized management scheme that vendors can support. Thus all SNMP-compliant network devices can be centrally managed by an SNMP manager. SNMP also offers low resource requirements, portability, and wide acceptance. SNMP version 1 (RFC 1157) authenticates requests with a community string sent in clear text, so a read-write community string captured on the network allows an attacker to reconfigure the device.

Domain Name System (DNS)—RFCs 1034 and 1035, STD 13
The Domain Name System (DNS) is a mechanism used on the Internet to translate host computer names into Internet (IP) addresses. It is one of the most universal methods of centralized name resolution. For example, when a user requests the fully qualified domain name (FQDN) www.companyname.com, DNS servers translate the name to the IP address 201.198.24.108.

Bootstrap Protocol (BootP)—RFCs 951 and 2132
The Bootstrap Protocol (BootP) is an alternative to RARP. BootP allows diskless workstations to determine not only their IP addresses but also additional parameters, such as default gateways and the addresses of particular servers, such as a DNS server. RARP provides only an IP address.

Dynamic Host Configuration Protocol (DHCP)—RFC 2131
The Dynamic Host Configuration Protocol (DHCP) is based on BootP. Like BootP, it is designed to assign Internet addresses and additional parameters, such as default gateways and DNS servers, to nodes on a TCP/IP network. Unlike BootP's, DHCP's addresses and parameters can change with time (hence the term "dynamic"). DHCP servers can temporarily lease addresses and parameters to a client for a fixed period of time, then reassign the information to another client when the lease expires. Because clients locate a DHCP or BootP server by broadcast and accept the first valid answer, a rogue server on the segment can hand out a default gateway or DNS server address of the attacker's choosing.
OSI/RM Protocol Examples
T he networking protocols listed in this section are examples of common protocols that operate within the OSI/RM layers. It is important to recognize that each of these protocols exists in the Internet architecture model. They are provided here in the context of the OSI reference model for the additional detail provided by that model.
Application Layer Protocols
Application layer protocols, often called upper-layer protocols, allow applications to speak to one another across a network. More common Application layer protocols include:

Simple Mail Transfer Protocol (SMTP)  Used to send e-mail messages from host to host.

Bootstrap Protocol (BootP)  Responsible for sending TCP/IP address configuration information to hosts.

File Transfer Protocol (FTP)  Used to transfer files between two hosts.

Hypertext Transfer Protocol (HTTP)  TCP/IP suite protocol used to interconnect World Wide Web servers with browsers requesting web pages.

AppleTalk Filing Protocol (AFP)  Used exclusively in AppleTalk networks; allows such networks to exchange files.

Simple Network Management Protocol (SNMP)  TCP/IP suite protocol for troubleshooting and managing networks, regardless of architecture.

Server Message Block (SMB) Protocol  Used in Microsoft networks; allows clients to work closely with servers. Specifically, it allows clients and servers to access files and request other services.

X.500 Protocol  Manages online directories of users and resources; an OSI directory protocol. The Lightweight Directory Access Protocol (LDAP) is used to access X.500 directories.

NetWare Core Protocol (NCP)  Allows files and printers to be shared on a Novell NetWare network.

Network File System (NFS) Protocol  Allows file systems to be shared across a network; most common on Unix.
Transport Layer Protocols
The Transport layer provides reliable data delivery. Protocols used at this layer include:

Transmission Control Protocol (TCP)  Part of the TCP/IP suite; helps provide reliable delivery and manages sessions.

Sequenced Packet Exchange (SPX) Protocol  Part of the IPX/SPX protocol suite; similar to TCP in that it manages communication sessions.

NWLink Protocol  The Microsoft implementation of the IPX/SPX protocol.

AppleTalk Transaction Protocol (ATP)  Part of the AppleTalk networking suite; provides reliable transmissions between hosts.

NetBEUI Protocol  Allows different applications on different computers using NetBIOS to communicate with one another; a nonroutable protocol.

Network Layer Protocols
Network layer protocols provide routing information to routers and addresses to hosts. Network protocols include:

Internet Protocol (IP)  Part of the TCP/IP suite; responsible for addressing hosts and routing packets in any network running TCP/IP, including the Internet.

Internetwork Packet Exchange (IPX)  Provides addressing services for the Novell IPX/SPX suite.

NWLink Protocol  The Microsoft implementation of IPX/SPX.

Datagram Delivery Protocol (DDP)  Part of the AppleTalk networking suite; a best-effort packet (also called datagram) delivery protocol.

NetBEUI  Allows different applications on different computers using NetBIOS to communicate with one another; a nonroutable protocol.

Data-Link Layer Protocols
Data-Link layer protocols provide reliable data transfer across the physical link. Data-Link layer protocols include:

Ethernet  This LAN protocol was created by Xerox, Digital Equipment Corporation, and Intel. It is the most popular LAN technology.

Frame Relay  This WAN protocol uses variable-length packets and allows high-speed connections using shared network facilities.

X.25  This WAN protocol is a precursor to Frame Relay technology. It was developed in the early 1970s and was the first packet-switching network standard.

You will learn more about many of these protocols throughout this book.
Major Networking Protocols Suites
Several networking protocols and architectures exist, all based on the OSI/RM. You were introduced to TCP/IP and IPX/SPX briefly in a previous section; however, many additional protocols are used for networking. This section will explain several important networking protocol properties. Following are some important networking protocols:
TCP/IP
IPX/SPX
NetBEUI
AppleTalk
Data-Link Control (DLC)
Systems Network Architecture (SNA)
Protocol Characteristics
Understanding TCP/IP is central to internetworking, and is dealt with throughout this book. This section will deal with the other identified major networking protocols. There are some characteristics that can be used to classify and differentiate the behavior and use of protocols.
Connection-Oriented (Stateful) and Connectionless (Stateless) Protocols
Some network protocols require that a host establish a connection, or session, before it transfers information. Because of this requirement, session-oriented (i.e., connection-oriented) protocols are often called stateful protocols. A state is the name given to a session. Connection-oriented protocols are more reliable because they first gain a system’s attention, prepare it to receive information, then send the information. However, connection-oriented protocols require more system overhead, and are not always appropriate for certain networking tasks. An example of a connection-oriented protocol is TCP.
Other network protocols do not require a previously established session; they rely on a “best-effort” technology that sends the information, hoping that it will reach the other system. This protocol type is called connectionless, or stateless. An example of a stateless protocol is IP, which provides addresses for the TCP/IP suite. Many connectionless protocols send information by means of short messages called datagrams.
Receiving a phone call, for example, is a connection-oriented activity, mainly because it requires you to establish a continuous session before you can communicate. You can also immediately acknowledge that you received the information a caller has sent you, and this acknowledgment is part of that session. Sending a message via the U.S. Postal Service, however, is a connectionless activity because you do not initiate a continuous connection to transmit the message. You simply send the message and hope that it arrives. Rather than being able to send an immediate acknowledgment that the package was received, the recipient would have to send another message indicating that your message arrived. Although it might be tempting to regard a connection-oriented protocol as more important or reliable, this is not necessarily the case. Each protocol type has its own use in a network.
Routable and Nonroutable Protocols
Some protocols can travel through LANs and WANs and beyond because they can pass through a router. Routable protocols include TCP/IP and IPX/SPX. Nonroutable protocols use predefined, or static, routes that cannot be changed. Some protocols are nonroutable because they do not use the functions of the OSI/RM Network layer. Nonroutable protocols include NetBEUI, NetBIOS, Systems Network Architecture (SNA), Local Area Transport (LAT), and the Data-Link Control (DLC) protocols. You will learn more about routing later in the book. To effectively use a nonroutable protocol, you can add a bridge (discussed later in the book) to your network or encapsulate the nonroutable protocol within a routable protocol, such as TCP/IP. Encapsulation is also called tunneling.
IPX/SPX
Novell, Inc. developed this once-dominant LAN and WAN protocol. Like TCP/IP, IPX/SPX is a protocol suite rather than a single protocol. Microsoft also supports IPX/SPX, although the corporation has renamed it NWLink (NetWare Link).
IPX
Internetwork Packet Exchange (IPX) is a connectionless protocol that resides at the Network layer of the OSI/RM. It is responsible for network addressing and forwarding packets to their destination, an action called routing.
SPX
Sequenced Packet Exchange (SPX) is a connection-oriented Transport layer protocol that uses services provided by IPX. SPX provides reliability to IPX: It ensures that packets arrive intact at their destination. Because this protocol resides at the Transport layer, it ensures reliable data delivery and manages sessions.
IPX/SPX Advantages and Disadvantages
IPX/SPX is not a vendor-neutral protocol. It was developed by Novell and is used mostly with Novell NetWare networks. TCP/IP has eclipsed IPX/SPX
as the standard enterprise protocol due to its open nature. However, IPX/SPX is still common and it has always performed better than TCP/IP. Although IPX/SPX is not supported on the Internet, thousands of IPX/SPX WANs use private networks or virtual private networks (VPNs) to communicate over long distances (you will learn about WANs, private networks, and VPNs later in this book). Novell has adopted TCP/IP as its default protocol in Novell NetWare 5, although the company still supports IPX/SPX.
IPX/SPX Frame Type
IPX/SPX can use different frame types. Administrators can choose between the IEEE 802.2 or IEEE 802.3 frame types (you will learn about IEEE standards later in this book). Novell NetWare 3.12 and later default to the IEEE 802.2 frame type. Previous versions defaulted to IEEE 802.3. If you are using IPX/SPX and cannot make a connection, check to see whether your system’s frame type is compatible with those used by the rest of the network.
Novell NetWare Layers
Novell NetWare protocols can be classified using the Internet architecture model. Each layer includes the following protocols:
Network Access layer protocols: Ethernet, token ring, and ARCNET
Internet layer protocol: IPX
Transport layer protocols: SPX and Packet Exchange Protocol (PEP)
Application layer protocols: Error, Echo, Service Advertisement Protocol (SAP) and others
Figure 1.9 lists several Novell NetWare protocols.
FIGURE 1.9 Novell NetWare protocols
[Figure: protocol stack showing NCP, RIP, ERROR, ECHO, PEP, SPX and SAP above IPX, with Logical Link Control over Ethernet and ARCNET at the bottom]
NetBEUI
NetBEUI (pronounced “Net-boo-ee”) is an acronym for Network Basic Input/Output System (NetBIOS) Enhanced User Interface. It was first developed by IBM, but Microsoft has since implemented it as a solution for its peer-to-peer networks. NetBEUI is a nonroutable protocol, which limits its usefulness to small non-routed networks.
NetBIOS
NetBIOS stands for Network Basic Input/Output System. It was originally designed as a standard to let computers communicate with a local area network. NetBEUI extended this standard, hence the name NetBIOS Enhanced, or Extended, User Interface. Because NetBEUI is declining in popularity, NetBIOS is mainly used as a programming interface for applications. It resides at the Session layer (Layer 5) of the OSI/RM. NetBIOS can operate over NetBEUI, as well as over routable protocols such as TCP/IP and IPX/SPX. Microsoft Windows computers up to and including NT use NetBIOS names to identify one another and communicate on a network. Windows 2000 includes support for NetBIOS but does not require it.
AppleTalk
AppleTalk is used only in Apple networks, and is thus proprietary. AppleTalk Phase II allows this protocol to work with others. Rather than using the term “domain” or “network,” AppleTalk divides groups of computers into zones.
Data-Link Control (DLC)
IBM originally developed DLC to enable client machines to work with mainframes. However, Hewlett-Packard for a period of time had adopted DLC as a means to connect its laser printers to LANs.
Systems Network Architecture (SNA)
IBM introduced SNA in 1974 as a mainframe network architecture. Because it is an architecture, it includes a network topology and a series of protocols. The SNA model is quite similar to the OSI/RM. In fact, SNA inspired the creation of the OSI/RM.
The SNA market is valued at about $20 billion per year. Even though it is an older architecture, it is still widely used within mainframe networks, in some AS/400 implementations, and on many Unix platforms that connect to these networks.
Multiprotocol Networks
Networks commonly use two routable protocols, such as TCP/IP and IPX/SPX, although this combination could cause problems with system overhead in large, heavily visited sites. Such a combination provides system redundancy and can speed connectivity. Sometimes routable and nonroutable protocols should be combined, even in a routed network. A nonroutable protocol such as NetBEUI could be quite useful in a LAN and WAN situation because it can deliver traffic to local computers without the overhead associated with TCP/IP. If a user sends a message to an employee in the same LAN, NetBEUI will handle all of this transaction. However, if someone sends a message to a recipient on another LAN (activity that involves a router), the system will automatically use a routable protocol such as TCP/IP.
You should also consider, however, that using multiple protocols can increase the time it takes to maintain and troubleshoot a network. In addition, the more protocols you use, the more system overhead you create.
De-multiplexing
De-multiplexing is the process a destination computer uses to strip each layer of headers from the incoming packet, resulting in the payload. It is an excellent way to show how the Internet protocols work within the Internet architecture. Figure 1.10 displays the de-multiplexing process. You can refer to this diagram throughout the book.
FIGURE 1.10 De-multiplexing of protocols
[Figure: protocol labels shown, from the Application layer down: Telnet, FTP, TFTP, SNMP; TCP, UDP; IGMP, ICMP; IP, ARP, RARP; Ethernet]
As a packet is received by a network operating system, each layer’s header is removed, and the packet is passed to the appropriate protocol at the next layer. Thus, although many Ethernet datagrams may be received, some will be RARP or ARP, while others will be IP. While each of these would have a similar header at the Physical layer, the uncovered layers further define which protocols and applications receive each type of communication.
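The de-multiplexing walk described above, written out as code. This is an added example and not code from the book; it follows the branches of Figure 1.10, uses the standard EtherType, IP protocol and port numbers for the protocols the figure names, and parses frames that are constructed inline (placeholder MAC and IP addresses, no checksum).

```python
"""Layer-by-layer de-multiplexing of a raw Ethernet frame (added example)."""
import struct

# Each header carries one field that names the protocol above it.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
TCP_PORTS = {21: "FTP", 23: "Telnet"}
UDP_PORTS = {69: "TFTP", 161: "SNMP"}


def demultiplex(frame: bytes) -> list:
    """Strip one header per layer and return the protocols handed the packet,
    e.g. ["Ethernet", "IP", "UDP", "TFTP"]. A value no table knows ends the
    path with "unknown", which is where a stack drops (and should count) it."""
    path = ["Ethernet"]
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]   # after dst/src MACs
    upper = ETHERTYPES.get(ethertype)
    if upper is None:
        return path + ["unknown"]
    path.append(upper)
    if upper != "IP":
        return path                       # ARP and RARP are leaves in Figure 1.10

    packet = frame[14:]
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    transport = IP_PROTOCOLS.get(packet[9])   # IP Protocol field
    if transport is None:
        return path + ["unknown"]
    path.append(transport)
    if transport in ("ICMP", "IGMP"):
        return path                       # delivered beside IP; no port layer

    segment = packet[ihl:]
    if len(segment) < 4:
        raise ValueError("truncated transport header")
    sport, dport = struct.unpack("!HH", segment[:4])  # TCP and UDP share this layout
    ports = TCP_PORTS if transport == "TCP" else UDP_PORTS
    path.append(ports.get(dport) or ports.get(sport) or "unknown")
    return path


def build_frame(ethertype: int, ip_proto=None, sport: int = 0, dport: int = 0) -> bytes:
    """Construct a minimal frame for the demo (sample data, not a capture).
    MAC and IP addresses are placeholders; the IP checksum is left zero."""
    eth = (bytes.fromhex("00104b9c2713") + bytes.fromhex("00104b000001")
           + struct.pack("!H", ethertype))
    if ip_proto is None:
        return eth + bytes(28)            # ARP/RARP body; contents not inspected here
    # IPv4 header: version 4 / IHL 5, TOS, total length 28, id, flags, TTL 64,
    # protocol, checksum, source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(4)


if __name__ == "__main__":
    samples = [(0x0800, 17, 1024, 69), (0x0800, 6, 40000, 23),
               (0x0806, None, 0, 0), (0x0800, 1, 0, 0)]
    for ethertype, proto, sport, dport in samples:
        print(" -> ".join(demultiplex(build_frame(ethertype, proto, sport, dport))))
```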
Specialized Serial Interface Protocols
Many users access the Internet from home using a modem. The point of presence (POP) is the location where a user dials into the Internet via a modem. Usually the POP is an Internet Service Provider (ISP). The term may also be used to denote the point where a long-distance carrier connects to a local telephone company. If a local company does not exist, the POP is the line connected to the user. Modem connections are often made over a standard telephone and use the Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP) to connect to an ISP. The following sections describe these protocols. Serial Line Internet Protocol (SLIP) is a protocol devised to allow a computer with a modem to connect to the Internet over a phone line. Point-to-Point Protocol (PPP) is an improved version of SLIP that includes more options for authentication and more robust communication control.
Point-to-Point Protocol (PPP)—RFC 1661, STD 51
Point-to-Point Protocol (PPP) is an encapsulation method for sending IP packets over a serial link. It was created in 1991 by the IETF and supports both asynchronous and synchronous links. Therefore, it can run on standard phone lines, full-duplex links such as Integrated Services Digital Networks (ISDNs), and high-speed T1 and T3 lines. PPP uses the Link Control Protocol (LCP) to establish, configure, and test a connection during the logon process. This protocol allows both computers to negotiate, and provides greater reliability. PPP also enables password protection using the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). PPP has a family of specific Network layer protocols, called Network Control Protocols (NCPs). NCPs exist for IP, AppleTalk, and DECnet. For example, the NCP for IP allows hosts to negotiate compression headers. Figure 1.11 displays the basic components and process for PPP and SLIP, which is discussed in the next section.
FIGURE 1.11 Connecting to the Internet via SLIP or PPP
[Figure: Workstation and Modem connected over a SLIP/PPP link to the Service Provider's Modem, which reaches the Internet through an Ethernet segment and a Router]
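The difference between the two PPP password protections named above, PAP and CHAP, is what crosses the serial line. The following is an added example, not the book's code: it builds the PAP Authenticate-Request data field as RFC 1334 defines it and the CHAP Response Value as RFC 1994 defines it (MD5 over Identifier, secret, Challenge Value); the peer name, secret and challenge bytes are constructed for the demonstration.

```python
"""PAP versus CHAP on a PPP link: what a passive tap on the line would see.
Added example following RFC 1334 (PAP) and RFC 1994 (CHAP)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed demo credentials (not from any real configuration).
PEER_ID = b"alice"
SECRET = b"correct-horse-battery"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """Data field of a PAP Authenticate-Request: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Both values travel in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value = MD5(Identifier || secret || Challenge Value).
    The secret itself never appears on the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable Challenge Value. RFC 1994
    requires challenges to be unique and unpredictable; reusing one lets a
    captured Response be replayed."""
    return os.urandom(length)


def chap_response_packet(identifier: int, response: bytes, name: bytes) -> bytes:
    """CHAP Response packet: Code 2, Identifier, Length, Value-Size, Value, Name."""
    length = 4 + 1 + len(response) + len(name)
    return bytes([2, identifier & 0xFF]) + struct.pack("!H", length) \
        + bytes([len(response)]) + response + name


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret
    (CHAP therefore needs the secret stored in recoverable form) and compare
    in constant time."""
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None):
    """One Challenge/Response round; returns (challenge, response, accepted)."""
    challenge = chap_challenge() if challenge is None else challenge
    response = chap_response_value(identifier, secret, challenge)
    return challenge, response, chap_verify(identifier, secret, challenge, response)


def secret_visible_on_wire(wire_bytes: bytes, secret: bytes) -> bool:
    """Would a tap on the serial line see the secret as plaintext?"""
    return secret in wire_bytes


if __name__ == "__main__":
    print("PAP exposes secret:", secret_visible_on_wire(
        pap_authenticate_request(PEER_ID, SECRET), SECRET))
    challenge, response, ok = chap_exchange(SECRET)
    wire = chap_response_packet(1, response, PEER_ID)
    print("CHAP accepted:", ok, "| secret on wire:", secret_visible_on_wire(wire, SECRET))
```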
Multilink Point-to-Point Protocol (PPP-MP)—RFC 1990
If a user connects to his or her ISP using a standard ISDN line, PPP typically uses one 64Kbps B channel for transmission. To obtain a higher transmission speed, two or more B channels can be bridged using Multilink PPP. For example, two ISDN 64Kbps B channels can be combined for a transmission rate of 128Kbps.
Serial Line Internet Protocol (SLIP)—RFC 1055, STD 47
Serial Line Internet Protocol (SLIP) is a simple form of encapsulation for sending IP packets over serial lines. SLIP can be used on RS-232 serial ports and is usually used to connect home users to the Internet with a standard phone line. SLIP supports asynchronous links. Automated scripts are generally used to automate the logon process. SLIP is an older protocol that has been widely replaced by PPP for the following reasons:
SLIP supports only IP, whereas PPP has implementations that support protocols in addition to IP.
SLIP does not support authentication. Authentication is the process of identifying a user who is logging on to a system. It usually requires a username and a password.
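The "simple form of encapsulation" is all of RFC 1055: an END byte delimits each packet and two escape sequences keep END and ESC out of the payload. The encoder and decoder below are an added example, not the book's code; the sample packet is a constructed IPv4 header that deliberately contains both special bytes, and the `looks_like_ipv4` helper is a hypothetical name that makes the two shortcomings listed above concrete (no protocol field, so the receiver can only assume IP; nothing identifies the sender).

```python
"""SLIP framing per RFC 1055 (added example, not from the book)."""

END, ESC, ESC_END, ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD   # RFC 1055 special characters


def slip_encode(packet: bytes) -> bytes:
    """Frame one packet: a leading END flushes line noise, END/ESC bytes inside
    the packet are escaped, and a trailing END marks the frame boundary."""
    out = bytearray([END])
    for b in packet:
        if b == END:
            out += bytes([ESC, ESC_END])
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])
        else:
            out.append(b)
    out.append(END)
    return bytes(out)


def slip_decode(stream: bytes) -> list:
    """Recover packets from a byte stream. Empty frames (back-to-back ENDs) are
    dropped as line noise. An ESC followed by anything other than ESC_END or
    ESC_ESC is a protocol violation; RFC 1055 keeps the byte, and so does this."""
    packets, current, escaped = [], bytearray(), False
    for b in stream:
        if escaped:
            current.append({ESC_END: END, ESC_ESC: ESC}.get(b, b))
            escaped = False
        elif b == ESC:
            escaped = True
        elif b == END:
            if current:
                packets.append(bytes(current))
                current = bytearray()
        else:
            current.append(b)
    return packets


def looks_like_ipv4(packet: bytes) -> bool:
    """Hypothetical receiver-side check. SLIP gives the receiver no type field,
    no length, no checksum and no peer identity, so the only hint about what
    arrived is the payload's own first byte (version 4, IHL >= 5)."""
    return len(packet) >= 20 and packet[0] >> 4 == 4 and (packet[0] & 0x0F) >= 5


# Constructed sample: a 20-byte IPv4 header whose identification field and
# addresses contain the SLIP END (0xC0) and ESC (0xDB) bytes on purpose.
SAMPLE_PACKET = bytes.fromhex("45000014c0db000040110000c0a800010adb0002")

if __name__ == "__main__":
    framed = slip_encode(SAMPLE_PACKET)
    print(framed.hex())
    print(slip_decode(framed) == [SAMPLE_PACKET], looks_like_ipv4(SAMPLE_PACKET))
```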
Summary
In this chapter, you defined the term “internetwork” and compared it with traditional networking. You learned about the importance of TCP/IP and the corporate environment, and how TCP/IP can use your existing LANs and WANs as backbones for interoperability. Next, you studied the evolution of the Internet and its organizations, including the ISOC, IAB, IETF, and IRTF, as well as how TCP/IP relates to standards such as the OSI/RM and IPX/SPX. You reviewed the four layers of the Internet architecture model: Application, Transport, Internet, and Network Access, and aligned the Internet architecture model with the OSI reference model. You reviewed RFCs, including the different states of protocols, STDs versus RFCs, and reference RFCs. You also defined common Internet protocols and matched them to their corresponding Internet layers as well as to the RFC/STD for each. You identified key internetworking protocols and explained the need for multiprotocol networks.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
ARP
ARPANET
BootP
Challenge Handshake Authentication Protocol (CHAP)
cyclic redundancy check (CRC)
de-multiplexing
DHCP
DNS
draft
Ethernet
experimental
Frame Relay
FTP
fully qualified domain name (FQDN)
Gopher
header
HTTP
ICMP
IGMP
Internet architecture
Internet Architecture Board (IAB)
NCP
NetBEUI
NetBIOS
network
NFS
NNTP
nonroutable
NOS
NSFnet
OSI/RM
packet
Password Authentication Protocol (PAP)
Point-to-Point Protocol (PPP)
POP
proposed
RARP
Requests for Comments (RFCs)
routable
Serial Line Internet Protocol (SLIP)
SMB
SMTP
Internet Engineering Steering Group (IESG)
Internet Engineering Task Force (IETF)
Internet Research Steering Group (IRSG)
Internet Research Task Force (IRTF)
Internet Society (ISOC)
internetworking
IP
IPX
ISO
ISP
Link Control Protocol (LCP)
SNA
SNMP
SPX
standard
STD
TCP
TCP/IP
Telnet
TFTP
UDP
X.25
Exam Essentials
Be able to define “internetwork” and explain this concept’s importance in today’s data communications marketplace. An internetwork is a group of several LANs and WANs that operate under different network operating systems and are connected and function together, sharing information between corporate, government, or individual entities. Internetworking has eliminated the need for IS administrators to learn networking protocols for all network operating systems, allowing them to communicate using TCP/IP.
Understand how TCP/IP can use your existing LANs and WANs as backbones for interoperability. TCP/IP can function in parallel with existing protocols, allowing heterogeneous equipment and protocols to speak a common language and communicate.
Be able to relate internetworks to the concept of the corporate enterprise network. A series of WANs may create an “internetwork” consisting of private or public networks. Historically, a corporate enterprise network
was private, with leased lines connecting corporate network nodes. With the rise of the Internet, corporations use public Internet connections to quickly and inexpensively expand corporate network access points, and individuals have personal access to published information.
Know the evolution of the Internet. The Internet grew from ARPANET, which connected four universities in 1969, into a global research network in the 1980s, called NSFnet until it was dubbed “the Internet” in 1987. In 1995 the National Science Foundation network was decommissioned, as a consortium of private telecommunications companies provided global connectivity that continues to expand.
Be able to define and discuss Internet-related organizations, such as ISOC, IAB, IETF, and IRTF. These are all volunteer organizations dedicated to maintaining and enhancing the Internet and promoting global information exchange. The Internet Society (ISOC) is the global authority for the Internet. The Internet Architecture Board (IAB) is responsible for managing long-term technical direction of the Internet, while the Internet Engineering Task Force (IETF) focuses on solving operational and short-term technical problems. The Internet Research Task Force (IRTF) researches and develops new network technologies.
Understand how TCP/IP relates to standards such as SNA, OSI, and IPX/SPX. TCP/IP is an open standard, while SNA and IPX/SPX are proprietary standards. The OSI reference model is the basis for all of these networking protocols.
Be able to identify key internetworking protocols and explain the need for multiprotocol networks. TCP/IP can function in parallel with other protocols such as SNA, IPX/SPX, and NetBEUI, allowing for interoperability between heterogeneous systems. Each protocol has strengths and weaknesses, although TCP/IP has been shown to be extremely robust and flexible. In some situations, a proprietary protocol such as SNA or IPX is desired or offers advantages, which results in multiprotocol networks.
Be able to define and describe the Internet architecture model. The Internet architecture model uses four layers to describe the relationship and communication of different network elements. The Application layer includes both layers 6 and 7 of the OSI/RM. The Transport layer includes both layers 4 and 5 of the OSI/RM.
Know the nature, purpose, and operational essentials of TCP/IP. TCP/IP is an open set of protocols that uses ports and Internet addresses to allow computers with different operating systems, network topologies, and protocols to communicate. Important elements of IP are TCP, UDP, and ICMP. TCP and UDP reside at Layer 4 of the OSI/RM while ICMP is at Layer 3.
Be able to define and describe various Internet protocols. DNS associates a fully qualified domain name with an IP address. ARP resolves an IP address to a Media Access Control (MAC) address. RARP resolves a Media Access Control (MAC) address to an IP address.
Understand the operation of Point-to-Point Protocol (PPP) and Multilink PPP. PPP is an encapsulation method for sending IP packets over a serial link, either synchronously or asynchronously. PPP uses Link Control Protocol (LCP) to establish and configure a connection, including authenticating with PAP or CHAP. After connecting, PPP uses Network Control Protocols (NCPs) to negotiate communication with various protocols (e.g., IP). PPP can also bridge ISDN B channels in order to attain a higher transmission rate.
Be able to find RFCs and download them from the Internet. Requests for Comment can be found at www.rfc-editor.org/rfc.html. Some important RFCs are 2800, 1700, 1122, 1123, and 1812. Many other RFCs are important in various contexts.
Review Questions
1. Internetworking is defined as:
A. the application of vendor-centric networking principles.
B. the drive to simplify network communication.
C. the method used by an organization to communicate with itself.
D. the task of working with different, or heterogeneous, systems.
2. Which of the following items does TCP/IP use to allow a LAN to operate with another LAN?
A. A network interface card
B. A router
C. A repeater
D. A protocol gateway
3. Which of the following statements describes the advantages TCP/IP offers to corporate networks?
A. TCP/IP encourages corporate networks to rely on single platforms.
B. TCP/IP discourages corporations from relying on older mainframe networks.
C. TCP/IP requires corporations to rely on a single vendor.
D. TCP/IP allows corporations to use legacy systems to communicate with any other system on their internetwork.
4. What was the purpose of ARPANET?
A. It was designed to allow government and researchers to interact and to work from any location on the network.
B. It was designed to decrease the number of connections among hosts in a network.
C. It was designed to concentrate network control within a central hub.
D. It was designed to safely shut down a network in which many of the hosts were incapacitated.
5. When did the NSFnet become known as the Internet?
A. 1969
B. 1980
C. 1986
D. 1987
6. Which of the following protocols is often used with POP and IMAP on a server?
A. HTTP
B. FTP
C. SMTP
D. SNMP
7. Which of the following statements accurately describes the relationship of TCP/IP to IPX/SPX?
A. TCP/IP and IPX/SPX are both networking protocols.
B. TCP/IP and IPX/SPX are both vendor-neutral protocols.
C. TCP/IP and IPX/SPX are both vendor-specific protocols.
D. TCP/IP provides better performance than IPX/SPX.
8. The packet creation process begins with:
A. Layer 2 (the Data-Link layer) of the OSI/RM.
B. Layer 4 (the Transport layer) of the OSI/RM.
C. Layer 1 (the Physical layer) of the OSI/RM.
D. Layer 7 (the Application layer) of the OSI/RM.
9. Which of the following features accurately describes multiprotocol networks?
A. They decrease the time it takes to troubleshoot a network.
B. They combine routable protocols only.
C. They increase the time it takes to maintain a network.
D. They combine nonroutable protocols only.
10. The Internet architecture divides protocols into:
A. packets
B. layers
C. nodes
D. Ethernet frames
11. Which of the following terms is used to classify a protocol being seriously considered as an Internet Standard?
A. Proposed
B. Informational
C. Draft
D. Common
12. Which of the following Internet architecture layers is responsible for addressing and routing packets on TCP/IP networks?
A. The Internet layer
B. The Application layer
C. The Transport layer
D. The Network Access layer
13. Which of the following protocols is known as the troubleshooting protocol of TCP/IP?
A. File Transfer Protocol (FTP)
B. Hypertext Transfer Protocol (HTTP)
C. Address Resolution Protocol (ARP)
D. Internet Control Message Protocol (ICMP)
14. Which of the following statements accurately describes the Point-to-Point Protocol (PPP)?
A. It supports only asynchronous links.
B. It uses the Dynamic Host Configuration Protocol (DHCP) to establish and test a connection during the logon process.
C. It supports both asynchronous and synchronous links.
D. It is designed to assign Internet addresses.
15. Requests for Comments (RFCs) are identified by:
A. length
B. number
C. content
D. author
16. In the Internet architecture model, the physical media exists at which layer?
A. Transport
B. Network
C. Internet
D. Network Access
17. Which group holds authority for the Internet?
A. IAB
B. IETF
C. ISOC
D. IRTF
18. Which group creates Internet standards?
A. IAB
B. ISOC
C. IETF
D. IRTF
19. Which RFC governs behavior of multicasting?
A. 1112
B. 792
C. 1945
D. 1256
20. RFC 793 pertains to which OSI and Internet architecture layers?
A. Network Access
B. Transport
C. Application
D. Internet
Answers to Review Questions
1. D. Internetworking deals with connecting different systems, or connecting networks that communicate using different protocols, often crossing vendor-centric and vendor-neutral principles, sometimes making the network more complex rather than simpler.
2. B. A router is used to connect LANs, while a network interface card connects to a LAN, and a repeater extends a single LAN. A protocol gateway performs a specific function between networks, but does not connect the LANs at the network level like a router does.
3. D. TCP/IP allows multiprotocol networks to communicate, using an open standard that is implemented by many vendors in order to communicate between single-vendor, proprietary systems.
4. A. ARPANET originally connected four universities in California, Utah, and Connecticut, so that university and government researchers could work collaboratively from any of those locations.
5. D. In 1980 the ARPANET was decommissioned and turned over to the National Science Foundation, and renamed NSFnet. The network expanded with regional hubs and 56Kbps connections, and became known as the Internet in 1987.
6. C. Simple Mail Transport Protocol (SMTP) is used to transfer e-mail between servers, and is often run in conjunction with POP3 and IMAP, protocols for client e-mail access.
7. A. Both are networking protocols, but it is important to recognize the errors in the other answers. IPX/SPX is vendor-specific and comes from Novell, while TCP/IP is vendor-neutral. Absolute statements about performance are never absolutely true, and case studies and research can usually be found to support opposing sides, but IPX/SPX typically outperforms TCP/IP.
8. D. Applications initiate packets, thus packet creation begins at Layer 7 of the OSI/RM.
9. C. Multiprotocol or heterogeneous networks have become common, combining both routable and nonroutable protocols, increasing both troubleshooting and maintenance time for networks.
10. B. The Internet architecture defines four layers: Network Access, Internet, Transport, and Application.
11. C. The Draft stage of RFCs immediately precedes the Standard stage. However, if changes are made during consideration as a Draft RFC, the RFC must return to Proposal stage.
12. A. The Internet layer is responsible for addressing and routing packets. This should not be confused with its peer in the OSI/RM, the Network layer, which is not analogous to the Internet architecture Network Access layer.
13. D. ICMP operates at the Internet layer of the Internet architecture model, below the Transport layer, so that ICMP messages may pass information about errors in the Transport layer.
14. C. PPP supports synchronous and asynchronous links over modems and other connection methods.
15. B. RFCs are sequentially numbered.
16. D. The Physical layer and Data-Link layer reside within the Network Access layer of the Internet architecture model.
17. C. The Internet Society (ISOC) is a voluntary membership organization whose objective is to promote global information exchange using Internet technology.
18. C. The Internet Engineering Task Force (IETF) creates standards, known as Requests for Comments (RFCs), which progress through Experimental, Proposed, Draft, and Standard stages.
19. A. IGMP, Internet Group Management Protocol, is RFC 1112, STD 5.
20. B. RFC 793 governs the Transport Control Protocol, TCP, in the Transport layer.
Chapter 2
The OSI Logical and Network Access Layers
CIW EXAM OBJECTIVE AREAS COVERED IN THIS CHAPTER:
Identify and define Internet Protocol version 4 (IPv4) addressing concepts, including but not limited to: the concept of uniqueness, IP address classes, reserved addresses and networks, subnet address calculation, IEEE LAN standards, packet analysis, Address Resolution Protocol (ARP).
Define the functions and roles of the Bootstrap Protocol (BootP) and the Dynamic Host Configuration Protocol (DHCP) server and client.
Whether you are architecting a new network, connecting networks, or troubleshooting a network problem, it is vital that you understand what happens at the lowest layers of the network, the physical and logical link layers of the OSI reference model. Distances between hubs and switches are important to building a stable network that performs as specified. Troubleshooting a network problem, whether a performance problem or a loss of connectivity, often requires determining whether there is a problem with the physical medium or the physical-logical address resolution.
The Network Access layer of the Internet architecture model is equivalent to the OSI reference model’s layers 1 and 2, Physical and Data-Link, respectively. Common LAN standards that exist at the Network Access layer include Ethernet. It is important to understand how an Ethernet network (typically 10BaseT or 10/100) running TCP/IP resolves Media Access Control (MAC) addresses to IP addresses. To explain this process, we will study the Address Resolution Protocol (ARP) in detail. This process happens at the Network layer of the OSI, which is equivalent to the Internet layer of the Internet Architecture model. Although ARP can be discussed in the context of network protocols of the Internet layer because of the information that it passes to those protocols, it is important to recognize that ARP works at the Network Access layer, allowing TCP/IP to function on an Ethernet network.
The chapter will begin with a brief discussion of Institute of Electrical and Electronics Engineers (IEEE) LAN standards. Then you will study Ethernet headers, including the header fields and addressing scheme. Finally, you will learn about ARP and how it relates to Ethernet, and how Reverse Address Resolution Protocol (RARP) functions. Internet Protocol addressing, uniqueness, and reserved addresses will also be explained, providing important information for planning IP address allocation. BootP and DHCP are services for providing dynamic allocation of IP addresses, but must themselves be allocated IP addresses to dole out. They will be covered in detail for managing IP address allocation.
Ethernet
T he Institute of Electrical and Electronics Engineers, Inc., or IEEE, establishes standards on several electrical and information technologies. The IEEE 802 series of standards specifies various local area network (LAN) and IEEE 802.3 metropolitan area network (MAN) technologies. For example, IEEE 802.2 is a MAC standard that is used with Logical Link Control (LLC) to describe a specification that is based on and is very close to the original
Ethernet standard. The IEEE 802.2/802.3 standard is defined in RFC 1042. Ethernet , a predecessor to the IEEE 802.2/802.3, was developed by DEC, Intel, and Xerox (DIX) in 1973 as a broadcast system for communication between systems. The first version, referred to as experimental Ethernet, operated at 3Mbps and used eight-bit addresses. This version was later upgraded to Ethernet version 1 and then to Ethernet version 2. The current version was developed in 1982, transmits at 10Mbps, and uses 48-bit, often represented as 12 hexadecimal digits, for its MAC addresses. Ethernet is defined in RFC 894.
The CIW Internetworking certification focuses on Ethernet, because it is the most widely used and one of the most successful LAN technologies.
To transmit data on an Ethernet or IEEE 802 series network, a station must make sure no other transmission is already in progress. If no other station is transmitting, the sender can begin immediately. Collisions occur when two or more stations sense the channel is idle and begin to transmit simultaneously. In the event of a collision, all transmission ceases while the colliding stations are notified. The colliding stations then wait a random amount of time before transmitting. This access method is called Carrier Sense Multiple Access with Collision Detection (CSMA/CD).
Determining Ethernet Addresses
This section discusses how to locate Ethernet address information on Linux, Windows NT/2000/XP, and Windows 95/98/Me. You will learn the commands used to gather the information as well as the results of obtaining
your node’s hardware address. A node is a network connection capable of transmitting and receiving network information, typically a network interface card (NIC) or a network interface on a router. Note that a server or workstation may have more than one network interface, and a router will usually have multiple interfaces. The hardware address is a 48-bit value encoded on the network card by the manufacturer. The hardware or physical address is usually expressed in hexadecimal, as a 12-character, colon-delimited value such as 00:10:4B:9C:27:13.

Hexadecimal-to-decimal conversions and decimal-to-hexadecimal conversions are covered in detail in Chapter 10. A brief review should suffice at this point in the book. Hexadecimal is a base-16 counting system, where each digit carries a value between zero and 15, for a total of 16 digits. The familiar decimal system is base-10, and the binary system is base-2. It is important to know these fundamentals, as equivalent amounts of information are often expressed in other formats. Each digit in hexadecimal is represented by either a number or a letter: 0 through 9 followed by A through F. The hexadecimal values of 0 through 9 are the decimal values 0 through 9, respectively, and the hexadecimal values of A through F are the decimal values 10 through 15, respectively. Hence the hexadecimal number 54CE can be converted to the decimal numbers 5, 4, 12, and 14 for each place—but remember that each place carries a base-16 value, so the 12 value from the C, in the second place from the right, is 12 × 16, not the familiar 12 × 10 or “twelve tens” from the base-10 decimal system. Any two-digit hexadecimal can be represented by four binary bits; therefore, 48 bits binary are equivalent to 12 digits hexadecimal. So 54CE in hexadecimal has a value of 21710. For more details on the arithmetic, look at Chapter 10.

The first six hexadecimal digits (the first three bytes) of a hardware address are always the same for a single hardware manufacturer, such as 3com. The hardware address on the network card does not change over time or even if the NIC is moved, because it is coded onto a chip on the NIC at the factory, by the manufacturer. The method for determining MAC address varies by operating system.
Linux

There are many instances when you will need to determine the hardware address of a system or NIC. If you are troubleshooting a DHCP-assigned IP address, you will need to know a system’s hardware address (also called the
MAC address) in order to identify the DHCP request and reply. How do you determine a system’s MAC address? In Linux, you can determine the Ethernet address of your system by using the ifconfig (interface configuration) command. For most configurations in Linux, you must be logged on as root for the Ethernet address to be displayed. The following is an example of using the ifconfig command. At the Linux shell prompt (#), enter:

# ifconfig

Results similar to the following will appear, depending on your NIC and network configuration:

eth0      Link encap:Ethernet  HWaddr 00:A0:24:55:29:E8
          inet addr:10.1.3.1  Bcast:10.1.3.255  mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

As you can see, the Ethernet address is 00:A0:24:55:29:E8.

If the information is not displayed as above, try issuing ifconfig -a in order to display all interface information. Also, note that the loopback address does not have a hardware address, as it is a logical address and not a physical one. If your system has multiple interfaces, you will see eth0, eth1, eth2 . . . etc.
Windows 2000

Whether you are troubleshooting a server or a client, there are many scenarios when you will need to use a hardware address to resolve a problem or to answer a question. You can use the ipconfig (IP configuration) command to determine your network card’s Ethernet address in Windows 2000,
as well as in Windows NT and Windows XP. Execute the ipconfig command with the /all option. At the command prompt, enter:

ipconfig /all

Results similar to the following will appear in Windows 2000, depending on your NIC and network configuration:

Windows 2000 IP Configuration:

        Host Name . . . . . . . . . . : sybex
        Primary DNS Suffix  . . . . . :
        Node Type . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . : No
        WINS Proxy Enabled. . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  :
        Description . . . . . . . . . : 3COM EtherLink XL 10/100 PCI
        Physical Address. . . . . . . : 00-00-1C-3A-62-BD
        DHCP Enabled. . . . . . . . . : No
        IP Address. . . . . . . . . . : 192.168.3.13
        Subnet Mask . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . : 192.168.3.1
        DNS Servers . . . . . . . . . :

The Ethernet address appears as 00-00-1C-3A-62-BD.
As a future internetworking professional, you may encounter client workstations running one of these versions of Windows: Windows 95/98/Me. You can use the winipcfg (Windows IP configuration) command to determine your network card’s Ethernet address in Windows 95/98/Me. Select the Start button and choose Run. The run command line will appear. Enter Winipcfg.

It is important to see the difference between ipconfig and ifconfig, for Windows 2000/NT/XP and Linux or Unix, respectively, as well as remembering ipconfig’s cousin winipcfg for Windows 95/98/Me. Try these configurations on your own system and see for yourself.
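As an added example (not from the book), the following Python code does the place-by-place hexadecimal conversion described above and pulls hardware addresses out of ifconfig, ipconfig /all and arp -a output, normalizing the three notations seen in this section (colons, dashes, dots); the sample command output is constructed.

```python
import re

HEX_DIGITS = "0123456789ABCDEF"


def hex_to_decimal(hex_string: str) -> int:
    """Convert a hexadecimal string to decimal by hand, one place at a time.

    Each place carries a base-16 weight, so the C (12) in the second place
    from the right of 54CE contributes 12 x 16, exactly as the text explains.
    """
    value = 0
    for digit in hex_string.upper():
        if digit not in HEX_DIGITS:
            raise ValueError(f"not a hexadecimal digit: {digit!r}")
        value = value * 16 + HEX_DIGITS.index(digit)
    return value


# Hardware addresses appear in three notations in this section: colon-delimited
# (Linux ifconfig), dash-delimited (Windows ipconfig /all and arp -a) and
# dot-delimited (running text). Six hex bytes, one separator style throughout.
MAC_PATTERN = re.compile(r"\b[0-9A-Fa-f]{2}([:.-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}\b")


def normalize_mac(mac: str) -> str:
    """Return a hardware address as lowercase, colon-delimited bytes."""
    octets = re.split(r"[:.-]", mac)
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a 48-bit hardware address: {mac!r}")
    return ":".join(o.lower() for o in octets)


def oui(mac: str) -> str:
    """The first three bytes: the manufacturer's block, fixed at the factory."""
    return normalize_mac(mac)[:8]


def find_hw_addrs(output: str) -> list:
    """Extract every hardware address from ifconfig, ipconfig or arp output."""
    return [normalize_mac(m.group(0)) for m in MAC_PATTERN.finditer(output)]


# Constructed sample output, modelled on the commands shown in this section
# (not captured from a real system).
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:A0:24:55:29:E8
          inet addr:10.1.3.1  Bcast:10.1.3.255  Mask:255.255.0.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection:
        Description . . . . . . . : 3COM EtherLink XL 10/100 PCI
        Physical Address. . . . . : 00-00-1C-3A-62-BD
        IP Address. . . . . . . . : 192.168.3.13
"""

ARP_OUTPUT = """\
Interface: 192.168.3.13 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.3.11          00-60-83-7c-24-a2     dynamic
  192.168.3.1           00-aa-00-38-e7-c3     dynamic
"""

if __name__ == "__main__":
    print("54CE =", hex_to_decimal("54CE"))                  # 21710
    for name, text in (("ifconfig", IFCONFIG_OUTPUT),
                       ("ipconfig /all", IPCONFIG_OUTPUT),
                       ("arp -a", ARP_OUTPUT)):
        for mac in find_hw_addrs(text):
            print(f"{name:14} {mac}  OUI {oui(mac)}")
```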
Ethernet Headers
The Ethernet header encapsulates data before sending it across the physical network wire. Recall from our earlier discussion of packet creation in the OSI reference model that each layer adds header information to the packet as it is created, and removes it as the packet is received. The Ethernet header is the last header to be added, and it uses a hardware address to locate the destination node. A set of rules called Address Resolution Protocol, or ARP, discovers the hardware address of the destination computer, used in the destination field of the Ethernet header. We’ll discuss ARP after examining the Ethernet header fields. Figure 2.1 describes the Ethernet header, followed by an explanation of each field. When the Ethernet header encapsulates a data packet, the resulting packet is called an Ethernet frame.

FIGURE 2.1 Ethernet header and data

  Destination Hardware Address | Source Hardware Address | Type | Data | CRC
Ethernet Header Fields

Following is a description of Ethernet header fields.

Destination hardware address (six bytes)  The target’s hardware address. Remember that six bytes is 48 bits, the length of a NIC card’s hardware or MAC address.

Source hardware address (six bytes)  The sender’s hardware address.

Type (two bytes)  Identifies the data type, in hexadecimal format, following the Ethernet header. For example:

  IP packet             0800
  ARP request/reply     0806
  RARP request/reply    8035
Data (46 to 1500 bytes)  The data itself, which will vary depending on the type, such as an IP packet. The minimum data size is 46 bytes. Padding bytes are included to ensure the minimum size is always reached.

Cyclic redundancy check, or CRC (four bytes)  A checksum that checks for errors in the Ethernet frame.
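As an added example (not from the book), the following Python code builds and parses an Ethernet frame with exactly the fields just described: six-byte addresses, the two-byte Type, data padded to the 46-byte minimum, and the four-byte CRC. The addresses and payload are constructed; the CRC is computed with zlib's CRC-32, the same CRC-32 algorithm the Ethernet frame check uses.

```python
import struct
import zlib

# Type field values listed in the text (two bytes, big-endian on the wire).
ETHERTYPES = {0x0800: "IP packet", 0x0806: "ARP request/reply", 0x8035: "RARP request/reply"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

HEADER_LEN = 14   # destination (6) + source (6) + type (2)
MIN_DATA = 46     # shorter payloads are padded up to this size
MAX_DATA = 1500
CRC_LEN = 4


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, data: bytes) -> bytes:
    """Encapsulate data in an Ethernet frame: header, padded data, CRC."""
    if len(data) > MAX_DATA:
        raise ValueError(f"data field is limited to {MAX_DATA} bytes")
    data = data.ljust(MIN_DATA, b"\x00")    # padding bytes, if needed
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + data
    # The CRC-32 covers everything from the destination address through the
    # last data byte and is sent least-significant byte first.
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", crc)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its header fields after checking length and CRC."""
    if len(frame) < HEADER_LEN + MIN_DATA + CRC_LEN:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    body, fcs = frame[:-CRC_LEN], frame[-CRC_LEN:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        raise ValueError("CRC mismatch: the frame was damaged in transit")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": bytes_to_mac(body[:6]),
        "src": bytes_to_mac(body[6:12]),
        "type": ethertype,
        "type_name": ETHERTYPES.get(ethertype, "unknown"),
        "data": body[HEADER_LEN:],
        "is_broadcast": bytes_to_mac(body[:6]) == BROADCAST,
    }


def crc_ok(frame: bytes) -> bool:
    """True if the frame parses cleanly, False if the CRC detects damage."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed addresses, reusing the two example nodes from this section.
    frame = build_frame("00:00:1c:3a:62:bd", "00:a0:24:55:29:e8", 0x0800, b"constructed payload")
    info = parse_frame(frame)
    print(len(frame), "bytes:", info["src"], "->", info["dst"], info["type_name"])
    damaged = frame[:20] + bytes([frame[20] ^ 0x01]) + frame[21:]
    print("damaged frame accepted?", crc_ok(damaged))   # False
```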
Protocol Analyzers

Protocol analyzers allow network administrators to analyze data sent across a network. The data is “captured” by the protocol analyzer as it is transmitted across the network. Once captured, it can be closely studied. For instance, the Ethernet header, which indicates the hardware addresses of both the source and the destination nodes, can be viewed. In the following exercises, you will install a protocol analyzer and analyze Ethernet headers.

EXERCISE 2.1

Installing a protocol analyzer on Linux

In this exercise, you will install a protocol analyzer called Ethereal, a network analyzer, on Linux. Installation procedures will vary depending on the version. These instructions were written for ethereal-0.8.9-4.

1. Locate the ethereal-0.8.9-4.i386.rpm installation file. Obtain it from the CD or download the RPM from either http://www.ethereal.com or http://ss1.ciwcertified.com/internetworking.

2. To install the RPM, enter the following command:

   Host# rpm -i ethereal-0.8.9-4.i386.rpm
Exercise 2.2 and Exercise 2.4 require two computers on an Ethernet network in order to capture and view Ethernet packets. Exercises 2.2 and 2.4 will refer to System A and System B. Throughout the rest of this book, System A will refer to a system running Linux and System B will refer to a system running Windows 2000. These could be connected with an Ethernet hub or with a crossover cable. If you have only one system, you may do all of the steps except for capturing packets. While it is possible to perform nearly all of the exercises in the book using a single system that dual-boots either Linux or Windows 2000, it is recommended that a networking professional have one of each system for these exercises.
EXERCISE 2.2

Capturing and viewing Ethernet headers using Ethereal on Linux

In this exercise, you will use the Ethereal Network Analyzer on Linux to capture network packets and analyze the Ethernet headers.

1. On System A, start the X Window System, if the graphical display is not already enabled, by entering:

   Host# startx

2. To start Ethereal, open a terminal and enter:

   Host# ethereal -n

3. Ethereal will open. The -n option will display only IP addresses in your results, because you have not configured DNS.

4. To generate packets, open a new terminal and enter:

   Host# ping [System B's IP address]

5. Capture network packets by selecting the Capture menu and choosing Start. The Preferences window will appear. Select OK, which causes Ethereal to capture all packets on the network by default.

6. The Capture/Playback window will appear. It displays the number of packets captured as well as a general breakdown by protocol.
7. To view the packets you captured, click the Stop button in the Capture/Playback window. Your screen may resemble the example below.

8. When you have captured packets, return to the terminal window in which you issued the ping command and press Ctrl+C to stop the ping process. Close the terminal.

9. Save the Ethereal file as Ethernet-linux in your root folder.

10. Select the File menu and choose Close.
Ethereal Network Analyzer captures all packets on the network from all nodes. To view only the packets sent between System A and System B, you must create and apply a filter.
Steps 1 through 4 below are useful only if your systems are on a network with other computers generating network traffic. If your two systems are the only computers on the network, you do not need to perform these steps.
EXERCISE 2.3

Creating a Capture Filter in Ethereal

1. To create a filter before capturing packets, select the Capture menu and choose Start. The Preferences window will appear.

2. Select the Filter button. In the Filter Name field, enter Linux Capture. In the Filter String field, enter the following:

   [System B's IP address] and [System A’s IP address]

3. Select the New button. Your new capture’s filter name will appear in the window, as shown in the example below.

4. Select Save and OK twice to begin the capture.

5. The Capture/Playback window will appear. Ping System A from System B. After several replies, view the packets you captured by clicking the Stop button. Only the packets between System A and System B will be captured on the network.
6. To analyze an Ethernet header, select the first ICMP Echo packet, which is an Echo request. Next, scroll to the top of the middle window. You will find the Ethernet II header. The Ethernet II header provides the services required by the OSI/RM Data-Link layer. In an Ethernet network, the destination and source hardware address, as well as the data type, are found in the Ethernet header, as shown below.
7. To locate the destination hardware information, expand the Ethernet header by clicking the + sign next to Ethernet II in the middle pane. It will change to a – sign and display the data. Note the Ethernet header information for source and destination hardware addresses, and note the protocol type.
8. Notice which computer is the destination computer and which computer is the source.
9. Select the first ICMP Echo reply packet (usually the second ICMP packet) from your capture. Note the Ethernet header information for source and destination hardware addresses, and note the protocol type.
10. Note again which computer is the destination computer and which computer is the source.
Note that every packet has an Ethernet header. It is required on an Ethernet network because the Ethernet 48-bit address (not the 32-bit IP address) is used to locate the actual destination at the Network Access layer. Later in the chapter, you will see how ARP resolves IP addresses to Ethernet addresses.
Introduction to Internet Addressing
You have already seen Internet Protocol addresses in use, in the previous exercises. It is important to recognize the rules and limitations of IP addressing in order to architect a network or to merge existing networks. For a host to communicate with a remote host over the Internet, it must know the remote host’s Internet address. Each host, or node, has its own 32-bit Internet address, or IP address, that identifies it as distinct from any other host on the Internet. This section discusses the current version of Internet Protocol (IP) addressing used on the Internet and most TCP/IP networks today, IPv4, and the fundamental concepts that make up IPv4: Internet address structure, binary versus decimal format, address classes, addressing rules, reserved addresses, and address ranges.
Internet Addressing
To ensure that each user on the Internet has a unique IP address, a central authority called the International Corporation of Assigned Names and Numbers (ICANN) issues all Internet addresses. The organization that previously handled this responsibility, the Internet Assigned Numbers Authority (IANA), was funded and overseen by the United States government. The ICANN is a private, nongovernment organization that performs the same tasks: Internet address space allocation, protocol parameter assignments, DNS management, and root server management. To learn more about the ICANN, visit www.icann.org.
Most Internet addresses contain the network portion and the host portion. The network portion precedes the host portion:

  network portion.host portion

Internet addresses are specified by four fields, also called octets, separated by periods:

  field1.field2.field3.field4

They are typically written in dotted decimal notation. Each field has a value ranging from 0 to 255, as demonstrated by the following Internet address:

  208.157.24.111

In this example, the network portion is 208.157.24, and the host portion is 111. To help distinguish the network portion from the host portion, Internet addresses are divided into classes, which are described later in this chapter.

Decimal vs. Binary Format

IP addresses are called “32-bit addresses” because each field is actually a byte, and a byte equals eight bits. An IP address has four bytes; hence the total is 32 bits.

  8 + 8 + 8 + 8 = 32
The term “octet” is often used to identify IP address fields. It originated during early TCP/IP experimentation on computers that did not use eight-bit bytes, such as DEC-10 systems. Because most systems now use bytes, this book will refer to the IP address fields as bytes.
To determine the bit value of an Internet address, the address must be converted from decimal to binary format. Binary format is a combination of zeros and ones that computers use to process information. The binary equivalent is determined by calculating the value of each bit within each byte, from left to right, as shown in Figure 2.2. Spend a few minutes memorizing these bit values, as they will be used throughout this chapter.
FIGURE 2.2 Decimal value of each bit

  Bit value   128   64   32   16    8    4    2    1

If an IP address’s binary value is 01111001, you can determine the decimal value by adding the corresponding bit values that equal 1 (using Figure 2.2). For example:

  01111001 = 0 + 64 + 32 + 16 + 8 + 0 + 0 + 1 = 121

The arithmetic shown above can be understood in more detail as each binary digit’s value is calculated, as shown below, and the results added.

  (0×128) + (1×64) + (1×32) + (1×16) + (1×8) + (0×4) + (0×2) + (1×1) = 121

Table 2.1 illustrates this process more graphically.

TABLE 2.1 Converting binary 01111001 to decimal

                128   64   32   16    8    4    2    1
  Binary bits     0    1    1    1    1    0    0    1
  Bit value       0   64   32   16    8    0    0    1

You can do this for each byte in the 32-bit Internet address. For example:

  10000011 11100010 00001000 11001000 = 131.226.8.200
Internet Address Classes
Without a classification system, the 3,720,314,628 possible Internet addresses would have no structure. To provide structure, IP addresses are categorized into classes. Classes can be determined by looking at the first byte of an Internet address.
Internet addresses are divided into five classes: A, B, C, D, and E. The characteristics of each class are detailed in Figure 2.3, followed by an explanation of each.

FIGURE 2.3 Address classes

  Class A: Range 0.0.0.0 to 127.255.255.255
    Starting binary value: 0
    Network (1 byte), Host (3 bytes)
    126 networks, 16,777,214 hosts

  Class B: Range 128.0.0.0 to 191.255.255.255
    Starting binary value: 10
    Network (2 bytes), Host (2 bytes)
    16,384 networks, 65,534 hosts

  Class C: Range 192.0.0.0 to 223.255.255.255
    Starting binary value: 110
    Network (3 bytes), Host (1 byte)
    2,097,152 networks, 254 hosts

  Class D: Range 224.0.0.0 to 239.255.255.255
    Starting binary value: 1110
    Multicasting—network (4 bytes)

  Class E: Range 240.0.0.0 to 247.255.255.255
    Starting binary value: 11110
    Experimental/reserved for future use
Before learning about address classes, note that neither the entire network nor the entire host portion of an IP address can contain all binary zeros or ones. In decimal values, 255 usually means “broadcast” and a 0 value means “this network.” You will learn more about IP addressing rules later in this chapter.
Class A Addresses

Class A addresses use the first eight bits for the network portion and the remaining 24 bits for the host portion. They provide the potential for 126 networks with 16,777,214 hosts each. The first byte specifies the network number and class; it can range from 1 to 126 (127 is a reserved loopback address). The first bit of a Class A network address is always a 0 bit. The following is an example of a Class A address (the first byte is the network address):

  121.1.1.32

The bit equivalent is:

  01111001 00000001 00000001 00100000
Class B Addresses

Class B addresses use 16 bits each for the network and host portions. They provide the potential for 16,384 networks with up to 65,534 hosts each. The first two bytes specify the network number and class; the first byte can range from 128 to 191. The first two bits of a Class B network address are always 10. The following is an example of a Class B address (the first two bytes are the network address):

  168.100.1.32

The bit equivalent is:

  10101000 01100100 00000001 00100000
Class C Addresses

Class C addresses use 24 bits for the network portion and eight bits for the host portion. They provide the potential for 2,097,152 networks with up to 254 hosts each. The first three bytes specify the network number and class; the first byte can range from 192 to 223. The first three bits of a Class C network address are always 110. The following is an example of a Class C address (the first three bytes are the network address):

  205.96.224.32

The bit equivalent is:

  11001101 01100000 11100000 00100000
Class D Addresses

Class D addresses support multicasting. With multicasting, a datagram is targeted to a group that is identified by a network address only (no host portion exists). The first byte can range from 224 to 239. The first four bits of a Class D network address are always 1110. The following is an example of a Class D address (all four bytes are the network address):

  230.5.124.62

The bit equivalent is:

  11100110 00000101 01111100 00111110
Class E Addresses

Class E addresses are reserved for future use. The first byte can range from 240 to 247. The first five bits of a Class E network address are always 11110.

While it might seem logical to allow the Class E reserved addresses to range from 240 to 254, this address range remains reserved, and different RFCs have been proposed regarding how to finish allocating these addresses, which is fundamentally done bit by bit.

You will see the importance of the host portion and network portion again in the next chapter, as it applies to routing. The 32-bit Internet address must be unique. It is typically written in dotted decimal notation. The following is an example of the address notation.

  Dotted decimal:  131.226.8.200
  32-bit address:  10000011 11100010 00001000 11001000

Notice that this is a Class B address because the first byte is between 128 and 191. Also, the address contains four bytes: The first and second bytes (131.226) refer to the network portion of the address, and the third and fourth bytes (.8.200) refer to the host portion.
IP Addressing Rules
Internet addresses must follow several guidelines to function properly. Although you have learned about the ranges of Class A, B, and C addresses, not all addresses within these ranges can be used as network node addresses. This section describes the exceptions.
All IP addressing rules are based on the fundamental rule that the network and host portions cannot be all binary ones or zeros.
Broadcast Addresses

Broadcast addresses are used to send messages to all network nodes. The network and/or host IP address portions are all binary ones, which usually coincide with the decimal 255 value. Broadcast addresses are used only for destination addresses, and cannot be used for source addresses. The following four types exist:

Limited broadcast  Both the network and the host portions consist of binary ones. This type is used for configuring hosts when they boot up, broadcasting to all hosts on the segment, with 255.255.255.255. For example, a computer without an IP address can broadcast this address to obtain an IP address (e.g., from a DHCP or BootP server, described later).

Net-directed broadcast  This address is used to broadcast to all hosts in a network. For example, if the network portion of your IP address is 192.34.200 and the host portion is 12, your computer can broadcast messages to all network hosts by using the destination address 192.34.200.255.

Subnet-directed broadcast  If a network is divided into several subnets, a broadcast can be limited to the hosts within a subnet. You will learn about subnets in the next chapter.

All-subnets-directed broadcast  If a network is divided into several subnets, a broadcast can be sent to all hosts within all network subnets. This type of broadcast has become obsolete; multicasting (see Class D addresses) is preferred.

Network Addresses

Network addresses are used by routers to identify a network. The network portion consists of the network address, but the host portion consists of binary zeros (netid.0.0.0). For instance, the network address 192.168.3.0 could not be used as a host address.
Special-Case Source Addresses

The special-case source address is used when a computer does not have an IP address. It is used only during the initialization process. In one type of special-case source address, the network and host IP address portions are all binary zeros (0.0.0.0). This address is used when a computer initializes and requests an IP address (e.g., from a DHCP or BootP server) for itself. Although the computer broadcasts a request for an IP address, its source address is initially 0.0.0.0, until it is assigned a network IP address.
Loopback Address

The loopback address, 127, cannot be used as a network address. This address allows a client and server on the same host to communicate with each other. The loopback address is ideal for testing and troubleshooting. For example, if your computer hosts a web server and you enter http://127.0.0.1 in your web browser’s address field (as a client), you will access the website even though the server is on the same system. The loopback address can also be used to test local TCP/IP functionality with the ping utility. For Unix and Windows NT/2000 systems, the loopback address is listed in the /etc/hosts file and is typically 127.0.0.1 with the assigned name localhost. The loopback range actually spans 127.0.0.1 through 127.255.255.254, with 127.0.0.0 and 127.255.255.255 being broadcast addresses.
Reserved IP Addressing
The ICANN has reserved three blocks of the IP address space for private networks (as defined in RFC 1918):

  10.0.0.0 through 10.255.255.255
  172.16.0.0 through 172.31.255.255
  192.168.0.0 through 192.168.255.255

Reserved or private IP addresses are often used for company networks for a number of reasons. Public IP addresses are limited in number, and have a cost. The majority of computers used in business networks do not require a uniquely addressable IP, and security and management of services provided to the company’s internal network can be easily managed with appropriate
gateways. The ICANN suggests that companies use these network IDs if the company fits into one of the following categories:

1. Its hosts do not require access to other enterprise or Internet hosts.

2. Its hosts’ Internet needs can be handled by mediating gateways (e.g., Application-layer gateways). For example, its hosts might require only limited Internet services, such as e-mail, FTP, newsgroups, and web browsing.

These private network addresses have no global meaning. Therefore, Internet routers are expected to reject (filter) routing information about them (the rejection will not be treated as a routing protocol error). The benefits of using private network addresses include:

- Conservation of globally unique IP addresses when global uniqueness is not required.
- More flexibility in enterprise design because of availability of large address space—a company may purchase only a Class C range, a small number of IP addresses, but may choose to use a Class B or Class A private range for their internal network, for flexibility and growth.
- Prevention of IP address clashes when an enterprise gains Internet connectivity without receiving addresses from the ICANN.

The drawbacks of using private network addresses include:

- Possible reduction of an enterprise’s flexibility to access the Internet. If your company eventually decides to provide Internet connectivity to some or all of your hosts, you will need to renumber part or all of your company.
- If your company merges with another company and all hosts use private network addresses, you will probably need to combine several private networks into one. Addresses within the combined private network may not be unique, and you will need to renumber hosts to accommodate identical IP addresses.
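As an added example (not the book's own code), the following Python code carries out the binary conversion of Figure 2.2, determines an address's class from the leading bits of its first byte as in Figure 2.3, and applies the broadcast, network-address, loopback, special-case-source and private-address rules of the preceding sections; the addresses it is run on are the ones used in this chapter.

```python
BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)          # Figure 2.2

# Leading bits of the first byte, class letter, bytes in the network portion
# (Figure 2.3). Classes D and E have no host portion.
CLASSES = (("0", "A", 1), ("10", "B", 2), ("110", "C", 3),
           ("1110", "D", 4), ("11110", "E", 4))

# The three private blocks of RFC 1918 quoted in the text.
PRIVATE_BLOCKS = (("10.0.0.0", "10.255.255.255"),
                  ("172.16.0.0", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255"))


def byte_to_binary(value: int) -> str:
    """Decimal byte to eight binary digits, subtracting the bit values in turn."""
    bits = ""
    for weight in BIT_VALUES:
        if value >= weight:
            bits += "1"
            value -= weight
        else:
            bits += "0"
    return bits


def binary_to_byte(bits: str) -> int:
    """Table 2.1 in code: add the bit values whose binary digit is 1."""
    return sum(w for w, b in zip(BIT_VALUES, bits) if b == "1")


def octets(addr: str) -> tuple:
    parts = tuple(int(p) for p in addr.split("."))
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal address: {addr!r}")
    return parts


def to_binary(addr: str) -> str:
    return " ".join(byte_to_binary(b) for b in octets(addr))


def from_binary(bits: str) -> str:
    return ".".join(str(binary_to_byte(b)) for b in bits.split())


def address_class(addr: str) -> tuple:
    """Class letter and network-portion length, from the first byte's leading bits."""
    first = byte_to_binary(octets(addr)[0])
    for prefix, name, net_bytes in CLASSES:
        if first.startswith(prefix):
            return name, net_bytes
    raise ValueError(f"{addr}: first byte above 247 lies outside the classes")


def usable_hosts(cls: str) -> int:
    """Hosts per network: the all-zeros and all-ones host portions are excluded."""
    net_bytes = {"A": 1, "B": 2, "C": 3}[cls]
    return 2 ** (8 * (4 - net_bytes)) - 2


def describe(addr: str) -> dict:
    """Apply the class split and the addressing rules to one address."""
    o = octets(addr)
    if o == (0, 0, 0, 0):
        return {"class": None, "role": "special-case source address"}
    if o == (255, 255, 255, 255):
        return {"class": None, "role": "limited broadcast"}
    if o[0] == 127:
        return {"class": "A", "role": "loopback"}
    cls, net_bytes = address_class(addr)
    if cls in ("D", "E"):
        role = "multicast group" if cls == "D" else "reserved for future use"
        return {"class": cls, "network": addr, "host": "", "role": role}
    network, host = o[:net_bytes], o[net_bytes:]
    if all(h == 255 for h in host):
        role = "net-directed broadcast"
    elif all(h == 0 for h in host):
        role = "network address"
    else:
        role = "host"
    return {
        "class": cls,
        "network": ".".join(map(str, network)),
        "host": ".".join(map(str, host)),
        "role": role,
        "private": any(octets(lo) <= o <= octets(hi) for lo, hi in PRIVATE_BLOCKS),
    }


if __name__ == "__main__":
    for addr in ("121.1.1.32", "131.226.8.200", "192.34.200.255", "192.168.3.0",
                 "127.0.0.1", "255.255.255.255", "0.0.0.0", "230.5.124.62"):
        print(f"{addr:16} {to_binary(addr)}  {describe(addr)}")
```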
Address Resolution Protocol
The Address Resolution Protocol (ARP) is used to resolve hardware addresses (MAC) from software addresses (IP). Within the OSI reference model, ARP allows a Layer 2 address to be resolved, or matched to a given
Layer 3 address, an IP address. This process is dynamic: A node (a computer, whether client or server) can replace its NIC (which will give the node a new hardware address) and ARP will still resolve the same IP address to the new hardware address, assuming the same IP address is used with the new NIC. Assume there are two hosts, node1 and node2, on a TCP/IP Ethernet network. Node1 knows the IP address of node2. However, node1 cannot send data to node2 because TCP/IP and Ethernet use different address schemes. For node1 and node2 to communicate, a protocol is needed to resolve IP addresses to Ethernet addresses. ARP is this protocol. As shown in Figure 2.4, ARP resolves OSI/RM Layer 3 (Network) addresses to OSI/RM Layer 2 (Data-Link) addresses—for example, a 32-bit IP address to an Ethernet 48-bit physical address. ARP is defined in RFC 826.

FIGURE 2.4 Resolving IP addresses to Ethernet addresses

  IP address (32-bit)  -->  Ethernet address (48-bit)
When a user executes a TCP/IP command, such as Telnet or FTP, the system usually generates ARP messages. Only after the local system knows the destination system’s physical address will Telnet or FTP connections be established.
ARP Description

Dynamic binding or resolution is used with ARP to solve the mapping problem. The following is an example of how resolution with ARP works. When host node1 needs to resolve the Internet address for host node2 to a MAC address, it broadcasts a special packet that asks node2 to respond with its physical address. This message is known as the ARP request packet. Although all hosts on the network receive the request, only the node that recognizes its Internet address responds with its physical address. This message is referred to as an ARP reply.
Hosts that use ARP maintain a cache of recently acquired Internet-to-physical-address bindings so they do not have to use ARP repeatedly. The average time an ARP entry remains in a Unix ARP cache is 20 minutes. On Windows NT/2000, the average time is two minutes. However, if an ARP entry in an NT/2000 machine’s ARP cache is queried within the two-minute period, it will stay in the cache for 10 minutes. The command for viewing the ARP cache on Windows is:

arp -a

This command generates the following result:

Interface: 192.168.3.13 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.3.11          00-60-83-7c-24-a2     dynamic
  192.168.3.15          00-60-97-24-db-df     dynamic
  192.168.3.1           00-aa-00-38-e7-c3     dynamic

The command for viewing the ARP cache on Linux is:

arp

This command generates the following result:

Address         HWtype  HWaddress           Flags Mask   Iface
192.168.3.11    ether   00-60-83-7c-24-a2   C            eth0
192.168.3.15    ether   00-60-97-24-db-df   C            eth0
192.168.3.1     ether   00-aa-00-38-e7-c3   C            eth0

The sender’s Internet-to-physical-address binding is included in every ARP broadcast. Thus, receivers update the Internet-to-physical-address binding information in their caches before processing an ARP packet.
ARP Header
The ARP header is 28 bytes long. Figure 2.5 displays the ARP header, followed by a description of each field. Note that the header format consists of 32-bit “words.” This format is used for illustrative purposes, so the header can be understood and explained. The ARP header consists of seven 32-bit words, which equals 28 bytes.

FIGURE 2.5 ARP header (seven 32-bit words, bits 0 through 31)
  Word 1: Hardware Type (16 bits) | Protocol Type (16 bits)
  Word 2: Hardware Length (8 bits) | Protocol Length (8 bits) | Operation (16 bits)
  Word 3: Source Hardware Address (bytes 1 to 4)
  Word 4: Source Hardware Address (bytes 5 to 6) | Source IP Address (bytes 1 to 2)
  Word 5: Source IP Address (bytes 3 to 4) | Destination Hardware Address (bytes 1 to 2)
  Word 6: Destination Hardware Address (bytes 3 to 6)
  Word 7: Destination IP Address (bytes 1 to 4)
ARP Header Fields
An ARP message is encapsulated in an Ethernet frame. The Ethernet header frame type field for ARP packets is set to hexadecimal 0806.
Hardware Type (16 bits)  Defines the hardware address type (one for Ethernet).
Protocol Type (16 bits)  Defines the protocol address type (0x0800 for IP addresses). It is the same value as the Ethernet frame’s Type field.
Hardware Length (eight bits)  Size, in bytes, of the hardware address (the value is six bytes [48 bits] for Ethernet).
Protocol Length (eight bits)  Size, in bytes, of the protocol address (the value is four bytes [32 bits] for IP).
Operation (16 bits)  Defines the ARP type: 1=ARP request, 2=ARP reply.
Source Hardware Address (32 bits)  Sender’s hardware address (six bytes for Ethernet).
Source Hardware Address (16 bits)  Sender’s hardware address (continued).
Source IP Address (16 bits)  Sender’s protocol address (four bytes for IP).
Source IP Address (16 bits)  Sender’s protocol address (continued).
Destination Hardware Address (16 bits)  Target’s hardware address (six bytes for Ethernet).
Destination Hardware Address (32 bits)  Target’s hardware address (continued).
Destination IP Address (32 bits)  Target’s protocol address (four bytes for IP).
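The request/reply exchange and the cache update described above, as an added example in Python (this is not code from the book). It packs and unpacks the seven-word header exactly as laid out in Figure 2.5 and keeps a small cache that reports when an already-known IP address arrives with a different hardware address, which is the condition a host would want to notice before trusting a new binding. The addresses are taken from the sample arp output earlier in this section; the MAC address given for 192.168.3.13 is made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_ARP = 0x0806   # Ethernet frame Type field value that carries an ARP packet
ETHERTYPE_IP = 0x0800    # ARP Protocol Type for IP addresses
HTYPE_ETHERNET = 1       # ARP Hardware Type for Ethernet
OP_REQUEST = 1
OP_REPLY = 2

# The seven 32-bit words of the header, in network byte order:
# htype(16) ptype(16) hlen(8) plen(8) op(16) sha(48) spa(32) tha(48) tpa(32)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes


@dataclass
class ArpPacket:
    operation: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(operation: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize a 28-byte Ethernet/IP ARP packet (a request carries an all-zero target MAC)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, ETHERTYPE_IP, 6, 4, operation,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(data: bytes) -> ArpPacket:
    """Decode the payload of an Ethernet frame whose Type field is 0x0806."""
    if len(data) < ARP_LEN:
        raise ValueError("ARP packet shorter than 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:ARP_LEN])
    if htype != HTYPE_ETHERNET or ptype != ETHERTYPE_IP or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IP ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP operation {op}")
    return ArpPacket(op, bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))


class ArpCache:
    """Internet-to-physical-address bindings learned from the sender fields of ARP packets."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def learn(self, pkt: ArpPacket) -> Optional[str]:
        """Record the sender binding; return the previous MAC if a known IP now maps elsewhere."""
        previous = self.table.get(pkt.sender_ip)
        self.table[pkt.sender_ip] = pkt.sender_mac
        if previous is not None and previous != pkt.sender_mac:
            return previous
        return None


if __name__ == "__main__":
    # Constructed exchange: 192.168.3.11 asks who has 192.168.3.13, and .13 answers.
    # The MAC used for .13 is made up for this example.
    request = build_arp(OP_REQUEST, "00:60:83:7c:24:a2", "192.168.3.11",
                        "00:00:00:00:00:00", "192.168.3.13")
    reply = build_arp(OP_REPLY, "02:00:00:00:00:13", "192.168.3.13",
                      "00:60:83:7c:24:a2", "192.168.3.11")
    cache = ArpCache()
    for raw in (request, reply):
        pkt = parse_arp(raw)
        cache.learn(pkt)
        print(pkt)
    print(cache.table)
```

Note that the cache learns from the sender fields of the request as well as the reply, which is the behaviour the text describes (receivers update their binding before processing the packet); the value returned by learn() is what a monitoring host would log when a binding changes.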
EXERCISE 2.4
Viewing the ARP cache in Linux
In this exercise, you will view the ARP cache, then add and delete ARP entries.
1. At the Linux bash (#) prompt, enter: arp
2. View the ARP entries in your ARP cache. If an entry does not exist for System B’s computer, create one by entering the following command at the bash prompt: ping [System B’s IP address]
3. Press Ctrl+C to stop the ping process. View the ARP cache again by entering: arp
An ARP entry should exist for System B in the ARP cache.
4. Note System B’s ARP entry, the IP and hardware addresses.
Note: If you have additional entries in your ARP cache, try to determine what nodes may be represented. For example, are there other computers on your network? If so, to create additional entries, use the ping command to reach other systems on the network besides System B.
5. To delete an ARP entry, use the -d option. At the bash prompt, enter: arp -d [System B's IP address]
6. View the ARP cache by entering: arp
System B’s ARP entry will no longer display the hardware address. The HWaddress column should state (incomplete).
EXERCISE 2.5
Viewing the ARP cache in Windows 2000
In this exercise, you will view the ARP cache, then add and delete ARP entries.
1. Open the Command Prompt window and enter: arp -a
2. View the ARP entries in your ARP cache. If an entry does not exist for System A’s computer, create one by entering the following command at the command prompt: ping [System A's IP address]
3. View the ARP cache again by entering: arp -a
An ARP entry should exist for System A in the ARP cache.
4. Note System A’s ARP entry, the IP and hardware addresses.
Note: If you have additional entries in your ARP cache, try to determine what nodes may be represented. Do you have other computers on your network? To create additional entries, use the ping command to reach other systems on the network besides System A.
5. To delete an ARP entry, use the -d option. At the command prompt, enter: arp -d [System A's IP address]
6. View the ARP cache by entering: arp -a
System A’s ARP entry should no longer exist.
Reverse Address Resolution Protocol (RARP)
Reverse Address Resolution Protocol (RARP) is used to resolve MAC addresses to IP addresses, the reverse of ARP. The most common use of this is by diskless systems to find their Internet addresses on the network. The diskless system broadcasts a RARP request, which provides its physical hardware address on the network. A RARP server then sends a RARP reply, usually unicast, which specifies the diskless station’s IP address, as shown in Figure 2.6.

FIGURE 2.6 Specifying a diskless station’s IP address: Ethernet address (48-bit) resolved to IP address (32-bit)
Typically, diskless systems rely on RARP during initialization. Support for RARP can be provided in ROM because it is small and simple. At least one RARP server must be on the network for RARP to work.
RARP Description
The RARP header has the same length as the ARP header (28 bytes) and is also encapsulated in the data field portion of the Ethernet frame. It allows a machine to determine not only its own Internet address, but also those of other systems. All machines receive the request, but only the RARP server processes the request and sends a reply. The RARP header is similar to the ARP header. The differences are as follows:
The Ethernet header frame type field for RARP request and reply packets is set to hexadecimal 8035.
The operation field defines RARP message types: 3=RARP request, 4=RARP reply.
Address and Parameter Allocation Overview
For a TCP/IP network administrator, two critical tasks are assigning and managing IP addresses and parameters. Central management of TCP/IP network configurations for hosts—such as IP addresses, subnet masks, and default gateways—can drastically reduce the amount of time and effort spent on network management. With centralized address and parameter allocation, client systems do not require manual TCP/IP configuration. Instead, they get their TCP/IP configuration parameters during initialization, or when they release and renew their TCP/IP network configurations. In this chapter, you will learn about two popular address and parameter allocation protocols: Bootstrap Protocol (BootP) and Dynamic Host Configuration Protocol (DHCP). Both DHCP and BootP allow you to manage IP addresses from a central location. DHCP is an extension of BootP that supports several mechanisms to allocate addresses.
Bootstrap Protocol (BootP)
BootP provides a means for diskless workstations to determine IP addresses and parameters. It is defined in RFC 951. BootP requests and replies are encapsulated in UDP headers that are, in turn, encapsulated in IP headers for delivery. Replies have the same format as requests. BootP is usually used with Trivial File Transfer Protocol (TFTP). BootP was created as an alternative to RARP. It is often used instead of RARP because RARP has two fundamental problems:
Only IP addresses are assigned using RARP.
Routers do not forward RARP requests. RARP servers must reside on all physical network segments where their functionality is needed.
BootP can return information such as IP addresses, subnet masks, default gateway addresses, and name server addresses. It can also traverse routers, provided the router is BootP-enabled (most routers support BootP). The BootP header is illustrated in Appendix E. Like other TCP/IP applications, BootP is a client/server program. The server application runs on the designated BootP server system, and the client is typically in ROM on diskless systems. Most client systems use BootP to discover their IP addresses, then use TFTP to obtain the operating system or X server software.
Dynamic Host Configuration Protocol (DHCP)
DHCP is the most popular protocol designed to assign Internet configuration information dynamically on TCP/IP networks. It is defined in RFC 2131. DHCP is an extension of BootP. DHCP users can interoperate with BootP systems; this interoperability is described in RFCs 1534 and 2132. The differences between DHCP and BootP are as follows:
DHCP offers finite address leases, allowing network addresses to be reused.
DHCP offers additional configuration options. DHCP has a variable vendor-specific data field, called the Options field, which must be 312 bytes or larger. BootP allows only 64 bytes for vendor-specific data. Many applications require a larger area, so DHCP is often the best choice.
Like BootP, DHCP can also traverse routers, providing the router is DHCP enabled (routers support DHCP using a DHCP relay agent).
DHCP Relay Agents
In order for a router to forward DHCP and/or BootP packets, the router must be RFC 1542–compliant. RFC 1542 specifies the clarifications and extensions of BootP, which also apply to DHCP. If a router complies with RFC 1542, the router will forward DHCP and BootP packets. If a router is not RFC 1542–compliant, DHCP and BootP packets will not travel beyond the local network. Therefore, clients that do not reside on the same network as the DHCP server will be unable to receive IP configurations via DHCP or BootP. A DHCP relay agent can solve this problem. One DHCP relay agent can be placed on each network that is behind a router that is not RFC 1542–compliant. When a DHCP client on the network requests an IP address, the request is forwarded to the DHCP relay agent on that network. The DHCP relay agent is configured to forward the request directly to the DHCP server that resides on another network.
How DHCP Works
At boot time, the client system sends a DHCP message, called a discover message. This broadcast message is processed by all nodes on the local segment. It may be forwarded to all DHCP server systems if the routers are BootP enabled, or if a DHCP relay agent exists on the network. This action is known as the initializing state.
Each DHCP server that receives this message responds with an offer message. The offer message contains only an IP address. Each DHCP server reserves the address it offers so that another client cannot be given the same address (however, DHCP servers may have several outstanding offers at any given time). The client system collects all configuration offerings from DHCP servers and enters a selecting state.
The client chooses a configuration on a first-come, first-served basis and sends a request message that identifies the DHCP server for the selected offer. This action is known as the requesting state. Each DHCP server that received the original discover message receives the request message. However, only the selected DHCP server sends a DHCP acknowledgment message. This message contains the address sent earlier to the client, along with additional TCP/IP configuration parameters and a valid lease for the address. The lease also includes the expiration date and time of the DHCP lease. Other DHCP servers return the offered addresses to their free address pools.
The DHCP client receives the acknowledgment and enters a bound state. The client can now complete its startup process and communicate with other nodes on the TCP/IP network. Figure 2.7 illustrates the DHCP process during DHCP client initialization.

FIGURE 2.7 DHCP initialization process: Discover, Offer, Request, Acknowledgment
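The four-message exchange and the client states described above, as an added Python model (this is not code from the book). Two servers answer one broadcast discover, the client takes the first offer it received, both servers see the request, and only the selected server acknowledges while the other returns its reserved address to its free pool. Server names, the address pools, the option values and the client hardware address are constructed for the example; messages are plain dictionaries rather than wire-format packets.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpServer:
    """One DHCP server with a pool of addresses it may lease to clients."""
    name: str
    free_pool: List[str]
    lease_seconds: int = 86400
    options: Dict[str, str] = field(default_factory=dict)
    offers: Dict[int, str] = field(default_factory=dict)              # transaction id -> reserved address
    leases: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # client MAC -> (address, lease)

    def on_discover(self, msg: dict) -> Optional[dict]:
        """Answer a broadcast discover with an offer; the offered address is reserved, not yet leased."""
        if not self.free_pool:
            return None
        address = self.free_pool.pop(0)
        self.offers[msg["xid"]] = address
        return {"type": "OFFER", "xid": msg["xid"], "server": self.name, "yiaddr": address}

    def on_request(self, msg: dict) -> Optional[dict]:
        """Every server that offered sees the request; only the selected one acknowledges."""
        address = self.offers.pop(msg["xid"], None)
        if address is None:
            return None
        if msg["server"] != self.name:
            self.free_pool.append(address)   # not selected: return the address to the free pool
            return None
        self.leases[msg["chaddr"]] = (address, self.lease_seconds)
        return {"type": "ACK", "xid": msg["xid"], "server": self.name, "yiaddr": address,
                "lease": self.lease_seconds, "options": dict(self.options)}


@dataclass
class DhcpClient:
    mac: str
    xid: int                       # transaction id chosen by the client
    state: str = "INIT"
    address: Optional[str] = None
    config: Dict[str, str] = field(default_factory=dict)

    def initialize(self, servers: List[DhcpServer]) -> List[dict]:
        """Walk the initializing, selecting, requesting and bound states; return the messages exchanged."""
        log: List[dict] = []
        self.state = "INITIALIZING"
        discover = {"type": "DISCOVER", "xid": self.xid, "chaddr": self.mac}
        log.append(discover)
        offers: List[dict] = []
        for server in servers:                  # the discover is a broadcast: every server sees it
            offer = server.on_discover(discover)
            if offer is not None:
                offers.append(offer)
                log.append(offer)
        self.state = "SELECTING"
        if not offers:
            return log                           # nothing to choose from; the client stays unconfigured
        chosen = offers[0]                       # first offer received wins
        self.state = "REQUESTING"
        request = {"type": "REQUEST", "xid": self.xid, "chaddr": self.mac,
                   "server": chosen["server"], "yiaddr": chosen["yiaddr"]}
        log.append(request)
        acks: List[dict] = []
        for server in servers:                  # the request is also broadcast to every server
            ack = server.on_request(request)
            if ack is not None:
                acks.append(ack)
                log.append(ack)
        if len(acks) != 1 or acks[0]["xid"] != self.xid:
            raise RuntimeError("expected exactly one acknowledgment, from the selected server")
        self.address = acks[0]["yiaddr"]
        self.config = acks[0]["options"]
        self.state = "BOUND"
        return log


if __name__ == "__main__":
    # Constructed network: two servers, one client (addresses follow the book's 192.168.3.0 examples).
    server_a = DhcpServer("srvA", ["192.168.3.111", "192.168.3.112"], options={"routers": "192.168.3.1"})
    server_b = DhcpServer("srvB", ["192.168.3.120"])
    client = DhcpClient(mac="00:80:5f:ea:c6:10", xid=0x1234)
    for message in client.initialize([server_a, server_b]):
        print(message)
    print(client.state, client.address, client.config, server_b.free_pool)
```

The transaction id is what ties the offer and acknowledgment back to the client's discover; a server that never offered for that id has nothing to acknowledge, and a client that receives more than one acknowledgment for its id is seeing something the protocol description above does not allow, so the model treats that as an error rather than silently taking the first.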
DHCP Implementation
As a part of configuring the DHCP server, administrators need to specify a pool of IP addresses that the server can choose from and lease to the DHCP client. Each implementation will depend entirely on your network’s needs. In the Windows 2000 Server system environment, an administrator can configure DHCP parameters by working with the DHCP snap-in. In Linux, configurations are accomplished using the /etc/dhcpd.conf file. These tools allow you to configure address allocations, leases, and many other options. Two common types of DHCP address allocation are dynamic and manual allocation. Networks often use a combination of the following allocation types:
Dynamic allocation  A temporary IP address is assigned to a client. The address either expires or is released by the client. Therefore, one address can be reused by multiple clients over time.
Manual allocation (client reservation)  An IP address is assigned to a client by the network administrator. DHCP is merely used to transmit that specific assigned address and parameter configuration to the client.
DHCP Header
The DHCP header is very similar to the BootP header. The differences are that the BootP Vendor Extensions field has been renamed the Options field in DHCP. The Options field was enlarged to be at least 312 bytes and have a variable length. This enlargement allows many more configuration options. Also, the unused BootP field became the DHCP Flags field. Figure 2.8 illustrates the DHCP header.

FIGURE 2.8 DHCP header format
  Operation (8 bits) | Hardware Type (8 bits) | Hardware Length (8 bits) | Hops (8 bits)
  Transaction ID (32 bits)
  Seconds (16 bits) | Flags (16 bits)
  Client IP Address (32 bits)
  Your IP Address (32 bits)
  Server IP Address (32 bits)
  Gateway IP Address (32 bits)
  Client Hardware Address (16 bytes)
  Server Host Name (64 bytes)
  Boot Filename (128 bytes)
  Options (variable)

Following is a description of the DHCP header fields.
Operation (eight bits)  Specifies whether the message is a BootP request (1) or a reply (2). DHCP continues to use the BOOTREQUEST and BOOTREPLY message types.
Hardware Type (eight bits)  The type of network hardware interface. This field is set to 1 for 10MB Ethernet.
Hardware Length (eight bits)  Length of the hardware address. The length is six for 10MB Ethernet.
Hops (eight bits)  Initially set to zero by the client. Relay agents use this field if they forward the message.
Transaction ID (32 bits)  A random number set by the client. It is used by the client to match a request message with a reply.
Seconds (16 bits)  Clocked by the client as it starts the address acquisition process. It may be used by a secondary DHCP server to respond after a certain amount of time, which may indicate the primary DHCP server is not responding.
Flags (16 bits)  Allows clients that cannot accept unicast DHCP messages before TCP/IP is configured to accept them.
Client IP Address (32 bits)  If the client system knows its IP address, it enters it in this field. Otherwise this field is set to zero.
Your IP Address (32 bits)  Set by the server; specifies the client system’s IP address.
Server IP Address (32 bits)  IP address of the DHCP server.
Gateway IP Address (32 bits)  IP address of a relay agent. Used when initializing through a relay agent.
Client Hardware Address (16 bytes)  The client’s hardware address; for example, the 48-bit Ethernet address of the system sending the DHCP request message.
Server Host Name (64 bytes)  Host name of the DHCP server.
Boot Filename (128 bytes)  Path name of the file from which the client system needs to boot.
Options (variable length)  Contains vendor-specific options for DHCP.
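An added Python example (not code from the book) that serializes and parses the header laid out above, including the Options field. It assumes the RFC 2132 conventions that the Options field begins with the four-byte magic cookie 99.130.83.99 and that option 53 carries the DHCP message type; option codes 1 (subnet mask), 3 (routers) and 51 (lease time) are likewise from RFC 2132. The parser refuses a packet whose fixed part is short, whose hardware length exceeds the 16-byte field, or whose option length runs past the end of the data, since each of those is a malformed packet a server or relay should drop rather than act on. The transaction ID and hardware address are constructed sample values; the addresses in the acknowledgment come from the sample dhcpd.conf in Exercise 2.6.

```python
import struct
from typing import Dict, List, Tuple

BOOTREQUEST = 1
BOOTREPLY = 2
HTYPE_ETHERNET = 1
FLAG_BROADCAST = 0x8000                  # client cannot accept unicast replies before it is configured
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2132: marks the start of the DHCP Options field

# Fixed part of the header, 236 bytes, then the cookie, then variable-length options:
# op(8) htype(8) hlen(8) hops(8) xid(32) secs(16) flags(16) ciaddr yiaddr siaddr giaddr
# chaddr(16 bytes) sname(64 bytes) file(128 bytes)
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)

# RFC 2132 option codes used in this example
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTERS = 3
OPT_LEASE_TIME = 51
OPT_MESSAGE_TYPE = 53   # 1=DISCOVER 2=OFFER 3=REQUEST 5=ACK
OPT_END = 255


def ip_bytes(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dhcp(op: int, xid: int, mac: str, options: List[Tuple[int, bytes]],
               yiaddr: str = "0.0.0.0", siaddr: str = "0.0.0.0", flags: int = 0) -> bytes:
    """Serialize a DHCP message over Ethernet: fixed header, magic cookie, options, END."""
    chaddr = bytes(int(p, 16) for p in mac.split(":")).ljust(16, b"\x00")
    fixed = struct.pack(HEADER_FMT, op, HTYPE_ETHERNET, 6, 0, xid, 0, flags,
                        ip_bytes("0.0.0.0"), ip_bytes(yiaddr), ip_bytes(siaddr), ip_bytes("0.0.0.0"),
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Walk code/length/value triples; PAD has no length, END terminates the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError(f"option {code} has no length byte")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes but only {len(value)} remain")
        opts[code] = value
        i += 2 + length
    raise ValueError("options not terminated by END")


def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed header and options; raise ValueError on a malformed message."""
    if len(data) < HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("packet shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if hlen > 16:
        raise ValueError("hardware address length exceeds the 16-byte chaddr field")
    if data[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
            "flags": flags, "ciaddr": ip_str(ciaddr), "yiaddr": ip_str(yiaddr),
            "siaddr": ip_str(siaddr), "giaddr": ip_str(giaddr),
            "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
            "sname": sname.rstrip(b"\x00").decode(errors="replace"),
            "file": bootfile.rstrip(b"\x00").decode(errors="replace"),
            "options": parse_options(data[HEADER_LEN + 4:])}


if __name__ == "__main__":
    # Constructed discover from a client with a made-up transaction id and hardware address.
    discover = build_dhcp(BOOTREQUEST, 0x3903F326, "00:80:5f:ea:c6:10",
                          [(OPT_MESSAGE_TYPE, b"\x01")], flags=FLAG_BROADCAST)
    print(parse_dhcp(discover))
```

A BootP reply carries the same 236-byte fixed part but no cookie, which is why parse_dhcp() checks for the cookie before it reads options: the Options field is where the lease time and the other DHCP-only parameters live, and reading a BootP vendor area as if it were DHCP options would produce garbage values.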
EXERCISE 2.6
Configuring a DHCP server with Linux
In this exercise, you will install the DHCP server for Linux on System A. The dhcpd (DHCP daemon) is designed to answer requests from DHCP and BootP clients. However, BootP clients will retain their TCP/IP configurations indefinitely because “leases” do not exist in BootP.
Note: The DHCP server must have a static IP address.
Note: For the exercises in this chapter to function efficiently, remove all existing DHCP servers that your network may be using. Either disconnect your network from the existing DHCP server, or stop (or disable) the DHCP server.
1. Log on to System A as root.
2. Ensure that the DHCP RPMs are installed on your system. To determine whether they are installed, enter:
Host#: rpm -qa | grep dhcp
3. If they’re not installed, locate the RPMs on the Red Hat Linux CD or on the supplemental CD, and enter the following (RPM versions will vary depending on the version of Red Hat Linux installed):
rpm -i dhcp-2.0-12.i386.rpm dhcpcd-1.3.18pl8-6.i386.rpm
4. DHCP is configured in the /etc/dhcpd.conf file, which you need to create. Whenever you make changes to this file, you must restart dhcpd. To create the file, enter:
Host#: touch /etc/dhcpd.conf
5. DHCP keeps a list of assigned leases in the dhcpd.leases file, which you also need to create. This file enables dhcpd to track leases through system restarts and server reboots because the file’s contents are flushed to disk when a lease is assigned. The empty dhcpd.leases file must exist before the service can start. To create the file, enter:
Host#: touch /var/lib/dhcp/dhcpd.leases
6. To configure DHCP, open the dhcpd.conf file you created. For example, enter:
Host#: vi /etc/dhcpd.conf
7. Enter the network address and the subnet mask of the network that the DHCP server will be allocating. This entry is called a declaration. Enter:
subnet [your network address] netmask 255.255.255.0
8. Enter the range of IP addresses that System A’s DHCP server will allocate. This entry is also called a declaration. For this exercise, your range will consist of only System B’s IP address with 100 added, and System A’s IP address with 100 added. For example, if System B’s IP address is 192.168.3.11 and yours is 192.168.3.13, enter range 192.168.3.111 192.168.3.113. The range should consist of lower to higher addresses. Enter:
subnet [System A’s network address] netmask 255.255.255.0 {
  range [System B's adjusted IP address] [System A’s adjusted IP address];
9. Enter the default and maximum lease time, in seconds, for the leases allocated by this DHCP server. Common values are 86400 (24 hours), 604800 (one week), and 2592000 (30 days). For example, enter:
subnet [System A’s IP address] netmask 255.255.255.0 {
  range [System B's adjusted IP address] [System A’s adjusted IP address];
  default-lease-time 86400;
  max-lease-time 604800;
10. You can enter parameters to be allocated to your DHCP client. In this exercise, you will allocate a subnet mask and default gateway to the client. You can also add domain name servers using the option domain-name-servers parameter. To learn about additional parameters, access the dhcpd.conf manual. To allocate a subnet mask and default gateway, enter:
subnet [System A’s IP address] netmask 255.255.255.0 {
  range [System B's adjusted IP address] [System A’s adjusted IP address];
  default-lease-time 86400;
  max-lease-time 604800;
  option subnet-mask 255.255.255.0;
  option routers [default gateway];
}
11. Save the file. The following is a sample file:
subnet 192.168.3.0 netmask 255.255.255.0 {
  range 192.168.3.111 192.168.3.113;
  default-lease-time 86400;
  max-lease-time 604800;
  option subnet-mask 255.255.255.0;
  option routers 192.168.3.1;
}
12. Start the DHCP server by entering:
Host#: /etc/rc.d/init.d/dhcpd start
13. Verify that the server is working by entering:
Host#: /etc/rc.d/init.d/dhcpd status
14. View the dhcpd.leases file on the DHCP server to determine whether the DHCP server allocated a DHCP lease to a client. Enter:
Host#: vi /var/lib/dhcp/dhcpd.leases
15. If your DHCP server allocated a lease, it will be listed in the file.
16. Quit the dhcpd.leases file.
EXERCISE 2.7
Creating a DHCP reservation with Linux
In this exercise, you will create a DHCP reservation on the DHCP server (System A) for System B, the client.
1. To create a reservation, you will add information to the dhcpd.conf file. The reservation will not be part of the range you specified in the previous exercise. Instead, it will be the next available IP address after your range (you can reserve an IP address in the range if you prefer). For example, if your range is range 192.168.3.111 192.168.3.113, the reserved address will be 192.168.3.114. Add the following to the dhcpd.conf file (note that you must remove the last curly bracket from your previous entry):
  host [System B's host name] {
    hardware Ethernet [System B's hardware address];
    fixed-address [an IP address outside your range];
  }
}
2. Save the file. The following is a sample file. Remember to use colons in the hardware address:
subnet 192.168.3.0 netmask 255.255.255.0 {
  range 192.168.3.111 192.168.3.113;
  default-lease-time 86400;
  max-lease-time 604800;
  option subnet-mask 255.255.255.0;
  option routers 192.168.3.1;
  host student11 {
    hardware Ethernet 00:80:5F:EA:C6:10;
    fixed-address 192.168.3.114;
  }
}
3. Restart the DHCP server by entering:
Host#: /etc/rc.d/init.d/dhcpd restart
4. Verify that the server is working by entering:
Host#: /etc/rc.d/init.d/dhcpd status
5. Renew System B’s DHCP client configuration by issuing ipconfig /renew at the Windows command prompt. It should be configured with the reserved IP address specified in the dhcpd.conf file.
6. View the dhcpd.leases file to determine whether the DHCP server allocated the DHCP reservation to the client. Enter:
Host#: vi /var/lib/dhcp/dhcpd.leases
7. Note that reservations do not appear in the dhcpd.leases file. Only addresses allocated from the range appear in the dhcpd.leases file, even if the reserved address exists in the range. You must track your reservations separately.
8. Quit the dhcpd.leases file.
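An added Python example (not code from the book) that generates the dhcpd.conf built up in Exercises 2.6 and 2.7 from the subnet, range, lease times, default gateway and reservations, and applies the checks those exercises state before writing anything: the range runs from the lower to the higher address, the range, gateway and every fixed-address lie inside the declared subnet, and the hardware address is written with colons (the Windows form without separators and the hyphenated form from arp -a are accepted and converted). The hardware keyword is emitted in lowercase as the dhcpd.conf manual spells it; the function names and the final helper, which lists reservations that fall inside the dynamic range and so will never show up in dhcpd.leases, are the example's own.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")
Reservation = Tuple[str, str, str]   # (host name, hardware address, fixed address)


def normalize_mac(mac: str) -> str:
    """Accept 00-80-5F-EA-C6-10, 00805FEAC610 or 00:80:5F:EA:C6:10; return the colon form dhcpd expects."""
    digits = re.sub(r"[-:.]", "", mac)
    if not HEX12.match(digits):
        raise ValueError(f"hardware address {mac!r} must be 12 hexadecimal digits")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_dhcpd_conf(network: str, range_start: str, range_end: str, routers: str,
                      default_lease: int = 86400, max_lease: int = 604800,
                      reservations: Iterable[Reservation] = ()) -> str:
    """Return the text of a subnet declaration with its range, lease times, options and host entries."""
    net = ipaddress.ip_network(network, strict=True)
    low, high = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    if low > high:
        raise ValueError("range must run from the lower to the higher address")
    if low not in net or high not in net:
        raise ValueError("range lies outside the declared subnet")
    if ipaddress.ip_address(routers) not in net:
        raise ValueError("default gateway is not on the declared subnet")
    if default_lease > max_lease:
        raise ValueError("default-lease-time cannot exceed max-lease-time")
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  range {low} {high};",
        f"  default-lease-time {default_lease};",
        f"  max-lease-time {max_lease};",
        f"  option subnet-mask {net.netmask};",
        f"  option routers {routers};",
    ]
    for host, mac, ip in reservations:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"reserved address {ip} for {host} is not on the declared subnet")
        lines += [f"  host {host} {{",
                  f"    hardware ethernet {normalize_mac(mac)};",
                  f"    fixed-address {addr};",
                  "  }"]
    lines.append("}")
    return "\n".join(lines) + "\n"


def reservations_in_range(range_start: str, range_end: str,
                          reservations: Iterable[Reservation]) -> List[str]:
    """Host names whose fixed address sits inside the dynamic range (these never appear in dhcpd.leases)."""
    low, high = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    return [host for host, _mac, ip in reservations if low <= ipaddress.ip_address(ip) <= high]


if __name__ == "__main__":
    # Values from the sample file in Exercise 2.7; the hyphenated MAC shows the conversion.
    hosts = [("student11", "00-80-5F-EA-C6-10", "192.168.3.114")]
    print(render_dhcpd_conf("192.168.3.0/24", "192.168.3.111", "192.168.3.113", "192.168.3.1",
                            reservations=hosts))
    print("reservations hidden from dhcpd.leases:",
          reservations_in_range("192.168.3.111", "192.168.3.113", hosts))
```

The generated text is meant to be written to /etc/dhcpd.conf and followed by the dhcpd restart from step 3; the checks are the ones a misconfigured file would otherwise only surface when the daemon refuses to start or when a client receives an address on the wrong network.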
EXERCISE 2.8
Installing the DHCP service on Windows 2000
In this exercise, you will install the DHCP server for Windows 2000 on System B.
Note: You will need to turn off the DHCP server on System A, and change the configuration for System A to DHCP instead of static.
1. To add the DHCP service, select Start > Settings > Control Panel > Add/Remove Programs. Click Add/Remove Windows Components from the left-hand menu. The Windows Components Wizard opens.
2. Scroll down and highlight Networking Services and click the Details button. Select the Dynamic Host Configuration Protocol (DHCP) Server and select OK.
3. Click the Next button. The DHCP service installs. When the Wizard is complete, click Finish. Select the Close button to exit the Add/Remove Programs window. No restart is required. Your computer is a DHCP server.
EXERCISE 2.9
Configuring the DHCP server on Windows 2000
In this exercise, System A—the DHCP server in Exercise 2.6—becomes the DHCP client, while System B—formerly the client system—becomes the DHCP server and distributes IP addresses.
1. Select the Start menu, then choose Programs > Administrative Tools > DHCP.
2. By default, your system is identified as a DHCP server. Your host name and IP address will appear in the DHCP window. If the service is not running, select your host name in the left pane. The Status in the right-hand pane should change to Running.
Note: The DHCP server must have a static IP address.
3. Next, you must create a scope, or range, of IP addresses that the DHCP server will allocate. Right-click your host name and select New Scope. You can also select the Action menu and select New Scope. The New Scope Wizard will appear. Select Next.
4. In the Scope Name window, provide a name and description for your scope. For instance, enter your system’s name, Student13 Scope, with a description (optional).
5. In the IP Address Range window, you will determine the scope of IP addresses that the DHCP server will allocate to systems. Use System A’s current IP address for the start address and the IP address that is one higher for the end address. For example, if System A’s IP address is 192.168.3.11, your IP address range will be:
Start Address: 192.168.3.11
End Address: 192.168.3.12
Enter the start address and end address in the proper fields. Then enter the subnet mask of your network, which is 255.255.255.0. Your screen should appear similar to the example below (the IP addresses will vary).
6. Select Next.
7. In the Add Exclusions window, you can add any range of addresses to exclude from the range you defined in the previous window. For this exercise, leave the fields blank. You need not exclude any addresses. Select Next.
8. In the Lease Duration window, notice the default lease of eight days. This duration can be set depending on your network needs. For this exercise, use the default lease. Select Next.
9. The Configure DHCP Options window will appear. You will configure additional DHCP options, such as a default gateway, later in this chapter. Select No, I Will Configure These Options Later. Click Next.
10. To complete the New Scope Wizard, select Finish.
11. To activate the new scope, right-click Scope in the left pane and select Activate. You can also highlight the scope, select the Action menu, and choose Activate.
12. The DHCP window will display the new scope you created.
13. To create a reservation, expand the Scope folder in the left pane. Right-click Reservations and choose New Reservation. The New Reservation window will appear. Fill in the fields listed in Table 2.2. Your screen will appear similar to the example below (the data will vary).
14. Select Add and Close. You might receive a dialog box stating that the reservation may not be correct. If so, make sure System A’s hardware address is correct. Leave the DHCP window open.

TABLE 2.2 Reserving a DHCP Client
Field             Data Description
Reservation Name  Enter the name of System A. This entry is used for your information only. For example, enter SystemA.
IP Address        Enter the IP address you want to reserve for System A. In this case, enter an IP address from the scope you created.
                  Note: Select an IP address other than System A’s current static IP address. This will help you confirm that the DHCP client actually received an IP address from the DHCP server. For example, if System A’s IP address is 192.168.3.11, then enter 192.168.3.12, which is the “End Address” of your scope (see step 5 of Exercise 2.8).
MAC Address       Enter System A’s hardware address. Do not use hyphens or colons. For example, enter 00805EAC652.
                  Note: Hyphens are not allowed in the MAC address field.
Description       Enter additional information about System A. For example, enter Reserved IP Address for System A.
In the next exercise, you will configure System B as a DHCP client.
EXERCISE 2.10
Configuring a DHCP client on Windows 2000
In this exercise, you will configure a DHCP client to accept an IP configuration automatically.
Note: Complete this exercise on the computer that does not have the DHCP server installed.
1. To become a DHCP client, right-click the My Network Places icon on the Desktop and select Properties. The Network And Dial-up Connections window will open. Right-click the Local Area Connection icon and select Properties. Highlight the Internet Protocol (TCP/IP) component and choose the Properties button. The Internet Protocol (TCP/IP) Properties window will appear.
2. Notice that your computer has a static IP address. You have at least a manually configured IP address, subnet mask, and default gateway, as shown below.
3. Note your IP address, subnet mask, and default gateway. You will need this information to reconfigure your machine later.
4. To become a DHCP client and obtain your TCP/IP network configurations dynamically, select the Obtain An IP Address Automatically and the Obtain DNS Server Address Automatically radio buttons. The Obtain DNS Server Address Automatically radio button will appear after you select the Obtain An IP Address Automatically radio button. Select OK.
5. To exit the Internet Protocol (TCP/IP) Properties window, select OK twice.
6. To view your new TCP/IP network configurations, open the Command Prompt window and enter: ipconfig /all
You should obtain an IP address from the DHCP server’s scope. Note that you do not have a default gateway. The DHCP server was not configured to allocate a default gateway. Your screen will resemble the one below (the IP address will vary).
Notice that the DHCP server address is System A’s IP address, because System A is the DHCP server and System B is the DHCP client.
7. To release the TCP/IP network configuration, enter the following at the command prompt: ipconfig /release
The TCP/IP network configuration will be released. What is your TCP/IP network configuration now? To find out, enter: ipconfig /all
You will receive data similar to the response shown below.
8. Your computer no longer has a valid IP address. It is using the special-case source address (0.0.0.0). Notice that your subnet mask is also set to 0.0.0.0. Also note that the DHCP server address is no longer System A’s IP address. Instead, it is a broadcast address. The broadcast address is used to obtain the DHCP client network configuration upon initialization and renewal (after a release). To receive new TCP/IP network configurations, enter: ipconfig /renew
The valid configuration will automatically appear. In the next exercise, you will configure System B’s DHCP server to allocate additional TCP/IP network configuration data: the default gateway. Leave the Command Prompt window open.
EXERCISE 2.11
Configuring a DHCP server to allocate a default gateway on Windows 2000
In this exercise, you will configure your DHCP server to allocate a default gateway to the DHCP client.
1. Open the DHCP snap-in (select Start > Programs > Administrative Tools > DHCP). To add additional configuration parameters for your DHCP clients, right-click Server Options in the left pane and select Configure Options. The Server Options window will open. This window will allow you to select options for the scope you created in Exercise 2.8, such as adding a default gateway or DNS servers to the configuration data.
2. To add a default gateway, select the 003 Router check box.
3. To select the IP address for the default gateway, enter the IP address of your network’s default gateway in the Data Entry IP address section. For example, if your network is 192.168.3.0, enter 192.168.3.1. Select the Add button. Your screen will resemble the example below.
4. Select OK. The Router IP address will appear in the DHCP snap-in. Close the DHCP snap-in.
Whether the DHCP client or server is running on Linux, Windows, or another operating system, the server can be configured to send additional parameters, such as gateway address or DNS servers. DHCP clients can receive and use that information, regardless of whether or not the client OS is the same as the DHCP server OS.
EXERCISE 2.12
Removing the DHCP server using Windows 2000
In this exercise, you will remove the DHCP server. You need not reconfigure the computer to its original static IP address because it never changed. A DHCP server must always have a static IP address.
1. To remove the DHCP server service, select Start > Settings > Control Panel > Add/Remove Programs. Click Add/Remove Windows Components from the left-hand menu. The Windows Components Wizard will open.
2. Scroll down and highlight Networking Services and then click the Details button. Deselect the Dynamic Host Configuration Protocol (DHCP) Server and select OK.
3. Click the Next button. When the Wizard is complete, click Finish. Select the Close button to exit the Add/Remove Programs window. No restart is required. The DHCP service is removed, and your computer is no longer a DHCP server.
Summary
In this chapter, you learned about the Ethernet standard, including an analysis of the Ethernet header and its function. You installed a protocol analyzer and captured packets on a TCP/IP 10BaseT Ethernet network, taking note that every packet needs an Ethernet header because IP addresses have a different address scheme from Ethernet MAC addresses. This chapter covered the basics of IP addressing and reserved addresses, and you noted the importance of IP address allocation, whether public or private ranges.
You have seen the importance of mapping logical to physical addresses, learning that Address Resolution Protocol (ARP) is used to resolve IP addresses to Ethernet MAC addresses. Reverse Address Resolution Protocol (RARP) was also detailed in this chapter, for resolving MAC addresses to IP addresses. You learned that the two protocols used for centrally managing address and parameter allocation for TCP/IP hosts are BootP and DHCP, and that DHCP is an important configuration service to offer on a LAN, but it must be allocated IP addresses for it to dynamically assign them. BootP is an alternative to RARP that allows parameters other than IP addresses to be allocated, and provides the ability to traverse routers. DHCP is an extension to BootP that allows even more parameters to be allocated, as well as giving the ability to offer finite address leases that can be reused when they expire. Finally, in installing, configuring, and experimenting with a DHCP server and client using both Windows 2000 and Linux, you gained hands-on experience with a vital skill, configuring dynamic host IP allocation services. The key elements of this chapter—the concepts of physical and logical addressing at Layer 2 and Layer 3 of the OSI model, and IP addressing, public and private ranges, and netmasks—are concepts that you will internalize as you continue to use them in your career as an internetworking professional.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
Address Resolution Protocol
ARP
Carrier Sense Multiple Access with Collision Detection
CSMA/CD
Ethernet
IEEE 802.2
IEEE 802.3
Institute of Electrical and Electronics Engineers (IEEE)
MAC
Media Access Control
network interface card (NIC)
RARP
Reverse Address Resolution Protocol
Exam Essentials
Be able to identify the Institute of Electrical and Electronics Engineers (IEEE) LAN standards. The IEEE LAN standards include 802.2 and 802.3 frame types for Ethernet LANs.
Be able to identify fields in the Address Resolution Protocol (ARP) header. Fields in the ARP header include: Hardware Type, Protocol Type, Hardware Length, Protocol Length, Operation, Source Hardware Address, Source IP Address, Destination Hardware Address, and Destination IP Address.
Understand IP addressing and the concept of uniqueness. IPv4 addressing assigns a 32-bit number, often noted as a dotted decimal, to a specific Internet host interface. Each IP address is unique, with address blocks assigned by ICANN.
Be able to define IP address classes currently used on the Internet. Class A addresses use eight bits for network and 24 bits for host, the first byte ranging from 1 to 126. Class B addresses use the first 16 bits for network and 16 bits for host, the first byte ranging from 128 to 191. Class C addresses use the first 24 bits for network and eight bits for host, the first byte ranging from 193 to 223. Class D addresses use the entire 32 bits for network, and are for multicast networks, with the first byte ranging from 224 to 239. Class E addresses are reserved for future use, the first byte ranging from 240 to 247.
Be able to determine reserved IP addressing. ICANN has reserved three ranges for private networks. These address ranges are not valid Internet host IP addresses, although they may exist on networks connected to the Internet.
10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255
Know the function of Reverse Address Resolution Protocol (RARP). RARP is a protocol by which a diskless workstation may request an IP address and have it assigned.
Know the function and roles of the BootP server and client. A BootP server provides IP addresses to clients, providing a single IP address for each MAC address. The clients request and receive their IP address as they initialize, reducing client configuration and administration.
Know the function and roles of the DHCP server and client. DHCP servers provide IP addresses to clients for a period of time called a lease. When a lease expires, the IP address may be renewed or a new IP address issued. DHCP may also provide additional information, such as gateway and DNS server. The DHCP client initiates the transaction with a broadcast message called a discover message, to which the server replies.
Be able to compare and contrast RARP, BootP, and DHCP. RARP allowed diskless workstations to automatically obtain an IP address and configuration, but was very limited. BootP allowed administrators to pass extended gateway and DNS server information, but did not provide a mechanism for reallocating IP addresses, once assigned. DHCP extended BootP to provide lease time and further information fields.
Understand the difference between manual and dynamic address allocation. Manual address allocation is performed workstation by workstation, with a single IP address assigned and manually configured at each workstation. Dynamic address allocation is performed by setting all workstations to dynamically request an IP address. A server, typically a DHCP server, is configured to service requests and provide IP addresses, as well as gateway and DNS server information, to each workstation at boot time.
Review Questions
1. Which series of Institute of Electrical and Electronics Engineers (IEEE) standards specifies various LAN technologies?
A. The 207 series
B. The 803 series
C. The 702 series
D. The 802 series
2. What is the purpose of protocol analyzers?
A. They are used to resolve hardware addresses to software addresses.
B. They are used to analyze data sent across a network.
C. They are used to execute TCP/IP commands.
D. They are used to encapsulate ARP messages in an Ethernet frame.
3. What is the name of the data packet once it is encapsulated by the Ethernet header?
A. Destination node
B. Frame
C. ARP packet
D. Ethernet address
4. How long is the ARP header?
A. 28 bytes
B. 32 bytes
C. 16 bytes
D. 56 bytes
5. Which of the following fields belongs to the ARP header?
A. Cyclic redundancy check
B. ARP reply
C. Destination Hardware Address
D. ARP request
6. Which of the following accurately describes ARP?
A. ARP resolves OSI/RM Layer 1 addresses to OSI/RM Layer 2 addresses.
B. ARP resolves Internet architecture model Layer 2 addresses to OSI/RM Layer 4 addresses.
C. ARP resolves OSI/RM Layer 3 addresses to OSI/RM Layer 2 addresses.
D. ARP resolves Internet architecture model Layer 4 addresses to Internet architecture model Layer 3 addresses.
7. How is the RARP header similar to the ARP header?
A. RARP and ARP headers have the same length.
B. Both RARP and ARP headers allow a machine to determine its Internet address.
C. The Ethernet header frame type field for both RARP and ARP packets is set to hexadecimal 0806.
D. The operation field defines both ARP and RARP types as follows: 1=ARP and RARP request; 4=ARP and RARP reply.
8. In order for a router to forward DHCP packets, the router must be:
A. RFC 915–compliant
B. RFC 951–compliant
C. RFC 1105–compliant
D. RFC 1542–compliant
9. Which of the following statements accurately characterizes BootP?
A. BootP was created as an alternative to RARP.
B. BootP is never used with TFTP.
C. BootP replies are formatted differently than BootP requests.
D. Very few routers support BootP.
10. What is the name of a DHCP message sent by a client system at boot time?
A. A request message
B. An acknowledgment message
C. An initializing message
D. A discover message
11. Which of the following fields is a part of the DHCP header and contains the address of the DHCP relay agent?
A. Server Hardware Address
B. Server IP Address
C. Gateway IP Address
D. Gateway Hardware Address
12. Which of the following characteristics accurately describes dynamic address allocation in DHCP?
A. A permanent IP address is assigned to a client.
B. One address can be reused by multiple clients over time.
C. An IP address is assigned to a client by the network administrator.
D. The allocated address never expires.
13. Which of the following characteristics accurately describes the Operation field of the DHCP header?
A. The Operation field specifies the type of network hardware interface.
B. The Operation field specifies the client’s hardware address.
C. The Operation field specifies whether the message is a request or a reply.
D. The Operation field specifies the host name of the server’s IP address.
14. Which of the following is an example of a dotted quad notation?
A. www.passivE.energy.org
B. 1F:07:74:AC
C. 206.196.96.4
D. ftp://kernel.org:21
15. What is the network portion of the IP address 150.199.1.11?
A. 11
B. 150
C. 150.199
D. 150.199.1
16. What is the network portion of the IP address 209.163.190.74?
A. 74
B. 190.74
C. 209.163
D. 209.163.190
17. What is the host portion of the IP address 101.121.54.69?
A. 69
B. 54.69
C. 101.121
D. 121.54.69
18. The first two bits of a Class B IP address are always:
A. 10.
B. 01.
C. 00.
D. 11.
19. Which of the following does not describe a broadcast address?
A. The binary host or network portion is all zeros.
B. The address is not a valid source address.
C. Broadcast addresses are used to send to multiple hosts.
D. The decimal value is usually 255.
20. Why cache ARP replies?
A. In order to dynamically reassign IP addresses
B. So that the results may be passed to ARP servers
C. To improve disk performance
D. Because caching reduces broadcast network traffic
Answers to Review Questions
1. D. The 802 series of IEEE standards defines various LAN technologies, including 802.3 and 802.2 Ethernet frame types and 802.11 wireless networking.
2. B. Protocol analyzers capture raw data sent across the network and perform packet analysis.
3. B. The Ethernet header creates the frame for datagram transmission on Ethernet.
4. A. Seven 32-bit words make up the 28-byte ARP header.
5. C. The destination hardware address must be in the ARP header.
6. C. ARP resolves an IP address to a MAC address. IP is OSI/RM Layer 3, and MAC is OSI/RM Layer 2.
7. A. The frame types and operation fields differ from ARP to RARP, while header length remains the same. B is obviously incorrect since ARP and RARP do not perform the same function, but rather complementary functions.
8. D. RFC 1542 specifies the extensions of BootP, which apply to DHCP and are necessary for DHCP requests to be forwarded.
9. A. BootP was created as an alternative to RARP, with more functionality.
10. D. A DHCP client sends a discover message that is broadcast to the local network.
11. C. The Gateway IP Address field contains the address of the relay agent.
12. B. One key concept behind DHCP is that the assignment is dynamic, and can change over time. This makes for more efficient use of IP address space, because permanent allocations are not needed, and one IP address may be used by several clients, although not simultaneously.
13. C. DHCP requests and replies are very similar. The Operation field defines which type the packet represents.
14. C. A dotted quad is an IP address, expressed as four octets separated by decimal points.
15. C. The address given is a Class B address, with a possible 65,534 hosts, specified by the last two octets. The network portion is the first two octets.
16. D. The IP address given is a Class C address, therefore the host portion is 74 and the network portion is 209.163.190.
17. D. The last three octets are the host portion of a Class A address.
18. A. Class B IP addresses always begin with a binary 10, the first byte ranging from 128 to 191.
19. A. The binary host/network portion is all ones in a broadcast address.
20. D. Broadcast messages are inefficient, requiring each node to receive the packet, but they are the only way to resolve Ethernet addresses from IP addresses. Caching ARP results allows hosts to avoid using ARP repeatedly.
Chapter 3
Subnetting and Routing
CIW EXAM OBJECTIVE AREAS COVERED IN THIS CHAPTER:
Identify and define Internet Protocol version 4 (IPv4) addressing concepts, including subnet addressing.
Define the processes of routing, including but not limited to: direct versus indirect routing, static versus dynamic routing, interior versus exterior protocols and gateways.
Many networks, large and small, make up the Internet, and not all networks, small or large, have the same organization. Most networks are divided into subnetworks that make up one network. Subnetworks are a useful way to organize hosts within a network into logical groups. Thus, one network can be divided into several “sub” networks. Many companies have a different subnetwork for each department in their organization.
Subnetting and routing go hand in hand.
Subnetworks are also useful when network standards limit your network’s ability to grow. For instance, a 10BaseT Ethernet network allows a segment length of only 100 meters, or 328 feet. To extend the network, you can create several subnetworks from the existing network address and connect each subnetwork’s nodes to a router. Then configure the router to forward packets between the subnetworks. A well-designed set of subnetworks may also make more efficient use of network bandwidth, reducing congestion or utilization level, and resulting in fewer collisions and better network performance.
The only way to identify the network, subnetwork, and host portions of an IP address is to introduce a second element, called the subnet mask. The subnet mask is a mandatory element of TCP/IP. It is always configured with an IP address; they work as a pair on a system. A system’s IP address and subnet mask are the minimum requirement for TCP/IP configuration.
Subnet routing allows numerous subnetworks to exist within a network. The host bits are divided into two groups: subnetwork and host. For example, subnetting would borrow from the lower-order 16 bits (the host bits) for a Class B network and the lower-order eight bits for a Class C network. A subnetwork address consists of the following three portions:
network portion | subnetwork portion | host portion
In this chapter, you will learn more about subnets and subnet masks. You will also learn how routing fits into IP’s functions. Finally, we will cover advanced routing protocols. You’ll discover that the tasks detailed in this chapter require more arithmetic and calculation than those in other chapters. You may find these exercises challenging or tedious as you see them for the first time, but you will need to learn and internalize the concepts of subnet masks and routing in your future as an Internetworking Professional. These formulas for finding subnets are fundamental to internetworking. Jumping into this material headfirst and completing these tasks thoroughly will really help establish your confidence and leadership in a real-world administration role. As pointed out earlier, most real-world networking scenarios involve heterogeneous platforms. Some exercises in this chapter are designed to give you experience working with both Windows and Linux platforms. Many of the exercise steps need to be performed on Linux, designated as System A, or performed on Windows, designated System B. For many exercises, a single system booting both operating systems is sufficient, while for certain steps it is useful to have both Linux and Windows systems connected at the same time. Throughout, System A will refer to a Linux system and System B will refer to a Windows system.
Subnet Masks
A subnet mask, also called a net mask, is a 32-bit number (similar to an IP address) with a one-to-one correspondence between each of the 32 bits in the Internet address. Subnet masks serve two main purposes. First, subnet masks distinguish the network and host portions of an IP address. Because the system does not know which bits in the host field are to be interpreted as the subnetwork part of the Internet address, the system refers to the subnet mask for this information. Second, the subnet mask tells the system which bits of the Internet address should be interpreted as the network, subnetwork, and host address. The simplest type of subnet mask is the default subnet mask. By default, each eight-bit field is turned on (255—all binary ones) or off (0—all binary zeros), depending on the address class (A, B, or C).
The following list identifies the default subnet masks for Class A, B, and C addresses. Class D and E addresses do not have hosts, and therefore do not require subnet masks.
Class A (default)    255.0.0.0
Class B (default)    255.255.0.0
Class C (default)    255.255.255.0
Subnet masks specify whether a destination address is local or remote. Note that the subnet mask is used to “mask” the network address, so only the host address remains. In routing, this is extremely important. It allows a computer to determine whether a destination address is intended for a computer on the same (local) or a different (remote) network. If the destination address is on the same network, the information can be transmitted locally. If the destination address is on a different network, the information must be sent to a router, which can locate the remote network. Remember that although we represent IP addresses and net masks in decimal form, that is for human convenience—routers and hosts actually use the binary values consisting of ones and zeros. Each binary bit has a value of one or zero, and when a router or host performs a comparison or calculation, it will use Boolean arithmetic, somewhat different from our familiar decimal math.
The subnet mask identifies whether the destination address is local or remote through a process called ANDing. The network portion of an Internet address can be determined by using the Boolean AND operation with the Internet address and the subnet mask. This process is internal to TCP/IP, but understanding its function is important. When the computer is initialized, it uses the ANDing function with its local IP address and local subnet mask. Whenever it sends information to a destination address, it uses the ANDing function again with the destination address and the local subnet mask. If the value matches the initial ANDing function result, it is a local destination. If the value is different, it is a remote address.
The ANDing function compares two bits, and gives a single bit as a result. The result is only “1” if both the IP address bit and the subnet mask bit are “1.” To use the ANDing function, convert your local IP address and subnet mask into binary form. For the following example, your IP address is 131.226.85.1 and your subnet mask is 255.255.0.0. Calculate each corresponding bit using the following rules:
1 and 1 = 1
Any other combination = 0
When your computer initializes, the ANDing process calculates the following result:
Local IP address        10000011 11100010 01010101 00000001
Local subnet mask       11111111 11111111 00000000 00000000
First ANDing result     10000011 11100010 00000000 00000000
By converting the ANDing result to decimal value, the process reveals that the network portion of the address is 131.226. Your computer uses the ANDing result from the initialization process to determine whether all future destination addresses are local or remote. For example, you are sending information to the destination address 131.226.50.4.
Destination IP address  10000011 11100010 00110010 00000100
Local subnet mask       11111111 11111111 00000000 00000000
Second ANDing result    10000011 11100010 00000000 00000000
The network address found is 131.226. Compare the first and second ANDing results. Because they are the same, the data is sent locally, and the router will not be used. If they were different, the data would be sent through a router to the remote network. This understanding of IP address and subnet masks is vital to network design. One of the most important parts of designing a network is properly calculating the custom subnet masks.
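The local-or-remote decision just described, carried out in code as an added example (this is not code from the study guide). It uses the text's own addresses, 131.226.85.1 with mask 255.255.0.0 and destination 131.226.50.4; the second destination, 131.227.50.4, is constructed here to show the remote case.

```python
# Added example (not from the study guide): the ANDing test a host runs to
# decide whether a destination is local or must be handed to a router.
# Local host 131.226.85.1, mask 255.255.0.0 and destination 131.226.50.4 are
# the values used in the text; 131.227.50.4 is a constructed remote address.


def dotted_to_int(addr: str) -> int:
    """Convert dotted-decimal notation to the 32-bit value hosts really use."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Convert a 32-bit value back to dotted decimal for human reading."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary_groups(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, the way the text lays it out."""
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def anding(addr: str, mask: str) -> int:
    """The ANDing function: a result bit is 1 only where both input bits are 1."""
    return dotted_to_int(addr) & dotted_to_int(mask)


def network_portion(addr: str, mask: str) -> str:
    """Network address revealed by ANDing an address with its subnet mask."""
    return int_to_dotted(anding(addr, mask))


def is_local(local_ip: str, local_mask: str, dest_ip: str) -> bool:
    """Compare the initialization-time ANDing result with the destination's.

    Equal results mean the destination is on the same (local) network and the
    router is not used; different results mean a remote network.
    """
    return anding(local_ip, local_mask) == anding(dest_ip, local_mask)


if __name__ == "__main__":
    local_ip, local_mask = "131.226.85.1", "255.255.0.0"
    print("Local IP address   ", binary_groups(dotted_to_int(local_ip)))
    print("Local subnet mask  ", binary_groups(dotted_to_int(local_mask)))
    print("First ANDing result", binary_groups(anding(local_ip, local_mask)))
    for dest in ("131.226.50.4", "131.227.50.4"):
        where = "local" if is_local(local_ip, local_mask, dest) else "remote (via router)"
        print(f"{dest} -> {network_portion(dest, local_mask)}: {where}")
```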
Custom Subnet Masks
As a network administrator, suppose you obtain one network address from the ICANN, but you need several networks in your corporation. You can divide the one network address into several subnets by creating a custom subnet mask. Unlike the default subnet mask, the custom subnet mask borrows bits from the host portion of the IP address. This section will explain the procedure for subnetting a network address into multiple subnets. In the following section, you will learn how to create X number of subnets for a network. Assume that your company has a network address assigned by the ICANN, and you must divide that one network address into several subnetworks. Determining custom subnet masks is a step-by-step process. The first step is to determine the number of subnets required.
Step 1: Determine the Number of Subnets Needed
In order to determine the number of subnets needed, you should consider departmental and organizational needs. Although it is possible that an entire organization could be on a single subnet, for this example we are going to say that you need to create six subnets to separate departments. Suppose the ICANN assigns you the following Class C network address:
210.199.10.0
Because your company has only 100 employees, the Class C address should be adequate (recall that Class C addresses can have up to 254 hosts). The network address uses the first three bytes, and the host addresses are limited to the last byte:
netid.netid.netid.hostid
The custom subnet mask borrows bits from the host portion of the IP address and uses these bits in the creation of subnets. Keep in mind that as you borrow from the host bits, you are going to be using some of the address space to create the subnets, and you will no longer get the entire 254 hosts from your Class C address. To determine the number of host bits to borrow, use Step 2.
Step 2: Determine the Number of Bits to Borrow
To determine the number of bits to borrow from the host portion, you must know the number of subnetworks required for your network. In this example, the number of subnetworks is six. Use the following formula to determine the number of bits required if your network uses a classless routing protocol, such as Open Shortest Path First (OSPF) or Border Gateway Protocol version 4 (BGPv4):
2^n = number of subnetworks required
n = number of bits to borrow from the host address
In this example, the value 3 fits the equation:
2^n ≥ 6
2^3 = 8 ≥ 6
In order to arrive at the value of 3, consider n=2 and n=3. For n=2, the value of 2^2 (i.e., 4) is insufficient for the number of networks that we need. For n=3, the value of 2^3 (i.e., 8) is greater than (and must be greater than or equal to) the desired number of networks, six. Therefore, at least three bits
must be borrowed from the host address. Most routing protocols today are classless, and support the Classless Interdomain Routing (CIDR) protocol, explained in detail later in this chapter. Classless routing protocols supply the prefix-length (subnet mask) with each route. If you implement classful routing protocols on your network, you must subtract 2 in the equation. Classful routing protocols, such as the Routing Information Protocol version 1 (RIPv1), do not supply the subnet mask or prefix-length with each route.
2^n – 2 = number of subnetworks required
n = number of bits to borrow from the host address
Earlier we said that borrowing host bits to create subnets “uses” some of the available address space that is being divided. The –2 in the equation reflects that usage, and is derived from the fact that the first and last subnets cannot be used. The first subnet cannot be used because it contains the address of the network from which the subnets are created. The last subnet cannot be used because it contains the broadcast address for the whole network. Once again, the value 3 fits this equation so at least three bits must be borrowed from the host address, as follows:
2^n – 2 = 6
2^3 – 2 = 6
Subtracting 2 in the formula ensures that both classless and classful routing protocols will function on your networks.
Why? Why did you have to subtract 2 in the equation to support classful routing protocols? To answer this question, you can reference RFC 950, which first defined subnetting. RFC 950 prohibited the use of the all-zeros and all-ones subnet. However, since the introduction of classless routing protocols, subnetting has changed. Nowadays, routers require that routing table updates include both the route and the prefix-length (subnet mask) pair. This inclusion allows the router to distinguish between the route to the entire network and the route to the all-zeros subnet. It also allows the router to distinguish between a broadcast to the entire network and a broadcast to the all-ones subnet.
Because a classful routing protocol does not recognize a prefix-length (subnet mask) when advertising routes, it can become easily confused. For example, the routing entries 210.199.10.0/24 and 210.199.10.0/27 would be identified as the same network address 210.199.10.0. To avoid this problem, the all-zeros and all-ones subnets are removed from networks implementing classful routing protocols. These are the largest portions of the address space that is made unavailable by creating subnets. Also, the first and last addresses of a subnet serve as network and broadcast addresses for that subnet, so they are no longer available for host addresses. To understand how the all-zeros and all-ones subnets are determined, you must look at the binary value of the host portion of the network address 210.199.10.0, which is all zeros:
00000000
We have already determined that because you need six subnetworks, you must borrow three bits from the host portion to use for the network portion. Another way to look at this is to calculate the bit value of how many subnets you need—in this case, six—and to note how many bits are required to specify that number. Examine Figure 3.1 to determine the bit value of six:
00000110
FIGURE 3.1 Octet bit values
Bit Value   128   64   32   16   8   4   2   1
This is really just another method of arriving at the number of bits needed for a specific subnetting scenario, the same number that we arrived at using the formula 2^n – 2 = 6.
Although you calculated the number of bits needed (three) using the lowerorder bits, they are borrowed from the higher-order bits because the network portion is borrowing them.
Three bits are required to determine the value of six. Therefore, you will borrow three bits from the host address for your subnet mask, as determined by the equation. This explains why three bits were chosen, but we must go one step further to understand why 2 was subtracted in the equation.
The maximum number of networks or hosts in an IP address is determined by computing the total number of bit combinations. Three bits allow eight combinations of binary ones and zeros in those three bits, but we will show the entire last octet, focusing on the three bits borrowed for the network portion:
000 00000
001 00000
010 00000
011 00000
100 00000
101 00000
110 00000
111 00000
If you look at the list of combinations, which two cannot be used? Answer: the bit combinations with the binary values 000 and 111, because these subnets can confuse classful and classless routers when they interact. Therefore, two of the possible subnetworks are invalid, and must be subtracted in the equation. Keep in mind that although we’ve shown the entire last octet of the IP address, we’ve left the last five digits all zeros, but these five digits will take on varying values to represent hosts.
Step 3: Determine the Subnet Mask
To determine the subnet mask, you must determine the value of the borrowed bits. Host bits are always borrowed from the highest-order bits (the left side of the byte). Switch the borrowed bits to binary ones:
11100000
Review Figure 3.1 to determine the bit value of the borrowed bits. The three highest-order bit values are:
128 + 64 + 32 + 0 + 0 + 0 + 0 + 0 = 224
The value of the borrowed bits is the value used for the host portion of the subnet mask. Because you are subnetting a Class C address, you will set the network portion of the subnet mask to binary ones (255.255.255), and the host portion to 224. The subnet mask is:
255.255.255.224
Step 4: Determine the Maximum Number of Hosts
To determine the maximum number of hosts per subnet, switch the host portion bits to binary ones. Because the subnet mask is using three bits of the host portion, five bits are left:
00011111
Use the following equation to determine the maximum number of hosts per subnetwork:
2^n – 2 = maximum number of hosts per subnetwork
n = number of host bits
In this example, insert the number 5 for n:
2^5 – 2 = 30
Once again, the number 2 is subtracted in the equation because two of the possible hosts cannot be used: the host with the binary value 11111, and the host with the binary value 00000. The host and network addresses cannot be all binary ones or zeros. The maximum number of hosts per subnetwork is 30. This should work well with the conditions that we have been given, for six subnets and a total of 100 hosts. The six subnetworks of 30 hosts each will support 180 hosts. Unless more than 30 hosts need to be on the same subnet, we are in excellent shape, and have only a few more parameters to calculate.
Step 5: Determine the Subnetwork Addresses
To determine the IP address ranges for each subnet, you must use the lowest-order bit borrowed from the host portion:
128 + 64 + 32 + 0 + 0 + 0 + 0 + 0 = 224
The value is 32. Therefore, the first subnetwork address will be 32. Each additional subnetwork will be a multiple of 32 until the subnet mask value, which is 224, is reached. Note that only six networks can be created until the subnet mask value is reached (the subnet mask value cannot be a network address).
Network address #1: 210.199.10.32
Network address #2: 210.199.10.64
Network address #3: 210.199.10.96
Network address #4: 210.199.10.128
Network address #5: 210.199.10.160
Network address #6: 210.199.10.192
Why? To understand why 32 is used for determining the subnetwork addresses, you must analyze the value of the borrowed subnet bits. In this example, three bits are borrowed. The value of each of the possible combinations of the borrowed subnet bits provides the subnetwork addresses (excluding binary values of all ones and all zeros).
128 + 64 + 32 + 0 + 0 + 0 + 0 + 0 = 224
In binary, the possible combination values equal the valid subnetwork addresses:
000 00000 = 0 (not valid)
001 00000 = 32
010 00000 = 64
011 00000 = 96
100 00000 = 128
101 00000 = 160
110 00000 = 192
111 00000 = 224 (not valid)
Note that these octets match exactly the octets identified at the end of Step 2.
Step 6: Determine the Address Ranges
In Class C subnetworks, the host addresses will range between the subnetwork addresses (because two host addresses cannot be used), as shown in Table 3.1. Note that each range does not use all the available addresses because the network address cannot be the host address; it contains all binary zeros for the host portion. Similarly, the last address in each range is all binary ones, which would be interpreted as a subnet-directed broadcast. The address range represents all of the valid host addresses on the subnetwork. The subnet mask used in each of the subnets is 255.255.255.224.
TABLE 3.1 IP address ranges for subnetworks
Subnet  Subnetwork Address  Address Range                           Broadcast Address
1       210.199.10.32       210.199.10.33 through 210.199.10.62     210.199.10.63
2       210.199.10.64       210.199.10.65 through 210.199.10.94     210.199.10.95
3       210.199.10.96       210.199.10.97 through 210.199.10.126    210.199.10.127
4       210.199.10.128      210.199.10.129 through 210.199.10.158   210.199.10.159
5       210.199.10.160      210.199.10.161 through 210.199.10.190   210.199.10.191
6       210.199.10.192      210.199.10.193 through 210.199.10.222   210.199.10.223
Why? In Step 5, you calculated the borrowed subnet bit values. To determine the address range of each subnetwork, determine the lowest and highest value of the remaining host bits (excluding binary values of all ones and all zeros), as displayed in Table 3.2.
TABLE 3.2 Determining address ranges for each subnetwork
Borrowed Subnet Bits  Host Bits Remaining, Range  Octet Value Range
001                   00001                       001 00001 = 33
                      11110                       001 11110 = 62
010                   00001                       010 00001 = 65
                      11110                       010 11110 = 94
011                   00001                       011 00001 = 97
                      11110                       011 11110 = 126
100                   00001                       100 00001 = 129
                      11110                       100 11110 = 158
101                   00001                       101 00001 = 161
                      11110                       101 11110 = 190
110                   00001                       110 00001 = 193
                      11110                       110 11110 = 222
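The Class C procedure of Steps 2 through 6 as code, added here as an example and not taken from the study guide. It borrows n host bits, derives the mask, the 2^n – 2 host count, the subnet addresses, the usable ranges and the broadcasts, and applies the rule in the text that drops the all-zeros and all-ones subnets (a switch lets classless equipment keep them); the network 210.199.10.0 is the text's own.

```python
# Added example (not from the study guide): the Class C subnetting procedure
# from Steps 2-6 as code. Borrow n host bits, derive the mask, host count,
# subnet addresses, usable ranges and broadcasts, applying the classful rule
# in the text that drops the all-zeros and all-ones subnets.


def octets_to_int(addr):
    """'210.199.10.0' -> 32-bit integer."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_octets(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def bits_to_borrow(required_subnets, max_hosts_per_subnet):
    """Step 2: smallest number of borrowed bits n such that
    2**n - 2 >= required_subnets and 2**(8 - n) - 2 >= max_hosts_per_subnet.
    Returns None when no split of the last octet satisfies both."""
    for n in range(1, 7):
        if 2 ** n - 2 >= required_subnets and 2 ** (8 - n) - 2 >= max_hosts_per_subnet:
            return n
    return None


def class_c_subnet_plan(network, borrowed_bits, exclude_all_zero_and_all_one=True):
    """Steps 3-6 for a Class C network.

    network: the Class C network address, e.g. "210.199.10.0"
    borrowed_bits: host bits borrowed for the subnet field (1..6)
    exclude_all_zero_and_all_one: apply the rule in the text that the all-zeros
        and all-ones subnets are invalid (set False for classless equipment,
        which uses every subnet)
    """
    if not 1 <= borrowed_bits <= 6:
        raise ValueError("a Class C can borrow between 1 and 6 host bits")
    host_bits = 8 - borrowed_bits
    # Step 3: the borrowed bits become ones in the last octet of the mask.
    last_octet_mask = (0xFF << host_bits) & 0xFF        # 224 for three bits
    mask = f"255.255.255.{last_octet_mask}"
    # Step 4: 2^n - 2 hosts, dropping the all-zeros and all-ones host values.
    hosts_per_subnet = 2 ** host_bits - 2
    # Step 5: subnet addresses are multiples of the lowest-order borrowed bit.
    block = 1 << host_bits                                # 32 for three bits
    base = octets_to_int(network) & 0xFFFFFF00
    if exclude_all_zero_and_all_one:
        subnet_values = range(block, last_octet_mask, block)   # 32 .. 192
    else:
        subnet_values = range(0, 256, block)                   # 0 .. 224
    # Step 6: first host, last host and broadcast inside each block.
    subnets = []
    for value in subnet_values:
        net = base + value
        subnets.append({
            "network": int_to_octets(net),
            "first_host": int_to_octets(net + 1),
            "last_host": int_to_octets(net + block - 2),
            "broadcast": int_to_octets(net + block - 1),
        })
    return {
        "mask": mask,
        "hosts_per_subnet": hosts_per_subnet,
        "subnet_count": len(subnets),
        "subnets": subnets,
    }


if __name__ == "__main__":
    # The text's case: six subnets, no more than 30 hosts on any one of them.
    n = bits_to_borrow(6, 30)
    plan = class_c_subnet_plan("210.199.10.0", n)
    print("borrowed bits:", n, "mask:", plan["mask"], "hosts/subnet:", plan["hosts_per_subnet"])
    for i, s in enumerate(plan["subnets"], 1):
        print(i, s["network"], s["first_host"], "through", s["last_host"], s["broadcast"])
```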
EXERCISE 3.1
Developing IP addressing schemes for an intranet using reserved IP addresses In this exercise, plan an intranet addressing scheme with two subnets using the reserved IP network address 172.16.0.0. Each subnet should have five computers. The subnets should be connected with a router (default gateways are optional for this exercise). Draw a diagram of the network, clearly identifying each computer’s IP address and subnet mask.
In addition to reserved IP addresses and subnetting, another way to conserve IP addresses is a technique called Classless Interdomain Routing (CIDR).
Classless Interdomain Routing (CIDR)
CIDR is a way to minimize the number of routing table entries. It is specified in RFCs 1519, 1520, and 1877. CIDR is also referred to as supernetting, as described in RFC 1518. The basic concept in CIDR is to allocate multiple IP addresses so they can be summarized into a smaller number of routing table entries. CIDR consists of the following two basic procedures:
Distributing the allocation of Internet address space to ISPs
Providing a mechanism for the aggregation of routing information through supernetting
Before CIDR was introduced, each Internet address needed its own routing table entry in the Internet backbone’s routing table. To keep the routing table from growing too large as the Internet grew, the Internet Engineering Task Force (IETF) created CIDR. CIDR relies on supernetting to summarize multiple Internet addresses into one routing table entry. This strategy allows entire blocks of Internet address space to be condensed into one routing table entry. Not only does this simplify routing tables, it allows routers to operate more efficiently, handling more routes in the same number of entries in the routing table, or regaining space in their routing table. These blocks of Internet address space were issued to different ISPs. The ISPs were then responsible for allocating Internet addresses to clients. This hierarchical sub-allocation of addresses implies that clients that are allocated addresses from an ISP are, for routing purposes, part of that ISP and will be routed within its infrastructure. Therefore, each ISP and all the address space it allocates to clients can be represented on the Internet backbone’s routing table as one supernetted address. For routers to understand the supernetted address formats, each router must support CIDR. CIDR is meant as an intermediate fix for the eventual depletion of Internet addresses and the unmanageable growth of the routing table. When a router’s hardware (processor and memory) is unable to handle additional routing table entries, network growth is halted, and routers that are handling large amounts of traffic while their routing table is full may drop packets and lose traffic. This fix will continue to be implemented until it is replaced by a long-term solution, such as IPv6, a topic we will discuss later in this text. When you summarize multiple Internet addresses into one routing table entry, you can address a site that has 14 different IP addresses, or address 10 different sites in that one routing table entry. 
For example, if a company needs 2,000 host IDs, the ICANN could save a Class B address and use CIDR to assign eight Class C addresses instead (254 × 8 = 2,032). This method preserves 63,502 unique IP addresses. Furthermore, these eight Class C addresses can be collapsed into one routing entry. This strategy relieves routers of additional workload by reducing routing table entries. Subnetting borrows bits from the host ID and masks them as a network ID. Conversely, CIDR supernetting borrows bits from the network ID and masks them as the host IDs. Suppose a company requests 4,000 hosts. Because that company is unlikely to receive a Class B address, you can determine the number of Class C addresses that will be needed, which is 16 (because 254 × 16 = 4,064).
The ICANN might fulfill the request by giving the company 16 Class C network addresses, such as 208.138.4.1 through 208.138.19.254. What subnet mask will work to supernet these Class C addresses? One way is to determine the value (a power of 2) that will achieve the needed number of hosts. In this case, 2^12 – 2 = 4,094, which will accommodate the requested 4,000 hosts. Therefore, 12 bits are needed for the host ID. We’ve been allocated Class C addresses, which already have eight bits available for the host ID, but we need 12 bits to address all 4,000 hosts with one supernetted set of our Class Cs. We borrow these four bits from the network portion, for a total of 12 bits for the host portion. As these four bits are removed from the third octet of the Class C, consider how the value of the third octet changes. Initially, the net mask for the Class C is 255.255.255.0, so the third octet starts out as all ones, but borrowing the last four bits makes it 11110000. The value of the third octet, leaving four bits remaining for the network ID, is 240 (128 + 64 + 32 + 16 = 240). The subnet mask used to supernet this block of 16 Class C addresses is 255.255.240.0. Instead of distributing the network address as multiple Class C addresses, the ICANN will distribute one network address in CIDR notation (currently, all network addresses are assigned this way):
208.138.4.0/20
In this address, 20 is the number of bits used for the subnet mask, as follows:
255.255.240.0 = 11111111 11111111 11110000 00000000
CIDR notation displays the first network address, followed by the subnet mask bits used. It is important to recognize the relationship between subnetting and routing, and how the design of IP relates to routing. We will now focus on IP’s role in the routing process and the IP header, as well as how to capture and analyze IP packets.
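The supernetting arithmetic above as code, added here as an example that is not part of the study guide: it turns a host-count request into the number of Class C networks, the prefix length and the mask (4,000 hosts gives 16 networks and 255.255.240.0, /20), and adds the alignment check a router operator needs before collapsing a block into one entry. The starting network 208.138.16.0 used in the demonstration is a constructed one.

```python
# Added example (not from the study guide): the CIDR supernetting arithmetic
# from the text, plus the alignment check a practitioner needs before
# summarizing a block of Class C networks into one routing entry.


def octets_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_octets(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def host_bits_for(hosts):
    """Smallest n with 2**n - 2 >= hosts (for 4,000 hosts: 2**12 - 2 = 4,094)."""
    n = 1
    while 2 ** n - 2 < hosts:
        n += 1
    return n


def class_c_request(hosts):
    """How many consecutive Class C networks a request for `hosts` host IDs
    needs, and the supernet prefix length and mask that cover them.
    Returns (class_c_count, prefix_len, mask)."""
    n = max(host_bits_for(hosts), 8)   # a single Class C already has 8 host bits
    class_c_count = 2 ** (n - 8)       # 4 borrowed network bits -> 16 networks
    prefix_len = 32 - n                # /20 for n = 12
    mask = int_to_octets((0xFFFFFFFF << n) & 0xFFFFFFFF)
    return class_c_count, prefix_len, mask


def summarize(first_network, class_c_count):
    """Smallest single prefix covering class_c_count consecutive /24s starting
    at first_network. Returns (cidr, exact). exact is False when the prefix
    is wider than the block, which happens when the block does not start on
    a boundary of its own mask; advertising such a summary would also claim
    address space the organization was never assigned."""
    start = octets_to_int(first_network) & 0xFFFFFF00
    end = start + class_c_count * 256 - 1
    prefix_len, mask = 32, 0xFFFFFFFF
    # Shorten the prefix until start and end share the same network bits.
    while prefix_len > 0 and (start & mask) != (end & mask):
        prefix_len -= 1
        mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    exact = (start & mask) == start and 2 ** (32 - prefix_len) == class_c_count * 256
    return f"{int_to_octets(start & mask)}/{prefix_len}", exact


if __name__ == "__main__":
    count, prefix_len, mask = class_c_request(4000)
    print(f"4,000 hosts -> {count} Class C networks, mask {mask} (/{prefix_len})")
    # Constructed start address on a /20 boundary (third octet 16 = 0001 0000).
    print(summarize("208.138.16.0", count))
    # Third octet 4 = 0000 0100 has a bit inside the borrowed field, so the
    # sixteen networks 4..19 straddle two /20 blocks and need a wider /19.
    print(summarize("208.138.4.0", count))
```

The check matters in practice: a block is summarizable as one /20 only when its first third octet is a multiple of 16, so 208.138.16.0 through 208.138.31.0 collapses exactly, while a block of sixteen networks starting at 208.138.4.0 can only be covered by 208.138.0.0/19, which also claims networks the company does not hold.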
IP and Routing
IP performs the routing function, which determines the path that data will travel across networks. This data is sent in packets, also called datagrams. A packet is self-contained, independent of other packets, and does not require an acknowledgment. It carries sufficient information for routing from the originating host to the destination host. Packets might traverse several networks before reaching their destination host.
Packets are routed transparently, and not necessarily reliably, to the destination host. The Transport or Application layer is responsible for ensuring reliability. Because no explicit connection-establishment phase exists, IP is said to be a connectionless protocol. IP can be summarized as a best-effort service that is:
Connectionless
Not necessarily reliable
Routing can be summarized as:
One of the most important IP functions
The process that determines the path that packets will travel across networks
The current version of IP, version four (IPv4), has a header that consists of 10 fixed header fields, two addresses, and options. The length of an IPv4 packet header is usually 160 bits (20 bytes) unless options are present. Figure 3.2 illustrates an IPv4 packet header. The figure consists of six 32-bit words, which is 24 bytes (options are present). If data does not fill a 32-bit word, bit “padding” is often used to complete it.
FIGURE 3.2 IPv4 packet header (bit positions 0, 16, 31; fields: Ver., Hdr. Lth., Service, Datagram Length, Datagram Identification #, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, Options)
The IP packet header contains several important fields.
Version (four bits) Identifies the IP version, currently version 4.
Header Length (four bits) Specifies the length of the IP packet header. Header length values are expressed in the number of 32-bit words in the header, which is usually five unless options are present.
Service (eight bits) Indicates reliability, precedence, delay, and throughput parameters. Also known as the Type Of Service (TOS) field.
Datagram Length (16 bits) Defines the total packet length, including the header, in bytes. The datagram length does not include the header used at the Network Access layer (e.g., Ethernet header).
Datagram Identification Number (16 bits) Uniquely identifies a packet for fragmentation and assembly purposes. This unique number is copied into each fragment of a particular datagram so it can be assembled.
Flags (three bits) Used for fragmentation and reassembly.
Fragment Offset (13 bits) Indicates where in the packet this fragment belongs.
Time To Live (eight bits) Measured in one-second intervals, with a maximum of 255 seconds. This field is also known as the TTL field. Routers usually remove one second from the TTL field for each second that they retain a packet before passing it on. Even if the packet is passed on in less than a second, the TTL field is decremented by a minimum of one, so the TTL field is sometimes called the “hop” field.
Protocol (eight bits) Defines the next protocol level that is to receive the data field at the destination. If the protocol field is set to 1, it is an ICMP packet; if 6, it is TCP; if 17, it is UDP.
Even though ICMP and IGMP are incorporated at the Internet layer, they are encapsulated in IP packets.
Header Checksum (16 bits) Used for error detection. The checksum calculates only the IP header.
Source Address (32 bits) Identifies the source system’s IP address.
Destination Address (32 bits) Identifies the IP address of the final or destination system.
Options Indicates optional information for the packet, such as:
Security
Loose or strict source routing
Error reporting
Timestamping
Debugging
For example, the source-routing option enables the sender to specify the path that a packet should traverse over the Internet. Both loose and strict source routing specify a routing path. Loose source routing allows multiple network hops between successive Internet addresses on the list. Strict source routing implies that the Internet addresses specify the exact path the packet must follow to get to the destination host; an error results if a router cannot forward the packet to the specified node.
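The header layout just described, built and decoded in code; this is an added example, not material from the study guide. It packs the ten fixed fields and two addresses, pads a 4-byte options field to give the 24-byte header of Figure 3.2, verifies the header-only checksum, and applies the per-hop change a router makes (TTL down by one, checksum refreshed, addresses untouched). The sample packet is constructed, using the 192.168.3.0 addresses of the exercises.

```python
# Added example (not from the study guide): build and parse the IPv4 header
# described above, verify the header checksum, and apply the per-hop TTL
# change a router makes. The sample packet is constructed, not captured.
import struct

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
HEADER_FORMAT = "!BBHHHBBH4s4s"   # the ten fixed fields plus two addresses, 20 bytes


def inet(addr):
    """'192.168.3.13' -> 4 bytes."""
    return bytes(int(x) for x in addr.split("."))


def ip_checksum(header):
    """RFC 791 checksum: one's complement of the one's-complement sum of the
    16-bit words of the header only (the data is not covered)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, protocol, payload_len, ttl=64, ident=0x1234, options=b""):
    """Assemble a header; options are padded to a 32-bit word, as the text notes."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4              # header length in 32-bit words
    total_length = ihl * 4 + payload_len
    flags_frag = 0x4000                      # DF set, MF clear, fragment offset 0
    header = struct.pack(HEADER_FORMAT, (4 << 4) | ihl, 0, total_length, ident,
                         flags_frag, ttl, protocol, 0, inet(src), inet(dst)) + options
    checksum = ip_checksum(header)           # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def parse_ipv4_header(packet):
    """Decode the fields; checksum_ok is True only when the header is intact."""
    if len(packet) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, protocol, _, src, dst) = struct.unpack(HEADER_FORMAT, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_length_words": ihl,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "flags": {"df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000)},
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, in 8-byte units
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "other"),
        # A valid header sums (checksum field included) to all ones, so
        # recomputing over the whole header yields zero.
        "checksum_ok": ip_checksum(packet[:header_len]) == 0,
        "source": ".".join(str(b) for b in src),
        "destination": ".".join(str(b) for b in dst),
        "options": packet[20:header_len].hex(),
    }


def forward_hop(packet):
    """What a router changes in the header per hop: TTL minus one, checksum
    refreshed. Source and destination addresses are left exactly as sent."""
    header_len = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:header_len])
    if header[8] <= 1:
        raise ValueError("TTL expired: router drops the packet instead of forwarding")
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + packet[header_len:]


# Constructed sample: an ICMP packet on the 192.168.3.0 network used in the
# exercises, with NOP, NOP, NOP, End-of-Options as a 4-byte options field,
# which gives the six-word (24-byte) header shown in Figure 3.2.
SAMPLE_PACKET = build_ipv4_header("192.168.3.13", "192.168.3.11", 1, payload_len=8,
                                  options=b"\x01\x01\x01\x00") + b"\x08\x00" + b"\x00" * 6

if __name__ == "__main__":
    for key, value in parse_ipv4_header(SAMPLE_PACKET).items():
        print(f"{key:>20}: {value}")
```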
EXERCISE 3.2
Capturing IP packets using Ethereal for Linux In this exercise, you will generate and capture packets using Ethereal and Linux. You will capture packets using System A, running Linux, and generate network traffic for the capture from System B. You will analyze the packets to determine the source and destination addresses, and to determine various packet header values.
1. In an X session, open a terminal and enter:
Host# ethereal -n
Warning: If you are on a busy network, you may need to apply a filter to focus your capture.
2. Select the Capture menu and choose Start. Select OK to begin the capture.
3. Ping System A from System B. After several replies, view the packets you captured by clicking the Stop button.
4. Ethereal will display the packets captured in the connectivity test. You will have a screen capture similar or identical to the Ethernet capture from the previous chapter. However, now you will focus on the Internet layer, not the Network Access layer.
5. Locate the first ICMP packet and highlight it. In the middle window, expand the Internet Protocol section, as shown in the example below.
Now that you’ve gained insights into subnetting and the structure of the IP header, we’ll cover routing. Routing is an extremely important function of IP. It is the process of choosing a path over which to send packets. The device that performs this task is called a router, which forwards packets from one physical network to another. Your knowledge of IP will enable you to see the correlation between IP, subnetting, and routing.
Routing
Routing is the process of selecting a path that data will travel across networks. The Internet layer, or the Network layer (Layer 3) of the Open Systems Interconnection reference model (OSI/RM), performs the routing function. A packet, or datagram, carries sufficient information for routing from the originating host to the destination host (for example, IP or IPX address). Packets may traverse several networks before reaching their destination host. Packets are routed transparently, and not necessarily reliably, to the destination host. The term “transparent,” when applied to routing, means that after the routing hardware and software are installed, changes are undetectable by users because the routing process is largely automated. The complexity of routing is not visible to the user. The Transport or Application layer is responsible for reliability, which ensures that the data arrives at the other end. Routing can be summarized as:
One of the most important IP functions
The process that determines the path that packets will travel across networks
Routing can be divided into two general classifications: direct and indirect. If two computers on the same physical network need to communicate, the packets do not require a router. The computers are considered to be on the same local network. In an Ethernet/802.3 TCP/IP network, the sending entity encapsulates the packet in an Ethernet frame, binds the destination Internet address to an Ethernet address, and transmits the resulting frame directly to its destination. This process is referred to as direct routing. The Address Resolution Protocol (ARP) is an example of a direct routing protocol. The destination system is on the same physical network if the network portions of the source and destination addresses are the same. This example holds true with a single network connected by hubs or switches.
If two computers that are not on the same physical network need to communicate, they must send the IP packet to a router for delivery. They are located on remote networks. Whenever a router is involved in communication, the activity is considered indirect routing. In the next exercise, you will use a TCP/IP command called traceroute that can determine whether direct or indirect routing is used to reach a destination node. If the destination node is on the same local network, the packets will be delivered by direct routing, but if a default gateway is used to send the packet to a remote network, indirect routing will be used. The traceroute command can determine the path between source and destination systems. It also provides information on round-trip propagation time between each router and the source system. Users can gain an understanding of local and remote networks by studying information returned by this command. The command format for Windows 2000 is:
tracert ip_address
In this command, ip_address identifies the destination system. For example, if your IP address is 192.168.3.13, then you would use the following command prompt entry:
tracert 192.168.3.11
Because the destination host is on the local network, this command will result in the following one-hop response:
Tracing route to 192.168.3.11 over a maximum of 30 hops:
1 <10ms <10ms <10ms 192.168.3.11
Trace complete.
The command format for Linux is:
traceroute ip_address
The traceroute command functions the same as the tracert command.
EXERCISE 3.3
Determining a local or remote destination node using Windows 2000
In this exercise, you will use the Windows 2000 tracert command to determine whether the destination computer requires a router to forward a packet to another network.
Note: You must have either Internet access or two systems on the same network for this exercise to succeed.
1. At the command prompt, enter the following:
tracert [target system’s IP address]
2. The response should resemble the following (depending on your target’s IP address):
1 <10 ms <10 ms <10 ms SystemA [192.168.3.11]
Only one hop was required because the packet went directly to the destination. A router was not required because the destination node was on the same network.
3. Trace a packet to a remote network. Note: You must have Internet access for this section to succeed. At the prompt, enter the following:
tracert 192.36.148.17
4. The response will depend on your default gateway and destination node. The first entry is the router (default gateway). Many hops were required because the packet destination was not on the local network. To access the remote network, the packet was directed to the default gateway (recall the ANDing process), which routed the packet to the destination network.
EXERCISE 3.4
Determining a local or remote destination node using Linux
1. Repeat the previous exercise, using the Linux traceroute command.
Now that you have seen one aspect of routing by using the traceroute command, we will dig deeper into the underlying process of routing. Routing involves the following two key elements:
The sending host must know which router to use for a given destination; the router is determined by the default gateway. The default gateway is the IP address of the router on your local network; this router will route the packet to the destination network.
The router must know where to send the packet; the destination is determined by the router’s routing information table.
Routing Information Tables
A routing information table is a database maintained by all hosts on a network. The table contains the location of all networks in relation to the hosts’ location. This section will discuss how routers use routing information tables to determine the next router to send a packet. When a packet arrives at the router, the router examines the packet’s destination network, then checks its own routing information table. It determines the next router to send the packet, and forwards the packet to that router. In some cases, the destination network is attached to the router, in which case the packet has reached its destination network. Figure 3.3 illustrates a simplified routing table so you can understand the basic process.
FIGURE 3.3 Routing information table
Router 2 Routing Information Table
Network  Router   Hops
X        Router1  2
Y        Router2  1
Z        Router3  2
(Diagram: Network X, Network Y, and Network Z, connected through Router 1, Router 2, and Router 3.)
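The two key elements above (which router a host hands a packet to, and which next hop a router picks from its table) as a small routing-table model; this is an added example, not code from the study guide. It decides direct versus indirect delivery by ANDing with the mask, picks the most specific matching entry, and also plays through the static-route steps of Exercise 3.5 below (remove the default gateway, then add a route with a gateway). All networks, gateways and the interface name eth0 are constructed.

```python
# Added example (not from the study guide): a host's routing decision (direct
# versus indirect, by ANDing with the mask) and a router-style table lookup with
# longest-prefix match. The networks and gateways are constructed.
from collections import namedtuple

Route = namedtuple("Route", "network mask gateway interface metric")


def ip_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def same_network(addr_a, addr_b, mask):
    """The ANDing test: both addresses give the same network with this mask."""
    m = ip_to_int(mask)
    return ip_to_int(addr_a) & m == ip_to_int(addr_b) & m


class RoutingTable:
    """Entries like Figure 3.3 (network, next router, metric). A gateway of
    None means the network is attached directly to this system."""

    def __init__(self):
        self.routes = []

    def add(self, network, mask, gateway, interface, metric=1):
        self.routes.append(Route(network, mask, gateway, interface, metric))

    def delete(self, network, mask):
        self.routes = [r for r in self.routes if (r.network, r.mask) != (network, mask)]

    def lookup(self, destination):
        """Most specific matching entry (longest prefix), lowest metric on a tie."""
        best, best_prefix = None, -1
        for r in self.routes:
            if not same_network(destination, r.network, r.mask):
                continue
            prefix = bin(ip_to_int(r.mask)).count("1")
            if prefix > best_prefix or (prefix == best_prefix and r.metric < best.metric):
                best, best_prefix = r, prefix
        return best


def next_hop(table, destination):
    """Where the packet goes next: ('direct', destination) when the destination
    is on an attached network (ARP resolves the destination itself),
    ('indirect', router) when a router must forward it, or ('unreachable', None)."""
    route = table.lookup(destination)
    if route is None:
        return ("unreachable", None)
    if route.gateway is None:
        return ("direct", destination)
    return ("indirect", route.gateway)


def host_table(host_ip, host_mask, default_gateway=None):
    """The minimal table a plain host carries: its own network plus, if set,
    a default route (0.0.0.0 with mask 0.0.0.0) pointing at the default gateway."""
    table = RoutingTable()
    network = int_to_ip(ip_to_int(host_ip) & ip_to_int(host_mask))
    table.add(network, host_mask, None, "eth0")
    if default_gateway is not None:
        table.add("0.0.0.0", "0.0.0.0", default_gateway, "eth0")
    return table


if __name__ == "__main__":
    # Router 2's table from Figure 3.3, with constructed addresses for X, Y and Z.
    router2 = RoutingTable()
    router2.add("10.1.0.0", "255.255.0.0", "10.0.0.1", "eth1", metric=2)   # X via Router1
    router2.add("10.2.0.0", "255.255.0.0", None, "eth0", metric=1)         # Y attached
    router2.add("10.3.0.0", "255.255.0.0", "10.0.0.3", "eth1", metric=2)   # Z via Router3
    for dst in ("10.1.4.4", "10.2.0.9", "10.3.1.1", "172.16.0.1"):
        print(dst, "->", next_hop(router2, dst))
```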
Static vs. Dynamic Routing
Static routers contain routing information tables that must be built and updated manually. If a certain route does not exist in the static routing table, the router will be unable to communicate with that network. A dynamic router communicates with other dynamic routers to calculate routes automatically using routing protocols such as RIP and OSPF. Dynamic routers can exchange information about routes of known networks. When a route changes, the routers automatically update themselves by recalculating routes. In the next exercise, you will configure a static routing information table. You should be familiar with the following two commands: route and ping.
The route Command
The route command is used to view or modify network routing tables on Windows 2000 and Linux. The command format is as follows:
route [option]
The route command has three options that you should know for Windows 2000. They are as follows:
print: displays the routing table.
add: adds a route to the routing table.
delete: deletes a route from the routing table.
All hosts/nodes on a TCP/IP network have a routing table, but it usually only includes the host’s own IP address, the loopback address, and the default gateway for the segment. If the host is also a router, the routing table will be more detailed. To view the routing table in Windows, enter route print at a Command Prompt, and for Linux/Unix/BSD use the route command at a root prompt. A multi-homed host will have a longer routing table to include each interface, whether or not the host performs routing.
The ping Command
The ping command is used to test connectivity between source and destination systems. The command format is as follows:
ping [ip_address]
In this format, ip_address identifies the remote system. You will learn more about the ping command later in the book.
Note that this exercise should not be performed remotely, but from the console. Also, while the commands and underlying concepts are common to multiple distributions of Linux and to most flavors of Unix, the specific steps of this exercise rely on the Red Hat netconfig program launching successfully during an X session.
EXERCISE 3.5
Configuring a static routing table using Linux
In this exercise, you will remove and add entries to a routing table using Linux.
1. Log on as root to an X Window session.
2. Remove your default gateway. For instance, at the command line, enter:
netconfig
The netconfig program will start. Select Yes. Enter your IP address and net mask (subnet mask). Make sure that the Default Gateway (IP) field is blank and select OK. You can also remove your default gateway by using the linuxconf program. Enter linuxconf at the command line, remove the default gateway from the Config > Networking > Client Tasks > Routing And Gateways > Set Defaults field, then select Accept and Act/Changes (activate changes).
3. Test connectivity by pinging a computer on the remote classroom network. For example, enter the following:
ping 192.168.x.y
In this syntax, x is the remote network number and y is a host number on the remote network. You should be unsuccessful because the default gateway has been removed.
4. At the command line, enter the following:
route
The routing table will appear.
5. To define a static route, the entry should contain the following variables:
route add -net network-ID gw default-gateway netmask subnet-mask
For example, enter the following:
route add -net 192.168.x.0 gw 192.168.z.1 netmask 255.255.255.0
In this syntax, x is the remote network number and z is your default gateway.
6. View the routing table. Your entry should appear.
7. At the command line, ping a computer on the remote classroom network. You should successfully ping the IP address of the remote classroom network. Even though you removed the default gateway, you manually configured the routing table to communicate with the remote classroom network.
8. Experiment with the routing table. Before concluding this exercise, delete the entries you added by replacing the command add with del. Restore your default gateway.
Routing does not change the original packet at the Network layer and higher. The Network, Transport, Session, Presentation, and Application layers remain unchanged during the routing process. For example, the source IP address is always the IP address of the original system, and the destination IP address is always the target, or destination, system. The following example will track an IP packet traveling across an Ethernet/802.3 LAN. The OSI/RM will be referenced. When a packet arrives at a router, the network interface software at the Data-Link layer delivers the packet to the Network layer for processing. The router checks its routing information table to determine the next system address, or hop, to which the packet will be sent. When the next hop IP address is determined, the router does not store the next address in the IP header (the IP header only contains the original source and destination IP address—no field exists to hold the IP address of the next hop). Instead, the Network layer resolves the next hop’s IP address to the next hop’s hardware address using ARP, then discards that IP address. It then passes the packet and the next hop’s hardware address to the network interface software at the Data-Link layer. The packet is encapsulated in a frame, and the frame is transmitted over the transmission media at the Physical layer. The frame travels across the transmission media with the next hop’s hardware address, as well as with the original destination system’s IP address. When the frame arrives at the next hop, the network interface software at the Data-Link layer removes the hardware address and delivers the packet to the Network layer for further processing. The router checks its routing information table. At this point, the packet may have reached its destination network. If so, the router will forward the packet to the destination network host (or firewall/proxy server in many cases). If the packet has not reached its destination network, the router forwards the packet to the next hop, and the process repeats itself. In the simplest sense, neither the router nor the packet needs to know anything about the networks connecting the source and destination hosts. However, some routing protocols can optimize network performance by using some information about the networks connecting source and destination hosts.
Routing Protocols
While routing is often defined as the process of selecting a path that data will travel across networks, routing also includes routing protocols, which determine how routers share information and how they report routing table changes to each other. Routing protocols enable networks to dynamically change without the need to enter static routing table entries for each adjustment. Following are the two basic types of routing protocols.
Interior routing protocols Used within an organization’s network. Examples are RIP and OSPF.
Exterior routing protocols Used outside an organization’s network. EGP and BGP are examples of such protocols.
An autonomous system is managed by a single organizational entity, which includes all networks and routers managed by that entity. If routers belong to different autonomous systems and they exchange routing information, the routers are considered exterior gateways. Routers within an autonomous system are called interior gateways.
Some large autonomous networks may actually use exterior routing protocols internally, in order to manage regional networks, but this is not usually the case.
Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is a simple interior routing protocol. It is also a distance-vector protocol, which means it determines the best route by measuring the smallest number of hops, called the hop count, between the source and the destination. TCP/IP, IPX/SPX, and AppleTalk have their own distance-vector protocols that are incompatible with one another: IP RIP, IPX RIP, and AppleTalk Routing Table Maintenance Protocol (RTMP), respectively. RIP is recommended on small networks because it is easy to implement and manage. It requires minimal router processing and bandwidth requirements. Two versions of RIP are used: RIPv1 and RIPv2. RIPv1 is defined in RFC 1058; RIPv2 is defined in RFC 2453. RIPv2 is an Internet standard. No changes were made to the basic protocol in the newer version, but information was added. For example, RIPv2 supports multicasting. The RIPv1 header uses the first four bytes to specify the command (request, reply) and the version number (RIPv1 or RIPv2). The following 20 bytes are used to specify the routing information for the packet. If only one route is advertised, the RIP header will be 24 bytes. A maximum of 25 routes can be advertised to create a RIP header of 504 bytes (4 + 20 × 25 = 504), which keeps the RIP header smaller than 512 bytes.
Figure 3.4 illustrates the components of the RIPv1 header, which contains several important fields.

Command (eight bits)  Specifies the operation (listed by command number):
1. Request for partial or full routing information.
2. Response containing network-distance pairs.
3. Turn on trace mode (obsolete).
4. Turn off trace mode (obsolete).
5. Reserved for Sun Microsystems internal use (poll).
6. Reserved for Sun Microsystems internal use (poll-entry).

Version (eight bits)  Specifies the RIP version, which is 1 for RIPv1.

Address Family (16 bits)  Has a value of 2, which signifies IP addresses. This field begins each 20-byte route entry, which also carries the associated IP address and metric; up to 25 entries in this 20-byte format can follow the 4-byte header.

IP Address (32 bits)  Specifies the IP address of the advertised destination.

Metric (32 bits)  Indicates how many hops away the destination is. Valid metrics are 1 through 15; a metric of 16 means the destination is unreachable.

FIGURE 3.4 RIPv1 header format (bit positions 0, 8, 16 and 31 across the top; each row is 32 bits)

    Command (1-6) | Version (1) | Must Be Zero
    Address Family (2)          | Must Be Zero
    IP Address
    Must Be Zero
    Must Be Zero
    Metric
    ... (the entry from Address Family through Metric repeats for each additional route, up to 25)
RIPv2 extends RIPv1. No changes were made to the protocol itself; more information was added. The fields marked "must be zero" in RIPv1 carry that additional information in RIPv2, and the newer version supports multicasting. RFC 2453 also adds authentication: the first entry of a packet may be an authentication entry (address family 0xFFFF) carrying a 16-byte password. Because that password travels in cleartext, keyed MD5 authentication was specified separately in RFC 2082. RIPv1 has no authentication at all, so any host on a segment can inject routes into RIPv1 routers. Figure 3.5 illustrates the components of the RIPv2 header.

FIGURE 3.5 RIPv2 header format (bit positions 0, 8, 16 and 31 across the top; each row is 32 bits)

    Command (1-6) | Version (2) | Routing Domain
    Address Family (2)          | Route Tag
    32-Bit IP Address
    32-Bit IP Subnet Mask
    32-Bit Next-Hop IP Address
    Metric (1-16)
    ... (24 more routes possible, using the same format as the previous 20 bytes, Address Family through Metric)

The RIPv2 header contains several important fields.

Command (eight bits)  Specifies the operation (listed by command number; see the RIPv1 header for the list).

Version (eight bits)  Specifies the RIP version, which is 2 for RIPv2.

Routing Domain (16 bits)  Identifies the routing service to which each packet belongs, enabling a single router to run multiple instances of RIP, each in its own routing domain. (RFC 2453 no longer uses this field and requires it to be zero.)

Address Family (16 bits)  Has a value of 2, which signifies IP addresses. This field begins each 20-byte route entry, which also carries the associated IP address, subnet mask, next hop, and metric; up to 25 entries can follow the 4-byte header.

Route Tag (16 bits)  Supports exterior gateway protocols, such as EGP and BGP, by carrying an autonomous system number, so that routes learned from outside can be told apart from internal RIP routes.

IP Address (32 bits)  Specifies the IP address of the advertised destination.
Subnet Mask (32 bits)  The subnet mask that goes with the IP address in the entry.

Next-Hop IP Address (32 bits)  Identifies where packets for this destination should be sent. If this value is 0.0.0.0, packets are sent to the system transmitting the RIP message.

Metric (32 bits)  Indicates how many hops away the destination is. Valid metrics are 1 through 15; 16 means unreachable.

RIP routers transmit their routing tables to neighboring RIP routers at fixed 30-second intervals. On Ethernet networks, RIPv1 routing tables are broadcast. These periodic updates handle topology changes because the routing tables automatically update as changes occur. Each router builds its routing table from its neighbors' information. For example, if a router states that it can reach network X in two hops, its neighbor will conclude that it can reach network X in three hops. If a router receives several different hop counts for the same network from different routers, the lowest hop count is entered in the routing table. After a router has calculated all the routes for which it has received information, it transmits its own routing table to its neighbors. Entries in a RIP routing table include the destination, the next hop, the metric, and various timers. The metric is the hop count to the ultimate destination.

RIP has several general disadvantages:

Traffic  Because RIP broadcasts routing tables on an Ethernet network at fixed intervals, it can generate a great deal of traffic. If many RIP routers exist on a network, RIP can consume almost all the bandwidth.

Convergence time  RIP can require a lengthy convergence time. Convergence is the time required for all routers on the network to receive the same routing information. If you have many RIP routers, updates take time to travel down the chain and reach every router. During the convergence time, packets can be routed incorrectly and lost on the network, their TTL expiring before delivery.

Count to infinity  The count-to-infinity problem occurs when a link between two routers is broken and the remaining routers keep raising the hop count until it reaches "infinity." Infinity means unreachable. The maximum hop count of a RIP route is usually 15, depending on the RIP implementation; infinity is set to one more, which is 16 in this case.
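The RIPv1 and RIPv2 layouts above in working form, as an added example that is not part of the original chapter: a builder and parser written against Python's standard library that enforces the 4 + 20n packet length, the 25-entry limit, the must-be-zero fields of RIPv1 and the 1-16 metric range, and reports what a receiving router would install. The sample packet bytes are constructed here; the UDP port constant and the install-metric field are this example's own additions, and whole-table requests (address family 0) are not handled.

```python
import socket
import struct

# Constants from RFC 1058 (RIPv1) and RFC 2453 (RIPv2)
RIP_UDP_PORT = 520
INFINITY = 16          # a metric of 16 means "unreachable"
MAX_ENTRIES = 25       # 4 + 25 * 20 = 504 bytes, which keeps a packet under 512
AF_INET = 2            # address family value that signifies IP addresses
COMMANDS = {1: "request", 2: "response", 3: "traceon", 4: "traceoff",
            5: "poll", 6: "poll-entry"}

# Constructed sample: a RIPv1 response advertising 10.0.0.0 at 3 hops (24 bytes)
SAMPLE_V1_RESPONSE = bytes.fromhex(
    "02010000"              # command 2 (response), version 1, must be zero
    "00020000" "0a000000"   # address family 2, must be zero, IP 10.0.0.0
    "00000000" "00000000"   # must be zero, must be zero
    "00000003")             # metric 3


def build_rip_packet(version, command, routes):
    """Serialize a RIP packet: 4-byte header plus 20-byte route entries.

    Each route is a dict with "ip" and "metric"; for RIPv2 it may also carry
    "tag" (route tag), "mask" (subnet mask) and "nexthop".
    """
    if version not in (1, 2) or command not in COMMANDS:
        raise ValueError("bad RIP version or command")
    if not 1 <= len(routes) <= MAX_ENTRIES:
        raise ValueError("a RIP packet carries 1 to 25 route entries")
    # header: command, version, two bytes that must be zero
    packet = struct.pack("!BBH", command, version, 0)
    for route in routes:
        metric = route["metric"]
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric must be 1..16")
        ip = socket.inet_aton(route["ip"])
        if version == 1:
            # AFI, must be zero, IP address, must be zero, must be zero, metric
            packet += struct.pack("!HH4sIII", AF_INET, 0, ip, 0, 0, metric)
        else:
            # AFI, route tag, IP address, subnet mask, next hop, metric
            packet += struct.pack(
                "!HH4s4s4sI", AF_INET, route.get("tag", 0), ip,
                socket.inet_aton(route.get("mask", "255.255.255.255")),
                socket.inet_aton(route.get("nexthop", "0.0.0.0")), metric)
    return packet


def parse_rip_packet(data):
    """Parse a RIP packet, rejecting anything that violates the fixed layout."""
    if len(data) < 24 or (len(data) - 4) % 20:
        raise ValueError("RIP packet length must be 4 + 20*n bytes, n >= 1")
    command, version, zero = struct.unpack("!BBH", data[:4])
    if command not in COMMANDS or version not in (1, 2):
        raise ValueError("unknown RIP command or version")
    if version == 1 and zero:
        raise ValueError("RIPv1 header bytes 2-3 must be zero")
    routes = []
    for offset in range(4, len(data), 20):
        entry = data[offset:offset + 20]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi != AF_INET:
            raise ValueError("unsupported address family %d" % afi)
        if version == 1:
            ip, zero1, zero2, metric = struct.unpack("!4sIII", entry[4:])
            if tag or zero1 or zero2:
                raise ValueError("RIPv1 must-be-zero fields are set")
            route = {"ip": socket.inet_ntoa(ip), "metric": metric}
        else:
            ip, mask, nexthop, metric = struct.unpack("!4s4s4sI", entry[4:])
            route = {"ip": socket.inet_ntoa(ip), "mask": socket.inet_ntoa(mask),
                     "nexthop": socket.inet_ntoa(nexthop), "tag": tag,
                     "metric": metric}
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric %d out of range 1..16" % metric)
        route["unreachable"] = metric == INFINITY
        # what a neighbor would install: one more hop, capped at infinity
        route["install_metric"] = min(metric + 1, INFINITY)
        routes.append(route)
    return {"command": COMMANDS[command], "version": version, "routes": routes}


if __name__ == "__main__":
    print(parse_rip_packet(SAMPLE_V1_RESPONSE))
    v2 = build_rip_packet(2, 2, [{"ip": "10.1.0.0", "mask": "255.255.0.0",
                                  "metric": 2, "tag": 65001}])
    print(len(v2), parse_rip_packet(v2))
```

Feeding the parser a captured UDP port 520 payload is enough to see every route a neighbor is advertising, which is also exactly what makes unauthenticated RIPv1 easy to poison from any host on the segment.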
In Figure 3.6, Router3 calculates one hop to reach Network X. Therefore, Router2 calculates two hops to reach Network X, and Router1 calculates three hops. If Router3 malfunctions, Router2 will update its routing table from Router1, which advertises Network X at three hops, so Router2 will calculate four hops. Router1 will then use Router2's data to calculate five hops, and so forth, until both routers reach infinity.

FIGURE 3.6 RIP count-to-infinity disadvantage (Router 1, Router 2, Router 3 and Network X connected in a chain)
To address the count-to-infinity problem, two solutions have been implemented: split horizon and poison reverse. Each has drawbacks.

Split horizon  A router does not advertise a route back to the neighbor from which it learned that route. In the previous figure, Router1 learned Network X from Router2, so it does not advertise Network X to Router2. If Router3 fails, stale data from Router1 will not mislead Router2, and Network X is simply marked unreachable. Split horizon decreases RIP traffic but can increase convergence time.

Poison reverse  A stronger form of split horizon: instead of omitting the route, the router advertises it back to the neighbor it learned it from with an unreachable metric (16 hops). In the previous figure, Router2 calculates two hops to Network X. It advertises that to Router1, and Router1 calculates three hops. However, Router2 advertises Network X as unreachable (16 hops) to Router3, because Router3 is where it learned the route. If Router3 fails, Router2 removes its route to Network X and advertises Network X as unreachable to Router1, which drops its own entry at once instead of counting upward. Poison reverse decreases convergence time but increases RIP traffic, because every route is advertised in every direction.
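The count-to-infinity scenario and the two mitigations, as an added simulation that is not from the original chapter: three routers in the Figure 3.6 chain, Router3 removed after convergence, and the rounds counted until Router1 and Router2 both record Network X as unreachable. The round ordering (Router1's periodic update reaches Router2 before Router2 sends its own) and the instant timeout on Router2 are simplifying assumptions chosen to reproduce the text's sequence; this is a model of the algorithm, not a RIP implementation.

```python
INFINITY = 16  # RIP "unreachable"


class Router:
    """A minimal RIP-style distance-vector router.

    table maps destination -> [metric, next_hop]; next_hop is None for a
    directly connected network (metric 1, as Router3 sees Network X).
    """

    def __init__(self, name, neighbors, connected=()):
        self.name = name
        self.neighbors = list(neighbors)
        self.table = {net: [1, None] for net in connected}

    def advertisement_for(self, neighbor, mode):
        """Routes this router tells `neighbor` about under the chosen mitigation."""
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop == neighbor:
                if mode == "split-horizon":
                    continue                  # say nothing about routes learned from it
                if mode == "poison-reverse":
                    adv[dest] = INFINITY      # tell it the route is unreachable
                    continue
            adv[dest] = metric
        return adv

    def receive(self, sender, adv):
        for dest, metric in adv.items():
            learned = min(metric + 1, INFINITY)
            current = self.table.get(dest)
            if current is None:
                if learned < INFINITY:
                    self.table[dest] = [learned, sender]
            elif current[1] == sender:
                current[0] = learned          # route goes via sender: believe it, even if worse
            elif learned < current[0]:
                self.table[dest] = [learned, sender]


def exchange(routers, order, mode):
    """One update round. Routers send in `order` and each update is processed on
    arrival, which reproduces the chapter's sequence. Returns entries advertised."""
    sent = 0
    for name in order:
        router = routers[name]
        for neighbor in router.neighbors:
            if neighbor in routers:           # a failed router is simply gone
                adv = router.advertisement_for(neighbor, mode)
                sent += len(adv)
                routers[neighbor].receive(name, adv)
    return sent


def simulate(mode, max_rounds=40):
    """Build Router1 - Router2 - Router3 - Network X, converge, fail Router3, then
    count rounds until both survivors agree that X is unreachable."""
    routers = {
        "R1": Router("R1", ["R2"]),
        "R2": Router("R2", ["R1", "R3"]),
        "R3": Router("R3", ["R2"], connected=["X"]),
    }
    for _ in range(3):
        exchange(routers, ["R1", "R2", "R3"], mode)
    before = (routers["R1"].table["X"][0], routers["R2"].table["X"][0])

    # Router3 fails: it stops sending and R2's timer marks its route via R3 unreachable
    del routers["R3"]
    routers["R2"].table["X"][0] = INFINITY

    history, traffic = [], 0
    for _ in range(max_rounds):
        traffic += exchange(routers, ["R1", "R2"], mode)
        history.append((routers["R1"].table["X"][0], routers["R2"].table["X"][0]))
        if history[-1] == (INFINITY, INFINITY):
            break
    return {"mode": mode, "before_failure": before, "rounds": len(history),
            "history": history, "entries_advertised": traffic}


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        result = simulate(mode)
        print(mode, "rounds:", result["rounds"], "entries:",
              result["entries_advertised"], result["history"])
```

Without mitigation the pair counts 4, 5, 6, ... up to 16 over seven rounds; split horizon and poison reverse both settle in one round, and the entry counts show the traffic difference the text describes (split horizon sends fewer entries, poison reverse sends the poisoned ones too).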
Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is a complex interior routing protocol developed by the Internet Engineering Task Force (IETF). The current version of OSPF for IPv4, version 2, is specified in RFC 2328 and is an Internet standard protocol. OSPF was designed to replace RIP and solves many of its shortcomings. As you learned previously, RIP is a distance-vector protocol that determines the smallest number of hops between the source system and the destination system; it places no emphasis on factors such as available bandwidth, multiple connections, or security.
OSPF can make better decisions than RIP because it is a link-state protocol. This technology gives OSPF the following advantages over RIP.

Rapid convergence and reduced traffic  Instead of transmitting whole routing tables at fixed intervals, link-state protocols transmit link-state updates when a change occurs.

No count-to-infinity problem  OSPF relies on first-hand instead of second-hand information: every router holds a map of the links in its area and computes its own shortest paths from that map, rather than trusting a neighbor's hop counts. It determines the best path by sharing link information with neighboring OSPF routers and calculating routes on more than just the hop count.

Variable length subnetting  A complex network may have multiple subnet masks, which must be supported by the routing protocol. Although RIPv2 also supports variable length subnet masks, OSPF is recommended because it is more efficient.

OSPF, which was designed for TCP/IP networks, uses IP directly. Rather than running over TCP or UDP, OSPF has its own Protocol field value of 89 in the IP header. OSPF contains the following practical features.

Various types of service routing  OSPF makes it possible to install multiple routes to a given destination. Each route can be defined on the basis of a service, such as high bit rate or security.

Load balancing  If multiple routes exist to a given destination and all routes have the same cost, OSPF distributes traffic evenly over them.

Network areas  OSPF provides the ability to partition a network into areas, which allows growth and organization. Each area's internal topology is hidden from other areas.

Authenticated exchanges  Every OSPF packet carries an authentication type, so exchanges between routers can be authenticated, and OSPF allows the use of various authentication schemes. This feature is important because only trusted systems should propagate routing information.

Defined route support  OSPF allows the definition of host-specific or network-specific routes.

Routing table updates  Updates occur when necessary rather than at regular intervals. This feature reduces traffic on the network and saves bandwidth.
There are five different types of OSPF messages, as follows. Each OSPF message starts with a fixed 24-byte header.

Hello  Establishes and maintains neighbor relationships.

Database description  Exchanged between neighboring routers when an adjacency is being initialized. The message describes the contents of the link-state database.

Link state request  Used by a neighboring router to request up-to-date information when parts of its database are outdated.

Link state update  Implements link state advertisement (LSA) flooding; each update carries one or more LSAs one hop further from their origin. Routers use LSAs to describe their own links, and through them the routes they can reach, to every other router in the area.

Link state acknowledgment  Acknowledges the flooding of LSAs. Multiple LSAs can be acknowledged with one link state acknowledgment packet.

Figure 3.7 illustrates the components of the OSPF header.

FIGURE 3.7 OSPFv2 header format (bit positions 0, 8, 16 and 31 across the top; each row is 32 bits)

    Version (2) | Type | Packet Length
    Router Identification
    Area ID
    Checksum           | Authentication Type
    Authentication
    Authentication

The OSPF header includes several important fields.

Version (8 bits)  The current OSPF version number, which is version 2.

Type (8 bits)  Identifies the OSPF message as one of the five types listed above.

Packet Length (16 bits)  Specifies the OSPF packet length in bytes, including the OSPF header.

Router Identification (32 bits)  Identifies the source router (the gateway sending the message); the router ID is a 32-bit value, normally one of the router's IP addresses.

Area ID (32 bits)  Identifies the area to which this packet belongs (always a single area). If a packet travels over a virtual link, it uses the 0.0.0.0 backbone area ID.

Checksum (16 bits)  Contains the standard IP (one's complement) checksum of the entire OSPF packet, except for the 64-bit Authentication field.

Authentication Type (16 bits)  Specifies the type of authentication to be used for the OSPF packet.

Authentication (64 bits)  Carries the authentication scheme identified in the Authentication Type field. If the Type field is 0, no authentication is performed. If the Type field is 1, a simple password is used: the 64-bit field holds the password itself, so it travels in cleartext and anyone who can capture OSPF packets on the link can read it. If the Type field is 2, cryptographic authentication is used: the field holds a key ID and a sequence number, and a keyed MD5 message digest is appended after the packet (RFC 2328, Appendix D), so the key never appears on the wire. All other authentication type numbers are reserved for assignment by the IANA.
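The OSPFv2 header, its checksum rule and the three authentication types in working form, as an added example rather than code from the original chapter. It builds and parses a packet, recomputes the standard IP checksum while skipping the 64-bit authentication field, and shows why authentication type 1 is weak: the parser recovers the password straight from the header. The Hello body is constructed for the example; the cryptographic-authentication field layout (key ID, digest length, sequence number) follows RFC 2328 Appendix D, and the digest is not verified here because that needs the shared key.

```python
import socket
import struct

OSPF_IP_PROTOCOL = 89
HEADER_LEN = 24
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}

# Constructed Hello body (20 bytes): network mask, hello interval 10s, options,
# router priority 1, dead interval 40s, designated and backup router 0.0.0.0
SAMPLE_HELLO_BODY = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                                10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)


def internet_checksum(data):
    """Standard IP checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ospf_packet(ptype, router_id, area_id, auth_type, auth=b"", body=b""):
    """Build an OSPFv2 packet with a correctly computed header checksum."""
    if ptype not in PACKET_TYPES or auth_type not in AUTH_TYPES:
        raise ValueError("unknown OSPF type or authentication type")
    auth = auth.ljust(8, b"\x00")[:8]        # the 64-bit authentication field
    length = HEADER_LEN + len(body)
    fields = [2, ptype, length, socket.inet_aton(router_id),
              socket.inet_aton(area_id), 0, auth_type]
    if auth_type == 2:
        checksum = 0   # not calculated for cryptographic authentication (RFC 2328 D.4.3)
    else:
        # the checksum covers the whole packet except the 64-bit authentication field
        checksum = internet_checksum(struct.pack("!BBH4s4sHH", *fields) + body)
    fields[5] = checksum
    return struct.pack("!BBH4s4sHH", *fields) + auth + body


def parse_ospf_packet(data):
    """Parse and validate an OSPFv2 header; report what the authentication field exposes."""
    if len(data) < HEADER_LEN:
        raise ValueError("OSPF packet shorter than the 24-byte header")
    version, ptype, length, rid, aid, checksum, auth_type = struct.unpack(
        "!BBH4s4sHH", data[:16])
    auth = data[16:24]
    if version != 2:
        raise ValueError("not OSPFv2")
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown OSPF packet type %d" % ptype)
    if not HEADER_LEN <= length <= len(data):
        raise ValueError("packet length field inconsistent with data")
    body = data[HEADER_LEN:length]
    info = {"type": PACKET_TYPES[ptype], "length": length,
            "router_id": socket.inet_ntoa(rid), "area_id": socket.inet_ntoa(aid),
            "auth_type": AUTH_TYPES.get(auth_type, "reserved"), "checksum_ok": None}
    if auth_type != 2:
        # recompute with the checksum zeroed and the authentication field skipped
        covered = data[:12] + b"\x00\x00" + data[14:16] + body
        info["checksum_ok"] = internet_checksum(covered) == checksum
    if auth_type == 1:
        # the "password" is the raw 64-bit field: readable by anyone capturing the packet
        info["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif auth_type == 2:
        # RFC 2328 Appendix D.3 layout: zero (16 bits), key ID, digest length, sequence number
        key_id, digest_len, sequence = struct.unpack("!xxBBI", auth)
        info.update(key_id=key_id, digest_len=digest_len, crypto_sequence=sequence,
                    digest=data[length:length + digest_len])
    return info


if __name__ == "__main__":
    packet = build_ospf_packet(1, "192.0.2.1", "0.0.0.0", 1, b"ospfkey", SAMPLE_HELLO_BODY)
    print(parse_ospf_packet(packet))
```

Because the checksum deliberately excludes the authentication field, an attacker who captures a type 1 packet can replay it, and with the recovered password can forge any OSPF packet; the sequence number in type 2 is what stops that replay.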
Exterior Gateway Protocol (EGP)

Exterior Gateway Protocol (EGP) is an older exterior routing protocol. It communicates reachability information between autonomous systems. EGP has been largely replaced by Border Gateway Protocol (BGP), which is discussed in the next section. EGP is specified in RFC 827. EGP is a path-vector protocol, which means it operates across multiple autonomous systems. Recall that an autonomous system is managed by a single organizational entity and includes all networks and routers managed by that entity. If routers belong to different autonomous systems and exchange routing information, they are considered exterior gateways; routers within an autonomous system are considered interior gateways.

Path-vector protocols, such as EGP, maintain a routing information table that lists the autonomous systems used to reach a particular destination. Path-vector protocols are also called policy routing protocols. EGP provided routing table information between the Internet's backbone routers, and between the backbone routers and the domain router(s) chosen by an organization to act as its exterior gateways. An organization's exterior gateway can maintain two tables: one with interior routes obtained through RIP or OSPF, and another with exterior routes obtained through EGP or BGP.
EGP has been superseded because of the following shortcomings:

EGP was designed when the Internet consisted of a single backbone. It is insufficient for today's multiple-backbone network.

EGP routers are set up with static routes that designate which routers can exchange routing tables. This capability provides security (only configured peers are trusted) but not scalability.
Border Gateway Protocol (BGP)

Border Gateway Protocol (BGP) is a newer exterior routing protocol. Like EGP, BGP is a path-vector protocol. It was used between the NSFnet backbone and some regional networks. A BGP system exchanges network reachability information with other BGP systems. That information includes the full path of autonomous systems through which the traffic must pass to reach these networks. BGPv1 is specified in RFC 1105. Version 4 of BGP supports the routing table aggregation procedures demanded by Classless Interdomain Routing (CIDR). BGPv4 is specified in RFC 1771. BGP sessions run over TCP (port 179) rather than directly over IP as OSPF does. BGPv4 controls which routes it accepts and advertises by applying arbitrary routing policies. These policies are built on the path-vector information. Border routers that link two adjacent autonomous systems announce paths. Each path contains the list of network prefixes it reaches and the autonomous systems it has crossed. Because a path lists all of these transit systems, a router can detect loops: it denies any path that has already passed through its own autonomous system.

All of the routing protocols discussed are aimed at efficiently passing Internet Protocol (IP) traffic throughout the Internet. Recall that IP is used at the Internet layer of the Internet architecture (or the Network layer of the OSI reference model). IP packets or datagrams are the basic unit of data transfer used throughout the Internet. Routing is the method of directing those packets to their destination.
Summary
The task of determining subnet masks is vital to architecting or combining networks, and it is important for an internetworking professional to know these things forward and backward. Internetworking sometimes requires creating a proper subnet mask from scratch, based on a desired number of hosts, but just as often requires examining an existing subnet mask to determine how many more hosts may be added to a network. Understanding CIDR, direct versus indirect routing, and static versus dynamic routing is also essential to network administration. Understanding the fundamentals of interior routing protocols, including RIP and OSPF, and exterior routing protocols, including EGP and BGP, will help you distinguish yourself not only as someone knowledgeable about routers but also as a skilled internetworking professional. Finally, understanding the information in the IP header fields, the function of each field, and how routers handle IP packets means mastering concepts intrinsic to routing. Routers large and small are the key elements connecting global networks and the Internet, and a sound understanding of these principles can carry you far, whether you are architecting or troubleshooting networks.
Key Terms
Before you take the exam, be sure you are familiar with the following terms:

ANDing
Border Gateway Protocol (BGP)
Classless Interdomain Routing (CIDR)
direct routing
Exterior Gateway Protocol (EGP)
indirect routing
net mask
Open Shortest Path First (OSPF)
ping
route
routing
Routing Information Protocol (RIP)
routing protocols
subnet mask
subnet routing
subnetworks
traceroute (tracert)
Exam Essentials

Understand the use of private addresses in intranet design.  Private IP addresses allow network administrators to conserve valid Internet addresses by placing client workstations behind a firewall, proxy, or router performing network address translation (NAT) or masquerading.

Know the functions of the Internet layer.  The Internet layer is the layer at which IP packets are routed from host to host, or passed between networks by routers. The Internet layer of the Internet architecture model is equivalent to Layer 3, the Network layer, of the OSI/RM.

Know the routing function and describe how it relates to the Internet layer.  The routing function is the process that determines which path packets will travel across networks. This function occurs at the Internet layer, whether it is performed by a dedicated router or by a host with routing capabilities.

Be able to identify the IP header fields and describe the purpose of each field.  The IPv4 header has 10 fixed header fields, two addresses, and options, totaling 160 bits plus options. The fields are Version, Header Length, Service (Type of Service), Datagram Length, Datagram ID Number, Flags, Fragment Offset, Time To Live, Protocol, Header Checksum, Source Address, Destination Address, and Options. Most of these fields are self-explanatory. Datagram Length, ID Number, Flags, and Fragment Offset are used for packet fragmentation and reassembly.

Know the difference between direct and indirect routing, and determine whether a route is direct or indirect.  Direct routing is when a host can deliver a packet immediately to a destination host on the same LAN, using ARP to find the destination's hardware address. Indirect routing is when packets must traverse one or more routers to reach a destination host on a different network.

Understand the routing process and know the function of routing information tables.  The default gateway (often a router) forwards a packet to the appropriate network, or to another router closer to the destination. Routing information tables contain information about networks and their location relative to the host's network. When a packet reaches a router, the router consults its routing information table to determine where to pass the packet.
Be able to compare static routing with dynamic routing.  Static routing is when the routes are configured manually and do not change. Dynamic routing is performed by protocols such as RIP and OSPF, which update routing information to reflect changes in the network without requiring a manual update of static routes. Static routes entail less processing overhead but require manual updates. Dynamic routing requires less manual configuration maintenance but more processing power to run the routing protocols.

Know the difference between interior and exterior routing protocols, and identify routing protocols within each category.  Interior protocols such as RIP and OSPF are used to make efficient use of internal network resources. Exterior routing protocols such as EGP and BGP allow organizations to share network information with neighboring networks, improving traffic flow across multiple networks.

Understand the differences and similarities between the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), and the advantages and disadvantages of each.  OSPF was designed to overcome several problems associated with RIP, including fixed intervals for routing table broadcasts and lengthy convergence times. OSPF is able to factor in available bandwidth and multiple connections, converges more rapidly, and solves the count-to-infinity problem.

Know the Exterior Gateway Protocol (EGP) and the Border Gateway Protocol (BGPv4).  EGP carries reachability information between autonomous systems. BGP exchanges full path reachability information between BGP systems. BGPv4 supports CIDR and arbitrary routing policies.

Understand distance-vector, link-state, and path-vector protocols.  RIP is a distance-vector protocol, OSPF is a link-state protocol, and EGP is a path-vector protocol. Distance-vector protocols share the number of hops to specific networks, so that the route with the lowest hop count can be selected. OSPF includes these metrics and additional factors such as bandwidth, multiple connections, and load balancing. Path-vector, or policy routing, protocols list the systems used to reach specific destinations.

Understand Classless Interdomain Routing (CIDR).  You should be familiar with Classless Interdomain Routing and its importance. CIDR is used to aggregate multiple networks into single routing entries. One motivation for CIDR was the unmanageable growth of routing table entries, as well as Internet address depletion.
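The subnet-mask, direct-versus-indirect and CIDR points above as working code, added here and not part of the original chapter: ANDing to decide whether delivery is direct, longest-prefix lookup in a routing table that has a default route, CIDR aggregation (supernetting), and the host-count arithmetic the chapter asks you to do by hand. All addresses and routing-table entries are made-up sample input.

```python
import ipaddress

# Constructed sample routing table for a host on 10.1.0.0/16 (next hops made up)
SAMPLE_TABLE = [
    ("0.0.0.0/0", "192.0.2.1"),          # default route
    ("10.0.0.0/8", "10.1.0.254"),
    ("10.1.0.0/16", "directly connected"),
]


def is_direct_route(src_ip, netmask, dst_ip):
    """ANDing: if source and destination fall in the same network under the mask,
    delivery is direct (ARP on the local LAN); otherwise the packet must go to a
    router, which is indirect routing."""
    local_net = ipaddress.ip_network("%s/%s" % (src_ip, netmask), strict=False)
    return ipaddress.ip_address(dst_ip) in local_net


def lookup_route(routing_table, dst_ip):
    """Longest-prefix match over (prefix, next_hop) pairs. 0.0.0.0/0 is the default
    route, which only wins when nothing more specific matches.
    Returns (matched prefix, next_hop), or None when the table has no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def aggregate(prefixes):
    """CIDR supernetting: collapse adjacent and contained networks into the fewest
    routing entries that cover exactly the same address space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def usable_hosts(prefix):
    """Assignable addresses: the all-zeros (network) and all-ones (broadcast)
    host values are excluded."""
    return max(ipaddress.ip_network(prefix).num_addresses - 2, 0)


def prefix_length_for_hosts(hosts_needed):
    """The longest prefix (smallest subnet) that still leaves hosts_needed usable addresses."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    host_bits = 2                        # /30 is the smallest subnet with usable hosts
    while usable_hosts("0.0.0.0/%d" % (32 - host_bits)) < hosts_needed:
        host_bits += 1
        if host_bits > 30:
            raise ValueError("more hosts than a single IPv4 network can hold")
    return 32 - host_bits


def split_for_subnets(network, subnets_needed):
    """Borrow the fewest host bits that yield at least subnets_needed subnets."""
    net = ipaddress.ip_network(network)
    borrow = 0
    while 2 ** borrow < subnets_needed:
        borrow += 1
    return [str(s) for s in net.subnets(prefixlen_diff=borrow)]


if __name__ == "__main__":
    print(is_direct_route("192.168.1.10", "255.255.255.0", "192.168.2.20"))
    print(lookup_route(SAMPLE_TABLE, "10.1.2.3"), lookup_route(SAMPLE_TABLE, "198.51.100.7"))
    print(aggregate(["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "198.51.100.0/26"]))
    print(prefix_length_for_hosts(50), usable_hosts("10.0.0.0/26"))
    print(split_for_subnets("192.168.1.0/24", 5))
```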
Review Questions

1. What is the name of the organization that issues all Internet addresses?
A. The Internet Engineering Steering Group
B. The Association of Internet Address Assignments
C. The Internet Corporation for Assigned Names and Numbers
D. The Internet Architecture Board

2. Why are Internet addresses called "32-bit addresses"?
A. Because each address field is a byte, and a byte equals eight bits
B. Because each address field contains 32 bits
C. Because older systems such as DEC-10 used decimal bit values of 32
D. Because the 3.7 billion Internet addresses possible are divided into 32 subgroups

3. Which of the following IP header fields is also called the "hop" field?
A. Time To Live (TTL)
B. Flags
C. Service
D. Fragment Offset

4. The benefits of private network addresses include:
A. conserving globally unique IP addresses when global uniqueness is not required.
B. reducing an enterprise's ability to access the Internet.
C. requiring hosts to access other Internet hosts.
D. allowing a one-to-one correspondence between the network portion of each client's Internet address.
5. Which of the following statements is true of a valid IP address?
A. Class A addresses use the first 24 bits for the host portion and the remaining eight bits for the network portion.
B. A valid IP address will always support multicasting.
C. A valid IP address belongs to one of seven address classes.
D. Neither the entire network portion nor the entire host portion of an IP address can contain all binary zeros or ones.

6. Which of the following characteristics accurately describes subnetworks?
A. Subnet masks allow up to 256 subnetworks to exist within a network.
B. A subnet mask is mandatory for systems to communicate across subnetworks.
C. The subnet mask is an IP address.
D. A typical network's host bits are divided into three groups: host, subnetwork, and subnet mask.

7. The first step in determining custom subnet masks is to:
A. determine the number of bits to borrow.
B. determine the maximum number of hosts per subnetwork.
C. determine the number of subnets needed.
D. determine the address ranges for each subnetwork.

8. Classless Interdomain Routing (CIDR) is also referred to as:
A. ANDing
B. masking
C. subnetting
D. supernetting
9. Which of the following statements describes a characteristic of direct routing?
A. The Network layer of the OSI/RM performs the direct routing function.
B. A default gateway is used to send a packet to a remote network.
C. The destination node is on the same local network as the source node.
D. A router is required to forward an IP packet to another network.

10. Which of the following statements accurately describes an aspect of the routing process?
A. Packets are routed transparently and not necessarily reliably to the destination host.
B. Only one hop is required to send a packet to a destination host on a remote network.
C. The router need not know where to send the packet.
D. The traceroute command is used to determine the appropriate router to use for a given destination.

11. A routing information table is a database maintained by:
A. a single host on a network.
B. all hosts on a network.
C. a default gateway.
D. the IP address of a router.

12. Which of the following characteristics accurately describes dynamic routing?
A. Dynamic routers contain routing information tables that must be updated manually.
B. Dynamic routers can exchange information about routes of known networks.
C. The ping command is used to manipulate network routing tables on Windows 2000 and Linux.
D. Dynamic routers use BootP to report routing table changes with one another.
13. RIP and OSPF are examples of:
A. autonomous network protocols.
B. exterior routing protocols.
C. exterior gateways.
D. interior routing protocols.

14. Which of the following accurately characterizes a distance-vector protocol?
A. The TCP/IP distance-vector protocol is compatible with the AppleTalk distance-vector protocol.
B. A distance-vector protocol requires maximal router processing and bandwidth requirements.
C. A distance-vector protocol determines the best route by measuring the smallest number of hops between source and destination.
D. A distance-vector protocol does not support multicasting.

15. Which of the following is an advantage of OSPF over RIP?
A. OSPF supports variable length subnetting.
B. OSPF transmits its routing tables at fixed intervals.
C. OSPF calculates routes solely on the hop count.
D. OSPF allows the use of only one authentication scheme.

16. Which of the following statements accurately describes EGP and BGP?
A. EGP and BGP are both equally sufficient for today's multiple-backbone Internet.
B. EGP and BGP are both path-vector protocols.
C. EGP and BGP are both specified in RFC 827.
D. EGP and BGP both provide equal scalability.
17. What is the purpose of CIDR?
A. CIDR is used to prevent the allocation of Internet address space to ISPs.
B. CIDR allows each Internet address to have its own routing table entry in the Internet backbone's routing table.
C. CIDR is designed to be a permanent fix for the eventual depletion of Internet addresses.
D. CIDR is designed to minimize the number of routing table entries and conserve Internet address space.

18. Internet Protocol (IP) can be summarized as a best-effort service that is:
A. connection oriented.
B. always reliable.
C. connectionless.
D. nonroutable.

19. Routing can be summarized as:
A. the process that prevents data from colliding on the Internet.
B. the process that determines the path that packets will travel across networks.
C. the process of creating hops between destinations on a network.
D. the process that prevents fragmentation at the IP layer.

20. Which of the following statements is true of IPv4?
A. IPv4 has a header that consists of eight fixed header fields, four addresses, and options.
B. IPv4 has a header that consists of 10 fixed header fields, two addresses, and options.
C. The IPv4 header uses 128-bit addresses.
D. The Datagram Length field in the IP packet header specifies the length of the packet header.
Answers to Review Questions

1. C. ICANN issues all Internet addresses.
2. A. Internet addresses consist of 32 binary (0 or 1) bits, usually divided into four one-byte fields, called octets because a byte is eight bits.
3. A. The TTL field is decremented at each hop. Packets whose TTL has expired are no longer forwarded.
4. A. Using private address space not only conserves globally unique IP addresses; it also increases an enterprise's ability to access the Internet, may be used for hosts that do not need to be reached from the Internet, and allows a many-to-one correspondence between the clients and their visible Internet address.
5. D. A network or host portion of an IP address that is all ones is a broadcast, not a valid host address, and a portion that is all zeros denotes the network itself.
6. B. The subnet mask is a mandatory component of a TCP/IP configuration, allowing the host portion of the 32-bit IP address to be split into a subnetwork portion and a host portion.
7. C. Determining the number of subnets needed, then the number of hosts per subnet, is required in order to determine the other elements.
8. D. Supernetting is the method of aggregating networks into a single addressable network, to reduce routing table entries.
9. C. Direct routing is performed when the source and destination nodes are on the same local network; the packets do not pass through a router but are instead "routed" directly to the destination.
10. A. The traceroute command is used for troubleshooting, and although routers do not need to know the complete route to a packet's destination, they need to know a route that is in the right direction. A number of hops may be required to send a packet to a destination.
11. B. Each host maintains a routing information table containing the host's own IP address, the loopback address, and the default gateway. Routers and hosts involved in routing typically have more extensive routing tables.
12. B. Dynamic routing protocols such as RIP and OSPF allow routers to update routes automatically as network information changes.
13. D. RIP and OSPF are interior routing protocols, run between routers within an autonomous system.
14. C. A distance-vector protocol measures only the number of hops, and no other factors of the route.
15. A. Answers B, C, and D all describe RIP, not OSPF.
16. B. EGP and BGP are both path-vector protocols, but BGP provides superior scalability.
17. D. CIDR minimizes routing table entries and conserves address space, but it is a temporary fix for address depletion, allocating address space to ISPs.
18. C. IP is not necessarily reliable, it is routable, and it is not connection oriented.
19. B. Routing is the process of directing network traffic toward each packet's destination.
20. B. IPv4 has only two addresses, source and destination. By process of elimination, A, C, and D are wrong: IPv6, not IPv4, uses 128-bit addresses, and Datagram Length specifies total packet length, not header length.
Chapter 4  Transport Layer

CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER: Identify the purpose, elements and functions of Internet architecture model layers, including but not limited to: Network Access layer, Internet layer, Transport layer.
The Transport layer (also known as the Host-to-Host layer, the End-to-End layer, or the Source-to-Destination layer) of the Internet architecture model provides flow control between two hosts. It divides the data received from the Application layer into segments (TCP) or datagrams (UDP), and the Transport layer on the receiving host reassembles the data when it reaches its destination. The Transport layer corresponds to the Transport and Session layers of the OSI model. It accepts Application-layer data and passes it to the Internet layer on the source host, then passes the Internet-layer data up to the Application layer on the destination host. Depending on the application and its needs, the Transport layer will send and receive data using one of two protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). In this chapter, you will learn about these protocols and the mechanisms they use to establish connections to the ports through which they communicate. You will also have a chance to use a packet sniffer to view Transport-layer packets and analyze the differences between them.
TCP
Transmission Control Protocol (TCP) provides a byte-stream service for the Internet Transport layer that is connection-oriented and reliable. TCP is connection-oriented because two machines must contact one another through a TCP connection before transferring data. Only two end points are communicating. Once the session is established, TCP provides session management between the source and destination systems. TCP is reliable because it divides application data into segments, sends acknowledgments, retransmits unacknowledged segments, calculates checksums on headers and data, resequences data upon arrival, discards duplicate data, and provides flow control.
TCP includes a byte-stream service so that an application on the destination system can determine how to read the bytes sent by a source system’s application. The byte-stream service consists of a stream of bytes across the TCP connection. The application, not the protocol, is responsible for determining the byte-stream contents. In general, the categories of services provided by TCP include:
Management of an established session between a source and a destination system
Data delivery in sequence
No duplicate data
Guaranteed delivery of data
TCP Header
Understanding the TCP header will help you to comprehend the services that TCP provides. Prior to the development of Transmission Control Protocol, the services mentioned above (reliable, connection-oriented) had to be coded into each individual application, if desired. We’ll examine how these services have been implemented efficiently at the Transport layer by examining the header that TCP adds to packets. The TCP header is usually 160 bits (20 bytes) unless options are present (up to 60 bytes). It is encapsulated in the IP datagram. Figure 4.1 illustrates the TCP header with the most common option type: the Maximum Segment Size (MSS) option.
FIGURE 4.1 TCP header (bit positions 0, 16 and 31 mark each 32-bit row):
Source Port # | Destination Port #
Sequence Number
Acknowledgment Number
HDR. Length | RESVD. | URG ACK PSH RST SYN FIN | Window
Checksum | Urgent Pointer
Opt. Type | Opt. Length | Max Segment Size
The TCP header contains several important fields that contain vital information.
Source Port (16 bits) Identifies the source port. When a client makes a request to a server, the source port can be viewed as the client application’s port number for the initial connection.
Destination Port (16 bits) Identifies the destination port. When a client makes a request to a server, the destination port can be viewed as the server application’s port number for the initial connection.
Sequence Number (32 bits) Indicates the sequence number of the first data byte in the segment, except when SYN (the flag that refers to synchronized sequence numbers) is present. If SYN is present, the sequence number is a randomly selected number.
Acknowledgment Number (32 bits) A piggy-backed acknowledgment that contains the sequence number of the next octet that the TCP entity expects to receive.
Header Length (four bits) Specifies the number of 32-bit words (4 bytes) in the header. The value is 5 (5 words × 4 bytes = 20 bytes) unless options are present, in which case you can have a maximum of 15 (which results in 60 bytes: 15 words × 4 bytes = 60 bytes).
Reserved (six bits) Reserved for future use. These bits are not currently used, but were set aside for possible use when TCP was architected.
Flags (six bits):
URG The urgent flag. It indicates that urgent data has been placed in the data stream.
ACK An acknowledgment. It identifies acknowledgment information in the packet.
PSH The push function. It forces TCP to release data.
RST Resets the connection. It quickly terminates a TCP connection.
SYN Synchronizes the sequence numbers. This bit is set to 1 for the first two packets of any connection that uses TCP at the Transport layer.
FIN Means no more data will be transmitted from the sender. It is the normal way to terminate a TCP connection.
Window (16 bits) Flow-control credit allocation, in bytes. Contains the number of data octets, beginning with the one indicated in the acknowledgment field, that the sender is willing to accept. This field controls the size of the window: the total size of all the packets that the sending computer sends to the receiving computer between acknowledgements. Since the field is 16 bits, the largest number that can be represented by 16 bits is 2^16 = 65,536 bytes. Window size is dynamic, called a sliding window, responding to the capacity of the receiving computer (NIC) to accept and acknowledge packets. A receiving computer that has many TCP sessions open will reduce the window size on these connections in order to avoid dropping packets.
Checksum (16 bits) Used for error detection.
Urgent Pointer (16 bits) Points to the byte following the urgent data. Thus the receiver can determine how much urgent data is included in the message.
Option Type (eight bits) Specifies the option in use, here the maximum acceptable segment size (see the Maximum Segment Size [MSS] field). Currently, only one option, option 2, is defined.
Option Length (eight bits) Specifies the option’s length. Option 2 (MSS) is four bytes long.
Maximum Segment Size (MSS) (16 bits) The most common TCP option type. Specifies the largest segment size that TCP will transmit to the other node. The MSS information is exchanged during TCP session establishment.
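The field layout above, decoded by a parser written for this guide as an added example (it is not code from the book): it unpacks a constructed 24-byte SYN segment, splits the Header Length and flag bits, and walks the option list to pull out the MSS. The ports, ISN, window and MSS values are made up, and the checksum is left at zero because no IP pseudo-header is involved here.

```python
import struct

# The six flag bits in the order the header shows them (URG is the high bit).
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def parse_tcp_options(raw: bytes) -> list:
    """Walk the option list: kind 0 ends it, kind 1 is a one-byte NOP, and
    every other kind is followed by a length byte that covers kind+len+data."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} for kind {kind}")
        data = raw[i + 2:i + length]
        if kind == 2 and length == 4:      # Maximum Segment Size, 16-bit value
            options.append(("MSS", struct.unpack("!H", data)[0]))
        else:
            options.append((kind, data))
        i += length
    return options


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header plus options; returns the fields the
    text describes and the offset at which the payload begins."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, offset_byte, flag_byte,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (offset_byte >> 4) * 4          # Header Length in 32-bit words
    if not 20 <= header_len <= 60 or header_len > len(segment):
        raise ValueError(f"bad header length {header_len}")
    # The six reserved bits straddle the low nibble of byte 12 and the top
    # two bits of byte 13; the flags are the low six bits of byte 13.
    reserved = ((offset_byte & 0x0F) << 2) | (flag_byte >> 6)
    flags = {name: bool(flag_byte & bit) for name, bit in TCP_FLAGS}
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "header_len": header_len, "reserved": reserved, "flags": flags,
            "window": window, "checksum": checksum, "urgent_ptr": urgent,
            "options": parse_tcp_options(segment[20:header_len]),
            "payload_offset": header_len}


def build_tcp_header(src_port, dst_port, seq, ack, flag_names, window,
                     options: bytes = b"") -> bytes:
    """Assemble a header: options are padded to a 32-bit boundary with
    End-of-Option-List bytes and Header Length is derived from the result."""
    options += b"\x00" * (-len(options) % 4)
    words = 5 + len(options) // 4
    flag_byte = sum(bit for name, bit in TCP_FLAGS if name in flag_names)
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        words << 4, flag_byte, window, 0, 0)   # checksum 0: constructed
    return fixed + options


# Constructed active-open segment: ephemeral client port, FTP control port 21,
# a made-up ISN, SYN only, window 65535, and the MSS option (kind 2, len 4, 1460).
SAMPLE_SYN = build_tcp_header(49152, 21, 0x12345678, 0, {"SYN"}, 65535,
                              bytes([2, 4, 0x05, 0xB4]))


def describe(segment: bytes) -> str:
    h = parse_tcp_header(segment)
    on = ",".join(name for name, set_ in h["flags"].items() if set_)
    return (f"{h['src_port']} -> {h['dst_port']} seq={h['seq']:#x} ack={h['ack']} "
            f"flags={on} hdr={h['header_len']}B win={h['window']} opts={h['options']}")


if __name__ == "__main__":
    print(describe(SAMPLE_SYN))
```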
Applications That Use TCP
There are many higher-layer applications that use TCP services, more than use UDP. Why is TCP a more popular protocol than UDP? Because Transmission Control Protocol performs functions that allow application developers to rely upon TCP rather than writing additional code into each application for the same functionality. TCP is so widely used that the Internet is often said to run TCP/IP, though a more accurate description would be to say that the Internet uses IP, which includes TCP and UDP. Most of the network traffic on the Internet consists of a handful of TCP applications. Some of the most common applications that use TCP include:
Telnet
File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Hypertext Transfer Protocol (HTTP)
There are many more applications that use TCP. HTTP, SMTP, and FTP are among the top protocols for global Internet use. E-mail (SMTP) continues to be the largest bandwidth use, followed closely by web traffic (HTTP) and file transfer (FTP). Telnet is an extremely useful protocol that can be used to connect to other services, such as SMTP and HTTP. Each Application layer protocol that uses TCP services is associated with a unique port number, called a TCP port. TCP ports will be discussed later in this chapter.
TCP Negotiation Process
The TCP header’s flag field includes URG, ACK, PSH, RST, SYN, and FIN flags, each of which is a single bit with a value of zero or one. The settings of these flags are vital for a server and client to establish and terminate a basic TCP connection. This negotiation of a TCP connection is an important first step in establishing a session, and is the basis for TCP’s connection-oriented, reliable services. Three flags—SYN, ACK, and FIN—accomplish this process, but SYN and ACK are the only two flags used for requesting and accepting an initial TCP connection.
SYN Synchronizes the sequence numbers.
FIN Signals that no more data will be transmitted from the sender.
ACK Identifies acknowledgment information in the packet.
Establishing a TCP Connection: SYN, ACK
To establish the TCP connection, a three-way handshake must be completed. The handshake is required before the nodes can send and receive data. The three-way handshake (using the client/server model, for this example) consists of the following steps:
1. The client (or requesting end) performs an active open by activating the SYN flag in the TCP header. The TCP header also contains:
The desired port number for connection.
The sequence number field with the Initial Sequence Number (ISN). This number is generated randomly and is used to synchronize the client and server when they transfer data on what is called the byte stream.
2. The server performs a passive open by sending its own SYN to the client that specifies:
The server’s ISN.
An acknowledgment (ACK) of the client’s SYN.
3. Finally, the client returns an ACK to the server. The connection is established, and client and server can now transfer data using the byte stream. Figure 4.2 illustrates this entire process.
FIGURE 4.2 Establishing TCP connection: Active open: SYN flag, ISN and desired port number. Passive open: SYN flag, ISN and ACK. ACK.
Terminating a TCP Connection: FIN, ACK
Because TCP connections are full duplex, terminating a TCP connection requires four steps. Full duplex means that data can flow in both directions, independent of one another. Therefore, both connections must be closed. To close TCP connections properly, either host can send a FIN (i.e., activate the FIN flag in the TCP header). When one host receives a FIN, it must close data flowing in the other direction by sending a FIN to the application at the other end. Most applications close data flow in both directions at the end of a session. However, closing only one direction and operating in a half-closed mode is possible. The four basic steps for terminating a TCP connection are:
1. The server performs an active close by activating the FIN flag (the client usually exits the application, but the server initiates the TCP connection termination). This action terminates the data flow from the server to the client.
2. The client performs a passive close by sending an ACK to the server.
3. The client also sends its own FIN to the server to terminate data flow from the client to the server.
4. Finally, the server sends an ACK back to the client. The TCP connection is terminated. Figure 4.3 illustrates this entire process.
FIGURE 4.3 Terminating TCP connection: Active close: FIN flag, stops server to client data flow. Passive close: ACK. Passive close: FIN flag, stops client to server data flow. ACK.
Normally, the FIN is created by the application. However, the ACK that responds to each FIN is automatically generated by TCP.
EXERCISE 4.1
Analyzing a TCP connection We have used Ethereal in previous exercises to examine network packets. In this exercise, you will examine screen captures of Ethereal with Linux to analyze the TCP establishment and termination processes. These packets were captured between an FTP client and FTP server. The Ethereal screen shot displays the packets captured in the FTP transfer. Although no data was downloaded, a TCP connection was established and terminated. The TCP connection was established with the first TCP packet between the client IP address and the server IP address.
1. Examine the first TCP packet of a TCP three-way handshake, as highlighted below.
2. Compare the TCP fields in the illustration above (the middle window) with the header fields in Figure 4.1. The packet sniffer protocol descriptions basically match the header fields and their values.
3. In the illustration above, Packet 1 is the TCP active open request. Identify the activated flag bit (e.g., SYN, ACK, and/or FIN), destination port number, and initial sequence number.
4. Identify the flags available. Note that active flags have a bit value of 1. If you have the resources available (two systems connected by Ethernet), use Ethereal on Linux to capture the network traffic of an FTP session between two systems. Locate the active open request as shown in the illustration above, then examine the following packets that complete the TCP negotiation, as described below.
5. Packet 2 is the passive open. It is sent from the FTP server to the FTP client. Identify the activated flag bit(s) and the initial sequence number.
6. Packet 3 is the final step of the three-way handshake. Identify the activated flag bit.
7. Next, you will identify the TCP termination packets. Note that no file transfer was necessary in order to open and terminate the TCP session. Locate the active close, which is the first TCP packet with the FIN flag activated. Note that although you closed the FTP connection from the client, the server initiates the termination because it received the bye command. This command terminates the TCP connection from the server to the client. This step corresponds to Packet 16 in the illustration below.
8. Locate the second termination packet. It originates with the client and contains the passive close, which is the client’s ACK for the server’s FIN. This step corresponds to Packet 17 in the illustration above.
9. Locate the third termination packet, which is also part of the passive close. It terminates the TCP connection from the client to the server using the FIN flag, as shown in Packet 18 in the illustration above.
10. Locate the fourth termination packet. This packet originates from the server and acknowledges the client’s FIN; it is the last step of the TCP termination process. This step corresponds to Packet 19 in the illustration above.
User Datagram Protocol (UDP)
User Datagram Protocol (UDP) provides a simple datagram form of communication at the Transport layer. One UDP packet is created for each output operation by an application, which is encapsulated into one IP datagram and transmitted across a network. In TCP, an application’s output is usually unrelated to what is transmitted in an IP datagram because it is a stream-oriented protocol. UDP is different from TCP because UDP does not provide congestion control, use acknowledgments, retransmit lost datagrams, or guarantee reliability. Instead, UDP offers faster transport of data, with less overhead for the connection and for individual packets.
UDP Header
Because UDP does not offer many services, the UDP header is smaller than the TCP header. Figure 4.4 illustrates the UDP header.
FIGURE 4.4 UDP header (bit positions 0, 16 and 31 mark each 32-bit row):
Source Port # | Destination Port #
Message Length | Checksum
The UDP header contains the following fields of information.
Source Port (16 bits) Identifies the port number of the service that generated the message on the source node.
Destination Port (16 bits) Identifies the port number of the service on the target node.
Message Length (16 bits) Specifies the number of bytes in the UDP packet (includes UDP header and data).
Checksum (16 bits) Optional; a checksum value of 0 implies that the checksum was not computed. The checksum calculation is optional, but the field is always 16 bits in length.
UDP headers are always 64 bits in length and have no optional headers.
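The UDP header and its optional checksum, as an added example written for this guide (not the book's code): it builds a constructed datagram, computes the checksum over the IPv4 pseudo-header that RFC 768 specifies (source and destination address, protocol 17 and UDP length, which the text does not go into), and classifies a received datagram as ok, bad, or sent without a checksum. The addresses, ports and payload are made up.

```python
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd length for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """Checksum over pseudo-header + UDP header + data with the checksum field
    zeroed. A computed 0 is transmitted as 0xFFFF so that 0 on the wire always
    means 'not computed'."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(datagram)))
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    return internet_checksum(pseudo + zeroed) or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              payload: bytes, compute_checksum: bool = True) -> bytes:
    """Assemble a datagram; Message Length covers the 8-byte header and data."""
    length = 8 + len(payload)
    datagram = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    if compute_checksum:
        csum = udp_checksum(src_ip, dst_ip, datagram)
        datagram = datagram[:6] + struct.pack("!H", csum) + payload
    return datagram


def parse_udp(datagram: bytes) -> dict:
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src_port, dst_port, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"bad Message Length {length}")
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> str:
    """'not computed' for a zero field, else 'ok' or 'bad' by recomputation."""
    h = parse_udp(datagram)
    if h["checksum"] == 0:
        return "not computed"
    expected = udp_checksum(src_ip, dst_ip, datagram[:h["length"]])
    return "ok" if expected == h["checksum"] else "bad"


if __name__ == "__main__":
    # Constructed DNS-style datagram from an ephemeral port to UDP port 53.
    d = build_udp("192.168.3.15", "192.168.3.1", 40000, 53, b"constructed DNS query")
    print(parse_udp(d), verify_udp("192.168.3.15", "192.168.3.1", d))
```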
Applications That Use UDP
Higher-layer applications that use UDP must address problems related to congestion control, flow control, and reliability. Applications that use the services of UDP include:
Network File System (NFS)
Trivial File Transfer Protocol (TFTP)
Simple Network Management Protocol (SNMP)
Domain Name System (DNS)
Each Application layer protocol that uses the services of UDP is associated with a unique port number, called a UDP port. We will now discuss in detail the TCP and UDP ports.
TCP and UDP Ports
TCP and UDP protocol headers contain both source and destination port numbers. These port numbers are addresses by which processes can be identified. Each port number is a 16-bit integer value that identifies a communication channel to a specific user process. For example, FTP uses TCP ports 21 and 20, and DNS uses both TCP port 53 and UDP port 53.
To list the services and ports associated with them, examine the services file located in the /etc directory for Unix or Windows NT/2000, and in the systemroot directory for Windows; or review RFC 1700. Although TCP and UDP port numbers occasionally coincide (such as for DNS), they are independent of one another. The Internet Assigned Numbers Authority (IANA) typically tries to reserve both TCP and UDP ports for a given application, even if an application uses only TCP or UDP. Table 4.1 lists the standard port assignments.
TABLE 4.1 Port assignments in the Internet domain
Port Number Range    Description
1 to 1023            Well-known/reserved port numbers
1024 to 65535        Registered port numbers
Well-Known Port Numbers
Well-known port numbers, also called reserved port numbers, range from 1 to 1023 and are controlled by the IANA. They are used by TCP and UDP to identify well-known services that a host can provide. No process is allowed to bind to a well-known port unless its effective user ID is 0 (having the equivalent of root, administrator, or superuser privileges). Because of this privileged port requirement, well-known port numbers are sometimes called privileged port numbers. Table 4.2 lists selected well-known port numbers and their services.
TABLE 4.2 Selected Well-Known Port Numbers and Services
Port    Service
20      FTP (data)
21      FTP (control)
22      SSH
23      Telnet
25      SMTP
53      DNS Domain replies
80      HTTP
110     POP3
111     Sunrpc portmapper
137     Netbios name service
138     Netbios datagram service
139     Netbios session service
143     IMAPv2
161     SNMP
162     SNMP trap
220     IMAPv3
389     LDAP
443     HTTPS
For more service port associations, consult the /etc/services file of your Linux system.
Registered Port Numbers
The IANA does not control registered port numbers, although it does track them. These port numbers range from 1024 to 65535 and are considered nonprivileged. Therefore, any process can use them. Ephemeral (short-lived or transitional) port numbers are unique port numbers typically assigned to client processes. The server process determines the ephemeral port number from the TCP or UDP header and thereby knows the process with which to communicate at the remote system.
Summary
The Transport layer of the Internet architecture utilizes key network protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Using a packet sniffer, network packets can be captured and protocols that use TCP and UDP for communication can be evaluated. This fundamental analysis of network traffic as it is being transmitted on the wire is an important real-world skill. Although it will probably not be necessary for you to perform these tasks on a daily basis, they are vital elements of the most basic understanding of networks. In analyzing a TCP connection from establishment through termination, key processes in networking can be documented. TCP’s three-way handshake is a common and crucial concept, important for troubleshooting any TCP application or protocol. The TCP flags are important for quickly identifying key transmissions, and are crucial in firewall design and analysis. A solid understanding of TCP and UDP behavior and typical application port assignments will provide you with ready and professional analytic skills for architecting or troubleshooting internetworking issues and solutions.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
connection-oriented
three-way handshake
ephemeral
Transmission Control Protocol (TCP)
Initial Sequence Number (ISN)
User Datagram Protocol (UDP)
registered port numbers
well-known port numbers
Exam Essentials
Know the functions of the Transport layer. You should be familiar with the Transport layer and how it fits into the OSI model. The fourth layer of the OSI model, the Transport layer, provides connection establishment, flow control and session termination between hosts.
Know the TCP header fields and the purpose of each field. The TCP header includes source and destination ports, sequence number, acknowledgement number, header length, flags, window, checksum, the urgent pointer, option type, option length, and maximum segment size.
Understand the TCP negotiation process. The TCP negotiation is often called the three-way handshake, with an initial SYN client packet requesting a session, a SYN/ACK response from the server, and the client ACK of the server’s SYN (with ISN).
Know the steps of session establishment and termination. A TCP session is established by completion of the three-way handshake, the TCP negotiation requested by a client but controlled by the server. The session terminates in four steps: one FIN and one ACK to and from each direction, server to client and client to server.
Know and understand the UDP header fields and their respective purposes. The UDP header is simply four 16-bit fields, denoting Source Port, Destination Port, Message Length, and Checksum. Your knowledge of the fields and their functions is vital to the exam and to your understanding of User Datagram Protocol.
Know TCP/UDP ports, including well-known and registered port numbers. TCP and UDP use 16-bit ports, ranging from 0 through 65535, to differentiate type of service. While all of these port numbers are listed by IANA, they are authoritative only over the first 1024 ports, numbers zero through 1023, called well-known port numbers, also known as reserved or privileged ports. The port numbers 1024 and higher are registered port numbers, also known as unprivileged or ephemeral ports.
Review Questions
1. The Transport layer of the Internet architecture model is also known as:
A. the Protocol Resolution layer
B. the Data Reassembly layer
C. the Host-to-Host layer
D. the Packet Analysis layer
2. Which pair of the following protocols does the Transport layer use to send and receive data?
A. NNTP and SNMP
B. ARP and RARP
C. TCP and UDP
D. PPTP and BootP
3. Which of the following TCP header fields specifies the number of 32-bit words in the header?
A. Header Length
B. Option Length
C. Window
D. Maximum Segment Size
4. What is the function of the SYN flag in the TCP header?
A. The SYN flag signals that no more data will be transmitted from the sender.
B. The SYN flag identifies acknowledgment information in the packet.
C. The SYN flag specifies the port number for connection.
D. The SYN flag synchronizes the sequence numbers.
5. Which of the following steps is usually performed last when terminating a TCP connection?
A. The client sends a FIN flag to the server to terminate data flow.
B. The server performs an active close by activating the FIN flag.
C. The server sends an ACK flag back to the client.
D. The client performs a passive close by sending an ACK flag to the server.
6. Which of the following fields is part of the UDP header?
A. Sequence Number
B. Destination Port
C. Acknowledgment Number
D. Maximum Segment Size
7. What is another name for well-known port numbers?
A. Registered port numbers
B. Reserved port numbers
C. Common port numbers
D. Ephemeral port numbers
8. Why doesn’t the UDP header include a header length field?
A. All UDP packets are the same size
B. UDP headers are a fixed length
C. The header length field is included in the checksum field
D. UDP header length is determined by the application
9. Which of these things would never be associated with either a TCP or UDP packet header?
A. 16-bit checksum field
B. 32-bit sequence number field
C. 16-bit source port field
D. 32-bit destination address field
10. Which of the following uses both TCP and UDP?
A. SMTP
B. DNS
C. POP3
D. SNMP
11. What is another name for registered port numbers?
A. well-known port numbers
B. ephemeral port numbers
C. reserved port numbers
D. privileged port numbers
12. Which of the following services operates on more than one TCP port number?
A. DNS
B. DHCP
C. FTP
D. HTTPS
13. Which port does SNMP use?
A. 161
B. 88
C. 119
D. 389
14. If a client connects to a DNS server to request a record (e.g. using nslookup), what range should the client request originate from?
A. Port 53
B. Port 1080
C. between 0 and 1023
D. between 1024 and 65535
15. What is a passive close?
A. A signal sent by a server closing a TCP connection
B. A flag sent by a client closing a UDP connection
C. A FIN sent by a client requesting a TCP connection close
D. An ACK sent by a client acknowledging a TCP session close
16. Which of the following is not a part of the TCP three-way handshake?
A. Client sends SYN request to server.
B. Server sends SYN with random initial session number.
C. Server sends ACK accepting client session.
D. Client sends ACK to the server using the byte stream.
17. The Initial Sequence Number refers to:
A. UDP packet sequencing
B. Prioritized packet handling within IGMP
C. A random TCP session assigned by a server
D. A name server’s origination designation in /etc/named.conf
18. Which of the following TCP flags is used to rapidly terminate a TCP connection?
A. RST
B. URG
C. PSH
D. FIN
19. What does a UDP checksum of zero indicate?
A. The datagram is incomplete and should be discarded.
B. This is an occasional result, and should match the packet contents checksum.
C. The datagram was altered in transit.
D. The checksum was not calculated.
20. Which of these applications uses UDP?
A. NNTP
B. NFS
C. Kerberos
D. UUCP
Answers to Review Questions
1. C. The Transport layer connects host-to-host data, usually as client/server connections for various applications.
2. C. Transmission Control Protocol and User Datagram Protocol are the two types of Transport-layer traffic.
3. A. Header Length is a four-bit field specifying the number of 32-bit words in the header.
4. D. The SYN flag indicates a new session is being established, and the sequence numbers are synchronized with acknowledgement of the SYN request (packet).
5. C. The server controls the TCP session, both initiating and finalizing the closure of the TCP session. The final step is sending the ACK back to the client that the TCP session is closed.
6. B. Destination Port is an attribute shared by both TCP and UDP headers. All of the other attributes are only for TCP connections.
7. B. Ephemeral and Registered both apply to port numbers above 1023. The well-known port numbers are Reserved.
8. B. Unlike TCP, UDP packets have a smaller, fixed-length header.
9. D. The 32-bit destination address field is integral to the IP packet header, at Layer 3, and is not related to services performed by either TCP or UDP at Layer 4.
10. B. DNS uses both TCP and UDP.
11. B. Ephemeral port numbers are the same as registered port numbers, being ports 1024 through 65535. The other three answers all refer to ports 0 through 1023.
12. C. FTP in standard (non-passive) mode opens a connection on port 21, then uses that connection as a control channel while passing data on a subsequent connection established on port 20, by default.
13. A. SNMP uses port 161; 88 is Kerberos, 119 is NNTP, and 389 is LDAP.
14. D. The client request should originate from a non-privileged port, while the server reply will be upon the typical service port, 53 in this example.
15. D. The passive close is the acknowledgement by the client that the server is terminating a TCP session.
16. D. The misleading part of these answers is that parts B and C both happen in the same step, the SYN/ACK sent by the server. The byte stream referred to in D is not available until after the client ACKnowledges the server’s SYN and ISN.
17. C. A pseudo-random process is used to assign the ISN when a server initiates a session with a client.
18. A. RST resets a connection, quickly terminating it, while FIN and ACK terminate a connection in the traditional, slower way.
19. D. A zero in this field indicates that the UDP packet was sent without a checksum calculated.
20. B. NFS uses UDP for a stateless connection to file shares.
Chapter 5
Domain Name System
CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER: Define the Domain Name System (DNS), including but not limited to: purpose, architecture, record types.
Name resolution is the process of matching a name to an address, such as a computer’s host name to an IP address. Without name resolution, users would need to memorize complex numeric addresses (such as IP addresses) each time they wanted to communicate with a web server, or even send an e-mail message. It is important to note that name resolution was created to assist people, not computers. One of the most universal methods of name resolution is the Domain Name System (DNS). DNS is used on the Internet and most TCP/IP networks. Understanding its function, process, and implementation will allow you to administer DNS within your own network and smoothly transition to the Internet. Before experimenting with DNS, you should understand the origin of DNS: the hosts file.
The Hosts File
Until DNS was implemented, a single file called the hosts table was managed and updated by the Stanford Research Institute Network Information Center (SRI-NIC). Whenever network administrators needed the latest hosts table for their name servers, they downloaded it from the SRI-NIC FTP server. As the Internet grew, this file became very large and difficult to manage, and no longer provided an effective way to distribute name-to-address data. The hosts file on your computer is similar to the hosts table used earlier for the Internet. The hosts file is a simple text file that is referenced locally by applications and commands for name-to-address resolution. Computers always check the hosts file first, even if the computer is configured to use DNS. The format for entries is as follows:

Internet-address official-host-name aliases

For the hosts file to provide local diagnostics, the loopback address (127.0.0.1) must be included. After the loopback address is entered, you can add any IP address and corresponding host name that you require (the number sign [#] is used for comments). For example:

# List the loopback address.
127.0.0.1 localhost
# You can list as many IP to host addresses as you need.
# These entries will override your system's DNS settings.
192.168.3.15 student15 patrick
195.49.35.195 www.iso.ch iso

The hosts file entries are read sequentially. Both Unix and Windows use the hosts file. Linux stores the hosts file in /etc/hosts, and it can be edited in any text editor, such as the vi text editor. Windows 2000 stores it in %systemroot%\system32\drivers\etc\hosts, and it can be edited using the Notepad text editor.
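The lookup rules just described (comments start with #, entries are read top to bottom, the first matching name wins, and anything in the file takes precedence over DNS) as an added Python example; this is not code from the book. The sample hosts file is constructed for the example and reuses the book's two entries plus a few extra lines, including a duplicate name that is never reached. The last function lists every name pinned to a non-loopback address, which is what an administrator checking a machine for unexpected DNS overrides wants to see.

```python
"""Parse a hosts file and resolve names the way the text describes.
Added example, not code from the book; SAMPLE_HOSTS is constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: loopback first, the book's two entries, then a name
# that overrides a public host and a duplicate alias that is never reached.
SAMPLE_HOSTS = """\
# List the loopback address.
127.0.0.1       localhost
# You can list as many IP to host addresses as you need.
# These entries will override your system's DNS settings.
192.168.3.15    student15       patrick
195.49.35.195   www.iso.ch      iso
192.168.3.11    www.sybexrocks.com heather   # trailing comment
203.0.113.7     www.example.com
192.168.3.99    heather         # never reached: 'heather' matched above
"""

Entry = Tuple[str, List[str]]          # (address, [official name, aliases...])


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, names) in file order, skipping blanks, comments and
    lines whose first field is not a valid IP address."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        fields = line.split()
        if len(fields) < 2:                        # blank, or address with no name
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def resolve(entries: List[Entry], name: str) -> Optional[str]:
    """Sequential read: the first entry listing the name wins.
    Host names are case-insensitive, so compare in lower case."""
    wanted = name.lower().rstrip(".")
    for address, names in entries:
        if wanted in (n.lower() for n in names):
            return address
    return None


def non_loopback_overrides(entries: List[Entry]) -> Dict[str, str]:
    """Names mapped to something other than a loopback address.  Because the
    hosts file is consulted before DNS, each of these silently replaces the
    DNS answer for that name on this machine."""
    result: Dict[str, str] = {}
    for address, names in entries:
        if ipaddress.ip_address(address).is_loopback:
            continue
        for n in names:
            result.setdefault(n.lower(), address)   # keep the first (effective) one
    return result


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("localhost", "heather", "iso", "www.example.com", "nowhere"):
        print(f"{name:18} -> {resolve(table, name)}")
    print("overrides:", non_loopback_overrides(table))
```

Run against the real file (/etc/hosts, or %systemroot%\system32\drivers\etc\hosts on Windows 2000) by reading it into `parse_hosts` instead of the constructed sample; any name in the override list that you did not put there deserves a look.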
EXERCISE 5.1
Modifying the Linux hosts file In this exercise, you will add entries to a hosts file to access local hosts using Linux.
1. Log on as root.
2. You will open and modify the /etc/hosts file using the vi text editor. At the command prompt, enter:
vi /etc/hosts
3. Move the cursor to the first blank line at the bottom of the hosts file. Select the I key to enter vi’s Insert mode.
4. Enter the IP address of a host on your network. For example, you could enter your Windows 2000 System A IP address, such as 192.168.3.11.
Chapter 5
Domain Name System
5. Press the spacebar to create a space after the IP address. On the same line, enter a fictitious host name for this IP address. For example, you could enter www.sybexrocks.com, heather, or yourname.com.
6. Press the spacebar to create another space after the fictitious host name. On the same line, enter an alias for the host name (optional).
7. Your host’s entry should be formatted so that it resembles the following example:
192.168.3.11 www.sybexrocks.com heather
8. Press the Esc key to exit vi’s Insert mode. Write and quit the file by entering:
:wq
9. At the command prompt, ping the fictitious host name you created. For example, enter:
ping www.sybexrocks.com
or
ping heather
You should successfully ping the IP address of the host on your subnet. The hosts file resolves the name locally, so any host name you choose can be used.
10. Edit the hosts file to include another host. When finished experimenting, remove the host entries you added. They might interfere with the upcoming DNS exercises.
EXERCISE 5.2
Modifying the Windows 2000 hosts file In this exercise, you will add entries to a hosts file to access local hosts using Windows 2000.
1. Log on as administrator.
2. Open Windows 2000 Explorer. Access the hosts file at:
%systemroot%\system32\drivers\etc
3. Double-click the hosts file and open it using Notepad.
4. A loopback address should appear. If not, the first host entry should be:
127.0.0.1 localhost
5. For the next entry, enter the IP address of a host on your subnet (e.g., System B). Follow it with a fictitious host name for this IP address. For example, you could enter www.cybexrocks.com, heather, or yourname.com. Enter an alias for the host name (you can enter several). For example:
192.168.3.11 www.cybexrocks.com heather crayon
6. Save and exit the hosts file.
7. At the command prompt, ping the fictitious host name you created. For example, enter:
ping www.cybexrocks.com
or
ping heather
or
ping crayon
You should successfully ping the IP address of the host on your subnet. The hosts file resolves the name locally, so any host name you choose can be used.
8. Edit the hosts file to include another host. When finished experimenting, remove all the host entries you added. They might interfere with the DNS in further exercises.
DNS
The Domain Name System was invented in 1984 by Paul Mockapetris in response to the difficulty he was having managing the hosts table. It is the Internet’s system for linking all the host names and IP addresses on the Internet. DNS is a distributed database that exists on name servers across the Internet and it is a decentralized system: It does not depend on one source for updates, and one server does not store all the data. These days the ICANN is responsible for DNS management.
DNS Hierarchy
DNS is hierarchical and distributed. It consists of three levels—root-level, top-level, and second-level domains—and is often referred to as the domain name space. Figure 5.1 shows the domain name space.
FIGURE 5.1 Domain name space (a tree: the root, written ".", above the top-level domains ie, se, com, mx, net, and ch; the second-level domain xyz below com with the hosts user1 and ftp; the second-level domain iso below ch with the hosts user2 and www)
Following is a description of each level in the DNS hierarchy. When considering the hierarchy of DNS names, it is important to remember that the hierarchy from top to bottom reads from right to left. That is, if you want to examine a domain name, the highest hierarchies are furthest to the right.
Root-level domain  Top of the hierarchy. The root-level domain contains entries for all the primary or master servers (discussed in the next section) for each top-level domain. The root-level domain is updated daily and replicated on servers across the Internet. It is expressed by a period (.). This period is usually removed from the end of domain names (for example, www.company.com instead of www.company.com.).
Top-level domain One level below the root-level domain. The top-level domain consists of categories found at the end of domain names, such as .com or .uk. It divides domains into organizations (.org), businesses (.com), countries (.uk), and other categories. The top-level Internet domains are described in Tables 5.1 through 5.3. The first seven domains are associated with the United States and are assigned by the InterNIC. However, the majority of top-level domains are country codes. Each country assigns domain names using its own standards. The third type of top-level Internet domains is designated by category; these domains were recently approved by the ICANN.
TABLE 5.1 Top-Level Internet Domains—Original

Top-Level Domain—Original   Description
com                         Commercial organizations
edu                         Educational institutions
gov                         Government institutions
mil                         Military
net                         Network support centers (ISPs)
org                         Other organizations (originally nonprofit)
int                         International organizations (rarely used; country codes used instead)
TABLE 5.2 Top-Level Internet Domains—ISO Country Codes

Top-Level Domain—Country Codes   Description
au                               Australia
ca                               Canada
ch                               Switzerland
fr                               France
ie                               Ireland
mx                               Mexico
se                               Sweden
uk                               United Kingdom
us                               United States

TABLE 5.3 Top-Level Internet Domains—Categories

Top-Level Domain—Categories   Description
aero                          Travel industry
biz                           Businesses
coop                          Cooperatives
info                          Content and research-related sites
museum                        Museums
name                          Personal Web addresses
pro                           Professional
Second-level domain  One level below the top-level domain. Second-level domains include the businesses and institutions that register their domain names with the top-level domains (through their respective registrars). Second-level domains include registered names such as:
iso.ch
amazon.com
Second-level domains can also be categories of top-level domains. For example, the United States domain (us) is categorized into a second-level domain for each state, such as California:
ca.us
Companies and academic institutions in the United Kingdom are also categorized, as shown respectively:
co.uk
ac.uk
Finally, second-level domains can be subdivided into subdomains. For example, a subdomain of company.com may be:
sales.company.com
A host computer of that subdomain may be identified as:
user1.sales.company.com
DNS Components
DNS consists of two key components: the server component, called the Name Server, and the client component, called the Name Resolver or just “resolver.” The entire hierarchy that has been described above is made up of name servers, but each of those performs both client and server functions of DNS. All systems that use DNS must have a resolver, the software on the client that makes the DNS requests. It is important to recognize the separate components, client and server, and their roles and labels, particularly when troubleshooting a failed name resolution.
Name server  A server that supports name-to-address translation and runs the DNS service, responding to requests for domain name information.
Name resolver  Software that uses the services of one or more name servers to resolve an unknown request. For example, if a host requests www.novell.com, and the DNS server does not have the name information, it will use the name resolver software to ask another name server on the DNS hierarchy. DNS clients and servers use name resolver software. In Unix, the resolver is actually a group of routines that resides in the C library /usr/lib/libc.a. In Windows, the TCP/IP properties have a DNS section that must be configured with the IP addresses of the DNS servers. For both Unix and Windows, names may be resolved locally (on the client system, without querying a DNS server) if the requested host is listed in the hosts file, described in detail above.
DNS Server Types
DNS follows the standard client/server model: The client makes a request, and the server attempts to fulfill that request. DNS servers can fill several different roles, depending on the organization’s needs. No matter what role the server takes, the client must specify the name server’s domain name or IP address. The following server types are included in the DNS model:
Root server
Primary or master server
Secondary or slave server
Caching and caching-only server
Forwarding server
Root Server
A root server can identify all top-level domains on the Internet. If a client requests information about a host in another domain, any server (except the slave server) can communicate that request to the root server. The list of Internet root servers can be obtained at ftp.rs.internic.net/domain/named.ca. Some root servers that exist on the Internet are:
a.root-servers.net. (formerly ns.internic.net.)
b.root-servers.net. (formerly ns1.isi.edu.)
c.root-servers.net. (formerly c.psi.net.)
d.root-servers.net. (formerly terp.umd.edu.)
e.root-servers.net. (formerly ns.nasa.gov.)
f.root-servers.net. (formerly ns.isc.org.)
Note that the period (.) at the end of each root server name specifies that the server name is the absolute domain name. Without the period, the server name is relative to the current domain.
Primary or Master Server
A primary server is the authority for a domain and maintains the DNS databases for its zone. The Unix Berkeley Internet Name Domain (BIND) community calls a primary server a master server. You will learn about BIND in this chapter. Companies and ISPs that implement their own DNS and participate on the Internet require a primary server. A primary server loads its database from a file on a local disk. This file is called the DNS zone file. It contains the set of records for a domain. Administrators add hosts to a domain by typing records into this file. For example, if your DNS server is the primary server for company.com, you would enter your users (user1.company.com) and services, such as mail servers (pop3.company.com) and file servers (content.company.com), and their respective IP addresses into the company.com zone file. Microsoft DNS uses a GUI for adding hosts to the zone. Unix BIND requires text file entries. A primary server can be the primary server for multiple domains; it can also be a primary server for some domains and a secondary server for others.
Secondary or Slave Server
A secondary server receives its authority and database from the primary server. The Unix BIND community calls a secondary server a slave server. Secondary servers provide fault tolerance, load distribution, and easier remote name resolution for the primary DNS server. When the secondary server first starts, it requests the zone file for a given domain from the primary server. The secondary server then periodically checks with the primary name server to determine whether it needs to update its data.
Both a primary and a secondary DNS server are required for full DNS registration. If your company is configuring a DNS server for internal use only, a secondary DNS server is not necessary.
For the secondary DNS server to provide fault tolerance, make certain that it is on a separate subnet and physical segment, so that a single hardware failure (e.g. router, hub, or switch) will not affect both primary and secondary DNS servers.
Caching and Caching-Only Server
All servers cache the information they receive until the time specified in the Time To Live (TTL) field expires. A caching server stores the IP-address-to-host-name translation information until the data expires. A caching-only server is not authoritative for any zone. Instead, this server processes queries by asking other servers for information. For instance, if your company does not implement its own DNS, it can use a caching server. If the caching server does not have a cached entry for a certain host, it will forward the request to the primary or secondary DNS server of the ISP that provides DNS service for your company. The caching server will store that entry until the entry expires.
Forwarding Server
Also referred to as forwarders, these servers process recursive requests that slave servers cannot resolve locally. A forwarding server has access to the Internet and can be a primary, secondary, or caching server. The configuration files on slave servers specify which systems the slaves access as forwarders. Without forwarders, your system does not have access to the root servers on the Internet.
DNS Hierarchy Example
You work at company XYZ with the domain name xyz.com. You send an e-mail message to a person at the International Organization for Standardization (ISO), which has the domain name iso.ch. Before your computer sends the message, it needs the IP address of the iso.ch mail server.
1. Your computer sends a DNS request to your configured name server.
2. Your name server queries itself for the requested entry. If the entry does not exist in its cache, it will forward the request to the Internet’s root servers.
3. A root server will send your name server the reference information for the requested domain’s (iso.ch) primary and secondary name servers.
4. Your name server will query the iso.ch primary (or secondary) name server for the requested record. The request will be fulfilled with the iso.ch name server sending the requested IP address.
5. Your name server will provide your computer with your request’s IP address.
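The five steps above, together with the TTL-bounded caching described under Caching and Caching-Only Server, as an added Python simulation; this is not code from the book. Each simulated server holds only its own zone, so the configured name server has to follow referrals from the root down to the iso.ch server, and it keeps the answer until the record's TTL has run out. Apart from a.root-servers.net. and the book's www.iso.ch address, every server name, address and TTL is constructed; glue records are left out (a server is reached by its name), and the MX lookup that would normally precede finding a mail host is skipped, so the client asks directly for the A record of mail.iso.ch.

```python
"""Simulate the lookup walked through in the chapter.  Added example, not
code from the book; names, addresses and TTLs other than a.root-servers.net.
and www.iso.ch 195.49.35.195 are constructed."""
import time
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str, int]          # (type, rdata, ttl in seconds)

# Each simulated server knows only its own zone: the root knows the name
# servers of the top-level domains, the ch server knows the name servers of
# second-level domains beneath it, and ns.iso.ch. is authoritative for iso.ch.
ZONES: Dict[str, Dict[str, Record]] = {
    "a.root-servers.net.": {"ch.": ("NS", "ns.nic.ch.", 172800)},
    "ns.nic.ch.":          {"iso.ch.": ("NS", "ns.iso.ch.", 86400)},
    "ns.iso.ch.": {
        "www.iso.ch.":  ("A", "195.49.35.195", 3600),
        "mail.iso.ch.": ("A", "195.49.35.200", 3600),
    },
}


def fqdn(name: str) -> str:
    """An absolute name ends in a period; make a relative one absolute."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ancestors(name: str) -> List[str]:
    """Enclosing zones, nearest first: www.iso.ch. -> iso.ch., ch., ."""
    labels = fqdn(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))] + ["."]


def ask_server(server: str, qname: str) -> Tuple[str, str, int]:
    """One query to one server: ('ANSWER', address, ttl) if it holds the A
    record, ('REFERRAL', next_server, ttl) if it only knows the name servers
    of an enclosing zone, otherwise ('NXDOMAIN', '', 0)."""
    zone = ZONES[server]
    if qname in zone and zone[qname][0] == "A":
        return ("ANSWER",) + zone[qname][1:]
    for parent in ancestors(qname):           # longest enclosing zone first
        if parent in zone and zone[parent][0] == "NS":
            return ("REFERRAL",) + zone[parent][1:]
    return "NXDOMAIN", "", 0


class CachingResolver:
    """The client's configured name server: step 2 checks the cache, steps 3
    and 4 follow referrals from the root to the authoritative server, and the
    answer is cached until its TTL expires before being returned (step 5)."""

    def __init__(self, root: str = "a.root-servers.net.",
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.root, self.clock = root, clock
        self.cache: Dict[str, Tuple[str, float]] = {}   # qname -> (address, expiry)

    def lookup(self, name: str) -> Tuple[Optional[str], List[str]]:
        """Return (address or None, servers asked in order); [] is a cache hit."""
        qname, now = fqdn(name), self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], []
        server, trail = self.root, []
        for _ in range(8):                    # bound the referral chain
            trail.append(server)
            if server not in ZONES:
                break                         # referred to a server we cannot reach
            kind, value, ttl = ask_server(server, qname)
            if kind == "ANSWER":
                self.cache[qname] = (value, now + ttl)
                return value, trail
            if kind != "REFERRAL":
                break                         # NXDOMAIN
            server = value
        return None, trail


if __name__ == "__main__":
    resolver = CachingResolver()
    print(resolver.lookup("mail.iso.ch"))    # walks root -> ch -> iso.ch
    print(resolver.lookup("mail.iso.ch"))    # answered from cache, no servers asked
```

The trail returned by `lookup` is the list of servers the name server had to contact; an empty trail is a cache hit, which is exactly the difference between step 2 succeeding and steps 3 and 4 being needed.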
DNS Records
Every domain consists of DNS records. A DNS record is an entry in a DNS database (on a primary server) that provides additional routing and resolution information. Many different types of records can be configured, but only a few are needed for full address resolution and routing. Table 5.4 lists the most common DNS records.

TABLE 5.4 Common DNS Records

DNS Record                 Function
Internet (IN)              Identifies Internet records; precedes most DNS record entries.
Name Server (NS)           Identifies DNS servers for the DNS domain. This record is automatically created when you create a new primary zone.
Start Of Authority (SOA)   Identifies the DNS server that is the best source of information for the DNS domain. Because several backup DNS servers may exist, this record identifies the primary server for the specified DNS domain.
Address (A)                The most commonly used record; associates a host to an IP address. For example, you can establish an association between an IP address and a web server by creating an address record.
Canonical Name (CNAME)     Creates an alias for a specified host. For example, server1.company.com can be given the canonical name “WWW” (web servers are commonly named WWW). A CNAME record creates an alias to the server1.company.com host.
Mail Exchanger (MX)        Identifies a server used to process and deliver e-mail for the domain.
Pointer (PTR)              Performs reverse DNS lookups. Typically, DNS resolves a host name to an IP address. The PTR record allows DNS to resolve an IP address to a host name.
These records are the most common and widely used. Many other types of records can be created with DNS for different functions.
Unix and DNS
The most common implementation of Unix DNS is the Berkeley Internet Name Domain (BIND). In BIND, DNS is implemented using the following database files with the “named” service:
named.ca
named.local
domain_name.hosts
rev.domain_name.hosts
named.boot
Domain_name is the domain that the DNS server supports. The following sections discuss these files in more detail.
named.ca
The named.ca (name daemon cache) file holds information on root name servers that is needed to initialize the cache of internal domain name servers. It is located on your machine at /var/named/named.ca. To ensure that your file is current, check the InterNIC root server file at ftp.rs.internic.net/domain/named.ca. The named.ca file resembles the following (root servers exist for A through M):

;       formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
;       formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
;       formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.1
;
;       formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
named.local
The named.local file is required to cover the loopback network. You use the loopback network when you ping the local host. The administrator is responsible for performing this network mapping for the local host. This file is located in the /var/named directory. Perhaps the best way to explain the contents of named.local is by the following example:

; Contains local host name information
@ IN SOA ngtclassic.ngt.com. root.ngt.com. (
        94073101  ; serial#, date & edition
        36000     ; refresh time in sec.
        3600      ; retry after one hour
        3600000   ; expire after 1000 hours
        36000 )   ; default ttl is 10 hours
  IN NS ngtclassic.ngt.com.
1 IN PTR localhost.

Table 5.5 explains each of the entries found in the previous example.

TABLE 5.5 Summary of named.local Entries

Entry                      Explanation
@                          A variable defined in the named.boot and named.conf files. The domain is assigned to this parameter. In the above example, @ has the value ngt.com.
ngtclassic.ngt.com         Name of the server that holds the DNS records. This entry must be defined in the hosts file.
root.ngt.com               The e-mail address for the person responsible for the DNS server. The e-mail address is root@ngt.com, not root.ngt.com, because the @ symbol is reserved, as explained in the first entry of this table.
serial                     Used for notifying the secondary servers, and so forth, that the primary server has been updated. The value is incremented each time a change is made to the primary server.
refresh                    This value determines how often the secondary servers need to contact the primary servers for updates.
retry                      If the secondary server fails to contact the primary server, it will wait a specified period of time as defined by retry before attempting to contact the primary server.
expire                     Determines how long the secondary server will store its DNS records; after that period of time they are discarded.
IN NS ngtclassic.ngt.com   Identifies that the authoritative name server is ngtclassic.ngt.com.
1 IN PTR localhost         Reverse lookup for the localhost address, which is 127.0.0.1. An entry for localhost must be in your hosts file, as well.
domain_name.hosts
The domain_name.hosts file lists the IP addresses of all machines in the domain (where domain_name is the domain that the DNS server will support). This file must be created by the root user in the directory /var/named. The domain_name.hosts file resembles the following:

@ IN SOA ngtclassic.ngt.com. root.ngt.com. (
        94073101 ;
        36000 ;
        3600 ;
        3600000 ;
        36000 )
  IN NS ngtclassic.ngt.com.
ngtsol IN A 192.136.118.220
ngtcs1 IN A 192.136.118.231
rev.domain_name.hosts
The rev.domain_name.hosts file contains address-to-name mappings in the reverse order (where domain_name is the domain the DNS server will support). This file must also be created by the root user in the directory /var/named. The rev.domain_name.hosts file resembles the following (note the trailing period on every name, so that it is not read relative to the reverse zone):

@ IN SOA ngtclassic.ngt.com. root.ngt.com. (
        94073101 ;
        36000 ;
        3600 ;
        3600000 ;
        36000 )
  IN NS ngtclassic.ngt.com.
220 IN PTR ngtsol.ngt.com.
231 IN PTR ngtcs1.ngt.com.
named.boot (BIND version 4)
This file holds the initialization parameters required for the named daemon. Red Hat Linux versions earlier than 5.2 use the BIND version 4 initialization file, which is called named.boot. The named.boot file resembles the following, which is an example for the domain ngt.com. All IP addresses in this domain are of the format 192.168.120.X.

domain    ngt.com
directory /var/named
primary   ngt.com                    ngt.hosts
primary   120.168.192.IN-ADDR.ARPA   rev.ngt.hosts
primary   0.0.127.IN-ADDR.ARPA       named.local
cache     .                          named.ca

Table 5.6 explains each of the entries found in named.boot.

TABLE 5.6 Summary of named.boot Entries

Entry                                            Explanation
domain                                           Refers to the domain name; in this example, ngt.com.
directory                                        Indicates where all the DNS files required by the named daemon are located.
primary ngt.com ngt.hosts                        Identifies the file to be used for hostname-to-IP-address resolution.
primary 120.168.192.IN-ADDR.ARPA rev.ngt.hosts   Identifies the file to be used for IP-address-to-host-name resolution. Note that 120.168.192 is the reverse of the IP address 192.168.120.X.
primary 0.0.127.IN-ADDR.ARPA named.local         Identifies the file to be used for the loopback address.
cache . named.ca                                 Identifies the file that holds information about the root servers.
named.conf (BIND Version 8)
The named.conf file holds the initialization parameters required for the named daemon. Red Hat Linux versions 5.2 and later use the BIND version 8 initialization file, which is called named.conf. The named.conf file resembles the following, which is an example for the domain ngt.com. All IP addresses in this domain are of the format 192.168.120.X.

options {
        directory "/var/named";
};
zone "ngt.com" {
        type master;
        file "ngt.hosts";
};
zone "120.168.192.IN-ADDR.ARPA" {
        type master;
        file "rev.ngt.hosts";
};
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "named.local";
};
zone "." {
        type hint;
        file "named.ca";
};

Table 5.7 explains each of the entries found in any named.conf file.

TABLE 5.7 Summary of named.conf Contents

Entry                                  Explanation
options {                              Indicates the location of all the DNS files required by the named daemon.
        directory "/var/named";
};
zone "ngt.com" {                       Identifies the file to be used for host-name-to-IP-address resolution.
        type master;
        file "ngt.hosts";
};
zone "120.168.192.IN-ADDR.ARPA" {      Identifies the file to be used for IP-address-to-host-name resolution. Note that 120.168.192 is the reverse of the IP address 192.168.120.X.
        type master;
        file "rev.ngt.hosts";
};
zone "0.0.127.IN-ADDR.ARPA" {          Identifies the file to be used for the loopback address.
        type master;
        file "named.local";
};
zone "." {                             Identifies the file that holds information on the root servers.
        type hint;
        file "named.ca";
};
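How domain_name.hosts, rev.domain_name.hosts and the zone names in named.boot / named.conf fit together, as an added Python example (not code from the book or from BIND): it reads a forward zone written in the style of the files above, derives the IN-ADDR.ARPA zone name and the PTR lines for the reverse file from the A records, and shows what a name without a trailing period actually expands to once the origin (the @ value) is appended. The zone text, the 192.168.120.0/24 network and the deliberately unterminated reverse zone are constructed to resemble the ngt.com example.

```python
"""Derive the reverse zone from a forward zone and expose the trailing-period
mistake.  Added example, not code from the book or from BIND; the zone text
below is constructed to resemble the chapter's ngt.com files."""
import ipaddress
import re
from typing import List, Tuple

# Constructed forward zone (domain_name.hosts style).  The origin is the
# value of @, which named.boot / named.conf supply for the file.
ORIGIN = "ngt.com."
FORWARD_ZONE = """\
@        IN SOA ngtclassic.ngt.com. root.ngt.com. (
                94073101   ; serial
                36000      ; refresh
                3600       ; retry
                3600000    ; expire
                36000 )    ; minimum
         IN NS  ngtclassic.ngt.com.
ngtsol   IN A   192.168.120.220
ngtcs1   IN A   192.168.120.231
www      IN CNAME ngtcs1
"""

# Constructed reverse zone in which every name lacks its trailing period.
REV_ORIGIN = "120.168.192.IN-ADDR.ARPA."
REVERSE_ZONE_BUGGY = """\
@     IN NS  ngtclassic.ngt.com
220   IN PTR ngtsol.ngt.com
231   IN PTR ngtcs1.ngt.com
"""

Record = Tuple[str, str, str]          # (owner, type, rdata)
RR_RE = re.compile(r"^(\S*)\s+(?:IN\s+)?(A|NS|CNAME|PTR|MX)\s+(\S+)", re.I)


def qualify(name: str, origin: str) -> str:
    """Zone-file name rules: '@' is the origin, a name ending in '.' is
    absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(zone_text: str, origin: str) -> List[Record]:
    """Return (owner, type, rdata) for the simple record types; the SOA block
    and comments are skipped.  An empty owner field repeats the previous owner."""
    records: List[Record] = []
    owner = origin
    for raw in zone_text.splitlines():
        m = RR_RE.match(raw.split(";", 1)[0])     # strip the comment first
        if not m:
            continue
        name, rtype, rdata = m.groups()
        if name:
            owner = qualify(name, origin)
        records.append((owner, rtype.upper(), rdata))
    return records


def reverse_zone_name(network: str) -> str:
    """192.168.120.0/24 -> 120.168.192.IN-ADDR.ARPA., the zone name that
    appears in named.boot / named.conf for that network."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("octet-aligned (/8, /16, /24) reverse zones only")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".IN-ADDR.ARPA."


def build_reverse_records(records: List[Record], network: str) -> List[str]:
    """One PTR line per A record inside the network: the owner is the host
    part of the address written backwards, the target the absolute host name."""
    net = ipaddress.ip_network(network, strict=False)
    keep = 4 - net.prefixlen // 8                 # octets not covered by the zone
    lines = []
    for owner, rtype, rdata in records:
        if rtype == "A" and ipaddress.ip_address(rdata) in net:
            host_part = ".".join(reversed(rdata.split(".")[-keep:]))
            lines.append(f"{host_part:<8} IN PTR {owner}")
    return lines


def relative_targets(records: List[Record], origin: str) -> List[Tuple[str, str, str, str]]:
    """Name-valued rdata (NS, CNAME, MX, PTR) without a trailing period is
    relative and silently becomes rdata + origin.  Return (owner, type, as
    written, as read) so the administrator can see whether that was intended."""
    out = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "CNAME", "MX", "PTR") and not rdata.endswith("."):
            out.append((owner, rtype, rdata, qualify(rdata, origin)))
    return out


if __name__ == "__main__":
    recs = parse_records(FORWARD_ZONE, ORIGIN)
    zone_name = reverse_zone_name("192.168.120.0/24")
    print(f'zone "{zone_name}" {{ type master; file "rev.ngt.hosts"; }};')
    print("\n".join(build_reverse_records(recs, "192.168.120.0/24")))
    for owner, rtype, written, read in relative_targets(
            parse_records(REVERSE_ZONE_BUGGY, REV_ORIGIN), REV_ORIGIN):
        print(f"{owner} {rtype} {written} is read as {read}")
```

The last loop is the instructive part: in the buggy reverse zone, `ngtclassic.ngt.com` is read as `ngtclassic.ngt.com.120.168.192.IN-ADDR.ARPA.`, which is why the zone files earlier in this section terminate every name with a period. In the forward zone the one relative target, the CNAME to `ngtcs1`, expands to `ngtcs1.ngt.com.`, which is what was meant, so a relative name is not always a mistake; it just has to be the name you intended.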
resolv.conf
The resolv.conf file is configured on DNS client systems. It contains the domain name and IP address of the name server. It is located at /etc/resolv.conf and should resemble the following:

domain ngt.com
nameserver 192.136.118.54

Table 5.8 summarizes the files used in the Linux BIND name server implementation.

TABLE 5.8 Summary of Linux BIND Name Server Files

Filename                                                    Location      Function
named.ca                                                    /var/named/   Holds information about root name servers that is needed to initialize the cache of internal domain name servers.
named.local                                                 /var/named/   Required to cover the loopback network.
domain_name.hosts                                           /var/named/   Lists the IP addresses of all machines in the domain.
rev.domain_name.hosts                                       /var/named/   Contains address-to-name mappings in the reverse order.
named.boot (BIND version 4) / named.conf (BIND version 8)   /etc          Used by the named daemon to start the primary server.
resolv.conf                                                 /etc          Configured on DNS client systems.
EXERCISE 5.3
Configuring a Linux DNS primary server In this exercise, you will configure a DNS server for the psybecks.com domain. You will configure one machine with the named service that came with Red Hat Linux. The other machine will be configured as a Linux DNS client. The named daemon should have been installed during Linux installation.
1. Log on as root.
2. Make sure all entries except the loopback address are removed from the hosts file.
Note: Complete the remaining steps on the designated DNS server only.
3. Verify that the named daemon is configured to run on bootup. To check, access the Linux bash prompt (#) and run the ntsysv utility at:
/usr/sbin/ntsysv
4. Make sure the DNS service “named” is checked. Select OK. Reboot the machine if necessary and log on as root.
5. Access the file named.ca at:
/var/named/named.ca
6. Open the file using the vi text editor by entering:
vi named.ca
7. Browse the Internet root servers with the arrow keys. How many root servers are listed? How are they categorized?
8. Quit the named.ca file by entering:
:q
9. In the same directory, use vi to open the file named.local. Enter:
vi named.local
10. View the named.local file. The root account on the local host will be the Start Of Authority (SOA). The Name Server (NS) and the loopback Pointer (PTR) will be set to the local host because the DNS server is running on this system. (You can also add your domain, psybecks.com., instead of local host.) The file should match the following:
@ IN SOA localhost. root.localhost. (
        1997022700 ; serial
        28800      ; refresh
        14400      ; retry
        3600000    ; expire
        36000 )    ; minimum
  IN NS localhost.
1 IN PTR localhost.
Tech Note: FQDNs must end in a period. In this exercise, you are using localhost. The leading cause of DNS mistakes is missing or incorrectly placed periods.
11. To quit the file, you must access vi’s command mode by pressing the Esc key. Then, to quit the file, enter:
:q
12. The next file, domain_name.hosts, must be created in the same directory. To save time, make a copy of the named.local file because much of the data is duplicated. At the bash prompt (#), enter:
cp named.local psybecks.hosts
A second copy of named.local is created and renamed psybecks.hosts.
13. Edit psybecks.hosts by entering:
vi psybecks.hosts
14. Enter vi’s edit mode and add both System A and System B’s IP addresses and host names. Note that the PTR localhost has been removed. Your psybecks.hosts file should resemble the following, except for the actual system and network numbers:
@ IN SOA localhost. root.localhost. (
        1997022700 ; serial
        28800      ; refresh
        14400      ; retry
        3600000    ; expire
        36000 )    ; minimum
  IN NS localhost.
SystemA IN A 192.168.Z.Y
SystemB IN A 192.168.Z.U
15. When you are finished with psybecks.hosts, press the Esc key. Enter:
:wq
This will save (write) and close the file.
16. The next file, rev.domain_name.hosts, will also be created in the /var/named directory. At the bash prompt (#), enter:
cp psybecks.hosts rev.psybecks.hosts
17. A second copy of psybecks.hosts is created and renamed rev.psybecks.hosts.
18. Edit rev.psybecks.hosts by entering:
vi rev.psybecks.hosts
19. Use vi’s edit mode to change the hosts to the reverse order. Your rev.psybecks.hosts file should resemble the following, except for the actual system and group numbers:
@ IN SOA localhost. root.localhost. (
        1997022700 ; serial
        28800      ; refresh
        14400      ; retry
        3600000    ; expire
        36000 )    ; minimum
  IN NS localhost.
A IN PTR SystemA.psybecks.com.
B IN PTR SystemB.psybecks.com.
20. When you are finished with rev.psybecks.hosts, press the Esc key. Enter:
:wq
This will write and close the file.
21. The last DNS server file to configure is the initialization file for the named daemon. If you are using Red Hat 5.2 or later, advance to Step 25. If you are using a version of Red Hat Linux that is earlier than version 5.2, proceed with the next step and continue until Step 24. You can then advance to Step 29. For these earlier versions, the initialization file is named.boot. Access the file at:
/etc/named.boot
22. Open the file with vi by entering: vi named.boot
23. Use the vi edit mode to change the named.boot file to match the following (add your group number and network number):
domain    classroomX.com
directory /var/named
primary   psybecks.com             psybecks.hosts
primary   Z.168.192.IN-ADDR.ARPA   rev.psybecks.hosts
primary   0.0.127.IN-ADDR.ARPA     named.local
cache     .                        named.ca
24. When you are finished, press the Esc key. Enter: :wq This will write and close the file.
25. The following steps (25 through 28) are for Red Hat version 5.2 or later. Advance to Step 29 if you are using a version of Red Hat earlier than 5.2.
This file holds the initialization parameters required for the named daemon:
/etc/named.conf
26. Open the file with vi by entering: vi named.conf
27. Use the vi edit mode to change the named.conf file to match the following, adding your group number and network number in the appropriate areas:
options {
        directory "/var/named";
};
zone "psybecks.com" {
        type master;
        file "psybecks.hosts";
};
zone "Z.168.192.IN-ADDR.ARPA" {
        type master;
        file "rev.psybecks.hosts";
};
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "named.local";
};
zone "." {
        type hint;
        file "named.ca";
};
28. When you are finished, select the Esc key. Enter the following: :w This will write the file to disk. Close the file by entering the following:
:q
29. To restart the named daemon, enter the following: ndc restart
EXERCISE 5.4
Configuring a Linux DNS client In this exercise, you will configure a DNS client running Linux.
Note: Complete the following steps on the designated DNS client.
1. Make sure all entries except the loopback address are removed from the hosts file.
2. Access the file resolv.conf at:
/etc/resolv.conf
3. Open the file using the vi text editor. Enter:
vi resolv.conf
4. Use the vi edit mode to change the resolv.conf file. It should match the following, except for the group, network, and student number:
domain psybecks.com
nameserver 192.168.Z.Y
5. When you are finished, press the Esc key. Enter:
:wq
6. To test name resolution, access the Linux bash prompt (#) and ping System B. For example, enter:
ping SystemB
In this syntax, SystemB is another system on the network that you have listed in your DNS files for these exercises. You should be successful. If not, review the data you entered in the DNS server files. This test actually tests both the DNS lookup and the network connection. To separate troubleshooting DNS issues from network problems, ping the IP address, then the host name. If both return errors, or both are successful, then the problem is likely elsewhere. If the IP address ping returns, but the host name ping does not, you have a DNS configuration problem.
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
200 Chapter 5 Domain Name System
EXERCISE 5.4 (continued)
7. Ping the DNS client from the DNS server. Were you successful? Why not? Have you configured the
resolv.conf
file for the DNS
server?
8. Configure the DNS server
resolv.conf
file and ping the DNS client.
You should be successful because you added both yourself and System B to the
psybecks.hosts
and
rev.psybecks.hosts
files.
The DNS server can be its own DNS client.
Windows 2000 and DNS
Windows 2000 Server relies on DNS as its primary name resolution option. This feature is a change from NT 4.0, which favors the Windows Internet Naming Service (WINS). The DNS component of Windows 2000 runs as a service. By default, Windows 2000 installs a caching-only server. Creating your own forward and reverse zones is relatively simple. The service is a fully functional DNS server and can be easily implemented for an intranet. It can also function as a master DNS server that can be registered with the InterNIC. Windows 2000 uses graphical user interface (GUI) tools to create DNS zone files. Each time you use the DNS service interface wizards and dialog boxes, you are either creating a new zone file or creating entries within a zone file. You create and modify entries within zones by manipulating the standard Windows text boxes and radio buttons.
Dynamic DNS
Windows 2000 Server allows you to use its standard version of DNS or its new Dynamic DNS (DDNS) server. Essentially, DDNS allows the DNS server to update itself automatically whenever a DDNS client's host name or IP address changes. Microsoft has, in essence, made its DNS similar to WINS, in that its DNS server can dynamically update itself. DDNS is also documented in RFCs 2535, 2136, and 3007. The client must have the compatible DNS client software installed in order for it to update the DNS server's records. All flavors of Microsoft Windows 2000, for example, have built-in DDNS clients. All clients are automatically configured to search for a DDNS server so that they can participate in DDNS. However, the DDNS feature is not activated by default. Linux systems do not have a DDNS client installed by default, although DDNS clients for Linux are available. However, even systems that are not configured with DDNS can benefit. For example, suppose that a Windows 2000 server named james.sybex.com changes its IP address and reports to a Windows 2000 DNS server with DDNS properly configured. A simple Linux client will still be able to query the Windows 2000 DNS server and get the updated IP information about james.sybex.com. However, suppose that the Linux client now changes its IP information. This unmodified Linux client will not be able to report its changed IP address information to the Windows 2000 server unless it is configured with DDNS software. You will not implement Dynamic DNS in this chapter. This information is included so that you can be aware of its function.
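The "report" a DDNS client sends is a DNS UPDATE message (RFC 2136). The following is an added example, not code from the book: it encodes, with the standard library only, the UPDATE a client would send when james.sybex.com moves to a new address. The zone name sybex.com, the address 192.168.4.20 and the message ID are constructed values, and nothing is transmitted.

```python
"""Wire-format RFC 2136 DNS UPDATE message, built with the standard library.

Added example (not from the book). Shows what a DDNS client sends when a host
such as james.sybex.com gets a new address. Zone, address and message ID are
constructed; the message is only encoded, never sent.
"""
import socket
import struct

OPCODE_UPDATE = 5                 # RFC 2136 section 2: header opcode for UPDATE
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255      # class ANY + TTL 0 + empty RDATA deletes an RRset


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def rr(owner: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id: int, zone: str, host: str, new_ip: str, ttl: int = 3600) -> bytes:
    """UPDATE that replaces every A record of `host` in `zone` with `new_ip`.

    Header counts: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0.
    Update section: (1) delete host's whole A RRset, (2) add host A new_ip.
    """
    flags = OPCODE_UPDATE << 11                       # QR=0, opcode occupies bits 11-14
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete_a = rr(host, TYPE_A, CLASS_ANY, 0, b"")
    add_a = rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(new_ip))
    # RFC 2136 carries no authentication of its own; servers that accept updates
    # normally require TSIG signatures (RFC 2845) or restrict which hosts may send them.
    return header + zone_section + delete_a + add_a


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header so a message can be inspected."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}


if __name__ == "__main__":
    update = build_update(0x1234, "sybex.com", "james.sybex.com", "192.168.4.20")
    print(parse_header(update))
    print(update.hex())
```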
EXERCISE 5.5
Installing a Windows 2000 master (primary) DNS server
In this exercise, you will install the Windows 2000 DNS service on your system.
1. To add the DNS service, select Start > Settings > Control Panel > Add/Remove Programs. Click Add/Remove Windows Components from the left-hand menu. The Windows Components Wizard opens.
2. Scroll down and highlight Networking Services and click the Details button. Select the Domain Name System (DNS), then select OK.
3. Click the Next button. The DNS service installs. The installation might require the latest service pack disk. When the Wizard is complete, click Finish. Select the Close button to exit the Add/Remove Programs window. No restart is required. Your computer is now a DNS server.
EXERCISE 5.6
Creating a Windows 2000 DNS server zone
In this exercise, you will create a master DNS server on your Windows 2000 system. This exercise uses a fictional server zone called student10 in a domain called classroom.com, but you may substitute your own server zone if you like.
1. Note the fully qualified domain name for your Windows 2000 system.
2. Note your IP address.
Note: This IP address is the address of your master (i.e., primary) DNS server.
3. Highlight and expand the icon that represents your computer by clicking the + icon. You should see the forward and reverse zone icons. In the right pane, you should see a message entitled Configure The DNS Server.
4. Click the Forward Lookup Zone icon.
5. Right-click the Forward Lookup Zone icon, then click the New Zone button.
6. The New Zone Wizard will appear, as shown below.
7. Click Next.
8. Select the Standard Primary radio button if it is not already selected by default.
9. Select Next.
10. The Zone Name section will appear. Enter the name of the domain you selected in Step 1 (e.g., student10.com).
11. Click Next.
12. When the Zone File section appears, notice that the name of the zone file is already in the Create A New File With This File Name field. Leave this default, then click Next.
13. You will be informed that the zone is complete. Review the settings, then click Finish.
14. You will return to the DNS MMC snap-in. You should now see the new zone you have created, as shown below. This example shows the student10.com zone added to the student10 machine.
15. Click the icon for the zone you just created. Use your own given DNS information. For example, if you are using the student10.com domain as shown in the preceding figure, select the student10.com icon.
16. You should see two new files in the right window, as shown in the next illustration. These files tell you how this zone is configured. The first file is the Start Of Authority (SOA) record. The second is the Name Server (NS) record for this zone.
17. Double-click the Start Of Authority entry. You will see a dialog box that resembles the following.
18. You will see your own zone information. From this point, you can customize any of the values presented, including the refresh and retry intervals, the expiration date, and the TTL information. Note the additional tabs. Each is designed to customize how this particular zone operates. Leave all default settings for now.
19. Select the General tab. This tab further configures universal settings for the zone. These settings override the global settings you viewed in a previous exercise. Notice the Allow Dynamic Updates dropdown box. This feature allows your zone to use DDNS. Leave this setting at No (the default) for now.
20. Click Cancel.
In the previous exercise, you created a primary zone and viewed the available settings. In the next exercise, you will create host entries.
EXERCISE 5.7
Creating Windows 2000 DNS records
In this exercise, you will create static DNS records on the primary Windows 2000 DNS server, beginning with a record for System B, the Windows 2000 system.
1. In the DNS MMC snap-in, expand the icon for your computer name, then expand the Forward Lookup Zone icon.
2. Highlight the zone you created in the preceding exercise.
3. Windows 2000 DDNS will create a dynamic entry for all DDNS-compliant clients in your zone with DDNS enabled, but it is still useful to create static entries for the machine that is the primary DNS server. Right-click the new forward lookup zone and select New Host, as shown below.
4. The New Host dialog box will appear, as shown below.
5. In the Name section, enter student10, or the server name for the DNS zone that you created in the previous exercise, which is also your primary DNS server. Do not add the domain part of the name when creating the address record. The domain is automatically appended to the host name.
6. In the IP Address section, enter the IP address of your computer. Warning: Do not select the Create Associated Pointer (PTR) Record entry. You have not yet created a reverse DNS lookup zone, and Windows 2000 will return an error.
7. Click the Add Host button.
8. Click OK to acknowledge that you have created the host entry.
9. Click Done to enter the record into the DNS database.
10. Right-click your zone icon again and select the Other New Records option.
11. Scroll down the list and click the CNAME option.
12. Click the Create Record button.
13. When the New Resource Record dialog box appears, enter www in the Alias Name (Uses Parent Domain If Left Blank) text box.
14. In the Fully Qualified Name For Target Host field, enter your FQDN (w2k.student10.com, or a name appropriate to the domain you selected).
15. Click OK.
16. Click Done. You will see that a new CNAME record has been created.
17. Repeat the relevant steps to create a record for another system on your network, as well as CNAME records for at least two systems.
18. After you have added records for three additional systems, create an alias (i.e., a CNAME entry) called sybex for one of the hosts.
Note: You can assign the alias to a host name that is not part of the current domain. For example, you could assign the alias to the host name server1.company.com.
In the previous exercise, you created DNS records on your Windows 2000 DNS server. In the next exercise, you will configure your server as a client to itself so you can test your master server.
EXERCISE 5.8
Configuring a Windows 2000 client
1. Log on as Administrator.
2. Right-click the My Network Places icon and select Properties. The Network And Dial-up Connections dialog box appears.
3. Right-click the Local Area Connection icon and select Properties.
4. Highlight the Internet Protocol (TCP/IP) icon, then select the Properties button to access the General tab.
5. Make sure the Use The Following DNS Server Addresses radio button is selected.
6. Enter your own server's IP address in the Preferred DNS Server field.
7. Click the Advanced button.
8. Select the DNS tab.
9. Make sure that the Append These DNS Suffixes (In Order) dialog box is selected.
10. Select the entry in the Append These DNS Suffixes (In Order) and click the Edit button. The TCP/IP Domain Suffix dialog box appears.
11. Enter the domain name you selected in an earlier exercise. If, for example, you are in the student10.com domain, enter student10.com in this field.
12. Click OK.
13. In the DNS Suffix For This Connection field, enter the same domain name (e.g., student10.com, if this is your assigned domain name).
14. Click OK, then click OK twice more to return to the Network And Dial-up Connections window. Minimize this window.
15. Right-click the My Computer icon and select Properties.
16. Select the Network Identification tab, then click the Properties button.
17. Your system should read student10, unless you are using a second Windows 2000 system as the client system on your network.
18. Click the More button.
19. Change the Primary DNS Suffix Of This Computer field to read student10.com, or the domain name selected in a previous exercise.
20. Click OK twice.
21. Click OK to acknowledge that you must restart your system.
22. Click OK again, then click Yes to restart your system.
23. When your system restarts, log on and test your DNS server. Open a Command Prompt window and ping your own system by using its FQDN (e.g., student10.student10.com) and then its CNAME entry of www.
24. You should be successful. If not, review the data you entered in the DNS server configuration.
Note: If you are not successful, retrace the steps of this exercise and the previous exercise. Have you configured the DNS server as a DNS client?
25. Open a Command Prompt window and ping the remote host named sybex (you created this CNAME alias earlier) as shown:
ping sybex
26. Open Event Viewer by selecting Start > Programs > Administrative Tools > Event Viewer.
27. Select the DNS Server icon. View any messages that have been generated by double-clicking them. You should see entries concerning the records you have created. If any problems exist, the system will notify you about these, as well.
28. Exit Event Viewer.
In the previous exercise, you configured a master DNS server in Windows 2000. However, you cannot use nslookup efficiently yet because you need to add a reverse lookup zone.
EXERCISE 5.9
Creating a reverse lookup DNS zone and associated records for the master (primary) server
In this exercise, you will create reverse lookup DNS records on your Windows 2000 DNS server. To create these records, you will need to create a primary zone called <network>.in-addr.arpa, where <network> is the reverse of the network portion of the server's IP address.
1. Open the DNS MMC snap-in.
2. Click the Reverse Lookup Zone icon, then right-click the icon and select New Zone.
3. Click Next. Then select the Standard Primary radio button, then click Next.
4. The Zone name will be the network portion of your IP address in reverse order. For example, if your IP address is 192.168.4.10 and the subnet mask is 255.255.255.0, the network portion would be 192.168.4. You would then enter 192.168.4. The server will reverse the numbers and add the in-addr.arpa extension automatically.
Note: When adding the in-addr.arpa numbers, do not reverse them yourself. Windows 2000 will do this for you. Unlike Windows NT 4.0, Windows 2000 expects you to simply enter the network portion of your IP address in forward order (192.168.4).
5. Click Next twice, then Finish.
6. Once you are back in the DNS snap-in, click the new reverse zone. Now, create a new PTR record for your own server. Right-click the new reverse zone you just created.
7. Select the New Pointer button, as shown in the following illustration.
8. The New Resource Record dialog box will appear, as shown below.
9. In the Host IP Number text box, enter only the host portion of your master DNS server’s IP address. For example, if your IP address is 192.168.4.10, enter 10. As you will remember, reverse DNS maps IP addresses to names. The trick of reverse DNS is creating a zone for each network, with individual entries for the host IP address.
10. In the Host Name text box, enter the FQDN for your master DNS server. For example, if you created this server on student10.student10.com, then you would enter student10.student10.com in this text box.
Note: This step is vital for troubleshooting purposes. The nslookup program, for example, will not work properly unless you create a reverse DNS lookup entry for the DNS server. The reason for this is that nslookup conducts a reverse DNS lookup search when connecting to the DNS server.
11. Click OK.
12. You will see a new entry in the reverse DNS lookup zone you created, as shown below.
Note: Windows 2000 automatically creates additional reverse zones, including one for the loopback address (127.0.0.1) and for low-order and high-order broadcast addresses (0 and 255).
13. Open a Command Prompt window and use nslookup to query your server. When you are finished, type exit to quit nslookup. Minimize the Command Prompt window.
14. Now that you have created a reverse DNS zone for your network, it is much easier to add a PTR record for any host you subsequently add. All you need to do is select the Create The Associated Pointer (PTR) Record check box. If the proper reverse DNS zone exists, the system will create the reverse entry automatically. This feature works only for hosts you add after creating the proper reverse DNS zone.
Note: Remember that reverse DNS zones are specific to the network IP address. If, for example, you needed to add a record for the system named randy, and this host had an IP address of 192.168.7.4 in a standard Class C network, you would have to create a new reverse lookup zone for the 192.168.7.0 network range.
15. Click the Forward Lookup Zones icon.
16. Click the Student10 Forward Lookup Zone. Right-click it and select New Host.
17. Enter a new host that is on the network into the Name (Uses Parent Domain Name If Blank) field.
18. Enter that host's IP address in the IP Address field.
19. Select the Create The Associated Pointer (PTR) Record check box.
20. Click Add Host.
21. Click OK to acknowledge that you have added this host.
Note: If you receive an error informing you that the proper reverse DNS zone must be present, check your work to make sure you entered the correct information when creating the reverse DNS zone. The most common mistake is reversing the network IP address, which you don't need to do because Windows 2000 does this automatically.
22. Click the Done button.
23. Repeat the relevant steps to create additional entries for each forward entry you manually created in the previous exercise.
24. Remove the DNS service from your system and the DNS client configurations before proceeding to the following chapter. Although the configurations worked well for these exercises, they might interfere with proper name resolution during later exercises.
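The reversal the wizard performs in step 4, the host portion entered in step 9, and the forward/reverse agreement that nslookup depends on (note to step 10) can all be checked in a few lines. The following is an added example, not code from the book or from Windows 2000; the host table it checks is constructed to match the exercise's student10.com network, and the name randy.student10.com with address 192.168.7.4 is taken from the note to step 14.

```python
"""Reverse-zone naming and a forward/reverse consistency check.

Added example (not from the book). Reproduces the reversal the Windows 2000
wizard performs (step 4), the host portion typed into the Host IP Number box
(step 9), and why a host on another network, such as 192.168.7.4 in the note
to step 14, needs its own reverse zone. The host table is constructed.
"""
import ipaddress
from typing import Dict, List


def reverse_zone(network: str) -> str:
    """Zone name from the network portion as the wizard takes it ('192.168.4') or
    from CIDR with an octet-aligned prefix ('192.168.4.0/24'); both give
    '4.168.192.in-addr.arpa'."""
    if "/" in network:
        net = ipaddress.IPv4Network(network, strict=True)
        if net.prefixlen not in (8, 16, 24):
            raise ValueError("an octet-aligned in-addr.arpa zone needs an 8, 16 or 24-bit prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    else:
        octets = network.split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"{network!r} is not a 1-3 octet network portion")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str) -> str:
    """Owner name of a host's PTR record: '192.168.4.10' -> '10.4.168.192.in-addr.arpa'."""
    ipaddress.IPv4Address(ip)                       # validates the dotted quad
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def in_zone(ip: str, network: str) -> bool:
    """True if the PTR record for ip belongs in reverse_zone(network) (CIDR form)."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(network, strict=True)


def host_part(ip: str, network: str) -> str:
    """The octets entered in the Host IP Number box: those not covered by the zone."""
    if not in_zone(ip, network):
        raise ValueError(f"{ip} is outside {network}; it needs its own reverse zone")
    covered = ipaddress.IPv4Network(network).prefixlen // 8
    return ".".join(ip.split(".")[covered:])


def check_consistency(forward: Dict[str, str], reverse: Dict[str, str]) -> List[str]:
    """Compare A records (name -> ip) with PTR records (owner -> name).

    Returns human-readable findings; an empty list means every A record has a
    matching PTR and every PTR points back at a known name.
    """
    def canon(name: str) -> str:
        return name.lower().rstrip(".")

    findings = []
    for name, ip in forward.items():
        owner = ptr_owner(ip)
        target = reverse.get(owner)
        if target is None:
            findings.append(f"{name} ({ip}): no PTR record at {owner}")
        elif canon(target) != canon(name):
            findings.append(f"{name} ({ip}): PTR points to {target}")
    known = {canon(n) for n in forward}
    for owner, target in reverse.items():
        if canon(target) not in known:
            findings.append(f"{owner}: PTR to {target} has no matching A record")
    return findings


# Constructed records modelled on the exercise (student10.com on 192.168.4.0/24).
FORWARD = {
    "student10.student10.com": "192.168.4.10",
    "w2k.student10.com": "192.168.4.11",
    "randy.student10.com": "192.168.7.4",      # other network: needs 7.168.192.in-addr.arpa
}
REVERSE = {
    "10.4.168.192.in-addr.arpa": "student10.student10.com",
    "11.4.168.192.in-addr.arpa": "w2k.student10.com",
}

if __name__ == "__main__":
    print(reverse_zone("192.168.4"), host_part("192.168.4.10", "192.168.4.0/24"))
    for finding in check_consistency(FORWARD, REVERSE):
        print(finding)
```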
Summary
Although the role of DNS is not particularly flashy or impressive, associating domain names with IP addresses remains a vital component of the Internet. Not only is DNS a fundamental building block of the Internet and a key component of internetworking, but it is a factor in a tremendous number of internetworking problems and solving those problems. Having configured a DNS server and client in both Linux and Windows 2000, you have a greater understanding of how a DNS server functions. DNS follows the traditional client/server model, and both client and server components may coexist on a single machine. While the application that performs DNS functions is only one of many applications, it should be one of the first considerations when troubleshooting at or above the routing layer, and one of the first tasks when architecting or combining networks.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
Address (A)
caching server
Canonical Name (CNAME)
DNS record
Domain Name System (DNS)
Dynamic DNS (DDNS)
forwarding server
hosts
Mail Exchanger (MX)
master server
Name Server (NS)
Pointer (PTR)
primary server
resolver
root server
secondary server
slave server
Start Of Authority (SOA)
Exam Essentials
Be able to define and configure hosts files. The hosts file is a text file that contains IP addresses, fully qualified domain names, and aliases of Internet (or private network) hosts. Knowing how to configure hosts files is vital not only for the CIW exam but also for basic internetworking.
Understand the Domain Name System (DNS) and its evolution. The Domain Name System evolved, beginning in 1984, in order to eliminate the distribution of a growing hosts file. The hosts file still exists, but no longer contains all of the host names and IP addresses for every host connected to the Internet, as it once did; it contains only references and aliases local to the machine it resides on.
Know the DNS architecture, and be able to diagram the relationships among DNS root servers, master servers, and client systems. DNS is a hierarchical distributed database with root servers managed by members of ICANN, master servers managed by individuals and organizations, and client systems that rely upon this hierarchy to resolve domain names to IP addresses.
Know DNS records and list the record types. DNS records include IN, NS, SOA, A, CNAME, MX, and PTR records.
Understand the relationships among Unix, Windows, and DNS. Unix and Windows use the same underlying files to define and populate DNS zones. The location of these files is different for Unix and Windows systems. The graphical interface for Windows 2000 automatically reverses IP addresses for the reverse lookup in-addr.arpa file.
Review Questions
1. Which of the following elements is a recommended entry for the hosts file?
   A. The loopback address
   B. The network address
   C. The subnet mask
   D. The proxy server address
2. Which of the following accurately describes the Domain Name System?
   A. DNS is a centralized system that depends on one source for updates.
   B. DNS was invented in 1994.
   C. DNS is hierarchical and distributed.
   D. DNS consists of five levels.
3. Which of the following types of DNS servers processes queries by asking other servers for information, then stores the data until it expires?
   A. Top-level domain server
   B. Primary server
   C. Secondary server
   D. Caching-only server
4. Which of the following DNS records is used to perform reverse DNS lookup?
   A. Start Of Authority
   B. Canonical Name
   C. Mail Exchanger
   D. Pointer
5. Which of the following is a database file used to implement DNS in BIND?
   A. domain_name.local
   B. named.local
   C. local.boot
   D. rec.named.hosts
6. What is the function of the named.ca file?
   A. The named.ca file is required to cover the loopback network.
   B. The named.ca file holds the initialization parameters required for the named daemon.
   C. The named.ca file lists the IP addresses of all machines.
   D. The named.ca file holds information on root name servers.
7. In which directory on a Unix DNS server would you locate the zone file?
   A. /var/named/domain_name/
   B. /etc/named/
   C. /drivers/etc/named/
   D. /var/named/
8. What does a reverse DNS lookup do?
   A. Resolve an IP address to a FQDN
   B. Provide a server with a client's host name
   C. Return a numerical IP address from a host name
   D. Match the network and host portions of an IP address
9. After modifying a DNS configuration on a Windows client, what is needed to apply the modified configuration?
   A. Add the client to the server zone.
   B. Click Apply in the graphical interface.
   C. Log out and log back in.
   D. Reboot the system.
10. What does the C in CNAME stand for?
   A. Canonical
   B. Computer
   C. Configured
   D. Control
11. Which record type is most common?
   A. A
   B. CNAME
   C. IN
   D. PTR
12. Which record type associates an IP address with a host name?
   A. A
   B. CNAME
   C. MX
   D. PTR
13. What is the purpose of the refresh value in named.local?
   A. It forces the local client to refresh zone files periodically.
   B. It indicates that a DNS server is a caching server.
   C. It specifies the frequency that slaves contact masters.
   D. This period is how often root servers are queried.
14. Which of the following is NOT an original top-level Internet domain?
   A. biz
   B. com
   C. edu
   D. gov
   E. mil
15. Why was the Domain Name System devised?
   A. To provide redundancy and failover capabilities
   B. Sheer creativity
   C. In order to provide distributed control of domain names
   D. To avoid large and frequent updates of the hosts file
16. What is the software called that requests DNS information?
   A. named
   B. bind
   C. resolver
   D. queries
17. In which file should you specify name server, domain, and search order?
   A. /var/named.boot
   B. /var/named.conf
   C. /etc/resolv.conf
   D. /etc/named.conf
18. How is the administrative contact e-mail address listed in a Unix DNS configuration file (e.g., for root)?
   A. root
   B. root.localhost
   C. root@localhost
   D. root@fully-qualified-domain.com
19. Which of the following is true of the reverse zone file?
   A. IP octets are reversed.
   B. IP addresses are stored in binary 32-bit format.
   C. The reverse zone file is optional.
   D. The reverse zone file contains information for both IP to host and host to IP mappings.
20. Which of these files is obsolete with BIND version 8?
   A. named.conf
   B. named.local
   C. named.boot
   D. named.ca
Answers to Review Questions
1. A. The loopback address provides important functionality for networked systems, and should be in every hosts file.
2. C. DNS was invented in 1984 to replace a centralized system with a hierarchical and distributed system, arguably with three levels of hierarchy.
3. D. A caching server has no authority, therefore it has no authoritative zone files; it only caches information from other DNS servers in order to fulfill DNS requests more quickly.
4. D. The Pointer record allows DNS to resolve an IP address to a host name.
5. B. The name daemon, "named," uses the named.local file to define the localhost loopback address.
6. D. The named.ca file holds root name server information, and is available from ftp://ftp.rs.internic.net/domain/named.ca.
7. D. Zone files, with filenames <network>.in-addr.arpa and domain_name.hosts, are located in /var/named/ on Unix and Linux systems.
8. A. Reverse DNS resolves an IP address into a fully qualified domain name.
9. D. Even in Windows 2000, the client must reboot after modifying the DNS configuration.
10. A. The Canonical Name record creates an alias for a given host.
11. C. The Internet record is used for most DNS records.
12. A. The Address record links an IP address to a host name.
13. C. The refresh value, in seconds, determines how often a secondary server needs to contact the primary server for updates.
14. A. The biz domain is a recent addition to top-level domains.
15. D. The hosts file was getting large and requiring frequent updates and downloads.
16. C. The resolver software is the specific component that requests the IP address (or host name) from a DNS server.
17. C. The resolv.conf file should have name server, domain name, and DNS server search order.
18. B. The @ symbol has special meaning and is not used to denote e-mail contact.
19. A. In the reverse zone file, the octets of the network portion of the IP address are reversed.
20. C. The named.boot file is not used in BIND version 8, but has been replaced with named.conf.
Chapter 6
Troubleshooting TCP/IP
CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER: Identify troubleshooting tools, and troubleshoot a TCP/IP network.
TCP/IP networks can be as fickle as they are flexible. Many tools are available to troubleshoot TCP/IP networks. Because these tools are commonly used with TCP/IP networks, many of them can be modified and used across any platform running the TCP/IP suite. Sometimes the information that you need to identify a TCP/IP issue resides in a simple text file. This chapter introduces the most important files, utilities, and commands for troubleshooting, and will teach you how to use them.
Network Files
Every administrator of a TCP/IP network should be well acquainted with the following network files. As you learn about each, note the similarities and differences between the Unix and Windows 2000 implementations. The key network files include:
protocols (Unix) and protocol (Windows 2000)
services
xinetd.conf (Unix only)
All three of these files provide information vital to the IP configuration on a system. A typo or error in one of these files may result in unusual or unexpected behavior of the system's networking.
The protocols (Unix) and protocol (Windows 2000) Files
Each line of the protocols (Unix) or protocol (Windows 2000) file describes the protocols used at the Internet layer of the TCP/IP protocol stack as defined by RFC 1700 (Assigned Numbers). Each line is formatted as follows:
official-protocol-name protocol # aliases
Both Unix and Windows 2000 use the information in the protocol(s) file. It is stored in /etc (Unix) or \WINNT\system32\drivers\etc (Windows 2000), and can be easily edited using the vi text editor in Unix or the Notepad text editor in Windows. If you have developed your own application protocol that uses the raw socket interface, it must be listed in the protocol(s) file.
The number listed for each protocol is included in the Protocol field of the IP header. That number defines the next protocol level to receive the Data field at the destination. In both operating systems, the file displays the following (selected) information, which will vary depending on customization:
#
ip      0    IP     # pseudo protocol number
icmp    1    ICMP   # internet control message protocol
igmp    2    IGMP   # internet group management protocol
ggp     3    GGP    # gateway-gateway protocol
tcp     6    TCP    # transmission control protocol
egp     8    EGP    # exterior gateway protocol
pup     12   PUP    # PARC universal packet protocol
udp     17   UDP    # user datagram protocol
idp     22   IDP    # Xerox internet datagram protocol
raw     255  RAW    # RAW IP interface
The services File
The services file contains port numbers for well-known services as defined by RFC 1700 (Assigned Numbers). Any application that wants to reserve a port number must specify it in the services file. A listing in the services file does not mean an application is supported. The service name and port number are only a small part of a functional application.
The format of each line is as follows: service-name port/protocol aliases Both Unix and Windows 2000 use the (Unix), or %\WINNT\system32\drivers\etc easily edited using the vi text Windows.
services file. It is stored in /etc (Windows 2000), and can be
editor in Unix or the Notepad text editor in
Services such as Telnet, FTP, and TFTP are defined in this file. By examining it, you can determine the port numbers on which these services are available. In both operating systems, the file displays the following (selected) information, which will vary depending on customization: # tcpmux 1/tcp echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users daytime 13/tcp daytime 13/udp netstat 15/tcp chargen 19/tcp ttytst source chargen 19/udp ttytst source ftp-data 20/tcp ftp 21/tcp telnet 23/tcp smtp 25/tcp mail time 37/tcp timserver time 37/udp timserver name 42/udp nameserver whois 43/tcp nicname # usually to sri-nic domain 53/udp domain 53/tcp bootps 67/udp bootpc 68/udp http 80/tcp
Copyright ©2002 SYBEX, Inc., Alameda, CA
www.sybex.com
Network Files
229
    kerberos    88/udp     kdc          # kerberos authentication
    kerberos    88/tcp     kdc          # kerberos authentication
    hostnames   101/tcp    hostname     # usually to sri-nic
Consulting this file will not determine whether or not a service is running on a given port, but does define which ports are associated with which services. One service of particular interest when troubleshooting is the inetd daemon, the Internet “super server.” On many systems, inetd has been replaced with a newer version with extended capabilities, xinetd. The configuration and function of xinetd is defined in the /etc/xinetd.conf file, and by files in the /etc/xinetd.d directory.
The xinetd.conf File and the /etc/xinetd.d Directory
The xinetd.conf file is exclusive to Unix. It is stored in /etc and can be easily edited using the Unix vi text editor. The xinetd daemon manages TCP/IP network services daemons according to information contained in the /etc/xinetd.d directory. To configure the processes running in xinetd, edit the respective service file, such as /etc/xinetd.d/telnet or the /etc/xinetd.d/wu-ftpd file, and send a SIGHUP signal to xinetd or enter /etc/rc.d/init.d/xinetd restart.
Each file in the /etc/xinetd.d directory contains the information required to manage a particular network service. Each file displays information specific to that service, which will vary depending on customization. For instance, the /etc/xinetd.d/telnet file is shown below:
    # default: on
    # description: The telnet server serves telnet sessions;
    #              it uses unencrypted username/password pairs
    #              for authentication.
    service telnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
    }
To stop the telnet service, you can comment out the service telnet line and restart xinetd.
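As an added example (not from the book), the following Python script parses xinetd service files like the telnet stanza above and reports which services are enabled, which run as root, and which carry credentials in the clear. The two sample files are constructed; the disable = yes attribute is a standard xinetd setting the text does not show, and the check list is this example's own.

```python
import re

# Constructed sample files: the telnet stanza from the text, plus a second
# service that has been switched off with xinetd's "disable = yes" attribute.
SAMPLE_XINETD_D = {
    "/etc/xinetd.d/telnet": """\
# default: on
# description: The telnet server serves telnet sessions;
#              it uses unencrypted username/password pairs
#              for authentication.
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
""",
    "/etc/xinetd.d/wu-ftpd": """\
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    disable         = yes
}
""",
}

# "service NAME { ... }" with a non-greedy body; re.S lets '.' span lines
STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_xinetd_file(text):
    """Return {service_name: {attribute: value}} for each uncommented stanza.

    Comment lines are dropped first, so a stanza whose "service" line has been
    commented out (the book's way of stopping telnet) parses to nothing.
    """
    uncommented = "\n".join(
        ln for ln in text.splitlines() if not ln.lstrip().startswith("#")
    )
    services = {}
    for name, body in STANZA_RE.findall(uncommented):
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or "=" not in line:
                continue
            key, value = line.split("=", 1)
            # "log_on_failure +=" is an append operator; keep the bare key
            attrs[key.rstrip("+").strip()] = value.strip()
        services[name] = attrs
    return services


def audit_xinetd(files):
    """List every service found, whether it is enabled, and review notes.

    A service counts as enabled unless its stanza says "disable = yes".
    Notes flag services running as root and the cleartext telnet protocol.
    """
    findings = []
    for path, text in files.items():
        for name, attrs in parse_xinetd_file(text).items():
            enabled = attrs.get("disable", "no").lower() != "yes"
            notes = []
            if enabled and attrs.get("user") == "root":
                notes.append("runs as root")
            if enabled and name == "telnet":
                notes.append("cleartext credentials")
            findings.append(
                {"file": path, "service": name, "enabled": enabled, "notes": notes}
            )
    return findings


if __name__ == "__main__":
    for f in audit_xinetd(SAMPLE_XINETD_D):
        state = "enabled " if f["enabled"] else "disabled"
        print(f"{state} {f['service']:<8} {f['file']}  {', '.join(f['notes'])}")
```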
EXERCISE 6.1
Locating, viewing and comparing TCP/IP information on Linux and Windows 2000
In this exercise, you will attempt to locate and view the protocol(s), services, and etc/xinetd.d/ files on both Linux and Windows 2000 (if applicable). Use the vi text editor in Linux and the Notepad text editor in Windows 2000 to view the files.
1. Locate the protocol(s) file, on each platform.
2. Locate the services file, on each platform.
3. Locate the xinetd.conf or inetd.conf file, on each platform.
After locating each file, compare the Unix contents to its Windows counterpart.
The aforementioned text files provide valuable information about network services for a given system. Troubleshooting a network issue often involves examining how packets travel across a TCP/IP network, or how they are handled by remote systems. The protocol designed specifically to perform these tasks is ICMP.
Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) is the troubleshooting protocol of TCP/IP and a required part of the TCP/IP stack. ICMP is specified in RFC 792, and operates at Layer 3 of the OSI reference model. It allows Internet hosts and gateways to report errors through ICMP messages. These messages are encapsulated in the data portion of the IP packet and are ultimately targeted for the IP software module at the source system. When an ICMP message arrives at the source system, the IP software module handles the problem itself and does not pass it to the user process.
ICMP provides a single mechanism for all Internet control and information messages. If a problem occurs on a TCP/IP network, an ICMP message will likely be generated, such as a source-quench message or an echo-request/echo-reply query message. When datagrams arrive too quickly for a host or gateway to process, the host or gateway queues them in its memory temporarily. If the traffic continues, the host or gateway eventually exhausts its memory and must discard additional datagrams that arrive. To relieve this congestion, machines use ICMP source-quench messages. A source-quench message is a request for the source to reduce its current rate of datagram transmission. Usually, a congested gateway or host sends one source-quench message for every datagram it discards. Gateways often use more sophisticated congestion control techniques. Another type of ICMP message is the echo-request and echo-reply messages. The ping command uses ICMP to generate ICMP echo-request and echo-reply messages. System and network administrators commonly use the ping command to test reachability results. There are several ICMP message types.
Although each ICMP message has its own format, all ICMP messages begin with the same three fields:
    Type (8-bit integer)    Identifies the message.
    Code (8 bits)           Provides further information about the message type.
    Checksum (16 bits)      Used for error detection.
In addition, ICMP messages that report errors always include the header and the first 64 data bits of the datagram causing the problem. Figure 6.1 illustrates the ICMP message header.
FIGURE 6.1 ICMP message header
    0        8        16                31
    +--------+--------+-----------------+
    |  Type  |  Code  |    Checksum     |
    +--------+--------+-----------------+
    | (Contents Depend on Message Type and Code) |
    +--------------------------------------------+
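To make the header layout concrete, here is an added Python example (not from the book) that builds an Echo Request, parses the three common fields back out of the bytes, and verifies the RFC 792 checksum, which is the 16-bit one's complement of the one's complement sum of the whole message computed with the checksum field zeroed. The type-number names are the RFC 792 ones; the sample message is constructed.

```python
import struct

# ICMP type numbers and names from RFC 792, covering the message classes in
# Tables 6.1 and 6.2 (the RFC calls the subnet mask messages "Address Mask").
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    4: "Source Quench",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
    12: "Parameter Problem",
    13: "Timestamp Request",
    14: "Timestamp Reply",
    15: "Information Request",
    16: "Information Reply",
    17: "Address Mask Request",
    18: "Address Mask Reply",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum over the whole ICMP message.

    Sum the message as 16-bit big-endian words (padding an odd trailing byte
    with zero), fold the carries back in, and return the one's complement.
    The caller passes the message with its checksum field set to zero.
    """
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request (type 8, code 0) with a correct checksum.

    Echo messages carry a 16-bit identifier and sequence number after the
    common 4-byte header; ping fills these in to match replies to requests.
    """
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Parse the common Type/Code/Checksum fields and verify the checksum.

    Everything after the 4-byte header is returned as "rest"; for the error
    messages of Table 6.1 that is the IP header plus the first 64 bits of the
    datagram that caused the problem.
    """
    if len(message) < 4:
        raise ValueError("ICMP message shorter than the 4-byte common header")
    mtype, code, csum = struct.unpack("!BBH", message[:4])
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return {
        "type": mtype,
        "name": ICMP_TYPES.get(mtype, "Unknown"),
        "code": code,
        "checksum": csum,
        "checksum_ok": icmp_checksum(zeroed) == csum,
        "rest": message[4:],
    }


if __name__ == "__main__":
    # Constructed sample: the kind of message "ping -c 1" would send.
    msg = build_echo_request(ident=0x1234, seq=1, payload=b"abcdefgh")
    print(msg.hex())
    print(parse_icmp(msg))
```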
Tables 6.1 and 6.2 list the ICMP error and query message types used in IPv4.
TABLE 6.1 ICMP Error Messages
ICMP Message             Error
Timer Exceeded           A datagram was discarded because its Time To Live (TTL) field reached 0, or a fragment was discarded because it was on the reassembly queue for too long (reassembly timer expired).
Parameter Problem        An IP header error occurred.
Destination Unreachable  The network may be unreachable for a number of reasons: protocol or port number may not be available on the target network, or destination node may be down.
Source Quench            A network device is discarding datagrams due to lack of resources. For example, a router might be overloaded and requesting nodes to slow the rate of generated data.
Redirect                 A gateway closer to a destination IP address exists.
TABLE 6.2 ICMP Query Messages
ICMP Message                             Query
Echo Request/Echo Reply                  Sends an echo-request message to test reachability; receiver responds by sending an echo-reply message.
Timestamp Request/Timestamp Reply        Computes network delay between two network devices.
Information Request/Information Reply    Finds address of local IP network.
Subnet Mask Request/Subnet Mask Reply    Sends subnet mask request; receiver responds by sending subnet mask reply message.
ICMP message types can be particularly important when isolating or verifying a network issue.
Troubleshooting Network Problems
Different utilities are used to determine the location of a network problem. Use the following commands for general network troubleshooting:
    ping
    traceroute or tracert
    netstat
If a system seems to be unreachable, a quick ping will give a success or failure. If packets are being lost, dropped or blocked, traceroute will usually show where the network is letting you down. If you are looking for detailed information about a system’s network state, the established connections and open ports can be shown with netstat. Each utility has a specific purpose, and they may need to be used in sequence or combination. These commands should be on any system that has IP networking installed. Using these tools to identify and solve problems is one of the internetworking professional’s trademark skills.
ping
The ping utility, which results in ICMP echo-request and echo-reply messages, is used to test reachability between source and destination systems. Ping can also be used to test the function of the local IP stack, where ip_address is 127.0.0.1 or localhost for the loopback interface. The command format for Linux and Windows 2000 is:
    ping ip_address
In this format, ip_address identifies the remote system. However, each operating system uses slightly different options. Table 6.3 lists several Linux options.
TABLE 6.3 Linux ping Options
Option          Description
-c count        Stops pinging after sending and receiving count number of ping packets.
-f              Flood ping. Outputs packets as fast as they return, or 100 per second, whichever is higher. Only superusers can use this option.
-i wait         Waits wait seconds between sending ping packets.
-s packetsize   Specifies number of bytes to be sent. The default is 56, but with the ICMP header data of 8 bytes, it becomes 64 data bytes.
For example, the Linux bash prompt (#) entry:
    ping -c 2 192.168.3.13
will result in the following response:
    PING 192.168.3.13 (192.168.3.13): 56 data bytes
    64 bytes from 192.168.3.13: icmp_seq=0 ttl=128 time=0.7ms
    64 bytes from 192.168.3.13: icmp_seq=1 ttl=128 time=0.5ms
Table 6.4 lists several Windows 2000 options.
TABLE 6.4 Windows 2000 ping Options
Option      Description
-t          Pings the specified host until interrupted.
-n count    Stops after sending count number of ping packets.
-s count    Specifies the timestamp for count number of ping packets sent.
-l size     Specifies the buffer size to send.
For example, the command prompt entry:
    ping -n 2 192.168.3.13
will result in the following response:
    Pinging 192.168.3.13 with 32 bytes of data:
    Reply from 192.168.3.13: bytes=32 time<10ms TTL=64
    Reply from 192.168.3.13: bytes=32 time<10ms TTL=64
To stop continuous testing in both systems, press Ctrl+C.
traceroute
The traceroute command can be used to determine the path between the source and destination systems. This command also provides information on round-trip propagation time between each router and the source system. The command format for Linux is:
    traceroute ip_address
In the example, ip_address identifies the remote system. Table 6.5 lists several Linux options.
TABLE 6.5 Linux traceroute Options
Option            Description
-n                Host names will not be resolved to addresses at each hop.
-m maximum_hops   Specifies the maximum number of hops the utility will search for the target; the default is 30 hops.
-w timeout        Specifies the time (in seconds) to wait for each reply. The default is five seconds.
-g host-list      Specifies a loose source route gateway.
For example, the Linux bash prompt (#) entry:
    traceroute SystemB
will result in the following one-hop response because it is on the same subnet:
    traceroute to systemb.classroom.com (192.168.3.11), 30 hops max, 40 byte packets
     1  systemb.classroom.com.3.168.192.in-addr.arpa (192.168.3.11)  0.671 ms  0.545 ms  0.498 ms
The command format for Windows 2000 is:
    tracert ip_address
In the example, ip_address identifies the remote system. Table 6.6 lists several Windows 2000 options.
TABLE 6.6 Windows 2000 tracert Options
Option            Description
-d                Host names will not be resolved to addresses at each hop.
-h maximum_hops   Specifies the maximum number of hops the utility will search for the target; the default is 30 hops.
-w timeout        Specifies the time (in milliseconds) to wait for each reply.
-j host-list      Specifies a loose source route along a host list.
For example, the command prompt entry:
    tracert SystemA
will result in the following one-hop response because it is on the same subnet:
    Tracing route to systema.classroom.com (192.168.3.11)
    over a maximum of 30 hops:
      1   <10ms   <10ms   <10ms  systema.classroom.com.3.168.192.in-addr.arpa [192.168.3.11]
    Trace complete.
netstat
The netstat command displays the contents of various network-related data structures. More specifically, it displays information about packets processed by your system on the network. The command format for Linux and Windows 2000 is:
    netstat options
Table 6.7 lists commonly used options with the netstat command for both operating systems.
TABLE 6.7 netstat Options
Option              Description
-a                  Shows the state of all sockets.
-n                  Reports Internet addresses as numbers and not symbols.
-r                  Displays the system’s routing tables.
-s                  Provides statistics on packets processed by your system.
-i (Linux only)     Shows the state of the interfaces that have been autoconfigured.
-e (Windows only)   Displays Ethernet statistics, such as number of bytes received and sent, as well as unicast and non-unicast packets.
The Linux netstat command will provide many statistics without any options. For example, the Linux bash prompt (#) entry:
    netstat
will result in the following (partial, sample) response:
    Active Internet Connections (w/o servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
    tcp        0      0 stag.my.net:ssh        no.my.net:1748         *.*
    tcp        0      0 stag.my.net:ftp        no.my.net:1249         *.*
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags   Type      State        I-Node  Path
    unix  10     [ ]     DGRAM                  432     /dev/log
    unix  2      [ ]     STREAM    CONNECTED    912
    unix  2      [ ]     DGRAM
The Windows 2000 netstat command by itself displays only established active connections. To display all active connections, use the -a option. For example, the command prompt entry:
    netstat -a
will result in the following response:
    Active Connections
    Proto  Local Address          Foreign Address        State
    TCP    student13:1026         0.0.0.0:0              LISTENING
    TCP    student13:135          0.0.0.0:0              LISTENING
    TCP    student13:135          0.0.0.0:0              LISTENING
    TCP    student13:1025         0.0.0.0:0              LISTENING
    TCP    student13:1025         localhost:1026         ESTABLISHED
    TCP    student13:1026         localhost:1025         ESTABLISHED
    TCP    student13:137          0.0.0.0:0              LISTENING
    TCP    student13:138          0.0.0.0:0              LISTENING
    TCP    student13:nbsession    0.0.0.0:0              LISTENING
    UDP    student13:135          *.*
    UDP    student13:nbname       *.*
    UDP    student13:nbdatagram   *.*
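The services file says which name belongs to which port; netstat says which ports are actually open. This added Python example (not from the book) joins the two, serving both the services file section earlier in the chapter and the netstat output above: it parses lines in the services file format, then maps every LISTENING TCP socket and every UDP socket in a netstat -a listing (Windows 2000 layout) to a service name, resolving ports that netstat prints as aliases such as nbsession. Both inputs are constructed samples.

```python
# Constructed excerpt in the "service-name port/protocol aliases" format
SERVICES_TEXT = """\
# Network services, Internet style
tcpmux      1/tcp
echo        7/tcp
echo        7/udp
discard     9/tcp    sink null
ftp-data    20/tcp
ftp         21/tcp
telnet      23/tcp
smtp        25/tcp   mail
domain      53/udp
domain      53/tcp
http        80/tcp
epmap       135/tcp  loc-srv     # DCE endpoint resolution
netbios-ns  137/udp  nbname
netbios-dgm 138/udp  nbdatagram
netbios-ssn 139/tcp  nbsession
"""

# Constructed "netstat -a" output in the Windows 2000 layout shown above
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    student13:135          0.0.0.0:0              LISTENING
  TCP    student13:23           0.0.0.0:0              LISTENING
  TCP    student13:1025         localhost:1026         ESTABLISHED
  TCP    student13:nbsession    0.0.0.0:0              LISTENING
  UDP    student13:nbname       *:*
  UDP    student13:1900         *:*
"""


def parse_services(text):
    """Parse services lines into two lookups.

    by_port maps (port, proto) -> canonical name; by_name maps the canonical
    name and every alias -> (port, proto). Comments after '#' are dropped.
    """
    by_port, by_name = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]
        port, proto = port_proto.split("/")
        key = (int(port), proto)
        by_port[key] = name
        for alias in fields[:1] + fields[2:]:
            by_name[alias] = key
    return by_port, by_name


def listening_sockets(netstat_text, by_port, by_name):
    """Return (proto, port, service-name) for each open socket in the listing.

    TCP sockets count only in the LISTENING state; UDP has no state column.
    The port after the last ':' may be a number or a services alias; ports
    with no services entry are reported as "unknown" so they stand out.
    """
    result = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        port_field = fields[1].rsplit(":", 1)[1]
        if port_field.isdigit():
            port = int(port_field)
        else:
            port = by_name.get(port_field, (None, proto))[0]
        if port is None:
            continue
        result.append((proto, port, by_port.get((port, proto), "unknown")))
    return result


if __name__ == "__main__":
    by_port, by_name = parse_services(SERVICES_TEXT)
    for proto, port, name in listening_sockets(NETSTAT_TEXT, by_port, by_name):
        print(f"{proto} {port:<5} {name}")
```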
Troubleshooting Name and Address Problems
Problems can arise from literally any layer of the network model. In many instances, it is necessary to determine or verify a name or address, whether at the Media Access Control layer of Ethernet or within the Domain Name System of a public or private IP network. Use the following commands for name and address troubleshooting:
    ifconfig (Linux)
    ipconfig (Windows 2000)
    arp
    nslookup
    hostname
Properly used, these commands will allow you to isolate and identify name and address problems.
ifconfig (Linux)
The Linux ifconfig command is used to assign an Internet address to a network interface, such as Ethernet. It is used at boot time to configure interfaces to a running state. Once running, ifconfig is only needed for system tuning and debugging. If no argument, such as an interface device, is given, ifconfig displays the status of all currently defined interface devices. The ifconfig command is also used to display and configure interfaces on Unix and BSD systems, but the -a flag may need to be added in order to display all interfaces. The command format is:
    ifconfig interface options
The following example of the ifconfig command:
    ifconfig eth0
yields the following results:
    eth0      Link encap:Ethernet  HWaddr 00.A0.24.55.29.E8
              inet addr:10.1.2.3  Bcast:10.255.255.255  Mask:255.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  metric:1
              RX packets:17 errors:0 dropped:0 overruns:0
              TX packets:95 errors:0 dropped:0 overruns:0
              Interrupt:9 Base address:0x300
The ifconfig command is also used to turn Ethernet interfaces on and off using the up and down option flags, from a software point of view. In order for ifconfig to work, an interface must be physically present and have the appropriate driver compiled into the kernel, or as a module, and loaded into memory. For example,
    ifconfig eth0 down
    ifconfig eth0 up
Keep in mind that the above options rely on existing configuration files, often kept in /etc, or a subdirectory such as /etc/sysconfig/. There are many additional options available to fully specify configuration of the interface, for example:
    ifconfig eth0 up 192.168.1.50
    ifconfig eth0 up 192.168.1.50/24
    ifconfig eth0 up 192.168.1.50 netmask 255.255.255.0
    ifconfig eth0 up 192.168.1.50 netmask 255.255.240.0
Note that the first three commands perform the same function. The first relies upon the default net mask for a Class C address, the second uses CIDR “slash 24” notation, and the third specifies the net mask in dotted quad notation. The last example provides a non-default network mask. Consult the Unix online manual pages for further configuration options.
ipconfig (Windows 2000)
The Windows 2000 ipconfig command is used to display the Windows 2000 IP configuration. By default, this command displays only the IP address, subnet mask, and default gateway. The command format is:
    ipconfig options
To view all the IP-related configuration information, use the /all option. The following example of the ipconfig command with the /all option:
    ipconfig /all
Results similar to the following will appear in Windows 2000, depending on your NIC and network configuration:
    Windows 2000 IP Configuration:
        Host Name                        windoze
        Primary DNS Suffix
        Node Type                        Hybrid
        IP Routing Enabled               No
        WINS Proxy Enabled               No
    Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix
        Description                      3COM EtherLink XL 10/100 PCI
        Physical Address                 00-00-1C-3A-62-BD
        DHCP Enabled                     No
        IP Address                       192.168.3.13
        Subnet Mask                      255.255.255.0
        Default Gateway                  192.168.3.1
The ipconfig command is also used by DHCP clients to renew and release IP addresses from a DHCP server. If no adapter name is specified, all IP leases will be released.
For example:
    ipconfig /release adapter
    ipconfig /renew adapter
arp
The arp command displays and modifies the Internet-to-physical address translation tables used by the Address Resolution Protocol (ARP). Hosts that use ARP maintain a cache of recently acquired Internet-to-physical address bindings so they need not use ARP repeatedly. The average time an ARP entry remains in a Unix ARP cache is 20 minutes. On Windows 2000, the average time is two minutes. However, if an ARP entry in a Windows 2000 machine’s ARP cache is queried within the two-minute period, it will stay in the cache for 10 minutes. The command for viewing the ARP cache on Windows 2000 is:
    arp -a
This command generates the following result:
    Interface: 192.168.3.13 on Interface 0x1000003
      Internet Address      Physical Address      Type
      192.168.3.11          00-60-83-7c-24-a2     dynamic
      192.168.3.15          00-60-97-24-db-df     dynamic
      192.168.3.1           00-aa-00-38-e7-c3     dynamic
The command for viewing the ARP cache on Linux is:
    arp
This command generates the following result:
    Address         HWtype  HWaddress           Flags Mask   Iface
    192.168.3.11    ether   00-60-83-7c-24-a2   C            eth0
    192.168.3.15    ether   00-60-97-24-db-df   C            eth0
    192.168.3.1     ether   00-aa-00-38-e7-c3   C            eth0
The sender’s Internet-to-physical address binding is included in every ARP broadcast. Thus, receivers update the Internet-to-physical address binding information in their caches before processing an ARP packet. To delete an entry from the ARP cache, the following format is used:
    arp -d ip_address
where ip_address is the IP address of an existing address in your ARP cache. For instance, you can enter
    arp -d 192.168.3.11
to delete a 192.168.3.11 IP address from the ARP cache.
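Because cache entries age out and are rewritten by every ARP broadcast a host receives, comparing two snapshots of the cache is a quick way to see which bindings changed between the time a network worked and the time it did not. This added Python example (not from the book) parses arp output in both the Windows 2000 and Linux layouts shown above and reports changed, removed and new IP-to-MAC bindings; the two snapshots are constructed.

```python
import re

# Constructed snapshots of "arp -a" (Windows 2000 layout) taken at two times.
# Between them, 192.168.3.15 aged out, 192.168.3.20 appeared, and the gateway
# 192.168.3.1 now maps to a different physical address.
ARP_BEFORE = """\
Interface: 192.168.3.13 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.3.11          00-60-83-7c-24-a2     dynamic
  192.168.3.15          00-60-97-24-db-df     dynamic
  192.168.3.1           00-aa-00-38-e7-c3     dynamic
"""
ARP_AFTER = """\
Interface: 192.168.3.13 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.3.11          00-60-83-7c-24-a2     dynamic
  192.168.3.1           00-60-97-24-db-df     dynamic
  192.168.3.20          00-00-1c-3a-62-bd     dynamic
"""

# One cache entry: an IPv4 address, an optional "ether" HWtype column (Linux
# layout), then a MAC written with '-' or ':' separators. Header lines such as
# "Interface: ..." or "Address HWtype ..." do not start with an address.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(?:ether\s+)?"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b"
)


def parse_arp(text):
    """Map IP address -> MAC, normalised to lowercase with ':' separators so
    Windows and Linux output compare equal."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def compare_arp(before, after):
    """Report bindings whose MAC changed, bindings that disappeared, and new ones.

    A changed MAC for an address you did not reconfigure (the default gateway
    especially) is worth confirming against the device before trusting it.
    """
    old, new = parse_arp(before), parse_arp(after)
    changed = {ip: (old[ip], new[ip]) for ip in old if ip in new and old[ip] != new[ip]}
    gone = sorted(ip for ip in old if ip not in new)
    added = sorted(ip for ip in new if ip not in old)
    return {"changed": changed, "gone": gone, "added": added}


if __name__ == "__main__":
    report = compare_arp(ARP_BEFORE, ARP_AFTER)
    for ip, (was, now) in report["changed"].items():
        print(f"changed  {ip}: {was} -> {now}")
    for ip in report["gone"]:
        print(f"gone     {ip}")
    for ip in report["added"]:
        print(f"added    {ip}: {parse_arp(ARP_AFTER)[ip]}")
```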
nslookup
The nslookup command is an interactive program to query Internet domain name servers. The user has the option to request a specific name server to provide information about a given host or get a list of all hosts in a given domain. By default, the command will query the DNS server for which the system is configured. The command format for Linux and Windows 2000 is:
    nslookup options address
The following example of the nslookup command:
    nslookup
displays the following results, depending on your system’s DNS configuration:
    Default Server:  ns1.sprintlink.net
    Address:  204.117.214.10
To query a specific DNS host within a domain, enter the host name after the nslookup command. The host name must be contained in a DNS zone hosted by the server you are querying, or you will receive a Nonexistent Host/Domain error. The command:
    nslookup ss1
displays the IP resolution data of the specified host. In this example, it displays the FQDN and IP address of the ss1 host.
    Server:  ns1.sprintlink.net
    Address:  204.117.214.10
    Non-authoritative answer:
    Name:    ss1.ciwcertified.com
    Address:  204.248.81.217
To obtain a list of all nodes in a given domain, such as ciwcertified.com, execute the following sequence of commands:
    nslookup
    > ls ciwcertified.com
You must have permission to list the domain with the DNS administrator. If not, you will receive the ***Can’t List Domain: Query Refused error.
hostname
The hostname command prints the name of the current host, as it is often given before the system login: prompt. The information on the host name is maintained on some Unix systems in the file hostname.xx0, where xx0 refers to the interface type. The following example of the hostname command in Linux and Windows 2000:
    hostname
yields the following result:
    systema.classroom.com
Troubleshooting Analysis
Troubleshooting the performance of a TCP/IP network in today’s distributed computing environment requires analyzing the effect of client and server activity on your systems, the network, and your client/server applications. Typically, the end user is the first to notice if a network is performing poorly. This chapter identifies elements that affect the performance of TCP/IP networks. You will also learn how parameters associated with your systems, the network, and your client/server applications can be optimized to minimize network problems. Troubleshooting exercises throughout the chapter will associate the key concepts with actual network performance problems. Timely identification of bottlenecks is key to maintaining consistent performance. Most users are not tolerant of client/server network applications that perform inconsistently: fast one day and slow the next. So the first objective is to bring about consistency in the performance. However, to detect inconsistencies, an administrator must have something to measure against, namely a baseline of normal network performance.
Baseline A baseline is a recording of network activity, obtained through documentation and monitoring, that serves as an example for comparing future network activity. Baselines should be recorded when a network is running correctly. If problems are introduced to the network, the new network behavior can be compared to the baseline. Baselines can be used to determine bottlenecks, identify heavy traffic patterns, and analyze daily network usage and protocol patterns.
EXERCISE 6.2
Establishing a baseline of network traffic to your system using Windows 2000
In this exercise, you will use Performance Monitor and Windows 2000 to determine a baseline for the number of packets per second sent to your system over your network. Performance Monitor allows you to collect data for a particular variable over time. This baseline will allow you to determine the amount of network traffic sent to your system during normal traffic periods.
1. Desktop: To create a baseline of packets per second (packets/sec) sent to your system over the network, you will log the packet statistics and view them using a graph tool. Open Performance Monitor by selecting Start > Programs > Administrative Tools > Performance.
2. Performance: To log your network traffic, expand Performance Logs And Alerts in the left pane. Right-click Counter Logs and select New Log Settings.
3. Performance: In the New Log Settings field, enter baseline-1 and select OK. The configuration window opens. The General tab appears by default.
4. General tab: The General tab allows you to add counters for the statistics you want to collect. These counters will be included in your log. Select Add.
5. General tab: In the Performance Object field, select Network Interface. In the Select Counters From List field, select Packets/sec. In the Select Instances From List field, make sure your NIC is highlighted. Click Add and then Close. The packets/sec counter will display in the Counters field.
6. General tab: Enter the sampling interval. For this step, change the Interval value to 5 seconds. This means that Performance Monitor will sample your network traffic statistics once every five seconds. If you are capturing statistics over a longer period of time, you might want to increase this value. You will be collecting statistics only for a minute or two.
7. Log Files tab: Select the Log Files tab. Notice the saved location of the log file. By default, it is saved in C:\PerfLogs.
8. Log Files tab: In the End File Names With drop-down menu, select yyyymmddhh. This will allow the log filename to identify the year, month, day, and hour that the statistics were gathered.
9. Schedule tab: Select the Schedule tab. You can configure the program to stop and start your logs whenever you want. For example, you might want to start the log during a heavy traffic time on your network, such as the beginning of the workday.
10. Schedule tab: In this step, you will start and stop the log manually. Select Manually (using the shortcut menu) for both the Start Log and the Stop Log sections.
11. General tab: Select the General tab. The filename should display the “yyyymmddhh” format you selected in Step 8. Your screen should resemble the example below:
12. General tab: Select OK. The baseline-1 log is created and listed in the right pane of the Performance window.
13. Performance: To start the log, right-click baseline-1 and select Start. The icon will turn green.
14. Desktop: Generate a minimal amount of network traffic to your computer using TCP/IP utilities and protocols. For example, ping System B from System A, copy a file to it, or access your web server (if available). You can also ping traffic to yourself. Generate a minimal amount of traffic for several minutes.
15. Performance: To stop the log, right-click baseline-1 and select Stop. The icon will turn red. You have created the baseline log.
16. Performance: To view the packets/sec statistics in a graph, select System Monitor from the left pane.
17. System Monitor: In the right pane, click the View Log File Data button (the cylinder icon) on the toolbar. In the Select Log File window, locate the baseline-1 file you created. It should be located in the
C:\PerfLogs
folder. Select Open. The graph will be empty.
18. System Monitor: To view the statistics, you must add the packets/ sec counter to the graph. Select the Add button (the + icon) on the toolbar. In the Performance Object field, select Network Interface. In the Select Counters From List field, select Packets/sec. Click Add and then Close. Your packet statistics will display in the graph using the default settings.
Note: Your packet statistics might be unreadable owing to the small number of packets/sec. The following steps will configure the graph to display your statistics.
19. System Monitor: To change the default settings and make the chart more useful, right-click the chart and select Properties.
20. Source tab: Select the Source tab. You can adjust the time range you want the graph to display. For instance, if you want to see the traffic range from 9:00 A.M. to 9:05 A.M. in your statistics, you can adjust the Total Range bar by dragging the left or right side. For this step, do not change the time range. You will view the total range. The Source tab is displayed below.
21. Data tab: Select the Data tab. In the Width field, select a Width size of your choice. Change the Scale field to 1.0.
22. Graph tab: Select the Graph tab. In the Title field, enter the title Baseline-1 Network Packets/Sec. In the Vertical Axis field, enter Number of Packets/Sec. In the Show section, select the Vertical Grid, Horizontal Grid, and Vertical Scale Numbers check boxes.
23. Graph tab: In the Vertical Scale fields, enter a Maximum of 10 and a Minimum of 0. Your screen will resemble the one shown below.
24. Graph tab: Select the OK button. Your screen should resemble the following illustration, depending on the network traffic sent and received by your system.
25. System Monitor: To show your baseline to other people, right-click the chart and select Save As. Enter the filename baseline-1 and select Web Page (*.htm) as the file type. Save the file to the C:\PerfLogs folder. You can distribute the baseline web page to anyone who needs the information; they can then view it on a browser, with some additional requirements detailed at the end of Exercise 6.3. You have created a packets-per-second baseline for your network. You will use this file to compare future network traffic.
EXERCISE 6.3
Comparing network traffic against a baseline in Windows 2000
In this exercise, you will use Performance Monitor and Windows 2000 to graph network traffic and compare it with the baseline from the previous exercise.
1. Repeat Steps 1 through 13 from Exercise 6.2, except name the new log baseline-2.
2. Desktop: Generate a maximum amount of network traffic using TCP/IP utilities and protocols, such as ping -t [destination].
3. Performance: To stop the log, right-click baseline-2 and select Stop. The icon will turn red. You have created the comparison log to compare against your baseline-1 log.
4. Performance: To view the packets/sec statistics in a graph, select System Monitor from the left pane.
5. System Monitor: In the right pane, select the New Counter Set button (blank paper icon) on the toolbar. The baseline-1 chart will be cleared.
6. System Monitor: In the right pane, click the View Log File Data button (the cylinder icon) on the toolbar. In the Select Log File window, locate the baseline-2 file you just created. It should be located in the C:\PerfLogs folder. Select Open. The graph will be empty.
7. System Monitor: To view the statistics, you must add the packets/ sec counter to the graph. Select the Add button (the + icon) on the toolbar. In the Performance Object field, select Network Interface. In the Select Counters From List field, select Packets/sec. Click Add and then Close. Your packet statistics will display in the graph using the graph settings you created in the previous exercise.
8. System Monitor: The packets might exceed 10 packets/sec, which causes the graph lines to extend beyond the vertical chart numbers. To change the settings and increase the chart vertical numbering, right-click the chart and select Properties.
9. Graph tab: Select the Graph tab. Change the title to Baseline-2 Network Packets/Sec. Extend the Vertical scale to include your maximum number of packets/sec. For example, change the maximum to 7000.
10. Data tab: Select the Data tab. You can change the line graph color, as well as the line width. Change the scale to 1.0.
11. System Monitor: Select OK. Your screen should resemble the one shown below.
12. System Monitor: Right-click the chart and select Save As. Enter the filename baseline-2 and select Web Page (*.htm) as the file type. Save the file to your C:\PerfLogs folder.
13. Desktop: Open baseline-1.htm and baseline-2.htm in your browser.
Toggle between the two files. You should see a significant difference between the number of packets per second generated in each file. In a network environment, this difference is often the first sign of problems.
14. Performance: Exit the Performance Monitor.
Certain guidelines must be followed if you send the baseline HTM files to another system. First of all, the system must have Windows 2000 and Performance Monitor installed. To view the baseline HTM file, it must be copied with the respective log file to the corresponding locations. For instance, to view the baseline-2.htm web page, the baseline-2.htm file and the baseline-2 log must be placed in the same folder, such as the C:\PerfLogs folder, or on the Desktop. Sample baseline files are included on the Supplemental Files CD, in the baseline folder.
Monitoring network performance and establishing baselines of normal traffic are important tasks for maintaining a smoothly running network. Without performing these tasks, identifying utilization and planning for growth can be very difficult. In the next section, we will discuss how to identify specific factors that can slow network performance.
Identifying Performance Degradation
There are many scenarios where the performance of an application crosses the line from disappointing to unacceptable. A client/server network application that performed consistently but has recently become inconsistent typically indicates that one or more resources are being used to their limits. A weekly accounting report that normally takes three hours to process may begin taking five or six hours. A 2MB file that is distributed around the globe in minutes may start taking hours. Is the problem in the network, or in the systems? Which systems, clients or servers? Which elements of the network, or which networks? The issue of performance degradation is an important one, because it is apparent to one or many end users, but the technical details that allow their networked application to work are not their responsibility, but yours. Although the analysis is complex, it comes down to a set of simple questions asked in a logical order. The first and most important question to ask is “What changed?” You can ask this question not only of yourself and about technical configurations, but of the end user. Perhaps their accounting report is parsing more data, or their network connection was changed from 100Mbps to 10Mbps. Once you know what changed, you can find the source of the problem and resolve it.
System
Key to the performance of client/server applications are the systems on which the application runs. For a true client/server application, there are components both on the client system and on one or more servers. A three-tier architecture might involve resources on two or three servers, in addition to the client system. The application might be waiting on any of the following system resources:
• The CPU on the node on which the client portion of the application runs
• The CPU on the node on which the server portion of the application runs
• The CPU on the server node that the application needs to access (for example, a server that runs a database in a three-tier application)
• Memory on the node on which the client portion of the application runs
• Memory on the node on which the server portion of the application runs
• Memory on the server node that the application needs to access
Network
Even if a connection is established, and traffic is flowing between client and server, sometimes the performance is not acceptable. High network utilization can be difficult to pinpoint, particularly if performance degradation is not consistent. If network performance drops at the same time each day or week, scheduled administrative jobs and user logins can be examined. The network resources that can affect the performance of an application, regularly or sporadically, include the following:
• The LAN on which the client node is configured
• The LAN on which the (operating system or application) server node is configured
• The LAN on which the application server node is configured
• The WAN that connects the client node to the server node (depending on where the client and server applications run with respect to the network)
• Communication device architecture and configuration
• Protocols in use between the application client and server nodes
Client/Server Applications
Determining the usage of critical system and network resources is not enough. The design and architecture of the client/server application and how the application server is configured and managed are extremely important factors in performance analysis. The application might be performing poorly because the application architecture and the server were poorly designed. The following factors should be considered:
• Is most of the data accessed by end users read-only or read-write?
• Which options does the application server provide to maximize performance on a single-processor system?
• Which options does the application server provide to maximize performance on a multiprocessor system? What is the effect on performance?
• It is possible that the application server processes may be busy but the system is underused. How can you improve system use with the application server processes?
• What is the application server architecture? Is it centralized or decentralized? Why? Is this arrangement consistent with the network architecture?
On the application side, the application architecture and how it is coded can significantly affect the utilization of system and network resources. For example, how is version control implemented? Does the network architecture include a mechanism for showing system and network load over time as changes to the application are implemented?
Client/Server Application Considerations
Client/server application development and implementation over a network often require both a network administrator and an application developer, or administrative and development teams or departments. Many elements of application tuning may be addressed strictly from the network and system side, for an existing application, but some can only be addressed by code changes. Whether dealing with a legacy application that is no longer under development, a current application that is being maintained and updated, or a new application that is being developed for initial deployment, all of these considerations are useful to maintain a stable and efficient network application. To determine how client/server applications perform, you must address the following areas:
• Application architecture in terms of systems and networks
• Application architecture in terms of modules (screens, routines)
• Version control
• Testing
Table 6.8 lists client/server application elements and the factors that a developer and network administrator must consider.
TABLE 6.8 Application Elements and Considerations
Application Element: Developer/Network Administrator Considerations
Software: Determine the software that was used to develop the application.
End-user application interface: Determine how the end user invokes or gains access to the application. Identify the systems involved in this initialization process.
Modules, routines, or screens in the application: Describe the application in terms of each of its elements. Each element (routine) might use the network or system differently, and each module must be analyzed individually.
Processing (front end versus back end), business rules, computation: The developer might have the choice to write a module that requires either:
• Significant use of system resources on the server host, or
• Significant use of system resources on the client host.
The developer should select one. Determine whether most processing will be done at the front end or the back end. For example, the processing of all business rules can be executed at the front end while all computation is done at the back end.
Module execution and systems: For each module, determine which part of the module executes on which system.
Version control system: Name the version control system in use. Define the methodology to introduce version changes.
CPU use: Important. Characterize the CPU use on each system (client and server) for each module. If a given module requires significant CPU resources on a given system, determine whether any change can be made to the application to provide the functionality but improve the use of CPU resources.
Network use: Characterize the network use of all segments (client LAN, WAN, server LAN) for each module. Further, determine:
• Protocol used by the module.
• Number of packets generated by each module.
• Number of acknowledgments per module.
• Average packet size for all data exchanged for a specific module.
• Total number of bits exchanged for a specific module.
Determine whether any change can be made to the application to provide the functionality but improve the use of network resources.
Establishing Guidelines
To solve the problem of inconsistently or poorly performing applications, you must establish specific guidelines in the following areas:
• System environment
• Network environment
• Client/server applications
System Environment
The system environment includes system hardware and operating system. The client/server application executes on at least two systems but may run on more. Typically, three critical systems are associated with the execution of the client/server application. The first is the user’s PC, or the front-end GUI interface. The second is the system that functions as a file server for the user’s PC. The application executable resides on the file server system. This system is sometimes called an application server rather than a file server. Finally, there is the host that is configured as the server for data, which may be a file server or a database serving rows and tables to the client or to the application server. The reason that the number of systems varies is because there are several possible software architectures for any network application. The configuration of all systems must be clearly defined in order to manage, troubleshoot, and tune your network performance. The important configuration elements include the processor, memory, network interface, and disk. These configuration elements remain the same whether you are examining a server, a client workstation, or a router or proxy system. A processor that is too slow for the amount of activity expected from it will bottleneck an application’s performance, whether that processor resides on a server, a client workstation, or a router in between. While your primary concern might be for routers and network infrastructure, it is important to be able to discuss server and workstation configurations and performance with application developers and system administrators in order to get an overall view of an application’s environment.
Processor: Type of CPU (Intel Pentium; Digital Alpha; Sun SPARC, UltraSPARC, or HyperSPARC; MIPS; or other). Number of CPUs. What is the maximum number of CPUs that can be installed on this system? Is the application SMP-aware, or will adding CPUs have a negligible effect?
Memory: Real memory. How much memory is installed on the system? What is the maximum amount of memory that could be installed? Virtual memory. How much secondary memory has been configured on the system? What is the maximum amount of memory that the operating system supports?
Network interface: What type of network interface has been configured on the system? Are the interface and operating system optimized to transmit the Maximum Transmission Unit (MTU) defined by the protocol in use? Are the network interface and operating system optimized to take advantage of the system’s bus? For example, is USB preferable to ISA or PCI?
Disk: What type of disk controller and drive are installed on the system? Is RAID implemented? Hardware or software RAID? What level?
Table 6.9 lists system elements and the factors a network administrator must consider for them.
TABLE 6.9 System Elements and Considerations
System Element: Network Administrator Considerations
Client system configuration: Determine the processor on the client system: Intel Pentium, Digital Alpha, or MIPS. Determine the clock speed: 233MHz, 1GHz.
Operating system server configuration: Determine the processor on the operating system server: Intel Pentium, Digital Alpha, or MIPS. Determine the clock speed: 233MHz, 1GHz.
Application server configuration: Determine the processor on the application server system: Intel Pentium, Digital Alpha, or MIPS. Determine the clock speed: 233MHz, 1GHz.
Installed memory/maximum memory on client system: Determine whether the system is configured optimally for the client/server and other applications.
Installed memory/maximum memory on server system: Determine whether the system is configured optimally for the client/server and other applications.
Installed memory/maximum memory on application system server: Determine whether the application system is configured optimally for the client/server and other applications.
Virtual memory/maximum virtual memory on client system (if applicable): Determine whether the system is configured optimally for the client/server and other applications.
Virtual memory/maximum virtual memory on server system (if applicable): Determine whether the system is configured optimally for the client/server and other applications.
Network interface on client system: Determine the interface: Ethernet, Token Ring, and/or FDDI.
Network interface on operating system server: Determine the interface: Ethernet, Token Ring, and/or FDDI.
Network interface on application server: Determine the interface: Ethernet, Token Ring, and/or FDDI.
Operating System Performance
One of the key elements of troubleshooting or tuning performance of a client/server application is examining each component of the system. In order to examine each part of the application, you must accurately determine and state which components of the client/server application run on which systems. Once you have listed the elements of your client/server application, you can check how they are performing, using operating system utilities for performance monitoring. This section will discuss Unix and Windows 2000, as well as performance monitoring tools for each operating system. Many configuration changes may be made to either Unix or to Windows 2000, any one of which may affect system performance. We will not be comparing overall performance between operating systems, nor will we discuss in great detail the individual operating system performance, because one of the most significant factors in performance is the application that is most important to a specific site. These tools and techniques are valid for monitoring operating system performance at any site and with any application.
Unix
On Unix systems, you can use the following commands to provide information on how the system is performing:
• vmstat
• ps
• uptime
• top
vmstat
The vmstat (virtual memory statistics) command provides information on virtual memory, disk access, and CPU use. The results provided by this command are averaged from the time the system was initialized. To obtain information on peak system activity (which may indicate potential system bottlenecks), specify an interval as an argument to the vmstat command. For CPU statistics, specify an interval of about two seconds. For disk statistics, specify an interval of 60 seconds. The vmstat command sleeps for the interval defined. Typically, if the CPU idle time is greater than 20 percent, it implies that the system is either I/O-bound or memory-bound. CPU idle time includes the following information about the CPU time:
• The CPU is not in use because it has nothing to do.
• The CPU is waiting for memory.
• The CPU is waiting for I/O.
Examine the vmstat output under the data columns described in Table 6.10.
TABLE 6.10 vmstat Output Data Columns
Column: Description
r: Provides information on jobs that are currently runnable. If this number is high, it implies that the CPU is forced to switch between runnable jobs. This number might indicate that the system is CPU-bound.
b: Provides information on jobs sleeping at negative priority, usually because a process is waiting for disk, tape, or other resources. If this number is high and CPU idle time is high, the system may be I/O-bound.
w: Specifies the number of jobs that executed in the previous 20 seconds and have been swapped out. If this field is non-zero, the system may not have sufficient memory.
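The Table 6.10 rules can be applied mechanically to interval output collected with vmstat. The following Python script is an added example and not part of the book: it parses a constructed vmstat listing (the classic layout with r, b and w columns; the parser keys on the header row, so builds that omit w also work) and reports, per sample, which of the three conditions holds. The book says only that r and b are "high", so the r_high and b_high thresholds are assumptions to be tuned per host.

```python
"""Parse vmstat interval output and apply the Table 6.10 bottleneck rules.

Added example, not from the book.  SAMPLE_VMSTAT is constructed, and the
r_high / b_high thresholds are assumptions (the book only says "high").
"""
from typing import Dict, List

# Constructed vmstat output in the classic three-column 'procs' layout (r, b, w).
SAMPLE_VMSTAT = """\
 procs                      memory      swap          io     system         cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 0  0  0   1024  15200  22000 180000   0   0     5    10  120   200   3   1  96
 6  1  0   1024  14000  22000 180000   0   0    10    20  300   900  80  15   5
 1  5  0   1024   9000  22000 180000   0   0  4000  3000  800   400  10   5  85
 1  0  3   8192   2000  21000 170000  50  60    30    40  150   300   5   3  92
"""


def parse_vmstat(text: str) -> List[Dict[str, int]]:
    """Return one dict per data row, keyed by the column names in the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[1].split()          # line 0 is the group banner, line 1 names columns
    samples = []
    for ln in lines[2:]:
        fields = ln.split()
        if len(fields) != len(header):
            continue                   # vmstat repeats its banner periodically; skip it
        samples.append({name: int(val) for name, val in zip(header, fields)})
    return samples


def assess(sample: Dict[str, int], r_high: int = 4, b_high: int = 2) -> List[str]:
    """Apply the r / b / w rules from Table 6.10 to one sample."""
    findings = []
    idle = sample.get("id", 0)
    if sample.get("r", 0) > r_high:
        findings.append("CPU-bound: many runnable jobs competing for the CPU")
    if sample.get("b", 0) > b_high and idle > 20:
        findings.append("I/O-bound: jobs blocked on disk/tape while the CPU is idle")
    if sample.get("w", 0) > 0:
        findings.append("memory shortage: runnable jobs have been swapped out")
    if not findings and idle > 20:
        findings.append("idle; no resource pressure detected in this sample")
    return findings


def assess_all(text: str = SAMPLE_VMSTAT) -> List[List[str]]:
    """Findings for every data row of a vmstat listing."""
    return [assess(s) for s in parse_vmstat(text)]


if __name__ == "__main__":
    for s, findings in zip(parse_vmstat(SAMPLE_VMSTAT), assess_all()):
        print(f"r={s['r']} b={s['b']} w={s['w']} id={s['id']}%: {'; '.join(findings)}")
```

On a live system, feed the script the output of `vmstat 2` (CPU) or `vmstat 60` (disk) as the book suggests; the first row of real vmstat output is the since-boot average and should be ignored when looking for peaks.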
ps
The ps command with options such as aux (ps aux) and -ef (ps -ef) provides useful information on processes running on the system. Check the information provided on:
• Per-process CPU use (look in the %CPU column)
• Per-process memory use (look in the %MEM column)
• Current state of the process (look in the STAT column)
Identify the processes that are consistently the highest users of CPU and/or memory. Note that the memory information provided relates to physical memory and does not include the memory used by the kernel or the instruction segment for each process. Examine the STAT column; if the process is ever in the RW state, the system may be experiencing memory problems, specifically a shortage of memory. RW implies that the system swapped out a process that either was running or had run recently, with each flag having a meaning: R means that a process is runnable, while W indicates that it has no resident pages—in other words, this runnable process has been swapped to the virtual memory on disk. This is a pretty bad sign for system performance, much worse than having a sleeping (S) process swapped to disk.
uptime
The uptime command provides useful information on:
• The length of time the system has been running
• The number of users on the system
• Load averages of active jobs in the system for the previous 1, 5, and 15 minutes
The kernel maintains information on the count averages of active jobs in the system for the previous 1, 5, and 15 minutes. The first load number provides information on the current CPU load. If the number is greater than four, the system may be CPU-bound.
top
The top command is not a standard utility on every version of Unix, but is commonly implemented on Linux, Unix, and BSD systems. Top provides important information about processes and process states and resource utilization for CPU, memory, and swap space. Top also provides uptime, user information, and a list of top CPU-utilizing processes.
FIGURE 6.2 Top output
Much of the information shown by the top command can be obtained from the other utilities described in this section. The display of top, however, presents information in an organized format on a single screen, and updates the display every five seconds or at specified intervals. Some useful switches are listed below.
-s: secure mode, non-interactive
-d: delay for refresh (in seconds)
-c: show command line
If a system is experiencing high utilization of CPU or disk, top will help you to identify the resource-hogging process(es), for termination or tuning. Identifying the most CPU-intensive processes will often lead you to an obvious problem, but a more difficult troubleshooting case may require more digging. The meanings of the columns shown by top are listed in Table 6.11.
TABLE 6.11 top Output Data Columns
Column: Description
PID: Process ID
USER: Userid that a process is running under
PRI: Priority of the process
NI: Nice value of the process
SIZE: Size of the process, code plus data plus allocated stack, in kilobytes
RSS: Total amount of physical memory used by the process
SHARE: Amount of shared memory used by the process
STAT: State of a task
LIB: Size of library pages in use (not shown for ELF processes)
%CPU: Share of CPU time since last screen update, expressed as a percentage of total CPU time per processor
%MEM: Share of physical memory used by the process
TIME: Total CPU time that a process (and its children) have used
COMMAND: Process’s command name, or truncated name
The state (STAT) of a task is important to troubleshoot or diagnose a runaway or long-running process. The letters in this column can also be shown with the ps aux command. Process states are shown below.
R: Runnable (often called running)
S: Sleeping
W: Swapped to virtual memory (disk)
Z: Zombie process, dead but retaining allocated process table space
<: Trailing indicator of negative nice value
N: Trailing indicator of positive nice value
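The STAT letters above, and the RW warning sign from the ps section, lend themselves to a small decoder that can be run over saved ps output during an incident. The script below is an added example, not from the book: the ps aux listing it parses is constructed, and the state codes are exactly the six listed above. It decodes each STAT string, lists the PIDs that are runnable but swapped out (RW), the zombies, and the top CPU consumers.

```python
"""Decode the STAT column of ps aux / top and flag RW (runnable but swapped).

Added example, not from the book.  SAMPLE_PS is constructed; the state codes
follow the process-state list above (R, S, W, Z, <, N).
"""
from typing import Dict, List, Tuple

STATE_CODES = {
    "R": "runnable",
    "S": "sleeping",
    "W": "swapped to virtual memory (disk)",
    "Z": "zombie",
    "<": "negative nice value (high priority)",
    "N": "positive nice value (low priority)",
}

# Constructed `ps aux` listing.  PID 842 is the bad case the book describes:
# runnable (R) with no resident pages (W).
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1104  512 ?        S    Jan01   0:04 init
root       215  0.0  0.0     0    0 ?        SW   Jan01   0:00 [kswapd]
dbadmin    842 94.3 12.5 88212 6400 ?        RW   10:02  55:31 /opt/db/server
www        901  2.1  1.2  9220 3100 ?        S<   10:05   0:12 httpd
backup     955  0.3  0.4  4100 1020 pts/1    SN   10:30   0:01 tar -cf /dev/st0
root       970  0.0  0.0     0    0 ?        Z    10:31   0:00 [cron] <defunct>
"""


def parse_ps(text: str) -> List[Dict[str, str]]:
    """One dict per process, keyed by the header names; COMMAND keeps its spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split(None, len(header) - 1)   # last field absorbs the rest
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def decode_stat(stat: str) -> List[str]:
    """Expand a STAT string such as 'S<' into its component meanings."""
    return [STATE_CODES.get(ch, f"unknown flag {ch!r}") for ch in stat]


def swapped_runnable(rows: List[Dict[str, str]]) -> List[int]:
    """PIDs in the RW state: runnable processes that have been swapped out."""
    return [int(r["PID"]) for r in rows if "R" in r["STAT"] and "W" in r["STAT"]]


def zombies(rows: List[Dict[str, str]]) -> List[int]:
    """PIDs whose state includes Z (dead but still holding a process table slot)."""
    return [int(r["PID"]) for r in rows if "Z" in r["STAT"]]


def top_cpu(rows: List[Dict[str, str]], n: int = 3) -> List[Tuple[int, float]]:
    """The n heaviest CPU consumers as (PID, %CPU), highest first."""
    ranked = sorted(rows, key=lambda r: float(r["%CPU"]), reverse=True)
    return [(int(r["PID"]), float(r["%CPU"])) for r in ranked[:n]]


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in procs:
        print(p["PID"], p["STAT"], "->", ", ".join(decode_stat(p["STAT"])))
    print("RW (memory pressure):", swapped_runnable(procs))
    print("zombies:", zombies(procs))
    print("top CPU:", top_cpu(procs))
```

Note that kswapd (SW) is not flagged: a sleeping process that has been swapped out is the benign case the book contrasts with RW.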
Top provides useful information, but at the cost of system resources. Often you will see top listed as one of the top CPU-using processes. This is because of the polling that top does on all running processes on a system. Running top can consume as much as five to ten percent of a system’s CPU time.
Windows 2000
On Windows 2000 systems, you can use the Performance Monitor to provide information on system performance: It monitors applications, memory and excessive paging, disk activity, and network traffic. Information and data can be displayed graphically (charts) or as text (reports). You used the Performance Monitor earlier in this chapter to determine a baseline for network packets/sec on your network interface card. Performance Monitor uses objects, instances, and counters. An object is a mechanism for identifying and using a system resource, such as a processor. An instance is the object number if more than one “instance” of the object exists. For example, if a system has multiple disk drives, the object is “disk drives,” instance 0 maps to disk drive 1, and instance 1 maps to disk drive 2. A counter is the variable that will be measured, such as “Disk Write Bytes/sec.”
Applications
Performance Monitor identifies how applications use memory, microprocessors, and disk I/Os. To accomplish this, Performance Monitor uses the following four key counters:
Working Set: The current number of memory bytes used by a process.
% Processor Time: The percentage of elapsed time that a processor is busy.
File Read Operations/sec: The rate of read operations on peripheral devices.
File Write Operations/sec: The rate of write operations on peripheral devices.
Memory
Monitoring memory is an important factor in system performance. Constant paging places a significant drain on system performance because disk I/O is involved. Excessive paging induces slow performance, and if the system paging file is too small, performance will degrade. The paging file should be 12MB more than your system’s RAM.
The object used in monitoring memory is the pages/sec counter and it calculates the number of pages that can be read from a disk.
Disk Activity
Disk usage statistics help balance the load on network servers. Monitoring disk activity identifies the most popular share points, so administrators can move them to faster servers. Disk I/O statistics help determine disproportionate loads on virtual memory. The following two disk objects exist:
• Physical disk: For troubleshooting and capacity planning.
• Logical disk (partition): For obtaining free disk space statistics or determining the source of activity on a physical disk.
These objects are not turned on by default because they increase disk access time. To turn on the counters, enter diskperf -y at the command prompt and reboot. After you have collected activity usage statistics, turn the disk counters off by entering diskperf -n and rebooting. To balance disk workload, use the Physical Disk object with the % Disk Time counter. It indicates the percentage of time a drive is active. If % Disk Time is high, check the Disk Queue Length to determine how many system requests are waiting for disk access. If Disk Queue Length and % Disk Time values are consistently high, upgrade the disk drive or move files to another disk or server. The number of waiting I/O requests should not exceed one-and-a-half to two times the number of spindles in the physical disk. To track disk performance, use the Physical Disk object and the Avg. Disk sec/Transfer counter. This indicates how much time a disk takes to fulfill requests. If Avg. Disk sec/Transfer is high, perhaps the disk controller is constantly retrying the disk because of failures. Most disks have a high average disk transfer rate of three-tenths of a second. A missed disk revolution adds about 16 ms to average disk transfer time.
Network Traffic
Similar to disk activity, network traffic can also identify bottlenecks using the following key counters and objects:
Processor object, % Processor Time counter: If high (85%+) and network load is low, suspect the processor.
Physical Disk object, % Disk Time and Disk Queue Length counters: If both are high, suspect the disk.
Memory object, Pages/sec counter: If consistently greater than five for a single disk, suspect memory.
Server object, Bytes Total/sec counter: If approximately equivalent to the maximum transfer rate of the network, segment the network.
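The four rules above, together with the spindle rule from the Disk Activity section, form a small decision table. The Python below is an added example, not from the book: it applies those rules to constructed counter samples (the kind you would export from Performance Monitor as a report) and names the suspected bottleneck. The book gives exact figures only for the processor (85%+) and memory (Pages/sec above five on a single-disk system) rules; the "low network load", "high % Disk Time" and "approximately equivalent" thresholds, and the two-times-spindles queue limit, are assumptions and are marked as such in the code.

```python
"""Apply the Performance Monitor bottleneck rules to counter samples.

Added example, not from the book.  The samples are constructed; thresholds
not stated in the book are assumptions (see the keyword defaults of diagnose).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Sample:
    processor_time: float            # Processor: % Processor Time
    disk_time: float                 # PhysicalDisk: % Disk Time
    disk_queue_length: float         # PhysicalDisk: Disk Queue Length
    spindles: int                    # spindles behind that PhysicalDisk instance
    pages_per_sec: float             # Memory: Pages/sec
    disk_count: int                  # number of physical disks in the system
    bytes_total_per_sec: float       # Server: Bytes Total/sec
    network_max_bytes_per_sec: float # wire capacity of the NIC, bytes/sec


def diagnose(s: Sample, low_network: float = 0.30, high_disk_time: float = 50.0,
             queue_factor: float = 2.0, near_capacity: float = 0.90) -> List[str]:
    """Return the suspected bottlenecks for one sample.

    low_network, high_disk_time, queue_factor and near_capacity are assumed
    values; 85% processor time and Pages/sec > 5 come from the book.
    """
    findings = []
    net_load = (s.bytes_total_per_sec / s.network_max_bytes_per_sec
                if s.network_max_bytes_per_sec else 0.0)
    # Processor: busy CPU while the network is quiet.
    if s.processor_time >= 85.0 and net_load < low_network:
        findings.append("processor")
    # Disk: busy drive with a queue longer than ~2x the spindle count.
    if s.disk_time > high_disk_time and s.disk_queue_length > queue_factor * s.spindles:
        findings.append("disk")
    # Memory: sustained paging on a single-disk system.
    if s.disk_count == 1 and s.pages_per_sec > 5.0:
        findings.append("memory")
    # Network: server traffic near the NIC's maximum rate.
    if net_load >= near_capacity:
        findings.append("network: segment the network")
    return findings


# Constructed samples; 12_500_000 bytes/sec approximates a 100Mbps Ethernet NIC.
SAMPLES: Dict[str, Sample] = {
    "healthy":       Sample(20, 10, 0.5, 1, 2, 1, 1_000_000, 12_500_000),
    "busy cpu":      Sample(92, 10, 0.5, 1, 2, 2, 1_000_000, 12_500_000),
    "busy disk":     Sample(30, 80, 5.0, 1, 3, 2, 1_000_000, 12_500_000),
    "paging":        Sample(30, 60, 1.0, 1, 40, 1, 1_000_000, 12_500_000),
    "saturated nic": Sample(95, 10, 0.5, 1, 2, 2, 11_800_000, 12_500_000),
}


def diagnose_samples(samples: Dict[str, Sample] = SAMPLES) -> Dict[str, List[str]]:
    """Findings for every named sample."""
    return {name: diagnose(s) for name, s in samples.items()}


if __name__ == "__main__":
    for name, findings in diagnose_samples().items():
        print(f"{name:14s} -> {findings or ['no bottleneck']}")
```

The "saturated nic" sample shows why the book qualifies the processor rule with "and network load is low": the CPU is at 95%, but because the NIC is near capacity the rule does not point at the processor, and the recommended action is to segment the network.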
Network Environment
From a network perspective, significant differences exist between running a client/server application over a local area network (LAN) and running the same application over a wide area network (WAN). The impact of network latency is more pronounced on a WAN. This difference is primarily because many WAN segments are 56Kbps or 1.5Mbps, whereas most LAN segments are 10Mbps or 100Mbps. Propagation delay and delays introduced due to routers processing packets will affect the performance of the client/server application. These delays may be more pronounced on WANs than on LANs. In the network area, an application’s performance can be affected by the following:
• Protocol stack
• Routing architecture
• Routing protocol
• Router configuration
• Router hops
• WAN environment
• LAN environment
Table 6.12 summarizes network elements and the factors a network administrator must consider for them.
TABLE 6.12 Network Elements and Considerations
Network Element: Network Administrator Considerations
Protocol stack (single or multiple): Determine whether communication between the client and server applications runs over a single protocol stack, such as TCP/IP, or multiple protocol stacks.
Protocol stack on client system segment: Determine the protocol stack: TCP/IP, Novell NetWare (IPX/SPX), AppleTalk, SNA, and/or DECnet.
Protocol stack on server system segment: Determine the protocol stack: TCP/IP, Novell NetWare (IPX/SPX), AppleTalk, SNA, and/or DECnet.
Data rate on client and/or server system segment: Determine the data rate: Ethernet (10/100/1000Mbps), Token Ring (4/16Mbps), or FDDI (100Mbps).
Data rate on WAN (if applicable): Determine the data rate: Frame Relay (56Kbps, 256Kbps), T1 (1.5Mbps), T3 (45Mbps), or ATM.
Average use on client segment (business hours only): Determine how the LAN segment to which the client system is connected is performing.
Average use on server segment (business hours only): Determine how the LAN segment to which the server system is connected is performing. If the load on the server segment is consistently high, it could impact the performance of the client/server application, even if the application itself does not place a significant load on the network.
Average use on WAN segment (business hours only): Determine the load on the WAN.
Dominant protocol on client LAN segment: Determine whether the dominant protocol is IPX/SPX or TCP/IP. Within the protocol stack, determine the protocol seen most on the client LAN segment. For example, if TCP/IP is the dominant protocol stack, does NFS, XWS, NIS, RIP, SNMP or some other protocol generate the most packets on the network?
Dominant protocol on server LAN segment: Determine whether the dominant protocol is IPX/SPX or TCP/IP. Within the protocol stack, determine the protocol seen most on the server LAN segment. For example, if TCP/IP is the dominant protocol stack, does NFS, XWS, NIS, RIP, SNMP or some other protocol generate the most packets on the network?
Dominant protocol on WAN segment: Determine whether the dominant protocol is IPX/SPX or TCP/IP. Within the protocol stack, determine the protocol seen most on the WAN. For example, if TCP/IP is the dominant protocol stack, does NFS, XWS, NIS, RIP, SNMP or some other protocol generate the most packets on the network?
Routing protocol: Determine the routing protocol: RIPv1, RIPv2, OSPF, or IGRP.
Dynamic routing tables: Determine whether the routed daemon (or some other routing process) is running on the system. Determine whether the route command is used to define static routes.
Number of links (hops) between client and server systems: Determine the impact of network latency on the performance of the application. Is there a way to reduce the number of hop counts between the client application and the server application? If yes, is it consistent with the network architecture? If it is not consistent with the network architecture, what network issues are involved? Typically, what is the latency in the router to process a packet?
Client system router CPU use: Determine whether the performance of the application is affected due to a busy router. The router may be so busy that it cannot keep up with the number of packets it needs to process.
Server system router CPU use: Determine whether the performance of the application is affected due to a busy router. The router may be so busy that it cannot keep up with the number of packets that it needs to process.
Client system router—LAN segment MTU: Verify that the Maximum Transmission Unit (MTU) is set to the highest value defined by the LAN technology in use.
Client system router—WAN segment MTU: Verify that the MTU is set to the highest value defined by the WAN technology in use.
Server system router—LAN segment MTU: Verify that the MTU is set to the highest value defined by the LAN technology in use.
Server system router—WAN segment MTU: Verify that the MTU is set to the highest value defined by the WAN technology in use.
To summarize, the following information is essential to determining whether the network is the bottleneck:
• Average use of the LAN segments that connect the client and server.
• Peak use of key systems such as client node, operating system server, and application server node.
• Frame size distribution on key LAN and WAN segments. Use this information to determine whether the application or application server has any parameters or options that affect packet size.
• Protocol types on key LAN and WAN segments. Which protocols place the most load on the network? Is there a way to optimize network load by examining where systems are located on the network?
270 Chapter 6 Troubleshooting TCP/IP
Duplicate IP Addresses
As you know, each IP address on a network must be unique. In large networks, accidentally assigning duplicate IP addresses is not uncommon. This situation causes IP address conflicts because two nodes are assigned the same IP address. If duplicate IP addresses exist, the duplicate nodes will experience difficulty in network communication, and may not function on the network. As a client, your system may have difficulty connecting to systems with duplicate IP addresses, and may connect to an entirely different system than intended. The arp command helps troubleshoot IP address conflicts on the same physical network. Because it lists both the physical and the IP address, you can verify whether you have connected to the correct computer. Windows 2000 also offers the Event Viewer, which automatically identifies the hardware address of the conflicting computer.
EXERCISE 6.4
Troubleshooting duplicate address problems in Windows 2000
In this exercise, you will configure two of your computers with the same IP address, identify the symptoms, and see how the duplication affects all the systems on the network. Then you will trace the duplication using Event Viewer.
1. On the desktop, right-click My Network Places and select Properties. Right-click Local Area Connection and select Properties. Choose Internet Protocol (TCP/IP) and click Properties.
2. Change your IP address so that System A and System B are identical. For example, if one computer is 192.168.3.13, then both computers should be 192.168.3.13. Do not change the subnet mask and default gateway. Select OK. The TCP/IP error shown below will appear on the system that changes its IP address.
3. Select OK.
4. If you have more than two systems, use each duplicate system to ping other computers on the subnet. Can both systems reach the other systems? If not, which computer cannot?
5. Each duplicate system should run the ipconfig command at the command prompt. You should discover that one of the duplicate systems appears to no longer exist on the network due to the duplicated IP address. The IP address will remain the same, but the subnet mask is set to 0.0.0.0 for the duplicate system. If there are duplicate names, the IP address on the system with the duplicate name will be set to 0.0.0.0.
6. On the system that was alerted of the duplicate IP address (the System Error in the illustration above), open Event Viewer and identify the hardware address of the conflicting computer. The Event Detail window will appear similar to the one shown below.
7. Locate the computer with this hardware address, and restore the original IP address.
8. Ping the former duplicate systems on your network.
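The arp check described in the text and the Event Viewer step of the exercise, as an added example that is not from the study guide: it parses arp -a output in both the Windows and the Unix layouts, reports any IP address that has answered from more than one hardware address between two snapshots, confirms that an address still belongs to the host you expect, and pulls the conflicting hardware address out of the conflict event's description text. The arp snapshots, the addresses and the event wording are constructed sample data.

```python
"""Detect duplicate-IP symptoms from arp output and a Windows conflict event.

Added example, not code from the study guide. The arp snapshots and the event
description below are constructed sample data shaped like real output.
"""
import re
from typing import Dict, List, Tuple

# One ARP row in either the Windows form ("192.168.3.13  00-0c-29-aa-bb-cc  dynamic")
# or the Unix form ("? (192.168.3.13) at 00:0c:29:aa:bb:cc [ether] on eth0").
_ROW = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b"
)

# Duplicate-address event text (constructed, following the wording the
# Windows TCP/IP driver writes into the System log entry).
_EVENT = re.compile(
    r"address conflict for IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r".*?hardware address (?P<mac>[0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})",
    re.IGNORECASE | re.DOTALL,
)


def norm_mac(mac: str) -> str:
    """Windows prints 00-0C-29-..., Unix prints 00:0c:29:...; compare one form."""
    return mac.lower().replace("-", ":")


def parse_arp(output: str) -> Dict[str, str]:
    """Map each resolved IP in 'arp -a' output to its normalized MAC.
    Incomplete entries carry no MAC and are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ROW.search(line)
        if m:
            table[m.group("ip")] = norm_mac(m.group("mac"))
    return table


def find_conflicts(snapshots: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """IPs that resolved to more than one MAC across successive snapshots:
    the ARP-cache signature of two hosts claiming the same address."""
    seen: Dict[str, List[str]] = {}
    for snap in snapshots:
        for ip, mac in snap.items():
            macs = seen.setdefault(ip, [])
            if mac not in macs:
                macs.append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def verify_peer(table: Dict[str, str], ip: str, expected_mac: str) -> bool:
    """True when the cache says 'ip' belongs to the host you meant to reach."""
    return table.get(ip) == norm_mac(expected_mac)


def parse_conflict_event(description: str) -> Tuple[str, str]:
    """Pull (ip, mac) out of the conflict event's description; the MAC
    identifies the other machine, which is what step 7 asks you to locate."""
    m = _EVENT.search(description)
    if not m:
        raise ValueError("not a duplicate-address event")
    return m.group("ip"), norm_mac(m.group("mac"))


# Constructed sample data ------------------------------------------------------
ARP_BEFORE = """Interface: 192.168.3.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.3.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.3.13          00-0c-29-aa-bb-cc     dynamic
"""
# The same cache a little later, after a second host took 192.168.3.13.
ARP_AFTER = """Interface: 192.168.3.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.3.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.3.13          00-50-56-11-22-33     dynamic
"""
ARP_UNIX = """? (192.168.3.13) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.3.50) at <incomplete> on eth0
"""
EVENT_TEXT = ("The system detected an address conflict for IP address "
              "192.168.3.13 with the system having network hardware "
              "address 00-50-56-11-22-33.")

if __name__ == "__main__":
    conflicts = find_conflicts([parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)])
    for ip, macs in conflicts.items():
        print(f"{ip} answered from {len(macs)} hardware addresses: {', '.join(macs)}")
    print("event names the other host:", parse_conflict_event(EVENT_TEXT))
```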
Summary
In this chapter, you learned about important tools for identifying and troubleshooting TCP/IP network problems. You accessed the protocol(s), services, and xinetd files, and you were introduced to ICMP, the protocol designed for identifying problems within IP, and its message types. We covered TCP/IP troubleshooting commands and utilities, including ping, traceroute/tracert, netstat, ifconfig/ipconfig, arp, nslookup, and hostname, and you learned about the factors that affect the performance of TCP/IP networks, which include your systems, the network, and your client/server applications. All of these elements are vital to maintaining an efficient network. A true networking professional will have familiarity with all of these elements of system and application performance, even if the primary responsibility for those elements is not yours. You established a network baseline, and you identified areas for bottlenecks and traffic congestion. You also identified and isolated duplicate IP addresses. Throughout the chapter, you compared implementations of TCP/IP on Unix and Windows 2000 platforms. Remember that the IP standards are open and published documents, but that certain implementations of the IP standard will vary on different platforms.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
arp
ping
hostname
ps
ifconfig
source-quench
Internet Control Message Protocol (ICMP)
traceroute
ipconfig
top
netstat
uptime
nslookup
vmstat (virtual memory statistics)
Exam Essentials
Understand useful network files, such as the protocol(s), services, and xinetd files. These files contain valuable information about local TCP/IP settings. Because these files dictate how TCP/IP is configured on a machine, they are important to check, particularly when troubleshooting.
Know Internet Control Message Protocol (ICMP) concepts. ICMP operates at Layer 3 of the OSI reference model, which is important in order to pass errors and control messages regarding TCP and UDP at Layer 4. ICMP messages let a server or client know fundamental IP issues such as timer exceeded and destination unreachable, and allow network administrators to test connectivity or query network information.
Know ICMP message types. Error messages include Timer Exceeded, Parameter Problem, Destination Unreachable, Source Quench, and Redirect. Query messages include Echo, Timestamp, Information, and Subnet Mask. Queries each have a request/reply flag.
Understand general network troubleshooting commands. The most common and useful network troubleshooting commands are ping, traceroute (Unix) or tracert (Windows), and netstat. These are used to test connectivity, routing, and network status. On Unix or Linux, ifconfig is important for configuring or viewing network interfaces, while a similar command on Windows systems is ipconfig.
Know name and address troubleshooting commands. The Domain Name System is an important factor to troubleshoot. The nslookup command will query the default name server, hostname will show the name of the current host, and arp will allow you to determine a system’s hardware address for a given IP address.
Understand factors that can affect the performance of TCP/IP or intranet applications. The system CPU or memory on the client or server, or on the LAN or WAN network, can affect performance. Architecture or configuration of the system or the network can also improve or decrease performance. The application architecture is perhaps most important.
Be able to identify potential areas for bottlenecks and traffic congestion. WAN links are common bottlenecks, because it is relatively expensive to provide a high bandwidth connection over a wide area link, and a handful of high bandwidth users may saturate a lower bandwidth link. Disk I/O on the client can be faster than accessing a server disk over a slow WAN connection. Insufficient RAM, on either server or client, can result in excessive paging of virtual memory (disk), which is thousands of times slower than physical memory (RAM).
Review Questions
1. What is the purpose of the services file?
A. It contains the information required to manage a particular network service daemon.
B. It describes the protocols used at the Internet layer of the TCP/IP protocol stack.
C. It contains port numbers for well-known services, such as Telnet, FTP, and HTTP.
D. It is used to implement arbitrary routing policies based on the path-vector protocol.
2. In which of the following file pairs are both files exclusive to Unix?
A. xinetd.conf and services
B. services and protocols
C. protocols and xinetd.conf
D. services and protocol
3. Which of the following statements accurately characterizes ICMP?
A. ICMP provides a single mechanism for all Internet control and information messages.
B. ICMP is not a required part of the TCP/IP stack.
C. All ICMP messages begin with the same four fields.
D. The ICMP source-quench message specifies that an IP header error occurred.
4. What is the purpose of the ping general network troubleshooting command?
A. It is used to determine the path between the source and destination systems.
B. It is used to test reachability between source and destination systems.
C. It is used to display the contents of various network-related data structures.
D. It is used to display information about packets processed by a system on the network.
5. What is the purpose of the ipconfig name and address troubleshooting command?
A. It is used to display and modify the Internet-to-Ethernet address translation tables used by ARP.
B. It is used to assign an Internet address to a network interface, such as Ethernet.
C. It is used to query Internet domain name servers.
D. It is used to display the Windows 2000 IP configuration.
6. Which of the following factors is an example of a system resource that can affect the performance of an application?
A. The LAN on which the client node is configured
B. Memory on the node on which the client portion of the application runs
C. Communication device architecture and configuration
D. Protocols in use between the application client and server nodes
7. For client/server applications, which of the following performance considerations applies to client system configuration?
A. Determine the processor on the application server system.
B. Determine the interface.
C. Determine the processor on the client system.
D. Determine whether the system is configured optimally for the client/server and other applications.
8. Which of the following Unix/Linux commands provides information about virtual memory, disk access, and CPU use?
A. The ps command
B. The vmstat command
C. The ping command
D. The uptime command
9. Which of the following statements accurately describes an object used by the Windows 2000 Performance Monitor?
A. An object is a mechanism for identifying and using a system resource.
B. An object is a mechanism for maintaining information on the count averages of active jobs in the system for the previous 1, 5, and 15 minutes.
C. An object is the variable that will be measured as part of the monitoring process.
D. An object specifies the length of time a system has been running.
10. What two objects exist for use in monitoring disk activity on Windows 2000 systems?
A. Physical and logical
B. Server and physical
C. Logical and % Disk Time
D. % Disk Time and diskperf
11. Which of the following statements accurately characterizes performance in the network environment?
A. Few differences exist between running a client/server application over a LAN and running the same application over a WAN.
B. Propagation delays may be more pronounced on WANs than on LANs.
C. The impact of network latency is more pronounced on a LAN.
D. An application’s performance cannot be affected by router configuration factors.
12. Which of the following statements accurately characterizes duplicate IP addresses?
A. If duplicate IP addresses exist, the duplicate nodes will not experience difficulty in network communication.
B. The ps command helps identify the hardware address of a computer with a duplicate address.
C. The arp command helps troubleshoot IP address conflicts on the same physical network.
D. Duplicate IP addresses are more common in small networks than in large networks.
13. What is the protocol number (in the IP header) for TCP?
A. 2
B. 6
C. 7
D. 18
14. What is the protocol number (in the IP header) for UDP?
A. 5
B. 6
C. 9
D. 17
15. Which is the preferred method for disabling a service offered through xinetd?
A. Remove the binary file that runs as a daemon.
B. Comment out the “service” line in the configuration file in xinetd.d/.
C. Comment out the “service” line in /etc/xinetd.conf.
D. Delete the service configuration file from /etc/xinetd.d/.
E. Rename the service configuration file in /etc/xinetd.d/.
16. What type of message will a client system generate when it is unable to accept traffic as quickly as a server is sending the information?
A. defragmentation MTU resize
B. parameter problem
C. echo-request
D. source-quench
17. How can you remove an address from a local ARP cache?
A. arp -d [internet address]
B. arp -r [internet address]
C. arp -d [hardware address]
D. arp -r [hardware address]
18. How can you use nslookup to query a specific, non-default name server?
A. Specify the name or IP address of the desired name server after the target IP address or host name.
B. Use the -n switch with nslookup.
C. You cannot query specific name servers directly; you must allow the DNS hierarchy to resolve the query.
D. Use the /forward switch to request that your default name server forward the query to a specified name server.
19. Which of the following tools will allow you to determine how many network segments connect you to a host?
A. ping
B. nslookup
C. traceroute (or tracert)
D. arp
20. What can you do to improve performance of a client/server application?
A. Increase network bandwidth between client and server.
B. Add RAM to client systems.
C. Add RAM to application servers.
D. Recode the application to optimize the traffic for your specific configuration needs.
E. All of the above
Answers to Review Questions
1. C. The services file contains names and port assignments for various TCP and UDP protocol assignments.
2. C. The services file exists on both Unix and NT/2000, but the Windows equivalent to /etc/protocols on Unix is the Windows protocol file. The xinetd.conf file has no Windows equivalent.
3. A. ICMP is the error and control mechanism for IP, and exists at Layer 3 of the OSI model.
4. B. Ping is designed to test reachability or connectivity between systems.
5. D. The ipconfig command is used to show Windows 2000 and NT IP configuration state.
6. B. Memory is the only system resource listed among the options.
7. C. The processor on the client system is an important element of performance analysis.
8. B. The vmstat command provides information on virtual memory, disk, and CPU use.
9. A. An object is an abstraction that is used to represent functionality or information. While objects are most often used by software developers writing or reading code, in PerfMon they are a mechanism for identifying and using a system resource, which may have many measured variables, over different lengths of time.
10. A. Physical disk objects and logical disk (partition) information are the two types of objects for monitoring disk performance.
11. B. WAN connections are usually slower, with less bandwidth and more latency than a LAN connection. A system’s performance may suffer over a WAN link, while performing admirably over a LAN.
12. C. Duplicate IP addresses will cause problems. The arp command is useful in troubleshooting IP address duplications.
13. B. TCP has protocol 6, both in the IP header and in the /etc/protocols file.
14. D. UDP has protocol 17 in both the IP header and in the /etc/protocols file.
15. B. All of these will work. Commenting out the “service” line of the configuration file in /etc/xinetd.d/ will prevent the service from starting through xinetd, and is the preferred method.
16. D. A source-quench is the ICMP message used to slow or stop the flow of packets.
17. A. The -d option is used with the system’s Internet address to remove an ARP cache entry (in Unix or Windows).
18. A. You may specify a name server to query on the command line, after the target. Both the query target and the name server to query may be in either IP address or domain name format.
19. C. The traceroute command will display each network segment, with ICMP replies returning from each consecutive router.
20. E. All of these choices may improve system performance. Appropriate troubleshooting and diagnostics will allow you to select the choice that is appropriate for your environment.
Chapter 7
Network Management Essentials
CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER: Explain key network management architectures, protocols, and components, including but not limited to: SNMP, OSI network management model.
Corporate networks continue to grow in size and complexity, and managing them presents an ongoing challenge. To be a successful administrator, you must be able to effectively manage a network, which requires you to first familiarize yourself with the concepts, terms, and procedures common to the practice. The world has moved toward hyper-distributed, Internet-based computing architectures, and the need for central access to information about resources has increased accordingly. A centralized management scheme can allow you to troubleshoot network problems, as well as configure and manage devices quickly and efficiently. However, centralization requires systems on the network to speak a common language, enabling them to exchange information about packets, protocols, and network data.
Network Management
Transmission Control Protocol/Internet Protocol (TCP/IP) provides a helpful example for a network management solution: It is a scalable, vendor-neutral, open communication standard. Because it allows heterogeneous systems to communicate efficiently, TCP/IP has fueled the growth of the Internet, and has become the dominant protocol in local area networks (LANs), wide area networks (WANs), and metropolitan area networks (MANs). TCP/IP was developed to solve various problems, and it has succeeded admirably. Similarly, administrators need a network management framework and protocol that provides vendor-neutral, cross-platform control of heterogeneous networks. This management protocol must be scalable, functional, and relatively easy to learn. As shown in Figure 7.1, a network management architecture must work with various elements, including servers, routers, and clients from different vendors.
FIGURE 7.1 Typical heterogeneous network
[Figure: a head office and a branch office, each with servers, printers, desktop computers, and workstations on Ethernet segments, joined through routers over a Frame Relay link; a management console sits on the head office network.]
This need has led to the formulation of various network management strategies, some proprietary, others overly complex. Nevertheless, those interested in managing networks want to implement universal network management goals and strategies.
Management Protocols
Management protocols have been developed specifically for performing network management functions. Simple Network Management Protocol (SNMP) is the most commonly implemented management protocol. Although SNMP uses its own nomenclature at times, you should learn some widely used terms and principles of network management in order to implement SNMP properly. Another management protocol, Common Management Information Protocol (CMIP), is a network management protocol sponsored by the ISO that was once a competitor to SNMP.
Finding the ideal network management protocol is probably as unlikely as finding the ideal network. For some, SNMP is ideal, and for most SNMP fulfills all of their needs for a network management protocol. Others prefer the more ambitious Common Management Information Protocol, detailed in RFC 1189, or a proprietary offering. Whatever the choice, a network management protocol and strategy are vital to establishing consistency in the configuration and management of heterogeneous systems, and providing growth and organization in the network. The strategy should also establish the guidelines and procedures for monitoring and troubleshooting a network. Above all, a management system worth adopting should have as little effect as possible on the network it is monitoring. In addition to this cardinal rule, a management protocol should also be easy to learn. Finally, it should be as simple as possible so that it will continue working, even in the most adverse conditions. These three qualities facilitate wide implementation. Additionally, the management system or protocol should:
Control corporate strategic assets from a central position.
Provide remote systems management.
Operate independently of the system it monitors.
Support multiple protocols.
Operate as transparently as possible.
Manage complexity.
Improve service.
Balance various needs, including applications, systems, and technologies.
Reduce downtime with fast response time.
Control costs.
A network management protocol provides a common means for reading and writing management information between a network management station (NMS) and a node. You will learn about NMSs later in this chapter. A separate management protocol gives diverse managed nodes and management systems a universal means to communicate. Examples of network management protocols include the Standard Gateway Management Protocol (SGMP), as well as SNMP and CMIP.
Proprietary Solutions
Although most sophisticated network devices, such as routers, switches, and bridges, contain their own management systems, such systems are not independent of the devices they manage. Moreover, many proprietary management systems do not lend themselves to easy, centralized, remote management. Even those that do, however, present a problem: In a large, complex network, remembering the workings of each management program or scheme would be difficult. The key, then, is a universal protocol and accompanying scheme that are as simple as possible.
Open Solutions
To standardize the development of networks and management schemes, the International Organization for Standardization (ISO) issued the 7498 series of documents, delivered in four parts, that outlined the OSI model. The 7498-1 specification detailed the now familiar seven-layer OSI/RM and associated elements. The fourth section, 7498-4, outlined five Management Functional Areas (MFAs) that administrators should consider when developing a network management plan. Although the developers of SNMP did not use this model, it nevertheless provides the necessary vocabulary that allows you to approach network management and understand how SNMP works.
Visit www.iso.ch to obtain ISO documents.
Management Functional Areas (MFAs)
The ISO MFA model does not require the implementation of any specific protocol. Although SNMP and CMIP tend to be associated with TCP/IP, they do not require it to run. Additionally, SNMP does not adhere to many of the ISO standards, mainly because those standards are often needlessly complex and therefore impractical. Not even SNMP Version 3 incorporates the ISO network management standards. Still, the MFA does provide a framework that allows developers and network managers to share a vocabulary when formulating and implementing a management solution. The MFA separates the task of network management into five discrete categories that allow you to organize your management efforts into one paradigm. As shown in Figure 7.2, the categories are fault, configuration, accounting, performance, and security management. To facilitate remembering the model, many administrators call it the FCAPS model.
FIGURE 7.2 FCAPS Management Functional Areas model
[Figure: Fault Management, Configuration Management, Accounting Management, Performance Management, Security Management]
Fault Management
The most widely deployed concept of the ISO model, fault management pertains to the proper operation of a network and all its components. The definition of a fault is critical to this concept. A fault is not necessarily an error or a failure, but an abnormality. Administrators must be able to determine when a device has failed and act quickly. Accordingly, the objective of fault management is to detect and log network problems or device failures. A fault management system should also notify the administrator automatically in case of a problem. The administrator should then be able to isolate the problem from the rest of the network and correct it remotely. If a fault occurs, some management stations can even fix some network problems automatically. Fault management helps create a reliable network because it allows an administrator to quickly detect problems and begin appropriate recovery procedures. The most important element of fault management is to determine priority. Especially on a large network, you must determine which resources are the most important. The fault management process involves the following three steps:
1. Determine symptoms.
2. Isolate the problem.
3. Provide a solution.
To provide a solution, you must first test it on all your important subsystems. You should also record this solution for future reference. Some management systems display messages in the color codes explained in Table 7.1 to record network information.
TABLE 7.1 Color Code for Errors
Color: Error Code
Green: No errors.
Yellow: May have problems.
Red: Device is in a state of error and is no longer in service.
Blue: Device is running but has experienced an error.
Orange: Configuration error.
Gray: No information about the device is available.
Purple: Device is being queried or polled.
Configuration Management
Configuration management is the ability to initialize, identify, configure, and control the devices in a network. It also involves understanding the context in which a particular component is operating. Knowing the function of individual systems is usually not enough. You also need to know about the systems that work together, as well as how each system interacts with the others. In short, the key to effective configuration management is to learn the effect your configuration settings have on your network hardware. An effective management solution will attempt to create a configuration inventory and store it centrally so that you can determine how to manage, or even reconfigure, this information. Once you create and maintain a database, you can search it for clues concerning a problem. This database will form an information store that will enable you to troubleshoot your network intelligently even if a key employee is unavailable. Configuration information also includes details of the network’s topology. This includes a physical map of the network, and an understanding of the logical flow of information through it. Finally, because configuration management deals with setting system policies, as well as establishing auditing and monitoring practices, it is closely related to fault management.
Name Management
Determining the types of devices you will manage is called name management. Name management is a subset of configuration management. Once you have identified an entity by name or type, you can monitor or manage it using a predefined set of options. In summary, configuration management addresses the following areas.
Initial network configuration: You should place all important configuration information into a database that is available to the network. This task is, in many ways, the most important step when configuring any network. Configuration information might include anything that would help you operate the managed node more efficiently. For example, you might want the security policy to be readily available, along with lists of your NIC type, SOCKS server, application gateway addresses, TCP/IP address ranges, common configuration problems, and so forth.
Observing the current state of the network: This area involves observing individual network nodes and viewing the state of the entire network.
Altering network relationships: Managing configuration often requires you to alter the way different systems interact with one another.
Systems initialization and termination: Configuration management deals with the ability to centrally stop and start services, and to initialize, terminate, and reboot a network node, such as a server or router.
Software distribution: If you want to configure a network, you must have access to the software that runs it. Software might include operating systems, applications, and patches.
Reporting the network’s status: As a network manager, you must always note (in writing) any relevant information and make it centrally available in case you need it later.
Accounting Management
The objective of accounting management is to measure network access by user, device, or subnetwork, always with the purpose of determining its operating cost.
Accounting management pertains to charging various departments for Information Technology (IT) services. Often, these “charges” are not actual monetary transactions, but merely a way to track the amount of time that administrators spend helping particular individuals or departments. Network administrators usually log numerous hours assisting specific groups or departments with various services. Accounting management attempts to discover the total number of transactions, number of bytes, and number of packets. The accounting management aspect of network management is also responsible for billing departments, verifying costs, and budgeting for future expenses. Accounting management is vital in forecasting the need for future network resources. This process is ongoing, especially in growing companies interested in determining the productivity of specific departments and network elements.
Performance Management
Performance management consists of two categories: monitoring and controlling. Monitoring is the tracking of a managed entity to determine whether it is operating within given thresholds. In most situations, network administrators define the thresholds, or baselines, for managed entities. Controlling is the ability to adjust a managed entity to correct any performance problems. The performance management process is mostly reactive in the sense that you must first get the network to perform, then monitor it. The process is as follows:
1. Gather performance data, based on variables of interest:
Network throughput
User response times
Line utilization
2. Monitor each system device and variable to determine a baseline, or threshold. Sample network activity at various times throughout the day. Determine peak times. Identify when the traffic is most congested.
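The two-step process above, worked as an added example that is not from the study guide: it builds a per-hour baseline from constructed line-utilization samples for one WAN link, finds the peak hour and the hours that are already congested, and judges fresh samples against both the baseline and an administrator-set threshold. The sample values, the 80 percent limit and the two-standard-deviation warning band are assumptions.

```python
"""Baseline and threshold monitoring for one managed entity.

Added example, not code from the study guide. All utilization figures are
constructed sample data; the 80 percent limit and the two-sigma warning
band are assumed administrator settings.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Baseline = Dict[int, Tuple[float, float]]  # hour of day -> (mean, std dev)

# Step 1: performance data gathered at various times of day over several days.
# Each sample is (hour_of_day, line utilization in percent) for one WAN link.
SAMPLES: List[Tuple[int, float]] = [
    (9, 35.0), (9, 38.0), (9, 36.0), (9, 40.0),
    (12, 52.0), (12, 55.0), (12, 50.0), (12, 58.0),
    (14, 88.0), (14, 85.0), (14, 90.0), (14, 87.0),
    (18, 20.0), (18, 22.0), (18, 18.0), (18, 24.0),
]


def baseline(samples: List[Tuple[int, float]]) -> Baseline:
    """Step 2: reduce the samples to a per-hour baseline (mean and spread)."""
    by_hour: Dict[int, List[float]] = defaultdict(list)
    for hour, util in samples:
        by_hour[hour].append(util)
    return {hour: (mean(vals), pstdev(vals)) for hour, vals in by_hour.items()}


def peak_hour(base: Baseline) -> int:
    """The hour whose baseline mean is highest: the link's peak time."""
    return max(base, key=lambda hour: base[hour][0])


def congested_hours(base: Baseline, limit: float) -> List[int]:
    """Hours whose typical utilization already exceeds the limit, sorted."""
    return sorted(hour for hour, (avg, _) in base.items() if avg > limit)


def classify(hour: int, util: float, base: Baseline,
             limit: float = 80.0, warn_sigma: float = 2.0) -> str:
    """Judge a fresh sample against the baseline for its hour.

    'threshold exceeded': above the administrator's hard limit for the link.
    'warning': under the limit but well above what is normal for that hour,
               worth a look even though nothing has failed yet.
    'ok': consistent with the baseline.
    'no baseline': the hour was never sampled, so no judgement is possible.
    """
    if hour not in base:
        return "no baseline"
    if util > limit:
        return "threshold exceeded"
    avg, spread = base[hour]
    if util > avg + warn_sigma * spread:
        return "warning"
    return "ok"


if __name__ == "__main__":
    base = baseline(SAMPLES)
    print("peak hour:", peak_hour(base))
    print("hours already over 80%:", congested_hours(base, 80.0))
    for hour, util in [(14, 95.0), (12, 70.0), (9, 37.0), (3, 10.0)]:
        print(f"{hour:02d}:00 at {util:.0f}% -> {classify(hour, util, base)}")
```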
Security Management
The objective of security management is to control access to network resources according to specific guidelines you set. Key security issues include password management, key distribution, and controlling access to resources. A proper security management scheme generally partitions network resources into authorized and unauthorized areas, using security management subsystems to do so. Effective security management also includes actively maintaining and monitoring log files, which can indicate potential security threats and weaknesses. Security management subsystems help identify sensitive network resources. These subsystems also help find network access points and then determine which points require further security. For example, you could use a packet filtering firewall to secure access between your network and the Internet. You should also use logging to ensure that users are not gaining improper access to sensitive files and network information. Since the advent of the Internet and its use as a business tool, security has become a major concern in networking.
Security management is different from operating system and physical security. Security management pertains mostly to access policies, logging, auditing, encryption, and authentication schemes.
Network Management Model
To accomplish the five management goals of the FCAPS model, the ISO and the SNMP creators settled on a common model. This model for network and system management consists of four elements:
A managed node (for example, a network host with an agent)
An information base (for example, an SNMP Management Information Base)
A network management station, complete with an NMS application (for example, HP OpenView)
A network management protocol (for example, SNMP)
Figure 7.3 provides a simple map of a typical implementation of the network management model.
FIGURE 7.3 Network management model: a Network Management Station (NMS) connected by the management protocol to managed nodes (a Linux server, a router, a Windows 2000 server, a Novell server, a Windows client, and a Linux client), each of which runs an agent with its own MIB.
The network management model accounts for different types of devices, as well as any vendor capable of supporting an agent-and-management protocol. Agents provide a way to manage a network regardless of architecture, vendor, or machine configuration.
Managed Nodes
If a network device has an agent placed on it, it is called a managed node, or simply a node. Nodes can be repeaters, routers, gateways, firewalls, individual systems such as a workstation, and servers. Managed nodes must support protocols that enable key network systems to communicate with them. The one characteristic that binds these diverse elements is that the NMS regards them as something to manage.
Agents
The primary characteristic of a node is that it contains an agent. Agents are software modules that compile information about the managed devices on which they physically reside. They collect information about the managed node, then provide it to the NMS. Agents also define the parameters that an NMS can monitor or configure. The information an agent exposes is organized according to its information base, which in SNMP is called the Management Information Base (MIB) and lives with the agent on the managed node (see Figure 7.8); the NMS keeps a separate database of the values it gathers from agents. Different management systems use different names for the information base.
Traversals and Traps
Most network management protocols provide two ways for you to gain information from agents: traversals and traps. As shown in Figure 7.4, a traversal operation is one in which the NMS sends queries, or requests, to the agent. SNMP favors the traversal method, for reasons that will be explained later.
FIGURE 7.4 A traversal operation: an NMS sending a query to an agent
The second method is called a trap. As shown in Figure 7.5, an agent generates a trap, which is sent automatically to an NMS. A trap operation is interrupt-driven, meaning that an agent will send a trap to an NMS in response to an extraordinary event.
FIGURE 7.5 A trap: an agent sending a trap, or management alert, to the NMS
Another of the fundamental differences between a query (e.g., a traversal operation) and a trap is that you must preconfigure an agent to send a trap when certain conditions are met. For example, you could configure an agent to respond to a system reboot. Every time the system containing the agent reboots, the agent will send a message, or trap, to the NMS stating that this has occurred. Using an NMS, you can conduct a query whenever you want.
Polling
One of the chief benefits of an enterprise-grade NMS application is the ability to establish a map of the network, then automate queries to each of the nodes. These automated queries are sent by the NMS; whenever an agent receives one, it returns a response telling the NMS whether the node is running. With polling, an administrator can obtain certain information quickly. Basic status polling does not return specialized data, such as routing tables or whether a hard drive is getting too full; it indicates only whether the system is responding, has restarted, has been reconfigured and then restarted, or is simply out of service. Establishing a polling system is time-consuming. Polling and traps are complementary but distinct: polling is initiated by the NMS on a schedule and uses ordinary queries, whereas a trap is always initiated by the agent after a significant, pre-specified condition. A node that dies without being able to send a trap is still noticed when it stops answering polls, which is why polling is not made redundant by traps.
Proxy Agents
A proxy agent works for and on behalf of another device. Sometimes an agent cannot communicate directly with the NMS, either because it does not share the same protocol or because the NMS requires the help of a proxy to ease the administrative burden. You can establish the following different types of proxies:
Caching: If a device becomes too busy as you manage it, you can establish a proxy agent that stores frequently requested information. Caching also helps reduce processor load on a particular device.
Administrative caching: A proxy agent can authenticate requests sent to the NMS so you can reduce its administrative load.
Multi-transport protocol support: A proxy agent can provide a way for an agent on a subnetwork running a different network protocol to communicate with an NMS. Another name for this type of proxy is a gateway proxy.
Multi-management protocol support: A proxy agent can allow two proxy agents from different management protocols to communicate with the same NMS.
Often an agent cannot be installed on a certain corporate network device because the device might not have sufficient memory or storage space to accommodate the agent. In this situation, you can install a proxy to monitor this device, as shown in Figure 7.6. In many cases, a proxy can also reside directly on a device, but the device will be completely unaware of its presence, or of the fact that it is participating in a network management scheme.
FIGURE 7.6 Management by proxy: the NMS queries a proxy agent, which "listens" to a device managed by proxy because that device is incapable of transmitting management information itself.
Such a proxy monitors signals emitted by a noncompliant device. For example, it can help monitor the number of packets passing through it, or it can determine the device’s temperature. A proxy can determine numerous additional aspects and functions. As the previous figure shows, the NMS can query the proxy agent, which then attempts to access information from the managed device by listening to its functions. It then responds to the NMS with the information. The proxy can also send traps when it detects an extraordinary event from the managed device.
Gateway Agents Sometimes a proxy that translates between two management protocols or acts as a bridge between two different network protocols is called a gateway agent. As shown in Figure 7.7, a proxy allows an NMS to query an agent that uses a different version of the same management protocol. If the device you want to manage supports only SNMPv2c, but you are running SNMPv1, you could use a proxy to receive and forward information from this incompatible device. Proxies can also help translate between different network protocols. A gateway agent can enable an agent running on an IPX/SPX network to convey information to a TCP/IP network.
The term “gateway agent” is sometimes used to denote an agent that forwards information from a device that does not natively support any type of management. However, this usage is largely inaccurate because in network management, the term “gateway” implies an act of translation.
FIGURE 7.7 Proxy agent protocol conversion: an NMS running SNMPv1 reaches an agent that speaks SNMPv2c through a gateway proxy agent.
Caching and Network Management Topologies Proxy agents can consolidate multiple nodes under a single network address, as well as provide additional security. Therefore, you can implement different management architectures, or topologies, as you will learn in the next section.
Information Base
You have learned how agents gather information about a network resource, or node. As shown in Figure 7.8, each agent requires an information base, which structures and organizes the data kept by the agent. SNMP calls its information base a Management Information Base (MIB).
FIGURE 7.8 Information base on a managed node: the node's agent together with its information base
Although calling an information base a database of information is tempting, this terminology is not entirely correct. An information base simply describes how the agent should structure the management information. In no way does an information base store the information. Neither does it inform the NMS whether any information exists. In the same way that a networking diagram outlines the network’s ability to work, an information base describes an agent’s ability to retrieve and report information.
Network Management System (NMS)
A Network Management System (NMS) is a system that supports a network management protocol. An NMS consists of agents and one or more systems that aggregate and organize information from the agents. In addition to supporting the protocol, the NMS houses the application or applications necessary to process and access information from entities (in other words, managed nodes) on the network. For example, if you decide to use SunNet Manager or HP OpenView, you have chosen an NMS application. In general, the primary function of an NMS is to authenticate requests and implement a viable administrative model. The application facilitates the requests and the model. The NMS collects information sent to it from a node and, depending on the content and context of the received information, reacts accordingly. As discussed previously, an NMS can query an agent, or it can receive traps. An NMS also polls certain nodes to determine their status. Other names for an NMS are "manager," "management console," and "management entity." Still other networking professionals simply call an NMS a network management station. An enterprise-grade NMS application should include the following key elements:
An easily learned interface. For NT, it should have a graphical user interface (GUI). For Unix systems, the interface should be as functional as possible, even if it is not a GUI.
The ability to receive and process traps.
The capacity to poll agents.
A way to password-protect the application.
Many ways to scale the product to size.
An easily updated query database.
Solid technical support.
Reporting mechanisms, including the ability to port information to a database, or to HTML.
The previous model does not limit itself to any one vendor, operating system, or program.
Dual-Role Entities
As you might expect, a dual-role entity is a system that is both a manager and a node. Another name for a dual-role entity is a mid-level manager. Such an entity therefore houses an NMS as well as an agent, as shown in Figure 7.9. A dual-role entity could even house a proxy as well, if the network were using multiple versions of a protocol, or even multiple protocols.
FIGURE 7.9 System acting as dual-role entity: an NMS/node, which runs an agent and MIB of its own, sits between the nodes above and below it, each with its own agent and MIB.
Dual-role entities work with proxies to help establish three different hierarchical architectures, which will be discussed in the next section.
Although thinking of network managers and agents in terms of client and server is tempting, it is not at all accurate. Because “client” and “server” carry so many implicit meanings, be sure to adhere strictly to “manager” and “agent,” or “NMS” and “agent.”
Network Management Architecture
The final component of a successful network management strategy is to determine the layout of your management systems. The management architecture a company chooses to implement will be determined by its network management strategy. The three possible network management architectures are:
Centralized
Distributed
Hierarchical
Centralized Architecture
In a centralized network management architecture, all queries are sent to a single management system. All management applications are installed on the central NMS, which responds to all trap messages sent from managed nodes. As represented in Figure 7.10, a single management system is solely responsible for polling nodes to query for information.
FIGURE 7.10 Centralized management architecture: a single NMS above all of the agents
Centralized Architecture Strengths and Weaknesses In this type of architecture, your information is easy to manage. It is ideal for small to medium-sized networks. However, an NMS in this type of architecture can become overburdened quite easily. Since the agents initiate the traps, the NMS can be bombarded by numerous traps and be quickly overwhelmed.
Distributed Architecture
As shown in Figure 7.11, at least two peer network management systems collectively manage all system elements in a distributed management architecture. You can organize a distributed architecture geographically, or you can make each NMS responsible for specific types of network devices.
FIGURE 7.11 Distributed management architecture: two peer NMSs, each managing its own group of agents
Distributed Architecture Strengths and Weaknesses Because management applications are distributed across several management systems, you can ensure that each NMS will not be overburdened. Such load balancing is important in medium- to large-sized networks. In addition to load balancing, this architecture is also more fault-tolerant. In a distributed architecture, an NMS can poll the other NMS or NMSs to verify availability, and generate an alert if needed. In a distributed architecture, network management information is not centrally maintained, which can lead to mismanagement of system data. You will not be able to easily centralize information when polling your network, which may increase the administrative burden. This model also tends to limit the benefit of a centralized network management model. Because NMSs can send only messages back and forth to each other, they cannot update each other’s query or result databases.
Hierarchical Architecture
A hierarchical system combines a centralized system with a distributed system. It is by far the most complex architecture, but it provides the strengths of the centralized and distributed architectures. As shown in Figure 7.12, you still use a centralized NMS, but it coordinates only queries sent out from additional NMS entities.
FIGURE 7.12 Hierarchical management architecture: a central NMS above two subordinate NMSs, each managing its own group of agents
Hierarchical Architecture Strengths and Weaknesses The hierarchical approach is centralized, so you can delegate various tasks and responsibilities to systems on the network. Thus, you can centrally maintain and store information, yet still ensure that distributed systems remain responsible for processing queries and responses. Management applications are distributed across several management systems, with a central system accepting information from all the submanagement applications.
Alternative Architectures Proxies and dual-role entities enable you to further relieve the stress placed on the NMS. They also enable you to retain a central management structure and implement alternative architectures. See Figure 7.13.
FIGURE 7.13 Typical network management topology enabled by proxy: the NMS (management entity) speaks the network management protocol to a network agent, which acts as a proxy for a second agent; each agent keeps its own MIB.
SNMP Overview
Regardless of the architecture or the specific NMS you select for implementation, you will need to understand Simple Network Management Protocol. To understand SNMP and implement it efficiently, you must first understand its history. Although SNMP is currently in its third version (SNMPv3), SNMPv1 is by far the most widely implemented. To understand the future of SNMP, you need to know about some of the issues concerning its development. We'll cover the high points in SNMP's evolution, and will discuss specific ways to implement SNMP, its processes, and its architecture. To help you understand the practical side of SNMP, you will install an NMS application and an agent on Windows 2000. This section also discusses the services that enable SNMP to operate. Because Unix systems are so common, you will learn the procedures for installing an NMS and agent on a Unix operating system as well.
Popularity of SNMP
SNMP is relatively easy to learn and inexpensive to implement. The main reason to choose SNMP is for managing a network using TCP/IP. SNMP works with a variety of networks, but it was originally developed for use with TCP/IP. Further, a large SNMP knowledge base exists, which is helpful when you have problems or questions as well as when you need to hire consultants and employees. Although early SNMP versions lack security, progress is being made to offer more complex authentication and encryption techniques to the protocol.
Simplicity
Vendors have supported SNMP because it is relatively simple to operate from an NMS application, and creating MIB objects for SNMP devices is relatively easy. When an enterprise wants to support SNMP, it can simply create an MIB according to the MIB tree to include with its agent. Another reason that SNMP is popular is that it does not propose a rigid administrative structure. All you need to conduct a query in SNMPv1 is the network address of a node and the correct community name. The NMS need never be part of a domain or any other administrative unit.
Wide Industry Support
Due to its relative simplicity, hundreds of vendors support SNMP. Due to the grass-roots nature of the Internet, many developers have created MIBs and agents that support SNMP as well.
Wise Use of Resources
SNMP requires fewer system and network resources because it has relatively low memory and CPU cycle requirements. Although other management schemes exist, not one has been able to equal the power and simplicity of SNMP.
Standardization and Stability
An open standard is developed through voluntary efforts, usually from members of the Internet community. To become an Internet standard, SNMP was tested and approved by the Internet Architecture Board (IAB). Such approval generally implies a usable, stable protocol.
SNMP has been deemed stable by thousands of networking administrators. This recommendation is perhaps the most important to the protocol.
Centralized Administration
Because SNMP is based on a query-response mechanism, it centralizes authority and allows you to manage information from one location.
Portability
Because SNMP is a protocol, any hardware device or software operating system can use it. Vendors need only make sure that their products conform to SNMP rules. If so, SNMP enables transparent management of those devices.
History of SNMP
After TCP/IP became the standard Internet protocol in 1983, networks became increasingly connected and global. As networking became more important, it was necessary to develop a protocol that met as many of the FCAPS requirements as possible, but could also be easily implemented. A chronology of the important events concerning SNMP's evolution follows. SNMP was first published in 1988 (RFC 1067) and recommended by the IAB in 1989 as the preferred management protocol. It was originally intended to be a management standard for TCP/IP networks running over Ethernet networks. It is based on SGMP and incorporates a limited use of ISO standards, including the use of objects, hierarchical tree structures, and so forth.
Chronology 1987
Development began on SGMP in March. It was accepted as a draft standard RFC in November. For more details on SGMP, examine RFC 1028.
1988
The IAB met to choose between HEMS, CMOT, and SGMP. SGMP was adopted but slated to be replaced by the more complete CMOT. To help administrators move from SGMP to CMOT, several IAB members created a new framework called the Simple Network Management Protocol. They intended to use SNMP as a bridge between SGMP and CMOT. CMOT never displaced it; instead, SNMPv1 became the foundation on which every later version, up to the now complete SNMPv3, is built.
August 1988
The Internet Standard Network Management Framework was created with the release of three RFCs: 1065, 1066, and 1067. These RFCs were replaced by RFCs 1155, 1156, and 1098, respectively.
April 1989
RFC 1098 recommended SNMP as the preferred TCP/IP management protocol.
May 1990
RFC 1157 replaced RFC 1098, and SNMP became a management standard protocol.
March 1991
RFC 1212 (Concise MIB Definitions) and RFC 1213 (MIB-II) were released. MIB-I itself is the earlier RFC 1156, published in May 1990. RFC 1215 defines SNMP traps.
The RFC standardization process uses two different categories to discuss the same protocol. First, an RFC notes the protocol's progress through the actual standardization process. That is, it states whether the protocol is a standard, a draft standard, or merely a proposal. Second, an RFC notes its importance to the actual implementation of a protocol. That is, it notes whether the information in the RFC is required, recommended, elective, or not recommended. Given these two categories, it is possible for a protocol to be a standard but have only elective status. SNMPv1, for example, is defined by four standard RFCs, all of which have recommended status.
SNMPv1
SNMPv1 was intentionally simplified because its creators argued that some network management was better than none at all. Although subsequent versions are more complex, they still build upon SNMPv1. Table 7.2 lists the RFCs that provide the original framework for SNMPv1.
TABLE 7.2 Essential SNMPv1 RFCs
RFC 1155, Structure of Management Information (Standard/Recommended)
    Describes the SNMP MIB (including the OID), the use of the BER, and SNMP's limited use of the ASN.1 language. Also describes the use of the NMS and agents.
RFC 1157, Simple Network Management Protocol (Standard/Recommended)
    Describes the workings of the actual protocol used in SNMP.
RFC 1212, Concise MIB Definitions (Standard/Recommended)
    Defines the concise format in which MIB modules are written. It is sometimes mistaken for MIB-I, which is actually RFC 1156; also do not confuse it with the SMIv2 (RFC 2578) that describes the structure of the SNMPv2 series.
RFC 1213, Management Information Base II (Standard/Recommended)
    Completes the MIB description for SNMPv1. MIB-II is written in the concise format of RFC 1212. Added MIB groups include transmission and SNMP.
Additional SNMPv1 Standards As SNMP became popular, it was ported to other transport protocols, including IPX/SPX (RFC 1420), AppleTalk (RFC 1419), and various OSI protocols (RFC 1418). All these RFCs are standards and hold elective status. RFC 1215 provides information about defining traps.
SNMPv2
SNMPv2 never became a full standard. Several different versions, or flavors, of SNMPv2 are in use. These include SNMPv2c, SNMPv2u, and SNMPv2*. The most commonly implemented version is SNMPv2c.
The main reason that SNMPv2 did not attain standardization is that its developers could not agree on how to incorporate security while retaining SNMP's wide implementation. As the number of RFCs in the following table suggests, the standardization process for SNMPv2 was drawn out. Nevertheless, it is an important part of SNMP because it enabled the SNMP developers to allow NMS-to-NMS communication (the Inform operation), to propose authentication and encryption (in the SNMPv2u and SNMPv2* variants), and to make bulk data transfers easier (the GetBulk operation), yet still retain wide application. Table 7.3 lists the RFCs for SNMPv2.
TABLE 7.3 Essential SNMPv2 RFCs
RFC 2578, SMI for SNMPv2 (Draft Standard/Elective)
    Determines the syntax, encoding, and structure of MIB objects for SNMPv2.
RFC 2579, Textual Conventions for SNMPv2 (Draft Standard/Elective)
    Describes how to create and define objects.
RFC 2580, Conformance Statements for SNMPv2 (Draft Standard/Elective)
    Explains how to map an MIB to what an implementation must support (compliance and capability statements).
RFC 1905, Protocol Operations for SNMPv2 (Draft Standard/Elective)
    Specifically describes how SNMP processes PDUs.
RFC 1906, Transport Mappings for SNMPv2 (Draft Standard/Elective)
    Describes how SNMPv2 messages are carried over UDP and the other supported transports.
RFC 1907, MIB for SNMPv2 (Draft Standard/Elective)
    Defines the objects for the System and SNMP groups. It also shows how SNMPv2 agents and NMS function.
RFC 2576, Coexistence Between SNMPv1 and SNMPv2 (Proposed Standard)
    Explains compatibility and proxy issues.
Note that RFCs 2578, 2579, and 2580 have since been advanced to full Internet Standard as STD 58, and that RFCs 1905, 1906, and 1907 were later replaced by RFCs 3416, 3417, and 3418; check the RFC Editor's status listing for the current state of any document in this table.
Experimental RFCs for SNMPv2 include the following:
Administrative Infrastructure for SNMPv2 (RFC 1909)
Community-based SNMPv2 (RFC 1901)
User-based Security Model for SNMPv2 (RFC 1910)
MIB-II changed significantly from SNMPv1 to SNMPv2. The revised groups are contained in separate documents: the Interfaces Group MIB (RFC 2863), the IP MIB (RFC 2011), the IP Forwarding MIB, the TCP MIB (RFC 2012), and the UDP MIB (RFC 2013).
SNMPv3
Development on SNMPv3 began in late 1997, and the first proposed standards (beginning with RFC 2261) were produced in January 1998. RFC 2571 provides the following goals for this developing protocol:
Use existing materials as much as possible. SNMPv3 is heavily based on previous work, informally known as SNMPv2u and SNMPv2*.
Address the need for security in SNMP, which is considered the most important deficiency in SNMPv1 and SNMPv2c.
Make it possible to move portions of the architecture forward in the standards track, even if consensus has not been reached on all pieces.
Define an architecture that allows for longevity of the SNMP frameworks that have been and will be defined.
Keep SNMP as simple as possible.
Make it relatively inexpensive to deploy a minimal conforming implementation.
Make it possible to upgrade portions of SNMP, as new approaches become available, without disrupting an entire SNMP framework.
Table 7.4 lists the core SNMPv3 RFCs.
TABLE 7.4 SNMPv3 RFCs
RFC 2571, Architecture for Describing SNMP Management Frameworks (Proposed Standard/Elective)
    Provides a management overview for SNMPv3 management, including processes and terminology.
RFC 2572, Message Processing and Dispatching (Proposed Standard/Elective)
    Describes the duties of the dispatcher, as well as the message processing, security, and access control subsystems.
RFC 2573, SNMPv3 Applications (Proposed Standard/Elective)
    Describes the five SNMP applications that employ an SNMP engine as described in RFC 2571.
RFC 2574, User-based Security Model (USM) (Proposed Standard/Elective)
    Specifically addresses the security elements of SNMPv3: authentication and privacy of messages between an NMS and an agent.
RFC 2575, View-based Access Control Model (VACM) (Proposed Standard/Elective)
    Further explains how to securely access management information. Also discusses remote administration of the access control list.
SNMPv3 also allows programmers to extend agents. See RFC 2741, a proposed standard.
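The USM described in RFC 2574 is the piece of SNMPv3 that answers the security deficiency named in the goals above. What follows is an added example, not from this guide and not the code of any SNMP implementation, of one concrete USM mechanism that the table only names: the password-to-key and key localization algorithm from RFC 2574 appendix A.2 (carried unchanged into its successor, RFC 3414). Every SNMPv3 engine has an snmpEngineID, and the user's password is never used directly; it is first stretched into a key Ku and then bound to one engine as Kul. The password and the first engine ID below are the RFC's own test-vector inputs; the second engine ID is a constructed value used only to show that a different engine yields a different key.

```python
"""Added example (not from the CIW guide): the USM password-to-key and key
localization procedure from RFC 2574 appendix A.2."""
import hashlib

ONE_MEGABYTE = 1024 * 1024


def password_to_key(password, algorithm="md5"):
    """Ku: digest of the password cycled to exactly 1,048,576 bytes.
    The megabyte of hashing is the RFC's deliberate work factor against offline guessing."""
    pw = password.encode()
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, algorithm="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): the key actually shared with one particular agent.
    Because each agent's engine ID is mixed in, a key recovered from one compromised
    agent does not work against any other agent and does not reveal Ku or the password."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password, engine_id, algorithm="md5"):
    """Convenience wrapper: password straight to the per-engine key."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


if __name__ == "__main__":
    # Password and engine ID from the RFC's own test vectors (RFC 2574 appendix A.3).
    engine = bytes.fromhex("000000000000000000000002")
    for alg in ("md5", "sha1"):
        print(alg, localized_key("maplesyrup", engine, alg).hex())
```

The practical consequence for an operator is that the same password can be configured on many agents, yet the keys stored on each agent differ, so a dump of one agent's USM table does not let an attacker authenticate to the others. The MD5 and SHA-1 choices are those defined by RFC 2574; later RFCs added stronger hashes, but the localization structure is the same.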
SNMPv3 MIB Modules
RFCs 1213 (MIB-II) and 1643 (Etherlike Interface Type MIB), both introduced under SNMPv1, are full standards and remain in use unchanged under SNMPv3. Draft standards include the following RFCs: 1493 (Bridge MIB), 1660 (Parallel Printer Interface Type MIB), 1724 (RIP version 2 MIB), 1850 (OSPF version 2 MIB), and 2115 (Frame Relay DTE Interface Type MIB).
Many more proposed and experimental standards exist; we will discuss some of them later in the book and in White Paper B.
SNMP Extensions
Most manufacturers have created extensions to SNMP that allow it to work with various physical networks (such as FDDI) and networking protocols (such as X.25 and ATM). It is impossible to list all of these extensions, but you should be aware that vendors constantly introduce enterprise-specific MIBs. Until recently, some vendors have supported only SNMPv1. Many decided to skip SNMPv2 and support SNMPv3 when it is fully implemented by the networking community. SNMPv1 MIBs, therefore, are the most widely supported by SNMP products.
The Structure of Management Information (SMI)
Before you learn about the SNMP process, you must be familiar with the Structure of Management Information (SMI). The SMI is a "master document" in the sense that it explains how to name, structure, and encode SNMP management information. An SNMP SMI document usually stipulates three requirements. First, it states that each object type must have a name, or object identifier, for which it creates an MIB tree. Second, it names a syntax, or grammar, to be used. Third, it stipulates an encoding scheme.
The first SNMP SMI is found in RFC 1155. The second SMI (SMIv2) is found in RFC 2578.
The Object Identifier
The chief practice defined by any SMI document is the creation and use of an object identifier (OID). The OID names an object in an information base. The SMI also specifies the notation that determines the syntax of object definitions (ASN.1) and the encoding rules for messages on the wire (BER). Remember that the SMI provides the set of rules used to name (or identify), create (or construct), and transfer manageable objects (the MIB) on a node. Do not confuse these three procedures. The following are the essential concepts of SMI.
Naming an Object: Object Identifiers and the MIB Tree
You have already learned that SNMP calls its information base a Management Information Base. Any SMI first specifies a hierarchical management tree of managed objects, which collectively form the MIB. A networking protocol SMI does not actually define any objects. It does, however, specify how objects should be defined. SNMP objects are defined by the MIB-I and MIB-II standards, not by the SMI. All protocols define objects; however, SNMP is less rigorous in its object definition scheme, mainly because a complex object scheme tends to limit the support of the protocol. As shown in Figure 7.14, the MIB tree structure is similar to that of a hard disk, with a root, subdirectories, and files within the subdirectories. The subdirectories correspond to the branches under the root, and the managed objects themselves are the leaves at the ends of those branches.
The following figure does not list all the nodes in the MIB tree. For now, you should understand how the SMI structures the MIB hierarchy.
Each piece of information in the tree is called a labeled node, or object. A labeled node is referred to by its OID, which must be unique. It can have subtrees, which may also contain other labeled nodes. If the labeled node does not have subtrees, it contains a value called an object. You can refer to an OID either by number or by name. You will learn more about the specifics of the MIB later in this book.
FIGURE 7.14 MIB tree
Root
  ITU ...
  ISO 1
    Org 3
      DOD 6
        Internet 1
          Directory 1
          Mgmt 2
            MIB 1
              System 1
              Interfaces 2
              Addr-Trans 3
              IP 4
                IP Forwarding 1
                IPDefaultTTL 2
                IPInReceives 3
              ICMP 5
              TCP 6 ...
              UDP 7
                UDPInDatagrams 1 ...
              SNMP 11
          Experimental 3
          Private 4
            Enterprises 1
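The tree in Figure 7.14 can be referred to by name or by number, and the two forms map onto each other arc by arc. The following is an added example, not code from the book: it models only the nodes the figure shows (labels follow the figure, lowercased, with the MIB-II variable names for the leaves) and resolves an OID in either direction. Arcs the table does not know, such as the .0 instance suffix of a scalar, are passed through numerically.

```python
# Added example (not from the book): a small model of the subtree shown in
# Figure 7.14, with the labels from the figure attached to their numeric arcs.
# It resolves OIDs by name and by number, the two forms the text mentions.

# numeric OID -> label of that node (only the nodes the figure shows)
MIB_TREE = {
    "1": "iso",
    "1.3": "org",
    "1.3.6": "dod",
    "1.3.6.1": "internet",
    "1.3.6.1.1": "directory",
    "1.3.6.1.2": "mgmt",
    "1.3.6.1.2.1": "mib",
    "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.3": "addr-trans",
    "1.3.6.1.2.1.4": "ip",
    "1.3.6.1.2.1.4.1": "ipForwarding",
    "1.3.6.1.2.1.4.2": "ipDefaultTTL",
    "1.3.6.1.2.1.4.3": "ipInReceives",
    "1.3.6.1.2.1.5": "icmp",
    "1.3.6.1.2.1.6": "tcp",
    "1.3.6.1.2.1.7": "udp",
    "1.3.6.1.2.1.7.1": "udpInDatagrams",
    "1.3.6.1.2.1.11": "snmp",
    "1.3.6.1.3": "experimental",
    "1.3.6.1.4": "private",
    "1.3.6.1.4.1": "enterprises",
}

# parent OID -> {label: child OID}, derived once from MIB_TREE
CHILDREN = {}
for _oid, _label in MIB_TREE.items():
    _parent = _oid.rsplit(".", 1)[0] if "." in _oid else ""
    CHILDREN.setdefault(_parent, {})[_label] = _oid


def oid_to_name(oid):
    """Numeric OID -> dotted label path.  Arcs below the last known node
    (for example the .0 instance suffix of a scalar) stay numeric."""
    arcs = oid.split(".")
    labels = []
    for i in range(1, len(arcs) + 1):
        prefix = ".".join(arcs[:i])
        labels.append(MIB_TREE.get(prefix, arcs[i - 1]))
    return ".".join(labels)


def name_to_oid(name):
    """Dotted label path -> numeric OID.  Numeric components are accepted
    anywhere in the path; an unknown label raises KeyError."""
    current = ""
    for part in name.split("."):
        if part.isdigit():
            current = f"{current}.{part}" if current else part
        else:
            current = CHILDREN.get(current, {})[part]
    return current


if __name__ == "__main__":
    print(oid_to_name("1.3.6.1.2.1.4.2.0"))
    print(name_to_oid("iso.org.dod.internet.mgmt.mib.udp.udpInDatagrams.0"))
```

The same resolution is what an NMS does when it shows you `sysName.0` for a reply whose variable binding carried only the numeric `1.3.6.1.2.1.1.5.0`; the name path is a convenience for people, the numbers are what travels on the wire.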
Creating an MIB: Syntax and Encoding
When a computer vendor creates a unique MIB object for a product, such as a router, the MIB must be coded according to the SMI standard. To ensure a usable syntax, the writers of the SMI chose to use the already existing ASN.1 (pronounced “ASN dot 1”) language. The SMI uses the BER to explain how to send SNMP information in machine-readable code. Both languages are discussed in the following sections.
ASN.1
Abstract Syntax Notation 1 (ASN.1) is a data representation format developed by the International Organization for Standardization and is used by SNMP to create actual MIB objects. While ASN.1 uses variables and statements as would any programming language (such as C, C++, or even JavaScript), it is not a programming language, but can be characterized as a metalanguage. ASN.1 forms the basis for a human-readable syntax of the MIB tree. This syntax is used within an MIB to provide its structure. Because this language existed long before SNMP, SNMP developers were able to use only certain aspects of it, thereby making MIB development as simple as possible. The major contribution of ASN.1 is that it provides a vendor-neutral, cross-platform, standards-based language that allows developers to describe the workings of protocols, systems, and machines. Without ASN.1, network managers would not have sufficient grammar to create an MIB.
Basic Encoding Rules (BER)
Whereas ASN.1 provides human-readable code, the Basic Encoding Rules (BER) is a standard that provides a way for information to be transferred across a network. Specifically, it breaks up the ASN.1 values into octets, which the network can then process and transmit. BER encodes SNMP messages by using the basic encoding translation syntax language.
The SNMP Process
You are already familiar with the NMS-to-agent process, as well as how the agent can send traps. Except for NMS-to-NMS communication, all SNMP tasks can be accomplished with five types of commands. Each command is contained within a Protocol Data Unit (PDU), which is simply an SNMP message encapsulated in an IP packet. The commands are:
GetRequest (sent by NMS)
GetNextRequest (sent by NMS)
GetResponse (sent by agent)
SetRequest (sent by NMS)
Trap (sent by agent)
You will learn more about PDU formats in this book.
Querying MIB Variables
Whenever an NMS sends out a GetRequest or GetNextRequest, it is querying, or traversing, an MIB variable, which is in one of two formats. It can be scalar, which is a simple list, or it can be tabular, which is a more complex representation of the agent’s information. Another common name for querying an entire MIB is “walking.” You will issue walk commands in this chapter.
NMS-to-Agent PDUs
Whenever an NMS wants to query an agent, it sends out the GetRequest PDU. To obtain the next value on the MIB tree, it will transmit a GetNextRequest PDU. If an NMS needs to alter a certain MIB variable, it will send a SetRequest PDU. Figure 7.15 illustrates this process and summarizes the interaction of these requests.
FIGURE 7.15 SNMP management process
NMS (SNMP Manager) -> Managed Node (SNMP Agent): GetRequest, GetNextRequest, SetRequest
Managed Node (SNMP Agent) -> NMS (SNMP Manager): GetResponse, Traps
Agent-to-NMS PDUs
Upon receiving a GetRequest or GetNextRequest PDU, an agent inspects the value of its MIB variables. When it obtains the information from its MIB, the agent then responds to the request by sending a GetResponse PDU, which includes the original request followed by the requested information. The GetResponse message traversal is also illustrated in the previous figure. Whenever an NMS sends a successful GetRequest or GetNextRequest PDU, an agent will respond with a GetResponse PDU. This latter message will have an identification number that pairs it to the original NMS request. This number is important because the NMS can then make sense out of the transaction.
Trap PDU
The SNMP trap PDU is an unsolicited command type that agents send to a manager after sensing a prespecified condition. This process is also demonstrated in the previous figure. A PDU that contains a GetRequest or GetNextRequest command allows an NMS to identify SNMP variables.
Network Discovery
Before you can use an NMS, you must learn about the managed devices on the network. To do this, an NMS will perform the network discovery process. An NMS has many resources available to enact discovery, ranging from the obvious to the sophisticated. It is important to remember to combine various strategies so that discovery is as efficient as possible. Efficiency in this case is determined by methods that are as accurate as possible, and that do not degrade network performance.
The crudest discovery method includes sending an Internet Control Message Protocol (ICMP) packet to each network device. The NMS then waits for return packets to determine which devices exist on the network. However, such messages are not as accurate as others. It is possible, and even likely, that such a method will not find all the relevant nodes. Also, if a network is subnetting, running a firewall, or using a VPN, it is possible that less sophisticated methods will not find all the necessary network nodes. Crude discovery methods also carry the risk of flooding the network with discovery and response messages, thus violating the SNMP cardinal rule that a management protocol should not significantly degrade network performance.
Other discovery strategies take more sophisticated approaches. For example, an NMS can query the ARP cache on a system. It can also attempt to read the routing tables. Others listen to Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) broadcasts. However, even more advanced discovery methods have limited effectiveness. You will likely have to manually configure your NMS application so it will recognize and monitor all the hosts you want to include.
Network Discovery and the PDU
When an NMS finishes discovering a network, it sends out a sacrificial GetRequest message to each host on the network. If the NMS receives a GetResponse packet, it will then recognize that this node supports SNMP.
Often an NMS will not support certain protocol versions. Therefore, the discovery process might misdiagnose a managed node. In this case, you will have to either install a proxy or otherwise standardize your management system.
The Network Map
Many Network Management Systems, such as HP OpenView, create a graphical display of your network’s physical structure. This display is called a network map. It is relatively simple to implement, and it is scalable: You can add or delete node icons as the actual systems pass into and out of your SNMP management architecture. However, establishing a properly managed network is an arduous process. It takes a great deal of time to perform correctly, even if it seems rather simple. One of the reasons configuration takes so much time is because you must apply network management principles, such as the FCAPS model, properly. However, once the process of configuring an NMS application is completed, you will be able to manage your network efficiently, so it is more than worth the time you will spend.
The NMS Management Database
After the NMS retrieves information from an agent on a node, you can store information about managed nodes for later retrieval. To do this, an effective NMS program provides a database, or log, which you can use to save queries that allow you to analyze the network over a period of time. This database allows you to manage performance as well as configuration.
Security and the NMS Application
Any NMS application must be able to secure the information contained in it. Although little can be done about security at the protocol level if you are running SNMPv1 or SNMPv2c, your NMS should allow you to create passwords that keep unauthorized individuals from accessing and manipulating the network map.
SNMP Architecture
SNMP architecture includes an NMS, an agent, and the message format. SNMP versions 2 and 3 significantly change the terminology and augment SNMP’s capabilities. The fundamental structure of an SNMP message, however, remains essentially the same between versions.
The SNMP Message
As shown in Figure 7.16, the SNMP message includes a version number, a community name, and a field for the PDU type. These fields comprise the SNMP header. The rest of the message contains a request ID, error index, and any number of name/value pairs.
FIGURE 7.16 SNMP message format
SNMP Header: Version (0) | Community | PDU Type (0-3)
SNMP Message (remainder): Request ID | Error Status (0-5) | Error Index | Name | Value
Figure 7.17 illustrates the SNMP header. The header is of particular importance because it determines how the entire message will be handled by the manager and agent. It also contains the community name, which is central to authentication.
FIGURE 7.17 SNMP header
SNMP Header: Version | Community | PDU Type
Because the header enables an SNMP packet to function, it is important for you to study its elements.
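The header fields of Figure 7.17 and the rest of the message in Figure 7.16 are exactly what the BER of the preceding section turns into octets. The following is an added example, not code from the book or from any SNMP implementation: it BER-encodes an SNMPv1 GetRequest (version 0, community name, PDU tag, request ID, error status, error index, variable bindings) and decodes the header back out. The tag values are the standard ASN.1/BER ones; the community name, request ID and OID in the demo are constructed. Look at the hex it prints: the community name sits in the clear as an OCTET STRING, which is why the book says this authentication is easily compromised.

```python
# Added example (not from the book): BER-encoding the SNMPv1 message of
# Figure 7.16 and decoding its header again.  Tag values are the standard
# ASN.1/BER ones; the community name and OID used in the demo are constructed.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TAGS = {0: 0xA0, 1: 0xA1, 2: 0xA2, 3: 0xA3, 4: 0xA4}  # PDU numbers of Table 7.5


def ber_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER element: Tag, Length, Value."""
    return bytes([tag]) + ber_length(len(value)) + value


def enc_int(v):
    """INTEGER: two's complement in the minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with a continuation bit on every octet but the last."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_request(community, request_id, oids, pdu_type=0, version=0):
    """SNMP message = SEQUENCE { version, community, PDU }, where the PDU carries
    request-id, error-status, error-index and the variable-binding list."""
    varbinds = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbinds)
    header = enc_int(version) + tlv(OCTET_STRING, community)
    return tlv(SEQUENCE, header + tlv(PDU_TAGS[pdu_type], pdu))


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(msg):
    """Decode the header (Figure 7.17) plus request-id, error fields and the
    requested OIDs: everything an agent looks at before deciding on a reply."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    _, comm, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, status, pos = read_tlv(pdu, pos)
    _, index, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        oids.append(dec_oid(read_tlv(vb, 0)[1]))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": comm.decode(),
            "pdu_type": pdu_tag - 0xA0, "request_id": as_int(rid),
            "error_status": as_int(status), "error_index": as_int(index),
            "oids": oids}


if __name__ == "__main__":
    msg = encode_request(b"public", 1234, ["1.3.6.1.2.1.1.5.0"])
    print(msg.hex())
    print(parse_message(msg))
```

The 41-byte message that results is the whole SNMP part of the datagram in Figure 7.18: the IP and UDP headers are the only fixed-size parts, and everything after them is sized by these BER length octets.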
The Version Identifier
The version identifier specifies the SNMP version, which is set at 0 for SNMPv1, 1 for SNMPv2, and 2 for SNMPv3.
Community Name
A community name specifies which NMS can query and configure an agent. Both the NMS and the agent should be configured with the same community name. When an NMS sends an SNMP command to an agent, the community name is included in the message that identifies the sender and receiver of the information. The agent determines whether that community name is on its list of accepted community names. If the community name in the message does not match the list, the agent discards the packet. This process enables a basic level of authentication, which can be easily compromised. You will learn more about community names later in this chapter.
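What the agent does with the community name can be written down as a small decision procedure. The following is an added example, not code from the book or from any agent: a toy agent that keeps a case-sensitive table of accepted community names with read-only or read-write rights (modelled on the Security tab of the Windows 2000 agent described later in this chapter), discards anything that does not match, optionally raises an authenticationFailure trap, and counts the failures per source so an administrator can spot a host that keeps polling with wrong names. The community names, addresses and threshold are constructed; the generic-trap number 4 for authenticationFailure is the SNMPv1 value.

```python
# Added example (not from the book): the agent-side use of the community
# name, with read-only / read-write rights and the authentication trap
# modelled after the Windows 2000 Security tab described later in the chapter.
# Community names, addresses and the alert threshold are constructed.
from collections import Counter

GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST, TRAP = range(5)  # Table 7.5
AUTHENTICATION_FAILURE = 4  # SNMPv1 generic-trap number of authenticationFailure


class Agent:
    def __init__(self, communities, send_auth_trap=True, allowed_hosts=None):
        # community name -> "READ ONLY" or "READ WRITE"; names are case-sensitive
        self.communities = communities
        self.send_auth_trap = send_auth_trap
        self.allowed_hosts = allowed_hosts   # None = accept packets from any host
        self.traps_sent = []                 # (generic_trap, offending_source)
        self.failures = Counter()            # source address -> wrong-community count

    def handle(self, source, community, pdu_type):
        """Return 'accept' or 'discard'.  A discarded message gets no reply;
        a wrong community name may additionally raise an authenticationFailure
        trap, which is how the NMS learns that someone is polling this agent
        with bad credentials."""
        if self.allowed_hosts is not None and source not in self.allowed_hosts:
            return "discard"                 # host filter: not even counted
        rights = self.communities.get(community)     # exact, case-sensitive match
        if rights is None:
            self.failures[source] += 1
            if self.send_auth_trap:
                self.traps_sent.append((AUTHENTICATION_FAILURE, source))
            return "discard"
        if pdu_type == SET_REQUEST and rights != "READ WRITE":
            return "discard"                 # read-only community: no MIB writes
        if pdu_type not in (GET_REQUEST, GET_NEXT_REQUEST, SET_REQUEST):
            return "discard"                 # an agent only consumes requests
        return "accept"

    def noisy_sources(self, threshold=3):
        """Sources that tripped the community check at least `threshold` times."""
        return sorted(s for s, n in self.failures.items() if n >= threshold)


def demo():
    """Constructed traffic against an agent with one read-only and one read-write name."""
    agent = Agent({"public": "READ ONLY", "ops-rw-7f3a": "READ WRITE"})
    results = [
        agent.handle("10.0.0.5", "public", GET_REQUEST),        # accept
        agent.handle("10.0.0.5", "public", SET_REQUEST),        # discard: read-only
        agent.handle("10.0.0.5", "ops-rw-7f3a", SET_REQUEST),   # accept
        agent.handle("10.0.0.9", "Public", GET_REQUEST),        # discard: case differs
        agent.handle("10.0.0.9", "wrongname", GET_NEXT_REQUEST),# discard
        agent.handle("10.0.0.9", "wrongname2", GET_REQUEST),    # discard
    ]
    return results, agent


if __name__ == "__main__":
    results, agent = demo()
    print(results)
    print("authentication traps:", agent.traps_sent)
    print("sources to look at:", agent.noisy_sources())
```

Two points the code makes concrete: the discard is silent on the wire (the NMS sees a timeout, not an error), so the authentication trap is the only signal the manager gets; and limiting accepted hosts, as the Windows Security tab allows, stops the check before a community name is even examined.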
PDU Type
This field contains the request, response, and trap messages discussed previously. Table 7.5 shows the different values of PDU type, with an indication of the packet format required for each type of request.
TABLE 7.5 PDU Information
PDU Type | Description | PDU Number | Packet Format
GetRequest | Used by managers to gather information from agents. A reply will be sent from the agent in the form of a GetResponse PDU type. | 0 | Get / Request
GetNextRequest | Used by managers to traverse arrays and MIB trees. Agents reply with a GetResponse. | 1 | Get / Request
GetResponse | Sent by agents in reply to GetRequest or GetNextRequest messages. | 2 | Get / Request
SetRequest | Sent by managers to agents that set variable values. | 3 | Get / Request
Trap | Sent by agents to managers when an event occurs that requires the manager’s attention. | 4 | Trap
SNMP and TCP/IP
Because SNMP requires a connectionless protocol, it uses UDP for transport. UDP is part of the IP suite. A connectionless service is one that does not establish a session prior to sending the information. Instead, it sends information in datagrams and relies on a “best effort” delivery scheme, much the same way a person relies on a postal service when sending mail. IP provides the addressing information for the NMS or agent. Figure 7.18 illustrates SNMP encapsulation.
FIGURE 7.18 SNMP message encapsulation
IP Datagram: IP Header (20 bytes) | UDP Datagram: UDP Header (8 bytes) | SNMP Message: SNMP Header | SNMP Packet
Notice that the IP and UDP headers are the only known values. The size of the remainder of the IP datagram—the SNMP message—is determined by ASN.1 and the BER.
UDP Ports and Communication
Generally, the NMS listens for trap messages on UDP port 162, which means that agents will direct messages to port 162 on the NMS. Agents listen for NMS messages on UDP port 161; therefore, an NMS will generally send messages to port 161. Because SNMP uses two different port numbers, both agents and managers can execute on the same system as two independent processes. RFC 1157 stipulates the use of ports in regards to SNMP.
Sending Information: Sockets
Just because an agent listens on port 161 does not mean that an NMS must use port 161 to send. Likewise, just because an NMS listens for agent responses on 162 does not mean that an agent must use port 162 to send a message. Whenever an agent or NMS wants to send a message, it will dynamically form a socket, which is, in effect, the linkage of a UDP port number with an IP address. In the socket creation process, UDP will allocate any UDP port as long as it is above the well-known port numbers, which include 1 through 1023. Some NMS and agent vendors, however, do not dynamically generate sockets and instead stipulate that the NMS and agents should transmit messages using ports 161 or 162.
Some manufacturers create agents that do not use ports 161 and 162 as specified in RFC 1157. For example, the agent that comes with Microsoft Windows uses port 161 both to send and receive non-trap messages.
UDP and Reliability
It is tempting to regard SNMP as less reliable because it uses a UDP datagram rather than a TCP connection. From a management point of view, however, UDP is in fact no less reliable than TCP. If a network connection is severed, not even a connection-oriented protocol can ensure communication. Even if UDP were less reliable in the sense that it does not guarantee delivery, the creators of SNMP chose UDP to minimize the effect (number and size of packets) that SNMP messages would have on the network.
Common NMS Applications
Because SNMP is an open standard, many NMS programs are available. These programs support a large number of systems, including all varieties of Unix and Windows. Do not judge an NMS application solely by its interface. While each NMS may provide a command-line or a graphical interface, either interface may provide a detailed, configurable implementation of management protocol. A command-line NMS application can be rather simple, such as the Microsoft SNMPUTIL program, or it can be quite complex and thorough, such as the many Unix-based applications. Enterprise-grade NMS applications such as SunNet Manager, Scotty, and HP OpenView offer many options for configuring your SNMP management system. Any NMS application should allow you to implement the FCAPS model as easily as possible, which is why many administrators prefer programs such as HP OpenView. Some of the more popular NMS applications are discussed below.
Ipswitch WhatsUp Gold
Ipswitch WhatsUp Gold is a simple NMS with a graphical interface. While it enables you to conduct simple queries of SNMP agents, it does not provide all of the functionality of an enterprise-grade NMS, and uses Ipswitch’s proprietary management scheme.
Scotty
The Scotty NMS is written in an interpreted language called TCL/TK and will run on many Unix platforms, including Linux. It supports agents written in SNMPv1, SNMPv2, or SNMPv3.
HP OpenView
Hewlett-Packard OpenView was originally based on the OSI network management model. It has become the industry-standard NMS program, and supports both Unix and Windows systems. HP also provides a suite of related applications; third-party vendors such as Synoptics Optivity Tools provide additional capabilities as well. The OpenView Distributed Management Architecture is based on the HP OpenView Windows (OVw) graphical user interface. SNMP Platform Services support the following SNMP elements:
MIBs
Event monitoring
Information retrieval functions
Enterprise-specific MIBs
The SNMP browser enables administrators to query, display, and graph MIB values. The IP discovery and mapping function monitors the network for any changes in topology, configuration, or status. These changes are recorded in its database. The database also records SNMP events and traps for later display. Another benefit of OpenView is that Hewlett-Packard has created the OpenView Solution Partners program, which tests and certifies third-party applications to operate in an OpenView environment. The HP OpenView Suite contains additional programs that extend the OpenView abilities. For example, the NetMetrix add-on allows you to use RMON MIBs. HP AdvanceStack Assistant allows you to manage repeaters and switches created by Hewlett-Packard. The main function of HP OpenView is to automate SNMP discovery and monitoring. It also allows you to set up your entire network and wait for information from the agents. The information can come through polling or agent traps. In OpenView, polling occurs when you establish a series of timed queries that provide information about a particular agent installed on a device.
NetScout
The NetScout NMS application allows you to use SNMP in many flavors of Unix, as well as Windows. In many ways, it is similar to HP OpenView or SunNet Manager: It allows you to issue queries and SetRequest commands, and conduct polling. NetScout also has extensive RMON support, allowing you to retrieve information from RMON probes you have placed on your network.
IBM AIX NetView/6000
The IBM centralized network management system, NetView, was introduced in 1986. NetView was written to work with mainframes. The protocol used with NetView network management applications is called the Network Management Vector Transport (NMVT). The NetView/6000 enables IBM NetView to manage heterogeneous networks. You can use it as a stand-alone product or with the centralized NetView system.
SunNet Manager Product Architecture
The SunNet Manager GUI displays a representation of the network you want to manage. The services SunNet Manager provides are called management applications. These applications initiate management tasks and collect information. SunNet Manager also has agents that access the devices or elements being managed. SunNet Manager uses proxy agents to gather information about non-Sun machines. All agents return information, called attributes, to the management station. The attributes of a managed object are described in a portion of the management database (MDB) called the agent schema. The information an agent collects is specific. For example, the hostmem agent will return memory information about a machine, while the SNMP agent returns information about SNMP objects.
EXERCISE 7.1
Installing an SNMP NMS and Agent on Linux
In this exercise, you will install the Linux UCD SNMP RPMs. The process installs the SNMP daemon and provides many useful SNMP utilities that you will use throughout the book. These utilities provide the functionality of an NMS, although they are not as powerful as an NMS application such as Scotty. The installation also provides a Linux agent.
1. Log on as root.
2. Ensure that the SNMP RPMs are installed on your system. To determine whether they are installed, enter:
Host#: rpm -qa | grep snmp
3. The following RPMs should appear (your version may differ):
ucd-snmp-4.1.2-8
ucd-snmp-devel-4.1.2-8
ucd-snmp-utils-4.1.2-8
Note: The ucd-snmp-devel RPM is not required for the Linux SNMP exercises.
4. If not installed, locate the RPMs on the Red Hat Linux CD or from the supplemental files on the CD, and enter the following all on one line (RPM versions will vary depending on the version of Red Hat Linux installed):
Host#: rpm -i ucd-snmp-4.1.2-8.i386.rpm ucd-snmp-utils-4.1.2-8.i386.rpm
5. You will use SNMP later in this chapter to test your agent installation and learn more about the MIB tree structure. The SNMP utilities you just installed are command based, but have all the functionality required for using SNMP.
Agents
As you have already learned, agents reside on managed nodes. They usually await a query or poll from an NMS. However, a network administrator can configure agents to provide notification when an unusual event occurs. The agent then generates a trap message and sends it to an NMS. Such a message is said to be asynchronous, mainly because it is not instigated by the NMS. When an agent sends a trap message, the NMS can respond accordingly by notifying the network administrator or correcting the problem. An agent can send only a limited amount of information in a trap message because SNMP agents are designed to impact the network as little as possible. Table 7.6 describes the seven defined trap messages for an SNMP agent.
TABLE 7.6 Defined Trap Messages
Trap | Description
ColdStart | The sending protocol entity reinitialized.
WarmStart | The sending agent reinitialized, but neither the agent’s configuration nor the protocol entity implementation was altered.
LinkDown | A communication link failed.
LinkUp | A communication link opened.
EgpNeighborLoss | An EGP peer neighbor failed.
AuthenticationFailure | The agent received an incorrect community name from the NMS.
EnterpriseSpecific | A nongeneric trap occurred, identified with information in the Specific Trap Type field and the Enterprise field.
Agents augment the query-response model, and are not meant to replace NMS-generated queries. Many networking administrators limit the use of traps because they can overburden a network. Consider the consequences of a power outage, for example, in which all the systems in a network must be restarted. In addition to possible Dynamic Host Configuration Protocol (DHCP) traffic and network-related broadcasts, the SNMP agents would all transmit ColdStart messages, which could cause a problem. Therefore, it is important to deploy traps wisely.
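The power-outage scenario above is the classic trap storm, and the NMS side can both measure it and soften it. The following is an added example, not code from the book or from any NMS: it names the seven generic traps of Table 7.6 (using the SNMPv1 generic-trap numbers, which order egpNeighborLoss after authenticationFailure), summarizes a constructed batch of received traps, finds the busiest window for a given trap type to flag a storm, and collapses repeats of the same trap from the same agent inside a hold-down interval. The timestamps, agent addresses and thresholds are all constructed.

```python
# Added example (not from the book): NMS-side handling of the traps in
# Table 7.6.  The event list is constructed; the generic-trap numbers are the
# SNMPv1 ones.  Each event is (timestamp_seconds, agent_address, generic, specific).
from collections import Counter

GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss",
                 6: "enterpriseSpecific"}

# constructed: 25 agents cold-start within ten seconds after a site power cut,
# then one host flaps a link, and one vendor-specific trap (specific-trap 17)
SAMPLE_TRAPS = [(100 + i * 0.4, f"10.0.0.{i + 1}", 0, 0) for i in range(25)]
SAMPLE_TRAPS += [(500.0, "10.0.0.7", 2, 0), (500.5, "10.0.0.7", 2, 0),
                 (900.0, "10.0.0.7", 3, 0), (1200.0, "10.0.0.3", 6, 17)]


def trap_name(generic, specific):
    """Human-readable name; enterpriseSpecific is qualified by its specific-trap number."""
    name = GENERIC_TRAPS.get(generic, f"unknown({generic})")
    return f"{name}({specific})" if generic == 6 else name


def summarize_traps(events):
    """Counter of trap names over the whole batch."""
    return Counter(trap_name(g, s) for _, _, g, s in events)


def peak_rate(events, trap, window_seconds):
    """Largest number of `trap` events inside any window_seconds span, and the
    timestamp at which that span starts (sliding window over sorted times)."""
    ts = sorted(t for t, _, g, _ in events if g == trap)
    best, best_start, start = 0, None, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window_seconds:
            start += 1
        if end - start + 1 > best:
            best, best_start = end - start + 1, ts[start]
    return best, best_start


def is_storm(events, trap=0, window_seconds=60, threshold=20):
    """True when `threshold` or more traps of one type land inside one window."""
    count, _ = peak_rate(events, trap, window_seconds)
    return count >= threshold


def collapse_repeats(events, holddown_seconds=5):
    """Drop a trap that repeats the same (agent, generic, specific) within
    holddown_seconds of the last one kept: a simple damper for flapping links."""
    last, kept = {}, []
    for ev in sorted(events):
        t, agent, g, s = ev
        key = (agent, g, s)
        if key in last and t - last[key] <= holddown_seconds:
            continue
        last[key] = t
        kept.append(ev)
    return kept


if __name__ == "__main__":
    print(summarize_traps(SAMPLE_TRAPS))
    print("coldStart storm:", is_storm(SAMPLE_TRAPS), peak_rate(SAMPLE_TRAPS, 0, 60))
    print("events after damping:", len(collapse_repeats(SAMPLE_TRAPS)))
```

A storm of ColdStart traps is itself useful information (it tells you when the power came back and which agents are alive again), so the damper above suppresses only exact repeats from one agent rather than dropping the burst wholesale.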
Third-Party Agents
You can obtain agents with varied capabilities from a third party. Some provide more security options; others allow you to configure more detailed threshold settings. You can also obtain agents that use different versions of SNMP. If you want to read more about traps, consult RFC 1215, A Convention for Defining Traps for Use with the SNMP.
Agents and Windows 2000 Server
Windows 2000 supports agents as an SNMP service. If you want to install the agent, you must first install the SNMP service by selecting Start > Settings > Control Panel > Add/Remove Programs, and clicking the Add/Remove Windows Components button. Choose the Management and Monitoring Tools check box and click the Details button to select the Simple Network Management Protocol service. Click OK, click Next, and then click Finish to install the service. As with other services, if you reconfigure the SNMP configurations, you must restart for the changes to take effect. To see a listing of all SNMP services running under Windows 2000 Server, select Start > Programs > Administrative Tools > Services. Scroll down and identify the Windows SNMP services.
Although you install only one service for SNMP, it actually uses two subprocesses, or services. The first is called snmp.exe, which processes and sends GetRequest messages, and sends GetResponse messages in reply. The second service, called snmptrap.exe, listens for traps sent from an NMS.
For a more detailed view of SNMP’s interaction with Windows 2000 Server, you can consult the Windows Registry to see exactly how it works. Select Start, Run, and enter regedt32. You should see REGEDT32, a program that views and configures the Registry. You can use this program as an alternative to the easier-to-use GUI to configure Windows. The Registry is organized similarly to a hard drive. Different areas of the Registry, called keys, help configure the computer. To view all SNMP-related values known by Windows, consult the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP. The Registry entries for the SNMP service are listed beneath the SNMP key. Trap entries are listed beneath the SNMPTRAP key, as shown in Figure 7.19.
FIGURE 7.19 Windows Registry, showing SNMP Registry keys
The SNMP keys will be present only if you have installed the Windows SNMP service.
Configuring an SNMP Agent in Windows 2000 Server
After you install the SNMP agent, you must configure it. As part of this process, you must work with three different tabs presented to you by the SNMP Service Properties window. Access the SNMP Service Properties window by selecting Start > Programs > Administrative Tools > Services. Right-click the SNMP Service and select Properties. The SNMP configuration tabs for Agent, Traps, and Security are located in this window.
The Agent Tab
This tab, shown in Figure 7.20, allows you to customize messages that come from the agent. This service provides the location of the server, as well as the proper person to call if a problem occurs. This tab also allows you to configure the SNMP agent to work with different device types, such as routers, bridges, or workstations.
FIGURE 7.20 SNMP Agent tab in Windows 2000
The Contact field allows you to enter the appropriate person’s e-mail address or pager number in case of a report. The Location field allows you to provide the physical location of the system on which the agent is installed. The Service section identifies the TCP/IP services provided by Windows. The options refer to devices and values that SNMP can monitor at each layer of the OSI/RM. Each of the values specified in these tabs corresponds to MIB-I and MIB-II SNMP variables, such as sysContact, sysLocation, and sysServices. You will learn more about the names of relevant SNMP variables and groups in a later chapter. Table 7.7 provides a detailed explanation of each check box found in the Service section of the Agent tab, shown in the preceding figure. As you read through this table, note that the most relevant check boxes are Applications, Internet, and End-to-End.
TABLE 7.7 Services Group Field Descriptions
Service | Description
Physical | Check this box if your server manages a device that resides at Layer 1 of the OSI/RM (for example, a repeater if managed through a port on a Windows 2000 machine).
Applications | Check this box if your server supports applications that use TCP/IP. For example, you could use SNMP to monitor the use of FTP and Telnet programs. This setting monitors Layer 7 of the OSI/RM. You should always leave this box checked.
Datalink and subnetwork | Check this box if your server manages devices that operate at Layer 2 of the OSI/RM (the Data-Link layer). You would select this setting if you wanted to use Windows 2000 as a proxy to manage a bridge.
Internet | Check this box only if your server functions as an IP gateway (in other words, a router).
End-to-end | Check this box if your server is an IP host (in other words, any system such as a workstation). You should always leave this box checked.
The Traps Tab
Figure 7.21 shows the SNMP Service Properties Traps tab, which allows you to provide the community name for all traps that will be sent. If you enter “public” in this field, any trap this agent sends will contain this name. Remember that community names are case-sensitive and are included in the SNMP trap message.
FIGURE 7.21 SNMP Traps tab in Windows
The Trap Destinations section identifies the NMS that will receive the trap event. If it is left blank, the trap will be sent to every host on the subnet. If you populate the window with network addresses, then the trap messages will go to only those destinations. You can enter either a Fully Qualified Domain Name or an IP address for the NMS.
The Security Tab
The SNMP Service Properties Security tab, shown in Figure 7.22, is used to configure the systems from which the agent will accept queries. The Send Authentication Trap check box will configure the agent to send a trap message when the agent is queried with the wrong community name. The trap message will help indicate whether unauthorized polls of your Windows 2000 Server are taking place. This option is selected by default.
FIGURE 7.22 SNMP Security tab in Windows
The Accepted Community Names section allows you to configure the community names that an NMS can use to query the agent. If an SNMP message without the proper community name is received, the message will be discarded and no reply sent. The default community name is “public.” By default, the Security tab restricts the NMS from writing to and creating MIB entries using SNMP set requests. It denies set requests by permitting read-only rights. You can change these rights by selecting the community name and clicking the Edit button. Allow the host to process SNMP set requests by selecting Read Write. Allow the host to create new entries in the SNMP tables by selecting Read Create. The host will not process any SNMP requests if you select None. The default setting allows any host to query the agent, but you can configure it to allow only certain hosts. You can even limit your agent so that it will accept queries from only one IP address or host name.
If you have no name in the Accepted Community Names field, the agent will accept messages from any NMS, regardless of the community name the NMS uses.
SNMP Agents and Windows 95/98/Me
To obtain SNMP agents for Windows 95/98/Me, you must install them as a network management service. The 95/98/Me files are found in the \ADMIN\NETTOOLS\SNMP directory of the installation CD. You can then configure your service from the Network Configuration window. When prompted for the source files, select the Have Disk option, search for the SNMP.inf file, then continue installation.
You can obtain the Windows 95/98/Me SNMP agent from various websites, including www.microsoft.com . Once you have found the SNMP executable file, you must extract it. The file will expand into several files, which you can then access as you configure Windows 95/98/Me TCP/IP to use the SNMP service.
SNMP Agents and Unix
SNMP agents are installed on Unix machines as daemons. The most common SNMP daemon is snmpd. The SNMP distribution shipped with Red Hat Linux is UCD SNMP. Named for the University of California Davis, which initiated it, the UCD SNMP home page is located at http://net-snmp.sourceforge.net/. The UCD SNMP RPMs are included on the Red Hat Linux installation CD.
Unix SNMP daemons have been quick to support all three versions of SNMP. The Linux versions of UCD support SNMPv1, SNMPv2 and SNMPv3. By default, SNMPv1 is used.
Configuring a UCD SNMP Agent Once UCD SNMP is installed, the agent is ready to function. UCD SNMP agents are configured using the /etc/snmp/snmpd.conf file. By default, it is configured to use SNMPv1 and the following. Default community name:
Public.
Access:Read only. Queries: The agent will only respond to queries to the system MIB group.
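The default described above (community public, read-only access, system group only) can be expressed in snmpd.conf and then tightened in the same file. The fragment below is an added example, not the book's file and not the file the UCD distribution ships; it uses the rocommunity directive, the community string and NMS address are placeholders, and you would keep only one of the two rocommunity lines.

```conf
# Equivalent of the default the text describes: community "public",
# read-only, restricted to the system group, accepted from any source
rocommunity public default .1.3.6.1.2.1.1

# Tightened form: a non-default community string (placeholder), accepted
# from a single NMS address (placeholder), same read-only view of the
# system group. Queries that carry another community or arrive from
# another host are dropped without a reply.
rocommunity CHANGE-ME-community 192.0.2.10 .1.3.6.1.2.1.1

# Values returned for sysContact and sysLocation (placeholders)
syscontact  "Network admin (placeholder)"
syslocation "Server room (placeholder)"
```

The third argument to rocommunity limits the view to one subtree, which is what keeps an NMS from walking the interface and IP tables through the same community; restart snmpd after editing the file so the change takes effect.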
You will configure the UCD SNMP agent throughout the book. In the next exercise, you will query your system's SNMP agent using the default agent configuration.
Agents and Internetworking
Because SNMP was originally designed to test routing equipment, most routers are designed to support some version of SNMP. Because routers work at Level 3 of the OSI/RM, they also tend to be the most sophisticated elements. Many routers, such as those made by Cisco, contain interfaces that allow you to configure them remotely or locally. The SNMP agents are already included; you simply activate them, then configure the SNMP community name and other relevant information. Other routers, such as those made by 3COM, require SNMP to manage all elements of the router. You can manage other network equipment, such as switches, bridges, and hubs, using SNMP. Whereas almost any switch or bridge will natively support SNMP, only a “smart” hub can be managed. Also called “managed hubs,” these pieces of equipment often contain their own management software that allows you to configure the hub’s SNMP agent. If the hub does not allow direct SNMP management, it is possible to use a proxy to monitor some of its more basic attributes, such as the amount of network traffic, its temperature, and so forth. The first RMON specification was designed exactly for this purpose. The RMON2 specification allows you to monitor information at all levels of the OSI/RM.
EXERCISE 7.2
Requesting system information from an SNMP agent in Linux
In this exercise, you will confirm that the SNMP daemon is running on your system. Then you will issue the snmpwalk command to request system information about your computer. The snmpwalk command uses GetNext requests to query an SNMP agent's MIB tree for information. In this case, the SNMP agent is your computer, and the MIB group you will query is called the system group. You will learn more about SNMP requests and MIBs in the next chapter.
1. Confirm that the SNMP daemon is running by entering the following:
Host#: /etc/rc.d/init.d/snmpd status
2. If it is not running, enter the following:
Host#: /etc/rc.d/init.d/snmpd start
3. To query your SNMP agent and request system information, enter:
Host#: snmpwalk -Of localhost public system | more
4. In this command, the -Of option (capital letter O) requests full OID names on output. public specifies the default community name. system is the OID name in the MIB tree (also accessed by entering .1.3.6.1.2.1.1).
Note: By default, UCD SNMP commands search MIB-II when a full OID is not given. Therefore, if you are querying MIB-II, you need not specify the entire OID.
5. The first reply from the agent is a system description. From the output, note the MIB version, host name, kernel version, and installation date.
6. What other information could be useful from the output?
To gain additional access to the MIB tree, you will need to configure your SNMP agent using the /etc/snmp/snmpd.conf file. You will configure the agent later in this book.
EXERCISE 7.3
Installing an SNMP agent on Windows 2000
In this exercise, you will configure your Windows 2000 Server to become an agent using the SNMP service.
1. Desktop: To add the SNMP service, select Start > Control Panel > Add/Remove Programs. Click Add/Remove Windows Components from the left-hand menu. The Windows Components Wizard opens.
2. Components Wizard: Scroll down and highlight Management And Monitoring Tools and click the Details button. Select Simple Network Management Protocol and select OK.
3. Components Wizard: Click the Next button. The SNMP service installs. When the Wizard is complete, click Finish. Select the Close button to exit the Add/Remove Programs window. No restart is required. Your computer is an SNMP agent.
4. Desktop: To configure the SNMP agent, you must access the SNMP Service Properties window. Select Start > Programs > Administrative Tools > Services. Right-click the SNMP Service and select Properties. The SNMP configuration tabs for Agent, Traps, and Security are located in this window. The three tabs enable you to determine exactly how you want your agent to behave.
5. SNMP Service Properties: Select the Agent tab. In the Contact field, enter your first and last name. In the Location field, enter your network name and your computer name (for example, psybecks—SystemB) as the location of the server. In the Service section, be sure that only the Applications and End-to-End check boxes are selected.
6. SNMP Service Properties: Select the Traps tab. Because the common community name used is “public,” enter public in the Community Name field and click Add To List.
7. SNMP Service Properties: In the Trap Destinations section, click the Add button. Enter System A’s IP address and click Add.
8. SNMP Service Properties: Select the Security tab. Be sure it is configured to send authentication traps, and that it will accept packets from any SNMP host. These settings are the defaults.
9. SNMP Service Properties: When the configurations are complete, click OK.
10. Services Snap-in: Verify that the SNMP service is installed and running in the Services snap-in. You should notice that the SNMP Trap Service is installed but not running. For this service to start, it is recommended that you set it to begin automatically when Windows restarts. Right-click the SNMP Trap Service and select Properties. The General tab will appear by default in the Properties window. In the Startup drop-down menu, select Automatic. Click OK.
11. Services Snap-in: Close the Services Snap-in.
You have now installed an agent on both Linux and Windows systems. You have also seen how Windows supports SNMP traps and agents as two separate services. You will continue to use SNMP in the next chapter.
Summary
In this chapter, you learned about the need for an open network management standard, as well as what to look for when you implement a network management system. You also learned about the FCAPS model, which helps categorize the five primary concerns of network management. You learned about the network management model, and how it consists of four components: a network management station (NMS), a network agent, an information base, and a network management protocol. Finally, you learned about network management architectures—centralized, distributed, and hierarchical—which will help you implement an appropriate and successful management strategy for your company.
Critical to a successful implementation is understanding SNMP. We traced the history of SNMP. SNMPv1 was limited in its design so it could be applied as widely as possible. Versions 2 and 3 were created to address some of SNMP’s shortcomings. Next, you discovered the basic purpose of the SMI, the MIB tree, OIDs, ASN.1, and BER. You learned that the SNMP process involves the use of an NMS and an agent that share queries by means of a PDU. You also learned about the type of PDU sent from an NMS, and the types sent by an agent. And you learned how an NMS uses port 162 to listen for agent messages, and how an agent listens on port 161.
Finally, you installed several NMS applications, and you configured an agent for Linux and Windows systems. Because SNMP is a cross-platform standard, you are not limited to Windows 2000 or any other system for your NMS or agents. If your network contains both Windows 2000 and Linux systems, you can query a Windows agent from a Linux NMS, and vice versa. Heterogeneous systems are common on any network today, and managing all systems well is the realm of an internetworking professional.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
Abstract Syntax Notation 1 (ASN.1)
Agents
Basic Encoding Rules (BER)
Common Management Information Protocol (CMIP)
managed node
Management Information Base (MIB)
Network Management System (NMS)
object identifier (OID)
Protocol Data Unit (PDU)
Simple Network Management Protocol (SNMP)
Structure of Management Information (SMI)
traversal
Exam Essentials
Now that you have completed this chapter, you should be able to:
Understand the importance of network management. Network management enables you to manage a network efficiently, and to monitor and troubleshoot network problems.
Be able to identify the components of an effective management strategy. An effective management system will centralize control, provide remote systems management, operate independently of the system, support multiple protocols, manage complexity, improve service, and reduce downtime.
Be able to identify the elements of the OSI Network Management Functional Areas model. MFAs consist of fault management, configuration management, accounting management, performance management, and security management, sometimes abbreviated as FCAPS.
Be able to identify the elements of a managed network. A managed network consists of managed nodes, an information base, a network management station, and a network management protocol.
Know the network management architecture types. Network management types are centralized, distributed, and hierarchical.
Know the history of SNMP. SNMP was introduced in 1989 to bridge existing management protocols and increase standardization and interoperability. While later versions of SNMP are more complex, they still build on SNMPv1’s simple, open structure. Some vendors have created extensions to SNMP, often out of a desire to implement some elements of SNMPv2, prior to that version becoming a standard. This industry fragmentation contributed to most vendors skipping SNMP. Now many vendors offer SNMPv3 support, although many still only support SNMPv1.
Understand the general purpose of the Structure of Management Information (SMI), the Management Information Base (MIB) tree, an object identifier (OID), the Abstract Syntax Notation One (ASN.1) and the Basic Encoding Rules (BER). SMI is the master document defining rules for an SNMP implementation. SMI defines manageable objects in an MIB tree, unique OIDs for each type of object, and uses ASN.1 to define how these objects and their status are expressed. BER provides rules for encoding SNMP messages for transmission across a network.
Understand the SNMP process. Either an agent or an NMS may initiate SNMP communications. A request of an agent made by the NMS is called a traversal, while a request or alert from an agent to the NMS is called a trap. Each command is contained within a Protocol Data Unit. There are five types of commands: GetRequest, GetNextRequest, GetResponse, SetRequest, and Trap.
Know the SNMP architecture. SNMP consists of an NMS, an agent, and the message format. The message includes the version number, the community name, and a field for the PDU type.
Be able to identify key SNMP communication methods. SNMP communicates using UDP. Standard SNMP implementations communicate on ports 161 and 162 for agent-to-NMS and NMS-to-agent communications.
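The message format summarized above, as an added worked example rather than code from the book: it encodes an SNMPv1 GetRequest with the Basic Encoding Rules and parses it back, so you can see where the version number, community name, PDU type, and varbinds sit in the datagram. The functions are written for this page; only Python's standard library is used, and the request is built in memory rather than sent to port 161.

```python
"""Added example (not from the book): an SNMPv1 message built and decoded with
the Basic Encoding Rules (RFC 1157 layout). Standard library only; the bytes are
constructed locally and no agent is contacted."""
from typing import Dict, List, Tuple

# Universal BER tags used by SNMPv1, plus the context-specific PDU tags
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap"}

def ber_length(n: int) -> bytes:
    """Short form below 128; long form (0x80 | byte count, then the count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value wrapper; every SNMP field is one of these."""
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER, so 255 encodes as 00 FF rather than FF."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return ber_tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    """First two arcs fold into one byte (40*a + b: 1.3 -> 0x2B); the rest are base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("malformed OID: " + oid)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits go last; continuation bit on the others
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return ber_tlv(TAG_OID, bytes(body))

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid, given the value bytes (tag and length removed)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def build_get_request(community: str, oids: List[str], request_id: int = 1,
                      pdu_tag: int = 0xA0) -> bytes:
    """Message = SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, PDU };
    PDU = request-id, error-status, error-index, SEQUENCE OF { OID, NULL }."""
    varbinds = b"".join(ber_tlv(TAG_SEQUENCE, encode_oid(o) + ber_tlv(TAG_NULL, b""))
                        for o in oids)
    pdu = ber_tlv(pdu_tag, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
                  + ber_tlv(TAG_SEQUENCE, varbinds))
    return ber_tlv(TAG_SEQUENCE, ber_integer(0)
                   + ber_tlv(TAG_OCTET_STRING, community.encode("ascii")) + pdu)

def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, position just past this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], pos + length

def parse_message(data: bytes) -> Dict:
    """Header fields and varbind OIDs of a raw SNMPv1 datagram. The community name is
    cleartext to anyone who sees the packet. Trap PDUs (0xA4) use a different body
    layout and are rejected here."""
    tag, body, _ = read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TAGS or pdu_tag == 0xA4:
        raise ValueError("unsupported PDU tag 0x%02X" % pdu_tag)
    _, req_id, pos = read_tlv(pdu, 0)
    _, err_status, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        _, oid_body, _ = read_tlv(varbind, 0)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu_type": PDU_TAGS[pdu_tag],
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "oids": oids}

if __name__ == "__main__":
    # GetRequest for sysDescr.0, the first object an "snmpwalk ... system" returns
    message = build_get_request("public", ["1.3.6.1.2.1.1.1.0"])
    print(message.hex())
    print(parse_message(message))
```

The parse step makes the security point of the Windows Security tab and the snmpd.conf community setting concrete: the community name travels as an unencrypted OCTET STRING, so any host that can read the datagram can read it, and only the agent's community check and host filter stand between that name and a reply.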
Review Questions
1. Which of the following statements accurately characterizes the need for network management?
A. The need for central access to information has decreased in today’s decentralized, heterogeneous internetworking environment.
B. Centralized management schemes diminish the ability to troubleshoot network problems.
C. A complex network management system is more efficient under adverse conditions than a simple system.
D. Corporate networks are growing in size and complexity.
2. Which of the following is the most widely deployed concept of the ISO Management Functional Areas model?
A. Configuration management
B. Security management
C. Fault management
D. Performance management
3. In the FCAPS model, name management is a subset of:
A. accounting management.
B. performance management.
C. security management.
D. configuration management.
4. Which of the following is the first step in the performance management process?
A. Gather performance data, based on variables of interest.
B. Monitor system devices to determine a baseline.
C. Observe individual network nodes.
D. Measure network access by user.
5. What is the primary characteristic of a managed node in the ISO network management model?
A. A node is different from a network host with an agent.
B. A node contains an agent.
C. A node is a repeater, a router, a gateway, or a firewall.
D. A node typically does not contain an agent.
6. Which of the following types of proxy agents can authenticate requests sent to the NMS?
A. Multi-management protocol support
B. Administrative caching
C. Caching
D. Multi-transport protocol support
7. What is responsible for structuring and organizing data on an SNMP agent?
A. The MIB
B. The NMS
C. The relay agent
D. The managed node
8. Which of the following statements describes a hierarchical network management architecture?
A. A hierarchical system is decentralized.
B. A hierarchical system contains at least two peer network management systems.
C. A hierarchical system is ideal for small to medium-sized networks.
D. A hierarchical system combines a centralized system with a distributed system.
9. Which of the following statements accurately describes SNMP?
A. Despite its power, SNMP generally requires greater system and network resources than other management schemes.
B. SNMP centralizes authority and allows you to manage information from one location.
C. SNMP is currently in its second version (SNMPv2).
D. One of SNMP’s strengths is its security.
10. Which of the following is the most commonly implemented version of SNMPv2?
A. SNMPv2c
B. SNMPv2u
C. SNMPv2.1
D. SNMP2*
11. The chief practice defined by any SMI document is the creation and use of:
A. upgrades to SNMP.
B. an SNMP extension.
C. an object identifier.
D. an SNMP engine.
12. Which of the following describes ASN.1?
A. ASN.1 provides a way for information to be transferred across a network by breaking values into octets.
B. ASN.1 was developed several years after SNMP.
C. ASN.1 does not use variables and statements as other languages, such as JavaScript, do.
D. ASN.1 is a language used by SNMP to create MIB objects.
13. BER uses the basic encoding translation syntax language to encode:
A. labeled nodes.
B. MIB variables.
C. subtrees.
D. SNMP messages.
14. Which of the following SNMP commands is sent by an agent?
A. GetRequest
B. SetRequest
C. GetResponse
D. GetNextRequest
15. Which of the following fields is found in SNMPv1 and SNMPv2c message headers?
A. The error status field
B. The community field
C. The name field
D. The request ID field
16. On which of the following UDP ports does the NMS listen for trap messages?
A. Port 126
B. Port 162
C. Port 161
D. Port 116
17. Which NMS is most widely implemented?
A. Scotty
B. SunNet Manager
C. IBM NetView
D. HP OpenView
18. Which of the following is NOT a network management protocol?
A. SGMP
B. SNMP
C. STMP
D. CMIP
19. Which of the following trap messages indicates that the sending protocol entity has reinitialized?
A. WarmStart
B. LinkDown
C. ColdStart
D. AuthenticationFailure
20. What does the A in the FCAPS model stand for?
A. Authentication management
B. Access control
C. Administrative management
D. Accounting management
Answers to Review Questions
1. D. Network management may not solve all of the problems of network growth and complexity, but it is a valuable process for centralizing a network’s information.
2. C. Fault management is most widely deployed, which implies that it is the most widely desired by both technical and managerial IT staff.
3. D. Configuration management includes name management.
4. A. Performance data in a managed network is based on variables of interest. These variables must be defined before a baseline can be measured.
5. B. A managed node can be many things, beyond repeater, router, gateway, or firewall, including any host with an agent, because the defining factor is that it contains an agent.
6. B. An administrative caching proxy agent is implemented to reduce administrative load on a central NMS. A caching proxy agent that is not an administrative caching agent cannot authenticate on behalf of the NMS.
7. A. The MIB is the repository for information collected by SNMP agents.
8. D. A hierarchical system contains no peers, but retains a central authority, combining centralized and distributed elements. It is not appropriate for small networks.
9. B. SNMP is designed to centralize information management.
10. A. Of the various flavors of SNMPv2, v2c is the most commonly implemented of version 2—but remember that SNMPv1 is the most widely supported, and SNMPv3 is the most complete protocol.
11. C. The OID is the primary focus of the SMI document, which is not directly related to SNMP, but SNMP is an implementation of the definitions of the SMI.
12. D. ASN.1 predates SNMP, uses variables and statements, and is independent of transferring data across networks. It is used by SNMP to create MIB objects.
13. D. SNMP messages are encoded by BER, hence their name Basic Encoding Rules.
14. C. Trap and GetResponse are sent by the agent.
15. B. Version number, community field, and PDU type are in the SNMP header.
16. B. The NMS listens for agent messages on port 162.
17. D. HP OpenView has the most market share in network management.
18. C. SGMP is the Standard Gateway Management Protocol, SNMP is Simplified Network Management Protocol, and CMIP is Common Management Information Protocol.
19. C. ColdStart indicates that the entity an agent is active on has reinitialized.
20. D. Accounting management is often used to track departmental use of a managed network.
Chapter 8
The Management Information Base and Enterprise SNMP
CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER: Explain key network management architectures, protocols and components, including but not limited to: SNMP, OSI network management model.
To administer a network effectively, you need to understand how to access Management Information Base (MIB) variables properly. This task requires you to know the location of the groups on the MIB tree. Accessing the MIB tree nodes requires that you understand the two MIB specifications (MIB-I and MIB-II). You must also follow a specific procedure when accessing an instance of an MIB variable that resides in a group. Part of this procedure involves differentiating between a scalar and a tabular (in other words, array) variable, as well as understanding that one variable, or “leaf node,” can contain multiple instances that help you understand the operation of a particular entity on your network. This chapter will help you further understand both the theory and the practice of SNMP.
The MIB Tree
RFC 1155 stipulates that every managed object must have a name. It also stipulates that it be unique, and based in a hierarchical relationship so that whenever an entity creates a network device, it can easily add SNMP support to it. Whenever a new MIB is developed, it is organized on the MIB tree. The object identifier namespace is administered by the International Organization for Standardization (ISO) and the International Telecommunication Union (ITU). The namespace is not limited to object identifiers for network management, but includes names for any kind of object. The ISO and ITU organizations delegate responsibility for managing subsets of the namespace to other organizations. For example, the U.S. Department of
Defense manages the iso.org.dod subtree. The iso.org.dod.Internet.mgmt.mib object identifier is used for the MIB database, as described below, and iso.org.dod.Internet.private.enterprises is used for additional vendor-specific MIB database object identifiers. ISO Document 824 defines the numerical sequences for how an object identifier (OID) should operate. Figure 8.1 shows the first two levels of the MIB tree used by SNMP.
FIGURE 8.1 Root and second level of MIB tree
Root
  ITU (0)
  ISO (1)
  Joint ISO/ITU (2)
Officially, the highest level has no alphanumeric designation, but is often referred to as “root,” “unnamed,” or “unlabeled.” All directly attached branches are called branches, groups, or children. The three highest-level branches are ITU (0), ISO (1), and ISO/ITU (2). The relevant node for most network administrators is the ISO, which has an OID of 1. You can also call it by its alphanumeric name (ISO).
Earlier, the ITU was called the CCITT. The RFCs often refer to the CCITT when discussing the 0 and 2 portions of the MIB tree.
The ISO Branch
The ISO branch has four children, or groups, beneath it. They are international standard (0), registration-authority (1), member-body (2), and identified-organizations, or org (3). The registration-authority is reserved as specified in ISO 8824, and a member-body is denoted by a three-digit numerical country code assigned by ISO 4166 to each ISO/IEC member. These organizations have International Code Designator (ICD) values as given in ISO 6523. The most relevant node for the current discussion is identified-organizations, which could be referred to as 1.3, or iso.org. The name “identified-organizations” is often shortened to “org,” which is considered sound practice by the creators of SNMP and networking professionals. See Figure 8.2.
FIGURE 8.2 ISO branch children
Figure 8.3 shows only a selected part of the third through fifth levels of the MIB tree, which include identified-organizations. In the figure, they are called org (3) in accordance with the convention mentioned above.
FIGURE 8.3 MIB tree from root to Internet node
The dod node is one of the children under 1.3 (org). Its numerical value is 1.3.6. You can also refer to it as iso.org.dod. The Internet node is the next relevant child of dod. You can refer to it either as iso.org.dod.Internet or 1.3.6.1.
Some syntaxes will require you to include the root (.) node in the OID numerical value, such as .1.3.6.1.
The Internet Node and Its Children
The Internet is a subtree under dod, and has an OID of 1.3.6.1. The subtrees defined under the Internet OID are directory (1), management (2), experimental (3), and private (4). See Figure 8.4. This branch will probably be the
most relevant for most internetworking professionals. Although you will see how the second SMI (SMIv2) adds fourth and fifth nodes below Internet, the second and fourth groups shown in Figure 8.4 will likely remain the most important.
FIGURE 8.4 Internet subtree groups for SMIv1
Internet (1)
  Directory (1)
  Management (2)
  Experimental (3)
  Private (4)
Directory (1) is reserved for future use with the X.500 service. Objects in this subtree are also the most widely implemented. The experimental (3) node is reserved for experimental protocols and for various MIBs that will probably become standards but are still under development. Private (4) specifies objects that are defined unilaterally.
The enterprises node (1.3.6.1.4.1) lies beneath the private node. Each subtree beneath enterprises is assigned to a single company (i.e., enterprise), such as Cisco, Microsoft, or Sun. An enterprise is an organization that has registered its own extensions to the MIB. To reach the private node beneath the Internet entry, enter 1.3.6.1.4, or refer to iso.org.dod.Internet.private. The most relevant node that lies beneath private is enterprises (iso.org.dod.Internet.private.enterprises, or 1.3.6.1.4.1). The enterprise node contains vendor-specific MIBs for a large and growing number of devices and systems. For example, all managed objects specific to Hewlett-Packard are located under iso.org.dod.Internet.private.enterprise.dec, which has the numerical equivalent of 1.3.6.1.4.1.36.
The management node is coterminous with, or lies on the same level as, private. It is important because it contains essential system information relevant to the Internet and TCP/IP. For example, it contains the system, interfaces, address translation, IP, ICMP, TCP, UDP, and EGP groups, among others. For now, you need to understand that SMIv1 includes four groups beneath the Internet entry, and that these four groups contain additional system and vendor-specific information.
Referring to MIB Groups: A Short SNMP Example
RFC 1155 stipulates that the official way to name the OID is to refer to it by its number. As you have seen, however, you can refer to an object’s OID by
number or by name. The name is officially called the short text description. The number is a series of integers separated by periods. Each method is equally effective in specifying the exact traversal of the MIB tree, although both SMIv1 and SMIv2 refer to the tree by numbers. For example, if you want the system description of a specific agent, the NMS could query the numerical identity, which is 1.3.6.1.2.1.1.1. Alternatively, you could refer to the same object as iso.org.dod.Internet.mgmt.mib.system.sysDescr. Figure 8.5 shows a selection of the OID name space.
FIGURE 8.5 Object identifier name space
Root
  ISO (1)
    Org (3)
      DOD (6)
        Internet (1)
          Directory (1)
          Mgmt (2)
            MIB (1)
              System (1)
              Interfaces (2)
              Addr-Trans (3)
              IP (4): IPForwarding (1), IPDefaultTTL (2), IPInReceives (3), ...
              ICMP (5)
              TCP (6)
              UDP (7): UDPInDatagrams (1), ...
              EGP (8)
          Experimental (3)
          Private (4)
            Enterprises (1)
  ISO/ITU (2)
  ...
You can construct either numeric or short text OIDs by starting at the root of the MIB tree and separating each hierarchy with periods. The object identifier for the leaf node ipForwarding is iso.org.dod.internet.mgmt.mib .ip.ipForwarding, or 1.3.6.1.2.1.4.1.
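The naming rules above, as an added example that is not from the book: a small table built from Figure 8.5, the MIB-II system group, and three entries of Table 8.1 lets you translate between short text descriptions and numeric OIDs in both directions, apply the MIB-II default that the UCD commands use for short names, and tell which Internet subtree an OID belongs to. The tree subset and the lowercase node names are assumptions made for this example; a real NMS loads the full definitions from MIB files.

```python
"""Added example (not from the book): resolving MIB object names to numeric OIDs
and back over a hand-built subset of the tree in Figure 8.5, the MIB-II system
group, and a few enterprise numbers from Table 8.1."""
from typing import Dict, List, Optional, Tuple

# Children of each node, keyed by the parent's dotted name ("" is the unnamed root).
# "at" is the address-translation group that Figure 8.5 labels Addr-Trans.
TREE: Dict[str, Dict[str, int]] = {
    "": {"itu": 0, "iso": 1, "joint-iso-itu": 2},
    "iso": {"org": 3},
    "iso.org": {"dod": 6},
    "iso.org.dod": {"internet": 1},
    "iso.org.dod.internet": {"directory": 1, "mgmt": 2, "experimental": 3, "private": 4},
    "iso.org.dod.internet.mgmt": {"mib": 1},
    "iso.org.dod.internet.mgmt.mib": {
        "system": 1, "interfaces": 2, "at": 3, "ip": 4, "icmp": 5, "tcp": 6,
        "udp": 7, "egp": 8, "transmission": 9, "cmot": 10, "snmp": 11},
    "iso.org.dod.internet.mgmt.mib.system": {
        "sysDescr": 1, "sysObjectID": 2, "sysUpTime": 3, "sysContact": 4,
        "sysName": 5, "sysLocation": 6, "sysServices": 7},
    "iso.org.dod.internet.mgmt.mib.ip": {"ipForwarding": 1, "ipDefaultTTL": 2, "ipInReceives": 3},
    "iso.org.dod.internet.mgmt.mib.udp": {"udpInDatagrams": 1},
    "iso.org.dod.internet.private": {"enterprises": 1},
    "iso.org.dod.internet.private.enterprises": {"cisco": 9, "hp": 11, "microsoft": 311},
}
MIB2 = "iso.org.dod.internet.mgmt.mib"       # 1.3.6.1.2.1, where the UCD tools look first

def _child(path: Optional[str], label: str) -> Tuple[Optional[str], int]:
    """Resolve one label (name or number) beneath a node. Returns (child path, number);
    the path becomes None once we pass below the part of the tree this table knows."""
    children = TREE.get(path, {}) if path is not None else {}
    for child_name, child_number in children.items():
        if (label.isdigit() and child_number == int(label)) or child_name.lower() == label.lower():
            return (child_name if path == "" else f"{path}.{child_name}"), child_number
    if label.isdigit():
        return None, int(label)
    raise KeyError(f"unknown object name {label!r} under {path or 'root'}")

def name_to_oid(name: str) -> str:
    """iso.org.dod.internet.mgmt.mib.ip.ipForwarding -> 1.3.6.1.2.1.4.1 (numbers may be mixed in)."""
    path: Optional[str] = ""
    arcs: List[int] = []
    for label in name.strip(".").split("."):
        path, number = _child(path, label)
        arcs.append(number)
    return ".".join(str(a) for a in arcs)

def oid_to_name(oid: str) -> str:
    """1.3.6.1.2.1.1.1.0 -> iso.org.dod.internet.mgmt.mib.system.sysDescr.0; unknown arcs stay numeric."""
    path: Optional[str] = ""
    labels: List[str] = []
    for arc in oid.strip(".").split("."):
        path, number = _child(path, arc)
        labels.append(path.rsplit(".", 1)[-1] if path is not None else str(number))
    return ".".join(labels)

def resolve(spec: str) -> str:
    """The rule the exercise note describes for UCD commands: a leading '.' means an
    absolute OID (name or number); anything else is searched beneath MIB-II."""
    return name_to_oid(spec) if spec.startswith(".") else name_to_oid(f"{MIB2}.{spec}")

def subtree_of(oid: str) -> Optional[str]:
    """Name the Internet subtree (directory, mgmt, experimental, private) an OID falls in,
    i.e. whether a request is for standard MIB-II data or for vendor-specific data."""
    arcs = oid.strip(".").split(".")
    if len(arcs) < 5 or arcs[:4] != ["1", "3", "6", "1"]:
        return None
    for name, number in TREE["iso.org.dod.internet"].items():
        if str(number) == arcs[4]:
            return name
    return None

if __name__ == "__main__":
    print(name_to_oid("iso.org.dod.internet.mgmt.mib.ip.ipForwarding"))   # 1.3.6.1.2.1.4.1
    print(oid_to_name("1.3.6.1.2.1.1.1.0"))
    print(resolve("system"), subtree_of("1.3.6.1.4.1.311.1.2"))
```

Matching is case-insensitive so that the book's mixed spellings (Internet and internet) resolve the same way, and an OID that runs past the known table keeps its trailing numbers, which is how an NMS without a vendor's MIB file displays enterprise objects.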
MIB Terminology
As you previously learned, any component or setting that can be managed on an agent is considered a managed object. The MIB is the total of all managed objects on an agent. MIBs define the objects that an NMS can query and configure. You need to understand that an MIB is not a database. MIBs define the manageable objects contained on an agent. The first Internet-standard MIB was designed to include the lowest number of objects that would be useful for managing network nodes.
An SNMP MIB uses five data types: IpAddress, Counter, Gauge, TimeTicks, and Opaque. The values for each of these are discussed below.
IpAddress: An octet string that has four octets stored in the manner of a standard TCP/IP address. Currently, this field is fashioned after an IPv4 address.
Counter: An object, a non-negative integer that increases until it reaches some maximum value.
Gauge: An object, a non-negative integer that may increase or decrease. You can set a gauge value from 0 to 4294967295. A gauge value establishes a logical toggle switch in the sense that it will remain dormant until the device being monitored reaches a specified limit. It will then remain active until the value falls beneath that limit.
TimeTicks: An object, a non-negative integer that counts hundredths of a second since an event occurred. Each TimeTicks variable must use a value of one-hundredth of a second. The maximum limit for a TimeTicks value is 497 days.
Opaque: Creates new data types not created by SMIv1.
MIBs use some common terms, as well:
MIB object: Specifies information that can be accessed by the SNMP agent on a managed node.
Entity: Any managed node that has an SNMP agent.
DisplayString: Describes how to print ASCII strings.
PhysAddress: Specifies how to format physical network addresses.
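To show what the Counter, Gauge, and TimeTicks definitions above mean for an NMS that polls them, here is an added example (not from the book) that computes a wrap-safe Counter delta, clamps a Gauge, and converts a TimeTicks value into the day and time form that snmpwalk prints. The sample readings are constructed for the example.

```python
"""Added example (not from the book): how Counter, Gauge and TimeTicks values behave
and what a poller has to do with them. Sample readings are constructed."""
from typing import List, Tuple

MAX32 = 4294967295          # 2**32 - 1, the ceiling for Counter, Gauge and TimeTicks
TICKS_PER_SECOND = 100      # TimeTicks count hundredths of a second

def counter_delta(previous: int, current: int) -> int:
    """A Counter only increases and wraps to 0 after MAX32. Taking the difference
    modulo 2**32 gives the true increase across one wrap; naive subtraction would
    put a large negative spike on the poller's graph. A 32-bit byte counter on a
    link carrying 125 MB/s wraps in about 34 s, so the polling interval must be
    shorter than that or a whole wrap is silently lost."""
    return (current - previous) % (MAX32 + 1)

def poll_rates(samples: List[Tuple[int, int]]) -> List[float]:
    """Per-interval rates (units per second) from (time_seconds, counter) readings."""
    return [counter_delta(c0, c1) / (t1 - t0)
            for (t0, c0), (t1, c1) in zip(samples, samples[1:])]

def gauge_value(value: int) -> int:
    """A Gauge may rise or fall but latches at 0 or MAX32 instead of wrapping."""
    return max(0, min(value, MAX32))

def max_timeticks_days() -> int:
    """Largest TimeTicks value expressed in whole days (the 497-day limit in the text)."""
    return MAX32 // TICKS_PER_SECOND // 86400

def format_uptime(ticks: int) -> str:
    """Render sysUpTime the way snmpwalk prints it, e.g. '1 day, 10:17:36.78'."""
    days, rest = divmod(ticks, 86400 * TICKS_PER_SECOND)
    hours, rest = divmod(rest, 3600 * TICKS_PER_SECOND)
    minutes, rest = divmod(rest, 60 * TICKS_PER_SECOND)
    seconds, hundredths = divmod(rest, TICKS_PER_SECOND)
    return f"{days} day{'' if days == 1 else 's'}, {hours}:{minutes:02d}:{seconds:02d}.{hundredths:02d}"

if __name__ == "__main__":
    # Constructed ifInOctets readings taken 30 s apart; the first interval crosses a wrap
    readings = [(0, 4294960000), (30, 4704), (60, 34704)]
    print(poll_rates(readings))             # [400.0, 1000.0]
    print(format_uptime(12345678))          # 1 day, 10:17:36.78
    print(max_timeticks_days())             # 497
```

A sysUpTime that is smaller than the one seen at the previous poll is worth noting as well: it means the agent restarted (or its TimeTicks passed the 497-day limit), so counters read before and after it cannot be compared.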
MIB-I
The original MIB used by SNMP was developed in 1988 and published in RFC 1156. It was supplemented by RFC 1212. These two documents formed the MIB-I standard, and defined more than 100 configurable managed objects. The managed objects were divided into eight object groups, which are listed below:
System object group (1.3.6.1.2.1.1)
Interface object group (1.3.6.1.2.1.2)
Address translation object group (1.3.6.1.2.1.3)
Internet Protocol (IP) object group (1.3.6.1.2.1.4)
Internet Control Message Protocol (ICMP) object group (1.3.6.1.2.1.5)
Transmission Control Protocol (TCP) object group (1.3.6.1.2.1.6)
User Datagram Protocol (UDP) object group (1.3.6.1.2.1.7)
Exterior Gateway Protocol (EGP) object group (1.3.6.1.2.1.8)
Users soon noticed that it was difficult for agents to allow complete configuration with these eight groups. Every SNMP agent MIB must allow for these groups. See Figure 8.6.
MIB-II
The MIB-II specification was developed in 1990. It was first published in RFC 1158 and was updated by RFC 1213 in March 1991. MIB-II expanded the original eight object groups to 11. Originally, the groups contained 171 objects. The main goal of MIB-II was to create new objects for network management. MIB-II incorporated the entire MIB-I specification into its structure and provided the additional functionality required by SNMPv2. The new object groups are:
Transmission object group (1.3.6.1.2.1.9)
CMOT object group (1.3.6.1.2.1.10)
SNMP object group (1.3.6.1.2.1.11)
In addition to providing three new object groups, MIB-II added more managed objects to the original eight groups, now providing more than 180 manageable objects. Figure 8.7 illustrates that the three new groups reside next to the groups defined by MIB-I. The new groups do not replace any of the groups defined in MIB-I.
FIGURE 8.6 MIB-I
Root
  ITU (0)
  ISO (1)
    Org (3)
      DOD (6)
        Internet (1)
          Directory (1)
          Mgmt (2)
            MIB (1)
              System (1), Interfaces (2), Addr-Trans (3), IP (4), ICMP (5), TCP (6), UDP (7), EGP (8)
          Experimental (3)
          Private (4)
            Enterprises (1)
              3Com (43)
  Joint ISO/ITU (2)
FIGURE 8.7 MIB-II additions
Root
  ITU (0)
  ISO (1)
    Org (3)
      DOD (6)
        Internet (1)
          Directory (1)
          Mgmt (2)
            MIB-II (1)
              System (1), Interfaces (2), Addr-Trans (3), IP (4), ..., Trans (9), CMOT (10), SNMP (11)
          Experimental (3)
          Private (4)
            Enterprises (1)
              Oracle (111)
  Joint ISO/ITU (2)
MIB Groups
The MIB object groups make up the configurable managed objects defined by MIB-I and MIB-II. The enterprises and management groups are the most often-used groups. Each resides off the Internet group, as you might recall from Figure 8.5. They represent vendor-specific items and TCP/IP-related counters, respectively.
Groups Residing Off the Enterprises Group
More than 3,000 object identifiers reside off the enterprises group. As shown in Figure 8.8, each vendor has its own number off the 1.3.6.1.4.1 tree. Some vendors have more than one group, such as Microsoft, which has both the LAN Manager and Microsoft groups.
FIGURE 8.8 Selected vendors off the enterprises group
Enterprises 1.3.6.1.4.1
  Cisco 1.3.6.1.4.1.9
  Silicon Graphics 1.3.6.1.4.1.59
  Novell 1.3.6.1.4.1.23
  Microsoft 1.3.6.1.4.1.311
  LAN Manager 1.3.6.1.4.1.77
  O'Reilly and Associates 1.3.6.1.4.1.2035
  Qualcomm, Inc. 1.3.6.1.4.1.1449
Each of the vendor nodes, or groups, contains still other groups that enable each vendor to provide specific SNMP support for each of its products. Table 8.1 presents additional vendors that reside off the enterprises group.
TABLE 8.1 Vendors Represented in Enterprises Group

Vendor                     OID
IBM                        1.3.6.1.4.1.2
Unix                       1.3.6.1.4.1.4
Cisco                      1.3.6.1.4.1.9
Hewlett-Packard            1.3.6.1.4.1.11
Novell                     1.3.6.1.4.1.23
MIT                        1.3.6.1.4.1.20
NSFNET                     1.3.6.1.4.1.25
Hughes LAN Systems         1.3.6.1.4.1.26
Sun Microsystems           1.3.6.1.4.1.42
3Com                       1.3.6.1.4.1.43
MIPS Computer Systems      1.3.6.1.4.1.57
Silicon Graphics           1.3.6.1.4.1.59
NASA                       1.3.6.1.4.1.71
Boeing                     1.3.6.1.4.1.73
AT&T                       1.3.6.1.4.1.74
LAN Manager                1.3.6.1.4.1.77
CERN                       1.3.6.1.4.1.96
SNMP Research              1.3.6.1.4.1.99
Oracle                     1.3.6.1.4.1.111
Tektronix                  1.3.6.1.4.1.128
Banyan Systems             1.3.6.1.4.1.130
Motorola                   1.3.6.1.4.1.161
Unisys                     1.3.6.1.4.1.223
Compaq                     1.3.6.1.4.1.232
Microsoft                  1.3.6.1.4.1.311
Lotus                      1.3.6.1.4.1.334
Intel                      1.3.6.1.4.1.343
Symantec                   1.3.6.1.4.1.393
US Robotics                1.3.6.1.4.1.429
Qualcomm                   1.3.6.1.4.1.1449
Netscape Communications    1.3.6.1.4.1.1450
Bell South Wireless        1.3.6.1.4.1.1451
IEEE 802.5                 1.3.6.1.4.1.2043
Vendor Subgroups
The previous vendor groups would logically have subnodes that allow you to access and control variables residing on individual equipment, such as routers, computers, and applications. For example, if you were to enter 1.3.6.1.4.1.77.1.2.25 into an NMS application that supported this type of query, you would be able to access the svUsrTable, which contains information concerning the Windows 2000 accounts database. Of course, you would need to access the variable instances and use the correct community name for the MIB object, but once you have this information and the proper TCP/IP address, you would be able to access sensitive account information for a particular server. Even though SNMP cannot obtain passwords, obtaining all the usernames and account names for a server represents a significant security risk. Therefore, SNMPv2 incorporates more rigorous security.
Adding new definitions in the order specified by the MIB tree is often important. For example, when adding Microsoft MIBs, you must first make sure that you have added the files in this order: mibII.mib, lmmib2.mib, and wins.mib.
Groups Residing Off the Management Group
The MIB-II group stands in between the management node and the other groups, as shown in Figure 8.9. However, most administrators simply refer to these groups as residing off the management group in the MIB tree. You have already seen how MIB-II describes three additional groups (1.3.6.1.2.1.9 through 1.3.6.1.2.1.11).

FIGURE 8.9 Groups beneath management and MIB-II nodes

Management 1.3.6.1.2
  MIB-II 1.3.6.1.2.1
    System 1.3.6.1.2.1.1
    Interfaces 1.3.6.1.2.1.2
    Address Translation 1.3.6.1.2.1.3
    IP 1.3.6.1.2.1.4
    ICMP 1.3.6.1.2.1.5
    TCP 1.3.6.1.2.1.6
    UDP 1.3.6.1.2.1.7
    EGP 1.3.6.1.2.1.8
    CMOT 1.3.6.1.2.1.9
    Transmission 1.3.6.1.2.1.10
    SNMP 1.3.6.1.2.1.11
See Appendix C for a description of the MIB groups residing off the management group, as listed in Figure 8.9. You will notice that some of the groups allow objects to include additional information, including whether an NMS can change the MIB’s value. If it can, the MIB is listed as read/write. Otherwise, it is read-only. Groups that reside off the management group are not vendor-specific and relate to the operation of TCP/IP. These groups are of particular interest because they help determine critical network factors, such as router congestion. The following list provides an overview of the groups residing off the management group.
System group (1.3.6.1.2.1.1) The system group includes information about the system on which the entity resides. Objects in this group are useful for fault management and configuration management.
Interfaces group (1.3.6.1.2.1.2) The interfaces object group contains information about each interface on a network device. This group provides useful information on fault management, configuration management, performance management, and accounting management.
Address translation group (1.3.6.1.2.1.3) The address translation group helps to determine physical address information.
IP group (1.3.6.1.2.1.4) This group provides information about IP in the following areas: errors and types of IP packets seen, IP addresses in the entity, IP routing-table entries, and IP address-to-address mapping. The IP group includes objects that support fault, configuration, performance, and accounting management.
ICMP group (1.3.6.1.2.1.5) The ICMP group contains objects that provide more information about ICMP on the entity. The entity is responsible for processing every ICMP packet received. This requirement affects the entity’s overall performance.
TCP group (1.3.6.1.2.1.6) This group provides information about TCP on the entity.
UDP group (1.3.6.1.2.1.7) The UDP group provides information about UDP on the entity. Its objects specify information about current UDP applications accepting datagrams on the entity. This group does not provide information about current connections because UDP is not a connection-oriented protocol.
EGP group (1.3.6.1.2.1.8) The Exterior Gateway Protocol (EGP) provides information on how one network can reach other IP networks. EGP group objects provide information about EGP on the entity. The objects describe fault, configuration, performance, and accounting management information.
CMOT group (1.3.6.1.2.1.9) This group exists only for historical reasons. No objects are defined in this group.
Transmission group (1.3.6.1.2.1.10) This group provides information about specific media used at the Physical and Data-Link layers of the OSI/RM. At present, Token Ring and FDDI objects are being defined.
SNMP group (1.3.6.1.2.1.11) This group provides information about SNMP packets entering and leaving the entity. SNMP group objects describe all five areas of network management: fault, performance, accounting, security, and configuration.
Accessing MIB Variables
An MIB uses variables to store information. Whenever you use an NMS to query an agent, the agent can refer to two types of variables in the MIB to obtain and relay information. The first type of variable is a simple variable, called a scalar variable. The second type is more complex, and is called a tabular variable or an array variable. Whenever a variable occurs and is used, this is called an instance of a variable. An MIB uses variable instances to allow the agent to obtain information. To properly query an agent, you must append the proper suffix to the OID so that you access the proper instance of the variable. If you do not perform this step, you will be making one of two mistakes: You will be attempting to query a non-leaf node, which is expressly forbidden, or you will receive information you did not expect. Therefore, you must be familiar with how to access both types of variable instances.
SNMP often refers to parts of the MIB tree as nodes. However, the word “node” also refers to any host that is managed by TCP/IP. Be sure you understand the context in which “node” is used.
Accessing Simple Variables
The following discussion describes the UDP MIB group. Figure 8.10 illustrates the UDP MIB subtree.

FIGURE 8.10 MIB subtree for UDP group

UDP 7
  udpInDatagrams 1
  udpNoPorts 2
  udpInErrors 3
  udpOutDatagrams 4
  udpTable 5
    udpEntry 1
      udpLocalAddress 1
      udpLocalPort 2
When SNMP must access the instance of a simple, or scalar, variable, a suffix is needed. You need only append this suffix to the end of the MIB object identifier. For simple variables, a suffix of zero refers to the instance of the variable. A manager uses the GetRequest message to obtain the instance of a variable from an agent. For example, assume a manager transmits a GetRequest message to an agent to obtain the instance of the variable udpInErrors. udpInErrors has the MIB object identifier:
1.3.6.1.2.1.7.3
To access the instance of this variable, the manager must use the following object identifier in the message transmitted to the agent:
1.3.6.1.2.1.7.3.0
Again, the key to accessing the proper instance is knowing that it is a scalar variable, and then adding the number zero (0) to it.
Accessing Array Variables Accessing an array, or tabular, variable is more complex because you must work with information stored in tabular form. In many ways, accessing columnar, or array, variables is much like using a relational database.
Another name for an array variable is columnar variable, because each variable in a tabular array is arranged in a table (for example, udpTable), usually with one column (for example, udpEntry). The column can have multiple variables, such as udpLocalAddress and udpLocalPort.
According to the MIB standard specification, queries for variable instances can be performed only on leaf nodes. For example, the instances of the udpTable and udpEntry variables shown in the previous figure cannot be queried, because they are not leaf nodes. Accessing elements of an array requires using the OID for the node representing the array element that must be read. For example, the following object identifier identifies the udpLocalPort variable in the array:
1.3.6.1.2.1.7.5.1.2
In the following discussion, you will focus on the udpTable array, so assume that the array holds four entries with the values shown in Table 8.2.

TABLE 8.2 Sample Values of udpTable Array

udpLocalAddress    udpLocalPort
0.0.0.0            161
0.0.0.0            162
0.0.0.0            2000
0.0.0.0            7777

The question remains: How do you access the array index for the udpLocalPort variable? How do you specify interest in the second instance of the array element udpLocalPort (with the value 162)? To access this element, you must issue a GetRequest message in which the values that identify that entry (its udpLocalAddress and udpLocalPort, which together form the index) are appended as the suffix to the object identifier used above:
1.3.6.1.2.1.7.5.1.2.0.0.0.0.162
Sending a GetRequest message with the above object identifier would generate a reply message containing the value of udpLocalPort, namely 162. This response is useless because you are required to specify the value contained in the variable you are looking for, and such a query would expect you to already know what that variable is. How can you solve this problem?
The GetNextRequest Message
To access the elements of an array, you must use the GetNextRequest message. The GetNextRequest message Protocol Data Unit (PDU) traverses all the elements of an array tree structure, and allows you to properly query an MIB variable table. Knowing that all variables are sorted lexicographically is important. For example, the array shown in Table 8.2 is sorted in Table 8.3.

TABLE 8.3 Sorted Array

Object Identifier                    Value
1.3.6.1.2.1.7.5.1.1.0.0.0.0.161      0.0.0.0
1.3.6.1.2.1.7.5.1.1.0.0.0.0.162      0.0.0.0
1.3.6.1.2.1.7.5.1.1.0.0.0.0.2000     0.0.0.0
1.3.6.1.2.1.7.5.1.1.0.0.0.0.7777     0.0.0.0
1.3.6.1.2.1.7.5.1.2.0.0.0.0.161      161
1.3.6.1.2.1.7.5.1.2.0.0.0.0.162      162
1.3.6.1.2.1.7.5.1.2.0.0.0.0.2000     2000
1.3.6.1.2.1.7.5.1.2.0.0.0.0.7777     7777
The following example illustrates how the GetNextRequest message operates. Suppose you want to retrieve the array values for the udpLocalPort variable. You initially issue a GetNextRequest message with the following OID:
get-next-request: 1.3.6.1.2.1.7.5.1.2
The agent will respond with the first element that is lexicographically larger than the OID specified. In this example, the reply would be:
1.3.6.1.2.1.7.5.1.2.0.0.0.0.161 = 161
Upon receiving this reply, the manager can issue another request message:
get-next-request: 1.3.6.1.2.1.7.5.1.2.0.0.0.0.161
The reply will be:
1.3.6.1.2.1.7.5.1.2.0.0.0.0.162 = 162
and so forth. Upon issuing the last GetNextRequest message:
get-next-request: 1.3.6.1.2.1.7.5.1.2.0.0.0.0.7777
the reply corresponds to the next OID lexicographically larger than the above. This OID would probably be the first simple variable from the EGP group. (The group that immediately follows the UDP group, EGP, has MIB number 8.) The response could be:
1.3.6.1.2.1.8.1.0 = 8517
which corresponds to the egpInMsgs MIB variable with an example value of 8517. By observing that the prefix for udpTable is not present in the OID in the reply message, you know that this is the end of the table.
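The scalar suffix, the tabular index suffix and the GetNext traversal described above can be tried offline with a small simulated agent. The following Python is an added example, not code from the book or from any SNMP package: its MIB is constructed from the four udpTable rows of Table 8.2, two UDP scalars with made-up values, and the egpInMsgs value 8517 quoted in the text, and it models only an agent's Get and GetNext decisions (no network traffic and no wire encoding).

```python
"""Simulated SNMPv1 agent (added example): scalar instance suffixes, tabular
instance suffixes and GetNextRequest traversal over a constructed MIB."""
from bisect import bisect_right
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]  # an OID as a tuple of sub-identifiers


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1.7.3.0' (leading dot optional) -> (1, 3, 6, 1, 2, 1, 7, 3, 0)."""
    return tuple(int(part) for part in text.strip().lstrip(".").split("."))


def fmt_oid(oid: OID) -> str:
    return ".".join(str(part) for part in oid)


# Constructed udpTable rows: the same four entries as Table 8.2.
UDP_TABLE_ROWS = [("0.0.0.0", 161), ("0.0.0.0", 162), ("0.0.0.0", 2000), ("0.0.0.0", 7777)]


def build_sample_mib() -> Dict[OID, object]:
    """Constructed leaf instances: two UDP scalars, both udpTable columns, and
    the first EGP scalar that follows the table in lexicographic order."""
    mib: Dict[OID, object] = {}
    mib[parse_oid("1.3.6.1.2.1.7.3.0")] = 0        # udpInErrors.0 (scalar suffix .0)
    mib[parse_oid("1.3.6.1.2.1.7.4.0")] = 4242     # udpOutDatagrams.0 (made-up value)
    for addr, port in UDP_TABLE_ROWS:
        # Tabular instance suffix = the index values: udpLocalAddress.udpLocalPort
        index = parse_oid(addr) + (port,)
        mib[parse_oid("1.3.6.1.2.1.7.5.1.1") + index] = addr   # udpLocalAddress column
        mib[parse_oid("1.3.6.1.2.1.7.5.1.2") + index] = port   # udpLocalPort column
    mib[parse_oid("1.3.6.1.2.1.8.1.0")] = 8517     # egpInMsgs.0, value from the text
    return mib


class Agent:
    """Answers Get and GetNext the way the text describes: Get succeeds only on
    an exact leaf instance; GetNext returns the next instance in lexicographic
    order. Tuples of ints compare sub-identifier by sub-identifier, which is
    the ordering SNMP requires (a plain string sort would misorder 161 and 2000)."""

    def __init__(self, mib: Dict[OID, object]) -> None:
        self.mib = mib
        self.ordered: List[OID] = sorted(mib)

    def get(self, oid_text: str) -> Optional[object]:
        # None stands for a noSuchName error: unknown instance or non-leaf node.
        return self.mib.get(parse_oid(oid_text))

    def get_next(self, oid_text: str) -> Optional[Tuple[str, object]]:
        """Return (oid, value) of the first instance strictly greater than the request."""
        position = bisect_right(self.ordered, parse_oid(oid_text))
        if position == len(self.ordered):
            return None  # end of MIB view
        nxt = self.ordered[position]
        return fmt_oid(nxt), self.mib[nxt]


def walk_column(agent: Agent, column_text: str) -> List[Tuple[str, object]]:
    """Retrieve every instance of one table column by repeated GetNext, stopping
    as soon as a reply no longer carries the column's OID prefix."""
    column = parse_oid(column_text)
    rows: List[Tuple[str, object]] = []
    cursor = column_text
    while True:
        reply = agent.get_next(cursor)
        if reply is None:
            break
        oid_text, value = reply
        if parse_oid(oid_text)[: len(column)] != column:
            break  # prefix changed: we have left the table
        rows.append((oid_text, value))
        cursor = oid_text
    return rows


if __name__ == "__main__":
    agent = Agent(build_sample_mib())
    print("Get on non-leaf udpInErrors:", agent.get("1.3.6.1.2.1.7.3"))
    print("Get on udpInErrors.0:", agent.get("1.3.6.1.2.1.7.3.0"))
    for oid_text, value in walk_column(agent, "1.3.6.1.2.1.7.5.1.2"):
        print(oid_text, "=", value)
    print("After the last row:", agent.get_next("1.3.6.1.2.1.7.5.1.2.0.0.0.0.7777"))
```

The walk stops when the returned OID no longer starts with the column prefix, which is the end-of-table test the text describes; a walker that instead stopped on a particular value would never terminate correctly on a real agent, where the row after the table is whatever the next lexicographic instance happens to be.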
EXERCISE 8.1
Querying an instance of a scalar MIB variable in Linux
In this exercise, you will use the snmpget command in Linux to inspect simple MIB variables. You must have the ucd-snmp utilities installed.
1. Inspect the MIB variable sysDescr on your system by querying the SNMP agent installed on your own host. This variable is the first one listed in the system subtree. Use the numeric object identifier in the query; do not use the shorthand human-readable form. Enter the following:
# snmpget localhost public .1.3.6.1.2.1.1.1.0
2. Repeat Step 1, but use the shorthand human-readable form:
# snmpget localhost public system.sysDescr.0
3. As you learned in the last chapter, by default the SNMP daemon responds only to queries to the system MIB group. To allow more access to the MIB tree, you must modify the /etc/snmp/snmpd.conf agent file. To modify it, enter:
# vi /etc/snmp/snmpd.conf
4. Scroll through the file and locate the following entries that restrict access to the system MIB group:
# Third, create a view
# for us to let the group have rights to:
# name incl/excl subtree mask (optional)
view systemview included system
5. Access vi’s insert mode by pressing the i key. In the subtree column, replace the “system” MIB subtree with “.1”, as shown:
# Third, create a view
# for us to let the group have rights to:
# name incl/excl subtree mask (optional)
view systemview included .1
6. Allowing access to the .1 subtree permits access to the ISO branch, which includes all of the widely used branches in the MIB tree.
7. Press the Esc key. Write and quit the file by entering: :wq
8. To activate the change, you must restart the SNMP daemon. Enter: # /etc/rc.d/init.d/snmpd restart
9. Inspect the MIB variable udpOutDatagrams on your system by querying the SNMP agent installed on your own host. Use the numeric object identifier in the query. The udpOutDatagrams variable belongs to the UDP subtree, which has object identifier 7. Enter the following, and note the results:
# snmpget localhost public .1.3.6.1.2.1.7.4.0
10. Repeat Step 9, but use the shorthand human-readable form:
# snmpget localhost public udp.udpOutDatagrams.0
11. Use the netstat program to examine the statistics of the UDP protocol and verify that the number of transmitted UDP datagrams (packets sent) approximately corresponds to the value reported in previous steps (remember that additional UDP packets may have been transmitted during the time between these two steps). Enter:
# netstat -s --udp
12. Note the number of sent UDP packets reported.
EXERCISE 8.2
Querying an instance of an array MIB variable in Linux
In this exercise, you will use UCD SNMP from System A, generating requests to inspect an MIB table, which stores information in array, or tabular, variables, on System B. As you work your way through this exercise, consider what you have learned about MIB tree variables, as well as the difference between scalar and array variables.
1. To access the udpTable, enter:
# snmpgetnext [SystemB IP address] public udp.udpTable
2. You should receive a response similar to the following (your results will be slightly different):
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.111 = IpAddress: 0.0.0.0
3. Notice that the OID now has extra values appended to it automatically by SNMP. This is because the GetNextRequest PDU went from the udpTable object you specified (1.3.6.1.2.1.7.5) to the first table entry, which is udpEntry (1.3.6.1.2.1.7.5.1). SNMP then queried this line to find the first instance of udpLocalAddress (1.3.6.1.2.1.7.5.1.1), which is the name of the first column in the table.
4. Following udpLocalAddress is the value 0.0.0.0.111. The four zeroes of 0.0.0.0.111 identify an IP address value of 0.0.0.0, which means that the port has not been assigned an IP address, but is ready to receive one. The first nonzero entry after udpLocalAddress is 111. This value is the number of the local port being used. The equal sign next to it indicates the information that will be displayed in the udpLocalAddress column of the udpTable, which is the IP address 0.0.0.0.
5. To view the second table entry in the udpLocalAddress column of the udpTable, you will issue another GetNextRequest PDU. The request message will automatically take you to the next udpEntry. Enter the following command (your local port value may be different):
# snmpgetnext [SystemB IP address] public udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.111
6. The second udpEntry may resemble the following:
udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.161 = IpAddress: 0.0.0.0
7. To view the data in the second column, named udpLocalPort, you must issue several more GetNextRequest PDUs (optional). The first udpLocalPort variable will resemble the following:
udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.111 = 111
8. To view all the udpTable variables at once, enter the following:
# snmpwalk [SystemB IP address] public udp.udpTable
9. Identify the first udpLocalPort entry, which should resemble the variable from Step 7.
10. Because the udpTable information is difficult to read in this format, the snmptable command exists to display array variables in an easy-to-read format. Enter:
# snmptable [SystemB IP address] public udp.udpTable
Examine the information you receive, noting the udpLocalPort and udpLocalAddress information.
11. Issue a GetNextRequest PDU on the last udpEntry listed in the snmpwalk results from Step 8. For example, enter the following request (your local port value will be different):
# snmpgetnext [SystemB IP address] public udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.518
12. The GetNextRequest message takes you beyond the udpTable into the snmp group (1.3.6.1.2.1.11). Note that the GetNextRequest PDU takes you through instances of the udpTable, then beyond it to the snmp group, skipping the egp, cmot, and transmission MIB groups.
13. Use the netstat program with the -s option to examine the state of the UDP protocol and verify that the number of transmitted UDP datagrams approximately corresponds to the value reported in previous steps. (Remember that additional UDP packets may have been transmitted during the time between these two steps.) Note the number of UDP packets sent during this exercise.
Implementing SNMP
Now that you have a detailed understanding of MIB-I and MIB-II data structures, we can apply that knowledge to the task of implementing SNMP. SNMPv1 is the foundation for all subsequent versions of SNMP. It is also the most widely implemented management protocol. For example, Microsoft supports this version in its Windows operating systems, and most manufacturers, such as Cisco, 3Com, and IBM, still create agents that conform to this standard. Therefore, to bring practical skills to the workplace, you must understand this version. You should understand SNMPv1 for other reasons as well. To understand more recent developments, such as SNMPv2 and SNMPv3, you must first understand the workings of the SNMPv1 Protocol Data Unit (PDU), because it provides the foundation.
SNMPv1 Message Format
The official name for an SNMP message is an Application Protocol Data Unit (APDU). However, most internetworking professionals call an SNMP message a PDU. You have learned about how both NMS applications and agents work with PDUs. Now you need a more detailed view of the inner workings of a PDU, and how it actually accomplishes the task of network management. Each of the five PDU types has a specific format. Each PDU begins with a header identifying it as a GetRequest, GetNextRequest, GetResponse, SetRequest, or Trap message, followed by the fields of that message type.
GetRequest
The NMS application issues a GetRequest command to an agent to retrieve a specific value from the MIB. The GetRequest command is simple and straightforward. It retrieves a single value. Figure 8.11 illustrates the SNMP GetRequest PDU field.

FIGURE 8.11 SNMP GetRequest PDU field

PDU Type=0 | Request ID | Err Status | Err Index | Object Identifier

The GetRequest PDU field contains four fields of its own, in addition to the PDU type.
PDU Type This header identifies the type of command contained in the SNMP message. The PDU type is set to 0 to indicate a Get command.
Request ID This is a value to identify the SNMP message. Because SNMP uses UDP, a connectionless transport protocol, several requests can be made, and responses can be received out of sequence. The Request ID is used to associate requests with the responses received by agents.
Error Status This field is not used in a Get command, and is always set to 0.
Error Index This field is not used in a Get command, and is always set to 0.
Object Identifier This is the MIB object ID on which the Get command is issued.
GetNextRequest
The NMS application issues a GetNextRequest command to an agent to retrieve the next consecutive value from the MIB. For example, if an NMS issues GetNextRequest for the first value in an agent’s MIB, it will receive the information for either the next instance of that first value or the second value. This sequence may seem a bit confusing, but GetNextRequest commands are used to retrieve large amounts of information from an agent in a linear fashion. Figure 8.12 illustrates the SNMP GetNextRequest PDU field.

FIGURE 8.12 SNMP GetNextRequest PDU field

PDU Type=1 | Request ID | Err Status | Err Index | Object Identifier

The GetNextRequest PDU field contains four fields of its own, in addition to the PDU type.
PDU Type This header identifies the type of command contained in the SNMP message. The PDU type is set to 1 to indicate a GetNext command.
Request ID This is a value to identify the SNMP message. Because SNMP uses UDP, a connectionless transport protocol, several requests can be made, and responses can be received out of sequence. The Request ID is used to associate requests with the responses received by agents.
Error Status This field is not used in a GetNext command, and is always set to 0.
Error Index This field is not used in a GetNext command, and is always set to 0.
Object Identifier This is the MIB object ID that precedes the requested value; the GetNext command is issued on this OID.
GetResponse
When an agent receives a GetRequest or GetNextRequest, it will first determine whether the requesting host is authorized to make the request. It does so by checking the community name. If the host is authorized, the agent will retrieve the information requested and respond with a GetResponse message, which includes the original request as well as the requested information. Figure 8.13 illustrates the SNMP GetResponse PDU field.

FIGURE 8.13 SNMP GetResponse PDU field

PDU Type=2 | Request ID | Err Status | Err Index | Object Identifier

Note that a GetResponse PDU will always be paired with the GetRequest or GetNextRequest message sent from the query. This pairing allows the NMS to properly organize all the queries. The GetResponse PDU field contains four fields of its own, in addition to the PDU type.
PDU Type This header identifies the type of command contained in the SNMP message. The PDU type is set to 2 to indicate a GetResponse command.
Request ID This is a value to identify the SNMP message. Because SNMP uses UDP, a connectionless transport protocol, several requests can be made, and responses can be received out of sequence. The Request ID is used to associate requests with the responses received by agents. The GetResponse Request ID will correspond with a Get, GetNext, or SetRequest ID from a management station.
Error Status This field reports error messages encountered during the processing of the Get or GetNext SNMP messages that the management system initially issued. Table 8.4 describes the errors contained within this field.
TABLE 8.4 SNMPv1 Error Messages

Message       Value   Description
NoError       0       Returned when an operation is successful.
TooBig        1       The response message is too big to send.
NoSuchName    2       Occurs for two reasons: the agent does not support the specified OID, or there is no OID to go in response to a GetNextRequest PDU.
BadValue      3       Response to a SetRequest that specifies a bad value or data type.
ReadOnly      4       This message occurs when you attempt to write to a variable that is read-only.
GenErr        5       An SNMP-generated error specified while reading or writing an MIB variable. It applies to all protocols.
Error Index This field contains additional error information that can be used to determine the source of the problem.
Object Identifier This is the MIB object ID on which the Get or GetNext command was issued.
SetRequest
An NMS application issues a SetRequest command to change the value of an MIB object on an agent. The NMS can configure agents remotely using the SetRequest. The SetRequest PDU is quite important, because some router vendors, such as Bay Networks, use SNMP to provide a universal means to program their routers. Figure 8.14 illustrates the SNMP SetRequest PDU field.
FIGURE 8.14 SNMP SetRequest PDU field

PDU Type=3 | Request ID | Err Status | Err Index | Object Identifier

The SetRequest PDU field contains four fields of its own, in addition to the PDU type.
PDU Type This header identifies the type of command contained in the SNMP message. The PDU type is set to 3 to indicate a Set command.
Request ID This is a value to identify the SNMP message. Because SNMP uses UDP, a connectionless transport protocol, several requests can be made, and responses can be received out of sequence. The Request ID is used to associate requests with the responses received by agents.
Error Status This field is not used in a Set command, and is always set to 0.
Error Index This field is not used in a Set command, and is always set to 0.
Object Identifier This is the MIB object ID on which the Set command is issued.
Trap
The agent issues a trap message when a specified event has occurred. For example, if an agent has been configured to notify the NMS when an error occurs, the agent will issue a Trap command that is sent to a preconfigured NMS or to multiple NMSs. Figure 8.15 illustrates the SNMP Trap PDU field.

FIGURE 8.15 SNMP Trap PDU field

PDU Type=4 | Enterprise | Agent Address | Generic Trap | Specific Trap | Time Stamp | Variable Values

The Trap PDU field contains six fields of its own, in addition to the PDU type.
PDU Type This header identifies the type of command contained in the SNMP message. The PDU type is set to 4 to indicate a Trap message.
Enterprise This field contains the information in the MIB object sysObjectID. This information includes a description of the agent that issued the Trap message.
Agent Address This is the IP address of the agent that issued the Trap message.
Generic Trap This field contains an error code indicating one of the generic Trap messages (coldStart, warmStart, linkDown, linkUp, authenticationFailure, egpNeighborLoss, enterpriseSpecific). Whenever you analyze a trap and notice that its type is Generic, you know that this field contains some sort of error message.
Specific Trap If the enterpriseSpecific code is contained within the Generic Trap field, this field will contain the device-specific code generated by the event that caused the trap to be issued.
Time Stamp This is the time at which the Trap message was generated; this value is obtained from the MIB object sysUpTime.
Variable Values This field is used to add additional values relevant to the Trap message.
Regardless of PDU type, the Basic Encoding Rules (BER) govern how each message is laid out. BER does not use predetermined, fixed field sizes: every field carries its own length, so the size of a message depends on its content. Therefore, one GetResponse PDU could be larger or smaller than another GetResponse PDU.
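To see what the fields in Figures 8.11 to 8.14 look like once BER has been applied, the following Python (an added example, not code from the book or from any SNMP library) encodes an SNMPv1 message by hand: the version integer, the community name as an OCTET STRING, and a PDU whose tag is 0xA0 plus the PDU type number from the figures (GetRequest 0xA0, GetNextRequest 0xA1, GetResponse 0xA2, SetRequest 0xA3). The Trap PDU (0xA4) has a different body and is not built here. The community name, request ID and OIDs passed in are constructed sample values.

```python
"""Added example: BER encoding of an SNMPv1 message (version, community, PDU)."""
from typing import List

# Context-specific constructed tag (0xA0) plus the PDU type shown in the figures.
PDU_TAGS = {"GetRequest": 0xA0, "GetNextRequest": 0xA1, "GetResponse": 0xA2,
            "SetRequest": 0xA3, "Trap": 0xA4}


def ber_length(n: int) -> bytes:
    """Short form for lengths below 128; long form (0x80|N, then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value: the unit BER builds every field from."""
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(n: int) -> bytes:
    """INTEGER (tag 0x02) in the shortest two's-complement form."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, n.to_bytes(length, "big", signed=True))


def encode_octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)


def encode_null() -> bytes:
    return tlv(0x05, b"")


def encode_oid(text: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs are packed as 40*a+b,
    each later arc is base-128 with the high bit set on all but its last byte."""
    arcs = [int(p) for p in text.strip().lstrip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def encode_sequence(items: List[bytes], tag: int = 0x30) -> bytes:
    return tlv(tag, b"".join(items))


def build_message(pdu_type: str, community: str, request_id: int, oids: List[str],
                  error_status: int = 0, error_index: int = 0) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 for SNMPv1), community OCTET STRING, PDU }.
    The PDU holds request-id, error-status, error-index and the variable bindings;
    in a request each OID is paired with NULL because no value is being sent."""
    if pdu_type == "Trap":
        raise ValueError("Trap PDUs have a different body (Figure 8.15); not built here")
    varbinds = [encode_sequence([encode_oid(oid), encode_null()]) for oid in oids]
    pdu = encode_sequence(
        [encode_integer(request_id), encode_integer(error_status),
         encode_integer(error_index), encode_sequence(varbinds)],
        tag=PDU_TAGS[pdu_type])
    return encode_sequence([encode_integer(0), encode_octet_string(community.encode()), pdu])


def community_is_visible(message: bytes, community: str) -> bool:
    """SNMPv1 applies no encryption, so the community name sits verbatim in the datagram."""
    return community.encode() in message


if __name__ == "__main__":
    msg = build_message("GetRequest", "public", 1, ["1.3.6.1.2.1.1.1.0"])  # sysDescr.0
    print(msg.hex(" "))
    print("community readable in the datagram:", community_is_visible(msg, "public"))
```

Running the block shows the community name as plain bytes between the version integer and the PDU tag, which is the cleartext exposure discussed under SNMPv1 Drawbacks later in this chapter; any device capturing the datagram reads it as easily as the agent does.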
SNMPv1 Error Messages
Error messages are different from trap messages. Whereas a trap message alerts you to a problem on your network, an error message is sent whenever the normal NMS/agent relationship encounters difficulty. For example, if an NMS issues a query with an OID that an agent cannot support, the agent will return a GetResponse PDU that contains the errors listed in Table 8.4. These messages are contained in the Error Status field.
SNMPv1 Drawbacks
Some of the factors that made SNMP so popular have also contributed to its weaknesses. The two problems are security and lack of scalability. SNMPv1 developers knew about these drawbacks, but allowed them so that the protocol would receive wide support.
Security The main drawback of SNMP is its lack of security. The creators of SNMPv1 deliberately chose a low-security model so the protocol would gain quick, wide acceptance. However, whenever an SNMP agent communicates with an NMS, it uses a weak authentication scheme, known as trivial authentication.
Trivial Authentication: The Community Name
As you learned earlier, a community name specifies which NMS can query and configure an agent. When an NMS sends an SNMP command to an agent, a community name is included in the message that identifies the proper sender and receiver of the information. The agent determines whether that community name is on its list of accepted community names. These community names are simple text strings. The default community name to read MIB objects on an agent is “public.” The default community name to set and configure MIB objects on an agent is “private.”
Lack of Encryption
SNMPv1 transmits community name information in cleartext, which means that a hacker can capture packets and gain valuable information. Using a simple packet-sniffing program, anyone on the network or internetwork can discover the community name, as well as other information about the agent and NMS.
Practical Concerns Because of SNMPv1’s weak authentication scheme, individual users may be open to intrusion. For example, if a network administrator is using SNMPv1 to control a router and does not change the default community name (public), someone can reprogram the router. SNMP can set and read values, including the number of hops, IP addresses, subnet masks, and default gateways. Therefore, you must consider security when using SNMPv1 on your network.
EXERCISE 8.3
Changing an agent’s community name in Linux In this exercise, you will see how changing a community name can help secure SNMP in Linux.
1. By default, the SNMP daemon responds only to queries to the public community name. To add security, change the community name by modifying the /etc/snmp/snmpd.conf agent file on each SNMP agent. Enter: # vi /etc/snmp/snmpd.conf
2. Scroll through the file and locate the first agent configuration step:
# First, map the community name "public"
# into a "security name"
#       sec.name        source   community
com2sec notConfigUser   default  public
3. Access vi’s insert mode by pressing the i key. Replace the community name public with sybex, as shown:
# First, map the community name "public"
# into a "security name"
#       sec.name        source   community
com2sec notConfigUser   default  sybex
4. Press the Esc key. Write and close the file by entering: :wq
5. To activate the change, you must restart the SNMP daemon. Enter: # /etc/rc.d/init.d/snmpd restart
6. Enter the request: # snmpwalk localhost public ip
You should not receive any response except “End of MIB.”
7. Issue the same request, but use the new community name. You should be successful.
8. Change the community name back to public. After you reconfigure your agent, remember to stop and start the SNMP daemon. As you have seen, changing a community name helps provide some security for your network.
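As an added example (not code from the book or from the UCD-SNMP project), a small Python check for the com2sec mapping that Exercise 8.3 edits: it flags a stock community name and a source of default, which accepts that name from any host. Both configuration fragments are constructed for the example; the hardened one assumes the NMS sits on 192.168.1.0/24.

```python
"""Check snmpd.conf com2sec mappings for the weak defaults Exercise 8.3 replaces.

Added example, not code from the book or from UCD-SNMP. A com2sec line maps a
community name arriving from a given source to a security name; the stock line
accepts "public" from any host ("default").
"""

# Constructed fragments for the example, not copied from a real snmpd.conf.
WEAK_CONF = """\
# First, map the community name "public" into a "security name"
#       sec.name        source          community
com2sec notConfigUser   default         public
"""

# Hardened replacement: a non-default name, accepted only from the agent itself
# or from the NMS's subnet (192.168.1.0/24 is an assumption for this example).
HARDENED_CONF = """\
#       sec.name        source          community
com2sec localOnly       127.0.0.1       sybex
com2sec nmsOnly         192.168.1.0/24  sybex
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # stock read and write names


def parse_com2sec(conf_text):
    """Return (sec_name, source, community) for every com2sec directive."""
    entries = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) == 4 and parts[0] == "com2sec":
            entries.append((parts[1], parts[2], parts[3]))
    return entries


def audit_com2sec(conf_text):
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    for sec_name, source, community in parse_com2sec(conf_text):
        # The agent matches community names case-sensitively, but a case variant
        # of a stock name is still an easy guess, so compare in lower case.
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{sec_name}: default community name '{community}'")
        if source == "default":
            findings.append(f"{sec_name}: source 'default' accepts this name from any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_com2sec(conf) or ["no findings"])
```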
EXERCISE 8.4
Checking the accounts database in Windows 2000 Server In this exercise, you will check the accounts database in Windows 2000 Server. You will add a unique account name so that you can verify that you are sending and receiving unique data from the SNMP query. While this may not be particularly important in a test network or in a very small network, it is a useful technique for isolating and troubleshooting SNMP queries in a busy managed network.
1. Desktop: Go to Start > Programs > Administrative Tools > Computer Management.
2. Computer Management: Expand System Tools and Local Users And Groups. Select the Users folder to display system users. Note the accounts listed. They should somewhat resemble the example below.
3. Users: Add an account by right-clicking the Users folder and selecting New User.
4. New User: Enter any name you want into the Username field. For example, you could use “user33” or any username that is unique to your network.
5. New User: Enter a password in the Password field. Because security is not of any concern here, you can use password, or make it the same as the username. Be sure to confirm the password.
6. New User: Deselect the User Must Change Password At Next Logon check box.
7. New User: Select the Password Never Expires check box.
8. New User: Your screen should resemble the one below.
9. New User: Select the Create button.
10. New User: Select Close. Exit the Computer Management snap-in. You have now viewed your accounts database, and you have added an account. Normally, this would be one of the few ways you could view such sensitive information.
EXERCISE 8.5
Obtaining Windows 2000 accounts using an NMS application In the following exercise, you will query an SNMP agent on your Windows 2000 Server. Specifically, you will use the snmpwalk utility from your Linux System A to view the entire agent MIB on your Windows 2000 System B. There are many applications, such as IpSwitch’s Ping Pro, that will perform this same functionality from a Windows system.
1. Use the snmpwalk command in conjunction with grep to parse the MIB tree. # snmpwalk [SystemB IP address] public | grep User
Note that grep is case-sensitive, and the SNMP MIB is both upper and lower case. To make the grep command case insensitive, use the -i switch, such as: # snmpwalk [SystemB IP address] public | grep -i user
You could specify a similar query using snmpget and the Server User Table OID, which is 1.3.6.1.4.1.77.1.2.25.
2. You should receive a list of every MIB object containing the string “User”, similar to the following:
host.hrSystem.hrSystemNumUsers.0 = Gauge: 4
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.928 = "Wuser32.exe"
3. Notice that you have obtained all the usernames used by Windows 2000 Server.
4. Verify that SNMP Community names are case sensitive with the following query: # snmpwalk [SystemB IP address] Public
You should receive no response, as shown below, due to the simple case change from “public” to “Public”.
Timeout: No Response from 192.168.1.42
As you can see, SNMP can reveal sensitive information to any NMS that knows your server’s IP address, the community name, and the proper MIB tree syntax. Although SNMP cannot obtain the password information, no server should be allowed to reveal such information so readily.
EXERCISE 8.6
Changing an agent’s community name in Windows 2000 In this exercise, you will see how changing a community name can help secure SNMP.
1. Desktop: To configure the SNMP agent, you must access the SNMP Service Properties window. Select Start > Programs > Administrative Tools > Services. Right-click the SNMP Service and select Properties. The SNMP configuration tabs for Agent, Traps, and Security are located in this window.
2. SNMP Service: Select the Security tab.
3. Security tab: Notice that the Accepted Community Names field lists the public community name.
4. Security tab: Select Add, then enter sybex as the community name. The Community Rights field should remain READ ONLY.
Note: The Accepted Community Names field is case sensitive, so be sure not to capitalize the name.
5. Security tab: Highlight “public” and click Remove. Your screen will resemble the one below.
6. Security tab: Select OK.
7. Services: Windows services often require you to restart them so that your configuration changes take effect. Right-click the SNMP Service and select Restart. Close the Services snap-in.
8. Desktop: Repeat the SNMP query from the previous exercise. # snmpwalk [SystemB IP address] public | grep -i user
You should not receive any response.
9. Issue the same query, but use the new community name sybex. You should be successful. # snmpwalk [SystemB IP address] sybex | grep -i user
10. SNMP Service: Change the community name back to public. After you reconfigure your agent, remember to restart the SNMP agent service. As you have seen, changing a community name helps provide some security for your network.
Limited Communication Paths When an agent sends a trap message, it can send the message only to a preconfigured list of NMSs. Furthermore, SNMPv1 provides no means for managers to communicate with one another to provide a distributed management scheme. Because SNMPv1 does not handle NMS-to-NMS communication, it limits the management architecture. In the previous chapter, you learned about centralized, distributed, and hierarchical management structures. With SNMPv1, you can only create a centralized model. One of the results of this limited management architecture is that it quickly overloads an NMS.
No Multiprotocol Support SNMPv1 was designed explicitly for TCP/IP. After it became the standard in actual practice, developers wanted to port it to other internetworking protocols. However, SNMPv1 cannot support any other protocol.
SNMPv2 and SNMPv3 The SNMPv2 and SNMPv3 committees have worked to resolve the shortcomings of SNMPv1. However, their efforts have run into difficulty, mainly because they create a more complex, and possibly less widely accepted, protocol. You can learn more about SNMPv2 and SNMPv3 in White Paper B on the CD. In the following exercises, you will configure Ethereal to capture packets sent between System A and System B.
EXERCISE 8.7
Capturing SNMP packets with Ethereal in Linux In this exercise, you will install and use Ethereal to capture network packets and analyze SNMPv1 PDUs used by default with UCD SNMP. You will capture GetNextRequest and GetResponse PDUs. You will then answer some questions to understand key elements.
1. Install the Ethereal Network Analyzer for Linux, if not already installed. Locate the ethereal-0.8.9-4.i386.rpm installation file. Obtain it from the supplemental CD or download the RPM from http://www.ethereal.com.
2. To install the RPM, enter the following command: # rpm -i ethereal-0.8.9-4.i386.rpm
3. To start Ethereal, open a terminal and enter: # ethereal -n
4. Select the Capture menu and choose Start. The Preferences window will appear.
5. To display only the packets between System A and System B, you must create a capture profile. Select the Filter button. In the Filter Name field, enter SystemA-B Capture. In the Filter String field, enter:
host [SystemA IP address] and host [SystemB IP address]
6. Select the New button. Your new capture’s filter name will appear in the window. Select OK twice to begin the capture.
7. Minimize the Capture/Playback window and Ethereal.
8. Open a new terminal and enter the following: # snmpwalk [SystemB IP address] public .1.3.6.1.4.1.2021.4
9. This OID accesses the memory variables (.4) on your system, which uses the enterprise UC Davis MIB branch (.1.3.6.1.4.1.2021) for your system.
10. Maximize your Capture/Playback window and click the Stop button.
11. Ethereal will display the packets captured in the snmpwalk request. Locate the first SNMP packet, as displayed in the example below.
12. You should see several GetNextRequest and GetResponse messages. In the first window, highlight the first GetNextRequest PDU. In the second window, you should see a detailed list of the SNMP GetNextRequest PDU.
13. In the second window, scroll to the top and notice that the PDU is encapsulated in an IP packet. Then, notice that the actual transport is UDP.
14. Scroll down to the GetNextRequest PDU header and note the message size, SNMP version, and community name. Consider how easy it was to obtain the community name of the PDU.
15. Find the GetResponse PDU. In the second window, scroll to the top of the PDU header, and examine the entire packet. Note the message size and request ID and error status.
16. View the remaining headers.
17. Save the packet capture as snmpcapturev1-linux, then close it and quit Ethereal.
The UCD-SNMP software uses SNMPv1 by default. Windows 2000 also uses SNMPv1. You can tell this by reading the version header, which reports 00 as the version in hexadecimal. Because SNMP uses a zero-based counting system, this version is SNMPv1. Therefore, SNMP is reporting its version number as 0, which Ethereal reports as version 1. You also should have noticed that the community name is easily stolen. Furthermore, someone could easily tamper with packets and then retransmit them. A hacker can obtain valuable information, or even manipulate SNMP-managed devices.
EXERCISE 8.8
Sending and analyzing SNMPv1 traps in Linux In this exercise, you will send a link-up trap from an SNMP agent. If a managed device has a power failure and then returns to normal operation, it can signal an NMS by sending the link-up trap. You will manually send the link-up trap from your agent, then capture and analyze the packet using tcpdump.
1. SNMP traps are sent from the agent using the following example format (values will vary, depending on the trap and the entities involved):
snmptrap -v 1                          [snmptrap command and version]
receiving-host                         [hostname or address, usually of the NMS]
public                                 [community name]
enterprises.ucdavis                    [enterprise OID]
sending-agent                          [hostname or address of agent]
3                                      [generic-trap identifier (3=link up)(2=link down)]
0                                      [specific-trap identifier (not used)]
''                                     [uptime]
interfaces.iftable.ifentry.ifindex.2   [OID for agent's interface data]
i                                      [type (i=interface)]
2                                      [value (2=eth0)]
2. Before you send an SNMP trap, start tcpdump by entering: # tcpdump dst [SystemB IP address]
This command will capture only incoming packets to your system. If tcpdump is not installed, locate the RPM on the Linux Installation CD or from your Supplemental CD and install it.
3. Open a new terminal and send an SNMP link-up trap to System B. Enter: # snmptrap -v 1 [SystemB IP address] public enterprises.ucdavis [SystemA IP address] 3 0 '' interfaces.iftable.ifentry.ifindex.2 i 2
You should not receive a response.
4. Open the tcpdump window. Press Ctrl+C to stop the packet capture. Locate the packet that resembles the following output (host name and IP addresses may differ):
19:59:25.602847 eth0 < 192.168.3.11.1024 > localhost.localdomain.snmp-trap: Trap(49) E:2021 [192.168.3.11] linkUp 1223928 interfaces.ifTable.ifEntry.ifIndex.2=2
5. This packet contains the data that the NMS processes. View the trap and note the source port of the SNMP trap and the enterprise OID.
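As an added example (not code from the book or from the UCD-SNMP project), a small Python BER decoder for the SNMPv1 messages examined in Exercises 8.7 and 8.8: it pulls out the version field (0, which Ethereal reports as version 1), the cleartext community name that makes trivial authentication so easy to sniff, and the PDU fields of both a GetNextRequest and a linkUp Trap. The two byte strings are hand-assembled for this example, not captured from System A or System B.

```python
"""BER decoder for the SNMPv1 messages captured in Exercises 8.7 and 8.8.

Added example, not code from the book or from UCD-SNMP. It walks the
tag-length-value structure of an SNMPv1 message and returns the header
fields (version, community) plus the PDU fields, for request/response PDUs
and for Trap PDUs.
"""

# SNMPv1 PDU tags and the code tables the book lists for the PDU fields.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName", 3: "badValue",
                4: "readOnly", 5: "genErr"}
GENERIC_TRAP = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                4: "authenticationFailure", 5: "egpNeighborLoss",
                6: "enterpriseSpecific"}


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a BER OBJECT IDENTIFIER into dotted form, e.g. 1.3.6.1.4.1.2021."""
    parts = [raw[0] // 40, raw[0] % 40]    # the first octet packs the first two arcs
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)      # 7 data bits per octet, high bit = more follow
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def decode_value(tag, raw):
    """Decode the scalar types that appear in varbinds and Trap headers."""
    if tag == 0x02:                        # INTEGER
        return int.from_bytes(raw, "big", signed=True)
    if tag == 0x04:                        # OCTET STRING
        return raw.decode("latin-1")
    if tag == 0x05:                        # NULL (the value slot of a GetNextRequest)
        return None
    if tag == 0x06:                        # OBJECT IDENTIFIER
        return decode_oid(raw)
    if tag == 0x40:                        # IpAddress
        return ".".join(str(b) for b in raw)
    if tag in (0x41, 0x42, 0x43):          # Counter, Gauge, TimeTicks
        return int.from_bytes(raw, "big")
    return raw.hex()                       # anything else is left as hex


def decode_varbinds(raw):
    """Decode a SEQUENCE OF VarBind into a list of (oid, value) tuples."""
    varbinds, pos = [], 0
    while pos < len(raw):
        _, vb, pos = read_tlv(raw, pos)    # each VarBind is itself a SEQUENCE
        _, oid_raw, p = read_tlv(vb, 0)
        val_tag, val_raw, _ = read_tlv(vb, p)
        varbinds.append((decode_oid(oid_raw), decode_value(val_tag, val_raw)))
    return varbinds


def decode_snmpv1(message):
    """Decode one SNMPv1 message (bytes) into a dict of its fields."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("an SNMP message must start with a SEQUENCE")
    _, ver_raw, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    version = int.from_bytes(ver_raw, "big")
    if version != 0:                       # 0 on the wire is SNMPv1 (zero-based numbering)
        raise ValueError(f"not an SNMPv1 message (version field {version})")
    out = {"version": version,
           "community": community.decode("latin-1"),   # sent in cleartext
           "pdu_type": PDU_NAMES.get(pdu_tag, f"unknown-{pdu_tag:#x}")}
    pos, fields = 0, []
    if pdu_tag == 0xA4:                    # Trap: enterprise, agent-addr, generic, specific, time-stamp
        for _ in range(5):
            t, v, pos = read_tlv(pdu, pos)
            fields.append(decode_value(t, v))
        out.update(enterprise=fields[0], agent_addr=fields[1],
                   generic_trap=GENERIC_TRAP.get(fields[2], fields[2]),
                   specific_trap=fields[3], uptime=fields[4])
    else:                                  # request/response: request-id, error-status, error-index
        for _ in range(3):
            t, v, pos = read_tlv(pdu, pos)
            fields.append(decode_value(t, v))
        out.update(request_id=fields[0],
                   error_status=ERROR_STATUS.get(fields[1], fields[1]),
                   error_index=fields[2])
    _, vbl, _ = read_tlv(pdu, pos)
    out["varbinds"] = decode_varbinds(vbl)
    return out


def agent_accepts(message, accepted_names):
    """Trivial authentication as the agent applies it: an exact, case-sensitive match."""
    return decode_snmpv1(message)["community"] in accepted_names


# Constructed samples, hand-assembled for this example (not captured from the lab).
# GetNextRequest, community "public", request-id 1, for .1.3.6.1.4.1.2021.4 (Exercise 8.7).
SAMPLE_GETNEXT = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 a1 19 02 01 01 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 04 01 8f 65 04 05 00")
# Trap, community "public", enterprise .ucdavis, agent 192.168.3.11, linkUp,
# uptime 1223928, ifIndex.2 = 2 (the packet Exercise 8.8 sends with snmptrap).
SAMPLE_TRAP = bytes.fromhex(
    "30 3a 02 01 00 04 06 70 75 62 6c 69 63 a4 2d 06 07 2b 06 01 04 01 8f 65 "
    "40 04 c0 a8 03 0b 02 01 03 02 01 00 43 03 12 ac f8 30 11 30 0f "
    "06 0a 2b 06 01 02 01 02 02 01 01 02 02 01 02")

if __name__ == "__main__":
    for name, msg in (("GetNextRequest", SAMPLE_GETNEXT), ("Trap", SAMPLE_TRAP)):
        print(name, decode_snmpv1(msg))
    print("agent accepts 'Public'?", agent_accepts(SAMPLE_GETNEXT, {"Public"}))
```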
Remote Network Monitoring MIB (RMON)
The Remote Network Monitoring MIB (RMON) allows you to further customize the way you configure and obtain information from your network. Although RMON is considered part of the MIB-II standard and does not require any modifications to SNMP, it is useful in that it allows real-time monitoring of a network from sources other than the NMS. Because real-time, remote monitoring of heterogeneous networks is so important, you need to understand the theory of RMON. You must also understand how to poll an agent; polling is a fundamental skill used in RMON and all SNMP versions.
What Is RMON? RMON is a powerful set of MIB definitions that augment the existing MIB-II tree. They are part of SNMP in that they provide a vendor-neutral solution to monitoring and configuring specific network settings. However, rather than relying on the NMS-agent relationship, an RMON probe operates as if it were a network management system (NMS). This operation is made possible by special MIB definitions. The RMON probe can monitor systems on your network, even though it is technically not a part of the NMS. Because the RMON agent conducts the polling, the NMS is not directly involved, and therefore the RMON agent, or “probe,” is considered to be remotely managing the system. Also, using RMON, you can gather statistics from systems that cannot contain an agent, so in this sense, RMON operates as a proxy device. If the network device sends or receives packets, RMON can monitor it automatically. You can configure RMON to communicate with the NMS after a certain time. The communication operates through the sending of trap messages. An NMS can also poll an RMON MIB to gain information. An RMON MIB is similar to a standard proxy agent, but with one key difference. Whereas a proxy installation requires an agent to participate with an NMS in the query-response process, an RMON MIB can reside on any device capable of receiving an agent and operate without ever receiving command instructions from an NMS. Furthermore, this RMON MIB can query virtually any other device on the network, and that device will be unaware that it is part of a management architecture. RMON can also observe networks residing across a router. Such capabilities reduce network overhead.
They also allow you to create an advanced network monitoring system that can inform you of as many details as you want. Such transparent control of a network is always desirable because it allows you to gain maximum control with minimum administrative overhead. It also saves network bandwidth, because RMON gives much more detailed information concerning your network, yet it generally releases fewer PDUs on the network. Even a large collection of individual agents sending replies and traps to an NMS cannot give a network manager the “big picture” perspective that a proper RMON implementation can deliver. Furthermore, if you deploy too many agents and traps, you may swamp a network. Whereas some internetworkers have turned to proprietary network monitoring programs such as the Performance Monitor program in Windows 2000, RMON allows administrators to obtain a detailed analysis of diverse network entities using a portable, scalable solution.
Defining RMON The RMON MIB specification is defined by six core RFCs: 2819, 1213, 2011, 2012, 2013, and 1513. RFC 2819 (“Remote Network Monitoring Management Information Base”) defines the RMON MIB that works with TCP/IP Internets, as well as defining the nine groups that form the RMON MIB. It focuses primarily on Ethernet network implementations. RFC 1213 is the SMIv2, which you learned about earlier. RFCs 2011, 2012, 2013 update RFC 1213, explaining how to extend MIB-II for the RMON specification. These three updates to the MIB-II specification describe RMON capabilities for TCP/IP networks. Due to the popularity of Token Ring networks at the time of its writing, RFC 1513 extends the RMON definition to accommodate them, adding a tenth group to the RMON specification. Eventually, new RFCs will appear, defining additional network types. Because it is part of SNMP, RMON operates at the Application layer of the OSI/RM, but monitors only the first and second layers. RMON2 monitors at all levels between layers 3 and 7.
Although you may want to refer to the first RMON specification as RMON1, it is simply called RMON. RMON2 represents an enhanced specification.
Both RMON and RMON2 are incorporated into the MIB-II tree and lie beneath the MIB-II subtree, along with the system, interfaces, address translation, IP, ICMP, and additional groups. Figure 8.16 shows the MIB-II node and some of the subnodes, including the RMON group. RMON has an object identifier (OID) of 16, which makes its MIB tree address 1.3.6.1.2.1.16 (iso.org.dod.internet.mgmt.mib-II.rmon).
FIGURE 8.16 Assorted MIB-II subnodes, including RMON (MIB-II 1.3.6.1.2.1, with subnodes System 1, IP 4, SNMP 11, ..., RMON 16)
RMON Goals RFC 2819 states several goals for RMON MIB. First, the designers of RMON wished to create an MIB that allowed an agent to conduct remote monitoring even if the NMS is not polling the agent. Remember, an agent can either respond to NMS queries or send traps. The key difference with RMON is that it can collect information without having to communicate with the NMS, a feature known as offline operation. The second goal is to provide proactive monitoring. This goal is closely related to the first, in that the designers wanted to create an MIB that allowed continuous connections. The third goal was to enable the MIB to provide relevant data to the NMS. The phrase used in RFC 2819 is “value-added information,” which means that RMON attempts to return preprocessed information that a network administrator can immediately interpret. Rather than simply providing a stream of information, a properly configured RMON agent can mark areas in this information that are of interest to an administrator, such as the specific nodes that have triggered an event, when the event occurred, and the specific packets or events that caused the problem. This information marking can greatly reduce the time spent troubleshooting a network issue. The final RMON goal is to allow multiple, concurrent NMS queries, recognizing that many companies use several NMSs in their networks.
Summary
In this chapter, you learned about the difference between MIB-I and MIB-II, the syntax of an MIB, and how to access scalar and array, or tabular, variables. You studied the enterprises and management groups and learned that each is vital to administering a network. You also learned the importance of MIB definitions, and you practiced naming and accessing MIB variables using SNMP programs. The SNMPv1 PDUs are essential to understanding subsequent versions of SNMP. You learned about the five PDUs used by SNMPv1, including GetRequest, GetNextRequest, GetResponse, SetRequest, and Trap. You also learned about the authentication process in SNMPv1, and how to set a community name on an agent. To this end, you learned how SNMPv1 uses the trivial authentication scheme. You also learned how to work with SNMP commands, and discovered how each PDU is composed by studying several PDUs in Ethereal and tcpdump. Last, you reviewed the purpose and benefits of RMON.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
array variable
community name
International Telecommunication Union (ITU)
Remote Network Monitoring MIB (RMON)
simple variable
trap
Exam Essentials
Now that you have completed this chapter, you should be able to:
Understand the Management Information Base (MIB) tree in detail. The MIB tree is a hierarchical tree falling within the iso.org.dod.internet.mgmt group. MIB groups include system, interfaces, address translation, IP, ICMP, TCP, UDP, and EGP.
Know the purpose of an object identifier (OID). An OID denotes a unique type of object within the MIB tree. Multiple instances of an object type may exist within a single agent.
Be able to define MIB terminology. An MIB object specifies information that can be accessed by the SNMP agent; an entity is a managed node, with an SNMP agent; DisplayString describes how to print ASCII strings; and PhysAddress describes formatting of a physical network address.
Understand the MIB query process. A GetRequest, GetNextRequest, or SetRequest is sent by an NMS to an agent, which replies with GetResponse, or initiates a Trap.
Identify the five SNMPv1 message formats. GetRequest, GetNextRequest, GetResponse, SetRequest, and Trap.
Be able to describe the construction of a Protocol Data Unit (PDU). A PDU contains fields pertinent to the type of SNMP message being used.
Know the common SNMPv1 error messages. NoError, TooBig, NoSuchName, BadValue, ReadOnly, and GenErr are the SNMPv1 error codes.
Be able to discuss SNMPv1 and security. SNMPv1 did not address security concerns, and allows trivial network sniffing or protocol analysis to gain the community name. This design shortcoming was recognized and accepted as an element of completing a simple management protocol to speed implementation.
Understand Remote Network Monitoring (RMON) and be able to identify its goals. RMON was created to implement a system that would allow distributed, remote, offline monitoring and preprocessing of collected information, thereby reducing overall network load. RMON also provides proactive monitoring with continuous connections, and support for polling entities that do not support an agent.
Review Questions
1. How many children, or groups, does the MIB-II group of the MIB tree have?
A. Three children
B. Eight children
C. Eleven children
D. One hundred eighty children
2. The name “identified-organizations” is typically shortened to:
A. id-org.
B. i/o.
C. org.
D. iden.
3. Which of the following subtrees under the private group specifies objects that belong to specific companies?
A. Management
B. MIB
C. Enterprises
D. Companies
4. What are the five data types used by an SNMP MIB?
A. IpAddress, Counter, Gauge, TimeTicks, Opaque
B. NoError, TooBig, NoSuchName, BadValue, ReadOnly
C. PDU Type, Request ID, Error Status, Error Index, Object Identifier
D. System, Interfaces, IP, TCP, UDP
5. Which of the following describes the MIB Counter data type?
A. A non-negative integer that may increase or decrease
B. An octet string that stores four octets
C. A non-negative integer that increases until it reaches some maximum value
D. A non-negative integer that counts hundredths of a second since an event occurred
6. Which of the following groups that reside off the management group provides information about routing-table entries?
A. The SNMP group
B. The IP group
C. The system group
D. The interfaces group
7. To properly query an agent, you must:
A. first query a non-leaf node.
B. use the GetNextRequest message.
C. use the shorthand human-readable form of the OID.
D. append the proper suffix to the OID.
8. What command does an NMS issue to retrieve the next consecutive value from the MIB?
A. GetRequest
B. GetNextRequest
C. GetNextResponse
D. GetResponse
9. An NMS application can configure agents remotely using the:
A. SetRequest.
B. GetNextRequest.
C. GetRequest.
D. GetResponse.
10. Which of the following error messages might occur when the agent does not support the specified OID?
A. NoSuchName
B. BadValue
C. GenErr
D. TooBig
11. SNMPv1’s management architecture capability is limited to:
A. the centralized model.
B. the hierarchical model.
C. the peer model.
D. the distributed model.
12. Which of the following statements gives a benefit of RMON?
A. An RMON agent receives all command instructions from an NMS.
B. You can gain a “big picture” perspective at the cost of network congestion.
C. You can gather statistics from systems that cannot contain an agent.
D. An RMON agent queries almost any network device with the permission of the particular device.
13. Which of the following monitoring systems was designed to allow continuous monitoring?
A. SNMPv1
B. SNMPv2c
C. SNMPv3
D. RMON
14. IP falls under which of the MIB nodes under Internet?
A. Private
B. Directory
C. Experimental
D. Management
15. Which of these is true of RMON?
A. RMON cannot process information.
B. RMON may function without interacting with the NMS.
C. RMON generates more network traffic than similar monitoring with SNMP.
D. RMON fails to provide real-time monitoring.
16. Which node of the MIB tree contains the Enterprise group?
A. mgmt
B. directory
C. iso/itu
D. org
17. Which Internet subtree group is most widely implemented?
A. Directory
B. Management
C. Experimental
D. Private
18. Which of these UCD-SNMP commands is invaluable for retrieving or searching an entire MIB of an agent?
A. snmpget
B. snmpgetnext
C. snmpwalk
D. snmptable
19. Which object contains the Windows accounts database?
A. svAcctTable
B. svUsers
C. svUsrTable
D. svSamDb
20. How many fields in a GetNextRequest PDU, excluding the PDU type header?
A. Four
B. Five
C. Six
D. Seven
Answers to Review Questions
1. C. Three groups were added to the MIB by MIB-II.
2. C. The org branch is an abbreviation for identified organizations.
3. C. The Enterprises group contains objects specific to vendors.
4. A. The other answers are errors, header fields, and five of the SNMP management groups.
5. C. The counter is non-negative and may only increase, until it reaches a maximum value.
6. B. The IP group provides routing information.
7. D. Without the proper suffix to the OID, information from the wrong instance may be returned.
8. B. The GetNextRequest is issued from the NMS to traverse the agent MIB.
9. A. The SetRequest is sent by the NMS to configure an agent.
10. A. NoSuchName is returned by the agent if a specified OID does not exist in the agent’s MIB.
11. A. The centralized architecture is the only one supported by SNMPv1, although some devices that include support for SNMPv1 may also support v2 or v3.
12. C. Systems that cannot contain an agent may be queried by an RMON agent, which is one of the advantages of RMON.
13. D. Continuous monitoring was one of the design goals of RMON, while SNMP agents cannot respond if their node is offline.
14. D. IP is under the MIB node of Management, 1.3.6.1.2.1.4, iso.org.dod.internet.mgmt.mib.ip.
15. B. Offline operation is one of the key features of RMON, allowing preprocessing of information before passing it to the NMS.
16. D. The org node contains the dod.internet.private.enterprises group.
17. A. The Directory subtree is most widely implemented of these peer trees.
18. C. The snmpwalk command will traverse an entire MIB, returning each parameter and value.
19. C. The svUsrTable contains Windows 2000 account names, but not passwords.
20. A. The four are: Request ID, Error Status, Error Index, and Object Identifier.
Chapter 9
IPv6—Internals and IPv4 Comparison
CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER: Define and use IPv6 address architecture
Our discussions of SNMP earlier in the book included important elements of the protocol’s evolution and descriptions of industry implementations. Similarly, as SNMPv3 compares to SNMPv1, the latest and most useful version of IP, IPv6, has not been widely deployed, while IPv4 continues to be the most common version of Internet Protocol. To properly administer the TCP/IP suite, you must understand the future of the Internet Protocol (IP). This chapter will explain the next version of IP, called IP version 6. The IPv6 overhaul affects many aspects of IP, including addressing, administration, network management, security, and routing. This chapter will focus on the shortcomings of IPv4, the history of IPv6, and an in-depth view of the similarities and differences between IPv4 and IPv6.
Introduction to IPv6
With the popularity of the Internet growing at an exponential rate, the current addressing scheme is in danger of running out of IP addresses. It is also creating unmanageable routing tables for the Internet’s backbone routers. IPv6 addresses these problems and will allow the Internet to function for generations. IPv6 tackles addressing and routing-table problems, and improves the protocol as well. For example, the IPv6 header has been simplified, which makes it more efficient and less demanding of administrative overhead.
The new version of IP should logically be version 5 instead of version 6. However, the version number 5 has been allocated to ST. ST is an experimental “stream” protocol that was created to carry real-time services in parallel with IP.
The Need for IPv6
The IPv4 Internet has approximately 4 billion unique IP addresses available for use, including those reserved by certain organizations and companies. At the current rate of address consumption, all addresses will be distributed sometime between the years 2005 and 2015. Some would assume that the effectiveness of using private IP ranges internally, combined with IP masquerading and Network Address Translation (NAT) at Internet gateways, mitigates this shortage. These factors do not eliminate the problem, but only postpone it.
In addition to running out of addresses, the need for a new Internet protocol results from the inadequacy of routing tables. This is not a problem for most organizations, which usually use default gateways for routing traffic to external destinations. However, it is a problem for the Internet’s backbone routers, which must keep the addresses for all networks on the Internet. As more and more companies get online, the backbone routing tables are growing at increasing rates and becoming unmanageable.
Methodology for Determining Required Number of IP Addresses
To determine the number of IP addresses needed in the future, the following methodology was used. As computers become more prevalent in modern-day life, it is likely that every person will have more than one computer. Assuming that technology continues to increase at the same rate, computers will begin to appear in our lives in places we have yet to imagine. For example, your car will be connected directly to the Internet so it can download road maps for the area in which you are driving. Therefore, your car will need an IP address. It is also possible that all your modern appliances will be connected to the Internet. You might be able to start cooking dinner from your office by accessing your stove directly over the Internet. These ideas may seem far-fetched, but when determining a new addressing scheme, these factors must be considered. It would be safe to assume that every person would then need 100 to 200 IP addresses. Estimating that the earth’s population may be 10 billion in the year 2020, that works out to 2 to 4 trillion addresses.
History of IPv6
The name initially given to the next version of IP was IP Next Generation, or IPng. In 1992, the Internet Society (ISOC) met to discuss possible solutions to the Internet’s addressing and routing table problems. A prime motivation for this discussion was the realization that the 32-bit IP address space was beginning to be used up, as unique IP addresses were being allocated at a startling rate. An attempt was made to revise the Connectionless Network Protocol (CLNP), which was part of the Open Systems Interconnection (OSI) model developed by the International Organization for Standardization (ISO). CLNP had been superseded during the initial development of the Internet Protocol (IP). However, it offered larger addresses and many felt it could be improved to fulfill the needs of the modern Internet. The CLNP draft was withdrawn during an Internet Engineering Task Force (IETF) meeting a few weeks later. This withdrawal led to a two-year period of competition. Each competing design group was organized and managed by the Internet Engineering Steering Group (IESG). A committee called the IPng Directorate was formed to choose the best IPng design candidate.
Candidates
The following section lists some of the early design candidates and each design’s highlights.
TCP and UDP over Bigger Addresses (TUBA)—RFC 1347
TUBA was the name given to the CLNP proposal. It uses 20-byte Network Service Access Point (NSAP) addresses, which allow for trillions of addresses. It also has an installed base because many protocols were designed with it, such as Intermediate System-to-Intermediate System (IS-IS), which is used for dynamic routing between routers. These protocols are already designed and implemented. Furthermore, TCP and UDP can easily run on top of CLNP. The TUBA counterarguments were that CLNP is limited and inefficient. During its development, a very robust but slow checksum was created. It did not use key ICMP elements or 32-bit word boundaries. It also lacked Internet Protocol improvements such as Mobile IP and multicast IP.
CATNIP—RFC 1707
CATNIP evolved from a protocol named TP/IX (RFC 1475) and proposed changing TCP at the same time as IP. It also proposed a new routing protocol that would speed packet processing. TP/IX evolved into CATNIP, which defined a packet format that would be compatible with IP, CLNP, and Novell IPX. The CATNIP proposal was incomplete at the time of the Directorate’s decision.
Simple Internet Protocol Plus (SIPP)—RFC 1710
SIPP evolved from Simple IP, or SIP. It proposed increasing IP addresses to 64 bits and removing obsolete IP features. The IP Option field would be replaced by encapsulation, which would create a fixed IP header length. SIP absorbed a proposal called Pip, which was an efficient routing technique based on routing directive lists. Pip also included support for IP improvements, such as Mobile IP. The goal was to keep Pip’s routing flexibility and SIP’s coding efficiency. The successful merge resulted in Simple IP Plus, or SIPP.
The Decision
The IPng Directorate took all the proposals into consideration and eventually chose SIPP as the basis for the new protocol. The Directorate published its first recommendation in July 1994. This decision is documented in RFC 1719. Many additional modifications went into the proposed SIPP protocol, particularly the address length. SIPP initially called for a 64-bit address that was later modified to a 128-bit address. The name was later changed to IPv6. The IPv6 specification is defined in RFC 2460.
IPv4 vs. IPv6: Key Differences
Three fundamental problems were identified with IPv4: the lack of available network addresses, the lack of host addresses, and the difficulty of managing backbone routing tables. The solutions to these problems are the key differences between IPv4 and IPv6, which can be identified by comparing the IPv4 and IPv6 headers. IPv6 increases the size of host addresses from 32 bits to 128 bits, increasing the IP address space from 2^32 to 2^128 unique IP addresses. Although you will learn that some of these addresses have specific uses, this is still a huge increase.
IPv4 Header
To understand IPv6, you must be familiar with IPv4. The IPv4 header has the following characteristics: It is 20 bytes in length (without options). It contains 10 fields of information and a source and destination address. The 10 fields account for 12 bytes of the 20-byte length. Figure 9.1 illustrates the IPv4 header.
FIGURE 9.1 IPv4 header (bit positions 0, 16, and 31 across each 32-bit word)
Word 1: Ver. | Hdr. Lth. | Service | Datagram Length
Word 2: Datagram Identification # | Flags | Fragment Offset
Word 3: TTL | Protocol | Header Checksum
Word 4: Source Address
Word 5: Destination Address
Word 6 onward: Options
The IPv4 header contains several important fields.
Version (four bits): Identifies the IP version. The current IP version is 4.
Header Length (four bits): Specifies the length of the IP packet header. Header length values are expressed as the number of 32-bit words in the header (usually five unless options are present).
Service (eight bits): Indicates reliability, precedence, delay, and throughput parameters. Also known as the Type of Service (TOS) field.
Datagram Length (16 bits): Defines the total datagram length, including the header, in bytes. The datagram length does not include the header used at the Network Access layer (e.g., Ethernet header).
Datagram ID Number (16 bits): Uniquely identifies a datagram using the source address, destination address, and user protocol.
Flags (three bits): Used for fragmentation and reassembly.
Fragment Offset (13 bits): Indicates where in the datagram this fragment belongs.
Time To Live (eight bits): Measured in one-second intervals, maximum of 255 seconds. Also known as the TTL field.
Protocol (eight bits): Defines the next protocol level to receive the data field at the destination. If the protocol field is set to 1, it is an ICMP packet; if 6, it is TCP; if 17, it is UDP.
Header Checksum (16 bits): Used for error detection. The checksum calculates only the IP header.
Source Address (32 bits): Identifies the IP address of the source system.
Destination Address (32 bits): Identifies the IP address of the final or destination system.
Options (variable length): Indicates optional information for the datagram, such as security, loose or strict source routing, error reporting, time stamping, and debugging.
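The field layout above can be checked against real bytes. The following is an added example, not code from the book: it decodes the IPv4 header fields and verifies the Header Checksum (the field IPv6 later removes). The sample header is constructed; the destination 192.168.3.1 and the identification value are assumptions.

```python
"""Decode an IPv4 header and verify its Header Checksum (added example)."""
import struct

# Protocol numbers named in the text
IPV4_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header.

    Over a header whose checksum field is zero this returns the value to store;
    over a received header it returns 0 exactly when the header is intact.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _dotted_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte header (no options) with a correct checksum (constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                   # version 4, header length 5 words
                      0,                      # Type of Service
                      20 + payload_len,       # Datagram Length includes the header
                      ident,
                      0x4000,                 # flags: Don't Fragment; offset 0
                      ttl, protocol,
                      0,                      # checksum placeholder
                      _dotted_to_bytes(src), _dotted_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields listed above and report whether the checksum holds."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4         # Header Length counts 32-bit words
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length %d" % header_len)
    if total_len < header_len:
        raise ValueError("Datagram Length smaller than the header")
    header = packet[:header_len]
    return {
        "version": version,
        "header_length": header_len,
        "tos": tos,
        "datagram_length": total_len,
        "payload_length": total_len - header_len,
        "identification": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": IPV4_PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(header) == 0,
        "source": ".".join(str(b) for b in src),
        "destination": ".".join(str(b) for b in dst),
        "options": header[20:],
    }


if __name__ == "__main__":
    # Constructed sample: a 100-byte TCP segment, as in the Payload Length discussion
    hdr = build_ipv4_header("192.168.3.11", "192.168.3.1", 6, 100)
    info = parse_ipv4_header(hdr + bytes(100))
    print(info["datagram_length"], info["payload_length"], info["checksum_ok"])
    damaged = bytearray(hdr)
    damaged[8] -= 1                           # TTL changed without recomputing the checksum
    print(parse_ipv4_header(bytes(damaged))["checksum_ok"])
```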
IPv6 Header
The IPv6 header has the following characteristics: It is 40 bytes in length (fixed). It contains six fields of information and a source and destination address. The six fields account for eight bytes of the 40-byte length. It is larger than the IPv4 header, but simpler and more compact. The IPv6 header will be discussed in more detail later in the chapter. The following section concentrates on the changes to IPv4.
IPv4 Removed Fields
One of the goals of IPv6 is to simplify the IP header. The simplification process can be summarized in four key points:
IPv6 assigns a fixed format for all IP headers.
IPv6 removes the header checksum.
IPv6 removes the hop-by-hop segmentation procedure.
IPv6 removes the Type of Service field.
Seven IPv4 fields were deemed obsolete during IPv6 development. The following section identifies each removed field and explains why it was retired.
Fixed Format for IP Headers
The IPv6 fixed header length and format make the following IPv4 fields obsolete.
Header Length field: No longer necessary because IPv6 headers are always 40 bytes.
Options field: No longer necessary because IPv6 uses separate extension headers after the IPv6 header. The extension headers provide many of the same services as the Options field.
No Header Checksum
IPv6 removes the Checksum field. Checksums are used to validate the integrity of a packet, header, file, and so forth. It may seem initially that this opens the door for corrupted packets; however, a significant gain in packet-processing speed occurs by removing this field. The problems that will arise from corrupted IP headers are very small because the packet itself is verified at different layers: the link layer checks each frame, and the TCP and UDP checksums in IPv6 are computed over a pseudo-header that includes the source and destination addresses. The topology over which the packets are traveling (Ethernet, ATM circuits, PPP links) will determine the types of checksums processed on the packets. By removing the header checksum, IPv6 speeds the processing and routing of packets.
No Hop-by-Hop Segmentation
Removing the hop-by-hop segmentation (fragmentation) procedure from the IP header makes the following IPv4 fields obsolete:
Datagram Identification Number field
Flags field
Fragment Offset field
In IPv4, these fields allow TCP/IP entities to send large packets over networks without considering whether or not the intermediate relays can handle the packet size. If the packet is too large, these fields enable routers to fragment the large packets and reassemble them at the receiving end. This procedure is convenient for the sender, but it requires routers to perform the fragmentation work, which degrades router performance. It also creates additional work when a fragment is lost: The entire packet—not just the fragment—must be resent.
IPv6 solves the fragmentation problem by allowing the sender to discover the maximum packet size that can be sent between the sender and receiver. This process is called Maximum Transmission Unit (MTU) Discovery and uses the ICMPv6 Packet Too Big message, which will be discussed in a later chapter. If senders do not implement the MTU Discovery procedures, they can simply send the smallest payload size allowed. Path MTU Discovery is defined in RFC 1981. If an IPv6 sender uses MTU Discovery and realizes it needs to transmit a packet that is larger than a network segment’s MTU, it will add an extension header called the Fragment header. The Fragment header enables the sender to fragment the large packets to meet the MTU requirements and the destination system to successfully reassemble the fragments. This process removes all fragmentation responsibility from the intermediate relays. The Fragment header is discussed later in this chapter.
No Type of Service Field
The last field removed from IPv4 is the Type of Service field. Normally, this field is used to set options for the widest, shortest, cheapest, or safest routes. However, most applications do not use this field, so it is removed from the IPv6 header. IPv6 has an elusive definition of flow. RFCs 1752 and 2460 state that this field allows labeling of packets belonging to particular flows for which the sender requests special handling, such as a non-default quality of service or real-time service. Just as the IPv4 TOS field has been rarely used, it is possible that handling of the IPv6 Flow Label may be implemented differently by different vendors.
IPv4 Revised Fields
In addition to simplifying the header, IPv6 renames and modifies some of the IPv4 fields to streamline its process.
Datagram Length field is changed to the Payload Length field.
Protocol field is changed to the Next Header field.
Time To Live (TTL) field is changed to the Hop Limit field.
Datagram Length Field → Payload Length Field
The IPv4 Datagram Length field is renamed the Payload Length field in IPv6. These fields are essentially the same: They indicate the size of the packet. In IPv4, the Datagram Length field includes the size of the IPv4 header as well as all the data appended to it. For example, if a client sends a TCP packet of 100 bytes, IPv4 appends a 20-byte IP header (no options). The Datagram Length field reports the entire packet length of 120 bytes. In IPv6, the Payload Length does not include the size of the IP header because all IPv6 headers have a fixed length of 40 bytes. The Payload Length field contains a 16-bit value, treated as an unsigned integer giving the number of bytes in the following IPv6 datagram, after the 40-byte packet header. Therefore, in the previous paragraph’s example of a client with a TCP packet of 100 bytes, the Payload Length field would report a packet size of 100 bytes when handled by IPv6 instead of IPv4.
Protocol Field → Next Header Field
The IPv4 Protocol field is renamed the Next Header field in IPv6. The Protocol field identifies the type of information that immediately follows the IP header. In IPv4, TCP and UDP data usually follows the IP header. However, in IPv6, an extension header (the Fragment header) may follow the IPv6 header instead of a Transport layer protocol. Therefore, a more generic name was needed to identify both extension headers and Transport layer protocols.
Time To Live (TTL) Field → Hop Limit Field
The IPv4 TTL field is renamed the Hop Limit field in IPv6. IPv4 uses the TTL field to ensure that old or useless packets do not endlessly route through the network. When a packet is created, it is normally given a TTL measured in seconds. However, most packets are routed in milliseconds instead of seconds, so most routers simply reduce the TTL by one second for every hop. The problem is that routers can queue a packet for an undetermined amount of time. If a packet sits on a router for a few seconds, its TTL is significantly reduced from one hop, which could prevent the packet from reaching its final destination. The Hop Limit field works on the same principle as TTL, except that it measures hops instead of seconds. If an IPv6 packet is queued at a router, its hop limit count will only be reduced by one, regardless of how long the packet is queued.
IPv6 New Fields
Two new fields are created for the IPv6 header. These fields are called Flow Label and Class, and are used primarily for handling real-time traffic. Real-time traffic is still being researched, and very few standards have been created on the subject.
Flow Label field: Used by the sender to label packets that require special handling by IPv6 routers. It will eventually be used for real-time service and non-default quality of service. The field is set to zero when the source host or router does not support the Flow Label field’s functions. It is specified in RFC 1809, Using the Flow Label Field in IPv6.
Class field: Used by the sender and/or forwarding routers to prioritize IPv6 packets. The Class field will identify and distinguish IPv6 packets between different classes. It is also called the Traffic Class field.
The header fields that are removed, renamed, or created in the IPv6 header are listed in Table 9.1. Only one header field, referenced above but not in the table below, does not change between IPv4 and IPv6—the version field.
TABLE 9.1 IPv4 to IPv6 Header Changes
Removed IPv4 Fields          Revised IPv4 Fields                 New IPv6 Fields
Header Length                Datagram Length → Payload Length    Flow Label
Options                      Protocol → Next Header              Class
Checksum                     Time To Live (TTL) → Hop Limit
Data Identification Number
Flags
Fragment Offset
Type of Service
EXERCISE 9.1
Capturing IPv4 packets for comparison with IPv6 In this exercise, you will install Network Monitor for Windows 2000 and capture IPv4 packets. If you have already installed Network Monitor, skip the installation section and start at Step 4. You will use Network Monitor for the remainder of the book.
1. To add the Network Monitor, select Start > Settings > Control Panel > Add/Remove Programs. Click Add/Remove Windows Components from the left-hand menu. The Windows Components Wizard opens.
2. Scroll down and highlight Management And Monitoring Tools and click the Details button. Select the Network Monitor Tools and select OK.
3. Click the Next button. The Network Monitor Tools install. When the Wizard is complete, click Finish. Select the Close button to exit the Add/Remove Programs window. No restart is required. Network Monitor is installed.
4. Open Network Monitor.
5. Select the Capture menu and choose Start.
6. Minimize Network Monitor.
7. Open the command prompt. Enter the following: ping [SystemA IPv4 address]
8. Maximize Network Monitor.
9. After the transmission is complete, select the Capture menu and choose Stop and View. Network Monitor will display the packets captured in the connectivity test.
10. Save the file as IPv4ping.cap and close it. A sample IPv4ping.cap file is located on the CD-ROM that accompanies the book. Minimize Network Monitor. You will compare this capture with an IPv6 capture later in the chapter.
Although we’ve reviewed some key elements of IPv6, now you will further study the functions of IPv6 by exploring the IPv6 header in detail. Because the IPv6 header is a fixed length without an Options field, IPv6 completes the same IPv4 Options field tasks with extension headers. Extension headers are often not used; thus IPv6 can run more efficiently. A close look at the IPv6 extension headers will help you understand their functions. You will then download and install the IPv6 stack for Windows 2000, capture IPv6 packets, analyze them, and compare them with IPv4 packets.
IPv6 Header in Detail
The header is the main focus of IPv6. It contains all the addressing and control information for the data packet. The header consists of six fields and the source and destination addresses. The header is 40 bytes long: The fields use eight bytes and the address information uses 32 bytes. The IPv6 specifications are defined in RFC 2460. Figure 9.2 illustrates the IPv6 header.
FIGURE 9.2 IPv6 header (bit positions 0, 16, and 31 across each 32-bit word)
Word 1: Ver. | Class | Flow Label
Word 2: Payload Length | Next Header | Hop Limit
Words 3 to 6: Source Address (128 bits)
Words 7 to 10: Destination Address (128 bits)
The IPv6 header contains several important fields.
Version (four bits): Identifies the IP version (in this case, version 6).
Class (eight bits): Identifies the priority of a packet; for use in real-time traffic.
Flow Label (20 bits): Used to address a series of packets; for use in real-time traffic.
Payload Length (16 bits): Defines the length of the packet, not including the IP header. The packet length does not include the header used at the Network Access layer (e.g., Ethernet header).
Next Header (eight bits): Identifies the information following the IP header. Normally, transport protocols (e.g., TCP or UDP) follow the IP header; IPv6 can insert a series of extension headers between the IP header and the transport protocol header.
Hop Limit (eight bits): Determines the number of hops the packet can travel before being discarded. The default hop limit is 255. This field is decremented by one by each router that forwards the datagram.
Source Address (128 bits): Identifies the IP address of the source system.
Destination Address (128 bits): Identifies the IP address of the final or destination system.
IPv6 Extension Headers
One of the objectives of IPv6 is to provide additional options for special-case packets. This concept is not new; IPv4 includes an Options field after the IP header. The IPv4 options include specifications for security, source routing, recording, and time-stamping. However, these options are rarely used because additional packet processing is required, and this added routing significantly affects performance. IPv6 handles these types of options with extension headers. Extension headers are located after the IP header and before the data payload. They are similar to IPv4 options, yet they do not require a significant amount of additional processing. The extension headers are defined in RFC 2460. Different types of extension headers can be used to provide several options, ranging from source routing to security. All extension headers have one common field: the Next Header field. The IPv6 Next Header field identifies the extension header that directly follows the IP header. A packet can contain more than one extension header, but extension headers are not required. The following section will cover the Hop-by-Hop, Destination Options, Routing, and Fragment extension headers. The Authentication and Encrypted Security Payload (ESP) extension headers will be covered in Chapter 10, “IPv6 Address Architecture, Routing, and Security.”
Hop-by-Hop Extension Header
The Hop-by-Hop extension header is used to pass optional information to all nodes along a packet’s delivery path. It is given the value 0 in the preceding header’s Next Header field. Figure 9.3 illustrates the Hop-by-Hop extension header.
FIGURE 9.3 Hop-by-Hop extension header: Next Header | Hdr. Ext. Length | Options
The Hop-by-Hop extension header contains several fields.
Next Header (eight bits): Identifies the header that follows the current header.
Header Extension Length (eight bits): Identifies the length of the header.
Options (variable length): Used to pass specific instructions and information to the intermediate nodes. It contains one or more type-length-value (TLV) options. TLV options are discussed in Section 4.2 of RFC 2460.
Destination Options Extension Header
The Destination Options extension header passes additional parameters to the destination system. This header does not need to be processed by intermediate relays. It is given the value of 60 in the preceding header’s Next Header field. Figure 9.4 illustrates the Destination Options extension header.
FIGURE 9.4 Destination Options extension header: Next Header | Hdr. Ext. Length | Options
The Destination Options extension header contains three fields.
Next Header (eight bits): Identifies the header that follows the current header.
Header Extension Length (eight bits): Identifies the length of the header.
Options (variable length): Used to pass specific instructions and information to the destination host. Similar to the Hop-by-Hop extension header, it contains one or more type-length-value (TLV) options. TLV options are discussed in Section 4.2 of RFC 2460.
Routing Extension Header
The Routing extension header is used to specify routes for a packet. It lists one or more intermediate relays through which the packet must be routed on its way to the destination node. The IPv4 Loose Source and Record Route options are similar to the IPv6 Routing extension header. The Routing extension header is given the value of 43 in the preceding header’s Next Header field. Figure 9.5 illustrates a Routing extension header with the routing type of 0 (standard).
FIGURE 9.5 Routing extension header (bit positions 0, 16, and 31 across each 32-bit word)
Word 1: Next Header | Hdr. Ext. Length | Routing Type = 0 | Segments Left
Word 2: Reserved
Words 3 to 6: Address (1)
Words 7 to 10: Address (2)
The Routing extension header contains several fields.
Next Header (eight bits): Identifies the header that follows the current header.
Header Extension Length (eight bits): Identifies the length of the header.
Routing Type (eight bits): Identifies the routing type, set to 0.
Segments Left (eight bits): Specifies the number of segments left in the route list. The value can range from 0 to 23.
Reserved (32 bits): Initially intended for use in the first specification of IPv6. This field was difficult to implement, so it is now set to 0.
Addresses (128 bits each): Specifies the addresses to be used for the static route. In this example, only two addresses are listed, but as many addresses as necessary can be listed to determine the specific route.
Fragment Extension Header
The Fragment extension header divides packets that are larger than the MTU. As we discussed in the preceding section, the IPv6 header no longer fragments packets. Packets that are larger than the MTU are now handled by the sending systems, not the intermediate routers. IPv4 relies on the routers to fragment packets, thus allowing the sending system to send packets of any size. IPv6 requires the sending system to handle its own packet fragmentation using the Fragment extension header. It is given the value of 44 in the preceding header’s Next Header field. Figure 9.6 illustrates the Fragment extension header.
FIGURE 9.6 Fragment extension header (bit positions 0, 16, and 31 across each 32-bit word)
Word 1: Next Header | Reserved | Fragment Offset | Res | M
Word 2: Identification
The Fragment extension header contains several fields.
Next Header (eight bits): Identifies the header that follows the current header.
Reserved (eight bits): Reserved for future use.
Fragment Offset (13 bits): Identical to the IPv4 Fragment Offset field.
RES (two bits): Reserved for future use.
M (one bit): Specifies whether more fragments will follow.
Identification (32 bits): Uniquely identifies each IP packet.
IPv6 Extension Header Order
An IPv6 packet need not contain every extension header, or even a single extension header. If a packet does contain one or more extension headers, they should be placed in a specific order. Extension headers are processed in the order received. For example, the first header is normally the Destination header. An intermediate relay (in other words, a router) processes the IP header and then determines for which node the Destination header is intended. If the header is intended for the final destination, the intermediate router will not process the packet but will simply forward the packet.
The recommended order for extension headers, including the IPv6 header, is:
1. IPv6 header
2. Hop-by-Hop extension header
3. Destination Options extension header (first)
4. Routing extension header (type 0)
5. Fragment extension header
6. Authentication extension header
7. Encrypted Security Payload extension header
8. Destination Options extension header (second)
9. Upper-layer header (payload)
The Destination Options header is listed twice because the placement of the Destination Options header depends on the option type identified within the extension header. The first Destination Options header is used for option types that will pass information to the destination IPv6 address, as well as to the following addresses listed in the Routing extension header. The second Destination Options header is used for option types that must be processed only by the final destination.
Figure 9.7 illustrates how extension headers can be daisy-chained.
FIGURE 9.7 Extension header daisy-chain format
IPv6 Header (Next Header = TCP) | TCP Header + Data
IPv6 Header (Next Header = Routing) | Routing Header (Next Header = TCP) | TCP Header + Data
IPv6 Header (Next Header = Routing) | Routing Header (Next Header = Fragment) | Fragment Header (Next Header = TCP) | TCP Header + Data
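The daisy chain in Figure 9.7 is exactly what a receiver or packet analyzer walks: read the fixed header, then follow each Next Header value until an upper-layer protocol is reached. The following is an added example, not code from the book: it decodes the IPv6 header fields described earlier, walks the Hop-by-Hop, Destination Options, Routing, and Fragment headers, checks the chain against the recommended order above, and rejects packets whose Payload Length or extension headers run past the bytes actually present. The sample packet reproduces the third chain of Figure 9.7; the 2001:db8:: addresses and the identification value are constructed.

```python
"""Decode an IPv6 header and follow its extension-header chain (added example)."""
import ipaddress
import struct

# Next Header values given in the text for the extension headers parsed here
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXTENSION_NAMES = {HOP_BY_HOP: "Hop-by-Hop", DEST_OPTS: "Destination Options",
                   ROUTING: "Routing", FRAGMENT: "Fragment"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
# Position in the recommended order (Authentication and ESP are not parsed here)
ORDER_RANK = {HOP_BY_HOP: 1, DEST_OPTS: 2, ROUTING: 3, FRAGMENT: 4}


def in_recommended_order(codes: list) -> bool:
    """True when the extension headers appear in the order the text recommends.

    A Destination Options header that follows Routing or Fragment is taken as
    the second (final-destination) instance, which the order allows.
    """
    ranks = [ORDER_RANK[c] for c in codes]
    if len(ranks) >= 2 and codes[-1] == DEST_OPTS and ranks[-2] > ORDER_RANK[DEST_OPTS]:
        ranks[-1] = 7
    return all(a < b for a, b in zip(ranks, ranks[1:]))


def parse_ipv6_packet(packet: bytes) -> dict:
    """Decode the 40-byte header, then walk the Next Header chain."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit, src, dst = struct.unpack(
        "!IHBB16s16s", packet[:40])
    version = word0 >> 28
    if version != 6:
        raise ValueError("not IPv6 (version %d)" % version)
    end = 40 + payload_len                    # Payload Length excludes the fixed header
    if end > len(packet):
        raise ValueError("Payload Length exceeds the bytes present")
    chain, offset = [], 40
    while next_hdr in EXTENSION_NAMES:
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        entry = {"code": next_hdr, "name": EXTENSION_NAMES[next_hdr]}
        if next_hdr == FRAGMENT:              # fixed 8 bytes; no Hdr Ext Len field
            nh, _res, off_flags, ident = struct.unpack("!BBHI", packet[offset:offset + 8])
            entry.update(fragment_offset=off_flags >> 3, more_fragments=off_flags & 1,
                         identification=ident)
            ext_len = 8
        else:                                 # Hdr Ext Len = 8-byte units after the first 8
            nh, hdr_ext_len = packet[offset], packet[offset + 1]
            ext_len = (hdr_ext_len + 1) * 8
            if next_hdr == ROUTING:
                entry.update(routing_type=packet[offset + 2],
                             segments_left=packet[offset + 3])
        if offset + ext_len > end:
            raise ValueError("extension header runs past the payload")
        entry["length"] = ext_len
        chain.append(entry)
        offset += ext_len
        next_hdr = nh
    return {
        "version": version,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(src)),
        "destination": str(ipaddress.IPv6Address(dst)),
        "extension_headers": chain,
        "ordered": in_recommended_order([e["code"] for e in chain]),
        "upper_layer": UPPER_LAYER.get(next_hdr, str(next_hdr)),
        "upper_layer_offset": offset,
    }


def build_sample_packet() -> bytes:
    """Constructed packet for the third chain in Figure 9.7:
    IPv6 header -> Routing (type 0, one address) -> Fragment -> TCP."""
    tcp_segment = bytes(20)                   # stand-in for "TCP Header + Data"
    fragment = struct.pack("!BBHI", 6, 0, (0 << 3) | 1, 0xABCD)  # next=TCP, offset 0, M=1
    routing = struct.pack("!BBBBI16s", FRAGMENT, 2, 0, 1, 0,     # next=Fragment, 2 units, type 0
                          ipaddress.IPv6Address("2001:db8::1").packed)
    payload = routing + fragment + tcp_segment
    word0 = (6 << 28) | (0 << 20) | 0         # version 6, Class 0, Flow Label 0
    header = struct.pack("!IHBB16s16s", word0, len(payload), ROUTING, 255,
                         ipaddress.IPv6Address("fe80::280:5fff:fee2:dd33").packed,
                         ipaddress.IPv6Address("2001:db8::2").packed)
    return header + payload


if __name__ == "__main__":
    info = parse_ipv6_packet(build_sample_packet())
    print([e["name"] for e in info["extension_headers"]], "->", info["upper_layer"])
```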
Windows 2000 and IPv6
Windows 2000 supports a limited version of IPv6, available for download at the Microsoft Research (MSR) site. You will download, install, and experiment with the basic IPv6 utilities supported by the MSR release. The IPv6 download also includes a parser for Network Monitor that enables IPv6 packet sniffing. This utility requires a separate installation but is included in the MSR release.
IPv6 Utilities
Many IPv4 utilities work similarly with IPv6. Table 9.2 lists several utilities available with the MSR download.
TABLE 9.2 IPv6 Utilities
IPv6 Utility    Options
ipv6            if [ifindex]—interface configuration
                nc [ifindex [address]]—neighbor cache
                rc [ifindex address]—route cache
ping6           -t—ping the destination repeatedly
                -a—resolve addresses to host names
                -n [count]—number of echo requests to send
                -l [size]—send buffer size
                -w [timeout]—timeout (in milliseconds) to wait for replies
                -s [srcaddr]—source address (required for link-local destinations)
tracert6        -d—do not resolve addresses to host names
                -h [maximum hops]—maximum number of hops to search for destination
                -w [timeout]—wait timeout (in milliseconds) for each reply
                -s [srcaddr]—identify source address to use
ttcp            Transaction/Transmission Control Protocol (T/TCP): a modification of TCP used for client/server transactions. Speeds up transactions by avoiding three-way handshakes and shortening the TIME_WAIT state.
                Two types:
                ttcp -t [options] host—incoming packets
                ttcp -r [options]—outbound packets
                Common options:
                -u—utilize UDP instead of TCP
                -p##—specify port number to send or listen
                -l ##—specify length of buffers written or read from the network
EXERCISE 9.2
Installing the IPv6 stack for Windows 2000 In this exercise, you will locate, download, and install the Windows 2000 IPv6 stack. The IPv6 stack is to be used for educational and testing purposes only. The MSR IPv6 stack runs separately from the IPv4 stack, and these exercises will not interfere with normal IPv4 operations or configurations.
Tech Note: This exercise was written using MSR IPv6 release 1.4. If a more recent download exists, download it and access the readme.txt file. Modify the installation sections as needed.
1. Access the Microsoft Research IPv6 binary file (msripv6-bin-1.4.exe) from the supplemental disk and save it to your desktop. You can also download the IPv6 binary from the Microsoft Research site at http://www.research.microsoft.com/msripv6/.
2. Double-click the EXE file. The WinZip Self-Extractor will open. Select the Unzip button and accept the default location of \ipv6kit. The source files will be extracted to the C:\ipv6kit folder. Click Close.
3. Right-click My Network Places and select Properties. Right-click Local Area Connection and select Properties. Click the Install button and select Protocol. Click Add and the Have Disk button.
4. Enter the path of the extracted IPv6 files: \ipv6kit
5. The Select Network Protocol window will appear with MSR IPv6 Protocol highlighted. Select OK. After installation is complete, the MSR IPv6 Protocol will appear in the General tab in the Components Checked Are Used By This Connection field.
6. Click the Close button. Exit the Network and Dial-up Connections window.
7. Open the command prompt and enter:
ipv6 if
This command will display the IPv6 interface configurations for your computer. Because MSR IPv6 uses stateless address autoconfiguration, the computer is configured automatically (you will learn about address autoconfiguration later in this book). Your screen should resemble the example below.
Interface 4 identifies the link-level address (the hardware address) of the computer: 00-80-5f-e2-dd-33. The IPv6 address is identified by the Interface 4 preferred address, which is: fe80::280:5fff:fee2:dd33. Interface 3 indicates the IPv4 address, which is 192.168.3.11.
8. Note the hardware and IPv6 addresses for your computer.
9. Leave the Command Prompt window open.
EXERCISE 9.3
Installing the IPv6 parsers for Network Monitor In this exercise, you will install the IPv6 parsers for the Windows 2000 Network Monitor. These parsers enable Network Monitor to decipher IPv6 packets. You downloaded the parser files during the MSR IPv6 binary download.
1. At the command prompt, access the directory for the IPv6 parsers install files by entering:
cd \ipv6kit\netmon
2. In the c:\ipv6kit\netmon directory, run the setup command and specify the location of the actual Windows 2000 Network Monitor files. Enter:
c:\ipv6kit\netmon>setup c:\winnt\system32\netmon
The following files are replaced: parser.ini, mac.ini, netmon.ini, tcpip.dll, and tcpip.ini. Two new files are added: tcpip6.dll and tcpip6.ini. To learn more about these files, access the readme.txt file in the ipv6kit folder.
3. Minimize the command prompt.
Linux and IPv6
The Linux 2.2.14-5.0 kernel and later allow users to reconfigure the kernel to support IPv6. Reconfiguring the kernel manually is beyond the scope of this book, but many current versions of Linux include support for IPv6. Some distributions that are known to support IPv6 are Red Hat 6.2 and 7.x, Debian, SuSE 7.1 and newer, and Mandrake 8.x. Here are some commands that you can use to test whether IPv6 support is already included on your Linux system. Use the uname command to determine kernel version, shown in bold.

# uname -a
Linux sixer.sy.net 2.2.15-2.5.0 #1 Sat Feb 5 00:13:43 EST 2000 i586 unknown

If your Linux system is connected to the Internet, you should upgrade the kernel to 2.2.19 or to the latest 2.4 kernel, available at ftp.kernel.org. Look for IPv6 utilities in /usr/sbin.

# ls /usr/sbin |grep 6
ping6
tracepath6
traceroute6

Once the kernel is reconfigured, you must ensure that your applications support IPv6. Then you must create IPv6 network configuration files and script files so you can set up IPv6 connections. If you are interested in implementing IPv6 with Linux, visit www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html.

If you are interested in upgrading an older Linux kernel to one that supports IPv6, visit www.kernel.org and download the latest Linux 2.2.x or 2.4.y kernel. Instructions for installing the kernel are also found at www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html.
EXERCISE 9.4
Capturing IPv6 packets for comparison with IPv4 In this exercise, you will use Network Monitor with Windows 2000, System B, to capture IPv6 network packets. These packets will be compared with the IPv4 packets you captured in Exercise 9.1. Use the ping6 command from System A if your version of Linux has it installed, or use a second Windows 2000 system to ping System B.
1. Note System A's IPv6 address (Interface 4 preferred address).
2. Open Network Monitor.
3. Select the Capture menu and choose Start.
4. Minimize Network Monitor.
5. To generate IPv6 packets, maximize the command prompt and enter:
ping6 [SystemA IPv6 address]
If you are performing the ping6 from Windows, your screen will resemble the one shown below.
6. Maximize Network Monitor.
7. After the transmission is complete, select the Capture menu and choose Stop and View. Network Monitor will display the packets captured in the connectivity test.
8. Double-click the first ICMP6 Echo Request or Echo Reply packet. Expand the IP6 header. Your screen should resemble the one below.
9. Save the file as IPv6ping.cap. A sample IPv6ping.cap file is located in the supplemental CD. Leave the file open.
10. Open IPv4ping.cap, the file created earlier in the chapter. If you do not have access to two IPv6 systems, examine the sample files located on the supplemental CD. Double-click the first ICMP packet. Your screen should resemble the one below.
11. Take a few minutes to compare the IPv4ping.cap file with the IPv6ping.cap file. When you are finished, note the length of the IPv4 and IPv6 headers.
12. Also note the total length of the IPv4 packet, and the payload length (from the header value) of the IPv6 packet, as well as the total length of the IPv6 packet.
13. Compare your IPv6 address with your Ethernet (hardware) address, and consider how this could ensure unique IP addresses globally.
Summary
In this chapter, you studied the problems facing IPv4: network and host address shortages and unmanageable routing tables. Even in today's fast-paced, technology-centric workplace, history is important, and avoiding a repeat of the errors of (sometimes recent) history is one aspect of the breadth of knowledge expected of an internetworking professional.

You learned about the history of IPv6 and how it compares with IPv4. For example, IPv6 is a more efficient, simplified protocol that requires fewer header fields. You learned why each field was changed in the IPv6 development process, and became aware of some similarities and differences tied to field changes. You also discovered solutions that IPv6 provides, including 128-bit addresses, MTU discovery, and extension headers.

You studied the IPv6 header and its extension headers in detail, including extension header order. You reviewed the functions of the Hop-by-Hop, Destination Options, Routing, and Fragment extension headers, and you learned how they will streamline routing. You also studied the recommended extension header order, an important element of IPv6.

You installed IPv6 on Windows 2000, examined your Linux system to determine existing IPv6 functionality, and installed the Windows 2000 Network Monitor parsers. Finally, you captured IPv4 packets and IPv6 packets and compared them. Remember that examining packets at this level may not be a common task for an internetworking professional, but the skill and detailed knowledge of functionality at this level is expected.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
Connectionless Network Protocol (CLNP)
Simple Internet Protocol Plus (SIPP)
IP Next Generation
type-length-value (TLV)
Exam Essentials

Be able to describe the need for IPv6. The main factor driving IPv6 development is the ongoing depletion of available IPv4 addresses, as more and more devices use an Internet address. Another factor is overburdened routers, with overflowing routing tables, and the processing overhead of fragmenting packets if a destination or intermediate network has a smaller MTU.

Be able to compare and contrast the IPv4 and IPv6 headers. IPv4 has a 20-byte header with 10 fields, plus source and destination address, and additional option fields, resulting in a header of variable length. IPv6 has a fixed-length header, 40 bytes in length, with six fields and a source and destination address, and the possibility of using extended headers. The only field that is identical in both headers is Version.

Identify removed, revised, and new header fields in IPv6. IPv6 removes the Header Length, Options, Checksum, Data Identification Number, Flags, Fragment Offset, and Type of Service fields. The IPv4 Datagram field becomes Payload Length in IPv6, Protocol becomes Next Header, and Time To Live (TTL) becomes Hop Limit. New fields in IPv6 are the Flow Label and Class fields.

Know each IPv6 header field and its function. There are six IPv6 header fields. The Version field identifies the IP version. The Class field identifies the priority of a packet. The Flow Label field is used to address a series of packets. The Payload Length field defines the length of the packet, not including the header. The Next Header field identifies information following the IP header—e.g., TCP, UDP, or extension header. The Hop Limit field determines the number of hops a packet can travel before being discarded. Source and Destination Address fields are each 128 bits and complete the header.

Be familiar with IPv6 extension header types. There are five IPv6 extension header types: Hop-by-Hop, Destination Options, Routing, Fragment, Authentication, and Encrypted Security Payload.

Be able to describe Hop-by-Hop, Destination Options, Routing, and Fragment extension headers. The Hop-by-Hop extension header contains Next Header, Header Extension Length, and Options fields, and is used to pass instructions to intermediate nodes. The Destination Options extension header also contains Next Header, Header Extension Length, and Options fields, and is used to pass instructions to the destination host. The Routing extension header contains six fields—Next Header, Header Extension Length, Routing Type, Segments Left, Reserved, and Addresses—and specifies addresses to be used for a static route. The Fragment extension header also contains six fields—Next Header, Reserved, Fragment Offset, RES, M (more), and Identification—fields used to identify packet fragments for reassembly at their destination.

Understand how IPv6 extension header types affect routing performance. IPv6 extension headers typically offer better performance from routers, because routers do not need to perform fragmentation. Similar to IPv4, if security and routing options are used, there is slightly more processing overhead for routers, but if these extension headers are not used, IPv6 is more efficient.

Identify IPv6 extension header order and explain its significance. Extension headers are processed in the order that they are received. If a router encounters an extension header that is intended for the final destination, the router will stop processing headers and simply forward the packet. Extension headers should be in the following order: IPv6, Hop-by-Hop, Destination Options (first), Routing, Fragment, Authentication, Encrypted Security Payload, Destination Options (second), followed by an Upper-layer header, indicating payload.

Be able to compare and contrast IPv4 packets with IPv6 packets. IPv4 packets have shorter headers than IPv6, but the header length varies more with IPv4. IPv6 packets have the longer 128-bit address fields for both source and destination, which includes hardware address. Payloads of both IPv4 and IPv6 are identical, for identical connections.
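An added example, not from the study guide or the MSR release, that decodes the fixed 40-byte IPv6 header and walks the extension-header chain using the Next Header values given in this chapter (0 Hop-by-Hop, 43 Routing, 44 Fragment, 60 Destination Options), then reports the header, payload, and total lengths that Exercise 9.4 asks you to note. The sample packet is constructed for the example: only the link-local source address comes from Exercise 9.2; the destination, the Fragment Identification, and the zero ICMPv6 checksum are made up.

```python
# Added example, not from the study guide: decode the fixed IPv6 header and
# follow Next Header through the extension headers to the upper-layer
# protocol. The sample packet is constructed here for illustration.
import struct
from ipaddress import IPv6Address

EXTENSION_NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
                   60: "Destination Options"}
UPPER_LAYER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
IPV6_HEADER_LEN = 40      # fixed length; an IPv4 header is 20 bytes plus options


def parse_fixed_header(packet: bytes) -> dict:
    """Split the six IPv6 header fields plus source and destination address."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack(
        "!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"Version field is {version}, not 6")
    return {
        "version": version,
        "class": (first_word >> 20) & 0xFF,      # 8-bit priority field
        "flow_label": first_word & 0xFFFFF,      # 20 bits
        "payload_length": payload_length,        # excludes the 40-byte header
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": str(IPv6Address(packet[8:24])),
        "destination": str(IPv6Address(packet[24:40])),
    }


def walk_extension_headers(packet: bytes) -> tuple:
    """Follow Next Header from the fixed header through each extension header.

    Returns (fixed_header, chain, upper_layer_protocol, payload_offset).
    """
    fixed = parse_fixed_header(packet)
    offset = IPV6_HEADER_LEN
    next_header = fixed["next_header"]
    chain = []
    while next_header in EXTENSION_NAMES:
        if offset + 8 > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        if next_header == 44:
            # Fragment header is always 8 bytes: Next Header, Reserved,
            # Fragment Offset (13 bits) + RES (2 bits) + M (1 bit), Identification.
            nh, _reserved, offset_flags, ident = struct.unpack(
                "!BBHI", packet[offset:offset + 8])
            chain.append({"type": "Fragment", "length": 8,
                          "fragment_offset": offset_flags >> 3,
                          "more_fragments": offset_flags & 1,
                          "identification": ident})
            offset += 8
        else:
            # Hop-by-Hop, Destination Options and Routing share a layout:
            # Next Header, then Header Extension Length in 8-byte units,
            # not counting the first 8 bytes.
            nh, ext_len = packet[offset], packet[offset + 1]
            length = (ext_len + 1) * 8
            chain.append({"type": EXTENSION_NAMES[next_header], "length": length})
            offset += length
        next_header = nh
    return fixed, chain, next_header, offset


def summarize(packet: bytes) -> dict:
    """Report the lengths Exercise 9.4 asks you to note, and check that the
    Payload Length field agrees with the bytes actually present."""
    fixed, chain, upper, payload_offset = walk_extension_headers(packet)
    return {
        "header_length": IPV6_HEADER_LEN,
        "payload_length": fixed["payload_length"],
        "total_length": len(packet),
        "extension_headers": [h["type"] for h in chain],
        "upper_layer": UPPER_LAYER_NAMES.get(upper, str(upper)),
        "upper_layer_offset": payload_offset,
        "length_consistent": len(packet) == IPV6_HEADER_LEN + fixed["payload_length"],
    }


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 + Hop-by-Hop + Fragment + ICMPv6 Echo Request."""
    hop_by_hop = bytes([44, 0, 1, 4, 0, 0, 0, 0])   # NH=Fragment; PadN option fills 6 bytes
    fragment = struct.pack("!BBHI", 58, 0, 0x0001, 0x12345678)  # NH=ICMPv6, offset 0, M=1
    echo_request = struct.pack("!BBHHH", 128, 0, 0, 1, 1)       # checksum left zero (constructed)
    payload = hop_by_hop + fragment + echo_request
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64)  # NH=0 (Hop-by-Hop), Hop Limit 64
    src = IPv6Address("fe80::280:5fff:fee2:dd33").packed        # link-local address from Exercise 9.2
    dst = IPv6Address("fe80::1").packed                         # constructed destination
    return fixed + src + dst + payload


if __name__ == "__main__":
    for key, value in summarize(build_sample_packet()).items():
        print(f"{key}: {value}")
```

A captured packet whose Payload Length disagrees with the bytes on the wire fails the length_consistent check, which is the kind of malformed header a capture tool should flag rather than silently decode.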
Review Questions

1. In addition to running out of unique IP addresses, the need for a new Internet protocol results from:
A. The inefficiency of IP compared with CLNP.
B. The dwindling need for multicast IP and Mobile IP.
C. The growing lack of network support for 128-bit addresses.
D. The inadequacy of routing tables.

2. What was the goal of Pip?
A. Pip was designed to use 20-byte Network Service Access Point addresses.
B. Pip was developed as an efficient routing technique based on routing directive lists.
C. Pip was designed to run on top of CLNP.
D. Pip was expected to handle 128-bit addresses.

3. Which of the following IPv4 fields has been revised because IPv6 headers are a fixed length?
A. The Datagram Length field
B. The Protocol field
C. The Time To Live field
D. The Fragment Offset field

4. Which of the following characteristics describes a change to the IPv6 header from the IPv4 header?
A. IPv6 removes the headers related to the hop-by-hop segmentation procedure.
B. IPv6 adds a Header Checksum field.
C. IPv6 uses a variable format for all IP headers.
D. IPv6 adds a Type of Service field.

5. What is the function of the Class field in the IPv6 header?
A. It is used by the sender to label packets that require special handling by IPv6 routers.
B. It is used by the sender to prioritize IPv6 packets.
C. It ensures that old or useless packets do not endlessly route through the network.
D. It enables the sender to fragment large packets to meet MTU requirements.

6. Which of the following accurately describes the IPv6 header?
A. The header is 36 bytes long: The fields use six bytes and the address information uses 30 bytes.
B. The header is 44 bytes long: The fields use eight bytes and the address information uses 36 bytes.
C. The header is 40 bytes long: The fields use eight bytes and the address information uses 32 bytes.
D. The header is 34 bytes long: The fields use six bytes and the address information uses 28 bytes.

7. What is the function of the Hop Limit field in the IPv6 header?
A. It identifies the hop priority of a packet.
B. It determines the number of hops a packet can travel before being discarded.
C. It defines the length of the packet (not including the IP header).
D. It determines the Maximum Transmission Unit (MTU) size limit for each hop a packet can travel.

8. Which of the following describes the Destination Options extension header?
A. It must be processed by intermediate relays.
B. It is used to pass optional information to all nodes along a packet's delivery path.
C. It passes additional parameters to the destination system.
D. It contains four fields.

9. What is the recommended order for IPv6 extension headers?
A. IPv6 header, Hop-by-Hop, Destination Options (first), Routing, Fragment, Authentication, Encrypted Security Payload, Destination Options (second), Upper-layer header (payload)
B. IPv6 header, Hop-by-Hop, Routing, Fragment, Authentication, Encrypted Security Payload, Destination Options (first), Destination Options (second), Upper-layer header (payload)
C. IPv6 header, Hop-by-Hop, Destination Options (first), Authentication, Fragment, Routing, Encrypted Security Payload, Destination Options (second), Upper-layer header (payload)
D. IPv6 header, Hop-by-Hop, Destination Options (first), Destination Options (second), Routing, Fragment, Authentication, Encrypted Security Payload, Upper-layer header (payload)

10. The IPv4 Loose Source and Record Route options are similar to:
A. The IPv6 Routing extension header.
B. The IPv6 Fragment extension header.
C. The IPv6 Hop-by-Hop extension header.
D. The IPv6 Destination Options extension header.

11. Which of the following Windows IPv6 utilities can display the neighbor cache?
A. The ipv6 utility
B. The ttcp utility
C. The ping6 utility
D. The tracert6 utility

12. What is the function of the if option of the Windows ipv6 utility?
A. Neighbor cache
B. Send buffer size
C. Route cache
D. Interface configuration

13. Which command line would be used in Windows 2000 to trace an IPv6 route, without resolving host names?
A. tracert6 -d
B. tracert6 -h
C. tracert6 -w
D. tracert6 -s

14. Which protocol eventually became IPv6?
A. CATNIP
B. CLNP
C. SIPP
D. TUBA

15. How many fields, not including options, source, or destination address, are in the IPv4 header?
A. Six
B. Seven
C. 10
D. 12

16. How many fields, not including options, source, or destination address, are in the IPv6 header?
A. Six
B. Seven
C. 10
D. 12

17. Extension headers fit between which of the following?
A. Ethernet header and IPv6 headers
B. IPv6 header and transport headers
C. TCP and UDP headers
D. ICMPv6 and ARP headers

18. If the Destination Options (first) extension header exists, which of the following is true?
A. The Authentication header is flawed.
B. Options for both Destination and intermediate routers are included.
C. Source routing is enabled.
D. The packet is fragmented.

19. The value of 44 in the Next Header field refers to which extension header?
A. Routing
B. Hop-by-Hop
C. Destination Options
D. Fragmentation

20. What is the purpose of the M field in the Fragment extension header?
A. It indicates offset.
B. It indicates more fragments.
C. It identifies the fragment.
D. It identifies the Maximum Fragment Size.
Answers to Review Questions

1. D. IPv6 is driven by overflowing routing tables, as well as by the need for more IP addresses.

2. B. PIP was absorbed by SIP, becoming SIPP, and contributed efficient routing and support for Mobile IP.

3. A. The IPv4 Datagram Length field included the entire packet length, including header, while the Payload Length field is just that—the packet payload length—because the header is a fixed length.

4. A. IPv6 removes the Header Checksum, and uses a fixed format for all IP headers, also removing the IPv4 Type of Service field. Although Hop-by-Hop is an extension header in IPv6, it does not relate to segmentation, because MTU discovery is done before transmission of packets in IPv6.

5. B. The Routing Options extension header is used for special handling options by routers, the Hop Limit would ensure that packets die, and MTU discovery is not header-oriented in IPv6 packets.

6. C. If you cannot remember how many bytes of header fields exist, do the math on two IPv6 addresses: source + destination, 128 bits each = 256 bits or 32 bytes.

7. B. The Hop Limit is functionally similar to the IPv4 TTL field, and has nothing to do with packet length, MTU, or packet prioritization.

8. C. The Destination Options extension header contains three fields, is not processed by intermediate relays, and indicates to routers that they may stop processing extension headers.

9. A. Recall that Destination Options (second) is near the end, while Destination Options (first) is near the beginning—third, to be exact. Also, remember that Routing and Fragmentation are adjacent, and both security extension headers, Authentication and Encrypted Security Payload, are adjacent.

10. A. Fragment and Destination Options have nothing to do with the functions of Source Routing or Record Route. While Record Route could be confused with Hop-by-Hop, this field is used to pass specific TLV options to each node, not to record the route.

11. A. The other utilities have specific functions as indicated by their names, while ipv6 shows only interface configuration, neighbor cache, and route cache.

12. D. The if option indicates interface. Route cache is shown with the rc option, neighbor cache with nc, and send buffer size is not shown at all by the ipv6 utility.

13. A. The -d option, "Do not resolve addresses to hostnames," is correct. The -h option is used with tracert6 to specify a maximum number of hops, -w to specify a wait timeout, and -s to identify a source address to use.

14. C. CLNP development was halted just before the IPng (next generation) discussions began. TUBA had even more addresses than IPv6, and CATNIP proposed changing TCP at the same time as IP but was not completed when SIPP was selected for IPv6.

15. C. The IPv4 header includes fields for Version, Header Length, Service, Datagram Length, Datagram ID Number, Flags, Fragment Offset, Time To Live, Protocol, and Header Checksum.

16. A. The IPv6 header includes fields for Version, Class, Flow Label, Payload Length, Next Header, and Hop Limit.

17. B. The IPv6 extension header fits between the IPv6 header and upper layer transport headers such as TCP or UDP, but not between TCP or UDP.

18. B. The first Destination Options field is for information that is for the Destination host and that needs to be processed by routers listed in the Routing extension header.

19. D. Destination Options are given a value of 60 in the preceding header's Next Header field, Hop-by-Hop a value of zero, Routing a value of 43, Fragmentation a value of 44.

20. B. The M field in the Fragment extension field is a one-bit field, indicating whether or not there are more fragments following.
Chapter 10
IPv6 Address Architecture, Routing, and Security

CIW EXAM OBJECTIVE AREAS COVERED IN THIS CHAPTER:
Define and use IPv6 address architecture.
Identify IPv6 routing and security issues.

IPv6 addresses are more than just larger IPv4 addresses. IPv6 uses an address structure beyond the network, subnet, and host portions of the IPv4 address. As in Chapter 3, "Subnetting and Routing," there is arithmetic in this chapter. Some of this may seem tedious, but it is important to understand each step of the arithmetic, should that level of detail be required of you as an internetworking professional. The hierarchical approach of IPv6 addresses allows greater flexibility, so IPv6 will last for generations. IPv6 also improves the protocol by reducing backbone routing table entries and providing security at the Internet layer. This chapter will discuss the new routing hierarchy using Aggregatable Global Unicast addresses, as well as examining how protocols such as BGPv4, IDRP, OSPF, and RIP will be reengineered for IPv6. You will also learn about the two methods of Internet-layer security offered: authentication and confidentiality. All of these features are based on the IPv6 addressing architecture, defined in RFC 2373.
IPv6 Address Architecture
There are three fundamental differences between IPv4 addresses and IPv6 addresses: length, notation, and number system. The most noticeable difference is the length of the address. IPv4 addresses are 32 bits in length, divided into four eight-bit integers. IPv6 addresses are 128 bits in length, divided into eight 16-bit integers. IPv4 addresses are expressed in dotted decimal notation (and sometimes known as dotted quads). IPv6 addresses are expressed in colon notation, with eight fields rather than four. Put simply, each section of an IPv4 address is separated by a period, whereas each section of an IPv6 address is separated by a colon.
Another significant change to IP addresses is how they are expressed. IPv4 addresses are expressed in decimal form. IPv6 addresses are expressed in hexadecimal form. Following are examples (these addresses are not related).
IPv4 address: 207.199.55.165
IPv6 address: A342:0000:0000:0000:123F:0000:0034:EA3D
Hexadecimal Numbers

The IPng Directorate chose hexadecimal form to identify integers because the results are much more compact. If you represented each integer in decimal notation, the result would range from 0 to 65535. If you represented each integer in binary notation, the result would range from 0 to 1111111111111111. Hexadecimal numbers use a base-16 system, whereas decimal numbers use a base-10 system. This means that hexadecimal systems are not limited to the numerals 0 through 9, but also use the first six letters of the alphabet, A through F. Each hexadecimal letter has a decimal equivalent, as shown in Table 10.1. The hexadecimal values of 0 through 9 are equal to the decimal values 0 through 9.

TABLE 10.1 Hexadecimal Values

Hexadecimal Value    Decimal Equivalent
A                    10
B                    11
C                    12
D                    13
E                    14
F                    15
Hexadecimal-to-Decimal Conversion

To convert an IPv6 16-bit hexadecimal integer to decimal (one-eighth of an IPv6 address), use the following formula, where D is the decimal value, and w, x, y, and z are the hexadecimal values:

w(16^3) + x(16^2) + y(16^1) + z(16^0) = D

To explain the process, we will convert the hexadecimal integer 54CE into a decimal number.
1. Convert each hexadecimal value to a decimal number:
Hexadecimal: 54CE
Decimal: 5, 4, 12, 14
2. Associate each decimal number with the appropriate formula variable:
w = 5, x = 4, y = 12, and z = 14
3. Enter the decimal numbers into the formula:
w(16^3) + x(16^2) + y(16^1) + z(16^0) = D
5(16^3) + 4(16^2) + 12(16^1) + 14(16^0) = D
5(4096) + 4(256) + 12(16) + 14(1) = D
20480 + 1024 + 192 + 14 = D
21710 = D

Use a scientific calculator to check the work. Enter 21710 in decimal, and select the hexadecimal value. The conversion will result in 54CE.
The Windows operating system contains a scientific calculator. To locate the calculator, select Start > Programs > Accessories > Calculator, then select "Scientific" from the View menu. Linux provides several calculators; use the which command to locate xcalc, gcalc, or kcalc, or locate them in your X Window menus.
Hexadecimal-to-Binary Conversion

If you are learning hexadecimal notation for the first time, it is important for you to perform each step manually (e.g., with paper and pencil), in order to internalize the relationship between base-16 and base-10 number systems. To convert an IPv6 hexadecimal value to a binary, follow these steps.
1. Convert each hexadecimal integer to a decimal number:
Hexadecimal: 54CE
Decimal: 5, 4, 12, 14
2. Because each decimal number represents four bits of the 16-bit value, translate each decimal number into a four-bit binary value:
Decimal: 5, 4, 12, 14
Binary: 0101, 0100, 1100, 1110
3. Place the binary values together, left to right:
0101010011001110

Use a scientific calculator to check the work. Enter 0101010011001110 in binary, and select the hexadecimal value. The conversion will result in 54CE.
EXERCISE 10.1
Converting hexadecimal, decimal and binary values In this exercise, you will convert IPv6 addresses to decimal and binary values, and vice versa. Do not use a calculator until you are checking your work.
1. Convert the following IPv6 addresses to decimal values. Write your answers using colon notation (e.g., 16945:0:0:0:12:144:8432:32).
a. FE80:0000:0000:0000:123F:00FF:FE34:0000 b. 234F:0000:000E:00F1:324F:10FF:FE01:FF59
2. Convert the same IPv6 addresses to binary values. Write your answers using colon notation.
a. FE80:0000:0000:0000:123F:00FF:FE34:0000 b. 234F:0000:000E:00F1:324F:10FF:FE01:FF59
3. Convert the following binary values to an IPv6 address (the binary value is printed on three lines due to its size). 1111 1110 1000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000 : 0000 0000 0000 0000: 0000 0010 1010 0000 : 1010 1010 1111 1111 : 1111 1110 0000 0000 : 0010 0000 0010 0110
4. Challenge: Convert the following decimal values to an IPv6 address. 16945:0:0:0:12:255:65024:32
5. Challenge: Convert your computer’s IPv4 address into an IPv6 hexadecimal value (hint: 207.199.55.165 = 0000:0000:0000:0000: 0000:0000:CFC7: 37A5). If you do not have an IPv4 address, create a fictitious one.
6. Check your answers using a scientific calculator.
IPv6 Address Abbreviation
You can abbreviate IPv6 addresses in several ways. The easiest is to drop all leading zeros. Any integer that starts with a zero and is followed by a non-zero can be referenced by the non-zero number. For example:
00A3 = A3
Also, if an integer is all zeros, it can be expressed simply as a single zero. For example:
Address: A342:0000:0000:0000:123F:0000:0034:EA3D
Abbreviation: A342:0:0:0:123F:0:34:EA3D
Double-Colon Convention

Another way to abbreviate IPv6 addresses is by excluding null integers. A null integer is an integer that is all zeros. To abbreviate the null integer, follow these rules:
Include a double colon in place of null integers (between the non-null integers). For example:
Address: 2E22:1234:5678:0000:324F:54CE:9432:3253
Abbreviation: 2E22:1234:5678::324F:54CE:9432:3253
If several null integers occur side by side, the entire group can be abbreviated as a double colon. For example:
Address: 234F:0000:0000:0000:324F:54CE:9432:3253
Abbreviation: 234F::324F:54CE:9432:3253
Do not use the double colon twice (or three times) in one address. It would then be impossible to accurately expand the address to its full notation (address expansion is discussed in the next section).
Study the following examples of the double-colon convention.
Address: 0000:0000:0000:9123:ABE3:23FC:2342:0000
Abbreviation #1: ::9123:ABE3:23FC:2342:0000
Abbreviation #2: 0000:0000:0000:9123:ABE3:23FC:2342::
Abbreviation #3: ::9123:ABE3:23FC:2342:0
Abbreviation #4: 0:0:0:9123:ABE3:23FC:2342:0
Expanding IPv6 Addresses When expanding abbreviated IPv6 addresses, take the integers to the left of the double colon and align them to the left of the address. Then take the integers to the right of the double colon and align them to the right of the address. Add zeros between the two sets until eight 16-bit integers exist. All the missing integers between the two sets of numbers will be null.
The following example expands an abbreviated IPv6 address.
Abbreviation: CE54:3253:F234::9432:324F
Expanded address: CE54:3253:F234:0000:0000:0000:9432:324F
EXERCISE 10.2
Abbreviating and expanding IPv6 addresses In this exercise, you will abbreviate and expand IPv6 addresses. Note that several solutions exist for each question. One address may be impossible to abbreviate or expand.
1. Abbreviate the following IPv6 addresses.
   a. 2FE2:0021:0000:0001:FE55:00FF:FECD:000E
   b. FE80:0000:0000:0000:0E0F:EFFF:FE87:0000

2. Expand the following IPv6 addresses.
   a. 3001:2D1::FF12:0:1EFF:FE02:0
   b. ::CFC7:37A5
   c. 49A0::9ABC:B333:FF:FE21::
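The abbreviation and expansion rules above, implemented as a small parser. This is an added example, not code from the book: expand_ipv6 applies the left/right alignment rule and rejects a second double colon, which is why question 2c above cannot be expanded; abbreviate_ipv6 produces the shortest form and follows the later RFC 5952 rule of never using the double colon for a single null field (the book allows it); same_address shows why address comparisons must be made on the expanded value rather than on the text. The function names and the uppercase output (chosen to match the book's notation) are the example's own.

```python
"""Abbreviate, expand and compare IPv6 addresses in their textual form."""
import re

_FIELD = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(text: str) -> str:
    """Expand an abbreviated address to eight zero-padded 16-bit hex fields.

    Fields left of "::" are aligned to the left, fields right of it to the
    right, and the gap is filled with null (0000) fields.  Rejects anything
    that cannot be expanded unambiguously, in particular a second "::".
    """
    if text.count("::") > 1:
        raise ValueError(f"more than one '::' in {text!r}")
    if "::" in text:
        left, right = text.split("::")
        left_fields = left.split(":") if left else []
        right_fields = right.split(":") if right else []
        missing = 8 - len(left_fields) - len(right_fields)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one field: {text!r}")
        fields = left_fields + ["0"] * missing + right_fields
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {text!r}")
    bad = [f for f in fields if not _FIELD.match(f)]
    if bad:
        raise ValueError(f"bad field {bad[0]!r} in {text!r}")
    return ":".join(f"{int(f, 16):04X}" for f in fields)


def abbreviate_ipv6(text: str) -> str:
    """Shortest form: drop leading zeros in every field and replace the
    longest run of two or more null fields with "::" (the first such run if
    there is a tie).  A lone null field is written as "0", as RFC 5952
    requires, so 2E22:1234:5678:0000:... becomes 2E22:1234:5678:0:... rather
    than the text's 2E22:1234:5678::...; both spellings expand identically.
    """
    fields = [int(f, 16) for f in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{f:X}" for f in fields]
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def same_address(a: str, b: str) -> bool:
    """Compare two textual addresses by value.  A filter or log search that
    compared the strings instead would treat the four spellings of one
    address in the text as four different addresses."""
    return expand_ipv6(a) == expand_ipv6(b)
```

Running expand_ipv6 on the exercise's address c raises ValueError because of the two double colons; the others expand to eight fields, and abbreviate_ipv6 on exercise 1a gives 2FE2:21:0:1:FE55:FF:FECD:E.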
Address Types
Three different types of IPv6 addresses exist: unicast, multicast, and anycast. There is no broadcast address in IPv6; the jobs broadcast did in IPv4 are handled by multicast groups such as all-nodes.

Unicast is the IPv6 name for the point-to-point (single-host) address of IPv4. A unicast address is assigned to a single interface. Communication to a unicast address is one-to-one. The most common type of unicast address is the Aggregatable Global Unicast address, discussed in detail later in this chapter.

Multicast is used to reference a group of systems by a single IP address. Multicast addresses are assigned to a group, and every interface that has joined the group receives a message sent to the group multicast address. Multicast is one-to-many communication. Multicast address format and types are discussed later in this chapter.
Anycast is similar to multicast because an anycast address also references a group of systems. The difference lies in delivery: a packet sent to an anycast address is delivered to only one member of the group, the nearest one according to the routing system. For example, to locate the nearest name server, a node may use a generic anycast address for "name server," and the routing system delivers the request to the nearest name server. Many servers that provide network services, such as file servers and time servers, will have generic anycast addresses in IPv6. Anycast addresses are taken from the unicast address space and cannot be told apart from unicast addresses by their format. At the time of writing, anycasting is still in the experimental stage.
IPv6 Address Assignments
The IPv6 developers understand that address assignments must be revisited in the future. Initial address assignments use fixed-length addresses, similar to IPv4, distinguished by prefixes. IPv6 address allocation management is defined in RFC 1881. The prefix defines the type of IPv6 address being sent over the network, which determines how a packet is handled. A network interface may have several IPv6 addresses, each with a different prefix, depending on the destination or network function required. For example, an interface may have an Aggregatable Global Unicast address for communicating with computers in other organizations, and a link-local address for computers on the same link. Table 10.2 lists several currently defined address prefixes.

TABLE 10.2 IPv6 Address Prefixes
Address Prefix (binary)   Definition
0000 0000                 Reserved
0000 001                  Reserved for NSAP allocation
0000 010                  Reserved for IPX allocation
001                       Aggregatable Global Unicast addresses
100                       Reserved for geographic-based unicast addresses
1111 1110 10              Link-local addresses
1111 1110 11              Site-local addresses
1111 1111                 Multicast addresses
An IPv6 address that starts with 001 is an Aggregatable Global Unicast address, which corresponds to the globally unique (point-to-point) Internet address in IPv4. You will learn more about Aggregatable Global Unicast addresses in the next section.

The prefix length is written by appending a slash to the end of an IPv6 address, followed by the number of prefix bits, exactly as in IPv4 CIDR notation. Routers use this information to identify the high-order bits that select a route. For example, the IPv6 address FE80:0000:0000:0000:0E0F:EFFF:FE87:0000/10 identifies the first 10 bits as the link-local prefix. Therefore, routers will not forward packets to or from this address beyond the local link. Because every interface has a link-local address in the same FE80::/10 range, a host with several interfaces must also be told which link is meant; operating systems express this with a zone index appended to the address, such as FE80::1%eth0.

A system can have several addresses associated with it. The address your system uses depends on the type of destination address you are sending to:

An Aggregatable Global Unicast address is used for destinations across the Internet.
A site-local address cannot be routed on the Internet; it is used for destinations within a single site.
A link-local address is used by stations on the same physical link.

If your system is connected to an IPv4 network, it may also use an IPv4-based address, which allows IPv6 packets to traverse IPv4 networks. You will learn about IPv4-based addresses later in this chapter. At this point, 70 percent of the available IPv6 address space remains unassigned, which allows for a great deal of experimentation and change in the future.
Aggregatable Global Unicast Addresses
The first addresses assigned in IPv6 will be Aggregatable Global Unicast addresses. The ICANN will distribute these IPv6 addresses.

Aggregatable Global Unicast addresses are fixed-length addresses that contain five sections: prefix, Top-Level Aggregator (TLA), Next-Level Aggregator (NLA), Site-Level Aggregator (SLA), and host address. The Aggregatable Global Unicast address is specified in RFC 2374, and the TLA and NLA assignment rules are defined in the Internet Draft "TLA and NLA Assignment Rules." Figure 10.1 illustrates the structure of an Aggregatable Global Unicast address.

Note that RFC 2374 was later declared historic by RFC 3587 (2003): the TLA/NLA/SLA subdivision was dropped, and a global unicast address is now simply a global routing prefix, a 16-bit subnet ID (the bits the SLA occupied) and a 64-bit interface identifier. The field widths below still describe how such an address is carved up and routed.

FIGURE 10.1 Aggregatable Global Unicast address format

Prefix        TLA      NLA      SLA      Host Address
3 bits        13 bits  32 bits  16 bits  64 bits
(binary 001)
Top-Level Aggregator (TLA) The TLA identifies the backbone providers of the IPv6 Internet. Thirteen bits allows for 8,192 of these exchange points. The number of backbone providers can be expanded in the future by adding additional prefixes.
Next-Level Aggregator (NLA) The NLA replaces the subscriber identifier in IPv4. It can be considered the second tier of the address structure. This level will consist of long-haul providers, similar to the TLA, but will greatly simplify the routing structure because it will create a hierarchy so that addresses allocated by an ISP can be treated as a single supernetted address.
Site-Level Aggregator (SLA) The SLA will usually identify individual sites on the IPv6 network. If a company changes providers, it may change its NLA, but its SLA and TLA will most likely remain the same.
Host Address Many of the host addresses (also called interface identifiers, or Interface IDs) in IPv6 are derived from IEEE 802 48-bit hardware addresses. Because the interface identifier is 64 bits, a host address can be made unique by basing it on the Ethernet address, which was impossible in IPv4 because the entire address was only 32 bits. IPv6 host addresses use the IEEE EUI-64 format. To convert a 48-bit IEEE 802 (MAC) address, insert the two bytes FF-FE between the third and fourth bytes of the 48-bit address, making it 64 bits. The method works for both Ethernet and other IEEE 802 48-bit addresses. For example, inserting FF-FE into the Ethernet address A2-67-97-6B-FE-34 gives the EUI-64 value A2-67-97-FF-FE-6B-FE-34.

The seventh high-order bit of the first byte of an EUI-64 address is the universal/local ("u") bit: 0 means globally administered (burned in by the manufacturer), 1 means locally administered. IPv6 uses a "modified" EUI-64 in which this bit is inverted, so that a globally unique MAC yields a host address with the bit set to 1 (RFC 2373, Appendix A). Therefore, any Ethernet address starting with 00 becomes 02 when converted, and the A2 in the example above, which already has the bit set because it is a locally administered address, becomes A0, giving the host address A0-67-97-FF-FE-6B-FE-34. The bit is inverted rather than simply set so that locally assigned host addresses can be written compactly: an administrator can use ::1, ::2, and so on instead of 0200:0:0:1. Host addresses created by other means (for example, on serial links or tunnel endpoints that have no hardware address) have this bit set to 0, marking them as not globally unique.

A practitioner's caveat: a MAC-derived host address embeds the hardware address in every IPv6 address the interface uses, which reveals the NIC vendor and lets the host be tracked as it moves between networks. RFC 3041 (2001) therefore defines privacy extensions that generate random, temporary host addresses for outgoing connections.
EXERCISE 10.3
Converting your IEEE 802 address to an IEEE EUI-64 address In this exercise, you will use the IEEE EUI-64 conversion process to create an IPv6 host address for your computer.
1. Identify your computer's IEEE 802 address (Ethernet MAC address).
2. Insert the two bytes FF-FE between the third and fourth bytes of your Ethernet address, then invert the seventh high-order bit (the universal/local bit, 0x02 of the first byte). Note your modified IEEE EUI-64 address.
3. Identify your computer's IPv6 address and note the 64-bit host address.
4. Compare the 64-bit host address of your IPv6 address (Step 3) with the modified IEEE EUI-64 address (Step 2). Are they the same? Why or why not? If your MAC address is globally administered, is the seventh high-order bit of the host address set to 1? If not, correct the problem and note the new IEEE EUI-64 address in the space provided.
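The conversion the exercise walks through, as an added example that is not part of the book. It inserts FF-FE and inverts the universal/local bit as RFC 2373 Appendix A specifies, builds the resulting link-local address, and reverses the process to recover a MAC address from an IPv6 address found in a log or packet capture, which is the check an analyst makes to see whether hosts are exposing hardware addresses. The MAC addresses and function names are constructed for the example.

```python
"""Modified EUI-64 interface identifiers from 48-bit MAC addresses."""
import ipaddress
import re
from typing import Optional


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'A2-67-97-6B-FE-34', 'a2:67:97:6b:fe:34' or 'a267.976b.fe34'."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_modified_eui64(mac: str) -> bytes:
    """Insert FF-FE after the third byte and invert the universal/local bit.

    The u/l bit is 0x02 of the first byte.  A globally administered MAC
    (bit 0) therefore yields a host address with the bit set to 1; a locally
    administered MAC such as A2-... (bit already 1) yields A0-..., the case
    the book's example overlooks (RFC 2373, Appendix A).
    """
    b = mac_to_bytes(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def eui64_to_mac(iid: bytes) -> Optional[bytes]:
    """Undo the conversion if the 64-bit interface ID is MAC-derived
    (FF-FE in bytes 3 and 4); return None otherwise."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]


def format_mac(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def link_local_from_mac(mac: str) -> str:
    """Autoconfigured link-local address: FE80::/64 plus the interface ID."""
    iid = mac_to_modified_eui64(mac)
    number = (0xFE80 << 112) | int.from_bytes(iid, "big")
    return str(ipaddress.IPv6Address(number)).upper()


def mac_from_address(addr: str) -> Optional[str]:
    """Spot MAC-derived addresses in logs or captures.  Such an address
    reveals the NIC vendor and stays the same on every network the host
    joins, which is the exposure RFC 3041 privacy addresses remove."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    mac = eui64_to_mac(iid)
    return format_mac(mac) if mac is not None else None
```

The exercise's address FE80:0000:0000:0000:0E0F:EFFF:FE87:0000 decodes to the MAC 0C-0F-EF-87-00-00 (0E with the u/l bit inverted back is 0C), and an address such as 2001:DB8::1 yields None because its interface ID carries no FF-FE marker.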
Special Unicast Addresses
You should become familiar with the following five IPv6 unicast addresses: IPv4-based, loopback, unspecified, site-local, and link-local.

IPv4-based IPv6 addresses can be created from IPv4 addresses by adding a 96-bit prefix of null integers. The 32-bit IPv4 address remains the same; no hexadecimal conversion is necessary. For example, 207.199.55.165 translates to the IPv6 address ::207.199.55.165 (in pure hexadecimal, ::CFC7:37A5). This combination of dotted-decimal and double-colon formats is used during the IPv4-to-IPv6 transition period. This "IPv4-compatible" form was later deprecated by RFC 4291 (2006); the IPv4-mapped form ::FFFF:207.199.55.165, with sixteen one-bits in front of the IPv4 address, is what current systems use to represent an IPv4 peer.

Loopback Similar to IPv4, but uses the IPv6 address 0:0:0:0:0:0:0:1 (::1). Used to send an IP packet to the same computer that sent it. A packet with the loopback address must never be sent outside a node or forwarded by a router; one arriving from the network is a spoofing attempt or a bug and should be dropped.

Unspecified All integers are null (0:0:0:0:0:0:0:0, or ::). Used as the source address when a node has not yet been assigned an IPv6 address, for example during address autoconfiguration or DHCPv6. It is also used by control messages when a source address is required but none is available. The unspecified address must never be assigned to an interface or used as a destination, and a router must never forward a packet whose source is unspecified.

Site-local Used for internal networks. For example, a company using TCP/IP without Internet access can use site-local addresses. Site-local addresses are not forwarded by Internet routers, but can be forwarded by non-Internet routers within an organization. These addresses use the prefix 1111 1110 11, followed by zeros, the SLA, and the host address, as illustrated in Figure 10.2. Therefore, when (and if) the company connects to the Internet, only the prefix, TLA, and NLA change; the SLA and host address carry over. Site-local addresses were deprecated by RFC 3879 (2004) because the boundary of a "site" proved ambiguous; unique local addresses (RFC 4193, FC00::/7) serve the same purpose today.
FIGURE 10.2 Site-local address format

Prefix                 Zeros    SLA      Host Address
10 bits                38 bits  16 bits  64 bits
(binary 1111 1110 11)
Link-local Used by computers on the same local network (within a link). Link-local addresses are not forwarded by routers of any type. These addresses use the prefix 1111 1110 10, followed by zeros, then the host address. The link-local address format is illustrated in Figure 10.3. Every IPv6 interface has a link-local address, and the Neighbor Discovery, router advertisement and multicast listener messages discussed later in this chapter are exchanged between link-local addresses; because such traffic is never forwarded, a message of that kind that arrives from off-link is by definition spoofed.

FIGURE 10.3 Link-local address format

Prefix                 Zeros    Host Address
10 bits                54 bits  64 bits
(binary 1111 1110 10)
Multicast Addresses
The IPv6 designers made sure all IPv6 nodes (hosts and routers) support IPv6 multicasting. The multicast design evolved from experience gained on the MBone since 1992 and DARTnet since 1988. A multicast address is more efficient than a broadcast because packets are not delivered to every entity on a cable, only to the members of a group. The IPv6 multicast address assignments are defined in RFC 2375. Routers are responsible for routing multicast packets to destination hosts. The IPv6 multicast address format, shown in Figure 10.4, begins with the eight-bit multicast prefix 1111 1111 (FF in hexadecimal).

FIGURE 10.4 IPv6 multicast address format

Prefix              Flags   Scope   Group Identifier
8 bits              4 bits  4 bits  112 bits
(binary 1111 1111)
Flags The four-bit flags field is 000T. The high three bits are reserved (zero); the low-order T bit is 0 for a well-known multicast address permanently assigned by the Internet numbering authority and 1 for a transient address. Transient addresses let groups holding a multicast session establish a temporary multicast address; when the session ends, the address is released. The multicast session directory tool selects these addresses at random, and a collision-detection algorithm ensures that they are unique.

Scope The four-bit scope field limits how far a multicast packet may travel: 1 is node-local, 2 link-local, 5 site-local, 8 organization-local, and E global. For example, a value of eight (organization-local scope) ensures that an internal video conference multicast over the company network is not transmitted to the Internet. The limit is enforced by routers at the scope boundary, so a router or firewall must refuse to forward a multicast packet beyond the scope its address carries; link-local scope multicast (FF02::/16), which includes the all-nodes and all-routers groups, must never leave the link.
Group Identifier The group identifier determines which multicast group is represented by the address. Table 10.3 lists a sample of multicast group identifiers used in IPv6. An X in the scope position means the group is defined for every scope value.

TABLE 10.3 Sample of Multicast Group Identifiers

Address                  Group
FF0X:0:0:0:0:0:0:0       Reserved
FF02:0:0:0:0:0:0:1       All nodes (link-local scope)
FF02:0:0:0:0:0:0:2       All routers (link-local scope)
FF02:0:0:0:0:0:0:6       OSPF designated routers
FF02:0:0:0:0:0:0:7       ST routers
FF02:0:0:0:0:0:0:8       ST hosts
FF02:0:0:0:0:0:0:B       Mobile agents
FF0X:0:0:0:0:0:0:108     Sun NIS+ information service
FF0X:0:0:0:0:0:0:10C     IETF-1-VIDEO
FF02:0:0:0:0:0:1:1       Link name
FF02:0:0:0:0:0:1:2       All DHCP agents
FF02:0:0:0:0:0:1:3       All DHCP servers
FF02:0:0:0:0:0:1:4       All DHCP relays
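An added example (not the book's code) that classifies an address by the prefix bits of Table 10.2, the special unicast addresses, and the flags/scope/group layout of Figure 10.4, returning the TLA/NLA/SLA or multicast fields where they apply. Working on the numeric value rather than the text means it is immune to the spelling differences discussed under the double-colon convention; a filter that matched on strings such as "FE80:" would miss FE80::1 written as fe80:0:0:0:0:0:0:1. The function names and the scope-boundary helper are the example's own.

```python
"""Classify an IPv6 address from its high-order bits (Table 10.2 prefixes,
the special unicast addresses and the multicast flags/scope layout)."""
import ipaddress
from typing import Any, Dict

# Multicast scope values from RFC 2373 section 2.7.
SCOPE_NAMES = {0x1: "node-local", 0x2: "link-local", 0x5: "site-local",
               0x8: "organization-local", 0xE: "global"}


def _top(n: int, bits: int) -> int:
    """The first `bits` bits of a 128-bit address as an integer."""
    return n >> (128 - bits)


def classify(addr: str) -> Dict[str, Any]:
    """Return the address type plus the fields that type defines.  Any
    textual spelling works because the tests are on the numeric value."""
    n = int(ipaddress.IPv6Address(addr))
    if n == 0:
        return {"type": "unspecified"}
    if n == 1:
        return {"type": "loopback"}
    if n >> 32 == 0:                       # 96 null bits + IPv4 address
        return {"type": "IPv4-compatible",
                "ipv4": str(ipaddress.IPv4Address(n & 0xFFFFFFFF))}
    if n >> 32 == 0xFFFF:                  # ::FFFF:a.b.c.d (RFC 2373 2.5.4)
        return {"type": "IPv4-mapped",
                "ipv4": str(ipaddress.IPv4Address(n & 0xFFFFFFFF))}
    if _top(n, 8) == 0b1111_1111:          # Figure 10.4 layout
        flags = (n >> 116) & 0xF
        scope = (n >> 112) & 0xF
        return {"type": "multicast",
                "transient": bool(flags & 0x1),
                "scope": SCOPE_NAMES.get(scope, f"unassigned({scope:X})"),
                "group_id": n & ((1 << 112) - 1)}
    if _top(n, 10) == 0b1111_1110_10:
        return {"type": "link-local"}
    if _top(n, 10) == 0b1111_1110_11:
        return {"type": "site-local", "sla": (n >> 64) & 0xFFFF}
    if _top(n, 3) == 0b001:                # Figure 10.1 layout
        return {"type": "aggregatable global unicast",
                "tla": (n >> 112) & 0x1FFF,
                "nla": (n >> 80) & 0xFFFFFFFF,
                "sla": (n >> 64) & 0xFFFF,
                "interface_id": n & ((1 << 64) - 1)}
    if _top(n, 7) == 0b0000_001:
        return {"type": "reserved for NSAP"}
    if _top(n, 7) == 0b0000_010:
        return {"type": "reserved for IPX"}
    return {"type": "reserved/unassigned"}


def off_link_multicast(addr: str) -> bool:
    """True if a multicast destination has wider-than-link scope: a router
    that forwards such a packet must enforce the scope boundary, while
    node-local and link-local multicast must never be forwarded at all."""
    info = classify(addr)
    return (info["type"] == "multicast"
            and info["scope"] not in ("node-local", "link-local"))
```

For the routing example later in the chapter, classify("2FE2:21:EE00:AC1::1") reports TLA 0x0FE2 (the 13 bits after the 001 prefix), NLA 0x0021EE00 and SLA 0x0AC1.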
Fixed Length vs. Variable Length
The original IPv6 plan included variable-length IPv6 addresses instead of fixed-length addresses. This requirement would make the Aggregatable Global Unicast address TLA, NLA, SLA, and host address portions vary, depending on the allocation needs of providers and organizations. A good way to demonstrate this concept is by geographic zones. For example, China would need many more addresses than the Republic of the Marshall Islands (RMI) because their populations differ by more than a billion. China could be allocated 10 billion addresses, whereas the RMI could be allocated only one million. The host address portion of the RMI would be made much smaller to conserve address space. In the future, the RMI's population may grow beyond one million and require additional IPv6 addresses. To accommodate additional addresses, their TLAs, NLAs, and SLAs could be modified to allow for more addresses. Conversely, China's address structure could also be modified to allow for fewer addresses. Variable-length addresses increase IPv6 growth flexibility, but make it difficult to renumber networks in the provider-based Internet. For example, if a company changed service providers in a variable-length IPv6 address scheme, it might be forced to change its TLA, NLA, SLA, and host addresses because each of these lengths would vary between providers. In a fixed model, it might need to change only its NLA, which would require replacing a 32-bit value with a 32-bit value, instead of a 29-bit value with a 25-bit value, and so forth.
IPv6 Routing
For a router to maintain the most efficient route to all remote networks, it needs an entry for every network in its local routing table. Given the number of networks currently registered on the Internet, this requirement is not feasible for most companies. Most routers do not have a specific entry in their routing tables for each network on the Internet; they simply pass all packets for unknown networks to their default routes. However, the Internet's backbone routers must have routing tables that include entries for all networks. As the number of networks increases, so does the size of each routing table, which is making backbone routing tables unmanageable. One of the IPv6 goals was to address this problem. IPv6 provides a means for aggregating network routes.
CIDR to Aggregate Network Routes

IPv4 addressed the routing table problem with Classless Interdomain Routing (CIDR). CIDR abandons the principle that the network portion of an IPv4 address has a fixed, class-determined length. Network numbers are replaced by variable-length prefixes, which are assigned to organizations and can identify a group of networks instead of a single network, so that a backbone router carries one route for the whole group. IPv6 builds on the CIDR concept with Aggregatable Global Unicast addresses. These use fixed-length fields: the Top-Level Aggregator (TLA), Next-Level Aggregator (NLA), and Site-Level Aggregator (SLA) each occupy a defined position within the 128-bit address. All routes to a provider's customers go through the provider's routers, which yields a hierarchical database of aggregatable network routes.

The TLA was initially named the "Provider-ID." Its name was changed to "Top-Level Aggregator" to de-emphasize commercial reliance and concentrate on the routing properties instead.
Aggregatable Routing Hierarchy
An aggregatable routing hierarchy ensures that routing tables are smaller because SLA routers can use NLA routers as default routes, and NLA routers can use TLA routers as default routes. Conversely, TLA routers only need routing table entries for other TLA routers and their NLA routers, and NLA routers only need entries for their SLA routers and neighboring NLA routers. There is currently room for 8,192 TLA exchange points. The routing aspects of the IPv6 transition are detailed in RFC 2185. Figure 10.5 illustrates the concept of a hierarchical database of aggregatable network routes.

FIGURE 10.5 Aggregatable routing hierarchy concept (a tree: TLA routers at the top, each with NLA routers beneath it, each NLA router with SLA routers beneath it, and hosts below each SLA router)

Notice the relationship between the aggregatable routing hierarchy and the Aggregatable Global Unicast address format, shown in Figure 10.6. Do you see any similarities to the Domain Name System (DNS) hierarchy?

FIGURE 10.6 Aggregatable Global Unicast address structure

Prefix        TLA      NLA      SLA      Host Address
3 bits        13 bits  32 bits  16 bits  64 bits
(binary 001)
For example, suppose a company has an SLA router with the following IPv6 prefix (use Figures 10.5 and 10.6 for reference):

2FE2:21:EE00:AC1::/64

If a host within this site sends a packet to a remote Aggregatable Global Unicast destination (note that the host would use a site-local or link-local address for an internal destination), the SLA router forwards the packet to its "default" NLA router, or to a neighboring SLA router if it holds a more specific route. The NLA router could have the IPv6 prefix:

2FE2:21:EE00::/48

If the NLA router has a routing entry for the destination SLA prefix, it forwards the packet to that SLA router, which delivers it to the destination. If it does not have a routing entry for the destination SLA, it forwards the packet to its "default" TLA router, or a neighboring NLA router. The TLA router could have the following IPv6 prefix:

2FE2:21::/16 (only the first 16 bits are significant, so this is the same prefix as 2FE2::/16)

If the TLA router has a routing entry for the destination NLA prefix, it forwards the packet to that NLA router, which delivers it to the SLA router and then to the destination. If it does not have a routing entry for the destination NLA, it forwards the packet to a neighboring TLA router, which checks its own routing table and forwards the packet on until the NLA entry is found. Note that TLA routing tables require entries only for NLA routers and other TLA routers; therefore, all TLA routers will probably carry entries for all NLA routers. At every hop the router selects the entry with the longest matching prefix, so a more specific entry (a /48 over a /16) always wins. This is also why an incorrectly announced more-specific prefix diverts traffic for every address it covers.
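The forwarding walk just described, run through a constructed topology as an added example (not from the book). Each router holds only the few prefixes its tier needs plus a default route; trace follows the longest matching prefix from the SLA router until the packet is delivered or no route exists. The router names, the extra SLA/NLA/TLA routers and the "rogue" route in the usage note are constructed for the example.

```python
"""Longest-prefix-match forwarding through the TLA/NLA/SLA hierarchy."""
import ipaddress
from typing import Dict, List, Optional, Tuple

DELIVER = "deliver"


class Router:
    """A router holding a few prefix routes and a default route."""

    def __init__(self, name: str, routes: List[Tuple[str, str]],
                 default: Optional[str] = None) -> None:
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv6Network, str]] = []
        self.default = default
        for prefix, next_hop in routes:
            self.add_route(prefix, next_hop)

    def add_route(self, prefix: str, next_hop: str) -> None:
        # strict=False accepts the text's spelling 2FE2:21::/16 (host bits set).
        self.routes.append((ipaddress.IPv6Network(prefix, strict=False), next_hop))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst: ipaddress.IPv6Address) -> Optional[str]:
        for net, hop in self.routes:       # sorted longest prefix first
            if dst in net:
                return hop
        return self.default


def build_topology() -> Dict[str, Router]:
    """The example from the text plus a second NLA, SLA and TLA router."""
    return {
        "sla-a": Router("sla-a", [("2FE2:21:EE00:AC1::/64", DELIVER)], "nla-1"),
        "sla-b": Router("sla-b", [("2FE2:21:EE00:AC2::/64", DELIVER)], "nla-1"),
        "sla-c": Router("sla-c", [("2FE2:21:EE01:1::/64", DELIVER)], "nla-2"),
        "nla-1": Router("nla-1", [("2FE2:21:EE00:AC1::/64", "sla-a"),
                                  ("2FE2:21:EE00:AC2::/64", "sla-b")], "tla-1"),
        "nla-2": Router("nla-2", [("2FE2:21:EE01:1::/64", "sla-c")], "tla-1"),
        "tla-1": Router("tla-1", [("2FE2:21:EE00::/48", "nla-1"),
                                  ("2FE2:21:EE01::/48", "nla-2"),
                                  ("2FE3::/16", "tla-2")]),
        "tla-2": Router("tla-2", []),
    }


def trace(routers: Dict[str, Router], start: str, dst: str,
          max_hops: int = 16) -> List[str]:
    """Follow next hops from `start` and return the path.  The last element
    is "deliver", "unreachable", or the name of an unknown next hop."""
    target = ipaddress.IPv6Address(dst)
    path = [start]
    current = start
    for _ in range(max_hops):
        hop = routers[current].next_hop(target)
        if hop is None:
            path.append("unreachable")
            return path
        path.append(hop)
        if hop == DELIVER or hop not in routers:
            return path
        current = hop
    path.append("loop")
    return path


def table_sizes(routers: Dict[str, Router]) -> Dict[str, int]:
    """Each router needs only a handful of entries thanks to aggregation."""
    return {name: len(r.routes) for name, r in routers.items()}
```

A packet for 2FE2:21:EE01:1::9 travels sla-a, nla-1, tla-1, nla-2, sla-c; no router holds more than three prefixes. Adding a bogus more-specific route such as 2FE2:21:EE01:1::/64 pointing at "rogue" on tla-1 diverts that same traffic, which is the longest-prefix property route hijacks exploit.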
To learn about router renumbering for IPv6, consult "Router Renumbering for IPv6," the Internet Draft by M. Crawford and R. Hinden (since published as RFC 2894).
Multicast Routing
Earlier in this chapter, you learned about IPv6 multicast addresses. Delivering multicast packets is the router's responsibility. Routers use Internet Control Message Protocol version 6 (ICMPv6) group management messages to learn which groups have listeners on each link. ICMPv6 will be discussed in detail in the next chapter. The three group management messages are equivalent to the IPv4 Internet Group Management Protocol (IGMP) messages. The procedures for joining multicast groups are also the same as for IPv4. The main difference is that IGMP messages have been absorbed by ICMPv6; the current specification of these messages is Multicast Listener Discovery (MLD, RFC 2710), which calls them Multicast Listener Query, Report, and Done. The group membership messages are as follows.

Group Membership Query (type 130) Sent by routers to determine which local stations are members of a particular group.
Group Membership Report (type 131) Sent by stations to indicate membership in a particular group. Sent in response to a router's Group Membership Query, and unsolicited when a station joins a group.
Group Membership Reduction (type 132) Sent by stations to terminate membership in a particular group.
Each message has the same format but a different Type field value (130, 131, or 132). Figure 10.7 illustrates the ICMPv6 group management message header.

FIGURE 10.7 Group management ICMPv6 message header

 0              8              16                           31
 Type (8)       Code (8)       Checksum (16)
 Maximum Response Delay (16)   Unused (16)
 Multicast Address (128)

The ICMPv6 group management header includes the following fields:

Type (eight bits) Identifies the message type.
Code (eight bits) Unused (set to 0).
Checksum (16 bits) Used for error detection. As for every ICMPv6 message, it is computed over the message plus an IPv6 pseudo-header containing the source and destination addresses, so a message whose addresses are altered in transit fails the check.
Maximum Response Delay (16 bits) Used in query messages (type 130). Identifies the maximum time, in milliseconds, that responding report messages may be delayed. Set to 0 in report and reduction messages.
Unused (16 bits) Unused (set to 0 by the sender and ignored by the receiver).
Multicast Address (128 bits) Contains the IPv6 multicast address the message refers to; it is zero in a general query, which asks about all groups.
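The group management message of Figure 10.7 serialized and checked, as an added example that is not from the book. The ICMPv6 checksum covers an IPv6 pseudo-header, so a message cannot be verified without the addresses it was sent between; the parser also applies two checks from the MLD specification (RFC 2710): the source must be link-local, and a report must be sent to the group it reports. The addresses in the usage are constructed.

```python
"""Build, checksum and validate the ICMPv6 group-management (MLD) message of
Figure 10.7.  The checksum covers an IPv6 pseudo-header, so the source and
destination addresses are needed to compute or verify it."""
import ipaddress
import struct
from typing import Any, Dict

ICMPV6 = 58                        # Next Header value for ICMPv6
QUERY, REPORT, REDUCTION = 130, 131, 132
_FIXED = struct.Struct("!BBHHH")   # Type, Code, Checksum, Max Resp Delay, Unused
MSG_LEN = _FIXED.size + 16         # plus the 128-bit multicast address


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 2463 checksum: one's complement of the sum over the pseudo-header
    (src, dst, upper-layer length, zeros, next header 58) and the message,
    whose own checksum field must be zero while computing."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), ICMPV6))
    return (~_ones_complement_sum(pseudo + msg)) & 0xFFFF


def build_mld(msg_type: int, src: str, dst: str, group: str,
              max_delay_ms: int = 0) -> bytes:
    """Serialize a query, report or reduction with a correct checksum."""
    body = (_FIXED.pack(msg_type, 0, 0, max_delay_ms, 0)
            + ipaddress.IPv6Address(group).packed)
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_mld(src: str, dst: str, msg: bytes) -> Dict[str, Any]:
    """Decode the fields and apply the receiver-side checks a host or router
    should make before acting on the message."""
    if len(msg) < MSG_LEN:
        raise ValueError("MLD message too short")
    msg_type, _code, csum, max_delay, _unused = _FIXED.unpack_from(msg)
    group = ipaddress.IPv6Address(msg[_FIXED.size:MSG_LEN])
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    problems = []
    if icmpv6_checksum(src, dst, zeroed) != csum:
        problems.append("bad checksum")
    if msg_type not in (QUERY, REPORT, REDUCTION):
        problems.append(f"unexpected type {msg_type}")
    if not ipaddress.IPv6Address(src).is_link_local:
        problems.append("source is not link-local")   # RFC 2710 section 3
    if msg_type == REPORT and ipaddress.IPv6Address(dst) != group:
        problems.append("report not sent to the group it reports")
    return {"type": msg_type, "max_delay_ms": max_delay, "group": str(group),
            "problems": problems, "valid": not problems}
```

A report for FF02::1:3 sent from FE80::1 to FF02::1:3 verifies; the same 24 bytes presented with a different source address fail the checksum because the pseudo-header changed, and a single flipped bit in the group address is caught the same way.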
Multicast routing is still being researched for deployment on the Internet, on an internetwork called the MBone. The IPv4 MBone is currently the stateof-the-art environment for deploying multicast routing. The MBone could be reconstructed using OSPF for IPv6 (which will be discussed later in this chapter). Multicast routing will continue to be refined before IPv6 is officially released.
IPv6 Routing Protocols
Routing protocols must be updated to support IPv6 addresses and prefixes. In some cases, the protocols must be changed completely. In other cases, elements of IPv4 routing protocols have been absorbed into IPv6 in order to gain additional routing functionality, such as with IGMP described above. The following section details the routing protocol changes.
BGPv4 to IDRP

One of the most common protocols used on the Internet is the Border Gateway Protocol (BGP). The current version, BGPv4, exchanges reachability information between autonomous systems. BGPv4 has been optimized to work specifically with the IPv4 Internet, so well, in fact, that applying it to IPv6 was expected to be difficult: its original reachability encoding handles only 32-bit addresses, which poses a problem for IPv6's 128-bit addresses. The IPv6 designers therefore recommended not updating BGPv4 but using the Interdomain Routing Protocol (IDRP) instead. Note that vendors created IPv6-capable BGP versions regardless of that recommendation. The multiprotocol extensions to BGPv4 are defined in RFC 2858, with the IPv6 specifics in RFC 2545, and this is what the Internet actually adopted: IDRP was never deployed, and multiprotocol BGPv4 carries IPv6 routes today.

IDRP is a routing protocol based on many of the same concepts as BGP. IDRP was held to have the following advantages over BGPv4:

BGPv4 uses TCP to exchange messages between routers; IDRP messages are carried over a bare datagram service.
BGPv4 is a single-address routing protocol that can only route 32-bit addresses; IDRP can route several different address types, including 128-bit addresses.
BGPv4 uses a 16-bit field to identify autonomous systems; IDRP uses a variable-length field to identify routing domains.
BGPv4 identifies all intermediate autonomous systems for a particular route; IDRP builds upon the hierarchical routing concept proposed by IPv6.
Updating Interior Routing Protocols to Work with IPv6 In the previous section, exterior routing protocols were discussed. It is also important to consider interior routing protocols used within an organization’s network. The two most common interior routing protocols are Open Shortest Path First (OSPF) and Routing Information Protocol (RIP).
Open Shortest Path First (OSPF) OSPF is the recommended interior routing protocol for IPv6. The IPv6 version, OSPFv3, began as the Internet Draft "OSPF for IPv6" and was published as RFC 2740 (since superseded by RFC 5340). OSPF has been in use for a long time and has been kept current with routing changes (OSPFv2 is an Internet standard). Two points matter for IPv6. First, OSPFv3 runs as a separate protocol instance alongside OSPFv2, so the IPv6 routing table is maintained in parallel with the IPv4 one rather than replacing it. Second, OSPFv3 removed the packet authentication built into OSPFv2 and relies instead on the IPv6 Authentication and ESP headers described later in this chapter, so an OSPFv3 deployment without IPsec accepts routing updates from any node on the link.
Routing Information Protocol (RIP) RIP is a simple protocol used by small networks. The advantage to using RIP is that it is easy to set up and implement, but RIP is considered inferior to OSPF because it cannot be easily implemented in a large network environment. When determining whether to reengineer RIP and make it compatible with IPv6, the developers decided not to recommend RIP, and chose OSPF instead. Regardless, several vendors are creating IPv6-compatible RIP versions. The IPv6 RIP specifications are defined in RFC 2080.
IPv6 Security
In previous versions of the Internet Protocol, very few measures were provided for security. Currently, most security implementations used on the Internet are retrofitted to work with IPv4, and are implemented through applications. The security architecture for IP is defined in RFC 2401 (since replaced by RFC 4301, which keeps the same two headers described below).
The designers of IPv6 decided to include security at the Internet layer from the start. Implementation at this layer frees applications from dealing with certain types of security. IPv6 provides the following two basic types of security:

Authentication
Confidentiality

Both are implemented through IPv6 extension headers, which are documented in RFC 2460, Internet Protocol, Version 6 (IPv6) Specification. The same two headers are also used with IPv4 as IPsec; what IPv6 changed was to build them into the base protocol as extension headers that every implementation was expected to support.
IPv6 Authentication Authentication here means verifying that a packet really came from the claimed sender and was not modified in transit (data origin authentication and integrity). Because IPv4 cannot confirm this at the Internet layer, IPv6 uses an Authentication extension header. When the Authentication header is used, the upper-layer protocols (TCP, UDP, and so forth) do not change their behavior. The Authentication header is defined in RFC 2402. To implement authentication, the sender and receiver agree, in a security association, on a shared key and an algorithm used to compute the authentication data. The default algorithm at the time was keyed Message Digest 5 (MD5), defined in RFC 1828; other algorithms may be negotiated, with MD5 specified as the default to provide compatibility. Keyed MD5 was soon replaced by HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404), and MD5-based authentication is no longer recommended; current implementations use HMAC with SHA-2 (RFC 4868). Note also that the Authentication header authenticates a packet, not a person: it proves possession of the security association's key.
Authentication Extension Header The Authentication extension header carries the data that lets the receiver verify the sender and the integrity of the packet. Figure 10.8 illustrates the Authentication extension header.

FIGURE 10.8 Authentication extension header

 0              8              16                           31
 Next Header    Payload Length Reserved
 Security Parameters Index (SPI)
 Sequence Number
 Authentication Data (variable, a multiple of 32 bits)

The Authentication extension header contains the following fields:

Next Header (eight bits) Identifies the header that follows the Authentication header.
Payload Length (eight bits) The length of the Authentication header itself in 32-bit words, minus 2 (so a header carrying a 96-bit authentication value has a Payload Length of 4).
Reserved (16 bits) Reserved for future use; set to 0.
Security Parameters Index (SPI) (32 bits) Together with the destination address, identifies the security association (the agreed key and algorithm) for the datagram. If zero, there is no security association. Values from 1 through 255 are reserved.
Sequence Number (32 bits) A counter incremented for every packet sent on the security association. The receiver uses it for anti-replay protection: a packet whose sequence number has already been seen, or that falls below the receiver's window, is discarded. The counter must not wrap, so a new security association is needed before 2^32 packets have been sent.
Authentication Data (variable length) The integrity check value (a keyed hash or MAC) computed over the packet. The algorithm is not carried in this field; it is determined by the security association the SPI selects.
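An added example, not the book's code, of how a receiver processes the Authentication header: look up the security association by SPI, verify the authentication data, and only then consult the anti-replay window. The SA table, its key and the HMAC-SHA-256 integrity algorithm are constructed for the example (the book's keyed MD5 would change only the hash and the ICV length). As a simplification the ICV covers the Authentication header and the data after it; real AH also covers the IPv6 header with its mutable fields zeroed.

```python
"""Authentication Header (RFC 2402 layout): parsing, integrity check and the
anti-replay window, with the security association chosen by SPI."""
import hmac
import struct
from typing import Any, Dict, Tuple

_AH_FIXED = struct.Struct("!BBHII")  # Next Header, Payload Len, Reserved, SPI, Sequence

# Constructed security-association table: SPI -> key and integrity algorithm
# (HMAC-SHA-256 truncated to 128 bits, as in RFC 4868).
SA_TABLE: Dict[int, Dict[str, Any]] = {
    0x1001: {"key": b"constructed-example-key-not-for-real-use",
             "hash": "sha256", "icv_len": 16},
}


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len = length of the whole AH in 32-bit words, minus 2.
    payload_len = (_AH_FIXED.size + len(icv)) // 4 - 2
    return _AH_FIXED.pack(next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data: bytes) -> Dict[str, Any]:
    if len(data) < _AH_FIXED.size:
        raise ValueError("truncated AH")
    next_header, payload_len, _reserved, spi, seq = _AH_FIXED.unpack_from(data)
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError("AH shorter than its Payload Len claims")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[_AH_FIXED.size:total], "rest": data[total:]}


def compute_icv(sa: Dict[str, Any], ah_with_zero_icv: bytes, rest: bytes) -> bytes:
    """Simplification: covers the AH (ICV zeroed) and what follows it only."""
    mac = hmac.new(sa["key"], ah_with_zero_icv + rest, sa["hash"]).digest()
    return mac[:sa["icv_len"]]


def send_ah(spi: int, seq: int, next_header: int, rest: bytes) -> bytes:
    sa = SA_TABLE[spi]
    zeroed = build_ah(next_header, spi, seq, bytes(sa["icv_len"]))
    return build_ah(next_header, spi, seq, compute_icv(sa, zeroed, rest)) + rest


class ReplayWindow:
    """RFC 2402 Appendix C sliding window (default 64): accept a sequence
    number if it is above the window, or inside it and not yet seen."""

    def __init__(self, size: int = 64) -> None:
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                      # 0 is never sent on an SA
            return False
        if seq > self.top:                # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # too old
            return False
        if self.bitmap & (1 << offset):   # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


def receive_ah(packet: bytes, windows: Dict[int, ReplayWindow]) -> Tuple[bool, str]:
    """ICV first, window second: the window is updated only for packets whose
    ICV verified, so forged packets cannot slide it past real ones."""
    fields = parse_ah(packet)
    sa = SA_TABLE.get(fields["spi"])
    if sa is None:
        return False, "no security association"
    zeroed = build_ah(fields["next_header"], fields["spi"], fields["seq"],
                      bytes(len(fields["icv"])))
    if not hmac.compare_digest(compute_icv(sa, zeroed, fields["rest"]), fields["icv"]):
        return False, "bad ICV"
    window = windows.setdefault(fields["spi"], ReplayWindow())
    if not window.check_and_update(fields["seq"]):
        return False, "replayed or stale sequence number"
    return True, "ok"
```

With a 128-bit ICV the header is 28 bytes, so the Payload Length byte reads 5; resending an already accepted packet is rejected by the window, a packet with one flipped payload byte fails the ICV without touching the window, and a packet that arrives 70 sequence numbers behind the newest one is stale even though it was never seen.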
IPv6 Confidentiality Confidentiality means hiding the information transferred from sender to receiver. IPv4 implements this form of security with upper-layer protocols. By contrast, IPv6 implements confidentiality at the Internet layer with an Encapsulating Security Payload (ESP) extension header (this book calls it the Encrypted Security Payload), defined in RFC 2406. ESP encrypts everything that follows its own header (the payload), so it is always the last IPv6 extension header in the daisy chain and the last "visible" header, as shown in Figure 10.9.

FIGURE 10.9 ESP encryption

Unencrypted:  IPv6 Header | Extension Headers | ESP Header
Encrypted:    Encrypted Data
Trailing:     Authentication Data (covers the ESP Header and the Encrypted Data)

Only the receiving party can decrypt the data. Any captured information will be unusable. An in-depth discussion of encryption techniques and algorithm strengths is beyond the scope of this book. Like any technology, encryption technology continues to evolve, and algorithms and key lengths that seem very secure today might be easily cracked in a few years. IPv6 security allows stronger, non-default algorithms to be adopted as encryption technology evolves, without re-architecting the IPv6 protocol. Encryption alone does not detect a modified ciphertext, so ESP should always be used with its own authentication data or together with the Authentication header.
Typical Encapsulating Security Payload (ESP) Extension Header The ESP extension header gives the receiving party what it needs to process the encrypted data (payload) in each packet. Although the header identifies the security association, the decryption key is not included in the transmission; it is only referenced, through the SPI, so only the receiving entity can decrypt the data. The focus of this text, and of internetworking professionals, is generally not on encryption technology but on its implementation in IPv6 packets. The exact layout of the encrypted portion depends on the encryption algorithm being used. Note the similarities to the Authentication extension header. Figure 10.10 illustrates a typical ESP extension header.

FIGURE 10.10 Typical ESP extension header

 0              8              16                           31
 Security Parameters Index (SPI) (32 bits)
 Sequence Number (32 bits)
 Encrypted Data and Parameters (variable)
 Authentication Data (variable)

The typical ESP extension header contains the following fields:

Security Parameters Index (SPI) (32 bits) Identifies the security association.
Sequence Number (32 bits) Anti-replay counter, incremented for each packet and handled exactly as in the Authentication header.
Encrypted Data and Parameters (variable length) Algorithm-specific parameters (such as an initialization vector) followed by the encrypted payload; varies depending on the encryption used.
Authentication Data (variable length) An integrity check value computed over the SPI, the Sequence Number and the encrypted data (not over the IPv6 header), using the algorithm chosen by the security association. The receiver checks it before attempting decryption.
Cipher Block Chaining Mode of the Data Encryption Standard (DES-CBC) The default algorithm used for ESP is the Cipher Block Chaining mode of the Data Encryption Standard (DES-CBC), defined in RFC 1829 (and, for the RFC 2406 form of ESP, in RFC 2405). DES-CBC uses an Initialization Vector (IV) of 32 or 64 bits placed where the encrypted data begins. Although ESP uses DES-CBC by default, other algorithms can be selected once a security association is established. A practitioner should treat DES as a legacy example only: its 56-bit key has been recoverable by brute force since 1998, and current IPsec algorithm requirements forbid it in favor of AES. Figure 10.11 illustrates an ESP extension header using DES-CBC.

FIGURE 10.11 ESP extension header with DES-CBC

 0              8              16                           31
 Security Parameters Index (SPI) (32 bits)
 Sequence Number (32 bits)
 Initialization Vector (IV)
 Payload Data (variable)
 Padding (variable)  |  Padding Length (8)  |  Payload Type (8)

The ESP extension header with DES-CBC contains the following fields:

Security Parameters Index (SPI) (32 bits) Identifies the security association.
Sequence Number (32 bits) Anti-replay counter, incremented for each packet.
Initialization Vector (IV) (variable length, in 32-bit words) Content comes from a random number generator. The IV ensures that two messages with identical opening blocks do not produce identical ciphertext, so the first words of a message cannot be predicted or recognized by an attacker.
Payload Data (variable length) Varies depending on the payload.
Padding (variable length) Ensures that the encrypted portion ends on a 64-bit boundary (the DES block size), with the Padding Length and Payload Type fields occupying the last two bytes of the final block.
Padding Length (eight bits) Specifies the number of padding bytes used, so the receiver can strip them after decryption.
Payload Type (eight bits) Identifies the type of payload (for example, TCP). It serves the same purpose as a Next Header field but is itself encrypted, so an observer cannot tell which protocol the packet carries.

Payload and Authentication Data follow the ESP header. Regardless of the encryption algorithm and the information contained in the ESP header, the payload data is entirely encrypted, and it is neither visible to nor processed by intermediate routers as it passes through an IPv6 network. After decryption the receiver must check the Padding Length and the padding contents and reject a malformed trailer; these checks, like the Authentication Data check before them, happen before any payload is handed to the upper layer.
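The ESP framing of Figures 10.10 and 10.11, as an added example that is not from the book: SPI and Sequence Number, IV, the encrypted payload with its Padding, Padding Length and Payload Type trailer, and the Authentication Data computed over everything except itself. A SHA-256 counter keystream stands in for DES-CBC so the example runs without a cipher library; it is not a standard ESP transform. The 64-bit block boundary, 96-bit ICV, keys and function names are the example's own. The receiver verifies the ICV before decrypting and validates the trailer afterward, the order that keeps padding and decryption failures from becoming an oracle for an attacker.

```python
"""ESP packet framing per RFC 2406: SPI, Sequence Number, IV, the encrypted
payload with its trailer (Padding, Pad Length, Next Header), then the ICV."""
import hashlib
import hmac
import os
import struct
from typing import Any, Dict, Optional

BLOCK = 8      # DES block size: the trailer pads plaintext to a 64-bit boundary
IV_LEN = 8     # 64-bit IV, the RFC 2405 size
ICV_LEN = 12   # 96-bit truncated ICV, as in the HMAC-*-96 transforms


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the block cipher: a SHA-256 counter-mode keystream.  Not
    DES-CBC or any standard ESP transform; it only keeps the example
    self-contained so the framing and the check order can be shown."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack("!I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi: int, seq: int, next_header: int, payload: bytes,
                    enc_key: bytes, auth_key: bytes,
                    iv: Optional[bytes] = None) -> bytes:
    iv = os.urandom(IV_LEN) if iv is None else iv
    pad_len = (BLOCK - (len(payload) + 2) % BLOCK) % BLOCK
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default padding 1, 2, 3 ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authenticated, "sha256").digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(packet: bytes, enc_key: bytes, auth_key: bytes) -> Dict[str, Any]:
    """Verify the ICV before decrypting, then validate the trailer."""
    if len(packet) < 8 + IV_LEN + BLOCK + ICV_LEN:
        raise ValueError("ESP packet too short")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, "sha256").digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", authenticated[:8])
    iv = authenticated[8:8 + IV_LEN]
    ciphertext = authenticated[8 + IV_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext does not end on a 64-bit boundary")
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("Pad Length exceeds payload")
    padding = plaintext[len(plaintext) - 2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": plaintext[:len(plaintext) - 2 - pad_len]}
```

A 9-byte TCP payload needs 5 bytes of padding so that payload, padding and the two trailer bytes fill two 64-bit blocks, giving a 44-byte ESP packet with the 8-byte IV and 12-byte ICV; any change to the ciphertext or the use of the wrong authentication key is rejected at the ICV step, before decryption is attempted.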
Summary
In this chapter, you compared and contrasted IPv4 addresses with IPv6 addresses. You saw that the IPv6 address is longer, and that it uses colon notation and hexadecimal integers. To better understand the address relationship, you converted IPv6 addresses between hexadecimal, decimal, and binary values, just as the earlier chapter on IPv4 routing focused only on decimal and binary conversions. Performing these tasks is a bit tedious, and learning which bits hold important values is a long process, because of the many different contexts for each concept. This is a trademark skill of a true internetworking professional: not only is the information you have learned accessible to you, but the importance of a particular string of bits should be recognized in the appropriate context. You also learned how to abbreviate and expand IPv6 addresses. You identified the three IPv6 address types: unicast, multicast, and anycast. You learned that IPv6 addresses will be initially allocated using the Aggregatable Global Unicast address format. After formatting your Ethernet address into an IPv6 host address using the IEEE EUI-64 process, you studied the special-case unicast addresses. You learned the advantages and disadvantages of fixed-length and variable-length addresses, and how each affects renumbering. You learned about IPv6 routing and security. You saw how IPv6 routing will solve the problem of unmanageable Internet backbone routing tables by providing a routing hierarchy using aggregate network routes, and that these routes are based on Aggregatable Global Unicast addresses. You learned about routing protocols, including the recommended exterior protocol change from BGPv4 to IDRP, and that the recommended interior routing protocol will be OSPF. You also explored IPv6 security, which allows authentication and confidentiality to be implemented at the Internet layer instead of the Application layer.
Finally, you studied the Authentication extension header, as well as the Encrypted Security Payload (ESP) extension header.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
Aggregatable Global Unicast
anycast
Cipher Block Chaining mode of the Data Encryption Standard (DES-CBC)
Encrypted Security Payload (ESP)
IEEE EUI-64
Interdomain Routing Protocol (IDRP)
Internet Control Message Protocol version 6 (ICMPv6)
Internet Group Management Protocol (IGMP)
Message Digest 5 (MD5)
multicast
Next-Level Aggregator (NLA)
Site-Level Aggregator (SLA)
Top-Level Aggregator (TLA)
unicast
Exam Essentials

Be able to describe IPv6 address architecture, including length and format. The IPv6 address architecture uses 128-bit addresses in a colon-delimited format, with eight fields of four hexadecimal digits in each field.

Be able to convert IPv6 addresses between hexadecimal, decimal, and binary values. The formula for converting a hexadecimal value to a decimal value is w(16^3) + x(16^2) + y(16^1) + z(16^0) = D, where wxyz is a four-digit hexadecimal number and D is the resulting decimal value. Recall that 16^3 = 4096, 16^2 = 256, 16^1 = 16 and 16^0 = 1. To convert a hexadecimal number to binary, recall that each hexadecimal digit can be represented by four binary digits, ranging from 0000 to 1111 to match the hex digits 0 through F.

Know how to abbreviate and expand IPv6 addresses. Remember that only one double colon may be used in an IPv6 abbreviated address, but it may represent multiple adjacent null fields in the IPv6 address. The IPv6 address 0000:0000:FE02:0000:0000:0000:BACA:1234 could be abbreviated as either ::FE02:0000:0000:0000:BACA:1234 or 0000:0000:FE02::BACA:1234 but not as ::FE02::BACA:1234, because the two double colons make it impossible to accurately expand the null fields. When multiple groups of null fields exist, a single zero can be used to represent the entire field, such as 0:0:FE02::BACA:1234.

Identify address types in IPv6: unicast, multicast, and anycast. Unicast addresses begin with 001 (Aggregatable Global Unicast, the most common) or 100 (Geographic-based Unicast). Multicast addresses begin with 1111 1111.

Be able to define the Aggregatable Global Unicast address format. The Aggregatable Global Unicast address format contains five sections: prefix, TLA, NLA, SLA, and host address.

Understand address hierarchy, including Top-Level Aggregate (TLA), Next-Level Aggregate (NLA), and Site-Level Aggregate (SLA). Up to 8,192 IPv6 Top-Level Aggregators link together the IPv6 backbone, and support a tier of Next-Level Aggregators that provide services to Site-Level Aggregators. While this hierarchy contains more layers than the IPv4 model for providers, it also solves many issues of growth and scalability of routers that continue to be significant challenges to large IPv4 service providers.

Be able to define the IPv6 multicast address format. IPv6 multicast addresses begin with the eight-bit multicast prefix of 1111 1111, and have fields for Flags, Scope, and Group Identifier.

Identify the five special-case IPv6 unicast addresses. The five special-case IPv6 unicast addresses are IPv4-based, loopback, unspecified, site-local, and link-local.

Know why Classless Interdomain Routing (CIDR) will be replaced by the Top-Level Aggregator (TLA) in the IPv6 address. The TLA allows the top-level backbone routers to have a routing table of finite size while allowing for significant growth in the number of nodes. By architecting this efficiency into the protocol, it will make manageable the long-term growth of the Internet, and the growth of routing tables.

Understand the aggregatable routing hierarchy concept. The hierarchy of TLA, NLA, and SLA ranges of bits within the IPv6 address creates a hierarchy of routes. Routers at each level can efficiently process only the component of the IPv6 address that pertains to their role as TLA, NLA, or SLA, with default upstream routes toward the backbone continuing to be efficient at larger routers than possible with CIDR.

Be able to describe IPv6 multicast routing, including group management messages. Multicast routing in IPv6 is controlled by ICMPv6, in the same way that IPv4 handles multicast routing. Group management messages in IPv6 come in three types, Group Membership Query, Group Membership Report, and Group Membership Reduction, all three of which come from IGMP, an IPv4 protocol absorbed by IPv6.

Understand why the IPv6 proposed standard recommends using Interdomain Routing Protocol (IDRP) instead of BGPv4. BGP has been specifically engineered to be efficient with IPv4, and is not suitable for the longer addresses of IPv6. IDRP, in contrast, was engineered to perform similar functions for routing, but with variable address lengths including 128-bit and 32-bit addresses.

Understand why the IPv6 proposed standard recommends using Open Shortest Path First (OSPF) instead of Routing Information Protocol (RIP). Although RIP is easy to implement, it is not easily implemented in a large network environment, and one of the goals of IPv6 is to provide an architecture for large, internetworked networks.

Understand IPv6 security features such as authentication and confidentiality. Authentication is the means for verifying an identity; in the context of IPv6, authenticating the identity of the sender. Confidentiality is the hiding of information from other parties; in the context of IPv6, keeping the data secret as it is sent from sender to receiver, even if this information crosses the public Internet.

Be able to compare Internet-layer security to Application-layer security. IPv6 provides encryption and authentication security services at the Internet layer, Layer 3 of the OSI Reference Model, as a part of the IPv6 protocol. With IPv4, encryption and authentication are all handled at higher layers, the Transport through Application layers of the OSI/RM. The effect of the lower-layer security provided by IPv6 is to reduce the number of layers that have no security, and enhance the security of the overall system by increasing the confidence of data integrity and increasing the difficulty of impersonating, crafting, or “spoofing” network packets.

Know the functions of the Authentication and Encrypted Security Payload (ESP) extension headers. The Authentication extension header contains information that, in conjunction with the encrypted authentication data that it describes, verifies the identity of the sender of the information. The ESP extension header provides confidentiality, by providing information about the encrypted payload and its security association, without providing information useful to brute-force decryption.

Identify Authentication extension header fields. The Authentication extension header contains Next Header, Payload Length, Reserved, Security Parameters Index, Sequence Number, and Authentication Data fields.

Identify Encrypted Security Payload (ESP) extension header fields. ESP extension header fields include Security Parameters Index (SPI), Sequence Number, Encrypted Data and Parameters, and Authentication Data fields. The Encrypted Data and Parameters fields vary with different algorithms. With DES-CBC, Initialization Vector, Payload Data, Padding, Padding Length, and Payload Type fields are added.
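The abbreviation and expansion rules above (at most one "::", a null field optionally written as a single 0, and the w(16^3) + x(16^2) + y(16^1) + z(16^0) = D evaluation of each field), implemented as an added example that is not part of the study guide. It uses the addresses quoted in the text plus a few constructed ones, and cross-checks its own results against Python's ipaddress module.

```python
"""Expand and abbreviate IPv6 addresses under the rules in the Exam
Essentials: eight 16-bit hexadecimal fields, at most one "::" (standing for
one or more adjacent null fields), and a null field optionally written as a
single 0. Added example, not code from the study guide."""
import ipaddress
import re

FIELD_RE = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> str:
    """Return the full eight-field, four-digit form, or raise ValueError."""
    if addr.count("::") > 1:
        # Two "::" make the expansion ambiguous (e.g. ::FE02::BACA:1234)
        raise ValueError(f"more than one '::' in {addr!r}")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one field: {addr!r}")
        fields = head + ["0"] * missing + tail
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {addr!r}")
    for field in fields:
        if not FIELD_RE.match(field):
            raise ValueError(f"bad hexadecimal field {field!r} in {addr!r}")
    return ":".join(field.upper().zfill(4) for field in fields)


def is_valid(addr: str) -> bool:
    """True when expand() accepts the address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def abbreviate(addr: str) -> str:
    """Drop leading zeros in every field and replace the longest run of two
    or more null fields with the single permitted '::'."""
    fields = [f.lstrip("0") or "0" for f in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:          # the first run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def to_decimal_fields(addr: str) -> list:
    """Evaluate each field with w(16^3) + x(16^2) + y(16^1) + z(16^0) = D."""
    result = []
    for field in expand(addr).split(":"):
        digits = [int(ch, 16) for ch in field]        # w, x, y, z
        result.append(sum(d * 16 ** (3 - i) for i, d in enumerate(digits)))
    return result


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check expand() and abbreviate() against the standard library."""
    ref = ipaddress.IPv6Address(addr)
    return (expand(addr).lower() == ref.exploded
            and abbreviate(addr).lower() == ref.compressed)
```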
Review Questions

1. Which of the following accurately describes a difference between IPv4 and IPv6 addresses?
A. IPv4 addresses are 64 bits in length, and IPv6 addresses are 128 bits in length.
B. IPv4 addresses are expressed in colon notation, and IPv6 addresses are expressed as dotted quads.
C. IPv4 addresses are divided into four 16-bit integers, and IPv6 addresses are divided into eight 32-bit integers.
D. IPv4 addresses are expressed in decimal form, and IPv6 addresses are expressed in hexadecimal form.

2. Which of the following is the formula used for hexadecimal-to-decimal conversion of IP addresses (where w, x, y, and z are the hexadecimal values, and D is the decimal value)?
A. w(32^3) + x(32^2) + y(32^1) + z(32^0) = D
B. w(4^3) + x(4^2) + y(4^1) + z(4^0) = D
C. w(16^3) + x(16^2) + y(16^1) + z(16^0) = D
D. w(8^3) + x(8^2) + y(8^1) + z(8^0) = D

3. What is a null integer?
A. An integer that is all zeros
B. An integer that is represented in an abbreviated IPv6 address by two sets of double colons
C. An integer that starts with a zero and is followed by a non-zero
D. An integer that has been abbreviated and expanded

4. Which of the following can be used to abbreviate IPv6 addresses?
A. Drop any integer that starts with a non-zero and is followed by a zero.
B. Express a group of null integers as a single zero followed by a single colon.
C. Use the double-colon convention.
D. Use the double colon twice in one address.

5. Which of the following describes a unicast address type?
A. A unicast address is used to reference a group of systems by a single IP address.
B. A unicast address is a one-to-many communication.
C. A unicast address is assigned to a group.
D. A unicast address is assigned to a single entity.

6. Which of the following is the currently defined address prefix for an Aggregatable Global Unicast address?
A. 100
B. 001
C. 1111 1111
D. 0000 010

7. What is the purpose of the Top-Level Aggregator?
A. The TLA simplifies the routing structure by creating centralized control.
B. The TLA identifies individual sites on the IPv6 network.
C. The TLA identifies the backbone providers of the IPv6 Internet.
D. The TLA replaces the subscriber identifier in IPv4.

8. Which of the following describes a link-local address?
A. It’s used to send an IP packet to the same computer that sent it.
B. It’s used to convert IPv4 addresses into IPv6 addresses by adding a prefix of null integers.
C. It’s used when a source node has not been assigned an IPv6 address (in other words, before DHCP configuration).
D. It’s used by computers on the same local network.

9. Which of the following statements describes an advantage of Aggregatable Global Unicast addresses over CIDR?
A. It operates on the principle that the network portion of an address is a fixed length.
B. It replaces network numbers with variable-length prefixes.
C. It provides a hierarchical database of aggregatable network routes.
D. It provides an entry for every network in its local routing table.

10. Which of the following characterizes an aspect of the aggregatable routing hierarchy?
A. SLA routers can use TLA routers as default routes.
B. There is currently room for 4,096 TLA exchange points.
C. NLA routers can use TLA routers as default routes.
D. TLA routing tables do not require entries for NLA routers or other TLA routers.

11. To handle IPv6 multicast routing, routers use:
A. IGMP.
B. ARP.
C. ICMPv6.
D. OSPF.

12. What is the function of the Group Membership Query message?
A. It’s sent by stations to indicate membership in a particular group.
B. It’s sent by routers to determine which local stations are members of a particular group.
C. It’s sent by stations to terminate membership in a particular group.
D. It’s sent by routers to determine the name of a particular member.

13. Which of the following describes an advantage of IDRP over BGPv4?
A. IDRP uses a 32-bit field to address domains, whereas BGPv4 uses a 16-bit field to identify autonomous networks.
B. IDRP and BGPv4 are both single-address routing protocols, but IDRP can route 128-bit addresses instead of 32-bit addresses.
C. IDRP messages are carried over a bare datagram service, whereas BGPv4 uses TCP to exchange messages between routers.
D. IDRP identifies all intermediate autonomous systems for any particular route, whereas BGPv4 builds on the hierarchical routing concept of IPv4.

14. What is the recommended routing protocol to use for IPv6 exterior routing?
A. RIPv6
B. OSPF for IPv6
C. BGPv4
D. IDRP

15. What is the purpose of the Authentication Data field of the Authentication extension header?
A. It uniquely identifies each packet.
B. It identifies the algorithm used to verify the sender.
C. It identifies the security association.
D. It identifies the data that follows the current header.

16. IPv6 uses an ESP extension header to implement confidentiality at the:
A. Internet layer.
B. Network Access layer.
C. Application layer.
D. Transport layer.

17. What is the purpose of a Padding field, such as the one used in the ESP extension header with DES-CBC?
A. It ensures that the first message words cannot be predicted by hackers.
B. It specifies the length of the padding used.
C. It specifies the security association.
D. It ensures that messages end on a certain boundary.

18. What is the decimal value of the hexadecimal number A0B0?
A. 11,120
B. 41,136
C. 43,776
D. 177,920

19. Convert the hexadecimal value of C40F to binary.
A. 1100010000001111
B. 1101010000001111
C. 1110010100001111
D. 1100010100001111

20. What is the default algorithm for the authentication header?
A. MD5
B. DES
C. DES-CBC
D. ESP
Answers to Review Questions

1. D. IPv4 addresses are 32 bits in length, expressed as dotted quads, and IPv6 addresses are divided into eight 16-bit integers.

2. C. Recall that hexadecimal is a base 16 system, so each digit carries a value equal to 16^n, where n is the number of places to the left of the decimal, just as an evaluation of the decimal 1000 = 1(10^3) + 0(10^2) + 0(10^1) + 0(10^0).

3. A. A null integer in an IPv6 address may be abbreviated by a double colon, but the definition of a null integer has nothing to do with abbreviation, expansion, or IPv6. A null integer is simply a field or value that is zero, or all zeroes.

4. C. You may not drop any non-zero values from an IPv6 address, nor may you use the double colon twice in one address. When you replace a null integer with a zero, you do so for a single null integer, not for a group of null integers.

5. D. Multicast is a one-to-many communication, which references a group of systems by a single IP address. Anycast is similar to multicast in that a single message is sent to a group, but also similar to unicast in that the message is sent to a single member of the group, which is responsible for repeating the message to the group.

6. B. 100 is reserved for Geographic-based Unicast addresses, 1111 1111 for multicast, and 0000 010 for IPX.

7. C. The TLA creates a hierarchy, but does not centralize control, nor does it identify individual sites. The NLA replaces the subscriber identifier in IPv4.

8. D. Link-local addresses are not forwarded by routers, have nothing to do with IPv4 to IPv6 conversion, and are a valid IPv6 address, therefore not pre-DHCP configuration. The only remaining answer is a valid description of link-local addresses.

9. C. CIDR operates on the principle that the network portion of an address is a fixed length, while IPv6 Aggregatable Global Unicast addresses use a fixed-length prefix of TLA, NLA, and SLA, which results in a hierarchy of aggregatable network routes. Providing a route to every network, in a single routing table, has never been feasible.

10. C. Each hierarchy may use the next level up as default routes, so SLA routers can use NLA routers, and NLA routers can use TLA routers. There is room for 8,192 TLA routers, so TLA routers may reference only other TLA routers in their routing tables.

11. C. ICMPv6 group management messages are functionally equivalent to IPv4 IGMP messages. IGMP does not exist in IPv6, because of the enhancements to ICMP made for version 6.

12. B. The Group Membership Query is sent by routers, not stations, to determine membership, not names.

13. C. BGPv4 can route only 32-bit addresses, but IDRP uses variable-length fields and can route different address types, including 128-bit and 32-bit addresses, building on the hierarchical routing concept of IPv6.

14. D. Many vendors are creating IPv6-compatible versions of BGP, regardless of IPv6 designers’ recommendation. RIP and OSPF are interior routing protocols.

15. B. The Sequence Number field uniquely identifies each packet, the Security Parameters Index identifies the security association, and the Next Header and Payload Length identify the data (or header) following the current header.

16. A. IPv4 implements confidentiality with upper-layer protocols, at the Transport or Application layers. No confidentiality is implemented at the Network Access layer. IPv6 brings confidentiality all the way to the Internet layer, layer 3 of the OSI/RM.

17. D. Ensuring that messages end on a 64-bit boundary, which makes brute-force decryption techniques a bit more difficult, improves payload security.

18. B. A0B0 = A(16^3) + 0(16^2) + B(16^1) + 0(16^0)   (evaluate each digit of A0B0)
= 10(16^3) + 0(16^2) + 11(16^1) + 0(16^0)   (evaluate hex digits to decimal)
= 10(4096) + 0(256) + 11(16) + 0(1)   (evaluate exponents)
= 40960 + 0 + 176 + 0   (remove parentheses, multiply)
= 41,136   (sum)

19. A. 1101010000001111 = D40F, 1110010100001111 = E50F, and 1100010100001111 = C50F.

20. A. The Message Digest 5 (MD5) algorithm is the default for IPv6 authentication header validation, not for payload encryption.
Chapter 11
Migrating to IPv6

CIW EXAM OBJECTIVE AREA COVERED IN THIS CHAPTER:
Identify issues related to migration from IPv4 to IPv6, including but not limited to: mechanisms proposed by the Simple Internet Transition, dual IP stack strategy, the 6Bone
For the transition to IPv6 to take place, many issues must be considered and goals must be set. The most important goal is to allow IPv4 and IPv6 to interoperate. Next, IPv6 hosts and routers must not be interdependent: they must be deployed in an incremental and highly diffuse manner. The third goal declares that the transition must be as simple as possible for administrators and end users to implement. The IETF discusses and creates transition techniques in its Next Generation Transition Working Group, called NGTrans. This chapter will discuss IPv6 autoconfiguration, and techniques to accomplish transition goals and ensure a successful IPv6 migration.

In an effort to simplify the Internet Protocol, IPv6 developers designed the protocol to reduce the amount of time required for network management tasks, particularly address configuration. Two automatic address configuration types exist in IPv6: stateless autoconfiguration and stateful configuration. IPv6 uses plug-and-play autoconfiguration for these functions and also provides a media-independent address resolution protocol. IPv6 uses the Neighbor Discovery (ND) protocol to help meet these goals; this protocol in turn uses Internet Control Message Protocol version 6 (ICMPv6) messages. To understand the reduced network management and address resolution provided with IPv6, you must first become familiar with ND and ICMPv6.
Neighbor Discovery (ND) Protocol
Automatic address configuration uses the IPv6 protocol called Neighbor Discovery (ND), which is defined in RFC 2461. ND is responsible for:
Allowing hosts to find routers
Enabling nodes (hosts and routers) to determine one another’s Data-Link layer addresses
Enabling nodes to discover the existence of other nodes
Enabling nodes to maintain reachability information
Providing nodes with path status to active neighbors
Neighbor Discovery uses ICMPv6 messages to complete these tasks. The ICMPv6 messages used by ND include Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect. Pay special attention to these messages in the following sections. Several of the ND ICMPv6 message headers will be analyzed throughout this chapter.
Internet Control Message Protocol Version 6 (ICMPv6)
Internet Control Message Protocol (ICMP) was revised during the creation of IPv6 and is specified in RFC 2463. As a result, the IPv4 ICMP is not compatible with the IPv6 version. To indicate this change, the new ICMPv6 header is identified by a Type 2 header instead of a Type 1 header. The following other notable differences exist:
Streamlined protocol: Functions no longer used by IPv4 are removed.
IGMP inclusion: IPv4 IGMP multicast control functions are incorporated.
Extended formats: Some fields are enlarged to handle the larger IPv6 fields.
ICMPv6 Header
Even though IPv4 and IPv6 are not compatible, the ICMPv6 header follows the same general format of IPv4 ICMP. The type, code, checksum, and variable-length body remain, and the message body’s format varies, depending on the ICMP message type. Figure 11.1 illustrates an ICMPv6 message header.

FIGURE 11.1 ICMPv6 message header (bit offsets 0, 8, 16, 31): Type | Code | Checksum, followed by Message (contents depend on message type and code)

The ICMPv6 header includes the following fields.
Type (eight bits): Identifies the message type.
Code (eight bits): Provides further information about the message type.
Checksum (16 bits): Used for error detection.
Message (variable length): Contains the message itself. ICMPv6 messages will be identified in Tables 11.2 through 11.5.
ICMPv6 Messages
The changes to IPv6 have rendered many IPv4 ICMP message types obsolete. However, the added responsibilities of ICMPv6 have created additional message types. Table 11.1 summarizes the new and removed message types in ICMPv6.

TABLE 11.1 Message Type Changes in ICMPv6
ICMP message types added to ICMPv6: Packet Too Big; Group Membership Query; Group Membership Report; Group Membership Reduction; Router Solicitation; Router Advertisement; Neighbor Solicitation; Neighbor Advertisement
ICMP message types removed from ICMPv6: Source Quench; Timestamp Request/Timestamp Reply; Information Request/Information Reply; Subnet Mask Request/Subnet Mask Reply

The ICMPv6 specifications currently define 14 different message types, as shown in Tables 11.2 through 11.5. Table 11.2 lists the ICMPv6 error messages.

TABLE 11.2 ICMPv6 Error Messages
Type 1, Destination Unreachable: The network may be unreachable for a number of reasons: the port or address may be unreachable; a route may not currently exist; or you may be prohibited from communicating with the destination.
Type 2, Packet Too Big: This is a Maximum Transmission Unit (MTU) discovery message. If a packet is too large for a network segment’s MTU, the source system will receive the Packet Too Big message along with the correct MTU. The sender will retransmit the original message with the new MTU. The process repeats until the packet reaches its destination.
Type 3, Time Exceeded: A packet was discarded because its Hop Limit field reached zero. It also indicates whether a fragment was lost.
Type 4, Parameter Problem: An IP header error occurred.

Table 11.3 lists the ICMPv6 query messages.

TABLE 11.3 ICMPv6 Query Messages
Type 128, Echo Request: Sends an echo-request message to test reachability.
Type 129, Echo Reply: Destination responds by sending an echo-reply message.

Table 11.4 lists the ICMPv6 group membership messages.

TABLE 11.4 ICMPv6 Group Membership Messages
Type 130, Group Membership Query: Sent by routers to determine which local stations are members of a particular group.
Type 131, Group Membership Report: Sent by stations to indicate membership in a particular group. Sent in response to a router’s Group Membership Query.
Type 132, Group Membership Reduction: Sent by stations to terminate membership in a particular group.
Table 11.5 lists the ICMPv6 Neighbor Discovery messages.

TABLE 11.5 ICMPv6 Neighbor Discovery Messages
Type 133, Router Solicitation: Sent by hosts to request an immediate router advertisement, instead of waiting for the next scheduled advertisement.
Type 134, Router Advertisement: Sent by routers on a schedule or in response to Router Solicitation messages. Contains information such as address prefixes for address autoconfiguration.
Type 135, Neighbor Solicitation: Sent by nodes (hosts and routers) to determine the Data-Link layer addresses of nodes on the same link. Also used to verify cached Data-Link layer addresses and for duplicate-address detection.
Type 136, Neighbor Advertisement: Sent by nodes in response to Neighbor Solicitation messages, such as responding with Data-Link layer addresses. Unsolicited messages can be sent by a node to indicate a Data-Link layer address change.
Type 137, Redirect: Sent by routers to inform hosts that a better first hop exists.
Plug-and-Play Autoconfiguration
Address management is one of the biggest challenges facing IP network administrators. Over the years, many advances have been made within the protocols that allow administrators much more flexibility with address configuration and management. IPv6 expands on these practices with what is known as plug-and-play autoconfiguration, not to be confused with the inconsistently implemented hardware standard of the same name.
Autoconfiguration completes the following tasks:
Creates a link-local address
Verifies that the link-local address is unique on a link
Determines the information that will be autoconfigured: addresses, other information, or both
The following two autoconfiguration mechanisms can be used together or separately:
Stateless autoconfiguration
Stateful configuration

Stateless Autoconfiguration
IPv6 provides a process known as stateless autoconfiguration, by which clients can automatically configure their own IP addresses with or without IPv6 routers. IPv6 stateless address autoconfiguration is defined in RFC 2462. When a system is initialized, it must first determine its hardware, or Data-Link layer, address. Once it has determined this address, it uses ND to send an ICMPv6 Router Solicitation message over the network. If a router is not available, the host will use its hardware address to create a link-local IPv6 address. This address will be the only IPv6 address used by this machine, unless an IPv6 router is added to the network. If an IPv6 router is available, it will respond to the solicitation message by sending a Router Advertisement. The Router Advertisement contains the router’s prefix. The host will combine the router prefix with the link-local address the host created, possibly creating an Aggregatable Global Unicast address (depending on the router prefix). To ensure uniqueness, each node runs a Duplicate Address Detection algorithm on the address. If the address is unique, the node will assign it to an interface. The Duplicate Address Detection algorithm is run in both stateless autoconfiguration and stateful configuration.
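The host side of the procedure just described (IEEE EUI-64 interface identifier from the hardware address, link-local address, global address from an advertised prefix, then Duplicate Address Detection), as an added example that is not from the study guide. The MAC address, the advertised prefix and the set of addresses already in use on the link are constructed sample values; that in-use set stands in for the Neighbor Solicitation exchange real Duplicate Address Detection performs.

```python
"""Stateless autoconfiguration: derive the interface identifier from the
hardware (MAC) address with the IEEE EUI-64 process, form the link-local
address, and form a global address when a Router Advertisement supplies a
prefix. Added example, not code from the study guide; every address and
MAC value here is a constructed sample."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """IEEE EUI-64: split the 48-bit MAC, insert FF:FE in the middle and
    invert the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit prefix (the link-local fe80::/64 or an advertised
    Aggregatable Global Unicast prefix) with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The address a host forms even when no router answers."""
    return address_from_prefix("fe80::/64", mac)


def stateless_autoconfigure(mac, advertised_prefixes, in_use):
    """Simulate the host side of stateless autoconfiguration.

    advertised_prefixes: /64 prefixes learned from Router Advertisements
    (empty when no router answered the Router Solicitation).
    in_use: addresses another node on the link already answers for; this
    stands in for the Duplicate Address Detection exchange.
    Returns (assigned, duplicates) as lists of IPv6Address."""
    candidates = [link_local_address(mac)]
    candidates += [address_from_prefix(p, mac) for p in advertised_prefixes]
    taken = {ipaddress.IPv6Address(a) for a in in_use}
    assigned, duplicates = [], []
    for addr in candidates:
        # A tentative address that is already claimed must not be assigned.
        (duplicates if addr in taken else assigned).append(addr)
    return assigned, duplicates


if __name__ == "__main__":
    # Constructed sample: no router on the link, then a router advertising
    # a documentation prefix while the global address is already taken.
    sample_mac = "00:0C:29:AB:CD:EF"
    print(stateless_autoconfigure(sample_mac, [], []))
    print(stateless_autoconfigure(sample_mac, ["2001:db8:1:2::/64"],
                                  ["2001:db8:1:2:20c:29ff:feab:cdef"]))
```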
Router Solicitation Message Header The ND ICMPv6 Router Solicitation message is sent by hosts to request an immediate Router Advertisement, instead of waiting for the next scheduled advertisement.
The IPv6 header contains the following key field information.
Source IPv6 Address: The source link-local address or the unspecified address (if no address has been assigned).
Destination IPv6 Address: Usually the all-routers multicast address.
Hop Limit: 255.
Priority: 15.
Authentication Extension Header: If an Authentication header security association exists, the source should include this extension header.
The Router Solicitation message header is illustrated in Figure 11.2.

FIGURE 11.2 ICMPv6 Router Solicitation message header (bit offsets 0, 8, 16, 31): Type | Code | Checksum, then Reserved, then Options

The Router Solicitation message header contains the following fields.
Type (eight bits): 133.
Code (eight bits): 0.
Checksum (16 bits): Used for error detection.
Reserved (32 bits): Unused field. Must be set to zero by the sender and ignored by the receiver.
Options (variable length): Contains the source node’s Data-Link layer address (if known). Future versions may allow more option types, hence the variable length.
Router Advertisement Message Header The Router Advertisement message is sent by routers on a schedule or in response to Router Solicitation messages. These messages contain information such as address prefixes for host autoconfiguration.
The IPv6 header contains the following key field information.
Source IPv6 Address: Must be the source link-local address.
Destination IPv6 Address: Usually the all-nodes multicast address, or the link-local address of the node that sent the router solicitation.
Hop Limit: 255.
Priority: 15.
Authentication Extension Header: If an Authentication header security association exists, the source should include this extension header.
The Router Advertisement message header is illustrated in Figure 11.3.

FIGURE 11.3 ICMPv6 Router Advertisement message header (bit offsets 0, 8, 16, 31): Type | Code | Checksum; Max Hop Limit | M | O | Reserved | Router Lifetime; Reachable Time; Retransmit Time; Options

The Router Advertisement message header contains the following fields.
Type (eight bits): 134.
Code (eight bits): 0.
Checksum (16 bits): Used for error detection.
Max Hop Limit (eight bits): Specifies the default value for the IPv6 header hop limit field. A value of zero indicates an unspecified hop limit by this router.
M (one bit): Managed address configuration flag. When set, nodes use stateful configuration and stateless autoconfiguration.
O (one bit): Other address configuration flag. When set, nodes use stateful configuration for all non-address configuration.
Reserved (six bits): Unused field. Must be set to zero by the sender and ignored by the receiver.
Router Lifetime (16 bits): The lifetime, in seconds, associated with the default router. The lifetime spans from 0 to 65535 seconds (18.2 hours). The value only applies if the router is considered a default router. If the value is zero, it is not a default router and therefore should not appear on the default router list.
Reachable Time (32 bits): The length of time, in milliseconds, a node considers a neighbor to be reachable. Time is calculated from the last reachability confirmation. This field is used by the Neighbor Unreachability Detection algorithm (see the following Note). A value of zero indicates the reachable time is unspecified for this router.

Note: The Neighbor Unreachability Detection algorithm allows a node to check the reachability “state” of paths between itself and its neighbor nodes. Router-to-router reachability checks are not necessary if routing protocols exist that perform the same task. If a path fails, the solution will depend on the neighbor. If the neighbor is a host, address resolution will be repeated. If the neighbor is a router, another router will be used. Neighbor Unreachability Detection is only used for unicast address destinations.

Retransmit Time (32 bits): The length of time, in milliseconds, between retransmissions of a Neighbor Solicitation message. This field is used by address resolution and the Neighbor Unreachability Detection algorithm. A value of zero indicates that the retransmit time is unspecified for this router.
Options (variable length): Currently, the options field can contain the following three types of information:
The Data-Link layer address of the source node sending this router advertisement.
The MTU for links that have variable MTUs.
The prefix used by hosts for address autoconfiguration. A router on the link should include all prefixes (all prefixes except its link-local address) so that multihomed hosts can choose the correct interface for sending packets.
Advantages and Disadvantages of Stateless Autoconfiguration
The main advantage of stateless autoconfiguration is its ease of use:
No server is needed.
No host configuration is necessary.
Minimal (if any) router configuration is necessary.
However, several disadvantages exist as well:
Lack of security: Provides no means to determine whether the client requesting the IP configuration information is an authorized entity or an intruder.
Lack of configuration parameters: Prevents clients from receiving any other TCP/IP configuration parameters, such as name server or default gateway addresses. Clients usually need more than an IP address for network connectivity.
Stateless autoconfiguration is ideal when administrators are not concerned with specific IP addresses, but only that each IP address is unique and routable.
Stateful Configuration
Stateful configuration offers tighter control over IP addresses and more configuration options than stateless autoconfiguration. It requires an address server to assign addresses to clients from an address pool. An administrator must configure the addresses that will be allocated, as well as the duration of the allocation. Stateful configuration can pass additional configuration information to the requesting system, such as the IP addresses of name servers and default gateways. It can also implement basic authentication security and determine whether to allocate an IP address to the system, depending on the system’s identity. The Dynamic Host Configuration Protocol (DHCP) is currently the main server implementation of IPv4 and IPv6. The IPv6 version is defined in the Internet draft Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
Advantages and Disadvantages of Stateful Configuration
The main advantages of stateful configuration are as follows:
It allows additional configuration parameters for the requesting systems.
It provides basic authentication to determine which systems can receive configuration data.
The disadvantages are as follows:
It requires a server.
It requires an administrator.
Stateless autoconfiguration and stateful configuration can complement each other by allowing a host to configure its IP address with stateless autoconfiguration, and then receive additional information from stateful configuration.
Address Resolution
IPv4 has a variety of protocols that handle address resolution. The most common implementation is the Address Resolution Protocol (ARP) used on Ethernet and FDDI networks. The designers of IPv6 did not want to drastically change the way IPv4 address resolution is performed. To meet this objective, they used the ND protocol—more specifically, the ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages of ND. The advantage of using IPv6 ND for address resolution is that it is media-independent. When using IPv4, ARP works on Ethernet and FDDI networks, but a different address resolution protocol is needed for broadband networks such as ATM. By including the ND methods in an IPv6 ICMP message, the same methods can be used regardless of media. The overall process is straightforward and operates similarly to ARP: A Neighbor Solicitation message is sent by a node (host or router) to determine the destination node’s Data-Link layer address. The destination node will respond with a Neighbor Advertisement message containing its Data-Link layer address, which will be sent to the requesting node.
The neighbor cache can be viewed to verify the state of ND address resolution. It defines the reachability state of all neighbors. The basic format is as follows:
[interface] [ipv6 address] [hardware address] [reachability state]
The following five possible reachability states exist (not including permanent).
Incomplete: The Data-Link layer address is undetermined because address resolution is in progress.
Reachable: The neighbor has been reachable within the last 10 seconds.
Stale: It is unknown whether the neighbor is reachable. Packets must be sent to this neighbor to test reachability. Reachability confirmations will not be attempted.
Delay: It is unknown whether the neighbor is reachable. Packets were recently sent to this neighbor, but the probe process (see the following state) will be delayed. This delay allows time for upper-layer protocols to provide reachability confirmation.
Probe: It is unknown whether the neighbor is reachable. The system is sending unicast Neighbor Solicitation messages to verify reachability.
Neighbor Solicitation Message Header
The Neighbor Solicitation message is sent by nodes (hosts and routers) to determine the Data-Link layer addresses of nodes on the same link. It includes the Data-Link layer address of the node sending the Neighbor Solicitation message. The message is also used to verify cached Data-Link layer addresses and detect duplicate addresses.
The IPv6 header contains the following key field information.
Source IPv6 Address: An address assigned to the source node’s interface, or the unspecified address (if a duplicate address has been detected).
Destination IPv6 Address: Usually the solicited-node multicast address for address resolution, or a unicast target address.
Hop Limit: 255.
Priority: 15.
Authentication Extension Header: If an Authentication header security association exists, the source should include this extension header.
The Neighbor Solicitation message header is illustrated in Figure 11.4.
FIGURE 11.4 ICMPv6 Neighbor Solicitation message header (bit positions 0, 8, 16 and 31; fields Type, Code, Checksum, Reserved, Target Address, Options)
The Neighbor Solicitation message header contains the following fields.
Type (eight bits): 135.
Code (eight bits): 0.
Checksum (16 bits): Used for error detection.
Reserved (32 bits): Unused field. Must be set to zero by the sender and ignored by the receiver.
Target Address (128 bits): The IPv6 address of the solicitation target (cannot be a multicast address).
Options (variable length): Contains the source node’s Data-Link layer address. Future versions may allow more option types, hence the variable length.
Neighbor Advertisement Message Header
The Neighbor Advertisement message is sent by nodes in response to Neighbor Solicitation messages and carries the requested information, such as the solicited node’s Data-Link layer address. Unsolicited Neighbor Advertisement messages can also be sent by a node to indicate a Data-Link layer address change.
The IPv6 header contains the following key field information.
Source IPv6 Address: An address assigned to the source node’s interface.
Destination IPv6 Address: Usually the source address of the node that sent the neighbor solicitation. If that address is the unspecified address, the all-nodes multicast address is used. If the advertisement is unsolicited (for example, scheduled), then the all-nodes multicast address is used.
Hop Limit: 255.
Priority: 15.
Authentication Extension Header: If an Authentication header security association exists, the source should include this extension header.
The Neighbor Advertisement message header is illustrated in Figure 11.5.
FIGURE 11.5 ICMPv6 Neighbor Advertisement message header (bit positions 0, 8, 16 and 31; fields Type, Code, Checksum, R, S, O, Reserved, Target Address, Options)
The Neighbor Advertisement message header contains the following fields.
Type (eight bits): 136.
Code (eight bits): 0.
Checksum (16 bits): Used for error detection.
R (one bit): Router flag. When set, it indicates that the sender is a router. This flag is used by the Neighbor Unreachability Detection process to determine whether a router has become a host.
S (one bit): Solicited flag. When set, it indicates that the message is a Neighbor Solicitation response. This flag is used by the Neighbor Unreachability Detection process to confirm reachability.
O (one bit): Override flag. When set, it will override the existing cache entry and update the Data-Link layer address.
Reserved (29 bits): Unused field. Must be set to zero by the sender and ignored by the receiver.
Target Address (128 bits): If the advertisement was solicited, this field contains the address from the Target Address field of the Neighbor Solicitation message. If not solicited, it contains the address whose Data-Link layer address has changed.
Options (variable length): Contains the Data-Link layer address of the source node (the sender of the Neighbor Advertisement). Future versions may allow more option types, hence the variable length.
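The three header layouts described above (Router Advertisement, Neighbor Solicitation, Neighbor Advertisement) as a small Python encoder and decoder, added here as an example and not code from the book or from any IPv6 stack. It computes the ICMPv6 checksum over the IPv6 pseudo-header, decodes the fields named in the text, and applies the receiver checks those descriptions imply (Hop Limit 255, Code 0, a valid checksum, a non-multicast solicitation target, a link-local advertisement source); the addresses and MAC addresses in the test are constructed sample values.

```python
import ipaddress
import struct

# ICMPv6 type values and the fixed IPv6 header values given in the chapter.
ROUTER_ADVERTISEMENT, NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT = 134, 135, 136
ND_HOP_LIMIT = 255                             # every ND message is sent with Hop Limit 255
IPPROTO_ICMPV6 = 58
SRC_LLADDR_OPTION, TGT_LLADDR_OPTION = 1, 2    # sender's / target's Data-Link layer address option

def icmpv6_checksum(src, dst, message):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(message), IPPROTO_ICMPV6))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _with_checksum(src, dst, body):
    """Fill in the Checksum field (bytes 2-3) of a message that was built with it zeroed."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

def lladdr_option(opt_type, mac):
    """Link-layer address option: type, length in 8-octet units (1 for Ethernet), 6-byte MAC."""
    return struct.pack("!BB6s", opt_type, 1, bytes.fromhex(mac.replace(":", "")))

def build_neighbor_solicitation(src, dst, target, src_mac):
    body = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0)   # type, code, checksum, 32 reserved bits
    body += ipaddress.IPv6Address(target).packed
    return _with_checksum(src, dst, body + lladdr_option(SRC_LLADDR_OPTION, src_mac))

def build_neighbor_advertisement(src, dst, target, target_mac, router=False, solicited=True, override=True):
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)  # R, S, O + 29 reserved
    body = struct.pack("!BBHI", NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
    body += ipaddress.IPv6Address(target).packed
    return _with_checksum(src, dst, body + lladdr_option(TGT_LLADDR_OPTION, target_mac))

def parse_options(data):
    """Walk the variable-length Options field; a zero-length or truncated option is malformed."""
    options = []
    while data:
        if len(data) < 2 or data[1] == 0 or len(data) < data[1] * 8:
            raise ValueError("malformed option")
        opt_type, size = data[0], data[1] * 8
        value = data[2:size]
        if opt_type in (SRC_LLADDR_OPTION, TGT_LLADDR_OPTION) and size == 8:
            value = ":".join("%02x" % b for b in value)   # render the MAC as the neighbor cache shows it
        options.append((opt_type, value))
        data = data[size:]
    return options

def parse_nd_message(message):
    """Decode the fixed part of an RA, NS or NA message into the fields named in the text."""
    mtype, code, checksum = struct.unpack("!BBH", message[:4])
    fields = {"type": mtype, "code": code, "checksum": checksum}
    if mtype == ROUTER_ADVERTISEMENT:
        hop, flags, lifetime, reach, retrans = struct.unpack("!BBHII", message[4:16])
        fields.update(max_hop_limit=hop, M=bool(flags & 0x80), O=bool(flags & 0x40),
                      reserved=flags & 0x3F, router_lifetime=lifetime,
                      reachable_time=reach, retransmit_time=retrans)
        rest = message[16:]
    elif mtype in (NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT):
        word = struct.unpack("!I", message[4:8])[0]
        fields["target"] = str(ipaddress.IPv6Address(message[8:24]))
        if mtype == NEIGHBOR_ADVERTISEMENT:
            fields.update(R=bool(word >> 31 & 1), S=bool(word >> 30 & 1),
                          O=bool(word >> 29 & 1), reserved=word & 0x1FFFFFFF)
        else:
            fields["reserved"] = word
        rest = message[24:]
    else:
        raise ValueError("type %d is not a Router Advertisement, NS or NA" % mtype)
    fields["options"] = parse_options(rest)
    return fields

def validate_nd_message(src, dst, hop_limit, message):
    """Receiver-side checks drawn from the header descriptions; returns the reasons to discard."""
    problems = []
    if hop_limit != ND_HOP_LIMIT:              # anything below 255 has crossed a router
        problems.append("hop limit %d is not 255" % hop_limit)
    if icmpv6_checksum(src, dst, message) != 0:   # a message with a correct checksum sums to zero
        problems.append("bad checksum")
    try:
        fields = parse_nd_message(message)
    except (ValueError, struct.error) as exc:
        return problems + [str(exc)]
    if fields["code"] != 0:
        problems.append("code %d is not 0" % fields["code"])
    if fields["type"] == NEIGHBOR_SOLICITATION and ipaddress.IPv6Address(fields["target"]).is_multicast:
        problems.append("NS target is a multicast address")
    if fields["type"] == ROUTER_ADVERTISEMENT and not ipaddress.IPv6Address(src).is_link_local:
        problems.append("RA source is not a link-local address")
    return problems
```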
EXERCISE 11.1
Using Neighbor Discovery for address resolution
In this exercise, you will use Windows 2000 to view your neighbor cache, create ICMPv6 Neighbor Solicitation and Neighbor Advertisement packets, and analyze the packets using Network Monitor.
1. Open the command prompt. Enter the following command:
ipv6 nc
In this syntax, nc is the neighbor cache option.
2. View your system’s neighbor cache and examine the first two entries. Note the state of the neighbor cache entries (i.e., incomplete, reachable, stale, delay, or probe).
3. View your system’s IPv4 ARP cache by entering the following at the command prompt:
arp -a
4. Compare the ARP cache format to the IPv6 neighbor cache, and note similarities and differences.
5. To capture ND address resolution packets, open Network Monitor.
6. Select the Capture menu and choose Start.
7. Minimize Network Monitor.
8. To generate IPv6 ND packets, maximize the command prompt and enter the following:
ping6 System A’s IPv6 address
9. Maximize Network Monitor.
10. After the transmission is complete, select the Capture menu and choose Stop and View. Network Monitor will display the packets captured in the connectivity test.
11. Save the file as IPv6-ND.cap. A sample IPv6-ND.cap file is located on the supplemental disk.
12. Double-click the first ICMPv6 Neighbor Solicitation packet. Your screen should resemble Figure 11.6.
13. Note the following information:
The IPv6 address of the host sending the Neighbor Solicitation message.
The target IPv6 address that the host is attempting to resolve (to a Data-Link layer address).
The Data-Link layer address of the source.
14. Double-click the first ICMPv6 Neighbor Advertisement packet. Be sure it is the response to the ICMPv6 Neighbor Solicitation packet. Your screen should resemble Figure 11.7.
15. Note the following information:
The Data-Link layer address that the Neighbor Solicitation message requested.
The target ICMPv6 address of the Neighbor Advertisement; compare it with the address that the host was attempting to resolve in Step 13.
Consider the following questions:
What indicates that this Neighbor Advertisement is a response to a Neighbor Solicitation and not a scheduled advertisement?
Is the Neighbor Advertisement sender a router or a host? How can you tell?
Will the advertised Data-Link layer address update the neighbor cache in the destination computer?
16. Save the file (if necessary), and exit Network Monitor.
17. Open the command prompt. Enter the following command to view the neighbor cache:
ipv6 nc
18. Has the state of any neighbor cache entries changed? Why or why not?
FIGURE 11.6 IPv6 Neighbor Solicitation packet
FIGURE 11.7 IPv6 Neighbor Advertisement packet
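The reachability states listed earlier, the R, S and O flags of the Neighbor Advertisement, and the questions Exercise 11.1 asks about them, as a neighbor-cache state machine in Python; this is an added example, not code from the book or from Windows 2000. Time is passed in explicitly so each transition can be stepped through; the 10-second reachable time is the chapter's figure, while the other timer values and the addresses in the test are assumed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# The five reachability states listed in the text.
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "incomplete", "reachable", "stale", "delay", "probe"

@dataclass
class Entry:
    lladdr: Optional[str]        # Data-Link layer address; None while resolution is in progress
    state: str
    is_router: bool = False
    confirmed: float = 0.0       # time of the last reachability confirmation
    timer: float = 0.0           # when the current state's timer expires
    probes: int = 0              # Neighbor Solicitations sent without an answer

class NeighborCache:
    """Neighbor cache driven by the NUD timers and by Neighbor Advertisement flags."""

    def __init__(self, reachable_time=10.0, delay_first_probe=5.0, retrans_time=1.0, max_probes=3):
        self.reachable_time = reachable_time     # the text's "reachable within the last 10 seconds"
        self.delay_first_probe = delay_first_probe
        self.retrans_time = retrans_time         # Retransmit Time learned from Router Advertisements
        self.max_probes = max_probes
        self.entries = {}
        self.sent = []                           # (kind, neighbor) log of solicitations "sent"

    def send_packet(self, neighbor, now):
        """Called when the node wants to send to `neighbor`; returns the entry's state afterwards."""
        e = self.entries.get(neighbor)
        if e is None:                            # address resolution: multicast NS, queue the packet
            self.entries[neighbor] = Entry(None, INCOMPLETE, timer=now + self.retrans_time)
            self.sent.append(("multicast NS", neighbor))
            return INCOMPLETE
        if e.state == REACHABLE and now - e.confirmed > self.reachable_time:
            e.state = STALE
        if e.state == STALE:                     # send anyway; upper layers may confirm before probing
            e.state, e.timer = DELAY, now + self.delay_first_probe
        return e.state

    def tick(self, now):
        """Expire timers: DELAY -> PROBE, retransmit solicitations, delete after max_probes failures."""
        for neighbor, e in list(self.entries.items()):
            if e.state not in (INCOMPLETE, DELAY, PROBE) or now < e.timer:
                continue
            if e.probes >= self.max_probes:      # unreachable: drop the entry, next send re-resolves
                del self.entries[neighbor]
                continue
            if e.state == DELAY:
                e.state = PROBE
            self.sent.append(("unicast NS" if e.state == PROBE else "multicast NS", neighbor))
            e.probes += 1
            e.timer = now + self.retrans_time

    def upper_layer_confirmation(self, neighbor, now):
        """Forward progress reported by a transport such as TCP also confirms reachability."""
        e = self.entries.get(neighbor)
        if e is not None and e.lladdr is not None:
            e.state, e.confirmed, e.probes = REACHABLE, now, 0

    def neighbor_advertisement(self, target, lladdr, R, S, O, now):
        """Apply an NA's Router, Solicited and Override flags to the entry for `target`."""
        e = self.entries.get(target)
        if e is None:                            # an NA for an unknown neighbor creates no entry
            return None
        if e.state == INCOMPLETE:
            e.lladdr = lladdr
            e.state = REACHABLE if S else STALE  # only a solicited advertisement proves reachability
        elif not O and lladdr != e.lladdr:       # O clear: a different address may not overwrite
            if e.state == REACHABLE:
                e.state = STALE
            return e.state
        else:
            changed = lladdr != e.lladdr
            e.lladdr = lladdr
            if S:
                e.state = REACHABLE
            elif changed:
                e.state = STALE
        e.is_router = R                          # R cleared on a former router: it became a host
        e.probes = 0
        if e.state == REACHABLE:
            e.confirmed = now
        return e.state
```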
Simple Internet Transition (SIT) Mechanisms
SIT is a set of protocol mechanisms designed to facilitate the transition to IPv6. SIT accomplishes the goals stated previously. It will be implemented in hosts and routers, and will include guidelines for IPv6 deployment and addressing issues. Mechanisms described in SIT are detailed in RFC 2185, Routing Aspects of IPv6 Transition, and RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers.
SIT begins by ensuring that IPv4 and IPv6 hosts can interoperate up to the point that IPv4 addresses are no longer available. After that, it will allow IPv6 and IPv4 to interoperate indefinitely but within a limited scope. IPv4 will never become obsolete with SIT.
SIT Features
The following SIT features will help provide a smooth transition to IPv6.
Low cost: Minimal work, if any, is required to update or deploy new IPv6 systems. An update to the operating system or TCP/IP stack will most likely be free for download from each host and router vendor.
Simple address transition: IPv4 routers and hosts that upgrade to IPv6 can still use IPv4 addresses.
Few prerequisites: Before hosts can use IPv6 name resolution, DNS servers must be upgraded to handle IPv6 address records. Routers have no such prerequisites.
No upgrade schedule: IPv4 routers and hosts can be upgraded one at a time. Network administrators can transition using their own schedules; host and router vendors can create IPv6 products at their own paces. Once the update is installed or deployed on all Internet hosts and routers, the transition to IPv6 will be complete. However, IPv4 will continue to exist on the Internet for several generations.
SIT Mechanisms
The following techniques are implemented using SIT.
Dual IP stacks: All hosts and routers in the initial stages of transition will have both IPv4 and IPv6 stacks, which means they will be capable of running both versions.
IPv4 address compatibility: IPv4 addresses can be embedded in IPv6 addresses (as discussed later in this chapter, in “IPv4 Address Compatibility”) to allow backward compatibility.
IPv6-in-IPv4 tunneling: IPv6 packets will be encapsulated in IPv4 headers to travel network segments without IPv6-capable routers. Tunneling is used on the 6Bone, a virtual network for testing IPv6 on the Internet.
Dual IP Stacks
The IPv4-to-IPv6 transition will use a dual IP stack approach, enabling the IPv6 Internet to be deployed in parallel with the IPv4 Internet. This strategy is integral to the transition’s success because all IPv6 hosts will need to be IPv4-compliant to communicate with the existing Internet. The name service will determine which stack is needed.
Dual IP Stack Support
IPv4 and IPv6 are similar in principle; only minor developments (a few kilobytes of downloaded code) are needed to convert an IPv4 computer to a dual-stack computer. Dual IP stack upgrades include the following four main areas:
IPv6 code (basic IPv6, ICMPv6, and Neighbor Discovery)
TCP/UDP handling with IPv6 (minor modifications to allow bigger addresses)
Sockets/Winsock library modifications to support IPv6 addresses and interface extensions
Name service interface
Routers will require more transition work than hosts because little overlap exists between IPv4 and IPv6 routing code. However, the concept of routers supporting two protocols is not new: Many routers currently support more than one Internet-layer protocol, such as IPv4 and Novell IPX. Upgrades to IPv4 routers include:
IPv6 forwarding code
IPv6 routing protocols
IPv6 management protocols
IPv6 transition mechanisms
IPv6 Name Service
Dual-stack transition requires that DNS servers be updated to support IPv6. The process is well under way: Many DNS servers have already been modified to handle 128-bit addresses. The DNS extensions required to support IPv6 are specified in RFC 1886. To support IPv6, name servers require a new record type. Typically, DNS servers store IPv4 addresses in a host record, or “A” record. IPv6 addresses are referenced by using “AAAA” records. DNS is easily converted to use IPv6 because it is an upper-layer protocol. Linux, Unix, and Windows 2000 are all capable of supporting DNS records for IPv6. The configuration varies slightly between these systems, as expected. In Linux or Unix, you will edit or create the zone file to create an AAAA record for the IPv6 entry for a host, and create a reverse zone file for reverse lookups. These files are typically found in /var/named/ and can be edited with vi or any text editor. In Windows, you will access the zone file through the Programs > Administrative Tools > DNS graphical tool. To add an IPv6 record to a Windows DNS server with the dual IP stack, simply right-click on the host in the DNS tool and select Other New Records, then select the IPv6 Host record to enter the system’s host name and IPv6 address. The record that is created is still an AAAA record for an IPv6 host address; it is only the method of accessing the zone file that varies, although the underlying files are text on both platforms. Your entry should look something like Figure 11.8.
FIGURE 11.8 Entering an IPv6 DNS AAAA record
If you have forgotten the system’s IPv6 address, you can obtain it by entering the ipv6 if command at the command prompt. Microsoft DNS did not support reverse lookups for IPv6 addresses at the time of this writing. BIND has supported AAAA name records since version 8, and included functionality for these record types in versions as early as 4.9.4, although the functionality was undocumented. Regardless of the operating system for the DNS server, it is valid to have the same host name for A and AAAA records. DNS will determine which address to use based on the application or utility that requests name resolution. If you configure an IPv6 DNS server as a separate system from your IPv4 DNS system, you will need to add it to the name servers for each client that you want to have both IPv4 and IPv6 name resolution, but if you are adding IPv6 functionality and host names to an existing IPv4 DNS server, no client DNS configuration changes will be required.
IPv4 Address Compatibility
IPv4 addresses can be embedded in IPv6 addresses using a combination of dotted decimal and double colon formats. This feature allows the IPv4 32-bit address to remain the same; no hexadecimal conversion is necessary. The IPv4 address is embedded by prefixing it with 96 zero bits, as illustrated in Figure 11.9. Using this format, the IPv4 address 192.168.3.13 translates to the abbreviated IPv6 address ::192.168.3.13.
FIGURE 11.9 IPv4-compatible address (0:0:0:0:0:0, 96 bits, followed by the 32-bit IPv4 address)
IPv4-address compatibility is important during the transition because it allows IPv6 hosts to use IPv4 networks as virtual interfaces for accessing IPv6 routers and hosts. This process is known as “tunneling,” and you will learn more about it in the next section.
EXERCISE 11.2
Testing IPv4-compatible address formats In this exercise, you will use an IPv4-compatible address to verify an IPv6 connection.
1. Note or determine the IPv4 address for System B.
2. Note the IPv6 address that is compatible with System B’s IPv4 address.
3. From a shell prompt on System A, test connectivity using the IPv4-compatible address. Enter:
# ping6 System B’s IPv4-compatible address
Note: If you do not have a Linux system with IPv6 compatibility and the ping6 command, you may do this step from a second Windows 2000 system with the dual IP stack installed.
4. Did you receive a reply? Note the responding address.
5. Express the IPv6 address that is compatible with System B’s IPv4 address in hexadecimal format. Use the scientific calculator in Windows 2000. For example, 192.168.3.13 translates to the IPv6 address ::C0A8:030D.
6. Test connectivity using an IPv4-compatible address in hexadecimal format. Enter:
ping6 System B’s IPv4-compatible hexadecimal address
7. Did you receive a reply? Note the responding address.
IPv6-in-IPv4 Tunneling: The 6Bone
The IPv6 Backbone is referred to as the 6Bone. It is a virtual network on the Internet for IPv6 testing that uses IPv6-in-IPv4 tunneling. The 6Bone consists of a set of IPv6 routers linked by tunnels. Each IPv6 router is called a region, or island, and has an IPv6 network attached to it. This network of islands connected by tunnels creates an IPv6 virtual network on top of the existing Internet, as shown in Figure 11.10.
FIGURE 11.10 6Bone (Islands 1 to 4, each with IPv6 hosts behind a dual IP stack router, linked by tunnels across the IPv4 Internet)
The 6Bone is a test bed for most IPv6 research and will eventually be absorbed into the IPv6 Internet. At the time of this writing, 39 countries hosted 6Bone sites. Research on the 6Bone includes:
Testing new host and router software
Testing routing protocols such as OSPFv6, RIPv6, BGPv4+, and IDRP
Testing address allocation and management procedures
Testing functionality of IPv6, including security, real-time support, and address autoconfiguration
The following two steps are required to join the 6Bone:
1. Prepare an island.
2. Install a connection.
Each island needs IPv6-capable hosts and at least one IPv6-capable router. However, a system need not be part of an island to connect to the 6Bone. Isolated IPv6 hosts may join the 6Bone if they are running a dual IP stack by tunneling to an IPv6 router on the 6Bone.
Tunneling Process
Tunnels allow IPv6 traffic to pass through non-IPv6-enabled sections of the Internet. To accomplish this, IPv6 packets are encapsulated in IPv6-over-IPv4 packets, as illustrated in Figure 11.11. The routers between the islands function as if they were processing regular IPv4 packets. The encapsulating IPv4 header is stripped off at the end of the tunnel and processed by the IPv6 router (or host).
FIGURE 11.11 IPv6-in-IPv4 tunneling (the IPv6 packet, IPv6 Header plus Payload, becomes the payload behind an IPv4 Header to form the IPv6-in-IPv4 packet)
Tunnels consist of two end-to-end IPv4 addresses, an MTU, and a TTL. The IPv4 protocol field is set to 41, which is the value for an IPv6 payload. The I

Pv4 packet length will equal 60 bytes (IPv4 header without extensions and IPv6 header) plus the IPv6 Payload field value. Tunnel MTU must be selected carefully to avoid fragmentation. Routers at both ends of a tunnel must monitor the tunnel’s MTU. If it is not set accurately, fragment reassembly by the end routers will consume memory and time. Lost fragments can cause the remaining fragments’ TTLs to run out, after which the entire IPv6 packet must be resent. This problem has appeared with MBone tunneling, which uses IP-in-IP. It is hoped that it will not be repeated by the 6Bone. Because IPv4 routing is dynamic, tunnels may be longer than expected. The packet should have a sufficient TTL to accommodate many hops.
An IPv6 packet considers a tunnel to consist of one hop. Therefore, the IPv6 hop count will be reduced by only one unit when relayed by the end router.
Connecting to the 6Bone
Tunneling can be accomplished between two routers that connect islands on the 6Bone, or between an isolated IPv6 host and a 6Bone router (or host). This section will describe the process of connecting an isolated host to the 6Bone, as illustrated in Figure 11.12.
FIGURE 11.12 Remote host connecting to an IPv6 network (an isolated IPv6 host tunnels to the dual-stack router of a 6Bone island of IPv6 hosts)
Without an IPv6 router, IPv6 hosts can only communicate with IPv6 hosts on the same link. For an isolated host to connect to the 6Bone, the following four requirements must be met:
The isolated host must have a dual-IP-stack configuration and a unique Internet IPv4 address.
The IPv4 address of the IPv6 router must be known.
The IPv6 router must accept and forward encapsulated packets.
Correct parameters must be set for the tunnel (particularly the MTU and TTL).
To locate an IPv6 router or host, you can contact organizations on the 6Bone and request that they “sponsor” your system. To learn more about obtaining a sponsor, visit the 6Bone web site at www.6bone.net and locate the “How to Join the 6Bone” link. Once you have found a sponsor, you will need the IPv4 address of its IPv6 router or host, also known as a tunnel endpoint.
Configuring the tunnel parameters will depend on your vendor’s implementation of IPv6, as follows.
Windows 2000: The Carpenter/Moore 6to4 method allows IPv6 sites to easily connect with one another over the existing IPv4 Internet infrastructure. For specifics, read the MSR 6to4 documentation at www.research.microsoft.com/msripv6/docs/6to4.htm. A web service called IPv6 Tunnel Broker is an Internet Information Server (IIS) plug-in that allows IPv6 systems to tunnel over the IPv4 Internet to access IIS web services. You can read about it and other Microsoft IPv6 services at www.research.microsoft.com/msripv6/msripv6.htm.
Linux: You need several scripts and tools to enable your system to communicate with the tunnel endpoint. For instructions, visit the Linux IPv6 home page at www.bieringer.de/linux/IPv6. You can locate the quick link “Connecting to the 6Bone through PPP with a dynamically allocated IPv4 address.” The instructions work for PPP and direct Internet connections.
To learn more about vendor implementations for hosts and routers, visit the IPng web page at http://playground.sun.com/pub/ipng/html and locate the “IPv6 Implementations” link.
Connecting to Isolated Hosts
If your computer is on the 6Bone (i.e., an IPv6 network) and is IPv4-capable, connecting to an IPv4 isolated host with dual IP stacks is easy. This process is the reverse of connecting to the 6Bone, as described in the previous section. The IPv6 host contacts the IPv4 host using an IPv4-compatible address, which has the prefix 0:0:0:0:0:0. The IPv6 host will immediately encapsulate the IPv6 packet and transmit it using an end-to-end IPv4 tunnel. The outbound packets will use the following addresses:
Destination (tunnel endpoint): the last 32 bits of the IPv4-compatible address.
Source: the outbound interface’s IPv4 address.
Because all hosts with dual IP stacks accept encapsulated IPv6 packets, the packet will arrive successfully at the destination computer. The destination host will remove the IPv4 header and access the IPv6 packet.
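The addressing and encapsulation rules from this and the two preceding sections (IPv4-compatible addresses, protocol 41, the 60-byte overhead, the tunnel MTU check, and the single hop charged when the tunnel exit strips the IPv4 header) as Python code, added here as an example and not code from the book or from any tunnel implementation. The packets and addresses in the test are constructed sample values, and setting the Don't Fragment bit on the outer header is my assumption rather than something the text prescribes.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                 # IPv4 Protocol field value for an IPv6 payload
IPV4_HEADER_LEN, IPV6_HEADER_LEN = 20, 40
V4_COMPATIBLE = ipaddress.IPv6Network("::/96")   # 96 zero bits followed by the 32-bit IPv4 address

def ipv4_compatible(v4):
    """192.168.3.13 -> ::192.168.3.13, which Python prints in the hexadecimal form ::c0a8:30d."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))

def embedded_ipv4(v6):
    """Tunnel endpoint: the last 32 bits of an IPv4-compatible address, or None if it is not one.
    The unspecified (::) and loopback (::1) addresses share the prefix but embed no IPv4 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in V4_COMPATIBLE or int(addr) in (0, 1):
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def header_checksum(header):
    """IPv4 header checksum: one's complement of the one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv6_packet(src, dst, payload, hop_limit=64, next_header=59):
    """Minimal IPv6 packet: 40-byte header (next header 59 = no next header) plus payload."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def encapsulate(ipv6_packet, src_v4, tunnel_mtu=1500, ttl=64):
    """Tunnel entry on a dual-stack host: derive the IPv4 endpoint from the IPv4-compatible
    destination, refuse anything that would fragment, and prepend a protocol-41 IPv4 header."""
    if len(ipv6_packet) < IPV6_HEADER_LEN or ipv6_packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", ipv6_packet[4:6])[0]
    dst_v4 = embedded_ipv4(ipaddress.IPv6Address(ipv6_packet[24:40]))
    if dst_v4 is None:
        raise ValueError("destination is not IPv4-compatible: no tunnel endpoint known")
    total_len = IPV4_HEADER_LEN + IPV6_HEADER_LEN + payload_len      # the text's 60 bytes plus payload
    if total_len > tunnel_mtu:
        raise ValueError("%d bytes exceeds the tunnel MTU of %d; would fragment" % (total_len, tunnel_mtu))
    # Version/IHL, TOS, total length, id, flags (DF set, assumed) + offset, TTL, protocol, checksum, addresses
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(src_v4).packed, dst_v4.packed)
    header = header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]
    return header + ipv6_packet

def decapsulate(ipv4_packet):
    """Tunnel exit: check protocol 41 and the header checksum, strip the IPv4 header, and charge
    the whole tunnel as one hop by decrementing the IPv6 Hop Limit once."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or len(ipv4_packet) < ihl + IPV6_HEADER_LEN:
        raise ValueError("truncated packet")
    header = ipv4_packet[:ihl]
    if header[9] != IPPROTO_IPV6 or header_checksum(header) != 0:   # a valid header sums to zero
        raise ValueError("not a valid IPv6-in-IPv4 packet")
    total_len = struct.unpack("!H", header[2:4])[0]
    inner = bytearray(ipv4_packet[ihl:total_len])
    if inner[7] == 0:                                                  # hop limit is byte 7 of the IPv6 header
        raise ValueError("hop limit exhausted")
    inner[7] -= 1
    return bytes(inner)
```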
Summary
In this chapter, you learned detailed functionality of ICMPv6 and how to transition an existing IPv4 host or network to use IPv6. Earlier chapters described the need for IPv6 and the overall architecture, and finally there is a payback for the internetworking professional—the reduced network management of stateless autoconfiguration and stateful configuration. You also studied the new address resolution method of Neighbor Discovery (ND), which uses ICMPv6 messages not included in ICMPv4. You studied the ICMPv6 messages that have been removed and revised from ICMPv4. After an in-depth look at stateless autoconfiguration, stateful configuration, and address resolution, including ICMPv6 message headers, you captured and analyzed the address resolution packets on your network. Finally, you identified reachability states in your neighbor cache. You learned that the key goal of IPv6 transition is to make it as smooth as possible. You studied a set of protocol mechanisms called Simple Internet Transition mechanisms designed to make this goal a reality. These mechanisms outline many of the host and router aspects detailed in RFCs 2185 and 1933. You examined the dual-IP-stack strategy and we discussed configuring a DNS server to resolve IPv6 addresses. You also created IPv4-compatible addresses and tested them with both Linux and Windows systems. Finally, you discovered the 6Bone and its functions, you learned how IPv6-in-IPv4 tunneling allows the 6Bone to exist on the IPv4 Internet, and you studied the 6Bone connection process. One sign of a professional administrator is that they recognize when to expend effort to reach a new level of functionality. IPv6 offers new functionality, and a smooth transition process. Some of the features developed specifically for IPv6 have been back-ported into IPv4, but it is only a matter of time and IPv4 address depletion before a global push to migrate to IPv6 occurs. You are ready now.
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
6Bone
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol version 6 (ICMPv6)
island
neighbor cache
Neighbor Discovery (ND)
region
stateful configuration
stateless autoconfiguration
Exam Essentials
Identify IPv6 elements that reduce network management overhead. Address configuration in particular is less time-consuming with IPv6. Autoconfiguration—both stateless autoconfiguration and stateful configuration—as well as Neighbor Discovery reduce network management time spent assigning IP addresses and DHCP scopes.
Understand Neighbor Discovery and its functions. Neighbor Discovery is a protocol that allows nodes on a segment to automatically identify other local nodes, both routers and hosts. ND allows hosts to find routers, and routers to advertise their presence. ND also enables all nodes, routers and hosts, to resolve Data-Link layer addresses, to discover and maintain reachability information about other nodes, and to provide path status to active neighbors.
Be able to compare and contrast ICMPv6 with ICMPv4. ICMPv6 is not compatible with ICMPv4, as it integrates IGMP routing, handled separately in IPv4, and streamlines local address resolution with Neighbor Discovery messages. Some ICMP fields were expanded to handle the larger addresses of IPv6.
Identify removed, revised, and new ICMPv6 message types.
ICMPv6 removes IPv4 functions that are no longer needed, such as Source Quench, and both the Request and Reply messages of the Timestamp, Information, and Subnet Mask IPv4 message types. Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem, and Redirect are revised, but perform functions similar to those of their ICMPv4 counterparts.

Be able to define the IPv6 plug-and-play processes of stateless autoconfiguration and stateful configuration.
Stateless autoconfiguration is a process by which an IPv6 node may request an address and, if none is provided, may create its own address and verify the uniqueness of that address on the local link. In stateful configuration, a server (typically DHCP) assigns an IPv6 address to the requesting node, and may also pass additional information.

Understand Router Solicitation and Router Advertisement ICMPv6 messages, and know how they function with stateless autoconfiguration.
A Router Solicitation message is sent by hosts, requesting an immediate response from a local router. The Router Advertisement is sent by routers on a schedule or in response to a Solicitation message, and contains address prefix information for stateless autoconfiguration. If no router is found, the host will use its hardware address to create a link-local IPv6 address.

Identify ICMPv6 message headers.
ICMPv6 message headers include five message types for Neighbor Discovery: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect. Error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem. Queries include Echo Request and Echo Reply. Group membership messages are Group Membership Query, Group Membership Report, and Group Membership Reduction.

Be able to explain address resolution using Neighbor Discovery.
Neighbor Discovery uses ICMPv6 messages to locate a local router, or to determine that none exists, and to identify other IPv6 hosts on the local segment. A Neighbor Solicitation is sent to determine the destination node's Data-Link layer address; the destination answers with a Neighbor Advertisement message carrying that address. This information is kept in the neighbor cache.
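The following Python is an added example, not code from the book, that works through what a host derives for itself during stateless autoconfiguration when no router answers its Router Solicitation: the modified EUI-64 interface identifier built from a 48-bit MAC address, the resulting fe80::/64 link-local address, the solicited-node multicast group that the Neighbor Solicitation is addressed to, and the Duplicate Address Detection outcome. The MAC address and the advertised targets are constructed sample values; the ICMPv6 type number 135 for Neighbor Solicitation comes from RFC 4861, not from the book.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC address into the 64-bit modified EUI-64 interface
    identifier used for IPv6 link-local addresses.

    The three-octet OUI and the three-octet device id are split, 0xFFFE is
    inserted between them, and the universal/local bit (bit 1 of the first
    octet) is inverted, as described in RFC 4291, Appendix A.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02  # invert the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Address a host builds for itself when no Router Advertisement supplies a
    prefix: fe80::/64 followed by the modified EUI-64 interface identifier."""
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | iid)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target.

    A Neighbor Solicitation goes to this group instead of to every node, so
    only hosts whose addresses share those 24 bits have to process it.
    """
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def dad_neighbor_solicitation(mac: str) -> dict:
    """Fields of the Neighbor Solicitation a host sends for Duplicate Address
    Detection on its tentative link-local address.

    The packet comes from the unspecified address because the host may not use
    the tentative address until DAD finishes; the target names the address
    being tested.
    """
    tentative = link_local_address(mac)
    return {
        "icmpv6_type": 135,  # Neighbor Solicitation (RFC 4861)
        "src": "::",  # unspecified: the tentative address is not yet usable
        "dst": str(solicited_node_multicast(tentative)),
        "target": str(tentative),
    }


def dad_outcome(mac: str, advertised_targets) -> str:
    """Decide DAD for the host with this MAC.

    advertised_targets stands in for the targets of any Neighbor Advertisement
    (or competing Neighbor Solicitation) seen on the link during the wait
    period. A match means another node already holds the address, which the
    host must then not configure.
    """
    tentative = link_local_address(mac)
    in_use = {ipaddress.IPv6Address(t) for t in advertised_targets}
    return "duplicate" if tentative in in_use else "unique"


if __name__ == "__main__":
    # Constructed sample MAC address, not one taken from the book.
    sample_mac = "00:1a:2b:3c:4d:5e"
    print(mac_to_modified_eui64(sample_mac).hex())  # 021a2bfffe3c4d5e
    print(link_local_address(sample_mac))  # fe80::21a:2bff:fe3c:4d5e
    print(dad_neighbor_solicitation(sample_mac))
    # Another node on the link already answers for the same address.
    print(dad_outcome(sample_mac, ["fe80::21a:2bff:fe3c:4d5e"]))  # duplicate
    print(dad_outcome(sample_mac, ["fe80::1"]))  # unique
```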
Be able to compare Neighbor Discovery to Address Resolution Protocol (ARP).
Neighbor Discovery performs the same function on IPv6 networks that ARP does on IPv4 networks. A benefit of ND is that it will operate with any media, while ARP was created for Ethernet and will only work with certain other media. Neighbor Discovery is included in the IPv6 protocol, as ICMPv6 messages, while ARP messages are a separate protocol from IPv4.

Understand the Simple Internet Transition (SIT) mechanisms.
SIT provides IPv4 address compatibility, IPv6 in IPv4 tunneling, and dual IP stacks, all of which combine to make the migration to IPv6, and the coexistence of IPv4 and IPv6, as simple as possible.

Know the issues involved in IPv4-to-IPv6 migration, including addressing and DNS.
The dual stack transition requires that DNS servers be upgraded to support IPv6, and many already support this. IPv6 host names are referenced in DNS with AAAA records, and as in any migration, the DNS changes are important to a smooth migration. Routers require more transition work than hosts, because little overlap exists between IPv4 and IPv6 routing code.

Understand the dual IP stack strategy and how it will be supported.
Dual IP stack upgrades allow hosts and routers to work with both IPv4 and IPv6 in the same configuration, so the IPv6 upgrades may be deployed in parallel to the existing IPv4 infrastructure. IPv4 will remain in use for generations.

Know the purpose of the 6Bone.
The 6Bone is a virtual network on the Internet for research and testing of IPv6 features, such as host and router software, routing protocols, address allocation and management procedures, and the functionality and security of IPv6.

Be able to define tunneling and relate it specifically to the 6Bone.
Tunneling to the 6Bone is the process of creating an IPv4 tunnel between two dual IP stack routers. This tunnel carries IPv6 packets encapsulated in IPv4 packets across the IPv4 Internet to and from the 6Bone, the IPv6 backbone. A tunnel can also exist between an isolated host with a dual IP stack and a dual IP stack router on the 6Bone.
Review Questions

1. Which of the following ICMPv6 message types is used to indicate a packet that exceeds the MTU for a given network segment?
   A. Source Quench
   B. Packet Too Big
   C. Timestamp Request
   D. Subnet Mask Reply

2. Which of the following describes a difference between IPv4 ICMP and ICMPv6?
   A. ICMPv6 includes the functions of the IPv4 IGMP.
   B. IPv4 IGMP multicast control functions are removed in ICMPv6.
   C. ICMPv6 fields are reduced in size to accommodate smaller IPv6 fields.
   D. The ICMPv6 header is identified by a Type 1 header instead of a Type 2 header.

3. Which of the following IPv4 ICMP message types has been removed in ICMPv6?
   A. Router Solicitation
   B. Group Membership Reduction
   C. Neighbor Advertisement
   D. Subnet Mask Request/Subnet Mask Reply

4. Which of the following ICMPv6 error messages indicates a packet was discarded because its hop limit reached zero?
   A. Echo Request
   B. Group Membership Reduction
   C. Time Exceeded
   D. Packet Too Big
5. Which of the following describes a characteristic of stateless autoconfiguration?
   A. It allows clients to automatically configure their own IP addresses with or without IPv6 routers.
   B. It offers tighter control over IP addresses and more configuration options than the other type of autoconfiguration.
   C. It can pass additional configuration information to the requesting system, such as the IP addresses of name servers and default gateways.
   D. It requires a server and an administrator.

6. Which of the following describes the Reachable state in IPv6 address resolution?
   A. Packets must be sent to this neighbor to test reachability.
   B. The neighbor has been reachable within the last 10 seconds.
   C. The Data-Link layer address is undetermined because address resolution is in progress.
   D. The system is sending unicast Neighbor Solicitation messages to verify reachability.

7. What message is sent by nodes to determine the Data-Link layer address of nodes on the same link?
   A. Neighbor Advertisement
   B. Address Resolution Protocol (ARP)
   C. Neighbor Solicitation
   D. Echo Request

8. How long will IPv4 continue to exist on the Internet once the transition to IPv6 is complete?
   A. For one year
   B. For several generations
   C. For six months
   D. Permanently
9. Which of the following describes a dual IP stack upgrade to a host (as opposed to a router upgrade)?
   A. IPv6 forwarding code
   B. IPv6 code (basic IPv6, ICMPv6, and ND)
   C. IPv6 management protocols
   D. IPv6 transition mechanisms

10. To support IPv6, name servers require:
   A. socket modifications.
   B. a new record type.
   C. a host record.
   D. an additional upper-layer protocol.

11. Which of the following IPv6 addresses is the equivalent of the IPv4 address 208.100.13.200?
   A. fe80::208.100.13.200
   B. 208:100:13:200
   C. 208.100::13.200
   D. ::208.100.13.200

12. What is another name for each IPv6 region?
   A. Tunnel
   B. Island
   C. Host
   D. Backbone
13. Which of the following is a requirement for an isolated host to join the 6Bone using tunneling?
   A. The host must have the IPv6 address of the tunnel endpoint.
   B. The host must have only the IPv6 stack installed.
   C. The host must have a dual-IP stack configuration and a unique IPv4 address.
   D. Tunneling is not used to join the 6Bone.

14. Which of the following accurately describes a tunneling connection to the 6Bone?
   A. A 6Bone tunnel connects two IPv6 routers.
   B. A 6Bone tunnel passes IPv6 packets encapsulated in IPv4 packets.
   C. A 6Bone tunnel requires both a dual IP stack and an IPv6 capable router.
   D. A 6Bone tunnel passes IPv4 packets encapsulated in IPv6 packets.

15. Why is MTU important for tunneling to the 6Bone?
   A. Because IPv4 routing can fragment packets, a high MTU will overload destination routers as they reassemble fragmented packets.
   B. If the MTU is too low, a tunnel will be very slow.
   C. IPv6 MTU is dynamically determined, but too high an MTU will cause excessive renegotiation of the MTU by tunnel endpoints.
   D. If the MTU is set too high, packet loss will occur if different routes handle the same traffic.

16. Which of the following describes a "tunnel endpoint" for connecting to the 6Bone?
   A. The IPv6 address of the connecting router
   B. The IPv6 address of the connecting host
   C. The IPv6 address of the "sponsor" 6Bone router
   D. The IPv4 address of the "sponsor" IPv6 router
17. Besides MTU, what parameter is vital for correct configuration of a tunnel to the 6Bone?
   A. Hop Limit
   B. Time Exceeded
   C. TTL
   D. Flow Label

18. Which process is performed during both stateless autoconfiguration and stateful configuration?
   A. Neighbor Unreachability Detection
   B. Duplicate Address Detection
   C. Neighbor Solicitation
   D. Neighbor Discovery

19. Which comparison of IPv4 and IPv6 hardware address resolution is correct?
   A. IPv6 Neighbor Discovery is media-independent.
   B. IPv4 ARP and RARP are more flexible than IPv6 ND.
   C. IPv6 eliminates caching of hardware addresses.
   D. MAC addresses used by IPv4 are not used at all in IPv6 addressing.

20. Which of the following is NOT a step performed during both stateless autoconfiguration and stateful configuration?
   A. Determine information to be autoconfigured.
   B. Create a link-local address.
   C. Determine the host name.
   D. Verify uniqueness of a link-local address.
Answers to Review Questions

1. B. Source Quench, Timestamp Request/Reply, and Subnet Mask Request/Reply have been removed from ICMPv6.

2. A. The IGMP multicast functions are included in ICMPv6, which has a larger field size and a Type 2 header.

3. D. The other three message types were added to ICMPv6.

4. C. The ICMPv6 Time Exceeded indicates that a Hop Limit field has been decremented to zero.

5. A. The other three features listed are features of stateful configuration, not stateless autoconfiguration.

6. B. If packets must be sent, this neighbor is Stale. If address resolution is in progress, the neighbor is Incomplete, and if the system is sending unicast Neighbor Solicitation messages, the address resolution state is Probe.

7. C. The Neighbor Advertisement message is sent in response to Neighbor Solicitation, Echo Request is a ping, and ARP is the IPv4 IP-to-hardware resolution protocol.

8. B. The compatibility between IPv4 and IPv6 not only will ease the transition, it will also allow legacy IPv4 devices and addresses to continue to exist on an IPv6 Internet for generations.

9. B. IPv6 forwarding code, management protocols, and transition mechanisms are all elements of a router upgrade to support IPv6, not a host upgrade.

10. B. IPv4 addresses are referenced with a host record or "A" record in DNS. The new IPv6 record type is the "AAAA" record type in DNS. For some DNS software, this is no longer a "new" record type.
11. D. IPv4 addresses may be written in mixed mode notation, with a double colon to denote multiple null fields, and dotted quad notation to denote decimal rather than hexadecimal values, and for readability.

12. B. A tunnel is how an IPv6 region connects to another island, through the IPv4 Internet; a host is simply a system, and the backbone is the main set of routers and connections.

13. C. The host must have both a dual-IP stack configuration, in order to be able to perform IPv4 tunneling, and a unique IPv4 address, in order to be referenced by the other end of the tunnel.

14. B. The tunneling connection to the 6Bone passes IPv6 packets encapsulated in IPv4 packets over the current IPv4 Internet. A router is not required, if an isolated host has a dual IP stack installed, in order to tunnel to a router or another host.

15. A. IPv4 routers can fragment packets, but a low MTU will prevent this. The dynamic MTU determined by IPv6 is not possible with IPv4 intermediate routers. Packet loss may occur if MTU is too high, but because of processing fragments, not routes.

16. D. The tunnel endpoint is defined by the IPv4 address of the 6Bone router, which is both IPv4 and IPv6 capable. The IPv4 address of the connecting host could be considered a tunnel endpoint, if the host is isolated, with a dual IP stack configuration, but that option is not listed.

17. C. The TTL is important for the tunnel, which is an IPv4 tunnel. All of the other parameters listed are IPv6 parameters, and do not pertain to the tunnel.

18. B. The Duplicate Address Detection algorithm is performed in both stateless autoconfiguration and stateful configuration, while the Neighbor Unreachability Detection algorithm is for determining reachability state between existing neighbors, and the Neighbor Solicitation is also a post-configuration process. Neighbor Discovery is the entire process.
19. A. IPv6 ND is media independent, while IPv4 ARP and RARP only work on Ethernet and FDDI; broadband networks require a different address resolution protocol. IPv6 still caches hardware addresses, but it is called a neighbor cache rather than an ARP cache. The MAC address is used in IPv6 to ensure uniqueness.

20. C. All of these are performed in both stateful configuration and stateless autoconfiguration, except determining host name. This is independent of the IPv6 address configuration process.
Glossary
6Bone
A virtual network for testing IPv6 on the Internet.
Abstract Syntax Notation 1 (ASN.1)
A data representation format developed by the ISO and used by SNMP to create MIB objects.

address
The logical or physical address of a system, commonly a 32-bit IPv4 address, a 128-bit IPv6 address, or a 48-bit Ethernet MAC address. In DNS, an A record is an address record that associates an IP address with a host's fully qualified domain name.

address autoconfiguration
The dynamic assignment of IP addresses. Includes stateless and stateful methods of autoconfiguration. Also known as plug-and-play autoconfiguration.

Address Resolution Protocol (ARP)
The protocol used to map Network Access layer addresses (such as Ethernet) to Internet addresses.

Advanced Research Projects Agency Network (ARPANET)
A computer network funded by ARPA, which served as the basis for early networking research and was the backbone during the development of the Internet.

agent
A TCP/IP software module that compiles, stores, and provides information about the managed device on which it resides.

agent discovery
In Mobile IP, when home agents and foreign agents indicate their availability on each service link.

agent registration
In Mobile IP, when a foreign network registers its care-of address to its home agent.

Aggregatable Global Unicast
An IPv6 address type that is both unique within the IPv6 address space and aggregatable, hence routable through an IPv6 network.

alias
A short, easy-to-remember name. Used in system initialization files such as .cshrc or .profile. Also used to simplify e-mail addresses.

American National Standards Institute (ANSI)
An organization responsible for approving standards in the United States. These standards are referred to as ANSI standards. ANSI is a member of the International Organization for Standardization (ISO).
anycast address
Similar to multicast; references a group of systems. Transmits data by finding the closest member and sending messages only to that member of the group. Found in IPv6.

application gateway
Systems that inspect all packets addressed to a user-level application. Inspection occurs at the Application and Network layers of the OSI model.

Application layer
1. Layer 7 and top layer of the OSI reference model. Defines how user applications interact with the network. 2. The Internet architecture layer in which TCP/IP interacts with hosts and users. Corresponds to the Presentation and Application layers of the OSI model. Also called the Process layer.

arp
A command that displays and modifies the Internet-to-Media Access Control (MAC)-address translation tables used by the Address Resolution Protocol.

array variable
An MIB variable that holds multiple values in a table or an array.

asymmetric encryption
A security measure commonly known as public-key encryption. Two keys, one public and one private, are used to encrypt and decrypt data.

attenuation
A decrease in magnitude of current, voltage, or power of a signal in transmission between points.

authentication acknowledgment
A message sent by a RADIUS server when it receives correct information.

authentication key
The key a RADIUS system sends to identify itself to a client system.

authentication reject
A message sent by a RADIUS server when it receives incorrect information.

authentication request message
The first step in RADIUS authentication server systems. Includes information on the specific communication server sending the message, the port where the connection was received, and the user name and password specified by the remote user.
autonomous system
A system managed by a single organizational entity, including all its networks and gateways.

backbone
The highest level in the computer network hierarchy, to which smaller networks typically connect.

backbone router
A high-speed router used as a foundation for connectivity in large or memory-intensive networks.

bandwidth
The amount of information, sometimes called traffic, that can be carried on a network at one time; the difference between the highest and lowest frequencies of a transmission channel.

Basic Encoding Rules (BER)
A standard for the way information is broken up into octets and transferred across a network, used to encode SNMP messages.

big-endian
A format for storing or transmitting binary data in which the most significant bit comes first. The Internet's standard network bit order is big-endian.

BootP
The Bootstrap Protocol. A TCP/IP Application-layer protocol that supports RARP functionality and provides additional features such as file names; uses the services of UDP and IP.

Border Gateway Protocol (BGP)
A routing protocol used to exchange network reachability information with other BGP subsystems; connects a series of subnetworks through a single autonomous system.

bridge
A device that connects networks with the same or different data-link protocols and enables them to communicate; operates at the Data-Link layer of the OSI model.

broadcast
The transmission of data from one source indiscriminately to all stations.

broadcast-and-prune
Any multicast routing protocol that is source-based.

brouter
A networking device that functions as both a bridge and a router.

caching server
A name server that has no authoritative records or zone files but provides improved DNS services to a LAN by caching information retrieved from other name servers.
canonical name (CNAME)
Type of DNS record that contains an alias for a specified host.

Carrier Sense Multiple Access/Collision Detection (CSMA/CD)
The process by which Ethernet devices test their LAN segment before transmitting, to determine whether another device is already transmitting.

CCITT
An organization that sets international communication standards, now known as the ITU (International Telecommunication Union). The initials stand for Comité Consultatif International Télégraphique et Téléphonique (French), also known as the International Consultative Committee on Telephony and Telegraphy.

centralized architecture
A network management scheme in which all queries are sent to a single management system.

Certificate Authority
Entity that issues and verifies digital certificates for use in Public Key Infrastructure and e-commerce applications.

cipher
The process of translating or encrypting plain text into ciphertext.

Cipher Block Chaining Data Encryption Standard (DES-CBC)
An IP packet header that allows information to be transferred in a way that makes illicitly captured information largely useless to the hacker.

ciphertext
Encrypted text; also called a cryptogram. Unreadable until it is decrypted with a key.

Class
An IPv6 field that prioritizes packets.

Class D address
The block of addresses reserved for multicasting, including addresses 224.0.0.0 through 239.255.255.255. Reserved addresses include 224.0.0.0 through 224.0.0.255.

Classless Interdomain Routing (CIDR)
A method that allocates and specifies Internet addresses by replacing network numbers with variable-length prefixes. IPv6 builds on this idea by using a Provider field. (Multiple IP addresses can be summarized into one routing table entry using supernetting.)

client
A system or application that requests a service from another computer (called the server).

co-located care-of address
The temporary local IP address that a mobile node associates with one of its network interfaces.
Common Management Information Protocol (CMIP)
A feature-rich network management protocol sponsored by the ISO, once a competitor to the simpler SNMP.

community name
Text string that provides a trivial authentication for SNMP agents, allowing an NMS with the correct community name setting to query and configure SNMP agents.

Computer Emergency Response Team (CERT)
An organization devoted to dealing with computer-related security issues. Maintains information on how to solve specific security problems and publishes security advisories.

Computer Incident Advisory Capability (CIAC)
A group of computer scientists that assists the U.S. Department of Energy (DOE) with security.

Computer Security Resource Clearinghouse (CSRC)
An organization that provides help and information on security-related issues. Operated by the U.S. National Institute of Standards and Technology (NIST).

configuration management
The configurable parameters of a managed device.

Connectionless Network Protocol (CLNP)
A part of the OSI model developed by ISO. Though superseded by initial development of IP, CLNP was submitted as a candidate to replace IPv4 because of CLNP's large address space.

connectionless protocol
Any protocol in which no explicit, preestablished connection is made.

connection-oriented protocol
Any protocol that depends on two machines contacting each other through a TCP connection before sending data.

Core-Based Tree (CBT)
A shared-tree multicast routing protocol. The CBT multicast delivery tree involves a single router, which is the root of the tree, often called a rendezvous point.

cyclic redundancy check (CRC)
A mathematical calculation that allows the receiving computer to verify a packet's integrity.

Data Encryption Standard (DES)
A widely used form of private-key encryption originated by IBM in 1977. Applies a 56-bit key to each 64-bit block of data.
datagram
In packet switching, a self-contained packet, independent of other packets, that does not require acknowledgment, and that carries information sufficient for routing.

Datagram Length field
Indicates the size of the packet in IPv4. In IPv6, this field is called Payload Length.

delivery trees
Multicast trees.

de-multiplexing
The process a receiving computer uses to strip each layer of protocol headers from the incoming packets and process the payload.

denial-of-service (DoS) attack
A security intrusion that incapacitates the service of a particular entity, allowing a hacker to engage in IP spoofing; can also make an entity perform in an abnormal fashion.

Digital Certificate
A file issued by a Certificate Authority that contains plaintext and encryption information, including a copy of the certificate holder's public key, their name, a serial number, an expiration date, and the encryption algorithms used. It also carries a digital signature of the issuing authority, so that the certificate can be verified, and often conforms to the X.509 standard for digital certificates.

digital signature
An electronic stamp added to a message that uniquely identifies its source and verifies its contents at the time of the signature.

direct routing
The process by which two computers on the same network communicate; does not require the use of a router.

Distance Vector Multicasting Routing Protocol (DVMRP)
Used with the MBone; a distance-vector protocol based on the Routing Information Protocol (RIP). The first widely implemented routing protocol.

distributed architecture
A network management scheme in which several peer network management systems collectively manage all system elements.

distribution trees
Multicast trees.

Domain Name System (DNS)
A hierarchical system of servers (name servers) that provide information to associate domain names with IP addresses.

downstream
In multicasting, the direction of travel away from the source.
Draft
A state for Internet RFCs that immediately precedes Standard.

Dynamic DNS (DDNS)
A protocol developed to allow hosts with dynamically configured IP addresses to update their DNS entry upon configuration.

Dynamic Host Configuration Protocol (DHCP)
Protocol that allows clients on a LAN to broadcast a request for configuration information, receive a response from a DHCP server, and automatically configure IP address, network mask, and other parameters such as gateway and DNS search order.

dynamic routing
Routing performed by a dynamic router, which communicates with other routers and periodically updates itself.

Echo Reply message
A message reply sent by a client host to an administrator host to test TCP/IP connections.

Echo Request message
A message sent by an administrator host to a client host to test TCP/IP connections.

Encrypted Security Payload (ESP)
In IPv6, an extension header that encrypts all information following the header. Only the receiving party can decrypt the data.

end stations
Members of a multicast group with one multicast address; must initiate group membership by expressing interest.

ephemeral ports
Unique port numbers typically assigned to client processes by applications and services.

Ethernet
Widely used LAN technology created by Xerox, Digital Equipment, and Intel.

Experimental
The initial state for Internet RFCs.

explicit-join
A shared-tree multicast protocol.

extension headers
In IPv6, located after the IP header and before the data payload. Similar to the IPv4 Options field. Extension headers include Hop-by-Hop, Destination Options, Routing, and Fragment.

exterior gateway
A gateway to an autonomous system that exchanges information with a gateway to a separate autonomous system.
Exterior Gateway Protocol (EGP)
A routing protocol that provides information to the Internet core system by communicating reachability between exterior gateway systems.

Exterior Routing Protocol
Any routing protocol used outside an organization's network.

File Transfer Protocol (FTP)
TCP/IP protocol operating on ports 21 and 20 designed to transfer files between hosts.

Finger
A program that displays information associated with a user account on the system.

firewall
A system of hardware and software gateways designed to restrict, manage, and authenticate the flow of information between a secure network and the Internet; a security barrier.

Flow
An IPv6 field that determines how a series of packets is handled from a sender to a recipient.

foreign agent
A router on the mobile node's visiting network. A mobile node must register with the foreign agent.

foreign agent care-of address
A foreign agent's IP address.

foreign network
In Mobile IP, the network with which a mobile agent registers.

forwarding server
A name server connected to the Internet that processes recursive requests that slave servers cannot resolve locally. May be a primary, secondary, or caching server.

Frame Relay
WAN protocol that uses variable length packets over shared network facilities.

frequently asked questions (FAQ)
A summary of answers to questions on a given topic.

Fully Qualified Domain Name (FQDN)
Domain name consisting of a host name and network name, such as www.amazon.co.uk, where www is the host name and .amazon.co.uk the network name.
gated
Gateway daemon (pronounced "gate-dee"). A program that allows the gateway to collect information from one autonomous system and to advertise routes to another autonomous system.

gateway
A networking device that converts one protocol stack to another.

Generic Record Encapsulation (GRE)
A general tunneling protocol that can encapsulate protocols other than IP.

Gopher
A menu-based program once used to find programs and resources on the Internet.

gratuitous ARP
The process of informing other hosts of the physical, or MAC, address when a host boots up.

hacker
An unauthorized user who illegally penetrates a computer network to access and manipulate data.

header
Information added to the beginning of a packet by each protocol layer.

Header Checksum
Field used to validate the integrity of an IPv4 packet.

home agent
A router on a mobile node's home network.

home network
In Mobile IP, the network with which the mobility agent normally associates.

hop
The route data travels on the Internet from router to router, with each router visit considered a "hop."

hop-by-hop segmentation
The procedure used by IPv4 that allows TCP/IP entities to send large packets without considering whether the hops or in-between relays can handle a large packet.

host
A computer that other computers can use to gain information.

host name
A system's DNS name, distinct from its Fully-Qualified Domain Name, and independent of the Windows NetBIOS name. Also, the command used to display the host name.

host group
A group of users represented by one group address; a key concept in multicasting.
host-specific route
A static entry added to a routing table.

Host-to-Host layer
Another name for the Transport layer of the Internet architecture.

hub
A device that connects computers in star-configured networks; a repeater or bridge.

Hypertext Transfer Protocol (HTTP)
The protocol used to transfer web pages across the Internet, primarily on port 80.

ICMP router advertisement
The message a router posts to present itself to the network.

IEEE EUI-64 format
Format for IPv6 host addresses that is based on the IEEE 48-bit Ethernet MAC address.

ifconfig
A command used on Linux, Unix, and BSD systems that assigns an Internet address to a network interface, such as an Ethernet card. Without parameters, or with the -a option, ifconfig will display information about all of a system's configured interfaces.

implicit-join
Any source-based protocol that assumes every member wants to receive traffic for every group.

indirect routing
The process by which two computers on different networks communicate; requires the use of a router.

initial sequence number (ISN)
A randomly generated number used to synchronize client and server when they transfer data on a byte stream. Predictable, non-random ISNs can be a security problem.

insider attack
Unintended or unauthorized behavior by legitimate network users. The most common type of security threat.

Institute of Electrical and Electronics Engineers (IEEE)
An organization that establishes standards on several electrical and information technologies, particularly well known for 802.2/802.3 LAN standards.

Interdomain Routing Protocol (IDRP)
A routing protocol based on many of the same concepts as BGP. Carries messages over a bare datagram service, routes several different address types, uses a variable-length field to address domains, and builds on the hierarchical routing concept of IPv6.
interior gateway
A gateway within an autonomous system.

interior routing
Any routing protocol used within an organization's network.

internal IP network
A TCP/IP network not connected to the Internet.

International Corporation for Assigned Names and Numbers (ICANN)
The organization responsible for Internet address space allocation, protocol parameter assignment, Domain Name System (DNS) management, and root server management.

International Organization for Standardization (ISO)
Organization dedicated to creating standards.

International Telecommunication Union (ITU)
A standards organization that shares responsibility for administration of the MIB namespace with the ISO. The ITU was formerly known as the CCITT.

Internet
A collection of packet-switched and broadcast networks that are connected via gateways; the world's largest computer network.

Internet architecture
A layered abstraction of network communication consisting of Network Access, Internet, Transport, and Application layers. Many different Internet architecture models exist; the CIW program has selected this model for the certification.

Internet Architecture Board (IAB)
A technical advisory board of the Internet Society; it oversees the Internet Engineering Task Force (IETF) as well as the Internet standards process, and it publishes and manages Requests for Comments (RFCs).

Internet Control Message Protocol (ICMP)
A protocol that helps TCP/IP software run correctly; it relays messages when a host is unavailable. A required part of the TCP/IP stack responsible for reporting errors.

Internet Control Message Protocol version 6 (ICMPv6)
A revision of the ICMP protocol for IPv6 that includes IGMP as well as other modifications.

Internet Engineering Steering Group (IESG)
Chairman and geographic area managers of the IETF.

Internet Engineering Task Force (IETF)
Organization divided into working groups focused on operational issues of the Internet; makes recommendations to the IAB.
Internet Group Messaging Protocol (IGMP): A nonroutable protocol that allows users to identify themselves to local multicast-enabled routers. A part of ICMP in IPv6.

Internet layer: The layer of the Internet architecture in which IP, ICMP, and IGMP reside; responsible for encapsulating information from the Transport layer. Corresponds to the Network layer of the OSI model.

Internet Packet Exchange (IPX): Novell’s proprietary Network Layer (Layer 3) protocol that works on LANs and WANs.

Internet Protocol (IP): The data-transmission standard for the Internet. Performs route discovery and route selection for packets on the Internet or an intranet, supporting Transport layer protocols TCP and UDP.

Internet Relay Chat (IRC): A protocol that allows Internet users to communicate in real time.

Internet Research Steering Group (IRSG): Global group that prioritizes and coordinates Internet-related research activities.

Internet Research Task Force (IRTF): Global group that develops and tests new Internet technologies.

Internet Service Provider (ISP): An entity that provides a network connection and sometimes other services such as DNS for an individual or an organization to connect to the Internet.

Internet Society (ISOC): The global authority organization for the Internet, consisting of volunteers.

internetworking: The process of building, connecting, and maintaining networks, typically heterogeneous but usually with TCP/IP.

IP: Internet Protocol, the most widely deployed network protocol in the world. IP exists at Layer 3 of the OSI/RM, and at the Internet Layer of the Internet architecture model. IP supports both TCP and UDP, Layer 4 protocols.

IP address: A site-dependent identifier for a node; the numerical address assigned to a specific computer and used by the Internet to transfer information.

IP datagram: A packet processed at the Internet layer; an IP packet.
IP header: The portion of a packet, preceding the actual data, containing source and destination addresses, error checking, and other fields.

IP Next Generation (IPng): The working name given to the next version of IP, when the ISOC began discussing possible solutions to the Internet’s addressing and routing problems.

IP packet: A packet processed at the Internet layer; an IP datagram.

IP tunneling: The embedding of other protocols by IP within itself; used in Virtual Private Networks (VPNs), Mobile IP, Multicast IP, and many other processes.

ipconfig: A Windows 2000/NT/XP command that displays pertinent configuration information. Can release and renew addresses obtained from a DHCP server.

IPv4: Internet Protocol version 4. The current IP standard; uses 32-bit addresses.

IPv4 header: A 20-byte packet header containing 10 fixed header fields, two addresses, and options.

IPv6: Internet Protocol version 6. The proposed IP standard that uses 128-bit addresses and hexadecimal code instead of integers, and incorporates a more efficient header. Other features include autoconfiguration, stateful configuration, Neighbor Discovery (ND), and address renumbering.

IPv6 header: A 40-byte packet header containing six fields, and source and destination addresses.

island: In multicasting, a region.

keepalive message: A message sent by the Border Gateway Protocol (BGP) to detect failure of a link or host on the other end of a TCP connection.

Kerberos: A proprietary key management scheme between unknown principals who want to communicate securely. Uses symmetric algorithms and acts as a trusted third party that knows the identities of the organizations asking to communicate, but does not reveal such information.

Link Control Protocol (LCP): Protocol for establishing and testing a PPP link during the logon process.
little-endian: A format for storing or transmitting binary data in which the least significant bit comes first.

local area network (LAN): A group of computers connected within a confined geographic area; users share files and services.

local traffic: An IP datagram in an autonomous system that has a source or destination address within that system.

loose source routing: A routing method that enables the sender to specify the path a packet should travel over the Internet.

Media Access Control (MAC) address: The hardware address of a device connected to a network.

mail exchanger (MX): DNS record identifying e-mail server for a domain.

managed node: Any device with an SNMP agent installed and active.

Management Information Base (MIB): The organizational structure for the data collected by SNMP agent(s).

masquerade attack: A security threat in which a potential intruder pretends to be something or someone other than what he or she is.

master server: The primary name server and DNS authority for a domain.

Maximum Transmission Unit (MTU) discovery: The process of determining the maximum packet size that can be sent between the sender and the receiver.

MBone: Internet Multicast Backbone. A specific part of the Internet established to transmit multicast traffic; a virtual network on top of the Internet.

Message Digest 5 (MD5): A security algorithm that turns a variable-length message into a fixed-length hash.

minimal encapsulation: A form of tunneling that saves header space by eliminating the duplication of several fields.

Mobile IP: A host IP address that is mobile between networks, as long as network connectivity is available.
Mobile IP agent advertisement: An ICMP router advertisement with a mobility agent advertisement extension that non-mobile routers and agents ignore.

mobile node: A host or router that changes its point of attachment on a network or between subnets.

mobility agent: Foreign and home agents used in Mobile IP.

mrouted: A Unix program used on the original version of the MBone. Along with DVMRP, it allowed routers to support multitasking.

multicast: A method of transmitting a single packet or stream of packets to a destination network or router, which then repeats that same information to multiple recipients.

multicast address: An address that refers to a group of hosts by using a single IP address; identified by IPv4 Class D addresses.

Multicast Extensions to Open Shortest Path First (MOSPF): A backward-compatible addition to OSPF that adds support for multicasting; uses source-based trees, but is an explicit-join routing protocol.

Multicast Exterior Gateway Protocol: A protocol that facilitates multicast routing at the Internet Service Provider and across all Internet routers.

Multicast Interior Gateway Protocol: A protocol that facilitates multicast routing at the intranet level.

multicast tree: A multicast delivery route; synonymous with distribution trees and delivery trees.

multicasting: Communication between a single sender and multiple receivers on a network.

multihomed autonomous system: An autonomous system with connections to multiple other autonomous systems; does not carry transit traffic.

name server (NS): A DNS record that identifies name servers for a domain.

National Institute of Standards and Technology (NIST): An organization responsible for informing and advising the government on computer science and technology activities. Operates the Computer Security Resource Clearinghouse (CSRC).
National Science Foundation Network (NSFNET): The forerunner of the Internet, based on ARPANET’s architecture. From 1985 until recently, the backbone communication infrastructure for the Internet.

neighbor cache: In IPv6, a cache of neighbor nodes’ MAC addresses and IP addresses.

Neighbor Discovery (ND): Protocol for autodetection of neighbor nodes in IPv6.

NetBEUI: NetBIOS Enhanced User Interface, a nonroutable protocol widely used in peer-to-peer networking.

NetBIOS: Network Basic Input/Output System, the standard interface to networks on IBM-compatible PCs.

netmask: Network mask that, in conjunction with an IP address, allows a TCP/IP node to communicate on a network or subnet.

netstat: A program that displays the contents of various network-related data structures, including active connections, packets processed by the system, routing tables, and Ethernet statistics.

NetWare Core Protocol (NCP): Protocol that allows files and printers to be shared on a Novell NetWare network.

network: Two or more computers that share information via a transmission medium and a protocol.

Network Access layer: The Internet architecture layer that contains the physical aspects of the network, including the network adapter card. Corresponds to the Physical and Data-Link layers of the OSI model.

network control protocols (NCPs): Protocols that allow PPP to negotiate communication with various protocols.

Network File System (NFS): A file storage standard that enables users of Unix and other operating systems to share files and directories.

Network Information Center: The Internet NIC (InterNIC) is managed by AT&T and Network Solutions, Inc., to provide directory, database, and registration services for Internet users.
network interface card (NIC): A physical device that connects a computer system bus to a network. Often called a network adapter.

Network Management System (NMS): A system that supports a network management protocol, consisting of agents and one or more systems that aggregate and organize information collected by the agents.

network operating system (NOS): An operating system designed to interact with network interfaces and provide system services to network clients—e.g. Unix, Linux, BSD, NetWare (and some would say Windows 2000/NT).

Next Level Aggregator (NLA): In IPv6, the second tier of entities that will form a hierarchy in an IPv6 global network. Also a field in the IPv6 header, and a class of IPv6 addresses.

node: Any entity on a network that can be managed. A computer or other addressable device attached to a network; a host.

nonroutable: A protocol or message that cannot be routed between networks, and is only valid for the network segment where it originates.

nslookup: Command to perform DNS lookups.

null integer: An integer that is all zeros; found in IPv6.

object identifier (OID): The name or label of an object in an information base.

offered load: The actual load or traffic demand presented to a local network.

one-way encryption: The process of encrypting data with a specific algorithm; precludes discovery of the original value.

Open Shortest Path First (OSPF): An interior routing protocol that dynamically updates information by sending only updates to the routing table; considers factors such as bandwidth, security, and multiple connections.

open standard: A standard developed through voluntary efforts by the Internet community, with open, published processes for development and documentation, often including open source code for implementation.

Open Systems Interconnection reference model (OSI/RM): An abstract model of network function, designed to codify universal concepts and improve protocol development; particularly important for heterogeneous systems.
Options field: In IPv4, a field that resides after the IP header.

packet: The most generic term for a piece of information sent across a network.

packet Internet groper (ping): The basic program used to test TCP/IP connections. Uses ICMP broadcasts to send Echo Request messages that invoke Echo Reply messages.

packet switching: A method of transmitting messages through a communication network. Long messages are divided into short packets, which are then transmitted, as in message switching (though usually more efficient and rapid than message switching).

Password Authentication Protocol (PAP): An authentication protocol available to PPP during the logon process.

performance management: The monitoring and controlling of a managed entity.

piggybacking: A technique used to increase acknowledgment efficiency during packet transmission. The receiving station includes a response number in the message header when it sends a user data packet.

ping: A command commonly used to test reachability of a system using ICMP echo request messages. Derived from Packet INternet Groper.

pipelining: A technique used to increase acknowledgment efficiency during packet transmission. Several packets are sent, and the acknowledgment signifies receipt of these packets and all lower-numbered packets.

plug-and-play autoconfiguration: Address autoconfiguration.

point of attachment: The point at which a host connects with a RAS server, an ISP, or the Internet.

point of presence (POP): A site that connects to the Internet using telecommunications equipment, multiprotocol routers, and digital leased lines; also called a local access point.

Point-to-Point Protocol (PPP): A communications protocol used to send and receive IP data packets over serial lines.
Point-to-Point Tunneling Protocol (PPTP): A protocol that allows users and corporations to securely extend their networks over the Internet using RAS servers. Essential in creating Virtual Private Networks (VPNs).

Pointer (PTR): A DNS record that allows a reverse DNS lookup, resolution of a name from an IP address.

policy-based routing: A routing method that features the ability to choose between paths when multiple alternatives exist and to control information distribution.

Post Office Protocol (POP): Protocol for e-mail clients to connect to a mail server and receive mail.

primary server: The authoritative or master DNS server for a domain.

Process layer: The Application layer of the Internet architecture.

Proposed: A state for Internet RFCs, between Experimental and Draft.

Protocol Data Unit (PDU): The basic information format used by SNMP for transmitting SNMP commands between agent and NMS; essentially an SNMP message encapsulated in an IP packet.

Protocol field: In IPv4, identifies the type of information that immediately follows the IP header. In IPv6, this field is renamed the Next Header field, and headers can be inserted between the IP and TCP/UDP headers.

Protocol(s) file: Describes the Internet protocols used on the network as defined by RFC 1700 (Assigned Numbers). Used on Windows 2000 (Protocol) and Unix (Protocols) computers.

Protocol Independent Multicast-Dense Mode (PIM-DM): A source-based, broadcast-and-prune multicast routing protocol similar to DVMRP. Not dependent on a unicast routing protocol.

Protocol Independent Multicast-Sparse Mode (PIM-SM): A shared-tree multicast routing protocol (therefore explicit-joined) capable of using both source-based and shared-tree types.

proxy Address Resolution Protocol (ARP): A protocol that allows a router to answer a local ARP request for a remote destination.
ps: A command used on Unix, Linux, and BSD systems to display the process table.

region: A multicast-enabled section of the Internet; the MBone.

registered port numbers: Ports that ICANN does not control, ranging from 1024 to 65535.

registration reply: In Mobile IP, a registration reply message received by a mobile node from either the foreign agent (which received it from the home agent) or the home agent itself (if the mobile node is a co-located care-of address).

Remote Authentication Dial-In User Service (RADIUS): A distributed security solution that allows networks to forward authentication requests over the Internet; specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS).

Remote Network Monitoring MIB (RMON): An element of the MIB-II standard that allows real-time remote monitoring without an NMS.

remote procedure call (RPC): A protocol used to request a service from a remote host. Also known as a function call or a subroutine call.

rendezvous point: A router that lies at the root of the delivery tree when using the Core-Based Tree (CBT) protocol in Multicast IP.

repeater: A low-level device that amplifies electrical signals on a cable and boosts them over a large network.

Request for Comments (RFC): A document that defines, describes, and explains Internet standards, practices, and protocols. The name “request for comments” comes from the procedure, which developed into a standard Internet practice, of defining an open standard through discussion and requesting comments on proposals from developers and interested parties within the entire Internet community.

resolver: Software that requests an IP address for a specific host name (resolution) from a DNS server.

Reverse Address Resolution Protocol (RARP): A protocol used by diskless Unix systems and X terminals to determine their Internet addresses at boot time.
root server: An Internet DNS server that is responsible for being able to identify all top-level domains on the Internet.

routable: A protocol or message that may be passed via a router to another network and remain valid.

route: Command used to display a system’s routing table, the routes that packets will be directed to.

routed: Route daemon (pronounced “route-dee”). Responsible for communicating with directly connected hosts and networks. Can be used for dynamic routing on Unix systems.

router: A device that routes packets between networks based on Network-layer addresses.

routing: The process of selecting a path over which to send packets in a network.

routing domain: A collection of systems and subnetworks that operate according to the same routing procedures; wholly contained within a single administrative domain.

Routing Information Protocol (RIP): A route discovery protocol that uses broadcasts; not used by IP because of its performance limitations.

routing protocols: Protocols that allow routers to efficiently share information and function.

routing update message: A message passed through the network by the Routing Information Protocol (RIP) that reflects network topology changes and causes routers to update their tables.

RPC port management service: A service that provides a standard process for SunOS client applications to determine the port number of any remote server application.

RSA: A commonly used encryption algorithm that uses public-key encryption. Name is taken from the creators’ initials: Ronald Rivest, Adi Shamir, and Leonard Adleman.

secondary server: A DNS server that synchronizes zone files from a primary server, and serves as a secondary source for DNS in the event of timeouts or a primary server failure.
Secure Sockets Layer (SSL): A popular security scheme that encrypts all communication between a client and a server using RSA data security.

Sequenced Packet Exchange Protocol (SPX): Protocol developed by Novell as part of their IPX/SPX suite; connection oriented.

Serial Line Internet Protocol (SLIP): A protocol that allows IP traffic over dial-up (serial) lines. Rarely used because of the additional flexibility offered by PPP.

Server Message Block (SMB): Protocol used for file and print sharing on Windows systems, and available on Unix, Linux, and BSD through the Samba package.

Services file: A file that contains port numbers for well-known services as defined by RFC 1700 (Assigned Numbers).

shared-tree: Any protocol that demands a host be joined before the data is transmitted to a multicast group.

Simple Gateway Monitoring Protocol (SGMP): A protocol that manages Internet routers.

Simple Internet Protocol Plus (SIPP): A protocol developed to experiment with 64-bit IP addresses, subsequently integrated into IPv6.

Simple Mail Transfer Protocol (SMTP): The Internet standard protocol for transmitting e-mail messages. Specifies how two mail systems interact, as well as the format of control messages they exchange to transfer mail.

Simple Network Management Protocol (SNMP): A network management protocol developed in order to provide a basic and implementable management protocol.

simple variable: An MIB variable that holds a single scalar value.

Site Level Aggregator (SLA): A third tier of the IPv6 hierarchy, identifying individual sites on the IPv6 network. Also a field in the IPv6 header and a class of IPv6 addresses.

slave server: A DNS server that synchronizes zone files from a master server, and serves as a secondary source for DNS in the event of timeouts or a master server failure.
socket: An end point of communication.

source-based: Any protocol that uses data it collects to probe the network’s edges for active receivers.

source-quench message: A message sent by the Internet Control Message Protocol (ICMP) to relieve congestion at hosts and gateways.

Source-to-Destination layer: The Transport layer of the Internet architecture.

Standard (STD): A state of Internet RFCs, after Draft.

Start of Authority (SOA): A DNS record that identifies the DNS server that is the best source of information for a domain, the primary server.

stateful autoconfiguration: A process in which IP addresses are dynamically assigned after having first established a session (e.g., Microsoft DHCP service).

stateful inspection: An inspection method used in firewalls that monitors inbound activity for suspicious behavior.

stateless autoconfiguration: A process in which IP addresses are dynamically assigned without having first established a session.

static routing: Routing performed by a static router, which must be built and updated manually.

strict source routing: A routing method that requires Internet addresses to specify the exact path a datagram will follow.

Structure of Management Information (SMI): A document that explains how to name, structure, and encode SNMP management information, found in RFCs 1155, Structure and Identification of Management Information for TCP/IP-based Internets, and 2578, Structure of Management Information Version 2 (SMIv2).

stub autonomous system: An autonomous system with a single connection to one other autonomous system; carries only local traffic.

subnet: A part of a larger IP address.

subnet address: An extension of the Internet addressing scheme that allows a site to use a single Internet address for multiple physical networks.
subnet mask: A required element of an IP configuration that works with the IP address to define a subnetwork.

subnet routing: A process that allows many subnetworks to exist within a single network.

subnetwork: A useful way to organize hosts within a network into logical groups.

summarization: The process of addressing one site in a network with multiple IP addresses, or addressing multiple sites with one routing table entry.

switch: A station that makes routing decisions and relays packets through a network.

symmetric encryption: A security scheme in which a single key is issued to encrypt and decrypt data; commonly called private-key encryption.

Systems Network Architecture (SNA): A network topology and system of protocols introduced by IBM, initially as a mainframe architecture.

TCP header: The portion of a packet preceding the actual data that contains source and destination addresses, error checking, and other fields. A TCP header is encapsulated in the IP datagram, and is usually 160 bits (20 bytes).

Telnet: The Internet standard protocol for remote terminal connection service.

Terminal Access Controller Access Control System (TACACS): A remote access authentication protocol specified in RFCs 927, TACACS User Identification Telnet Option, and 1492, An Access Control Protocol, Sometimes Called TACACS, and extended by Cisco Systems.

three-way handshake: The process involving three packets that is required to initiate a TCP connection between client and server functions, SYN, ACK/SYN, and ACK packets.

Time To Live (TTL): An IPv4 field that uses time limits to ensure old or useless packets will not remain on the network. In IPv6, TTL is renamed the Hop field and measures hops instead of seconds.

top: A public domain utility which displays and updates information about the top resource-using processes on the system.
top-level aggregator (TLA): The backbone aggregators of the global IPv6 architecture network.

top-level domain (TLD): The domain that contains organizations, businesses, universities, and so forth.

traceroute (tracert): A command used to determine the path and number of hops between source and destination systems.

transit autonomous system: An autonomous system that has connections to multiple other autonomous systems; carries local and transit traffic.

transit traffic: An IP datagram in an autonomous system that does not have a source or destination address within that system.

Transmission Control Protocol (TCP): The protocol used at the Transport layer of the Internet architecture; provides reliable connection-orientated byte-stream service.

Transport layer: 1. Layer 4 of the OSI reference model. Controls the flow of data between systems, defines message-structuring protocols, and checks for errors in transmissions. 2. The Internet architecture layer that provides the flow of information between two hosts using TCP and UDP; corresponds to the Transport and Session layers of the OSI model.

trap: SNMP message issued by an agent when a specified event occurs.

trap door attack: A security threat in which a hacker creates a hole through which to reenter a system and gain full access to it.

traversal: Term relating to the query of an SNMP MIB tree for a specific piece of information, whether a short text or numerical OID query.

Trivial File Transfer Protocol (TFTP): A protocol that provides a connectionless way to send files; does not require authentication nor provide directory visibility. Described in RFC 1350, The TFTP Protocol (Revision 2).

Trojan (horse): A security threat in which a file is modified to produce an unauthorized, unintended operation.

tunnel: A virtual point-to-point connection that allows multicast traffic to pass through non-multicast-enabled sections of the Internet.
type-length value (TLV): The format in which general extension mechanisms are encoded.

UDP header: The portion of a packet preceding the actual data that contains source and destination addresses, error checking, and other fields.

unicast: Communication between one source sending data and one source receiving it.

unicast address: The term used in IPv6 for what was called a point-to-point address in IPv4.

upstream: The direction of travel toward the source in multicasting; an upstream packet is one that is incoming.

uptime: Amount of time that a system has been running since powered on or rebooted. Also a Unix, Linux, or BSD command used to display this amount of time. Also a measurement of availability for enterprise systems—e.g., “Five nines” is 99.999% uptime.

Usenet: A collection of thousands of Internet computers, newsgroups, and newsgroup members using the Network News Transfer Protocol (NNTP) to exchange information.

User Datagram Protocol (UDP): A connectionless protocol that adds a checksum and additional processing of information (including port numbers) in the packet header, but does not require establishing a session for transmission. Resides at the Transport layer.

Virtual Private Network (VPN): An extension of a corporation’s intranet across the Internet; accessible to users with proper authentication as if they were on the LAN.

vmstat: Virtual memory statistics. A command on Unix, Linux, and BSD systems to display virtual memory usage and state.

Voice over IP (VoIP): The process of converting analog voice signals to digital data and transmitting it over an IP network. When the IP packets reach their destination, they are converted back into audio.

well-known ports: Commonly used port numbers, also called reserved port numbers, ranging from 1 to 1023.
winipcfg: A command used in Windows 95/98/Me systems to display TCP/IP configuration information.

World Wide Web (WWW or W3): Also known as the Web. A distributed Internet hypertext information system based on HTTP and HTML, created by researchers at the European Laboratory for Particle Physics (CERN) in Switzerland.

X.25: WAN protocol that was a precursor to Frame Relay technology, the first packet-switching network standard, introduced in the early 1970s.

X.500: CCITT standard for directories for OSI networks.

xinetd: One of the most important network daemons on a Unix system. Checks the specifications of the xinetd.conf and services files for incoming connection requests.

xinetd.conf: A Unix-specific file that manages the xinetd daemon, which in turn manages a particular network service.