With over 1,000,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created [email protected], a service that includes the following features:

- A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
- Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for [email protected].
- Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
- Access to "Ask the Author"™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you've purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
Syngress Media, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. "Career Advancement Through Skill Enhancement™" is a trademark of Syngress Media, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  JF87NBH615
002  KFJB876AAZ
003  LK1AN65498
004  FH766T1NA9
005  JF786B12BV
006  NN7FH419AS
007  FF8AF73198
008  776FNGF67B
009  7683NG5T99
010  WE67822VMA
IP ADDRESSING AND SUBNETTING INCLUDING IPv6

PUBLISHED BY
Syngress Media, Inc.
800 Hingham Street
Rockland, MA 02370
Copyright © 2000 by Syngress Media, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-01-6

Copy Editor: Adrienne Rebello
Technical Editor: Marc Blanchet
Indexer: Robert Saigh
Product Line Manager: Eva Banaszek
Proofreader: Jim Melkonian
Graphic Artists: Emily Eagar and Vesna Williams
Co-Publisher: Richard Kristof, Global Knowledge
We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Shelley Everett, Laurie Hedrick, Rhonda Harmon, Lisa Lavallee, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry's best courses, instructors and training facilities.

Ralph Troupe and the team at Rt. 1 Solutions for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Michael Ruggiero, Kevin Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen Lafferty and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow, Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson, Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt International for making certain that our vision remains worldwide in scope.
From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner. Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,

Duncan Anderson
President and Chief Executive Officer, Global Knowledge
Cameron Brandon (MCSE, CNE, CNA, MCSE+Internet, A+, Network+) works as a Network Engineer/Administrator in Portland, Oregon, and he specializes in Windows NT with BackOffice Integration. He helped in Intel Corporation's large-scale migration at its Oregon facility to Windows NT. Cameron completed all of his certifications in five months, demonstrating that determination and a strong sense of direction are the key to success in one's career.

Ryan Russell (CCNA, CCNP) has been employed in the networking field for more than 10 years, including more than five years working with Cisco equipment. He has held IT positions ranging from help desk support to network design, providing him with a good perspective on the challenges that face a network manager. Recently, Ryan has been doing mostly information security work involving network security and firewalls. He has completed his CCNP and holds a Bachelor of Science degree in Computer Science.

John Pherson (Microsoft MCSE and MCT, Novell Master CNE and Master CNI, and Certified Cisco Systems Instructor) has more than 18 years of technical-consulting and technical-management experience in the computer industry, specializing in networking technologies and operating systems. He also has a B.S. in Business Administration. John has been a member of several CompTIA (Computer Industry Technology Association) committees responsible for the growth and direction of the A+ Certification. He is also a contributing author to several books, including CCNA Study Guide (Osborne/McGraw-Hill, 1998) and the MCSE: Networking Essentials Study Guide (Osborne/McGraw-Hill, 1998). He is a member of American Mensa, Ltd. John is currently employed as an Instructional Consultant at Global Knowledge in Dallas, TX, and he also provides independent network consulting services.
J.D. Wegner is a founder and director of The Empowerment Group, Inc. He has been working with computers for over 30 years. The last twelve of those, he has been involved with the design, installation and support of data networks. As an instructor and Course Director for Global Knowledge, he has presented topics ranging from Internetworking with TCP/IP to Web Security to IP Address Management to thousands of IT professionals in the U.S. and abroad. His clients include many of the Fortune 500 as well as several government agencies. He lives in Hickory, North Carolina with his wife, Laurie, and their two children, David and Sarah.

Robert Rockell has been at Sprint Internet Services for the past 3 years. He currently works in the Operations Engineering department, where he and his group are responsible for top-level technical escalation of all Internet operation problems. In addition, Rob runs an IPv6 network with over 50 customers attached. If interested, you can join the 6Bone through Rob's network by writing him at [email protected].
Technical Editor

Marc Blanchet ([email protected]) is a network engineer working at Viagenie Inc. as a consultant in network security, network architectures and electronic commerce for companies, organisations and governments. He has been involved in TCP/IP since 1983. Marc wrote a book in French entitled TCP/IP Simplifié published by Éditions Logiques. At the Internet Engineering Task Force (IETF), he has been involved in many working groups, especially in the IPv6 group, for which he wrote a few standard documents. One of those is about IPv6 address assignments. Marc is also an architect of the IPv6 CA*Net network and the 6tap IPv6 exchange. He is a regular speaker at conferences and gives courses about TCP/IP, Security, IPv6 and other related subjects.
Contents

PREFACE
  Why this Book is Necessary  xix
  Content of this Book  xx
  Editor's Acknowledgments  xxi

CHAPTER 1 Addressing and Subnetting Basics  1
  [The entries for this chapter are garbled in the extraction; recoverable headings: IP Address Basics; Classful Addressing; Mask Values; Creating Masks for Various Networking Problems; Determining the Range of Addresses within Subnets]
  Determining Subnet Addresses Given a Single Address and Mask  32
  Interpreting Masks  34
  Reserved Addresses  35
  Summary  36
  FAQs  37

CHAPTER 2 Creating an Addressing Plan for Fixed-Length Mask Networks  39
  Introduction  40
  Determine Addressing Requirements  40
  Review Your Internetwork Design  40
  How Many Subnets Do You Need?  41
  How Many IP Addresses Are Needed in Each Subnet?  42
  What about Growth?  44
  Choose the Proper Mask  45
  Consult the Tables  45
  Use Unnumbered Interfaces  46
  Ask for a Bigger Block of Addresses  47
  Router Tricks  47
  Use Subnet Zero  49
  Obtain IP Addresses  50
  From Your Organization's Network Manager  51
  From Your ISP  51
  From Your Internet Registry  52
  Calculate Ranges of IP Addresses for Each Subnet  53
  Doing It the Hard Way  53
  Worksheets  55
  Subnet Calculators  57
  Allocate Addresses to Devices  58
  Assigning Subnets  58
  Assigning Device Addresses  60
  Sequential Allocation  61
  Reserved Addresses  61
  Grow Towards the Middle  61
  Document Your Work  62
  Keeping Track of What You've Done  62
  Paper  62
  Spreadsheets  62
  Databases  63
  In Any Case  63
  Summary  64
  FAQs  64
  Exercises  65
  Subnetting Tables  67
  Class A Subnetting Table  67
  Class B Subnetting Table  73
  Class C Subnetting Table  77
  Subnet Assignment Worksheet  79

CHAPTER 3 Private Addressing and Subnetting Large Networks  87
  Introduction  88
  Strategies to Conserve Addresses  88
  CIDR  89
  VLSM  90
  Private Addresses  90
  Addressing Economics  91
  An Appeal  94
  Public vs Private Address Spaces  94
  Can I Pick My Own?  95
  RFC 1918: Private Network Addresses  96
  The Three-Address Blocks  97
  Considerations  98
  Which to Use When  100
  Strategy for Subnetting a Class A Private Network  101
  The Network  102
  The Strategy  103
  Address Assignment  105
  The Headquarters LANs  105
  The WAN Links from Headquarters to the Distribution Centers  105
  The Distribution Center LANs  106
  The WAN Links from the DC to the Stores  107
  The Store LANs  107
  Results  108
  Summary  110
  FAQs  110
  Exercises  111

CHAPTER 4 Network Address Translation  113
  Introduction  114
  Hiding Behind the Router/Firewall  114
  What Is NAT?  119
  How Does NAT Work?  120
  Network Address Translation (Static)  120
  How Does Static NAT Work?  122
  Double NAT  123
  Problems with Static NAT  126
  Configuration Examples  130
  Windows NT 2000  131
  Cisco IOS  135
  Linux IP Masquerade  137
  Network Address Translation (Dynamic)  139
  How Does Dynamic NAT Work?  141
  Problems with Dynamic NAT  142
  Configuration Examples  144
  Cisco IOS  144
  Port Address Translation (PAT)  145
  How Does PAT Work?  147
  Problems with PAT  152
  Configuration Examples  154
  Windows NT 2000  154
  Linux IP Masquerade  156
  Cisco IOS  157
  What Are the Advantages?  161
  What Are the Performance Issues?  162
  Proxies and Firewall Capabilities  165
  Packet Filters  166
  Proxies  168
  Stateful Packet Filters  173
  Stateful Packet Filter with Rewrite  173
  Why a Proxy Server Is Really Not a NAT  174
  Shortcomings of SPF  178
  Summary  180
  FAQs  183
  References & Resources  187
  RFCs  187
  IP Masquerade/Linux  187
  Cisco  188
  Windows NAT  188
  Whitepapers  189
  Firewalls  189

CHAPTER 5 Variable-Length Subnet Masking  191
  Introduction  192
  Why Are Variable-Length Masks Necessary?  192
  Right-sizing Your Subnets  194
  More Addresses or More Useful Addresses?  196
  The Importance of Proper Planning  198
  Creating and Managing Variable-Length Subnets  198
  Analyze Subnet Needs  199
  Enumerate Each Subnet and Number of Required Nodes  199
  Determine Which Mask to Use in Each Subnet  200
  Allocate Addresses Based on Need For Each Subnet  201
  Routing Protocols and VLSM  206
  Class C VLSM Problem  206
  Completing the Class C Problem  210
  Template-based Address Assignment  214
  Summary  218
  FAQs  220

CHAPTER 6 Routing Issues  223
  Introduction  224
  Classless Interdomain Routing  225
  From Millions to Thousands of Networks  231
  ISP Address Assignment  233
  Using CIDR Addresses Inside Your Network  235
  Contiguous Subnets  236
  IGRP  237
  EIGRP  242
  EIGRP Concepts  243
  RIP-1 Requirements  244
  Comparison with IGRP  247
  Routing Update Impact  248
  RIP-2 Requirements  250
  OSPF  251
  Configuring OSPF  255
  Routing Update Impact  258
  OSPF Implementation Recommendations  265
  BGP Requirements  267
  IBGP and EBGP Requirements  272
  Loopback Interfaces  275
  Summary  276
  FAQs  278

CHAPTER 7 Automatic Assignment of IP Addresses with BOOTP and DHCP  281
  [Page numbers for the following entries (pages 282 to 293) could not be matched to headings in the extraction]
  Objectives
  Introduction
  The Role of Dynamic Address Assignment
  A Brief History
  Address Management with These Tools
  The BOOTP Packet
  Field Descriptions and Comments
  OP
  HTYPE
  HLEN
  HOPS
  XID
  SECS
  FLAG
  CIADDR
  YIADDR
  SIADDR
  GIADDR
  CHADDR
  SNAME
  FILE  293
  VEND/OPTION  293
  BOOTP Process Details  294
  Client BOOTREQUEST  294
  Server BOOTREPLY  295
  Field Values in the BOOTREPLY packet  296
  The BOOTP Server Database  297
  How Does DHCP Work?  298
  DHCP Process Overview  299
  DHCP Process Details  301
  DHCP-Specific Options  304
  Interoperation between DHCP and BOOTP  309
  DHCP Address Scopes  310
  Comparing BOOTP and DHCP  311
  How BOOTP Works  312
  BOOTP Process Overview  312
  DHCP/BOOTP Options  313
  BOOTP Options from RFC 1497  314
  IP Layer Parameters per Host  318
  IP Layer Parameters per Interface  320
  Link Layer Parameters per Interface  322
  TCP Parameters  323
  Application and Service Parameters  323
  BOOTP, DHCP, and Routed Networks  328
  The BOOTP Relay Agent  329
  The Role of the GIADDR  330
  Other Fields Involved  331
  HOPS  331
  CHADDR, YIADDR, HTYPE, HLEN, FLAG  332
  SECS  332
  UDP Port Number  332
  IP TTL Field  333
  ALL Other Fields  333
  BOOTP Implementation Checklist  333
  DHCP Implementation Checklist  334
  Summary  335
  FAQs  336

CHAPTER 8 Multicast Addressing  339
  [Page numbers for the following entries (pages 340 to 351) could not be matched to headings in the extraction]
  What Is Multicast?
  Mapping IP Multicast to the Link Layer
  Joining the Group
  IGMP
  Multicast Routing Protocols
  Mbone
  Multicast Addresses
  Transient and Permanent Addresses
  Generic Assignments
  IANA Assignments
  Scope of Multicast Addresses
  Using TTL
  Administrative Scopes
  IP Stacks and Multicast
  Why Multicast?
  Efficiency of Bandwidth Usage and Scaling
  Discovering
  Efficient Channel
  Industry
  Summary
  FAQ
  References

CHAPTER 9 IPv6 Addressing  353
  Introduction  354
  IPv6 Addressing Basics  354
  IPv6 Addressing Scheme Characteristics  357
  Version  358
  Traffic Class  358
  Flow Label  358
  Payload Length  359
  Next Header  360
  Hop-by-Hop Options Header  360
  Destination Options Header I  361
  Routing Header  361
  Fragment Header  362
  Authentication Header  362
  Encrypted Security Payload Header  363
  Destination Options Header II  363
  Hop Limit  364
  Source Address  364
  Destination Address  364
  More Bits!  365
  A More Flexible Hierarchical Organization of Addresses  370
  FP: Format Prefix  372
  TLA ID  373
  RES  373
  NLA ID  374
  SLA ID  374
  Interface ID  374
  Minimizing the Size of Routing Tables  376
  Global Addresses for the Internet and Local Addresses for Intranet  381
  IPv6 Benefits  387
  Increased IP Address Size  388
  Increased Addressing Hierarchy Support  389
  Simplified Host Addressing  394
  Simpler Autoconfiguration of Addresses  396
  Improved Scalability of Multicast Routing  398
  The Anycast Address  403
  The Need for Further Development  406
  The Multihoming Problem  406
  The 6Bone  409
  Summary  410
  FAQ  411

CHAPTER 10 The IPv6 Header  413
  Introduction  414
  Expanded Addressing  415
  Simplified Header  417
  Improved Support for Extension and Option  417
  Flow and Flow Labeling  418
  Authentication and Privacy  419
  IPv6 Header  420
  IPv4 Header  422
  Extension Headers  424
  Hop-by-Hop Option Header  430
  Routing Header  433
  Fragment Header  438
  Authentication Header  442
  Encapsulating Security Payload  445
  Destination Options Header  446
  Upper-Layer Protocol Issues  449
  Summary  449
  FAQs  450
  References  451

APPENDIX A Address Assignment  453
  Introduction  454
  Registries  454
  Provider-Based Assignments  455
  Cost of an IP Address  456
  How to Find an IPv4 Address Delegation  456
  How to Find an IPv6 Address Delegation  458
  Internet Governance  458
  Summary  459

INDEX  461
Preface
Why this Book is Necessary

Internet Protocol (IP), the network protocol of the Internet, is seen as the protocol for the convergence of telephony and data. Addressing is an important part of network engineering, either in the telephony world or the Internet world. One of the richest parts of IP is its addressing. Addressing has been so well designed in IP that the Internet has grown from three computers to hundreds of millions of computers, used in day-to-day work and fun, while remaining efficient. As you will see, this book discusses two versions of IP: IPv4 and IPv6. The current Internet is IPv4 (Internet Protocol version 4), and the new Internet beginning to be deployed is based on IPv6 (Internet Protocol version 6). This book describes addressing for both versions.

Although many books cover TCP/IP, no book really goes into as much depth with all issues related to IP addressing as this one does. The intended audience of this comprehensive, intermediate level book is someone with a technical or management background, who understands the basics of TCP/IP and wants a complete handbook related to addressing.

Addressing is so important in any networking world that a misunderstanding can have important consequences. For example, a poorly designed addressing architecture for a large network can cause the organization to renumber the whole network, which can involve a long down-time as well as instability during the renumbering phase. This can cost a lot of money. But, at the same time, a good addressing architecture costs no money, just good planning and good understanding of the issues. This is one reason why this book exists.
Content of this Book

Chapter 1, "Addressing and Subnetting Basics," discusses the IPv4 addressing architecture, which is the basis of this book. Classes and subnetting are key in the IPv4 design. Once you understand IP addresses, Chapter 2, "Creating an Addressing Plan for Fixed-Length Mask Networks," tells you how to make an address plan for your network. If your network is not connected to the Internet, or if you use any kind of network address translation (NAT) device, you are going to use the private addresses reserved for that purpose. Private addresses are detailed in Chapter 3, "Private Addressing and Subnetting Large Networks." If you use NAT, or simply want to know about it, then you should read Chapter 4, "Network Address Translation," which is a comprehensive chapter on this technology. Although most networks can have a good address plan using standard subnetting techniques, some networks need variable-length subnet masks (VLSM), mostly because they are not balanced in the ratio of number of networks to number of hosts. VLSM is covered in Chapter 5, "Variable-Length Subnet Masking." IP addressing is the basis of routing; Chapter 6, "Routing Issues," deals with all the details of routing as they relate to addressing. IP requires more configuration in comparison with other LAN protocols. These issues have been resolved by BOOTP and DHCP, which are covered in Chapter 7, "Automatic Assignment of IP Addresses with BOOTP and DHCP."

Multicast provides a way to have one-to-many or many-to-many packets by giving the group of destination hosts a specific and special IP address in the class D range. This is a great and innovative way to use IP addressing, and it is covered in Chapter 8, "Multicast Addressing." Since the growth rate of the Internet is phenomenal, engineers developed a new version of the IP protocol, called IPv6, which brings new schemes of addressing. With addressing, IPv6 enables autoconfiguration, renumbering, efficient routing on the backbone, etc. Chapters 9 and 10, "IPv6 Addressing" and "The IPv6 Header," discuss IPv6 and its header and addressing structure in depth.

The entire book covers the technology of IP addressing. In addition, you need to get a range of addresses for your network. The Annex discusses address assignments and registration. This book demonstrates that IP addressing is a very important feature of IP, which has evolved over time, as the Internet and other organizations needed change. The new version of IP, IPv6, continues to use addressing as an important tool for network engineering.
Editor's Acknowledgments

I would like to thank Eva Banaszek and Matt Pedersen from Syngress Media for their support; my colleagues of Viagénie (Florent Parent, Régis Desmeules, and Annie Morin) with whom I always have good discussions on technical issues that enrich my own experience; Hélène Richard, our technical writer, who reviewed my own chapters, and finally my wife, for all her patience. I hope you will enjoy this comprehensive book on IP addressing.

Marc Blanchet
Chapter 1: Addressing and Subnetting Basics
IP Address Basics

IPv4 addressing is used to assign a logical address to a physical device. That sounds like a lot to think about, but actually it is very simple. Two devices in an Ethernet network can exchange information because each of them has a network interface card with a unique Ethernet address that exists in the physical Ethernet network. If device A wants to send information to device B, device A will need to know the Ethernet address of device B. Protocols like Microsoft NetBIOS require that each device broadcast its address so that the other devices may learn it. IP uses a process called the Address Resolution Protocol. In either case, the addresses are hardware addresses and can be used on the local physical network.
What happens if device B, on an Ethernet network, wants to send information to device C on a token-ring network? They cannot communicate directly because they are on different physical networks. To solve the addressing problems of both device A and B, we use a higher layer protocol such as IPv4. IPv4 allows us to assign a logical address to a physical device. No matter what communication method is in use, we can identify a device by a unique logical address that can be translated to a physical address for actual information transfer.
Classful Addressing: Structure and Size of Each Type

The designers of IPv4 faced an addressing dilemma. In the early days of Internet development, networks were small and networking devices were big. Another issue was the future. In the early 1970s, the engineers creating the Internet were not aware of the coming changes in computers and communications. The invention of local area networking and personal computers was to have a momentous impact on future networks. Developers understood their current environment and created a logical addressing strategy based on their understanding of networks at the time. They knew they needed logical addressing and determined that an address containing 32 bits was sufficient for their needs. As a matter of fact, a 32-bit address is large enough to provide 2^32 or 4,294,967,296 individual addresses. Since all networks were not going to be the same size, the addresses needed to be grouped together for administrative purposes. Some groups needed to be large, some of moderate size, and some small. These administrative groupings were called address classes.
IPv4 addresses are expressed in dotted decimal notation. For example, a 32-bit address may look like this in binary:

01111110100010000000000100101111

To make it easier to read, we take the 32-bit address and group it in blocks of eight bits like this:

01111110 10001000 00000001 00101111

Finally, we convert each eight-bit block to decimal and separate the decimal values with periods or "dots." The converted IPv4 address, expressed as a dotted decimal address, is:

126.136.1.47

It is certainly easier to remember that your IP address is 126.136.1.47 instead of remembering a string of bits such as 01111110100010000000000100101111.
What Is a Network?

When talking about IP addressing, it is important to understand what the word "network" means. A network is a group of computing devices connected together by some telecommunications medium. It may be as small as a workgroup in the accounting department or as large as all of the computers in a large company, such as General Motors. From an addressing perspective, all computers in a network come under the administration of the same organization. If you want to send information to a computer, you can identify the computer by its IP address and know that the IP address is assigned to a company. The IP network can locate the computing resources of the company by locating the network. The network is identified by a network number. Network numbers are actually IP addresses that identify all of the IP resources within an organization. As you can see in Figure 1.1, some organizations will require very large networks with lots of addresses. Other networks will be smaller, and still other networks will need a limited number of addresses. The design of the IPv4 address space took this factor into account.
Figure 1.1 Networks and the Internet.
Class A

The largest grouping of addresses is the class A group. Class A network addresses can be identified by a unique bit pattern in the 32-bit address.

0nnnnnnn llllllll llllllll llllllll

In the preceding group, you will see a 32-bit representation of a class A address. The first 8 bits of a class A address indicate the network number. The remaining 24 bits can be modified by the administrative user of the network address to represent addresses found on their "local" devices. In the representation above, the "n's" indicate the location of the network number bits in the address. The "l's" represent the locally administered portion of the address. As you can see, the first bit of a class A network address is always a zero. With the first bit of a class A address always zero, the class A network numbers begin at 1 and end at 127. With a 24-bit locally administered address space, the total number of addresses in a class A network is 2^24 or 16,777,216. Each network administrator who receives a class A network can support 16 million hosts. But remember, there are only 127 possible class A addresses in the design, so only 127 large networks are possible. Here is a list of class A network numbers:

10.0.0.0
44.0.0.0
101.0.0.0
127.0.0.0

Notice that these network numbers range between 1.0.0.0 and 127.0.0.0, the minimum and maximum numbers.
Class B

The next grouping of addresses is the class B group. Class B network addresses can be identified by a unique bit pattern in the 32-bit address.

    10nnnnnn nnnnnnnn 11111111 11111111

In the preceding example, you will see a 32-bit representation of a class B address. The first 16 bits of a class B address indicate the network number. The remaining 16 bits can be modified by the administrative user of the network address to represent addresses found on their "local" hosts. A class B address is identified by the 10 in the first 2 bits. With the first 2 bits of a class B address containing 10, the class B network numbers begin at 128 and end at 191. The second dotted decimal in a class B address is also part of the network number. A 16-bit locally administered address space allows each class B network to contain 2^16 or 65,536 addresses. The number of class B networks available for administration is 16,384. Here is a list of class B network numbers:

    137.55.0.0
    129.33.0.0
    190.254.0.0
    150.0.0.0
    168.30.0.0

Notice that these network numbers range between 128.0.0.0 and 191.255.0.0, the minimum and maximum numbers, respectively. And remember that the first two dotted decimal numbers are included in the network number since the network number in a class B address is 16 bits long.
Class C

The next grouping of addresses is the class C group. Class C network addresses can be identified by a unique bit pattern in the 32-bit address.

    110nnnnn nnnnnnnn nnnnnnnn 11111111

In the preceding example, you will see a 32-bit representation of a class C address. The first 24 bits of a class C address indicate the network number. The remaining 8 bits can be modified by the administrative user of the network address to represent addresses found on their "local" hosts. A class C address is identified by the 110 in the first 3 bits. With the first 3 bits of a class C address containing 110, the class C network numbers begin at 192 and end at 223. The second and third dotted decimals in a class C address are also part of the network number. An 8-bit locally administered address space allows each class C network to contain 2^8 or 256 addresses. The number of class C networks available for administration is 2,097,152. Here is a list of class C network numbers:

    204.238.7.0
    192.153.186.0
    199.0.44.0
    191.0.0.0
    222.222.31.0

Notice that these network numbers range between 192.0.0.0 and 223.255.255.0, the minimum and maximum numbers, respectively. And remember that the first three dotted decimal numbers are included in the network number since the network number in a class C address is 24 bits long. To summarize, each of the three IP address classes has the characteristics shown in Table 1.1.
Table 1.1 Address Class Characteristics

    Class   Network Bits   Host Bits   Total Networks   Total Addresses
    A       8              24          127              16,777,216
    B       16             16          16,384           65,536
    C       24             8           2,097,152        256
Address Assignments

One task of address management is address assignment. As you begin the process of address allocation, you must understand how the addresses are used in the network. Some devices will be assigned a single address for a single interface. Other devices will have multiple interfaces, each requiring a single address. Still other devices will have multiple interfaces and some of the interfaces will have multiple addresses.
Single Address per Interface

A device connected to a network may have one or many networking interfaces that require an IP address. A word processing workstation in your network has a single Ethernet interface (see Figure 1.2). It needs only one IP address.

Figure 1.2 Single address per interface.
Multihomed Devices

A router is a networking device used to transfer IP datagrams from one physical network to another. The router by its very nature and function will have more than one interface and will require an IP address for each interface. Devices with more than one interface are called multihomed, and the process is called multihoming.
In Figure 1.3, t h e r o u t e r h a s two interfaces. One interface is a t t a c h e d to t h e t o k e n - r i n g n e t w o r k a n d t h e o t h e r interface is a t t a c h e d to t h e E t h e r n e t network. This is a m u l t i h o m e d device. Figure
1.3 Multihomed device.
A s s i g n i n g IP a d d r e s s e s to devices is a simple p r o c e s s (see Figure 1.4). A n e w device is installed in the n e t w o r k a n d t h e a d d r e s s a d m i n i s t r a t o r selects a n u n u s e d a d d r e s s of t h e g r o u p of available a d d r e s s e s . The i n f o r m a t i o n is provided to t h e u s e r of t h e device a n d t h e device is configured. The a d d r e s s given to t h e u s e r m u s t be from t h e s a m e a d d r e s s g r o u p as all o t h e r devices on t h e s a m e n e t w o r k or t h e IP d a t a t r a n s m i s s i o n r u l e s will n o t work. The IP d a t a t r a n s m i s sion r u l e s will be d i s c u s s e d in a later chapter. The a c t u a l c o n f i g u r a t i o n p r o c e s s for IP a d d r e s s e s varies from o p e r a t i n g s y s t e m to o p e r a t i n g s y s t e m a n d from device to device, so c o n s u l t y o u r s y s t e m d o c u m e n t a t i o n for i n s t r u c t i o n s . An i m p o r t a n t final step r e q u i r e s t h a t a careful n o t a t i o n a b o u t a s s i g n m e n t of t h e a d d r e s s be m a d e in t h e a d d r e s s a d m i n i s t r a t o r s ' d o c u m e n t a t i o n so t h a t t h e a d d r e s s is n o t a s s i g n e d to a n o t h e r device.
Figure 1.4 IP address configuration.
Multinetting: Multiple Addresses per Interface

It is also possible that certain devices will have interfaces with more than one IP address assigned. Here is an example: A new Internet site is under development for a small corporation. The network administrator knows that the site will grow in the future, but today there is no need for a complex network. A server is installed that will be used as a Web server, ftp server, mail server, and the corporation's DNS server. Later, when the use of the network services grows, new servers will be used for each of the functions. When the time comes to address the current server, the administrator has a choice. A single IP address can be used on the server and later, when the new servers are needed, new IP addresses can be assigned to them. Another way of assigning addresses can be used. The administrator can assign four IP addresses to the server. Each IP address will match the IP address to be used in the future on new servers. The administrator now knows what addresses will be used and can create DNS entries for the new devices with the correct addresses. The process of providing more than one IP address on an interface is often called multinetting or secondary addressing.
Examples

Assigning secondary addresses on Cisco routers is done using IOS configuration commands. Here is an example of how to assign a primary IP address and two secondary IP addresses to an Ethernet interface:

    interface ethernet 0
     ip address 183.55.2.77 255.255.255.0
     ip address 204.238.7.22 255.255.255.0 secondary
     ip address 88.127.6.209 255.255.255.0 secondary

The router's Ethernet 0 interface now has addresses in the 183.55.0.0 network, the 204.238.7.0 network, and the 88.0.0.0 network.
Purpose of Subnetting

When the IP protocol was designed, the networks and computers were very different than they are today. With the advent of local area networks (LANs) and personal computers, the architecture of the computer networks changed. Instead of having big computers communicating over low-speed, wide area networks, we had small computers communicating over fast, local area networks. To illustrate why IP subnetting is necessary, let's take a look at how IP sends datagrams. And to make it easy to understand, let's compare the process to sending mail at the post office. If you have a message to send to a member of your local family, you can deliver it to the family member by writing it down on a piece of paper and giving it directly to him or her. IP networks do the same thing. If an IP datagram is to be sent to a computer on the same physical network, the two devices can communicate directly (see Figure 1.5).
Figure 1.5 IP network with no subnetting.
The device 200.1.1.98 wants to communicate with 200.1.1.3. Since they are on the same Ethernet network, they can communicate directly. They are also on the same IP network, so communication can take place without the help of any other devices. Let's go back to our post office analogy. One of the children has now moved out of the house and has gone to college. To communicate with that child, you will need to have some help. You write a letter, put it in an envelope, and mail it. The post office makes sure that your letter reaches the addressee. Computing devices work according to the same principle. To communicate with devices not in the same physical network, the computing device needs some help. Here is how it is done: In the illustration in Figure 1.6, James wants to send a message to Sarah. They are all part of the same IP network, 153.88.0.0, but not a part of the same physical network. As a matter of fact, James' computer is on a token-ring network in Los Angeles. Sarah's machine is located on an Ethernet network in Philadelphia. A connection between the two networks is required.
Figure 1.6 Two networks, different locations.
Just like the post office helps to deliver the letter to the student in college, routers help James to send a message to Sarah over the wide area network from Los Angeles to Philadelphia (see Figure 1.7). The IP process must send the message from James to the router. The router will send it to other routers until the message finally reaches the router on Sarah's network. Then the router on Sarah's network will send it to Sarah's machine. The routers enable IP to send information from one physical network to another. How does IP know that Sarah's machine is not on the same physical network as James's? IP must determine that Sarah's machine is on a different physical network by using the logical IP addressing scheme. In this instance, the address administrator must assist the network managers by breaking the 153.88.0.0 network into smaller components and placing a block of addresses on each physical network. Each block of addresses that applies to a physical network is known as a subnet.
Figure 1.7 Inter/Intranet connectivity.
In Figure 1.8, James' machine is now found in the 153.88.240.0 subnet. Sarah's is in the 153.88.3.0 subnet. When James sends a message to Sarah, the IP process determines that Sarah is in a different subnet and sends the message to the router for forwarding. Let's see how subnets are determined and how IP devices decide to forward datagrams to a router.
Figure 1.8 Two locations, subnetted.
The Basic Fixed-Length Mask

To help the IP device understand the subnetting used in the network, IP designers described the process of using a subnet mask in RFC 950.
What the Mask Does

Simply stated, the mask is used to indicate the location of the subnet field in an IP address. What does that mean? In the previous figures, 153.88.0.0 is the network address. It is a class B address, which means that the first 16 bits of the address are the network number. James' machine is in the 153.88.240.0 subnet. How do we determine that? James is in the 153.88.0.0 network. The administrator reserved the next 8 bits to hold the subnet number. In the preceding example, James is in the 240 subnet. If James' IP address were 153.88.240.22, James would be in the 153.88.0.0 network, in the 240 subnet of that network, and would have a host address of 22 in that subnet. All devices within the 153.88.0.0 network with a third octet of 240 are assumed to be on the same physical network and in the same subnet, the 240 subnet. The subnet mask is used to interpret addresses to understand how they are subnetted. The mask is made up of 32 bits, just like the IP address. There are certain masks that are natural or default to the three classes of addresses. The default or natural mask for the class A address is 255.0.0.0. In this case, the mask indicates that the first 8 bits represent the network number and must be used when evaluating a class A address for subnetting. If a device has a class A address assigned and has a mask of 255.0.0.0, there is no subnetting in that network. If a device has a class A address and has a mask that is not 255.0.0.0, the network has been subnetted and the device is in a subnet of the class A network.
    No subnetting   88.0.0.0    255.0.0.0
    Subnetting      125.0.0.0   255.255.255.0

In the preceding example, the 125.0.0.0 network has been subnetted. The mask is not the default mask, so we know that the network has been subnetted. What does the rest of the mask mean? As stated earlier, the mask is used to indicate the location of the subnet field in an IP address. Let's look at what makes up a mask.
Components of a Mask

The mask is a 32-bit binary number that is expressed in dotted decimal notation. By default, the mask contains two fields, the network field and the host field. These correspond to the network number and the locally administered part of the network address. When you subnet, you are adjusting the way you view the IP address. If you are working with a class B network and are using the standard mask, there is no subnetting. For example, in the address and mask in the following example, the network is indicated by the first two 255 entries and the host field is indicated by the ending 0.0.

    153.88.4.240   255.255.0.0

The network number is 153.88 and the host number is 4.240. In other words, the first 16 bits are the network number and the remaining 16 bits are the host number. When we subnet a network, we increase the hierarchy from network and host to network, subnet, and host. If we were to subnet the 153.88.0.0 network with a subnet mask of 255.255.255.0, we will be adding an additional piece of information. Our view changes in that we will be adding a subnet field. As with the previous example, 153.88 is still the network number. With a mask of 255.255.255.0, the third octet is used to tell us where the subnet number is located. The subnet number is .4 and, finally, the host number is 240. The locally administered portion of the network address can be subdivided into subnetworks by using the mask to tell us the location of the subnet field. We allocate a certain number of bits to the subnet field and the remainder is then the new host field. In the following example, we took the 16-bit host field that comes with a class B address and broke it down into an 8-bit subnet field and an 8-bit host field.

    255.255.255.0 for a class B network

    Network    Network    Subnet     Host
    255        255        255        0
    11111111   11111111   11111111   00000000
Binary Determination of Mask Values

How do you determine which mask to use? On the surface it is a fairly simple process. You first determine how many subnets are required in your network. This may require you to do a lot of research into the network architecture and design. Once you know how many subnets you will need, you can decide how many subnet bits are needed to provide you with a subnet field big enough to hold the number of subnets you need. When a network is in the design phase, the network administrator discusses the design with the address administrator. They conclude that there will be a total of 73 subnets in the current design and that a class B address will be used. To develop the subnet mask, we need to know how big the subnet field must be. The locally administered portion of a class B address contains 16 bits. Remember that the subnet field is a portion of these 16 bits. The challenge is to determine how many bits are required to store the decimal number 73. Once we know how many bits are needed to store the decimal number 73, we can determine what the mask should be. The first step is to convert the decimal number 73 to binary. The number of bits in the binary number is seven.

    73 decimal = 1001001 binary

So we need to reserve the first 7 bits of the locally administered portion of the subnet mask for the subnet field and the remainder will be the host field. In the example below, we are reserving the first 7 bits for the subnet field, indicated by the 1 bits, and the remainder for the host field, indicated by the 0 bits.

    11111110 00000000

If we convert this binary information into decimal for the subnet mask and add it to the portion of the mask for the network number, we will have the entire subnet mask necessary.
    11111110 = 254 decimal
    00000000 = 0 decimal
    255.255.254.0 is the mask

Remember, 255.255.0.0 is the default mask for a class B address. We have replaced the locally administered portion of the mask, the .0.0, with the 254.0 that depicts the subnetting scheme. The 254.0 portion tells the software that the first 7 bits of the locally administered portion of the address are the subnet field and the remainder is the host field. Of course, if the subnet mask numbers change, the interpretation of the subnet field changes.
Decimal Equivalent Mask Values

Tables 1.2, 1.3, and 1.4 show the possible subnet masks that can be used in class A, class B, and class C networks.

Table 1.2 Class A Subnet Table

    Subnets      Hosts        Mask               Subnet Bits   Host Bits
    2            4,194,302    255.192.0.0        2             22
    6            2,097,150    255.224.0.0        3             21
    14           1,048,574    255.240.0.0        4             20
    30           524,286      255.248.0.0        5             19
    62           262,142      255.252.0.0        6             18
    126          131,070      255.254.0.0        7             17
    254          65,534       255.255.0.0        8             16
    510          32,766       255.255.128.0      9             15
    1,022        16,382       255.255.192.0      10            14
    2,046        8,190        255.255.224.0      11            13
    4,094        4,094        255.255.240.0      12            12
    8,190        2,046        255.255.248.0      13            11
    16,382       1,022        255.255.252.0      14            10
    32,766       510          255.255.254.0      15            9
    65,534       254          255.255.255.0      16            8
    131,070      126          255.255.255.128    17            7
    262,142      62           255.255.255.192    18            6
    524,286      30           255.255.255.224    19            5
    1,048,574    14           255.255.255.240    20            4
    2,097,150    6            255.255.255.248    21            3
    4,194,302    2            255.255.255.252    22            2

Table 1.3 Class B Subnet Table

    Subnets      Hosts        Mask               Subnet Bits   Host Bits
    2            16,382       255.255.192.0      2             14
    6            8,190        255.255.224.0      3             13
    14           4,094        255.255.240.0      4             12
    30           2,046        255.255.248.0      5             11
    62           1,022        255.255.252.0      6             10
    126          510          255.255.254.0      7             9
    254          254          255.255.255.0      8             8
    510          126          255.255.255.128    9             7
    1,022        62           255.255.255.192    10            6
    2,046        30           255.255.255.224    11            5
    4,094        14           255.255.255.240    12            4
    8,190        6            255.255.255.248    13            3
    16,382       2            255.255.255.252    14            2

Table 1.4 Class C Subnet Table

    Subnets      Hosts        Mask               Subnet Bits   Host Bits
    2            62           255.255.255.192    2             6
    6            30           255.255.255.224    3             5
    14           14           255.255.255.240    4             4
    30           6            255.255.255.248    5             3
    62           2            255.255.255.252    6             2
These subnet mask tables can make it easier for you to determine which subnet mask to use for any given situation. Look at the tables for just a minute and notice what happens. As you go down the table, the number of subnets increases and the number of hosts in each subnet then decreases. Why? Look at the right-hand side of each table. As the number of subnet bits increases, the number of host bits decreases. Since we have a fixed number of bits to work with in each class of network address, each bit can be used in only one way, the way specified by the mask. Each bit must be either a subnet bit or a host bit. An increase in the number of subnet bits causes a reduction in the number of host bits. Notice too that the tables are different sizes for each class of address. Because of the 24-bit, 16-bit, and 8-bit host fields for class A, B, and C networks, respectively, we have three different tables.
Creating Masks for Various Networking Problems

The tables make it easy to locate the correct mask for your networking problem. Consider the following problems: Bob was given a class A network to administer. He needs to subnet the network into 1,045 subnets with 295 devices in the largest subnet. He looks up the subnet and device numbers in the class A table and finds that the following five entries can be used to solve his problem. Which should he use?

    Subnets   Hosts   Mask             Subnet Bits   Host Bits
    2,046     8,190   255.255.224.0    11            13
    4,094     4,094   255.255.240.0    12            12
    8,190     2,046   255.255.248.0    13            11
    16,382    1,022   255.255.252.0    14            10
    32,766    510     255.255.254.0    15            9
Bob must select one mask to use. As he looks at his possible solutions, he also has to understand another factor involved in his decision: the growth of the network. Will his company add more subnets in the future, or will each subnet get bigger, or both? If the number of subnets will increase without an increase in devices in each subnet, Bob could select 255.255.254.0 as his mask and be comfortable with his decision. If the number of devices in each subnet will increase, he could select 255.255.224.0 as his mask. Depending on the physical protocol in use, there may be practical limits to the number of devices in each subnet. In some networks, having more than 100 physical devices in a network segment or subnet may seriously impact the usability of the network. Using realistic estimates of devices in each subnet is essential to subnetting success. In another example, Sarah is in charge of a small corporate network with two Ethernet segments and three token-ring segments. They are connected together with one router. Each subnet will contain no more than 15 devices. Sarah has been assigned a class C network address. As Sarah looks at the class C table, she finds that the following entry may be used to solve the problem as described:

    Subnets   Hosts   Mask               Subnet Bits   Host Bits
    6         30      255.255.255.224    3             5
The only entry that allows five subnets with 15 devices is 255.255.255.224. If you have a good idea of the number of subnets and the number of hosts in each subnet, you can use these tables to find the proper mask. It is always important to know if the number of subnets will grow in the future or if the number of hosts in the subnets will grow. Once the growth factors have been included in the current need, check the tables to determine your mask.
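The procedure used in this section (count the bits needed to hold the subnet count, set those bits to 1 in the locally administered part of the mask, then read the tables) can be carried out in code. The following Python is an added example, not from the book; the function names and the usable-count convention of Tables 1.2 to 1.4 (2^bits - 2 subnets and 2^bits - 2 hosts) are this example's assumptions. It regenerates the three tables, reproduces the 73-subnet class B mask, Bob's five candidate masks, and Sarah's single entry.

```python
"""Fixed-length subnet mask selection, following the chapter's method.

Added example (not from the book). The tables are generated from the
host-bit count of each class; the 2**bits - 2 usable-count convention is
the one the chapter's tables use and is an assumption of this example.
"""

HOST_BITS = {"A": 24, "B": 16, "C": 8}   # locally administered bits per class


def bits_needed(n):
    """Number of bits needed to store the decimal number n (73 -> 7)."""
    return n.bit_length()


def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_subnet_bits(cls, subnet_bits):
    """Mask whose 1 bits are the class network bits plus `subnet_bits` more."""
    ones = (32 - HOST_BITS[cls]) + subnet_bits
    return to_dotted((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def subnet_table(cls):
    """Rows of (subnets, hosts, mask, subnet_bits, host_bits) for a class.

    Like the chapter's tables, it starts at 2 subnet bits and stops while
    at least 2 host bits remain.
    """
    rows = []
    for s in range(2, HOST_BITS[cls] - 1):
        h = HOST_BITS[cls] - s
        rows.append((2 ** s - 2, 2 ** h - 2, mask_from_subnet_bits(cls, s), s, h))
    return rows


def candidate_masks(cls, subnets, hosts):
    """Table rows that provide at least `subnets` subnets and `hosts` hosts."""
    return [r for r in subnet_table(cls) if r[0] >= subnets and r[1] >= hosts]


if __name__ == "__main__":
    # The 73-subnet class B design: 7 subnet bits -> 255.255.254.0
    print(bits_needed(73), mask_from_subnet_bits("B", bits_needed(73)))
    # Bob: class A, 1,045 subnets, 295 devices in the largest subnet
    for row in candidate_masks("A", 1045, 295):
        print(row)
    # Sarah: class C, five segments, no more than 15 devices each
    print(candidate_masks("C", 5, 15))
```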
Add resses and Mask Interaction Let's review t h e c o n c e p t of IP a d d r e s s e s . An IP a d d r e s s identifies a device on a n e t w o r k . IP a d d r e s s e s a re a s s i g n e d from c l a s s e s t h a t c o n t a i n different g r o u p s of a d d r e s s e s . E a c h IP n e t w o r k h a s a n e t w o r k n u m b e r . E a c h IP s u b n e t h a s t h e n e t w o r k n u m b e r of its p a r e n t n e t w o r k a n d a s u b n e t n u m b e r . T h e s u b n e t n u m b e r c a n be f o u n d b y l o c a t i n g t h e s u b n e t field in t h e s u b n e t m a s k . If y o u h a v e a n IP a d d r e s s of 1 5 3 . 8 8 . 4 . 2 4 0 w i t h a m a s k of 2 5 5 . 2 5 5 . 2 5 5 . 0 , y o u k n o w t h a t y o u h a v e a n a d d r e s s in t h e 1 5 3 . 8 8 . 0 . 0 n e t w o r k . You k n o w y o u a r e in s u b n e t .4 b e c a u s e t h e t h i r d o ctet of t h e m a s k s a y s t h a t all 8 b i t s of t h e a d d r e s s in t h e t h i r d octet m a k e u p t h e s u b n e t n u m b e r . By t h e way, all devices w i t h a 1 5 3 . 8 8 in t h e first two o c t e t s a re in t h e s a m e n e t w o r k a n d all devices w i t h a 4 in t h e t h i r d octet a r e in t h e s a m e s u b n e t . W h y is that? In a c l a s s B n e t w o r k , t h e first 16 b i t s a r e t h e n e t w o r k n u m b e r . If devices h a v e t h e i d e n t i c a l first 16 bits, t h e y a r e in t h e s a m e n e t w o r k w i t h a c l a s s B a d d r e s s . W h e n y o u w a n t to s e n d a d a t a g r a m from t h e s o u r c e a d d r e s s to t h e t a r g e t a d d r e s s , IP h a s to m a k e a r o u t i n g decision. Look a t t h e following example:
Source   153.88.4.240   Target   153.89.98.254
Network  10011001                10011001
Network  01011000                01011001
Subnet   00000100                01100010
Host     11110000                11111110
Chapter 1  Addressing and Subnetting Basics
Notice that these are different networks. They are both class B addresses, but the first 16 bits do not match. They are different; therefore, IP "assumes" they are on different physical networks and will send the datagram to the router for forwarding to the target device. IP only looks at subnetting when the network numbers of the two addresses are the same. We had mentioned earlier that the subnet mask helps us locate the subnet number. Here is another example:
Source   153.88.4.240   Target   153.88.192.254   Mask   255.255.255.0
Network  10011001                10011001                 11111111
Network  01011000                01011000                 11111111
Subnet   00000100                11000000                 11111111
Host     11110000                11111110                 00000000
In this example, you will see that we have modified the target address. We have also added a subnet mask that we can use to determine subnetting. Notice the mask, 255.255.255.0. The first two 255s in the mask point to the network portion of the address since we are using a class B address. The third 255 is the location of the subnet field in the locally administered portion of the addresses. The ones in the mask point to the subnet bits. Are these two devices in the same subnet? Look at the bits in the third octet of each address. The source address has a binary subnet field of 00000100 and the target address has a binary subnet field of 11000000. Since these two binary numbers are not the same, these two devices are in different subnets and the source device will send datagrams to the router for delivery to the target device in the target network.

So far we have been working with the easiest subnetting, the 255.255.255.0 mask. Using a mask of 255.255.255.0 allows us to interpret the address by reading the dotted decimal address. For example, an address of 165.22.129.66 contains the network address 165.22.0.0. The subnet number is 129. The host number is 66. Each portion of the dotted decimal address contains address information that is easy to interpret. What happens when the mask is not so simple? In the next example, we will work with a class B network, 160.149.0.0. The subnet mask selected by the administrators is 255.255.252.0. This gives the network 62 subnets with 1022 devices in each subnet. Let's see what happens when we try to determine the subnet identity of two devices:
Source   160.149.115.8   Target   160.149.117.201   Mask   255.255.252.0
Network  10100000                 10100000                  11111111
Network  10010101                 10010101                  11111111
Subnet   01110011                 01110101                  11111100
Host     00001000                 11001001                  00000000
The network portion of the two addresses in the example above is identical, so they are in the same network. The subnet portion of the mask contains 6 bits, so the first 6 bits of the third octet contain the subnet number. The first 6 bits of the third octet are 011100 for 115 and 011101 for 117. These devices are in different subnets. Datagrams sent from the source machine would have to be sent to the router to reach the target device. Why are these two devices in different subnets? First, they are in the same network and are candidates for being in the same subnet. The subnet portion of the mask says that the first 6 bits of the third octet of each address contain the subnet number. In comparing the subnet portion of the two addresses, the bit patterns do not match. They are in different subnets. Here is another example:
Source   160.149.115.8   Target   160.149.114.66   Mask   255.255.252.0
Network  10100000                 10100000                 11111111
Network  10010101                 10010101                 11111111
Subnet   01110011                 01110010                 11111100
Host     00001000                 01000010                 00000000
In this example 160.149.115.8 and 160.149.114.66 are in the same network and subnet. Look at the third octet. Where the one bits exist in the mask, the bits in both addresses are identical, indicating that they are in the same subnet. Even though the third octet contains 114 in one address and 115 in the other, they are in the same subnet because the significant bits are the same in both addresses.
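The routing decision worked through in the four examples above, as an added Python example that is not code from the book. It compares the classful network numbers first and consults the mask only when those match, which is exactly the order the text describes. The function names and the class boundaries used (first octet below 128, 192 and 224 for classes A, B and C) are this example's own assumptions; only the standard library is used.

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_binary_octets(addr: str) -> str:
    """Render an address the way the chapter's tables do: four 8-bit groups."""
    n = to_int(addr)
    return " ".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def classful_network_bits(addr: str) -> int:
    """Network bits implied by the address class: A = 8, B = 16, C = 24.
    The class boundaries (first octet below 128, 192 and 224) are this
    example's assumption; anything else is rejected."""
    first_octet = to_int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C address")


def routing_decision(source: str, target: str, mask: str) -> str:
    """The decision the text describes, as a three-way result.

    1. Compare the classful network numbers. If they differ, the datagram
       goes to the router and the subnet mask is never consulted.
    2. Otherwise AND both addresses with the mask. Equal results mean the
       same subnet (local delivery); different results mean the router.
    """
    src, dst, m = to_int(source), to_int(target), to_int(mask)
    net_bits = classful_network_bits(source)
    net_mask = (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF
    if (src & net_mask) != (dst & net_mask):
        return "different network"
    if (src & m) != (dst & m):
        return "different subnet"
    return "same subnet"


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True only when both the network number and the subnet field match."""
    return routing_decision(a, b, mask) == "same subnet"


if __name__ == "__main__":
    # The four source/target pairs worked through in the text. The first pair
    # is shown without a mask in the book; 255.255.255.0 is supplied here so
    # the call has one, and the result does not depend on it.
    cases = [
        ("153.88.4.240", "153.89.98.254", "255.255.255.0"),
        ("153.88.4.240", "153.88.192.254", "255.255.255.0"),
        ("160.149.115.8", "160.149.117.201", "255.255.252.0"),
        ("160.149.115.8", "160.149.114.66", "255.255.252.0"),
    ]
    for src, dst, mask in cases:
        print(f"Source  {to_binary_octets(src)}")
        print(f"Target  {to_binary_octets(dst)}")
        print(f"Mask    {to_binary_octets(mask)}")
        print(f"->      {routing_decision(src, dst, mask)}\n")
```

The three-way result matters for troubleshooting: a host that prints "different network" never looks at its mask, so a mis-set mask only shows up between devices that share a classful network number.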
Reserved and Restricted Addresses

When assigning addresses to devices in networks and/or subnets, there are some addresses that cannot be used. We reserve two addresses in any network or subnet to uniquely identify two special functions. The first reserved address is the network or subnet address. The network address is the address that includes the network number and a host field filled with binary zeros. 200.1.1.0, 153.88.0.0, and 10.0.0.0 are network addresses. These addresses identify the network and cannot be assigned to a device. Another reserved address is the broadcast address. When used, it is meant to attract the attention of all devices in the network. The network broadcast address is the network number followed by a host field of binary ones. The addresses shown in the example below are network broadcast addresses: 200.1.1.255, 153.88.255.255, and 10.255.255.255. Since this address is supposed to attract the attention of every device, it cannot be used on any single device. We also restrict addresses in subnets. Each subnet has a subnet address and a broadcast address. Like the network address and broadcast address, these addresses cannot be assigned to devices and contain host fields of all zeros and all ones for the subnet address and subnet broadcast.
Subnet Add.  153.88.4.0   Broadcast  153.88.4.255   Mask   255.255.255.0
Network      10011001                10011001               11111111
Network      01011000                01011000               11111111
Subnet       00000100                00000100               11111111
Host         00000000                11111111               00000000
In this example, the subnet address is shown with all zeros in the host field, and the broadcast address is shown with all ones in the host field. Regardless of the size of the subnet field or host field, the bit structure of all zeros in the host field is the subnet address, and all ones in the host field is the subnet broadcast address.
Determining the Range of Addresses within Subnets

Once you have determined what mask to use and understand the special subnet address and subnet broadcast address, you can begin the process of determining what addresses are going to be assigned to specific devices. To do that, you will need to "calculate" which addresses are in each subnet. Each subnet will contain a range of addresses with the same network and subnet number. The difference will be in the host numbers. Below is an example of a set of addresses in a subnet of a class C network.
Network Address 200.1.1.0   Subnet Mask 255.255.255.248

Subnet 1   Mask      11111000
           Address   Binary    Dotted       Role
                     00001000  200.1.1.8    Subnet Address
                     00001001  200.1.1.9    Host 1
                     00001010  200.1.1.10   Host 2
                     00001011  200.1.1.11   Host 3
                     00001100  200.1.1.12   Host 4
                     00001101  200.1.1.13   Host 5
                     00001110  200.1.1.14   Host 6
                     00001111  200.1.1.15   Subnet Broadcast
In the preceding example, we are using the 200.1.1.0 class C network. The subnet mask is 255.255.255.248. Subnetting can only occur in the fourth octet in a class C address. Each subnet can contain six devices using this mask. In creating the addresses for subnet number 1, notice that the subnet field of each address is 00001. The subnet field is indicated by the 11111 portion of the fourth octet of the mask. The subnet field exists in the first five bits of the fourth octet. The remaining 3 bits are used to indicate the host field. The host field for each address increases from 000 for the subnet address to 111 for the subnet broadcast address. The addresses that can be assigned to specific hosts increase from 001 to 110, the binary equivalent of decimal 1 to decimal 6. So why do the addresses look the way they do? We simply combine the subnet number, 00001, with each host field, 000 through 111, and convert each address from binary to decimal. We begin with 200.1.1.8 (00001000) and end with 200.1.1.15 (00001111). In this case, we don't change the 200.1.1. part of the address because that is the network number. More information and the processes used to develop an addressing plan will be found in Chapter 2.
Determining Subnet Addresses Given a Single Address and Mask

If you have an IP address and a subnet mask, you can determine the subnet where the device is located. The steps are as follows:

1. Convert the locally administered portion of the address to binary.
2. Convert the locally administered portion of the mask to binary.
3. Locate the host field in the binary address and replace it with zeros.
4. Convert the binary address to dotted decimal notation. You now have the subnet address.
5. Locate the host field in the binary address and replace it with ones.
6. Convert the binary address to dotted decimal notation. You now have the subnet broadcast address.
Everything between these two numbers represents IP addresses that may be assigned to devices. The following is an example of how to use this process. The address of the device is 204.238.7.45 and the subnet mask is 255.255.255.224. Since this is a class C address, subnetting occurs in the fourth octet.

Address  200.1.1.45         Mask  255.255.255.224
         00101101                 11100000

Convert host to zeros       Convert host to ones
00100000                    00111111
.32 Subnet Address          .63 Subnet Broadcast
The host field is located in the last 5 bits of the address. Replacing the host field with zeros and converting the binary number to decimal gives us the subnet address. Replacing the host field with ones results in the subnet broadcast address. The address 200.1.1.45 subnetted with a mask of 255.255.255.224 is in the subnet 200.1.1.32. The addresses that can be assigned in this subnet are 200.1.1.33 through 200.1.1.62.
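The six-step procedure above and the subnet-1 listing from the 200.1.1.0 example, as an added Python example that is not from the book. Replacing the host field with zeros is an AND with the mask; replacing it with ones is an OR with the inverted mask. The second function then lists every address in the subnet with its role, in the layout of the chapter's listing. The function names are this example's own assumptions.

```python
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def subnet_range(addr: str, mask: str) -> tuple:
    """Steps 3 to 6 from the text in two bit operations.

    Returns (subnet address, first assignable host, last assignable host,
    subnet broadcast) in dotted decimal.
    """
    a, m = to_int(addr), to_int(mask)
    # A valid mask is a run of ones followed by zeros; reject anything else.
    if (m | (m - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"mask {mask} is not contiguous")
    host_field = ~m & 0xFFFFFFFF      # ones exactly where the mask has zeros
    if host_field < 3:                # fewer than 2 host bits: 2^n - 2 is zero
        raise ValueError("a host field needs at least 2 bits to hold an assignable address")
    subnet = a & m                    # host field replaced with zeros (step 3)
    broadcast = subnet | host_field   # host field replaced with ones (step 5)
    return (to_dotted(subnet), to_dotted(subnet + 1),
            to_dotted(broadcast - 1), to_dotted(broadcast))


def enumerate_subnet(addr: str, mask: str) -> list:
    """Every address in the subnet that contains addr, labelled the way the
    chapter's subnet-1 listing is: (last octet in binary, dotted address, role)."""
    subnet, _, _, broadcast = (to_int(x) for x in subnet_range(addr, mask))
    rows = []
    for n in range(subnet, broadcast + 1):
        if n == subnet:
            role = "Subnet Address"
        elif n == broadcast:
            role = "Subnet Broadcast"
        else:
            role = f"Host {n - subnet}"
        rows.append((f"{n & 0xFF:08b}", to_dotted(n), role))
    return rows


if __name__ == "__main__":
    # The worked example from the text: 200.1.1.45 with mask 255.255.255.224.
    print(subnet_range("200.1.1.45", "255.255.255.224"))
    # Subnet 1 of 200.1.1.0 with mask 255.255.255.248, as listed earlier.
    for binary, dotted, role in enumerate_subnet("200.1.1.8", "255.255.255.248"):
        print(f"{binary}  {dotted:<12}  {role}")
```

The same two operations work for any class and any contiguous mask, not only the fourth-octet cases in the text, because the AND and OR act on all 32 bits at once.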
Interpreting Masks

Dec   Binary
0     00000000
128   10000000
192   11000000
224   11100000
240   11110000
248   11111000
252   11111100
254   11111110
255   11111111
Each subnet mask is made up of binary values and is represented in dotted decimal notation. The allowable decimal values that can be used in the mask are seen in Figure 1.23. In order to use these values, there must be a 255 immediately to the left. The subnet mask bits must be contiguous. For example, a mask of 255.255.0.224 is not appropriate. We are sometimes asked "How many bits are in the mask?" The question is answered by expressing the number of bits in the mask with relation to the class of address. For instance, if a mask of 255.255.254.0 is used with a class B address, there are 7 bits in the mask. It may look like there are a total of 23 bits, which there are. To clearly express the subnetting, however, we must say that the mask is a 7-bit mask for a class B address. Only 7 bits of the total 23 bits are used for subnetting. The remaining 16 bits come with the class B address. This may seem like a silly little point, but it can lead to a very bad miscommunication. If I tell you I have a 6-bit mask, what does that mean? Without the class of address, the mask could be 255.252.0.0, 255.255.252.0, or 255.255.255.252. Each of these masks is a 6-bit mask, but they apply to different classes of addresses and give us a completely different subnet picture.
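An added Python example (not from the book) for the two points just made: rejecting a mask whose one bits are not contiguous, such as 255.255.0.224, and counting subnet bits relative to the address class, so that "a 6-bit mask" can be turned back into the right dotted-decimal mask for class A, B or C. The function names and the class-to-network-bits table are this example's own assumptions.

```python
import ipaddress

# Network bits that "come with" each address class, in the text's phrase.
# Assumed by this example: A = 8, B = 16, C = 24.
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def to_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))


def mask_is_contiguous(mask: str) -> bool:
    """True when the mask is a run of ones followed only by zeros, which is
    the same as saying every octet left of the subnetted one is 255.
    255.255.0.224 fails because a zero octet sits between one bits."""
    m = to_int(mask)
    if m == 0:
        return True
    # For a contiguous mask, m - 1 fills the trailing zeros with ones.
    return (m | (m - 1)) & 0xFFFFFFFF == 0xFFFFFFFF


def subnet_bits(mask: str, addr_class: str) -> int:
    """Subnet bits as the text defines them: the one bits in the mask minus
    the bits that come with the address class (255.255.254.0 on class B = 7)."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"{mask} is not a valid subnet mask")
    total_ones = bin(to_int(mask)).count("1")
    net_bits = CLASS_NETWORK_BITS[addr_class]
    if total_ones < net_bits:
        raise ValueError(f"{mask} is shorter than a class {addr_class} network number")
    return total_ones - net_bits


def mask_for_class_bits(addr_class: str, n_subnet_bits: int) -> str:
    """The inverse: which dotted-decimal mask does "an n-bit mask" mean for a
    given class? This is why "6-bit mask" is ambiguous without the class."""
    total_ones = CLASS_NETWORK_BITS[addr_class] + n_subnet_bits
    if not (0 <= n_subnet_bits and total_ones <= 32):
        raise ValueError("subnet bits out of range for this class")
    m = (0xFFFFFFFF << (32 - total_ones)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(m))


if __name__ == "__main__":
    for candidate in ("255.255.254.0", "255.255.0.224"):
        print(candidate, "contiguous:", mask_is_contiguous(candidate))
    print("255.255.254.0 on class B is a", subnet_bits("255.255.254.0", "B"), "bit mask")
    for cls in "ABC":
        print("6-bit mask for class", cls, "=", mask_for_class_bits(cls, 6))
```

The contiguity test is the one a configuration validator needs: it catches 255.255.0.224 as well as masks such as 255.255.255.139 that a quick glance at the dotted-decimal form can miss.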
Reserved Addresses

Earlier in the chapter we talked about certain reserved addresses. Specifically, we said that the network address, network broadcast address, the subnet address, and the subnet broadcast address could not be assigned to any device or host. This is to avoid confusion on the part of the IP software that is responsible for transporting the IP datagrams. These addresses do not uniquely identify any particular device. IP devices may send datagrams using the broadcast address, but the broadcast address means everyone. A single device cannot be everyone; it must have a unique address. We need to remove the reserved addresses from our address calculation and do so by using a special formula to determine how many hosts are available in a subnet or network. If you know the number of bits in the host field of an address, you can calculate the number of devices in the network or subnet. The formula that we use is:
2^n - 2

In this formula, n represents the number of bits in the subnet or host field. We subtract two to remove the two reserved addresses from the calculation. In the following excerpt of the class C subnetting table, you can see the results of using this formula.
Subnets   Hosts   Mask              Subnet Bits   Host Bits
14        14      255.255.255.240   4             4
Using a subnet mask of 255.255.255.240, we have 4 bits in the subnet field. The number of bit patterns that exist in 4 bits is 2^4 or 16. They are as follows:

0000 0001 0010 0011
0100 0101 0110 0111
1000 1001 1010 1011
1100 1101 1110 1111
Removing the two reserved bit patterns, 0000 and 1111, from the possible subnet values leaves us with 14 subnet numbers to use. This same calculation also applies to the bits in the host field.
Summary

In this chapter, you have learned about the IPv4 32-bit address structure. You've seen the components of an IPv4 address, learned about the classes of addresses, and found out exactly how many addresses are available in each class. You then learned why we subnet and how we subnet. You've discovered the contents of the subnet mask and how the subnet mask is created. You were shown the process used to convert decimal numbers to binary and binary numbers to decimal. The contents of subnet mask tables were made available and the process of selecting a subnet mask for a networking problem was described.
Finally, you were shown how to determine if two addresses were in the same subnet and which addresses were in a subnet. Additionally, you've learned which addresses could not be used on IP devices.
255 11111111
139 10001011
This forces the address administrator to calculate each address individually. There is also no continuous range of addresses in each subnet. It is too confusing and too difficult to subnet using strange and wonderful masks like the preceding one. Select your masks from the tables in the chapter.
Q: I confuse my address with my mask. How can I tell the difference?

A: The mask will always have 255 in the first octet. The address will never have 255 in the first octet.
Q: How can I be sure that the mask I select for my network is correct?

A: It is always a good question. The answer is "You cannot!" Even if you did the correct research and created the best possible mask with current information, changes in network design and network administration may force you to modify the addressing structure. That would mean that the mask you selected may not be appropriate. The best suggestion is to make sure there is plenty of room for growth in subnets and hosts in each subnet when you select your mask and create your addressing plan.

Q: Why do I need to know the decimal-to-binary conversion?

A: To understand fully how subnetting works, it is necessary to understand how the bits in the mask and the address are related. To see the relationship, it is often necessary to view the addresses in binary along with the binary representation of the mask. Without decimal-to-binary conversion, it is difficult to view the relationship.
Chapter 2  Creating an Addressing Plan for Fixed-Length Mask Networks
Introduction

Many organizations, especially smaller ones, use fixed-mask addressing. Fixed-mask addressing is easier to understand and simpler to implement than variable-mask addressing. In fixed-mask networks, every device uses the same mask and all subnets have the same number of available addresses: they're all the same size. In Chapter 1 we learned about IP addresses and the basics of mask operation and subnetting. In this chapter, we'll detail the steps you need to take to assign appropriate IP addresses to those devices that need them. We'll also show you some effective and surprisingly simple tools to make the job easier. Your choice of routing protocols can affect your choice of mask. Of the popular routing protocols, RIP (version 1) and IGRP impose certain requirements on addressing: all devices on all subnets must use the same mask. In other words, you are forced into a fixed-length-mask addressing plan. If you use RIP (version 2), OSPF, or EIGRP, then you can still choose to use the same mask for each subnet, but the protocols do not demand it.
Determine Addressing Requirements

When you need to develop an IP addressing plan, whether it is for fixed- or variably-subnetted networks, you have to start by determining exactly what your needs are. As you recall, IP addresses contain information that helps routers deliver datagrams to the proper destination networks or subnets. Since such a close relationship exists between IP addresses and their target network segments, you must be careful to determine the proper range of addresses for each network or subnet.
Review Your Internetwork Design

We start by reviewing our network documentation. If this is a newly designed IP network, you'll need the design specifications. If the network has been in operation for some time, you can use the "as built" documentation. These specifications should include information such as:

- The number and type of devices on each LAN segment
- An indication of which of those devices need an IP address
- The devices connecting the segments, for example: routers, bridges, and switches.
How Many Subnets Do You Need?

As you review your design, identify and list each subnet, noting the number of IP addresses needed in each. Take a look at Figure 2.1.

Figure 2.1 Sample Network Layout.
One definition of a router is that it is a device that interconnects networks. Routers and layer-3 switches operate by forwarding packets from one network to another so that the packet gets one step closer to its final destination. Each interface on a router needs a unique IP address. Furthermore, each interface's IP address must belong to a different network or subnet. Put another way, each router interface defines a network or subnet. This last statement is the cause of much "weepin' and wailin'" on the part of IP network administrators. Look again at Figure 2.1 in light of our routers' configuration needs. Router1 has four interfaces: one LAN interface and three WAN interfaces. Therefore Router1 needs four IP addresses, and each of those addresses needs to be in a different network or subnet. Now look at Router2. It has two interfaces, a LAN interface and a WAN interface. Therefore, two addresses are needed, one in each of two networks or subnets. The same can be said for the other two branch office routers. Let's tally what we have so far. The Headquarters router needs four addresses and each of the branch routers needs two, for a total of ten addresses. Does that mean that there are ten subnets? Look again: Router1 and Router2 are connected to the same subnet (labeled B in Figure 2.1). Router1 shares connections with Router3 and Router4 in the same way.
So we see a total of seven subnets: four are LANs and three are WAN connections. Do you need to allocate IP address ranges for all of them? In general, the answer is yes. As with most topics in the IT industry, the precise answer is more complicated than that.
How Many IP Addresses Are Needed in Each Subnet?

Now that you know how many different subnets (address ranges) you need, it's time to determine, for each subnet, how many devices need addresses. The basic guideline here is that each interface that will be "talking IP" needs an IP address. Here are some examples:

- Routers: one IP address per interface (see the next section for a discussion on unnumbered interfaces).
- Workstations: generally one address.
- Servers: generally one address unless the server is multihomed (has more than one interface).
- Printers: one address if they are communicating with a print server via IP, or if they have an integrated print server feature (like the HP JetDirect). If the printer is attached to the serial or parallel port of another device, it does not need an IP address.
- Bridges: normally bridges do not communicate using IP, so they do not need an address. However, if the bridge is managed using an SNMP-based network management system, it will need an address, because the data collection agent is acting as an IP host.
- Hubs: same as bridges.
- Layer-2 switches: same as bridges.
- Layer-3 switches: same as routers.
In Table 2.1, you can see the number of various devices on each LAN of our sample organization.
Table 2.1 Devices in the Sample Network

LAN                Devices
Headquarters       20 workstations, 2 servers, 1 managed hub, 1 network-attached printer, 1 router
Morganton Branch   11 workstations, 2 network-attached printers, 1 router
Lenoir Branch      12 workstations, 1 router
Hickory Branch     5 workstations, 1 server, 1 router
Is the table complete? No. What's missing? Remember that each router interface needs an IP address, too. Also, what about the WAN links?
Table 2.2 summarizes our actual needs, on a subnet-by-subnet basis.
Table 2.2 Number of IP Addresses Needed

Subnet         IP Addresses
Headquarters   25
Morganton      14
Lenoir         13
Hickory        7
WAN1           2
WAN2           2
WAN3           2
After adding the WAN links and router addresses, we can say that we need 7 subnets, with anywhere from 2 to 25 IP addresses in each.
What about Growth?

Data networks seem to have a life of their own. It is a rare network that does not change and grow. As your users become comfortable with the applications they use via the network, they will start to ask for more features. You will probably find that you will be adding users, applications, servers and internetworking devices throughout the life of your network. When you design an addressing plan, make sure you allow enough room for growth both in the number of subnets required and the number of addresses required in each subnet. The amount of growth depends almost entirely on your organization. What kind of expansion plans does your organization have? Are you more likely to add users/servers, or new branch offices? Are there any mergers/acquisitions anticipated for your future?
Choose the Proper Mask

The next step in creating your addressing plan is choosing a mask to be used in your network. Going back to how a mask works, remember that each bit in the mask determines how the corresponding bit in the IP address is interpreted. Where there is a zero-bit in the mask, the corresponding bit of the IP address is part of the interface (host) identifier. Where there is a one-bit in the mask, the corresponding bit of the IP address is part of the network or subnet identifier. So, the number of zero-bits in the mask determines the number of bits in the host field of an IP address, and thus the number of possible IP addresses for each subnet. Remember the formula 2^n - 2 (where n is the number of bits)? Working backwards, you can determine the number of host bits required in the IP address given the number of addresses needed. The idea is to find the smallest value for n where the formula 2^n - 2 gives you the number of addresses needed.
For example, if you need 25 addresses in a subnet, there must be at least five host bits in the IP address. That is, there must be at least five zeros in the mask: 2^4 - 2 = 14 (not enough); 2^5 - 2 = 30 (enough). If you need 1500 addresses, there must be at least 11 zeros in the mask (2^11 - 2 = 2046).
Consult the Tables
If you've been given a "classful" block of addresses to use (that is, an entire class A, B, or C network address), then you can refer to the corresponding subnet tables at the end of the chapter. Those tables can guide you to the proper mask to choose and how to allocate address ranges. Let's look at our sample network shown in Figure 2.1. After our analysis, Table 2.2 showed that we need to support seven subnets, and the maximum number of addresses needed in any subnet is 25. Let's assume we've been given class C network 192.168.153.0 to use in our organization.
Table 2.3 is a traditional (RFC 950) class C subnetting table. Consulting this table, we can try to find an appropriate mask.
Table 2.3 Class C Subnet Table

# Subnet Bits   # Subnets   # Host Bits   # Hosts   Mask
2               2           6             62        255.255.255.192
3               6           5             30        255.255.255.224
4               14          4             14        255.255.255.240
5               30          3             6         255.255.255.248
6               62          2             2         255.255.255.252
Can you locate a mask that will support seven subnets with 25 hosts each? No; a mask of 255.255.255.224 gives us enough host addresses, but not enough subnets, and 255.255.255.240 supports enough subnets, but not enough host addresses. Now what? In this situation, you have four options:
1. Use unnumbered interfaces.
2. Ask for a bigger block of addresses.
3. Play some tricks with your router.
4. Use "subnet zero."
Use Unnumbered Interfaces
Many popular routers today provide a feature known as unnumbered interfaces or IP unnumbered. This feature can be used when the interface connects to a point-to-point network, such as a leased 56k or T1 line. When you use this feature, the point-to-point network does not need IP addresses and can be omitted from the total number of subnets. If we took advantage of this feature in our sample network, we would need to provide addresses only for the LAN segments. This can lead to substantial savings in the number of IP addresses needed. We'll look at some examples in the next section.
One disadvantage of using unnumbered interfaces is that you cannot directly access those interfaces for testing or management purposes. So you will have to make a choice for manageability or for address conservation. In most networks, the choice will be clear, based on the needs of the organization. In other networks, you may just have to make a judgement call. Using unnumbered interfaces in our example eliminates the need for three subnets (the three WAN connections). Now we need only four subnets, and a mask of 255.255.255.224 would be appropriate.
Ask for a Bigger Block of Addresses
If you had two class C addresses, you could use one for the Headquarters LAN, and subnet the other for the branch LANs and WAN links. For example, if you were allocated two class C addresses (192.168.8.0 and 192.168.9.0), you could use 192.168.8.0 with the mask 255.255.255.0 for the Headquarters LAN. For the remaining LANs and WAN links we can subnet 192.168.9.0 with the mask 255.255.255.224. This gives us six subnets with 30 host addresses each, plenty to cover our needs.
Router Tricks
Most routers allow you to assign more than one IP address to an interface. This feature is called multinetting or secondary interfaces. Thus, you can actually support more than one subnet on a single router interface. In our sample network, you could use the mask 255.255.255.240 (which gives you 14 subnets and 14 host addresses), then assign two addresses on the Headquarters LAN interface of the router.
Now we have 28 addresses available on the Headquarters LAN. Pretty handy, right? Yes, but at a price. Remember that the Internet Protocol (IP) determines local vs. remote delivery using the IP address. If your workstation is communicating with a host on another subnet (as determined by your mask and the target IP address), the datagrams will be delivered to your default gateway (router). Take a look at Figure 2.2.
Figure 2.2 Multiple subnets on a LAN segment.
WS1 is on one IP network, and WS2 and the server are on another. They (and the router) are all on a single LAN segment (i.e., they are all connected to the same Ethernet hub). When WS2 wants to communicate with the server, the IP software in WS2 determines that, based on the mask of 255.255.255.0, the server is on the same IP network/subnet. So, WS2 will send a packet directly to the server. What happens when WS1 wants to talk to the server? Are they on the same IP network? They aren't, so WS1 will send the packets to its default gateway (Router 1). Router 1 will then forward the packets to the proper network for the server. Thus, each packet transmitted between WS1 and the server will appear on the Ethernet segment twice: once from WS1 to the router and again from the router to the server (and vice-versa).
Use Subnet Zero
To help avoid potential interoperability problems, conservative network managers still follow the original specification and choose not to use the all-zeros and all-ones subnets. If this is the path you choose to follow, then you must subtract two from the number of subnets shown in each row of the tables at the end of the chapter. In some cases, such as the example we're working on, it may be necessary to go ahead and use the additional subnets. In our example, you could choose to use 255.255.255.224 as your mask, which gives you enough host addresses. By using subnet zero, you would have enough subnets to cover your needs.
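The mask arithmetic above, including the RFC 950 versus subnet-zero choice, as an added Python example; it is not code from the book or from any calculator the chapter mentions, and the function names are mine. The block also generalizes to the prefix length you would request when asking for a bigger block (option 2), which is the calculation that exercise 6 at the end of the chapter asks for.

```python
"""Mask selection for a fixed-length subnetting plan (added example)."""
import ipaddress


def bits_needed(count, reserve_two=True):
    """Smallest n such that 2**n - 2 (or 2**n) covers `count` items.

    reserve_two=True applies the 2^n - 2 rule used for host fields
    (all-zeros = subnet address, all-ones = broadcast) and for subnet
    fields under RFC 950 (no all-zeros or all-ones subnet).
    """
    n = 1
    while (2 ** n - (2 if reserve_two else 0)) < count:
        n += 1
    return n


def prefix_to_mask(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def feasible_masks(hosts_needed, subnets_needed, network_bits, use_subnet_zero=False):
    """All fixed-length masks that fit both requirements into one block.

    network_bits: 8 / 16 / 24 for a class A / B / C block.
    use_subnet_zero=False follows RFC 950 (two subnets are unusable);
    True allows the all-zeros and all-ones subnets (the CIDR view).
    Returns dotted masks, fewest subnet bits first; an empty list means
    no single mask works and one of the four options above is needed.
    """
    local_bits = 32 - network_bits
    host_bits_min = bits_needed(hosts_needed)
    subnet_bits_min = bits_needed(subnets_needed, reserve_two=not use_subnet_zero)
    masks = []
    for subnet_bits in range(subnet_bits_min, local_bits):
        host_bits = local_bits - subnet_bits
        if host_bits >= host_bits_min:
            masks.append(prefix_to_mask(network_bits + subnet_bits))
    return masks


def cidr_block_to_request(hosts_needed, subnets_needed):
    """Prefix length of the block to ask for (option 2), counting CIDR-style:
    subnet bits cover 2**s >= subnets, host bits cover 2**h - 2 >= hosts."""
    return 32 - (bits_needed(hosts_needed)
                 + bits_needed(subnets_needed, reserve_two=False))


if __name__ == "__main__":
    # The chapter's sample network: seven subnets, at most 25 hosts each,
    # inside class C network 192.168.153.0.
    print(bits_needed(25), bits_needed(1500))               # 5 11
    print(feasible_masks(25, 7, 24))                        # [] under RFC 950
    print(feasible_masks(25, 7, 24, use_subnet_zero=True))  # ['255.255.255.224']
    print(feasible_masks(25, 4, 24))                        # WAN links unnumbered
    print(cidr_block_to_request(170, 420))                  # 15
```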
For more practice choosing the correct mask for your network, please refer to the exercises at the end of the chapter.
"Previous versions of this document also noted that subnet numbers must be neither 0 nor -1, and must be at least two bits in length. In a CIDR world, the subnet number is clearly an extension of the network prefix and cannot be interpreted without the remainder of the prefix. This restriction of subnet numbers is therefore meaningless in view of CIDR and may be safely ignored."
Obtain IP Addresses
If you have already been given a block of addresses to use, and that block is sufficient for your needs, you may proceed to the next step (calculating the appropriate address ranges for each subnet). If you have not been given any addresses, or if you determine that the addresses you've been given are not sufficient, then you will need to obtain one or more blocks of addresses. You should try these three sources in order:
1. Your organization's network manager
2. Your Internet Service Provider
3. The Internet Address Registry
From Your Organization's Network Manager
In most organizations of any size at all, there is, or at least there should be, one person (or a small group) responsible for allocating IP addresses to individuals and groups. Your first source of IP addresses would be such a resource.
From Your ISP
If your organization does not have a central allocation resource, or if you are that resource, then you may have to go outside your organization to obtain the addresses. If you plan to connect to the Internet, then you must use either globally-unique addresses, or private addresses and network address translation (refer to Chapters 3 and 4). If you do not plan to connect to the Internet (really?), then technically, you can use any addresses you want. However, RFC 1918 recommends that you use the addresses set aside for such purposes. Again, refer to Chapter 3 for details. To obtain globally-unique addresses, you should contact your Internet service provider (ISP) and present your request. You will be allocated a block of addresses that is a subset of the block that your ISP has been assigned.
From Your Internet Registry
The ultimate source for IP addresses is the Internet Registry that has jurisdiction in your country. There are currently three regional registries:
• ARIN: American Registry for Internet Numbers (www.arin.net). ARIN has jurisdiction for North America, South America, sub-Saharan Africa, and the Caribbean.
• RIPE NCC (www.ripe.net). European Registry.
• APNIC (www.apnic.net). Asia Pacific Registry.
RFC 2050 describes in more detail the policies regarding IP address allocation.
Calculate Ranges of IP Addresses for Each Subnet
Let's recap. So far we have:
• Determined our addressing requirements
• Chosen the proper mask
• Obtained sufficient IP addresses
Now it's time to determine the appropriate range of addresses for each subnet.
Doing It the Hard Way
If you find yourself without any tools, you can always fall back to the manual method. There are shortcuts floating around "on the grapevine" that work in certain circumstances, but not in others. The following procedure works with all classes of addresses and all masks. Let's apply the procedure to our sample network.
First, identify the number of locally administered bits in your network address. In our example, we've been assigned a class C network (192.168.153.0). Class C networks have 24 network bits and 8 local bits. Second, make a place for each of the local bits (eight of them in our example):

_ _ _ _ _ _ _ _

Next, using the mask, we designate the subnet bits and the host bits. In our example, we chose 255.255.255.224 as our mask. Consulting Table 2.3, we see that this mask specifies three subnet bits and five host bits.

Subnet    Host
_ _ _     _ _ _ _ _
Now we can start plugging in various combinations of valid bit patterns as we learned in Chapter 2. Three bits can be combined in 2^3 (8) combinations as listed:

000 001 010 011
100 101 110 111

In our example, we chose to use subnet zero, so we'll start there. Filling in the valid subnet bits into our template, we have:

Subnet    Host
0 0 0     x x x x x

Remember, for each subnet there are four meaningful addresses:
• The subnet address (host bits all zero)
• The first assignable IP address
• The last assignable IP address
• The broadcast address (host bits all ones)

So our first subnet looks like this:

Subnet    Host
0 0 0     0 0 0 0 0 = 0 (subnet address)
0 0 0     0 0 0 0 1 = 1 (subnet + 1)
0 0 0     1 1 1 1 0 = 30 (broadcast - 1)
0 0 0     1 1 1 1 1 = 31 (broadcast address)

The first subnet address is 192.168.153.0, the range of addresses assignable to various devices is 192.168.153.1 through 192.168.153.30, and the broadcast address for the subnet is 192.168.153.31. If we repeat the process for the other subnets, we simply use a different subnet bit pattern for each. The second subnet would be calculated as follows:

Subnet    Host
0 0 1     0 0 0 0 0 = 32 (subnet address)
0 0 1     0 0 0 0 1 = 33 (subnet + 1)
0 0 1     1 1 1 1 0 = 62 (broadcast - 1)
0 0 1     1 1 1 1 1 = 63 (broadcast address)
Continuing through all eight possible subnets, we can summarize in Table 2.4.
Table 2.4 Summary of Addresses for the Example Network

Subnet Address   First Assignable   Last Assignable   Broadcast Address
192.168.153.0    192.168.153.1      192.168.153.30    192.168.153.31
192.168.153.32   192.168.153.33     192.168.153.62    192.168.153.63
192.168.153.64   192.168.153.65     192.168.153.94    192.168.153.95
192.168.153.96   192.168.153.97     192.168.153.126   192.168.153.127
192.168.153.128  192.168.153.129    192.168.153.158   192.168.153.159
192.168.153.160  192.168.153.161    192.168.153.190   192.168.153.191
192.168.153.192  192.168.153.193    192.168.153.222   192.168.153.223
192.168.153.224  192.168.153.225    192.168.153.254   192.168.153.255
Table 2.4, along with all other possibilities for any network/mask combination, can also be found at the end of this chapter.
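The manual procedure, carried through for every subnet bit pattern, as an added Python example (not the book's own code or worksheet); the function and its parameters are my own. It reproduces Table 2.4, can drop the all-zeros and all-ones subnets for an RFC 950 plan, and also handles the class B case of exercise 5, where 172.16.0.0 is a constructed stand-in for the N.N network.

```python
"""Enumerate subnet ranges for a fixed-length mask (added example)."""
import ipaddress


def subnet_ranges(network, mask, network_bits=24, use_subnet_zero=True):
    """Return (subnet, first assignable, last assignable, broadcast) rows.

    Mirrors the manual procedure: the local bits (32 - network_bits) are
    split by the mask into subnet bits and host bits; every subnet bit
    pattern is plugged in, and the host field is set to all zeros
    (subnet address) or all ones (broadcast). With use_subnet_zero=False
    the all-zeros and all-ones subnets are left out (RFC 950).
    """
    base = int(ipaddress.IPv4Address(network))
    mask_int = int(ipaddress.IPv4Address(mask))
    host_bits = 32 - bin(mask_int).count("1")
    subnet_bits = 32 - network_bits - host_bits
    if subnet_bits < 0 or host_bits < 2:
        raise ValueError("mask does not fit the block or leaves fewer than 2 host bits")
    # Sanity check: the address given must be the block's network address.
    if base & ((1 << (32 - network_bits)) - 1):
        raise ValueError("network address has local bits set")

    patterns = range(2 ** subnet_bits)
    if not use_subnet_zero:
        patterns = range(1, 2 ** subnet_bits - 1)
    rows = []
    for pattern in patterns:
        subnet = base | (pattern << host_bits)
        broadcast = subnet | ((1 << host_bits) - 1)
        rows.append(tuple(str(ipaddress.IPv4Address(a))
                          for a in (subnet, subnet + 1, broadcast - 1, broadcast)))
    return rows


def format_table(rows):
    """Render rows in the layout of Table 2.4."""
    header = ("Subnet Address", "First Assignable", "Last Assignable", "Broadcast Address")
    lines = ["  ".join(f"{h:<17}" for h in header)]
    for row in rows:
        lines.append("  ".join(f"{c:<17}" for c in row))
    return "\n".join(lines)


if __name__ == "__main__":
    # The chapter's example: 192.168.153.0 with 255.255.255.224 (eight subnets).
    print(format_table(subnet_ranges("192.168.153.0", "255.255.255.224")))
    # The worksheet check with 255.255.255.248: .1-.6, then .9-.14.
    for row in subnet_ranges("192.168.153.0", "255.255.255.248")[:2]:
        print(row)
```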
Worksheets
"Doing it the hard way" can be intellectually satisfying. However, when you want to get real work done, some simple tools can often save you a lot of time. For example, a series of tabular worksheets can serve the dual purpose of helping you calculate address ranges and tracking the assignment of addresses to devices on your network. Table 2.5 is the beginning few rows of a subnet assignment worksheet. The full worksheet (with addresses from zero to 255) is located at the end of the chapter.
Table 2.5 Subnet Assignment Worksheet
The worksheet provides a visual reference to the addresses that are valid for each subnet, regardless of the mask used. For example, if we had chosen a mask of 255.255.255.248, the range of addresses available in the first subnet would be 192.168.153.1 through 192.168.153.6. The second subnet would contain 192.168.153.9 through 192.168.153.14. This is the same result that we would have obtained by doing the calculations "the hard way" or by using the subnetting tables.
The second benefit of a worksheet like this is that it is self-documenting. As you assign subnets, you can write in the column (under the appropriate mask) descriptive information about the subnet: where it is located, technical contact, etc. You can also track individual address assignments by filling in information in the Assigned To column.
The worksheet is also scalable. Each worksheet can document a single class C network. If you have to track allocations for a class B network, you can use one worksheet to document each group of 256 addresses, then one more worksheet to show a summary of the groups.
Subnet Calculators
Probably the easiest way to calculate address ranges is to use a subnet calculator. There are many such calculators available on the Internet as freeware or shareware. (See the FAQs for sources.) Using the IP Subnet Calculator from Net3 Group (www.net3group.com), we can calculate the address ranges for the subnets in our sample network. First, we tell the calculator that we are using network 192.168.153.0 (a class C address), and a mask of 255.255.255.224 as shown in Figure 2.3. Then, we simply click on the Subnets/Hosts tab to reveal the usable address ranges as shown in Figure 2.4. Again, the results seen here match those obtained manually and from worksheets. By clicking the button above the CIDR tab, the calculator will copy the table shown to the Windows clipboard. You can then paste the table into a spreadsheet or other tools for further manipulation.
Figure 2.3 IP Subnet Calculator.
Allocate Addresses to Devices
We've finally arrived at the goal of the exercise: to allocate individual addresses to the IP devices in our network.
Assigning Subnets
The first step is to assign subnets to appropriate network segments. Revisiting our network segments (from Table 2.2) we can now add a third column for the subnets assigned to each segment, as shown in Table 2.6.
Figure 2.4 Assignable address ranges.
Is this the only way to assign the subnets? Absolutely not: pick any of the eight subnets and assign them to any of the seven network segments. Technically, it makes no difference at all which subnet is assigned to which segment. The only factor to consider here is ease of use and documentation. Notice that subnet zero was allocated to one of the WAN links. Since we can't be totally conservative here (we must use subnet zero), we'll allocate it to a network segment that is least likely to have interoperability problems. The idea here is that most routers purchased in the last few years do support the subnet zero feature without any problems.
Table 2.6 Subnet Assignment

Subnet         IP Addresses   Subnet(s)
Headquarters   25             192.168.153.32
Morganton      14             192.168.153.64
Lenoir         13             192.168.153.96
Hickory                       192.168.153.128
WAN1                          192.168.153.160
WAN2                          192.168.153.192
WAN3                          192.168.153.0
Assigning Device Addresses
Once you've assigned subnets to the various network segments, it's time to assign individual addresses to devices that need them. Here again is where the worksheets come in handy. Let's assign addresses for the Hickory subnet in our sample network. Table 2.7 contains another excerpt from the address assignment worksheet.
Table 2.7 Subnet Assignment Worksheet: Hickory
Again, there is no one correct way to do these assignments; it's up to you. There are basically three schools of thought on the matter: sequential allocation, reserved addresses, and "grow towards the middle."
Sequential Allocation
In Table 2.7, we simply assigned the next available IP address to each device without too much regard to the type or function of the device. The advantages to this approach are flexibility, and no wasted addresses. The disadvantages include no order or scheme of assignment, and no way to determine the function of the device based on its address.
Reserved Addresses
The second approach consists of reserving a range of addresses in each subnet for various functions. For example:
Routers: first three addresses
Servers: next five addresses
Misc: next five addresses (printer, smart hubs, etc.)
Workstations: all remaining addresses.
The advantage here is that you (and your support staff) can readily determine the kind of device based on its address. Conversely, given a device, you can determine its address. The main disadvantage is that the reserved addresses can go unused, while there may be a need for more addresses in other functional groups.
Grow Towards the Middle
The third technique is to assign the main subnet router the first available address on the subnet, then assign the next higher addresses in sequence to other internetworking and support devices. Workstations are assigned addresses from the top of the address range down, as needed.
This technique allows all available addresses to be used, while preserving some kind of functional consistency. Use the technique with which you are most comfortable. Many administrators use a combination of the three techniques.
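The three allocation schemes, applied to the Hickory subnet from Table 2.6, as an added Python example that is not from the book. The device names and kinds are constructed for illustration; the reservation sizes follow the text, and the functions show where the reserved-range scheme runs dry and where grow-towards-the-middle fails only when the two ends meet.

```python
"""Three device-address allocation schemes within one subnet (added example)."""
import ipaddress

# Constructed device list for the Hickory subnet; names and kinds are hypothetical.
HICKORY_DEVICES = [
    ("hky-rtr1", "router"),
    ("hky-srv1", "server"),
    ("hky-prn1", "misc"),
    ("hky-ws01", "workstation"),
    ("hky-ws02", "workstation"),
    ("hky-srv2", "server"),
]

# Reserved-range scheme from the text: routers 3, servers 5, misc 5,
# workstations take the remainder.
RESERVATIONS = (("router", 3), ("server", 5), ("misc", 5))


def assignable(subnet, broadcast):
    """Usable host addresses strictly between the subnet and broadcast addresses."""
    lo = int(ipaddress.IPv4Address(subnet)) + 1
    hi = int(ipaddress.IPv4Address(broadcast)) - 1
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]


def sequential(devices, pool):
    """Next available address to each device, in order, regardless of kind."""
    if len(devices) > len(pool):
        raise ValueError("subnet exhausted")
    return {name: pool[i] for i, (name, _) in enumerate(devices)}


def reserved(devices, pool):
    """Each kind draws only from its reserved slice of the subnet."""
    slices, start = {}, 0
    for kind, size in RESERVATIONS:
        slices[kind] = pool[start:start + size]
        start += size
    slices["workstation"] = pool[start:]
    result = {}
    for name, kind in devices:
        if not slices[kind]:
            # The disadvantage the text notes: one group runs out while
            # addresses reserved for other groups sit unused.
            raise ValueError(f"reserved range for {kind} exhausted at {name}")
        result[name] = slices[kind].pop(0)
    return result


def grow_towards_middle(devices, pool):
    """Router first, then support devices climbing from the bottom;
    workstations descend from the top; fails only when the ends meet."""
    low, high, result = 0, len(pool) - 1, {}
    ordered = sorted(devices, key=lambda d: d[1] != "router")  # routers first
    for name, kind in ordered:
        if low > high:
            raise ValueError(f"subnet exhausted at {name}")
        if kind == "workstation":
            result[name] = pool[high]
            high -= 1
        else:
            result[name] = pool[low]
            low += 1
    return result


if __name__ == "__main__":
    # Hickory: 192.168.153.128 with mask 255.255.255.224 (Table 2.4 row 5).
    pool = assignable("192.168.153.128", "192.168.153.159")
    for scheme in (sequential, reserved, grow_towards_middle):
        print(scheme.__name__, scheme(HICKORY_DEVICES, pool))
```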
Document Your Work
Congratulations! You've completed the assignment of IP addresses to all the networked devices that need them. Time to relax (almost).
Keeping Track of What You've Done
You've spent quite a bit of time so far working out the details of this project. A small additional investment of time can yield big dividends down the road. Yes, we're talking about documentation, again. If you've used the worksheet method of allocating addresses, then your work is done. If you used an IP calculator or the back of a napkin, you should probably transfer your work to something more permanent.
Paper
At the very least, write down what you have done:
• Address blocks obtained
• Mask chosen
• Subnets assigned
• IP addresses assigned (and to whom)
Keep your notes where they can be updated when things change.
Spreadsheets
With a little work, you can create a significant source of information by putting your assignment data into a spreadsheet. Create columns for:
• IP address
• Date assigned
• Assigned to
• Contact information (phone, fax, e-mail)
• Device type
Many spreadsheet applications provide for a simple data entry form to assist in loading the information. Throughout the life of your network you can query, sort, and report on information in the spreadsheet to give you assignments by name, by address, by type, by date, and so on. When the time comes for an upgrade, wouldn't it be nice to have a way to identify quickly the addresses and locations of all your routers?
Databases
Just about anything you can do with a spreadsheet, you can do with a database application as well. Most database software will allow you to create input forms with data validation to help keep errors out, and most provide report-writing capability to produce standard and ad hoc reports. The IP address allocation database does not have to be very sophisticated to be effective. A simple one-table database in Microsoft Access, for example, can provide appropriate information for a very large organization. Many new Network Management applications now on the market provide asset management functions where networked devices are tracked. Use these facilities to record allocation and contact information as listed earlier.
In Any Case
No network is static. Users come and go; applications just seem to keep coming. Technology changes. Many network designers are replacing routers with layer-2 and layer-3 switches. Keep your documentation up to date! Out-of-date information is, in some ways, worse than no information at all.
Summary
In this chapter, we have presented the steps required to develop an effective IP addressing plan for networks with fixed masks. First, we determined the number of IP addresses and subnets actually needed, with some hints for squeezing the most out of the addresses you've been given. Using subnetting tables, we determined the proper mask to use. Next came the calculation of appropriate address ranges using manual techniques, worksheets, or subnet calculators. We then assigned IP addresses to those devices that needed them. Finally, we discussed the importance of properly documenting our work.
Q: Where can I get a subnet calculator?
A: URLs:
http://www.net3group.com/download.asp
Downloadable stand-alone application that runs under Win 95/98/NT.
http://www.cisco.com/techtools/ip_addr.html
Online calculator.
http://www.ccci.com/subcalc/download.htm
Java-based calculator.
http://www.ajw.com/ipcalc.htm
Calculator for the Palm Pilot.
Exercises
1. You've been assigned a "/23" CIDR block. How many traditional class C networks does that represent? What is the equivalent netmask? How many total host addresses does the block cover?
2. What mask would you use if you needed to divide a class B network into 200 subnets with 100 addresses needed in each?
3. Two routers are connected via a leased T1 line. Do these router interfaces need an IP address? Why or why not?
4. Under what circumstances would you use a fixed-length subnetting scheme?
5. Using any method you prefer, calculate the address ranges for all the subnets created in a class B network using the mask 255.255.254.0. Use the all-zeros and all-ones subnets.
6. What size CIDR block would you ask for if you needed 420 subnets with 170 host addresses each?
7. Why can't you use a mask of 255.255.255.254?
8. Why should you bother documenting your address assignments?
1. 2 class C's; 255.255.254.0; 512 addresses.
2. There are two possible masks: 255.255.255.0 and 255.255.255.128. Since we were not given any information about growth, we need to pick the one most likely to meet our future needs. The most common choice would probably be 255.255.255.0, since it is easy to use and allows some growth in the number of subnets and significant growth in the size of each subnet.
3. In general, the answer is yes. However, if the routers support the "IP unnumbered" feature, they do not.
4. You must use a fixed-length subnetting scheme if you are using a routing protocol that does not support variable-length subnetting. Of the common IP routing protocols in use today, RIP (v. 1) and Cisco's IGRP require fixed-length subnetting. RIP2, EIGRP, and OSPF support variable-length subnetting. When using those protocols, you still may want to choose fixed-length subnetting for simplicity.
5. 128 subnets, as follows:
   N.N.0.0 - N.N.1.255
   N.N.2.0 - N.N.3.255
   N.N.4.0 - N.N.5.255
   ...
   N.N.254.0 - N.N.255.255
6. Based on the 170-address requirement, you would choose a mask of 255.255.255.0. In other words, you need eight bits to cover the host addresses. You need another nine bits to cover the number of subnets, for a total need of 17 bits. Since an IP address is 32 bits long, and you need 17 for your own use, you would ask for a (32 - 17) or 15-bit block (/15 in CIDR notation).
7. The host field needs to be at least two bits long. A host field of all zeros denotes the subnet address, and a host field of all ones is the broadcast address for that subnet.
8. To help with future assignments, to assist with troubleshooting activities, to help with upgrades, and to prevent duplicate address assignments.
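As an added check on the answer key above (example code written for this edit, not material from the book), the following Python computes the answers to exercises 1, 2, 6 and 7 from the same bit-counting rules the answers use; the function names and the 8/16/24 network-field widths for classes A/B/C are this example's own conventions.

```python
import ipaddress
import math


def cidr_block_summary(prefix_len):
    """Exercise 1: class C equivalents, dotted netmask and address count of a /prefix_len block."""
    total = 2 ** (32 - prefix_len)
    netmask = str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)
    return {"class_c_equivalents": total // 256, "netmask": netmask, "addresses": total}


def bits_needed(count):
    """Smallest number of bits b such that 2**b >= count."""
    return math.ceil(math.log2(count))


def fixed_length_masks(network_bits, subnets_needed, hosts_per_subnet):
    """Exercise 2: every fixed-length mask that yields at least `subnets_needed`
    subnets, each with room for `hosts_per_subnet` hosts, inside a classful
    network whose network field is `network_bits` wide (8 = A, 16 = B, 24 = C).
    Two addresses per subnet are reserved (subnet address and broadcast).
    Returns dotted masks, fewest subnet bits first."""
    min_subnet_bits = bits_needed(subnets_needed)
    min_host_bits = bits_needed(hosts_per_subnet + 2)
    max_subnet_bits = 32 - network_bits - min_host_bits
    return [
        str(ipaddress.ip_network(f"0.0.0.0/{network_bits + b}").netmask)
        for b in range(min_subnet_bits, max_subnet_bits + 1)
    ]


def cidr_block_to_request(subnets_needed, hosts_per_subnet):
    """Exercise 6: prefix length of the CIDR block to ask for, found by adding
    the subnet bits and host bits you need and subtracting from 32."""
    return 32 - (bits_needed(subnets_needed) + bits_needed(hosts_per_subnet + 2))


def usable_hosts(dotted_mask):
    """Exercise 7: usable host addresses under a mask; 0 means the mask is unusable
    because the host field cannot hold both the subnet and broadcast addresses."""
    host_bits = 32 - ipaddress.ip_network(f"0.0.0.0/{dotted_mask}").prefixlen
    return max(2 ** host_bits - 2, 0)


if __name__ == "__main__":
    print(cidr_block_summary(23))                    # exercise 1
    print(fixed_length_masks(16, 200, 100))          # exercise 2, class B
    print("/%d" % cidr_block_to_request(420, 170))   # exercise 6
    print(usable_hosts("255.255.255.254"))           # exercise 7
```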
Subnetting Tables

Note that these tables comply with RFC.
Class A Subnetting Table

# Subnet Bits   # Subnets    # Host Bits   # Hosts      Mask
1               2            23            8,388,606    255.128.0.0
2               4            22            4,194,302    255.192.0.0
3               8            21            2,097,150    255.224.0.0
4               16           20            1,048,574    255.240.0.0
5               32           19            524,286      255.248.0.0
6               64           18            262,142      255.252.0.0
7               128          17            131,070      255.254.0.0
8               256          16            65,534       255.255.0.0
9               512          15            32,766       255.255.128.0
10              1,024        14            16,382       255.255.192.0
11              2,048        13            8,190        255.255.224.0
12              4,096        12            4,094        255.255.240.0
13              8,192        11            2,046        255.255.248.0
14              16,384       10            1,022        255.255.252.0
15              32,768       9             510          255.255.254.0
16              65,536       8             254          255.255.255.0
17              131,072      7             126          255.255.255.128
18              262,144      6             62           255.255.255.192
19              524,288      5             30           255.255.255.224
20              1,048,576    4             14           255.255.255.240
21              2,097,152    3             6            255.255.255.248
22              4,194,304    2             2            255.255.255.252
Subnet            First Host        Last Host         Subnet Broadcast

1 Bit (255.128.0.0)
N.0.0.0           N.0.0.1           N.127.255.254     N.127.255.255
N.128.0.0         N.128.0.1         N.255.255.254     N.255.255.255

2 Bits (255.192.0.0)
N.0.0.0           N.0.0.1           N.63.255.254      N.63.255.255
N.64.0.0          N.64.0.1          N.127.255.254     N.127.255.255
N.128.0.0         N.128.0.1         N.191.255.254     N.191.255.255
N.192.0.0         N.192.0.1         N.255.255.254     N.255.255.255

3 Bits (255.224.0.0)
N.0.0.0           N.0.0.1           N.31.255.254      N.31.255.255
N.32.0.0          N.32.0.1          N.63.255.254      N.63.255.255
...
N.192.0.0         N.192.0.1         N.223.255.254     N.223.255.255
N.224.0.0         N.224.0.1         N.255.255.254     N.255.255.255

4 Bits (255.240.0.0)
N.0.0.0           N.0.0.1           N.15.255.254      N.15.255.255
N.16.0.0          N.16.0.1          N.31.255.254      N.31.255.255
...
N.224.0.0         N.224.0.1         N.239.255.254     N.239.255.255
N.240.0.0         N.240.0.1         N.255.255.254     N.255.255.255

5 Bits (255.248.0.0)
N.0.0.0           N.0.0.1           N.7.255.254       N.7.255.255
N.8.0.0           N.8.0.1           N.15.255.254      N.15.255.255
...
N.240.0.0         N.240.0.1         N.247.255.254     N.247.255.255
N.248.0.0         N.248.0.1         N.255.255.254     N.255.255.255

6 Bits (255.252.0.0)
N.0.0.0           N.0.0.1           N.3.255.254       N.3.255.255
N.4.0.0           N.4.0.1           N.7.255.254       N.7.255.255
...
N.248.0.0         N.248.0.1         N.251.255.254     N.251.255.255
N.252.0.0         N.252.0.1         N.255.255.254     N.255.255.255

7 Bits (255.254.0.0)
N.0.0.0           N.0.0.1           N.1.255.254       N.1.255.255
N.2.0.0           N.2.0.1           N.3.255.254       N.3.255.255
...
N.252.0.0         N.252.0.1         N.253.255.254     N.253.255.255
N.254.0.0         N.254.0.1         N.255.255.254     N.255.255.255

8 Bits (255.255.0.0)
N.0.0.0           N.0.0.1           N.0.255.254       N.0.255.255
N.1.0.0           N.1.0.1           N.1.255.254       N.1.255.255
...
N.254.0.0         N.254.0.1         N.254.255.254     N.254.255.255
N.255.0.0         N.255.0.1         N.255.255.254     N.255.255.255

9 Bits (255.255.128.0)
N.0.0.0           N.0.0.1           N.0.127.254       N.0.127.255
N.0.128.0         N.0.128.1         N.0.255.254       N.0.255.255
N.1.0.0           N.1.0.1           N.1.127.254       N.1.127.255
N.1.128.0         N.1.128.1         N.1.255.254       N.1.255.255
...
N.255.0.0         N.255.0.1         N.255.127.254     N.255.127.255
N.255.128.0       N.255.128.1       N.255.255.254     N.255.255.255

10 Bits (255.255.192.0)
N.0.0.0           N.0.0.1           N.0.63.254        N.0.63.255
N.0.64.0          N.0.64.1          N.0.127.254       N.0.127.255
N.0.128.0         N.0.128.1         N.0.191.254       N.0.191.255
N.0.192.0         N.0.192.1         N.0.255.254       N.0.255.255
N.1.0.0           N.1.0.1           N.1.63.254        N.1.63.255
N.1.64.0          N.1.64.1          N.1.127.254       N.1.127.255
...
N.255.128.0       N.255.128.1       N.255.191.254     N.255.191.255
N.255.192.0       N.255.192.1       N.255.255.254     N.255.255.255

11 Bits (255.255.224.0)
N.0.0.0           N.0.0.1           N.0.31.254        N.0.31.255
N.0.32.0          N.0.32.1          N.0.63.254        N.0.63.255
N.0.64.0          N.0.64.1          N.0.95.254        N.0.95.255
...
N.255.192.0       N.255.192.1       N.255.223.254     N.255.223.255
N.255.224.0       N.255.224.1       N.255.255.254     N.255.255.255

12 Bits (255.255.240.0)
N.0.0.0           N.0.0.1           N.0.15.254        N.0.15.255
N.0.16.0          N.0.16.1          N.0.31.254        N.0.31.255
N.0.32.0          N.0.32.1          N.0.47.254        N.0.47.255
...
N.255.224.0       N.255.224.1       N.255.239.254     N.255.239.255
N.255.240.0       N.255.240.1       N.255.255.254     N.255.255.255

13 Bits (255.255.248.0)
N.0.0.0           N.0.0.1           N.0.7.254         N.0.7.255
N.0.8.0           N.0.8.1           N.0.15.254        N.0.15.255
N.0.16.0          N.0.16.1          N.0.23.254        N.0.23.255
...
N.255.240.0       N.255.240.1       N.255.247.254     N.255.247.255
N.255.248.0       N.255.248.1       N.255.255.254     N.255.255.255

14 Bits (255.255.252.0)
N.0.0.0           N.0.0.1           N.0.3.254         N.0.3.255
N.0.4.0           N.0.4.1           N.0.7.254         N.0.7.255
N.0.8.0           N.0.8.1           N.0.11.254        N.0.11.255
...
N.255.248.0       N.255.248.1       N.255.251.254     N.255.251.255
N.255.252.0       N.255.252.1       N.255.255.254     N.255.255.255

15 Bits (255.255.254.0)
N.0.0.0           N.0.0.1           N.0.1.254         N.0.1.255
N.0.2.0           N.0.2.1           N.0.3.254         N.0.3.255
N.0.4.0           N.0.4.1           N.0.5.254         N.0.5.255
...
N.255.252.0       N.255.252.1       N.255.253.254     N.255.253.255
N.255.254.0       N.255.254.1       N.255.255.254     N.255.255.255

16 Bits (255.255.255.0)
N.0.0.0           N.0.0.1           N.0.0.254         N.0.0.255
N.0.1.0           N.0.1.1           N.0.1.254         N.0.1.255
N.0.2.0           N.0.2.1           N.0.2.254         N.0.2.255
...
N.255.254.0       N.255.254.1       N.255.254.254     N.255.254.255
N.255.255.0       N.255.255.1       N.255.255.254     N.255.255.255

17 Bits (255.255.255.128)
N.0.0.0           N.0.0.1           N.0.0.126         N.0.0.127
N.0.0.128         N.0.0.129         N.0.0.254         N.0.0.255
N.0.1.0           N.0.1.1           N.0.1.126         N.0.1.127
N.0.1.128         N.0.1.129         N.0.1.254         N.0.1.255
...
N.255.255.0       N.255.255.1       N.255.255.126     N.255.255.127
N.255.255.128     N.255.255.129     N.255.255.254     N.255.255.255

18 Bits (255.255.255.192)
N.0.0.0           N.0.0.1           N.0.0.62          N.0.0.63
N.0.0.64          N.0.0.65          N.0.0.126         N.0.0.127
N.0.0.128         N.0.0.129         N.0.0.190         N.0.0.191
N.0.0.192         N.0.0.193         N.0.0.254         N.0.0.255
N.0.1.0           N.0.1.1           N.0.1.62          N.0.1.63
...
N.255.255.128     N.255.255.129     N.255.255.190     N.255.255.191
N.255.255.192     N.255.255.193     N.255.255.254     N.255.255.255

19 Bits (255.255.255.224)
N.0.0.0           N.0.0.1           N.0.0.30          N.0.0.31
N.0.0.32          N.0.0.33          N.0.0.62          N.0.0.63
N.0.0.64          N.0.0.65          N.0.0.94          N.0.0.95
N.0.0.96          N.0.0.97          N.0.0.126         N.0.0.127
...
N.255.255.192     N.255.255.193     N.255.255.222     N.255.255.223
N.255.255.224     N.255.255.225     N.255.255.254     N.255.255.255

20 Bits (255.255.255.240)
N.0.0.0           N.0.0.1           N.0.0.14          N.0.0.15
N.0.0.16          N.0.0.17          N.0.0.30          N.0.0.31
N.0.0.32          N.0.0.33          N.0.0.46          N.0.0.47
...
N.255.255.224     N.255.255.225     N.255.255.238     N.255.255.239
N.255.255.240     N.255.255.241     N.255.255.254     N.255.255.255

21 Bits (255.255.255.248)
N.0.0.0           N.0.0.1           N.0.0.6           N.0.0.7
N.0.0.8           N.0.0.9           N.0.0.14          N.0.0.15
N.0.0.16          N.0.0.17          N.0.0.22          N.0.0.23
...
N.255.255.240     N.255.255.241     N.255.255.246     N.255.255.247
N.255.255.248     N.255.255.249     N.255.255.254     N.255.255.255

22 Bits (255.255.255.252)
N.0.0.0           N.0.0.1           N.0.0.2           N.0.0.3
N.0.0.4           N.0.0.5           N.0.0.6           N.0.0.7
N.0.0.8           N.0.0.9           N.0.0.10          N.0.0.11
...
N.255.255.248     N.255.255.249     N.255.255.250     N.255.255.251
N.255.255.252     N.255.255.253     N.255.255.254     N.255.255.255
Class B Subnetting Table

# Subnet Bits   # Subnets    # Host Bits   # Hosts      Mask
1               2            15            32,766       255.255.128.0
2               4            14            16,382       255.255.192.0
3               8            13            8,190        255.255.224.0
4               16           12            4,094        255.255.240.0
5               32           11            2,046        255.255.248.0
6               64           10            1,022        255.255.252.0
7               128          9             510          255.255.254.0
8               256          8             254          255.255.255.0
9               512          7             126          255.255.255.128
10              1,024        6             62           255.255.255.192
11              2,048        5             30           255.255.255.224
12              4,096        4             14           255.255.255.240
13              8,192        3             6            255.255.255.248
14              16,384       2             2            255.255.255.252
Subnet            First Host        Last Host         Subnet Broadcast

1 Bit (255.255.128.0)
N.N.0.0           N.N.0.1           N.N.127.254       N.N.127.255
N.N.128.0         N.N.128.1         N.N.255.254       N.N.255.255

2 Bits (255.255.192.0)
N.N.0.0           N.N.0.1           N.N.63.254        N.N.63.255
N.N.64.0          N.N.64.1          N.N.127.254       N.N.127.255
N.N.128.0         N.N.128.1         N.N.191.254       N.N.191.255
N.N.192.0         N.N.192.1         N.N.255.254       N.N.255.255

3 Bits (255.255.224.0)
N.N.0.0           N.N.0.1           N.N.31.254        N.N.31.255
N.N.32.0          N.N.32.1          N.N.63.254        N.N.63.255
N.N.64.0          N.N.64.1          N.N.95.254        N.N.95.255
...
N.N.192.0         N.N.192.1         N.N.223.254       N.N.223.255
N.N.224.0         N.N.224.1         N.N.255.254       N.N.255.255

4 Bits (255.255.240.0)
N.N.0.0           N.N.0.1           N.N.15.254        N.N.15.255
N.N.16.0          N.N.16.1          N.N.31.254        N.N.31.255
N.N.32.0          N.N.32.1          N.N.47.254        N.N.47.255
...
N.N.224.0         N.N.224.1         N.N.239.254       N.N.239.255
N.N.240.0         N.N.240.1         N.N.255.254       N.N.255.255

5 Bits (255.255.248.0)
N.N.0.0           N.N.0.1           N.N.7.254         N.N.7.255
N.N.8.0           N.N.8.1           N.N.15.254        N.N.15.255
N.N.16.0          N.N.16.1          N.N.23.254        N.N.23.255
...
N.N.240.0         N.N.240.1         N.N.247.254       N.N.247.255
N.N.248.0         N.N.248.1         N.N.255.254       N.N.255.255

6 Bits (255.255.252.0)
N.N.0.0           N.N.0.1           N.N.3.254         N.N.3.255
N.N.4.0           N.N.4.1           N.N.7.254         N.N.7.255
N.N.8.0           N.N.8.1           N.N.11.254        N.N.11.255
...
N.N.248.0         N.N.248.1         N.N.251.254       N.N.251.255
N.N.252.0         N.N.252.1         N.N.255.254       N.N.255.255

7 Bits (255.255.254.0)
N.N.0.0           N.N.0.1           N.N.1.254         N.N.1.255
N.N.2.0           N.N.2.1           N.N.3.254         N.N.3.255
N.N.4.0           N.N.4.1           N.N.5.254         N.N.5.255
...
N.N.252.0         N.N.252.1         N.N.253.254       N.N.253.255
N.N.254.0         N.N.254.1         N.N.255.254       N.N.255.255

8 Bits (255.255.255.0)
N.N.0.0           N.N.0.1           N.N.0.254         N.N.0.255
N.N.1.0           N.N.1.1           N.N.1.254         N.N.1.255
N.N.2.0           N.N.2.1           N.N.2.254         N.N.2.255
...
N.N.254.0         N.N.254.1         N.N.254.254       N.N.254.255
N.N.255.0         N.N.255.1         N.N.255.254       N.N.255.255

9 Bits (255.255.255.128)
N.N.0.0           N.N.0.1           N.N.0.126         N.N.0.127
N.N.0.128         N.N.0.129         N.N.0.254         N.N.0.255
N.N.1.0           N.N.1.1           N.N.1.126         N.N.1.127
N.N.1.128         N.N.1.129         N.N.1.254         N.N.1.255
...
N.N.255.0         N.N.255.1         N.N.255.126       N.N.255.127
N.N.255.128       N.N.255.129       N.N.255.254       N.N.255.255

10 Bits (255.255.255.192)
N.N.0.0           N.N.0.1           N.N.0.62          N.N.0.63
N.N.0.64          N.N.0.65          N.N.0.126         N.N.0.127
N.N.0.128         N.N.0.129         N.N.0.190         N.N.0.191
N.N.0.192         N.N.0.193         N.N.0.254         N.N.0.255
N.N.1.0           N.N.1.1           N.N.1.62          N.N.1.63
...
N.N.255.128       N.N.255.129       N.N.255.190       N.N.255.191
N.N.255.192       N.N.255.193       N.N.255.254       N.N.255.255

11 Bits (255.255.255.224)
N.N.0.0           N.N.0.1           N.N.0.30          N.N.0.31
N.N.0.32          N.N.0.33          N.N.0.62          N.N.0.63
N.N.0.64          N.N.0.65          N.N.0.94          N.N.0.95
...
N.N.255.192       N.N.255.193       N.N.255.222       N.N.255.223
N.N.255.224       N.N.255.225       N.N.255.254       N.N.255.255

12 Bits (255.255.255.240)
N.N.0.0           N.N.0.1           N.N.0.14          N.N.0.15
N.N.0.16          N.N.0.17          N.N.0.30          N.N.0.31
N.N.0.32          N.N.0.33          N.N.0.46          N.N.0.47
...
N.N.255.224       N.N.255.225       N.N.255.238       N.N.255.239
N.N.255.240       N.N.255.241       N.N.255.254       N.N.255.255

13 Bits (255.255.255.248)
N.N.0.0           N.N.0.1           N.N.0.6           N.N.0.7
N.N.0.8           N.N.0.9           N.N.0.14          N.N.0.15
N.N.0.16          N.N.0.17          N.N.0.22          N.N.0.23
...
N.N.255.240       N.N.255.241       N.N.255.246       N.N.255.247
N.N.255.248       N.N.255.249       N.N.255.254       N.N.255.255

14 Bits (255.255.255.252)
N.N.0.0           N.N.0.1           N.N.0.2           N.N.0.3
N.N.0.4           N.N.0.5           N.N.0.6           N.N.0.7
N.N.0.8           N.N.0.9           N.N.0.10          N.N.0.11
...
N.N.255.248       N.N.255.249       N.N.255.250       N.N.255.251
N.N.255.252       N.N.255.253       N.N.255.254       N.N.255.255
Class C Subnetting Table

# Subnet Bits   # Subnets    # Host Bits   # Hosts      Mask
1               2            7             126          255.255.255.128
2               4            6             62           255.255.255.192
3               8            5             30           255.255.255.224
4               16           4             14           255.255.255.240
5               32           3             6            255.255.255.248
6               64           2             2            255.255.255.252
Subnet            First Host        Last Host         Subnet Broadcast

1 Bit (255.255.255.128)
N.N.N.0           N.N.N.1           N.N.N.126         N.N.N.127
N.N.N.128         N.N.N.129         N.N.N.254         N.N.N.255

2 Bits (255.255.255.192)
N.N.N.0           N.N.N.1           N.N.N.62          N.N.N.63
N.N.N.64          N.N.N.65          N.N.N.126         N.N.N.127
N.N.N.128         N.N.N.129         N.N.N.190         N.N.N.191
N.N.N.192         N.N.N.193         N.N.N.254         N.N.N.255

3 Bits (255.255.255.224)
N.N.N.0           N.N.N.1           N.N.N.30          N.N.N.31
N.N.N.32          N.N.N.33          N.N.N.62          N.N.N.63
N.N.N.64          N.N.N.65          N.N.N.94          N.N.N.95
N.N.N.96          N.N.N.97          N.N.N.126         N.N.N.127
N.N.N.128         N.N.N.129         N.N.N.158         N.N.N.159
N.N.N.160         N.N.N.161         N.N.N.190         N.N.N.191
N.N.N.192         N.N.N.193         N.N.N.222         N.N.N.223
N.N.N.224         N.N.N.225         N.N.N.254         N.N.N.255

4 Bits (255.255.255.240)
N.N.N.0           N.N.N.1           N.N.N.14          N.N.N.15
N.N.N.16          N.N.N.17          N.N.N.30          N.N.N.31
N.N.N.32          N.N.N.33          N.N.N.46          N.N.N.47
...
N.N.N.224         N.N.N.225         N.N.N.238         N.N.N.239
N.N.N.240         N.N.N.241         N.N.N.254         N.N.N.255

5 Bits (255.255.255.248)
N.N.N.0           N.N.N.1           N.N.N.6           N.N.N.7
N.N.N.8           N.N.N.9           N.N.N.14          N.N.N.15
N.N.N.16          N.N.N.17          N.N.N.22          N.N.N.23
...
N.N.N.240         N.N.N.241         N.N.N.246         N.N.N.247
N.N.N.248         N.N.N.249         N.N.N.254         N.N.N.255

6 Bits (255.255.255.252)
N.N.N.0           N.N.N.1           N.N.N.2           N.N.N.3
N.N.N.4           N.N.N.5           N.N.N.6           N.N.N.7
N.N.N.8           N.N.N.9           N.N.N.10          N.N.N.11
...
N.N.N.248         N.N.N.249         N.N.N.250         N.N.N.251
N.N.N.252         N.N.N.253         N.N.N.254         N.N.N.255
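Every entry in the summary and range tables above follows two rules: with s subnet bits, a class whose network field is n bits wide yields 2^s subnets of 2^(32-n-s) addresses, two of which are reserved. The Python below (added for this edit, not the book's own material) regenerates any row of either table for any class and bit count, and reproduces the excerpt layout (first rows, "...", last rows) used above; 172.16.0.0, 10.0.0.0 and 192.168.5.0 are constructed sample networks, and the excerpt for 7 subnet bits in a class B also answers exercise 5.

```python
import ipaddress

# Width of the network field for each traditional class.
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def summary_row(net_class, subnet_bits):
    """One row of the Class A/B/C Subnetting Table:
    (# subnets, # host bits, # usable hosts, dotted mask)."""
    prefix = CLASS_NETWORK_BITS[net_class] + subnet_bits
    host_bits = 32 - prefix
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    return (2 ** subnet_bits, host_bits, 2 ** host_bits - 2, mask)


def subnet_count(subnet_bits):
    """Number of subnets produced by `subnet_bits`, all-zeros and all-ones included."""
    return 2 ** subnet_bits


def subnet_row(network, subnet_bits, index):
    """Row `index` (0-based) of the range table for `network` split with
    `subnet_bits` extra mask bits: (subnet, first host, last host, broadcast).
    Computed arithmetically, so the last row of a class A split into /30s
    costs the same as row 0. Index 0 is the all-zeros subnet and the last
    index is the all-ones subnet, exactly as the tables list them."""
    base = ipaddress.ip_network(network)
    size = base.num_addresses >> subnet_bits      # addresses per subnet
    start = base.network_address + index * size
    return (str(start), str(start + 1), str(start + size - 2), str(start + size - 1))


def table_excerpt(network, subnet_bits, head=3, tail=2):
    """The first `head` and last `tail` rows with "..." between them when rows
    were skipped, mirroring the layout of the printed tables."""
    total = subnet_count(subnet_bits)
    if total <= head + tail:
        return [subnet_row(network, subnet_bits, i) for i in range(total)]
    first = [subnet_row(network, subnet_bits, i) for i in range(head)]
    last = [subnet_row(network, subnet_bits, i) for i in range(total - tail, total)]
    return first + ["..."] + last


if __name__ == "__main__":
    # Exercise 5: a class B network (172.16.0.0 here) with mask 255.255.254.0, i.e. 7 subnet bits.
    print(subnet_count(7), "subnets")
    for row in table_excerpt("172.16.0.0/16", 7):
        print(row)
```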
Subnet Assignment Worksheet
Chapter 3: Private Addressing and Subnetting Large Networks
Introduction

You've heard it said: "We're running out of IP addresses!" Really? In the IP (version 4) architecture, we use 32-bit address fields. With 32 bits in our addresses, there are 2^32 unique addresses available. That's over four billion addresses! We know that the Internet has experienced exponential growth over the last few years, but even with continued growth, it's unlikely that we'll see anywhere near four billion machines on the Internet any time soon.

So where's the problem? The problem exists in the granularity of address allocation. Prior to Classless Inter-Domain Routing (CIDR), addresses were allocated in classful blocks. That is, if you needed more addresses than a class C network provided, you got a class B network address; if you needed more than a class B provided, you got a class A network address. Those were the only three choices. (Not many organizations actually got class A addresses, of course.) Although there are indeed over 4 billion unique IP addresses available with the current version of IP, the number of unique network numbers is much less. In fact, there are only 126 class A networks, about 16,000 class B networks, and about 2 million class C networks. This design has led to widespread waste of globally-unique IP addresses.
Strategies to Conserve Addresses

In the 1970s, the architects of the Internet envisioned an internetwork with dozens of networks and hundreds of nodes. They developed a design where any node on the internetwork was reachable by any other node. Back then, no one could have guessed the effect new applications like the World Wide Web and vastly increased bandwidth would have on the number of people interested in participating in "the Net." On the Internet today, there are tens of thousands of networks and millions of nodes. Unfortunately, the original design has not scaled well. The increased number of networks joining the Internet has strained router technology, and the sheer number of participants has strained the limits of IP addressing as it was originally designed. Some compromises had to be made to allow the Internet to continue its growth.

Several strategies have been developed and implemented to help the Internet community cope with its growing pains. They help reduce the load on the Internet routers and help us use globally-unique IP addresses more efficiently. These strategies include:

- CIDR
- Variable-Length Subnet Masking (VLSM)
- Private Addressing
CIDR

Classless Inter-Domain Routing (CIDR), specified in RFCs 1517, 1518, and 1519, was introduced in September 1993 as a way to reduce router table growth. As a side effect, it has helped reduce the waste of IP addresses by reducing the granularity of allocation. Now, instead of full class A, B, or C networks, organizations can be allocated any number of addresses. (Normally, addresses are allocated in even powers of two to allow CIDR to realize its maximum benefit, but in reality, any number of addresses can be allocated.) For example, if you needed 3,000 addresses for your network, a single class C network (256 addresses) would be insufficient. If, however, you were assigned a class B network (65,536 addresses), there would be over 62,000 addresses wasted! With CIDR, you can be allocated a block of 4,096 addresses, equivalent to 16 class C networks (a /20 in CIDR notation). This block of addresses will cover your addressing needs now, allow room for growth, and use global addresses efficiently. CIDR is covered in Chapter 6.
VLSM

Variable-Length Subnet Mask (VLSM) is a technique used to conserve IP addresses by tailoring the mask to each subnet. Subnets that need many addresses will use a mask that provides many addresses. Those that need fewer addresses will use a different mask. The idea is to assign "just the right amount" of addresses to each subnet. Many organizations have point-to-point WAN links. Normally, these links comprise a subnet with only two addresses required. Our subnetting tables given in Chapter 2 tell us that 255.255.255.252 is the appropriate mask to use for those subnets. But that mask would never do for a typical LAN where there are dozens (if not hundreds) of hosts in a subnet. By using a routing protocol that supports VLSM, we can use a block of addresses much more efficiently. VLSM is explained in more detail in Chapter 5.
Private Addresses

By far, the most effective strategy for conserving globally-unique (public) IP addresses involves not using any at all! If your enterprise network will be using TCP/IP protocols, but will not be communicating with hosts on the global Internet, you don't need to use public IP addresses. The Internet Protocol simply requires that all hosts in the interconnected network have unique addresses. If the internetwork is limited to your organization, then the IP addresses need only be unique within your organization. Today, many (if not most) organizations want to have at least some ability to communicate over the Internet. Does that mean these organizations must use public addresses? Yes, it does, but it does not mean that all of the devices in that network must have public addresses. Such networks can still use private addresses and a technique called Network Address Translation (NAT) to convert those private (inside) addresses to public (outside) addresses. NAT is discussed in Chapter 4.
Addressing Economics

IPv6 is fixing the problem of the limited address space of IPv4. Until IPv6 is fully deployed, we must make use of the IP addressing system we have. Sometimes, the networks we must support are not IP-address friendly. For example, consider the sample network in Figure 3.1.

Figure 3.1 A sample network.

In the network shown in Figure 3.1, we have multiple LANs at the headquarters location and several branch offices that each have one LAN. The headquarters router is acting as a "collapsed backbone," connecting all the headquarters LANs and, via leased lines, the branch office routers. The organization has been assigned class B address 172.16.0.0, which provides 65,536 unique addresses.
As we mentioned in Chapter 2, the serial links connecting routers need their own IP addresses. In a point-to-point network such as the dedicated leased lines shown in Figure 3.1, each of the links is an individual subnet.

Table 3.1 lists the various subnets and the addressing requirements for each.
Table 3.1 Sample Network Addressing Needs

Location        # Subnets   # Hosts
Headquarters    1           50
                1           110
                1           190
                1           150
                1           150
Branches        60          30
WAN Links       60          2
In this example, the network is using RIP (version 1) as the routing protocol, so each subnet must use the same mask. Using guidelines discussed in Chapter 2, we identify the largest subnet in our network. One of the subnets at the Headquarters location needs 190 addresses. Consulting the tables in Chapter 2, we see that 255.255.255.0 is the most appropriate mask to use because it provides 254 unique addresses in each subnet. Table 3.2 shows just how inefficient it can be to use a single, fixed mask for all subnets.
Table 3.2 Sample Network Address Analysis

Location        # Subnets   Interfaces   Subnet Unused   Total Unused
Headquarters    1           50           204             204
                1           110          144             144
                1           190          64              64
                1           150          104             104
                1           150          104             104
Branches        60          30           224             13,440
WAN Links       60          2            252             15,120
The Headquarters subnets are sized appropriately, even allowing for some growth. The branch office subnets provide many more addresses than will actually be used. The biggest waste occurs in the WAN links. Since the sample network is using point-to-point links between headquarters and the branches, we will never need more than two addresses in each subnet. If you add up the numbers, there are a total of 2,570 addresses needed, but we are allocating 125 subnets with 254 addresses each for a total of 31,750 addresses. As you can see, we're not using our class B network address very efficiently.

The situation is even worse than it first appears. We see there are over 29,000 unused addresses in the subnets we are using; we're only using 125 of the possible 256 subnets available. If you include the other 131 subnets with 254 possible addresses each, we have a grand total of 62,454 unused addresses. In other words, we're using just under 4 percent of the total addresses provided by our class B network number. This inefficient use of addresses is one of the main causes of IP address exhaustion. If we could use VLSM, the subnets would be sized more appropriately, but the larger problem remains. We would still be using only about 4 percent of our total class B space.
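To make the arithmetic behind Tables 3.1 and 3.2 reproducible, here is Python (added for this edit, not from the book) that recomputes the fixed-mask analysis and then sizes the same subnets with VLSM, showing why the class B block stays only about 4 percent used either way; the NEEDS list is constructed from Table 3.1.

```python
# Constructed from Table 3.1: (location, number of subnets, interfaces per subnet).
NEEDS = [
    ("Headquarters", 1, 50),
    ("Headquarters", 1, 110),
    ("Headquarters", 1, 190),
    ("Headquarters", 1, 150),
    ("Headquarters", 1, 150),
    ("Branches", 60, 30),
    ("WAN Links", 60, 2),
]
CLASS_B_ADDRESSES = 65_536


def analyze_fixed_mask(needs, subnet_size=256):
    """Table 3.2 with one mask for every subnet. subnet_size=256 is 255.255.255.0,
    which leaves 254 usable addresses per subnet."""
    usable = subnet_size - 2
    rows = []
    needed = subnets_used = unused_in_used = 0
    for location, count, hosts in needs:
        per_subnet_unused = usable - hosts
        rows.append((location, count, hosts, per_subnet_unused, per_subnet_unused * count))
        needed += hosts * count
        subnets_used += count
        unused_in_used += per_subnet_unused * count
    possible_subnets = CLASS_B_ADDRESSES // subnet_size
    # Unused addresses inside the subnets we use, plus every usable address in
    # the subnets we never allocate at all.
    unused_total = unused_in_used + (possible_subnets - subnets_used) * usable
    return {
        "rows": rows,
        "total_needed": needed,
        "subnets_used": subnets_used,
        "allocated": subnets_used * usable,
        "unused_in_used_subnets": unused_in_used,
        "unused_total": unused_total,
        "percent_used": 100.0 * needed / CLASS_B_ADDRESSES,
    }


def smallest_block(hosts):
    """Smallest power-of-two subnet with room for `hosts` plus the subnet and
    broadcast addresses; a /30 (4 addresses) is the minimum."""
    size = 4
    while size - 2 < hosts:
        size *= 2
    return size


def analyze_vlsm(needs):
    """The same subnets sized individually. The allocation shrinks dramatically,
    but the share of the class B block actually in use does not change."""
    needed = sum(hosts * count for _, count, hosts in needs)
    allocated = sum(smallest_block(hosts) * count for _, count, hosts in needs)
    return {
        "total_needed": needed,
        "allocated": allocated,
        "unused_in_allocated": allocated - needed,
        "percent_used": 100.0 * needed / CLASS_B_ADDRESSES,
    }


if __name__ == "__main__":
    fixed = analyze_fixed_mask(NEEDS)
    for row in fixed["rows"]:
        print("%-13s %3d subnets x %3d interfaces: %3d unused each, %6d total" % row)
    print("fixed mask: needed %d, allocated %d, unused %d, %.1f%% of the class B used"
          % (fixed["total_needed"], fixed["allocated"], fixed["unused_total"], fixed["percent_used"]))
    vlsm = analyze_vlsm(NEEDS)
    print("with VLSM:  allocated %d, %.1f%% of the class B used"
          % (vlsm["allocated"], vlsm["percent_used"]))
```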
An Appeal

RFC 1917, published in February 1996, is titled "An Appeal to the Internet Community to Return Unused IP Networks to the IANA." It cites the growing problem of IP address exhaustion and asks administrators to be good "netizens" and return blocks of IP addresses to the Internet Assigned Numbers Authority for reallocation. It suggests three alternatives:

- If you aren't going to connect to the public Internet, you don't need globally-unique addresses. Use private addresses instead.
- If you have a portable block of addresses, return the block to the IANA and use addresses supplied by your upstream Internet Service Provider.
- If you have a large block of public addresses, but only need a small portion of them, return the large block to IANA and request a smaller block of addresses. This would be the appropriate action for our example network considered earlier.
Public vs Private Address Spaces

The Internet Protocol requires that each interface on a network has a unique address. If the scope of your network is global, then the addresses must be globally-unique. Such is the case with the Internet. Since global uniqueness must be assured, a centralized authority must be responsible for making sure IP address assignments are made correctly and fairly. For the last few years, this has been the function of the IANA. The Internet has been rapidly expanding in both number of connected networks and number of new applications. The 1990s have seen both the commercialization and the internationalization of the Internet. To meet the demands of a growing Internet community, the IANA is being replaced by the Internet Corporation for Assigned Names and Numbers (ICANN).
If an organization wants to use IP protocols and applications in its network, but has no intention of connecting its network to the global Internet, the IP addresses it uses need not be globally-unique. A network of this type is called a private network, and the addresses used are called private addresses.
Can I Pick My Own?

If you are deploying IP on a private network, you can use any IP addresses you wish, as long as you adhere to the normal IP addressing rules. Before you go crazy and use an entire class A address for each subnet, consider the following possibilities:

1. Most organizations will eventually choose to implement some kind of connection to the Internet, if for no other reason than to exchange e-mail.
2. There may be a merger or acquisition in your future that might require joining your network to one or more other networks.

As an example, suppose you needed a class C address for a small network that will not be connected to the Internet (see Figure 3.2). You chose to use 207.46.130.0 as your network address and configured all your devices accordingly. As soon as you finish getting everything set up, your boss decides to implement Internet e-mail. You consult your friendly neighborhood ISP, who tells you not to worry. They can use a trick called Network Address Translation (see Chapter 4) that will allow you to keep using your addresses and give you access to the Internet. Great! Everything works just fine except for one thing: you can't access www.microsoft.com.
Figure 3.2 The danger of picking your own addresses. [Diagram: your network, your ISP (using NAT), Microsoft www.microsoft.com]
The class C address 207.46.130.0 has been officially assigned to Microsoft, which uses it in its Web server farm. When you try to access the Microsoft Web site, the DNS (Domain Name System) resolves the name to IP address 207.46.130.14. When your browser sends an HTTP request to the target address, the IP software thinks (rightly so) that the address is inside your network and does not forward it to the router. The lesson here is that there is a risk in dreaming up your own IP addresses, even if you never intend to connect to the global Internet.
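The failure just described is the host's own forwarding decision: a destination that falls inside the locally configured subnet is delivered on the link and never sent to the router. This Python (added for this edit, not the book's code) reproduces that decision for the self-chosen 207.46.130.0 network and for a constructed alternative, 192.168.1.0/24, using the 207.46.130.14 resolution the text gives; the host addresses .10 and the gateway addresses .1 are assumptions.

```python
import ipaddress


def is_on_link(local_interface, destination):
    """True if `destination` lies inside the subnet configured on the host's own
    interface (`local_interface` is address/mask, e.g. "207.46.130.10/24")."""
    iface = ipaddress.ip_interface(local_interface)
    return ipaddress.ip_address(destination) in iface.network


def next_hop(local_interface, default_gateway, destination):
    """What a host does with a packet for `destination`: ("on-link", destination)
    when it will ARP for the address on its own LAN, so the router and any NAT
    behind it never see the packet, or ("via-gateway", gateway) otherwise."""
    if is_on_link(local_interface, destination):
        return ("on-link", destination)
    return ("via-gateway", default_gateway)


def unreachable_public_hosts(local_interface, public_addresses):
    """Public addresses the host will wrongly treat as local: these are the
    hosts that become unreachable once a network picks an address block that
    is officially assigned to someone else."""
    return [a for a in public_addresses if is_on_link(local_interface, a)]


# From the text: DNS resolves www.microsoft.com to 207.46.130.14.
MICROSOFT_WEB = "207.46.130.14"

if __name__ == "__main__":
    # The self-chosen class C from the example: the request never leaves the LAN.
    print(next_hop("207.46.130.10/24", "207.46.130.1", MICROSOFT_WEB))
    # Constructed alternative using an RFC 1918 block: the request goes to the gateway.
    print(next_hop("192.168.1.10/24", "192.168.1.1", MICROSOFT_WEB))
```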
RFC 1918 Private Network Addresses

In the midst of the explosive Internet growth in the early 1990s, RFC 1597 suggested a way to help conserve globally-unique IP addresses. The idea was to set aside three blocks of addresses that would never be officially allocated to any organization. These blocks could then be used in any and every private network without fear of duplicating any officially assigned IP addresses in other organizations.

In February 1996, RFC 1597 was updated and made obsolete by RFC 1918, and was assigned the "Best Current Practice" status.
The Three-Address Blocks

RFC 1918 designates three ranges of IP addresses as private:

- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255

The first of these address blocks is equivalent to a traditional class A address. In CIDR notation, it would be 10.0.0.0/8. RFC 1918 calls it a 24-bit block of addresses because only 8 of the 32 bits are fixed; the other 24 bits are available for local administration. Either way, the range contains 16,777,216 unique addresses, enough to supply even the largest networks. The second block is called a 20-bit block and is equivalent to 16 traditional class B networks, or a /12 block in CIDR terminology. This block contains 1,048,576 addresses.
Finally, the third block is known as a 16-bit block and is equivalent to 256 class C networks. This 16-bit prefix supplies 65,536 different IP addresses. Table 3.3 summarizes the private address blocks defined by RFC 1918.
Table 3.3 Private IP Address Blocks

Address Block                | Classful Equivalent                     | Prefix Length | Number of Addresses
10.0.0.0-10.255.255.255      | 1 class A, 256 class B, 65,536 class C  | /8            | 16,777,216
172.16.0.0-172.31.255.255    | 16 class B, 4,096 class C               | /12           | 1,048,576
192.168.0.0-192.168.255.255  | 1 class B, 256 class C                  | /16           | 65,536
Considerations
Anyone can use any of the address blocks in Table 3.3 in any network at any time. The main thing to remember is that devices using these addresses will not be able to communicate with other hosts on the Internet without some kind of address translation. Here are some things to think about when deciding to use private addressing in your network:
Number of addresses. One of the main benefits of using private addresses is that you have plenty to work with. Since you are not using globally-unique addresses (a scarce resource), you don't need to be conservative. In the example network shown in Figure 3.1, you could use an entire class B equivalent address block without feeling guilty. Even though you would be using only 4 percent of the available addresses, you are not hoarding a valuable commodity.
Security. Using private addresses can also enhance the security of your network. Even if part of your network is connected to the Internet, no one outside your network will be able to reach your devices. Likewise, no one from inside your network will be able to reach hosts on the Internet. RFC 1918 specifies that: "...routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links. Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks."
Limited scope. The reason you have all these addresses available is that your network will not be connected to the global Internet. If, later, you wish to communicate over the Internet, you must obtain official (globally-unique and routable) addresses and either renumber your devices or use NAT.
Renumbering. Anytime you switch to or from private addressing, you will need to renumber (change the IP address of) all your IP devices. Many organizations are setting up their user workstations to obtain IP addresses automatically when booting up rather than assigning a fixed IP address to the workstations. This facility requires that at least one Dynamic Host Configuration Protocol (DHCP) server be set up for the organization. DHCP is described in RFC 2131 and discussed in more detail in Chapter 7.
Joining Networks. If you join your network with another that has used private addressing, you may find that some devices have conflicting addresses. For example, let's say you chose to use the 24-bit block of private addresses (network 10). You assigned the address 10.0.0.1 to the first router on the first subnet. Now you merge with another organization and must join your networks. Unfortunately, the administrator of the other network chose to assign address 10.0.0.1 to one of its routers. According to IP addressing rules, both devices cannot use the same address. Further, the two routers are probably on different subnets, so not only do you have to assign a different address to the router, you must assign different subnet addresses as well. Again, the solutions include renumbering and NAT.
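The block boundaries of Table 3.3 and the RFC 1918 filtering rule quoted under Security, as an added Python example (written for this chapter, not code from the book). It uses the standard ipaddress module; the flow records are constructed sample data, with public addresses taken from the TEST-NET documentation ranges, and the interface names "ext" and "int" are assumptions.

```python
import ipaddress

# The three RFC 1918 blocks of Table 3.3, named the way the RFC names them.
RFC1918_BLOCKS = {
    "24-bit block": ipaddress.IPv4Network("10.0.0.0/8"),
    "20-bit block": ipaddress.IPv4Network("172.16.0.0/12"),
    "16-bit block": ipaddress.IPv4Network("192.168.0.0/16"),
}


def private_block(addr):
    """Return (name, network) of the RFC 1918 block containing addr, or None."""
    a = ipaddress.IPv4Address(addr)
    for name, net in RFC1918_BLOCKS.items():
        if a in net:
            return name, net
    return None


def block_summary(net):
    """The Table 3.3 figures for one block, derived from its prefix length."""
    return {
        "prefix": f"/{net.prefixlen}",
        "free_bits": 32 - net.prefixlen,          # bits left for local administration
        "addresses": net.num_addresses,
        "class_c_equivalents": net.num_addresses // 256,
    }


# Constructed flow records as an edge router might log them:
# (interface, source, destination). "ext" is the inter-enterprise (ISP) link.
SAMPLE_FLOWS = [
    ("ext", "192.0.2.10", "203.0.113.5"),    # public to public: allowed
    ("ext", "10.0.0.1", "203.0.113.5"),      # private source leaking onto the ISP link
    ("ext", "198.51.100.7", "172.20.4.9"),   # private destination arriving from outside
    ("int", "10.5.17.2", "10.5.255.1"),      # private traffic inside the enterprise: fine
]


def violations(flows):
    """Flows on the inter-enterprise link that carry a private source or destination,
    i.e. the packets RFC 1918 says should not be forwarded across such links."""
    bad = []
    for iface, src, dst in flows:
        if iface != "ext":
            continue
        for role, addr in (("src", src), ("dst", dst)):
            hit = private_block(addr)
            if hit:
                bad.append((src, dst, role, hit[0]))
    return bad


if __name__ == "__main__":
    for name, net in RFC1918_BLOCKS.items():
        print(name, block_summary(net))
    for v in violations(SAMPLE_FLOWS):
        print("should not cross the ISP link:", v)
```

The same check, run against the prefixes a router learns rather than against flow records, is the "reject (filter out) routing information about private networks" half of the RFC's advice.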
Which to Use When
According to RFC 1918: "If a suitable subnetting scheme can be designed and is supported by the equipment concerned, it is advisable to use the 24-bit block (class A network) of private address space and make an addressing plan with a good growth path. If subnetting is a problem, the 16-bit block (class C networks), or the 20-bit block (class B networks) of private address space can be used." The concept of subnetting was introduced into the IP world in August 1985 (RFC 950). Since most IP software modules in use today were developed after that time, they do understand how to do subnetting. So go ahead and use the 10 network for private addressing unless you have good reasons to do otherwise. By using the 24-bit block, you have 24 bits to play with when designing a private addressing scheme.
Strategy for Subnetting a Class A Private Network
When it comes to developing an addressing plan for a private network, the rules are exactly the same as for any other IP network. Our goals for the addressing plan are as follows:

Simplicity. We want the plan to be as simple as possible so that as many people as possible can understand it. When we look at the IP address of a particular device, we should be able to easily deduce what kind of device it is and where it is in our network without having to refer to volumes of documentation.

Ease of Administration. We want the plan to be easy to implement and maintain. The plan should allow room for anticipated growth and, if possible, make room for unanticipated growth or other changes.

Router Efficiency. As nice as it is for the plan to be understandable by the humans that have to maintain it, the routers have to live with the plan every time a packet needs to be forwarded to another subnet. Therefore, the plan should not place a heavy burden on the resources of our routers. Ideally, the plan should build in addressing hierarchies that allow the routing tables to be kept at a relatively small size.

Documentation. We want to be able to describe the plan in a few short statements without a lot of explanations.

Following the guidelines of Chapter 2, we now present an example of a large organization that has decided to implement private IP addressing in its internetwork. The procedure is the same: choose a mask, allocate the subnet bits, and determine the range of addresses for each subnet.
The Network
The network that we'll study here is relatively stable. There are about 3000 retail stores owned by the company and no store has more than 12 IP devices in it. Reports from management consultants indicate that this number should suffice for the medium term. Each store is connected to its regional distribution center via a leased point-to-point line. There are currently 18 regional distribution centers, with each center supporting no more than 200 stores. Distribution centers have two physical networks for administration, and one supporting the warehouse. The largest of the admin LANs has 80 IP devices on it, and the warehouse LAN needs 120 addresses. Each distribution center is connected back to headquarters via two parallel T3 links. The headquarters campus has 14 LANs connected by routers to the corporate backbone network. The largest of the headquarters LANs has 230 IP devices on it. Figure 3.3 shows a high-level overview of the corporate network. We can summarize the addressing needs of the network in Table 3.4.
Table 3.4 Sample Network Addressing Analysis
From the information in Table 3.4 we can obtain the number of subnets needed (7,305) and the number of addresses needed in the largest subnet (230).
Figure 3.3 A large network.
The Strategy
There are many correct solutions to this addressing problem, and arguments can be made for all of them. Since our first goal is simplicity, we'll try to keep the plan as simple as possible. Since all the software we're using understands subnetting, we'll follow the advice given in RFC 1918 and use the 24-bit block, that is, network 10. Now that we know we have 24 bits to work with, how shall we allocate them? We look for clues in the structure of the network we are studying. There seem to be three levels of hierarchy:
- Headquarters
- Distribution Centers
- Stores
Can we somehow fit that hierarchy into our addressing scheme? Before we delve too deeply into this, we need to decide a couple of things. First, will we use fixed- or variable-length subnet masks? Using the "keep it simple" strategy, let's try using the fixed mask approach, since it is easier to design and maintain. Our next step is to decide on a mask to use. Looking at our class A subnetting tables in Chapter 2, we decide on 255.255.255.0. Could we have picked another? Sure, but most people would agree that 255.255.255.0 is the easiest mask to work with. The tables tell us we now have 65,535 subnets to work with, each supplying 254 addresses. This should work nicely. Now we have our IP address structure laid out before us:
- Network ID: 8 bits
- Subnet ID: 16 bits
- Host ID: 8 bits
Sixteen bits is represented in dotted decimal notation as two decimal numbers. Perhaps we can reduce the company network hierarchy to two levels: Region and Store. We can do this if we call the headquarters "Region 0." Using this approach, we can try to make our IP addresses look something like this:

10.R.S.H

where R is the region number, S is the store number, and H is the host ID. If we can make this work, the IP addresses will be almost self-documenting, a very desirable feature indeed.
Address Assignment
Let's get down to business. In Table 3.3 we identified five different subnet groups. Looking at each group, we must decide on what the IP addresses should look like.
Table 3.5 Headquarters Subnets

Description | Address Range
Backbone    | 10.0.0.1-10.0.0.254
LAN 1       | 10.0.1.1-10.0.1.254
LAN 2       | 10.0.2.1-10.0.2.254
...         | ...
LAN 14      | 10.0.14.1-10.0.14.254
The Headquarters LANs
We stated that we should call the headquarters "Region 0." There are 15 LANs in this group. Let's use 10.0.L.0 for this group, where L is 0 for the backbone, and 1-14 for the administrative LANs. The LANs at the headquarters location are summarized in Table 3.5.
The WAN Links from Headquarters to the Distribution Centers
Again, there are a number of ways to assign this group of addresses. Let's use 10.100+R.0.0 and 10.200+R.0.0 for the two WAN links to each regional distribution center. Here, R is the region number. Table 3.6 summarizes these assignments.
Table 3.6 Headquarters WAN Links

Description     | Addresses
HQ to Region 1  | 10.101.0.1 & 10.101.0.2; 10.201.0.1 & 10.201.0.2
HQ to Region 2  | 10.102.0.1 & 10.102.0.2; 10.202.0.1 & 10.202.0.2
...             | ...
HQ to Region 18 | 10.118.0.1 & 10.118.0.2; 10.218.0.1 & 10.218.0.2
The Distribution Center LANs
We don't want to collide with the store LANs here, so we'll start our allocation from the top of the list. The three DC LANs will be addressed using the forms 10.R.255.0, 10.R.254.0, and 10.R.253.0. Table 3.7 shows the plan.
Table 3.7 Distribution Center Subnets
The WAN Links from the DC to the Stores
Following the lead of the HQ-DC links, the link from region R to store S will look like 10.100+R.S.0 (Table 3.8).
Table 3.8 Distribution Center WAN Links
The Store LANs
Finally, we're down to the largest group. Since this is the largest group, we'll make these addresses as straightforward as possible. As we stated earlier, the LAN in store S in region R will have the address 10.R.S.0. Table 3.9 shows some samples of store LAN addresses.
Table 3.9 Store Subnets

Description          | Address Range
Region 1, Store 1    | 10.1.1.1-10.1.1.254
Region 1, Store 2    | 10.1.2.1-10.1.2.254
Region 1, Store 200  | 10.1.200.1-10.1.200.254
Region 6, Store 107  | 10.6.107.1-10.6.107.254
Region 18, Store 5   | 10.18.5.1-10.18.5.254
Results
The plan seems to work. Here again are the goals we established earlier, and some discussion of how well our plan meets the goals.
Simplicity, ease of administration, and documentation. We're using the same netmask (255.255.255.0) in every subnet. We have a single structure for each of the five types of subnets in our network. Because we are using private addressing, we have plenty of addressing space to work with. We have used this space to give our addresses some intelligence. Some noteworthy features of our plan are:
1. Any address with a zero in the second byte refers to a device at the headquarters location.
2. Any address with a three-digit value in the second byte refers to a WAN link between a distribution center and either a store (third byte > 0) or the headquarters location (third byte = 0).
3. All other addresses refer to devices on LANs either in the DC or in a store.
Router Efficiency. Will each router in the company's internetwork need to list all 7305 subnets? We sure hope not! Our addressing scheme needs to allow for route summarization. To take full advantage of route summarization and keep our routing tables down to their absolute minimum size, the structure of our addresses needs to follow exactly the actual hierarchy of physical connections. Unfortunately, this is not the case with the addressing plan we have just developed. Let's look again at the plan in Table 3.10.

Table 3.10 Sample Network Address Structure

Subnet Group      | IP Address Structure
Headquarters LANs | 10.0.1.0-10.0.15.0
HQ-DC links       | 10.100+R.0.0
DC LANs           | 10.R.253.0-10.R.255.0
DC-Store links    | 10.100+R.S.0
Store LANs        | 10.R.S.0
In the ideal case, the corporate router would need to have only 19 entries: one for the corporate backbone, and one for each of the regions. To make that happen, all of the addresses associated with a region would have to share a common prefix. That is, they must all have the first several bits in common. This is not the case in our plan. For example, the distribution LAN in region 5 would have the address 10.5.255.0. The link from that distribution center to store 17 would be 10.105.17.0. The only prefix these two addresses have in common is the network ID (10) itself, not very helpful. Does this mean we have to abandon our plan? No, it doesn't. Although our plan is not ideal for route summarization, it may well be good enough. With some careful configuration of the regional routers, we can represent each region with three entries in the corporate router's table. One entry would represent all of the DC and store LANs, and there would be one entry for each of the WAN links between the corporate router and the DC. The central router would then have less than a hundred entries in its routing table, a very reasonable number. The routers at each distribution center would have an entry for each of the WAN links, store LANs, and DC LANs, totaling a bit over 400 entries. Current router technology is able to handle that number of entries very easily. Given that the routers will not be overwhelmed by the routing table sizes, and given that the addressing plan presented has some desirable features, we will go ahead and deploy the plan as presented.
Summary
The designers of the Internet Protocol never dreamed that there would be millions of hosts on over 100,000 networks participating in the Internet. At the time, a fixed 32-bit address looked like it would be more than enough to serve the addressing needs of the Internet for years to come. And it has. However, as the Internet continues to grow, more and more pressure is being put on the user community to use globally-unique IP addresses efficiently. This pressure has led to policy changes at the Internet Registries and to new techniques to conserve addresses. One of those techniques is to use private addresses, as specified in RFC 1918. There are both benefits and drawbacks to using private addresses.
Q: Can I use VLSM in private networks?
A: Absolutely! There's no harm in using addresses wisely, even if you have a very large supply.
Q: Why is network 10 included in the private address ranges?
A: Class A network 10 was the address used by the old ARPANET, the precursor of today's Internet. Network 10 was decommissioned in the 1980s and we use it today to honor its auspicious beginnings.
Q: Can I use private addresses and public addresses in my network?
A: Yes. Since the public and private addresses use different network prefixes, they will need to be on separate ports of a router. In other words, they would need to be separate subnets of your network. The devices with public addresses will be able to communicate on the Internet; those with private addresses will not.
Q: I've got a network with private addresses. Now I want to connect to the Internet. Can I?
A: Yes, you have two options. First, you can obtain public addresses and renumber your IP devices. Second, you (or your ISP) can implement Network Address Translation (NAT) to translate your private addresses to public addresses. NAT is covered in Chapter 4.
Exercises
1. In our sample network, we were unable to maximize the benefits of route summarization because of the way we allocated the addresses. Without going to variable masks, design an addressing structure for our sample network that is completely hierarchical.
2. Why should ISPs filter out any references to private address blocks?
3. How does CIDR contribute to address allocation efficiency?
Answers
1. Use five or six of the 16 subnet bits to represent the regions. These bits will be the first bits in the subnet field. The remaining ten or eleven bits will represent the subnets in the region. For example, if we used five bits for the region ID and 11 bits for the subnet within the region, we can allocate 32 regions with 2048 subnets in each region. The addresses would line up like this:
   Headquarters: 10.0.0.0 through 10.7.255.255
   Region 1: 10.8.0.0 through 10.15.255.255
   Region 2: 10.16.0.0 through 10.23.255.255, etc.
   This plan would be efficient (from the router's point of view), but not very intuitive.
2. Since private address blocks are not, by definition, globally unique, there may be (and in fact are) many networks using the same addresses. If routing information about those networks or packets containing those addresses were allowed on the Internet, the Internet routers would become confused at best, misrouting packets. At worst, they would become hopelessly congested, causing massive communication failures.
3. By reducing the granularity of address allocation. Prior to CIDR, an organization was allocated 256 addresses (class C), 65,536 addresses (class B), or 16,777,216 addresses (class A). With CIDR, almost any number of addresses can be allocated, reducing the waste associated with the previous scheme.
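The hierarchical layout of answer 1, as an added Python example (not code from the book), generalized to any number of region bits. The function names are ours. It builds the region blocks the answer lists, places numbered /24 subnets inside a region, decodes an address back to (region, subnet index, host), and confirms that all 2048 subnets of a region collapse to the single summary route the exercise asks for.

```python
import ipaddress

REGION_BITS = 5                    # five of the 16 subnet bits name the region
SUBNET_BITS = 16 - REGION_BITS     # the remaining eleven name the subnet in the region


def region_block(region, region_bits=REGION_BITS):
    """The one summary prefix for a region: network 10, then the region bits."""
    if not 0 <= region < 2 ** region_bits:
        raise ValueError("region out of range")
    base = (10 << 24) | (region << (24 - region_bits))
    return ipaddress.IPv4Network((base, 8 + region_bits))


def subnet_in_region(region, index, region_bits=REGION_BITS):
    """The index-th /24 inside a region's block (index 0 is the first)."""
    subnet_bits = 16 - region_bits
    if not 0 <= index < 2 ** subnet_bits:
        raise ValueError("subnet index out of range")
    base = int(region_block(region, region_bits).network_address) | (index << 8)
    return ipaddress.IPv4Network((base, 24))


def decode(addr, region_bits=REGION_BITS):
    """Recover (region, subnet index, host) from an address under this plan."""
    a = int(ipaddress.IPv4Address(addr)) & 0x00FFFFFF   # drop the network ID (10)
    subnet_bits = 16 - region_bits
    region = a >> (24 - region_bits)
    index = (a >> 8) & ((1 << subnet_bits) - 1)
    return region, index, a & 0xFF


def corporate_entries(regions=19):
    """Headquarters (region 0) plus 18 regions: one summary route each."""
    return [region_block(r) for r in range(regions)]


def summarizes_to_one(region):
    """True when every subnet of the region collapses into its single block."""
    subs = [subnet_in_region(region, i) for i in range(2 ** SUBNET_BITS)]
    return list(ipaddress.collapse_addresses(subs)) == [region_block(region)]


if __name__ == "__main__":
    for r in range(3):
        print("region", r, region_block(r))
    print(subnet_in_region(1, 300), decode("10.9.44.7"))
    print(len(corporate_entries()), "corporate router entries; region 1 summarizes:",
          summarizes_to_one(1))
```

Changing REGION_BITS to 6 gives the 64-region variant the answer mentions, with 10 subnet bits per region and /14 summaries; the decode function follows automatically because it only depends on the bit split.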
Chapter 4 Network Address Translation
Introduction
This chapter covers Network Address Translation (NAT). In its simplest form, NAT changes network layer (layer 3) addresses as they pass through some device, such as a router or firewall. In theory, other layer 3 protocols can be translated, such as AppleTalk or IPX, as well as other layers (such as layer 2). In practice, it's usually done only with IP addresses at layer 3. Because this is a TCP/IP book, this chapter will focus exclusively on IP. We will demonstrate, however, that simply changing the layer 3 address is insufficient, and that transport layer (layer 4), and often higher layer, information must also be affected. Therefore, our discussion will also include TCP and UDP, as well as application layer (layer 7) protocols. We will discuss not only what NAT is and how it works, but also what the problems and shortcomings are. This chapter is not about network security; however, the issues surrounding NAT often intersect with those of security applications. In some cases, particular types of NAT make the most sense in the context of a security application. Many of the commercial NAT implementations are part of a security package. Given that, we will be covering some security information as it relates to NAT, though NAT by itself is not necessarily security technology.
Hiding Behind the Router/Firewall
The ideas behind NAT became popularized in early firewall solutions. These early firewalls were mostly proxy-based. A good example is the FireWall ToolKit (FWTK). A proxy (in the firewall context) is a piece of software that fetches some information on behalf of a client, such as a Web page. The client computer asks the proxy for a particular Web page (it gives it the URL) and awaits reply. The proxy will then fetch the Web page, and return it to the client. What's the point of that? First, the administrator of the proxy can often program a list of things the client isn't allowed to do. For example, if it's a Web proxy at a company, the proxy administrator may choose to block access to www.playboy.com. Second, the proxy might be able to perform some caching or other optimization. If 50 people visit www.syngress.com every day, the proxy could keep a copy of the Web page, and when a client asks for it, all the proxy has to do is check if there have been any changes. If not, it passes along the copy it has stored, and the client typically gets to see the page more quickly.

Usually in this type of proxy configuration, the clients have been blocked from retrieving Web pages from the Internet directly, so they are forced to use the proxy if they want to view Web pages. This is often done with packet filtering on the router. Simply stated, the router is configured only to allow the proxy to pull Web pages from the Internet, and no other machine. The result of this type of design is that inside clients now talk only to the proxy, and no longer talk directly to other hosts on the Internet. The proxy only needs to accept requests from the "inside" and fulfill them. This means that other machines on the Internet no longer need to speak to inside clients directly, even for replies. Therefore, the firewall administrator can configure their router or firewall to block all communications between the inside and outside machines. This forces all communications through the proxy. Now, the only machine the outside can talk to (if all is configured correctly) is the proxy. This dramatically reduces the number of machines that outsiders can attack directly. The proxy administrator takes particular care to make sure the proxy machine is as secure as possible, of course. Figure 4.1 is a diagram of what it looks like, logically.

This process has been highly simplified for purposes of discussion, but the principles are there: a clear division of inside and outside, and a point between them. This point between the two is sometimes called a choke point. In our diagram, the choke point is the proxy and filtering router together.
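The filtering-router half of the choke point described above, as an added Python example (written for this chapter, not code from the book or from FWTK). The topology is constructed: inside clients in 10.0.0.0/8, the proxy on the single public address 192.0.2.1, and outside hosts in the TEST-NET documentation ranges; the packet records are sample data. The router only sees packets that cross the inside/outside boundary, so client-to-proxy traffic does not appear.

```python
import ipaddress

# Constructed topology for the example (addresses are not from the book).
INSIDE = ipaddress.IPv4Network("10.0.0.0/8")    # inside clients, RFC 1918 space
PROXY = ipaddress.IPv4Address("192.0.2.1")      # the proxy's one public address
WEB_PORT = 80


def router_decision(src, dst, sport, dport, syn):
    """Packet filter on the choke-point router; first matching rule wins.
    syn=True marks a TCP connection request, replies carry syn=False."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Rule 1: only the proxy may open Web connections to the outside.
    if s == PROXY and d not in INSIDE and dport == WEB_PORT:
        return "permit"
    # Rule 2: Web servers may answer the proxy, but may not start connections.
    if d == PROXY and s not in INSIDE and sport == WEB_PORT and not syn:
        return "permit"
    # Rule 3: nothing else crosses between inside and outside, in either direction.
    return "deny"


# Constructed packets: (src, dst, sport, dport, syn)
SAMPLE_PACKETS = [
    ("10.0.3.7", "203.0.113.80", 40000, 80, True),    # client tries to browse directly
    ("192.0.2.1", "203.0.113.80", 50000, 80, True),   # proxy fetches the page for it
    ("203.0.113.80", "192.0.2.1", 80, 50000, False),  # server's reply to the proxy
    ("203.0.113.80", "10.0.3.7", 80, 40000, False),   # outside host addressing a client
    ("198.51.100.9", "192.0.2.1", 3333, 23, True),    # unsolicited connection to the proxy
    ("198.51.100.9", "10.0.0.1", 3333, 80, True),     # unsolicited connection to an inside host
]


def decisions(packets):
    """The router's verdict for each sample packet, in order."""
    return [router_decision(*p) for p in packets]


def hosts_reachable_from_outside(packets):
    """Destinations that outside sources actually reach under the policy:
    the set of machines outsiders can talk to directly."""
    return sorted({
        dst for (src, dst, sp, dp, syn) in packets
        if ipaddress.IPv4Address(src) not in INSIDE
        and ipaddress.IPv4Address(src) != PROXY
        and router_decision(src, dst, sp, dp, syn) == "permit"
    })


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions(SAMPLE_PACKETS)):
        print(verdict.ljust(6), pkt)
    print("reachable from outside:", hosts_reachable_from_outside(SAMPLE_PACKETS))
```

Matching on the SYN flag is the crude form of state that router access lists of that era offered (the "established" keyword on Cisco extended ACLs works the same way); it lets replies back to the proxy without tracking connections, which is why a real deployment pairs it with a stateful firewall or relies on the proxy itself to reject anything it did not request.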
Figure 4.1 Retrieving a Web page through a proxy.
This is a simplified firewall architecture. Issues outside of the scope of this chapter come into play when designing a real firewall, such as:
- Is proxy software available for all needed protocols?
- How is the packet filtering configured on the router?
- How does the Web browser software on the client know to talk to the proxy?
- How does the proxy know which machines are on the inside, and which are outside?
Chapter 4 * Network Address Translation

The point of the discussion in this chapter is not what a proxy firewall architecture looks like, but rather, a side effect of it. We already know that all traffic on the Internet from this network originates from the proxy. This means that the Internet only "sees" the IP address of the proxy server. We also know that the Internet can't reach the client machines on the inside. As far as the Internet is concerned, this means that this site needs only one IP address, which is that of the proxy. Recall from Chapter 3 that address space is considered scarce at present, and that certain IP address ranges, referred to as the private IP address ranges, have been set aside. These ranges are currently listed in the document RFC 1918, available at http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html as well as at a number of other Web sites. If you happen to read through the RFC, you'll see that it renders RFCs 1627 and 1597 (an older version of RFC 1918) obsolete. RFC 1627 attempts to make a case against private IP address ranges. Apparently, RFC 1627 lost because it has been declared obsolete by one that explicitly allows private address ranges. The other RFCs can be reached at the previous URL (there are links at the top of that Web page). Following is a quote from RFC 1918, which defines the private address spaces, and when they should be used:

"For security reasons, many enterprises use application layer gateways to connect their internal network to the Internet. The internal network usually does not have direct access to the Internet, thus only one or more gateways are visible from the Internet. In this case, the internal network can use non-unique IP network numbers."

As part of the reason for having private addresses, the RFC recognizes that many companies already have application layer gateways (proxies) in place. Therefore, it would be useful to have a set of addresses that can be reused internally, as long as none of those machines needs to talk to other machines directly. The RFC also recommends that companies who wish to employ such a proxy obtain address space from Internet Service Providers (ISPs). In recent years, most of the address space has been allocated to ISPs, rather than directly to companies, as it used to be. A big part of the reason for this is to keep routing tables on Internet core routers as small as possible. If a block of addresses is given to an ISP, then the other ISPs can hold a route to that single block, rather than having an entry for each of the separate network ranges in the block, as would be the case if those address ranges were given to various companies. By today's rules, you pretty much have to be an ISP to get address space allocated to you permanently.

For more information about how ISPs obtain and assign addresses, please see Chapter 6. If you run a proxy architecture, it will be fairly easy to get some addresses from your ISP, and you will need relatively few. With this architecture, you are free to use the RFC 1918 addresses inside your network, and still have Internet access for your internal client machines.
This type of architecture is in very common use today. Many companies, especially large ones, have some sort of firewall or proxy device that does the direct communication on the Internet. Even companies that have been on the Internet long enough to have their own address space frequently use this type of architecture, though mostly for security reasons. Now that we have some idea what proxies are, how exactly does that relate to NAT? Well, actually not much: proxies aren't NAT. Towards the end of the chapter, we explain why. However, the discussion is important, because proxies form part of the history of why NAT exists.

What Is NAT?

The idea behind NAT is similar to one of the benefits of proxies: hiding your internal addresses. The usual reason for wanting to hide addresses is the one we mentioned: Internet access for inside client machines. At a high level, the end result is the same. The Internet sees a valid Internet address (a public address), probably assigned by your ISP, and your inside machines are using private addresses. There is at least one other reason you might want to use NAT if you're using the RFC 1918 addresses: What if your company merges with another one? Usually, the two companies will want to link internal networks to facilitate business communications. However, if both companies had previously been using the same RFC 1918 address ranges, a conflict arises. Ultimately, a renumbering of some sort will probably have to be done, but as a short term measure, it's possible to use a type of NAT to translate addresses between the two companies to resolve conflicts. We'll return to this example later.
To understand how NAT differs from proxying, we have to take a detailed look at how NAT works.

How Does NAT Work?

NAT works by modifying individual packets. It modifies (at least) the layer 3 headers to have a new address for the source address, destination address, or both. We'll also see an example where layer 4 headers are modified, as well as the data portion (layer 7). As we'll see, a few small variations in how the addresses are translated can result in a fairly wide range of behavior and features. We'll also see that for some protocols, it will take a lot more than simply changing the layer 3 addresses for them to function with NAT. There are even protocols that can't function with NAT in place. The NAT function is usually performed by a router or firewall. It is theoretically possible for a bridge (layer 2) device to do layer 3 address translation, and at least one firewall product on the market functions that way. However, the vast majority of the NAT devices, or software that includes a NAT function, depends on plain IP routing to deliver packets to it. Most NAT devices have an underlying IP routing function.

Network Address Translation (Static)

We'll start with the simplest form of NAT, which is called static, or 1-to-1 translation. This is the most intuitive kind: Simply stated, in static NAT, a particular IP address is changed to another going one way, and changed back going the other way. The change usually is done to the source address for outgoing packets. Figure 4.2 will help clarify this. In the figure, the arrows indicate direction of packet flow (where it's being routed), S indicates source address, and D indicates destination address.
Figure 4.2 Static NAT during the first two packets of the TCP handshake.
How Does Static NAT Work?

Let's assume for the moment that this is a really simple-minded NAT; that is, all it does is modify the source or destination address when appropriate. What kind of work does the NAT router have to do? First, it has to have some idea of which direction the packet is traveling relative to the NAT configuration. Notice in the example that the router translates the source in one direction, and the destination in the other. It can decide which to do based on particular interfaces being marked as "to" or "from" interfaces. A configuration example, next, will make things more clear. The router also has to decrement the TTL and redo any checksums needed, but routers do that anyway. The example is also stateless, meaning that the router doesn't have to know what went on with previous packets, if anything, in order to modify the current one. All the information it needs to modify the packet is available in the current packet, and in its configuration. Also note that this type of NAT has no security features; all traffic passes regardless, with just an address change in the process. The idea of state information is very important for later NAT examples, and also for firewalls. Keep this in mind for later discussion. This type of NAT is fairly simple to understand, but it isn't as useful as it might be. Consider our goal of trying to have a few IP addresses represent a group of inside machines. Our example is 1-to-1, meaning there is no address savings! Each inside IP address has to have a matching outside address, so there is no savings of IP addresses. Does this mean that it is useless? No, there are a number of scenarios where we can use a 1-to-1 mapping of IP addresses. One scenario is that you've got an internal machine with an internal IP address, and you want to make it reachable by the Internet for some reason. One way to do it without having to change anything on the inside machine is to define a static translation for it, like we did in our example. If that's done, you simply have to publish the translated IP address (perhaps by assigning a DNS name to it).
Let's consider another example, which matches the one in Figure 4.2, except that the destination address is changed on the first packet instead of the source address. When would it be useful to change the destination address instead of the source address? There is at least one type of server you generally have to refer to by IP address: DNS servers. Imagine a situation where a DNS server has failed, probably only temporarily, and you would like to have your inside client machines make DNS requests of a new one without having to reconfigure them all, and then put them back when the original DNS server is back up.

Double NAT

The last static NAT example we want to look at is often called "double NAT." Simply put, this is changing both the source and destination addresses of a packet. Many products that support NAT don't support this type of configuration, unless you've got two of them. Under what circumstances would you want to use double NAT? One possibility is a combination of the previous two examples: You've got inside machines using private IP addresses, and you need to have them connect to a different DNS server without reconfiguring them. That example is a bit contrived, though, and there's a better one. Recall that one of the problems with using private IP addresses is the possibility of conflict when you connect to another network that is using the same addresses. Double NAT can help in this situation, though again, you'll probably want to use this only as a temporary measure. Here's a scenario: You need to connect your network to that of another company, and you just found out that you both are using class C 192.168.1. You have to find a way to enable the two networks to communicate until a renumbering can be completed. This situation is far from impossible, as several firewall/NAT products use this address range by default. It turns out you've both got routers capable of doing NAT, the same routers you are using to connect to each other. For our example we'll focus on two machines, one on each net, that have the same IP address (see Figure 4.3).
Figure 4.3 Two networks with conflicting RFC1918 addresses.
The IP addresses used on the link between the two routers aren't particularly important for this example, as long as they don't create additional conflicts. The trick is to make each machine believe that the other one is at a different IP address. We accomplish this by making the machine on the left think that the machine on the right is IP address 192.168.2.2, while the machine on the right thinks that the machine on the left is 192.168.3.2. This is still static NAT: each machine has a 1-to-1 mapping to another IP address. However, in this example, since we're going through two NAT routers, we're going to translate twice. The first router will change the source address on the packet, and the second router will change the destination address on the packet. Double NAT. Let's walk through an example of the machine on the left sending a packet to the machine on the right (see Figure 4.4). Since the machine on the left assumes it's simply communicating with another machine at 192.168.2.2, it sends its packet to the local router for forwarding, as it normally would. At this point, router A is going to change the source address on the packet, to hide the fact that it came from a 192.168.1 net (see Figure 4.5).
Figure 4.4 Source address is 192.168.1.2, destination address is 192.168.2.2.
The destination address remains 192.168.2.2 at this point, and router A uses its normal routing tables to determine where the 192.168.2 network is, and forwards the packet. In this case, it forwards the packet to router B. Router B is going to perform its translation next, and it changes the destination address from 192.168.2.2 to 192.168.1.2 (see Figure 4.6).

Figure 4.5 Source address is now 192.168.3.2, destination address is still 192.168.2.2.
Figure 4.6 Source address is 192.168.3.2, destination address is now 192.168.1.2.
Now the machine on the right receives the packet, and that machine believes it has received a packet from 192.168.3.2. Packets traveling from the machine on the right to the machine on the left will go through a similar, but reversed process. In this manner, the two machines with the same address, which would normally never be able to communicate with each other, are able to do so. Naturally, to make this type of scenario usable in real life, it will probably require some clever DNS setup as well. The DNS server for the machine on the left would be configured so that the names of the machines on the right resolve to 192.168.3 addresses, and so on.
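The static and double NAT walk-through above can be modelled in a few dozen lines. The following Python is an added example, not code from the book or from any router vendor: it treats static NAT as the stateless per-packet rewrite the chapter describes (direction decided only by the arriving interface, no filtering), and chains two such routers to reproduce the address changes of Figures 4.4 to 4.6. The router names A and B, the `Packet`/`StaticNatRouter` classes and the `dns_failover` helper (the destination-translation case from earlier in the text) are this example's own; the addresses are the chapter's.

```python
"""Static (1-to-1) NAT modelled as a stateless per-packet rewrite.

Added example, not code from the book or from any router vendor. The
addresses follow the chapter's double-NAT scenario (Figures 4.3 to 4.6):
two sites that both use 192.168.1.0/24, joined through routers A and B.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int = 64


class StaticNatRouter:
    """A router with one inside and one outside interface and a 1-to-1 table.

    The table maps an address as it appears on the inside to the address as
    it appears on the outside. Direction is decided only by the interface a
    packet arrives on, so no per-flow state is kept: this is the stateless
    NAT the chapter describes, and it filters nothing. Addresses with no
    mapping pass through untouched.
    """

    def __init__(self, name, inside_to_outside):
        self.name = name
        self.inside_to_outside = dict(inside_to_outside)
        self.outside_to_inside = {o: i for i, o in self.inside_to_outside.items()}
        if len(self.outside_to_inside) != len(self.inside_to_outside):
            raise ValueError("static NAT mappings must be 1-to-1")

    def forward(self, pkt, arriving_on, translate="source"):
        """Rewrite one packet and decrement its TTL, as any router would.

        translate="source": inside->outside rewrites src, outside->inside rewrites dst.
        translate="destination": inside->outside rewrites dst, outside->inside
        rewrites src (the DNS-failover case from the chapter).
        """
        if pkt.ttl <= 1:
            raise ValueError(f"{self.name}: TTL expired, packet dropped")
        if arriving_on == "inside":
            table = self.inside_to_outside
            field = "src" if translate == "source" else "dst"
        elif arriving_on == "outside":
            table = self.outside_to_inside
            field = "dst" if translate == "source" else "src"
        else:
            raise ValueError(f"{self.name}: unknown interface {arriving_on!r}")
        old = getattr(pkt, field)
        return replace(pkt, **{field: table.get(old, old), "ttl": pkt.ttl - 1})


# Router A (left site) presents its inside host 192.168.1.2 to the right
# site as 192.168.3.2; router B (right site) presents its own 192.168.1.2
# to the left site as 192.168.2.2.
ROUTER_A = StaticNatRouter("A", {"192.168.1.2": "192.168.3.2"})
ROUTER_B = StaticNatRouter("B", {"192.168.1.2": "192.168.2.2"})


def double_nat_left_to_right(pkt):
    """Packet from the left host to the right host, via A then B.

    Returns (after_A, after_B): A rewrites the source (Figure 4.5), then B,
    seeing the packet on its outside interface, rewrites the destination
    back to the real right-hand host (Figure 4.6).
    """
    after_a = ROUTER_A.forward(pkt, arriving_on="inside")
    after_b = ROUTER_B.forward(after_a, arriving_on="outside")
    return after_a, after_b


def double_nat_right_to_left(pkt):
    """The reverse path: B rewrites the source, then A rewrites the destination."""
    after_b = ROUTER_B.forward(pkt, arriving_on="inside")
    after_a = ROUTER_A.forward(after_b, arriving_on="outside")
    return after_b, after_a


def dns_failover(pkt, old_dns, new_dns):
    """Destination translation: send clients' DNS queries to a new server
    without reconfiguring them (the chapter's second static-NAT example)."""
    router = StaticNatRouter("dns-redirect", {old_dns: new_dns})
    return router.forward(pkt, arriving_on="inside", translate="destination")


if __name__ == "__main__":
    first = Packet(src="192.168.1.2", dst="192.168.2.2")  # Figure 4.4
    for hop in double_nat_left_to_right(first):
        print(hop)
```

Because each router consults only its own table and the arriving interface, neither needs to know the other exists; that independence is exactly why the two-router arrangement works with products that cannot rewrite both addresses themselves.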
Problems with Static NAT

So far, we've ignored the problems with NAT, and they are significant. The basic problem is that not all network address information is in the network address headers (IP layer). A fair number of protocols, for various reasons, include address information in the data portion of the packets. We'll look at a few examples. One of the most problematic protocols for NAT is the File Transfer Protocol (FTP). However, because FTP is so common, most NATs deal with it properly. What's difficult about FTP? First of all, it passes IP addresses in the data stream, in ASCII. Second, it passes these addresses to inform the other machine on which IP address and port it will be listening for reverse connections. In the default mode, when an FTP client wants to receive a file, it listens on a port number assigned by the operating system, and informs the server of that port number and its IP address. The server then contacts the client and delivers the file. This problem gets worse when security or other types of NAT are considered, which we'll look at later. This means that the NAT software has to be able to spot the IP addresses when they are being sent, and be able to modify them. FTP also introduces the problem of state. Unfortunately for the NAT software designer, the IP address information may be split across more than one packet. This means that the NAT software also has to keep track of what it was doing on the last packet as well as the current one. This is known as maintaining state information; most NAT devices use state tables to maintain this type of information. Figure 4.7 contains a packet capture of the problem in action.
Figure 4.7 Packet containing the FTP PORT command.

IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP:       000. .... = routine
IP:       ...0 .... = normal delay
IP:       .... 0... = normal throughput
IP:       .... .0.. = normal reliability
IP: Total length = 66 bytes
IP: Identification = 3437
IP: Flags = 4X
IP:       .1.. .... = don't fragment
IP:       ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 410F (correct)
IP: Source address = [208.25.87.11]
IP: Destination address = [130.212.2.65]
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 4585
TCP: Destination port = 21 (FTP)
TCP: Sequence number = 353975087
TCP: Next expected Seq number = 353975113
TCP: Acknowledgment number = 1947234980
TCP: Data offset = 20 bytes
TCP: Flags = 18
TCP:       ..0. .... = (No urgent pointer)
TCP:       ...1 .... = Acknowledgment
TCP:       .... 1... = Push
TCP:       .... .0.. = (No reset)
TCP:       .... ..0. = (No SYN)
TCP:       .... ...0 = (No FIN)
TCP: Window = 8030
TCP: Checksum = 1377 (correct)
TCP: No TCP options
TCP: [26 Bytes of data]
TCP:
FTP: ----- File Transfer Protocol -----
FTP:
FTP: Line 1: PORT 208,25,87,11,17,234
FTP:
Figure 4.7 is a packet from the middle of an FTP session, containing the PORT command. Behind the scenes, FTP is basically a text protocol, with binary transfers added onto it. The command you see at the bottom of the figure, PORT 208,25,87,11,17,234, is the client informing the server what port it will be listening on for receiving data. I had just connected to the server and my client sent an address and port number to which the server could connect in order to send its welcome banner.
Let's take a look at the command. The PORT part is fairly evident: it is telling the server what port it can connect to. The first four numbers, 208,25,87,11, are simply the client's IP address; if you look at the top of the figure (source address), it is 208.25.87.11. The next two numbers are the port number, split into two bytes. Notice that the current source port is 4585. The client in this case is a Windows 98 machine, and like most operating systems, Windows allocates ports sequentially. To convert 17,234 into a single number, follow this conversion routine: Multiply the first number (on the left) by 256, and then add the second number; in this case, 17*256+234 = 4586. So, our client is telling the server to connect to 208.25.87.11 at port 4586. Everything worked as expected, and the banner was properly displayed on the FTP client. But had NAT been in use, the NAT software would have to recognize the PORT command, and modify the number for the IP address inside the packet. In this example, all fields were contained in the same packet (as they often are). However, they may be split across more than one packet, so the NAT software must be prepared to handle that possibility. If the NAT software is able to modify the PORT command correctly, all still works well. The headers are changed, and the PORT command(s) are changed to match, accordingly. Now FTP can work properly across static NAT. That's only one protocol handled as a special case; there are lots more. Real-world NAT implementations must deal with these in order to be useful to consumers.
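What the NAT software has to do to the PORT command, including the case where the command is split across packets, is shown by the following Python. It is an added example, not the book's code or any vendor's FTP handling: it parses the six-number PORT syntax with the same 256-multiply conversion as the text, buffers the client-to-server stream until a full line is available, and rewrites the address when it matches the inside host. The client address and PORT line come from the Figure 4.7 capture and the translated address 130.214.99.250 from the chapter's IOS example; the `FtpPortRewriter` class, its `seq_delta` bookkeeping, and the way the command is split across two segments are this example's own.

```python
"""Rewriting the FTP PORT command the way a NAT has to.

Added example, not the book's code or any vendor's FTP handling. It uses
the client address and PORT line from the chapter's Figure 4.7 capture
(208.25.87.11, PORT 208,25,87,11,17,234) and, as the translated address,
the 130.214.99.250 from the chapter's IOS example. The way the command is
split across segments in __main__ is constructed to show the state problem.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 as defined by RFC 959: six decimal byte values.
PORT_LINE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port_line(line):
    """Return (ip, port) for a complete PORT line, else None.

    The port is p1 * 256 + p2, exactly the conversion the text walks through.
    """
    m = PORT_LINE.match(line)
    if not m:
        return None
    values = [int(v) for v in m.groups()]
    if any(v > 255 for v in values):
        return None  # malformed; pass it through untouched
    ip = ".".join(str(v) for v in values[:4])
    return ip, values[4] * 256 + values[5]


def build_port_line(ip, port):
    """Inverse of parse_port_line: encode ip and port back into PORT syntax."""
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return b"PORT " + ",".join(fields).encode("ascii") + b"\r\n"


class FtpPortRewriter:
    """Per-connection state for the client->server FTP control stream.

    The PORT command may arrive split across TCP segments, so bytes are held
    in a buffer until a full CRLF-terminated line exists; only then can the
    address be recognised and rewritten. Everything else passes through
    unchanged. seq_delta records how much longer the rewritten stream has
    become: a real NAT must adjust TCP sequence and acknowledgement numbers
    by this amount for the rest of the connection (a detail beyond what the
    chapter covers).
    """

    def __init__(self, inside_ip, outside_ip):
        self.inside_ip = inside_ip
        self.outside_ip = outside_ip
        self.pending = b""
        self.rewrites = 0
        self.seq_delta = 0

    def feed(self, segment):
        """Consume one segment's payload; return the bytes to forward now."""
        self.pending += segment
        out = b""
        while b"\r\n" in self.pending:
            line, self.pending = self.pending.split(b"\r\n", 1)
            line += b"\r\n"
            parsed = parse_port_line(line)
            if parsed is not None and parsed[0] == self.inside_ip:
                rewritten = build_port_line(self.outside_ip, parsed[1])
                self.seq_delta += len(rewritten) - len(line)
                self.rewrites += 1
                line = rewritten
            out += line
        return out


if __name__ == "__main__":
    alg = FtpPortRewriter("208.25.87.11", "130.214.99.250")
    print(alg.feed(b"PORT 208,25,"))        # incomplete line: nothing forwarded yet
    print(alg.feed(b"87,11,17,234\r\n"))    # now the whole command can be rewritten
```

Holding back the partial line is the "state" the text refers to: without the buffer, the first segment would already be on its way with the private address intact, and there would be nothing left to fix when the rest arrived.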
It's fairly common for NAT vendors to provide a list of protocols for which they do or do not work correctly. The basic problem lies with protocols that pass address and port information as part of the data portion of the packets. When the IP headers are changed, the data portion must also be changed to match. If this is not done, then the protocol most likely will not work properly. There is at least one other category of protocols that have problems, even with static NAT. Certain protocols exist that can detect when the IP headers have been changed, and will refuse to work when a change is detected. Usually, these are cryptographic protocols. A prime example is the IPSec Authentication Header (AH) protocol. Without going into too much IPSec detail, the idea behind this protocol is that it is sometimes useful to know for sure that the IP address with which you are communicating is who it claims to be. The two IP addresses communicating using IPSec AH have shared cryptographic keys with which to verify certain types of information. When one of these devices puts together a packet, it includes a large number with it, which is a function of nearly all the information in the packet, as well as the cryptographic key. When the device at the other end sees the packet, it can go through a similar process, and determine if the packet has been tampered with. If it detects any tampering, it discards the packet as invalid. IPSec AH will see NAT as tampering (unauthorized modification to the headers) and drop the packets as being invalid. Here is a protocol that cannot work with NAT, because of its design. There are not a large number of protocols like this, and they are usually complex enough that network and firewall administrators are often involved in their configuration, so they should be aware of the issues, and be able to work around them. Be aware, though, that some ISPs employ NAT on their networks. Also, some Virtual Private Network (VPN) products use IPSec, and these products often will not work over an ISP that does NAT or any type of firewalling.
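The "large number" that AH attaches to each packet, and why NAT breaks it while ordinary routing does not, can be shown with a simplified model. The Python below is an added example and not the book's code or any IPsec implementation: it uses an HMAC-SHA256 over a toy IP header plus payload as the integrity value, zeroes the fields a router is allowed to change in transit (TTL and header checksum) before computing it, and keeps the addresses inside the check. The key, payload and the `deliver` helper are constructed for the example; the addresses and checksum value are taken from the chapter's capture and IOS configuration.

```python
"""Why IPSec AH and NAT cannot coexist, shown with a simplified ICV.

Added example, not from the book or from any IPsec implementation. It
mimics AH's integrity check with an HMAC-SHA256 over a toy IP header plus
payload, zeroing the fields AH treats as mutable (TTL and header checksum)
so that ordinary routing does not break verification, while keeping the
addresses inside the check. The key and payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

# Fields a router legitimately changes in transit; excluded from the ICV.
MUTABLE_FIELDS = ("ttl", "checksum")


def covered_bytes(hdr, payload):
    """Serialise the toy header for the ICV with mutable fields zeroed."""
    ttl = 0 if "ttl" in MUTABLE_FIELDS else hdr["ttl"]
    checksum = 0 if "checksum" in MUTABLE_FIELDS else hdr["checksum"]
    return struct.pack(
        "!BBH4s4s", hdr["version"], ttl, checksum,
        socket.inet_aton(hdr["src"]), socket.inet_aton(hdr["dst"]),
    ) + payload


def compute_icv(key, hdr, payload):
    """The sender's 'large number': keyed hash over header and payload."""
    return hmac.new(key, covered_bytes(hdr, payload), hashlib.sha256).digest()


def verify_icv(key, hdr, payload, icv):
    """The receiver recomputes and compares in constant time."""
    return hmac.compare_digest(compute_icv(key, hdr, payload), icv)


def deliver(key, hdr, payload, nat_src=None):
    """Simulate one packet's trip.

    The sender computes the ICV; a router on the path decrements the TTL
    and alters the checksum (both legitimate); if nat_src is given it also
    rewrites the source address, which is what NAT does. Returns whether
    the receiver accepts the packet.
    """
    icv = compute_icv(key, hdr, payload)
    in_transit = dict(hdr, ttl=hdr["ttl"] - 1, checksum=(hdr["checksum"] + 1) & 0xFFFF)
    if nat_src is not None:
        in_transit["src"] = nat_src
    return verify_icv(key, in_transit, payload, icv)


KEY = b"constructed-shared-key"           # constructed; AH keys are pre-agreed
HEADER = {"version": 4, "ttl": 128, "checksum": 0x410F,
          "src": "192.168.0.2", "dst": "130.212.2.65"}
PAYLOAD = b"constructed payload"


if __name__ == "__main__":
    print("routing only:", deliver(KEY, HEADER, PAYLOAD))
    print("through NAT :", deliver(KEY, HEADER, PAYLOAD, nat_src="130.214.99.250"))
```

Because the NAT device does not hold the key, it cannot recompute the value after changing the address, so the receiver's check fails exactly as the text describes; the only remedies are to keep AH traffic off NAT paths or to use a mode that does not authenticate the outer addresses.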
Configuration Examples

In this chapter, our configuration examples will be using Cisco's IOS, Windows NT 2000, and Linux. Specifically, we'll be using Cisco IOS 11.3 or higher (on the main Cisco router line), and Red Hat Linux 6.0. Note that some other Cisco devices, such as the 77x ISDN routers, support NAT as well, but they use a different numbering scheme for their software. We use Windows NT 2000 because this is the first version of Windows NT to include built-in NAT capabilities. At the time of this writing, NT2000 is still beta. This feature is expected to be present in the final version, but there is always a possibility it won't be or that it will be slightly changed. The software package we'll be using on Linux is called IP Masquerade, which comes with the most recent versions of all the Linux distributions. The "References and Resources" section at the end of the chapter provides URLs for documents containing information about NAT, including information about which exact versions of the Cisco IOS include NAT features, and where to obtain IP Masquerade if it isn't already included with your distribution. This chapter assumes that the appropriate software is already installed, and that you have a basic familiarity with the operating system.
Windows NT 2000

Windows NT 2000 includes a feature called Internet Connection Sharing (ICS). (ICS is also included in Windows 98 Second Edition.) ICS is intended to allow dial-up users to provide Internet access to other machines attached via a LAN. It does that well, but it's pretty single-minded, so it's not very flexible. The outside interface must be a dial-up connection; that is, if your Internet access method is via a LAN connection (such as a cable modem or most DSL setups) you can't use ICS with it. To accommodate inside machines on the LAN, the NT 2000 box configures its LAN interface to be 192.168.0.1, and turns itself into a DHCP server and DNS proxy. The configuration of the LAN interface might very well cause conflicts if those services already exist, so be careful. We'll assume that NT 2000 is already installed properly, that the LAN interface is functioning properly, and that there is a correctly defined Internet dial-up connection. We'll start with the network control panel, shown in Figure 4.8. In Figure 4.8, we can see the LAN connection and the Internet dial-up connection. The Internet connection is grayed-out to indicate that it's not up at the moment.
Figure 4.8 Windows 2000 Network connections window.
To configure ICS, right-click on the Internet dial-up connection and select Properties. When the Properties window comes up, click on the Internet Connection Sharing tab, shown in Figure 4.9. Checking on the Enable Internet Connection Sharing box enables ICS. Optionally, you can configure the NT 2000 machine to dial the Internet automatically when an inside machine tries to access the Internet. Checking on this option also enables the DHCP server, so again be sure there isn't already a DHCP server before you check this on. The short version of this configuration example is that inside machines will now actually be able to access the Internet (after you dial-up, of course).

Figure 4.9 Dial-up properties window, ICS tab.

However, since we're discussing static NAT, we'll dig a little deeper into what ICS can do. Strictly speaking, ICS doesn't do static NAT (we'll discuss that later in the chapter), but it can perform some of the same behavior. Notice that there is a Settings button at the bottom of the screen: If you click on that, and then select the Services tab, you will see something like the screen shown in Figure 4.10. In our example, there is already a service defined, called "telnet." By default, this list is empty. If we click on edit, we will see the screen shown in Figure 4.11. In the Service port number field, we've got 23 (which is the default port for a Telnet server). The protocol is TCP, and the Name field is portabeast, which is just the name of a machine on our example inside network.
Figure 4.10 ICS Services tab, Telnet service selected.
Figure 4.11 Definition of Telnet service.
Since ICS doesn't do real static NAT, inside machines can get out, but outside machines can't get in. The Services feature lets you explicitly allow certain services to be reachable from the outside. In our case, we've made it possible for the outside to Telnet to portabeast. ICS automatically handles FTP properly.
Cisco IOS

Of the three operating systems we're covering, Cisco's IOS has the most flexible NAT software. Using it, we're able to do a true static NAT configuration. This example was done on a 2621 router, which has two FastEthernet ports. Here's what the relevant portion of the configuration looks like before we start:

Using 827 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname NAT
!
enable secret 5
enable password 7
!
ip subnet-zero
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 130.214.99.254 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 130.214.99.1
no ip http server
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxx
 login
!
no scheduler allocate
end
Interface FastEthernet0/0 is our inside interface, which uses the 192.168.0 net. 130.214.99 is our outside net, representing the path to the Internet for this example. There is an inside machine at 192.168.0.2 that we want to be able to get out, so we're going to assign it an outside address:

NAT(config)#interface fastethernet 0/0
NAT(config-if)#ip nat inside
NAT(config-if)#int fastethernet 0/1
NAT(config-if)#ip nat outside
NAT(config-if)#exit
NAT(config)#ip nat inside source static 192.168.0.2 130.214.99.250

The first step is to mark the inside and outside interfaces, which is done with the ip nat inside and ip nat outside commands. Next, we tell the router to do an IP mapping. The command (global this time, rather than an interface command) is again ip nat. We're mapping an inside address and translating the source address (destination address translation is also possible with IOS). It's a static mapping, and we're translating 192.168.0.2 to 130.214.99.250.
This is a true static mapping, and only the one inside machine is fully reachable from the outside at the 130.214.99.250 address. Because the mapping covers every port, any service listening on 192.168.0.2 is now reachable from the Internet at 130.214.99.250 unless an access list on the outside interface restricts it. You can confirm the entry with show ip nat translations. As mentioned, IOS supports destination address mapping as well. It can also do double NAT with just one physical router, if you need it.
Linux IP Masquerade

Our Linux box (Red Hat 6.0) also has two LAN interfaces. IP Masquerade comes standard with Red Hat 6.0, and can be used with other versions and distributions of Linux, although you may have to install it yourself. Instructions are available on how to do so; check the "References and Resources" section at the end of this chapter. Our example begins with the LAN interfaces already configured and working properly. Here is the output from the ifconfig command:

eth0      Link encap:Ethernet  HWaddr 00:80:C8:68:C8:44
          inet addr:130.214.99.253  Bcast:130.214.99.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:547 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xfc00

eth1      Link encap:Ethernet  HWaddr 00:60:97:8A:9D:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:3 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
The addressing setup is very close to that of the router. Interface eth1 is our inside network, again 192.168.0, and interface eth0 is our outside interface. With IP Masquerade, the address to which the inside is translated is determined by which direction traffic is routed. It will use the IP address of the outside interface. Here's the route table (output from the netstat -rn command):

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
130.214.99.253  0.0.0.0         255.255.255.255 UH    0   0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1
130.214.99.0    0.0.0.0         255.255.255.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         130.214.99.1    0.0.0.0         UG    0   0      0    eth0
Since the default route (0.0.0.0) is towards 130.214.99.1, which is reachable via the eth0 interface, all traffic will exit via that interface (unless it's destined for the 192.168.0 net). Therefore, the IP address for the eth0 interface (130.214.99.253) will be used as the translated source address. IP Masquerade relies on the OS doing routing, so routing must be enabled (it's disabled by default). To turn routing on, issue this command:

echo "1" > /proc/sys/net/ipv4/ip_forward

This will turn forwarding on, but only until the next reboot (or if it's turned back off manually in a similar manner). You can confirm the current state at any time with cat /proc/sys/net/ipv4/ip_forward, which prints 1 when forwarding is on. To turn it on permanently in Red Hat, you'll want to edit the /etc/sysconfig/network file, and change the line that reads:

FORWARD_IPV4=false

to:

FORWARD_IPV4=true
That takes care of the forwarding (routing). The next step is to install a masquerade policy that will translate traffic the way we want. IP Masquerade handles FTP properly; in fact, there is a special loadable module that needs to be installed for FTP. Issue this command:

/sbin/modprobe ip_masq_ftp

From its name, it's pretty obvious what this module is for. There are several modules like this for IP Masquerade, and we'll take a look at more later in the chapter. Next, we'll set some timeout values:

/sbin/ipchains -M -S 3600 60 180

The first number (3600) specifies how many seconds idle TCP connections will stick around (in this case, an hour). The second number indicates how long after the FIN exchange the connection is tracked, and the last number indicates how long UDP connections will be kept around without any traffic. Finally, we put in the actual IP Masquerade rules:

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.2/32 -j MASQ

(192.168.0.2 is still our inside machine for the example.) At this point, our inside machine will be able to get to the Internet. Setting the forward policy to DENY first matters: only the hosts you explicitly masquerade are forwarded at all, and everything else is dropped. To masquerade the whole inside net rather than a single host, use -s 192.168.0.0/24 instead. The live masquerade table can be inspected with /sbin/ipchains -M -L. You won't want to type these commands in every time you reboot, so typically you'll want to put them in a shell script in /etc/rc.d so that they run on startup.
Network Address Translation (Dynamic)

Static NAT is 1-to-1 NAT. Dynamic NAT is many-to-many NAT. Note that 1-to-many NAT is a special case of many-to-many NAT (a subset), and won't really be discussed as a separate issue here. If you can do many-to-many NAT, you can also do 1-to-many NAT. We've seen how 1-to-1 NAT works, and we've also shown that it doesn't reduce the required number of IP addresses. This is where dynamic NAT comes in. Dynamic NAT works by translating a number of internal IP addresses to a number (usually a smaller number) of external IP addresses. It does so by dynamically creating 1-to-1 NAT mappings on the fly, as needed. Then, through traffic monitoring and timers, it destroys the mappings as needed, and frees up outside IP addresses for new inside clients. You may have already spotted a problem, but hold that thought for the section on PAT, later in the chapter.

Here's our example scenario: You've got an internal network, 10.0.0.x, with about 50 machines on it. You get an Internet connection, but your ISP can give you only 16 addresses, 192.138.149.0 through 192.138.149.15. Because of standard subnetting issues, 0 and 15 can't be used (they are the network and broadcast addresses of that /28), 1 is used by the ISP's router, and 2 is your router, leaving only 3 through 14, or 12 addresses. Naturally, you want to provide Internet access for all your inside machines; that's what you got the Internet connection for. The setup looks like that shown in Figure 4.12. We know from previous discussion that we could do it with only 1 IP address and a proxy server. For this example, to avoid the extra theoretical expense of a new dedicated server, we're going to make use of dynamic NAT.

Figure 4.12 Connecting to the Internet through ISP, 16 addresses assigned.

We've already identified the range of available IP addresses, 192.138.149.3 through 192.138.149.14. Our router will be programmed with those addresses as an outside pool and 10.0.0.x as an inside pool. The word "pool" in this context simply refers to a range of IP addresses. To know how to do the dynamic NAT, the router will need to know for which IP addresses it is responsible.
This is more intuitive for the outside IP addresses, because the router needs to be informed of how many of the IP addresses it can use for NAT. The inside pool is a little less intuitive. Why not just NAT any address from the inside? There are a couple of reasons: First, you might want to designate a certain portion of your inside net to go to one outside pool, and another to go to a different outside pool. Second, you might need to do static NAT for certain machines, say a mail server, and you don't want that particular machine being dynamically translated.
How Does Dynamic NAT Work?

What does a router have to do to implement dynamic NAT? We've already discussed briefly all the elements a router needs in order to implement dynamic NAT. It needs a state table, it needs to have an idea of when a connection starts and stops, and it needs to have a timer. We've already seen how static NAT works. For the dynamic NAT discussion, we'll assume that a working static NAT with state tables and protocol specifics is in place, and expand on that. The first major change is that the static NAT mapping will no longer be hard coded (i.e., manually configured by an administrator), but will be part of another table that the router can change as needed. When we start, the table will be empty, and there will be no 1-to-1 mappings. The table will remain this way until an inside machine tries to connect to the Internet. Let's take a moment to point out that this is a slight security improvement over static NAT. With static NAT, any machine on the Internet can attempt to connect to the outside IP address in a static NAT mapping at any time, and they will be allowed through to the inside. With dynamic NAT, the default for the outside IP addresses is no mapping. Thus, when the mapping table is empty, any attempts to the outside IP addresses should be futile, as they map to no inside machines at the time. Once a mapping does exist, however, that outside address is as exposed as a static one for as long as the timer keeps the mapping alive, and anything on the Internet can reach the inside host through it during that window. This is not yet sufficient for security purposes, but it is an improvement.
When an inside machine attempts to connect to the Internet, the router will consult its table, and pick an available unused outside IP address. In our example, since the table is currently empty, it will likely pick the first one. It will then create an entry in the mapping table, and create a (temporary) static mapping from the inside machine's IP address to the outside IP address it has chosen. Note that the router's idea of a connection attempt to the Internet may be very simplistic: as soon as it gets any packet from the inside destined for the outside, it may create a mapping. The router will also start a timer at this point. As long as the inside machine is sending traffic out, or something on the Internet is sending traffic in (via that outside IP address), the mapping will remain. Every time a packet is passed that is part of that mapping, the timer is reset. There are two ways the mapping will be removed. The first is that the connection is stopped normally. For example, the FTP session is done, and the client has quit. For this to work, the router has to have an idea of what the end of a connection looks like. For TCP connections, this is relatively easy, as there are particular flags that indicate the end of a connection. Of course, for the router to watch for the end of a connection, it would have had to watch for one to start. We'll talk more about how this works in the section on PAT. The second way a mapping is destroyed is that no traffic is sent for the duration of the timer. When the timer runs out, the assumption is that any communications must be finished, and the mapping is removed. Naturally, while this one inside machine is communicating on the Internet, other inside machines may begin to as well, and they would get their own individual mappings.
Problems with Dynamic NAT

By now, the problems with dynamic NAT may be evident. If we assume the simplistic model, where the router creates a mapping as soon as any packet goes from an inside machine to the Internet, and only gets released when a timer expires, mappings are going to tend to stick around. If we've got 50 inside machines and only 12 outside addresses, there are going to be problems at certain times of the day, like mornings and lunchtime when everyone wants to access the Web. How can this problem be solved? One way to help alleviate it is to provide more outside IP addresses. In our example, this isn't practical since we got just so many from the ISP. Besides, it seems clear that there is a possibility that all 50 inside machines might want to access the Internet at the same time someday, and we would need 50 outside addresses. At that point, we might as well be back at static NAT, and there would still be no address savings. Another possibility is to try to reduce the amount of time that a mapping sticks around. This will give inside machines a better chance at getting out at peak times. We could reduce the timer, but that would increase the chances that it might expire while an inside machine is awaiting a response from a slow server on the Internet. This would be effectively broken, and could result in packets reaching the wrong internal client if the freed outside address has since been handed to someone else. The other way to reduce the amount of time is to improve the router's recognition of when connections are complete. However, this adds a fair amount of complexity. Often, a client will have multiple connections open to the Internet at a given time. This is especially true for Web surfing, for example. Each different element on a Web page is retrieved as a separate connection, at least under HTTP 1.0. If you connect to a Web page with 10 pictures, that will result in at least 11 connections: 1 for the HTML page, and 10 for the pictures. So, a router can't simply watch for the end of any connection, it has to watch for the end of every connection. The router has to know how many connections are taking place, which means it has to watch for the beginnings of connections in order to count them. This is all handled in yet another table. Each time a connection starts, an entry is created in the table. Each of these table entries may have its own timer, rather than using one global timer for the whole inside machine. This works pretty well for connection-oriented protocols like TCP, where there is a clear beginning and end to connections, but it doesn't work quite as well for connectionless protocols like UDP and ICMP, so for those we're back to timers. All in all, dynamic NAT (as stated here) isn't very workable. It seems clear in our example that if 12 people on the inside are actively using the Internet at a given moment, no additional inside people will get to use the Internet. Clearly, something that can guarantee fair access for an arbitrary number of inside machines simultaneously is needed. That's why dynamic NAT doesn't work exactly the way we said; this is covered in detail in the PAT section.
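To make the behavior described in the last three sections concrete, here is a small Python model of many-to-many dynamic NAT. It is an added example written for this edition, not code from the book or from any router vendor. It uses the chapter's scenario (50 inside hosts on 10.0.0.x, a 12-address pool of 192.138.149.3 through .14); the 120-second idle timeout and the specific host numbers are assumptions made here. It shows a mapping being created on the first outbound packet, the timer being refreshed by a reply, the pool running dry for the 13th host, and a freed address going to a previously refused host once the others time out.

```python
"""Model of many-to-many dynamic NAT (an added example, not code from the book).

The 12-address pool and the 50 inside hosts are the chapter's scenario; the
120-second idle timeout and the 10.0.0.x host numbers are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Mapping:
    inside: IPv4Address
    outside: IPv4Address
    last_seen: float        # time of the last packet in either direction


class DynamicNat:
    def __init__(self, pool: List[str], idle_timeout: float) -> None:
        self.free = [IPv4Address(a) for a in pool]    # unused outside addresses
        self.idle_timeout = idle_timeout
        self.by_inside: Dict[IPv4Address, Mapping] = {}
        self.by_outside: Dict[IPv4Address, Mapping] = {}
        self.refused = 0                              # packets dropped, pool empty

    def expire(self, now: float) -> int:
        """Tear down every mapping idle for the full timeout; return how many."""
        stale = [m for m in self.by_inside.values()
                 if now - m.last_seen >= self.idle_timeout]
        for m in stale:
            del self.by_inside[m.inside]
            del self.by_outside[m.outside]
            self.free.append(m.outside)
        return len(stale)

    def outbound(self, src: str, now: float) -> Optional[IPv4Address]:
        """Translate the source of an inside-to-Internet packet.

        Returns the outside address now representing the host, or None when
        the packet has to be dropped because no pool address is free.
        """
        self.expire(now)
        inside = IPv4Address(src)
        m = self.by_inside.get(inside)
        if m is None:
            if not self.free:
                self.refused += 1
                return None
            m = Mapping(inside, self.free.pop(0), now)   # lowest free address first
            self.by_inside[inside] = m
            self.by_outside[m.outside] = m
        m.last_seen = now
        return m.outside

    def inbound(self, dst: str, now: float) -> Optional[IPv4Address]:
        """Translate the destination of a packet arriving at an outside address.

        Only an address with a live mapping leads to an inside host; anything
        else is dropped, which is the security improvement over static NAT.
        """
        self.expire(now)
        m = self.by_outside.get(IPv4Address(dst))
        if m is None:
            return None
        m.last_seen = now
        return m.inside


def chapter_scenario() -> dict:
    """Fifty inside hosts all try to get out at once through twelve addresses."""
    pool = [f"192.138.149.{i}" for i in range(3, 15)]
    nat = DynamicNat(pool, idle_timeout=120.0)
    # Empty table: a probe from the Internet at a pool address goes nowhere.
    probe_before = nat.inbound("192.138.149.3", 0.0)
    # Everyone opens a browser at t=1; only the first twelve get an address.
    served = [nat.outbound(f"10.0.0.{h}", 1.0) for h in range(2, 52)]
    got_out = sum(1 for a in served if a is not None)
    # A reply for the first host is delivered and refreshes its timer.
    reply_to = str(nat.inbound("192.138.149.3", 2.0))
    # Just past the timeout for the others, their addresses return to the pool
    # and a host that was refused earlier gets the lowest one freed (.4).
    freed = nat.expire(121.5)
    late = str(nat.outbound("10.0.0.51", 121.5))
    return {"probe_before": probe_before, "got_out": got_out,
            "refused": nat.refused, "reply_to": reply_to,
            "freed": freed, "late": late}


if __name__ == "__main__":
    print(chapter_scenario())
```

Running chapter_scenario() shows the two halves of the argument at once: 12 hosts get out and 38 are refused on the first burst, and the address of the one host that received a reply survives the expiry sweep because the reply reset its timer.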
Configuration Examples

Unfortunately, configuration examples for many-to-many dynamic NAT will be pretty sparse. In fact, out of our three examples, only Cisco IOS supports many-to-many NAT.

Cisco IOS

We're going to look at a many-to-many example using IOS. For this example, we're back to the first config we looked at (no NAT config yet). Here are the commands:

NAT(config)#interface fastethernet 0/0
NAT(config-if)#ip nat inside
NAT(config-if)#int fastethernet 0/1
NAT(config-if)#ip nat outside
NAT(config-if)#exit
NAT(config)#ip nat pool dynpool 130.214.99.200 130.214.99.250 netmask 255.255.255.0
NAT(config)#ip nat inside source list 1 pool dynpool overload
NAT(config)#access-list 1 permit 192.168.0.0 0.0.0.255

The first five lines are the same as before. The next line defines a pool, named dynpool, which is a range of IP addresses from 130.214.99.200 through 130.214.99.250. When the router uses them, it will use them as if they had a subnet mask of 255.255.255.0.
Next is the NAT command, which starts with ip nat inside source, like the other. In this case, though, we're going to match against an access list to pick up our source addresses. The translated addresses will be from a pool named dynpool. The overload keyword means that potentially there will be more inside addresses than there are addresses in the pool, and the router is to handle that situation in a particular way (see the next section on PAT). Leave overload off and you have pure many-to-many dynamic NAT: each inside host holds a pool address until its translation times out, and once all 51 are taken, further inside hosts are refused until one is freed. Finally, we define list 1, which we referenced in the previous command. List 1 is simply the inside IP address range. With this configuration, when an inside machine wants to get out, the router will assign it an IP address from the pool dynamically. When this configuration was tested, IP address .200 was assigned. You can watch the mappings come and go with show ip nat translations, and flush them with clear ip nat translation *.
Port Address Translation (PAT)

There is a way to address the problems with static and dynamic NAT, to allow more than one inside machine to share one outside IP address. It's called Port Address Translation, or PAT. Some folks may also think of PAT as being dynamic NAT since, as we'll see, PAT is really necessary for dynamic NAT to function properly. In other cases, vendors will refer to PAT simply as "NAT" and you'll have to look at the listed capabilities of the product to determine exactly what type it is. In FireWall-1, which is a very popular firewall product from Check Point, PAT is referred to as "hide NAT," making reference to the fact that many inside IP addresses can "hide" behind one IP address. The reason for the naming confusion is twofold: First, NAT is defined for a given product by the marketing department of that vendor, so there is bound to be some confusion. Second, PAT is really the dominant form of NAT in use today (though static NAT is sometimes a necessary part of the security architecture). So, many vendors of PAT-capable products oversimplify, and just call the whole collection of features NAT. As with any product evaluation, if you're considering purchasing a product, take a look at the technical documentation to see exactly what the capabilities are.
So what's the problem with two inside machines sharing the same outside IP address anyway? Collisions: not collisions in the Ethernet sense, if you've studied Ethernet at all, but rather colliding port numbers and IP addresses. Let's look at the naive version of sharing an outside address. Two machines on the inside transmit requests to the Internet. When the replies come back, they both come back to the outside IP address. How can the router decide which of the two IP addresses on the inside the packets should be sent to? Let's look at a more involved version of a NAT router that is trying to use one outside IP address for more than one inside machine. In the section on dynamic NAT, we discussed a router that is capable of tracking individual connections as they pass through and are translated. Adding this capability would seem to correct the problem of the router not knowing which IP address to send the packet back to. It can simply scan through the table and look for a connection that the current packet seems to match. When the router finds the match, it looks up the inside IP address that connection belongs to, and forwards it to that machine, after proper translation, of course. Does this work? Not quite yet.

Back to the issue of collisions: Imagine that two inside machines, which share the same outside IP address, want to make a query of the ISP's DNS server. Since the DNS server is maintained by the ISP, it's "on the Internet" from the client's point of view. At least, it's on the far side of the NAT router from the client, so there will be a translation on the way out. Let's take a look at what kind of information might be in the connection table we've been talking about. Certainly, there are IP addresses: Internet IP address (the server), inside IP address (real inside machine address), and outside IP address (the address the inside machine is translated to). Another obvious thing to track is the TCP and UDP port numbers for those types of connections, both source and destination ports. For our example, let's assume all of this is tracked. Back to the clients talking to the DNS server: They will be sending packets to the same server IP address, and the same port number (UDP port 53 for client DNS queries). We already know they share the same outside IP address, so in the connection table for these two separate "connections" (in quotes because UDP is connectionless), the Internet IP address is the same, the outside IP address is the same, and the destination port number is the same. The inside IP addresses are different, and the source port numbers are probably different. The requests go out with no problem. The problem is, two requests from two separate inside machines look very similar, and probably only differ in the source port and data portion of the packet. When a reply comes back to the outside IP address, the only differentiating factor at that time (since the router doesn't know which inside IP address to send to; that's what it's trying to figure out) is the source port. More specifically, it looks at what is now the destination port (source and destination port get reversed on replies), decides which of the two inside machines was using that as a source port, and sends it to that one. There's where the possibility for collision comes in. Most operating systems will start allocating source ports at 1,025, and work their way up sequentially. There's a very good chance that at some point, the two inside machines will happen to be using the same source port at the same moment, trying to talk to the same IP address on the Internet, at the same destination port. Everything matches except for the inside IP address, which is not good since that's the unknown piece of information when the packet arrives at the outside IP address on the router. The problem lies in the fact that the headers of the two replies are identical and only the data portion differs, yet headers are all the NAT device has to decide which reply goes to which inside machine.
How Does PAT Work? Statistically, we've got a s m a l l e r c h a n c e of h a v i n g a conflict t h a n we did with s t r a i g h t d y n a m i c NAT. Still, we'd like to m a k e t h e c h a n c e of conflict negligible. This is w h e r e PAT c o m e s in. If y o u h a d n ' t a l r e a d y g u e s s e d from the n a m e , PAT w o r k s by t r a n s l a t i n g p o r t n u m b e r s
147
148
Chapter 4
9Network Address Translation
a l o n g w i t h IP a d d r e s s e s . Specifically, w h e n it t r a n s l a t e s t h e s o u r c e a d d r e s s on t h e w a y out, it also t r a n s l a t e s t h e s o u r c e port. If t h e r o u t e r is careful n o t to c r e a t e conflicts w h e n it c h o o s e s n e w s o u r c e ports, t h i s s o l u t i o n w o r k s well a n d e l i m i n a t e s conflicts, a t l e a s t for TCP a n d UDP. S o m e e x t r a t r i c k s a r e s o m e t i m e s n e e d e d for ICMP, w h i c h h a d no p o r t n u m b e r s p e r se. Now, t h e r o u t e r h a s a u n i q u e p o r t n u m b e r to r e f e r e n c e w h e n all t h e o t h e r i n f o r m a t i o n m a t c h e s a n o t h e r c o n n e c t i o n . PAT e n a b l e s a very large n u m b e r of i n s i d e m a c h i n e s to s h a r e even j u s t one o u t s i d e IP a d d r e s s . How m a n y exactly?. It's difficult to give a n e x a c t n u m b e r , s i n c e it d e p e n d s on u s a g e p a t t e r n s , so let's m a k e s o m e a s s u m p tions. A s s u m e t h a t t h e limit factor will be m a n y i n s i d e m a c h i n e s c o m m u n i c a t i n g w i t h a single I n t e r n e t IP a d d r e s s at one time. T h e w o r s t c a s e will p r o b a b l y be UDP, s i n c e we're s t u c k u s i n g t i m e r s to e m u l a t e c o n n e c t i o n s (to k n o w w h e n t h e y ' r e done). Let's s a y t h e t i m e r is s e t for two m i n u t e s . T h a t is, after two m i n u t e s of no p a c k ets f r o m e i t h e r side, t h e c o n n e c t i o n is d e c l a r e d over. T h e p o s s i b l e r a n g e of p o r t n u m b e r s is 0 to 6 5 , 5 3 5 , so t h e t h e o r e t i c a l limit is 6 5 , 5 3 6 s i m u l t a n e o u s c o n n e c t i o n s . 
This assumes that they are all happening at the same time, either because they all start at the same time and have to wait two minutes, or because the connections are active longer than that and it builds up to that level. This is for one outside IP address. If a flavor of dynamic NAT is being used, multiply that number by the number of IP addresses being used for dynamic NAT with PAT. Remember, that limit applies only if all the clients want to talk to the same machine on the Internet. If you consider all the machines on the Internet, the chances for conflict drop to nearly zero. Chances are good that in the real world, you'll exhaust the memory of your NAT device before you start reaching any theoretical limits.

What is the security situation with PAT? It's starting to look a lot better. An outside IP address no longer corresponds to a single inside IP address; it now depends on the connection. This means that if a new connection attempt is made to the outside address, it will not match anything in the connection table, and will therefore not have an internal IP address to connect to. At least, that's the most common behavior when an Internet machine tries to connect to an outside address. It's theoretically possible to design the PAT so that a particular outside IP address maps to a particular inside address (combined static NAT and PAT). For a security application, you would not want that behavior.

Another "gotcha" to look out for is whether the outside IP address is the NAT device's own address on that interface. For example, with some routers it's possible to use the router's own outside IP address for PAT. In that case, connection attempts to the outside IP address that match no table entry will connect to the router itself, which may not be desirable: whatever services the router offers on that interface, such as Telnet to its vty lines or its HTTP server, are reachable at the same address all your inside traffic uses. If you set things up this way, turn off the services you don't need and restrict the rest (on Cisco IOS, for instance, no ip http server and an access-class on the vty lines) rather than counting on the translation to hide them. Many PAT implementations only allow a particular inside pool to map to a single outside IP address. Presumably, this is because just about any size inside network can map to a single outside IP address.

Let's take a look at what the connection tables we've been discussing might look like. They include inside source IP address, outside source IP address, destination Internet IP address, original source port, translated source port, destination port, transport protocol, FIN flags, and timer. The FIN flags would be a couple of simple flags to indicate that a FIN exchange has been done for one of the two directions.
TCP connections, if closed properly, close each direction separately, so we need to track each direction. When both flags are set, the whole connection is done. If a RST occurs instead, the flags aren't needed, and the connection is done immediately. Figure 4.13 contains a diagram of a possible connection, which we can use as an example. In the diagram, the inside machine is 10.0.0.2, the router's outside IP address is 192.138.149.1, and the server we're contacting on the Internet is 207.244.115.178. The line between the Web server and the router represents the Internet between the two.
Chapter 4: Network Address Translation
Figure 4.13 Simple PAT arrangement, using a router's own outside IP address.
The inside machine sends a SYN packet to port 80 on the Web server, using a source port of 1030. Here's what the table entry might look like:

    Source    Destination      Translated     Source  Dest.  Translated            FIN     FIN
    Address   Address          Address        Port    Port   Port        Protocol  Source  Dest.  Timer
    10.0.0.2  207.244.115.178  192.138.149.1  1030    80     5309        TCP       Off     Off    2:00
All of the labels that indicate direction are from the point of view of the first packet, the SYN packet, going from the inside to the outside. Many of the items will be reversed for packets going the other way, but the router will keep track of that by noting into which interface the packet arrived. Here's a rough block diagram of the SYN packet headers just leaving the inside machine:

    Destination Address  Source Address   Source Port  Destination Port  Flags
    207.244.115.178      10.0.0.2         1030         80                SYN
Here is the same packet after it passes through the router:

    Destination Address  Source Address   Source Port  Destination Port  Flags
    207.244.115.178      192.138.149.1    5309         80                SYN
Notice that the source address and source port have both been translated. Here's the reply packet from the Web server:

    Destination Address  Source Address   Source Port  Destination Port  Flags
    192.138.149.1        207.244.115.178  80           5309              SYN-ACK
Source and destination have been reversed, and the flag is now SYN-ACK. This is the packet that will arrive at the outside of the router. The router has to make its decision with these main fields. All the router has to do is match the four leftmost fields (together with the transport protocol) to the connection table. If there is a match, it routes the packet and restores the original source address and source port (now destination address and port):

    Destination Address  Source Address   Source Port  Destination Port  Flags
    10.0.0.2             207.244.115.178  80           1030              SYN-ACK
The address and port the router needs to translate the packet back are simply looked up in the connection table. The connection table entry will remain until one of three conditions is met:

- Both sets of FIN packets are received
- A RST packet is sent by either end
- The timer runs out
The timer is checked periodically to see if time has run out. In addition, each time a packet is routed for this connection, the timer is reset to two minutes, or whatever other value is used. UDP works much the same, except there are no FIN or RST packets to indicate the end of a connection, so only a timer is relied on to end UDP connections.
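The table and the packet walk-through above can be exercised in code. The following is an added example, not the book's code and not any NAT product's implementation: a small PAT model that keeps exactly the columns described (inside address and port, translated port, destination, protocol, one FIN flag per direction, timer), allocates translated ports without collisions, maps replies back through the table, drops unsolicited packets from the Internet, and closes entries on the two FINs, on a RST, or when the timer runs out. The addresses, ports and two-minute timer are the chapter's own; the Internet host 198.51.100.7 in the walk-through is constructed, and the clock is supplied by the caller so expiry can be exercised without sleeping.

```python
# PAT connection-table model. Added example, not from the book or from any
# NAT product; it implements the table the text describes: inside address and
# port, translated port, destination, protocol, one FIN flag per direction and
# a timer. Addresses, ports and the two-minute timer are the chapter's own; the
# clock is passed in by the caller so expiry can be exercised without sleeping.
from dataclasses import dataclass, field

INSIDE, OUTSIDE = "inside", "outside"   # interface a packet arrived on


@dataclass
class Packet:
    proto: str                                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: set = field(default_factory=set)    # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Entry:
    inside_addr: str
    inside_port: int
    xlated_port: int
    dest_addr: str
    dest_port: int
    proto: str
    fin_out: bool = False      # FIN seen going inside -> outside
    fin_in: bool = False       # FIN seen going outside -> inside
    expires: float = 0.0       # absolute time at which the timer runs out


class Pat:
    def __init__(self, outside_addr, idle_timeout=120.0, first_port=5309):
        self.outside_addr = outside_addr
        self.idle = idle_timeout
        self.next_port = first_port
        # Keyed by what an arriving Internet packet lets us see: protocol,
        # the translated port it is addressed to, and the host:port it came from.
        self.table = {}

    def _alloc_port(self):
        """Pick a translated port no live entry is using (the 'careful not to
        create conflicts' step); the well-known range below 1024 is skipped."""
        used = {key[1] for key in self.table}
        if len(used) >= 65535 - 1024 + 1:
            raise RuntimeError("translated port space exhausted")
        while True:
            if self.next_port > 65535:
                self.next_port = 1024
            port, self.next_port = self.next_port, self.next_port + 1
            if port not in used:
                return port

    def expire(self, now):
        """Drop every entry whose timer has run out."""
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def process(self, pkt, iface, now):
        """Translate pkt arriving on iface at time now; return the forwarded
        packet, or None if it is dropped."""
        self.expire(now)
        return self._outbound(pkt, now) if iface == INSIDE else self._inbound(pkt, now)

    def _outbound(self, pkt, now):
        for key, e in self.table.items():
            if (e.inside_addr, e.inside_port, e.dest_addr, e.dest_port, e.proto) == \
                    (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto):
                break
        else:                               # first packet of a new connection
            port = self._alloc_port()
            key = (pkt.proto, port, pkt.dst, pkt.dport)
            e = self.table[key] = Entry(pkt.src, pkt.sport, port, pkt.dst, pkt.dport, pkt.proto)
        self._update(key, e, pkt, outbound=True, now=now)
        return Packet(pkt.proto, self.outside_addr, e.xlated_port, pkt.dst, pkt.dport, set(pkt.flags))

    def _inbound(self, pkt, now):
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        e = self.table.get(key)
        if e is None:
            return None                     # nothing to map it to: dropped
        self._update(key, e, pkt, outbound=False, now=now)
        return Packet(pkt.proto, pkt.src, pkt.sport, e.inside_addr, e.inside_port, set(pkt.flags))

    def _update(self, key, e, pkt, outbound, now):
        e.expires = now + self.idle         # every routed packet resets the timer
        if pkt.proto != "tcp":
            return                          # UDP: the timer is the only end-of-connection signal
        if "RST" in pkt.flags:
            del self.table[key]             # over immediately; the FIN flags are not needed
            return
        if "FIN" in pkt.flags:
            if outbound:
                e.fin_out = True
            else:
                e.fin_in = True
        if e.fin_out and e.fin_in:          # both directions closed: whole connection done
            del self.table[key]


def walk_through():
    """The chapter's exchange: SYN out, SYN-ACK back, then an unsolicited SYN
    from a constructed Internet host that matches nothing in the table."""
    pat = Pat("192.138.149.1")
    out = pat.process(Packet("tcp", "10.0.0.2", 1030, "207.244.115.178", 80, {"SYN"}), INSIDE, now=0)
    back = pat.process(Packet("tcp", "207.244.115.178", 80, "192.138.149.1", out.sport, {"SYN", "ACK"}), OUTSIDE, now=1)
    stray = pat.process(Packet("tcp", "198.51.100.7", 4444, "192.138.149.1", 5310, {"SYN"}), OUTSIDE, now=2)
    return out, back, stray
```

Note that the model removes the entry the moment the second FIN passes, exactly as the text describes; the last ACK of a real TCP close then arrives with no entry to match, which is why real devices keep a closing entry around for a short grace period.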
Problems with PAT

What kind of problems exist with PAT? PAT has all of the problems of static NAT (i.e., having to translate addresses that appear in the data portion of packets), plus a couple of new ones. Our discussion of PAT was based around the idea of a fully functioning static NAT, so any protocols that pass IP addresses in the data portion of packets, like FTP, should be handled. Well, not quite. The sharing of an outside IP address that gives us the almost-firewall effect of not allowing machines on the Internet to connect inside works against us here. Again, FTP serves as a good example of the problem. We'll assume the data portion of the packets (the FTP PORT command) is getting modified properly. So what happens when the FTP server tries to connect to the outside IP address at the port supplied? There is no entry in the connection table to permit it, and it will fail. The solution is obvious. While the NAT software modifies the PORT command (and now it has to change the port passed in the same manner as it does for other connections), it also creates an entry in the connection table. For this example, refer back to Figure 4.9. This time, the protocol will be FTP instead of HTTP. After the initial connection has been made, the connection table looks like this:

    Source    Destination      Translated     Source  Dest.  Translated            FIN     FIN
    Address   Address          Address        Port    Port   Port        Protocol  Source  Dest.  Timer
    10.0.0.2  207.244.115.178  192.138.149.1  1042    21     6123        TCP       Off     Off    2:00

At some point during the connection, the FTP client will issue a PORT command. For our example, we'll use PORT 10,0,0,2,4,19. The port number section 4,19 translates to 1043 in decimal (4 * 256 + 19), which is what port the OS will hand out next. The router will have to translate this PORT command. If we assume the next translated port the router makes available is 6177, the PORT command becomes PORT 192,138,149,1,24,33. (The PORT command works in bytes: 24 * 256 + 33 = 6177.) In addition, the router must add this new port to the connection table, with the server's data port, 20, as the expected destination port. Now the table looks like this:

    Source    Destination      Translated     Source  Dest.  Translated            FIN     FIN
    Address   Address          Address        Port    Port   Port        Protocol  Source  Dest.  Timer
    10.0.0.2  207.244.115.178  192.138.149.1  1042    21     6123        TCP       Off     Off    2:00
    10.0.0.2  207.244.115.178  192.138.149.1  1043    20     6177        TCP       Off     Off    2:00

Now, with this addition, PAT properly handles FTP. The data connection will be handled as a separate connection, and will be removed under the same circumstances as any other TCP connection. One more detail the NAT software has to take care of: the rewritten PORT command is usually a different length from the original, so the TCP sequence and acknowledgment numbers on the control connection have to be adjusted by that difference from then on, which is part of why rewriting the data portion of packets is a problem to begin with. We have finally achieved our goal of IP address savings, which is the driving factor for wanting to use NAT in the first place.
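The PORT rewriting just described, as an added example (not the book's code and not any product's FTP handler): it decodes the client's PORT command, refuses to act on a PORT that names any host other than the one that sent it, substitutes the router's outside address and its next free translated port, produces the connection-table entry the server's connection from port 20 will match, and reports the length change the NAT software must compensate for on the control connection. The addresses and ports are the chapter's; the translated-port allocator is a plain counter starting at 6177, an assumption made for the example.

```python
# FTP PORT-command rewriting for PAT. Added example, not the book's code and
# not any product's FTP handler. It reproduces the chapter's walk-through: the
# inside client 10.0.0.2 sends PORT 10,0,0,2,4,19 (port 4*256+19 = 1043); the
# router substitutes its outside address 192.138.149.1 and its next free
# translated port (6177 here, a simple counter assumed for the example),
# yielding PORT 192,138,149,1,24,33, and records the entry that the server's
# data connection from port 20 will match.
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(cmd):
    """Decode a PORT command into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a well-formed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT byte out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Encode ip:port the way the PORT command wants it: bytes, comma-separated."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpPortHandler:
    def __init__(self, outside_addr, next_port=6177):
        self.outside_addr = outside_addr
        self.next_port = next_port

    def rewrite(self, cmd, inside_addr, server_addr):
        """Rewrite one PORT command sent by inside_addr on its control
        connection to server_addr. Returns (new_cmd, table_entry, delta)."""
        ip, port = parse_port(cmd)
        if ip != inside_addr:
            # Only create a table entry for the host that sent the command; a
            # PORT naming some other address would open a connection back to a
            # machine that never asked for one.
            raise ValueError("PORT address %s is not the sender %s" % (ip, inside_addr))
        xport = self.next_port
        self.next_port += 1
        new_cmd = format_port(self.outside_addr, xport)
        # Same columns as the chapter's connection table, from the point of
        # view of the inside machine; the server will connect from port 20.
        entry = {"inside_addr": inside_addr, "inside_port": port,
                 "xlated_addr": self.outside_addr, "xlated_port": xport,
                 "dest_addr": server_addr, "dest_port": 20, "proto": "tcp"}
        # The rewritten command is usually a different length; the NAT must
        # shift TCP sequence/acknowledgment numbers on the control connection
        # by delta for the rest of the session.
        return new_cmd, entry, len(new_cmd) - len(cmd)
```

For the chapter's command the delta is +6 bytes (the translated address and port take more digits than the private ones), which is the kind of sequence-number bookkeeping a real handler has to carry for the life of the control connection.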
With this type of setup, PAT works well. There is one small "gotcha" that comes up on occasion. There really isn't any good reason to do so, but some servers on the Internet will pay special attention to the source port that is used when they are being connected to. This comes up most often with DNS. Traditionally, when two DNS servers communicate using UDP, they will use port 53 as a destination port, as well as their source port. This is a matter of convention rather than a hard and fast rule. If we're translating the source port, though, there could be a problem. There are a few sites on the Internet that have configured their DNS servers to accept connections only from port 53. This has come up in the past with both apple.com and intel.com, but they aren't the only ones. It can be difficult to get others to change to suit you, so if you find yourself having trouble with a particular DNS server, you may have to change the translation for your internal DNS server to static so that the source port of 53 isn't changed on the way out. This applies only if you run your own inside DNS servers. If you use your ISP's DNS servers (which would be outside), then most likely you won't have a problem. Before pinning the port, though, weigh the trade-off: a resolver whose queries always leave from port 53 gives anyone trying to forge an answer one less value to guess, and a PAT device that hands out translated ports in sequence has much the same effect on a resolver that was varying its source port.
Configuration Examples

In a way, almost all the configuration examples (minus the Cisco static NAT example) have been PAT examples. At their cores, ICS and IP Masquerade are PAT products, even if you're only translating one address to another; IOS can do it or not, depending on how you configure it. Even so, we'll take an opportunity to go into a little more depth, and look at a few more examples. The reason for the ruse so far is that, practically speaking, NAT (without PAT) doesn't actually work. All of the problems we've discussed so far make plain NAT unusable.
Windows NT 2000

There really isn't a lot more to say about ICS from the first example. It's a PAT product, and all the inside IP addresses are forced into 192.168.0.x, and are port-translated out using the single dial-up address. There is, however, another option we haven't looked at yet. There was another tab on the window brought up by the Settings button, as shown in Figure 4.14.
Figure 4.14 ICS reverse connection setup.
Much like the Services screen, special application handling can be defined here. This is intended to cover behavior like FTP exhibits, where a reverse connection needs to be made. Unlike the FTP handlers we've seen, though, this is a little less flexible. With the FTP handlers, just the one port needed is opened long enough for the connection to be made. In this case, we're being invited to leave a range of ports open back to the inside for as long as the service is in use. This also tends to invite more conflicts, since having a port on the outside open gives us all the problems of many-to-one NAT. Even so, using this may make it possible to get an application working that otherwise wouldn't. It's better to have the option than not. Since the product is still beta, documentation is scarce. I know passive FTP works with no special configuration because I tried it. It's likely that other protocols are handled in a special way, too, but Microsoft hasn't told us which ones yet. Probably the biggest issue with ICS is that it works only with dial-up, and that it forces DHCP on you. This means it won't work with cable modems, DSL, or any technology that wants to connect via a LAN interface. Microsoft sells a much higher end product called Microsoft Proxy Server (MSP). It's much more flexible, but it retails for $1000 US.
There are other commercial solutions that fill in the price gaps between free and $1000. To find a list of commercial NAT products for NT, consult the "References and Resources" section, later. I've personally had very good luck with Sygate, of which the most expensive version (unlimited inside users) costs only about $300 US.
Linux IP Masquerade

IP Masquerade is also doing PAT, even when working on just one inside IP address. Changing our static NAT to many-to-1 PAT is very simple. Change the line:

    /sbin/ipchains -A forward -s 192.168.0.2/32 -j MASQ

to:

    /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ

which will take care of the whole inside subnet. There is a good set of documents on how to use IP Masquerade; links to them can be found in the "References and Resources" section. If you plan to deploy IP Masquerade in production, you owe it to yourself to read them. You will also need to read the IP Chains documentation (notice the ipchains command we're using to configure IP Masquerade). IP Chains is the built-in firewall for Linux kernel 2.2.x. IP Masquerade is not sufficient to keep your system secure: the MASQ rule above says what to translate, not what to block, and the forward and input chains still need a policy of their own.

Let's take a look at some other aspects of IP Masquerade. We know there's a module that specifically handles FTP. What other modules are there? If you recall, the command that installed the FTP handler was modprobe. The command modprobe -l will list all modules available for install. In that list, these stick out:

    /lib/modules/2.2.5-15/ipv4/ip_masq_vdolive.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_user.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_raudio.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_quake.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_portfw.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_mfw.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_irc.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_ftp.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_cuseeme.o
    /lib/modules/2.2.5-15/ipv4/ip_masq_autofw.o

Our FTP module is in the list, and judging by the names, the others are obviously IP Masquerade modules too. Several of those are immediately recognizable, and are known to cause difficulty when used with firewalls or NAT. These include FTP, RealAudio, Quake, IRC (specifically, DCC send), CU-SeeMe, and VDOLive. There is a place where IP Masquerade handlers can be obtained, and ones that don't exist can even be requested. Please take a look at the "References and Resources" section of this chapter for details.
Cisco IOS

We've already seen the Cisco PAT, too; that's what the "overload" configuration was. This variation gets all inside machines to go out using the router's own IP address:

    NAT(config)#ip nat inside source list 1 interface fastethernet 0/1 overload
    NAT(config)#access-list 1 permit 192.168.0.0 0.0.0.255

This tells the router to use access list 1 (match all 192.168.0.x addresses) and to translate using the router's own IP address for FastEthernet 0/1 as the source address. Here's a full working config for this:

    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname NAT
    enable secret 5 xxxxxxxx
    enable password 7 xxxxxxxx
    !
    ip subnet-zero
    !
    interface FastEthernet0/0
     ip address 192.168.0.1 255.255.255.0
     no ip directed-broadcast
     ip nat inside
    !
    interface Serial0/0
     no ip address
     no ip directed-broadcast
    !
    interface FastEthernet0/1
     ip address 130.214.99.254 255.255.255.0
     no ip directed-broadcast
     ip nat outside
    !
    ip nat inside source list 1 interface fastethernet 0/1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 130.214.99.1
    no ip http server
    access-list 1 permit 192.168.0.0 0.0.0.255
    !
    line con 0
     transport input none
    line aux 0
    line vty 0 4
     password 7 xxxxxxx
     login
    !
    no scheduler allocate
    end
Naturally, if you want to use this config, you'll have to correct IP addresses and interface names. Also, the passwords have been crossed out, so put those in manually. It's always a good idea to sanitize your router configuration files before you let anyone else see them. This type of configuration (having all inside machines translate to one outside IP) is often useful when connecting to an ISP.

The Cisco has another interesting feature that we haven't looked at yet. IOS lets you examine the connection tables! We looked at some theoretical examples before, and now we can look at some real ones. Here's an example from the static NAT configuration on IOS:

    NAT#sho ip nat trans
    Pro Inside global        Inside local       Outside local       Outside global
    tcp 130.214.99.250:1055  192.168.0.2:1055   130.214.250.9:23    130.214.250.9:23
Cisco doesn't expose the FIN flags or timers in this listing (the verbose form of the command, show ip nat translations verbose, adds the create and use times and the remaining timeout for each entry). Also, notice that there are four address:port pairs. That's because IOS can do double NAT inside one box. In this case, inside machine 192.168.0.2 had Telnetted (port 23) to 130.214.250.9. The source address was translated to 130.214.99.250. On the left, you can see that the transport protocol is TCP. Here's an example from the dynamic NAT config (using a pool of outside addresses):

    NAT#sho ip nat trans
    Pro Inside global        Inside local       Outside local       Outside global
    udp 130.214.99.200:1063  192.168.0.2:1063   130.214.250.43:53   130.214.250.43:53
    tcp 130.214.99.200:1068  192.168.0.2:1068   130.214.250.9:23    130.214.250.9:23
    tcp 130.214.99.200:1066  192.168.0.2:1066   130.214.250.9:23    130.214.250.9:23
    udp 130.214.99.200:1067  192.168.0.2:1067   130.214.250.43:53   130.214.250.43:53
    tcp 130.214.99.200:1064  192.168.0.2:1064   130.214.250.9:23    130.214.250.9:23
    udp 130.214.99.200:1065  192.168.0.2:1065   130.214.250.43:53   130.214.250.43:53

The address pool starts at 130.214.99.200, and that address was picked for the same machine for all connections. Here, we see more Telnet connections, and a few DNS connections (UDP port 53).
Here's the state table during our PAT example, when all inside machines are going out as the router's IP address:

    Pro  Inside global        Inside local       Outside local       Outside global
    icmp 130.214.99.254:256   192.168.0.2:256    130.214.250.9:256   130.214.250.9:256
    udp  130.214.99.254:1069  192.168.0.2:1069   130.214.250.43:53   130.214.250.43:53
    tcp  130.214.99.254:1070  192.168.0.2:1070   130.214.250.9:23    130.214.250.9:23

Here, we've got TCP, UDP, and ICMP. Notice that the ICMP connections have what appears to be a port number next to them. ICMP has no ports, so a NAT device has to impose some state on it to tell one ping stream from another. What IOS shows in the port column is the identifier field from the ICMP echo request (256 here), which it tracks, and translates when it must, the same way it tracks a source port. Notice also that in every entry the inside global port is the same as the inside local port: IOS keeps the original source port unless it collides with a translation already in the table, so a changed port only shows up when two inside machines happen to pick the same one. Here is what the table looks like during an FTP session, using the PAT config:

    NAT#sho ip nat trans
    Pro Inside global        Inside local       Outside local        Outside global
    tcp 130.214.99.254:1080  192.168.0.2:1080   192.138.151.73:21    192.138.151.73:21
    tcp 130.214.99.254:1081  192.168.0.2:1081   192.138.151.73:20    192.138.151.73:20

    NAT#sho ip nat trans
    Pro Inside global        Inside local       Outside local        Outside global
    tcp 130.214.99.254:1082  192.168.0.2:1082   192.138.151.73:20    192.138.151.73:20
    tcp 130.214.99.254:1080  192.168.0.2:1080   192.138.151.73:21    192.138.151.73:21

The first listing is just after an ls command was issued in the FTP client. We can see our connection out to port 21, and the reverse connection back from port 20. The second list is after another ls command. Notice the previous reverse-connection entry is gone. Finally, if you need to, it's possible to empty the translation table manually:

    NAT#clear ip nat trans
    NAT#show ip nat trans

After the clear, the show command lists nothing. Do this with care on a production router: every active connection loses its translation and has to be re-established.
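The listings above are easy to read by eye, but a router carrying thousands of translations is not, so it is worth having a parser for this output. The following is an added example, not from the book or from Cisco: it reads the four-column format of show ip nat translations and answers the questions this section has been asking of the table (how many entries each inside machine owns, which entries are the reverse connections a PORT command created, where PAT actually had to change a source port, and whether the outside side is being translated as well). SAMPLE is constructed from the listings above; a real listing pasted in works the same way.

```python
# Parser for the IOS "show ip nat translations" listing, plus a few checks one
# might run over it. Added example, not from the book or from Cisco. SAMPLE is
# constructed from the listings in this section (the FTP session plus the UDP
# and ICMP entries from the PAT listing).
import re
from collections import Counter

SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 130.214.99.254:1080   192.168.0.2:1080      192.138.151.73:21     192.138.151.73:21
tcp 130.214.99.254:1081   192.168.0.2:1081      192.138.151.73:20     192.138.151.73:20
udp 130.214.99.254:1069   192.168.0.2:1069      130.214.250.43:53     130.214.250.43:53
icmp 130.214.99.254:256   192.168.0.2:256       130.214.250.9:256     130.214.250.9:256
"""

# protocol, then the four address:port columns; anything else (the header,
# a prompt, a blank line) is skipped.
LINE_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(text):
    """'130.214.99.254:1080' -> ('130.214.99.254', 1080). For ICMP the
    number is the echo identifier, not a port."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_translations(listing):
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto,
                     "inside_global": split_addr(ig), "inside_local": split_addr(il),
                     "outside_local": split_addr(ol), "outside_global": split_addr(og)})
    return rows


def translations_per_host(rows):
    """Entries owned by each inside machine; one host with hundreds of entries
    to many different destinations is worth a look."""
    return Counter(r["inside_local"][0] for r in rows)


def reverse_connections(rows):
    """Entries the router created for an FTP PORT command: TCP, far end port 20."""
    return [r for r in rows if r["proto"] == "tcp" and r["outside_global"][1] == 20]


def changed_ports(rows):
    """Entries where PAT actually had to pick a new source port."""
    return [r for r in rows if r["inside_global"][1] != r["inside_local"][1]]


def double_nat(rows):
    """Entries where the outside side is translated too, i.e. outside local
    and outside global differ."""
    return [r for r in rows if r["outside_local"] != r["outside_global"]]
```

Run over SAMPLE, every entry belongs to 192.168.0.2, exactly one is a reverse FTP data connection, and no source port was changed, which matches what the listings above show by inspection.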
What Are the Advantages?

If you've read the previous sections in this chapter, you probably already have a pretty good idea of the advantages of using NAT. Primarily, it allows you to use a relatively small number of public IP addresses to connect a large number of inside machines to the Internet. It also buys you some flexibility in how you connect to other networks.
The goal of using a small number of IP addresses on your NAT device for many inside machines is usually the motivating factor behind wanting to use NAT. This goal is achieved in the real world through a particular type of NAT, called PAT. PAT allows many inside machines to use a small number of IP addresses (often as few as one) to connect to the Internet. NAT also gives you some flexibility in how you handle changes or outages. Sometimes a machine goes down or moves, and rather than reconfigure many client machines, you'd like to translate addresses on the router to point to the new server, or to an existing server at a new address. This can also be useful for temporarily dealing with address conflicts.
What Are the Performance Issues?

What is the cost in performance for all of these NAT features? Not many hard numbers are available. For NT's ICS, performance is probably a moot point, since it has to involve a dial-up interface. Certainly ICS will function fast enough to max out a dial-up connection. IP Masquerade could have some meaningful testing done to it, but I'm not aware of any performance testing that has been done. In addition, Linux is very much a moving target. Changes come quickly, and they may include performance enhancements. Linux also runs on a wide variety of platforms, so if you run into a performance bottleneck while using IP Masquerade, you'll probably be able to scale it up with better hardware. Cisco has provided some rough numbers here:

    http://www.cisco.com/warp/public/458/41.html#Q6

Cisco gives numbers for three of their router platforms: 4500, 4700, and 7500. The 4500 is able to run at about 7.5-8.0 Mbps on 10 Mb Ethernet for all packet sizes. The 4700 is able to run at 10 Mbps on 10 Mb Ethernet for all packet sizes. The 7500 throughput ranges from 24 Mbps for 64-byte packets to 96 Mbps for 1500-byte packets on Fast Ethernet.
Of course, for all three NAT packages we've been looking at, this depends on what else these platforms are doing. If the NT ICS server is running a CPU-intensive game at the time, performance may dip. If the Cisco router is also performing encryption on the traffic, performance will drop there, too. It's not surprising that there should be some delay when performing NAT versus just plain routing. At a high level, the routing function is relatively simple:

1. Receive the packet.
2. Verify checksums.
3. Consult the routing table.
4. Decrement the TTL field.
5. Recalculate the checksums.
6. Transmit.

Compare this with the functions needed for NAT:

1. Receive the packet.
2. Verify checksums.
3. If it entered on the outside interface, check whether there is a matching connection table entry.
4. Consult the routing table.
5. Check whether the outbound interface is marked for NAT.
6. Determine the portions of the packet to be modified.
7. If it is the first packet in a new connection, create a table entry.
8. If it is a PORT command or similar, rewrite the data portion and create a new table entry.
9. If it is a FIN packet, mark that direction closed and remove the table entry once both directions have closed (or immediately on a RST).
10. Modify the packet as needed.
11. Recalculate checksums.
12. Transmit.
Even if there is enough CPU speed, there will still have to be a small latency increase, as these steps require a number of memory lookups and writes. The good news is that under most circumstances, performance won't be an issue. Usually NAT will be a problem only when routers are already under a heavy load.
Proxies and Firewall Capabilities

Now that we've covered in depth what NAT is and how it works, let's discuss security. So far, we've only covered firewalls indirectly, mentioning them here and there while discussing NAT. Let's begin with some basic definitions, and later get to how firewalls are similar to, and different from, NAT packages.

What is a firewall? That's a bit of a religious issue, as firewall means different things to different people. The original meaning of firewall was a barrier, often in a structure, designed to take a certain amount of time to burn through during a fire. For example, a building may have some walls or portions of walls that are firewalls, designed to compartmentalize a fire for a certain amount of time, to limit damage. Some people liken firewalls in the electronic security sense to these barriers, saying they are designed to deter intruders for a period of time, and to compartmentalize parts of the network. So, if there is a breach in one portion of a network, the others aren't instantly affected, too. Other folks will argue that a firewall is features X, Y, and Z, with X, Y, and Z being whatever features they desire in a firewall. Some say that the firewall is the portion of a security architecture that stops traffic. Others say it includes the pieces that allow certain types of traffic. The folks who participate in these discussions are the philosophers of firewalls. These discussions often take place on mailing lists dedicated to firewalls. What's a little disturbing is that these folks, some of whom invented firewalls, can't agree on terminology. Realistically, firewalls are defined by companies who sell products called firewalls. It turns out that the situation isn't as bad as it might seem, because nearly all of these products have a number of features in common. We'll be taking that road, so we'll be discussing features.
Packet Filters

Networks, by their nature, are designed to pass as much as possible, as quickly as possible. The original routers had no need of intentionally blocking things, except perhaps for corrupt packets; that is, corrupt in the sense that the appropriate checksums don't match. Supposedly, in the early days of the Internet, security wasn't much of a concern. I've heard at least a few stories that indicate that people wanted to start filtering certain kinds of traffic due to errors. Someone, somewhere, made a configuration error, and traffic started flying that caused someone somewhere else some trouble. Thus were born packet filters.

Packet filters are what they sound like: devices that filter packets. Very commonly they are routers, but they can also be general-purpose hosts, such as Windows NT or Linux. The earliest packet filters would have been able to block packets based on the IP addresses contained within. Later, they would be able to block packets based on port numbers. Modern packet filters can filter on a variety of criteria. These include IP addresses, port numbers, transport type, certain flags in TCP headers, and more. These packet filters have long been used as part of a traditional proxy/screening router firewall architecture (see the "Proxies" section, next). Typically, they will be used to block types of traffic that aren't allowed by policy. They can also be used reactively to block attacks after they have been detected (i.e., block all traffic from a particular address range).
Traditional packet filters (PF) have the characteristic that they don't change packets, and they don't have state. In other words, a PF can only pass or not pass a packet, and it can only make that decision based on information in the current packet. In addition, PFs are statically configured, meaning that they can't change the filter rules based on traffic. Many packet filters have a way to filter on "established," which would seem to indicate that they are able to track conversations in progress. In fact, to a PF, "established" simply means that the ACK bit is set in the TCP header.

PFs have some serious limitations as firewalls. Let's go back to the problem of how to handle FTP. Say you have an inside machine that you want to allow FTP access out. The control channel connection is easy. The filter rule says inside IP can go to any IP outside at port 21. Next, you can turn on the allowed established rule to allow established packets from any outside IP to the inside IP. At this point, the control connection will work, and you're relatively protected. The problem becomes how to handle the reverse connections. The first packet back has only the SYN bit on (not ACK), so the established rule will not help there. You don't know what port the inside IP will be waiting on, only that it's probably above 1023. With a PF, though, all you can do is add a rule that says to allow packets from any IP, TCP port 20, to any IP at TCP port > 1023. This opens up a massive security hole, as machine operating systems run services at ports above 1023. Many of these services have known security holes. Anyone who figures out that you allow access to all inside IP addresses at all ports above 1023, if the source port happens to be 20, can attack you. For the clever attacker, the firewall might as well not be there. FTP is simply a familiar example. If you take a look at the handlers that are available for IP Masquerade, you'll see many more examples of protocols that would have to be handled in the same way.
However, if you had a special machine that didn't have any vulnerable services running above 1023, and had otherwise been specially secured and locked down, it would probably be acceptable to configure the PF to allow traffic only to it in this manner, depending on the local security policy. Such a machine is often called a bastion host. The problem is, these machines tend to be less useful to everyday users, so they really can't be put on everyone's desk to act as their main productivity machine. So, what can the machine be used for? It can act as a proxy.
Proxies

Proxies were discussed somewhat at the beginning of this chapter. A proxy is a machine, often a bastion host, that is configured to fulfill requests on behalf of other machines, usually inside machines. We'll get into the details of how the proxy actually works in a moment. Imagine now that we've configured our PF to allow traffic only from the Internet to the proxy. Since we've configured it well, the fact that the Internet can get to ports above 1023 is not a major concern. Additionally, another PF between the proxy and the inside would be useful to help keep malicious inside users from attacking the proxy. Our architecture looks like that shown in Figure 4.15.

Figure 4.15 Protected proxy server.
It's important to note that Figure 4.15 is more a logical diagram than a physical one. Although we could implement all of the pieces shown to achieve the desired effect, it may not be necessary. For example, the diagram would seem to indicate that the proxy has two interfaces; it could, but usually doesn't. Traffic may enter and leave the same interface without causing difficulty if addresses are managed properly on the filtering routers. Also, with a flexible enough router acting as PF, this design can be done with one 3-interface router rather than two 2-interface routers. However, this diagram makes it much easier to visualize data flow. The inside PF has another function besides protecting the proxy from inside users. Should the proxy be compromised in some way, it may help protect the inside against the proxy itself. This concept is important, and it's called a DMZ (Demilitarized Zone). The term DMZ has a couple of different meanings to the firewall philosophers as well. Some purists call it the network just outside the outside interface of a firewall (or in our case, outside the outside PF). The definition we'll be using is "a network segment that trusts neither the inside nor the outside, and is not trusted by the inside." The word trust in this case implies unfettered network access. For example, the Internet at large trusts everyone, as everyone gets access. The inside network trusts no one, and no one gets direct access to the inside. Practically speaking, most folks consider a DMZ to be a third interface on the firewall (the first and second interfaces being the inside and outside).

So how exactly does a proxy work? We'll start with traditional proxies. Basically, the proxy acts as a server to inside machines, and as a client to the Internet. Inside machines have to use either modified software, or a procedural change to make use of the proxy. Traditional proxies are not routers, and in fact the routing code should be turned off or compiled out of a bastion host that is to be a traditional proxy. If you send a packet towards a proxy, and its destination IP address isn't the proxy's address, the proxy will just throw the packet away.
In all of our NAT examples, the destination address of packets always remained (except for the double NAT examples) that of its ultimate destination, some host on the Internet. Proxies work differently, and clients have to change their behavior accordingly. The first requirement is that the destination IP address must be that of the proxy server, not the server the user actually wants on the Internet. Let's look at a simple (contrived) example: Telnet. With a NAT-type solution, you would simply Telnet to the name or address you wanted. Let's design an imaginary proxy to handle Telnet. First, we write our program to listen for network connections, and pick a port on the proxy on which to run it. The port could be 23, replacing the regular Telnet mechanism (if any) on the proxy machine, or we could run it on its own port. For our example, we'll pick port 2000. Our program will accept TCP connections, and then prompt for a name or IP address. Once it gets the name, it attempts to connect to that name at port 23. Once the connection is made and output from port 23 on the outside machine is sent to the inside machine, any subsequent output from the inside machine (i.e., the user typing) is sent to the outside machine. So, an inside user who wants to Telnet out must now Telnet to the proxy at port 2000, and enter the name of the machine to which they really want to Telnet. If it connects, they will see the output from it, and will be able to type input for it. Of course in the real world, the Telnet protocol isn't that simple, and our example isn't quite sufficient. However, it illustrates the basic idea: have the inside client inform the proxy of what it wants. The proxy makes the connection on behalf of the client, retrieves some data, and passes it back to the client. Pass any input from the client to the server.

How is FTP looking? The problem remains the same: the reverse connections. The proxy does the same trick as a PAT device, but in a slightly different manner. The control channel connection (to port 21) works more or less like the Telnet proxy example just given, until the PORT command. Upon identifying the PORT command in the data stream, it changes it in the same manner that a PAT device would, and substitutes its own address. The proxy also asks the OS for an available port, begins listening on that port, and sends that port number. It has to keep a copy of the original PORT command for later reference.
When the outside server connects back to the proxy, the proxy opens a connection to the inside machine in the original PORT command and sends the data. So what does a user on the inside who wants to use FTP have to do differently? That presents a problem. With our Telnet example, it's pretty easy to see how to get extra input from the user. The problem with FTP is that there are many, many different types of FTP client programs. These range from command-line text clients where users have lots of opportunity to enter input, to fully GUI FTP clients, where nearly everything is point-and-click. One strategy is to have the inside user put in a special username. For example, instead of entering anonymous, they would enter anonymous@ftp.example.com. This would instruct the proxy to use the username anonymous, and connect to the FTP server ftp.example.com. The password would be supplied unchanged. This works for any FTP client where the user is prompted for a username and password. Problem is, when Web browsers follow an FTP link, they automatically use anonymous and whatever e-mail address you've got programmed into your browser. They don't stop to prompt. Web browsers are a problem in general. How is the user using a browser supposed to get the browser to connect to the proxy, and how are they to supply the URL of the real site to the proxy? There are tricks that can be tried, such as putting in special URLs and treating the proxy as a Web server. These work theoretically, though with problems, but these mechanisms aren't very practical. Users will tire of them quickly and complain. There is a separate tactic that can be used for proxy access: special client software. Basically, this means that the client software is modified to access a proxy server, so that the user does the same thing as they might if they were directly connected to the Internet, and the software takes care of using the proxy. So, when the user runs the special Telnet program, it handles contacting the proxy and informing the proxy about which server is desired, transparently. All the user has to do is Telnet to the server they want, using the special Telnet client.
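The imaginary Telnet proxy described above (prompt on port 2000, connect to port 23, relay both ways) together with the FTP user@host username convention, as an added example that is not the book's code. The outside host in demo() is constructed on a socket pair rather than dialled, and the host name telnet.example.test is made up.

```python
"""Circuit-level Telnet proxy as sketched in the chapter: listen on port 2000,
prompt the inside user for a host, connect to it at port 23, relay both ways.
Added example, not the book's code. The demo() exchange runs on socket pairs,
so the outside host is constructed and no real network is touched."""
import select
import socket
import threading

PROXY_PORT = 2000   # the port the chapter picks for the imaginary proxy
TELNET_PORT = 23


def parse_user_at_host(username):
    """FTP proxy convention from the text: 'anonymous@ftp.example.com' ->
    ('anonymous', 'ftp.example.com'); a plain username gives host None."""
    if "@" not in username:
        return username, None
    user, _, host = username.rpartition("@")
    return user, host


def read_line(sock, limit=256):
    """Read the user's answer one byte at a time, so nothing typed after the
    newline is swallowed into a buffer before the relay takes over."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.strip().decode("ascii", "replace")


def relay(client, upstream):
    """Copy bytes both ways until either side closes.
    Returns (bytes client->upstream, bytes upstream->client)."""
    peer = {client: upstream, upstream: client}
    sent = {client: 0, upstream: 0}
    while True:
        readable, _, _ = select.select([client, upstream], [], [])
        for s in readable:
            data = s.recv(4096)
            if not data:                  # one side hung up: we are done
                return sent[client], sent[upstream]
            peer[s].sendall(data)
            sent[s] += len(data)


def handle_client(client, connect=socket.create_connection):
    """Serve one inside connection. 'connect' is injectable so the demo can hand
    in a constructed outside host instead of dialling the network."""
    client.sendall(b"proxy> host to connect to: ")
    host = read_line(client)
    try:
        upstream = connect((host, TELNET_PORT), timeout=10)
    except OSError as exc:
        client.sendall(f"proxy> cannot connect to {host}: {exc}\r\n".encode())
        client.close()
        return None
    client.sendall(f"proxy> connected to {host}\r\n".encode())
    try:
        return relay(client, upstream)
    finally:
        upstream.close()
        client.close()


def serve(bind_addr="127.0.0.1", port=PROXY_PORT):
    """Accept loop for real use: one thread per inside client."""
    with socket.create_server((bind_addr, port)) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


def demo():
    """Constructed exchange: inside user <-> proxy <-> fake outside host."""
    user_end, proxy_in = socket.socketpair()
    host_end, proxy_out = socket.socketpair()
    outcome = []

    def fake_connect(addr, **kwargs):            # stands in for create_connection
        assert addr == ("telnet.example.test", TELNET_PORT)
        return proxy_out

    worker = threading.Thread(
        target=lambda: outcome.append(handle_client(proxy_in, fake_connect)))
    worker.start()
    prompt = user_end.recv(64)                      # proxy asks where to go
    user_end.sendall(b"telnet.example.test\r\n")    # user names the real host
    status = user_end.recv(64)
    host_end.sendall(b"Welcome\r\nlogin: ")         # outside host's banner...
    banner = user_end.recv(64)                      # ...is passed to the user
    user_end.sendall(b"alice\r\n")                  # user types...
    typed = host_end.recv(64)                       # ...outside host gets it
    host_end.close()                                # outside host hangs up
    worker.join(5)
    user_end.close()
    return {"prompt": prompt, "status": status, "banner": banner,
            "typed": typed, "relayed": outcome[0] if outcome else None}
```

As the text notes, real Telnet carries option negotiation that this relay simply passes through untouched.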
Theoretically, this can be done to any client program, so that users don't have to be bothered with the details. The problem is, there are many, many client programs, most of which don't have publicly available source code for modification. Also, there are potentially many, many proxy protocols, if each site created their own proxy software. Obviously, some standards would be useful. The currently used proxy protocol standards are SOCKS and CERN proxy, but we won't get into the details. The CERN proxy protocol grew out of a proxy feature of the CERN HTTP server, and as you might guess it's an HTTP proxy. It was important because there was support for the protocol starting with the early Web browsers.
SOCKS enjoyed similar early browser support, with the advantage that it can proxy arbitrary port numbers. Of course, your SOCKS proxy server must still be able to handle the protocol that matches the port number. SOCKS also came with a few rewritten client programs, like rtelnet and rftp. These were "SOCKSified" versions of the Telnet and FTP programs. They are UNIX source code, so chances are you could compile versions for most UNIX platforms. Later, third-party Windows applications started appearing with SOCKS support. Nowadays, if a client program supports the use of a proxy, it usually has SOCKS support. More information about SOCKS can be found in the section "References and Resources."

The idea of SOCKS being able to support arbitrary ports begs the question: Is there such a thing as a generic proxy? Indeed, there is. It's possible to proxy a stream of data assuming that there are no reverse connections, and so forth. That is, assume it looks rather like a Telnet connection. Such a proxy is often called a circuit-level proxy, or a plug gateway (after the plug-gw feature in Gauntlet, a popular proxy-based commercial firewall). SOCKS proxies typically can support such an arrangement, if desired. Yet another way to handle getting the client request to the proxy is to modify the IP stack on the client to do so. This software is typically called a shim. The Microsoft Proxy Server works this way; it supplies a shim for Microsoft Windows clients. MSP also supports the SOCKS protocol, for non-Windows clients.
In this manner, MSP is able to support arbitrary client programs on the Windows platform, as long as the protocols are simple, or a handler has already been designed. Finally, before we leave the topic of proxies, some proxies now have a transparency option, which changes the model of how proxies used to work. As discussed, traditional proxies require the clients to behave differently. Transparent proxies can act as routers and proxy connections automatically, much like a PAT device. These proxies have the important advantage that they do not require any special software or configuration of the client. So what's the difference between PAT and a transparent proxy? This is discussed in detail later in this chapter, in "Why a Proxy Server Is Really Not a NAT."
Stateful Packet Filters

During the time that proxies were evolving, so were PFs. The ability to keep simple state information was added to PFs, and thus were born Stateful Packet Filters (SPFs). An SPF could, for example, watch a PORT command go by, and only allow back the port that was mentioned, rather than having to let through everything above 1023. Rather than just let in every TCP packet that had the ACK bit set, it could let in just the ones that corresponded to outgoing packets. The small addition of being able to track what went on before adds an amazing amount of power to the simple PF. Very few plain SPFs actually exist. That's because they almost all add yet another ability, which will be discussed shortly. An example of an SPF as described is a Cisco router using reflexive access lists. These access lists have the ability to modify themselves somewhat, based on other access list lines being matched.
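The contrast between the static "port 20 to anything above 1023" rule from the FTP discussion and an SPF that watches the PORT command go by, as an added example that is not the book's code: the same constructed packet sequence is run through a stateless and a stateful filter. The addresses (10.0.0.0/8 inside, 203.0.113.5 as the FTP server, 198.51.100.9 as an unrelated outside host) are made up for the demo.

```python
"""Stateless packet filter vs. stateful packet filter, applied to the FTP case.
Added example, not the book's code. Addresses are constructed: 10.0.0.0/8 is the
inside network, 203.0.113.5 the FTP server, 198.51.100.9 an unrelated outside host."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset            # e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    payload: bytes = b""


def inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


# The three static rules from the text: FTP control out, "established" back in
# (which to a PF only means the ACK bit is set), and the port-20 -> >1023 hole.
STATIC_RULES = [
    ("ftp-control-out", lambda p: inside(p.src) and p.dport == 21),
    ("established-in", lambda p: inside(p.dst) and "ACK" in p.flags),
    ("ftp-data-in", lambda p: inside(p.dst) and p.sport == 20 and p.dport > 1023),
]


class StatelessFilter:
    """Judges every packet on its own; remembers nothing."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, p):
        for name, match in self.rules:
            if match(p):
                return "allow", name
        return "deny", None


def parse_port_command(payload):
    """b'PORT h1,h2,h3,h4,p1,p2\\r\\n' -> ('h1.h2.h3.h4', p1*256 + p2), else None."""
    if not payload.startswith(b"PORT "):
        return None
    parts = payload[5:].strip().split(b",")
    if len(parts) != 6:
        return None
    h = [int(x) for x in parts]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


class StatefulFilter:
    """Remembers outbound connections and PORT announcements (as a reflexive ACL does)."""

    def __init__(self):
        self.conns = set()     # (inside_ip, inside_port, outside_ip, outside_port)
        self.pinholes = set()  # (server_ip, inside_ip, inside_port) from PORT commands

    def check(self, p):
        if inside(p.src):
            self.conns.add((p.src, p.sport, p.dst, p.dport))   # so replies can match
            announced = parse_port_command(p.payload) if p.dport == 21 else None
            if announced:
                ip, port = announced
                self.pinholes.add((p.dst, ip, port))   # only that server, only that port
            return "allow", "outbound"
        if inside(p.dst):
            if "ACK" in p.flags and (p.dst, p.dport, p.src, p.sport) in self.conns:
                return "allow", "reply-to-existing"
            key = (p.src, p.dst, p.dport)
            if p.sport == 20 and "SYN" in p.flags and key in self.pinholes:
                self.pinholes.discard(key)             # one-shot: used up
                self.conns.add((p.dst, p.dport, p.src, p.sport))
                return "allow", "ftp-data-pinhole"
        return "deny", None


def scenario():
    """Run one constructed packet sequence through both filters; returns
    {step: (stateless verdict, stateful verdict)}."""
    pf, spf = StatelessFilter(STATIC_RULES), StatefulFilter()
    client, server, stranger = "10.1.2.3", "203.0.113.5", "198.51.100.9"
    SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
    steps = [
        ("control-out", Packet(client, server, 50000, 21, SYN)),
        ("control-reply", Packet(server, client, 21, 50000, ACK)),
        ("spoofed-ack", Packet(stranger, client, 21, 50001, ACK)),
        ("port-cmd", Packet(client, server, 50000, 21, ACK, b"PORT 10,1,2,3,196,136\r\n")),
        ("data-from-server", Packet(server, client, 20, 50312, SYN)),    # 196*256+136
        ("probe-from-stranger", Packet(stranger, client, 20, 6000, SYN)),  # the hole
    ]
    return {name: (pf.check(p)[0], spf.check(p)[0]) for name, p in steps}
```

The stateless filter waves through both the spoofed ACK and the port-20 probe at an unrelated inside port; the stateful one admits only the reply to a recorded connection and the one data connection that was actually announced.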
Stateful Packet Filter with Rewrite

The preceding definition of SPF is not a widely accepted one. Despite its use of the word filter in the middle, when most people discuss SPFs, they mean a device that can also modify packets as they pass through. Adding this capability theoretically gives the SPF complete control over packets. The packet rewrite also puts one feature into the SPF engine in particular: NAT. Recall that the requirements for NAT are: the ability to rewrite packets, and the ability to track that information. As it turns out, the connection tables needed to do PAT are basically the same as those needed to do SPF. So, if you can do SPF, it's pretty easy to add PAT, and vice versa.
There are many commercial examples of SPF-based firewalls, even if they use a different term for the underlying technology. The market-share leader, Checkpoint's Firewall-1, is based on SPF, which they call Stateful Multi-Layer Inspection (SMLI). Another popular example is Cisco's PIX firewall. We won't go into a lot of detail about how SPF works; if you understand the details behind PAT, you understand SPF. The tables that need to be maintained to perform an SPF function are the same as those needed to do PAT. An SPF firewall needs to do at least the same amount of work as a PAT device, and should ideally add on a fair amount more, to allow for better data validation and content filtering.
Why a Proxy Server Is Really Not a NAT

At this point, it's appropriate to discuss the differences between proxies and NAT. For purposes of this discussion, all flavors of NAT, PFs, and SPFs are equivalent. Transparent proxies are a little bit of a special case, but they will be treated as traditional proxies for this discussion. At a very high level, proxies and NAT appear to be the same; they both let you hide many machines behind an IP address. They both modify the data stream as it goes by to account for the change of address. They both keep state about more complicated protocols, in order to handle them correctly. It turns out that the ends might be the same, but the means are very different. At a low level, the internals of the device (a proxy or NAT device) handle the packet in completely different ways. The basic difference boils down to this: For NAT, the basic unit being worked on is the packet; for a proxy, all of its work is done on a data stream.

Let's discuss what that means, starting with the proxy. When a packet is received by a server, the server first determines if the packet is intended for it (i.e., if the destination address is one of its addresses). In the case of a traditional proxy, it will be. The packet then undergoes a process of being passed up the IP stack of the server. If the packet belongs to an existing connection, the data portion of the packet is extracted, and placed into a buffer for the proxy program to read. If it's a new connection, a new buffer is created and the proxy program is notified that there is a new connection to service, but the process is otherwise the same. When the proxy needs to send something, a reverse process happens. The information the proxy needs to send is placed into an output buffer. The TCP/IP software on the server will then pull information out of the buffer, put it into packets, and send it.

Under the IP protocol, packets can be a wide range of sizes. Large packets may be split up into fragments in order to cross networks that can handle only frames up to a particular size. For example, a 2000-byte packet would have to be split into at least two parts to cross an Ethernet segment with an MTU of 1500 bytes. On a proxy server, the IP stack will put the fragments together before it places the data into the buffer. Ideally, fragments won't happen. When possible, hosts will not transmit packets that will have to be fragmented. A host doesn't always have a way to determine whether or not a fragment will need to be made along the way across a network, so often the best the host can do is to not transmit packets bigger than its local network. The goal of the fragment discussion is to illustrate a point: The number of packets that enter a proxy server doesn't necessarily equal the number of packets that come out.
For an overly simplified example, a proxy server may receive a single packet that contains "Hello World!" However, when it transmits it back out, it may be as two packets: "Hello" and "World!" The reverse may happen as well. In fact, the proxy inputs only the string of characters, and outputs them to a different buffer, possibly making changes to them. It doesn't concern itself with how the packet gets divided. When it sees an FTP PORT command, it reads it in, decides on how it should be changed, and outputs the changed version. It doesn't need to do anything special if the command ends up being longer or shorter.

Contrast this with a NAT device. When the IP stack of a NAT device gets a packet that is not addressed to it, which is normally what will happen, it will try to route the packet. During the routing process is when the NAT device has an opportunity to operate on the packet. Except for fragments and a couple of special cases, NAT is one packet in, one packet out. The packet will be basically the same size as well. When a PORT command starts through, the NAT device has to keep the packets as intact as possible. This means there may have to be a special piece of code to expand or shrink a packet to accommodate a longer or shorter address. When fragments arrive, the NAT device typically will have to perform reassembly as well. Although fragments are packets in their own right, they are also pieces of a larger packet. Taken as a whole piece, the packets in and packets out count still holds.

What are the security implications for the two methods? There are pros and cons for each. There exist types of attacks that rely on the exact structure of a packet. With a proxy, since the packets are torn apart, there is little chance of this type of attack succeeding against inside hosts. However, since the proxy has to process the packet itself, it may fall prey to the attack rather than the inside host. A NAT device would likely not fall victim to the same type of attack, but it might pass it along to the inside host, and have it succeed there. Fortunately, these types of attacks are almost always Denial of Service (DoS) attacks, which means they tend to crash things, but don't result in a violation of information integrity. In one case, the firewall crashes. In another case, the firewall stays functional, but the inside host goes down.
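The stream-versus-packet difference described above, applied to the PORT command, as an added example that is not the book's code: a proxy-style rewriter that works on reassembled lines beside a NAT-style one that can only touch the packet in hand. The outside address 203.0.113.7 and listening port 2048 are constructed stand-ins, and the sequence-number bookkeeping in the NAT case is an addition not spelled out in the chapter (it is what a packet rewriter must do once a payload changes length).

```python
"""Rewriting an FTP PORT command two ways: on a data stream (proxy) and inside
a single packet (NAT). Added example, not the book's code. 203.0.113.7 and
port 2048 are constructed stand-ins for the device's own outside address and
the listening port it asked the OS for."""
import re

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def port_command(ip, port):
    """Build b'PORT h1,h2,h3,h4,p1,p2\\r\\n' for an address and port."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}\r\n".encode()


class StreamRewriter:
    """Proxy-style: works on the reassembled byte stream line by line, so a PORT
    command split across two packets is still seen whole, and the rewritten
    line may be longer or shorter without any further bookkeeping."""

    def __init__(self, own_ip, own_port):
        self.replacement = port_command(own_ip, own_port)
        self.pending = b""       # partial line not yet terminated by CRLF
        self.originals = []      # original PORT commands, kept for later reference

    def feed(self, chunk):
        """Take whatever arrived, return the complete rewritten lines so far."""
        self.pending += chunk
        out = b""
        while b"\r\n" in self.pending:
            line, _, self.pending = self.pending.partition(b"\r\n")
            line += b"\r\n"
            if PORT_RE.fullmatch(line):
                self.originals.append(line)
                line = self.replacement
            out += line
        return out


class PacketRewriter:
    """NAT-style: one packet in, one packet out. It can only rewrite what is
    inside the packet in hand; if the command changes length it must fix the IP
    total length and shift every later TCP sequence number by the delta."""

    def __init__(self, own_ip, own_port):
        self.replacement = port_command(own_ip, own_port)
        self.seq_delta = 0       # bytes added (+) or removed (-) so far

    def rewrite(self, pkt):
        """pkt: dict with 'seq', 'payload', 'ip_len'. Returns the translated packet."""
        out = dict(pkt)
        out["seq"] = pkt["seq"] + self.seq_delta          # carry earlier edits forward
        new_payload, hits = PORT_RE.subn(self.replacement, pkt["payload"])
        if hits:
            delta = len(new_payload) - len(pkt["payload"])
            out["payload"] = new_payload
            out["ip_len"] = pkt["ip_len"] + delta
            self.seq_delta += delta
        return out

    def adjust_ack(self, ack):
        """ACKs from the server count rewritten bytes; undo the delta for the client."""
        return ack - self.seq_delta
```

Fed "PORT 10,1,2,3,19" and "6,136\r\n" as two packets, the packet rewriter leaves both untouched because neither contains a whole command, while the stream rewriter emits the rewritten line once the second chunk arrives.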
Neither is an absolutely better choice, and it depends on the preference of the firewall administrator. No one wants their firewall going down, but on the other hand, its job is to protect the inside. The other big difference between NAT and proxy is data validation and modification. There are a number of proxy packages out there that take a more conservative security stance. That is, they contain proxies for protocols that the designers were reasonably sure they could validate well. They had an idea of what allowable values are, and designed their proxy to watch for those, and make corrections if needed. In some cases, if it looks like a protocol has some inherent problems, they would not produce a proxy for it, thereby discouraging customers from using that protocol.
Many NAT packages seem to take a different tack. They will do the bare minimum necessary to get a protocol to pass, and they often try to pass as many protocols as possible. They also tend to be more open by default; that is, if a connection attempt is made from the inside and the protocol is unknown, it will try to pass it anyway. Now, this isn't a fair comparison. I've compared the best proxies against the worst NAT implementations. Naturally, there are products from both camps that meet in the middle, and a good firewall administrator can make a NAT/SPF secure, and a bad one can misconfigure a good proxy. Still, the tendencies are there: NAT devices typically only go above layer 4 when it's needed to make the protocol work (like the FTP example). Proxies always work above layer 4, and even the simplest ones (circuit-level proxies) operate at layer 5. The assumption is, of course, that the higher up the stack they go, the more secure. All of this is a religious argument though, because you don't buy a conceptual firewall, you buy an actual product. Each product must be evaluated on its own merit. The other point that makes a lot of the arguing pointless is that the lines between SPF and proxy are blurring. The latest versions of most of the commercial firewalls include features both from the proxy world and the SPF world, regardless of which background they came from. For example, in Firewall-1, there are a number of "security servers" included that optionally can be activated in place of NAT-style packet passing.
These typically include extra capabilities, such as extra authentication, stripping out of undesirable content (such as Java or ActiveX) and blocking of particular sites by name or URL. Many of the proxy firewalls have gone transparent. In order for a proxy to be transparent, it has to change its behavior somewhat. The short explanation is that they have to perform an SPF-type function to deliver the packets to the proxy software, when they weren't addressed to the proxy in the first place.
Shortcomings of SPF

There are plenty of SPF shortcomings to discuss, but only in a security context. In terms of functionality, all the products work well. There are performance differences and administration differences, but if the product claims to pass a particular protocol, it usually does. Proxies are generally slower, simply because they do more to the information as it goes through. They strip headers off, put them on, allocate sockets, and do a lot of buffering and copying of data. SPFs skip a lot of this work. For protocols without a lot of work to do, this is an advantage. For protocols that should be handled carefully, this is bad. There seems to be a consensus that handling complicated protocols is easier with proxy-style software than with NAT style. It seems that the idea of being able to toss the unit of the packet makes the process easier, at least for TCP protocols. Being able to pick between the two in a single package is one advantage to having the lines between SPF and proxy blur. The firewall designer can pick the best tool for the protocol.

The transparency option for proxies is a very good feature. Not having to change the software on all the inside machines, and not having to support those changes, can be a huge advantage. A subtle bit of information is lost with this option, though. With traditional proxies, especially with architectures where there is a separate program for each protocol, there is never any question about which protocol was desired. For example, if the user contacted the Telnet proxy, you could be sure they wanted to use the Telnet protocol. If they contacted the HTTP proxy, clearly they want HTTP. If you've spent any time surfing the Web, you've probably noticed that some URLs specify a different port number. For example, instead of:

http://www.example.com

you see:

http://www.example.com:8080
Network Address Translation
9Chapter 4
In t h i s case, r a t h e r t h a n c o n t a c t i n g t h e Web s e r v e r a t p o r t 80 (which is t h e d e f a u l t for HTTP), we've explicitly told it to c o n t a c t a Web s e r v e r via p o r t 8 0 8 0 . For a t r a d i t i o n a l proxy, t h i s is n o t a p r o b lem. It k n o w s y o u w a n t HTTP, a n d it k n o w s y o u w a n t to do it over port 8080. T h i s w o r k s b e c a u s e t h e p r o x y is forcing t h e client to specify b o t h protocol a n d p o r t explicitly. Let's look a t t h e s a m e s i t u a t i o n w i t h a t r a n s p a r e n t proxy. T h e client i s n ' t c o n f i g u r e d in a n y s p e c i a l way. T h e u s e r m i g h t n o t even realize t h e r e is a firewall t h e r e . Now, t h e client i s n ' t specifying t h e protocol to t h e proxy, b e c a u s e it d o e s n ' t k n o w a p r o x y is there. So, w h e n it c o n t a c t s p o r t 80, t h e p r o x y h a s to m a k e a n a s s u m p t i o n - - i t will a s s u m e ( a l m o s t a l w a y s correctly) t h a t t h i s is HTI'P, a n d will h a n d l e it a s s u c h . W h a t a b o u t w h e n t h e b r o w s e r specifies p o r t 8 0 8 0 ? T h e p r o x y h a s to m a k e a n o t h e r a s s u m p t i o n . Port 8 0 8 0 is p r e t t y c o m m o n l y u s e d a s a n o n s t a n d a r d HTI'P port, b u t n o t always. T h e p r o x y m u s t e i t h e r p i c k HTTP or a circuit-level proxy. T h i s is c o m m o n l y configurable. W h a t h a p p e n s in t h i s s i t u a t i o n ? h t t p ://www. example, corn: 21
S o m e j o k e r on t h e I n t e r n e t h a s r u n h i s Web s e r v e r on p o r t 21, a n d y o u r u s e r h a s clicked on a link to it. T h e p r o x y h a s to m a k e a n a s s u m p t i o n ~ i t ' s going to a s s u m e t h i s is t h e FTP protocol. C h a n c e s are, t h i s c o n n e c t i o n w o n ' t w o r k v e r y well. So, we've lost s o m e i n f o r m a t i o n b y going t r a n s p a r e n t . We've forced t r a n s p a r e n t p r o x i e s to m a k e a s s u m p t i o n s a b o u t p r o t o c o l s b a s e d on p o r t n u m b e r s . T h i s will w o r k well m o s t of t h e time, b u t t h e r e is a l w a y s a w e i r d e x c e p t i o n s o m e w h e r e . S P F s suffer f r o m t h e s a m e p r o b l e m a s well. S o m e folks h a v e a r g u e d t h a t a n S P F - t y p e a r c h i t e c t u r e m a k e s it too e a s y for a firewall a d m i n i s t r a t o r to do s o m e t h i n g risky. In o t h e r w o r d s , S P F s m a y be m o r e flexible in t h e r a n g e of t h i n g s t h e y c a n be m a d e to allow, a n d t h a t m a y be too t e m p t i n g . T h i s is largely u n t r u e n o w a n y w a y , s i n c e m o s t p r o x i e s i n c l u d e s i m i l a r capabilities.
Most firewalls come with some sort of GUI for configuring the rules of what is allowed and what isn't. These can be very convenient for maintaining large rule sets. Some more-experienced firewall administrators have complained that this can be a hindrance to understanding exactly what the firewall is up to. They complain that by putting simplicity on top of a complex product, it gives the illusion to the novice administrator that they comprehend everything that is going on. In other words, it provides a false sense of security.

Summary

Network Address Translation (NAT) changes a packet's layer 3 address as it passes through a NAT device. Other protocols like IPX could also be translated, but the vast majority of the commercial NAT implementations perform NAT on IP addresses. Often, simply changing layer 3 protocols is insufficient, and higher layer information must be modified as well.

NAT and security are often used together. The ideas behind NAT probably came from early proxy-based firewall solutions. Proxy servers allow administrators to filter traffic for content, and to make it appear to outside networks that everything is coming from one IP address. The proxy administrator usually configures a filtering router (i.e., a packet filter) to block direct access from inside-out, and outside-in. The configuration allows only inside machines to communicate directly with the proxy. This forces inside clients to use the proxy if they want access to the outside net. This single point in the network where all traffic is forced to pass through (on the way to the Internet, at least) is called a choke point. Care is taken to configure the proxy server to be as secure as possible.

A side-effect of a proxy firewall is that the outside needs to see only one IP address. This can reduce the needed publicly routable IP addresses to one. RFC 1918 recognizes this, and makes a number of IP address ranges available for private use, behind proxy servers or NAT firewalls. A NAT device usually acts as a router.
There are several types of NAT. The first type is static NAT, a 1-to-1 mapping between two IP addresses. In one direction, either the source or destination address is translated; in the other direction, the reverse happens. Typically, the source address is the one that is translated, but there are uses for translating the destination address as well. One possible use for translating the destination address is redirecting client machines to a different server without having to reconfigure them. A NAT router has to differentiate between interfaces, typically by marking one "inside" and the other "outside" in order to know when to translate, and whether to translate source or destination addresses. Because of the 1-to-1 mapping, static NAT saves no address space. Another interesting variation of static NAT is called double NAT, which changes both the source and destination addresses at the same time. This can be useful for connecting two networks that use the same addresses.

A static NAT implementation that simply translates layer 3 addresses and doesn't change the data stream at all may have problems with certain protocols. A classic example of a protocol that passes IP addresses in the data stream is the FTP protocol. In order for a static NAT (or any NAT for that matter) implementation to work with FTP, it must modify the FTP PORT command as it goes by. This must also work if the PORT command is split across more than one packet.

Another flavor of NAT is dynamic NAT. Dynamic NAT is similar to static NAT, except that it is many-to-many, or many-to-1, and the static mappings are done on the fly out of a pool of addresses. Problems for address contention may arise, however, if there are more inside addresses than outside addresses. To help with this problem, the NAT device will attempt to detect when a mapping is no longer needed. Strategies for this may include timers, and watching for packets that indicate the end of connections. To track these items, dynamic NAT must maintain a connection table to track IP addresses, port number, FIN bits, and timers. Even with these mechanisms, dynamic NAT can still easily result in resource contention, and in inside machines not being able to get out. A further refinement is needed.

Port Address Translation is a type of NAT that allows more than one inside machine to share a single outside IP address simultaneously. This is accomplished by translating ports as well as IP addresses. When an inside machine makes a connection out, its source port and address may be translated. The NAT router will track which source ports are in use, and will avoid conflicts when picking new source ports. PAT finally achieves the address savings desired, and also achieves some level of security. PAT keeps a connection table similar to that of dynamic NAT. In addition, PAT has to dynamically open ports as needed to handle protocols with reverse connections, like FTP. Most existing NAT solutions are PAT-based, and have the ability to do static NAT as needed.

NAT's major feature is address savings. In addition, it can be used to temporarily work around certain types of network problems. NAT typically carries some small performance cost, but it's usually negligible except under the heaviest network loads.

Proxies and firewalls have a somewhat different mission than NAT, though they often are used together. Firewalls are about security; security in this context means controlling network connections. Historically, there are several types of firewalls: Proxies, Packet Filters (PFs), and Static Packet Filters (SPFs).
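The connection table described above for dynamic NAT and PAT can be shown in working code. The following Python is an added example, not the book's code: it allocates an outside source port per inside connection, reverse-translates replies, drops unsolicited inbound packets, retires a mapping once FIN has been seen from both sides or after an idle timer, and keeps a static 1-to-1 mapping alongside. The outside address, the port pool, the timeout value and the packet fields are assumptions made for the illustration.

```python
"""Port Address Translation with the connection table the chapter describes:
outside port allocation, reverse translation, idle timers, FIN tracking and
a static 1-to-1 mapping.  Added example, not the book's code; the packet
fields, the outside address, the port pool and the timeout are assumptions."""
from dataclasses import dataclass

OUTSIDE_IP = "198.51.100.1"      # assumed: the one public address shared by inside hosts
IDLE_TIMEOUT = 300               # assumed: seconds of silence before a mapping is dropped
PORT_POOL = range(40000, 40010)  # assumed: tiny pool so exhaustion is easy to demonstrate


@dataclass
class Packet:                    # the TCP/IP fields PAT cares about
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fin: bool = False


@dataclass
class Entry:                     # one row of the connection table
    inside_ip: str
    inside_port: int
    dst_ip: str
    dst_port: int
    last_seen: float
    fin_in: bool = False         # FIN seen from the inside host
    fin_out: bool = False        # FIN seen from the outside peer


class PatRouter:
    def __init__(self):
        self.table = {}          # outside source port -> Entry
        self.static = {}         # inside ip -> outside ip (static NAT, no port translation)

    def add_static(self, inside_ip, outside_ip):
        self.static[inside_ip] = outside_ip

    def _expire(self, now):
        """Drop mappings whose connection closed or that went idle too long."""
        for port, e in list(self.table.items()):
            if (e.fin_in and e.fin_out) or now - e.last_seen > IDLE_TIMEOUT:
                del self.table[port]

    def outbound(self, pkt, now):
        """Translate a packet from the inside interface; None if the port pool is empty."""
        self._expire(now)
        if pkt.src_ip in self.static:   # static NAT: rewrite the address only
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.fin)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = next((p for p, e in self.table.items()
                     if (e.inside_ip, e.inside_port, e.dst_ip, e.dst_port) == key), None)
        if port is None:                # new connection: pick a free outside port
            port = next((p for p in PORT_POOL if p not in self.table), None)
            if port is None:
                return None             # resource contention: the inside host cannot get out
            self.table[port] = Entry(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, now)
        e = self.table[port]
        e.last_seen, e.fin_in = now, e.fin_in or pkt.fin
        return Packet(OUTSIDE_IP, port, pkt.dst_ip, pkt.dst_port, pkt.fin)

    def inbound(self, pkt, now):
        """Reverse-translate a packet from the outside interface.  Unsolicited
        packets have no table entry and are dropped (returned as None), which
        is the modest security benefit PAT gives for free."""
        self._expire(now)
        for inside_ip, outside_ip in self.static.items():
            if pkt.dst_ip == outside_ip:
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port, pkt.fin)
        e = self.table.get(pkt.dst_port)
        if pkt.dst_ip != OUTSIDE_IP or e is None or (e.dst_ip, e.dst_port) != (pkt.src_ip, pkt.src_port):
            return None
        e.last_seen, e.fin_out = now, e.fin_out or pkt.fin
        return Packet(pkt.src_ip, pkt.src_port, e.inside_ip, e.inside_port, pkt.fin)


if __name__ == "__main__":
    nat = PatRouter()
    a = nat.outbound(Packet("10.0.0.5", 1025, "203.0.113.7", 80), now=0)
    b = nat.outbound(Packet("10.0.0.6", 1025, "203.0.113.7", 80), now=1)
    print(a, b)   # same inside source port on two hosts, two different outside ports
    print(nat.inbound(Packet("203.0.113.7", 80, OUTSIDE_IP, b.src_port), now=2))
    print(nat.inbound(Packet("192.0.2.9", 4444, OUTSIDE_IP, 40005), now=2))  # None: unsolicited
```

Running the file shows two inside hosts that both use source port 1025 leaving with distinct outside ports, a reply translated back to the right inside host, and an unsolicited inbound packet dropped. The pool of ten ports is deliberately tiny so that the resource contention the text warns about is easy to reproduce.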
Proxies work by having clients connect to them instead of to the final intended server. The proxy will then retrieve the desired content, and return it to the inside client. Like NAT, proxies must understand some of the protocols they pass in order to handle them properly. PFs are often used in conjunction with proxies to achieve the protection needed, and to create the choke point to force all traffic through the proxy. Packet filters don't maintain state, and must often leave large port ranges open to accommodate protocols like FTP. Like NAT, PFs are usually routers. SPFs are PFs with state. In addition, almost all SPFs can rewrite packets as needed. If an SPF is able to rewrite packets, it can theoretically do anything to packets as needed, including implementing NAT if desired. The connection tables needed for PAT are about the same as those needed for SPF.

NAT (and SPF) differs substantially from a proxy in terms of how it implements its features. For NAT, the basic unit worked on is a whole packet. For a proxy, it's a data stream. The major practical difference is that a proxy will tear a packet all the way apart, and may reassemble it as more or fewer packets. A NAT device will always keep the same number of packets in and out. Most firewalls on the market at present are a hybrid of proxy and SPF technology. The main advantage to this is that they are able to be transparent, requiring no special software or configuration on the inside client machines.
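The FTP PORT rewriting the summary calls for, including the case where the command is split across packets, as an added Python example (not the book's code). It watches the client side of the control connection, replaces the inside address and port in each PORT command with the NAT's outside address and a freshly allocated port, and records the mapping the NAT must open for the server's reverse data connection. The addresses and the sequential port allocator are assumptions.

```python
"""Rewriting the FTP PORT command inside a NAT device, including a PORT
command split across two packets.  Added example, not the book's code; the
addresses, the reverse-port allocator and the reassembly buffer are
assumptions."""
import re

# PORT h1,h2,h3,h4,p1,p2 : the client's address and listening port, one byte per field
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$", re.IGNORECASE)


def port_command(ip, port):
    """Encode an address and port the way the PORT command expects."""
    return b"PORT %s,%d,%d\r\n" % (ip.replace(".", ",").encode(), port >> 8, port & 0xFF)


class FtpPortAlg:
    """Watches the client side of an FTP control connection, replaces the
    inside address in PORT commands with the NAT's outside address, and
    records the mapping that must be opened for the server's reverse
    (data) connection."""

    def __init__(self, outside_ip, first_port=50000):
        self.outside_ip = outside_ip
        self.next_port = first_port   # assumed: simple sequential allocator
        self.pending = b""            # start of a command line whose CRLF has not arrived
        self.reverse_mappings = {}    # outside port -> (inside ip, inside port)

    def process(self, payload):
        """Take one packet's payload; return the bytes the NAT may forward now.
        A line whose CRLF has not arrived yet is held back, so the command is
        seen whole even when the client split it across packets."""
        data = self.pending + payload
        forward = b""
        while b"\r\n" in data:
            line, data = data.split(b"\r\n", 1)
            forward += self._rewrite(line + b"\r\n")
        self.pending = data
        return forward

    def _rewrite(self, line):
        m = PORT_RE.match(line)
        if m is None:
            return line               # not a PORT command: pass through untouched
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        inside = ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)
        outside_port = self.next_port
        self.next_port += 1
        self.reverse_mappings[outside_port] = inside   # the NAT opens this port for the server
        return port_command(self.outside_ip, outside_port)


if __name__ == "__main__":
    alg = FtpPortAlg("198.51.100.1")
    print(alg.process(b"PORT 10,0,0,5,4,1\r\n"))          # rewritten in one go
    print(alg.process(b"PORT 10,0,0,"))                   # b'': held until the line completes
    print(alg.process(b"5,4,2\r\nTYPE I\r\n"))            # rewritten, TYPE passed through
    print(alg.reverse_mappings)
```

Holding back an incomplete line means the device may forward fewer packets than it received on that connection, a simplification relative to the packet-for-packet behaviour the text attributes to NAT. A production implementation also has to adjust TCP sequence and acknowledgement numbers on the control connection whenever the rewritten PORT line differs in length from the original.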
Visit the Web site for the vendor that produces the program. Often, they maintain a FAQ about how to get their protocol to cooperate with firewalls. In some cases, it may be a simple option that is settable on the client program. In other cases, there will be instruction on how to configure your firewall to make it work. Check with your firewall vendor to see if there is an update to handle the protocol. Most firewall vendors maintain a Web site with searchable content, and you can search for the protocol in question. Check the firewall logs to see if there are reverse connections that are coming back and being denied. Possibly, you might have to use a protocol analyzer to try to determine what the protocol is up to. Don't forget to consider that you may not want to pass this protocol. If you're very security-conscious, you may realize that there may be bugs in the new program that may pose a serious threat to your network. Client-side holes have become very common recently.

Q: Why can't I connect to anything?

A: This relates to when you are first setting up your NAT/firewall/proxy. There can be a large number of reasons why you can't connect, any one of which will break things. Here are some special things to pay attention to:

Make sure all of your routing is correct. If possible, you might turn off any NAT or security features temporarily in order to see if packets seem to flow. If not, you may have a routing issue. If they do, then you probably need to check your security configuration.

Make sure you've allowed the traffic you're trying to send. This sounds obvious, but it happens often enough. Probably the easiest place to see this is the logs. If you show up as having been dropped, then you haven't allowed the traffic you're trying to send.

Make sure any ARP settings needed are in place. For some solutions that require virtual IP addresses, you may have to publish ARP addresses manually. A quick way to check if this is working or not is to look at the ARP table on the router.

Make sure your client configuration is correct. This applies especially if you're using proxies. Make sure the client program is set to use the proxy, and look for typos or other misconfigurations that might be easy to miss.

When all else fails, you may have to use a protocol analyzer to see what's actually happening on the wire. Unfortunately, you may have to use it in several places to get the full picture (inside the firewall, outside, etc.).
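The advice above to check the logs for reverse connections that are being denied can be automated. This is an added example, not from the book: it parses firewall log lines in an assumed "<date> <time> <ACTION> <protocol> src:port -> dst:port" format (every line is constructed for the illustration) and flags denied inbound attempts that come from a host an inside machine had just been allowed to connect to, which is the signature of a protocol such as FTP opening a connection back to the client rather than of random scanning.

```python
"""Find reverse connections that the firewall is denying.  Added example,
not from the book; the log format and every log line are constructed for
the illustration."""
import re
from datetime import datetime, timedelta

# Constructed sample in an assumed "<date> <time> <ACTION> <proto> src:port -> dst:port" format.
SAMPLE_LOG = """\
2024-01-01 12:00:01 ALLOW TCP 10.0.0.5:1034 -> 203.0.113.7:21
2024-01-01 12:00:02 ALLOW TCP 10.0.0.9:2210 -> 203.0.113.40:80
2024-01-01 12:00:03 DENY TCP 203.0.113.7:20 -> 10.0.0.5:1035
2024-01-01 12:00:04 DENY TCP 192.0.2.99:4444 -> 10.0.0.5:139
2024-01-01 12:30:05 DENY TCP 203.0.113.40:443 -> 10.0.0.9:2211
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(text):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def denied_reverse_connections(text, window=timedelta(minutes=5)):
    """Denied inbound attempts whose source is a host that the destination
    was allowed to connect to within `window` beforehand.  Those are the
    reverse connections of a protocol like FTP, not random scanning."""
    last_outbound = {}   # (inside host, outside host) -> time of last allowed outbound connection
    hits = []
    for rec in parse(text):
        if rec["action"] == "ALLOW":
            last_outbound[(rec["src"], rec["dst"])] = rec["ts"]
        else:
            earlier = last_outbound.get((rec["dst"], rec["src"]))
            if earlier is not None and rec["ts"] - earlier <= window:
                hits.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return hits


if __name__ == "__main__":
    for src, sport, dst, dport in denied_reverse_connections(SAMPLE_LOG):
        print("denied reverse connection %s:%d -> %s:%d" % (src, sport, dst, dport))
```

On the sample, only the FTP data connection from 203.0.113.7 port 20 is reported: the attempt from 192.0.2.99 has no preceding outbound connection, and the one from 203.0.113.40 arrives half an hour after the inside host talked to it, outside the default window.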
Q: How do I verify that my address is being translated properly?

A: This one is usually pretty easy. The simplest way is to connect to something that tells you what your IP address is. If it's your network, the router immediately outside your NAT device may tell you. For example, if you log on to a Cisco router and issue the "show users" command, it will tell you the DNS name or IP address from which you're connecting.

If you're an end-user, and you suspect you're being translated and want to find out, it may be slightly harder. If you've got an account on a router or UNIX box somewhere on the Internet, you can usually find out that way. Another choice is a Web page that informs you what IP address you're coming from. An example of such a page is:

http://www.anonymizer.com/3.0/snoop.cgi

Q: What does a good firewall architecture look like?

A: This is a religious question (i.e., you'll get many people preaching their favorite gospel). However, there are a few generally accepted best practices. We'll use a medium-sized company as our example. They have a full-time Internet link, and have their own Web and e-mail servers on the premises. Let's assume they didn't previously have a firewall, and now they want to install one. The Web server and e-mail server have to be reachable by the Internet; that's their purpose. They also must be reachable by the inside. They want them to be protected from the Internet as much as possible. The typical setup is a firewall with a DMZ, sometimes called a three-legged or 3-interface firewall. The diagram looks like Figure 4.16.
Figure 4.16 Transparent firewall with DMZ.
In this example, the firewall does routing. It can be an SPF firewall, or transparent proxy; it doesn't really matter. When an inside user wants to get out, they must traverse the firewall. When either the inside or outside wants to get to the public servers, they must traverse the firewall. It's not depicted on the diagram, but the rules on this type of firewall would prevent the Internet from connecting to the inside. Typically, the inside would be using RFC 1918 addresses, and the firewall would be doing PAT for the inside machines. Most likely, the rules on the firewall are set up for at least a few inside machines to have a somewhat higher level of access to the public servers, for administration purposes. An important result of this type of architecture is that the inside doesn't fully trust the DMZ. That is, the DMZ machines can't get back inside, at least not for all ports. This means that if the DMZ machines are compromised, the inside may still be protected.
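The rules the text says are not depicted in Figure 4.16 can be written down and tested. The following Python is an added example, not the book's configuration: it classifies addresses into inside, DMZ and outside zones, expresses the policy as an ordered rule table with a default deny, and evaluates a handful of connections, including a compromised DMZ host trying to reach back inside. The address ranges, the server addresses and the administrative host are assumptions.

```python
"""The rule set behind the three-legged firewall of Figure 4.16, evaluated
against sample connections.  Added example, not the book's configuration;
address ranges, server addresses and the administrative host are assumed."""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")            # assumed RFC 1918 inside network
DMZ = ipaddress.ip_network("198.51.100.0/28")          # assumed public-server segment
WEB_SERVER = ipaddress.ip_address("198.51.100.2")      # assumed
MAIL_SERVER = ipaddress.ip_address("198.51.100.3")     # assumed
ADMIN_HOST = ipaddress.ip_address("10.0.0.42")         # assumed inside machine with extra access

# (src zone, src host, dst zone, dst host, ports, action); None means "any".
# First match wins; anything unmatched is denied.
RULES = [
    ("inside",  None,       "outside", None,        None,      "allow"),  # users get out
    (None,      None,       "dmz",     WEB_SERVER,  {80, 443}, "allow"),  # public Web service
    (None,      None,       "dmz",     MAIL_SERVER, {25},      "allow"),  # public mail service
    ("inside",  ADMIN_HOST, "dmz",     None,        None,      "allow"),  # administration
    ("dmz",     None,       "inside",  None,        None,      "deny"),   # DMZ is not trusted
    ("outside", None,       "inside",  None,        None,      "deny"),   # Internet never gets in
]


def zone_of(ip):
    if ip in INSIDE:
        return "inside"
    if ip in DMZ:
        return "dmz"
    return "outside"


def decide(src_ip, dst_ip, dport):
    """Return 'allow' or 'deny' for a connection attempt to dst_ip:dport."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src, rule_src_host, rule_dst, rule_dst_host, ports, action in RULES:
        if rule_src is not None and rule_src != src_zone:
            continue
        if rule_src_host is not None and rule_src_host != src:
            continue
        if rule_dst is not None and rule_dst != dst_zone:
            continue
        if rule_dst_host is not None and rule_dst_host != dst:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"                      # default: anything not explicitly allowed is dropped


def matrix():
    """Decisions for a few representative connections (constructed cases)."""
    cases = [
        ("10.0.0.5",     "203.0.113.7",  80),   # inside user browsing the Internet
        ("203.0.113.7",  "198.51.100.2", 80),   # Internet visitor to the Web server
        ("203.0.113.7",  "198.51.100.2", 22),   # Internet to a management port on the DMZ
        ("203.0.113.7",  "10.0.0.5",     80),   # Internet straight to the inside
        ("198.51.100.2", "10.0.0.5",     445),  # compromised DMZ host reaching back inside
        ("10.0.0.42",    "198.51.100.2", 22),   # administrator managing the Web server
        ("10.0.0.5",     "198.51.100.2", 22),   # ordinary inside host trying the same
    ]
    return [(s, d, p, decide(s, d, p)) for s, d, p in cases]


if __name__ == "__main__":
    for src, dst, port, action in matrix():
        print("%-14s -> %-14s port %-4d %s" % (src, dst, port, action))
```

The last two cases show the "somewhat higher level of access" for a few inside machines: the administrative host reaches the Web server's management port, an ordinary inside host does not. The DMZ-to-inside rule is what limits the damage if a public server is compromised.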
References & Resources

It's impossible to cover every detail of NAT, proxies, and firewalls in a chapter, so we have provided a number of resources to which you may refer. Some of them are general, like the RFCs, and some are very specific, such as Web pages at Cisco about their NAT software. Most likely, you will want to scan through the list and look for topics that are of interest to you. In addition, if you are planning to implement one of the technologies mentioned here, you will need to read the relevant documentation, also referenced here.

RFCs

http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html

RFC 1918 is the current RFC covering private address space and NAT. The official documentation for the private address ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) is located here. In addition, the top of the document contains links to related and obsolete RFCs. A related RFC that isn't referenced in RFC 1918,

http://www.cis.ohio-state.edu/htbin/rfc/rfc1631.html

is aimed at NAT developers and implementers.

IP Masquerade/Linux

http://ipmasq.cjb.net/

This is the main place to start looking for IP Masquerade documentation. On this page, you'll find a changelog, a link to the HOWTO:

http://members.home.net/ipmasq/ipmasq-HOWTO.html

which links to pages on how to join an IP Masquerade mailing list, and links to locations to get IP Masquerade handlers. The links on
the page at the time of this writing were broken (may be fixed by the time you check the main page), but this one works:

http://www.tsmservices.com/masq/

http://www.rustcorp.com/linux/ipchains/

This is information about IPChains, which is needed to work with IP Masquerade.

Cisco

Cisco has several documents regarding their NAT implementation in their routers. If you plan to use this, you owe it to yourself to at least familiarize yourself with them.

http://www.cisco.com/warp/public/458/41.html

This is the Cisco NAT FAQ.

http://www.cisco.com/warp/public/701/60.html

This is Cisco's NAT technical tips, where Cisco documents what protocols are and are not covered, among other things.

http://www.cisco.com/warp/public/cc/sol/mkt/ent/ndsgn/natl_wp.htm

This is a Cisco NAT white paper. It's at a similar technical level to this chapter, but obviously with a Cisco focus. They cover configuration examples, and a few features that weren't touched on here, like TCP load balancing.

Windows

http://www.uq.net.au/~zzdmacka/the-nat-page/nat_windows.html

Here is an excellent list of Windows-based NAT products. In fact, there are several sections on NAT that are worth checking out there.
My favorite low-cost Windows NAT product is SyGate from Sybergen Networks. It's inexpensive, and easy to set up. You can even get a trial version to evaluate. Look for it here:

http://www.sygate.com/

Microsoft Proxy Server was mentioned a couple of times; information about it can be found here:

http://www.microsoft.com/proxy/default.asp

If you're thinking about running it, you have to check out the MSProxy FAQ:

http://proxyfaq.networkgods.com/

NAT Whitepapers

Here are a couple of independent NAT white papers/resources:

http://www.alumni.caltech.edu/~dank/peer-nat.html

This one has a focus on peer-to-peer networking and NAT.

http://www.kfu.com/~dwh/nat-wp.html

This one reiterates some of the driving issues behind RFC 1918. @Work maintains a NAT FAQ. It's geared towards their users, but contains some useful information and definitions:

http://work.home.net/whitepapers/natfaq.html

Firewalls

There are several firewall FAQs:

http://www.clark.net/pub/mjr/pubs/fwfaq/
This one is particularly good. It's very complete, and covers the basics well.

http://www.waterw.com/~manowar/vendor.html

This is a good collection of firewall information, in the form of a comparison sheet.

ftp://ftp.greatcircle.com/pub/firewalls/Welcome.html

This contains the firewalls' mailing list and archive.

http://www.nfr.net/firewall-wizards/

There are a few Firewall-1 FAQs:

http://www.phoneboy.com/fw1/

The Phoneboy FAQ; Dameon knows Firewall-1 well.

http://www.drew.com/bastions/FW1_faq.html

Here's a second FW-1 FAQ. You might like the organization better.

http://www2.checkpoint.com/~joe/
Chapter 5 Variable-Length Subnet Masking
Introduction

Variable-length subnet masks (VLSM) allow network administrators to "right size" each subnet. With fixed-length subnet masks, however, each subnet in the network is the same size because each device has the same subnet mask, regardless of the need for addresses in each subnet. If we select a class mask of 255.255.254.0, each subnet is allocated 510 addresses. Most LANs have an upper limit of less than 150 devices due to traffic patterns and capacity of the physical LAN media. In actual fact, each network, WAN or LAN, has a different number of devices. With VLSM, the address administrator can more closely match the addressing needs of each subnet and use the address space more efficiently.

Why Are Variable-Length Masks Necessary?

Here is a parallel example of why VLSM is important. When restaurants sell pie, each piece of the pie is the same size. Each restaurant patron gets the same size pie slice regardless of "the need" (see Figure 5.1).

Figure 5.1 Uniform pie slices.
Ah, yes, the pie chart! If these people were subnets, they would all get the same size subnet regardless of how many addresses they really needed. Let's look at another possibility in Figure 5.2. Each person has a different appetite; they all need a different size slice of the pie.

Figure 5.2 Variable-size pie slices.
When subnetting, it may be necessary to give each subnet an appropriate slice of the pie based on the actual number of addresses needed, rather than assume that all subnets need the same number of addresses. VLSM is the answer to this problem.

Right-sizing Your Subnets

What do we mean by right-sizing subnets? Simply put, it is providing the right number of addresses for each subnet so that we don't end up wasting addresses. Figure 5.3 shows a simple network diagram.

Figure 5.3 The 153.90.0.0 network.

In this diagram there are three Ethernet networks, one token ring network, and four point-to-point WAN connections. Each of these is a subnet within the total corporate network. The actual number of host addresses for each subnet is in Table 5.1. If we were to assign a subnet mask of 255.255.255.0 for this class B addressed network, all subnets would be allocated 254 host addresses. This results in a lot of unused addresses, as shown in Table 5.2.
Table 5.1 Subnet Needs

Subnet  Hosts
A         150
B          24
C          90
D          53
E           2
F           2
G           2
H           2

Table 5.2 Addresses Wasted

Subnet  Hosts  Allocated  Unused
A         150        254     104
B          24        254     230
C          90        254     164
D          53        254     201
E           2        254     252
F           2        254     252
G           2        254     252
H           2        254     252
Total               2032    1707
What if we choose a subnet mask for each subnet that allocates a more appropriate number of addresses in each subnet? Using the subnet masking tables from Chapter 1, we determine that the masks in Table 5.3 should be used in each of the subnets. How did we determine which mask to use? In the subnet mask table for class B networks, we located the mask that allowed the number of hosts required for each subnet.
Table 5.3 Using Appropriate Masks

Subnet  Hosts  Mask Assigned    Allocated  Unused
A         150  255.255.255.0          254     104
B          24  255.255.255.224         30       6
C          90  255.255.255.128        126      36
D          53  255.255.255.192         62       9
E           2  255.255.255.252          2       0
F           2  255.255.255.252          2       0
G           2  255.255.255.252          2       0
H           2  255.255.255.252          2       0
Total                                  480     155
Subnet A needed 150 hosts. In the class B subnet mask table we found that 255.255.255.0 allocates 254 addresses. We looked at some alternatives: The mask 255.255.255.192 allocates 62 addresses and cannot be used because the number of hosts is too small; on the other hand, the mask 255.255.254.0 allocates 510 hosts. This is far too many for our needs and should not be used. The mask 255.255.255.0 was selected for the best fit. The rest of the subnets were evaluated using the same process. When it came to subnets E through H, the process was very simple. These subnets are actually point-to-point WAN links, and will have no more than two host addresses. Selecting the mask was easy because 255.255.255.252 allocates two addresses to each subnet and is an exact match for our needs.
More Addresses or More Useful Addresses?

You have probably noticed that we have saved addresses in the VLSM process. That is, we have not placed addresses in subnets that are not being used. That's not quite true; with VLSM we have a much closer match in addresses allocated to addresses needed. We do assign addresses to subnets that are not used, but we do not have as many unused addresses as we do with fixed-length subnetting. Table 5.4 gives the results of the VLSM process for our simple network.
Table 5.4 Address Savings

                       Allocated  Unused
Fixed-Length Mask           2032    1707
Variable-Length Masks        480     155
Did we get more addresses? No, we still have a class B address. Are we using the addresses we have better than before? Yes; as a matter of fact, because we use the addresses more efficiently, VLSM allows us to implement more subnets with the same class of address. We didn't get more addresses, but we do have more useful addresses.
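The mask selection and the savings in Tables 5.2 through 5.4 can be reproduced in code, and the same logic carried one step further to lay the right-sized subnets out in the 153.90.0.0 block. The following Python is an added example, not from the book: best_prefix() performs the class B mask-table lookup the text describes, plan() tallies allocated and unused addresses for either fixed-length or right-sized masks, and allocate() hands out contiguous ranges largest subnet first. The allocation order and the use of the whole 153.90.0.0/16 block are assumptions.

```python
"""Right-sizing subnet masks for the 153.90.0.0 network of Tables 5.1 to 5.4.
Added example, not the book's code; the largest-first allocation order and
the /16 starting block are assumptions."""
import ipaddress

# Host requirements from Table 5.1
NEEDS = {"A": 150, "B": 24, "C": 90, "D": 53, "E": 2, "F": 2, "G": 2, "H": 2}


def usable_hosts(prefix):
    """Usable host addresses behind a prefix: all addresses minus network and broadcast."""
    return 2 ** (32 - prefix) - 2


def best_prefix(hosts):
    """The class B mask-table lookup the chapter describes: the longest prefix
    (smallest subnet) whose usable host count still covers `hosts`."""
    for prefix in range(30, 16, -1):        # /30 (2 hosts) up to /17; /16 is the whole class B
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("more hosts than one class B network can hold")


def mask(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 27 -> 255.255.255.224."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefix).netmask)


def plan(needs, fixed_prefix=None):
    """Return ({subnet: (mask, allocated, unused)}, total allocated, total unused).
    With fixed_prefix=24 this reproduces Table 5.2; without it, Table 5.3."""
    rows = {}
    for name, hosts in needs.items():
        prefix = fixed_prefix if fixed_prefix is not None else best_prefix(hosts)
        allocated = usable_hosts(prefix)
        rows[name] = (mask(prefix), allocated, allocated - hosts)
    return rows, sum(r[1] for r in rows.values()), sum(r[2] for r in rows.values())


def allocate(needs, block="153.90.0.0/16"):
    """Carve the right-sized subnets out of `block`, largest first, so each one
    starts on its own natural boundary.  Returns {subnet: "network/prefix"}."""
    cursor = ipaddress.ip_network(block).network_address
    result = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: (-kv[1], kv[0])):
        subnet = ipaddress.ip_network((cursor, best_prefix(hosts)))  # strict: raises if misaligned
        result[name] = str(subnet)
        cursor = subnet.broadcast_address + 1
    return result


if __name__ == "__main__":
    for label, prefix in (("fixed-length /24", 24), ("variable-length", None)):
        rows, allocated, unused = plan(NEEDS, prefix)
        print("%-18s allocated %4d  unused %4d" % (label, allocated, unused))
    for name, net in allocate(NEEDS).items():
        print(name, net)
```

Allocating in descending size keeps every subnet on a natural boundary, which is why the ipaddress module's strict alignment check never fails here; taking the subnets in Table 5.1 order instead would put subnet C at an address that is not a /25 boundary.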
The Importance of Proper Planning

The process of creating a VLSM subnetting structure requires a lot of advanced planning. A survey of the network is required. The survey must include the number of required subnets, the number of planned but not deployed subnets, the number of devices currently in each subnet and the number of planned but not deployed devices in each subnet. That seems like a lot of work but is necessary. You want to develop a plan that covers what you currently have and what you will probably have in the future.

Deciding to convert from fixed-length masks to VLSM requires a large commitment on the part of the address planner, network managers, and users. If an existing network is changed from fixed-length masks to VLSM, the entire network addressing structure will be affected. Every subnet will be assigned new address ranges and the administrative burden necessary to complete the process will be immense. Each and every device in the network will probably have to be readdressed. Do not underestimate the amount of work required to convert an existing network to VLSM.

If you fail to understand your network and subnet requirements adequately, you may develop a plan that cannot be deployed successfully. For existing networks, you may have done a lot of work planning and implementing only to find that your work must be discarded. You or other administrators and users may have readdressed thousands of devices only to find that they must be readdressed again due to a bad address plan. The following steps will help you make sure your address plan is successful the first time.
Creating and Managing Variable-Length Subnets

Creating a variable-length subnet mask addressing design requires the completion of four separate phases. Each of the phases must be completed before moving to the next phase.
1. Analyze subnet needs.
2. Enumerate each subnet and number of required nodes.
3. Determine which mask to use in each subnet.
4. Allocate addresses based on need for each subnet.
The details of each phase follow.
Analyze Subnet Needs

As we mentioned earlier, you need to know exactly what you have today and what you will need tomorrow for each subnet. A simple spreadsheet or matrix detailing each subnet will help you determine your needs. Remember to locate and list all networks.
Enumerate Each Subnet and Number of Required Nodes

When the detailed needs survey is completed, the matrix you develop will contain all of the LANs and WANs with the number of hosts in each subnet (see Table 5.5). The matrix in Table 5.6 contains the survey information but has been sorted in descending sequence by the total number of hosts in each subnet in the future. The purpose of sorting the matrix is to group subnets together based on the number of hosts in the subnets. Subnets with similar numbers of host addresses will have the same subnet mask.
Table 5.5 Network Survey

Network                       | Location                             | Type               | Status              | Hosts Today | Hosts Future
Accounting                    | Building 3, 4th floor                | LAN-Ethernet       | Operational         | 131         | 140
Accounting Link to Building 4 | Building 3-4                         | WAN-PPP            | Operational         | 2           | 2
Personnel                     | Building 4, 1st floor                | LAN-Ethernet       | Operational         | 72          | 83
Personnel Expansion           | Building 4, 2nd floor                | LAN-100MB Ethernet | Planned Spring 2000 | -           | 29
Logistics                     | Warehouse                            | LAN-Token ring     | Operational         | 81          | 89
Shipping                      | Warehouse                            | LAN-Ethernet       | Operational         | 18          | 25
Warehouse to Building 4       | Warehouse-Building 4, 1st floor link | WAN-PPP            | Operational         | 2           | 2
Receiving                     | Loading Dock                         | LAN-Ethernet       | Operational         | 14          | 17
Loading Dock to Warehouse     | Loading Dock-Warehouse link          | WAN-PPP            | Operational         | 2           | 2
Determine Which Mask to Use in Each Subnet

Using the class B subnetting table, we select the subnet mask that allocates the necessary addresses for each subnet in Table 5.7. When working with a real networking problem, make sure you leave enough room for growth in each subnet you specify. If you need 150 devices in a subnet, leave room for 200. If you need 40 devices, leave room for 60. Select a mask that gives you the allocation you need today and may need tomorrow.
Table 5.6 Subnet Address Requirements

Network                       | Location                             | Type               | Status              | Hosts Today | Hosts Future
Accounting                    | Building 3, 4th floor                | LAN-Ethernet       | Operational         | 131         | 140
Logistics                     | Warehouse                            | LAN-Token ring     | Operational         | 81          | 89
Personnel                     | Building 4, 1st floor                | LAN-Ethernet       | Operational         | 72          | 83
Personnel Expansion           | Building 4, 2nd floor                | LAN-100MB Ethernet | Planned Spring 2000 | -           | 29
Shipping                      | Warehouse                            | LAN-Ethernet       | Operational         | 18          | 25
Receiving                     | Loading Dock                         | LAN-Ethernet       | Operational         | 14          | 17
Accounting Link to Building 4 | Building 3-4                         | WAN-PPP            | Operational         | 2           | 2
Warehouse to Building 4       | Warehouse-Building 4, 1st floor link | WAN-PPP            | Operational         | 2           | 2
Loading Dock to Warehouse     | Loading Dock-Warehouse link          | WAN-PPP            | Operational         | 2           | 2
Allocate Addresses Based on Need for Each Subnet

Now it is time to determine which range of addresses will be assigned in each subnet. With fixed-length subnetting, the ranges of addresses are uniform and easily determined; with variable-length mask subnetting, the address ranges are just as important but more difficult to assign. A tool can be used to help determine which addresses to use.
Table 5.7 Subnet Mask Selection

Network                       | Location                             | Type               | Status              | Hosts Today | Hosts Future | Subnet Mask     | Max Hosts/Subnet
Accounting                    | Building 3, 4th floor                | LAN-Ethernet       | Operational         | 131         | 140          | 255.255.255.0   | 254
Logistics                     | Warehouse                            | LAN-Token ring     | Operational         | 81          | 89           | 255.255.255.128 | 126
Personnel                     | Building 4, 1st floor                | LAN-Ethernet       | Operational         | 72          | 83           | 255.255.255.128 | 126
Personnel Expansion           | Building 4, 2nd floor                | LAN-100MB Ethernet | Planned Spring 2000 | -           | 29           | 255.255.255.192 | 62
Shipping                      | Warehouse                            | LAN-Ethernet       | Operational         | 18          | 25           | 255.255.255.224 | 30
Receiving                     | Loading Dock                         | LAN-Ethernet       | Operational         | 14          | 17           | 255.255.255.224 | 30
Accounting Link to Building 4 | Building 3-4                         | WAN-PPP            | Operational         | 2           | 2            | 255.255.255.252 | 2
Warehouse to Building 4       | Warehouse-Building 4, 1st floor link | WAN-PPP            | Operational         | 2           | 2            | 255.255.255.252 | 2
Loading Dock to Warehouse     | Loading Dock-Warehouse link          | WAN-PPP            | Operational         | 2           | 2            | 255.255.255.252 | 2
For the purposes of this example, we will be subnetting the 172.38.0.0 class B network. The actual range of addresses that can be assigned in this network is 172.38.0.1 through 172.38.255.254. The addresses 172.38.0.0 and 172.38.255.255 are excluded as the network address and the network broadcast address. To simplify allocation, divide the network addresses into 256 groups based on the third octet of the address. In this case, the 256 blocks are given in Table 5.8.

Table 5.8 Address Block Matrix (third-octet value of each block; each column holds 16 consecutive blocks)

  0  16  32  48  64  80  96 112 128 144 160 176 192 208 224 240
  1  17  33  49  65  81  97 113 129 145 161 177 193 209 225 241
  2  18  34  50  66  82  98 114 130 146 162 178 194 210 226 242
  3  19  35  51  67  83  99 115 131 147 163 179 195 211 227 243
  4  20  36  52  68  84 100 116 132 148 164 180 196 212 228 244
  5  21  37  53  69  85 101 117 133 149 165 181 197 213 229 245
  6  22  38  54  70  86 102 118 134 150 166 182 198 214 230 246
  7  23  39  55  71  87 103 119 135 151 167 183 199 215 231 247
  8  24  40  56  72  88 104 120 136 152 168 184 200 216 232 248
  9  25  41  57  73  89 105 121 137 153 169 185 201 217 233 249
 10  26  42  58  74  90 106 122 138 154 170 186 202 218 234 250
 11  27  43  59  75  91 107 123 139 155 171 187 203 219 235 251
 12  28  44  60  76  92 108 124 140 156 172 188 204 220 236 252
 13  29  45  61  77  93 109 125 141 157 173 189 205 221 237 253
 14  30  46  62  78  94 110 126 142 158 174 190 206 222 238 254
 15  31  47  63  79  95 111 127 143 159 175 191 207 223 239 255
The third octet contains the number of each possible block of 254 addresses that can be assigned if a subnet mask of 255.255.255.0 is used. If a subnet requires 300 addresses, you could use 172.38.1.0 and 172.38.2.0 to allocate a total of 510 addresses for the subnet. You would then strike through the two numbers 1 and 2 in Table 5.8 to show that the two complete 254-address blocks have been used and subsequently cannot be subdivided. Prepare a chart similar to this to keep track of the large address blocks that you have used.
For variable-length masks with allocations of less than 254 addresses, each of these blocks may be subdivided. Here is how we will address the example problem. The first subnet we are going to allocate uses a subnet mask of 255.255.255.0. One address block in Table 5.8 will allocate 254 addresses. This is the number of hosts available in an address block when the mask is 255.255.255.0. We will use 172.38.1.0 for the first subnet. The range of addresses used in that subnet is 172.38.1.0 through 172.38.1.255. In case we need additional subnets requiring a mask of 255.255.255.0, we are reserving the blocks 172.38.2.0 through 172.38.31.0 for that purpose.

The second and third subnets use a mask of 255.255.255.128. This mask allocates one-half of a block of 256 addresses. There are 128 addresses in one allocation and 128 addresses in the other. In Table 5.9 we have allocated one-half of the 172.38.32.0 block to the second subnet and the other half to the third subnet. The 172.38.32.0 block is fully allocated and cannot be used for other subnets. In case we need additional subnets requiring a mask of 255.255.255.128, we are reserving blocks 172.38.33.0 through 172.38.63.0, which will allow us to allocate an additional 62 subnets of 126 addresses.
Table 5.9 Address Assignments

Network                       | Location                             | Subnet Mask     | Max Hosts/Subnet | Addresses Allocated
Accounting                    | Building 3, 4th floor                | 255.255.255.0   | 254              | 172.38.1.0 - 172.38.1.255
Logistics                     | Warehouse                            | 255.255.255.128 | 126              | 172.38.32.0 - 172.38.32.127
Personnel                     | Building 4, 1st floor                | 255.255.255.128 | 126              | 172.38.32.128 - 172.38.32.255
Personnel Expansion           | Building 4, 2nd floor                | 255.255.255.192 | 62               | 172.38.64.64 - 172.38.64.127
Shipping                      | Warehouse                            | 255.255.255.224 | 30               | 172.38.128.32 - 172.38.128.63
Receiving                     | Loading Dock                         | 255.255.255.224 | 30               | 172.38.128.64 - 172.38.128.95
Accounting Link to Building 4 | Building 3-4                         | 255.255.255.252 | 2                | 172.38.254.4 - 172.38.254.7
Warehouse to Building 4       | Warehouse-Building 4, 1st floor link | 255.255.255.252 | 2                | 172.38.254.8 - 172.38.254.11
Loading Dock to Warehouse     | Loading Dock-Warehouse link          | 255.255.255.252 | 2                | 172.38.254.12 - 172.38.254.15
In completing this table, we assigned addresses from different blocks. To determine which addresses to use with different masks, use the address assignment templates found at the end of this chapter.
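Step 4 is where misaligned ranges and overlaps creep into a hand-built plan, so here is a checker, added for this chapter and not code from the book, that applies the rules above to the Table 5.9 plan using Python's standard ipaddress module: every range must start on a boundary of its own mask, end at that block's last address, hold the subnet's future host count, and overlap no other range. It also performs the step 3 mask lookup of Table 5.7 (the chapter rounds Personnel Expansion's 29 hosts up to a .192 mask for growth; the function returns the smallest mask that fits).

```python
"""Consistency check for a VLSM address plan (class B example of Table 5.9)."""
import ipaddress

# Constructed from Tables 5.6 and 5.9:
# (network, future hosts, subnet mask, first address, last address)
CLASS_B_PLAN = [
    ("Accounting", 140, "255.255.255.0", "172.38.1.0", "172.38.1.255"),
    ("Logistics", 89, "255.255.255.128", "172.38.32.0", "172.38.32.127"),
    ("Personnel", 83, "255.255.255.128", "172.38.32.128", "172.38.32.255"),
    ("Personnel Expansion", 29, "255.255.255.192", "172.38.64.64", "172.38.64.127"),
    ("Shipping", 25, "255.255.255.224", "172.38.128.32", "172.38.128.63"),
    ("Receiving", 17, "255.255.255.224", "172.38.128.64", "172.38.128.95"),
    ("Accounting Link to Building 4", 2, "255.255.255.252", "172.38.254.4", "172.38.254.7"),
    ("Warehouse to Building 4", 2, "255.255.255.252", "172.38.254.8", "172.38.254.11"),
    ("Loading Dock to Warehouse", 2, "255.255.255.252", "172.38.254.12", "172.38.254.15"),
]


def usable_hosts(mask):
    """Usable host addresses under a dotted-decimal mask (network and broadcast excluded)."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).num_addresses - 2


def mask_for_hosts(hosts):
    """Smallest subnet (longest prefix) whose usable host count covers the requirement,
    i.e. the step 3 selection from the class B subnetting table."""
    for prefix in range(30, 15, -1):  # from /30 (2 hosts) up to /16 (the whole class B)
        if 2 ** (32 - prefix) - 2 >= hosts:
            return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    raise ValueError(f"{hosts} hosts do not fit in one class B subnet")


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    assigned = []  # (name, network) pairs already accepted
    for name, future, mask, first, last in plan:
        try:
            # strict=True (the default) rejects a first address with host bits set,
            # i.e. one that does not sit on the boundary of its own mask
            net = ipaddress.IPv4Network((first, mask))
        except ValueError:
            problems.append(f"{name}: {first} does not start on a {mask} boundary")
            continue
        if ipaddress.IPv4Address(last) != net.broadcast_address:
            problems.append(f"{name}: range must end at {net.broadcast_address}, not {last}")
        if future > usable_hosts(mask):
            problems.append(f"{name}: {future} hosts exceed {usable_hosts(mask)} usable with {mask}")
        for other_name, other in assigned:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        assigned.append((name, net))
    return problems


if __name__ == "__main__":
    for line in check_plan(CLASS_B_PLAN) or ["Table 5.9 plan is consistent"]:
        print(line)
```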
Routing Protocols and VLSM

Before you start a major VLSM implementation, there are a few particulars that must be understood. First, VLSM is difficult to implement. In our previous example we looked at a very small number of subnets. Creating a plan for a large number of subnets is time-consuming and requires accurate information. Making mistakes in a VLSM plan can cause a lot of extra administrative problems. Managers just don't appreciate renumbering the network over and over again because the address administrator made a small mistake or two. The second major issue is that the network routers must be using a routing protocol that supports VLSM: the Routing Information Protocol Version 2 (RIP2), the Open Shortest Path First protocol (OSPF), or Cisco's EIGRP. If your network does not use these protocols, don't use VLSM. These protocols support VLSM because they share subnet mask information among all of the routers so the routers can make proper routing decisions. Without the subnet mask information provided by these protocols, routers assume that all subnets have the same mask. With VLSM they don't, and routing will fail.
Class C VLSM Problem

You may also need to use VLSM to conserve addresses in a class C network. Some experts say that using VLSM in a class C network is too difficult because of the problems implementing the required routing protocols in a small network. If you are running out of addresses, you may not have a choice, and VLSM may be your only solution. In this example, the organization has four operational locations in the greater Chicago area. They have received a public class C address and wish to subnet it using VLSM. Since the network is small, the administrators have decided to implement the RIP2 routing protocol.
The choice to use VLSM was necessary due to the mix of subnets and sizes. There are seven subnets, and the largest subnet will eventually contain 95 devices; using a normal fixed-length mask will not work. A mask of 255.255.255.224 will accommodate 15 subnets but will allow only 14 devices in each subnet. A mask of 255.255.255.128 will allow 126 devices in each subnet but will allow only two subnets. VLSM is a must for this implementation.
Table 5.10 Class C VLSM Problem

Network      | Location                | Type         | Status      | Hosts Today | Hosts Future
Accounting   | Chicago                 | LAN-Ethernet | Operational | 92          | 95
Logistics    | Schaumburg              | LAN-Ethernet | Operational | 37          | 45
Personnel    | Oak Park                | LAN-Ethernet | Operational | 11          | 13
Executive    | Oak Brook               | LAN-Ethernet | Operational | 7           | 9
To Chicago   | Schaumburg to Chicago   | WAN-PPP      | Operational | 2           | 2
To Oak Park  | Schaumburg to Oak Park  | WAN-PPP      | Operational | 2           | 2
To Oak Brook | Schaumburg to Oak Brook | WAN-PPP      | Operational | 2           | 2
After reviewing the networking requirements survey, the administrators developed Table 5.10. Each subnet is described, and the number of hosts required is also included in the table. The next step is to determine which masks to use for each subnet. Table 5.11 shows the subnet masks that the administrators determined were required for each of the subnets. The next part of the task is to determine which address ranges to apply to each subnet. Unlike the class B problem, where we selected large blocks of addresses to subdivide based on mask sizes, the class C problem requires a special technique. Class C networks contain 254 usable addresses. In the class C subnetting problem, we use addresses all from the same 254-address block but select ranges based on the mask in use.
Table 5.11 Class C VLSM Subnet Masks

Network      | Location                | Type         | Status      | Hosts Today | Hosts Future | Subnet Mask     | Max Hosts/Subnet
Accounting   | Chicago                 | LAN-Ethernet | Operational | 92          | 95           | 255.255.255.128 | 126
Logistics    | Schaumburg              | LAN-Ethernet | Operational | 37          | 45           | 255.255.255.192 | 62
Personnel    | Oak Park                | LAN-Ethernet | Operational | 11          | 13           | 255.255.255.240 | 14
Executive    | Oak Brook               | LAN-Ethernet | Operational | 7           | 9            | 255.255.255.240 | 14
To Chicago   | Schaumburg to Chicago   | WAN-PPP      | Operational | 2           | 2            | 255.255.255.252 | 2
To Oak Park  | Schaumburg to Oak Park  | WAN-PPP      | Operational | 2           | 2            | 255.255.255.252 | 2
To Oak Brook | Schaumburg to Oak Brook | WAN-PPP      | Operational | 2           | 2            | 255.255.255.252 | 2
The subnetting tables in Figures 5.4, 5.5, and 5.6 show an easy way to select addresses for each range. At the top of the tables you will find labels for each of the possible fourth octets of the subnet mask. Each table has been assigned a label from A through H for each grouping of 32 available addresses. To assign addresses based on a given mask, select a column for the mask and follow the column down until the column ends. The addresses on the right-hand side of the table are included in the range.
Figure 5.4 VLSM table addresses 0 through 95. Tables A (0-31), B (32-63), and C (64-95), each with columns for the fourth-octet mask values 128, 192, 224, 240, 248, and 252; the addresses listed beside a column segment form one range for that mask.
For example, look at Figure 5.4, table A. To assign an address range based on the subnet mask 255.255.255.248, find the column marked 248. The first range of addresses for the .248 mask is from 0 through 7. The second range of addresses for the .248 mask is from 8 through 15, etc. The third range of addresses for mask .252 is 8 through 11. For each mask number, the tables indicate the range of addresses. Referring again to table A of Figure 5.4, look at the bottom of the 128 and 192 columns. You will see a down arrow indicating that you need to go to the same column in the next table to continue the process of locating addresses. As a matter of fact, to assign addresses using the .128 mask, you will need to view tables A, B, and C of Figure 5.4 and table D of Figure 5.5 to determine all of the possible addresses. The end of the 128 segment on table D of Figure 5.5 does not contain an arrow. The address assignment stops when the arrow is missing. To assign the .128 addresses, you will use 0 through 31 from table A, 32 through 63 from table B, 64 through 95 from table C, and 96 through 127 from table D.
Completing the Class C Problem

Table 5.12 shows the completed address assignment matrix for the class C VLSM problem. Here is how the administrator decided on which addresses to assign. The first location required a mask of 255.255.255.128. The administrator looked at the VLSM tables, located the 128 column in table A, and followed the column down until the arrow at the end of the column was missing. Remember, the arrow says look at the next table, and at the location associated with address 127 the arrow was missing (see table D). The range of addresses is 0 through 127. The next location required a mask of 255.255.255.192. Since all of the addresses from the first four tables were already assigned, the administrator then turned to the remaining tables E, F, G, and H. Looking at table E, the administrator found the 192 column and followed it down to the bottom of the table, found an arrow, and looked to table F. The end of the 192 column on table F did not contain an arrow, so the administrator knew that the addresses for the second subnet started with 128, the first address in table E, and ended with 191, the last address in table F. The range of addresses for the second subnet is 128 through 191.
Figure 5.5 VLSM table addresses 96 through 191. Tables D (96-127), E (128-159), and F (160-191), each with columns for the fourth-octet mask values 128, 192, 224, 240, 248, and 252.
Figure 5.6 VLSM table addresses 192 through 255. Tables G (192-223) and H (224-255), each with columns for the fourth-octet mask values 128, 192, 224, 240, 248, and 252.
Table 5.12 Class C Address Assignments

Network      | Location                | Subnet Mask     | Max Hosts/Subnet | Subnet Table Column | Assigned Addresses
Accounting   | Chicago                 | 255.255.255.128 | 126              | A, B, C, D          | 0-127
Logistics    | Schaumburg              | 255.255.255.192 | 62               | E, F                | 128-191
Personnel    | Oak Park                | 255.255.255.240 | 14               | G                   | 192-207
Executive    | Oak Brook               | 255.255.255.240 | 14               | G                   | 208-223
To Chicago   | Schaumburg to Chicago   | 255.255.255.252 | 2                | H                   | 252-255
To Oak Park  | Schaumburg to Oak Park  | 255.255.255.252 | 2                | H                   | 248-251
To Oak Brook | Schaumburg to Oak Brook | 255.255.255.252 | 2                | H                   | 244-247
The next two subnets required a mask of 255.255.255.240. Since all of the addresses had been assigned from tables A, B, C, D, E, and F, the administrator started with table G. In table G, the administrator located the 240 column. The first subnet was assigned the range from 192 to 207, the first grouping in the 240 column, and the second subnet was assigned the range from 208 to 223, the second grouping in the 240 column. The last three subnets required a mask of 255.255.255.252. The only assignable addresses are found in table H, so looking to the 252 column in table H, the administrator assigned the three subnets the ranges 252-255, 248-251, and 244-247. The administrator started at the bottom of the allocation to leave room in case a larger allocation is needed from the top of column H at a later time.
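Walking the columns of tables A through H as described is, in effect, a largest-first allocation from the low end of the block for the LANs and a top-down allocation for the /30 links. The following added example (not code from the book) reproduces Table 5.12 that way from the Table 5.11 survey; the chapter never names the public class C it was given, so 203.0.113.0/24 is a placeholder, and a LAN that no longer fits raises an error, which is the situation the chapter describes for a fixed-length mask.

```python
"""Greedy VLSM allocation for one class C block, reproducing Table 5.12."""
import ipaddress

# Constructed from Table 5.11: (network, future hosts, type)
CLASS_C_SURVEY = [
    ("Accounting", 95, "LAN-Ethernet"),
    ("Logistics", 45, "LAN-Ethernet"),
    ("Personnel", 13, "LAN-Ethernet"),
    ("Executive", 9, "LAN-Ethernet"),
    ("To Chicago", 2, "WAN-PPP"),
    ("To Oak Park", 2, "WAN-PPP"),
    ("To Oak Brook", 2, "WAN-PPP"),
]

# Placeholder for the unnamed public class C of the chapter's example
PLACEHOLDER_CLASS_C = "203.0.113.0/24"


def prefix_for_hosts(hosts):
    """Longest prefix whose block (hosts plus network and broadcast) is a power of two."""
    block = 1 << (hosts + 2 - 1).bit_length()  # smallest power of two >= hosts + 2
    return 32 - (block.bit_length() - 1)


def allocate(network, survey):
    """Return {name: IPv4Network}: LANs largest-first from the bottom of the block,
    WAN links from the top downward in survey order. Raises ValueError when the
    block is exhausted, i.e. the requirements cannot all be met."""
    network = ipaddress.IPv4Network(network)
    lans = sorted((s for s in survey if not s[2].startswith("WAN")),
                  key=lambda s: s[1], reverse=True)
    links = [s for s in survey if s[2].startswith("WAN")]
    low = int(network.network_address)          # next free address from the bottom
    high = int(network.broadcast_address) + 1   # one past the last free address at the top
    plan = {}
    for name, hosts, _ in lans:
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        start = -(-low // size) * size           # round up to the mask boundary
        if start + size > high:
            raise ValueError(f"{network} exhausted at {name} ({hosts} hosts)")
        plan[name] = ipaddress.IPv4Network((start, prefix))
        low = start + size
    for name, hosts, _ in links:
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        start = (high - size) // size * size     # round down to the mask boundary
        if start < low:
            raise ValueError(f"{network} exhausted at {name} ({hosts} hosts)")
        plan[name] = ipaddress.IPv4Network((start, prefix))
        high = start
    return plan


def fourth_octet_range(net):
    """(first, last) fourth-octet values, the form Table 5.12 uses."""
    return int(net.network_address) & 0xFF, int(net.broadcast_address) & 0xFF


if __name__ == "__main__":
    for name, net in allocate(PLACEHOLDER_CLASS_C, CLASS_C_SURVEY).items():
        first, last = fourth_octet_range(net)
        print(f"{name:13s} {str(net.netmask):16s} {first}-{last}")
```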
Using the subnet tables found in Figures 5.4, 5.5, and 5.6 simplifies the procedures for VLSM. You might want to make copies of these pages or create a similar spreadsheet or form to keep track of the addresses you have assigned. It is simple to cross out addresses as you assign them to various subnets. You have a hardcopy record of what you have assigned as well as a graphic representation of the addresses you have used and the addresses you have available.
Template-based Address Assignment

The following templates can be used in variable-length subnetting when the last octet of the mask contains the given value. For example, with a mask of 255.255.255.252, you would look in the template labeled .252 - 64 subnets. In that template, select a range of addresses for use in the subnet you wish to allocate. Once the range of addresses has been allocated from a block of addresses, it cannot be assigned to another subnet. Each of these templates represents a way to subnet the fourth octet of any network address.

.128 - 2 subnets
.0-.127  .128-.255

.192 - 4 subnets
.0-.63  .64-.127  .128-.191  .192-.255

.224 - 8 subnets
.0-.31  .32-.63  .64-.95  .96-.127  .128-.159  .160-.191  .192-.223  .224-.255

.240 - 16 subnets
.0-.15  .16-.31  .32-.47  .48-.63  .64-.79  .80-.95  .96-.111  .112-.127
.128-.143  .144-.159  .160-.175  .176-.191  .192-.207  .208-.223  .224-.239  .240-.255

.248 - 32 subnets
.0-.7  .8-.15  .16-.23  .24-.31  .32-.39  .40-.47  .48-.55  .56-.63
.64-.71  .72-.79  .80-.87  .88-.95  .96-.103  .104-.111  .112-.119  .120-.127
.128-.135  .136-.143  .144-.151  .152-.159  .160-.167  .168-.175  .176-.183  .184-.191
.192-.199  .200-.207  .208-.215  .216-.223  .224-.231  .232-.239  .240-.247  .248-.255

.252 - 64 subnets
.0-.3  .4-.7  .8-.11  .12-.15  .16-.19  .20-.23  .24-.27  .28-.31
.32-.35  .36-.39  .40-.43  .44-.47  .48-.51  .52-.55  .56-.59  .60-.63
.64-.67  .68-.71  .72-.75  .76-.79  .80-.83  .84-.87  .88-.91  .92-.95
.96-.99  .100-.103  .104-.107  .108-.111  .112-.115  .116-.119  .120-.123  .124-.127
.128-.131  .132-.135  .136-.139  .140-.143  .144-.147  .148-.151  .152-.155  .156-.159
.160-.163  .164-.167  .168-.171  .172-.175  .176-.179  .180-.183  .184-.187  .188-.191
.192-.195  .196-.199  .200-.203  .204-.207  .208-.211  .212-.215  .216-.219  .220-.223
.224-.227  .228-.231  .232-.235  .236-.239  .240-.243  .244-.247  .248-.251  .252-.255
Summary

Variable-length subnet masking (VLSM) is often necessary when addresses are scarce and you need to use the addresses you have effectively. With legacy IP networks, implementing VLSM often requires a complete renumbering of the entire network, so the decision to use VLSM must be made with full knowledge of the required administrative processes.
Regardless of the reason why VLSM is implemented, it requires the use of certain routing protocols to be successful. RIP2, OSPF, and EIGRP must be used on your network routers to ensure that VLSM works correctly. The process of creating a VLSM address plan includes the following steps:

1. Analyze subnet needs.
2. Enumerate each subnet and number of required nodes.
3. Determine which mask to use in each subnet.
4. Allocate addresses based on need for each subnet.
Survey your network to determine the number of subnets present. Determine the type of network and the current and future number of devices in each subnet. Create a list of the subnets you have, and group subnets together by size. With like-size subnets together, determine the appropriate mask for each subnet. Use subnetting tables A through H to help assign addresses where the fourth octet of the mask contains .128, .192, .224, .240, .248, or .252. Once addresses are allocated to a subnet, they cannot be allocated to other subnets. You must keep track of addresses carefully when you are creating the VLSM address plan to make sure that the subnet allocations for one subnet do not overlap other subnets. This often happens when an address is applied twice because it occurs in one size subnet and in another size subnet. No address ranges are allowed to overlap. VLSM does save addresses, but if you have the ability to use a private address space with a network or port address translation process, it may be just as useful to implement a fixed-length subnet mask with a private address space. The administration is easier and address planning is simpler.
Q: We are running RIP in our network because it is an easy routing protocol to administer and because our network is small. Can we use VLSM?

A: RIP version 1 does not allow for the implementation of VLSM, but RIP version 2 does. Check to determine which version of RIP you are using before you commit to VLSM.
Q: Why do I have to understand all about my network to do VLSM? When we did our original subnetting we just started assigning our addresses using a mask, and it was very simple.

A: Using fixed-length masks to create your addressing plan is much easier than using VLSM. With fixed-length masks, each subnet is the same size and the number of addresses in each subnet is the same. A very simple process can be used to assign addresses. With VLSM, everything is more complex because all subnets are not the same size and there is no simple process for allocating addresses. Using the tables found in this chapter is about the easiest manual process available.
Q: Why should I group subnets of similar sizes together before I start allocating addresses?
A: So that you assign uniform blocks of addresses from similar ranges. If you choose arbitrary ranges of addresses, you might create small address blocks in your plan that cannot be used because they are too small for your current requirements. You might actually need some subnets that have 30 addresses, but because you did not plan appropriately, you might be left with lots of 16-address blocks that are not contiguous and cannot be used.
Chapter 6
Routing Issues
Introduction

This chapter will discuss the purpose of routing and the many issues that arise from routing in various network environments, from smaller networks to very large, complicated, dynamic networks such as the Internet. We will introduce the many routing protocols, such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP), and discuss the characteristics and issues involved with each. Each routing protocol has its own set of strengths and weaknesses that you will need to assess in order to understand how to implement this protocol. You will also see how these routing protocols are addressing the issue of the exhaustion of available IP addresses, the introduction of the IPv6 protocol, and the concern for growing routing tables on major routers on the Internet. As most people know, the rate of growth on the Internet is phenomenal, and usage has increased nearly exponentially. Networks and hosts are being added to the Internet, which threatens to eat up every available IP address unless something is done. Not only is the exhaustion of available IP addresses an important issue, we also have to deal with the tremendous amount of routing that takes place on the Internet. Routers are network devices used to route packets to different networks on the Internet. The Internet is composed of hundreds of thousands of different networks.
Routers use a routing table, which is an internal table that contains routes to networks and other routers. In most routers found on the Internet, these routes are learned dynamically by the use of a dynamic routing protocol such as RIP, IGRP, OSPF, and BGP, to name a few. Routers share information with each other concerning the availability of paths and the shortest distance to a destination. In the past, the routing tables have been growing as fast as the Internet; however, technology has not been able to keep pace. The number of routes advertised has doubled every 10 months. It was estimated that there were around 2000 routes on the Internet in 1990, and two years later there were 8500 routes. In 1995 there were over 29,000 routes, which required around 10MB of memory for the router. A router requires a significant amount of RAM and CPU in order to add, modify, delete, and advertise these routing tables with other routers. The routing tables have been growing at a slower rate, and we now have about 65,000 routes. With the advent of Classless Interdomain Routing, we have been able to limit significantly the growth of these routing tables, making them more manageable and efficient.
Classless Interdomain Routing

Classless Interdomain Routing (CIDR, pronounced as apple "cider") was developed when the world was faced with the exhaustion of class B address space and the explosion of routing between tons of class C addresses. CIDR allows for a more efficient allocation of IP addresses than the old class A, B, and C address scheme. This old scheme is often referred to as "classful" addressing, whereas CIDR is referred to as "classless" addressing, as illustrated in Figure 6.1.

Figure 6.1 The prefix length of a classless address.
Another term for CIDR supernetting is prefix-based addressing. As you can see in Figure 6.1, it looks very similar to custom subnet masking, where the boundary between the network ID and host ID is not fixed. You will learn later in this section just how this supernetting is possible. If you are familiar with TCP/IP subnet masking, you will have no problems understanding the concept of supernetting and classless addressing. Both concepts involve "masking" a portion of the IP address to reveal a network address. CIDR extended the successful ideas of TCP/IP subnetting. Some say that if it weren't for the advent of CIDR, the Internet would not be functioning today. That is a testament to the power of CIDR, and the need of CIDR for networking supernetting. CIDR is the best hope we have for smoothing the transition from IPv4 to IPv6. The IETF wrote the standard for CIDR in the early 1990s, and it is described in RFC 1517 through RFC 1520. CIDR has a primary requirement for using a routing protocol, such as RIP version 2, OSPF version 2, and BGP version 4. CIDR helps the Internet reduce the routing overload by minimizing routing tables and making sure the most important routes are carried by most routers, making the path to sites much quicker. These routing tables are global, and contain information for routes across the planet, so you can begin to see how large these routing tables can get. The routing tables are dangerously close to a level where current software, hardware, and people can no longer effectively manage them. CIDR is very similar to subnetting, but actually is a more advanced method of subnetting that can combine networks into supernets; subnetting, on the other hand, involves breaking networks into smaller, more manageable subnets. This is accomplished through the use of the subnet mask, which masks a portion of the IP address to differentiate the network ID from the host ID.
With CIDR, you basically eliminate the concept of class A, B, and C networks, and replace them with a generalized IP prefix consisting of an IP address and the mask length. For example, a single class C address would appear as 195.129.1.0/24, in which /24 refers to the number of bits of the network portion of the IP address. With the traditional class A, B, and C addressing scheme, the addresses were identified by converting the first eight bits of the address to their decimal equivalent. Table 6.1 shows the breakdown of the three address classes, and how many bits appear in the host ID and the network ID.
Table 6.1 The Familiar Delineations of the IP Address Classes

Address Class   # Network Bits   # Host Bits   Decimal Address Range
Class A         8 bits           24 bits       1-126
Class B         16 bits          16 bits       128-191
Class C         24 bits          8 bits        192-223
Using the old class A, B, and C addressing scheme, the Internet could support the following:

- 126 class A networks that could include up to 16,777,214 hosts each
- 65,000 class B networks that could include up to 65,534 hosts each
- Over 2 million class C networks that could include up to 254 hosts each

As you can see, there are only three classes; every company or organization will have to choose the class that best supports their needs. Since it is nearly impossible to receive a class A or B address, you would be stuck with a class C address, which may or may not be suitable for your needs. If you were assigned one class C address, and you only needed 10 addresses, you would be wasting 244 addresses. This results in what appears to be a condition of running out of addresses; however, the problem stems more from the inefficient use of the addresses. CIDR was developed to be a much more efficient method of assigning addresses. A CIDR supernet consists of numerous contiguous IP addresses. An ISP can assign their customers blocks of contiguous addresses to define the supernets. Each supernet has a unique supernet address that consists of the upper bits that are shared between all IP addresses in the supernet. For example, the following group of addresses are all contiguous (198.113.0.0 through 198.113.7.0 in decimal notation).
11000110 01110001 00000000 00000000
11000110 01110001 00000001 00000000
11000110 01110001 00000010 00000000
11000110 01110001 00000011 00000000
11000110 01110001 00000100 00000000
11000110 01110001 00000101 00000000
11000110 01110001 00000110 00000000
11000110 01110001 00000111 00000000
The supernet address for the block is 11000110 01110001 00000 (the 21 upper bits) because every address in the supernet has this in common. The complete supernet address consists of the address and the mask.

- The address is the first 32-bit address in the contiguous address block. In our case this would be 11000110 01110001 00000000 00000000 (198.113.0.0 in decimal notation).
- The mask is a 32-bit string, similar to the subnet mask, which contains a set bit in the supernet portion of the address. In our case this would be 11111111 11111111 11111000 00000000 (255.255.248.0 in decimal notation).

The masked portion, however, contains the number of bits that are in the on position; in our case this would be 21. The complete supernet address would be 198.113.0.0/21. The /21 indicates that the first 21 bits are used to identify the unique network, leaving the remaining bits to identify the specific host. You can compare this to an office phone system where every phone number starts with a prefix such as 288 and ends with a unique four-digit combination. For example, your phone number is 288-1301, and Doug Fortune, the Human Resources supervisor, has a phone number of 288-2904. Most companies are set up so that you can dial the unique portion of the user's phone number as a means of internal dialing. To contact Doug, you would just dial 2904, which is the unique portion of his full phone number. Continuing the example, 288, the prefix of the phone number, would be the supernet address. Isn't it much easier to dial the person's four-digit extension rather than the entire seven-digit number? Imagine if you had to dial the area code every time you made a local call. Also continuing the comparison, the area code resembles a supernet address for an area.
CIDR can then be used to employ a supernet address to represent multiple IP destinations. Rather than advertise a separate route for each of the members of the contiguous address space, the router can now advertise the supernet address as a single route, called an aggregate route. This aggregate route will represent all the destinations within the supernet address, thereby reducing the amount of information that needs to be contained in the routing tables of the routers. This may not seem like much of a reduction in the routing table, but multiply this by hundreds of routers on the Internet, and you can see the effect CIDR can have on the number of entries in the routing tables. Table 6.2 shows how the CIDR block prefix is used to increase the number of groups of addresses that can be used, thereby offering a more efficient use of addressing than the class A, B, or C method.
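The 21-bit computation above, carried out in code as an added example that is not from the book: it finds the bits every member of a contiguous block shares, builds the aggregate address and mask, and refuses to aggregate a block whose prefix would also cover addresses the advertiser does not hold (a gap, or a block that is contiguous but not aligned). It uses Python's standard ipaddress module; the sample blocks are constructed from the chapter's 198.113.0.0 through 198.113.7.0 example.

```python
import ipaddress

# Constructed sample: the eight contiguous class C networks from the text,
# 198.113.0.0 through 198.113.7.0.
CONTIGUOUS_BLOCK = [ipaddress.IPv4Network(f"198.113.{i}.0/24") for i in range(8)]
# Constructed failure cases: the same block with 198.113.6.0 missing, and a
# contiguous run that does not start on a power-of-two boundary.
GAPPED_BLOCK = [n for n in CONTIGUOUS_BLOCK if n != ipaddress.IPv4Network("198.113.6.0/24")]
MISALIGNED_BLOCK = [ipaddress.IPv4Network(f"198.113.{i}.0/24") for i in range(1, 9)]


def binary_octets(address):
    """Render a 32-bit address as four space-separated binary octets,
    the way the chapter's listing shows the block."""
    bits = format(int(ipaddress.IPv4Address(address)), "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def shared_prefix_length(networks):
    """Number of leading bits common to every network address in the list.

    Every address between the lowest and highest member shares whatever
    prefix those two share, so only the extremes need comparing.  The result
    is capped at the shortest member prefix so a lone /24 is never reported
    as a longer prefix than it is."""
    addrs = [int(n.network_address) for n in networks]
    differing = min(addrs) ^ max(addrs)        # 1 wherever low and high disagree
    common = 32 - differing.bit_length()        # leading bits that agree
    return min(common, min(n.prefixlen for n in networks))


def aggregate(networks):
    """Return the single aggregate route (supernet) that covers the block.

    Raises ValueError when that prefix would also cover address space not in
    the block: advertising it would attract traffic for networks the
    advertiser does not actually own."""
    plen = shared_prefix_length(networks)
    lowest = min(int(n.network_address) for n in networks)
    supernet = ipaddress.IPv4Network((lowest, plen), strict=False)
    # collapse_addresses merges adjacent, aligned networks exactly; the result
    # equals [supernet] only when the members fill it with nothing missing.
    if list(ipaddress.collapse_addresses(networks)) != [supernet]:
        raise ValueError(f"{len(networks)} networks do not exactly fill {supernet}")
    return supernet


def is_aggregatable(networks):
    """True when the block can be advertised as one aggregate route."""
    try:
        aggregate(networks)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    agg = aggregate(CONTIGUOUS_BLOCK)
    print("aggregate route:", agg, "mask:", agg.netmask)
    for net in CONTIGUOUS_BLOCK:
        print(binary_octets(net.network_address))
    print("mask   ", binary_octets(agg.netmask))
    print("gapped block aggregatable:", is_aggregatable(GAPPED_BLOCK))
    print("misaligned block aggregatable:", is_aggregatable(MISALIGNED_BLOCK))
```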
Table 6.2 Characteristics of Each CIDR Block Prefix

CIDR Block Prefix   # Equivalent Class C        # of Host Addresses
/27                 1/8th of a Class C          32 hosts
/26                 1/4th of a Class C          64 hosts
/25                 1/2 of a Class C            128 hosts
/24                 1 Class C                   256 hosts
/23                 2 Class C                   512 hosts
/22                 4 Class C                   1,024 hosts
/21                 8 Class C                   2,048 hosts
/20                 16 Class C                  4,096 hosts
/19                 32 Class C                  8,192 hosts
/18                 64 Class C                  16,384 hosts
/17                 128 Class C                 32,768 hosts
/16                 256 Class C (= 1 Class B)   65,536 hosts
/15                 512 Class C                 131,072 hosts
/14                 1,024 Class C               262,144 hosts
/13                 2,048 Class C               524,288 hosts
At this time, the Internet is not completely CIDR-capable. Some older routers and other network devices must be upgraded to support CIDR, and compatible protocols must also be used. Non-CIDR-capable portions of the Internet can still function fine, but may be required to default towards the CIDR-capable parts of the Internet for routes that have been aggregated for nonnetwork boundaries. CIDR-capable forwarding is described as the ability of a router to maintain its forwarding table and to perform correct forwarding of IP packets without making any assumptions about the class of IP addresses. The CIDR Applicability Statement composed in September of 1993 required Internet domains providing backbone and/or transit service to fully implement CIDR in order to ensure that the growth of the resources required by routers will provide Internet-wide connectivity. The Applicability Statement also recommended that all other nonbackbone and/or transit Internet domains also implement CIDR because it will reduce the amount of routing between these domains. At this time, individual domains are not required to implement CIDR. Individual domains are also not prohibited from using an addressing scheme that is not compliant with CIDR. It is very important to note that CIDR does not attempt to solve the problem of eventual exhaustion of the 32-bit IP address space. CIDR can address the short- to midterm difficulties to allow the Internet time to continue functioning effectively while progress is made on the longer term solution of IP address exhaustion.
With the development of CIDR around 1993, it was given at least three years as a viable solution until the deployment of the long-term solution, IPv6 (otherwise known as IPng). The next generation of IP is a little behind schedule, but vendors are now making their devices compliant, and the buzz is starting to spread in the Internet community.
From Millions to Thousands of Networks

For engineers, the biggest push on the Internet today is to devise a plan to limit the huge growth in available networks on the Internet. We have learned in the previous section that the addition of so many networks on the Internet has severely hindered the ability to maintain effective routing tables for all the new networks that have been added. It was becoming more difficult to route packets to their destinations because the route to the destination was sometimes not included in the large routing tables maintained by these routing domains. This threat, much like a tornado warning, was due to touch down on the Internet before the dreaded exhaustion of IP addresses. Now that CIDR has come to the rescue, the problem is to implement CIDR fast enough to consolidate these networks to minimize the number of entries in the routing tables. From the millions of networks out there, CIDR is able to consolidate contiguous IP addresses, known as supernetting, into fewer numbers of networks that contain more hosts. The only caveat with CIDR is that these must be contiguous class C addresses. The authority for assigning IP addresses has assigned large contiguous blocks of IP addresses to large Internet Service Providers. These large ISPs assign a smaller subset of contiguous addresses from their block to other ISPs or large network customers, as illustrated in Figure 6.2. The bottom line is that the large ISP maintains a large block of contiguous addresses that it can report to a higher authority for CIDR address aggregation. With CIDR, the large ISP does not have to report every class C address that it owns; it has to report the prefix that every class C address has in common. These addresses are aggregated into a single supernetted address for routing purposes. In our example, the prefix is 198.113.201, which is what all IP addresses have in common. Instead of advertising six routes, we are advertising only one. That is a decrease of 83 percent.
Imagine if every ISP were able to decrease the routes they advertise by this much. This can literally bring the number of networks from millions down to thousands. Not only does this decrease the number of networks, but it is a significant reduction in the number of routing table entries. By March of 1998, the number of global routing table entries was around 50,000. Without CIDR, it is speculated that the number of global routes would have been nearly twice that number. You can always count on the standards committees behind the scenes of the Internet to deliver effective solutions when adversity stares them in the face.
Figure 6.2 Maintaining contiguous CIDR blocks while assigning addresses.
[Figure: Large ISP; Customer, assigned 6 class C IP addresses: 198.113.201.30, 198.113.201.31, 198.113.201.32, 198.113.201.34, 198.113.201.35, 198.113.201.36; Small ISP, assigned 3 class C IP addresses: 198.113.201.34, 198.113.201.35, 198.113.201.36; Customer, assigned 1 class C IP address: 198.113.201.36]
ISP Address Assignment

In the near future, organizations are likely to undergo changes that will affect their IP addresses. This can result from a variety of reasons, such as a change in Internet Service Provider, structural reorganization, physically moving equipment, and new strategic relationships. An IP address renumbering plan can result in easier future IP address management. When moving from one ISP to another, and CIDR is being used, it will be required to return the addresses that were allocated to the organization from the ISP's original CIDR block. These addresses belong to a single large block of address space allocated to their current ISP, which acts like an aggregator for these addresses. If your address is aggregated into your ISP's larger address block, you can then be routed under their network address.
What if you leave Internet Service Providers and choose to take your IP addresses with you? This is a predicament for the original ISP who can no longer advertise the addresses as part of an aggregated CIDR block, because there is now a hole in the CIDR block (resulting from the loss of the IP addresses you took with you). CIDR can address this issue by requiring routers to accept multiple matches. When a duplicate routing match is found, the router will search for the route with the longest mask, which should be the most recent route. This is referred to as an exception to a CIDR block, and is used when a block of contiguous addresses cannot be used, like the example in which we defected from one ISP to another and took our addresses with us. To contain the growth of this routing information, an organization should change these addresses, which involves renumbering their subnets and hosts. If the organization does not renumber, the consequences may include limited Internet-wide IP connectivity issues. ISPs sometimes have to change to a new and larger block of addresses, and this may affect the organization that currently has addresses that were allocated to them from the original CIDR block. The easiest form of renumbering is with the use of dynamic addressing, such as Dynamic Host Configuration Protocol (DHCP). However, many servers and network devices such as routers have static addresses, which will hamper the renumbering process.
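The longest-mask rule as an added example that is not from the book: a routing table built from the chapter's 198.113.0.0/21 aggregate plus a /24 that a departing customer took to another provider, with lookups showing that the more specific exception route wins and what a router that dropped it would do instead. The next-hop names and the 198.113.5.0/24 exception are constructed for the example.

```python
import ipaddress

# Constructed routing table for the situation described in the text: the
# original ISP still advertises the aggregate 198.113.0.0/21, while the
# customer that left took 198.113.5.0/24 to a new provider.  Next-hop names
# are made up for the example.
ROUTES = [
    ("0.0.0.0/0",      "default-upstream"),
    ("198.113.0.0/21", "isp-a"),   # aggregate route covering 198.113.0.0 - 198.113.7.255
    ("198.113.5.0/24", "isp-b"),   # the exception: a hole punched in the aggregate
]


def build_table(routes):
    """Parse (prefix, next_hop) pairs and order them longest mask first, so
    the first match found during lookup is the most specific route."""
    table = [(ipaddress.IPv4Network(prefix), next_hop) for prefix, next_hop in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Longest-prefix match: the next hop of the most specific route that
    covers destination, or None when nothing (not even a default) matches."""
    addr = ipaddress.IPv4Address(destination)
    for network, next_hop in table:
        if addr in network:
            return next_hop
    return None


def exceptions_in(table, aggregate):
    """The more-specific routes that punch holes in an aggregate, i.e. the
    entries a renumbering plan would need to eliminate to contain growth."""
    agg = ipaddress.IPv4Network(aggregate)
    return [str(network) for network, _ in table
            if network != agg and network.subnet_of(agg)]


# Full table, and the same table as seen by a router that accepts only one
# match per destination and therefore dropped the exception route.
TABLE = build_table(ROUTES)
TABLE_WITHOUT_EXCEPTION = build_table([r for r in ROUTES if r[1] != "isp-b"])

if __name__ == "__main__":
    for dest in ("198.113.5.10", "198.113.2.10", "10.0.0.1"):
        print(dest, "->", lookup(TABLE, dest),
              "| without exception:", lookup(TABLE_WITHOUT_EXCEPTION, dest))
    print("exceptions in 198.113.0.0/21:", exceptions_in(TABLE, "198.113.0.0/21"))
```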
The most important aspect of the renumbering plan is centered around routing. Routing issues have become very important, due to the large growth of the Internet and the maintenance of large routing tables that accompany this growth. Since routers are a key component to connectivity, they are a large focus of the renumbering plan. If you are not aggregated into your ISP's larger address block, and you are a smaller organization, you are risking being dropped from the global routing tables. There is no governing force that has control over what addresses are added to the global routing tables; any ISP can manage their routing tables as they see fit. If you are a smaller network, you can still be included in global routing tables if your address is part of a larger CIDR address block.
Using CIDR Addresses Inside Your Network

The interior (intradomain) routing protocols that support CIDR are OSPF, RIP II, Integrated IS-IS, and EIGRP. If you are running one of these routing protocols in your internal network, you have the ability to use CIDR addresses inside your network. Most companies and organizations do not have internal networks large enough to require CIDR addressing. However, CIDR does provide more than just efficient addressing. When implementing CIDR addressing in your internal network, you have the ability to create smaller subnets than those available with the current classful subnetting schemes. For example, in order to subnet your network using TCP/IP subnetting with a custom subnet mask, the smallest subnet you have would still have 254 available hosts. With CIDR you can implement fractional aggregates, the ability to take a class C address and assign fractions of it to customers or your internal subnets on your own network. ISPs are now using this technology to assign 64 and 32 block addresses to customers with small networks. This makes efficient use of available class C addresses, because without CIDR, you would be wasting the remaining IP addresses in the class C address that were not used. This is how you can combat IP address exhaustion within your own network, just like many people are trying to do on the Internet. Table 6.3 shows the fractional aggregates of a single class C address.
Table 6.3 Fractions of a Class C Address Made Possible by CIDR

CIDR Block Prefix   # Equivalent Class C   # of Host Addresses
/27                 1/8th of a Class C     32 hosts
/26                 1/4th of a Class C     64 hosts
/25                 1/2 of a Class C       128 hosts
/24                 1 Class C              256 hosts

With CIDR we now have the ability not only to use a full Class C address, but also to assign fractions of the Class C, such as 1/2, 1/4, or 1/8 the number of available addresses.
As we mentioned earlier, you can also use this fractional class C address for your internal network. The advantages of this are subnetting networks into logical groupings of computers and devices, isolating traffic, and therefore increasing network performance. You will have to use a CIDR-capable routing protocol, such as OSPF or RIP-2 on your network. This will make your network more complex and difficult to manage, but it will help you reap the benefits of subnetting that we described earlier.
Contiguous Subnets

The most important rule to remember with CIDR classless addressing is that subnets must be contiguous. A router cannot process subnet routes for networks to which it is not directly connected. The example in Figure 6.3 illustrates this rule more clearly. If a router is to take part in the same classful network in order to interpret the prefix length, it must be connected directly to the network. In Figure 6.3, the router is not a part of the contiguous network, so it has no way of knowing the prefix length that is being used. More specifically, Router1 and Router2 cannot advertise their routes to Router3 because Router3 is not a part of the 201.35.88 network. The only route that can be advertised to Router3 is 201.35.88. This poses a problem because Router3 has no indication of which direction to send a packet with the prefix of 201.35.88; it will undoubtedly send packets to the wrong network. The problem with the network configuration shown in Figure 6.3 is that the 198.113.201 networks are not contiguous. If we configured a direct connection between Router1 and Router2, we would have a contiguous network, and could benefit from CIDR addressing. The addition of Router3 injects another classful network between the 198.113.201 networks, thus making it discontiguous.

Figure 6.3 An illegal CIDR configuration with disconnected networks.
IGRP

The networking community began to realize the limitations of the RIP protocol (which we will see later in the chapter), and something had to be done. Many years ago, the Internet Engineering Task Force (IETF) had not yet formalized the specifications for OSPF, so Cisco had the option of waiting for the specifications, or continuing to develop their own protocol. They chose to implement their own protocol, which turned out to be Interior Gateway Routing Protocol (IGRP). IGRP is a protocol that is designed to coordinate routing between a number of routers. There are a number of routing goals with Cisco's IGRP protocol:

- Stable routing, even in a very large or complex network
- No routing loops should occur
- Fast response to changing network topology
- Low overhead, meaning IGRP should not use more bandwidth than it needs for its own use
- Splitting traffic among parallel routes when they are of equal desirability
- Taking into account error rates and levels of traffic on different paths
- The ability to handle multiple "types of services" with a single set of information

IGRP is intended for use within internal networks, under the management of one organization. IGRP is also commonly referred to as IGP (Interior Gateway Protocol). IGRP is intended for maintaining a very accurate representation of the internal network topology. Convergence is very important within internal networks, because the paths to networks must be quickly rerouted in the event a network link were to go down. This is not as important for external networks, because most change in network topology occurs within networks, such as the addition or removal of a broken link. External network links must be stable and consistent to avoid major disturbances from misconfigured or down links. EGRP (Exterior Gateway Routing Protocol) is more important for providing reasonable routes, rather than optimal routes. However, IGRP is very concerned with providing the optimal route when packets are being routed.
IGRP is a distance-vector protocol in which routers (often called gateways) exchange routing information only with adjacent routers. When the adjacent router receives the update, it will compare the information with its own routing table. Any new paths or destinations will be added. Paths in the adjacent router's update will also be compared with existing paths to determine if the new route is more efficient than the route that currently exists in the routing table. If the new path is better, it will replace the existing one. This is the general procedure used in all distance-vector protocols.
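The update procedure just described, as an added example that is not from the book or from Cisco: one router merges a neighbor's advertised routes into its own table, adding unknown destinations and replacing entries only when the path through the neighbor is more efficient. Metrics are plain integers where the smallest value wins; the router names, network names, link costs and the unreachable marker are constructed, and the rule that an update from the current next hop is always believed is an assumption beyond the text.

```python
# Added example: a single router applying a distance-vector update.
# Everything below (names, costs, the UNREACHABLE marker) is constructed.

UNREACHABLE = 10_000   # constructed marker, larger than any real metric


def process_update(table, neighbor, link_cost, advertised):
    """Merge the routes a neighbor advertised into this router's table.

    table:      {destination: (metric, next_hop)}, modified in place
    neighbor:   name of the adjacent router that sent the update
    link_cost:  metric of the link from this router to that neighbor
    advertised: {destination: metric as seen from the neighbor}
    Returns the list of destinations whose entry changed."""
    changed = []
    for dest, neighbor_metric in advertised.items():
        # The cost through the neighbor is what it reports plus the hop to reach it.
        via_neighbor = min(neighbor_metric + link_cost, UNREACHABLE)
        current = table.get(dest)
        if current is None:
            # A destination this router did not know about: add it.
            table[dest] = (via_neighbor, neighbor)
            changed.append(dest)
        elif via_neighbor < current[0]:
            # A more efficient path than the one in the table: replace it.
            table[dest] = (via_neighbor, neighbor)
            changed.append(dest)
        elif current[1] == neighbor and via_neighbor != current[0]:
            # Assumption beyond the text: an update from the neighbor already
            # used as next hop is always believed, even when it is worse, so a
            # path that degraded or became unreachable through it gets corrected.
            table[dest] = (via_neighbor, neighbor)
            changed.append(dest)
        # Otherwise the advertised path is no better: ignore it.
    return changed


def demo_table():
    """Apply three constructed updates to a fresh table and return it."""
    table = {"net-A": (0, "direct")}                               # directly connected
    process_update(table, "R2", 10, {"net-B": 5, "net-C": 20})     # via R2: B=15, C=30
    process_update(table, "R3", 2, {"net-C": 4})                   # via R3: C=6 replaces 30
    process_update(table, "R2", 10, {"net-B": UNREACHABLE})        # R2 lost net-B
    return table


if __name__ == "__main__":
    for dest, (metric, next_hop) in sorted(demo_table().items()):
        print(f"{dest:6} metric={metric:<6} next hop={next_hop}")
```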
The a l t e r n a t i v e to d i s t a n c e - v e c t o r r o u t i n g is S h o r t e s t P a t h F i r s t (SPF) routing, w h i c h we will d i s c u s s in g r e a t detail in t h e section on O p e n S h o r t e s t P a t h First (OSPF). This is a l i n k - s t a t e t e c h n o l o g y in w h i c h e a c h r o u t e r c o n t a i n s a n identical d a t a b a s e . The r o u t i n g i n f o r m a t i o n e x c h a n g e c o n t a i n s a s u m m a r y of inform a t i o n c o n c e r n i n g t h e r e s t of t h e network. A collection of r o u t e r s u s i n g IGRP c o m p l e t e s t h e entire n e t w o r k topology, r e s u l t i n g in a d i s t r i b u t e d a l g o r i t h m in w h i c h e a c h r o u t e r solves only a p o r t i o n of t h e routing. Working t o g e t h e r a n d e x c h a n g i n g r o u t i n g i n f o r m a t i o n with only t h e i r a d j a c e n t r o u t e r s , t h e s e r o u t e r s c a n d e t e r m i n e t h e b e s t r o u t e a p a c k e t c a n take. In o t h e r words, no one r o u t e r n e e d s to m a i n t a i n t h e i n f o r m a t i o n for the entire network. IGRP goes b e y o n d RIP w h e n it c o m e s to metrics. The a d d e d i n f o r m a t i o n in IGRP allows the r o u t e r to m a k e m o r e intelligent choices with r e g a r d s to t h e m e t r i c cost of one r o u t e over another. RIP h a d no w a y of c h o o s i n g the r o u t e with the h i g h e s t b a n d w i d t h w h e n b o t h r o u t e s h a d t h e s a m e m e t r i c h o p count. The n e w m e t r i c s i n t r o d u c e d with IGRP include:
• Topological delay time. The amount of time it would take a packet to reach its destination if the network were not busy. Additional delay is incurred when there is traffic on the network.
• Bandwidth of the narrowest segment of the path. The bandwidth, in bits per second, of the slowest link along the path.
• Channel occupancy of the path. Indicates how much of the bandwidth is currently in use. This number changes often as network traffic increases and decreases.
• Reliability of the path. Indicates the reliability of the path, based on the number of packets that actually arrive at the destination compared with the number of packets originally sent.

IGRP combines these factors with a composite metric formula and chooses the best route, which is the one with the smallest metric value.
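The composite metric itself is not spelled out above, so here is an added example (not code from the book) that computes it with the published Cisco default formula: metric = K1·BW + (K2·BW)/(256 − load) + K3·delay, multiplied by K5/(reliability + K4) only when K5 is non-zero, with K1 = K3 = 1 and K2 = K4 = K5 = 0 by default, BW = 10^7 divided by the narrowest link bandwidth in kbit/s, and delay summed in units of 10 microseconds. The link values and the two candidate paths are constructed for the example; they show two routes with the same hop count that RIP could not tell apart but IGRP ranks clearly.

```python
# Added example: IGRP composite metric with the published default K-values.
# Not from the book.  Formula (Cisco defaults K1=K3=1, K2=K4=K5=0):
#   metric = K1*BW + (K2*BW)/(256 - load) + K3*delay
#   if K5 != 0: metric = metric * K5 / (reliability + K4)
# BW = 10^7 / (narrowest link bandwidth in kbit/s); delay in 10-us units.
# All link figures below are constructed sample values.

from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    bandwidth_kbps: int       # link bandwidth in kbit/s
    delay_10us: int           # link delay in tens of microseconds
    load: int = 1             # channel occupancy, 1..255 (255 = saturated)
    reliability: int = 255    # 1..255 (255 = every packet arrived)


def igrp_metric(path, k=(1, 0, 1, 0, 0)):
    """Composite IGRP metric for a path (list of Links); smaller is better."""
    k1, k2, k3, k4, k5 = k
    min_bw = min(l.bandwidth_kbps for l in path)
    bw = 10_000_000 // min_bw                  # inverse of the narrowest link
    delay = sum(l.delay_10us for l in path)    # topological delay along the path
    load = max(l.load for l in path)           # channel occupancy: worst link
    rel = min(l.reliability for l in path)     # reliability: worst link
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                                # reliability term only if K5 set
        metric = metric * k5 // (rel + k4)
    return metric


def best_path(candidates, k=(1, 0, 1, 0, 0)):
    """Return (name, metric) of the candidate path with the smallest metric."""
    scored = {name: igrp_metric(path, k) for name, path in candidates.items()}
    name = min(scored, key=scored.get)
    return name, scored[name]


# Constructed topology: two 2-hop paths to the same destination.  RIP sees
# hop count 2 for both; IGRP sees a T1 against a 64 kbit/s serial line.
ETHERNET = Link(bandwidth_kbps=10_000, delay_10us=100)     # 10 Mbit/s, 1 ms
T1 = Link(bandwidth_kbps=1_544, delay_10us=2_000)          # 1.544 Mbit/s, 20 ms
SLOW_SERIAL = Link(bandwidth_kbps=64, delay_10us=2_000)    # 64 kbit/s, 20 ms

CANDIDATES = {
    "via_t1": [ETHERNET, T1],
    "via_serial": [ETHERNET, SLOW_SERIAL],
}

if __name__ == "__main__":
    for name, path in CANDIDATES.items():
        print(f"{name:12s} metric={igrp_metric(path)}")
    print("best:", best_path(CANDIDATES))
```

With the defaults only bandwidth and delay count: the T1 path scores 8576 against 158350 for the serial path, so the T1 path wins even though both are two hops. Setting K2, K4 and K5 brings load and reliability into the calculation, which is what the "channel occupancy" and "reliability" metrics above feed.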
IGRP also has substantial stability features, such as hold-downs, split horizons, and poison-reverse updates, which are described as follows:
• Hold-downs. Used to prevent a regular update message from reinstating a route that has gone bad. When a network link goes down, the neighboring routers detect the lack of regularly scheduled updates and determine that this link is not functioning. Update messages then begin to permeate the network with the news that this route is down. If this convergence takes too long, it is possible that another router on the network, which has not yet heard the news, will advertise that the route is still available; that router is potentially advertising incorrect routing information. A hold-down tells the routers on the network to hold down (ignore) any changes that may affect the route for a period of time. The hold-down period is calculated to be just slightly greater than the time needed to propagate a routing change through the entire network.
• Split horizons. Used to avoid routing loops between two routers. It is never useful to send information about a route back in the direction from which it was learned. In Figure 6.4, Router1 advertises a route to Network A, to which it is directly connected. Router2 should never advertise this route back to Router1, because Router1 is closer to Network A. This prevents routing loops between the two routers. For example, if Router1's interface to Network A went down, Router2 might otherwise continue to inform Router1 that it can reach Network A (through Router1 itself). Router1 could be fooled into believing this route is valid, and a routing loop would then occur. (Remember that split horizons avoid only loops between two routers.)
• Poison-reverse updates. Used to minimize loops between more than two routers. When a route's metric increases significantly, this may indicate a routing loop. A poison-reverse update is then sent to the router to remove the route and place it into hold-down.
Figure 6.4 Avoiding routing loops with split horizons.
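To make the Figure 6.4 scenario concrete, the following is an added simulation (not code from the book) of the two-router exchange with a hop-count metric and 16 meaning unreachable, as RIP defines it. Router1 loses its interface to Network A, and in each update round Router2 happens to speak before Router1, which is exactly the race that lets a stale advertisement come back. The loop, split-horizon and poison-reverse policies are implemented as the text describes them; the router names, network names and round ordering are assumptions made for the example.

```python
# Added example (not from the book): a two-router distance-vector simulation
# showing count-to-infinity between Router1 and Router2 of Figure 6.4 when a
# directly connected network goes down, and how split horizon or poison
# reverse stops it.  Hop-count metric; 16 means unreachable (RIP's value).

INFINITY = 16


class Router:
    def __init__(self, name, connected):
        self.name = name
        # destination -> (metric, next_hop); next_hop None = directly connected
        self.table = {net: (0, None) for net in connected}
        self.neighbors = []

    def advertisement(self, to, split_horizon=False, poison_reverse=False):
        """Routes this router tells neighbour `to` about, by loop policy."""
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop == to.name:          # route was learned from `to`
                if poison_reverse:
                    adv[dest] = INFINITY     # tell `to` it is unreachable via us
                elif split_horizon:
                    continue                 # say nothing about it to `to`
                else:
                    adv[dest] = metric       # naive: echo it straight back
            else:
                adv[dest] = metric
        return adv

    def receive(self, sender, adv):
        """Bellman-Ford update: one more hop than the sender advertises."""
        for dest, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur_metric, cur_hop = self.table.get(dest, (INFINITY, None))
            if cur_hop == sender:
                # our current next hop is authoritative, better or worse
                self.table[dest] = (new, sender)
            elif new < cur_metric:
                self.table[dest] = (new, sender)


def exchange(order, **policy):
    """One update round: routers speak in the given order, delivered at once."""
    for router in order:
        for nbr in router.neighbors:
            nbr.receive(router.name, router.advertisement(nbr, **policy))


def simulate(rounds=10, **policy):
    """Metric Router1 holds for NetworkA after each round once its link drops."""
    r1 = Router("Router1", ["NetworkA", "Link12"])
    r2 = Router("Router2", ["Link12"])
    r1.neighbors, r2.neighbors = [r2], [r1]
    exchange([r1, r2], **policy)             # Router2 learns NetworkA via Router1
    assert r2.table["NetworkA"] == (1, "Router1")
    r1.table["NetworkA"] = (INFINITY, None)  # Router1's NetworkA interface fails
    history = []
    for _ in range(rounds):
        # Router2's stale advertisement reaches Router1 before Router1's bad news
        exchange([r2, r1], **policy)
        history.append(r1.table["NetworkA"][0])
    return history


if __name__ == "__main__":
    print("no protection :", simulate())
    print("split horizon :", simulate(split_horizon=True))
    print("poison reverse:", simulate(poison_reverse=True))
```

Without protection the metric for Network A on Router1 climbs 2, 4, 6, ... until it hits 16 after eight rounds, the classic count to infinity; with either split horizon or poison reverse it is 16 from the first round. Note that the hold-down described above is a separate mechanism: even with poison reverse, a third router that has not yet heard the bad news can still re-advertise the route, which is what hold-downs are for.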
Another feature of IGRP stability is the use of timers and variables that contain time intervals. The timers include an update timer, an invalid timer, a hold-time period, a flush timer, and a sleep timer.
• The update timer specifies how frequently update messages are sent. The IGRP update timer default is 90 seconds.
• The invalid timer specifies how long a router waits without receiving routing update messages for a route before it declares the route invalid. The IGRP invalid timer default is three times the update timer.
• The hold-time period (sometimes referred to as the hold-down period) specifies the length of the hold-down period. The IGRP hold-time default is three times the update timer plus ten seconds.
• The flush timer specifies how much time should pass before a route is flushed from the routing table. The IGRP flush timer default is seven times the update period.
• The sleep timer is the amount of time that update messages are postponed. The sleep value should be less than the update timer, because the routing tables will never be synchronized if the sleep value is higher than the update timer.
EIGRP

EIGRP is an enhanced version of the IGRP routing protocol, and is continually evolving. EIGRP uses the same distance-vector-based routing that IGRP uses. What has improved is the convergence and operating efficiency. The main enhancement with EIGRP is the sophisticated Diffusing Update Algorithm (DUAL). This algorithm is significantly more advanced than the distance-vector algorithm used by RIP and previous versions of IGRP, and was designed to reduce routing loops drastically. Convergence is improved because DUAL enables all routers involved in a topology change to synchronize their routing tables at the same time. EIGRP is also Network Layer protocol-independent, which means it can support other protocol suites. One of the downfalls of EIGRP is the fact that it is seen as a competitor to OSPF. EIGRP can be implemented seamlessly within a network of IGRP routers. This makes it possible to benefit from the features of both protocols simultaneously, and also provides an upgrade path for gradual migration from IGRP to EIGRP. Another benefit of this coexistence is that you can strategically implement EIGRP in specific portions of your network. Cisco defines the four basic components of EIGRP as follows:
• Neighbor Discovery/Recovery. The process of dynamically learning the status of other routers on directly attached networks. Routers must also continually poll their neighbors to determine whether they are still functioning and reachable. This is achieved by sending Hello packets on a regular basis. Once these Hello packets are received, the routers can then continue to exchange route information.
• Reliable Transport Protocol. Responsible for the guaranteed, ordered delivery of EIGRP packets. For efficiency, reliability is provided only when needed; a multicast Hello packet, for example, carries an indication that it does not have to be acknowledged. As you know, responding to acknowledgment requests is what consumes valuable bandwidth on a network, especially on an Ethernet network running a very broadcast-intensive protocol, where every packet must be captured and analyzed by the network adapters to determine whether it is destined for them. This can be very CPU-intensive as well.
• DUAL Finite State Machine. The decision process for all route computations. It tracks the routes advertised by all neighbors and uses the distance information (the metric) to construct loop-free paths. Routes are selected based on feasible successors, which are discussed later in this section.
• Protocol Dependent Modules. Responsible for sending and receiving EIGRP packets encapsulated in a particular Network Layer protocol, such as IP. Each supported protocol suite has its own module.
EIGRP Concepts

This section describes the concepts for Cisco's EIGRP implementation.
• Neighbor table. A table in which each router keeps track of neighboring (adjacent) routers. When a new neighbor is learned, its address and the interface on which it was heard are recorded in the table.
• Topology table. A table populated by the protocol-dependent modules, containing all destinations advertised by the neighboring routers. Each entry contains the destination address and the list of neighbors that have advertised this particular destination, together with the metric each neighbor advertised. The best of these metrics is the one the router places in the routing table, and the one it uses for forwarding and for advertising the route to other routers.
• Feasible successors. An entry is moved from the topology table to the routing table when it has a feasible successor. Neighbors whose advertised metric for a destination is less than the metric currently in this router's routing table are considered feasible successors. A feasible successor is thus a neighbor that is downstream with respect to the destination: because it is strictly closer to the destination than this router is, forwarding through it cannot route the packet back through this router and create a loop. When a neighbor changes its metric, or a topology change occurs on the network, the list of feasible successors must be recomputed.
• Route states. A route can be in only one of two states: passive or active. A route is considered passive when the router is not performing a route recomputation. The route is considered active when the router is performing a route recomputation.
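The successor and feasible-successor selection described in the three bullets above, as an added example (not Cisco's code and not from the book). It evaluates one destination's topology-table entries with DUAL's feasibility condition and shows when the loss of a neighbor can be repaired locally (the route stays passive) and when the router has to go active. The neighbor names, link costs and reported distances are constructed; one simplification is noted in the code.

```python
# Added example (not from the book): choosing EIGRP successors and feasible
# successors from a topology table with DUAL's feasibility condition.
# "cost" is the metric of our link to the neighbour; "rd" is the reported
# (advertised) distance the neighbour itself has to the destination.

from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    name: str
    cost: int   # metric of our own link to this neighbour
    rd: int     # reported distance: the neighbour's own metric to the destination

    @property
    def total(self):
        """Our distance to the destination if we forward through this neighbour."""
        return self.cost + self.rd


def dual_select(entries):
    """Return (feasible_distance, successors, feasible_successors)."""
    if not entries:
        return None, [], []
    fd = min(n.total for n in entries)                 # best total = feasible distance
    successors = [n.name for n in entries if n.total == fd]
    # Feasibility condition: a neighbour whose reported distance is strictly
    # below our feasible distance is closer to the destination than we are, so
    # it cannot be forwarding through us; using it as a backup cannot loop.
    feasible = [n.name for n in entries
                if n.rd < fd and n.name not in successors]
    return fd, successors, feasible


def on_neighbor_loss(entries, failed):
    """Simulate losing neighbour `failed`.  Returns ('passive', new selection)
    when the route can be repaired locally, or ('active', None) when DUAL must
    go active and query its neighbours.  Simplification (assumption for the
    example): the feasible distance is recomputed here, whereas real EIGRP
    keeps the historic FD until the route goes active."""
    _, successors, feasible = dual_select(entries)
    remaining = [n for n in entries if n.name != failed]
    if failed not in successors or len(successors) > 1 or feasible:
        return "passive", dual_select(remaining)
    return "active", None


# Constructed topology-table entries for a single destination.
TOPOLOGY = [
    Neighbor("R2", cost=10, rd=20),   # total 30 -> successor, FD = 30
    Neighbor("R3", cost=15, rd=25),   # rd 25 < 30 -> feasible successor
    Neighbor("R4", cost=5, rd=40),    # rd 40 >= 30 -> may be routing via us
]

if __name__ == "__main__":
    print("selection          :", dual_select(TOPOLOGY))
    print("successor R2 fails :", on_neighbor_loss(TOPOLOGY, "R2"))
    print("backup R3 fails    :", on_neighbor_loss(TOPOLOGY, "R3"))
```

R4 offers the cheapest link but is rejected as a backup because its reported distance (40) is not below the feasible distance (30): for all this router knows, R4's own path runs back through it. When R2 fails, R3 takes over without a recomputation; if R3 were not in the table, the same failure would force the route active.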
RIP-1 Requirements

Routing Information Protocol (RIP), the distance-vector interior gateway protocol that we discussed in the previous section, is used by routers to route packets to remote networks. There are a few differences between RIP and IGRP that we will discuss later in this section. RIP is an interior routing protocol, and the most popular of the interior routing protocols. The RIP protocol is based on a 1970s design, and emerged for TCP/IP in the early 1980s. With the rapid advancement of technology, you can see how technology has exceeded the capabilities of the RIP protocol. RIP has changed very little since its emergence, and therefore has some limitations in larger, more complex networks. Some of these limitations have been addressed by the newer RIP-2 protocol specification. Limitations of RIP-1 include the following:
• RIP cannot support an internal network with more than 15 hops between any two points. A router counts the hops a packet makes as it crosses other routers on the way to its destination.
• RIP cannot support variable-length subnet masking. Subnetting is very popular in TCP/IP-based networks, and RIP-1 is subject to restrictions in this type of network because its updates carry no subnet mask. Another term for this is Variable-Length Subnet Masks (VLSM), which RIP-1 does not support.
• RIP broadcasts updates about every 30 seconds. Bandwidth can be consumed if the router has a large routing table, or the network is very large with slow links.
• RIP has limited security. It is possible to obtain an unauthorized list of routes from neighboring routers, and it may be possible for a hacker to inject false routes into the network.
• Routing problems are difficult to diagnose in RIP.
• RIP has a slower convergence time than OSPF. RIP routers have a period of hold-down and garbage collection, and slowly time out information during the convergence process. This is not acceptable in some large networks and could cause routing inconsistencies.
• RIP has no concept of slow links or network delays. Routing decisions are made only by hop-count metrics. The path with the lowest hop count is treated as the most efficient, which may not be the best choice because this does not take into account the speed of the network links.
• RIP networks are not hierarchical, and have no concept of areas, domains, and autonomous systems.
• RIP does not support classless routing, which has become increasingly popular and necessary on large networks and on the Internet.

Routers periodically exchange routing tables with neighboring routers. Routers using the RIP protocol exchange their entire routing table, which can be inefficient. For this reason, routers are moving to more efficient routing protocols such as Open Shortest Path First (OSPF).
Figure 6.5 is an example of a typical routing table. Not everything about the RIP protocol is negative. Since it is one of the most widespread interior routing protocols, RIP can be supported almost anywhere. As many network technicians and engineers know, any protocol that is almost universal is a welcome addition because of the compatibility. Also, RIP is very easy to configure, which makes it very attractive because of the minimal amount of configuration required.
Figure 6.5 A sample RIP routing table.

Destination   Next Hop   Distance   Timers       Flags
NetworkA      Router1    5          t1, t2, t3   x, y
NetworkB      Router2    3          t1, t2, t3   x, y
NetworkC      Router1    2          t1, t2, t3   x, y
RIP classifies routers as passive and active. An active router advertises its routes to other routers. Passive routers receive these routes, but do not advertise their own routes. Typically, a router runs in active mode, and a host runs in passive mode. Each update consists of an IP network address and the integer distance to that network. RIP uses a hop count, which, as we described earlier, is the number of routers the packet will have to cross to reach the destination network. Each pass over a router increases the hop count by one hop. RIP has a maximum of 15 hops when routing packets to a remote network. These hop-count metrics determine the most efficient route; that is, the shortest path to the destination network. In other words, a route with 5 hops is preferred over a route with 8 hops. However, the route with the fewest hops may not be the fastest route to a destination, because the hop count does not take into account the speed of the links. For example, a route with 5 hops may cross slow serial links to reach a destination, while another route with 7 hops crosses only Ethernet networks. For this reason, an administrator can configure a router to advertise a higher hop count for a slow link to compensate for its slowness. This deters the use of the slower link.
Comparison with IGRP

The comparison between RIP and IGRP is useful because RIP is used for purposes similar to IGRP. However, RIP was designed with smaller networks in mind, and was never meant to be used in large, complex networks. The most basic difference between the two protocols is the use of metrics. RIP uses a simple hop count, which we discussed in the previous section. RIP has a maximum hop count of 15 when routing packets to a remote network. The hop count, expressed as a decimal from 1 to 15, describes the number of routers the packet must pass before arriving at its destination. Since the maximum hop count is 15, it may be difficult to reach a slower network represented with a large hop count. To accommodate the full range of network links, such as serial and asynchronous WAN links, the metric should be expanded to a larger field, such as 24 bits. A 24-bit metric allows for reliable routing on large, complex networks, or networks with various slow links. Some networks today are so large that RIP cannot pass packets from one end of the network to the other without exhausting the maximum of 15 hops. RIP is simply not possible on these large networks. Since you cannot just increase the hop count with RIP, you must find an alternative.
IGRP not only provides a larger metric field, but also includes a few more features that make it more robust than RIP. IGRP's metric can take into account factors such as delay, bandwidth, and reliability. RIP can express two different routes with the same hop count, but cannot take into account the fact that one of these routes may travel slower links, or consume more bandwidth than desired. IGRP can also split traffic among several equal-cost routes, which is not easy to implement with RIP. Instead of implementing a configuration where RIP supports traffic splitting, it may be more effective to update the network to use a routing protocol other than RIP. RIP updates also contain little information: just the destinations and the hop counts (metric values). IGRP can support an Autonomous System Number (ASN), which is a number used to describe an area, or domain. We will learn more about the ASN in the section on Border Gateway Protocol (BGP).

And finally, RIP uses the concept of a "default route," a route that will get a packet to a destination that is not specified in the router's internal routing table. This can be compared to the default router in TCP/IP, which is used to send a packet destined for a remote network that this host is unable to find. The phrase "I don't know where this packet is destined for, so you do something with it" is used to describe the concept of the default gateway. RIP and some other routing protocols distribute the default route as if it were a path to a real network, which in most cases it is not. IGRP uses a different approach to the default route. Rather than distributing the default route as a fake route, IGRP can flag real networks (more than one) as candidates for the default route. IGRP scans all of the candidate default routes to determine which has the lowest metric. This candidate then becomes the actual default route.
Routing Update Impact

As we discussed earlier, one of the disadvantages of RIP routing is the extensive use of broadcasts. A router updates its own routing table with information received from neighboring routers. A router or host may also send a RIP request; when a router that is configured to respond hears this request, it responds with a packet that contains routes from its own routing database. This response packet contains destination network information and metrics (hops) for reaching these destination networks. When the host or router receives this routing information, it rebuilds its database by adding new routes and modifying existing routes. To modify an existing route, the host or router determines whether the new route has a better path to the destination, which is a lower hop count. RIP also deletes a route that requires more than 15 hops to the destination. Routes are also removed from the router's database if no updates are received for them within a certain period of time. This is a dynamic means of purging routes in the database that have not been refreshed recently. As we have already discussed, routes are usually broadcast every 30 seconds, and routes are deleted from the route database if they are not updated within 180 seconds. To understand the cost of routes, examine Figure 6.6.
Figure 6.6 An illustration of hop count with RIP.
Network A is connected to Network D through Network B and Network C. Once Network E is up and running, packets from Network A destined for Network D can be sent through Network E, at a hop count of 1. This hop count is lower, and will therefore be the route of choice when Network A needs to communicate with Network D. If Network E were to go down, Network A would have to know about it. Since RIP requires a router to send updates every 30 seconds, a broken link will be learned quickly by the rest of the routers on the network. Remember, if RIP does not receive an update for a route from another router within 180 seconds, that route is removed from the routing database because the router believes it is no longer available.
RIP routing updates are very dynamic, and changes to the network can be propagated quickly and accurately. For example, a change in network topology is easily reflected in the next RIP routing updates. These update the current entries in a router's routing table (if they are present). If the routes are not in the routing database, they are added. If a router detects a failure of another router on the network, it can recalculate its routes and send the updated information to its neighboring routers, informing them of the new route. Each router that receives this update can then update its own database and propagate the changes to the remaining routers on the network.
RIP-2 Requirements

RIP version 2 was developed to address some of the limitations of the original version of RIP. The purpose of RIP-2 is to increase the amount of information carried in the packet itself, and to add security, which was lacking in RIP version 1. Since RIP is still in widespread use, it was decided to increase the capabilities of RIP so that organizations would not have to implement a brand new routing protocol. RIP is also easier to implement than the rest of the interior gateway protocols. The following is a list of features in the new RIP-2 protocol:
• Optional authentication. Most implementations use simple password authentication, in which the password travels in clear text inside the update. It protects against accidental misconfiguration, not against an attacker who can sniff the segment.
• Routing Domain field. Allows several logical RIP domains to share the same physical network; a router processes only updates for its own domain and ignores the others. The default routing domain is assigned the value 0.
• Route Tag field. Exists to support Exterior Gateway Protocols (EGPs). This field carries autonomous system numbers for EGP and Border Gateway Protocol (BGP). The Internet is divided into domains, or autonomous systems. Interior Gateway Protocols (IGPs) are the protocols used within a domain for the exchange of routing information. Basically, this route tag separates internal RIP routes from external ones.
• Subnet Mask field. Contains the subnet mask that is applied to the IP address to determine the network on which the destination is located.
• Next Hop field. Identifies the immediate next hop to which packets for this destination should be forwarded, which may be a router other than the one sending the update. This is useful on networks where some routers run routing protocols other than RIP.
• Multicasting. RIP-2 sends its updates as multicast rather than broadcast packets, so hosts and routers that do not run RIP-2 need not process them. The RIP-2 multicast address is 224.0.0.9.

The most important aspect of RIP-2 is that it is completely backwards-compatible with RIP-1, and can run in RIP-1 emulation mode or RIP-1 compatible mode, in addition to full RIP-2 mode. RIP-2 also keeps the features that made RIP-1 so popular, such as its small size, easy implementation, and the ability to run on embedded systems that cannot afford the memory space consumed by more efficient routing protocols. RIP has also been redefined to support IPv6 (RIPng), which is very similar to RIP-2; basically all that has changed is the header information contained within the RIP packet. This makes RIP easy to implement in IPv6 networks; however, RIP is still not the ideal choice for modern networks. Newer routing protocols such as OSPF and IS-IS are hoping to make RIP obsolete, but RIP is still implemented in more networks than OSPF and IS-IS combined; therefore, the push by some to make RIP-2 successful is very strong in the networking community.
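The RIP-2 fields listed above, and the weakness of simple password authentication noted under the RIP-1 limitations, can be seen directly on the wire. The following is an added example (not code from the book) that encodes and decodes a RIP-2 response in the RFC 2453 layout: a 4-byte header (command, version, routing domain) followed by 20-byte entries, the first of which may be an authentication entry (address family 0xFFFF, type 2, 16-octet password). It then plays both sides: a receiver that accepts routes only when the password matches, and an attacker on the same segment who reads the password out of one sniffed update and uses it to inject a default route. The addresses, password and routes are constructed; the attacker helper names are this example's own.

```python
# Added example (not from the book): build and parse a RIP-2 response with
# the RFC 2453 "simple password" authentication entry, and show why it is
# weak: the password crosses the wire in clear text.  Constructed data only.

import struct
from ipaddress import IPv4Address, ip_network

RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
ENTRY_LEN = 20


def build_response(routes, password=None, routing_domain=0):
    """Encode a RIP-2 response.  routes: iterable of (prefix, next_hop, metric, tag)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, routing_domain)
    if password is not None:
        # Authentication entry: AFI 0xFFFF, type 2, password null-padded to 16
        # octets.  It must be the first entry, and it is neither hashed nor
        # encrypted.
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, password.encode())
    for prefix, next_hop, metric, tag in routes:
        net = ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, tag,
                           net.network_address.packed, net.netmask.packed,
                           IPv4Address(next_hop).packed, metric)
    return pkt


def parse_response(pkt):
    """Decode a RIP-2 response into (header, password or None, routes)."""
    command, version, domain = struct.unpack_from("!BBH", pkt, 0)
    header = {"command": command, "version": version, "domain": domain}
    offset, password, routes = 4, None, []
    while offset + ENTRY_LEN <= len(pkt):
        afi, field2 = struct.unpack_from("!HH", pkt, offset)
        if afi == AFI_AUTH:
            if offset != 4:
                raise ValueError("authentication entry must be the first entry")
            if field2 != AUTH_SIMPLE_PASSWORD:
                raise ValueError(f"unsupported authentication type {field2}")
            password = pkt[offset + 4:offset + ENTRY_LEN].rstrip(b"\0").decode()
        elif afi == AFI_IP:
            addr, mask, nh, metric = struct.unpack_from("!4s4s4sI", pkt, offset + 4)
            net = ip_network(f"{IPv4Address(addr)}/{IPv4Address(mask)}", strict=False)
            routes.append({"prefix": str(net), "next_hop": str(IPv4Address(nh)),
                           "metric": metric, "tag": field2})
        else:
            raise ValueError(f"unknown address family {afi}")
        offset += ENTRY_LEN
    return header, password, routes


def accept_update(pkt, expected_password):
    """Receiver side: keep the routes only if the password matches; a router
    configured for authentication silently discards anything else."""
    _, password, routes = parse_response(pkt)
    return routes if password == expected_password else []


def sniff_password(pkt):
    """Attacker on the same segment: the password is right there in the bytes."""
    return parse_response(pkt)[1]


def forge_default_route(password, attacker_ip):
    """Attacker re-uses the sniffed password to inject a metric-1 default route
    pointing at itself, capturing traffic the victim has no better route for."""
    return build_response([("0.0.0.0/0", attacker_ip, 1, 0)], password=password)


# Constructed sample: a legitimate update from a router whose password is "s3cret".
ROUTES = [("192.0.2.0/24", "0.0.0.0", 1, 0),
          ("198.51.100.0/24", "10.0.0.2", 3, 0)]
LEGIT_UPDATE = build_response(ROUTES, password="s3cret")

if __name__ == "__main__":
    print("wire bytes :", LEGIT_UPDATE.hex())
    print("sniffed    :", sniff_password(LEGIT_UPDATE))
    forged = forge_default_route(sniff_password(LEGIT_UPDATE), "10.0.0.66")
    print("victim took:", accept_update(forged, "s3cret"))
```

The receiver does reject updates with the wrong password or none at all, so the feature stops a mis-cabled router from polluting the table. It does nothing against the forged update, because the attacker supplied the same 16 octets everyone on the segment can read. The practical answer is the keyed-MD5 variant of RIP-2 authentication (RFC 2082), which replaces the password entry with a hash over the packet and a shared key, or a routing protocol with stronger authentication.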
OSPF

OSPF was specifically designed for the Internet, which uses the IP protocol, and has the following features:
• Authentication of routing updates
• TOS-based routing
• Tagging of externally-derived routes
• Fast response to topology changes with low overhead
• Load sharing over meshed links

OSPF attempts to open the shortest path to a destination first. This link-state technology is called Shortest Path First (SPF), in which each router contains an identical database. Inside this routing database is a description of each router and its current state, which also includes the state of the interfaces that the router is connecting. This is much different from RIP routers, which can each have differing entries in their routing databases. SPF-based routers contain the database for the Autonomous System (AS) topology. As you learned earlier, the Internet is divided into domains, or autonomous systems.

Another feature of OSPF that is not available with RIP-1 is the ability to support subnet masking. Each route distributed by OSPF has a destination address and a subnet mask. When packets are being routed, routes with the longest match are given higher priority than routes with a shorter subnet mask.
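The longest-match rule in the previous paragraph, as an added example (not code from the book). It runs a lookup over a routing table whose entries carry a mask, as OSPF and RIP-2 distribute them, and contrasts it with the only lookup RIP-1 can do, where no mask is on the wire and the router falls back to the address's classful network. The table entries and next-hop names are constructed.

```python
# Added example (not from the book): longest-prefix-match lookup over a table
# that carries a subnet mask per route, against the classful fallback that
# is all RIP-1 can manage.  Table contents are constructed.

from ipaddress import ip_address, ip_network


def longest_match(table, dst):
    """Return (prefix, next_hop) of the most specific route covering dst.
    table maps 'network/prefixlen' -> next hop; a '0.0.0.0/0' entry is the
    default route and wins only when nothing longer matches."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def classful_network(dst):
    """The only 'mask' RIP-1 can infer: the class A/B/C natural network."""
    first_octet = int(ip_address(dst)) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ip_network(f"{dst}/{prefixlen}", strict=False))


def classful_lookup(table, dst):
    """RIP-1 style: with no mask on the wire, only the classful entry matches."""
    return table.get(classful_network(dst))


# Constructed table: three nested prefixes inside 10/8 plus a default route.
TABLE = {
    "0.0.0.0/0": "R0",       # default route
    "10.0.0.0/8": "R1",      # the whole class A network
    "10.1.0.0/16": "R2",     # one subnet of it
    "10.1.2.0/24": "R3",     # a smaller subnet inside that
}

if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.1.9.1", "10.9.9.9", "192.0.2.1"):
        print(f"{dst:10s} longest={longest_match(TABLE, dst)} "
              f"classful={classful_lookup(TABLE, dst)}")
```

With masks, 10.1.2.7 goes to R3 and 10.1.9.1 to R2 because the /24 and /16 entries beat the /8; a RIP-1 router, seeing only the class A network 10.0.0.0, would send both to R1 and would never be able to hold the two subnets as separate routes.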
OSPF is also capable of supporting four types of physical networks: point-to-point, broadcast, nonbroadcast, and point-to-multipoint.
• Point-to-point networks. Consist of two routers, in which the point-to-point interfaces can be set up as numbered or unnumbered interfaces. A network of synchronous serial lines is an example of a point-to-point network.
• Broadcast networks. Networks with potentially more than two routers, on which OSPF has the ability to send the same broadcast (or multicast) packet to all of the routers. An Ethernet network is an example of a broadcast network.
• Nonbroadcast networks. Networks also with potentially more than two routers; however, OSPF does not have the ability to send a broadcast to all of the routers. X.25 and ATM are examples of this type of network.
• Point-to-multipoint networks. Resemble a bicycle wheel, with the main router as the hub and the other routers branching off as spokes from the central hub. This appears very similar in theory to the Ethernet star topology.

One concept of OSPF that is very different from RIP is that networks can be split into many areas. Routing is described as entirely within an area (intra-area routing) or between areas (inter-area routing). To remember the difference, think of inter-area as the Internet as opposed to an internal intranet for an organization. When OSPF needs to link areas together, it uses the concept of a backbone, which is similar to the use of a backbone in an Ethernet network. This backbone is made up of routers and networks that link together different areas. This backbone must be contiguous, which is also similar to the backbone of an Ethernet bus network. Interfaces can extend from this backbone to other networks. Routing between areas in this way is called inter-area routing because the source and destination are located in different areas.
Chapter 6 * Routing Issues
Since an area can be defined in such a way that the backbone is not contiguous, there needs to be a way to continue backbone connectivity. This is made possible by a virtual link. A virtual link is configured between two backbone routers that both have an interface into the same nonbackbone area, and it functions as if it were a direct link to the backbone. A virtual link also lets you patch the backbone when a discontinuity occurs, such as when a link is down. When packets need to be sent from one area to another, they are sent along this backbone. This makes use of an Area Border Router (ABR), a router that is connected both to the originating area and to the backbone area. The packet is sent across the backbone and received by another area border router, which then forwards it on to its destination. There are four types of routers associated with OSPF: internal routers, area border routers, backbone routers, and autonomous system (AS) boundary routers.
Internal routers. Responsible for routing packets within a single area. They flood the routing information that arises within their own area to the other routers in that area. An internal router whose interfaces all lie in the backbone area is also a backbone router.

Area Border routers. Responsible for routing packets between the multiple areas on which the router has interfaces.

Backbone routers. Have at least one interface on the backbone (area 0). Every area border router is therefore also a backbone router, which is why the two terms are sometimes used interchangeably.

Autonomous System (AS) boundary routers. Exchange information with other autonomous systems using exterior gateway protocols such as BGP.

Area border routers can treat certain areas as stubs. This means the border router will not forward any information about external routes into the stub area. These border routers can also be configured not to forward summary information about OSPF routes in other areas into the stub area either, leaving it with only a default route out.
These four types of routers make it possible for OSPF to divide an autonomous system into areas.
Configuring OSPF

To configure OSPF on your Cisco router, you need to enter configuration mode and enter the following information. First, enable the OSPF process:

    router ospf <process-id>

Then you must assign areas to the interfaces (note that this command takes an inverse, or wildcard, mask rather than a subnet mask):

    network <address> <wildcard-mask> area <area-id>

The following is an example of both completed steps:

    router ospf 5
     network 203.11.87.156 0.0.0.255 area 100
The network command in the second step is how we assign a router's interfaces to an area. We specify a network or IP address together with a wildcard mask; every interface whose address matches is placed into the OSPF process in the given area. The area-id must correspond with the area in which those interfaces will be placed. Recall that an area is a subdivision of an OSPF autonomous system (AS), not another name for the AS itself.

To use passwords with OSPF routers, which is one feature we were not able to take advantage of with RIPv1 routers, you must also enter configuration mode. The password should be configured the same on every OSPF router in your area. To enable simple password authentication, enter configuration mode on the router and enter the following information:

    ip ospf authentication-key <password>      (this goes under the specific interface)
    area <area-id> authentication              (this goes under "router ospf <process-id>")
The following is an example of both completed portions:

    interface Ethernet1
     ip address 197.13.55.110 255.255.255.0
     ip ospf authentication-key february
    router ospf 100
     network 45.113.22.188 0.255.255.255 area 200
     area 200 authentication
From the preceding example you can see that our password is february. Unfortunately, anyone with a link analyzer can obtain this password as it passes over the network, because simple authentication carries the password in clear text in every OSPF packet. To implement a more secure means of authentication, we can use OSPF Message Digest (MD5) authentication. You must configure the key (password) and a key-id on each OSPF router that will participate in authentication. A link analyzer cannot obtain the password, because the password (key) itself is never passed over the network; only an MD5 digest computed over each packet and the key is. To enable message digest authentication, enter configuration mode on the router and enter the following information:

    ip ospf message-digest-key <key-id> md5 <key>     (this goes under the specific interface)
    area <area-id> authentication message-digest     (this goes under "router ospf <process-id>")
The following is an example of both completed portions:

    interface Ethernet1
     ip address 197.13.55.110 255.255.255.0
     ip ospf message-digest-key 10 md5 february
    router ospf 100
     network 45.113.22.188 0.255.255.255 area 200
     area 200 authentication message-digest

From the preceding example you can see that our password is still february, our message-digest-key ID is 10, and our area is still 200. The key-id must be the same on every router on the link, because the receiver uses it to select which key to verify the digest with. Keep in mind that MD5 authentication stops an outsider from learning the key or injecting forged OSPF packets, but it does not hide the routing information itself from a link analyzer.
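As an added example (not code from the book or from any router vendor), the following Python script builds the same Hello packet under both authentication types and shows what a link analyzer would see in each case. The router ID, area, key-id and password are taken from the configuration above; the Hello and Dead timers (10 and 40 seconds) are assumed defaults, the packet layout follows RFC 2328 Appendix D, and every packet is constructed in the script rather than captured.

```python
"""
OSPFv2 authentication on the wire (RFC 2328, Appendix D).

AuType 1 (simple password) carries the password itself in the 8-byte
Authentication field of every packet, so a link analyzer reads it off
the wire. AuType 2 (cryptographic) carries only a key ID, a digest
length and a sequence number; MD5(packet || key) is appended after the
packet and the key itself is never transmitted. Packets are constructed.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
PKT_HELLO = 1
AUTH_SIMPLE, AUTH_CRYPTO = 1, 2
HEADER_LEN = 24


def ip_checksum(data):
    """Ones-complement checksum used in the OSPF header (AuType 0 and 1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(netmask, hello_interval, dead_interval, priority=1):
    """Minimal Hello body: mask, timers, options, priority, no DR/BDR, no neighbours."""
    return struct.pack("!4sHBBI4s4s", netmask, hello_interval, 0x02,
                       priority, dead_interval, b"\0" * 4, b"\0" * 4)


def _header(pkt_type, length, router_id, area_id, autype, auth_field):
    # version, type, length, router ID, area ID, checksum, AuType, auth field
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, pkt_type, length,
                       router_id, area_id, 0, autype, auth_field)


def build_simple_auth(pkt_type, body, router_id, area_id, password):
    """AuType 1: the password (padded or cut to 8 bytes) travels in clear."""
    length = HEADER_LEN + len(body)
    hdr = _header(pkt_type, length, router_id, area_id, AUTH_SIMPLE, b"\0" * 8)
    csum = ip_checksum(hdr + body)  # checksum excludes the authentication field
    auth = password[:8].ljust(8, b"\0")
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:16] + auth + body


def verify_simple_auth(wire, password):
    """Receiver side of AuType 1: password compares and the checksum holds."""
    if len(wire) < HEADER_LEN or wire[14:16] != struct.pack("!H", AUTH_SIMPLE):
        return False
    if wire[16:24] != password[:8].ljust(8, b"\0"):
        return False
    zeroed = wire[:12] + b"\0\0" + wire[14:16] + b"\0" * 8 + wire[24:]
    return ip_checksum(zeroed) == struct.unpack("!H", wire[12:14])[0]


def build_md5_auth(pkt_type, body, router_id, area_id, key_id, seq, key):
    """AuType 2: auth field = (0, key ID, digest length 16, sequence number);
    MD5(packet || key padded to 16 bytes) is appended after the packet.
    The header checksum is not used with cryptographic authentication."""
    length = HEADER_LEN + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(pkt_type, length, router_id, area_id, AUTH_CRYPTO, auth) + body
    return pkt + hashlib.md5(pkt + key[:16].ljust(16, b"\0")).digest()


def verify_md5_auth(wire, keys, last_seq=None):
    """Receiver side of AuType 2: known key ID, digest matches, and the
    sequence number is not older than the last one accepted (anti-replay)."""
    if len(wire) < HEADER_LEN or wire[14:16] != struct.pack("!H", AUTH_CRYPTO):
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    if len(wire) != length + 16:
        return False
    _, key_id, digest_len, seq = struct.unpack("!HBBI", wire[16:24])
    if digest_len != 16 or key_id not in keys:
        return False
    if last_seq is not None and seq < last_seq:
        return False
    expected = hashlib.md5(wire[:length] + keys[key_id][:16].ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, wire[length:])


def key_visible_on_wire(wire, key):
    """What a link analyzer sees: is the secret present in the packet bytes?"""
    return key in wire


# Values from the book's configuration example: router 197.13.55.110,
# area 200, password "february", key ID 10. Timers are assumed defaults.
RID = bytes([197, 13, 55, 110])
AREA = struct.pack("!I", 200)
BODY = hello_body(bytes([255, 255, 255, 0]), 10, 40)

if __name__ == "__main__":
    plain = build_simple_auth(PKT_HELLO, BODY, RID, AREA, b"february")
    signed = build_md5_auth(PKT_HELLO, BODY, RID, AREA, 10, 1, b"february")
    print("simple auth, key on wire:", key_visible_on_wire(plain, b"february"))
    print("md5 auth, key on wire:", key_visible_on_wire(signed, b"february"),
          "- verifies:", verify_md5_auth(signed, {10: b"february"}))
```

The receiver also rejects a sequence number lower than the last one it accepted from that neighbor, which is what stops an attacker from simply replaying a captured, validly signed packet; a rogue router without the key cannot produce a digest that verifies, so it never becomes a neighbor.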
We have learned about the backbone, which is a contiguous area of physical links. This backbone is called area 0 and has to be the center of all other areas. We can use a virtual link to provide a logical connection to the backbone from an area that is disconnected from it, as illustrated in Figure 6.7.

Figure 6.7 Creating a virtual link between two noncontiguous sites.

In Figure 6.7, Area 1 does not have a physical, contiguous connection to Area 3. A virtual link has been created between Router1 and Router2. Area 2 is now a transit area, and Router2 is now the entry point into Area 3. In order for this virtual link to work, we need to enter configuration mode on each OSPF router and enter the following information about the link under "router ospf <process-id>":

    area <area-id> virtual-link <router-id>

The following is an example of the completed portions on both routers:
    Router1#
    router ospf 100
     area 2 virtual-link 2.2.2.2

    Router2#
    router ospf 100
     area 2 virtual-link 1.1.1.1
The area-id in the preceding example is the transit area, which we determined was Area 2. The router ID (RID) is the OSPF router ID of the router at the far end of the virtual link; here we used the routers' IP addresses, 2.2.2.2 and 1.1.1.1, as their router IDs.
Routing Update Impact

The RIP protocol is better suited to smaller networks because of the large number of broadcasts it uses to update routers about paths to remote networks. The OSPF protocol is well suited to larger, dynamic, more complicated networks. RIP routers send their entire routing table to neighboring routers every 30 seconds, whereas OSPF routers send only small updates whenever they detect a change in the network, such as a failed link or a new link, and otherwise refresh their link-state advertisements only every 30 minutes. The process by which routers exchange this information and settle on a new, consistent representation of the network is called convergence, and OSPF routers converge on the new picture very quickly.

A network of OSPF and RIP routers can coexist. OSPF is slowly replacing RIP as the interior gateway routing protocol of choice. OSPF routers can simultaneously run RIP for router-to-end-station communications and OSPF for router-to-router communications. For example, you can configure a Windows NT computer to participate as a RIP router in a RIP-routing environment, but you cannot configure that same Windows NT computer to participate as an OSPF router in an OSPF-routing environment. This coexistence between RIP and OSPF makes gradual migrations from RIP to OSPF feasible. In fact, RIP and OSPF routers can not only coexist in the same network, they can actually share routing information. Figure 6.8 shows the enabling of RIP routing on Windows NT.
Figure 6.8 Configuring a Windows NT computer as a RIP router.
To configure your Windows NT computer to participate in sharing routing updates with other computers on the network, you need to enable IP forwarding. This is done in the Network applet of the Control Panel, by selecting the TCP/IP protocol and viewing its properties; the Routing tab is illustrated in Figure 6.8. You also need to enable RIP in the Services applet of the Control Panel.

In OSPF, a neighbor is another router running OSPF that has an interface on the same network. When discovering and configuring OSPF neighbors, a router uses the Hello protocol to find its neighbors and to maintain the relationship with them. On two of the OSPF network types, point-to-point and broadcast, the Hello protocol discovers neighbors dynamically. On a nonbroadcast network you have to configure the neighbors manually, because OSPF has no means of contacting them and establishing relationships on its own. The Hello protocol ensures that the relationships between routers are bidirectional, which guarantees that every OSPF router will send updated route information to, as well as receive it from, each of its neighbors. Communication is considered bidirectional once a router sees itself listed in the Hello packet from another router. Included in the Hello packet are the following:

- The router's priority
- The router's Hello timer and Dead timer values
- A list of the routers from which this router has received Hello packets on this interface
- This router's choice of designated router and backup designated router

However, this does not mean OSPF is a perfect routing protocol as far as routing updates are concerned. In really large network configurations, OSPF can produce a large number of router updates that flow between routers. If a network consists of hundreds of routers in a topology designed to be fault tolerant, the number of link-state messages that traverse the network can be in the thousands. These thousands of link-state messages are propagated from router to router across the network, consuming valuable bandwidth, especially on slower WAN links. The routers then have to recalculate their routing tables, which consumes valuable RAM and CPU cycles if those tables are of a significant size. No routing protocol available today is capable of eliminating routing updates in a very large network with many routers; OSPF is, however, much more capable than RIP at minimizing these bandwidth-intensive updates.
By "link-state" we mean the state, or condition, of a link, that is, a description of the router's relationship to its neighboring routers. Think of a link as an interface on the router: the link-state describes the IP address of the physical interface, its subnet mask, the type of network it is connected to, and the routers connected to that network. The collection of all these link-states makes up the link-state database. The link-state algorithm (in much more complex terms than described here) builds and calculates paths in a few steps:
- Upon initialization, or upon a change in routing information, a router generates a link-state advertisement that represents the collection of all the link-states currently on the router.

- In an event called flooding, all routers exchange this link-state information. The flood of routing information is propagated to all routers in the area.

- After each router has finished compiling the link-state information, it calculates a Shortest Path Tree to all destinations. This is very CPU-intensive, as there can be hundreds of paths that need to be processed. The resulting paths include the associated cost and the next-hop information needed to reach each destination.

If there are no changes in the network topology, OSPF will not be very active. It will not need to exchange link-state information, and the routers will therefore not need to recalculate their Shortest Path Trees, because they already have the information processed.
Router l i n k s . D e s c r i b e t h e s t a t e a n d c o s t of t h e r o u t e r ' s l i n k s to t h e area. T h e s e r o u t e r l i n k s a r e t h e i n d i c a t i o n of t h e i n t e r f a c e s on a r o u t e r b e l o n g i n g to a c e r t a i n area.
Network l i n k s . D e s c r i b e all r o u t e r s t h a t a r e a t t a c h e d to a specific s e g m e n t . T h e s e are g e n e r a t e d b y t h e D e s i g n a t e d R o u t e r (DR).
S u m m a r y l i n k s . D e s c r i b e n e t w o r k s in t h e a u t o n o m o u s s y s t e m (AS), b u t o u t s i d e of a n area. T h e s e s u m m a r y l i n k s also d e s c r i b e t h e l o c a t i o n of t h e ABSR. T h e y a r e also g e n e r a t e d b y t h e ABRs.
External l i n k s . D e s c r i b e d e s t i n a t i o n s t h a t a r e e x t e r n a l to t h e AS, or a d e f a u l t r o u t e from o u t s i d e t h e AS. T h e A S B R is r e s p o n s i b l e for i n j e c t i n g t h e e x t e r n a l link i n f o r m a t i o n into t h e autonomous system. A n o t h e r f e a t u r e of O S P F is t h a t r o u t i n g u p d a t e s a r e n o t p a s s e d a c r o s s a r e a s . R e m e m b e r t h a t a r e a s a r e s e p a r a t e d b y t h e t y p e s of
261
262
Chapter 6 *
Routing Issues
r o u t e r s t h a t we listed before, s u c h as a r e a b o r d e r r o u t e r s . If a netw o r k link were to fail, only t h e r o u t e r s inside t h a t a r e a w o u l d e x c h a n g e r o u t i n g u p d a t e information. Area b o r d e r r o u t e r s filter t h e r o u t i n g u p d a t e s from s e p a r a t e a r e a s a n d t h e b a c k b o n e . Area b o r d e r r o u t e r s c a n c o m m u n i c a t e with e a c h o t h e r a n d e x c h a n g e r o u t i n g u p d a t e information, b u t t h e y u s e special l i n k - s t a t e m e s s a g e s t h a t are a brief s u m m a r i z a t i o n of the LAN or WAN topology for t h e i r areas. Figure 6.9 i l l u s t r a t e s t h e u s e of dividing a r e a s t h a t r e p r e s e n t p h y s i c a l regions with a r e a b o r d e r r o u t e r s a t t a c h e d to the b a c k b o n e .
Figure 6.9 Dividing physical regions into areas separated by area border routers.
Each city does not want to receive the routing updates from the other cities; therefore, these areas are separated by area border routers, which can and do exchange information with each other, but in a smaller link-state update. You can also fine-tune OSPF routers to minimize the number of updates that are unleashed on the network, and therefore minimize the bandwidth they consume. You can also fine-tune the rate of convergence, which is the time between the routers receiving the new routing information and the time the network routers have made the necessary adjustments in their routing tables. Table 6.4 illustrates an example of the OSPF database. This output is from the following command:

    show ip ospf database
Table 6.4 The Complete OSPF Database Taken from an Area Border Router (ABR)

    OSPF Router with ID (211.231.15.67) (Process ID 10)

        Router Link States (Area 1)
    Link ID          ADV Router       Link Count
    211.231.15.67    211.231.15.67    2
    211.231.16.130   211.231.16.130   2

        Summary Net Link States (Area 1)
    Link ID          ADV Router
    211.231.13.41    211.231.15.67
    211.231.15.64    211.231.15.67
    211.231.15.192   211.231.15.67

        Router Link States (Area 0)
    Link ID          ADV Router       Link Count
    211.231.13.41    211.231.13.41    3
    211.231.15.67    211.231.15.67    1

        Net Link States (Area 0)
    Link ID          ADV Router
    211.231.15.68    211.231.13.41

        Summary Net Link States (Area 0)
    Link ID          ADV Router
    211.231.15.0     211.231.15.67

        Summary ASB Link States (Area 0)
    Link ID          ADV Router
    211.231.16.130   211.231.15.67

        AS External Link States
    Link ID          ADV Router       Tag
    0.0.0.0          211.231.16.130   10
    211.231.16.128   211.231.16.130   0
We can begin analyzing the results, first starting with the Router Link States section of Area 1, shown in Table 6.5.
Table 6.5 The Router Link States Section of Area 1 in the OSPF Database

    Link ID          ADV Router       Link Count
    211.231.15.67    211.231.15.67    2
    211.231.16.130   211.231.16.130   2
The two entries represent two routers in this area. Both routers have two links into Area 1, as shown by the Link Count column. We continue, skipping past the Summary Net Link States section, on to the next Router Link States section, which is for Area 0, shown in Table 6.6.
Table 6.6 The Router Link States Section of Area 0 in the OSPF Database

    Link ID          ADV Router       Age    Link Count
    211.231.13.41    211.231.13.41    179    3
    211.231.15.67    211.231.15.67    675    1
Once again, there are two routers in this area. The first router has three links into Area 0, and the second router has one link into Area 0. The Summary ASB Link States are listed in Table 6.7.
Table 6.7 The Summary ASB Link States of Area 1 in the OSPF Database

    Link ID          ADV Router       Age
    211.231.16.130   211.231.15.67    468
This tells you which router is the ASBR for the area: the router with the address 211.231.16.130. The AS External Link States section contains information about destinations outside of our autonomous system, shown in Table 6.8.
Table 6.8 The AS External Link States in the OSPF Database

    Link ID          ADV Router       Age     Tag
    0.0.0.0          211.231.16.130   1683    10
    211.231.16.128   211.231.16.130   65      0
Both of the external links listed have been injected into our area by that ASBR, 211.231.16.130: a default route (0.0.0.0, carrying route tag 10) and the network 211.231.16.128. Because any router that redistributes routes into OSPF becomes an ASBR and can inject a default route in exactly this way, it is worth checking that the advertising router in this section is one you expect.
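As an added example (not from the book), the following Python script parses output in the format of Table 6.4 into records and pulls out the ASBR and the external routes, so that the check just described can be automated against an allow list of known ASBRs. The sample text is constructed from Table 6.4 and laid out as the router prints it; the parser keys off each section's header line, so the extra Age, Seq# and Checksum columns of real output are handled the same way.

```python
"""
Parse 'show ip ospf database' output into records and check which router
is injecting external routes into the autonomous system.
"""
import re

# Constructed sample: the book's Table 6.4 laid out as the router prints it.
SAMPLE = """\
            OSPF Router with ID (211.231.15.67) (Process ID 10)

                Router Link States (Area 1)

Link ID         ADV Router      Link count
211.231.15.67   211.231.15.67   2
211.231.16.130  211.231.16.130  2

                Summary Net Link States (Area 1)

Link ID         ADV Router
211.231.13.41   211.231.15.67
211.231.15.64   211.231.15.67
211.231.15.192  211.231.15.67

                Router Link States (Area 0)

Link ID         ADV Router      Link count
211.231.13.41   211.231.13.41   3
211.231.15.67   211.231.15.67   1

                Net Link States (Area 0)

Link ID         ADV Router
211.231.15.68   211.231.13.41

                Summary Net Link States (Area 0)

Link ID         ADV Router
211.231.15.0    211.231.15.67

                Summary ASB Link States (Area 0)

Link ID         ADV Router
211.231.16.130  211.231.15.67

                AS External Link States

Link ID         ADV Router      Tag
0.0.0.0         211.231.16.130  10
211.231.16.128  211.231.16.130  0
"""

SECTION_RE = re.compile(r"^\s*(?P<name>.+? Link States)(?: \(Area (?P<area>\S+)\))?\s*$")
COLUMN_RE = re.compile(r"Link ID|ADV Router|Age|Seq#|Checksum|Link count|Tag", re.I)
ROUTER_RE = re.compile(r"OSPF Router with ID \((\S+)\) \(Process ID (\d+)\)")


def router_id(text):
    """(router ID, process ID) from the banner line, or None if absent."""
    m = ROUTER_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def parse_ospf_database(text):
    """Return one dict per LSA: the section name, its area (None for AS
    external LSAs) and the column values named in that section's header."""
    records, section, area, columns = [], None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section, area, columns = m.group("name"), m.group("area"), None
            continue
        if line.lstrip().startswith("Link ID"):
            columns = COLUMN_RE.findall(line)
            continue
        if section is None or columns is None:
            continue                      # banner or other non-table line
        fields = line.split()
        if len(fields) != len(columns):
            continue                      # not a data row for this section
        rec = dict(zip(columns, fields))
        rec["section"], rec["area"] = section, area
        records.append(rec)
    return records


def asbrs(records):
    """Routers the ABR announces as AS boundary routers (Summary ASB LSAs)."""
    return {r["Link ID"] for r in records if r["section"] == "Summary ASB Link States"}


def external_routes(records):
    return [r for r in records if r["section"] == "AS External Link States"]


def default_route_originators(records):
    """Who is injecting a default route (0.0.0.0) into the autonomous system."""
    return [r["ADV Router"] for r in external_routes(records) if r["Link ID"] == "0.0.0.0"]


def unexpected_externals(records, allowed_asbrs):
    """External LSAs whose originator is not on the allow list of known ASBRs:
    a misconfigured or rogue router redistributing routes shows up here."""
    return [r for r in external_routes(records) if r["ADV Router"] not in allowed_asbrs]


if __name__ == "__main__":
    recs = parse_ospf_database(SAMPLE)
    print("database of", router_id(SAMPLE), "holds", len(recs), "LSAs; ASBRs:", asbrs(recs))
    print("default route from:", default_route_originators(recs))
    print("unexpected externals:", unexpected_externals(recs, {"211.231.16.130"}))
```

Run periodically against the real command output, the unexpected_externals check turns a manual reading of the database into an alert whenever a router that should not be an ASBR starts originating external LSAs.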
OSPF Implementation Recommendations

Consider the following list of suggestions from Nortel Networks when implementing OSPF on your network (see http://support.baynetworks.com).
- Keep the same password within an area, if possible.
- Use the default timers.
- Use the address range if your network is a subnetted network.
- Keep all subnets within one area.
- Make sure the AS Border Router parameter is enabled if the router has any non-OSPF interfaces, and if you want that information propagated.
- Configure virtual links for each area border router that does not reside within or directly interface the backbone. Every border router must have a configured path to the backbone.
- If you have a preferred path to a destination, edit the Metric Cost parameter of your interface. OSPF will then choose the path with the lowest cost.
- Configure your routers that are running OSPF with the same timer values that coincide with the timers in your other devices.
- If there is a topology change, such as a change to an area or moving routers, you must reconfigure the appropriate OSPF elements, such as the interfaces, virtual links, and so on.
BGP Requirements

Border Gateway Protocol (BGP) is the de facto standard for routing between autonomous systems on the Internet. BGP was developed to address the limitations of Exterior Gateway Protocol (EGP), which was not the strongest routing protocol, although it was widely
used. BGP can be thought of as the next generation of EGP. All communication between Internet Service Providers (ISPs) is handled via BGP-4, which is required for CIDR. BGP-4 differs from BGP-3 just as RIP-2 differs from RIP-1. BGP-4 is also written BGP4, without the hyphen. BGP allows the announcement of classless routes, routes that are not strictly on class A, class B, or class C network boundaries. These classless routes can be subnets or supernets. For more information on supernets, refer to the section on CIDR.

The primary purpose of BGP is to advertise routes to other networks, which are called autonomous systems (AS). BGP is also useful for advertising to upstream providers what routes are available inside your network. When you are communicating with another ISP over the Internet, you are communicating with their network, or autonomous system, which is the more appropriate wording when speaking of routing with BGP. The border routers separate your AS from their AS. Every router in your AS should know the route to that destination AS. All BGP routers in your AS should contain the same routing information, and you should be advertising only routes that you know how to reach. The cardinal sin of BGP routing is advertising routes that you do not know how to reach.
There are three types of configurations in a network:

Stub areas. Always end points. This is usually a single, statically routed connection from a central site, such as an ISP, to a remote location, such as a home or office. BGP is not needed in stub area configurations.

Multihomed areas. Central sites with at least two statically defined or dynamically routed connections to remote locations. Data flows only to and from the remote locations. BGP is also not needed in this multihomed configuration.

Transit areas. Central sites with at least two connections to remote locations, where one connection is to a remote location with an Internet connection and the other is to an additional Internet connection. Each of these locations is an autonomous system (AS), and traffic from one may pass through the central site to the other. BGP is required in this configuration.
BGP is needed in a configuration where the customer has multiple locations with multiple routers but does not want each location's routing tables to affect the others. Defining these autonomous systems makes it possible to use trusted paths between locations. This is the strategy used on the Internet to ensure better reliability and higher performance. Figure 6.10 illustrates the purpose of BGP single-homed connections to an upstream provider.

Figure 6.10 Routing BGP in single-homed connections.

You can see how all traffic leaving the AS follows the default route. A default route makes perfect sense on a single-homed network, with only one connection to an upstream provider. From the upstream provider's side it is also much easier, because your AS does not have a multihomed link to more than one upstream provider. The upstream provider can configure a static
route to your AS. It would make no sense to configure this connection between the two ASs with a dynamic routing protocol, because the link between them will rarely change. If the IP address range of your AS were to change, you would simply have the upstream provider change the static route to your AS.

You have been hearing about the autonomous system; now we need to describe the autonomous system number (ASN), which is used to represent the autonomous system to the Internet. Most networks have only one autonomous system number. When you exchange routes with another router speaking BGP (called a peering session), the configuration starts out like the following:

    router bgp 14290
     neighbor 204.118.35.166 remote-as 802
     (remaining commands omitted)

This configuration says, "I belong to ASN (autonomous system number) 14290, and I want to peer using BGP with the router at 204.118.35.166, which belongs to ASN 802." The list of commands that would initiate the routing table transfer is omitted. When a node wishes to connect with a BGP peer, it opens a TCP connection to port 179, which is the default BGP port. A significant amount of information is transferred, such as the identification numbers, authentication information, and protocol version numbers, before the BGP update of the routing tables can take place. The update will not take place if authentication has not been successful. If the update is successful, the changes are then propagated to neighboring BGP routers. When you communicate with other hosts and routers using BGP, you can make semi-intelligent routing decisions that include the best path to reach a destination. This route contains more than just the first router to send the packet to; it can include the complete path of autonomous systems to the destination. You can also advertise your routes to neighboring routers, and have those routers in turn advertise your routes to their neighboring routers.
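As an added example (not code from the book or from any router vendor), the following Python script builds and checks the BGP OPEN message that each peer sends once the TCP connection to port 179 is up, and mirrors the check a router makes against its "neighbor ... remote-as" configuration before the session can proceed. The local router is taken to be AS 14290 with the neighbor at 204.118.35.166 in AS 802, as in the configuration above; the messages are constructed in the script, and the message layout and error codes follow RFC 4271.

```python
"""
BGP OPEN exchange (RFC 4271) and the checks a router makes on it before
the session can carry routes. Messages are constructed for this example;
the local router is in AS 14290 and is configured with
"neighbor 204.118.35.166 remote-as 802", so the peer's OPEN must carry
My Autonomous System = 802 or the router tears the session down.
"""
import struct

BGP_PORT = 179
BGP_VERSION = 4
MARKER = b"\xff" * 16
MSG_OPEN, MSG_UPDATE, MSG_NOTIFICATION, MSG_KEEPALIVE = 1, 2, 3, 4

# NOTIFICATION error codes and subcodes (RFC 4271, sections 4.5 and 6)
ERR_HEADER, ERR_OPEN = 1, 2
SUB_NOT_SYNCHRONIZED, SUB_BAD_LENGTH, SUB_BAD_TYPE = 1, 2, 3
SUB_BAD_VERSION, SUB_BAD_PEER_AS, SUB_BAD_BGP_ID, SUB_BAD_HOLD_TIME = 1, 2, 3, 6


def _message(msg_type, payload):
    """Common header: 16-byte marker of ones, 2-byte total length, 1-byte type."""
    return MARKER + struct.pack("!HB", 19 + len(payload), msg_type) + payload


def build_open(my_as, hold_time, bgp_id):
    """OPEN with no optional parameters; bgp_id is a dotted-quad string."""
    ident = bytes(int(o) for o in bgp_id.split("."))
    return _message(MSG_OPEN, struct.pack("!BHH4sB", BGP_VERSION, my_as, hold_time, ident, 0))


def build_keepalive():
    return _message(MSG_KEEPALIVE, b"")


def build_notification(code, subcode, data=b""):
    return _message(MSG_NOTIFICATION, struct.pack("!BB", code, subcode) + data)


def parse_open(wire):
    """Decode an OPEN, or raise ValueError carrying the (code, subcode)
    of the NOTIFICATION a router would send back before closing."""
    if len(wire) < 19 or wire[:16] != MARKER:
        raise ValueError((ERR_HEADER, SUB_NOT_SYNCHRONIZED))
    length, msg_type = struct.unpack("!HB", wire[16:19])
    if length != len(wire) or length < 29:
        raise ValueError((ERR_HEADER, SUB_BAD_LENGTH))
    if msg_type != MSG_OPEN:
        raise ValueError((ERR_HEADER, SUB_BAD_TYPE))
    version, peer_as, hold_time, ident, opt_len = struct.unpack("!BHH4sB", wire[19:29])
    if version != BGP_VERSION:
        raise ValueError((ERR_OPEN, SUB_BAD_VERSION))
    if hold_time in (1, 2):            # must be 0 or at least 3 seconds
        raise ValueError((ERR_OPEN, SUB_BAD_HOLD_TIME))
    if ident == b"\0\0\0\0":
        raise ValueError((ERR_OPEN, SUB_BAD_BGP_ID))
    return {"version": version, "as": peer_as, "hold_time": hold_time,
            "bgp_id": ".".join(str(b) for b in ident), "opt_len": opt_len}


def negotiate_hold_time(local, peer):
    """Both sides settle on the smaller of the two advertised hold times."""
    return min(local, peer)


def accept_peer(wire, configured_remote_as):
    """Mirror of the router's check against 'neighbor ... remote-as N'.
    Returns (True, open_fields) when the session may move on to KEEPALIVE,
    or (False, notification_bytes) when the router closes the TCP session."""
    try:
        fields = parse_open(wire)
    except ValueError as err:
        code, subcode = err.args[0]
        return False, build_notification(code, subcode)
    if fields["as"] != configured_remote_as:
        return False, build_notification(ERR_OPEN, SUB_BAD_PEER_AS)
    return True, fields


if __name__ == "__main__":
    # The neighbour in AS 802 opens the session towards us (AS 14290).
    ok, result = accept_peer(build_open(802, 180, "204.118.35.166"), 802)
    print("peer accepted:", ok, result)
    # A peer claiming a different AS gets NOTIFICATION (OPEN error, Bad Peer AS).
    ok, notif = accept_peer(build_open(64512, 180, "204.118.35.166"), 802)
    print("wrong AS accepted:", ok, "notification code/subcode:", notif[19], notif[20])
```

The remote-as check is the only identity check the OPEN itself provides, and the marker is constant in BGP-4, so in practice the TCP session is protected with the TCP MD5 signature option (RFC 2385) and a shared secret per neighbor; without it, anyone who can reach port 179 on the router and guess the peer's address and AS can attempt to open a session.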
BGP selects only one path as the best path to a destination. This path is then propagated to the neighboring BGP routers. Unlike some routing protocols, BGP does not need a periodic routing table refresh. The initial exchange between two BGP routers is the full routing table, but from then on only changes to the best paths are advertised in update messages to the neighboring BGP routers. This makes long-running sessions between BGP routers more efficient than short sessions, because the full routing table is exchanged only once, when the session is first established. There are actually two types of BGP that differ in how they advertise routing information. The first is EBGP, usually just referred to as BGP, which is what we have been discussing thus far; it is used to advertise routes between different autonomous systems. IBGP, by contrast, is used to advertise routes within the same autonomous system.
Figure 6.11 Differentiating between interior and exterior routing with IBGP and EBGP.
Figure 6.11 demonstrates the use of both types of BGP and the autonomous system. In the network example shown in Figure 6.11, BGP first makes sure that networks within the interior AS are reachable. Then,
271
272
Chapter 6 *
Routing Issues
b o r d e r r o u t e r s c a n e x c h a n g e r o u t i n g i n f o r m a t i o n with e a c h o t h e r r e g a r d i n g t h e s t a t u s of n e t w o r k s w i t h i n their a u t o n o m o u s s y s t e m s . EBGP is u s e d to c o m m u n i c a t e with b o r d e r r o u t e r s , a n d IBGP is u s e d w i t h i n t h e AS. J u s t like RIP, IBGP is a n interior r o u t i n g protocol t h a t c a n be u s e d for active r o u t i n g w i t h i n y o u r network. IBGP does n o t distribu t e r o u t e s as m u c h as EBGP. E a c h r o u t e r in a n IBGP c o n f i g u r a t i o n m u s t be configured to ~peer into every o t h e r r o u t e r to e x c h a n g e this i n f o r m a t i o n , w h e r e a s this is n o t n e e d e d with s t r a i g h t BGP. However, IBGP is m o r e flexible a n d provides a m o r e efficient m e a n s of controlling a n d e x c h a n g i n g t h e r o u t i n g i n f o r m a t i o n from w i t h i n a n AS.
IBGP and EBGP Requirements
BGP requires a combination of hardware and software to support it. The most commonly used implementations of BGP are with Cisco routers, Nortel routers, UNIX variants, BSD, and Linux. Nortel and Cisco routers are by far the most common types of routers currently supporting BGP. We will now discuss the steps required to enable and configure BGP. First, we will assume that we want two routers to communicate using BGP. These routers will be called Router1 and Router2. These routers belong in two unique autonomous systems, called AS 1 and AS 2, as illustrated in Figure 6.12.
Figure 6.12 An example of routing between two separate autonomous systems. (Figure labels: Router1 at 134.201.56.12 in AS 1, Router2 at 134.201.56.13 in AS 2.)
We now need to enable BGP on the routers one at a time, starting with Router1:

    router bgp 1

and now the same step on Router2:

    router bgp 2

These statements enable BGP on the router for the AS in which they belong. We will now define the neighbors that we wish to communicate with via BGP. Establishing a connection between two neighbors, or peers, via BGP is made possible by the TCP protocol. The TCP connection is essential for the BGP routers to establish a connection and exchange routing updates. The neighbor command is used to establish a TCP connection:

    Router1# router bgp 1
             neighbor 134.201.56.13 remote-as 2

    Router2# router bgp 2
             neighbor 134.201.56.12 remote-as 1
These statements use the TCP/IP address of the directly connected routers for the EBGP connection. Note that EBGP will be used because we are communicating with an external autonomous system. If we were to make the configuration more difficult, we could add another router called Router3 within our AS 1, and create another AS called AS 3, as illustrated in Figure 6.13. We need to modify the statements on the routers as follows:

    Router1# router bgp 1
             neighbor 134.201.56.13 remote-as 2
             neighbor 134.201.56.14 remote-as 3
             ! IBGP peer Router3 (128.201.33.117 in Figure 6.13) is in the same AS 1
             neighbor 128.201.33.117 remote-as 1

    Router2# router bgp 2
             neighbor 134.201.56.12 remote-as 1

    Router3# router bgp 1
             neighbor 134.201.56.12 remote-as 1

    Router4# router bgp 3
             neighbor 134.201.56.12 remote-as 1
In the preceding example, Router1, Router2, and Router4 are running EBGP. Router1 and Router3 are running IBGP. The difference between running IBGP and EBGP is whether the remote-as number points to an external or an internal AS. Notice also that Router1 and Router3 are not directly connected, whereas Router1 is directly connected to Router2 and Router4. This is acceptable because the router is within your AS. As long as there is some IGP running to connect the neighboring routers within the same AS, this is acceptable.
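As an added example (not code from the book or from any router vendor), the following Python script applies the two rules just stated to the Router1 through Router4 stanzas: a neighbor statement is IBGP when its remote-as equals the local AS and EBGP otherwise, and routers in the same AS must peer with each other in both directions. The router addresses are taken from Figure 6.13; Router3's stanza is an assumption, since the text only says that it peers with Router1.

```python
from itertools import combinations

# Sample router stanzas constructed from the Figure 6.13 listing in the text.
# Each entry is (the router's own address from the figure, its BGP stanza).
# Router3's stanza is assumed to mirror Router1's side of their IBGP session.
ROUTER_CONFIGS = {
    "Router1": ("134.201.56.12",
                "router bgp 1\n"
                " neighbor 134.201.56.13 remote-as 2\n"
                " neighbor 134.201.56.14 remote-as 3\n"
                " neighbor 128.201.33.117 remote-as 1"),
    "Router2": ("134.201.56.13",
                "router bgp 2\n neighbor 134.201.56.12 remote-as 1"),
    "Router3": ("128.201.33.117",
                "router bgp 1\n neighbor 134.201.56.12 remote-as 1"),
    "Router4": ("134.201.56.14",
                "router bgp 3\n neighbor 134.201.56.12 remote-as 1"),
}


def parse_bgp_stanza(text):
    """Return (local_as, {neighbor_ip: remote_as}) from IOS-style lines."""
    local_as, neighbors = None, {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["router", "bgp"]:
            local_as = int(tokens[2])
        elif tokens[:1] == ["neighbor"] and "remote-as" in tokens:
            neighbors[tokens[1]] = int(tokens[tokens.index("remote-as") + 1])
    if local_as is None:
        raise ValueError("no 'router bgp <asn>' statement in stanza")
    return local_as, neighbors


def classify_sessions(configs):
    """Map (router, neighbor_ip) to 'IBGP' or 'EBGP'.

    The text's rule: a session is IBGP when remote-as equals the local AS
    and EBGP when it points at a different autonomous system.
    """
    sessions = {}
    for name, (_, text) in configs.items():
        local_as, neighbors = parse_bgp_stanza(text)
        for ip, remote_as in neighbors.items():
            sessions[(name, ip)] = "IBGP" if remote_as == local_as else "EBGP"
    return sessions


def check_peerings(configs):
    """Return sorted problem strings, or [] when the stanzas are consistent.

    Checks that every neighbor statement names a known router, that its
    remote-as is that router's real AS, that the peer has the matching
    statement back, and that routers in one AS form the full IBGP mesh.
    """
    parsed = {name: (addr,) + parse_bgp_stanza(text)
              for name, (addr, text) in configs.items()}
    by_addr = {addr: name for name, (addr, _, _) in parsed.items()}
    problems = set()
    for name, (addr, _, neighbors) in parsed.items():
        for ip, remote_as in neighbors.items():
            peer = by_addr.get(ip)
            if peer is None:
                problems.add(f"{name}: neighbor {ip} is not a known router")
                continue
            _, peer_as, peer_neighbors = parsed[peer]
            if remote_as != peer_as:
                problems.add(f"{name}: neighbor {ip} remote-as {remote_as}, "
                             f"but {peer} is in AS {peer_as}")
            if addr not in peer_neighbors:
                problems.add(f"{peer}: no neighbor statement for {name} ({addr})")
    for a, b in combinations(parsed, 2):
        if parsed[a][1] != parsed[b][1]:
            continue                      # different AS: no IBGP mesh required
        for x, y in ((a, b), (b, a)):     # same AS: both directions needed
            if parsed[y][0] not in parsed[x][2]:
                problems.add(f"{x}: no neighbor statement for {y} ({parsed[y][0]})")
    return sorted(problems)
```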
Figure 6.13 Example of routing among three autonomous systems. (Figure labels: AS 1 containing Router1 at 134.201.56.12 and Router3 at 128.201.33.117; AS 2 containing Router2 at 134.201.56.13; AS 3 containing Router4 at 134.201.56.14; an EBGP label on the inter-AS link.)
Loopback Interfaces
Another feature of IBGP is the use of loopback interfaces, which eliminate a dependency that occurs when you use the IP address of a router (the physical interface to the route). Figure 6.14 illustrates the use of a loopback interface specified on Router2.

Figure 6.14 Specifying the loopback interface for reliable routing.
In Figure 6.14, Router1 and Router2 are both running IBGP in AS 1. If Router1 were to communicate with Router2 by specifying the IP address of Ethernet interface 0, 1, 2, or 3 (shown in the figure as "E" for Ethernet: E0, E1, E2, and E3), and the specified interface were not available, a TCP connection would not be possible and these two routers could not communicate. To prevent this from happening, Router1 would specify the loopback interface that is defined by Router2. When this loopback interface is used, BGP does not have to rely on the physical interface availability when making TCP connections. The following commands on both of the routers illustrate the use of specifying a loopback interface:
    Router1# router bgp 1
             neighbor 201.13.145.88 remote-as 1

    Router2# interface loopback 0
             ip address 201.13.145.88 255.255.255.0
             router bgp 1
             neighbor 180.121.33.67 remote-as 1
             neighbor 180.121.33.67 update-source loopback 0
Router1 will specify the address of the loopback interface (201.13.145.88) of Router2 in the neighbor remote-as configuration command. The use of this loopback interface requires that Router2 also include the neighbor update-source router configuration command in its own configuration. When this neighbor update-source loopback command is used, the source of the BGP TCP connections for this specified neighbor is the IP address of the loopback interface, and not the IP address of the physical interface. Router1 still needs a route (for example, via the IGP running inside the AS) to 201.13.145.88, since the loopback address is not on a directly connected link.
Summary
In this chapter we discussed the need for routing protocols and the many types of routing protocols available. As networks vary in size and complexity, it is important to implement the correct routing protocol to handle the network requirements. We learned that smaller networks have different needs than larger, more complex networks. With this in mind, a protocol designed for smaller networks cannot address the needs of the larger network, and any attempts to do so will impose restrictions and inhibit growth. This is evident with the Routing Information Protocol (RIP), which is a very popular routing protocol that works beautifully in smaller, less complex networks, but is incapable of performing on a complex network such as the Internet.
We also discussed the threat of IP address exhaustion on the Internet and the concern for large global routing tables with the influx of new networks on the Internet. One of the protocols responsible for addressing these issues is Classless Interdomain Routing (CIDR). CIDR can also implement supernetting to aggregate IP addresses into a large block that global routers can use instead of advertising each individual address. We also learned that internal networks have different routing needs when maintaining routers inside a specific area. These routers use a routing protocol, such as the distance-vector-based Interior Gateway Routing Protocol (IGRP), to keep an accurate assessment of the network topology. Routers update their routing tables with neighboring routers and assign costs to network links that make one route more efficient than another. Enhanced Interior Gateway Routing Protocol (EIGRP) has improved on IGRP in many areas, such as convergence, which implements a new algorithm that enables all routers involved in a topology change to synchronize their internal routing tables at the same time. Routing Information Protocol (RIP) version 2 has also improved on its predecessor, RIP.

Although the first version of RIP was limited for large network use, RIP-2 has addressed some of these issues, such as the addition of authentication, support for the subnet mask, and maintaining its small size and ease of implementation. Open Shortest Path First (OSPF), like RIP, is another Interior Gateway Protocol (IGP). We learned that OSPF is much more robust than RIP, although RIP still is very effective in some implementations. OSPF uses a link-state technology and Shortest Path First algorithm that can determine the most efficient route much better than RIP, because OSPF can also determine the speed of the link. OSPF also makes use of areas, which are used to group hosts into logical groupings, much like a domain. OSPF can route to some of these areas, but will require an Exterior Gateway Protocol (EGP) to communicate with other areas.
Finally, in this chapter we learned how information is routed outside of an area by use of a protocol such as Border Gateway Protocol (BGP). This protocol passes information through the network backbone to the autonomous systems. Communication between Internet Service Providers is done through BGP. Border Gateway Protocol addresses the limitations of EGP, and is the routing protocol of choice when it comes to exterior routing.
Q: When do I not need to implement BGP?
A: When you are single-homed, which means you only have one connection to the Internet. You also do not need BGP if you are not providing downstream routing. Use a default route instead.

Q: When do I have to renumber if I am using CIDR?
A: If you move your site from one ISP to another and you have been using an allocated set of addresses from your original ISP's CIDR block, you will have to return those addresses to your ISP.

Q: I am determining whether to configure my new network with RIP or OSPF. Why should I choose one over the other?
A: If you are implementing a new network, you need to examine both protocols to determine the correct protocol for your environment. You should use OSPF if you have a larger, complicated network. RIP works wonderfully for smaller, less complex networks and is still very common in internal networks.

Q: Why would I want to implement CIDR within my network?
A: Because you can create smaller subnets than are available with a standard class C address. You can create subnets with 128, 64, or 32 hosts.
Chapter 7 * Automatic Assignment of IP Addresses with BOOTP and DHCP
Objectives
Introduction
This section starts with a general overview of dynamic addressing, along with a short history of the development of dynamic addressing protocols.
The Role of Dynamic Address Assignment
Over the last two decades we have witnessed a tremendous growth in the size of networks. This growth has occurred in the geographic spread of the network, as well as in the number of nodes per network. Just within the last two decades, the change from a host-based computing model using terminals, to a client/server model with user workstations, has caused an exponential growth in the average number of nodes per network.
These phenomena have driven the need for distributed management tools, where those charged with administering the network can remotely configure and manage network nodes from a central location. One of these tools is dynamic address assignment, a process of using a database as a source of IP addresses and related parameters. The information in this database is provided by a server to clients needing address configuration. These servers match a client with their address records in the database and return the information stored there to the client. The client then sets its IP configuration using the parameter values returned.

Dynamic address assignment provides several benefits to the administrator. It greatly reduces the time spent in configuring clients, since the process occurs automatically across the network rather than having to visit each workstation. Instead, administrators spend their time configuring the database. It can also help prevent configuration problems such as duplicate address assignments or input errors. It may even provide a mechanism for recovering and reusing assigned addresses that are no longer being used.

A key feature of dynamic address assignment concerns the protocols that are used between the requesting client and the server that provides address information. These protocols define the process of obtaining configuration information. They specify the format of the packets used to convey information between client and server, and may define the range of information that can be distributed to the client. The rest of this chapter will focus on these protocols.
A Brief History
It's ironic to note that the original impetus for much of the development of dynamic addressing protocols was not fueled directly by the desire for remote IP address configuration. Rather, it was based on the need to define a protocol that could be used to boot a diskless host across the network. The focus on diskless booting was a product of the times, since during the 1980s, when the original BOOTP RFC was released, there was a flirtation with the diskless workstation architecture not unlike the current interest in terminal servers and "network computers." Diskless workstations used centralized disk storage, which could reduce the total costs of mass storage during an era when these costs were very high. They also held the promise of greater control over the data, centralized backup and administration, and file sharing.

The central challenge posed by the diskless workstation was how to get it booted, when it had no drives to boot from. The solution involved the use of the network interface card, with a programmable ROM chip that contained enough code to figure out its IP address, locate a server to transfer down a boot file, and then execute the boot file to get the rest of its instructions. To enable this PROM to communicate with the servers providing addresses and boot files, several methods were devised. Early attempts at doing this involved the use of RARP (Reverse Address Resolution Protocol). RARP is a protocol that a client can use to request an address from a RARP server, using its MAC address as its identifier. Unfortunately, RARP was designed to operate directly on top of the data-link layer, and thus does not use network-layer (IP) addresses. It's therefore not routable, and can't be used in subnetted environments.

The BOOTP protocol was defined in RFC951, released in September 1985. It described a protocol that would use a UDP datagram, on top of IP, to exchange address and booting information. The BOOTP packet contained fields for the assigned address, address of the boot file server, and name of the boot file, and also provided a "vendor extensions or options" field, which could convey numerous other parameters. BOOTP also was designed specifically to be capable of operating across a subnetted network, using a BOOTP Relay agent.

The DHCP protocol, first defined in RFC 1541 in October 1993, was designed to be a refinement and extension of the BOOTP protocol. It used the same packet structure as BOOTP, but made extensive use of the vendor field (now called the options field) to convey DHCP-specific information. Enhancements provided by DHCP included the ability to define ranges of addresses to be given out, rather than having to provide individual entries in a database for each client. It also provided the ability to lease an address for a finite time period, and recover addresses that were no longer being used. Some of the more recent developments in this area include the tying together of DHCP servers and DNS servers, so that dynamic address assignments can be communicated to the DNS server. The DNS server then updates its host-name-to-address-resolution database with the proper addresses.
Address Management with These Tools
The following section will explain in detail both the BOOTP and DHCP processes, and will offer some comparisons between BOOTP and DHCP.
The BOOTP Packet
The BOOTP packet (see Figure 7.1) is a special-purpose UDP datagram, which is carried inside a standard IP datagram, on a variety of data-link frames. The source IP address for this packet will be the client's IP address if the client knows it, or 0.0.0.0 if it doesn't. The destination IP address will be set to the server address if known, or will be the local broadcast address, 255.255.255.255, if the server address is unknown. The UDP header will contain BOOTP-specific source and destination port numbers. These numbers are 68 for the client, and 67 for the BOOTP server. The client sends requests using 67 (BOOTP server) as the destination port and the server replies using 68 (BOOTP client) as the destination port.

Figure 7.1 BOOTP packet structure.
Table 7.1 represents the field definitions within the data field of the UDP datagram that make up the BOOTP packet structure. The fields are ordered according to their position in the table, reading from left to right, one row at a time.

Field Descriptions and Comments
This section explains each one of the field names listed in Table 7.1. It will explain the purpose of the field, as well as the possible values that the field can contain.
Table 7.1 Fields and Field Lengths for the BOOTP Packet

    1st Octet            2nd Octet            3rd Octet            4th Octet
    OP (1 byte)          HTYPE (1 byte)       HLEN (1 byte)        HOPS (1 byte)
    XID (4 bytes)
    SECS (2 bytes)                            FLAG (2 bytes)
    CIADDR (4 bytes)
    YIADDR (4 bytes)
    SIADDR (4 bytes)
    GIADDR (4 bytes)
    CHADDR (16 bytes)    continues for 12 more bytes
    SNAME (64 bytes)     continues for 60 more bytes
    FILE (128 bytes)     continues for 124 more bytes
    VEND (64 bytes)      continues for 60 more bytes, or OPTIONS (variable)
OP
This field is set to one of two values as follows: 1 = BOOTREQUEST, 2 = BOOTREPLY. The BOOTREQUEST op code is set by the client when it wishes to request services from the BOOTP Server. The BOOTREPLY op code is set by the server when it replies to a client request. These codes are also used the same way with DHCP.
HTYPE
This is the hardware address type. This field will contain one of the values listed in Table 7.2. The most common values today would be 1 for 10MB Ethernet and 6 for Token Ring.
Table 7.2 Hardware Address Type Codes

    Name          Number
    Ethernet      1
    Ethernet3     2
    Ether         1
    Ether3        2
    Ieee803       6
    Tr            6
    Token Ring    6
    Pronet        4
    Chaos         5
    Arcnet        7
    Ax.25         3
HLEN
This is the length of the hardware address, expressed in bytes. For an Ethernet interface with the standard MAC address of 48 bits (6 bytes), this field would contain 6.
HOPS
This field is used to indicate the number of routers or gateways through which the BOOTP packet has passed. It is set to zero by the client and then incremented as it passes through a router.

XID
This field is a transaction identifier. It is a random number generated by the client when it sends a BOOTREQUEST message. It will be returned in the server's BOOTREPLY message, so that the client can match its request with the appropriate reply.
SECS
This field is filled in by the client to indicate the elapsed time since it first sent a BOOTREQUEST message. Thus, the first message will have a value of zero in this field, and it will be incremented if the client has to send several requests before it gets a reply. Historically, there has been some inconsistency in the use of this field by different implementations, but it was intended to be used as a means of identifying packets that should be handled on a priority basis by a forwarding agent.

FLAG
In the original definition of the packet structure in RFC951 (September 1985), this field was labeled as unused, and was reserved for future enhancements. By the time that RFC 1542 (October 1993) was written, the working group was struggling with the problem of returning boot replies to a requesting client. Since the client would not know its IP address until AFTER receiving the packet, it was often necessary to broadcast the reply back to the client. With this in mind, RFC 1542 renamed this field and specified that the highest-order bit would be set by the client to indicate that a BROADCAST reply was required. The rest of the bits were reserved for future use, with a default setting of zero if unused.

CIADDR
The client uses this field to indicate its currently assigned IP address, if the client knows it. If not, it sets this field to 0.0.0.0. Since this protocol was designed for remote booting, BOOTP can be used for bootfile retrieval by a client that already knows its address.

YIADDR
The BOOTP server uses this field to indicate to the client the IP address it is being assigned. In those cases where the server unicasts a reply to the client, this address will be used as the destination.
SIADDR
This IP address is returned by the BOOTP server, which indicates the server that will be accessed to load the boot file used in the second step of the boot process.

GIADDR
Though this field is called the gateway IP address, this is a little misleading, in that it really refers to the address of a BOOTP relay agent. It is used to facilitate the transfer of BOOTP messages between a client and server located on different IP subnets. This agent will be a node on the client's network, and when the agent forwards a BOOTREQUEST, it changes this field from 0.0.0.0 to its own address. Then the BOOTP server can unicast its reply to this address on the client's subnet. This field has been subject to some misinterpretation, in that it is sometimes confused with a router gateway address for the client. This interpretation has been fueled by the fact that a router can act as a relay agent, in which case the GIADDR may be a router interface. To alleviate this confusion, an option was defined in the VEND (options) field that explicitly defines a router (gateway) address. The client can use this when requesting its boot file, in the second stage of the BOOTP process.

CHADDR
This is the client's hardware address. It is interpreted in conjunction with the HTYPE (hardware address type) field and the HLEN (hardware address length). It is provided by the client in a BOOTREQUEST message, and is used by the server to identify the entries in the BOOTP database associated with this client. It was also designed to provide a server with a MAC address for the client, which it could store in its ARP cache to avoid having to use an all-ones broadcast in a BOOTREPLY.
SNAME
The client can use this field to specify a particular server from which it wishes to obtain a boot file. In this case the name would be a domain name that could be resolved using a DNS server or a HOSTS file. If this is left blank, the server will return an address in the SIADDR field that specifies the boot file server address for the client.

FILE
This field is used to indicate the name of the boot file to be downloaded by the client in the second phase of the BOOTP process. The client can use this field to request a particular boot file name, or the server can use this field to identify the boot file name in a BOOTREPLY message, based on a client's entry in the BOOTP database.

VEND/OPTION
This field originally was defined as a vendor-extensions field, with a fixed length of 64 bytes. Later, it was defined more generically as an OPTION field, with a variable length. It was intended to convey additional information to the client. Using this field, the client could specify its interest in additional parameters, and the server could supply parameters matching this request, provided that the requested information existed in the BOOTP database. To facilitate the interpretation of this field, the first four octets of the field describe a magic cookie, which is a value that identifies the format for the rest of the field. A vendor could use a specific set of octet values to define the field format, or a generic cookie could be used to indicate the standard option format, which will be described later in this chapter. The values used for the standard format are 99.130.83.99 in the first four octets.
BOOTP Process Details
The following section will outline in detail the process between the client and server. It includes a description of the packet contents in each direction.

Client BOOTREQUEST
The client will create a packet with the following settings:
- The IP destination address = 255.255.255.255.
- The IP source address and CIADDR = 0.0.0.0, if unknown, or the client's address, if known.
- The UDP header length field is set to the length of the packet in bytes.
- The UDP source port = 68 (BOOTP Client).
- The UDP destination port = 67 (BOOTP Server).
- The OP field is set to 1 (BOOTREQUEST).
- The HTYPE field is set to the hardware address type.
- The HLEN field is set to the length of the hardware address.
- The XID field is set to a random value representing the transaction identifier.
- The SECS field is set to zero if this is the first boot request; otherwise it is set to the time since the first boot request.
- The FLAGS field has the high-order bit set to one if the client can only receive a broadcast BOOTREPLY; all other bits are set to zero.
- The GIADDR will be set to 0.0.0.0.
- The CHADDR is set to the MAC address of the client.
- The SNAME field may be filled in with the name of a server from which the client wishes to boot.
- The FILE field may be filled with the name of the boot file from which the client wishes to boot.
- The VEND field may be filled with a list of optional parameters the client is requesting.
Automatic Assignment of IP Addresses with BOOTP and DHCP Objectives
9
Chapter 7
If t h e client d o e s n o t receive a reply to a B O O T R E Q U E S T after a c e r t a i n time period, t h e client will r e t r a n s m i t t h e p a c k e t w i t h a n u p d a t e d S E C S field, s h o w i n g t h e e l a p s e d time s i n c e t h e first BOOTP request.
Server BOOTREPLY W h e n a s e r v e r receives a B O O T R E Q U E S T m e s s a g e , it will p e r f o r m t h e following c h e c k s : 9 T h e SNAME field is c h e c k e d , to see if t h e client r e q u e s t e d a specific server. If it did, a n d t h e s e r v e r d o e s n o t m a t c h t h e c u r r e n t server, t h e p a c k e t m a y be f o r w a r d e d u s i n g a BOOTP Relay a g e n t f u n c t i o n , a n d t h e GIADDR will be u p d a t e d w i t h t h e s e r v e r ' s a d d r e s s , if it is n o t a l r e a d y filled in. Alternatively, it m a y be j u s t d i s c a r d e d , d e p e n d i n g on t h e server. 9 The CIADDR field will be c h e c k e d . If it is zero, t h e s e r v e r will c h e c k t h e HTYPE, HLEN, a n d CHADDR fields a n d will u s e t h e m to identify a r e c o r d for t h i s client in t h e d a t a b a s e . If it finds a record, it p u t s t h e client's a s s i g n e d a d d r e s s in t h e YIADDR field. If no r e c o r d is f o u n d in t h e BOOTP s e r v e r ' s d a t a b a s e , t h e p a c k e t is d i s c a r d e d . 9 The s e r v e r will n o w c h e c k t h e FILE field. If a f i l e n a m e is specified, t h e s e r v e r will c h e c k it a g a i n s t its d a t a b a s e . If a m a t c h is found, t h e s e r v e r will p u t t h e c o m p l e t e p a t h to t h e filename in t h i s field. If t h e f i l e n a m e d o e s n ' t m a t c h t h e d a t a b a s e , t h e serve a s s u m e s t h e client is a s k i n g for a file t h i s s e r v e r d o e s n o t k n o w a b o u t , a n d it d r o p s t h e p a c k e t . 9 The VEND field is n o w c h e c k e d for a n y special i n f o r m a t i o n or i n s t r u c t i o n s t h a t t h e client w i s h e s to convey to t h e server. The list of v e n d o r o p t i o n s will be covered l a t e r in t h i s chapter. 
The s e r v e r t h e n c r e a t e s its reply p a c k e t w i t h t h e following settings: T h e IP d e s t i n a t i o n a d d r e s s = See T a b l e 7.3 to d e t e r m i n e t h e IP d e s t i n a t i o n a d d r e s s .
Table 7.3 outlines the behavior of the server in passing back the BOOTREPLY packet, based on the field contents of the BOOTREQUEST packet from the client.

Table 7.3 Values in Client Fields and Corresponding Addressing Strategy for Server
(X = any value)

BOOTREQUEST PACKET                       BOOTREPLY PACKET
CIADDR    GIADDR    Broadcast Flag       UDP Destination   IP Destination     Data-Link Destination
nonzero   0.0.0.0   X                    BOOTPC (68)       CIADDR             Client MAC address
0.0.0.0   nonzero   X                    BOOTPS (67)       GIADDR             Client MAC address
0.0.0.0   0.0.0.0   0                    BOOTPC (68)       YIADDR             CHADDR
0.0.0.0   0.0.0.0   1                    BOOTPC (68)       255.255.255.255    Broadcast
Field Values in the BOOTREPLY Packet
The server will create the BOOTREPLY packet with the following field values:
• The IP source address = the address of the server.
• The UDP header length field is set to the length of the packet in bytes.
• The UDP destination port = 68 (BOOTP Client) normally, unless returning to a BOOTP Relay Agent (see Table 7.3).
• The UDP source port = 67 (BOOTP Server).
• The OP field is set to 2 (BOOTREPLY).
• The HTYPE field is unchanged.
• The HLEN field is unchanged.
• The XID field is left unchanged, to match this reply with the client's original request.
• The SECS field is left unchanged.
• The FLAGS field is left unchanged if the broadcast bit is set. If zero, the server may set the BROADCAST flag if it knows the client can only receive broadcast replies.
• The CIADDR is left unchanged.
• The YIADDR is set to the client's assigned IP address from the server's database.
• The SIADDR is filled in with the server's own IP address, provided it will handle the next phase of the boot process, which involves serving the boot file.
• The GIADDR is left unchanged.
• The CHADDR is left unchanged.
• The SNAME field is left unchanged.
• The FILE field may be filled with the full path and filename of the boot file for this client, based on the database record.
• The VEND field may be filled with the list of optional parameters from the database record.

When the client receives the BOOTREPLY from the server, it checks the fields in the packet to ensure that the reply is for it and not some other client. It looks for a match in the CIADDR, CHADDR, and XID fields.
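The server-side checks, the BOOTREPLY field values and the addressing rules of Table 7.3, as an added example that is not code from the book. Packets are modelled as plain dicts keyed by BOOTP field name, addresses as dotted strings, and the client database record is passed in directly; for the two unicast rows the data-link address is left to normal ARP/routing resolution rather than hard-coded.

```python
"""Added example (not from the book): build and address a BOOTREPLY."""

BOOTPS, BOOTPC = 67, 68            # BOOTP server / client UDP ports
BROADCAST_FLAG = 0x8000            # high-order bit of the 16-bit FLAGS field
ANY_IP = "0.0.0.0"
LIMITED_BROADCAST = "255.255.255.255"


def reply_destination(ciaddr, giaddr, flags, yiaddr, chaddr):
    """Pick (udp_port, ip_dest, link_dest) for a BOOTREPLY per Table 7.3.

    Unicast rows return "resolve" for the link layer (ordinary ARP/routing).
    The YIADDR row cannot be resolved by ARP because the client does not own
    the address yet, so the reply goes straight to CHADDR.
    """
    if ciaddr != ANY_IP:                    # row 1: client knows its address
        return BOOTPC, ciaddr, "resolve"
    if giaddr != ANY_IP:                    # row 2: request came via a relay agent
        return BOOTPS, giaddr, "resolve"
    if flags & BROADCAST_FLAG:              # row 4: client only hears broadcasts
        return BOOTPC, LIMITED_BROADCAST, "ff:ff:ff:ff:ff:ff"
    return BOOTPC, yiaddr, chaddr           # row 3: unicast to the client MAC


def build_bootreply(req, record, server_ip, server_name):
    """Apply the server checks and return (reply, destination), or None when
    the request must be dropped.  `record` is the database entry found via
    HTYPE/HLEN/CHADDR ({"yiaddr", "file", "aliases", "vend"}) or None."""
    # SNAME names a different server: this example discards instead of
    # relaying (the text allows either behaviour).
    if req["sname"] and req["sname"] != server_name:
        return None
    if record is None:                      # no database record for this client
        return None
    # FILE names something this server does not know about: drop the packet.
    if req["file"] and req["file"] not in record["aliases"]:
        return None
    reply = dict(req)                       # most fields are left unchanged
    reply.update(
        op=2,                               # BOOTREPLY
        yiaddr=record["yiaddr"],
        siaddr=server_ip,                   # this server also serves the boot file
        file=record["file"],                # full path from the database record
        vend=record["vend"],
    )
    dest = reply_destination(req["ciaddr"], req["giaddr"], req["flags"],
                             reply["yiaddr"], req["chaddr"])
    return reply, dest


def reply_is_for_me(reply, req):
    """Client-side check: the reply must echo our XID, CHADDR and CIADDR."""
    return all(reply[f] == req[f] for f in ("xid", "chaddr", "ciaddr"))


# Constructed sample: a first-boot request from a client that needs broadcasts.
SAMPLE_REQUEST = {
    "op": 1, "htype": 1, "hlen": 6, "xid": 0x1A2B3C4D, "secs": 0,
    "flags": BROADCAST_FLAG, "ciaddr": ANY_IP, "yiaddr": ANY_IP,
    "siaddr": ANY_IP, "giaddr": ANY_IP, "chaddr": "00:11:22:33:44:55",
    "sname": "", "file": "", "vend": b"",
}
SAMPLE_RECORD = {                           # constructed database entry
    "yiaddr": "192.0.2.10",
    "file": r"usr\bootfiles\boot.suffix1",
    "aliases": {"bootfile1"},
    "vend": b"",
}

if __name__ == "__main__":
    reply, dest = build_bootreply(SAMPLE_REQUEST, SAMPLE_RECORD,
                                  "192.0.2.1", "bootsrv")
    print(reply["op"], reply["yiaddr"], reply["siaddr"], dest)
    print(reply_is_for_me(reply, SAMPLE_REQUEST))
```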
The BOOTP Server Database
RFC 951 includes a section that outlines a suggested format for the BOOTP database. This database was envisioned as a flat text file database composed of two sections, separated by a line beginning with a percent (%) sign. The first section contains a series of mappings from a generic (short alias) name to a complete pathname for a boot file. If the client does not specify a filename, and the database does not contain a different filename for this client, the server will use the first name listed in this section as the boot filename returned. The second section contains listings for each client, along with their assigned parameters. The client's hardware address type (HTYPE) and hardware address (CHADDR) fields are used as the index to match a record with the requesting client. Besides the hardware address type and the actual hardware address, each record contains the hostname, the assigned IP address, and a reference to the generic filename from section one, which maps to a full path to the boot file. It may also include an optional suffix, which will be appended to the bootfile path to indicate a unique file, as in "filename.client1, filename.client2", etc. Comment lines can be indicated by beginning the line with a # symbol. Following is a generic example of a BOOTP database file, as described in the RFC. There are variations to this file format between different BOOTP servers, but this offers a general idea.

    # Sample Database Format
    # Section one: generic name to path mappings
    bootfile1 usr\bootfiles\boot
    bootfile2 alt\bin\startup
    % Section one ends, Section two begins
    host-one HTYPE1 CHADDR1 IPaddress1 bootfile1 suffix1
    host-two HTYPE2 CHADDR2 IPaddress2 bootfile2 suffix2

This server will match the HTYPE and CHADDR of a BOOTP request to a record in the database. For example, if these match the record for host-one, the server will return IPaddress1 to the client. It will also look at the generic name bootfile1 and translate it to the full pathname using section one of the database file. It will then append suffix1 to the filename and return it as the full pathname in the FILE field of the BOOTREPLY packet. This full path would be usr\bootfiles\boot.suffix1.
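A parser for the two-section database format above and the lookup the text walks through (HTYPE and CHADDR to assigned address and full boot-file path, with the optional suffix appended). This is an added example, not the RFC's or any BOOTP server's code; the sample database is constructed here with real-looking values in place of the placeholders HTYPE1, CHADDR1 and IPaddress1.

```python
"""Added example (not from the book or RFC 951): BOOTP database lookup."""


def parse_bootp_db(text):
    """Return (paths, clients).

    paths   : generic name -> full boot-file path (section one)
    clients : (htype, chaddr) -> record dict (section two)
    Section one ends at the first line that starts with '%'; lines starting
    with '#' are comments.  Values come straight from the file, so the server
    should treat them as data, never as something to execute.
    """
    paths, clients, in_section_one = {}, {}, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or comment line
            continue
        if line.startswith("%"):                    # section separator
            in_section_one = False
            continue
        fields = line.split()
        if in_section_one:
            paths[fields[0]] = fields[1]
        else:
            # host htype chaddr ip [bootfile [suffix]]
            host, htype, chaddr, ip = fields[:4]
            clients[(int(htype), chaddr.lower())] = {
                "host": host,
                "ip": ip,
                "bootfile": fields[4] if len(fields) > 4 else None,
                "suffix": fields[5] if len(fields) > 5 else None,
            }
    return paths, clients


def resolve(paths, clients, htype, chaddr, requested_file=""):
    """Mimic the server lookup described above.

    Returns (ip, full_path) or None when the request should be dropped
    (no record for this client, or a requested file the server does not know).
    """
    rec = clients.get((htype, chaddr.lower()))
    if rec is None:
        return None
    # No bootfile in the record: the first name in section one is the default.
    generic = rec["bootfile"] or next(iter(paths))
    if requested_file and requested_file not in (generic, paths.get(generic)):
        return None
    path = paths.get(generic)
    if path is None:
        return None                                 # record points at an unknown alias
    if rec["suffix"]:
        path = f"{path}.{rec['suffix']}"            # e.g. usr\bootfiles\boot.client1
    return rec["ip"], path


# Constructed sample database in the format shown above.
SAMPLE_DB = r"""
# Sample Database Format (constructed for this example)
# Section one: generic name to path mappings
bootfile1 usr\bootfiles\boot
bootfile2 alt\bin\startup
% Section one ends, Section two begins
host-one 1 00:11:22:33:44:55 192.0.2.10 bootfile1 client1
host-two 1 00:11:22:33:44:66 192.0.2.11 bootfile2
host-three 1 00:11:22:33:44:77 192.0.2.12
"""

if __name__ == "__main__":
    paths, clients = parse_bootp_db(SAMPLE_DB)
    print(resolve(paths, clients, 1, "00:11:22:33:44:55"))
```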
How Does DHCP Work?
This section begins with an overview of the DHCP process. It is followed by a detailed description of the process, which includes explanations of the DHCP message types, as well as DHCP-specific option codes. It will also address the issue of BOOTP and DHCP interoperability, and will conclude with a discussion of DHCP address pools.

DHCP Process Overview
DHCP was designed to be an extension of, and replacement for, the BOOTP protocol. It uses the same packet structure, many of the same processes, and was designed for backward compatibility with BOOTP. It also has the ability to use BOOTP Relay Agents to enable client/server communication across subnet boundaries. It differs from BOOTP in that it provides a number of dynamic addressing methods not supported by the earlier protocol.

DHCP supports three address assignment methods. The first of these is called manual address assignment. This is roughly equivalent to the BOOTP process, where an administrator must manually configure entries in a database for each client, and the client then gets these parameters assigned through the BOOTP/DHCP process. The second and third assignment methods involve the use of a DHCP-specific feature called an address pool or scope. In these cases, the administrator doesn't build a table correlating each client with a database record. Instead, a pool of addresses is defined. The addresses are handed out on an as-requested basis. There may also be a set of optional parameters defined for this address pool that are returned to each client along with an address. This alleviates the need to configure each client individually, but also makes it somewhat unpredictable which address a given client will receive.

One way addresses can be assigned from the address pool is to provide them to the client for a finite period of time, called a lease. This is referred to as dynamic address assignment. With a lease, a client is passed a parameter with the address that indicates the maximum time it can hold the address without renewing the lease. Each time the client reboots, it will renew the lease. If it stays booted for a long period of time, it will reach a point called the T1 time, when it will attempt to renew its address from the server it was originally acquired from. If it fails in this attempt, it will reach a second threshold called the T2 time, when it will attempt to renew its address by broadcasting to any available server, just as it did the first time it was assigned an address. The DHCP server keeps track of the addresses it hands out and the lease periods associated with them. If a client fails to renew its lease, the DHCP server will reclaim the address and reuse it with a different client. This feature is particularly useful for environments where addresses are scarce, or where the clients connect to the network on a temporary basis. It may be possible to use a lease reservation to reserve a specific address from the pool for a particular client.

The third assignment method, called automatic address assignment, uses the address pool, but instead of using a finite lease period, the addresses are simply handed out to the client indefinitely. Since BOOTP clients have no concept of a lease, and no lease renewal capability, this method would allow them to use the address pool feature of DHCP, but not the leasing feature.

One of the challenges for the DHCP server is to ensure that it does not hand out addresses that are already in use. There are a number of mechanisms that help achieve this. First, the server and/or client may perform a check by pinging the network for the address before it hands it out. If it gets a response, it knows the address is in use. For addresses that the DHCP server provides, it keeps a database of what addresses have been assigned to which clients, and their lease periods. Lastly, a DHCP server can specifically exclude from its address pool those addresses, or address ranges, that have been previously assigned to hosts through other means.

Both the DHCP server and the client maintain a persistent record of their address assignments. This means that if the server goes down, it will still remember all of its address assignments when it reboots. The client also maintains a record of its assigned address and other parameters, so that if it restarts it will be able to renew its existing assignments with the DHCP server, rather than looking like a new client. The process of assigning a set of parameters to a client is referred to as binding. A client remains bound to its parameters until either its lease period expires, or it relinquishes its assignments with a DHCPRELEASE message.
DHCP Process Details
DHCP uses the BOOTP packet format, with a few modifications, and also makes use of the packet exchange process between client and server. For example, the UDP ports for DHCP and BOOTP are the same. The OP codes used by BOOTP to indicate a client BOOTREQUEST and a server BOOTREPLY are also used by DHCP.

DHCP differs in the extensive use of the VEND field. In DHCP, the VEND (vendor extensions) field is renamed the OPTIONS field, and changed from a fixed length of 64 bytes to a variable length field. Each DHCP message will contain a DHCP Message Type option in this field, which identifies the packet's role in the DHCP process. In addition to the message types, DHCP also uses options to pass DHCP-specific parameters such as the lease period, as well as parameters common to DHCP and BOOTP, such as the subnet mask.

Each message sent from a DHCP client will have an OP code of 1 (BOOTREQUEST) and a destination UDP port of 67 (BOOTP Server). It may have different DHCP message types, however, depending on whether it is requesting a new address, renewing a lease, or releasing an assignment. Similarly, each server message will have an OP code of 2 (BOOTREPLY) and a UDP destination port of 68 (BOOTP Client) unless going through a BOOTP Relay agent.

Each DHCP packet, whether from server or client, will contain information in the OPTIONS field. The first four octets will contain the generic magic cookie, 99.130.83.99, discussed earlier. It will then contain a series of option parameters, of the following form:

    | TAG (option code) | SIZE | PARAMETER VALUE |

Each option takes up one byte for the TAG code, one byte for the size, and then some number of bytes, as stated in the SIZE byte, for the PARAMETER VALUE. Each DHCP packet must contain one of the DHCP Message Type options, in addition to any other options defined.

Unlike the two-step process used by BOOTP, in which a client makes a BOOTREQUEST and the server responds with a BOOTREPLY, the DHCP process normally requires four steps for a new client. In this process, the client broadcasts a BOOTREQUEST packet with a DHCP message type, DHCPDISCOVER. This means it is looking for a DHCP server. The server responds with a BOOTREPLY message using the DHCP message type, DHCPOFFER. This means the server is offering a set of parameters to the client. The client will then issue another BOOTREQUEST packet with the DHCP message type, DHCPREQUEST. This informs the server that the client accepts the offered parameters. The server then issues a final BOOTREPLY packet containing the DHCPACK message type, indicating an acknowledgement of the client's acceptance. This process is outlined in Figure 7.2.
Figure 7.2 Normal DHCP transaction.

    DHCP Client                            DHCP Server
        |  1. DHCPDISCOVER  ----------------->  |
        |  <-----------------  2. DHCPOFFER     |
        |  3. DHCPREQUEST   ----------------->  |
        |  <-----------------  4. DHCPACK       |
There is a great deal of flexibility, and therefore a great deal of variation, in the DHCP process. For example, a client may request certain parameters in its DHCPDISCOVER or DHCPREQUEST packets. The client may also be doing a lease renewal, rather than an initial discovery, in which case the process will only include a DHCPREQUEST from the client, followed by a DHCPACK from the server. To preserve backwards compatibility with BOOTP, the server will return the assigned IP address in the YIADDR field of the BOOTP packet. It may also include various configured options in its reply, conveyed within the OPTION (VEND) field of the packet.

One way of discovering the flexibility of the DHCP process is to look at the various DHCP Message Types and their purpose, outlined in Table 7.4.
Table 7.4 DHCP Message Types

Message Name    Explanation
DHCPDISCOVER    Client broadcast to locate available servers.
DHCPOFFER       Server to client in response to DHCPDISCOVER with offer of configuration parameters.
DHCPREQUEST     Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of a previously allocated address after system reboot, or (c) extending a lease.
DHCPDECLINE     Client to server indicating the network address is already in use; implies that the client is checking for duplicates.
DHCPACK         Server to client with configuration parameters, including the committed network address.
DHCPNAK         Server to client indicating the network address is incorrect or the client's lease has expired.
DHCPRELEASE     Client to server relinquishing the network address and canceling the remaining lease.
DHCPINFORM      Client to server asking only for local configuration parameters; the client already has an externally configured network address.
DHCP-Specific Options
In addition to the DHCP Message Type options, there are a number of other DHCP-specific options that convey information useful to the DHCP process. This section lists the option types that can be listed in the VEND/OPTIONS field. In some cases, the option codes are used primarily by the server; in others, they can be used by either the client or the server. The remainder of the options, which are common to both DHCP and BOOTP, will be listed later in this chapter.

Requested Address
Option Code   Length (Bytes)   Parameter Value
50            4                Requested IP address

The client can use this option during a DHCPDISCOVER to request a particular IP address.

Lease Time
Option Code   Length (Bytes)   Parameter Value
51            4                Lease time (secs)

This option is used in a client's DHCPDISCOVER or DHCPREQUEST packet to request a specific lease time for an address. It is also used by the server in its DHCPOFFER packet to specify the lease time to the client.

Field Overload
Option Code   Length (Bytes)   Parameter Value
52            1                Field overload (1-3)

This is an interesting option. It is used in those situations where the client and server have defined a maximum packet size, and then have run out of room for options in the OPTIONS field. In this case, it is possible to use the FILE field and/or the SNAME field to hold additional options. This option indicates the intention to use those fields according to Table 7.5.
Table 7.5 Field Overload Codes

Parameter Value   Fields Being Used
1                 FILE field
2                 SNAME field
3                 Both fields

TFTP Server Name
Option Code   Length (Bytes)   Parameter Value
66            Variable         Alternative TFTP server field

If we have chosen to use the SNAME field to hold additional options, this option can be specified as an alternative way to indicate the server holding the desired boot file for a remote boot.

Bootfile Name
Option Code   Length (Bytes)   Parameter Value
67            Variable         Alternative file field

If we have chosen to use the FILE field to hold options, this option provides an alternative way of conveying the name of the desired boot file.

DHCP Message Type
Option Code   Length (Bytes)   Parameter Value
53            1                DHCP message number (1-8)
This option is used to convey the type of the DHCP message, as described in the preceding section. Table 7.6 outlines the message numbers and associated definitions.

Table 7.6 DHCP Message Option Codes

DHCP Message Number   Message Type
1                     DHCPDISCOVER
2                     DHCPOFFER
3                     DHCPREQUEST
4                     DHCPDECLINE
5                     DHCPACK
6                     DHCPNAK
7                     DHCPRELEASE
8                     DHCPINFORM
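A parser for the OPTIONS field as described above (magic cookie followed by TAG/SIZE/VALUE triples), honouring the Field Overload option from Table 7.5 and naming the message type from Table 7.6, as an added example that is not code from the book. It assumes the one-byte pad (0) and end (255) tags of the standard option format, which the chapter has not yet introduced; the sample DHCPDISCOVER is constructed here, and a SIZE byte that runs past the buffer is rejected rather than read beyond, which is the check a server needs against malformed packets.

```python
"""Added example (not from the book): DHCP OPTIONS field parser."""

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # the generic cookie, 99.130.83.99
PAD, END = 0, 255                         # single-byte tags (assumed from RFC 2132)
FIELD_OVERLOAD, MESSAGE_TYPE = 52, 53
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK",
                 7: "DHCPRELEASE", 8: "DHCPINFORM"}         # Table 7.6


def parse_tlvs(buf):
    """Walk TAG/SIZE/VALUE triples until END; return {tag: value bytes}.

    The SIZE byte is attacker-controlled input, so every read is bounds
    checked: a SIZE that claims more bytes than remain is a malformed packet.
    """
    opts, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        if tag == PAD:                     # pad bytes have no SIZE
            i += 1
            continue
        if tag == END:
            break
        if i + 1 >= len(buf):
            raise ValueError("option %d has no SIZE byte" % tag)
        size = buf[i + 1]
        value = buf[i + 2:i + 2 + size]
        if len(value) != size:
            raise ValueError("option %d claims %d bytes, only %d left"
                             % (tag, size, len(value)))
        opts[tag] = opts.get(tag, b"") + value   # a repeated tag concatenates
        i += 2 + size
    return opts


def parse_dhcp_options(options_field, sname=b"", file=b""):
    """Parse the OPTIONS field of one packet; `sname` and `file` are the
    BOOTP SNAME/FILE fields, read only when option 52 says they hold options."""
    if not options_field.startswith(MAGIC_COOKIE):
        raise ValueError("OPTIONS field does not start with cookie 99.130.83.99")
    opts = parse_tlvs(options_field[len(MAGIC_COOKIE):])
    raw = opts.get(FIELD_OVERLOAD)
    overload = raw[0] if raw else 0
    # Table 7.5: 1 = FILE, 2 = SNAME, 3 = both.  Overloaded fields carry TLVs
    # without a cookie; the real names then travel in options 66/67.
    if overload in (1, 3):
        opts.update(parse_tlvs(file))
    if overload in (2, 3):
        opts.update(parse_tlvs(sname))
    return opts


def message_type(opts):
    """Name from Table 7.6, or None for a packet with no option 53 (BOOTP)."""
    raw = opts.get(MESSAGE_TYPE)
    if not raw:
        return None
    return MESSAGE_TYPES.get(raw[0], "unknown(%d)" % raw[0])


def build_option(tag, value):
    """Encode one TAG/SIZE/VALUE triple (used to construct the sample)."""
    if len(value) > 255:
        raise ValueError("option value longer than one SIZE byte allows")
    return bytes([tag, len(value)]) + value


# Constructed DHCPDISCOVER options: requested address (50), parameter request
# list (55: subnet mask 1, router 3, DNS 6), max message size (57) and a
# client identifier (61: hardware type 1 plus the MAC).
SAMPLE_DISCOVER = (MAGIC_COOKIE
                   + build_option(MESSAGE_TYPE, b"\x01")
                   + build_option(50, bytes([192, 0, 2, 10]))
                   + build_option(55, bytes([1, 3, 6]))
                   + build_option(57, (576).to_bytes(2, "big"))
                   + build_option(61, b"\x01" + bytes.fromhex("001122334455"))
                   + bytes([END]))

if __name__ == "__main__":
    parsed = parse_dhcp_options(SAMPLE_DISCOVER)
    print(message_type(parsed), sorted(parsed))
```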
Server Identifier
Option Code   Length (Bytes)   Parameter Value
54            4                DHCP server address

Servers may include this in DHCPOFFER messages and may also include it in DHCPACK and DHCPNAK messages. This allows the client to know what DHCP server provided the offer, and the client will store this information for use when it renews its address with a DHCPREQUEST packet. DHCP clients can also include this in a DHCPREQUEST packet to indicate which offer it is accepting, when it has received offers from more than one DHCP server. This option was designed to allow the DHCP server to identify itself in a reply, while reserving the SIADDR field in the BOOTP packet for the address of the TFTP server serving the boot files for the remote boot process.

Parameter Request List
Option Code   Length (Bytes)   Parameter Value
55            Variable         List of parameters (option codes)
The client can use this option to specify a list of parameters it wishes to obtain from the DHCP server. This list consists of a series of valid option codes, each taking up one byte.

Error Message
Option Code   Length (Bytes)   Parameter Value
56            Variable         Error message; used with DHCPNAK or by a client in a DHCPDECLINE

If a server returns a DHCPNAK to a client, indicating that it cannot fulfill the client's request, or the client issues a DHCPDECLINE refusing the offer from a server, this option can be used to convey additional information.

Maximum DHCP Message Size
Option Code   Length (Bytes)   Parameter Value
57            2                Max. DHCP message size

The client uses this option, in a DHCPDISCOVER or DHCPREQUEST message, to indicate the maximum message size it is willing to accept.

T1 Renewal Time
Option Code   Length (Bytes)   Parameter Value
58            4                T1 renewal time value (secs)

The server uses this option to define the time at which the client should begin to attempt renewal of its lease. A typical value for this parameter is 50 percent of the lease time.

T2 Rebinding Time
Option Code   Length (Bytes)   Parameter Value
59            4                T2 rebinding time value (secs)
The server uses this option to define the time at which the client should give up trying to renew a lease with the original server and instead start trying to rebind to a new DHCP server. The default time is 87.5 percent of the lease time.
Vendor Class ID
Option Code   Length (Bytes)   Parameter Value
60            Variable         Vendor class ID

The original BOOTP packet definition provided the VEND field, now called the OPTION field, to convey vendor-specific information. The mechanism for doing this included using the first four octets of the VEND field to denote a vendor-specific magic cookie. If the field was being used generically, it would have the values 99.130.83.99 in these four octets. With the DHCP extension to BOOTP, every packet now uses this generic cookie value. Therefore, another method had to be provided with DHCP to denote vendor-specific information. This option was designed to fulfill that purpose. A client will include this option in a DHCPDISCOVER message when it wishes to receive vendor-specific parameters. If the DHCP server can't respond to these vendor-specific requests, it ignores them. If it can respond, it returns the vendor-specific parameters in the OPTION field using an option code of 43 along with the requested parameters.

Client Identifier
Option Code   Length (Bytes)   Parameter Value
61            Variable         Client identifier

This option is used by DHCP clients to specify a unique identifier. This identifier will be used by the DHCP server to match a specific database record to a client, in the same fashion as a BOOTP server. This field can use the HTYPE and CHADDR values (hardware address type and the hardware address itself) just like a BOOTP server, or it can use an alternative identifier, such as a system's domain name. The identifier is required to be unique, in order to match the database record and the client properly.
Interoperation between DHCP and BOOTP
Because DHCP was designed to be a replacement for BOOTP, there are often mechanisms built into a DHCP server that preserve the backward compatibility between a BOOTP client and a DHCP server. A DHCP server provides this compatibility by accommodating both DHCPDISCOVER requests and a BOOTREQUEST from a BOOTP client. The server can distinguish between the two because a DHCP client is required to include a DHCP Message Type option, but a BOOTP client is not.

A DHCP server may maintain both a BOOTP-type database mapping individual clients to a set of specific parameters, and an address pool, with a common set of parameters that are routinely handed out with the addresses. The server may also reserve portions of its address pool for specific clients, and exclude ranges of addresses within the pool that are known to be preassigned. When receiving a client request, the server may check its database to see if a specific record for that client exists. If so, it returns the parameters in the database record. If not, it can assign parameters based on the configuration of its address pool. In this way, a BOOTP client can be assigned an address from a DHCP address pool.

There are some considerations to bear in mind when a BOOTP client gets an address from a DHCP server address pool. First, the client has no concept of leases, so the address must be given out with an infinite lease period. Also, there is no ability for the client to renew an existing lease, so if the client reboots, it will make a new BOOTREQUEST, which will result in it being assigned a new address from the pool. Meanwhile, the DHCP server has stored the client's original address as an infinite lease, and cannot recover it for reuse. The client will also not engage in the DISCOVER-OFFER-REQUEST-ACKNOWLEDGEMENT process, so the server must store the address assignment as soon as it sends the BOOTREPLY, rather than waiting for a client request in response to its offer.

It is also possible that a DHCP client may be able to obtain address information from a BOOTP server. Since the address information in each case is returned in the YIADDR field of the packet, and any options are returned in the OPTIONS/VEND field, there is a high degree of cross-compatibility. A DHCP client in this case would check the OPTIONS field to determine if the BOOTREPLY from the server included a DHCP message type, and if not, it would assume it was talking to a BOOTP server. In cases where both a DHCP and a BOOTP server respond, the DHCP client should always choose the DHCP server.
DHCP Address Scopes
In the previous section on BOOTP, we discussed the format of the BOOTP database file. DHCP servers can also provide this functionality, which maps a specific client identifier to a set of parameters recorded in the database for that particular client. In addition, DHCP provides the ability to define a range of addresses, called an address pool or scope. An address scope is simply a range of addresses that can be used in response to client requests. There is no one-to-one mapping of clients to parameters, but rather it is a first-come-first-served approach to address assignments. As the server gives out the addresses, it records the client who received the address, and flags the address as having been assigned, so it doesn't use the address again.

In addition to addresses, an address scope may be configured with a set of options that will be returned to each client with their address assignments. These can be defined at a scope level, so that rather than configuring each client record in a database, these parameters are shared with all clients. Typical parameters might be the subnet mask, default gateway, DNS servers, etc.

A DHCP scope has the ability to exclude some addresses within its range, to avoid duplicate assignment of addresses already in use by statically configured hosts, or those getting addresses via some other means. A DHCP server can also maintain multiple scopes, with each scope and its associated options being defined for a given subnet. Through the use of BOOTP Relay agents, a DHCP server may service clients on multiple subnets. It can use the GIADDR field in the BOOTREQUEST packet to determine which subnet the request is coming from, and will respond with information from the appropriate scope for that subnet.

To reduce the randomness of the address assignments from the address pool, an address within the pool may be set aside for a specific host through a reservation process. This allows us to predict which address will be assigned to that client, while preserving its ability to obtain common parameters from the scope-defined options.
Comparing BOOTP and DHCP
Both BOOTP and DHCP use a server to provide automatic IP address configuration to clients. They also use the same packet format, which was designed originally for BOOTP and adopted later, with modifications, for DHCP. Both protocols provide the means to issue an IP address to a client. They also provide a way to indicate a server and filename on that server, which can be downloaded and used to boot the client. They both also include the ability to convey other configuration parameters as well, such as the gateway address, or the address of DNS servers.

DHCP and BOOTP can both use databases that are indexed using a client identifier such as the hardware address. By matching this client identifier to a record in the database, the server can locate the information requested by the client, and transmit it back in a reply message. Both DHCP and BOOTP can make use of BOOTP Relay Agents, which allow a client and server on different subnets to exchange BOOTREQUEST and BOOTREPLY messages.

The DHCP protocol is an extension of the BOOTP protocol and is intended to be a replacement for that earlier protocol. DHCP makes extensive use of the VEND field (later called the OPTIONS field) in the original BOOTP packet to convey additional information between the client and server. In addition to BOOTP's ability to transmit addresses and information based on one-to-one entries in a database, DHCP can also assign addresses based on a stated range of addresses, sometimes called the address pool or scope. It also differs from BOOTP in that BOOTP assigns addresses permanently, whereas DHCP can be configured to lease addresses for a finite period of time. It will recover these addresses and reuse them if the client does not renew its lease on the address.
How BOOTP Works
The following section will provide an overview of the BOOTP process. This will be followed by a detailed description of the BOOTP packet structure. We will then take a more detailed look at the client and server processes that occur during a BOOTP exchange. Lastly, we will look at an example of a BOOTP database file.
BOOTP Process Overview
The BOOTP process consists of two phases. The first phase is the address and parameter acquisition phase, which is the focus of our interest. The second phase involves accessing a file server, typically a TFTP server, and downloading a file that can be used to boot the client. The BOOTP client functionality was designed to reside on a PROM that is generally located on the client's network interface card.

Both the client and the server communicate using a standard packet format, which is referred to as a BOOTP packet. A client makes a BOOTREQUEST and the server responds with a BOOTREPLY. A client may use packet fields to indicate pieces of information it already knows, such as its IP address, or the boot filename it wishes to retrieve, or it may leave those fields blank when it wants to learn the values from the server.

The BOOTP process also provides for a forwarding function, to be performed by a BOOTP Relay Agent. This agent is a node on the same subnet as a client, which is configured to pass request and reply messages between clients and servers when they reside on different subnets.
DHCP / BOOTP Options
The last field in the original BOOTP packet specification was a field called the VEND field, used to convey information called vendor extensions. Later RFCs modified not only the name of this field, changing it to OPTIONS, but also changed it from a 64-byte fixed length to a variable length. Similarly, the information conveyed in these fields was renamed simply options. Each option has been through a review process by the IANA (Internet Assigned Numbers Authority) and has a code, sometimes called a tag, assigned by them. New options can be proposed by requesting a new tag code and then submitting a description of the option for approval.

Each option is expressed as a series of bytes that use up space in the BOOTP packet's VEND/OPTIONS field. The format of each option is as follows:

First Byte            Second Byte               Succeeding Bytes
Tag or Option Code    Length of data portion    Data portion
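The tag-length-data layout above, together with the server-side check described earlier in this section (a DHCP message must carry a DHCP Message Type option, a BOOTP message never does), as an added example; this is not code from the book. The packet bytes are constructed. The option codes are from RFC 2132; the 99.130.83.99 magic cookie that precedes the options, the rule that PAD (0) and END (255) carry no length byte, and the lease-time option 51 are also taken from that RFC rather than from the text above.

```python
"""Parser for the BOOTP VEND / DHCP OPTIONS field (RFC 2132 tag-length-value).

Added example, not code from the book. The packet bytes below are constructed
for illustration; the option codes and the magic cookie are from RFC 2132.
"""
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # precedes the options in DHCP and RFC 1497 BOOTP
OPT_PAD, OPT_END = 0, 255                  # single-byte options: no length byte follows
OPT_MESSAGE_TYPE = 53                       # DHCP-only; a BOOTP packet never carries it

# Option codes decoded below (a subset of the list in this section).
NAMES = {1: "subnet_mask", 3: "routers", 6: "dns_servers", 12: "host_name",
         15: "domain_name", 51: "lease_time", 53: "message_type"}
ADDRESS_LISTS = {3, 6}                      # length must be a multiple of 4


def parse_options(field: bytes) -> dict:
    """Walk the field and return {code: raw_bytes}.

    Skips PAD, stops at END, and refuses a length byte that runs past the
    buffer instead of reading whatever happens to follow it.
    """
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("options field does not start with the magic cookie")
    opts = {}
    i = 4
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(field):
            raise ValueError(f"option {code} is missing its length byte")
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(data)} present")
        opts[code] = opts.get(code, b"") + data   # RFC 3396: a repeated code continues the option
        i += 2 + length
    raise ValueError("options field ended without an END option")


def decode(opts: dict) -> dict:
    """Turn raw option bytes into Python values for the codes we know."""
    out = {}
    for code, raw in opts.items():
        name = NAMES.get(code, f"option_{code}")
        if code == 1:
            out[name] = str(ipaddress.IPv4Address(raw))
        elif code in ADDRESS_LISTS:
            if not raw or len(raw) % 4:
                raise ValueError(f"option {code} length {len(raw)} is not a multiple of 4")
            out[name] = [str(ipaddress.IPv4Address(raw[j:j + 4]))
                         for j in range(0, len(raw), 4)]
        elif code in (12, 15):
            out[name] = raw.decode("ascii")
        elif code == 51:
            out[name] = struct.unpack("!I", raw)[0]
        elif code == 53:
            out[name] = raw[0]
        else:
            out[name] = raw                  # unknown code: hand back the bytes untouched
    return out


def is_dhcp(opts: dict) -> bool:
    """A DHCP peer must include option 53; a BOOTP peer never does."""
    return OPT_MESSAGE_TYPE in opts


# Constructed DHCPOFFER options: message type 2, mask, router, two DNS servers,
# two PAD bytes, END.
DHCP_FIELD = MAGIC_COOKIE + bytes([
    53, 1, 2,
    1, 4, 255, 255, 255, 0,
    3, 4, 192, 168, 1, 1,
    6, 8, 192, 168, 1, 53, 192, 168, 1, 54,
    0, 0,
    255,
])

# Constructed BOOTP VEND field: same layout but no option 53, and zero-padded
# after END to the fixed 64 bytes of the original BOOTP packet.
BOOTP_FIELD = (MAGIC_COOKIE
               + bytes([1, 4, 255, 255, 255, 0, 3, 4, 10, 0, 0, 1, 255])).ljust(64, b"\0")

# Constructed malformed field: option 3 claims 8 bytes but only 4 follow.
BAD_FIELD = MAGIC_COOKIE + bytes([3, 8, 10, 0, 0, 1])

if __name__ == "__main__":
    print(decode(parse_options(DHCP_FIELD)), is_dhcp(parse_options(DHCP_FIELD)))
    print(decode(parse_options(BOOTP_FIELD)), is_dhcp(parse_options(BOOTP_FIELD)))
```

Two points the tables in this section state only implicitly: the "Length 1" given for PAD and END is the total size of the option, not a length byte (there is none), and the length byte of every other option is attacker-controlled input, so a parser must bound it by the buffer before slicing, which is what the check on BAD_FIELD exercises.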
All the options originally defined as BOOTP vendor extensions have been incorporated as options by DHCP. In addition, there are a series of DHCP-specific options that are not recognized by BOOTP. These options were discussed in the previous section dealing with the DHCP process, and will not be repeated here. For the sake of organization, these will be grouped into sections that share a similar function. Due to the number of options available, it is not possible to explain the function of each one. Some will be familiar, whereas some others may be extremely obscure, having become obsolete, or else intended for specific environments that existed at the time the option was formulated. They are listed here for the sake of completeness.
BOOTP Options from RFC 1497
The source used for the following options list is RFC 2132, published in March of 1997, which incorporated option information from a number of earlier RFCs, including RFCs 1497 and 1533. This first section includes those options defined in RFC 1497. The organization of the rest of this section will also follow the format of RFC 2132, since it presents the option codes roughly in ascending numerical order.

Pad
Option Code   Length (Bytes)                      Parameter Value
0             1 (single byte, no length field)    Align on word boundaries (no data)

This option is used as a filler to extend the option fields to 32-bit word boundaries or to pad out the VEND field after an END option.

End
Option Code   Length (Bytes)                      Parameter Value
255           1 (single byte, no length field)    End of data in field (no data)

This code indicates the end of information in the vendor/option field.

Subnet Mask
Option Code   Length (Bytes)   Parameter Value
1             4                Client subnet mask

This code specifies the client's subnet mask.
Time Offset
Option Code   Length (Bytes)   Parameter Value
2             4                Time offset from GMT (seconds)

This code can be used to define the client's time zone relative to Greenwich Mean Time, as a signed offset in seconds.

Router List
Option Code   Length (Bytes)   Parameter Value
3             Multiples of 4   List of router addresses

This specifies a list of routers available to the client, listed in order of preference.

Time Server List
Option Code   Length (Bytes)   Parameter Value
4             Multiples of 4   List of time server addresses

This specifies a list of time servers available to the client, in order of preference.

Name Server List
Option Code   Length (Bytes)   Parameter Value
5             Multiples of 4   List of name server addresses

This specifies a list of IEN 116 Name Servers available to the client, in order of preference.

DNS Server List
Option Code   Length (Bytes)   Parameter Value
6             Multiples of 4   List of DNS server addresses

This specifies a list of DNS Servers available to the client, in order of preference.
Log Server List
Option Code   Length (Bytes)   Parameter Value
7             Multiples of 4   List of log server addresses

This specifies a list of MIT-LCS UDP log servers available to the client, in order of preference.

Cookie Server List
Option Code   Length (Bytes)   Parameter Value
8             Multiples of 4   List of cookie server addresses

This specifies a list of RFC 865-compliant cookie servers available to the client, in order of preference.

LPR Server List
Option Code   Length (Bytes)   Parameter Value
9             Multiples of 4   List of LPR server addresses

This specifies a list of Line Printer Remote (LPR) Servers available to the client, in order of preference.

Impress Server List
Option Code   Length (Bytes)   Parameter Value
10            Multiples of 4   List of Impress server addresses

This specifies a list of Imagen Impress servers available to the client, in order of preference.

Resource Location Server List
Option Code   Length (Bytes)   Parameter Value
11            Multiples of 4   List of resource location servers

This specifies a list of RFC 887 Resource Location servers available to the client, in order of preference.
Host Name
Option Code   Length (Bytes)   Parameter Value
12            Variable         Host name of client

This option specifies the client's name, which may or may not include the domain name.

Boot File Size
Option Code   Length (Bytes)   Parameter Value
13            2                Boot file length (512-byte blocks)

This option specifies the size of the client's default boot file, as an unsigned 16-bit count of 512-byte blocks.

Merit Dump File
Option Code   Length (Bytes)   Parameter Value
14            Variable         Merit dump file name

This option is used to define the path and filename for the file to be used as a core dump repository, if the client should crash.

Domain Name
Option Code   Length (Bytes)   Parameter Value
15            Variable         Client's Internet domain name

This option lists the DNS domain name that the client should use.

Swap Server
Option Code   Length (Bytes)   Parameter Value
16            4                Swap server's IP address

This option lists the address of the client's swap server.
Root Path
Option Code   Length (Bytes)   Parameter Value
17            Variable         Pathname to client's root disk

This option is used to define a path designated as the root drive for this client.

Extensions Path
Option Code   Length (Bytes)   Parameter Value
18            Variable         File name of extensions file

This option can be used to define the filename of a file that can be used as an extension to the VEND/OPTIONS field. It uses exactly the same format for listing options, and is designed to be retrieved using TFTP.

IP Layer Parameters per Host
Options in the following section are concerned with IP network-layer parameters, as they relate to the host globally, rather than to a particular interface configuration.

IP Forwarding Enable/Disable
Option Code   Length (Bytes)   Parameter Value
19            1                IP forwarding (enable=1)

This option specifies whether the client should configure its IP layer for packet forwarding. A value of 0 means disable IP forwarding, and a value of 1 means enable IP forwarding.

Nonlocal Source Routing Enable/Disable
Option Code   Length (Bytes)   Parameter Value
20            1                Source route forwarding (enable=1)
This option configures the client behavior in regard to whether or not it will forward packets with source-routing information.

Policy Filter Option
Option Code   Length (Bytes)   Parameter Value
21            Multiples of 8   Allowed source routing destination IP address/mask pairs

This option contains a list of IP address and mask pairs used to specify a list of source-routing next-hop addresses used for filtering. Any source-routed datagram whose next-hop address does not match one of the filters should be discarded by the client.

Maximum Datagram Reassembly Size
Option Code   Length (Bytes)   Parameter Value
22            2                Maximum datagram reassembly size in bytes

This option is used to define a maximum allowable size for the reassembly of an IP datagram that has been fragmented during transmission across the network. The minimum legal value is 576.

Default IP Time-to-Live
Option Code   Length (Bytes)   Parameter Value
23            1                Default IP TTL (1-255)

The value of this option will be used as the default value for TTL in the IP header of outbound datagrams.

Path MTU Aging Timeout Option
Option Code   Length (Bytes)   Parameter Value
24            4                MTU aging timeout (secs)

The MTU (Maximum Transmission Unit) is the maximum packet size allowed on a given network segment. It is periodically tested using a polling mechanism called Path MTU Discovery. This option sets the timeout, in seconds, after which a discovered Path MTU value is aged out and rediscovered.

Path MTU Plateau Table
Option Code   Length (Bytes)   Parameter Value
25            Multiples of 2   List of MTU sizes to check

The Path MTU Discovery process works by cycling through a set of potential MTU values, to find the maximum suitable value. This option contains a list of MTU sizes, arranged from smallest to largest, that this polling process can try.
IP Layer Parameters per Interface
Options in this section are intended to apply to a particular interface on a client. If multiple interfaces need to be configured, the client should issue individual requests for each interface.

Interface MTU Option
Option Code   Length (Bytes)   Parameter Value
26            2                MTU value for interface (bytes)

This option assigns an MTU value for a specific interface.

All Subnets Are Local Option
Option Code   Length (Bytes)   Parameter Value
27            1                All subnet MTUs are the same (1=yes)

This option tells the client whether or not all subnets the client is connected to share the same MTU value. A value of zero indicates that some subnets may have smaller MTUs.

Broadcast Address
Option Code   Length (Bytes)   Parameter Value
28            4                Subnet broadcast address
This option specifies the address used for subnet broadcasts on the interface subnet.

Perform Mask Discovery
Option Code   Length (Bytes)   Parameter Value
29            1                Enable subnet mask discovery (1=yes)

This option determines whether or not the client will perform ICMP mask discovery.

Mask Supplier
Option Code   Length (Bytes)   Parameter Value
30            1                Respond to subnet mask ICMP request (1=yes)

The ICMP mask discovery process relies on a host to respond to the mask requests. This option enables the host to reply to mask discovery requests.

Perform Router Discovery
Option Code   Length (Bytes)   Parameter Value
31            1                Perform router discovery (yes=1)

This option determines whether or not the client should perform ICMP router discovery (RFC 1256).

Router Solicitation Address
Option Code   Length (Bytes)   Parameter Value
32            4                Address of server for router discovery requests

This option provides the address to which the client should send its router discovery requests.
Static Route List
Option Code   Length (Bytes)   Parameter Value
33            Multiples of 8   Static routes listing destination address, next-hop router address

This option provides a list of static routes. Each entry includes the destination network and the next-hop router address for that destination.

Link Layer Parameters per Interface
Options in this section apply to a particular interface, and contain parameters related to the data-link layer.

Trailer Encapsulation
Option Code   Length (Bytes)   Parameter Value
34            1                Use trailers with ARP (yes=1)

This option determines whether or not the client will negotiate the use of trailers with the ARP protocol as specified in RFC 893.

ARP Cache Timeout
Option Code   Length (Bytes)   Parameter Value
35            4                Timeout value for ARP cache entries (secs)

This option specifies a maximum age for ARP cache entries.

Ethernet Encapsulation
Option Code   Length (Bytes)   Parameter Value
36            1                Encapsulation type (Ethernet II=0, 802.3=1)

This option is used to specify the Ethernet encapsulation type. Valid values are 0 for Ethernet II (RFC 894) and 1 for IEEE 802.3 (RFC 1042).
TCP Parameters
This section contains per-interface parameters dealing with TCP.

TCP Default TTL
Option Code   Length (Bytes)   Parameter Value
37            1                TCP default TTL (1-255)

Outbound TCP packets will have the value defined in this option entered into the IP-level TTL field.

TCP Keepalive Interval
Option Code   Length (Bytes)   Parameter Value
38            4                Keepalive interval (secs)

This option defines an interval between keepalive messages on the TCP connection. A value of 0 disables periodic keepalive messages.

TCP Keepalive Garbage
Option Code   Length (Bytes)   Parameter Value
39            1                Send garbage octet (yes=1)

This option is used to preserve compatibility with older TCP implementations that require an octet of garbage as part of the keepalive message.

Application and Service Parameters
Options in this section deal with miscellaneous parameters related to services or applications.

Network Information Service Domain
Option Code   Length (Bytes)   Parameter Value
40            Variable         Name of client's NIS domain
This option specifies the client's Network Information Service (NIS) Domain.

Network Information Server List
Option Code   Length (Bytes)   Parameter Value
41            Multiples of 4   List of NIS server addresses

This option specifies a list of NIS server addresses available to the client, in order of preference.

Network Time Protocol Server List
Option Code   Length (Bytes)   Parameter Value
42            Multiples of 4   List of NTP server addresses

This option specifies a list of Network Time Protocol (NTP) server addresses available to the client, in order of preference.

Vendor-Specific Information
Option Code   Length (Bytes)   Parameter Value
43            Variable         Vendor-specific information

This option is used in conjunction with option code 60, the Vendor Class Identifier, to pass vendor-specific parameters. These parameters will use the same Tag-Length-Parameter arrangement as a standard option code.

NetBIOS over TCP/IP Name Server List
Option Code   Length (Bytes)   Parameter Value
44            Multiples of 4   List of NBNS server addresses

This option contains a list of NetBIOS name servers that can perform NetBIOS name-to-address translation for the client.
NetBIOS over TCP/IP Datagram Distribution Server List
Option Code   Length (Bytes)   Parameter Value
45            Multiples of 4   List of NBDD server addresses

This option specifies a list of NBDD server addresses available to the client, in order of preference.

NetBIOS over TCP/IP Node Type
Option Code   Length (Bytes)   Parameter Value
46            1                NetBIOS Node type code

This option defines the NBT Node type of the client. This node type defines what methods the client will use to do NetBIOS name resolution. The values and meanings are listed in Table 7.7.

Table 7.7 NetBIOS over TCP/IP Node Type Codes
Hex Value   Node Type   Behavior
0x1         B-node      Broadcast
0x2         P-node      Use name server
0x4         M-node      Broadcast, then use name server
0x8         H-node      Use name server, then broadcast

NetBIOS over TCP/IP Scope
Option Code   Length (Bytes)   Parameter Value
47            Variable         NetBIOS scope name

This option defines the client as a member of a NetBIOS scope.

X Window System Font Server List
Option Code   Length (Bytes)   Parameter Value
48            Multiples of 4   List of X Window font server addresses
This option specifies a list of X Window font server addresses available to the client, in order of preference.

X Window System Display Manager List
Option Code   Length (Bytes)   Parameter Value
49            Multiples of 4   Address list of systems running X Window Display Manager

This option specifies a list of systems available to the client that are running the X Window System Display Manager.

Network Information Service+ Domain
Option Code   Length (Bytes)   Parameter Value
64            Variable         Name of client's NIS+ domain

This option lists the client's NIS+ (Network Information Service Plus) domain.

Network Information Service+ Servers List
Option Code   Length (Bytes)   Parameter Value
65            Multiples of 4   List of NIS+ server addresses

This option provides a list of the NIS+ Servers available to the client, in order of preference.

Mobile IP Home Agent
Option Code   Length (Bytes)                   Parameter Value
68            Multiples of 4, usually 4 or 0   List of Mobile IP Home Agent addresses

This option provides a list of the Mobile IP Home Agents available to the client, in order of preference. Usually there is either one of these, or none.
Simple Mail Transport Protocol (SMTP) Server List
Option Code   Length (Bytes)   Parameter Value
69            Multiples of 4   List of SMTP server addresses

This option provides a list of the SMTP Mail Servers available to the client, listed in order of preference.

Post Office Protocol (POP3) Server List
Option Code   Length (Bytes)   Parameter Value
70            Multiples of 4   List of POP3 server addresses

This option provides a list of the POP3 Mail Servers available to the client, in order of preference.

Network News Transport Protocol (NNTP) Server List
Option Code   Length (Bytes)   Parameter Value
71            Multiples of 4   List of NNTP server addresses

This option provides a list of the NNTP News Servers available to the client, in order of preference.

Default World Wide Web (WWW) Server List
Option Code   Length (Bytes)   Parameter Value
72            Multiples of 4   List of WWW server addresses

This option provides a list of the Web Servers available to the client, in order of preference.

Default Finger Server List
Option Code   Length (Bytes)   Parameter Value
73            Multiples of 4   List of Finger server addresses

This option provides a list of the Finger Servers available to the client, in order of preference.
Default Internet Relay Chat (IRC) Server List
Option Code   Length (Bytes)   Parameter Value
74            Multiples of 4   List of IRC server addresses

This option provides a list of the IRC Chat Servers available to the client, in order of preference.

StreetTalk Server List
Option Code   Length (Bytes)   Parameter Value
75            Multiples of 4   List of StreetTalk server addresses

This option provides a list of the StreetTalk Servers available to the client, in order of preference.

StreetTalk Directory Assistance (STDA) Server List
Option Code   Length (Bytes)   Parameter Value
76            Multiples of 4   List of STDA server addresses

This option provides a list of the STDA Servers available to the client, listed in order of preference.

RFC 2132 completes this list with the DHCP-specific option codes that were covered in the DHCP section of the chapter, and then a section on how to propose new option codes.
BOOTP, DHCP, and Routed Networks
From the first definitions of the BOOTP protocol, a mechanism was specified that could allow a BOOTP client and server on different subnets to exchange BOOTP information. This mechanism was first called a BOOTP Forwarding Agent, but the name was later changed to avoid confusion with a router that provides routine packet forwarding. It's now referred to as a BOOTP Relay Agent. Since DHCP was designed to be an extension of BOOTP, it was also designed to use BOOTP Relay Agents. From the standpoint of the agent, it does not care if the packet is a standard BOOTP packet, or a BOOTP packet with DHCP Message type options in the VEND/OPTIONS field. Either way, the process is the same.
The BOOTP Relay Agent W h e n a BOOTP client i s s u e s a B O O T R E Q U E S T p a c k e t , typically it does n o t k n o w t h e a d d r e s s of t h e BOOTP s e r v e r t h a t is going to reply. It t h e r e f o r e s e n d s t h i s p a c k e t o u t a s a local b r o a d c a s t w i t h a d e s t i n a t i o n a d d r e s s of 2 5 5 . 2 5 5 . 2 5 5 . 2 5 5 . Since local b r o a d c a s t s a r e n o t f o r w a r d e d b e t w e e n s u b n e t s b y a router, t h i s m e s s a g e will n e v e r r e a c h t h e s e r v e r if it is n o t on t h e s a m e s u b n e t a s t h e client. To allow t h i s p a c k e t to be forwarded, a BOOTP Relay A g e n t m u s t exist on t h e s a m e s u b n e t w i t h t h e client. T h e Relay A g e n t r e c o g n i z e s t h a t t h i s b r o a d c a s t is a B O O T R E Q U E S T b a s e d on t h e d e s t i n a t i o n UDP p o r t n u m b e r of 67, w h i c h is t h e BOOTP S e r v e r port. T h e a g e n t will t h e n f o r w a r d t h i s p a c k e t a s a u n i c a s t , w i t h t h e d e s t i n a t i o n s e t to t h e IP a d d r e s s of t h e BOOTP Server. It k n o w s w h a t a d d r e s s ( e s ) to u s e in f o r w a r d i n g t h e s e p a c k e t s b e c a u s e t h e a d d r e s s e s a r e p a r t of t h e a g e n t c o n f i g u r a t i o n . It will also receive a BOOTREPLY u n i c a s t m e s s a g e b a c k from t h e server, a n d t h e n s e n d it b a c k to t h e client on t h e local s u b n e t , typically a s a local b r o a d c a s t . The definition of t h e BOOTP Relay a g e n t did n o t specify w h e t h e r t h i s f u n c t i o n s h o u l d be i n c o r p o r a t e d into a r o u t e r (gateway) or w h e t h e r it c o u l d be a n o t h e r h o s t on t h e s a m e s u b n e t a s t h e client. 
Either implementation is acceptable, since the main requirements are that:
• The agent has to be a node on the same subnet as the client.
• It has to recognize and forward the client request as a unicast message to the server.
• It has to accept unicast messages back from the server, which it then resends out on its local subnet to the requesting client.
Chapter 7 • Automatic Assignment of IP Addresses with BOOTP and DHCP Objectives
In spite of the fact that either a host or a router could perform the relay agent function, it was suggested in several RFC discussions that a router provided a logical place to implement this functionality. Therefore, it is common to hear references to an RFC 1542-compliant router, which implies BOOTP Relay Agent capability in the router (see Figure 7.3). Although it was a valid point, it contributed to the confusion between forwarding agents and relay agents, and also contributed to a related confusion in the meaning of the GIADDR field in the BOOTP packet.
Figure 7.3 The BOOTP Relay Agent Process
The Role of the GIADDR
The GIADDR field in the BOOTP packet plays a significant role in the functioning of BOOTP and DHCP across a routed network. We have learned that the GIADDR is set to 0.0.0.0 by the client when it transmits a BOOTREQUEST. If the BOOTP/DHCP server gets a BOOTREQUEST with the GIADDR set to all zeros, it knows the client is on the local subnet, and will respond directly to it, using UDP destination port 68 (BOOTP Client).
If the server is not local to the client, a BOOTP Relay Agent must exist on the client's subnet to forward the packet. If this is the case, the agent will examine the GIADDR field of the request, and if the field is all zeroes, it will place its own address in this field. This provides a unicast return address for the server to use in returning its BOOTREPLY message to the client's subnet. If the GIADDR is not zero, the agent assumes the existing value represents a node on the client's home subnet, and does not modify it. When a BOOTP/DHCP server receives a BOOTREQUEST packet with a nonzero GIADDR, it recognizes that the packet was forwarded from a BOOTP Relay Agent. In this case it modifies its response in the BOOTREPLY packet, sending it to the GIADDR as the destination address, and sending it to port 67 (BOOTP Server) instead of port 68 (BOOTP Client). This is necessary because the agent only responds to the server port number, whether the message is a client request or a server response. Another use of the GIADDR is DHCP-specific: the DHCP server uses the address listed in the GIADDR field to ascertain the client's subnet. Using this information, the server can determine which scope of addresses, if it has multiple address scopes, to use in responding back to the client. Note that nothing in the protocol authenticates the GIADDR: the server trusts whatever value arrives in the field, so relay agents and servers should only accept BOOTP/DHCP traffic on the interfaces where it is expected.
Other Fields Involved
In addition to the GIADDR field, there are a number of other fields in the BOOTP packet that may be modified by the BOOTP Relay Agent, outlined here.
HOPS
The HOPS field in a BOOTREQUEST from a client is initially set to zero. Each time the request packet crosses another router boundary, this field should be incremented by one. There is some ambiguity in the RFCs as to whether this should happen only if the agent is a router, or if the agent should do this regardless of role. It seems more appropriate to a router, since a properly configured relay agent and server will directly unicast between themselves, without the need for any intermediary agents. The HOPS field was also intended to tell how far away a client was from a server, allowing a threshold to be set beyond which the packet will no longer be forwarded.
CHADDR, YIADDR, HTYPE, HLEN, FLAGS
These fields all have a role to play in helping the server and agent determine how they should send back a BOOTREPLY to the client. A previous section of this chapter outlined the various options the BOOTP Server might use to reply to the client based on whether the client can accept unicasts or broadcasts. Since the BOOTP Relay Agent is acting on behalf of the BOOTP server, it will do the same evaluation of these fields to determine the appropriate method, unicast or broadcast, to return a reply to the client.
SECS
This field allows the client to communicate how long it has been trying to boot. If the client is forced to retransmit its BOOTREQUEST, this value will be nonzero, and can be used to initiate priority handling on the part of the agent and/or the server.
UDP Port Number
Normally, the client always uses UDP port 67 (BOOTP Server) as a destination port, and the server uses UDP port 68 (BOOTP Client) as its destination port in a BOOTREPLY. However, a BOOTP Relay Agent responds only to packets with the UDP port set to 67. This means if the server is sending a BOOTREPLY message back through a relay agent, it must address this BOOTREPLY message to the agent's address (GIADDR) with a UDP destination port of 67 rather than 68. The relay agent will change the destination UDP port number to 68 before it forwards the packet back to the client.
IP TTL Field
A relay agent either will set the TTL field in the IP datagram header to a configured default value, or it will take the existing value it received, and decrement it by one. This seems to be another specification in the RFC that is more suitable to a router-based relay agent, rather than some other host performing a relay function.
All Other Fields
All other fields in the BOOTP packet should be passed between server and client without any modification.
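The relay-agent and server rules above (GIADDR stamping, the HOPS threshold, the port 67/68 switch, and the FLAGS-driven choice between broadcast and unicast delivery) are easy to get wrong in a homegrown relay. The following Python is an added example, not code from the book: it parses the fixed BOOTP header and DHCP-style options, then applies those rules to a constructed DHCPDISCOVER. The hop threshold of 4, the scope table and the 10.x addresses are assumptions chosen for the illustration.

```python
"""BOOTP/DHCP header parsing plus the relay-agent and server-side rules for
GIADDR, HOPS and the UDP ports (added example, not the book's own code).
The max_hops value, the SCOPES table and all addresses are assumptions."""
import ipaddress
import struct

BOOTP_SERVER_PORT, BOOTP_CLIENT_PORT = 67, 68
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"          # cookie that marks a DHCP-style options field
BROADCAST_FLAG = 0x8000                   # FLAGS bit: client cannot receive a unicast reply
OPT_MESSAGE_TYPE, OPT_END, OPT_PAD = 53, 255, 0
# Fixed 236-byte BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr
# siaddr giaddr chaddr(16) sname(64) file(128)
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def build_bootp(op, chaddr, xid=0x1234, hops=0, secs=0, flags=0, ciaddr="0.0.0.0",
                yiaddr="0.0.0.0", giaddr="0.0.0.0", options=None):
    """Serialize a BOOTP packet; an options dict adds the DHCP cookie and TLV options."""
    ip = lambda a: ipaddress.ip_address(a).packed
    data = HDR.pack(op, 1, 6, hops, xid, secs, flags, ip(ciaddr), ip(yiaddr), ip("0.0.0.0"),
                    ip(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    if options is not None:
        tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
        data += DHCP_MAGIC + tlvs + bytes([OPT_END])
    return data


def parse_bootp(data):
    """Decode the header into a dict; options are parsed only if the DHCP cookie is present."""
    f = HDR.unpack_from(data)
    pkt = dict(op=f[0], htype=f[1], hlen=f[2], hops=f[3], xid=f[4], secs=f[5], flags=f[6],
               ciaddr=str(ipaddress.ip_address(f[7])), yiaddr=str(ipaddress.ip_address(f[8])),
               siaddr=str(ipaddress.ip_address(f[9])), giaddr=str(ipaddress.ip_address(f[10])),
               chaddr=f[11][:f[2]], options={})
    body = data[HDR.size:]
    if body[:4] == DHCP_MAGIC:
        i = 4
        while i + 1 < len(body) and body[i] != OPT_END:
            if body[i] == OPT_PAD:
                i += 1
                continue
            code, length = body[i], body[i + 1]
            pkt["options"][code] = body[i + 2:i + 2 + length]
            i += 2 + length
    return pkt


def relay_request(pkt, dst_port, agent_ip, max_hops=4):
    """Relay-agent handling of a packet heard on the client subnet. Returns the
    (modified packet, destination port) to unicast to the server, or None to drop it."""
    if dst_port != BOOTP_SERVER_PORT or pkt["op"] != BOOTREQUEST:
        return None                        # the agent only reacts to port 67
    if pkt["hops"] >= max_hops:
        return None                        # HOPS threshold: too far away or looping
    fwd = dict(pkt, hops=pkt["hops"] + 1)
    if fwd["giaddr"] == "0.0.0.0":
        fwd["giaddr"] = agent_ip           # first relay stamps its own address
    return fwd, BOOTP_SERVER_PORT          # an existing non-zero GIADDR is left alone


def client_delivery(flags, yiaddr):
    """How a reply reaches the client on its own subnet: broadcast if it asked for one
    (or no address is known yet), otherwise unicast to the offered address on port 68."""
    if flags & BROADCAST_FLAG or yiaddr == "0.0.0.0":
        return "255.255.255.255", BOOTP_CLIENT_PORT
    return yiaddr, BOOTP_CLIENT_PORT


def server_reply_destination(req, yiaddr):
    """Server side: reply via the relay on port 67 when GIADDR is set, else straight
    to the client on port 68."""
    if req["giaddr"] != "0.0.0.0":
        return req["giaddr"], BOOTP_SERVER_PORT
    return client_delivery(req["flags"], yiaddr)


def relay_reply(pkt, dst_port):
    """Relay side for the server's BOOTREPLY: accepted only on port 67, then re-sent on
    the client subnet with destination port 68 (same FLAGS evaluation as the server)."""
    if dst_port != BOOTP_SERVER_PORT or pkt["op"] != BOOTREPLY:
        return None
    return client_delivery(pkt["flags"], pkt["yiaddr"])


def select_scope(req, scopes, receiving_ip):
    """DHCP-specific: pick the address scope from GIADDR (relayed request) or from the
    interface the request arrived on (local request). GIADDR is unauthenticated."""
    key = ipaddress.ip_address(req["giaddr"] if req["giaddr"] != "0.0.0.0" else receiving_ip)
    for net, name in scopes.items():
        if key in ipaddress.ip_network(net):
            return name
    return None


# Constructed sample: a DHCPDISCOVER (message type 1) from a client that wants a
# broadcast reply, relayed by an agent at 10.1.2.1 towards a server at 10.0.0.5.
SCOPES = {"10.0.0.0/24": "server-lan", "10.1.2.0/24": "branch"}   # assumed scopes
DISCOVER = build_bootp(BOOTREQUEST, bytes.fromhex("0011223344aa"),
                       flags=BROADCAST_FLAG, options={OPT_MESSAGE_TYPE: b"\x01"})

if __name__ == "__main__":
    req = parse_bootp(DISCOVER)
    fwd, port = relay_request(req, BOOTP_SERVER_PORT, "10.1.2.1")
    print("relayed with GIADDR", fwd["giaddr"], "HOPS", fwd["hops"], "to port", port)
    print("scope chosen from GIADDR:", select_scope(fwd, SCOPES, "10.0.0.5"))
    print("server addresses BOOTREPLY to:", server_reply_destination(fwd, "10.1.2.50"))
    reply = parse_bootp(build_bootp(BOOTREPLY, req["chaddr"], flags=req["flags"],
                                    yiaddr="10.1.2.50", giaddr="10.1.2.1"))
    print("relay delivers it to the client at:", relay_reply(reply, BOOTP_SERVER_PORT))
```

Run as a script it prints the relayed request, the scope chosen from GIADDR and the two reply destinations. Because select_scope keys entirely off GIADDR, a server that listens on every interface will pick a scope for a request carrying a forged GIADDR just as readily, which is the practical reason to bind the service only to the interfaces where relayed requests are expected.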
BOOTP Implementation Checklist
Use the following list as a rough guideline to the steps you should take in implementing BOOTP Servers:
1. First determine if you really need to use BOOTP. If you are implementing dynamic addressing it is very possible that DHCP would be a better choice, since DHCP server implementations can often accommodate older BOOTP clients, as well as DHCP clients.
2. Determine the range of addresses you will be issuing, as well as any BOOTP options that you wish to convey along with the address assignment.
3. Gather a list of the hardware addresses and address types for each of the BOOTP clients.
4. Determine if you will be using the remote boot features of BOOTP, or just the address assignment phase. If you are doing remote booting, prepare the appropriate boot files and determine the directory paths for these files.
5. Create the BOOTP database file, using all the information you have gathered.
6. Install and configure the BOOTP server.
7. Configure the clients to act as BOOTP clients.
8. Test the functionality of the BOOTP server.
9. Consider the needs for cross-subnet communication between clients and servers, and configure and test BOOTP Relay Agents where appropriate.
DHCP Implementation Checklist
Use the following list as a rough guideline to the steps you should take in implementing DHCP Servers:
1. Determine the range of clients that will use DHCP. Also determine which hosts on the network will have static or reserved address assignments. Consider whether any BOOTP clients exist, and the strategy that will be used by DHCP to assign their addresses.
2. If necessary, configure a BOOTP database file for use by the DHCP server in servicing BOOTP clients. Ensure that any addresses included in this file are not part of any DHCP address pool.
3. Determine the range of addresses that will constitute the address pool. If the DHCP server will service multiple subnets, determine the appropriate address scopes for each subnet and the associated parameter options that you may wish to convey along with the address.
4. Install and configure the DHCP server or servers based on the address ranges, exclusions, reserved addresses, and options that will be associated with each address scope. Also decide on and configure an appropriate lease duration for the addresses.
5. If multiple servers are used, consider partitioning each address pool between two servers, to enhance reliability by providing some redundancy.
6. If clients and servers need to communicate across subnet boundaries, configure BOOTP Relay Agents in appropriate locations.
7. Configure clients to use DHCP.
8. Test the functionality of the DHCP server and Relay Agents.
Summary
In this chapter we discussed the dynamic assignment of IP addresses using the BOOTP and DHCP protocols. We covered the reasons for, and the history behind, the development of these protocols and learned in detail how they work. BOOTP and DHCP are closely related protocols. Both make use of a specially defined packet that uses a UDP datagram addressed to specific UDP ports, namely port 68 (BOOTP client) and port 67 (BOOTP server). This packet has a payload consisting of fields that allow it to convey address assignments and other parameters, as well as the information a client may need to effect a remote boot across the network. Clients initiate this process with a BOOTREQUEST packet to a server, and the server responds with a BOOTREPLY packet. The BOOTP packet contains a Vendor extensions or Options field that is used to pass additional parameters to the client. BOOTP issues address assignments and other parameters based on a flat-file database that matches a client identifier, usually its hardware address, with the set of parameters listed for that client. Configuration of this file is a manual administrative task.
DHCP was designed to be an extension of BOOTP. It uses the same packet definition, same UDP ports, and the same BOOTREQUEST and BOOTREPLY messages, but it relies very heavily on the Vendor extensions field, which is now called simply the Options field. Each DHCP message uses a DHCP message type option code to define a part of the DHCP process, as well as other option codes to pass DHCP-specific, as well as generic, client configuration parameters. DHCP provides more options in terms of address assignments. It can hand out addresses from a BOOTP-like database file, or it can hand addresses out on a first-come, first-served basis from an established address pool, sometimes called a scope. DHCP configuration can be much simpler than BOOTP, since it is not necessary to match each client manually to an individual address assignment. An address scope can be defined with a set of parameters, such as mask, default gateway, default DNS servers, etc., that can be distributed to all DHCP clients in that scope. DHCP can also accommodate multiple scopes for different subnets, each with its own set of parameter options. Unlike BOOTP, DHCP can also be configured to assign addresses for a finite time period, called a lease. DHCP clients are required to renew their lease on an address periodically, or it will be reclaimed by the server once the lease period expires, and will be reassigned to a new client. This is a very useful feature when clients connect temporarily to a network, or where there is a shortage of IP addresses available. DHCP servers maintain a database of all the addresses they have assigned, to whom they were assigned, and how long the lease period is. This prevents the server from handing out duplicate addresses.
To accommodate client requests that cross subnet boundaries, the BOOTP specification includes the definition of a BOOTP Relay Agent, which listens for client requests on its local subnet, and forwards them as unicast messages across router boundaries to the server. It performs the reverse function for the server as well. Both BOOTP and DHCP can make use of BOOTP Relay Agents.
Q: When would I use BOOTP instead of DHCP?
A: In most cases it is better to use DHCP instead of BOOTP, if the clients support it. This is because DHCP will do everything that BOOTP will do and more. The configuration process with BOOTP is entirely manual, and can be a formidable task for a large network. By contrast, DHCP can be relatively easy to configure, even for large networks, since you only need to define an address range and a common set of parameters for each address pool to service a large number of clients.
Q: What is an RFC 1542-compliant router?
A: This term is often found in documentation dealing with the implementation of DHCP and BOOTP. It refers to the definition of a BOOTP Relay Agent and the functions of that agent. Simply put, an RFC 1542-compliant router is one that can be configured to act as a BOOTP Relay Agent. Remember that the relay agent does not have to be a router, but can be implemented on a host system that resides on the same subnet as the clients.
Q: If I configure multiple scopes on a DHCP server, how does the server know which scope to use for a given client?
A: The way that a DHCP server decides on which scope is to be used for a given client depends on the subnet to which the client is connected. This subnet information comes to the server by means of the GIADDR field in the BOOTP packet. This field is empty when a client is on the same subnet as the server, and contains the address of the BOOTP Relay Agent otherwise. This agent address is on the same subnet as the client, so the server can read this address to determine the client's connected subnet.
Q: How does DNS work with DHCP?
A: The short answer is, "Not very well." The problem is that unless each client is assigned a specific address reservation, it is not possible, until after the fact, to determine which IP address was assigned to a client. Since traditional DNS server implementations use a statically configured database, this can pose some problems. There are several workarounds to this. There are products commercially available that will link DHCP servers and DNS servers, so that when an address assignment is made, the DNS server database is updated. In Microsoft environments, this problem has been handled using a WINS (Windows Internet Name Service) server. WINS clients register themselves dynamically with the WINS server after they have received a DHCP address assignment. The name resolution process checks both DNS and WINS servers to obtain a name resolution. As long as the same name is being used for the NetBIOS name and the Internet host name, this process will result in a name-to-address translation for either name type.
Chapter 8 • Multicast Addressing
What Is Multicast?
Multicast is a technology used to address multiple hosts as a group. A host multicasts to a group of hosts by sending an IP packet to a special IP address that identifies the group. An IP address is used to designate a group of hosts. The IP address that defines a multicast group is in the range of 224.0.0.0 to 239.255.255.255, defined as Class D addresses. Each group has its specific IP address in that range, so many groups can be defined at the same time by using a different IP address. The membership in a group is dynamic because hosts can join and leave the group as they want. The multicast standard is described in RFC 1112. Multicast is similar to broadcast since only one packet is sent to all hosts, whereas unicast means that one packet is sent to one host. However, multicast differs from broadcast because broadcasting involves sending a packet to all hosts, without exception, on the specified network, whereas multicast sends a packet to the group of hosts. Those hosts that are not part of the group will not process the multicast packet since it is not addressed to them. One typical example of multicasting is to listen to a videoconference using a 2 Mbits/sec channel on a network. Not all users of a network may want to listen to the videoconference, so the idea is to join the group, or the videoconference in this case. Furthermore, if 10 users of the same physical network want to listen to this videoconference, then using unicast technology means using 2 Mbits/sec * 10 users = 20 Mbits/sec sustained for those users. More users means more bandwidth used. By using multicast, only one channel of 2 Mbits/sec is used, independently of the number of users: even 1000 users will still use only 2 Mbits/sec.
Mapping IP Multicast to the Link Layer
Like any other IP packets, IP multicast packets have to be mapped to link layer addresses. Multicast has been defined for the link layers of Ethernet, Token Ring, and others, like ATM. On Ethernet, the low-order 23 bits of the IP multicast address are placed in the low-order 23 bits of the Ethernet multicast address 01-00-5E-00-00-00. Since a Class D address has 28 group bits and only 23 of them are carried into the Ethernet address, 32 different IP multicast groups share each Ethernet address, so a host cannot rely on the link-layer filter alone and must still check the IP destination address. RFC 1469 describes multicast over Token Ring and RFC 2022 describes ATM networks.
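The mapping above, and its 32-to-1 ambiguity, in code. This is an added example and not part of the book; it uses only the rule stated in the text (low-order 23 bits into 01-00-5E-00-00-00), and the addresses in the demo are arbitrary.

```python
"""IPv4 multicast to Ethernet address mapping, forward and reverse
(added example, not the book's own code)."""
import ipaddress

ETH_MCAST_PREFIX = 0x01005E000000   # 01-00-5E-00-00-00; bit 23 of this block is always 0
LOW23 = 0x7FFFFF                    # the 23 bits copied from the IP address


def multicast_mac(ip):
    """Low-order 23 bits of the Class D address go into the low-order 23 bits of the prefix."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a Class D address")
    mac = ETH_MCAST_PREFIX | (int(addr) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ips_sharing_mac(mac):
    """Reverse mapping: every Class D address that maps onto this Ethernet address.
    The 5 high-order group bits (bits 23-27) are lost, so 2**5 = 32 groups collide."""
    val = int(mac.replace(":", "").replace("-", ""), 16)
    if (val >> 23) != (ETH_MCAST_PREFIX >> 23):
        raise ValueError(f"{mac} is not an IP multicast Ethernet address")
    low = val & LOW23
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low)) for hi in range(32)]


def same_ethernet_group(ip_a, ip_b):
    """True when two IP groups are indistinguishable at the Ethernet filter."""
    return multicast_mac(ip_a) == multicast_mac(ip_b)


if __name__ == "__main__":
    for ip in ("224.0.0.1", "224.0.0.5", "239.255.1.1", "224.128.0.1", "225.0.0.1"):
        print(ip, "->", multicast_mac(ip))
    print("groups behind 01:00:5e:00:00:01:", ips_sharing_mac("01:00:5e:00:00:01"))
```

The reverse function is the useful one for a defender: a NIC programmed to accept 01:00:5e:00:00:01 for the all-hosts group will also pass frames for 225.0.0.1, 239.128.0.1 and 29 other groups up the stack, which is why the IP layer, not the Ethernet filter, decides group membership.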
Joining the Group
To join a multicast group, either by a user who wants to listen to a multimedia channel or by a specific application, is actually very simple: the kernel has to be configured to process the IP multicast address of the group or channel. Then, all packets with an IP destination address equal to the group IP multicast address will be processed by the host and sent to the upper layer applications. But, if the multicast channel comes from far away (meaning that it comes from another network), it is possible that this channel is not currently multicast on the local network of the host. In this case, the host will have to tell its neighbor router that it wants to listen to this multicast channel. This is done using the Internet Group Management Protocol (IGMP), documented in RFC 2236. Then this router will try to get that channel from its source and send the multicast packets of that channel to the local network. This entire process involves routing multicast over the larger network.
IGMP
When a host joins a multicast group, it sends a Membership Report for that group on its local network; the report is addressed to the group itself, so routers on the link can learn who is joining which group. When a host is leaving a multicast group, it sends a Leave Group message to the all-routers group (224.0.0.2) on its local network. Routers also send queries periodically to the all-hosts group address (224.0.0.1) to request reports of group membership from all hosts on each multicast network to which they connect. In this way, a multicast router knows the membership of all groups for all multicast hosts. RFC 2236 describes in detail all the state diagrams and transitions of IGMP for hosts and routers.
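The three IGMPv2 messages just described, with the checksum that makes them valid and the destination each one must be sent to, followed by the membership a router would learn from a short burst of link traffic. This is an added example, not the book's code; the message layout (type, max response time, checksum, group address) follows RFC 2236, and the sample traffic is constructed.

```python
"""IGMPv2 message build/parse and the membership a router derives from them
(added example, not the book's own code). SAMPLE_LINK_TRAFFIC is constructed."""
import ipaddress
import struct

ALL_HOSTS, ALL_ROUTERS = "224.0.0.1", "224.0.0.2"
MEMBERSHIP_QUERY, V2_MEMBERSHIP_REPORT, LEAVE_GROUP = 0x11, 0x16, 0x17


def inet_checksum(data):
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, group, max_resp_time=0):
    """Return (8-byte IGMPv2 message, IP destination it has to be sent to)."""
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0, ipaddress.IPv4Address(group).packed)
    msg = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    if msg_type == MEMBERSHIP_QUERY:
        dst = ALL_HOSTS if group == "0.0.0.0" else group   # general vs. group-specific query
    elif msg_type == V2_MEMBERSHIP_REPORT:
        dst = group                                        # reports go to the group itself
    elif msg_type == LEAVE_GROUP:
        dst = ALL_ROUTERS                                  # leaves go to all routers on the link
    else:
        raise ValueError(f"unknown IGMP type {msg_type:#x}")
    return msg, dst


def parse_igmp(msg):
    """Verify the checksum and decode the fixed header; None if the checksum is wrong."""
    if len(msg) < 8 or inet_checksum(msg[:8]) != 0:
        return None
    msg_type, mrt, _, grp = struct.unpack("!BBH4s", msg[:8])
    return {"type": msg_type, "max_resp_time": mrt, "group": str(ipaddress.IPv4Address(grp))}


def router_membership(link_traffic):
    """Groups a router would consider active after seeing [(message, ip_dst), ...].
    Messages with bad checksums or an unexpected destination are ignored; a real
    router would also send a group-specific query before acting on a Leave."""
    groups = set()
    for msg, dst in link_traffic:
        parsed = parse_igmp(msg)
        if parsed is None:
            continue
        if parsed["type"] == V2_MEMBERSHIP_REPORT and dst == parsed["group"]:
            groups.add(parsed["group"])
        elif parsed["type"] == LEAVE_GROUP and dst == ALL_ROUTERS:
            groups.discard(parsed["group"])
    return groups


def _corrupt(msg):
    return msg[:7] + bytes([msg[7] ^ 0x01])   # flip one bit: checksum no longer verifies


# Constructed sample: two joins, one corrupted join, one leave.
SAMPLE_LINK_TRAFFIC = [
    build_igmp(V2_MEMBERSHIP_REPORT, "239.255.1.1"),
    build_igmp(V2_MEMBERSHIP_REPORT, "239.255.2.2"),
    (_corrupt(build_igmp(V2_MEMBERSHIP_REPORT, "224.2.0.1")[0]), "224.2.0.1"),
    build_igmp(LEAVE_GROUP, "239.255.1.1"),
]

if __name__ == "__main__":
    query, dst = build_igmp(MEMBERSHIP_QUERY, "0.0.0.0", max_resp_time=100)
    print("general query", query.hex(), "->", dst)
    print("router sees active groups:", router_membership(SAMPLE_LINK_TRAFFIC))
```

Nothing in IGMPv2 authenticates the sender, so the membership set above is whatever the link's hosts claim it is; a forged Leave or a flood of Reports from one host is accepted just like the genuine ones.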
Multicast Routing Protocols
Since multicast needs special processing by routers, the IETF defines multicast routing protocols to help routers control the routing of those multicast channels over the networks. The first one was the Distance Vector Multicast Routing Protocol (DVMRP), which has been used a lot; however, its RFC (RFC 1075) now has experimental status, which means that its implementation is not recommended. This multicast routing protocol was based on the Routing Information Protocol (RIP), and inherits its simplicity. Other protocols have been developed for multicast routing, like the Protocol Independent Multicast (PIM) protocol and Multicast extensions to OSPF (MOSPF). Within the IETF, there has been work on enhancing multicast routing and other related issues, mostly under the mboned, idmr, pim, and malloc working groups.
Mbone
It is often really important to test standards on a real network with real users. The Mbone (Multicast backbone) is an initiative of volunteers who test multicast technology over the Internet. It is still used frequently during multicast events and to test new protocols or applications. Because not all the ISPs support multicast natively in their infrastructure and routers, the Mbone was created by using a mix of tunnels and native multicast links.
Multicast Addresses
Multicast addresses are in the 224.0.0.0 to 239.255.255.255 range, or in binary have the four high-order bits as 1110. This is defined as Class D addresses. Class E addresses, which cover the 240.0.0.0 to 255.255.255.255 range, have been reserved for future addressing modes.
Transient and Permanent Addresses
Two types of multicast addresses can be defined: the permanent and the transient. The permanent addresses are defined in the protocol itself, such as the all-hosts and all-routers addresses described in the next section. Permanent addresses can also be assigned by the IANA for other protocols or other uses. Transient addresses are used for some period of time. For example, a transient address will be used to multicast a videoconference of an event. After the event is finished, the transient address can be reused. In this way, there should be coordination of the transient addresses used, to be sure that two people or organizations will not use the same transient address for different needs. Back in the old days of the Mbone, you either preannounced it on a specific Mbone channel or on a Web page. Currently, IETF working groups are defining a more protocol-based approach.
Generic Assignments
In the protocol definition, some addresses have already been reserved. The address 224.0.0.0 is reserved and guaranteed not to be assigned to any group. The address 224.0.0.1 is assigned to all IP hosts on the directly connected network. In other words, it is a link-local address. Any hosts, including routers, printers and the like, are members of this group. So as soon as an IP device is configured for multicast, it is automatically and statically a member of this group. The address 224.0.0.2 is assigned to all IP routers on the directly connected network. Only routers are members of this group.
IANA Assignments
RFC 1112 didn't define permanent addresses other than the all-hosts address. But the task of assigning permanent multicast addresses has been done by the Internet Assigned Numbers Authority (IANA). IANA assigns addresses in the 224.0.0.0 to 224.0.0.255 range "for the use of routing protocols and other low-level topology discovery or maintenance protocols, such as gateway discovery and group membership reporting. Multicast routers should not forward any multicast datagram with destination addresses in this range, regardless of its TTL." For example, in that range, multicast addresses have been assigned for the use of some protocols:
224.0.0.4    DVMRP Routers
224.0.0.5    OSPFIGP All Routers
224.0.0.6    OSPFIGP Designated Routers
224.0.0.9    RIP2 Routers
224.0.0.12   DHCP Server / Relay Agent
224.0.0.13   All PIM Routers
224.0.0.18   VRRP
224.0.0.22   IGMP
In the 224.0.1.0+ range, multicast addresses are defined for protocols but can be forwarded by routers, like:
224.0.1.1    NTP (Network Time Protocol)
224.0.1.3    Rwhod
             SUN NIS+ Information
224.0.1.22   SVRLOC (Service Location Protocol)
224.0.1.75   SIP (Session Initiation Protocol)
Or, addresses are assigned to "permanent" conferencing, like the IETF events:
224.0.1.10   IETF-1-LOW-AUDIO
224.0.1.11   IETF-1-AUDIO
224.0.1.12   IETF-1-VIDEO
224.0.1.13   IETF-2-LOW-AUDIO
224.0.1.14   IETF-2-AUDIO
224.0.1.15   IETF-2-VIDEO
For IPv6, the first assignments are defined in RFC 2375. Others are handled by IANA. The current list of assignments is available at: ftp://ftp.iana.org/in-notes/iana/assignments/multicast-addresses.
Scope of Multicast Addresses Using TTL
When holding an internal videoconference inside the company, we would like to ensure that this conference will not be received or seen on the Internet or outside the company. Even within the company network, we also might want to restrict the conference to one subnet. Scoping has been realized by using the TTL field in the IP header. Using TTL = 1 tells any IP router not to forward this packet to another network, since each router must decrease the TTL field by 1, and if the TTL = 0, then the packet should not be forwarded. TTL was there to detect routing loops, as described in previous chapters. In multicast, scoping of multicast addresses was based on the TTL value of the IP packet, and so is controlled by the source host. By defining specific thresholds and by configuring the multicast routers appropriately, Mbone people were able to scope many but not all of the situations. Scoping using the TTL has some limitations, because it is based on the number of routers in the network topology, not on the administrative boundaries. Also it conflicts with some routing functions, like pruning.
Administrative Scopes

A new scoping approach based on special multicast addresses in the range 239.0.0.0 to 239.255.255.255 has been defined in RFC2365. It is based on an administrative scope instead of a network topology scope. So the network manager can configure the administrative scope as needed, without taking care of the network topology. The following scopes are defined:

- The IPv4 Local Scope, defined as 239.255.0.0/16, is for any local multicast channels. The locality is site-dependent, but we can define local scope to have one site in a city by configuring its site boundary routers not to forward local scope multicast packets.
- The IPv4 Organization Local Scope, defined as 239.192.0.0/14, is for an organization scope that can include many sites.
- Link-local scope, defined as 224.0.0.0/24.
- The global scope (meaning the full Internet) is defined as 224.0.1.0-238.255.255.255.
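The two scoping mechanisms just described, TTL thresholds and RFC2365 administrative boundaries, behave differently at a site boundary router, and the difference is easiest to see in a small model. The following Python example is added here and is not code from the book: it classifies a class D address into the scopes listed above, then walks a packet along a constructed chain of hypothetical routers (R1, R2, R3) where R2 is the site boundary. R2 carries a TTL threshold of 16 and is also configured as an administrative boundary for 239.255.0.0/16. The threshold rule (forward only if the TTL, after this router's decrement, is at or above the threshold) is an assumed simplification of the Mbone behaviour, not a transcription of any router's configuration syntax.

```python
import ipaddress
from dataclasses import dataclass, field

# Scope ranges as the chapter defines them (RFC 2365 administrative scopes
# plus the link-local and global ranges).
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")
IPV4_LOCAL_SCOPE = ipaddress.ip_network("239.255.0.0/16")
ORG_LOCAL_SCOPE = ipaddress.ip_network("239.192.0.0/14")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")


def multicast_scope(group):
    """Classify a class D address by the scope its address range implies."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D (multicast) address")
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in IPV4_LOCAL_SCOPE:
        return "ipv4-local"
    if addr in ORG_LOCAL_SCOPE:
        return "organization-local"
    if addr in ADMIN_SCOPED:
        return "administratively-scoped"   # remainder of 239/8
    return "global"


@dataclass
class Router:
    """Hypothetical multicast router on the forwarding path (constructed model)."""
    name: str
    # Mbone-style TTL threshold on the outgoing interface: the packet is only
    # forwarded if its TTL, after this router's own decrement, is at or above it
    # (assumed simplification of the threshold rule).
    ttl_threshold: int = 0
    # RFC 2365 administrative boundary: groups inside these ranges are never
    # forwarded by this router, whatever the TTL says.
    boundaries: list = field(default_factory=list)


def forward(path, group, ttl):
    """Walk a multicast packet along a chain of routers.

    Returns the names of the routers that forwarded it. The packet stops at
    the first router that exhausts its TTL, whose threshold is above the
    remaining TTL, or that holds an administrative boundary for the group.
    """
    addr = ipaddress.ip_address(group)
    forwarded_by = []
    for router in path:
        ttl -= 1                                        # every router decrements TTL
        if ttl <= 0:                                    # TTL reached 0: do not forward
            break
        if ttl < router.ttl_threshold:                  # topology-based scoping
            break
        if any(addr in b for b in router.boundaries):   # address-based scoping
            break
        forwarded_by.append(router.name)
    return forwarded_by


# Constructed topology: R2 is the site boundary router.  It carries a TTL
# threshold of 16 on its outgoing link and is an administrative boundary for
# the IPv4 Local Scope.
SITE_PATH = [
    Router("R1"),
    Router("R2", ttl_threshold=16, boundaries=[IPV4_LOCAL_SCOPE]),
    Router("R3"),
]
```

Run `forward(SITE_PATH, "224.2.127.254", 15)` and the packet stops at R2 because its hop count is too low, regardless of who the intended audience is; raise the source TTL to 32 and it crosses the boundary. A packet to 239.255.1.1 stops at R2 even with TTL 200, because the boundary is keyed on the address, not on the number of routers in the path. That is the limitation the text names: TTL scoping follows topology, administrative scoping follows the configured boundary.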
IP Stacks and Multicast

Most current IP stacks support multicast, either installed by default or configured to do so. It is not easy to find whether the kernel of a computer supports multicast. The basic way is to find if the host has the all-hosts address (224.0.0.1) configured, since, by definition, if a host is multicast-enabled, this address is configured. Another (harder) way is to send an all-hosts (224.0.0.1) packet on the local network and have a network sniffer see who responds to it. Another way is to use commands that show the 224.0.0.1 address. On Unix and NT, using netstat -rn can show a route to the multicast group 224.0.0.1. Figure 8.1 shows an example of a netstat command on a Sun Solaris 2.6 computer.

Figure 8.1 Netstat command on Solaris.

Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
host1% netstat -rn

Routing Table:
  Destination           Gateway           Flags  Ref   Use   Interface
198.202.48.128       198.202.48.134        U        3   9310  hme0
224.0.0.0            198.202.48.134        U        3      0  hme0
default              198.202.48.131        UG       0 153900
127.0.0.1            127.0.0.1             UH       0      0  lo0

The second line in the routing table shows that the 224.0.0.0 network is available, which means that multicast is enabled on that computer.
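The check the text describes, looking for a route that covers class D space, is easy to automate across hosts if the netstat output is parsed rather than read by eye. The following Python example is added here and is not from the book: it scans netstat -rn output for any destination inside 224.0.0.0/4 and reports the interface. The Solaris sample is transcribed from Figure 8.1; the Linux-style sample (with its Genmask column and 0.0.0.0 default) is constructed to show that the same test works where the output format differs.

```python
import ipaddress

# Constructed sample, transcribed from the Solaris 2.6 output in Figure 8.1.
SOLARIS_NETSTAT_RN = """\
Routing Table:
  Destination           Gateway           Flags  Ref   Use   Interface
198.202.48.128       198.202.48.134        U        3   9310  hme0
224.0.0.0            198.202.48.134        U        3      0  hme0
default              198.202.48.131        UG       0 153900
127.0.0.1            127.0.0.1             UH       0      0  lo0
"""

# Constructed Linux-style netstat -rn output (assumed format with a Genmask
# column; the multicast route is commonly installed as 224.0.0.0/240.0.0.0).
LINUX_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
"""

CLASS_D = ipaddress.ip_network("224.0.0.0/4")


def multicast_routes(netstat_output):
    """Return (destination, interface) pairs for routes inside class D space.

    Header lines, separators and the word 'default' are skipped because they
    do not parse as an IP address; the interface is taken as the last column,
    which holds for both the Solaris and the Linux layouts above.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            destination = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if destination in CLASS_D:
            found.append((fields[0], fields[-1]))
    return found


def multicast_enabled(netstat_output):
    """True when the kernel has at least one route covering 224.0.0.0/4."""
    return bool(multicast_routes(netstat_output))
```

On a live host the input would be the captured output of `netstat -rn`; the functions are kept separate from the capture so the parser can be exercised on saved output from many machines.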
Why Multicast?

The first and most well-known use of multicast is to save bandwidth when casting a videoconference to a number of users. But multicast can do more.

Efficiency of Bandwidth Usage and Scaling

As discussed in this chapter, multicast has been used since the beginning to save bandwidth, especially for any content that is for many users, for example, audio and video. Other examples are netnews sent to many servers and software upgrades for a whole network sent to all hosts. All these examples save bandwidth by sending only one copy of the content whatever the number of clients, instead of one copy per client in the standard unicast way.

Discovering

Many discussions on IP are related to making it easier and autoconfigurable, and enabling devices to discover "automatically" servers, services, and the like. Examples of this are wireless and small devices that do not have permanent memory, and have to discover where they are, who they are, and which services are available. Another example is the famous "dentist office," meaning that IP should be able to be more plug-and-play, so a dentist can deploy an IP network of many devices without a network administrator. Although IPv6 helps a lot in this and is the key technology for that purpose, multicast is very interesting, because hosts that need to discover things can multicast their request on specific channels in order to get more information from listening servers. This is actually being implemented in the Service Location Protocol (SLP), described in RFC2608. IPv6 uses multicast to get this autoconfiguration working. Even more, IPv6 uses multicast for renumbering a whole network, when the organization changes its ISP and needs to renumber. In comparison, in IPv4, renumbering is a complex and very difficult task. Chapters 9 and 10 cover IPv6.

Efficient Channel

Without multicast, the only way to send a packet to computers that have the same characteristics (like running a specific protocol) or are routers was either to know their addresses, which is a very difficult task when the number is large, or to use broadcast. If broadcasts were used for all those purposes, then all computers would have to process those packets, even if the packet is not for them. Not only that, but broadcast is limited to the link-local, where multicast can be used over multiple networks. So multicast is an easy way to send information to unknown parties that share the same characteristics without disturbing others.
Industry

The history of multicast shows that industry was not very supportive. But now, an industry consortium has been formed on IP multicast by Stardust Inc. This will help multicast to be used and deployed, and to deliver products to the market. Information is available at http://www.ipmulticast.com. They provide very good information on everything related to IP multicast and also organize events and meetings. Excellent technical white papers and references are available at this site.
Summary

Multicast is a great technology that enables a group of computers sharing a multicast address to communicate together. The IP addresses used in multicast are from 224.0.0.0 to 239.255.255.255, defined as Class D addresses. Class E addresses are reserved for future addressing needs. With IGMP and multicast routing protocols, a network with subnets, as well as the Internet by the Mbone, can be configured to use and forward multicast packets. Hosts can report they are joining or leaving a group using IGMP. Although a few addresses, like 224.0.0.1 as all-hosts and 224.0.0.2 as all-routers, on the local network are defined in the protocol, IANA is the authority that assigns other multicast addresses. Scoping is an important issue of multicast. The traditional way uses the TTL IP header field to manage the scope, but it has some limitations depending on the need. A new range of multicast addresses has been assigned and defined as Local Scope and Organizational Local Scope to help organizations manage the scope of the multicast traffic. Multicast can be used for effective bandwidth usage, discovery, and efficient channels. IPv6 uses multicast in its core functions and industry is supporting it. You are invited to join the Mbone if you want to learn by practice.
Q: Which IP multicast addresses have been allocated?

A: Allocation of IP multicast addresses is done by IANA (http://www.iana.org). The current list of assignments can be found at ftp://ftp.iana.org/in-notes/iana/assignments/multicast-addresses.

Q: Who is working on multicast protocols and standards?

A: Many IETF working groups are working on multicast. Please refer to the IETF working group pages to get the most current work (http://www.ietf.org).
References

[RFC1075] "Distance Vector Multicast Routing Protocol." D. Waitzman, C. Partridge, S.E. Deering. Nov-01-1988. (Status: Experimental)
[RFC1112] "Host Extensions for IP Multicasting." S.E. Deering. Aug-01-1989. Obsoletes RFC0988, RFC1054; updated by RFC2236 and STD0005. (Status: Standard)
[RFC1469] "IP Multicast over Token-Ring Local Area Networks." T. Pusateri. June, 1993. (Status: Proposed Standard)
[RFC2022] "Support for Multicast over UNI 3.0/3.1 based ATM Networks." G. Armitage. November, 1996. (Status: Proposed Standard)
[RFC2236] "Internet Group Management Protocol, version 2." W. Fenner. November, 1997. Updates RFC1112. (Status: Proposed Standard)
[RFC2608] "Service Location Protocol, version 2." E. Guttman, C. Perkins, J. Veizades, M. Day. June, 1999. Updates RFC2165. (Status: Proposed Standard)
Chapter 9 IPv6 Addressing
Introduction

First, in order to understand how IP version 6 (IPv6) can solve some of the current and future problems encountered with IP version 4 (IPv4), we must understand the motivation for its inception. This chapter will give a short introduction to the history and development of the IPv6 protocol, through its current accepted form. Second, we will look at some of the key aspects of IPv6 that separate the protocol from IPv4, and look into the benefits that we can gain by utilizing IPv6 and its addressing schemas to build a more scalable network. From there, we can begin to build real-world examples of how this addressing can be deployed in Internet-connected networks to come. Finally, we will look into some of IPv6's outstanding issues and its addressing schemes, and some of the proposed solutions to cope with these yet unsolved issues. Also in this section, we will give a brief introduction to the IPv6 test network, the 6Bone.
IPv6 Addressing Basics

By the early 1990s, it was clear that the Internet was going to take off. The average person was becoming aware of its existence, and the killer-apps of today (Web browsers) were coming into their own. This dramatic increase in usage of the Internet, which stemmed from outside the research community, was clearly not going to go away. Address space delegations increased at an alarming rate, and it was clear that the Internet Protocol version 4 had a foreseeable upper limit in terms of the number of entities it could connect to the ever-increasing worldwide Internet. The Internet Engineering Task Force (IETF), the standards group from which a large portion of Internet technologies emerge, was beginning to see this as an issue that needed to be tackled earlier rather than later. At present, for example, regional numbering authorities (such as ARIN, RIPE, APNIC, etc.) are delegating numbers from within the 216/8 network block. In 1996, by contrast, ARIN was only delegating in the 208/8 range. This would mean that just over 150 million hosts were added to the Internet in this three-year span (if delegations and address assignments were made efficiently). We calculate this by raising 2 to the power of 24 (for each /8) and multiplying by 9. Although the Internet is growing at an alarming rate, and slowly working its way into our day-to-day lives, it is clear that 150 million hosts were not added. There was a major problem with address allocation, even after the efforts of CIDR (Classless Inter-Domain Routing) were implemented. Address space was being wasted. Furthermore, we know that 224/8-239/8 is set aside for multicast, and that 240/8-255/8 is reserved. From this, we can see that we are nearing our end (although some of the addresses in the middle, from 64/8-128/8, are just now being delegated, so it will buy a little more time than expected). Now we see that not only was there not enough space to take us far beyond the millennium, but also much of the currently delegated address space was being wasted. Additionally, a greater need for enhanced Network-Layer (Layer 3 on the OSI stack) features was beginning to emerge, for example, end-to-end encryption, authentication of packets, source-routing, and Quality of Service.

For all of these reasons, it was becoming apparent that a new Internet Protocol, or IP, was going to have to be conceived and adopted for the future of the Internet. This is where the fun began. As people began to see these factors as a reality, many proposals for a new Internet Protocol emerged. The first draft that gained widespread notice was loosely based on the CLNP (Connection-Less Network Protocol), which was based upon another protocol suite, the OSI stack. This stack originally ran on the early Internet, but was quickly replaced by IPv4 when the Internet began to take on size and popularity. The proposal was coined TUBA (TCP/UDP over Bigger Addresses). CLNP does provide for a much larger address range than the current IPv4. Its Network Service Access Point (NSAP) address consisted of 20 octets, and would provide adequate addressing ranges for the Internet's foreseeable future. However, this proposal was rejected because CLNP lacked some of the value-added features that were already installed into the current IP (Quality of Service, multicast, etc.), and these were determined to be important to the Internet's future growth. There was a proposal that attempted to create a packet format compatible with current IP, CLNP, and IPX. Yet another proposal, known as SIPP (Simple IP Plus), simply advocated increasing the current IP addressing format to 64 bits, and fine-tuning some of the feature sets of IPv4, as well as establishing better routing strategies. SIPP turned out to be the closest match for what the Internet needed, after some modifications. The addressing range was changed from 64 to 128 bits, and the name was changed to IP version 6, or IPv6 (IPv5 was already delegated to another protocol). This would be the protocol to solve the Internet scalability problems, and put us into the next millennium (and the foreseeable future). In this chapter, we will learn more about the specifics of IPv6. We will begin by looking at IPv6 addressing schemes, and discuss how they can improve routing stability and efficiency. Then we will look at how the protocol design will aid in numbering and renumbering networks.

Finally, we will discuss some of the value-added services that come with IPv6, and how they can benefit both residential users and big businesses on the Internet. We will also go into some details about the 6Bone, the IPv6 proving ground, where deployment and transition strategies are developed and tested.
IPv6 Addressing Scheme Characteristics

Now that we have looked at some of the history of IPv6, as well as some of the proposals that competed with IPv6 as the new Internet standard, let us take a look at some of the generic characteristics of IP version 6. A full discussion of IPv6 can be found at www.ietf.org/rfc/rfc2460.txt. Figure 9.1 is the IPv6 packet header, taken from this RFC.

Figure 9.1 IPv6 header format.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Traffic Class |           Flow Label                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Payload Length        |  Next Header  |   Hop Limit   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                         Source Address                        +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                      Destination Address                      +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Let's look at these fields in a little detail (the next chapter will provide a more intense study of the specifics of the IPv6 protocol).
Version

The version field in the IPv6 header is present so that Internet mechanisms that know how to route, or even speak routing protocols, will know what type of routing protocol they are about to deal with. Notice the similarities to IPv4. In the case of IPv6, the version field is a 4-bit integer, with the value of 6 (0110 in binary), to designate this packet as an IP version 6 packet.

Traffic Class

The Traffic Class field is an 8-bit field in which some sort of traffic differentiation identifier can be placed. Currently, in the IETF, many working groups are dedicated to coming up with the best way to utilize this type of differentiation mechanism (though they mostly concentrate on IPv4 today). One example of such a group is DiffServ (Differentiated Services). The members of DiffServ are trying to come up with a way to give more important traffic a higher priority for routing on the Internet today. This field was designed for things such as IP Precedence bits (giving certain values of this field higher priority, and then using differentiated queuing strategies in the router to tell "who goes first"). You can learn more about DiffServ on the Web at www.ietf.org/html.charters/diffserv-charter.html. A number of drafts and RFCs have been written with ideas as to how to implement such a policy. The list of current open drafts (they are only good for six months after writing, at which time they need to be resubmitted, just to keep things current) and RFCs is at the bottom of the aforementioned URL.
Flow Label

This is a 20-bit field used when special handling of a packet is needed. Common interpretation of this field at the time of this writing is that the field will assign flow labels in order to engineer different traffic patterns in an IPv6 network. The major player in this (though for mostly IPv4 at this time) is the MPLS (Multi-Protocol Label Switching) working group. To see the group's charter, please see www.ietf.org/html.charters/mpls-charter.html. This group's main intention is to come up with an efficient way to assign labels to flows, and to come up with an efficient and scalable way to route based on these flows. A flow can be defined as any class of traffic going from one point to another, whether point-to-point traffic, or a TCP flow from one end-station at a given port to a destination end-station at a given port. The possibility of assigning flows opens up many interesting options for deployment. Perhaps Quality of Service (quite a buzzword in the field today!) can be deployed with scalability this way. Many Internet providers are keeping their eyes wide open as this working group develops, since advanced services that the MPLS working group sees as feasible could lead to groundbreaking new developments in the Internet industry as a whole.

Payload Length

This 16-bit integer is used to designate the length of the payload (the data) in the IPv6 packet, in octets. Notice this field is 16 bits long (2 raised to the power 16), which gives us over 64,000 different possibilities, allowing IPv6 to have fairly big packets (over 64,000 octets). To have the ability to make big packets can increase the efficiency of the Internet as a whole. When your packets are bigger, the number of packets needed to send a given amount of data becomes smaller for a given flow. When there are fewer packets to route, then a router has more time to route other packets, or perform other tasks (routing table maintenance, cache aging, etc.). You can see how this can help to increase Internet efficiency altogether. Note that any extension headers (see later) outside of this header are included in the total packet length in this case. Compare this with the IPv4 case (RFC791) where the total length field includes the IPv4 main header.
Next Header

This field is designated to tell routers if there are any other headers that need to be looked at for the packet to route according to instruction. This differs drastically from the IPv4 case, where there is only one header with a fixed length. The IPv6 main header is fixed length as well (allowing routers to know beforehand how much of the packet they need to read), but has built-in functionality to stack other headers that provide other value-added services, on top of the main header. This field is 8 bits in length, allowing for up to 255 types of next-headers. Currently, only a finite amount of next-headers are developed. Here is a list of the ones currently on the plate:

1. Hop-by-Hop Options Header
2. Destination Options Header I
3. Routing Header
4. Fragment Header
5. Authentication Header
6. Encapsulating Security Payload Header
7. Destination Options Header II

The preceding list shows the selection of Next Header fields that can occur in an IPv6 packet. These headers are listed in order of the appearance they would make in an IPv6 packet utilizing this extra functionality. All of these headers will be discussed in detail in the next chapter, but for now, we can give a brief explanation of each one, and why they are in a particular order.

Hop-by-Hop Options Header

This header designates properties that are to be examined by each IPv6 speaking node in the path.
Destination Options Header I

This header is reserved for options to be performed by the destination concerning handling of the packet. Notice this header is the first of two with the same name. In the case of IPv6 packets, with the Hop-by-Hop header in use, the destination can be the next hop on the router. This is the motivation for putting the Destination Options header right behind the Hop-by-Hop header. For a full description of this header and its options, read on, and see RFC2460, the protocol specification.

Routing Header

The routing header designates a list of intermediate nodes that a packet must traverse prior to arrival at the final packet destination. This is analogous to the functionality in IPv4 known as Loose Source Route and Record. This allows you to designate, at the very least, a set of routing devices that a packet must travel through on the way to its destination.
Fragment Header

This header is used by the source to send packets that are bigger than the defined Maximum Transmission Unit, or MTU of the path. Normally, in IPv4, intermediate nodes may fragment packets in order to fit the standards of given media that the packet may traverse. Each media, be it Ethernet, FDDI, or other, is designed with a specific MTU in mind for optimal performance of the given media. In contrast, IPv6 does not allow for fragmentation of a packet at an intermediate point through the path. Instead, the IPv6 speaking device will undergo MTU Discovery. In this, IPv6 will use ICMPv6 (Internet Control and Message Protocol version 6) to send packets hop-by-hop through the path from source to destination, each time reporting the MTU for that particular link between hops. The lowest value for MTU is used as the maximum size packet that the source will send (again, this can increase routing stability and efficiency, since routing entities now don't have to spend time and CPU fragmenting packets, but can concentrate on simply routing them). This header is used when the source wants or needs to send a bigger packet than the largest MTU that was discovered.

Authentication Header

This header is used if the need for end-to-end authentication exists. It contains a method of authentication so that a destination can be sure that a given packet is, in fact, from the source that it says it is. Please note the order of this header in the line. We allow for the preceding headers to come first for good reasons. For instance, if a source and destination are using complex authentication, but we still want to utilize the Hop-by-Hop header, no authentication information needs to be read or tampered with along the path. Think of the extra CPU time if all routers had to authenticate packets prior to routing them! We can still use the Hop-by-Hop or Destination Options I (the hop-by-hop destination) without having to check or tamper with the authentication.
Encrypted Security Payload Header

Now that we have methods to ensure that packets come from the source that they say they do, we need some way to ensure that no one can read the payload of the packet along the way. The Encrypted Security Payload (ESP) header allows for encryption of both the data in the packet, and all headers behind it, in order to ensure security of the data in the packet. Details of this header can be found later in the next chapter, or in the RFC archives. The combination of this header and the Authentication header makes up IPSec (IP Security). This is currently being implemented with IPv4, but since it is not inherent in the protocol, the IETF is challenged to make this work in a way that does not severely degrade performance. This is one of the benefits of IPv6: It is already built into the protocol, so minimal performance hits are required to enable this functionality.

Destination Options Header II

This is similar to the Destination Options header I, except this header is designated for options destined for the final destination only. Note that the ESP and Authentication headers come prior to this header in order. This will allow secure Options to be passed without worrying about someone learning something valuable about the destination while the packet is in transit across the Internet. So as we can see, the next header field is of vast importance to security and value-added services associated with IPv6. Also of note, Service Providers may not always have their Backbones listen to certain next headers, as they can cause routing inefficiency. Notice the VPN solutions that can result from the Authentication and ESP headers alone. Does this mean that Internet data will now be secure? At the time of this writing, it definitely looks like a good attempt at data security over the Internet. Ramifications of IPv6 deployment with full functionality could include the collapse of the "Intranet" ("secure" Internet), which uses physically separate backhaul facilities in order to prevent data or machines from getting attacked or stolen by mean Internet users.
Chapter 9 IPv6 Addressing
Hop Limit This is similar in function to the TTL field in IPv4. It specifies the number of Layer 3 (Network Layer) hops that a given packet can traverse before a routing system will discard the packet. Having a limit such as this is of vital importance. If a routing loop occurs on the Internet, as they sometimes do even today, packets have the potential to circle around and around forever. If a user gets tired of waiting and sends more packets, you can see how quickly this can bring the area where the loop exists to its knees. To fix this, the TTL field is used in IPv4. This originally was meant as a Time To Live (in seconds) parameter, by which a packet would be discarded if it existed on a network for a specified amount of time. It was quickly determined that this was not the best approach, so the concept of a hop limit came into being. Every time a router forwards a packet, it decreases the TTL field by 1. When the field is decremented to zero, the packet is discarded (and the router normally reports this back to the source with an ICMP Time Exceeded message, which is what traceroute relies on). This helps to ensure that packets do not exist forever on the Internet, taking up valuable CPU cycles and bandwidth. In IPv6, the Hop Limit field is 8 bits long, giving a maximum of 255 routed hops between source and destination. Although we would be extremely dissatisfied if we had to traverse even 100 hops from a source to a destination today, this field is given a high maximum value to ensure that future routing requirements are met. Who knows how many hops your home refrigerator will be from your office? One security-relevant consequence of the field only ever decreasing: a packet that arrives with a Hop Limit of 255 cannot have crossed a router, so a host can use that value to reject packets that claim to come from an on-link neighbor but do not. Neighbor Discovery requires exactly this check, and the Generalized TTL Security Mechanism (RFC 5082) applies the same idea to routing protocol sessions.
Source Address This is the 128-bit IPv6 address of the machine that originates the packet. This is discussed in detail later in this chapter.
Destination Address This is the 128-bit IPv6 address of the destination for the packet (note that based on the Next Header field discussed earlier, this can be the final destination, or an intermediary destination, depending on which next headers are used).
More Bits! Internet Protocol version 6 was developed to rescue the Internet from the current problems discussed in the Introduction section of this chapter. First and foremost of these problems is the address scalability problem that the Internet faces today. The current Internet Protocol address field, being only 32 bits in length (see Figure 9.2), can be shown to have scaling problems given current Internet growth. It is becoming clear that the number of Internet-connected entities will only increase as time passes. Eventually, everyone will be connected, and given population expansion alone, we can see scaling problems already (a 32-bit address field provides for roughly 4.2 billion addresses). When you take into account other devices that either already are, or may be, connected to the Internet in years to come (phones, television, routers, radios, diagnostic equipment, Web servers, refrigerators!), we can see this problem only getting worse. If you then factor in the legacy problem of IP address wasting (organizations holding far more IP addresses than they have assigned to Internet-connected entities), it is clear that another solution is needed.
Figure 9.2 IPv4 packet header format.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IPv6 does a good job of handling this problem. Rather than the 32-bit address field of IPv4, IPv6 was designed with four times as many bits for addressing. With 128 bits for addressing (see Figure 9.3), we are left with enough address space to accommodate future growth as predicted within the IETF: 2^128 is roughly 3.4 x 10^38 addresses, which works out to roughly 6.7 x 10^17 unicast Internet addresses for each square millimeter of the Earth's surface. As we can see, this appears to scale to future growth for what hopefully will be a long time.
Figure 9.3 IPv6 packet header format.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |  Next Header  |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                         Source Address                        +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                      Destination Address                      +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
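The fixed header above and the Next Header chain discussed in the preceding sections can be exercised with a short parser. The following is an added example written for this edition, not code from the book: it decodes the 40-byte fixed header of Figure 9.3, then follows the Next Header fields through the extension headers until it reaches the upper-layer protocol, or stops at ESP, since everything behind an ESP header is ciphertext. The packet bytes are constructed inline for the demonstration (a Destination Options header followed by ESP); the protocol numbers are the IANA assignments.

```python
"""Decode the IPv6 fixed header (Figure 9.3) and walk the Next Header chain.

Added example for this chapter; not code from the book. The packet built
at the bottom is constructed by hand for the demonstration.
"""
import struct
import ipaddress

# Next Header values from the IANA protocol numbers registry.
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
EXT_HEADERS = {HOPOPT: "Hop-by-Hop Options", ROUTING: "Routing",
               FRAGMENT: "Fragment", DSTOPTS: "Destination Options",
               AH: "Authentication Header"}
NAMES = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6", ESP: "ESP",
         NONXT: "No Next Header"}


def parse_fixed_header(pkt):
    """Return the fields of the 40-byte fixed header as a dict."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    version = first >> 28
    if version != 6:
        raise ValueError("not IPv6 (version %d)" % version)
    return {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": plen,
        "next_header": nxt,
        "hop_limit": hlim,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_header_chain(pkt):
    """Follow Next Header fields past the extension headers.

    Returns (chain, final): the extension header names in order, and the
    protocol number the walk ended on. ESP ends the walk because everything
    behind the ESP header is ciphertext; AH is stepped over (it is not
    encrypted), so the headers behind it are still visible.
    """
    hdr = parse_fixed_header(pkt)
    if hdr["payload_length"] != len(pkt) - 40:
        raise ValueError("Payload Length does not match the packet size")
    nxt, off, chain = hdr["next_header"], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nxt])
        if nxt == FRAGMENT:
            hlen = 8                        # Fragment header is fixed at 8 bytes
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH: Payload Len in 32-bit words, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8   # others: Hdr Ext Len in 8-byte units, minus 1
        nxt = pkt[off]                      # every extension header starts with Next Header
        off += hlen
        if off > len(pkt):
            raise ValueError("extension header runs past the end of the packet")
    return chain, nxt


def build_demo_packet(hop_limit=64):
    """Constructed sample: fixed header, Destination Options header, ESP."""
    src = ipaddress.IPv6Address("3FFE:2900:1:10::1").packed
    dst = ipaddress.IPv6Address("3FFE:2900:2:20::1").packed
    # Destination Options: Next Header = ESP, Hdr Ext Len = 0 (8 bytes total),
    # the six option bytes filled with one PadN option (type 1, length 4).
    dstopts = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])
    # ESP: SPI and sequence number, then what would be ciphertext.
    esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 8
    payload = dstopts + esp
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), DSTOPTS, hop_limit)
    return fixed + src + dst + payload


if __name__ == "__main__":
    packet = build_demo_packet()
    fields = parse_fixed_header(packet)
    print("%s -> %s, hop limit %d" % (fields["src"], fields["dst"], fields["hop_limit"]))
    chain, final = walk_header_chain(packet)
    print("extension headers:", chain, "then", NAMES.get(final, final))
```

The Payload Length check matters: a chain walker that trusts the length fields blindly can be steered past the end of the buffer by a crafted Hdr Ext Len, which is why each step is bounds-checked before the next header byte is read.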
Before we dive into the addressing schemes inherent to IPv6, let us first look at the new convention for expressing IPv6 addresses. Contrary to IPv4, which uses dotted decimal notation, with one number per octet of its 32-bit address, IPv6 utilizes hex notation for describing its addresses. Although dotted decimal notation is well suited to the relatively short IPv4 host address, it does not scale well to the 128-bit IPv6 host address (with dotted decimal notation, we would need 16 numbers to designate each host). With hex notation, each digit signifies 4 bits of address space, cutting the written address length substantially. Table 9.1 summarizes how hex notation differs from dotted decimal notation. Notice that hex notation has 16 values, instead of the classical 10 values of decimal notation. This allows a byte of data to be summarized by two digits. Therefore, an address in IPv6 will look a little different from what you are used to. However, with a little practice, hex notation becomes easy to use. For instance, the IPv4 address 24.172.96.240 can be written in hex (with dots in the same place) as 18.AC.60.F0.
Hex notation is useful for condensing large numerical expressions. Each digit expresses 4 bits of the address. The next convention to know about that differs from IPv4 is that addresses are grouped together in groups of 16 bits (four hex digits). For instance, a sample IPv6 address may be 3FFE:2900:B002:CA96:85D1:109D:0002:00AD. The colon (:) is used as a delimiter in IPv6 addresses. The notation also allows the low-order 32 bits to be written in IPv4 dotted decimal (for example, ::FFFF:24.172.96.240), which matters for IPv4-to-IPv6 transition addresses, but the agreed-upon convention is hex with colon delimiters. Now that we see how IPv6 addresses are formed, we can use a couple of additional conventions to aid in IPv6-address hex expressions. The first convention carries over from IPv4: All zeroes to the left of a given 16-bit group may be left out. For instance, the IPv6 address 3FFE:2900:C005:001A:0000:0000:0AD0:0001 can be reduced to 3FFE:2900:C005:1A:0:0:AD0:1, which saves substantial time. This is analogous to writing the IPv4 address (for example) 199.000.055.085 as 199.0.55.85. The second convention helps even more. It states that one run of one or more consecutive all-zero 16-bit groups can be omitted. In place of the zero groups, we simply use the double colon (::). From the preceding address, we can express this address as 3FFE:2900:C005:1A::AD0:1, which shortens the expression even further. Please note that the double colon can only be used once in an address.
Since the length of the zero run is unknown, any IPv6 node interpreting the expression would not know how many 16-bit zero groups to pad the address with if this shortcut were used more than once. For instance, 3FFE:2900:1::1::2 could be 3FFE:2900:1:0:1:0:0:2 or 3FFE:2900:1:0:0:1:0:2. When we look at both of these shortcuts in full use, we can see that addresses can become especially easy to express. For instance, the IPv6 6Bone address 3FFE:2900:0000:0000:0000:0000:0000:0001 can be written as 3FFE:2900::1. This dramatically reduces both the time to write IPv6 addresses and the thinking associated with making sure that you get all 128 bits into your expression. Now that we have all of these rules down, we can begin to look at the protocol addressing scheme in more detail. Familiarize yourself with Table 9.1 prior to moving into the next sections of this book, as hex will be the normal method for expressing IPv6 addresses from here on out.
Table 9.1 Hex-to-Decimal Translation Cheat Chart

Value   Hex Notation   Decimal Notation   Binary
0       0              0                  00000000
1       1              1                  00000001
2       2              2                  00000010
3       3              3                  00000011
4       4              4                  00000100
5       5              5                  00000101
6       6              6                  00000110
7       7              7                  00000111
8       8              8                  00001000
9       9              9                  00001001
10      A              10                 00001010
11      B              11                 00001011
12      C              12                 00001100
13      D              13                 00001101
14      E              14                 00001110
15      F              15                 00001111
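The two shortening rules just described are easy to state and easy to get wrong. The following added example (written for this edition, not from the book) expands a written address back to its eight 16-bit groups, produces the shortest form, and rejects the ambiguous double use of "::". It uses the addresses from the text and cross-checks its output against Python's ipaddress module, which applies the same rules (RFC 5952 additionally says not to use "::" for a single zero group, which is what the run-length check below enforces).

```python
"""Expand and compress IPv6 addresses by hand, following the two rules in
the text: drop leading zeros within each 16-bit group, and replace one run
of all-zero groups with '::', at most once per address.

Added example for this chapter, not code from the book; checked at the end
against Python's ipaddress module, which applies the same rules.
"""
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand(text):
    """Return the eight 16-bit groups of a written IPv6 address as ints.

    Rejects a second '::' because a reader could not tell how many zero
    groups each one stands for (the 3FFE:2900:1::1::2 case in the text).
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once; %r is ambiguous" % text)
    if "::" in text:
        left, right = text.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        parts = lgroups + ["0"] * missing + rgroups
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 groups, got %d in %r" % (len(parts), text))
    groups = []
    for p in parts:
        if not 1 <= len(p) <= 4 or not set(p) <= HEX_DIGITS:
            raise ValueError("bad group %r in %r" % (p, text))
        groups.append(int(p, 16))
    return groups


def full_form(text):
    """Every group written with all four hex digits."""
    return ":".join("%04X" % g for g in expand(text))


def compress(text):
    """Shortest form: no leading zeros, longest run of zero groups as '::'.

    A single zero group is written as '0' rather than '::' (RFC 5952), and
    ties between equally long runs go to the first one.
    """
    groups = expand(text)
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + [None]):   # None ends the final run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexs = ["%X" % g for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return left + "::" + right


def agrees_with_stdlib(text):
    """True when our shortest form matches ipaddress.IPv6Address(text).compressed."""
    return compress(text).lower() == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    for addr in ("3FFE:2900:C005:001A:0000:0000:0AD0:0001",
                 "3FFE:2900:0000:0000:0000:0000:0000:0001",
                 "3FFE:2900:1:0:1:0:0:2"):
        print(full_form(addr), "->", compress(addr), agrees_with_stdlib(addr))
    try:
        expand("3FFE:2900:1::1::2")
    except ValueError as err:
        print("rejected:", err)
```

Note that the expansion step is the one that matters for filters and access lists: two textual spellings of the same address must compare equal, so anything that matches on the written form (log greps, string-based allow lists) should canonicalize first.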
Now that we have more bits from which to address Internet entities, we need to make sure that we have sufficient means for all of these machines to talk with one another. In other words, we must also incorporate into the new Internet Protocol ways for routing to maintain an efficient state. Just imagine the processing power Internet Backbone routers would need in order to retain and process against a list of every host in IPv6! At the time of this writing, there are between 62,000 and 65,000 classless routing entries in the Internet default-free Backbone routing tables. This number is increasing, but at a much slower rate than address allocations (providers are delegating address space that can be aggregated into supernets; this keeps global routing table growth below that of Internet-connected entity growth). We need to ensure that the upper limit of routing entries with IPv6 is still within foreseeable limits of what Backbone routers can hold and process quickly. In the following sections, we will first look at how IPv6 addressing works, and then look at how this addressing scheme ensures that these concerns are sufficiently addressed.
A More Flexible Hierarchical Organization of Addresses As stated earlier, any protocol that replaces the current IP will need to not only provide for more Internet-routable addresses, but also contain inherent mechanisms to ensure a stable and efficient Backbone routing system. If we were to adopt an Internet Protocol without addressing this issue, we may solve an address space problem, but getting from one point in the Internet to another will become cumbersome for Backbone routing equipment and could lead to a less stable Internet as a whole. Many Internet gurus today envision the Internet replacing all prior means of communication, be it phone, television, radio, etc., so the routing stability issue has to be held in high priority for this dream to become reality. In this section, we will look at one of the main improvements IPv6 attempts to make over IPv4, and study the effects this can have on Backbone routing tables. Although IPv4 first routed based on classful entries (Class A, B, C blocks), it was apparent that this was not sufficient for wide-scale deployment. Then, the concept of Classless Inter-Domain Routing was developed. With CIDR, the concept of classes went away, allowing the ability to aggregate smaller networks into supernets, or to break up big blocks into subnets.
This increased the efficiency of network addressing, because we could now address a network with an appropriately-sized network block, regardless of what class the address fell into. With this new development, IPv4 addresses were used more efficiently, but there was a side effect on the Backbone routing tables of the Internet. Instead of a contiguous block of network space being carried as a single entry, the subnets of that block could now be spread out over large noncontiguous geographic areas. This caused routing table size to grow at an increased rate. Let us perform a mental exercise to help demonstrate this point. Suppose that Internet-connected Network I has two Internet Providers, A and B. Network I has been delegated a subnet from Provider A from which to address its Internet-connected machines, to provide for Internet routability. When Network I runs BGP, it announces this subnet up to both providers. This is where the problems occur. If Provider A decides to announce to its peers only the aggregate of the address block from which Network I was given a subnet, only traffic originating on Provider A's network (and sometimes not even that) would use the connection from Provider A to Network I to get to Network I. Since Provider B receives, and passes on, the more specific subnet that Network I announces, all other Internet traffic will use Provider B's connectivity to Network I as its best path (via the longest-match routing rule). We can see that this limits a downstream network's ability to load-balance between multiple provider links. The only solution that would allow Network I to control its traffic load on either connection would have to include the external announcement of both the aggregate and the subnet from Provider A to its peers.
So as we can see, the inception of CIDR provided for more efficient use of Internet-routable addresses, but in turn, it also reduced the efficiency of Internet routing tables. When this example is expanded to the global Internet, we can see that this is a problem. IPv6 makes some good modifications in policy to rid the Internet of both problems. The IPv6 address consists of 128 bits. One advantage that IPv6 has over CIDR is a built-in, well-defined set of boundaries from which to define sets of address space to delegate downstream to other people who get Internet connectivity from you.
Figure 9.4 Globally-routable IPv6 addressing architecture.

   |  3  |    13    |  8  |    24    |    16    |        64 bits        |
   +-----+----------+-----+----------+----------+-----------------------+
   | FP  |  TLA ID  | RES |  NLA ID  |  SLA ID  |      Interface ID     |
   +-----+----------+-----+----------+----------+-----------------------+
Notice in Figure 9.4 that the IPv6 globally-routable unicast prefix is divided into six different sections. Let us look at each section in detail. (This TLA/NLA/SLA layout comes from RFC 2374. It was later withdrawn by RFC 3587, which retains only a global routing prefix, a subnet ID, and the 64-bit Interface ID; the aggregation ideas that follow still apply, but the fixed bit widths of the upper fields no longer do.)
FP: Format Prefix The Format Prefix for globally-routable unicast prefixes will always have the same three bits (in the initial deployment of IPv6). These first three bits will always be set to 001, and are there to designate (to any routing entity on the Internet) that this address is a globally-routable unicast address. For each type of IPv6 address that we discuss, the FP will be unique to that type of address, thus making it easier for routing entities to discern packet types, and process them according to the rules that apply to the respective packet type. For instance, multicast packets and unicast packets are routed in very different ways. Unicast packet routing is 1-to-1 (a packet with an IPv6 Globally-Routable Unicast destination originates from one host and is delivered to one host), and multicast packets are 1-to-N (one multicast packet may be delivered to N interested destination hosts), or N-to-N (N sources delivering packets to N destinations), so these packets are handled in vastly different ways on an Internet backbone. The FP serves as a delimiter, so a routing device can make a quick decision as to how to handle the incoming packet, and ensure that it is handled correctly. Note that using the first few bits of an address to designate the type of address is more efficient than putting a separate field into the packet, because now we can utilize more of the packet for other valuable features, discussed earlier.
TLA ID This is the Top Level Aggregator Identifier, 13 bits used to signify to which Top Level Aggregator the address belongs. A Top Level Aggregator is a Network Provider that sits at the top level of aggregation of Internet traffic. In unicast terms, Top Level Aggregators are sometimes referred to as "Tier-1 Providers." These are Internet Providers who make up the core of the Internet Backbone. They usually have settlement-free peering relationships with other TLAs (neither provider pays the other to receive its routes), encompass a large area of the globe with coverage of Internet core routing, and provide the high-speed transport that moves packets from one part of the globe to another. Their Backbones are composed of highly sophisticated, fast-routing devices, and their cores carry full Internet routes. Current examples of Top Level Aggregators include Sprint and WorldCom. In IPv6, providers of this caliber are given blocks of IPv6 Globally Routable Unicast addresses (a TLA assignment), and they, in turn, delegate pieces of this block down to their customers.
RES These 8 bits are reserved for now. It has not been determined by the IETF what course of action should be taken for these bits. At this stage, it is appropriate for TLAs to subnet their assignment using these 8 bits to increase the amount of Globally Routable Unicast address space that a TLA can delegate to its customers, or use on its Backbone.
NLA ID These 24 bits depict the Next Level Aggregator Identifier. A Next Level Aggregator can be thought of today as a Tier-2 Network Service Provider or ISP. An NLA can range from a small organization with one TLA connection, to a large, regional Provider with many upstream TLA connections and complex Backbones. An NLA will receive an NLA ID from its upstream TLA, and in turn, will break its NLA ID into chunks, which will be delegated to its customers.
SLA ID A Site Level Aggregator Identifier (16 bits) describes an entity that has no downstream customers who are network service providers. An SLA could be a small to large business, or a small Service Provider that does not delegate address space to its customers (for instance, today's cable-modem providers could fit into an SLA arrangement).
Interface ID The final 64 bits of the globally routable IPv6 unicast address are reserved for the Interface Identifier. In IPv4 terms, this is known as the host ID. These 64 bits are designated to distinguish one host from another on a given network segment. Each Interface ID on a given network segment must be unique. We will see that IPv6 builds in a clever way to ensure this is so. (One caveat for the security-minded reader: when the Interface ID is derived from a hardware address, it also identifies the device across every network it visits; the privacy extensions of RFC 4941 and the stable opaque identifiers of RFC 7217 exist to avoid that.)
Aggregation Realized Now that we know how the IPv6 Globally Routable Unicast address format is split up, we can begin to see how aggregation based on this format is possible. Figure 9.5 depicts a TLA that has a variety of customers for which it provides transit Internet connectivity. By delegating a subset of its address space (TLA ID) to each customer, depending on that customer's purpose, the TLA is ensured that all address space advertised to it from its downstream customers is a subset of its own address space. This brings up a good point regarding the political changes surrounding IPv6. With IPv6, small to regional Network Service Providers as well as end-users will no longer have the ability to obtain address space directly from registries. Instead, Top Level Aggregators will be assigned address blocks, which they will in turn be in charge of managing and delegating to their downstream connections (NLAs and SLAs). This shift in address management is thought to be much more efficient than the current address management policies of today. If a small-to-midsize ISP/NSP can no longer get address space from registries, and therefore no longer puts a burden on Backbone TLA core providers to carry its routes as transit, then the possibility of aggregation beyond what IPv4 can do today becomes a reality. In the next section, we will look at how this aggregation works, and why it will increase the stability of the Internet as a whole.
Figure 9.5 A generic IPv6 Internet.
Minimizing the Size of Routing Tables As we have discovered, IPv6 will allow ample address space for the future of the Internet. With 128 bits of address space, there should be adequate addresses for Internet-connected entities to grow in number and complexity. With a well-defined format for IPv6 addressing, we can see that addressing becomes more organized than classical IPv4. From this, we will now look at how the addressing scheme for IPv6 helps to minimize the number of Internet Core routing entries that need to be carried, thus limiting the scope of future Internet routing complexity. In Figure 9.6, we see two TLAs, with various connected customers of both the NLA and SLA variety. Let us look at the routing announcements necessary for this scenario to function with stability and efficiency.
Figure 9.6 Generic addressed IPv6 Internet.

   TLA I   3FFE:2900::/24  <---- BGP4+ ---->  TLA II  3FFE:4200::/24
     |                                          |
     +-- NLA I   3FFE:2900:1::/48               +-- SLA III  3FFE:4200:D:E::/63
     |     +-- SLA I   3FFE:2900:1:10::/63
     +-- NLA II  3FFE:2900:2::/48
           +-- SLA II  3FFE:2900:2:20::/63
In Figure 9.6, we have two TLAs (Tier 1 Network Service Providers) and a variety of NLAs and SLAs in various configurations. TLA I is in a bilateral peering arrangement with TLA II, and both exchange routes via BGP. (There are changes to BGP currently in IETF working groups to support different types of NLRI (Network-Layer Reachability Information), so BGP4 may not be the standard BGP by the time IPv6 is deployed; for the purposes of this example, BGP4 will serve adequately. In practice these changes became the Multiprotocol Extensions for BGP-4, RFC 2858, rather than a new protocol version.) TLA I owns a Top Level Aggregator block. In this example, we designate TLA I with 3FFE:2900::/24 as its TLA delegation, and TLA II with 3FFE:4200::/24 as its TLA delegation. So we know that TLA I and TLA II must supply each other with these routes at a minimum for routing to operate properly between the TLA I and TLA II Backbones. TLA I will subdelegate blocks of address space to its NLA and SLA customers. In this case, let us assign NLA I 3FFE:2900:1::/48, and NLA II 3FFE:2900:2::/48. Furthermore, these NLAs must delegate blocks down to their customers out of this block. Let us assume SLA I will be given 3FFE:2900:1:10::/63, SLA II 3FFE:2900:2:20::/63, and SLA III (a direct customer of TLA II) 3FFE:4200:D:E::/63. Starting at the bottom aggregators, SLA I must announce its block 3FFE:2900:1:10::/63 up to NLA I.
Because this is a subset of NLA I's space, NLA I is not required to announce this SLA (from SLA I) up to TLA I. A similar situation exists with NLA II. TLA I only needs to hear the NLA aggregates that it delegated down to these two NLAs, regardless of how each NLA has subdelegated its space. So from this, we can see that at this point, TLA I has to carry only three announcements for non-backbone space:
3FFE:2900:1::/48 (from NLA I)
3FFE:2900:2::/48 (from NLA II)
3FFE:4200::/24 (from TLA II)
Even further, we notice that the first two of these announcements are simply subsets of the block assigned to TLA I. Therefore, in the bilateral peering between TLA I and TLA II, we can see that only one route needs to be exchanged in each direction between these peers.
Although this is a limited example, we can see the routing simplicity that has come to pass as a result of this aggregation. The beauty of this comes from two facts.
Figure 9.7 Routing advertisements along aggregation paths.

   TLA I   <-- 3FFE:4200::/24 --       TLA II
   TLA I   -- 3FFE:2900::/24 -->       TLA II
   NLA I   -- 3FFE:2900:1::/48 -->     TLA I
   NLA II  -- 3FFE:2900:2::/48 -->     TLA I
   SLA I   -- 3FFE:2900:1:10::/63 -->  NLA I
   SLA II  -- 3FFE:2900:2:20::/63 -->  NLA II
   SLA III -- 3FFE:4200:D:E::/63 -->   TLA II
   (each TLA passes 3FFE:2900::/24 and 3FFE:4200::/24 down to its customers)

The first is that no address blocks are portable. Today, a large part of IP space is known as portable. A portable address block is a block that can be taken with you when you leave a certain service provider's jurisdiction and go to another provider. This leads to many extraneous announcements in the core of the Internet Backbone, as Network Service Providers lose the ability to aggregate announcements properly. For example, if a service provider is given the classless block 71.16.0.0/16, and loses one part of this, say 71.16.241.0/24, from its possession (a customer takes it with them
when they leave), we are left with a suboptimal routing scenario. Now:
- The Service Provider has to announce this one /16 block to peers and customers as many different subnets if it is to announce only the space it still holds; in this case, eight announcements (71.16.0.0/17, 71.16.128.0/18, 71.16.192.0/19, 71.16.224.0/20, 71.16.240.0/24, 71.16.242.0/23, 71.16.244.0/22, 71.16.248.0/21).
- The Service Provider has to update its filters to peers to allow this lost block to be heard via BGP from peers. Normally, this block would be denied, to prevent routing loops (see the note regarding BGP in a previous section of this chapter; BGP4 itself helps a little here, since the AS path carries the originating ASN).
Not only is this a management nightmare for Network Service Providers, it is also extremely inefficient for the Internet core.
So by removing portability, we have greatly increased the long-term efficiency of the Internet Backbone routing tables. Some may ask, "Why don't we eliminate this in IPv4?" This has been done, for the most part; however, legacy portability has taken its toll on the Internet. Second, pressure still remains from downstream Internet entities. The argument is that not allowing IP blocks to be portable puts the customer under pressure not to change providers, because a big network is cumbersome to renumber with new IP space (DNS entries as well as host reconfiguration are required). There is no way for IPv4 to provide a smooth transition from one provider-delegated block of IPv4 addresses to another. IPv6 will need some mechanism to allow for smooth migration from one provider's address space to another. We will see that this is the case. The use of anycast addressing, as well as auto-configuration of interfaces, eases the pain of renumbering upon switching providers, or renumbering for any other reason. But let's put this aside for the moment to complete our study of routing tables. We will discuss strategies for renumbering in the next section.

The second reason is that only TLAs will be assigned address space from the Numbering Authorities. Today, IANA (the Internet Assigned Numbers Authority) is the responsible party for numbering, which in turn delegates numbers to Regional Registries, such as ARIN, RIPE, and APNIC. These regional numbering authorities in turn assign IPv4 address space to Internet providers, or businesses and organizations that can demonstrate sufficient need for their own IP blocks. Notice how this leads to more small blocks being carried in the core Internet table. This all goes back to renumbering problems. If renumbering were simple, then getting IP space directly from our upstream providers of connectivity would not be a big deal. If we are dissatisfied with service, we can simply get another provider, and then renumber. Many businesses today feel restricted in doing this, as renumbering in IPv4 is sufficiently complex to sway people away from going somewhere else when their provider is not satisfactorily providing service. By ensuring that only TLAs get address space, the Internet is assured that only big blocks of space are delegated, which will make sure that aggregation can always occur.
Global Addresses for the Internet and Local Addresses for Intranet

Now that we can see how the Internet core can benefit from IPv6, and we have touched on some of the nice things it provides to end-user networks, let us look at how a typical LAN will be addressed, and how its routing allows for robust and easily managed connectivity. So far, we have learned that Globally Routable Unicast IPv6 addresses follow a strict aggregation scheme. But does every machine need to have a Globally Routable Unicast address? Most companies today that are connected to the Internet have some subset of systems that route and speak IPv4, but do not necessarily need to be routed across the Internet, nor do they need to have their very own Globally Routable Unicast address. Certain systems, such as internal-only servers, printers, and other systems, need to be able to route on a company network, but do not need to be globally routed across the Internet. Furthermore, many companies wish there were a way to ensure that these systems could not be seen from the outside world. Today, this is remedied through security precautions: the firewall and the packet filter are the best ways to ensure (or hope to ensure) that some secret or important machines are not accessible from the outside. Although security is important, and will not go away with the invention of IPv6, there are other possibilities. IPv6 incorporates the idea of scoped addressing into its protocol stack.

Scoped addressing, in addition to providing other functionality, provides for this problem. Addresses are said to be scoped when the address in question has a well-defined boundary in which it will route. Furthermore, the scoped address does not route outside of this boundary, nor does it have a routing entry associated with it that leaves this boundary. To better understand, let us look at a diagram of a simple IPv6 network, and a generic example of how scoping can be used to ensure that machines operate only within their jurisdiction. Refer to Figure 9.8 to picture this type of scenario.
Figure 9.8 A scoped IPv6 network.
The machine labeled "secure" server cannot route outside of the boundary of its network, because it does not know about the rest of the world (it has no default route). The rest of the world does not know about it either (no routing entry is advertised to other routers about the existence of the link-local network). In this network, we have some people who may be in another side of the building, who need to access Machine A. Also, Machine A can talk to other parts of the building. We still have the ability to use filters and firewalls (or some sort of security measures) to ensure this machine is invisible from the outside. However, classically, this can be dangerous, as most operators, no matter how good and careful, can make mistakes. Addresses that are not supposed to get announced to the rest of the world eventually will get announced, even if by accident and for a short period of time, when a mistake gets made. RFC 1918 designates reserved address space for IPv4 (RFC 1918: Address Allocation for Private Internets, www.ietf.org/rfc/rfc1918.txt). Note that in IPv4, it is left to the competence of the Network Operator to ensure that reserved address space is not announced globally. In IPv6, it is conceivable that a routing system will automatically know not to route link-local or site-local space between ASs. As you have probably guessed by now, IPv6 addresses this problem, and does what many feel IPv4 has tried to do too late. IPv6 has a set of address space that is scoped for different types of applications. Table 9.2 summarizes the delegation of IPv6 address space, and shows how the first few bits of an IPv6 address tell us what type of address it is. Notice that in three bits, we can see whether or not a given address is a Globally Routable Unicast address (001; which leaves, as the first hex digit, either 0010 (2) or 0011 (3)). As a side note, this is pretty nice for routing systems! So we can see that there are two levels of unicast scoped addresses. The first type of scoped address for IPv6 is the Link Local Unicast address, which exists only on the media that connects two or more machines together.

For instance, on a PPP link (or HDLC, Frame Relay, Ethernet, Token Ring) there will be a specific set of address space especially designed for that link. The motivation for this was to allow IPv6-speaking machines to have a set of addresses from which to link groups of machines together in order to communicate functions that are specific to that link. For instance, Link Local addresses can be used for things like Neighbor Discovery, or Auto-Configuration (discussed later). This allows all machines to have an address that allows them to talk to other directly connected machines (directly connected at Layer 1 or 2 in this case; consider two machines that are on the same Ethernet subnet as being directly connected). Notice that in itself, this relieves some of the burden of renumbering. Although an administrator renumbers a network, for whatever reason, at least machines that need to talk to each other can still do so outside of the Globally Routable Unicast address. Link Local addresses are to be routed only on that link, and are not to be sent into any IGP (Interior Gateway Protocol) or EGP (Exterior Gateway Protocol; to other routing domains), for obvious reasons. They are Link Local after all! Most routing systems for IPv6 today have this functionality built into their operating systems (it is unclear whether routing systems will need to have this automatically built in at this time, but it seems to make the best sense that they do).

Table 9.2 IPv6 Address First-Bits Standards
Allocation                               Prefix (binary)   Fraction of Address Space
Reserved                                 0000 0000         1/256
Unassigned                               0000 0001         1/256
Reserved for NSAP Allocation             0000 001          1/128
Reserved for IPX Allocation              0000 010          1/128
Unassigned                               0000 011          1/128
Unassigned                               0000 1            1/32
Unassigned                               0001              1/16
Aggregatable Global Unicast Addresses    001               1/8
Unassigned                               010               1/8
Unassigned                               011               1/8
Unassigned                               100               1/8
Unassigned                               101               1/8
Unassigned                               110               1/8
Unassigned                               1110              1/16
Unassigned                               1111 0            1/32
Unassigned                               1111 10           1/64
Unassigned                               1111 110          1/128
Unassigned                               1111 1110 0       1/512
Link-Local Unicast Addresses             1111 1110 10      1/1024
Site-Local Unicast Addresses             1111 1110 11      1/1024
Multicast Addresses                      1111 1111         1/256
The second type of scoped address is the site-local address. This address designates a routing domain, or a subset of a routing domain. Machines that are addressed site-locally will be able to communicate with other designated subnets through this addressing scheme, but will not route globally on the Internet. This can benefit us in some ways as well. Perhaps there is a need for a machine to speak with other internal machines at an office, but the administrator wants to make sure that that particular machine (perhaps an accounting machine for a company, for example) cannot route through the Internet. Through the use of Site Local addressing, we can accomplish this, without the intervention of complex security schemes to ensure that a machine is invisible to the bad guys out there who want to cause trouble (this does not substitute for network security, but does ensure that packets coming from this host do not reach the global Internet). The basic routing principles associated with Site Local addresses are common sense. A Site Local address may be routed through an IGP, but should never pass into an EGP. Again, most of the time, an intelligent routing system will have the ability to discern these routes by their unique addressing, and make sure that they are not leaked to the Internet.

So as we can see, IPv6 makes an attempt (and a pretty good one at that) at separating out addresses that are internal to a routing domain, or internal to a given network or link, and makes sure that the integrity of the Internet routing table is maintained. Now that we have an idea of what types of local addressing IPv6 has for us, let us look at some of the benefits of scoping. Figure 9.9 shows addresses that have been assigned to hosts in the Site Local, Link Local, and Globally Routable Unicast space.
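Table 9.2 and the two scope rules just stated (link-local never leaves its link; site-local may be carried by an IGP but must never enter an EGP) are easy to turn into a check a router or a route-policy review can run. The code below is an added example, not from the book, written against Python's standard ipaddress module. classify() matches the leading bits of an address against the table, first_hex_digit() shows the shortcut mentioned in the text (a leading hex 2 or 3 means Aggregatable Global Unicast), and export_filter() splits a list of prefixes into those that may be exported on a given session type and those that would be a leak. The table rows are taken from this page; the function names and the "igp"/"ebgp" session labels are this example's own.

```python
import ipaddress

# Table 9.2 as (leading bits, allocation) pairs.  The prefixes do not overlap,
# so the first row whose bits match the top of the address is the answer.
FORMAT_PREFIXES = [
    ("00000000", "Reserved"),
    ("00000001", "Unassigned"),
    ("0000001", "Reserved for NSAP Allocation"),
    ("0000010", "Reserved for IPX Allocation"),
    ("0000011", "Unassigned"),
    ("00001", "Unassigned"),
    ("0001", "Unassigned"),
    ("001", "Aggregatable Global Unicast Addresses"),
    ("010", "Unassigned"), ("011", "Unassigned"), ("100", "Unassigned"),
    ("101", "Unassigned"), ("110", "Unassigned"),
    ("1110", "Unassigned"),
    ("11110", "Unassigned"),
    ("111110", "Unassigned"),
    ("1111110", "Unassigned"),
    ("111111100", "Unassigned"),
    ("1111111010", "Link-Local Unicast Addresses"),
    ("1111111011", "Site-Local Unicast Addresses"),
    ("11111111", "Multicast Addresses"),
]

# Scope of each allocation that must not cross a routing boundary.
SCOPED = {
    "Link-Local Unicast Addresses": "link",   # never into any IGP or EGP
    "Site-Local Unicast Addresses": "site",   # IGP is fine, EGP is a leak
}


def leading_bits(addr, n):
    """The top n bits of an IPv6 address as a zero-padded binary string."""
    value = int(ipaddress.IPv6Address(addr))
    return format(value >> (128 - n), f"0{n}b")


def classify(addr):
    """Allocation name from Table 9.2 for the given IPv6 address."""
    for bits, name in FORMAT_PREFIXES:
        if leading_bits(addr, len(bits)) == bits:
            return name
    raise ValueError(f"no Table 9.2 row matches {addr}")


def first_hex_digit(addr):
    """The text's shortcut: a leading hex 2 or 3 means the first three bits are 001."""
    return format(int(ipaddress.IPv6Address(addr)) >> 124, "x")


def export_filter(prefixes, session):
    """Split prefixes into (permit, deny) for a routing session.

    session is "igp" (inside one routing domain) or "ebgp" (to another domain).
    Link-local is denied everywhere; site-local is denied only on the EGP side.
    """
    if session not in ("igp", "ebgp"):
        raise ValueError("session must be 'igp' or 'ebgp'")
    permit, deny = [], []
    for p in prefixes:
        net = ipaddress.IPv6Network(p, strict=False)
        scope = SCOPED.get(classify(str(net.network_address)))
        if scope == "link" or (scope == "site" and session == "ebgp"):
            deny.append(str(net))
        else:
            permit.append(str(net))
    return permit, deny


if __name__ == "__main__":
    # Constructed sample: one global customer block plus both scoped ranges.
    candidates = ["3ffe:2900:1::/48", "fec0::/10", "fe80::/10"]
    for session in ("igp", "ebgp"):
        permit, deny = export_filter(candidates, session)
        print(f"{session}: permit {permit}  deny {deny}")
    for a in ("3FFE:2900:1::1", "fe80::1", "fec0::1", "ff02::1", "::1"):
        print(a, "->", classify(a), "(first hex digit", first_hex_digit(a) + ")")
```

The deny list is the useful output for a defender: anything in it that shows up in an export policy or a received EBGP table is a scoped prefix that has escaped its boundary. One caveat for anyone applying this today: site-local unicast (fec0::/10) was later deprecated by RFC 3879 and replaced in practice by unique local addresses (fc00::/7), so a current filter applies the same "never into an EGP" rule to that range.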
Figure 9.9 Scoped addresses on a LAN.
Now that we have machines that can speak to each other on a LAN or link with well-known addresses that are always in the same range, we can look at some of the benefits associated with this scenario. Earlier in the chapter, we mentioned the problems associated with renumbering today in IPv4. Renumbering a network is rather complex with IPv4, because not only would you have to sit at every machine (or DHCP server at the least) for every network and reconfigure the LAN to use new IPv4 addresses, but also there would be considerable downtime with this approach. Furthermore, services such as Domain Name Service potentially could be drastically impacted by this undertaking, in that zone files would need to be changed to reflect new forward and reverse DNS entries for machines. If you are in the Internet business, providing access to services or information that needs to be reachable to consumers at any time, you can see how this can cost businesses money. Today, downtime is becoming more and more pricey as people begin to rely more and more upon Internet availability for business-critical applications and information. We will see in the following sections how IP version 6 will help us to minimize downtime, while also helping administrators (those poor fellows) to keep up with network changes such as renumbering more efficiently.
IPv6 Benefits

Now that we have looked into the promise that IPv6 gives to the Internet of the future, let us discuss some of the benefits of IPv6 in more detail, in order to see how this protocol attempts to deal with the Internet and business network problems of today. We will look at the two main problems that IPv6 solves, address depletion and routing scalability, in more detail, and then look at some of the added benefits that IPv6 gives to network designers and administrators.

Increased IP Address Size

We now understand that IPv6 reserves 128 bits for addresses. Let us look at this closer and appreciate the vastness of this degree of address space. 128 bits of address space means that there are 2^128 different addresses available. Because we already know that the first three bits of 001 are reserved for Globally Routable Unicast addresses, we now have 125 bits left to play with (128 - 3 = 125). So now we have 2^125 addresses available before Globally Routable Unicast address space is depleted, roughly 4.25E+037 addresses. To put this into perspective, let us compare this to IPv4. In IPv4, we use all address space between 0.0.0.0 and 223.255.255.255 for unicast routing (we will not take into account the addresses delegated as nonroutable reserved addresses as defined by RFC 1918), which is approximately 2.15E+09 addresses (3 times 2^29, as there are three legal possibilities for the first three bits, 000, 100, 110, and 101). This means that there are 2^94 times more addresses than in IPv4! Clearly, 128 bits provides enough address space to take current Internet trends well into the future. We could even argue that this is a seemingly inexhaustible amount of address space. Although this number is big, we will see, when we get into the details of LAN and WAN configuration, that this is not quite the case, but there is still many times the address space of IPv4.
One thing to get used to thinking of in order to appreciate IPv6 is the number of networks that IPv6 can support. From the address format discussed previously, we know that, in an IPv6 address, the last 64 bits describe the host ID for a system on a network. Did this seem fishy when you read it? It probably should have. IPv6 actually uses the last 64 bits of the address to distinguish hosts from one another. Whether using the Link Local, Site Local, or Globally Routable Unicast address format, the last 64 bits on a machine will remain the same. This is because IPv6 uses the Layer 2 MAC address (the address that is burned into all Layer 2 hardware; for example, Ethernet cards or other Network Interface Cards) as the host ID for a machine. This does, in fact, limit the number of addresses that are out there, because there will rarely be 2^64 addresses in use on a typical Ethernet LAN (we could argue that there will never be 2^64 machines on a LAN; especially on 10 or 100 Meg Ethernet!). Some address space definitely gets wasted. However, if you remove the 64 bits used for host ID, and the first three bits of address space used to designate Globally Routable Unicast addresses, you get 2^61 possible (2.31E+018) networks, compared to the 1.07E+09 that IPv4 provides (assuming that every network in IPv4 is a /28, which most are not; this number is derived by multiplying 4 times the first 28 bits of address space). Notice that this is still 2.1 billion times as many networks as IPv4 allows, and IPv6 does not have the network restriction that we assume here for IPv4 (the number of IPv4 networks used here is the number of LANs if all IPv4 networks were subnetted down to /28s: 13 hosts, one default router, one reserved, and one broadcast for the network). So we see that we have 2.1 billion times as many networks as this, and the IPv6 networks here can have up to 1.8E+19 hosts on each network (minus one for the default router). So even without using all of the addresses that IPv6 can use, we have the scaling ability to take us well beyond the future of IPv4, and in all likelihood, the scaling ability to take all of us through all of our careers in the IT field (or any other field).

Clearly, IPv6 frees up the ability to use addressing efficiently, without having to worry about running out. Please keep in mind that I do not mean to say that address space should be used in a carefree manner. This is how IPv4 came into the predicament that it is in so early in its life cycle!
Increased Addressing Hierarchy Support

As we learned earlier in the chapter, IPv6 addressing has restructured the means by which address blocks are delegated. Although IPv4 first used the classful IP assignment rules, and then began to assign based on the principles of CIDR, IPv6 corrects the deaggregation problems associated with each by splitting the IPv6 address into a set of definite scopes, or boundaries, by which IPv6 addresses are delegated.

The Format Prefix is used to show that an address is Globally Routable Unicast, or another type of address, and is always set to the same value. This allows a routing system to discern quickly whether or not a packet is Globally Routable Unicast, or another type. By knowing this quickly, the routing device can more efficiently pass the packet off to routing subsystems for proper handling. The Top Level Aggregator ID is used for two purposes. First, it is used to designate a big block of addresses from which smaller blocks of addresses are carved, in order to give downstream connectivity to those who need to get to the Internet. Second, it is used to distinguish where a route has come from. If big blocks of address space are given out to Providers only, and then in turn delegated down to customers, it becomes easier to see which transit network a route has traversed, or from which transit network the route first originated. With IPv4, in which, historically, many addresses were portable, and the numbers authorities were delegating blocks down to small businesses, it became impossible to know where a route came from without tracerouting back towards the source of the packet. Now, with IPv6, the possibilities for determining the source of a route are more feasible. Imagine an Internet consisting of 500 Tier 1 providers.

If this were the case (which is most likely not too far off from today, though what makes a provider a Tier 1 provider is very ambiguous), then at the very least a quick search through a text file could tell you where a route originated, based on the TLA ID of the longest-match route. It's even possible to have software with this functionality built into it (though I know of none currently in existence, and this software would most likely become outdated quickly, as new delegations were assigned). Let us look at the size of the TLA in more detail. We discussed in prior sections how the address space would be given only to providers, or those who needed their own IPv6 space (the term needed is used cautiously here, as it is ambiguous as well; there are currently no set boundaries or requirements with respect to what need means). This way, we are able to sufficiently aggregate prefixes into big blocks at the Internet core, and pass fewer routes between routing domains, as well as internally, which will increase the efficiency of the Internet core.
For fun, let us assume that we have the delegation 3D00::B234::/24. Let us further assume that all of our customers have sufficient need for a /48 delegation for their networks. This leaves us with 24 bits of addressing to delegate out! This is quite a lot of address space. The number of networks we can support with this scheme is equivalent to the number of hosts that we could support with a classful Class A IPv4 address block! You can see that there will be much more pressure on Tier 1 Service Providers to efficiently track the delegation of address space that they make. Today, a Tier 1 Service Provider gets addresses in blocks of perhaps /16 or less. If we assume that a Service Provider today only delegates addresses up to /24, that leaves only 256 delegations (8 bits) that the Service Provider can make prior to applying for more address space. Most Tier-1 Service Providers today are required to subnet delegations down to at least /28 in order to qualify for more address space, so this example may not be entirely realistic, but we can still grasp the size of a TLA as being monumental compared to that of the assignments that happen today.

As we can see from the previous example, Tier 1 Service Providers will have an extremely big set of address space to deal with. This will not only eliminate much of the politics surrounding address delegation and obtaining more address blocks, but will also provide motivation for major support and automation infrastructure upgrades within an organization. Many Service Providers today have difficulty in upgrading support structure due to the engrained functionality and interdependencies of many support platforms integrated together. IPv6 provides for great challenges and opportunities not only in network engineering and architecture, but also in IT development and integration. The trick will be making a move from the old to the new world look like a fresh start, rather than a workaround for support.

The Next Level Aggregator address block is a block of addresses that is assigned to a downstream out of a TLA block. We know that these addresses are to be aggregated as much as possible into bigger TLA blocks when they are exchanged between providers in the Internet core. Let us look at the benefits of this type of addressing structure from the NLA perspective. There are two main values in getting address space from a provider. The first advantage or value has to do with individual Backbone routing stability. If we are an NLA and wish to provide downstream service to our customers, we will most likely wish to provide the fullest, most robust service we can to our client base in order to retain current clients, and to gain market share. Perhaps we wish to allow customers to connect to us at multiple locations, as we are fairly geographically diverse for a given region, and have rich connectivity upstream to Internet Tier-1 (the core) providers.
Furthermore, we want to allow our customers to receive a full routing table should they desire one, if they want to use explicit routes to form their routing policy. Perhaps they wish to load-balance between two connections, using some destinations preferred through one connection, and the rest preferred through the other connection to us. To do this, we have to carry full routes in our Backbone, so we may pass them down to our customers. Though an Internet core is usually composed of very modern, robust routing equipment, a Tier-2 provider may not be able to afford to upgrade their Backbones constantly in order to keep up with new technology, as well as increased routing table size. Luckily, processing power is not as big of a worry as it could be with IPv6. Because the Internet core is fundamentally aggregated efficiently, we now have a much smaller routing table to maintain. We can provide full routes to a customer, and that set of routes may not be too big for us to handle. So by everyone "playing nice" and following aggregation strategies, we are able to reap the benefits of the core's minimized routing table size in our own Backbone.

The second benefit to NLA aggregation has to do with the actual route stability of our routes across the Internet core globally. A little background is needed in order to fully appreciate this point. In the beginning of the Internet explosion in size, there were times when the Internet was not very stable. BGP speakers would lose routes, due to Backbone links failing, immature software, and the like. Because of this, routes were constantly being advertised, and then withdrawn (when the route became unreachable), causing considerably more processing to take place on core routers, which are required to keep an up-to-date set of full Internet routes at all times. To combat this BGP instability, the concept of route dampening came into being. Essentially, route dampening works in the following way: Every time a route is withdrawn and readvertised, it is assigned a penalty, which is recorded at the place of instability (usually an EBGP session). The more the route flaps, the higher the penalty associated with that route gets.
W h e n the p e n a l t y a s s o c i a t e d with t h a t r o u t e r e a c h e s a c e r t a i n level, the r o u t e is w i t h d r a w n , a n d not a c c e p t e d for a d v e r t i s e m e n t for a given period of time. W h e n this h a p p e n s , the r o u t e is k n o w n as dampened. The d a m p e n e d r o u t e m u s t u n d e r g o s o m e period of wait time, w i t h o u t flapping m o r e (or the p e n a l t y gets even higher) before it c a n be r e - i n t r o d u c e d into a r o u t e r ' s BGP table. W h e n the r o u t e goes for a long e n o u g h period of time w i t h o u t flapping (the p e n a l t y d e c r e a s e s with time) t h e n the r o u t e is a g a i n allowed, a n d it is i n s e r t e d b a c k into the r o u t e r ' s BGP table, a n d t r e a t e d like o t h e r routes. This r o u t e d a m p e n i n g allowed a w a y for the I n t e r n e t core to deal with instabilities in a m a n n e r t h a t m i n i m i z e d the cost of o t h e r crucial processing. Now t h a t we u n d e r s t a n d r o u t e d a m p e n i n g , we c a n a p p r e c i a t e the s e c o n d benefit of aggregation. W h e n o u r u p s t r e a m provider
393
394
Chapter 9 *
IPv6 Addressing
aggregates this r o u t e for us, a n d only a n n o u n c e s the aggregate to t h e i r peers, this aggregate will in all likelihood r e m a i n stable, witho u t r e s p e c t to the stability of o u r own network. B e c a u s e of this, we are virtually c e r t a i n t h a t a n o t h e r provider will never d a m p e n o u r r o u t e s s o m e w h e r e else in the Internet. None of the m o r e specific r o u t e s t h a t we u s e n e e d be s p r e a d a c r o s s the I n t e r n e t core, o u t s i d e of o u r own u p s t r e a m provider. This improved r o u t i n g stability is a m a j o r benefit to aggregation as a whole, b o t h in IPv4, a n d in IPv6. The good p a r t is t h a t it is r e q u i r e d in IPv6, i n s t e a d of only being reco m m e n d e d . So now, the only place t h a t we m a y n e e d to w o r r y a b o u t being d a m p e n e d is w i t h i n o u r own u p s t r e a m provider's network. F o r t u n a t e l y , b e c a u s e in m o s t cases, we are paying for o u r u p s t r e a m connectivity, it is s u b s t a n t i a l l y easier to get o u r own u p s t r e a m provider to help u s to remove the p e n a l t i e s on d a m p e n e d r o u t e s t h a n it is with a n o t h e r provider, to w h o m we have no financial obligation. So as we c a n see, with the exception of m o r e a d d r e s s e s a n d s m a l l e r r o u t i n g table sizes, t h e r e are m o r e r a m i f i c a t i o n s of IPv6 aggregation s c h e m e s t h a n first m e e t the eye. The Site Level Aggregator enjoys m o s t of the benefits t h a t a n NLA does, except for its size. The Site Level Aggregator is u s u a l l y a netw o r k or n e t w o r k provider with a m u c h s m a l l e r network. B e c a u s e of this, a s m a l l e r delegation of a d d r e s s s p a c e is needed. 
It r e t a i n s t h e v a l u e s of aggregations, in t h a t its r o u t i n g t a b l e s are k e p t smaller, even w h e n receiving a full I n t e r n e t r o u t i n g table from its u p s t r e a m provider. It also enjoys t h e benefits of global r o u t e stability, in t h a t its u p s t r e a m providers, w h e t h e r a n NLA or a TLA, aggregate according to the principles of the IPv6 aggregations model.
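The route dampening mechanism described above (a penalty per flap, recorded at the EBGP session, decaying with time, with the route suppressed above one threshold and released below another) can be followed with a small model. This is an added example, not code from the book; the numbers are assumptions modelled on common router defaults (1000 points per flap, 15-minute half-life, suppress at 2000, reuse below 750), and the prefix is a constructed documentation prefix.

```python
"""Route-flap dampening penalty model for one prefix at one EBGP session.

Added example, not code from the book. Parameters are assumed values in
the style of common router defaults; a real router also caps how long a
route may stay suppressed, which this model leaves out.
"""
import math

FLAP_PENALTY = 1000       # points added per withdraw/readvertise cycle
HALF_LIFE_MIN = 15.0      # minutes for the penalty to halve
SUPPRESS_LIMIT = 2000     # penalty at or above this: route is dampened
REUSE_LIMIT = 750         # penalty below this: dampened route is released


class DampenedRoute:
    """Tracks the flap penalty for one prefix, as the receiving router would."""

    def __init__(self, prefix):
        self.prefix = prefix
        self.penalty = 0.0
        self.last_update = 0.0   # minutes
        self.suppressed = False

    def decay(self, now):
        """Exponentially decay the penalty up to time 'now' (in minutes)."""
        elapsed = now - self.last_update
        self.penalty *= math.pow(0.5, elapsed / HALF_LIFE_MIN)
        self.last_update = now
        # A dampened route is re-admitted once its penalty falls below the reuse limit.
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False

    def flap(self, now):
        """Record one withdraw/readvertise cycle at time 'now'."""
        self.decay(now)
        self.penalty += FLAP_PENALTY
        if self.penalty >= SUPPRESS_LIMIT:
            self.suppressed = True

    def is_advertised(self, now):
        """Would the router accept this route for advertisement at time 'now'?"""
        self.decay(now)
        return not self.suppressed


def simulate(flap_times, check_times):
    """Apply flaps at the given minutes; return {minute: advertised?} for each check time."""
    route = DampenedRoute("2001:db8:1::/48")   # constructed sample prefix
    events = sorted([(t, "flap") for t in flap_times] + [(t, "check") for t in check_times])
    result = {}
    for t, kind in events:
        if kind == "flap":
            route.flap(t)
        else:
            result[t] = route.is_advertised(t)
    return result


if __name__ == "__main__":
    # Three flaps in three minutes dampen the route; it is released about half an hour later.
    for minute, ok in simulate([0, 1, 2], [1.5, 3, 25, 35]).items():
        print(f"t={minute:5.1f} min  advertised={ok}")
```

Two quick flaps do not reach the suppress limit, the third does, and because the penalty only halves every 15 minutes the route stays out of the table for roughly half an hour even though it has stopped flapping. That is why the text stresses that a stable aggregate announced by the upstream, rather than our own specifics, is what the rest of the Internet should see.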
Simplified Host Addressing

As we have studied earlier, the IPv6 model defines 128 bits of address space. The first 64 bits are used for network numbering, and the last 64 bits are used for host numbering. We also remember that the last 64 bits of the host ID are obtained from the MAC address of the host's Network Interface. You may wonder how the 64-bit address is derived from a MAC address, which is classically only 48 bits. In this section we will look into how the address is derived, and what developments we may see in the future as a result of IPv6's addressing scheme.

When assigning a host in IPv4, by convention, one will break up the subnet given, and assign host addresses based upon the addresses that are available. Normally, again by convention, the first address is given to the designated router, and the rest of the addresses get assigned to hosts on that subnet, reserving the last address in the subnet for the broadcast address for that subnet. In IPv6, the situation changes somewhat. With IPv6, we know that the host ID is a 64-bit address that is obtained from the MAC address. Although the MAC addresses of today are classically 48 bits, we need a way to get the host ID to come out to 64 bits. The answer to this problem is to pad the MAC address with some well-defined set of bits that will be known by routing systems on that subnet. Today, we use the string 0xFF and 0xFE (:FF:FE: in IPv6 terms) to pad the MAC address between the company ID and the vendor-supplied ID of the MAC address (MAC addresses are delegated in much the same way as IP addresses today, except companies who make NIC cards are given a piece of MAC space, rather than providers being given IPv4 space). This way, every host will have a 64-bit host ID that is related to their MAC address in the same way. Furthermore, we know that the 64-bit MAC address will be unique on a given network, because every NIC card will have a unique MAC address. By using this well-defined padding, it now becomes possible to learn IPv6 addresses (or at least host IDs) of other machines on the subnet, simply by learning the Layer 2 MAC information.

One interesting debate is whether or not MAC addresses will need to become 64 bits in length prior to the widespread deployment of IPv6. If there is a need for MAC addresses to become longer (if all MAC addresses are used) then 64 bits will most likely be the next option for length, as this will supply over 1.8E019 more MAC addresses to use (2^64 - 2^48). Moreover, if this becomes the case, we may simply stop the padding of the MAC address, and use the full 64 bits of the MAC address for the Host ID. Now that we see where the Host ID comes from, let us now look into one of an administrator's favorite aspects of IPv6. Not only is the Host ID already determined prior to configuring an IPv6-speaking machine, but the network on which it resides can be deduced as well.
Simpler Autoconfiguration of Addresses

Now that we understand where the Host ID comes from, let us look at one of the newest inventions of IPv6, its ability to autoconfigure. Before we go into detail about autoconfiguration, a new type of address will have to be brought into our repertoire, the multicast address. A multicast address can be assigned to more than one machine simultaneously. It differs from an anycast address: anycast packets are routed to the destination (one of the set of machines with the same address) that is closest, but multicast packets are routed to all machines that are assigned this address. This is fundamentally different than a Globally Routable Unicast address, because more than one host can be numbered with the same address, so the address that a given host is assigned need not necessarily be unique for the given scope on which the multicast address is acting. All machines assigned this multicast address are said to be in a multicast group, whose address is the multicast address they use. Multicast-speaking machines send and receive data from more than one host (every member in that group). This type of addressing and routing classically has been used for 1 to N, or M to N type Internet transactions (when one or more people need to get identical information to more than one destination). Multicast provides the efficient means to do so.

Now that we understand the idea of multicast, if we unite this idea with the idea of Host ID coming from the hardware on a given machine, we can see how autoconfiguration is possible. When a machine first powers up onto a network, and realizes that it is connected and is supposed to speak IPv6, it will send a multicast packet - that is well known and defined by standard - out onto the LAN segment to which it is attached. This packet will be destined towards a locally-scoped (see earlier) multicast address, known as the Solicited Node Multicast address. When the router sees this packet come in, it can then reply with the network address from which the machine should be numbered, in the payload of the reply packet. The machine receives the packet, and in turn reads the network number that the router has sent. It then assigns itself an IPv6 address that consists of that network number, appending its Host ID (obtained from the MAC address of the interface that it connected to that subnet) to the network number, and it now has an IPv6 address. Not only does this not involve manual intervention by the administrator to configure this machine (though it may or may not involve manual configuration of the router on that subnet), but it also does not require any worry about the address being nonunique. The machine is guaranteed to have a unique address because the network number is assigned uniquely by the router on that network. The Host ID is unique because the MAC address of the interface by which that machine is attached is provided by the vendor and is unique. Furthermore, it can learn the default route that it needs in order to get off of that subnet, now that it has a routable address.

Notice the ease of configuration that we now have when we move from one network to another. Not only do we no longer have to reconfigure an end-station manually (and then reboot in most cases), we also no longer have to take time out of our network administrator's busy day for him to delegate an address in order to ensure its uniqueness. Also, the administrator no longer has to keep track of the addresses that he has assigned, and which ones are free at any given time! Certainly, this can be seen to save a network administrator much time, both in paperwork associated with keeping track of addresses used, and in reconfiguration that must occur for a network to be renumbered. Think of the things an administrator could be doing if he or she isn't constantly being hounded for IP addresses or network numbers! We will get into the concept of the multicast address, and its possible uses, in more detail in a later section. See Figure 9.10 for a graphical representation of autoconfiguration.
Figure 9.10 LAN discovery mechanism.
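The two sections above (the FF:FE padding that turns a 48-bit MAC address into a 64-bit Host ID, and the autoconfiguration step that appends that Host ID to the network number a router supplies, with the solicited-node multicast address as the locally-scoped destination) can be worked through end to end. This is an added example, not code from the book. It goes one step beyond the text: besides inserting FF:FE between the company ID and the vendor-supplied half of the MAC address, the standard form (RFC 4291, Appendix A) also inverts the universal/local bit, bit 7 of the first octet, and that is done here. The MAC address and the /64 network number are constructed sample values.

```python
"""Host ID from a MAC address, stateless address formation and the
solicited-node multicast address.

Added example, not code from the book.  The universal/local bit inversion
follows RFC 4291 Appendix A; the book's text describes only the FF:FE padding.
"""
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 host ID for a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Company ID (3 octets) + FF FE padding + vendor-supplied ID (3 octets).
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # invert the universal/local bit (RFC 4291 Appendix A)
    return bytes(eui64)


def form_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Append the host ID to the 64-bit network number the router handed out."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("a 64-bit host ID needs a /64 network number")
    host_id = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | host_id)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The address a host can build before any router has answered: fe80::/64 + host ID."""
    return form_address("fe80::/64", mac)


def solicited_node_address(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_address(addr: str) -> str:
    """Read the MAC address back out of an EUI-64-derived IPv6 address.

    This is the property the text points out: the host ID is a fixed
    transformation of the Layer 2 address, so either can be read off the other.
    """
    host_id = bytearray(int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:])
    if host_id[3:5] != b"\xff\xfe":
        raise ValueError("host ID does not carry the FF:FE padding")
    host_id[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in host_id[:3] + host_id[5:])


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"          # constructed sample MAC
    prefix = "2001:db8:1:2::/64"       # constructed router-announced network number
    full = str(form_address(prefix, mac))
    print("link-local     :", link_local_address(mac))
    print("autoconfigured :", full)
    print("solicited-node :", solicited_node_address(full))
    print("MAC recovered  :", mac_from_address(full))
```

Because the transformation is fixed and reversible, anyone who can see an autoconfigured address on the wire also knows the interface's MAC address, and anyone who knows the MAC addresses on a segment can predict the IPv6 host IDs; that is exactly the "learn addresses from Layer 2 information" property the text describes, and it is worth keeping in mind when deciding which address a host should present off-link.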
Improved Scalability of Multicast Routing

Now that we have studied unicast addressing, looked at the primary merits of multicast addressing, and discovered the potential of routing table size scalability on the Internet with IPv6, let us take a moment to discuss the multicast address in a little more detail. Multicast servers are perhaps the most misunderstood technology of today. Let's look into the concept of multicasting in general. In the beginning, the Internet was primarily a research network upon which research data flowed from one university to another. This was not big business, so congestion problems were tolerated, and the data that people were sending was not dated (because data didn't need to be received in real-time). Today, by contrast, businesses and consumers are using the Internet for a vast array of applications. More and more, we are seeing different types of media going over the Internet, whether it is stock quotes, phone calls, or even our favorite TV channel. We see the need for media to not only arrive quickly, but also to be sent to an increased audience. Even things such as newsgroups are getting information out to millions of people each day. This 1 to N transmission trend is bringing about a need for a new type of traffic sending, in which one person can send a piece of data to many people. In the past, if we wanted to send a piece of data to 10 friends, we would simply make 10 copies of that data, and send them to each person one at a time. However, as this type of transmission gains popularity, a scaling problem takes place. For instance, perhaps we have a video or a radio show that we wish to send out over the Internet. If we want to send this media to 10,000 people who all want to see this show in a fashion as close to realtime as possible, we run into a problem. Now in order to do so, we have to make sure that our upstream bandwidth is sufficient to handle up to 10,000 times the data rate of one transmission. We now must spend much more money in order to purchase this upstream bandwidth and satisfy our client base (our viewers or listeners).

Fortunately, the concept of multicast was conceived some time ago, and has been in a testing phase for quite some time. The concept of taking one piece of data, and sending it to many interested parties at once, efficiently, becomes quite a complex routing problem, especially if we become caught in the unicast paradigm we are all used to. The concept of multicast addresses this problem. In a multicast situation, we have a 1 to N (or M to N) relationship between the source and the destination. Instead of using a unicast address to designate that we are interested in receiving a given multicast feed, the concept of a multicast address is used. A multicast address, in IPv4, is usually referred to as a group address. This group address, when applied to a machine, or to an application on that machine, signifies that we are interested in listening to any data that is sent to that address. In IPv4, the address range from 224.0.0.0 through 239.255.255.255 is used to designate multicast group addresses. When someone wants to receive multicast feeds, they (temporarily or permanently, depending on the situation) address themselves with that address, and effectively listen for packets coming along that have that multicast address listed as a destination. The routing for multicast becomes rather complex, and is out of the scope of this book, but you are encouraged to read more about this. Good information can be found either in the Multicast Forum home page at http://www.ipmulticast.com, or in the IETF working groups regarding multicast. Some of the working groups you may wish to check out include the Mbone Deployment Working Group (www.ietf.org/html.charters/mboned-charter.html) or the Inter-Domain Multicast Routing Working Group (www.ietf.org/html.charters/idmr-charter.html). There are also a number of protocol-specific working groups currently active within the IETF, including the Multicast Source Discovery Protocol Working Group (MSDP) and the Protocol Independent Multicast Working Group (PIM). I leave it up to you to learn as much as you wish about the current updates to multicast routing in general.

For the purposes of this book, let us assume that multicast works, and will help save us bandwidth, since now we only need to send one stream out of our Internet connection, and the Backbone will reproduce it as seen fit to make sure it gets to all the interested destinations. IPv6 contains the concept of multicast scoping. One of the nice uses of multicast can be in a corporate network. Perhaps a memo needs to be sent to all employees' workstations at once, or a live videoconference from the CEO needs to be sent over the corporate network to all employees. In a corporate network, we want to save as much money as possible on bandwidth, while maintaining an efficient routing structure. Multicast buys us just that. However, in most cases, we only want multicast information (streams) to get to the places that are supposed to see them. We do not want the whole Internet to hear our CEO talk about our newest secret initiative to take over our competition! For this, IPv6 has built in the concept of
multicast scoping. With IPv6, we can designate certain multicast streams to be routed only within a certain area, and never to allow packets to get out of that area, for fear of who may see them. This scoping will be well known and understood by all routing entities, in order to ensure, through minimal configuration, that multicast data and multicast routes do not get outside the edges of the routing domain for which they are meant to exist. Figure 9.11 presents the multicast addressing format in a little detail.
Figure 9.11 IPv6 multicast address format.

|    8    |  4 |  4 |              112 bits               |
+---------+----+----+-------------------------------------+
|11111111 |flgs|scop|              group ID               |
+---------+----+----+-------------------------------------+
So as we can see, the multicast addressing architecture is a little different than that of the Globally Routable Unicast addressing format. Notice the first eight bits are all set to 1, which will allow a routing device to know immediately that the packet is multicast in nature, and subject to special handling associated with this packet type. The next four bits are used for flags. Currently, the first three bits in the flgs field are reserved, and undefined, so they should always be set to 0 (though you will find some implementers of protocols will use these bits fallaciously for some sort of proprietary signaling. This is fine, until the bits get standardized to something in the future, at which time incompatibilities arise). The fourth bit is known as the T bit (see RFC2460), and is used to decide whether the multicast address is a permanently assigned address (also known as well-known) or a temporary assignment (also known as transient). So this field will tell us if the multicast address being used is one that is standard (perhaps a group address used to contact all nodes within a given routing domain, for example) or a temporarily assigned address (perhaps the Monday night football game broadcast over the Internet). The next field is the one we are interested in here. The scope field will determine how far the multicast
packet can go, in what areas of a routing domain the packet can travel, and the group address that can be advertised. The scope field values are in Table 9.3.
Table 9.3 Scope Definitions

Value  Scope
0      reserved
1      node-local scope
2      link-local scope
3      (unassigned)
4      (unassigned)
5      site-local scope
6      (unassigned)
7      (unassigned)
8      organization-local scope
9      (unassigned)
A      (unassigned)
B      (unassigned)
C      (unassigned)
D      (unassigned)
E      global scope
F      reserved
Depending on how we assign our multicast address, we can control how far the multicast packets will travel, and how far the routing announcements associated with that multicast group will get advertised. For instance, if you would like to advertise a multicast session of your fish tank in your office, and you would like the whole world to see it, you would assign a scope of E (1110 in binary). However, if you want to set up a multicast group so you and your coworkers can have a video conference over the corporate network, you would want to make sure to give the address used a scope of 5 (0101 in binary), or 2 if everyone involved is on the same LAN as you (0010 in binary). See how this makes life a little easier
for controlling how far information gets propagated. Now, instead of relying on a Network Administrator to apply filters at the borders of each routing domain, we can rely on software (which generally is not susceptible to the same sort of random changes that networks are) to keep our traffic inside of the scope we want. This allows for privacy at a much easier level to implement. This is another benefit of IPv6. Not only are multicast boundaries well defined, they are also easy to maintain.
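The field layout of Figure 9.11 and the scope values of Table 9.3 can be turned into a decoder, together with the boundary decision the text describes (a router at the edge of a link, site or organization lets a group's packets out only if their scope is wider than that region). This is an added example, not code from the book; SCOPE_NAMES follows Table 9.3 as printed, the boundary rule is the text's own point written as a small policy function, and the sample addresses are constructed.

```python
"""Decode the IPv6 multicast address layout of Figure 9.11 and the scope
values of Table 9.3, then apply the scope as a forwarding boundary.

Added example, not code from the book.  The sample groups are constructed.
"""
import ipaddress

# Table 9.3 as printed; anything not listed is "(unassigned)".
SCOPE_NAMES = {
    0x0: "reserved",
    0x1: "node-local scope",
    0x2: "link-local scope",
    0x5: "site-local scope",
    0x8: "organization-local scope",
    0xE: "global scope",
    0xF: "reserved",
}

# Region a router boundary encloses -> the scope value that must stay inside it.
BOUNDARY_SCOPE = {"link": 0x2, "site": 0x5, "organization": 0x8}


def parse_multicast(addr: str) -> dict:
    """Split an IPv6 multicast address into its 8/4/4/112-bit fields."""
    a = int(ipaddress.IPv6Address(addr))
    if a >> 120 != 0xFF:
        raise ValueError(f"{addr}: first eight bits are not all 1, not a multicast address")
    flags = (a >> 116) & 0xF
    scope = (a >> 112) & 0xF
    return {
        "flags": flags,
        "reserved_flag_bits": flags >> 1,  # the three undefined bits, which should be 0
        "transient": bool(flags & 0x1),    # T bit: 0 = well-known, 1 = transient
        "scope": scope,
        "scope_name": SCOPE_NAMES.get(scope, "(unassigned)"),
        "group_id": a & ((1 << 112) - 1),
    }


def may_forward(addr: str, boundary: str) -> bool:
    """May a packet to this group cross the given boundary (link, site, organization)?

    Only groups whose scope is wider than the region the boundary encloses may
    leave it; node-local and link-local traffic never crosses a router at all.
    """
    info = parse_multicast(addr)
    return info["scope"] > BOUNDARY_SCOPE[boundary]


if __name__ == "__main__":
    for group in ("ff02::1", "ff15::abcd", "ff1e::1234"):   # constructed sample groups
        info = parse_multicast(group)
        kind = "transient" if info["transient"] else "well-known"
        crossings = {b: may_forward(group, b) for b in BOUNDARY_SCOPE}
        print(f"{group:12} {info['scope_name']:26} {kind:10} {crossings}")
```

The decoder makes the text's example concrete: the CEO's site-local conference group (scope 5) is forwarded between LANs inside the site but is stopped at the site boundary, while a global-scope group (scope E) passes every boundary. A router that implements exactly this rule needs no per-stream filter configuration, which is the administrative benefit the text is pointing to.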
The Anycast Address

IPv6 defines a new type of address, known as the anycast address. Although this form of address is deployed in a limited fashion in IPv4, IPv6 integrates this address type into its operations, which improves routing efficiency. In this section we will explore some of the characteristics of the anycast address in detail, and discuss some of the interesting applications of the anycast address in the IPv6 Internet of the future. An anycast address is an IPv6 address which is assigned to a group of one or more hosts that serve a common purpose or function. When packets are sent to the IPv6 anycast address, routing will dictate which member of the group receives the packet, via the closest machine to the source, as decided by the IGP (Interior Gateway Protocol: the routing protocol you use in your routing domain; e.g., RIP, EIGRP, IS-IS) of the network in question. In this way, it becomes possible to disperse functionality geographically across your network in a way that helps efficiency in two ways. This differs fundamentally with the multicast address. Although both the anycast and the multicast address are assigned to more than one host, the anycast address serves for data transmissions that are 1 to 1, whereas multicast addressing is used when a data transmission to multiple destinations is required. Let us look at the two main benefits of the anycast addressing scheme. First, if you are going to the closest machine in a group, and it is irrelevant which group member you exchange information with in the anycast group, you are usually saving time by communicating
with the closest (IGP-wise) group member. Second, when you are going to the closest anycast group member, you are saving bandwidth, because the amount of distance a packet has to travel is in most cases minimized by this approach. So not only do you save time with anycast, but you also save money (bandwidth IS money these days) with this approach. The anycast address does not have its own set of bits to define it, however; instead, anycast addressing is derived from either scoped or Globally Routable Unicast addresses. From the point of an IPv6-speaking machine, the anycast address is no different than a unicast address. The only difference is that there may be other machines that are also numbered with the same scope of unicast address, within the same region for which that scope is defined (for instance, you may have more than one machine with a Site Local anycast address within a given site).

Now that we understand the differences between anycast and multicast addresses, let us look into some possible uses of the anycast address. One nice application that anycast can help with is DNS (Domain Name Service). If we were to offer DNS to many people or customers, as in the case of most Tier-1 Service Providers today, we would need to build our DNS in a way that can handle a large number of queries from all parties for which we provide this service. Because of this, it is more efficient to deploy multiple DNS servers, and spread them out geographically. This will allow for fail-over, if one DNS server becomes unreachable due to network failures, and will also allow us to spread the load of our DNS service between these servers. However, we do not want to make our customers assign too many different IP addresses of DNS servers, as most people only use one or two. Also, we want some way for one or two IP addresses to be used for all of our service geographically, for the fail-over reason just stated. One way to do this would be to assign each DNS server that has identical configuration and authoritative information the SAME IP address. If we then inject routes to each of these DNS servers into our Backbone routing table, when someone wants to query our
DNS, the request will be sent to the geographically closest DNS server. This will allow us not only to split up the load between multiple DNS servers, but also will avoid backhauling DNS queries across our Backbone too much. So by this method of deployment, we are saving both time for our customers (DNS servers are close, so the data transmission takes less time), and money for ourselves (bandwidth = money for Service Providers). Because DNS is UDP-based, rather than TCP-based, transactions between DNS servers and end-stations are quick, short, and not tracked with sequencing, error checking, etc. When we want to resolve a host name, a packet is sent to the DNS server requesting the address associated with a given Internet Domain Name, and a response is sent back with the answer. This makes the anycast-addressing model viable for this type of application. For more information on this specific type of deployment, you can read draft-catalone-rockell-hadns-00.txt.
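The anycast DNS deployment just described (several servers sharing one address, each injecting a route for it, the IGP delivering a query to the nearest one, and the others taking over when one withdraws) can be simulated on a small topology. This is an added example, not code from the book; the router names, link costs and the anycast address are constructed, and "closest" is computed with Dijkstra over the link costs, standing in for whichever IGP (RIP, EIGRP, IS-IS) the network actually runs.

```python
"""Anycast selection by IGP distance, with fail-over, on a constructed backbone.

Added example, not code from the book.  Router names, link costs and the
anycast address below are all constructed sample values.
"""
import heapq

# Constructed backbone: router -> {neighbour: IGP link cost}.
LINKS = {
    "pop-east":  {"core-1": 10},
    "pop-west":  {"core-2": 10},
    "pop-south": {"core-1": 30, "core-2": 25},
    "core-1":    {"pop-east": 10, "pop-south": 30, "core-2": 40},
    "core-2":    {"pop-west": 10, "pop-south": 25, "core-1": 40},
}

# One address for the whole DNS service, injected by every router with a server attached.
DNS_ANYCAST = "2001:db8:ffff::53"                  # constructed
DNS_SERVERS = {"pop-east": "dns-east", "pop-west": "dns-west"}


def shortest_paths(source, links):
    """Dijkstra: IGP distance from 'source' to every reachable router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in links.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def resolve_anycast(client_router, servers, links=LINKS):
    """Which server a query sent to DNS_ANYCAST from 'client_router' reaches, and at what cost.

    Every router in 'servers' originates the same route, so the IGP picks the
    origin with the lowest metric.  Returns None when no server is reachable.
    """
    dist = shortest_paths(client_router, links)
    reachable = [(dist[r], r) for r in servers if r in dist]
    if not reachable:
        return None
    cost, router = min(reachable)
    return servers[router], cost


def with_server_withdrawn(servers, router):
    """A failed server stops injecting the anycast route; the rest keep answering."""
    return {r: s for r, s in servers.items() if r != router}


if __name__ == "__main__":
    for client in ("pop-east", "core-1", "pop-south"):
        print(f"{client:10} -> {resolve_anycast(client, DNS_SERVERS)}")
    remaining = with_server_withdrawn(DNS_SERVERS, "pop-west")
    print("after dns-west withdraws, pop-south ->", resolve_anycast("pop-south", remaining))
```

The point to notice is that the client never learns that there are two servers, nor which one answered: the same address is configured everywhere, and the routing table does the selection and the fail-over. That also means the servers must really be interchangeable (identical zone data and configuration), as the text requires, since a query can land on any of them.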
The Need for Further Development

Although IPv6 does in fact present many new and useful ideas aimed at increased efficiency and ease of routing and configuration, the work that is needed prior to native IPv6 deployment on the Internet is not done. In this section, we will look at one current issue that is gaining increased attention from the IETF working group IPNGWG (Internet Protocol, Next-Generation Working Group; see http://www.ietf.org/html.charters/IPngwg-charter.html for the working group's charter and the current status of its goals and how close they are to reaching them).
The Multihoming Problem

Now that we have basic familiarity with how IPv6 addressing and routing work, let us look at one of the potential problems associated with IPv6 routing. We know from earlier in this chapter that Tier 1 Service Providers will be given large chunks of address space, from which they will delegate smaller pieces of that space to their customers to number their own networks. We also know that fundamental to IPv6 is the concept of firm route aggregation, by which a Tier 1 Service Provider announces only the aggregate of its space to its other Tier 1 peers. This keeps the routing table small compared to what it could be without aggregation, and keeps route stability at a maximum, since changes in a small part of one's network need not withdraw routes globally. (Without aggregation, a prefix that flaps during a failure can be subjected to route dampening, so reachability suffers even after the failure has been corrected.) However, what do we do when a smaller network, such as an ISP or a business, buys Internet connectivity through multiple providers? Classically, in IPv4, the way to do this is to run BGP from that ISP or business to its upstreams, announcing the IP space obtained from one of the providers to both upstream providers. These announcements in turn need to be announced everywhere in order for the Network Administrators of this small ISP or business to retain the ability to load-share inbound over both of these Internet connections. So the subnet that was delegated now has to be accepted into the global route table. With IPv6, this violates the fundamental principles regarding aggregation. If we take the IPv4 scenario listed earlier in the chapter and substitute IPv6 addresses, we are left with identical problems. Not only will the Service Provider that delegated the address block to the customer need to allow the smaller block to be announced by its customer and heard through its peer (the provider through which the customer also buys connectivity), but it will also have to export the more-specific route to all of its peers, so that they do not automatically choose the other provider (from whom the address block was not delegated) as the best path to the customer: a more-specific advertisement always wins longest-prefix matching over the aggregate. Both the IPNGWG and the NGTRANSWG (Next-Generation TRANSition Working Group) are looking into this problem. At the time of this writing, there are a couple of proposed solutions, but each of them presents other interesting dilemmas as well.

The first proposed solution to this problem is now written as an RFC (RFC 2260). This approach, summed up, is to follow the aggregation principles outlined previously in the chapter until such time as a network failure occurs.
When everything is working, the border router to upstream 1 sends only the prefix delegated by upstream 1 to upstream 1, and conversely, the border router that connects to upstream 2 announces only the prefix that upstream 2 has delegated, up to upstream 2. When a failure occurs, however, the border router that does not have a failure announces both prefixes up to the upstream that is still working. When the connectivity failure is fixed, the illegal prefix is withdrawn and the situation returns to normal. Although this proposal has merit, since it allows fail-over for a downstream that is multihomed and assigns addresses in its network from both providers, it does present some management problems for the upstream provider. If the upstream provider has a sound routing policy towards its downstream customers, this usually includes a filter on the BGP session to that downstream that allows only the routes the upstream expects to hear from that customer. Now the upstream would have to allow both the route it has delegated and the route that the other upstream provider has delegated to its customer. Furthermore, the upstream provider that receives both prefixes has no way of knowing when, or even if, a network failure has occurred between its downstream customer and the other provider. Nor does the upstream provider have any way of determining when the downstream customer's other provider connection has been fixed and the route should be withdrawn. The only way to know would be to rely on the downstream customer to have its configuration done correctly, so that it does not announce both routes when everything works, and to run a software implementation capable of automatically withdrawing the illegal route when the problem is fixed. A downstream customer in this case could easily misconfigure its outbound policy to announce both routes illegally, even when there is no failure. So in summary, although this proposal does have merit, the implementation specifics are not nearly as controllable as an upstream provider would like.

The second proposal, which is currently in use in the 6Bone IPv6 test network, is to assign each multihomed host an address for each upstream connection, and therefore for each IPv6 delegation, that the downstream customer has.
For instance, if you are delegated two prefixes, one from Provider A and one from Provider B, then each machine that wishes to use the benefits of multihoming would need to be assigned an address from each of the delegations received from Provider A and Provider B (let us call these delegations Prefix A and Prefix B). So each host now has two Globally Routable Unicast addresses, one from Prefix A and one from Prefix B. Then, each border router that speaks with an upstream provider announces only the prefix delegated by that provider, and the routing is stable. In theory, if there is a network failure and one provider becomes unreachable, then machines that were using the address associated with that provider can switch over to the address associated with the other provider, and connectivity is re-established. This solution comes with its own host of problems. First, this approach is not optimal when it comes to efficient delegation of IPv6 address space: each network with N upstream providers will have N addresses assigned per host. Furthermore, and perhaps more important, TCP does not currently allow an address to change in the middle of a TCP session, because a connection is identified by its source and destination addresses and ports. The only solution is to adjust TCP to allow for this, which in itself seems easy, but the ramifications are far more than meet the eye. Most TCP applications are built in such a way that modifications of TCP would require modifications of the application. This could mean drastic reworking of current network software. Also, current operating systems themselves may need overhauling in order to switch source addresses dynamically when a network becomes unreachable. How does a source know that a network failure has occurred in the right place? What if the destination had a problem? How would the source know whether switching IPv6 source addresses would fix the problem? All of these factors lead us to believe that this is not a viable long-term solution either. So as you can see, multihoming with IPv6 still needs some work. It is currently of top priority in the IETF working group IPNGWG. Hopefully, their work will produce a solution that is both scalable and able to accommodate the problems associated with either of the previous proposals. Stay tuned to this one!
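The multihoming problem and the RFC 2260 work-around discussed above, as an added example (Python; not code from the book): it models what the customer's two border routers announce when both links are up and when one fails, the upstream's inbound prefix filter that only permits the expected prefix, and the longest-prefix-match decision a distant Tier 1 peer makes. The provider aggregates 2001:db8:a000::/36 and 2001:db8:b000::/36 and the customer /48s delegated from each are hypothetical documentation-range prefixes.

```python
"""Model of the IPv6 multihoming problem and the RFC 2260 work-around
discussed above (constructed example, not from the book). All prefixes are
from the documentation range and are hypothetical."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv6Network
Route = Tuple[IPNet, str]          # (prefix, next-hop provider)

PROVIDER_A_AGG = IPNet("2001:db8:a000::/36")   # Provider A's aggregate
PROVIDER_B_AGG = IPNet("2001:db8:b000::/36")   # Provider B's aggregate
PREFIX_A = IPNet("2001:db8:a00f::/48")         # delegated to the customer by A
PREFIX_B = IPNet("2001:db8:b00f::/48")         # delegated to the customer by B


def customer_announcements(link_a_up: bool, link_b_up: bool) -> Dict[str, List[IPNet]]:
    """What the customer's two border routers announce under RFC 2260 rules:
    each upstream normally hears only the prefix it delegated; when one link
    fails, the surviving border router also announces the other provider's
    prefix (the 'illegal' more-specific)."""
    out: Dict[str, List[IPNet]] = {"A": [], "B": []}
    if link_a_up:
        out["A"].append(PREFIX_A)
        if not link_b_up:
            out["A"].append(PREFIX_B)
    if link_b_up:
        out["B"].append(PREFIX_B)
        if not link_a_up:
            out["B"].append(PREFIX_A)
    return out


def inbound_filter(announced: List[IPNet], permitted: List[IPNet]) -> List[IPNet]:
    """Upstream's prefix filter on the BGP session to the customer: only
    exact prefixes on the permit list are accepted, everything else is dropped."""
    return [p for p in announced if p in permitted]


def best_route(rib: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over a routing table; returns the next hop."""
    addr = ipaddress.IPv6Address(dst)
    matches = [(net, nh) for net, nh in rib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def peer_rib(a_exports_specific: bool, accepted_by_a: List[IPNet]) -> List[Route]:
    """Routing table of a third-party Tier 1 peer. It always hears both
    aggregates; whether it also hears the customer's more-specific via A
    depends on A's export policy towards its peers."""
    rib: List[Route] = [(PROVIDER_A_AGG, "A"), (PROVIDER_B_AGG, "B")]
    if a_exports_specific:
        rib += [(p, "A") for p in accepted_by_a]
    return rib


def simulate(link_b_up: bool, strict_filter: bool, a_exports_specific: bool) -> Optional[str]:
    """Next hop a distant peer uses to reach a host numbered out of Prefix B
    (2001:db8:b00f::1) under the given upstream-A policy. Returns 'blackhole'
    when traffic is sent to B although B has lost its link to the customer."""
    ann = customer_announcements(link_a_up=True, link_b_up=link_b_up)
    permitted = [PREFIX_A] if strict_filter else [PREFIX_A, PREFIX_B]
    accepted = inbound_filter(ann["A"], permitted)
    rib = peer_rib(a_exports_specific, accepted)
    nh = best_route(rib, "2001:db8:b00f::1")
    if nh == "B" and not link_b_up:
        return "blackhole"
    return nh


if __name__ == "__main__":
    print("normal operation:", simulate(True, True, False))
    print("B down, A filters strictly:", simulate(False, True, True))
    print("B down, A accepts but does not export:", simulate(False, False, False))
    print("B down, A accepts and exports to peers:", simulate(False, False, True))
```

The four runs show the three ways the work-around can fail before it succeeds: with the upstream's normal strict filter the fail-over announcement is silently dropped; if the upstream relaxes the filter but keeps its aggregation-only export policy, peers still follow Provider B's aggregate into a black hole; only when Provider A both accepts the foreign /48 and leaks it to every peer does the more-specific win longest-prefix matching, which is exactly the de-aggregation the text says IPv6 was designed to avoid.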
The 6Bone

Now that we have the basis for understanding elementary IPv6 addressing and routing, let us look into current IPv6 deployment, and its successes and shortcomings. The primary example of IPv6 deployment is the IETF Next-Generation Transition Working Group (NGTRANSWG) 6Bone. The 6Bone is a network of IPv6-speaking entities interconnected over the classical IPv4 Internet. It consists of both native networks (where IPv6 is running without being tunneled through another Layer 3 protocol) and IPv4 tunnels between different IPv6-speaking entities. The purpose of this network is twofold. The first reason for the 6Bone is to give implementers a means to test their IPv6 implementations in a large network where other vendors have deployed their own IPv6 implementations. This ensures that IPv6 implementations are interoperable, and lets protocol developers make sure that the protocol specifications are specific enough to allow implementers to develop IPv6-speaking machines without ambiguity. The second reason for the 6Bone is to give network operators a chance to design networks and get their feet wet with the new protocol. It also allows operators to uncover any problems with the IPv6 protocol (such as the multihoming problems above) that may have been missed or underappreciated during the protocol's conception. Although the fathers of the IPv6 protocol were extremely meticulous in the protocol's design, it never hurts to get the new technology running on a live network somewhere prior to implementation on a grand scale. The 6Bone helps to work all of the details out, and to test new features prior to deployment, in a cooperative, multinational fashion. It follows all routing practices as defined by the IETF. For the most current IPv6 routing practices on the 6Bone, see www.ietf.org/internet-drafts/draft-ietf-ngtrans-harden-02.txt. (Note: This is an Internet draft. At the time of this writing it is in the last-call stage for RFC; it was subsequently published as RFC 2772, "6Bone Backbone Routing Guidelines".) For more information on the 6Bone, please see http://www.6bone.net.
Summary

We can see that IPv6 provides many of the presently needed improvements in the Internet. Not only does it solve the address depletion problems of today's IPv4, but it also makes for a more scalable Internet core, which can help improve the routing efficiency of the Internet as a whole. By allowing for 128 bits of address, we can see that there is adequate address space for the future. By then aggregating this address space in an efficient manner, we may establish a firm upper limit on routing table size in the Internet core. This, in turn, can help us build an Internet to take us into the future. Although the two primary problems of the Internet can be solved with IPv6, the protocol improvements do not stop there. Also built into the IPv6 protocol are means for hop-by-hop routing, authentication of packets, encrypted packets, tag switching, Quality of Service, and other things to make the protocol more versatile than its grandfather, IPv4. Furthermore, IPv6 has built into it the ability to use multicast and unicast routing in a manner such that boundaries can easily be scoped to ensure that data does not get to places where it is not allowed. IPv6 also introduces the use of an anycast address, for applications that may be serviced by multiple machines but require distribution of these services in a scalable manner. We can also see that IPv6 is already in testing, and is starting into production in some areas, connected via the 6Bone. This virtual backbone will provide for testing of both IPv6 implementations and the protocol itself. Clearly, IPv6 is getting more and more attention, and is looking like a promising aspect for the future of the Internet.
Q: Where do I get an IPv6 address?

A: IPv6 addresses are delegated by the providers who have them. When you join the 6Bone or any other IPv6 network, your upstream provider is responsible for providing you with adequate IPv6 address space to take care of your needs.
Q: Where do I get the IPv6 protocol specifications for more details?

A: All protocol specifications are in the form of IETF RFCs (Requests for Comments). These can be found at www.ietf.org; there is a search engine where you can pull up all current IPv6 RFCs and Internet drafts.
Chapter 10
The IPv6 Header
Introduction

IPv4 has served us well in the past; however, some design decisions made a couple of decades ago have many shortcomings for supporting current and future networking. IPv6 is the new IP protocol designed to meet the requirements for supporting future-generation networking, while interoperating with the current IPv4. With the growing popularity of internetworking, it has become apparent that the number of nodes in the Internet will outgrow the 32-bit address space used in IPv4. Further, as the number of addressable nodes increases, the size of the routing table is likely to grow. A larger routing table degrades the performance of the IP network; this, and the shortage of address space, are the primary concerns for continued use of IPv4. These concerns raised the need for a new IP protocol, IPv6. In addition to solving these problems, several other features have been incorporated in the design of IPv6 to enhance the IP network. Advances in hardware technology have resulted in the development of new applications, which may need special provisioning when deployed over the network. However, the connectionless, on-demand nature of IPv4 does not lend itself well to per-connection-based support. The design of IPv6 includes flow labeling for providing per-connection-based support. For continued success of IP internetworking, the use of the IP network should be plug-and-play, similar to the use of a telephone system. To achieve the plug-and-play concept in the IP network, configuration of an IP node should be simple, if not automatic. Even with continued autoconfiguration efforts such as the Dynamic Host Configuration Protocol, configuration of an IPv4 node has been nontrivial so far. IPv6 has been designed to better support autoconfiguration of IPv6 nodes. In recent years, the use of the Internet by many businesses has increased drastically, and e-commerce has also gained popularity. It is necessary to implement security features in internetworking. Support for these security features is mandatory in IPv6, making an IPv6 network more suitable for meeting security requirements. Most importantly, the design of IPv6 has provided for the transition from IPv4 to IPv6. This transition cannot occur overnight; therefore, IPv6 has been designed with the assumption that the IPv4 network will coexist with the IPv6 network for a long time, if not indefinitely. Many design decisions are in place for interoperability with IPv4 nodes. A lot of investment has been made in the current infrastructure of IPv4 networks. Without the ability to communicate with the existing network, no new protocol is likely to replace the current internetworking infrastructure successfully, regardless of its benefits. The design of IPv6 has stemmed from the limitations of what IPv4 offers, and from lessons learned in IPv4. First, this chapter covers the changes from IPv4 to IPv6. Expanded addressing, a simplified header, improved extension and option support, flow labeling capability, and authentication and privacy capability summarize these changes. The first three changes are due to modifications to the bases of IPv4 technology, such as using a 128-bit address size instead of 32-bit, not allowing intermediate routers to perform fragmentation, or embedding optional information in extension headers instead of including it in the IP header. The latter two changes include additional functionality incorporated into the design of IPv6 to satisfy the network support that current and near-future applications demand. This chapter also covers the format of the IPv6 header and extension headers. The fields in the IPv6 header are discussed and compared to those in the IPv4 header. The formats of extension headers are provided, along with an example usage of each extension header. Finally, upper-layer protocol issues imposed by the use of IPv6 are covered.
Expanded Addressing

IPv4 uses 32-bit addresses, which can potentially address up to 2^32 nodes. However, the combination of the network and local address hierarchy and the reserved address space for special handling, such as loopback and broadcast, reduces the number of addressable nodes. At the same time, the exponential growth of computer networks in recent years indicates that the number of addressable nodes will outgrow 32-bit addresses. Furthermore, the network and local address hierarchy in the IPv4 address architecture leads to inefficient use of address space. For instance, an organization that needs far fewer than 2^16 hosts but more than 2^8 hosts may waste much usable address space when using a 2-octet network address and a 2-octet local address. Despite the inefficiency of the network address hierarchy, a flat network address (e.g., a sequential address assignment) is not realistic, since network operations such as routing would be impossible. When using a sequential address assignment, the size of routing tables would be unmanageable and routing would become a slow process because of the amount of data that needs to be scanned. The IPv6 address size has been increased to 128 bits. The advantages of this increase are, one, more addressable nodes, and two, the ability to support more levels of addressing hierarchy. Better addressing hierarchy leads to more efficient network operations and network scaling. As more networks are added, the size of the routing table increases, and the routing process takes longer. Careful planning of the addressing hierarchy can limit the growth of the routing table while routing packets efficiently. An organizational change often means configuration changes at each node that is affected. For instance, when an organization obtains a new Internet Service Provider (most often a network address change), each node in this organization must be reconfigured to reflect this. However, despite continuous efforts at developing autoconfiguration mechanisms such as the Dynamic Host Configuration Protocol, the reconfiguration process often needs to be done manually. The larger address space can support autoconfiguration better. In addition to the increased address size, IPv6 has eliminated the broadcast address and added the notion of an anycast address, which can be used to send a packet to any one of a group of nodes.
Simplified Header

IPv6 has evolved from IPv4 technology; experience learned from IPv4 is reflected in the design of IPv6. The length of the IPv4 header varies between 20 and 60 bytes, and there are 11 fields within the first 20 bytes of the IPv4 header. The complexity of IPv4 can lead to inefficient router operations. By employing a simpler header, 8 fields in 40 bytes and a fixed header length, IPv6 can enhance the performance of routers. Several fields in the IPv4 header have been either removed or moved into extension headers. Since options are embedded in extension headers, the length of the IPv6 header is no longer variable, thus eliminating the need for the Header Length field in the IPv6 header. In IPv6, only the source node can perform fragmentation; therefore, the information necessary for fragmentation and reassembly is removed from the IP header. Since the upper-layer protocol, such as TCP or UDP, calculates a checksum that covers the payload and a pseudo-header containing the IP addresses, the Checksum field can also be removed from the IP header. (For this reason the UDP checksum, optional in IPv4, is mandatory in IPv6.)
Improved Support for Extension and Option

Since the total length of the IPv4 header is variable, the Header Length field is used to indicate its length. The number of bits in this field, 4 bits, determines the maximum length of the IPv4 header. In particular, 60 bytes is the largest size of the IPv4 header, since this field specifies the header length in 4-octet units (15 x 4). Since the fixed portion of the IPv4 header is 20 bytes long, this places a stringent limit of 40 bytes on the length of options.
Flow and Flow Labeling

IPv4 was designed to be connectionless (or stateless); in other words, each packet belonging to the same session is routed independently, and two packets from the same session may arrive at the destination via different paths. This approach works well over error-prone networks, such as those of the time when IPv4 was being developed. There is a cost associated with this, however: processing each packet at every hop adds to the delay, and it is not trivial to provide special services for a communication between a selected source and destination. With technological advances in networking, network failures, especially hardware failures, have been drastically reduced in recent years. Also, new applications are more tolerant of errors, but more sensitive to fluctuations in delay. It is inevitable that networks must support such applications. In the design of IPv6, the notion of a flow has been incorporated in order to facilitate special handling of data belonging to an application with special requirements. RFC 1883 defines a flow as a sequence of packets sent from a particular source to a particular destination for which the source desires special handling by the intervening routers. IPv6 provides a framework for easier per-flow handling. A video application, which may have strict requirements on the maximum delay variation, may take advantage of flows and flow labeling in IPv6. The application marks each packet with a flow label, and routers on the path remember the state of packet transmissions on this flow. This state information helps a router determine which packet to service next. A router may service the packet that has the largest elapsed time since the previous packet in its flow, for instance.
Authentication and Privacy

No real security features were incorporated into the design of IPv4. However, the wide use of IP networks by the general public has led to the use of computer networks as a means of conducting various kinds of business. Thus, it is natural for the design of IPv6 to provide the necessary security measures. RFC 2401 defines the security architecture for the IP network, and IPv6 uses the Authentication Header and Encapsulating Security Payload extension headers to implement these features. Both the Authentication Header and the Encapsulating Security Payload can be applied either end-to-end, between the source and destination of the packet, or between two security gateways. The former mode of operation is called Transport Mode and the latter is referred to as Tunnel Mode. When used in transport mode, the source and destination of a packet are the sender and receiver of the Authentication Header, respectively. When used in tunnel mode, however, the security gateway on the source side of a packet is the sender of the Authentication Header, and the security gateway on the destination side of this packet is the receiver of the Authentication Header. The sender calculates a secure message digest over the packet (a keyed hash, so that only a party holding the shared key can produce it; fields that legitimately change in transit, such as the Hop Limit, are excluded from the calculation) and places it in the Authentication Header. The receiver recalculates it and compares it to the value provided in the Authentication Header. When these values differ, the packet has been modified in transit, whether by corruption or by an attacker, and it is discarded. Using the Encapsulating Security Payload, the payload of a packet may be encrypted, or the entire IP packet may be encrypted in tunnel mode via security gateways. When encrypted in tunnel mode, the real source and destination and some IP header information are hidden from observers on the path, which makes it more secure.
IPv6 Header

The IPv6 header is fixed in length and aligned on an 8-octet boundary, unlike the IPv4 header, which is variable-length and aligned on a 4-octet boundary. Most modern computer architectures are optimized to read 8 octets at a time. Thus, the length of the IPv6 header and of the extension headers is designed to be a multiple of 8 octets for 8-octet alignment. With a fixed IPv6 header, a router can process a packet efficiently. For instance, a router must decide whether there are any options in an IPv4 packet by reading the Header Length field. Processing a variable-length header leads to inefficient router implementation. The changes from the IPv4 header to the IPv6 header will be covered in the subsequent section. In this section, each field in the IPv6 header and its intended role is described. Figure 10.1 shows the format of an IPv6 header. The IPv6 header stores the information necessary to route and deliver packets to their destination. The header is processed by each node along the path. The first 4-bit field, version, indicates the version of the Internet Protocol being used, and its value is 6 for IPv6. This field is necessary because it allows both protocols to coexist on the same segment without conflicts. The next two fields, traffic class and flow label, are used to provide differentiated services and to support applications requiring special per-flow handling. The 8-bit traffic class field can be used to provide differentiated services based on the nature of the data being transmitted. This field is similar to the intended use of the type of service field in the IPv4 header. For instance, an organization may set up its network to prioritize network traffic based on applications, source and destination information, etc., and hosts and/or routers use the traffic class field to differentiate the priority. At the time of this writing the values and the exact use of this field were yet to be determined (RFC 2474 has since defined it as the Differentiated Services field). The 20-bit flow label, in combination with the source and destination addresses, can uniquely identify a flow that requires special handling by intermediate routers. When a router identifies a flow for the first time, it remembers the flow and any special handling this flow requires. Once per-flow handling has been set up, the processing of subsequent packets belonging to this flow can be shorter than processing individual packets. The 16-bit payload length field, similar to the total length field in the IPv4 header, indicates the length of the packet following the fixed IPv6 header (extension headers included), not including the 40 bytes of the IPv6 header itself. The 8-bit next header field indicates the header following the IPv6 header, either an extension header or the upper-layer protocol. The intended use of this field is identical to the use of the protocol field in the IPv4 header, and it uses the same values. The 8-bit hop limit limits the number of intermediate hops a packet is allowed to visit, which prevents packets from being routed in a loop forever: each router decrements it and discards the packet when it reaches zero. In IPv4, the time to live field has been used to prevent packets from being routed circularly. The name of this field has been chosen to reflect its purpose accurately. As in IPv4 headers, IPv6 headers contain source and destination IP addresses. Unlike IPv4 nodes, IPv6 nodes use 128-bit addresses.
Figure 10.1 IPv6 header.

Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
Source IP Address (128 bits)
Destination IP Address (128 bits)
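To make the field layout of Figure 10.1 concrete, here is an added example (not code from the book) that packs and parses the fixed 40-octet header with Python's struct module and applies the hop-limit decrement a router performs; the addresses and field values are constructed.

```python
import struct
from ipaddress import IPv6Address

# Added example, not from the book: the fixed 40-octet IPv6 header of Figure 10.1.
IPV6_HEADER_LEN = 40

def pack_ipv6_header(traffic_class, flow_label, payload_length, next_header,
                     hop_limit, src, dst):
    """Build the 40-octet IPv6 header; the Version field is always 6."""
    if not 0 <= traffic_class <= 0xFF or not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("traffic class is 8 bits, flow label is 20 bits")
    if not 0 <= payload_length <= 0xFFFF:
        raise ValueError("payload length is 16 bits")
    # First 32-bit word: 4-bit version | 8-bit traffic class | 20-bit flow label
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", first_word, payload_length, next_header,
                       hop_limit, IPv6Address(src).packed, IPv6Address(dst).packed)

def parse_ipv6_header(data):
    """Split a packet into its IPv6 header fields and the payload they describe."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit, src, dst = struct.unpack(
        "!IHBB16s16s", data[:IPV6_HEADER_LEN])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    fields = {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(IPv6Address(src)),
        "dst": str(IPv6Address(dst)),
    }
    payload = data[IPV6_HEADER_LEN:]
    # Payload Length counts everything after the fixed header, extension headers included
    if len(payload) < payload_length:
        raise ValueError("packet is shorter than its Payload Length claims")
    return fields, payload[:payload_length]

def forward(packet):
    """Per-hop handling: decrement Hop Limit; return None when the packet must be dropped
    (a real router would also send an ICMPv6 Time Exceeded to the source)."""
    fields, _ = parse_ipv6_header(packet)
    if fields["hop_limit"] <= 1:
        return None
    # Hop Limit is the 8th octet (offset 7) of the header
    return packet[:7] + bytes([fields["hop_limit"] - 1]) + packet[8:]
```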
IPv4 Header

Figure 10.2 illustrates the format of an IPv4 header. The first 4-bit version field in the IPv4 header is used to indicate the current version of the Internet Protocol (IP) being used. The same field is used in the IPv6 header and is necessary in order to make IPv6 backward-compatible. The 4-bit header length field is necessary for the IPv4 header to indicate the length of the header, since the total length of the IPv4 header varies between 20 and 64 bytes, depending on the presence and the length of options in the option field. However, this field is not necessary in an IPv6 header, because an IPv6 header has a fixed length of 40 bytes. The intent of the type of service field in IPv4 is similar to that of the traffic class field in the IPv6 header. Nevertheless, this field has not been widely accepted and used in IPv4 implementations. Next, two fields in the IPv4 header, flags and fragmentation offset, are both related to the handling of fragmentation and the reassembly of packets in IPv4. In IPv4, an intermediate hop may further fragment a packet when the maximum transfer unit (MTU) on the outgoing link is smaller than the size of the packet that is to be transmitted on that link. Unlike IPv4, in IPv6, fragmentation processing takes place only at the source node, using a path MTU. Further, information related to fragmentation is encoded in the Fragmentation header, an extension header in an IPv6 packet. Therefore, the identification, flags, and fragmentation offset fields are not necessary in the IPv6 header.

Figure 10.2 IPv4 header.

In the original design of IPv4, the time to live field is used to indicate the number of seconds a packet may live in a network, thus preventing packets from being circularly routed if a circular route exists in the network. However, in implementations, this field is used to limit the number of hops the packet is allowed to visit. At each hop, a router decrements this field, and when the field reaches 0, the packet is removed from the network. In IPv6, this field is renamed hop limit, a more accurate description of the implementation. The protocol field, which is used to indicate the next protocol (header) following the IPv4 header, is similar to the Next Header field in the IPv6 header.
The header checksum field is used to maintain the integrity of the IPv4 header. However, the higher layer calculates a checksum again over the entire packet, thus making this field redundant. Therefore, this field is not used in the IPv6 header. If applications require a higher degree of integrity, they can achieve it through appropriate use of the Authentication Header and Encapsulating Security Payload extension headers. The source and destination fields in the IPv4 header remain the same in IPv6, except that IPv4 node addresses are 32 bits and IPv6 node addresses are 128 bits. The use of options in IPv4 implies that each intermediate node in the path needs to examine the option field in the IPv4 header, although the options may be pertinent only to the destination node. This leads to inefficient router performance when options are used. In IPv6, optional information is encoded in extension headers.

Extension Headers

Extension headers, placed between the IPv6 header and the upper-layer protocol header, such as a TCP header, are used to carry optional Internet-layer information in a packet. An IPv6 packet may carry zero, one, or more extension headers. The Next Header field in the IPv6 header and in each extension header is used to indicate which extension header or upper-layer protocol header follows the current header.
Table 10.1 Next Header Values

Next Header Value   Next Header
0                   Hop-by-Hop Options header
4                   Internet Protocol
6                   Transmission Control Protocol
17                  User Datagram Protocol
43                  Routing header
44                  Fragment header
45                  Inter-Domain Routing Protocol
46                  Resource Reservation Protocol
50                  Encapsulating Security Payload
51                  Authentication header
58                  Internet Control Message Protocol
59                  No next header
60                  Destination Options header
When a TCP header immediately follows an IPv6 header without an extension header, the value of the Next Header field in the IPv6 header indicates that the following header is a TCP header. When a packet using TCP as its upper-layer protocol carries one extension header, a Routing header, this extension header is placed between the IPv6 header and the TCP header. The Next Header field in the IPv6 header indicates that the Routing header follows the IPv6 header, and the Next Header field in the Routing header indicates that the TCP header immediately follows the Routing header. A Next Header value of 59 indicates that there is no extension or upper-layer protocol header following the current header. A full implementation of IPv6 includes the following extension headers: Hop-by-Hop Options, Routing (Type 0), Fragment, Destination Options, Authentication, and Encapsulating Security Payload. The recommended ordering of extension headers, when multiple extension headers are present in a packet, is as follows:
- IPv6 header
- Hop-by-Hop Options header
- Destination Options header (to be processed by all destination nodes appearing in the Routing header)
- Routing header
- Fragment header
- Authentication header
- Encapsulating Security Payload header
- Destination Options header (to be processed only by the final destination of the packet)
- upper-layer header
Except for the Destination Options header, each extension header should appear at most once in a packet. The Destination Options header contains information to be processed by the final destination node. When the Routing header is present, an additional Destination Options header may be used for options to be processed by all nodes listed in the Routing header; in this case, there will be at most two occurrences of the Destination Options header in an IPv6 packet. When an IPv4 packet carries an option that is applicable only to its destination node, all intermediate nodes must examine and process the packet before forwarding it, thus impacting the performance of the forwarding nodes.
Except for the Hop-by-Hop Options header, extension headers are examined or processed only by the destination node (or nodes, in the case of multicast) of the packet. Thus, an IPv6 packet may carry optional information applicable only to its destination node without impacting the performance of all intermediate nodes. The Hop-by-Hop Options header can be used to carry optional information that needs to be examined or processed at all intermediate nodes. The value of the Next Header field in the current header determines the next action to be taken, and the semantics of the current extension header determine whether to continue processing the next header. Thus, extension headers must be examined in the order they appear in a packet. When a node receives a packet with an unrecognized Next Header value, it discards the packet and sends an ICMP Parameter Problem message to the source of the packet, with an ICMP Code value of one, "unrecognized Next Header type encountered." Because the Hop-by-Hop Options header must immediately follow the IPv6 header, a Next Header value of zero in any header other than the IPv6 header is treated as an unrecognized Next Header value. Currently, the Hop-by-Hop Options header and the Destination Options header carry a variable number of options, encoded in Type-Length-Value (TLV) format, as seen in Figure 10.3.

The Option Type identifiers are encoded in such a way that the highest-order two bits specify the action to be taken when the processing node does not recognize the Option Type, and the third-highest bit specifies whether or not the Option Data of that option can change en route to the packet's final destination. For instance, when a node encounters an unknown option type value of 130 (1000 0010), the highest-order two bits indicate that the node must discard the packet and send an ICMP Parameter Problem, Code 2, message to the source of the packet. Table 10.2 describes the encoding of the Option Type and its meaning for handling an unrecognized Option Type.
Figure 10.3 TLV-encoded option format.

Option Type | Opt Data Len | Option Data

Option Type    8-bit identifier of the type of option.
Opt Data Len   8-bit unsigned integer. Length of the Option Data field of this option, in octets.
Option Data    Variable-length field. Option-Type-specific data.
Table 10.2 Option Type Encoding

Highest-order two bits   Action to be taken
00                       Skip over this option and continue processing the header.
01                       Discard the packet.
10                       Discard the packet and, regardless of whether or not the packet's Destination Address was a multicast address, send an ICMP Parameter Problem, Code 2, message to the packet's Source Address, pointing to the unrecognized Option Type.
11                       Discard the packet and, only if the packet's Destination Address was not a multicast address, send an ICMP Parameter Problem, Code 2, message to the packet's Source Address, pointing to the unrecognized Option Type.
The Option Data of some options may change as the packet progresses through the route to its destination. The third highest-order bit of the Option Type is used to indicate whether its data value can be changed en route. The third highest-order bit is 0 when the Option Data does not change en route and 1 when it may change. When the Authentication header is used, the source of the packet computes the authenticating value over the packet and places it in the Authentication header. For an Option Type whose Option Data may change en route, the Option Data is treated as zero-valued octets when computing the packet's authenticating value. As stated before, extension headers are designed to be a multiple of 8 octets in length. To ensure that the end of the Option Data field is aligned with an 8-octet boundary, specific Option Types may be associated with alignment requirements of the form xn+y, indicating that the Option Type must appear at an integer multiple of x octets from the start of the header, plus y octets. For instance, a 4n+2 alignment requirement indicates that the Option Type must start at any 4-octet offset from the start of the header, plus 2 octets, such as 2, 6, 10, 14, etc. Two padding options, the Pad1 option and the PadN option, may be used to make headers containing options multiples of 8 octets in length. The Pad1 option, one zero-valued octet, is used to insert one octet of padding, and the PadN option is used to insert more than one octet of padding. The format of the PadN option is shown in Figure 10.4. To insert 2 octets of padding (Pad2), one octet with the value of 1 and one octet (the Option Data Length field) with the value of 0 can be used. The Pad2 option is a special case in that there is no Option Data, or Option Data of 0 length is used.
Figure 10.4 PadN option format.

Option Type = 1 | Opt Data Len | Option Data

Opt Data Len   For N octets of padding, N-2.
Option Data    For N octets of padding, N-2 zero-valued octets.
Hop-by-Hop Options Header

The Hop-by-Hop Options header, identified by a Next Header value of zero in the IPv6 header, carries optional information that must be processed by every node along a packet's delivery path. For instance, it may be necessary for a router to examine and process a packet containing control messages for new protocols, such as RSVP. The use of the Hop-by-Hop Options header allows routers to selectively examine packets for special handling, if necessary. The format of the Hop-by-Hop Options header is shown in Figure 10.5. Note that the Header Extension Length field is the length of the Hop-by-Hop Options header, in 8-octet units, not including the first 8 octets. In other words, when the length of the TLV-encoded option(s) is less than or equal to 6 octets, the Header Extension Length field is zero. Examples of Hop-by-Hop Options include the Router Alert option and the Jumbo Payload option.

Figure 10.5 Hop-by-Hop Options header.

Next Header | Hdr Ext Len | Options

Next Header   8-bit selector. Identifies the type of header immediately following the Hop-by-Hop Options header. Uses the same values as the IPv4 Protocol field [RFC1700].
Hdr Ext Len   8-bit unsigned integer. Length of the Hop-by-Hop Options header in 8-octet units, not including the first 8 octets.
Options       Variable-length field, of length such that the complete Hop-by-Hop Options header is an integer multiple of 8 octets long. Contains one or more TLV-encoded options.
A call set-up control message using the RSVP protocol needs special provisioning at each router along the path of the connection. Using the Router Alert Hop-by-Hop option, routers can provide special handling. Processing of a Hop-by-Hop option may result in processing of an upper-layer protocol such as RSVP. The Option Type of the Router Alert option is 5 (0000 0101), indicating that nodes not recognizing this option should skip it and continue processing the header, and that the Option Data must not change its value en route. The Option Length of the Router Alert option is 2; thus, the valid range of the Option Data is between 0 and 65,535. Currently, only 0, 1, and 2 have been defined, to indicate a packet containing an ICMPv6 Group Membership message, an RSVP message, and an Active Network message, respectively. No alignment requirement has been associated with this option. Figure 10.6(a) illustrates a packet containing a Router Alert Hop-by-Hop option. The value of the Next Header field in the IPv6 header is 0, indicating that a Hop-by-Hop Options header follows. All nodes in the path of this packet are to examine and process this packet. The Next Header field of the Hop-by-Hop Options header indicates the next header following this Hop-by-Hop header, a TCP header in this example packet. The Extension Header Length field is 0 since there is only one option, the Router Alert option, and the total length of the TLV encoding of this option is 4 octets. Since there is no alignment requirement associated with this option, its TLV-encoded option is placed first, and a Pad2 option is used to make the length of this Hop-by-Hop Options header exactly 8 octets.

The IPv6 header uses the 16-bit Payload Length field, which limits the maximum length of a packet to 65,536. However, advances in hardware have enabled the transmission of a jumbogram, a packet with a payload larger than 65,536 octets. The Jumbo Payload option supports jumbograms of up to 4,294,967,296 octets. When the path MTU can support payloads larger than 65,535, this option may be used to transmit jumbograms. The Option Type of the Jumbo Payload option is 194 (1100 0010), indicating that nodes not recognizing this option type must discard the packet and send an ICMP Parameter Problem, Code 2, message to its sender only if the destination is not a multicast address, and that the Option Data must not change en route. The Option Length field of this option is 4 octets, and the Option Data is the length of the IPv6 jumbogram, not including the IPv6 header. When this option is used, the Payload Length field in the IPv6 header is set to 0. This option has an alignment requirement of 4n+2. Figure 10.6(b) illustrates a packet with the Jumbo Payload Hop-by-Hop option. The Next Header field in the IPv6 header indicates that the Hop-by-Hop Options header follows. Note that the Payload Length field in the IPv6 header is set to 0 in this sample packet. The Next Header field in this Hop-by-Hop Options header indicates that the next header is a TCP header. The Extension Header Length field is 0 because the total length of the TLV-encoded Jumbo Payload option is 6 octets. The value in the Option Data of this packet indicates that the payload of this packet is 2,818,048 octets (0x002A FFFF). Since the end of the Option Data is aligned with an 8-octet boundary, no padding option is necessary in this sample packet. Processing of a Jumbo Payload option must detect several format errors and send an appropriate ICMP Parameter Problem message. These format errors include the absence of the Jumbo Payload option when the IPv6 Payload Length is 0 and the IPv6 Next Header is 0, the use of the Jumbo Payload option when the IPv6 Payload Length is not 0, the use of the Jumbo Payload option when the actual payload is less than 65,535, and the use of the Jumbo Payload option when the
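The TLV walk of Figure 10.3, the unrecognized-Option-Type rules of Table 10.2, and the Jumbo Payload format checks just listed fit naturally into one receiver-side routine. The following is an added example (not the book's code); the two sample headers are constructed to match Figure 10.6(a) and (b), and the Jumbo Payload type is written as 0xC2 (1100 0010).

```python
import struct

# Added example, not from the book: parse a Hop-by-Hop Options header (Figure 10.5),
# apply the Table 10.2 rules for unrecognized Option Types, and run the Jumbo Payload
# format checks described in the text.
PAD1, PADN, ROUTER_ALERT = 0, 1, 5
JUMBO_PAYLOAD = 0xC2                 # 1100 0010: action bits 11, data must not change en route
KNOWN_OPTIONS = {PAD1, PADN, ROUTER_ALERT, JUMBO_PAYLOAD}
ALIGNMENT = {JUMBO_PAYLOAD: (4, 2)}  # xn+y alignment requirement from the text

def unrecognized_action(opt_type, dst_is_multicast):
    """Table 10.2: the highest-order two bits decide what an unaware node does."""
    action = opt_type >> 6
    if action == 0b00:
        return "skip"
    if action == 0b01:
        return "discard"
    if action == 0b10 or not dst_is_multicast:   # 10: always; 11: only for unicast
        return "discard, ICMP Parameter Problem Code 2"
    return "discard"

def parse_options(options, base_offset, dst_is_multicast):
    """Return (list of (type, data, may_change_en_route), action).
    base_offset is where the option area starts within the extension header."""
    opts, i = [], 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == PAD1:                  # one zero-valued octet, no length field
            i += 1
            continue
        if i + 2 > len(options):
            raise ValueError("option type without a length octet")
        opt_len = options[i + 1]
        data = options[i + 2:i + 2 + opt_len]
        if len(data) != opt_len:              # a length that runs past the header
            raise ValueError("option data runs past the end of the header")
        if opt_type == PADN:
            if any(data):
                raise ValueError("PadN must carry zero-valued octets")
        elif opt_type not in KNOWN_OPTIONS:
            action = unrecognized_action(opt_type, dst_is_multicast)
            if action != "skip":
                return opts, action
        else:
            x, y = ALIGNMENT.get(opt_type, (1, 0))
            if (base_offset + i) % x != y:
                raise ValueError(f"option {opt_type} violates {x}n+{y} alignment")
            opts.append((opt_type, bytes(data), bool(opt_type & 0x20)))
        i += 2 + opt_len
    return opts, "continue"

def parse_hop_by_hop(ext, ipv6_payload_length, dst_is_multicast=False):
    """ext starts at the Hop-by-Hop Options header; returns the decoded header."""
    if len(ext) < 8:
        raise ValueError("Hop-by-Hop Options header shorter than 8 octets")
    next_header, hdr_ext_len = ext[0], ext[1]
    total = 8 * (hdr_ext_len + 1)             # Hdr Ext Len excludes the first 8 octets
    if len(ext) < total:
        raise ValueError("truncated Hop-by-Hop Options header")
    opts, action = parse_options(ext[2:total], 2, dst_is_multicast)
    jumbo = [data for t, data, _ in opts if t == JUMBO_PAYLOAD]
    effective_length = ipv6_payload_length
    if jumbo:                                 # Jumbo Payload format checks from the text
        if len(jumbo[0]) != 4:
            raise ValueError("Jumbo Payload Option Length must be 4")
        jumbo_len = struct.unpack("!I", jumbo[0])[0]
        if ipv6_payload_length != 0:
            raise ValueError("Jumbo Payload option present but Payload Length is not 0")
        if jumbo_len <= 65535:
            raise ValueError("Jumbo Payload option used for a payload of 65,535 or less")
        effective_length = jumbo_len
    elif ipv6_payload_length == 0:
        raise ValueError("Payload Length 0 with a Hop-by-Hop header but no Jumbo Payload option")
    return {"next_header": next_header, "hdr_ext_len": hdr_ext_len, "options": opts,
            "action": action, "payload_length": effective_length}

# Constructed sample headers matching Figure 10.6(a) and (b)
ROUTER_ALERT_HDR = bytes([6, 0, 5, 2, 0, 1, 1, 0])           # Router Alert (value 1, RSVP) + Pad2
JUMBO_HDR = bytes([6, 0, 0xC2, 4, 0x00, 0x2A, 0xFF, 0xFF])   # Jumbo Payload, starts at offset 2 (4n+2)
```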
Figure 10.6 Packets with the Hop-by-Hop Options header.

(a) Router Alert option: IPv6 header (Version 6, Next Header 0, Source, Destination); Hop-by-Hop Options header (Next Header 6, Hdr Ext Len 0, Router Alert option: Type 5, Length 2, Option Data; Pad2: 1, 0); Upper-layer Protocol Header; Data.

(b) Jumbo Payload option: IPv6 header (Version 6, Payload Length 0, Next Header 0, Source, Destination); Hop-by-Hop Options header (Next Header 6, Hdr Ext Len 0, Jumbo Payload option: Type 194, Length 4, Option Data 0x002AFFFF); Upper-layer Protocol Header; Data.
Routing Header

The Routing header, identified by a Next Header value of 43 in the immediately preceding header, allows an IPv6 source to determine the route to its destination by listing one or more intermediate nodes to be visited (very similar to IPv4's Loose Source and Record Route option). The format of the Routing header is shown in Figure 10.7. When a node encounters an unrecognized Routing Type and Segments Left is zero, it ignores the Routing header and continues to process the next header. However, if Segments Left is nonzero, the node discards the packet and sends an ICMP Parameter Problem, Code 0, message to the packet's Source Address. Currently, only Type 0 has been defined, and Figure 10.8 shows the format of the Type 0 Routing header.
Figure 10.7 Routing header.

Next Header | Hdr Ext Len | Routing Type | Segments Left
Type-Specific Data

Next Header          8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC1700].
Hdr Ext Len          8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets.
Routing Type         8-bit identifier of a particular Routing header variant.
Segments Left        8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
Type-Specific Data   Variable-length field, of format determined by the Routing Type, and of length such that the complete Routing header is an integer multiple of 8 octets long.
An example of Type 0 Routing header use is in supporting new protocols, such as RSVP. In RSVP, a connection path may be established, and all packets belonging to the connection follow the same path to reach the destination. The source of this connection may then use a Type 0 Routing header to specify the path to its destination. Another use of a Routing header is to communicate with a mobile node away from its home network without triangle routing. Without Route Optimization, which may or may not be supported, packets may have to be sent to the mobile node's home network and be forwarded by the home agent when the mobile node is away from its home network, creating triangle routing. The source of such a connection can instead specify the path using a Type 0 Routing header and avoid triangle routing.
Figure 10.8 Type 0 Routing header.

Next Header | Hdr Ext Len | Routing Type = 0 | Segments Left
Reserved
Address [1]
...
Address [n]

Next Header      8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC1700].
Hdr Ext Len      8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets. For the Type 0 Routing header, Hdr Ext Len is equal to two times the number of addresses in the header.
Routing Type     0
Segments Left    8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
Reserved         32-bit reserved field. Initialized to zero for transmission; ignored on reception.
Address[1...n]   Vector of 128-bit addresses, numbered 1 to n.
For the connection between source node s and destination node d via routers r1 and r2, source node s creates an IPv6 packet with the Routing header, as shown in Figure 10.9(a). Notice that the destination field is r1, the first router in the path, instead of the final destination node d. Recall that except for the Hop-by-Hop Options header, all other extension headers are examined only by the packet's destination node. Since router r1 is the destination of this packet, after examining the IPv6 header, it continues to process the next header as indicated by the Next Header field in the IPv6 header. In this case, the Routing header will be processed by router r1. The Extension Header Length field is 4, indicating that the length of the Routing header is four 8-octet units, not counting the first eight octets. The value 4 is also twice the number of addresses (2, as indicated in the Segments Left field) in this Routing header. The first address in the Routing header is the next router in the path, r2, followed by the final destination node d. Router r1 decrements the Segments Left field and swaps the values in the destination field of the IPv6 header and the first address in the Routing header. Figure 10.9(b) shows the packet sent from router r1 to router r2. Similarly, after examining the IPv6 header, router r2 continues to process the Routing header, since the destination field of the IPv6 header is r2. Again, router r2 decrements the Segments Left field and swaps the values in the destination field of the IPv6 header and the second address in the Routing header. When processing the Routing header, the index of the address to visit can be computed from the Header Extension Length and Segments Left fields (Header Extension Length/2 - Segments Left + 1). When Segments Left is 0, the node handling this Routing header proceeds to process the next header in the packet, whose type is identified in the Next Header field of the Routing header.
When processing the Type 0 Routing header, format checking is performed. Recall that the Header Extension Length is two times the number of addresses in the Routing header. Thus, the Header Extension Length must not be an odd value. If it is, a node processing this packet discards the packet and sends an ICMP Parameter Problem, Code 0, message to the source node. Since the Header Extension Length is two times the number of addresses in the Routing header, the largest value in the Segments Left field is at most half of the Header Extension Length. If Segments Left is larger than half of the Header Extension Length, the node handling the packet also discards this packet and sends an ICMP Parameter Problem, Code 0, message to the source.
Figure 10.9 Packets with a Routing header. (a) Packet sent from source node s to router r1. (b) Packet sent from router r1 to router r2.
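The per-node processing of the Type 0 Routing header described above (index computation, Segments Left decrement, address swap, and the two format checks) is shown in the following added example, which is not the book's code. The node names s, r1, r2 and d follow the text; their addresses are constructed, and the walk simulates the packet of Figure 10.9 hop by hop.

```python
import struct
from ipaddress import IPv6Address

# Added example, not from the book: Type 0 Routing header processing as described
# in the text (Figures 10.8 and 10.9). Type 0 Routing headers were later deprecated
# by RFC 5095 because a listed node can be made to carry the same packet many
# times; current nodes discard them, and this is the original forwarding logic.

class ParameterProblem(Exception):
    """Discard the packet and send ICMP Parameter Problem, Code 0, to the source."""

def build_type0_routing_header(next_header, addresses, segments_left=None):
    """addresses: the intermediate nodes followed by the final destination."""
    n = len(addresses)
    if segments_left is None:
        segments_left = n
    # Hdr Ext Len is twice the number of addresses (each address is two 8-octet units)
    fixed = struct.pack("!BBBBI", next_header, 2 * n, 0, segments_left, 0)
    return fixed + b"".join(IPv6Address(a).packed for a in addresses)

def process_routing_header(dst, rh):
    """Run at the node whose address is dst (the current IPv6 Destination Address).
    Returns (new_dst, new_rh, finished); finished means Segments Left was 0 and the
    node proceeds to the header named by the Routing header's Next Header field."""
    _next_header, hdr_ext_len, routing_type, segments_left, _ = struct.unpack("!BBBBI", rh[:8])
    if segments_left == 0:
        return dst, rh, True               # also how an unrecognized Routing Type is ignored
    if routing_type != 0:
        raise ParameterProblem("unrecognized Routing Type with Segments Left > 0")
    if hdr_ext_len % 2 != 0:
        raise ParameterProblem("Hdr Ext Len must be even for a Type 0 Routing header")
    n = hdr_ext_len // 2
    if segments_left > n:
        raise ParameterProblem("Segments Left larger than the number of addresses")
    if len(rh) < 8 + 16 * n:
        raise ParameterProblem("Routing header shorter than Hdr Ext Len claims")
    i = n - segments_left + 1              # Header Extension Length/2 - Segments Left + 1
    offset = 8 + 16 * (i - 1)
    next_hop = rh[offset:offset + 16]
    # Decrement Segments Left and swap Address[i] with the IPv6 Destination Address
    new_rh = (rh[:3] + bytes([segments_left - 1]) + rh[4:offset]
              + IPv6Address(dst).packed + rh[offset + 16:])
    return str(IPv6Address(next_hop)), new_rh, False

def visited_path(first_dst, rh):
    """Simulate the packet after it leaves the source: the destinations it is sent to."""
    path, dst = [first_dst], first_dst
    while True:
        dst, rh, finished = process_routing_header(dst, rh)
        if finished:
            return path
        path.append(dst)
```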
Fragment Header

The 16-bit Total Length field in the IPv4 header limits the maximum size of a packet to 64K bytes. However, depending on the link technology used, the actual size of a packet may be further limited. In IPv4 packet transmission, each IP layer is responsible for fragmenting packets if necessary to ensure that the packet size does not exceed the Maximum Transfer Unit (MTU). Thus, the user data sent in a single packet from a source node may arrive at the destination node in multiple packets if there is a link whose MTU is smaller than the link MTU at the source node. This approach, however, may not be the optimal solution for the path.
In IPv6, only source nodes perform fragmentation. A source node first finds the path MTU and then segments the fragmentable part of the original packet so that the length of each fragmented packet does not exceed the path MTU. The original packet before fragmentation consists of two parts: the unfragmentable part and the fragmentable part. The IPv6 header and any extension headers that need to be processed at each hop on the way to the destination are unfragmentable, and extension headers processed only by the final destination node (or nodes, in the case of multicast) are considered fragmentable. When the Hop-by-Hop Options header is present but not the Routing header, the unfragmentable part of the original packet includes the IPv6 header and the Hop-by-Hop Options header. When the Routing header is present, the unfragmentable part includes the IPv6 header, the Hop-by-Hop Options header, the Destination Options header, and the Routing header, if the Hop-by-Hop Options header and Destination Options header are present. The Fragmentation header is identified by a Next Header value of 44 in the immediately preceding header. Figure 10.10 shows the format of the Fragmentation header. The source node generates a unique 32-bit identifier for every fragmented packet sent to the same destination. Except for the last fragmented packet, the fragmentable part of the original packet is divided so that each fragmented part is an integer multiple of 8 octets in length. The Fragment Offset field is used to indicate the offset of the data following this Fragmentation header, relative to the start of the fragmentable part of the original packet.

Consider the packet shown in Figure 10.11(a). This packet needs to be fragmented by the source node since its path MTU is 1514 bytes. The unfragmentable part of the original packet in the example includes the IPv6 header and the Routing header (the Next Header of the IPv6 header is 43). The original packet is broken into three parts. Since the Ethernet header is 14 bytes, the IPv6 packet including the IPv6 header cannot be longer than 1500 bytes. Since the Routing header is part of the unfragmentable part, each fragment includes the Routing header. Further, the Fragmentation header (8 octets) is added, leaving 1412 bytes for user data. However, the Fragment Offset field in the Fragmentation header is in 8-octet units. Therefore, the maximum size of the fragmentable part carried in each fragment is limited to 1408. This explains the 1456 in the Payload Length field of the IPv6 header of the first fragment, as shown in Figure 10.11(b).
Figure 10.10 Fragmentation header.

Next Header | Reserved | Fragment Offset | Res | M
Identification

Next Header       8-bit selector. Identifies the initial header type of the Fragmentable Part of the original packet. Uses the same values as the IPv4 Protocol field [RFC1700].
Reserved          8-bit reserved field. Initialized to zero for transmission; ignored on reception.
Fragment Offset   13-bit unsigned integer. The offset, in 8-octet units, of the data following this header, relative to the start of the Fragmentable Part of the original packet.
Res               2-bit reserved field. Initialized to zero for transmission; ignored on reception.
M flag            1 = more fragments; 0 = last fragment.
Identification    32-bit identifier.
The Next Header fields in the Routing header in all three fragments (Figure 10.11(b), (c), and (d)) are 44, indicating that the header following the Routing header is the Fragmentation header. The Next Header field of the Fragmentation header in the first fragment is 6, indicating that the upper-layer protocol header follows the Fragmentation header. However, the Next Header fields of the Fragmentation headers in the other two fragments are 59, indicating that no more headers follow the Fragmentation header. In this example, the hexadecimal value 0x12345678 is used to show that the same identifier is used for all fragments. The Fragment Offset field gives the offset, in 8-octet units, of the data following the Fragmentation header, relative to the start of the fragmentable part of the original packet. Thus, the Fragment Offset of 176 in Figure 10.11(c) indicates that the data following this Fragmentation header is to be placed at byte 176 × 8 = 1408 of the fragmentable part when the packet is reassembled at the destination node.
Figure 10.11 Example of fragmentation.

(a) Original packet: IPv6 header (Version 6, Payload Length 2902, Next Header 43, Source, Destination r1); Routing header (Hdr Ext Len 4, Routing Type 0, Segments Left 2, addresses r2 and Destination); Upper-layer Protocol Header; Data.
(b) First fragment packet: IPv6 header (Payload Length 1456, Next Header 43, Source, Destination r1); Routing header (Next Header 44, Hdr Ext Len 4, Routing Type 0, Segments Left 2, addresses r2 and Destination); Fragmentation header (Next Header 6, Fragment Offset 0, M = 1, Identification 0x12345678); Upper-layer Protocol Header; Data.
(c) Second fragment packet: IPv6 header (Payload Length 1456, Next Header 43); Routing header (Next Header 44); Fragmentation header (Next Header 59, Fragment Offset 176, M = 1, Identification 0x12345678); Data.
(d) Third fragment packet: IPv6 header (Payload Length 94, Next Header 43); Routing header (Next Header 44); Fragmentation header (Next Header 59, Fragment Offset 352, M = 0, Identification 0x12345678); Data.
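The sizing rules above, worked through in code. This is an added example written for this section, not code from the book: it packs and parses the 8-octet Fragmentation header of Figure 10.10, splits a fragmentable part into fragments that fit a path MTU, and reassembles them with the checks a receiving node should make (every non-final fragment a multiple of 8 octets, exactly one final fragment, one Identification, and no gaps or overlaps between fragments). The numbers reproduce the Figure 10.11 case: a 1500-byte IPv6 packet limit, a 40-byte Routing header as the only unfragmentable extension header, and 2862 bytes of fragmentable data (2902 minus the Routing header); the data bytes themselves are constructed. One detail differs from the figure: here every fragment's Fragmentation header carries the Next Header of the first header in the fragmentable part (6), which is how RFC 2460 defines that field, whereas the figure shows 59 in the second and third fragments.

```python
"""IPv6 fragmentation at the source and checked reassembly at the destination.
Added example for this section; not code from the book."""
import struct

IPV6_HDR_LEN = 40            # fixed IPv6 header
FRAG_HDR_LEN = 8             # Fragmentation header (Next Header value 44 in the preceding header)
ETHERNET_IPV6_LIMIT = 1500   # 1514-byte path MTU minus the 14-byte Ethernet header


def build_frag_header(next_header, offset_units, more, ident):
    """Pack Next Header(8) | Reserved(8) | Fragment Offset(13) | Res(2) | M(1) | Identification(32)."""
    if not 0 <= offset_units < (1 << 13):
        raise ValueError("Fragment Offset does not fit in 13 bits")
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(bool(more)), ident)


def parse_frag_header(hdr):
    """Return (next_header, offset_units, more, identification); reserved bits are ignored."""
    next_header, _reserved, off_res_m, ident = struct.unpack("!BBHI", hdr[:FRAG_HDR_LEN])
    return next_header, off_res_m >> 3, bool(off_res_m & 1), ident


def fragment(fragmentable, first_next_header, unfrag_ext_len, max_packet, ident):
    """Source-node fragmentation. unfrag_ext_len is the size of the extension headers that
    travel in every fragment (the Routing header in Figure 10.11). Returns a list of
    (payload_length, frag_header, data): the IPv6 Payload Length the fragment packet would
    carry, its Fragmentation header, and its slice of the fragmentable part."""
    budget = max_packet - IPV6_HDR_LEN - unfrag_ext_len - FRAG_HDR_LEN
    chunk = budget - budget % 8       # every fragment but the last is a multiple of 8 octets
    if chunk <= 0:
        raise ValueError("path MTU leaves no room for fragment data")
    frags = []
    for offset in range(0, len(fragmentable), chunk):
        data = fragmentable[offset:offset + chunk]
        more = offset + len(data) < len(fragmentable)
        hdr = build_frag_header(first_next_header, offset // 8, more, ident)
        frags.append((unfrag_ext_len + FRAG_HDR_LEN + len(data), hdr, data))
    return frags


def reassemble(frags):
    """Destination-node reassembly with the checks a receiver needs before trusting the
    result: one Identification, 8-octet-aligned non-final fragments, exactly one final
    fragment, and contiguous data with neither gaps nor overlaps."""
    ident = total = None
    pieces = []
    for _payload_len, hdr, data in frags:
        _nh, offset_units, more, fid = parse_frag_header(hdr)
        if ident is None:
            ident = fid
        elif fid != ident:
            raise ValueError("fragment belongs to a different packet")
        if more and len(data) % 8:
            raise ValueError("non-final fragment is not a multiple of 8 octets")
        start = offset_units * 8
        if not more:
            if total is not None:
                raise ValueError("more than one final fragment")
            total = start + len(data)
        pieces.append((start, data))
    if total is None:
        raise ValueError("final fragment missing")
    out = bytearray()
    for start, data in sorted(pieces):
        if start != len(out):          # start > len(out) is a gap, start < len(out) an overlap
            raise ValueError("gap or overlap at offset %d" % start)
        out += data
    if len(out) != total:
        raise ValueError("data does not end where the final fragment says it does")
    return bytes(out)


def figure_10_11_example():
    """Constructed input mirroring Figure 10.11: a 40-byte Routing header is the only
    unfragmentable extension header, the upper-layer protocol (Next Header 6) follows it,
    and 2862 bytes (2902 minus the Routing header) are fragmentable."""
    fragmentable = bytes(range(256)) * 11 + bytes(46)     # 2816 + 46 = 2862 bytes, constructed
    frags = fragment(fragmentable, 6, 40, ETHERNET_IPV6_LIMIT, 0x12345678)
    summary = [(plen,) + parse_frag_header(hdr)[1:3] for plen, hdr, _ in frags]
    return summary, reassemble(frags) == fragmentable


if __name__ == "__main__":
    for payload_len, offset_units, more in figure_10_11_example()[0]:
        print("Payload Length %4d  Fragment Offset %3d  M %d" % (payload_len, offset_units, more))
```

Running it prints the three (Payload Length, Fragment Offset, M) triples of Figure 10.11(b) to (d): 1456/0/1, 1456/176/1 and 94/352/0. The strict contiguity test in `reassemble` is the defender's choice: a fragment that overlaps data already received is rejected outright rather than overwriting or being ignored, so two fragments cannot disagree about what the reassembled packet contains.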
Authentication Header

In an IP network (both IPv4 and IPv6), the Authentication header is used to provide integrity and data origin authentication for IP packets and to protect against replays. In this section, however, all terms are defined for the IPv6 network. The Authentication header provides authentication for the fields of the IPv6 header and extension headers that do not change en route. For instance, the Destination Address field in the IPv6 header changes at every hop when the Type 0 Routing header is used; in this case, the Authentication header cannot authenticate the Destination Address field. Figure 10.12 shows the format of the Authentication header.
Figure 10.12 Authentication header.

Next Header | Payload Len | Reserved
Security Parameters Index (SPI)
Sequence Number Field
Authentication Data (variable)

Next Header: 8-bit selector. Identifies the type of header immediately following the Authentication header.
Payload Len: 8-bit unsigned integer. Length of the Authentication header in 4-octet units, not including the first 8 octets.
Reserved: 16-bit reserved field. Initialized to zero for transmission; ignored on reception.
Security Parameters Index: 32-bit unsigned integer. The combination of this field, the destination address, and the security protocol identifies the Security Association for this packet.
Sequence Number: 32-bit unsigned integer. Monotonically increasing counter value.
Authentication Data: Variable-length field containing the Integrity Check Value (ICV) for this packet. This field must be an integral multiple of 8 octets in length.
Note that the Payload Len field is in 4-octet units (32-bit words), not including the first eight octets (two 4-octet units). Thus, with a 96-bit Authentication Data value, the Payload Len will be 4. For debugging purposes, the Null authentication algorithm may be used; in this case, the Payload Len field will be 2. The Sequence Number field provides anti-replay protection. When a Security Association is established between source and destination nodes, the counters at sender and receiver are both initialized to 0. The sender must increment this field for every transmission; however, the receiver may elect not to process it. The service is effective only if the receiver processes this field. The Authentication Data field contains the Integrity Check Value (ICV) for this packet. The authentication algorithm, selected when the Security Association is established between sender and receiver, specifies the length of the ICV, the comparison rules, and the processing steps necessary. The ICV is computed over the packet by the source node and verified by the destination node, which compares the received value to the value it recomputes. The Authentication header may be applied in transport or tunnel mode. The transport mode Authentication header, implemented in hosts, protects the upper-layer protocol header and any fields in the IPv6 header and extension headers that do not change in transit.

The tunnel mode Authentication header is applied to the original IPv6 packet, encapsulating it in a new IPv6 packet that uses distinct IPv6 addresses, such as those of a security gateway. In transport mode, the Authentication header, viewed as an end-to-end payload, is placed after the IPv6 header and the Hop-by-Hop, Routing, and Fragmentation extension headers. Recall that a Destination Options header may appear once before the Routing header; the options in that Destination Options header apply to the intermediate nodes listed in the Routing header. In this case, the Authentication header comes after the Destination Options header, as shown in Figure 10.13.
Figure 10.13 Header order with Authentication header in transport mode.

Before: IPv6 Header | Extension Headers, if any | Upper-Layer Protocol Header | Data
After applying the Authentication header: IPv6 Header | Extension Headers* | Authentication Header | Destination Options Header | Upper-Layer Protocol Header | Data
*Hop-by-Hop Options, Destination Options, Routing, and Fragment Headers

In tunnel mode, the Authentication header is applied to the original IPv6 packet using distinct IPv6 addresses as communication end points (e.g., addresses of security gateways). A new IPv6 header is constructed with the addresses of the security gateways as source and destination addresses. Fragmentation processing may be necessary after applying the Authentication header; thus, the newly constructed IPv6 packet may undergo further processing if necessary. Figure 10.14 shows the order of headers after applying the Authentication header in tunnel mode.

Figure 10.14 Header order with Authentication header in tunnel mode.

Before: IPv6 Header | Extension Headers, if any | Upper-Layer Protocol Header | Data
After applying the Authentication header: New IPv6 Header | New Extension Headers, if any | Authentication Header | Original IPv6 Header | Original Extension Headers, if any | Upper-Layer Protocol Header | Data
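The two properties described above, an ICV that skips the fields routers change and a Sequence Number that only protects against replay if the receiver checks it, shown in code. This is an added example, not code from the book. It assumes the Security Association uses HMAC-SHA1-96 (the 96-bit ICV of RFC 2404, which gives the Payload Len of 4 mentioned above), zeroes the Traffic Class, Flow Label and Hop Limit before computing the ICV, and uses a placeholder key, addresses from the 2001:db8::/32 documentation prefix, and a constructed UDP segment as the upper-layer data. The sliding-window replay check is the receiver-side logic the text says the service depends on.

```python
"""Transport-mode Authentication header: ICV over the immutable fields, plus the
receiver's anti-replay window. Added example; not the book's code. Assumes the SA uses
HMAC-SHA1-96 (RFC 2404); key and addresses are placeholders."""
import hashlib
import hmac
import struct

IPV6_HDR_LEN = 40
AH_NEXT_HEADER = 51   # value in the preceding header that announces an Authentication header
ICV_LEN = 12          # 96-bit ICV, so Payload Len = (12 + 12) / 4 - 2 = 4


def ipv6_header(src, dst, payload_len, next_header, hop_limit, traffic_class=0, flow_label=0):
    """Fixed 40-byte IPv6 header; src and dst are 16-byte addresses."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def _zero_mutable(ip_hdr):
    """Traffic Class, Flow Label and Hop Limit may change en route, so they are zeroed
    before the ICV is computed; Payload Length, Next Header and the addresses are kept."""
    _fw, payload_len, nh, _hop = struct.unpack("!IHBB", ip_hdr[:8])
    return struct.pack("!IHBB", 6 << 28, payload_len, nh, 0) + ip_hdr[8:IPV6_HDR_LEN]


def ah_transport_packet(key, src, dst, spi, seq, upper, upper_next_header, hop_limit=64):
    """IPv6 header -> AH -> upper-layer data. The ICV covers the zeroed IPv6 header,
    the AH with its Authentication Data zeroed, and everything after it."""
    ah_len = 12 + ICV_LEN
    ah_fixed = struct.pack("!BBHII", upper_next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv6_header(src, dst, ah_len + len(upper), AH_NEXT_HEADER, hop_limit)
    mac = hmac.new(key, _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + upper, hashlib.sha1)
    return ip_hdr + ah_fixed + mac.digest()[:ICV_LEN] + upper


def verify_ah(key, packet):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns (ok, spi, seq, upper_layer_data); ok is False for any malformed packet."""
    ip_hdr = packet[:IPV6_HDR_LEN]
    if len(packet) < IPV6_HDR_LEN + 12:
        return False, None, None, None
    _fw, payload_len, nh, _hop = struct.unpack("!IHBB", ip_hdr[:8])
    if nh != AH_NEXT_HEADER or len(packet) != IPV6_HDR_LEN + payload_len:
        return False, None, None, None
    ah = packet[IPV6_HDR_LEN:]
    _next, plen, _res, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_len = (plen + 2) * 4
    icv, upper = ah[12:ah_len], ah[ah_len:]
    mac = hmac.new(key, _zero_mutable(ip_hdr) + ah[:12] + bytes(len(icv)) + upper, hashlib.sha1)
    return hmac.compare_digest(icv, mac.digest()[:len(icv)]), spi, seq, upper


class ReplayWindow:
    """Receiver's anti-replay check: a sliding window below the highest sequence number
    seen, with one bit per already-accepted number. The sender must increment the
    Sequence Number; this check is what turns that counter into replay protection."""

    def __init__(self, window_size=64):
        self.size = window_size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number top - i already accepted

    def accept(self, seq):
        if seq == 0:
            return False                     # 0 is never a valid sequence number
        if seq > self.top:                   # right of the window: slide it forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                     # too old, or already seen (a replay)
        self.bitmap |= 1 << offset
        return True


def demo():
    """Constructed packet: a Hop Limit change survives verification, a Destination
    Address change does not. Returns the three verification results."""
    key = b"constructed-demo-key"                                   # placeholder, not an SA key
    src = bytes.fromhex("20010db8000000000000000000000001")         # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")         # 2001:db8::2
    upper = b"\x00\x35\x00\x35\x00\x10\x00\x00payload!"             # constructed 16-byte UDP segment
    pkt = ah_transport_packet(key, src, dst, spi=0x1000, seq=1, upper=upper, upper_next_header=17)
    hop_decremented = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]       # what every router does
    dst_altered = pkt[:39] + bytes([pkt[39] ^ 1]) + pkt[40:]        # an immutable field changed
    return verify_ah(key, pkt)[0], verify_ah(key, hop_decremented)[0], verify_ah(key, dst_altered)[0]
```

`demo()` returns `(True, True, False)`: the packet verifies as sent and after a router has decremented the Hop Limit, but not after a change to the Destination Address. Note that `ReplayWindow` rejects sequence numbers that fall off the left edge of the window as well as duplicates, which is why a receiver that does not process the field gets no protection from the sender's incrementing.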
Encapsulating Security Payload

The Encapsulating Security Payload header, used in transport mode or in tunnel mode, also provides security services in both IPv4 and IPv6 networks. The security services provided through the Encapsulating Security Payload include confidentiality, authentication (data origin authentication and connectionless integrity), an anti-replay service, and limited traffic flow confidentiality. The implementation and the options chosen at the time of Security Association establishment determine which security services are provided. As with the anti-replay service of the Authentication header, the source increments the Sequence Number; the destination node, however, must check this field to enable the anti-replay service. To provide the traffic flow confidentiality service, the true source and destination information must be hidden; this service therefore requires that the Encapsulating Security Payload header be used in tunnel mode. Figure 10.15 shows the format of the Encapsulating Security Payload header. A Next Header value of 50 in the immediately preceding header indicates that Encapsulating Security Payload processing is necessary. The mandatory Payload Data field contains encrypted data described by the Next Header field. The encryption algorithm used specifies the length and the location of any structure within the Payload Data field. Padding may be necessary to satisfy the encryption algorithm's requirement on the length of the plaintext or the 4-octet boundary alignment of the Payload Data field. Figures 10.16 and 10.17 illustrate the layout of an IPv6 packet and its encrypted portion when Encapsulating Security Payload headers are used in transport mode and tunnel mode, respectively.
Figure 10.15 Encapsulating Security Payload header.

Security Parameters Index (SPI)
Sequence Number
Payload Data (variable)
Padding (0-255 bytes) | Pad Length | Next Header
Authentication Data (variable)

Security Parameters Index: 32-bit unsigned integer. The combination of this field, the destination address, and the Security Protocol (ESP) identifies the Security Association for this packet.
Sequence Number: 32-bit unsigned integer. Monotonically increasing counter value.
Payload Data: Variable-length field containing data described by the Next Header field.
Padding: Variable-length field containing 0 to 255 octets of padding.
Pad Length: 8-bit unsigned integer. Indicates the number of pad bytes immediately preceding it.
Next Header: 8-bit selector. Identifies the type of data contained in the Payload Data.
Authentication Data: Variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet minus the Authentication Data.
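The padding, Pad Length and Next Header trailer of Figure 10.15, and the "ESP packet minus the Authentication Data" scope of the ICV, worked through in code. This is an added example, not code from the book. To run with the standard library alone it uses ESP with NULL encryption (RFC 2410), so the Payload Data is carried in the clear; with a real cipher everything from Payload Data through Next Header would be encrypted and the block size would be the cipher's. Integrity is HMAC-SHA1-96 (RFC 2404), the key and payload are constructed placeholders, and the receiver checks the ICV before it reads a single trailer byte, since Pad Length and Next Header are themselves under the ICV. Unlike the Authentication header, nothing in the enclosing IPv6 header is covered.

```python
"""ESP packet construction and trailer parsing. Added example; not the book's code.
NULL encryption (RFC 2410) and HMAC-SHA1-96 (RFC 2404); key and payload are placeholders."""
import hashlib
import hmac
import struct

ICV_LEN = 12        # 96-bit Authentication Data
ESP_HDR_LEN = 8     # SPI + Sequence Number


def esp_encapsulate(key, spi, seq, plaintext, next_header, block_size=1):
    """Padding makes Payload Data + Padding + Pad Length + Next Header a multiple of the
    cipher block size and ends the trailer on a 4-octet boundary; the pad bytes follow the
    RFC 2406 default pattern 1, 2, 3, ... The ICV covers everything from the SPI through
    Next Header, i.e. the ESP packet minus the Authentication Data field."""
    align = max(block_size, 4)
    pad_len = (-(len(plaintext) + 2)) % align
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + plaintext + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_decapsulate(key, packet):
    """Receiver: verify the ICV before interpreting anything, then peel the trailer.
    Returns (spi, seq, next_header, plaintext); raises ValueError on any failure."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HDR_LEN:-2]
    if pad_len > len(payload):
        raise ValueError("Pad Length larger than Payload Data")
    plaintext, padding = payload[:len(payload) - pad_len], payload[len(payload) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not follow the default pattern")
    return spi, seq, next_header, plaintext


def demo():
    """Constructed 10-byte payload with an 8-octet block size: 10 + 2 = 12, so 4 pad bytes
    bring the padded length to 16. Returns (packet length, Pad Length, Next Header, decoded)."""
    key = b"constructed-demo-key"                       # placeholder, not an SA key
    pkt = esp_encapsulate(key, spi=0x2000, seq=7, plaintext=b"hello, esp",
                          next_header=17, block_size=8)
    pad_len, next_header = pkt[-ICV_LEN - 2], pkt[-ICV_LEN - 1]
    return len(pkt), pad_len, next_header, esp_decapsulate(key, pkt)
```

`demo()` returns a 36-byte packet (8-byte header, 10 bytes of data, 4 pad bytes, the 2-byte Pad Length and Next Header, 12-byte ICV), Pad Length 4, Next Header 17, and the original payload back from the receiver. Flipping any byte before the ICV makes `esp_decapsulate` raise before the trailer is parsed.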
Destination Options Header

A source node may need to convey optional information that needs to be processed by a destination node. For instance, when a mobile node is away from its home network, a home agent (i.e., a router at the home network) may act as a proxy forwarding packets to the mobile node. A mobile node away from its home network needs to send control messages to its home agent so that the home agent can set up the proxy service and forward packets destined for the mobile node to its current address. In an IPv4 network, a packet containing options in the IPv4 header is subject to examination at every hop on the path.
Figure 10.16 Header order with Encapsulating Security Payload in transport mode.

Before: IPv6 Header | Extension Headers, if any | Upper-Layer Protocol Header | Data
After applying ESP: IPv6 Header | Extension Headers* | ESP Header | Destination Options Header | Upper-Layer Protocol Header | Data | ESP Trailer | ESP Authentication
Encrypted: Destination Options Header through ESP Trailer. Authenticated: ESP Header through ESP Trailer.
*Hop-by-Hop Options, Destination Options, Routing, and Fragment Headers

Figure 10.17 Header order with Encapsulating Security Payload in tunnel mode.

Before: IPv6 Header | Extension Headers, if any | Upper-Layer Protocol Header | Data
After applying ESP: New IPv6 Header | New Extension Headers | ESP Header | Original IPv6 Header | Original Extension Headers | Upper-Layer Protocol Header | Data | ESP Trailer | ESP Authentication
Encrypted: Original IPv6 Header through ESP Trailer. Authenticated: ESP Header through ESP Trailer.

In an IPv6 network, such optional messages can be handled efficiently either by using an extension header dedicated to specific optional information or by using the Destination Options header. Packet fragmentation and authentication information are handled as extension headers, as shown previously. The IPv6 Mobility Support Internet-Draft proposes four Destination Options to support Mobile IPv6. Optional information may be encoded either in a separate extension header or in the Destination Options header, based on the action desired at the destination node when the node does not recognize the option. Optional information that requires only a few octets, and whose desired action is to send an ICMP Unrecognized Type message to the sender only if the destination address is not a multicast address, may be encoded in a separate extension header. The Destination Options header, identified by a Next Header value of 60 in the immediately preceding header, carries optional information that needs to be examined and processed only by a packet's destination node (or nodes, in multicast). The format is shown in Figure 10.18.
Figure 10.18 Destination Options header.

Next Header | Hdr Ext Len | Options

Next Header: 8-bit selector. Identifies the type of header immediately following the Destination Options header. Uses the same values as the IPv4 Protocol field [RFC1700].
Hdr Ext Len: 8-bit unsigned integer. Length of the Destination Options header in 8-octet units, not including the first 8 octets.
Options: Variable-length field, of length such that the complete Destination Options header is an integer multiple of 8 octets long. Contains one or more TLV-encoded options.
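The TLV encoding of Figure 10.18 and the "action when the option is not recognized" decision discussed above, in code. This is an added example, not code from the book. It builds a Destination Options header padded to a multiple of 8 octets with Pad1/PadN and walks it the way a destination node would: the two high-order bits of each option type select what to do with an unrecognized option (skip, discard, discard and send an ICMP Parameter Problem message, or send it only if the destination is not multicast), as RFC 2460 section 4.2 specifies. The option types 0x05 and 0xC3 in the demo are constructed placeholders, not registered options; every length is checked against the Hdr Ext Len before a byte is read, so a bad length raises instead of reading past the header.

```python
"""Destination Options header: building and walking the TLV options. Added example;
not the book's code. Option types 0x05 and 0xC3 below are constructed placeholders."""

OPT_PAD1, OPT_PADN = 0, 1
# The two high-order bits of an option type say what a node that does not recognize the
# option must do (RFC 2460 section 4.2); bit 0x20 says the option data may change en route.
ACTIONS = {0: "skip", 1: "discard", 2: "discard+icmp", 3: "discard+icmp-unless-multicast"}


def build_dest_opts(next_header, options):
    """options: list of (type, data). Pads with Pad1/PadN so the whole header is a multiple
    of 8 octets, and sets Hdr Ext Len in 8-octet units not counting the first 8."""
    body = b"".join(bytes([t, len(d)]) + d for t, d in options)
    need = (-(2 + len(body))) % 8
    if need == 1:
        body += bytes([OPT_PAD1])
    elif need > 1:
        body += bytes([OPT_PADN, need - 2]) + bytes(need - 2)
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def parse_dest_opts(hdr, known_types, dst_is_multicast=False):
    """Walk the options as the destination node would. Returns
    (next_header, header_length, recognized_options, verdict) with verdict 'ok',
    'discard' or 'discard+icmp'; a malformed header raises ValueError rather than
    being read past its end."""
    if len(hdr) < 2:
        raise ValueError("header too short")
    next_header, total = hdr[0], (hdr[1] + 1) * 8
    if len(hdr) < total:
        raise ValueError("header truncated")
    i, recognized = 2, []
    while i < total:
        opt_type = hdr[i]
        if opt_type == OPT_PAD1:             # the only option without a length octet
            i += 1
            continue
        if i + 1 >= total:
            raise ValueError("option type without length octet")
        length = hdr[i + 1]
        if i + 2 + length > total:
            raise ValueError("option runs past the end of the header")
        data = hdr[i + 2:i + 2 + length]
        i += 2 + length
        if opt_type == OPT_PADN:
            continue
        if opt_type in known_types:
            recognized.append((opt_type, data))
            continue
        action = opt_type >> 6
        if action == 0:
            continue                          # skip the unknown option, keep processing
        if action == 1 or (action == 3 and dst_is_multicast):
            return next_header, total, recognized, "discard"
        return next_header, total, recognized, "discard+icmp"   # Parameter Problem message


    return next_header, total, recognized, "ok"


def demo():
    """Constructed header with a 'skip if unknown' option (0x05) and one that asks for an
    ICMP message unless the destination is multicast (0xC3, action bits 11)."""
    hdr = build_dest_opts(17, [(0x05, b"\x01\x02"), (0xC3, b"\xaa\xbb\xcc\xdd")])
    return (parse_dest_opts(hdr, {0x05, 0xC3})[3],
            parse_dest_opts(hdr, {0x05})[3],
            parse_dest_opts(hdr, {0x05}, dst_is_multicast=True)[3],
            parse_dest_opts(hdr, set())[2])
```

`demo()` returns `("ok", "discard+icmp", "discard", [])`: both options recognized; 0xC3 unknown at a unicast destination, so the packet is discarded with an ICMP message; the same at a multicast destination, discarded silently; and with nothing recognized, no option is recorded before the 0xC3 verdict stops processing.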
Upper-Layer Protocol Issues

The layered architecture in general shields the upper-layer protocols from changes in the network layer. However, a couple of issues need to be addressed. For instance, upper-layer protocols that compute checksums over packets must account for changes in IPv6, including the use of 128-bit addresses and the use of the final destination, not an intermediate destination, when the Routing header is used. As discussed, the Time-to-Live field, which behaves differently from its original definition, has been renamed Hop Limit; any upper-layer protocol that relies on the original meaning of Time-to-Live may have to make the necessary adjustments. The maximum upper-layer payload size also needs to be adjusted to reflect that the IPv6 header is 40 bytes long.
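The checksum point above, made concrete. This is an added example, not code from the book: it builds the IPv6 pseudo-header of RFC 2460 section 8.1 (128-bit source and final destination, 32-bit upper-layer length, three zero octets, the upper-layer protocol number), computes and verifies a UDP checksum over it, and shows that a segment checksummed against the final destination fails verification if an intermediate Routing header address is used instead. Addresses are from the 2001:db8::/32 documentation prefix and the UDP payload is constructed.

```python
"""Upper-layer checksum over the IPv6 pseudo-header (RFC 2460 section 8.1). Added example;
not the book's code. Addresses are documentation-prefix placeholders, payload is constructed."""
import struct

SRC = bytes.fromhex("20010db8000000000000000000000001")            # 2001:db8::1
FINAL_DST = bytes.fromhex("20010db8000000000000000000000002")      # 2001:db8::2
INTERMEDIATE = bytes.fromhex("20010db8000000000000000000000003")   # 2001:db8::3, a Routing header hop
UDP = 17


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src, dst, upper_len, next_header):
    """16-byte source, 16-byte final destination, 32-bit upper-layer packet length,
    three zero octets, then the upper-layer protocol number."""
    return src + dst + struct.pack("!I3xB", upper_len, next_header)


def udp_checksum(src, final_dst, segment):
    """Checksum of pseudo-header + segment (checksum field treated as zero).
    IPv6 forbids a UDP checksum of 0, so a computed 0 is sent as 0xFFFF."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    value = 0xFFFF ^ ones_complement_sum(ipv6_pseudo_header(src, final_dst, len(segment), UDP) + zeroed)
    return value or 0xFFFF


def udp_segment(src, final_dst, src_port, dst_port, data):
    """Build a UDP segment with a valid IPv6 checksum."""
    header = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0)
    checksum = udp_checksum(src, final_dst, header + data)
    return header[:6] + struct.pack("!H", checksum) + data


def verify_udp(src, final_dst, segment):
    """Receiver check: pseudo-header plus the whole segment must sum to 0xFFFF."""
    return ones_complement_sum(ipv6_pseudo_header(src, final_dst, len(segment), UDP) + segment) == 0xFFFF


def routing_header_example():
    """A segment checksummed against the final destination verifies there, but not when
    an intermediate Routing header address is used in the pseudo-header instead."""
    seg = udp_segment(SRC, FINAL_DST, 5353, 5353, b"constructed payload")
    return verify_udp(SRC, FINAL_DST, seg), verify_udp(SRC, INTERMEDIATE, seg)
```

`routing_header_example()` returns `(True, False)`. The pseudo-header is 40 bytes in IPv6 against 12 in IPv4, which is the 128-bit address change the text refers to; the final-destination rule means a node that verifies checksums must look past the Routing header to the last address rather than at the Destination Address field it received the packet on.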
Summary

In all aspects of IPv6 design, the limitations imposed upon the design of IPv4 have been resolved or improved, the inefficiencies of IPv4 have been eliminated, and additional capabilities have been added to make IPv6 suitable as the next-generation IP. IPv6 uses 128-bit addresses, providing a greater number of addressable nodes, better support for stateless autoconfiguration, and a better address hierarchy, which in turn leads to better routing. Embedding optional information in extension headers allows efficient router implementations while still handling optional information directed to routers. The use of extension headers to carry optional information fixed the IPv6 header length. Combined with the Fragmentation At Source Only policy, this simplified the IPv6 header, thus increasing the efficiency of routers. The limit on options has been relaxed, and it is much easier to add new options using extension headers.
Further, the design of IPv6 incorporates the concept of a flow; flow labeling, along with the source and final destination information, helps routers maintain state for the flow for special handling, if necessary. Security and privacy features are built into the design of IPv6.
Q: Where are good resources for obtaining more information on IPv6?
A: There are many sites on the Net. However, these two sites can be a good starting point:
http://www.ietf.org/html.charters/ipngwg-charter.html
http://playground.sun.com/pub/ipng/html/ipng-main.html

Q: What is the core set of RFCs specifying the IPv6 header and extension headers?
A: Most of the information in this chapter is based on the following RFCs. Newer RFCs may render these RFCs obsolete:
RFC2460: IPv6, Hop-by-Hop Options, Routing, Fragment, and Destination Options
RFC2402: IP Authentication Header
RFC2406: IP Encapsulating Security Payload Header

Q: What is the implementation status?
A: It is being developed for many host systems and routers, including 3Com, Cisco Systems, Digital, and IBM. The http://playground.sun.com/pub/ipng/html/ipng-main.html site also has information and links providing the details.
References

[RFC2462] "IPv6 Stateless Address Autoconfiguration." S. Thomson and T. Narten. December, 1998.
[RFC2401] "Security Architecture for the Internet Protocol." S. Kent and R. Atkinson.
"Route Optimization in Mobile IP." C. Perkins and D. Johnson. Internet draft, draft-ietf-mobileip-optim-07.txt, November, 1997. Work in progress.
[RFC2402] "IP Authentication Header." S. Kent and R. Atkinson.
Appendix A * Address Assignment
Introduction

Each host connected to an IP network must have an IP address. For connectivity on the Internet, the address space must be managed to ensure the uniqueness of each address. In the past, Jon Postel gave IP addresses to universities connected to the Internet (well, the Arpanet at that time). Then Internic, an umbrella created by the US government, gave IP addresses to any requesting organization. At that time, Jon Postel was still managing the whole address space, giving ranges of addresses to Internic.
Registries

Now, the Internet Assigned Numbers Authority (IANA) manages the whole IPv4 address space and the IPv6 address space. IANA gives ranges of addresses to regional registries; those registries give address ranges to Internet Service Providers (ISPs), who then give addresses to corporations (or to smaller ISPs). Each level of delegation has to prove to the upper level that it has consumed most of its address space before requesting another range of addresses. The three regional registries are:
- American Registry for Internet Numbers (ARIN): http://www.arin.net
- Réseaux IP Européens - Network Coordination Center (RIPE-NCC): http://www.ripe.net
- Asia-Pacific Network Information Center (APNIC): http://www.apnic.net
ARIN covers North America, South America, the Caribbean, and sub-Saharan Africa. RIPE-NCC covers Europe, the Middle East, and parts of Africa. APNIC covers Asia and the Pacific. If you are not connected to the Internet and don't want to be, then there is an IP address space reserved for that situation. It is
called the private address space and is described in RFC 1918 and discussed in the NAT chapter in this book. On the other hand, if you need addresses for your network, you should ask your upstream Internet provider to give you a range of addresses for your own use. As soon as you move to another provider, you will need to remove the previous range of addresses and renumber to the new range of addresses.
Provider-Based Assignments

Around 1996, to minimize the routing table explosion, the technical community agreed to enforce Classless Inter-Domain Routing (CIDR) by asking corporations to get their range of IP addresses only from their upstream provider. By doing so, the number of entries in the global routing table grows at a much lower rate than the number of networks connecting to it, because ISPs aggregate the addresses of their customers. But there are some exceptions to this rule, mainly when you are multihomed. In IPv6, the addressing architecture is based on provider-based addresses, which means that IPv6 enforces CIDR from the beginning. As discussed in the IPv6 chapter, IPv6 clearly will be more scalable because of this optimized routing and the address space it has. The drawback of renumbering when using provider-based addresses has been addressed in IPv6 by a specific protocol.
Cost of an IP Address

In theory, an IP address costs nothing. The registries are not-for-profit organizations. They charge a fee to their clients (ISPs) for the registration service, not for the IP addresses themselves. In some ways, ISPs will include this cost in the prices of their service to their clients, so the effective cost of IP addresses is hidden somewhere.
How to Find an IPv4 Address Delegation

Each regional registry maintains a database of its address assignments. ISPs are mandated to provide the information about their own assignments to customers. All this information is available by using a simple query protocol called whois. From the early days, whois has been available in Unix as a command, but has not been available in the other environments. Now, all registries have a Web interface to the whois database, which makes it accessible to users. The following URLs point to the Web whois interface for all registries:
- ARIN: http://www.arin.net/whois/index.html
- RIPE: http://www.ripe.net/db/whois.html
- APNIC: http://www.apnic.net/apnic-bin/whois.pl
- Network Solutions (Internic): http://www.networksolutions.com/cgi-bin/whois/whois
- US Department of Defense: http://nic.mil/cgi-bin/whois
The whois database includes not only IP addresses, but other data, such as the maintainers of those IP addresses, the Autonomous System (AS) numbers, etc. Here is an example: I want to know who is responsible for the 206.123.31.0 address space. I choose to go to the ARIN whois Web interface (http://www.arin.net/whois/index.html) and ask for the address in Figure A.1.
Figure A.1 ARIN whois web interface.

The answer given by the ARIN whois database is shown in Figure A.2.

Figure A.2 ARIN whois answer to 206.123.31.0.
Canadian Registry (NETBLK-CA-RISQ3) CA-REGISTRY3    206.123.0.0 - 206.123.255.0
ViaGenie Inc. (NET-VIAGENIE) VIAGENIE               206.123.31.0
The answer in Figure A.2 says that the 206.123.X.X range has been given by ARIN to the Canadian Registry, and the Canadian registry gives the 206.123.31.0/24 range to Viagénie Inc. Then, if I click on NET-VIAGENIE to know more about it, it will show me the information in Figure A.3.
Figure A.3 ARIN whois answer to NET-VIAGENIE.

ViaGenie Inc. (NET-VIAGENIE)
   3107 des hotels
   Ste-Foy, Quebec G1W 4~15
   CA

   Netname: VIAGENIE
   Netnumber: 206.123.31.0

   Coordinator:
      Blanchet, Marc  (MB841-ARIN)  Marc.Blanchet@VIAGENIE.QC.CA
      418-656-9254

   Domain System inverse mapping provided by:

   JAZZ.VIAGENIE.QC.CA          206.123.31.2
   SOCRATE.RIQ.QC.CA            199.84.128.1

   Record last updated on 23-Jan-1996.
   Database last updated on 8-Nov-1999 03:49:11 EDT.
This answer tells me where Viagénie Inc. is located, who is responsible for it, and what DNS servers are answering for the inverse mapping of those addresses. The whois databases are all defined with objects (like the NET-VIAGENIE object) that have a maintainer associated with them. In this example, the maintainer ID of the NET-VIAGENIE object is MB841-ARIN. This is the way to keep track of who is responsible for which object. It is the same with the domain name registries.
How to Find an IPv6 Address Delegation

To test IPv6, a test network called 6Bone was built in July 1996. It is still running and alive. Each site has a prefix (address range) delegated from a test prefix allocated by IANA: 3ffe::/16. A registry with a whois interface has been set up to handle the registrations, and is available through the 6Bone Web site: http://www.6bone.net. The official IPv6 addresses are available from the previous registries (ARIN, RIPE, and APNIC), and these registries have the same Web interface for both the IPv6 and IPv4 addresses.
Internet Governance

For a few years, work has been done in the global community on Internet governance, which covers many domains and issues. The current orientation for IP address assignments is to move the IANA functions to the Internet Corporation of Assigned Names and Numbers (ICANN: http://www.icann.org). But at the time of this writing, many discussions are still pending.
Summary

Address assignments are controlled at the highest level by IANA. It assigns ranges of addresses to regional registries as needed, and those registries assign ranges of addresses to ISPs, which then assign them to corporations. This enables CIDR, which makes Internet routing efficient. This process is the same for both IPv4 and IPv6. You can see the assignments by looking at the whois databases at the various registries. Important discussions are currently being held on Internet governance, mostly around ICANN.
Index
options, length. See Internet Protocol version 4 (IPv4). plan, 100, 109 creation, 45. See also Fixed length mask. design, 44 problems, 103 requirements, 53 determination, 40-44 scheme. See Internet Protocol. strategy, 3. See also Class A. Addressing plan. See Variable-Length Subnet Mask. Administrative (Admin) LANs, 102, 105 Administrative scopes, 346-347 usage, 347 Administrative user, 6 Aggregate route, 229 Aggregates. See Fractional aggregates. Aggregation, realization, 374-375 Aggregator, 233 All-hosts address, 347 All-routers group, 342 All Subnets Are Local Option (option), 320 Allocations depiction, 380 granularity, 89 American Registry of Internet Numbers (ARIN), 52, 354, 380 Anycast address, 403-405 applications, usage, 405 APNIC, 52, 354, 380 Applications. See TCP; TCP-based applications. parameters, 323-328 protocols, 4 usage. See Anycast.
Architecture. See Internet Protocol version 4; Security. Area Border Router (ABR), 254, 262 ARIN. See American Registry of Internet Numbers. ARP. See Address Resolution Protocol. ARP Cache Timeout (option), 322 ARP settings, 184 AS. See Autonomous System. As built documentation, 41 ASB, 265 ASCII, 127 Asia Pacific Registry, 52 ASN. See Autonomous System Number. Assignable IP address, 54 Assigned IP addresses, 97 Assignments. See Generic assignments; Internet Assigned Numbers Authority. Asynchronous WAN links, 247 ATM, 253, 341 Authentication, 419-420, 425. See also Optional authentication; Routing. capability, 415 header, 362, 419, 420, 426, 429, 442-444 Autoconfiguration, 383 mechanisms, 416 simplification, 396-398 Autonomous System (AS), 255, 261, 267-275, 383 AS Border Router, 266 boundary routers, 254 defining, 269 topology, 252 Autonomous System Number (ASN), 247, 379
B Backbone, 257, 262, 393, 400. See also Collapsed backbone; Multicast. engineer. See Internet. network. See Corporate backbone. routers, 254, 370 routing tables. See Internet. Bandwidth, 239, 243 saving, 348 usage/scaling, efficiency, 348 Bastion host, 167 BGP. See Border Gateway Protocol. Binary address, 33 Binary numbering systems, 17-18 Binary numbers, 36 Binary representation, 20, 38 Binary subnet field, 28 ID, 50 Bits. See Highest-order bit; Networks. amount, 365-370 ordering problems. See Token Ring. Blocks, 62. See also Addresses; Class C; Classless Inter-Domain Routing; Private addresses. addresses, 235 diagrams, 150 Boot File Size (option), 317 Bootfile Name, 305 BOOTP. See Bootstrap Protocol. BOOTREPLY. See Bootstrap Reply. BOOTREQUEST. See Bootstrap Request; Client BOOTREQUEST. Bootstrap Protocol (BOOTP) clients, 333 functionality, 312 database, 293, 297
file, 334 Dynamic Host Configuration Protocol, comparison, 311-312 function, explanation, 312-313 implementation checklist, 333-334 interoperation. See Dynamic Host Configuration Protocol. messages, 292, 295 networks, 328-333 objectives, usage. See Internet Protocol addresses. options, RFC 1497 influence, 314-318 packet, 288, 333 process details, 294-297 protocol, 299 relay agent, 285, 328-330, 334 servers, 292, 301, 332, 334 database, 297-298 usage, 286-287 vendor-extensions, 313 Bootstrap Reply (BOOTREPLY), 283. See also Server BOOTREPLY. packet, 298 field values, 296-297 unicast message, 329 Bootstrap Request (BOOTREQUEST) message, 290, 291 packet, 296, 311, 329 Border Gateway Protocol (BGP), 224, 248, 250, 277, 371, 377, 406 functionality, 371 instability, 393 protocols, 254 requirements, 267-272 routers, 270, 271 speakers, 393 update, 270 version 4, 226
Border routers, 271 Branch offices, 44, 91 routers, 42, 91 Bridges, 41, 43 Broadcast Address (option), 320-321 Broadcast-intensive protocol, 243 Broadcasts, 332 addresses, 30, 31, 35, 54. See also Subnets. networks, 253, 259. See also Nonbroadcast networks. packets, 251 BSD, 272
C Cache aging, 359 Call set-up control message, 431 CERN HTTP server, 171 CERN proxy, 171 CHADDR, 297 (code), 292 (field), 294, 295, 298, 332 values, 308 Channels. See Multicast. occupancy, 239 Checkpoint, 174 Checksums, 163, 166, 420, 424 Choke point, 115 CIADDR, 294, 297 (code), 291 CIDR. See Classless Inter-Domain Routing. Circuit-level proxy, 172 Cisco, 154, 188, 206, 237 devices, 130 IOS, 130, 131, 135-137, 144-145, 157-160 configuration commands, 13
PAT, 157 routers, 13, 164, 173, 255, 272 lines, 130 Class A addresses, 6-7, 88, 95, 97, 227 blocks, 370, 391 networks, 23, 25, 26, 89, 100, 268 address, 45, 88 private network, 102-103 address assignment, 105-108 addressing strategies, 103-105 administration, ease, 101, 108 documentation, 101, 108 results, 108-110 simplicity, 101, 108 subnetting strategy, 101-110 subnetting tables, 67-72 Class B, 88 addresses, 7-8, 19, 34, 91, 220, 227 block, 98 blocks, 370 networks, 23, 25, 28, 65, 88, 89, 93, 97, 100, 202, 268 address, 45 problem, 207 subnetting tables, 73-76 Class C addresses, 8-9, 33, 57, 95, 96, 227, 235, 279 blocks, 236, 370 networks, 23, 25, 31, 32, 45, 53, 57, 88, 89, 98, 208, 268 address, 26, 45 prefixes, 64 problem, 207 subnetting problem, 208 tables, 35, 76-78
VLSM, problem, 206-210 completion, 210-214
Class D addresses, 344
Class E addresses, 344
Class masks, 192
Classful addressing, 3-9
Classless addressing, 225. See also Classless Inter-Domain Routing.
Classless Inter-Domain Routing (CIDR), 50, 88, 89, 225-236, 277, 355, 370, 390 addresses, 88, 232 usage. See Networks. addressing, 237 block, 65, 234 prefix, 229 capability, 231 CIDR-capable routing protocol, 236 classless addressing, 236 contribution, 112 inception, 372 notation, 66, 89, 97 tab, 57 terminology, 97
Classless routing, 245
Client BOOTREQUEST, 294-295
Client functionality. See Bootstrap Protocol.
Client Identifier, 308-309
Client/server model, 283
CLNP. See Connection-Less Network Protocol.
Collapsed backbone, 91
Collisions, 146
Computing devices, 14
Configuration. See Internet Connection Sharing. errors, 166 examples. See Network Address Translation.
files. See Routers.
Connection-Less Network Protocol (CLNP), 355, 356
Connection-oriented protocols, 143
Connection tables, 159
Contiguous IP addresses, 227
Contiguous network, 237
Contiguous subnets, 236-237
Control channel connection, 170
Convergence, 258 time, 245. See also Routing Information Protocol.
Cookie Server List (option), 316
Corporate backbone, 109 network, 102
Corporate network, 402
CPU cycles, 364
CUSeeMe, 157
D
Data flow, 168
Data-link frames, 288
Data networks, growth, 44
Databases, 63, 239. See also One-table database; Routes; Routing. software, 63
Datagrams, 27, 28, 35, 48. See also Internet Protocol. forwarding, 16
DC LANs, 106, 109
DCC send, 157
Decimal address, 5
Decimal numbering systems, 17-18
Decision making, management. See Information Systems department.
Dedicated leased lines, 92
Default Finger Server List (option), 327
Default Internet Relay Chat (IRC) Server List (option), 328
Default IP Time-to-Live (option), 319
Default mask, 20, 23
Default timer, 266
Default World Wide Web (WWW) Server List (option), 327
Delay time. See Topological delay time.
Demilitarized Zone (DMZ), 168, 169, 185
Denial of Service (DOS), 176
Deployed subnets, 198
Designated Router (DR), 261
Destination address, 120, 125, 252, 364, 444 field, 442 IP address, 149 network, 246 node, 435, 441, 448 options, 425, 426, 439, 448 header, 443, 446-448 header I, 361 header II, 363 port number, 288 UDP port number, 329
Devices. See Internet Protocol; Internetworking devices; Local devices; Multihomed devices; Physical devices; Source device; Target device. addresses allocation, 58-62 assignation, 60-62
DHCP. See Dynamic Host Configuration Protocol.
Dial-up interface, 162
Differentiated Service (DiffServ), 358
DiffServ. See Differentiated Service.
Diffusing Update Algorithm (DUAL) finite state machine, 243
DISCOVER-OFFER-REQUEST-ACKNOWLEDGEMENT process, 309
Discovering, 349
Distance-vector-based routing, 242
Distance Vector Multicast Routing Protocol (DVMRP), 342
Distance-vector protocol, 238
Distribution centers, 104. See also Regional distribution centers. LANs, 106 WAN links, 105-106
Distribution LAN, 109
DMZ. See Demilitarized Zone.
DNS. See Domain Name System.
Documentation, 59. See also As-built documentation; Class A; Networks.
Domain Name (option), 317
Domain Name System (DNS), 12, 96, 287, 404 connections, 159 DNS Server List (option), 315 domain name, 317 entries, 13, 379. See also Forward DNS entries; Reverse DNS entries. proxy, 131 queries, 146 servers, 12, 123, 126, 154, 286, 293, 310, 311, 404, 405 address pool, 309 setup, 126
Domains. See Internet.
DoS. See Denial of Service.
Dotted decimal notation, 33, 34, 367, 368
Double NAT, 123-126
Downstream connectivity, 389
DR. See Designated Router.
DSL, 161 setups, 131
DUAL. See Diffusing Update Algorithm.
DVMRP. See Distance Vector Multicast Routing Protocol.
Dynamic address assignment, 299 role, 283-284
Dynamic addressing protocols, history, 284-286
Dynamic Host Configuration Protocol (DHCP), 100, 155, 234, 416 address assignments, 286 scopes, 310-311 BOOTP, interoperation, 309-310 comparison. See Bootstrap Protocol. configuration, 414 DHCPREQUEST, 302 DHCP Message Type, 305-306 DHCP-specific option codes, 328 DHCP-specific options, 304-309 DHCPACK, 302, 307 message, 306 DHCPDISCOVER, 302 requests, 309 DHCPNAK message, 306 DHCPOFFER, 304 DHCPRELEASE message, 300 DHCPREQUEST, 306 extension, 308 function, explanation, 298-303 implementation checklist, 334 interoperability, 298 message, 306 size. See Maximum DHCP Message size. types, 302-304, 310 networks, 328-333 objectives, usage. See Internet Protocol addresses. options, 313-328 process
details, 301-303 overview, 299-300 servers, 131, 132, 287, 299, 300, 307, 331, 386 usage, 286-287
Dynamic NAT, 139-141, 147, 148, 159 function, explanation, 141-142 problems, 142-144
E
E-mail, 95
EBGP, 271, 393 requirements, 272-276
EGP. See Exterior Gateway Protocol.
EGRP, 238
EIGRP. See Enhanced Interior Gateway Routing Protocol.
Encapsulating Security Payload (ESP), 425 extension headers, 419 header, 363, 426, 445-446
Encrypted security payload header, 363
Encryption algorithm, 445
End (code), 314
End points, 268
Enhanced Interior Gateway Routing Protocol (EIGRP), 40, 66, 206, 235, 242-244, 403 concepts, 243-244
Error Message, 307
Error rates, 238
ESP. See Encapsulating Security Payload.
eth0 interface, 138
Ethernet, 146, 162, 341, 383. See also 802.3 Ethernet. 0 interface, 13
address, 2 cards, 388 encapsulation type, 322 header, 439 hub, 49 II, 322 interface, 10 network, 2, 3, 11, 14, 243, 246 ports. See Fast Ethernet ports. segments, 26, 49 star topology, 253
Ethernet Encapsulation (option), 322
European Registry, 52
Extension headers, 415, 424-448. See also Encapsulating Security Payload. field, 432
Extensions Path (option), 318
Exterior Gateway Protocol (EGP), 250, 267 protocols, 254
External links, 261, 265 information, 261
External routes, 254
External routing, 253
Externally derived routes, tagging, 252
F
Fast Ethernet, 162 ports, 135
Fastethernet 0/1, 157
Feal Audio, 157
Field Overload, 304-305
Fields descriptions/comments, 288-293 involvement, 331-333 values. See Bootstrap Reply.
FILE (code), 293 (field), 294, 295, 297, 305
File Transfer Protocol (FTP), 126, 138, 152, 155, 167 client, 160, 171 programs, 170 difficulty, 127 handler, 156 module, 157 protocol, 179 server, 12 session, 128, 142
Filtering routers, 168
Filters, 382. See also Packet filters; Stateful packet filters.
FIN exchange, 139, 149
FIN flags, 149, 159
FIN packets, 151, 152, 163
Finger Servers, 327
FireWall ToolKit (FWTK), 114
Firewalls, 114-119, 169, 189-190, 382. See also Proxies; Three-interface firewall. administrators, 115, 179 capabilities, 165-180 definition, 165 effect, 152 products, 120, 123, 145
Fixed length mask, 19-36 networks addressing plan creation, 39, 40 exercises, 65-66 FAQs, 64-65
Fixed-length-mask addressing plan, 40
Fixed-length subnet masks, 104, 192
Fixed-length subnetting, 66, 201
Fixed mask addressing, 40 approach, 104
Fixed-subnetted networks, 40
FLAGS (code), 291 (field), 294, 297, 332
Flags, 422
Flooding, 261
Flow, 418-419
Flow label, 358-359
Flow labeling, 418-419
Flush timer, 241
Format Prefix (FP), 372-373
Forward DNS entries, 387
FP. See Format Prefix.
Fractional aggregates, 235
Fragment, 425 header, 362, 426, 438-441
Fragmentation header, 440, 441 offset, 422 processing, 444
Frame-Relay, 383
Frame relay network, usage, 92
FTP. See File Transfer Protocol.
Full-time access, 64
FWTK. See FireWall ToolKit.
G
Garbage collection, 245
Gateway addresses, 292
Gateways. See Local gateways.
Generic assignments, 344
GIADDR, 294, 297, 332 (code), 292 (field), 311, 330, 337 role, 330-331
Global addresses. See Internet.
Global routing tables, 234
Globally Routable Unicast addresses, 373, 381, 384, 388, 390, 396, 404, 408 addressing, 401 prefixes, 372
Globally unique addresses, 51, 94, 98, 99
Globally unique IP addresses, 96, 110
Grow Towards the Middle technique, 61-62
GUI, 180
GUI FTP clients, 170
H
Hackers, 245
Hardware failure, 418
HDLC, 383
Header Extension Length field, 430, 436
Headers. See Authentication header; Destination; Encrypted security payload header; Extension headers; Fragment header; Hop by hop options header; Internet Protocol version 6; Next header; Routing. correspondence, 424 fixed length, 417 length field, 422 simplification, 417
Headquarters, 102, 104 LANs, 47, 48, 91, 102, 105 interfaces, 47 location, 92, 108 router, 42 subnets, 93 WAN links, 105-106
Hexadecimal system, 17
Hide NAT, 145
Hierarchy, levels, 104
Highest-order bit, 428
HLEN (code), 290 (field), 294-296, 332
Hold-downs, 240, 2425
Hold-time period, 241
Home network, 434
Hop by Hop header, 361
Hop-by-hop option, 425, 439 header, 426, 427, 430-433
Hop by hop options header, 360
Hop count, 247, 249. See also Metric hop count.
Hop limit, 364, 423
HOPS (code), 290 (field), 331-332
Horizons. See Split horizons.
Host Name (option), 317
Host-name-to-address-resolution database, 286
Host-to-host protocol, 4
Hosts, 234, 390. See also Bastion host; Local hosts. addresses, 30, 46, 47 addressing, simplification, 394-396 bits, 45, 53 definition, 30 fields, 21, 22, 25, 32, 35 ID, 104, 105, 388, 396, 397 networks, 251
HOSTS file, 293
HP JetDirect, 43
HQ-DC links, 107
HTTP, 152, 179 1.0, 143 proxy, 178 request, 96 server. See CERN HTTP server.
HTYPE (code), 289-290 (field), 294-296, 298, 308, 332
Hubs, 43, 253
I
IANA. See Internet Assigned Numbers Authority.
IBGP requirements, 272-276
ICANN. See Internet Corporation for Assigned Names and Numbers.
ICMP. See Internet Control and Message Protocol.
ICS. See Internet Connection Sharing.
ICV. See Integrity Check Value.
IEN 116 Name Servers, 315
IETF. See Internet Engineering Task Force.
ifconfig (command), 137
IGMP. See Internet Group Management Protocol.
IGP. See Interior Gateway Protocol.
IGRP. See Interior Gateway Routing Protocol.
Impress Server List (option), 316
Industry support. See Multicast.
Information Systems department, decision making management, 266-267
Information Technology (IT) industry, 42 profession, network usage, 230
Integer distance, 246
Integrated IS-IS, 235
Integrity Check Value (ICV), 443
Inter-area routing, 253
Inter-enterprise links, 99
Internal network, 118
Interconnected network, 90
Interface MTU Option (option), 320
Interfaces, 42, 122. See also Ethernet; Headquarters; Local Area Networks; Physical interfaces; Secondary interfaces; Wide Area Network. commands, 136 ID, 374-375 names, 158 usage. See Unnumbered interfaces.
Interior Gateway Protocol (IGP), 238, 250, 251, 274, 277, 384, 385, 403
Interior Gateway Routing Protocol (IGRP), 40, 66, 237-241, 251, 258 RIP-2, comparison, 247-248 stability, 241
Interior routing protocols, 235
Internal dialing, 228
Internal IP address, 149
Internal network, 235, 244 topology, 238
Internal OSPF routes, 254
Internal routers, 254
Internet, 88, 96 access, 118, 140 addresses, 4. See also Unicast. mapping, 9 architecture, 97 backbones, 371, 373 engineer, 361 routers, 369 community, 94 connectivity options, 161 default-free backbone routing tables, 369 domains, 231 global addresses, 381-387
networks, 19 non-CIDR-capable portions, 231 routing complexity, 376 table integrity, 385 scalability problems, 356 site, 12
Internet Address Registry, 50
Internet Assigned Numbers, 94
Internet Assigned Numbers Authority (IANA), 94, 313, 344, 351, 379-380 assignments, 345-346
Internet Connection Sharing (ICS), 131-135, 154, 163, 164 configuration, 132 issues, 155
Internet Control and Message Protocol (ICMP), 144, 160, 431 mask discovery, 321 parameter problem, 427, 432, 433, 436 Unrecognized Type message, 448 version 6 (ICMPv6), 362
Internet Corporation for Assigned Names and Numbers (ICANN), 94, 95
Internet Engineering Task Force (IETF), 226, 237, 342-344, 358, 366, 400, 406, 410
Internet Group Management Protocol (IGMP), 341, 342, 350
Internet Protocol (IP), 15, 28, 43, 243 addressing, 89, 90, 224. See also Private IP addressing. plan, 40, 64 rules, 95, 100 scheme, 15 calculator, 62
Chains, 156, 188 data transmission rules, 11 datagrams, 10, 13, 35 destinations. See Multiple IP destinations. address, 295 devices, 16, 35, 58 forwarding, 318 header, 420, 438 IP Datagram header, 333 IP Forwarding Enable/Disable (option), 318 IP-level TTL field, 323 layer, 438 layer parameters per host, 318-320 per interface, 320-322 mapping, 136 masquerade, 162, 167. See also Linux. Linux, 187-188 multicast, 350 mapping, 341 networks, 5, 14, 49, 101 Precedence bits, 358 process, 30 protocols, 95 resources, 5 routers, 344 routing protocols, 66 software, 35, 36, 96 modules, 100 space, 378 stacks, 347-348 subnets, 27 subnetting, 13, 37 TTL field, 333 unnumbered, 46, 66
Internet Protocol (IP) addresses, 19, 20, 27, 30, 32, 33, 40, 45, 48, 90, 95, 98, 117, 123, 270, 365, 404. See also Assignable IP address; Assigned IP addresses; Contiguous IP addresses; Destination; Internal IP address; Public IP addresses; Source; Virtual IP addresses. allocation, 51 amount, need, 161 assignment, 62, 94 automatic assignment BOOTP/DHCP objectives usage, 281 FAQs, 336-338 introduction, 282-286 availability, 61 basics, 2-13 bits, 45 blocks, 232 configuration, 284 mapping, 9 need, determination. See Subnets. range, 41, 42 calculation. See Subnets. retrieval, 50-53 size, increase, 388-390 specification, 255 tracking, 62 usage, 95-96. See Networks. work documentation, 62-63
Internet Protocol (IP) Subnet Calculator, 57
Internet Protocol Next-Generation Working Group (IPNGWG), 406, 407, 409
Internet Protocol version 4 (IPv4), 3, 91, 349, 354 addresses, 4, 5, 36, 386 addressing, 2 options, length, 418
architecture, 88 headers, 422-424 networks, options usage, 426
Internet Protocol version 6 (IPv6), 91, 231, 251 benefits, 387-405 development, 406-410 enabling, amount determination, 361 Mobility Support Internet-Draft, 447-448 packet, 360 header, 357
Internet Protocol version 6 (IPv6) addressing, 353 basics, 354-356 FAQs, 411-412 introduction, 354 scheme characteristics, 357-387 version, 358
Internet Protocol version 6 (IPv6) headers, 413, 420-422, 426 extension/option, improved support, 417 FAQs, 450 introduction, 414-415 references, 451
Internet Registry, usage, 52
Internet Relay Chat (IRC), 157
Internet Service Provider (ISP), 50, 64, 94, 95, 112, 118, 227, 232, 268, 278, 343, 374, 406. See also Major ISP; Minor ISP. address assignment, 233-234 change, 349 routers, 140 usage, 51-52
Internet-wide connectivity, 231
Internet-wide IP connectivity, 234
Internetwork, 101 design, review, 40-41
Internetworking devices, 44
Interoperability, 415 problems, 49, 59
Intra-area routing, 253
Intradomain routing protocols, 235
Intranet, local addresses, 381-387
Invalid timer, 241
IOS. See Cisco.
IP. See Internet Protocol.
IPng, 231
IPNGWG. See Internet Protocol Next-Generation Working Group.
IPSec, 130
IPv4. See Internet Protocol version 4.
IPv6. See Internet Protocol version 6.
IPX, 356
IRC. See Internet Relay Chat. Server List. See Default Internet Relay Chat Server List.
IS-IS, 251, 403. See also Integrated IS-IS.
ISDN, 161
ISP. See Internet Service Provider.
IT. See Information Technology.
J
Java, 177
Jumbo Payload Option, 430, 432
L
LAN. See Local Area Network.
Layer-2 switches, 43, 63
Layer 3 address translation, 120 headers, 120
Layer-3 switches, 42, 43, 63
Layer 4 headers, 120
Layer parameters per host. See Internet Protocol. per interface. See Internet Protocol; Link layer parameters per interface.
Layer protocol, 3
Lease Time, 304
Leased lines. See Dedicated leased lines.
Leased point-to-point line, 102
Leased T1 lines, 65
Legacy problems, 365
Length field, 417. See also Headers.
Link analyzer, 256
Link layer, 341 parameters per interface, 322
Link Local, 384, 385, 388
Link-local address, 344
Link-local network, 382
Link-local scope, 347
Link-state advertisement, 261
Link-state algorithm, 260
Link-state database, 260
Link-state information, 261
Link-state messages, 260, 262
Link-state technology, 239, 252
Link-state update, 263
Links. See Distribution centers; External links; Headquarters; HQ-DC links; Networks; Physical links; Point-to-point links; Point-to-point WAN links; Routers; Summary links; Virtual link; Wide Area Network.
Linux, 130, 272 IP masquerade, 137-139, 156-157 kernel, 156
Load sharing, 252
Local addresses. See Intranet. hierarchy, 415
Local Area Network (LAN), 13, 90, 91, 102, 105, 108, 164, 192, 199, 386, 390. See also Admin LANs; Administrative LANs; DC LANs; Distribution centers; Distribution LAN; Headquarters; Store LANs; Warehouse LANs. addresses, 107 configuration, 388 connections, 42, 131 interfaces, 42, 131, 137, 155 segment, 397 segments, 41, 46-47, 49 topology, 262
Local devices, 6
Local gateways, 4
Local hosts, 7
Local net, 4 addresses, 4 mapping, 9
Log Server List (option), 316
Loop-free paths, 243
Loopback interfaces, 275-276
Loose Source Route and Record, 361, 433
Low overhead topology changes, response, 252
LPR Server List (option), 316
M
MAC address, 285, 290, 292, 394, 395, 397
Mail server, 12
Major ISP, 52
Management consultant reports, 102
Manual address assignment, 299
Many-to-many NAT, 138, 144
Many-to-one NAT, 155
Many-to-one PAT, 156
Mask Supplier (option), 321
Masking, 225
Masks. See Class masks; Default mask; Fixed length mask; Fixed-length subnet masks; Natural mask; Subnets; Variable-Length Subnet Mask. addressing. See Fixed mask. choice, 45-50, 53, 56, 62 cohesiveness, 204 components, 21 creation. See Networking problems. function, 19-20 interaction. See Addresses. interpretation, 34 necessity. See Variable length masks. number, 210 usage, 37 determination, 200-201 values binary determination, 22-23 decimal equivalent, 23-25
Matrix, 199
Maximum Datagram Reassembly Size (option), 319
Maximum DHCP Message size, 307
Maximum Transmission Unit (MTU), 319, 362, 423, 438, 439. See also Path MTU. value, 320
Mbone. See Multicast.
Memory space, 251
Mergers/acquisitions, 44, 95
Merit Dump File (option), 317
Meshed links, 252
Message Digest Authentication, 256
Messages. See Update messages.
Metric Cost, 239 parameter, 266
Metric hop count, 243, 245-248
Metrics, 243, 244, 246-248
Microsoft Proxy Server (MPS), 155, 172
Migrations, 258
Minor ISP, 52
MIT-LCS UDP log servers, 316
Mobile IP Home Agent (option), 326
MOSPF. See Multicast.
MPLS. See Multi-Protocol Label Switching.
MPS. See Microsoft Proxy Server.
MSDP. See Multicast Source Discovery Protocol.
MTU. See Maximum Transmission Unit.
Multi-Protocol Label Switching (MPLS), 358-359
Multicast, 439. See also Internet Protocol. addresses, 344-347 scope, TTL usage, 346 backbone (Mbone), 343, 344, 346, 400 channels, 349 definition, 340-343 experience, 343 group, joining, 341-342 industry support, 350 management, administrative scopes usage, 347 mapping. See Internet Protocol. nodes, 448 OSPF (MOSPF), 342 routing, 343 protocols, 342-343 scalability improvement, 398-403
session, 402 usage, reason, 348-350
Multicast addressing, 339 FAQs, 351 references, 351-352
Multicast Source Discovery Protocol (MSDP), 400
Multicast-speaking machines, 396
Multicasting, 251, 340
Multihomed devices, 10-12
Multihomed link, 269
Multihoming, 9, 10 problem, 406-409
Multinetting, 12-13, 47
Multiple addresses per interface, 12-13
Multiple IP destinations, 229
N
Name Server List (option), 315
NAT. See Network Address Translation.
Natural mask, 20
NBDD server addresses, 325
NBT node type, 325
Neighbor discovery, 242, 383 recovery, 242 table, 243
Net3 Group, 57
NetBIOS, 2
NetBIOS over TCP/IP Datagram Distribution Server List (option), 325 Name Server List (option), 324 Node Type (option), 325 Scope (option), 325
Netizens, 94
Network Address Translation (NAT), 90, 95, 99, 100, 111, 113. See also Double NAT; Dynamic NAT; Hide NAT; Many-to-many NAT; Many-to-one NAT; One-to-one NAT; Static NAT. advantages, 161-162 command, 145 configuration, 122 examples, 130-139, 144-145, 154-160
devices, 147, 162, 176 explanation, 119-120 FAQs, 183-186 function, explanation, 120-160 introduction, 114 packages, 163, 165 performance issues, 162-164 products, 123, 156, 188 proxy server, comparison, 174-177 references/resources, 187-190 routers, 124 usage, 161 whitepapers, 189
network (command), 255
Network Information Server List (option), 324
Network Information Service+ Domain (option), 326 Servers list (option), 326
Network Information Service (NIS) Domain (option), 323-324 server, 324
Network-layer addresses, 285
Network-Layer Reachability Information (NLRI), 377
Network Management applications, 63
Network/mask combination, 55
Network News Transport Protocol (NNTP) Server List, 327
Network Service Provider, 375, 378. See also Tier-2 Network Service Provider.
Network/subnet, 49
Network Time Protocol Server List (option), 324
Networking device, 10 problems, mask creation, 26-27
Networks. See Class C; Corporate backbone; Ethernet; Fixed length mask; Internal network; Internet; Internet Protocol; Point-to-point networks; Private networks; Routing Information Protocol. addresses, 6, 8, 25, 30, 214. See also Class A; Class B; Class C; Private network addresses. headers, 126 hierarchy, 416 translations, 51 administrators, 7, 403 architecture, 22 bandwidth, 263 broadcast address, 30, 203 CIDR addresses, usage, 235-236 computers, 285 control panel, 131 definition, 5-6 design specifications, 41 designers, 63, 387 diagram, 194 documentation, 40 failure, 406, 418 field, 21 growth. See Data networks. hierarchy, 415 ID, 104, 109, 226 IP address usage, 197
joining, 100 layer, 242 links, 261 management system. See SNMP-based network management system. managers, 347 usage, 51 numbers, 4, 7-9, 21, 27, 88, 389 bits, 6 prefix, 50 quantity, 231-233 restriction, 390 routing protocol upgrades, 230 segments, 58, 60 specification, 255 subnetting, 87 exercises, 111-112 FAQs, 110-111 topology, 239, 261 traffic, 421 usability, 26 usage. See Information Technology.
Next-generation IPs, 449
Next-Generation TRANSition Working Group (NGTRANSWG), 407, 409
Next Header, 360 fields, 360, 364, 424, 427, 440, 445 values, 424
Next Hop, 251
Next-hop address, 319
Next-hop router address, 322
Next Level Aggregator Identifier (NLA ID), 374
Next Level Aggregator (NLA), 375-377, 380, 392, 394 aggregation, 393
NGTRANSWG. See Next-Generation TRANSition Working Group.
NIS. See Network Information Service.
NLA. See Next Level Aggregator. ID. See Next Level Aggregator Identifier.
NLRI. See Network-Layer Reachability Information.
NNTP. See Network News Transport Protocol.
Node servicing router discovery requests, 321
Nodes, quantity requirement, 199-200
Non-OSPF interfaces, 266
Nonbroadcast networks, 253
Nonlocal Source Routing Enable/Disable (option), 318-319
Nortel Networks, 265
Nortel routers, 272
NSAP addresses, 356
Numbering systems. See Binary numbering systems; Decimal numbering systems.
O
One-table database, 63
One-to-one mapping, 122, 310
One-to-one NAT, 139
OP (code), 289 (field), 294, 296
Open Shortest Path First (OSPF), 40, 66, 206, 224, 235, 239, 245, 251-267 configuration, 255-258 database, 263 implementation recommendations, 265-266 network, 258 OSPF-routing environment, 258 protocol, 258
routers, 256, 263 routes. See Internal OSPF routes. specifications, 237 version 2, 226
Operating systems, 135, 147, 164, 167
Option Data Length field, 429
Option Type, 427-429
Optional authentication, 250
OSI stack, 355
OSPF. See Open Shortest Path First.
P
Packet capture, 127 fragmentation overhead, 438 routing. See Unicast.
Packet Filter (PF), 166-168
Pad (code), 314
Parallel port, 43
Parallel routes, 238
Parameter Request List, 306-307
Passive routers, 246
Passwords, 255, 256
PAT. See Port Address Translation.
Path, reliability, 239
Path MTU, 431, 439
Path MTU Aging Timeout Option (option), 319-320
Path MTU Discovery, 320
Path MTU Plateau Table (option), 320
Payload length, 359
Peer review, 97
Per-flow handling, 421
Perform Mask Discovery (option), 321
Perform Router Discovery (option), 321
Performance, issues. See Network Address Translation.
Permanent addresses, 344
PF. See Packet Filter.
Physical address, 3
Physical devices, 26
Physical interface, 275
Physical interfaces, 9
Physical links, 257
Physical network, 13-15
Physical router, 137
PIM. See Protocol Independent Multicast.
Plug and play, 349, 414
Plug gateway, 172
Point-to-multipoint networks, 253
Point-to-point line. See Leased point-to-point line.
Point-to-point links, 93
Point-to-point networks, 46, 92, 253, 259
Point-to-point traffic, 359
Point-to-point WAN connections, 194 links, 90, 196
Poison-reverse updates, 240
Policy Filter Option (option), 319
POP3. See Post Office Protocol.
Port Address Translation (PAT), 142, 145-147, 173. See also Cisco; Many-to-one PAT. configuration, 160 device, 172 function, explanation, 147-152 problems, 152-154 process, 219
PORT commands, 128, 129, 152, 153, 163, 170, 173, 175 modification, 181 starting, 176
Port number. See Destination; UDP.
Post Office Protocol (POP3) Server List (option), 327
PPP link, 383
Prefix-based addressing, 225
Printers, 43
Privacy, 419-420 capability, 415
Private addresses, 51, 90, 99, 193 blocks, 100 spaces, 100 comparison. See also Public addresses. usage, 111
Private addressing, 87, 89, 108 exercises, 111-112 FAQs, 110-111
Private IP addressing, 101
Private network addresses, 96-100 considerations, 98-100 renumbering, 99-100 scope, 99 security, 99
Private networks, 95, 110. See also Class A. addressing, 99
Protocol addressing scheme, 368
Protocol dependent modules, 243
Protocol Independent Multicast (PIM), 342, 400
Proxies, 168-173. See also CERN proxy; Domain Name System; SOCKS proxy; Telnet. architecture, 118-119 capabilities, 165-180 firewalls, 177 forwarding packets, 446 servers, 169, 189 comparison. See Network Address Translation.
Public addresses, 90, 119 spaces, private address spaces comparison, 94-95 usage, 111
Public comment process, 97
Public IP addresses, 90
Q
QoS. See Quality of Service.
Quake, 157
Quality of Service (QoS), 355, 359
R
RARP. See Reverse Address Resolution Protocol.
Region ID, 112
Regional distribution centers, 102, 105
Registry, usage. See Internet.
Relay agent. See Bootstrap Protocol.
Reliable transport protocol, 242-243
Renumbering. See Private network addresses.
Report-writing capability, 63
Request For Comment (RFC), 2, 30, 67, 357, 412 791, 2, 4, 9, 359 887 Resource Location servers, 316 893, 322 940, 19 950, 19, 36, 46, 50, 100 951, 282, 285, 291, 297 1075, 342 1112, 340 1236, 321 1469, 341 1497, influence. See Bootstrap Protocol.
1517, 89, 226 1518, 89, 226 1519, 89, 226 1520, 226 1532, 282 1533, 314 1541, 283, 285 1542, 291 1542-compliant router, 337 1597, 96, 97, 117 1627, 97, 117 1812, 50 1883, 419 1917, 94 1918, 51, 96-100, 104, 117-119, 186, 187, 189, 383, 388 2022, 341 2131, 100, 283 2236, 341, 342 2260, 407 2365, 346 2402, 450 2406, 450 2460, 401, 450 2608, 349 discussion, 330 understanding, 282-283
Requested Address, 304
RES, 373-374
Reserved addresses, 30-31, 35-36, 61
Resource Location Server List (option), 316
Rest field, 4
Restricted addresses, 30-31
Reverse Address Resolution Protocol (RARP), 285
Reverse-connection entry, 160
Reverse connections, 167
Reverse DNS entries, 387
Rewrite, usage. See Stateful Packet Filters.
RFC. See Request For Comment.
RIP. See Routing Information Protocol.
RIP II. See Routing Information Protocol.
RIPE, 354, 380
RIPE NCC, 52
Root Path (option), 318
Routable addresses, 99, 397
Route states, 244
Route summarization, 108, 109
Route Tag field, 250
Routed networks, 328-333
Router Alert Hop-by-Hop option, 431 Option, 430
Router List (option), 315
Router Solicitation Address (option), 321
Router-to-end station communications, 258
Router-to-router communications, 258
Routers, 10, 41-43, 114-119, 224. See also Area Border routers; Branch offices; Cisco; Filtering routers; Headquarters; Internal routers; Internet Service Provider; Network Address Translation; Physical router; Subnets. addresses, 44, 292 carriage, 226 configuration files, 159 efficiency, 101, 108-110 links, 261 number, 247 types, 254 update, 238, 258, 260 usage, 47-49, 229
Routes. See Aggregate route; Externally derived routes. computation/recomputation, 244 dampening, 393 database, 249 tags, 250
Routing. See Classless interdomain routing; Classless routing; Unicasts. complexity. See Internet. database, 249 decisions, 27, 270 device, 373 domain field, 250 FAQs, 278-279 headers, 361, 426, 433-437. See also Type 0 routing header. introduction, 224-225 issues, 223 loops, 242 option, 418 packets, 246 policy, 392 protocols, 40, 206, 230, 235, 248, 251, 261, 276. See also Interior routing protocols; Internet Protocol; Intradomain routing protocols; Multicast. upgrading. See Networks. stability, 393 tables, 109, 163, 225, 232, 250, 261, 263, 379. See also Global routing tables; Internet. maintenance, 359 size, minimization, 376-380 Type, 433 Type 0, 425 update authentication, 252
impact, 248-250, 258-265 information, 262
Routing Information Protocol (RIP), 220, 224, 230, 239, 272, 342, 403 convergence time, 245 networks, 245 delays, 245 protocol, 237, 244, 245 RIP-1 comparison. See Interior Gateway Routing Protocol. requirements, 244-250 RIP-2 requirements, 250-251 RIP II, 235 routing, 258 updates, 250 security, 245 slow links, 245 support, 244 update broadcast, 245 version 1 (RIP1), 40, 92 routers, 255 version 2 (RIP2), 66, 206, 226, 277
RST, 149 packet, 151, 152
RSVP, 430, 434 usage, 431
S
Scope-defined options, 311
Secondary addresses, 13
Secondary addressing, 13
Secondary interfaces, 47
SECS (code), 291 (field), 294, 296, 332
Security. See Private network addresses.
architecture, 145, 165 breaches, 99 gateways, 444 package, 114
Segment Left field, 436
Sequence Number field, 443
Sequential allocation, 61
Serial links, 246
Serial port, 43
Server BOOTREPLY, 295-296
Server Identifier, 306
Servers, 43. See also Dynamic Host Configuration Protocol; Telnet; Users/servers. database. See Bootstrap Protocol.
Service Location Protocol (SLP), 349
Service parameters, 323-328
Services applet, 259
Shim, 172
Shortest Path First (SPF), 239, 252 algorithm, 277 SPF-based routers, 252
Shortest Path Trees, 261
SIADDR, 297 (code), 292 (field), 293, 306
Simple IP Plus (SIPP), 356
Simple Mail Transport Protocol (SMTP) Server List (option), 327
Single address per interface, 10
SIPP. See Simple IP Plus.
Site Level Aggregator Identifier (SLA ID), 374
Site Level Aggregator (SLA), 375-377, 394
Site Local, 385, 388
SixBone (6Bone), 409-411
SLA. See Site Level Aggregator. ID. See Site Level Aggregator Identifier.
Sleep timer, 241
SLP. See Service Location Protocol.
SMLI. See Stateful Multi-Layer Inspection.
SMTP. See Simple Mail Transport Protocol.
SNAME, 294 (code), 293 (field), 295, 297, 305
SNMP-based network management system, 43
SOCKS proxy, 171, 172
Solicited Node Multicast address, 397
Source address, 120, 124, 151, 159, 364, 433 device, 28 information, 421 IP address, 149, 288 machine, 29 node, 435 port, 147, 149, 151, 153
Source-routing information, 319
SPF. See Shortest Path First.
SPFs. See Stateful Packet Filters.
Split horizons, 240
Spreadsheets, 57, 62-63, 199, 214 assignments, 63
Stateful Multi-Layer Inspection (SMLI), 174
Stateful Packet Filters (SPFs), 173, 177, 183 Rewrite, usage, 173-174 shortcomings, 178-180 SPF-type architecture, 179
Static NAT, 120-121, 135, 152 configuration, 159 function, explanation, 122-123 mapping, 141
problems, 126-130
Static Router List (option), 322
STDA. See StreetTalk Directory Assistance.
Store LANs, 106-109
Stores, 104
Strategic relationships, 233
Streaming media protocol, 183
StreetTalk Directory Assistance (STDA) Server List (option), 328
StreetTalk Server List (option), 328
Structural reorganization, 233
Stubs, 254
Subnet All Ones, 36
Subnet-by-subnet basis, 44
Subnet Mask, 19-23, 25, 28, 29, 32, 33-35, 144, 226, 252. See also Fixed-length subnet masks; Variable-Length Subnet Masks. (code), 314 field, 251 inclusion, 255
Subnet Zero, 36, 46, 54, 59 usage, 49-50
Subnets, 15, 16, 19, 44, 46-48, 92, 93, 213, 226, 234, 268. See also Contiguous subnets; Deployed subnets; Headquarters; Internet Protocol. addresses, 30, 31, 33, 35, 54, 66 determination, single address/mask inclusion, 32-33 assignation, 58-60 assignment, 56, 62 worksheet, 79-86 bits, 25, 53, 54, 101 broadcast address, 33 calculators, 57-58 creation. See Variable length subnets. enumeration, 199-200
field, 21, 22, 32. See also Binary subnet field. changes, 23 groups, 105 ID, 104. See also Binary subnet ID. identifier, 45 IP addresses number determination, 42-44 range calculation, 53-58 management. See Variable length subnets. masking, 225. See also TCP/IP. tables, 195 need, 201-205, 219 analysis, 199 number, 19, 21, 26, 27, 29, 31, 35, 36, 50, 102 determination, 41-42 portion, 29 resizing, 194-196 routers, 61-62 routes, 236 tables, consultation, 45-50 types, 108 usage. See Addresses. utility, 19 Subnetted network, 285 Subnetting, 19, 28, 34, 367. See also Fixed-length subnetting; Internet Protocol; Networks; TCP/IP; Variable-length subnetting. basics, 1 FAQs, 37-38 purpose, 13-18 schemes, 23 choice, 100 standard, 19, 50 strategy. See Class A. tables, 57, 67-78, 90. See also Class A; Class B; Class C.
Successors, 243-244 Summary links, 261 Sun Solaris 2.6 computer, 348 Supernets, 226, 227, 268 addresses, 228 Supernetting, 225, 232 Swap Server (option), 317 Switches, 41. See also Layer-2 switches; Layer-3 switches. SyGate, 189 SYN packet, 150 System documentation, 11
T
T1 line, 46, 64, 65. See also Leased T1 lines. T1 Renewal Time, 307 T2 Rebinding Time, 307-308 Table entry, 163 Tabular worksheets, 55 Tag-Length-Parameter arrangement, 324 Tags, 313 Talking IP, 42 Target device, 28, 29 Target network, 28, 29 TCP, 114, 143, 160, 405 applications, 409 conflicts, 148 connections, 142, 153, 169, 273, 275, 276, 323 flow, 359 headers, 166, 167, 424, 425, 432 packet, 173 parameters, 323 ports, 167 numbers, 146 protocol, 133, 178
TCP-based applications, 405 TCP Default TTL (option), 323 TCP/IP, 244, 255 address, 273 protocols, 90, 259 router, 248 software, 175 subnet, 235 masking, 225 subnetting, 226 TCP/IP-based networks, 244 TCP Keepalive Garbage (option), 323 TCP Keepalive Interval (option), 323 TCP/UDP over Bigger Addresses (TUBA), 355 Telecommunications medium, 5 Telnet, 169 program, 171 protocol, 170 proxy, 178 server, 133 Template-based address assignment, 214-218 TFTP server, 306 TFTP Server Name, 305 Three-interface firewall, 185 Tier 1 peers, 406 Tier 1 providers, 389, 392 Tier-1 Service Providers, 391, 404, 406 Tier-2 Network Service Provider, 374 Time Offset (option), 315 Time-out information, 245 Time Server List (option), 315 Time-to-live field, 449 Timer, 149, 151, 159, 266. See also Default timer; Flush timer; Invalid timer; Sleep timer; Update timer. TLA. See Top Level Aggregator.
ID. See Top Level Aggregator Identifier. TLV. See Type-Length-Value. Token Ring, 383 bit-ordering problems, 282 Token-ring network, 3, 11, 14 Token-ring segments, 26 Top Level Aggregator Identifier (TLA ID), 373, 389 Top Level Aggregator (TLA), 375-377, 380, 391, 394 blocks, 392 Topological delay time, 239 Topology change, 266 changes, response. See Low overhead topology changes. table, 243 Topology change, 242 TOS-based routing, 252 Traffic. See Point-to-point traffic. class, 358 patterns, 192 splitting, 238, 247 Trailer Encapsulation (option), 322 Transaction identifier, 290 Transient addresses, 344 Transit area, 257 Translated IP address, 122 Transport mode, 419 Transport protocol, 149 TTL, 345 default value, 319 field, 163, 346, 347, 363. See also Internet Protocol. usage. See Multicast. TUBA. See TCP/UDP over Bigger Addresses. Tunnel mode, 444
Tunneling mode, 419 Type 0 routing, 442 header, 437 Type-Length-Value (TLV) encoded option, 431 format, 427
U
UDP, 114, 144, 152, 159, 160, 405 conflicts, 148 connections, 139, 147 header, 288, 294, 296 ports, 301 numbers, 146, 332 Unicast, 332 addressing, 398 Internet addresses, 366 packet routing, 372 prefixes. See Globally Routable Unicast. UNIX, 347 variants, 272 Unnumbered interfaces, usage, 46-47 Update messages, 240, 271 Update timer, 241 Updates. See Poison-reverse updates. Upper-layer header, 426 Upper-layer protocols, issues, 449 Upstream providers, 269, 408 Users/servers, 44
V
Value-added services, 360 Variable length masks, necessity, 192-197 Variable-Length Subnet Mask (VLSM), 89, 90, 104, 191, 192, 196, 206, 244 addressing plan, 193, 219 FAQs, 220-221 introduction, 192 planning, 198 problem. See Class C. procedures, simplification, 214 process, 197 tables, 210 usage, 93, 110 Variable-length subnet masking, 244 Variable length subnets creation, 198-218 management, 198-218 Variable-length subnetting, 66 Variably-subnetted networks, 40 VDOLive, 157 VEND (field), 294, 297, 301 VEND/OPTION (code), 293 (field), 304, 313, 318 Vendor Class ID, 308 Vendor Class Identifier, 324 Vendor options, 295 Vendor-Specific Information (option), 324 Vendor-specific parameters, 308 Vendor-supplied ID, 395 Videoconference, 340, 344, 402 Virtual IP addresses, 184 Virtual link, 254, 257 Virtual Private Network (VPN), 130 solutions, 363 VLSM. See Variable-Length Subnet Mask. VPN. See Virtual Private Network.
W
WS1, 49 WS2, 49 WAN. See Wide Area Network. WWW. See World Wide Web. Warehouse LANs, 102 Wide Area Network (WAN), 192, 199 configuration, 388 connections, 42, 47. See also Point-to-point WAN. interfaces, 42 links, 43, 44, 47, 59, 93, 107-109, 260. See also Asynchronous WAN links; Distribution centers; Headquarters; Point-to-point WAN. technology, 92 Windows, 188-189 clipboard, 57 Windows NT 2000, 131-135, 154-156 WINS server, 338 Worksheets, 55-57, 60. See also Subnets; Tabular worksheets. scalability, 57 Workstations, 43, 61, 99, 283 World Wide Web (WWW / Web), 88 page, 115, 143, 187 server, 12, 150, 171, 179 farm, 96 surfing, 178 Server list. See Default World Wide Web Server List.
X
X Window System Display Manager List (option), 326 X Window System Font Server List (option), 325-326 X.25, 253 XID (code), 290 (field), 296, 297
Y
YIADDR (code), 291 (field), 295, 297, 310, 332
Bonus Coverage
"Windows 2000 Server System Administration Handbook"
Introduction to Administering Active Directory
As organizations grow and require more applications, services, and resources, additional management and administration become necessary. Even the smallest companies now seem to require computer networks and their services, including the assistance of an IT professional, as either a full-time employee, a contractor, or a third party. Fulfilling these needs can become expensive very quickly, so it is necessary to find the most effective and efficient methods of reducing total cost of ownership (TCO). The IT industry has developed many options to ease this burden, including the concept of a directory service, a term that has been used for years to describe many different services across the spectrum. For example, Microsoft has called its user accounts database NTDS (NT Directory Service) for some time. Other vendors use other forms of directory services to perform similar functions. Microsoft has incorporated many current and new technologies into its new operating system, Windows 2000, and has updated and redesigned its previous NTDS into a new form, Active Directory. Although Active Directory is fairly new, many of the concepts upon which it is based have long been in use throughout the computer industry. The Active Directory namespace is based on current DNS standards that have been in place for years.
Other features have been added that are fairly new to Windows; for example, the Encrypting File System (EFS), Kerberos authentication for communications, and Certificate Authorities have been added to provide a more scalable and secure environment. With these features comes a requirement for a robust directory service to support them. This is where Active Directory comes in. To use and manage Active Directory, you need a good understanding of the components and objects used within it, and you must understand the management interfaces and how to use them. Other features included with Active Directory, such as the search mechanisms and security subsystems, have been enhanced. These can be used to provide advanced administration and a solution that can meet the needs of most organizations.
Active Directory Concepts
You must understand several concepts and components in order to use the services that are available in Active Directory. These concepts define its layout as well as the operational factors that must be considered. Each component of Active Directory is important in making this new directory service work for you. The components and concepts that make up Active Directory help to form the directory infrastructure, and each must be properly designed and/or maintained to provide a reliable and stable Windows 2000 environment.
Directory
The directory included with Windows 2000 houses the information required to perform many administrative tasks such as user management, printer management, and security information maintenance. Many of the tools included use this directory to integrate their services in order to provide a more comprehensive and cohesive networking environment. The directory information is stored within a data store that is replicated among domain controllers (DCs), which are computers that provide services such as authentication, directory replication, and resource location. In other words, if an administrator makes a change to the directory on one domain controller, the change will be copied to all other servers maintaining replicas of the directory. In addition, administrators and users can publish resources within Active Directory.
The directory is stored on domain controllers much as it was in earlier versions of Windows NT. Only one domain controller is required for a domain, and you can have anywhere from one to thousands if necessary. Each domain controller maintains a replica of the directory. These computers are used to provide scalability, redundancy, and efficient resource location by providing users with multiple copies of the directory.
The directory database is stored on each domain controller in a file named NTDS.dit, located in <systemroot>\NTDS by default; the location can be specified during the domain controller promotion process. Alongside the database, every domain controller also hosts a shared system volume (SYSVOL) that replicates Group Policy templates and logon scripts. The data held in NTDS.dit is divided into partitions, and three of them are replicated:
• Configuration information describes the topology or layout of the directory, such as domains, trees, sites, domain controllers, and global catalog servers. It is replicated to every domain controller in the forest.
• Domain information contains the objects located in the directory, including the information held within objects such as user attributes or computer properties. It is replicated only to the domain controllers of that domain.
• Schema information defines the attributes and object classes that are available within the directory. For example, the schema defines a user object and its available attributes. It is replicated to every domain controller in the forest.
Namespace
Active Directory uses namespaces to define its boundaries. A namespace is primarily a boundary that is used to define and resolve the names contained in it. Because it is based on the DNS namespace standards specified in Request for Comments (RFC) 1034 and 1035, the Active Directory namespace is interoperable with the Internet and with any other standard TCP/IP network. These standards are key to the ability of Windows 2000 and Active Directory to provide TCP/IP network services (see Figure 12.1).
Figure 12.1 This is an example of a contiguous namespace. (Figure labels: Server1.d, Server2.dev.xyz.com)
Two types of namespaces can be used: contiguous and disjointed. These also reflect the difference between a Windows 2000 tree and forest. A tree is a contiguous namespace, which consists of a hierarchy of parent and related child domains. A child domain has a direct relationship to its parent, and its DNS name is the parent's name with one additional label in front. For example, dev.xyz.com is a child domain of xyz.com. Contiguous namespaces define trees in Windows 2000. A forest in Windows 2000 is a disjointed namespace, which is a collection of trees whose domains are not directly related by name. For example, dev.xyz.com is not directly related to abc.com. These two domains belong to separate trees, and a forest must be formed in order to connect them: the root domains of the trees are joined by two-way transitive trust relationships, which Windows 2000 creates when the new tree root joins the forest, and all trees in a forest share one schema, one configuration, and one global catalog. Although mostly a methodology, this concept is one of the most critical concepts in understanding and designing a Windows 2000 Active Directory infrastructure (see Figure 12.2).
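The tree-versus-forest distinction above reduces to a rule on DNS names: a domain belongs to another domain's tree exactly when its name is the parent's name with one more label in front. The following Python is an added example, not code from the handbook, that applies that rule to a list of domain names (the list is constructed here for illustration) and reports the trees and whether the forest is a disjointed namespace. It assumes, as Active Directory itself requires, that every intermediate parent domain is present in the forest.

```python
"""Group a forest's domains into trees by their DNS names.

Added example for the tree/forest discussion; not code from the handbook.
A domain is a child of another when its DNS name is the parent's name
with exactly one extra label in front (dev.xyz.com under xyz.com). Domains
that share no such chain are separate trees, and a forest with more than
one tree is a disjointed namespace. Active Directory only lets a child be
created under an existing parent, so every intermediate name is assumed
to be present in the input.
"""
from __future__ import annotations


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [part.lower() for part in name.strip().rstrip(".").split(".") if part]


def parent_of(name: str) -> str:
    """The DNS name one label up: xyz.com for dev.xyz.com, '' for a single label."""
    parts = labels(name)
    return ".".join(parts[1:]) if len(parts) > 1 else ""


def group_trees(domains: list[str]) -> dict[str, list[str]]:
    """Map each tree root to the domains of that contiguous namespace.

    A tree root is a domain whose DNS parent is not itself a domain of the
    forest. Each list starts with the root and proceeds by depth.
    """
    names = {".".join(labels(d)) for d in domains}
    trees: dict[str, list[str]] = {}
    for name in sorted(names, key=lambda n: (len(labels(n)), n)):
        root = name
        while parent_of(root) in names:   # climb while the parent is in the forest
            root = parent_of(root)
        trees.setdefault(root, []).append(name)
    return trees


def is_disjointed(domains: list[str]) -> bool:
    """True when the forest spans more than one tree (a disjointed namespace)."""
    return len(group_trees(domains)) > 1


if __name__ == "__main__":
    # Constructed forest: the handbook's xyz.com / dev.xyz.com tree plus abc.com.
    forest = ["xyz.com", "dev.xyz.com", "abc.com"]
    for root, members in group_trees(forest).items():
        print(f"tree {root}: {', '.join(members)}")
    print("disjointed namespace:", is_disjointed(forest))
```

Names are compared case-insensitively and with any trailing dot removed, so "XYZ.com." and "xyz.com" are the same domain; a name such as a.b.xyz.com whose immediate parent b.xyz.com is missing becomes its own tree root, which is the correct reading since Active Directory cannot have created it as a child.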
Figure 12.2 This is an example of a disjointed namespace.
Naming Conventions
Within Windows 2000, every object is identified by a name. Naming conventions have been created to provide a uniform method of identifying a resource. In addition, depending upon the object or its role, a particular item may have more than one name. For example, John Doe may also be known as JohnD. This may be because his full name is John Doe, but his network logon name is JohnD. Several different naming conventions are used within Windows 2000 and Active Directory. To understand each object and how it pertains to other resources, you must understand these naming schemes. The naming schemes are:
• Distinguished Name
• Relative Distinguished Name
• Globally Unique Identifier (GUID)
• User Principal Name
A Distinguished Name (DN) is a unique identifier for an object within Active Directory, such as a user or printer. The distinguished name provides the information required to allow a client to request resources. These names include the complete path through Active Directory, including the domain name. Distinguished names must all be unique. Because Active Directory uses these names to locate resources within the directory service, no two names can be identical (see Table 12.1).
Table 12.1 Attributes Used in Distinguished Names
Attribute   Description
CN          Common Name
DC          Domain Component
OU          Organizational Unit
Here is an example of a distinguished name for John Doe located in the sales OU in the xyz.com domain:
CN=John Doe,OU=sales,DC=xyz,DC=com
The Relative Distinguished Name (RDN) is the part of the DN that names the object itself, relative to its parent container; for the example above it is CN=John Doe. It is used to locate resources based on that single attribute. For example, you may want to know only whether a user object named John Doe exists, which gives you the ability to search throughout the directory when the DN is unknown or has been modified. Relative distinguished names need not be unique across the directory, but they must be unique within a single container: two John Doe user objects can exist, but not within the same OU, because placing each object in a separate OU gives each a different DN (see Figure 12.3). The logon name JohnD, by contrast, must be unique within the domain regardless of which OU the object is in.
Figure 12.3 This illustrates the difference between DN and RDN. (Figure labels: John Doe, Users, sales, xyz, com; DN: CN=John Doe,OU=Sales,DC=xyz,DC=com; RDN: John Doe)
There are two other name types. The first is the Globally Unique Identifier (GUID), which is a 128-bit identifier that is used to identify an object within Active Directory. The GUID is assigned when the object is created and will remain the same if the object is moved or renamed. This allows services to find an object even if its name or attributes are modified. The second type is the User Principal Name (UPN), which is a user-friendly name for an object using the DNS naming convention, similar to an e-mail address. This makes it easier to find an object located within Active Directory. For example, John Doe may have a UPN of JohnD@xyz.com.
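The name types above are derived from one another, and the one that most often goes wrong in scripts is the distinguished name: it is not a plain comma-separated list, because a backslash escapes commas and other special characters inside a value (a CN of "Doe, John" is written CN=Doe\, John). The following Python is an added example, not the handbook's code, that parses a DN in the LDAP string form, recovers the RDN and the parent container, and derives the domain's DNS name and a UPN from it. The function names and the sample DNs are the example's own; the UPN helper assumes the default UPN suffix is the domain's DNS name, which is the Windows 2000 default but can be changed by an administrator.

```python
"""Parse Active Directory distinguished names and derive the other names.

Added example for the naming-conventions section; not the handbook's
code. Follows the LDAP string form of a DN (RFC 2253): RDNs separated by
commas, leaf first, with a backslash escaping the special characters
, + " \\ < > ; and a leading # or space. A backslash followed by two hex
digits encodes one character. Multi-valued RDNs (a+b) and the quoted
form of RFC 1779 are not handled.
"""
from __future__ import annotations

HEX = "0123456789abcdefABCDEF"
SPECIAL = ',+"\\<>;'


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute type, unescaped value), ...] from leaf RDN to root."""
    rdns: list[tuple[str, str]] = []
    attr_type: list[str] = []
    value: list[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if in_value and ch == "\\":
            pair = dn[i + 1 : i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                value.append(chr(int(pair, 16)))   # \2c -> ','
                i += 3
            elif pair:
                value.append(pair[0])              # \, -> ','
                i += 2
            else:
                raise ValueError("dangling escape at end of DN")
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch == ",":               # unescaped comma ends this RDN
            rdns.append(("".join(attr_type).strip(), "".join(value).strip()))
            attr_type, value, in_value = [], [], False
        elif in_value:
            value.append(ch)
        else:
            attr_type.append(ch)
        i += 1
    if not in_value or not "".join(attr_type).strip():
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append(("".join(attr_type).strip(), "".join(value).strip()))
    return rdns


def escape_value(value: str) -> str:
    """Escape a value so it can be put back into a DN string unchanged."""
    out = []
    for pos, ch in enumerate(value):
        leading = pos == 0 and ch in "# "
        trailing = pos == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in SPECIAL or leading or trailing else ch)
    return "".join(out)


def rdn(dn: str) -> str:
    """The leaf RDN as type=value, e.g. CN=John Doe."""
    t, v = parse_dn(dn)[0]
    return f"{t}={escape_value(v)}"


def parent_dn(dn: str) -> str:
    """The DN of the container that holds the object (the DN minus its RDN)."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in parse_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """DNS name of the object's domain, rebuilt from the DC components."""
    return ".".join(v for t, v in parse_dn(dn) if t.upper() == "DC")


def upn(logon_name: str, dn: str) -> str:
    """User principal name, assuming the default suffix is the domain's DNS name."""
    return f"{logon_name}@{dns_domain(dn)}"


if __name__ == "__main__":
    example = "CN=John Doe,OU=sales,DC=xyz,DC=com"    # the handbook's example DN
    print(rdn(example), "|", parent_dn(example), "|", upn("JohnD", example))
    tricky = r"CN=Doe\, John,OU=sales,DC=xyz,DC=com"  # constructed: escaped comma in CN
    print(parse_dn(tricky)[0], "->", len(parse_dn(tricky)), "RDNs, not 5")
```

The unescaping matters for security as much as for correctness: a script that splits a DN on commas can be steered into the wrong container by an object whose CN contains an escaped comma, and the same characters are what an LDAP filter or DN built from untrusted input has to escape before it is sent to the directory.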
Schema
Within a directory service, rules must be used to define the objects that are available, the attributes of those objects, and how they are applied. This is the job of the schema within Active Directory. The schema contains definitions of the classes, attributes, and their properties, such as the user object with the description attribute. When Active Directory is first installed, a default schema is used. Examples of schema objects included are users, computers, and groups. There are two types of schema objects: attributes and classes. Each is used and defined differently within Active Directory. An attribute is a field that can contain information about an object such as group name or user e-mail address. These fields can also be applied to multiple classes while being defined only once. Object classes define the objects that can be created within Active Directory. For example, a user account or group account is a class of object. Every object that is created within Active Directory is known as an instance. The attributes for an object are used to define information about it such as name, location, or phone number. Therefore, a class is a collection of multiple attributes. To apply these terms, a user account named JoeS is a single instance of the object class User with attributes including the name JoeS.
The domain controller acting as the schema master controls the schema content. By default, this is the first Windows 2000 domain controller installed in the forest. A copy of the schema is replicated to all other domain controllers within the forest to maintain consistency. The schema can be modified, but this should only be done after extensive testing. For example, a new class object or a new attribute for an existing class object can be added. Although Active Directory does not support deleting schema extensions, classes and attributes can be marked as deactivated. Extending the schema can have disastrous effects on Active Directory, as this modifies the rules by which it works and the change replicates to every domain controller in the forest. Be sure to perform extensive testing before modifying the schema in any way. Microsoft provides an application programming interface (API) known as Active Directory Services Interface (ADSI). This set of COM interfaces gives developers and scripts a uniform way to read and modify directory objects without having to code directly against the underlying LDAP protocol.
Global Catalog
With any directory, a fast and efficient way to locate resources is required. For example, users who are looking for a printer probably will not want to trudge through the entire network or wait a long time to find what they are looking for. Active Directory uses a global catalog server to provide the ability to index items located within the network. The global catalog is designed to provide information about resources located within the directory as efficiently as possible, which speeds the service to the end user requesting network services. In addition, since a global catalog server maintains information about all domains included within a forest, a server within the domain from which a request originates can answer the query. For example, a global catalog server located in domain1 can return information about a resource located in domain2 without the query being referred to a domain controller in domain2. Any domain controller can be configured as a global catalog server to fulfill your organization's requirements. By default, the first domain controller installed in a forest is configured as a global catalog server. The global catalog holds a full copy of all objects located within its own domain and a partial, read-only copy (a subset of attributes) of the objects in all other domains. This allows quick and efficient query results for cross-domain lookups. The global catalog provides two main roles:
• It gives the ability to locate objects anywhere within the forest.
• It provides universal group membership to domain controllers for a logon request.
When the logon authentication process begins, the domain controller contacts a global catalog server to obtain the user's universal group membership, so user authentication can occur anywhere within the forest. If no global catalog server is reachable, a native-mode domain controller refuses the domain logon (members of the Domain Admins group excepted), and the user can log on only with a local account or with credentials cached on the workstation. The global catalog role can be held by any domain controller, and when only one domain controller exists within a domain, that server necessarily holds it.
This is how the global catalog server role is added or removed on a domain controller:
1. Select Start | Programs | Administrative Tools | Active Directory Sites and Services.
2. Expand the site name, followed by the Servers container, and then the name of the server to configure.
3. Right-click the NTDS Settings object beneath the server and select Properties.
4. Figure 12.4 displays the available options. Select or clear the Global Catalog check box to set the domain controller's role.
5. Select OK or Apply to approve the modification. The server begins advertising itself as a global catalog only after the partial replicas of the other domains have finished replicating to it, so allow for replication time before relying on the new server.
Figure 12.4 Select this check box to provide another global catalog server.
Replication
To enable users to use services such as the directory and global catalog, the directory information must remain consistent throughout all servers that store this data. To accomplish this consistency, a replication strategy has been defined to maintain consistent replicas of directory services data such as the directory store and global catalog. This allows anyone to request a directory resource from anywhere within the network of domains and forests. For example, if User A grants User B access to a resource, this information must be replicated to the domain controller responding to User B. Otherwise, User B would not be able to access the resource unless the change were made on both computers.
Although this information must remain consistent, the amount of network traffic required must be monitored as well. If updates occur constantly, an entire network can be consumed quickly. Replication should be monitored closely to control the amount of traffic that is being caused. Windows 2000 uses several techniques to optimize replication traffic. For example, Active Directory evaluates the network connections that are used and selects the most efficient. Also, any available multiple routes are used to provide fault tolerance and redundancy. One of the most effective optimization techniques is the replication of delta information; in other words, only the changes to an object are replicated. For example, if JoeS changes his password, only that changed attribute is replicated and not the entire object. This can make a dramatic difference for your local and wide-area network.
Two types of site replication can occur. Intrasite replication occurs among all domain controllers located within the same site, and intersite replication occurs between two sites configured with a site link. Two transports, IP (RPC over IP) and SMTP, are available for site links. SMTP can carry only the schema, configuration, and global catalog partial replicas, not the domain partition, so domain controllers of the same domain in different sites must be linked over IP. Intrasite connections are automatically generated and maintained, but intersite site links must be manually created. Intrasite connections are maintained by Active Directory to optimize replication.
By default, every domain controller within a site is given at least two replication partners, so that a single link failure does not isolate it. This replication topology is continually monitored and updated. For example, when a new domain controller is installed in a site, the replication topology is recalculated to provide the most efficient network replication.
The Global Knowledge Advantage
Global Knowledge has a global delivery system for its products and services. The company has 28 subsidiaries, and offers its programs through a total of 60+ locations. No other vendor can provide consistent services across a geographic area this large. Global Knowledge is the largest independent information technology education provider, offering programs on a variety of platforms. This enables our multi-platform and multi-national customers to obtain all of their programs from a single vendor. The company has developed the unique Competus™ Framework software tool and methodology, which can quickly reconfigure courseware to the proficiency level of a student on an interactive basis. Combined with self-paced and on-line programs, this technology can reduce the time required for training by prescribing content in only the deficient skills areas. The company has fully automated every aspect of the education process, from registration and follow-up, to "just-in-time" production of courseware. Global Knowledge, through its Enterprise Services Consultancy, can customize programs and products to suit the needs of an individual customer.
Global Knowledge Classroom Education Programs
The backbone of our delivery options is classroom-based education. Our modern, well-equipped facilities staffed with the finest instructors offer programs in a wide variety of information technology topics, many of which lead to professional certifications.
Custom Learning Solutions This delivery option has been created for companies and governments that value customized learning solutions. For them, our consultancy-based approach of developing targeted education solutions is most effective at helping them meet specific objectives.
Self-Paced and Multimedia Products
This delivery option offers self-paced program titles in interactive CD-ROM, videotape and audio tape programs. In addition, we offer custom development of interactive multimedia courseware to customers and partners. Call us at 1-888-427-4228.
Electronic Delivery of Training
Our network-based training service delivers efficient competency-based, interactive training via the World Wide Web and organizational intranets. This leading-edge delivery option provides a custom learning path and "just-in-time" training for maximum convenience to students.
Global Knowledge Courses Available Microsoft 9 9 9 9 9 9 9 9 9 9 9 9 9
Windows 2000 Deployment Strategies I n t r o d u c t i o n to Directory Services W i n d o w s 2 0 0 0 Client A d m i n i s t r a t i o n W i n d o w s 2 0 0 0 Server Windows 2000 Update MCSE Bootcamp Microsoft N e t w o r k i n g E s s e n t i a l s W i n d o w s NT 4.0 W o r k s t a t i o n W i n d o w s NT 4.0 Server W i n d o w s NT T r o u b l e s h o o t i n g W i n d o w s NT 4.0 S e c u r i t y Windows 2000 Security I n t r o d u c t i o n to Microsoft Web Tools
Management Skills 9 Project M a n a g e m e n t for IT P r o f e s s i o n a l s 9 Microsoft Project W o r k s h o p 9 M a n a g e m e n t Skills for IT P r o f e s s i o n a l s
Network Fundamentals 9 9 9 9 9 9 9
Understanding Computer Networks Telecommunications Fundamentals I T e l e c o m m u n i c a t i o n s F u n d a m e n t a l s II Understanding Nehvorking F u n d a m e n t a l s U p g r a d i n g a n d R e p a i r i n g PCs D O S / W i n d o w s A+ P r e p a r a t i o n N e t w o r k Cabling S y s t e m s
WAN Networking and Telephony
- Building Broadband Networks
- Frame Relay Internetworking
- Converging Voice and Data Networks
- Introduction to Voice Over IP
- Understanding Digital Subscriber Line (xDSL)
Internetworking
- ATM Essentials
- ATM Internetworking
- ATM Troubleshooting
- Understanding Networking Protocols
- Internetworking Routers and Switches
- Network Troubleshooting
- Internetworking with TCP/IP
- Troubleshooting TCP/IP Networks
- Network Management
- Network Security Administration
- Virtual Private Networks
- Storage Area Networks
- Cisco OSPF Design and Configuration
- Cisco Border Gateway Protocol (BGP) Configuration
Web Site Management and Development
- Advanced Web Site Design
- Introduction to XML
- Building a Web Site
- Introduction to JavaScript
- Web Development Fundamentals
- Introduction to Web Databases
PERL, UNIX, and Linux
- PERL Scripting
- PERL with CGI for the Web
- UNIX Level I
- UNIX Level II
- Introduction to Linux for New Users
- Linux Installation, Configuration, and Maintenance
Authorized Vendor Training

Red Hat
- Introduction to Red Hat Linux
- Red Hat Linux Systems Administration
- Red Hat Linux Network and Security Administration
- RHCE Rapid Track Certification
Cisco Systems
- Interconnecting Cisco Network Devices
- Advanced Cisco Router Configuration
- Installation and Maintenance of Cisco Routers
- Cisco Internetwork Troubleshooting
- Designing Cisco Networks
- Cisco Internetwork Design
- Configuring Cisco Catalyst Switches
- Cisco Campus ATM Solutions
- Cisco Voice Over Frame Relay, ATM, and IP
- Configuring for Selsius IP Phones
- Building Cisco Remote Access Networks
- Managing Cisco Network Security
- Cisco Enterprise Management Solutions
Nortel Networks
- Nortel Networks Accelerated Router Configuration
- Nortel Networks Advanced IP Routing
- Nortel Networks WAN Protocols
- Nortel Networks Frame Switching
- Nortel Networks Accelar 1000 Comprehensive Configuration
- Nortel Networks Centillion Switching
- Network Management with Optivity for Windows
Oracle Training
- Introduction to Oracle8 and PL/SQL
- Oracle8 Database Administration
Custom Corporate Network Training

Train on Cutting-Edge Technology We can bring the best in skill-based training to your facility to create a real-world, hands-on training experience. Global Knowledge has invested millions of dollars in network hardware and software to train our students on the same equipment they will work with on the job. Our relationships with vendors allow us to incorporate the latest equipment and platforms into your on-site labs.
Maximize Your Training Budget Global Knowledge provides experienced instructors, comprehensive course materials, and all the networking equipment needed to deliver high-quality training. You provide the students; we provide the knowledge.
Avoid Travel Expenses On-site courses allow you to schedule technical training at your convenience, saving time, expense, and the opportunity cost of travel away from the workplace.
Discuss Confidential Topics Private on-site training permits the open discussion of sensitive issues such as security, access, and network design. We can work with your existing network's proprietary files while demonstrating the latest technologies.
Customize Course Content Global Knowledge can tailor your courses to include the technologies and the topics which have the greatest impact on your business. We can complement your internal training efforts or provide a total solution to your training needs.
Corporate Pass The Corporate Pass Discount Program rewards our best network training customers with preferred pricing on public courses, discounts on multimedia training packages, and an array of career planning services.
Global Knowledge Training Lifecycle Supporting the Dynamic and Specialized Training Requirements of Information Technology Professionals
[Lifecycle diagram: Define Profile, Assess Skills, Design Training, Deliver Training, Test Knowledge, Update Profile, Use New Skills]
Global Knowledge Global Knowledge programs are developed and presented by industry professionals with "real-world" experience. Designed to help professionals meet today's interconnectivity and interoperability challenges, most of our programs feature hands-on labs that incorporate state-of-the-art communication components and equipment.
ON-SITE TEAM TRAINING Bring Global Knowledge's powerful training programs to your company. At Global Knowledge, we will custom-design courses to meet your specific network requirements. Call (919) 461-8686 for more information.
YOUR GUARANTEE Global Knowledge believes its courses offer the best possible training. If during the first day you are not satisfied and wish to withdraw from the course, simply notify the instructor, return all course materials, and receive a 100% refund.
REGISTRATION INFORMATION In the US: call (888) 762-4442, fax (919) 469-7070, or visit our website: www.globalknowledge.com
The premier online information source for IT professionals You've gained access to a Global Knowledge information portal designed to inform, educate, and update visitors on issues regarding IT and IT education. Get what you want when you want it at the access.globalknowledge site:
- Choose personalized technology articles related to your interests. Access a new article, review, or tutorial regularly throughout the week, customized to what you want to see.
- Keep learning in between Global Knowledge courses by taking advantage of chat sessions with other users or instructors. Get the tips, tricks, and advice that you need today!
- Make your point in the Access.Globalknowledge community with threaded discussion groups related to technologies and certification.
- Get instant course information at your fingertips. Customized course calendars show you the courses you want, when and where you want them.
- Get the resources you need with online tools, trivia, skills assessment, and more!
All this and more is available now on the web at access.globalknowledge.com. Visit today!
http://access.globalknowledge.com