Ethernet


Ethernet is a more complicated and more interesting protocol than PPP and is extremely popular in corporate and home networks. If you're already familiar with Ethernet, you probably learned everything you needed to know about configuring your system to talk to your local network in Chapter 5. If not, read on.

Ethernet is a shared network; many different machines can connect to the same Ethernet and can communicate directly with each other. This gives Ethernet a great advantage over PPP. Ethernet has physical distance limitations that make it practical only for offices, colocation facilities, and other comparatively short-range networks.

Many different physical networks have been used to run Ethernet over the years. Once upon a time, most Ethernet cables were thick chunks of coaxial cable. Today, most are comparatively thin cat5 cables with eight strands of very thin wire inside them. You may also encounter Ethernet over optical fiber or radio. For purposes of our discussion we'll assume that you're working with category 5 cable, which is the most popular choice today. No matter what physical media you're using, the theory of Ethernet doesn't change. (Remember, the physical layer is abstracted away!)

Prerequisites

Before you try to configure your system to access an Ethernet, you need to have some basic IP address information. If your network runs DHCP, that's all you need to know. If your machine will have a static IP address, you need the following information:

  • Your machine's IP address

  • The netmask for that IP address

  • The default gateway

While it would be nice to be able to check for a dial tone on your Ethernet cable, that requires specialized (but reasonably inexpensive) equipment.

Ethernet Physical Protocol

Ethernet is a broadcast protocol, which means that every packet you send on the network is sent to every workstation on that network. (Today this isn't necessarily true, as we'll discuss later.) Your network card's device driver sorts out the data intended for your computer from the data meant for other computers. One side effect of Ethernet's broadcast nature is that you can "sniff" other computers' connections, capturing everything sent and received by those systems. While this can be very useful when diagnosing problems, it's also a major security issue. Capturing clear-text passwords is trivial on an old-fashioned Ethernet.

Ethernet started out supporting only a couple of megabits per second, but has grown beyond its original design to handle gigabit speeds. Most people use 10/100 megabits per second (Mbps) speeds, and gigabit Ethernet cards have just recently dropped below $100 each.

MAC Addresses

Every Ethernet network card has a unique identifier, its MAC address. A MAC address is a 48-bit number, and is sometimes called an Ethernet address. When a system wants to transmit data to another host on the Ethernet, it sends out an Ethernet request that basically says "Which MAC address is responsible for this IP address?" If a host responds, further data is addressed to that MAC address. This process is known as the Address Resolution Protocol, or ARP.

You can view your OpenBSD machine's current MAC and ARP knowledge with arp(8). The most common form is the "arp -a" command, which shows the MAC addresses and host names of all hosts that the system has previously communicated with on the local network.

 # arp -a
 petulance.blackhelicopters.org (192.168.1.2) at 00:30:65:31:dc:4d
 pedicular.blackhelicopters.org (192.168.1.200) at 00:02:2d:0c:9a:40
 #

Here we see that the host petulance.blackhelicopters.org has an IP address of 192.168.1.2, and a MAC address of 00:30:65:31:dc:4d. If a MAC address shows up as "incomplete," the host cannot be contacted. In such a case, check your physical layer (the wire), the remote system, and your system configuration.
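Because the ARP table is what your host trusts when it addresses frames, it is worth checking now and then: an "incomplete" entry means a host that never answered, and a known address whose MAC has changed between two snapshots is something an administrator will want to explain. The following sh script is an added example, not from the book; it parses "arp -a" output in the format shown above (hostname, IP in parentheses, "at", MAC). The two snapshots are constructed sample text, and the gateway.example host and its MAC addresses are made up.

```shell
#!/bin/sh
# Constructed sample snapshots of "arp -a" output (format as shown on the page).
# "(incomplete)" is how OpenBSD prints a host that never answered the ARP request.
ARP_BASELINE='petulance.blackhelicopters.org (192.168.1.2) at 00:30:65:31:dc:4d
pedicular.blackhelicopters.org (192.168.1.200) at 00:02:2d:0c:9a:40
gateway.example (192.168.1.1) at 00:aa:bb:cc:dd:01'

ARP_CURRENT='petulance.blackhelicopters.org (192.168.1.2) at 00:30:65:31:dc:4d
pedicular.blackhelicopters.org (192.168.1.200) at 00:02:2d:0c:9a:40
gateway.example (192.168.1.1) at 00:aa:bb:cc:dd:99
? (192.168.1.7) at (incomplete)'

# Turn "host (ip) at mac" lines on stdin into "ip mac" pairs, parentheses stripped.
arp_pairs() {
    awk '{
        ip = $2;  gsub(/[()]/, "", ip)
        mac = $4; gsub(/[()]/, "", mac)
        print ip, mac
    }'
}

# List the IP addresses whose entry is incomplete (the host could not be contacted).
arp_incomplete() {
    printf '%s\n' "$1" | arp_pairs | awk '$2 == "incomplete" { print $1 }'
}

# Compare a baseline snapshot ($1) with a current one ($2) and print
# "ip old_mac new_mac" for every IP whose recorded MAC address changed.
arp_changed() {
    {
        printf '%s\n' "$1" | arp_pairs | awk '{ print "old", $1, $2 }'
        printf '%s\n' "$2" | arp_pairs | awk '{ print "new", $1, $2 }'
    } | awk '
        $1 == "old" { old[$2] = $3 }
        $1 == "new" && ($2 in old) && old[$2] != $3 && $3 != "incomplete" {
            print $2, old[$2], $3
        }'
}

echo "incomplete entries:"
arp_incomplete "$ARP_CURRENT"
echo "entries whose MAC changed since the baseline:"
arp_changed "$ARP_BASELINE" "$ARP_CURRENT"
```

On a real system you would save the output of "arp -a" as the baseline and feed later runs as the current snapshot; a changed MAC for a host that has simply been given a new network card is normal, but a change you cannot account for, especially for the default gateway, deserves a look.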

Hubs, Switches, and Bridges

An Ethernet hub is a central piece of hardware with physical connections to many other Ethernet devices. It simply forwards every Ethernet frame it receives to every other device hooked to it, including other attached hubs. Each host is responsible for filtering out the traffic it doesn't want. This is the classic way Ethernet works.

A switch is like a hub, but filters for the hosts by tracking the MAC and IP addresses of attached devices and, for the most part, only forwarding packets to the device they are meant for. Because each Ethernet host has a finite amount of bandwidth (for example, a 100 Mbps card can handle 100 megabits per second), switching reduces the load on individual systems by limiting the amount of data transferred to each device. Switches are more expensive than hubs, however.

A bridge is any device that joins two different Ethernet segments; you might have two small Ethernet hubs joined by a bridge. The more flexible switches have largely supplanted them. Hardware bridges are no longer common, but OpenBSD includes extensive bridging functionality. Bridging is discussed in brconfig(8).

Configuring Your Ethernet Card

You can assign an IP address to your Ethernet card with ifconfig(8). The basic syntax is very simple:

 ifconfig interface-name IP-address netmask 

For example, if your network card is fxp0, your IP address is 192.168.1.250, and your netmask is 255.255.255.0, you would type:

 # ifconfig fxp0 192.168.1.250 255.255.255.0 

You can also set an interface's media options with ifconfig(8). Some combinations of cards and switches cannot successfully autonegotiate a connection speed, so you'll need to manually force the media to be what you want. For example, suppose your network card thinks that you have a full-duplex connection to the switch, while the switch thinks you have a half-duplex connection. In case of doubt, the switch is usually right. Get the name of the valid media types from the driver's man page.

 # ifconfig fxp0 media 100baseTX 

You can, of course, combine these.

 ifconfig fxp0 192.168.1.250 255.255.255.0 media 100baseTX mediaopt full-duplex 

Multiple IP Addresses on One Ethernet Card

One network card can respond to requests for multiple IP addresses. One server might have to support hundreds or thousands of domains and need an IP address for each. You can add extra IP addresses to a single card quite easily with IP aliases. With IP aliasing, you tell a network card that "although your real IP address is such-and-such, answer to requests for this IP address as well." You can add extra IP addresses with ifconfig(8).

 # ifconfig fxp0 alias 192.168.1.5 netmask 255.255.255.255 

The alias should have the keyword "alias" immediately after the interface name and a netmask of 255.255.255.255. (You can use other netmasks to assign a range of IP addresses, as we'll see in "Blocks of Alias IPs.")

You can see any aliases assigned to a card by using ifconfig.

 # ifconfig fxp0
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         address: 00:02:b3:63:e4:1d
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
       1 inet 192.168.1.250 netmask 0xffffff00 broadcast 192.168.1.255
         inet6 fe80::202:b3ff:fe63:e41d%fxp0 prefixlen 64 scopeid 0x1
       2 inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
 #

Here we see the primary IP address on this card (1) and the alias IP address (2). The primary IP address appears first.

You can configure the additional IP addresses at boot by using additional ifconfig statements in /etc/hostname.if, much like this:

 alias 192.168.1.5 netmask 255.255.255.255 

The only real difference between this entry and the standard hostname.if ifconfig statement is the "alias" keyword.

All outgoing connections use the system's real IP address. You might have 2,000 IP addresses bound to one network card, but when you ssh outward, the connection comes from the primary IP address. Keep this in mind when writing firewall rules and other access-control filters.

IP Aliases on a Loopback Interface

OpenBSD allows you to bind IP addresses to a loopback interface. This means that the machine will respond to those IP addresses, no matter which interface the packet arrives on, allowing you to change network cards with impunity.

A standard OpenBSD system has two loopback interfaces, lo0 and lo1. lo0 is reserved for the standard "localhost" address, 127.0.0.1, and for connections to the local system. Adding extra IP addresses to this interface can cause confusion. The lo1 interface is provided specifically for hosting additional IP addresses. You configure IP aliases on lo1 in exactly the same way you configure them on any other network interface, either in /etc/hostname.lo1 or on the command line.

 # ifconfig lo1 alias 192.168.1.5 netmask 255.255.255.255 

Blocks of Alias IPs

One special feature of OpenBSD's ifconfig(8) is that it supports adding blocks of IP aliases by netmask. For example, suppose you need to assign the entire 192.168.9.0/24 address block (also known as a class C, for those network engineers stuck in the 1980s) to be aliases on a particular machine. Rather than using a whole slew of "ifconfig lo1 alias" commands, you can tie the whole block to the interface by giving a netmask.

 ifconfig lo1 alias 192.168.9.0 netmask 255.255.255.0 

Of course, you can use this in /etc/hostname.lo1 as well.

This is quick, easy, and creates a routing issue. For the system to respond to a packet, that packet must arrive at the system. Route that block of addresses to this machine, as discussed in Chapter 8, and everything will work properly.
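The netmask decides how many addresses an alias covers: 255.255.255.255 binds exactly one address, 255.255.255.0 binds the whole /24 block, and ifconfig reports the same mask in hex (0xffffff00 in the output above). The following sh script is an added example, not from the book, that converts between those forms and works out the network address, broadcast address, and address count for an address plus netmask; it uses only POSIX shell arithmetic and assumes a shell with at least 32-bit arithmetic. The addresses are the ones used in this chapter.

```shell
#!/bin/sh
# Convert a dotted-quad address (a.b.c.d) to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Accept a netmask either as a dotted quad (255.255.255.0) or in the hex
# form ifconfig prints (0xffffff00) and return it as an integer.
mask_to_int() {
    case "$1" in
        0x*) echo $(( $1 )) ;;
        *)   ip_to_int "$1" ;;
    esac
}

# Count the one bits in a netmask, i.e. its prefix length (/24, /32, ...).
mask_prefixlen() {
    m=$(mask_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# For an address and netmask, print: network broadcast address-count /prefixlen
# This is the range of addresses an "ifconfig ... alias ADDR netmask MASK" covers.
alias_block() {
    ip=$(ip_to_int "$1"); mask=$(mask_to_int "$2")
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xffffffff) ))
    count=$(( bcast - net + 1 ))
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $count /$(mask_prefixlen "$2")"
}

# A single alias, a whole class C block, and the primary address as ifconfig showed it.
alias_block 192.168.1.5 255.255.255.255
alias_block 192.168.9.0 255.255.255.0
alias_block 192.168.1.250 0xffffff00
```

Running it shows that the single alias covers only 192.168.1.5, the lo1 block covers 192.168.9.0 through 192.168.9.255 (256 addresses), and the hex mask on fxp0 is the same /24 whose broadcast address ifconfig printed as 192.168.1.255.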

Congratulations, you're hooked up to the Internet! Before you get too comfortable out there, let's look at some of OpenBSD's advanced security features in the next chapter.




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298