The Internet Protocol suite (commonly referred to as TCP/IP) comprises the essential protocol stack for modern networks. To effectively plan or manage a network based on TCP/IP, one must understand the network addressing methodology.
As mentioned previously, the Internet Protocol stack consists of only four layers. It does not define the physical layer connectivity as in the OSI model, but it allows connectivity to the same types of physical media through compatibility at the "link" layer. Of the four layers, the transport and network layers are of primary interest.
The IP protocol classifies all application (user-oriented) protocols into a single layer. IP is primarily concerned with internetworking so these protocols are handled monolithically.
The IP transport layer consists of two primary services: connection-oriented (session) service via TCP, and connectionless service via UDP. TCP is used for guaranteed delivery by tracking individual segments in sequence. UDP provides less overhead and "faster" service, but does not guarantee delivery. Connection-oriented service is used for most data transfer needs, while connectionless service is used extensively for voice over IP (VoIP) and similar needs. To understand the difference, envision two environments. First, a Citrix session (ICA), where video display data is transported to and from a server: data integrity is more important than speed, because the key-clicks and resulting screens must be accurately represented. Second, a VoIP call: the talker is not subject to flow control, and a listener must receive most of the data in a contiguous flow to hold a conversation. The participants cannot wait for the missing pieces of the conversation to be retransmitted and reassembled, even over a poor-quality path; data flow is more important than integrity.
The IP network layer consists of the addressing and routing protocols needed to get IP packets across the Internet.
The IP link layer (also called the network access layer) employs industry standard drivers and OSI-compatible data link layer services (Ethernet, Token Ring, and so on).
The textbook for one 300-level college course attempts to teach IP addressing logic by jumping straight into binary math, espousing the mathematical concept of a "bitwise AND." For those unaccustomed to IP addressing, this explanation immediately falls in the range between voodoo and techno-babble. Nonetheless, binary math is the key to really understanding IP addressing. A "bitwise AND" means, given two expressions (IP address in binary and mask in binary), the bitwise AND result returns a 1 if both expressions have 1s in a bit position, otherwise the result is 0. This is the logical process used to derive the network (or subnet) from an address and mask combination. The first example under the upcoming "Address Classes" section illustrates the bitwise logic.
Standards define IP addresses by "class" and further define reserved and private address ranges. Reserved addresses are not usable by host devices, while "private" addresses are private in the sense that they are not routable over the Internet and must undergo network address translation (NAT) to a registered public IP address when traversing the Internet. Table A-1 lists the IP address allocations and classes.
Table A-1: IP Address Classes and Special Addresses
Decimal Range | Class | Default Mask/Length | First Octet |
---|---|---|---|
1.0.0.0-126.255.255.255 | Class A | 255.0.0.0/8 | 0xxxxxxx |
128.0.0.0-191.255.255.255 | Class B | 255.255.0.0/16 | 10xxxxxx |
192.0.0.0-223.255.255.255 | Class C | 255.255.255.0/24 | 110xxxxx |
224.0.0.0-239.255.255.255 | Class D (Multicast) | None | 1110xxxx |
240.0.0.0-255.255.255.254 | Class E (Experimental) | None | 1111xxxx |
Special Addresses | | | |
10.0.0.0-10.255.255.255 | RFC 1918 (private) | 255.0.0.0/8 | |
127.0.0.0-127.255.255.255 | Reserved - Loopback | | |
169.254.0.0-169.254.255.255 | Automatic Private IP Addressing | 255.255.0.0/16 | |
172.16.0.0-172.31.255.255 | RFC 1918 (private) | 255.240.0.0/12 | |
192.168.0.0-192.168.255.255 | RFC 1918 (private) | 255.255.0.0/16 | |
Address Classes
Class A networks encompass 126 networks, each with over 16 million unique addresses. The decimal values specified are based on the underlying binary values; the first eight bits (octet) of the address define the class.
Class B networks encompass over 14,000 networks, each with over 65,000 addresses.
Class C networks encompass some two million possible networks of 254 addresses each.
Class D networks are used for multicast services (including many dynamic routing protocols), while Class E networks are reserved.
Each of the first three classes carries a presumed (default) self-encoded mask. This is evident when entering an IP address on most network hardware; once the address is entered, the default mask automatically populates. As an example, in the IP address 10.10.10.1:
Decimal: | 10. | 10. | 10. | 1 |
Mask (decimal): | 255. | 0. | 0. | 0 |
Binary: | 00001010 | 00001010 | 00001010 | 00000001 |
Mask (binary): | 11111111 | 00000000 | 00000000 | 00000000 |
Bitwise AND: | 00001010 | 00000000 | 00000000 | 00000000 |
Network (decimal): | 10. | 0. | 0. | 0 |
The first octet starts with the binary sequence 0xxxxxxx, making it a Class A address.
Binary Basics
The binary values of each octet reveal the structure of the IP address. Use a simplified conversion table to convert decimal to binary. In IP addressing, the default mask can be modified to reduce (subnet) or expand (supernet) existing networks. In common notation, the mask is expressed either in decimal format (255.255.255.128) or as the number of 1s in the mask (/25). In the following examples, the binary values use the same address (10.10.10.1) with different subnet masks. To determine the "size" of the network (number of hosts), use the formula 2^n - 2. When determining the maximum number of hosts on a given subnet, n is the number of 0s in the binary mask. When determining the number of possible subnets, n is the number of 1s added to the default mask.
Decimal: | 10. | 10. | 10. | 1 |
Mask (decimal): | 255. | 0. | 0. | 0 |
Binary: | 00001010 | 00001010 | 00001010 | 00000001 |
Mask (binary): | 11111111 | 00000000 | 00000000 | 00000000 |
The address and mask define one network (no bits added to the default mask). There are 24 0s in the mask, so the network has 2^24 - 2 host addresses (16,777,214). The two excluded addresses (the -2) are the host address of all zeros (10.0.0.0), which defines the network itself, and the host address of all ones (10.255.255.255), which is the broadcast to all hosts on this network.
In a routed environment, the addresses at each end of a link must be on different networks (or subnets). To use the 10.x.x.x address space across routed links, subnetting is required to define smaller networks.
Decimal: | 10. | 10. | 10. | 1 |
Mask (decimal): | 255. | 255. | 254. | 0 |
Binary: | 00001010 | 00001010 | 00001010 | 00000001 |
Mask (binary): | 11111111 | 11111111 | 11111110 | 00000000 |
The address and mask define multiple networks (15 bits were added to the default mask). The original network has been subnetted to produce 2^15 - 2 (32,766) individual subnets. There are nine 0s in the mask, so each subnet has 2^9 - 2 (510) host addresses. The two excluded addresses are the host address of all zeros (10.10.10.0), which defines the subnet, and the host address of all ones (10.10.11.255), which is the broadcast to all hosts on this subnet.
Why Binary?
Until IP addressing becomes second nature, only the binary values can reveal problems with the addressing scheme. Continuing in the same address space, host A at 10.10.10.1 with a mask of 255.255.255.240 needs to communicate with host B, plugged into the same hub, which has an address of 10.10.10.21 and a mask of 255.255.255.240. All appears well, but they cannot communicate over IP.
Decimal (A): | 10. | 10. | 10. | 1 |
Decimal (B): | 10. | 10. | 10. | 21 |
Mask (decimal): | 255. | 255. | 255. | 240 |
Binary (A): | 00001010 | 00001010 | 00001010 | 00000001 |
Binary (B): | 00001010 | 00001010 | 00001010 | 00010101 |
Mask (binary): | 11111111 | 11111111 | 11111111 | 11110000 |
The bits in the host address that correspond to the 1s in the mask must match for both devices to be on the same logical network. In this case, host A is on network 10.10.10.0 while host B is on network 10.10.10.16. Even though they share the same Layer-1 electrical signal and can see each other's MAC address at Layer 2, they cannot communicate without a router.
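The bitwise AND, the 2^n - 2 formula and the same-subnet check from the worked examples above, as an added Python example that is not part of the appendix; the function names are my own, and the standard-library ipaddress call is there only to cross-check the hand-rolled arithmetic.

```python
import ipaddress

def to_int(dotted):
    """Dotted decimal (e.g. '10.10.10.1') to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(dotted):
    """Four 8-bit groups, laid out like the binary rows in the tables above."""
    return " ".join(f"{(to_int(dotted) >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def prefix_len(mask):
    """Count the 1s in the mask (the /n form) and reject non-contiguous masks."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones

def default_prefix(dotted):
    """Classful default mask length from the first octet's leading bits (Table A-1)."""
    first = to_int(dotted) >> 24
    if first < 224:
        return 8 if first < 128 else 16 if first < 192 else 24  # Class A / B / C
    raise ValueError("Class D/E addresses carry no default mask")

def subnet_info(dotted, mask):
    """Network, broadcast, hosts and subnets, using the text's 2^n - 2 formula."""
    addr, m, n = to_int(dotted), to_int(mask), prefix_len(mask)
    network = addr & m                       # the bitwise AND
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits all set to 1
    borrowed = n - default_prefix(dotted)    # 1s added to the default mask
    return {"network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "hosts": 2 ** (32 - n) - 2,
            "subnets": 2 ** borrowed - 2 if borrowed > 0 else 1}

def same_subnet(a, b, mask):
    """Hosts can exchange IP traffic without a router only if the masked bits agree."""
    return (to_int(a) & to_int(mask)) == (to_int(b) & to_int(mask))

def stdlib_network(dotted, mask):
    """Cross-check of the hand-rolled AND against the standard library."""
    net = ipaddress.ip_network(f"{dotted}/{mask}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"
```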
Referring back to Figure A-1, note that at both the transport and network layers, services are keyed to specific protocols (of which IP is one) and ports (such as TCP port 23 for Telnet). Numerous web sites have extensive lists of both well-known and not-so-well-known ports and protocols. The partial lists in Table A-2 (protocols) and Table A-3 (ports) cover the majority of values common in modern networking. Table A-4, meanwhile, lists Internet Control Message Protocol message types and codes.
Table A-2: IP Protocol Values
Literal | Value | Description |
---|---|---|
ip | 0 | Internet Protocol |
icmp | 1 | Internet Control Message Protocol, RFC 792 |
igmp | 2 | Internet Group Management Protocol, RFC 1112 |
ipinip | 4 | IP-in-IP encapsulation |
tcp | 6 | Transmission Control Protocol, RFC 793 |
igrp | 9 | Interior Gateway Routing Protocol |
udp | 17 | User Datagram Protocol, RFC 768 |
gre | 47 | Generic Routing Encapsulation |
esp | 50 | Encapsulated Security Payload for IPv6, RFC 1827 |
ah | 51 | Authentication Header for IPv6, RFC 1826 |
eigrp | 88 | Enhanced Interior Gateway Routing Protocol |
ospf | 89 | Open Shortest Path First routing protocol, RFC 1247 |
nos | 94 | Network Operating System (Novell's NetWare) |
pcp | 108 | Payload Compression Protocol |
Table A-3: Well-Known Ports
Literal | Protocol | Value | Description |
---|---|---|---|
ftp-data | TCP | 20 | File Transfer Protocol (data port) |
ftp | TCP | 21 | File Transfer Protocol (control port) |
ssh | TCP | 22 | Secure Shell |
telnet | TCP | 23 | RFC 854 Telnet |
smtp | TCP | 25 | Simple Mail Transport Protocol |
domain | TCP/UDP | 53 | DNS (Domain Name System) |
bootps | UDP | 67 | Bootstrap Protocol Server |
bootpc | UDP | 68 | Bootstrap Protocol Client |
tftp | UDP | 69 | Trivial File Transfer Protocol |
gopher | TCP | 70 | Gopher |
finger | TCP | 79 | Finger |
www | TCP | 80 | World Wide Web |
pop3 | TCP | 110 | Post Office Protocol — Version 3 |
ntp | UDP | 123 | Network Time Protocol |
netbios-ns | UDP | 137 | NETBIOS Name Service |
netbios-dgm | UDP | 138 | NETBIOS Datagram Service |
bgp | TCP | 179 | Border Gateway Protocol, RFC 1163 |
ssl (https) | TCP | 443 | Secure HTTP (secure sockets layer) |
smb | TCP | 445 | Microsoft SMB |
isakmp | UDP | 500 | ISAKMP |
syslog | UDP | 514 | System Log |
lpd | TCP | 515 | Line Printer Daemon — printer spooler |
rip | UDP | 520 | Routing Information Protocol |
mssql | TCP | 1433 | Microsoft SQL |
citrix-ica | TCP | 1494 | Citrix ICA |
sqlnet | TCP | 1521 | Structured Query Language Network |
radius | UDP | 1645, 1646 | Remote Authentication Dial-In User Service |
rdp | TCP | 3389 | Microsoft RDP |
Table A-4: ICMP Message Types and Codes
ICMP Type | Message | Code | Code Meaning |
---|---|---|---|
0 | Echo Reply | | |
3 | Destination Unreachable | 0 | Net unreachable |
3 | | 1 | Host unreachable |
3 | | 2 | Protocol unreachable |
3 | | 3 | Port unreachable |
3 | | 4 | Fragmentation needed and Don't Fragment was set |
3 | | 5 | Source route failed |
3 | | 6 | Destination network unknown |
3 | | 7 | Destination host unknown |
3 | | 8 | Source host isolated |
3 | | 9 | Communication with destination network is administratively prohibited |
3 | | 10 | Communication with destination host is administratively prohibited |
3 | | 11 | Destination network unreachable for type of service |
3 | | 12 | Destination host unreachable for type of service |
3 | | 13 | Communication administratively prohibited |
3 | | 14 | Host precedence violation |
3 | | 15 | Precedence cutoff in effect |
4 | Source Quench | | |
5 | Redirect | 0 | Redirect datagram for the network (or subnet) |
5 | | 1 | Redirect datagram for the host |
5 | | 2 | Redirect datagram for the type of service and network |
5 | | 3 | Redirect datagram for the type of service and host |
8 | Echo | | |
11 | Time Exceeded | 0 | Time to live (TTL) exceeded in transit |
11 | | 1 | Fragment reassembly time exceeded |
12 | Parameter Problem | 0 | Pointer indicates the error |
12 | | 1 | Missing a required option |
12 | | 2 | Bad length |
13 | Timestamp | | |
14 | Timestamp Reply | | |
15 | Information Request | | |
16 | Information Reply | | |
17 | Address Mask Request | | |
18 | Address Mask Reply | | |
In Table A-2, the literal value is the common name. When defining access control lists or firewall rules to control access to the corporate data center, some protocols are generally "safe" and can be permitted (such as esp, the encrypted traffic in IPSec) while others may need to be restricted (such as gre, to prevent non-approved tunneling through the network).
Individual ports at the transport layer are a more granular way of controlling, monitoring, and managing traffic flows. Both Citrix (ICA, TCP port 1494) and Microsoft (RDP, TCP port 3389) use defined ports that can be easily managed to restrict traffic.
ICMP messages are included as a reference for two reasons: First, some ICMP messages are essential to a well-behaved network (unreachables), while others are essential troubleshooting tools (echo, echo-reply, traceroute); second, the remaining messages will propagate through the network and create a security and denial-of-service (DoS) risk if not controlled. As an example, mask reply messages can be used for fingerprinting the network, redirects can be used for DoS attacks, and echo requests should not be allowed "in" from the Internet.
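The filtering guidance in the three paragraphs above expressed as an ordered, first-match rule list and evaluated against sample packets, as an added Python example that is not part of the appendix; the rule set (which protocols, ICMP types and ports to permit inbound from the Internet) is an assumed policy assembled from the text, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50   # protocol values from Table A-2

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None      # TCP/UDP destination port (Table A-3)
    icmp_type: Optional[int] = None  # ICMP type and code (Table A-4)
    icmp_code: Optional[int] = None

def icmp(t):
    return lambda p: p.proto == ICMP and p.icmp_type == t
def tcp_port(port):
    return lambda p: p.proto == TCP and p.dport == port

# Ordered like an access list: the first matching rule wins and anything that
# matches nothing is denied. The policy is an assumed one built from the text.
INBOUND_RULES = [
    ("permit esp: encrypted IPSec traffic",                lambda p: p.proto == ESP, "permit"),
    ("deny gre: block non-approved tunnels",               lambda p: p.proto == GRE, "deny"),
    ("permit type 3 unreachables (incl. code 4, frag needed)", icmp(3), "permit"),
    ("permit type 0 echo reply (replies to our own pings)", icmp(0), "permit"),
    ("permit type 11 time exceeded (traceroute)",          icmp(11), "permit"),
    ("deny type 8 echo request from the Internet",         icmp(8), "deny"),
    ("deny type 5 redirect (DoS risk)",                    icmp(5), "deny"),
    ("deny type 18 address mask reply (fingerprinting)",   icmp(18), "deny"),
    ("deny any other ICMP",                                lambda p: p.proto == ICMP, "deny"),
    ("permit https (tcp/443)",                             tcp_port(443), "permit"),
    ("deny rdp (tcp/3389) from the Internet",              tcp_port(3389), "deny"),
]

def evaluate(pkt):
    """Return (action, matching rule) for a packet arriving from the Internet."""
    for description, matches, action in INBOUND_RULES:
        if matches(pkt):
            return action, description
    return "deny", "implicit deny"

# Constructed sample traffic, not captured from any real network.
SAMPLES = [
    Packet(ESP), Packet(GRE), Packet(ICMP, icmp_type=3, icmp_code=4),
    Packet(ICMP, icmp_type=8, icmp_code=0), Packet(ICMP, icmp_type=5, icmp_code=1),
    Packet(TCP, dport=443), Packet(TCP, dport=3389), Packet(UDP, dport=514),
]
def audit(packets=SAMPLES):
    """Actions in order, so a reviewer can see what the list lets through."""
    return [evaluate(p)[0] for p in packets]
```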