Help
Add this page to your collection
Show collection (0 pages)
Suggest pagesComputer Networks/IP, ARP, DHCP, NAT, ICMP
<< Network | IP, ARP, DHCP, NAT, ICMP | Routing >>
Contents |
[edit] Introduction
Network Layer is responsible for transmitting messages hop by hop. The major internet layer protocols exist in this layer. Internet Protocol (IP) plays as a major component among all others, but we will also discuss other protocols, such as Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Network Address Translation (NAT), and Internet Control Message Protocol (ICMP). Network layer does not guarantee the reliable communication and delivery of data.
[edit] Internet Protocol
Internet Protocol (IP) is the Internet layer protocol that contains address information for routing packets in Network Layer of OSI model.
IP, as an integral part of TCP/IP, is for addressing and routing packets. It provides the mechanism to transport datagram across a large network. In more detail, the main purpose of IP is to handle all the functions related to routing and to provide a network interface to the upper-layer protocols, such as TCP from Transport Layer. Applications use this single protocol in the layer for anything that requires networking access.
[edit] Network Layer Functionality
Network Layer is responsible for transmitting datagrams hop by hop, which sends from station to station until the messages reach their destination. Each computer should have a unique IP address assigned as an interface to identify itself from the network. When a message arrives from Transport Layer, IP looks for the message addresses, performs encapsulation and add a header end to become a datagram, and passes to the Data Link Layer. As for the same at the receive side, IP performs decapsulation and remove network layer header, and then sends to the Transport Layer. The network model illustrates below:
Figure 1 Network Layer in OSI Model
When a datagram sends from the source to the destination, here are simple steps on how IP works with a datagram travels:
- Upper-layer application sends a packet to the Network Layer.
- Data calculation by checksum.
- IP header and datagram constructs.
- Routing through gateways.
- Each gateways IP layer performs checksum. If checksum does not match, the datagram will be dropped and an error message will send back to the sending machine. Along the way, if TTL decrements to 0, the same result will occur. And, the destination address routing path will be determined on every stop as the datagram passes along the internetwork.
- Datagram gets to the Network Layer of destination.
- Checksum calculation performs.
- IP header takes out.
- Message passes to upper-layer application.
Figure 2 IP Characteristic in Network Layer
In Network Layer, there exist other protocols, such as Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP), but, however, IP holds a big part among all.
Figure3 Internet Protocol in Network Layer
In addition, IP is a connectionless protocol, which means each packet acts as individual and passes through the Internet independently. There is sequence, but no sequence tracking on packets on the traveling, which no guarantee, in result of unreliable transmission.
[edit] IP Packet Format
Each IP header contains information relates to data sends from upper layers for identifying the destination, and is shown as follows:
Figure 4: IP Packet
Here is a snapshot of an IP packet capture on Ethereal:
Figure 5: IP packet captured from Ethereal
Notice in the protocol field that captured above, it indicates TCP. Since the header does not have any protocol information for the next layer, it simply directs IP to pass the segment to TCP at the Transport Layer. All other fields correspond to the description above.
[edit] IP Address
IP address is a set of numbers identify any packet sends from sender to receiver on IP network in the Internet. It is a software address associated with interfaces, 32-bit information as a hierarchical address structures to handle a large number of addresses, assigns to each machine as interface that designs to communicate between hosts in different network. Dotted-decimal notation usually use as for easy understanding purpose.
An IP address consists of two parts, Network Address and Host Address. Network Address for identify each network, and Host Address for identify individual machine.
Example:
One would wonder what the IP address information of the current machine that connecting to the network, we could use ipconfig command to find out:
Figure 6 ipconfig Command for Address Information
The current machine turns out to have the IP address of 192.168.1.4. The next figure will show a physical interface representation corresponds to the IP address, and notice the first 16 bits are representing the network address, which will stay the same within its own network:
Figure 7 Network Connection
There are different classes of networks, based on the network size, as shown in the following:
Figure 8 IP Address Class Identification
Notice that bits in the beginning of each class set are defines by address schemes, which will not be used. So, the network address ranges for each class are as follows:
File:Network Address Range.jpg
However, because of the address demanding and shortage, there IP addresses exist that reserved for special purposes and sets for private network.
[edit] Subnetwork
Subnetwork (Subnet) is used to group computers in the same network that has IP address with the same network address. Subnet is one of the solutions for resolving the shortage of addresses and to help utilizing the address assignment in the network. Subnet mask is introduced to have the network breaks into subnetworks in order to provide a hierarchical routing architecture.
Example:
Subnet: 180.28.30.1-128
Subnet mask: 255.255.255.128
Slash notation is introduced to identify the number of bits turn on. When the Internet Service Provider (ISP) allocates addresses to the users, these addresses will be in a slash notation form:
Example:
In addition to the advantage of grouping computer, there are some benefits from subnetwork:
- Reduced network traffic
- Increase network performance
- Simplified management
Classless Interdomain Routing (CIDR), also known as supernetting, is another solution for shortage of addresses. The basic idea is the same as subnet. The only different is that host address is occupying bits from the network address, which help for address wasteful avoidant purpose.
Example:
[edit] Additional IP Related Information
There are four steps defined for troubleshooting IP addressing:
1. Ping 127.0.0.1
2. Ping localhost IP address
3. Ping default gateway
4. Ping the remote server
Each of these could give information about the network status. Step 1 is generally a loopback test, which means the IP stack is initialized if successful. Then if Step 2 is successful, it means that the Network Interface Card (NIC) is functioning properly. Step 3 allows the user to find that the machine can communicate within the local network. Lastly, Step 4 gives the administrator the information of a host that successfully communicates with the remote server, where the remote physical server is working.
[edit] Address Resolution Protocol
Address Resolution Protocol (ARP) is a mechanism used by IP to find the hardware address of a host from an IP address.
When IP is trying to send a datagram to the Data Link Layer (layer 2), Ethernet will be informed to look for the hardware address, also known as MAC Address, of the destination in the local network. Since Ethernet is using hardware addresses to identify source and destination, ARP will be used to obtain the hardware address by broadcast the specified IP address. Then, the machine that matched the specified IP address will reply with the requested hardware address.
Figure 9: ARP broadcast
[edit] ARP Packet Format
Similar to IP Packet, Each ARP packet field is explain as follows:
Figure 10: ARP packet
The image below is a snapshot of an ARP packet capture on Ethereal:
Figure 11: ARP packet captured from Ethereal
Notice the destination from Ethernet header is all 1s (ff:ff:ff:ff:ff:ff). ARP is performing a broadcast in the above trace.
Here is another example for ARP to locate hardware address. “arp –a” command allows to display current ARP cache tables for all interfaces:
Figure 12: ARP Command for Hardware Address
IP allows datagram to transport across a large network, the Internet. However, if two nodes are going to communicate across the same Local Area Network (LAN), IP in layer 3 will not be needed because ARP with the Ethernet address is enough for the data transfer. Unless many different layer 2 communications are established across the internet, then IP and router will be forced to use. Layer 3 IP is usually only used when a communication goes beyond layer 2 and is required.
[edit] Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) allows for manual and automatic assignment of IP addresses (see IETF rfc 2131 & 2132). DHCP is enacted when a new machine joins a network or an existing machine attempts to renew its IP address. DHCP is an extension of an older protocol known as the "bootstrap protocol" (BOOTP) and is backwards compatible with BOOTP. There are three methods of IP address allocation:
Manual: An administrator manually assigns the IP address; tedious but most secure method.
Automatic: DHCP server assigns permanent IP address to requesting client.
Dynamic: DHCP server "leases" IP address to requesting client. The IP address is only valid for a limited period of time;
after which the client must request a renewal or ask for a new IP address.
By far the most common (and most detailed) method is the dynamic method, which we'll focus our attention on. A typical sequence for a new client requesting an IP address is shown in the diagrams.below. Please note that this depiction shows the DHCP server located on a different network segment than the new client. But it's not required to be that way.
[edit] Example
Figure 1
In figure 1, a new client that just joined the network, needs an IP address. Since it does not know the DHCP server's location, the client broadcasts (step 1) a DHCPDISCOVER message on the local network. The message packet contains a hardware identifier (usually the MAC address), the source port (68), the destination IP (255.255.255.255), destination port (67), and a randomly generated transaction id. Optionally the client can specify the IP address it wants and the lease duration in the message. Once the DHCP relay receives the broadcasted message, it fills in the "giaddr" field of the packet with the gateway IP address of 10.1.2.9 . This piece of information is critical because the DHCP Server needs it to determine which subnet the client is on and thus which IP address to allocate to the client. Afterwards the DHCPDISCOVER message is relayed to the DHCP Server via unicast (step 2). A unicast, instead of a broadcast, is sufficient because the DHCP relay knows the exact location of the DHCP server. For this same reason, the DHCP relay does not allow the other network segment, 10.1.1.X, to receive the message.
Once the DHCP server receives the DHCPDISCOVER request, it allocates an IP address, marks it as taken, and then broadcasts a DHCPOFFER message back to the requesting client. This message packet contains the DHCP server's IP address, the client's hardware identifier, the same transaction id, and the IP address allocated for the client. Optionally, the message may also contain the lease time, subnet mask, default TTL, default router(s), and numerous other parameters.
Figure 2
In figure 2, the DHCP server allocates new IP address 10.1.2.3 for the client and broadcasts a DHCPOFFER message to its network (step 3). When the DHCP relay sees the DHCPOFFER broadcast, it relays the broadcast to the 10.1.2.X network and only that network (step 4). Once the new client sees the DHCPOFFER message, it accepts the IP address (step 5) and prepares a confirmation message to the DHCP server with a DHCPREQUEST packet. Please note that the client does not have to accept this IP address, in which case it will not send a DHCPREQUEST message. If multiple DHCP servers sends out a DHCPOFFER, the client can choose which one to accept. If for some reason, the DHCPOFFER message fails to ever arrive, the client will rebroadcast the DHCPDISCOVER message.
Figure 3
If the client included optional information in the initial DHCPDISCOVER message, it must include that same information in the subsequent DHCPREQUEST message. In step 6 of figure 3, the new client confirms it wants the IP address 10.1.2.3 by broadcasting a DHCPREQUEST to the DHCP server. Once the DHCP Server receives this message (with help again from the DHCP Relay), it first ensures that it is the intended target - because the client could be responding to another DHCP Server. If this DHCP server is not the intended target, then it knows some other DHCP server is handling this client. So this DHCP server can discard any previously allocated IP address for that client. If this DHCP Server is the intended recipient, then it has to verify the optional parameters that it specified in the previous DHCPOFFER message to this client, are still valid. Assuming everything is fine up to this point, the DHCP Server sends a DHCPACK broadcast (step 8) to tell the client that its new IP address can now officially be used. However, if something is wrong, then a DHCPNACK is broadcasted instead. Either way, a DHCPACK or DHCPNACK will be the final message sent by the DHCP server in the dynamic IP address allocation sequence..
Assuming it receives the DHCPACK relayed by the router (step 9), the client is encouraged to verify no other hosts has the same IP address. This is usually accomplished through a simple ARP probe. Any response to the probe means that another client is already using the IP address. In such a situation, the client must send a DHCPDECLINE message to the DHCP server. Afterwards the client will then need to restart this whole process beginning with DHCPDISCOVER phase. In most cases, there's no response to the client's ARP probe. This means the client can go ahead and use the allocated IP address along with any other optional information stored in the message packet.
If the client got a DHCPNAK instead of DHCPACK, then it has no choice but to restart everything from the very beginning i.e. the DHCPDISCOVER stage. Finally, if the client doesn't receive any DHCPACK or DHCPNAK message after a certain period of time, then it rebroadcasts the DHCPREQUEST message.
[edit] Other DHCP Messages
IP Renewal: If the client wishes to renew its existing IP address (usually because of expiring lease), it unicasts a special
DHCPREQUEST message that indicates it's renewing (and not asking for new) IP address. The DHCP server can choose
to extend the lease or reject it. Either way, it must inform the client via a DHCPACK message.
Release IP: The client can request its current IP address be relinquished by issuing a DHCPRELEASE message (via unicast) to
the DHCP server. The message packet must contain the IP address and the hardware identifier of the client. Upon
receipt, the DHCP server marks the client's IP address as unallocated.
Inform: The client already has an IP address but needs additional configuration parameters, such as default TTL, subnet
mask, etc. So it sends a DHCPINFORM message to the DHCP server. In response, the DHCP server unicasts a DHCPACK
[edit] Security Concerns
DHCP is inherently insecure because there's no authentication mechanism built in. Here are a few examples of security weaknesses.
Problem: The DHCP server does not know if requests are from a legitimate new client or a rogue host pretending to be one.
Impact: This could lead to IP addresses allocated to spoofed MAC addresses that don't exist, and eventually exhaust the pool
of legitimate IP addresses. Thus new hosts cannot added to the network.
Solution: Manually assign IP addresses or manually verify every new client requesting IP address. Can also audit the DHCP
database. But these are all fairly time-consuming. No simple way to address this issue.
Problem: A new client doesn't know if responses are coming from real DHCP server or rogue host pretending to be a DHCP server.
Impact: If the client accepts all the information given to it by the rogue DHCP server, then false information (e.g. bad
subnet mask) could render the client useless.
Solution: Can identify fake DHCP servers by using security tools that send out DHCPDISCOVER & DHCPREQUEST messages and flag any
suspicious information returned.
[edit] References
http://tools.ietf.org/html/rfc2131
http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
http://www.eventhelix.com/RealtimeMantra/Networking/DHCP.pdf
[edit] Network Address Translation
When IP addresses were introduced, only a portion of the theoretical four billion or so IP addresses were available for assignment. Early on, this was not a problem because the Internet was only used among groups of academic researchers, a few high tech companies, and the U.S. Government. But after the Internet exploded in popularity during the mid-1990s, it soon became clear that there won't be enough IP addresses to keep up with demand. In response, IPv6 was proposed as a long term solution. But IPv6 was quite different from IPv4 and had complexities that slowed down its adoption. So a practical short term solution was needed, and thereby Network Address Translation (NAT) was introduced.
[edit] Example
The basic idea behind NAT is to assign a single IP address to a NAT device. We'll call this the public IP address. Within the local network behind the NAT device, every computing device gets assigned a private IP address as illustrated below:
Figure 1
.jpg)
In figure 1, the NAT device's public IP address is 145.12.131.7 while the private IP addresses are in the range 192.168.X.X. This range of private IP addresses is one of three common ranges:
Class A: 10.0.0.0 - 10.255.255.255/8 Class B: 172.16.0.0 - 172.31.255.255/12 Class C: 192.168.0.0 - 192.168.255.255/16
Keep in mind that private IP addresses are valid only within that local area network. It is not recognized on the public Internet. For packets that originate from a private IP address and port, it must be converted to a unique public IP address and port before it can be sent to the Internet. The mapping from private IP address & port to a public IP address & port is typically done through a translation table inside the NAT device. An example is shown in figure 2:
Figure 2 .jpg)
In step 1, the host at private IP address 192.168.100.3 is requesting the homepage of www.yahoo.com via an HTTP request through port 3855. When the HTTP packet arrives at the NAT device (step 2), it looks up the translation table for an existing public (IP addr, port) entry for this private (IP addr, port) combination. If no existing entry exists, then the NAT device will create a new public (IP addr, port) entry. If there is an existing entry, then the translation process will use the existing entry. Please remember that each entry in the translation table must always remain unique! After the table lookup is complete, the IP packet is then altered so that the new IP address and port replaces the old one. Finally in step 3, the altered packet is routed to www.yahoo.com . This entire network address translation process is completely transparent to the end hosts. In other words, neither the host at 192.168.100.3 nor the Yahoo web server realizes the packet has been changed.
The packet from Yahoo's web server now goes through the reverse translation process to reach the requesting host.
Figure 3 
The reverse process is similar to the original translation process. It will look up the translation table for the corresponding private (IP addr, port) pair when given the public (IP addr, port) pair. The only difference it that a missing entry will result in the packet getting thrown away. Once the lookup and alteration is completed (step 5), the packet (now contains the original private (IP addr, port) information) is sent to the requesting host at 192.168.100.3 port 3855.
[edit] NAT vs. Proxy
NATs are sometimes confused with proxies, but they are actually quite different in one aspect: transparency. NAT is completely transparent to the end hosts i.e. only the NAT device knows that an IP conversion is taking place. But for proxies, the source application/host is well aware of the change because it has to deliberately be configured to use the proxy.
[edit] Problems with NAT
Applications that holds their [private] IP address information inside data packets will find that it doesn't match with their actual IP address once the IP translation is done and the packet is on the Internet. Example: FTP
Among the chief complaints is that the widespread use of NAT has resulted in delayed deployment of IPv6, which is the more ideal long-term solution. Despite all the issues associated with NAT, it is still "good enough" for most home users. Therefore, adoption of IPv6 among DSL and cable Internet customers in the U.S. will continue to be slow. For Internet purists, the whole NAT solution is considered to be a quick "hack" rather than a long term solution. The original Internet was designed for end-to-end communication, where every host has a public IP address.
[edit] Overcoming NAT Restrictions
Simple Traversal of UDP through NAT (STUN) : Suppose Host A and Host B are both behind asymmetric NATs and both have a UDP session with server S who is directly connected to the Internet. Then host A can use the same source IP & port as the existing connection with S to initiate session with host B. Meanwhile, S knows the public IP and port of A's session with B since it's the same as A's session with S. S then passes this info to B, and B initiates UDP session with A.
Traversal Using Relay NAT (TURN): this setup requires an intermediary server S, who is directly connected to Internet. Both hosts A and B would have to initiate session with S, and then S will relay their messages to each other.
[edit] Port Address Translation
A related but somewhat different concept to NAT is port address translation (PAT). PAT allows incoming sessions, that are initiated from an external host, to map to a specific internal host and port. For example, in figure 4
Figure 4 
all incoming requests to port 80 of the router are forwarded to internal host 192.168.100.2 port 7575. Likewise, all incoming connections to port 22 or the router are redirected to host 192.168.100.1 port 22. This type of setup is common for users to wish to run a server behind a NAT device. The only down side to PAT is that it's restricted to one entry per router port.
[edit] References
http://computer.howstuffworks.com/nat.htm/printable
http://en.wikipedia.org/wiki/Network_address_translation
http://www.brynosaurus.com/pub/net/draft-ford-midcom-p2p-01.txt
[edit] Internet Control Message Protocol
Internet Control Message Protocol (ICMP) is a protocol used to pass information related to network operation between hosts, routers and gateways in network level.
There are four major functions as follows:
* Announce network errors when the network being unreachable. * Announce network congestion when a router over-buffer due to too many packets transmitting. * Assist Troubleshooting when packets send over a network to compute the loss percentages and round-trip times. * Announce Timeouts when TTL of an IP packet drops to zero, where a packet being discards.
Please note that ICMP packets are crafted at the IP layer and thus does not guarantee delivery.
[edit] Network Connectivity Check
Two of the most practical connectivity test commands are ping and traceroute. These two commands are good mechanisms for network troubleshooting, and both of these use ICMP.
[edit] Ping
Ping is a computer program that determines if a host is up or not. Ping basically consists of a source sending an ICMP "echo request" to a target, followed by the target replying with an ICMP "echo response" - assuming the target is up. A typical output of Ping is shown in figure 1 and an Ethereal capture in figure 2:
Figure 1: Output of Ping command
Figure 2: ping Ethereal capture
Notice the ICMP echo request and reply comes up in the capture when a Ping command is performed. The Type and Code fields represent the different kinds of action and error results. A brief description of each is shown in the following table:
| Type | Code | description |
|---|---|---|
| 0 | 0 | echo reply (ping) |
| 3 | 0 | dest network unreachable |
| 3 | 1 | dest host unreachable |
| 3 | 3 | dest port unreachable |
| 3 | 6 | dest network unknown |
| 3 | 7 | dest host unknown |
| 4 | 0 | source quench (congestion control - not used) |
| 8 | 0 | echo request (ping) |
| 9 | 0 | route advertisement |
| 10 | 0 | router discovery |
| 11 | 0 | TTL expired |
| 12 | 0 | bad IP header |
[edit] Traceroute
Traceroute is a computer program that sends ICMP packets to show the route a packet takes across an IP network from source to destination. It does this by incrementing the time-to-live (TTL) field by 1 for every successive host until it reaches its destination. A traceroute output and Ethereal capture are shown in figures 1 & 2, respectively.
Figure 3: Output of Traceroute command
Figure 4: traceroute Ethereal capture
Notice a TTL timeout message sent back to the source every time an ICMP message passes a network device. Then the source will record the router name.
[edit] References
http://tools.ietf.org/html/rfc792
http://www.techbooksforfree.com/intro_to_data_com/page253.html
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_tech_note09186a008020a42a.shtml
[edit] Summary
Internet Protocol (IP) is responsible for addressing and routing packets in the Network Layer (layer 3) of the 7 layer OSI model. Messages are transmitted hop by hop in this layer, and each node's interface has a unique IP address for identification in the network. It allows datagram to transport across a large network.
Address Resolution Protocol (ARP) is a mechanism used by IP that finds the hardware address of a host from an IP address within the local area network.
Dynamic Host Configuration Protocol (DHCP) is a convenient, though insecure, technique to assign an IP address to a host newly added to a network. It can also be used to extend the lease period of an existing IP address, drop the IP address of a host, or provide initial configuration parameters to a requesting host.
Network Address Translation (NAT) is a widely-used solution to the shortage of IP addresses. NAT introduces the concept of a "private" IP address that is valid only within a Local Area Network (LAN) and must be translated to the "public" IP address that's used on the Internet. With NAT, we can have multiple private IP addresses share a single public IP address, thus delaying the need to deploy long-term solutions to the shortage of IP addresses.
Internet Control Message Protocol (ICMP) is a way to send error messages or perform network diagnostics across a network. Two of the most common tools utilizing ICMP are Traceroute and Ping.
[edit] Exercises
Question:
- What is the Class C private IP address space?
- What is the subnetwork number of a host with an IP address of 172.16.170.0/22?
- What is the subnetwork number of a host with an IP address of 192.168.111.88/26?
- The network address of 192.16.0.0/19 provides how many subnets and hosts?
- You have a Class B network ID and need about 450 IP addresses per subnet. What is the best mask for this network?
- You router has the following IP address on Ethernet: 172.16.112.1/20. How many hosts can be accommodated on the Ethernet segment?
- If a company calls for technical support regarding to its malfunction network, what are the four basic steps to perform a IP addressing troubleshooting?
- If an Ethernet port on a router were assigned an IP address of 172.16.112.1/25, what would be the valid subnet address of this host?
- (T/F) ICMP messages are encapsulated in IP datagrams.
- (T/F) Ping program uses “TTL” field to detect if a destination host is alive.
- Using the example illustrated in the DHCP section, explain how the interaction between the new client and the DHCP Server would change if the DHCP Server is located on the same network segment as the new client.
- (T/F) Once a new client receives the IP address after the DHCPOFFER, the client should verify no other hosts are using that IP address.
- STUN and TURN were presented as 2 ways to bypass NATs. Can you describe 2 additional methods for bypassing NAT?
- (T/F) Both STUN and TURN can only be used for UDP and never for TCP.
Answer:
- 192.168.0.0 – 192.168.255.255
- 172.16.168.0
- 192.168.111.64
- 8 subnets, 8190 hosts each
- 255.255.254.0
- 4094
- (a) Ping 127.0.0.1. (b) Ping local host IP address. (c) Ping default gateway. (d) Ping the remote server.
- 172.16.112.0
- True
- False - Ping waits for an "echo response" packet from the target.
- The only difference would be the DHCP Relay not getting involved. Thus the DHCP Server receives broadcasts instead of unicasts, and the "igaddr" field of the message packet wil be empty.
- False - the client must wait until DHCPACK (not DHCPOFFER) because the IP address is not officially assigned to the new client until DHCPACK is received.
- Universal Plug and Play (mkiUPnP), assuming the router or NAT device is configured to accept it. Another method is to tunnel out to a server. Yet a third method is to use Application Layer Gateways, assuming the router or NAT device has it built in.
- False - STUN is only for UDP, but TURN applies to both UDP and TCP.
