Appendix B
Let us now see how this works with a second range, often used elsewhere in this book, and go from CIDR to a full network description. The CIDR notation is 205.150.200.223/28. First, we rewrite the full netmask. 28 bits is 8 bits + 8 bits + 8 bits + 4 bits. So we have a netmask of 11111111 11111111 11111111 11110000, which in decimal is 255.255.255.240.
IP address |
205.150.200.223 |
11001101 10010110 11001000 11011111 |
Netmask |
255.255.255.240 |
11111111 11111111 11111111 11110000 |
|
|
|
So, the bits in the netmask that are zero are those that can be changed for this subnet. Again, to get the lowest address, we write zeros in the IP address for which the netmask has a zero, which means that bit can be changed. To get the highest address, we write ones in the IP address for which the netmask has a zero.
The following table might help make this clear:
|
IP address |
Netmask |
IP address AND netmask |
|
|
|
|
Lowest IP |
205.150.200.223 |
11001101 10010110 11001000 11010000 |
205.150.200.208 |
Highest IP |
205.150.200.223 |
11001101 10010110 11001000 11011111 |
205.150.200.223 |
|
|
|
|
The lowest address is also called the network address, the highest address is also called the broadcast address, as this is used to send messages that need to reach all the hosts in the subnet. It is important to realize that a netmask does not mean anything on its own; it must be used in conjunction with an actual IP address.
The Rest of the Network
Now we have a method for determining what is a local directly reachable host, and what is not directly reachable. We only need one last piece of information. If we cannot communicate to a host directly, because it is not in our local subnet, where do we send packets for that host to? We send it to a special host called the gateway. A host can have different gateways it uses for different remote subnets, and usually a host also has one gateway that it uses for all the unspecified subnets. This gateway is called the 'default gateway'. Obviously, this gateway must be in the local subnet, or we would need a gateway to reach the gateway! Since a gateway is also part of the remote LAN in the remote subnet, you can already deduce that such a gateway machine is in two different subnets, and that it will have two different IP address for that one host. Since an IP address is therefore no longer something that we can unique identify a host with, we need another qualifier to denote a host. This is called the Autonomous System number (AS). Only hosts that need to make dynamic routing decisions tend to get an AS assignment.
Linux Networking Commands
To see the IP address and netmask of a machine, you can use the ifconfig command. To see what a host knows about other subnets and gateways, you can use the route command. Technically
315
Networking 101
speaking, however, both these two commands are obsolete. On Linux, they have been obsoleted in favor of the less friendly and almost completely undocumented but more powerful ip command.
Old Style |
New Style |
|
|
ifconfig |
ip iface listen |
route -n |
ip route list |
|
|
Routing
In essence the Internet is nothing more than a lot of these local subnets and gateway machines connected to each other. An important difference between a leaf node of the Internet and a core host in the Internet is the default route. A leaf node can just send packets upstream using the default gateway. But giving a packet to a default gateway is really just postponing making a decision in the hope that the default gateway knows what to do with the packet. And our default gateway itself might have its own default gateway defined, or it might keep a big table of subnets and gateways. There are various routing protocols that facilitate learning and updating these lists of routes. Some older routing protocols are RIP (which is really R.I.P.) and Open Shortest Path First (OSPF). Mostly, modern day routers use the Border Gateway Protocol (BGP).
Routing Decisions
So far we have made decisions on where to send packets to based on where they need to go to. This is called destination-based routing, and is the most common type of routing on leaf nodes. Routing decisions can, however, be made based on many criteria. Another common type of routing is source-based routing. For those familiar with the 'funny routes' with Openswan, these two half default routes into the IPsec network device make sure all packets are processed by Openswan to get encrypted. This mechanism predates proper source routing and will be replaced soon. Linux source routing is performed using the ip rule command.
Routing of packets to non-local machines is a rather dynamic process. Hosts on the Internet keep changing locations from a network topology point of view. If there is an outage, a different route will be taken. But there are more things to consider when routing packets, and the most common criterion on backbone routers these days sadly is money. Packets will be routed based on the cost. Some call this hot-potato routing, which means "get rid of the packet as soon as you can", because that is most often the cheapest solution.
Peering
The concept of peering is that you have a few 'network routes' or subnets and that you are willing to exchange traffic with them. Two networks exchanging traffic like this are called peering partners. Internet Exchanges are locations where many peering partners get together to lower the costs of running cables to too many peering partners. Instead, everyone gets together on a few big switches and exchanges routing information using BGP. If the relationship between two ISPs is rather asymmetrical, that is one end has a few networks or routes and the other has "most or all of the Internet routes", one usually speaks of transit traffic. Transit traffic is much more expensive than peering traffic.
316
Appendix B
Network Address Translation
Every host on the Internet has to have a unique routable IP address, or else it would not be considered a host on the Internet. For various reasons, people have started to use tricks to get more IP addresses. ISPs often give an end user only one IP address, while those end users want to connect more than one computer. The trick mostly deployed now is Network Address Translation (NAT, sometimes also called NAPT). The end user connects these computers together using internal IP addresses. On the machine that is actually connected to the Internet, which could be a phone, cable or DSL line, the real globally routable IP address is configured. This is the IP address that everyone on the Internet can talk to. The address is given out by the ISP.
This computer, technically speaking now acting as a router, takes incoming packets from the LAN's private IP addresses, and rewrites these packets so they appear to come from its own real IP address. It remembers which local machine these packets were translated for. When the remote machine it were trying to reach answers, that machine thinks it is talking to the router. Once the router receives the response packet, it matches it with the list of local computers and their network connections, and translates the destination IP address back to the local machine's private IP address and sends the packets onto the local network.
Of course, there is one problem. A remote machine cannot reach the local machine behind the router, since it has no public routable IP address. It cannot just connect to the public IP address either, because the router would have no idea for whom this packet was intended, since no local machine has initiated the communication.
People began to see this as more than a shortcoming. After all, this setup is ideal for protecting those internal machines. Since the world cannot reach them, no hackers or viruses could ever reach them either. It sort of works like a firewall, and this is why you often see NAT and firewalls combined on one device. All common DSL and cable modem routers can do NAT and firewalling.
Port Forwarding
A trick to allow more direct access to those machines behind a NAT host is to listen on certain ports, for example port 80 which is used for HTTP web servers, and any packet received for this port can be forwarded to a predefined 'internal' machine. Once the web server with its private IP address answers, the router rewrites the source address to itself, and sends it back to the machine on the Internet. The machine on the Internet never knows its packet was actually sent further into the network than the machine it contacted. This trick is also used to create load balancing or failover configurations.
317