
Syngress IP addressing and subnetting including IPv6 dec 1999 ISBN 1928994016


DOCUMENT INFORMATION

Pages: 397
Size: 5.1 MB

Contents

IP Addressing and Subnetting, Including IPv6
Authors: J. D. Wegner, Robert Rockell
ISBN: 1928994016
Published: 2000
Publisher: Syngress Media

This book covers every aspect of the current version of IP, as well as IPv6, whose widespread migration was expected to start in late 1999. The IPv6 changes include: increasing the IP address size from 32 bits to 128 bits; supporting more levels of addressing hierarchy and an increased number of addressable nodes; supporting simpler auto-configuration of addresses; improving the scalability of multicast routing by adding a "scope" field to multicast addresses; and using a new "anycast address" to send a packet to any one of a group of nodes. As in other Syngress books, this one makes a complex subject accessible by including appendices, summaries, extensive art, and detailed indexes.

Table of Contents

PREFACE

CHAPTER 1 Addressing and Subnetting Basics
IP Address Basics; Classful Addressing: Structure and Size of Each Type; What Is a Network?; Class A; Class B; Class C; Address Assignments; Single Address per Interface; Multihomed Devices; Multinetting: Multiple Addresses per Interface; Examples; Purpose of Subnetting; The Basic Fixed-Length Mask; What the Mask Does; Components of a Mask; Binary Determination of Mask Values; Decimal Equivalent Mask Values; Creating Masks for Various Networking Problems; Addresses and Mask Interaction; Reserved and Restricted Addresses; Determining the Range of Addresses within Subnets; Determining Subnet Addresses Given a Single Address and Mask; Interpreting Masks; Reserved Addresses; Summary; FAQs

CHAPTER 2 Creating an Addressing Plan for Fixed-Length Mask Networks
Introduction; Determine Addressing Requirements; Review Your Internetwork Design; How Many Subnets Do You Need?; How Many IP Addresses Are Needed in Each Subnet?; What about Growth?;
Choose the Proper Mask; Consult the Tables; Use Unnumbered Interfaces; Ask for a Bigger Block of Addresses; Router Tricks; Use Subnet Zero; Obtain IP Addresses; From Your Organization's Network Manager; From Your ISP; From Your Internet Registry; Calculate Ranges of IP Addresses for Each Subnet; Doing It the Hard Way; Worksheets; Subnet Calculators; Allocate Addresses to Devices; Assigning Subnets; Assigning Device Addresses; Sequential Allocation; Reserved Addresses; Grow Towards the Middle; Document Your Work; Keeping Track of What You've Done; Paper; Spreadsheets; Databases; In Any Case; Summary; FAQs; Exercises; Subnetting Tables; Class A Subnetting Table; Class B Subnetting Table; Class C Subnetting Table; Subnet Assignment Worksheet

CHAPTER 3 Private Addressing and Subnetting Large Networks
Introduction; Strategies to Conserve Addresses; CIDR; VLSM; Private Addresses; Addressing Economics; An Appeal; Public vs. Private Address Spaces; Can I Pick My Own?; RFC 1918: Private Network Addresses; The Three Address Blocks; Considerations; Which to Use When; Strategy for Subnetting a Class A Private Network; The Network; The Strategy; Address Assignment; The Headquarters LANs; The WAN Links from Headquarters to the Distribution Centers; The Distribution Center LANs; The WAN Links from the DC to the Stores; The Store LANs; Results; Summary; FAQs; Exercises

CHAPTER 4 Network Address Translation
Introduction; Hiding Behind the Router/Firewall; What Is NAT?; How Does NAT Work?; Network Address Translation (Static); How Does Static NAT Work?; Double NAT; Problems with Static NAT; Configuration Examples; Windows NT 2000; Cisco IOS; Linux IP Masquerade; Network Address Translation (Dynamic); How Does Dynamic NAT Work?; Problems with Dynamic NAT; Configuration Examples; Cisco IOS; Port Address Translation (PAT); How Does PAT Work?; Problems with PAT; Configuration Examples; Windows NT 2000; Linux IP Masquerade; Cisco IOS; What Are the Advantages?; What Are the Performance Issues?;
Proxies and Firewall Capabilities; Packet Filters; Proxies; Stateful Packet Filters; Stateful Packet Filter with Rewrite; Why a Proxy Server Is Really Not a NAT; Shortcomings of SPF; Summary; FAQs; References & Resources; RFCs; IP Masquerade/Linux; Cisco; Windows NAT; Whitepapers; Firewalls

CHAPTER 5 Variable-Length Subnet Masking
Introduction; Why Are Variable-Length Masks Necessary?; Right-sizing Your Subnets; More Addresses or More Useful Addresses?; The Importance of Proper Planning; Creating and Managing Variable-Length Subnets; Analyze Subnet Needs; Enumerate Each Subnet and Number of Required Nodes; Determine Which Mask to Use in Each Subnet; Allocate Addresses Based on Need for Each Subnet; Routing Protocols and VLSM; Class C VLSM Problem; Completing the Class C Problem; Template-based Address Assignment; Summary; FAQs

CHAPTER 6 Routing Issues
Introduction; Classless Interdomain Routing; From Millions to Thousands of Networks; ISP Address Assignment; Using CIDR Addresses Inside Your Network; Contiguous Subnets; IGRP; EIGRP; EIGRP Concepts; RIP-1; Requirements; Comparison with IGRP; Routing Update Impact; RIP-2; Requirements; OSPF; Configuring OSPF; Routing Update Impact; OSPF Implementation Recommendations; BGP; Requirements; IBGP and EBGP; Requirements; Loopback Interfaces; Summary; FAQs

CHAPTER 7 Automatic Assignment of IP Addresses with BOOTP and DHCP
Objectives; Introduction; The Role of Dynamic Address Assignment; A Brief History; Address Management with These Tools; The BOOTP Packet; Field Descriptions and Comments; OP; HTYPE; HLEN; HOPS; XID; SECS; FLAG; CIADDR; YIADDR; SIADDR; GIADDR; CHADDR; SNAME; FILE; VEND/OPTION; BOOTP Process Details; Client BOOTREQUEST; Server BOOTREPLY; Field Values in the BOOTREPLY Packet; The BOOTP Server Database; How Does DHCP Work?;
DHCP Process Overview; DHCP Process Details; DHCP-Specific Options; Interoperation between DHCP and BOOTP; DHCP Address Scopes; Comparing BOOTP and DHCP; How BOOTP Works; BOOTP Process Overview; DHCP/BOOTP Options; BOOTP Options from RFC 1497; IP Layer Parameters per Host; IP Layer Parameters per Interface; Link Layer Parameters per Interface; TCP Parameters; Application and Service Parameters; BOOTP, DHCP, and Routed Networks; The BOOTP Relay Agent; The Role of the GIADDR; Other Fields Involved; HOPS; CHADDR, YIADDR, HTYPE, HLEN, FLAG; SECS; UDP Port Number; IP TTL Field; All Other Fields; BOOTP Implementation Checklist; DHCP Implementation Checklist; Summary; FAQs

CHAPTER 8 Multicast Addressing
What Is Multicast?; Mapping IP Multicast to the Link Layer; Joining the Group; IGMP; Multicast Routing Protocols; Mbone; Multicast Addresses; Transient and Permanent Addresses; Generic Assignments; IANA Assignments; Scope of Multicast Addresses; Using TTL; Administrative Scopes; IP Stacks and Multicast; Why Multicast?; Efficiency of Bandwidth Usage and Scaling; Discovering Efficient Channel; Industry; Summary; FAQ; References

CHAPTER 9 IPv6 Addressing
Introduction; IPv6 Addressing Basics; IPv6 Addressing Scheme Characteristics; Version; Traffic Class; Flow Label; Payload Length; Next Header; Hop-by-Hop Options Header; Destination Options Header I; Routing Header; Fragment Header; Authentication Header; Encrypted Security Payload Header; Destination Options Header II; Hop Limit; Source Address; Destination Address; More Bits!;
A More Flexible Hierarchical Organization of Addresses; FP: Format Prefix; TLA ID; RES; NLA ID; SLA ID; Interface ID; Minimizing the Size of Routing Tables; Global Addresses for the Internet and Local Addresses for Intranet; IPv6 Benefits; Increased IP Address Size; Increased Addressing Hierarchy Support; Simplified Host Addressing; Simpler Autoconfiguration of Addresses; Improved Scalability of Multicast Routing; The Anycast Address; The Need for Further Development; The Multihoming Problem; The 6Bone; Summary

... original packet. Thus, the Fragment Offset in Figure 10.11(c) indicates that the data following this Fragment header should be positioned at octet offset 176 x 8 (= 1408) of the fragmentable part when reassembled at the destination node.

Figure 10.11 Example of fragmentation

Authentication Header

In an IP network (both IPv4 and IPv6), the Authentication header is used to provide integrity and data origin authentication for IP packets and to protect against replays. In this section, however, all terms are defined for an IPv6 network. The Authentication header authenticates the IPv6 header and those extension header fields that do not change en route. For instance, when a Type 0 Routing header is used, the Destination Address field in the IPv6 header is rewritten at each intermediate node listed in the Routing header, so the Authentication header cannot authenticate the Destination Address as it appears on the wire at any single hop; instead the sender computes the Integrity Check Value with the final destination address in place, which is the value the receiver will see. Note that Type 0 Routing headers were later deprecated by RFC 5095 (2007) because they allowed traffic amplification, and current stacks drop them. Figure 10.12 shows the format of the Authentication header.

Figure 10.12 Authentication header

Note that the Payload Length field is measured in 4-octet units (32-bit words), not including the first eight octets (two 4-octet units). Thus, with a 96-bit Authentication Data value the Authentication header is 24 octets (six words) long and the Payload Length is 4. For debugging purposes, the Null authentication algorithm may be used; because an IPv6 Authentication header must be a multiple of 8 octets, the 12-octet fixed part is then padded to 16 octets and the Payload Length field is 2.

For Managers Only
All other IPv6 extension header lengths are encoded by subtracting 1 from the header length measured in 8-octet units.

The Sequence Number field is used to provide protection
against replay. When a Security Association is established between source and destination nodes, the counters at sender and receiver are both initialized to 0. The sender must increment this field for every transmission; the receiver, however, may elect not to check it. The antireplay service is effective only if the receiver processes this field.

The Authentication Data field contains the Integrity Check Value (ICV) for this packet. The authentication algorithm, selected when the Security Association is established between the sender and the receiver, specifies the length of the ICV, the comparison rules, and the processing steps necessary. The ICV is computed over the packet by the source node and verified by the destination node, which recomputes the value and compares it with the value carried in the packet.

The Authentication header may be applied in transport or tunnel mode. The transport mode Authentication header, implemented in hosts, provides protection for the upper layer protocol header and for those fields of the IPv6 header and extension headers that do not change in transit. The tunnel mode Authentication header is applied to the original IPv6 packet, which is encapsulated in a new IPv6 packet whose addresses are those of distinct end points, such as security gateways.

In transport mode, the Authentication header, viewed as an end-to-end payload, is placed after the IPv6 header and after the Hop-by-Hop, Routing, and Fragment extension headers. Recall that a Destination Options header may appear once before the Routing header; its options apply to the intermediate nodes listed in the Routing header. In that case, the Authentication header comes after that Destination Options header, as shown in Figure 10.13.

Figure 10.13 Header order with Authentication header in transport mode

In tunnel mode, the Authentication header is applied to the original IPv6 packet using distinct IPv6 addresses as communication end points (e.g.,
addresses of security gateways). A new IPv6 header is constructed with the addresses of the security gateways as source and destination addresses. Fragmentation may be necessary after applying the Authentication header, so the newly constructed IPv6 packet may undergo further processing. Figure 10.14 shows the order of headers after applying the Authentication header in tunnel mode.

Figure 10.14 Header order with Authentication header in tunnel mode

Encapsulating Security Payload

The Encapsulating Security Payload (ESP) header, used in transport mode or in tunnel mode, also provides security services in both IPv4 and IPv6 networks. The services provided through ESP include confidentiality, authentication (data origin authentication and connectionless integrity), an antireplay service, and limited traffic flow confidentiality. The implementation and the options chosen at the time of Security Association establishment determine which services are provided. As with the antireplay service of the Authentication header, the source always increments the Sequence Number, but the destination node must check this field for the antireplay service to be effective. Traffic flow confidentiality requires that the true source and destination information be hidden, so this service requires that ESP be used in tunnel mode.

Figure 10.15 shows the format of the Encapsulating Security Payload header. A Next Header value of 50 in the immediately preceding header indicates that ESP processing is necessary.

Figure 10.15 Encapsulating Security Payload header

The mandatory Payload Data field contains encrypted data whose type is described by the Next Header field (which, in ESP, sits in the trailer and is itself encrypted). The encryption algorithm in use specifies the length and location of any structure (such as an initialization vector) within the Payload Data field. To satisfy the encryption algorithm's requirement on the length of the plaintext, or the
4-octet boundary alignment of the Pad Length and Next Header fields that follow the payload, padding may be necessary (the Padding, Pad Length and Next Header fields form the ESP trailer). Figures 10.16 and 10.17 illustrate the sequence of an IPv6 packet with its encrypted portion when ESP headers are used in transport mode and tunnel mode, respectively.

Figure 10.16 Header order with Encapsulating Security Payload in transport mode

Figure 10.17 Header order with Encapsulating Security Payload in tunnel mode

Destination Options Header

A source node may need to convey optional information that must be processed by a destination node. For instance, when a mobile node is away from its home network, a home agent (i.e., a router on the home network) may act as a proxy forwarding packets to the mobile node. The mobile node must send control messages to its home agent so that the home agent can set up the proxy service and forward packets destined for the mobile node to its current address. In an IPv4 network, a packet containing options in the IPv4 header is examined at every hop on the path. In an IPv6 network, such optional messages can be handled efficiently either with an extension header dedicated to the specific optional information or with the Destination Options header. Packet fragmentation and authentication information are handled as dedicated extension headers, as shown previously. The IPv6 Mobility Support Internet-Draft [0] proposes four Destination Options to support Mobile IPv6.

Whether optional information is encoded in a separate extension header or as an option in the Destination Options header depends on the action desired at a destination node that does not recognize the option. If the desired action is to discard the packet and send an ICMP Unrecognized Type (Parameter Problem, Code 2) message to the source only if the packet's destination address is not a multicast address, the information may be encoded either as a separate extension header or as a Destination Option whose Option Type has the value 11 in its two high-order bits; the choice may depend on which takes fewer octets or yields better alignment. Any other desired action (skip the option, discard silently, or discard and send the ICMP message regardless of multicast) must be encoded as a Destination Option, with the high-order bits 00, 01 or 10 respectively. The Destination Options header, identified by a Next
Header value of 60 in the immediately preceding header, carries optional information that needs to be examined and processed only by a packet's destination node (or nodes, in the multicast case). The format is shown in Figure 10.18.

Figure 10.18 Destination Options header

Upper-Layer Protocol Issues

The layered architecture in general shields the upper layer protocols from changes in the network layer. However, a couple of issues need to be addressed. Upper layer protocols that compute checksums over packets must account for the changes in IPv6: the pseudo-header now carries 128-bit addresses, and the destination address used in it must be the final destination, not an intermediate destination, when a Routing header is present. As discussed earlier, the time-to-live field, which no longer behaves as its original definition, has been renamed the hop limit; any upper layer protocol that relies on the original meaning of time-to-live may have to be adjusted. The maximum upper layer payload size also needs to be adjusted to reflect that the IPv6 header is 40 bytes long.

Summary

In all aspects of the IPv6 design, the limitations imposed on IPv4 have been resolved or improved, the inefficiencies of IPv4 have been eliminated, and capabilities have been added to make IPv6 suitable as the next-generation IP. IPv6 uses 128-bit addresses, providing a greater number of addressable nodes, better support for stateless autoconfiguration, and a better address hierarchy, which in turn leads to better routing. Embedding optional information in extension headers allows efficient router implementations while still handling optional information directed at routers. The use of extension headers to carry optional information fixed the IPv6 header length; combined with the fragmentation-at-source-only policy, this simplified the IPv6 header and increased the efficiency of routers. The limit on options has been relaxed, and it is much easier to add new options using extension headers. Further,
the design of IPv6 incorporates the concept of a flow, and flow labeling, along with the source and final destination information, helps routers maintain per-flow state for special handling, if necessary. Security and privacy features are built into the design of IPv6.

FAQs

Q: Where are good resources for obtaining more information on IPv6?
A: There are many sites on the net. However, these two sites can be a good starting point: http://www.ietf.org/html.charters/ipngwg-charter.html and http://playground.sun.com/pub/ipng/html/ipng-main.html

Q: What is the core set of RFCs specifying the IPv6 header and extension headers?
A: Most of the information in this chapter is based on the following RFCs. Newer RFCs may render these RFCs obsolete:
RFC 2460: IPv6, Hop-by-Hop Options, Routing, Fragment, and Destination Options
RFC 2402: IP Authentication Header
RFC 2406: IP Encapsulating Security Payload Header
(They have since been obsoleted: RFC 2460 by RFC 8200, RFC 2402 by RFC 4302, and RFC 2406 by RFC 4303.)

Q: What is the implementation status?
A: It is being developed for many host systems and routers, including those of 3Com, Cisco Systems, Digital, and IBM. The http://playground.sun.com/pub/ipng/html/ipng-main.html site also has information and links providing the details.

References
[1] S. Thomson and T. Narten. IPv6 Stateless Address Autoconfiguration, RFC 2462, December 1998.
[2] S. Kent and R. Atkinson. Security Architecture for the Internet Protocol, RFC 2401.
[3] C. Perkins and D. Johnson. Route Optimization in Mobile IP, Internet draft, draft-ietf-mobileip-optim-07.txt, November 1997. Work in progress.
[4] S. Kent and R. Atkinson. IP Authentication Header, RFC 2402.

Appendix A: Address Assignment
Registries; Provider-based Assignments; Cost of an IP Address; How to Find an IPv4 Address Delegation; How to Find an IPv6 Address Delegation; Internet Governance; Summary

Each host connected to an IP network must have an IP address. For connectivity on the Internet, the address space must be managed to ensure the uniqueness of each address. In the past, Jon Postel was giving IP addresses to universities
connected to the Internet (well, the Arpanet at that time). Then InterNIC, an umbrella created by the US government, gave IP addresses to any requesting organization; at that time, Jon Postel was still managing the whole address space, giving ranges of addresses to the InterNIC registries. Now, the Internet Assigned Numbers Authority (IANA) manages the whole IPv4 address space and the IPv6 address space. IANA gives ranges of addresses to regional registries; those registries give address ranges to Internet Service Providers (ISPs), who then give addresses to corporations (or to smaller ISPs). Each level of delegation has to prove to the level above that it has consumed most of its address space before requesting another range of addresses.

At the time of writing, the three regional registries were:
American Registry for Internet Numbers (ARIN): http://www.arin.net
Réseaux IP Européens Network Coordination Centre (RIPE NCC): http://www.ripe.net
Asia-Pacific Network Information Centre (APNIC): http://www.apnic.net

ARIN covers North America, South America, the Caribbean, and sub-Saharan Africa. RIPE NCC covers Europe, the Middle East, and parts of Africa. APNIC covers Asia and the Pacific. (Two further regional registries have since been created: LACNIC for Latin America and the Caribbean, and AFRINIC for Africa.)

If you are not connected to the Internet and don't want to be, there is an IP address space reserved for that situation. It is called the private address space, described in RFC 1918 and discussed in the NAT chapter of this book. On the other hand, if you need addresses for your network, you should ask your upstream Internet provider to give you a range of addresses for your own use. As soon as you move to another provider, you will need to give back the previous range of addresses and renumber into the new range.

For Managers Only
To get IP addresses for your network, ask your upstream provider. Note that when you change providers, you will have to change the IP addresses.

Provider-based Assignments

Around 1996, to minimize the routing table explosion, the technical community agreed to enforce Classless
Inter-Domain Routing (CIDR) by asking corporations to get their range of IP addresses only from their upstream provider. By doing so, the number of entries in the global routing table grows at a much lower rate than the number of networks connecting to it, because ISPs aggregate the addresses of their customers. There are some exceptions to this rule, mainly when you are multihomed. In IPv6, the addressing architecture is based on provider-based addresses, which means that IPv6 enforces CIDR from the beginning. As discussed in the IPv6 chapter, IPv6 will clearly be more scalable, both through this optimized routing and through the size of its address space. The drawback of renumbering when using provider-based addresses has been addressed in IPv6 by a specific protocol.

Cost of an IP Address

In theory, an IP address costs nothing. The registries are not-for-profit organizations; they charge their clients (ISPs) a fee for the registration service, not for the IP addresses themselves. ISPs include this cost in the price of the service to their clients, so the effective cost of IP addresses is hidden somewhere in the bill.

How to Find an IPv4 Address Delegation

Each regional registry maintains a database of its address assignments, and ISPs are required to provide information about their own assignments to customers. All this information is available through a simple query protocol called whois. From the early days, whois has been available as a Unix command, but it was not available in other environments. Now all registries have a Web interface to the whois database, which makes it accessible to all users. The following URLs point to the Web whois interface of each registry:
ARIN: http://www.arin.net/whois/index.html
RIPE: http://www.ripe.net/db/whois.html
APNIC: http://www.apnic.net/apnic-bin/whois.pl
Network Solutions (InterNIC): http://www.networksolutions.com/cgi-bin/whois/whois
US Department of Defense: http://nic.mil/cgi-bin/whois

The whois database not only includes IP
addresses, but other data such as the maintainers of those IP addresses, the Autonomous System (AS) numbers, etc. Here is an example. I want to know who is responsible for the 206.123.31.0 address space. I choose to go to the ARIN whois Web interface (http://www.arin.net/whois/index.html) and ask for the address, as in Figure 1.

Figure 1 ARIN whois web interface

The answer given by the ARIN whois database is shown in Figure 2.

Figure 2 ARIN whois answer to 206.123.31.0

The answer in Figure 2 says that the 206.123.X.X range was given by ARIN to the Canadian Registry, and that the Canadian registry gave the 206.123.31.0/24 range to Viagénie Inc. Then, when I click on NET-VIAGENIE to learn more about it, it shows the information in Figure 3.

Figure 3 ARIN whois answer to NET-VIAGENIE

This answer tells me where Viagénie Inc. is located, who is responsible for it, and which DNS servers answer for the inverse mapping of those addresses. The whois databases are all defined in terms of objects (like the NET-VIAGENIE object), each of which has a maintainer associated with it. In this example, the maintainer ID of the NET-VIAGENIE object is MB841-ARIN. This is how the registries keep track of who is responsible for which object; it is the same with the domain name registries.

How to Find an IPv6 Address Delegation

To test IPv6, a test network called the 6Bone was built in July 1996. It is still running and alive. Each site has a prefix (address range) delegated from a test prefix allocated by IANA: 3ffe::/16. A registry with a whois interface has been set up to handle the registrations, and it is available through the 6Bone Web site: http://www.6bone.net (The 6Bone was decommissioned in June 2006 and the 3ffe::/16 prefix returned to IANA.) Official IPv6 addresses are available from the registries mentioned above (ARIN, RIPE, and APNIC), which use the same Web interface for IPv6 and IPv4 addresses.

Internet Governance

For a few years, work has been done in the global community on Internet governance, which covers many domains and issues. The current direction for IP address
assignments is to move the IANA functions to the Internet Corporation for Assigned Names and Numbers (ICANN: http://www.icann.org), but at the time of this writing many discussions are still pending.

For Managers
The regulation of the Internet is a hot issue and it will not be easily resolved, but it will certainly have many consequences for the way the Internet is managed. You should follow the discussions and stay up-to-date in this area. The place to begin is the Internet Society (ISOC) Web site (http://www.isoc.org) or the ICANN Web site (http://www.icann.org).

Summary

Address assignments are controlled at the top level by IANA. It assigns ranges of addresses to regional registries as needed, and those registries assign ranges of addresses to ISPs, which then assign them to corporations. This enables CIDR, which makes Internet routing efficient. This process applies to both IPv4 and IPv6. You can see the assignments by looking at the whois databases of the various registries. Important discussions are currently being held on Internet governance, mostly around ICANN.

...

CHAPTER 10 The IPv6 Header
Introduction; Expanded Addressing; Simplified Header; Improved Support for Extension and Option; Flow and Flow Labeling; Authentication and Privacy; IPv6 Header; IPv4 Header ...

... new version of the IP protocol, called IPv6, which brings new schemes of addressing. With addressing, IPv6 enables autoconfiguration, renumbering, efficient routing on the backbone, etc. Chapters 9 and 10 discuss IPv6 and its header and addressing structure in depth.
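The Authentication Header section above states the Payload Length arithmetic and which base-header fields the ICV covers. The following Python block is an added example (not code from the book) that builds a transport-mode AH with HMAC-SHA1-96 over a minimal IPv6 packet, zeroing the mutable fields (Class, Flow Label, Hop Limit, and the Authentication Data itself) before computing the ICV, and verifies it at the receiver. The key, addresses and payload are constructed for the demo; a real implementation would take them from the Security Association.

```python
"""IPv6 Authentication Header (RFC 2402) build/verify with HMAC-SHA1-96.

Added example, not from the book.  Shows the Payload Length arithmetic for
IPv6 (4-octet units minus 2, whole header padded to a multiple of 8 octets)
and which base-header fields are covered by the ICV: Class, Flow Label and
Hop Limit are mutable and zeroed before the MAC is computed, so a router
decrementing Hop Limit does not break the ICV, while any change to the
payload or the addresses does.
"""
import hashlib
import hmac
import ipaddress
import struct

IPV6_HDR_LEN = 40
IPPROTO_AH = 51
AH_FIXED_LEN = 12            # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN_HMAC_SHA1_96 = 12    # 96-bit truncated HMAC-SHA-1

# Constructed demo inputs (assumptions for this example, not from the book)
KEY = b"constructed-demo-key-for-hmac"
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed


def ah_payload_len(icv_len):
    """Return (Payload Length field value, total AH length in octets).

    Payload Length = AH length in 32-bit words minus 2.  For IPv6 the AH must
    be a multiple of 8 octets, so the null algorithm (icv_len=0) pads 12 -> 16
    octets and encodes 2, while HMAC-SHA1-96 gives 24 octets and encodes 4.
    """
    total = AH_FIXED_LEN + icv_len
    total += (-total) % 8
    return total // 4 - 2, total


def build_ah(next_header, spi, seq, icv):
    """Serialise an AH; trailing zero padding completes 8-octet alignment."""
    payload_len, total = ah_payload_len(len(icv))
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + icv + b"\x00" * (total - AH_FIXED_LEN - len(icv))


def parse_ah(data):
    """Parse an AH from the start of data; 'rest' is whatever follows it."""
    nh, plen, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (plen + 2) * 4
    return {"next_header": nh, "payload_len": plen, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:total], "total_len": total, "rest": data[total:]}


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    first_word = 6 << 28     # Version 6, Traffic Class 0, Flow Label 0
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def _zero_mutable(ip6_hdr):
    """RFC 2402 3.3.3.1.2: Class, Flow Label and Hop Limit are zeroed for the ICV."""
    h = bytearray(ip6_hdr)
    h[0] &= 0xF0                 # keep the Version nibble, zero the Class high nibble
    h[1] = h[2] = h[3] = 0       # rest of Class + Flow Label
    h[7] = 0                     # Hop Limit
    return bytes(h)


def compute_icv(key, ip6_hdr, ah_with_zero_icv, payload):
    mac = hmac.new(key, _zero_mutable(ip6_hdr) + ah_with_zero_icv + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN_HMAC_SHA1_96]


def protect(key, src, dst, upper_proto, payload, spi, seq, hop_limit=64):
    """Transport-mode AH: IPv6 header | AH | upper-layer payload."""
    _, ah_total = ah_payload_len(ICV_LEN_HMAC_SHA1_96)
    ip6 = ipv6_header(src, dst, IPPROTO_AH, ah_total + len(payload), hop_limit)
    ah_zero = build_ah(upper_proto, spi, seq, b"\x00" * ICV_LEN_HMAC_SHA1_96)
    icv = compute_icv(key, ip6, ah_zero, payload)
    return ip6 + build_ah(upper_proto, spi, seq, icv) + payload


def verify(key, packet):
    """Recompute the ICV at the receiver and compare it in constant time."""
    if len(packet) < IPV6_HDR_LEN + AH_FIXED_LEN or packet[6] != IPPROTO_AH:
        return False
    ip6 = packet[:IPV6_HDR_LEN]
    ah = parse_ah(packet[IPV6_HDR_LEN:])
    if len(ah["icv"]) != ICV_LEN_HMAC_SHA1_96:
        return False
    ah_zero = build_ah(ah["next_header"], ah["spi"], ah["seq"], b"\x00" * ICV_LEN_HMAC_SHA1_96)
    expected = compute_icv(key, ip6, ah_zero, ah["rest"])
    return hmac.compare_digest(expected, ah["icv"])


if __name__ == "__main__":
    pkt = protect(KEY, SRC, DST, 17, b"constructed UDP payload", spi=0x1000, seq=1)
    forwarded = bytearray(pkt)
    forwarded[7] -= 1            # a router decrements Hop Limit: ICV still valid
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01         # a payload bit flipped in transit: ICV fails
    print(verify(KEY, pkt), verify(KEY, bytes(forwarded)), verify(KEY, bytes(tampered)))
```

The receiver-side check is where the security point sits: fields the ICV does not cover (here Hop Limit) can be changed by anyone on the path without detection, which is exactly why the mutable/immutable split in RFC 2402 must be mirrored precisely on both ends, and why the comparison uses a constant-time compare.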
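The Sequence Number discussion above notes that the sender always increments the counter but the antireplay service only exists if the receiver checks it. This added Python example (not from the book) shows both halves: a sender counter that refuses to wrap within one Security Association, and the receiver-side sliding bitmap window in the style of RFC 2401 Appendix C. The 64-entry window size is the RFC minimum and is an assumption here; the arrival sequence fed through it is constructed.

```python
"""Anti-replay sliding window for AH/ESP sequence numbers (RFC 2401 Appendix C style).

Added example, not from the book.  The sender must never let the 32-bit
counter cycle on one SA; the receiver keeps a bitmap of the last `size`
sequence numbers so that reordered packets inside the window are accepted
once, while duplicates and packets older than the window are rejected.
"""


class SequenceCounter:
    """Sender side: a new SA is required before the counter would wrap."""
    MAX = 2 ** 32 - 1

    def __init__(self):
        self.value = 0

    def next(self):
        if self.value >= self.MAX:
            raise OverflowError("sequence number exhausted: establish a new SA")
        self.value += 1          # the first packet on an SA carries 1, never 0
        return self.value


class ReplayWindow:
    """Receiver side.  Bit i of `bitmap` set means (last - i) was already seen."""

    def __init__(self, size=64):
        self.size = size
        self.last = 0            # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False         # 0 is never transmitted on a fresh SA
        if seq > self.last:      # right of the window: slide it forward
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:    # left of the window: too old to judge, drop
            return False
        if (self.bitmap >> diff) & 1:
            return False         # replayed packet
        self.bitmap |= 1 << diff
        return True


def replay_trace(seqs, size=64):
    """Feed a constructed arrival order through one window; return accept flags."""
    win = ReplayWindow(size)
    return [win.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in order, duplicate, big jump, late but inside
    # the window, one too old, the late one replayed, then in order again.
    print(replay_trace([1, 2, 2, 100, 37, 36, 37, 101]))
```

Note that the window only bounds how far out of order a packet may arrive before it is dropped as "too old"; a packet rejected that way is a false positive for the application, which is why receivers that see heavy reordering use a larger window rather than turning the check off.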
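The Destination Options section above explains that the two high-order bits of an Option Type tell a node what to do with an option it does not recognize. The Python block below is an added example (not code from the book) that walks a Destination Options header, classifies each option by those bits, reports the verdict for the first unrecognized option, and also honours the third bit (option data may change en route), which is the bit an AH implementation must consult to zero mutable option data before computing its ICV. The header bytes and option type values are constructed for the demo; the parsing rules come from RFC 2460 section 4.2.

```python
"""Walk an IPv6 Destination Options header and decide what an unknown option requires.

Added example, not from the book.  Per RFC 2460 4.2 the two high-order bits
of each Option Type give the action for an unrecognised option (00 skip,
01 discard silently, 10 discard + ICMP Parameter Problem code 2, 11 discard
+ ICMP only if the destination is not multicast); the third bit says whether
the option data may change en route, so AH must zero it when hashing.
"""

PAD1 = 0
PADN = 1

ACTIONS = {
    0b00: "skip",
    0b01: "discard",
    0b10: "discard+icmp",
    0b11: "discard+icmp-unless-multicast",
}


def parse_dest_options(data, known_types=frozenset()):
    """Return (next_header, header_length, options, verdict).

    `options` is a list of dicts; `verdict` is "process" or the action the
    first unrecognised option demands.  Pad1/PadN never count as unrecognised.
    """
    next_header, hdr_ext_len = data[0], data[1]
    length = (hdr_ext_len + 1) * 8              # Hdr Ext Len: 8-octet units, minus 1
    if len(data) < length:
        raise ValueError("truncated Destination Options header")
    options, verdict = [], "process"
    pos = 2
    while pos < length:
        opt_type = data[pos]
        if opt_type == PAD1:                    # one-octet padding, no length octet
            pos += 1
            continue
        if pos + 1 >= length:
            raise ValueError("option type without length octet")
        opt_len = data[pos + 1]
        end = pos + 2 + opt_len
        if end > length:
            raise ValueError("option runs past the header")
        entry = {
            "type": opt_type,
            "action_if_unknown": ACTIONS[opt_type >> 6],
            "mutable_en_route": bool(opt_type & 0x20),
            "data": data[pos + 2:end],
        }
        options.append(entry)
        if opt_type != PADN and opt_type not in known_types and verdict == "process":
            verdict = entry["action_if_unknown"]
        pos = end
    return next_header, length, options, verdict


def icv_view(data):
    """Copy of the header with mutable option data zeroed, as AH would hash it."""
    buf = bytearray(data)
    _, length, _, _ = parse_dest_options(data)   # validates the layout first
    pos = 2
    while pos < length:
        if buf[pos] == PAD1:
            pos += 1
            continue
        opt_len = buf[pos + 1]
        if buf[pos] & 0x20:
            buf[pos + 2:pos + 2 + opt_len] = b"\x00" * opt_len
        pos += 2 + opt_len
    return bytes(buf)


# Constructed header: Next Header 17 (UDP), Hdr Ext Len 1 -> 16 octets in total.
# 0xE9: high bits 11 (discard + ICMP unless multicast), mutable bit set, 4 data octets
# 0x0B: high bits 00 (skip if unknown), immutable, 2 data octets; then PadN(2).
# Both type values are made up for the demo.
SAMPLE = bytes([17, 1,
                0xE9, 4, 0xDE, 0xAD, 0xBE, 0xEF,
                0x0B, 2, 0x12, 0x34,
                PADN, 2, 0, 0])

if __name__ == "__main__":
    print(parse_dest_options(SAMPLE))
    print(parse_dest_options(SAMPLE, known_types={0xE9})[3])
    print(icv_view(SAMPLE).hex())
```

The verdict is what a hardened stack should act on before touching anything else in the packet: a "skip" option is the kind an attacker can use to pad or shape packets invisibly, while the "discard+icmp" classes are the ones that can be abused to solicit error messages, which is why RFC 2460 suppresses the ICMP reply for multicast destinations.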
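The Upper-Layer Protocol Issues section above says that transport checksums must use 128-bit addresses and the final, not intermediate, destination. This added Python example (not code from the book) computes a UDP checksum over the IPv6 pseudo-header of RFC 2460 section 8.1, picks the final destination out of a Type 0 Routing header, and applies the IPv6-only rule that a computed checksum of zero is sent as 0xFFFF. The addresses, ports and payload are constructed; the routing header is built only to show where the final destination comes from.

```python
"""Upper-layer checksum over the IPv6 pseudo-header (RFC 2460 8.1).

Added example, not from the book.  The pseudo-header carries the 128-bit
source and *final* destination addresses, the upper-layer packet length and
the Next Header value.  With a Routing header present, the final destination
is the last address in that header, not the destination on the wire.
"""
import ipaddress
import struct

IPPROTO_UDP = 17

# Constructed demo addresses
SRC = ipaddress.IPv6Address("2001:db8::1").packed
WIRE_DST = ipaddress.IPv6Address("2001:db8::2").packed     # intermediate node
FINAL = ipaddress.IPv6Address("2001:db8::3").packed        # last hop in the Routing header
# Constructed Type 0 Routing header: Next Header 17, Hdr Ext Len 2 (one address),
# Routing Type 0, Segments Left 1, 4 reserved octets, then the final address.
RH0 = bytes([IPPROTO_UDP, 2, 0, 1, 0, 0, 0, 0]) + FINAL


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry; odd length is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, final_dst, upper_len, next_header):
    """40 octets: src | final dst | upper-layer length (32) | zeros (24) | next header (8)."""
    return src + final_dst + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([next_header])


def upper_layer_checksum(src, final_dst, next_header, upper_packet):
    """Checksum for an upper-layer packet whose own checksum field is already zero."""
    total = ones_complement_sum(pseudo_header(src, final_dst, len(upper_packet), next_header)
                                + upper_packet)
    return (~total) & 0xFFFF


def build_udp(src, final_dst, sport, dport, payload):
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = upper_layer_checksum(src, final_dst, IPPROTO_UDP, hdr + payload)
    if csum == 0:
        csum = 0xFFFF            # RFC 2460 8.1: UDP over IPv6 may never send a zero checksum
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_ok(src, final_dst, udp_packet):
    """A valid packet sums to 0xFFFF together with its pseudo-header."""
    total = ones_complement_sum(pseudo_header(src, final_dst, len(udp_packet), IPPROTO_UDP)
                                + udp_packet)
    return total == 0xFFFF


def final_destination(ip6_dst, routing_hdr=None):
    """Final destination: last address of a Type 0 Routing header with Segments Left > 0."""
    if routing_hdr is None:
        return ip6_dst
    _nh, ext_len, rtype, segs_left = routing_hdr[:4]
    if rtype != 0:
        raise ValueError("only Routing Type 0 is handled in this example")
    addrs = [routing_hdr[8 + 16 * i:24 + 16 * i] for i in range(ext_len // 2)]
    return addrs[-1] if segs_left else ip6_dst


if __name__ == "__main__":
    pkt = build_udp(SRC, final_destination(WIRE_DST, RH0), 5353, 53, b"constructed payload")
    # Checking against the wire destination (the intermediate node) must fail,
    # checking against the final destination must succeed.
    print(udp_checksum_ok(SRC, WIRE_DST, pkt), udp_checksum_ok(SRC, FINAL, pkt))
```

A middlebox or IDS that verifies transport checksums with the destination address it sees on the wire will therefore reject every packet that still has segments left in a Routing header; that is one more reason, beyond the amplification problem, why Type 0 Routing headers are no longer processed by current stacks.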

Posted: 26/03/2019, 16:34
