Xem mẫu

  1. Addressing in IP Networks Without an address, you can put a stamp on an envelope, put it in the mail, and it is not going to go anywhere. IP traffic on the network is no different. Without an address, it is impossible for hosts on a network to determine where the data should be delivered. To deal with this, two forms of addressing are used on IP networks: • Physical/hardware addresses • Logical/IP addresses Physical Addresses Physical addresses are used to identify the specific host that data is being transmitted to. The important thing about physical addresses is that they have a local significance only. What this means is that the physical address can only be used to communicate between hosts that share a common subnet or network segment. This is a legacy that goes back to the early days of networking where all hosts on a network received the electric signal that contained the data (such as how Ethernet functions). To ensure that only the host that the data belongs to processes the data, physical addresses were used to distinguish between hosts. The most common form of physical address, and the physical address that is used for TCP/IP communications, is the MAC address. The MAC address is a vendor-assigned value that is supposed to be globally unique and that identifies the actual network card. MAC addresses are 6 bytes in length and typically consist of a 3-byte vendor identifier (known as the organizationally unique identifier or OUI) followed by a 3-byte unique identifier that is assigned by the vendor. The use of physical addresses allows for network communications between two hosts on the same subnet regardless of logical address and is a key element to how routing works. For example, when two hosts on different networks want to communicate with each other, they use their logical addresses to identify each other from a global perspective. When they transmit the data to each other, each host physically addresses the frames to the hardware address of their corresponding router interface. This allows the routers to receive and process the frames directly, while still being able to use the logical addresses to determine the original source and final destination of the data. Figure 3-11 illustrates how this process works. Figure 3-11. Physical Addressing of Data Between Hosts
  2. [View full size image] The process in Figure 3-11 is as follows: 1. Host A logically addresses the data for Host B but physically addresses it to 00:05:9A:3C:78:00, the router interface physical address. 2. The router receives the data, because it is physically addressed to it, but realizes that logically it must be delivered to Host B. Therefore, it rebuilds the frame, using the physical address of the interface on the same network as Host B (00:05:9A:3C:78:01) and physically addresses it to 00:05:9A:3C:78:30. Logical Addresses Logical addresses are the counterpart to physical addresses and allow for the identification of hosts and the delivery of data to hosts regardless of physical location or proximity to each other. Consequently, logical addresses must have a true global significance, and must be unique within all interconnected network segments. TCP/IP uses IP addresses as the logical addressing method. The following sections look at IP addresses in more detail. IP Addressing An IP address is a 32-bit universal identifier that provides a means of uniquely identifying from a global perspective. What we mean by global perspective is that the address is unique on all interconnected networks, such as all internal networks in an organization, or in a truly global sense on all networks across the Internet. The 32-bit IP address is separated into four 8-bit octets, allowing each octet to have a value ranging from 0 to 255. Furthermore, the IP address is logically separated into two distinct components: the network ID and the host ID. The network ID is used to identify the subnet upon which the host resides. The host ID is used to identify the host itself within the given subnet. IP addresses can be displayed in three typical formats: • Binary notation Binary notation is the format that systems on the network use to
  3. process the address. An example of binary notation is 11000000.10101000.00000001.01100100. • Hexadecimal notation Hexadecimal notation is the format typically used when identifying IPv6 addresses. An example of hexadecimal notation of an IPv4 address is C0.A8.01.64 • Dotted-decimal notation Dotted-decimal notation is the format that is typically used for displaying the IP address in a human-readable format. An example of dotted-decimal notation is IP Address Classes Not all networks are the same size. Some are smaller than others; some are larger than others. To provide a hierarchy and structure to the assignment of IP addresses, they were broken down into distinct classes, with each class natively supporting a different number of networks and hosts. For the public IP address space, which is managed by the IANA, three classes of addresses were defined: • Class A addresses Class A addresses provide for 128 (27) total networks, with each network containing 16,777,216 (224) hosts. This is achieved by designating the first octet as the network ID and the remaining 3 octets as the host ID. Class A addresses can be identified by the first bit of the first octet, which must be a 0, providing for a range of first octet values from 1 to 126 because the values of 0 and 127 are unusable (because 0 is all 0s and 127 is reserved for use as a loopback address). • Class B addresses Class B addresses provide for a greater number of network IDs at the cost of the total number of hosts per network. For the Class B address space, the first 2 octets are designated as network ID, and the last 2 octets are designated as the host ID. Class B addresses can be identified by the fact that the first 2 bits of the first octet must be a 10. This allows for the total number of network IDs to be 16,384 (or 214 because the first 2 bits are defined) and the total number of hosts per network to be 65,536 (216). This provides a first octet range of values from 128 to 191. • Class C addresses Class C addresses provide for an extremely large number of networks, with a small number of hosts per network. For the Class C address space, the first 3 octets are designated as network ID, and the last octet is designated as host ID. Class C addresses can be identified by the fact that the first 3 bits of the first octet must be 110, which provides for a first octet range of values from 192 to 223. This provides for 2,097,152 total networks (221) with each network containing 256 host IDs (28). In addition to the public address space, there are two additional address spaces,
  4. one for use in multicasting and the other for future use and testing: • Class D addresses Class D addresses are identified by the first 4 bits of the first octet having a value of 1110, which allows for a range of values in the first octet of 224 to 239. Unlike the public address space, which is designed to allow an IP address to be assigned to and represent the host on the network, the Class D addresses are used to assign multicast addresses (addresses that may be assigned to multiple hosts allowing them to receive the same data without the data needing to be transmitted uniquely to each host). In addition, Class D addresses have no network or host portion of the address, leaving the remaining 28 bits of the address to be the multicast address. • Class E addresses Class E addresses are identified by the first 4 bits of the first octet having a value of 1111, which allows a range of values in the first octet of 240 to 255. This address space should not be used in any circumstance. The address of is used to indicate an "all subnets" broadcast. Figure 3-12 shows the different address classes. Figure 3-12. Address Classes Classless Interdomain Routing (CIDR) Although the classful address space is a great idea, the truth is that not everyone needs networks with the number of hosts that each class of address provides. For example, if you have more than 255 hosts that you need to connect to a network, using the classful address space you have to bump up to a full Class B, providing for 65,534 hosts on the network. Obviously, that is far more hosts than is necessary. To address this deficiency,
  5. CIDR was implemented. One of the benefits of classful addresses is that they provide a hierarchy to the network through the use of the network ID. This translates into an efficient routing environment because it is easy for a router to determine what networks can be grouped together and treated as a single routing entry. CIDR adheres to this philosophy while allowing for administrators to create additional networks regardless of address class by using a strict interpretation of the subnet mask as the means of identifying a network. The subnet mask is used to determine the network prefix, which defines where the network ID portion of a given IP address ends. For example, a default Class B address (let's say uses a network prefix of /16, or 16 bits. However, using CIDR, the administrator can elect to assign 20 bits of the IP address to the network, resulting in a network prefix of /20. This allows an administrator that has been assigned a single Class B address space to effectively turn that single network ( into 16 individual networks (the result of 24, or the 4 additional bits that were borrowed from the host ID portion of the address and given to the network portion of the address). Similarly, because 4 bits have been taken from the host ID of the address, this leaves a total 12 bits for host ID assignment. This results in each of the 16 networks that were created having the potential for a maximum of 4096 hosts per network (212). Note As you have read through this chapter, you may have noticed the use of (2x) when referring to the number of hosts per network. This is the technically accurate representation of hosts per network. However, most networks reserve a host ID to identify the subnet itself (a host ID that consists of all 0s) as well as the broadcast ID for the subnet (a host ID that consists of all 1s). Consequently, the number of usable hosts per subnet is typically represented as (2x) -2 to account for the loss of those two host IDs. Subnets Throughout this section, I have mentioned subnets repeatedly, but what is a subnet and why are they important to firewalls? A subnet is nothing more than a group of IP addresses that are on the same network ID. By extension, a subnet is the collection of hosts that are on the same network segment. Subnets allow us to dissect the network into small, easier-to-manage chunks. The reason for this is simple: The fewer the number of hosts on a given subnet, the less extraneous the traffic and the smoother the flow of traffic will go because there are not as many hosts in contention with each other. For communications to occur between subnets, a router needs to be involved. Routers
  6. keep track of the list of the subnets in existence through the use of a routing table. This allows a router to receive traffic and determine how to forward the traffic so that it can eventually be delivered to the destination network (and thus the destination host). Subnets are important to firewalls because in many cases a firewall performs a similar function as a router. In fact, in most firewall implementations the firewall is implemented in such a manner as to explicitly reside between two subnets and thus restrict and control the traffic passing between subnets. IPv6 Although the IPv4 address space provides for what would seem to be a virtually unlimited number of IP addresses, the reality is that with the growth of the Internet the number of IP addresses that are available for assignment has continued to decline. This served as the catalyst to motivate the designers of the Internet and IP to develop a new addressing system to address the lack of available IP addresses as well as a number of other issues that are covered here. They came up with IPv6. Whereas IPv4 is based on a 32-bit address space, IPv6 is based on a 128-bit address space. This increased the total number of addresses from 4,294,967,296 (232) addresses to 340,282,366,920,938,463,463,374,607,431,768,211,456 (2128) addresses. This will allow for an address space that is so large that it will not be depleted for the foreseeable future. IPv6 also addressed a number of other deficiencies with IPv4, particularly around the areas of performance, security, control, and reliability. Whereas IPv4 needs to rely on numerous other protocols to handle many of these tasks, IPv6 includes new options and extensions that allow for performance, control, and reliability information and configuration to be handled natively by IPv6. This makes for a much more efficient communications system. Finally, IPv6 allows for a flexible header format, allowing for the implementer of the protocol to determine which optional header components they will or will not implement. IPv6 is completely incompatible with IPv4, and with the widespread implementation of Network Address Translation (NAT) this has caused adoption of IPv6 to be dramatically slowed.