IP: putting it all together, Part 2
G53ACC
Chris Greenhalgh

Transcript of "IP: putting it all together, Part 2" (G53ACC, Chris Greenhalgh).

Page 1: IP: putting it all together, Part 2 (G53ACC, Chris Greenhalgh)

Page 2: Contents

- Fragmentation
- Error reporting (ICMP)
- Auto-configuration
- Network Address Translation

Page 3: Fragmentation

- IP allows datagram sizes up to 64 Kbytes
- Physical networks often only support smaller frame types (Maximum Transmission Unit, MTU):
  - E.g. Ethernet 1500 bytes, dialup PPP ~256 bytes
- A single IP datagram may need to be divided into "fragments" for transmission...

Page 4: IP fragmentation

- Each fragment is a (new) IP packet
  - Has an IP header with the original source & destination
  - Identification field is the same for each fragment
  - Fragment offset identifies which part of the datagram it is
  - "More Fragments" flag set in all but the last fragment

Page 5: Fragmenting packets

- May be done by the sending host
- May be done by an intermediate router:
  - May be prevented with the IP "Do not fragment" flag
  - ICMP "fragmentation required" response if a router would have needed to fragment it
    - Used by TCP to learn the path MTU and avoid fragmentation

Page 6: Reassembling fragments

- Done ONLY by the ultimate destination of the packet
  - After checking the header checksum and destination, but before any more processing
- Maintains a pool of fragments
  - Discarded after a time-out
  - If all fragments of a datagram are received, the datagram is reassembled and handled as before

Page 7: Fragmentation and reassembly issues

- Lose one segment and you lose the whole message
  - Bad if segment loss is likely or the number of segments is large
- E.g. NFS v.2 used UDP, v.3 uses TCP
  - because block size went 8K -> 32K
  - many more segments!
  - => higher effective packet loss rate with UDP and more wasted bandwidth
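The fragmentation and reassembly rules of pages 4 to 7 (8-byte offset units, shared Identification, "More Fragments" on all but the last, destination-only reassembly from a pool with a time-out), as an added example that is not part of the slides. It is a simplified model of the header fields rather than a wire-format parser; the sample addresses, identification and MTU values in the usage are constructed.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    """One IP fragment (constructed model, not a wire-format parser)."""
    src: str
    dst: str
    ident: int      # Identification: identical for every fragment of one datagram
    offset: int     # Fragment Offset, in 8-byte units
    more: bool      # "More Fragments" flag: set on all but the last fragment
    data: bytes

def fragment(src, dst, ident, payload, mtu, hdr_len=20):
    """Split data so each fragment fits the MTU; all but the last carry a multiple of 8 bytes."""
    chunk = (mtu - hdr_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    return [Fragment(src, dst, ident, pos // 8, pos + chunk < len(payload),
                     payload[pos:pos + chunk])
            for pos in range(0, len(payload), chunk)]

class Reassembler:
    """Destination-side fragment pool: a datagram is handed up only once every
    byte has arrived; incomplete sets are discarded after a timeout."""
    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.pool = {}   # (src, dst, ident) -> [first_seen, total_len, {offset: data}]

    def receive(self, frag, now):
        """Add one fragment; return the whole datagram when complete, else None."""
        self.expire(now)
        key = (frag.src, frag.dst, frag.ident)
        entry = self.pool.setdefault(key, [now, None, {}])
        entry[2][frag.offset * 8] = frag.data
        if not frag.more:                       # the last fragment fixes the total length
            entry[1] = frag.offset * 8 + len(frag.data)
        end = 0                                 # pieces must cover [0, total) with no gaps
        for off in sorted(entry[2]):
            if off != end:
                return None
            end = off + len(entry[2][off])
        if entry[1] is None or end != entry[1]:
            return None
        del self.pool[key]
        return b"".join(entry[2][o] for o in sorted(entry[2]))

    def expire(self, now):
        """Discard incomplete datagrams older than the timeout (lost-fragment case)."""
        for key in [k for k, v in self.pool.items() if now - v[0] > self.timeout]:
            del self.pool[key]
```

Fragments may arrive in any order; losing a single one leaves the datagram in the pool until the timeout discards it, which is the "lose one segment, lose the whole message" cost described above.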

Page 8: Error reporting

- IP includes the Internet Control Message Protocol (ICMP), RFC 792
- ICMP messages are sent in IP packets
  - (i.e. same protocol level as UDP or TCP)
  - IP protocol number 2
- Not seen by applications - between host or router OSs only
  - Error messages
  - Informational messages (mostly superseded by DHCP)
- NOTE: some may be dropped by firewalls to avoid possible attacks, e.g. denial of service (but this makes diagnosis of problems harder)

Page 9: ICMP message types

Page 10: ICMP error messages (i)

- Source Quench
  - router to host: please slow down (buffer overflow)
- Time exceeded
  - datagram discarded due to TTL=0 or a lost fragment
  - can be used to trace a route by gradually increasing the TTL and seeing which router it gets to before timing out
  - See commands: tracert (Windows), traceroute (Unix)

Page 11: ICMP error messages (ii)

- Destination unreachable
  - datagram discarded by a router because the host or network is not reachable
  - datagram discarded by the host because the UDP/TCP port is not in use
- Redirect
  - datagram sent to the wrong next hop (gives an alternative)
- Fragmentation required
  - if fragmentation is not allowed but necessary
  - can be used to determine the path MTU (maximum transmission unit)
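The "fragmentation required" message from pages 5 and 11, as an added example that is not part of the slides: a router builds the ICMP Destination Unreachable (type 3, code 4) message with the RFC 1071 checksum and the RFC 1191 Next-Hop MTU field, quoting the offending IP header plus 8 bytes of its payload, and the sender validates it and recovers the MTU and which of its datagrams it refers to. The IPv4 header builder and all addresses and values are constructed for the example.

```python
import struct

ICMP_DEST_UNREACH, CODE_FRAG_NEEDED = 3, 4   # RFC 792 type/code for "fragmentation required"

def inet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, ident, total_len, df=True, ttl=64, proto=6):
    """Minimal 20-byte IPv4 header (no options) for a constructed sample datagram."""
    flags_frag = 0x4000 if df else 0            # DF is bit 14 of the flags/offset word
    pack = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, pack(src), pack(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_frag_needed(next_hop_mtu, offending):
    """What a router sends back when DF is set and the packet exceeds the next
    link's MTU: type 3 code 4, Next-Hop MTU (RFC 1191), quoting the offending
    IP header plus the first 8 bytes of its payload."""
    ihl = (offending[0] & 0x0F) * 4
    msg = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0,
                      next_hop_mtu) + offending[:ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_frag_needed(msg):
    """Sender side: verify the checksum, then return (next_hop_mtu, src, dst, ident)
    of the quoted datagram so it can be matched to a connection; None if not usable."""
    if len(msg) < 28 or inet_checksum(msg) != 0:
        return None
    typ, code, _, _, mtu = struct.unpack("!BBHHH", msg[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED):
        return None
    quoted = msg[8:]
    ident = struct.unpack("!H", quoted[4:6])[0]
    fmt = lambda b: ".".join(str(x) for x in b)
    return mtu, fmt(quoted[12:16]), fmt(quoted[16:20]), ident
```

The quoted header is what lets the sender tie the error to a specific outstanding datagram; a message whose checksum does not verify, or whose quoted header is missing, is ignored rather than acted on.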

Page 12: ICMP informational messages

- Echo Request/Reply
  - ICMP software sends a Reply when it receives a Request
  - test that a computer is accessible (e.g. ping)
- Address mask request/reply
  - allow a host on booting to query the local router for its netmask (see DHCP, later)
- Gateway discovery
  - allow a host on booting to find its default router (see DHCP)

Page 13: Auto-configuration - low-level

- ICMP address mask request/reply
  - => netmask
- Reverse ARP (RARP), RFC 903
  - send your Ethernet address and a server returns your IP address
- ICMP gateway discovery
  - => default route

Page 14: Auto-configuration - higher-level (i)

- Bootstrap Protocol (BOOTP), RFC 951 and RFC 1542
  - single BOOTP request
  - BOOTP server replies with IP address, router IP address, server information
  - requires server configuration for each machine

Page 15: Auto-configuration - higher-level (ii)

- Dynamic Host Configuration Protocol (DHCP), RFC 1541
  - conceptually an extension of BOOTP
  - server can maintain a pool of IP addresses
  - no configuration for a new machine
  - but the IP address (and therefore domain names) may change each time a machine is booted

Page 16: Network Address Translation: motivations

- IP requires every machine to have a unique IP address
  - But there are not enough IPv4 addresses to go round so...
  - Allow sites to have their own internal private addresses
  - And share just a few global IP addresses between all of their machines

Page 17: Network Address Translation

- NAT device at the boundary between the private network and the Internet
  - translates to and from internal private addresses...

Page 18: Simple NAT

- Maps between an internal private IP address and an external global IP address
  - E.g. for a server machine
  - NAT device is configured (by hand?!) with the address mapping
  - Re-writes IP packet headers when forwarding:

Page 19: Network Address and Port Translation (NAPT)

- Allows a single external IP to be shared by many private IPs
  - By changing port numbers as well as IP addresses:

Page 20: Configuring NAPT

- Can be statically configured
  - E.g. for a web server: external IP, port 80 <-> internal server IP, port 80
- Can be dynamically configured by outgoing connections/packets
  - For normal clients, e.g. accessing external servers...
  - NB. Does NOT allow external hosts to initiate connections to internal hosts (good for security)

Page 21: NAPT dynamic configuration example

- Internal IP I_A, port P_A sends a packet to external IP I_B, port P_B...
  - IP header has the IPs, UDP/TCP header has the ports
- NAT device sees the outgoing packet
  - Chooses a currently unused port number P_C
  - for its own global IP address, I_C
  - Creates a new translation mapping (I_A, P_A) <-> (I_C, P_C) (leaves the external IP/port unchanged)
  - Discards the mapping if unused for some time (configurable)
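The dynamic NAPT behaviour of pages 19 to 21, as an added example that is not part of the slides: an outgoing packet from (I_A, P_A) creates a mapping to a fresh port P_C on the device's global address I_C, replies are translated back through that mapping, an inbound packet with no mapping is dropped (the "does NOT allow external hosts to initiate connections" point on page 20), and idle mappings expire after a configurable time. The packet model, the port chooser and the addresses used in the test are constructed for the example.

```python
from collections import namedtuple
from itertools import count

# Constructed packet model: only the fields NAPT rewrites or keys on.
Pkt = namedtuple("Pkt", "proto src sport dst dport")

class Napt:
    """Dynamic NAPT: an outgoing packet from (I_A, P_A) to (I_B, P_B) creates the
    mapping (I_A, P_A) <-> (I_C, P_C) on the device's global address I_C; inbound
    packets are rewritten only if a mapping exists, so outsiders cannot initiate."""
    def __init__(self, global_ip, timeout=300.0, first_port=40000):
        self.global_ip, self.timeout = global_ip, timeout
        self.next_port = count(first_port)          # simple "currently unused port" chooser
        self.out = {}    # (proto, I_A, P_A, I_B, P_B) -> [P_C, last_used]
        self.back = {}   # (proto, P_C, I_B, P_B) -> (I_A, P_A)

    def outbound(self, pkt, now):
        """Private -> Internet: create/refresh the mapping, rewrite source IP and port."""
        self.expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            p_c = next(self.next_port)
            if p_c > 65535:
                raise RuntimeError("no free ports on the global address")
            self.out[key] = [p_c, now]
            self.back[(pkt.proto, p_c, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.out[key][1] = now
        return pkt._replace(src=self.global_ip, sport=self.out[key][0])

    def inbound(self, pkt, now):
        """Internet -> private: rewrite destination from a mapping, or drop (None)."""
        self.expire(now)
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != self.global_ip or key not in self.back:
            return None                              # unsolicited: no mapping, discarded
        i_a, p_a = self.back[key]
        self.out[(pkt.proto, i_a, p_a, pkt.src, pkt.sport)][1] = now
        return pkt._replace(dst=i_a, dport=p_a)

    def expire(self, now):
        """Discard mappings idle for longer than the (configurable) timeout."""
        for key, (p_c, last) in list(self.out.items()):
            if now - last > self.timeout:
                del self.out[key]
                del self.back[(key[0], p_c, key[3], key[4])]
```

Two internal hosts using the same local port get distinct P_C values, which is what lets one global address serve many private ones.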

Page 22: NAT/NAPT deployment

- Most ISPs
  - Hence the need to apply specifically for "static" (globally routable) IP addresses
- Many home/small office firewalls and broadband routers

Page 23: Additional NAT/NAPT issues

- Internet server sees the NAT device's IP address and translated port number (if NAPT)
- Private network client only knows its private IP address and local port
- Client IP address not transferable (correct or useful) outside the NAT device
  - E.g. RMI references passed from client to server will contain the private IP and so won't work for the server
  - The client and server will disagree about what they consider the client's IP address to be (security issue?!)