Slide 3: TCP/IP Protocol Suite, Reference Model. Diagram mapping the OSI Reference Model (Application, Presentation, Session, Transport, Network, Data Link, Physical) onto the IP Networking Model (Applications Layer, Host-to-Host Layer, Internet Layer, Network Protocols Layer, Hardware), with the protocols placed in it: Ethernet, Token Ring, FDDI, PPP, ATM, ARP, RARP, ICMP, IP, RIP, TCP, UDP, FTP, SMTP, Telnet, TIME, RPC, NFS, HTTP, Ping.
Slide 5: TCP/IP Protocol Suite, IP Datagrams. Header layout in 32-bit rows: Version (4 bits), IH Length (4 bits), Type of Service, Total Length of Datagram; Identification, Flags (3 bits), Fragment Offset (13 bits); Time to Live, Protocol, Header Checksum; IP Source Address; IP Destination Address; IP Options; Data.
Slide 8: Addressing in IP, Internet Addresses. Class A address: leading bit 0, 8-bit network part, 24-bit host part. Class B address: leading bits 10, 16-bit network part, 16-bit host part. Class C address: leading bits 110, 24-bit network part, 8-bit host part.
Slide 9: Addressing in IP, Internet Addresses. Internet address 130.44.79.34 converted to binary format: 10000010 00101100 01001111 00100010 (130 . 44 . 79 . 34).
Slide 11: Addressing in IP, Subnetting. Without subnetting the address is Network | Host; with subnetting it becomes Extended Network Address (Network | Subnet) | Host.
Slide 15: IP Routing, OSPF (Open Shortest Path First). Diagram of nodes/networks A to E with link costs and the shortest/best path marked.
Slide 16: Address Resolution, ARP (Address Resolution Protocol). The host 192.168.3.77 (hardware address 08 00 2B 00 AC FC) sends an ARP Request (multicast) asking "192.168.3.75 / Hardware Address?"; the host 192.168.3.75 answers with an ARP Response "192.168.3.75 / 08 00 2B 00 AA 0C". A router connects the segment to the Internet.
Slide 17: Dynamic Host Configuration, DHCP (Dynamic Host Configuration Protocol). The client sends a Request; the server answers with a Response carrying the IP setup information; a router connects the segment to the Internet.
Slide 18: IP Networking, Domain Names / Host Names. Examples for top-level domains:
.com Commercial organizations
.edu Educational organizations
.gov US Government and government agencies
.net Network providers (like ISPs, etc.)
.org Misc. organizations
.mil US military organizations
.int International organisations such as UNO, NATO, etc.
Countries are assigned domains that start with their ISO country code:
.de Germany
.ch Switzerland
.at Austria
.fr France
Slide 19: IP Networking, DNS (Domain Name System). The resolver queries the DNS server; a router connects the segment to the Internet.
Slide 21: TCP/IP Tools and Applications, HTTP. A Web Browser (HTTP Client) talks to a Web Server (HTTP Server) across the Internet (public network).
Slide 22: TCP/IP Tools and Applications, TELNET. A TELNET Client connects to a TELNET Server across the Internet (public network).
Slide 23: TCP/IP Tools and Applications, FTP. An FTP Client and an FTP Server across the Internet (public network), with the FTP command connection and the active FTP data connection drawn separately.
Slide 24: TCP/IP Tools and Applications, Email. Mail sending between mail servers over SMTP; mail reception by the client over POP.
Slide 25: TCP/IP Tools and Applications, PING (Packet Internet Groper) across the Internet (public network).
Slide 26: Address Translation, NAT/PAT. A router with NAT/PAT connects the 10.1.1.0 network (hosts 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4), using the registered address 149.35.29.1, to a Remote Access Server or ISP router and the Internet.
Slide 34: IPv6, Next Generation IP. Feature comparison (Feature: IPv4 / IPv6):
Addressing: 32 bits (4 octets) / 128 bits (16 octets)
Address space: 4.3 x 10^9 addresses / 3.4 x 10^38 addresses
Max packet size: < 64 Kbytes / < 64 Kbytes normal, "jumbogram" support
Security: IPSec add-on / IPSec built-in
Configuration: Manual or DHCP / Automatic
Multicast: All-broadcast only / Multicast, anycast
Quality of Service: Defined but not generally implemented / Flow labeling, priority
Mobile IP: Add-on / Built-in
Neighbor Discovery: Requires ARP / Uses ICMPv6
Address notation: Dotted-decimal / Colon-hexadecimal
Slide 35: IPv6 Extended Addressing. IPv4 address: 32 bits; IPv6 address: 128 bits. A 32-bit address gives 2^32 = 4294967296 addresses (values 0 to 2^32 - 1); a 128-bit address gives 2^128 = 340282366920938463463374607431768211456 addresses (values 0 to 2^128 - 1). The IPv6 address space is 2^96 times the size of the IPv4 address space!
Slide 36: IPv6 Example Address Format. IPv6 Global Unicast Address Format Example (colon-hexadecimal notation): 2001 : 1234 : 5678 : 0123 : 0000 : 1234 : 5678 : 9ABC. Bit positions 0, 16, 32, 48, 64, 80, 96, 112, 128. The first 48 bits (3 + 45 bits) are the provider part: Format Prefix (FP) with value 001, TLA ID, RES and NLA ID; they are followed by the SLA ID (site/subnet) and the Interface ID.
Slide 37: IPv6 Header Format Optimization. Header in 32-bit rows: Version, Traffic Class, Flow Label; Payload Length, Next Header, Hop Limit; Source Address; Destination Address.
Slide 38: IPv6 Improved multicast & streaming. A multicast application (source) delivers to the destinations User 1 to User 5.
Slide 40: IPv6 Better Support for Mobile Devices. Home network with the Home Agent (HA), visited network with the Mobile Node (with a care-of address), and a Correspondent Node, all connected over the Internet (IPv6).
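As an added Python example (not part of the original slides), the address on slide 36 expanded, compressed and split into the provider part (3 + 45 bits), SLA ID and Interface ID, together with the IPv6 header layout of slide 37 packed and unpacked; unlike the IPv4 header it carries no header checksum. The address is the slide's; the destination address, header field values and payload length are constructed.

```python
import ipaddress
import struct

EXAMPLE_ADDRESS = "2001:1234:5678:0123:0000:1234:5678:9ABC"  # from slide 36


def expand(addr: str) -> str:
    """Full colon-hexadecimal form, eight 4-digit groups."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Shortest form: leading zeros dropped, longest run of two or more zero groups as ::."""
    return ipaddress.IPv6Address(addr).compressed


def global_unicast_fields(addr: str) -> dict:
    """Split according to slide 36: 3-bit Format Prefix (001 for global unicast),
    48-bit provider part (FP + TLA ID + RES + NLA ID = 3 + 45 bits),
    16-bit SLA ID (site/subnet) and 64-bit Interface ID."""
    n = int(ipaddress.IPv6Address(addr))
    return {
        "format_prefix": f"{n >> 125:03b}",
        "provider_part": f"{n >> 80:012x}",
        "sla_id": f"{(n >> 64) & 0xFFFF:04x}",
        "interface_id": f"{n & ((1 << 64) - 1):016x}",
    }


def address_space_ratio() -> int:
    """IPv6 space (2**128) divided by IPv4 space (2**32) = 2**96, as slide 35 states."""
    return 2 ** 128 // 2 ** 32


def build_ipv6_header(src: str, dst: str, payload_length: int, *, next_header: int = 17,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Fixed 40-byte IPv6 header: Version (4) | Traffic Class (8) | Flow Label (20) |
    Payload Length (16) | Next Header (8) | Hop Limit (8) | Source (128) | Destination (128)."""
    if not 0 <= flow_label < (1 << 20) or not 0 <= traffic_class < 256:
        raise ValueError("flow label is 20 bits, traffic class 8 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", first_word, payload_length, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(raw: bytes) -> dict:
    """Unpack the fixed header; there is no checksum field to verify at this layer."""
    first_word, payload_length, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", raw[:40])
    return {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


if __name__ == "__main__":
    print(expand("2001:1234:5678:123::1234:5678:9abc"))
    print(compress(EXAMPLE_ADDRESS))
    print(global_unicast_fields(EXAMPLE_ADDRESS))
    # 2001:db8::1 is a constructed destination from the documentation prefix.
    hdr = build_ipv6_header(EXAMPLE_ADDRESS, "2001:db8::1", 32, traffic_class=0x0A, flow_label=0xABCDE)
    print(len(hdr), parse_ipv6_header(hdr))
```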
Slide 42: IPv6 Migrating from IPv4, Dual Stack / Dual Layer Approach. The OSI Reference Model (Application, Presentation, Session, Transport, Network, Data Link, Physical) is shown next to two IP networking stacks between the Applications Layer and the Hardware: in the Dual Stack Approach, separate IPv4 and IPv6 stacks each carry their own TCP/UDP; in the Dual Layer Approach, a single TCP/UDP layer sits over both IPv4 and IPv6 in the Network Protocols Layer.
In the US, government agencies already recognized in the late 1960s the need for a technology that would interconnect many different networks in order to make them all function as one unit with a high level of redundancy. The internet technology that resulted from research funded by the Defense Advanced Research Projects Agency (DARPA) was a set of layered protocols called TCP/IP, named after two of its main protocols (Transmission Control Protocol and Internet Protocol). In about 1983, TCP/IP became the standard protocol suite used on the DoD Internet (Department of Defence Internet), including the ARPANET, which was the first available packet switching network. The ARPANET research resulted in the establishment of additional networks that are referred to as the DARPA Internet or simply the Internet. (The term Internet written with a capital “I” is used when referring to the DARPA Internet. If it is written with a small “i” then the term is used in a generic way.) The Internet is today a worldwide grouping of networks, all of which use TCP/IP. These networks include large and small private networks, science and research networks and military networks like the DDN (Defence Data Network). For years the Internet has been growing at an incredible speed. In January 1993 only about 1.3 million hosts were connected to the Internet. By January 2003 already close to 172 million hosts had been counted by the ISC (Internet Software Consortium), an organization that regularly determines the approximate number of computer systems connected to the Internet.
The TCP/IP protocol suite contains a large number of protocols at all layers within the architecture. Some of the more common protocols are:
IP: Internet Protocol
ICMP: Internet Control Message Protocol
ARP: Address Resolution Protocol
RARP: Reverse Address Resolution Protocol
RIP: Routing Information Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
FTP: File Transfer Protocol
RPC: Remote Procedure Call
NFS: Network File System
SMTP: Simple Mail Transfer Protocol
Ping: Packet Internet Groper
HTTP: Hypertext Transfer Protocol
IP datagrams are sent from one host to another, possibly through interconnecting routers. These routers (in IP terminology also called gateways) forward IP packets from one network to another. The IP service does not guarantee the delivery of packets. The packets may be duplicated, lost or delivered in the wrong order. Error detection is only provided for the IP header, not for the payload portion of the packet. The IP service is called connectionless because each packet is processed independently from all others. IP datagrams contain all the information necessary for intermediate routers to process the packets and forward them accordingly.
To send an IP datagram, the sending machine encapsulates the datagram inside a network frame for transmission across a directly connected network. If, for example, the network technology used is Ethernet, then the IP datagram is placed in the data portion of the Ethernet frame, and the frame's type field is set to IP. After the network delivers the frame to the destination, the receiver uses the type field to identify the data portion of the frame as an IP datagram and forwards the datagram to the software that processes it.
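As an added example (not part of the original slides), here is the IPv4 header of slide 5 built and parsed in Python, including the RFC 791 header checksum; it makes the point above concrete that the checksum covers only the header, so a corrupted payload goes unnoticed at the IP layer while a corrupted header field is caught. The source and destination addresses are the ones shown on the slides; the payload and identification value are constructed.

```python
import struct
from dataclasses import dataclass

# Sample addresses taken from the slides; payload and identification are constructed.
SRC_IP = "130.44.79.34"
DST_IP = "192.168.3.75"


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (5 = 20 bytes, no options)
    tos: int              # Type of Service
    total_length: int     # header + payload, in bytes
    identification: int
    flags: int            # 3 bits: reserved, DF (don't fragment), MF (more fragments)
    fragment_offset: int  # 13 bits, in units of 8 bytes
    ttl: int              # Time to Live
    protocol: int         # e.g. 1 = ICMP, 6 = TCP, 17 = UDP
    header_checksum: int
    src: str
    dst: str


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by RFC 791."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum(header: bytes) -> int:
    """Checksum of the header with its own checksum field (bytes 10-11) taken as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, *, ttl: int = 64,
                      protocol: int = 17, ident: int = 0x1234, df: bool = True) -> bytes:
    """Build a minimal IPv4 datagram (no options) with a correct header checksum."""
    flags_frag = (0b010 << 13) if df else 0  # DF set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), ident, flags_frag,
                         ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst))
    checksum = struct.pack("!H", ip_header_checksum(header))
    return header[:10] + checksum + header[12:] + payload


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte part of the header (options, if any, are not parsed)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return IPv4Header(
        version=ver_ihl >> 4, ihl=ver_ihl & 0xF, tos=tos, total_length=total_len,
        identification=ident, flags=flags_frag >> 13, fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, header_checksum=csum,
        src=".".join(str(b) for b in src), dst=".".join(str(b) for b in dst))


def header_checksum_ok(packet: bytes) -> bool:
    """A header with a valid checksum sums to 0xFFFF when the checksum field is included."""
    header_len = (packet[0] & 0xF) * 4
    return ones_complement_sum(packet[:header_len]) == 0xFFFF


if __name__ == "__main__":
    pkt = build_ipv4_packet(SRC_IP, DST_IP, b"hello")
    print(parse_ipv4_header(pkt))
    print("header ok:", header_checksum_ok(pkt))
    # Flip a payload byte: the IP header checksum still verifies (payload is not covered).
    print("payload corrupted, header still ok:", header_checksum_ok(pkt[:20] + b"jello"))
    # Change the TTL: the header checksum now fails.
    print("ttl corrupted, header ok:", header_checksum_ok(pkt[:8] + bytes([63]) + pkt[9:]))
```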
The Transport Layer identifies which processes (programs) are active on each host and provides either connection-oriented or connectionless services to these processes. Connection-oriented services ensure a reliable transmission of data. TCP (Transmission Control Protocol) provides such reliable services to upper layer protocols like FTP or HTTP. Connectionless services provide faster transmissions with less overhead but offer no reliability. UDP (User Datagram Protocol) is used to provide connectionless services to upper layer protocols like NFS or TIME. The Transport layer uses ports to identify upper-layer processes or programs. Port addresses are used to distinguish between the different programs running within a system. The combination of an end system's IP address and transport layer port is called a socket and uniquely identifies a process running on a specific host. A socket pair includes each end system's IP address and port address and identifies a logical communication channel between the systems (processes). Client- and server-based addresses are used (with TCP and UDP) to identify processes running on a host. Server ports have a range of 1 to 1023. Industry-wide recognized port addresses are within the range of 1 through 255. Client port addresses can be anywhere between 1024 and 65536.
To understand the derivation of network addresses it is important to get a basic understanding of decimal and binary numbering. The decimal number system consists of the 10 unique digits 0 to 9. Decimal numbering therefore uses powers of 10. This number system is also referred to as the base-10 system. The binary number system consists of only two unique digits, 0 and 1. Unlike decimal numbering, the binary numbering system uses powers of 2 rather than powers of 10. This number system is also referred to as the base-2 system. A byte or octet is composed of 8 bit positions with possible values ranging from 0 (all bits are 0) to 255 (all bits are 1).
An Internet host address is a 32-bit number that identifies both the network on which a host is located and the host on that network. Network addresses (Internet addresses) are assigned by a central agency, while host numbers are assigned individually by the local network administrator. The most significant bits of the network portion of the Internet address determine the class of an address. There are three classes defined:
A, with high-order bit “0”, 8-bit network portion
B, with high-order bits “10”, 16-bit network portion
C, with high-order bits “110”, 24-bit network portion
Each successive class has fewer bits for the host part of the Internet address and therefore supports fewer hosts than the class before it.
The numeric representation of an Internet address is as follows: Each 8 bit field of the address is denoted by a decimal number, separated from the other fields with a period.
Class D addresses have the first four bits set to “1110” and are reserved for use as multicast addresses; they are not for use by individual hosts. Class E addresses have the first five bits set to “11110” and have been reserved for future use. 255.255.255.255 is the decimal representation of an IP address with all binary digits set to 1. It identifies a message sent to all nodes on all networks and is therefore used for broadcast purposes. The address 0.0.0.0 is the decimal representation of an IP address with all binary digits set to 0. This number typically represents an unknown network/host. The address 127.0.0.1 is a special address (Class A) used for internal loop-back testing. It designates the local node and does not generate any traffic on the network. Private addresses defined in RFC 1918 may be used internally by private networks. These addresses are not routable through the Internet. They are used to overcome addressing issues in the current Internet (IPv4) address space and give companies more flexibility by providing larger usable address ranges. To communicate with the Internet, subnets using RFC 1918 addresses need to be connected through some form of address translation to registered Internet addresses, like NAT (Network Address Translation) or PAT (Port Address Translation).
In 1985, RFC 950 defined a standard procedure to support the subnetting, or division, of a single Class A, B, or C network number into smaller pieces. Subnetting was introduced to overcome some of the problems that parts of the Internet were beginning to experience with the classful two-level addressing hierarchy: growing Internet routing tables, and the fact that local administrators had to request another network number from the Internet before a new network could be installed at their site. Subnetting divides the addressing hierarchy into three levels. Adding another level makes it unnecessary to have knowledge of the internal subnet structure outside of the organization. Since the subnets for a given network number all use the same network prefix, the route in from outside to any subnet is the same. This means that for one entry in the global routing tables, there can exist many individual sub-networks. The network prefix is effectively extended: the most significant bits of the address remain the network number, and the next most significant bits identify the subnet.
The subnet mask is used to define the host part of the IP address. The bits in the mask are set to 1 for the digits that are to be a part of the extended network prefix and are set to 0 for the digits that are part of the host number.
Routing Information Protocol (RIP) is described fully in RFC 1058. Extensions for RIP version 2 are described in RFC 1723. Extensions for RIP on demand are described in RFC 1582. RIP is a fairly simple distance vector protocol which defines networks based on how many hops they are from the router. Once a network is more than 15 hops away (one hop is one link) it is not included in the routing table. The possible routes (there may be more than one) to a particular host are selected on the basis of the shortest one. If two routes have the same metric (hop count) or cost, the first one found will be chosen. RIP does not cope very well with a meshed (multiply connected) network. It suits star topologies very well. Each router configured for RIP maintains a relatively simple route table as described earlier. The router will periodically broadcast its routing information to other routers. Similarly, it will need to obtain this information from neighbouring routers to improve its own picture of the network. Routes are removed from the table if they are not kept up to date (refreshed) by the neighbouring routers. The RIP version 2 extensions allow the RIP updates to contain subnet masks and next hop information. The ability to carry subnet masks allows the use of different sized subnet masks on different subnets within the same network.
The Open Shortest Path First (OSPF) protocol is a relatively recent standard which is documented in RFC 1247. It has a number of significant benefits over older distance vector based protocols like RIP, including:
OSPF is an open, published specification. It is not proprietary to any manufacturer.
OSPF supports the concept of areas to allow networks to be administratively partitioned as they grow in size.
Load balancing, in which multiple routes exist to a destination, is also supported. OSPF distributes traffic over these links.
OSPF routes IP packets based solely on the destination IP address and IP Type of Service found in the IP packet header.
OSPF is a dynamic routing protocol. It quickly detects topological changes in the network and calculates new loop-free routes after a period of convergence. This period of convergence is short and involves a minimum of routing traffic.
In an OSPF-based routing protocol, each router maintains a database describing the Autonomous System's topology. Each participating router has an identical database. Each individual piece of this database is a particular router's local state (e.g., the router's usable interfaces and reachable neighbours). The router distributes its local state throughout the Autonomous System by flooding. All routers run the exact same algorithm, in parallel. From the topological database, each router constructs a tree of shortest paths with itself as root. This shortest-path tree gives the route to each destination in the Autonomous System. Externally derived routing information appears on the tree as leaves. OSPF calculates separate routes for each Type of Service (TOS). When several equal-cost routes to a destination exist, traffic is distributed equally among them. The cost of a route is described by a single dimensionless metric. OSPF allows sets of networks to be grouped together. Such a grouping is called an area. The topology of an area is hidden from the rest of the Autonomous System. This information hiding enables a significant reduction in routing traffic. Also, routing within the area is determined only by the area's own topology, lending the area protection from bad routing data. An area is a generalization of an IP subnetted network.
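To make the difference between RIP's hop count and OSPF's link-cost shortest-path tree concrete, here is an added Python example (not from the original slides) that runs both on a small constructed topology: a distance-vector convergence with RIP's 15-hop limit, and a Dijkstra computation from one router that keeps every equal-cost next hop, as OSPF does when it distributes traffic. The router names and link costs are constructed and do not correspond to the diagram on slide 15.

```python
import heapq
from collections import defaultdict

RIP_INFINITY = 16  # RIP metric 16 means unreachable: networks more than 15 hops away are dropped

# Constructed topology: (router, router, link cost). The A-E link is a single slow hop;
# the paths via B and via C/D cost less but take more hops.
LINKS = [
    ("A", "B", 1), ("A", "C", 1), ("B", "E", 2),
    ("C", "D", 1), ("D", "E", 1), ("A", "E", 5),
]


def build_graph(links):
    """Undirected adjacency map {router: {neighbour: cost}}."""
    graph = defaultdict(dict)
    for a, b, cost in links:
        graph[a][b] = cost
        graph[b][a] = cost
    return dict(graph)


def rip_converge(graph, max_rounds=100):
    """Distance-vector convergence in the RIP style: every router repeatedly takes its
    neighbours' tables and keeps any destination it can reach in fewer hops.
    Link costs are ignored because RIP's metric is the hop count. Returns
    {router: {destination: (hops, next_hop)}} without unreachable (>15 hop) entries."""
    tables = {r: {r: (0, None)} for r in graph}
    for _ in range(max_rounds):
        changed = False
        for router, neighbours in graph.items():
            for nbr in neighbours:
                for dest, (hops, _) in list(tables[nbr].items()):
                    candidate = min(hops + 1, RIP_INFINITY)
                    current = tables[router].get(dest, (RIP_INFINITY, None))
                    if candidate < current[0]:  # strict: on a tie the first route found stays
                        tables[router][dest] = (candidate, nbr)
                        changed = True
        if not changed:
            break
    return {r: {d: v for d, v in t.items() if v[0] < RIP_INFINITY} for r, t in tables.items()}


def ospf_spf(graph, root):
    """Shortest-path tree from root over link costs (Dijkstra). Returns
    {destination: (cost, frozenset_of_next_hops)}; more than one next hop means
    equal-cost routes over which OSPF would split the traffic."""
    cost = {root: 0}
    next_hops = {root: set()}
    heap = [(0, root)]
    done = set()
    while heap:
        c, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, w in graph[u].items():
            new_cost = c + w
            via = {v} if u == root else next_hops[u]
            if v not in cost or new_cost < cost[v]:
                cost[v] = new_cost
                next_hops[v] = set(via)
                heapq.heappush(heap, (new_cost, v))
            elif new_cost == cost[v]:
                next_hops[v] |= via
    return {d: (cost[d], frozenset(next_hops[d])) for d in cost}


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("RIP table at A:", rip_converge(g)["A"])   # E reached over the 1-hop direct link
    print("OSPF tree at A:", ospf_spf(g, "A"))        # E at cost 3 via both B and C
    # A straight chain of 17 routers: the far end is 16 hops away and invisible to RIP.
    chain = build_graph([(f"R{i}", f"R{i+1}", 1) for i in range(16)])
    print("R16 reachable from R0 via RIP:", "R16" in rip_converge(chain)["R0"])
```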
Whenever the IP process running on a source node is attempting to send an IP datagram, it examines whether the destination internet address is on its own physical network. If the IP datagram is destined for a host on its own local network, the IP process delivers the IP datagram directly. If the IP datagram is destined for a host on some other network, it sends it to a router on the local network. To make this direct delivery possible, each node maintains an ARP (Address Resolution Protocol) cache (or table) containing the mappings of internet addresses to physical (hardware) addresses. To add an entry to the ARP table for a destination host that has not been contacted for some time, ARP multicasts an ARP Request packet containing the destination node's internet address. The destination node (or router) replies with an ARP Response packet containing its physical (hardware) address. RARP (Reverse ARP) allows a host that only knows its physical (hardware) address to obtain the internet address that it should use in communicating with other systems.
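The exchange on slide 16, encoded and decoded as Ethernet/IPv4 ARP packets (RFC 826 layout) in an added Python example that is not part of the original slides. The hardware and internet addresses are the ones on the slide; the hosts are simulated objects with their own ARP caches, and the third host is constructed. The request's target hardware address is unknown and therefore sent as zeros, and on the wire the request is carried in a frame to the Ethernet broadcast address ff:ff:ff:ff:ff:ff.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ETHERNET_BROADCAST = "ff:ff:ff:ff:ff:ff"  # Ethernet destination of an ARP request
UNKNOWN_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(" ", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class ArpPacket:
    oper: int  # 1 = request, 2 = reply
    sha: str   # sender hardware address
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address (zeros in a request)
    tpa: str   # target protocol (IP) address


def encode_arp(p: ArpPacket) -> bytes:
    """28-byte ARP body for Ethernet (6-byte) and IPv4 (4-byte) addresses."""
    return struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, p.oper,
                       mac_to_bytes(p.sha), ip_to_bytes(p.spa),
                       mac_to_bytes(p.tha), ip_to_bytes(p.tpa))


def decode_arp(raw: bytes) -> ArpPacket:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", raw[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(oper, bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))


class ArpHost:
    """A node with one interface and an ARP cache mapping internet -> hardware address."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.cache: Dict[str, str] = {}

    def request_for(self, target_ip: str) -> bytes:
        """Build the request that is sent to ETHERNET_BROADCAST when target_ip is not cached."""
        return encode_arp(ArpPacket(ARP_REQUEST, self.mac, self.ip, UNKNOWN_MAC, target_ip))

    def receive(self, raw: bytes) -> Optional[bytes]:
        """Process a received ARP packet; returns a reply to send, or None."""
        p = decode_arp(raw)
        if p.tpa != self.ip:
            return None  # not about us: a request for another host is ignored
        self.cache[p.spa] = p.sha  # learn the sender's mapping (RFC 826 merge step)
        if p.oper == ARP_REQUEST:
            return encode_arp(ArpPacket(ARP_REPLY, self.mac, self.ip, p.sha, p.spa))
        return None


if __name__ == "__main__":
    asker = ArpHost("08:00:2b:00:ac:fc", "192.168.3.77")
    target = ArpHost("08:00:2b:00:aa:0c", "192.168.3.75")
    bystander = ArpHost("08:00:2b:00:00:01", "192.168.3.80")  # constructed third host
    request = asker.request_for(target.ip)
    print("bystander answers:", bystander.receive(request))
    reply = target.receive(request)
    asker.receive(reply)
    print("asker cache:", asker.cache)
    print("target cache:", target.cache)
```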
IP networks require each node in the network to be provided with:
IP address
Subnet mask
DNS address
Domain name
Gateway
DHCP (Dynamic Host Configuration Protocol) enables network servers to assign IP addresses from a range automatically to client stations logging into a TCP/IP network, eliminating the need to manually assign permanent IP addresses to each node. It is also a means to provide the other necessary IP setup information automatically. Whenever a computer supporting DHCP is switched on, it sends out a DHCP request to obtain its TCP/IP setup information.
Before 1984, when there were only a few hundred machines connected to the ARPANET, a simple file called “hosts.txt” was maintained to provide name to address information. This file was then copied to the individual hosts. In the mid 1980s it became clear that this method would soon be unworkable. The Internet was growing at a very fast rate and new systems were connected every day. The names used with the Domain Name System (DNS) are constructed hierarchically, so that responsibility for portions of the namespace can be assigned to different organisations. These parts of the namespace are called “domains”. Domain names are read from right to left, with each portion of the domain being more specific. The top-level domains (.com, .edu, .net, .int, etc.) are administered by the InterNIC (Internet Network Information Centre). National organizations in each country manage name assignment for the respective domains (.fr, .de, .at, etc.).
The Domain Name System (DNS) is the distributed Internet service that provides translation from hostnames to the numeric addresses used to uniquely identify a host in the Internet. To perform a name to address translation two elements/functions are involved. One element is part of the operating system requesting the translation and is called the “resolver”. In order to perform the translation the resolver has to interact with name servers . Name servers store and distribute the information about what address corresponds with which name. When the resolver needs an IP address, it sends a query to the name server. The name server may have the answer, and if so, it returns the information to the resolver. If the server does not know the answer, it asks a neighbouring name server.
The combination of an end system's IP address and transport layer port is called a socket and uniquely identifies a process (application) running on a specific host. A socket pair includes each end system's IP address and port address and identifies a logical communication channel between the systems' processes (applications). Client- and server-based addresses (16-bit code, from 0 to 65535) are used (with TCP and UDP) to identify processes (applications) running on a host. The server ports have a range of 1 to 1023; they are assigned by the IANA (Internet Assigned Numbers Authority) and reserved for the specific server application. Industry-wide recognized (well-known) port addresses are within the range of 1 through 255. Client port addresses can be anywhere between 1024 and 65536.
HTTP (Hypertext Transfer Protocol) is the basis for a very popular Internet application: the World Wide Web (WWW). It contains the set of rules for transferring files (text, graphic images, sound, and other multimedia data) from a Web server. As soon as a Web user opens their Web browser, the user is indirectly making use of HTTP. HTTP concepts include (as the Hypertext part of the name implies) the idea that files contain references to other files whose selection leads automatically to accessing those files. Any Web server contains, in addition to the Web page files it can serve, an HTTP server program that is designed to listen for HTTP requests and respond to them as soon as they arrive. A Web browser is basically an HTTP client, sending requests to server machines. As soon as the browser user enters a file request by either typing in a Uniform Resource Locator (URL) or by clicking on a hypertext link, the browser sends an HTTP request to the IP address indicated by the URL. The HTTP server process receives the request and sends back the requested files associated with the request. The HTTP session uses the TCP transport layer protocol for connecting the client and server processes. The standard well-known port that clients connect to at the WWW server side is port 80.
TELNET is a simple text-based remote terminal protocol that allows a user to log in on a remote host. Using a telnet session to another computer is like using a local terminal of that system. TELNET is typically used with Unix-oriented systems and to access many networking devices for management and configuration purposes. TELNET is based on a client/server principle in which one host (the telnet client) negotiates opening a session on another computer (the remote host, running the TELNET server). During the negotiation process, the two computers agree on the parameters relating to the session, including the terminal type (virtual terminal) to be used. In this context, virtual terminal refers to a set of terminal characteristics and functionalities that both sides of a TELNET connection agree to use to transmit data across the network. The TELNET session uses the TCP transport layer protocol for connecting the client and server processes on the system. The standard well-known port for TELNET terminal access is port 23 on the server side.
The File Transfer Protocol (FTP) allows the user to transfer data in both directions between the local host (FTP client) and a remote host (FTP server). FTP is a TCP based service. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port, although depending on the FTP mode the data port may be on a port other than 20. In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then the client starts listening on the next higher port (N+1) and sends the FTP command PORT N+1 to the server. The server will then connect back to the client's specified data port from its local data port, which is port 20. In order to resolve the issue of the server initiating the connection to the client, another method for FTP connections, called “passive mode”, was introduced. In passive mode FTP the client initiates both connections to the server. This solves the problem of some firewalls filtering the incoming data port connection from the server. When opening an FTP connection, the client opens two random unprivileged ports locally. As in the active mode example before, the first port contacts the server on port 21, but instead of then allowing the server to connect back to its data port, the client sends the passive mode instruction. Because of this, the server then opens a random unprivileged port (P) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.
Electronic mail is one of the most commonly used networking applications, resulting in a number of different protocols that have been developed over time to transfer emails across TCP/IP networks (and the Internet). The Simple Mail Transfer Protocol (SMTP) is the classic Internet standard for transferring emails between computers. SMTP deals with the exchanges that occur between a process with mail to be sent (SMTP client) and an SMTP process that receives mail (SMTP server). Other standards define extensions to SMTP that enable it to transport any type of information. Multipart messages are described in the Multipurpose Internet Mail Extensions (MIME) standards, which allow the transfer of word processor documents, binary files or multimedia data. The Post Office Protocol (POP) enables a desktop mail client to retrieve mail from a mail server. An alternative technology is the Internet Message Access Protocol (IMAP), which enables a user to work with emails that remain stored on a server.
Packet Internet Groper (PING ) is a protocol that uses ICMP as a transport mechanism. It is used to send a message to a host and wait for that node to respond to the message. PING is a helpful tool on TCP/IP networks, where it is used to determine if a node or network can be reached. PING will also report the round trip delay time for the connection.
NAT firewall/IP sharing (Network Address Translation) allows a LAN to connect to the Internet using one purchased IP address. NAT converts the outgoing IP address of each LAN device into one IP address for the Internet and vice versa. It also serves as a network firewall by keeping node IP addresses hidden from the outside world. One of the main reasons for NAT (Network Address Translation) is the depletion of IP address space on the Internet. Network managers need Internet access for their entire networks, but have only limited IP addresses to work with. NAT allows them to have an internal IP addressing scheme using one of the ranges allocated for private networks in RFC 1918. Any traffic leaving the private network goes through a router with NAT (PAT), which replaces the source address of the IP header with a registered Internet address. However, a comprehensive solution of the Internet address problem will only become possible in the future, with the implementation of new addressing schemes (IPv6). Experience has shown that the implementation of new technologies and standards takes a considerable time, so technologies like NAT and PAT will provide good pragmatic solutions for current problems.
The first attempt to solve the issues with Internet address space was a technology called Network Address Translation (NAT), described in RFC 1631. NAT was seen as a process whereby private addresses (defined in RFC 1918) could be masked with an authorized or registered IP address or a number of addresses. NAT is based on the assumption that not all users on a private LAN will need to access the Internet at the same time. A small pool of IP addresses is registered and assigned to the local “inside” network. All systems on this network are given RFC 1918 defined addresses. The registered IP addresses can then be dynamically assigned and reassigned, as appropriate, by the NAT router to computers accessing the Internet. A special version of NAT is a “many-to-one” scheme with just one single registered IP address. The abbreviation NAT is used today in a more generic way and typically includes more advanced address translation techniques like PAT (Port Address Translation).
IP addresses have become a scarce resource. Most Internet Service Providers (ISPs) will only allocate one address to a single customer. In the majority of cases this address is assigned dynamically, so every time a client connects to the ISP a different address will be provided. Because such users are given only one IP address, they can have only one computer connected to the Internet at a time. A variation of NAT, called enhanced NAT (ENAT), PAT (Port Address Translation) or NAPT (Network Address Port Translation), uses only a single global Internet IP address that is globally unique and assigned by the ISP to the WAN interface. The advantage of this scheme is that only a single IP address is required from an Internet Service Provider (ISP) to connect an entire private network. The private network can easily be shifted to another ISP simply by changing the one global IP address.
PAT (Port Address Translation) or NAPT (Network Address Port Translation) uses only a single global Internet IP address that is globally unique and assigned by the ISP to the WAN interface. This IP address can be either static or dynamic and can either be configured in the router manually or automatically while dialling into the ISP's router or access concentrator. Each new session crossing the access router is assigned a set of unique TCP/UDP port numbers. For example, consider a TELNET packet sent from a private network to a host on the Internet. The source IP address is changed to the single global IP address and the source TCP port number is substituted with one that is unique. The router maintains a list of all current sessions using the IP source address, original source port, substituted port, destination port and destination IP address information.
PAT (Port Address Translation) or NAPT (Network Address Port Translation) requires a system connected to the local (or “internal”) network to initiate a connection through the PAT/NAPT router. This is one of the reasons why access routers using PAT/NAPT already provide a relatively high level of security against attacks from the Internet. There are nevertheless applications where access from the Internet may be necessary. To address this issue, some access routers support “inverse” PAT/NAPT functions. This functionality permits a limited translation function in the opposite direction. When accessing the Internet from the local or “internal” network, the router itself makes the entry in the port and IP address information table. For example, a computer system sends a packet from the Internet to an HTTP server on the Intranet. From the point of view of this system the “inverse” PAT/NAPT router appears to be the HTTP server. The router knows the Intranet address of the server to which the packet is forwarded from the entry in the service table. All packets that come from the HTTP server in the local network (answers from the server) are hidden behind the IP address of the router. In order to access a service (port) in the local network from outside, it is necessary to define in advance a service table entry in the router by specifying a port number. The destination port is specified together with the local network address of, in our example, the HTTP server.
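The translation table described in the last two paragraphs, simulated in Python as an added example (not from the original slides or from any router's firmware): outbound sessions get a unique substituted port on the single global address, return traffic is matched against the session list, unsolicited inbound packets are dropped, and an “inverse” entry in a service table forwards one port to an inside server, whose answers are hidden behind the router's address. The global address and the 10.1.1.0 network are from slide 26; the remote hosts use constructed documentation addresses (198.51.100.0/24, 203.0.113.0/24).

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GLOBAL_IP = "149.35.29.1"  # registered address from slide 26; inside network is 10.1.1.0/24


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Session:
    inside_ip: str
    inside_port: int
    substituted_port: int
    remote_ip: str
    remote_port: int
    proto: str


class PatRouter:
    """Many-to-one NAT (PAT/NAPT): all inside hosts share one global address, told apart by port."""

    def __init__(self, global_ip: str,
                 service_table: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None,
                 first_port: int = 40000):
        self.global_ip = global_ip
        # (proto, global port) -> (inside ip, inside port): the "inverse" PAT entries,
        # which an administrator defines in advance.
        self.service_table = service_table or {}
        self.by_substituted: Dict[Tuple[str, int], Session] = {}
        self.by_inside: Dict[Tuple[str, str, int, str, int], Session] = {}
        self._ports = itertools.count(first_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: substitute the source address and port, recording the session."""
        inside_key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        session = self.by_inside.get(inside_key)
        if session is None:
            # A published server answers from the global port the service table maps to it;
            # any other session gets the next unused substituted port.
            published = [gp for (proto, gp), (ip, port) in self.service_table.items()
                         if proto == pkt.proto and (ip, port) == (pkt.src_ip, pkt.src_port)]
            sub_port = published[0] if published else next(self._ports)
            session = Session(pkt.src_ip, pkt.src_port, sub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            self.by_inside[inside_key] = session
            self.by_substituted[(pkt.proto, sub_port)] = session
        return Packet(self.global_ip, session.substituted_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: deliver only return traffic of a known session or traffic
        to a port in the service table; everything else is dropped (None)."""
        if pkt.dst_ip != self.global_ip:
            return None
        session = self.by_substituted.get((pkt.proto, pkt.dst_port))
        if session and (session.remote_ip, session.remote_port) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, session.inside_ip, session.inside_port, pkt.proto)
        forward = self.service_table.get((pkt.proto, pkt.dst_port))
        if forward:
            return Packet(pkt.src_ip, pkt.src_port, forward[0], forward[1], pkt.proto)
        return None


if __name__ == "__main__":
    router = PatRouter(GLOBAL_IP, service_table={("tcp", 80): ("10.1.1.3", 80)})
    telnet = Packet("10.1.1.2", 3456, "198.51.100.7", 23)  # constructed remote host
    print("out:", router.outbound(telnet))
    print("reply:", router.inbound(Packet("198.51.100.7", 23, GLOBAL_IP, 40000)))
    print("unsolicited:", router.inbound(Packet("203.0.113.9", 23, GLOBAL_IP, 40000)))
    print("to web server:", router.inbound(Packet("203.0.113.9", 51000, GLOBAL_IP, 80)))
    print("web server answer:", router.outbound(Packet("10.1.1.3", 80, "203.0.113.9", 51000)))
```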
A firewall is a security device designed to allow safe access between networks by enforcing a set of access rules between the various interfaces connecting them. Typically a firewall has two interfaces: one interface is attached to the public network and the other is attached to an internal private network (intranet) which requires protection. The firewall prevents unrestricted access to the private network and protects the computer systems behind it from attack. There are two main types of technology used in firewalls. The traditional firewall is an application gateway, where the firewall functions as a proxy between networks for certain applications. The proxy is designed with knowledge of how a protocol works and what is to be allowed or disallowed. This methodology is CPU intensive and very restrictive: only protocols that have specific proxies configured are allowed through. The second type of firewall methodology is stateful inspection, also referred to as dynamic packet filtering or context-based access control (CBAC). In this technology, an inspection module understands data in packets from the network layer (IP headers) up to the application layer. The inspection module checks every packet passing through the firewall and makes access decisions based on the source, destination and service requested. The term stateful refers to the firewall's ability to remember the status of a flow, for example whether a packet from the public Internet is returning traffic for a flow originated from the private intranet. Stateful inspection firewalls are generally faster, less demanding on hardware and more adaptive to new Internet applications.
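The stateful inspection decision from the slide above, as an added example that is not part of the original slides. The rule set (web and DNS allowed out of a constructed 10.0.0.0/24 intranet, everything else denied), the addresses and the ports are sample values chosen for the demonstration. The point it shows is the order of evaluation: the flow table is consulted before the rules, so a reply to a flow the intranet opened is permitted even though no rule allows traffic from the Internet, while a packet that merely looks like a reply but matches no remembered flow falls through to the rules and is denied.

```python
"""Stateful inspection of packets against an access rule set.

Added example, not part of the original slides; the rules, addresses and
ports are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A packet as the inspection module sees it: src_ip, src_port, dst_ip, dst_port, proto
Packet = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source network, CIDR notation
    dst: str                 # destination network, CIDR notation
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # the requested service; None matches any port

    def matches(self, pkt: Packet) -> bool:
        src_ip, _, dst_ip, dst_port, proto = pkt
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Packet] = set()  # 5-tuples of flows a permit rule admitted

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        src_ip, src_port, dst_ip, dst_port, proto = pkt
        # State first: is this the return half of a flow that was already admitted?
        if (dst_ip, dst_port, src_ip, src_port, proto) in self.flows:
            return ("permit", "return traffic of an established flow")
        # Otherwise walk the rule set top down; the first matching rule decides
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.flows.add(pkt)  # remember the flow so its replies can come back
                return (rule.action, f"rule {index}")
        return ("deny", "implicit default")


INTRANET = "10.0.0.0/24"
ANYWHERE = "0.0.0.0/0"

RULES = [
    Rule("permit", INTRANET, ANYWHERE, "tcp", 80),  # web browsing out
    Rule("permit", INTRANET, ANYWHERE, "udp", 53),  # DNS out
    # everything else, in either direction, falls to the implicit deny
]


def demo() -> dict:
    fw = StatefulFirewall(RULES)
    return {
        "http_out": fw.inspect(("10.0.0.5", 40000, "198.51.100.7", 80, "tcp")),
        "http_reply": fw.inspect(("198.51.100.7", 80, "10.0.0.5", 40000, "tcp")),
        "forged_reply": fw.inspect(("198.51.100.7", 80, "10.0.0.5", 40001, "tcp")),
        "telnet_out": fw.inspect(("10.0.0.5", 40002, "198.51.100.7", 23, "tcp")),
        "unsolicited_in": fw.inspect(("198.51.100.9", 51000, "10.0.0.5", 80, "tcp")),
    }


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:15} {action:7} ({reason})")
```

A production inspection module would also track TCP state (SYN before data, FIN/RST tearing the entry down) and time idle entries out; the flow set here is the minimum needed to show the stateful part of the decision.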
A VPN (Virtual Private Network) physically shares a backbone connection with other data traffic but provides a logically private link, secured by access control and encryption. One of the main reasons for implementing a secure VPN across the Internet is to provide secure and private business data links with good performance at low cost. VPNs are also implemented to give remote and mobile users a low-cost, secure connection to the internal company network over the Internet infrastructure. In order to maintain privacy in a public environment, VPNs use access control and encryption. Internet virtual private networks are the latest evolution of private networks. Internet VPNs establish local dedicated or dial-up Internet connections with a local service provider and rely on that provider to ensure that one's packets are properly routed through the public Internet to the appropriate destination. VPNs are implemented using several different methods. These include PPTP (Point to Point Tunnelling Protocol), L2TP (Layer 2 Tunnelling Protocol), GRE (Generic Routing Encapsulation) with SA (Security Associations), and IPSec. PPTP is a simple Layer 2 VPN. L2TP is used for VPNs that need protocols other than IP. GRE with SA is a simpler configuration for IP-only VPNs. IPSec is a very popular IP-centric solution. SMC Routers allow for PPTP and IPSec VPN pass through.
Over the last few years, several partly standardized methods have been developed that represent the technical basis for today's VPN solutions. Using the OSI layer model, these methods can be divided into two groups, operating on OSI Layer 2 (link layer) and Layer 3 respectively. PPTP (Point-to-Point Tunnelling Protocol) and L2TP (Layer 2 Tunnelling Protocol) are typical examples of the OSI Layer 2 protocols. PPTP is a point-to-point tunnelling protocol which was originally developed for RAS (Remote Access Server) hardware and software (in particular Windows NT). Efforts to combine the technical principles of other manufacturers of router and RAS components with PPTP, and hence to create a wider standard, led to the development of L2TP. As Layer 2 protocols (in accordance with the OSI model), PPTP and L2TP can also be used for multi-protocol applications. IPSec is regarded in many quarters as the most comprehensive VPN technology (for IP networks). The standards relating to IPSec contain comprehensive security functions, serving as methods for authentication and for the administration of “keys” in addition to encryption. Since IPSec is an OSI Layer 3 based protocol, IPSec can only be used in IP networks.
IP version 6 (IPv6) is the next generation of the Internet Protocol, designed as a successor to IP version 4 (IPv4). Many enhancements to the IP protocol suite have been developed over the years to overcome many of the IPv4 limitations and shortcomings. The changes and enhancements from IPv4 can be grouped into the following categories:
- Extended addressing
- Header format optimisation
- Improved flexibility (extensions and options)
- Flow labelling
- Improved multicast and streaming
- Security (authentication and encryption)
- Increased maximum packet size
- Better support for mobile applications and devices
- Improved neighbor discovery protocol, replacing ARP
The extended addressing capabilities in particular solve most of the problems with the restricted address range in IPv4: IPv6 increases the IP address size from 32 bits to 128 bits. Optimised header format: some IPv4 header fields have been removed or made optional to reduce the processing cost of packet handling and to limit IPv6 header overhead. Changes in the way IP header options are encoded allow for more efficient forwarding and greater flexibility for introducing new options. A new capability enables the labelling of packets belonging to particular traffic “flows” for which the sender requests special handling, for example quality of service or real-time services. Besides several performance enhancements compared to IPv4, the maximum packet size has also been increased: IPv6 now offers a “jumbo packets” option allowing payloads of up to 4 billion octets. IPv6 also incorporates major security (authentication and encryption) enhancements. Extensions to support authentication, data integrity and data confidentiality are defined; IPSec (VPN) is an integral part of IPv6. In addition, other protocols such as an improved neighbor discovery protocol (using ICMPv6) to replace ARP have been implemented.
The extended addressing capabilities solve most of the problems with the restricted address range in IPv4. IPv6 increases the IP address size from 32 bits to 128 bits. In IPv6, addresses are not assigned to nodes but to interfaces. Any of a node's interface unicast addresses may be used as an identifier for the node. It is also possible to assign multiple IPv6 addresses to a single interface. In IPv6 there are three types of addresses:
- unicast addresses
- multicast addresses
- anycast addresses
Unicast addresses identify a single interface. Multicast addresses identify a group of interfaces, such that a packet sent to a multicast address is delivered to all of the interfaces in the group. In IPv6 the multicast address replaces the IPv4 broadcast address. The third address type, the anycast address, also identifies a set of interfaces, but a packet sent to such an address is delivered to only one member of the set.
The best example to show the addressing logic in IPv6 is the structure of an IPv6 Global Unicast Address, which is characterized by a Format Prefix of “001”. The Top-Level Aggregation IDentifier (TLA ID) field is typically assigned not to a private organization but to an organization providing a public transit infrastructure. The IANA assigns small blocks of TLA IDs to IPv6 registries. Examples of such registries are IANA (multiregional), RIPE-NCC (Europe), INTERNIC (North America) and APNIC (Asia and Pacific). The Next-Level Aggregation IDentifier (NLA ID) field is used to create an addressing hierarchy and to identify sites or ISPs, respectively. The Site-Level Aggregation IDentifier (SLA ID) field and the subnet identifier are used to create an addressing hierarchy within these sites. The Interface ID identifies a single interface among the interfaces identified by the subnet prefix. The IP standards also introduce a new format for presenting IPv6 addresses. That format splits the address into eight 16-bit parts. Colons separate the parts, which are shown in hexadecimal notation.
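The colon notation and the aggregatable global unicast layout from the slide above, worked through in code. This is an added example, not part of the original slides. The field widths it uses (Format Prefix 3 bits, TLA ID 13, a reserved field of 8, NLA ID 24, SLA ID 16, Interface ID 64) are those defined in RFC 2374 for the format the slide describes, which the slide itself does not list; the sample address 2001:db8::1 is taken from the IPv6 documentation range and is a constructed value. The parser expands a “::” gap, the formatter compresses the longest run of zero groups, and the field splitter pulls the hierarchy levels out of the 128-bit value.

```python
"""IPv6 textual notation and the aggregatable global unicast address fields.

Added example, not part of the original slides. Field widths (FP 3, TLA ID 13,
reserved 8, NLA ID 24, SLA ID 16, Interface ID 64 bits) follow RFC 2374; the
sample address 2001:db8::1 is a constructed documentation address.
"""
from typing import Dict, List


def parse_address(text: str) -> bytes:
    """Expand the colon notation (including at most one '::' gap) to 16 bytes."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        parts = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    return b"".join(int(group, 16).to_bytes(2, "big") for group in parts)


def groups(addr: bytes) -> List[str]:
    """The eight 16-bit parts in hexadecimal, leading zeros dropped."""
    return ["%x" % int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]


def to_text(addr: bytes) -> str:
    """Compressed notation: the longest run of two or more zero groups becomes '::'."""
    g = groups(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if g[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and g[j] == "0":
            j += 1
        if j - i > best_len:  # strictly greater keeps the leftmost run on ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(g)
    return ":".join(g[:best_start]) + "::" + ":".join(g[best_start + best_len:])


def global_unicast_fields(addr: bytes) -> Dict[str, int]:
    """Split a Format Prefix 001 address into its RFC 2374 hierarchy fields."""
    n = int.from_bytes(addr, "big")
    fp = n >> 125                      # top 3 bits
    if fp != 0b001:
        raise ValueError("not an aggregatable global unicast address (format prefix 001)")
    return {
        "FP": fp,
        "TLA ID": (n >> 112) & 0x1FFF,             # 13 bits
        "RES": (n >> 104) & 0xFF,                  # 8 reserved bits
        "NLA ID": (n >> 80) & 0xFFFFFF,            # 24 bits
        "SLA ID": (n >> 64) & 0xFFFF,              # 16 bits
        "Interface ID": n & 0xFFFFFFFFFFFFFFFF,    # low 64 bits
    }


if __name__ == "__main__":
    addr = parse_address("2001:0db8:0000:0000:0000:0000:0000:0001")
    print(":".join(groups(addr)), "->", to_text(addr))
    for name, value in global_unicast_fields(addr).items():
        print(f"{name:13} {value:#x}")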
The optimised header format is one important enhancement in IPv6. Some IPv4 header fields have been removed or made optional to reduce the processing cost of packet handling and to limit IPv6 header overhead. The result is that the IPv6 header is much simpler to process, which reduces the time taken to handle IP headers in hosts and intermediate routers. Changes in the way IP header options are encoded allow for more efficient forwarding and greater flexibility for introducing new extensions and options. The elements (fields) of the IPv6 header in some more detail:
- Version (4 bits) contains the IPv6 version number.
- Traffic Class (8 bits) is the Internet traffic priority delivery value.
- Flow Label (20 bits) is used for specifying special router handling from source to destination(s) for a sequence of packets.
- Payload Length (16 bits) specifies the length of the data in the packet.
- Next Header (8 bits) specifies the next encapsulated protocol. (The values are compatible with the IPv4 protocol field values.)
- Hop Limit (8 bits) replaces the TTL field in the IPv4 header.
- Source address (16 bytes) contains the IPv6 address of the sending node.
- Destination address (16 bytes) contains the IPv6 address of the destination node.
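The fixed 40-byte header listed above, built and parsed field by field, as an added example that is not part of the original slides. The addresses (2001:db8::1 and ::2), the flow label value and the eight-byte stand-in payload are constructed; the Next Header names for 6, 17, 58 and 59 are the IANA protocol numbers that the field shares with the IPv4 protocol field, as the slide notes. The forward() function shows what Hop Limit replacing TTL means in practice: a router decrements it and discards the packet when it would reach zero.

```python
"""Build, parse and forward (Hop Limit decrement) a fixed 40-byte IPv6 header.

Added example, not part of the original slides. Addresses and payload are
constructed sample values.
"""
import ipaddress
import struct
from typing import Dict, Optional

HEADER_LEN = 40
# Version/Traffic Class/Flow Label (32 bits), Payload Length (16), Next Header (8),
# Hop Limit (8), Source (128), Destination (128): 4 + 2 + 1 + 1 + 16 + 16 = 40 bytes
HEADER_FMT = "!IHBB16s16s"
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def build_header(src: str, dst: str, payload_length: int, next_header: int,
                 hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    if not 0 <= traffic_class <= 0xFF:
        raise ValueError("Traffic Class is 8 bits")
    if not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("Flow Label is 20 bits")
    # The first 32-bit word packs Version (4), Traffic Class (8) and Flow Label (20)
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(HEADER_FMT, first_word, payload_length, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_header(packet: bytes) -> Dict[str, object]:
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit, src, dst = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version field is {version})")
    if len(packet) - HEADER_LEN < payload_length:
        raise ValueError("payload shorter than Payload Length claims")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "next_header_name": NEXT_HEADER_NAMES.get(next_header, "unknown"),
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def forward(packet: bytes) -> Optional[bytes]:
    """What a router does with Hop Limit: decrement it, discard when it would reach zero."""
    hop_limit = packet[7]  # Hop Limit is the 8th byte of the header
    if hop_limit <= 1:
        return None  # discarded; a real router would also send ICMPv6 Time Exceeded
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


def demo() -> Dict[str, object]:
    payload = bytes(8)  # constructed eight-byte stand-in for a UDP datagram
    packet = build_header("2001:db8::1", "2001:db8::2", len(payload), 17,
                          hop_limit=64, flow_label=0x12345) + payload
    return {
        "header": parse_header(packet),
        "after_one_hop": parse_header(forward(packet))["hop_limit"],
        "last_hop_dropped": forward(build_header("2001:db8::1", "2001:db8::2", 0, 59, hop_limit=1)) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the header has no checksum and no variable-length option area of its own (options live in extension headers selected by Next Header), a forwarding router only has to touch the Hop Limit byte, which is the processing saving the slide refers to.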
In IPv4, multicast was simulated by broadcasting to all devices in the neighborhood. IPv6 provides multiple groups of multicast addresses so that multicast streams can be pinpointed to the required hosts and only those hosts. Improved multicast methods mean that applications such as video and audio streaming, online gaming and Internet telephony will expand and prosper with IPv6. Besides multicast addressing and protocols, quality of service features and functions are also implemented in IPv6. One new capability enables the labelling of packets belonging to particular traffic “flows” for which the sender requests special handling. The IPv6 header also contains traffic class information. This makes it possible to support quality of service or real-time services for various applications.
In IPv4, the only way to implement secure communications such as IPsec-based VPNs has been to terminate the IPSec tunnels at a firewall and decrypt the packet before passing it in the clear to the host over the local network. IPv6 also incorporates major security (authentication and encryption) enhancements. Extensions to support authentication, data integrity and data confidentiality are defined. IPSec (VPN) is an integral part of IPv6, which provides true end-to-end secure communication and will enable new security mechanisms to prevent spoofing, interception and tampering with IP packet data.
As more 3G mobile networks and other wireless networks are deployed, the opportunities to use mobile phones, PDAs and many other embedded systems as true data communication devices will increase. Each mobile device also requires multiple addresses as it moves between cells and base stations. In IPv4 the technology to implement true mobile and transport-media-independent solutions is called Mobile IP. IP mobility allows packets sent to a home address to be delivered to the mobile node. In addition, Mobile IP can hide any address changes from the transport and application layers, enabling the mobile device to move without interruption between different access networks using different access technologies. IP mobility is a part of the IPv6 standards and therefore includes built-in features which allow IP addresses to change as a mobile user moves between base stations, which can reconfigure and reassign IP addresses. Mobile IPv4 and Mobile IPv6 protocols are based on similar concepts, but the implementations are different. In Mobile IPv6, each mobile node is identified by a static home address, independent of where and how it is connected to the Internet. The home address is known by the Home Agent (HA) router in the home network of the mobile node. When the mobile node is connected to a new link, it is addressable by a “care-of address” in addition to its home address. It is the care-of address that holds information about the mobile node's current location.
Most network migrations are accomplished by shutting down the network, upgrading or replacing the network devices to use the new protocol and then turning the network back on. But with the Internet, as in enterprise networks, this is just not possible or desirable. The huge investment in IPv4-based devices, including routers and hosts, means that simply flipping the protocol version over is not a viable option. IPv6 migration will take years to complete; in reality it may never be completed, as many IPv4 devices will never migrate. To make the transition as smooth as possible and allow coexistence of the two protocol versions, several technology approaches have been developed and recommended:
- Dual stack / dual layer
- Tunnelling
- Translating IPv4/IPv6
In order to participate in both an existing IPv4 and a newer IPv6 network, a host must support both protocol stacks in its operating system. This may be done using a dual stack or a dual layer approach, as shown in the figure above. Although from the network's point of view the two approaches are similar, they differ in their implementation: the dual stack solution implements a second, parallel transport layer, whereas the dual layer approach does not. Most current operating systems support one of these methods. For instance, Microsoft Windows XP and Server 2003 support the dual stack approach, while Sun Solaris, HP Tru64 UNIX and most Linux implementations support a dual layer integrated stack.
Currently there is only a very small number of islands of IPv6-capable devices attached to the Internet. To communicate with each other, the IPv6 traffic is normally carried over the IPv4 network using tunnelling techniques. At the other end, the tunnel device de-encapsulates the IPv6 packet and delivers it to the local IPv6 host, as shown in the figure. There are various methods for tunnelling IPv6 data over an IPv4 network. These depend on the type of traffic being tunnelled and the configuration of the host/router network. The main tunnelling techniques are:
- 6to4 is a router-to-router tunnelling technology that provides automatic address assignment and connectivity between IPv6 sites and hosts across an IPv4 Internet.
- ISATAP is designed for campus environments and supports automatic tunnelling between IPv6 hosts that do not have a direct connection to an IPv6-capable router across an IPv4 intranet.
- Teredo uses UDP datagrams to encapsulate IPv6 traffic over an IPv4 Internet. It is designed to punch holes through existing IPv4 NAT devices and is especially suited to consumer applications such as multi-player gaming.
Translators, on the other hand, can be seen as an intermediate component between a native IPv4 system (interface) and a native IPv6 system (interface). They are designed to enable direct communication between such systems by performing header translation, without the necessity of any modifications at the hosts. Although this approach is completely transparent, it will very probably only be used to incorporate remaining IPv4 systems into IPv6 networks.
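The 6to4 case from the list above, worked through end to end as an added example that is not part of the original slides. What the slide does not spell out, and the code relies on, is how 6to4 achieves “automatic address assignment”: a site whose IPv4 address is W.X.Y.Z owns the IPv6 prefix 2002:WWXX:YYZZ::/48 (RFC 3056), so the sending 6to4 router can read the IPv4 tunnel destination straight out of the IPv6 destination address and wrap the packet in an IPv4 header with protocol number 41. The two site addresses 192.0.2.1 and 198.51.100.1 come from the IPv4 documentation ranges and the packet contents are constructed. The receiving side performs the consistency check RFC 3964 recommends for traffic from other 6to4 routers: the IPv4 address embedded in the inner IPv6 source must match the outer IPv4 source, otherwise the packet is discarded. Relay routers for traffic to or from native IPv6 are out of scope here.

```python
"""6to4: derive the site prefix, encapsulate IPv6 in IPv4 (protocol 41), decapsulate.

Added example, not part of the original slides. 2002::/16 is the 6to4 prefix
(RFC 3056); the IPv4 addresses 192.0.2.1 and 198.51.100.1 and all packet
contents are constructed sample values.
"""
import ipaddress
import struct

SIXTOFOUR_PREFIX = 0x2002   # the first 16 bits of every 6to4 address
IPPROTO_IPV6 = 41           # IPv4 Protocol field value for an encapsulated IPv6 packet
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, DSCP, length, id, flags/offset, TTL, proto, checksum, src, dst


def six_to_four_prefix(ipv4: str) -> str:
    """The /48 a site gets automatically: 2002:WWXX:YYZZ::/48 from W.X.Y.Z."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(((SIXTOFOUR_PREFIX << 112) | (v4 << 80), 48)))


def embedded_ipv4(ipv6: str) -> str:
    """Recover the site's IPv4 address from bits 16..47 of a 6to4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if (int(addr) >> 112) != SIXTOFOUR_PREFIX:
        raise ValueError("not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 over a header whose checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 17) -> bytes:
    """Minimal fixed IPv6 header (version 6, hop limit 64) in front of a payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(ipv6_packet: bytes, tunnel_src_v4: str) -> bytes:
    """Sending 6to4 router: the IPv4 destination is read out of the IPv6 destination."""
    dst6 = str(ipaddress.IPv6Address(ipv6_packet[24:40]))
    dst4 = embedded_ipv4(dst6)  # a non-6to4 destination would need a relay router instead
    fields = [0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, 64, IPPROTO_IPV6, 0,  # DF set, checksum 0 for now
              ipaddress.IPv4Address(tunnel_src_v4).packed, ipaddress.IPv4Address(dst4).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + ipv6_packet


def decapsulate(ipv4_packet: bytes) -> bytes:
    """Receiving 6to4 router: strip the IPv4 header after sanity checks."""
    version, ihl = ipv4_packet[0] >> 4, (ipv4_packet[0] & 0x0F) * 4
    if version != 4 or ipv4_packet[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if ipv4_checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    inner = ipv4_packet[ihl:]
    # RFC 3964 consistency check: the IPv4 address embedded in the inner IPv6 source
    # must equal the outer IPv4 source, otherwise the packet is not from the site it claims
    outer_src = str(ipaddress.IPv4Address(ipv4_packet[12:16]))
    if embedded_ipv4(str(ipaddress.IPv6Address(inner[8:24]))) != outer_src:
        raise ValueError("inner source does not match the tunnel source; discarded")
    return inner


def demo() -> dict:
    site_a_v4, site_b_v4 = "192.0.2.1", "198.51.100.1"
    src6 = six_to_four_prefix(site_a_v4).replace("::/48", "::1")  # host 1 in site A's first subnet
    dst6 = six_to_four_prefix(site_b_v4).replace("::/48", "::1")
    inner = make_ipv6_packet(src6, dst6, b"constructed payload")
    outer = encapsulate(inner, site_a_v4)
    return {
        "site_a_prefix": six_to_four_prefix(site_a_v4),
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "outer_proto": outer[9],
        "roundtrip_ok": decapsulate(outer) == inner,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

The same encapsulation (protocol 41 inside IPv4) underlies ISATAP; Teredo differs in adding a UDP header so that the packets survive the IPv4 NAT devices the slide mentions.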