IP LayerMichael Tsai
2017/04/10

ptg

IPv4 and IPv6 451

IP N

etw

orki

ng

Exhibit A TCP/IP layering model

IPv4 and IPv6The version of TCP/IP that has been in widespread use for three decades is proto-col revision 4, aka IPv4. It uses four-byte IP addresses. A modernized version, IPv6, expands the IP address space to 16 bytes and incorporates several other les-sons learned from the use of IPv4. It removes several features of IP that experi-ence has shown to be of little value, making the protocol potentially faster and easier to implement. IPv6 also integrates security and authentication into the ba-sic protocol.

All modern operating systems and many network devices already support IPv6. However, active use of IPv6 remains essentially zero in the real world.3 Experience suggests that it’s probably best for administrators to defer production use of IPv6 to the extent that this is possible. Everyone will eventually be forced to switch to IPv6, but as of 2010 that day is still years away. At the same time, the transition is not so far in the future that you can ignore it when purchasing new network de-vices. Insist on IPv6 compatibility for new acquisitions.

The development of IPv6 was to a large extent motivated by the concern that we are running out of 4-byte IPv4 address space. And indeed we are: projections in-dicate that the current IPv4 allocation system will collapse some time around 2011. (See ipv4.potaroo.net for a daily update.) Even so, mainstream adoption of IPv6 throughout the Internet is probably still not in the cards anytime soon.

More likely, another round of stopgap measures on the part of ISPs and ICANN (or more specifically, its subsidiary IANA, the Internet Assigned Numbers Au-thority) will extend the dominance of IPv4 for another few years. We expect to see wider use of IPv6 on the Internet backbone, but outside of large ISPs, academic sites involved in Internet research, and universal providers such as Google, our

APPLICATION

TRANSPORT

NETWORK

LINK

PHYSICAL

LAYER

LAYER

LAYER

LAYER

LAYER

IP ICMP

ARP, device drivers

Copper, optical fiber, radio waves

UDPTCP

DNS, Halo 3 tracerouteSSH, FTP, HTTParp

3. A Google study presented at RIPE 57 in October 2008 indicated that overall IPv6 penetration (actual use, not capability) was 0.24%. No country had IPv6 penetration greater than 0.76%.

IP (Network layer) 的主要功能

1. Forwarding: Router通常有多個interface (網卡)。把packet從來來源的interface移到⽬目的地⽅方向的interface並發送出去叫做forwarding。

! ⼀一般client並不會開啟此⼀一功能!2. Routing: 找出往⽬目的地⽅方向的⼀一條路路徑。通常由

routing algorithms/protocol決定。

! 因為系上通常到特定的⽬目的地都只有⼀一條路路徑，我們網管的⼯工作通常只會接觸到第⼀一部分。

IP封包的格式(v4) 表⽰示是否需要特殊處理理(如即時的影像或聲⾳音)

v4 or v6

⽤用來來處理理
fragmentation 
(想想MTU)

最多可以經過
幾台機器(router)

Transport layer使⽤用的協定
(通常為TCP or UDP)

Where is IP packet?

PreambleStart of frame

delimiter

MAC destination

MAC source

Length (IEEE 802.

3)

802.1Q tag (optional) Payload

Frame check

sequence(32‑bit CRC)

7 octets 1 octet 6 octets 6 octets 2 octets (4 octets) 42–1500 octets 4 octets

Ethernet Frame

IP Packet is in 
Ethernet’s payload!

Typical Internet Packet

ptg

Maximum transfer unit 453

IP N

etw

orki

ng

Exhibit B A typical network packet4

Ethernet framingOne of the main chores of the link layer is to add headers to packets and to put separators between them. The headers contain each packet’s link-layer addressing information and checksums, and the separators ensure that receivers can tell where one packet stops and the next one begins. The process of adding these extra bits is known generically as framing.

The link layer is actually divided into two parts: MAC, the Media Access Control sublayer, and LLC, the Link Layer Control sublayer. The MAC layer deals with the media and transmits packets onto the wire. The LLC layer handles the framing.

Today, a single standard for Ethernet framing is in common use: DIX Ethernet II. Historically, several slightly different standards based on IEEE 802.2 were also used, especially on Novell networks.

Maximum transfer unitThe size of packets on a network may be limited both by hardware specifications and by protocol conventions. For example, the payload of a standard Ethernet frame is traditionally 1,500 bytes. The size limit is associated with the link-layer protocol and is called the maximum transfer unit or MTU. Table 14.1 shows some typical values for the MTU.

4. For specificity, RFCs that describe protocols often use the term “octet” instead of “byte.”

Ethernet frame (146 bytes)

Ethernet header

IPv4 header

UDP header Application data

14 bytes 20 bytes 8 bytes

Ethernet CRC

4 bytes100 bytes

IPv4 packet (128 bytes)

UDP packet (108 bytes)

Table 14.1 MTUs for various types of network

Network type Maximum transfer unitEthernet 1,500 bytes (1,492 with 802.2 framing)a

FDDI 4,470 bytes (4,352 for IP/FDDI)Token ring Configurable b

PPP modem link Configurable, often 512 or 576 bytes Point-to-point WAN links (T1, T3) Configurable, often 1,500 or 4,500 bytes

a. See page 541 for some comments on “jumbo” Ethernet packets.b. Common values are 552; 1,064; 2,088; 4,508; and 8,232. Sometimes 1,500 to match Ethernet.

IP Address (v4)• AAA.BBB.CCC.DDD (4 bytes) = ? # total hosts

• Network + host address —> same network address == same network (subnet)

Class 1st byte Format Comments

A 1-127 N.H.H.H Very early networks

B 128-191 N.N.H.H Large sites 
(hard to get)

C 192-223 N.N.N.H Easy to get
(often obtained in sets)

D 224-239 - Multicast addresses

E 240-255 - Experimental addresses

Historical Internet Classes (no mask)

But this is inefficient

• Most networks only have ~100 hosts

• Class A & B addresses are wasted

• Thus we need to find a way to further split the networks! (subnetting)

Netmask• Netmask == 


32-bit number with leading 1’s + trailing 0’s

• Digits mapped to 1’s —> network address
Digits mapped to 0’s —> host address

• Expressed as (a) 0xffffffc0 or (b) 255.255.255.192

ptg

Tricks and tools for subnet arithmetic 459

IP N

etw

orki

ng

Exhibit C Netmask base conversion

A /26 network has 6 bits left (32 – 26 = 6) to number hosts. 26 is 64, so the network has 64 potential host addresses. However, it can only accommodate 62 actual hosts because the all-0 and all-1 host addresses are reserved (they are the network and broadcast addresses, respectively).

In our 128.138.243.0/26 example, the extra two bits of network address obtained by subnetting can take on the values 00, 01, 10, and 11. The 128.138.243.0/24 net-work has thus been divided into four /26 networks:

• 128.138.243.0/26 (0 in decimal is 00000000 in binary)• 128.138.243.64/26 (64 in decimal is 01000000 in binary)• 128.138.243.128/26 (128 in decimal is 10000000 in binary)• 128.138.243.192/26 (192 in decimal is 11000000 in binary)

The boldfaced bits of the last byte of each address are the bits that belong to the network portion of that byte.

Tricks and tools for subnet arithmeticIt’s confusing to do all this bit twiddling in your head, but some tricks can make it simpler. The number of hosts per network and the value of the last byte in the netmask always add up to 256:

last netmask byte = 256 – net size

For example, 256 – 64 = 192, which is the final byte of the netmask in the preced-ing example. Another arithmetic fact is that the last byte of an actual network address (as opposed to a netmask) must be evenly divisible by the number of hosts per network. We see this fact in action in the 128.138.243.0/26 example, where the last bytes of the networks are 0, 64, 128, and 192—all divisible by 64.7

Given an IP address (say, 128.138.243.100), we cannot tell without the associated netmask what the network address and broadcast address will be. Table 14.3 on the next page shows the possibilities for /16 (the default for a class B address), /24 (a plausible value), and /26 (a reasonable value for a small network).

The network address and broadcast address steal two hosts from each network, so it would seem that the smallest meaningful network would have four possible

IP address

Decimal netmask Hex netmask Binary netmask

128 138 243 0

255 f f

1111 1111

255 f f

1111 1111

255 f f

1111 1111

192 c 0

1100 0000

. . .

.

.

.

.

.

.

.

.

.

7. Of course, 0 counts as being divisible by any number…

Two Special Addresses

• Network address 
= “network address” + “host address = 0”

• Broadcast address
= “network address” + “host address = all 1’s”

Setting Interface Address• ifconfig -a —> display all interfaces

• ifconfig eth0 192.168.25.1 netmask 255.255.255.0 
—> set the IP and netmask of an interface

• ifconfig eth0 up 
—> enable the interface

• ifconfig eth0 media auto 
—> set the media type to auto-sense

Why do we need to know the “network address”?

• Answer: we need to know if the destination host can be reached directly (in the same network).

• How? Q: is the network address the same?

• Question: what if it is not on the same newtwork?

• Answer: we ask a host to relay for us.

• Question: but, which host? 
(it has to be on the same network)

系上防火牆的Routing table (部分)

Routing Table:192.168.48.0 255.255.248.0 192.168.55.254192.168.219.0 255.255.255.0 192.168.219.254140.112.28.0 255.255.252.0 140.112.30.2540.0.0.0 0.0.0.0 140.112.x.x

140.112.28.0/ 
255.255.252.0

140.112.30.254

192.168.55.254

192.168.48.0/ 
255.255.248.0

192.168.219.0/ 
255.255.255.0

192.168.219.254

How to represent 
a group of destination hosts?• CIDR == Classless Inter-Domain Routing

• Borrowing the netmask idea: 
IPs from192.144.0.0 to 192.144.7.0, 
we can say 192.144.0.0/21 (21==255.255.248.0)

• Any IP address falls in that “network” 
(though might not be a real network), can be represented by that CIDR

Private IP• Private IP


==IPs that are not globally allocated to anyone

IP Class From To CIDR range

Class A 10.0.0.0 10.255.255.255 10.0.0.0/8

Class B 172.16.0.0 172.31.255.255 172.16.0.0/12

Class C 192.168.0.0 192.168.255.255 192.168.0.0/16

In-class exercise• Install “ipcalc” on your VM or the platform of your

choice. Learn how to use it.

• Suppose you would like to allocate some private IPs for a sub-network with around 20 hosts. Give the network address and the net mask such that it is not “oversized”.

• Paste the output of ipcalc for that network address.

NAT (Network Address Translation)

⾨門牌: 140.112.91.208

只有⼀一塊⾨門牌發給我們，怎麼辦呢?

⾺馬撒起

菜瓜布

凱莉

⼩小⼩小郭

內部⽤用: 192.168.0.2

內部⽤用: 192.168.0.3

內部⽤用: 192.168.0.4

內部⽤用: 192.168.0.5

內部⽤用⾨門牌:192.168.0.254

Src: 192.168.0.2Dest: 8.8.8.8

Src: 140.112.91.208Dest: 8.8.8.8

對照表:• 菜瓜布有連到8.8.8.8• 要找助教請轉到192.168.0.4

Src: 8.8.8.8Dest: 140.112.91.208

Src: 8.8.8.8Dest: 192.168.0.2

Routing Table• netstat -nr (不看hostname) or 


netstat -r (看hostname)

• route add default gw 140.112.30.254 
—> all traffic not to local subnets goes to the gw

• route add -net 132.236.220.64 netmask 255.255.255.192 
—> all traffic that has destination address with the described network address goes to 132.236.220.64

ICMP (Internet Control Message Protocol)! ⼀一些管理理⽤用的訊息，⽤用來來通知client關於網路路的狀狀況。! 常⽤用的⽤用途:

1. 通知client此路路不通。(Destination network/host/protocol/port unreachable or unknown)

2. Ping使⽤用的echo request & reply

3. TTL expire (⽤用來來偵測或預防路路徑中的loop或是traceroute使⽤用)

Firewall

⾺馬撒起

菜瓜布

凱莉

⼩小⼩小郭

Bit Torrent 封包

Firewall 規則表:1. 如果是⼩小⼩小郭的封包，直接丟掉

2. 如果是Bit Torrent 封包，直接丟掉

3. 如果是去以下IP address的封包(x.x.x.x, y.y.y.y, z.z.z.z)直接丟掉

4. 剩下的可以過

DNS (Domain Name Service) ! ⼀一⾔言以蔽之: 將名稱轉為IP的服務! 常⾒見見的轉換種類:! Domain name -> IP (type A): 


ntucsv.csie.ntu.edu.tw -> 140.112.30.28! @domainname的mail server (type MX):


csie.ntu.edu.tw -> ms.csie.ntu.edu.tw! Domain name -> domain name (type CNAME):


www.csie.ntu.edu.tw -> ntucsv.csie.ntu.edu.tw! IP -> domain name (type PTR)


140.112.30.21 -> csman.csie.ntu.edu.tw! 可以多重宣告: 增加可靠度或分散性.! 例例如www.google.com的A指到了了6個IP!

http://www.google.com

分散式的架構: 分層負責 (recursive query)

csman.csie.ntu.edu.tw(Local DNS的⾓角⾊色)

Your Machine

IP of www.ntu.edu.tw?

Root DNS

.tw NS(Top-level Domain 


DNS server)

.edu.tw(Authoritative DNS Server)

.ntu.edu.tw(Authoritative DNS)

我不負責主管ntu.edu.tw請問負責.tw的機器

我負責主管ntu.edu.twwww.ntu.edu.tw=x.x.x.x

DNS的細節

! 如果local DNS本⾝身主管被查詢的domain，則可以直接回覆。! 例例如140.112.30.21如果被查詢www.csie.ntu.edu.tw

! Local DNS可以暫存之前查詢過的結果。! 主要⽤用來來減輕主管DNS server及網路路的負擔。! 每筆在主管DNS server上的紀錄都有對應的TTL值，規範可以被占存多久。

/etc/resolv.confnameserver 140.112.30.21

nameserver 140.112.254.4

nameserver 140.112.2.2

search csie.ntu.edu.tw

• search 
—> resolve incomplete names (linux1 —> linux1.csie.ntu.edu.tw)

• nameserver —> specify the address of the DNS server

http://csie.ntu.edu.twhttp://linux1.csie.ntu.edu.tw

DNS延伸閱讀• Top 10 DNS attacks: 


http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide1

• Distributed Reflection DoS attack

• Cache poisoning / DNS hijacking (sol: DNSSEC)

• TCP SYN floods

http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide1http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide1http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide1

常⽤用DNS指令• Examples:

• dig @8.8.8.8 -t MX csie.ntu.edu.tw

• dig @140.112.30.21 www.csie.ntu.edu.tw

http://csie.ntu.edu.twhttp://www.csie.ntu.edu.tw

In-Class Exercise

• 找出linux1到www.nasa.gov經過了了哪些機器(domain name可) keyword: mtr, traceroute

• 找出csie.ntu.edu.tw和ntu.edu.tw的mail server們(SMTP)的IP是什什麼

延伸閱讀

• 前講師(⼩小⼩小郭)的線上投影片:
http://xdlab.org/~math120908/slides/nettool.html#/introduction-to-network-tools

http://xdlab.org/~math120908/slides/nettool.html#/introduction-to-network-toolshttp://xdlab.org/~math120908/slides/nettool.html#/introduction-to-network-tools