IP: putting it all together, Part 2 (G53ACC, Chris Greenhalgh)

Contents
• Fragmentation
• Error reporting (ICMP)
• Auto-configuration
• Network Address Translation

Fragmentation
• IP allows datagram sizes up to 64 Kbytes
• Physical networks often only support smaller frame types (Maximum Transmission Unit, MTU):
  • E.g. Ethernet 1500 bytes, dialup PPP ~256 bytes
• A single IP datagram may need to be divided into “fragments” for transmission…

IP fragmentation
• Each fragment is a (new) IP packet
  • Has IP header, original source & destination
  • Identification field same for each fragment
  • Fragment offset identifies which part of the original datagram the fragment carries
  • “More Fragments” flag set in all but the last fragment

Fragmenting packets
• May be done by the sending host
• May be done by an intermediate router:
  • May be prevented with the IP “Do not fragment” flag
  • ICMP “fragmentation required” response if a router would have needed to fragment it
  • Used by TCP to learn the path MTU and avoid fragmentation

Reassembling fragments
• Done ONLY by the ultimate destination of the packet
  • After checking header checksum and destination, but before any more processing
• Maintains a pool of fragments
  • Discarded after a time-out
• If all fragments of a datagram are received, the datagram is reassembled and handled as before

Fragmentation and reassembly issues
• Lose one segment and you lose the whole message
  • Bad if segment loss is likely or the number of segments is large
• E.g. NFS v.2 used UDP, v.3 uses TCP
  • because block size 8K -> 32K
  • many more segments! => higher effective packet loss rate with UDP and more wasted bandwidth
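The fragmentation and reassembly rules above, worked through in code. This is an added example, not material from the lecture slides: the Fragment class is a constructed stand-in for the IPv4 header fields involved, a 20-byte option-free IP header is assumed, and the pool is keyed by Identification alone (a real stack also keys on source, destination and protocol). The time-out shows why losing one fragment loses the whole datagram.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_HEADER_LEN = 20  # bytes: IPv4 header without options (assumed for the example)

@dataclass
class Fragment:
    """Constructed stand-in for the IPv4 header fields that fragmentation uses."""
    ident: int      # Identification: the same for every fragment of one datagram
    offset: int     # Fragment Offset, in 8-byte units as carried on the wire
    more: bool      # "More Fragments" flag: set on all but the last fragment
    payload: bytes

def fragment(ident: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Split a datagram's payload so each fragment packet fits in `mtu` bytes.
    Every fragment carries a full IP header; all but the last carry a multiple
    of 8 bytes, because the offset field counts 8-byte blocks."""
    max_payload = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for start in range(0, len(payload), max_payload):
        chunk = payload[start:start + max_payload]
        more = start + len(chunk) < len(payload)
        frags.append(Fragment(ident, start // 8, more, chunk))
    return frags

class Reassembler:
    """Destination-side fragment pool. An entry that stays incomplete for more
    than `timeout` ticks is discarded: one lost fragment loses the datagram."""
    def __init__(self, timeout: int = 3):
        self.timeout = timeout
        # ident -> (byte offset -> payload, total length once known, last arrival)
        self.pool: Dict[int, Tuple[Dict[int, bytes], Optional[int], int]] = {}

    def add(self, frag: Fragment, now: int) -> Optional[bytes]:
        for key in [k for k, v in self.pool.items() if now - v[2] > self.timeout]:
            del self.pool[key]  # time-out: drop stale partial datagrams
        parts, total, _ = self.pool.get(frag.ident, ({}, None, now))
        parts[frag.offset * 8] = frag.payload
        if not frag.more:  # the last fragment tells us the total length
            total = frag.offset * 8 + len(frag.payload)
        self.pool[frag.ident] = (parts, total, now)
        if total is None:
            return None
        pos, out = 0, bytearray()
        while pos < total:
            chunk = parts.get(pos)
            if chunk is None:
                return None  # gap: a fragment is still in flight or was lost
            out += chunk
            pos += len(chunk)
        del self.pool[frag.ident]
        return bytes(out)
```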
Error reporting
• IP includes the Internet Control Message Protocol (ICMP), RFC 792
• ICMP messages are sent in IP packets
  • (i.e. same protocol level as UDP or TCP)
  • IP protocol number 2
• Not seen by applications: between host or router OSs only
• Error messages
• Informational messages (mostly superseded by DHCP)
• NOTE: some may be dropped by firewalls to avoid possible attacks, e.g. denial of service (but this makes diagnosis of problems harder)

ICMP error messages (i)
• Source Quench
  • router to host: please slow down (buffer overflow)
• Time exceeded
  • datagram discarded due to TTL=0 or lost fragment
  • can be used to trace a route by gradually increasing TTL and seeing which router it gets to before timing out
  • See commands: tracert (Windows), traceroute (Unix)

ICMP error messages (ii)
• Destination unreachable
  • datagram discarded by router because host or network not reachable
  • datagram discarded by host because UDP/TCP port not in use
• Redirect
  • datagram sent to wrong next hop (gives alternative)
• Fragmentation required
  • if fragmentation not allowed but necessary
  • can be used to determine path MTU (maximum transmission unit)

ICMP informational messages
• Echo Request/Reply
  • ICMP software sends a Reply when it receives a Request
  • test that a computer is accessible (e.g. ping)
• Address mask request/reply
  • allows a host on booting to query the local router for the netmask (see DHCP, later)
• Gateway discovery
  • allows a host on booting to find the default router (see DHCP)

Auto-configuration: low-level
• ICMP address mask request/reply
  • => netmask
• Reverse ARP (RARP), RFC 903
  • send Ethernet address and a server returns your IP address
• ICMP gateway discovery
  • => default route

Auto-configuration: higher-level (i)
• Bootstrap Protocol (BOOTP), RFC 951 and RFC 1542
  • single BOOTP request
  • BOOTP server replies with IP address, router IP address, server information
  • requires server configuration for each machine

Auto-configuration: higher-level (ii)
• Dynamic Host Configuration Protocol (DHCP), RFC 1541
  • conceptually an extension of BOOTP
  • server can maintain a pool of IP addresses
  • no configuration for a new machine
  • but IP address (and therefore domain names) may change each time a machine is booted

Network Address Translation: motivations
• IP requires every machine to have a unique IP address
• But there are not enough IPv4 addresses to go round, so…
  • Allow sites to have their own internal private addresses
  • And share just a few global IP addresses between all of their machines

Network Address Translation
• NAT device at the boundary between private network and Internet
• translates to and from internal private addresses…

Simple NAT
• Maps between an internal private IP address and an external global IP address
  • E.g. for a server machine
• NAT device is configured (by hand?!) with the address mapping
• Re-writes IP packet headers when forwarding:

Network Address and Port Translation (NAPT)
• Allows a single external IP to be shared by many private IPs
• By changing port numbers as well as IP addresses:

Configuring NAPT
• Can be statically configured
  • E.g. for a web server
  • External IP, port 80 -> Internal server IP, port 80
• Can be dynamically configured by outgoing connections/packets
  • For normal clients, e.g. accessing external servers…
• NB. Does NOT allow external hosts to initiate connections to internal hosts (good security)

NAPT dynamic configuration example
• Internal IP IA, port PA sends a packet to external IP IB, port PB…
  • IP header has the IPs, UDP/TCP header has the ports
• NAT device sees the outgoing packet
• Chooses a currently unused port number PC
  • for its own global IP address, IC
• Creates a new translation mapping
  • IA, PA -> IC, PC (leaves external IP/port unchanged)
• Discards the mapping if unused for some time (configurable)
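The static (web server on port 80) and dynamic (IA, PA -> IC, PC) NAPT configurations from the two slides above, as one translation table. This is an added example, not code from the lecture: Packet is a constructed stand-in for the IP and UDP/TCP header fields NAPT rewrites, the addresses used in the comments are documentation-range values chosen for illustration, and the first dynamic port and idle timeout are arbitrary parameters. The inbound path shows why an external host cannot initiate a connection: with no existing mapping the packet is simply dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP/TCP port)

@dataclass
class Packet:
    """Constructed stand-in for the header fields NAPT rewrites."""
    src: Endpoint
    dst: Endpoint

class NAPT:
    """NAPT device owning one global address IC. Outbound packets from private
    (IA, PA) get a currently unused external port PC; inbound packets are
    translated back only if (IC, PC) is already mapped, otherwise dropped."""
    def __init__(self, external_ip: str, idle_timeout: int = 60, first_port: int = 40000):
        self.ext_ip, self.idle_timeout, self.next_port = external_ip, idle_timeout, first_port
        self.out: Dict[Endpoint, Tuple[int, int]] = {}  # (IA, PA) -> (PC, last used)
        self.back: Dict[int, Endpoint] = {}              # PC -> (IA, PA)
        self.static: Set[int] = set()                    # PCs that never expire

    def add_static(self, inside: Endpoint, external_port: int) -> None:
        # E.g. external port 80 -> internal web server, port 80 (configured by hand)
        self.out[inside] = (external_port, 0)
        self.back[external_port] = inside
        self.static.add(external_port)

    def _expire(self, now: int) -> None:
        # Discard dynamic mappings unused for longer than the idle timeout.
        for inside, (pc, last) in list(self.out.items()):
            if pc not in self.static and now - last > self.idle_timeout:
                del self.out[inside]
                del self.back[pc]

    def outbound(self, pkt: Packet, now: int) -> Packet:
        """Private -> Internet: create a mapping on first use, rewrite the source."""
        self._expire(now)
        if pkt.src in self.out:
            pc = self.out[pkt.src][0]
        else:
            while self.next_port in self.back:  # choose a currently unused port
                self.next_port += 1
            pc, self.next_port = self.next_port, self.next_port + 1
            self.back[pc] = pkt.src
        self.out[pkt.src] = (pc, now)
        return Packet(src=(self.ext_ip, pc), dst=pkt.dst)

    def inbound(self, pkt: Packet, now: int) -> Optional[Packet]:
        """Internet -> private: translate back, or None (drop) if nothing mapped it."""
        self._expire(now)
        inside = self.back.get(pkt.dst[1]) if pkt.dst[0] == self.ext_ip else None
        if inside is None:
            return None  # unsolicited packet from outside: no mapping, dropped
        self.out[inside] = (pkt.dst[1], now)
        return Packet(src=pkt.src, dst=inside)
```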
NAT/NAPT deployment
• Most ISPs
  • Hence the need to apply specifically for “static” (globally routable) IP addresses
• Many home/small office firewalls and broadband routers

Additional NAT/NAPT issues
• Internet server sees the NAT device’s IP address and translated port number (if NAPT)
• Private network client only knows its private IP address and local port
• Client IP address not transferable (correct or useful) outside the NAT device
  • E.g. RMI references passed from client to server will contain the private IP and so won’t work for the server
• The client and server will disagree about what they consider the client’s IP address to be (security issue?!)