TCP/IP Networking Topics: What are all those fields in the TCP/IP Preference Pane for? How do computers on the internet communicate with each other?
IP Address:
A unique number that makes your machine addressable on the internet, separated into 4 ‘octets’. This address must be unique, similar to the fact that there can’t be two cell phones with the same phone number. With a small exception…
Un-route-able IP Addresses:
There are three commonly used sets of IP addresses (called subnets) which are what is called ‘un-route-able’. These are addresses in the 192.168.x.y, 172.x.y.z and 10.x.y.z ranges. Any packets addressed to these address ranges are dropped by routers on the internet. As far as these routers are concerned, ‘you can’t get there from here’.
These unroutable subnets are often used for networks that will never be connected to the actual internet (or won’t need to talk to the internet) and more recently for Network Address Translation (NAT, a.k.a IP Masquerading). With NAT you can use a single IP address from a provider and share it with up to 254 different machines on your local network.
Network Address Translation:
To understand NAT, one needs to understand a little about IP addressing and network packets. As I mentioned above, each machine on the internet has a unique address. To tell a machine which software program needs to receive an HTTP packet vs. a POP mail packet, there is an additional IP Port number assigned to every packet. The Port number tells a machine which type of packet is being received and what to do with it. A few common ports are:
web/http uses port 80
POP mail uses port 110
FTP uses port 20 and 21
etc.
Every network packet has:
1. a source IP address (“this packet is from…”),
2. a destination address (“this packet goes to…”),
3. a port number (“Upon arrival at the destination, this packet goes to X software on that machine…”) and
4. some data (the contents of an email or a web page).
NAT Example:
I’ll illustrate how NAT uses IP Ports by looking at how an actual web surfing session works. NAT works by using a router (such as the Netopia, LinkSys, xRouter, AirPort base station or other NAT router) to act as a proxy which adds unique Port numbers to every packet it forwards to the internet on behalf of a machine on the local network.
For example, when a user wants to see a web page, his/her machine sends its outbound packets, requesting the web page, to the NAT router (I’ll discuss the Router or Gateway field in the IP control panel below). The router then generates a packet with its IP address as the source and ‘marks’ the outgoing packet(s) by adding a unique Port number to the packet. The router then sends the packet to the web server across the internet. When the packet hits the destination (the web site), the web server thinks the packet was originally sent from a specific Port (i.e. software process) and therefore any packets it sends in reply (the html page) go back to the NAT router’s IP address with the same Port number. The smarty-pants NAT router keeps a table of which port numbers it added to which machine’s packets when it forwarded them on to the internet. Upon receipt of a packet, the NAT router looks at the port number, checks its table and forwards it to the right machine on the network. Voilà! The user gets their web page!
As you can see in the example above, there is only one ‘real’ IP address needed (the NAT router). All the other machines can use non-route-able IP addresses. NAT is also a good way to use fewer IP addresses. In a world where the internet address space is growing limited, this can be a good thing.
Knowing how NAT works explains why it acts as a fairly decent firewall. Only inbound packets with an exactly matching port number sent to the IP address of the router will be forwarded to a machine on your network. In practice, only reply packets are accepted back into the network. Everything else is dropped by the router and never reaches anything inside the network. Because of this, machines behind a NAT firewall are virtually inaccessible from the internet (unless you do something called port-mapping as discussed below).
OK, now on to the other fields in the IP control panel.
Subnet Mask:
To make a machine addressable on any network (local or Internet, AppleTalk or TCP/IP), there must be a network number assigned to each network and a node number assigned to each machine on the network. Like a postal address, the Network and Node number make the machine unique and therefore able to communicate. With AppleTalk, the network number (and zone name if applicable) is assigned by the network administrator and node numbers are dynamically assigned when your machine starts up. This is a very cool feature of AppleTalk. At startup your Mac looks in its parameter RAM and checks what its node number was yesterday (or during the last time it was on). It then yells (technically known as broadcasting) its node address to everyone on the network saying “I was node number 54 yesterday, is anyone on the network using 54 today?” If nobody’s machine replies after a defined amount of time, your machine assumes nobody’s machine is using that node number and goes ahead and starts up using that number. If someone’s machine says “Hey pal, I’m node number 54 today, take a hike”, your machine generates another random node number and broadcasts that one to see if anyone’s machine is using it. It keeps doing this until it gets a unique node address for that network.
Originally, with TCP/IP there wasn’t any such dynamic addressing (see DHCP below). All settings had to be manually configured. An IP Subnet mask is a way to tell all the machines on a network which part of the 4 octet IP address is the network number and which is the node number. With postal addresses we usually use numbers for one part of the address and letters for the other (i.e. 5020 Golden Gate Ave.). As IP addresses are all numbers we have to ‘explain’ to the machines on the network which part of the address is which. For example, a 255.255.255.0 subnet mask tells all the machines on the network that the first 3 octets (255) are the network number and the fourth octet (0) is the node number. So, an IP address of 209.239.169.33 with a subnet mask of 255.255.255.0 means that the network number is 209.239.169 and the node address for that machine is 33.
Likewise, a 255.255.0.0 subnet mask tells machines on the network that the first two octets are network number and the last two are node number. Using the same IP address of 209.239.169.33 but a 255.255.0.0 subnet mask, the network number would be 209.239 and the node number would be 169.33.
If you’re paying attention (by now I wouldn’t be!) you may have noticed that the first example only allows for 255 different node addresses (1 thru 255). The second example has significantly more possibilities for node address (i.e. 169.34, 170.33, 171.x, etc.) Depending on the number of nodes you need to be able to put on one network in your organization you can use subnetting to obtain the desired results. It can get much more involved than this but these are the basics. In most cases you live with the subnet mask created by the network admin or ISP and just enter it in the ‘Subnet Mask’ field. Whew!
Router Address:
The ‘Router Address’ (a.k.a. Gateway Address in the Windows world) is the IP address of the router that your machine needs to send its packets to in order to get out to the internet.
Depending on the type of DSL or cable modem device you have, you will have either a bridge or a router in your house or office. Routers have IP addresses, Bridges don’t. You’ll notice that the Router Address that your ISP gave you will be either:
1. the IP address of your DSL/cable router or
2. the IP address of the thing on the ISP side of your DSL/cable line which is usually a router.
If you’re using a NAT router, it will have two IP addresses. One is the public IP address you were assigned by your ISP and one non-route-able IP address such as 192.168.0.1. Routers have to be on the same subnet as your machine (otherwise you couldn’t talk to it), so you would use the non-route-able IP address of the NAT router as the Router Address in the TCP/IP control panel (192.168.0.1). This essentially tells your machine to send all internet related packets to the NAT router and let it figure out where to send them from there.
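The subnet-mask arithmetic from the ‘Subnet Mask’ section, the private-address check from ‘Un-route-able IP Addresses’, and the ‘send it to the router unless it’s local’ decision just described can all be seen in a few lines of Python. This is an added example written for this page, not code from the article or from LANsharks; the addresses are the ones used in the text plus 192.168.0.5 and 192.168.0.7 as constructed local machines, and the private ranges are the RFC 1918 blocks 10/8, 172.16/12 and 192.168/16 (the 172 block covers 172.16.x.y through 172.31.x.y). It counts usable node addresses after setting aside the all-zeros network address and the all-ones broadcast address, so a 255.255.255.0 mask yields 254.

```python
import ipaddress

# RFC 1918 private ("un-route-able") ranges. Note the 172 block is 172.16.0.0/12,
# i.e. 172.16.x.y through 172.31.x.y, not the whole of 172.x.y.z.
PRIVATE_NETS = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def to_int(dotted: str) -> int:
    """Turn a dotted quad such as '255.255.255.0' into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted quad: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Inverse of to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_address(ip: str, mask: str) -> dict:
    """Apply a subnet mask: 1-bits of the mask are the network number, 0-bits the node number."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    inverted = mask_i ^ 0xFFFFFFFF
    if inverted & (inverted + 1):  # a valid mask is all ones followed by all zeros
        raise ValueError(f"mask is not contiguous: {mask}")
    prefix_len = bin(mask_i).count("1")
    host_bits = 32 - prefix_len
    result = {
        "network": to_dotted(ip_i & mask_i),
        "broadcast": to_dotted(ip_i | inverted),
        "prefix_len": prefix_len,
        # the all-zeros (network) and all-ones (broadcast) node numbers are not usable
        "usable_hosts": max(2 ** host_bits - 2, 0),
    }
    if prefix_len % 8 == 0:  # octet-aligned masks: show the split the way the article writes it
        octets = ip.split(".")
        result["network_number"] = ".".join(octets[: prefix_len // 8])
        result["node_number"] = ".".join(octets[prefix_len // 8 :])
    return result


def is_private(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges that internet routers drop."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def next_hop(my_ip: str, mask: str, router: str, dest: str) -> str:
    """Where a packet goes first: straight to a machine on the same subnet, otherwise to the router."""
    mask_i = to_int(mask)
    local_net = to_int(my_ip) & mask_i
    if (to_int(dest) & mask_i) == local_net:
        return dest
    if (to_int(router) & mask_i) != local_net:
        raise ValueError(f"router {router} is not on the local subnet, so it cannot be reached")
    return router


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, split_address("209.239.169.33", mask))
    for ip in ("192.168.0.5", "172.20.1.1", "172.32.0.1", "209.239.169.33"):
        print(ip, "private" if is_private(ip) else "public")
    # a constructed machine at 192.168.0.5 behind the NAT router at 192.168.0.1
    print(next_hop("192.168.0.5", "255.255.255.0", "192.168.0.1", "192.168.0.7"))
    print(next_hop("192.168.0.5", "255.255.255.0", "192.168.0.1", "209.239.160.84"))
```

The `next_hop` check that the router itself lies on the local subnet is the ‘routers have to be on the same subnet as your machine’ rule in code form: a Router Address on some other subnet is a configuration error the machine can never deliver to.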
Name Server Addr:
The Name Server Address field (a.k.a. Domain Name Server or DNS in the Wintel world) is where you enter the IP address of the machine(s) at your ISP that resolve a named address (www.lansharks.net) to the IP address of the actual server that handles the web service for lansharks.net (209.239.160.84). Most ISPs will give you more than one name server address in case their main DNS server gets overloaded or goes down. If your machine can’t find the first name server after some amount of time, it will try to resolve the name with the next server in the list.
Port-Mapping 101:
OK, so enough about IP addressing, subnet masks, DNS and all the rest for a minute. Let’s talk about port-mapping. As I mentioned above, NAT routers create a firewall by keeping all inbound packets off the local network, unless they’re replies to packets from one of the machines on the network. The NAT router looks at an inbound packet and says “Excuse me, but this packet must be trash since it’s destined for a network that can’t exist and doesn’t match a port number in my NAT table. 192.168.x.y or 10.x.y.z aren’t real networks, so I’m going to drop that packet on the floor”.
But what if you wanted to allow a specific kind of traffic from the internet onto your network? Let’s say for example, you wanted to serve web pages from a machine on your network or host a mail server. With most NAT routers you can create port-maps that tell the router what to do with specific types of packets. Traffic that is sent to specific ports on the public IP address of the NAT router goes to specific machines inside the firewall.
So let’s say your web server (or Mac running Personal Web Sharing) had the non-route-able IP address of 192.168.0.5 and the IP address of your NAT router is 209.239.165.30 (the IP address your ISP gave you). You would configure the NAT router to port-map all port 80 traffic to 192.168.0.5 on the local network. Users wishing to access the web server from outside the network (i.e. on the internet) would send their traffic to the address of the NAT router (i.e. http://209.239.165.30). Instead of the inbound traffic being dropped on the floor, the NAT router would check its table for a map for port 80 traffic and say “Yep, that’s a match! Send that traffic to Mr. 192.168.0.5 over there inside the firewall”.
You can port-map any software service, such as FTP, POP mail, SMTP mail, http/web, etc., etc., but be careful because each port you open up, essentially creates a hole in your firewall. When port-mapping, it’s a good idea to make sure the service (or server) you’re allowing traffic to is secure. Web servers (and Personal Web Sharing) on Macs are usually pretty secure and won’t allow outside access to other things (i.e. files) on your machine.
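The NAT table described in ‘NAT Example’ and the port-map just described are two lookups on the same router, so one small simulation covers both. This is an added example written for this page, not code from the article or from any router vendor: a `Packet` carries the four fields the article lists, `outbound` rewrites the source to the router’s public address and a freshly allocated port, `inbound` accepts only replies to recorded flows or traffic to a port-mapped port and drops everything else. The addresses are the article’s (209.239.165.30 for the router, 192.168.0.5 for the web server, 209.239.160.84 for the outside web site) plus a constructed outside visitor at 198.51.100.7. One thing the block does that the text does not spell out: it also records which remote host and port each outbound packet went to, and a reply is accepted only from that same host, which is stricter than matching on port number alone.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The four things every packet carries: source, destination, port(s) and data."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: str = ""


class NatRouter:
    """Toy NAT router with a dynamic translation table and static port-maps (hypothetical)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)  # translated ports come from a high range
        # translated public port -> (inside ip, inside port, remote ip, remote port)
        self.nat_table = {}
        # static port-maps: public port -> (inside ip, inside port)
        self.port_maps = {}

    def add_port_map(self, public_port: int, inside_ip: str, inside_port: Optional[int] = None):
        """Forward all traffic arriving on public_port to a machine inside the firewall."""
        self.port_maps[public_port] = (inside_ip, inside_port or public_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the public address plus a unique port and remember the flow."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, entry in self.nat_table.items():
            if entry == key:  # the same flow keeps the same translated port
                break
        else:
            port = next(self._ports)
            self.nat_table[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside the network, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to us at all
        entry = self.nat_table.get(pkt.dst_port)
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
            return None  # right port, wrong sender: not a reply to anything we sent
        mapped = self.port_maps.get(pkt.dst_port)
        if mapped is not None:
            return replace(pkt, dst_ip=mapped[0], dst_port=mapped[1])
        return None  # dropped on the floor


def demo() -> dict:
    """Walk through the article's web-surfing session and then the port-map case."""
    router = NatRouter("209.239.165.30")
    # a machine inside fetches a page; the router rewrites the source before forwarding
    request = Packet("192.168.0.5", 1025, "209.239.160.84", 80, "GET / HTTP/1.0")
    on_the_wire = router.outbound(request)
    # the web site replies to what it saw: the router's address and translated port
    reply = Packet("209.239.160.84", 80, on_the_wire.src_ip, on_the_wire.src_port, "HTTP/1.0 200 OK")
    delivered = router.inbound(reply)
    # an unsolicited packet from outside (constructed visitor) matches nothing and is dropped
    unsolicited = Packet("198.51.100.7", 2048, "209.239.165.30", 548)
    dropped = router.inbound(unsolicited)
    # after port-mapping 80, outside traffic to the router's port 80 reaches the web server
    router.add_port_map(80, "192.168.0.5")
    visitor = Packet("198.51.100.7", 2049, "209.239.165.30", 80, "GET / HTTP/1.0")
    served = router.inbound(visitor)
    return {"on_the_wire": on_the_wire, "delivered": delivered, "dropped": dropped, "served": served}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Reading `inbound` top to bottom is the article’s firewall argument: with no port-map, the only way in is to be a reply on a port the router handed out, and each `add_port_map` call is one more hole that bypasses that check for a single port.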
Macintosh File Sharing via TCP/IP:
In MacOS 9 and later, Apple introduced the ability to share files via TCP/IP. If you’ve checked the “Enable file sharing clients to connect over TCP/IP” option in the File Sharing control panel, make sure you assign a user name, password and sharing privileges. If you wanted outside users to be able to access your machine for file sharing you would also need to port-map port 548 to the IP address of your machine (192.168.0.5 in this example). To access your machine for file sharing, a Mac user on the internet would open the Chooser, click on the AppleShare icon and click the “Server IP address…” button. After entering the public IP address of your network (209.239.165.30) they should be prompted for a log-in name and password.
There is a list of all known IP ports at: http://www.isi.edu/in-notes/iana/assignments/port-numbers
See also the following article on NAT and Firewalls in Apple’s Tech Info Library.
Intermission:
So, with all these numbers and acronyms flying around in your head, you’re probably ready for a break. OK, go get some tea and head back when you’re ready.
DHCP Explained:
One of the things about TCP/IP is that you have to manually configure all the numbers correctly in the TCP/IP control panel – or maybe not. A while back, system and network administrators got tired of manually configuring things on each and every machine on their networks. It’s also way too easy to mis-type something and then network/internet related services won’t work. DHCP stands for Dynamic Host Configuration Protocol and does just that: dynamically configures hosts/nodes on a network. Most routers have the ability to act as DHCP servers and assign a pre-defined pool of addresses to machines as they need them. You’ve probably noticed in the TCP/IP control panel there is an option in the ‘Configure’ pop-up menu for ‘Using DHCP Server’. If configured to use DHCP (which is now the default setting on both Macs and PCs) your computer will ‘ask’ for a ‘lease’ on a TCP/IP address whenever it needs to speak TCP/IP. The DHCP server then supplies your machine with a unique IP address from a pool of addresses, the subnet mask, router address and DNS server(s). Eventually the lease on that IP runs out and your machine will ask for another address.
DHCP Pros and Cons:
Like anything, DHCP has its good and bad points. One of the drawbacks with DHCP is that it’s not simple to find out which computer is using a particular IP address. For troubleshooting purposes, it’s really nice to know which machine is using which address. Using a packet analyzer (such as AG Group’s EtherPeek) you can look at network traffic and tell if a particular computer is misbehaving and what its IP address is.
It’s also a good idea NOT to use DHCP to assign the IP address for a server. To connect to a server, users need to know the IP address (or name associated to the IP address via a DNS entry) of the server (i.e. mail, file, calendar, web, etc.). Assign all servers with static IP addresses.
Ethernet MAC Addresses:
Every Ethernet card ever made has a unique hardware address known as the ‘MAC address’. Don’t confuse MAC addresses with anything to do with Apple’s Macintosh. Everything that has an Ethernet port has a unique MAC address assigned to its hardware, even if it’s a Compaq PC running Windows or an Epson printer. Most decent DHCP servers keep a table of which TCP/IP address it has assigned to which Ethernet MAC address, but it’s not always an easy task to know what a particular machine’s MAC address is. Unless you know where to look (it’s usually found in software on the machine), this alone can be a time consuming task during a network problem or outage. Some manufacturers list the MAC address of every machine on or near the Ethernet interface, but others don’t. An additional twist is that the MAC address is a hexadecimal number, making troubleshooting even more cumbersome. Mac users can view the MAC address of their Macintosh’s Ethernet interface using Apple menu:Apple System Profiler:Network Overview:AppleTalk:Hardware Address.
If users often come and go from other networks/offices, DHCP can be a huge time saver, especially for those users running Windows. Since DHCP is the default on Macs and PCs it makes accessing the internet on any network with a DHCP server as simple as plugging in an Ethernet cable. Manually configuring the IP settings on different networks requires that you know an unused IP address (assuming there are spares), the subnet mask, gateway address and DNS server addresses. This is all information that can be elusive unless the network administrator is available and cooperative.
Any change to the TCP/IP settings on a Windows machine requires a restart. Macs can have multiple TCP/IP ‘Configurations’ (under the File menu in the TCP/IP control panel) which are essentially different sets of settings, each with different TCP/IP configurations. This makes it really nice for a traveling PowerBook or iBook user to walk in, plug in the Ethernet cable, switch to a previously saved group of IP settings and get to work. No restart necessary.
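A toy DHCP server, written for this page and not taken from the article, Apple or any router vendor, ties together the lease mechanics from ‘DHCP Explained’, the ‘give servers static addresses’ advice from ‘DHCP Pros and Cons’, and the MAC-to-IP table from ‘Ethernet MAC Addresses’: a pool of addresses, the subnet mask, router and DNS settings handed out with each lease, lease expiry and renewal, static reservations so a server keeps a fixed address outside the pool, and a `who_has` lookup that answers the troubleshooting question ‘which machine is using this IP?’. The MAC addresses (locally administered 02:... values), pool range, DNS address and the integer counter used as a clock are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lease:
    ip: str
    mac: str
    expires: int  # constructed clock: seconds on a plain counter, not wall-clock time


class DhcpServer:
    """Toy DHCP server: hands out pool addresses and records which MAC holds which IP."""

    def __init__(self, pool_start, pool_end, subnet_mask, router, dns_servers, lease_time=3600):
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        # the settings every client receives along with its address
        self.settings = {"subnet_mask": subnet_mask, "router": router, "dns_servers": list(dns_servers)}
        self.lease_time = lease_time
        self.leases = {}        # MAC address -> Lease (dynamic pool)
        self.reservations = {}  # MAC address -> fixed IP (servers)

    def reserve(self, mac: str, ip: str):
        """Give a server a fixed address; it must lie outside the dynamic pool."""
        if ip in self.pool:
            raise ValueError(f"{ip} is inside the dynamic pool; reserve an address outside it")
        if ip in self.reservations.values():
            raise ValueError(f"{ip} is already reserved")
        self.reservations[mac.lower()] = ip

    def _expire(self, now: int):
        """Forget leases whose time has run out so their addresses return to the pool."""
        self.leases = {m: l for m, l in self.leases.items() if l.expires > now}

    def _config(self, ip: str, now: int) -> dict:
        return {"ip": ip, "lease_expires": now + self.lease_time, **self.settings}

    def request(self, mac: str, now: int) -> Optional[dict]:
        """A client asks for a lease. Returns its configuration, or None if the pool is exhausted."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.reservations:        # a server always gets its fixed address
            return self._config(self.reservations[mac], now)
        if mac in self.leases:              # renewal: the client keeps its current address
            lease = self.leases[mac]
            lease.expires = now + self.lease_time
            return self._config(lease.ip, now)
        in_use = {l.ip for l in self.leases.values()}
        for ip in self.pool:                # first free address in the pool
            if ip not in in_use:
                self.leases[mac] = Lease(ip, mac, now + self.lease_time)
                return self._config(ip, now)
        return None

    def who_has(self, ip: str, now: int) -> Optional[str]:
        """Troubleshooting: which MAC address currently holds this IP, if any?"""
        self._expire(now)
        for mac, fixed in self.reservations.items():
            if fixed == ip:
                return mac
        for mac, lease in self.leases.items():
            if lease.ip == ip:
                return mac
        return None


if __name__ == "__main__":
    # constructed network: a three-address pool on 192.168.0.0/24 behind a NAT router at 192.168.0.1
    server = DhcpServer("192.168.0.100", "192.168.0.102", "255.255.255.0", "192.168.0.1",
                        ["209.239.160.2"], lease_time=600)
    server.reserve("02:00:00:00:00:05", "192.168.0.5")  # the web/file server stays at .5
    print(server.request("02:00:00:00:00:01", now=0))
    print(server.request("02:00:00:00:00:05", now=0))
    print(server.who_has("192.168.0.100", now=0))
```

Because `request` returns the mask, router and DNS list together with the address, a client that uses it has nothing left to type into the TCP/IP control panel, which is the whole point of the ‘Using DHCP Server’ setting; the `reserve` check that refuses an address inside the pool is what keeps a dynamic client from ever colliding with a server’s fixed address.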
Please contact us if you have questions regarding any of the information above.
Kirk van Druten – LANsharks Consulting
510-601-5475