After completing these activities you should be able to:
"Nippernet" is the colloquial name for the DoD subset of the Internet that carries sensitive but UNCLASSIFIED IP data. Access to the NIPRNet is tightly controlled: all data crossing the NIPRNet/Internet boundary must pass through a DoD-owned router, and hosts on the NIPRNet resolve names using DNS servers operated by the DoD Network Information Center. The DoD also owns and operates the SIPRNet (pronounced Sippernet), for classified data.
Both the NIPRNet (Non-secure Internet Protocol Routed Network) and SIPRNet (Secret Internet Protocol Routed Network) use the TCP/IP Stack that you are learning about. So, best practices from the Internet apply to the NIPRNet and SIPRNet, but vulnerabilities from the Internet also apply to the NIPRNet and SIPRNet. Ships and other war fighting platforms are connected to the NIPRNet, and SIPRNet.
So, the Data Link Layer provides a local network, but how do Alice and Bob talk if they are on different networks? That is the exact problem that the Network Layer solves. Within the TCP/IP Stack the Network Layer interconnects local networks, forming interconnected networks; i.e. an internet. An internet is simply a collection of interconnected networks. Just like there are different types of local networks, different Data Link Layer protocols, there are different Network Layer protocols. However, in practice there is one vastly dominate (usage wise) Network Layer protocol the Internet Protocol (IP). The Internet Protocol was named because it is used to interconnect networks. The Internet is the largest, public, global collection of interconnected networks; actually the Internet is interplanetary, the Curiosity Rover on Mars has a Twitter feed.
On the Internet, hosts are identified by their IP addresses, Internet Protocol (IP) address.
They may or may not have a name as well, but always an IP address.
IPv4 (IP version 4) addresses are usually written down as four numbers with dots in between, like
184.108.40.206, though more on that later.
Packets. Information travels around the Internet like notes being passed in class. Suppose Host A has a message to send to Host B. Host A breaks his message into small chunks and sends each chunk, prefaced with Host B's address, across the Internet. This address information + message chunk is called a packet. Each packet gets passed from one host to another (again, like a note passed in class) until it finally reaches Host B.
Routers. The intermediate packet-passing hosts in this process are called routers. Hosts normally live at the end points of communication, and routers live along the communication links in the middle. When passing notes in class, when a note gets passed to you, you can't usually hand it directly to the recipient, instead you can only hand it to one of your neighbors — and you choose a neighbor that gets the packet closer to the recipient. Routers work the same way. A router's neighbors are the routers (or hosts) it has direct connections to (e.g. connected by a cable). The diagram below depicts two local, edge networks interconnected via two routers; no Data Link Layer hardware devices (like a switch) are depicted in the diagram. Host 0 and Host 1 are on one local network, and Host 2 and Host 3 are on a separate local network. Router 0 and Router 1 are connected, and thus able to interconnect the two edge local networks.
A router uses a packet's IP Address to choose a neighbor host that gets the packet closer to the recipient (destination IP Address), and passes the packet on to that neighbor. The process of forwarding a packet to the next closer network performed by a router is known as routing. Basically, routers are the networking devices that interconnect separate local networks. The largest public global collection of such interconnected networks is known as ... drum roll ... the Internet. Since a router interconnects multiple local networks, it has to be on (be a member of each local network). If a router interconnects two local networks, then it will be a member of each local network. So, looking back at the diagram above, there are actually three local networks:
With some of the basics covered, we will now take a deeper look at IPv4 (Internet Protocol version 4). Being a Network Layer protocol, IPv4 interfaces with the Data Link Layer and the Transport Layer; we will talk about the Transport Layer in the next discussion. Recall, that ARP translates between a Data Link Layer address and a Network Layer address (see diagram below). The Internet Address column is the Network Layer address, in the case below the IPv4 addresses of the hosts on the local network. ARP is one of the protocols that binds the Data Link Layer and the Network Layer together; i.e. ARP is part of the interfacing between the Data Link Layer and the Network Layer.
So, beyond interconnecting local networks, what else does IPv4 do? What services does IPv4 provide? Well, unfortunately IPv4 like Ethernet is a best effort protocol, so there is no guarantee of delivery. That being said, the technologies, IPv4 being one of them, that make up the Internet are quite robust, and resilient.
IPv4 provides a mechanism for large amounts of data from upper layers to be broken down into smaller chunks of data, a process called fragmenting. This allows the data in a packet to be fit into the associated size of the frame at the Data Link Layer, different Data Link Layer protocols support difference frame sizes, as the packet traverses across different types of local networks. In IPv4 the fragmenting of packets is done by routers, this allows the data to traverse across networks with out involving the sending (source) host. Fragmented packets are then reassembled at the receiving (destination) end.
Like Ethernet, IPv4 has a way to detect data transmission errors from the lower layers, at least errors within the IP header. Remember the concepts of encapsulation and de-encapsulation (see below).
IPv4 does have a companion protocol, called Internet Control Message Protocol (ICMP), that it uses to report errors back to source address. For example, if a router does not know who to get to the destination network, then the router will send a specific ICMP message back to the source host letting them know that there is no route to the destination.
It is important to point out a couple other aspects of best effort. Think back to the passing notes in class example. Just like in class, on the Internet a packet may be dropped, or lost; if there is too much interference at the Physical Layer than a frame may not be reconstructed, and therefore the associated packet will not make it to the next router, or destination host. Similarly, one packet of a message make take a different route between the interconnected networks than the next packet and arrive out of order (Janet left the message in her pocket overnight). Since IPv4 does not solve these problems, it is up to layers higher in the protocol stack to address those issues, or not.
One of the key problems that IPv4 does solve is identifying hosts across all of the interconnected networks. That seemingly easy sounding problem, is actually a challenging problem in and of itself; a problem that has had to be readdressed multiple times over the decades. Just like Ethernet, all IP packets have a source and destination address. But instead of a MAC address, IPv4 uses IP addresses.
Dotted Quad Notation. An IP Address is a 32-bit number. A 32-bit number can be viewed as four 8-bit pieces (four bytes) and we usually write IPv4 Addresses as four 8-bit numbers, separated by dots. This is called a dotted quad notation. For example:
220.127.116.11 ___/ / \ \____ / / \ \ 10010010.10010001.00000101.01000011 → 10010010100100100000010101000011 → 2458977603
The reason we prefer dotted quad notation is a) they're generally easier to remember than a string of 32 bits, and b) the first two to three bytes are often the same for all hosts on the same local network.
For example, IP Addresses in Michelson Hall often begin with
The similarity is harder to see when addresses are written out as a single 32-bit number.
ifconfig(Interface Configure) is used to get information, and configure network interfaces much like the Windows equivalent
IPv4 Address. . . . . . : 10.22.88.124which is the IPv4 Address of your computer
Network Address. The subnet mask is used to reveal a network address within an IP address. The network address is common to all IP addresses on the same network. Every host on the same network shares the same network address. If you were to apply a network's subnet mask to every IP address on that network, each one would reveal the same network address.
As we know, each host has an IP address.
Two hosts on the same network have the same initial chunk of bits within their IP addresses.
How big that initial chunk of bits is is defined by a 32-bit number called the subnet mask.
If you write it out a subnet mask in binary it looks like a sequence of 1's followed by a sequence of 0's.
The sequence of 1's defines the bits that are identical for every host in the network.
You can see your subnet mask by looking in the output from
Is Host X on my network?
A host uses its own subnet mask to determine if a remote host is on its own local network or not.
For example, Host Alice wants to send a message to Host Bob.
Alice knows her own IP address, and can lookup the IP address of Bob since he's connected to the Internet.
Alice bit-wise AND's, boolean logic operation (you remember your true/false values right?), her subnet mask with her IP address to determine what network she own.
Alice then bit-wise AND's her subnet mask with the IP address of Bob.
Alice compares the results (there's
if statement again) of her network address and what she calculated Bob's network address to be.
If the two network addresses match, then Alice and Bob are on the same network.
Hmm, if Alice and Bob are on the same network, then Bob should be in Alice's ARP table, and we know about local network communications from the Data Link Layer.
But if Alice and Bob are on different networks, what does Alice do? Well, what device interconnects different networks? Right, a router interconnects different local networks. Since Alice's router is on her network, Alice transmits a frame to her router at the Data Link Layer because Alice and her router are directly connected (on the same network). The data inside that frame includes the IPv4 header information, but at the Network Layer the packet is addressed to Bob not Alice's router. By keeping the source address as Alice, and the destination address as Bob in the IP header the packet can hop between networks, still reach Bob, and Bob knows who the packet came from so he can reply.
Routers. Routers are special devices that are connected to multiple networks and make decisions on where next to forward, or route, the packets they receive. In addition to forwarding packets for others, routers also generate their own packets used to communicate with other routers. Routers communicate using a routing protocol, which is used to maintain accurate routing information for the Internet, and to determine where the best next hop is for a packet based on its destination network. All routers must be connected to at least two different networks to actually route packets. A hop is a unit of measure at the Network Layer, each router that a packet passes through en route to its destination is considered a hop. A hop is unit less; i.e. it is simply a counter.
A router is considered a Network Layer device since it processes packets based on IP addresses. A router additionally performs the same functions of a switch (a router reads and writes MAC addresses) and a hub (detects signals and collisions). Since a router has multiple IP addresses, so it can perform the interconnections, a router also has multiple MAC addresses. Again routers are hosts on networks, where as hubs and switches are not hosts on a network.
When determining where to send a packet, the originating host first must calculate if the destination IP and its source IP are on the same network (as defined above). If the destination IP is on the same network, the packet will be sent to the destination host directly. If the destination IP address is on a different network, the packet will be sent out via the local network's router, which will then forward the packet out a different network connection.
When a packet is sent to another host on the same network (as defined above), the frame's destination MAC address is set to the MAC address of the destination host. When a packet is sent to another host on a different network, the frame's destination MAC address is set to the MAC address of the local network's router.
Demo. Local Network/Inter-Network Demo (credit: Aaron Herber, USNA 2012): This demo illustrates how packets are sent within a single network and between hosts on different networks. Additionally, it has a nice animation for ARP requests, which is how a host builds up an ARP table, the table that matches IP addresses to MAC addresses for host on the same network.
One of the most fundamental questions you might ask involving IP networking is this: is there a host at a given IP address?
The shell utility
ping is designed to answer this question.
ping makes use of a part of the Internet Control Message Protocol (ICMP), specifically echo request and echo reply.
ICMP is a companion protocol to IPv4, ICMP operates at the Network Layer just like IPv4.
ping takes an IP address (or a host name, MTF) and sends an ICMP "echo request" packet to the destination address.
ping waits for a response for a while, then tries again.
ping prints out statistics about how many packets were received, round trip time, etc.
Here are the results of two pings:
$ ping 10.1.83.17 PING 10.1.83.17 (10.1.83.17) 56(84) bytes of data. 64 bytes from 10.1.83.17: icmp_seq=1 ttl=255 time=0.269 ms 64 bytes from 10.1.83.17: icmp_seq=2 ttl=255 time=0.363 ms 64 bytes from 10.1.83.17: icmp_seq=3 ttl=255 time=0.229 ms 64 bytes from 10.1.83.17: icmp_seq=4 ttl=255 time=0.243 ms ^C --- 10.1.83.17 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 2998ms rtt min/avg/max/mdev = 0.229/0.276/0.363/0.052 ms
$ ping 18.104.22.168 PING 22.214.171.124 (126.96.36.199) 56(84) bytes of data. From 188.8.131.52 icmp_seq=1 Destination Host Unreachable From 184.108.40.206 icmp_seq=2 Destination Host Unreachable From 220.127.116.11 icmp_seq=3 Destination Host Unreachable From 18.104.22.168 icmp_seq=4 Destination Host Unreachable From 22.214.171.124 icmp_seq=5 Destination Host Unreachable From 126.96.36.199 icmp_seq=6 Destination Host Unreachable ^C --- 188.8.131.52 ping statistics --- 7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6032ms , pipe 3
In the first case, the destination host was "up" (responding) and responded with an echo reply for each echo request received.
In the second case, there was no host at that address.
ping is useful for debugging network problems; e.g. rona is not refreshing ... is the server down/unreachable right now, or is it something else?
It's also used as a tool for network reconnaissance, as we'll see later in this course.
You could ping every address in a range in order to find out what hosts there are on a given network.
Another nefarious use for ping is to have a group of computers send lots and lots of ping requests to a given server, hoping to keep it so busy answering the stupid pings that it can't do any useful work.
This is a simple Denial of Service (DoS) attack, which we'll see more of later.
Not all hosts reply to a ping request, mainly because the tool is sometimes abused by malicious people and programs.
Still, it is a useful tool.
tracert. Open a shell and try it from your laptop.
We know that each host on the Internet has a n IP Address, and we learned that information is communicated between hosts in packets.
We can use software tools to get an idea of the path a network packet takes as it transits from source to destination.
There's a shell utility called
traceroute that shows the path a single packet travels from a source host to a destination host on the Internet.
The following output from
traceroute shows the route from a host here at USNA to a host (in this case, a web server) in Austria.
$ traceroute www.risc.uni-linz.ac.at # Host names are used here, we will discuss host names when we get to the Application Layer 1 michelson-3a-as1-v401.gw.usna.edu (10.53.33.1) 1.779 ms 1.180 ms 1.167 ms 2 michelson-1a-ag1-v2x05.net.usna.edu (10.48.1.93) 1.200 ms 1.274 ms 0.904 ms 3 yard-d2-v3x60.net.usna.edu (10.48.2.81) 0.776 ms 0.681 ms 0.734 ms 4 usna-c2-v2x14.net.usna.edu (10.0.2.25) 0.922 ms 0.786 ms 0.805 ms 5 border-d2-v2x18.net.usna.edu (10.0.2.34) 1.533 ms 0.992 ms 1.011 ms 6 border-f2-gi0_8s3001.net.usna.edu (10.4.16.2) 1.506 ms 1.044 ms 1.230 ms 7 maryland-r1-po1s2001.net.usna.edu (184.108.40.206) 1.335 ms 1.714 ms 1.487 ms 8 gig1-8.umab-core.net.ums.edu (220.127.116.11) 2.477 ms 2.763 ms 12.486 ms 9 balt-usm.maxgigapop.net (18.104.22.168) 4.015 ms 3.218 ms 3.271 ms 10 i2-newy-rtr.maxgigapop.net (22.214.171.124) 11.083 ms 11.311 ms 12.932 ms 11 126.96.36.199 (188.8.131.52) 110.292 ms 110.289 ms 109.886 ms 12 ae3.mx1.ams.nl.geant.net (184.108.40.206) 97.495 ms 110.193 ms 97.360 ms 13 ae0.mx1.fra.de.geant.net (220.127.116.11) 91.859 ms 95.822 ms 104.412 ms 14 ae0.mx1.pra.cz.geant.net (18.104.22.168) 98.401 ms 98.421 ms 101.505 ms 15 ae2.mx2.bra.sk.geant.net (22.214.171.124) 103.908 ms 125.384 ms 114.995 ms 16 ae0.mx1.vie.at.geant.net (126.96.36.199) 116.916 ms 130.063 ms 117.406 ms 17 aconet-gw.rt1.vie.at.geant.net (188.8.131.52) 117.472 ms 119.264 ms 129.666 ms 18 vlan73.wien21.aco.net (184.108.40.206) 129.450 ms 116.790 ms 116.867 ms 19 vlan71.wien1.aco.net (220.127.116.11) 116.849 ms 135.726 ms 117.317 ms 20 vlan311.linz1.aco.net (18.104.22.168) 132.574 ms 119.865 ms 132.131 ms 21 jku-gw.edvz.uni-linz.ac.at (22.214.171.124) 132.455 ms 120.046 ms 120.938 ms 22 jkuc3hb1.edvz.uni-linz.ac.at (126.96.36.199) 120.389 ms 120.000 ms 120.348 ms 23 router.risc.uni-linz.ac.at (188.8.131.52) 120.341 ms 120.172 ms 120.265 ms 24 crow.risc.uni-linz.ac.at (184.108.40.206) 132.354 ms 132.261 ms 120.308 ms
Examine the sample output above. In the command, we gave the name of the server instead of its IP Address. Usually we use names, but we could just as easily have used the IP Address instead. Below the command, each numbered row lists the name of the hosts, the host's IP Address, and some data about how long it takes the packet to travel that far along the route. We say that a move from one host to the next host along the way (whether that host is a router or computer) is one "hop". The packet takes a large number of hops on its way to Europe! Occasionally, we will see * * * in our traceroute output. This usually means that one of the hosts along the way is not responding to our request, possibly due to a firewall setting. Once we hit such a roadblock, unfortunately, that particular trace won't succeed. There are ways to modify our traceroute request to increase its chances of success, but that's beyond the scope of this discussion.
What traceroute provide us is not just IP Addresses, but also a list of names for the hosts along the way, and those names actually tell a story. The packet travels from usna.edu (that's us!) to ums.edu (USNA's internet access is provided through the University of MD, Eastern Shore) to maxgigapop.net, then across the Atlantic Ocean to the Netherlands (.nl), Germany (.de), Czech Republic (.cz), Slovak Republic (.sk), then finally to some routers in Austria (.at), and to the city of Linz, to uni-linz.ac.at, which is the University of Linz. Notice that in several places we have a few consecutive host with similar IP Address. For example, there are three consecutive 62.40.98.x addresses. This tells a story too, though exactly what it means will have to wait. It's important to note that packets don't always follow the same route from the same host A to the same host B. Once again, it's like note passing: there are many possible ways to the same destination.
The following listings show the outputs of
arp from the same host (
Notice that the host (
mich300csd02w) on the same local network (Link Layer) is a single hop away, or directly connected from the perspective of the Network Layer, and that the host (
mich392csd02w) on a separate network is multiple hops away (Network Layer).
Additionally, notice that the host (
mich300csd02w) on the same local network (Link Layer) is in the host's (
mich300csd01w) own ARP table, and how the host (
mich392csd02w) on a separate network is not in the host's own ARP table.
The IPv4 address space is divided up into different blocks, or classes, of IP addresses. There are five classes of public IP addresses:
*indicates the host portion of the IP address; i.e. the unique part to each host on the local network)
220.127.116.11. Each multicast IPv4 address represents a unique broadcast group.
Beyond the classful IP blocks there are some IPv4 address blocks that are not routed across the public Internet. Besides the loopback block (see below) all the non-routable address blocks are called private address block because routers are the public Internet should be configured to drop packets destined for or coming from a private IP space.
10.0.0.0network; IP addresses take on the form
172.31.*.*., there are 16 such private networks.
127.0.0.0, IP addresses take on the form
127.*.*.*. The loopback network is internal to the local host; i.e. network traffic destined for the localhost does not exit the host.
The IP addresses that we talk about in this course are IPv4 addresses.
With 32 bits, there are a little over four billion such addresses possible (232).
When an organization wants to set up a network, it needs to ask for some IP addresses for web servers, e-mail servers, etc.
There are agencies responsible for allocating blocks of addresses to organizations, and they'd say something like "you get block
18.104.22.168/24", which means you get all addresses whose first 24-bits (3 bytes) are the same as
22.214.171.124 — i.e. addresses of the form
131.122.88.*, where "*" means anything.
That's why addresses within an organization usually share a common prefix.
Check out this visualization of how
/8 blocks (i.e. the blocks
255.*.*.*) were allocated.
Despite having over four billion addresses, the IPv4 Address space has essentially been exhausted. There's a newer standard, IPv6, that uses 128-bit addresses. That gives about 3.4 × 1038 addresses (specifically 2128), which ought to be enough for all eternity, right? Well, that's what we said with IPv4 ...
We will only use IPv4 Addresses in this course, but it's good to be aware that the IPv6 standard is being slowly adopted worldwide. Your laptop knows both IPv4 and IPv6