Regardless of whether or not you decide to connect your network to the Internet, one thing is certain: you should build your enterprise network using the TCP/IP protocols. To do so, you must provide certain basic information to configure the physical TCP/IP network interface. The network interface needs an IP address and may also need a subnet mask. In this section we look at how the network administrator arrives at each of the required values.
Every interface on a TCP/IP network must have a unique IP address. If a host is part of the Internet, its IP address must be unique within the entire Internet. If a host’s TCP/IP communications are limited to a local network, its IP address only needs to be unique locally. Administrators whose networks will not be connected to the Internet select an address from RFC 1918, Address Allocation for Private Internets, which lists network numbers that are reserved for private use.
The private network numbers are:
Class A network 10.0.0.0 (10/8 prefix and a 24-bit block of addresses).
Class B networks 172.16.0.0 to 172.31.0.0 (172.16/12 prefix and a 20-bit block of addresses).
Class C networks 192.168.0.0 to 192.168.255.0 (192.168/16 prefix and a 16-bit block of addresses).
Networks connecting to the Internet must obtain official network addresses. An official address is needed for every system on your network that directly exchanges data with remote Internet hosts.
Obtain the address from your ISP. Your ISP may have been delegated authority over a group of network addresses, and should be able to assign you a network number. If your local ISP doesn’t offer this service, perhaps the ISP’s upstream provider does. Ask your local ISP who it receives service from and ask that organization for an address. If all else fails you may be forced to go directly to an Internet registry. The box Internet Registries provides information about the Internet registry services. The form required for registering an address is available at ftp://rs.internic.net. Use the application as a last resort to obtain an address.
The advantage to obtaining your address from an Internet registry is that you will not have to change your address in the future if you do connect to the Internet. However, the InterNIC strongly encourages you to obtain your IP address from an ISP rather than applying directly to InterNIC for your own block of addresses to avoid wasting IP addresses and to slow the growth of routing tables. There is a downside to using addresses provided by your ISP. Addresses provided by your ISP belong to the ISP rather than to you. This means they aren’t portable. If you decide to change ISPs, you must change your IP address assignments network-wide to use the addresses provided by your new ISP. In effect, using addresses provided by an ISP locks you into that ISP.
To avoid this problem use DHCP on your network. DHCP allows you to easily change to the address provided by your new ISP when you switch ISPs. Using DHCP you change only the DHCP server configuration and the few static addresses assigned to servers and routers to recast the addresses for an entire network. If you are not running DHCP, you will need to change the IP configurations individually for each machine on your network.
The advantages to choosing a network address from RFC 1918 are that you do not have to apply for an official address and you save address space for those who do need to connect to the Internet.
If you do choose an address from RFC 1918 it is possible to use DHCP to simplify the renumbering process but it is also possible to connect to the Internet without renumbering all of your systems. It will, of course, take some effort. You’ll need a network address translation (NAT) box or a proxy server. NAT is available as a separate piece of hardware or as an optional piece of software in some routers and firewalls. It works by converting the source address of datagrams leaving your network from your private address to your official address. Address translation has several advantages.
It conserves IP addresses. Most network connections are between systems on the same enterprise network. Only a small percentage of systems need to connect to the Internet at any one time. Therefore far fewer official IP addresses are needed than the total number of systems on an enterprise network. NAT makes it possible for you to use a large address space from RFC 1918 for configuring your enterprise network while using only a small official address space for Internet connections.
It eliminates address spoofing, a security attack in which a remote system pretends to be a local system. The addresses in RFC 1918 cannot be routed over the Internet. Therefore, even if a datagram is routed off of your network toward the remote system, the fact that the datagram contains an RFC 1918 destination address means that the routers in the Internet will discard the datagram as a martian.
It eliminates the need to renumber your hosts when you connect to the Internet.
Network address translation also has disadvantages:
NAT may add cost for new hardware or optional software.
Address translation adds overhead to the processing of every datagram. When the address is changed, the checksum must be recalculated. Furthermore, some upper-layer protocols carry a copy of the IP address that also must be converted.
NAT is a new technology and there is very little experience with it in the network. Routers never modify the addresses in a datagram header, but NAT does. This might introduce some instability. Similarly, no one has much experience in determining how many addresses should be kept in a NAT address pool or how long an address should be held by a connection before it is released back to the pool.
NAT limits the use of encryption and authentication. Authentication schemes that include the header within the calculation do not work because the router changes the addresses in the header. Encryption does not work if the encrypted data includes the source address.
Proxy servers provide many of the same advantages as NAT boxes. In fact, these terms are often used interchangeably. But there are differences. Proxy servers are application gateways originally created as part of firewall systems to improve security. Internal systems connect to the outside world through the proxy server, and external systems respond to the proxy server. Unlike routers, even routers with network address translation, the external systems do not see a network of internal systems. They see only one system—the proxy server. All FTP, Telnet, and other connections appear to come from one IP address: the address of the proxy server. Therefore the difference between NAT boxes and proxy servers is that NAT uses a pool of IP addresses to differentiate the connection between internal and external systems. The true proxy server has only one address and therefore must use protocol numbers and port numbers to differentiate the connections.
Proxy servers often have added security features. Address translation can be done at the IP layer. Proxy services require the server to handle data up to the application layer. Security filters can be put in proxy servers that filter data at all layers of the protocol stack.
Given the differences discussed here, network address translation servers should scale better than proxy servers, and proxy servers should provide better security. Proxy servers are frequently used in place of address translation for small networks. Before you decide to use either NAT or proxy services, make sure they are suitable for your network needs. Often, the best choice for a connected network is to obtain an official address from your ISP and to manage that address with a DHCP server.
So far we have been discussing network numbers. Our imaginary company’s network was assigned network number 172.16.0.0/16. The network administrator assigns individual host addresses within the range of IP addresses available to the network address; in other words, the administrator assigns the last two bytes of the four-byte address.
The portion of the address assigned by the administrator cannot have all bits or all bits 1; that is, 172.16.0.0 and 172.16.255.255 are not valid host addresses. Beyond these two restrictions, you’re free to assign host addresses in any way that seems reasonable to you.
Network administrators usually assign host addresses in one of two ways:
Each individual host is assigned an address, perhaps in sequential order, through the address range.
Blocks of addresses are delegated to smaller organizations within the overall organization, which then assign the individual host addresses.
The assignment of groups of addresses is most common when the network is subnetted, and the address groups are divided along subnet boundaries. But assigning blocks of addresses does not require subnetting. It can just be an organizational device for delegating authority. Delegating authority for groups of addresses is often very convenient for large networks, while small networks tend to assign host addresses one at a time. No matter how addresses are assigned, someone must retain sufficient central control to prevent duplication and to ensure that the addresses are recorded correctly on the domain name servers.
Addresses can be assigned statically or dynamically. Static assignment is handled through manually configuring the boot file on the host computer, or through a configuration server. Dynamic address assignments are always handled by a server, such as PPP or DHCP. Before installing a server for dynamic addressing, make sure it is useful for your purposes. Dynamic PPP addressing is useful for servers that handle many remote dial-in clients that connect for a short duration. If the PPP server is used to connect together various parts of the enterprise network and has long-lived connections, dynamic addressing is probably unnecessary. The dynamic address assignment features of DHCP are used for Microsoft clients and other single user systems that have DHCP client software. Servers and other multi-user systems are assigned static addresses. You will use DHCP on your Windows NT network, but not necessarily for every system on that network. See Chapter 9 for information on PPP, and Chapter 6 for details of DHCP.
Chapter 2 describes the structure of IP addresses and touches upon the reasons for subnetting. Unless you wish to change the interpretation of your assigned network number, you do not have to define a subnet mask. The decision to subnet is commonly driven by topological or organizational considerations.
The topological reasons for subnetting include:
Some network hardware has very strict distance limitations. Ethernet is the most common example. The maximum length of a thick Ethernet cable is 500 meters; the maximum length of a thin cable is 185 meters; the total length of a coax Ethernet, called the maximum diameter, is 2500 meters. If you need to cover a greater distance, you can use IP routers to link a series of Ethernet cables. Individual cable still must not exceed the maximum allowable length, but using this approach, every cable is a separate Ethernet. Therefore the total length of the IP network can exceed the maximum length of an Ethernet.
IP routers can be used to link networks that have different and incompatible underlying network technologies. Figure 4-1 shows a central token ring subnet, 172.16.1.0, connecting two Ethernet subnets, 172.16.6.0 and 172.16.12.0.
Local traffic stays on the local subnet. Only traffic intended for other networks is forwarded through the gateway.
Subnetting is not the only way to solve topology problems. Networks are implemented in hardware and can be altered by changing or adding hardware, but subnetting is an effective way to overcome these problems at the TCP/IP software level.
Of course, there are non-technical reasons for creating subnets. Subnets often serve organizational purposes such as:
Subnets can be used to delegate address management, troubleshooting, and other network administration responsibilities to smaller organizations within the overall organization. This is an effective tool for managing a large network with a limited staff. It places the responsibility for managing the subnet on the people who benefit from its use.
The structure of an organization (or simply office politics) may require independent network management for some divisions. Creating independently managed subnets for these divisions is preferable to having them go directly to an ISP to get their own independent network numbers.
Certain organizations may prefer to have their local traffic isolated to a network that is primarily accessible only to members of that organization. This is particularly appropriate when security is involved. For example, the payroll department might not want their network packets on the engineering network, where some clever person could figure out how to intercept them.
If a certain segment is less reliable than the remainder of the net, you may want to make that segment a subnet. For example, if the research group puts experimental systems on the network from time to time, or experiments with the network itself, this part of the network will be unstable. You would make it a subnet to prevent experimental hardware or software from interfering with the rest of the network.
The network administrator decides if subnetting is required and defines the subnet mask for the network. The subnet mask has the same form as an IP address mask. As described in Chapter 2, it defines which bits form the network part of the address and which bits form the host part. Bits in the network part are turned on (i.e., 1), while bits in the host part are turned off (i.e., 0).
The subnet mask used on our network is 255.255.255.0. This mask sets aside 8 bits to identify subnets, which creates 254 subnets. The network administrator has decided that this mask provides enough subnets and that the individual subnets have enough hosts to effectively use the address space of 252 hosts per subnet. Figure 4-1 shows an example of this type of subnetting. Applying this subnet mask to the addresses 172.16.1.0 and 172.16.12.0 causes them to be interpreted as the addresses of two different networks, not as two different hosts on the same network.
Once a mask is defined, it must be disseminated to all hosts on the network. There are two ways this is done: manually, through the configuration of network interfaces; and automatically, through routing protocols. Old routing protocols cannot distribute subnet masks, and old operating systems cannot store the masks in the routing table. In an environment that contains these old systems, every device on the network must use the same subnet mask because every computer believes that the entire network is subnetted in exactly the same way as its local subnet.
New routing protocols distribute address masks for each destination, and new operating systems store those masks in the routing table. This makes it possible to use variable-length subnet masks (VLSM). Using variable-length subnet masks increases the flexibility and power of subnetting. Assume you wanted to divide 172.16.5.0/24 into three networks: one network of 110 hosts, one network of 50 hosts, and one network of 60 hosts. Using traditional subnet masks, a single subnet mask would have to be chosen and applied to the entire address space. At best this would be a compromise. With variable length subnet masks you could use a mask of 255.255.255.128, which creates subnets of 126 hosts, for the large subnet, and a mask of 255.255.255.192 to create subnets of 62 hosts for the smaller subnets. VLSMs, however, require operating systems that know how to store and use the masks and routing protocols that can transmit them. As we saw in Chapter 2, Windows NT stores the masks in its routing table.
 The address (172.16.0.0) used in this book is an address set aside for use by non-connected enterprise networks. Feel free to use this address on your network if it will not be connected to the Internet.
 Hosts that communicate with the Internet through a firewall or proxy server may not need official addresses. Check your firewall/proxy server documentation.
 A martian is a datagram with an address that is known to be invalid.
 The range of addresses is called the address space.