CS 520: Network Architecture I
Winter 2006
Lecture 11: IP Address Conservation

This lecture discusses several approaches used to make better use of the IP address space:
- Subnetting
- Supernetting (CIDR)
- Network Address Translation (NAT)
- IPv6

I. Minimizing Network Numbers
(Chapter 9 - Classless and Subnet Address Extensions (CIDR))

Remember: Routers keep one routing entry per network.

Designers failed to envision network growth.
- Size has been doubling every 9 to 15 months.
- Designers did not foresee tens of thousands of small networks.

The Internet design is stressed.
- Immense administrative overhead is required simply to manage all of the network addresses.
- Routing tables are extremely large:
  - Over 100,000 entries in core network routers.
  - Core network routers do not use default routes.
  - They are the routers that need to know the routes to everywhere.
- The IPv4 address space will eventually be exhausted.
  - Maybe not until 2019, as predicted by the textbook author.
  - Maybe much sooner if IP addresses are assigned to small appliances (cell phones, home devices, etc.).

Lecture 11, Page 1 of 20
There are not enough Class B addresses.
- There are only 2^14 = 16384 Class B networks.
- And Class B addresses are in many cases too large. How many hosts are on a Class B network? About 64k (2^16 - 2 = 65534).
- But Class C addresses are too small, and there are many of them remaining: 2^21 = 2 million Class C networks.

Possible solutions:
- Use one IP network prefix for multiple physical networks.
- Eliminate wasted addresses for point-to-point networks.
- Abandon the rigid class system for addresses.
We will examine the two more prominent solutions.

II. Subnet Addressing

Subnet Addressing: Use a single network address for multiple physical networks.
Classless Addressing: Addresses can be saved if the Class A/B/C framework is not used.

Subnet addressing is a method for using the same netid for multiple physical networks.
- Popular because it is very general and has been standardized.
Example (the figure is not reproduced here): A site uses a single Class B address, 128.10.0.0.
- The local site chooses to use the third octet to distinguish between two physical networks.
- Router R (but only R) examines this third octet.

Remember: A site can choose to use the hostid portion of the IP address however it wishes.
- It is better in this case to consider this the local portion of the IP address, rather than just a hostid.
A site may choose to use the most significant bits of the local portion for a subnet address.
- This is the concept of hierarchical addressing and hierarchical routing.
- Similar to the U.S. telephone system: 3-digit area code, 3-digit exchange, 4-digit connection.

Bits can be allocated for the subnet address as desired, depending on:
- Number of networks.
- Number of hosts in each network.
- Growth potential.
Example: 8-bit subnet, 8-bit host gives 254 subnets, each with 254 hosts.
- All 1's and all 0's host addresses are reserved.
- All 1's or all 0's subnet addresses are not recommended.

Variable or fixed length
Most sites that implement subnet addressing use fixed assignments.
- Same division of bits for all addresses.
Variable-length subnetting can also be used.
- Variability does not mean varying with time; the partition varies with the subnetwork.
- Different partitions can be used for different physical networks.
- This is a good idea: it can achieve higher utilization of the address space.
- But why might this be difficult to implement? One must be careful to avoid address ambiguity: addresses could be interpreted inconsistently, so that an address appears to match two different subnets.
A site that uses subnet addressing will define a subnet mask.
- Example: 11111111 11111111 11111100 00000000
- Here 22 bits are defined for the netid and subnet address.
- Bits are not required to be consecutive, but it is recommended.
- The network part of the address can be extracted using a Boolean bitwise AND.

Mask representation
- The mask above can be represented in dotted decimal as 255.255.252.0.

Subnet routing
- The standard routing table has entries of (network address, next hop address).
- With subnetting, the table must also include the subnet mask: (subnet mask, network address, next hop address).
- Routers use the subnet mask to first extract the network part of the destination address (AND the address with the mask).
- After that, the network address must be matched.
- The next hop must still be reachable over a directly connected network (as always).
- Masks must be shared between routers (only inside a group of physical networks that share the same netid), as should addresses.
- A special control message exists to transfer subnet masks.
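The lookup just described (AND the destination with each entry's mask, compare with the network address) and the variable-length ambiguity warned about on the previous page, worked through in code. This is an added example, not code from the lecture notes; the /22 mask 255.255.252.0 and the 128.10.0.0 site prefix are the ones used above, while the individual subnets, the /24 carved out of one of them, and the next-hop addresses are constructed for illustration.

```python
"""Subnet-mask routing table lookup (added example; table contents are constructed)."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value))


def extract_network(addr: str, mask: str) -> str:
    """Network part of an address: a Boolean bitwise AND with the subnet mask."""
    return to_dotted(to_int(addr) & to_int(mask))


def prefix_len(mask: str) -> int:
    """Count the 1 bits in a mask (22 for 255.255.252.0)."""
    return bin(to_int(mask)).count("1")


# Entries of the form (subnet mask, network address, next hop), as in the notes.
# Constructed example: two /22 subnets of 128.10.0.0, a /24 carved out of the
# second one (variable-length subnetting), and a default route (mask 0 matches all).
ROUTES = [
    ("255.255.252.0", "128.10.0.0", "128.10.0.1"),
    ("255.255.252.0", "128.10.4.0", "128.10.4.1"),
    ("255.255.255.0", "128.10.4.0", "128.10.4.2"),
    ("0.0.0.0", "0.0.0.0", "128.10.0.254"),
]


def lookup(dest: str, routes=ROUTES, longest_match: bool = True) -> Optional[str]:
    """Find the next hop for dest.

    For each entry, AND the destination with the entry's mask and compare the
    result with the network address.  With longest_match=True, ties between
    overlapping entries go to the most specific (longest) mask.  With False the
    first match in table order wins, which is the inconsistent interpretation
    the notes warn about when subnets of different lengths overlap."""
    d = to_int(dest)
    best = None
    for mask, net, hop in routes:
        m = to_int(mask)
        if d & m != to_int(net):
            continue
        if not longest_match:
            return hop
        bits = bin(m).count("1")
        if best is None or bits > best[0]:
            best = (bits, hop)
    return best[1] if best else None


def find_overlaps(routes=ROUTES) -> List[Tuple[str, str]]:
    """Pairs of entries that some destination address would match simultaneously.

    Two prefixes overlap exactly when they agree on all bits of the shorter mask.
    The default route (mask 0) is skipped because it overlaps everything by design."""
    entries = [(to_int(m), to_int(n), f"{n}/{prefix_len(m)}")
               for m, n, _ in routes if to_int(m) != 0]
    overlaps = []
    for i, (m1, n1, s1) in enumerate(entries):
        for m2, n2, s2 in entries[i + 1:]:
            common = m1 & m2
            if n1 & common == n2 & common:
                overlaps.append((s1, s2))
    return overlaps


if __name__ == "__main__":
    print(extract_network("128.10.5.7", "255.255.252.0"))
    print(lookup("128.10.4.9"), lookup("128.10.4.9", longest_match=False))
    print(find_overlaps())
```

For 128.10.4.9 the longest-match lookup returns the /24's next hop while first-match returns the /22's; `find_overlaps` flags exactly that pair, which is the check a site should run over its table before deploying variable-length subnets.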
III. Classless Addressing (Supernetting)

The subnetting technique above, while useful, still would not prevent exhaustion of the IP address space.
- It still did not make use of the Class C address space.
Subnet addressing was invented in the early 1980's.
In 1993, work began on a new version of IP, IPv6, with much larger addresses.
- 128 bits per address; addresses would never be exhausted.
- From 32 bits to 128 bits: from 2^32 (about 4 billion) to 2^128 (about 3.4 x 10^38, on the order of (4 billion)^4).
Until the work on IPv6 could be completed, a temporary solution was devised.
- This "temporary" solution has made a transition to IPv6 seem unnecessary to some people.
- Along with Network Address Translators (NATs), which will be discussed later in this lecture.
Called classless addressing, supernet addressing, or supernetting.
- Allows the addresses for one organization to span multiple classed prefixes.

Example: Medium-sized organization
- A Class C cannot accommodate more than 254 hosts.
- A Class B has more addresses and can support subnetting.
- Supernetting can support the same objectives without allocating a Class B at all.
- 256 Class Cs have the same number of addresses as one Class B.
  - Supernetting allows assignment of 256 Class C addresses instead of one Class B.
  - So a Class B need not be used.
Or fewer Class C addresses can be allocated if that many are not needed.
- These Class C addresses are all contiguous (an unbroken sequence of addresses).
- They could come from an ISP that has a batch of Class C addresses it can allocate.
  - So organizations (ISPs) can allocate addresses to other organizations.

Classless Interdomain Routing (CIDR)

Effect of Supernetting on Routing
- If we allocate many Class C addresses, this increases router demands dramatically.
  - Much larger routing tables from many more networks.
  - Many more entries to search and maintain.
- If all the Class C addresses are in one contiguous block, we can simplify.
- CIDR requires two items to specify a block of addresses:
  - The 32-bit value of the lowest address in the block.
  - A 32-bit mask.
- The size of a block of addresses must be a power of two.
Example (the figure is not reproduced here):
- The range of addresses above share the same first 21 bits.
- A mask for that would have 21 1's: 11111111 11111111 11111000 00000000
- This gives a block of 2^11 = 2048 addresses, of which 2^11 - 2 = 2046 are usable host addresses.
CIDR addresses are simplified using a slash notation.
- For the block above, the address could be said to be 128.211.168.0 with a mask of 255.255.248.0.
- Alternatively, it could be designated as 128.211.168.0/21, since it is a mask with 21 1's.

CIDR does not require allocation of Class C address blocks.
- Blocks can be smaller than a Class C, even networks of 4 hosts.
- A block only needs to be a contiguous range of addresses that can be specified by a mask that covers the range.
  - This places some restrictions on how addresses can be assigned (see homework problems).
- Example: Allocation of 8 addresses in the range 128.211.168.2 to 128.211.168.9.
    128.211.168.2 = 10000000 11010011 10101000 00000010
    128.211.168.9 = 10000000 11010011 10101000 00001001
  - A CIDR allocation including those addresses would have to be 128.211.168.0/28, because of the need to create a mask that covers the addresses: only the first 28 bits are in common.
  - But this would allocate the range 128.211.168.0 to 128.211.168.15 (16 addresses instead of 8).
  - A better range would be 128.211.168.0 to 128.211.168.7, which is 128.211.168.0/29.
  - Another option would be 128.211.168.8/29, for 128.211.168.8 to 128.211.168.15.
  - Both options would use only 8 addresses.

UMKC addressing
Let's look at some UMKC addresses.
    www.umkc.edu         134.193.82.1
    www.sice.umkc.edu    134.193.2.78
    unofficial.umkc.edu  134.193.82.43
    ftp.umkc.edu         134.193.4.7
These are based on a Class B address allocated to UMKC.
From these addresses alone, however, we would not have to have a Class B network. What could it be? How many hosts would it have?
    134.193.82.1  = 10000110 11000001 01010010 00000001
    134.193.82.43 = 10000110 11000001 01010010 00101011
    134.193.2.78  = 10000110 11000001 00000010 01001110
    134.193.4.7   = 10000110 11000001 00000100 00000111
- 17 bits are shared in common.
- 134.193.0.0/17, with 2^15 - 2 = 32766 hosts.
- Instead of 134.193.0.0/16 (Class B), with 2^16 - 2 = 65534 hosts.

The real story for UMKC
- UMKC's primary address is the entire Class B range of 134.193.
- Most buildings have subnets of 254 addresses, like a Class C, for example 134.193.50.1 to 134.193.50.254.
- Some of the larger buildings, like Flarsheim Hall, have subnets made up of 1024 addresses.
Example: The following requests for network address allocations are received (in this chronological order).
Requests:
- Network A: 2046 hosts
- Network B: 1022 hosts
- Network C: 126 hosts
Use CIDR address allocation for the requests above. The last allocated address before these requests were received is 134.193.10.255. Give the CIDR address that would be stored in routing tables for each of these networks. Use open spaces that may have been left over from previous allocations.

Start: 134.193.11.0 (third octet 11 = 00001011)

Net A => 2046 = 2^11 - 2 => 11 host bits, 3 of them in the third octet.
- The 2048 addresses will share the first 21 bits.
- Need the last two octets to look like xxxxx000.00000000.
- So the next available block starts at 00010000.0 (16.0) and uses the range 16.0 to 00010111.11111111 (23.255).
- 134.193.16.0/21
- Unused: 11.0 to 15.255, and everything above 24.0.

Net B => 1022 = 2^10 - 2 => 10 host bits, 2 of them in the third octet.
- Need xxxxxx00.00000000.
- So the next available block (searching from 134.193.11.0) starts at 00001100.0 (12.0) and uses the range 12.0 to 00001111.11111111 (15.255).
- 134.193.12.0/22
- Unused: 11.0 to 11.255, and everything above 24.0.

Net C => 126 = 2^7 - 2 => 7 host bits, only 7 of the 8 bits in the last octet.
- Need xxxxxxxx.x0000000.
- So the next available block (searching from 134.193.11.0) starts at 00001011.00000000 (11.0) and uses the range 11.0 to 00001011.01111111 (11.127).
- 134.193.11.0/25
- Unused: 11.128 to 11.255, and everything above 24.0.
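The CIDR arithmetic used over the last three pages (the common-prefix count for the UMKC addresses, the smallest block covering 128.211.168.2 to .9, and the aligned first-fit allocation just worked by hand), as an added example that is not code from the lecture notes. It generalizes the hand computation: `allocate` handles any list of requests in arrival order and reuses gaps left by earlier, larger blocks, which is what the "use open spaces" instruction asks for. All addresses are the ones that appear in the notes; the fourth request in the usage section is constructed.

```python
"""CIDR prefix, covering-block and first-fit allocation arithmetic (added example)."""
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Tuple


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value))


def mask_for(prefix: int) -> int:
    """32-bit mask with `prefix` leading 1 bits (prefix 0 gives an all-zero mask)."""
    return ((1 << prefix) - 1) << (32 - prefix)


def common_prefix_len(addrs: Iterable[str]) -> int:
    """Number of leading bits shared by every address in addrs."""
    ints = [to_int(a) for a in addrs]
    for bits in range(32, -1, -1):            # longest candidate first
        if len({i & mask_for(bits) for i in ints}) == 1:
            return bits
    return 0


def smallest_covering_block(lo: str, hi: str) -> str:
    """Smallest single CIDR block that contains both lo and hi."""
    bits = common_prefix_len([lo, hi])
    return f"{to_dotted(to_int(lo) & mask_for(bits))}/{bits}"


def block_range(block: str) -> Tuple[str, str]:
    """First and last address of a block written as net/prefix."""
    net, p = block.split("/")
    size = 1 << (32 - int(p))
    first = to_int(net) & mask_for(int(p))
    return to_dotted(first), to_dotted(first + size - 1)


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose block has 2^(32-p) - 2 usable addresses >= hosts."""
    p = 32
    while (1 << (32 - p)) - 2 < hosts:
        p -= 1
    return p


def allocate(requests: List[Tuple[str, int]], start: str) -> Dict[str, str]:
    """First-fit CIDR allocation in arrival order.

    A block of 2^k addresses must start on a multiple of 2^k (that is the
    'xxxxx000.00000000' alignment in the hand computation), so a large request
    may skip past a gap that a later, smaller request can then fill."""
    taken: List[Tuple[int, int]] = []          # (first, last) of allocated blocks
    base = to_int(start)
    result: Dict[str, str] = {}
    for name, hosts in requests:
        p = prefix_for_hosts(hosts)
        size = 1 << (32 - p)
        cand = -(-base // size) * size         # round start up to the alignment
        while True:
            clash = [last for first, last in taken
                     if cand <= last and cand + size - 1 >= first]
            if not clash:
                break
            # jump past the highest conflicting block and realign
            cand = -(-(max(clash) + 1) // size) * size
        taken.append((cand, cand + size - 1))
        result[name] = f"{to_dotted(cand)}/{p}"
    return result


if __name__ == "__main__":
    umkc = ["134.193.82.1", "134.193.82.43", "134.193.2.78", "134.193.4.7"]
    print(common_prefix_len(umkc))                                    # 17
    print(smallest_covering_block("128.211.168.2", "128.211.168.9"))   # 128.211.168.0/28
    # A fourth, constructed request of 62 hosts lands in the space left over by C.
    print(allocate([("A", 2046), ("B", 1022), ("C", 126), ("D", 62)], "134.193.11.0"))
```

The allocator is deliberately the naive strategy the exercise describes; production registries also track expiry, reserve growth room next to each block, and never hand out the first block below the previous allocation's boundary without checking reverse-DNS and routing advertisements, none of which this exercise models.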
Routing information
- CIDR is used throughout the Internet, so CIDR addresses must be transferred inside and between multiple organizations.
- Routing protocols were modified to send both addresses and masks.

Blocks reserved for private networks
- The IETF has defined a set of prefixes that are reserved for private networks (RFC 1918).
- They are never used for addresses on the global Internet.
- In addition to a Class A block (10.0.0.0/8) and a block of 256 Class C networks (192.168.0.0/16), a CIDR block of 16 Class B networks (172.16.0.0/12) was defined.

Chapter 19 - Private Network Interconnection (VPN, NAT)

IV. Network Address Translation (Section 19.6ff and RFC 3022)

Private networks can use their own addressing schemes.
- They do not need globally unique addresses.
- They do not need to use up IPv4 addresses.
- A private network can use a small number of globally unique addresses to interact outside the network.
- Inside the private network it can use as many addresses as it wishes: all 32 bits are available, but operators normally use the CIDR private address ranges.
- Any address renumbering inside the network can be avoided.
Hosts inside the network only need a globally unique address when they wish to communicate outside the network.
- Assumption: Only a few globally unique addresses are needed at any one time. They can be shared and reallocated as needed.
- But addresses do not even really need to be allocated to hosts. All that is really needed is a translation function.
- Each host uses a private address inside the network.

Formally called Network Address Translation (NAT).
- All datagrams pass through a device informally called a NAT box to get to the global Internet.
- The NAT box changes the address to be appropriate for the global Internet.
- The source address is now assigned by the NAT box.
  - A globally unique address.
  - A NAT box could have a set of addresses it can use.
- To the rest of the world, it looks like all packets come from the NAT box.

For outgoing datagrams: Replace the source address with a globally unique address. Easy.
For incoming datagrams: Replace the NAT box address with the internal private address. More complicated.
- How does the NAT box know which internal address applies to a datagram it receives from the Internet?
- In general, a NAT box must have a translation table, translating from information in a received datagram to an internal private address.
- If there is no entry in the translation table for a datagram, the datagram cannot be delivered.
The table can be manually configured.
- With static translations that are always used.
- With no entry in the table, a host will not be able to send outgoing datagrams or receive incoming datagrams.
The table can be filled based on outgoing datagrams.
- Any host can send an outgoing datagram. The NAT box will remember the address it uses.
- With this approach, communication cannot be initiated from a host outside the network.
  - Why? The NAT box would not know which internal address to use.
The table could be filled based on other information, like web addresses (domain names).
Most implementations use outgoing datagrams to initialize the table.

Port-mapped NAT
Upper-layer protocols use the concept of ports in addition to the IP address.
- As with UDP and TCP (discussed in a later lecture).
- IP only specifies the destination host for a datagram.
  - But a host may be executing multiple processes simultaneously.
  - The real destination of a datagram is one of those processes.
- But it is difficult to send a datagram to a process.
  - Processes are created and destroyed dynamically.
  - We would like to replace processes and still receive datagrams.
  - We need to identify destinations by the functions they implement without needing to know the specific process.
- Therefore, each machine contains a set of abstract destination points called protocol ports.
  - Identified by a positive integer.
  - The local operating system provides an interface mechanism to those ports.
In general, ports are buffered.
- Packets for a particular port are buffered.
- A process extracts packets when it is ready.
So, to conduct communication between applications, the sending application needs to know both the IP address and the port number.

NAT can use TCP or UDP port numbers as well as addresses.
- Sometimes called Network Address Port Translation (NAPT).
- There are 16 bits worth of port numbers.

Simple example: A network could have one globally unique IP address, say 128.10.0.0, and each host application would have a port.
- Say 10.0.0.5 is using port 21023 for a particular application: (10.0.0.5 / 21023).
- Then the NAT box sends this packet out onto the global Internet with source address and source port (128.10.0.0 / 14003).
- Packets that arrive at 128.10.0.0 for port 14003 are sent to 10.0.0.5 / 21023.
- A unique port number must be assigned for each communication on the external Internet (in this case it was 14003).
- So, a NAT box will assign both an IP address and a port number to outgoing packets.

Advantages of port-mapped NAT
- Can conceptually use only a single global IP address.
  - Without port-mapped NAT, the number of computers that can be accessing the Internet at one time is limited to the number of addresses available to the NAT box.
  - With port-mapped NAT, there is no practical limit (16 bits of port numbers, 65536 ports).
Disadvantage
- Depends on TCP and UDP.
Complications in implementing NAT
- Error messages must be handled properly (ICMP errors carry a copy of the offending datagram's header, which also needs translating).
- NAT will not work with applications that send IP addresses or protocol ports as data.
  - Maybe if it is a standard application, like the File Transfer Protocol (FTP), a special translator can be created.
  - But then the packets could not be encrypted by the end host, since NAT would need to be able to read the packet and change it.
  - So a security weakness exists: NAT rules out end-to-end encryption for such applications.
- NAT also compromises the robustness, security, performance, and manageability of the Internet.
- It is more difficult to coordinate with hosts behind a NAT box.
- Since NAT usually uses outgoing datagrams to initialize the table, some applications that are initiated from the outside cannot be executed.
  - Unless allowed on an exceptional basis using manually configured permanent address maps for pre-selected hosts/host ports.
- What are examples of applications where unsolicited incoming datagrams are common and where NAT will not work without special functionality? IP telephony, peer-to-peer games, home servers, file sharing.
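The port-mapped NAT behaviour described over the last four pages, as an added example that is not code from the lecture notes: the translation table is filled from outgoing datagrams, an inbound datagram with no table entry is dropped, and a manually configured permanent map lets one pre-selected internal server be reached from outside. The internal host 10.0.0.5/21023, the public address 128.10.0.0 and the port 14003 are the notes' own values; the remote addresses (198.51.100.7, 203.0.113.4, from the documentation ranges) and the static server 10.0.0.9/8080 are constructed.

```python
"""Port-mapped NAT (NAPT) translation table (added example; remote hosts constructed)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    """Only the fields NAPT rewrites or matches on; transport is assumed TCP or UDP."""
    src: str
    sport: int
    dst: str
    dport: int


class NaptBox:
    def __init__(self, public_ip: str, first_port: int = 14003,
                 static_map: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port) -> public port, and the reverse direction
        self.outbound_table: Dict[Tuple[str, int], int] = {}
        self.inbound_table: Dict[int, Tuple[str, int]] = {}
        # Manually configured permanent entries for pre-selected hosts/ports,
        # the exceptional case that lets outside parties initiate a connection.
        for public_port, internal in (static_map or {}).items():
            self.inbound_table[public_port] = internal
            self.outbound_table[internal] = public_port

    def _allocate_port(self) -> int:
        """Each external conversation needs its own public port; 16 bits are available."""
        while self.next_port in self.inbound_table:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, d: Datagram) -> Datagram:
        """Private -> Internet: replace source address and port, remembering the mapping."""
        key = (d.src, d.sport)
        if key not in self.outbound_table:       # first datagram from this socket
            port = self._allocate_port()
            self.outbound_table[key] = port
            self.inbound_table[port] = key
        return Datagram(self.public_ip, self.outbound_table[key], d.dst, d.dport)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Internet -> private: look up the public port; no entry means no delivery."""
        if d.dst != self.public_ip or d.dport not in self.inbound_table:
            return None
        ip, port = self.inbound_table[d.dport]
        return Datagram(d.src, d.sport, ip, port)


if __name__ == "__main__":
    box = NaptBox("128.10.0.0", static_map={80: ("10.0.0.9", 8080)})
    out = box.outbound(Datagram("10.0.0.5", 21023, "198.51.100.7", 80))
    print(out)                                                        # 128.10.0.0:14003 -> 198.51.100.7:80
    print(box.inbound(Datagram("198.51.100.7", 80, "128.10.0.0", 14003)))  # back to 10.0.0.5:21023
    print(box.inbound(Datagram("198.51.100.7", 80, "128.10.0.0", 5000)))   # None: unsolicited, dropped
    print(box.inbound(Datagram("203.0.113.4", 40000, "128.10.0.0", 80)))   # static map to 10.0.0.9:8080
```

Two simplifications are worth knowing about. The table here is keyed only on the internal (address, port) pair, so any outside host that learns the public port can reach the internal socket; real NAPT implementations usually also match the remote address and port, and they expire entries after a timeout, otherwise the 16-bit port space fills up with dead mappings. Neither changes the lesson: nothing arrives inside unless an entry exists, and entries come from outgoing traffic or from static configuration.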
So, how does one summarize the effectiveness of NAT at slowing down the exhaustion of IPv4 addresses?
- One address can be used for many hosts. Very good so far.
- But it will be less effective as peer-to-peer applications become popular.

Chapter 31 - A Next Generation IP (IPv6)
Also: from a very good overview of IPv6 by Steve Deering of Cisco, coauthor of the RFC and co-chair of the working group. He gave this presentation at UMKC a couple of years ago.
http://www.cisco.com/warp/public/779/largeent/programs/hets/0602/5488_06_2002_d_c2_ipv6.pdf

V. The Future of TCP/IP
IPv4 has operated well since the late 1970's.
But the 32-bit address space is being exhausted.
- Comer predicts all addresses will be gone by 2019.
- Even with CIDR. Even with NAT.
- Even with some organizations, like Stanford, reallocating their addresses and giving back unused addresses. (See http://www.nwfusion.com/news/2000/0124ipv4.html, where Stanford gave back its Class A address.)
Even with 4 billion possible addresses, only about 250 million are usable (see RFC 3194).
- There is waste in every address allocation, and it multiplies through the levels of the addressing hierarchy.
- Today there are 100 to 150 million devices.
- Address allocations must still be very conservative.
- Most existing address allocations will not likely be given back.
  - See http://www.ipindex.de for the list of how the address space is currently allocated.
  - Especially look at the /8 addresses held by specific organizations (General Electric, IBM, AT&T Bell Laboratories, Xerox, Ford, MIT, and MERIT).
  - MERIT is an educational network in Michigan, analogous to MOREnet in Missouri.
  - 16 million addresses for each of these organizations!?

Steve Deering said the ONLY compelling reason for IPv6 is more addresses!
- Billions of new users in Japan, China, India, etc.
- Billions of new IP-enabled devices: mobile phones, cars, appliances, etc.
- Always-on access for home devices through DSL, cable modems, etc.
- To phase out NAT, because of its limitations that were discussed above.
- Business demands (the only demands that really mean anything):
  - Demand for cellular wireless services in Asia and Europe.
  - Demand for Internet gaming (peer-to-peer).
- Microsoft includes IPv6 in Windows XP (by default it is not enabled).

If IP is to be replaced, we can implement new features as well.
- Processing power in routers is much different than in the 1970's.
- New types of capabilities: support for real-time applications, network resource reservations, electronic commerce, built-in security.
IPv6
- Started under the IPng effort (Next Generation IP).
- Version 5 was taken by an experimental protocol, due to a misunderstanding.
- The designers call IPv6 basically the same as IPv4 with a few modifications. Not a radical change.
- No fundamental changes to the IPv4 routing and QoS model.

Features
- Larger addresses: 128 bits.
  - From 2^32 (about 4 x 10^9) to 2^128 (about 3.4 x 10^38) possible addresses.
  - Enough for an enormous number of addresses for each square meter of the Earth's surface.
  - Address representation can be done several ways.
- Additional levels of addressing hierarchy are possible (multiple levels of subnetting).
- Flexible header formats.
  - Entirely new datagram format.
  - Improved options fields.
  - Ability to extend the protocol in the future.
- Support for autoconfiguration and renumbering.
- Support for QoS resource allocations.

The protocol spec puts more functions into options fields.
- IPv6 calls options extension headers.
- For example, fragmentation information is put in an extension header.
  - Routers never fragment; only the source may, and only by using the Fragment extension header.
  - The source can either rely on the guaranteed minimum link MTU of 1280 octets or use path MTU discovery (probing).
  - The source makes sure datagrams are the correct size before they are sent out.
- No header checksum.
  - Expensive to compute: 50% of the instructions in current IPv4 router code are for checksums.
  - Assumes TCP/UDP and Layer 2 devices check for errors.
- The header length field was eliminated (the base header has a fixed length).
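What "the source makes sure datagrams are the correct size" amounts to in practice, as an added example (not code from the lecture notes): given a payload and a path MTU, compute the fragment offsets, sizes and more-fragments flags a sending host would put in Fragment extension headers. The 40-octet base header, 8-octet Fragment header and 1280-octet minimum MTU are the real IPv6 values; the payload lengths in the usage section are constructed, and the example assumes the base header is the only unfragmentable part (no other extension headers).

```python
"""IPv6 source-side fragmentation sizing (added example)."""
from typing import List, Tuple

IPV6_BASE_HEADER = 40   # fixed length, which is why no header length field is needed
FRAGMENT_HEADER = 8     # Fragment extension header, present only when fragmenting
MIN_LINK_MTU = 1280     # every IPv6 link must carry at least this

Fragment = Tuple[int, int, bool]   # (offset in 8-octet units, payload length, more-fragments flag)


def fragment_plan(payload_len: int, path_mtu: int = MIN_LINK_MTU) -> List[Fragment]:
    """Fragments the source would emit for a payload of payload_len octets.

    Routers do not fragment in IPv6, so the sender sizes every piece to the
    path MTU (or to 1280 if it has not probed the path).  Assumption of this
    example: the base header is the only unfragmentable part."""
    if path_mtu < MIN_LINK_MTU:
        raise ValueError("path MTU below the IPv6 minimum")
    room = path_mtu - IPV6_BASE_HEADER
    if payload_len <= room:
        return [(0, payload_len, False)]          # fits: no Fragment header at all
    # Every fragment but the last must carry a multiple of 8 octets, because the
    # 13-bit offset field counts 8-octet units.
    per_fragment = (room - FRAGMENT_HEADER) // 8 * 8
    plan: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        n = min(per_fragment, payload_len - offset)
        plan.append((offset // 8, n, offset + n < payload_len))
        offset += n
    return plan


def max_wire_size(plan: List[Fragment]) -> int:
    """Largest packet the plan puts on the wire, to check it never exceeds the MTU."""
    if len(plan) == 1 and not plan[0][2]:
        return IPV6_BASE_HEADER + plan[0][1]      # unfragmented: no Fragment header
    return IPV6_BASE_HEADER + FRAGMENT_HEADER + max(n for _, n, _ in plan)


if __name__ == "__main__":
    plan = fragment_plan(3000)                    # constructed 3000-octet payload, minimum MTU
    print(plan, max_wire_size(plan))              # three pieces, each packet at most 1280
    print(fragment_plan(3000, path_mtu=1500))     # after probing an Ethernet-sized path
```

The IPv4 contrast is the point: an IPv4 router that hits a smaller link fragments on the fly; an IPv6 router instead drops the packet and returns an ICMPv6 Packet Too Big, so a sender that never probes and never honours those messages must stay at 1280 to be safe.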
The transition to IPv6 is a big issue.
- IPv6 has been slow to catch on.
- It requires a costly and time-consuming upgrade to the Internet's backbone and edge systems.
- IPv4 and IPv6 can be operated at the same time (dual stack).
- IPv6 packets can be carried inside IPv4 packets (tunneling) through IPv4-only areas.
- IPv6 packets can be translated to IPv4 packets.
- Demand for IPv6 gear is small.
  - Vendors are starting to supply more products, however.
  - But vendor products in many cases are missing pieces for a full IPv6 implementation.
- IPv4 and its supporting technologies can already do a lot of what IPv6 does, but without the larger addresses. So, beyond the addresses, not much is gained with IPv6.

Next lecture: Internet control messages.