Friday, July 10, 2015

TCP/IP, Subnet Masking, CIDR, Default Gateways, and DHCP

TCP/IP

TCP/IP is a collection of protocols. The two main protocols we need to be concerned with are TCP (Transmission Control Protocol), which enables two hosts to connect and exchange data, and IP (Internet Protocol), which handles the routing of information (packets) between servers and devices within a network. TCP/IP is therefore categorized as a routable protocol: you can divide a network into subnetworks and define the communication channels between them. With a non-routable protocol, all devices communicate directly with one another, which ends up resulting in extremely inefficient bandwidth utilization.

By dividing the hosts across subnetworks that connect to the outside world through a router, you not only get more efficient communication but also more IP addresses to go around, since we don't need to allocate a unique IP address to every single device. Now that we have a better idea of what a subnetwork is in relation to the network, let's talk about the different components of a subnetwork.

Subnet Mask

A Subnet Mask lets you mask an IP address in order to distinguish which part of that address belongs to the network and which part belongs to the host. It has the same basic structure as an IP address: a 32-bit number broken up into four octets. In a Subnet Mask, all the network bits are set to 1 and all the host bits are set to 0. Let's take a look at an example.

You may have seen a Subnet Mask that looks something like 255.255.255.0. Let's break this down a bit (pun intended).

     255.     255.     255.       0
11111111.11111111.11111111.00000000

So all we've done here is show how the Subnet Mask is represented in individual bits. Because we're dealing with octets, and every bit position is worth 2^n, the highest value you can achieve for each octet is 255. Take a look at the following. Going from right to left, we raise 2 to the power of n, starting with n = 0.

  1    1    1    1    1    1    1    1
2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128   64   32   16    8    4    2    1

128+64+32+16+8+4+2+1 = 255

And remember, the 1s are reserved for the network, and the 0s are reserved for the hosts. So in the above Class C Subnet Mask, we have more bits available for the network and only 256 addresses for the devices. This is because we can only represent 256 possible values (0 is included) with that last octet before we run out. So for this subnet, if our address was 172.71.10.0, we could use any address between that and 172.71.10.255 for the devices within that network.

If you have more than 255 devices that will need IP addresses, you should use a Subnet Mask that accommodates them. Say you need addresses for 258 devices; your Subnet Mask would then need to be:

     255.     255.     252.       0
11111111.11111111.11111100.00000000

This takes away 3 addresses from the network and frees up 3 more addresses for the devices because:

  1    1    1    1    1    1    0    0
2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128   64   32   16    8    4    0    0

128+64+32+16+8+4+0+0 = 252

Everything to the left must be 1s, and everything to the right must be 0s. Here's another way to visualize it:

                NETWORK | HOSTS
                        |
11111111.11111111.111111|00.00000000

Hopefully, that was easy to understand. If you're still having a hard time wrapping your head around it, check the Related Resources section at the bottom of this article.

CIDR

Classless Inter-Domain Routing, or CIDR (pronounced like cider), is another way of understanding the Subnet Mask. It tells you, counting from left to right, how many bits of the mask are network bits, without actually writing out the 255.255.252.0 mask. The notation looks like this instead: 172.71.10.0/22. From that one address you can work out how many bits are allocated to the network and how many are left for the hosts. Let's break this down. From left to right, let's count up to 22.

11111111.11111111.11111100.00000000

So again, from left to right, you can count 22 one-bits, which conveniently equals 255.255.252.0, our mask from before.
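To make the Subnet Mask and CIDR sections above concrete, here is an added example (my own code, not something from the original post) that does the same octet math with integer bit operations: dotted mask to binary, prefix length to mask and back, and the network, broadcast and address-count facts for an address written in CIDR form. The addresses and prefixes are the post's own (172.71.10.0, 255.255.255.0, 255.255.252.0, /22); the function names are mine.

```python
# Added example, not code from the original post: subnet-mask and CIDR
# arithmetic with plain integer bit operations so the octet math stays visible.


def ip_to_int(addr: str) -> int:
    """Parse a dotted-quad IPv4 address into a 32-bit integer, rejecting bad octets."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: 32-bit integer back to dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Dotted binary form, e.g. 255.255.252.0 -> 11111111.11111111.11111100.00000000"""
    return ".".join(format(int(o), "08b") for o in addr.split("."))


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length -> dotted mask, e.g. 22 -> 255.255.252.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    # `prefix` one-bits on the left, the remaining (32 - prefix) bits zero
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> CIDR prefix length, e.g. 255.255.252.0 -> 22.

    A mask must be a run of 1s followed only by 0s, so 255.0.255.0 is rejected.
    """
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if ip_to_int(prefix_to_mask(prefix)) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def describe(cidr: str) -> dict:
    """Network, broadcast and host-count facts for an address written as a.b.c.d/n."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & ip_to_int(mask)  # the mask's 1s keep the network part
    host_bits = 32 - prefix
    size = 1 << host_bits                         # 2^host_bits addresses in the block
    return {
        "mask": mask,
        "mask_binary": to_binary(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(network | (size - 1)),  # all host bits set to 1
        "host_bits": host_bits,
        "addresses": size,
        # The network and broadcast addresses are not assignable to devices;
        # /31 point-to-point links (RFC 3021) and /32 are the exceptions.
        "usable_hosts": max(size - 2, 0),
    }


if __name__ == "__main__":
    for cidr in ("172.71.10.0/24", "172.71.10.0/22"):
        for key, val in describe(cidr).items():
            print(f"{cidr:16} {key:13} {val}")
```

Running it on 172.71.10.0/22 shows a detail worth knowing: with the third octet masked by 252, the network address is 172.71.8.0, so the block runs from 172.71.8.0 to 172.71.11.255 (1024 addresses, 10 host bits). Python's standard library does the same check; `ipaddress.ip_network("172.71.10.0/22")` raises a ValueError because host bits are set, and you need `strict=False` to have it normalise to 172.71.8.0/22.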

Default Gateway

The Default Gateway is the router that separates your network from the internet. So when your device needs to connect to a server or reach a website, it will first try to make the request within your local network. If that is unsuccessful, it will rely on the Default Gateway to forward the request on to outside networks.
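The "local network first, otherwise the Default Gateway" rule is really a routing-table lookup, and the added example below (my code, not from the original post) generalises it to a small table with longest-prefix match: the on-link /22 is delivered directly, a more specific route goes via another router, and the 0.0.0.0/0 entry is the Default Gateway that catches everything else. The host address 172.71.10.5/22, the gateways 172.71.8.1 and 172.71.8.2, and the 10.0.0.0/8 route are constructed for the example; only the /22 network comes from the post.

```python
# Added example, not code from the original post: a host's next-hop decision
# as a routing-table lookup with longest-prefix match, using the standard
# library's ipaddress module for the mask arithmetic.
import ipaddress

# Constructed host configuration (assumed, not from the post).
HOST_IP = "172.71.10.5/22"
ON_LINK = str(ipaddress.ip_interface(HOST_IP).network)  # "172.71.8.0/22"

# (destination prefix, next hop). None means on-link: deliver directly, no
# router involved. The 0.0.0.0/0 entry is the Default Gateway; it contains
# every address, so it only wins when nothing more specific matches.
ROUTES = [
    (ON_LINK, None),
    ("10.0.0.0/8", "172.71.8.2"),  # assumed: a second router on the LAN
    ("0.0.0.0/0", "172.71.8.1"),   # assumed: the Default Gateway
]


def _parsed(routes):
    """Turn the string table into ipaddress objects."""
    return [
        (ipaddress.ip_network(prefix), None if gw is None else ipaddress.ip_address(gw))
        for prefix, gw in routes
    ]


def validate_routes(routes=ROUTES) -> None:
    """Every gateway must itself be on-link, or the host could never hand packets to it."""
    parsed = _parsed(routes)
    on_link = [net for net, gw in parsed if gw is None]
    for net, gw in parsed:
        if gw is not None and not any(gw in link for link in on_link):
            raise ValueError(f"gateway {gw} for {net} is not on a directly connected network")


def next_hop(dest: str, routes=ROUTES) -> tuple:
    """Return (matched prefix, where the packet is sent) for a destination address.

    Longest-prefix match: the most specific containing route wins, so the
    default route is used only when no other entry contains the destination.
    """
    dst = ipaddress.ip_address(dest)
    best = None
    for net, gw in _parsed(routes):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dest}")
    net, gw = best
    return str(net), "direct" if gw is None else str(gw)


if __name__ == "__main__":
    validate_routes()
    for dest in ("172.71.9.20", "10.1.2.3", "192.0.2.10"):
        print(f"{dest:14} -> {next_hop(dest)}")
```

The `validate_routes` check is the one that bites in practice: a default gateway that is not inside your own subnet (for example after a mask typo) is silently unreachable, and every off-link packet is dropped at the host.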

DNS

We've become pretty familiar with IP addresses at this point, but if I were to challenge you to give me an IP address off the top of your head, you probably couldn't. This is mainly because we've grown accustomed to navigating the internet by way of search or something called a domain name. An example of a domain name is the www.google.com in https://www.google.com. DNS stands for Domain Name System, and it maps domain names to IP addresses so that our computers actually know how to locate the servers behind all of these applications and websites.

DHCP

The Dynamic Host Configuration Protocol is the mechanism that dynamically allocates IP addresses to most, if not all, of the devices within your network. In addition, it tells each device its Subnet Mask, Default Gateway, and DNS servers, and it keeps a record of what it has already assigned. The devices exempt from this process are the ones where you've manually assigned a static IP address yourself. A common use case for assigning a static address is when you've set up an always-on NAT[1] server that needs to be accessed from work; this is how you expose that server to the outside world. Now, say you haven't paid for a static IP address from your Internet Service Provider. If you have the proper security groups or firewall settings set to allow incoming connections on certain ports (80, 443, 22), you'll still be able to access that machine, but remember, that IP address will change after a certain period of time, based on the Lease Time.
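To show the bookkeeping the DHCP paragraph describes, here is an added example (my code, not from the original post): a toy lease table that hands out addresses from a pool, delivers the Subnet Mask, Default Gateway and DNS settings alongside the address, records what is already assigned, never offers a statically assigned address, and frees an address once its lease time runs out. It models only the server's record-keeping, not the DHCP wire protocol. The pool 172.71.10.100-172.71.10.102, the reserved address 172.71.10.101, the gateway/DNS 172.71.8.1 and the `FakeClock` used to fast-forward time are all constructed for the example; the 255.255.252.0 mask is the post's.

```python
# Added example, not code from the original post: a toy DHCP-style lease table
# (bookkeeping only, no wire protocol). Pool, reservation and option values
# are constructed for the example.
import ipaddress
import time


class FakeClock:
    """Injectable clock so lease expiry can be shown without actually waiting."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LeaseTable:
    def __init__(self, first: str, last: str, lease_seconds: int,
                 options: dict, reserved=(), clock=time.time):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        # Statically assigned addresses are never offered, so a device that was
        # configured by hand cannot collide with a dynamically assigned one.
        self.pool = []
        for n in range(lo, hi + 1):
            ip = str(ipaddress.ip_address(n))
            if ip not in reserved:
                self.pool.append(ip)
        self.lease_seconds = lease_seconds
        self.options = options          # mask, router, DNS handed out with the address
        self.clock = clock
        self.leases = {}                # ip -> (client_id, expiry timestamp)

    def _expire(self, now: float) -> None:
        """Drop leases whose lease time has run out; their addresses become free again."""
        self.leases = {ip: lease for ip, lease in self.leases.items() if lease[1] > now}

    def _grant(self, ip: str, client_id: str, now: float) -> dict:
        self.leases[ip] = (client_id, now + self.lease_seconds)
        return {"ip": ip, "lease_seconds": self.lease_seconds, **self.options}

    def request(self, client_id: str):
        """Give the client an address (renewing if it already holds one); None when the pool is empty."""
        now = self.clock()
        self._expire(now)
        for ip, (owner, _) in self.leases.items():
            if owner == client_id:
                return self._grant(ip, client_id, now)   # renewal keeps the same address
        for ip in self.pool:
            if ip not in self.leases:
                return self._grant(ip, client_id, now)   # first free address in the pool
        return None


# Constructed settings for a /22 LAN using the post's 255.255.252.0 mask.
OPTIONS = {"subnet_mask": "255.255.252.0", "router": "172.71.8.1", "dns": ["172.71.8.1"]}


if __name__ == "__main__":
    clock = FakeClock(1_000_000.0)
    table = LeaseTable("172.71.10.100", "172.71.10.102", lease_seconds=3600,
                       options=OPTIONS, reserved={"172.71.10.101"}, clock=clock)
    print(table.request("aa:bb:cc:00:00:01"))   # .100
    print(table.request("aa:bb:cc:00:00:02"))   # .102, since .101 is reserved
    print(table.request("aa:bb:cc:00:00:03"))   # None, pool exhausted
    clock.advance(3601)                         # every lease has now run out
    print(table.request("aa:bb:cc:00:00:03"))   # .100 is free again
```

The last two calls are the point the paragraph makes about a dynamically assigned address: unless the client keeps renewing, the address goes back into the pool when the lease expires and may be handed to a different device, which is why a server you reach from outside is given a static address instead.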

That's about it for this guide. But now that you know all about IP addresses, it'll be a lot easier to approach setting up a firewall with iptables.
