The Network Layer: IPv4 and IPv6
Part 1
Jean-Yves Le Boudec
2014
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
Contents
1. The Two Principles of IP Unicast
2. IPv4 addresses
3. IPv6 addresses
4. Subnets and Masks
5. NATs
6. ARP
Textbook Chapter 5: The Network Layer
IP Principle #1 = Structured addresses + Longest prefix match
Recall the goal of the Internet Protocol (IP) = interconnect all systems in the world.
Principle #1:
every interface has an IP address
the IP address is structured to reflect where the system is in the world
every packet contains the IP address of the destination
every system has a forwarding table (= routing table) and performs longest prefix match on the destination address
Figure: routers R1, R2, R3 and R4 connecting hosts Lisa (A.H1), Bart (B.D.H2) and Homer (B.C.H2). Each router has a forwarding table that maps address prefixes to output ports; the four tables read (B.* → 2, A.* → 0), (A.* → 1, B.D.* → 2, B.* → 3), (A.* → 1, B.* → 2) and (A.* → 1, B.D.* → 1, B.C.* → 0). A packet to B.D.H2 is forwarded at each router using the longest matching prefix.
IP Principle #2 = Don't use routers inside a LAN
B ↔ E and W ↔ P should not go through a router; W ↔ E goes through a router.
Terminology: LAN = subnet.
IP principle 2 says: between subnets use routers, inside a subnet don't.
Figure: an Ethernet concentrator with hosts B and E, a WiFi base station with hosts W and P, and a router between the two subnets.
We observe a packet from W to P at 1. Which IP destination address do we see?
1. The IP address of P
2. The IP address of an Ethernet interface of the Ethernet concentrator
3. There is no destination IP address in the packet since communication is inside the subnet and does not go through a router
4. I don't know
The Internet Protocol (IP)
Communication between IP hosts requires knowledge of IP addresses.
An IP address is unique across the whole network (= the world in general).
An IP address is the address of an interface.
There are two versions: IPv4 (current version) and IPv6 (next version).
There are two network layers: Internet4 and Internet6.
Terminology:
packet = IP data unit
intermediate system = system that forwards data units to another system; an IP intermediate system is called a "router"
an IP system that does not forward is called a "host"
2. IPv4 addresses
An IPv4 address uniquely identifies one interface in the world (in principle).
An IPv4 address is 32 bits, usually noted in dotted decimal notation.
dotted decimal: 4 integers (one integer = 8 bits)
  example 1: 128.191.151.1
  example 2: 129.192.152.2
hexadecimal: 8 hexa digits (one hexa digit = 4 bits)
  example 1: x80 bf 97 01
  example 2: x81 c0 98 02
binary: 32 bits
  example 1: b1000 0000 1011 1111 1001 0111 0000 0001
  example 2: b1000 0001 1100 0000 1001 1000 0000 0010
Binary, Decimal and Hexadecimal
Given an integer B, "the basis": any integer can be represented in "base B" by means of an alphabet of B symbols. Usual cases are
decimal: 234
binary: 11101010
hexadecimal: ea
Mapping binary <-> hexa is simple: one hexa digit is 4 binary digits
e = 1110, a = 1010, ea = b11101010
Mapping binary <-> decimal is best done by a calculator: 11101010 = 128 + 64 + 32 + 8 + 2 = 234
Special cases to remember: f = 1111 = 15, ff = 11111111 = 255
Example
Figure: a sample network around EPFL and ETHZ. Hosts and routers are labelled with their IPv4 and MAC addresses, e.g. lrcsuns 128.178.156.24 (08:00:20:71:0D:D4), lrcpc3 128.178.156.7 (00:00:C0:B8:C2:8D) and router in-inr 128.178.156.1; routers ed2-in, in-inj, ed2-el, ed0-swi and ed0-ext sit on the EPFL-Backbone, sw-la-01 (128.178.47.5 / 128.178.47.3) connects to the Switch network 130.59.x.x, and ezci7-ethz-switch 129.132.35.1 is on the ETHZ-Backbone.
Network Prefix
Network prefixes are used in routing tables. In 128.178.29/24, /24 is the prefix length in bits.
Extracts from the routing tables at sw-la-01 and at ed0-swi (destination → next hop):
128.178/16 → 128.178.47.5
128.178/16 → 128.178.100.3
0/0 → 130.59.23.2
0/0 → 128.178.47.3
128.178.29/24 → 128.178.100.2
(Router interfaces shown in the figure: 128.178.29.1 on ed2-el, 128.178.100.2.)
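As an added example (not part of the lecture), a longest prefix match lookup in Python over a forwarding table written in the slide's short prefix notation ("128.178/16", "0/0"); the table is constructed from the prefixes and next hops listed on this page.

```python
import ipaddress

def parse_prefix(text):
    """Parse the slide notation '128.178/16' or '0/0' into an IPv4Network.
    Trailing zero octets are omitted in that notation, so pad them back."""
    addr, length = text.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.IPv4Network(".".join(octets) + "/" + length)

def matches(network, address):
    """Prefix test as a router does it: mask the destination and compare."""
    masked = int(address) & int(network.netmask)
    return masked == int(network.network_address)

def longest_prefix_match(table, destination):
    """table: list of (prefix, next_hop). Returns (prefix, next_hop) of the
    most specific matching entry, or None when nothing matches."""
    dest = ipaddress.IPv4Address(destination)
    best = None
    for prefix, next_hop in table:
        net = parse_prefix(prefix)
        if matches(net, dest) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])

# Constructed table using the prefixes and next hops listed on this page.
FORWARDING_TABLE = [
    ("0/0", "130.59.23.2"),
    ("128.178/16", "128.178.47.5"),
    ("128.178.29/24", "128.178.100.2"),
]
```

A destination in 128.178.29/24 matches both the /16 and the /24 entry; the /24 wins because it is the longer prefix, which is what lets a table carry one aggregated /16 plus a few exceptions.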
Special Addresses
0.0.0.0: absence of address
127.0.0/24, for example 127.0.0.1: this host (loopback address)
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16: private networks (e.g. in IEW); cannot be used on the public Internet
169.254.0.0/16: link local address (can be used only between systems on the same LAN)
224/4: multicast
240/5: reserved
255.255.255.255/32: link local broadcast
IPv4 Packet Format
Figure: header of 20 bytes (+ options, if any), followed by the payload. The header carries the source and destination addresses and the "higher layer protocol" field (1 = ICMP, 6 = TCP, 17 = UDP).
We will see the functions of the fields other than the addresses in a following module.
3. IPv6 Addresses
The current IP is IPv4. IPv6 is the next version of IP.
Why a new version? The IPv4 address space is too small (32 bits → 4 ⋅ 10 addresses).
What does IPv6 do? Redefine the packet format with a larger address: 128 bits (3 ⋅ 10 addresses). Otherwise essentially the same as IPv4.
IPv6 is incompatible with IPv4; routers and hosts must handle both separately.
A can talk to W, B can talk to W, A and B cannot communicate.
Figure: host A (IPv6 only: HTTP, TCP, IPv6, MAC), host B (IPv4 only: HTTP, TCP, IPv4, MAC), web browser W with a dual stack (Application, TCP, IPv6 and IPv4, MAC), and a dual-stack local router.
Routing Tables at ed0-swi
Destination          Next hop
2001:620:618/48      fe80::4%2
::/0                 fe80::1%2
2001:620:618:1a4/64  fe80::1%1
The next hop is written <IP address of next hop>%<interface number>: fe80::4%2 means the link local address fe80::4 reached through interface 2.
Figure: the same network as before with IPv6 addresses added, e.g. in-inr 2001:620:618:1ad::1, ed2-in 2001:620:618:1ac::1, in-inj 2001:620:618:1ac::5, stisun1 128.178.15.7 / 2001:620:618:1a6:1:80b2:f66:1, lrcmac4 2001:620:618:1ad:0a00:20ff:fe78:30f9 (MAC 08:00:20:78:30:F9), ed2-el 128.178.29.1 / 2001:620:618:1a4::1. Interface %1 of ed0-swi leads to the subnet 2001:620:618:10a::/64 and interface %2 to 2001:620:618:10b::/64, where sw-la-01 is 2001:620:618:10b::1 (fe80::1) and the next hop 2001:620:618:10b::4 is fe80::4.
IPv6 addresses are 128 bits long and are written using hexadecimal digits
an EPFL public address: 2001:620:618:1a6:0a00:20ff:fe78:30f9
an EPFL private address: fd24:ec43:12ca:1a6:0a00:20ff:fe78:30f9 (this is a private address)
Compression Rules for IPv6 Addresses
1 piece = 16 bits = [0-4] hexa digits; leading zeroes in one piece are omitted; prefer lowercase
pieces are separated by ":" (colon); one IPv6 address uncompressed = 8 pieces
"::" replaces any number of 0s in more than one piece; it appears only once in an address

uncompressed                              compressed
2002:0000:0000:0000:0000:ffff:80b2:0c26   2002::ffff:80b2:c26
2001:0620:0618:01a6:0000:20ff:fe78:30f9   2001:620:618:1a6:0:20ff:fe78:30f9
A Few IPv6 Global Unicast Addresses
The block 2000/3 (i.e. 2xxx and 3xxx) is allocated for global unicast addresses.
2001:620::/32      Switch
2001:620:618::/48  EPFL
2001:620:8::/48    ETHZ
2a02:1200::/27     Swisscom
2001:678::/29      provider independent address
2001::/32          Teredo
2002::/16          6to4
Examples of Special Addresses
::/128: absence of address
::1/128: this host (loopback address)
fc00::/7 (i.e. fcxx: and fdxx:), for example fd24:ec43:12ca:1a6:a00:20ff:fe78:30f9: unique local addresses = private networks (e.g. in IEW); cannot be used on the public Internet
fe80::/10: link local address (can be used only between systems on the same LAN)
ff00::/8: multicast
ff02::1:ff00:0/104: solicited node multicast
ff02::1/128: link local broadcast
ff02::2/128: all link local routers
IPv6 Packet Format
Figure: header of 40 bytes (+ options, if any), followed by the payload. The source and destination addresses are 16 bytes each; the header also carries the higher layer protocol (e.g. 1 = ICMP, 6 = TCP, 17 = UDP).
We will see the functions of the fields other than the addresses in a following module.
The dotted decimal notation for 80 1: is …
1. 128.193.255.255
2. 228.393.255.255
3. I don't know
The hexadecimal notation «2001::bad:babe» denotes a string of …
1. 32 bits
2. 44 bits
3. 48 bits
4. 64 bits
5. 128 bits
6. None of the above
7. I don't know
4. Subnets and Masks
Recall the IP principles: longest prefix match + routers between subnets only.
An IP system needs to know (in its forwarding table) which addresses are in the same LAN as itself (= "on-link"). This is done using the "subnet mask".
Forwarding table of ed2-in:
dest               next-hop        interface
128.178.15.0/24    On-link         eth0
128.178.10.0/24    On-link         eth1
128.178.182.0/24   On-link         eth2
128.178.156.0/24   128.178.182.5   eth2
0.0.0.0/0          128.178.10.1    eth1
ed2-in has an IPv4 packet to destination address …
… 128.178.15.7: the packet is sent directly to 128.178.15.7
… 128.178.156.24: the packet is sent to in-inr
One IP subnet must correspond to one network part
An IP address is usually interpreted as a network part followed by a host part, e.g. 128.178.151.24 or 2001:620:618:1a6:0a00:20ff:fe78:30f9.
The network part identifies the subnet. One subnet = one LAN. All hosts in the same LAN must have the same network part. The size of the network part may vary:
the EPFL IPv4 network part is 24 bits
the ETHZ IPv4 network part is 26 bits
the IPv6 network part is very often 64 bits
Subnet Mask
A system computes its network part from its IP address using the "subnet mask", configured together with the address
= a string of bits equal to 1 in the network part, to 0 in the host part
network = IP address & mask (bitwise AND)
At EPFL, the IPv4 mask = 255.255.255.0; we could use the notation /24 instead of 255.255.255.0.
128.178.15.7 and 128.178.15.221 are on the same subnet because 128.178.15.7 & 255.255.255.0 = 128.178.15.221 & 255.255.255.0 = 128.178.15.0
The IPv6 mask is very often 64 bits, i.e. = ffff:ffff:ffff:ffff::; writing /64 is the same as saying mask = ffff:ffff:ffff:ffff::
The notation /<length of network part> is also used.
Reserved Addresses with IPv4
0 and «all 1» are often avoided as host part.
Example: 128.178.156.0 and 128.178.156.255 are avoided (to prevent confusion with broadcast).
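The mask arithmetic of the last two slides, as an added Python example (not from the lecture): the network part is the bitwise AND with the mask, two addresses are on-link when their network parts agree, and the two reserved host parts (0 and all 1) follow from the same mask. The /26 address used below is constructed.

```python
import ipaddress

def to_int(dotted):
    """'128.178.15.7' -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return str(ipaddress.IPv4Address(value))

def mask_from_prefixlen(length):
    """/24 -> 255.255.255.0, /26 -> 255.255.255.192, /0 -> 0.0.0.0."""
    return to_dotted((0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF)

def network_part(address, mask):
    """network = address & mask (bitwise AND), as on the slide."""
    return to_dotted(to_int(address) & to_int(mask))

def on_link(a, b, mask):
    """Two addresses are in the same subnet iff their network parts agree."""
    return network_part(a, mask) == network_part(b, mask)

def broadcast_address(address, mask):
    """Host part all ones: network | ~mask (on 32 bits)."""
    inverted_mask = ~to_int(mask) & 0xFFFFFFFF
    return to_dotted(to_int(network_part(address, mask)) | inverted_mask)

def reserved_host_parts(address, mask):
    """The two addresses avoided for hosts: host part 0 and host part all 1."""
    return (network_part(address, mask), broadcast_address(address, mask))
```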
IPv4 address classes
Long ago, IPv4 addresses had a class, so a subnet mask was not necessary.
This is now obsolete … but many people continue to use it.
Class   Range                          Leading bits   Structure (bit positions 0 1 2 3 … 8 16 24 31)
A       0.0.0.0 to 127.255.255.255     0              Net Id (bits 1-7), then Subnet Id and Host Id
B       128.0.0.0 to 191.255.255.255   10             Net Id (to bit 15), then Subnet Id and Host Id
C       192.0.0.0 to 223.255.255.255   110            Net Id (to bit 23), then Host Id
D       224.0.0.0 to 239.255.255.255   1110           Multicast address
E       240.0.0.0 to 247.255.255.255   11110          Reserved
Can Host A have this address?
Masks are all 255.255.255.0
1. Yes
2. No
3. I don't know
Figure: host A 192.44.78.254 is attached through a bridge to a router interface 192.44.77.254; other interfaces in the figure are 192.44.77.2, 187.44.__.__, __.__.__.1 and __.__.__.253, and several boxes are marked "?".
The IPv4 Subnet Mask at ETHZ is …
1. 255.255.255.0
2. 255.255.255.1
3. 255.255.255.2
4. 255.255.255.192
5. 255.255.255.198
6. 255.255.255.332
7. ffff:ffff:ffff:ffff::
8. ffff:ffff:ffff:ffff:c000::
9. I don't know
The IPv6 Subnet Mask at ETHZ is …
1. 255.255.255.0
2. 255.255.255.1
3. 255.255.255.2
4. 255.255.255.192
5. 255.255.255.198
6. /48
7. ffff:ffff:ffff:ffff::
8. ffff:ffff:ffff:ffff:c000::
9. I don't know
What is the subnet broadcast address for subnet 129.132.100.0/26?
1. 129.132.100.0
2. 129.132.100.15
3. 129.132.100.63
4. 129.132.100.192
5. 129.132.100.255
6. I don't know
5. NATs: Why invented? (Network Address Translation boxes)
Goal: re-use the same IP address for several devices / use private addresses.
This is a special type of «middlebox», that is violating the TCP/IP architecture.
Used in residential networks («ADSL Modem»); used in companies to save IP addresses.
How does Network Address Translation Work?
The NAT box modifies IP addresses and port numbers (port numbers are in TCP and UDP headers; see the transport protocol module).
It maps (IP address, protocol type, port number) to (IP address, protocol type, port number); exact matching from the NAT table.
Figure: an IPv4 NAT box between the LAN (192.168.10.x) and the Internet; its public address is 130.104.228.200.
NAT table:
LAN                        Internet
192.168.10.10 udp 1029     130.104.228.200 udp 3441
192.168.10.11 udp 1029     130.104.228.200 udp 3442
A packet arriving from the Internet "To: 130.104.228.200 UDP 3441" or "To: 130.104.228.200 UDP 3442" is rewritten to the LAN host of the matching entry ("To: 192.168.10.10 UDP 1029" or "To: 192.168.10.11 UDP 1029").
Creating a NAT table entry: on the fly
Figure: the same NAT box. Host 192.168.10.11 opens a TCP connection from port 1765 to 201.19.32.45 port 80. The packet leaves the LAN as "From: 192.168.10.11 TCP 1765, To: 201.19.32.45 port 80"; the NAT box adds a new entry and the packet continues on the Internet as "From: 130.104.228.200 TCP 2343, To: 201.19.32.45 port 80".
NAT table:
LAN                        Internet
192.168.10.10 udp 1029     130.104.228.200 udp 3441
192.168.10.11 udp 1029     130.104.228.200 udp 3442
192.168.10.11 tcp 1765     130.104.228.200 tcp 2343
Why some applications don't work with NATs
Assume A is behind a NAT and S is in the Internet. Communication between A and S must be initiated by A («punch a hole through the NAT»).
If A and S are both behind a NAT (e.g. with voice over IP), we have a bootstrap problem.
A does not know its IP address as seen by S. Solving this requires a third party; this is what made Skype's fortune.
Cone or restricted NATs: the third party is used only to discover the translated address.
Symmetric NAT: the third party relays all traffic.
Figure: A behind a NAT, S in the Internet.
Types of NATs
Cone: translated (address, port) = f(internal (address, port)); remains valid as long as refreshed.
Symmetric: translated (address, port) = f(internal (address, port), correspondent (address, port)).
Restricted: translated (address, port) = f(internal (address, port)); but valid only for a specific correspondent address; traffic from an unknown correspondent address is silently discarded.
This is only a rough classification; many things may happen in practice.
NATs are a hack!
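The NAT behaviour of the last slides (entries created on the fly for outbound packets, exact matching for inbound packets, and the cone / restricted / symmetric distinction), as an added Python model that is not part of the lecture; the public address and ports are the constructed values of the figures, the `mode` argument is this example's own.

```python
class Nat:
    """Simplified NAT: per-flow entries created on the fly for outbound
    traffic, exact-match lookup (not longest prefix match) for inbound."""

    def __init__(self, public_ip, mode="cone", first_port=3441):
        assert mode in ("cone", "restricted", "symmetric")
        self.public_ip, self.mode = public_ip, mode
        self.next_port = first_port
        # (proto, translated port) -> [internal (ip, port), set of correspondents]
        self.entries = {}

    def _find(self, proto, internal, correspondent):
        """Translated port already allocated for this flow, or None."""
        for (p, tport), (inside, peers) in self.entries.items():
            if p != proto or inside != internal:
                continue
            if self.mode == "symmetric" and correspondent not in peers:
                continue            # symmetric: new correspondent => new entry
            return tport
        return None

    def outbound(self, proto, src, dst):
        """LAN -> Internet. src/dst are (ip, port). Returns the packet as seen
        on the Internet: (proto, translated src, dst)."""
        tport = self._find(proto, src, dst)
        if tport is None:                         # create the entry on the fly
            tport, self.next_port = self.next_port, self.next_port + 1
            self.entries[(proto, tport)] = [src, set()]
        self.entries[(proto, tport)][1].add(dst)  # remember the correspondent
        return (proto, (self.public_ip, tport), dst)

    def inbound(self, proto, src, dst):
        """Internet -> LAN. Exact match on (proto, public ip, port). Returns
        (proto, src, internal dst), or None when the packet is discarded."""
        if dst[0] != self.public_ip:
            return None
        entry = self.entries.get((proto, dst[1]))
        if entry is None:
            return None                           # no association: drop
        inside, peers = entry
        if self.mode == "symmetric" and src not in peers:
            return None
        if self.mode == "restricted" and src[0] not in {ip for ip, _ in peers}:
            return None                           # unknown correspondent address
        return (proto, src, inside)
```

With a cone NAT any Internet host can reach the translated port once it exists, which is why a third party only needs to tell A its translated address; with a symmetric NAT each correspondent sees a different port, so that information is useless and the third party has to relay.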
NAT44 and NAT66
NATs are motivated primarily by the shortage of IPv4 addresses. NAT44 maps IPv4 to IPv4 addresses and is widespread.
Many believe that there is no need for NAT66 since there are as many IPv6 addresses as one may ever need; NAT66 are not widespread.
But NAT66 may be needed for other reasons: to use private addresses, e.g. IEWv6 to EPFLv6. RFC 6296 specifies NAT66.
When a NAT has a packet to forward and an association exists in the NAT table…
A. The NAT looks for a longest prefix match
B. The NAT looks for an exact match
C. None of the above
D. I don't know
From WAN to LAN, the NAT may modify…
A. The source port
B. The destination port
C. None of the above
D. I don't know
6. MAC Address Resolution
Q: What does «send packet directly» mean?
A: send it in an Ethernet frame, with destination MAC address = MAC address of 128.178.15.7
Pb: what is the MAC address of 128.178.15.7?
Solution: ed2-in learns the MAC address of 128.178.15.7 using an address resolution procedure.
ed2-in has a packet to destination address:
128.178.15.7: the packet is sent directly to 128.178.15.7
128.178.156.24: the packet is sent to 128.178.182.5
Address Resolution with IPv4: ARP Protocol
1: ed2-in has a packet to send to 128.178.15.7 (stisun1); this address is on the same subnet. lrcsuns sends an ARP request to all systems on the subnet (Ethernet broadcast, Ethernet type = ARP), target IP address = 128.178.156.7.
The ARP request is received by all IP hosts on the local network; it is not forwarded by routers.
Figure: hosts on the subnet: ed2-in (128.178.15.221, 08:00:20:71:0d:d4), stisun1 (128.178.15.7, 00:00:c0:b3:d2:8d), lrcpc2, ed0-ext (128.178.15.13, 00:00:0c:02:78:36). Frame 1 (ARP request): no destination IP address, destination MAC address = ff:ff:ff:ff:ff:ff.
Address Resolution with IPv4: ARP Protocol
2: stisun1 has recognized its IPv4 address; it sends an ARP reply packet to the requesting host with its IPv4 and MAC addresses.
Figure: same hosts as above. Frame 2 (ARP reply): no destination IP address, destination MAC address = 08:00:20:71:0d:d4.
Address Resolution with IPv4: ARP Protocol
3: ed2-in reads the ARP reply, stores it in a cache and sends the IPv4 packet to stisun1.
1 and 2 are ARP packets; Ethertype = ARP (0806). 3 is an IPv4 packet; Ethertype = IPv4 (0800).
ed2-in keeps the mapping in its cache; it expires if there is no traffic from stisun2 for some period of time > cache timeout.
Figure: same hosts as above. Frame 3 (IPv4 packet): destination IP address = 128.178.15.7, destination MAC address = 00:00:c0:b3:d2:8d.
Address Resolution with IPv6 is part of the Neighbor Discovery Protocol (NDP)
1: ed2-in has a packet to send to 2001:620:618:1a6:1:80b2:f66:1 (stisun1); this address is on the same subnet. lrcsuns sends a Neighbor Solicitation (NS) packet to the solicited node multicast address ff02::1:ff66:1.
The NS is received by all IPv6 hosts on the local network that have the same solicited node multicast address (here: only stisun1).
Figure: ed2-in (128.178.15.221, 2001:620:618:1a6:1:80b2:f01:1), stisun1 (128.178.15.7, 2001:620:618:1a6:1:80b2:f66:1), lrcpc2, ed0-ext. Frame 1 (NS): destination IP address = ff02::1:ff66:1, destination MAC address = 33:33:ff:66:00:01.
The Solicited Node Multicast Address
Add the last 24 bits of the target IP address to ff02::1:ff00:0/104. A packet with such a destination address is forwarded by layer 2 to all nodes that listen to this multicast address, using the MAC multicast address 33:33:<last 32 bits of the IP address>.
This is better than broadcast.
Target address
compressed:    2001:620:618:1a6:1:80b2:f66:1
uncompressed:  2001:0620:0618:01a6:0001:80b2:0f66:0001
Solicited node multicast address
uncompressed:  ff02:0000:0000:0000:0000:0001:ff66:0001
compressed:    ff02::1:ff66:1
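As an added Python example (not from the lecture) covering both the compression rules slide and this one: uncompress and compress an IPv6 address by the rules given above, then derive the solicited node multicast address and its 33:33 MAC address from a target address. The function names are this example's own.

```python
def expand(addr):
    """Uncompress: 8 pieces of 4 hex digits; '::' expands to zero pieces."""
    if "::" in addr:
        left, right = addr.split("::")            # '::' appears only once
        lp = left.split(":") if left else []
        rp = right.split(":") if right else []
        pieces = lp + ["0"] * (8 - len(lp) - len(rp)) + rp
    else:
        pieces = addr.split(":")
    if len(pieces) != 8:
        raise ValueError("bad IPv6 address: " + addr)
    return ":".join(p.lower().zfill(4) for p in pieces)

def compress(addr):
    """Compress: drop leading zeroes in each piece and replace the longest
    run of two or more zero pieces with '::' (the first run when tied)."""
    pieces = [p.lstrip("0") or "0" for p in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if pieces[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and pieces[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                              # a single 0 piece stays '0'
        return ":".join(pieces)
    head = ":".join(pieces[:best_start])
    tail = ":".join(pieces[best_start + best_len:])
    return head + "::" + tail

def solicited_node(target):
    """ff02::1:ffXX:XXXX where XX:XXXX are the last 24 bits of the target."""
    digits = expand(target).replace(":", "")      # 32 hex digits
    low24 = digits[-6:]
    return compress("ff02:0:0:0:0:1:ff" + low24[:2] + ":" + low24[2:])

def solicited_mac(target):
    """33:33:<last 32 bits of the solicited node multicast address>."""
    digits = expand(solicited_node(target)).replace(":", "")
    low32 = digits[-8:]
    return "33:33:" + ":".join(low32[k:k + 2] for k in range(0, 8, 2))
```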
Address Resolution with IPv6: NDP Protocol
2: stisun1 has received the NS packet and recognized its IPv6 address as the target; it sends a Neighbor Advertisement (NA) in reply with its IPv6 and MAC addresses.
Figure: same hosts as above. Frame 2 (NA): destination IP address = 2001:620:618:1a6:1:80b2:f01:1, destination MAC address = 08:00:20:71:0d:d4.
Address Resolution with IPv6: NDP Protocol
3: ed2-in reads the NA, stores it in a cache and sends the IPv6 packet to stisun1.
1, 2 and 3 are IPv6 packets; Ethertype = IPv6 (86DD).
ed2-in keeps the mapping in its cache; it expires if there is no traffic from stisun2 for some period of time > cache timeout.
Figure: same hosts as above. Frame 3 (IPv6 packet): destination IP address = 2001:620:618:1a6:1:80b2:f66:1, destination MAC address = 00:00:c0:b3:d2:8d.
Look inside an ARP packet
Ethernet II
Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Source: 00:03:93:a3:83:3a (Apple_a3:83:3a)
Type: ARP (0x0806)
Trailer: 00000000000000000000000000000000...
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:03:93:a3:83:3a (Apple_a3:83:3a)
Sender IP address: 129.88.38.135 (129.88.38.135)
Target MAC address: 00:00:00:00:00:00 (00:00:00_00:00:00)
Target IP address: 129.88.38.254 (129.88.38.254)
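As an added example (not from the lecture), a small parser that turns a raw Ethernet + ARP frame into the fields of the dissection above; the frame bytes are constructed here to reproduce that dump, including the zero trailer that pads the frame to the 60-byte Ethernet minimum.

```python
import struct

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

def mac(b):
    return ":".join("%02x" % x for x in b)

def ip4(b):
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Return a dict with the Ethernet and ARP fields, or raise ValueError."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame: ethertype 0x%04x" % etype)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:22 + 2 * (hlen + plen)]          # sha, spa, tha, tpa
    sha, spa, tha, tpa = body[0:6], body[6:10], body[10:16], body[16:20]
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "broadcast": dst == b"\xff" * 6,
        "opcode": OPCODES.get(op, "unknown(%d)" % op),
        "sender_mac": mac(sha), "sender_ip": ip4(spa),
        "target_mac": mac(tha), "target_ip": ip4(tpa),
        "trailer_len": len(frame) - 42,               # padding after the ARP body
    }

# Constructed frame with the same values as the dump on this page.
SAMPLE = (bytes.fromhex("ffffffffffff" "000393a3833a" "0806")   # Ethernet header
          + bytes.fromhex("0001" "0800" "06" "04" "0001")       # htype ptype hlen plen op
          + bytes.fromhex("000393a3833a") + bytes([129, 88, 38, 135])   # sender
          + bytes.fromhex("000000000000") + bytes([129, 88, 38, 254]))  # target
SAMPLE += b"\x00" * (60 - len(SAMPLE))                            # zero trailer
```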
Look Inside an ICMPv6 NDP Neighbour Solicitation Packet
Figure: a packet capture of a Neighbor Solicitation (= ARP request); its destination is the Solicited Node Multicast Address corresponding to the IPv6 target address.
ed2-in has a packet to destination address 128.178.156.24; the packet is sent to 128.178.182.5; the packet is sent by «ed2-in» …
1. … inside an Ethernet frame with destination MAC address = 08:00:20:71:0d:d4
2. … inside an Ethernet frame with destination MAC address = 00:00.0d:0d:9a:75
3. None of the above
4. I don't know
Security Issues with ARP/NDP
ARP requests/replies may be falsified (ARP spoofing).
Can we prevent ARP spoofing?
Figure: the ARP exchange shown earlier between ed2-in (128.178.15.221, 08:00:20:71:0d:d4), stisun1 (128.178.15.7, 00:00:c0:b3:d2:8d), lrcpc2 and ed0-ext (128.178.15.13, 00:00:0c:02:78:36); frame 2 is the ARP reply with no destination IP address and destination MAC address = 08:00:20:71:0d:d4.
DHCP Snooping and Dynamic ARP Inspection can prevent ARP spoofing in LANs
DHCP snooping = the switch / Ethernet concentrator / WiFi base station observes all DHCP traffic and remembers the mappings IP address ↔ MAC address (DHCP is used to automatically configure the IP address at system boot).
Dynamic ARP inspection: the switch filters all ARP (or NDP) traffic and allows only valid answers.
This solution is deployed in enterprise networks, rarely in homes or WiFi access points.
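The two mechanisms of this slide as an added Python model (not from the lecture and not any vendor's implementation): the switch builds a binding table from the DHCP ACKs it sees on a trusted port, then forwards an ARP packet from an untrusted port only if its sender (IP, MAC) pair and port match a binding. The event sequence and port names are constructed; the IP/MAC values reuse the hosts of the ARP figures.

```python
class ArpInspectingSwitch:
    """DHCP snooping binding table + dynamic ARP inspection (simplified)."""

    def __init__(self, trusted_ports=()):
        self.bindings = {}                 # ip -> (mac, port) learned from DHCP
        self.trusted = set(trusted_ports)  # e.g. the uplink to the DHCP server

    def observe_dhcp_ack(self, server_port, client_port, client_mac, assigned_ip):
        """DHCP snooping: record the IP <-> MAC mapping granted in a DHCP ACK
        together with the client's port. ACKs seen on an untrusted port are
        ignored, since a DHCP server is only expected behind a trusted port."""
        if server_port not in self.trusted:
            return False
        self.bindings[assigned_ip] = (client_mac, client_port)
        return True

    def inspect_arp(self, port, eth_src, sender_ip, sender_mac):
        """Dynamic ARP inspection: True if the ARP packet (request or reply)
        arriving on 'port' is forwarded, False if it is dropped."""
        if port in self.trusted:
            return True                    # trusted ports are not inspected
        if eth_src != sender_mac:
            return False                   # Ethernet source must match ARP sender
        binding = self.bindings.get(sender_ip)
        if binding is None:
            return False                   # no DHCP lease for this IP address
        mac, lease_port = binding
        return mac == sender_mac and lease_port == port

# Constructed sequence of events as seen by the switch (port names are made up).
EVENTS = [
    ("dhcp_ack", "uplink", "p1", "08:00:20:71:0d:d4", "128.178.15.221"),
    ("dhcp_ack", "uplink", "p2", "00:00:c0:b3:d2:8d", "128.178.15.7"),
    ("arp", "p2", "00:00:c0:b3:d2:8d", "128.178.15.7", "00:00:c0:b3:d2:8d"),    # genuine reply
    ("arp", "p3", "aa:aa:aa:aa:aa:aa", "128.178.15.7", "aa:aa:aa:aa:aa:aa"),    # falsified reply
    ("arp", "p3", "00:00:c0:b3:d2:8d", "128.178.15.7", "00:00:c0:b3:d2:8d"),    # right pair, wrong port
    ("arp", "p1", "08:00:20:71:0d:d4", "128.178.15.221", "08:00:20:71:0d:d4"),  # genuine request
]

def run(events, trusted=("uplink",)):
    """Replay the events; return the forward/drop verdict for each ARP packet."""
    switch = ArpInspectingSwitch(trusted)
    verdicts = []
    for event in events:
        if event[0] == "dhcp_ack":
            switch.observe_dhcp_ack(*event[1:])
        else:
            verdicts.append(switch.inspect_arp(*event[1:]))
    return verdicts
```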
Conclusion
The network layer (= IP) is the centerpiece of communication networks. IP is built on two principles:
one IP address per interface and longest prefix match; this allows to compress routing tables by aggregation
inside a subnet, don't use routers
There are (unfortunately) two versions of IP, IPv4 and IPv6; they are not compatible; interworking requires some tricks (see later).
NATs came as an after-thought and use a different principle than IP unicast (exact match versus longest prefix match); they are widely deployed.
NATs hide IP addresses and complicate the operation of networks.
The goal of ARP/NDP is to find the MAC address corresponding to an IP address.