IP, NAT and PAT

Table of Contents

IP ...... 2

IP Classes ...... 5

IP Addresses of Note ...... 7

NAT and PAT ...... 9

Notices ...... 11

Page 1 of 11

IP

Internet Protocol (OSI Layer 3)
• Sends packets over a network, used for addressing and
• No guarantee of delivery, only best effort

IP addressing
• IPv4 address is 32 bits in length
• 192.168.1.1 = 11000000 . 10101000 . 00000001 . 00000001
• Each number between periods is an “octet” between 0 and 255
• Reflects both the network and the host address — these numbers are separated out by the subnet mask


**128 We're talking about first protocol. Now, we're talking about version four at this moment in time, which is at layer three. We're also going to switch over to IPv6 in just a second. In v4, you have to know how big the address is in bits. Even though it's converted into decimal form, you need to think about it in terms of bits because then when we deal with subnet masking and when we deal with routing tables, we have to know how this conversion works in our head.

So, when we convert this what we do is we do it in octets. That's four sets of eight. And each IP address piece, each octet, is a number between two fifty-five and zero. Now, we don't use two fifty-five. And we don't use zero. That's the first and the last address because we use them for something else. But all of the other addresses are valid. And by the way, two fifty-five would be ones all the way across the bits. And zero would be zero all the way across the bits in that octet.

So, right here we have an example of 192.168.1.1. Well, the first two bits are turned on in a thirty-two bit address. That's the one twenty-eight bit is the first bit. And the second bit is the sixty-four bit. Sixty-four plus one twenty-eight equals one hundred and ninety-two. The math works.

The one sixty-eight address, the first bit's turned on. That's one hundred twenty-eight. We'll keep that in our head. The second one is turned off, so we skip over the sixty-four. And then the next bit is thirty-two. And that one's turned on. Well, not all of them are turned off. So, we've got one twenty-eight plus thirty-two. Let's see, one twenty-eight plus thirty-two, that's a hundred and sixty. We count down a couple more bits, and we get to the third bit in that list. It's turned on. That's the eight bit. So, eight plus one hundred and sixty is one hundred and sixty-eight. Hey look, the math works. And then the other two, one and one. I mean we don't have to worry about those two, right? We're good for that. You get the idea that we have to know this and convert this in our head every once in a while, not often, but every once in a while.

So, we're also looking at the network address and the host address, and which are the portions here, one versus the other. And these numbers are separated by the subnet mask. In this case, for a 192.168.1.255, that would be the network address. And what that says is all the numbers, the first three octets, must stay the same.

The subnet mask for this to tell us that this is a particular network is going to be 255.255.255, and what that says is-- I'm sorry, 255.255.255.0. That says everything in this octet has to be the same. Everything in the next octet has to be the same. Everything in the next octet has to be the same. So, if we want to communicate on the same network, you better be in the 192.168.1 and then change the numbers in the last octet.
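The octet arithmetic the lecture walks through, as an added example that is not part of the course material: each octet is decomposed into the bit weights that are "turned on", the address is written out in dotted binary as on the slide, and the subnet mask is ANDed with the address to separate the network portion from the host portion. All functions and the sample addresses are this example's own.

```python
BIT_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)  # value of each bit in an octet, high to low

def dotted_to_octets(addr: str) -> list:
    """Split 'a.b.c.d' into four ints, rejecting anything outside 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    octets = []
    for p in parts:
        if not p.isdigit() or int(p) > 255:
            raise ValueError(f"octet {p!r} is not in 0..255")
        octets.append(int(p))
    return octets

def bits_on(value: int) -> list:
    """Bit weights that are 'turned on' in one octet: 168 -> [128, 32, 8]."""
    return [w for w in BIT_WEIGHTS if value & w]

def octet_bits(value: int) -> str:
    """One octet as eight binary digits: 192 -> '11000000'."""
    return "".join("1" if value & w else "0" for w in BIT_WEIGHTS)

def to_binary(addr: str) -> str:
    """Dotted decimal to dotted binary, the form written on the slide."""
    return ".".join(octet_bits(o) for o in dotted_to_octets(addr))

def network_address(addr: str, mask: str) -> str:
    """AND each address octet with its mask octet: a 255 in the mask keeps that octet
    (it must stay the same), a 0 in the mask clears it (that octet is host space)."""
    pairs = zip(dotted_to_octets(addr), dotted_to_octets(mask))
    return ".".join(str(a & m) for a, m in pairs)

def same_network(a: str, b: str, mask: str) -> bool:
    """Two hosts can talk directly only if their network portions match under the mask."""
    return network_address(a, mask) == network_address(b, mask)

if __name__ == "__main__":
    print(to_binary("192.168.1.1"))            # 11000000.10101000.00000001.00000001
    print(bits_on(168), sum(bits_on(168)))     # [128, 32, 8] 168
    print(network_address("192.168.1.77", "255.255.255.0"))   # 192.168.1.0
    print(same_network("192.168.1.1", "192.168.2.1", "255.255.255.0"))  # False
```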


IP Classes

Class      Number of networks    Addresses per network    Start address    End address
Class A    128 (2^7)             16,777,216 (2^24)        0.0.0.0          127.255.255.255
Class B    16,384 (2^14)         65,536 (2^16)            128.0.0.0        191.255.255.255
Class C    2,097,152 (2^21)      256 (2^8)                192.0.0.0        223.255.255.255
Class D    (multicast)                                    224.0.0.0        239.255.255.255
Class E    (reserved)                                     240.0.0.0        255.255.255.255


**129 There are different classes of IP addresses. A, B, and C are the normal classes. When we talk about the start and end address, some of the that are in there, some of the numbers that are in there, are not valid. But we are talking about what is the extent of this network.

Well, in a class A network what we do is we fix the first octet. And then we mess with the rest of them. So, we have a hundred and twenty-eight class A networks that are available.

When we go down to the class B set of addresses, the first octet and the first bit is fixed. If you convert one twenty-eight into decimal, you see that it is a one followed by a zero.

In a class C address, we have two million networks. But each one of those networks only has two hundred and fifty-six hosts on it. So, the first two bits will be fixed. One, one, zero makes up one ninety-two. And then anything below that is configurable.

What about the class D and the class E? Well, first off the class E is experimental. And it's not used. Any address that came to you that was, "Hi, I'm from 240.1.1." You're not from anywhere that I really want to know about. I'm putting you on the bogon list, and all those addresses are no good because we don't play experiments with the Internet. Okay, I can go ahead and lop those off.

The class D is the multicast range. This is IGMP not ICMP. And you'll know that it is a class D address because it is just shy of two forty, between two twenty-four and just shy of two forty, at two thirty-nine trip two fifty-five. That class D is for multicasting.
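The class table above derived from the leading bits of the first octet, as an added example that is not part of the course material: a class is recognised by its fixed leading bits (0 for A, 10 for B, 110 for C, 1110 for D, 1111 for E), the remaining bits of the network portion give the number of networks, and the host portion gives the addresses per network. The layout table and function names are this example's own.

```python
from typing import Optional, Tuple

# class -> (fixed leading bit pattern, number of fixed bits, length of network portion in bits)
CLASS_LAYOUT = {
    "A": (0b0, 1, 8),        # first octet fixed as the network, first bit is 0
    "B": (0b10, 2, 16),      # first two octets are the network, leading bits 10
    "C": (0b110, 3, 24),     # first three octets are the network, leading bits 110
    "D": (0b1110, 4, None),  # multicast (IGMP): no network/host split
    "E": (0b1111, 4, None),  # reserved / experimental
}

def ip_class(addr: str) -> str:
    """Return the class letter by matching the first octet's leading bits."""
    first = int(addr.split(".")[0])
    if not 0 <= first <= 255:
        raise ValueError(f"bad first octet in {addr!r}")
    for cls, (pattern, nfixed, _) in CLASS_LAYOUT.items():
        if first >> (8 - nfixed) == pattern:   # keep only the leading nfixed bits
            return cls
    raise AssertionError("unreachable: the five patterns cover every first octet")

def class_sizes(cls: str) -> Optional[Tuple[int, int]]:
    """(number of networks, addresses per network) for A/B/C; None for D/E."""
    _, nfixed, net_bits = CLASS_LAYOUT[cls]
    if net_bits is None:
        return None
    network_id_bits = net_bits - nfixed   # bits left to number the networks
    host_bits = 32 - net_bits             # bits left to number hosts in one network
    return 2 ** network_id_bits, 2 ** host_bits

def class_range(cls: str) -> Tuple[str, str]:
    """Start and end address: fixed bits followed by all zeros, then by all ones."""
    pattern, nfixed, _ = CLASS_LAYOUT[cls]
    lo = pattern << (32 - nfixed)
    hi = lo | ((1 << (32 - nfixed)) - 1)
    dotted = lambda v: ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))
    return dotted(lo), dotted(hi)

if __name__ == "__main__":
    for cls in CLASS_LAYOUT:
        print(cls, class_range(cls), class_sizes(cls))
    print(ip_class("192.168.1.1"), ip_class("240.1.1.1"))   # C E
```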


IP Addresses of Note

Private IP spaces are not routable on the open Internet
• Intended for organizations to use instead of public (costly) IP addresses

Private Address Space    Start Address    End Address
Class A                  10.0.0.0         10.255.255.255
Class B                  172.16.0.0       172.31.255.255
Class C                  192.168.1.0      192.168.1.255

127.0.0.0 – 127.255.255.255: loopback address
169.254.0.0 – 169.254.255.255: autoconfiguration


**130 There are a set of private IP address-- well, the IP address space that is limited by rule RFC 1918. And in it what it says is that we've got a group of IP addresses, because we're running out of IP addresses, what we're going to do is allow you to do internal IP address assignments back in here that we don't care about on the Internet. And, in fact, all of the routers that are RFC 1918 compliant won't even pass that traffic.

So, what can we use back here that's not routable on the Internet or is not supposed to be? Well, there's one for each class of address. In the class A, it's the ten network, the entire ten network. Sixty million hosts are useable inside your organization. But not on the Internet.

Class B is a little bit different. It's the 172.16, just shy of the 172.32. That's a class B network that is totally useable by you. And actually there are sixty-five thousand hosts sixteen different times that are useable. So, you could have a sixteen, a seventeen, an eighteen, a nineteen, a twenty, all the way up to thirty-one. Those are all Class B addresses. They are not supposed to be routable.

Last is the Class C address. Now, there's a funny little thing about the Class C address. The 192.168.1.0 through 255 is a class A address with only two hundred and fifty-four hosts on it. However, that's by convention. If you try to use the 192.168.2, three, four, all the way up to two-fifty-five, those are also non-routable and not used. But the convention is 1.0.

Now, there are two other special addresses that we want to pay attention to that aren't inside of the RFC 1918, but these are very good lists of hosts to not allow on your network filtered at your or . And that is the loopback address, the entire class A address of one twenty-seven-- we only use 127.0.0.1 as our loopback. The other ones don't count. They're not useable.

And lastly, created something called automatic IP addressing, or APIPA, where they disqualified the entire 169.254 all the way up through 255.255. They eliminated that one. So, that's a list of addresses that you can use internally.


NAT and PAT

Network Address Translation (NAT)
• Translates private IP space to public IP space and reverse
• Permits entire networks built with private IP addresses to operate as if they were fully connected to the Internet, with only a single public IP address
• Offers security benefit of “hiding” private IP space from external view

Port Address Translation (PAT)
• Translates between publicly visible ports and internal ports
• Offers security benefit of “hiding” internal ports from external view

Diagram: traffic from any public IP to port 80. NAT translates the public IP to 192.168.1.1; PAT translates port 80 to port 8080 on the internal host.


**131 So, if we use these internally, how do we communicate externally? Well, that router, or we might call it a NAT gateway-- that's a bad name for it, but people have used that. I've heard it. That router says those are ten network, that's internal stuff, and this is external stuff. As long as I'm configured with one live IP address here, all these other hosts back here can use that one live IP address. And I'll do it in a proxy fashion for them. And in network address translation, what we do is we map one live IP address to one internal IP address. Well, that doesn't conserve very many IP addresses.

Enter port address translation. In port address translation, what we do is we have a live IP address on the outside and many we'll call them nonroutables on the inside. And I'll create a map for every one of those hosts so that a unique port address translation comes from me to request.

We do this port address translation so that we can get a many internal host to one external host on the outside. And then we're only limited by the total number of hosts that are going through that mapping. And we reuse those mappings over and over and over again.
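A minimal model of the difference the lecture draws between NAT and PAT, as an added example that is not part of the course material: one-to-one NAT needs a public address per internal host, while PAT shares one public address among many internal hosts by giving each outbound flow its own public port, keeping the mapping so replies can be translated back, and reusing ports once a flow is released. Unsolicited inbound traffic with no mapping is dropped, which is the "hiding" the slide refers to. The class names, addresses and port range are this example's own.

```python
class StaticNat:
    """One-to-one NAT: each internal host consumes one public address."""
    def __init__(self, pairs):
        self.out = dict(pairs)                           # internal ip -> public ip
        self.back = {p: i for i, p in self.out.items()}  # public ip -> internal ip
    def outbound(self, src_ip: str) -> str:
        return self.out[src_ip]       # KeyError: no public address assigned to this host
    def inbound(self, dst_ip: str) -> str:
        return self.back[dst_ip]

class Pat:
    """Many-to-one PAT: one public IP, a distinct public port per internal (ip, port)."""
    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40005):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))  # constructed pool
        self.table = {}     # (internal_ip, internal_port) -> public_port
        self.reverse = {}   # public_port -> (internal_ip, internal_port)
    def outbound(self, src_ip: str, src_port: int):
        """Translate an outgoing packet; an existing flow keeps its mapping."""
        key = (src_ip, src_port)
        if key not in self.table:
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted")
            port = self.free_ports.pop(0)
            self.table[key] = port
            self.reverse[port] = key
        return self.public_ip, self.table[key]
    def inbound(self, dst_port: int):
        """Map a reply back to the internal host; None means no host asked for it, so drop."""
        return self.reverse.get(dst_port)
    def release(self, src_ip: str, src_port: int) -> None:
        """Flow finished: free the public port so it can be reused for another host."""
        port = self.table.pop((src_ip, src_port))
        del self.reverse[port]
        self.free_ports.append(port)

if __name__ == "__main__":
    pat = Pat("203.0.113.10", 40000, 40001)          # constructed public address
    print(pat.outbound("192.168.1.20", 51000))       # ('203.0.113.10', 40000)
    print(pat.outbound("192.168.1.21", 51000))       # ('203.0.113.10', 40001)
    print(pat.inbound(40001))                        # ('192.168.1.21', 51000)
    print(pat.inbound(40002))                        # None: unsolicited, dropped
```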


Notices

© 2015 Carnegie Mellon University. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected]. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University.
