
TCP/IP Networking Resources

DS3 interfaces on a Cisco 7000 series router.
The OSI Model
This idealized model organizes any look at network protocols. Remember this by reading from bottom to top:
Mnemonic | Layer | What the layer does
Advice | Application | Let's be honest: The top three layers are pretty much just academic. Practical implementations like TCP/IP leave this to the application itself. Some network applications like NFS really have seven or so layers, analogous to these, but they are the exception!
People's | Presentation |
Sales' | Session |
Take | Transport | Deals with end-to-end process addressing using ports. TCP is a connection-oriented protocol, UDP is a message-passing protocol.
Not | Network | Route a packet from its source to its destination, including hops through routers across multiple networks. IP is the protocol.
Do | Data Link | Data link layer uses hardware addresses (also called MAC addresses or physical addresses) to transmit a frame across a network link. ARP is a protocol mapping MAC address to IP address.
Please | Physical | Physical layer is physics and electrical engineering — how to modulate electrical signals and photons to send zeros and ones. Both these layers are done in the network interface.
Understanding the Protocols
Quick Overview of Protocol Header Structures
The protocols are defined by RFCs and those RFCs can be found at rfc-editor.org and tools.ietf.org/html.
These organizations design protocols, identify standards, and define and disseminate The Truth:
- Internet Engineering Task Force (IETF)
- Internet Assigned Numbers Authority (IANA)
- Internet International Ad-Hoc Committee
- Internet Society (ISOC)
- Institute of Electrical and Electronics Engineers (IEEE)
Here are some of the books on my shelf:
Internetworking with TCP/IP, Volume 1, Douglas Comer, Prentice Hall. This is a very readable description of the major components (and many of the minor ones) of the TCP/IP internetworking protocol suite. Comer's book is the best place to start.
TCP/IP Illustrated, Volume 1, W. Richard Stevens, Addison-Wesley. A bit tough for an introduction, but a good one to follow Comer's book with lots more details. Comer's book is readable, this is more like an encyclopedia.
DNS and BIND, Paul Albitz and Cricket Liu, O'Reilly and Associates. Since you use DNS, use it correctly!
Managing IP Networks with Cisco Routers, Scott M. Ballew, O'Reilly and Associates. And use those routers correctly, too!
Interconnections: Bridges and Routers, Radia Perlman, Addison-Wesley. Loads of details on routing algorithms and protocols.
Operating System Details
TCP/IP commands for Linux, UNIX, Apple OS X, Cisco IOS, and Windows
OS Specifics for Linux, UNIX, Switches, and Routers
How to harden the TCP/IP stack of Linux or any other UNIX-like operating systems
How to break in, initialize, and configure a Cisco router
How to program Cisco Catalyst and 3com 3000 switches
Cisco Catalyst 2900 XL Ethernet switch disassembly and repair
Physical / Data Link Layers
Network and Telecommunication Cables
The interactive Submarine Cable Map is a great resource for investigating undersea cables.
Cisco Catalyst 2900 XL Ethernet switch disassembly and repair
IEEE OUI assignments: Organizationally Unique Identifiers, or Ethernet MAC address manufacturer codes.
Ooma infographic on wired, mobile, and Wi-Fi speeds world-wide
Ethernet Infrastructure
Modern switched networks are built in a multi-tier architecture. It may be as simple as spine switches at the core and leaf switches for the host connections.
A three-tier architecture uses core, distribution (or aggregation), and access switches. The core switches sit at, well, the core of your network, distribution switches in data centers, and access switches for host connections.
A top-of-rack or TOR model has an access switch in each rack. Not necessarily at the top! All the servers in that rack connect to the TOR switch. It then connects to a distribution switch for a row of racks, which then connects to a core switch. If the inter-switch connections are fibre, the architecture is somewhat "future-proofed" or "upgrade-proofed" — if you upgrade the TOR access switches, it's a simple replacement.
An end-of-rack or EOR model connects all the servers in all the racks in that row directly to a distribution switch at the end of the row. The advantage is that there is one less switch in the end-to-end connection, and a little less latency. The disadvantage is that the cabling is much more difficult to manage.
Ethernet 5-4-3 rule (the IEEE way)
The rule was needed in the days of 10BASE5 and 10BASE2 bus topologies built from coaxial cable, as the Ethernet standard required that a signal reach every part of the network within a specified time:
- There can only be a maximum of five LAN segments,
- connected via four repeaters,
- and only three may have user connections.
Modern switched Ethernet LANs are exempt from the 5-4-3 rule because switches have buffers to temporarily store frames and all nodes can access a switched Ethernet LAN simultaneously.
Network Layer — IP — Internet Protocol
Understanding IP Addressing
In order to understand IP addresses, netmasks, subnet design, VLSM, CIDR, etc., you should read this paper: Understanding IP Addressing: Everything You Ever Wanted To Know
IP Address Assignment Authorities
The Internet Assigned Numbers Authority handles global coordination of the DNS root servers and IP address allocation.
North and South America — ARIN, the American Registry of Internet Numbers, has a page listing the IP address space allocated to ARIN.
Latin America and Caribbean — LACNIC or Latin American and Caribbean Internet Addresses Registry.
Europe — RIPE, Reseaux IP Europeens, is the European authority.
Asia and Pacific — APNIC, Asia Pacific Network Information Center, is the Asia-Pacific authority.
AfriNIC is the Africa IP address registry.
Click here for a list of all Class A networks
U.S. Government/Military — The U.S. Department of Defense Network Information Center is no longer accessible to non-DoD users.
This archive of country IP block lists in CIDR format lets you block traffic or email on a country-by-country basis.
The IP2location site has a tool that will build rules to block traffic by country. It supports Cisco ACLs, Linux iptables, Apache .htaccess, and more.
Slash Versus Dotted-Quad Notation
The key to all this is the following relations of decimal versus binary:
Decimal | Binary | How the binary is built
0 | 00000000 |
128 | 10000000 | 128
192 | 11000000 | 128 + 64
224 | 11100000 | 128 + 64 + 32
240 | 11110000 | 128 + 64 + 32 + 16
248 | 11111000 | 128 + 64 + 32 + 16 + 8
252 | 11111100 | 128 + 64 + 32 + 16 + 8 + 4
254 | 11111110 | 128 + 64 + 32 + 16 + 8 + 4 + 2
255 | 11111111 | 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1
Given that, we can build the following table of netmasks:
Useful only for CIDR blocks of any networks | Useful for subnets of /8, or for CIDR blocks of /16 and /24 networks | Useful for subnets of /8 or /16, or for CIDR blocks of /24 networks | Useful for subnets of any networks
0.0.0.0 /0 | 255.0.0.0 /8 | 255.255.0.0 /16 | 255.255.255.0 /24
128.0.0.0 /1 | 255.128.0.0 /9 | 255.255.128.0 /17 | 255.255.255.128 /25
192.0.0.0 /2 | 255.192.0.0 /10 | 255.255.192.0 /18 | 255.255.255.192 /26
224.0.0.0 /3 | 255.224.0.0 /11 | 255.255.224.0 /19 | 255.255.255.224 /27
240.0.0.0 /4 | 255.240.0.0 /12 | 255.255.240.0 /20 | 255.255.255.240 /28
248.0.0.0 /5 | 255.248.0.0 /13 | 255.255.248.0 /21 | 255.255.255.248 /29
252.0.0.0 /6 | 255.252.0.0 /14 | 255.255.252.0 /22 | 255.255.255.252 /30
254.0.0.0 /7 | 255.254.0.0 /15 | 255.255.254.0 /23 | 255.255.255.254 /31
Note that not all combinations are really useful; apply the following exceptions:
- 0.0.0.0 isn't useful for much of anything at all. Plus, those CIDR blocks represented by the rest of the first column are awfully big! You probably won't encounter them unless you're running a backbone or selling IP space to a continent.
- 255.0.0.0, 255.255.0.0, and 255.255.255.0 define the classful /8, /16, and /24, or Class A, B, and C, respectively. They cannot define subnets of their own classful nets.
- 255.254.0.0, 255.255.254.0, and 255.255.255.254 cannot define subnets of /8, /16, and /24 nets, respectively, as that would only allow one bit for the host number, and that is not allowed by the RFCs.
Really Simple CIDR Block Rule
CIDR is an acronym for Classless Inter-Domain Routing, and relates to higher level abstractions of IP address blocks.
To answer the question, "Does this set of classful network addresses form a CIDR block?", instead answer the following question.
Is there a netmask /X such that:
- The first X bits of all network addresses in the set are identical, and
- The remaining bits of all network addresses exhibit all possible patterns.
If so, the answer is "Yes", and the CIDR block description is the first network address followed by /X.
As an example, this is a CIDR block, divided as indicated:
network | | 22 constant bits | | | varying | host bits
200.201.200.0 | = | 1100 1000 | 1100 1001 | 1100 10 | 00 | xxxx xxxx
200.201.201.0 | = | 1100 1000 | 1100 1001 | 1100 10 | 01 | xxxx xxxx
200.201.202.0 | = | 1100 1000 | 1100 1001 | 1100 10 | 10 | xxxx xxxx
200.201.203.0 | = | 1100 1000 | 1100 1001 | 1100 10 | 11 | xxxx xxxx
CIDR block = 200.201.200.0/22
But this is not a CIDR block:
network | | 21 constant bits | | | varying | host bits
200.201.201.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 001 | xxxx xxxx
200.201.202.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 010 | xxxx xxxx
200.201.203.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 011 | xxxx xxxx
200.201.204.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 100 | xxxx xxxx
The above is not a CIDR block, because not all eight possible combinations of the last three bits of the classful network designations are used: 000, 101, 110 and 111 are missing. But this shows us what would have to be added to make it a CIDR block:
network | | 21 constant bits | | | varying | host bits |
200.201.200.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 000 | xxxx xxxx | added!
200.201.201.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 001 | xxxx xxxx |
200.201.202.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 010 | xxxx xxxx |
200.201.203.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 011 | xxxx xxxx |
200.201.204.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 100 | xxxx xxxx |
200.201.205.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 101 | xxxx xxxx | added!
200.201.206.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 110 | xxxx xxxx | added!
200.201.207.0 | = | 1100 1000 | 1100 1001 | 1100 1 | 111 | xxxx xxxx | added!
CIDR block = 200.201.200.0/21
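The Really Simple CIDR Block Rule above, written as a check you can run on any set of classful networks. This is an added example, not code from the original page: it finds the longest prefix the addresses share, then tests whether every pattern of the remaining network bits is present, and reports the networks that would have to be added (as the third table does) when it is not. It uses only Python's standard ipaddress module.

```python
import ipaddress


def cidr_block(networks):
    """Apply the Really Simple CIDR Block Rule to a set of classful networks.

    Finds the shortest prefix /X whose first X bits are identical across the
    set, then checks whether the remaining network bits exhibit every
    possible pattern, i.e. whether every /P subnet of that /X supernet is
    present.  Returns (supernet, missing): the set is a CIDR block exactly
    when `missing` is empty; otherwise `missing` is what must be added.
    """
    nets = {ipaddress.IPv4Network(n) for n in networks}
    if not nets:
        raise ValueError("need at least one network")
    plens = {n.prefixlen for n in nets}
    if len(plens) != 1:
        raise ValueError("all networks must share one classful prefix length")
    plen = plens.pop()
    addrs = sorted(int(n.network_address) for n in nets)
    # Every bit above the most significant bit in which the lowest and
    # highest addresses differ is constant across the whole set.
    differing = addrs[0] ^ addrs[-1]
    x = min(plen, 32 - differing.bit_length())
    supernet = ipaddress.IPv4Network((addrs[0], x), strict=False)
    missing = sorted(set(supernet.subnets(new_prefix=plen)) - nets)
    return supernet, missing


def bit_pattern(net, constant_bits):
    """Render a network the way the tables above do: the constant bits, a
    '|' marking where they end, the varying network bits, and an 'x' for
    each host bit."""
    n = ipaddress.IPv4Network(net)
    bits = format(int(n.network_address), "032b")[: n.prefixlen]
    bits += "x" * (32 - n.prefixlen)
    return bits[:constant_bits] + "|" + bits[constant_bits:]


if __name__ == "__main__":
    # The two sets worked through above: 200..203 is a block, 201..204 is not.
    for nets in (["200.201.%d.0/24" % i for i in range(200, 204)],
                 ["200.201.%d.0/24" % i for i in range(201, 205)]):
        supernet, missing = cidr_block(nets)
        for n in nets:
            print(bit_pattern(n, supernet.prefixlen), n)
        if missing:
            print("not a CIDR block; add", [str(m) for m in missing])
        else:
            print("CIDR block =", supernet)
```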
A VLSM Example
VLSM stands for Variable Length Subnet Mask, and is used with CIDR.
The best place to look is the 3com paper (see above), but here's a fairly simple example. Let's say you're allocated the /24 address space 200.201.202.0/24, and you have to address hosts on the following networks:
- Six point-to-point WAN links (2 IP addresses each for end points)
- Six LANs:
- 60 hosts (LAN #1)
- 50 hosts (LAN #2)
- 25 hosts (LAN #3)
- 20 hosts (LAN #4)
- 10 hosts (LAN #5)
- 10 hosts (LAN #6)
Assign the addresses as below, where bits marked "x" can take all possible patterns other than all zeros and all ones.
IP addresses, dotted-quad and binary | | | | Net base address | Number of hosts | Final octet
200 . | 201 . | 202 . | ??? | | |
1100 1000 | 1100 1001 | 1100 1010 | 01xx xxxx | 200.201.202.64/26 | 62 | 65-126
1100 1000 | 1100 1001 | 1100 1010 | 10xx xxxx | 200.201.202.128/26 | 62 | 129-190
1100 1000 | 1100 1001 | 1100 1010 | 001x xxxx | 200.201.202.32/27 | 30 | 33-62
1100 1000 | 1100 1001 | 1100 1010 | 110x xxxx | 200.201.202.192/27 | 30 | 193-222
1100 1000 | 1100 1001 | 1100 1010 | 1110 xxxx | 200.201.202.224/28 | 14 | 225-238
1100 1000 | 1100 1001 | 1100 1010 | 0001 xxxx | 200.201.202.16/28 | 14 | 17-30
1100 1000 | 1100 1001 | 1100 1010 | 0000 01xx | 200.201.202.4/30 | 2 | 5-6
1100 1000 | 1100 1001 | 1100 1010 | 0000 10xx | 200.201.202.8/30 | 2 | 9-10
1100 1000 | 1100 1001 | 1100 1010 | 0000 11xx | 200.201.202.12/30 | 2 | 13-14
1100 1000 | 1100 1001 | 1100 1010 | 1111 00xx | 200.201.202.240/30 | 2 | 241-242
1100 1000 | 1100 1001 | 1100 1010 | 1111 01xx | 200.201.202.244/30 | 2 | 245-246
1100 1000 | 1100 1001 | 1100 1010 | 1111 10xx | 200.201.202.248/30 | 2 | 249-250
Final octet for host addresses on each network:
Minimum = final octet of base address plus one
Maximum = final octet of base address plus number of hosts
Final octet for broadcast on each net:
Broadcast = final octet of base address plus one plus number of hosts
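The same VLSM exercise automated, as an added example that is not from the original page. It sizes each subnet from its host count (host bits may take every pattern except all-zeros and all-ones), carves the /24 largest-demand-first so every subnet lands on a boundary of its own size, and fills in each row with the final-octet rules just stated. The layout it produces therefore differs from the hand-built table above (the /26s land at .0 and .64 rather than .64 and .128), but every row obeys the same arithmetic; it uses only Python's standard ipaddress module.

```python
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest prefix length whose block holds `hosts` usable addresses.

    A block of 2**h addresses carries 2**h - 2 hosts once the base address
    (all-zeros) and broadcast (all-ones) are set aside, so we need the
    smallest h with hosts + 2 <= 2**h.  A /30 (h = 2) is the smallest block
    with any usable hosts, which is exactly what the WAN links need.
    """
    host_bits = max(2, (hosts + 1).bit_length())
    return 32 - host_bits


def vlsm_allocate(block, demands):
    """Carve `block` into one subnet per named network, largest demand first.

    Each returned row is (name, subnet, usable hosts, first host, last host,
    broadcast), with the last three computed as the rules above say:
    base + 1, base + hosts, base + 1 + hosts.  Raises ValueError when the
    block runs out of room.
    """
    space = ipaddress.IPv4Network(block)
    cursor = int(space.network_address)
    limit = int(space.broadcast_address) + 1
    rows = []
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        cursor = -(-cursor // size) * size      # round up to a size boundary
        if cursor + size > limit:
            raise ValueError("%s has no room left for %s" % (block, name))
        usable = size - 2
        subnet = ipaddress.IPv4Network((cursor, plen))
        rows.append((name, str(subnet), usable,
                     str(ipaddress.IPv4Address(cursor + 1)),
                     str(ipaddress.IPv4Address(cursor + usable)),
                     str(ipaddress.IPv4Address(cursor + 1 + usable))))
        cursor += size
    return rows


if __name__ == "__main__":
    # The requirements listed above: six LANs plus six /30 WAN links.
    demands = {"LAN #1": 60, "LAN #2": 50, "LAN #3": 25,
               "LAN #4": 20, "LAN #5": 10, "LAN #6": 10}
    demands.update({"WAN link %d" % i: 2 for i in range(1, 7)})
    for row in vlsm_allocate("200.201.202.0/24", demands):
        print("%-11s %-20s %3d hosts  %s - %s  broadcast %s" % row)
```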
Inadequately theoretical for you? Then read the paper by Mikail Atallah and Doug Comer.
IPsec
What is IPsec?
See my simple explanation of what IPsec is, what cryptographic security it provides, and a little about how to set it up.
For more details:
- RFC 4301 — Security Architecture for the Internet Protocol
- RFC 4302 — IP Authentication Header
- RFC 4303 — IP Encapsulating Security Payload (ESP)
- RFC 4306 — Internet Key Exchange (IKEv2) Protocol
Multicast and Anycast
Assigned multicast addresses and address blocks
RFC 1112 describes how to do multicast.
Anycast, on the other hand, is described in RFC 1546 and RFC 4786.
IPv6
RFC 2460 is the formal specification of IPv6 or Internet Protocol, Version 6. RFC 4291 defines the IPv6 addressing architecture. And RFC 2461, RFC 2462, RFC 2463, RFC 2464, RFC 2465, RFC 2466, RFC 2471, and RFC 2473 specify various details and applications of IPv6.
Geolocation
See the NSA's US Patent 6,947,978, "Method for Geolocating Logical Network Addresses". It builds a network latency topology map using latency to and between known nodes.
sipcalc
The sipcalc tool provides command-line IP subnet calculations. It's available as Linux and BSD packages.
$ sipcalc 98.226.144.69/21
-[ipv4 : 98.226.144.69/21] - 0

[CIDR]
Host address            - 98.226.144.69
Host address (decimal)  - 1659015237
Host address (hex)      - 62E29045
Network address         - 98.226.144.0
Network mask            - 255.255.248.0
Network mask (bits)     - 21
Network mask (hex)      - FFFFF800
Broadcast address       - 98.226.151.255
Cisco wildcard          - 0.0.7.255
Addresses in network    - 2048
Network range           - 98.226.144.0 - 98.226.151.255
Usable range            - 98.226.144.1 - 98.226.151.254

-
$ sipcalc 2001:558:600d:16:9937:9580:ac52:27f5/64
-[ipv6 : 2001:558:600d:16:9937:9580:ac52:27f5/64] - 0

[IPV6 INFO]
Expanded Address        - 2001:0558:600d:0016:9937:9580:ac52:27f5
Compressed address      - 2001:558:600d:16:9937:9580:ac52:27f5
Subnet prefix (masked)  - 2001:558:600d:16:0:0:0:0/64
Address ID (masked)     - 0:0:0:0:9937:9580:ac52:27f5/64
Prefix address          - ffff:ffff:ffff:ffff:0:0:0:0
Prefix length           - 64
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:0558:600d:0016:0000:0000:0000:0000 -
                          2001:0558:600d:0016:ffff:ffff:ffff:ffff

-
Routing, NAT, and DNS
Check the current Internet backbone activity with the Internet Traffic Report. The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections.
How routing works
How NAT (Network Address Translation) works
DNS / BIND
DNS security issues — how DNS should work, exploits based on stateless DNS, and the Kaminsky DNS Vulnerability.
Mapping DNS to geographic information with IP2geo, cities.lk.net, and dns-loc.
The standard introductory RFCs to read are RFC 1034 and RFC 1035, for the truth about DNS. Also see:
- RFC 1032 and RFC 1033, the Domain Administrator's Guides
- RFC 1535 for security issues
- RFC 1536 for implementation problems
- RFC 1537 and RFC 1912 for common configuration problems
- RFC 1591 for DNS structure and delegation
- RFC 1706 for integrating DNS and OSI protocols
- RFC 2181 and RFC 2182 for DNS security issues
Other great DNS and BIND documents are at isc.org and Team Cymru's Secure BIND Template.
You can get BIND at isc.org.
Transport Layer — TCP and UDP
IANA maintains the list of all the assigned TCP/UDP port numbers.
The netstat command gives you loads of information on a machine's network communications: listening TCP ports, currently active sockets, etc. It's available under Linux, Unix, Apple OS X, and Windows, but the precise format of the output varies between operating systems. Here are some examples of netstat -s output.
Cisco Router Simulators
Dynamips, the Cisco 7200 simulator itself.
VNUML (Virtual Network User Mode Linux), the Linux simulator.
Odds & Ends
I was working on this networking project in Japan, and ... Click here to be subjected to them.
Client IP / OS / Browser Identification
A demonstration of how a PHP script on the server can read and reformat the connection information and the client's request: moanmyip.com.
RouterGod Magazine
Including Jessica Simpson's thoughts on open-source routers, Gillian Anderson's on LAN switching, Elizabeth Hurley on the Cisco 2600 series routers, Mr Rogers on the RS-232 standard, and other really odd stuff: routergod.com.
History of the Internet
If you're curious, look here:
- The history of the Internet
- The isoc.org Internet history
Also, see RFC 2235.
Just What Is A "Daemon", Anyway?
According to the Oxford English Dictionary, it is "an attendant, ministering, or indwelling spirit." Socrates wrote of his daemon as his inner spirit. The designers of daemons in Linux/Unix (a concept later ported to most other operating systems) intended this meaning, as pointed out in some manual pages. It's an uncommon word these days; we usually use the Arabic djinn, now often spelled genie, when we're talking about what used to be called a daemon in the Middle Ages.