Learn Cyber Security, How to InfoSec, Tutorials, and more about CyberSecurity!

Sunday, 29 November 2015

Number systems and Conversion

Binary and hexadecimal numbers are a complete mystery for many of us. Often we don't find it really interesting because on the internet there are plenty of "subnet" or "binary" calculators where you can easily calculate from decimal to binary to hexadecimal or the other way around, without knowing how the exact calculation works.
This is no problem when you are not configuring or designing networks on a daily basis, but it will be a problem as soon as you take a networking exam, so it's best to know how to do these calculations off the top of your head.
Another advantage you will have is once you have mastered the art of binary calculations you can immediately see how big a network is and what the subnet mask is when people start throwing numbers at you.
So, let's start:

1. Decimal and Binary Numbers
When we write decimal (base 10) numbers, we use a positional notation system. Each digit is multiplied by an appropriate power of 10 depending on its position in the number:
For example:
843 = 8*10^2 + 4*10^1 + 3*10^0 = 8*100 + 4*10 + 3*1 = 800 + 40 + 3 = 843

For whole numbers, the rightmost digit position is the one's position (10^0 = 1). The numeral in that position indicates how many ones are present in the number. The next position to the left is ten's, then hundred's, thousand's, and so on. Each digit position has a weight that is ten times the weight of the position to its right.
In the decimal number system, there are ten possible values that can appear in each digit position, and so there are ten numerals required to represent the quantity in each digit position. The decimal numerals are the familiar zero through nine (0, 1, 2, 3, 4, 5, 6, 7, 8, 9).
In a positional notation system, the number base is called the radix. Thus, the base ten system that we normally use has a radix of 10. The term radix and base can be used interchangeably. When writing numbers in a radix other than ten, or where the radix isn't clear from the context, it is customary to specify the radix using a subscript. Thus, in a case where the radix isn't understood, decimal numbers would be written like this:

Generally, the radix will be understood from the context and the radix specification is left off.

The binary number system is also a positional notation numbering system, but in this case, the base is not ten, but is instead two. Each digit position in a binary number represents a power of two. So, when we write a binary number, each binary digit is multiplied by an appropriate power of 2 based on the position in the number:
For example:
101101 = 1*2^5 + 0*2^4 + 1*2^3 + 1*2^2 + 0*2^1 + 1*2^0 = 1*32 + 0*16 + 1*8 + 1*4 + 0*2 + 1*1 = 32 + 8 + 4 + 1 = 45

In the binary number system, there are only two possible values that can appear in each digit position rather than the ten that can appear in a decimal number. Only the numerals 0 and 1 are used in binary numbers. The term "bit" is a contraction of the words "binary" and "digit", and when talking about binary numbers the terms bit and digit can be used interchangeably. When talking about binary numbers, it is often necessary to talk of the number of bits used to store or represent the number. This merely describes the number of binary digits that would be required to write the number. The number in the above example is a 6 bit number.
The following are some additional examples of binary numbers:

2. Conversion between Decimal and Binary
Converting a number from binary to decimal is quite easy. All that is required is to find the decimal value of each binary digit position containing a 1 and add them up.

The method for converting a decimal number to binary is one that can be used to convert from decimal to any number base. It involves successive division by the radix until the dividend reaches 0. At each division, the remainder provides a digit of the converted number, starting with the least significant digit.

3. Hexadecimal Numbers
In addition to binary, another number base that is commonly used in digital systems is base 16. This number system is called hexadecimal, and each digit position represents a power of 16. For any number base greater than ten, a problem occurs because there are more than ten symbols needed to represent the numerals for that number base. It is customary in these cases to use the ten decimal numerals followed by the letters of the alphabet beginning with A to provide the needed numerals. Since the hexadecimal system is base 16, there are sixteen numerals required. The following are the hexadecimal numerals:
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F

The reason for the common use of hexadecimal numbers is the relationship between the numbers 2 and 16. Sixteen is a power of 2 (16 = 2^4). Because of this relationship, four digits in a binary number can be represented with a single hexadecimal digit. This makes conversion between binary and hexadecimal numbers very easy, and hexadecimal can be used to write large binary numbers with far fewer digits. When working with large digital systems such as computers, it is common to find binary numbers with 8, 16 and even 32 digits. Writing a 16 or 32 bit binary number would be quite tedious and error prone. By using hexadecimal, the numbers can be written with fewer digits and much less likelihood of error.
To convert a binary number to hexadecimal, divide it into groups of four digits starting with the rightmost digit. If the number of digits isn't a multiple of 4, prefix the number with 0's so that each group contains 4 digits. For each four digit group, convert the 4 bit binary number into an equivalent hexadecimal digit.
There are several ways in common use to specify that a given number is in hexadecimal representation rather than some other radix. In cases where the context makes it absolutely clear that numbers are represented in hexadecimal, no indicator is used. In much written material where the context doesn't make it clear what the radix is, the numeric subscript 16 following the hexadecimal number is used. In most programming languages, this method isn't really feasible, so there are several conventions used depending on the language. In the C and C++ languages, hexadecimal constants are represented with a "0x" preceding the number, as in: 0x317F, or 0x1234, or 0xAF. In assembler programming languages that follow the Intel style, a hexadecimal constant begins with a numeric character (so that the assembler can distinguish it from a variable name), a leading "0" being used if necessary. The letter "h" is then suffixed onto the number to inform the assembler that it is a hexadecimal constant. In Intel style assembler format: 371Fh and 0FABCh are valid hexadecimal constants.
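As an added worked example (not from the original post), the following Python puts the three methods above into code: the positional sum used for binary-to-decimal, the successive-division method generalised to any radix from 2 to 16, the four-bit grouping for binary/hexadecimal conversion, and a small parser for the C-style "0x" and Intel-style trailing "h" notations. The function names and the digit table are this example's own choices.

```python
# Added example, not from the original post: positional notation and
# successive division, generalised to any radix between 2 and 16.
DIGITS = "0123456789ABCDEF"   # numerals for bases up to 16, as listed in section 3


def to_radix(value: int, radix: int) -> str:
    """Convert a non-negative integer to a digit string in the given radix.
    Successive division by the radix: each remainder is one digit, least significant first."""
    if not 2 <= radix <= 16:
        raise ValueError("radix must be between 2 and 16")
    if value < 0:
        raise ValueError("only non-negative values are handled here")
    if value == 0:
        return "0"
    digits = []
    while value > 0:
        value, remainder = divmod(value, radix)
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))   # remainders come out reversed, so flip them


def from_radix(text: str, radix: int) -> int:
    """Evaluate a digit string positionally: running total * radix + digit, left to right.
    This is the same as summing digit * radix**position."""
    if not text:
        raise ValueError("empty digit string")
    total = 0
    for ch in text.upper():
        digit = DIGITS.index(ch)          # raises ValueError for a non-numeral
        if digit >= radix:
            raise ValueError(f"digit {ch!r} is not valid in base {radix}")
        total = total * radix + digit
    return total


def binary_to_hex(bits: str) -> str:
    """Group the bits in fours from the right (padding with leading zeros) and map each group."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("not a binary string")
    padded = bits.zfill((len(bits) + 3) // 4 * 4)
    groups = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return "".join(DIGITS[from_radix(group, 2)] for group in groups)


def hex_to_binary(hexdigits: str) -> str:
    """The reverse: every hexadecimal digit expands to exactly four bits."""
    return "".join(to_radix(from_radix(h, 16), 2).zfill(4) for h in hexdigits)


def parse_hex_constant(text: str) -> int:
    """Accept the two source-code conventions described above: 0x317F (C/C++) and 0FABCh (Intel assembler),
    where the Intel form must start with a digit so the assembler can tell it from a variable name."""
    t = text.strip()
    if len(t) > 2 and t[:2].lower() == "0x":
        return from_radix(t[2:], 16)
    if len(t) > 1 and t[-1] in "hH":
        if not t[0].isdigit():
            raise ValueError("Intel-style constant must begin with a numeric character")
        return from_radix(t[:-1], 16)
    raise ValueError(f"{text!r} carries no hexadecimal marker")


if __name__ == "__main__":
    print(to_radix(843, 10), to_radix(45, 2), from_radix("101101", 2))   # 843 101101 45
    print(binary_to_hex("101101"), hex_to_binary("2D"))                   # 2D 00101101
    print(parse_hex_constant("0x317F"), parse_hex_constant("0FABCh"))     # 12671 64188
```

Because `from_radix` rejects any numeral at or above the radix, it also serves as an input validator: "19" is accepted in base 10 but refused in base 2, which is the check you want before trusting user-supplied numbers in a given base.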

4. Binary Coded Decimal Numbers
Another number system that is encountered occasionally is Binary Coded Decimal. In this system, numbers are represented in a decimal form; however, each decimal digit is encoded using a four bit binary number.
136 = 0001 0011 0110

Conversion of numbers between decimal and BCD is quite simple. To convert from decimal to BCD, simply write down the four bit binary pattern for each decimal digit. To convert from BCD to decimal, divide the number into groups of 4 bits and write down the corresponding decimal digit for each 4 bit group.
There are a couple of variations on the BCD representation, namely packed and unpacked. An unpacked BCD number has only a single decimal digit stored in each data byte. In this case, the decimal digit will be in the low four bits and the upper 4 bits of the byte will be 0. In the packed BCD representation, two decimal digits are placed in each byte. Generally, the high order bits of the data byte contain the more significant decimal digit.
Example:
01010110 10010011
This is converted to a decimal number as follows:
0101 0110 1001 0011
 5     6   9     3

The use of BCD to represent numbers isn't as common as binary in most computer systems, as it is not as space efficient. In packed BCD, only 10 of the 16 possible bit patterns in each 4 bit unit are used. In unpacked BCD, only 10 of the 256 possible bit patterns in each byte are used. A 16 bit quantity can represent the range 0 - 65535 in binary, 0 - 9999 in packed BCD and only 0 - 99 in unpacked BCD.
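Added example, not from the original post: packed and unpacked BCD encoding and decoding in Python, including the check that rejects the six unused nibble patterns (1010 through 1111), which a decoder must treat as an error rather than silently turn into a digit. The function names are this example's own.

```python
# Added example, not from the original post: BCD encode/decode with validation.


def bcd_groups(value: int) -> str:
    """Write each decimal digit as its 4-bit pattern, e.g. 136 -> '0001 0011 0110'."""
    return " ".join(format(int(d), "04b") for d in str(value))


def to_packed_bcd(value: int) -> bytes:
    """Two decimal digits per byte, more significant digit in the high nibble;
    an odd digit count gets a leading zero digit."""
    if value < 0:
        raise ValueError("BCD here is unsigned")
    digits = str(value)
    if len(digits) % 2:
        digits = "0" + digits
    return bytes((int(digits[i]) << 4) | int(digits[i + 1]) for i in range(0, len(digits), 2))


def to_unpacked_bcd(value: int) -> bytes:
    """One decimal digit per byte, in the low nibble; the high nibble is 0."""
    if value < 0:
        raise ValueError("BCD here is unsigned")
    return bytes(int(d) for d in str(value))


def from_packed_bcd(data: bytes) -> int:
    """Decode packed BCD, refusing any nibble above 9 (the unused patterns)."""
    value = 0
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            if nibble > 9:
                raise ValueError(f"invalid BCD nibble {nibble:04b}")
            value = value * 10 + nibble
    return value


def from_unpacked_bcd(data: bytes) -> int:
    """Decode unpacked BCD, refusing bytes whose high nibble is set or whose digit exceeds 9."""
    value = 0
    for byte in data:
        if byte > 9:
            raise ValueError(f"invalid unpacked BCD byte {byte:08b}")
        value = value * 10 + byte
    return value


def bcd_range_max(bits: int, packed: bool) -> int:
    """Largest value a fixed number of bits can hold in each BCD form (compare: 2**bits - 1 in binary)."""
    digits = bits // 4 if packed else bits // 8
    return 10 ** digits - 1


if __name__ == "__main__":
    print(bcd_groups(136))                                 # 0001 0011 0110
    print(to_packed_bcd(5693).hex(), from_packed_bcd(b"\x56\x93"))   # 5693 5693
    print(bcd_range_max(16, packed=True), bcd_range_max(16, packed=False))   # 9999 99
```

The byte string `b"\x56\x93"` is the page's example `01010110 10010011`; decoding it yields 5693, and decoding `b"\x5a"` raises because 1010 is not a decimal digit.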

5. Fixed Precision and Overflow
So far, in talking about binary numbers, we haven't considered the maximum size of the number. We have assumed that as many bits are available as needed to represent the number. In most computer systems, this isn't the case. Numbers in computers are typically represented using a fixed number of bits. These sizes are typically 8 bits, 16 bits, 32 bits, 64 bits and 80 bits. These sizes are generally a multiple of 8, as most computer memories are organized on an 8 bit byte basis. Numbers in which a specific number of bits are used to represent the value are called fixed precision numbers. When a specific number of bits are used to represent a number, that determines the range of possible values that can be represented. For example, there are 256 possible combinations of 8 bits, therefore an 8 bit number can represent 256 distinct numeric values and the range is typically considered to be 0-255. Any number larger than 255 can't be represented using 8 bits. Similarly, 16 bits allows a range of 0-65535.
When fixed precision numbers are used, the concept of overflow must be considered. An overflow occurs when the result of a calculation can't be represented with the number of bits available. For example, when adding the two eight bit quantities 150 + 170 = 320, the result is outside the range 0-255, and so it can't be represented using 8 bits. The result has overflowed the available range. When overflow occurs, the low order bits of the result will remain valid, but the high order bits will be lost. This results in a value that is significantly smaller than the correct result.

6. Signed and Unsigned Numbers
So far, we have only considered positive values for binary numbers. When a fixed precision binary number is used to hold only positive values, it is said to be unsigned. In this case, the range of positive values that can be represented is 0 to 2^n - 1, where n is the number of bits used. It is also possible to represent signed (negative as well as positive) numbers in binary. In this case, part of the total range of values is used to represent positive values, and the rest of the range is used to represent negative values.
There are several ways that signed numbers can be represented in binary, but the most common representation used today is called two's complement. The term two's complement is somewhat ambiguous, in that it is used in two different ways. First, as a representation, two's complement is a way of interpreting and assigning meaning to a bit pattern contained in a fixed precision binary quantity. Second, the term two's complement is also used to refer to an operation that can be performed on the bits of a binary quantity. As an operation, the two's complement of a number is formed by inverting all of the bits and adding 1. In a binary number being interpreted using the two's complement representation, the high order bit of the number indicates the sign. If the sign bit is 0, the number is positive, and if the sign bit is 1, the number is negative. For positive numbers, the rest of the bits hold the true magnitude of the number. For negative numbers, the lower order bits hold the complement (or bitwise inverse) of the magnitude of the number. It is important to note that two's complement representation can only be applied to fixed precision quantities, that is, quantities where there are a set number of bits.
Two's complement representation is used because it reduces the complexity of hardware in the arithmetic-logic unit of a computer's CPU. Using two's complement representation, all of the arithmetic operations can be performed by the same hardware whether the numbers are considered to be unsigned or signed. The bit operations performed are identical, the difference comes from the interpretation of the bits. The interpretation of the value will be different depending on whether the value is considered to be unsigned or signed.
Example: Find the two's complement of the following 8 bit number: 00101001
 11010110 (first invert the bits)
+00000001 (then add 1)
=11010111
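Added example, not from the original post: 8-bit fixed-precision addition with an overflow flag, the two's complement operation (invert and add 1), and the two readings of a single bit pattern, to make concrete the point above that the hardware does the same thing for signed and unsigned values and only the interpretation changes. This wraparound is also the mechanism behind integer-overflow bugs, which is why the overflow flag is worth checking. The function names are this example's own; the width defaults to 8 bits.

```python
# Added example, not from the original post: fixed precision, overflow and two's complement.
from typing import Tuple


def mask(bits: int = 8) -> int:
    return (1 << bits) - 1


def add_fixed(a: int, b: int, bits: int = 8) -> Tuple[int, bool]:
    """Add two bit patterns of the given width. Returns (low-order bits kept, overflow flag).
    The flag is what a CPU sets when the high-order bits are lost."""
    full = a + b
    return full & mask(bits), full > mask(bits)


def twos_complement(pattern: int, bits: int = 8) -> int:
    """The operation: invert every bit, then add 1, staying inside the fixed width."""
    inverted = ~pattern & mask(bits)
    return (inverted + 1) & mask(bits)


def interpret(pattern: int, bits: int = 8) -> Tuple[int, int]:
    """The representation: the same bit pattern read as unsigned and as two's complement signed.
    If the sign bit is set, the signed value is pattern - 2**bits."""
    unsigned = pattern & mask(bits)
    signed = unsigned - (1 << bits) if unsigned >> (bits - 1) else unsigned
    return unsigned, signed


def unsigned_range(bits: int = 8) -> Tuple[int, int]:
    return 0, mask(bits)


def signed_range(bits: int = 8) -> Tuple[int, int]:
    return -(1 << (bits - 1)), (1 << (bits - 1)) - 1


def bits_str(pattern: int, bits: int = 8) -> str:
    return format(pattern & mask(bits), f"0{bits}b")


if __name__ == "__main__":
    print(add_fixed(150, 170))                           # (64, True): 320 lost its high bit
    neg = twos_complement(0b00101001)                    # the page's worked example
    print(bits_str(neg), interpret(neg))                 # 11010111 (215, -41)
    print(add_fixed(neg, 0b00101001))                    # (0, True): -41 + 41 = 0 when read as signed
```

The last line is the whole argument for two's complement in one step: adding the patterns for -41 and 41 produces all zeros, and the "overflow" the unsigned reading reports is just the carry out of the top bit, which the signed reading discards.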

Monday, 23 November 2015

VLANs (Virtual LANs) - Part 2

Port-based VLANs
In the previous post (VLANs), we simply stated that the network is split up into sets of virtual LANs. It is one thing to say this; it is quite another thing to understand how this is actually achieved.
Fundamentally, the act of creating a VLAN on a switch involves defining a set of ports, and defining the criteria for VLAN membership for workstations connected to those ports.
By far the most common VLAN membership criterion is port-based. We will consider that criterion here, and visit the other options later in this post.
With port-based VLANs, the ports of a switch are simply assigned to VLANs, with no extra criteria.

All devices connected to a given port automatically become members of the VLAN to which that port was assigned.
In effect, this just divides a switch up into a set of independent sub-switches.

Protocol-based VLANs
With this method, different protocol types are assigned to different VLANs. For example, IP defines one VLAN, IPX defines another VLAN, NetBEUI yet another VLAN, etc.

Subnet-based VLANs
With this method, the VLAN membership is defined by the subnet to which a workstation's IP address belongs.

Workstation or packet?
Now that you have read the descriptions of protocol-based and subnet-based VLANs, it is possible that some awkward questions will come to your mind like "Isn't a VLAN a set of workstations? How does a protocol specify a workstation?" etc.
At this point, you may be starting to see that the description of a VLAN as a set of workstations is a bit of a simplification. So, let us look a bit deeper here and get to a better understanding of what VLAN membership means.
In fact, a given workstation can belong to multiple VLANs. It could belong to one subnet-based VLAN when sending IP packets, another protocol-based VLAN when sending IPX packets, and yet another different port-based VLAN when sending some other protocol.
So, certainly, when analysing the VLAN setup on a network, it is a mistake to ask "What VLAN does this workstation belong to?" The more meaningful question to ask is "If a packet of such-and-such a protocol arrived at port x of the switch, which VLAN would that packet be associated with?"
It is important to really understand the change of mind-set that has just been introduced here. When initially learning about VLANs, it is usual to think of VLANs as sets of workstations. And, in practice, this is often all that a network administrator wants to achieve. However, once the VLAN configuration on a switch becomes complex, with multiple VLANs of different types all configured on the same port, it is no longer possible to really think about the VLAN from the workstation point of view. It becomes necessary to think of it from the packet point of view.
Therefore, it really is vital to think of packets being associated to VLANs when trying to understand VLAN configurations. Any other approach just ends in confusion.
The main point is that, when using protocol-based and subnet-based VLANs, it is data streams that are divided into VLANs, not necessarily whole workstations.
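Added example, not from the original post: a small Python model of a switch that classifies each packet into a VLAN using port-based, protocol-based and subnet-based rules, to make the "packet, not workstation" point concrete. The precedence (subnet rule first, then protocol, then the port default), the port numbers, VLAN IDs and addresses are all this example's assumptions; real switches differ in how they order these rules.

```python
# Added example, not from the original post: VLAN membership decided per packet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ingress_port: int
    protocol: str                 # protocol type carried by the frame: "IP", "IPX", "NetBEUI", ...
    src_ip: Optional[str] = None  # only meaningful for IP


class VlanClassifier:
    """Answers the question the text says is the meaningful one:
    'if a packet of protocol P arrived at port x, which VLAN is it associated with?'
    Rule precedence (subnet > protocol > port) is this example's assumption."""

    def __init__(self, port_vlans: Dict[int, int], protocol_vlans: Dict[str, int],
                 subnet_vlans: Dict[str, int]):
        self.port_vlans = dict(port_vlans)
        self.protocol_vlans = {p.upper(): v for p, v in protocol_vlans.items()}
        self.subnet_vlans = [(ip_network(net), v) for net, v in subnet_vlans.items()]

    def classify(self, pkt: Packet) -> Tuple[int, str]:
        """Return (vlan id, which rule matched)."""
        if pkt.protocol.upper() == "IP" and pkt.src_ip is not None:
            addr = ip_address(pkt.src_ip)
            for net, vlan in self.subnet_vlans:
                if addr in net:
                    return vlan, "subnet"
        vlan = self.protocol_vlans.get(pkt.protocol.upper())
        if vlan is not None:
            return vlan, "protocol"
        if pkt.ingress_port in self.port_vlans:
            return self.port_vlans[pkt.ingress_port], "port"
        raise ValueError(f"port {pkt.ingress_port} is not assigned to any VLAN")


# Constructed configuration for one switch (numbers are illustrative only).
SWITCH = VlanClassifier(
    port_vlans={1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20},   # port-based default
    protocol_vlans={"IPX": 30},                             # protocol-based
    subnet_vlans={"192.168.5.0/24": 40},                    # subnet-based
)


def vlans_seen_from_port(port: int, traffic) -> Dict[str, int]:
    """One workstation, one port, several VLANs: map each protocol it sends to the VLAN it lands in."""
    return {pkt.protocol: SWITCH.classify(pkt)[0] for pkt in traffic if pkt.ingress_port == port}


if __name__ == "__main__":
    # Constructed traffic from a single workstation on port 2.
    traffic = [Packet(2, "IP", "192.168.5.7"), Packet(2, "IPX"), Packet(2, "NetBEUI")]
    print(vlans_seen_from_port(2, traffic))   # {'IP': 40, 'IPX': 30, 'NetBEUI': 10}
```

The workstation on port 2 is in VLAN 40 for its IP traffic, VLAN 30 for IPX and VLAN 10 for everything else, which is exactly why "what VLAN is this workstation in?" has no single answer here. The raised `ValueError` for an unassigned port is deliberate: a port with no VLAN should be an error to the administrator, not silently dropped into a default.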



Sunday, 22 November 2015

VLANs (Virtual LANs)

What is a VLAN?
In simple terms, a VLAN (Virtual LAN) is a set of workstations within a LAN that can communicate with each other as though they were on a single, isolated LAN.
Question: What does it mean to say that they "communicate with each other as though they were on a single, isolated LAN"?
Answer:
- broadcast packets sent by one of the workstations will reach all the others in the VLAN
- broadcasts sent by one of the workstations in the VLAN will not reach any workstations that are not in the VLAN
- broadcasts sent by workstations that are not in the VLAN will never reach workstations that are in the VLAN
- the workstations can all communicate with each other without needing to go through a gateway. For example, IP connections would be established by ARPing for the destination IP and sending packets directly to the destination workstation - there would be no need to send packets to the IP gateway to be forwarded on.
- the workstations can communicate with each other using non-routable protocols.

The purpose of VLANs
The basic reason for splitting a network into VLANs is to reduce congestion on a large LAN. To understand this problem, we need to look briefly at how LANs have developed over the years.
Initially LANs were very flat - all the workstations were connected to a single piece of coaxial cable, or to sets of chained hubs. In a flat LAN, every packet that any device puts onto the wire gets sent to every other device on the LAN.
As the number of workstations on the typical LAN grew, they started to become hopelessly congested; there were just too many collisions, because most of the time when a workstation tried to send a packet, it would find that the wire was already occupied by a packet sent by some other device.
This section describes the three solutions for this congestion that were developed:
1. Using routers to segment LANs
2. Using switches to segment LANs
3. Using VLANs to segment LANs

1. Using routers to segment LANs
The early solution to this problem was to segment the network using routers. This would split the network into a number of smaller LANs. There would be fewer workstations on each LAN, and so less congestion.
Of course, routable data being sent between LANs would have to be routed, so the layer 3 addresses would have to be organized so that each LAN had an identifiable set of addresses that could be routed to - such as an IP subnet. Non-routable protocols would have to be bridged, which is not quite so congestion-reducing, because bridges forward all broadcasts. But, at least for unicast packets, a bridge only forwards packets if it knows that the destination address is not in the originating LAN.

2. Using switches to segment LANs
As switches became more available, there was a move from chained hubs to a set of hubs connected to a switch. A switch only sends traffic to a given port if the traffic has to go to that port. So switches have the effect of reducing congestion at workstations, by stopping the workstations from seeing all the traffic from other ports of the switch.
A simple switched network, though, still needs routers to set the boundaries of where broadcasts are sent (referred to as "broadcast containment"). So, the typical LAN was set up as shown in the following figure:

The above figure introduces the concept of a LAN segment. This is also referred to as a collision domain, because when a device is trying to send a packet, it can only collide with packets sent by other devices on the same segment. Each LAN segment consists of all the devices attached to a single switch port - the switch stops packets from different ports from colliding with each other.
The LAN itself is referred to as a broadcast domain, because if any device within the LAN sends out a broadcast packet, it will be transmitted to all devices in that LAN, but not to devices beyond the LAN.

3. Using VLANs to segment LANs
As LANs became larger, data rates became faster, and users desired greater flexibility, the routers in a network started to become a bottleneck. This is because:
- routers typically forward data in software, and so are not as fast as switches
- splitting up a LAN using routers meant that a LAN typically corresponded to a particular physical location. This became limiting when many users had laptops and wanted to be able to move between buildings, but still have the same network environment wherever they plugged in.
So, switch vendors started implementing methods for defining "virtual LANs" - sets of switch ports, usually distributed across multiple switches, that somehow interacted as though they were in a single isolated LAN. This way, workstations could be separated off into separate LANs without being physically divided up by routers.
At about the same time, hubs became less popular and have been largely replaced by L2 switches. This has made the whole concept of a collision domain somewhat historical. In modern networks, a "collision domain" mostly consists of a single device attached to an L2 switch port, or possibly a PC with something like an IP phone attached to it.
So, the layout of the LAN has become more like:

So, instead of the LANs corresponding to physical areas divided from each other by routers, there are virtual LANs distributed across the network. For example, all the devices in the various areas labelled "VLAN A" all belong to a single virtual LAN - i.e. a single broadcast domain.



Wednesday, 11 November 2015

Domain Name System (DNS)

The Domain Name System (DNS) is one of the most important components of Internet infrastructure. If DNS is unavailable, you'll have difficulty finding resources on the Internet and, likewise, others will be unable to find you. That's because DNS is the phone book that translates names such as www.mysite.com to Internet Protocol (IP) addresses such as 199.239.136.245, and vice versa. DNS saves us from having to remember the IP addresses of all of our favorite sites, and it allows Web pages to link to others by name, not by IP address. Finding hosts by name allows IP addresses to change over time, allowing sites to grow, change location, or reconfigure. But, DNS does a whole lot more than just name-to-address mapping. Understanding the basic structure, function, and operations of DNS is an important foundation for all modern-day IT professionals.
DNS is a hierarchical, distributed database with delegated authority. The "delegated authority" part means that you're responsible for providing a way for Internet users to look up an IP address associated with your organization's domain. Many organizations let their ISPs manage DNS for them, but that's a risky proposition at best. A configuration mistake or failure at your ISP can make your company appear offline for at least a portion of the Internet. A political issue could cause you to lose control of your domain information. And, unless you're your ISP's largest customer, you have to wait in line with everyone else when you need to make a change to one of your DNS records.
DNS holds the key to your existence on the Internet, which is why you want to control DNS for your domain. DNS is even more than that. DNS is an anti-phishing mechanism, it helps your organization to reject email spam, and it's a privacy mechanism that helps to hide your internal network topology. Here are just a few ways DNS helps in these areas:
1. Anti-phishing: Imagine how quickly your personal information would be lost if you couldn't trust the identity of your online bookseller or bank. When DNS is working correctly, it helps you to reach the real site, not the imitation one run by an identity thief.
2. Anti-spam: Do you think that you get a lot of spam? You'd be getting a lot more if DNS weren't working for you. Your mail server can verify domain names on incoming email messages, helping to weed out spam. New DNS mechanisms, including Sender Policy Framework (SPF) or DomainKeys (DKIM), identify who is allowed to send mail on behalf of a domain so you can reject email from imposters. Real-time blacklists (RBLs) let your mail server quickly check whether a sender is a known spammer or a known infected machine. RBLs such as www.spamhaus.org use DNS as a lightweight query-response mechanism for checking the addresses of email senders.
3. Privacy: DNS reveals to external clients only what you want the public to see about your network. Likewise, it lets internal users and servers see whatever is appropriate for them to see. DNS helps you mask addresses by giving them different names depending on whether they're accessed from the inside or outside of your network, helping to increase your network security.

The three main components of a DNS system are:
- Domain Name Space: defines the overall naming structure of the Internet
- Name Server: maintains a portion of the domain name space, resolves lookups, and maintains a cache
- Domain Name Resolution: maps a domain name to an IP address

Domain Name Space
The domain name space defines the overall naming structure of the Internet.
The name space consists of a tree structure of domain names, with a root domain at the top. Immediately below the root domain are the major domains such as .com, .net, and .org. From these domains, the name space can branch into multiple paths, with each intersection point called a node and labeled with a simple name.

DNS processes a domain name from right to left, with the highest-level node represented at the far right, and the lowest level node at the far left. The node labels are separated by dots (example: google.com).
The domain name of any node in the tree is the sequence of node labels leading from that node all the way up to the root domain. The top-level node (appearing farthest to the right) identifies the geography or purpose (examples: .com, .uk). The second-level node (appearing second from the right) identifies a unique place within the top-level domain.
Domain names can contain up to 255 characters consisting of: characters A to Z, 0 to 9, and/or "-"; 63 characters per node; and up to 127 node levels. To ensure that each node is uniquely identified, DNS requires that sibling nodes - nodes that are "children" of the same "parents" - be uniquely named. For example, these "absolute" names are unique:
beckett.af.mil

As shown in the following diagram, the name space tree is sub-divided into zones. A zone consists of a group of linked nodes served by an authoritative DNS name server (the final authority in providing information about a set of domains).

A zone contains domain names starting at a particular point in the tree ("Start Of Authority") to the end node or to a point in the tree where another host has authority for the names.
For example, the top-level .gov domain has the subdomains wa.gov, tx.gov, co.gov for the states Washington, Texas and Colorado. The .gov zone file contains pointers to the sources of data for tx.gov, co.gov and wa.gov.
Similarly, if the wa.gov domain delegated authority for dol.wa.gov to the information systems section of the Washington State Department of Licensing, the zone file for wa.gov only contains a pointer to the data source for dol.wa.gov.

Each node in the tree has one or more resource records (RRs), which hold information about the domain name (for instance, the IP address of www.google.com).
RRs can store a large variety of information about a domain: IP address, name server, mail exchanger, alias, hostname, geo-location, service discovery, certificates and arbitrary text.
The main RR types are:
a) Start-of-Authority (SOA) Record
When a zone file indicates to a querying server that this is the authoritative record for this domain, it says to the query, "You have arrived". The SOA contains the following data fields:
- Serial Number: indicates number of changes to the zone file. The number increases as the file is updated.
- Refresh: tells the name server how often to check to update its data
- Retry: tells server when to return if it is unable to refresh data
- Expire: tells how long the data can sit before it is too old to be valid
- Time to Live: tells other servers how long to cache the data they have downloaded

b) Name Server (NS) Record
An NS record is a record that indicates which computer is to be used to retrieve information about the domain name space for a particular domain name. A Host Name Server contains information about "your" computer and supplies IP addresses that are associated with it.

c) Mail eXchange (MX) Record
MX records specify the mail server address for the domain name. This record allows email addressed to a specific domain to be delivered to the mail server that is responsible for it. The mail server is a host address. There can be a number of mail servers associated with an MX record. Each server has a priority set for mail receipt.

d) Address (A) Record
This record tells the name server the correct IP address for the domain. The name server that is authoritative for the domain contains all the information necessary to resolve this name.

e) Canonical (C-NAME) Record
CNAME records provide name-to-name-to-IP-address mapping for any domain name aliasing. The difference between CNAME and A records is that the CNAME resolves to another domain name, which then resolves to an IP address.

Name Servers
Name servers generally store complete information about a zone. There are two types of name servers: primary and secondary. Every zone must have its data stored on both a primary and a secondary name server.

Primary Name Servers
Primary name servers hold "authoritative" information about a set of domains, as well as cached data about domains previously requested from other servers.
Each name server stores a portion of the overall name space (a zone file), and can contact other name servers to look up names outside its name space. The name server listens for DNS queries, and if the queried name is in the local zone data or cache, responds immediately with an answer. If the name isn't in the local database or cache, the server uses its "resolver" to forward the query to other authoritative name servers.
If domain data changes, the primary name server is responsible for incrementing the Serial Number field in the SOA record in order to signal the change to secondary name servers.

Secondary Name Servers
Secondary name servers can download a copy of zone information from a primary name server using a process called a "zone transfer". Zone transfers allow secondary name servers to download complete copies of zones. Secondary name servers perform "zone transfers" according to the Expire Time parameter in the SOA record.

Dynamic DNS (DDNS)
Over the last decade, the exponential increase in the number of hosts on the Internet eventually uncovered two drawbacks with the original DNS system.
First, changes to zone files would not take effect until the DNS server was stopped and restarted. Second, primary name servers could only update secondary servers through processes called zone transfers. Traditional full zone transfers are inefficient because they occur on a scheduled basis instead of occurring as changes are made. These full transfers also involve transfer of all the records in a zone regardless of how many are changed.
To address these problems, the IETF defined the Dynamic DNS (DDNS) protocol in RFC 2136, zone change notification in RFC 1996, and incremental transfers in RFC 1995. DDNS allows DHCP servers to send updates to primary DNS servers, removing the need for administrator intervention. Additionally, when a change is made on the primary server, a zone change notification is immediately sent to the secondary servers, with only the changed records being transferred.

Full Zone Transfer Process
To perform a zone transfer, the secondary name server queries the primary name server to determine if any changes have been made to the zone. The query is based on data in the primary server's SOA record: the Serial Number, and the interval specified by the Minimum TTL value.
The secondary server downloads all RR even if there are only a few modified records. Primary and secondary name servers are typically out of synchronization by approximately one hour.

Incremental Zone Transfer Process
If the primary name server supports NOTIFY and Incremental Zone Transfer (IXFR), it can tell the secondary as soon as part of the zone has changed. After receiving the NOTIFY, the secondary sends an IXFR query carrying its current serial number, and the primary returns only the changes made since that serial (if its change history no longer reaches back that far, the secondary falls back to a full AXFR).
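The refresh, NOTIFY, IXFR and AXFR behaviour described in the last three sections, as an in-memory model. This is an added example, not code from the original post or from any name server: PrimaryZone, SecondaryZone and the zone data are this example's own, and nothing is sent on the network. The serial comparison follows RFC 1982 so that a counter wrapping past 2^32 is still seen as "newer".

```python
"""Secondary name server refresh, NOTIFY, IXFR and AXFR decision logic.
Added example, not from the original post: an in-memory model of the
SOA-driven process described above. PrimaryZone/SecondaryZone and the
zone data are this example's own; nothing is sent on the network.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple

RR = Tuple[str, str, str]                  # (owner name, RR type, rdata)
Delta = Tuple[int, int, Set[RR], Set[RR]]  # (from serial, to serial, deleted, added)
SERIAL_MOD, SERIAL_HALF = 1 << 32, 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is a 'newer' than b, allowing 32-bit wraparound?"""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


@dataclass
class SOA:
    serial: int
    refresh: int   # how often the secondary polls the primary's SOA
    retry: int     # poll interval after a failed refresh
    expire: int    # stop serving the zone after this long without a successful refresh
    minimum: int   # negative-caching TTL (RFC 2308); plays no part in transfer timing


@dataclass
class PrimaryZone:
    soa: SOA
    records: Set[RR]
    journal: List[Delta] = field(default_factory=list)   # IXFR history, oldest first

    def update(self, deleted: Set[RR], added: Set[RR]) -> None:
        """Apply a change (e.g. an RFC 2136 dynamic update) and increment the serial."""
        old = self.soa.serial
        self.records = (self.records - deleted) | added
        self.soa.serial = (old + 1) % SERIAL_MOD
        self.journal.append((old, self.soa.serial, deleted, added))

    def ixfr(self, from_serial: int) -> Optional[List[Delta]]:
        """Deltas carrying from_serial up to the current serial, or None when the
        journal no longer reaches back that far (the secondary must fall back to AXFR)."""
        deltas = [d for d in self.journal if d[0] == from_serial or serial_gt(d[0], from_serial)]
        if not deltas or deltas[0][0] != from_serial:
            return None
        return deltas


@dataclass
class SecondaryZone:
    soa: SOA
    records: Set[RR]
    last_success: float = 0.0   # time of the last successful SOA check or transfer
    notified: bool = False      # a NOTIFY (RFC 1996) arrived: poll now instead of waiting

    def notify(self) -> None:
        self.notified = True

    def refresh(self, primary: Optional[PrimaryZone], now: float) -> str:
        """One refresh cycle; returns the action taken:
        wait, retry, expired, in-sync, ixfr or axfr."""
        if not self.notified and now - self.last_success < self.soa.refresh:
            return "wait"
        self.notified = False
        if primary is None:                              # primary unreachable
            if now - self.last_success > self.soa.expire:
                self.records = set()                     # zone expired: stop answering for it
                return "expired"
            return "retry"                               # try again after RETRY seconds
        if not serial_gt(primary.soa.serial, self.soa.serial):
            self.last_success = now
            return "in-sync"                             # serial unchanged: nothing to fetch
        deltas = primary.ixfr(self.soa.serial)
        if deltas is not None:
            for _, _, deleted, added in deltas:          # replay the journal in order
                self.records = (self.records - deleted) | added
            action = "ixfr"
        else:
            self.records = set(primary.records)          # full copy of every record
            action = "axfr"
        self.soa = replace(primary.soa)
        self.last_success = now
        return action
```

Two details worth noticing when you run it: a NOTIFY only shortcuts the wait, the secondary still verifies the serial before transferring anything, and an IXFR request the primary can no longer satisfy from its journal (for instance after a restart that discarded it) degrades to a full AXFR rather than leaving the secondary behind.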

Domain Name Resolution
Resolvers
Name servers can retrieve data from both their own domain name space and the name spaces of other name servers. This is what translates human-readable domain names into machine-readable IP addresses.
When a name server acts as a "resolver", it maps a domain name, such as www.google.com, to an IP address that identifies the domain's hosted location. The resolver serves as a link between two computers: the one requesting a domain's IP address, and the one holding that information. The resolver returns the domain's IP address to the computer that requested the information.

Domain Name Resolution Process

In order to resolve the IP address of a domain name, a name server works through the domain name segment by segment, from the highest-level domain on the right to the lowest-level domain on the left. The resolver usually has to query several servers, each authoritative for a different portion of the domain name, to gather all the necessary information.
A name server begins a search by first checking its own name space. If the queried domain name is not part of its space, the name server then issues a query to a root name server.
The root name server returns the names and addresses of the top-level name servers ("referrals") that are authoritative for the top-level domain. Root name servers know where the authoritative name servers are for all the top-level domains.
Next, the top-level name servers provide the list of name servers authoritative for the second-level domain. Each name server queried provides further information about how to get "closer" to the server that holds the answer.






Some resolvers, known as stub resolvers, can only communicate with a single name server. They rely on a recursive name server to do the work of finding the information for them.

Caching
One of the inherent abilities of DNS is to store recently retrieved data, a process called "caching", which speeds up the resolution process.
Each time a name server "learns" the authoritative name servers for a zone and the addresses of those servers, it can cache this information to help speed-up subsequent queries. Thus, the next time a resolver queries for the same domain name, the name server is able to respond immediately because the answer is stored in its cache.
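The referral walk and the caching described above, as a toy iterative resolver. This is an added example, not code from the original post: the three servers, their zones and the 192.0.2.x addresses are constructed for the illustration, servers are reached by name (a real resolver would also use the glue A records in each referral), and nothing is sent on the network.

```python
"""Iterative name resolution with referral caching. Added example, not from
the original post: servers, zones and addresses are constructed, nothing
is sent on the network. It models the walk from a root server through TLD
referrals to the authoritative server, and the NS caching that lets a later
query for a name in the same zone skip the root and TLD servers.
"""
from typing import Dict, List, Optional, Tuple

# server name -> {owner name -> {RR type -> rdata list}} (constructed data)
SERVERS: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "a.root-servers.net.": {"com.": {"NS": ["a.gtld-servers.net."]}},
    "a.gtld-servers.net.": {"example.com.": {"NS": ["ns1.example.com."]}},
    "ns1.example.com.": {
        "www.example.com.": {"A": ["192.0.2.80"]},
        "mail.example.com.": {"A": ["192.0.2.25"]},
    },
}


def suffixes(name: str) -> List[str]:
    """All zone suffixes of a fully qualified name, longest first, ending at the root '.'."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) + 1)]


def query(server: str, name: str, qtype: str) -> Tuple[str, Optional[str], Optional[List[str]]]:
    """One non-recursive query: ('answer', None, rdata), ('referral', child zone,
    name servers) or ('nxdomain', None, None)."""
    data = SERVERS[server]
    if name in data and qtype in data[name]:
        return "answer", None, data[name][qtype]
    for zone in suffixes(name)[1:]:            # proper suffixes only, closest first
        if zone in data and "NS" in data[zone]:
            return "referral", zone, data[zone]["NS"]
    return "nxdomain", None, None


class Resolver:
    def __init__(self, root: str = "a.root-servers.net."):
        self.root = root
        self.ns_cache: Dict[str, List[str]] = {}                 # zone -> learned servers
        self.answer_cache: Dict[Tuple[str, str], List[str]] = {}

    def _closest_servers(self, name: str) -> List[str]:
        for zone in suffixes(name):              # longest cached suffix wins
            if zone in self.ns_cache:
                return self.ns_cache[zone]
        return [self.root]                       # nothing cached: start at the root

    def resolve(self, name: str, qtype: str = "A") -> Tuple[Optional[List[str]], List[str]]:
        """Return (rdata or None, servers queried in order)."""
        if (name, qtype) in self.answer_cache:
            return self.answer_cache[(name, qtype)], []
        servers, queried = self._closest_servers(name), []
        while len(queried) < 16:                 # guard against referral loops
            server = servers[0]
            queried.append(server)
            kind, zone, data = query(server, name, qtype)
            if kind == "answer":
                self.answer_cache[(name, qtype)] = data
                return data, queried
            if kind == "nxdomain":
                return None, queried
            self.ns_cache[zone] = data           # remember who is authoritative for zone
            servers = data                       # and ask them next
        return None, queried
```

The first lookup visits root, TLD and authoritative server in turn; the second lookup for a different name under example.com. goes straight to ns1.example.com. because the NS records were cached, which is exactly the saving the Caching section describes.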

Conclusion: A DNS system is a fundamental piece of the Internet framework.


Wednesday, 4 November 2015

Network Address Translation (NAT)



         This section explains Network Address Translation (NAT), also known as IP masquerading. NAT provides a mapping between internal IP addresses and officially assigned external addresses.
        Originally, NAT was suggested as a short-term solution to the problem of IP address depletion. Also, many organizations have, in the past, used locally assigned IP addresses, not expecting to require Internet connectivity.

        The idea of NAT is based on the fact that only a small number of the hosts in a private network are communicating outside of that network. If each host is assigned an IP address from the official IP address pool only when they need to communicate, then only a small number of official addresses are required.
        NAT might be a solution for networks that use private address ranges or unofficial addresses and want to communicate with hosts on the Internet. Much of the time this can also be achieved with an application-level firewall: clients that reach the Internet through a proxy or SOCKS server never expose their addresses to the Internet, so those addresses do not need to be translated. When a proxy or SOCKS server is not available or does not meet the requirements, NAT can be used to carry traffic between the internal and external networks without advertising the internal host addresses.
        Consider an internal network that uses the private IP address space, whose users want to run an application protocol for which there is no application gateway; the only option is to establish IP-level connectivity between hosts in the internal network and hosts on the Internet. Since routers in the Internet do not route packets back to a private IP address, there is no point in sending packets with private source addresses through a router into the Internet.
        NAT takes the IP address of an outgoing packet and dynamically translates it to an officially assigned global address. For incoming packets it translates the assigned address to an internal address.



        From the point of view of two hosts that exchange IP packets with each other, one in the secure network and one in the non-secure network, NAT looks like a standard IP router that forwards IP packets between two network interfaces.





        For each outgoing IP packet, the source address is checked against the NAT configuration rules. If a rule matches the source address, the address is translated to a global address from the address pool; the predefined pool contains the addresses that NAT may use for translation. For each incoming packet, the destination address is checked against the addresses NAT currently has in use. If it matches, the address is translated back to the original internal address.




         If NAT translates an address in an IP packet, the IP header checksum (and the TCP or UDP checksum, which also covers the addresses) must be adjusted. For FTP the task is harder, because the packets can carry addresses inside the data of the packet: the FTP PORT command contains an IP address in ASCII. These addresses must also be translated correctly, and since the rewritten text can change the segment length, TCP sequence and acknowledgement numbers have to be adjusted accordingly.
        NAT looks like a normal IP router to the systems that use it. To make the routing tables work, the IP network design should choose addresses as if connecting two or more IP networks or subnets through a router. The NAT addresses need to come from separate networks or subnets, and they must be unambiguous with respect to the other networks or subnets in the non-secure network. If the non-secure network is the Internet, the NAT addresses must be public addresses officially allocated to the organization (through its ISP or regional registry, whose address space ultimately comes from IANA).
        The assigned addresses are kept in a pool so they can be used when needed. When a connection is established from the secure network, NAT picks the next free public address in the pool and assigns it to the requesting secure host. NAT keeps track of which internal IP addresses are mapped to which external IP addresses at any given point in time, so it can map a response received from the external network back to the corresponding secure IP address.
          When NAT assigns IP addresses on a demand basis, it needs to know when to return an external IP address to the pool of available addresses. There is no connection setup or tear-down at the IP level, so nothing in the IP protocol itself tells NAT when an association between a secure IP address and a NAT non-secure IP address is no longer needed. Since TCP is connection-oriented, the connection status (whether the connection has ended or not) can be read from TCP, whereas UDP carries no such information. Therefore, a timeout value should be configured that instructs NAT how long to keep an association in an idle state before returning the external IP address to the free NAT pool. Generally, the default value for this parameter is 15 minutes.
Network administrators also need to instruct NAT whether all the secure hosts are allowed to use NAT or not. This can be done by using corresponding configuration commands. If hosts in the non-secure network need to initiate connections to hosts in the secure network, NAT should be configured in advance as to which non-secure NAT address matches which secure IP address. Thus, a static mapping should be defined to allow connections from non-secure networks to a specific host in the internal network. The external name server may, for example, have an entry for a mail gateway that runs on a computer in the secure network. The external name server resolves the public host name of the internal mail gateway to the statically mapped IP address (the external address), and the remote mail server sends a connection request to the IP address. When that request comes to NAT on the non-secure interface, NAT looks into its mapping rules to see if it has a static mapping between the specified non-secure public IP address and a secure IP address. If so, it translates the IP address and forwards the IP packet into the secure network to the internal mail gateway.
         Note that the non-secure NAT addresses statically mapped to secure IP addresses must not overlap with the pool of non-secure addresses that NAT can use on a demand basis.
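The address pool, dynamic and static mappings and idle timeout described above, as a small model of a one-to-one NAT. This is an added example and not code from the original post or from any NAT implementation: the BasicNAT class, its methods and the 10.0.0.0/8 and 203.0.113.x addresses are constructed for the illustration. It models only the translation table and its housekeeping, not checksum rewriting or the FTP PORT fix-ups.

```python
"""Address pool, static mappings and idle timeout for a basic (one-to-one
address) NAT. Added example, not from the original post: class and method
names are this example's own, and it models only the translation table
and its housekeeping, not checksum rewriting or payload (FTP PORT) fixes.
All addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Mapping:
    internal: str
    external: str
    static: bool
    last_seen: float


class BasicNAT:
    def __init__(self, pool: Iterable[str], internal_prefix: str,
                 static: Optional[Dict[str, str]] = None, idle_timeout: float = 15 * 60):
        self.free: List[str] = list(pool)                   # public addresses available on demand
        self.rule = ipaddress.ip_network(internal_prefix)   # which secure hosts may use NAT
        self.idle_timeout = idle_timeout                    # reclaim a dynamic address after this idle time
        self.by_internal: Dict[str, Mapping] = {}
        self.by_external: Dict[str, Mapping] = {}
        # Statically mapped external addresses must not also sit in the dynamic pool,
        # otherwise the pool could hand out an address that is already spoken for.
        static = static or {}
        overlap = set(static.values()) & set(self.free)
        if overlap:
            raise ValueError(f"static mappings overlap the dynamic pool: {sorted(overlap)}")
        for internal, external in static.items():
            self._bind(internal, external, static=True, now=0.0)

    def _bind(self, internal: str, external: str, static: bool, now: float) -> Mapping:
        m = Mapping(internal, external, static, now)
        self.by_internal[internal] = m
        self.by_external[external] = m
        return m

    def _release(self, m: Mapping) -> None:
        del self.by_internal[m.internal]
        del self.by_external[m.external]
        self.free.append(m.external)                        # back into the pool for reuse

    def expire(self, now: float) -> None:
        """Reclaim dynamic addresses idle for too long (UDP gives no teardown to watch)."""
        for m in list(self.by_internal.values()):
            if not m.static and now - m.last_seen > self.idle_timeout:
                self._release(m)

    def outbound(self, src: str, now: float) -> Optional[str]:
        """Source address to put on an outgoing packet: translated if src matches the
        NAT rule, unchanged if it does not, None if the pool is exhausted (drop)."""
        self.expire(now)
        if ipaddress.ip_address(src) not in self.rule:
            return src
        m = self.by_internal.get(src)
        if m is None:
            if not self.free:
                return None
            m = self._bind(src, self.free.pop(0), static=False, now=now)
        m.last_seen = now
        return m.external

    def inbound(self, dst: str, now: float) -> Optional[str]:
        """Internal address for an incoming packet, or None if no mapping exists (drop).
        Static mappings answer even if the internal host never sent anything."""
        self.expire(now)
        m = self.by_external.get(dst)
        if m is None:
            return None
        m.last_seen = now
        return m.internal

    def close(self, internal: str) -> None:
        """TCP teardown observed for this host: free its dynamic address at once
        instead of waiting for the idle timeout."""
        m = self.by_internal.get(internal)
        if m is not None and not m.static:
            self._release(m)
```

With a two-address pool the third internal host is refused until an address is reclaimed, either by a TCP close or by the idle timer, and an inbound packet for an external address with no mapping is dropped rather than forwarded anywhere.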

         NAT works fine for IP addresses in the IP header. Some application protocols carry IP address information in the application data part of the packet, and NAT will generally not be able to translate those addresses. Handling such protocols requires an application level gateway that understands each protocol, which is considerably more sophisticated than a standard NAT implementation.

Saturday, 31 October 2015

Dynamic Host Configuration Protocol (DHCP)



          Every computer or device that connects to the Internet or to an IP network needs an IP address. Most users do not have the expertise to configure an IP address, subnet mask, and gateway. In addition, whenever a computer changes its location in the network, it must receive a new address. Somehow, the address assigned to each device and the addresses that are still available must both be tracked. Most companies do not have the time, resources, or staff to devote to managing such configurations. In addition, networks operate with a finite number of IP addresses. It is most efficient for a host to reserve an address only when it is using it.
          Dynamic Host Configuration Protocol (DHCP) enables hosts on an IP network, called DHCP clients, to lease a temporary IP address from a DHCP server. The server can also issue other configurations to the client that help it function on the network (such as the addresses of Domain Name System (DNS) and Windows Internet Naming Service (WINS) servers). This protocol helps reduce administrative overhead on an IP-based network.
         The ProCurve Secure Router can act as a DHCP server for hosts on directly connected subnets. Router interfaces can also act as DHCP clients and receive a dynamic address from a directly connected DHCP server.

          Understanding the basics of DHCP will help you understand and remember how to configure a DHCP pool. If you can track the DHCP process, you will also find it much easier to troubleshoot the router's DHCP activity.
The DHCP request process breaks down into four steps:
1. The client broadcasts a DHCPDISCOVER packet, requesting an IP address and other configurations.
2. The server responds with a DHCPOFFER, which includes an available network address.
3. The client sends a DHCPREQUEST, accepting the offer and requesting the complete configuration from the server.
4. The server responds with a DHCPACK, which includes:
- the agreed-upon network address
- a default gateway
- a lease time
- the address of one or more DNS servers (optional)
- the address of one or more WINS servers (optional)
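The four steps above as actual packets. This is an added example, not code from the original post or from the ProCurve documentation: it encodes DISCOVER, OFFER, REQUEST and ACK with the RFC 2131 fixed header and RFC 2132 options, parses them back, and ends with the client-side check that the ACK really came from the server it selected. The MAC address, transaction id and 192.168.1.x addresses are constructed, and nothing is sent on the network.

```python
"""The four-step DHCP exchange as raw packets. Added example, not from the
original post or the ProCurve documentation: encodes DISCOVER, OFFER,
REQUEST and ACK (RFC 2131 header, RFC 2132 options), parses them back, and
checks that the ACK comes from the server the client selected. MAC,
transaction id and addresses are constructed; nothing is sent on the network.
"""
import struct
from typing import Dict, Optional

HEADER = "!BBBBIHH4s4s4s4s16s64s128s"          # 236-byte fixed BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # option 53 message types
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_WINS = 1, 3, 6, 44
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build(op: int, xid: int, mac: bytes, msg_type: int, yiaddr: str = "0.0.0.0",
          siaddr: str = "0.0.0.0", options: Optional[Dict[int, bytes]] = None) -> bytes:
    """Encode one DHCP message. flags=0x8000 asks the server to broadcast its reply."""
    header = struct.pack(HEADER, op, 1, len(mac), 0, xid, 0, 0x8000,
                         ip("0.0.0.0"), ip(yiaddr), ip(siaddr), ip("0.0.0.0"),
                         mac.ljust(16, b"\0"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        opts += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse(pkt: bytes) -> dict:
    """Decode the fixed header and option list; rejects non-DHCP or truncated input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(HEADER, pkt[:236])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                        # pad option
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        options[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {"op": f[0], "xid": f[4], "yiaddr": ip_str(f[8]), "siaddr": ip_str(f[9]),
            "chaddr": f[11][:f[2]], "options": options}


def lease_from_ack(msg: dict) -> dict:
    """The configuration a client takes from a DHCPACK (the list in step 4 above)."""
    o = msg["options"]
    dns = o.get(OPT_DNS, b"")
    return {"address": msg["yiaddr"],
            "mask": ip_str(o[OPT_SUBNET_MASK]),
            "gateway": ip_str(o[OPT_ROUTER]),
            "lease_seconds": struct.unpack("!I", o[OPT_LEASE_TIME])[0],
            "dns": [ip_str(dns[i:i + 4]) for i in range(0, len(dns), 4)],
            "server": ip_str(o[OPT_SERVER_ID])}


def dora(mac: bytes, xid: int, server_ip: str, offered_ip: str, mask: str,
         gateway: str, dns: list, lease: int) -> dict:
    """Run DISCOVER -> OFFER -> REQUEST -> ACK in memory and return the lease."""
    config = {OPT_SUBNET_MASK: ip(mask), OPT_ROUTER: ip(gateway),
              OPT_LEASE_TIME: struct.pack("!I", lease), OPT_SERVER_ID: ip(server_ip),
              OPT_DNS: b"".join(ip(d) for d in dns)}
    discover = parse(build(BOOTREQUEST, xid, mac, DISCOVER))                   # 1
    offer = parse(build(BOOTREPLY, discover["xid"], mac, OFFER,               # 2
                        yiaddr=offered_ip, siaddr=server_ip, options=config))
    request = parse(build(BOOTREQUEST, xid, mac, REQUEST, options={           # 3
        OPT_REQUESTED_IP: ip(offer["yiaddr"]),
        OPT_SERVER_ID: offer["options"][OPT_SERVER_ID]}))
    ack = parse(build(BOOTREPLY, xid, mac, ACK,                                # 4
                      yiaddr=ip_str(request["options"][OPT_REQUESTED_IP]),
                      siaddr=server_ip, options=config))
    # Client-side checks: same transaction and hardware address, and the ACK must
    # come from the server selected in the REQUEST; otherwise a second (possibly
    # rogue) server on the segment could impose its own gateway and DNS settings.
    if ack["xid"] != xid or ack["chaddr"] != mac:
        raise ValueError("ACK does not match our transaction")
    if ack["options"][OPT_SERVER_ID] != request["options"][OPT_SERVER_ID]:
        raise ValueError("ACK from a server we did not select")
    return lease_from_ack(ack)
```

The DISCOVER is only 244 bytes (236-byte header, 4-byte magic cookie, the 3-byte message-type option and the end marker), which is what you will see on the wire before any configuration has been agreed.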





         Depending on how you configure the ProCurve Secure Router, the router can act as the DHCP server and/or one of its interfaces can act as a DHCP client (however, an interface that acts as a DHCP client cannot also act as a server).

The ProCurve Secure Router as a DHCP Server
          A router that also functions as a DHCP server is particularly useful for a small-to-medium site at which all subnets connect to the WAN router. The ProCurve Secure Router can connect to up to two switches on its Ethernet ports.








          You should configure one DHCP pool for each subnet. For the default gateway, you would specify the IP address of the Ethernet interface through which the router connects to the subnet.
The switches may also connect to several VLANs. In this case, you would configure VLAN support on the Ethernet interfaces. You would then create a DHCP pool for each VLAN.
           A WAN interface can also act as a server for DHCP clients. However, usually the router at the remote site or a DHCP server would act as the remote network's server. On the other hand, when you bridge two remote sites, one router should act as a DHCP server for all clients in the network.

The ProCurve Secure Router as a DHCP Client
          Some service providers require their subscribers to lease a dynamic address from them. In particular, Frame Relay service providers often require their customers to use DHCP when connecting to their network. Each permanent virtual circuit (PVC) endpoint receives an IP address only when it needs it. This allows the service provider to conserve the limited number of IP addresses it owns. Internet service providers (ISPs) also often require subscribers to receive an IP address and other configurations from them.
         You must configure the interface that connects to such a provider to act as a DHCP client.
          Ethernet interfaces can also be DHCP clients on the connected subnet. Usually, it is a good idea to assign network nodes a static address.
Interfaces on the ProCurve Secure Router that can take a dynamic address are:
- Ethernet interfaces
- Frame Relay subinterfaces
- Asynchronous Transfer Mode (ATM) subinterfaces
- Point-to-Point Protocol (PPP) interfaces (only when bridging traffic)

            Rather than acting as the server for connected DHCP clients, the router can run DHCP relay, which allows hosts on one subnet to receive configurations from a server on a different subnet. The router receives DHCP packets from clients and forwards them to a remote server on behalf of the clients. Similarly, it receives the committed IP addresses from the server and forwards them to the clients.


Wednesday, 28 October 2015

Internet Protocol (IP)






           In the good old days back when Ben Kenobi was still called Obi Wan Kenobi, there was a wonderful network routing system called The Internet Protocol Version 4, also called IPv4. It had addresses made up of four bytes (four octets), and was commonly written in "dots and numbers" form, like so: 192.0.2.111 (you've probably seen it around).
In fact, nearly every site on the Internet still uses IPv4.
Things were great, until a man by the name of Vint Cerf (also well-known for being The Father Of The Internet) warned everyone that we were about to run out of IPv4 addresses.

Question: Run out of addresses? (I mean, there are like billions of IP addresses in a 32-bit IPv4 address)
Answer: In the beginning, when there were only a few computers and everyone thought a billion was an impossibly large number, some big organizations were generously allocated millions of IP addresses for their own use. Now we're living in an era where we're talking about every human having an IP address, every computer, every calculator, every phone, every parking meter, etc.

And so, IPv6 was born. Since Vint Cerf is probably immortal (he is probably already existing as some kind of hyper-intelligent ELIZA program out in depths of the Internet), no one wants to have to hear him say again "I told you so" if we don't have enough addresses in the next version of the Internet Protocol.
IPv6 addresses are written in hexadecimal, with each two-byte group separated by a colon, like this:


2001:0db8:c9d2:aee5:73e3:934a:a5ae:9551


That's not all! Lots of times, you'll have an address with lots of zeros in it, and you can compress one run of zero groups into a double colon ("::"). You can only do this once per address, otherwise the expansion would be ambiguous. You can also leave off the leading zeros of each two-byte group. For instance, each of these pairs of addresses is equivalent:


2001:0db8:c9d2:0012:0000:0000:0000:0051
2001:db8:c9d2:12::51

2001:0db8:ab00:0000:0000:0000:0000:0000
2001:db8:ab00::

0000:0000:0000:0000:0000:0000:0000:0001
::1


The address ::1 is the loopback address. It always means "this machine I'm running on now". In IPv4, the loopback address is 127.0.0.1.
Finally, there's an IPv4-mapped form of IPv6 address that you might come across. If you want, for example, to represent the IPv4 address 192.0.2.33 as an IPv6 address, you use the notation ::ffff:192.0.2.33.
There are a lot of IPv6 addresses left for all men, women, children, etc.
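The compression rules above, carried out by hand so each step is visible: expanding "::" and an embedded dotted IPv4 tail, and producing the canonical short form (RFC 5952: lowercase, no leading zeros, only the longest run of zero groups collapsed, the leftmost on a tie). This is an added example, not code from the original post or from Beej's guide; the function names are this example's own, and Python's ipaddress module is used only as an independent cross-check.

```python
"""IPv6 text notation by hand: expansion, RFC 5952 compression and the
IPv4-mapped form. Added example, not from the original post or Beej's
guide; function names are this example's own. The standard library's
ipaddress module is used only as an independent cross-check.
"""
import ipaddress
from typing import List

HEXDIGITS = set("0123456789abcdefABCDEF")


def _groups(part: str) -> List[int]:
    """Parse 'a:b:c' (optionally ending in a dotted IPv4) into 16-bit groups."""
    if part == "":
        return []
    pieces = part.split(":")
    groups: List[int] = []
    for i, piece in enumerate(pieces):
        if "." in piece:                         # embedded IPv4: only valid as the last piece
            octets = piece.split(".")
            if i != len(pieces) - 1 or len(octets) != 4 or \
               not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
                raise ValueError(f"bad embedded IPv4 address: {piece!r}")
            a, b, c, d = (int(o) for o in octets)
            groups += [(a << 8) | b, (c << 8) | d]
        else:
            if not 1 <= len(piece) <= 4 or not set(piece) <= HEXDIGITS:
                raise ValueError(f"bad group: {piece!r}")
            groups.append(int(piece, 16))
    return groups


def expand_ipv6(text: str) -> List[int]:
    """Return the eight 16-bit groups of an address, expanding a single '::'."""
    text = text.strip()
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    head, sep, tail = text.partition("::")
    groups = _groups(head) + _groups(tail)
    if sep:
        missing = 8 - len(groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = _groups(head) + [0] * missing + _groups(tail)
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    return groups


def expand_text(text: str) -> str:
    """Fully written-out form: eight zero-padded groups."""
    return ":".join(format(g, "04x") for g in expand_ipv6(text))


def compress_ipv6(groups: List[int]) -> str:
    """RFC 5952 canonical text: lowercase, no leading zeros, the longest run of two
    or more zero groups replaced by '::' (the leftmost run on a tie)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def to_int(groups: List[int]) -> int:
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def matches_stdlib(text: str) -> bool:
    """Cross-check: this parser agrees with ipaddress on the 128-bit value."""
    return to_int(expand_ipv6(text)) == int(ipaddress.IPv6Address(text))
```

The rejected inputs matter as much as the accepted ones: two "::" in one address, a group longer than four hex digits, or too few groups are all malformed, and a parser that quietly accepts them will disagree with the rest of the stack about which address it is looking at.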


SUBNETS
            For organizational reasons, it's sometimes convenient to declare that "this first part of this IP address up through this bit is the network portion of the IP address, and the remainder is the host portion."
For instance, with IPv4, you might have 192.0.2.12, and we could say that the first three bytes are the network and the last byte was the host. Or, put another way, we're talking about host 12 on network 192.0.2.0.
There were "classes" of subnets, where the first one, two, or three bytes of the address was the network part. If you were lucky enough to have one byte for the network and three for the host, you could have 24 bits-worth of hosts on your network (16 million or so). That was a "Class A" network. On the opposite end was a "Class C", with three bytes of network, and one byte of host (256 hosts, minus a couple that were reserved). So as you can see, there were just a few Class A, a huge pile of Class C, and some Class B in the middle.
              The network portion of the IP address is described by something called the netmask, which you bitwise-AND with the IP address to get the network number out of it. The netmask usually looks something like 255.255.255.0 (with that netmask, if your IP is 192.0.2.12, then your network is 192.0.2.12 AND 255.255.255.0 which gives 192.0.2.0)
Unfortunately, it turned out that this wasn't fine-grained enough for the eventual needs of the Internet; we were running out of Class C networks quite quickly, and we were most definitely out of Class A. To remedy this, The Powers That Be allowed the netmask to be an arbitrary number of bits, not just 8, 16, or 24. So you might have a netmask of, say, 255.255.255.252, which is 30 bits of network and 2 bits of host, allowing for four addresses on the network (two of them usable by hosts, since the all-zeros network address and the all-ones broadcast address are reserved).
               But it's a bit unwieldy to use a big string of numbers like 255.192.0.0 as a netmask. First of all, people don't have an intuitive idea of how many bits that is, and secondly, it's really not compact. So the New Style came along, and it's much nicer. You just put a slash after the IP address, and then follow that by the number of network bits in decimal, like this: 192.0.2.12/30 (or for IPv6 like this: 2001:db8::/32 or 2001:db8:5413:4028::9db9/64).
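The netmask arithmetic from the last few paragraphs in code: the bitwise AND that gets the network number out of an address, conversion between a dotted netmask and a prefix length (rejecting masks whose set bits are not contiguous), the classful prefix an old router would have assumed, and the usable host count. This is an added example, not code from the original post or from Beej's guide; the function names are this example's own, and the addresses are the ones used above plus constructed ones.

```python
"""IPv4 netmask arithmetic. Added example, not from the original post or
Beej's guide; function names are this example's own. Shows netmask to
prefix-length conversion, the bitwise AND that extracts the network
number, the classful prefix a pre-CIDR router would have assumed, and
the usable host count for a prefix.
"""
from typing import Dict

ALL_ONES = 0xFFFFFFFF


def ip_to_int(text: str) -> int:
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {text!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/30 -> 255.255.255.252: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """255.192.0.0 -> 10; rejects masks whose set bits are not contiguous."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if ip_to_int(prefix_to_mask(prefix)) != value:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def classful_prefix(address: str) -> int:
    """Network bits the old class A/B/C rules inferred from the first octet."""
    first = ip_to_int(address) >> 24
    if first < 128:
        return 8        # class A: first bit 0
    if first < 192:
        return 16       # class B: first bits 10
    if first < 224:
        return 24       # class C: first bits 110
    raise ValueError("class D (multicast) or E (reserved): no host network")


def describe(cidr: str) -> Dict[str, object]:
    """Network, broadcast and host range for 'a.b.c.d/n'; without '/n' the
    classful prefix is assumed, as a pre-CIDR router would have done."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else classful_prefix(address)
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(address) & mask                  # the bitwise AND from the text
    broadcast = network | (~mask & ALL_ONES)
    size = 1 << (32 - prefix)
    # /31 point-to-point links (RFC 3021) and /32 host routes reserve no addresses
    usable = size - 2 if prefix <= 30 else size
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "mask": int_to_ip(mask), "prefix": prefix, "usable_hosts": usable,
            "first_host": int_to_ip(network + 1 if prefix <= 30 else network),
            "last_host": int_to_ip(broadcast - 1 if prefix <= 30 else broadcast)}
```

Run describe("192.0.2.12/30") and you get network 192.0.2.12, broadcast 192.0.2.15 and two usable hosts (.13 and .14); describe("192.0.2.12") with no prefix falls back to the classful /24 the text describes.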


PORT NUMBERS
                Turns out that besides an IP address (used by the IP layer), there is another address that is used by TCP (stream sockets) and, coincidentally, by UDP (datagram sockets). It is the port number. It's a 16-bit number that's like the local address for the connection (think of the IP address as the street address of a hotel, and the port number as the room number).

Question: Let's say you want to have a computer that handles incoming mail AND web services - how do you differentiate between the two on a computer with a single IP address?
Answer: Well, different services on the Internet have different well-known port numbers. You can see them all in the Big IANA Port List or, if you're on a Unix box, in your /etc/services file. HTTP (the web) is port 80 and HTTPS is port 443, telnet is port 23, SMTP is port 25, the game DOOM used port 666, etc. Ports under 1024 are considered privileged: on Unix, binding to them requires root (or, on Linux, the CAP_NET_BIND_SERVICE capability).

References:
1. Beej's Guide to Network Programming - Copyright © 2015 Brian “Beej Jorgensen” Hall  
