CodeWhore.com
Networking: Using and Abusing Network Addresses

The Internet is a patchwork of linked networks that range from small to obscenely large. For the most part, each network is composed of computers or devices with similar Internet Protocol (or IP) addresses. Unfortunately, IP addresses are not unlimited, nor are they evenly distributed across the computing world. While there is a concerted effort to solve this problem by redesigning the foundations of Internet addressing, interim solutions that coexist with today's infrastructure have become increasingly popular.

Unfortunately, these measures often require extra work on the part of the user, the network administrator, or even the software engineer. As more networks use these services, it becomes more important to understand how they work and what is necessary to support them effectively. Let's start by examining how network hosts communicate with each other normally, and then explore a cross-section of security and address management tools.

Network Interface, Multihoming

The technical term for a given network connection is "network interface". Most computers only have zero or one network interface at a given time, but servers and dedicated network hardware often manage many network interfaces. A host communicating on two different interfaces at the same time is multihomed.

Each network interface on a computer or device has a unique hardware "link layer" address which identifies the source and recipient of packets on the local network. Each high-level network protocol (such as TCP/IP) layered on top of the link layer network has its own way of addressing its peers, which is mapped to and from a link-layer address for transmission.

Routers, Gateways

Most computers aren't linked by the same segment of cable, but require a special device to forward packets from one network to another. A router is a multihomed device that reads packets from one network interface, modifies the link layer header, and forwards the packet to another interface.

To communicate on the Internet, each host is configured to send its packets to a default router, called a "gateway". This gateway then uses the destination IP to forward the packet from router to router until it reaches the destination network and is read by the target computer. The target computer is also given the IP address of the sender so that it can respond to the packet.

Routers comprise the backbone of the Internet, and each router maintains static and/or dynamic information about other routers, so that it can pick an optimal path (or route) to deliver each message. Most routers are maintained by the network administrator, and may be configured with simple rules for filtering undesired or malicious packets.

A router often runs on dedicated hardware, but any computer can run software to route between multiple network interfaces. Note that not every network appliance is a router: long segments of Ethernet cable are linked with "repeaters" to improve the signal and reduce noise, and a "hub" joins multiple cables but blindly copies all data from one interface to the others.
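The forwarding decision described above (pick the most specific route, fall back to the default gateway, and apply the administrator's filtering rules first) is shown below as an added example; it is not code from the original article. The routing table, the drop rules and the addresses (documentation ranges such as 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.

```python
"""Constructed example of a router's forwarding decision: longest-prefix match
over a static routing table, a default gateway, and simple drop rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                  # outgoing network interface
    next_hop: Optional[str] = None  # None: destination is on a directly attached network


@dataclass
class DropRule:
    src_prefix: Optional[ipaddress.IPv4Network] = None  # match any source if None
    dst_port: Optional[int] = None                      # match any port if None

    def matches(self, src: str, dst_port: int) -> bool:
        if self.src_prefix is not None and ipaddress.ip_address(src) not in self.src_prefix:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


class Router:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.drop_rules: List[DropRule] = []

    def add_route(self, prefix: str, interface: str, next_hop: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, next_hop))

    def add_drop_rule(self, src_prefix: Optional[str] = None, dst_port: Optional[int] = None) -> None:
        net = ipaddress.ip_network(src_prefix) if src_prefix else None
        self.drop_rules.append(DropRule(net, dst_port))

    def lookup(self, dst: str) -> Optional[Route]:
        """Pick the most specific route containing dst. The 0.0.0.0/0 default
        route has prefix length 0, so it only wins when nothing else matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def forward(self, src: str, dst: str, dst_port: int) -> Tuple[str, Optional[str], Optional[str]]:
        """Return (decision, interface, next_hop). Filtering runs before routing,
        so a dropped packet never consumes a route lookup."""
        for rule in self.drop_rules:
            if rule.matches(src, dst_port):
                return ("drop:filtered", None, None)
        route = self.lookup(dst)
        if route is None:
            return ("drop:no-route", None, None)
        # Directly attached: hand the packet to the destination itself;
        # otherwise hand it to the next router along the path.
        return ("forward", route.interface, route.next_hop or dst)


def build_example_router() -> Router:
    """Constructed table for a small site: a LAN, two internal subnets and a
    default gateway on a dial-up/WAN link."""
    r = Router()
    r.add_route("192.168.1.0/24", "eth0")                      # local LAN, directly attached
    r.add_route("10.0.0.0/8", "eth1", "10.0.0.1")              # corporate network via eth1
    r.add_route("10.1.0.0/16", "eth2", "10.1.0.1")             # more specific subnet via eth2
    r.add_route("0.0.0.0/0", "ppp0", "203.0.113.1")            # default gateway
    r.add_drop_rule(dst_port=23)                               # refuse to forward telnet anywhere
    r.add_drop_rule(src_prefix="192.168.1.0/24", dst_port=25)  # LAN hosts may not send SMTP out directly
    return r


if __name__ == "__main__":
    router = build_example_router()
    for pkt in [("192.168.1.10", "10.1.2.3", 80), ("192.168.1.10", "10.2.3.4", 443),
                ("192.168.1.10", "198.51.100.7", 80), ("192.168.1.10", "203.0.113.9", 23)]:
        print(pkt, "->", router.forward(*pkt))
```

Two points to notice: a packet for 10.1.2.3 matches both 10.0.0.0/8 and 10.1.0.0/16 and goes out eth2 because the longer prefix wins, and the drop rules are evaluated before any route is consulted, which is the order a real packet filter on a router uses.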

Tunnels, Virtual Private Networks (VPN)

A tunnel is a router where one interface uses a different protocol than the rest. When a packet is forwarded to the special interface, it is placed inside a packet of the new protocol and sent to another tunnelling router. The second tunnelling router extracts the original packet and forwards it using the original protocol to the desired target.

For example, MacIP is a tunnelling protocol for carrying IP packets over an AppleTalk network. Also, cable modems are basically routers that tunnel packets through the same wire that carries multiple television signals. In both cases, user software only sees the tunnel as a single connection, or "hop", between two routers.

VPNs are just another form of network tunnel, often configured to encrypt data while it travels over a public network backbone. Tunnels often function transparently as just another router, but may also support other features such as network address translation or packet filtering. Most software doesn't know or care that its data has been tunneled.

Network Address Translation (NAT)

A NAT server is a special kind of router or tunnel that "translates" packets before forwarding them to another interface. When a host on the internal network sends a packet to a host on the other side of the router, NAT modifies the source IP address from the "internal" address range to a new one in the "external" address range. When a remote host sends a response to the translated packet, the router intercepts the message and translates the destination address from the external range back to the original source address before passing it along.

One implementation of NAT (and tunnelling) is AppleTalk Remote Access, where one computer dials up to a host on the target network and leeches off it. The host computer creates a new "virtual interface" that sends and receives packets as if it were a second computer, then translates and tunnels the data over the dialup connection.

Most software and network protocols do not need to be modified to run over NAT, unless they send local network addresses as data inside a packet. Such services include peer-to-peer networks and host referral services (like game trackers). Even FTP provides a special "passive" mode that can cope with address translation.

IP Masquerade (NAT with Port Multiplexing)

Some NAT routers also provide "port multiplexing," which means that they will translate addresses of multiple local hosts to a single external address. They do this by creating a mapping from an internal host address and port number to a specific port on the external address. This prevents collisions when several hosts assume they can use the same port.

For example, many hardware DSL routers and wireless hubs support connecting an entire local network to the Internet using only a single IP address, and there are software packages (or operating systems) that handle "port forwarding" or "port sharing" across multiple network interfaces.

There are two ways that mappings are created: explicitly (by configuration) or implicitly (by usage). Most software packages (such as IPNetRouter and ipmasq) can be configured with specific rules for translating and forwarding requests on an external port to the address and port of a local host. In this way, one of the local clients can be configured to handle incoming requests on well-known ports of the external address.

In contrast, many hardware NAT routers only create a mapping when a local host initiates the outgoing connection. Once the mapping is created, the remote host can respond to the apparent address of the sender, and it will be forwarded to the client accordingly. In addition, most implicit mappings are only temporary, and may be deleted after a period of inactivity.

One problem with remapping port numbers is that many protocols expect a server process to listen on a well-defined port. Unless the router has been configured with an explicit mapping for that port, a local computer cannot act as a network server. The combination of remapped network addresses and port numbers makes it very hard to design a peer-to-peer or referral protocol that connects multiple NAT clients.
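The translation table behind NAT and IP Masquerade (the sections above) is worked through below as an added example, not code from the original article or from any of the packages it names. It keeps one table keyed by external port: outbound packets from the internal range create an implicit mapping (two local hosts that both chose port 5000 get distinct external ports), responses are translated back, implicit mappings expire after a period of inactivity, and an explicit mapping lets one local host serve a well-known port. The addresses, ports and timeout are constructed for the example, and time is passed in as a number rather than read from a clock so the expiry is easy to follow.

```python
"""Constructed example of NAT with port multiplexing (IP masquerade)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Mapping:
    internal: Endpoint   # the local host and port this external port stands in for
    last_used: float     # time of the last packet in either direction
    explicit: bool       # configured by the administrator; never expires


class Masquerader:
    """Translation table keyed by external port; one external IP for all local hosts."""

    def __init__(self, external_ip: str, internal_net: str, idle_timeout: float = 300.0) -> None:
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.idle_timeout = idle_timeout
        self.next_port = 40000                    # first port handed out for implicit mappings
        self.table: Dict[int, Mapping] = {}

    def add_explicit_mapping(self, external_port: int, internal: Endpoint) -> None:
        """Explicit (configured) mapping: lets a local host serve a well-known port."""
        self.table[external_port] = Mapping(internal, float("inf"), True)

    def expire(self, now: float) -> None:
        """Implicit mappings disappear after a period of inactivity."""
        for port, m in list(self.table.items()):
            if not m.explicit and now - m.last_used > self.idle_timeout:
                del self.table[port]

    def _port_for(self, internal: Endpoint) -> int:
        """Reuse the existing external port for this local endpoint, else allocate one."""
        for port, m in self.table.items():
            if m.internal == internal:
                return port
        while self.next_port in self.table:       # skip ports taken by explicit rules
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internal host -> remote host: rewrite the source to (external_ip, port)."""
        self.expire(now)
        if ipaddress.ip_address(pkt.src[0]) not in self.internal_net:
            return None                           # not from our internal range: drop
        port = self._port_for(pkt.src)
        m = self.table.get(port)
        if m is None:
            self.table[port] = Mapping(pkt.src, now, False)   # implicit mapping by usage
        elif not m.explicit:
            m.last_used = now
        return Packet((self.external_ip, port), pkt.dst)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Remote host -> external port: rewrite the destination back to the local host,
        or drop when no mapping exists (unsolicited packets never reach the LAN)."""
        self.expire(now)
        m = self.table.get(pkt.dst[1])
        if m is None or pkt.dst[0] != self.external_ip:
            return None
        if not m.explicit:
            m.last_used = now
        return Packet(pkt.src, m.internal)


if __name__ == "__main__":
    nat = Masquerader("203.0.113.5", "192.168.1.0/24", idle_timeout=60)
    nat.add_explicit_mapping(80, ("192.168.1.20", 8080))   # LAN web server reachable on port 80
    a = nat.outbound(Packet(("192.168.1.10", 5000), ("198.51.100.7", 443)), now=0)
    b = nat.outbound(Packet(("192.168.1.11", 5000), ("198.51.100.7", 443)), now=1)
    print("translated:", a, b)
    print("reply:", nat.inbound(Packet(("198.51.100.7", 443), ("203.0.113.5", a.src[1])), now=2))
    print("late reply:", nat.inbound(Packet(("198.51.100.7", 443), ("203.0.113.5", b.src[1])), now=500))
```

The late reply is dropped because the implicit mapping for the second host has been idle longer than the timeout, which is exactly the situation a long-lived peer-to-peer session behind a hardware NAT runs into; the explicit mapping for port 80 survives because it was configured rather than learned.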

Proxy Servers

A proxy server is a special kind of router that requires an explicit request before it will forward data packets, and is often associated with a firewall. Unlike NAT and IP Masquerade, which rely on security through obscurity, a proxy server permits only a small set of network services to be forwarded -- and may require some sort of authentication to do so.

To initiate a connection to a remote host using a proxy server, the local host connects to the proxy and indicates the IP address and port it wishes to talk with. The proxy server then creates its own connection to the remote host and echoes incoming data from one connection out to the other, until either host disconnects. The same applies to local servers or datagram-based communication, except that the listening host contacts the proxy to open its own listening endpoint and forward incoming connection requests or datagrams.

Note that no translation is performed. In fact, a proxy server is only a router in the sense that it forwards packets to another interface. The proxy service is not automatic like the other services, and application software must be modified to support communication through a proxy. In addition, as far as the remote host is concerned, the proxy server is its client -- because no information about the originating host (even its existence) is forwarded.

Since a proxy is an explicit service and doesn't imitate an actual network router, any application software must be modified to support the two-step connection process. In addition, the user must configure the software so that it has the address of the proxy server and any authentication that may be required. The SOCKS protocol is one common method for clients to talk to a proxy server.
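The two-step connection through a SOCKS proxy is shown below as an added example, not code from the original article. It encodes and decodes the SOCKS version 5 messages from RFC 1928 (client greeting, method selection, CONNECT request, reply) for both the client and the proxy side, and the proxy applies a ruleset that permits only a small set of destination ports, answering "connection not allowed by ruleset" otherwise. The allowed ports, bind address and the host names used are constructed for the example; a real proxy would go on to open its own connection to the remote host and relay bytes in both directions, which is left out here.

```python
"""Constructed example of the SOCKS5 handshake (RFC 1928) on both sides."""
import ipaddress
import struct
from typing import Iterable, Tuple

VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_FAILURE, REP_RULESET, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x01, 0x02, 0x07, 0x08


# ---- client side -----------------------------------------------------------
def client_greeting(methods: Iterable[int]) -> bytes:
    """VER | NMETHODS | METHODS: the client lists the authentication methods it supports."""
    methods = list(methods)
    return bytes([VER, len(methods), *methods])


def client_connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT to host:port."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name   # a domain name; the proxy resolves it
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> int:
    """Return the REP code from the proxy's reply; non-zero means the proxy refused."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("malformed SOCKS5 reply")
    return data[1]


# ---- proxy side ------------------------------------------------------------
def proxy_choose_method(greeting: bytes, supported: Iterable[int]) -> bytes:
    """VER | METHOD: pick a method the proxy supports from the client's list,
    or 0xFF to tell the client no method is acceptable."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        return bytes([VER, METHOD_NONE_ACCEPTABLE])
    offered = set(greeting[2:])
    for m in supported:                # the proxy's preference order wins
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])


def parse_request(data: bytes) -> Tuple[int, str, int]:
    """Decode (cmd, host, port); raise on truncated input or unknown address types."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("malformed SOCKS5 request")
    return cmd, host, struct.unpack("!H", rest)[0]


def _reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; failures report 0.0.0.0:0."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(bind_ip).packed + struct.pack("!H", bind_port)


def proxy_handle_request(data: bytes, allowed_ports: Iterable[int], bind_ip: str) -> bytes:
    """Apply the proxy's ruleset: only CONNECT, and only to the permitted services."""
    try:
        cmd, host, port = parse_request(data)
    except ValueError as exc:
        return _reply(REP_ATYP_UNSUPPORTED if "address type" in str(exc) else REP_FAILURE)
    if cmd != CMD_CONNECT:
        return _reply(REP_CMD_UNSUPPORTED)
    if port not in set(allowed_ports):
        return _reply(REP_RULESET)               # connection not allowed by ruleset
    return _reply(REP_OK, bind_ip, 40000)        # constructed source port on the proxy


if __name__ == "__main__":
    greeting = client_greeting([METHOD_NO_AUTH, METHOD_USERPASS])
    print("method chosen:", proxy_choose_method(greeting, [METHOD_USERPASS, METHOD_NO_AUTH]).hex())
    for host, port in [("example.com", 443), ("198.51.100.7", 23)]:
        reply = proxy_handle_request(client_connect_request(host, port), [80, 443], "203.0.113.5")
        print(host, port, "-> REP", parse_reply(reply))
```

Note that the remote host only ever sees a connection from the proxy's bind address: nothing in the reply or in the relayed data carries the originating client's address, which is the "proxy server is its client" property described above.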

Firewalls are not the only flavor of proxy servers. Some ISPs redirect web requests to proxy servers so that frequently accessed pages can be cached. In addition, privacy freaks (er, aficionados) may connect to an "anonymizing" proxy to conceal their identity when interacting with public servers.

Copyright (c) 1999-2003 Matt Slot and Ambrosia Software, Inc.