IP-Basics 04-21-2014

The document discusses IP networking fundamentals including IP addressing, subnetting, switches, routers, ARP, DHCP, and other related topics. It provides details on how each component works and interacts with other elements in an IP network.

Uploaded by Ridzky Arya

IP basics

IP fundamentals

 Internet Protocol (IP) is a Network Layer protocol which operates at Layer 3 of the OSI stack
 Layer 2 of the OSI stack refers to the hardware (MAC) addresses of hosts
 Each host on a network is identified by both an IP address and a MAC address
 Networks are normally segmented into different broadcast domains called subnets
 IP addresses are 32 bits
   Some of the bits are used to identify the subnet
   The remaining bits are used to identify the host
 MAC addresses are significant only within a subnet – IP addresses allow hosts on different subnets to communicate with each other

IP network components

 Hosts on the same subnet are traditionally interconnected using switches (Layer 2 devices)
   Switches forward traffic to a host based on MAC addresses in their ARP table
 Hosts on different subnets are traditionally interconnected using routers (Layer 3 devices)
   Routing tables allow different subnets to communicate with each other based on information in the IP address
 Tropos wireless routers have some properties of both Layer 2 and Layer 3 devices
   They limit broadcast traffic like routers
   But each Tropos router interface in a mesh network need not necessarily be on its own subnet
 Other network components include firewalls, wireless access points, bandwidth managers, etc.

Address Resolution Protocol (ARP)

 Address Resolution Protocol (ARP) is a network protocol that maps an IP address to a MAC address
 Every router maintains a table listing IP addresses and the respective MAC addresses of devices that exist on the network
   This table is called an ARP cache
 The ARP cache is referenced by the router when it looks up the hardware address of a device for which it knows the IP address and needs to forward a datagram to it
 If no hardware address is found in the ARP cache then an ARP broadcast is sent on to the adjoining media (ARP only applies to the connecting wire)
   This broadcast is read by every station including the destination station
   The destination station sends back an ARP reply with its hardware address so that the IP datagram can now be forwarded to it by the router
 RFC 826 describes ARP in detail

Proxy ARP

 A router that is configured for Proxy ARP can respond to the ARP Request on behalf of other devices
 Proxy ARP is used to fool the sending station into believing that it has found its destination
 The router acts as a proxy, as the name suggests, and forwards the packets to the correct destination since it has the relevant information
 The Tropos gateway in a Tropos mesh cluster will Proxy ARP for all Tropos nodes and all endpoints that are associated to that cluster
 RFC 1027 describes Proxy ARP

Gratuitous ARP

 Most hosts on a network will send out a Gratuitous ARP when they are initializing their IP stack
 This Gratuitous ARP allows other devices on the network to automatically update their ARP cache with the correct IP – MAC mapping
 The Tropos gateways send a Gratuitous ARP for each node and client as they associate with their Tropos cluster

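The three ARP slides above (cache lookup with broadcast fallback, a router answering on behalf of other addresses, and a gratuitous announcement overwriting neighbours' caches) can be exercised together on one simulated segment. This is an added example, not code from the slides or from Tropos; the `Segment`, `Host` and `ProxyRouter` classes and every address in it are constructed for illustration, and the packet semantics follow RFC 826's merge/reply rules.

```python
"""ARP resolution on one broadcast segment, with proxy ARP by a router and a
gratuitous ARP refreshing neighbours' caches (RFC 826 semantics).
Added example; Segment, Host, ProxyRouter and all addresses are constructed."""
from dataclasses import dataclass

ZERO_MAC = "00:00:00:00:00:00"


@dataclass
class ArpPacket:
    op: str            # "request" (broadcast) or "reply" (unicast)
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = ZERO_MAC


class Segment:
    """The 'connecting wire': a request reaches every station, a reply only its target."""
    def __init__(self):
        self.stations = []

    def attach(self, station):
        self.stations.append(station)
        station.segment = self

    def send(self, pkt):
        for s in self.stations:
            if s.mac == pkt.sender_mac:
                continue                      # a station does not hear its own frame
            if pkt.op == "request" or s.mac == pkt.target_mac:
                s.receive(pkt)


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_cache = {}                   # ip -> mac
        self.segment = None

    def answers_for(self, ip):
        return ip == self.ip

    def receive(self, pkt):
        # RFC 826 merge step: learn the sender's mapping from requests and replies alike;
        # an existing entry is simply overwritten, which is what gratuitous ARP relies on
        self.arp_cache[pkt.sender_ip] = pkt.sender_mac
        if pkt.op == "request" and self.answers_for(pkt.target_ip):
            self.segment.send(ArpPacket("reply", pkt.target_ip, self.mac,
                                        pkt.sender_ip, pkt.sender_mac))

    def resolve(self, ip):
        """MAC for ip: cache hit, otherwise broadcast a request and read the reply."""
        if ip not in self.arp_cache:
            self.segment.send(ArpPacket("request", self.ip, self.mac, ip))
        return self.arp_cache.get(ip)

    def gratuitous_arp(self):
        """Announce own mapping on IP stack init: an ARP request for one's own address."""
        self.segment.send(ArpPacket("request", self.ip, self.mac, self.ip))


class ProxyRouter(Host):
    """Replies with its own MAC for addresses it will forward to (RFC 1027)."""
    def __init__(self, ip, mac, proxied_for):
        super().__init__(ip, mac)
        self.proxied_for = set(proxied_for)

    def answers_for(self, ip):
        return ip == self.ip or ip in self.proxied_for


def demo():
    wire = Segment()
    pc = Host("192.168.100.10", "00:11:22:33:44:10")
    printer = Host("192.168.100.20", "00:11:22:33:44:20")
    gw = ProxyRouter("192.168.100.1", "00:11:22:33:44:01", proxied_for={"10.20.0.5"})
    for station in (pc, printer, gw):
        wire.attach(station)

    results = {}
    results["printer_mac"] = pc.resolve("192.168.100.20")        # request/reply exchange
    results["printer_learned_pc"] = printer.arp_cache.get(pc.ip)  # learned from the request
    results["remote_via_proxy"] = pc.resolve("10.20.0.5")         # gateway answers on behalf
    # the printer's NIC is replaced; on re-init it sends a gratuitous ARP
    printer.mac = "00:11:22:33:44:21"
    printer.gratuitous_arp()
    results["printer_mac_after_garp"] = pc.arp_cache["192.168.100.20"]
    return results
```

Two things worth noticing when running `demo()`: every station that hears a request learns the sender's mapping even though only one replies, and the gratuitous ARP replaces an existing entry without any check. The second point is why a practitioner monitoring a segment treats an IP-to-MAC change as an event worth logging rather than silently accepting it.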
DHCP

 Dynamic Host Configuration Protocol (DHCP) is defined in RFCs 2131 and 2132
 DHCP enables individual computers on an IP network to extract their IP configurations from a server (the DHCP server) or servers
 The most significant piece of information distributed in this manner is the IP address
 The overall purpose of DHCP is to reduce the work necessary to administer a large IP network
 Many large Tropos mesh networks are deployed using DHCP
 DHCP uses two well-known port numbers
   UDP port number 67 is used for the server
   UDP port number 68 is used for the client

DHCP

[Diagram: DHCP client and server on the same LAN. If client and server are on different LANs, a DHCP relay is required on the router]

DHCP operation with DHCP server and client on different LANs

 DHCP client broadcasts a DHCPDISCOVER looking for a DHCP server to use
 Router relays this DHCPDISCOVER to the DHCP server
   The GIADDR field in the DHCPDISCOVER is set to the IP address of the router
 The DHCP server will respond to the relayed request with a DHCPOFFER message
   The IP address offered to the client can be based on the GIADDR field in the DHCPDISCOVER
 If there is more than one DHCPOFFER (ie, more than one DHCP server), the client uses the first offer it receives

DHCP operation with DHCP server and client on different LANs (cont.)

 The client broadcasts a DHCPREQUEST message
   This is relayed by the router to the DHCP Server previously identified in the DHCPOFFER
 DHCP Server responds with a DHCPACK message containing the configuration parameters for the requesting client, eg, IP address, default gateway, DNS servers, lease time, etc.
 The client receives the DHCPACK message with configuration parameters – at this point, the client is configured

DHCP in the Tropos world

 Although Tropos gateways can be configured as DHCP servers, this is not recommended for scalability reasons
 Instead configure Tropos gateways as DHCP relays, pointing them to an external DHCP server
 The GIADDR field in a Tropos network will be the wireless address of the Tropos node to which the client first associates
 The external DHCP server must support the following parameters to interoperate with a Tropos mesh network
   Unicast of DHCPOFFER messages
   Interpretation of the GIADDR field
 Most, but not all, DHCP servers meet these criteria – check with your DHCP vendor

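The two server requirements just listed (reading GIADDR and unicasting the OFFER back to the relay) are easiest to see by building the DISCOVER/OFFER exchange byte for byte. The following is an added example, not Tropos code or any vendor's implementation; the message layout is the RFC 2131/2132 one (236-byte fixed header, magic cookie, option 53), while the `DhcpServer` class, `relay_to_server` function, pools and addresses are constructed for illustration.

```python
"""DHCPDISCOVER/DHCPOFFER across a relay agent: the relay fills GIADDR, the server
picks its address pool from GIADDR and unicasts the OFFER back to the relay.
Added example, not Tropos or any vendor's code. Message layout follows RFC 2131/2132
(236-byte fixed header, magic cookie, option 53); addresses, pools and the
DhcpServer/relay_to_server names are constructed for illustration."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2                      # option 53 message types
SERVER_PORT, CLIENT_PORT = 67, 68
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"      # op htype hlen hops xid secs flags ci yi si gi chaddr sname file
HOPS_OFF, GIADDR_OFF = 3, 24                # byte offsets inside the fixed header


def build(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    hw = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack(HEADER, op, 1, 6, hops, xid, 0, 0,
                        b"\0" * 4,                                # ciaddr
                        ipaddress.IPv4Address(yiaddr).packed,     # yiaddr: address offered
                        b"\0" * 4,                                # siaddr
                        ipaddress.IPv4Address(giaddr).packed,     # giaddr: relay agent
                        hw, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse(raw):
    f = struct.unpack(HEADER, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(raw) and raw[i] != 255:      # 255 ends the option list
        if raw[i] == 0:                        # 0 is a pad byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:6].hex(":"), "msg_type": opts[53][0]}


def relay_to_server(raw, relay_ip, server_ip):
    """Router side: if GIADDR is still empty, stamp it with the interface the broadcast
    arrived on, increment hops, and forward as a unicast. Returns (dst ip, dst port, bytes)."""
    msg = bytearray(raw)
    if msg[GIADDR_OFF:GIADDR_OFF + 4] == b"\0" * 4:
        msg[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    msg[HOPS_OFF] += 1
    return server_ip, SERVER_PORT, bytes(msg)


class DhcpServer:
    def __init__(self, pools):
        # one pool per subnet; the subnet is chosen by the GIADDR of the incoming request
        self.pools = {ipaddress.ip_network(n): list(addrs) for n, addrs in pools.items()}
        self.leases = {}                            # chaddr -> offered address

    def handle(self, raw):
        """Answer a relayed DISCOVER with an OFFER, or None if it cannot be served."""
        msg = parse(raw)
        if msg["op"] != BOOTREQUEST or msg["msg_type"] != DISCOVER:
            return None
        giaddr = ipaddress.ip_address(msg["giaddr"])
        pool = next((p for net, p in self.pools.items() if giaddr in net), None)
        if not pool:
            return None                             # no scope for that relay interface
        ip = self.leases.get(msg["chaddr"]) or pool.pop(0)
        self.leases[msg["chaddr"]] = ip
        offer = build(BOOTREPLY, OFFER, msg["xid"], msg["chaddr"],
                      yiaddr=ip, giaddr=msg["giaddr"], hops=msg["hops"])
        # GIADDR is set, so per RFC 2131 the reply goes unicast to the relay on port 67
        return msg["giaddr"], SERVER_PORT, offer


def demo():
    server = DhcpServer({"192.168.100.0/24": ["192.168.100.50"],
                         "10.20.0.0/16": ["10.20.0.100", "10.20.0.101"]})
    discover = build(BOOTREQUEST, DISCOVER, xid=0x3903F326, chaddr="00:11:22:33:44:10")
    _, _, relayed = relay_to_server(discover, relay_ip="10.20.0.1", server_ip="192.168.100.5")
    dst_ip, dst_port, offer = server.handle(relayed)
    return {"client_giaddr": parse(discover)["giaddr"], "relayed": parse(relayed),
            "offer_dst": (dst_ip, dst_port), "offer": parse(offer)}
```

The server never sees the client's subnet directly; GIADDR is its only clue about where the client sits, which is why a server that ignores the field (or a relay that leaves it zero) hands out addresses from the wrong pool. A server that has no scope matching the relay's GIADDR stays silent, as `handle` does here, rather than guessing.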
IP addressing/subnetting

 The IP address is a 32-bit long binary number normally represented by 4 decimal numbers in the range 0 to 255, each representing 8 binary bits, eg,
   192.168.100.10 – decimal
   11000000.10101000.01100100.00001010 – binary
 IP addresses are comprised of two parts – one identifying the network and the other the host

IP addressing/subnetting

 The subnet mask determines how many bits are for the network and how many for the hosts
   Eg, 192.168.100.0/24 has 24 bits for the network address and eight bits for hosts (0 – 255)
   With a /24 mask there are 254 usable hosts
     0 not used as it represents the subnet
     255 is the broadcast address for the subnet
   The /24 mask’s decimal representation is 255.255.255.0
 A network with a 24-bit mask is a Class C Network
   Class B Networks use 16-bit masks and Class A Networks eight-bit masks
   Class A Networks have many more hosts per network than Class B Networks, which, in turn, have many more hosts per network than Class C Networks
   However, there are far fewer registered Class A and B Networks available than Class C Networks

IP addressing/subnetting

 Two ways to overcome registered Internet IP network shortage
   Network Address Translation (NAT) separates private network IP address space from public Internet IP space
   Networks can be subnetted into smaller networks
     Class C network with a /29 mask (255.255.255.248) has 32 available subnets each with six hosts
     Class B network with a /22 mask (255.255.252.0) has 64 available subnets each with 1022 hosts
   By selectively choosing the subnet mask, network administrators can strike the optimal balance between number of subnets and number of hosts per subnet
 This is a very brief overview of IP addressing and subnetting
   Study and practice IP addressing and subnetting – it is an important topic when deploying Tropos networks
   Many publications available on this topic
   Think about optimum subnet masks and clients per subnet

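The figures on the three addressing slides (the binary form of 192.168.100.10, 254 usable hosts in a /24, 32 subnets of six hosts for a /29 split, 64 subnets of 1022 hosts for a /22 split) can all be reproduced with the standard library. This added example is not from the slides; it uses Python's `ipaddress` module and goes slightly beyond the slides by also picking the smallest mask for a given number of clients and by answering the "same subnet or not" question that decides whether two hosts need a router. The `describe`, `split`, `smallest_mask_for` and `same_subnet` names are mine, and the /31 and /32 handling follows RFC 3021 rather than the slides.

```python
"""Subnet arithmetic for the figures in the slides (/24 -> 254 hosts, /29 and /22
splits, binary notation). Added example using only the standard ipaddress
module; the addresses are the slides' own plus constructed ones."""
import ipaddress


def to_binary(ip):
    """Dotted-binary form, one 8-bit group per octet."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)


def describe(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast address
    usable = net.num_addresses - 2 if host_bits >= 2 else net.num_addresses
    return {"network_bits": net.prefixlen, "host_bits": host_bits,
            "netmask": str(net.netmask), "network": str(net.network_address),
            "broadcast": str(net.broadcast_address), "usable_hosts": usable}


def split(cidr, new_prefix):
    """Number of subnets and usable hosts per subnet when cidr is cut into /new_prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    subnets = list(net.subnets(new_prefix=new_prefix))
    return len(subnets), describe(str(subnets[0]))["usable_hosts"]


def smallest_mask_for(hosts):
    """Longest prefix (most subnets) that still leaves room for `hosts` usable addresses."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")


def same_subnet(ip_a, ip_b, prefix):
    """True when two hosts can reach each other at Layer 2 (no router needed)."""
    return (ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False))
```

`smallest_mask_for` is the arithmetic behind "optimum subnet masks and clients per subnet": a site that needs 250 clients fits a /24, but 255 clients already forces a /23, halving the number of subnets available from the same block.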
Switching basics

 Layer 2 switches allow devices on the same network to communicate based on MAC addresses
 Switches maintain a table of MAC addresses of devices connected to each switch port
 Switches learn about new devices as they join the network
 Switches improve performance by dividing a shared Layer 2 segment (eg, Ethernet) into separate collision domains
 Switches allow devices on the segment to broadcast to each other – broadcast overhead can limit performance on large networks
   Some switches limit unnecessary broadcast traffic
   Tropos routers also do this

Routing basics

[Diagram: Source Host, a router asking "Where do I send packets next?", Destination Host]

 Routers allow users on different IP networks to communicate
 Routers limit unneeded traffic by dividing a large network into smaller ones
 Routers use routing algorithms (eg, RIP) to decide the best path to a destination based on routing metrics (eg, hop count)
 Each router maintains a routing table listing the next hop to each destination network
 Tropos has a wireless optimized routing algorithm, PWRP, which uses packet success probability, hop count and other metrics to find the best path
 PWRP does not exchange routing tables with wired routing protocols such as OSPF and IGRP – however connection with these networks is supported

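The "where do I send packets next?" question in the diagram is answered by a table lookup: the most specific matching network wins, and a metric breaks ties between equally specific routes. The following added example (not from the slides, and not PWRP or any router's code) implements that lookup; the prefixes, next hops and metric values are constructed, and `metric` stands in for whatever the routing protocol computes (hop count for RIP, the link-quality metrics the slides attribute to PWRP).

```python
"""Routing table with longest-prefix match and a metric tie-breaker, plus the
'deliver directly or hand to a router' decision that precedes ARP. Added example;
prefixes, next hops and metrics are constructed."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []      # (network, next_hop or None when directly connected, metric)

    def add(self, prefix, next_hop=None, metric=0):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, metric))

    def lookup(self, dst):
        """Most specific matching route wins; among equal prefixes, the lowest metric."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        net, next_hop, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return {"network": str(net), "next_hop": next_hop, "metric": metric}

    def forward(self, dst):
        """Whose MAC to resolve: the destination itself when its network is directly
        connected, otherwise the next-hop router (MAC addresses stop at the subnet edge)."""
        route = self.lookup(dst)
        if route is None:
            return ("drop", None)
        if route["next_hop"] is None:
            return ("direct", dst)
        return ("via", route["next_hop"])


def build_table():
    """A small constructed table: one connected LAN, overlapping routes, a default."""
    rt = RoutingTable()
    rt.add("192.168.100.0/24")                           # directly connected LAN
    rt.add("10.0.0.0/8", "192.168.100.2", metric=5)      # summary route for all of 10/8
    rt.add("10.20.0.0/16", "192.168.100.3", metric=3)    # more specific: beats the /8
    rt.add("10.20.0.0/16", "192.168.100.4", metric=1)    # same prefix, better metric
    rt.add("0.0.0.0/0", "192.168.100.1")                 # default route toward the ISP
    return rt
```

Without a default route the last case becomes `("drop", None)`, which is the behaviour to expect on a router that is deliberately not connected to the Internet.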
VLANs

 VLANs break a switched network into different broadcast domains
 Users on different VLANs communicate via a router
   Or, they can be prevented from communicating based on security settings on the router
 The router has a VLAN trunk port which carries traffic from multiple VLANs – another device connected to this port must also be configured as a VLAN trunk
   VLAN trunks use special oversized Ethernet packets with VLAN tags to identify to which VLAN individual packets belong
   VLAN trunks follow the 802.1Q standard (some older Cisco equipment uses the non-standard ISL protocol)
 LAN interfaces on Tropos gateways support the 802.1Q standard

VLANs (cont.)

 Each VLAN on a VLAN trunk port is assigned a unique IP address from a distinct subnet
 A management VLAN is assigned for network management communication with devices on both ends of the VLAN trunk
   Usually, any tagged VLAN can be the management VLAN
 Cisco routers using 802.1Q trunks are a special case
   Cisco routers must be managed via a non-tagged, aka native, VLAN that uses standard size Ethernet frames
   By default this is VLAN 1 although it is configurable
   If you have a VLAN trunk between a Tropos gateway and a Cisco router, assign the Tropos gateway a management VLAN other than the Cisco native VLAN

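The "oversized" frame and the untagged native VLAN mentioned on the two VLAN slides come down to four bytes inserted after the source MAC. This added example (not from the slides or any vendor) builds, tags, parses and untags 802.1Q frames so the difference is visible; the frame contents and addresses are constructed, and the `MAX_UNTAGGED`/`MAX_TAGGED` constants count header plus payload without the FCS.

```python
"""802.1Q tagging, untagging and parsing. Added example, not from the slides or
any vendor; frame contents are constructed. It shows where the 4-byte tag sits,
why a tagged frame exceeds the untagged Ethernet maximum, and that a native-VLAN
frame carries no tag at all."""
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED = 1514            # 14-byte header + 1500-byte payload, FCS not counted
MAX_TAGGED = MAX_UNTAGGED + 4  # the 'oversized' frame a trunk port must accept


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet(dst, src, ethertype, payload):
    """Plain (untagged) frame, as seen on an access port or on the native VLAN."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag(frame, vid, pcp=0, dei=0):
    """Trunk egress: insert TPID + TCI between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse(frame):
    """Header fields plus the VLAN tag if present (None means native/untagged)."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, payload_off = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload_off = 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype,
            "payload": frame[payload_off:], "oversized": len(frame) > MAX_UNTAGGED}


def untag(frame):
    """Trunk ingress toward an access port: drop the 4 tag bytes, keep everything else."""
    return frame[:12] + frame[16:] if parse(frame)["vlan"] else frame
```

A full-size IP packet therefore produces a 1518-byte tagged frame, which a port configured for plain Ethernet (1514 plus FCS) would reject; that is the practical reason both ends of a trunk must agree they are trunks, and why the Cisco native VLAN, which stays untagged, can be managed with standard-size frames.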
Access lists

 Routers provide a measure of security using access lists
 Access lists filter traffic to/from certain IP port numbers or addresses
   Port numbers are sometimes used to identify applications, eg, SMTP on port 25
 Depending on router configuration, access lists can be implicit allow (all traffic allowed except traffic specifically denied) or explicit allow (all traffic denied except traffic specifically allowed)
   Tropos supports both types of access lists
 Access lists are ordered from most to least specific and are checked from the top down (first match is applied)
   Eg, implicit allow list allows SMTP traffic from all hosts on 192.150.200.0/24 except 192.150.200.60, blocks SMTP traffic from other subnets, blocks all other TCP traffic but allows UDP traffic
     deny smtp 192.150.200.60
     allow smtp 192.150.200.0/24
     deny smtp
     deny any tcp port
     allow any
 While access lists provide some security, most networks require firewalls or other more robust security solutions
 Some applications use common port numbers (eg, HTTP and Kazaa both use port 80) so access lists are not appropriate for filtering such traffic
   Bandwidth management devices are more suitable for such tasks

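The five-line list above is a good test case for first-match evaluation, and it also shows why the slides insist on most-specific-first ordering: swap the first two lines and the `deny smtp 192.150.200.60` entry can never fire. The following added example (not from the slides or Tropos) evaluates packets against that list in the slide's own syntax and reports rules that an earlier, broader rule makes unreachable; the `Rule` class, `evaluate` and `shadowed` helpers and the sample packets are constructed, and "smtp" is expanded to TCP port 25 as the slide states.

```python
"""First-match access-list evaluation for the slide's example list, plus a check
for rules that an earlier, broader rule makes unreachable. Added example; the
Rule/evaluate/shadowed helpers and the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICES = {"smtp": ("tcp", 25)}          # service names the rule syntax understands


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    proto: Optional[str] = None            # "tcp", "udp" or None for any protocol
    port: Optional[int] = None             # destination port or None for any
    src: Optional[str] = None              # source host/prefix or None for any

    @classmethod
    def parse(cls, text):
        """'deny smtp 192.150.200.60', 'deny any tcp port', 'allow any' (slide syntax)."""
        words = text.split()
        action, proto, port, src = words[0], None, None, None
        for w in words[1:]:
            if w in SERVICES:
                proto, port = SERVICES[w]
            elif w in ("tcp", "udp"):
                proto = w
            elif w[0].isdigit():
                src = w
            # "any" and "port" add no constraint
        return cls(action, proto, port, src)

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.port is None or pkt["dport"] == self.port)
                and (self.src is None or ipaddress.ip_address(pkt["src"])
                     in ipaddress.ip_network(self.src, strict=False)))

    def covers(self, other):
        """True when every packet that matches `other` also matches self."""
        proto_ok = self.proto is None or self.proto == other.proto
        port_ok = self.port is None or self.port == other.port
        if self.src is None:
            src_ok = True
        elif other.src is None:
            src_ok = False
        else:
            src_ok = ipaddress.ip_network(other.src, strict=False).subnet_of(
                ipaddress.ip_network(self.src, strict=False))
        return proto_ok and port_ok and src_ok


def evaluate(rules, pkt, default="allow"):
    """Top-down, first match wins; `default` is what makes the list implicit or explicit allow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]


SLIDE_ACL = [Rule.parse(t) for t in (
    "deny smtp 192.150.200.60",
    "allow smtp 192.150.200.0/24",
    "deny smtp",
    "deny any tcp port",
    "allow any",
)]
```

`shadowed` is the check worth running whenever a list is edited: a rule it reports is not just redundant, it means the traffic the author meant to block (or permit) is getting the opposite treatment from the broader rule above it.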
Security

[Diagram: ISP Router, Internet, Firewall with DMZ Segment, Open Segment and Secure Segment behind an Inside-Filter Router; other components, e.g. Bandwidth Manager, Email / SPAM Filter, Intrusion Detection System, Virtual Private Network]

 To be properly protected from malicious Internet users, multiple layers of security should be used
 This example shows one potential security architecture
 The secure segment could be connected to a Tropos mesh network
 Tropos routers have additional wireless security features, eg, MAC filtering, authentication

IP settings on clients

 IP clients (such as PCs) must be configured with IP address information to communicate with an IP network
 IP addresses may be dynamic (provided by a DHCP server) or static
 Gateway, subnet mask and DNS information must also be configured or provided by DHCP

IP and wireless settings on a PC

 Wireless clients normally use DHCP (obtain an IP address automatically) to connect to a Tropos network
 Clients need to associate with the wireless SSID of the Tropos mesh network
   SSID is configured by the network administrator
 Authentication settings on the PC must match those of the Tropos networks (e.g. Open, WEP, WPA, WPA2, 802.11x, with matching keys)
