
Local network design

Most local networks are intended to have some connection to the internet, or will need one at some time in the future, so they should be configured to comply with the internet rules.
The rules for running any system connected to the internet are first proposed by the Internet Engineering Task Force (IETF) as a series of Requests For Comments (RFCs), together with any updates, which may then be accepted by the International Standards Organisation (ISO). The RFC index, and the files themselves, can be viewed or downloaded as plain text, HTML, or PDF from https://tools.ietf.org. Anything you do should comply with the latest rules, found by working backwards through the list. International standards information is available from http://standards.ieee.org.
Interconnection services between internet devices, such as email, websites, and video streaming, use port numbers defined by the Internet Assigned Numbers Authority (IANA).
Internet names and addresses are allocated by IANA but delegated in blocks to Regional Internet Registries: AFRINIC in Africa, APNIC in the Asia Pacific region including Australia, ARIN in the USA, LACNIC in South America, and RIPE in Europe, with further local delegations such as Nominet in the UK. The internet "backbone" provides the physical interconnections and services. Blocks of numerical addresses are allocated to individual Internet Service Providers (ISPs), which must provide access and routing between their customers and the internet, together with the Domain Name Service (DNS) that links domain names to their numerical addresses, which are difficult to remember and may not be static.
ISPs supply or rent resources as required to meet their customers' requirements, normally in large binary block sizes quoted as powers of 2, limited by maximum capability rather than actual use, so that there can be congestion at peak times but often no charge for large overnight data transfers.
Any organisation or individual person can apply for a unique domain name, which will require information to enable a DNS search for the relevant numerical addresses. The domain name must be registered through an ISP unless the organisation is large enough to act as an ISP itself, but the allocation is made to the individual customer, so can be moved to a different ISP if required. There will be a relatively small annual charge for the domain name itself, plus any DNS and other ISP charges. However many domain names are purchased as unused investments, and then offered for sale at inflated prices.
The IPv4 and/or IPv6 numerical addresses supplied are specific to the ISP. ISPs may restrict use by blocking individual "well known ports", for example to prevent access to a local web server.
IPv6 was introduced because the supply of IPv4 addresses was exhausted, although some ISPs still have a few available from their allocation. Many ISPs will not allocate statically assigned addresses, only temporary dynamic addresses when actually needed, relying on private connections between them and their customers, and this can be a problem for connections that must be reachable from the internet. There is no shortage of IPv6 addresses, so there should be no need for dynamic IPv6 prefix allocation, but check with your ISP. Some ISPs will charge extra for a static IPv4 address if one is available.
Both the IPv4 and IPv6 address systems have special use addresses, including addresses reserved for private use only that must not be used on the public internet.
A local system could include both IPv4 and IPv6, with both officially assigned and private addresses, spread over more than one network. Networks could be separated or linked for convenience, by location, or by designed use, and even remote networks can be linked using Virtual Private Network software (VPN).
Each network can be allocated multiple officially assigned IPv4 and IPv6 addresses as well as private IPv4 and IPv6 addresses. A single 64-bit /64 IPv6 prefix could apply to more than one network, but a 48-bit /48 prefix can be divided so that individual networks are separated and each allocated its own derived /64 prefix.
Local access to DNS information can be provided by a Dynamic Host Configuration Protocol (DHCP) service or a DNS nameserver. Addresses can be assigned automatically from a local pool using DHCP (with Network Address Translation, NAT, sometimes known as masquerading, for IPv4) and with IPv6 Router Advertisement (RA) and/or DHCPv6, but you may wish to run your own local domain name server with restricted access to the data it provides. Unix-compatible systems usually offer the Berkeley Internet Name Daemon, BIND9, maintained by the Internet Engineering Consortium (IEC) for multiple networks and address types, while Microsoft uses a totally different method. If your firewall is required to provide automatic DHCP configuration for mobile devices, your domain name server(s) may need to be sited elsewhere on one or more of your local networks to prevent the firewall grabbing the DNS service port 53. Note that the IEC are currently developing their Kea DHCP system for both IPv4 and IPv6 rather than a BIND version 10.
A private IPv6 prefix can be generated according to RFC 4193 "Unique Local IPv6 Unicast Addresses". Ensure that each network, including any that are (or may in the future be) connected via internet "tunnels", has a different address prefix.
Because the originally defined site-local IPv6 addresses are not unique, major problems can arise if two formerly independent networks are connected later (overlapping subnets). This and other issues led to a new address type, beginning with fcxx: (not yet used) or fdxx: (currently the only one in use). A 40-bit part of the prefix must be generated using a pseudo-random algorithm, so that it is improbable that two generated prefixes are equal.
An example of a prefix generated using the web-based tool "createLULA" provided by www.goebel-consult.de is fd0f:8b72:ac90::/48; this leaves another 16 bits (four hex characters) to build a 64-bit prefix for each individual local network.
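The following is an added example written for this page, not code from the page or from the createLULA tool. It implements the RFC 4193 section 3.2.2 recipe for the pseudo-random 40-bit Global ID (SHA-1 over a 64-bit NTP-format timestamp and an EUI-64 identifier, keeping the low-order 40 bits), builds the fdxx::/48 site prefix, and then carves per-network /64 prefixes out of it using the 16-bit Subnet ID field, which is the subdivision described above. The MAC address and timestamp are constructed sample values; the page's own fd0f:8b72:ac90::/48 prefix is used to show the split.

```python
"""RFC 4193 Unique Local Address (ULA) prefixes and per-network /64 subnets."""
import hashlib
import ipaddress
import struct
import time
from typing import Optional

# RFC 4193 block; only the fd00::/8 half (L bit = 1) is defined for use
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")


def eui64_from_mac(mac: str) -> bytes:
    """Expand a 48-bit MAC into a modified EUI-64 identifier (RFC 4291 appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = bytes([octets[0] ^ 0x02])  # invert the universal/local bit
    return first + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900-01-01 plus 32-bit fraction."""
    seconds = int(unix_time) + 2208988800
    fraction = int((unix_time - int(unix_time)) * 2 ** 32)
    return struct.pack(">II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def generate_ula_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Return an fdxx:xxxx:xxxx::/48 site prefix with a pseudo-random 40-bit Global ID."""
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # low-order 40 bits of the hash
    # layout: fd (8 bits) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
    prefix = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix, 48))


def subnet_for(site_prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 for one local network out of a /48 using the 16-bit Subnet ID field."""
    if site_prefix.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("Subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(site_prefix.network_address) | (subnet_id << 64), 64))


def is_usable_ula(net: ipaddress.IPv6Network) -> bool:
    """True for prefixes inside fd00::/8, the only ULA half RFC 4193 defines for use."""
    return net.subnet_of(ULA_BLOCK) and (int(net.network_address) >> 120) == 0xFD


if __name__ == "__main__":
    # constructed inputs: a sample MAC and a fixed timestamp so the run is reproducible
    site = generate_ula_prefix("52:54:00:12:34:56", unix_time=1700000000.0)
    print("site prefix:", site, "usable ULA:", is_usable_ula(site))
    for name, sid in (("main", 0x0001), ("guest", 0x0002), ("dmz", 0x0003)):
        print(f"{name:>5}: {subnet_for(site, sid)}")
    # the page's createLULA prefix split the same way
    print("createLULA example:", subnet_for(ipaddress.IPv6Network("fd0f:8b72:ac90::/48"), 0x0001))
```

In practice the timestamp is taken at generation time, so the prefix is generated once, recorded, and then reused; regenerating it would give a different value. Allocate a distinct Subnet ID to every local network, including networks at remote sites that may later be joined by tunnel or VPN, so that no two ever share a /64.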
If you would like to experiment with a real IPv6 address but your ISP has not provided one you can request a free IPv6-in-IPv4 tunnel provided by Hurricane Electric through their http://www.tunnelbroker.net website, or SixXS.
An alternative "6to4" tunnel is not recommended, see https://labs.ripe.net/Members/emileaben/6t04-why-is-it-so-bad

Unfortunately not all connections are welcome, so you will probably need to use some kind of firewall protection.
Firewall software such as UFW is designed to protect an individual computer by selectively blocking access. Some internet connection modems can provide multiple outlets with optional separation and filtering by service port. However, you may prefer to provide your own dedicated firewall router. Firewall software such as OPNsense, pfSense, m0n0wall, and some others, is available for download from the internet, or a dedicated firewall can be built using something like the Shoreline firewall system (Shorewall and Shorewall6) as available through the Debian distribution.
A typical home firewall might provide a best-protected main network, a semi-secure network for visiting guests or "surfing the web", and a firewall-isolated demilitarised zone (DMZ) for web servers and email gateway hubs that must be accessible from the internet, each with access restrictions to and/or from the network.
A small company may wish to isolate some departments, such as management, accounts, R&D, production, and general office use.
The firewall may be configured to examine only the initial request for each connection and decide whether the connection should be allowed to start, allowing mostly full access from local networks to the internet but restricted access from the internet. Permitted connections are then simply allowed to continue, so there may be no inherent protection if a local user requests a connection to a booby-trapped or infected destination unless separate anti-virus and spam protection is used.
Anti-virus facilities, or software such as "snort", may be added.
Individual destinations may be blacklisted, or restricted according to the user (but note that access to many named sites is available through multiple numerical addresses and multiple physical locations, so all would need to be treated equally).
A firewall-based router will require separate (possibly Ethernet) network connections for the internet and for each local network, none shared, followed by individual network distribution hubs or switches as required.
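The zone model and the "inspect only the first packet" behaviour described above, together with the destination blacklist, as an added example written for this page (it is not Shorewall's code or the page's own). It is a pure-Python simulation of a stateful zone firewall: a connection is checked against explicit rules, a destination blacklist and the zone policy only while it is NEW; once accepted it is entered in a connection table and every later packet of that flow, in either direction, passes as ESTABLISHED without further inspection. Zone names (net, loc, gst, dmz), address ranges, the blacklisted range and the sample packets are all constructed for the example.

```python
"""Zone-based stateful firewall policy, simulated in pure Python."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed zones: anything not in a local zone is treated as the internet ("net")
ZONES = {
    "loc": ipaddress.ip_network("192.168.10.0/24"),  # best-protected main network
    "gst": ipaddress.ip_network("192.168.20.0/24"),  # guest / web-surfing network
    "dmz": ipaddress.ip_network("192.168.30.0/24"),  # demilitarised zone
}
# (source zone, destination zone) -> default action for a NEW connection; absent pairs DROP
POLICY = {("loc", "net"): "ACCEPT", ("loc", "dmz"): "ACCEPT",
          ("gst", "net"): "ACCEPT", ("dmz", "net"): "ACCEPT"}
# Explicit rules consulted before POLICY: (src zone, dst zone, proto, dport, action)
RULES = [("net", "dmz", "tcp", 80, "ACCEPT"),
         ("net", "dmz", "tcp", 443, "ACCEPT"),
         ("net", "dmz", "tcp", 25, "ACCEPT")]
# Constructed blacklist of destination ranges; only affects NEW connections
BLOCKED_DESTINATIONS = [ipaddress.ip_network("203.0.113.128/25")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "net"


class StatefulFirewall:
    def __init__(self) -> None:
        self.conntrack: Set[Tuple] = set()  # accepted flows, stored in the initiating direction

    @staticmethod
    def _flow_key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # ESTABLISHED: part of a tracked flow (either direction), accepted without inspection
        if self._flow_key(p) in self.conntrack or self._reverse_key(p) in self.conntrack:
            return "ACCEPT"
        # NEW: blacklist, then explicit rules, then zone policy; default DROP
        dst_ip = ipaddress.ip_address(p.dst)
        if any(dst_ip in net for net in BLOCKED_DESTINATIONS):
            return "DROP"
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        for rule_src, rule_dst, proto, dport, action in RULES:
            if (rule_src, rule_dst, proto, dport) == (src_zone, dst_zone, p.proto, p.dport):
                break
        else:
            action = POLICY.get((src_zone, dst_zone), "DROP")
        if action == "ACCEPT":
            self.conntrack.add(self._flow_key(p))
        return action


# Constructed traffic: documentation ranges stand in for internet hosts
SCENARIO = [
    ("main -> internet https, NEW", Packet("192.168.10.5", 51000, "198.51.100.20", 443, "tcp")),
    ("internet -> main https reply, ESTABLISHED", Packet("198.51.100.20", 443, "192.168.10.5", 51000, "tcp")),
    ("internet -> main ssh, NEW", Packet("203.0.113.9", 40000, "192.168.10.5", 22, "tcp")),
    ("internet -> dmz https, NEW", Packet("203.0.113.9", 40001, "192.168.30.10", 443, "tcp")),
    ("internet -> dmz ssh, NEW", Packet("203.0.113.9", 40002, "192.168.30.10", 22, "tcp")),
    ("guest -> main smb, NEW", Packet("192.168.20.7", 5000, "192.168.10.5", 445, "tcp")),
    ("dmz -> main mysql, NEW", Packet("192.168.30.10", 6000, "192.168.10.5", 3306, "tcp")),
    ("main -> blacklisted web host, NEW", Packet("192.168.10.5", 51001, "203.0.113.200", 80, "tcp")),
]


def run_scenario() -> List[Tuple[str, str]]:
    """Feed the constructed packets through one firewall instance in order."""
    fw = StatefulFirewall()
    return [(desc, fw.filter(pkt)) for desc, pkt in SCENARIO]


if __name__ == "__main__":
    for desc, action in run_scenario():
        print(f"{action:6} {desc}")
```

The first packet from the main network to the internet web server is accepted by zone policy and its reply is accepted purely because the flow is tracked, which is the behaviour the text describes: nothing about the destination's content is examined, so a connection to an infected site passes as readily as any other. The blacklist check only ever sees NEW connections, and, as the text notes, a site reachable through several addresses needs every one of them listed.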
Downloadable firewall systems will require some configuration, see the documentation provided.
Select names for local networks with care. Some firewall software sets limits on the length of local network names; for example, Shorewall sets a maximum of three characters. Networks which will eventually be linked via the internet using Virtual Private Network (VPN) software must not have the same names.
