Historical Debian information What now?
General information Installing Debian Help for beginners
Further information Network addressing FOSS index
Distributions Using Knoppix Main site index

Network Addressing

The international rules of the internet are as proposed and amended by The Internet Engineering Task Force in a series of Requests For Comments (RFC's), see https://www.ietf.org together with standards set by the IEEE, see https://standards.ieee.org/

An internet connection is built on an underlying network system which will depend on the type of hardware, such as ethernet cable, wireless, or optical fibre.

All internet access and routing is done using numerical IP addresses, but humans are not very good at remembering numbers so there is also a system to provide unique domain names together with a service to convert between the two called the Domain Name Service, DNS.

Each of the top level domains such as .com or .co or .uk is allocated to one of several possible individual organizations located around the world including ICANN / IANA in the USA and Nominet in Oxford, UK. They can lease individual domain names to companies or individuals, normally working via an Internet Service Provider responsible for providing at least access route information, and maintain a database with the details of those allocations. However the unique domain names are leased to end users, and the end user can transfer the responsibility for managing the domain name to another Internet Service Provider, retaining the domain name, although there may be a brief interruption while the old DNS records time out and are replaced.

Blocks of internet numerical addresses are allocated to individual Internet Service Providers according to their demonstrated need, and it is up to the ISP to allocate individual IP addresses to their customers. Address blocks are allocated in a binary tree format, most significant digit first, with the block size set by the number of leading digits. Each ISP is responsible for providing Domain Name Service (DNS) databases linking domain names and numerical addresses within their allocation, as well as search facilities allowing their customers to find the information held by other ISPs. Most supply email and web services to their customers using unique names subsidiary to the ISP domain name.

Individual domain name registration, DNS, email, and web services may be provided by the ISP that supplies the physical connection, but those services may be split between several ISPs. Terms and conditions and associated charges are as agreed between the ISP and the customer. An internet search should provide links to ISPs throughout the world. Beware that connections, registrations, and transport are subject to the legal controls applied by all countries involved, so for example a .com registration is subject to the USA legislation and conditions, while access to a machine in an Icelandic datacentre may be via both western Europe and Scandinavia.

Do compare the terms, conditions, and services supplied by different ISPs, not all services may be provided, while some may only be available at additional cost.

Both IPv4 and IPv6 are in reality binary numbers, 32-bit for IPv4 and 128-bit for IPv6. An IPv4 address can be given in 32-bit binary format or a sequence of four numbers, each representing 8 binary bits, separated by single dots, while those four numbers can each be given as either decimal between 0 and 255 or two hex digits in the ranges 0-9, a-f. Although the four dot-separated decimal numbers is normal, an IPv4 address is sometimes deliberately obscured using another format.

The pool of 32-bit binary IPv4 addresses was effectively exhausted several years ago, so a premium rate may be charged for a fixed IPv4 address. The internet has managed to cope by re-using a restricted number of private network addresses which can not be used on the real internet. Blocks of addresses within the 32-bit binary system were set aside for private use, not to be used directly on the internet, which together with Network Address Translation (NAT) enabled entire local private networks to share the same internet connection and address. A side effect of NAT was a possible reduction in the security threats to end users. Dynamic addresses are only allocated to end users for the time they are actively connected to the internet, and may be reclaimed as soon as they disconnect.

The newer 128-bit binary IPv6 addresses are designed to be allocated as a two-part address, with the first 64 binary bits allocated in blocks to ISPs and the remaining 64 bits allocated to the end users for their own purposes, with all the address bits visible on the internet without NAT. This enables huge numbers of visible destinations which could also be used for remote control and automation. Unfortunately not all ISPs have provided this facility yet, and hardware and/or software modifications may be required in parts of the internet connection system.

IPv4 and IPv6 can work concurrently. More than one domain name and/or IP address can be allocated to any individual hardware interface, a single IP address may be linked to more than one interface as part of a load sharing "round robin", and any piece of hardware, (known as a node), may have several active interfaces.

The DNS "A" record for an IPv4 domain name will usually point to a machine which provides website facilities, but there can also be a MX list of mail servers, showing their order of preference, that are configured to handle email for the domain, so that no mail is lost when one is not available.

IPv6 aims to provide a much greater number of internet addresses so that every network interface can have a fully accessible address without NAT, and there is no provision for NAT in IPv6. The system can be used to access far more devices, and allow remote control and monitoring via the internet, but this has already exposed security problems, with the advanced control systems of a greater range of devices being corrupted and used for unauthorised processes. It is not so easy to conceal an interface without a properly configured firewall, and security is important for each and every device.


IPv4

A block of IPv4 addresses can be described as either a 32-bit binary number, or split into four 8-bit groups in decimal or Hex format, separated by "." with the block size set by the number N of binary bits in the left-hand part of the number shown as /N or a netmask.
Connections to a device may provide numerous services, and each service will attempt to connect to a specific port number, shown as :port_number following the address.
The first address in a block (0) is the address of the network block itself, and should not be allocated to a device.
The last address of a block is the broadcast address for the network, and should not be allocated to a device.

127.0.0.1 is a special "loopback" address for the localhost itself.

IPv4 private networks are normally a group of 256 addresses (the last number) selected from the following ranges, with a netmask of 255.255.255.0 ( /24 )
Class A   10.0.0.0/8         to 10.255.255.255
Class B   172.16.0.0/12   to 172.31.255.255
Class C   192.168.0.0/16 to 192.168.255.255
where the first of the group, 0, is the address of the network, the default gateway is 1, and 255 the broadcast address. The default is usually one of the Class C groups, but B or A if there are likely to be several interconnected private networks in a large organisation.

You are free to choose any of these addresses for your private network, but it is very important to choose a network address that is different from any other that you may wish to link to, either locally or via a long distance link (which could be a point to point virtual link routed via the internet).

RFC 3330 - Special-Use IPv4 Addresses
169.254.0.0/16 is a reserved block for link local addresses
224.0.0.1 is a special address which means all interfaces connected to the network, and may be used by a router as it attempts to identify possible connections.


IPv6

IPv6 is already becoming common, and is being deployed rapidly. Recent Microsoft systems are able to use IPv6, although some network devices may need to be updated or replaced. Linux has been able to use the new system for some time.
See RFC3306, RFC3956, RFC4913, RFC4291, RFC4489, RFC5952, RFC6052, RFC7136, RFC7346, and RFC7371, for full information on the structure of IPv6 addresses.
Please only take my notes as an introduction, IPv6 is a much larger system than IPv4, with serious security implications. I suggest that even if you do not use Linux you should read the HOWTO giving extensive information about IPv6 at The Linux Documentation Project, http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO

An IPv6 address is composed of a 64-bit network part plus a 64-bit local part, written as eight blocks of 16 binary bits separated by a colon. Each group of 16 bits is normally shown as four hexadecimal (hex) characters, with leading zero's removed, although there must be at least one remaining character in each 16-bit group which can be zero. A single sequence of zero groups within the 132-bit address can be shown as :: because the remaining characters can still be expanded to the full address.

An alternative form which can be used in a mixed IPv4 and IPv6 environment is x:x:x:x:x:x:d.d.d.d where the x's are the hex values of the first six 16-bit groups and the d's are the decimal values of the four 8-bit of the IPv4 address.

A node is a single physical item, such as a computer or a router, which may have multiple network interfaces.

Any interface may have more than one address, and the address format must comply with restrictions and requirements which specify the type of address.

A unicast address is specific to a single interface.
An anycast address is one assigned to a group of interfaces, perhaps part of a load share group, where the "nearest" or first to reply is selected.
A multicast address is the IPv6 equivalent of the IPv4 broadcast address for all interfaces connected to a network.

The scope of an address covers the intended use, perhaps local to a single link, local to a single network, or global.

All interfaces must have at least one Link-Local unicast address, and each interface may have multiple IPv6 addresses of any type (unicast, anycast, and multicast) or scope.

A subnet prefix is associated with a single link, but multiple subnet prefixes may be assigned to the same link.

A unicast address may be assigned to multiple physical interfaces if they can be treated as a single interface, perhaps for load sharing.

Special IPv6 addresses
0:0:0:0:0:0:0:1 or ::1   Localhost
0:0:0:0:0:0:0:0 or ::    Unspecified

IPv4-mapped IPv6 address but listed as a DNS A record, not a DNS AAAA record
0:0:0:0:0:ffff:a.b.c.d/96
or   ::ffff:a.b.c.d/96
decimal is expected, so for 192.168.1.7 enter ::ffff:192.168.1.7/96

IPv4-compatible IPv6 address are used for automatic tunneling, (now deprecated, being replaced by 6to4 tunneling)
0:0:0:0:0:0:a.b.c.d/96
or   ::a.b.c.d/96

2001:0db8::/32 reserved for examples and documentation


Local or Host part (the last 64 bits)

Address types (host part)
Automatically computed (also known as stateless)
With auto-configuration, the host part of the address is computed by expanding the MAC address of an interface (if available) to 64 bits as in the Extended Unique Identifier IEEE-Tutorial EUI-64 at http://standards.ieee.org/regauth/oui/tutorials/EUI64.html
The "universal" bit 7 of the 64-bit host part (bit 71 of the entire 128-bits) must be set to 1 for universal global scope, 0 to indicate local scope
The "group" bit 8 of the 64-bit host part (bit 72 of the entire 128-bits) must be set to 1 for a group, 0 for an individual interface.
E.g. if a NIC has the 48 bit MAC address:
00:10:a4:01:23:45
This would be expanded to the 64 bit interface identifier:
0210:a4ff:fe01:2345
With a given prefix, the result is the IPv6 address shown in example above:
2001:0db8:0100:f101:0210:a4ff:fe01:2345
If no MAC address is available for this device (happens e.g. on virtual devices), something else (like the IPv4 address) is used instead.

Privacy problem with automatically computed addresses and a solution
Because the "automatically computed" host part is globally unique (except when a vendor of a NIC uses the same MAC address on more than one NIC), client tracking is possible on the host when not using a proxy of any kind.
This is a known problem, and a solution was defined: privacy extension, defined in RFC4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Using a random and a static value a new suffix is generated from time to time. Note: this is only reasonable for outgoing client connections and isn't really useful for well-known servers.

Manually set
For servers, it's probably easier to remember simpler addresses, and this can also be accommodated by assigning an additional IPv6 address to an interface, e.g.
2001:0db8:100:f101::1
For manual suffixes like ::1 shown in the above example, it's required that the 7th most significant bit of the local part is set to 0 (the universal/local bit of the automatically generated identifier). Some other bit combinations are reserved for anycast addresses.


Network part (prefix, the first 64 bits)

Prefix lengths for routing
In the early design phase it was planned to use a fully hierarchical routing approach to reduce the size of the routing tables maximally. The reasons behind this approach were the number of current IPv4 routing entries in core routers (> 400 thousand in 2013), reducing the need of memory in hardware routers (Application Specified Integrated Circuit, ASIC driven) to hold the routing table and increase speed (fewer entries hopefully result in faster lookups).
Today's view is that routing will be mostly hierarchically designed for networks with only one service provider. With more than one ISP connections, this is not possible, and subject to an issue named multi-homing (infos on multi-homing: drafts-ietf-multi6-*,IPv6 Multihoming Solutions).

Prefix lengths (also known as "netmasks")
Similar to IPv4, the routable network path for routing to take place. Because standard netmask notation for 128 bits doesn't look nice, designers employed the IPv4 Classless Inter Domain Routing (CIDR, RFC 1519 / Classless Inter-Domain Routing) scheme, which specifies the number of bits of the IP address to be used for routing. It is also called the "slash" notation.
An example:
  2001:0db8:100:1:2:3:4:5/48
This notation will be expanded:
Network:
  2001:0db8:0100:0000:0000:0000:0000:0000
Netmask:
  ffff:ffff:ffff:0000:0000:0000:0000:0000


Address types:     Binary prefix:    IPv6 notation:
Unspecified          00...0 (128 bits) ::/128
Loopback             00...1 (128 bits) ::1/128
Multicast               11111111          ff00::/8  further details below.
Link-Local unicast 1111111010      fe80::/10 with the rest of the network part normally all 0
Global Unicast        (everything else)
Anycast addresses are taken from within the unicast ranges.
Site-local unicast addresses, were fecx::/10, are now deprecated, to be treated as Global unicast.

Multicast addresses must not be used as source address, and must not appear in any Routing header. The first 8 bits of a multicast address are followed by 4 "flag" bits, 4 "scope" bits, 8 reserved "0" bits, 8 bits which specify the effective prefix length, the 64-bit network prefix, and 32 bits for the multicast group ID, so in
11111111 0RPT scop 00000000 prlength networkprefix groupID
the first of the flag bits must be 0, R=1 if a rendezvous point address is included, P=1 or 0 indicates that the address is, or is not, based on the network prefix, T=0 for a permanently assigned multicast address, T=1 for a transient dynamically assigned multicast address, but if P=1 then T must also be 1, while the four scope bits indicate
0 reserved
1 Interface-Local scope, only useful for multicast loopback
2 Link-Local scope spans the same region as the corresponding unicast scope
3 reserved
4 Admin-Local scope is the smallest that must be administratively configured
5 Site-Local scope spans a single site
6 unassigned, can be used to define additional regions
7 unassigned, can be used to define additional regions
8 Organization-Local scope spans multiple sites which belong to the same organization
9 unassigned, can be used to define additional regions
A unassigned, can be used to define additional regions
B unassigned, can be used to define additional regions
C unassigned, can be used to define additional regions
D unassigned, can be used to define additional regions
E Global scope
F reserved

and the group ID defines the multicast group within the given scope.

2001:0db8::/32 reserved for examples and documentation

2001:x:x:x:0:0:0:0/64 (or 2001:x:x:x::/64)  subnet to router anycast address

2002:  6to4 addresses where in 2002:t:u:v:w:x:y:z
       t = first 16 bits u = second 16 bits v = netmask of IPv4 address
See RFC 6052 from the Internet Engineering Task Force (IETF) for further details of IPv4 in IPv6 and IPv6 in IPv4 tunnelling

Unique Local IPv6 Unicast Addresses
Because the original defined site local addresses are not unique, this can lead to major problems if two former independent networks would be connected later (overlapping of subnets). This and other issues lead to a new address type, see RFC4193 / Unique Local IPv6 Unicast Addresses.
It begins with:
fcxx:  not yet used, or
fdxx:  currently the only one in use
A 40 bit part of the prefix is generated using a pseudo-random algorithm, and it's improbable that two generated ones are equal.
Example for a prefix (generated using a web-based tool: Goebel Consult / createLULA):
fd0f:8b72:ac90::/48

fe8x:  link local
fe9x:  link local not yet in use
feax:  link local not yet in use
febx:  link local not yet in use

fecx:  site local most common, now deprecated, similar to IPv4 10.0.0.0/8
fedx:  site local now deprecated
feex:  site local now deprecated
fefx:  site local now deprecated

ffx1:  Multicast node-local scope

ffx2:  Multicast link-local scope

ffx3:  Multicast reserved
ffx4:  Multicast reserved

ffx5:  Multicast site-local scope

ffx6:  Multicast reserved
ffx7:  Multicast reserved

ffx8:  Multicast organization-local scope

ffx9:  Multicast reserved
ffxa:  Multicast reserved
ffxb:  Multicast reserved
ffxc:  Multicast reserved
ffxd:  Multicast reserved

ffxe:  Multicast global scope

ffxf:  Multicast reserved
    where ffxx:0:0:0:0:0:0:1 addresses all hosts
    and   ffxx:0:0:0:0:0:0:2 addresses all routers
    also   ffxx:x:x:x:x:1:ff00::/104 is solicited node link-local multicast

Service ports

Standard services such as email, web, and remote access, are usually handled at standard numerical access "ports" which are monitored by suitable software. Routing is normally automatic, although the destination port can be specified by adding ":port_number" to the address.


IPv6 firewalls

IPv6 allows any network interface to have more than one address, while more than one interface can respond to a multicast address, although it must then respond with a unique address.

The global IPv6 address prefix of 64 binary bits supplied by an ISP provides routing information to your site, and allows you to add a 64 binary bit suffix for each interface to build as many unique 128-bit addresses as you need for your entire system. A globally unique suffix can be generated automatically from the hardware MAC address, while a site-unique address suffix can be assigned manually.
There is provision for Site Local 64-bit address prefixes which can not be accessed from the internet, only to be used for local traffic, with a requirement that each should be generated by a random number process so that it is unlikely to cause a problem even when multiple local sites are merged later. Address suffixes can be added as needed, a site local address is not required to have the same 64-bit suffix as a global address.

A router provided by your ISP may allow administration traffic to the router itself, and contain a simple firewall which by default allows all traffic towards the internet but blocks all traffic initiated from the internet. Some may allow configuration by the user. You may be able to replace that router with your own to be able to block administration access from the internet, and provide your own firewall. The use of virtual machines is not recommended because they rely on the integrity of the underlying system, and there is much more that can go wrong or be compromised.

Before you build a firewall, decide how many separate local network zones you require, for example

DMZ for attack resistant "Bastion Host" machines which must be accessible from the internet such as web servers and mail gateways, but the firewall should block attacks on the other local networks from any compromised Bastion Host.

Semi-secure for guests, web surfing, and wireless links, which need to be able to initiate a connection to the internet but do not require direct access from the internet or to the fully protected zone.

Best protected, for important machines and internal servers, but able to initiate a connection to the internet and other zones as required.

Data is transmitted in discrete blocks. The first is checked against the firewall configuration, and a decision is made on whether to allow the transfer to proceed, including related data blocks that follow. Usually reply data is also enabled, although in some cases this may only be allowed if configured.
Individual network services linked to numerical "ports" associated with the connection can be enabled only if and when required, and only for specific individual interfaces, for example allowing only emails to a mail server and web requests to a web server.
There is no provision for Network Address Translation (NAT) in IPv6, and every global address can be accessed from the internet unless blocked by a firewall.
Totally independent network interfaces and connection hardware (hubs and switches) must be dedicated to the internet and each local network, none can be shared. Network hardware is available with multiple independent interfaces if physical space is limited. They are not required to have a site local network address prefix, (or to share the same), although it may help to provide isolation.

Access to information can be restricted, and routes blocked, as configured. Local traffic can be required to use site local addresses only, but global addresses only to connect to the internet.
Mobile devices require Router Advice (RA) information provided by each router and gateway, including the firewall. Independent DNS and DHCP servers may also be provided.
Separate internet domain information can be provided using a name server accessible from the internet, while local configuration information is restricted as required.
Each site local prefix will need separate address list and reverse (arpa) records. Emails received by a dedicated mail gateway in the DMZ can be forwarded to an internal mail server, but a separate DNS record for each domain name may be required to provide just the internal mail server MX information.

A firewall may be able to do personal identity checks, date and time access restriction, traffic accounting, virtual connections between separate sites, and much more.

Return to foss index