
Chapter 7 - Building a TCP/IP Router-Based Network

Cisco TCP/IP Routing Professional Reference
Chris Lewis
  Copyright © 1999 The McGraw-Hill Companies, Inc.

IANA or Not IANA?
IANA stands for the Internet Assigned Numbers Authority, the body responsible for assigning Internet addresses, well-known port numbers, autonomous system numbers, and other centrally administered Internet resources. The people who actually assign IP addresses for use on the Internet in the United States are those at the InterNIC. If you apply directly for Internet addresses (that is, if you do not go through an Internet service provider, or ISP), the paperwork you fill out states that the InterNIC assigns addresses under the authority of IANA. In Europe, address assignment is handled by Réseaux IP Européens (RIPE), and the Asia Pacific Network Information Center (APNIC) assigns addresses in the Asia Pacific region.
The question is, do you use on your internetwork IP addresses that are globally valid on the Internet, or do you make up your own numbers to suit your particular internetwork's needs? Let's take a few moments to consider the benefits and pitfalls of each approach.
Assuming that a firewall of some kind is in place to separate your internetwork from the Internet (firewalls will be considered in more depth later in this chapter), the question boils down to: Should I use network address translation or a firewall's proxy server function to allow me the freedom of assigning my own addressing scheme, or do I want to get InterNIC addresses and be part of the global Internet addressing scheme?
Consider first the benefits of a proxy server. If you have any concerns regarding security, it is appropriate to use a proxy server firewall machine as the single connection point between your internetwork and the Internet. A proxy server separates two networks from each other and allows only prespecified communication between them. It has two sides, the inside (your internetwork) and the outside (the Internet), and is configured to permit only certain types of communication.
This means that if you decide to allow outgoing Telnet sessions, and a client PC on the inside wants to Telnet to a host on the Internet side, no direct session between the two machines is made. Instead, the client PC establishes a Telnet session with the proxy server, the proxy server establishes a separate session with the Internet host, and the proxy passes data between the two. As far as the client PC and the Internet host are concerned, they are talking to each other directly; in reality the client PC is talking to the inside of the proxy, and the Internet host is talking to the outside of the proxy. Because the proxy terminates both sessions itself, it can apply application-level checks to the traffic it relays, and it optionally logs every communication that takes place; the price is that client software must know how to talk to the proxy rather than directly to the destination.
As a side benefit, this type of server shields the internal network numbering scheme from the external network. This means that an Internet proxy firewall server will have a set of InterNIC-assigned addresses on the Internet side and some user-defined addressing scheme on the internal side. To enable communication between the two, the proxy server maps internal to external addresses.
If you choose to implement your own addressing, this proxy server feature gives you a lot of freedom to design an appropriate networking scheme for the internal network. Addresses assigned by the InterNIC are typically Class C addresses, which might not fit the internal network's needs. Also, the application process to get addresses directly from the InterNIC is arduous, to say the least.
The same benefit of shielding the internal network numbering scheme can be delivered by a network address translation (NAT) server. An address translation server rewrites the addresses in packet headers as packets pass through it, and keeps a table of the translations it has made so that return traffic can be mapped back to the right internal host. This type of server runs no application software and does not require hosts to run proxy-aware applications; unlike a proxy, though, it does not look inside the application data it relays.
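The translation step described above, as an added example that is not from the book: a small Python model of a port-overloading translator (the form of NAT most sites use, in which many inside hosts share one public address). It shows the outbound header rewrite, the table that maps replies back to the inside host, and the fact that an unsolicited inbound packet has no table entry and is dropped. The 10.0.0.0 internal network, the 198.51.100.1 outside address and all hosts and ports are assumptions made for the example.

```python
"""Constructed example: a minimal port-overloading NAT (NAPT) table.

Inside hosts use the IANA-reserved 10.0.0.0/8 network; the translator owns
one public address. Outbound packets have their source rewritten; inbound
packets are accepted only if they match an existing mapping, which is what
shields the internal numbering scheme from the outside.
All addresses and ports below are made up for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

INSIDE_NET = IPv4Network("10.0.0.0/8")       # assumed internal numbering
PUBLIC_ADDR = IPv4Address("198.51.100.1")    # assumed outside address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


class Napt:
    """Translation table keyed on (inside src, inside sport, proto) and,
    for the reverse direction, on the public port handed out to that flow."""

    def __init__(self, public: IPv4Address, first_port: int = 1024) -> None:
        self.public = public
        self.next_port = first_port
        self.out: Dict[Tuple[IPv4Address, int, str], int] = {}
        self.back: Dict[Tuple[int, str], Tuple[IPv4Address, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. A packet on the inside interface whose source
        is not in the internal range is spoofed and is dropped."""
        if pkt.src not in INSIDE_NET:
            return None
        key = (pkt.src, pkt.sport, pkt.proto)
        port = self.out.get(key)
        if port is None:
            # New flow: allocate a fresh public port so two inside hosts
            # using the same ephemeral port do not collide.
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only packets matching a mapping get through."""
        if pkt.dst != self.public:
            return None
        mapping = self.back.get((pkt.dport, pkt.proto))
        if mapping is None:
            return None  # unsolicited: no inside host is exposed
        inside_addr, inside_port = mapping
        return replace(pkt, dst=inside_addr, dport=inside_port)


def demo() -> dict:
    """Run two outbound Telnet flows, one reply and one unsolicited probe."""
    nat = Napt(PUBLIC_ADDR)
    # Two inside hosts that happen to pick the same ephemeral port.
    a = Packet(IPv4Address("10.1.1.10"), 40000, IPv4Address("203.0.113.7"), 23)
    b = Packet(IPv4Address("10.1.1.11"), 40000, IPv4Address("203.0.113.7"), 23)
    a_out = nat.outbound(a)
    b_out = nat.outbound(b)
    # Reply from the Internet host to a's translated flow.
    reply = Packet(IPv4Address("203.0.113.7"), 23, PUBLIC_ADDR, a_out.sport)
    # Unsolicited probe at the public address on a port nobody mapped.
    probe = Packet(IPv4Address("203.0.113.99"), 5555, PUBLIC_ADDR, 23)
    return {
        "a_out": a_out,
        "b_out": b_out,
        "reply_in": nat.inbound(reply),
        "probe_in": nat.inbound(probe),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The two inside hosts leave with the same public address but different public ports, the reply to the first flow is mapped back to 10.1.1.10:40000, and the probe is discarded because nothing in the table points at an inside host. A real translator also ages entries out and handles protocols that embed addresses in the payload (FTP, for instance), which this model does not.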
There are, however, some potential issues with implementing your own IP addressing scheme that are avoided when addresses are obtained from the InterNIC. The most obvious is that if you assign to your internal network a network number that already is in use on the Internet, you will not be able to communicate with the Internet sites using that address. The problem is that the proxy server's routing table holds a route for that network number pointing at the internal network, and that route is more specific than the default route to the Internet, so every packet destined for the network number is sent back inside and never reaches the Internet site.
The Internet Assigned Numbers Authority (IANA) foresaw this problem and, in RFC 1918, reserved some Class A, B, and C network numbers for internal networks that are isolated from the Internet by a proxy or address translation device. These reserved addresses are never assigned to anyone on the Internet, and are as follows:
10.0.0.0 (one Class A network, 10.0.0.0/8)
172.16.0.0 to 172.31.0.0 (16 Class B networks, 172.16.0.0/12)
192.168.0.0 to 192.168.255.0 (256 Class C networks, 192.168.0.0/16)
This means that any number of organizations can use these addresses for their internal networks and still be assured of reaching all Internet sites. It creates another problem, however, because firewalls are not used only to connect to the Internet. Corporations in increasing numbers are connecting their networks to each other and need to secure the communications between them. This is particularly true for information service companies that deliver their information into a client's network. If two organizations both use 172.16.0.0 as their internal network, they cannot connect their networks together unless one of them renumbers. The only alternative to renumbering is a double address translation stage, in which each side is translated into a range the other does not use, and that is difficult to manage.
There are some benefits to having InterNIC-assigned addresses on your internal network. You have the peace of mind of knowing that your network can be hidden from the Internet, yet you still have the ability to reach every Internet site out there. In addition, if you need to connect to another company's network, you should be okay: the chances of any given organization implementing network address translation and choosing your assigned address for its internal network are small.
On the downside, using InterNIC addresses can be restrictive and can necessitate a very complex network numbering scheme. If you have only 200 hosts that need addresses, you are likely to get only one Class C address. If you are particularly unlucky during the application process, you will not even be assigned a whole Class C. Some applicants now are expected to use only portions of a Class C network address, which requires a routing protocol that carries subnet masks and supports variable-length, discontiguous subnets. This may restrict network design or, at the very least, produce a complex numbering scheme that will prove difficult to troubleshoot.
I recommend that unless you already have adequate addresses assigned by the InterNIC, you do not use InterNIC-assigned numbers for your internal internetwork. Most people who implement network address translation use the IANA-reserved addresses, typically the Class A network number 10. If you are concerned that you might one day need to connect to another company that has also chosen network 10, pick a less commonly used part of the reserved space instead (one or more of the 172.16.0.0 to 172.31.0.0 networks, for example) and record which ranges you use, so that a future connection needs at most one translation stage. Do not borrow Class A numbers that are not reserved for private use: networks 4 and 5, sometimes assumed to be military reservations, are not safe choices. Network 4 is allocated and routed on the Internet, and unallocated Class A numbers are assigned over time, so any Internet host in such a range becomes unreachable from your internetwork the moment your firewall holds an internal route for it.
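The overlap problem from the preceding paragraphs, as an added example that is not from the book: a Python model of the longest-prefix-match lookup a router (or the firewall host's own IP stack) performs, which shows why an internal route for a network that is also on the Internet swallows traffic for that network, together with a check of a proposed addressing plan against the IANA-reserved ranges and against a partner's internal ranges. Network 4 is used as the overlap case because it is routed on the Internet; the host 4.1.1.1 (standing for any host in network 4), the plan and the partner range 10.20.0.0/16 are assumptions made for the example.

```python
"""Constructed example: why a network number that is also in use on the
Internet becomes unreachable once you use it internally, and how to check
an addressing plan before committing to it.

Routes, hosts and partner ranges below are made up for the example.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

# The ranges IANA set aside for private internets (RFC 1918).
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

Route = Tuple[IPv4Network, str]  # (destination prefix, egress interface)


def lookup(table: List[Route], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins,
    which is how a router, or the proxy host's IP stack, picks an egress."""
    best: Optional[Route] = None
    for prefix, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def egress_for(internal_nets: List[str], dst: str) -> Optional[str]:
    """Build the table a firewall host would have: one route per internal
    network pointing inside, plus a default route pointing at the Internet,
    and report which interface a packet for dst would leave on."""
    table: List[Route] = [(ip_network(n), "inside") for n in internal_nets]
    table.append((ip_network("0.0.0.0/0"), "outside"))
    return lookup(table, IPv4Address(dst))


def plan_problems(internal_nets: List[str], partner_nets: List[str]) -> List[str]:
    """Flag internal networks that are not private space (they will shadow
    real Internet destinations) or that collide with a partner's numbering."""
    problems: List[str] = []
    partners = [ip_network(p) for p in partner_nets]
    for n in internal_nets:
        net = ip_network(n)
        if not any(net.subnet_of(reserved) for reserved in RFC1918):
            problems.append(f"{net} is not IANA-reserved private space")
        for partner in partners:
            if net.overlaps(partner):
                problems.append(f"{net} overlaps partner network {partner}")
    return problems


if __name__ == "__main__":
    risky_plan = ["10.0.0.0/8", "4.0.0.0/8"]   # assumed plan, network 4 borrowed
    partner = ["10.20.0.0/16"]                  # assumed partner's internal range
    # With network 4 inside, a packet for an Internet host in 4/8 is sent
    # back inside and is lost; without it, the default route carries it out.
    print("4.1.1.1 via:", egress_for(risky_plan, "4.1.1.1"))
    print("4.1.1.1 via:", egress_for(["10.0.0.0/8"], "4.1.1.1"))
    for line in plan_problems(risky_plan, partner):
        print("problem:", line)
```

Run before numbering a site: an empty list from `plan_problems` means every internal range is RFC 1918 space and does not collide with the partner ranges you know about, which is the condition under which a single translation stage at the firewall suffices.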
The rest of this chapter will assume that we have decided to hide the internal network numbering scheme and are free to assign a network numbering scheme that makes things easy to administer.
Books24x7.com, Inc © 2000