module-3 notes


COMPUTER NETWORKS

Network Layer

Introduction

The network layer in the TCP/IP protocol suite is responsible for the host-to-host delivery of
datagrams. It provides services to the transport layer and receives services from the data-link layer.
In this chapter, we introduce the general concepts and issues in the network layer.

NETWORK-LAYER SERVICES

• Packetizing

• Routing and Forwarding

• Other Services

i) Error Control

ii) Flow Control

iii) Congestion Control

iv) Quality of Service

v) Security

As the figure shows, the network layer is involved at the source host, destination host, and all
routers in the path (R2, R4, R5, and R7). At the source host (Alice), the network layer accepts a
packet from a transport layer, encapsulates the packet in a datagram, and delivers the packet to the
data-link layer. At the destination host (Bob), the datagram is decapsulated, and the packet is
extracted and delivered to the corresponding transport layer. Although the source and destination
hosts are involved in all five layers of the TCP/IP suite, the routers use three layers if they are routing
packets only;

Packetizing

The first duty of the network layer is definitely packetizing: encapsulating the payload in a packet at
the source and decapsulating the payload from the packet at the destination. In other words, the duty
of the network layer is to carry a payload from the source to the destination without changing it or using it.

The source is not allowed to change the content of the payload unless it is too large for delivery
and needs to be fragmented. If the packet is fragmented at the source or at routers along the path,
the network layer is responsible for waiting until all fragments arrive, reassembling them, and
delivering them to the upper-layer protocol. The routers are not allowed to change source and
destination addresses either.

Routing and Forwarding

Routing

The network layer is responsible for routing the packet from its source to the destination. Generally
there is more than one route from the source to the destination. The network layer is responsible
for finding the best one among these possible routes. The network layer needs to have some specific
strategies for defining the best route. The routing protocols should be run before any
communication occurs.

Forwarding

Forwarding can be defined as the action applied by each router when a packet arrives at one of its
interfaces. A router normally uses a forwarding table (sometimes called the routing table) for applying
this action. To make the decision, the router uses a piece of information in the packet header,
which can be the destination address or a label, to find the corresponding output interface number
in the forwarding table.

Other Services

Error Control

Although error control can also be implemented in the network layer, the designers of the network
layer ignored this issue. One reason is the fact that the packet in the network layer may be
fragmented at each router, which makes error checking at this layer inefficient. Although the
network layer in the Internet does not directly provide error control, the Internet uses an auxiliary
protocol, ICMP, that provides some kind of error control.

Flow Control

Flow control regulates the amount of data a source can send without overwhelming the receiver. To
control the flow of data, the receiver needs to send some feedback to the sender to inform the latter
that it is overwhelmed with data. The network layer, however, does not directly provide any flow
control. The datagrams are sent by the sender when they are ready, without any attention to the
readiness of the receiver.

Congestion Control

Congestion in the network layer is a situation in which too many datagrams are present in an area of
the Internet. Congestion may occur if the number of datagrams sent by source computers is beyond
the capacity of the network or routers. In this situation, some routers may drop some of the
datagrams.

However, as more datagrams are dropped, the situation may become worse because, due to the
error control mechanism at the upper layers, the sender may send duplicates of the lost packets. If
the congestion continues, sometimes a situation may reach a point where the system collapses and
no datagrams are delivered.

Quality of Service

As the Internet has allowed new applications such as multimedia communication, the quality of
service (QoS) of the communication has become more and more important. However, to keep the
network layer untouched, these provisions are mostly implemented in the upper layer.

Security

Security was not a concern when the Internet was originally designed because it was used by a small
number of users at universities for research activities; other people had no access to the Internet.
The network layer was designed with no security provision. Today, however, security is a big
concern. To provide security for a connectionless network layer, we need to have another virtual
level that changes the connectionless service to a connection-oriented service.

IPV4 ADDRESSES

The identifier used in the IP layer of the TCP/IP protocol suite to identify the connection of each
device to the Internet is called the Internet address or IP address. An IPv4 address is a 32-bit address
that uniquely and universally defines the connection of a host or a router to the Internet.

The IP address is the address of the connection, not the host or the router, because if the device
is moved to another network, the IP address may be changed. IPv4 addresses are unique in the
sense that each address defines one, and only one, connection to the Internet.

Address Space

An address space is the total number of addresses used by the protocol. If a protocol uses b bits to
define an address, the address space is 2^b because each bit can have two different values (0 or 1).
IPv4 uses 32-bit addresses, which means that the address space is 2^32 or 4,294,967,296 (more than
four billion). If there were no restrictions, more than 4 billion devices could be connected to the
Internet.

Notation

There are three common notations to show an IPv4 address:

• binary notation (base 2),

• dotted-decimal notation (base 256), and

• hexadecimal notation (base 16).

Hierarchy in Addressing

In any communication network that involves delivery, such as a telephone network or a postal
network, the addressing system is hierarchical. In a postal network, the postal address (mailing
address) includes the country, state, city, street, house number, and the name of the mail recipient.
Similarly, a telephone number is divided into the country code, area code, local exchange, and the
connection.

A 32-bit IPv4 address is also hierarchical, but divided only into two parts. The first part of the
address, called the prefix, defines the network; the second part of the address, called the suffix,
defines the node (connection of a device to the Internet).

The prefix length is n bits and the suffix length is (32 − n) bits.

A prefix can be fixed length or variable length. The network identifier in IPv4 was first designed
as a fixed-length prefix. This scheme, which is now obsolete, is referred to as classful addressing.
The new scheme, which is referred to as classless addressing, uses a variable-length network prefix.

Classful Addressing

When the Internet started, an IPv4 address was designed with a fixed-length prefix, but to
accommodate both small and large networks, three fixed-length prefixes were designed instead of
one (n = 8, n = 16, and n = 24). The whole address space was divided into five classes (class A, B, C, D,
and E), as shown in Figure 18.18. This scheme is referred to as classful addressing.

Address Depletion

The reason that classful addressing has become obsolete is address depletion. Since the addresses
were not distributed properly, the Internet was faced with the problem of the addresses being
rapidly used up. This resulted in no more addresses available for organizations and individuals that
needed to be connected to the Internet.

To understand the problem, let us think about class A. This class can be assigned to only 128
organizations in the world, but each organization needs to have a single network (seen by the rest of
the world) with 16,777,216 nodes (computers in this single network). Since there may be only a few
organizations that are this large, most of the addresses in this class were wasted (unused).

Class B addresses were designed for midsize organizations, but many of the addresses in this
class also remained unused.

Class C addresses have a completely different flaw in design. The number of addresses that can
be used in each network (256) was so small that most companies were not comfortable using a block
in this address class. Class E addresses were almost never used, wasting the whole class.

In class A, the network length is 8 bits, but since the first bit, which is 0, defines the class, we can
have only seven bits as the network identifier. This means there are only 2^7 = 128 networks in the
world that can have a class A address.

Subnetting and Supernetting

To alleviate address depletion, two strategies were proposed and, to some extent,
implemented: subnetting and supernetting.

In subnetting, a class A or class B block is divided into several subnets. Each subnet has a
larger prefix length than the original network. For example, if a network in class A is divided
into four subnets, each subnet has a prefix of n_sub = 10.

At the same time, if all of the addresses in a network are not used, subnetting allows the
addresses to be divided among several organizations. This idea did not work because most
large organizations were not happy about dividing the block and giving some of the unused
addresses to smaller organizations.

While subnetting was devised to divide a large block into smaller ones, supernetting was
devised to combine several class C blocks into a larger block to be attractive to organizations
that need more than the 256 addresses available in a class C block. This idea did not work
either because it makes the routing of packets more difficult.

Advantage of Classful Addressing

Given an address, we can easily find the class of the address and, since the prefix length for each
class is fixed, we can find the prefix length immediately. In other words, the prefix length in classful
addressing is inherent in the address; no extra information is needed to extract the prefix and the
suffix.

Classless Addressing:

Subnetting and supernetting in classful addressing did not really solve the address depletion
problem. With the growth of the Internet, it was clear that a larger address space was needed as a
long-term solution. The larger address space, however, requires that the length of IP addresses also
be increased, which means the format of the IP packets needs to be changed. Although the long-range
solution has already been devised and is called IPv6 (discussed later), a short-term solution
was also devised to use the same address space but to change the distribution of addresses to
provide a fair share to each organization. The short-term solution still uses IPv4 addresses, but it is
called classless addressing. In other words, the class privilege was removed from the distribution to
compensate for the address depletion.

There was another motivation for classless addressing. During the 1990s, Internet Service Providers
(ISPs) came into prominence. An ISP is an organization that provides Internet access for individuals,
small businesses, and midsize organizations that do not want to create an Internet site and become
involved in providing Internet services (such as electronic mail) for their employees. An ISP can
provide these services. An ISP is granted a large range of addresses and then subdivides the
addresses (in groups of 1, 2, 4, 8, 16, and so on), giving a range of addresses to a household or a
small business. The customers are connected via a dial-up modem, DSL, or cable modem to the ISP.
However, each customer needs some IPv4 addresses.

In 1996, the Internet authorities announced a new architecture called classless addressing. In
classless addressing, variable-length blocks are used that belong to no classes. We can have a block
of 1 address, 2 addresses, 4 addresses, 128 addresses, and so on. In classless addressing, the whole
address space is divided into variable-length blocks. The prefix in an address defines the block
(network); the suffix defines the node (device). Theoretically, we can have a block of 2^0, 2^1,
2^2, ..., 2^32 addresses. One of the restrictions, as we discuss later, is that the number of addresses
in a block needs to be a power of 2. An organization can be granted one block of addresses. Figure
18.19 shows the division of the whole address space into nonoverlapping blocks.

Unlike classful addressing, the prefix length in classless addressing is variable. We can have a prefix
length that ranges from 0 to 32. The size of the network is inversely proportional to the length of the
prefix. A small prefix means a larger network; a large prefix means a smaller network. We need to
emphasize that the idea of classless addressing can be easily applied to classful addressing. An
address in class A can be thought of as a classless address in which the prefix length is 8. An address
in class B can be thought of as a classless address in which the prefix is 16, and so on. In other words,
classful addressing is a special case of classless addressing.

Prefix Length: Slash Notation:

The first question that we need to answer in classless addressing is how to find the prefix length if
an address is given. Since the prefix length is not inherent in the address, we need to separately give
the length of the prefix. In this case, the prefix length, n, is added to the address, separated by a
slash. The notation is informally referred to as slash notation and formally as classless interdomain
routing or CIDR (pronounced cider) strategy. An address in classless addressing can then be
represented as shown in Figure 18.20.

In other words, an address in classless addressing does not, per se, define the block or network to
which the address belongs; we need to give the prefix length also.

Extracting Information from an Address:

Given any address in the block, we normally like to know three pieces of information about the
block to which the address belongs: the number of addresses, the first address in the block, and the
last address. Since the value of prefix length, n, is given, we can easily find these three pieces of
information, as shown in Figure 18.21.

1. The number of addresses in the block is found as N = 2^(32−n).

2. To find the first address, we keep the n leftmost bits and set the (32 − n) rightmost bits all to 0s.

3. To find the last address, we keep the n leftmost bits and set the (32 − n) rightmost bits all to 1s.

Example 18.1

A classless address is given as 167.199.170.82/27. We can find the above three pieces of information
as follows. The number of addresses in the network is 2^(32−n) = 2^5 = 32 addresses.

The first address can be found by keeping the first 27 bits and changing the rest of the bits to 0s.

Address Mask:

Another way to find the first and last addresses in the block is to use the address mask. The address
mask is a 32-bit number in which the n leftmost bits are set to 1s and the rest of the bits (32 − n) are
set to 0s. A computer can easily find the address mask because it is the complement of (2^(32−n) − 1).
The reason for defining a mask in this way is that it can be used by a computer program to extract
the information in a block, using the three bit-wise operations NOT, AND, and OR.

1. The number of addresses in the block N = NOT (mask) + 1.

2. The first address in the block = (Any address in the block) AND (mask).

3. The last address in the block = (Any address in the block) OR (NOT (mask)).

Example 18.2

We repeat Example 18.1 using the mask. The mask in dotted-decimal notation is 255.255.255.224.
The AND, OR, and NOT operations can be applied to individual bytes using calculators and applets at
the book website.

Example 18.3

In classless addressing, an address cannot per se define the block the address belongs to. For
example, the address 230.8.24.56 can belong to many blocks. Some of them are shown below with
the value of the prefix associated with that block.

Network Address:

The above examples show that, given any address, we can find all information about the block. The
first address, the network address, is particularly important because it is used in routing a packet to
its destination network. For the moment, let us assume that an internet is made of m networks and
a router with m interfaces. When a packet arrives at the router from any source host, the router
needs to know to which network the packet should be sent: from which interface the packet should
be sent out. When the packet arrives at the network, it reaches its destination host using another
strategy that we discuss later. Figure 18.22 shows the idea. After the network address has been
found, the router consults its forwarding table to find the corresponding interface from which the
packet should be sent out. The network address is actually the identifier of the network; each
network is identified by its network address.

Block Allocation:

The next issue in classless addressing is block allocation. How are the blocks allocated? The ultimate
responsibility of block allocation is given to a global authority called the Internet Corporation for
Assigned Names and Numbers (ICANN). However, ICANN does not normally allocate addresses to
individual Internet users. It assigns a large block of addresses to an ISP (or a larger organization that
is considered an ISP in this case). For the proper operation of the CIDR, two restrictions need to be
applied to the allocated block.

1. The number of requested addresses, N, needs to be a power of 2. The reason is that N = 2^(32−n), or
n = 32 − log2 N. If N is not a power of 2, we cannot have an integer value for n.

2. The requested block needs to be allocated where there is an adequate number of contiguous
addresses available in the address space. However, there is a restriction on choosing the first
address in the block. The first address needs to be divisible by the number of addresses in the block.
The reason is that the first address needs to be the prefix followed by (32 − n) number of 0s. The
decimal value of the first address is then

First address = (prefix in decimal) × 2^(32−n) = (prefix in decimal) × N

Example 18.4

An ISP has requested a block of 1000 addresses. Since 1000 is not a power of 2, 1024 addresses are
granted. The prefix length is calculated as n = 32 − log2 1024 = 22. An available block, 18.14.12.0/22, is
granted to the ISP. It can be seen that the first address in decimal is 302,910,464, which is divisible
by 1024.
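The block arithmetic of Examples 18.1 to 18.4 worked in Python, as an added example (not code from the original notes): the three pieces of block information, the same results via the mask with NOT/AND/OR, the several-blocks point of Example 18.3, and the two allocation restrictions. The prefix lengths tried for 230.8.24.56 are my own choice, since the page's list did not survive extraction; every other value comes from the examples above.

```python
"""Classless (CIDR) block arithmetic: block information, the address-mask
method (NOT, AND, OR) and the two CIDR allocation restrictions.
Added example; prefix lengths for Example 18.3 are constructed."""

MASK32 = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Dotted-decimal (base-256) notation -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-decimal notation."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def mask_for(n: int) -> int:
    """Address mask: n leftmost bits 1, the remaining 32 - n bits 0,
    i.e. the complement of (2**(32 - n) - 1)."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return MASK32 ^ ((1 << (32 - n)) - 1)


def block_info(cidr: str) -> dict:
    """Given any address of a block in slash notation, return the mask, the
    number of addresses N, and the first and last address of the block."""
    addr_str, n_str = cidr.split("/")
    addr, n = ip_to_int(addr_str), int(n_str)
    mask = mask_for(n)
    not_mask = mask ^ MASK32                  # bitwise NOT, kept to 32 bits
    return {
        "prefix_length": n,
        "mask": int_to_ip(mask),
        "count": not_mask + 1,                # N = NOT(mask) + 1 = 2**(32-n)
        "first": int_to_ip(addr & mask),      # keep n bits, set the rest to 0s
        "last": int_to_ip(addr | not_mask),   # keep n bits, set the rest to 1s
    }


def containing_blocks(addr: str, prefix_lengths) -> list:
    """Example 18.3: the same address lies in a different block for every
    prefix length, so an address alone does not identify its network."""
    blocks = []
    for n in prefix_lengths:
        info = block_info(f"{addr}/{n}")
        blocks.append(f"{info['first']}/{n}")
    return blocks


def allocation_check(first_addr: str, requested: int) -> tuple:
    """Apply the two CIDR allocation restrictions to a request. Returns
    (granted block size, prefix length n, first address divisible by size)."""
    if requested < 1:
        raise ValueError("at least one address must be requested")
    granted = 1 << (requested - 1).bit_length()   # round up to a power of 2
    n = 32 - (granted.bit_length() - 1)           # n = 32 - log2(granted)
    aligned = ip_to_int(first_addr) % granted == 0
    return granted, n, aligned


if __name__ == "__main__":
    print(block_info("167.199.170.82/27"))            # Examples 18.1 and 18.2
    print(containing_blocks("230.8.24.56", [16, 20, 26, 27, 29, 31]))
    print(allocation_check("18.14.12.0", 1000))       # Example 18.4 -> (1024, 22, True)
```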

Subnetting

More levels of hierarchy can be created using subnetting. An organization (or an ISP) that is granted
a range of addresses may divide the range into several subranges and assign each subrange to a
subnetwork (or subnet). Note that nothing stops the organization from creating more levels. A
subnetwork can be divided into several sub-subnetworks. A sub-subnetwork can be divided into
several sub-sub-subnetworks, and so on.

Designing Subnets

The subnetworks in a network should be carefully designed to enable the routing of packets. We
assume the total number of addresses granted to the organization is N, the prefix length is n, the
assigned number of addresses to each subnetwork is N_sub, and the prefix length for each subnetwork
is n_sub. Then the following steps need to be carefully followed to guarantee the proper operation of
the subnetworks.

• The number of addresses in each subnetwork should be a power of 2.

• The prefix length for each subnetwork should be found using the following formula:

n_sub = 32 − log2 N_sub

• The starting address in each subnetwork should be divisible by the number of addresses in
that subnetwork. This can be achieved if we first assign addresses to larger subnetworks.

Finding Information about Each Subnetwork

After designing the subnetworks, the information about each subnetwork, such as first and last
address, can be found using the process we described to find the information about each network in
the Internet.

If we add all addresses in the previous subblocks, the result is 208 addresses, which means 48
addresses are left in reserve. The first address in this range is 14.24.74.208. The last address is
14.24.74.255. We don’t know about the prefix length yet. Figure 18.23 shows the configuration of
blocks. We have shown the first address in each block.

Address Aggregation:

One of the advantages of the CIDR strategy is address aggregation (sometimes called address
summarization or route summarization). When blocks of addresses are combined to create a larger
block, routing can be done based on the prefix of the larger block. ICANN assigns a large block of
addresses to an ISP. Each ISP in turn divides its assigned block into smaller subblocks and grants the
subblocks to its customers.

Example 18.6

Figure 18.24 shows how four small blocks of addresses are assigned to four organizations by an ISP.
The ISP combines these four blocks into one single block and advertises the larger block to the rest
of the world. Any packet destined for this larger block should be sent to this ISP. It is the
responsibility of the ISP to forward the packet to the appropriate organization. This is similar to
routing we can find in a postal network. All packages coming from outside a country are sent first to
the capital and then distributed to the corresponding destination.
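An added example (not code from the original notes) serving both the subnet-design steps and Example 18.6: it carves subnets out of a granted block largest-first, so every starting address is divisible by its subnet size, and then summarizes subblocks into the single prefix an ISP would advertise. The parent block 14.24.74.0/24 and the requests 120, 60 and 10 are assumptions chosen to reproduce the 208 used / 48 reserved split stated above; the 203.0.113.x blocks are constructed.

```python
"""Designing subnets inside a granted block and aggregating subblocks back into
one advertised prefix. Added example; the subnet requests and the 203.0.113.x
blocks are constructed, 14.24.74.0/24 is inferred from the notes."""

MASK32 = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def block_bounds(cidr: str) -> tuple:
    """(first, last) addresses of a block in slash notation, as integers."""
    addr_str, n_str = cidr.split("/")
    size = 1 << (32 - int(n_str))
    first = ip_to_int(addr_str) & (MASK32 ^ (size - 1))
    return first, first + size - 1


def design_subnets(block: str, requested: list) -> dict:
    """Carve subnets out of `block` following the three design rules:
    1. each N_sub is rounded up to a power of 2;
    2. n_sub = 32 - log2(N_sub);
    3. larger subnets are assigned first, so every starting address is
       divisible by its own subnet size.
    Returns the subnets in slash notation and the unassigned reserve."""
    if any(r < 1 for r in requested):
        raise ValueError("every subnet must request at least one address")
    base, last = block_bounds(block)
    total = last - base + 1
    sizes = sorted((1 << (r - 1).bit_length() for r in requested), reverse=True)
    if sum(sizes) > total:
        raise ValueError(f"{sum(sizes)} addresses requested, only {total} granted")
    cursor, subnets = base, []
    for size in sizes:
        if cursor % size:                          # cannot happen with largest-first
            raise AssertionError("starting address not divisible by subnet size")
        n_sub = 32 - (size.bit_length() - 1)
        subnets.append((f"{int_to_ip(cursor)}/{n_sub}", size))
        cursor += size
    reserve = None
    if cursor <= last:
        reserve = (int_to_ip(cursor), int_to_ip(last), last - cursor + 1)
    return {"subnets": subnets, "reserve": reserve}


def aggregate(blocks: list) -> str:
    """Smallest single prefix covering every given block (route summarization).
    The summary may also cover addresses between the blocks; the ISP
    advertising it must own those too."""
    bounds = [block_bounds(b) for b in blocks]
    lo, hi = min(f for f, _ in bounds), max(l for _, l in bounds)
    n = 32
    while n > 0 and (lo >> (32 - n)) != (hi >> (32 - n)):
        n -= 1                                     # shorten until lo and hi share the prefix
    first = (lo >> (32 - n)) << (32 - n)
    return f"{int_to_ip(first)}/{n}"


if __name__ == "__main__":
    plan = design_subnets("14.24.74.0/24", [120, 60, 10])
    for cidr, size in plan["subnets"]:
        print(cidr, size)
    print("reserve:", plan["reserve"])                # ('14.24.74.208', '14.24.74.255', 48)
    print(aggregate([c for c, _ in plan["subnets"]]))  # 14.24.74.0/24
```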

Special Addresses

Before finishing the topic of addresses in IPv4, we need to mention five special addresses that are
used for special purposes: this-host address, limited-broadcast address, loopback address, private
addresses, and multicast addresses.

This-host Address

The only address in the block 0.0.0.0/32 is called the this-host address. It is used whenever a host
needs to send an IP datagram but it does not know its own address to use as the source address. We
will see an example of this case in the next section.

Limited-broadcast Address

The only address in the block 255.255.255.255/32 is called the limited-broadcast address. It is used
whenever a router or a host needs to send a datagram to all devices in a network. The routers in the
network, however, block the packet having this address as the destination; the packet cannot travel
outside the network.

Loopback Address

The block 127.0.0.0/8 is called the loopback address. A packet with one of the addresses in this block
as the destination address never leaves the host; it will remain in the host. Any address in the block
is used to test a piece of software in the machine. For example, we can write a client and a server
program in which one of the addresses in the block is used as the server address. We can test the
programs using the same host to see if they work before running them on different computers.

Private Addresses

Four blocks are assigned as private addresses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and
169.254.0.0/16. We will see the applications of these addresses when we discuss NAT later in the
chapter.

Multicast Addresses

The block 224.0.0.0/4 is reserved for multicast addresses. We discuss these addresses later in the
chapter.

Dynamic Host Configuration Protocol (DHCP):

We have seen that a large organization or an ISP can receive a block of addresses directly from
ICANN and a small organization can receive a block of addresses from an ISP. After a block of
addresses is assigned to an organization, the network administration can manually assign
addresses to the individual hosts or routers. However, address assignment in an organization can be
done automatically using the Dynamic Host Configuration Protocol (DHCP). DHCP is an application-
layer program, using the client-server paradigm, that actually helps TCP/IP at the network layer.

DHCP has found such widespread use in the Internet that it is often called a plug-and-play
protocol. It can be used in many situations. A network manager can configure DHCP to assign
permanent IP addresses to the hosts and routers. DHCP can also be configured to provide temporary,
on-demand, IP addresses to hosts. The second capability can provide a temporary IP address to a
traveller to connect her laptop to the Internet while she is staying in the hotel. It also allows an ISP
with 1000 granted addresses to provide services to 4000 households, assuming not more than one-
fourth of customers use the Internet at the same time.

In addition to its IP address, a computer also needs to know the network prefix (or address
mask). Most computers also need two other pieces of information, such as the address of a default
router to be able to communicate with other networks and the address of a name server to be able
to use names instead of addresses, as we will see in Chapter 26. In other words, four pieces of
information are normally needed: the computer address, the prefix, the address of a router, and the
IP address of a name server. DHCP can be used to provide these pieces of information to the host.

DHCP Message Format:

DHCP is a client-server protocol in which the client sends a request message and the server returns a
response message. Before we discuss the operation of DHCP, let us show the general format of the
DHCP message in Figure 18.25. Most of the fields are explained in the figure, but we need to discuss
the option field, which plays a very important role in DHCP.

The 64-byte option field has a dual purpose. It can carry either additional information or some
specific vendor information. The server uses a number, called a magic cookie, in the format of an IP
address with the value of 99.130.83.99. When the client finishes reading the message, it looks for
this magic cookie. If present, the next 60 bytes are options. An option is composed of three fields: a
1-byte tag field, a 1-byte length field, and a variable-length value field. There are several tag fields
that are mostly used by vendors. If the tag field is 53, the value field defines one of the 8 message
types shown in Figure 18.26. We show how these message types are used by DHCP.
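The option field described above, parsed as an added example (not code from the notes): the parser checks for the magic cookie 99.130.83.99, walks the tag/length/value options, and recovers the message type from tag 53, refusing any option whose declared length runs past the field. The numeric values of the eight message types and the pad/end tags 0 and 255 are those of RFC 2132; the sample fields are constructed.

```python
"""Parsing the DHCP option field: find the magic cookie, walk the
tag/length/value options and recover the message type from tag 53.
Added example; sample fields are constructed, tag numbers and the eight
message-type values are those of RFC 2132."""

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # 99.130.83.99 written as four bytes
TAG_PAD, TAG_END = 0, 255                 # one-byte options with no length field
TAG_REQUESTED_IP = 50
TAG_MESSAGE_TYPE = 53
OPTION_FIELD_LEN = 64                     # 4-byte cookie + 60 bytes of options

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_options(option_field: bytes) -> dict:
    """Return {tag: value} for the options after the magic cookie.
    Every declared length is checked against the bytes that remain, so a
    truncated or forged length cannot make the parser read past the field."""
    if option_field[:4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: the field carries no options")
    options, i = {}, 4
    while i < len(option_field):
        tag = option_field[i]
        if tag == TAG_PAD:
            i += 1
            continue
        if tag == TAG_END:
            break
        if i + 1 >= len(option_field):
            raise ValueError(f"tag {tag} is missing its length byte")
        length = option_field[i + 1]
        value = option_field[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag} declares {length} bytes, only {len(value)} remain")
        options[tag] = value
        i += 2 + length
    return options


def is_well_formed(option_field: bytes) -> bool:
    try:
        parse_options(option_field)
        return True
    except ValueError:
        return False


def message_type(option_field: bytes) -> str:
    """Name of the message type carried in tag 53 (exactly one byte, 1..8)."""
    value = parse_options(option_field).get(TAG_MESSAGE_TYPE)
    if value is None or len(value) != 1 or value[0] not in MESSAGE_TYPES:
        raise ValueError("tag 53 absent or not one of the 8 defined message types")
    return MESSAGE_TYPES[value[0]]


def build_option_field(msg_type: int, extra=()) -> bytes:
    """Assemble a 64-byte option field: cookie, tag 53, extra (tag, value)
    options, the end tag, then zero padding (pad options) up to 64 bytes."""
    body = bytes([TAG_MESSAGE_TYPE, 1, msg_type])
    for tag, value in extra:
        body += bytes([tag, len(value)]) + bytes(value)
    body += bytes([TAG_END])
    if len(body) > OPTION_FIELD_LEN - 4:
        raise ValueError("options do not fit in the 60 bytes after the cookie")
    return MAGIC_COOKIE + body.ljust(OPTION_FIELD_LEN - 4, b"\x00")


# Constructed sample: a DHCPDISCOVER that also asks for a particular address.
SAMPLE_DISCOVER = build_option_field(1, [(TAG_REQUESTED_IP, [192, 168, 1, 20])])
# Constructed malformed sample: tag 53 claims 10 value bytes but only 1 follows.
SAMPLE_TRUNCATED = MAGIC_COOKIE + bytes([TAG_MESSAGE_TYPE, 10, 1])
```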

1. The joining host creates a DHCPDISCOVER message in which only the transactionID
field is set to a random number. No other field can be set because the host has no
knowledge with which to do so. This message is encapsulated in a UDP user
datagram with the source port set to 68 and the destination port set to 67. We will
discuss the reason for using two well-known port numbers later. The user datagram
is encapsulated in an IP datagram with the source address set to 0.0.0.0 (“this host”)
and the destination address set to 255.255.255.255 (broadcast address). The reason
is that the joining host knows neither its own address nor the server address.
2. The DHCP server or servers (if more than one) responds with a DHCPOFFER message
in which the your address field defines the offered IP address for the joining host and
the server address field includes the IP address of the server. The message also
includes the lease time for which the host can keep the IP address. This message is
encapsulated in a user datagram with the same port numbers, but in the reverse
order. The user datagram in turn is encapsulated in a datagram with the server
address as the source IP address, but the destination address is a broadcast address,
in which the server allows other DHCP servers to receive the offer and give a better
offer if they can.
3. The joining host receives one or more offers and selects the best of them. The
joining host then sends a DHCPREQUEST message to the server that has given the
best offer. The fields with known value are set. The message is encapsulated in a
user datagram with port numbers as the first message. The user datagram is
encapsulated in an IP datagram with the source address set to the new client
address, but the destination address still is set to the broadcast address to let the
other servers know that their offer was not accepted.
4. Finally, the selected server responds with a DHCPACK message to the client if the
offered IP address is valid. If the server cannot keep its offer (for example, if the
address is offered to another host in between), the server sends a DHCPNACK
message and the client needs to repeat the process. This message is also broadcast
to let other servers know that the request is accepted or rejected.

Two Well-Known Ports:

We said that DHCP uses two well-known ports (68 and 67) instead of one well-
known and one ephemeral. The reason for choosing the well-known port 68 instead
of an ephemeral port for the client is that the response from the server to the client
is broadcast. Remember that an IP datagram with the limited-broadcast address as its
destination is delivered to every host on the network. Now assume that a DHCP client and a
DAYTIME client, for example, are both waiting to receive a response from their
corresponding server and both have accidentally used the same temporary port
number (56017, for example). Both hosts receive the response message from the
DHCP server and deliver the message to their clients. The DHCP client processes the
message; the DAYTIME client is totally confused with a strange message received.
Using a well-known port number prevents this problem from happening. The
response message from the DHCP server is not delivered to the DAYTIME client,
which is running on the port number 56017, not 68. The temporary port numbers
are selected from a different range than the well-known port numbers.
The curious reader may ask what happens if two DHCP clients are running at
the same time. This can happen after a power failure and power restoration. In this
case the messages can be distinguished by the value of the transaction ID, which
separates each response from the other.

Using FTP

The server does not send all of the information that a client may need for joining the
network. In the DHCPACK message, the server defines the pathname of a file in
which the client can find complete information such as the address of the DNS
server. The client can then use a file transfer protocol to obtain the rest of the
needed information.

Error Control

DHCP uses the service of UDP, which is not reliable. To provide error control, DHCP
uses two strategies. First, DHCP requires that UDP use the checksum. As we will see
in Chapter 24, the use of the checksum in UDP is optional. Second, the DHCP client
uses timers and a retransmission policy if it does not receive the DHCP reply to a
request. However, to prevent a traffic jam when several hosts need to retransmit a
request (for example, after a power failure), DHCP forces the client to use a random
number to set its timers.

Transition States:

The previous scenarios we discussed for the operation of the DHCP were very simple.
To provide dynamic address allocation, the DHCP client acts as a state machine that
performs transitions from one state to another depending on the messages it
receives or sends. Figure 18.28 shows the transition diagram with the main states.

When the DHCP client first starts, it is in the INIT state (initializing state). The client
broadcasts a discover message. When it receives an offer, the client goes to the SELECTING
state. While it is there, it may receive more offers. After it selects an offer, it sends a request
message and goes to the REQUESTING state. If an ACK arrives while the client is in this state,
it goes to the BOUND state and uses the IP address. When the lease is 50 percent expired,
the client tries to renew it by moving to the RENEWING state. If the server renews the lease,
the client moves to the BOUND state again. If the lease is not renewed and the lease time is
75 percent expired, the client moves to the REBINDING state. If the server agrees with the
lease (ACK message arrives), the client moves to the BOUND state and continues using the
IP address; otherwise, the client moves to the INIT state and requests another IP address.
Note that the client can use the IP address only when it is in the BOUND, RENEWING, or
REBINDING state. The above procedure requires that the client use three timers: a renewal
timer (set to 50 percent of the lease time), a rebinding timer (set to 75 percent of the lease
time), and an expiration timer (set to the lease time).

Network Address Translation (NAT)

The distribution of addresses through ISPs has created a new problem. Assume that an ISP
has granted a small range of addresses to a small business or a household. If the business
grows or the household needs a larger range, the ISP may not be able to grant the demand
because the addresses before and after the range may have already been allocated to other
networks. In most situations, however, only a portion of computers in a small network need
access to the Internet simultaneously. This means that the number of allocated addresses
does not have to match the number of computers in the network. For example, assume that
in a small business with 20 computers the maximum number of computers that access the
Internet simultaneously is only 4. Most of the computers are either doing some task that
does not need Internet access or communicating with each other. This small business can
use the TCP/IP protocol for both internal and universal communication. The business can
use 20 (or 25) addresses from the private block addresses (discussed before) for internal
communication; five addresses for universal communication can be assigned by the ISP.

A technology that can provide the mapping between the private and universal
addresses, and at the same time support virtual private networks, which we discuss in
Chapter 32, is Network Address Translation (NAT). The technology allows a site to use a set
of private addresses for internal communication and a set of global Internet addresses (at
least one) for communication with the rest of the world. The site must have only one
connection to the global Internet through a NAT-capable router that runs NAT software.
Figure 18.29 shows a simple implementation of NAT.

As the figure shows, the private network uses private addresses. The router that connects
the network to the global Internet uses one private address and one global address. The
private network is invisible to the rest of the Internet; the rest of the Internet sees only the
NAT router with the address 200.24.5.8.

Address Translation

All of the outgoing packets go through the NAT router, which replaces the source address in
the packet with the global NAT address. All incoming packets also pass through the NAT
router, which replaces the destination address in the packet (the NAT router global address)
with the appropriate private address. Figure 18.30 shows an example of address translation.

Translation Table

The reader may have noticed that translating the source addresses for an outgoing packet is
straightforward. But how does the NAT router know the destination address for a packet
coming from the Internet? There may be tens or hundreds of private IP addresses, each
belonging to one specific host. The problem is solved if the NAT router has a translation
table.

Using One IP Address

In its simplest form, a translation table has only two columns: the private address and the
external address (destination address of the packet). When the router translates the source
address of the outgoing packet, it also makes note of the destination address— where the
packet is going. When the response comes back from the destination, the router uses the
source address of the packet (as the external address) to find the private address of the
packet. Figure 18.31 shows the idea.

In this strategy, communication must always be initiated from inside the private network:
an incoming packet whose source address matches no entry in the translation table cannot
be mapped to a private host and is discarded. This is the only sense in which the private
hosts are invisible; NAT hides addresses, it is not an access-control policy.

As we will see, NAT is used mostly by ISPs that assign a single address to a customer. The
customer, however, may be a member of a private network that has many private
addresses. In this case, communication with the Internet is always initiated from the
customer site, using a client program such as HTTP, TELNET, or FTP to access the
corresponding server program. For example, when e-mail that originates from outside the
network site is received by the ISP e-mail server, it is stored in the mailbox of the customer
until retrieved with a protocol such as POP.

Using a Pool of IP Addresses

The use of only one global address by the NAT router allows only one private-network host
to access a given external host. To remove this restriction, the NAT router can use a pool of
global addresses. For example, instead of using only one global address (200.24.5.8), the
NAT router can use four addresses (200.24.5.8, 200.24.5.9, 200.24.5.10, and 200.24.5.11). In
this case, four private-network hosts can communicate with the same external host at the
same time because each pair of addresses defines a separate connection. However, there
are still some drawbacks. No more than four connections can be made to the same
destination. No private-network host can access two external server programs (e.g., HTTP
and TELNET) at the same time. And, likewise, two private-network hosts cannot access the
same external server program (e.g., HTTP or TELNET) at the same time.

Using Both IP Addresses and Port Addresses

To allow a many-to-many relationship between private-network hosts and external server
programs, we need more information in the translation table. For example, suppose two
hosts inside a private network with addresses 172.18.3.1 and 172.18.3.2 need to access the
HTTP server on external host 25.8.3.2. If the translation table has five columns, instead of
two, that include the source and destination port addresses and the transport-layer
protocol, the ambiguity is eliminated. Table 18.1 shows an example of such a table.

Note that when the response from HTTP comes back, the combination of source address
(25.8.3.2) and destination port address (1401) defines the private network host to which the
response should be directed. Note also that for this translation to work, the ephemeral port
addresses (1400 and 1401) must be unique across the whole private network. Two hosts may
independently choose the same ephemeral port, so in practice the NAT router guarantees
uniqueness by rewriting the source port as well as the source address (the NAPT scheme of
RFC 3022) and records the port it chose in the table.
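The three table designs above (one address, a pool of addresses, and addresses plus ports) are easiest to compare by implementing the last one, which is what NAT routers actually do. The following Python is an added example and not the textbook's table or figure: a small NAPT simulation that keeps the five columns of Table 18.1 together with the source port the router puts on the wire. It goes one step beyond the text by rewriting the source port when two private hosts choose the same ephemeral port, and it shows why a packet with no matching entry, such as an unsolicited connection attempt, is dropped. The addresses 172.18.3.1, 172.18.3.2, 25.8.3.2 and 200.24.5.8 are the text's; the external scanner at 203.0.113.7 and all packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GLOBAL_ADDR = "200.24.5.8"   # the NAT router's single global address (from the text)


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


class NaptRouter:
    def __init__(self, global_addr: str = GLOBAL_ADDR, first_port: int = 1024):
        self.global_addr = global_addr
        self.next_port = first_port      # pool of ports the router hands out on collision
        # Outbound key: (proto, private addr, private port, external addr, external port)
        # -> translated source port. These are the five columns of Table 18.1.
        self.out_table: Dict[Tuple, int] = {}
        # Inbound key: (proto, translated port, external addr, external port)
        # -> (private addr, private port). Used to demultiplex replies.
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}
        self.dropped = []

    def _alloc_port(self, pkt: Packet) -> int:
        # Keep the host's own ephemeral port when it is still unique for this destination
        # (port preservation); otherwise take the next free port from the router's pool.
        candidate = pkt.sport
        while (pkt.proto, candidate, pkt.dst, pkt.dport) in self.in_table:
            candidate = self.next_port
            self.next_port += 1
        return candidate

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network; create a table entry if new."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            port = self._alloc_port(pkt)
            self.out_table[key] = port
            self.in_table[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        port = self.out_table[key]
        return Packet(pkt.proto, self.global_addr, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or drop it if unsolicited."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        entry = self.in_table.get(key)
        if entry is None or pkt.dst != self.global_addr:
            self.dropped.append(pkt)          # no private host initiated this exchange
            return None
        priv_addr, priv_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, priv_addr, priv_port)


def demo():
    nat = NaptRouter()
    # Constructed scenario: both private hosts happen to pick ephemeral port 1400
    # toward the same HTTP server, the collision the text's uniqueness rule warns about.
    a = nat.outbound(Packet("TCP", "172.18.3.1", 1400, "25.8.3.2", 80))
    b = nat.outbound(Packet("TCP", "172.18.3.2", 1400, "25.8.3.2", 80))
    # The server's replies are told apart by (source addr, source port, destination port).
    ra = nat.inbound(Packet("TCP", "25.8.3.2", 80, GLOBAL_ADDR, a.sport))
    rb = nat.inbound(Packet("TCP", "25.8.3.2", 80, GLOBAL_ADDR, b.sport))
    # Constructed unsolicited SSH attempt from outside: no table entry, so it is dropped.
    scan = nat.inbound(Packet("TCP", "203.0.113.7", 44444, GLOBAL_ADDR, 22))
    return a, b, ra, rb, scan


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running `demo()` shows the first host keeping port 1400 on the wire while the second is rewritten to 1024, both replies returning to the right private host and port, and the scanner's packet returning `None`.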
