Packet Routing and Delivery

Although some network connections are point-to-point links between two hosts, most network connections involve more than two hosts, often connected through a hub, switch, router, or other hardware. This means that each host can potentially receive packets intended for other hosts on the network. Thus, each host must be able to recognize whether it is the intended recipient so that it does not incorrectly act upon someone else’s packet.

To support this, each packet contains the link-layer address of its intended recipient. When the host receives a packet intended for another host, it ignores it. In many systems, this filtering is performed in hardware, so that the operating system does not need to concern itself with other hosts’ traffic.

Because of this design, when two hosts need to communicate across a local physical network, the sending host needs to know the link-layer address of the receiving host before it can start sending packets. To provide that information, the hardware-specific portions of the operating system use various means to convert between a logical address (such as an IP address) and a physical address (such as an Ethernet MAC address). The mechanism for performing this conversion depends on the type of network:

When two hosts need to communicate across a larger distance, however, these protocols are not sufficient for two reasons:

Thus, ARP packets are limited to a physical local area network, and the Internet uses routing to determine how to send packets to distant machines. More specifically, a router is a type of infrastructure device that knows how to send data from one range of IP addresses to another range.

Similarly, when a link is severed (whether because of an intentional change or because a backhoe inadvertently severed a fiber bundle while digging for a new sewer main), the routers on either end can detect the problem and reroute packets transparently through a different link. This design allows the Internet as a whole to be dynamically reconfigurable and robust against hardware failures.

Because the network topology is complex and regularly changing, networking performance is also complex and regularly changing. For example, if you have a laptop connected to a Wi-Fi router, and two desktop computers connected by Ethernet, communication between the two desktop computers is faster than communication between the laptop and the desktop computers. Both local connections are probably faster than the connection to any site on the public Internet. And the speed at which you communicate with one site can be much faster or slower than another site simply because the connection passes through different routers, cables, and so on.

The details of routing differ depending on whether you are using IPv4 or IPv6.

IPv4 Routing

An IPv4 address consists of a 32-bit number, divided into a host part and a network part. The host part uniquely identifies a given host on a given physical network. The network part identifies the network to which the host is connected.

Depending on how a particular block of IP addresses has been divided up by its owner, the network part may be as small as 8 bits, or as large as 30 bits.

For networking to work correctly, each host must know three things: its own IP addresses, the IP address of the destination host, and whether that destination host is on the same network as one of its own addresses. The host uses that information to determine whether to send a packet directly to its destination (if the destination is on the same network) or through a router (if it isn’t).

Most hosts make this decision using a fairly simple algorithm:

To represent how big the network part is, a host uses a netmask. A netmask is a 32-bit value in which a 1 bit indicates that the equivalent bit in an IP address is in the network part, and a 0 bit indicates that the matching bit is in the host part. The netmask is usually written in the same format as an IP address. For example, if you have a 28-bit network part, the netmask is 255.255.255.240. Table 5-1 shows how the IP address for developer.apple.com can be decomposed into a network part and a host part based on an example netmask.

Table 5-1  An IPv4 network address and (example) netmask for developer.apple.com

                         Network Part | Host Part
IP address               17.          | 254.        2.          129
IP address (in binary)   00010001     | 11111110    00000010    10000001
Netmask                  255.         | 0.          0.          0
Netmask (in binary)      11111111     | 00000000    00000000    00000000

Because the network part and host part are always contiguous (in practice), this netmask is often shortened to a single number representing the number of 1 bits in the netmask, which is usually preceded by a slash. Thus, the aforementioned network with a 28-bit network part is sometimes referred to as a /28 network, the example in Table 5-1 is a /8 network, and so on. In theory, you can create a network with any arbitrary combination of zeros and ones in the netmask, but there is no guarantee that all operating systems or network management software will correctly support such a nonstandard configuration.

Given a particular value for the network part, the valid range of IP addresses available for use in the host part is referred to as a subnet or netblock. A subnet might, for example, use 24 bits for the network part, leaving 8 bits for the host part. This gives you a block of 256 IP addresses to work with.

However, not all of those 256 IP addresses are actually available. Within any given subnet, there are three special IP addresses reserved: the broadcast address, the network address, and the router address.
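As an added example (not code from the original page), the following C program carries out the netmask arithmetic this section describes: building a mask from a /N prefix, checking that it is contiguous, deriving the network and broadcast addresses of a subnet, and making the direct-versus-router decision. The host address is the page's 17.254.2.129; the /28 prefix, the peer, remote and router addresses are constructed for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Dotted-quad text -> host-order value; 0 for unparsable text (same as 0.0.0.0). */
uint32_t v4(const char *text) {
    struct in_addr a;
    return inet_pton(AF_INET, text, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* /N -> netmask with the top N bits set, e.g. 28 -> 0xFFFFFFF0 (255.255.255.240).
 * N is clamped to 0..32 because shifting a 32-bit value by 32 is undefined in C. */
uint32_t prefix_to_mask(int prefix) {
    if (prefix <= 0) return 0;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* Leading 1 bits of a mask, i.e. the N in /N. */
int mask_to_prefix(uint32_t mask) {
    int n = 0;
    while (mask & 0x80000000u) { n++; mask <<= 1; }
    return n;
}

/* For a contiguous mask 1...10...0, mask | (mask - 1) is all ones; non-contiguous masks
 * are legal in theory but poorly supported, so a host may want to reject them. */
int mask_is_contiguous(uint32_t mask) { return (mask | (mask - 1u)) == 0xFFFFFFFFu; }

uint32_t network_addr(uint32_t ip, uint32_t mask)   { return ip & mask; }  /* lowest address */
uint32_t broadcast_addr(uint32_t ip, uint32_t mask) { return ip | ~mask; } /* highest address */

/* Block size minus the reserved network and broadcast addresses (the router takes one more). */
uint32_t usable_hosts(uint32_t mask) { uint32_t size = ~mask + 1u; return size >= 2 ? size - 2 : 0; }

/* The host's forwarding decision: equal network parts -> deliver directly, else via router. */
int same_network(uint32_t a, uint32_t b, uint32_t mask) { return (a & mask) == (b & mask); }
uint32_t next_hop(uint32_t me, uint32_t dst, uint32_t mask, uint32_t router) {
    return same_network(me, dst, mask) ? dst : router;
}

int main(void) {
    uint32_t me = v4("17.254.2.129"), mask = prefix_to_mask(28);    /* page's host, on a /28 */
    uint32_t peer = v4("17.254.2.140"), remote = v4("17.254.3.1");  /* constructed destinations */
    uint32_t router = v4("17.254.2.142");                           /* constructed router */
    printf("/%d: network %08x broadcast %08x usable hosts %u\n", mask_to_prefix(mask),
           network_addr(me, mask), broadcast_addr(me, mask), usable_hosts(mask));
    printf("peer via %08x, remote via %08x\n", next_hop(me, peer, mask, router),
           next_hop(me, remote, mask, router));
    return 0;
}
```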

In addition, IPv4 reserves certain addresses for specific uses. The design allows you to recognize specific address types by looking for specific patterns in the high-order bits, as listed below:

Address type                 IPv4 mask                     Description
---------------------------  ----------------------------  ------------------------------------------------------------------------------
Unspecified address          0.0.0.0                       Used to indicate the absence of an address. May not be assigned to any host.
Loopback address             127.0.0.1                     An address that allows a host to connect back to itself (localhost).
Multicast address            224.0.0.0/4                   An address used to send packets to any interested party.
Link-local unicast address   169.254.0.0/16                An address that should never be routed.
Site-local unicast address   10.0.0.0/8, 172.16.0.0/12,    An address that should be routed only within the customer site.
                             192.168.0.0/16

IPv6 Routing

An IPv6 address is divided into the following parts:

Table 5-2  The structure of an IPv6 address

Network part                                    | Host part
Global routing prefix     Subnet ID             | Interface ID
n bits                    64-n bits             | 64 bits

In concept, IPv6 routing is similar to IPv4 routing. However, there are no reserved broadcast or network addresses. Instead, a special link-local “all nodes” multicast group (ff02::1) provides similar functionality. Similarly, there are no variably-sized subnets; the per-interface portion is always 64 bits.

IPv6 reserves certain addresses for specific uses. The design allows you to recognize specific address types by looking for specific patterns in the high-order bits, as listed below:

Address type                 IPv6 mask   Mask bit pattern       Description
---------------------------  ----------  ---------------------  ------------------------------------------------------------------------------
Unspecified address          ::/128      00000000....00000000   Used to indicate the absence of an address. May not be assigned to any host.
Loopback address             ::1/128     00000000....00000001   An address that allows a host to connect back to itself (localhost).
Multicast address            FF00::/8    11111111               An address used to send packets to any interested party.
Link-local unicast address   FE80::/10   11111110 10            An address that should never be routed.
Site-local unicast address   FEC0::/10   11111110 11            An address that should be routed only within the customer site.

All other address patterns are assumed to be globally routable unicast addresses.
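As an added example that is not part of the original page, the C code below classifies an IPv6 address by the high-order bit patterns in the table above (parsing with inet_pton from the POSIX socket API) and splits an address into the 64-bit network and interface halves of Table 5-2. The function names, the row order and the "global unicast" label for everything unmatched are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* True if the first plen bits of addr equal those of prefix.  Whole bytes go through
 * memcmp; a partial mask handles prefixes that are not byte aligned, such as
 * FE80::/10 (1111 1110 10) and FEC0::/10 (1111 1110 11). */
static int in_prefix(const unsigned char addr[16], const unsigned char prefix[16], int plen) {
    int full = plen / 8, rem = plen % 8;
    if (memcmp(addr, prefix, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    unsigned char m = (unsigned char)(0xFFu << (8 - rem));
    return (addr[full] & m) == (prefix[full] & m);
}

/* Classify an address by the high-order bit patterns in the table above; whatever matches
 * no row is assumed to be globally routable unicast.  NULL = not a valid IPv6 address. */
const char *ipv6_address_type(const char *text) {
    static const struct { const char *prefix; int plen; const char *name; } rows[] = {
        { "::",     128, "unspecified" },
        { "::1",    128, "loopback" },
        { "ff00::",   8, "multicast" },
        { "fe80::",  10, "link-local unicast" },
        { "fec0::",  10, "site-local unicast" },
    };
    struct in6_addr a, p;
    if (inet_pton(AF_INET6, text, &a) != 1) return NULL;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        inet_pton(AF_INET6, rows[i].prefix, &p);
        if (in_prefix(a.s6_addr, p.s6_addr, rows[i].plen)) return rows[i].name;
    }
    return "global unicast";
}

/* Table 5-2 split: high 64 bits = global routing prefix + subnet ID, low 64 bits =
 * interface ID (always 64 bits in IPv6, unlike IPv4's variable host part).  0 if unparsable. */
static uint64_t half(const char *text, int offset) {
    struct in6_addr a;
    uint64_t v = 0;
    if (inet_pton(AF_INET6, text, &a) != 1) return 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | a.s6_addr[offset + i];
    return v;
}
uint64_t ipv6_network_part(const char *text) { return half(text, 0); }
uint64_t ipv6_interface_id(const char *text) { return half(text, 8); }
```

Calling ipv6_address_type("ff02::1") returns "multicast", which is how the link-local "all nodes" group mentioned earlier is recognised.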

Firewalls and Network Address Translation

Most routers are configured to be as transparent as possible from the perspective of hosts on either side. Routers that are not transparent are called firewalls.

A firewall is any router that inspects traffic, modifies traffic, or blocks specific subsets of traffic that flows through it. Like a physical firewall (a fireproof wall that prevents fire from spreading from one part of a building to another), network firewalls are commonly used as edge routers to improve the security of corporate or home networks by limiting the ways that an outside attacker can interact with that network.

Firewalls are commonly used to:

Network address translation deserves further explanation. NAT is most commonly used to make traffic from every machine on one side of a firewall appear to have originated from a different IP address. It can serve different purposes depending on how it is configured:

Some masquerading firewalls also support protocols that let applications running on hosts inside the firewall request temporary destination NAT rules so that outside hosts can temporarily reach them. The two most common protocols for supporting this are the network address translation port mapping protocol (NAT-PMP) and the internet gateway device (IGD) standardized device control protocol (part of the Universal Plug And Play standard, or UPnP).

In OS X and iOS, Bonjour provides built-in support for creating port mappings through firewalls that support NAT-PMP or UPnP. Services advertised using wide-area Bonjour are automatically mapped. For services advertised in other ways, you can call DNSServiceNATPortMappingCreate to create the mapping, and DNSServiceRefDeallocate to destroy the mapping. These mappings are also torn down automatically when the process that created the mappings exits.