Cybersecurity Essentials

Networking

202: IP and Routing

Version 1.0

Welcome. 202: IP and Routing is the third in a series of courses that explain how networks
operate and some of the cybersecurity issues they exhibit.

Sophos Cybersecurity Essentials

Networking

February 2020
Version: 1.0

© 2019 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names,
logos and marks mentioned in this document may be the trademarks or registered
trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes
no warranties, conditions or representations (whether express or implied) as to its
completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered

office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Networking 202: IP and Routing - Page 1

 About This Course
This course is designed for technical professionals who want to understand
IPv4 addresses and the way they are used to route packets. It also provides
an overview of IPv6

Course Duration This course will take around 60 minutes to complete

This course is designed for technical professionals who want to understand IPv4 addresses
and the way these are used to route packets. It also provides an overview of IPv6.

Networking 202: IP and Routing - Page 2

 Assumed Knowledge
This course assumes knowledge of the content included in other parts of the series
There is no requirement to complete all courses but if you are unfamiliar with any of
the terms and concepts used during this training we recommend:

101 Getting Started with Networking

201 TCP/IP Networking Model

This course assumes knowledge of the content included in other parts of the series. There is
no requirement to complete all courses but if you unfamiliar with any of the terms and
concepts used during this training, we recommend one or more of the courses shown.

Networking 202: IP and Routing - Page 3

 Activities

Activities are suggested throughout the course that allow you to try the
techniques described

Use the Download Activity button to open instructions for a single activity

Open a PDF with all activities from the RESOURCES menu

Activities later in the course may depend on steps completed earlier

Activities are suggested throughout the course that allow you to try the techniques
described. You can complete these during the course or at a later time.

Each activity slide will include a button that opens a PDF containing instructions for that
activity. Instructions for all activities can be opened by selecting the file from the
RESOURCES menu. Instructions are also included at the back of the Student Handout.

Activities later in the course may rely on the completion of earlier activities.

Networking 202: IP and Routing - Page 4

 Course Agenda

Introduction to IP IP Addresses

IP Routing Obtaining an IP Address

Subnetting IPv6

Finished? Click here to continue

IP addresses allow data to be passed between devices on the same network and routed
between different networks.

In this course you will learn the structure of IP address, how they are assigned and how they
are used when routing data. You will also learn about some of the ways that IP networks can
be exploited and security risks this can present.

Networking 202: IP and Routing - Page 5

Introduction to IP

Introduction to IP

Networking 202: IP and Routing - Page 7

 Introduction to IP (Internet Protocol)
Introduction to IP

Internet

If you completed earlier courses in this series then you will have learned that IP networks
support communication between a variety of devices on private networks and the Internet.

This course will explain how devices use IP (Internet Protocol) to communicate with others
on the same network and on remote networks.

Networking 202: IP and Routing - Page 8

 The TCP/IP Protocol Suite

HTTP SMTP SSH DNS RIP DHCP

Application
80 25 22 53 520 67/68
Introduction to IP

Transport TCP UDP

ICMP
Network IP
ARP
Data Link Network Hardware Devices
Physical and Software Drivers

IP is found at the Network Layer of the TCP/IP model. The network layer is responsible for
delivering data across one or more networks. In order to make successful delivery possible,
it must add network addressing information. Therefore, it adds both a Source and a
Destination IP address to the data to form a structure called a Packet. The Destination IP
addresses in the packet are used by the source host and any intermediate hosts, known as
routers, to assist in selecting the most appropriate route to the final destination.

Networking 202: IP and Routing - Page 9

 Internet Protocol (IP)

Two forms of IP are in use:

• IP version 4 (IPv4)
• IP version 6 (IPv6)
Introduction to IP

• IPv4 was the first version

• Deployed in 1983, it still routes most network traffic today

• IPv6, the second version of IP, was deployed in 2012

• It is used extensively on the Internet backbone

There are currently two forms of IP in use which are known as IP version 4 (IPv4) and IP
version 6 (IPv6).

IPv4 was the first version deployed for use in 1983, whilst IPv6 was released much more
recently in 2012 on “World IPv6 Day”.

Despite the numerous advantages of IPv6, which include reduced processing overhead,
more efficient routing, and built-in security, it still doesn’t account for the majority of traffic
on the Internet. However, because of the advantages, Internet Service Providers (ISPs) make
extensive use of it on the Internet backbone.

In the majority of this course we will focus mainly on IPv4 because of its prevalence.
However, you still need an understanding of IPv6 so we have included a section at the end of
the course which examines it in detail.

Networking 202: IP and Routing - Page 10

 Terminology

IP Address
Subnet Mask
Introduction to IP

Network ID
Host ID
Default Gateway

There are many technical-sounding terms which must be understood in order to successfully
implement and manage a TCP/IP network.

We’ll now provide a basic definition of each of these terms.

Networking 202: IP and Routing - Page 11

 IP Addresses

IP Addresses are unique numerical labels assigned to devices on an IP

network
Introduction to IP

• IPv4 addresses use 4 numbers between 0 and 255

• For example 192.168.1.200 and 4.2.2.2

• IPv6 addresses use 32 hexadecimal numbers between 0 and f

• For example 2001:0db8:85a3:0000:0000:8a2e:0370:7334

IP Addresses are unique numerical labels assigned to devices connected to an IP network.

IPv4 addresses use 4 decimal numbers between 0 and 255. Examples of IPv4 addresses are
192.168.1.200 and 4.2.2.2

IPv6 addresses use hexadecimal number. This is base 16 and numbers are 0-9 followed by a-
f. An example of an IPv6 address is 2001:0db8:85a3:0000:0000:8a2e:0370:7334

This course focuses mainly on IPv4.

Networking 202: IP and Routing - Page 12

 Subnet Mask

The subnet mask identifies which part of the IP address is the network
ID and which is the host ID
Introduction to IP

Typically the subnet mask includes the numbers 255 and 0

IP Address 192 168 1 150

Subnet Mask 255 255 255 0

Each IP Address is formed from two different components known as the Network ID and the
Host ID. The two separate components can be determined by applying a Subnet Mask. The
subnet mask hides the network part of a system's IP address and leaves only the host part as
the machine identifier.

Typical Subnet Masks contain a series of one or more 255s followed by one or more 0s.

Networking 202: IP and Routing - Page 13

 Network and Host IDs

Numbers corresponding with

• 255 are network
• 0 are host
Introduction to IP

In the example:
• Network ID is 192.168.1.0
• Host ID is 150

IP Address 192 168 1 150

Subnet Mask 255 255 255 0
Network ID 192 168 1 0
Host ID 0 0 0 150

The Network ID is the portion of a host’s IP address that identifies the IP network on which
the host resides. The parts of the IP Address above a 255 belong to the Network ID and the
remainder belong to the Host ID. Other devices on the same network will have the same
Network ID.

The Host ID is the portion of a host’s IP address that uniquely identifies that host on their IP
network.

Networking 202: IP and Routing - Page 14

 Default Gateway
Network 1 Network 2

PC-A PC-B
IP-A IP-B
Introduction to IP

Switch 1 Switch 2

IP-R1 IP-R2
Router
(Default Gateway)

Non-Windows operating systems may use a different name

such as Router, Default Route and Gateway

The Default Gateway is the IP Address of a host on the network responsible for forwarding
traffic to other networks.

Gateway is another term for a router and it is the router which makes communication with
remote networks possible. On Windows computers, it is known as a Default Gateway
because each host wishing to communicate remotely will, by default, forward the message
to this device. Sometimes the default will not be used because an alternative gateway exists
for that specific destination.

Non-Windows operating systems, such as Linux and Mac OS X, may use a different name
such as Router, Default Route and Gateway.

Networking 202: IP and Routing - Page 15

Knowledge Check

Match the definition to the term

The portion of an IP address that is shared with other hosts

IP Address Subnet Mask Default Gateway

Network ID Host ID

Submit

Networking 202: IP and Routing - Page 16

Knowledge Check

Match the definition to the term

The portion of an IP address that is unique on the network

IP Address Subnet Mask Default Gateway

Network ID Host ID

Submit

Networking 202: IP and Routing - Page 17

Knowledge Check

Match the definition to the term

A router responsible for forwarding traffic between different networks

IP Address Subnet Mask Default Gateway

Network ID Host ID

Submit

Networking 202: IP and Routing - Page 18

 Internet Protocol Addresses
IP Addresses

(IP Addresses)

Networking 202: IP and Routing - Page 19

 Internet Protocol Version 4 (IPv4)

IPv4 is the most widely used version of IP on local area networks (LANs)

IPv4 addresses are 32-bits long

IP Addresses

For example: 11000000101010000000000101100101

Dotted-decimal notation is used for ease of use

The example 32-bit address in dotted-decimal is 192.168.1.101

As described earlier, although Internet Protocol Version 4 (IPv4) is not the latest version of
IP, it is still the most widely used on local area networks (LANs) and is typically just referred
to as IP.

Computers work in binary and IPv4 uses addresses which are 32 binary digits or bits long,
such as the example shown.

This is the actual format of an IPv4 address which would be found in an IP Packet and
processed by a computer.

However, whilst computers are designed to recognise and manipulate bits, humans are not.
Therefore, in order to make IP addresses easier for humans to work with, they are
commonly displayed in what is known as “dotted-decimal notation”. The 32-bit address
above is converted to 192.168.1.101.

I’m sure you’ll agree, the dotted-decimal format is significantly easier to remember than the
native binary.

Networking 202: IP and Routing - Page 20

 Dotted-Decimal Notation
A 32-bit IP address:
11000000101010000000000101100101

The 32-bits are divided into 4 x 8-bit Octets and separated by spaces:
IP Addresses

11000000 10101000 00000001 01100101

Each 8-bit octet is converted into decimal and separated by dots:

192.168.1.101

Each decimal number ranges from 0 to 255

i.e. from 00000000 to 11111111

Let’s see how this conversion is achieved.

An IP address is converted to dotted-decimal notation in 2 simple steps:

1. Firstly, the 32-bit long address is divided into four groups of 8-bits which are separated
by spaces. Each 8-bit portion is known as an Octet.
2. Secondly, each 8-bit long octet is converted into a decimal number and separated by a
dot. Each decimal number will always have a value ranging from 0 to 255. This is because
these are the minimum and maximum values possible using 8-bits, from all 0s to all 1s.

Networking 202: IP and Routing - Page 21

 Binary to Decimal Conversion

192 168 1 101

IP Addresses

128 64 32 16 8 4 2 1
1 1 0 0 0 0 0 0 =192
1 0 1 0 1 0 0 0 =168
0 0 0 0 0 0 0 1 =1
0 1 1 0 0 1 0 1 =101

Here you can see in more detail how the conversion works. Each of the 8 digits has the value
shown in the blue line of the table and if all digits were ‘1’ the decimal value would be 255 –
this is the sum of 128+64+32+16+8+4+2+1.

The Programmer mode, selected from the Windows Calculator menu, provides an easy way
to find out the binary equivalent of a number.

If you’d like to review a tutorial on binary to decimal conversion look at the following URL:
https://www.wikihow.com/Convert-from-Binary-to-Decimal

Networking 202: IP and Routing - Page 22

 Subnet Masks in Binary

The subnet mask is also binary

IP Addresses

255.255.255.0 is 11111111 11111111 1111111 00000000

This is often shown as /24

255.255.0.0 is 11111111 11111111 00000000 00000000

This is often shown as /16

The subnet mask is also binary:

For example:
• 255.255.255.0 is three octets that are all ones, followed by the last which is all zeros. This
is often shown as /24 to indicate the number of bits used
• 255.255.0.0 is two octets that are all ones, followed by two that are all zeros. This is often
shown as /16

Networking 202: IP and Routing - Page 23

 IPv4 Packet Structure
IP Addresses

This slide shows a Wireshark packet capture of an Hypertext Transfer Protocol (HTTP) web
request. As HTTP is part of the TCP/IP suite of protocols, it requires the IP protocol to move
the request from source to destination host.

In the top pane, the IP packet has been highlighted. Wireshark has translated the packet
from the native binary to a human-friendly format to assist analysis. It can be seen that the
IP packet has a number of fields which contain information about it. These fields include the
Version; the Protocol field, which shows the content of the packet; and the Source and
Destination IP addresses of the packet.

The bottom pane has been configured to show the native binary to show what a computer
on an IP network must process to successfully transfer data.

Because the Destination IP address has been selected in the top pane, the bottom frame
highlights the binary form of the destination address.

Networking 202: IP and Routing - Page 24

 Knowledge Check

Which of the dotted decimal IP addresses is the correct conversion for IP shown below?
01101000 01001000 10101010 00110111
(If required, use the calculator on your computer in Programmer mode)

192.172.55.170 128.170.70.24 104.72.170.55

124.72.100.55 169.254.155.70

Submit

Networking 202: IP and Routing - Page 25

 Public and Private IP Addresses

Public IP Addresses Private IP Addresses

o Purchased for devices and o Free for use by any organization

IP Addresses

hosts that connect directly o Addresses beginning

to the Internet o 10.x.x.x
o Must be globally unique o 172.16.x.x-172.31.x.x
o 192.168.x.x
o Routable on the Internet
o Not globally unique
o Must be translated to a public
IP address for Internet access

In our Networking 101 course, we explained that IP addresses fall into two categories: public
and private.

Public IP addresses must be purchased for devices and hosts that connect directly to the
Internet. They must be globally unique and allow messages to be routed on the Internet.

Private IP addresses are free for use by any organization. They use reserved addresses which
begin with the octets shown. The same addresses will be used simultaneously by many
different entities, so they are not globally unique.

Private IP addresses must be translated to a public IP address for access to the Internet.
Network Address Translation (NAT) will be covered later in this course.

Networking 202: IP and Routing - Page 26

Knowledge Check

Which 3 of these are private IP addresses?

192.168.1.150 172.168.7.150 10.0.0.1

4.2.2.2 172.16.255.254

Submit

Networking 202: IP and Routing - Page 27

 Reserved IP Addresses and Networks

1 Loopback Address (127.x.x.x)

2 Global Broadcast Address (255.255.255.255)

IP Addresses

3 Local Network Address (0.0.0.0)

4 Network Broadcast Address

5 Multicast Address (244.x.x.x)

As well as reserving ranges for private IP address, the designers of TCP/IP also reserved
several special IP addresses and networks. We’ll examine these addresses in more detail in
the next few slides.

Networking 202: IP and Routing - Page 28

 Loopback Address

A special address used to test the TCP/IP network stack on a device

Most commonly 127.0.0.1 is used

IP Addresses

Is often mapped to the hostname of the device, localhost or loopback

Test the network stack using the command ping 127.0.0.1

The first of these special addresses is known as the Loopback address.

The loopback interface is a virtual network interface implemented in the TCP/IP network
stack. This virtual interface can be used by network applications when they are
communicating with each other on the same machine. It is implemented entirely within the
operating system's networking software, which is known as the “network stack”. It doesn’t
pass any packets to the network interface for transmission but rather it is looped back up
the network stack.

Typically, the address used is 127.0.0.1, however, the entire 127 address range is reserved
for this purpose.

The main use of the loopback address is to test the TCP/IP network stack whilst excluding
the network interface hardware, driver and configuration from the test. A common way to
test the network stack would be to use the ping command as follows:

ping 127.0.0.1

A reply would prove that the network stack is working correctly.

Commonly these loopback addresses are mapped to the hostname of the device, localhost
or loopback.

Networking 202: IP and Routing - Page 29

 Broadcast Address

A special address used to send packets to all devices on the local

network
IP Addresses

Two types of broadcast address:

1. Global broadcast address 255.255.255.255
2. Network broadcast address depends on the network ID
• Example 1: Network ID 192.168.1.0 is 192.168.1.255
• Example 2: Network ID 192.168.0.0 is 192.168.255.255

Broadcasts are not generally forwarded by routers

The next of these special addresses is the broadcast address. An IP packet transmitted to the
broadcast address will be received by all the devices connected to the local network.

A high number of broadcasts should be avoided as this can slow the network. However,
sometimes broadcasting is unavoidable. For example, if the destination address of the target
device is unknown then using a broadcast is the only way to guarantee that the target
receives the message.

There are two different forms of broadcast address:

The global broadcast address of 255.255.255.255 is typically used in circumstances where

the source device does not know its own Network ID. For example, this address is used to
send the DHCP Server Discovery message, discussed later in this course, when the source
device does not yet have any IP configuration.

The network broadcast address is used when the Network ID of the source device is known.
On a host with multiple interfaces on different networks, this type of broadcast address has
the advantage of only using a specific interface based on the Network ID.

As an example, if network ID is 192.168.1.0 then the broadcast address will be

192.168.1.255. However, if the network ID is 192.168.0.0 the broadcast address will be
192.168.255.255.

Generally, broadcasts are not forwarded by routers to other networks.

Regardless of the broadcast type, both these broadcast addresses are mapped to the data
link layer broadcast address. In the case of Ethernet, they are mapped to a destination MAC

Networking 202: IP and Routing - Page 30

address of FF:FF:FF:FF:FF:FF.

Networking 202: IP and Routing - Page 30

 Local Network and Multicast Addresses

The Local Network address 0.0.0.0 indicates the current local network
IP Addresses

• Multicast addresses 224.0.0.0 to 239.255.255.255

• A multicast address is a logical identifier for a group of hosts on a
network
Examples include:
• 224.0.0.1 - all hosts on the same network segment
• 224.0.0.2 – all routers on the same network segment

The address 0.0.0.0 is used to indicate the current local network.

And finally, addresses in the range 224.0.0.0 to 239.255.255.255 are used for multicast. A
multicast address is a logical identifier for a group of hosts on a computer network.

Examples include:
224.0.0.1 – a group containing all hosts on the same network segment
224.0.0.2 – a group containing all routers on the same network segment

Networking 202: IP and Routing - Page 31

Knowledge Check

Which of the following is a Loopback address?

255.255.255.255 244.0.0.1 192.168.1.255

0.0.0.0 127.0.1.1

Submit

Networking 202: IP and Routing - Page 32

Knowledge Check

Which of the following is a Multicast address?

255.255.255.255 244.0.0.1 192.168.1.255

0.0.0.0 127.0.1.1

Submit

Networking 202: IP and Routing - Page 33

 Comparing an IP Address to a Postal Address
Trafalgar Avenue
Delivery Address:
10 Trafalgar Avenue 8 10 12
IP Addresses

Network 192.168.1.0
Destination IP:
8 10 12
192.168.1.10

IP addresses are similar to postal addresses. You would not expect letters to be successfully
delivered to your house if it didn’t have a unique mailing address to identify it from all the
other houses.

However, apart from uniqueness, there is another reason why an IP address can be
compared to a postal address. A postal address provides the Post Office with information
about which street contains the destination house. For example; a mailing address of 10
Trafalgar Avenue tells us that we need to go to Trafalgar Avenue and then look for house
number 10.

Similarly an IP address provides information about the network containing the host.
Knowledge of the network ensures that the IP packet is efficiently routed to the host
destination. In order to determine the destination network, we need to look in more detail
at how the Subnet Mask is used.

Networking 202: IP and Routing - Page 34

 Subnet Mask

Used by a source host to determine whether a destination host is on

the same network
IP Addresses

In the example, the Subnet Mask is 255.255.255.0 which means that

the Network ID is 192.168.1.0

IP Address 192 168 1 150

Subnet Mask 255 255 255 0
Network ID 192 168 1 0
Host ID 0 0 0 150

As described earlier, the Subnet Mask is used to determine which portion of the IP address
relates to the network, known as the Network ID, and which portion relates to the host,
known as the Host ID. It is used by a source host to determine whether the destination host
is located on the same network.

In the example, we apply a Subnet Mask of 255.255.255.0 to an IP Address of

192.168.1.150. This means the Network ID is 192.168.1.0

It is the convention is to add additional 0s to the Network ID so that it follows the dotted-
decimal format. The host ID is 150.

Networking 202: IP and Routing - Page 35

 The Importance of the Network ID

Technologies below the IP layer can only transfer messages between

devices on the same physical network
IP Addresses

If source and destination are on the same network then the message
can be addressed directly

If source and destination are on a different networks then the message

must be addressed to the Default Gateway

The networking technologies which exist below the IP layer, such as Ethernet, are only
capable of transferring messages between devices on the same physical network.
Consequently, a source computer needs to determine whether the destination IP is on the
same or another network.

If the destination IP address is on the same network then the source computer can generate
a message addressed directly to the destination.

If the destination IP address is on a different network then the source computer must create
a message addressed to a local router, typically the Default Gateway, which can forward it on
towards the final destination.

Networking 202: IP and Routing - Page 36

 Changing the Subnet Mask

In the example the subnet mask has been changed from 255.255.255.0
to 255.255.0.0
IP Addresses

• Network ID is now 192.168.0.0

• Host ID is now 1.150

IP Address 192 168 1 150

Subnet Mask 255 255 255 0
Network ID 192 168 0 0
Host ID 0 0 1 150

Here, we’ve kept the same IP Address but changed the Subnet Mask from 255.255.255.0 to
255.255.0.0. As you can see, this simple change has a significant effect on both the Network
ID and the Host ID. In this case, the Network ID is now 192.168.0.0 and the Host ID is 1.150.

In a later section, we will look at more complex Subnet Masks, which do not use all 255s.
These are much less common but may be used where a small number of public IP addresses
are required.

Networking 202: IP and Routing - Page 37

Knowledge Check

What is the Network ID of an IP Address of 172.30.1.65 with a Subnet Mask of

255.255.255.0?

172.30.1.0 172.30.0.0 172.0.0.0

1.65 65

Submit

Networking 202: IP and Routing - Page 38

Knowledge Check

What is the Host ID of an IP Address of 172.30.1.65 with a Subnet Mask of

255.255.255.0?

172.30.1.0 172.30.0.0 172.0.0.0

1.65 65

Submit

Networking 202: IP and Routing - Page 39

 Default Gateway
IP Addresses

In order to communicate with remote IP networks, hosts need the IP address of a router on
the local network. The example shows configuration of a Default Gateway on a Windows
computer. “Gateway” is another term for a router and this is the “default” router used by
the source host when there isn’t another more specific route configured. Other operating
systems may use different terms such as Router, Default Route and Gateway.

The figure shows the configuration of an IP host including IP Address, Subnet Mask and
Default Gateway settings. We will examine the various options for assigning IP configuration
in a later section.

Networking 202: IP and Routing - Page 40

 Network Scenario
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0

Switch 2
PC-A PC-B PC-C
IP Addresses

R-A

Switch 1
Router
(Default Gateway)

We will now use a scenario to demonstrate how IP networks work.

There is a Head Office network that uses IP addresses with a Network ID of 192.168.1.0 and
a Branch Office network that uses 192.168.2.0 as a Network ID. For IP networks to work
together successfully, it is important that each network is allocated a unique Network ID so
that it can be differentiated from the others.

For simplicity we’ll assume that the underlying network technology is Ethernet.

We will cover connecting to the Internet in a later section of this course.

Networking 202: IP and Routing - Page 41

 Communication Within the Same Network
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0

Switch 2
PC-A PC-B PC-C
IP Addresses

R-A

Switch 1
Router
(Default Gateway)

Network ID Host ID
Subnet Mask 255 255 255 0
Head Office PC-A 192 168 1 101
Head Office PC-B 192 168 1 102

We’ll start with a computer, PC-A, on the Head Office network that wants to talk to PC-B
which is on the same network. PC-A will compare its own network ID with the network ID of
the destination host. As shown in the table, the resulting network IDs are shown to match
which means the two PCs are able to communicate directly.

The IP packet containing the communication would be placed in an Ethernet frame which
will be addressed to the hardware address of PC-B and successfully transmitted between the
two hosts.

No default gateway is required for this example. PC-A can communicate with PC-B because
the two hosts are on the same network.

Networking 202: IP and Routing - Page 42

 Communication Between Different Networks
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0

Switch 2
PC-A PC-B PC-C
IP Addresses

R-A

Switch 1
Router
(Default Gateway)

Network ID Host ID
Subnet Mask 255 255 255 0
Head Office PC-A 192 168 1 101
Head Office PC-C 192 168 2 102

Let’s look at a second scenario where the computer, PC-A, on the Head Office network
wants to talk to PC-C which is on a different network.

In this scenario, PC-A will compare its own network ID with the network ID of the
destination. As shown in the table, the resulting network IDs do not match which means the
two PCs are on different networks and unable to communicate directly. The source host, PC-
A, must send the message to a local router (its default gateway) for forwarding to the other
network.

The IP packet containing the communication is placed in a frame addressed to the hardware
address of R-A. On arrival at the router, the IP packet is unpacked. The router will then use
the destination IP address to determine the best way to forward the packet towards the
destination.

Networking 202: IP and Routing - Page 43

 Incorrectly Configured Subnet Mask
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0

Switch 2
PC-A PC-B PC-C
IP Addresses

R-A
?!
Switch 1
Router
(Default Gateway)

Network ID Host ID
Subnet Mask 255 255 255 0
Head Office PC-A 192 168 1 101
Head Office PC-C 192 168 2 102

It is important that subnet masks are correctly configured.

If the computer in Head Office, PC-A, had been mis-configured with a subnet mask of
255.255.0.0 then it would only check the first two octets in the IP address for a match. As a
consequence, it would conclude that the Branch Office PC-C with an IP address
192.168.2.101 is on the same network and attempt to communicate directly. PC-A would
attempt to create an Ethernet frame with the PC-C hardware address as the destination,
however, it would be unable to determine this address and the communication would fail.

Networking 202: IP and Routing - Page 44

IP Routing

IP Routing

Networking 202: IP and Routing - Page 45

 IP Routing
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0

Switch 2
PC-A PC-B PC-C
IP Routing

Switch 1

IP Routing is the process of selecting a path to move IP packets across multiple networks.

In this section, we’ll look at how traffic is routed across IP networks within an organization.

Networking 202: IP and Routing - Page 46

 What is a Router?
A device that moves traffic from one network to another

A router forwards packets based on their destination IP addresses

IP Routing

It is generally optimized hardware but can be software

They are layer 3 (Network Layer) devices

They are typically configured so they do not forward broadcasts

Routers are the network devices that specialize in moving traffic from one network to
another. They are designed to receive and analyze incoming IP packets which they then
forward to other networks in the most efficient manner available. Typically a router is
hardware which has been optimized for this specialist task.

Routers are said to work at the Network layer because they deal with IP packets and IP is a
Layer 3 protocol.

As previously mentioned, generally routers are configured not to forward any broadcasts.
The router therefore acts as an important barrier to keep broadcast traffic within a single
“broadcast domain” and, in doing so, it prevents all the networks from being overwhelmed
by excessive broadcasting.

Networking 202: IP and Routing - Page 47

 Security Issue: Broadcast Storm
A Broadcast Storm is caused by an excessive number of broadcasts

This can consume the network bandwidth and overwhelm hosts

IP Routing

The cause is most commonly mis-configuration of the network

Another possible cause is a Denial of Service (DoS) attack

A Broadcast Storm occurs when an excessive number of broadcasts are transmitted on the
network at a given point in time. The high number of broadcasts can consume the network
bandwidth and overwhelm hosts which are attempting to process the packets. The storm
results in degraded network performance, slow responding hosts and, at worst, a complete
loss of network service, and the hosts crashing.

The cause of a broadcast storm is most commonly mis-configuration of the network which
results in frames looping around the network forever. However, another cause may be an
attacker performing a Denial of Service (DoS) attack using specially-crafted packets often
with spoofed IP addresses.

Although routers do not necessarily prevent broadcast storms, they do offer a boundary to
prevent the storm propagating further to other networks.

Networking 202: IP and Routing - Page 48

 How Does a Router Work?
IP Routing

Destination IP Address
52.85.34.59

A router will have two or more network interfaces and each interface will be connected to a
different IP network. When data is received at one of the interfaces, the router removes any
Data Link layer packaging, such as an Ethernet frame, to reveal the IP packet payload. It will
then examine the IP address in the packet to find the final destination.

The packet, which has been captured using WireShark shows a destination IP Address of
52.85.34.59 and a source of 172.16.1.30.

Networking 202: IP and Routing - Page 49

 How Does a Router Work?
An example of a routing table

Destination Subnet Mask Gateway Cost/Metric Interface

192.168.1.0 255.255.255.0 * 1 192.168.1.254
IP Routing

122.168.2.0 255.255.255.0 * 1 192.168.2.254

0.0.0.0 0.0.0.0 192.168.1.254 1 192.168.1.1

Using the destination IP address, the router performs a lookup in its routing table to
determine the best route for the packet.

The example shows a typical routing table. The Destination and Subnet Mask allow the
router to determine the best match with the destination in the IP packet. If the routing table
indicates an asterisk as the Gateway then the router has a direct connection with the
destination network. It can then package the IP packet into a frame for direct delivery to the
hardware address of the final destination host.

Otherwise, the gateway is another router and its IP address is used as the next destination
address. The cost/metric column can be used if there are multiple matches with the lowest
cost indicating the preferred router. Finally, the Interface is used to indicate from which
interface the packet should be transmitted.

Networking 202: IP and Routing - Page 50

 Home Router
IP Routing

LAN
Interface
WAN
Interface

The most familiar type of IP routers are the home routers provided by Internet Service
Providers (ISPs). They are designed to forward IP packets between devices in the home and
the Internet.

An example of a home router is shown and this has a standard set of features including:

• A Wide-Area Network (WAN) interface for connecting the router to the

incoming broadband signal from the ISP – this connection often makes use of a
broadband-enabled telephone line.

• There is a Local-Area Network (LAN) interface for connecting wired devices in the home
to the Internet. This interface is usually presented as a 4-port Ethernet Switch so that
multiple devices can be connected to the interface simultaneously.

• The router also has an integrated Wi-Fi Access Point (AP) which allows mobile devices
such as smartphones and laptops to access to the Internet using a wireless signal. A
connection between the AP and the Ethernet Switch means that all the home devices can
communicate with one another.

• Most home routers include a built-in firewall which, by default, will drop incoming
connection attempts in order to protect the home devices from attackers located out on
the Internet.

Networking 202: IP and Routing - Page 51

 Enterprise Router

Two types:
IP Routing

o Core: primarily for packet

routing within the network
o Edge: primarily handles
external connections

Larger businesses and ISPs use sophisticated enterprise routers like the example shown.
These dedicated pieces of hardware are optimised to forward packets at high speed over
fast data lines.

The rate at which a router can operate is measured in packets per second (pps). A basic
home router might handle 10,000pps whilst an enterprise router might be up to 10 times
faster. Some of the routers used on the Internet backbone are capable of forwarding 40
million pps.

Routers can be divided into two different types:

• Core – a core router sits at the centre of the enterprise’s network and the primary goal is
to route packets as fast as possible. In order to increase packet flow, core routers have
faster processors and increased memory.
• Edge – an edge router is located at the network boundary of the enterprise’s network
and external networks. A common example of an edge router is the device which
connects the enterprise to the Internet. In addition to their routing responsibilities, edge
routers must also incorporate strong security to protect the trusted internal enterprise
network from untrusted external networks. This means strict access control and packet
filtering.

Networking 202: IP and Routing - Page 52

 Communication Between Different Networks
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0
192.168.1.101

R-A R-B
PC-A 192.168.2.101
192.168.255.0 /
IP Routing

255.255.255.0 PC-C
Router Router

PC-B

Returning to the scenario in the last topic, routers R-A and R-B have been installed to
connect the Head Office and Branch Office networks. This means there is now a third
network between the two routers. This network uses 192.168.255.0/24 for its IP addresses.

We’ll now look at the configuration that is required to allow the devices located on the
different networks to communicate.

Networking 202: IP and Routing - Page 53

 Communication Between Different Networks (Step 1)
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0
192.168.1.101

R-A R-B
PC-A 192.168.2.101
192.168.255.0 /
IP Routing

255.255.255.0 PC-C
IP-1 = 192.168.1.254 IP-1 = 192.168.2.254
IP-2 = 192.168.255.1 IP-2 = 192.168.255.2

PC-B
Router A
Router B
IP Address
IP Address
Routing Table for R-A
Destination Subnet Mask Gateway Cost Interface
192.168.1.0 255.255.255.0 * 1 1
192.168.255.0 255.255.255.0 * 1 2

Each router has two interfaces.

Step 1 is to configure these interfaces with IP addresses which are valid for both of the
networks they are connected to.

Once configured each router will only know about the networks to which it is directly
connected. Consequently, the routing table for router R-A shows a direct connection with
network 192.168.1.0 via interface 1 and a direct connection with network ID 192.168.255.0
via interface 2.

In the next step we need to configure the hosts so that they know where to send any traffic
which is destined for a remote network.

Networking 202: IP and Routing - Page 54

 Communication Between Different Networks (Step 2)
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0
192.168.1.101 DG = 192.168.2.254
R-A R-B
PC-A 192.168.2.101
192.168.255.0 /
IP Routing

255.255.255.0 PC-C
IP-1 = 192.168.1.254 IP-1 = 192.168.2.254
IP-2 = 192.168.255.1 IP-2 = 192.168.255.2

PC-B

Routing Table for R-A

DG = 192.168.1.254
Destination Subnet Mask Gateway Cost Interface
192.168.1.0 255.255.255.0 * 1 1
192.168.255.0 255.255.255.0 * 1 2

In step 2 we configure the network hosts with the IP address of the default gateway (DG).
The default gateway for each host is the address of the router that is on the same network.

For example, the Head Office computer PC-A has been allocated a default gateway setting of
192.168.1.254, which is the interface of Router R-A which is on the same network as PC-A.

Networking 202: IP and Routing - Page 55

 Communication Between Different Networks (Step 3)
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0
192.168.1.101 DG = 192.168.2.254
R-A R-B
PC-A 192.168.2.101
192.168.255.0 /
IP Routing

255.255.255.0 PC-C
IP-1 = 192.168.1.254 IP-1 = 192.168.2.254
IP-2 = 192.168.255.1 IP-2 = 192.168.255.2

PC-B
Routing Table for R-A
Destination Subnet Mask Gateway Cost Interface
DG = 192.168.1.254 192.168.1.0 255.255.255.0 * 1 1
192.168.255.0 255.255.255.0 * 1 2
192.168.2.0 255.255.255.0 192.168.255.2 10 2

Step 3 is the final part of the configuration and is done on the routers.

Initially, a router only has knowledge of the networks to which it is directly attached. The
highlighted section shows that the administrator has added a route in the routing table of R-
A so that it is aware of the 192.168.2.0 network. The route tells the router to forward any
packet destined to the 192.168.2.0 network out of interface 2 to the next router, R-B using
the IP address of 192.168.255.2.

In a similar way, the administrator should also add a route to 192.168.1.0 on R-B so that
hosts on the Branch Office network can communicate with this network.

Networking 202: IP and Routing - Page 56

 Communication Between Different Networks (Example)
Head Office Branch Office
192.168.1.0 / 255.255.255.0 192.168.2.0 / 255.255.255.0
192.168.1.101
1 R-A
2 R-B
DG = 192.168.2.254
PC-A
192.168.255.0 / 3 192.168.2.101
IP Routing

255.255.255.0 PC-C
IP-1 = 192.168.1.254 IP-1 = 192.168.2.254
IP-2 = 192.168.255.1 IP-2 = 192.168.255.2

PC-B
Routing Table for R-A
Destination Subnet Mask Gateway Cost Interface
DG = 192.168.1.254 192.168.1.0 255.255.255.0 * 1 1
192.168.255.0 255.255.255.0 * 1 2
192.168.2.0 255.255.255.0 192.168.255.2 10 2

Having configured our routing infrastructure, we can now test that communication is
working by using PC-A to run the command:

ping 192.168.2.101

Let’s review what happens:

1. PC-A determines that the destination 192.168.2.101 is on a different network and

forwards the packet in a frame to its default gateway R-A on 192.168.1.254

2. R-A receives the frame and unpacks the packet. After examining the destination address,
it looks at its routing table and determines how to route packets to 192.168.2.0. It
forwards the packet in a new frame and uses interface 2 to send it to R-B on
192.168.255.2

3. R-B receives the frame and unpacks the packet. After examining the destination address,
it looks at its routing table and determines it has a direct connection to the 192.168.2.0
network. It forwards the packet in a new frame and uses interface 1 to send it directly to
PC-C.

In order for the ping on PC-A to show a successful reply the reverse route from PC-C to PC-A
must also be configured correctly.

Networking 202: IP and Routing - Page 57

 Troubleshooting With Ping

1 The localhost address: ping 127.0.0.1

2 The host’s own IP address: ping 192.168.1.101

IP Routing

3 The host’s default gateway address: ping 192.168.1.254

4 The destination host: ping 192.168.255.2

5 The destination host on a remote network: ping 192.168.2.101

In the scenario above, we discussed using ping to test connectivity between PC-A and PC-C.
If there was no response from PC-C then we would commence troubleshooting.

There is a logical order of using ping to identify network connectivity issues, and this is
shown in the slide. In the next activity you will use similar commands.

This process can be performed at both ends of a failed connection in order to more
accurately pinpoint the possible causes.

Networking 202: IP and Routing - Page 58

 Activity 1

In this activity you will use the ipconfig and ping commands to
verify network connectivity
IP Routing

Use the Download Activity button to open the instructions

When you have finished click Continue

Download Activity Continue

Networking 202: IP and Routing - Page 59

 What Route Does the Packet Take?
IP Routing

The traceroute tool, as its name implies, traces the route between any two hosts on a
network. In a similar manner to ping, traceroute records whether it successfully connected
with the other host, however, it also returns details of every router the packet passes
through during the journey. The result is a complete record of the route taken between the
two hosts.

Whilst the traceroute utility is helpful in showing the complete route taken by a packet to a
particular destination host, it can be even more helpful when the connection fails. The
partial route returned clearly shows which router is experiencing problems and gives the
network administrator an indication of where to start their troubleshooting. Typical issues
might be a failed connection, issues with the next router upstream, or an issue with the
router itself.

Networking 202: IP and Routing - Page 60

 Commands to Trace a Route
tracert
tracert –d
Names are resolved
IP Routing

Most operating system come with a utility which provides similar functionality to traceroute,
however, the actual command name can vary. For example, in the Windows operating
system, the command is tracert. Linux and Mac OS X use traceroute.

In the example the tracert command has been used to trace the route to the sophos.com
host.

In the first example, the –d switch disables name resolution so only IP addresses are shown.

In the second example, the –d has been removed so name resolution takes place. This
approach can take longer to run, however, the domain names returned sometimes give an
indication which organisation is responsible for the router.

Networking 202: IP and Routing - Page 61

 Activity 2

In this activity you will run use the traceroute to find the route
taken between your computer and server hosting sophos.com
IP Routing

Use the Download Activity button to open the instructions

When you have finished click Continue

Download Activity Continue

1. In the Command Prompt run the command tracert sophos.com

This will show the route taken to sophos.com and will resolve the names of the routers if
possible
2. Run the command tracert –d sophos.com
This will show the route taken to sophos.com and will resolve the names of the routers if
possible
3. Close the command prompt

Networking 202: IP and Routing - Page 62

 Routing Table Example
IP Routing

This shows an example of a routing table on a Windows Server with two interfaces that has
been configured as router.

The route print command can be used on any Windows computer to display the routing
table. The -4 switch limits the output to IPv4 only.

Networking 202: IP and Routing - Page 63

 Dynamic Routes
Larger networks use dynamic routing protocols to optimise network
availability

Dynamic routes are automatically added to each router’s routing table

IP Routing

Routers learn routes from neighbouring routers

Routers must use a common protocol

Commonly used routing protocols include:

o Open Shortest Path First (OSPF)
o Routing Information Protocol (RIP)
o Border Gateway Protocol (BGP)

On a large network there may be multiple possible paths from source to destination.
Dynamic routing and the protocols which support it can dynamically adjust as conditions
change on the network; for example, when routers fail, data lines are busy, or the network
layout is re-configured. The dynamic nature of the routes means they can help route data
around these issues and maintain the network reliability and availability.

Dynamic routes are automatically added to a routing table. They are routes which a router
learns from other neighbouring routers. The routers must have a common routing protocol
in order to communicate with one another. Some of the most common routing protocols
include:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)

Initially, each router only has knowledge of the networks to which it is directly attached. The
use of a common routing protocol allows the router to share this information initially with
it’s immediate neighbours, and subsequently throughout the network as the information
propagates from router to router.

Networking 202: IP and Routing - Page 64

 Static Routes
Use a static route to override the catch-all default gateway setting

Give the static route a higher preference than the default gateway
IP Routing

They can co-exist with dynamic routes and provide a manual fallback

Static routes can be more secure than dynamic routes

Adding a route in the Windows operating system:

o route ADD 172.16.3.0 MASK 255.255.255.0 192.168.1.150 METRIC 10 IF 2 -p

Network ID Router Cost Interface Persistent

Although default gateways are the most common way for hosts to route packets to other
networks, it is possible to configure static routes which use a different router for complex
routing requirements. The routes configured must be given a higher preference in order to
override the “catch-all” default gateway setting.

The key disadvantage of using static routes is that they are fixed which means they cannot
adapt to changing network conditions such as failed routers, busy routes or network re-
configuration. If used in combination with dynamic routes they can provide a manual
fallback in circumstances where the dynamic mechanism fails. A further advantage of static
routes is that they are considered more secure than dynamic routes sourced from third-
parties.

The example shows the command to add a static route to the 172.16.3.0 network that will
use the router 192.168.1.1. The cost is 10, it will use interface 2 and the route is persistent,
which means it will be available following a reboot.

Different operating systems will have differing methods for adding static routes however
they will all have the same parameters.

Networking 202: IP and Routing - Page 65

 Static Route Example
IP Routing

Persistent static route to the

172.16.3.0 network

Following entry of the command route, print now shows the static route in the persistent
section of the routing table.

Networking 202: IP and Routing - Page 66

 Security Issue: Routing Table Poisoning
A vulnerable part of the router is the routing table

If an attacker gains control over the routing table they can:

o Eavesdrop on traffic by diverting it through a controlled host
IP Routing

o Perform Denial of Service (DoS) attacks

Attacks can target vulnerabilities in routing protocols

One of the most vulnerable parts of a router is its routing table since it uses this table for
decisions on all packet forwarding. For an attacker, it is extremely desirable to gain control
over the routing table as it can allow them to:

• Eavesdrop on traffic by diverting the traffic through an attacker-controlled host, and

• Perform Denial of Service (DoS) attacks on the network by creating routing loops, or
alternatively diverting the traffic towards slow routes or black holes where the traffic is
silently dropped.

A common methodology for such attacks is to take advantage of vulnerabilities found in

routing protocols, such as OSPF, which are used to dynamically populate these routing table.
For example, the attacker might generate a spoofed route advertisement containing false
information which appears to come from a neighbouring router. If the target router can be
manipulated into changing its routing table using this false information then the attacker has
gained control of the routing table without having to breach the router itself. Once in
control, the attacker can route the traffic as they desire.

Networking 202: IP and Routing - Page 67

 Wireshark Capture on a Router
IP-A = 192.168.1.30 IP-B = 192.168.2.30
DG = 192.168.1.254 DG = 192.168.2.254
MAC-A = 00:50:56:80:4a:4b Ethernet1 Ethernet2 MAC-B = 00:50:56:80:18:27
IP-R1=192.168.1.254 IP-R2=192.168.2.254
MAC-R1=00:50:56:1a:65:d9 Router MAC-R2=00:50:56:80:c4:8e
PC-A PC-B
IP Routing

Continue

It is possible to see routing in operation using packet capture tools such as Wireshark. When
the ping command is used to send an ICMP Request ping packet from one network to
another, it is re-packaged in a number of different frames in order to complete its journey.
The same is also true of the ICMP Reply packet sent in response.

This shows the network scenario that will be used in the simulation that follows. We
recommend that you make a note of the last 2 characters in each of the MAC addresses, or
refer to the handout which includes this.

PC A 192.168.1.30 MAC ends 4b

Router Interface 1 192.168.1.254 MAC ends d9
Router Interface 2 192.168.2.254 MAC ends 8e
PC A 192.168.2.30 MAC ends 27

Networking 202: IP and Routing - Page 68

 Capture ICMP Packets Traversing a Router
IP Routing

In this simulation you will use Wireshark to capture and view

ICMP packets traversing a router

Read the information and follow the instructions to advance to the next step

Start

In this simulation you will use Wireshark to capture and view ICMP packets traversing a
router.

Read the information and follow the instructions to advance to the next step.

Networking 202: IP and Routing - Page 69

You want Wireshark to capture traffic on both the Ethernet0 and Ethernet1 interfaces
Simulation
First, click on the Ethernet0 interface

Networking 202: IP and Routing - Page 70

Hold down the <Ctrl> key and click on the Ethernet1 interface
Simulation

Networking 202: IP and Routing - Page 71

Begin capturing traffic on the both interfaces so that incoming and outgoing traffic will be seen
ClickSimulation
the Capture menu

Networking 202: IP and Routing - Page 72

Click Start
Simulation

Networking 202: IP and Routing - Page 73

Traffic capture has commenced
ClickSimulation
the button to switch to PC-A

Switch to PC-A

Networking 202: IP and Routing - Page 74

Open a command prompt by clicking the shortcut on the taskbar
Simulation

Networking 202: IP and Routing - Page 75

Run the command ping 192.168.2.30
Simulation

Networking 202: IP and Routing - Page 76

The ping command shows successfully connectivity to 192.168.2.30
ClickSimulation
the button to return to the router

Switch to Router

Networking 202: IP and Routing - Page 77

To stop the traffic capture click the Capture menu
Simulation

Networking 202: IP and Routing - Page 78

Click the Stop option
Simulation

Networking 202: IP and Routing - Page 79

To filter the traffic to just show the ping request and reply
Simulation
In the ‘Apply a display filter’ box type icmp and press Enter

Networking 202: IP and Routing - Page 80

Select the first item in the list with ‘Info’ column showing Echo (ping) request
Simulation

Networking 202: IP and Routing - Page 81

In the lower pane, click the arrow icon > to expand the Ethernet II section
Simulation

Networking 202: IP and Routing - Page 82

The ping packet is in a frame from MAC-A to MAC-R1
This indicates that PC-A has sent the frame to its default gateway (DG)
Simulation
In the upper pane, select the next item in the list with Info column showing Echo (ping) request

Networking 202: IP and Routing - Page 83

The Router has re-packaged the ping packet into a frame from MAC-R2 to MAC-B
Simulation
In the upper pane, select the next item in the list with Info column showing Echo (ping) reply

Networking 202: IP and Routing - Page 84

The reply is sent from MAC-B to MAC-R2 so PC-B has sent the frame to its DG
Simulation
In the upper pane, select the next item in the list with Info column showing Echo (ping) reply

Networking 202: IP and Routing - Page 85

Lastly, the Router has re-package the ping packet into a frame from MAC-R1 to MAC-A
TheSimulation
ping reply will now be received by PC-A. Click anywhere to end the simulation

Networking 202: IP and Routing - Page 86

Obtaining an IP Address

Obtaining an IP Address

Networking 202: IP and Routing - Page 87

 Where Do IP Addresses Come From?
Home users and enterprises typically get their public IP addresses from
their Internet Service Providers (ISP)
Obtaining an IP Address

ISPs obtain ranges of IP addresses from one of five regional registry

authorities
Ranges of Private IP Addresses are freely available for any organisation
or individual
Private IP addresses cannot be used outside their networks or on the
Internet

https://www.iana.org/numbers

Following the discussion of IP Addresses in an earlier section, the next thing to consider is
how to obtain them. The answer depends on whether you need a public or a private IP
address.

Home users and enterprises typically obtain their public IP addresses from their Internet
Service Provider (ISP). In turn, the ISPs obtain ranges of IP addresses from one of five registry
authorities which cover different regions of the world. For example, in North America the
American Registry for Internet Numbers (ARIN) manages the IP address space whilst in
Europe the IP addresses are managed by the Reseaux IP Europeens Network Coordination
Centre (RIPE NCC). Follow the link to determine which Registry manages the IP space for
which country.

https://www.iana.org/numbers

Many IP networks make use of the reserved ranges of private IP addresses. These ranges of
Private IP Addresses are freely available for any organisation or individual, however whilst
they can be used on private networks, they cannot be used on the Internet. If a private IP
address is seen by a router on the Internet then it will be dropped immediately.

Networking 202: IP and Routing - Page 88

 Obtaining an IP Address – Static Configuration
Obtaining an IP Address

A device can only successfully communicate on an IP network once it has been configured
with an appropriate IP address.

It is possible to manually configure the IP addresses of all the devices on a network. This
approach is known as “static” configuration and the example shows static configuration on a
Windows system. Widescale use of static configuration has many disadvantages:

• the network administrators must keep track of all the IP addresses

• there is a significant administrative burden in having to configure the IP addresses of
more than a few hosts
• manually configuring IP addresses makes mis-configuration, such as duplicate IP
addresses or invalid parameters, much more likely

However, in most networks, particularly at enterprise level, there will be hosts which should
be statically configured. This form of configuration ensures the IP address will not change
and therefore makes locating the device easier. Best practice suggests hosts for static
configuration should include; network infrastructure devices, servers, printers and
multipurpose devices.

Networking 202: IP and Routing - Page 89

 Obtaining an IP Address – Automatic Configuration
Obtaining an IP Address

Most networks provide an automatic configuration mechanism which is capable of

allocating IP addresses, subnet masks, default gateways and other IP parameters.

The choice of automatic configuration option is so common and convenient that most client
operating systems default to this configuration. The slide above shows that the default
configuration of a Windows client is set to ‘Obtain an IP address automatically’.

The most common service for automatic IP configuration is called Dynamic Host
Configuration Protocol (DHCP) which will be discussed next.

Networking 202: IP and Routing - Page 90

 Dynamic Host Configuration Protocol (DHCP)
DHCP automatically configures hosts to operate on a network

DHCP dynamically assigns IP addresses and network configuration

Obtaining an IP Address

parameters
DHCP servers allow DHCP clients to request and receive an IP
configuration

With DHCP there is no need for a manual static configuration

DHCP can be implemented on all networks

Dynamic Host Configuration Protocol (DHCP) is a network management protocol that

automatically assigns an IP address, subnet mask, default gateway and other network
configuration parameters whenever a device requests these.

The DHCP process eliminates the need for someone to perform a static configuration. It is
particularly useful for networks in which devices and IP addresses change frequently, such as
networks supporting mobile devices.

Networks offering automatic IP configuration must have a DHCP server deployed. Most
small office and home networks will use a single DHCP server instance which is typically
implemented as part of the Internet router supplied by an ISP. Enterprise networks may have
multiple DHCP servers deployed for reasons of redundancy. These DHCP servers will typically
be located on servers or network infrastructure devices.

DHCP was developed as an extension of the earlier Bootstrap Protocol (BOOTP). DHCP has
generally replaced BOOTP since it provides a more sophisticated feature set and offers
backward compatibility with the older protocol. DHCP can be implemented on all types of
networks and operating systems.

Networking 202: IP and Routing - Page 91

 How does DHCP work?

Client Server
Obtaining an IP Address

Discovery
Offer
Request
Acknowledgement

DHCP employs the User Datagram Protocol (UDP) as it’s transport protocol. Port 67 is used
by the server to receive any client requests and port 68 is used by the clients to receive any
server responses.

As shown in the slide above, the operation of DHCP fall into four phases:

• Discovery
• Offer
• Request
• Acknowledgement

This 4-way process is often abbreviated to the acronym of DORA because of the phase
names.

Networking 202: IP and Routing - Page 92

 How does DHCP work?
When a DHCP client boots up, it automatically sends out a DHCP
Discovery message, commencing DORA
Obtaining an IP Address

A DHCP client may also request its last known IP address

The offer from the DHCP server contains the network parameters

The request confirms the network parameters to all DHCP servers

The acknowledgement confirms the DHCP lease for a default period

The DHCP process begins with server discovery. When a DHCP client boots up, it
automatically sends out a DHCP Discovery message using the global broadcast address of
255.255.255.255 as the destination. Sending a broadcast message guarantees reaching any
DHCP servers which may be listening. A global broadcast is used because the DHCP client
does not have an IP configuration so cannot use the alternative network broadcast address.
A DHCP client may also request its last known IP address. If the client remains connected to
the same network, the server may grant the request.

When the DHCP server receives the message, it responds by sending the client a DHCP Lease
Offer message. This message will contain an IP address and a subnet mask along with other
configuration information such as the default gateway.

When the DHCP client receives the offer message from the server, it accepts the offer by
sending a DHCP Lease Request message. This message also informs other DHCP servers
which may have responded, that the client is accepting IP information from this DHCP server
only.

Finally, the DHCP server responds with a DHCP Acknowledgment message which lists the IP
information along with the associated MAC address to the DHCP client.

At the end of this process, the DHCP client has what’s known as a DHCP Lease. The term
“lease” means that the client has use of the IP information for a specified period of time; for
example, a common default lease period is 8 days. Towards the end of the lease time, the
DHCP client may request a renewal of the lease by communicating directly with the DHCP
server from which the existing lease was obtained. The DHCP server will look at the MAC
address associated with the renewal and if possible provide the client the same IP address.

Networking 202: IP and Routing - Page 93

 Security Issue: Rogue DHCP Server
A DHCP client will accept IP configuration from any DHCP server

A rogue DHCP server distributes false IP configuration details

Obtaining an IP Address

A rogue DHCP server attack may not be intentional

Malware can be used to create rogue DHCP servers

A false default gateway gives an attacker control of traffic sent

externally

Enable DHCP Snooping to mitigate rogue DHCP server attacks

A DHCP client is happy to accept IP configuration from the first DHCP server that responds to
it. Unfortunately, the lack of an authorisation check can leave the client vulnerable to attack.
This means that it is very easy for an attacker to place another DHCP server on the network
which distributes false IP configuration details. Such a DHCP server which is not controlled
by the network administrator and is known as a “Rogue DHCP server”.

This type of attack may not always be intended. For example, a user in the organization may
inadvertently connect a test virtual machine to the live network and it will start to distribute
incorrect IP configurations. The user may be completely unaware of the consequences of
their actions. Any clients accepting an IP configuration from the DHCP server in the test
environment will almost certainly experience network access problems because of the
invalid IP configuration provided to it.

A malicious attacker placing a properly configured rogue DHCP service on the network can
cause even more serious problems. The server does not have to be hardware, some types of
malware have been used to set up rogue DHCP servers.

The attacker wants the rogue server to be difficult to detect, so they configure it to provide
valid IP addresses which are in the same scope as the legitimate DHCP server. However, at
the same time, the attacker changes the default gateway parameter to point to the IP
address of another machine under the attackers control. This configuration means all
outgoing traffic sent by the clients to other networks can be intercept or captured on this
machine. This traffic can then be used by the attacker to launch other attacks against the
organisation.

One way to mitigate this type of attack is to enable DHCP Snooping on the network switch.
This feature allows the switch to monitor and filter any DHCP messages. With this feature

Networking 202: IP and Routing - Page 94

enabled it is possible to configure the ports handling “authorised” DHCP servers as
trusted. All the other ports will remain untrusted and the DHCP Snooping feature
will begin monitoring any DHCP conversations on these ports. The switch can
recognise traffic such as a rogue DHCP server response and block the frames.

Networking 202: IP and Routing - Page 94

 Security Issue: DHCP Starvation
DHCP Starvation maliciously stops clients receiving IP configurations

An attacker sends DHCP requests exhausting available IP addresses

Obtaining an IP Address

Mitigation depends upon the starvation method

Configure Port Protection to prevent the use of spoofed source MAC

addresses
Configure DHCP Snooping to check that the source MAC address and
client address field MAC address are the same

DHCP Starvation is a malicious attack which prevents legitimate DHCP clients from acquiring
an IP configuration from the DHCP server. In this attack, the attacker will send multiple
forged DHCP requests to the DHCP server with the intent of exhausting the pool of available
IP addresses on the server. This means legitimate DHCP clients cannot obtain an IP
configuration resulting in denial of service for the network users.

Mitigation depends upon the method used for creating the starvation attack:

In the simpler approach, the attack uses specially crafted DHCP requests with different
source MAC addresses. This form of attack can be mitigated by configuring Port Protection
on the network switches. Port protection allows the administrator to define a list of known
MAC addresses for a given port. The switch will then drop the frames for any unknown MAC
addresses which enter the port. In order to reduce the administrative burden, the list of
known addresses can be learnt dynamically rather than hard-coded.

A more sophisticated attack may use a valid source MAC address in the frame but change
the MAC address held in in the Client Address field of the DHCP payload. As a consequence,
the DHCP server will still see each request as a different client and port protection will be
ineffective.
Under these circumstances, the DHCP Snooping feature of the network switch must be
enabled. This feature can be configured to check that the source MAC address in the frame
matches the Client Address field in the DHCP packet payload. If the two do not match, then
the frame is dropped.

Networking 202: IP and Routing - Page 95

 DHCP Scope
Obtaining an IP Address

Whilst DHCP clients require little or no configuration, in contrast, DHCP servers do require
some significant configuration. These settings are known as a “DHCP scope” and
configuration includes the following:

• a range or pool of valid IP addresses that can be leased-out to the clients

• a subnet mask for the network
• other IP configuration information such as a default gateway, DNS server and Network
Time server
• a lease period appropriate for network usage – a shorter lease is often used on networks
where there are devices frequently joining and leaving

The figure in the slide above shows a typical DHCP scope. The scope is for the network ID of
192.168.1.0 and it is leasing-out a DHCP IP address pool of 192.168.1.10 to 192.168.1.200.
When a request arrives from a client, the DHCP server takes the next available address and
returns it to the client for a specified period.

Networking 202: IP and Routing - Page 96

 Security Issue: IP Address Conflict (Denial of Service)
Obtaining an IP Address

Most commonly due to manually setting a static IP address

Enable IP address conflict detection in DHCP

Best practice is to plan, document and divide the available IP address

range by network role

When two devices on the same network have the same IP address, an IP address conflict
occurs. The can result in disrupted network services and lost time locating and fixing the
issue.

This issue arises most commonly when a system administrator attempts to statically assign a
computer with an address in the DHCP pool. On Microsoft Windows computers suffering an
IP conflicts, you will receive an error message similar to the above as soon as the conflict is
detected.

The best way to avoid this issue is to use DHCP whenever possible. Another benefit of DHCP
is that devices can detect IP address conflicts. If this feature is enabled, the device will check
whether an IP address is already in use on the network before agreeing to lease it out. If a
DHCP client receives an offer message from the server and detects a conflict, it responds by
declining the offer using a DHCP Decline message.

Best practice when allocating IP addresses is to divide the network range and allocate IP
addresses according to network role. For example, the default gateway is often allocated the
last valid IP address on the network. Similarly, servers could be allocated addresses at the
beginning of the network range to separate them from clients. Documenting the scheme will
help yourself and other administrators to recognise the function of a host by its IP address.

Networking 202: IP and Routing - Page 97

 Can DHCP Provide a Fixed IP Address?
Using DHCP to Give Fixed IP Addresses:
Devices commonly given fixed IPs:
o Servers
Obtaining an IP Address

o Storage (SAN, NAS)

o Network Switches, Routers, Gateways, Load Balancers
o Printers
o Wireless Access Points
o Computers/Workstations using special services (or
requiring firewall exceptions)

Consider using DHCP MAC Reservation instead

of manually setting static configurations

On an enterprise network, there are many hosts that should have a fixed IP addresses so
they can be more easily located.

For some networks, it’s considered best practice to provide these devices with a DHCP-
assigned address rather than to configure the device statically. This is because a simple mis-
configuration can cause significant disruption on a network. Even if use of DHCP is not
required it is also highly convenient.

For this mechanism to work, the DHCP server must be configured with a “MAC Reservation”.
The MAC Reservation associates a specific IP address with a specific MAC address.
Whenever the device with that MAC address makes a DHCP Request, the DHCP Server uses
the MAC Reservation to ensure that it will always get the same associated IP address.

Networking 202: IP and Routing - Page 98

 Verify Configuration Using ipconfig /all
Obtaining an IP Address

DHCP Lease
Information

DHCP Server
IP Address

The ipconfig command you used in an earlier activity can also be used on the Windows
operating system to confirm DHCP configuration.

The ipconfig command has a number of switches which can be used to alter its functionality
and in this example, the ipconfig command has been used with the /all switch which
displays all details of the current IP configuration.

In the case shown, the IP address, subnet mask, default gateway etc. have been assigned by
a DHCP Server with the IP address of 192.168.1.254 and this configuration has been leased
to the client for a period of around 40 hours.

Networking 202: IP and Routing - Page 99

 What is a 169.254 IP Address?
Obtaining an IP Address

APIPA IP Address

Missing Default
Gateway

In some situations, for example when no DHCP server is available or the client has no
connectivity to the network, the DHCP Discovery process will fail. Under these
circumstances, a Windows DHCP client may configure itself to use an Automatic Private IP
Address (APIPA). APIPA addresses use the reserved network ID of 169.254.0.0. In the
example the host is using the address 169.254.134.223 with a subnet mask of 255.255.0.0.

APIPA is Microsoft’s implementation of a mechanism called Zero-Configuration networking

(ZeroConf). This technology is designed to generate a usable IP network of devices without
the need for human intervention or special configuration servers. Each device uses an IP
address formed by combining the 169.254.0.0 network ID with a host ID based on the MAC
address of the interface. By basing the host ID part on the unique MAC address, the
mechanism can ensure that the IP address is also unique on the network.

Although ZeroConf creates a working network, the network is isolated because it cannot
configure a default gateway, which is required for communicating with other networks.

Typically when a host has an APIPA address there is a problem on the network which
requires troubleshooting.

Networking 202: IP and Routing - Page 100

 Troubleshoot DHCP Using ipconfig

ipconfig /all Displays full IP configuration details

Obtaining an IP Address

ipconfig /release Releases the current IP configuration

ipconfig /renew Renews the IP configuration

We previously looked at the use of the ipconfig /all command to show the detailed IP
configuration for a Windows host. When troubleshooting DHCP, other switches are also
useful:

ipconfig /release – is used to release the current IP address configuration

ipconfig /renew – is used to renew IP configuration using DHCP

An example of when the above commands might be used would be if a host had obtained an
invalid IP configuration from a mis-configured DHCP server. After correcting the
configuration on the DHCP server, the administrator could use the above commands to
release the invalid configuration and then renew the configuration to pick-up the revised
settings. Finally, the ipconfig /all command would show if the valid configuration had been
obtained successfully.

Networking 202: IP and Routing - Page 101

 Troubleshoot a Network Connectivity Issue

Original Current
Obtaining an IP Address

Continue

In this scenario, a user reports that their PC has no access to resources on the network.

The images above show the original working configuration and the current non-functioning
configuration for comparison.

Review the configuration details displayed in each image and try to determine the key
differences.

Networking 202: IP and Routing - Page 102

 Troubleshoot a Network Connectivity Issue

Original Current
Obtaining an IP Address

Continue

As shown in the highlighted sections above, the key differences in IP configuration are the
change in IP address, subnet mask and lack of a DHCP server. The IP address starting
169.254.x.x suggests the PC has been unable to pick-up an address from the DHCP server.

Networking 202: IP and Routing - Page 103

 Release and Renew DHCP Configuration
Obtaining an IP Address

In this simulation you will use the ipconfig command to release and renew
DHCP configuration

Read the information and follow the instructions to advance to the next step

Start

The DHCP server administrator has discovered a configuration error on the server which has
now been fixed.

In this simulation, you will use the ipconfig command to release and renew DHCP
configuration

Networking 202: IP and Routing - Page 104

In the Command Prompt run the command ipconfig /all
ThisSimulation
will display the current network configuration in detail

Networking 202: IP and Routing - Page 105

Review the network configuration output and verify the it is still invalid
RunSimulation
the command ipconfig /release to release the existing configuration

Networking 202: IP and Routing - Page 106

The existing IP configuration has now been released but network resources are still not available
RunSimulation
the command ipconfig /renew to pick-up the new configuration

Networking 202: IP and Routing - Page 107

The IP configuration has now been renewed using the corrected DHCP server configuration
RunSimulation
the command ipconfig /all to review the new configuration in detail

Networking 202: IP and Routing - Page 108

Review the network configuration output and check that it shows the DHCP server
RunSimulation
the command ping 192.168.1.254 to check connectivity with the Default Gateway

Networking 202: IP and Routing - Page 109

The Ping statistics indicate that access to network resources is now restored
ClickSimulation
anywhere to finish the simulation

Networking 202: IP and Routing - Page 110

Subnetting

Subnetting

Networking 202: IP and Routing - Page 111

 Subnetting
IP Address

Before
Network Identifier Host Identifier
subnetting
Subnetting

After
Network Identifier Host Identifier
Subnet Identifier Host Identifier
subnetting

A “subnetwork” or “subnet” is a subdivision of a larger IP network.

Put another way, we could say that “subnetting” is the practice of dividing an IP network
into smaller parts called subnetworks or subnets.

Either way, this is a common practice which is usually done in order to make the
management of a large IP network more efficient.

Networking 202: IP and Routing - Page 112

 Subnet Mask – Revisited
The subnet mask identifies which part of the IP address is the Network
ID and which is the Host ID

Numbers corresponding with 255s belong to the network whilst those

corresponding with 0s belong to the host
Subnetting

In the example: Network ID is 192.168.1.0 and Host ID is 150

IP Address 192 168 1 150

Subnet Mask 255 255 255 0
Network ID 192 168 1 0
Host ID 0 0 0 150

As we discovered earlier in the course, the subnet mask is used to determine which portion
of an IP address is the Network ID.

Typically the subnet mask adopts the dotted-decimal notation and uses groups of 255s and
0s.

The numbers above a 255 belong to the Network ID whilst the rest relate to the Host ID.

So in our example above, the Network ID is 192.168.1.0 and the Host ID is 150. The
convention is to add ‘0s’ so that the network ID always has 4 decimal numbers.

Networking 202: IP and Routing - Page 113

 Network and Host ID in Binary

IP addresses are 32-bit numbers, divided into 4 groups of 8 (octets)

An IP address and subnet mask as the computer will see it

Subnetting

IP Address 192 168 1 150

IP Address 11000000 10101000 00000001 10010110
Subnet Mask 255 255 255 0
Subnet Mask 11111111 11111111 11111111 00000000
Network ID 11000000 10101000 00000001 00000000
Host ID 00000000 00000000 00000000 10010110

You have also seen that IP addresses and subnet masks are really 32-bit binary numbers. In
the table, we have converted the dotted-decimal octets of the IP address and subnet mask
to binary which is how a computer would see them.

Any bit in the IP address which has a corresponding bit in the subnet mask set to a 1 will
form part of the Network ID. Bits that have the corresponding bit in the subnet mask set to a
0 are in the Host ID.

Networking 202: IP and Routing - Page 114

 How Many Possible IP Addresses?
If the Host ID has 8 binary digits (bits):
o The range of Host IDs is 0-255 – that’s 256 possibilities (28)
o But all 0s is reserved for the network: that’s 192.168.1.0
o And all 1s is used to broadcast: that’s 192.168.1.255
Subnetting

o So there are 254 possible IP address (28 - 2)

IP Address 192 168 1 150

IP Address 11000000 10101000 00000001 10010110
Subnet Mask 11111111 11111111 11111111 00000000
Host ID 00000000 00000000 00000000 10010110
Network ID 11000000 10101000 00000001 00000000

The number of Host ID bits identified by the subnet mask dictates the number of possible IP
addresses which can be configured on the network.

From the table, we can see that the Host ID is 8-bits long. Using 8-bits, it is possible to
generate numbers ranging from 0 to 255 which means 256 possibilities. However, two of
these addresses are reserved:

• The host ID which is all 0s is used for the Network ID, in this example 192.168.1.0
• The host ID which is all 1s is used for the Network Broadcast, in this example
192.168.1.255

This means we are left with 254 possible IP addresses. This number can be calculated more
quickly be using the equation 2n -2 where n is the number of Host ID bits.

Networking 202: IP and Routing - Page 115

 What if the Host ID Has 16 bits?
If the Host ID has 16 binary digits (bits):
o The range of Host IDs is 0.0 to 255.255 = 65,536 possibilities (2 16)
o But all 0s is reserved for the network: that’s 172.28.0.0
o And all 1s is used to broadcast: that’s 172.28.255.255
Subnetting

o So there are 65,534 possible IP address (216 - 2)

IP Address 172 28 1 150

IP Address 10101100 00011100 00000001 10010110
Subnet Mask 11111111 11111111 00000000 00000000
Host ID 00000000 00000000 00000001 10010110
Network ID 10101100 00011100 00000001 00000000

In this example, the subnet mask is 16-bits so the Host ID is also 16-bits long. Using 16-bits,
it is possible to generate 65,536 (that’s 2 to the power of 16) possible combinations. As in
the previous example, we need to subtract 2 addresses. All 0s in the host ID for this example
gives a network address of 172.28.0.0. All 1s in the host ID makes the Network Broadcast
122.28.255.255. As a consequence, we are left with 65,534 possible IP addresses.

Any host with an IP address starting with 172.28 will communicate directly with others on
the same network, with no need for routing.

Networking 202: IP and Routing - Page 116

 Simple Subnetting
o The Network ID is increased to 24 binary digits
o The third octet is used for the subnet ID
o Subnet IDs can be 172.28.1.0, 172.28.2.0, 172.28.3.0, …..
172.28.255.0
o IP addresses such as 172.28.1.150 and 172.28.2.150 will be on
Subnetting

different networks and require a router to communicate

Subnet Mask 11111111 11111111 11111111 00000000

Host ID 00000000 00000000 00000000 00000001 (1)
11111110 (254)
Network ID 10101100 00011100 00000001 (1) 00000000
11111110 (254)

What if your organization has multiple small locations that require different network IDs?
Subnetting can provide the answer.

Instead of using the default 16-bit subnet mask it can be increased to 24-bits. This means
the third octet can now be used as the subnet ID. The first possible subnet is 172.28.1.0 and
the last is 172.28.255.0 – this means there can be 255 subnets and each of these can have
up to 254 hosts, using the remaining 8 bits.

A subnet operates in the same way as standard network. A host with IP address
172.28.1.150 will now require a router to communicate with 172.28.2.150.

Networking 202: IP and Routing - Page 117

 IPv4 Address Classes (Classful Addressing)

o In the early days of the Internet, different classes of IP address

could be purchased
o The concept has largely disappeared with the introduction of
CIDR (Classless Inter Domain Routing)
Subnetting

Class Address Range Supports Subnet Mask Host bits No of hosts

1.0.0.1 to 16 million hosts on 127

A
126.255.255.254 networks
255.0.0.0 24 224 – 2
128.1.0.1 to 65,000 hosts on 16,000
B
191.255.255.254 networks
255.255.0.0 16 216 - 2
192.0.1.1 to 254 hosts on 2 million
C
223.255.254.254 networks
255.255.255.0 8 224 - 2

Let’s take a step back now and look at how IP addressing worked in the early days of the
Internet. A system known as classful addressing was around from the early 1980s until the
early 1990s. The method divides the whole IPv4 address space (all 232 possibilities) into five
address classes labelled A to E.

As shown in the table above:

• Classes A, B, and C provide IP addresses for networks of three different sizes and each
class uses fixed subnet masks, which can be further subnetted if required
• Class D is used for multicast networking in which packets addressed to the multicast
group are delivered to all the members
• Finally, the Class E address range was reserved

As the Internet grew this approach became impractical as it was wasteful of IP addresses.
For example, if an organisation required 1,000 addresses the use of a Class B would be
wasteful. The use of four Class C networks would be much more efficient but would require
routing configuration.

This approach was replaced by Classless Inter Domain Routing, known as CIDR.

Networking 202: IP and Routing - Page 118

 Classless Inter-Domain Routing (CIDR)

CIDR allows a variable-length subnet mask

CIDR shows the number of bits for the subnet mask:

Subnetting

o 255.0.0.0 becomes /8
o 255.255.0.0 becomes /16
o 255.255.255.0 becomes /24

IP addresses and networks are shown with their subnet bits:

o 10.0.1.15/8
o 192.168.1.0/24

The Internet Engineering Task Force (IETF) introduced Classless Inter-Domain Routing (CIDR)
in 1993. Its primary goal was to overcome the inefficiencies of the classful system to make
better use of the limited number of available IPv4 addresses. In addition, the IETF wanted to
reduce the growth in the size of routing tables on routers across the Internet.

CIDR allows the use of variable-length subnet masking (VLSM) so that networks could be
closely matched to the number of hosts required. As part of this concept, it introduced a
new method of representing IP addresses called “CIDR notation”. In this notation, subnet
masks are denoted by a forward slash and a number indicating the number of bits, such
as 192.0.2.0/24 for IPv4. The final piece of CIDR was to introduce an administrative process
for the allocation of network ranges to organizations based on their current and short-term
future needs.

Networking 202: IP and Routing - Page 119

 Advanced Subnetting

Subnet masks don’t have to be all 255s and 0s

Subnet masks must include a continuous sequence of 1s

Subnetting

Examples of valid subnet masks:

Decimal Binary
255.255.255.240 or /28 1111111.11111111.1111111.11110000
255.255.255.248 or /29 1111111.11111111.1111111.11111000
255.255.255.252 or /30 1111111.11111111.1111111.11111100

Advanced subnet masks are used by ISPs to provide small ranges of

public IP addresses

So far all the subnet masks we have looked at in dotted-decimal notation are comprised of
255s and 0s but this is not a requirement. The only rule for a subnet mask is that it must
include a continuous sequence of 1s. Some examples of valid subnet masks which do not
use all 255s and 0s are shown.

You will typically encounter these forms of subnet masks when dealing with a range of
public IP addresses obtained from an ISP.

Networking 202: IP and Routing - Page 120

 Communication with the Internet
Head Office
192.168.1.0 / 24
192.168.1.101

R-C R-D
PC-A
ISP Internet
Subnetting

IP-1 = 192.168.1.254/24
IP-2 = <not configured>

DG = 192.168.1.254

Returning to our earlier scenario, the organisation now wishes to provide an Internet
connection for the Head Office network. To simplify the diagram the Branch Office network
is not shown. Its Internet communication will be routed through the Head Office.

We’ll now look at the configuration required to allow communication from Head Office to
and from the Internet.

Networking 202: IP and Routing - Page 121

 Communication with the Internet (Step 1)
Head Office
192.168.1.0 / 24
192.168.1.101

R-C R-D
PC-A
ISP Internet
Subnetting

IP-1 = 192.168.1.254/24 Request range of

IP-2 = <not configured> Static addresses

DG = 192.168.1.254

Step 1 is to request a range of “static” public IP addresses from an ISP. The number of IP
addresses requested should be sufficient for all devices requiring direct access from the
Internet.

Typical home Internet connections use what are known as “dynamic” IP addresses which
means the public IP address allocated by the ISP is taken from a pool of available addresses
and can change whenever the connection is reset. In contrast, enterprises typically require
“static” IP addresses meaning the public IP address provided by the ISP always remains the
same. This is important for enterprise networks with Internet-facing services such as email,
web and VPN.

Networking 202: IP and Routing - Page 122

 Communication with the Internet (Step 2)
o Step 2 is for the ISP to provide a range of IP addresses
o In our scenario, the requirement is for 6 useable IP addresses and the ISP has
provided them with 217.137.65.168/29
IP Addresses

Customer Network ID Subnet Mask IP Addresses

Customer W 217.137.65.160 /29 6
Head Office 217.137.65.168 /29 6
Customer Y 217.137.65.176 /28 14
Customer Z 217.137.65.192 /30 2

Step 2 is for the ISP to determine a range of “static” IP addresses which are suitable for the
enterprise.

The ISP will fulfil the request using part of a network or range allocated to them by one of
the five registry authorities such as RIPE. In order to make best use of this address space,
they will divide it up into multiple smaller subnets for use by each customer.

In the example the ISP owns the 217.137.0.0/16 network. This network provides a single
network ID of 217.137.0.0 with a maximum of 65534 (2^8 -2) hosts. However, to make best
use of the network address space, the ISP will divide it into numerous subnets sized for the
customer’s needs. Typically, ISPs will offer “standard” subnets supporting 2, 6 or 14 hosts.

In our scenario, the requirement is for 6 useable IP addresses and the ISP has provided them
with 217.137.65.168/29.

The ISP’s other customers use ranges either side of the one allocated and the table only
shows a small part of the allocated ranges.

Networking 202: IP and Routing - Page 123

 How Does this Provide the 6 IP Addresses?
o The Host ID only needs 3 binary digits
o The range of Host IDs is 0 to 7 – that’s 8 possibilities (23)
o BUT the Host IDs with all 0s and all 1s are reserved leaving 6 IP addresses (2 3 - 2)

Network ID 217 137 65 168

Subnetting

Network ID 11011001 10001001 01000001 10101000

Subnet Mask 11111111 11111111 11111111 11111000

Subnet Mask 255 255 255 248

IP Address #1 11011001 10001001 01000001 10101001 169

IP Address #6 11011001 10001001 01000001 10101110 174

Broadcast 11011001 10001001 01000001 10101111 175

The ISP can provide a range of 6 useable IP addresses by using 3 bits for the Host ID, which
means a subnet mask of /29. Using 3 bits for the Host ID provides 2 to the power 3 possible
addresses, this is 8. Then, by subtracting 2 addresses used for the Network ID and Network
Broadcast, we are left with the 6 usable IP addresses required.

In our scenario, the network of 217.137.65.168/29 provides:

Network ID: 217.137.65.168

IP Addresses: 217.137.65.169 to 174
Network Broadcast: 217.137.65.175

One of these addresses, must be used by the router, whilst the others can be assigned to the
Web, Email and VPN servers.

Networking 202: IP and Routing - Page 124

 Communication with the Internet (Step 3)
Head Office
192.168.1.0 / 24
192.168.1.101

R-C R-D
PC-A
ISP Internet
Subnetting

IP-1 = 192.168.1.254/24 217.137.0.0/16

IP-2 = 217.137.65.174/29
Web Server

Web Server
IP = 217.137.65.169/29
DG = 192.168.1.254

Step 3 is to assign the IP addresses to Internet facing devices. The ISP will specify which IP
address should be used for the router and the remaining IP addresses can be used as
desired.

In the figure above, the router, R-C, has been physically connected to the ISP’s network. One
of the interfaces on the router has been configured with the last IP address in the useable
range allocated by the ISP. Typically, the network default gateway uses either the first or last
address in this range. The customer has also configured a web server with another of the
addresses so that the website is accessible from the Internet.

Networking 202: IP and Routing - Page 125

 Are Two IP Addresses on the Same Network?
How many bit are in the subnet mask?
o In this example the subnet mask is /29

What is the decimal value of the last digit in the subnet mask?
o Subnet 29 = 11111111 11111111 11111111 11111000
Subnetting

8421
o So in this example the last digit is 8

This means that the network ID must be divisible 8

o In this example the network ID is 217.137.65.168/29
o 168 divided by 8 = 21

o IP address #1: 217.137.65.170/29 – 170 divided by 8 = 21.25 (Same network)

o IP address #1: 217.137.65.175/29 – 174 divided by 8 = 21.75 (Same network)
o IP address #1: 217.137.65.180/29 – 180 divided by 8 = 22.5 (Different network)

How can you work out if two IP addresses are on the same network? Here’s an easy way to
find out.

The first thing to do is work out the decimal value of the last digit in the subnet mask. In our
example this is 8, for /28 it would be 16, for /27 it is 32 and so on.

Once you know this number, divide the last part of the network address by this. In our
example this is 168 divided by 8 which equals 21.

Perform the same calculation on the IP addresses. If the number beings with 21 it is on the
same network.

Networking 202: IP and Routing - Page 126

Knowledge Check

Your IP address is 171.17.25.42/29

Select the 1 useable IP address which is on the same network
TIP: Remember you can’t use the network and broadcast IP addresses

171.17.25.47 171.17.25.48 171.17.25.39

171.17.25.46 171.17.25.40

Submit

Networking 202: IP and Routing - Page 127

 Network Address Translation (NAT)
Private IP addresses are used inside networks but public IP addresses are needed for
external communication

Network Address Translation (NAT) allows for this by modifying the address
information in IP packets sent to and received from destinations outside the network
Subnetting

Most commonly NAT is used to change a private IP address in the source field of an
Internet-bound packet to the public IP address of the NAT device

Response packets use the public IP address and are routed to the NAT device
The NAT device changes each address to the original private address and forwards
packets to the hosts that made the requests

Most organizations and home networks make use of private IP addresses for communication
within their internal network or networks. However, public IP addresses are required for
communication with the Internet.

This means that hosts using privately addressed networks cannot access the Internet directly
but must use a service designed to provide them with access. One mechanism is known as
Network Address Translation (NAT) and, as the name suggests, NAT is capable of modifying
the address information in an IP packet.

Most commonly NAT is used to change a private IP address in the source field of an Internet-
bound packet to the public IP address of the NAT device. This means that any response
packet will be able to use the public IP address and so be successfully routed back to the
NAT device. The NAT device then changes the address back to the original private address
and forwards it to the host that made the request.

The use of NAT allows private IP addresses to be used on multiple home and office networks
because they are “hidden” behind the external IP address of the router. This has the
advantage of conserving the limited number of public IP addresses. For the organization this
reduces the cost of public IP addresses and provides a more secure infrastructure.

Networking 202: IP and Routing - Page 128

 Accessing the Internet Using Network Address Translation

NAT Table
192.168.1.101 192.168.1.101:50001 12.35.55.99:5001 www.sophos.com
192.168.1.102:49992 12.35.55.99:5002 23.64.22.240
Subnetting

192.168.1.102

Router
12.35.55.99 ISP
192.168.1.1 Internet

It is typically the responsibility of the router to perform the Network Address Translation
(NAT) process.

When the NAT service replaces the internal private address with the Internet-routable public
address of the router, it keeps a record in memory of the replacements using a “NAT Table”.
This table allows the router to correctly change the address back when a response is
received and then route it to the host which made the original request.

In the example:
• A request for www.sophos.com is received by the router from the laptop (192.168.1.101)
• The router identifies that the request must be forwarded onto the Internet
• The router uses its NAT mechanism to replace the original source IP with its own external
IP address of 12.35.55.99. It then forwards the request using its external interface
• In order to keep track of “NATed” requests, the router adds an entry to the NAT table. This
includes the source IP address and the source TCP port. If this does not provide a unique
combination it may change the source port
• When the router receives a response from www.sophos.com to 12.35.55.99:5001, it uses
its NAT table to determine which internal host made this request. In the example, it
would change the destination IP to 192.168.1.101 and the destination port to 50001. It
would then forward the response to the host and remove the entry from the NAT table

Networking 202: IP and Routing - Page 129

 Communication with the Internet (Step 4)
Head Office
192.168.1.0 / 24
192.168.1.101

R-C R-D
PC-A
ISP Internet
Subnetting

IP-1 = 192.168.1.254/24 217.137.0.0/16

IP-2 = 217.137.65.174/29
Web Server NAT from IP-1 to IP-2

Web Server
IP = 217.137.65.169/29
DG = 192.168.1.254

Returning to our scenario, Step 4. of obtaining an enterprise Internet connection is to give

the privately addressed hosts on the Head Office network Internet access. This is achieved
by configuring router, R-C, to perform NAT on any packet passing from the internal interface
to the external interface.

One key disadvantage to the use of NAT is that it cannot be used with certain applications
which break when it is enabled. A common example is the Session Initiation Protocol (SIP)
which is used to provide voice and video.

Networking 202: IP and Routing - Page 130

 Wireshark Capture on a NAT Router
IP-A = 192.168.1.30 IP-WS = 217.137.65.169/29
DG = 192.168.1.254 DG = 217.137.65.174
MAC-A = 00:50:56:80:4a:4b Ethernet0 Ethernet1 MAC-WS = 00:50:56:80:18:27
IP-R1=192.168.1.254 NAT IP-R2 = 217.137.65.174/29
MAC-R1=00:50:56:1a:65:d9 Router MAC-R2 = 00:50:56:80:c4:8e Web Server
PC-A
Subnetting

Continue

It is possible to see NAT taking place using packet capture tools such as Wireshark.

The network scenario shown will be used in the simulation that follows. When you review
the packet capture, note how the source IP address of the ICMP Request packet is changed
by the NAT service. Once back at the NAT router, the destination address of the packet is
changed back to the original private address by the NAT service so that it can complete its
journey to PC-A.

We recommend that you make a note of the last 2 characters in each of the MAC addresses,
or refer to the handout which includes this.

PC-A 192.168.1.30 MAC ends 4b

NAT Router Interface 1 192.168.1.254 MAC ends d9
NAT Router Interface 2 217.137.65.174 MAC ends 8e
Web Server 217.137.65.169 MAC ends 27

Networking 202: IP and Routing - Page 131

 Capture ICMP Packets Traversing a Router
Subnetting

In this simulation you will use Wireshark to capture and view

ICMP packets traversing a NAT router

Read the information and follow the instructions to advance to the next step

Start

In this scenario, we’ll ping the Web Server from PCA and use a copy of Wireshark which is
located on the NAT Router to capture and review the results.

Read the information and follow the instructions to advance to the next step.

Networking 202: IP and Routing - Page 132

You want Wireshark to capture traffic on both the Ethernet0 and Ethernet1 interfaces
Simulation
First, click on the Ethernet0 interface

Networking 202: IP and Routing - Page 133

Hold down the <Ctrl> key and click on the Ethernet1 interface
Simulation

Networking 202: IP and Routing - Page 134

Begin capturing traffic on the both interfaces so that incoming and outgoing traffic will be seen
ClickSimulation
the Capture menu

Networking 202: IP and Routing - Page 135

Click Start
Simulation

Networking 202: IP and Routing - Page 136

Traffic capture has commenced
ClickSimulation
the button to switch to PC-A

Switch to PC-A

Networking 202: IP and Routing - Page 137

Open a command prompt by clicking the shortcut on the taskbar
Simulation

Networking 202: IP and Routing - Page 138

Run the command ping 217.137.65.169
Simulation

Networking 202: IP and Routing - Page 139

The ping command shows successful connectivity to 217.137.65.169
ClickSimulation
the button to return to the NAT Router

Switch to Router

Networking 202: IP and Routing - Page 140

To stop the traffic capture, click the Capture menu
Simulation

Networking 202: IP and Routing - Page 141

Click Stop
Simulation

Networking 202: IP and Routing - Page 142

To filter the traffic to just show the ping request and reply
Simulation
In the ‘Apply a display filter’ box type icmp and press Enter

Networking 202: IP and Routing - Page 143

Select the first item in the list with ‘Info’ column showing Echo (ping) request
Simulation

Networking 202: IP and Routing - Page 144

In the lower pane, review the Internet Protocol Version 4 section. The ping packet is addressed
from IP-A to IP-WS whilst the Ethernet frame is from MAC-A to MAC-R1
Simulation
In the upper pane, select the next item in the list with ‘Info’ column showing Echo (ping) request

Networking 202: IP and Routing - Page 145

The NAT Router has re-addressed the ping packet from IP-R2 (the public NAT interface) to IP-WS
Simulation
In the upper pane, select the next item in the list with ‘Info’ column showing Echo (ping) reply

Networking 202: IP and Routing - Page 146

The ping packet reply is from IP-WS to IP-R2 (the public NAT Router interface)
Simulation
In the upper pane, select the next item in the list with ‘Info’ column showing Echo (ping) reply

Networking 202: IP and Routing - Page 147

Verify that the NAT Router has re-addressed the ping packet from IP-WS to IP-A
TheSimulation
ping reply will now be received by PC-A. Click anywhere to end the simulation

Networking 202: IP and Routing - Page 148

 Internet Protocol version 6 (IPv6)
IPv6

Networking 202: IP and Routing - Page 149

 A World Shortage of IPv4 Addresses

Internet Protocol version 6 (IPv6) was introduced in 2012 but is not widely
used

The Internet Registry Authorities, which are responsible for allocating IP

addresses, have exhausted their available IPv4 address pools
IPv6

These authorities are now only able to allocate IPv4 addresses which have
been recovered or were previously reserved

IPv6 was primarily developed to solve the IPv4 address exhaustion issue

Internet Protocol version 6 (IPv6) was introduced in 2012 and it is the most recent version of
IP. However, the adoption of IPv6 by enterprises and individuals has been limited and IPv4
still remains by far the most common version. That said, there is a big problem with only
focussing on this version because the world is rapidly running out of IPv4 addresses.

As we’ve learned, IPv4 uses 32-bit address which means it can provide around 232 or almost
4.3 billion possible IP addresses. Although, this may sound a lot, they have become almost
completely depleted chiefly because of the rapid increase in the number of users and mobile
devices on the Internet.

Currently all the Internet Registry Authorities which are responsible for allocating IP
addresses have exhausted their available IPv4 address pools. With ARIN and RIPE exhausting
their pools most recently on the 25th November 2019. These authorities are now only able
to allocate addresses which have been recovered or were previously reserved.

One of the key drivers for the development of IPv6 by the Internet Engineering Task Force
(IETF) in the 1990s was to deal with this anticipated IPv4 address exhaustion problem. This
problem was also the driving force in the adoption of other technologies such as NAT and
CIDR.

Networking 202: IP and Routing - Page 150

 Internet Protocol Version 6 (IPv6)

o IPv6 uses 128-bit addresses

o This generates 2128 or about 340 trillion trillion trillion addresses (3.4 x 1038)

o IPv6 is displayed in colon-hexadecimal format

o An example IPv6 address is 2001:0001:0000:0000:0000:8a2e:0370:7334
IPv6

Addresses can be shortened to omit zeros:

o Leading Zero Compression: 2001:1:0:0:0:8a2e:370:7334
o Zero Compression: 2001:1::8a2e:370:7334

Instead of the 32-bits used by IPv4 addresses, IPv6 format uses a 128-bit address. This
generates 2128 or about 340 trillion trillion trillion addresses (i.e. 3.4 x 1038). This means that
with IPv6 we will will run out of address space.

The length of IPv6 addresses means the most efficient way to represent them is using eight
groups of four hexadecimal digits with each pair of hexadecimal digits the equivalent to an
octet. Each group is then separated by a colon (i.e. :). This notation is known as “colon-
hexadecimal” format. An example of a full IPv6 address is shown.

IPv6 addresses tend to contain a lot of zeros and the address can often be shortened.

Leading Zero Suppression is used when a section of an address starts with one or more
zeros. These zeros may be omitted so long as each group keeps at least one hexadecimal
digit. The example address may be shorten from 39 to 26 characters.

Zero Compression allows one or more consecutive groups of zeros to be compressed to a

single empty group which is represented by two consecutive colons. This tells the operating
system that everything in between the two colons is a zero. In the example the middle
section of the address is reduced to 1::8a2e. This type of compression can only occur once
in an address to prevent ambiguity. This further shortens the example address from 26 to 21
characters.

Networking 202: IP and Routing - Page 151

 IPv6 Subnet Masks

IPv6 subnet masks which identify the network ID are always 48-bits long

The subnet ID uses the next 16-bits which provides 65,535 subnets
IPv6

The host ID uses the remaining 64-bits

If required, some of the host ID bits can be used to provide additional subnets

Like IPv4, IPv6 also uses subnet masks. However, these do not need to be explicitly
configured because the network ID is always the first 48-bits. The next 16-bits are used to
identify the subnet ID and this length provides for 216 or 65,535 possible subnets. Finally, the
remaining 64-bits are used to provide the host ID.

If required, some of the 64-bits reserved for the host ID can be used to create additional
subnets. Although this might seem an unlikely requirement, some organisations have
already needed to make use of this expansion facility.

Networking 202: IP and Routing - Page 152

 Comparison of IPv4 and IPv6 Headers
IPv4 Header
0 4 8 12 16 20 24 28 31
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Source Address
Destination Address

IPv6 Header
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 63

Version Traffic Class Flow Label Payload Length Next Header Hop Limit

Source Address

Destination Address

As you have seen from our Wireshark simulations each IP packet has a header that contains
information such as the source and destination IP address.

As the image shows, IPv4 contains a number of other headers and routers had to process
each and every field regardless of whether it was used or not. One of the design goals of
IPv6 was to simplify the header. The header can still be expanded when needed but
otherwise it only includes the important fields. The Next Header field points to an extension
if it being used.

Networking 202: IP and Routing - Page 153

Knowledge Check

Your IPv6 full address is: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Select the compressed address which is both valid and the shortest

21:db8:85a3:::8a2e:37:7334 2001:db8:85a3:0:0:8a2e:370:7334

2001:db8:85a3::8a2e:370:7334 2001:0db8:85a3::8a2e:0370:7334

Submit

Networking 202: IP and Routing - Page 154

 IPv6 Special Addresses

The localhost (loopback) address

0000:0000:0000:0000:0000:0000:0000:0001 is reduced to ::1
The unspecified address
0000:0000:0000:0000:0000:0000:0000:0000 is reduced to ::
Link-Local addresses start with fe80
IPv6

o Example fe80::c001:37ff:fe6C:1
There are no broadcast addresses in IPv6. It uses multicast addresses instead
Multicast addresses start with ff0x
Well known IPv6 multicast addresses include:
o ff02::1 All IPv6 devices
o ff02::2 All IPv6 routers

Like IPv4, the designers of IPv6 reserved several special IP addresses.

The first of these is the loopback address for IPv6 which is 31 zeros followed by a 1 and can
be reduced to ::1

The unspecified address is typically used as a source address when a unique address has not
yet been allocated. The full address is 32 zeros and it can be reduced to ::

In an earlier section we discussed the ZeroConf technology which automatically generates a

usable IP network of devices without the need for human intervention or special
configuration servers. Link-local addresses for IPv4 are formed using the addresses starting
with 169.254. In IPv6 these addresses also exist and always begin with fe80. As with IPv4,
the link-local address is only valid for communication within the local network segment.

IPv6 was not designed to implement the type of IP broadcasts which we’ve seen used in
IPv4 and as a consequence there are no broadcast addresses. Instead, IPv6 achieves the
same result by transmitting a packet to what is called the link-local all nodes multicast
group.

In IPv6, multicast addresses can be readily identified since they always begin with ff0x,
where the x is a placeholder representing a single hexadecimal digit from 0 to f. Each digit
represents a different scope including 1 for interface-local, 2 for link-local and e for global.
These addresses are the equivalent of the 224.x.x.x addresses used in IPv4.

Some common examples of multicast addresses are those used to send packets to all IPv6
devices and all IPv6 routers.

Networking 202: IP and Routing - Page 155

 IPv6 Configuration
IPv6 is enabled by default in Windows
ipconfig shows the configuration of IPv4 and IPv6
IPv6

Although using just IPv6 is rare on private networks it is often used in combination with IPv4
as this ipconfig example shows. IPv6 is enabled by default in the Windows operating system.

The term ‘dual-stack’ can be used to describe a TCP/IP protocol stack that contains both IPv4
and IPv6. The remainder of the stack is identical so the TCP and UDP transport protocols can
run over both IPv4 and IPv6. Also, applications can run over both IPv4 and IPv6.

The same utilities we’ve discussed for IPv4 also work with IPv6.

Networking 202: IP and Routing - Page 156

 IPv6 Is Used When Available
IPv6

The ping command can be used with IPv6 to test connectivity. IPv6 will be used when
supported by both the source and destination.

Networking 202: IP and Routing - Page 157

 Tracing an IPv6 Route
IPv6

The traceroute utility can also be used with IPv6. In this example, the Windows tracert
command has been used to trace a route to google.com. As we covered earlier in the
course, the –d switch disables any name resolution for the addresses returned. It is also
possible to force tracert to use a specific IP version using either the -4 or -6 switch.

Networking 202: IP and Routing - Page 158

 IPv6 Advantages

More efficient routing

More efficient packet processing

IPv6

Easier network configuration

Better support for services

Built-in security

With the much larger address space offered by IPv6, it is now possible for everything to
become interconnected. However, IPv6 was also designed to provide other important
technical benefits.

• One issue with IPv4 was the large size of the routing tables required on Internet routers.
IPv6 permits hierarchical address allocation which means routes can be combined. This
approach limits the size of routing tables and makes routing more efficient

• IPv6 has a much simpler packet header than IPv4 which makes for more efficient packet
processing. In addition, unlike IPv4, it does not contain a checksum which has to be
recalculated at each router hop. There is no loss in error detection as the check can be
performed at the Transport layer

• IPv6 offers built-in automatic IP configuration meaning that the DHCP service is no longer
required

• The huge IPv6 address space removes the need for NAT. This means that the true end-to-
end IP layer connectivity is available which is required for services such as Session
Initiation Protocol (SIP)

• Another significant issue for IPv4 is that it was not designed to be secure. In contrast, IPv6
was designed to be secured by using IP Security (IPsec). This provides traffic with the key
security services of confidentiality, authentication and data integrity. It is important to
note that whilst IPsec is included in IPv6, its use in not mandatory

Networking 202: IP and Routing - Page 159

 Security Issue: IP Address Spoofing

Trusted
Actual Source IP 172.15.1.6
System
Destination IP 10.0.0.25 Victim using
IP based authentication
IPv6

Attacker (Actual Source IP) (172.1.4.05)

Spoofed Source IP 172.15.1.6
Destination IP 10.0.0.25

IP address spoofing can be used by attackers to bypass network security measures which are
based on trusted IP addresses. Some applications use the source IP address to verify the
identify of a remote system when it attempts to gain access. If an attacker knows the IP
address of a trusted system then they can forge IP packets with this source address in order
to impersonate the trusted machine and so bypass authentication.

Although it is relatively easy for the attacker to send packets, it is much harder for the
attacker to see the responses since they will be returned to the forged IP address. For the
attacker to see the responses, they will typically need to locate themselves on the same
network as the victim machine and use packet capture tools.

IP address spoofing is difficult to prevent on IPv4 networks but IPv6 includes an

Authentication Header which prevents spoofing attacks by providing authentication and
data integrity for the entire IPv6 packet. A solution for IPv4 networks is to implement multi-
factor authentication.

Networking 202: IP and Routing - Page 160

 Security Issue: Eavesdropping on Network Traffic

Security weaknesses provide an attacker with the

opportunity to eavesdrop on network traffic

One method to mitigate this is to encrypt the traffic

IPv6

IPsec is built-in to IPv6 and provides strong end-to-end

encryption Cybersecurity Essentials:
Cryptography
NAT prevents the use of IPsec on IPv4 networks

Security issues, such as IP address spoofing and routing table poisoning, can provide an
attacker with the opportunity to eavesdrop on network traffic. One method used to mitigate
such attacks is to encrypt the traffic so the attacker cannot read any traffic they manage to
capture.

As we mentioned in the previous slide, IPv6 has IPsec built-in which means it can prevent an
attacker eavesdropping on traffic by providing strong encryption from source host to
destination host – known as “end-to-end” traffic encryption.

Although it is possible to use IPsec on IPv4 networks, it is rarely done. This is mainly because
of the widespread use of NAT. Unfortunately, the NAT process changes the IP headers
causing IPsec to break and so makes highly secure end-to-end encryption impractical.

To learn more about how cryptography is used to provide information security we

recommend the Sophos Cybersecurity Essentials: Cryptography courses.

Networking 202: IP and Routing - Page 161

 Discover More About IPv6
IPv6

This section has provided an introduction to IPv6. If you would like to find out more about
the latest version of IPv6 then you can start with the resources shown.

• https://www.sans.org/reading-room/whitepapers/protocols/paper/380 Security Features

in IPv6
• https://www.ipv6.com/
• http://www.ipv6forum.com/

Networking 202: IP and Routing - Page 162

 Course Review
Now that you have completed this course, you should be able to:

Identify the configuration required for hosts in IPv4 and IPv6 networks

Recognize how packets are routed within private networks and the
methods used to provide Internet connectivity
Understand the benefits of subnetting and how the length of the subnet
mask can be varied to achieve the desired subnet size
Use Windows utilities and packet capture tools to view IP configuration
and network traffic

Continue

Here are the skills you should be able to take away from this course.

If you feel confident that you have met these objectives, click Continue to complete the quiz.

Networking 202: IP and Routing - Page 163

Knowledge Check 1

Your network address is 10.0.0.0/8. Which 3 of these IP addresses

can be used for hosts?

10.0.0.1 10.255.255.255 10.255.255.0

10.0.0.0 10.255.255.254

Submit

Networking 202: IP and Routing - Page 164

Knowledge Check 2
Match the windows command to the task

Release and renew

ping
DHCP configuration

Display and modify the

tracert
routing table

Show the route taken

route
by a packet

ipconfig
Test connectivity with
another host Submit

Networking 202: IP and Routing - Page 165

Knowledge Check 3
Match the subnet mask to the number of hosts it allows

255.255.255.0 6

/28 510

255.255.254.0 14

255.255.255.248 254
Submit

Networking 202: IP and Routing - Page 166

Knowledge Check 4

Enter the Windows command that would display the route taken to
www.sophos.com without resolving host names

Submit

Networking 202: IP and Routing - Page 167

Knowledge Check 5
Match the IPv6 addresses to their type

::1 Multicast: All IPv6 devices

ff02::1 Localhost (loopback)

fe80::c001:37ff:fe6C:1 Unspecified

:: Link-Local
Submit

Networking 202: IP and Routing - Page 168

 TRAINING FEEDBACK

Feedback is always welcome

Please email [email protected]

Feedback on our courses is always welcome.

Please email us at [email protected] with your comments.

Networking 202: IP and Routing - Page 171

 Next Steps
If you want to learn more about networking we recommend:

203 Name Resolution

If you want to learn more about networking we recommend:

203: Name Resolution.

This looks at the types of names that are used for network devices and the methods that can
be used to resolve these to their IP address.

The course also highlights cybersecurity issues and ways to mitigate them.

Networking 202: IP and Routing - Page 172

 Series Feedback – What Do You Want to See?
Currently
Planned
Available
Cryptography Networking › Perimeter Security
101: Getting Started with Cryptography 101: Getting Started with Networking › Mobile Devices
201: Cryptography in Depth 201: TCP/IP Network Model › Windows Operating Systems
202: Working with Digital Certificates 202: IP and Routing › Microsoft Active Directory
203: Understanding Ciphers 203: Name Resolution › Security Threats
› Public Cloud Platforms

Wireless
101: Getting Started

Email [email protected] with your suggestions and feedback

Back to Hub

The courses in this series are designed for individuals with no prior knowledge of the topics.

Here is a list of currently available courses.

Additionally, we have a number of courses that are being developed and will be made
available soon.

We also have a list of planned courses we would like to add to this series.

If you would like to suggest a topic for a course for inclusion or to provide any feedback on
this series then please email us at [email protected]

Networking 202: IP and Routing - Page 173

Networking 202: IP and Routing - Page 174
Sophos Cybersecurity Essentials Networking 202

In this activity you will use the ipconfig and ping commands to verify network connectivity.
Note: you will use the information collected in this activity for later tasks.

1 Click the button and type

2 From the matching items which are displayed, click on the Command Prompt program
or app
3 In the Command Prompt dialog, run the command
ipconfig
4 Write down your IP address

________________________________________________________
5 Write down the IP address of you Default Gateway

________________________________________________________
6 Run the command Pinging the localhost address checks that
ping 127.0.0.1 there are no issues with the local IP
networking stack.

7 Run the command Pinging the configured IP address of the host

ping <Your IP Address> itself checks that the host has picked-up the
address and that it is working successfully.

8 Run the command Pinging the configured default gateway of

ping <IP Address of you Default Gateway> the host itself checks that the configured
default gateway is accessible.

9 Run the command Pinging a remote checks that the default

ping 4.2.2.2 gateway is able to route the packet
successfully.

10 Leave the command prompt open for the next activity

You have used the ipconfig and ping commands to verify network connectivity.

Activity No. 1
Sophos Cybersecurity Essentials Networking 202

In this activity you will run a traceroute between your Windows computer and the server hosting sophos.com using the tracert sophos.com
command.
Once the trace has is displayed, compare the results with those on the previous slide. The initial hops will be different, depending on your ISP.
However at some point you’ll probably start to see that the route becomes similar.

1 Return to the command prompt used in the last activity

2 Run the command
tracert sophos.com
3 Review the results and compare with the example
4 Run the command The results for this command should appear
tracert –d sophos.com more quickly.
5 Close the command prompt
In this activity you have run a traceroute between your Windows computer and the server hosting sophos.com using the tracert
command.

Activity No. 2