Unit 1

Lesson 6 - Addressing

Hexadecimal Number Expression

You can expect to see hexadecimal (hex) numbers in documents as well as on the Web expressed in different ways, depending on what method was chosen by the writers. Lexical convention for hexadecimal numbers commonly allows base 16 number representation as follows:

23A916

2eb6H

0xE0

'7b'

0x23facb92

%0a000c834fa8

>34ce

0FCDh

10-00-5a-29-16-ab

00:00:0C:48:8C:11  (Colon hex notation is the standard for IPv6 address representation)

#FFFFFF   (and other hex RGB color codes that appear in most Web pages)

Physical Addresses

A physical address, also referred to as a hardware address, network interface card (NIC) address, or Media Access Control (MAC) address, is always the address required for information to ultimately be delivered to a given network node. The word "ultimately" is chosen here because information often starts out (at the higher layers) to be simply addressed to some symbolic name, such as the host name in the command "telnet serverhost." The name "serverhost" refers to the name of a target host the user is attempting to contact using the telnet (TCP/IP) application and protocol. For the user to connect to the above host, an address must somehow be derived from the symbolic name and then used in an agreed-upon addressing scheme to reach the target. In this case, an intermediate logical (or software) address (the IP address) will first be derived from the symbolic name using a name service, such as DNS.

It would be natural to want to associate the physical address with the Physical Layer, but the physical address is actually processed by the Data Link Layer. Remember, the Physical Layer is just concerned with transmitting bits to and receiving bits from the physical medium and does not "see" the bits as organized into meaningful patterns, such as an address.

Physical addresses, for the purposes of networking, can be categorized into two general types: LAN addresses and wide area network (WAN) addresses. A LAN address would be the type commonly found in an Ethernet or a Token Ring environment, while a WAN address might be used in High-Level Data Link Control (HDLC) or Point-to-Point Protocol (PPP).

A LAN address can be further categorized into three classes:

1.

Broadcast address--a destination address that is used to specify that all stations on a network should receive and process the frame. This address often appears in the hexadecimal form of all 1s (FF:FF:FF:FF:FF:FF).

2.

Multicast address (or group address)--a destination address that specifies a certain (predefined) group of stations should receive and process the frame. A group address is usually designated by a particular bit pattern in the Address field assigned for that purpose. This tags it as a group address so the address recognition logic can see if it matches the configured group address in the node. Ethernet uses the low order bit of the high order byte (octet) of the destination address to indicate a multicast address, while Token Ring uses the high order bit of the same byte.

3.

Unicast address--an address that specifies only one station that should receive and process the frame. The source address is the station that sent the frame.

Note that certain applications, such as LAN management programs running on a PC attached to the network, as well as network analyzer tools, such as Ethereal, will program their address recognition logic to operate in what is commonly referred to as "promiscuous mode." In this mode, all frames appearing on the network will be read for management (statistics gathering) purposes and/or analysis.

The Ethernet Frame Format Diagram illustrates two addresses: a destination address and a source address. These are each 6 bytes in length. Both of these are physical addresses and are normally associated with the hardware present in the node. In many instances, it is a purely hardware operation that actually recognizes the address in the frame and forwards the frame to the higher layers for processing. This is done by hardware registers being programmed to "match" the destination Address field in the frame received off the LAN with the address that is "burned in" to the NIC at the time of manufacture. The purpose of the Preamble and Start of Frame Delimiter (SOFD) is to synchronize the hardware clock before reading the bit stream.

Ethernet Frame Format

Ethernet Frame Format

The Burned In Address (BIA) does not have to be used; a different address may be configured by means of a software utility program. It is better to use the BIA, otherwise the chances of picking an address that is duplicated in another node on the network increase. This would cause duplicate address errors to be detected on the network. WAN address operations are not much different from a LANs; although WAN Address fields are typically shorter (1 or 2 bytes).

Real Audio Clip

Why is a network address as well as a physical address required to reach a node?

Logical Addresses

A logical address differs from a physical address in that it is generally implemented as a software entity rather than a hardware entity. There are two types of logical addresses:

Network addresses

Port or process addresses

Some examples of these types of addresses would be an IP network address, such as 205.169.85.123, a port number (process address) such as 23, or a SAP (service access point) number, such as 0xE0.

An important fact to remember concerning logical addresses is that a logical address will not get the information "ultimately" into the node. Only the physical address, whether it is a broadcast address, multicast (group) address, or a unicast address, can accomplish this.

The Internet Address Formats Diagram shows the various Internet addressing formats, consisting of Network Identifier and Host (or node) Identifier fields. This address is recognized and acted upon at the Network Layer to provide an end-to-end reference point for node addresses.

Internet Address Formats

Internet Address Formats

Depending on the size of the network, in terms of the number of networks and the number of hosts, different addressing formats are used. To properly recognize network addresses, a subnet mask is used to mask (cover) the network/subnetwork part of the address so that the proper network (and subnetwork) ID can be recognized. The subnet mask is expressed in the dotted decimal notation of 255.255.255.0. This mask, if used for a Class B network, would specify approximately 250 subnetworks and the same number of hosts on each subnet. On the other hand, a mask of 255.255.0.0 used on the same Class B address can have over 65,000 hosts (16 bits of host addressing), but no subnets would be available (somewhat impractical). A Classless Interdomain Routing (CIDR) address is expressed as 205.169.85.0/24, but the actual subnet mask in this example is 255.255.255.0.

Real Audio Clip

What is the significance of using well-known ports?

Address Mapping Protocols

Mapping an address is translating it from one format to another more suitable for the medium and protocol for which it will be used. For example, people prefer to work with addresses represented by names, such as http://www.westnetinc.com, rather than remembering an IP address of 205.169.85.247. But the IP address is required to reach WestNet's Web server, and here is where address mapping protocols, such as DNS, come into play.

   Physical Address Mapping

We just covered two kinds of addresses--physical addresses and logical (or software) addresses. You saw how a physical address was necessary to get information delivered to the network node, where the data was then forwarded to the higher layers. You also discovered that a logical address was used by higher layers in the OSI model to provide end-to-end connectivity and routing between network nodes that were not necessarily located on the same physical network.

We will now examine how the logical addresses are translated or mapped to the physical addresses. The protocols used to accomplish this mapping (or discovery) are ARP and Reverse Address Resolution Protocol (RARP). RARP is used primarily by diskless workstations to discover their IP address by communicating with a node on the network that handles these requests.

The ARP Format Diagram illustrates the layout of an ARP packet. The field descriptions are as follows (the diagram is 4 bytes, or 32 bits wide):

ARP Format

ARP Format

Hardware type (2 bytes/octets)--hexadecimal "0001" for Ethernet

Protocol type (2 bytes)--0800H indicating IP

HLEN (byte)--specifies the length of the hardware address

PLEN (1 byte)--specifies the length of the high-level (logical/software) protocol address

Operation (2 bytes)--specifies a request (1) or a reply (2)

Sender H/W (hardware address, 6 bytes)--specifies the sender's MAC address

Sender IP (4 bytes)--specifies the sender's protocol address

Target H/W (6 bytes)--specifies the target's hardware address, which is the unknown
(all zeros)

Target IP (4 bytes)--specifies the target's protocol address

The initial sender, upon receiving a reply, then knows the MAC address of the target destination it is trying to reach. Remember, on the reply, the target is now the sender.

The following trace shows an ARP being used to discover the hardware address of a target destination the sender wishes to reach. The sender only knows about the target's IP address and wants to discover the actual MAC (hardware) address so the frame can be sent to the desired node. Notice that the destination MAC address is a broadcast address, because the sender does not know the intended receiver's MAC address yet; so the frame is sent to all nodes on the network. The bolded hexadecimal data corresponds to what the protocol analyzer translated for the ARP portion of the frame. The Ethertype (0806) indicates that an ARP is being carried in the frame. Although the minimum size for an Ethernet frame is 64 bytes, only 60 bytes is shown for the frame size since the 4-byte frame check sequence (FCS) is not displayed. Note how the frame is padded (to 64 bytes) with binary zeros. 

DLC:  Frame 1 arrived at  23:33:39.6638; frame size is 60 (003C hex) bytes.
DLC:  Destination = BROADCAST FFFFFFFFFFFF, Broadcast
DLC:  Source      = Station WstDig488C11
DLC:  Ethertype  = 0806 (ARP)
DLC:  
ARP:  ----- ARP/RARP frame -----
ARP:  
ARP:  Hardware type = 1 (10Mb Ethernet)
ARP:  Protocol type = 0800 (IP)
ARP:  Length of hardware address = 6 bytes
ARP:  Length of protocol address = 4 bytes
ARP:  Opcode 1 (ARP request)
ARP:  Sender's hardware address = WstDig488C11
ARP:  Sender's protocol address = [128.1.0.2]
ARP:  Target hardware address = 000000000000
ARP:  Target protocol address = [128.1.0.1]
ARP:


ADDR  HEX                                                ASCII
0000  FF FF FF FF FF FF 00 00  C0 48 8C 11 08 06 00 01  .........H......
0010  08 00 06 04 00 01 00 00  C0 48 8C 11 80 01 00 02  .........H......
0020  00 00 00 00 00 00 80 01  00 01 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00  00 00 00 00              ............





DLC:  Frame 2 arrived at  23:33:39.6661; frame size is 60 (003C hex) bytes.
DLC:  Destination = Station WstDig488C11
DLC:  Source      = Station WstDigE58C11
DLC:  Ethertype  = 0806 (ARP)
DLC: 
ARP:  ----- ARP/RARP frame -----
ARP:  
ARP:  Hardware type = 1 (10Mb Ethernet)
ARP:  Protocol type = 0800 (IP)
ARP:  Length of hardware address = 6 bytes
ARP:  Length of protocol address = 4 bytes
ARP:  Opcode 2 (ARP reply)
ARP:  Sender's hardware address = WstDigE58C11
ARP:  Sender's protocol address = [128.1.0.1]
ARP:  Target hardware address = WstDig488C11
ARP:  Target protocol address = [128.1.0.2]
ARP:


ADDR  HEX                                                ASCII
0000  00 00 C0 48 8C 11 00 00  C0 E5 8C 11 08 06 00 01  ...H............
0010  08 00 06 04 00 02 00 00  C0 E5 8C 11 80 01 00 01  ................
0020  00 00 C0 48 8C 11 80 01  00 02 00 00 00 00 00 00  ...H............
0030  00 00 00 00 00 00 00 00  00 00 00 00              ............

Notice the "WstDig" substituted for the first 3 bytes of the hardware address. The first 3 bytes are the manufacturer's code, which in this case is Western Digital.

   Logical Address Mapping

To communicate with a host in an IP network, TCP/IP software must know the host's IP address. People, on the other hand, find names easier to remember than addresses. The DNS provides a mechanism to translate host names to IP addresses. The process of translating names to addresses is called name resolution, and is performed by machines called name servers. The database that maps host names to addresses is distributed across the name servers in a hierarchical fashion. Each name server stores a subset of the names database.

A node that uses DNS must be configured with the IP address of at least one name server. When software on that node needs to translate a name to an address, such as "ftp://ftp.ripe.net/rfc" (to retrieve a request for comment [RFC]), the following actions may occur:

The DNS software on the node--called the resolver--looks in its cache to see if it already knows the IP address corresponding to the name. If so, it simply returns the address to that calling software.

If the name is not found in the cache, the resolver sends a DNS query to its configured name server. The query contains the domain name to be resolved.

If the server knows the address corresponding to the name, it returns it to the resolver, which passes it to the calling software. If the server doesn't know the name, it identifies a server that is more likely to know the answer and either forwards the query to that server (recursion), or sends the address of that server back to the resolver (referral), so the resolver can send the query to that server.

Servers continue to recurse or refer the resolver to other servers until the query arrives at a server that knows the address corresponding to the name. That server will respond with a DNS response that includes the address. In the case of referral, the response gets sent directly back to the resolver. In the case of recursion, the response is forwarded back through the chain of servers until it gets to the resolver.

Domain names are organized hierarchically. For example, in the case of the name "students.westnetinc.com", "students" is the most specific part of the name, referring to a single node, or host. The "com" portion is the least specific, referring to a for-profit business. All domain names in the world can be organized into a single tree. Immediately below the unnamed root of the tree are the Top Level Domains (TLDs), such as "com" and "edu." Below "com" are names corresponding to companies. Below "edu" are names corresponding to educational institutions. Each of these names can have subtrees below them, corresponding to subdivisions within the company or school. The name corresponding to a node is determined by following the path from the node to the root, appending the name of each node encountered along the way. IP addresses corresponding to a name can be located at any node at or below the second level.

The tree of all domain names is partitioned into pieces whose administration is delegated; these administrative pieces are called zones. For instance, responsibility for "westnetinc.com" and all nodes below it has been delegated to WestNet Learning Technologies. WestNet can create names within the westnetinc.com domain and assign addresses to them as required.

Each DNS server contains the translation database for one or more zones. The server is said to be authoritative for the names in those zones. In addition to knowing addresses corresponding to names within its zones, servers also know the names and addresses of servers authoritative for zones below theirs in the tree. For instance, the nodes at WestNet's offices in Europe might be organized into a "westnetinc.co.uk" domain, or in Asia, "westnetinc.co.jp." These names could be in a separate zone with its authoritative servers in Europe and Asia. For example, the WestNet name server in the United States would not be authoritative for names in the "westnetinc.co.jp" domain, but would know the names and addresses of the servers in Asia, and would recurse or refer queries of the form "nnn.westnetinc.co.jp" to them. Incidentally, the "co" in the name is a shortened version of "com," not the fact that WestNet's headquarters are located in Colorado.

All name servers also know the name and address of at least one root server. Root servers are administered by the Internet authorities and are authoritative for all names down to the second level. In other words, root servers know the names and addresses of all other servers that are authoritative for names of the form "nnn.com," "nnn.edu," "nnn.org," and so on. Root servers are the last resort in the name server hierarchy. If a server gets a query and doesn't know either the answer or a name server for the requested name, it recurses or refers the query to a root server.

For names allocated by the Internet authorities, each zone is required to have multiple servers, and these servers are supposed to be geographically separated. This minimizes the chance that all of them will be simultaneously inaccessible. One of the servers for each zone is the primary; the others are secondary. The primary name server has a manually maintained file containing the translation database for the zone. The secondary servers check in with the primary periodically to see if the database file has been changed. If so, they automatically download the file from the primary; this is called a zone transfer. Except for initially being given the name of the primary, secondary servers require no manual configuration.

DNS queries and responses normally are sent by means of the User Datagram Protocol (UDP), although the RFC says that TCP may be used. The use of UDP means that a resolver is responsible for retransmitting a query if it doesn't get a response. Because they must be reliable, zone transfers are always performed over TCP connections. A frame sent from a workstation requesting a DNS translation looks like the one shown on the DNS Request Diagram.

DNS Request

DNS Request

The DNS system is also capable of translating "backwards," from IP address to the corresponding name. This is called reverse DNS. To do this, the resolver sends a query on the "in-addr.arpa" domain, with the IP address in byte-reversed order. For instance, to find the name corresponding to the address 144.49.32.39, a resolver would query on the name "39.32.49.144.in-addr.arpa." This is used by some programs, such as UNIX rlogin, to verify an incoming client is really who they say.

DNS has been around for quite some time. A common software program used in name servers is BIND, which stands for Berkeley Internet Name Domain, and typically runs on UNIX.

It is important to remember the following:

Don't confuse name resolution with routing. They are separate functions performed by different devices. Although there are probably exceptions, routers generally do not perform name resolution and name servers generally do not perform routing.

Some systems, including Windows NT/2000 and most UNIX versions, have a program called "nslookup" that can be used to query name servers. Type "nslookup" from a command prompt to start it then just type in the name you want to be resolved. There are options for querying a different server or for sending different kinds of queries. A "?" gets a help screen.

The following trace was captured with a Network Associates NetXRay product, now called Sniffer Basic. It shows a DNS request for a server (regis.edu) and the subsequent response. Address 199.117.27.21 is the name server. DNS uses well-known Port 53, which is a 0035 hex in the data stream. The DNS port is found at offset 0024h, or the third line, fifth byte. Notice the DNS portion of the frame is comprised of a Question Section, and in the response, an Answer Section. The result of the DNS query is to return the IP address of regis.edu, or address 165.212.213.50. The Question section is repeated in the response.


Packet 1 captured at 08/24/2000 04:02:14 PM; Packet size is 69(0x45) bytes
      Relative time: 000:00:04.039
      Delta time: 0.000.000
Ethernet Version II
      Address: 00-60-94-05-11-D9 --->00-C0-7B-6E-12-35
      Ethernet II Protocol Type: IP
Internet Protocol
      Version(MSB 4 bits): 4
      Header length(LSB 4 bits): 5 (32-bit word)
      Service type: 0x00
            000. .... = 0 - Routine
            ...0 .... = Normal delay
            .... 0... = Normal throughput
            .... .0.. = Normal reliability
      Total length: 55 (Octets)
      Fragment ID: 7173
      Flags summary: 0x00
            0... .... = Reserved
            .0.. .... = May be fragmented
            ..0. .... = Last fragment
            Fragment offset(LSB 13 bits): 0 (0x00)
      Time to live: 32 seconds/hops
      IP protocol type: UDP (0x11)
      Checksum: 0x78DB
      IP address 205.169.85.162 ->199.117.27.21
      No option
User Datagram Protocol
      Port 1162 ---> Domain Name Server (port 53)
      Total length: 35 (Octets)
      Checksum: 0xB5E9
Domain Name Service
      HEADER SECTION:
      Identifier: 1
      Flags:
            0... .... = Request packet
            .000 0... = OP Code is 0x00 - Query
            .... .0.. = Non-Authoritative Answer
            .... ..0. = No Truncation Packet
            .... ...1 = Recursion Desired
            0... .... = Recursion Not Available
            .000 .... = Reserved Bits
            .... 0000 = Response Code is 0 - No Error
      Section Entries:
            Question   Section: 1 Entrie(s)
            Answer     Section: 0 Entrie(s
            Authority  Section: 0 Entrie(s)
            Additional Section: 0 Entrie(s)
      QUESTION SECTION[1]:
            Domain Name: regis.edu
            Query  Type: 1 = A - a host address
            Query Class: 1 = IN - the ARPA internet



Hexadecimal Detail
Packet: 1
0000: 00 c0 7b 6e 12 35 00 60 94 05 11 d9 08 00 45 00 | .À{n.5.`...Ù..E.
0010: 00 37 1c 05 00 00 20 11 78 db cd a9 55 a2 c7 75 | .7.... .xÛí©U..u
0020: 1b 15 04 8a 00 35 00 23 b5 e9 00 01 01 00 00 01 | .....5.#.é......
0030: 00 00 00 00 00 00 05 72 65 67 69 73 03 65 64 75 | .......regis.edu
0040: 00 00 01 00 01                                  | .....





Packet 2 captured at 08/24/2000 04:02:14 PM; Packet size is 160(0xa0) bytes
      Relative time: 000:00:04.052
      Delta time: 0.013.007
Ethernet Version II
      Address: 00-C0-7B-6E-12-35 --->00-60-94-05-11-D9
      Ethernet II Protocol Type: IP
Internet Protocol
      Version(MSB 4 bits): 4
      Header length(LSB 4 bits): 5 (32-bit word)
      Service type: 0x00
            000. .... = 0 - Routine
            ...0 .... = Normal delay
            .... 0... = Normal throughput
            .... .0.. = Normal reliability
      Total length: 146 (Octets)
      Fragment ID: 47249
      Flags summary: 0x40
            0... .... = Reserved
            .1.. .... = Do not fragment
            ..0. .... = Last fragment
            Fragment offset(LSB 13 bits): 0 (0x00)
      Time to live: 252 seconds/hops
      IP protocol type: UDP (0x11)
      Checksum: 0xBFF2 
      IP address 199.117.27.21 ->205.169.85.162
      No option
User Datagram Protocol
      Port Domain Name Server ---> 1162
      Total length: 126 (Octets)
      Checksum: 0xED3D
Domain Name Service
      HEADER SECTION:
      Identifier: 1
      Flags:
            1... .... = Response packet
            .000 0... = OP Code is 0x00 - Query
            .... .0.. = Non-Authoritative Answer
            .... ..0. = No Truncation Packet
            .... ...1 = Recursion Desired
            1... .... = Recursion Available
            .000 .... = Reserved Bits
            .... 0000 = Response Code is 0 - No Error
      Section Entries:
            Question   Section: 1 Entrie(s)
            Answer     Section: 1 Entrie(s)
            Authority  Section: 2 Entrie(s)
            Additional Section: 2 Entrie(s)
      QUESTION SECTION[1]:
            Domain Name: regis.edu
            Query  Type: 1 = A - a host address
            Query Class: 1 = IN - the ARPA internet
      ANSWER SECTION[1]:
            Domain Name (w/Pointer): regis.edu
            RR  Type: 1 = A - a host address
            RR Class: 1 = IN - the ARPA internet
            RR Time To Live: 78691 second(s)
            RR Data  Length: 4 Octet(s)
            An ARPA internet address: 165.212.213.50
      AUTHORITY SECTION[1]:
            Domain Name (w/Pointer): regis.edu
            RR  Type: 2 = NS - an authoritative name server
            RR Class: 1 = IN - the ARPA internet
            RR Time To Live: 126610 second(s)
            RR Data  Length: 13 Octet(s)
            Domain Name: NS2.IEX.NET is a host has the Name Server


Hexadecimal Detail
Packet: 2
0000: 00 60 94 05 11 d9 00 c0 7b 6e 12 35 08 00 45 00 | .`...Ù.À{n.5..E.
0010: 00 92 b8 91 40 00 fc 11 bf f2 c7 75 1b 15 cd a9 | ..¸.@.ü....u..í©
0020: 55 a2 00 35 04 8a 00 7e ed 3d 00 01 81 80 00 01 | U..5...~í=......
0030: 00 01 00 02 00 02 05 72 65 67 69 73 03 65 64 75 | .......regis.edu
0040: 00 00 01 00 01 c0 0c 00 01 00 01 00 01 33 63 00 | .....À.......3c.
0050: 04 a5 d4 d5 32 c0 0c 00 02 00 01 00 01 ee 92 00 | .¥ÔÕ2À.......î..
0070: 00 02 00 01 00 01 ee 92 00 06 03 4e 53 31 c0 3b | ......î....NS1À;
0060: 0d 03 4e 53 32 03 49 45 58 03 4e 45 54 00 c0 0c | ..NS2.IEX.NET.À.

The last four bolded hex numbers, "a5 d4 d5 32," is the IP address of regis.edu expressed as a hexadecimal number. Remember, data sent across the Internet is comprised of a binary stream of 1s and 0s. If the number is converted to decimal, it is the IP address 165.212.213.50. Note just above the hexadecimal detail, the RR Time To Live is 78691 seconds. This number is also a binary number expressed in hex in the data stream. Incidentally, the "time to live" is how long the entry has left in the name server cache that requested it before it is aged out, or deleted.

[ Previous Section ] [ Unit Contents ] [ Next Lesson ]