Need More Addresses? Try Subnetting and NAT (TCP/IP) Part 2

Understanding how the DHCP protocol works — it’s client/server again

DHCP does its magic by using a well-established approach to networked computers: client/server networking. The DHCP server holds pools of IP addresses to lease to clients. When you turn on your computer (a DHCP client), it contacts your network’s DHCP server and asks to lease an address. The client and server negotiate the lease and — voila! You have an IP address to use for the duration of the lease.

Here’s how it works:

1. You turn on your computer.

TCP/IP starts, but remember, you’re leasing. You have no permanent IP address.

2. Your DHCP client software asks to lease an IP address.

This request is called a DHCP discover message. Because your computer has no IP address yet, the message is broadcast, and it identifies your computer by its MAC hardware address (the computer's name can travel along as an option). Your hardware address is burned into your NIC (network interface card), so the DHCP client software already knows where to find it.

3. Your DHCP client keeps broadcasting its lease request until a DHCP server responds.

The response is usually so quick, you don't notice any wait time. A DHCP server is software that runs on some host on the network; in a small network it's usually the router itself. The server software provides DHCP services, such as storing a pool of IP addresses in a central database and leasing you an IP address. If there's no DHCP server (maybe an earthquake destroyed it), your computer keeps trying but never gets its address. Many operating systems then fall back to a self-assigned link-local address (169.254.x.x), which works only for talking to other hosts on the same segment, so you still can't use TCP/IP applications or services beyond it.

4. Every DHCP server that hears your message and has an address to spare answers by offering a proposed IP address, the server's own IP address (its server identifier), a subnet mask, and the duration of the lease, which is expressed in seconds.

The server's response is called a DHCP offer message. The server temporarily reserves the address it offered you so that it doesn't offer the same address to someone else while you're negotiating.

Figure 5-4 shows the client and server negotiating.

5. Your DHCP client takes an offer, usually the first one to arrive, and broadcasts its acceptance.

The client responds to the server's offer message with a DHCP request message. The request message names the server whose offer you accepted and the address that server offered. Because the request is broadcast, the other servers learn that they lost and withdraw their offers, returning those addresses to their pools.

Figure 5-4:

The client and server pass messages to negotiate a lease for an IP address.

6. Your selected DHCP server records the lease in its database and sends you an acknowledgment message (DHCPACK) that confirms the address, the subnet mask, and the lease time.

7. Congratulations! You have an IP address.

Figure 5-5:

The DHCP server’s ACK tells the client that it has an IP address.

You can use TCP/IP applications and services as long as you want — or until your lease expires.
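Here is the exchange in steps 2 through 7 as an added example that is not part of the original text: a toy DHCP client and two toy DHCP servers in Python exchanging real DHCP message bytes (the BOOTP header plus options, as laid out in RFC 2131). The addresses, the MAC address, and the transaction ID are constructed for the demo, and the "servers" are Python objects called directly rather than reached over UDP ports 67 and 68. It shows the points the steps gloss over: the server reserves the offered address, the lease time travels in seconds, and the losing server withdraws its offer when the broadcast request names a different server.

```python
"""Toy DHCP DORA exchange: Discover, Offer, Request, Ack, with two competing servers.

Added example, not code from the original page. Addresses, MACs and the
transaction id are constructed for the demo; the wire format follows RFC 2131.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"            # marks the start of the options field
BOOTREQUEST, BOOTREPLY = 1, 2               # client -> server, server -> client
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_MASK, OPT_REQ_ADDR, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 50, 51, 53, 54, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # fixed 236-byte BOOTP header


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """Serialise one DHCP message; mac is 6 raw bytes, options is a list of (code, value bytes)."""
    head = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,        # flags: ask for broadcast replies
                       b"\0" * 4, IPv4Address(yiaddr).packed, IPv4Address(siaddr).packed,
                       b"\0" * 4, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return head + DHCP_MAGIC + body + bytes([OPT_END])


def parse(data):
    """Decode the header and the TLV options of a DHCP message into a dict."""
    f = struct.unpack(HEADER, data[:236])
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "siaddr": str(IPv4Address(f[9])), "mac": f[11][:6], "options": opts}


class DhcpServer:
    """Holds a pool of addresses; reserves one on DISCOVER and leases it on REQUEST."""

    def __init__(self, server_ip, pool, mask="255.255.255.0", lease_seconds=3600):
        self.ip, self.mask, self.lease_seconds = server_ip, mask, lease_seconds
        self.free = list(pool)     # addresses nobody holds
        self.offered = {}          # mac -> address reserved while the client decides
        self.leased = {}           # mac -> address with a live lease

    def handle(self, raw):
        msg = parse(raw)
        kind, mac = msg["options"][OPT_MSG_TYPE][0], msg["mac"]
        common = [(OPT_MASK, IPv4Address(self.mask).packed),
                  (OPT_LEASE, struct.pack("!I", self.lease_seconds)),   # option 51 is in seconds
                  (OPT_SERVER_ID, IPv4Address(self.ip).packed)]
        if kind == DISCOVER:
            if mac not in self.offered:
                if not self.free:
                    return None                 # nothing to offer; the client keeps broadcasting
                self.offered[mac] = self.free.pop(0)   # reserve it so no one else is offered it
            return build(BOOTREPLY, msg["xid"], mac, OFFER, self.offered[mac], self.ip, common)
        if kind == REQUEST:
            chosen = str(IPv4Address(msg["options"][OPT_SERVER_ID]))
            wanted = str(IPv4Address(msg["options"][OPT_REQ_ADDR]))
            if chosen != self.ip:               # client picked another server: withdraw our offer
                if mac in self.offered:
                    self.free.append(self.offered.pop(mac))
                return None
            if self.offered.get(mac) != wanted:  # asked for something we never offered
                return build(BOOTREPLY, msg["xid"], mac, NAK, siaddr=self.ip, options=common[2:])
            self.leased[mac] = self.offered.pop(mac)
            return build(BOOTREPLY, msg["xid"], mac, ACK, wanted, self.ip, common)
        return None


def dora(mac, servers, xid=0x3903F326):
    """Play the client: broadcast DISCOVER, take the first OFFER, broadcast REQUEST, return the lease."""
    offers = [o for o in (s.handle(build(BOOTREQUEST, xid, mac, DISCOVER)) for s in servers) if o]
    if not offers:
        return None                             # no server answered; a real client retries
    first = parse(offers[0])
    request = build(BOOTREQUEST, xid, mac, REQUEST, options=[
        (OPT_REQ_ADDR, IPv4Address(first["yiaddr"]).packed),
        (OPT_SERVER_ID, first["options"][OPT_SERVER_ID])])
    replies = [server.handle(request) for server in servers]   # every server sees the broadcast REQUEST
    for reply in replies:
        if reply and parse(reply)["options"][OPT_MSG_TYPE][0] == ACK:
            ack = parse(reply)
            return {"address": ack["yiaddr"], "server": ack["siaddr"],
                    "mask": str(IPv4Address(ack["options"][OPT_MASK])),
                    "lease_seconds": struct.unpack("!I", ack["options"][OPT_LEASE])[0]}
    return None


if __name__ == "__main__":
    fast = DhcpServer("192.168.1.1", ["192.168.1.100", "192.168.1.101"])
    slow = DhcpServer("192.168.1.2", ["192.168.1.200"])
    print(dora(b"\x00\x11\x22\x33\x44\x55", [fast, slow]))
```

Run it and it prints the lease the client obtained from the first server to answer, while the second server's pool is back to full because it saw the request name a different server identifier. Hand `dora()` an empty server list, or a server whose pool is empty, and it returns None, which is the "earthquake" case in step 3.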

Being evicted after your lease expires

Usually a DHCP server renews your lease with no problem. In fact, you don't have to do anything. Halfway through the lease, your DHCP client quietly asks the server that issued the lease to renew it; if that server doesn't answer, the client waits until later in the lease and broadcasts the renewal request so that any server can hear it. The entire process is automatic and doesn't interfere with what you're doing.

If the DHCP server dies during your lease, you keep your IP address until the lease expires, but you won't be able to renew it. When your lease expires, your client must stop using the address, and with it goes your ability to use TCP/IP services and applications.

Because a broadcast renewal request can be answered by any DHCP server that manages the address range your lease came from, your network administrator should configure more than one DHCP server (with pools that don't overlap, or with a shared lease database). That way, a lone DHCP server is not the single point of failure on the network.

Sharing Addresses with Network Address Translation (NAT)

NAT (also called IP NAT) consists of two parts:

✓ A pass-through between your private intranet and the outside world (public Internet)

✓ A translator to and from private IP addresses to global IP addresses

NAT allows multiple computers on one intranet to share one officially registered (public) IP address. Only one device on the intranet needs a registered IP address to reach the Internet; the device that has the official IP address is called a NAT router. Requests from the hosts on your intranet go through the NAT router on their way to and from the Internet.

Using IPv6 removes the need for NAT because IPv6 provides so many addresses that there’s no need to share. If you’re running IPv6, pat yourself on the back, have a piece of layer cake, and skip the sections about NAT. If you stay with this topic, you get a glimpse of how NAT works behind the scenes, how to ensure your NAT configuration is secure, and how NAT and DHCP work together.

Understanding how NAT works

When packets move from inside your intranet through the NAT router, those packets seem to come directly from the router; they carry the router's external address. Here's how it works. When a request comes from one of the hosts on your intranet, the NAT router replaces that host's private source IP address with its own global address and writes an entry in its translation table recording which inside host the connection belongs to. When several inside hosts share one public address, the router also rewrites the source port number, because the port is the only thing left that tells the connections apart. The NAT software then sends the message out to the world on behalf of the local requester. When a response comes back, the NAT router looks up the table, reverses the procedure, removes its own address from the message, and restores the originating computer's address. Figure 5-6 shows NAT running on a router.

NAT comes in two flavors:

✓ Static NAT maps each host on your private intranet to its own permanent public address (one private address to one public address).

✓ Dynamic NAT assigns public addresses from a pool on an as-needed basis. The many-to-one form that home routers use, in which every inside host shares a single public address and the router tells the connections apart by port number, is dynamic NAT with port translation (NAPT, also called PAT or overloading).

Figure 5-6:

NAT translates multiple private addresses to one public address and back again.

Securing NAT

Using Dynamic NAT has a side benefit for security: your internal addresses are not visible to the outside world. An outsider watching your traffic sees only the NAT router's public address, not the private address of the computer hidden behind it.

Your private hosts reach the Internet only through the NAT router, and all their requests leave carrying the NAT router's address. When an unsolicited request arrives from the Internet for one of your private hosts, the router has no translation-table entry for it, so it has nowhere to deliver the packet and drops it. As far as the Internet is concerned, your host's IP address doesn't exist; incoming requests see only the NAT router's address. Don't mistake this for a firewall, though. Hidden is not the same as unreachable: a table entry created by your own outbound traffic lets replies in, a port-forwarding rule on the router exposes an inside host on purpose, and an application can leak your private address in its data (see the FTP discussion later in this topic). Keep a firewall in front of, or on, the hosts behind NAT.

Making NAT and DHCP work together

The computer acting as a NAT router can also be the DHCP server that leases IP addresses to the other computers on the intranet. The computer that serves as the NAT router might also be a DHCP client, getting its official IP address from the ISP. Microsoft's Internet Connection Sharing (a feature of older Windows operating systems, such as Windows 98 Second Edition, Windows 2000, and Windows XP Professional) functions as a DHCP server and NAT router. The network we use for most of this topic's examples uses NAT and DHCP. Instead of requesting a Class C network for our small intranet, we have one computer with an IP address assigned by our ISP. Figure 5-7 shows a piece of our intranet and how a Web-browser request goes through our NAT router and out to the Internet.

Figure 5-7:

NAT saves our house from needing seven IP registrations.

Here the router, with multiple NICs inside, serves three roles:

✓ NAT router: Again, this is the computer that has the official IP address.

✓ DHCP Client: It gets our official IP address from our ISP. One NIC connects us to our ISP through a cable modem.

✓ DHCP server: It leases IP addresses to the other computers on our in-house intranet. The other NIC goes to a hub that connects all the in-house computers.

The browser request follows these steps:

1. The packet leaves tweety with tweety's private IP address as its source, and it goes to the combination router/DHCP server. The router replaces tweety's IP address with its own public address and records the translation in its table.

2. The router sends tweety's browser request out to the Web server.

3. The response comes back addressed to the router's public IP address. The router receives the response packet, looks up its table, removes its own address, and puts tweety's IP address back as the destination.

4. The router forwards the response to tweety.

Swallowing NAT incompatibilities

Thank goodness the TCP/IP Restaurant at the End of the Universe allows address substitutions. A NAT router works by rewriting IP addresses in the packet header. NAT assumes that IP addresses only occur in the Internet layer of the TCP/IP model. NAT’s assumption is usually true, but not always. Figure 5-8 shows the fields in an IP packet header.

Figure 5-8:

NAT rewrites the IP addresses in the IP packet header.

Some applications also carry IP addresses inside their own data, and NAT doesn't look beyond the IP packet header. FTP, the File Transfer Protocol, is the classic example. In active mode the FTP client sends the server a PORT command that spells out, in the application data, the IP address and port number to which the server should open the data connection. NAT rewrites the address in the IP header but never sees the copy inside the PORT command, so the server is told to connect to a private address it cannot reach. Result (oops): You don't get your file.

This incompatibility between the IP address embedded in application-layer data and the rewritten address provided by the NAT router affects other applications besides FTP. Applications that have compatibility difficulties with NAT include IPsec (widely used for VPNs; its AH mode authenticates the IP header, so any rewrite of it fails the integrity check, and ESP needs the NAT traversal extension, NAT-T, which wraps the packets in UDP), video games (such as Halo), and the Internet Relay Chat (IRC) protocol, whose DCC transfers embed addresses the way FTP does.

There are various workarounds for these NAT/application address incompatibilities: the NAT router can run a helper for each affected protocol (an application-layer gateway, or ALG) that finds the embedded address and rewrites it too, or the application can be made NAT-aware, discovering its public address and keeping its table entry alive, which is the approach NAT-T takes for IPsec. But remember that IPv6 is coming. IPv6 makes NAT processing unnecessary in most situations. If you're already using IPv6, the workarounds are yesterday's news; if you're not there yet, read on.
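To make the translation table concrete, here is an added example in Python (mine, not code from the original text) that puts together the port-translating NAT described under "Understanding how NAT works", the four-step browser walk-through for tweety, and the FTP PORT problem. The public address 203.0.113.5, the Web and FTP server addresses, tweety's address 192.168.1.10, and the port numbers are constructed for the demo; `Packet`, `Napt`, and the PORT-command helpers are my own names. The FTP fix shown is the application-layer-gateway workaround that real NAT routers implement: the helper spots the PORT command, rewrites the embedded address, and pre-creates the table entry for the data connection the server will open back.

```python
"""Toy NAPT router (many private hosts behind one public address) plus the FTP PORT problem.

Added example, not code from the original page. The addresses, ports and the
'tweety' host are constructed for the demo; the FTP helper mimics the kind of
application-layer gateway (ALG) real NAT routers use as a workaround.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_port_cmd(payload):
    """Return the (ip, port) spelled out in an FTP PORT command, or None if there is none."""
    m = PORT_CMD.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_port_cmd(ip, port):
    """Build the PORT command text for ip:port (without the trailing CRLF)."""
    return b"PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


class Napt:
    """Rewrites source address *and* port on the way out and reverses it on the way back."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.outbound_map = {}   # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.inbound_map = {}    # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def _allocate(self, priv_ip, priv_port, remote_ip, remote_port):
        port, self.next_port = self.next_port, self.next_port + 1
        self.outbound_map[(priv_ip, priv_port, remote_ip, remote_port)] = port
        self.inbound_map[(port, remote_ip, remote_port)] = (priv_ip, priv_port)
        return port

    def outbound(self, pkt):
        """Steps 1-2: replace the private source with the router's public address and a mapped port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound_map.get(key) or self._allocate(*key)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Steps 3-4: map the reply back to the private host, or drop it if nobody asked for it."""
        entry = self.inbound_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None          # no table entry: unsolicited traffic has nowhere to go
        priv_ip, priv_port = entry
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.payload)

    def outbound_with_ftp_alg(self, pkt):
        """Like outbound(), but also fixes the address FTP hides inside its PORT command."""
        translated = self.outbound(pkt)
        cmd = decode_port_cmd(pkt.payload)
        if pkt.dport == 21 and cmd:
            data_ip, data_port = cmd
            # Active-mode servers connect back from port 20 (RFC 959); pre-map that connection.
            pub_port = self._allocate(data_ip, data_port, pkt.dst, 20)
            translated.payload = PORT_CMD.sub(encode_port_cmd(self.public_ip, pub_port), pkt.payload)
        return translated


def demo():
    """Walk tweety's browser request through the router, then show FTP without and with the ALG."""
    tweety, web, ftp_server = "192.168.1.10", "198.51.100.7", "198.51.100.20"
    nat = Napt("203.0.113.5")
    out = nat.outbound(Packet(tweety, 51000, web, 80, b"GET / HTTP/1.1\r\n"))
    back = nat.inbound(Packet(web, 80, out.src, out.sport, b"HTTP/1.1 200 OK\r\n"))
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 40001))   # nobody asked for this
    ctrl = Packet(tweety, 51001, ftp_server, 21, b"PORT 192,168,1,10,199,10\r\n")   # 199*256+10 = 50954
    seen_without_alg = decode_port_cmd(nat.outbound(ctrl).payload)   # server is told a private address
    alg = Napt("203.0.113.5")
    seen_with_alg = decode_port_cmd(alg.outbound_with_ftp_alg(ctrl).payload)
    data = alg.inbound(Packet(ftp_server, 20, seen_with_alg[0], seen_with_alg[1], b"file bytes"))
    return {"web_out": out, "web_back": back, "stray": stray,
            "port_without_alg": seen_without_alg, "port_with_alg": seen_with_alg, "ftp_data": data}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `stray` entry shows why NAT looks like protection: a packet with no table entry is dropped. The `port_without_alg` entry shows why it is not a complete picture: the FTP server is handed tweety's private address, which it cannot reach, and only the ALG-rewritten command lets the data connection come back through the table.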

Digesting NAT-PT (Network Address Translation-Protocol Translation)

NAT-PT does what NAT does — it hides a private network behind a NAT router, and the router substitutes a global IP address for the addresses of the computers in the private network — but it doesn’t stop there. NAT-PT lets IPv6 hosts communicate with IPv4 hosts and vice versa. Of course, you have to put a dual-stack router (a router that understands both IPv4 and IPv6) on the boundary between the IPv4 network and the IPv6 network to get NAT-PT to work.

When IPv6 packets go to IPv4 hosts, NAT-PT overwrites the IPv6 address with an IPv4 address. When IPv4 packets go to IPv6 hosts, NAT-PT overwrites the IPv4 address with an IPv6 address. You can see how NAT-PT works in Figure 5-9. Don't worry about the weird-looking address with colons (:) in it. That is an IPv6 address.

NAT-PT is especially useful for an organization that has started to move to IPv6 and has a mix of IPv4 and IPv6 computers on its networks. Be aware, though, that the IETF has since deprecated the NAT-PT specification (RFC 4966) because of its DNS and security shortcomings; the same job is now done by NAT64 together with DNS64, which a dual-stack translator at the boundary runs in its place.

Figure 5-9:

NAT-PT translates IPv4 to IPv6 and vice versa.
