Figure 1. OSI layers and the protocols that operate at each layer.

| OSI LAYER | SERVICE | TCP/IP SUITE | APPLE | MICROSOFT | NOVELL |
|---|---|---|---|---|---|
| 7 Application | File transfer, browsing, mail, network management, remote terminal session | FTP, Finger, HTTP, SHTTP, POP3, SMTP, SNMP, Telnet | | | |
| 6 Presentation | Encryption, data conversion (e.g. BCD to binary, ASCII to EBCDIC) | | AppleTalk Filing Protocol (AFP) | Server Message Block (SMB) | NetWare Core Protocols (NCP) |
| 5 Session | Start, stop session | DNS | AppleTalk Session Protocol (ASP) | Network Basic Input/Output System (NetBIOS) | Network Basic Input/Output System (NetBIOS) |
| 4 Transport | Flow control, multiplexing, error checking and recovery | TCP, UDP | AppleTalk Transaction Protocol (ATP) | Network Basic Extended User Interface (NetBEUI) | Sequenced Packet Exchange (SPX) |
| 3 Network | Routing to LANs and WANs | IP, DHCP | Datagram Delivery Protocol (DDP) | | Internet Packet Exchange (IPX) |
| 2 Data Link | Transmit data from node to node | SLIP, PPP | | | |
| 1 Physical | Cabling and electrical signals | Ethernet | Ethernet | Ethernet | Ethernet |
AppleTalk is used for printing and file sharing on the Macintosh. It can be turned on or off with the AppleTalk Control Panel. You also select the port by which your Mac connects to the AppleTalk network: either via the modem port, the printer port, or the Ethernet port. For some peripherals AppleTalk must be turned off. For example, AppleTalk must be turned off for my Olympus digital camera to connect to my Mac via the printer port. I haven't learned more about AppleTalk than that, because Apple has made it simple for the user. TCP/IP, the suite of protocols used on the Internet, is not so simple, and so I have more to say about that.
Each layer of a network has a function, as indicated in Figure 1. A given layer in the OSI stack generally communicates with three other OSI layers: the layer directly above it, the layer directly below it, and its peer layer in other networked computer systems. A layer communicates with another in order to obtain the service it provides.
Communications are broken into pieces (called packets, datagrams or frames), each with a header containing addressing information. It's as though a book were sent through the mail page by page, each page wrapped in an envelope (the datagram) with an address (the header) on the outside.
For data to move across a network from one application to another, it must move through each of the OSI levels. For example, when you request a web page, your browser application must send that request to the Application layer. It acquires a header and is sent to the Presentation layer, where it is again encapsulated within another protocol, given another header, and sent down to the Session layer. It moves on down to the Physical layer, where it is transported over the Ethernet cables. The concept of encapsulation is depicted in Figure 2.
Figure 2. Encapsulation as data passes down the layers on System A and back up the layers on System B.
I will not talk about each of the TCP/IP protocols, but will limit this article to those topics you may need to set up a home network like the one in my house. That work will involve the use of the three control panels I mentioned above: AppleTalk, File Sharing, and TCP/IP. In addition, setting up a SonicWALL firewall will lead us to several other topics.
First, note that both AppleTalk and TCP/IP run over Ethernet. This is indicated in Figure 1, and is reflected in the Connect via Ethernet setting that you make in the two control panels. Ethernet is a LAN protocol that operates at OSI layers 1 and 2. That is, it moves data around inside my house, but to get the data out to the phone company and onto the Internet, higher layer protocols (PPP, IP, TCP) are needed. Ethernet comes in various flavors, of which the most familiar is 10BaseT. The 10 means 10 MHz, the rate at which bits are transmitted. The T means twisted pair, the physical conductor of 10BaseT Ethernet. Other types of Ethernet include Gigabit Ethernet, 100BaseT, 10Base5 (ThickNet), and 10Base2 (ThinNet). The last two types use more expensive coaxial cable and connectors, and have been replaced for the most part by 10BaseT and 100BaseT. Gigabit Ethernet operates at one billion bits per second over optical fiber. An Ethernet frame is shown in Figure 3.
Figure 3. Ethernet frame.

| LENGTH (bits) | FIELD NAME | FUNCTION |
|---|---|---|
| | Preamble | Alerts receiving nodes that a frame is coming |
| | Destination address | To: MAC address |
| | Source address | From: MAC address |
| | Type | Specifies the upper-layer protocol to receive the data after Ethernet processing is completed |
| | Data | |
| | FCS | Frame check sequence to detect errors |
The IEEE (Institute of Electrical and Electronic Engineers) has broken the Data Link layer into two sublayers, the Logical Link Control (LLC) and Media Access Control (MAC). MAC addresses are hardware addresses that identify each node on a network. They are also known as Ethernet addresses. MAC addresses are 48 bits in length and are expressed as 12 hexadecimal digits. A hexadecimal digit can take the 16 values 0-15, and is written 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. The MAC address of the Ethernet card on the computer on which I am writing this is 00 30 65 51 0E A8, sometimes written 00:30:65:A8:51:0E. The first 6 hexadecimal digits, which are administered by the IEEE, identify the manufacturer or vendor. You can find the MAC address of your Mac from the TCP/IP Control Panel. Click the Info button in the lower left corner of the TCP/IP window, and the MAC address will be displayed as the hardware address. You needn't be concerned with the MAC address, since with standard Apple software you don't have any control over it. It is set at the factory, and you don't reset it or enter it in any control panel or firewall configuration. Figure 4 gives the settings in the AppleTalk Control Panels for three computers on my home network.
Figure 4. AppleTalk Control Panel settings for three computers on my home network.

| AppleTalk | iBook | G4 | Quadra 800 |
|---|---|---|---|
| Connect via | AirPort | Ethernet | Ethernet |
| Current zone | <no zones available> | <no zones available> | <no zones available> |
| AppleTalk address | | | |
| Node | 174 | 128 | 92 |
| Network | 65114 | 65802 | 65664 |
| Network range | 0 to 65534 | 0 to 65534 | 0 to 65534 |
| Addresses | | | |
| This Macintosh | 65114.174 | 65802.128 | 65664.92 |
| Hardware address | 00 30 65 30 10 73 | 00 30 65 51 0E A8 | 08 00 07 2B D2 9C |
| Router | <not available> | <not available> | <not available> |
The AppleTalk Control Panel is a view into OSI layers 1 and 2 on your Macintosh. When you open the TCP/IP Control Panel, you're into OSI layers 3 and 4. The Internet Protocol (IP) is in layer 3 of the TCP/IP protocol stack. An IP datagram is shown in Figure 5.
Figure 5. IP datagram.

| LENGTH (bits) | FIELD NAME | FUNCTION |
|---|---|---|
| | Version | Version of the IP header |
| | IHL | Internet header length in units of 32-bit words; points at beginning of data |
| | Type of service | Quality of service, in terms of precedence, delay, throughput and reliability |
| | Total length | Total length of datagram, in units of 8-bit words; usually limited to 576 octets |
| | Identification | Aids in assembling the fragments of a datagram |
| | Flag | Controls fragmentation of datagram |
| | Fragment offset | Indicates where in the datagram this fragment belongs |
| | Time to live | Limits the time a datagram can stay in the internet system |
| | Protocol | Indicates the next level protocol used in the data portion of the datagram |
| | Header checksum | Error detection for the header only |
| | Source address | IP address of the author of the datagram |
| | Destination address | IP address of the destination to which the datagram is directed |
| | Options + Padding | |
| | Data | |
The fields of the IP header you are most often concerned with are the Source Address and Destination Address. These are the To and From IP addresses. Since a 32-bit binary number is inconveniently long to write out, IP addresses are written as four "octets" separated by periods. An octet can take 2^8 = 256 values, from 0 to 255. For example, the IP address for google.com is 64.208.34.100. Written in binary format, that is 00001000000110100001000101100100, which is harder to copy without error. IP addresses are assigned by the Internet Address Naming Authority (IANA) so that no two servers have the same address. The IANA has left some blocks of IP addresses unassigned, reserved for the use of private intranets, such as the private network behind my firewall. The unassigned IP number ranges are 10.x.x.x, 172.16.x.x-172.32.x.x, and 192.168.x.x, where x can have any value from 0 to 255. Therefore, there should be no servers connected to the Internet with an address in those ranges. Since 2^32 = 4,294,967,296, the IP version 4 limit of 32-bit IP addresses means there can be no more than 4.3 billion IP addresses. With the growth in the Internet and in the use of TCP/IP, this limit is being reached, so IP version 6, being introduced now, will use IP addresses up to 128 bits long.
The service provided by IP is transmission of datagrams, fragmentation of large datagrams when required, and reassembly of datagram fragments. The IP service does not include reliability (error detection and correction), flow control (adjusting transmission rate so slower nodes can keep up with faster nodes), or proper sequencing of datagrams to reassemble a long message. Those services are provided instead by a higher level protocol, the Transmission Control Protocol (TCP). A TCP datagram is shown in Figure 6.
Figure 6. TCP datagram.

| LENGTH (bits) | FIELD NAME | FUNCTION |
|---|---|---|
| | Source port | |
| | Destination port | |
| | Sequence number | |
| | Acknowledgement number | |
| | Data offset | Total length of TCP header, in units of 32-bit words; points to where the data begins |
| | Reserved | For future use |
| | Control bits | |
| | Window | Limit on the size of data field, in units of 8 bits |
| | Checksum | Error detection for header and data |
| | Urgent pointer | |
| | Options + Padding | |
| | Data | TCP data or higher layer protocol |
The port fields in a TCP header are used by the firewall to correctly route messages from the Internet to the proper clients on the LAN. They are also used for messages going the other direction, from clients to servers that offer multiple services. A single server on the Internet can host more than one service. That is, it may serve files using FTP, web pages using HTTP, and mail using SMTP. A client request is directed to the correct service by the destination port number, which is part of the request. The destination port is a 16-bit number (0 to 65525) in the TCP protocol. The TCP header also contains the source port number. Some port numbers (0-1023) are "well known"; the list is maintained by the IANA (Internet Assigned Numbers Authority). Some of these are shown in Figure 7.
Figure 7. Some well-known port numbers.

| PORT | SERVICE |
|---|---|
| 23 | Telnet |
| 20 | FTP (File Transfer Protocol) |
| 21 | FTP |
| 25 | SMTP (Simple Mail Transport Protocol) |
| 53 | DNS (Domain name server) |
| 70 | GOPHER |
| 79 | Finger |
| 80 | HTTP (Hypertext Transfer Protocol) |
| 107 | Remote Telnet |
| 109 | POP (Post Office Protocol) |
| 110 | POP |
| 144 | News |
| 194 | IRC (Internet Relay Chat Protocol) |
| 220 | IMAP (Interactive Mail Access Protocol) |
| 531 | Chat |
| 532 | Readnews |
Note that we have defined three different addresses used in the TCP/IP suite:
Which address is used depends on which service is being performed. En route to your Internet service provider, a datagram traverses several other devices, and depending on the function performed by each device, it is passed up to the layer at which the function is performed, then passed back down to the Physical layer for transmission to the next node. For example, an Ethernet hub is an OSI layer 1 device, so it just passes on the signals it receives from one node to all other ports on the hub, without any translation. However, a bridge, such as a Base Station, needs a MAC address to which to forward a datagram. This is a level 2 function. My firewall lets a packet through only if it passes certain tests, and those tests can be at levels 3, 4, or 5.
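To make the encapsulation of Figure 2 and the three kinds of address concrete, here is an added example (not code from the article) that builds one Ethernet/IP/TCP frame and then walks back up the layers, checking the IP header checksum on the way. The G4's MAC and LAN address, the google.com address and the firewall's hardware address are taken from the article's figures; using the firewall's hardware address as the frame's destination MAC, the source port and the request text are assumptions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800   # Ethernet "Type" value meaning "hand the data to IP"
PROTO_TCP = 6             # IP "Protocol" value meaning "hand the data to TCP"


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_header_checksum(header):
    # One's-complement sum of the header's 16-bit words (RFC 791). Over a header
    # whose checksum field is zero it yields the checksum to insert; over a header
    # that already carries a correct checksum it yields zero.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Wrap payload in TCP, then IP, then Ethernet (Figure 2, top to bottom).
    The TCP checksum is left zero in this constructed sample; the parser does not check it."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_header_checksum(ip)) + ip[12:]   # fill Header checksum
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Walk up the layers: Ethernet (2) -> IP (3) -> TCP (4), collecting the MAC
    addresses, IP addresses and port numbers that each layer uses."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"Ethernet Type 0x{ethertype:04X} is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IHL is counted in 32-bit words
    if ip_header_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch: header damaged in transit")
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != PROTO_TCP:
        raise ValueError(f"IP Protocol {ip[9]} is not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4              # Data offset, also in 32-bit words
    return {
        "layer2_src_mac": mac_str(src_mac), "layer2_dst_mac": mac_str(dst_mac),
        "layer3_src_ip": ip_str(ip[12:16]), "layer3_dst_ip": ip_str(ip[16:20]),
        "layer4_src_port": src_port, "layer4_dst_port": dst_port,
        "payload": tcp[data_offset:],
    }


# Constructed sample: the G4 (MAC and LAN address from Figures 4 and 8) sends an
# HTTP request to the address the text gives for google.com. The destination MAC
# is the firewall's hardware address from Figure 11 (assumed to be its LAN port);
# the source port and the request text are made up.
SAMPLE_FRAME = build_frame(
    dst_mac=bytes.fromhex("0040100CDE62"), src_mac=bytes.fromhex("003065510EA8"),
    src_ip=bytes([192, 168, 114, 2]), dst_ip=bytes([64, 208, 34, 100]),
    src_port=49152, dst_port=80, payload=b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{name:16} {value}")
```

A hub would forward this frame unread, the Base Station would look only at the layer 2 fields, and the firewall's tests use the layer 3 and 4 fields.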
The TCP/IP Control Panel is the place where you set the IP address of your computer and of your ISP. Figure 8 shows the TCP/IP settings for three of the computers in my home network, which is shown in Figure 9. The possible settings for the Configure field are Manually, Using PPP Server, Using BootP Server, and Using DHCP Server. If I had a fixed IP address given me by my ISP and no firewall, I would Configure Manually and enter that IP address in TCP/IP. However, I am using a firewall, which defines a LAN on the "safe" side. The other side of the firewall is the WAN, or Internet side. The Configure Using DHCP Server setting in TCP/IP Control Panels means that all three computers, which are on the LAN, get their IP addresses from the firewall. DHCP stands for "Dynamic Host Configuration Protocol". DHCP's purpose is to supply you an IP address, from a pool held by the server. The alternative is for each client to have a fixed IP address, which would mean more IP addresses would be used. DHCP runs over UDP, utilizing ports 67 and 68. In DHCP's typical use, the server uses a requesting computer's MAC address to uniquely identify it. A DHCP lease is the amount of time that the DHCP server grants to the DHCP client permission to use a particular IP address. I didn't enter the values shown in Figure 8; they were provided by the firewall. For this to happen, I have to tell each computer, using the TCP/IP Control Panels, to look to the router (the firewall) at 192.168.114.1 for an IP address; and I have to tell the firewall to turn on DHCP. (I'll show where you do that later.)
Figure 8. TCP/IP Control Panel settings for three computers on my home network.

| TCP/IP | iBook | G4 | Quadra 800 |
|---|---|---|---|
| Connect via | AirPort | Ethernet | Ethernet |
| Configure | Using DHCP Server | Using DHCP Server | Using DHCP Server |
| IP Address | 192.168.114.4 | 192.168.114.2 | 192.168.114.5 |
| Subnet mask | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Router address | 192.168.114.1 | 192.168.114.1 | 192.168.114.1 |
| Name server addr. | blank | 199.46.23.38 | 199.46.23.38 |
Figure 9. My home network.

                                    H-P Laserjet   Quadra800
                                              \     /
    Internet---PhoneCo---DSLmodem---SonicWALL---Hub---G4
                                              /     \
                             iBook---BaseStation     G3 downstairs
The field Subnet Mask tells each computer what is local and what is remote. If a computer wants to communicate with an IP address that is local (on the LAN), it does so directly. If it wants to communicate with a remote IP address (on the Internet), it has to go via the router, whose address is given in another field in the TCP/IP Control Panel. The operation of a subnet mask is better understood if we rewrite it in binary notation. When we do that, 255.255.255.0 becomes 11111111.11111111.11111111.00000000. The 1 means "same as" and the 0 means "variable". The subnet mask is applied to the router address, and the result is "Any IP address that is the same as 192.168.114.x, where x is between 0 and 255, is on the LAN". With this subnet mask, there can be 255 nodes on the LAN.
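The following added example (not code from the article) carries out the two conversions discussed above and in the IP address section: it writes a dotted address in binary, applies a subnet mask to decide whether a destination is on the LAN or must go via the router, and checks whether an address falls in one of the private blocks. The addresses are the ones the article uses; the private-block test goes slightly beyond the text by using the actual 172.16.0.0/12 boundary (172.16.x.x through 172.31.x.x) and by counting the network and broadcast addresses as unusable.

```python
# Private address blocks as (base address, mask). The 172 block is 172.16.0.0/12,
# so it ends at 172.31.255.255.
PRIVATE_BLOCKS = (
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
)


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer, rejecting anything that is not four octets."""
    octets = [int(p) for p in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """The 32-bit binary form of an address, grouped one octet per 8 bits."""
    bits = f"{to_int(dotted):032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def same_lan(addr, router, mask):
    # Wherever the mask bit is 1 ("same as") the address must match the router;
    # wherever it is 0 ("variable") any value is accepted. That is a bitwise AND.
    return to_int(addr) & to_int(mask) == to_int(router) & to_int(mask)


def next_hop(addr, router, mask):
    """Local destinations are reached directly; everything else goes to the router."""
    return addr if same_lan(addr, router, mask) else router


def lan_range(router, mask):
    """Network address, broadcast address and number of addresses left for nodes.
    The all-zeros (network) and all-ones (broadcast) host parts are not assignable."""
    net = to_int(router) & to_int(mask)
    bcast = net | (~to_int(mask) & 0xFFFFFFFF)
    return to_dotted(net), to_dotted(bcast), bcast - net - 1


def is_private(addr):
    """True if addr lies in a block IANA reserved for private intranets."""
    return any(same_lan(addr, base, mask) for base, mask in PRIVATE_BLOCKS)


if __name__ == "__main__":
    router, mask = "192.168.114.1", "255.255.255.0"     # values from Figure 8
    print(to_binary("64.208.34.100"))
    for dest in ("192.168.114.5", "64.208.34.100"):
        print(dest, "->", next_hop(dest, router, mask), "private" if is_private(dest) else "public")
    print(lan_range(router, mask))
```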
The Name Server Address gives the location of the server that converts URLs (uniform resource locators, such as google.com and wap.org) to IP addresses. Domain names are easier to remember than IP addresses, and often contain trademarked terms, such as kodak.com or kleenex.com. A domain name server (DNS) is a server that either can translate a URL into an IP address or knows where to ask. Resolving URLs into IP addresses is an OSI layer 5 process.
You configure a computer using AppleTalk and TCP/IP Control Panels. To configure a Base Station, you use the AirPort application and the AirPort Admin Utility application. Figure 10 shows the settings for these applications on my network. Note that "AirPort ID" is the hardware address of the AirPort card in my iBook, the same as the hardware address that I read in the AppleTalk Control Panel. If I had AppleTalk set to Connect via Ethernet, the Hardware Address displayed would be for the Ethernet card in the iBook, which is different from the AirPort card. The Base Station ID is the hardware (MAC) address for the wireless network card in the Base Station. We will see below that the Base Station has another MAC address, for the Ethernet card it contains. While a Base Station contains a modem and can dialup to an ISP, that capability is not used in my network and my Base Station is not connected to a phone line. The RJ45 Ethernet port of my Base Station is connected to the firewall via a hub. My Base Station functions as a bridge from the wireless network to the wired Ethernet. As I noted earlier, a bridge operates at OSI level 2 and reads MAC addresses to send datagrams to the correct nodes on the Ethernet. I've given the same name to my wireless network and to my Base Station.
Figure 10. AirPort and AirPort Admin Utility settings.

AirPort
  AirPort ID: 00 30 65 30 10 73
  Base Station ID: 00 60 1D F2 42 C9

AirPort Admin Utility
  Base Station name: LaGuardia
  IP Address: 192.168.114.3
  Configure
    Airport tab
      Identity [Base Station name]: LaGuardia
      Network name: LaGuardia
    Internet tab
      Connect using: Ethernet
      Configure TCP/IP: Using DHCP
    Network tab
      Distribute IP addresses: Not selected
My firewall took some time to set up, though the large number of parameters to set there stimulated me to learn more about networks and how a Macintosh connects to them. The basic problem was that I needed an upgrade to the SonicWALL to allow me to connect using PPPoE. The firewall is like a computer that uses solid state flash memory instead of a hard disk. Whereas a computer application is updated by revising the software on the hard disk, the SonicWALL is updated by uploading new firmware to its flash memory. The updates are obtained from the http://firmware.sonicwall.com/ web site. The expanded update is a file with the extension .bin. This is not a compressed file; running Stuffit or BinHex or other decompression applications to expand it is unnecessary. It is ready to upload as is.
To get it into your firewall, you connect a computer to the private side (a.k.a. safe or LAN side, to distinguish it from the Internet or WAN side) of the firewall and navigate to the firewall with a browser. As SonicWALL comes from the factory, its address is http://192.168.168.168. It behaves like a web server, and provides HTML pages to show the settings currently loaded and forms to allow you, the administrator, to input new settings. The factory settings do not allow any access to this web site except from computers on the private side that supply the correct userid and password. The userid is always "admin" and the password should be changed by you when you first access the firewall and begin setting it up. It is possible to change the settings so that someone from the WAN can access the firewall, e.g. to administer it remotely; but that is less secure than requiring an administrator to physically be present in your home. To load new firmware, you click the Tools button on the page at http://192.168.168.168 and select the Firmware tab. Note that if you sit and think about what to do for 5 minutes or longer, your authentication expires, and you have to re-enter userid and password. To help you in configuring SonicWALL for DSL, there is an assistant, which you can invoke if it does not launch automatically, by clicking the Tools button on the page at http://192.168.168.168 then the Launch Wizard button at the Preferences tab.
Figure 11. SonicWALL settings.

General button
  Status tab
    Serial number (hardware address): 00 40 10 0C DE 62
  Network tab
    Network Addressing Mode: NAT with PPPoE Client
    LAN Settings
      SonicWALL LAN IP Address: 192.168.114.1
      LAN Subnet Mask: 255.255.255.0
    ISP Settings (PPPoE)
      User Name:
      Password:
    WAN Settings
      WAN Gateway (Router) Address: 10.1.1.2
      SonicWALL WAN IP (NAT Public) Address: 142.155.40.17
    DNS Settings
      DNS Server 1: 199.46.23.43
      DNS Server 2: 199.46.23.38

DHCP button
  Setup tab
    General
      Enable DHCP Server: selected
      Lease Time: 60 min
      Client Default Gateway: 192.168.114.1
    DNS
      Specify manually
      DNS Server 1: 199.46.23.38
      DNS Server 2: 199.46.23.37
      DNS Server 3: 0.0.0.0
    WINS
      WINS Server 1: 0.0.0.0
      WINS Server 2: 0.0.0.0
    Dynamic Ranges: 192.168.114.2 to 192.168.114.11
  Status tab
    DHCP Leases
      Current: 4
      Available Dynamic: 6
      Available Static: 0
      Total: 10
    Current DHCP Leases
      192.168.114.2 00:30:65:A8:51:0E dynamic [G4]
      192.168.114.3 00:30:65:3A:65:ED dynamic [Base Station]
      192.168.114.5 08:00:07:9C:2B:D2 dynamic [Quadra800]

Advanced button
  Intranet tab
    SonicWALL's WAN link is connected directly to the Internet router: selected
Many of the settings on my firewall are shown in Figure 11. I haven't implemented several features of the firewall that other users, e.g. those with young families, may want to use. I haven't blocked access to any web sites; I haven't set up access privileges for different users; I haven't changed any of the allowed services (HTTP, FTP, SMTP, et al.) from their factory settings. The two features that you must use to connect to DSL with multiple computers, however, are NAT and DHCP. NAT is network address translation. I have as many as four computers on the private side, and they can all simultaneously be browsing. The WAN side of the firewall has the single IP address assigned to my DSL account. So if computer 1 asks for web page A and computer 2 asks for web page B, verizon.net sends both page A and page B to the same IP address. However, they are sent to different port numbers. The firewall looks up the port number in its translation table, and sends the page to the proper browser to display.
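As an added example (not code from the article or from SonicWALL), here is a small model of the port-based translation table just described: two LAN computers fetch pages from the same server through the one WAN address, the replies are told apart by the WAN-side port, and a packet from the Internet that matches no entry is dropped. The WAN address and LAN addresses are from Figures 8 and 11; the local port numbers and the unsolicited sender's address are constructed.

```python
class NatTable:
    """Port-based NAT: every LAN computer shares the firewall's single WAN address,
    and the WAN-side source port identifies which computer a returning page is for."""

    def __init__(self, wan_ip, first_port=1024):
        self.wan_ip = wan_ip
        self._next_port = first_port
        self._by_flow = {}   # (lan_ip, lan_port, dst_ip, dst_port) -> wan_port
        self._by_port = {}   # wan_port -> (lan_ip, lan_port, dst_ip, dst_port)

    def outbound(self, pkt):
        """Rewrite a LAN -> Internet packet, allocating a WAN port the first time a flow is seen."""
        flow = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        wan_port = self._by_flow.get(flow)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self._by_flow[flow] = wan_port
            self._by_port[wan_port] = flow
        return {**pkt, "src_ip": self.wan_ip, "src_port": wan_port}

    def inbound(self, pkt):
        """Rewrite an Internet -> LAN packet, or return None to drop it. Only replies to
        flows opened from inside have a table entry, so a packet nobody on the LAN asked
        for has nowhere to go and never reaches a LAN computer."""
        flow = self._by_port.get(pkt["dst_port"])
        if flow is None or (pkt["src_ip"], pkt["src_port"]) != (flow[2], flow[3]):
            return None
        lan_ip, lan_port = flow[0], flow[1]
        return {**pkt, "dst_ip": lan_ip, "dst_port": lan_port}


def demo():
    # Constructed scenario: WAN address 142.155.40.17 (Figure 11); the G4 and the
    # Quadra (Figure 8) both fetch port 80 from 64.208.34.100 and both happen to
    # pick local port 49152, so only the translation table can tell the replies apart.
    fw = NatTable("142.155.40.17")
    web = "64.208.34.100"
    out_g4 = fw.outbound({"src_ip": "192.168.114.2", "src_port": 49152, "dst_ip": web, "dst_port": 80})
    out_quadra = fw.outbound({"src_ip": "192.168.114.5", "src_port": 49152, "dst_ip": web, "dst_port": 80})
    reply_g4 = fw.inbound({"src_ip": web, "src_port": 80, "dst_ip": fw.wan_ip, "dst_port": out_g4["src_port"]})
    reply_quadra = fw.inbound({"src_ip": web, "src_port": 80, "dst_ip": fw.wan_ip, "dst_port": out_quadra["src_port"]})
    # An unsolicited packet from the Internet (documentation address, made up) to the WAN side
    unsolicited = fw.inbound({"src_ip": "203.0.113.9", "src_port": 4444, "dst_ip": fw.wan_ip, "dst_port": 80})
    return out_g4, out_quadra, reply_g4, reply_quadra, unsolicited


if __name__ == "__main__":
    for step in demo():
        print(step)
```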
Note that the only settings I had to make for DSL were the router address, the DNS address, and NAT using PPPoE Client. I didn't have to install any software from my ISP. The instructions that come with Verizon service assume that you will not use a firewall, and involve the installation of software off a CD while your computer is directly connected to the DSL modem. This will install a couple of extensions and an application called Verizon Online on your computer. It may also overwrite any version of Netscape Communicator you have already installed, so you should save your Address Book and Bookmarks before installing. You should also record the settings for home page, incoming and outgoing mail servers, and mail address, since the installer will change them to the values for your Verizon account.
I have reset my home page and my mail server preferences in Netscape back to Washington Apple Pi, so while I browse at high speed using the Verizon web server, I can retrieve mail from WAP and send mail from WAP. To send mail from wap.org while using verizon.net as my ISP, I have to first Get Mail, then Send Mail within 30 seconds. Otherwise, when I try to Send Mail I will get the error message that the mail was refused by wap.org because "We do not relay mail". The 30 second rule is in effect to prevent spammers from using the WAP mail servers. When I Get Mail, my Internet address is put on the list of machines from which Send Mail will be accepted, but it stays on that list for just 30 seconds. That is, the window of opportunity for any spammers using verizon.net is open for just 30 seconds, and is thus unlikely to be used by anyone except the same user who logged on, giving a valid WAP password with the Get Mail request.
Verizon isn't the only supplier of DSL or high speed Internet service in the Washington area. You can look at the TCS Conference 3 Bulletin Board 2 or browse at dslreports.com to do your own market survey. I didn't look around much, and subsequently I learned from dslreports.com that Verizon has a bad rating from other users. As I write this, Verizon is 27th down the list of national DSL ISPs at http://www.dslreports.com/gbu. (There is a separate list for cable ISPs.) However, I chose Verizon because it had the lowest total cost (monthly fee plus startup fee plus equipment cost). The worst part of Verizon so far has been very long waits for telephone support. I think that has improved in the month that I have had DSL service, though.