Category Archives: Networking

Ping request and response messages

Ping (Packet InterNet Groper) is a network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer and back. It works by sending Internet Control Message Protocol (ICMP) echo request packets and waiting for the matching echo replies. The messages below are the common responses and what each one usually indicates.

Destination host unreachable: The device you are trying to ping is down or is not operating on the network. It can also mean that you need to recheck the settings on your own device to make sure the host is correctly configured, and check that routing is working properly, because a route to the destination system could not be found. If you are trying to ping something outside your local network, check that the gateway address is correct.

Bad IP address: An invalid IP address was entered at the command prompt. The IP address must be written in dotted decimal format, for example 127.0.0.1. Check that the IP address is correct.

Destination net unreachable: The gateway towards the IP address entered at the command prompt could not be reached. Check that your computer's gateway is correct and that the routing table has a route to the IP address.

Destination specified is invalid: An invalid address was entered at the command prompt. Make sure the format of the address is correct and then try again.

Request timed out: The ping command timed out because there was no reply from the targeted device. First check that your TCP/IP stack is functioning correctly by pinging 127.0.0.1; note that a successful loopback ping does not prove that your network card is working. Next ping your default gateway and make sure you have connectivity. Then ping the next hop after the gateway, or a device just before the faulty device, such as a router interface. If you have connectivity that far, the faulty device (the one you get "request timed out" from) probably has a problem or is down, rather than the network path to it. If you get a reply from another device on the way but not from the host you are troubleshooting, it can also mean there is no route back to your device. Note: Destination Net Unreachable shows the IP address of the router that tried to route the packet but could not find a valid route.

TTL expired during reassembly: The TTL value defines the maximum number of hops a packet may travel inside a network without reaching its destination before it is discarded; in practice it is the number of routers a packet may pass through on the way to the destination before being dropped. This message means the TTL value was too small and reassembly failed, either at the destination or on the local machine. Use the -i parameter of the ping command to increase the TTL value.

TTL expired in transit: The TTL value defines the maximum number of hops a packet may travel inside a network without reaching its destination before it is discarded; in practice it is the number of routers a packet may pass through on the way to the destination before being dropped. This message means the TTL value was too small to reach the target and the packet was dropped on the way. Use the -i parameter of the ping command to increase the TTL value.

Hardware error: Ping your loopback address 127.0.0.1 to verify that your TCP stack is working properly. If that works, check the cable; otherwise you will have to troubleshoot the TCP stack and the network interface card.

No resources: Means exactly what it says, and most of the time it refers to RAM. Close applications you do not need right now and try again. If that fails, reboot the computer; it will work afterwards.

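The ICMP messages behind the ping output above, as an added Python example (not part of the original post): it builds an echo request with the RFC 1071 checksum, builds the type 3 / type 11 error messages a router returns, and decodes either back to the text ping prints. The packet layouts follow RFC 792; the function names and the sample addresses are the example's own.

```python
import struct

# ICMP types/codes (RFC 792) behind the ping messages discussed above.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Type 11 code 1 is "fragment reassembly time exceeded" in RFC terms, which
# Windows ping reports as "TTL expired during reassembly".
PING_MESSAGES = {
    (ICMP_DEST_UNREACH, 0): "Destination net unreachable",
    (ICMP_DEST_UNREACH, 1): "Destination host unreachable",
    (ICMP_TIME_EXCEEDED, 0): "TTL expired in transit",
    (ICMP_TIME_EXCEEDED, 1): "TTL expired during reassembly",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. A message whose checksum
    field is already filled in sums to 0, which is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0, checksum, identifier, sequence, then the payload the target echoes."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed for the demo; header checksum left 0)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 1 = ICMP, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, 1, 0, src_b, dst_b)


def build_icmp_error(itype: int, code: int, offending: bytes) -> bytes:
    """Type 3/11 message as a router sends it: 4 unused bytes, then the offending
    datagram's IP header plus its first 8 bytes. The router's own address is the
    source of the outer IP packet, which is what ping prints for net unreachable."""
    quoted = offending[:28]
    body = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    return struct.pack("!BBHI", itype, code, icmp_checksum(body), 0) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message and map it to the text ping prints for it."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = packet[0], packet[1]
    info = {"type": itype, "code": code}
    if itype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["ident"], info["seq"] = struct.unpack("!HH", packet[4:8])
        info["message"] = "Reply" if itype == ICMP_ECHO_REPLY else "Echo request"
    elif (itype, code) in PING_MESSAGES:
        info["message"] = PING_MESSAGES[(itype, code)]
        inner = packet[8:]                       # quoted IP header of the original datagram
        if len(inner) >= 20:
            info["original_dst"] = ".".join(str(b) for b in inner[16:20])
            info["original_ttl"] = inner[8]
    else:
        info["message"] = "Unknown ICMP type %d code %d" % (itype, code)
    return info
```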
APIPA – Automatic Private IP Addressing

A network client that fails to get an IP address using DHCP can discover an address on its own using APIPA, a DHCP failover mechanism for local networks in Microsoft Windows clients (implemented in Windows 98 and later) that lets them obtain IP addresses when DHCP servers are non-functional.

The entire address range 169.254.0.0/16 has been set aside for "link-local" addresses. They should not be manually assigned or assigned using DHCP.

APIPA requires all devices to use the same default subnet mask of 255.255.0.0. The systems must all reside on the same network segment. APIPA cannot provide information about local routers or about DNS servers.

APIPA is intended for small business or residential network environments, usually less than 25 clients, that are not routed or connected to the Internet.

For more information see http://support.microsoft.com/kb/220874

References
http://en.wikipedia.org/wiki/Link-local_address
http://files.zeroconf.org/draft-ietf-zeroconf-ipv4-linklocal.txt
http://www.zeroconf.org/
http://tools.ietf.org/html/rfc4291#section-2.5.6

POODLE Attack

Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this SSL (Secure Sockets Layer) vulnerability in September 2014. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack is not as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that impacted TLS was announced. The CVE IDs CVE-2014-3566 and CVE-2014-8730 are associated with the original POODLE attack and with F5 Networks' faulty implementation of TLS that allows POODLE, respectively.

There is currently no fix for the vulnerability in SSL 3.0 itself. To mitigate the POODLE attack, completely disable SSL 3.0 on both the server and the client side. However, some old clients and servers do not support TLS 1.0 and above, so for such clients it is better for browsers and servers to implement TLS_FALLBACK_SCSV.

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Browser enabled
===============
Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.
Chrome 39 already supports TLS_FALLBACK_SCSV.
Mozilla has disabled SSL 3.0 in Firefox 34 and ESR 31.3, which were released in December 2014, and will add support for TLS_FALLBACK_SCSV in Firefox 35.
Microsoft has announced a plan to disable SSL 3.0 by default in their products and services, and a fix to disable SSL 3.0 in Internet Explorer and Windows.
Apple's Safari (on OS X 10.8, iOS 8.1 and later) has been mitigated against POODLE by removing support for all CBC ciphers in SSL 3.0.

Service providers status
————————
OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommends the following upgrades:
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.

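How TLS_FALLBACK_SCSV lets a server tell a forced downgrade from a genuinely old client, as an added Python example (not from the original post or from OpenSSL or any browser named above): it builds and parses a bare ClientHello record and applies the server-side rule from RFC 7507. The cipher suite 0x002F used in the demo and the `server_decision` function are the example's own assumptions.

```python
import struct

SSL3 = 0x0300
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600      # signaling cipher suite value from RFC 7507
VERSION_NAMES = {SSL3: "SSLv3", TLS1_0: "TLSv1.0", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}


def build_client_hello(version: int, suites: list, fallback: bool = False) -> bytes:
    """Minimal ClientHello record (constructed; no extensions).

    A client that retries a failed handshake at a lower version appends
    TLS_FALLBACK_SCSV to its cipher suite list so the server can tell that
    retry apart from a client that only speaks the old version."""
    if fallback:
        suites = list(suites) + [TLS_FALLBACK_SCSV]
    body = struct.pack("!H", version) + bytes(32)            # client_version + random (zeroed here)
    body += b"\x00"                                          # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake   # record header


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    ctype, _rec_version, _rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                # skip client_version and the 32-byte random
    pos += 1 + body[pos]                    # session id (length-prefixed)
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    return client_version, suites


def server_decision(record: bytes, server_max: int = TLS1_2, server_min: int = TLS1_0) -> str:
    """RFC 7507 server rule applied to one ClientHello.

    If the hello carries TLS_FALLBACK_SCSV and its version is below the highest
    version this server supports, the client was pushed into a fallback and the
    server must abort with a fatal inappropriate_fallback(86) alert. Without the
    SCSV a server cannot distinguish a downgrade from an old client, which is
    the gap POODLE relies on; disabling SSL 3.0 (server_min) closes it outright."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return "alert inappropriate_fallback"
    if version < server_min:
        return "alert protocol_version"
    return "negotiate " + VERSION_NAMES.get(min(version, server_max), hex(version))
```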
Akamai, a popular CDN, has accelerated its deprecation of SSL 3.0.
CloudFlare has disabled SSL 3.0 support by default for all customers.
Twitter and Wikimedia have dropped support for SSL 3.0 to prevent the POODLE attack.

https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed

How to check your server and client
===================================
Web site test
https://www.ssllabs.com/ssltest/

Client test
https://www.ssllabs.com/ssltest/viewMyClient.html

Resolutions for Server and Clients
==================================

Disable in Microsoft Server
—————————
Microsoft OS registry setting to disable SSL 3.0. Open the key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
Type 00000000 in the Binary Editor to set the value of the new key to 0, then restart.

CVE-2014-3566 – KB3009008
https://technet.microsoft.com/en-us/library/security/3009008.aspx

How to disable SSLv3 in Apache?
——————————-
Include "SSLProtocol all -SSLv2 -SSLv3" within every VirtualHost in httpd.conf (version 2.2.23 and later):

<VirtualHost your.website.example.com:443>
DocumentRoot /var/www/directory
ServerName your.website.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

Note: if there is a separate SSL configuration, as on Ubuntu 10.04 in /etc/apache2/mods-available/ssl.conf, set it there:
SSLProtocol all -SSLv2 -SSLv3

For httpd version 2.2.22 and older, only specify TLSv1. This is treated as a wildcard for all TLS versions.

SSLProtocol TLSv1

For Apache + mod_nss, edit /etc/httpd/conf.d/nss.conf to allow only TLS 1.0+.

NSSProtocol TLSv1.0,TLSv1.1

Apache Tomcat Web server
————————
Tomcat 5

Configured via $TOMCAT_HOME/conf/server.xml

<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
SSLEnabled="true" scheme="https" secure="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

Tomcat 6,7

<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
SSLEnabled="true" scheme="https" secure="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

Lighttpd
————
For Lighttpd 1.4.28+, edit /etc/lighttpd/lighttpd.conf

ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Postfix SMTP
————-
Modify the smtpd_tls_mandatory_protocols configuration line.

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Sendmail
———
Modify the LOCAL_CONFIG section of the sendmail.mc file.

CipherList=HIGH
ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Dovecot
——–
For Dovecot 2.1+, edit /etc/dovecot/local.conf to add the line below and then restart Dovecot.

ssl_protocols = !SSLv2 !SSLv3

For Dovecot 2, edit /etc/dovecot/conf.d/10-ssl.conf to add the line below and then restart Dovecot.

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

Courier-imap
————-
For Ubuntu 12.04, edit /etc/courier/imapd-ssl.

IMAPDSSLSTART=NO

IMAPDSTARTTLS=YES

IMAP_TLS_REQUIRED=1

TLS_PROTOCOL=TLS1

TLS_STARTTLS_PROTOCOL=TLS1

HAProxy Server
—————-
Edit the bind line in your /etc/haproxy.cfg file (the certificate path and cipher list below are placeholders for your own values).

bind :443 ssl crt <certificate.pem> ciphers <cipher-list> no-sslv3

Nginx
—–
Modify the ssl_protocols directive to only use TLSv1, TLSv1.1, and TLSv1.2. If you do not have an ssl_protocols directive, add it to the top of your configuration file.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

389 Directory Server
——————–
Modify cn=encryption,cn=config and restart the server.

ldapmodify -x -D "cn=Directory Manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
EOF

Enabling on Browser Settings
—————————-
Chrome:
Right-click the shortcut, go to Properties, and at the end of the target "C:\Program Files\Google\Chrome\Application\chrome.exe" add --ssl-version-min=tls1

IE:
Click Settings, then Internet Options, then the Advanced tab; in the Security section uncheck SSL and check TLS.

Firefox:
Download and install the SSL Version Control 0.2 add-on from https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Alternatively, set security.tls.version.min = 1 in the about:config dialog.

Safari:
Apple has released Security Update 2014-005, which disables CBC-mode ciphers under SSLv3.

Mac OS Mavericks: http://support.apple.com/kb/DL1772
Mac OS Mountain Lion: http://support.apple.com/kb/DL1771
Mac OS Yosemite: https://support.apple.com/kb/HT6535

Hardware providers
==================
F5 Networks
———–
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

A10 Networks
————
https://www.a10networks.com/vadc/index.php/cve-2014-3566-from-beast-to-poodle-or-dancing-with-beast/

Cisco Networks
—————
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Poodle_10152014.html

Juniper Networks
—————–
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656&actp=RSS

Note:POODLE attack against TLS
A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws of CBC mode ciphers in the TLS 1.0 to 1.2 protocols. Even though the TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they have disabled SSL 3.0. SSL Pulse showed "about 10% of the servers are vulnerable to the POODLE attack against TLS" before this vulnerability was announced. The CVE ID for F5 Networks' implementation bug is CVE-2014-8730. The entry in NIST's NVD states that this CVE ID is to be used only for F5 Networks' implementation of TLS, and that other vendors whose products have the same failure to validate the padding, such as A10 Networks and Cisco Systems, need to issue their own CVE IDs for their implementation errors, because this is not a flaw in the protocol itself but a flaw in the protocol's implementation.

The POODLE attack against TLS was found to be easier to initiate than the initial POODLE attack against SSL: there is no need to downgrade clients to SSL 3.0, so fewer conditions have to hold for a real-world attack to be practical.

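The padding check that separates a correct TLS implementation from the lax, SSL 3.0-style check described in the note above, as an added Python example (not from the original post or from any vendor's code). `strip_padding_tls` is what RFC 5246 requires, `strip_padding_sslv3_style` is the SSL 3.0 rule, and `audit_padding_check` is a constructed self-test a defender can run against any unpad routine to see whether it inspects every padding byte; the inputs are plaintexts as they look after CBC decryption, so no cipher library is needed.

```python
BLOCK_SIZE = 16   # AES block size; inputs below are constructed post-decryption plaintexts


def strip_padding_sslv3_style(plaintext: bytes) -> bytes:
    """SSL 3.0 rule: only the final byte (the pad length) is checked, and only
    for range. The padding bytes themselves may hold anything, so a record whose
    padding was tampered with is still accepted as long as the last byte is valid."""
    pad_len = plaintext[-1]
    if pad_len >= BLOCK_SIZE or pad_len + 1 > len(plaintext):
        raise ValueError("bad_record_mac")
    return plaintext[:-(pad_len + 1)]


def strip_padding_tls(plaintext: bytes) -> bytes:
    """TLS 1.0-1.2 rule (RFC 5246, 6.2.3.2): every padding byte must equal the
    pad-length byte. A TLS stack that skips this check behaves like SSL 3.0 and
    is vulnerable even with SSL 3.0 disabled, which is what CVE-2014-8730 describes."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        raise ValueError("bad_record_mac")
    padding = plaintext[-(pad_len + 1):]
    if any(b != pad_len for b in padding):
        raise ValueError("bad_record_mac")
    return plaintext[:-(pad_len + 1)]


def pad_tls(data: bytes) -> bytes:
    """Minimal TLS padding: pad_len repeated pad_len + 1 times up to a block boundary."""
    pad_len = (BLOCK_SIZE - (len(data) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return data + bytes([pad_len]) * (pad_len + 1)


def audit_padding_check(unpad) -> bool:
    """Return True if `unpad` rejects a record whose padding bytes were altered
    while its length byte was left intact. Uses constructed vectors only; the
    plaintext is chosen so the record carries several padding bytes."""
    good = pad_tls(b"GET / HTTP/1.1\r\nCookie: session=secret")
    if not unpad(good).endswith(b"secret"):
        raise AssertionError("unpad rejected a correctly padded record")
    pad_len = good[-1]
    tampered = bytearray(good)
    for i in range(len(good) - 1 - pad_len, len(good) - 1):
        tampered[i] ^= 0x55                 # garble every pad byte except the length byte
    try:
        unpad(bytes(tampered))
    except ValueError:
        return True                         # strict check: padding fully validated
    return False                            # lax check: padding contents ignored
```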
IPV6 Router configurations

First enable the protocol and assign IPv6 addresses to your interfaces:

Router(config)# ipv6 unicast-routing
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 address ipv6_address_prefix/prefix_length [eui-64]

To add an address to an interface, use the interface configuration command:
ipv6 address <ipv6-prefix>/<prefix-length> [eui-64]

Router(config)# interface fastethernet0/0
Router(config-if)# ipv6 address 2001:1cc1:dddd:2::/64 eui-64
Router(config-if)# end
Router# show ipv6 interface fastethernet0/0
FastEthernet0/0 is administratively down, line protocol is down
IPv6 is enabled, link-local address is FE80::207:EFF:FE46:4070
[TEN]
No Virtual link-local address(es):
Global unicast address(es):
2001:1CC1:DDDD:2:207:EFF:FE46:4070, subnet is
2001:1CC1:DDDD:2::/64 [EUI/TEN]
Joined group address(es):
FF02::1
FF02::2

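How the router derives the global and link-local addresses in the show output above when eui-64 is given, as an added Python example (not from the original post); the MAC 00:07:0e:46:40:70 is the one implied by the interface identifier 207:eff:fe46:4070 in that output, and the function names are the example's own. It also goes the other way, recovering the MAC from an address, which is the privacy reason EUI-64 addresses are usually avoided on client hosts.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): insert FF:FE in the middle of the
    48-bit MAC and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address `ipv6 address <prefix>/64 eui-64` produces for an interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_modified_eui64(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address the interface gets automatically: fe80::/64 plus the same identifier."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str):
    """Reverse: if the low 64 bits carry ff:fe in the middle, recover the MAC.
    Such addresses reveal the hardware identity and stay constant across
    prefixes, which is why RFC 4941 privacy extensions exist for hosts."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join("%02x" % x for x in b[:3] + b[5:])
```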
To set up a static DNS resolution table on the router
Router(config)# ipv6 host hostname [port_#] ipv6_address1 [ipv6_address2…]
Router(config)# ip name-server DNS_server_IPv6_address

Enabling RIP
Router(config)# ipv6 router rip tag

ipv6 rip tag enable command
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 rip tag enable

show ipv6 rip command
Router# show ipv6 rip
RIP process “RIPPROC1”, port 521, multicast-group FF02::9,
pid 187
Administrative distance is 120. Maximum paths is 16
Updates every 30 seconds, expire after 180
Holddown lasts 0 seconds, garbage collect after 120
Split horizon is on; poison reverse is off
Default routes are not generated
Periodic updates 2, trigger updates 0
Interfaces:
FastEthernet0/0
Redistribution:
None

EIGRPv6
Router1(config)#ipv6 router eigrp 12
Router1(config-rtr)#no shutdown
Router1(config-if)#ipv6 eigrp 12

OSPFv3
Router1(config)#ipv6 router ospf 10
Router1(config-rtr)#router-id 1.1.1.1
Router1(config-if)#ipv6 ospf 10 area 0.0.0.0

What is IPV6
https://teckadmin.wordpress.com/2014/11/23/what-is-ipv6-address/

How to configure in windows
https://teckadmin.wordpress.com/2014/11/23/how-to-configure-ipv6-in-windows/

How to configure in Linux
https://teckadmin.wordpress.com/2014/11/23/ipv6-static-address-configuration-for-linux/

What is Drain in Loadbalancer

A load balancer feature called server draining enables you to take a server offline without any loss of service to users. When a server is drained it stops taking new connections and calls; these are routed to other servers in the pool. A server being drained allows the sessions on its existing connections to continue until they end naturally. When all existing sessions have ended, the server is ready to be taken offline.
Most external load-balancing devices do not have this concept of a drain time; they simply persist the existing connections on a server and redirect new connections to other servers.

Load balancer node conditions
ENABLED: Node is permitted to accept new connections.
DISABLED: Node is not permitted to accept any new connections regardless of session persistence configuration. Existing connections are forcibly terminated.
DRAINING: Node is allowed to service existing established connections and connections that are being directed to it as a result of the session persistence configuration.

AWS ELB how to configure
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/config-conn-drain.html
F5 how to
https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/bigipgtm9_2_2/BIG-IP_9_2_2GTM_Guide-09-1.html

Difference between Sticky and Affinity in Load Balancer

Sticky session means ensuring that subsequent requests from the same source are automatically routed to the same real server that handled the initial request.

Session affinity enhances application performance by using in-memory caching rather than a database. Session affinity uses cookies to track session information and, potentially, to maintain login credentials.

Different vendors have different mechanisms for identifying the client, either through the use of an HTTP cookie or a CIDR netmask.

Affinity: this is when we use information from a layer below the application layer to keep a client's requests on a single server.

Persistence: this is when we use application layer information to stick a client to a single server.

Sticky session: a sticky session is a session maintained by persistence.

The main advantage of persistence over affinity is that it is much more accurate, but sometimes persistence is not doable, so we must rely on affinity.

Using persistence, we mean that we are 100% sure that a user will get redirected to a single server.
Using affinity, we mean that the user may be redirected to the same server.

Load Balancers

A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase capacity (concurrent users) and reliability of applications. They improve the overall performance of applications by decreasing the burden on servers associated with managing and maintaining application and network sessions, as well as by performing application-specific tasks.

Load balancers are generally grouped into two categories: Layer 4 and Layer 7. Layer 4 load balancers act upon data found in network and transport layer protocols (IP, TCP, FTP, UDP). Layer 7 load balancers distribute requests based upon data found in application layer protocols such as HTTP.

Requests are received by both types of load balancers and they are distributed to a particular server based on a configured algorithm. Some industry standard algorithms are:

Round robin
Weighted round robin
Least connections
Least response time

Layer 7 load balancers can further distribute requests based on application specific data such as HTTP headers, cookies, or data within the application message itself, such as the value of a specific parameter.

Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.

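The routing decision described across the three load balancer posts above (node conditions, persistence versus affinity, and the least-connections algorithm), as one added Python example that is not from the original posts or from any vendor's product. It is an assumed model: persistence is a cookie naming the server, affinity hashes the client's source network (a CIDR netmask) onto the pool, and a DRAINING node keeps serving persisted and existing connections while a DISABLED one drops them.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

ENABLED, DISABLED, DRAINING = "ENABLED", "DISABLED", "DRAINING"


@dataclass
class Node:
    name: str
    condition: str = ENABLED
    connections: set = field(default_factory=set)   # ids of connections currently open on the node


class LoadBalancer:
    """Assumed model of a Layer 7 load balancer's routing decision for the demo."""

    def __init__(self, nodes, affinity_prefix=24):
        # affinity_prefix: CIDR netmask that groups clients for source-IP affinity;
        # None switches the fallback algorithm to least-connections.
        self.nodes = {n.name: n for n in nodes}
        self.affinity_prefix = affinity_prefix

    def set_condition(self, name: str, condition: str) -> None:
        node = self.nodes[name]
        node.condition = condition
        if condition == DISABLED:
            node.connections.clear()    # DISABLED: existing connections are forcibly terminated
        # DRAINING keeps its connections; they are allowed to end naturally

    def ready_to_take_offline(self, name: str) -> bool:
        """The drain is complete once a DRAINING node has no sessions left."""
        node = self.nodes[name]
        return node.condition == DRAINING and not node.connections

    def close(self, conn_id) -> None:
        for node in self.nodes.values():
            node.connections.discard(conn_id)

    def route(self, conn_id, client_ip: str, persistence_cookie=None):
        """Return (node name, reason). Persistence (application-layer cookie) is
        checked first; affinity (source network, below the application layer)
        or least-connections picks a server only when persistence cannot."""
        # 1. Persistence: the cookie names the server; honoured on ENABLED and
        #    DRAINING nodes, never on a DISABLED one.
        if persistence_cookie in self.nodes:
            node = self.nodes[persistence_cookie]
            if node.condition in (ENABLED, DRAINING):
                node.connections.add(conn_id)
                return node.name, "persistence"
        # 2. Only ENABLED nodes accept fresh connections.
        pool = sorted((n for n in self.nodes.values() if n.condition == ENABLED), key=lambda n: n.name)
        if not pool:
            raise RuntimeError("no node is accepting new connections")
        if self.affinity_prefix is None:
            node = min(pool, key=lambda n: (len(n.connections), n.name))
            reason = "least-connections"
        else:
            # Affinity: hash the client's source network onto the pool. It is only
            # "probably the same server": the mapping shifts whenever the pool changes.
            net = ipaddress.ip_network("%s/%d" % (client_ip, self.affinity_prefix), strict=False)
            digest = hashlib.sha256(str(net.network_address).encode()).digest()
            node = pool[int.from_bytes(digest[:4], "big") % len(pool)]
            reason = "affinity"
        node.connections.add(conn_id)
        return node.name, reason
```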
https://www.barracuda.com/products/loadbalancer
http://www.loadbalancer.org/
http://aws.amazon.com/elasticloadbalancing/
http://www.citrix.com/glossary/load-balancing.html
https://f5.com/glossary/load-balancer
http://www.hardwareloadbalancer.com/
http://kemptechnologies.com/load-balancer/

Classless Inter-Domain Routing

Classless Inter-Domain Routing (CIDR, pronunciation: /ˈsaɪ.dər/ or /ˈsɪ.dər/) is a method for allocating IP addresses and routing Internet Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.[1][2]

IP addresses are described as consisting of two groups of bits in the address: the most significant bits are the network address, which identifies a whole network or subnet, and the least significant set forms the host identifier, which specifies a particular interface of a host on that network. This division is used as the basis of traffic routing between IP networks and for address allocation policies. Classful network design for IPv4 sized the network address as one or more 8-bit groups, resulting in the blocks of Class A, B, or C addresses. Classless Inter-Domain Routing allocates address space to Internet service providers and end users on any address bit boundary, instead of on 8-bit segments. In IPv6, however, the interface identifier has a fixed size of 64 bits by convention, and smaller subnets are never allocated to end users.

CIDR notation is a syntax for specifying IP addresses and their associated routing prefix. It appends a slash character to the address and the decimal number of leading bits of the routing prefix, e.g., 192.168.2.0/24 for IPv4, and 2001:db8::/32 for IPv6.

http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

What is an IP address

An Internet Protocol address (also known as an IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.[1] An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: “A name indicates what we seek. An address indicates where it is. A route indicates how to get there.”[2]

The designers of the Internet Protocol defined an IP address as a 32-bit number consisting of 4 octets[1] and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new version of IP (IPv6), using 128 bits for the address, was developed in 1995.[3] IPv6 was standardized as RFC 2460 in 1998,[4] and its deployment has been ongoing since the mid-2000s.

IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally and delegates five regional Internet registries (RIRs) to allocate IP address blocks to local Internet registries (Internet service providers) and other entities.

IP versions

Two versions of the Internet Protocol (IP) are in use: IP Version 4 and IP Version 6. Each version defines an IP address differently. Because of its prevalence, the generic term IP address typically still refers to the addresses defined by IPv4. The gap in version sequence between IPv4 and IPv6 resulted from the assignment of number 5 to the experimental Internet Stream Protocol in 1979, which however was never referred to as IPv5.
IPv4 addresses

In IPv4 an address consists of 32 bits, which limits the address space to 4,294,967,296 (2^32) possible unique addresses. IPv4 reserves some addresses for special purposes such as private networks (~18 million addresses) or multicast addresses (~270 million addresses).

IPv4 addresses are canonically represented in dot-decimal notation, which consists of four decimal numbers, each ranging from 0 to 255, separated by dots, e.g., 172.16.254.1. Each part represents a group of 8 bits (octet) of the address. In some cases of technical writing, IPv4 addresses may be presented in various hexadecimal, octal, or binary representations.
IPv4 subnetting

In the early stages of development of the Internet Protocol,[1] network administrators interpreted an IP address in two parts: network number portion and host number portion. The highest order octet (most significant eight bits) in an address was designated as the network number and the remaining bits were called the rest field or host identifier and were used for host numbering within a network.

This early method soon proved inadequate as additional networks developed that were independent of the existing networks already designated by a network number. In 1981, the Internet addressing specification was revised with the introduction of classful network architecture.[2]

Classful network design allowed for a larger number of individual network assignments and fine-grained subnetwork design. The first three bits of the most significant octet of an IP address were defined as the class of the address. Three classes (A, B, and C) were defined for universal unicast addressing. Depending on the class derived, the network identification was based on octet boundary segments of the entire address. Each class used successively additional octets in the network identifier, thus reducing the possible number of hosts in the higher order classes (B and C). The following table gives an overview of this now obsolete system.

Historical classful network architecture

Class  Leading bits  Network number bits  Rest field bits  Number of networks  Addresses per network  Start address  End address
A      0             8                    24               128 (2^7)           16,777,216 (2^24)      0.0.0.0        127.255.255.255
B      10            16                   16               16,384 (2^14)       65,536 (2^16)          128.0.0.0      191.255.255.255
C      110           24                   8                2,097,152 (2^21)    256 (2^8)              192.0.0.0      223.255.255.255

Classful network design served its purpose in the startup stage of the Internet, but it lacked scalability in the face of the rapid expansion of the network in the 1990s. The class system of the address space was replaced with Classless Inter-Domain Routing (CIDR) in 1993. CIDR is based on variable-length subnet masking (VLSM) to allow allocation and routing based on arbitrary-length prefixes.

Today, remnants of classful network concepts function only in a limited scope as the default configuration parameters of some network software and hardware components (e.g. netmask), and in the technical jargon used in network administrators’ discussions.

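A CIDR calculator tying together the APIPA, CIDR and classful-addressing posts above, as an added Python example (not from the original posts): it derives mask, network, broadcast and host count from a prefix length, reads the historical class from the leading bits, flags the 169.254.0.0/16 link-local range, and aggregates contiguous blocks into one prefix, which is the routing-table reduction CIDR was introduced for. It deliberately does the bit arithmetic by hand rather than through the ipaddress module; the function names are the example's own.

```python
LINK_LOCAL = ("169.254.0.0", 16)       # APIPA range, never assigned manually or by DHCP
PRIVATE = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]


def ip_to_int(addr: str) -> int:
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("bad IPv4 address: %s" % addr)
    value = 0
    for p in parts:
        n = int(p)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %s" % addr)
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefixlen: int) -> int:
    """/24 -> 0xFFFFFF00: the leading prefixlen bits set, the rest clear."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def classful_class(addr: str) -> str:
    """Historical class from the leading bits of the first octet: 0, 10, 110, 1110, 1111."""
    first = ip_to_int(addr) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"      # multicast
    return "E"          # reserved


def in_block(addr: str, block_addr: str, block_len: int) -> bool:
    mask = prefix_to_mask(block_len)
    return ip_to_int(addr) & mask == ip_to_int(block_addr) & mask


def describe(cidr: str) -> dict:
    addr, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32
    mask = prefix_to_mask(plen)
    net = ip_to_int(addr) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    addresses = 2 ** (32 - plen)
    usable = addresses - 2 if plen <= 30 else addresses   # /31 and /32 have no network/broadcast
    return {
        "network": int_to_ip(net), "netmask": int_to_ip(mask), "broadcast": int_to_ip(bcast),
        "prefixlen": plen, "addresses": addresses, "usable_hosts": usable,
        "classful_class": classful_class(addr),
        "link_local": in_block(addr, *LINK_LOCAL),
        "private": any(in_block(addr, a, l) for a, l in PRIVATE),
    }


def aggregate(cidrs) -> str:
    """Smallest single prefix covering all the given blocks (route aggregation)."""
    nets = [describe(c) for c in cidrs]
    lo = min(ip_to_int(n["network"]) for n in nets)
    hi = max(ip_to_int(n["broadcast"]) for n in nets)
    plen = 32
    while plen > 0 and (lo & prefix_to_mask(plen)) != (hi & prefix_to_mask(plen)):
        plen -= 1
    return "%s/%d" % (int_to_ip(lo & prefix_to_mask(plen)), plen)
```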
http://en.wikipedia.org/wiki/IP_address
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

What is a MAC address

A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model.

MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card’s read-only memory or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number and may be referred to as the burned-in address (BIA). It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a programmed address, where the host device issues commands to the NIC to use an arbitrary address.

A network node may have multiple NICs and each NIC must have a unique MAC address.

MAC addresses are formed according to the rules of one of three numbering name spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64. The IEEE claims trademarks on the names EUI-48 and EUI-64, in which EUI is an abbreviation for Extended Unique Identifier.
Notational conventions

The standard (IEEE 802) format for printing MAC-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) or colons (:), in transmission order (e.g. 01-23-45-67-89-ab or 01:23:45:67:89:ab). This form is also commonly used for EUI-64. Another convention used by networking equipment uses three groups of four hexadecimal digits separated by dots (.) (e.g. 0123.4567.89ab), again in transmission order.[1]
Address details

The original IEEE 802 MAC address comes from the original Xerox Ethernet addressing scheme.[2] This 48-bit address space contains potentially 2^48 or 281,474,976,710,656 possible MAC addresses.

All three numbering systems use the same format and differ only in the length of the identifier. Addresses can either be universally administered addresses or locally administered addresses. A universally administered address is uniquely assigned to a device by its manufacturer. The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI).[3] The following three (MAC-48 and EUI-48) or five (EUI-64) octets are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. The IEEE has a target lifetime of 100 years for applications using MAC-48 space, but encourages adoption of EUI-64s instead.[3] A locally administered address is assigned to a device by a network administrator, overriding the burned-in address. Locally administered addresses do not contain OUIs.

Universally administered and locally administered addresses are distinguished by setting the second-least-significant bit of the most significant byte of the address. This bit is also referred to as the U/L bit, short for Universal/Local, which identifies how the address is administered. If the bit is 0, the address is universally administered. If it is 1, the address is locally administered. In the example address 06-00-00-00-00-00 the most significant byte is 06 (hex), the binary form of which is 00000110, where the second-least-significant bit is 1. Therefore, it is a locally administered address.[4] Consequently, this bit is 0 in all OUIs.

If the least significant bit of the most significant octet of an address is set to 0 (zero), the frame is meant to reach only one receiving NIC.[5] This type of transmission is called unicast. A unicast frame is transmitted to all nodes within the collision domain, which typically ends at the nearest network switch or router. A switch will forward a unicast frame through all of its ports (except for the port that originated the frame) if the switch has no knowledge of which port leads to that MAC address, or just to the proper port if it does have knowledge.[6] Only the node with the matching hardware MAC address will accept the frame; network frames with non-matching MAC addresses are ignored, unless the device is in promiscuous mode.

If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on criteria other than the matching of a MAC address: for example, based on a configurable list of accepted multicast MAC addresses. This is called multicast addressing.

The following technologies use the MAC-48 identifier format:

Ethernet
802.11 wireless networks
Bluetooth
IEEE 802.5 token ring
most other IEEE 802 networks
Fiber Distributed Data Interface (FDDI)
Asynchronous Transfer Mode (ATM), switched virtual connections only, as part of an NSAP address
Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)
The ITU-T G.hn standard, which provides a way to create a high-speed (up to 1 gigabit/s) local area network using existing home wiring (power lines, phone lines and coaxial cables). The G.hn Application Protocol Convergence (APC) layer accepts Ethernet frames that use the MAC-48 format and encapsulates them into G.hn Medium Access Control Service Data Units (MSDUs).

Every device that connects to an IEEE 802 network (such as Ethernet and WiFi) has a MAC-48 address.[7] Common consumer devices that use MAC-48 include every PC, smartphone and tablet computer.

The distinction between EUI-48 and MAC-48 identifiers is purely nominal: MAC-48 is used for network hardware; EUI-48 is used to identify other devices and software. (Thus, by definition, an EUI-48 is not in fact a “MAC address”, although it is syntactically indistinguishable from one and assigned from the same numbering space.)

The IEEE now considers the label MAC-48 to be an obsolete term, previously used to refer to a specific type of EUI-48 identifier used to address hardware interfaces within existing 802-based networking applications, and thus not to be used in the future. Instead, the proprietary term EUI-48 should be used for this purpose.

The EUI-48 is expected to have its address space exhausted by the year 2100.[3]

EUI-64 identifiers are used in:

FireWire
IPv6 (Modified EUI-64 as the least-significant 64 bits of a unicast network address or link-local address when stateless autoconfiguration is used)
ZigBee / 802.15.4 / 6LoWPAN wireless personal-area networks

The IEEE has built in several special address types to allow more than one network interface card to be addressed at one time:

Packets sent to the broadcast address, in which every bit is set to one, are received by all stations on a local area network. In hexadecimal the broadcast address is FF:FF:FF:FF:FF:FF. A broadcast frame is flooded, that is, forwarded to and accepted by all other nodes.
Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
Functional addresses identify one or more Token Ring NICs that provide a particular service, defined in IEEE 802.5.

These are all examples of group addresses, as opposed to individual addresses; the least significant bit of the first octet of a MAC address distinguishes individual addresses from group addresses. That bit is set to 0 in individual addresses and set to 1 in group addresses. Group addresses, like individual addresses, can be universally administered or locally administered.

In addition, the EUI-64 numbering system encompasses both MAC-48 and EUI-48 identifiers by a simple translation mechanism.[8] To convert a MAC-48 into an EUI-64, copy the OUI, append the two octets FF-FF and then copy the organization-specified extension identifier. To convert an EUI-48 into an EUI-64, the same process is used, but the sequence inserted is FF-FE. In both cases, the process can be trivially reversed when necessary. Organizations issuing EUI-64s are cautioned against issuing identifiers that could be confused with these forms. The IEEE policy is to discourage new uses of 48-bit identifiers in favor of the EUI-64 system.
IPv6 — one of the most prominent standards that uses a Modified EUI-64 — treats MAC-48 as EUI-48 instead (as it is chosen from the same address pool) and toggles the U/L bit (as this makes it easier to type locally assigned IPv6 addresses based on the Modified EUI-64). This results in extending MAC addresses (such as IEEE 802 MAC address) to Modified EUI-64 using only FF-FE (and never FF-FF) and with the U/L bit inverted.[9]
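The two encapsulations just described (FF-FF for MAC-48, FF-FE for EUI-48) and the IPv6 variant (FF-FE with the U/L bit inverted) are mechanical enough to implement directly. The Python below is an added example, not code from the page or its Wikipedia source; the function names are chosen here, and the sample address 00-1B-21-3C-4D-5E is constructed for illustration. The last two functions go a step beyond the text by deriving an IPv6 link-local address from a MAC and recovering the MAC from such an address.

```python
import ipaddress
import re

# Parse six hex octets separated by ':' or '-' into a list of ints.
def parse_mac(text):
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a 48-bit identifier: {text!r}")
    return [int(p, 16) for p in parts]

def fmt(octets):
    return "-".join(f"{o:02X}" for o in octets)

# MAC-48 -> EUI-64: OUI, then FF-FF, then the extension identifier.
def mac48_to_eui64(mac):
    o = parse_mac(mac)
    return fmt(o[:3] + [0xFF, 0xFF] + o[3:])

# EUI-48 -> EUI-64: same layout, but the inserted pair is FF-FE.
def eui48_to_eui64(mac):
    o = parse_mac(mac)
    return fmt(o[:3] + [0xFF, 0xFE] + o[3:])

# Reverse either encapsulation by dropping octets 4 and 5 (FF-FF or FF-FE).
def eui64_to_48(eui64):
    o = [int(p, 16) for p in re.split(r"[:-]", eui64.strip())]
    if len(o) != 8 or o[3] != 0xFF or o[4] not in (0xFF, 0xFE):
        raise ValueError(f"not an encapsulated 48-bit identifier: {eui64!r}")
    return fmt(o[:3] + o[5:])

# Modified EUI-64 as IPv6 uses it: FF-FE inserted and the U/L bit (0x02) toggled.
def modified_eui64(mac):
    o = parse_mac(mac)
    o[0] ^= 0x02
    return o[:3] + [0xFF, 0xFE] + o[3:]

# Link-local address fe80::/64 with the Modified EUI-64 as interface identifier.
def link_local_from_mac(mac):
    iid = int.from_bytes(bytes(modified_eui64(mac)), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))

# The inverse: pull the MAC back out of an address whose interface identifier
# is a Modified EUI-64. Only such addresses carry a recoverable MAC.
def mac_from_link_local(addr):
    iid = list(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3] != 0xFF or iid[4] != 0xFE:
        raise ValueError("interface identifier is not a Modified EUI-64")
    o = iid[:3] + iid[5:]
    o[0] ^= 0x02
    return fmt(o)

if __name__ == "__main__":
    mac = "00-1B-21-3C-4D-5E"  # constructed sample
    print(mac48_to_eui64(mac), eui48_to_eui64(mac))
    print(link_local_from_mac(mac), "->", mac_from_link_local(link_local_from_mac(mac)))
```

The reversibility the text mentions has a privacy consequence: an IPv6 address built this way exposes the interface's hardware address to every peer, which is why hosts commonly generate their interface identifiers some other way (privacy extensions) instead. The last function makes the leak concrete, and a simple check for the FF-FE pattern in the interface identifier is enough to spot addresses that carry it.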
Individual address block

An Individual Address Block is a 24-bit OUI managed by the IEEE Registration Authority, followed by 12 IEEE-provided bits (identifying the organization), and 12 bits for the owner to assign to individual devices. An IAB is ideal for organizations requiring fewer than 4097 unique 48-bit numbers (EUI-48).[10]
Usage in hosts

Although intended to be a permanent and globally unique identification, it is possible to change the MAC address on most modern hardware. Changing MAC addresses is necessary in network virtualization. It can also be used in the process of exploiting security vulnerabilities. This is called MAC spoofing.

A host cannot determine from the MAC address of another host whether that host is on the same link (network segment) as the sending host, or on a network segment bridged to that network segment.

In IP networks, the MAC address of an interface can be queried given the IP address using the Address Resolution Protocol (ARP) for Internet Protocol Version 4 (IPv4) or the Neighbor Discovery Protocol (NDP) for IPv6. In this way, ARP or NDP is used to translate IP addresses (OSI layer 3) into Ethernet MAC addresses (OSI layer 2). On broadcast networks, such as Ethernet, the MAC address uniquely identifies each node on that segment and allows frames to be marked for specific hosts. It thus forms the basis of most of the link layer (OSI Layer 2) networking upon which upper layer protocols rely to produce complex, functioning networks.
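Because ARP and NDP are what bind an IP address to a MAC address, the local neighbor table is the place where a changed or spoofed MAC (see the MAC spoofing paragraph above) becomes visible to a host. The Python below is an added example, not code from the page or its Wikipedia source: it parses two constructed snapshots in the format of `ip -4 neigh show` on Linux and reports IP-to-MAC bindings that changed between them, along with new hosts. All addresses in the snapshots are made up for the example.

```python
import re

# Two constructed snapshots of `ip -4 neigh show` output, taken some time apart.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:1b:21:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 00:1b:21:aa:bb:cc STALE
192.168.1.30 dev eth0 lladdr 00:50:56:11:22:33 REACHABLE
"""
LATER = """\
192.168.1.1 dev eth0 lladdr 02:00:00:12:34:56 REACHABLE
192.168.1.20 dev eth0 lladdr 00:1b:21:aa:bb:cc DELAY
192.168.1.30 dev eth0  FAILED
192.168.1.40 dev eth0 lladdr 00:50:56:44:55:66 REACHABLE
"""

# <ip> dev <iface> [lladdr <mac>] <state>; FAILED/INCOMPLETE entries have no lladdr.
LINE = re.compile(r"^(\S+) dev (\S+)(?: lladdr ([0-9a-fA-F:]{17}))? +(\S+)$")

# Build {(iface, ip): mac} from neighbor-table text, skipping unresolved entries.
def parse_neigh(text):
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, dev, mac, _state = m.groups()
        if mac:
            table[(dev, ip)] = mac.lower()
    return table

# U/L bit of the first octet: set on locally administered (often software-chosen) addresses.
def is_locally_administered(mac):
    return bool(int(mac[:2], 16) & 0x02)

# Compare two snapshots: a binding whose MAC changed, and hosts not seen before.
def compare(baseline, later):
    changed, new_hosts = [], []
    for key, old in baseline.items():
        new = later.get(key)
        if new is not None and new != old:
            changed.append((key[1], old, new, is_locally_administered(new)))
    for key, mac in later.items():
        if key not in baseline:
            new_hosts.append((key[1], mac))
    return {"changed": changed, "new": new_hosts}

if __name__ == "__main__":
    report = compare(parse_neigh(BASELINE), parse_neigh(LATER))
    for ip, old, new, local in report["changed"]:
        flag = " (new MAC is locally administered)" if local else ""
        print(f"binding changed: {ip} {old} -> {new}{flag}")
    for ip, mac in report["new"]:
        print(f"new neighbor: {ip} {mac}")
```

A changed binding is exactly what a replaced NIC, a VRRP/HSRP gateway failover or a re-imaged VM also produces, so this is an alerting heuristic (the same idea tools such as arpwatch implement), not a blocking control; the gateway entry changing to a locally administered address, as in the sample, is the case most worth a prompt look.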

http://en.wikipedia.org/wiki/MAC_address
