Introduction
The purpose of this document is to provide some very basic vocabulary
terms, definitions, and descriptions of how IP numbers, IP names, and
DNS are used by the current ILCSO-provided online services. This
document should put some of the processes and networking activity in
perspective and tries to address the "what is it and why do I need
it?" questions that many ILCSO library staff have. If you would like
more information about these topics I can recommend TCP/IP for Dummies
by Marshall Wilensky and Candace Leiden, ISBN: 1-56884-241-4. If you
are already familiar with the networking vocabulary presented, you
might want to skip to the material on page 3.
IP Numbers
Each device used by or for Internet access (e.g., servers,
workstations, printers, routers, etc.) must be identifiable to the
Internet by a unique number. These are IP numbers (IP stands for
Internet Protocol - the second half of TCP/IP). Ranges of IP numbers
are assigned to an institution (upon request by the institution, or on
the institution's behalf by its ISP) by a national clearinghouse
(InterNIC). Every network, whether it's an educational institution,
government office, or commercial organization requests IP numbers from
InterNIC.
IP numbers are 32-bit numbers, written as four sections of eight bits
each (each section, separated from the others by a ".", is called an
"octet"). Most ILCSO institutions have "Class C" IP numbers, which
means that the first three octets describe the institution itself, and
the last octet describes a particular server, workstation, etc.
The parts of the IP number are: octet1.octet2.octet3.octet4.
Example: 123.45.67.89
         |   |  |  |
         |   |  |  4th octet (89)
         |   |  3rd octet (67)
         |   2nd octet (45)
         1st octet (123)
In this example, 123.45.67.* was assigned to an individual institution
by InterNIC. The institution can then assign the numbers available in
the last octet (possible numbers are 1 - 254) to its networked devices
any way it chooses. If an institution requests a range of IP numbers
as shown above, its network can contain up to 254 numbered devices
before it runs out of IP numbers.
Larger institutions can request a range such as 123.45.*.* which then
gives them not only the 254 numbers available in the last octet, but,
in addition, the 254 possible numbers in the third octet, giving the
institution a total of 64,516 (254 x 254) possible IP numbers to
assign.
Institutions that need somewhere between 254 and 64,516 IP numbers can
request IP ranges in blocks of 254 as predicted or needed.
IP Names
Most institutions then assign an IP name to a machine. Names are
typically alphanumeric and (at least to the network administrator)
mnemonic or symbolic. For example, an e-mail server may be assigned a
name such as "email." An IP name also includes the institution's name
and type of institution it is. For example, 123.45.67.89's name may be
email.university.edu. A library may use a scheme such as libpub1,
libpub2, libpub3 to name its public access machines; the institution
may then use southlab1, southlab2, southlab3, etc. to name the
machines in its Computer Labs on the south campus or against the south
wall of the lab.
The complete IP name, such as libpub3.university.edu (which might be
the symbolic form of 123.45.67.109) is called a "Fully Qualified
Domain Name." When looking at a machine's IP name and comparing it to
its IP number, note that the name is read left-to-right to discern the
lowest-to-highest hierarchy (libpub3 is the lowest name in the domain
hierarchy; .edu is the highest). The IP number's hierarchy is the
reverse: 123.45.67 describes the institution, while .109 is the lowest
domain annotation. The ".edu" aspect of the IP name is not reflected
in the IP number at all.
There are a large number of directory and configuration files that go
into supporting an institution's network and many of these files
require lists of the machines that can use or are defined for a
particular service. These directory and configuration files may be
required or replicated on many servers throughout an institution. As
these different servers need to be updated, it is much easier for the
humans doing the updating to recognize and interpret IP names than the
IP numbers; names are also less prone to typos than numbers.
As a number of ILCSO libraries have already found out, IP numbers may
change. This could be the result of changing ISPs (not all ISPs can
re-use the IP numbers used by a previous ISP), or the institution may
have found a reason to reallocate existing IP numbers among and
between its departments. If this should happen, the IP name should not
have to change (email.university.edu) although its IP number does
change.
What is DNS?
DNS stands for Domain Name System (or Service). Online tables in an
institution's DNS server contain both IP numbers and names. DNS
servers perform the function of translating IP names into IP numbers
and vice versa. This process is called "resolving" the name. DNS
resolves "email.university.edu" into 123.45.67.89; 123.45.67.109 into
"libpub3," etc. When an IP number (or, less frequently, an IP name)
changes, a network administrator needs to change a table entry in the
DNS. Though tedious, this process, done once, is much more efficient
than changing addresses in multiple security files that do not refer
to a DNS.
For its DNS to work properly, both locally and as part of the Internet,
an institution should use the DNS to "register" every IP name it assigns
to the IP numbers it requested from InterNIC. Each institution (or its
ISP) has to maintain its own DNS server. DNS servers from different
institutions share data, so that registered address information gets
"propagated" around the Internet.
We rely on DNS for authentication on our ILCSO servers. Our services,
including IBIS and ILLINET Online, use DNS recognition, for example,
to customize database offerings and set search scope. When a server
receives a connection from a client, the server does a lookup on the
IP address to find the client computer's DNS Name. If the IP resolves
to a "something.xxx.edu" (where xxx is the domain name of an ILCSO
institution), then the server knows that the request is from an ILCSO
member library and reacts with the appropriate level of service.
While implementing this authentication scheme, we have noticed that
some ILCSO member institutions have "A Records" (Name to IP mapping),
but do not have "PTR Records" (IP to Name mapping) in their DNS
servers. Another problem often appears when institutions change
Internet Service Providers. Much work is done to make sure DNS names
can be resolved to the new IP Addresses, but arrangements are not made
for their new ISP to forward PTR queries on to the appropriate DNS
servers so that the IP Addresses can be resolved back to DNS Names.
(The primary reason that America Online users have trouble accessing
some online services is that AOL gets IP numbers from InterNIC but
does not then register the IP names with InterNIC. Thus, any service
that checks IP names can find no information about the AOL user's
address and so refuses access.)
Why does AITS do a "Reverse DNS Lookup"?
AITS does not require a unique log-in on its servers for public
ILCSO-provided systems. The DNS processes that AITS and various online
vendors use provide machine-level security for access to services.
(Some online services require an individual's ID to provide enhanced
services, such as Ovid's save search or SDI features or to place a
request in ILLINET Online, but basic searching is available to
unidentified "guests" in all systems.)
As a deterrent to ill-intentioned hackers (who presumably prefer
anonymity), AITS servers do a "reverse DNS lookup" to resolve the IP
addresses of workstations connecting to them. Workstations whose
addresses cannot be resolved, because they have not been defined in a
DNS, will not be allowed to connect to AITS-supported services. In
other words, ILCSO libraries should define all of their addresses in a
DNS. If library services are to be made available through a
campus-wide network, each machine that might use the library services
should be defined in the campus' DNS servers.
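The reverse-lookup check described in the two sections above, as an added example that is not part of the original document or of any AITS software: a Python routine that resolves a connecting IP number to its name, confirms that the name resolves back to the same IP number (a step added here beyond what the text describes), and then checks the domain against a list of member domains. The DNS tables, the member list and any host names beyond the document's own examples are constructed sample data; `system_ptr` and `system_a` are assumed wrappers around the OS resolver for live use.

```python
import socket
# Constructed sample DNS tables standing in for real resolvers (123.45.67.*
# and university.edu are the document's own placeholder values).
A_RECORDS = {                     # name -> IP (forward lookup)
    "email.university.edu": "123.45.67.89",
    "libpub3.university.edu": "123.45.67.109",
    "southlab1.university.edu": "123.45.67.120",  # A record but no PTR record
    "stale.university.edu": "123.45.67.201",      # renumbered; PTR not updated
    "host.elsewhere.com": "98.76.54.3",
}
PTR_RECORDS = {                   # IP -> name (reverse lookup)
    "123.45.67.89": "email.university.edu",
    "123.45.67.109": "libpub3.university.edu",
    "123.45.67.200": "stale.university.edu",
    "98.76.54.3": "host.elsewhere.com",
}
MEMBER_DOMAINS = ("university.edu",)  # constructed list of member domains

def table_ptr(ip):
    return PTR_RECORDS.get(ip)

def table_a(name):
    return A_RECORDS.get(name)

def system_ptr(ip):
    """Live reverse lookup via the OS resolver; pass as ptr= for real use."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_a(name):
    """Live forward lookup via the OS resolver; pass as a= for real use."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify_client(ip, ptr=table_ptr, a=table_a, members=MEMBER_DOMAINS):
    """Return (allowed, reason); reason is the resolved name when allowed."""
    name = ptr(ip)
    if name is None:
        return False, "no PTR record"     # the failure mode the text describes
    # Forward confirmation (added to the text's scheme): the PTR name's A record
    # must point back at the connecting IP, so a stale reverse entry is not trusted.
    if a(name) != ip:
        return False, "PTR name does not resolve back to this IP"
    if not any(name == d or name.endswith("." + d) for d in members):
        return False, "not a member domain"
    return True, name
```

For a live check, call `classify_client(ip, ptr=system_ptr, a=system_a, members=(...))` with the real member domain list.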
How does DHCP fit into the picture?
Dynamic Host Configuration Protocol is a common scheme used by network
administrators to assign IP Numbers to a pool of workstation sessions.
DHCP is a framework for passing configuration information to hosts on
a TCP/IP network. It enables automatic allocation of reusable network
addresses and additional configuration options. We are not opposed to
sites using DHCP. However, since our servers use DNS Names for
authentication, we do request that DNS Administrators give a DNS Name
to all IP Addresses that will be used by the DHCP server. An example
of this would be to give the IP Address 10.20.30.100 the name
'dhcp100.xxx.edu' (where 'xxx' is an ILCSO institution domain name),
so that it resolves to that institution's domain.
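Giving every address in a DHCP pool a DNS name, as requested above, as an added example that is not from the original document: Python that writes matching A and PTR records as BIND-style zone-file lines (an assumed format; the page names no DNS software) for a pool such as 10.20.30.100 to 10.20.30.102 under xxx.edu, plus a small audit that lists names whose A record has no matching PTR record. The pool range and the audit inputs are constructed sample data.

```python
def reverse_zone(prefix):
    """Reverse-lookup zone for a three-octet prefix:
    '10.20.30' -> '30.20.10.in-addr.arpa' (octets reversed, as PTR zones require)."""
    a, b, c = prefix.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"

def dhcp_pool_records(prefix, first, last, domain, label="dhcp"):
    """Return (forward_zone_lines, reverse_zone_lines) giving every address
    prefix.first .. prefix.last both an A record and a matching PTR record,
    named label<host>.domain as in the text's dhcp100.xxx.edu example."""
    if not 1 <= first <= last <= 254:
        raise ValueError("host octet must lie within 1..254")
    forward = [f"$ORIGIN {domain}."]                  # forward zone header
    reverse = [f"$ORIGIN {reverse_zone(prefix)}."]    # reverse zone header
    for host in range(first, last + 1):
        hostname = f"{label}{host}"
        forward.append(f"{hostname}  IN  A    {prefix}.{host}")
        # PTR target is a fully qualified name, hence the trailing dot
        reverse.append(f"{host}  IN  PTR  {hostname}.{domain}.")
    return forward, reverse

def names_without_ptr(a_records, ptr_records):
    """Audit helper: names that have an A record but whose IP number has no
    PTR record pointing back at them (the gap the text reports at member sites)."""
    return sorted(name for name, ip in a_records.items()
                  if ptr_records.get(ip) != name)

if __name__ == "__main__":
    fwd, rev = dhcp_pool_records("10.20.30", 100, 102, "xxx.edu")
    print("\n".join(fwd))
    print("\n".join(rev))
```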
Why do libraries still need to keep track of IP numbers?
IP-based user authorizations are handled differently by different
service providers. Whereas AITS prefers to use IP names, the Gale
Group, for instance, uses IP numbers.
If your library subscribes through ILCSO to Gale Group databases and
you want to offer your users access to InfoTrac Web, you will need to
send the range of numeric IP addresses that should have access to
InfoTrac to Martin Borg at martin.borg@galegroup.com. (Please send a
copy of your note to the ILCSO Office at
oncall@listserv.ilcso.uiuc.edu.)
What to do if your institution's IP numbers change
Should, for whatever reason, your library's or institution's IP
numbers change, access to the services listed in the preceding section
will stop. You must inform each of the service providers named above
of the change in IP numbers, preferably ahead of the scheduled change
so the service providers know the change is coming, and then again a
day or two before the change happens. This will allow the service
providers time to make the necessary changes at their ends so that
service is interrupted for only a short time.