IP Addressing and Routing for SLIP and PPP

[Terminology] [Addressing Schemes] [Proxy-ARP Networking] [Seperate Dialup Net] [Server Assigned IP addresses] [Connecting Two Networks] [Special Addressing Case] [Connecting Hosts that Move] [Connect a Network via an ISP] [Finding Routing Problems] [Where To Go From Here]

Introduction

IP address selection and routing are intimately connected. You cannot discuss one without at least mentioning the other. Routing is how the packets know where to go in the network. Using a wrong IP address can screw up routing for more than just the machine with the wrong IP address, in worst case it can cause the whole network to fail! Fortunately, we've never seen anything approaching worst case yet.

IP addresses are not selected at random, they are assigned by certain administrators within your organization. However, the ultimate authority on IP addresses comes from the Network Information Center (NIC), which arbitrates the whole Internet.

Terminology

I will refer to the host running PPP that is connected to the larger network, normally your local LAN (or the Internet), as the server host. The host running PPP connected to the smaller network is the client host. In particular, if there is only the one machine on the client network, it is known as isolated or stand alone. Unless otherwise stated, SLIP and PPP are interchangeable in this document.

The IP address for a PPP-client is determined by the IP network to which the PPP-server is connected. There are 3 general cases to consider, and one special case (also referred to as a "borderline" case).

The first cases deal with stand-alone or isolated machines. There is a fuzzy dividing line between "a few" and "a lot" of standalone hosts wanting to be PPP-connected to one network. 1-5 hosts is definitely "a few", 50 is definitely "a lot". The difference is that "a few" puts the clients on the same IP network as the server(s). Conversely, "a lot" puts all the clients on their own "ppp-net", using another IP network number. IP network numbers are in limited supply, so it makes sense to not "waste" them.

Addressing Schemes

"A Few" Clients (Proxy ARP)

The first case deals with "a few" isolated machines to become PPP clients. Each client is expected to not grow into a multiple-host network site, for which this technique is not appropriate (although there is a special case that works, with a lot of manual configuration).

In this case, the easiest solution is to use an IP address on the network of the server. The client sets up a default route through the PPP interface, and the server does a "proxy arp" for the client. This makes the least demands on routing. On the client, the rest of the world is accessed via the PPP interface and the server acts in proxy for the client for packets going the other way. The client has it's Ethernet interface disabled, using one of the following techniques:

  1. `chkconfig network off` and rebooting (IRIX 5.3 and earlier only. In 6.2 and later, this can cause problems with PPP).
  2. Leave the IP address associated with `hostname` (the same as the contents of /etc/sys_id) as the default 192.0.2.1. You will have to explicitely specify localhost= in /etc/ppp.conf (or the equivalent for SLIP), if you are using static IP address assignment.
  3. Create (or edit) the file /etc/config/ifconfig-1.options to contain the value "down".
The second case is generally the preferred one. For cases 2 and 3, you will have to explicitely `chkconfig off ...` various inappropriate network daemons (routed, gated, yp, etc).

For example, let's connect an Indigo via PPP to an Internet site. We can understand the process by following a packet during the operation `ping sgigate.sgi.com`.

The example that follows shows the specific commands that should be executed on the client, after slip or ppp starts:
   route add net default server 1

Note: For IRIX-5.1 and later this can be done automatically by the slip or ppp process, see the man pages.

Disabling the Default (usually Ethernet) Interface

for SLIP and IRIX-6.2 and older PPP:
The following commands should be executed on the server:
   arp -s client `netstat -ian | grep :` pub
The part of the command `netstat -ian | grep :` returns the active ethernet address of the server. The ethernet address is changed by DecNet (4DDN) software, among others. Note that this command will fail if the server has multiple hardware interfaces, or has the Appleshare software installed, and you will have to determine the correct ethernet MAC address by a different mechanism, and hard-code it in the script. See the man page on arp.

It has been reported that some networks require the trail keyword (see the arp man page), I don't know what circumstances would require it.

for IRIX-6.3 and later PPP:
Put the following option into /etc/ppp.conf for this client:
         proxy_arp=ifname
Where ifname is the name of the interface that the client IP address is part of.

"A Lot" of Standalone Clients (PPP net)

The second case for "a lot" of standalone hosts is to assign a new IP network number (a "ppp-net") for SLIP or PPP clients to use. This method is simpler in some respects than the previous case.

Each client gets an IP address on the ppp-net. The client needs to setup a default route such as the one described above. The server can use the standard Irix routed configuration (although adding the "-F ppp-net" option to the router increases the available bandwidth). The client does not need to disable the Ethernet port unless it needs to communicate with other hosts on the ppp-net. In this case, both hosts need to disable the default network interface (above). You could, in fact, set up a small remote LAN using the ppp-net, but you would forever give up the ability to communicate with other, non-local, hosts on the ppp-net. In addition, routing to let the other machines communicate would be very tricky.

You can use the ppp-net with servers on multiple nets provided the routers on ALL possible routes between the networks pass host routes correctly. Currently, IRIS routers do this, but Cisco routers do not in older software releases, though they can be configured to not break things too badly. I don't know about other routers. This is the most "hands-off" mechanism, but is usually not justifiable for small numbers of PPP hosts.

Server Assigned Address

There is a variation of the previous case is common at many sites, including many Internet access providers. It is for the server to assign the clients IP address on connection. The server then requires only enough IP addresses for the number of ports, rather than the number of potential clients. This mechanism works on some SLIP implementations (not SGI's, though), and is part of the PPP spec, so it will work with any PPP implementation. For IRIX PPP you specify this in /etc/ppp.conf with the keyword:
    localhost=0,0

The advantage to the server is obvious -- minimum usage of IP addresses. The disadvantages are not so obvious: security is slightly weaker (one less bit of information a cracker needs), and the client can't use dynamic dialing mode ("quiet" mode for IRIX PPP) since the route can't be defined before the connection starts and the addresses have been negotiated. In addition, all existing TCP connections would fail if you got a different IP address when you reconnected.

Connecting Two Networks

The other major case is connecting a small remote LAN to a larger one (usually a campus LAN or WAN or the Internet). In this case, the remote LAN is given it's own IP network number, and the SLIP- or PPP-client gets one of the remote LAN IP addresses. Routing issues are much more important with this method. All hosts (if prior to IRIX-5.0) running SLIP must also run gated so they advertise the appropriate network routes to the other hosts on their respective LANs.

The PPP-client has a static default route to the PPP interface as in the previous case. However, because it runs gated, it advertises the default route to the other machines on the LAN.

If the server is running IRIX-4.x, then it will need to run gated (5.x and later routed seems to do the correct thing) to advertise the network route via the PPP link to the remote LAN. In addition, the next level router(s) may have to have it's (their) configuration modified to know about the additional IP network for which it must route. Since gated is difficult to configure, other approaches include setting up a static route on each of the client-side hosts, or have another machine, such as a router advertise the route.

Note: Click here for sample /usr/etc/gated.conf files. These configurations have been known to work in some cases, but I am definitely not a gated expert!.

If the server is running IRIX-5.2 or later, then routed and ppp seem to do the correct thing in most environments.

Special Addressing Case

This case describes a SLIP or PPP connection between a very small LAN consisting of 2 (or at most 3) hosts connected to the larger network or Internet. It may have grown out of the isolated host case, or an office that is expected to never grow any more.

All the hosts are assigned IP addresses from the IP network of the PPP-server. The server performs a proxy-ARP for all of the remote hosts. In addition, the PPP-client needs to ARP for each of the hosts on the other side for which they want a connection. At a minimum, this is the nearest router, the mail relay (if any), and any server machines. In addition, the client has a static default route pointing to the PPP interface and each of the other machines needs a static default route pointing to the PPP-client. The gory details, based upon an actual case, can be seen here.

Because of the need to maintain the ARP tables up-to-date, moving machines around can cause mysterious failures of the network. Note: Because of ARP caches, changes to the ARP tables via the ARP command may not take affect immediately. This can cause routing problems until the cache expires after the ARP mapping is explicitly deleted (via `arp -d` on IRISes, or removing the host), or times out. The ARP cache timeout is 20 minutes on IRISes and defaults to 4 hours on Cisco routers, and is very vendor dependent.

Connecting Hosts that Move

This is not recommended, but is frequently unavoidable. This typically occurs when a host moves back and forth between Ethernet and PPP connectivity to the same LAN segment. This is most commonly used in combination with Proxy-ARP routing, and problems frequently occur due to ARP cache timeouts. In this case, it is better that PPP (or SLIP) login as a shell script which will set and delete the Proxy ARP entry. An example portion of a PPP login script might look like:
arp -s client `netstat -ian | grep :` pub
ppp -r client
arp -d client
If problems persist, it is probably best to assign a different IP address for remote operation, even though they are on the same network.

Connect a Network via an ISP

Connecting your network to the Internet through an ISP is a common desire, once the benefits of connecting one host have been seen.

While the principles are the same as above, one factor makes it much more difficult: you have no control over routing on your ISP's end of the connection!. It doesn't matter that you've done everything needed on your end to route packets from your other machines to the machine with the modem (or ISDN, etc) connection, and you can get your connected machine to route packets back to your other hosts, if the ISP doesn't route packets from the Internet back to your network, you're out of luck.

There are 3 main methods to connect a network of hosts to the Internet. In all following descriptions, I will refer to the host with the Internet connection as a gateway:

a network ISP account instead of a single-host account
Your ISP will probably assign you a subnet to use. You need to renumber your hosts to use that subnet, and everything will work. You will likely get some assistance from the ISP when dealing with routing issues.
a Proxy server on the gateway host
A Proxy is a program that is run on the gateway (or other connection) host that acts as an intermediary for the other hosts on the network. The Internet hosts talks to the proxy, and since it runs on the gateway, the ISP only has to know about the one host. SOCKS is one of the more common proxy servers, and is free. The Netscape browser knows about SOCKS proxies, and the SOCKS code comes with SOCKS-ified versions of ftp and telnet. The TIS Firewall Kit also provides proxy capabilities, including (in some versions) a transparent proxy (so no special code is needed on the client hosts behind the gateway).
an Address Translator on the gateway host
Alternatively, you can put an IP address translation product on your gateway host. Sometimes this requires that a subnet be known to your ISP. It can be fewer hosts than you have behind the gateway, but is also the maximum number of simultaneous hosts with external connections. Some versions may alternatively translate port numbers as well, allowing the use of only one translated IP address.

All the mechanisms require that all your hosts be able to get nameservice. If your gateway is a proxy, then your gateway must run a nameserver or at least nameserver forwarding code. The first and third mechanism require that all your hosts have a default route to your gateway machine, and they can use that as a route to your ISPs nameserver. If the link will not be up permanently, then some mechanism of seperating your local nameservice from the Internet nameservice is required.

Nameservice for the local machine is handled by the /etc/resolv.conf configuration file (in addition to /etc/nsswitch.conf for IRIX-6.4 and later). To supply nameservice for your network, and to forward requests to your ISP's nameserver, you need to run named on your gateway machine.

Finding Routing Problems

The theory of the various routing mechanisms is described above. How do you go about finding and fixing routing problems? You always start close and work your way away. I recommend installing the optional subsystem eoe2.sw.ipgate, which contains a few useful tools, the most important being /usr/etc/traceroute.

First, check to see that you have a route to your destination. For most stand-alone clients, this usually means a default route. You check the status of networking stuff using the /etc/etc/netstat command. For example, to get the status of your network interfaces:

% netstat -in
Name Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs  Coll
ec0* 1500  192.0.2     192.0.2.1              0     0        0     0     0
lo0  8304  127         127.0.0.1          49150     0    49150     0     0
ppp0 1500  192.132.120 192.132.120.14    321347     0   246809     0     0
And to get the available routes:
% netstat -rn
Routing tables
Destination      Gateway            Flags    MTU    RTT RTTvar    Use Interface
127.0.0.1        127.0.0.1          UH         0      0      0  47763  lo0
192.132.120.14   127.0.0.1          UH         0      0      0   1247  lo0
default          192.132.120.1      UG         0      0      0 245797  ppp0
224.0.0.0        192.132.120.14     U          0      0      0   2397  lo0
The key here is the existence of the default route. A routing table like this is sufficient to get anywhere that routing on the server side allows.

The first test is make sure that you can ping your server, in this example 192.132.120.1:

% /usr/etc/ping 192.132.120.1
PING 192.132.120.1 (192.132.120.1): 56 data bytes
64 bytes from 192.132.120.1: icmp_seq=0 ttl=64 time=248 ms
64 bytes from 192.132.120.1: icmp_seq=1 ttl=64 time=249 ms
64 bytes from 192.132.120.1: icmp_seq=2 ttl=64 time=248 ms


----192.132.120.1 PING Statistics----
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 248/248/249 ms
At least your PPP link is working! Now try to get somewhere else. Let's try (note that traceroute needs to run as root):
# /usr/etc/traceroute -n www.sgi.com
traceroute to www.sgi.com (192.82.208.8), 30 hops max, 40 byte packets
 1  192.132.120.1  239 ms (ttl=64!)  240 ms (ttl=64!)  239 ms (ttl=64!)
 2  192.82.184.1  240 ms  241 ms  241 ms
 3  192.82.184.1  241 ms (ttl=254!) !H *  241 ms (ttl=254!) !H
This shows that packets can get to 192.82.184.1, but it doesn't know how to get to www.sgi.com (192.82.208.8). Therefore, your routing is fine, it is your ISP (or your server network) that is having routing problems. In this case, you can't do anything except call Your support contact for help.

traceroute is a way of determining the path that packets take on their way from the source location to the destination location. traceroute is a potentially dangerous command, since it picks "random" ports to probe to determine a path, unlike /usr/etc/ping, which uses pre-defined ports. ping can do a lot of tracing, but it isn't as powerful for complex problems as traceroute.


Where To Go From Here

Several standard places include: Or the Back button on your browser...


I hope and intend that this documentation can help you with your PPP connection problems. My other commitments (like work) permitting, I will attempt to help you on issues not covered, or that you are unclear on. Please make sure that you provide me a valid return email address! (I won't try to fix it).

Scott Henry <[email protected]>

Last modified: Sun Feb 1 13:52:11 1998