In practice, each IP address has typically been associated with a fixed hardware address (e.g., an Ethernet address).
This stable association has been used as the basis for IP-based security and network management and configuration schemes. IP addresses are also the usual way of finding network resources, such as servers on TCP/IP networks.
If the server's IP address changes, the Domain Naming System (DNS) must be reconfigured, or applications won't be able to connect with the server. In an environment with many changes, this maintenance can be time-consuming.
A Lack of Stability
Many network functions, including security, finding resources, and routing, assume stable addresses. Unfortunately, many of today's LAN environments tend to thwart such stability. Machines move from one network to another as departments grow or shrink, workgroups move from one set of machines to another, and networks are segmented to improve performance.
For every machine moved, the administrator has to change the IP address, default routers, DNS information, and all IP-address-dependent security. Thus, from the LAN administrator's point of view, the requirement to assign an IP address to each device on the LAN can create real management problems.
The simplest ways around such problems are often not practical. For example, having an IP address hard-wired to an Ethernet card, and then having that IP address determine security, configuration, and routing, makes sense only with stable usage patterns and nonmobile users.
Similarly, having one IP address per workstation makes sense if there are plenty of addresses to go around. However, because of the way IP addresses are allocated to companies, organizations frequently do not have enough addresses to assign a separate one to each device that's on a LAN.
Given these circumstances, there are two approaches to dealing with IP address management. The first is centralized management and storage for workstation-based TCP/IP stacks. The other is an IP gateway, providing a combination of centralized, automatic allocation of addresses; dynamic address pooling; and address sharing.
A Matter of Choice
The workstation-based stack and gateway approaches differ primarily in the extent to which address allocation is centralized and automated, and whether it's possible for multiple workstations to share a single IP address. Before discussing these differences, it's important to have a common definition of the terms.
With dynamic allocation, software allocates and deallocates a pool of addresses on the fly, in response to user needs. An example of dynamic allocation is sharing 10 IP addresses among 25 sporadic users. Such an approach might be used to give 25 users access to 10 shared Internet-access accounts. Each time a user requests an address, he or she may get a different one.
Automated allocation does not imply on-the-fly responses to user requests for IP addresses.
It simply means that a whole block of IP addresses can be allocated to hardware addresses in a single operation, instead of having to be allocated one at a time.
It's important to differentiate sharing addresses from pooling addresses. When one address is shared among multiple workstations, all the workstations can access the IP network simultaneously using that address. (This is typically possible only with gateways.) Software running on the gateway machine separates multiple IP data streams and routes them to the correct workstations based on the port number, a standard TCP/IP identifier for a software process or application (see the figure "Sharing Addresses").
This type of sharing is like mail coming to a company and being delivered to individual boxes through company mail. Each workstation needs its own port number -- just as each employee needs a unique internal address. But as with the public mail system, the routers and gateways outside the LAN must pay attention only to the corporate address.
With address pooling, each workstation has a unique IP address while that workstation is on the IP network. Centralized IP management software allocates a given IP address to a workstation when the workstation requests access to the IP network, and deallocates the address and returns it to the pool when the workstation is through using the IP network. Each time the workstation needs IP access, it may use a different address.
Address sharing is possible when workstations need to act only as clients and therefore no one needs to find them through the DNS. For instance, multiple FTP and telnet clients on the same network, or even the same machine, can share a single address. This is also true for clients for NFS, Mosaic, gopher, mail, and news. Clients need unique IP port numbers for these applications, but they can share a single address.
In contrast, servers require a unique IP address. If they are to be located through the DNS, they must have fixed addresses. FTP and NFS servers fall into this category. Some servers (e.g., X servers) are not typically registered with the DNS. They need a unique address, but not necessarily a fixed address, and are therefore suited to address pooling but not address sharing.
What's the Difference?
With pure workstation-based TCP/IP, address allocation and management are decentralized, static, and manual. The administrator assigns the IP address when the software is installed at the workstation. The address can be changed at the workstation as needed. Typically, though, once an address is allocated, it isn't changed. There's no automated assignment or changing of IP addresses; addresses are allocated one-by-one. There's also no way for multiple workstations to share a single IP address.
However, on a LAN, there may be centralized management and storage for workstation-based TCP/IP stacks. Centralized management and storage of IP addresses is typically based on one of two standard protocols, BOOTP or DHCP, for passing configuration information (including IP-address information) to devices on an IP network. BOOTP and DHCP do not lend themselves to address sharing -- they assume one TCP/IP stack and IP address per workstation.
Using such centralized facilities, a LAN administrator can assign and change IP addresses from a single management console, as well as do a variety of other tasks, including specifying a DNS server and a default gateway for each workstation.
The central management utility can also automate the process of assigning IP addresses. For instance, the administrator can manually type in a list of IP addresses, which the management utility automatically allocates to hardware addresses. An IP address can be reserved for a particular user or simply assigned from a pool. However, a single address cannot be shared.
Gateways, on the other hand, are much more flexible. They provide any combination of centralized, automatic allocation of addresses; dynamic address pooling; and address sharing. A gateway can be configured to share a single address among all the workstations on the LAN.
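The three mechanisms just described (a pool of addresses lent out per session, a reserved address that is never lent to anyone else, and one address shared by many clients and demultiplexed by port number) can be modeled in a few dozen lines. The following is an added illustration written for this page; it is not code from the article or from any vendor's gateway product, and the addresses, Ethernet addresses, and port numbers in it are constructed for the demonstration. It also shows the two edge cases the text implies: what happens when the pool runs dry, and why a shared address cannot receive unsolicited traffic for a server.

```python
# Added example (not from the article or any product): a toy model of
# dynamic address pooling, reserved addresses, and port-based address sharing.
# All names, addresses, and port numbers below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AddressPool:
    """Dynamic pooling: an active workstation holds a unique address for the
    length of its session and returns it afterwards. Addresses reserved for a
    hardware address (the BOOTP/DHCP-style reservation the article mentions)
    are never lent to anyone else."""
    free: List[str]
    reserved: Dict[str, str] = field(default_factory=dict)  # ethernet -> address
    leases: Dict[str, str] = field(default_factory=dict)    # ethernet -> address

    def allocate(self, ethernet: str) -> Optional[str]:
        if ethernet in self.leases:            # already on the network: same lease
            return self.leases[ethernet]
        if ethernet in self.reserved:          # fixed address, e.g. for a server
            self.leases[ethernet] = self.reserved[ethernet]
            return self.leases[ethernet]
        if not self.free:
            return None                        # pool exhausted: caller must wait
        self.leases[ethernet] = self.free.pop(0)
        return self.leases[ethernet]

    def release(self, ethernet: str) -> None:
        addr = self.leases.pop(ethernet, None)
        if addr is not None and addr not in self.reserved.values():
            self.free.append(addr)             # back to the tail of the pool


class SharingGateway:
    """Address sharing: every client on the LAN goes out under one address,
    and the gateway tells the returning streams apart by port number."""

    def __init__(self, shared_address: str, first_port: int = 40000) -> None:
        self.shared_address = shared_address
        self.next_port = first_port
        self.by_outside: Dict[int, Tuple[str, int]] = {}  # outside port -> (station, port)
        self.by_inside: Dict[Tuple[str, int], int] = {}   # (station, port) -> outside port

    def outbound(self, station: str, inside_port: int) -> Tuple[str, int]:
        """A client opens a connection: assign (or reuse) an outside port."""
        key = (station, inside_port)
        if key not in self.by_inside:
            port = self.next_port
            self.next_port += 1
            self.by_inside[key] = port
            self.by_outside[port] = key
        return (self.shared_address, self.by_inside[key])

    def inbound(self, outside_port: int) -> Optional[Tuple[str, int]]:
        """Data arrives for the shared address: which workstation owns it?
        A port no client opened has no owner, which is why a shared address
        cannot serve a host that others must find through the DNS."""
        return self.by_outside.get(outside_port)


def demo_pool() -> Dict[str, Optional[str]]:
    """Three pooled addresses, one reservation, four sporadic workstations."""
    pool = AddressPool(free=["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                       reserved={"00:00:c0:00:00:99": "192.0.2.50"})
    out: Dict[str, Optional[str]] = {}
    out["ws1"] = pool.allocate("00:00:c0:00:00:01")            # 192.0.2.10
    out["ws2"] = pool.allocate("00:00:c0:00:00:02")            # 192.0.2.11
    out["ws3"] = pool.allocate("00:00:c0:00:00:03")            # 192.0.2.12
    out["ws4_first_try"] = pool.allocate("00:00:c0:00:00:04")  # None: pool empty
    pool.release("00:00:c0:00:00:01")                          # ws1 ends its session
    out["ws4_retry"] = pool.allocate("00:00:c0:00:00:04")      # gets 192.0.2.10
    out["server"] = pool.allocate("00:00:c0:00:00:99")         # always 192.0.2.50
    return out


def demo_sharing() -> Dict[str, object]:
    """Two clients that both picked local port 1024 share one outside address."""
    gw = SharingGateway("198.51.100.7")
    out: Dict[str, object] = {}
    out["ws1"] = gw.outbound("ws1", 1024)
    out["ws2"] = gw.outbound("ws2", 1024)
    out["reply_to_ws2"] = gw.inbound(out["ws2"][1])  # routed back to ("ws2", 1024)
    out["unsolicited"] = gw.inbound(50000)           # nobody opened it: no owner
    return out


if __name__ == "__main__":
    print(demo_pool())
    print(demo_sharing())
```

Note that the pool hands a released address straight to the next requester, which is the behaviour that makes IP-keyed security unreliable under pooling: the address that identified one workstation a moment ago now identifies another.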
The advantage to the gateway approach is that pooling addresses or sharing a single address can greatly simplify the task of IP-address administration on LANs. Not only do these techniques reduce the number of addresses, they also make it possible to adapt automatically and transparently to moves and changes. Such an approach also lends itself to handling mobile users. If a machine moves from one LAN to another, there's no need to change the machine's IP address or default router, because it doesn't have an IP address of its own.
Similarly, a user can move to a new machine without creating any problems. User workstations require no configuration. All configuration information resides centrally on the file server and can be associated with the user ID, group name, or Ethernet address.
With address pooling or sharing, it's not always possible to tie security or configuration to IP addresses, which may not be associated with any particular machine or user. Instead, the gateway management software may support security and configuration tied to the user ID, group membership, or Ethernet address.
Using such characteristics may offer a degree of flexibility not normally available when configuration and security are associated with IP addresses, which are in turn associated with the Ethernet address. For instance, a user will always have the same user ID, no matter which workstation he or she is using. Thus, transplanted workgroups and mobile users can have the same security and configuration wherever they go.
There are fault-tolerance implications to using gateways, too. If a user's machine fails, he or she can easily use another machine. The ability to configure by group achieves the same level of flexibility without having to define security and configuration for each individual. On the other hand, if it's desirable to associate security and configuration information with a particular machine, that can be accomplished via the Ethernet address.
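The following added example (written for this page, not taken from the article or from any product) shows what resolving security and configuration from user ID, group, and Ethernet address looks like in practice, and why keying the same information to a pooled IP address goes wrong. The policy table, the merge rule (permitted applications are unioned, other settings override), and the precedence order (group, then Ethernet address, then user) are all assumptions made for the illustration.

```python
# Added example (not from the article or any product): resolve security and
# configuration from user ID, group, and Ethernet address rather than from an
# IP address that, under pooling, may belong to someone else next session.
# The policy table, merge rule, and precedence are constructed assumptions.
from typing import Dict, Iterable

Config = Dict[str, object]

# Constructed sample policy. "allow" names the TCP/IP applications permitted.
POLICY = {
    "group": {
        "engineering": {"dns_server": "10.0.0.53", "default_router": "10.0.0.1",
                        "allow": {"ftp", "telnet", "nfs"}},
        "guests": {"dns_server": "10.0.0.53", "default_router": "10.0.0.1",
                   "allow": {"mail"}},
    },
    "user": {
        "alice": {"allow": {"news"}},              # extra on top of her groups
    },
    "ethernet": {
        "00:00:c0:00:00:42": {"allow": {"x"}},     # lab machine runs an X server
    },
}


def merge(into: Config, extra: Config) -> None:
    """Assumed merge rule: 'allow' sets are unioned, other keys override."""
    for key, value in extra.items():
        if key == "allow":
            into["allow"] = set(into.get("allow", set())) | set(value)
        else:
            into[key] = value


def resolve(user: str, groups: Iterable[str], ethernet: str) -> Config:
    """Assumed precedence: group entries first, then the machine's Ethernet
    address, then the user, so a user-specific setting always wins."""
    config: Config = {"allow": set()}
    for group in groups:
        merge(config, POLICY["group"].get(group, {}))
    merge(config, POLICY["ethernet"].get(ethernet, {}))
    merge(config, POLICY["user"].get(user, {}))
    return config


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # The same user on two workstations gets identical rights; on the lab
    # machine the Ethernet-address entry adds that machine's own extra.
    out["alice_ws1"] = resolve("alice", ["engineering"], "00:00:c0:00:00:01")
    out["alice_lab"] = resolve("alice", ["engineering"], "00:00:c0:00:00:42")
    # An IP-keyed table breaks under pooling: alice releases 192.0.2.10, the
    # pool hands it to a guest, and the guest inherits alice's rights.
    ip_keyed = {"192.0.2.10": out["alice_ws1"]}
    guest_seen_as_alice = ip_keyed["192.0.2.10"]
    out["guest_misattributed"] = "nfs" in guest_seen_as_alice["allow"]
    # Keyed to the guest's own identity, the lookup stays correct.
    bob = resolve("bob", ["guests"], "00:00:c0:00:00:07")
    out["guest_correct"] = "nfs" in bob["allow"]
    return out


if __name__ == "__main__":
    print(demo())
```

The Ethernet-address entry is what the article describes as tying configuration to a particular machine; it layers on top of the user's rights without replacing them, so a user who moves to that machine keeps everything he or she had elsewhere.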
Given these choices, many managers are opting for the gateway approach to providing IP connectivity for LAN users. It offers less administrative work to manage user moves, adds, and changes. Also, there's less work handling changes in the rapidly changing networking environment found in many corporations.
-- Address sharing: A single address is shared among multiple workstations, and all the workstations can access the IP network simultaneously using that address.
-- Address pooling: Each workstation has a unique IP address while that workstation is on the IP network. The address is deallocated after the session is complete. Each time the workstation needs IP access, it may use a different address.
-- Automatic allocation: Blocks of IP addresses can be allocated in a single operation rather than being allocated one at a time.
-- Dynamic allocation: Software allocates and deallocates a pool of addresses in response to user needs.
Figure "Sharing Addresses": A gateway leaves the client unchanged and lets multiple clients share one IP address, thus reducing the administrative work required to support a large number of users.
Bob Schoettle is vice president of Firefox Communications, Inc. (San Jose, CA). Firefox supplies server-based TCP/IP communications software for NetWare LANs. You can reach him on the Internet or BIX at editors@bix.com.