October 2, 1997
{Addendum on DNS recognition and DHCP 1/23/2001. References to UnCover removed 10/18/01.}
To: ILCSO Operations Committee Representatives
From: Anne Hudson, ILCSO Office
Re: IP Numbers, IP Names, and DNS
Introduction
The purpose of this document is to provide some very basic vocabulary terms, definitions, and descriptions of how IP numbers, IP names, and DNS are used by the current ILCSO-provided online services. This document should put some of the processes and networking activity in perspective and tries to address the "what is it and why do I need it?" questions that many ILCSO library staff have. If you would like more information about these topics I can recommend TCP/IP for Dummies by Marshall Wilensky and Candace Leiden, ISBN: 1-56884-241-4. If you are already familiar with the networking vocabulary presented, you might want to skip to the material on page 3.
IP Numbers
Each device used by or for Internet access (e.g., servers, workstations, printers, routers, etc.) must be identifiable to the Internet by a unique number. These are IP numbers (IP stands for Internet Protocol - the second half of TCP/IP). Ranges of IP numbers are assigned to an institution (upon request by the institution, or on the institution's behalf by its ISP) by a national clearinghouse (InterNIC). Every network, whether it's an educational institution, government office, or commercial organization requests IP numbers from InterNIC.
IP numbers are 32 bit numbers, parsed into four sections of eight bits each (each section, separated from the others by a "." is called an "octet."). Most ILCSO institutions have "Class C" IP numbers, which means that the first three octets describe the institution itself, and the last octet describes a particular server, workstation, etc.
The parts of the IP number are: octet1.octet2.octet3.octet4.
Example: 123.45.67.89
  1st octet: 123
  2nd octet: 45
  3rd octet: 67
  4th octet: 89
In this example, 123.45.67.* was assigned to an individual institution by InterNIC. The institution can then assign the numbers available in the last octet (possible numbers are 1 - 254) to its networked devices any way it chooses. If an institution requests a range of IP numbers as shown above, its network can contain up to 254 numbered devices before it runs out of IP numbers.
Larger institutions can request a range such as 123.45.*.* which then gives them not only the 254 numbers available in the last octet, but, in addition, the 254 possible numbers in the third octet, giving the institution a total of 64,516 (254 x 254) possible IP numbers to assign.
Institutions that need somewhere between 254 and 64,516 IP numbers can request IP ranges in blocks of 254 as predicted or needed.
IP Names
Most institutions then assign an IP name to a machine. Names are typically alphanumeric and (at least to the network administrator) mnemonic or symbolic. For example, an e-mail server may be assigned a name such as "email." An IP name also includes the institution's name and type of institution it is. For example, 123.45.67.89's name may be email.university.edu. A library may use a scheme such as libpub1, libpub2, libpub3 to name its public access machines; the institution may then use southlab1, southlab2, southlab3, etc. to name the machines in its Computer Labs on the south campus or against the south wall of the lab.
The complete IP name, such as libpub3.university.edu (which might be the symbolic form of 123.45.67.109) is called a "Fully Qualified Domain Name." When looking at a machine's IP name and comparing it to its IP number, note that the name is read left-to-right to discern the lowest-to-highest hierarchy (libpub3 is the lowest name in the domain hierarchy; .edu is the highest). The IP number's hierarchy is the reverse: 123.45.67 describes the institution, while .109 is the lowest domain annotation. The ".edu" aspect of the IP name is not reflected in the IP number at all.
There are a large number of directory and configuration files that go into supporting an institution's network and many of these files require lists of the machines that can use or are defined for a particular service. These directory and configuration files may be required or replicated on many servers throughout an institution. As these different servers need to be updated, it is much easier for the humans doing the updating to recognize and interpret IP names than the IP numbers; names are also less prone to typos than numbers.
As a number of ILCSO libraries have already found out, IP numbers may change. This could be the result of changing ISPs (not all ISPs can re-use the IP numbers used by a previous ISP), or the institution may have found a reason to reallocate existing IP numbers among and between its departments. If this should happen, the IP name should not have to change (email.university.edu) although its IP number does change.
What is DNS?
DNS stands for Domain Name System (or Service). Online tables in an institution's DNS server contain both IP numbers and names. DNS servers perform the function of translating IP names into IP numbers and vice-versa. This process is called "resolving" the name. DNS resolves "email.university.edu" into 123.45.67.89; 123.45.67.109 into "libpub3," etc. When an IP number (or, less frequently, an IP name) changes, a network administrator needs to change a table entry in the DNS. Though tedious, this process, done once, is much more efficient than changing addresses in multiple security files that do not refer to a DNS.
For its DNS to work properly, locally and as part of the Internet, an institution should use the DNS to "register" every IP name it assigns to the IP numbers it requested from InterNIC. Each institution (or its ISP) has to maintain its own DNS server. DNS servers from different institutions share data, so that registered address information gets "propagated" around the Internet.
We rely on DNS for authentication on our ILCSO servers. Our services, including IBIS and ILLINET Online, use DNS recognition, for example, to customize database offerings and set search scope. When a server receives a connection from a client, the server does a lookup on the IP address to find the client computer's DNS name. If the IP resolves to a "something.xxx.edu" (where xxx is the domain name of an ILCSO institution), then the server knows that the request is from an ILCSO member library and reacts with the appropriate level of service.
While implementing this authentication scheme, we have noticed that some ILCSO member institutions have "A Records" (Name to IP mapping), but do not have "PTR Records" (IP to Name mapping) in their DNS servers. Another problem often appears when institutions change Internet Service Providers. Much work is done to make sure DNS names can be resolved to the new IP Addresses, but arrangements are not made for their new ISP to forward PTR queries on to the appropriate DNS servers so that the IP Addresses can be resolved back to DNS Names.
(The primary reason that America Online users have trouble accessing some online services is that AOL gets IP numbers from InterNIC but does not then register the IP names with InterNIC. Thus, any service that checks IP names can find no information about the AOL user's address and so refuses access.)
Why does AITS do a "Reverse DNS Lookup"?
AITS does not require a unique log-in on its servers for public ILCSO-provided systems. The DNS processes that AITS and various online vendors use provide machine-level security for access to services. (Some online services require an individual's ID to provide enhanced services, such as Ovid's save search or SDI features or to place a request in ILLINET Online, but basic searching is available to unidentified "guests" in all systems.)
As a deterrent to ill-intentioned hackers (who presumably prefer anonymity), AITS servers do a "reverse DNS lookup" to resolve the IP addresses of workstations connecting to them. Workstations whose addresses cannot be resolved, because they have not been defined in a DNS, will not be allowed to connect to AITS-supported services. In other words, ILCSO libraries should define all of their addresses in a DNS. If library services are to be made available through a campus-wide network, each machine that might use the library services should be defined in the campus' DNS servers.
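The reverse-lookup check described in the two sections above (the PTR lookup on the client's address, the "A record but no PTR record" failure, and the domain-suffix test against member institutions), written out as an added Python example that is not part of this memo or of the AITS servers. It goes one step beyond the memo by also forward-confirming the name, i.e. checking that the name returned by the PTR record has an A record pointing back at the same IP, since the reverse zone for an address is controlled by whoever holds that address block, not by the institution the name claims. The DNS tables, names and addresses below are constructed samples; the live_* helpers show the same check against the real resolver.

```python
import socket

# Constructed sample DNS data for a fictional member domain "xxx.edu"
# (not taken from the memo). Forward (A) and reverse (PTR) tables.
SAMPLE_A = {
    "libpub3.xxx.edu": "123.45.67.109",
    "dhcp100.xxx.edu": "10.20.30.100",
    "spoof.xxx.edu": "198.51.100.9",   # A record disagrees with the PTR below
}
SAMPLE_PTR = {
    "123.45.67.109": "libpub3.xxx.edu",
    "10.20.30.100": "dhcp100.xxx.edu",
    "203.0.113.7": "spoof.xxx.edu",    # PTR in a foreign reverse zone claims xxx.edu
    # 198.51.100.5 deliberately has no PTR: the "A record only" case
}

def reverse_lookup(ip, ptr=SAMPLE_PTR):
    """IP -> name via the constructed PTR table; None if no PTR record."""
    return ptr.get(ip)

def forward_lookup(name, a=SAMPLE_A):
    """Name -> IP via the constructed A table; None if no A record."""
    return a.get(name)

def live_reverse(ip):
    """Same lookup against the real resolver (PTR query)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_forward(name):
    """Same lookup against the real resolver (A query)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def authorize(ip, member_domains, reverse=reverse_lookup, forward=forward_lookup):
    """Return (allowed, reason). Allowed only if the IP has a PTR record, the
    PTR name resolves back to the same IP, and the name is under a member domain."""
    name = reverse(ip)
    if name is None:
        return False, "no PTR record"          # the memo's "cannot be resolved" case
    name = name.lower().rstrip(".")
    if forward(name) != ip:
        return False, "PTR not forward-confirmed"
    # Match the whole label boundary so "evilxxx.edu" does not pass as "xxx.edu".
    if not any(name == d or name.endswith("." + d) for d in member_domains):
        return False, "not a member domain"
    return True, name
```

For production use pass reverse=live_reverse and forward=live_forward; the defaults keep the example offline.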
How does DHCP fit into the picture?
Dynamic Host Configuration Protocol is a common scheme used by network administrators to assign IP numbers to a pool of workstation sessions. DHCP is a framework for passing configuration information to hosts on a TCP/IP network. It enables automatic allocation of reusable network addresses and additional configuration options. We are not opposed to sites using DHCP. However, since our servers use DNS names for authentication, we do request that DNS administrators give a DNS name to all IP addresses that will be used by the DHCP server. An example of this would be to give the IP address 10.20.30.100 the name 'dhcp100.xxx.edu' (where 'xxx' is an ILCSO institution domain name), so that it resolves to that institution's domain.
Why do libraries still need to keep track of IP numbers?
IP-based user authorizations are handled differently by different service providers. Whereas AITS prefers to use IP names, the Gale Group, for instance, uses IP numbers.
If your library subscribes through ILCSO to Gale Group databases and you want to offer your users access to InfoTrac Web, you will need to send the range of numeric IP addresses that should have access to InfoTrac to Martin Borg at martin.borg@galegroup.com. (Please send a copy of your note to the ILCSO Office at oncall@listserv.ilcso.uiuc.edu.)
What to do if your institution's IP numbers change
Should, for whatever reason, your library's or institution's IP numbers change, access to the services listed in the preceding section will stop. You must inform each of the service providers named above of the change in IP numbers, preferably ahead of the scheduled change so the service providers know the change is coming, and then again a day or two before the change happens. This will allow the service providers time to make the necessary changes at their ends so that service is interrupted for only a short time.