Understanding Internet connections | Bitvise (2023)

Our products can be used in ways that don't require much knowledge aboutthe internet. You can just type in the address of the server you'reconnecting to, open an SFTP window and start transferring files.However, if you will be using the more advanced features of ourproducts, such as tunneling, you will need to understand the basics ofhow the Internet is structured. This guide is an attempt at relayingsome of that understanding.

This guide is composed of the following sections:

• IP addresses
• DNS names
• Subnets
• Types of IP addresses and subnets
• TCP and UDP
• Direction of TCP connections
• Ports
• Connecting to the internet from office
• Connecting to the internet from home
• Dynamic IP address issues
• Virtual servers - port forwarding at the router
• Firewalls

Everycomputer connected to the internet has an Internet Protocol or IPaddress which identifies the computer on the internet. In the currentlymost widely used version of the Internet Protocol - version 4 - IPaddresses are 4 bytes long and are expressed in the form nn.nn.nn.nn.Each nn is a number between 0 and 255.

Whenyou connect to a web server to browse a web page, the DNS name of theweb server, e.g. www.bitvise.com, is automatically translated by thesoftware in your machine to an IP address in the nn.nn.nn.nn form. Thisaddress is then used to connect to the actual web server.

Forexample, the IP address of the server hosting fogbugz.bitvise.com atthe time of this writing is 70.85.217.69. Our primary website, on theother hand, is hosted on several servers, and their IP addresses are207.155.248.18, 207.155.248.31, 207.155.248.122 and 207.155.252.47.

Ina Windows Command Prompt session, you can discover the IP addressesassociated with DNS names using the nslookup command: e.g. 'nslookupwww.bitvise.com'.

IPaddresses are difficult to remember, so the internet provides atranslation service which translates memorable names into associated IPaddresses. This facility is called the Domain Name System orDNS. You use DNS implicitly every time you type in an address such as'www.bitvise.com' - your browser asks your operating system fortranslation into an IP address, and the operating system either returnsa cached result, or inquires with a DNS server operated by your ISP.This server in turn either returns a cached result or inquires withanother DNS server.

Nocomputer is directly connected to every other computer on the internet.Instead, each computer is a member of one or more subnets. Subnets, inturn, are connected to each other by machines called routers orgateways, which belong to multiple subnets, forwarding internet trafficfrom one subnet to the other and reverse.

Inorder to successfully communicate with other computers throughout theinternet, your computer must know what subnet it is part of, so that itknows what IP addresses are outside your local subnet and must berelayed through the gateway. In addition, your computer must of coursealso know the IP address of the gateway.

Typically,a subnet is a group of consecutive IP addresses, such as all IPaddresses from 11.22.33.0 to 11.22.33.255.

There are three major types of IP addresses (or subnets) that you need to be aware of.

• Public IP addresses. Most IP addresses in the IPv4 address range have the purpose of uniquely identifying a computer on the internet. The IP address 207.155.248.18, for example, is a public IP address that at some point uniquely identified one of the servers hosting the www.bitvise.com website. This is the type of IP address through which a server must be reachable in order to be accessible to computers throughout the internet.

• Private subnets. Special ranges of the IPv4 address range have been set aside for use in private networks, where the computers in such a network do not need to be directly accessible from the internet as servers (but may nevertheless access the internet through a gateway, as clients). These ranges include:

  • 10.0.0.0/8 (addresses from 10.0.0.0 to 10.255.255.255)
  • 172.16.0.0/12 (addresses from 172.16.0.0 to 172.31.255.255)
  • 192.168.0.0/16 (addresses from 192.168.0.0 to 192.168.255.255)

• Special IP ranges. There are several special purpose IP ranges, but the one you need to know about is 127.0.0.0/8 (addresses from 127.0.0.0 to 127.255.255.255). This is the local loopback range and is used to connect two programs running on the same machine. Any address in this range can be used for this kind of purpose, but the most commonly used are 127.0.0.1 and 127.0.0.2. The special DNS name 'localhost' translates to 127.0.0.1.

TheInternet Protocol itself is a relatively rudimentary protocol whichprovides only the capability of delivering small chunks of data toother computers. The Internet Protocol does not provide reliability:chunks of data that are sent using the Internet Protocol may be lost.They also may arrive in an order different to the order in which thechunks were sent.

For sometypes of data transfer, the (un)reliability afforded by the InternetProtocol is fine. When streaming video, for example, it does not matterif chunks that make up intermediate frames of the video are lost. Whatmatters is that most of the data arrives relatively quickly, allowingthe video to be played with reasonable quality and on the fly. The User Datagram Protocol,or UDP, is a simple protocol layered on top of the Internet Protocolthat provides this level of reliability. UDP is used for purposes suchas relaying video and audio streams as well as for networked games; allenvironments where responsiveness and fast delivery are more importantthan perfect reliability.

Forother types of data transfer, however, this level of reliability is notenough. When transferring a file, for example, you want to transfer allof its contents in perfect order and integrity; you don't want anychunks of it to accidentally be lost. When accessing a web page,likewise, you want all the text to be transferred without error. Datatransfers that require this higher level of reliability use the Transmission Control Protocol,or TCP. Like UDP, TCP is a protocol layered on top of the InternetProtocol, but it is more complex than UDP: it contains mechanisms toensure that data is received in order and that, if any chunks are lost,they are resent. The reliability provided by TCP has costs in terms ofresponsiveness. Before any data can be sent using TCP, the twocomputers must engage in a short back-to-forth to establish a TCPconnection. If any data are lost during transmission, delivery ofsubsequent data awaits until the data that were lost are retransmittedand delivered. When there is a high rate of data loss on a connection,this may cause transmission to be jerky.

The majority of widely known protocols used on the internet are layered on top of TCP. These include:

• the Simple Mail Transfer Protocol (SMTP), used for email delivery;
• the Post Office Protocol (POP) and IMAP, used for email retrieval;
• the Hypertext Transfer Protocol (HTTP), used for accessing websites;
• as well as, of course, the Secure Shell protocol (SSH), which our products are about.

TCPconnections are like phone calls: they are always initiated by oneparty and accepted (or not) by the other. The computer that originatesthe TCP connection is usually the client, and the computer that acceptsit is usually the server. Sometimes, notably in the FTP protocol, asecondary TCP connection will be established in the reverse direction,from the server to the client. But, in protocols other than FTP,connections are almost always initiated by the client.

Regardlessof the direction in which a TCP connection is established, data canalways flow both ways. However, the direction of the TCP connectionmatters because it determines who the initiating party is, and is alsoused by network components to impose rules on whether a connection canbe established.

Inorder to handle multiple simultaneous connections with the samecomputer, your computer must be able to distinguish them. To do so,each connection is assigned two port numbers, one at each end point ofthe connection. A connection is then uniquely identified with fourpieces of information: (1) local address, (2) local port, (3) remoteaddress, (4) remote port. Valid port numbers are between 1 and 65535.The party that originates a TCP connection usually selects a local portnumber at random. On the other hand, the port number of the party thataccepts the connection must be known in advance by the party thatoriginates the connection. You can confirm this by executing 'netstat-n' from a Windows Command Prompt just after loading a web page in yourbrowser.

For example, this excerpt from 'netstat -n' output was taken just after opening www.bitvise.com in a browser.

ProtoLocalAddressForeignAddressState
TCP10.10.10.123:21681207.155.248.122:80ESTABLISHED

Theabove output indicates an established TCP connection with local address10.10.10.123, local port 21681, remote address 207.155.248.122 andremote port 80. The connection was initiated by the local machine,therefore the local port number 21681 was randomly selected, whereasthe remote port number 80 is the well-known HTTP port. This is the portwhere the vast majority of web servers accept connection, so even whenaccess to other ports is blocked, connections to port 80 will verylikely be permitted.

Other well-known destination ports are:

• 21 - FTP (control connection)
• 22 - SSH
• 23 - Telnet
• 25 - SMTP
• 80 - HTTP
• 110 - POP3
• 143 - IMAP4
• 443 - HTTPS (HTTP over TLS or SSL)
• 1080 - SOCKS proxy

On Windows, a more exhaustive list of well-known ports can be found in thefile \Windows\System32\Drivers\etc\services (open it with Notepad).

Inan office environment, your computer will most likely be connected to asubnet in one of the private address ranges. This means that yourcomputer will have an IP address not unique throughout the internet, soit cannot communicate with other computers on the internet directly.However, the network administrators at your office have most likelyapplied one of the following solutions to allow you to access theinternet.

• Network address translation (NAT).In this setup, your computer directs all traffic destined to theinternet through a gateway in your local subnet. This gateway has apublic IP address which is unique and can be used for internetaddressing. The gateway substitutes its own IP address and port inplace of your computer's. When chunks of data arrive in reply, thegateway knows from the port number in the data that they must beforwarded to your computer and local port.

  Inthis setup, your computer is led to believe that it is present on theinternet with its private subnet IP address; but it isn't. The gatewayis present on the internet and represents all computers in the subnetwith its own public IP. All connections initiated to the internet bycomputers on the subnet appear to outside observers as coming from thegateway's public IP address.

• Proxy.In this setup, your computer cannot initiate connections to theinternet directly. Instead, applications on your computer must contactone of several types of proxy servers residing on your local subnet,and ask the proxy server if it would kindly relay a connection to theoutside. This is conceptually similar to NAT. However, whereas NATworks for all applications on your machine and requires from them nospecial awareness, the proxy setup works only with those applicationswhich can connect to the internet through the proxy. The proxy setupalso affords administrators more control: they can more easily restrictand monitor your traffic and permit or deny access selectively basednot just on port numbers, but the content being accessed and protocolsbeing used.

Thereis also a number of office environments where each computer has aseparate, own public IP address. These are simple and involve no NAT orproxy servers as outlined above.

Fromhome, you usually connect to the internet through a modem - whether itis phone, cable, ISDN or DSL. In any case, you can either hook themodem directly to your computer; or, if you have multiple computers,you can buy a router, connect the router to your modem and yourcomputers to the router.

• Ifyou use a router, the machines connected to it are assigned addressesin a private subnet, and the router performs Network AddressTranslation to allow your machines to access the internet.
• Ifyou connect the modem to your machine directly, the computer gets apublic IP address directly accessible from the internet. If you thenconnect other machines to this machine (through a second networkinterface), those machines are joined to a private subnet. The directlyconnected machine then performs Network Address Translation to allowthe other computers to access the internet.

Inmost cases, you will be provided a single public IP address by yourinternet provider. Sometimes this IP address will be fixed; this iscalled a static IP address. In other situations, the IP address will periodically change; this is called a dynamic IP addres.With dial-up modems, you will get a different public IP address everytime you dial up. With DSL and cable modems, your IP address may changeat a predefined time every day or night.

The following issues correspond with a continuously changing IP address.

Wheneveryour public IP address changes, all ongoing TCP connections to and fromyour machine are terminated and must be reestablished using the new IP.

Sincethe IP address of your computer is unpredictable, it is difficult forothers to connect to it. If you want to host any kind ofnetwork-accessible service on your machine, you need to either use adynamic DNS service; this works by allocating you a DNS name which isregularly updated to reflect your changing IP address; or you need toimplement a more pedestrian solution, such as configuring a program onyour computer to periodically connect to another server and store yourcurrent IP address there, making it available for retrieval.

Ifyou want to host a service on your home machine and find that your IPaddress changes periodically, the best way around this problem is toask your ISP to grant you a static IP. They will frequently agree to dothis free of charge. If this is unavailable, you can use a dynamic DNSservice.

Ifyou want to make a server accessible from the internet, but thecomputer on which the server will be based has only a private subnet IPaddresses, there is a solution. Usually, the router which connects theprivate subnet to the internet can be configured to forward allincoming connections on a certain port to one of the computers insidethe private network. This is called port forwarding (not the same thingas SSH port forwarding) or a 'virtual server' facility (although theserver is quite real; it's just its IP address that is not).

Thissetup generally works just fine, but there is one thing to remember.The IP address by which the server is known to internet clients is notthe IP address that the server machine actually has. This distinctionbetween the public IP address at the router, and the private IP addressof the actual server machine inside, frequently arises in SSHconnection tunneling, leading to incorrect configuration if notproperly understood.

Moderncomputers run a large number of local services (such as Windows fileand printer sharing) which accept connections on various port numbers,but are meant to be accessible only from locally trusted subnets.Preventing the wider internet from accessing these services in possiblymalicious ways is the purpose of ingress firewalls.

Inorganizations, gateways that connect the local subnet to the internetusually feature an ingress firewall. This firewall should normally beconfigured to allow no connections into the subnet, except connectionsto servers that must accept connections from the internet.

At home, your ISP will usually notprotect your PC from malicious access from the internet. Instead, thistask must be performed by a firewall installed on your home router, orif your computer is connected to the internet directly, a softwarefirewall in your machine. Windows XP comes equipped with such afirewall; you should use it. Software firewall solutions are availablefor earlier versions of Windows.

There is another type of firewall called an egress firewall,or a firewall that filters outbound connections from your machine tothe internet. This is generally software which tries to control whatprograms on your machine access the internet. This is intended to blockmalicious software from doing too much damage after it has alreadyinfected your computer. However, cleverly written malware can fool anegress firewall like this with fairly simple and straightforwarddeceptions. The only real medicine against malware is therefore toprevent it from infecting your computer in the first place.