Static and Dynamic IP Addresses

Every computer that communicates over the Internet must have an IP address, which the computer typically receives from its ISP. The IP address may be static or dynamic. A static IP address stays the same until someone explicitly changes it, while a dynamic IP address can change on every boot up or network connect (though the address typically changes only occasionally).

An embedded system may store a static IP address in non-volatile memory, either within an application or in memory where program code can retrieve the address when needed. Or the system may receive a static or dynamic IP address from a DHCP server on boot-up or network connect. For hosting a domain, a static IP address is preferable because the name servers don’t have to be updated unless the domain changes ISPs. If the computer hosting the domain has a dynamic IP address, the local name servers must be updated when the address changes, as described later in this networking tutorial.

Connecting Multiple Computers to the Internet

A computer that connects to the Internet must have an IP address that is different from the addresses of all of the other computers on the Internet. When you contract with an ISP, you obtain the right for your computer to use one or more of the ISP’s assigned IP addresses. If you have a local network with multiple computers that need Internet access, it’s often easier, more secure, and less expensive to have all of the computers share a single public IP address for Internet communications. Some ISPs charge for each connected computer whether or not they share an IP address, however. Two ways to enable multiple computers to share a public IP address are with a router that supports the Network Address Translation (NAT) protocol and with a Windows PC configured as an Internet Connection Sharing host. A router that supports the NAT protocol enables multiple computers to share a public IP address. The router connects to the ISP and to the computers in the local network. The router has two IP addresses: a public address for Internet communications and a local address for communicating with the local network. The router uses the NAT protocol to translate between the public and local addresses as needed. To send a message on the Internet using a router with NAT support, a computer in the local network sends the message to the router’s local address. The router creates a new IP datagram, placing the message in the datagram’s data area and the router’s public IP address in the datagram’s Source Address field. The router than forwards the datagram to a router at the ISP, which sends the datagram onto the Internet.

On receiving a datagram from the ISP’s router, the local router uses information in the IP header to determine where to forward the message. The router then creates a new datagram with the appropriate local IP address in the datagram’s Destination Address field and forwards the datagram to its destination. A router with NAT support also helps to keep a local network secure, as described in Chapter 10. If your local network includes a PC running Windows XP, there is another option. You can enable multiple computers to share a public IP address by configuring the PC as an Internet Connection Sharing host. The PC requires two network interfaces, one to the local network and one to the modem or other connection to the ISP. In Windows XP’s Network Setup Wizard, select This computer connects directly to the Internet. The other computers on my network connect to the Internet through this computer. All Internet communications for the local network then go through the interfaces on this computer. Windows Help has more information on using Internet Connection Sharing.

Communicating through a Firewall

Any PC or other large computer with Internet access should have a firewall. All communications from outside the local network should pass through the firewall to reach a computer in the local network. The firewall protects the local network by controlling what local resources external computers can access. A firewall may be software only or a combination of hardware and software. Without a firewall, a computer from outside the network might be able to retrieve private files, install a program that deletes files, or use another computer to launch attacks on other computers. A firewall can also defend against denial-of-service attacks, where a computer attempts to overwhelm a server by bombarding it with requests using forged, invalid source addresses.

In a local network, each computer may have its own firewall, or a single firewall may protect all of the computers in the network. The firewall may be software running on a PC or another general-purpose computer, or it may be a device designed specifically to function as a firewall. For networks that use a single firewall, the firewall is the only computer in the local network with a direct Internet connection. Some operating systems have firewall software built in. For example, Windows XP has an Internet Connection Firewall that you can configure for specific needs.

A hardware firewall for a small local network may provide additional capabilities, including functioning as a router with address translation and functioning as a DHCP server. Even when an embedded system doesn’t need a firewall to protect itself, many embedded systems are behind a firewall because they’re in local networks that have firewall protection. If your embedded system is behind a firewall, you may need to configure the firewall to enable your system to communicate. In a common setup, a firewall allows the local computers to request resources from computers on the Internet, but blocks all unsolicited incoming requests from the Internet. For example, the firewall typically enables local computers to request Web pages from computers on the Internet. The firewall stores information about each request, and when the computer returns an IP datagram containing the requested page, the firewall examines the header, determines that the datagram is in response to a previous request, and passes the datagram to the requesting computer.

If the firewall doesn’t recognize a datagram as a response to a previous request, the datagram doesn’t pass through the firewall. A computer that functions as a server available to all computers on the Internet must be able to receive unsolicited requests because the computer has no way of knowing where requests will come from. So you’ll need to configure the firewall to allow the server to receive unsolicited communications on at least one port. The details of how to configure a firewall vary with the product. Many stand-alone firewalls have a password-protected Web interface. Network article 4-7 shows an example configuration setup. Typically, to enable a specific computer to serve Web pages, you can configure the firewall to forward all open, or unsolicited, communications for port 80, which is the port used for HTTP requests, to the computer that serves the pages.