The worlds of IT and Operational Technology (OT) are merging more and more these days as the Internet of Things grows in prominence. This collaboration between IT and OT is great, but there are still gaps in understanding that keep these worlds from fully working together.
To help, we teamed up with Distech Controls to create a webinar series on networking for OT professionals. Be sure to check out our Introduction to Networking and our session on Network Access as well!
In this edition about the Internet layer, we dug into DHCP, IP addressing, subnets, and more. Watch our webinar recording on “the Internet layer,” and read the recap below. You can also download the PDF handout of our presentation to refer back to later.
The webinar dug into a lot of topics, including:
- The Internet Layer (from 2:04 to 10:20)
- Static IP (from 10:20 to 13:20)
- DHCP (from 13:20 to 26:08)
- IP Routing (from 26:08 to 43:45)
- Gateway (from 43:45 to 44:09)
- Subnet (from 44:09 to 58:26)
- NAT (from 58:26 to 1:04:08)
- DNS and Hosting (from 1:04:08 to 1:06:57)
- Firewall and VPN (from 1:06:57 to 1:11:01)
The Internet layer (from 2:04 to 10:20) is responsible for placing data that needs to be transmitted into data packets known as IP datagrams. These will contain the source and destination addresses for the data within.
This layer is also responsible for routing the IP datagrams. The main protocols included at the Internet layer are Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), and Internet Group Management Protocol (IGMP).
You will commonly hear IPv4 and IPv6 mentioned in relation to this layer. For the purposes of this training, though, we focused on IPv4.
Static IP (also known as a fixed IP address – view from 10:20 to 13:20) is a manually configured IP address for a device. The address is called static because it does not change without user input. When setting up a controller, you manually assign an IP address from the IP range chosen for the job or assigned by the IT department. Each device on the network must have a unique IP address, and each one has to be assigned by hand.
The major disadvantage that static IP addresses have over dynamic addresses is that you have to configure the devices manually. Typically this is done on a per-device basis.
Dynamic Host Configuration Protocol (DHCP – from 13:20 to 26:08) is a client/server protocol that automatically provides an IP host with its IP address and other related configuration information, like the subnet mask and default gateway.
DHCP provides an automated way to distribute and update IP addresses and other configuration information on a network. Typically, a DHCP server will respond to requests from clients with an address that resides in the DHCP scope. Along with IP addresses, DHCP servers can provide other information concerning the network if they are configured to do so.
A DHCP scope is a valid range of IP addresses that are available for assignment or lease to client computers on a particular subnet. In a DHCP server, a scope is configured to determine the address pool of IPs that the server can provide to DHCP clients.
When an address has a dynamic lease, the DHCP server can manage the address by allocating it to a client, extending the lease time, detecting when it is no longer in use, and reclaiming it.
Conversely, a DHCP reservation is a permanent IP address assignment: a specific IP address within a DHCP scope that is permanently reserved for lease to one specific DHCP client.
Lease reservations are preferred over dynamic leases in controls networks. Knowing the IP address of a controller can be critical to sending and receiving data to other devices in the same network. Ensuring that the IP address doesn’t change will make the system easier to configure and manage. To make use of lease reservations, you will need to know the MAC address for the controller. You will need to provide this to whoever is managing the DHCP server so they can ensure each controller gets the IP address it’s supposed to have.
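As an added example (not part of the webinar or Distech's material), the following Python checks a controller reservation list before it is handed to whoever runs the DHCP server: every MAC address is well formed, no MAC or address appears twice, and every address is a usable one inside the scope. It then renders the list in dnsmasq's `dhcp-host=` syntax as one common server format. The scope, hostnames, MACs and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the scope the IT department assigned and the controllers'
# MAC addresses the integrator collected. Names, MACs and addresses are invented.
SCOPE = ipaddress.IPv4Network("192.168.10.0/24")
RESERVATIONS = [
    ("ctrl-ahu-01", "00:11:22:33:44:01", "192.168.10.21"),
    ("ctrl-ahu-02", "00:11:22:33:44:02", "192.168.10.22"),
    ("ctrl-vav-01", "00-11-22-33-44-03", "192.168.10.23"),  # dash form, as some labels print it
]

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC, so one NIC cannot slip in twice
    under two spellings; raises ValueError on a malformed address."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac}")
    return mac.lower().replace("-", ":")


def validate(reservations, scope: ipaddress.IPv4Network) -> list:
    """Return a list of problems; an empty list means the reservations are consistent."""
    problems, seen_macs, seen_ips = [], {}, {}
    for name, mac, ip in reservations:
        try:
            mac = normalize_mac(mac)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        addr = ipaddress.IPv4Address(ip)
        # Network and broadcast addresses are never handed to a client.
        if addr not in scope or addr in (scope.network_address, scope.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable address in scope {scope}")
        if mac in seen_macs:
            problems.append(f"{name}: MAC {mac} already reserved for {seen_macs[mac]}")
        if addr in seen_ips:
            problems.append(f"{name}: address {ip} already reserved for {seen_ips[addr]}")
        seen_macs.setdefault(mac, name)
        seen_ips.setdefault(addr, name)
    return problems


def to_dnsmasq(reservations) -> list:
    """Render reservations as dnsmasq 'dhcp-host=MAC,hostname,IP' lines."""
    return [f"dhcp-host={normalize_mac(mac)},{name},{ip}" for name, mac, ip in reservations]


if __name__ == "__main__":
    for line in validate(RESERVATIONS, SCOPE) or ["reservation list is consistent"]:
        print(line)
    print("\n".join(to_dnsmasq(RESERVATIONS)))
```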
IP routing (from 26:08 to 43:45) refers to the way that data is routed through a network, from source to destination. These routes are based on a routing table, and routers do not pass broadcast packets. Here’s an example of IP routing in a network:
Typically, in a TCP/IP network, nodes such as servers, workstations, and network devices each have a defined default route (pointing to the default gateway) that tells them where to send packets for IP addresses for which they know no more specific route. The gateway (from 43:45 to 44:09) is by definition a router.
A subnet (sub network – view from 44:09 to 58:26) is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called “subnetting.” A subnet is basically a smaller network within a larger one. We can subdivide a larger network to create a smaller network for our controllers and devices on a job, and we can control how much the network sees our broadcast traffic.
Two subnet masks that look very similar show just how important this is. The masks 255.255.255.0 and 255.255.254.0 differ only in the third octet, where one is 255 and the other is 254. That looks like a small difference, but it is not small at all when it comes to broadcast traffic: a subnet with mask 255.255.255.0 broadcasts to a total of 256 hosts, while one with 255.255.254.0 broadcasts to a total of 512 hosts. Choosing the correct subnet for a controls network with IP-based controllers is critical to the speed, reliability, and stability of the network.
Fully understanding subnetting takes time and a lot of reading. Until you have had the time to review and understand the concepts, it’s best to remember a couple of simple rules.
First, think small. If you only have 10 IP-based controllers for a job, you would want a subnet of 255.255.255.224, which can broadcast to a total of 32 hosts. If you have a customer who gives you the subnet 255.255.0.0 for all your controllers, you should ask them to check with their IT department to ensure that it needs to be this big. A subnet of 255.255.0.0 can broadcast to 65,536 hosts, which is far more than you would want for your average controls network.
Second, use a subnet calculator. They are widely available on the Internet, and there are a large number of apps available for mobile devices. This will help to avoid mistakes and make planning your next job much easier.
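As an added example (not part of the webinar or Distech's material), the following Python uses the standard library's ipaddress module as a small subnet calculator: it reproduces the broadcast-domain sizes quoted above for the masks discussed, and shows how a host decides whether a destination is on its own subnet or must be sent to the default gateway described in the routing section. The 192.168.x addresses are constructed.

```python
import ipaddress

# Masks quoted in the recap: the two look-alikes, the /27 suggested for ten
# controllers, and the /16 a customer might hand out.
MASKS = ["255.255.255.0", "255.255.254.0", "255.255.255.224", "255.255.0.0"]


def mask_to_prefix(mask: str) -> int:
    """Dotted mask (255.255.254.0) -> prefix length (23)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def broadcast_domain_size(mask: str) -> int:
    """Number of addresses in a subnet with this mask, i.e. how many hosts
    every broadcast (ARP, DHCP Discover, controller discovery) reaches."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").num_addresses


def next_hop(src_ip: str, mask: str, dst_ip: str, gateway: str) -> str:
    """Where a host configured with src_ip/mask sends a packet for dst_ip:
    'direct' if the destination lies inside its own subnet, otherwise the
    default gateway (the router that holds the default route)."""
    local_net = ipaddress.IPv4Interface(f"{src_ip}/{mask}").network
    if ipaddress.IPv4Address(dst_ip) in local_net:
        return "direct"
    return gateway


def main() -> None:
    for mask in MASKS:
        print(f"{mask:<16} /{mask_to_prefix(mask):<3} "
              f"{broadcast_domain_size(mask):>6} addresses per broadcast")
    # Constructed addresses: the same two hosts under the two look-alike masks.
    # With /24 they sit in different subnets and traffic goes via the gateway;
    # with /23 they share one broadcast domain and talk directly.
    for mask in ("255.255.255.0", "255.255.254.0"):
        hop = next_hop("192.168.1.10", mask, "192.168.0.20", "192.168.1.1")
        print(f"192.168.1.10 -> 192.168.0.20 with {mask}: {hop}")


if __name__ == "__main__":
    main()
```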
Network Address Translation (NAT)
Network Address Translation (NAT – view from 58:26 to 1:04:08) presents all of the private IP addresses behind it as one public IP address, using port mapping to keep each connection unique.
Why should you use NAT? Well, first off, there’s a limited number of public IP addresses. Despite the huge number of IP addresses available (approximately 4.3 billion!), the Internet is running out of routable IP addresses. Billions of IoT devices are coming online, and that number is growing very fast. Operational Technology in particular is contributing heavily to this increase.
NAT also adds a layer of security. IP Addresses in the private network are not directly routable or visible, so hackers would need to scan/probe ports to find NATed devices. That scanning is easily detectable.
Domain Name Service (DNS) and Hosting
The Domain Name Service (DNS – view from 1:04:08 to 1:06:57) is the Internet’s system for converting alphabetic names into numeric IP addresses. For example, when a Web address (URL) is typed into a browser, DNS servers return the IP address of the Web server associated with that name.
Just a few notable DNS servers:
Firewall and VPN
Firewalls (from 1:06:57 to 1:11:01) are a well-known tool for permitting or blocking network traffic based on rules. For example, you might set a firewall that says “Only port 47808 may exit.” It’s a great practice for safeguarding your assets.
A Virtual Private Network (VPN) is a way to extend your network over a secure, encrypted tunnel. You can give remote trusted devices using a local IP address