Bridging

From StarOS Community Wiki
Revision as of 00:26, 24 July 2007 by Handyman (talk | contribs)
Jump to navigation Jump to search

"Bridge" is a general term which means different things in different contexts. This discussion will be confined to a component which joins two networks in a way that in some regards performs as if the two formed just a single network.

Preliminaries

A typical packet contains a destination MAC address, a destination IP address, and other things we don't care about here (source MAC, source IP, checksum, port numbers, preamble, data). The MAC address serves the job of getting the packet over one hop. The IP address serves the job of directing the packet from hop to hop toward its final destination. The IP address stays the same as the packet moves; the MAC address typically changes at each hop.

A router receives a packet and decides whether and how to forward it. It scans its routing table to find an applicable route. This tells it the IP address and interface of the directly connected host that the packet should be forwarded to in its next hop. It then consults the ARP table where it finds the MAC address that corresponds to that next-hop IP address and interface. It puts this MAC address into the packet and leave the destination IP address unchanged. It then sends the packet on the given interface. The use of the given MAC address causes the host identified in the routing table to receive the packet. Note that the IP address of the next-hop host is not recorded in the packet at all; only its MAC address is needed. The source and destination MAC addresses in a packet describe the enpoints of a one-hop communication between directly connected hosts. The source and destination IP addresses describe the endpoints of a multi-hop communication between arbitrary hosts on the Internet.

ARP tables are maintained automatically through exchanges of information that occur regularly. They can be browsed under either StarOS or the Mikrotik OS.

The general idea of a bridge is basically to make all the MAC addresses on one network to act as if they are directly connected to another network, and vice versa.

Simple hub

One way to bridge two networks is with a simple hub that forwards every packet it receives on either one of the networks to the other one. The drawback to this is that it unnecessarily increases the traffic on both networks.

Dumb switch

A better approach is to maintain a table recording which MAC addresses appear in each of the connected networks, and to forward a packet just on the network that actually has the MAC address that is the destination of the packet. (A broadcast packet, meant for every possible recipient, obviously must be forwarded onto both networks.) This simple technique is highly successful and is implemented in the cheap Ethernet switches that everyone uses.

A "managed switch" is like a dumb switch in the way it forwards packets, but it adds lots of additional features that are not of interest here.

True bridge

A "true bridge" forwards packets without modifying them. Both the above techniques form true bridges.

The 802.11b problem

Under the 802.11b and related protocols, MAC addresses are used to identify clients for purposes of wireless communication. This means that an access point does not expect to see a particular associated client emitting packets with source-MAC addresses that vary, nor to send packets with differing MAC addresses to a particular station. That implies that the associated client cannot be a true bridge, because the packets coming out of a true bridge will have the diversity of MAC addresses that are seen in the network on the other side.

Wireless Pseudo-bridges

Given that the wireless station must consistently use just one MAC address, the question arises of how to accomplish some kind of bridging in the wireless station under that constraint. Two approaches have been used: MAC cloning, and proxy-arp.

MAC cloning

MAC cloning can be used when the network on the other side of the pseudo-bridge contains just one host (MAC address). That MAC address is adopted, or "cloned" by the wireless station. Packets emanating from it carry the given host's MAC address, and packets sent to it will carry that MAC address. The station duly forwards the packets. If packets are to be sent to or received from the wireless station itself rather than the host, something other than a MAC address (e.g. an IP address) must serve to determine that, and the station must sort that out.

Proxy-arp

With proxy-arp, sometimes called MAC-NAT, every packet is rewritten to use the MAC address of the pseudo-bridge device. The bridge relies on its ARP table to know how to do this. The critical step in this technique involves the pseudo-bridge telling every host on each connected network that its own MAC address corresponds to all the IP addresses that are present on the other network. This means that attached hosts will send packets to it in order to reach hosts on the other side, without really knowing that they are doing so. When the pseudo-bridge forwards such a packet, the outgoing packet naturally carries the pseudo-bridge's MAC as source address. Packets received by the pseudo-bridge are routed in the usual fashion without any special treatment.

Caveats

The above discussion concerned how to accomplish bridging, not whether and where to do so. Where one should bridge is a much bigger issue. Bridging is an inherently non-scalable technique. It is also difficult to observe, and therefore difficult to troubleshoot. In fact, the primary purpose of "managed switches" is to provide control over bridging devices as a response to this problem. Regardless, bridging tends to become more and more mysterious and troublesome as the number of involved components increases.