When a device on a TCP/IP network starts up and is not configured for a static IP address, it needs to receive an IP address before it can communicate with other devices on the network. A standard computer with a hard disk can be enabled for static configuration but a diskless device that does not have any storage, only has an option to acquire an IP address from the network. This process of getting a new machine up and running is commonly referred to as bootstrapping. To provide this functionality, the TCP/IP Bootstrap Protocol (BOOTP) was created. 

The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. In order to get an IP address the network clients contact other devices on the network. Initially (ages ago) a boot floppy disk had to be inserted to establish the initial network connection, but later on Network Interface card manufacturers embedded the protocol in the ROM of the interface card as well as on motherboards that have onboard network adapters, thereby avoiding the need for floppy disks and allowing for direct network booting.

During the bootstrap process when a computer is starting up, the BOOTP protocol is used. A BOOTP server assigns an IP address to each client from a pool of addresses and based on the configuration of the server. BOOTP generally uses the User Datagram Protocol (UDP) as the transport protocol. Earlier, BOOTP has also been used for diskless workstations to obtain the network location of their boot image in addition to an IP address using protocols like PXE, and also by enterprises to roll out pre-configured client installations to newly installed PCs.

Although BOOTP provides a very important function, it is not used frequently today and has been superseded by DHCP (Dynamic Host Configuration Protocol) which is a more advanced protocol for the same purpose. Most DHCP servers also offer BOOTP support and are the most prevalent method used today to assign IP addresses to diskless workstations and clients that require IP addresses.

For those of you who have heard of Address Resolution Protocol (ARP) and think that Reverse Address Resolution Protocol (RARP) is its complement, they are totally off track. RARP is a computer networking protocol used by a host computer to request for an IPV4 address from another host computer if it does not have one used (not statically assigned), the Network Interface that is connected to the network would already have a Layer 2 MAC address (hardware address).

This might very well sound like DHCP which is very popular and does the same thing. In fact RARP has been rendered obsolete by two of its successors, the Bootstrap Protocol (BOOTP) and the newer Dynamic Host Configuration Protocol (DHCP), which have better features than RARP.

In an RARP setup, one or more server hosts maintain a database of mappings of Link Layer addresses to their respective protocol addresses (similar to an IP to MAC mapping in Ethernet networks). Media Access Control (MAC) addresses needed to be individually configured on the servers by an administrator (this is where DHCP rules and RARP got kicked out). RARP was limited to serving only IP addresses.

Another misnomer is that Reverse ARP is the same as Inverse Address Resolution Protocol (InARP). But InARP was designed to get the IP address associated with another host’s MAC address. InARP is actually just the reverse of ARP in functionality.

The are many special types of IP address that we seldom come across as they are only used in special cases. We will go through each of them in the overview below:

1. Limited Broadcast IP address

In this type of an IP address all the 32 bits of the IP address are set to 1′s. The address is 255.255.255.255. Routers never forward packets destined to this address because routers are by default designed to stop traditional broadcasts. This address is seen quite often in the routing tables of many systems.

This address is normally used when the host does not know its IP address (like when a Windows PC starts up and wants an IP address) like during an automated configuration process such as Boot Protocol (BOOTP) or DHCP because initially it does not know the IP address of the DHCP server. For example, with DHCP, a DHCP client must use the limited broadcast address for all traffic sent until the DHCP server acknowledges the IP address lease.

2. Loopback IP address

This IP address represents the local host and has the network part of the IP address as 127. A common loopback address is 127.0.0.1 and they range from 127.0.0.0 – 127.255.255.255. When a packet is destined to a loopback address whether via a ping or other utility it is actually addressed to the same local machine from where it originated. They are normally used to test connectivity of the Network Interface card of the host. These address do not leave the host nor will they traverse an external network interface.

A loopback address is also used to simulate a telnet or connection to an address of a device acting as a terminal server which is actually on the same host. This scenario is used for example, in Dynamips (Cisco Router Simulator) where a Microsoft Loopback address is created. This is not the same as the built in loopback of Windows (localhost or 127.x.x.x)

More on how a Microsoft loopback adapter can be created can be found here http://support.microsoft.com/kb/839013

3. Zeros IP address

The zeros IP address is normally 0.0.0.0 but actually range from 0.0.0.0 – 0.255.255.255. These address are most seen in system log files and are reserved for the default network. Sometimes while fingerprinting a target system using an ARP Scan, packets sent with a source of 0.0.0.0 are received. The response to these type of non-standard ARP packet differs depending on the operating system. So if you see packets with a source of 0.0.0.0 in the logs of a system, it implies that the system is the target of a fingerprint attack.

The detailed RFC 1700 concerning zeros IP address and Loopback address is available at the IETF website http://tools.ietf.org/html/rfc1700

4. Network Directed Broadcast IP address

This IP address is made of the host bits of all 1′s and the network part is the same as that of the network that it belongs to. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. Routers usually forward packets addressed to a network directed broadcast address. This type of a packet is sent when the entire network needs to receive the packet in a type of a broadcast which is very rarely the case and only a few applications might follow this kind of behaviour.

IP Directed broadcasts can be used to launch ICMP smurf attacks if hardware devices are not configured properly. They do this by using spoofed source IP addresses. For example, in Cisco devices prior to IOS 12.0 you would need to add the no ip directed-broadcast command or put in specific Access lists to deny this type of behaviour.

5. Subnet Directed Broadcast IP address

Here the host part of the address is represented by 1′s, while the subnet part of the address is the actual subnet. An example of a subnet directed broadcast address for the nonclassful network ID 140.101.46.0/24 is 140.101.46.255. For a classful network, there is no subnet broadcast address, only a network broadcast address. For a nonclassful network, there is no network broadcast address, only a subnet broadcast address.

This feature is useful in Wake up on LAN (WOL) implementations where a packet might want to be destined to an entire subnet if the IP addresses of devices in the subnet are not static and the source does not exactly know which destination to wake up. Apart from the WOL advantage, the disadvantage is that an attacker might launch a smurf attack to keep all other hosts in the subnet awake and respond to his ICMP packet.

6. All Subnets Directed Broadcast IP address

Both the host and the subnet part of the address bits are 1′s. The subnet mask of the network must be known wherever such an address is being used or it does not make any sense. An example of an all-subnets-directed broadcast address for the subnetted network ID 140.101.46.0/24 is 140.101.255.255. The all-subnets-directed broadcast is the network broadcast address of the original classful network ID.

7. Multicast IP addresses

These IP address are used when a needs to send a multicast to a group. IP multicast addresses are used for single-packet one-to-many delivery. The source host sends a packet with the destination from the class D range which signifies the group number and to route the packet the unicast routing table is used. Every node on the path of the source internetwork that has been configured with a multicast routing protocol and is therefore listening for multicast traffic receives and processes the packet. Unlike broadcast packets, routers forward IP multicast packets and only the hosts listening for the IP multicast traffic are disturbed. IP multicast addresses can be used only as the destination IP address.. They fall into the class D space and addresses in the range 224.0.0.0 – 239.255.255.255 are reserved for multicast.