Does Your Network Have a Public IP Address?

I pose the question in the headline based on early feedback of readers of my new book, Take Control of Back to My Mac, which covers using Apple’s Leopard plus .Mac (soon MobileMe) service for remotely accessing files and remotely controlling the screen of Macs you manage or own.

The trouble with Back to My Mac, distinct from Skype and LogMeIn as two contrary examples, is that Back to My Mac requires an exposed and publicly routable IP address on either a computer that’s to be reachable or on a router to which one or more computers with Back to My Mac are connected.

The question my readers have asked is, “We’re not network engineers. How do we figure out if we have such an IP address?”

There’s a short answer and a long answer. The short answer isn’t precisely to your question: all this is hard, and I can’t give you a good short answer because the Internet is broken. The current system of public and private networks, designed in part to get around a shortage in the current IP addressing system that’s being addressed, doesn’t allow easy end-to-end connections. The long answer, which is really an answer? Read on. (I expand on the short non-answer in the last section here, too.)

Public IP versus Private IP — Let me back up a second to explain what a public IP address really is. The Internet is Balkanized through something called Network Address Translation (NAT), which allows a public IP address that’s reachable or routable from any other computer on the Internet to act as a kind of proxy for one, 1,000, or 1 million private IP addresses. A gateway mediates traffic between the public address and the private one. (You can read more about NAT in “Punch Through NAT with Port Map’s Port Forwarding,” 2008-04-16.)

If a computer on which you want to enable Back to My Mac has a public IP address – as do some computers in my office network – then Back to My Mac works without a hitch. It allows any other computers that you log into with your .Mac account name and password, and on which you enable Back to My Mac in the .Mac system preference pane, to access that publicly addressed computer. (If you have a public IP that’s assigned to individual computers, you probably already know that you do, because you’re likely paying your Internet service provider, or ISP, more for that privilege.)

Where a computer is on a private network, using a range of addresses that explicitly cannot be reached directly but only through a router, Back to My Mac has to perform a NAT end-run using one of two widely available protocols that let a privately addressed computer punch through the NAT gateway with the router’s assistance. Those protocols are NAT-PMP (NAT Port Mapping Protocol), an open standard used exclusively by Apple, and UPnP (Universal Plug and Play), widely used by other routers and supported by Apple and Microsoft for various services they use.

By subverting NAT, these two protocols allow a router that has a public IP address to make available services on computers connected to the router. It’s a secondary problem to let other computers know precisely which ports – a kind of numbered cubbyhole on an IP address, in this case the address of the router – are used by whatever game, remote access service, IP phone, or other software has engaged NAT-PMP or UPnP.

Apple plays nice with networks by using these two protocols. LogMeIn, Skype, and other remote connection and VoIP software use their own techniques to tunnel links out to central locations that can then be linked with each other. Skype, for instance, uses supernodes, which are computers with a logged-in Skype user and with a high bandwidth connection and a reachable address. Supernodes are chosen dynamically by the system to coordinate connections from users on other networks, and are a matter of some varying degrees of concern or irritation from network administrators. (Skype 3 for Windows has a checkbox to disable becoming a supernode; the current Mac release, 2.7, does not.)

Your Network’s Layout — The next piece in figuring out whether you have a publicly reachable IP is looking at how your broadband network is set up. Most of us at home have a cable, fiber, or DSL modem that connects to some incoming cable in one port, and has one or more local Ethernet jacks, and optionally Wi-Fi.

Some broadband modems act as full-fledged routers: they assign private addresses to network machines and let you configure firewall and other network settings. Others act like bridges: they take traffic from the ISP’s network and relay it to yours, including allowing an ISP’s dynamic address (or DHCP) server to assign you an address (which can be public or private). A bridge also allows an ISP to assign you one or more static (unchanging) public or private IP addresses that you type into the configuration for your router and computers. (Broadband wireless connections are also in greater use this year than last, from companies like Clearwire, where you have a wireless receiver or computer adapter that has an Ethernet plug or connects directly to your computer.)

With the first kind of modem, you may wind up being stuck unable to use Back to My Mac, because that modem controls access to the network. If the modem doesn’t include UPnP or includes that feature but doesn’t allow you to enable it, then you’re stuck using manual port mapping (if it offers that feature), which lets you wire up only one computer to be reachable via Back to My Mac. (I cover the ugly details of port mapping in my book. It gets rather involved at times.)

I’ve got the first kind of modem in my home, from Qwest for their DSL service, and I’m stuck because it’s a 2Wire modem. Although Qwest gives me a public IP address, 2Wire does not offer UPnP support in any of its modems; its customers are ISPs, typically DSL providers, and it’s not congruent with the security and control interests of those providers to make incoming connections available when local computers request them.

A malicious program (not under Mac OS X – at present) could use UPnP or NAT-PMP to open a tunnel to itself from other agents in the outside world, and become, for instance, a mail server delivering spam or any of a number of other activities. So there’s some justification for that position, but it should be left up to the user, since viruses can still work just fine without enabling direct port mapping.

With the second kind of modem, the one that bridges a network, you can connect your AirPort Extreme Base Station or any gateway to the broadband modem, obtain what’s typically a publicly reachable IP address, enable the automatic port mapping option (NAT-PMP or UPnP), and then Bob’s your uncle: Back to My Mac typically works. Many broadband networks are set up this way, and it’s one of the best cases in which to use Back to My Mac.

Now how can you tell whether you have the first or second type of modem, and how can you tell whether you have an actual public IP? Let’s get into that next.

Reach Out and IP Someone — We start with looking at the broadband modem. Can you connect over your local network to the modem via a Web browser to view its configuration? If you cannot, then your ISP’s modem is almost certainly a bridge, and you still need to determine whether devices you plug into the modem obtain, or can be assigned, a public IP address.

If you can connect to your broadband modem, do so (this may require a password, which may require a call to your ISP), and see what the summary screen or status screen tells you about the modem’s Wide Area Network (WAN) connection – the modem’s connection back to the ISP’s network.

That screen should provide you the address the modem is using. In some cases, you’ll see just one number; with my Qwest modem, I see both a private address in Qwest’s network and a separate public address that Qwest connects my modem to, both of them clearly labeled.

You can tell whether this WAN address is public or private by looking at its first few numbers. Current IP addresses – using the ancient IPv4 or version 4 numbering system – comprise four numbers separated by dots, like 10.0.0.1. If the WAN port’s IP address starts with 192.168 or 10., or begins with 172. followed by the numbers 16 to 31, it’s a private address. (Examples: 192.168.0.1, 172.16.5.1, 10.0.0.1.) You’ll need to contact your ISP to see if you can get a public address.

If the number doesn’t fit any of those patterns, it should be a public address, and should be generally reachable.
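The prefix rule above, turned into a small checker you can run against an address copied from a modem’s status screen. This is an added example, not code from the article; it applies the three private ranges the article names as proper CIDR blocks (so 172.16 through 172.31 is handled correctly), and goes slightly beyond the article by also flagging loopback, link-local, and the “shared address space” block (100.64.0.0/10, RFC 6598) that some ISPs use for carrier-grade NAT, since an address in that block is likewise not reachable from the Internet.

```python
import ipaddress

# Address blocks that are never routable on the public Internet.
# The three RFC 1918 ranges are the ones the article lists; the others are
# well-known non-public blocks added here (loopback, link-local, and the
# RFC 6598 shared space that ISPs use for carrier-grade NAT).
NON_PUBLIC = [
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("100.64.0.0/10"), "shared / carrier-grade NAT (RFC 6598)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local (no DHCP lease obtained)"),
]


def classify_wan_address(text):
    """Classify an IPv4 address copied from a modem's WAN status screen.

    Returns (verdict, reason), where verdict is 'public', 'non-public'
    or 'invalid'. A 'public' verdict means the address lies outside every
    reserved block and should be reachable end to end.
    """
    try:
        addr = ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return ("invalid", "not a dotted-quad IPv4 address")
    for net, reason in NON_PUBLIC:
        if addr in net:
            return ("non-public", reason)
    return ("public", "outside every reserved block; should be reachable")


if __name__ == "__main__":
    # Constructed sample inputs: the article's three examples plus edge cases
    # (172.32.x is just past the 172.16-31 window, so it is public).
    for sample in ["192.168.0.1", "172.16.5.1", "172.32.0.1", "10.0.0.1",
                   "100.64.1.1", "34.33.111.253", "1.2.3"]:
        verdict, reason = classify_wan_address(sample)
        print(f"{sample:>15}  {verdict:<11} {reason}")
```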

Now if you can’t connect to your broadband modem from the local network or you want to ensure the address you’re looking at for the WAN port is truly public, you can use one of many Web sites that try to tell you your current IP address; WhatIsMyIPAddress.com is one of many examples. These sites tell you what they believe the address is of the router or computer that sent the request. If your network is nested in one or more layers of NAT, the page shows the IP address of an ISP’s router, however.

Visit that link. Does it match the configuration screen (if any) of the broadband modem? If so, you’re almost certainly set to go.

If not or that doesn’t apply, you can try at least one technique to see if the router is reachable: the command-line tool ping. Copy the address from the Web page, and then launch Terminal (Applications > Utilities) and type at the prompt:

ping -c 10 address

replacing address with the IP address that you copied. Do you see a response in the Terminal like this one:

64 bytes from 34.33.111.253: icmp_seq=0 ttl=127 time=10.564 ms

That means the modem is responding to an “are you alive” request over the Internet, and is likely reachable.

Let’s put this all together.

Back into Back to My Mac — If in any of the cases above, you believe or know that you have a public IP address connected to a modem or router that can use NAT-PMP or UPnP and that protocol is enabled, or you have used manual port mapping to enable access to one computer via Back to My Mac, turn on Back to My Mac and see if you can reach the computer outside the local network.

If that doesn’t work, or you determine you don’t have a public IP address, there’s nothing more you can do on your own; it’s time to call your ISP if you want any hope of the remote access service working.

Just to recap, Back to My Mac should work on a network in which these conditions are met:

  • The network’s ISP has assigned its modem a public IP address in some form, and either that modem supports UPnP (for reaching multiple computers on the network) or it allows manual port mapping configuration; or
  • The ISP bridges its network across its modem, providing a public IP address for your router, which either has NAT-PMP or UPnP built in (for reaching multiple computers on the network) or allows manual port mapping configuration.

The remote access service won’t work on a network in which:

  • Your ISP doesn’t provide a public IP address in any form to its modem or your router; or
  • You can’t configure any of UPnP, NAT-PMP, or manual port mapping on an ISP’s modem or your router.

If you fit into the category of networks that should allow proper Back to My Mac functioning, and you still get a yellow dot (in Mac OS X 10.5.3) in the .Mac system preferences pane’s Back to My Mac view – see “Back to My Mac Communicates Faults in 10.5.3,” 2008-05-29 – then you either need to read my book, or try an alternative like LogMeIn Free for Mac or Timbuktu plus Skype. I have recommended to many TidBITS readers to forget my book and try the alternative because their networks simply can’t work with Back to My Mac.

The Future with IPv6 — As I said at the outset, the Internet is broken. IPv4 addresses are in short supply and running out. But take heart: IPv6 (version 6) is IPv4’s replacement, has vastly more potential addresses (4 billion to the fourth power versus 4 billion), and is designed and implemented in a way that will restore much of the end-to-end principle of the Internet. This introduces more security concerns, but also makes it much more likely that network services just work.

IPv6 isn’t a simple migration; every single device on the Internet has to support the new protocol and deal with the long, perhaps eternal transition from IPv4. Mac OS X and Windows have supported IPv6 for years, but DSL and cable modems have lagged even as other components of broadband networks have been upgraded. Comcast, for instance, uses IPv6 for its vast internal routing network, because they simply couldn’t obtain enough IPv4 numbers for their needs. (You can read more about this in a recent article I wrote for the Economist, “Your Number’s Up.”)

I bring up IPv6 not just to complicate your understanding, but partly because Apple has enabled IPv6 in two key places that have to do with your network and Back to My Mac. IPv6 can be tunneled over existing IPv4 networks, which means that data addresses using the new scheme can be wrapped within packages addressed with the old.

In fact, Back to My Mac takes advantage of this. Connections made with the service use tunnels of IPv6 to transport data packets, which are wrapped in strong encryption. Back to My Mac essentially creates two IPv6 end points, one on each computer in a pair that’s connected via Back to My Mac. Ultimately, this should enable better connectivity using more services – perhaps allowing Mac third-party developers to wire in their own services.

The other key point is that Apple has enabled IPv6 in their Draft N routers: any Wi-Fi-enabled base station released in 2007 and 2008, including the revised AirPort Express. They not only support the addressing – kind of like letting postal carriers on a local route know that a house has an old house number and a new house number – but also allow tunneling IPv6 from the local network out to IPv6 gateways on the Internet.

These gateways, run at no cost to the user, let you connect native IPv6 networks, such as those created by Apple’s Wi-Fi base stations, to each other using the current Internet without any need for changes by your ISP. Over time, experts and network operators have told me, IPv6 connections will expand further and further into the backbone of the Internet, and eventually IPv4 will primarily be tunneled inside of IPv6, instead of the reverse.

With IPv6, the idea of a public or private IP address more or less goes away, and the necessity of building and using a service like Back to My Mac drops a bit, too. You’d still want the security of Back to My Mac’s authentication (proving your identity) and encryption (securing the connection), but you’ll no longer need to muck about with the contents of this article.

Copyright © 2008 Glenn Fleishman. TidBITS is copyright © 2008 TidBITS Publishing Inc. If you’re reading this article on a Web site other than TidBITS.com, please let us know, because if it was republished without attribution, by a commercial site, or in modified form, it violates our Creative Commons License.

By glenn@tidbits.com (Glenn Fleishman). [TidBITS: Mac News for the Rest of Us]
