CIDR: A Prescription for Shortness of Address Space
While IP classifications A-D are still in use in the networking world, those terms are obsolete. For the sake of clarity, I will continue to use them to explain how CIDR works and how you can implement it. Along with CIDR comes the concept of variable length subnet masking (VLSM).
Basically, with a “Class” address, you have a default subnet mask. For a Class C address, this default subnet is 24 bytes long, so putting all ones in the first 24 bytes and zeroes in the rest, we have 255.255.255.0. For class A and B, this would be 255.0.0.0 and 255.255.0.0, respectively. This basically gives anyone assigned a full Class C address 256 unique addresses, of which two are reserved, one each for network and broadcast addresses. Under “classful” addressing, we are limited to providing full Class A, B or C addresses to those requiring IP addresses. With “classless” addressing, we can subnet these addresses quite simply. As stated above, the network portion of the address is equivalent to that portion of the IP address corresponding in base 2 to all ones, and the host address to all zeroes. This means that a Class C address looks like:
11111111.11111111.11111111.00000000 = 255.255.255.0 (128+64+32+16+8+4+2+1 in the first three positions and 0 in the last). Again, note that this is 24 ones and 8 zeroes, for a total of 32 positions.
Let's say we have one Class C address (192.168.1.0) available for use, but we have two offices with approximately 75 hosts at each location, one in New York and one in New Jersey. While we could simply use the Class A address at each site with each office using unique numbers, we can't connect them together because machines in New Jersey can't find those in New York and vice versa. The reason these two portions of the network can't find each other is because in order for a computer to find another on a network, it assumes an address on its local network (the host portion where all the numbers are zeroes) is directly connected to it, and one on another network is reachable only by going through a gateway.
A gateway is a machine (computer or router) that has two or more network addresses, at least one on the local network and one or more on other networks. A gateway sends any communications not on the local network via one of its other communications devices, depending on the information stored in its routing table. Under classful routing, we would need two half-used Class C addresses for each office, which would be very wasteful of scarce IP addresses.
With CIDR, we can cut the Class C address into two different networks. To do this, we will extend our netmask by one more bit, giving us two separate networks, where before we just had one. This will change our netmask from 255.255.255.0 or 24 ones (hereinafter referred to as /24) to a /25 network, or 255.255.255.128. Both of our new networks will have this same netmask; all other rules remain the same. We now have one network with a network address of 192.168.1.0 and a broadcast address of 192.168.1.127. The other network will use a network address of 192.168.1.128 and a broadcast address of 192.168.1.255.
In the same manner, we can continue slicing up our network into four, eight, sixteen, thirty-two, ... networks. In fact, starting at /8, we can slice and dice until we reach /30. Since we have 32 numbers to work with, a /32 represents just one address, and in this special case, there's no need for network or broadcast addresses. That also means a /31 would represent two addresses, but since one would be the network address and the other the broadcast address, this would leave us with no host addresses—almost certainly undesirable.
Under this scheme, the first octet of the netmask would remain 255, but after that we could change any of the other numbers. Instead of being restricted to 255 and 0, we may find ourselves replacing the first zero in our netmask with any of 128, 192, 224, 240, 248, 252 or 254, except in the last octet as noted above. The network and broadcast addresses would bind each subnet (see Table 2 for details). Now, any network can be referred to by its variable length subnet mask, or the number of ones in the host portion of the address from /8 to /32 (excepting /31). By extrapolation, each host can be referred to directly by its IP address and the VLSM notation, so that it is readily apparent what the network and broadcast addresses and netmask are.
For example, if someone told me to assign my machine 192.168.0.50/27, I would know that the network address was 192.168.0.32, the broadcast address was 192.168.0.63, and the netmask was 255.255.255.224. For those of you who still have problems visualizing how this all translates, I've provided a chart to assist you (Table 3).
You will find more uses for classless addressing than this. CIDR can also give you a way to isolate departments in large organizations to provide better security (by implementing internal firewalls) and decrease traffic on any given network segment, reducing collisions and increasing response times.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- The Qt Company's Qt Start-Up
- Devuan Beta Release
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- The Humble Hacker?
- The Death of RoboVM
- New Container Image Standard Promises More Portable Apps
- BitTorrent Inc.'s Sync
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide