Home

CIDR: A Prescription for Shortness of Address Space

Issue 56

From Issue #56
December 1998

Dec 01, 1998  By David A. Bandel
 in
This article explains the concept of CIDR and shows you how you can implement it on your network.

CIDR, Classless Inter-Domain Routing, allows you to maximize use of the limited address space under the current implementation of the Internet Protocol version 4 (IPv4). After reading this article, even if you have never configured a computer for network communications before, you should have a good understanding of these references to networking.

Background

CIDR is the current trend in routing and has been for over three years. This concept was introduced in 1993 to alleviate the shortage of Internet Protocol (IP) addresses until the next generation (IP version 6—IPv6, aka IPng for IP next generation) arrives.

Currently in testing, IPng will significantly expand the IP address space by several orders of magnitude. IPng will also come with its own security enhancements. Those desiring to participate in the future today may have the opportunity to do so, since Linux has kernel-level support for IPng. Until IPng is deployed on a wide scale, making the best use of what we have is what CIDR is all about.

To help you understand why we need CIDR at all, let's journey back in time to the beginning of this decade. IPv4, the protocol used by computers to find each other on a network, was in use then, but there really weren't many connections to the Internet or machines needing Internet connections. In fact, a good number of systems still relied on uucp, the UNIX to UNIX copy protocol, where machines “called” each other at predetermined times and exchanged e-mail traffic. At that time, the IP-address pool seemed unlimited. That was also about the time Mosaic, the first web browser, appeared.

IP Basics

Those who consider themselves well-versed in “classful” routing may wish to skip ahead to the next section. Computers understand base 2 numbers (ones and zeroes), and humans understand base 10 (0-9), so engineers worked out a compromise to give computers numbers while keeping it simple for use by humans. All computers on the Internet have a unique IP address which can be represented by a string of ones and zeroes. If that string is divided up into four sets of eight (octets), you get four numbers with a range from 0 (eight zeroes) to 255 (eight ones), which are arranged in the form XXX.XXX.XXX.XXX. This arrangement is called “dotted decimal notation” and makes understanding the significance of each unique IP address a little easier for us humans. These addresses were then further broken down into arbitrary “classes” A-D. Looking at the first half of the first octet:

Class A = 0-127 (0000)
Class B = 128-191 (1000)
Class C = 192-223 (1100)
Class D = the rest (1110)

The positions beginning from the left represent 128, 64, 32 and 16—see Table 1. Furthermore, Class A uses only the first number as the network number, e.g., 10.XXX.XXX.XXX; Class B uses the first two numbers as the network number, e.g., 172.32.XXX.XXX; Class C uses three numbers as the network number, e.g., 192.168.1.XXX; Class D is reserved for testing purposes. A network address can be thought of as having a network and host portions represented by numbers and XXXs respectively. For a Class C address, the network portion consists of the first three octets with the host portion as the final octet.

The following concepts with respect to networking computers must be understood. Note that the “definitions” I provide here are given to aid in understanding basic concepts for use in this article, and are not the actual definitions of the terms.

  • host address: A unique address assigned to a communications device in a computer. If a computer has multiple communications devices (e.g., Ethernet cards or modems), each of these devices will have its own unique address. This means that a host (computer or router) can be multi-homed, i.e., have multiple IP addresses. This can also be artificially created by assigning different IP addresses to the same device (called IP aliasing).

  • network address: The base (lower) address assigned to a network segment, depending on its netmask. This is the first host IP number on a subnet. For example, on the Class C network that extends from 192.168.1.0 to 192.168.1.255, the network address would be 192.168.1.0.

  • broadcast address: The upper address assigned to a network segment. In the example above, this address would be 192.168.1.255.

  • netmask: A mask consisting of that portion of the IP address where all greater bits consist of ones (in base 2) and all lower bits consist of zeroes—in other words, ones represent the network portion of the address, and zeroes represent the host portion. For the example above, this mask would be 255.255.255.0.

With this introduction to IP addressing, and remembering that a decade ago almost no PCs participated in networking, it is easy to see why during the 1980s IPv4 seemed to have an endless supply of addresses, even though not all addresses could be assigned. Theoretically, if you could make use of all the usable IP addresses available, you'd have a maximum of approximately 500 million addresses, but even 100 million is extremely optimistic and insufficient for today.

Before leaving this section, I'd like to describe an experiment. This experiment will not work properly if performed in an environment with machines using only the Microsoft Windows IP stack, since its implementation is broken, or at least doesn't follow the rules everyone else plays by. Therefore, you will need to be on a UNIX or Linux machine with other UNIX or Linux boxes on your network. Type the following command:

ping -c 1

What you will see in response is every UNIX box answering back with its IP address, and each reply following the first one will have (DUP!) next to it, indicating it is a duplicate reply. The -c 1 argument tells ping to send only one ping packet. The number of replies received will depend on how many (non-MS) machines you have on the network. If this is performed from an MS Windows machine (95 or NT), you will receive a reply from the local machine only.

What is the point of this little demonstration? If you change the netmask on a machine, say from 255.255.255.0 to 255.255.0.0 thereby changing its network and broadcast addresses, even though nothing else changed (i.e., it still has the same IP address and is still connected to the network the same way) it will cease talking to its neighbors. In other words, this machine is now on another network and will require a gateway to talk to the other machines on the local net (all bets are off for the Microsoft machines).

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

ping no longer working without destination address?

koanhead's picture
Submitted by koanhead (not verified) on Wed, 07/28/2010 - 18:03.

I realize that this article is 12 years old, but I stumbled across it whilst searching to find if/why ping does not work with CIDR addresses. The article says:

Type the following command:

ping -c 1
What you will see in response is every UNIX box answering back with its IP address, and each reply following the first one will have (DUP!) next to it, indicating it is a duplicate reply.

On my system, I see:
me@here:~$ ping -c 1
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
Which suggests to me that ping won't work at all without a destination address.
It's possible but not clear that my router is causing a problem with this. ip neigh show outputs the router's address only. I can ping other hosts on the network, but only if I already know their IP addresses. I don't know any other way of discovering the hosts on the network, so I tried ping with a CIDR address, which was not recognized:
me@here:~$ ping 10.0.0.0/24
ping: unknown host 10.0.0.0/24
Interestingly, nmap does work with CIDR, and discovers most but not all hosts on the network (except the sole Win7 computer, which responds to ping.)
None of this is intended as a complaint against the author, only as further information for others who may read this article.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions