
Thread: net masks within net masks?

  1. #1
    Join Date
    Apr 2012
    Location
    Illinois
    Beans
    218

    net masks within net masks?

    If a more inclusive net mask shares its leading bits with a less inclusive net mask, would the former include all of the addresses of the latter?

    My understanding is that each IPv4 address is a series of 4 8-bit octets, and a net mask is an address followed by /n where n is an integer indicating that the included addresses are the addresses for which the first n bits are shared with the net mask address.
    This system doesn't sound awfully specific. How are these systems used typically? How do they ensure that no other networks will have an address that falls within a netmask?

    added: As far as iptables rules go, could I just use stars (*) instead of a net mask?
    Last edited by haplorrhine; October 18th, 2014 at 05:42 AM.

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: net masks within net masks?

    The netmask tells equipment which things are "local" to the LAN and should be reached using ethernet (run arp). IP is needed to reach systems outside the netmask. The netmask is handy for routing, so changing it without understanding that will likely break the routing.

    A network engineer would set up the devices so there aren't any conflicts for subnets on a corporate network. When a mistake happens, entire subnets get dropped and lots of people complain quickly.

    Security Now! - a podcast did a "how the internet works" series of episodes a few years ago. The description was accurate and I was able to picture everything based on verbal descriptions provided. Plus they have human-created transcripts. Look for episode 25 - at grc.com/sn
    Last edited by TheFu; October 28th, 2014 at 06:41 AM. Reason: how-the-internet-works

  3. #3
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,515
    Distro
    Ubuntu Development Release

    Re: net masks within net masks?

    Quote Originally Posted by haplorrhine View Post
    added: As far as iptables rules go, could I just use stars (*) instead of a net mask?
    To specify any IP address use 0.0.0.0/0.

    To specify an exact IP address don't specify any mask, or specify 32. Examples: 192.168.17.13/32 or 192.168.17.13

    To specify a range of, say, 8 IP addresses use 29, typically with the base address. Example: 192.168.17.8/29

    And so on.

    You can not use "*". You will get this error:
    Code:
    iptables v1.4.12: invalid mask `*' specified
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,701

    Re: net masks within net masks?

    The mask is just the slash and following number, so in 1.2.3.4/24 the mask is /24.
    The mask indicates how much of the IP address should be regarded as the network number, and how much should be regarded as just identifying a host on that network.
    In the example above, the network is 24 bits. It is normal when talking about network numbers to use all 0 bits for the host part of the address, so the network part is 1.2.3 and the network number is 1.2.3.0. IP addresses that live within that network (1.2.3.0-1.2.3.255) can all talk directly to each other without needing to talk via a router. Hosts wanting to talk to other hosts that are not on the same network must send their messages to a router that is connected to their network, and the router will pass them on.
    How do they ensure that no other networks will have an address that falls within a netmask?
    Hope this example helps:
    Imagine an office block that has no more than 200 PCs on each floor. They might decide to give each floor its own network number, e.g. 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 etc. Then PCs on each floor can talk directly to each other, and use a router when they talk between floors.

    Giving a host the right address but the wrong mask is a mistake. For instance in the example above, configuring a PC as 10.0.4.19/16 in the above example would leave it thinking it should be able to talk directly to any other PC starting with 10.0, so it would not be able to talk to PCs on other floors because it wouldn't think it needed to talk via a router. It would try to talk directly and get no answer.

    But the company has many buildings. They may decide to advertise the entire building to the rest of the company network as 10.0.0.0/16 (net 10.0 and hosts 0.0-255.255). Externally the building looks like a single 16-bit network, but when messages get to the building, the routers in the building use the /24 subdivision to route to the appropriate floor. In this case, networks falling within other larger networks is actually the norm and it is called summarising. It needs to be thought out carefully or some parts may not be reachable from some other parts.

    I don't think you can use * in iptables - you have to use a proper mask which says exactly how many bits to check and how many to ignore.

    You may sometimes see a mask written in dotted quad notation, e.g. 255.255.255.0. This form gives a 32-bit value that consists of n 1s followed by 32-n zeros. 255.255.255.0 has 24 leading ones, and so means the same as /24.

    People tend to prefer /8, /16 and /24 masks because the network/host boundary falls on a byte boundary and it's easy to read the network part. Something like 11.22.33.44/28 implies network 11.22.33.32 containing addresses 11.22.33.32-11.22.33.47 and that kind of thinking does my head in. Ugh.

  5. #5
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,515
    Distro
    Ubuntu Development Release

    Re: net masks within net masks?

    Quote Originally Posted by The Cog View Post
    You may sometimes see a mask written in dotted quad notation, e.g. 255.255.255.0. This form gives a 32-bit value that consists of n 1s followed by 32-n zeros. 255.255.255.0 has 24 leading ones, and so means the same as /24.
    I had forgotten about the dotted quad notation. While I can not think of a reason why it would be needed, it does provide a way to have whatever bit mask one wants. Example:
    Code:
    # . check the static blacklist.
    #
    # http related
    $IPTABLES -A http-new-in -i $EXTIF -s 5.100.113.117/255.255.0.255 -j DROP
    $IPTABLES -A http-new-in -i $EXTIF -s 5.100.113.117/255.255.255.0 -j DROP
    $IPTABLES -A http-new-in -i $EXTIF -s 5.248.83.0/24 -j DROP
    Which gives (from "sudo iptables -v -x -n -L | more"):
    Code:
    Chain http-new-in (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 DROP       all  --  eth1   *       5.100.0.117/255.255.0.255  0.0.0.0/0
           0        0 DROP       all  --  eth1   *       5.100.113.0/24       0.0.0.0/0
           0        0 DROP       all  --  eth1   *       5.248.83.0/24        0.0.0.0/0
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,701

    Re: net masks within net masks?

    Quote Originally Posted by Doug S View Post
    I had forgotten about the dotted quad notation. While I can not think of a reason why it would be needed, it does provide a way to have whatever bit mask one wants. Example:
    Code:
    # . check the static blacklist.
    #
    # http related
    $IPTABLES -A http-new-in -i $EXTIF -s 5.100.113.117/255.255.0.255 -j DROP
    $IPTABLES -A http-new-in -i $EXTIF -s 5.100.113.117/255.255.255.0 -j DROP
    $IPTABLES -A http-new-in -i $EXTIF -s 5.248.83.0/24 -j DROP
    Which gives (from "sudo iptables -v -x -n -L | more"):
    Code:
    Chain http-new-in (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 DROP       all  --  eth1   *       5.100.0.117/255.255.0.255  0.0.0.0/0
           0        0 DROP       all  --  eth1   *       5.100.113.0/24       0.0.0.0/0
           0        0 DROP       all  --  eth1   *       5.248.83.0/24        0.0.0.0/0
    You are right of course. It's unusual to want complicated filter rules like that, but perfectly feasible.

    I believe that use of dis-contiguous masks, ones that are not just ones followed by zeros, is not allowed in routing - you cannot configure such network/masks in a routed network. I don't think routers these days would accept it.
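    A small Python helper, added here as an example and not written by any of the posters, that applies the notation explained in posts #3 to #6: it parses both /n and dotted-quad masks, normalises an address/mask pair the way the `iptables -n -L` listing above did (5.100.113.117/255.255.0.255 becoming 5.100.0.117), tests whether a mask is contiguous, and answers the thread's original question of whether every address covered by one mask also falls inside another. It goes slightly beyond the posts by also returning the first and last address of a contiguous block.

```python
import ipaddress

def parse_mask(mask: str) -> int:
    """'24' (prefix length) or '255.255.0.255' (dotted quad) -> 32-bit mask int."""
    if mask.isdigit():
        n = int(mask)
        if not 0 <= n <= 32:
            raise ValueError(f"invalid mask `{mask}'")
        return (((1 << n) - 1) << (32 - n)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(mask))

def parse(spec: str) -> tuple[int, int]:
    """'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d/w.x.y.z' -> (address, mask); no mask means /32."""
    addr, _, mask = spec.partition("/")
    return int(ipaddress.IPv4Address(addr)), parse_mask(mask or "32")

def is_contiguous(mask: int) -> bool:
    """True when the mask is n ones followed by 32-n zeros (the only form routers accept)."""
    zeros = ~mask & 0xFFFFFFFF            # host bits, as a run of low-order ones
    return (zeros & (zeros + 1)) == 0     # ...which holds iff zeros+1 is a power of two

def network(spec: str) -> str:
    """Network number the way `iptables -n -L` prints it (host bits cleared)."""
    addr, mask = parse(spec)
    base = ipaddress.IPv4Address(addr & mask)
    if is_contiguous(mask):
        return f"{base}/{bin(mask).count('1')}"
    return f"{base}/{ipaddress.IPv4Address(mask)}"  # discontiguous: keep dotted quad

def address_range(spec: str) -> tuple[str, str]:
    """Lowest (network) and highest (broadcast) address of a contiguous block."""
    addr, mask = parse(spec)
    if not is_contiguous(mask):
        raise ValueError("a discontiguous mask does not describe one range")
    lo = addr & mask
    hi = lo | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))

def contains(outer: str, inner: str) -> bool:
    """Does every address matched by `inner` also match `outer`?  A packet p matches
    (a, m) iff p & m == a & m, so outer may only check bits inner also fixes, and agree."""
    oa, om = parse(outer)
    ia, im = parse(inner)
    return (om & ~im) == 0 and (oa & om) == (ia & om)

if __name__ == "__main__":
    print(network("11.22.33.44/28"), address_range("11.22.33.44/28"))
    print(network("5.100.113.117/255.255.0.255"))   # 5.100.0.117/255.255.0.255
    print(contains("10.0.0.0/16", "10.0.3.0/24"))   # the building summarises its floors
```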

  7. #7
    Join Date
    Apr 2012
    Location
    Illinois
    Beans
    218

    Re: net masks within net masks?

    This really helps.

    Now I'm getting into Ubuntu help, but I'm guessing that I only must distinguish the "from" addresses in ufw since the "to" will always be the same unless I do something funky with my configuration?

    Also a question about the C* network in Table A-4 of the link. http://www.cisco.com/en/US/docs/secu...uide/appA.html
    The last octet of the network is 64, which is 01000000, so shouldn't the subnetwork address end in 192, 11000000, rather than 224, 11100000? Or can the network portion end with a zero (e.g. 198.41.9.64/32 as opposed to /64)?

    Quote Originally Posted by The Cog View Post
    I don't think you can use * in iptables - you have to use a proper mask which says exactly how many bits to check and how many to ignore.

    You may sometimes see a mask written in dotted quad notation, e.g. 255.255.255.0. This form gives a 32-bit value that consists of n 1s followed by 32-n zeros. 255.255.255.0 has 24 leading ones, and so means the same as /24.

    People tend to prefer /8, /16 and /24 masks because the network/host boundary falls on a byte boundary and it's easy to read the network part. Something like 11.22.33.44/28 implies network 11.22.33.32 containing addresses 11.22.33.32-11.22.33.47 and that kind of thinking does my head in. Ugh.
    It seems the forum's uploader automatically shrank my 250x250 tarsier avatar to 90x90, so I left it.

    I just learned how the binary strings correspond to the Latin numbers of the IP address, which I explain for anybody interested.
    When counting with Latin numbers, you proceed through all ten digits before increasing the next right-most digit by one. Well, when converting the binary code into Latin numbers, they treat the binary as a two-digit system of counting. Thus, as you proceed through all possible octet values, of which there are 256 ( 2^8 ), the left-most value changes only once at halfway, at 127/128. Therefore, conveniently, having the octet above or below 127½ corresponds to one or the other subnetwork, respectively. See Table A-3 in the link. http://www.cisco.com/en/US/docs/secu...uide/appA.html
    Note that the subnetwork upper limits are 2^7-1 (127) and 2^8-1 (255) because we started counting at zero.
    Last edited by haplorrhine; October 20th, 2014 at 01:17 AM.

  8. #8
    Join Date
    Aug 2005
    Beans
    6,024

    Re: net masks within net masks?

    Quote Originally Posted by The Cog View Post
    I believe that use of dis-contiguous masks, ones that are not just ones followed by zeros, is not allowed in routing - you cannot configure such network/masks in a routed network. I don't think routers these days would accept it.
    You are correct that routers have very strict rules wrt subnet masks but they don't have to be followed by zeros, /30 or 255.255.255.252 for example is fine and commonly used for point-to-point serial or data links as it provides an IP address for each of the two endpoints/interfaces as well as a network & broadcast address, wasting nothing.

    In the old days you only had classful routing where you could not do the above and had to route on strict class a, b, c boundaries. This was highly inefficient use of address space until classless routing came along allowing the above and other nice things like variable length subnet masking (VLSM) etc.

  9. #9
    Join Date
    Apr 2012
    Location
    Illinois
    Beans
    218

    Re: net masks within net masks?

    but 255.255.255.252 is followed by zeros.
    11111111.11111111.11111111.11111100

    30 is odd though.
    .00011110
    What does that mean? That I can change the first four of the last five bits? Could I end that net address with a 161?

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: net masks within net masks?

    I found using a network calculator to get a feel for these things was extremely helpful. My ISP gives me a /29, for example. A long time ago, it was easy to get a /28 from ISPs without being hassled too much.

    IPv6 solves the subnet restrictions for everyone. When available, I expect my ISP will give us /54 or /48 subnets on IPv6 - larger than the entire internet addr space today.
