Re: Using netmask ffffffff

Keve Nagy wrote:

Hello Everyone!

I'm not the most knowledgeable and not the best person to explain stuff, but
I'll try and take a stab at some of it. Just trying to stimulate a neuron,
or two. :-)

I walked into a bit of a foggy territory with this FFFFFFFF netmask,
or /32 CIDR mask if you prefer.
I have already used it multiple times for if_aliases (usually jails). I
think this needs no further explanation.

Yes, aliasing is one of the three main usages of this. (Think routing tables
and netstat -r)

I have also seen this netmask (255.255.255.255) being assigned to client
machines connecting to an ISP. I think it was DSL, but might have been
POTS dial-up or cable too.

It is common to see it in conjunction with a dial-up terminal server and a
point-to-point link such as ppp. Again, routing is the reason.


Now I was wondering if I could use this netmask on my LAN to connect some
machines to the network. (see reasons later)
The concept is to assign IP addresses by the DHCP server with this mask.
Say, 172.31.255.1-254/32. AFAIK, I could even offer the 0 and 255 IP with
the netmask of 255.255.255.255, not only 1-254, but a confirmation never
hurts.

You would not want to do this, as 0 and 255 are reserved for special meanings
that are not designated to represent typical network or host addresses. If
you did this, how would something trying to decide how to route a packet
decide which part of the 32-bit binary number is netid and which part is
hostid? Subnet masking is the cornerstone that TCP/IP routing is built on,
and it has rules just like everything else. If you threw an IP with a /32
netmask out on your LAN, how would you route it? How would you be able to
tell which part is the netid and which part is the hostid?

Anyway, what I'd like to know in theory is what a host on my network
receiving such a DHCP configuration could do connection- and
visibility-wise.
[snip irrelevant]

The reason that it would be a problem is centered around routing. Subnet
masks are essential for a router to know what to do with a packet. The IP
part is the network address and the hostid part refers to a specific host.
What you would accomplish by using such a subnet mask as #ffffffff in the
wrong application is to thoroughly confuse TCP/IP routing.


The idea behind this is the same thing ISPs do. There are hundreds of
machines receiving their IP address with the netmask of ffffffff, and all
of these machines have routes to the internet (therefore can connect to
certain IPs, websites, ftp, etc) while none of them can see (or even know
about) the other machines connected the same way. I believe it all
depends on the routes.

Not exactly. In the case of an ISP dial-up connection you see the #ffffffff
because it is a point-to-point link from one machine to a terminal provider
on the other end of the modem line. When the ISP assigns an IP to your
ppp connection, he is using #ffffffff to extend his routing out to you as a
tributary point.

In my case, I'd like to have 120 workstations on my internal network to
get internet connection, and also to have access to some common resources
like printer, diskshare, etc, while interaction between these 120
machines should be denied. What I don't quite understand is what routes
these clients have, or rather how do I set these routes up. How will a
machine with ffffffff netmask see its router?

Oh it could probably see the router. But the router would have no idea what
to do with the traffic because it is outside the established protocol.

The third main usage for #ffffffff is with NAT routing. For example, here
is a NAT line from ipnat.conf (part of IPFILTER):

map ppp0 192.168.10.0/24 -> 0/32

(Think about it a minute: does this look like what the terminal provider does
when he gives you an IP on a dial-up?)

I also consider a solution by using only an appropriately defined firewall
ruleset with a generic /24 mask for the clients, but for now I would also
like to investigate and hopefully test this ffffffff netmask possibility.

0.0.0.0 generally has a meaning of "the whole network" and is somewhat
ambiguous. 255 is reserved for broadcast packet traffic. Neither is used
for IP addressing, which is designed to combine a "network id" and a "host
id" together in a single 32-bit binary number. Stick with the /24 concept,
as it will be within protocol and routing will work.

The place where the problem(s) will surface from using such a malformed IP
address will be in your routing tables. TCP/IP routing will be very
confused by bad addressing which doesn't comply with the protocol(s).

If you can direct me to a useful page/manual or you can lift some of the
fog yourself, please do so!

One place to start is with the RFC documents themselves. Sites like
http://www.faqs.org/rfcs/ and http://www.ietf.org/rfc.html. It takes some
hunting to figure out which RFC pertains to what, an exercise only for
those who are truly inquisitive and enjoy mind-numbingly dry reading. :-)

My firewalls and gateways are FreeBSD 6.2-PreRelease with pf, but I am
open to use another firewall if needed (like pf under freebsd has no
layer2 filtering capabilities). The DHCP server is isc-dhcpd built from
ports.

[snip]

I used ipfw/natd for the longest time. Its dummynet is a viable traffic
shaping utility. I then moved on to IPFILTER because it is all kernel
whereas natd is a userland app with associated context switching. IPFILTER
may squeak out a little better performance but doesn't have dummynet. I've
since moved to pf and it seems like almost the best of both worlds. The
syntax crossover from IPFILTER to PF was pretty easy. And with ALTQ it can
readily manipulate bandwidth allocation. With CARP you can have a cluster
of several machines for increased load capacity and failover. I have come
to prefer PF, but you should probably study them all to see which best
serves your exact requirements.

I know I haven't been exactly clear either. It is intended more to give
you food for thought so you'll know what to go study and why. You'll reach
a deeper understanding by refining your question/study to areas that make
sense and apply directly to what you are trying to accomplish. While some
of it is Networking 101, the central fact remains that TCP/IP is a suite of
protocols. And protocols are nothing more than rules. Learn the protocol,
learn the rules within which you must operate. As far as /32 goes, it has
certain usages in very specific areas for very specific reasons. As for
general-purpose use in a LAN such as you are suggesting, it is probably not
a good idea; it will cause you routing troubles.

-Jason
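As an added illustration (not from the thread or from either of its participants), here is a small longest-prefix-match model of how the netid/hostid split discussed above plays out for a host given a /32 versus a /24 mask, and on a point-to-point link like the ISP ppp case. All addresses, interface names and routes are constructed for the example.

```python
# Added example, not part of the original thread. A toy host routing table
# with longest-prefix matching, to show why a /32 on a shared LAN leaves a
# host with no reachable gateway while a /32 on a point-to-point link works.
import ipaddress


def split_netid_hostid(addr: str, prefix: int):
    """Return (network id, host id) for an address under a CIDR prefix."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    host_id = int(iface.ip) & int(iface.network.hostmask)  # 0 under /32
    return str(iface.network.network_address), host_id


def lookup(routes, dest: str):
    """Longest-prefix match. routes: list of (cidr, gateway or None, iface)."""
    d = ipaddress.ip_address(dest)
    best = None
    for cidr, gw, dev in routes:
        net = ipaddress.ip_network(cidr)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


def install_default(routes, gateway: str, dev: str) -> bool:
    """Add a default route only if the gateway is directly reachable,
    i.e. matched by a route with no next hop (what a kernel requires)."""
    hit = lookup(routes, gateway)
    if hit is None or hit[1] is not None:
        return False  # gateway not on any connected route: nothing to attach to
    routes.append(("0.0.0.0/0", gateway, dev))
    return True


def lan_host_routes(addr: str, prefix: int, gateway: str):
    """Routes a LAN host derives from its own address/mask (constructed em0)."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    routes = [(str(iface.network), None, "em0")]  # connected route
    install_default(routes, gateway, "em0")
    return routes


def ptp_host_routes(local: str, peer: str):
    """Point-to-point link (constructed ppp0): the peer gets its own host route,
    which is what makes a /32 local address usable on a dial-up style link."""
    routes = [(f"{local}/32", None, "ppp0"), (f"{peer}/32", None, "ppp0")]
    install_default(routes, peer, "ppp0")
    return routes
```

Run `lan_host_routes("172.31.255.10", 32, "172.31.255.254")` and then `lookup(..., "198.51.100.1")` to see that nothing off the host itself matches, whereas the /24 and ppp0 cases both resolve to the default route.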
