⬆️ ⬇️

Back mask

The existing mask for IP addresses has grown out of the class division of addresses, at the dawn of the IP era:

Class A: 8 bits for a network number of 24 bits for a host number

Class B: 16 bits per network and 16 bits per host

Class C: 24 bits per network 8 bits per host


When it became too wasteful to divide addresses in this way, a mask appeared, which is a 32-bit field (the IP address consists of so many bits) of consecutive units from the beginning of the field, and after consecutive zeros. Units define those bits in the IP address that form the network number, zeros those bits in the address that form the host number.

  IP address, decimal: 10. 10. 0. 1
 Binary IP Address: 00001010.00001010.00000000.00000001
 Binary mask: 11111111.11111111.11111100.00000000
 Mask, decimal: 255. 255. 252. 0 


The representation of the mask in this way, quite, is related to the term of the bit mask, i.e. units and zeros define actions on specific bits in the original number, but they do not correlate well with the format of the IP address — the network number is always determined by the bits at the beginning, the host number by the bits at the end. Therefore, the representation of the mask in the form of a 32-bit field is redundant. To uniquely identify the mask, you can only determine the number of consecutive units from the beginning of the IP address from 0 to 32 - a prefix notation, usually written after a fraction after the IP address: for the example above 10.10.0.1/22 - 22 bits network number and 32-22 = 10 bit host number. If he is talking about an IPv6 address, then only the prefix mask / address entry is determined - 2001: d8: a15e :: 1/48



Now we will present the mask so that the units define those bits in the IP address that form the host number, and the zeros those bits that form the network number, as a result we get an inverse mask:

  IP address, decimal: 10. 10. 0. 1/22
 Binary IP Address: 00001010.00001010.00000000.00000001
 Binary mask: 11111111.11111111.11111100.00000000
 Inverse binary mask: 00000000.00000000.00000011.11111111
 Mask, decimal: 255. 255. 252. 0
 Inverse mask, decimal: 0. 0. 3. 255 


This is what any, or almost any, calculator of a network can do; here it is not binary arithmetic, or rather arithmetic, rather than basic manipulations on the transfer of numbers between number systems.



Obtaining an inverse mask from the direct one, and the opposite action is performed by inverting the bit field - replacing 0 with 1, and 1 with 0. If you use the decimal representation, then the inverse mask is calculated as follows: the number corresponding to the octet value in the direct mask is taken from 255 :

  255.255.255.255
 - 255.255.252.  0
 = 0. 0. 3.255 


Translation from inverse to direct is also performed by subtracting from 255 the value of the octet corresponding to the inverse mask:

  255.255.255.255
 - 0. 0. 3.255
 = 255.255.252.  0 


Using the term inverse mask, I deliberately distorted the generally accepted name of the Russian term - reverse mask (invers mask, wildcard mask) - because the reverse mask is a much more powerful mechanism than just another notation for network and host numbering in the IP address. The reverse mask is not required to contain consecutive units or zeros, and units are not just the designation of the host area in the IP address. Units are the designation of bits in the IP address, which may change when checking conditions, and zeros fix the constant bits. That is, the Russian term inverse mask more closely matches the “wildcard mask” rather than the “invers mask”, although the technical documentation uses both in the same sense.

')

The scope of the reverse mask is conditional operations with IP addresses in the cisco like interface and ideology (not only the cisco device). These areas include, in particular, access lists (ACLs) - allows you to create not just host conditions from this network, but much more flexible rules and network definitions, as well as in configuring routing protocols, OSPF for example - allows you to create compact rules for announcements that are not consecutive networks.



Let's solve the problem of prohibiting access from odd hosts from the network 192.168.0.0/24 to either. If we have only a direct mask, then we need to make a rule for each of the odd numbers in this network. From 192.168.0.1 to 192.168.0.253. IP 192.168.0.255 is a broadcast address and we do not need to process it. We receive (in cisco notation):

access-list 101 deny ip 192.168.0.1 255.255.255.255 any
(255.255.255.255 can be replaced by the special word host, let's do it)

  access-list 101 deny ip host 192.168.0.1 any
 access-list 101 deny ip host 192.168.0.3 any
 access-list 101 deny ip host 192.168.0.5 any
 access-list 101 deny ip host 192.168.0.7 any
 ...
 access-list 101 deny ip host 192.168.0.93 any
 ...
 access-list 101 deny ip host 192.168.0.253 any
 access-list 101 permit ip any any 


Total: 128 lines.



In the end, we allowed access to everything that we did not ban. Now we need to associate this ACL with the necessary interface, Fa0 / 1 for example:

  int fa0 / 1
 ip access-group 101 in 


Let's try to reduce the resulting ACL, using the property that an odd number in the binary representation always has the value 1 in the zero digit.

  192.168.0.0 = 11000000.10101000.00000000.0000000 | 0 - par.
 192.168.0.1 = 11000000.10101000.00000000.0000000 | 1 - not odd.
 192.168.0.2 = 11000000.10101000.00000000.0000001 | 0 - even
 192.168.0.3 = 11000000.10101000.00000000.0000001 | 1 - not even
 192.168.0.4 = 11000000.10101000.00000000.0000010 | 0 - even
 192.168.0.5 = 11000000.10101000.00000000.0000010 | 1 - not even
 192.168.0.6 = 11000000.10101000.00000000.0000011 | 0 - even
 192.168.0.93 = 11000000.10101000.00000000.0101110 | 1 - not even 


Use the reverse mask, I remind you that 1 - bits that can change, 0 that can not. The mask / 24 = 255.255.255.0 in the inverse mask has 0.0.0.255 or 00000000.00000000.00000000.11111111. That is, the last octet can change in all bits, but we know that 0 bits must be left unchanged, so we change the reverse mask as follows: 00000000.0000000000000000.11111110 or 0.0.0.254. Note that if we convert this record to a direct mask, according to the rules for an inverse mask, we get 255.255.255.1, which is an incorrect record for the mask, and the network calculator can no longer cope (or I have not seen them).



So our network 192.168.0.0/24 should always have 1 in the last octet of the zero bit, that is, 192.168.0.1 with a reverse mask of 0.0.0.254.

  Binary 192.168.0.1: 11000000.10101000.00000000.00000001
 Reverse mask 0.0.0.254, binary: 00000000.00000000.00000000.11111110 


The units in the reverse mask are mutable bits in the address - these are bits in the last octet from 1 to 7, with their use and the zero bit always equal to one, we can compose any odd number from 1 to 255.



Now let's write the ACL, because IP value 192.168.0.255, has a special meaning, let's solve it in the first line, otherwise it will also be prohibited:

  access-list 101 permit ip host 192.168.0.255 any
 access-list 101 deny ip 192.168.0.1 0.0.0.254 any
 access-list 101 permit ip any any 


Total: 3 lines instead of 128, you can say "Wow!".



Let's complicate the task, the second to last octet in the 192.168.0.0/16 subnets should be odd. That is, for networks 192.168.1.0/24, 192.168.3.0/24, etc. access must be closed. Let's change our reverse mask - inverse mask for / 16 = 0.0.255.255, the penultimate octet, we will make 254 by analogy with the first example, we will get 0.0.254.255 in total. And our networks must have an odd-numbered octet of 192.168.1.0 with a reverse mask of 0.0.254.255.

  Binary 192.168.1.0: 11000000.10101000.00000001.00000000
 Reverse mask 0.0.254.255, binary: 00000000.00000000.11111110.11111111 


And our ACL, pre-resolve IP 192.168.255.255 having a special meaning:

  access-list 101 permit ip host 192.168.255.255 any
 access-list 101 deny ip 192.168.1.0 0.0.254.255 any
 access-list 101 permit ip any any 


And now we will do so in the odd subnets 192.168.0.0/16 in the penultimate octet, the hosts (numbers in the last octet) from 1 to 63 should be banned. .63 in binary representation is 111111, therefore we need to select numbers from 00000001 to 00111111. The previous inverse mask 0.0.254.255 selects all the numbers in the last octet, that is, all 8 bits could change, we need to change only 6 bits, ie numbers from 0 to 63, total for the last octet we have the record 00111111 the whole mask 0.0.254.63.

  Binary 192.168.1.0: 11000000.10101000.00000001.00000000
 Reverse mask 0.0.254.63, binary: 00000000.00000000.11111110.00111111 


Host value is 0, for odd second-to-last octets, we allow a separate ACL rule, since they should not be prohibited by the condition of the problem. For this case, the reverse mask in the last octet must be hard-set one number, that is, none of the bits should be changed, so this octet in the reverse mask will be 0.

  Binary 192.168.1.0: 11000000.10101000.00000001.00000000
 Reverse mask 0.0.254.0, binary: 00000000.00000000.11111110.00000000 


And our ACL, we have no permit rules with a value of 255 in the last octet, because this value is not included in the prohibition rule:

  access-list 101 permit ip 192.168.1.0 0.0.254.0 any
 access-list 101 deny ip 192.168.1.0 0.0.254.255 any
 access-list 101 permit ip any any 


As a fixing material, you can try to make the last ACL using only an inverse mask (i.e., where 0 and 1 are strictly in a row, at the beginning and, respectively, at the end of the record), and calculate the benefit in the number of lines.



A possible question is what to do if it is necessary to prohibit even networks: in even numbers, the zero bit is always 0, respectively, we put 0 instead of one. For the first example, everything is the same, but even hosts:

  Binary 192.168.0.0: 11000000.10101000.00000000.00000000
 Reverse mask 0.0.0.254, binary: 00000000.00000000.00000000.11111110 


ACL is shorter, because IP 192.168.0.255, does not fall into the forbidden:

  access-list 101 deny ip 192.168.0.1 0.0.0.254 any
 access-list 101 permit ip any any 


I heard a lot of controversy about how often this mechanism is put into practice. Over 4 years of work in the industry, I applied it only once, but this time I allowed to reduce the ACL from several thousand entries if standard masks were used (or just inversion to a standard mask) to one, the actual example is higher.



This post is inspired by habrahabr.ru/blogs/sysadm/129664 in which I did not find for myself the disclosure of the described topic, thanks to its author for the inspiration. You can read about ACLs and masks for cisco routers on the cisco site (in English): www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Source: https://habr.com/ru/post/131712/



All Articles