
In the document and System Administration (Page 78-83)

System components

2.8 Address space in IPv4

As we have seen, the current implementation of the Internet protocol has a number of problems. The model of classed Internet addresses was connected to the design of early routing protocols. This has proved to be a poor design decision, leading to a sparse usage of the available addresses.

It is straightforward to calculate that, because of the structure of the IP addresses, divided into class A, B and C networks, something under two percent of the possible addresses can actually be used in practice. A survey from Unix Review in March 1998 showed that, of the total numbers of addresses, these are already allocated:

             Max possible   Percent allocated
Class A               127                100%
Class B             16382                 62%
Class C           2097150                 36%

Of course, this does not mean that all of the allocated addresses are in active use. After all, what organization has 65,535 hosts? In fact the survey showed that under two percent of these addresses were actually in use. This is an enormous wastage of IP addresses. Amongst the class C networks, where smaller companies would like address space, the available addresses are being used up quickly, but amongst the class A networks, the addresses will probably never be used. A new addressing structure is therefore required to solve this problem. Three solutions have been devised.

2.8.1 Classless addresses (CIDR)

CIDR stands for Classless Inter-Domain Routing and is documented in RFCs 1517, 1518, 1519, and 1520. CIDR was introduced as an interim measure to combat the problems of IP address allocation as well as that of routing table overflow. It is also the strategy of choice for IPv6 addressing. The name refers to inter-domain routing because it provides not only an addressing solution, but also an improved model for routing packets, by defining routing domains (distinct from logical domains of the Domain Name Service).

The IPv4 address space has two problems:

• It is running out of address space, because many addresses are bound up in classes that make them unusable, with the class A,B,C scheme of IP addresses.

• Global routing tables are becoming too large, making routing slow and memory intensive.

In the early 1990s, the limit of routing table size was believed to be somewhere in the order of 100,000 routes. Beyond this, the time it would take for lookup would be longer than TCP/IP timeouts, and the Internet would fail to function. In fact we have already passed this mark [30], but the problem would have been much worse had it not been for classless addressing.

The solution to this problem was a straightforward extension of the idea used in subnetting: to allow the possibility to aggregate or join together smaller networks into larger ones, while at the same time being able to address individual elements within these conglomerates (see table 2.7).

Local Area Net             Wide Area Net
Broadcast flood            Routing table flood
Subnet mask                CIDR mask
Subnet address             Aggregate network address
Host address (computer)    Autonomous system number (Routing domain)

Table 2.7: Analogy between subnetting of hosts and super-netting of routing domains.

The classless IPv4 addresses are identical in concept to addresses and subnet masks. The main change is in notation. A ‘slash’ form is used to represent the number of network bits, instead of another address. This is more compact. For example, the network:

192.0.2.0, 255.255.255.0 → 192.0.2.0/24

The number of bits that are ‘1’ in the netmask is simply written after the slash. This notation works across any class of address. It respects only power-of-two (bit) boundaries. Thus CIDR addresses no longer refer to any class of network, only a range of addresses. In order to make this work, new routing protocols were required (such as BGP-4) that did not rely on the simplifications inherent in the classed address scheme.

Address class   IP prefix   Network bits   Host bits
Class A         1–126       8 bits         24 bits
Class B         128–191     16 bits        16 bits
Class C         192–224     24 bits        8 bits

Table 2.8: Summary of network classes, and numbers of bits used.

CIDR mask   Equiv. class C      Host addresses
/27         1/8th                          32
/26         1/4th                          64
/25         1/2                           128
/24         1                             256
/23         2                             512
/22         4                           1,024
/21         8                           2,048
/20         16                          4,096
/19         32                          8,192
/18         64                         16,384
/17         128                        32,768
/16         256 = 1 class B            65,536
/15         512                       131,072
/14         1,024                     262,144
/13         2,048                     524,288

Table 2.9: Examples of bit usage in generalized classless addresses.

Table 2.8 shows the bit usage of the original IPv4 address classes, and table 2.9 shows how the concept of network part and host part is generalized by the classless addressing scheme. Notice how, at this stage, this is nothing more than a change of notation. The importance of the change, however, lies in the ability to combine or aggregate addresses with a common prefix. Routing authorities that support CIDR are hierarchically organized. Each bit boundary that distinguishes a different network must be responsible for its own administration, so that the level above can simply refer to all its IP sub-ranges in one table entry.
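The notation change described above, worked through in code. This is an added example, not code from the book; it uses Python's standard ipaddress module, and the function names are my own. It converts between the old netmask form and the slash form, regenerates the rows of table 2.9, and checks the one thing CIDR insists on: that a block sits on a power-of-two bit boundary. One caveat on table 2.8: the code uses the standard first-octet boundaries, so class C ends at 223 and 224 onwards is class D/E.

```python
"""Added example, not from the book: classful vs. classless IPv4 notation.

Uses Python's standard `ipaddress` module to reproduce the relationships in
tables 2.8 and 2.9: dotted netmask <-> /prefix notation, the number of host
addresses in a /n block, its size in class C (/24) units, and whether a block
sits on a power-of-two bit boundary (the only kind of range CIDR can express).
"""
import ipaddress


def legacy_class(address: str) -> str:
    """Classful letter for an address by first octet (standard boundaries:
    A 0-127, B 128-191, C 192-223, D 224-239, E 240-255)."""
    first = int(address.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def mask_to_prefix(network: str, netmask: str) -> str:
    """'192.0.2.0', '255.255.255.0' -> '192.0.2.0/24'.

    strict=True rejects a network address with host bits set, and ipaddress
    rejects a non-contiguous mask such as 255.255.0.255, so anything this
    function returns is a legal CIDR block."""
    return str(ipaddress.ip_network(f"{network}/{netmask}", strict=True))


def prefix_to_mask(cidr: str) -> tuple:
    """'192.0.2.0/24' -> ('192.0.2.0', '255.255.255.0'), the older notation."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (str(net.network_address), str(net.netmask))


def host_addresses(prefix_len: int) -> int:
    """Addresses in a /prefix_len block, counted as table 2.9 does (the
    network and broadcast addresses are included; usable hosts are two fewer)."""
    return 2 ** (32 - prefix_len)


def class_c_equivalents(prefix_len: int) -> float:
    """Size of a /prefix_len block in /24 units: 0.125 for /27, 256 for /16."""
    return host_addresses(prefix_len) / 256


def on_bit_boundary(network: str, prefix_len: int) -> bool:
    """True when the block is a legal aggregate, i.e. no host bits are set in
    the network address. 192.0.2.0/23 is; 192.0.3.0/23 is not."""
    try:
        ipaddress.ip_network(f"{network}/{prefix_len}", strict=True)
    except ValueError:
        return False
    return True


def table_2_9(prefix_lens=range(27, 12, -1)) -> list:
    """Regenerate the rows of table 2.9 as (mask, class C equivalents, hosts)."""
    return [(f"/{p}", class_c_equivalents(p), host_addresses(p))
            for p in prefix_lens]


if __name__ == "__main__":
    print(mask_to_prefix("192.0.2.0", "255.255.255.0"))
    for row in table_2_9():
        print("%-5s %8g %8d" % row)
```

The strict=True checks are the practical point: a block such as 192.0.3.0/23 looks plausible but has a host bit set, and a router or firewall rule built from it would cover a different range than the administrator intended.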

2.8.2 Routing domains or Autonomous Systems

Having made a more general split between the network part and host part of an IP address, one can associate a general network prefix with all the hosts in a block of addresses, provided one refers to a block by a bit-boundary. It is now easier to make a generalized hierarchy of ‘containers within containers’, making each organization responsible for its own internal routing.

An Autonomous System (AS) (sometimes called a routing domain) is a set of routers under a single administrative umbrella, that is responsible for its own internal routing, but which needs to exchange data along exterior or border routes between itself and other autonomous systems. Within the AS, interior routing protocols are used; between ASs, border protocols are used, e.g. the Border Gateway Protocol (version 4 supports CIDR) (see figure 2.10).

(Figure 2.10, diagram not reproduced: interconnected autonomous systems labelled AS1, AS2, AS6, AS67, AS86, AS877, AS887, AS3266, AS4571 and AS4813.)

Figure 2.10: The Internet is made up of top-level autonomous systems. These are not necessarily related to the ‘Top Level Domains’, like .com and .net.

In routing tables, CIDR address boundaries are used to represent aggregated containers, i.e. the largest container that contains all of the hosts one is interested in. In general, this aggregate address boundary will also contain more than one is interested in, so there must be a way of restricting traffic to parts within the aggregate address. As with subnetting of hosts, the routers within the aggregate container only pay attention to data if they are addressed to them, using an ‘Autonomous System Number’ (ASN). The ASN of a routing domain is analogous to a ‘host’ address on a Local Area Network, and it requires that each border router knows its ASN identity.

Currently, blocks of addresses are assigned to the large Internet Service Providers (ISPs) who then allocate portions of their address blocks to their customers. These customers, who are often smaller ISPs themselves, then distribute portions of their address block to their customers. Because of the bit-structure in the top-level global routing tables all these different networks and hosts can be represented by the single Internet route entry for the largest container. In this way, the growth in the number of routing table entries at each level in the network hierarchy has been significantly reduced.

In the past, one would get a Class A, B or C address assignment directly from the appropriate Internet Registry (i.e. the InterNIC). Under this scenario, one ‘owned’ the address and could continue to use it even in the event of changing Internet Service Providers (ISPs). However, this would break the CIDR scheme that allows route aggregation. Thus the new model for address assignments is to obtain them from a ‘greater’ ISP in the hierarchy of which the system is a part.

At the time of writing, the global routing tables have approximately 120,000 entries. There are 22,000 assigned Autonomous Systems, of which about half are active.
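The aggregation hierarchy of this section, and the way a ‘portable’ address breaks it, played through in code. This is an added example, not the book's; it uses Python's standard ipaddress module. The ISP allocation, the customer blocks and the AS numbers are constructed for the example, taken from the documentation address ranges (198.51.100.0/24, 203.0.113.0/24) and the documentation AS range AS64496 to AS64511.

```python
"""Added example, not from the book: route aggregation and longest-prefix match.

Plays through the hierarchy of section 2.8.2 with Python's standard
`ipaddress` module. All addresses and AS numbers are constructed sample data
from the documentation ranges; they do not belong to any real network.
"""
import ipaddress

# Constructed: four /24 customer blocks carved from a hypothetical ISP
# allocation of 198.51.100.0/22.
CUSTOMER_BLOCKS = [
    "198.51.100.0/24",
    "198.51.101.0/24",
    "198.51.102.0/24",
    "198.51.103.0/24",
]

# What the rest of the Internet needs to know: one aggregate per ISP.
CORE_TABLE = {
    "198.51.100.0/22": "AS64496",   # hypothetical ISP holding the /22
    "203.0.113.0/24": "AS64497",    # hypothetical second ISP
}

# The book's 'owned address' scenario: the customer with 198.51.101.0/24
# moves to the second ISP but keeps its addresses, so a more specific route
# must now be carried by every router, punching a hole in the aggregate.
AFTER_MOVE_TABLE = dict(CORE_TABLE, **{"198.51.101.0/24": "AS64497"})


def aggregate(blocks):
    """Supernetting: collapse adjacent, bit-aligned blocks into the fewest
    covering prefixes. Blocks that do not pair up on a power-of-two boundary
    (e.g. .101 and .102) stay separate."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def lookup(table, destination):
    """Longest-prefix match: of all routes whose prefix contains the
    destination, forward along the most specific one. Returns None when
    no route covers the destination."""
    addr = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def route_count_saved(blocks):
    """How many routing-table entries aggregation removes for a set of blocks."""
    return len(blocks) - len(aggregate(blocks))


if __name__ == "__main__":
    print("aggregate:", aggregate(CUSTOMER_BLOCKS))
    print("entries saved:", route_count_saved(CUSTOMER_BLOCKS))
    print("before move:", lookup(CORE_TABLE, "198.51.101.9"))
    print("after move: ", lookup(AFTER_MOVE_TABLE, "198.51.101.9"))
    print("table size after move:", len(AFTER_MOVE_TABLE))
```

Two things to notice when running it: the four customer /24s cost the core one entry, not four, and the moved customer costs every core router an extra entry forever, which is exactly why registries stopped handing out provider-independent blocks to small sites.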

2.8.3 Network Address Translation

In order to provide a ‘quick fix’ for organizations that required only partial connectivity, Network Address Translation (NAT) was introduced by a number of router manufacturers [331]. In a NAT, a network is represented to the outside world by a single official IP address; it shields the remainder of its networked machines on a private network that (hopefully) uses non-routable addresses (usually 10.x.x.x).

When one of these hosts on the private network attempts to contact an address on the Internet, the Network Address Translator creates the illusion that the request comes from the single representative address. The return data are, in turn, routed back to the particular host ‘as if by magic’ (see figure 2.11). NAT makes associations of this form:

(private IP, private port) <-> (public IP, public port)

It is important that the outside world (i.e. the true Internet) should not be able to see the private addresses behind a NAT. Letting a private address out into public IP traffic is not just bad manners, it could quickly spoil routing protocols and preclude us from being able to send to the real owners of those addresses. NATs are often used in conjunction with a firewall.

Network address translation is a quick and cheap solution to giving many computers access to the Internet, but it has many problems. The most serious, perhaps, is that it breaks certain IP security mechanisms that rely on IP addresses, because IP addresses are essentially spoofed. Thus some network services will not run through a NAT, because the data stream looks as though it has been forged.

Indeed, it has.

Figure 2.11: Network address translation masquerades many private addresses as a single IP address.
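The association the text gives, (private IP, private port) <-> (public IP, public port), as a small working model. This is an added example, not code from the book or from any router vendor; it uses only Python's standard ipaddress module. The addresses are constructed: 10.0.0.0/8 on the private side, the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 on the public side. It shows the two properties the section relies on, that the outside only ever sees the single public address, and that an inbound packet with no existing association is dropped, plus the border check that keeps private addresses from leaking out.

```python
"""Added example, not from the book: a minimal port-translating NAT.

Models the association (private IP, private port) <-> (public IP, public port)
for outbound flows. All addresses are constructed sample data.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True for the RFC 1918 ranges that must never appear on the public side."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class Nat:
    """One public address shared by a private network (the book's 'single
    representative address'); public ports distinguish the flows."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source; returns the 4-tuple the
        Internet sees. A flow keeps its public port for as long as it lives,
        and two hosts using the same private port get different public ones."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a reply's destination back to the private host. Returns
        None, meaning drop, when the packet is not addressed to the public IP
        or no outbound flow ever created the association: this is the
        shielding the text describes."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


def border_ok(packet) -> bool:
    """Check a packet on the public side of the NAT: neither address may be
    private. This is the 'bad manners' rule from the text, and the filter a
    border firewall applies alongside the NAT."""
    src_ip, _, dst_ip, _ = packet
    return not (is_private(src_ip) or is_private(dst_ip))


if __name__ == "__main__":
    nat = Nat("203.0.113.7")
    out = nat.translate_out("10.0.0.5", 51000, "198.51.100.20", 80)
    print("outside sees:", out, "border ok:", border_ok(out))
    print("reply maps to:", nat.translate_in("198.51.100.20", 80, *out[:2]))
    print("unsolicited:", nat.translate_in("198.51.100.20", 80, "203.0.113.7", 40999))
```

The model also makes the book's objection concrete: the source address and port the remote host sees are not the ones the private host put in the packet, so any service that authenticates the peer by its IP header fields will judge the stream to have been altered in transit.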
