How to use netmasks at [ignore IPs] section

This section of the document and the code for using netmasks were written by Davorin Bengez (dbengez@znanost.hr).

1. Summary of changes

The `Host ignore' block contains one or more lines with IP addresses of hosts that will be ignored for counter updates.

A new feature in this release is the possibility to mask off groups of hosts (subnetworks) defined by corresponding network / netmask pairs. This can be useful if we wish to exclude accesses from the hosts on our campus or from the hosts of the people developing the pages.

To accomplish this, each line in the host ignore block can take two arguments. If the second argument is present, the first is taken as the network address and the second as the netmask. If only one argument is present, it is taken as a host address or a host address with a wild card.

If this concept with "network address / netmask" sounds unfamiliar, you should consult your friendly network administrator.

2. How to determine ignore hosts parameters

To configure the `ignore hosts' block in the configuration file, you should know at least how the network / netmask concept works. Here is a brief description.

2.1. IP Addresses and netmasks concept

An IP address is a 32-bit value (four octets) that, for readability, is written as four decimal values separated by dots (the so-called dotted quad). For example, the address

 161.53.4.28
in dotted quad notation is, in binary notation,
 10100001 00110101 00000100 00011100
The binary representation is what we will need to determine network addresses and netmasks.

Each IP address consists of a network part and a host part.

Generally speaking, networks are split into several classes. Here are three primary forms [1]:

- a class A network has its first octet in the range 0 to 127. The first octet is the network address while the other three octets specify the host part. In binary notation it looks like this (n - network, h - host):

 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
There are 2^7 such possible networks, each with (2^24 - 2) hosts.

- a class B network has its first octet in the range 128 to 191. The first two octets are the network address, and the third and fourth are the host address. In binary notation it looks like this (n - network, h - host):

 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
There are 2^14 such possible networks, each with (2^16 - 2) hosts.

- a class C network has its first octet in the range 192 to 223. The first three octets are the network address, and the fourth is the host address. In binary notation it looks like this (n - network, h - host):

 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
There are 2^21 such possible networks, each with (2^8 - 2) hosts.

Note: the "-2" is because a host part of 0 is reserved for "this host", and a host part of all ones (255) means broadcast, or "all hosts on this network".

Nothing stops us from dividing the network given to us by a service provider into several smaller networks. This is often done in real life.

The network is partitioned by setting a 32-bit subnet mask in which 1's represent the network part and 0's represent the host part of the IP address. From the above, we may correctly assume that the default netmask for a class B network is 11111111 11111111 00000000 00000000 (in binary, or 255.255.0.0 in dotted quad notation).

For example, if we are given one class C network (maximum of 254 hosts) and we want to partition it into 8 networks of 32 hosts each, we can do it as in the following example:

Example:

Let us assume that we are given a class C network with address 220.105.101.0. The initial netmask is set to 255.255.255.0. To partition this network into 8 subnetworks, we need to take 3 bits from the host part of the address (2^3 = 8). Let's write it in binary:

Network address 220.105.101.0:

 11011100 01101001 01100101 00000000
Netmask was 255.255.255.0:
 11111111 11111111 11111111 00000000
As we want to have 8 subnetworks (which needs 3 bits from the host part), the netmask will be 11111111 11111111 11111111 11100000, or 255.255.255.224 in dotted quad notation.

The host part of the address has shrunk to 5 bits, so the new network addresses fall on intervals of 2^5. Therefore, our new subnetworks will be:

 220.105.101.0     220.105.101.32    220.105.101.64    220.105.101.96
 220.105.101.128   220.105.101.160   220.105.101.192   220.105.101.224
n.b. The same netmask (255.255.255.224) applies to each of the 8 networks.

From the previous example it can be seen that a netmask cannot be set on an arbitrary boundary, but only on boundaries that are powers of 2.

2.2. Configuration guidelines

As a matter of fact, it doesn't matter whether your network is class A, B or C. What matters is which subnetwork or part of the network you want to mask off.

To determine whether a certain host is within a certain network, the host's address is ANDed with the netmask and the result is compared to the network address. If they are identical, the host is within the given network.

Example 1: Determine whether host 161.53.4.4 is located within the network 161.53.4.0 with netmask 255.255.255.0:
                decimal          binary

host address    161.53.4.4       10100001 00110101 00000100 00000100
netmask         255.255.255.0    11111111 11111111 11111111 00000000
ANDed           161.53.4.0       10100001 00110101 00000100 00000000

network address 161.53.4.0       10100001 00110101 00000100 00000000
Since 161.53.4.0 = 161.53.4.0, the host is contained within the network.

Example 2:

Determine whether the host 161.53.91.7 is located within the network 161.53.91.0 with netmask set to 255.255.255.224:
                decimal          binary

host address    161.53.91.7      10100001 00110101 01011011 00000111
netmask         255.255.255.224  11111111 11111111 11111111 11100000
ANDed           161.53.91.0      10100001 00110101 01011011 00000000

network address 161.53.91.0      10100001 00110101 01011011 00000000
Since 161.53.91.0 = 161.53.91.0, the host is located within the network.

Example 3:

Determine whether the host 161.53.91.99 is located within the network 161.53.91.0 with netmask set to 255.255.255.224:
                decimal          binary

host address    161.53.91.99     10100001 00110101 01011011 01100011
netmask         255.255.255.224  11111111 11111111 11111111 11100000
ANDed           161.53.91.96     10100001 00110101 01011011 01100000

network address 161.53.91.0      10100001 00110101 01011011 00000000

Since 161.53.91.96 != 161.53.91.0, the host is NOT located within the network.
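The following is an added example (not the tool's own code) that ties section 1 to section 2.2: it parses a constructed `Host ignore' block, where a line with two arguments is a network / netmask pair and a single argument is a host or a host with a wild card, and applies the "host AND netmask == network address" test from Examples 1 to 3. The two configuration checks (a netmask must be a contiguous run of 1's, and the network address must have no host bits set, otherwise the rule can never match) and the '#' comments in the sample are assumptions of this example, not documented features of the tool.

```python
import re

# Constructed sample `Host ignore' block; '#' comments are an assumption here.
IGNORE_BLOCK = """
161.53.4.28                      # a single host
161.53.91.0   255.255.255.224    # network / netmask pair (Example 4)
161.53.5.16   255.255.255.240    # hosts 161.53.5.16 to .31 (Example 5)
10.0.*.*                         # host address with wild card
"""

def dq2int(dq):  # dotted quad -> 32-bit int, e.g. 255.255.255.224 -> 0xFFFFFFE0
    o = [int(x) for x in dq.split(".")]
    if len(o) != 4 or any(not 0 <= x <= 255 for x in o):
        raise ValueError("bad dotted quad: " + dq)
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def parse_ignore_block(text):
    """Turn the block's lines into (kind, value) rules; reject bad netmasks."""
    rules = []
    for line in text.splitlines():
        args = line.split("#", 1)[0].split()
        if not args:
            continue
        if len(args) >= 2:                        # network address + netmask
            net, mask = dq2int(args[0]), dq2int(args[1])
            host_bits = ~mask & 0xFFFFFFFF
            if (host_bits + 1) & host_bits:       # 1's in the mask must be contiguous
                raise ValueError("non-contiguous netmask: " + args[1])
            if (net & mask) != net:               # such a rule could never match
                raise ValueError("host bits set in network address " + args[0])
            rules.append(("net", (net, mask)))
        elif "*" in args[0]:                      # host address with wild card
            pat = "^" + re.escape(args[0]).replace(r"\*", r"\d{1,3}") + "$"
            rules.append(("wild", re.compile(pat)))
        else:                                     # plain host address
            rules.append(("host", dq2int(args[0])))
    return rules

def is_ignored(ip, rules):
    """Section 2.2 test: (host AND netmask) == network address -> ignored."""
    addr = dq2int(ip)
    return any((kind == "net" and (addr & val[1]) == val[0])
               or (kind == "wild" and val.match(ip) is not None)
               or (kind == "host" and addr == val) for kind, val in rules)

def block_error(text):  # the configuration error for `text`, or None if valid
    try:
        parse_ignore_block(text)
    except ValueError as err:
        return str(err)
```

Run the parser once at configuration time; a misspelt netmask then fails loudly instead of silently letting the accesses it was meant to exclude through into the counters.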

To set the netmask properly, and to check the configuration, you must know which addresses are covered by a certain network address / netmask combination.

Example 4:

Which hosts are located within the network 161.53.91.0 with netmask set to 255.255.255.224?

                decimal          binary

network address 161.53.91.0      10100001 00110101 01011011 00000000
netmask         255.255.255.224  11111111 11111111 11111111 11100000
It is obvious that only the last 5 bits are the host address, since the netmask masks off the upper 3 bits of the last octet. Possible host addresses range from 0 (which cannot be used) up to 00011111 binary, or 31 in decimal. Therefore, the hosts within the given network are 161.53.91.1 to 161.53.91.31.

n.b. With the above netmask, the possible networks are:

 161.53.91.0    161.53.91.32   161.53.91.64   161.53.91.96
 161.53.91.128  161.53.91.160  161.53.91.192  161.53.91.224

Example 5:

How can I select hosts with addresses in the range 161.53.5.16 to 161.53.5.31?

first host      161.53.5.16      10100001 00110101 00000101 00010000
last host       161.53.5.31      10100001 00110101 00000101 00011111

(all selected hosts)             10100001 00110101 00000101 0001xxxx

It can be observed that the host part is the last four bits of the address, which leads to the netmask 255.255.255.240. The network address is the address of any of the hosts ANDed with the netmask:
any host                         10100001 00110101 00000101 0001xxxx
netmask         255.255.255.240  11111111 11111111 11111111 11110000

network         161.53.5.16      10100001 00110101 00000101 00010000

References:

[1] Douglas E. Comer
    "Internetworking With TCP/IP - Principles,
     Protocols, and Architecture"

[2] Uyless Black
    "TCP/IP and Related Protocols"
