Copyright © 2005 Andrew Macpherson. Redistribution permitted under the GNU Creative Commons Licence.
Maximising address space by shunning one's neighbours
Today’s SOHO ADSL customer typically buys a small block of 8 fixed IP addresses which, after deduction of two broadcast values and a gateway address, leaves 5 usable addresses for their equipment.
None of these three deducted addresses should be accessible from the Internet at large, unless the gateway address is used both on the LAN and WAN interface (unusual). Additionally hosting center customers will sometimes find themselves with blocks that cannot simply be joined by shifting their netmask by one bit, implying a duplication of the overhead.
This article will explore ways of losing the overhead, and discuss the consequences.
Address allocation to network customers
Address space is given to end customers in two models, which can be characterised as hub vs firewall, or N vs N+1. In the hub case the N addresses will be just that — N addresses within a larger address space, quite possibly assigned completely at random. The random assignment is particularly true of some cable operators.
With the firewall or N+1 model the address assignment matches conventional routed subnets: the N addresses are contiguous, while the 1 is the Red interface of the firewall, and will definitely be assigned on the hub model.
Switch / Hub customers
Where each host plugs directly into a larger network, each must act as its own firewall. The broadcast address will be that for the whole subnetwork, and no address space is wasted. The interface hub will simply forward most packets to the service provider’s LAN, though local inter-host packets may stay within the hub or switch. Many service providers use this model, and it is the only model for single-address USB broadband modems, and in common use for multi-address cable modems.
RFC1219 (qv) “On the assignment of subnet numbers” is unfortunately much neglected by hosting centres and those assigning static blocks on the N+1 model to ADSL/leased line customers. This scheme would allocate starting addresses for allocation chunks thus:
|. . .|
in a form of reverse binary counting, where the leftmost bit of the final octet is the least significant bit and the rightmost the most significant. It maximises the space that an assigned block can be expanded to fill for as long as possible while the bigger block is being split up.
If the simple guidelines in this standard were followed for the starting addresses of the assigned blocks, then it would be easy to accommodate any rapid initial growth of address-space requirements of their customers, with an easy netmask change. Of course, once the space is allocated, problems are as bad as if the procedure had never been followed.
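The reverse binary counting described above can be worked through in a few lines. This is an added example, not code from the original article: the pool 192.0.2.0/24 is a constructed sample from the documentation range, and the function names are hypothetical. It compares how far the first four 8-address chunks can grow by netmask change alone under mirrored and under sequential allocation.

```python
import ipaddress

def mirror(n, bits):
    """Reverse the low `bits` bits of n, so counting fills the leftmost bit first."""
    out = 0
    for _ in range(bits):
        out = (out << 1) | (n & 1)
        n >>= 1
    return out

def mirrored_chunks(pool, chunk_prefix):
    """Chunks of `pool` in reverse-binary (mirror-image) allocation order."""
    pool = ipaddress.ip_network(pool)
    bits = chunk_prefix - pool.prefixlen
    size = 1 << (pool.max_prefixlen - chunk_prefix)
    base = int(pool.network_address)
    return [ipaddress.ip_network((base + mirror(i, bits) * size, chunk_prefix))
            for i in range(1 << bits)]

def growth_room(chunks, pool):
    """Largest block each chunk could grow into by netmask change alone,
    i.e. the biggest enclosing network holding no other allocated chunk."""
    pool = ipaddress.ip_network(pool)
    room = {}
    for c in chunks:
        best = c
        while best.prefixlen > pool.prefixlen:
            parent = best.supernet()
            if any(o != c and o.subnet_of(parent) for o in chunks):
                break
            best = parent
        room[str(c)] = str(best)
    return room

POOL = "192.0.2.0/24"  # constructed sample pool (documentation range)
mirrored = mirrored_chunks(POOL, 29)[:4]
sequential = list(ipaddress.ip_network(POOL).subnets(new_prefix=29))[:4]

if __name__ == "__main__":
    print("mirrored  :", growth_room(mirrored, POOL))
    print("sequential:", growth_room(sequential, POOL))
```

With mirrored allocation each of the first four customers can still grow to 64 addresses; with bottom-up allocation none can grow at all.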
So what usually happens? The technician delegating address space simply starts at the bottom of their allocated space and hands it out in their normal n-address chunks, typically 8 addresses for broadband, and 16 or 32 for hosting centres. We will consider an 8 address block for most of the rest of this article:
This block has an associated netmask of 255.255.255.248. When we do a bitwise not of the netmask, and bitwise ‘or’ that with the network, we get the broadcast address. The total effect is that 3 addresses, 38% of the address space you are paying for, are lost to overhead and unusable for your machines.
So what about this overhead?
Let’s start with something that may surprise you. All these “overhead” addresses are just host addresses as far as most of the internet is concerned. They have no special meaning — nothing tells the internet that these are broadcast addresses, gateways or sub-networks.
That’s right — if we can remove their special local meaning these addresses can be used for more hosts — just like you thought you would be able to!
Yes, but don’t we need broadcast addresses?
Yes we need a broadcast address locally, but there is no legitimate reason for all the Internet at large to be able to talk to it. Also the first address in the block, sometimes known as the “zeros” broadcast is not actually used except inside routing tables to identify the sub-network. It may or may not be usable depending on what equipment your ISP is using to talk to you — but outside your ISP it is definitely just another host address.
Ok but what about my firewall?
Well you have to be able to address it, but the world out there does not need to be able to talk to the inside address of your firewall — you’ve already exposed the WAN port for them to attack. That’s enough! If you move that address outside the visible range you have space for another server.
Ok I want to have more addresses, what do I do?
Poor artists copy, great artists steal. — Salvador Dali
Steal some extra address space for internal use. The stolen space is something you can only look at in private (like stolen art) and you will not be able to access the systems which legitimately have those addresses, so if the WAN-side gateway falls into the range you are going to steal, forget it; likewise other WAN-side services. But in general you will be cutting off your neighbours. In Britain those neighbours might well be at the other end of the country because of the way traffic is tunnelled by BT to your ISP. The odds are you would never want to talk to their servers anyway.
To steal addresses you need to shift your netmask until there is address space both before and after the routable block you have been assigned. In our example our block starts at 184.108.40.206, and the netmask is 255.255.255.248. If we shift the netmask by one bit to 255.255.255.240 then the address block will start at 220.127.116.11 but still finish at 18.104.22.168, so we need to move the netmask by 2 bits to 255.255.255.224. Now we are declaring our internal network to comprise 32 addresses 22.214.171.124, though we still only have the original 8 routable addresses.
There have been some side effects though — the zeros broadcast address has become the unroutable 126.96.36.199 and the ones broadcast 188.8.131.52 — again outside the routable block, freeing 2 addresses for you to put hosts on.
And don’t forget that you can get an extra address by moving your firewall’s internal gateway address out of the routable block as well — in our example 184.108.40.206 might be a good address, as it is a “broadcast address” when allocated by your ISP.
None of the addresses we’ve subverted will be used by anyone with a conventional configuration. They’re all broadcast or network addresses. If you’re really concerned you can put explicit routes into your kernel for the other hosts in the blocks you’ve taken over as local.
Finally, if you have a managed hub, this again is something that you should keep outside the publicly visible address space, but if you have remote control power switches, remember that the switch that controls your firewall has to have an accessible address outside the firewalled block.
Configuring iptables on a Linux Firewall/Router
We need to confine the forwarded traffic to the address range that we have been allocated, and prevent any of our usurped address space from leaking. I’ll assume that you have other filtering to do in your FORWARD chain, but all you need is:
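# Inbound: drop anything not addressed to the routable /29
iptables -I FORWARD -p all -i $Red -o $Green ! -d 220.127.116.11/29 -j DROP
# Outbound: drop anything not sourced from the routable /29
iptables -I FORWARD -p all -i $Green -o $Red ! -s 18.104.22.168/29 -j DROP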
where Red and Green are the obvious network interfaces.
Is it worth the bother?
Well let’s keep things in proportion… When one is dealing with very small address blocks (4, 8, 16 addresses) the overhead of 3 lost addresses is high. By the time the address block is 32 wide, the loss is under 10% and may be considered acceptable.
There are “edge conditions” where you might think twice — for instance if your block had ended with a 255 you might consider taking an internal net mask of 255.255.254.0 — two Class C networks’ worth of address space cuts off too many neighbours to be reasonable for the gain of 1 host address.
Where the technique is particularly useful is where one wishes to join 2 small blocks of public address space that are adjacent, but not immediately suitable for a simple bit shift in netmask. Here, instead of for instance 2 lots of 5 usable addresses, one can gain 6 further addresses. For example if the initial address block we had 8--15 were added to with the block 16--24 we could use the same extended subnet as in the example above, and might want to set the gateway to
Finally — disturbing thought — ISPs can use this method to give their customers blocks of four addresses, and thus almost double their address space utilisation, but for the ISP it’s easier to use hub allocation and make it difficult for the customer to install firewalls, than to man a help desk to explain what’s in this paper.
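The netmask-shifting procedure from “Ok I want to have more addresses”, together with the edge condition and the joined-block case discussed in this section, can be checked with the following added example (not code from the original paper). It generalises the single-block case to several blocks; the 192.0.2.x blocks are constructed samples from the documentation range and the function names are hypothetical.

```python
import ipaddress

def widen(blocks):
    """Smallest internal network whose network ("zeros") and broadcast
    ("ones") addresses both fall outside every routable block."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    inner = nets[0]
    # Shift the netmask one bit at a time until there is spare address
    # space both before and after the routable range.
    while not (inner.network_address < first and last < inner.broadcast_address):
        if inner.prefixlen == 0:
            raise ValueError("no enclosing network leaves room on both sides")
        inner = inner.supernet()
    return inner

def plan(blocks):
    """Summarise what widening buys and how many neighbours it cuts off."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    inner = widen(blocks)
    routable = sum(n.num_addresses for n in nets)
    return {
        "internal_net": str(inner),
        "netmask": str(inner.netmask),
        "network_addr": str(inner.network_address),
        "broadcast_addr": str(inner.broadcast_address),
        # Assumes the firewall's inside address is also moved out of the block.
        "public_hosts": routable,
        # Conventional setup: each block loses 2 broadcast values + 1 gateway.
        "conventional_hosts": sum(n.num_addresses - 3 for n in nets),
        "neighbours_cut_off": inner.num_addresses - routable,
    }

if __name__ == "__main__":
    for sample in (["192.0.2.8/29"],                    # single 8-address block
                   ["192.0.2.8/29", "192.0.2.16/29"],   # two adjacent blocks
                   ["192.0.2.248/29"]):                 # block ending in .255
        print(sample, plan(sample))
```

The last sample shows the edge condition: a block ending in .255 needs a 255.255.254.0 internal netmask and shadows 504 neighbouring addresses to gain the same three hosts.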
This paper was first presented at the UKUUG 2005 Spring Convention