Setting Up Your Gateway's Subnets

One of the most confusing aspects of building an Internet/Amprnet gateway is the design of the gateway's subnets. This short article will attempt to explain the ideas behind subnets and make the subject a little less confusing.

The prime purpose of a gateway is to forward packets to/from a number of local machines. In order to forward packets, you need a route to each and every machine that you service. Now, it doesn't make sense to have routes to every individual machine. Instead, the local machines are grouped together as a range of IP addresses, and the gateway forwards packets to all machines in this range of addresses.

Gateways have to route packets as quickly as possible. One of the ways to speed the process is to express each route in the routing table as a subnet, instead of a range of addresses.

The Idea of a Subnet

Let's take a range of IP addresses that we want to build a route for.

    44.136.8.0 to 44.136.15.255

Rewriting this in binary, the range is

    00101100100010000000100000000000 to 00101100100010000000111111111111

We can see that, for all addresses in the range, most of the bits are common. We call these the network bits in each address, as they represent the "network" portion of each machine's address. The remaining bits are known as the host bits, as they represent the particular host machine on the network (i.e. in the range of addresses). In the range of addresses above, we can divide each address thus:

    001011001000100000001 XXXXXXXXXXX
        network bits       host bits

We can rewrite this in subnet form as 44.136.8.0/21 or 44.136.8/21. This says that the range of addresses all have the first 21 bits in common, and that these 21 bits are 44.136.8. This also says that the first address in the range is 44.136.8.0.

How does this speed up a gateway's job? When a packet arrives at a gateway for delivery, the gateway may have to check each route to see if the packet's destination is covered by the route. If the gateway expressed routes as ranges of addresses, it would have to check if the destination fell inside every route's range, which is a slow process.

If subnets are used instead, the gateway can turn off the host bits in the destination address, and match against the network bits of each route. For example, a packet arrives for 44.136.12.89:

    00101100100010000000110001011001

The gateway tries each route in turn, starting with the routes that have the most network bits. When it reaches 44.136.8/21, it turns off the host bits:

    001011001000100000001 00000000000 matches
    001011001000100000001

which matches the network bits 44.136.8. The packet can then be successfully delivered using the matching route.

Choosing a Suitable Range of Addresses

Choosing a suitable range of addresses can be difficult. The main thing to note here is that, because a subnet is expressed as a set of network bits, you can't represent a range of IP addresses that don't all share a common set of network bits. For example, the range 44.63.27.9 to 44.85.99.12 is the range:

    00101100001111110001101100001001 to 00101100010101010110001100001100
    001011000 are the shared bits

The machines in this range share the network bits 001011000, which results in the subnet 44.0/9. This has the range 44.0.0.0 to 44.127.255.255, which is a lot larger than the desired range!

The problem here is that the number of bits shared by all the machines in the range is small, which results in a subnet expression which covers many more addresses than desired. We can solve this by altering the range so that more of the network bits are shared, e.g:

The moral here is: start your range of addresses on a power of two. In other words, use components of your address that are powers of two:

To help you convert IP ranges into subnets, and let you try "what if" tweaking of your ranges, I have written a C program which converts a range of IP addresses into subnets. Email me to get a copy, or use the Range Checker web page to check your ranges via the Web. Your aim is always to minimize the number of subnets needed to express your range of addresses.

Let's take a couple of examples from the current encap.txt file. 198.31.121.65 has routes for 44.2.0/20, which is the range 44.2.0.0 to 44.2.15.255, nice and tidy. Similarly, 128.149.37.26 has routes for 44.16/16, which is the range 44.16.0.0 to 44.16.255.255; again nice and tidy.

202.12.89.9 has the problem that it wants to route for the range 44.136.171.0 to 44.136.203.255. This leads to the set of subnets 44.136.171/24, 44.136.172/22, 44.136.176/20, 44.136.192/21 and 44.136.200/22. Unless this range can be reduced, not much can be done here. I'll suggest a possible alternative in the next section.
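
The conversion from a range to subnets can be sketched as follows. This is an added example, not the author's C program mentioned above; the names range_to_subnets and struct subnet are chosen here. It repeatedly takes the largest block that starts on a power of two and still fits in the range, and for 44.136.171.0 to 44.136.203.255 it yields the five subnets listed above.

```c
#include <stdint.h>
#include <stdio.h>

/* One subnet: network address plus the number of network bits. */
struct subnet { uint32_t net; int bits; };

/* Pack four octets into a 32-bit address. */
static uint32_t ip(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Split first..last into the fewest subnets. Writes at most max entries
   to out and returns the number written. */
static int range_to_subnets(uint32_t first, uint32_t last,
                            struct subnet *out, int max) {
    uint64_t cur = first, end = last;   /* 64-bit so cur can step past 2^32-1 */
    int n = 0;

    while (cur <= end && n < max) {
        int host = 0;                   /* host bits of the block at cur */
        /* Double the block while it still starts on a multiple of its own
           size (a power of two) and still ends inside the range. */
        while (host < 32 &&
               (cur & ((1ULL << (host + 1)) - 1)) == 0 &&
               cur + (1ULL << (host + 1)) - 1 <= end)
            host++;
        out[n].net = (uint32_t)cur;
        out[n].bits = 32 - host;
        n++;
        cur += 1ULL << host;
    }
    return n;
}

int main(void) {
    struct subnet s[64];
    int n = range_to_subnets(ip(44, 136, 171, 0), ip(44, 136, 203, 255), s, 64);

    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%d\n", (unsigned)(s[i].net >> 24),
               (unsigned)((s[i].net >> 16) & 255), (unsigned)((s[i].net >> 8) & 255),
               (unsigned)(s[i].net & 255), s[i].bits);
    return 0;
}
```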

Coalescing a Set of Subnets

In some instances, a gateway's set of subnets can be made smaller. From the current encap.txt file we see that 151.97.6.19 has 8 subnets covering the range 44.134.120.0 to 44.134.127.255. This range can actually be covered by the single subnet 44.134.120/21. This change would help reduce the size of the routing table in every gateway.

Coalescing a Set of Ranges

Remember that gateways process routes from most network bits down. This means that a 44.136.8/21 route is chosen before a 44.136/16 route, which is chosen before a 44/8 route. This allows very general routes to be specified, which are overridden by more specific routes (i.e. routes to a smaller number of machines).

We can use this ordering of routes to install a subnet which covers a greater range than is actually required, in the knowledge that a more specific subnet will override it where necessary. Let's reconsider the range 44.136.171.0 to 44.136.203.255, which requires 5 subnets. If the five subnets were replaced by the single subnet 44.136.128/17, this would cover a much larger range, 44.136.128.0 to 44.136.255.255. This is not a problem because more specific subnets will cover the unwanted addresses, e.g. the /24 subnet 44.136.221/24 (from the encap.txt file) will override the /17 subnet for the range 44.136.221.0 - 44.136.221.255.
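
The lookup described in The Idea of a Subnet and the override behaviour described here can be seen together in the following added example. It is not code from any gateway; the table is constructed from subnets quoted in this article and the gateway names are placeholders. Routes are sorted most network bits first, the host bits of the destination are turned off with each route's mask, and the first match wins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct route { uint32_t net; int bits; const char *via; };

/* Pack four octets into a 32-bit address. */
static uint32_t ip(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Netmask with the top `bits` bits set (a /0 must not shift by 32). */
static uint32_t mask(int bits) { return bits ? 0xFFFFFFFFu << (32 - bits) : 0; }

/* qsort order: most network bits first. */
static int by_bits_desc(const void *a, const void *b) {
    return ((const struct route *)b)->bits - ((const struct route *)a)->bits;
}

/* Turn off the host bits of dst for each route in turn; first match wins. */
static const struct route *lookup(const struct route *tab, size_t n, uint32_t dst) {
    for (size_t i = 0; i < n; i++)
        if ((dst & mask(tab[i].bits)) == tab[i].net)
            return &tab[i];
    return NULL;
}

/* Network bits of the route chosen for dst in a constructed table, or -1. */
static int chosen_bits(uint32_t dst) {
    struct route tab[] = {                  /* gateway names are placeholders */
        { ip(44, 0, 0, 0),      8, "gw-general" },
        { ip(44, 136, 128, 0), 17, "gw-coalesced" },
        { ip(44, 136, 8, 0),   21, "gw-a" },
        { ip(44, 136, 0, 0),   16, "gw-b" },
        { ip(44, 136, 221, 0), 24, "gw-c" },
    };
    size_t n = sizeof tab / sizeof tab[0];

    qsort(tab, n, sizeof tab[0], by_bits_desc);
    const struct route *r = lookup(tab, n, dst);
    return r ? r->bits : -1;
}

int main(void) {
    printf("44.136.12.89 -> /%d\n", chosen_bits(ip(44, 136, 12, 89)));
    printf("44.136.221.7 -> /%d\n", chosen_bits(ip(44, 136, 221, 7)));
    printf("44.136.180.1 -> /%d\n", chosen_bits(ip(44, 136, 180, 1)));
    return 0;
}
```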

Here's another example from the encap.txt file. 198.189.21.30 has three separate subnets which cover three address ranges that are disjoint:

The single subnet 44.4.40/21 will cover the range 44.4.40.0 to 44.4.47.255, and the unwanted addresses in the range can be covered by more specific subnets.

Before you try this technique out, use the Range Checker to get a single subnet, and cross-check the resulting range against the routes in the encap.txt file. Make sure you document your desired and actual ranges in the gateways file, and be prepared to go back to multiple subnets if a conflict arises.
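
An added example of the cross-check, not the Range Checker itself: covering_subnet keeps the leading bits shared by both ends of a range, extra_addresses counts the addresses the single subnet takes in beyond the desired range, and relation classifies an existing route against the candidate. The function names and the relation codes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

struct subnet { uint32_t net; int bits; };

/* Pack four octets into a 32-bit address. */
static uint32_t ip(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Netmask with the top `bits` bits set (a /0 must not shift by 32). */
static uint32_t mask(int bits) { return bits ? 0xFFFFFFFFu << (32 - bits) : 0; }

/* Smallest single subnet holding both ends: keep the leading bits they share. */
static struct subnet covering_subnet(uint32_t first, uint32_t last) {
    struct subnet s = { 0, 0 };

    while (s.bits < 32 && ((first ^ last) & mask(s.bits + 1)) == 0)
        s.bits++;
    s.net = first & mask(s.bits);
    return s;
}

/* Addresses the covering subnet takes in beyond the desired range. */
static uint64_t extra_addresses(uint32_t first, uint32_t last) {
    struct subnet s = covering_subnet(first, last);

    return (1ULL << (32 - s.bits)) - ((uint64_t)last - first + 1);
}

/* Relation of an existing route r to candidate c (codes chosen for this example):
   0 no overlap, 1 r is more specific and overrides c,
   2 same subnet (conflict), 3 r is less specific, so c would override part of it. */
static int relation(struct subnet c, struct subnet r) {
    if (r.bits > c.bits)
        return (r.net & mask(c.bits)) == c.net ? 1 : 0;
    if (r.bits == c.bits)
        return r.net == c.net ? 2 : 0;
    return (c.net & mask(r.bits)) == r.net ? 3 : 0;
}

int main(void) {
    uint32_t first = ip(44, 136, 171, 0), last = ip(44, 136, 203, 255);
    struct subnet c = covering_subnet(first, last);
    struct subnet r = { ip(44, 136, 221, 0), 24 };  /* route quoted in the article */

    printf("/%d, %llu extra addresses, relation %d\n", c.bits,
           (unsigned long long)extra_addresses(first, last), relation(c, r));
    return 0;
}
```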

Summary

In summary, subnets are used instead of IP address ranges to improve the speed of packet routing. There are some limitations with subnetting, and you should be aware of them when choosing a range of addresses for a subnet. However, with a little bit of care you can select a suitably small number of subnets to cover the range of addresses that you have.


Warren Toomey
Thu Mar 7 14:15:08 EST 1996