You may have heard that computers represent
all numbers as "bits", or "zeros and ones." It would be more fair to say that computers
work primarily with groups of eight 0's or 1's, called bytes.
In practice, most desktop PC's work with clumps of four bytes at a time, or 32 bits.
That's why 80386 through Pentium IV processors are called 32-bit processors.
[Athough Pentium class processors have some 64-bit attributes such as a 64-bit
external memory bus,they still do most operations as 32-bit operations.]
Now, think back to first grade math, when the teacher was describing the decimal numbering
system. As it happens, it's called "decimal" (the root of the word is from Latin decima,
a tenth part or tithe) because it's a numbering system that uses ten
numbers: the numbers zero through nine. If you need to represent a number larger than nine,
you have to start adding additional digits; then the teacher described the ones place,
the tens place, the hundreds place, etc. For example,
the number 45678 has a four in the "ten thousands" place, a five in the "thousands" place,
a six in the "hundreds" place, a seven in the "tens" place, and a 8 in the "ones" place:
Since computers work in binary, and only have "0" and "1" to work with, they have to start
new digits ("binary places", not "decimal places") as soon as they get past the
number one! In decimal, the "decimal places" were all powers of ten:
In binary, the "binary places" follow powers of two:
20=1 (1 binary),
21=2 (10 binary),
22=4 (100 binary),
23=8 (1000 binary),
24=16 (10000 binary),
25=32 (100000 binary),
26=64 (1000000 binary),
27=128 (10000000 binary),
28=256 (100000000 binary), etc.
The number 45678 is represented in binary as follows:
(Binary Places, expressed as Decimal:)
(Add up the columns where you find ones: 32768 plus 8192 plus 4096 plus 512 plus 64 plus 32 plus 8 plus 4 plus 2 equals 45678!)
Counting to Forty:
Now, an IP Address is four bytes, eight bits each, represented as decimal numbers with
periods in between; for example, 10.5.72.230. This number can be represented in binary
(remember when I said that IP Addresses are best expresses as 32-bit binary numbers?
I did mention that, didn't I?) as b00001010.00000101.01001000.11100110.
(The "b" means "binary"; that and the periods are added for your convenience.)
Now, 232 (two to the thirty-second power) is 4294967296, or just over four
billion. So, theoretically, there are over four billion IP addresses available to the world;
so why is there a shortage? (Oh yeah, have you heard? There's a shortage. Last I checked,
they're projecting to run out of IP addresses around the year 2025.)
Well, as it turns out, trying to keep track of where four billion individual hosts are
would be pretty much impossible for equipment today, and certainly impossible for equipment
many years ago when TCP/IP routing was being developed. So, routing was (over)simplified by splitting
the IP address space into "classes"; those IP addresses whose first byte was in the
range 1-126 would belong to networks of 16,777,214 (224-2) hosts; these were called
"Class A" networks, and there are 127 of them. In Class A networks, the first eight bits
are the "network portion", and the last 24 bits are the "host portion." Those IP addresses
whose first byte was in the range 128-191 were called "Class B" networks of 65,534
(216-2) hosts, and there were 16,384 (that's (192-128)*256) of them. That's 16 bits
for the network portion, and 16 bits for the host portion. "Class C" networks, where the first
byte is in the range 192-223, have a 24 bit network portion, and an 8 bit host portion.
Note how neatly everything lines up on byte boundaries:
Network Mask (binary)
Now, since it's unlikely that a network administratior is going to want to have some
16,777,214 (nearly seventeen million) hosts on the same network segment(!), network administators
were allowed to administratively split up their networks by subnetting them. Routing on
the Internet backbones was fairly simple... until they started to hit the Class C networks
hard. If your company needed 1,000 IP addresses, you'd probably get four Class C networks to
accomodate them... but that would add four individual routes propagated to every "backbone" router
on the Internet! Hence the need to split up networks on other than just byte boundaries.
This is where everything got hard.
It turns out that you can combine four "Class C" networks together into one routing table entry
by using a subnet mask (aka Network Prefix) of 255.255.252.0. But not just any four;
as it happens, they must be contiguous, and the third byte of the first network must
be a multiple of four (like the number 204 is.) If you want to join eight of them
together, the first network must be a multiple of eight (which the number 204 is not.)
If you want to join ten networks together... well, you can't. Ten is not a power
of two. Funny how everything follows powers of two...
B. Boolean Logic and The Binary "AND"
Named after the nineteenth-century mathematician George Boole, Boolean logic is a form of
algebra in which all values are reduced to either TRUE (1) or FALSE (0). All math performed
by modern computers is done using Boolean algebra. A few basic operations:
true if A AND B are true
1 AND 1 = 1
1 AND 0 = 0
0 AND 1 = 0
0 AND 0 = 0
true if A OR B are true
1 OR 1 = 1
1 OR 0 = 1
0 OR 1 = 1
0 OR 0 = 0
XOR (eXclusive Or)
true if either A or B are true
1 XOR 1 = 0
1 XOR 0 = 1
0 XOR 1 = 1
0 XOR 0 = 0
opposite of A
NOT 1 = 0
NOT 0 = 1
The binary "and" operation is often used when you want to see only certain bits of a given byte--
a procedure called "masking." Some of you may have seen a similar thing in school; some of my
teachers used to conduct multiple-choice tests where you would fill in a circle cooresponding to
the answer you thought was correct. The teacher would then take an overlay, or mask, and place it over the
answer sheet. This overlay had holes only where the marking spots for the correct answers were,
and the teacher would mark any answers where he/she didn't see a mark, as incorrect. The subnet mask
is used in this fashion by the computer to determine which address bits are in the network portion of an IP
address, and which bits are used for the host, or workstation, portion.
C. The Subnet "Mask"
The subnet mask is used to figure out what network you're on. The reason it's called a "mask"
is the same reason the tape you use to cover trim when painting is called "masking tape"; you
use it to cover up the parts you don't want to deal with right now. Did you notice how, in
a binary AND, any time B is zero, the result is zero? And any time B is one, the result is
whatever A is? Hmmm.....
The primary use of the subnet mask (from our perspective at the Near Side of the 'Net) is for
workstations to determine whether or not the server or workstation they're trying to talk to
(the "destination IP address") is on the same subnet as itself; if the destination IP address
is on your subnet, you'll send the IP packet directly to the other computer via the Ethernet or
Token Ring (or whatever) network you're on, without bothering the router... at all!
The first routing decision made on an IP packet is made by the workstation sending it;
it decides whether or not to send the packet to a router. Doing this is a four step process:
Step 1: Convert the IP Addresses to Binary.
If necessary, the IP address is converted from the familiar dotted-decimal into a 32-bit
binary value. It sucks as much for the computer to do it as it does for humans to do it,
but computers generally complain less, and they're good at math :-)
Step 2: Apply Source subnet mask to Source addresses:
The network portion of the workstation's IP address is determined by performing
a binary AND operation on the workstation's IP address and its subnet mask. This operation "masks
off" all of the bits of the "host portion" of the IP address, and leaves the "network portion"
behind for comparison with the destination's network portion. Hey, wait a minute? How do we
know what the subnet mask of the destination is?
Step 3: Apply Source subnet mask to Destination addresses:
As it happens, we don't care what the subnet mask of the destination is. We only care if the
destination is on our same network segment! Since every workstation on our network segment
shares the same subnet mask, we can apply our subnet mask to the destination to determine if
its network portion matches ours. So, the network portion of the destination
workstation's IP address that we can use to see if it matches ours is determined by performing
a binary AND operation on the destination IP address and our subnet mask.
Step 4: Compare the derived network portions for equality:
At this point, we can compare the network portions we have masked from the source and destination
IP addresses to see if they're the same. If they are, then we must be on the same subnet
so we send the packet directly; if they are different, even by only one bit, the destination is
on another network segment...somewhere. We don't know where. Maybe the router does...
OK, so let's try this a few times ourselves; get a few IP addresses and subnet masks together
enabled on your browser. If you're reading a hard copy of this, the full URL is
Remember the part about combining four "Class C" networks together? Watch your binary arithmetic:
(network prefix bits shown in green)
Networks, in Binary
Notice how all of the bits above the ones in the subnet mask stay the same; following the rules
above, all hosts on these networks, if you apply the mask, are on the same network.
This was called "supernetting", but now is called "CIDR Routing", pronounced "Cider Routing".
Doing it wrong:
(carefully watch the network-portion bit in red)
Networks, in Binary
Oops-- seems the sixth bit of the third byte changed within the
network prefix portion (the part above the 1's in the subnet mask), so with the given subnet mask
(22 bits, or 255.255.252.0), 10.0 and 11.0 would ALWAYS be on a different network aggregation
than networks 12.0 and 13.0. Confused? Play with it in the
Subnet Calculator, and compare the network portions.
D. "Slash" Notation
Subnet masks are often abbreviated using a forward slash "/" and the number of "one" bits in the mask.
For example, a network 192.168.1.0 with a subnet mask of 255.255.255.0 can be expressed as
192.168.1.0/24 (since 255.255.255.0 is 24 binary ones followed by eight binary zeros.) Therefore, a /25 subnet
is a subnet with a mask of 255.255.255.128, and a /26 subnet has a mask of 255.255.255.192, etc.
E. A Neat Trick
Now that you actually understand the binary arithmetic behind subnet masking (well, I hope you do,
anyway) we can cover some of the neat tricks for computing subnet masks. To determine the number of
hosts on a given subnet (assuming the subnet is smaller than class "C",) simply subtract the last number
of the subnet mask from 256. For example, a subnet mask of 255.255.255.224 has 32 hosts (256-224=32.)
Then you can just divide the result into 256 to determine the number of subnets (256/32=8.) So, using
a subnet mask of 255.255.255.224 gives you 8 subnets of 32 hosts each. Of course, this only works when
you are subtracting a number that is a power of two (1, 2, 4, 8, 16, 32, 64, or 128.) When the network
prefix is larger than class "C", you can determine how many class "C" networks are aggregated by
subtracting the third byte from 256-- so a network prefix of 255.255.240.0 is an aggregation of
(256-240) 16 class "C" networks. Thanks to Gael M. for this tip.
F. In closing...
Why all this crap about binary arithmetic? Do I have to know this stuff? I'm afraid so;
subnet masks are created and used on a bit-by-bit basis; in order to effectively use subnet
masks that don't fall on byte boundaries (like 255.255.255.0 does), you have to determine what
hosts are on each subnet by using binary arithmetic. It sucks, it's hard, it's confusing
(espically since IP addresses and masks are expressed in decimal instead of hexadecimal notation)
but you must use and understand IP addresses and subnet masks as binary.