In recent days, I’ve had a couple of engineers express some confusion about the “mask” part of IP addressing. It is a little arcane, being sort of a bolt-on fix for limitations of the original dotted quad addressing scheme. The values seem not to have much to do with the actual IP “address” of a given device. But trust me, mask performs an essential role. Here’s a mildly wordy tutorial.
IN THE BEGINNING …
Once upon a time, the internet was small and there seemed to be no need to subdivide it into more than four layers of hierarchy. So, addresses were formed of four 8-bit values. Because typing 32 ones or zeros was tedious, the notation convention became ###.###.###.### with each ### being an integer between 0 and 255. It was roughly:
ENTITY [govt agency, college, etc.] (dot) LOCALITY [campus, military base, etc.] (dot) DEPARTMENT (dot) MACHINE
When the internet grew up a bit, it was obvious that four hard boundaries in the addressing scheme were just not workable. (Strictly, the early classful scheme fixed the network/host boundary at 8, 16 or 24 bits, depending on the class; the effect was the same, a few fixed segment sizes and nothing in between.) What if only a handful of machines need to talk to each other directly? A hard boundary at the last dot wastes the remaining addresses, since it assumes 254* machines on every segment. (See * box at the end of the article.)
So the idea was abandoned in favor of a movable boundary between the “network” address and the “host” address. But the ###.###.###.### was already standardized, so it was kept. This was probably a mistake, but I suppose it’s too late to change it.
BEHIND THE MASK
The “mask” defines the boundary between the “network segment address,” shared by all the hosts on one segment, and the “host address,” which is unique within that segment. Upstream routers look only at the “segment” part and hand the packet to the interface (and the switch behind it) associated with that segment; the host whose address completes the full ###.###.###.### then reads it. With a movable boundary it is possible to create segments of almost any size, wasting only the two reserved addresses per segment instead of whole blocks.
The mask tells the host machine two things: which part of its own address identifies it on the segment it is connected to, and which other addresses are on that same segment, reachable directly rather than through the gateway. Packets sent to all the machines on the segment (the broadcast address) are found the same way. A wrong mask means the host will look for its neighbors and its upstream gateway in the wrong place; consequently, connectivity won’t work. From the location of the boundary between the string of ones to the left and the zeros to the right in the binary representation of the mask, the machine knows where to put the divide. That is why the possible values for each number in the mask’s ###.###.###.### are limited to those whose binary form is a run of ones followed by a run of zeros: 0, 128, 192, 224, 240, 248, 252, 254 and 255. (Every integer is a sum of powers of two; what matters is that the one bits are contiguous and start from the left.)
255.255.255.128 turns on the leftmost bit of the last byte and creates a subnet with 126* possible hosts. 255.255.255.192 (128+64=192) turns on the leftmost two bits and creates a subnet with 62* possible hosts. 255.255.255.224 (128+64+32=224) turns on the leftmost three bits and creates a subnet with 30* possible hosts, and so on through 240 (14*), 248 (6*) and 255.255.255.252, which turns on all but two bits and creates a network of 2* possible hosts. This is a network that connects two and only two devices.
0, 128, 192, 224, 240, 248 and 252 are the usual values for the rightmost mask number. 254 and 255 appear in the other positions, so that the binary is all ones to the left and all zeros to the right. Why not 254 and 255 in the rightmost value? By the 2^n − 2 rule those leave no host addresses at all. (Two exceptions a practitioner will meet: RFC 3021 allows 255.255.255.254, a /31, on point-to-point links, where both addresses are used by hosts, and 255.255.255.255, a /32, is a host route naming a single address.) I use “segment” and “subnet” interchangeably here. A segment with 510* hosts can be created by a mask of 255.255.254.0 (nine host bits: all eight in the rightmost byte plus the last bit of the next-to-last byte). The binary looks like:
11111111.11111111.11111110.00000000
The first address on this subnet might look like 10.100.0.1 and the last like 10.100.1.254. In the middle we’d find the consecutive addresses 10.100.0.255 and 10.100.1.0. This is just counting up the binary for the rightmost nine bits of the host address range. It could just as easily be 192.168.76.1 to 192.168.77.254. Note that a /23 block has to start on an even value in the third byte (76, 78, 80 and so on), because the network number has all nine host bits at zero; 192.168.77.0 through 192.168.78.255 is not a legal subnet. And don’t write leading zeros such as .001; some software reads an octet with a leading zero as octal.
The mask for a subnet with 4094 hosts (12 host bits) might look like 255.255.240.0, with a binary representation of
11111111.11111111.11110000.00000000
That’s a big subnet!
There’s an alternative notation to the dotted quad for the mask value which you may have seen. CIDR notation follows a complete host or network address with a /## where ## is the number of bits set to one in the binary representation of the mask, so 255.255.254.0 is written /23 and 255.255.240.0 is /20; 10.100.0.0/23 names the 510-host segment above in one token. CIDR stands for Classless Inter-Domain Routing. Variable-length masks had been in use since RFC 950 (1985), and CIDR (RFC 1519, 1993) formally retired the old A, B and C classes of internet addresses.
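To make the rules in the last several paragraphs concrete (the ones-then-zeros test for a valid mask, the 2^n − 2 host count and its /31 and /32 exceptions, the network and broadcast addresses, and the CIDR prefix), here is a small Python script. It is an added example, not code from the article or its author; the function names are my own, and the sample inputs are the article’s 510-host segment plus a deliberately misaligned start address, 192.168.77.0 with a /23 mask, which the script resolves to its real network number. The hand arithmetic is cross-checked against the standard library’s ipaddress module.

```python
"""Subnet mask arithmetic, the long way, cross-checked against the standard
library.  Added example for this article; not the author's code."""
import ipaddress


def dotted_to_int(quad: str) -> int:
    """Pack ###.###.###.### into a 32-bit integer.  Rejects octets outside
    0..255 and leading zeros (some software reads 0177 as octal)."""
    parts = quad.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {quad!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            raise ValueError(f"bad octet {p!r} in {quad!r}")
        value = (value << 8) | int(p)
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(quad: str) -> str:
    """Show the four bytes as bits, e.g. 11111111.11111111.11111110.00000000."""
    return ".".join(format(int(p), "08b") for p in quad.split("."))


def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length of a valid mask.

    A valid mask is a run of ones followed by a run of zeros.  Counting the
    ones and rebuilding the mask from that count catches anything else
    (255.0.255.0, 255.255.255.253, ...), which is the real rule behind the
    short list of legal octet values."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def usable_hosts(prefix: int) -> int:
    """2**n - 2 for ordinary subnets (network number and broadcast are
    reserved); /31 is the RFC 3021 point-to-point case with both addresses
    usable, and /32 is a single host route."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def describe(address: str, mask: str) -> dict:
    """Split address/mask into the pieces a host needs to know."""
    prefix = mask_to_prefix(mask)
    m = dotted_to_int(mask)
    a = dotted_to_int(address)
    network = a & m                          # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits set
    # On /31 and /32 there are no reserved addresses, so the whole block is hosts.
    first = network + 1 if prefix < 31 else network
    last = broadcast - 1 if prefix < 31 else broadcast
    info = {
        "prefix": prefix,
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "usable_hosts": usable_hosts(prefix),
        "first_host": int_to_dotted(first),
        "last_host": int_to_dotted(last),
        # True only if the address given is itself the network number,
        # i.e. it is properly aligned for this mask.
        "is_network_number": a == network,
    }
    # Cross-check the hand arithmetic against the standard library.
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    assert str(net.network_address) == info["network"]
    assert str(net.broadcast_address) == info["broadcast"]
    return info


if __name__ == "__main__":
    for mask in ("255.255.255.128", "255.255.255.252", "255.255.254.0", "255.255.240.0"):
        p = mask_to_prefix(mask)
        print(f"{mask:<16} {to_binary(mask)}  /{p}  {usable_hosts(p)} hosts")
    # The article's 510-host segment, and a misaligned start address
    # (sample inputs constructed for this example).
    for addr in ("10.100.0.1", "192.168.77.0"):
        print(addr, describe(addr, "255.255.254.0"))
```

Feed describe() the address you were handed and the mask you were told to use; if is_network_number is False for what was supposed to be the network address, someone picked a block that does not sit on the mask boundary, which is exactly the 192.168.77.0/23 mistake.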
Frank McCoy is chief engineer for Salem Media’s cluster in Chicago, what he describes as his “retirement job.” He has held a variety of corporate roles in engineering and broadcast equity development.
* The 2^n − 2 count of possible hosts on a segment (where n is the number of host bits, the rightmost address bits) comes about because the lowest address in the segment is the “network number” and the highest is the “broadcast address,” to which every host on the segment listens, so that one packet can reach all of its neighbors at once.