Netmasks

Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol. They are used for defining networking rules in e.g. routers and firewalls. Strictly speaking, the "address/number" form described in this article is CIDR prefix notation; a netmask proper is the equivalent dotted form (e.g. 255.255.255.0 for /24), but the two express the same thing and the terms are used interchangeably in practice.

Every host (server or client) communicating directly on the internet has a unique Internet Protocol (IP) address. Most commonly, these addresses are written in human-readable dotted-decimal notation, for example 192.168.0.1. This is an IP version 4 address. (The internet is moving towards the IP version 6 standard to allow for more resources to be addressed.)

An IP address is actually just a binary number. IPv4 addresses are 32 bits long, allowing for around 4.3 billion addresses in use at one time; IPv6 addresses are 128 bits long, expanding the address space to about 3.4×10^38 addresses.

In networking, it is convenient to talk about groups of addresses rather than individual ones. For instance, internet providers are allocated 'chunks' of consecutive addresses, so a router need only compare the leading bits of a packet's destination address against its routing table to decide which neighbouring node to forward the IP packet to.

A netmask is a shorthand for describing a range of IP addresses. A netmask may describe just a single IP address:

  • 192.168.0.1/32: just the address 192.168.0.1

Or all possible IP addresses:

  • 192.168.0.1/0: all 4.3 billion addresses from 0.0.0.0 to 255.255.255.255

More usefully, it does something in between:

  • 192.168.0.1/31: the IP addresses 192.168.0.0 and 192.168.0.1

How to read a netmask

The left-hand side of a netmask (e.g. 192.168.0.1) is an IP address. The right-hand side (e.g. /32) is the prefix length: how many leading bits of that address are significant when it is considered as a 32-bit binary number. The remaining, non-significant bits are treated as a wild-card.

For instance, in the netmask 192.168.0.1/32, the address is 192.168.0.1. This can be written in binary as 11000000.10101000.00000000.00000001. To match this netmask, an address must match all 32 bits - i.e. have the same binary digit in each position. This means only one address will be matched by this pattern.

The netmask 192.168.0.1/31 states that the last binary digit is not significant, so it will match two addresses: 11000000.10101000.00000000.00000000 and 11000000.10101000.00000000.00000001 (written more readably as 192.168.0.0 and 192.168.0.1).

Similarly, 192.168.0.1/30 states that the last two binary digits are not significant, so it will match four different addresses: 192.168.0.0 through 192.168.0.3. In general, a /n prefix matches 2^(32-n) consecutive addresses.
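The bit-level reading described above, and the /32, /31, /30 and /0 examples earlier in this article, can be checked with a few lines of code. The following is an added example written for this page, not code from the original article: it parses a CIDR string, builds the mask by shifting a run of ones into the top bits, clears or sets the wild-card bits to find the first and last address of the range, and tests whether an address matches. All function names are this example's own. The standard-library ipaddress module is used only to cross-check the hand-rolled arithmetic.

```python
"""Reading a CIDR prefix ("netmask") with plain bit arithmetic."""
import ipaddress  # used only to cross-check the hand-rolled logic below

ALL_ONES = 0xFFFFFFFF  # 32 set bits: the width of an IPv4 address


def ip_to_int(dotted: str) -> int:
    """Turn '192.168.0.1' into its 32-bit unsigned integer value (strict parsing)."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {dotted!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: 3232235521 -> '192.168.0.1'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Render an address in the dotted-binary form used in the text."""
    value = ip_to_int(dotted)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n -> mask with the top n bits set, e.g. 24 -> 0xFFFFFF00, 0 -> 0, 32 -> 0xFFFFFFFF."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_dotted(prefix: int) -> str:
    """The traditional dotted netmask for a prefix length, e.g. 24 -> '255.255.255.0'."""
    return int_to_ip(prefix_to_mask(prefix))


def parse_cidr(cidr: str) -> tuple[int, int]:
    """Split 'a.b.c.d/n' into (address as int, mask as int). A bare address means /32."""
    address, _, prefix = cidr.partition("/")
    return ip_to_int(address), prefix_to_mask(int(prefix) if prefix else 32)


def network_range(cidr: str) -> tuple[str, str, int]:
    """First address, last address and size of the range a CIDR string describes."""
    address, mask = parse_cidr(cidr)
    first = address & mask                 # wild-card bits cleared
    last = first | (~mask & ALL_ONES)      # wild-card bits all set
    return int_to_ip(first), int_to_ip(last), last - first + 1


def matches(cidr: str, address: str) -> bool:
    """True if `address` lies inside `cidr`: only the significant bits are compared."""
    base, mask = parse_cidr(cidr)
    return (ip_to_int(address) & mask) == (base & mask)


def agrees_with_stdlib(cidr: str) -> bool:
    """Cross-check network_range against ipaddress (strict=False tolerates host bits set)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return network_range(cidr) == (str(net.network_address), str(net.broadcast_address), net.num_addresses)


if __name__ == "__main__":
    for example in ("192.168.0.1/32", "192.168.0.1/31", "192.168.0.1/30", "192.168.0.1/0"):
        first, last, size = network_range(example)
        print(f"{example:16} {first:>15} - {last:<15} ({size} addresses)")
    print(to_binary("192.168.0.1"))
```

One practical caveat this makes visible: 192.168.0.1/24 and 192.168.0.0/24 describe the same range, because the host bits are wild-cards and are simply ignored. Firewall and ACL syntaxes generally accept the first form silently, so a rule meant to cover a single host can end up covering 256 of them. When reading a rule, a quick way to catch this is `ipaddress.ip_network(text, strict=True)`, which raises ValueError whenever any non-significant bit is set.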

Further Reading