OSDev.org

Hello,
I have some questions about networking. Here's my first one.
What's the purpose of subnet masks (eg: "255.255.255.0")? What does it mean? Does it have any impact on security? Can anything other than "255.255.255.0" be used for a private network? Does its value depend on the IP address of the computer?
PS: I've already read some technical stuff about it but didn't understand much.
Thanks for your help.

consider the standard home LAN: DSL/cable (56k even?) modem with a hub/switch and a few computers attached to it.
the computers and the router each have an ip adres, subnet mask, and default gateway. The ip adres indicates the current computer, the default gateway indicates the ip of the router.

Now, computer 1 wants to send something to computer 2. He knows the ip address, and uses ARP to get the corresponding mac address. Next he can send data directly to the computer in question.

Now, computer 1 wants to send something to a server on the internet (e.g. osdev.org). Given that he knows the IP he can try ARP, but it will fail because the server is not on the local net.
What he needs to do is send the data to the router/modem which will forward it to the internet. The problem is: how does the computer know when to use the router and when it shouldn't.

This is where the subnet mask comes in: Computer 1 compares his ip with the ip of the computer he wants to contact, and checks wether there are any changed bits which are also set in the subnet mask. If that happens, the computer knows the computer is not on the local network and the gateway needs to be used.

Examples:
192.168.0.1 (computer 1) -> 192.168.0.2 (computer 2)
XOR -> 0.0.0.3
AND with subnet mask (255.255.255.0) -> 0.0.0.0
the result is zero, which means the computer is on the same subnet

192.168.0.1 (computer 1) -> 64.233.183.103 (google)
xor -> 128.104.183.102
and -> 128.104.183.0
the result is non-zero, so use the router

the subnet mask need not be 255.255.255.0, a subnet mask of 255.255.255.248 will say that the first 29 bits need to match for a computer to be on the same network, and that all other ips are on some other network. In this case, this leaves 8 ips on the 'local' network (7 computers, which includes a gateway/router/modem, and one reserved for broadcast)
Network admins can use this mechanism to assign ip ranges to groups of computers. The only constraint is that subnet masks be (x) 1s, followed by (32-x) 0s

ManOfSteel wrote:Hello,
I have some questions about networking. Here's my first one.
What's the purpose of subnet masks (eg: "255.255.255.0")? What does it mean? Does it have any impact on security? Can anything other than "255.255.255.0" be used for a private network? Does its value depend on the IP address of the computer?
PS: I've already read some technical stuff about it but didn't understand much.
Thanks for your help.

The subnet mask indicates which addresses belong to your subnet. It could be (back in the days up to 1995 or so) either 255.0.0.0, 255.255.0.0 or 255.255.255.0. If it's the first, the network stretches to, say, 85.*.*.*. If the second, it'll stretch to 169.254.*.*. If the third, you'll reach 192.168.0.*. The numbers aren't random.

In the past there were 3 types of network sizes, class A, B and C. Class A was 16.8 million addresses and had the first type of netmask and applied to all networks below 128. This includes the localnet IP address range 10.* and localhost address range 127.*. Yes, your computer is also adressable at 127.12.34.56.

The second type is between 128.0.0.0 and 191.255.0.0. This includes the Microsoft non-routing segment 169.254.* (which by default has 255.255.0.0 as netmask).

The third type is between 192.0.0.0 and 223.255.255.0. This includes the common localnet network 192.168.0.*, although the entirety of 192.168.* is reserved for this purpose.

There is a fourth type, class D, between 224.0.0.0 and 239.255.255.255, which is reserved for multicast (so don't assign any of these to your computer). A fifth class, class E, is plain reserved, and goes from 240.0.0.0 to 255.255.255.254. The single last address is reserved as global broadcast address, which has lead to all Windows machines plain ignoring it (since it was a handy way of reaching all machines you could find).

Nowadays, there are more complex types of subnetting, which involves knowing how many bits of the address are fixed (and thereby, how many you can fill in, and thereby how many you can choose yourself). This is commonly indicated as a /xyz subnet. For instance, the three localnets above would be 127.0.0.0/8, 169.254.0.0/16 and 192.168.0.0/24. Since the 0's are redundant you can omit them, leaving 127/8 (uncommon since it's confusing), 169.254/16 and 192.168.0/8.

Since the distinction leads to largely unused networks (say, for universities, 65k addresses is too few, but 16 million is a bit over the top) these were split up and are sold in smaller portions. There are a few universities that still own a /8, as well as large US corporations.

Smaller netmasks are also possible. The / system only allows logical subnets, in that all addresses in it are consecutive. You could make a netmask 255.254.254.254 over the network 192.168.0.0 but that would allow 8 addresses, 192.168.0.0, 192.168.0.1, 192.168.1.0, 192.168.1.1, 192.169.0.0, 192.169.0.1, 192.169.1.0 and 192.169.1.1. As you can tell, that confuses the hell out of most people. Don't use them, use only those you can express with a / notation.

Which are they then? The / notation indicates, from the most significant bit going backwards into the number (to the right) how many bits exactly must be kept equal to the network address. So, 192.168.0.0/19 indicates a range from 192.168.0.0 to 192.168.7.255 (first and last reserved as broadcast within the subnet) and 84.25.225.61/14 (which is an IP address in the city I was born in - coincidentally - http://whois.domaintools.com/84.25.225.61) in a subnet between 84.24.0.0 to 84.31.255.255. Write down the IP addresses in hexadecimal, binary or octal form to make this more clear.

Combuster wrote:Network admins can use this mechanism to assign ip ranges to groups of computers. The only constraint is that subnet masks be (x) 1s, followed by (32-x) 0s

AFAIK it's not a requirement but it does keep your sanity.

Thank you all.

So, basically, if my home network is formed of two computers, I could use the first 30 bits of the subnet mask - that is 255.255.255.252 - to limit the network to just two computers.
This is all new to me. Could such setting be effectively used for security purposes? Would it actually change anything security-wise?

Ok, let me explain my situation.
I currently have two computers, connected with Ethernet adapters through a twisted-pair cable.
On one of them, I connect to the Internet with a modem through the phone line. But I'll soon switch to "cable Internet" (using an Ethernet adapter too).
What I want is to be able to connect to the Internet and still (safely) share resources at the same time by using two separate adapters like on the diagram below?

First of all, is such a configuration possible? If it is, then what's its "level of security", if any? I'm using Win98SE, the shared resources are password-protected and no "outsider" has physical access to the network's computers.
If I configure my home network computers' subnet masks as above would it add any security? Would "outsiders" see my shared resources? And in that case, could they easily crack the passwords?
Also, if for the Internet provider network, the IP address was 192.168.0.0 and for the home LAN, the IP address was, let's say, 10.0.0.0, would the other people on the Internet provider network be able to access my home LAN computers' resources?


Now:
After:

ManOfSteel wrote: So, basically, if my home network is formed of two computers, I could use the first 30 bits of the subnet mask - that is 255.255.255.252 - to limit the network to just two computers.
This is all new to me. Could such setting be effectively used for security purposes? Would it actually change anything security-wise?

It doesn't really have any effect on security, if you've really got a man in the middle, the address range is the least problem for him.

About internet access: What you are looking for is a good NAT Router, either as a seperate piece of hardware (I can really recommend that) or in software, in that case you'd deploy it on PC1. I'm not sure whether there is good router software available for Win98 though.

When you've got a properly configured NAT router, no one from the outside can get into your internal LAN, but all your machines on the internal network can access the internet.

cheers
Joe

ManOfSteel wrote:On one of them, I connect to the Internet with a modem through the phone line. But I'll soon switch to "cable Internet" (using an Ethernet adapter too).
What I want is to be able to connect to the Internet and still (safely) share resources at the same time by using two separate adapters like on the diagram below?

Strictly speaking, you could use one card on each computer, configuring the "router" computer to take two IP addresses. This is far from trivial and doesn't allow physical separation so most people opt for two cards instead. Two cards has the main advantage that it's not physically possible for anybody to see the internal network. If you use one card + a hub, the packets get sent to your ISP. The ISP should (must) ignore them, but they still arrive there.

First of all, is such a configuration possible? If it is, then what's its "level of security", if any? I'm using Win98SE, the shared resources are password-protected and no "outsider" has physical access to the network's computers.

Never mind the one-card solution above, Win32 doesn't support it. Only the NT series has the ability to do that (and of course, about every unix there is).

If I configure my home network computers' subnet masks as above would it add any security? Would "outsiders" see my shared resources? And in that case, could they easily crack the passwords?

Put a firewall on the internet port, block all incoming connection requests. That just about fully shields your computer.

Also, if for the Internet provider network, the IP address was 192.168.0.0 and for the home LAN, the IP address was, let's say, 10.0.0.0, would the other people on the Internet provider network be able to access my home LAN computers' resources?

If and only if you advertise those services on the 192.168.* network. You can see which services you advertise using netstat, iptraf, any proper port sniffer or some web sites.

Candy,

Two cards has the main advantage that it's not physically possible for anybody to see the internal network.

So, do you actually mean that by using the second diagram of my last post, my home network would be separated from both the Internet AND my Internet provider network (which is an Ethernet LAN itself) and that PC2 would be invisible to anyone outside the building even if it has shared resources?

If and only if you advertise those services on the 192.168.* network. You can see which services you advertise using netstat, iptraf, any proper port sniffer or some web sites.

I've already checked netstat more than once, and I've been getting something like this: What are all those services for? Should some or all be silenced? If yes, how?

ManOfSteel wrote:

Two cards has the main advantage that it's not physically possible for anybody to see the internal network.

So, do you actually mean that by using the second diagram of my last post, my home network would be separated from both the Internet AND my Internet provider network (which is an Ethernet LAN itself) and that PC2 would be invisible to anyone outside the building even if it has shared resources?

That's the theory. In practice, you can make computers do everything you want, including forward messages & pretend they came from himself. That's called Network Address Translation, which boils down to your local computer being able to pretend your other computer is the entire internet (set it as the gateway), send his messages there, that computer receives them and forwards it to the other network pretending he himself sent them. The other network sends back replies, he looks up in the database where they came from and sends them back pretending they were destined for the local computer. Long story short - you type www.google.com and you get www.google.cctld. Outgoing filesharing stuff using SMB Incoming filesharing stuff using SMB.