5

Is it possible to assign to an ethernet host via DHCP a subnet mask of only the host itself, e.g. 192.168.1.123/32? Do common operating systems support this kind of configuration?

I'd like for the hosts to send all of their traffic to the router (and not directly to some other host on the same segment), but still for them to be able to communicate (so no "client isolation"); effectively creating a point-to-point link, but without any client-side configuration.

Update: My intention is to configure a home router running dd-wrt so that all the traffic has to pass through the IP stack on the router, so it can be filtered by some ipfilter rules. I'd hoped for a general solution, some standard way to implement point-to-point Ethernet connections that still can be automatically configured by DHCP for all common operating systems.

Based on the responses so far, this doesn't seem to be that easy; I'll read some more about VLANs and then reconsider my plans.

lxgr
  • Can I ask why you want to do this? What benefit does this give you? – Driftpeasant Dec 02 '11 at 13:34
  • I want to be able to use a firewall between all the clients on the local network and especially reduce the amount of broadcast on the segment, while still allowing traffic on certain ports. – lxgr Dec 03 '11 at 12:40

4 Answers

11

First of all, in order to create point-to-point link, you need at least 4 addresses, so you'll have to use a /30 mask. For example: 192.168.1.0/30

  • Network address: 192.168.1.0/30
  • 1st point address: 192.168.1.1/30
  • 2nd point address: 192.168.1.2/30
  • Broadcast address: 192.168.1.3/30

You'll have to place each host on a different /30 subnet and implement inter-subnet routing on your gateway.

Edit: You don't write much about your infrastructure or the scalability you want to achieve with this configuration. I suppose your router supports the use of subinterfaces.

Also, no additional client-side configuration will be required if you use a DHCP server in order to distribute the addressing scheme.

dkaragasidis
  • Looks like the cleanest solution, but it wastes three addresses. I was hoping for a way to somehow eliminate subnets altogether. – lxgr Dec 02 '11 at 11:37
  • It is clean, it gives you full control of the traffic exchanged in your network (_...as well as a single point of failure_) and it works both for small and large number of network nodes - of course if you use this scheme for a large number of hosts your router will suffer a serious performance hit. That's the only major drawback I can think of. Another solution is to place each host on a different VLAN and implement inter-VLAN routing - you can have up to 4090 hosts and a big fat performance hit as well (if they're many). Assuming of course that you have a VLAN-capable switch. – dkaragasidis Dec 02 '11 at 11:56
  • The drawback would be a potential waste of IP addresses - I'm using private addresses, so in my case it's not a big deal, but how does that work with public addresses? VLANs sound like a nice idea - I'll check if my switch supports them. Would the configuration also be a /30 mask for all the hosts? If not, how do the clients know to send their packets to the gateway instead of using ARP and directly transmitting on the layer 2 interface? – lxgr Dec 03 '11 at 12:37
  • Keep in mind that not all switches support 802.11q (VLANs) and not all switches support a large number of VLANs. I can't describe the details of VLAN operation in something less than 600 characters. VLANs are isolated on layer 2, and inter-vlan communication occurs on layer 3. What do you mean how would that work with public IP addresses? – dkaragasidis Dec 03 '11 at 20:11
  • At my old university, I once requested a static IP for a host, and they assigned it a /30 public address like you described. I've always wondered whether there was any more efficient way to handle that (but they don't seem to have a lack of public addresses - every electric door opener has a public IPv4 address...). At my current university, all the users get a static, public IP by default, in a /16 subnet - but I can't see any ARP requests etc. on the network. I was always wondering how the clients know where to send traffic to another host on the same subnet in that environment. – lxgr Dec 04 '11 at 11:33
  • I _seriously_ doubt that someone would waste *public* IP address space in such way, so you must have misunderstood some networking concepts. I would suggest reading documentation on IP addressing, it will make things clear. The lack of ARP traffic on a network segment may be caused by static ARP entries in hosts' ARP tables (_for security reasons_). – dkaragasidis Dec 04 '11 at 12:02
  • I'll do that (guess there's a lot more to IP addressing than what was explained in my networking class ;). I'm pretty certain about the public IP addresses though; the static /30 is not translated in any way (the webserver on the host is reachable from the internet on that address), and in our campus management system I can clearly see my "personal" public IP address. Incoming connections to port 80 are possible as well. Seems like a giant waste, but they apparently do it to comply with wiretap legislation which would otherwise force them to log all dynamic IP assignments in time. – lxgr Dec 04 '11 at 12:08
  • Actually, you can use `/31` networks for point-to-point links. This has been the case since the year 2000. See _[RFC 3021, Using 31-Bit Prefixes on IPv4 Point-to-Point Links](https://tools.ietf.org/rfc/rfc3021.txt)_. – Ron Maupin Mar 12 '17 at 14:27
  • @RonMaupin Despite this RFC being written in the year 2000, there is still networking equipment in the year 2017 that does not support this functionality. _See [RFC 1796, Not All RFCs are Standards](https://tools.ietf.org/html/rfc1796)._ – dkaragasidis Mar 21 '17 at 15:06
  • RFC 3021 is classified as "_Category: Standards Track_," and it is not defined as "_Optional_." There is an [excellent answer](http://serverfault.com/a/755655/324849), here on [sf], that explains RFC standards. All the equipment I work with for many years now supports RFC 3021, and I would consider any equipment that doesn't support it to be out of compliance. – Ron Maupin Mar 21 '17 at 15:23
  • @RonMaupin I stand corrected on the RFC classifications. In any case, the original question specifically asked for a solution that works on most common operating systems and - as far as I am aware - the /31 netmask was unsupported on MS Windows 6 years ago. Good for you and your compliant equipment, but this is not what was originally asked. – dkaragasidis Mar 21 '17 at 16:10
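As an added example (not part of the answer or comments above), the following script generalizes the single /30 shown in the answer into an allocation plan that gives every host its own subnet, both for /30 as the answer describes and for /31 per RFC 3021 as raised in the comments, and reports how many addresses of the parent block each scheme spends per host. The parent network 192.168.1.0/24 is a constructed sample value.

```python
"""
Added example: per-host subnet plan for the "one subnet per host" scheme.
Generalizes the /30 list in the answer above to a whole parent block and
adds the /31 variant from RFC 3021.  192.168.1.0/24 is a constructed value.
"""
import ipaddress
from typing import Dict, List


def per_host_plan(parent: str, prefixlen: int) -> List[Dict[str, str]]:
    """One entry per host: its subnet, the router-side address, the host
    address and (for /30 only) the broadcast address.  A /32 host is not
    covered here because it has no on-link gateway to plan for."""
    if prefixlen not in (30, 31):
        raise ValueError("per-host subnets must be /30 or /31")
    net = ipaddress.IPv4Network(parent)
    plan: List[Dict[str, str]] = []
    for sub in net.subnets(new_prefix=prefixlen):
        first, last = sub.network_address, sub.broadcast_address
        if prefixlen == 30:
            # classic layout: network, gateway, host, broadcast
            entry = {"subnet": str(sub), "gateway": str(first + 1),
                     "host": str(first + 2), "broadcast": str(last)}
        else:
            # RFC 3021: no network/broadcast address, both addresses usable
            entry = {"subnet": str(sub), "gateway": str(first),
                     "host": str(last)}
        plan.append(entry)
    return plan


def addresses_consumed(prefixlen: int) -> int:
    """Addresses of the parent block spent on each host (4 for /30, 2 for
    /31, 1 for the /32-with-off-subnet-gateway scheme)."""
    return 2 ** (32 - prefixlen)


if __name__ == "__main__":
    for plen in (30, 31):
        plan = per_host_plan("192.168.1.0/24", plen)
        print(f"/{plen}: {len(plan)} hosts, {addresses_consumed(plen)} "
              f"addresses each; first entry {plan[0]}")
```

The first /30 entry reproduces the answer's example exactly (network .0, gateway .1, host .2, broadcast .3); the rest of the plan is what the router's subinterfaces and DHCP reservations would have to be built from.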
5

Use of a /32 netmask (either set statically or provided over DHCP) is a common default configuration applied by cloud hosting providers for Linux virtual private servers.

Google Compute, Rackspace Cloud, CheapVPS, 1&1 and Strato do this for example.

The configuration has the benefit that it reduces East-West and broadcast traffic without requiring collateral, infrastructure IPs. It places certain requirements on the next hop "gateway" such as disablement of reverse path filtering to allow inter-VM traffic for devices on the same network segment or host to hairpin back out of the incoming interface.

A manual configuration for a Debian-flavour Linux host looks like this.

/etc/network/interfaces:

auto eth0
iface eth0 inet static
  # /32: no on-link neighbours, so every packet has to go to a gateway
  address 123.123.82.130
  netmask 255.255.255.255
  broadcast 123.123.82.130
  # the gateway is off-subnet, so first tell the kernel it is reachable on eth0
  up route add 123.123.92.171/32 dev eth0
  # then point the default route at that gateway
  up route add default gw 123.123.92.171

Google Compute instances assign the same configuration over DHCP by providing a static host route to the off-subnet gateway using Option 121.

Support for such a configuration is dependent on a distribution's network scripts.

There is widespread support for this (e.g. NetworkManager) and such support is demonstrated by the following commit to the ubiquitous Dracut initramfs build tool:

https://github.com/haraldh/dracut/commit/99ccbc30dff9fa51dd3187dc10f8f632e5e54e4b

Terry Burton
1

It is possible to assign everything, but I doubt this will work - especially with Windows clients. The common-sense approach that works with Linux would go like this:

  1. configure the interface with the address and the correct subnet mask
  2. remove the local network route
  3. add an explicit route to the gateway via the interface
  4. add a default route via the gateway

It usually would require either manual configuration or scripting on the DHCP client side to do everything after 1.

You also should make sure your gateway is not going to send ICMP redirect messages to hosts - it usually would do this upon detecting that a host is trying to reach another host within the same network via the gateway (information is derived from the address/subnet mask combination of the router's local host-facing interface).

the-wabbit
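The following is an added example, not code from either answer above. It builds the "/32 host with an off-subnet gateway" configuration two ways: as the DHCP Classless Static Route option (RFC 3442, option 121) that the earlier answer says Google Compute uses, so the client needs no scripting, and as the four manual `ip` commands the answer directly above lists for a Linux client. All addresses and the interface name are constructed sample values; the dnsmasq line assumes the router's DHCP server is dnsmasq (as on dd-wrt), and the 0.0.0.0 "router" for the on-link route is a client convention (dhclient-script, NetworkManager) rather than something RFC 3442 itself defines.

```python
"""
Added example: the /32-host-plus-off-subnet-gateway scheme expressed as
DHCP option 121 (RFC 3442) and as a manual iproute2 command sequence.
Addresses, interface name and the dnsmasq assumption are constructed.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def host_routes(gateway: str) -> List[Route]:
    """Routes a /32 host needs: the gateway itself on-link, then a default
    via it.  Router 0.0.0.0 = 'directly reachable, no next hop' is the
    convention dhclient-script and NetworkManager use (not in RFC 3442)."""
    gw = ipaddress.IPv4Address(gateway)
    return [
        (ipaddress.IPv4Network(f"{gw}/32"), ipaddress.IPv4Address("0.0.0.0")),
        (ipaddress.IPv4Network("0.0.0.0/0"), gw),
    ]


def encode_option_121(routes: List[Route]) -> bytes:
    """RFC 3442 wire format per route: one byte prefix length, then only
    the significant destination octets (ceil(len/8)), then 4 router octets."""
    out = bytearray()
    for dest, router in routes:
        sig = (dest.prefixlen + 7) // 8
        out.append(dest.prefixlen)
        out += dest.network_address.packed[:sig]
        out += router.packed
    if len(out) > 255:
        raise ValueError("payload exceeds a single DHCP option (255 bytes)")
    return bytes(out)


def decode_option_121(payload: bytes) -> List[Route]:
    """Inverse of encode_option_121.  Rejects truncated or malformed input
    rather than guessing, which is what a client-side parser should do."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} > 32 at offset {i - 1}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {i - 1}")
        padded = payload[i:i + sig] + b"\x00" * (4 - sig)
        # strict IPv4Network() also rejects non-zero host bits in the prefix
        dest = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(padded)}/{plen}")
        i += sig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        routes.append((dest, router))
    return routes


def dnsmasq_option_121(routes: List[Route]) -> str:
    """dnsmasq's dhcp-option syntax for option 121: dest/prefix,router pairs
    (assumed server; dd-wrt ships dnsmasq)."""
    fields = [f for dest, router in routes for f in (str(dest), str(router))]
    return "dhcp-option=121," + ",".join(fields)


def ip_commands(iface: str, host_cidr: str, gateway: str) -> List[str]:
    """The four manual client-side steps from the answer above, as iproute2."""
    itf = ipaddress.ip_interface(host_cidr)
    return [
        f"ip addr add {itf} dev {iface}",                  # 1. address + real mask
        f"ip route del {itf.network} dev {iface}",          # 2. drop the connected route
        f"ip route add {gateway}/32 dev {iface}",           # 3. gateway reachable on-link
        f"ip route add default via {gateway} dev {iface}",  # 4. default via the gateway
    ]


if __name__ == "__main__":
    routes = host_routes("192.168.1.1")
    wire = encode_option_121(routes)
    print("option 121:", wire.hex())
    assert decode_option_121(wire) == routes
    print(dnsmasq_option_121(routes))
    for cmd in ip_commands("eth0", "192.168.1.123/24", "192.168.1.1"):
        print(cmd)
```

Two caveats follow from RFC 3442 rather than from this code: a client only receives option 121 if it lists it in its parameter request list, and a client that does receive it must ignore the plain Router option (3), so the default route has to be carried inside option 121 as shown. On the router side, the ICMP redirect concern from the answer above maps on Linux to the `net.ipv4.conf.<iface>.send_redirects` sysctl, and the earlier answer's reverse-path-filter note to `net.ipv4.conf.<iface>.rp_filter`.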
-2

The smallest IPv4 prefix you can use to communicate with another device in a point-to-point link is a /31 prefix. This was defined in RFC 3021, Using 31-Bit Prefixes on IPv4 Point-to-Point Links.

Similarly, you can use a /127 IPv6 network for point-to-point links. See RFC 6164, Using 127-Bit IPv6 Prefixes on Inter-Router Links.

Ron Maupin