Logical look at masks
Having done an introduction to wildcard masks and the cool things you can do with them I thought it might be worth writing about the logic behind both subnet masks and wildcard masks. Masks use two of the most basic logical functions that computers can perform, a logical AND and a logical OR.
Logical AND
Logical AND is a comparison of two bits which produces an output of a single bit. It is quite sensibly named because in order to yield a 1 in the output both of the input bits, input 1 and input 2 must be 1. The table below shows the possible outputs for a logical AND.
Input 1 Input 2 Output 0 0 0 1 0 0 0 1 0 1 1 1
Logical OR
In a logical OR comparison the output is a 1 if input 1 or input 2 is set to 1. The comparison will also return 1 if both inputs are 1; this is slightly different from an XOR (exclusive OR) which will return a 0 of both inputs are 1. XOR is used to calculate parity in RAID 5 because it is possible to find one of the inputs if you have the other input and the XOR output; you just do another XOR. This is how RAID 5 controllers use the parity stripe to rebuild a failed volume.
Input 1 Input 2 OR Output XOR Output 0 0 0 0 1 0 1 1 0 1 1 1 1 1 1 0
Subnet masks
Logical AND functions are used by networked devices to determine if a host address is in a particular subnet. As the network portion of a subnet mask is all ones the network part of the address is preserved and as the host part of the mask is all zeroes those bits return as zeros. In the example below we have a destination address and a local address and subnet. We will apply the AND to both and see if they match.
Local address 192.168.0.94 Binary address 11000000.10101000.00000000.01011110 Subnet mask 255.255.252.0 Binary mask 11111111.11111111.11111100.00000000
Remote address 192.168.3.52 Binary address 11000000.10101000.00000011.00110100
We’ll AND the local address with the mask first, remember we’re looking down the columns for where there is a 1 in the address and the mask.
Local address 11000000.10101000.00000000.01011110 Binary mask 11111111.11111111.11111100.00000000 Result 11000000.10101000.00000000.00000000
Then the same for the destination address and the same mask.
Local address 11000000.10101000.00000011.00110100 Binary mask 11111111.11111111.11111100.00000000 Result 11000000.10101000.00000000.00000000
As the results match we can conclude that they are in the same network.
Wildcard masks
The wildcard mask uses the OR function to match two addresses using a wildcard mask. Where the subnet mask effectively changes the host portion of the address to zeroes the wildcard mask changes the wildcard bits to ones so that we can match the rest of the address.
In the first example we’ll use 192.168.0.1 0.0.0.64 and see if the address 192.168.0.65 matches it.
Address 11000000.10101000.00000000.00000001
Wildcard mask 00000000.00000000.00000000.01000000
Match address 11000000.10101000.00000000.01000001
We’ll start with the address and mask combination followed by the address we want to match and the mask.
Address 11000000.10101000.00000000.00000001 Wildcard mask 00000000.00000000.00000000.01000000 Result 11000000.10101000.00000000.01000001
Match address 11000000.10101000.00000000.01000001 Wildcard mask 00000000.00000000.00000000.01000000 Result 11000000.10101000.00000000.01000001
The results both match so the address would match the ACL.
In the second example the ACL is 0.0.0.0 255.255.255.254 and we’ll try matching 10.0.0.1 and 10.0.0.2
ACL 00000000.00000000.00000000.00000000 Wildcard mask 11111111.11111111.11111111.11111110 Result 11111111.11111111.11111111.11111110
10.0.0.1 00001010.00000000.00000000.00000001 Wildcard mask 11111111.11111111.11111111.11111110 Result 11111111.11111111.11111111.11111111
10.0.0.2 00001010.00000000.00000000.00000010 Wildcard mask 11111111.11111111.11111111.11111110 Result 11111111.11111111.11111111.11111110
First address doesn’t match but the second one does.