Using /31 network masks in cOS Core (RFC-3021)

Post by Peter » 09 Sep 2020, 09:28

This FAQ applies to:
  • cOS Core any version

Question:
Is it possible to configure cOS Core with a /31 network mask? I get an error when I try to add 192.168.1.175/31 to the address book, saying it's invalid.

Answer:
It is possible, but the correct (base) network address needs to be specified. Running the above IP example through an IPv4 calculator gives:

Network:   192.168.1.174/31
Broadcast: 192.168.1.175
HostMin:   192.168.1.174
HostMax:   192.168.1.175

Just to clarify, 192.168.1.175/31 is invalid by definition of RFC-1878/RFC-950. The reason is that the address given for a network, e.g. a /31, should be the first address (the starting number) of the subnet. This of course varies with the size of the network; with a /24 subnet mask, for example, the last number must be set to zero (this may also vary between vendors/systems).

Note: On /31 network masks, no broadcast address is used. Both IP addresses will be treated as host addresses. The above calculator output does not reflect this.

Some systems accept e.g. 192.168.1.175/31 as valid because they automatically convert it to the correct network. An online IPv4 calculator, for example, may also automatically convert 192.168.1.175/31 to the correct 192.168.1.174/31. Since cOS Core does not automatically convert it, it reports it as an error instead.

This has both an advantage and a disadvantage: the advantage is that the administrator quickly gets feedback on an invalid network, and the drawback is that the system could have handled this automatically. But one question would be: how far should we go in modifying what a user types in? There may not be a correct answer to this question :)

Limitation note:

There is a known limitation when using /31 networks, which appears when you attempt to connect to the Firewall for remote management. It will not work and no log will be generated about it (COP-21060).

Workaround:
  1. Disable automatic route creation on the interface.
  2. Assign the IP you want to the interface but use a dummy network, e.g. 127.0.25.0/32
  3. Create a manual route with the /31 network.

Question:
What about the DHCP client in the Firewall? What if an ISP hands out a /31 with e.g. 192.168.1.175/31?

Answer:
At this time it is unconfirmed how it would behave. There is a fairly good chance that the DHCP lease offer would be unable to update the cOS Core address book, and it could generate a failure/error.
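
The base-address check discussed in the first answer, as an added example that is not part of the original FAQ and is not cOS Core's own code: it uses Python's standard ipaddress module to flag entries with host bits set, suggest the base network to enter instead, and report both /31 addresses as hosts per RFC 3021. The function names and the sample entries are constructed for illustration.

```python
import ipaddress

def check_network(entry):
    """Return (ok, base_network, host_min, host_max) for an IPv4 'addr/prefix' entry.

    ok is False when host bits are set in the address, i.e. the entry is not
    the base address of its subnet (the case the FAQ says is rejected).
    """
    iface = ipaddress.IPv4Interface(entry)  # keeps the address exactly as typed
    net = iface.network                     # same prefix with host bits masked off
    ok = iface.ip == net.network_address
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen < 31:
        # Ordinary subnet: first address is the network, last is the broadcast.
        first, last = first + 1, last - 1
    # /31 (RFC 3021): no network or broadcast address, both addresses are hosts.
    # /32: a single host address.
    return (ok, str(net), str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(last)))

def preflight(entries):
    """Map each entry that would be rejected to the base network to use instead."""
    suggestions = {}
    for entry in entries:
        ok, base, _, _ = check_network(entry)
        if not ok:
            suggestions[entry] = base
    return suggestions

if __name__ == "__main__":
    # Constructed sample entries; only the first comes from the FAQ.
    sample = ["192.168.1.175/31", "192.168.1.174/31", "10.0.0.5/24", "10.0.0.0/24"]
    for entry in sample:
        print(entry, check_network(entry))
    print(preflight(sample))
```

Running such a check over a list of planned address book entries before entering them shows which ones need to be rewritten to their base address.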
