CIDR is an initialism for Classless Inter-Domain Routing. It defines a way to route packets between devices without the limitations of the older specifications.

For modern penetration testing, it is generally not necessary to know the details of older specifications. However, the basic gist is that the original specifications had either scalability or efficiency issues where:

  • There were limitations on the total number of potential networks (ARPANET)
  • Networks were too small to be useful for large enterprises (Class C networks)
  • Networks were too big to be used efficiently (Class B networks)

CIDR defines networks arbitrarily by the number of bits of an IP address that are "fixed" and therefore the number of bits that can change. This allows various systems to have efficient routing tables while allowing variably-sized networks.

CIDR applies to both IP address protocols in current use (IPv4 and IPv6) using the same concepts, shown below.

IPv4 CIDR

IPv4 addresses are made of 32 bits broken down into 4 octets, such as 192.168.1.1. This can be displayed in binary form as: 11000000.10101000.00000001.00000001.

With CIDR, a number is appended to the IP address to define the number of fixed bits, such as: /24 to make 192.168.1.1/24.

This notation means that the first 24 bits of the address in binary form are fixed (11000000.10101000.00000001) and the remaining 8 bits can change (from .00000000 to .11111111).  

In the above example, the network starts at 11000000.10101000.00000001.00000000 (192.168.1.0) and ends at 11000000.10101000.00000001.11111111 (192.168.1.255), with 254 IP addresses in the middle forming the bulk of the network.

IPv4 CIDR Example 1

192.168.10.0/24

This network represents the 256 IP addresses between 192.168.10.0 and 192.168.10.255, inclusive.

IPv4 CIDR Example 2

192.168.10.0/16

This network represents the 65,536 IP addresses between 192.168.0.0 and 192.168.255.255, inclusive. Even though the third octet has the binary 10, this value is not fixed as the '/16' indicates these bits are not fixed.

IPv4 CIDR Example 3

192.168.10.132/32

This network represents only the IP address 192.168.10.132 as all 32 bits in the IP address have been fixed.

IPv4 CIDR Example 4

8.8.8.8/0

This network represents the entire IPv4 range as no bits are fixed, from 0.0.0.0 to 255.255.255.255.

IPv4 CIDR Example 5

1.2.3.4/27

This network represents the 32 IP addresses between 1.2.3.0 and 1.2.3.31, inclusive. The fixed part of the address can be any number of bits from 0-32, inclusive.

IPv6 CIDR

IPv6 addresses are made of 128 bits broken down into 8 hextets (8 groups of 16 bits), such as 2001:0db8:0000:0000:0000:ff00:0042:8329. IPv6 are written using hexadecimal digits to shorten the length of the address. It could equally be written in binary as:

0010000000000001 0000110110111000 0000000000000000 0000000000000000 0000000000000000 1111111100000000 0000000001000010 1000001100101001

However, this is an unnecessarily long to show an IPv6 address as each hexadecimal digit can store 4 bits of binary data instead. There are also rules to shorten the IPv6 address with zero suppression and zero compression which isn't necessary to know here.

For CIDR with IPv6, an IP address is still suffixed with the number of fixed bits, such as: 2001:0db8:0000:0000:0000:0000:0000:0001/64.

In the above scheme, the first 64 bits are fixed and the remaining 64 define the size of the network and all available IP addresses. Again, any number from 0-128, inclusive, is allowable, though generally not all would be useful.

IPv6 CIDR Example 1

9a1f:3686:20fd:7854:ef1e:7eae:f0cd:6680/32

In this example, the start of the network is at 9a1f:3686:0:0:0:0:0:0 and the end of the network is at 9a1f:3686:ffff:ffff:ffff:ffff:ffff:ffff. In this network there are approximately 8 * 10^28 available hosts. From this, it should be readily apparent how IPv6 addresses will solve the problem of IPv4 address exhaustion!

Summary

No matter how an IP address is constructed, with CIDR the possibilities to create networks of different sizes for an organisation's requirements is incredibly useful. Networks are defined by the number of fixed bits and the number of varying bits with a simple notation for easy use and adoption.