avoiding 255 / 31-bit prefixes

avoiding 255 / 31-bit prefixes

  • Written by
    Walter Doekes
  • Published on

At OSSO, we've been using a spine-leaf architecture in the datacenter, using BGP and Layer 3 to the host. This means that we can have any IP address of ours just pop up anywhere in our network, simply by adding a prefix on a leaf switch. We sacrifice half of our IP space for this. But we gain simplicity by avoiding all Layer 2 tricks.

TL;DR: Avoid IP addresses ending in .255 for endpoints.

Do we want IP 1.2.3.5 to show up somewhere? We'll just enable the 1.2.3.4/31 prefix on the relevant port on leafX. BGP handles that both IPs are now reachable on the leaf switch and 1.2.3.5 can be reached at the selected switch port.

This makes deploying and moving services a breeze. And we don't have to deal with Layer 2 hacks. But as you can see, we have to sacrifice one IP (the switch end) per prefix.

Normally, networks have to contain a network address (x.x.x.0 for a class C network) and a broadcast address (x.x.x.255). Thus, the smallest network would be 2 bits: e.g. 1.2.3.0/30:

IP what
1.2.3.0 network address
1.2.3.1 usable IP
1.2.3.2 usable IP
1.2.3.3 broadcast address

The network address is obsolete and never used. And the broadcast address equates to “the other host”, so it is not needed for networks with only two parties. Therefore RFC 3021 specifies that for such small networks, we only need two addresses: a /31.

Wasting 75% of our address space would've been awful, but wasting 50% is a good trade-off for what we're winning.

The problem with Windows

Microsoft unfortunately did not read RFC 3021, so for those hosts we're stuck wasting two additional IP addresses. I've seen reports that one could use a /32 on the Windows side, and it will effectively work as if it was a /31, but this has not been verified by us.

The problem with some routers

Recently we ran into an issue where someone could connect to a service from work, but not from home. Investigation revealed that the problem arose because the endpoint was on an IP address that ends in .255.

Following the setup above, we can hand out all 128 prefixes from 1.2.3.0/31 up to 1.2.3.254/31. By convention we assigned the even IP — here 1.2.3.254 — to the switch: this meant that the endpoint/service got address 1.2.3.255.

This had been running fine for years, until now.

The user with issues was using the KPN network (86.90.0.0/16), with an Experia box V8 (Arcadyan, Astoria Networks VGV7519), S/N A30401xxxx, MAC 84:9C:A6:xx:xx:xx. Apparently that device treats addresses that end in .255 specially, and drops packets headed in that direction.

We tested this with two different public IP addresses that ended in .255. Neither IP would receive UDP or ICMP from this NAT-router. Traffic to neighbouring IPs had no issues. Maybe this is some overeager Smurf Attack protection?

(Here's a note to KPN: please fix your firmware!)

Avoid using 255 for endpoints

Moral of the story: we'll keep the convention of assigning the uneven address to the endpoint, except for the .255 address, which we'll assign to the switch instead. This should avoid problems with crappy routers in the future. We know the real network hardware beyond that will cope.


Back to overview Newer post: recap 2022 - part 1 Older post: supermicro / x9drw / quest for kvm