Subsections of Networking

FREE IP Subnet Calculators

Old Content

This content is old! It’s still useful, but it’s old, and there may be bit rot, newer/better tools or ways to do things. Sanity check and do your research.

NAT & Private IP Address Ranges

Background

An IP (Internet Protocol) Address is a 32-bit number broken up into “quads” of 1 byte each, separated by dots. 1 byte is 8 bits which in decimal is a number in the range 0 to 255. For example, 10.234.56.71 is an IP Address. There are only so many “real” IP addresses, and they are (and have been) perpetually very close to being used up and thus are very difficult to get.

One of the solutions to this problem is so-called “private” IP Addresses. These are ranges of IP Addresses set aside expressly for use by a company or other entity internally. Private IP Addresses cannot be used to connect directly to the Internet; that is, they are non-routable on the public Internet. These are also often called RFC1918 addresses.

Use

You use a Private IP Address when you wish to use TCP/IP on your LAN, but do not wish to try to register enough legal or legitimate addresses for all your devices. Even if you do wish to get that many, you will not. Essentially all valid IP addresses are already owned, either by very large corporations (like AT&T) or by ISPs. When you contract for service from an ISP, you are allocated some number of legitimate IP Addresses out of that ISP’s pool of addresses.

Advantages

  1. Increased security (since private IP addresses are not routable across the Internet).
  2. You conserve the world-wide pool of IP Addresses.
  3. You do not have to register or pay for these IP Addresses in any way (internal independence from ISP IP addresses).
  4. When you connect to the Internet via a Firewall and NAT (Network Address Translation, AKA IP Masquerading) you will not block any address ranges from yourself, as you would if you reused someone else’s public range internally.
  5. Little or no performance degradation (depending on your Firewall).

See also my ../infosec/home and ../infosec/home_networks pages.

Disadvantages

  1. If you merge with a company that has chosen the same Private IP Address, one or both of you will have to re-number. This can be difficult and expensive.
  2. Some applications don’t work with NAT.
  3. Anything using NBT (UDP 138), i.e., NT Networking, cannot communicate behind a Firewall with NAT. See below for the reason.
  4. Some applications needing encryption and key exchange (specifically any application that embeds IPs in the datastream) may not work with NAT.
  5. It may require more work to plan and configure.

Private IP Address Ranges

This is the “classic” RFC1918.

| Class | From | To | CIDR Mask | Decimal Mask |
|---|---|---|---|---|
| Class “A” or 24 Bit | 10.0.0.0 | 10.255.255.255 | /8 | 255.0.0.0 |
| Class “B” or 20 Bit | 172.16.0.0 | 172.31.255.255 | /12 (or more typically /16) | 255.240.0.0 (or 255.255.0.0) |
| Class “C” or 16 Bit | 192.168.0.0 | 192.168.255.255 | /16 (or more typically /24) | 255.255.0.0 (or 255.255.255.0) |

Other useful Ranges

This table is a bit out of date and is downright WRONG in a few places (e.g., 24.0.0.0). Refer to IANA: Internet Protocol v4 Address Space, RFC3330 and the Bogon List for more up-to-date information.

The following was adapted (a long time ago) from this comment associated with RFC1918 and RFC3330. See also the Bogon List.

| Class/Type | From | To | CIDR Mask | Decimal Mask |
|---|---|---|---|---|
| Broadcast/This Net (RFC1700) | 0.0.0.0 and 255.255.255.255 | N/A | N/A | N/A |
| Null | 0.0.0.1 | 0.255.255.255 | /8 | 255.0.0.0 |
| Public-Data Networks (RFC1700) | 14.0.0.0 | 14.255.255.255 | /8 | 255.0.0.0 |
| Cable Television Networks | 24.0.0.0 | 24.255.255.255 | /8 | 255.0.0.0 |
| Loopback (RFC1700) | 127.0.0.0 | 127.255.255.255 | /8 | 255.0.0.0 |
| Link-Local (for auto-DHCP) | 169.254.0.0 | 169.254.255.255 | /16 | 255.255.0.0 |
| Testnet addresses (for tests only) | 192.0.2.0 | 192.0.2.255 | /24 | 255.255.255.0 |
| 6to4 Relay Anycast (RFC3068) | 192.88.99.0 | 192.88.99.255 | /24 | 255.255.255.0 |
| Network Interconnect/Testing (RFC2544) | 198.18.0.0 | 198.19.255.255 | /15 (supernet) | 255.254.0.0 |
| Class “D” (IPv4 multicast) (RFC1700) | 224.0.0.0 | 239.255.255.255 | /4 (supernet) | 240.0.0.0 |
| Class “E” (don’t use) | 240.0.0.0 | 247.255.255.255 | /4 (supernet) | 240.0.0.0 |

Network Address Translation (NAT) AKA IP Masquerading

NAT, AKA IP Masquerading, is the process by which a “private,” “illegal,” and non-routable IP Address is translated into a “legal,” routable address. There are two kinds of NAT, often called static NAT and Hide NAT. Static NAT provides a one-to-one correlation between the illegal private address and the legal routable one. For example, the Web Server on 192.168.1.10 may be statically mapped to 39.136.195.47. Hide NAT is a many-to-one arrangement where the many illegal addresses behind some device appear to the Internet as one single address (often the legal address of the device itself). For example, the entire 172.25.1.0 network may hide behind the single valid IP address of the device at 38.111.56.96.

NAT Devices

There are three devices that typically perform NAT. They are routers, firewalls and proxy servers.

Hide Mode NAT

In hide mode, the external address of the NAT device “hides” most or all outgoing connections. To the Internet, it seems that all traffic originates from this single address, when it really comes from all different machines on the internal network. The traffic is differentiated at the NAT device by a table of port numbers. For example, the port used for Web Surfing is port 80 (http). If a client computer at 192.168.1.37 surfs to www.dell.com, the NAT device may assign that to port 20,134. When the response comes back, the firewall knows that anything directed to port 20,134 really goes to the client at 192.168.1.37. That way, more than one person can surf at the same time, using the same external IP address, but everything goes to the correct person.

Static Mode NAT

In static mode, there is a one-to-one correlation between internal (illegal, non-routable) and external (legal, routable) addresses. This must be the case if you wish to have an E-Mail server, Web server or any other service that is accessible from the Internet. DNS (Domain Name Service) publishes the IP Addresses of servers (or services) that are accessible. These published addresses must be legal and routable. The IP network of addresses available for this use is termed the “moat” network, below. A typical “moat” network looks like this:

| IP Address | Description |
|---|---|
| 209.146.2.40 | Network address |
| 209.146.2.41 | Available IP Address (usually assigned to the internal router interface) |
| 209.146.2.42 | Available IP Address (usually assigned to the external firewall interface) |
| 209.146.2.43 | Available IP Address (may be Web server?) |
| 209.146.2.44 | Available IP Address (may be E-Mail server?) |
| 209.146.2.45 | Available IP Address |
| 209.146.2.46 | Available IP Address |
| 209.146.2.47 | Broadcast Address |

A very interesting thing happens with static NAT, however. Since the router is at IP address 209.146.2.41, when it sees a packet destined for 209.146.2.43, it “arps” for the Web server. Since the router knows that it is on network 209.146.2.40/29 and the Web server address is 209.146.2.43, they should be on the same network. But they really aren’t. So when the router “arps” (uses the Address Resolution Protocol to find the Web server), the Web server will not answer, since it is really on network 192.168.1.0/24. To solve this problem, devices that perform static NAT also perform “proxy arp”.

Any device configured to do static NAT has a list of servers it will “answer for” when it hears an ARP request. It will essentially lie and say, “yes, I am that server, please send me the packet.” When it gets the packet, it forwards it to the real server.

A Typical Internet Connection Scenario

A very common small business-class (as opposed to home use) Internet connection looks like the following:

Figure 1: Common Firewalled Network Diagram--With Router

Figure 2: Common Firewalled Network Diagram--With Bridge

Figure 2: Common Firewalled Network Diagram–With Bridge

| Description | Network | IP Range |
|---|---|---|
| Company LAN | 192.168.1.0/24 | 192.168.1.1 to 192.168.1.254 |
| Service Network (DMZ) | 192.168.200.0/24 | 192.168.200.1 to 192.168.200.254 |
| Moat | 10.146.2.40/29 | 10.146.2.41 to 10.146.2.46 |
| Link Network | 10.146.37.28/30 | 10.146.37.29 to 10.146.37.30 |

| Network or Device | Default Gateway |
|---|---|
| Company LAN | 192.168.1.1 |
| Service Network (DMZ) | 192.168.200.1 |
| Firewall | 10.146.2.41 |
| ISP Router | 10.146.37.29 |

  • The Company LAN uses the private (RFC1918) address of 192.168.1.0/24.
  • There is a “Service Network” (AKA DMZ) for hosting Web Servers, FTP Servers, extranet (partner) connections, etc.
  • The Firewall is performing both hide NAT and Static NAT.
    • Hide NAT is that all outgoing connections from the 192.168.1.0 network are hidden behind the firewall’s address of 10.146.2.42.
    • Static NAT is that the E-Mail server on the company LAN has a “routable,” external IP address of 10.146.2.44, but an internal IP Address of 192.168.1.15.
  • The “Moat” network is the network between the external interface of the firewall and the internal interface of the router.
  • There is confusion about the term DMZ. Originally, the term DMZ was used to denote the “moat” network. Recently, however, the common usage has been that the DMZ is the “Service Network”. I have used “Service Network” and “Moat Network” to avoid confusion. The term “Moat Network” is not in common usage, however.

| Service | Internal Address | External Address | NAT Mode |
|---|---|---|---|
| Hide NAT | 192.168.1.0/24 | 209.146.2.42 | Hide |
| E-Mail Server | 192.168.1.15 | 209.146.2.44 | Static |
| Web Server | 192.168.1.10 | 209.146.2.43 | Static |
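To make the hide/static distinction and the proxy ARP “answer for” list concrete, here is an added Python model of the firewall in the scenario (my example, not code from the page or from any product). It uses the addresses from the table above; the Internet hosts in 203.0.113.0/24 are constructed test traffic, and the class and method names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the scenario tables: the LAN hides behind the firewall's
# external address; two servers have fixed one-to-one (static) mappings.
HIDE_NET = ipaddress.ip_network("192.168.1.0/24")
HIDE_EXTERNAL = "209.146.2.42"
STATIC_MAP = {                        # internal -> external
    "192.168.1.15": "209.146.2.44",   # E-Mail server
    "192.168.1.10": "209.146.2.43",   # Web server
}
FIRST_HIDE_PORT = 20134               # the page's example of an assigned port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Toy model of a firewall doing hide NAT and static NAT at the same time."""

    def __init__(self):
        self._by_ext_port = {}        # external port -> (internal ip, internal port)
        self._by_flow = {}            # (internal ip, internal port) -> external port
        self._next_port = FIRST_HIDE_PORT
        self._static_reverse = {ext: inn for inn, ext in STATIC_MAP.items()}

    def proxy_arp_answers_for(self) -> set:
        """External addresses the device must answer ARP requests for on the
        moat: every static NAT address (it answers for its own interface
        address anyway). Without this the router's ARP for .43/.44 is unanswered."""
        return set(STATIC_MAP.values())

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN for the Internet."""
        if pkt.src_ip in STATIC_MAP:  # static: fixed 1:1, port unchanged
            return Packet(STATIC_MAP[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if ipaddress.ip_address(pkt.src_ip) in HIDE_NET:   # hide: many-to-one
            flow = (pkt.src_ip, pkt.src_port)
            ext_port = self._by_flow.get(flow)
            if ext_port is None:      # new flow: allocate the next free port
                ext_port = self._next_port
                self._next_port += 1
                self._by_flow[flow] = ext_port
                self._by_ext_port[ext_port] = flow
            return Packet(HIDE_EXTERNAL, ext_port, pkt.dst_ip, pkt.dst_port)
        raise ValueError(f"no NAT rule covers source {pkt.src_ip}")

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet; None means drop it."""
        if pkt.dst_ip in self._static_reverse:   # static: reachable unsolicited
            return Packet(pkt.src_ip, pkt.src_port,
                          self._static_reverse[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == HIDE_EXTERNAL:
            flow = self._by_ext_port.get(pkt.dst_port)
            if flow is None:          # nobody inside asked for this: drop
                return None
            return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])
        return None                   # not one of our addresses
```

Two LAN clients surfing to the same site get distinct external ports, and a reply to a port nobody opened is dropped, which is the “increased security” of hide NAT in the Advantages list.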

Appendixes

Subnet Masks: Decimal and CIDR

| CIDR | Decimal Mask | Old Class | A Subnets | B Subnets | C Subnets | # Useable | # Hosts |
|---|---|---|---|---|---|---|---|
| 8 | 255.0.0.0 | A | 1 | | | 16,777,214 | 16,777,216 |
| 9 | 255.128.0.0 | A | 2 | | | 8,388,606 | 8,388,608 |
| 10 | 255.192.0.0 | A | 4 | | | 4,194,302 | 4,194,304 |
| 11 | 255.224.0.0 | A | 8 | | | 2,097,150 | 2,097,152 |
| 12 | 255.240.0.0 | A | 16 | | | 1,048,574 | 1,048,576 |
| 13 | 255.248.0.0 | A | 32 | | | 524,286 | 524,288 |
| 14 | 255.252.0.0 | A | 64 | | | 262,142 | 262,144 |
| 15 | 255.254.0.0 | A | 128 | | | 131,070 | 131,072 |
| 16 | 255.255.0.0 | B | 256 | 1 | | 65,534 | 65,536 |
| 17 | 255.255.128.0 | B | 512 | 2 | | 32,766 | 32,768 |
| 18 | 255.255.192.0 | B | 1,024 | 4 | | 16,382 | 16,384 |
| 19 | 255.255.224.0 | B | 2,048 | 8 | | 8,190 | 8,192 |
| 20 | 255.255.240.0 | B | 4,096 | 16 | | 4,094 | 4,096 |
| 21 | 255.255.248.0 | B | 8,192 | 32 | | 2,046 | 2,048 |
| 22 | 255.255.252.0 | B | 16,384 | 64 | | 1,022 | 1,024 |
| 23 | 255.255.254.0 | B | 32,768 | 128 | | 510 | 512 |
| 24 | 255.255.255.0 | C | 65,536 | 256 | 1 | 254 | 256 |
| 25 | 255.255.255.128 | C | 131,072 | 512 | 2 | 126 | 128 |
| 26 | 255.255.255.192 | C | 262,144 | 1,024 | 4 | 62 | 64 |
| 27 | 255.255.255.224 | C | 524,288 | 2,048 | 8 | 30 | 32 |
| 28 | 255.255.255.240 | C | 1,048,576 | 4,096 | 16 | 14 | 16 |
| 29 | 255.255.255.248 | C | 2,097,152 | 8,192 | 32 | 6 | 8 |
| 30 | 255.255.255.252 | C | 4,194,304 | 16,384 | 64 | 2 | 4 |
| 31 | 255.255.255.254 | C | N/A | N/A | N/A | N/A | N/A |
| 32 | 255.255.255.255 | C | BC | BC | BC | Broadcast | Broadcast |

Notes:

  1. The “# Useable” series can be derived by “previous # Useable x 2 + 2”.
  2. The “# Useable” series can be derived by “# Hosts - 2”.
  3. The “# Hosts” series can be derived by “previous # Hosts * 2”.
  4. The “# Hosts” series can be derived by “# Useable + 2”.
  5. The number of subnets is only correct under CIDR. Using the old classful numbers it is “# CIDR Subnets - 2”.
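The mask table and the notes above are one instance of a general rule, and the range tables earlier are the lookup a border filter performs. Here is an added Python example (mine, not code from the page) that derives any row of the mask table from the prefix length and classifies an address against the RFC1918 and reserved ranges listed above; the function names and the “bogon source” check are my own, and the dated 14/8 and 24/8 entries are deliberately left out.

```python
import ipaddress

# The "classic" RFC1918 blocks from the private ranges table.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges from the "Other useful Ranges" table that are still reserved today.
SPECIAL_BLOCKS = {
    "this-net": ipaddress.ip_network("0.0.0.0/8"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "testnet": ipaddress.ip_network("192.0.2.0/24"),
    "6to4-anycast": ipaddress.ip_network("192.88.99.0/24"),
    "benchmarking": ipaddress.ip_network("198.18.0.0/15"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "class-e": ipaddress.ip_network("240.0.0.0/4"),
}


def mask_row(prefix: int) -> dict:
    """Derive one row of the "Subnet Masks: Decimal and CIDR" table.

    hosts   = 2 ** (32 - prefix)           ("# Hosts")
    useable = hosts - 2                    ("# Useable": minus network and broadcast)
    subnets = 2 ** (prefix - class_bits)   (how many fit in one old A /8, B /16, C /24)
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    hosts = 2 ** (32 - prefix)
    # /31 and /32 leave no room for a network and a broadcast address in the
    # classic model; the table marks them N/A and Broadcast, so report 0 useable.
    useable = hosts - 2 if prefix <= 30 else 0
    old_class = "A" if prefix < 16 else "B" if prefix < 24 else "C"
    subnets = {cls: (2 ** (prefix - bits) if prefix >= bits else None)
               for cls, bits in (("A", 8), ("B", 16), ("C", 24))}
    return {"cidr": prefix, "mask": str(ipaddress.IPv4Address(mask_int)),
            "old_class": old_class, "subnets": subnets,
            "useable": useable, "hosts": hosts}


def classify(addr: str) -> str:
    """Name the reserved range an address falls in, or "public"."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in blk for blk in PRIVATE_BLOCKS):
        return "rfc1918"
    for name, blk in SPECIAL_BLOCKS.items():
        if ip in blk:
            return name
    return "public"


def is_bogon_source(addr: str) -> bool:
    """True if a packet arriving from the Internet with this source address
    should be dropped: RFC1918 and the other reserved ranges are never valid
    public sources, which is the filtering the Bogon List reference is for."""
    return classify(addr) != "public"
```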

RFC1918: Address Allocation for Private Internets

URL: http://www.faqs.org/rfcs/rfc1918.html

Excerpt:

3. Private Address Space

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

   We will refer to the first block as "24-bit block", the second as
   "20-bit block", and to the third as "16-bit" block. Note that (in
   pre-CIDR notation) the first block is nothing but a single class A
   network number, while the second block is a set of 16 contiguous
   class B network numbers, and third block is a set of 256 contiguous
   class C network numbers.

   An enterprise that decides to use IP addresses out of the address
   space defined in this document can do so without any coordination
   with IANA or an Internet registry. The address space can thus be used
   by many enterprises. Addresses within this private address space will
   only be unique within the enterprise, or the set of enterprises which
   choose to cooperate over this space so they may communicate with each
   other in their own private internet.

Time Synchronization

Old Content

This content is old! It’s still useful, but it’s old, and there may be bit rot, newer/better tools or ways to do things. Sanity check and do your research.

Daylight Saving Time Switch

In 2007, the US and Canada, as well as others, changed the rules for when Daylight Saving Time begins and ends. In my opinion this is sheer idiocy, but then, they didn’t ask me. Anyway, it really screwed up quite a lot of things, many of which are not in our power to easily fix (GPS, car GPS, VCRs, embedded systems like cheap routers, and much more). Here are some resources:


Importance

If time is not consistent across your network:

  1. ISO/IEC 17799:2000(E) (AKA BS7799), clause 9.7.3 specifies “Clock synchronization:” “[…]Where a computer or communications device has the capability to operate a real-time clock, it should be set to an agreed standard, e.g. Universal Coordinated Time (UCT) or local standard time. As some clocks are known to drift with time, there should be a procedure that checks for and corrects any significant variation.”
  2. Event Logging, Auditing or Intrusion Detection across different systems becomes very difficult.
  3. Many cryptographic functions, especially those involving key creation, exchange and expiration, as well as “ticketing” functions such as used by Kerberos require precise time synchronization.
  4. Event or program scheduling may not work as expected.
  5. Client/Server transactions may not work as expected (transaction precedence is incorrect).
  6. There may be legal issues when submitting logs or other material as evidence if the time is not known to be correct.[1]
  7. Security certificates, WWW Cookies, DHCP and WINS leases may not work as expected.
  8. High Availability or clustering solutions may depend on members’ clocks being exactly synchronized.
  9. File creation and access times will be wrong across different computers, thus:
    1. Differential, Incremental or other backups may not work as expected.
    2. Revision control systems (such as CVS) may not work properly.
    3. E-Mail Message time stamps may be wrong, leading to unexpected transmission issues.
  10. NetWare NDS will not work right unless all NDS servers have the same time.
  11. Neither will Active Directory, even though it says it will. If you have an object collision (two objects are modified at the same time by different people on different masters) the time stamp is used to help resolve the conflict. If time is not synchronized, the results will not be as expected.

For more uses or requirements for time synchronization, search the RFCs for other RFCs that specify the use of NTP.


Time & Time Tips

Fascinating book review and thread on NTP and time issues at Slashdot.

  • Why is UTC used as the acronym for Coordinated Universal Time instead of CUT? In 1970 the Coordinated Universal Time system was devised by an international advisory group of technical experts within the International Telecommunication Union (ITU). The ITU felt it was best to designate a single abbreviation for use in all languages in order to minimize confusion. Since unanimous agreement could not be achieved on using either the English word order, CUT, or the French word order, TUC, the acronym UTC was chosen as a compromise.

  • Which is correct, UTC or GMT? Does GMT have summer time? From http://wwp.greenwichmeantime.com/home.htm During the Summer the UK is on British Summer Time which is 1 hour ahead of GMT (GMT+1). […] GMT is fixed all year and does not switch to daylight savings time. […] Although GMT has been replaced by atomic time (UTC) it is still widely regarded as the correct time for every international time zone. Greenwich Mean Time is international time, the basis of the world time clock. Marks precision time and military time (sometimes called Zulu Time). […]

  • What are some critical and significant dates in computing? See J R Stockton’s Critical and Significant Dates.

  • Hey, what time is it anyway? About comp.protocols.time.ntp: life imitates art.


Time Synchronization Tools

NTP Tools for Windows

  • First read public NTP time servers for everyone and the NTP Pool for vendors.
  • By far the best NTP client and server that I found is Tardis. It runs as an NTP client and NTP server. There is one version that is an NT4/Win2K service, and another that runs as a normal application under Win9x/ME. It has only one minor problem – it’s not free. It runs from $20 to $2,000 USD, see the web site for details.
  • The next best is the “official” NTP package from David Mills. Only the source is available from the Time Server site, but compiled binaries for Windows are available.
  • NTP for Windows NT/2000/XP/2003/Vista is an NTP for Windows binary port and installer, along with a cool monitoring GUI.
  • If you own the NT Resource Kit (or a newer ResKit), you should look into the NTRK TimeServ utility. While you can only get the TimeServ tool from the NTRK, you can find more information about it, and time in general at Doug Hogarth’s Niceties site, specifically the TimeServ page. Also see other built-in Windows options below.
  • Tom Horsley’s NTP Time for Windows is a nice NTP client program. It is free, but is a client only, and can be configured to talk to only one NTP server at a time. NTP works much better when referencing a pool of servers.
  • I have also used the very cool AboutTime program, which is a Daytime/TCP, Time/TCP, Time/UDP and SNTP client and server. It runs under any Windows version, but does not run as a service. It is free!
  • I’ve used Dimension4, which is a free client for Time and NTP.
  • There are also Tardis/K9, which are excellent shareware tools.
  • And for a minimalistic web site but neat sounding tool, see Graham Mainwaring’s NetTime, at Sourceforge.

The Microsoft Networking “Net Time” Command

Displays the time on or synchronizes your computer’s clock with the shared clock on a Microsoft Windows for Workgroups, Windows NT, Windows 95, or NetWare time server.

NET TIME [\\computer | /WORKGROUP:wgname] [/SET] [/YES]

  computer    Specifies the name of the computer (time
              server) whose time you want to check or
              synchronize your computer's clock with.

  /WORKGROUP  Specifies that you want to use the clock on a
              computer (time server) in another workgroup.

  wgname      Specifies the name of the workgroup containing
              a computer whose clock you want to check or
              synchronize your computer's clock with. If
              there are multiple time servers in that
              workgroup, NET TIME uses the first one it
              finds.

  /SET        Synchronizes your computer's clock with the
              clock on the computer or workgroup you
              specify.

  /YES        Carries out the NET TIME command without
              first prompting you to provide information or
              confirm actions.

For example, if your PDC is named MYPDC, the following command in a shortcut in your Startup Group, or in a logon script, will synchronize a client PC’s time at logon. Note that if your clients never log off, this will not work. Of course, that’s very bad for other reasons. This works for any system that runs Microsoft Networking. You can even sync against a Linux server running Samba with this command, if you’d like!

net time \\MYPDC /set /yes

Win2K NTP Time Service

Win2K has a very simple SNTP facility built in: “net time /setsntp[:NTP server list]”. See the following for more information:

Here is the batch file I use, since I find the documentation lacking and the usage statement obscure:

@echo off
REM Win2k-SNTP.bat -- Set Win2K SNTP service
REM v1.0 25-May-2001 JP Vossen JPATjpsdomainDOTorg

REM v1.1 22-Jun-2001 JPV Changed to use home NTP time source only

rem NOTE: The Win2K "Windows Time" service is manual by default, so you have to
rem set it to automatic and start it. Also, it will attempt to use all specified
rem time sources and get an "average" so only specify servers that will be
rem available at all times. Do not use the list as a set of sequential
rem "failover" servers (as I did in v1.0 of this).

rem NET TIME /SETSNTP:"192.168.1.11 172.16.1.1 10.1.1. 10.1.1.2"
NET TIME /SETSNTP:"192.168.1.11"

You can see how it’s currently set by using this command: “net time /querysntp” which will return something like:

The current SNTP value is: 192.168.1.11
The command completed successfully.

NTP Tools for Netware

  1. First read public NTP time servers for everyone and the NTP Pool for vendors, don’t use the ones listed in TID 10011518.
  2. Set one NetWare server as the SINGLE Reference server. This server will sync itself to the NTP time.
    • Load MONITOR.NLM | Server Parameters | Time, change the following parameters
      • Default Time Server Type = SINGLE
      • TIMESYNC Configured Sources = ON
      • TIMESYNC Time Sources = <2-4 NTP time sources>:123; Where 123 is the NTP port on that time source.
        • Example: TIMESYNC Time Sources = 172.31.1.1:123;172.31.2.1:123;172.31.3.1:123;
  3. Set any/all other NetWare servers as SECONDARY.

For a larger or multi-site network, use a REFERENCE/PRIMARY/SECONDARY hierarchy instead:

  1. First read public NTP time servers for everyone and the NTP Pool for vendors, don’t use the ones listed in TID 10011518.
  2. Set one NetWare server as the REFERENCE server. This server will sync itself to the NTP time.
    • Load MONITOR.NLM | Server Parameters | Time, change the following parameters
      • Default Time Server Type = REFERENCE
      • Time Server Type = REFERENCE
      • TIMESYNC Configured Sources = ON
      • TIMESYNC Time Sources = <At least one PRIMARY server>;<2-4 NTP time sources>:123;
  3. Set one other NetWare server at the main site, and one NetWare server at each remote site as a PRIMARY server.
    • Load MONITOR.NLM | Server Parameters | Time, change the following parameters
      • Default Time Server Type = PRIMARY
      • Time Server Type = PRIMARY
      • TIMESYNC Configured Sources = ON
      • TIMESYNC Time Sources = <Your REFERENCE server from step 2>;
  4. Set all other NetWare servers as SECONDARY.
    • Load MONITOR.NLM | Server Parameters | Time, change the following parameters
      • Default Time Server Type = SECONDARY
      • Time Server Type = SECONDARY
      • TIMESYNC Configured Sources = ON
      • TIMESYNC Time Sources = <The closest PRIMARY server from step 3>;

Note: usually, the REFERENCE server does not ever change its own time; it just serves the time. However, when using NTP, the REFERENCE server will adjust its local clock to synchronize with the NTP time source. See the middle of TID 10050215.

Thanks to Steve Schrank & Bob Kulp for some of these Netware pointers.

NTP Tools for UNIX

See the following articles as well. They are Sun centric, but still relevant for other UNIX systems:

NTP for Cisco IOS

Thanks to Greg Sottile for this section on IOS.

With that said, the commands are the following:

| IOS Command | Description |
|---|---|
| clock timezone est -5 | Set your correct time zone. |
| clock summer-time edt recurring | Set daylight savings. |
| ntp master 6 | Become an NTP server. |
| ntp update-calendar | Periodically set calendar from an NTP server. Supported by 7000, 7200, 4500. |
| ntp server {insert your favorite NTP server here} | NTP server from which to get the time. |

NTP for Nokia IPSO

IPSO comes with xNTP, but you can’t change the default polling, which is something like every minute and a half. Until Voyager is enhanced to provide this capability, there is no easy way to do it. You could edit the ntp.conf file, but Voyager will overwrite it at bootup.

S50fixntp.sh is a script I got from Nokia support database resolution 3808 (Thanks Dameon), with minor modifications and additional documentation. Read the code for more details. Then read public NTP time servers for everyone and the NTP Pool for vendors.

Other Lists of Time Client and/or Server Programs


Time Protocols

| Port | Name | Description/Accuracy | Source |
|---|---|---|---|
| 13 tcp/udp | Daytime | Returns the day and time in an ASCII string. No accounting for different time zones, daylight savings, etc. Very inaccurate. | RFC867 |
| 37 tcp/udp | Timeserver | Returns the number of seconds since 00:00 (midnight) 1 January 1900 GMT, such that the time 1 is 2:00:01 am on 1 January 1900 GMT. No accounting for different time zones, daylight savings, etc. Very inaccurate. | RFC868 |
| 52 tcp/udp | Xns-time | Xerox Time | (RFC1700) |
| 123 tcp/udp | NTP/SNTP | NTP (Network Time Protocol) or SNTP (Simple Network Time Protocol). Accurate to the limitations of the clock hardware. | RFC1305, RFC2030 |
| 309 | EntrusTime | ??? Entrust Time protocol ??? | GnatBox Admin Tool |
| 519 tcp/udp | unixtime | utime | (RFC1700) |
| 525 tcp/udp | Timeserver | Timed | (RFC1700) |
| 1506 | Utcd | UTC (Universal Time Coordinated, AKA GMT, AKA Zulu) daemon | GnatBox Admin Tool |

Notes:

  1. Protocols marked with ( RFC1700) are listed, but not defined in the RFC.
  2. Protocols marked with GnatBox Admin Tool are listed in the services list in the executable.
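As an added example (my code, not the page’s or any tool’s), the arithmetic behind the port 37 and port 123 rows: both count seconds from 00:00 1 January 1900, and an SNTP client (RFC 2030) uses four timestamps to compute its clock offset and the round-trip delay. The server reply is constructed inline so the block runs offline; the live query function needs network access and is not exercised here, and all function names are mine.

```python
import socket
import struct
import time

# RFC 868 "Time" and NTP/SNTP both count seconds from 1900; Unix from 1970.
NTP_EPOCH_OFFSET = 2_208_988_800
NTP_PORT = 123
PACKET_FORMAT = "!BBBbIIIQQQQ"   # the 48-byte NTP header: flags, stratum, poll,
                                 # precision, root delay/dispersion, ref id,
                                 # reference, originate, receive, transmit stamps


def rfc868_to_unix(seconds_since_1900: int) -> int:
    """Convert a port-37 Time protocol value to Unix time (whole seconds)."""
    return seconds_since_1900 - NTP_EPOCH_OFFSET


def to_ntp_timestamp(unix_time: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit binary fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2**32)
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def from_ntp_timestamp(ts: int) -> float:
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / 2**32


def build_sntp_request(t1_unix: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3 packed into the first byte (0x23);
    our send time T1 travels in the Transmit Timestamp field."""
    return struct.pack(PACKET_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                       to_ntp_timestamp(t1_unix))


def make_server_response(request: bytes, t2_unix: float, t3_unix: float,
                         stratum: int = 2) -> bytes:
    """Constructed reply for offline testing (not a real server): mode 4, the
    client's Transmit stamp echoed as Originate, Receive=T2, Transmit=T3."""
    client_t1 = struct.unpack(PACKET_FORMAT, request)[10]
    return struct.pack(PACKET_FORMAT, 0x24, stratum, 0, -20, 0, 0, 0, 0,
                       client_t1, to_ntp_timestamp(t2_unix), to_ntp_timestamp(t3_unix))


def parse_sntp_response(data: bytes, t4_unix: float) -> dict:
    """Validate a reply and compute offset and round-trip delay (RFC 2030 section 5):
    offset = ((T2 - T1) + (T3 - T4)) / 2,  delay = (T4 - T1) - (T3 - T2).
    A positive offset means the local clock is behind the server."""
    if len(data) < 48:
        raise ValueError("short packet")
    f = struct.unpack(PACKET_FORMAT, data[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 0x07, f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:   # kiss-o'-death: the server is telling us not to use it
        raise ValueError("stratum 0 reply: do not set the clock from this")
    if li == 3:        # leap indicator 3 = server's own clock is unsynchronized
        raise ValueError("server reports its clock is not synchronized")
    t1, t2, t3 = (from_ntp_timestamp(f[i]) for i in (8, 9, 10))
    offset = ((t2 - t1) + (t3 - t4_unix)) / 2
    delay = (t4_unix - t1) - (t3 - t2)
    return {"offset": offset, "delay": delay, "stratum": stratum}


def query_sntp(host: str, timeout: float = 2.0) -> dict:
    """Live query (needs network): one request, one reply, then the math above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_sntp_request(t1), (host, NTP_PORT))
        data, _ = s.recvfrom(48)
        return parse_sntp_response(data, time.time())
```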

  1. See Securing Windows NT/2000 Servers for the Internet by Stefan Norberg, page 153. ↩︎