Hank Nussbacher HANK at
Tue Nov 28 13:11:21 UTC 1995

                            The CIDR FAQ
                              Version 5
                          15 November 1995
 The following document is a collection of Frequently Asked Questions
 about CIDR.  This document is not meant to be a networking/routing
 guide and tutorial.  Where appropriate pointers to other documents
 of a more general nature have been mentioned.

 Updates from a previous version are marked with a '|' in column 1.

 If you have any questions you would like added, please send them to
 the editor mentioned below:

 Hank Nussbacher (Tel Aviv University and IBM Israel)
 hank at or hank at

 If you would like to "discuss" items from this FAQ please send
 your mail to cidrd at

 This FAQ is being distributed to the following groups and lists:
 nanog at
 inet-access at
 iap at
 local-ir at
 cidrd at
|local-ir at

 To retrieve the most up-to-date version of this document:

 General questions

 1. What does CIDR stand for?

    CIDR stands for Classless Inter-Domain Routing and is documented
    in RFC1517/1518/1519/1520.  CIDR is an effective method to
    stem the tide of IP address allocation as well as routing table
    overflow.  Without CIDR having been implemented in 1994 & 1995,
    the Internet would not be functioning today.

    Basically, CIDR eliminates the concept of class A, B, and C
    networks and replaces this with a generalized "IP prefix".  CIDR
    can be used to perform route aggregation in which a single route
    can cover the address space of several "old-style" network
    numbers and thus replace a lot of old routes.  This lessens the
    local administrative burden of updating external routing, saves
    routing table space in all backbone routers and reduces route
    flapping (rapid changes in routes), and thus CPU load, in all
    backbone routers.  CIDR will also allow delegation of pieces of
    what use d to be called "network numbers" to customers, and
    therefore make it possible to utilize the available address space
    more efficiently.

    See question #6 below for details on "IP prefix"s.

 2. What is an ASN?

    ASN stands for Autonomous System Number and acts to merge many
    networks into a logical domain.

 3. What is BGP?

    BGP stands for Border Gateway Protocol and is the de-facto
    standard for routing between Autonomous Systems in the Internet.
    All communications between Internet Service Providers (ISP) is
    handled via BGP4 which supports CIDR.

 4. Why should I make the effort and convert my routing to be

    The routing tables in the Internet have been growing as fast
    as the Internet and the router technology specifically and
    computer technology in general has not been able to
    keep pace.  In December 1990 there were 2190 routes and 2 years
    later there were over 8500 routes.  In July 1995 there are now over
    29,000 routes, which require approximately 10 MB in a router with a
    single peer.  Routers at interconnection points (or multi-homed
    hosts doing full routing with many peers) receive these routes from
    several peers, and need several dozen megabytes of RAM (and the
    appropriate CPU horsepower) to handle this. A list of those routers
    that can handle this appears at the end of this question. Routers
    with 64MB of memory have the capacity for approximately 60,000
    routes after which some routes will just have to be left out of
    the global routing tables, and the more likely ones to be left out
    are routes covering small pieces of address space.

    Without the CIDRization work that has gone on for the past 2 years
    the routing tables would be in excess of 65,000 routes.  By
    CIDRizing you help the Internet reduce the routing overload
    as well as increasing the liklihood that in the future your
    routes will be carried by all ISPs.

    The major benefit of CIDR is to allow for continuous, uninterrupted
    growth of the Internet. For a significant percentage of sites
    connected to the Internet the value of the Internet increases with
    the total number of sites connected to the Internet. Therefore,
    taking steps needed to allow for continuous uninterrupted growth
    (like CIDRizing, or renumbering) is beneficial to such sites.

    The routers today that are available to handle the full routing
    table are:

    cisco 7000 w/ 64Mb
    cisco 4500 w/ 32Mb
    IBM ENSS and CNSS w/ 64Mb
    BayNetworks models AN/ASN/BLN/BCN  w/ 32Mb

 5. Can you give an example of a simple CIDR configuration for a
    cisco router?

    The following example creates 2 aggregates and suppresses
    any more specific addresses that may be contained within
    those aggregates.  The access-list causes only those nets
    to be distributed as listed, and not any others that may
    exist in the BGP routing tables.

    router bgp 64100
    no synchronization
    aggregate-address summary-only
    aggregate-address summary-only
    neighbor remote-as 65000
    neighbor distribute-list 12 out
    default-metric 70
    access-list 12 permit
    access-list 12 permit

|   Another method might be:
|   router bgp 64100
|   no synchronization
|   aggregate-address
|   aggregate-address
|   neighbor remote-as 65000
|   neighbor distribute-list 102 out
|   default-metric 70
|   !
|   access-list 102 deny
|   access-list 102 deny

    An alternate method is via network and route statements:

    router bgp 64100
    no synchronization
    network mask
    network mask
    neighbor remote-as 65000
    default-metric 70
    ip route Null0 254
    ip route Null0 254

    In this case, only those routes explicitly mentioned in "network"
    statements will be announced with BGP.  For these routes to be
    announced, there has to be a corresponding route in the IP
    forwarding table, thus the need to create the static routes.  The
    static routes will also serve as "pull-ups" for the route
    advertisements and thus prevent route flapping: these routes will
    always be announced with BGP by this router.  Note that as long
    as more specific routes exist internally in your network, these
    will be used in preference to the static "less specific" route
    entries (longest prefix matching is being used).

    A good rule to follow is to never redistribute IGP learnt routes
    directly into BGP, but to rather use network or aggregate-address
    statements.  And if you must redistribute dynamically learnt IGP
    routes into BGP, you MUST use filtering.

    The reasons for this advice are several, some of which are:

    1) if your IGP is classful (e.g. RIP or IGRP) you will by
       default not do any route aggregation
    2) if you have an internal stability problem (accidents do
       happen), this will be reflected as a "route flap" in the whole
       routing system, globally burning CPU cycles better spent on
       other things
    3) if the IGP -> BGP transition is unrestricted, this can lead to
       false routing information escaping from your network
       (especially if you do not fully have administrative control
       over your IGP)

 6. What do all these /16s and /24s mean in my BGP tables?

    This refers to the number of bits of the network part of the
    IP address.  A former class B may appear as,
    which is the same as 256 class C's which can appear as  A single class C appears as
    These "things" are often called an "IP prefix", which
    consists of an IP address and a mask length.  The mask length
    specifies the number of leftmost contiguous significant bits in
    the corresponding IP address.  Thus, an IP prefix with a prefix
    length of 15 (denoted /15) covers the address space of 128k IP
    addresses, and a /17 covers the address space of 32k IP

    Here is a table of the more popular CIDR blocks:

                      # of
    CIDR              class C
    block             nets
    ----              ----
    /27               1/8
    /26               1/4
    /25               1/2
    /24                 1
    /23                 2
    /22                 4
    /21                 8
    /20                16
    /19                32
    /18                64
    /17               128
    /16               256  = 1 former class B
    /15               512
    /14              1024
    /13              2048

    In general, advertising a prefix covering less address space than
    a /24 prefix will probably not get into the global routing
    tables, and global Internet connectivity is less likely to
    happen.  Note that for you as an administrator of an AS, it is a
    good idea to announce as few prefixes as possible and to utilize
    the address space as much as possible.

|   A more comprehensive table came out in October 1995 as:
|   RFC1860: Variable Length Subnet Table For IPv4
|   This RFC is being revised and a new one will be out shortly.

 7.  Do I need to carry the full Internet routing table?  When would it
     be necessary?  What routers on the Internet carry full routing
     tables and how much memory is needed?

     No you do not need to carry the full Internet routing table.  If
     you are single-homed, meaning you have a single connection to an
     ISP, then all you need to do is point a default route to the
     ISP and tell your ISP not to send you the full routing table.  If
     you are multi-homed, you will want to know which nets to route
     via connection A and which nets to route via connection B.  The
     easiest way to do this is to request a partial routing table
     from one ISP - with those nets that are closest to them, and default
     everything else to the other ISP.  This way your routing tables
     need not contain the entire Internet universe but only a small

     The closer you get to the hub or nexus of the Internet, the larger
     your routing tables need to be.  For example, those connected to
     public exchange points (like the NAPs, CIX, STIX, LINX, dGIX) in
     general, carry full routing tables and run without a default

 8.  What is there in the Internet to stop me from making a mistake and
     announcing via BGP an aggregate that is larger than the nets I am
     in charge of?

     In principle there is nothing to stop you.  The responsibility falls
     on both ends of the BGP link - you are responsible to filter what
     you announce and the receiving end - if it has its act together -
     filters also what it *thinks* it should be hearing from you so as
     prevent mistakes on your part.  Those sites that do not work with
     access lists and filters and just readily accept what is sent to
     them are just waiting for a problem to happen.

     Filtering can either be done at the IP network level or at the
     BGP path (BGP orgin AS) level.  See question 20 below for details
     on a tool to assist in filtering.

  9. Who has to renumber with CIDR ?

     Sites that move from one ISP to another, and who had been allocated
     addresses from their original ISP's CIDR block, in all likelihood
     will have to return those addresses as part of the move. The reason
     is to keep the number of prefixes in the global routing system
     within the limits of current technology.

|    For further hints and procedures for renumbering, see the PIER
|    (Procedures for Internet/Enterprise Renumbering) homepage at:

 Specific questions

 10. I have a /16 but have registered parts of it as /24s in the RADB.
     I now want to CIDRize.  The problem is parts of the /16s are
     missing and are routed via a different ASN.  Can you explain how
     more specific routes override more general ones and will I hurt my
     routing if I just advertise the /16 and not a bunch of /20s and

     There are two aspects to the answer:

     1) Real (BGP) world:  Given there are several AS's sharing addresses
     out of a /16 prefix, every AS should advertise exactly those
     prefixes which it is really originating.  However, if there is one
     AS "originating" a significant majority of this address space, the
     concerned AS's might agree that this one and only advertises the /16
     and all others their more specifics. The more specifics always take
     precedence over the less specific.

     2) Routing registry:  The registry DB, of course, should always
     reflect reality.  If in the above example the AS's agree on the "big
     AS" announcing the /16, the "big AS" should document with the
     route-object that it's not really originating the whole aggregate
     by using "hole" attributes (see ripe.181, 5. The Route Object).

 11. How can I redistribute our IGP routes (IGRP) so that they become
     aggregated when sent out via BGP?

     It is strongly discouraged to redistribute IGPs into BGP, because
     local IGP configuration errors might easily corrupt routing
     information of the whole Internet.  If, however, you have to do
     it anyway, you MUST use strict distribute-lists with explicit
     permits (or route-maps) for redistribution.  Here is an example
     for a Cisco configuration:

     router bgp 64100
     aggregate-address summary-only
     aggregate-address summary-only
     redistribute igrp 64100 route-map origin-AS64100
     ! or:
     ! redistribute igrp 64100
     ! distribute-list 10 out igrp 64100
     route-map origin-AS64100 permit 10
     match ip address 10
     access-list 10 permit
     access-list 10 permit
     access-list 10 permit

     This example would generate one route 192.168/18 and one route
     172.16/15 if any of the contained networks is in the IGP.

 12. I am multihomed to three ISPs and can only CIDRize to two of them
     but to the third I need to still announce specific nets.  What
     damage will this do to my AS?

     No damage can be done if the non-CIDR peer does not further
     announce your specifics to the global Internet.  If your non-CIDR
     ISP DOES announce your specifics to the global Internet those
     specifics will have preference over the less specifics and
     therefore all traffic to you will get routed through the non-CIDR

 13. I don't want to CIDRize.  Can someone do proxy aggregation for me?

     Proxy aggregation should only be done with great care and should
     be avoided if you are not single-homed !  If you are single-homed
     ask your ISP.

     Others may proxy aggregate over your address range without your
     consent, and send your traffic over paths/links not of your
     choosing.  Use of Routing Registries may help to identify and
     correct these problem areas.

 14. What routers on the market today do support CIDR (classless

     Routers that are capable of handling CIDR are:

     - all Cisco routers running 10.0 or higher
     - all Bay Networks routers running 8.01 or higher
     - 3Com Netbuilder II and Netbuilder Remote Office
     - Telebit EMPB
     - Unix w/ BSD/OS 2.0 w/ gated 3.5alpha_11 + radix-fixes
     - IBM 2210 routers

 15. How do I reach other parts of a subnetted old-style network when
     I have only partial routing information for that same old-style

     There are actually three ways to solve this particular problem
     with Cisco's software.  Which of them applies will depend on
     what software version is involved:

      o Preferred solution: turn on "ip classless" in your routers and
        use a default route inside your AS.  The "ip classless"
        command prevents the existence of a single "subnet" route from
        blocking access via the default route to other subnets of the
        same old-style network.

      o Workaround for 9.1 or later software where the "ip classless"
        command is not available: install a "default network route"
        like this: "ip route next-hop" along the
        axis your default route would normally take.

      o Workaround for 9.0 or older software: create a "default
        subnet route": "ip route 39.x.y.0 next-hop" combined with "ip
        default-network 39.x.y.0", otherwise as the 9.1 fix.

     Both of the latter solutions rely on static routes, and in the
     long run these will be impossible to maintain.  In some
     topologies the use of static routes can be a problem (e.g. if you
     have more than one possible exit point from your AS to choose

 Supplemental information

  The following information is presented as supplemental information
  that is related to the CIDRization process.

 16. What is the Internet Routing Registry?

     The IRR is a way for ASN's to publicize their own intended
     routing policies without having to request a change from a

     The RAdb which stands for the Routing Arbiter Data Base, which
     is part of the IRR, is part of a joint project between Merit and
     ISI. For full details contact:

     The Routing Arbiter is a project of the US National Science
     Foundation.  As part of that project, it runs a routing
     registry database.

     That database (the RAdb) forms part of the IRR collection
     of databases.  The RIPE database is not part of the RAdb
     but does participate in the IRR.  At present, there are
     five entities that contribute to the IRR effort and more
     are expected.  Today, all the contributing registries use the
     RIPE-181 database format.

     All IRR participants can be contacted via automail handlers
     that accept batch updates via email. An example of a routing
     update appears below:

     password: xxxxxxxx
     *de: NET-IEC
     *or: AS378
     *mb: AS378-MNT
     *ch: hank at 950724
     *so: RIPE

     The *rt: tag identifies the net and the routing policy is based on
     *or: tag.  An example of a routing policy is presented below:

     aut-num:     AS378
     descr:       ILAN
     descr:       Israeli Academic and Research Network
     as-in:       from AS1755 100 accept ANY
     as-in:       from AS174 100 accept ANY
     as-in:       from AS3339 100 accept AS3339
     as-out:      to AS1755 announce AS378 AS3339
     as-out:      to AS174 announce AS378 AS3339
     as-out:      to AS3339 announce ANY
     default:     AS174 10
     default:     AS1755 20
     default:     AS3339 30
     guardian:    HANK at
     mnt-by:      AS378-MNT
     admin-c:     Hank Nussbacher
     tech-c:      Hank Nussbacher
     changed:     hank at 950627
     source:      RIPE

     For further details read over, and (via anonymous ftp from

|17. Are there any statistics available as to aggregation in the
|    Internet?

|    COUNTS OF RADB PREFIXES BY LENGTH - The number of Route objects
|    registered in the RADB, with active and withdrawn routes listed
|    by prefix length.  Data from the current week is available from:
|           counts-by-prefix/Summarize_prefix.current
|    Reports from previous weeks are available from:
|              counts-by-prefix/summarize_prefix.yymmdd
|    summary of unique prefixes registered in the IRR.  Routes are
|    summarized by the first octet of the network number.  If routes
|    within a prefix can be aggregated, a count is printed for each
|    prefix length that has a different count after aggregation. Data
|    from the current week is available from:
|            IRR_profile/IRR_Profile.current
|    Reports from previous weeks are available from:
|             IRR_profile/IRR_Profile.yymmdd

 18. How do I update the registered routing information for my ASN?

     You need to submit a "route" object update and perhaps an
     "aut-num" object update (see examples above).  Route objects
     add new nets to your autonomous system (or you can remove nets
     from your autonomous system) and the Autonomous-system object
     describes the type of routing you wish to have.

 19. Which Routing database takes precedence?  RIPE?  RADB?  MCI?  Do I
     have to update all of them?

     Each provider is allowed to select the preference order for
     authentic data.  For example, ANS uses the following precedence:

     If there are two routes (with different origins) within one
     database, the changed date is used as a tiebreaker.  Else, only
     database precedence is used.  Thus, if the RADB entry has a more
     recent changed date than the RIPE, ANS will use the RIPE entry.

     You should only have to register in one of the IRR component

|    There is a report which shows all routes in the RADB for a specified
|    AS and whether there are any duplicate routes in other IRR
|    registries or any aggregates which cover the route (in any of the
|    registries, including the RADB):

 20. How do I check what is registered in the IRR?

     The tool to use is whois.  A few examples make the command
     self explanatory:

     whois -h
     whois -h as378
     whois -h

|    There is an easy Web interface to query and update the IRR:

 21. Is there a tool to automatically create route filters based
     on IRR information?

     rlc is a route list compiler which is a subset of nlc/alc that
     allows the generation of route based filters (cisco access-
     lists) by extracting the nets belonging to an AS or AS MACRO
     from a routing database (i.e. Ripe Routing Database).  In
     addition, it supports a limited set of functions to generate
     AS based filter lists.

     rlc is fully classless, and hence supports CIDR routes and
     subnets, as well as host routes.

     Author: Jean-Michel Jouanigot, CERN <jimi at>

|22. What other tools are available in the CIDR world?

|    A web version of this information can be located at:
|    ------------------------
|    Online Tools and Reports
|    ------------------------
|    IRRWeb
|      This graphical interface into the Internet Routing Registry makes
|      it possible to use the Web to query the IRR and update RADB AS
|      objects, Route objects, and Maintainer objects.  Users can enter
|      any value that can be submitted through a whois query, such as an
|      AS number, network IP address, or maintainer. IRRWeb then displays
|      the corresponding AS objects, Route objects, or Maintainer objects
|      from the various registries in the IRR.  Authorized maintainers can
|      edit the objects directly; IRRWeb performs a cursory pre-check and
|      mails the revised object to auto-dbm at  The user then
|      receives e-mail from auto-dbm confirming and displaying the revised
|      object, or explaining why the object was rejected.
|      See
|      Source code is available at
|    Route History Server
|      The Route History Server provides a mechanism for tracking
|      the announce/withdraw history of a given prefix for the last 24
|      hours. The History Server peers with the route servers at
|      each NAP and records all BGP updates in History Server/Route
|      Server peering session.
|      See
|    -----------------------
|    Tools Available for FTP
|    -----------------------
|    RSd
|      The Route Server daemon (RSd) is an enhanced version of
|      the GateD routing software that provides multiples views of
|      routing information.
|      The software provides a mechanism for network service provides
|      to off-load the computational complexity of routing policy
|      calculations from their routers. RSd supports configuration and
|      transparent passing of BGP MEDs. The software also supports
|      BGP route flap dampening.
|      Available at
|    Peval
|      A policy evaluator that inputs a RIPE-181 policy
|      expression, performs essential background
|      calculations such as symbolic evaluations and
|      expansions, and outputs another RIPE-181 policy
|      expression that is used by other tools, such as
|      RTConfig.
|      Available as part of the RAToolSet at
|    RTConfig
|      A router configuration tool that can be used by
|      providers to generate router configs directly from
|      the RADB or other IRR registries.  Currently in
|      production use for the RA Route Servers, ANSNET, and
|      CA*net, RTConfig is a front-end tool that uses peval
|      and radbserver transparently to users.
|      Available as part of the RAToolSet at
|    rrc2r/rrmerge
|      This Cisco-to-RIPE-181 conversion package makes it possible for
|      users to convert Cisco router configuration files to RIPE-181
|      objects that can be submitted to the Internet Routing Registry
|      (IRR).  The Cisco access-list can be converted into an explicit set
|      of nets embedded in an AS object or represented as a community.
|      The RADBserver is queried for any missing or previously registered
|      information.
|      Available at
|    CiscoBGP
|      IRR users have long recognized the need for tools that check the
|      IRR against routes actually propagated in the Internet.  CiscoBGP
|      obtains and analyzes routing information from production Ciscos,
|      and compares the data with routes in the IRR.  The software also
|      flags prefixes that are reserved by RFC 1597, Address Allocation
|      for Private Internets.
|      Available as part of the MRT software distribution at
|    BGPCheck
|      BGPCheck obtains and analyzes routing information from BGP4
|      peering sessions, and compares the data with routes in the IRR.  The
|      software also flags prefixes that are reserved by
|      RFC 1597, <em>Address Allocation for Private Internets</em>.
|       Available as part of the MRT software distribution at
|    PRtraceroute
|      The 'prtraceroute' tool is a powerful form of traceroute that
|      displays the Autonomous Systems that a packet traverses.
|      PRtraceroute was developed by the Pride project.
|      A version of prtraceroute that queries the RADB is available at
|    ------------------
|    Tool Announcements
|    ------------------
|    PGP-Based Radb Authentication
|      Follow these steps to take advantage of the new RADB support for
|      PGP-based digital signatures:
|        1. Register your public key with the Routing Arbiter Service.
|        2. Modify your Maintainer object to reflect your use of digital
|           signatures.
|        3. Use PGP to sign your RADB transactions.
|    For detailed instructions, see:

  Christian Panigl - Vienna University, Austria
  Bill Manning - ISI
  Tony Li - Cisco Systems
  Havard Eidnes - SINTEF, Norway
  Yakov Rekhter - Cisco Systems
| Craig Labovitz - Merit Network

More information about the NANOG mailing list