IP Address Normalizers
IP address normalizers specify one or more IP addresses, defined by the normalizer as strings using the Classless Inter-Domain Routing (CIDR) notation, with which to compare an IP address value in the network message. If a match is found, the index associated with that IP address is used. A specified IP address can be an exact address or it can contain an optional network mask to denote a range of IP addresses.
IPv4 Addresses
The IPv4 normalizer accepts either an integer containing the 32-bit (four-byte) IP address, or a string written in dot-decimal notation, for example: 192.168.12.34. The normalizer interprets the decimal part internally as a 32-bit binary number separated into four octets. Each IPv4 address range string can indicate a single address (192.168.12.34) or a range of addresses (192.168.12.0/24, 192.168.12.0/255.255.255.0). In the network message field, the IPv4 normalizer likewise accepts either an integer representation of the IP address or a string. For example, the normalizer accepts an input string of 192.168.10.10, or the integer 3232238090 (in hexadecimal this is 0xC0A80A0A, which, read byte by byte, is 192.168.10.10).
- Standard IPv4 (exact match) — 192.168.0.139.
- IPv4 integer representation or string — 3232238090.
- IPv4 with CIDR NetMask (range match) — 192.168.0.0/16. The CIDR mask is the prefix length (the number of shared initial bits) counting from the most-significant bit of the address. The mask can be any number between 1 and 32.
- IPv4 with Subnet Mask (range match) — 192.168.0.0/255.255.0.0. This example has the same effect as the CIDR NetMask 192.168.0.0/16.
IPv6 Addresses
The IPv6 normalizer accepts either an integer containing the 128-bit IPv6 address, or a case-insensitive string in colon-hexadecimal notation (::ffff:0:c0a8:0c22, ::ffff:0:192.168.12.34). Each IPv6 address range string is also case-insensitive and can indicate a single address (::ffff:0:c0a8:0c22) or a range of addresses (::ffff:0:c0a8:0c00/120).
- Standard IPv6 (exact match) — fe80:0000:0000:0000:0202:b3ff:fe1e:8329
- IPv6 with an optional CIDR NetMask (range match) — fe80::0202:b3ff:fe1e:8329/16. CIDR masks can be any number between 1 and 128.
IPv6 address strings can be abbreviated in two ways:
- Omit leading zeroes within a 16-bit value. For example, write the address fe80:0000:0000:0000:0202:b3ff:fe1e:8329 as fe80:0:0:0:202:b3ff:fe1e:8329.
- Replace one group of consecutive zeroes within an address by a double colon. For example, write fe80:0:0:0:202:b3ff:fe1e:8329 as fe80::202:b3ff:fe1e:8329.
IPv4 addresses can also be represented as IPv6 addresses. Typically, when this is done, the IPv4 address is included with its normal dot notation in place of the colons, for example ::ffff:192.0.2.128 and ::192.0.2.128.
About Network Masks
CIDR specifies an IP address range using a combination of an IP address and its associated network mask. CIDR notation for IPv4 uses the format xxx.xxx.xxx.xxx/n, where 0 <= xxx <= 255 and n is the number of the left-most 1 bits in the mask, in the range from 1 to 32. For example, 192.168.12.0/23 applies the network mask 255.255.254.0 to the 192.168 network, starting at 192.168.12.0. This notation represents the address range 192.168.12.0 – 192.168.13.255. Any IP address in the range would result in a match.
To determine the closest match, the IP address in the network message and all IP addresses in the IP normalizer are converted to binary format. The network mask determines how many binary digits, counted from the beginning of the binary address, are compared for that IP value. If the IP address value falls into more than one binary range, the range with the fewest addresses (the biggest mask) is used.
Range Match Example
- Value 1 — 192.168.10.10/4
- Value 2 — 192.168.10.10/7
- Value 3 — 192.168.10.10/16
In binary format, 192.168.10.10 is equal to:
11000000.10101000.00001010.00001010
- Normalizer value 1 (NetMask = 4) uses the first four bits, 1100, to determine whether there is a match with the IP address in the network message.
- Normalizer value 2 (NetMask = 7) uses the first 7 bits, 1100000, to determine whether there is a match with the IP address in the network message.
- Normalizer value 3 (NetMask = 16) uses the first 16 bits, 1100000010101000, to determine whether there is a match with the IP address in the network message.
A network message is received that contains an IPv4 address 192.170.11.11. The IP address in binary format is equal to:
11000110.10101010.00001011.00001011
During rating, all IP address normalizer values are examined to see which one contains the smallest number of matching bits, starting from the beginning of the binary string. If a match is found, that range is used. In this example, the first 5 bits of the network message match the IP address in the normalizer. Therefore, only the first normalizer value is valid because it requires four matching bits. However, say the network IP address had 10 matching bits, making it able to map to both the first and second normalizer values. In this case, the first normalizer value is still chosen because it has the most mask bits (the smallest range).
As another example, XYZ corporation has IP addresses in the range 198.168.0.0/16. Within this set, IP addresses 198.168.13.0/24 are assigned to the engineering department. If an IP address normalizer uses both of these IP address values, and a network message is received with IP address 198.168.13.12, it would match the entries for both the XYZ corporation and the engineering department. Since the entry for engineering has the most mask bits (the smallest range), it is chosen as the matching entry and the associated result is used. On the other hand, if a message was received from the XYZ corporation with an IP address of 198.168.12.0, it would match the corporation entry. Different results can apply to the corporation and to the engineering department, or the same result can be applied, and only the usage is tracked separately.
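The closest-match rule described above (when several ranges contain the address, the one with the most mask bits wins), as an added example that is not part of the original page or the product's own code. The function names, the index labels and the use of Python's ipaddress module are assumptions made for illustration; the range strings are taken from the text.

```python
import ipaddress

def build_normalizer(entries):
    """entries: (range_string, index) pairs; returns a parsed lookup table.

    strict=False lets a range string keep host bits set (as in
    fe80::0202:b3ff:fe1e:8329/16); the parser accepts both a CIDR suffix
    (/16) and a subnet-mask suffix (/255.255.0.0).
    """
    return [(ipaddress.ip_network(rng, strict=False), index)
            for rng, index in entries]

def normalize(table, value):
    """Return the index of the most specific range containing value, or None.

    value may be a string or an integer. Note that Python treats an integer
    below 2**32 as an IPv4 address.
    """
    addr = ipaddress.ip_address(value)
    best = None
    for net, index in table:
        # An IPv4 address never matches an IPv6 range, and vice versa.
        if addr.version != net.version or addr not in net:
            continue
        # More mask bits means fewer addresses, so the longer prefix wins.
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, index)
    return best[1] if best else None

# Constructed table: ranges from the text, index labels are hypothetical.
TABLE = build_normalizer([
    ("198.168.0.0/16", "xyz-corporation"),
    ("198.168.13.0/24", "engineering"),
    ("192.168.12.0/23", "lab"),
    ("192.168.0.0/255.255.0.0", "site"),
    ("fe80::0202:b3ff:fe1e:8329/16", "link-local"),
])

if __name__ == "__main__":
    # Constructed sample inputs: strings, an integer, and an unmatched address.
    for sample in ("198.168.13.12", "198.168.12.0", "192.168.13.255",
                   3232238090, "FE80::202:B3FF:FE1E:8329", "10.0.0.1"):
        print(sample, "->", normalize(TABLE, sample))
```

An address that falls in no range returns None here; a caller should decide explicitly what an unmatched address maps to.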