Norman_Elton_13
Oct 11, 2013
Solved

Binary arithmetic on IP addresses

We are considering a network redesign that would move our users from public IP addressing (on large, flat networks) to private addressing (on smaller, per-building subnets). Any run-of-the-mill NAT firewall could handle outbound connectivity. Our security folks, however, have asked whether it would be possible to assign a particular user a single public IP address, regardless of its location on the inside of our network.

 

For the purposes of this conversation, let's assume the DHCP server has some intelligence baked in. And assume we are using 10.0.0.0/8 for client addressing. The first octet is always 10, the second octet is always the building identifier. This means clients are issued a /16 address. The last two octets are split between the user identifier (14 bits) and the device identifier (2 bits). This means the network can accommodate 16K users, each with four devices.

 

The iRule could be a long list of thousands of "if / then" clauses, but it would be more efficient to leverage some binary math. Extract the user identifier, convert it to an integer, then add that to some base IP address. So, if the base is 1.2.3.4, then user 5 gets 1.2.3.9, while user 500 gets 1.2.4.48.

 

I see support for bit shifting and addition. But can an iRule handle the necessary binary math to convert IP to binary (and vice versa)?

 

Thanks!

 

Norman

 

1 Reply

  • John_Alam_45640
    Historic F5 Account

    Norman:

     

    iRule can do a good bit of IP address comparison; take a look at this: https://devcentral.f5.com/wiki/iRules.IP__addr.ashx

     

    Tcl, particularly the "binary scan" command, can do a lot of manipulation; take a look at this: http://wiki.tcl.tk/4180. For examples, look at this: http://wiki.tcl.tk/11766 and: http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/modules/dns/ip.tcl
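
The `binary scan` / `binary format` approach the reply points to, applied to the addressing scheme in the question, as an added example that is not part of the thread or of F5's code. It is plain Tcl for tclsh 8.5 or later; the proc names are hypothetical, and it assumes the user identifier sits in the high 14 bits of the last two octets with the device identifier in the low 2 bits.

```tcl
# Added example; proc names are hypothetical, sample addresses are constructed.
# Assumed layout of the last two octets: uuuuuuuu uuuuuudd (14-bit user, 2-bit device).

# Dotted quad -> unsigned 32-bit integer, via binary format / binary scan.
proc ip2int {ip} {
    if {[scan $ip "%d.%d.%d.%d%c" a b c d extra] != 4} {
        error "not an IPv4 address: $ip"
    }
    foreach o [list $a $b $c $d] {
        if {$o < 0 || $o > 255} { error "octet out of range in $ip" }
    }
    binary scan [binary format c4 [list $a $b $c $d]] I n
    return [expr {$n & 0xFFFFFFFF}]   ;# binary scan I yields a signed value
}

# Unsigned 32-bit integer -> dotted quad.
proc int2ip {n} {
    return [join [list [expr {($n >> 24) & 255}] [expr {($n >> 16) & 255}] \
                       [expr {($n >> 8) & 255}]  [expr {$n & 255}]] .]
}

# Map an inside client address to that user's public address (base + user id).
# The building octet and the device bits are deliberately ignored, so every
# device of one user, in any building, lands on the same public address.
proc user_public_ip {client base} {
    set n [ip2int $client]
    if {($n >> 24) != 10} { error "$client is outside 10.0.0.0/8" }
    set user [expr {($n & 0xFFFF) >> 2}]   ;# drop the 2 device bits
    set pub  [expr {[ip2int $base] + $user}]
    if {$pub > 0xFFFFFFFF} { error "base + user id exceeds the IPv4 range" }
    return [int2ip $pub]
}

# Constructed inputs: user 5 / device 1 in building 20, then user 500 seen
# from two buildings with different devices (500 << 2 = 2000 = 0x07D0).
foreach client {10.20.0.21 10.20.7.208 10.33.7.210} {
    puts "$client -> [user_public_ip $client 1.2.3.4]"
}

# Inputs that must be rejected rather than mapped.
foreach bad {192.168.1.5 10.20.0 10.20.0.256} {
    if {[catch {user_public_ip $bad 1.2.3.4} msg]} { puts "rejected: $msg" }
}
```

Because the public address is derived only from bits of the inside address, the mapping identifies a user only as far as the DHCP assignment is enforced; a host that configures another user's address statically would be translated to that user's public IP.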