Why can't all zeros in the host portion of IP address be used for a host?

An address with an all-zero host portion refers to the network itself, rather than to any particular host.

Historically, this zero host address has served as an alternative broadcast address, and devices still respond that way.

So, I have to disagree with some other answers: no, zero is not a perfectly usable host address. If you need more than 254 addresses, you have to create a larger subnet.

Look, my Linksys router, whose address is .1 responds to pings of .0. (The netmask is 255.255.255.0, so the last octet corresponds to the host number.)

webserver:~# ping  192.168.1.0
Do you want to ping broadcast? Then -b
webserver:~# ping -b 192.168.1.0
WARNING: pinging broadcast address
PING 192.168.1.0 (192.168.1.0) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.46 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.812 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.819 ms

If I assigned the .0 address to some host, I wouldn't be able to ping it without the router chiming in with its responses also. And as you can see, some tools like that router's version of ping treat 0 as a broadcast.

You can bend the rules, if you're willing to patch all protocol stacks and other software which is affected by such a bending. Otherwise, stick to the rules.

Case in point.

I worked at a company which designed a network node built in a 14 slot chassis, running numerous independent OS images on several types of cards, all communicating via a backplane. There was a networking setup over the backplane with a convention that 127.X.0.Y is the internal IP address of node Y in slot X, all numbered from 1.

We basically subnetted the loopback address for our own purposes. To make it work, we had to patch the Linux kernel here and there, and IIRC, a little bit of user space.

Since that network was only used within the box, and most programs that require loopback use the 127.0.* network (and in fact the specific address 127.0.0.1) which continued to work normally, everything was cool.

Is an IP packet's destination ever set to the subnet IP address?

Yes. It is a valid IP so it can be used.

If yes, in what cases and why?

It is simply one of the 255 usable IPs in a /24

If no, then why not free up that address for any host to use?

If you have ancient hardware then you need to check if it uses the first or the last address as network address. (.0 or .255 for networks with mask FF.FF.FF.00)

This makes it a good habit to skip that IP. And habits learned long ago are hard to ignore.

And people who do not know the background do not use it 'because other do not use it either, so it must be wrong to use it' or because they do not realise that '0' can be a first number.

[Edit] Grezzo just tested it on Windows XP where windows network GUI 'helpfully' prevented this setting. Windows 7 has the same behaviour. I then tried it on a non-windows host where it just works. If you use windows then you might have to configure your network manually via IPconfig to set it to all zeros.

[Edit 2]

The longer I work with this the more confused I get.

Rfc4632 - Classless Inter-domain Routing does not seem to forbid it, but neither allows it explicitly.

This ServerFault post mentions: "For historical reasons many OSes treat the first address as a broadcast. For example, pinging x.x.x.0 from OS X, Linux, and Solaris on my local (/24) network gets responses. Windows doesn't let you ping the first address by default but you might be able to enable it using the SetIPUseZeroBroadcast WMI method. I wonder if you could get away with using .0 as a host address on an all-Windows network.".

It is the same question, but not an answer.

The network address is also used in routing tables. But I fail to see why it would not work due to that. The same notation in the routing tables would route to the right network. Once on the right network it would arrive at a PC with IP 0.

(All of this for a 192.168.1/24.
If you used 192.168.0/23 then 192.168.1.0 would be a valid and safe value in the middle of the range)

[Edit 3]

One more link to the same question. It seems somewhat popular on stack exchange:

https://superuser.com/questions/379451/why-can-a-network-address-not-be-a-valid-host-address

And one thought:

Destination_IP is probably ANDed with the network mast (a fast operation in hardware) before being compared to the entries in the routing tables. But:

(A semi-random IP) 192.168.0.42 AND 255.255.255.0 would yield 192.168.0.0
But 192.168.0.0 AND 255.255.255.0 would also yield 192.168.0.0

[Edit 4 - Long after this answer was written - I might need to rewrite the entire post due to this new information ]

RFC923 states on page 3 that:

  In certain contexts, it is useful to have fixed addresses with
  functional significance rather than as identifiers of specific
  hosts.  When such usage is called for, the address zero is to be
  interpreted as meaning "this", as in "this network".  The address
  of all ones are to be interpreted as meaning "all", as in "all
  hosts".  For example, the address 128.9.255.255 could be
  interpreted as meaning all hosts on the network 128.9.  Or, the
  address 0.0.0.37 could be interpreted as meaning host 37 on this
  network.

Quoting @ylearn on our networkengineering site

I believe the first documentation of that comes from RFC950 which references RFC943 (which obsoleted RFC923 above but uses the same language for special addresses):

     It is useful to preserve and extend the interpretation of these
     special addresses in subnetted networks.  This means the values
     of all zeros and all ones in the subnet field should not be
     assigned to actual (physical) subnets.

actually it depends on the netmask, for example, for the network 83.23.159.0/23, 83.23.159.0 is a perfectly usable ip address

Sounds like there is a little confusion here with basic networking.

The 'ancient hardware' referred to in one of the responses would not use IP Subnet Zero - using ip address x.x.x.0 with a network set up for a /24 CIDR or 255.255.255.0 subnet mask is a different issue completely.

IP Subnet Zero

• Older hardware would not use IP Subnet Zero - meaning they would not use the first subnet on a multi-subnet network system. So on a /23 or 255.255.254.0 network the subnet X.X.X.0 and all it's addresses would not be used. Modern routers do not have this restriction but can be configured to use this old model I.E. not use subnet zero, if desired.

Usable host IP addresses on a subnet

• Basic networking:
  • With /24 i.e. subnet mask of 255.255.255.0
  • x.x.x.0 is reserved as the network address. Routers and routing protocols (EIGRP, RIP2, etc.) use the network address to define network segments for moving packets within and across network network boundaries.
  • x.x.x.255 is reserved for the broadcast address
  • It is common practice to use the addresses .1 or .254 on routers so that leaves 253 usable IP numbers.

Both the network address and the broadcast address are reserved and cannot (by current and previous network standards) be assigned to a device. Using x.x.x.0 for a host address on a /24 system is wrong. Even if Linux lets you use it does not mean that it is right, it just means that Linux thinks that you know what you are doing.

If your system is letting you assign x.x.x.0 as an IP4 address to a host and it appears to be working - chances are that particular host is receiving ALL traffic targeted to ANY device on that network so its networking is probably not working optimally.

RFC 1122 ("Requirements for Internet Hosts -- Communication Layers") prohibits it:

IP addresses are not permitted to have the value 0 or -1 for any of the < Host-number>, < Network-number>, or < Subnet- number> fields

Actually the answer is the basic of subnetting. The "all zeros" IP of your subnet combined with the network id is used to calculate where the packet has to be sent to.

In your example you have a subnet of 255.255.255.0. Any device that knows the TCP/IP protocol will use the netmask combined with the IP address to calculate if the packet is destined for the local network (by performing a logical AND operation) or that it has to be sent trough the gateway / router.

So I guess the reason that IP can not be used is because it is already used to "define" the network boundaries together with the netmask by design.

It was requested that I repost my answer from NetworkEngineering, so I will do so with some modification for this site.

In RFC919, it makes reference of the general acceptance of the network address:

However, as a notational convention, we refer to
networks (as opposed to hosts) by using addresses with zero fields.
For example, 36.0.0.0 means "network number 36"

This provides a convention that should clarify our understanding if someone were to mention "10.1.2.0" as the network and not a host on the network.

From there, the use of "0" in a IP addresss was defined in RFC923 and carried over in successive RFCs:

Special Addresses:

  In certain contexts, it is useful to have fixed addresses with
  functional significance rather than as identifiers of specific
  hosts.  When such usage is called for, the address zero is to be
  interpreted as meaning "this", as in "this network".  The address
  of all ones are to be interpreted as meaning "all", as in "all
  hosts".  For example, the address 128.9.255.255 could be
  interpreted as meaning all hosts on the network 128.9.  Or, the
  address 0.0.0.37 could be interpreted as meaning host 37 on this
  network.

This example provides for a specific host on the current network (0.0.0.37) by using 0's in the network portions of the address, but it doesn't actually clarify the opposite case (0's in the host portion of the address). However as it did define "0" as "this."

In RFC1060 the address "0.0.0.0" was clearly documented as "this host on this network":

     (a)   {0, 0}

        This host on this network.  Can only be used as a source
        address (see note later).

Since all zeroes for the host part of the address meant "this host," it logically follows that it is unusable as a host address.

Getting back to directly answering your questions:

1. Is an IP packet's destination ever set to the subnet IP address?
2. If yes, in what cases and why?
3. If no, then why not free up that address for any host to use?

According to what I find in the RFCs, this should not be used. I will admit it isn't as clearly specified as I would like, but that is all to common in many standards. When the standards are a bit less firm on a point, the industry then seems to "settle" into a generally accepted interpretation.

Further, based on the content of the RFCs software may be written to assume that this address is used to address the network and not a particular host. Or even more literally as some sort of "loopback" (i.e. this host on the specified network).

So why do some OSes clearly allow it's use? I would imagine like many things that it comes down to developer time/resources or no one really thought to add the validity check. The logic has to be a bit more involved than "if it ends in 0" as a larger subnet (a /23 or larger) will contain valid IP address of .255 and .0 (i.e. 10.1.2.0/23 contains both valid IP address of 10.1.2.255 and 10.1.3.0). Although some organizations do also avoid the use of those valid address in larger subnets to avoid any odd issues with software that doesn't support modern subnetting correctly.

As to why not free up that one IP address, it simply comes down to cost/benefit. It would take a lot of time and effort to make this change to get back one IP address per subnet and in how many cases where you need additional IP addresses, will only one address be enough? It is much easier to add a second subnet or enlarge the current subnet, potentially giving you many addresses to use instead of just one while making no major changes to any software/hardware in place.

First, it is worth noting that all-zero addresses in IPv6 are defined by RFC4291 as "Required Anycast Address" which are addresses that at least one router on a segment, but not necessarily all of them, will answer to. (Anycast addresses in both IPv6 and IPv4 can have non-zero host portions.) So the answer is definitively "no" for IPv6 unless you are using it to provide anycast services.

As mentioned in other answers it is not safe to use these IPv4 addresses as host addresses on a broadcast medium: for historical reasons many hosts will respond to packets with these addresses as though they were broadcast packets. However, it is also not safe to ban use of these addresses upstream even if you have a clear indication (from a routing entry) that the address is at the bottom of a subnet... the address may be used on a non-broadcast subnet like a NAT pool, or a /31 used as a router wire address. This means anti-"smurf"-like DoS protections belong if at all possible on the directly connected router, which should know if the media is or is not a broadcast domain. And these protections are present in the usual case, so that's a second reason why using these addresses as unicast addresses on broadcast media will not work: no traffic from off-segment may be allowed to reach them by the router.

If one were to extrapolate from RFC923, a zero host would be "This host on a particular network". It's not safe to make that extrapolation because the RFC only addresses the network address, not the host address. However it is conceivable that some IP address negotiation protocol may have been been deployed where a host knows the subnet it wants to belong to, but does not know its host address and is asking for autoconfiguration on that particular network by specifying a zero host address. That is another possible interpretation to look out for.