CIDR (Classless Interdomain
Routing), sometimes known as Supernetting or route aggregation, is
a means of aggregating networks by "borrowing" bits from
the network portion of the subnet mask. An example:
If we have a 192.168.0.0 network and we use the default class C
mask of 255.255.255.0 we can have 254 hosts per subnet. A router
with a route into our network would have a single route entry:
"192.168.0.0 255.255.255.0".
Imagine if our network was expanded and we now have the 192.168.1.0
255.255.255.0 network too. No problem, we just add another route
to our router: "192.168.1.0 255.255.255.0".
This is quite acceptable but imagine if we had hundreds of networks
behind our router - we would have to add a single route entry for
each one. Not only is this boring, it will affect the performance
of the router as it will have to maintain a larger routing table.
This is where CIDR comes in - CIDR allows you to aggregate multiple
networks into single routing table entries. Continuing our example
above, imagine we have been given four networks:
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
We can represent these four entries with a single routing table entry
192.168.0.0 255.255.252.0
Here we have borrowed two bits from the network portion of the mask
(hence the 255.255.252.0 mask). These two bits allow four networks:
0.0, 1.0, 2.0 and 3.0, resulting in a routing entry which allows 1022
hosts (4 x 256 - 2). This entry represents all hosts from 192.168.0.0
up to 192.168.3.255. This is a very basic example but the concept
can be scaled up to aggregate much larger networks into single routing
entries.
One thing to be aware of is that CIDR only allows you to aggregate
contiguous networks. For example:
We have been given another three networks - we now have:
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.6.0 255.255.255.0
192.168.7.0 255.255.255.0
So now we can borrow another bit and use the mask 255.255.248.0 which
will represent all hosts from 192.168.0.0 up to 192.168.7.255? No
- whilst this mask does represent those hosts it also includes the
network 192.168.4.0 which is not in our list. If we use that mask
our router will route 192.168.4.0 traffic onto our network which
we do not own. This is what is meant by contiguous networks - a range
of addresses that is unbroken. If we did have the addresses above
we would have to aggregate them like this:
192.168.0.0 255.255.252.0 (this covers 192.168.0.0 up to 192.168.3.255)
192.168.5.0 255.255.255.0 (this covers 192.168.5.0 up to 192.168.5.255)
192.168.6.0 255.255.254.0 (this covers 192.168.6.0 up to 192.168.7.255)
As you can see, the benefits of CIDR are reduced when networks are
non-contiguous, and networks must be broken up into chunks of 1, 2,
4, 8, 16 networks etc.
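The aggregation described above can be done mechanically: sort the prefixes, merge any two aligned siblings (the lower and upper half of a common parent) into that parent, which is the same as borrowing one more bit from the network portion of the mask, and repeat until nothing merges. The following Python is an added example, not code from the original article; it uses the standard library ipaddress module and cross-checks its own result against ipaddress.collapse_addresses. Because it only ever merges exact sibling pairs, it cannot produce an entry that covers a network you do not own, so the 192.168.4.0 problem cannot arise.

```python
import ipaddress


def aggregate(networks):
    """Aggregate IPv4 networks into the fewest CIDR prefixes that cover
    exactly the given networks and nothing else.

    Each pass merges aligned sibling prefixes (the two halves of a common
    parent) into that parent, i.e. it "borrows" one more bit from the
    network portion of the mask. Passes repeat until nothing merges.
    """
    nets = sorted({ipaddress.ip_network(n, strict=True) for n in networks})
    # Drop any prefix already contained in a larger one (e.g. a /24 listed next to its /23).
    nets = [n for n in nets if not any(n != m and n.subnet_of(m) for m in nets)]
    merged = True
    while merged:
        merged = False
        out = []
        i = 0
        while i < len(nets):
            a = nets[i]
            if i + 1 < len(nets) and a.prefixlen > 0:
                b = nets[i + 1]
                # Same length and same parent means a is the lower half, b the upper half.
                if a.prefixlen == b.prefixlen and a.supernet() == b.supernet():
                    out.append(a.supernet())
                    merged = True
                    i += 2
                    continue
            out.append(a)
            i += 1
        nets = out
    return nets


def to_dotted(net):
    """Render a prefix in the 'network mask' notation used in routing tables."""
    return f"{net.network_address} {net.netmask}"


def usable_hosts(net):
    """Hosts reachable through a route entry: all addresses minus network and broadcast."""
    return net.num_addresses - 2


def aggregate_table(networks):
    """Aggregate and return the entries as 'network mask' strings."""
    return [to_dotted(n) for n in aggregate(networks)]


if __name__ == "__main__":
    four = ["192.168.%d.0/24" % i for i in range(4)]
    seven = ["192.168.%d.0/24" % i for i in (0, 1, 2, 3, 5, 6, 7)]
    for group in (four, seven):
        result = aggregate(group)
        # Cross-check the hand-rolled merge against the standard library.
        assert result == list(ipaddress.collapse_addresses(map(ipaddress.ip_network, group)))
        for n in result:
            print(f"{to_dotted(n)}  covers {n[0]} to {n[-1]}, {usable_hosts(n)} hosts")
```

Note that alignment matters, not just adjacency: 192.168.1.0/24 and 192.168.2.0/24 are neighbours but are not the two halves of a single /23, so they stay as two entries, which is why networks aggregate in chunks of 1, 2, 4, 8 and so on.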
What does any of this have to do with Datacryptor®?
In the same way that many routes on a router will degrade its performance,
the more Private Network Selector (PNS) entries that the Datacryptor® has
the longer it will take to process traffic. The Datacryptor® has
a finite limit on the number of policies and local and remote selectors
that can be configured on it - this is known as the Data Set Size and
is calculated with the equation:
Data Set Size = LS * (SRS + LP)
where:
LS = local selectors (the number of lines in the PNS section on this
Datacryptor®)
SRS = sum of remote selectors (the number of lines in the PNS section
in all peer Datacryptors®)
LP = local policies (the number of discard/passthrough policies on
this Datacryptor®)
If the result of this equation is greater than 4000 then you will
experience problems. By using CIDR you may be able to reduce the
number of selectors/policies used.
An example
The following network was set up.
If we wanted to allow only PC A to get to PC D we would configure
a PNS mask selector like this:
200.0.0.0 255.255.255.0 (this allows all hosts from 200.0.0.0 up
to 200.0.0.255).
If we wanted to allow PC A and PC B to get to PC D we would configure
a PNS mask selector like this:
200.0.0.0 255.255.254.0 (this allows all hosts from 200.0.0.0 up
to 200.0.1.255).
If we wanted to allow PC A, B and C to get to PC D we would configure
a PNS mask selector like this:
200.0.0.0 255.255.192.0 (this allows all hosts from 200.0.0.0 up
to 200.0.63.255).
The problem with using the 255.255.192.0 mask is that it allows not
just our three networks but everything in between. This may or may
not be a problem depending on your configuration. If it is a problem
you would have to aggregate the network in smaller chunks as discussed
above.
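Two checks are worth automating before committing a PNS selector: how much address space beyond the intended networks a single mask selector admits, and whether the resulting selector and policy counts keep LS * (SRS + LP) under the 4000 threshold. The Python below is an added example, not code from the original article or from the Datacryptor product; it uses the standard library ipaddress module. PC A's network (200.0.0.0/24) and PC B's (200.0.1.0/24) follow from the text, while PC C's network is not stated and 200.0.63.0/24 is an assumed placeholder; the selector and policy counts in the demonstration are constructed figures.

```python
import ipaddress

DATA_SET_LIMIT = 4000  # threshold quoted in the text: above this the unit has problems


def data_set_size(ls, srs, lp):
    """Data Set Size = LS * (SRS + LP): local selectors times the sum of
    remote selectors on all peers plus local discard/passthrough policies."""
    return ls * (srs + lp)


def within_limit(ls, srs, lp):
    """True when the configuration stays at or under the 4000 threshold."""
    return data_set_size(ls, srs, lp) <= DATA_SET_LIMIT


def extra_coverage(selector, wanted, granularity=24):
    """Networks (at /granularity) that a single mask selector admits but that
    do not overlap any network we actually want to allow."""
    sel = ipaddress.ip_network(selector, strict=True)
    want = [ipaddress.ip_network(w, strict=True) for w in wanted]
    if granularity < sel.prefixlen:
        raise ValueError("granularity must be at least as long as the selector prefix")
    return [str(sub) for sub in sel.subnets(new_prefix=granularity)
            if not any(sub.overlaps(w) for w in want)]


if __name__ == "__main__":
    # Constructed scenario: PC A and PC B networks come from the text; PC C's
    # network is not given, so 200.0.63.0/24 is an assumed placeholder.
    wanted = ["200.0.0.0/24", "200.0.1.0/24", "200.0.63.0/24"]
    for selector in ("200.0.0.0/24", "200.0.0.0/23", "200.0.0.0/18"):
        extras = extra_coverage(selector, wanted)
        print(f"{selector}: admits {len(extras)} unwanted /24 networks")
    # Constructed figures: 64 local /24 selectors, 60 remote selectors across peers, 5 policies.
    print(data_set_size(64, 60, 5), within_limit(64, 60, 5))   # 4160 False
    # Aggregating the 64 local selectors into 16 supernets brings it under the limit.
    print(data_set_size(16, 60, 5), within_limit(16, 60, 5))   # 1040 True
```

The 255.255.254.0 selector for PC A and PC B admits nothing extra, whereas the 255.255.192.0 selector admits 61 /24 networks that were never meant to be allowed; reviewing that list is the quickest way to decide whether one wide selector is acceptable or whether the networks must be selected in smaller chunks.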