Private network
In the Internet addressing architecture, a private network is a network that uses private IP address space, following the standards set by RFC 1918 and RFC 4193. These addresses are commonly used for home, office, and enterprise local area networks (LANs), when globally routable addresses are not mandatory, or are not available for the intended network applications. Private IPv4 address spaces were originally defined in an effort to delay IPv4 address exhaustion, but they are also a feature of the next generation Internet Protocol, IPv6.

These addresses are characterized as private because they are not globally delegated, meaning they are not allocated to any specific organization, and IP packets carrying them as source or destination are not routed across the public Internet. Anyone may use these addresses without approval from a regional Internet registry (RIR). If such a private network needs to connect to the Internet, it must use either a network address translator (NAT) gateway, or a proxy server.
Private IPv4 address spaces
The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks, as published in RFC 1918:

RFC 1918 name | IP address range | number of addresses | classful description | largest CIDR block (subnet mask) | host ID size |
---|---|---|---|---|---|
24-bit block | 10.0.0.0 – 10.255.255.255 | 16,777,216 | single class A | 10.0.0.0/8 (255.0.0.0) | 24 bits |
20-bit block | 172.16.0.0 – 172.31.255.255 | 1,048,576 | 16 contiguous class Bs | 172.16.0.0/12 (255.240.0.0) | 20 bits |
16-bit block | 192.168.0.0 – 192.168.255.255 | 65,536 | 256 contiguous class Cs | 192.168.0.0/16 (255.255.0.0) | 16 bits |

Classful addressing is obsolete and has not been used in the Internet since the implementation of Classless Inter-Domain Routing (CIDR) starting in 1993. For example, while 10.0.0.0/8 was a single class A network, it is common for organizations to divide it into smaller /16 or /24 networks.
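The following Python example is added here to illustrate the table and the CIDR subdivision above; it is not part of the original article. It uses only the standard `ipaddress` module, classifies an address against the three RFC 1918 blocks by name, rebuilds the table rows from the prefixes alone (including the obsolete classful description), and carves a block into smaller subnets. A caveat worth knowing: `ipaddress.ip_address(x).is_private` is deliberately not used, because that property is also true for loopback, link-local, 240/4 and other special-use ranges, so it answers a broader question than "is this an RFC 1918 address".

```python
import ipaddress

# The three RFC 1918 blocks, keyed by the names the RFC gives them.
RFC1918_BLOCKS = {
    "24-bit block": ipaddress.ip_network("10.0.0.0/8"),
    "20-bit block": ipaddress.ip_network("172.16.0.0/12"),
    "16-bit block": ipaddress.ip_network("192.168.0.0/16"),
}

# Prefix length of one network in each obsolete address class.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def rfc1918_block(addr):
    """Name of the RFC 1918 block containing addr, or None.

    Not ipaddress.ip_address(addr).is_private on purpose: that property is
    also True for loopback, link-local, 240/4 and other special-use ranges.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for name, net in RFC1918_BLOCKS.items():
        if ip in net:
            return name
    return None


def classful_class(net):
    """Obsolete class letter, decided by the first octet of the first address."""
    first_octet = int(ipaddress.ip_network(str(net)).network_address) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "D/E"


def classful_description(net):
    """How many classful networks a CIDR block spans, e.g. '16 contiguous class Bs'."""
    net = ipaddress.ip_network(str(net))
    cls = classful_class(net)
    if cls not in CLASSFUL_PREFIX:
        raise ValueError(f"{net} is not in unicast class A, B or C space")
    if net.prefixlen > CLASSFUL_PREFIX[cls]:
        return f"part of one class {cls}"
    count = 2 ** (CLASSFUL_PREFIX[cls] - net.prefixlen)
    if count == 1:
        return f"single class {cls}"
    return f"{count} contiguous class {cls}s"


def carve(net, new_prefix, limit=None):
    """Split a block into /new_prefix subnets; return the first `limit` as strings."""
    out = []
    for i, sub in enumerate(ipaddress.ip_network(str(net)).subnets(new_prefix=new_prefix)):
        if limit is not None and i >= limit:
            break
        out.append(str(sub))
    return out


def block_table():
    """Rebuild the RFC 1918 table rows from the three prefixes alone."""
    rows = []
    for name, net in RFC1918_BLOCKS.items():
        rows.append({
            "name": name,
            "range": f"{net[0]} - {net[-1]}",
            "addresses": net.num_addresses,
            "classful": classful_description(net),
            "cidr": str(net),
            "mask": str(net.netmask),
            "host_bits": 32 - net.prefixlen,
        })
    return rows


if __name__ == "__main__":
    for row in block_table():
        print(row)
    print(rfc1918_block("172.31.0.9"), rfc1918_block("172.32.0.9"))
    print(carve("10.0.0.0/8", 16, 4))
```

The `172.31.0.9` / `172.32.0.9` pair in the usage lines is the boundary people most often get wrong: the 20-bit block ends at 172.31.255.255, so 172.32.0.0 is public space.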
Private IPv6 addresses
The concept of private networks and special address reservation for such networks has been carried over to the next generation of the Internet Protocol, IPv6.

The address block fc00::/7 has been reserved by IANA as described in RFC 4193. These addresses are called Unique Local Addresses (ULA). They are defined as being unicast in character and contain a 40-bit random number (the Global ID) in the routing prefix to prevent collisions when two private networks are interconnected. Only the half of the block with the L bit set, fd00::/8, is currently defined, for locally assigned prefixes; fc00::/8 is reserved for a future assignment method. Despite being inherently local in usage, the IPv6 address scope of unique local addresses is global.
A former standard proposed the use of so-called "site-local" addresses in the fec0::/10 range, but due to major concerns about scalability and the poor definition of what constitutes a site, its use has been deprecated since September 2004 by RFC 3879.
Link-local addresses
Another type of private networking uses the link-local address range. The validity of link-local addresses is limited to a single link; e.g. to all computers connected to a switch, or to one wireless network. Hosts on different sides of a bridge are also on the same link, whereas hosts on different sides of a router are on different links.
IPv4
In IPv4, link-local addresses are codified in RFC 5735 and RFC 3927. Their utility is in automatic self-configuration by network devices when Dynamic Host Configuration Protocol (DHCP) services are not available and manual configuration by a network administrator is not desirable.

The block 169.254/16 is reserved for this purpose, with the exception of the first and the last /24 subnets in the range. If a host on an IEEE 802 (Ethernet) network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly. The standard prescribes that address collisions must be handled gracefully.
IPv6
In IPv6, link-local addresses are codified in RFC 4862. Their use is mandatory, and an integral part of the IPv6 standard. The IPv6 addressing architecture (RFC 4291) sets aside the block fe80::/10 for IP address autoconfiguration.
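The Python example below is added to illustrate the IPv6 material above (the ULA section, the deprecated site-local range, and IPv6 link-local addresses) as well as the collision claim made later under "Merging private networks"; it is not code from the original article. It implements the Global ID generation procedure of RFC 4193 section 3.2.2 (the low-order 40 bits of SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64), assembles the resulting fd00::/8 prefix into a /48, recovers the Global ID from a prefix, evaluates the birthday-bound collision estimate from RFC 4193 section 3.2.3, and classifies an address by scope. The MAC address in the test is constructed; `new_ula_prefix` uses the real host's MAC via `uuid.getnode()` and the current time, so its output differs on every run, as the RFC intends.

```python
import hashlib
import ipaddress
import math
import struct
import time
import uuid

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193, whole block
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")    # L bit = 1: locally assigned
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")  # deprecated by RFC 3879
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # RFC 4291 / RFC 4862


def ntp_timestamp64(unix_time):
    """64-bit NTP format: 32-bit seconds since 1900 || 32-bit fraction."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac)


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, invert the U/L bit."""
    b = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    b[0] ^= 0x02
    return bytes(b)


def ula_global_id(unix_time, eui64):
    """RFC 4193 section 3.2.2: low-order 40 bits of SHA-1(NTP time || EUI-64)."""
    digest = hashlib.sha1(ntp_timestamp64(unix_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id):
    """fd00::/8 followed by the 40-bit Global ID: the organisation's /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    net_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((net_int, 48))


def global_id_of(prefix):
    """Inverse of ula_prefix: the 40-bit Global ID of a locally assigned ULA /48."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 48 or net.network_address not in ULA_LOCAL:
        raise ValueError(f"{net} is not a locally assigned ULA /48")
    return (int(net.network_address) >> 80) & ((1 << 40) - 1)


def new_ula_prefix():
    """Generate a fresh ULA /48 for this host (non-deterministic by design)."""
    mac = uuid.getnode().to_bytes(6, "big")
    return ula_prefix(ula_global_id(time.time(), eui64_from_mac(mac)))


def ula_collision_probability(n):
    """RFC 4193 section 3.2.3: P(two of n random 40-bit IDs collide) ~ 1 - exp(-n^2 / 2^41)."""
    return -math.expm1(-(n * n) / float(1 << 41))


def scope_class(addr):
    """Which limited-scope block an IPv6 address falls in, if any."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local (fe80::/10, RFC 4291)"
    if ip in SITE_LOCAL:
        return "site-local (fec0::/10, deprecated by RFC 3879)"
    if ip in ULA_LOCAL:
        return "unique local, locally assigned (fd00::/8, RFC 4193)"
    if ip in ULA:
        return "unique local, L=0 half (fc00::/8, not yet defined)"
    return "global"


if __name__ == "__main__":
    p = new_ula_prefix()
    print(p, hex(global_id_of(str(p))))
    for n in (2, 10, 100, 1000, 10000):
        print(n, f"{ula_collision_probability(n):.2e}")
```

Two points the code makes concrete: a ULA prefix is only as unique as the randomness behind it, so hand-picking a memorable fd00::/48 defeats the purpose of the 40-bit Global ID; and the deprecated fec0::/10 range still parses as a valid address, so anything that classifies IPv6 scope has to reject it explicitly rather than treat it as "private".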
Common uses
The most common use of private addresses is in residential networks, since most Internet service providers (ISPs) only allocate a single routable IP address to each residential customer, but many homes have more than one computer or other Internet connected device, such as televisions. In this situation, a network address translator (NAT) gateway is usually used to provide Internet connectivity to multiple hosts.
Private addresses are also commonly used in corporate networks, which, for security reasons, are not connected directly to the Internet. Often a proxy, SOCKS gateway, or similar device is used to provide restricted Internet access to network-internal users.
In both cases, private addresses are often seen as enhancing network security for the internal network, since it is difficult for an Internet host to connect directly to an internal system. That protection comes from the NAT gateway or proxy refusing to forward unsolicited inbound connections, not from the addresses themselves: a private address does nothing against other hosts on the same network, or against connections the gateway is configured to forward, and it is not a substitute for a firewall policy.
Misrouting
It is common for packets originating in private address spaces to be misrouted onto the Internet. Private networks often do not properly configure DNS services for addresses used internally and attempt reverse DNS lookups for these addresses, causing extra traffic to the Internet root nameservers. The AS112 project attempted to mitigate this load by providing special blackhole anycast nameservers for private address ranges which only return negative result codes (not found) for these queries.
Organizational edge routers are usually configured to drop ingress IP traffic for these networks, which can occur either by misconfiguration, or from malicious traffic using a spoofed source address. Less commonly, ISP edge routers drop such egress traffic from customers, which reduces the impact to the Internet of such misconfigured or malicious hosts on the customer's network.
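The Python example below is added to make the two failure modes in this section testable; it is not code from the original article. The first half is the bogon filter an edge router applies, run over constructed flow records (the public addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges). The second half lists the reverse zones a site's resolver should answer itself so that PTR queries for private and link-local space never leave the site for the root servers or the AS112 sinks (the practice standardised in RFC 6303), and checks whether a given lookup would leak.

```python
import ipaddress

# Blocks that must never be sourced from or routed toward the public Internet
# (RFC 1918, RFC 3927 link-local, RFC 4193 ULA, RFC 4291 IPv6 link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",
    "fc00::/7",
    "fe80::/10",
)]


def non_routable_block(addr):
    """The block a non-routable address falls in (as a string), else None."""
    ip = ipaddress.ip_address(addr)
    for net in NON_ROUTABLE:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def edge_decision(direction, src, dst):
    """What an edge filter does with one packet.

    direction is "ingress" (arriving from the Internet) or "egress" (leaving
    the site toward the ISP).  Returns (action, reason).
    """
    src_block = non_routable_block(src)
    if src_block:
        cause = "spoofed or misrouted source" if direction == "ingress" else "leaked internal source"
        return "drop", f"{cause} {src} in {src_block}"
    dst_block = non_routable_block(dst)
    if dst_block:
        return "drop", f"destination {dst} in {dst_block} is not reachable across the Internet"
    return "accept", None


def filter_records(records):
    """Run edge_decision over 'direction src dst' records; return only the drops."""
    drops = []
    for rec in records:
        direction, src, dst = rec.split()
        action, reason = edge_decision(direction, src, dst)
        if action == "drop":
            drops.append((rec, reason))
    return drops


def local_reverse_zones():
    """Reverse zones a site resolver should serve itself (empty or populated)."""
    zones = ["10.in-addr.arpa"]
    zones += [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    zones += ["168.192.in-addr.arpa", "254.169.in-addr.arpa"]
    zones += ["d.f.ip6.arpa"]                          # fd00::/8
    zones += [f"{n}.e.f.ip6.arpa" for n in "89ab"]    # fe80::/10
    return zones


def ptr_query_leaks(addr, zones=None):
    """True if a PTR lookup for addr would leave the site (no local zone covers it)."""
    zones = local_reverse_zones() if zones is None else zones
    name = ipaddress.ip_address(addr).reverse_pointer
    return not any(name.endswith("." + z) for z in zones)


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for public hosts.
SAMPLE_RECORDS = [
    "ingress 203.0.113.5 198.51.100.7",
    "ingress 10.1.2.3 198.51.100.7",
    "egress 198.51.100.7 192.168.1.1",
    "egress 192.168.0.20 203.0.113.5",
    "ingress fe80::1 2001:db8::1",
]

if __name__ == "__main__":
    for rec, reason in filter_records(SAMPLE_RECORDS):
        print(f"DROP {rec}: {reason}")
    for a in ("10.1.2.3", "172.20.1.1", "fd00::1", "203.0.113.5"):
        print(a, "leaks" if ptr_query_leaks(a) else "answered locally")
```

The egress rule is the one most sites skip; it is also the one that stops a misconfigured or compromised internal host from advertising its private source address to the rest of the Internet.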
Merging private networks
Since the private IPv4 address space is relatively small, many private IPv4 networks use the same address space. This creates a common problem when merging such networks, namely the duplication of addresses on multiple devices. In this case, networks or hosts must be renumbered, often a time-consuming task, or a network address translator must be placed between the networks to masquerade the duplicated addresses.
To mitigate this problem for IPv6, RFC 4193 specifies a large (40-bit) unique Global ID to be pseudo-randomly generated by each organization using Unique Local Addresses. It is very unlikely that two network prefixes generated in this way will be the same.
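The Python example below is added to show the IPv4 merge problem in working code; it is not from the original article. Given the prefix lists of two sites (a constructed example in which both grew on RFC 1918 space), it finds the colliding prefixes, allocates a replacement for each colliding prefix of the second site from a spare pool that overlaps nothing already in use, and performs the 1:1 prefix translation (keep the host bits, swap the network bits) that a NAT device placed between the two networks would apply. The pool `10.200.0.0/16` and the site prefixes are assumptions for the demonstration.

```python
import ipaddress


def find_overlaps(site_a, site_b):
    """Pairs (prefix from site_a, prefix from site_b) that share address space."""
    pairs = []
    for a in site_a:
        net_a = ipaddress.ip_network(a)
        for b in site_b:
            net_b = ipaddress.ip_network(b)
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                pairs.append((str(net_a), str(net_b)))
    return pairs


def netmap(addr, from_net, to_net):
    """1:1 prefix translation: keep the host bits, replace the network bits."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 translation needs equal-length prefixes")
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def plan_merge(site_a, site_b, pool):
    """Replacement prefix from pool for every site_b prefix that collides with site_a.

    Each replacement is disjoint from everything already in use on either side
    and from earlier replacements.  Returns {old_prefix: new_prefix}.
    """
    pool_net = ipaddress.ip_network(pool)
    used = [ipaddress.ip_network(n) for n in list(site_a) + list(site_b)]
    mapping = {}
    for _, old in find_overlaps(site_a, site_b):
        if old in mapping:
            continue
        old_net = ipaddress.ip_network(old)
        if pool_net.prefixlen > old_net.prefixlen:
            raise ValueError(f"pool {pool_net} is smaller than {old_net}")
        for cand in pool_net.subnets(new_prefix=old_net.prefixlen):
            if not any(cand.overlaps(u) for u in used):
                mapping[old] = str(cand)
                used.append(cand)
                break
        else:
            raise ValueError(f"pool {pool_net} exhausted while replacing {old_net}")
    return mapping


def translate(addr, mapping):
    """Apply a plan_merge mapping to one site_b address (identity if unaffected)."""
    ip = ipaddress.ip_address(addr)
    for old, new in mapping.items():
        if ip in ipaddress.ip_network(old):
            return netmap(addr, old, new)
    return str(ip)


if __name__ == "__main__":
    # Constructed example: two sites that both grew on RFC 1918 space.
    site_a = ["10.0.0.0/16", "192.168.1.0/24"]
    site_b = ["192.168.1.0/24", "192.168.2.0/24", "10.0.5.0/24"]
    print(find_overlaps(site_a, site_b))
    plan = plan_merge(site_a, site_b, "10.200.0.0/16")
    print(plan)
    print(translate("192.168.1.10", plan), translate("192.168.2.5", plan))
```

Note that the translation only fixes the network layer: any protocol that carries addresses in its payload, and any DNS record or access-control list that names the old addresses, still has to be rewritten, which is why renumbering is usually the cleaner long-term answer.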
Private use of other reserved addresses
Historically, address blocks other than the private address ranges have been reserved for other potential future uses. Some organizations have used them for private networking applications despite official warnings of possible future address collisions. The IPv4 block 240.0.0.0/4 (240.0.0.0 to 255.255.255.254, the former class E space) is reserved for future use, with 255.255.255.255 being the limited broadcast address. Many host and router implementations refuse to configure or forward addresses from this block, so its private use is unreliable.

RFC References
- RFC 1918 – "Address Allocation for Private Internets"
- RFC 2036 – "Observations on the use of Components of the Class A Address Space within the Internet"
- RFC 2050 – "Internet Registry IP Allocation Guidelines"
- RFC 2101 – "IPv4 Address Behaviour Today"
- RFC 2663 – "IP Network Address Translator (NAT) Terminology and Considerations"
- RFC 3022 – "Traditional IP Network Address Translator (Traditional NAT)"
- RFC 3330 – "Special-Use IPv4 Addresses" (superseded)
- RFC 5735 – "Special-Use IPv4 Addresses"
- RFC 3879 – "Deprecating Site Local Addresses"
- RFC 3927 – "Dynamic Configuration of IPv4 Link-Local Addresses"
- RFC 4193 – "Unique Local IPv6 Unicast Addresses"
- RFC 4291 – "IP Version 6 Addressing Architecture"
- RFC 4862 – "IPv6 Stateless Address Autoconfiguration"