Private IP Addresses

Based on the incredible growth of the Internet, it soon became evident that the IP address space would quickly become exhausted if the growth continued. To account for this, the IETF looked for ways in which the address space currently available could be extended. A future solution exists in the form of IP version 6 (or IPv6 for short), which uses a much larger 128-bit addressing scheme. In order to deal with the issue in the shorter term, it was decided that certain address ranges would be deemed “private”. Private IP address ranges are defined in RFC 1918.

The idea behind private ranges of IP addresses is surprisingly simple – certain IP address ranges would be dedicated and limited to use for hosts on private networks. These addresses would no longer be considered valid (or be routable) on the public Internet. Instead, companies could allocate addresses in these ranges as they saw fit, with the address ranges open and available to everyone. Private IP addresses are a practical solution, since companies can use technologies such as Network Address Translation (NAT) or Proxy servers to connect their private networks to the public Internet. When these technologies are used, a single public IP address can be used to connect an entire organization to the Internet. NAT will be looked at in detail later in the series. For the time being, the figure below shows a network that connects to the Internet using only a single public IP address.

Figure: Network using NAT to connect to the Internet.

To the outside world (the public Internet), all requests from within the company above appear to be coming from the single public IP address.

Three ranges of private IP addresses are defined in RFC 1918. The ranges defined have been allocated custom subnet masks that define their network and host portions. The lists below outline the private IP address ranges defined in RFC 1918.

Network Address: 10.0.0.0 Subnet Mask: 255.0.0.0 Range of Addresses: 10.0.0.1 – 10.255.255.254

Network Address: 172.16.0.0 Subnet Mask: 255.240.0.0 Range of Addresses: 172.16.0.1 – 172.31.255.254

Network Address: 192.168.0.0 Subnet Mask: 255.255.0.0 Range of Addresses: 192.168.0.1 – 192.168.255.254

Notice the second private network address, 172.16.0.0 with a subnet mask of 255.240.0.0. It’s easy to immediately react and consider this to be a Class B address, based on the fact that the first octet value falls into the 128-191 range that we learned earlier. Instead, the private portion of this address range only goes as high as 172.31.255.254. Addresses beginning with network 172.32.0.0 are actually valid, public IP addresses. The 192.168.0.0 network uses a special subnet mask as well. In this case, its mask appears to be that of a Class B address. For the time being noting the differences is enough – we’ll explore how custom masks are defined shortly.

So why would a company want to use private IP addresses? A big reason is because they offer a great degree of flexibility. A company can now pick one of these network IDs, and address internal hosts as they see fit. In the past, public IP addresses were allocated to companies, and later needed to be “rented” from ISPs. When private IP addressing is used, a company’s need for public addresses is dramatically reduced, sometimes to only one or just a few IP addresses.

So which private range should a company use? Well, that’s entirely up to them. Obviously the 10.0.0.0 network ID offers the greatest flexibility, based on the number of possible host addresses it provides. For small networks, the 192.168.0.0 range is probably most appropriate. At the end of the day, however, it’s completely in the hands of the network administrator.

Tip: For a more detailed look at the private IP addressing ranges, see RFC 1918.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.