Private network

In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 and the IPv6 specifications define private IP address ranges. [1] [2]

Most Internet service providers (ISPs) allocate only a single publicly routable IPv4 address to each residential customer, but many homes have more than one computer, smartphone, or other Internet-connected device. In this situation, a network address translator (NAT/PAT) gateway is usually used to provide Internet connectivity to multiple hosts. Private addresses are also commonly used in corporate networks which, for security reasons, are not connected directly to the Internet. Often a proxy, SOCKS gateway, or similar devices are used to provide restricted Internet access to network-internal users.

Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet.

Private addresses are often seen as enhancing network security for the internal network, since use of private addresses internally makes it difficult for an external host to initiate a connection to an internal system.

Private IPv4 addresses

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks: [1] :4

| RFC 1918 name | IP address range | Number of addresses | Largest CIDR block (subnet mask) | Host ID size | Mask bits | Classful description [Note 1] |
|---|---|---|---|---|---|---|
| 24-bit block | 10.0.0.0 – 10.255.255.255 | 16777216 | 10.0.0.0/8 (255.0.0.0) | 24 bits | 8 bits | single class A network |
| 20-bit block | 172.16.0.0 – 172.31.255.255 | 1048576 | 172.16.0.0/12 (255.240.0.0) | 20 bits | 12 bits | 16 contiguous class B networks |
| 16-bit block | 192.168.0.0 – 192.168.255.255 | 65536 | 192.168.0.0/16 (255.255.0.0) | 16 bits | 16 bits | 256 contiguous class C networks |

In practice, it is common to subdivide these ranges into smaller subnets.

Dedicated space for carrier-grade NAT deployment

In April 2012, IANA allocated the 100.64.0.0/10 block of IPv4 addresses specifically for use in carrier-grade NAT scenarios. [4]

| IP address range | Number of addresses | Largest CIDR block (subnet mask) | Host ID size | Mask bits |
|---|---|---|---|---|
| 100.64.0.0 – 100.127.255.255 | 4194304 | 100.64.0.0/10 (255.192.0.0) | 22 bits | 10 bits |

This address block should not be used on private networks or on the public Internet. The size of the address block was selected to be large enough to uniquely number all customer access devices for all of a single operator's points of presence in a large metropolitan area such as Tokyo. [4]

Private IPv6 addresses

The concept of private networks has been extended in the next generation of the Internet Protocol, IPv6, and special address blocks are reserved.

The address block fc00::/7 is reserved by IANA for unique local addresses (ULAs). [2] They are unicast addresses, but contain a 40-bit random number in the routing prefix to prevent collisions when two private networks are interconnected. Despite being inherently local in usage, the IPv6 address scope of unique local addresses is global.

The first block defined is fd00::/8, designed for /48 routing blocks, in which users can create multiple subnets, as needed.

| RFC 4193 block | Prefix/L and Global ID (random) | Subnet ID | Number of addresses in subnet |
|---|---|---|---|
| | 48 bits | 16 bits | 64 bits |
| fd00::/8 | fdxx:xxxx:xxxx | yyyy | 18446744073709551616 |

Examples:

| Prefix/L and Global ID (random) | Subnet ID | Interface ID | Address | Subnet |
|---|---|---|---|---|
| fdxx:xxxx:xxxx | yyyy | zzzz:zzzz:zzzz:zzzz | fdxx:xxxx:xxxx:yyyy:zzzz:zzzz:zzzz:zzzz | fdxx:xxxx:xxxx:yyyy::/64 |
| fd12:3456:789a | 0001 | 0000:0000:0000:0001 | fd12:3456:789a:1::1 | fd12:3456:789a:1::/64 |
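The table above shows how a ULA is assembled but not where the 40-bit Global ID comes from. The following is an added example, not code from the article or from RFC 4193 itself: it implements the pseudo-random Global ID algorithm that RFC 4193 section 3.2.2 specifies (SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64 identifier, keeping the low 40 bits) and then composes prefix, Subnet ID and Interface ID exactly as the table does. The MAC address and timestamp fed to it are constructed values; the function names are this example's own.

```python
import hashlib
import ipaddress
import struct
import time
from typing import Optional

ULA_RANGE = ipaddress.ip_network("fc00::/7")  # RFC 4193 block from the table


def ntp_timestamp_64(unix_time: float) -> bytes:
    """64-bit NTP timestamp (32-bit seconds since 1900 + 32-bit fraction),
    the first input of the RFC 4193 section 3.2.2 algorithm."""
    ntp_seconds = unix_time + 2208988800  # Unix epoch -> NTP epoch offset
    secs = int(ntp_seconds)
    frac = int((ntp_seconds - secs) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def eui64_from_mac(mac: int) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and
    flip the universal/local bit (0x02) of the first octet."""
    mac_bytes = mac.to_bytes(6, "big")
    first = mac_bytes[0] ^ 0x02
    return bytes([first]) + mac_bytes[1:3] + b"\xff\xfe" + mac_bytes[3:6]


def ula_global_id(ntp_ts: bytes, eui64: bytes) -> int:
    """SHA-1 over (timestamp || EUI-64); the least significant 40 bits of
    the digest become the Global ID."""
    digest = hashlib.sha1(ntp_ts + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd00::/8 (prefix fc00::/7 with L = 1) followed by the 40-bit Global ID
    gives the site's /48 routing block."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((value, 48))


def ula_address(global_id: int, subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """Compose Prefix/L + Global ID + 16-bit Subnet ID + 64-bit Interface ID,
    i.e. the layout of the examples table."""
    if not 0 <= subnet_id < (1 << 16) or not 0 <= interface_id < (1 << 64):
        raise ValueError("subnet_id must fit in 16 bits, interface_id in 64 bits")
    value = (0xFD << 120) | (global_id << 80) | (subnet_id << 64) | interface_id
    return ipaddress.IPv6Address(value)


def generate_site_prefix(mac: int, now: Optional[float] = None) -> ipaddress.IPv6Network:
    """Run the whole RFC 4193 procedure for one site."""
    ts = ntp_timestamp_64(time.time() if now is None else now)
    return ula_prefix(ula_global_id(ts, eui64_from_mac(mac)))


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC address and a fixed timestamp.
    site = generate_site_prefix(0x001122334455, now=1_700_000_000.0)
    print("site prefix:", site)
    # The table's worked example: Global ID 12:3456:789a, subnet 1, host 1.
    print("subnet 1, host 1:", ula_address(0x123456789A, 1, 1))
```

The random input matters for the merging argument later in the article: two sites that derive their Global IDs from independent timestamps and hardware identifiers end up with prefixes that are, for practical purposes, never equal.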

A former standard proposed the use of site-local addresses in the fec0::/10 block, but because of scalability concerns and poor definition of what constitutes a site, its use has been deprecated since September 2004. [5]

Link-local addresses

Another type of private networking uses the link-local address range. The validity of link-local addresses is limited to a single link; e.g. to all computers connected to a switch, or to one wireless network. Hosts on different sides of a network bridge are also on the same link, whereas hosts on different sides of a network router are on different links.

IPv4

In IPv4, the utility of link-local addresses is in zero-configuration networking when Dynamic Host Configuration Protocol (DHCP) services are not available and manual configuration by a network administrator is not desirable. The block 169.254.0.0/16 was allocated for this purpose. [6] [7] If a host on an IEEE 802 (Ethernet) network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 [Note 2] may be assigned pseudorandomly. The standard prescribes that address collisions must be handled gracefully.
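The paragraph describes three things a host must get right when it self-assigns an IPv4 link-local address: stay inside 169.254.1.0 – 169.254.254.255 (Note 2), pick pseudorandomly, and back off on collision. The following added example (not code from the article) models that selection, standing in for the ARP probe with a set of addresses a neighbour already claims, and adds a defender-side inventory check for hosts that ended up on a self-assigned address because DHCP failed. The inventory and the address values are constructed.

```python
import ipaddress
import random
from typing import Optional

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # block from the page
# Note 2: the first and last /24 (169.254.0.0/24 and 169.254.255.0/24) are
# reserved, so self-assigned addresses come from 169.254.1.0 - 169.254.254.255.
USABLE_FIRST = int(ipaddress.ip_address("169.254.1.0"))
USABLE_LAST = int(ipaddress.ip_address("169.254.254.255"))


def is_usable_link_local(addr) -> bool:
    """True if addr is a 169.254/16 address outside the two reserved /24s."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and USABLE_FIRST <= int(ip) <= USABLE_LAST


def candidate_address(rng) -> ipaddress.IPv4Address:
    """Pseudorandom pick from the usable range. rng only needs a randint()
    method, so a test can substitute a fixed sequence."""
    return ipaddress.IPv4Address(rng.randint(USABLE_FIRST, USABLE_LAST))


def choose_link_local(in_use, rng=None, max_attempts: int = 10) -> Optional[ipaddress.IPv4Address]:
    """Select an address, treating in_use as the addresses an ARP probe would
    find already claimed. On conflict try again; give up after max_attempts
    (the real protocol rate-limits further attempts instead of stopping)."""
    rng = rng or random.Random()
    taken = {ipaddress.ip_address(a) for a in in_use}
    for _ in range(max_attempts):
        cand = candidate_address(rng)
        if cand not in taken:  # probe drew no answer: the address is free
            return cand
    return None


def hosts_stuck_on_link_local(inventory):
    """Hosts whose only IPv4 addresses are self-assigned never obtained (or
    lost) a DHCP lease; that is a useful thing to alert on."""
    stuck = []
    for host, addrs in inventory.items():
        v4 = [a for a in map(ipaddress.ip_address, addrs) if a.version == 4]
        if v4 and all(a in LINK_LOCAL for a in v4):
            stuck.append(host)
    return stuck


# Constructed inventory: hostname -> configured addresses.
INVENTORY = {
    "ws01": ["192.168.10.21"],
    "ws02": ["169.254.77.3"],
    "ws03": ["fe80::1", "192.168.10.22"],
    "printer": ["169.254.200.9"],
}

if __name__ == "__main__":
    print("chosen:", choose_link_local(["169.254.77.3"], random.Random(1)))
    print("stuck on link-local:", hosts_stuck_on_link_local(INVENTORY))
```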

IPv6

In IPv6, the block fe80::/10 is reserved for IP address autoconfiguration. [8] The implementation of these link-local addresses is mandatory, as various functions of the IPv6 protocol depend on them. [9]

Loopback interface

A special case of private link-local addresses is the loopback interface. These addresses are private and link-local by definition, since packets never leave the host device.

IPv4 reserves the entire class A address block 127.0.0.0/8 for use as private loopback addresses. IPv6 reserves the single address ::1.

Misrouting

It is common for packets originating in private address spaces to be misrouted onto the Internet. Private networks often do not properly configure DNS services for addresses used internally and attempt reverse DNS lookups for these addresses, causing extra traffic to the Internet root nameservers. The AS112 project attempted to mitigate this load by providing special blackhole anycast nameservers for private address ranges which only return negative result codes (not found) for these queries.

Organizational edge routers are usually configured to drop ingress IP traffic for these networks, which can occur either by misconfiguration, or from malicious traffic using a spoofed source address. Less commonly, ISP edge routers drop such egress traffic from customers, which reduces the impact to the Internet of such misconfigured or malicious hosts on the customer's network.
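Both paragraphs above describe leaks that an operator can check for: reverse-DNS queries for private space escaping to the Internet, and traffic crossing the edge with a non-routable source or destination. The following added example (not code from the article) collects every block the article lists (RFC 1918, the 100.64.0.0/10 shared space, link-local and loopback for both IP versions), applies the edge-router drop policy to constructed flow records, and parses reverse-DNS query names to spot PTR lookups that a local resolver or AS112 should have answered. The flow records, query names and block labels are constructed for the example.

```python
import ipaddress

# Blocks the article lists as private, shared, link-local or loopback. None is
# routable on the public Internet, so none should appear as the source or the
# destination of traffic crossing an Internet edge.
NON_ROUTABLE = {
    "RFC 1918 24-bit block": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 20-bit block": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 16-bit block": ipaddress.ip_network("192.168.0.0/16"),
    "RFC 6598 shared address space (CGN)": ipaddress.ip_network("100.64.0.0/10"),
    "IPv4 link-local": ipaddress.ip_network("169.254.0.0/16"),
    "IPv4 loopback": ipaddress.ip_network("127.0.0.0/8"),
    "IPv6 unique local": ipaddress.ip_network("fc00::/7"),
    "IPv6 link-local": ipaddress.ip_network("fe80::/10"),
    "IPv6 loopback": ipaddress.ip_network("::1/128"),
}


def classify(addr):
    """Name of the non-routable block containing addr, or None if public."""
    ip = ipaddress.ip_address(str(addr))
    for name, net in NON_ROUTABLE.items():
        if ip.version == net.version and ip in net:
            return name
    return None


def filter_edge_flows(records):
    """Edge policy from the article applied to 'src dst' records: drop a flow
    when either endpoint is non-routable (spoofed, leaked or misrouted).
    Returns (kept, dropped); dropped entries name the field and the block."""
    kept, dropped = [], []
    for rec in records:
        src, dst = rec.split()
        for field, addr in (("src", src), ("dst", dst)):
            block = classify(addr)
            if block is not None:
                dropped.append((rec, field, block))
                break
        else:
            kept.append(rec)
    return kept, dropped


def ptr_qname_to_ip(qname):
    """Inverse of ipaddress's reverse_pointer: turn an in-addr.arpa or
    ip6.arpa query name back into an address, or None if it is neither."""
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            labels = name[: -len(".in-addr.arpa")].split(".")
            if len(labels) != 4:
                return None
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            hexstr = "".join(reversed(nibbles))
            return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


def leaking_ptr_queries(qnames):
    """Reverse lookups for non-routable space seen at an upstream resolver
    are leaks: they should have been answered locally or by AS112."""
    leaks = []
    for q in qnames:
        ip = ptr_qname_to_ip(q)
        block = classify(ip) if ip is not None else None
        if block is not None:
            leaks.append((q, str(ip), block))
    return leaks


# Constructed samples.
SAMPLE_FLOWS = [
    "203.0.113.7 198.51.100.20",        # public to public: forwarded
    "10.1.2.3 198.51.100.20",           # RFC 1918 source at the edge
    "198.51.100.9 192.168.0.1",         # packet addressed to private space
    "100.70.1.1 198.51.100.20",         # shared (CGN) space past the ISP edge
    "2001:db8::1 fd12:3456:789a:1::1",  # ULA destination
    "2001:db8::1 2001:db8:1::5",        # forwarded
]
SAMPLE_PTR = [
    "3.2.1.10.in-addr.arpa",
    "7.113.0.203.in-addr.arpa",
    ipaddress.ip_address("fd12:3456:789a:1::1").reverse_pointer,
]

if __name__ == "__main__":
    kept, dropped = filter_edge_flows(SAMPLE_FLOWS)
    print("forwarded:", kept)
    for rec, field, block in dropped:
        print(f"dropped {rec!r}: {field} in {block}")
    print("leaked PTR queries:", leaking_ptr_queries(SAMPLE_PTR))
```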

Merging private networks

Since the private IPv4 address space is relatively small, many private IPv4 networks unavoidably use the same address ranges. This can create a problem when merging such networks, as some addresses may be duplicated for multiple devices. In this case, networks or hosts must be renumbered, often a time-consuming task, or a network address translator must be placed between the networks to translate or masquerade one of the address ranges.

IPv6 defines unique local addresses, [2] providing a very large private address space from which each organization can randomly or pseudo-randomly allocate a 40-bit prefix, each of which allows 65536 organizational subnets. With space for about one trillion (10^12) prefixes, it is unlikely that two network prefixes in use by different organizations are the same, provided each of them was selected randomly, as specified in the standard. When two such private IPv6 networks are connected or merged, the risk of an address conflict is therefore virtually absent.
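The two paragraphs above contrast IPv4, where a merge has to start by finding the overlapping ranges and renumbering one side, with IPv6 ULAs, where random 40-bit Global IDs make overlap improbable. The following added example (not code from the article) does the IPv4 part mechanically: it reports overlapping subnets between two sites' address plans and lists free subnets of an RFC 1918 block that neither side uses, as renumbering candidates. It also quantifies the IPv6 claim with the standard birthday-bound approximation, which is this example's own calculation rather than a figure from the article; the site address plans are constructed.

```python
import ipaddress
import math


def find_overlaps(site_a, site_b):
    """Pairs (a, b) of subnets, one from each site, that overlap and would
    collide if the two networks were joined without renumbering or NAT."""
    nets_a = [ipaddress.ip_network(n) for n in site_a]
    nets_b = [ipaddress.ip_network(n) for n in site_b]
    return [(str(a), str(b))
            for a in nets_a for b in nets_b
            if a.version == b.version and a.overlaps(b)]


def free_subnets(private_block, used, new_prefix):
    """Subnets of private_block at prefix length new_prefix that overlap none
    of the subnets in used; candidates for renumbering one side of a merge."""
    block = ipaddress.ip_network(private_block)
    used_nets = [ipaddress.ip_network(u) for u in used]
    return [str(s) for s in block.subnets(new_prefix=new_prefix)
            if not any(s.overlaps(u) for u in used_nets)]


def ula_collision_probability(sites, id_bits=40):
    """Birthday-bound estimate (added here, not from the article) of the
    chance that at least two of `sites` independently random Global IDs
    coincide: 1 - exp(-n(n-1) / (2 * 2^id_bits))."""
    pairs = sites * (sites - 1) / 2
    return 1.0 - math.exp(-pairs / float(1 << id_bits))


# Constructed address plans for two organizations about to merge.
SITE_A = ["10.1.0.0/16", "10.2.0.0/16", "192.168.1.0/24"]
SITE_B = ["10.1.5.0/24", "10.3.0.0/16", "192.168.2.0/24"]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITE_A, SITE_B))
    candidates = free_subnets("10.0.0.0/8", SITE_A + SITE_B, 16)
    print("first free /16s for renumbering:", candidates[:3])
    print("P(collision) for 2 ULA sites:", ula_collision_probability(2))
```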

Notes

  1. Classful addressing is obsolete and has not been used in the Internet since the implementation of Classless Inter-Domain Routing (CIDR), starting in 1993. For example, while 10.0.0.0/8 was a single class A network, it is common for organizations to divide it into smaller /16 or /24 networks. Contrary to a common misconception, a /16 subnet of a class A network is not referred to as a class B network. Likewise, a /24 subnet of a class A or B network is not referred to as a class C network. The class is determined by the first three bits of the prefix. [3]
  2. The first and last /24 subranges of the subnet (addresses 169.254.0.0 through 169.254.0.255 and 169.254.255.0 through 169.254.255.255) are reserved for future use. [7] :§2.1

References

  1. Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi:10.17487/RFC1918. BCP 5. RFC 1918. Best Common Practice. Obsoletes RFC 1627 and 1597. Updated by RFC 6761.
  2. R. Hinden; B. Haberman (October 2005). Unique Local IPv6 Unicast Addresses. Network Working Group. doi:10.17487/RFC4193. RFC 4193. Proposed Standard.
  3. Forouzan, Behrouz (2013). Data Communications and Networking. New York: McGraw Hill. pp. 530–31. ISBN 978-0-07-337622-6.
  4. J. Weil; V. Kuarsingh; C. Donley; C. Liljenstolpe; M. Azinger (April 2012). IANA-Reserved IPv4 Prefix for Shared Address Space. Internet Engineering Task Force. doi:10.17487/RFC6598. ISSN 2070-1721. BCP 153. RFC 6598. Best Common Practice. Updates RFC 5735.
  5. C. Huitema; B. Carpenter (September 2004). Deprecating Site Local Addresses. Network Working Group. doi:10.17487/RFC3879. RFC 3879. Proposed Standard.
  6. M. Cotton; L. Vegoda; B. Haberman (April 2013). R. Bonica (ed.). Special-Purpose IP Address Registries. IETF. doi:10.17487/RFC6890. ISSN 2070-1721. BCP 153. RFC 6890. Best Common Practice. Obsoletes RFC 4773, 5156, 5735 and 5736. Updated by RFC 8190.
  7. S. Cheshire; B. Aboba; E. Guttman (May 2005). Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group. doi:10.17487/RFC3927. RFC 3927. Proposed Standard.
  8. R. Hinden; S. Deering (February 2006). IP Version 6 Addressing Architecture. Network Working Group. doi:10.17487/RFC4291. RFC 4291. Draft Standard. Obsoletes RFC 3513. Updated by RFC 5952, 6052, 7136, 7346, 7371 and 8064.
  9. S. Thomson; T. Narten; T. Jinmei (September 2007). IPv6 Stateless Address Autoconfiguration. Network Working Group. doi:10.17487/RFC4862. RFC 4862. Draft Standard. Obsoletes RFC 2462. Updated by RFC 7527.