Private network

From Wikipedia, the free encyclopedia

In Internet terminology a private network is typically a network that uses private IP address space, following the agreed standard of RFC 1918. Computers may be allocated addresses from this address space when it is necessary for them to communicate with other computing devices on an internal (not public Internet) network.

Private networks are common in home and office local area network (LAN) designs, since few organizations need a globally unique IP address for every computer, printer and other device they operate. Another reason for the extensive use of private addresses is the shortage of publicly registered IPv4 addresses. IPv6 was created to remove this shortage, but has yet to achieve widespread use.

Routers on the Internet should be configured to discard any packet whose IP header carries a private source or destination address. This isolation gives private networks a basic form of protection, because an outside host cannot normally open a connection directly to a machine with such an address: no Internet router will carry the packet. It is a weak boundary on its own, however; it does nothing against traffic that originates inside the network or that enters through the gateway, so it complements rather than replaces filtering at the gateway. Because connections cannot be made between different private networks across the Internet, different organizations can use the same private address range without risking address conflicts (communications accidentally reaching a third party that is using the same IP address).

If a device on a private network needs to communicate with other networks, a mediating gateway must present the outside network with a public (globally routable) address so that Internet routers will carry the traffic. This gateway is typically a network address translation (NAT) device or a proxy server. Inside the private network no special configuration is needed: routers forward packets with RFC 1918 addresses by default, and it is only the Internet-facing routers that must be configured to discard them.

This causes problems, however, when two networks that both use private address space must be joined, for example after a merger or across a VPN. If both networks use the same addresses there are clashes and routing problems, and the same applies when they rely on NAT to connect them through the Internet.

For someone used to the boundaries of classful addressing it is important to note that, although the RFC 1918 range 172.16.0.0–172.31.255.255 falls in the traditional class B space, the reserved block is not a /16 but a /12. Likewise the range 192.168.0.0–192.168.255.255 is not a /24 but a /16. A network can still be numbered from a subnet of these blocks using a classful-sized mask (a /16 out of 172.16.0.0/12, or a /24 out of 192.168.0.0/16), and many are; the point is only that the mask in use must not be mistaken for the extent of the reserved block, for instance when writing filter rules.

The current IANA private internet address blocks are:

Name          Address range                  Number of addresses  Classful description     Largest CIDR block  Defined in
24-bit block  10.0.0.0 – 10.255.255.255      16,777,216           single class A           10.0.0.0/8          RFC 1597 (obsolete), RFC 1918
20-bit block  172.16.0.0 – 172.31.255.255    1,048,576            16 contiguous class Bs   172.16.0.0/12       RFC 1597 (obsolete), RFC 1918
16-bit block  192.168.0.0 – 192.168.255.255  65,536               256 contiguous class Cs  192.168.0.0/16      RFC 1597 (obsolete), RFC 1918
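The following Python program is an added example, not part of the original article, that puts the table above to work: it matches addresses against the three RFC 1918 blocks by CIDR prefix, contrasts that with the classful misreading discussed earlier (treating only 172.16.0.0/16 and 192.168.0.0/24 as private), and emulates the border-router rule of discarding any packet with a private source or destination. The packet records are constructed sample data, and the function names are the example's own.

```python
"""Match IPv4 addresses against the RFC 1918 blocks and apply the
border-router rule that packets carrying private addresses are dropped.

Added example, not from the original article. SAMPLE_PACKETS below are
constructed records, not captured traffic.
"""
import ipaddress

# The three RFC 1918 blocks, as CIDR prefixes (not classful boundaries).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return block
    return None


def is_rfc1918(addr):
    return rfc1918_block(addr) is not None


def classful_misreading(addr):
    """The error the article warns about: assuming the reserved blocks end at
    the classful boundary, i.e. treating only 172.16.0.0/16 and
    192.168.0.0/24 (plus 10.0.0.0/8) as private."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in (
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/16"),
        ipaddress.ip_network("192.168.0.0/24"),
    ))


def border_filter(packets):
    """Emulate an Internet-facing router: drop every packet whose source or
    destination is an RFC 1918 address, forward the rest.
    Returns (forwarded, dropped) as two lists of packet records."""
    forwarded, dropped = [], []
    for pkt in packets:
        if is_rfc1918(pkt["src"]) or is_rfc1918(pkt["dst"]):
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample packets (RFC 5737 documentation addresses stand in for
# public hosts).
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "198.51.100.9"},    # public to public: forward
    {"src": "10.1.2.3", "dst": "198.51.100.9"},       # leaked private source: drop
    {"src": "203.0.113.7", "dst": "172.31.255.254"},  # inside 172.16.0.0/12: drop
    {"src": "203.0.113.7", "dst": "172.32.0.1"},      # just outside the /12: forward
    {"src": "192.168.200.1", "dst": "203.0.113.7"},   # in the /16, beyond the /24: drop
]

if __name__ == "__main__":
    forwarded, dropped = border_filter(SAMPLE_PACKETS)
    for pkt in dropped:
        hit = rfc1918_block(pkt["src"]) or rfc1918_block(pkt["dst"])
        print("drop   ", pkt["src"], "->", pkt["dst"], "matches", hit)
    for pkt in forwarded:
        print("forward", pkt["src"], "->", pkt["dst"])
    # 192.168.200.1 is private under RFC 1918 but missed by the classful reading.
    print("classful misreading of 192.168.200.1:", classful_misreading("192.168.200.1"))
```

The filter deliberately tests both directions: a private destination arriving from the Internet is just as wrong as a private source leaking out, and 172.32.0.1 is forwarded because the reserved block stops at 172.31.255.255.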

To reduce the load on the root nameservers caused by reverse DNS lookups for these addresses, a set of "black-hole" nameservers is provided by the AS112 anycast network; they serve the corresponding in-addr.arpa zones as empty and answer every such query negatively. A well-run private network should instead serve the reverse zones for its own address space internally, so that lookups for private addresses never leave the network.

Link-local addresses (Zeroconf)

A second set of private networks is the link-local address range specified in RFC 3330 and RFC 3927. The intention behind these RFCs is to give a host an IP address (and by implication network connectivity) when no DHCP server is available and no address has been configured manually. The network 169.254.0.0/16 is reserved for this purpose. Within it, 169.254.0.0/24 and 169.254.255.0/24 are set aside for future use and must not be chosen.

If a host on an IEEE 802 (Ethernet) network cannot obtain an address via DHCP, it picks one pseudorandomly from 169.254.1.0 to 169.254.254.255 and uses ARP probes to check that no other host on the link already holds it. The standard requires collisions to be handled gracefully: a host that detects a conflict, during probing or later, must give up the address and select another.

Link-local addresses have even more restrictive rules than the private network addresses defined in RFC 1918: packets to or from link-local addresses must not be allowed to pass through a router at all (RFC 3927, section 7).
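The following Python program is an added example, not part of the original article or of any RFC 3927 implementation. It simulates the two rules just described: a host selecting a link-local address and retrying on conflict, and a router refusing to forward anything with a link-local source or destination. The ARP probe is modelled as a membership test against a constructed set of addresses already claimed on the link; a real host sends ARP probes and listens for replies.

```python
"""Simulate RFC 3927 link-local address selection with conflict handling,
plus the router rule that link-local packets are never forwarded.

Added example, not from the original article. The set of claimed
addresses built in __main__ is constructed sample data.
"""
import ipaddress
import random

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# 169.254.0.0/24 and 169.254.255.0/24 are reserved, so hosts choose from the rest.
FIRST_USABLE = int(ipaddress.ip_address("169.254.1.0"))
LAST_USABLE = int(ipaddress.ip_address("169.254.254.255"))


def is_selectable(addr):
    """True if addr lies in 169.254.1.0 .. 169.254.254.255."""
    return FIRST_USABLE <= int(ipaddress.ip_address(addr)) <= LAST_USABLE


def claimed_set(*addrs):
    """Build the set standing in for 'addresses that would answer an ARP probe'."""
    return {ipaddress.ip_address(a) for a in addrs}


def candidate_address(rng):
    """Pseudorandom pick from the selectable range (RFC 3927 section 2.1)."""
    return ipaddress.ip_address(rng.randint(FIRST_USABLE, LAST_USABLE))


def select_address(in_use, rng=None, max_attempts=10):
    """Choose a link-local address that no other host on the link claims.

    in_use stands in for ARP probing: a candidate found in it would have
    drawn a reply, which RFC 3927 treats as a conflict, so the host must
    pick another address. max_attempts only bounds this simulation; a real
    host keeps trying but, after ten conflicts, rate-limits new probes to
    one per minute (RFC 3927 section 2.2.1).
    Returns the chosen address, or None if every attempt conflicted."""
    rng = rng if rng is not None else random.Random()
    for _ in range(max_attempts):
        addr = candidate_address(rng)
        if addr not in in_use:   # no ARP reply: the address is free
            return addr
    return None


def should_forward(src, dst):
    """Router decision: RFC 3927 section 7 forbids forwarding any packet
    with a link-local source or destination address."""
    return (ipaddress.ip_address(src) not in LINK_LOCAL
            and ipaddress.ip_address(dst) not in LINK_LOCAL)


if __name__ == "__main__":
    # Constructed: two addresses already claimed on this link.
    claimed = claimed_set("169.254.10.1", "169.254.20.2")
    chosen = select_address(claimed, random.Random(1))
    print("chosen:", chosen, "selectable:", is_selectable(chosen))
    print("forward 169.254.10.1 -> 203.0.113.7?",
          should_forward("169.254.10.1", "203.0.113.7"))
```

Passing the random source in as a parameter is what makes the conflict path testable: a scripted source can be made to return a claimed address first and a free one second, which a seeded generator alone cannot guarantee.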

Private networks and IPv6

IPv6 does not depend on private network features such as NAT. Because of the very large address space (128-bit addresses compared with 32 bits in IPv4), IPv6 users are expected to obtain globally unique address space and use it at their discretion, without artificial barriers between their network and the Internet. There is nonetheless an address range for networks that cannot, or do not want to, obtain an officially assigned prefix: fc00::/7, described in RFC 4193. Addresses from this range are called unique local addresses (ULAs). Each /48 prefix carries a 40-bit pseudo-random global ID, so that two independently numbered private networks are very unlikely to clash when they are later interconnected; the uniqueness is probabilistic, not guaranteed. Only the fd00::/8 half (the "L" bit set, meaning locally assigned) is defined for use; fc00::/8 is reserved for a possible future central assignment scheme.
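The following Python program is an added example, not part of the original article or of any reference implementation. It generates a ULA prefix with the algorithm RFC 4193 section 3.2.2 specifies (SHA-1 over the 64-bit NTP time and an EUI-64, low 40 bits as the global ID, prepended with fd00::/8) and checks addresses against fc00::/7. The MAC addresses it uses are made-up sample values.

```python
"""Generate an IPv6 unique local address (ULA) prefix following the
algorithm in RFC 4193 section 3.2.2, and check addresses against fc00::/7.

Added example, not from the original article. The MAC addresses used in
__main__ are made-up sample values.
"""
import hashlib
import ipaddress
import struct
import time

ULA_RANGE = ipaddress.ip_network("fc00::/7")
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def ntp_time64(now=None):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    now = time.time() if now is None else now
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", secs, frac)


def eui64_from_mac(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe and flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def ula_global_id(mac, now=None):
    """40-bit global ID: the low 40 bits of SHA-1(NTP time || EUI-64)."""
    key = ntp_time64(now) + eui64_from_mac(mac)
    return hashlib.sha1(key).digest()[-5:]


def ula_prefix(mac, now=None):
    """fd00::/8 (fc00::/7 with the L bit set) + global ID -> a /48 prefix."""
    prefix_int = int.from_bytes(b"\xfd" + ula_global_id(mac, now) + bytes(10), "big")
    return ipaddress.IPv6Network((prefix_int, 48))


def is_ula(addr):
    """True if addr falls anywhere in fc00::/7."""
    return ipaddress.ip_address(addr) in ULA_RANGE


if __name__ == "__main__":
    # Two sites generate prefixes independently; the random global IDs make a
    # clash when the sites are later joined very unlikely (about 2**-40).
    site_a = ula_prefix("00:11:22:33:44:55")
    site_b = ula_prefix("66:77:88:99:aa:bb")
    print("site A:", site_a, " site B:", site_b,
          " overlap:", site_a.overlaps(site_b))
    print("fd12:3456:789a::1 is ULA:", is_ula("fd12:3456:789a::1"))
```

Feeding the current time into the hash is what keeps a site from regenerating the same prefix if it later re-runs the procedure; the MAC alone would give a fixed, guessable global ID.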

A former standard proposed the use of so-called "site-local" addresses in the fec0::/10 range, but due to major concerns about scalability and the extremely fuzzy definition of "site", its use has been deprecated since September 2004 in RFC 3879.

IANA Reserved Addresses

The IANA has reserved several address ranges, including, at the time this was written, 1.0.0.0 – 2.255.255.255.[1] Some large companies have begun to use this space internally, typically when joining two private networks, so as to avoid any chance of conflicting with the RFC 1918 ranges already in use on either side. The practice is discouraged: reserved space is merely unallocated, not set aside for private use, and once IANA assigns it to a registry and it appears in the global routing table, internal hosts numbered from it lose the ability to reach the legitimate holders. (1.0.0.0/8 and 2.0.0.0/8 have since been allocated to regional registries and are routed on the public Internet.)

Fonality uses both 1.0.30.1/24 and 2.0.30.1/24 to establish a tunnel between its PBXs and its servers. Data Return (now Terremark) uses 1.4.0.0/16 for its internal network.[citation needed] Hamachi uses 5.0.0.0/8 for the virtual addresses of its VPN clients; these addresses exist only inside the VPN, which is carried over UDP, and are never routed across the Internet. Meraki uses 5.0.0.0/8 and 6.0.0.0/8 with its mesh routers.

References

  1. Internet Protocol v4 Address Space, IANA.