24

I know that the organization that distributes IP addresses decided to assign 192.168.xxx, 172.xxx and 10.xxx to private networks. However, I thought that private networks have their own address space so shouldn't a private network be able to assign any values in the IP address space and not be limited to those values?

Assuming IPv4 CIDR notation.

coderhk
  • Related on [sf]: [Are there any advantages to using someone else's publicly-routable IPv4 addresses locally?](https://serverfault.com/q/520952/126632) – Michael Hampton Jan 20 '20 at 18:23
  • The question is really one of terminology. The internet is a network of networks. The "private addresses" (192.168/16 etc) are for private portions of the internet. If you have a whole **private internet** (not connected to the public internet), then you can do whatever you like. You can imagine an organisation like a bank or an army might well want a whole network which is absolutely not connected in any way to the public. – jonathanjo Jan 20 '20 at 23:33
  • This isn't even a question of theoretical consequences, it's been done at scale with all the expected consequences. https://en.wikipedia.org/wiki/LogMeIn_Hamachi#Addressing – Kaithar Jan 21 '20 at 00:52

5 Answers

50

RFC 1918 allocates the following for private address space:

  1. 10.0.0.0/8
  2. 172.16.0.0/12 (not 172.0.0.0/8!!!)
  3. 192.168.0.0/16

While those are private, network engineers often use NAT to allow users on those nets to reach internet resources.

If you used 8.0.0.0/8 for private address space (for example), you would not be able to reach the Google address server 8.8.8.8, because you would have an internal route for that block.

In addition, even if your “private” servers did not need to reach the internet at all, if Google tried to reach your public webserver, and your public webserver had your internal routing table (with your “private” 8-net route), the replies would not get back to Google.

So use the RFC1918 private address space and save yourself a bunch of trouble.

Darrell Root
  • Correct me if I'm wrong, so if we assign a set of addresses in our private network, it will always use that internal route if the address we are accessing is in the range of our network. However, if we try to access something that is not in that range we will then go to the NAT gateway – coderhk Jan 20 '20 at 04:17
  • It depends on your routing but yes, usually you will have specific internal routes which will be preferred over a default route to the internet. So using someone else’s space internally will prevent you from accessing their sites, and may prevent them from accessing your public sites. That’s a lose-lose situation. – Darrell Root Jan 20 '20 at 07:10
  • There's a very real example of this happening. 1.x.x.x was left unallocated until a few years ago, so it sometimes got used for private addressing. When Cloudflare set up 1.1.1.1 and 1.0.0.1 as public DNS servers, some clients couldn't reach them because they were behind a net that did weird things with those addresses. See [this Cloudflare blog article](https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/). – Gordon Davisson Jan 21 '20 at 01:42
  • @coderhk the problem is: (NAT) routers are dumb. They have no way of knowing that packets addressed to 8.x.x.x have to go outside, while all the other packets addressed with virtually the same addresses are to stay inside. – eagle275 Jan 21 '20 at 09:17
  • Doesn't have anything to do with NAT or routers. Routers are not involved if your PC is addressed 8.1.1.100 /8 and you try and access Google DNS at 8.8.8.8. It will either reach the 8.8.8.8 directly connected on your net (if there is one) or if there isn't one it will fail. – AbraCadaver Jan 21 '20 at 19:00
  • @AbraCadaver you're being rather pedantic. In most cases the router is the device that provides the routing table to clients, and if it tells the clients that 8.0.0.0/8 is internal space, the client won't even touch the router. NAT is the reason that assigning your network 8.0.0.0/8 doesn't completely break your entire internet access. – Doktor J Jan 22 '20 at 04:35
  • @DoktorJ Routers don't provide routing tables to clients. The point Abra is making is that if a device is sat on the 8.0.0.0/8 range then it'll never even try to get off the network – Dan Jan 22 '20 at 12:04
  • @Dan, thanks, saved me a lot of typing. – AbraCadaver Jan 22 '20 at 15:18
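The shadowing this answer and its comments describe comes down to longest-prefix match: a connected or internal route is more specific than the default route, so it always wins. As an added example (not part of the original post), the Python below models a host or router with a constructed two-entry routing table, a default route to the NAT gateway plus one directly connected LAN prefix, and shows that 8.8.8.8 leaves via the default route when the LAN is 10.0.0.0/8 but is swallowed by the connected route when the LAN is 8.0.0.0/8. The table layout, gateway labels and function names are assumptions made for the illustration.

```python
"""Added example: longest-prefix-match lookup showing how an internally used
public prefix shadows the real hosts in that block."""
from ipaddress import ip_address, ip_network


def build_table(internal_prefix):
    """Constructed routing table: a default route plus one connected LAN prefix."""
    return [
        (ip_network("0.0.0.0/0"), "default via NAT gateway"),
        (ip_network(internal_prefix), "directly connected (LAN)"),
    ]


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match, as a router does.

    Every entry that contains dst is a candidate; the one with the longest
    prefix length (the most specific) wins.  The /0 default route therefore
    only matches when nothing else does.
    """
    dst = ip_address(dst)
    best = None
    for prefix, nexthop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def reachable_via_internet(internal_prefix, dst):
    """True if a packet to dst would leave the site through the default route."""
    return lookup(build_table(internal_prefix), dst).startswith("default")


if __name__ == "__main__":
    # RFC 1918 LAN: public resolvers are reached normally.
    # 8.0.0.0/8 LAN: 8.8.8.8 is 'on the LAN', so the packet never reaches the gateway.
    for internal in ("10.0.0.0/8", "8.0.0.0/8"):
        for dst in ("8.8.8.8", "1.1.1.1"):
            print(f"LAN={internal:<12} dst={dst:<8} -> {lookup(build_table(internal), dst)}")
```

Running the block prints one line per combination; the only destination that does not go to the gateway is 8.8.8.8 behind an 8.0.0.0/8 LAN, which is exactly the failure mode the answer warns about.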
15

If you use assigned global address space internally -- and pretty much all of it is assigned now -- your users will not be able to reach the real internet site(s) at those addresses. That's the entire reason RFC1918 defined 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8. Those blocks will never be assigned and routed on the global internet, so you can safely use them internally without interference.

(The only issue is two orgs using overlapping private ranges. But that's their problem.)

Ricky
7

You're not technically limited to just 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 (in an IPv4 network). You can use whatever you want privately. The deal is that everything else, with the exception of a few other restricted subnets (such as multicast, localhost, APIPA, etc.), is routable on the internet, so if you decide to use something other than 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 privately (in an IPv4 network), such as 100.200.0.0/16, keep in mind that you will not be able to talk with the organization that actually has 100.200.0.0/16 assigned to them.

Jesse P.
  • So, it means that the private address is just an agreement between organizations? – M. Rostami Jan 20 '20 at 06:47
  • @M.Rostami More or less. There is no technical reason someone couldn't use a public IP address internally, but they have to understand the implications if they do. It's a bad practice, and the subnets defined in RFC 1918 are more than enough for most organizations but if they're not for yours, your better solution would be to convert to IPv6. – Jesse P. Jan 20 '20 at 12:20
  • If you (for example) don’t want anyone internal to communicate with China, you could have your outside connection block all traffic to/from China’s IP blocks, and do anything you want with those addresses internally. – WGroleau Jan 20 '20 at 17:04
  • @WGroleau Correct but it is still a bad practice. Many websites and apps have things like API calls and graphics that may be hosted around the world, and you may inadvertently block them and cause issues. Avoid using anything but the allocated private subnets unless there's **absolutely** no alternative. – Jesse P. Jan 20 '20 at 17:10
  • I didn’t recommend it, though I personally would not trust an API that demands access to China. :-) – WGroleau Jan 20 '20 at 17:26
  • @WGroleau I know you didn't. And, that's not quite what I meant (not a privacy discussion). There may be a service hosted in a DC located in China, or maybe a support center that users need to work with for an application they use is located in China. Gotta think of things like that before breaking connectivity by using methods like this. – Jesse P. Jan 20 '20 at 17:29
  • True. But if the company wanted it, they could do it. – WGroleau Jan 20 '20 at 17:55
  • @M.Rostami **All** of the internet is just an agreement between organizations. The rules of internetworking are not "laws", they are spelled out in "Requests For Comments", a name that does not sound like it makes the specifications really compelling. You can use other networks than suggested by RFC1918, use different mail standards than in RFC822, run a web server that ignores RFC2616, or even a different IP protocol than the one described in RFC722 or RFC2460. [...] – Hagen von Eitzen Jan 20 '20 at 21:44
  • [...] However, by not abiding by the "suggestions", you will lose functionality (some network not reachable, mail not transmittable, webserver not functional for the public, or no communication whatsoever possible) and may perhaps not be considered a good netizen – Hagen von Eitzen Jan 20 '20 at 21:44
  • @HagenvonEitzen Thanks for the great explanation. "*All of the internet is just an agreement between organizations.*" Agreed, of course it is. – M. Rostami Jan 21 '20 at 00:28
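This answer lists the restricted subnets only loosely ("multicast, localhost, APIPA, etc."), and the first answer's "(not 172.0.0.0/8!!!)" shows how easy it is to pick a prefix that is only partly private. The check below is an added example, not the answer author's code: given a candidate IPv4 prefix, it reports whether the prefix is entirely RFC 1918, entirely inside another special-purpose block, straddles reserved and global space, or is globally routable (and would therefore shadow the real holder, as with 100.200.0.0/16 above). The special-purpose list is my own summary of the IANA IPv4 special-purpose registry (RFC 6890 and its successors), and the function and verdict names are assumptions made for this example.

```python
"""Added example: classify a candidate IPv4 prefix before using it internally."""
from ipaddress import ip_network

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other reserved IPv4 blocks, summarised from the IANA special-purpose registry
# (RFC 6890 family) for this example; not taken from the page.
SPECIAL_PURPOSE = {
    "0.0.0.0/8": "this network",
    "100.64.0.0/10": "shared address space for carrier-grade NAT (RFC 6598)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local (APIPA)",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "documentation (TEST-NET-1)",
    "192.88.99.0/24": "deprecated 6to4 relay anycast",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "documentation (TEST-NET-2)",
    "203.0.113.0/24": "documentation (TEST-NET-3)",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
    "255.255.255.255/32": "limited broadcast",
}


def classify(prefix):
    """Return (verdict, detail) for a prefix someone wants to use internally.

    verdict is one of:
      'rfc1918' - entirely inside an RFC 1918 block: safe to use internally
      'special' - entirely inside another reserved block: not routed on the
                  Internet, but reserved for some other purpose
      'overlap' - straddles a reserved block and globally routable space
                  (172.0.0.0/8 is the classic mistake: far bigger than 172.16.0.0/12)
      'global'  - globally routable: the real hosts in it become unreachable
    """
    net = ip_network(prefix, strict=False)
    for block in RFC1918:
        if net.subnet_of(block):
            return "rfc1918", f"inside {block}"
    for block, purpose in SPECIAL_PURPOSE.items():
        if net.subnet_of(ip_network(block)):
            return "special", f"inside {block}: {purpose}"
    reserved = RFC1918 + [ip_network(b) for b in SPECIAL_PURPOSE]
    hits = [str(b) for b in reserved if net.overlaps(b)]
    if hits:
        return "overlap", f"partly covers {', '.join(hits)} and partly global space"
    return "global", f"{net} is globally routable; its real hosts would be shadowed"


if __name__ == "__main__":
    for p in ("192.168.50.0/24", "172.0.0.0/8", "100.200.0.0/16", "100.64.0.0/10", "8.0.0.0/8"):
        verdict, detail = classify(p)
        print(f"{p:<16} {verdict:<8} {detail}")
```

Note that 100.64.0.0/10 comes back as `special` rather than `rfc1918`: it is kept off the public Internet, but it is reserved for ISP carrier-grade NAT and can collide with your upstream's own use of it.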
4

First, you should use RFC 1918 addresses in your internal network because none of those addresses will be associated with a service on the Internet. Whatever external address the service on example.com has, it cannot be an RFC 1918 address because those are not routed on the Internet. So, those addresses are "safe to use" within your own network.

Second, I personally know a very large organization that uses the complete IPv4 unicast address space internally. Yes, all of it. But how could you do that when you still want to reach Gmail or Twitter? Well, in many company networks, external Internet access is limited anyway: You can use e-mail with the internal mail server and have Web access over a proxy server. Those proxies and servers of course need contact to the Internet with "official" (i.e. routable) IP addresses to work, but this is not a big problem to achieve with an appropriate infrastructure (DMZs and some firewalls). But forget any services that need NAT traversal or direct connections.

So, is it feasible? Yes, if you can restrict your Internet usage to some services that can be proxied by internal servers. Is it advisable? Certainly not.

(And after all, with IPv6 nobody should have the need to use otherwise allocated IP space for their own networks. There is enough for everyone, if we are not too lavish.)

Dubu
-2

Private IP Address

You can use any private IP address range within your private network. A private network can use both IPv4 and IPv6 addresses. Private IP ranges are NOT allocated to any particular organization.

  • Private IP Ranges specified by RFC 1918
    • Class A: 10.x.x.x - 10.255.255.255 (CIDR - 10.0.0.0/8), 255.0.0.0, 24 bit block
    • Class B: 172.16.x.x - 172.31.255.255 (CIDR - 172.16.0.0/12), 255.240.0.0, 20 bit block
    • Class C: 192.168.x.x - 192.168.255.255 (CIDR - 192.168.0.0/16), 255.255.0.0, 16 bit block
  • Available hosts per IP class
    • Class A: 16,777,216
    • Class B: 1,048,576
    • Class C: 65,536
  • Not routable on the Internet
  • Does not require issuance by IANA (Internet Assigned Number Authority)
  • Used within a 'private' local network space
  • Communicates to other private LANs and hosts

Public IP Addresses

  • Public IP Ranges Specified by RFC
    • Class A: 0.0.0.0 - 127.255.255.255
    • Class B: 128.0.0.0 - 191.255.255.255
    • Class C: 192.0.0.0 - 223.255.255.255
  • Used on the Internet
  • Temporarily issued to customers by ISPs
  • Permanently issued to customers by IANA
  • Network addresses cannot be changed without co-ordination with a public network provider (ISP)

Routing Private to Public

Accessing a public network from a private network requires the use of NAT (Network Address Translation), which modifies the private IP packet headers when they transit from a private to a public network across a routing device that performs the NAT translation to the public network. A routing device can be a firewall, router or Layer 3 switch.

There's the basics. Hope this is helpful.

Citizen
  • BTW, classes haven't been used for decades. – Ricky Jan 23 '20 at 01:41
  • You should go tell these old IBM knowledge base writers too. You have a lot of work ahead of you making the world a more better at conforming to your desired nomenclature place. https://www.ibm.com/support/knowledgecenter/SSSHRK_4.2.0/disco/concept/dsc_private_addr_ranges.html – Citizen Jan 23 '20 at 02:35
  • @Citizen, just like IPv6, it has to start somewhere and if enough people start pushing the idea, eventually the rest of the world will catch up to reality. Personally, whenever I interview potential network candidates, any mention of classes like they still exist is of concern and will at least count against them when comparing candidates if not eliminating them from consideration entirely. – YLearn Jan 23 '20 at 04:30
  • When people say class a, b, c, they *mean* /8, /16, and /24 -- while technically incorrect, it's on par with a typo. What you've parroted under *Public IP Addresses* is classful networking. That went away LONG ago, and is *absolutely* wrong to continue preaching. – Ricky Jan 23 '20 at 05:20
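The "Routing Private to Public" part of the answer above says NAT rewrites the private packet headers at the border device; what that rewriting looks like, and why unsolicited inbound packets get dropped, is easier to see in code. The Python below is an added example, not the answer author's or any vendor's implementation: a minimal source NAT with port translation (NAPT) keeping a session table keyed on the private source address and port. The public address 203.0.113.7 (a documentation address), the private hosts, the destination resolvers and the port numbers are all constructed for the illustration, and packets are reduced to the four header fields the translation touches.

```python
"""Added example: source NAT with port translation (NAPT) at the private/public border."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the four header fields NAPT rewrites or consults (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Translate many private (ip, port) pairs onto one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private ip, private port) -> public port
        self.back = {}  # public port -> (private ip, private port)

    def outbound(self, pkt):
        """Private -> public: rewrite the source, remembering the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            # Two private hosts may use the same source port, so the public
            # port, not the private one, is what identifies the session.
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Public -> private: rewrite the destination back, or drop.

        Returns None when no session exists, which is why hosts behind NAT
        are not reachable from outside unless a mapping was created first.
        """
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.back:
            return None
        ip, port = self.back[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)


if __name__ == "__main__":
    nat = Napt("203.0.113.7")
    query = Packet("192.168.1.10", 51000, "8.8.8.8", 53)
    out = nat.outbound(query)
    print("outbound :", query, "->", out)
    reply = Packet("8.8.8.8", 53, out.src_ip, out.src_port)
    print("reply    :", reply, "->", nat.inbound(reply))
    stray = Packet("198.51.100.5", 4444, "203.0.113.7", 40001)
    print("unsolicited:", stray, "->", nat.inbound(stray))
```

The same model also shows the second point made elsewhere on this page: NAT only ever rewrites packets that the routing table has already decided to send to the border device, so it cannot rescue a destination that an overlapping internal prefix has swallowed before the packet reaches it.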