Private network

In the Internet addressing architecture, a private network is a network that uses private IP address space, following the standards set by RFC 1918 for Internet Protocol Version 4 (IPv4), and RFC 4193 for Internet Protocol Version 6 (IPv6). These addresses are commonly used for home, office, and enterprise local area networks (LANs). Private IP address spaces were originally defined in an effort to delay IPv4 address exhaustion, but they are also a feature of IPv6 where exhaustion is not an issue.

Addresses in the private space are not allocated to any specific organization and anyone may use these addresses without approval from a regional Internet registry. However, IP packets addressed from them cannot be transmitted through the public Internet, and so if such a private network needs to connect to the Internet, it must do so via a network address translator (NAT) gateway, or a proxy server.

Private IPv4 address spaces

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks, as published in RFC 1918:^[1]

RFC1918 name	IP address range	number of addresses	largest CIDR block (subnet mask)	host id size	mask bits	classful description^{[Note 1]}
24-bit block	10.0.0.0 – 10.255.255.255	16,777,216	10.0.0.0/8 (255.0.0.0)	24 bits	8 bits	single class A network
20-bit block	172.16.0.0 – 172.31.255.255	1,048,576	172.16.0.0/12 (255.240.0.0)	20 bits	12 bits	16 contiguous class B networks
16-bit block	192.168.0.0 – 192.168.255.255	65,536	192.168.0.0/16 (255.255.0.0)	16 bits	16 bits	256 contiguous class C networks

Users can randomly assign networks and subnets from the above ranges, however as the space is relatively small this can create conflicts when merging (see below).

Dedicated space for carrier grade NAT deployments

In April 2012, IANA allocated 100.64.0.0/10 for use in carrier-grade NAT scenarios in RFC 6598.^[3] This address block should not be used either on private networks or on the public Internet: it is intended only for use within the internal operations of carrier networks. The size of the address block (2²², approximately 4 million, addresses) was selected to be large enough to uniquely number all customer access devices for all of a single operator's points of presence in a large metropolitan area such as Tokyo.^[3]

Private IPv6 addresses

The concept of private networks and special address reservation for such networks has also been provided in the next generation of the Internet Protocol, IPv6.

The address block fc00::/7 has been reserved by IANA as described in RFC 4193. These addresses are called Unique Local Addresses (ULA). They are defined as unicast addresses, and contain a 40-bit random number in the routing prefix to prevent collisions when two private networks are interconnected. Despite being inherently local in usage, the IPv6 address scope of unique local addresses is global.

The first block defined is fd00::/8, designed for /48 routing blocks, in which users can create multiple subnets as needed.

RFC 4193 Block	Prefix/L	Global ID (random)	Subnet ID	Number of addresses in subnet
	48 bits		16 bits	64 bits
`fd00::/8`	`fd`	`xx:xxxx:xxxx`	`yyyy`	18,446,744,073,709,551,616

Examples:

Prefix/L	Global ID (random)	Subnet ID	Interface ID	Address	Subnet
`fd`	`xx:xxxx:xxxx`	`yyyy`	`zzzz:zzzz:zzzz:zzzz`	`fdxx:xxxx:xxxx:yyyy:zzzz:zzzz:zzzz:zzzz`	`fdxx:xxxx:xxxx:yyyy::/64`
`fd`	`12:3456:789a`	`0001`	`0000:0000:0000:0001`	`fd12:3456:789a:1::1`	`fd12:3456:789a:1::/64`

A former standard proposed the use of site-local addresses in the fec0::/10 block, but because of scalability concerns and poor definition of what constitutes a site, its use has been deprecated since September 2004 by RFC 3879.

Link-local addresses

Another type of private networking uses the link-local address range. The validity of link-local addresses is limited to a single link; e.g. to all computers connected to a switch, or to one wireless network. Hosts on different sides of a bridge are also on the same link, whereas hosts on different sides of a router are on different links.

IPv4

In IPv4, link-local addresses are codified in RFC 6890 and RFC 3927. Their utility is in zero configuration networking when Dynamic Host Configuration Protocol (DHCP) services are not available and manual configuration by a network administrator is not desirable. The block 169.254.0.0/16 is reserved for this purpose, with the exception of the first and the last /24 subnets in the range. If a host on an IEEE 802 (Ethernet) network cannot obtain a network address via DHCP, an address from 169.254.1.0 to 169.254.254.255 may be assigned pseudorandomly. The standard prescribes that address collisions must be handled gracefully.

IPv6

In IPv6, link-local addresses are codified in RFC 4862. Their use is mandatory, and an integral part of the IPv6 standard. The architecture defined in RFC 4291 sets aside the block fe80::/10 for IP address autoconfiguration.

==

Misrouting

It is common for packets originating in private address spaces to be misrouted onto the Internet. Private networks often do not properly configure DNS services for addresses used internally and attempt reverse DNS lookups for these addresses, causing extra traffic to the Internet root nameservers. The AS112 project attempted to mitigate this load by providing special blackhole anycast nameservers for private address ranges which only return negative result codes (not found) for these queries.

Organizational edge routers are usually configured to drop ingress IP traffic for these networks, which can occur either by misconfiguration, or from malicious traffic using a spoofed source address. Less commonly, ISP edge routers drop such egress traffic from customers, which reduces the impact to the Internet of such misconfigured or malicious hosts on the customer's network.

Merging private networks

Since the private IPv4 address space is relatively small, many private IPv4 networks unavoidably use the same address ranges and hence the same addresses. This can create a problem when merging such networks, as multiple devices are likely to have the same address. In this case, networks or hosts must be renumbered, often a time-consuming task, or a network address translator must be placed between the networks to translate or masquerade the duplicate addresses.

For IPv6, RFC 4193 defines Unique Local Addresses, providing an extremely large private address space from which each organisation can randomly or pseudo-randomly allocate its own 40-bit prefix, each of which allows 65536 organisational subnets. With space for about one trillion (10¹²) prefixes, it is extremely unlikely that two network prefixes in use by different organisations are the same, provided each of them was allocated randomly, as specified in the standard. When two such private IPv6 networks are connected or merged, the risk of an address conflict is therefore virtually absent.

Private use of other reserved addresses

Despite official warnings, historically some organizations have used other parts of the reserved IP address space for their internal networks.^{[citation needed]}

RFC documents

RFC 1918 – "Address Allocation for Private Internets"
RFC 2036 – "Observations on the use of Components of the Class A Address Space within the Internet"
RFC 2050 – "Internet Registry IP Allocation Guidelines"
RFC 2101 – "IPv4 Address Behaviour Today"
RFC 2663 – "IP Network Address Translator (NAT) Terminology and Considerations"
RFC 3022 – "Traditional IP Network Address Translator (Traditional NAT)"
RFC 3330 – "Special-Use IPv4 Addresses" (superseded)
RFC 3879 – "Deprecating Site Local Addresses"
RFC 3927 – "Dynamic Configuration of IPv4 Link-Local Addresses"
RFC 4193 – "Unique Local IPv6 Unicast Addresses"
RFC 5735 – "Special-Use IPv4 Addresses" (superseded)
RFC 6598 – "Reserved IPv4 Prefix for Shared Address Space"
RFC 6890 – "Special-Purpose IP Address Registries"

Notes

^ Classful addressing is obsolete and has not been used in the Internet since the implementation of Classless Inter-Domain Routing (CIDR), starting in 1993. For example, while 10.0.0.0/8 was a single class A network, it is common for organizations to divide it into smaller /16 or /24 networks. Contrary to a common misconception, a /16 subnet of a class A network is not referred to as a class B network. Likewise, a /24 subnet of a class A or B network is not referred to as a class C network. The class is determined by the first three bits of the prefix.^[2]

References

^ "RFC 1918: Address Allocation for Private Internets". IETF. February 1996. p. 4.
^ Forouzan, Behrouz (2013). Data Communications and Networking. New York: McGraw Hill. pp. 530–31. ISBN 978-0-07-337622-6.
^ ^a ^b "RFC 6598: Reserved IPv4 Prefix for Shared Address Space". IETF. April 2011. p. 8.

[3] Classful addressing is obsolete and has not been used in the Internet since the implementation of Classless Inter-Domain Routing (CIDR), starting in 1993. For example, while 10.0.0.0/8 was a single class A network, it is common for organizations to divide it into smaller /16 or /24 networks. Contrary to a common misconception, a /16 subnet of a class A network is not referred to as a class B network. Likewise, a /24 subnet of a class A or B network is not referred to as a class C network. The class is determined by the first three bits of the prefix.^[2]

[1] "RFC 1918: Address Allocation for Private Internets". IETF. February 1996. p. 4.

[2] Forouzan, Behrouz (2013). Data Communications and Networking. New York: McGraw Hill. pp. 530–31. ISBN 978-0-07-337622-6.

[rfc6598-4] "RFC 6598: Reserved IPv4 Prefix for Shared Address Space". IETF. April 2011. p. 8.

[1]

[Note 1]

[3]

[2]