Karen
JP
- PGP Keys
- Vossen's Law
- Firefox
- MythTV
Photos
- Deck
- SCUBA
- Dolphins
Security
- Firewall Rules
- Flypaper
- GNATBox
- Home
- Home Net Security
- Principles
- Snort
- Snort Books
- Sec Tools
- GenPass
- Honeypot Stats
- Firewall Stats
Source
- Perl
Networking
- Time
- NAT
- IP Calcs
Linux
- apt
- Edutainment
- SME Server
- Backup (DI-30)
Windows
- Win Tools
- Voodoo
- Win. Shell Scripting
- POSIX Redirection
- Winlogcheck
What's New
Email me
Email Form
Background
An IP (Internet Protocol) Address is a 32-bit number broken up into "quads" of 1 byte each, separated by dots. 1 byte is 8 bits which in decimal is a number in the range 0 to 255. For example, 10.234.56.71 is an IP Address. There are only so many "real" IP addresses, and they are (and have been) perpetually very close to being used up and thus are very difficult to get.
One of the solutions to this problem is so-called "private" IP Addresses. These are ranges of IP Addresses set aside expressly for use by a company or other entity internally. Private IP Addresses cannot be used to connect directly to the Internet--that is they are non-routable. These are also often called RFC1918 addresses.
Use
You use a Private IP Address when you wish to use TCP/IP on your LAN, but do not wish to try and register enough legal or legitimate addresses for all your devices. Even if you do wish to get than many, you will not. Essentially all valid IP addresses are already owned, either by very large corporations (like AT&T) or by ISPs. When you contract for service from an ISP, you are allocated some number of legitimate IP Addresses out of that ISP’s pool of addresses.
Advantages
- Increased security (since private IP addresses are not routable across the Internet).
- You conserve the world-wide pool of IP Addresses.
- You do not have to register or pay for these IP Addresses in any way (internal independence from ISP IP addresses).
- When you connect to the Internet via a Firewall and NAT (Network Address Translation, AKA IP Masquerading) you will not block any address ranges from yourself.
- Little or no performance degradation (depending on your Firewall).
See also my SOHO Information Security and Typical Home Network Designs pages.
Disadvantages
- If you merge with a company that has chosen the same Private IP Address, one or both of you will have to re-number. This can be difficult and expensive.
- Some applications don't work with NAT.
- Anything using NBT (UDP 138), i.e. NT Networking cannot communicate behind a Firewall with NAT. See below for the reason.
- Some applications needing encryption and key exchange (specifically any application that embeds IPs in the datastream) may not work with NAT.
- It may require more work to plan and configure.
Private IP Address Ranges
This is the "classic" RFC1918.
| Class | From | To | CIDR Mask | Decimal Mask |
|---|---|---|---|---|
| Class "A" or 24 Bit | 10.0.0.0 | 10.255.255.255 | /8 | 255.0.0.0 |
| Class "B" or 20 Bit | 172.16.0.0 | 172.31.255.255 | /12 (or more typically /16) | 255.240.0.0 (or 255.255.0.0) |
| Class "C" or 16 Bit | 192.168.0.0 | 192.168.255.255 | /16 (or more typically /24) | 255.255.0.0 (or 255.255.255.0) |
Other useful Ranges
This table is a bit out of date and is downright WRONG in a few places (e.g., 24.0.0.0). Refer to IANA: Internet Protocol v4 Address Space, RFC3330 and the Bogon List for more up-to-date information.
The following was adapted (a long time ago) from this comment associated with RFC1918 and RFC3330. See also the Bogon List.
| Class/Type | From | To | CIDR Mask | Decimal Mask |
|---|---|---|---|---|
| Broadcast/This Net [RFC1700] | 0.0.0.0 255.255.255.255 |
N/A | N/A | N/A |
| Null | 0.0.0.1 | 0.255.255.255 | /8 | 255.0.0.0 |
| Public-Data Networks [RFC1700] | 14.0.0.0 | 14.255.255.255 | /8 | 255.0.0.0 |
| Cable Television Networks | 24.0.0.0 | 24.255.255.255 | /8 | 255.0.0.0 |
| Loopback [RFC1700] | 127.0.0.0 | 127.255.255 | /8 | 255.0.0.0 |
| Local-Link (for auto-DHCP) | 169.254.0.0 | 169.254.255.255 | /16 | 255.255.0.0 |
| Testnet addresses (for tests only) | 192.0.2.0 | 192.0.2.255 | /24 | 255.255.255.0 |
| 6to4 Relay Anycast [RFC3068] | 192.88.99.0 | 192.88.99.255 | /24 | 255.255.255.0 |
| Network Interconnect/Testing [RFC2544] | 198.18.0.0 | 198.19.255.255 | /15 (supernet) | 255.254.0.0 |
| Class "D" (IPv4 multicast) [RFC3171] | 224.0.0.0 | 239.255.255.255 | /4 (supernet) | 240.0.0.0 |
| Class "E" (don't use) | 240.0.0.0 | 247.255.255 | /4 (supernet) | 240.0.0.0 |
Network Address Translation (NAT) AKA IP Masquerading
NAT, AKA IP Masquerading, is the process by which a "private," "illegal," and non-routable IP Address is translated into a "legal," routable address. There are two kinds of NAT, often called static NAT and Hide NAT. Static NAT provides a one to one correlation between the illegal private address and the legal routable one. For example, the Web Server on 192.168.1.10 may be statically mapped to 39.136.195.47. Hide NAT is a many to one arrangement where the many illegal addresses behind some device appear to the Internet as one single address (often the legal address of the device itself). For example, the entire 172.25.1.0 network may hide behind the single valid IP address of the device at 38.111.56.96.
NAT Devices
There are three devices that typically perform NAT. They are routers, firewalls and proxy servers.
Hide Mode NAT
In hide mode, the external address of the NAT device "hides" most or all outgoing connections. To the Internet, it seems that all traffic originates from this single address, when it really comes from all different machines on the internal network. The traffic is differentiated at the NAT device by a table of port numbers. For example, the port used for Web Surfing is port 80 (http). If a client computer at 192.168.1.37 surfs to www.dell.com, the NAT device may assign that to port 20,134. When the response comes back, the firewall knows that anything directed to port 20,134 really goes to the client at 192.168.1.37. That way, more than one person can surf at the same time, using the same external IP address, but everything goes to the correct person.
Static Mode NAT
In static mode, there is a one to one correlation between internal (illegal, non-routable) and external (legal, routable) addresses. The must be the case if you wish top have an E-Mail server, Web server or any other service that is accessible from the Internet. DNS (Domain Name Service) published the IP Addresses of server (or services) that are accessible. These published addresses must be legal, and routable. The IP network of addresses available for this use is termed the "moat" network, below. A typical "moat" network looks like this:
| IP Address | Description |
|---|---|
| 209.146.2.40 | Network Name |
| 209.146.2.41 | Available IP Address (usually assigned to the internal router interface) |
| 209.146.2.42 | Available IP Address (usually assigned to the external firewall interface) |
| 209.146.2.43 | Available IP Address (may be Web server?) |
| 209.146.2.44 | Available IP Address (may be E-Mail server?) |
| 209.146.2.45 | Available IP Address |
| 209.146.2.46 | Available IP Address |
| 209.146.2.47 | Broadcast Address |
A very interesting thing happens with static NAT, however. Since the router is at IP address 209.146.2.41, when it sees a packet destined for 209.146.2.43, it "arps" for the Web server. Since the router knows that it is on network 209.146.2.40/29 and the Web server address is 209.146.2.43 they should be on the same network. But they really aren’t. So when the router "arps" (uses the Address Resolution Protocol to find the Web server), the Web server will not answer, since it is really on network 192.168.1.0/24. To solve this problem, devices that perform static NAT also perform "proxy arp".
Any device configured to do static NAT has a list of servers it will "answer for" when it hears an arp request. IT will essentially lie and say, "yes, I am that server, please send me the packet." When it get the packet, it forwards it to the real server.
A Typical Internet Connection Scenario
A very common small business-class (as opposed to home use) Internet connection looks like this following:
 |
| Figure 1: Common Firewalled Network Diagram--With Router |
 |
| Figure 2: Common Firewalled Network Diagram--With Bridge |
| Description | Network | IP Range |
|---|---|---|
| Company LAN | 192.168.1.0/24 | 192.168.1.1 to 192.168.1.254 |
| Service Network (DMZ) | 192.168.200.1/24 | 192.168.200.1 to 192.168.200.254 |
| Moat | 10.146.2.40/29 | 10.146.2.41 to 10.146.2.46 |
| Link Network | 10.146.37.28/30 | 10.146.37.29 to 10.146.37.30 |
| Network or Device | Default Gateway |
|---|---|
| Company LAN | 192.168.1.1 |
| Service Network (DMZ) | 192.200.1.1 |
| Firewall | 10.146.2.41 |
| ISP Router | 10.146.37.29 |
- The Company LAN uses the private (RFC1918) address of 192.168.1.0/24.
- There is a "Service Network" (AKA DMZ) for hosting Web Servers, FTP Servers, extranet (partner) connections, etc.
- The Firewall is performing both hide NAT and Static NAT.
- Hide NAT is that all outgoing connections from the 192.168.1.0 network are hidden behind the firewall’s address of 10.146.2.42.
- Static NAT is that the E-Mail server on the company LAN has a "routable," external IP address of 10.146.2.44, but an internal IP Address of 192.168.1.15.
- The "Moat" network is the network between the external interface of the firewall and the internal interface of the router.
- There is confusion about the term DMZ. Originally, the term DMZ was used to denote the "moat" network. Recently, however, the common usage has been that the DMZ is the "Service Network". I have used "Service Network" and "Moat Network" to avoid confusion. The term "Moat Network" is not in common usage, however.
| Service | Internal Address | External Address | NAT Mode |
|---|---|---|---|
| Hide NAT | 192.168.1.0/24 | 209.146.2.42 | Hide |
| E-Mail Server | 192.168.1.15 | 209.146.2.44 | Static |
| Web Server | 192.168.1.10 | 209.146.2.43 | Static |
Appendixes
Subnet Masks: Decimal and CIDR
| CIDR | Decimal Mask | Old | A Subnets | B Subnets | C Subnets | # Useable | # Hosts |
|---|---|---|---|---|---|---|---|
| 8 | 255.0.0.0 | A | 1 | 16,777,214 | 16,777,216 | ||
| 9 | 255.128.0.0 | A | 2 | 8,388,606 | 8,388,608 | ||
| 10 | 255.192.0.0 | A | 4 | 4,194,302 | 4,194,304 | ||
| 11 | 255.224.0.0 | A | 8 | 2,097,150 | 2,097,152 | ||
| 12 | 255.240.0.0 | A | 16 | 1,048,574 | 1,048,576 | ||
| 13 | 255.248.0.0 | A | 32 | 524,286 | 524,288 | ||
| 14 | 255.252.0.0 | A | 64 | 262,142 | 262,144 | ||
| 15 | 255.254.0.0 | A | 128 | 131,070 | 131,072 | ||
| 16 | 255.255.0.0 | B | 256 | 1 | 65,534 | 65,536 | |
| 17 | 255.255.128.0 | B | 512 | 2 | 32,766 | 32,768 | |
| 18 | 255.255.192.0 | B | 1,024 | 4 | 16,382 | 16,384 | |
| 19 | 255.255.224.0 | B | 2,048 | 8 | 8,190 | 8,192 | |
| 20 | 255.255.240.0 | B | 4,096 | 16 | 4,094 | 4,096 | |
| 21 | 255.255.248.0 | B | 8,192 | 32 | 2,046 | 2,048 | |
| 22 | 255.255.252.0 | B | 16,384 | 64 | 1,022 | 1,024 | |
| 23 | 255.255.254.0 | B | 32,768 | 128 | 510 | 512 | |
| 24 | 255.255.255.0 | C | 65,536 | 256 | 1 | 254 | 256 |
| 25 | 255.255.255.128 | C | 131,072 | 512 | 2 | 126 | 128 |
| 26 | 255.255.255.192 | C | 262,144 | 1,024 | 4 | 62 | 64 |
| 27 | 255.255.255.224 | C | 524,288 | 2,048 | 8 | 30 | 32 |
| 28 | 255.255.255.240 | C | 1,048,576 | 4,096 | 16 | 14 | 16 |
| 29 | 255.255.255.248 | C | 2,097,152 | 8,192 | 32 | 6 | 8 |
| 30 | 255.255.255.252 | C | 4,194,304 | 16,384 | 64 | 2 | 4 |
| 31 | 255.255.255.254 | C | N/A | N/A | N/A | N/A | N/A |
| 32 | 255.255.255.255 | C | BC | BC | BC | Broadcast | Broadcast |
Notes:
- The "# Useable" series can be derived by "previous # Useable x 2 + 2".
- The "# Useable" series can be derived by "# Hosts - 2".
- The "# Hosts" series can be derived by "previous # Hosts * 2".
- The "# Hosts" series can be derived by "# Useable + 2".
- The number of subnets is only correct under CIDR. Using the old classfull numbers it is "# CIDR Subnets - 2".
RFC1918: Address Allocation for Private Internets
URL: http://www.faqs.org/rfcs/rfc1918.html
Excerpt:
3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
We will refer to the first block as "24-bit block", the second as
"20-bit block", and to the third as "16-bit" block. Note that (in
pre-CIDR notation) the first block is nothing but a single class A
network number, while the second block is a set of 16 contiguous
class B network numbers, and third block is a set of 256 contiguous
class C network numbers.
An enterprise that decides to use IP addresses out of the address
space defined in this document can do so without any coordination
with IANA or an Internet registry. The address space can thus be used
by many enterprises. Addresses within this private address space will
only be unique within the enterprise, or the set of enterprises which
choose to cooperate over this space so they may communicate with each
other in their own private internet.
