Gecko-AK.org Networking/Security Reference Pages


Private IP Addressing

Every host (computer, router, etc.) on the Internet, or on any other TCP/IP network, has an address that identifies that host. These addresses are rather like telephone numbers--one computer cannot communicate with another unless it has or can obtain the remote computer's IP address.

Most IP addresses are assigned by an Internet Service Provider for publicly accessible hosts, since the IP address must be unique (just like you can't have the same phone number as your best friend down the street--otherwise, how would the telephone company know if the call was meant for you or for your friend?).

However, there are specified ranges of IP addresses that are set aside for use on internal company or home networks. These IP addresses are called Private IP addresses, and are not assigned to any publicly accessible hosts. If you have a router that provides a service called "network address translation (NAT)", you can assign these IP addresses to computers on a private network, such as a corporate or home local area network (LAN), and "NAT" out to the Internet (more on NAT later). These addresses are:

10.0.0.0--10.255.255.255
172.16.0.0--172.31.255.255
192.168.0.0--192.168.255.255


Microsoft also purchased a block of IP addresses to use as defaults when a TCP/IP host that is dynamically assigned IP addresses cannot automatically obtain an IP address. Technically, these are not truly private IP addresses, as they are owned by Microsoft, but are (for now, at least) guaranteed not to be used on any public host, so I have included them here. Microsoft called this feature "Automatic Private IP Addressing", or "APIPA", and the APIPA addresses are:

169.254.0.0--169.254.255.255

"But I want to create a local network, and still reach the Internet," you say. Not a problem. Most routers, including consumer-grade Linksys, D-Link and SMC routers, perform "Network Address Translation", where the router detects a connection from a specific host on your internal LAN, and maps it to the IP address assigned by your Internet Service Provider. This way, you can have multiple hosts on your internal network, using private IP addresses while only using one public IP address.

"But why can't I just make up a number for computers on my internal network?" you ask. If you select an IP address at random, chances are you will grab an address that already belongs to someone else. Suppose you decide you want to use the address 216.239.57.99 for a host on your internal network. That IP address really belongs to Google. By "hijacking" one of their IP addresses, you won't be able to connect to Google from your internal network. If you try to tell your web browser to go to www.google.com, your computer will look up the IP address for Google. Because www.google.com is 216.239.57.99 (at least, it is as I am writing this document), your computer will try to establish a connection to 216.239.57.99. However, that's the IP address you assigned to one of your local computers, so rather than going to Google, you'll connect to your local PC. Troubleshooting these kinds of problems can be a real pain, as you can connect to some hosts, but not to others.

Think it's just academic? It's not. An ISP I used to work for received a block of IP addresses from ARIN, installed a lot of network equipment using these addresses, then later decided they no longer needed this block of addresses. Unfortunately, we released these addresses back to ARIN before we had migrated all of our equipment to new addresses. All was fine for a few months until another ISP received this same block of addresses from ARIN and we started receiving complaints from our customers who couldn't e-mail friends and family on the other ISP's network because we still had routes in our network to the IP address used by the other ISP's mail server. Oops...

On the other hand, if you use Private IP addresses, you can be certain that you will not conflict with anyone else on the Internet. Even if you are creating a LAN that you don't intend to connect to the Internet, you should still consider using Private IP addresses. That way, if you later decide to connect your network with another network or to the Internet, you can keep all of your existing IP addresses, and NAT to the outside network through your router, without fear of colliding with other external IP addresses.
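
The ranges listed above can be turned into a check that audits a LAN address plan for made-up addresses like the 216.239.57.99 case. This is an added example, not part of the original page; the host names and the sample plan are constructed for illustration, and the labels "private", "apipa", "public" and "invalid" are this example's own.

```python
import ipaddress

# Ranges as listed on this page: (start, end, label).
PAGE_RANGES = [
    ("10.0.0.0", "10.255.255.255", "private"),
    ("172.16.0.0", "172.31.255.255", "private"),
    ("192.168.0.0", "192.168.255.255", "private"),
    ("169.254.0.0", "169.254.255.255", "apipa"),
]

# CIDR form of each range: summarize_address_range turns start--end into networks.
NETWORKS = [
    (net, label)
    for start, end, label in PAGE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
]


def classify(addr):
    """Return 'private', 'apipa', 'public' or 'invalid' for one address string."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ipaddress.AddressValueError:
        return "invalid"
    for net, label in NETWORKS:
        if ip in net:
            return label
    return "public"


def audit(plan):
    """Return (host, address, kind) for every host not on a private address."""
    findings = [(host, addr, classify(addr)) for host, addr in plan.items()]
    return [f for f in findings if f[2] != "private"]


# Constructed sample address plan for an internal LAN (hypothetical host names).
SAMPLE_PLAN = {
    "fileserver": "192.168.1.10",
    "printer": "172.32.0.5",         # just past the end of 172.16.0.0--172.31.255.255
    "workstation": "216.239.57.99",  # the made-up address from the text
    "laptop": "169.254.17.3",        # APIPA: no address was obtained dynamically
    "nas": "10.0.0.256",             # typo: not a valid IPv4 address
}

if __name__ == "__main__":
    for host, addr, kind in audit(SAMPLE_PLAN):
        print(f"{host}: {addr} -> {kind}")
```

Any host reported as "public" holds an address that may belong to someone else on the Internet; a host reported as "apipa" failed to obtain its address dynamically.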