The Value of
Private Address Space

IP addresses identify the network interfaces connected to a network. But which network?

by Leo Vegoda


In the beginning, all data networks were local, so all network addresses were local. Before Vint Cerf led DARPA’s Internetting Project, a globe spanning network of data networks was impossible.

The early internet was small. Most of the users were its builders, or worked alongside them. It was also culturally cohesive. Security was less important than developing the technology.

That changed in 1989. The US National Science Foundation allowed commercial traffic on its internet backbone. This signaled a change in the nature of the internet. It was no longer small and the diversity of its users was growing fast. So fast that engineers started to worry the IPv4 address space was too small.

They began developing strategies for IPv4 runout in March 1992. They discussed the possibility of some addresses only being unique within a local network. By 1994, three blocks of addresses had been reserved for use on private networks. They deliver just over 17 million IPv4 addresses: enough for all but the largest of networks.

But internet engineers did not standardize the technology for connecting private networks and the internet. Many considered the concept heretical. They wanted “every system to be globally accessible” and knew this required “a globally unique addressing system.”

John Mayes, a consulting engineer, regularly renumbered networks for clients. Often, they had used unallocated IP addresses for a private network. When they connected to the internet they experienced address clashes. Data didn’t flow reliably.

In 1995 he and Brantley Coile developed the first commercial Network Address Translator (NAT). It solved their clients’ technical problems. It also provided a stateful firewall, which many networks of the time were missing. This was the PIX, or Private Internet Exchange, named to riff on PBX running telephone networks inside a business.

We now have two types of unique addresses and two types of non-unique addresses.

Registered Unique Addresses

When you get your IPv4 or IPv6 addresses from a registry, you are paying for three things:

  • You have a guarantee that your addresses are globally unique.
  • You can publish information about yourself and how you use the addresses in their registry.
  • And you can use DNS and other services connected with your addresses.

This means you can publish GeoIP information about your network and share the names used on your network. Reverse DNS is helpful for network troubleshooting and testing.

Private Addresses

IPv4 – Locally Unique

There is no technical difference between private and shared addresses. The distinction is down to the intended use case. Private addresses are intended for use on end user networks. That means anything from a domestic WiFi connection to a large bank’s internal server infrastructure.

Internal network communication can use the private addresses. Communication from the internal network to the internet must be supported by a NAT. The NAT maps the internal address to an external address for the duration of a session, which could be under a second and could last for days.

But the number of sessions is limited by the NAT’s hardware capacity and the size of the pool of unique addresses it has available. Networks that generate many simultaneous flows, or many long lived flows, will need a bigger pool of unique addresses.

Shared addresses are intended for use on service provider networks. Engineers agreed to reserve an extra 4 million IPv4 addresses for shared use because many service provider networks had already used all the private addresses.

IPv6 – Probabilistically Unique Local Addresses

IPv6 is so big that its private addresses can be unique. Internet engineers have reserved a /8, which is 0.4% of the IPv6 address space. That doesn’t sound very much but provides over a trillion blocks and they could be used if that was necessary. This is because they are used one-by-one and not organized as hierarchies.

The risk of an address clash between any two networks is about one in a trillion. It increases with the number of networks. The risk of a clash between any thousand networks is about one in 40 billion.

But avoiding address clashes depends on users generating a properly random prefix. There are online tools and freely available code to help anyone manually generating a prefix. But popular services, including Apple’s consumer products and Google’s cloud services automatically generate random prefixes, reducing the chance for human error.

A second /8 was also reserved but should not be used now. It was originally intended as a place where people could register a prefix for a small one-time payment. This approach was abandoned because of the huge challenge of ensuring an organization running the service could survive for at least a century.