About Private Address Space
by Leo Vegoda
IP addresses identify the network interfaces connected to a network. But which network?
In the beginning, all data networks were local, so all network addresses were local. Before Vint Cerf led DARPA’s Internetting Project, a globe-spanning network of data networks was impossible.
For a network to be global, each device on it needed a unique address (or identifier) so that data could flow to and from one device and one device only. After some false starts, Internet Protocol version 4 (IPv4) was created. Then a system of global registries was developed to keep track of each IP address. This system provides the following:
- It guarantees that each address is globally unique;
- You can publish additional information about your use of the address in the registry;
- And you can use DNS and other services connected with your addresses to expand their utility.
The early internet was small. Most of the users were its builders, or worked alongside them. It was also culturally cohesive. Security was less important than developing the technology.
That changed in 1989. The US National Science Foundation allowed commercial traffic on its internet backbone. This signaled a change in the nature of the internet. It was no longer small and the diversity of its users was growing fast. So fast that engineers started to worry the IPv4 address space (about 4 billion addresses) was not going to be adequate.
They began developing strategies for IPv4 exhaustion in March 1992. They discussed the possibility of some addresses only being unique within a local (closed) network, so that the same address could be reused in many separate local networks. By 1994, three blocks of addresses had been reserved for use on private networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, first documented in RFC 1597 and now maintained in RFC 1918. Together they provide just over 17 million IPv4 addresses (17,891,328 in total): enough for all but the largest of networks.
But internet engineers did not, at first, standardize the technology for connecting private networks to the internet. Many considered the concept heretical. They wanted “every system to be globally accessible” and knew this required “a globally unique addressing system.” Clearly, the ideal of universal access and the local re-use of IP addresses were in conflict.
Before address space was formally set aside for private use, the practical impact of this conflict was simple: network operators would, from time to time, build a private network using IP addresses that had not been allocated to them. If and when that network was connected to the internet, two different parties were using the same address. Packets bound for that address would then flow in irregular, unreliable ways to both locations.
John Mayes, a consulting engineer, worked with networks for clients. Often, the networks he was involved with had used unallocated IP addresses for a private network. When they were then connected to the internet they experienced address clashes.
In 1995 he and Brantley Coile developed the first commercial Network Address Translator (NAT). It solved their clients’ technical problems. A NAT is an intermediary between the local, private network and the internet. It provides a layer where private identifiers are replaced with temporary, public ones. On outgoing packets it rewrites the private source address to the NAT’s own public, unique address (most NATs also rewrite the source port, so that many inside devices can share one public address). On incoming packets it looks the public destination address and port up in its table, restores the private destination address and forwards the packet to the local, “private” device. The NAT maps an internal address to an external one for the duration of a session, which could be under a second or could last for days.
But the number of concurrent sessions is limited by the NAT’s hardware capacity (the size of its mapping table) and by the pool of public addresses and ports it has available. Networks that generate many simultaneous flows, or many long-lived flows, need a bigger pool of unique addresses.
A NAT provides an internet access gateway for the otherwise local devices that need it. As a result, some private IP addresses are completely isolated and others (those associated with a NAT) are protected against data conflicts.
Importantly, a NAT has a default deny rule for incoming traffic that is not part of a session established by a device on the inside network: a packet that matches no table entry has no inside destination and is dropped. This very basic level of protection was missing from many networks at the time and was their first stepping stone towards a proper firewall. It is worth being clear about what it is not: the drop is a side-effect of there being no translation state, not an access-control policy, so it says nothing about what inside devices may reach and it disappears for any port that is forwarded or statically mapped. Mayes and Coile’s product was the PIX, or Private Internet Exchange, named to riff on the PBX that runs a business’s internal telephone network.
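To make the session-table mechanics concrete, here is a small port-based NAT simulator, added as an illustration; it is not code from this article, nor from the PIX. It assumes the three RFC 1918 blocks as the definition of “private”, a single public address with a configurable port pool, and an idle timeout. The packets in the usage are constructed samples drawn from documentation address ranges, and the two-port pool is deliberately tiny so that exhaustion is visible. Running it shows the outbound mapping being created, the reply being rewritten back to the inside host, an unsolicited packet being dropped for want of a table entry, the pool running dry, and expiry returning ports to the pool.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Optional

# The three IPv4 blocks reserved for private use (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three private IPv4 blocks."""
    a = ipaddress.ip_address(addr)
    return a.version == 4 and any(a in n for n in RFC1918)


def rfc1918_size() -> int:
    """Total number of private IPv4 addresses across the three blocks (17,891,328)."""
    return sum(n.num_addresses for n in RFC1918)


@dataclass(frozen=True)
class Packet:
    """Just the header fields a port-based NAT cares about."""
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Toy port-based NAT: many private hosts share one public address (illustration only)."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535,
                 idle_timeout: float = 300.0):
        self.public_ip = public_ip
        self.free_ports = deque(range(first_port, last_port + 1))  # the pool of unique identifiers
        self.idle_timeout = idle_timeout
        self.out_map: dict = {}    # (src, sport, dst, dport) -> public port
        self.in_map: dict = {}     # (public port, remote ip, remote port) -> (src, sport)
        self.last_seen: dict = {}  # public port -> time of last packet in either direction

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Rewrite a packet leaving the private network; None means the pool is exhausted."""
        if not is_rfc1918(pkt.src):
            return pkt  # already globally routable, nothing to translate
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            if not self.free_ports:
                return None  # too many simultaneous sessions for this pool
            port = self.free_ports.popleft()
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.last_seen[port] = now
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Rewrite a packet arriving from the internet; None means it was dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no session was opened from inside: default deny
        self.last_seen[pkt.dport] = now
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)

    def expire(self, now: float) -> int:
        """Tear down sessions idle longer than the timeout; returns how many were removed."""
        stale = [p for p, t in self.last_seen.items() if now - t > self.idle_timeout]
        for port in stale:
            del self.last_seen[port]
            for key, mapped in list(self.out_map.items()):
                if mapped == port:
                    del self.out_map[key]
                    del self.in_map[(port, key[2], key[3])]
            self.free_ports.append(port)  # the identifier goes back into the pool
        return len(stale)

    def active_sessions(self) -> int:
        return len(self.out_map)


if __name__ == "__main__":
    # Constructed sample traffic using documentation address ranges; a two-port pool makes exhaustion visible.
    nat = Napt("203.0.113.1", first_port=40000, last_port=40001)
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443), now=0)
    print("outbound rewritten to", out)  # source becomes 203.0.113.1:40000
    print("reply restored to", nat.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 40000), now=1))
    print("unsolicited packet ->", nat.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 40001), now=1))
    nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443), now=2)
    print("third session ->", nat.outbound(Packet("10.0.0.6", 51000, "198.51.100.7", 443), now=2))
    print("expired", nat.expire(now=500), "idle sessions; private IPv4 addresses:", rfc1918_size())
```

A real NAT keys its table on the transport protocol as well, tracks TCP state to time out closed connections sooner than idle UDP flows, and rewrites checksums; none of that changes the picture above, which is that every inbound packet must match state created from inside or it has nowhere to go.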
We now have two types of unique (public) addresses, IPv4 and IPv6, and two types of non-unique (private) addresses. To recap: there is no technical difference between a private and a public address; the bits look the same on the wire. The distinction is down to the intended use case. Private addresses are intended for use on end-user networks, anything from a domestic WiFi connection to a large bank’s internal server infrastructure, and are not routed across the public internet.
Public addresses are those that devices use to connect directly to the internet.
Public IPv4 addresses are published in their appropriate registry and are unique on the internet. They identify one device only. There are somewhat more than 4 billion of them.
Public IPv6 addresses are like IPv4 in regard to their unique status on the network. There are 340 trillion trillion trillion IPv6 addresses.
As noted above, about 17 million IPv4 addresses are set aside for repeat (private, non-unique) use. That is, they can be deployed on any number of private networks, which may or may not communicate with the internet via a NAT.
In IPv6 the private space is the Unique Local Address block, fc00::/7. That /7 contains two /8s, but only one of them, fd00::/8, is designated as “active”; fc00::/8 is reserved for a possible future allocation scheme. Private prefixes are assigned in /48 blocks: 8 bits of fixed prefix, 40 randomly generated bits (the Global ID) and 16 bits of space for LANs, meaning 65,536 /64 networks, because all IPv6 LANs are /64. That gives 2 to the power 40, or 1,099,511,627,776, /48s in the /8 used for private addresses, which is just over a trillion. The key concepts to communicate here are:
- Every private IPv6 network generates its own random prefix, so private networks get unique addresses too;
- As long as everyone uses a suitable prefix generator, there is almost no chance of an address clash.
The chance that any two networks using this private IPv6 space picked the same prefix is about one in a trillion, and that holds even if the private networks are given internet access or are later joined together. The chance rises with the number of networks, because every pair of networks is a separate opportunity to collide: among a thousand networks there are roughly 500,000 pairs, so the probability that some two of them clash is about one in two million. That is still small enough to plan around. Popular products, including Apple’s consumer devices and Google’s cloud services, automatically generate random prefixes, reducing the chance of error.
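The prefix generation and the clash arithmetic above, as an added worked example that is not part of the original article: it implements the Global ID derivation that RFC 4193 specifies (SHA-1 over a 64-bit NTP timestamp and an EUI-64, keeping the least significant 40 bits), a simpler CSPRNG variant for hosts without a stable EUI-64, the count of /64 LANs inside a /48, and the exact birthday-collision probability for any number of networks. The EUI-64 and timestamp in the usage are constructed sample values, not real device data.

```python
import hashlib
import ipaddress
import math
import secrets
import struct

ULA_BLOCK = ipaddress.ip_network("fd00::/8")  # the "active" half of fc00::/7 (RFC 4193)
GLOBAL_ID_BITS = 40                            # random bits that follow the fd00::/8 prefix
SUBNET_BITS = 16                               # bits left for LANs inside the /48


def ula_prefix_from_global_id(global_id: int) -> ipaddress.IPv6Network:
    """Place a 40-bit Global ID after the fd00::/8 prefix to form a /48."""
    if not 0 <= global_id < 2 ** GLOBAL_ID_BITS:
        raise ValueError("Global ID must fit in 40 bits")
    # 128-bit layout: 8 bits prefix | 40 bits Global ID | 16 bits subnet | 64 bits interface ID
    prefix_int = (0xFD << 120) | (global_id << (128 - 8 - GLOBAL_ID_BITS))
    return ipaddress.IPv6Network((prefix_int, 8 + GLOBAL_ID_BITS))


def ula_prefix_rfc4193(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep the low 40 bits."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 is 8 bytes")
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    return ula_prefix_from_global_id(int.from_bytes(digest[-5:], "big"))


def ula_prefix_random() -> ipaddress.IPv6Network:
    """Simpler generator for hosts without a stable EUI-64: a CSPRNG is at least as good."""
    return ula_prefix_from_global_id(secrets.randbits(GLOBAL_ID_BITS))


def lan_count(prefix: ipaddress.IPv6Network) -> int:
    """Number of /64 LANs that fit inside the given prefix (65,536 for a /48)."""
    return 2 ** (64 - prefix.prefixlen)


def clash_probability(networks: int, bits: int = GLOBAL_ID_BITS) -> float:
    """Exact birthday probability that at least two of `networks` random Global IDs coincide."""
    space = 2 ** bits
    # P(no clash) = product of (1 - i/space); log1p/expm1 keep precision when the answer is tiny.
    log_no_clash = sum(math.log1p(-i / space) for i in range(networks))
    return -math.expm1(log_no_clash)


def one_in(p: float) -> int:
    """Express a small probability as 'one in N'."""
    return round(1 / p)


if __name__ == "__main__":
    # Constructed inputs: a made-up EUI-64 and NTP timestamp 0; real code uses the host's own values.
    net = ula_prefix_rfc4193(bytes.fromhex("021122fffe334455"), 0)
    print("derived ULA prefix:", net, "inside fd00::/8:", net.subnet_of(ULA_BLOCK))
    print("random ULA prefix:", ula_prefix_random(), "LANs per /48:", lan_count(net))
    print("/48s available in fd00::/8:", 2 ** GLOBAL_ID_BITS)
    for n in (2, 10, 1000, 10000):
        print(f"{n:>6} networks: clash probability about one in {one_in(clash_probability(n)):,}")
```

The number that matters operationally is the last loop: two networks sit at about one in a trillion, but a thousand networks that might one day be merged sit at about one in two million, and ten thousand at about one in twenty thousand. The generator only delivers those odds if its 40 bits are actually random, which is why hand-picked “pretty” prefixes such as fd00:1::/48 are the usual source of ULA clashes.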