|NAT & Private IP Address Ranges|
- PGP Keys
- Vossen's Law
- Firewall Rules
- Home Net Security
- Snort Books
- Sec Tools
- Honeypot Stats
- Firewall Stats
- IP Calcs
- SME Server
- Backup (DI-30)
- Win Tools
- Win. Shell Scripting
- POSIX Redirection
An IP (Internet Protocol) Address is a 32-bit number broken up into "quads" of 1 byte each, separated by dots. 1 byte is 8 bits which in decimal is a number in the range 0 to 255. For example, 10.234.56.71 is an IP Address. There are only so many "real" IP addresses, and they are (and have been) perpetually very close to being used up and thus are very difficult to get.
One of the solutions to this problem is so-called "private" IP Addresses. These are ranges of IP Addresses set aside expressly for use by a company or other entity internally. Private IP Addresses cannot be used to connect directly to the Internet--that is they are non-routable. These are also often called RFC1918 addresses.
You use a Private IP Address when you wish to use TCP/IP on your LAN, but do not wish to try and register enough legal or legitimate addresses for all your devices. Even if you do wish to get than many, you will not. Essentially all valid IP addresses are already owned, either by very large corporations (like AT&T) or by ISPs. When you contract for service from an ISP, you are allocated some number of legitimate IP Addresses out of that ISP’s pool of addresses.
Private IP Address Ranges
This is the "classic" RFC1918.
Other useful Ranges
Network Address Translation (NAT) AKA IP Masquerading
NAT, AKA IP Masquerading, is the process by which a "private," "illegal," and non-routable IP Address is translated into a "legal," routable address. There are two kinds of NAT, often called static NAT and Hide NAT. Static NAT provides a one to one correlation between the illegal private address and the legal routable one. For example, the Web Server on 192.168.1.10 may be statically mapped to 220.127.116.11. Hide NAT is a many to one arrangement where the many illegal addresses behind some device appear to the Internet as one single address (often the legal address of the device itself). For example, the entire 172.25.1.0 network may hide behind the single valid IP address of the device at 18.104.22.168.
There are three devices that typically perform NAT. They are routers, firewalls and proxy servers.
Hide Mode NAT
In hide mode, the external address of the NAT device "hides" most or all outgoing connections. To the Internet, it seems that all traffic originates from this single address, when it really comes from all different machines on the internal network. The traffic is differentiated at the NAT device by a table of port numbers. For example, the port used for Web Surfing is port 80 (http). If a client computer at 192.168.1.37 surfs to www.dell.com, the NAT device may assign that to port 20,134. When the response comes back, the firewall knows that anything directed to port 20,134 really goes to the client at 192.168.1.37. That way, more than one person can surf at the same time, using the same external IP address, but everything goes to the correct person.
Static Mode NAT
In static mode, there is a one to one correlation between internal (illegal, non-routable) and external (legal, routable) addresses. The must be the case if you wish top have an E-Mail server, Web server or any other service that is accessible from the Internet. DNS (Domain Name Service) published the IP Addresses of server (or services) that are accessible. These published addresses must be legal, and routable. The IP network of addresses available for this use is termed the "moat" network, below. A typical "moat" network looks like this:
A very interesting thing happens with static NAT, however. Since the router is at IP address 22.214.171.124, when it sees a packet destined for 126.96.36.199, it "arps" for the Web server. Since the router knows that it is on network 188.8.131.52/29 and the Web server address is 184.108.40.206 they should be on the same network. But they really aren’t. So when the router "arps" (uses the Address Resolution Protocol to find the Web server), the Web server will not answer, since it is really on network 192.168.1.0/24. To solve this problem, devices that perform static NAT also perform "proxy arp".
Any device configured to do static NAT has a list of servers it will "answer for" when it hears an arp request. IT will essentially lie and say, "yes, I am that server, please send me the packet." When it get the packet, it forwards it to the real server.
A Typical Internet Connection Scenario
A very common small business-class (as opposed to home use) Internet connection looks like this following:
Subnet Masks: Decimal and CIDR
RFC1918: Address Allocation for Private Internets
3. Private Address Space The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers. An enterprise that decides to use IP addresses out of the address space defined in this document can do so without any coordination with IANA or an Internet registry. The address space can thus be used by many enterprises. Addresses within this private address space will only be unique within the enterprise, or the set of enterprises which choose to cooperate over this space so they may communicate with each other in their own private internet.
Last Modified: $Date: 2011-06-29 01:25:24 -0400 (Wed, 29 Jun 2011) $