It is important to know how to distinguish between a private vs public IP address. IT professionals and security professionals frequently have to work with them, and it is a very common job interview question, and certification question. Here are the ranges of private IP addresses, and why we need them.
In the early days of the Internet, all we had were public facing IP addresses. The Internet was wide open, and any machine could talk to any other machine. It was like a small town where no one locked their doors, just in case one of the neighbors needed to come over and use the phone because theirs was broken. Keeping things open was polite.
Why Do We Need Private IP Addresses?
Private IP addresses solve two major problems.
The first problem was that the internet took off in popularity much faster than most people expected. Bill Gates infamously underestimated the impact of the Internet in 1995, stopping just short of calling it overrated in his infamous book The Road Ahead, and being late to market with Microsoft’s first web browser. Gates wasn’t the only one who underestimated the Internet, but he is the most famous example, and an example of how industry experts didn’t all agree on what the Internet’s impact and popularity would be.
As designed, the Internet had room for about 4.3 billion computers. Considering it started out as a connection between some government computers and university computers, 4.3 billion seemed like plenty. But much like the 640k memory limit in PCs, we outgrew it more quickly than expected.
Private IP addresses and security
The second problem that it solved is the security problem. Now, instead of putting every computer directly on its own public IP address, you could put one computer on a public IP address, a firewall, and then stand up a private network behind the firewall. All of the computers on the private network could talk to each other and trust each other, but nothing on the public network could reach inside.
One of the first crises of my IT career involved public vs private IP addresses. At that point in time, RFC 1918 was brand new, and we hadn’t adopted it yet. We had about 200 computers, and all of them had public IP addresses. One night around 11:00 p.m., one of my co-workers went rogue. I won’t go into the details, but suffice it to say, by about 1:00 p.m. the next day, he was no longer my co-worker. The problem was, we had 200 computers with public IP addresses and no protection. He had 200 ways to get back on our network if he wanted to exact revenge.
With all of our systems on a private network and protected by a firewall, that would have been a less hectic Thursday afternoon. He would have had about 198 fewer options to cause mayhem.
This particular individual cared enough about his future to not try anything stupid, but I have been involved in other incidents where that wasn’t the case.
What Is A Private IP Address?
A private IP address is non routable, and unable to talk outside its local range without an intermediary. That’s the major thing to remember about a private vs public IP address.
A Quick Look At How They Work
When your computers on your private network ask for an IP address, they receive not only an IP address, but also the address of a router. The computer never talks directly to the Internet. Instead, it talks to the router, which talks to the internet on its behalf. The router does internal translation keeping track of what conversations are going on between the computers on its network and on public networks, and routes the conversations accordingly.
The method they use can vary, some routers use network address translation, or NAT to route these conversations, and some routers use a technology called port address translation, or PAT. Both methods accomplish the same thing, and it’s transparent to the person using the computer.
A Table Of The Common Private IP Ranges
RFC 1918 defines three private IP ranges. There is also a fourth. This is one of my favorite trick questions. I don’t use that one to disqualify someone automatically, but it can help me to know the difference between two otherwise similar candidates.
Class A: 10.0.0.0 – 10.255.255.255
Class B: 172.16.0.0 – 172.31.255.255
Class C: 192.168.x.0 – 192.168.x.255, where x is any number from 0 to 255.
These networks very in size, from small to huge, mirroring the original IP address allocation of the Internet, which divided IP addresses into blocks of three different sizes, called class A, class B, and class C. This division is largely academic today, because these classes were largely impractical. The class A networks had 16.7 million addresses, too large for anyone but governments and Fortune 10 megacorporations. The class C networks were too small to be of much practical use, since they only had 255 addresses. They were too easy to outgrow. Class B networks had 65,535 addresses, enough for many Fortune 100 companies to give every employee an IP address, and gives a lot more room for growth than an allocation of just 255. It’s also much more practical than having a deal with 16 million addresses. It was by far the most popular block size.
IP addresses are no longer sold that way, so that discussion is purely academic. But that’s where the sizes of the private networks came from.
Two of them are easy to remember. Smallest ones are in the 192.168 range. These are used in small offices, DMZ, and home networks. Being only 255 addresses, they are much more practical for those uses. The large private network starts with 10. Any IP address starting with the number 10 is part of one ginormous private network.
Corporations love to use this network because it has room for practically unlimited growth. But it can become a problem in merger situations depending on how the two companies carved up the space. Frequently they have overlaps and conflicts that have to be worked out before they can simply connect their two networks together.
The first trick question is the 172 network. 172.16.0.0 through 172.31.255.255 is a class b private network. This is the least popular of the three because it’s the hardest to remember. Be on the lookout for a question on a certification test asking whether 172.36.something.something is a private address, or if 172.29.something.something is public or private. The upper bounds of the 172 network can be hard to remember. Any question about private vs public IP addresses and a 172 address has the potential to trip you up.
The other trick question is the 169.254 range. These are the addresses that a computer will grab when the DHCP server is down, and are called APIPA addresses. These can turn up in an asset inventory but are usually secondary network interfaces that aren’t plugged in.
I am fond of asking about public versus private IP addresses in job interviews, because it tells me a lot about a candidate. I don’t expect you to know off the top of your head that FTP uses two ports, and which port is used for which, and at this point, I’m not terribly concerned if you even know which port FTP is off the top of your head. It’s not something you see everyday. As far as I’m concerned, if I ask you an FTP question, and you respond with another question, “Why are you using FTP?” that’s a valid answer. Maybe the best answer.
But you deal with IP addresses very frequently, pretty much every day. And whether you are dealing with a public or a private IP address makes a big difference in how you configure a computer or how you react to a problem.
Internal vs external
I will also sometimes change up the language. Public and private are the official terminology, but you sometimes hear internal and external. I’ve had people get pedantic with me when I ask if a network address is internal or external. If you answer with, “Do you mean private or public?” that tells me that you’re more interested in proving that you’re smarter than somebody then in working with that person. There are way too many pedantic security professionals out there. I don’t need them on my team.
On Twitter I’ll have people get an attitude with me about this attitude, saying there aren’t enough security professionals to go around, but give me a burnt out IT professional who knows the basics and can talk to people without an attitude, and I can teach them security. I can’t turn an egomaniac into a nice person.
You will have questions about public and private IP ranges on your certification tests. I promise you that. While I don’t believe in making you take your certification test orally again during a job interview, I do want to make sure that you retained the information from it that you’ll use every day.