The Internet is a public network, so a device connected directly to the Internet has a public IP address. Those addresses must be administered by someone in such a way that no two devices on the public network use the same IP address and no two networks have the same network address. This job was originally done by InterNIC (Internet Network Information Center) and has since been taken over by IANA (Internet Assigned Numbers Authority). IANA hands out unique address blocks and keeps track of their usage; both IPv4 and IPv6 addresses are assigned in a delegated manner. Users are assigned IP addresses by their ISPs, and ISPs obtain their allocations from a local Internet registry (LIR) or national Internet registry (NIR), or from the regional Internet registry (RIR) for their region:
- AfriNIC (African Network Information Centre): Africa Region, http://www.afrinic.net
- APNIC (Asia Pacific Network Information Centre): Asia/Pacific Region, http://www.apnic.net
- ARIN (American Registry for Internet Numbers): North America Region, http://www.arin.net
- LACNIC (Regional Latin-American and Caribbean IP Address Registry): Latin America and some Caribbean Islands, http://www.lacnic.net
- RIPE NCC (Réseaux IP Européens Network Coordination Centre): Europe, the Middle East, and Central Asia, http://www.ripe.net
A local area network connected to the Internet through a router doesn't always need public IP addresses for all the devices in that network. The devices will use local IP addresses, and when going outside the network, the router can do Network Address Translation (NAT), a process that translates the local IP address of the device into one IP address that is actually routed on the Internet to that router. NAT will be explained in greater detail later in this article.
The addresses used behind NAT should be private IP addresses, that is, addresses that are not routed anywhere on the Internet. If the network behind NAT used public addresses instead, its devices could still reach any public IP address except those that fall within the same address range as the one used behind NAT.
Consider a local network behind NAT that uses the class C network 217.207.125.0, which the router translates into its own public IP address whenever a device accesses the Internet. Everything works fine, with one exception: no device in the local network will be able to reach, for example, www.packtpub.com, which has the IP address 217.207.125.58, because the hosts consider that address local and look for it on the LAN instead of handing the packet to the router. In fact, no device in the local network will be able to reach any host on the Internet whose public address, assigned by IANA, lies within the class C network 217.207.125.0.
To address this problem, IANA has reserved several address blocks that cannot be used on the public network, meaning that they are not routed on the Internet. RFC 1918 defines these blocks as private IP addresses to be used in private networks. They are:
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8), a single class A network
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), 16 contiguous class B networks
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16), 256 contiguous class C networks
By using these private IP addresses for local networks (intranets) connected to the Internet, the number of public IP addresses needed for devices accessing the public network drops considerably. If a company has two local networks connected to the Internet in geographically distant locations, without a separate link between them, it does not have to use public IP addresses for the devices in either network. Instead, the two networks can communicate over a virtual connection built across the Internet, a VPN (Virtual Private Network), which is discussed later in this article.
| Since private IP addresses are not routed by any ISP, a company with two geographically distant sites that get Internet access from different providers cannot reach one private network from the other directly. In that case it creates a virtual connection (a tunnel) between the two sites and, only on its own routers, adds routes for the remote private network that point at the remote site's public IP address. The advantage is that both private networks can reach the Internet and each other, while other hosts on the Internet still cannot reach them. This is called a VPN (Virtual Private Network). |
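To make the forwarding decision in the 217.207.125.0 example concrete, here is a short added example (my code, not the article's) that implements the RFC 1918 membership test with the same bitwise AND that hosts use, a host's "deliver on the LAN or send to the gateway?" decision, and the range of public addresses that a wrongly numbered LAN shadows. The host addresses 217.207.125.10 and 192.168.1.10, the gateway addresses and the LAN masks are constructed for illustration; only 217.207.125.58 and the RFC 1918 blocks come from the text. The same membership test is what a border filter uses to drop packets arriving from the Internet with a private source address, since such packets can only be leaked or spoofed.

```python
import socket
import struct


def ip_to_int(ip):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    """32-bit integer -> dotted-decimal IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


# The three RFC 1918 blocks as (network address, mask) pairs.
RFC1918_BLOCKS = (
    ("10.0.0.0", "255.0.0.0"),        # 10.0.0.0/8, one class A network
    ("172.16.0.0", "255.240.0.0"),    # 172.16.0.0/12, 16 class B networks
    ("192.168.0.0", "255.255.0.0"),   # 192.168.0.0/16, 256 class C networks
)


def is_rfc1918(ip):
    """True if ip lies in a private block: (ip AND mask) == block network address."""
    n = ip_to_int(ip)
    return any((n & ip_to_int(mask)) == ip_to_int(net) for net, mask in RFC1918_BLOCKS)


def next_hop(src, dst, lan_mask, gateway):
    """A host's forwarding decision. If the destination ANDed with the host's mask
    gives the host's own network, the host looks for it on the LAN ("direct");
    otherwise it hands the packet to the default gateway (the NAT router)."""
    m = ip_to_int(lan_mask)
    if (ip_to_int(src) & m) == (ip_to_int(dst) & m):
        return "direct"
    return gateway


def shadowed_public_range(lan_net, lan_mask):
    """If a LAN behind NAT is numbered from a public (non-RFC 1918) block, return
    the first and last public address its hosts can no longer reach, else None."""
    if is_rfc1918(lan_net):
        return None
    m = ip_to_int(lan_mask)
    net = ip_to_int(lan_net) & m
    bcast = net | (~m & 0xFFFFFFFF)
    return int_to_ip(net), int_to_ip(bcast)


if __name__ == "__main__":
    # Constructed scenario: the LAN mistakenly numbered from 217.207.125.0/24.
    print(next_hop("217.207.125.10", "217.207.125.58", "255.255.255.0", "217.207.125.1"))
    print(shadowed_public_range("217.207.125.0", "255.255.255.0"))
    # Same LAN renumbered into RFC 1918 space: the packet now goes to the NAT router.
    print(next_hop("192.168.1.10", "217.207.125.58", "255.255.255.0", "192.168.1.1"))
    print(shadowed_public_range("192.168.1.0", "255.255.255.0"))
```

With the public block, the host answers "direct" for www.packtpub.com and never sends the packet to the router; with 192.168.1.0 it returns the gateway address and NAT does its job.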
IP Subnetting
Subnetting is the process of breaking a network into smaller pieces. This is done for a variety of reasons. For example, a company with a separate LAN for each department cannot give all departments the same network address and mask, because hosts that believe they share a network try to reach each other directly rather than through the router.
Giving each LAN within the same company an entirely separate network address is not recommended either, because a large number of IP addresses would be wasted in the process.
Subnetting is done by choosing an appropriate mask, called a subnet mask or netmask, that defines the number of hosts in each subnet. The network address of a subnet is an address from the original network that hosts can no longer use; together with the subnet's broadcast address, that means two addresses are lost for every subnet created.
The Subnet Mask
The subnet mask is a 32 bit sequence of zeros and ones, just like the IP address. The subnet mask has all the bits in the network part of the IP address set to 1, and all the bits in the host part of the IP address set to 0. The subnet mask works like the network mask (it's basically the same thing), except that the subnet mask borrows some bits from the host part to identify the subnet.
Let's say the IP address 192.168.1.130 is in the class C network 192.168.1.0-255, so it has the mask 255.255.255.0. The company has two departments that currently share this network but are required to be on different networks. When assigning addresses, the network administrator had assigned them in ascending order starting from 192.168.1.1 for department A and in descending order starting from 192.168.1.254 for department B, so the decision is to divide this class C network into two subnets of 128 addresses each: 192.168.1.0-127 and 192.168.1.128-255.
Initially, we would have:
| 11000000.10101000.00000001.10000010 | 192.168.1.130 |
| 11111111.11111111.11111111.00000000 | 255.255.255.0 |
In order to break the class C network in two subnets, we need to borrow one bit from the host part of the IP address for the network part, so we will have the subnet mask:
11111111.11111111.11111111.10000000=255.255.255.128
The first bit of the last byte of the subnet mask is called a "borrowed bit". The logic is simple Boolean logic: a device with IP capabilities performs a bitwise AND between the IP address and the subnet mask to find out which network the address belongs to. For 192.168.1.130 with the subnet mask 255.255.255.128, that is the following operation:
11000000.10101000.00000001.10000010 AND
11111111.11111111.11111111.10000000 EQUALS
11000000.10101000.00000001.10000000 = 192.168.1.128
This way it finds out that the IP address 192.168.1.130 having the subnet mask 255.255.255.128 is in the subnet 192.168.1.128.
For 192.168.1.1 having the subnet mask 255.255.255.128, the logical AND will be:
11000000.10101000.00000001.00000010 AND
11111111.11111111.11111111.10000000 EQUALS
11000000.10101000.00000001.00000000 = 192.168.1.0
So the address is in the subnet 192.168.1.0.
By performing a logical AND of all IP addresses in the 192.168.1.0-255 class C with the subnet mask 255.255.255.128, the results can only be 192.168.1.0 or 192.168.1.128. This way, we divide the class C network in two.
Before dividing the class C network, we had the broadcast address 192.168.1.255. Now, the last IP address from every subnet becomes the broadcast address for that subnet. The first subnet will have 192.168.1.127 as a broadcast address, and the second will have 192.168.1.255 as a broadcast address. By dividing this class C in two, we lost two possible host IP addresses—192.168.1.127 (first subnet's broadcast) and 192.168.1.128 (second subnet's network).
Everything Divided in Two
If we need four subnets in that class C network, we do the same thing to the 255.255.255.128 subnet mask. This means we will borrow one bit from the host part of the IP address and add it to the subnet mask, and so we will be borrowing two bits from the class C mask:
11111111.11111111.11111111.11000000 = 255.255.255.192
By performing a logical AND with any IP address starting with 192.168.1, we will have four possible values for the last byte:
00000000 = 0
01000000 = 64
10000000 = 128
11000000 = 192
So we have created four subnets: 192.168.1.0, 192.168.1.64, 192.168.1.128, and 192.168.1.192.
Each of those subnets can be divided in two again, and so on.
The rule with the first and the last address of the subnet as being reserved still applies here; so, the first IP address in the subnet is the network address (to identify the subnet) and the last possible address in a subnet is used for broadcast. For the example we just saw, we have:
| Usable IP addresses | Network Address | Broadcast Address |
| 192.168.1.1 to 192.168.1.62 | 192.168.1.0 | 192.168.1.63 |
| 192.168.1.65 to 192.168.1.126 | 192.168.1.64 | 192.168.1.127 |
| 192.168.1.129 to 192.168.1.190 | 192.168.1.128 | 192.168.1.191 |
| 192.168.1.193 to 192.168.1.254 | 192.168.1.192 | 192.168.1.255 |
If the class C network 192.168.1.0-255 is subnetted as in the example, the host with IP address 192.168.1.71 and subnet mask 255.255.255.192 sends its broadcasts to 192.168.1.127, and only devices with IP addresses in the same subnet (192.168.1.65 to 192.168.1.126) receive them.
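The mask-AND procedure of this section, written out as an added example (my code, not the article's) so that the tables above can be recomputed for any address and mask: subnet_info returns the network address, broadcast address and usable range, same_subnet tells whether two hosts would hear each other's broadcasts, and mask_is_valid enforces the rules stated in this article (a contiguous run of ones, and at least two host bits left). The addresses are those used in the text; 192.168.1.100 is a constructed extra host.

```python
import socket
import struct


def ip_to_int(ip):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    """32-bit integer -> dotted-decimal IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def to_binary(ip):
    """Dotted binary form as in the tables above, e.g. 11000000.10101000.00000001.10000010."""
    return ".".join(format(int(octet), "08b") for octet in ip.split("."))


def mask_is_valid(mask):
    """A subnet mask is a run of 1 bits followed by a run of 0 bits. Under the
    classic rule used in this article it must also keep at least two host bits,
    so that a network and a broadcast address still leave usable hosts."""
    m = ip_to_int(mask)
    host_bits = 0
    while host_bits < 32 and not (m >> host_bits) & 1:
        host_bits += 1                      # count trailing zero bits
    contiguous = (m >> host_bits) == (0xFFFFFFFF >> host_bits)
    return contiguous and 2 <= host_bits < 32


def subnet_info(ip, mask):
    """Network (ip AND mask), broadcast (network with every host bit set to 1),
    first and last usable host, host count and prefix length for ip/mask."""
    if not mask_is_valid(mask):
        raise ValueError("invalid subnet mask: %s" % mask)
    a, m = ip_to_int(ip), ip_to_int(mask)
    network = a & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable": broadcast - network - 1,
        "prefix": bin(m).count("1"),
    }


def same_subnet(ip1, ip2, mask):
    """Two hosts share a subnet (and hear each other's broadcasts) when their
    addresses give the same result after AND with the mask."""
    m = ip_to_int(mask)
    return (ip_to_int(ip1) & m) == (ip_to_int(ip2) & m)


if __name__ == "__main__":
    print(to_binary("192.168.1.130"), "AND")
    print(to_binary("255.255.255.128"), "EQUALS")
    print(to_binary(subnet_info("192.168.1.130", "255.255.255.128")["network"]))
    for host in ("192.168.1.130", "192.168.1.71", "192.168.1.1"):
        print(host, subnet_info(host, "255.255.255.192"))
    print(same_subnet("192.168.1.71", "192.168.1.100", "255.255.255.192"))
    print(same_subnet("192.168.1.71", "192.168.1.130", "255.255.255.192"))
```

The validity check rejects a non-contiguous mask such as 255.255.0.255 as well as 255.255.255.254, which the article's rule excludes because it leaves no usable host.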
| For a subnet mask to be valid, it must have a host part, meaning it cannot borrow all the bits of the last byte. At least the last bit must be 0, so the last mask that still has a host part is 11111111.11111111.11111111.11111110 = 255.255.255.254. However, a subnet with the mask 255.255.255.254 has only two possible IP addresses, and with one used for the network address and one for broadcast, there are no usable IP addresses left in that subnet! (RFC 3021 later allowed this mask, a /31, on point-to-point links, where no broadcast address is needed; the classic rule stated here still holds for ordinary LANs.) |
For a class C network, the valid subnet masks are:
11111111.11111111.11111111.10000000 = 255.255.255.128
11111111.11111111.11111111.11000000 = 255.255.255.192
11111111.11111111.11111111.11100000 = 255.255.255.224
11111111.11111111.11111111.11110000 = 255.255.255.240
11111111.11111111.11111111.11111000 = 255.255.255.248
11111111.11111111.11111111.11111100 = 255.255.255.252
The smallest number of usable IP addresses in a subnet is two, given by the subnet mask 255.255.255.252, which has four IP addresses in that network (one for network, one for broadcast, and two usable IP addresses).
A Different Approach
Thinking in binary is not always that simple, but that is the process that devices using IP communication use to calculate things. A simple logic in decimal would be like this:
A class C network has 256 IP addresses (from 0 to 255). I need to create four subnets in that class C, so each subnet will have (256 / 4 =) 64 IP addresses (only 62 usable for devices). The last byte (in decimal) of the subnet mask will be (256 – 64 =) 192, so I get the subnet mask 255.255.255.192 and the subnets 192.168.1.0, 192.168.1.64, 192.168.1.128, and 192.168.1.192.
The trick for subnetting class C networks is to subtract the number of addresses you want in each subnet from 256, which gives you the last byte of the subnet mask. Remember that the subnet size (the number of addresses, including the network and broadcast addresses) must be a power of 2, and that two of those addresses are not usable by hosts. For 16 addresses in a subnet (14 usable hosts), you will use the subnet mask 255.255.255.240 (256 – 16 = 240).
To subnet a class B network, if you don't want to use the binary logic, you can still use this procedure by working on the third byte of the subnet mask. For example, a full class B network has 256 * 256 IP addresses. If I want to use 16 * 256 IP addresses in a subnet, I will use for the third byte of the subnet mask the value 256 – 16 = 240, so I will have a subnet mask of 255.255.240.0.
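The decimal trick generalizes to any octet once the subnet size is seen as a power of two: the mask is simply all ones shifted left by log2(size) host bits. The following added example (my code, not the article's) implements that, together with the splitting of a network into equal subnets, and covers both the class C case above (four subnets of 64 addresses) and the class B case (subnets of 16 * 256 addresses, mask 255.255.240.0). The network 172.16.0.0 used for the class B run is a constructed choice.

```python
import socket
import struct


def ip_to_int(ip):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    """32-bit integer -> dotted-decimal IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def mask_for_subnet_size(size):
    """Subnet mask for a block of `size` addresses (network and broadcast included).
    size must be a power of two and, by the article's rule, at least 4.
    For sizes below 256 this is exactly the "256 - size" trick in the last octet;
    for a class B it is "256 - size/256" in the third octet."""
    if size < 4 or size & (size - 1):
        raise ValueError("subnet size must be a power of two, at least 4")
    host_bits = size.bit_length() - 1          # log2(size)
    return int_to_ip((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)


def usable_hosts(mask):
    """Addresses in the block minus the network and broadcast addresses."""
    m = ip_to_int(mask)
    return (~m & 0xFFFFFFFF) + 1 - 2


def split(network, mask, count):
    """Divide network/mask into `count` equal subnets (count a power of two).
    Returns a list of (subnet network address, new mask) pairs."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    net, m = ip_to_int(network), ip_to_int(mask)
    if net & (~m & 0xFFFFFFFF):
        raise ValueError("%s is not the network address for mask %s" % (network, mask))
    total = (~m & 0xFFFFFFFF) + 1             # addresses in the original network
    size = total // count
    new_mask = mask_for_subnet_size(size)      # raises if the pieces become too small
    return [(int_to_ip(net + i * size), new_mask) for i in range(count)]


if __name__ == "__main__":
    print(mask_for_subnet_size(64), usable_hosts(mask_for_subnet_size(64)))
    for subnet, subnet_mask in split("192.168.1.0", "255.255.255.0", 4):
        print(subnet, subnet_mask)
    # Class B: 16 subnets of 16 * 256 addresses each, third octet 256 - 16 = 240.
    for subnet, subnet_mask in split("172.16.0.0", "255.255.0.0", 16)[:3]:
        print(subnet, subnet_mask)
```

Asking for subnets smaller than four addresses, or a count that is not a power of two, raises an error instead of silently producing a mask with no usable hosts.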