IP addresses come in two forms: public addresses, which are assigned by a central network authority and may be used to reach systems located across the Internet, and private addresses, which are available for anyone's use but may only be used on local networks and will not work across the Internet. Learn the differences between public and private IP addresses and the use of Network Address Translation (NAT).
- [Instructor] As we've discussed throughout this course, IP addresses uniquely identify systems on a network. TCP/IP-compatible devices use these addresses to correctly route packets across networks, but how are these addresses assigned? IP addresses come in two forms, public addresses, which are assigned by a central network authority and may be used to reach systems located across the Internet, and private addresses, which are available for anyone's use, but may only be used on local networks and will not work across the Internet.
Let's begin by discussing public IP addresses. These addresses are centrally managed by a group known as the Internet Corporation for Assigned Names and Numbers, or ICANN. ICANN breaks addresses up into blocks, and gives them out to regional authorities in different countries for distribution. These regional authorities each take responsibility for a geographic portion of the world. For example, the American Registry for Internet Numbers, or ARIN, governs the distribution of IP addresses in the United States and Canada.
One of the major issues with IP addresses is that they are a scarce resource, especially when it comes to the traditional dotted quad IPv4 addresses. There are no large blocks of IPv4 addresses available for assignment today, and the only way to get these public IP addresses is by purchasing or renting them from other organizations, such as Internet service providers. In the early days of networking, many organizations would simply obtain a large block of public IP addresses, and use them on all of their systems.
For example, if an organization owned the 188.8.131.52 network, they might have just freely handed out those addresses on their own networks. The scarcity of IP addresses, combined with security concerns, makes this impractical today. Why are these addresses so scarce? With the dotted quad notation of IPv4, there are only 4.3 billion possible IP addresses. While this may sound like a lot, Cisco estimates that there are currently around seven and a half billion mobile devices alone in the world today.
That count doesn't even include servers, desktop computers, network appliances or any non-mobile devices. There simply aren't enough possible addresses to assign every device in the world a unique public IP address. The solution to this dilemma is the use of private IP address ranges. When ICANN's predecessor organizations divided up the original IP address space, they reserved three different address ranges for use on private networks. These ranges are the 10 network, from 10.0.0.1 to 10.255.255.255, another is a portion of the 172 network, from 172.16.0.1 to 172.31.255.255.
And the last is the 192.168 network, from 192.168.0.1 to 192.168.255.255. These ranges are called private IP addresses, and anyone can use them on their local networks. The only catch is that they are reserved for use on private networks and cannot be used for routing traffic across the Internet. Today, organizations typically use a balance of public and private IP addresses.
They use private addresses broadly within their private networks, assigning them to all of their internal systems. They then use a small number of public IP addresses for systems that require public access. In the case of this network that formerly used public addresses from the 8.1 range, administrators might instead assign private addresses from the 192.168 range. You might have noticed one problem with this approach. Systems that have private IP addresses cannot communicate on the Internet using those addresses because they are not Internet-routable.
Thousands of organizations around the world use those same private addresses on their own internal networks, so remote systems would have no way of telling where reply traffic should actually go. The solution to this is a technology known as Network Address Translation, or NAT. Routers and firewalls perform NAT translation at the border of a network. When a system with a private IP address, such as this laptop with private address 192.168.1.1 wants to communicate on the Internet, the NAT device lends the system a public IP address temporarily for use during that communication.
It then records the public and private IP address translation in a table, and when a reply comes in for that public address, the NAT device looks up the corresponding private address in the table, and then routes the packet to the correct system on the private network. NAT does introduce new concerns for security professionals. It does bring the privacy benefit of hiding IP addresses from the public Internet and limiting direct access to systems, but it also makes it difficult to correlate activity on a public IP address back to the true originator.
For this reason, most organizations maintain logs of their NAT translations that allow them to determine who was using a particular public IP address at any given time. NAT is a very useful technology, but it is somewhat limited because it requires a public IP address for every system on the network that needs to communicate on the Internet. Since most organizations have a limited pool of public addresses, they can quickly run into a situation where that pool is exhausted, and no new systems can communicate on the Internet.
Port Address Translation, or PAT, solves this problem by allowing multiple systems to share the same public address. Instead of recording translations between IP addresses, PAT assigns each connection a different port on a public IP address. This way, many different systems can share the same public IP address at any point in time.
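As an added example (not code from the course), the snippet below checks an address against the three private ranges named in the lecture and models a PAT device: many internal hosts share one public address, each connection gets its own public-side port, replies are routed back through the table, and every translation is logged so a public ip:port seen at a given time can be traced to the internal originator. The public address 203.0.113.7, the port numbers and the timestamps are constructed sample values.

```python
from ipaddress import ip_address, ip_network
import itertools

# The three reserved private ranges from the lecture: 10/8, 172.16-172.31, 192.168/16.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr falls in one of the private ranges (not Internet-routable)."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)

class PatDevice:
    """Toy Port Address Translation table for a border router or firewall."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # the single public address being shared
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)
        self.log = []        # (when, public_ip, public_port, private_ip, private_port)

    def translate_out(self, private_ip: str, private_port: int, when: int):
        """Outbound packet: allocate (or reuse) a public port for this internal connection."""
        if not is_private(private_ip):
            raise ValueError(f"{private_ip} is already public; nothing to translate")
        key = (private_ip, private_port)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
            # Record the translation so the true originator can be identified later.
            self.log.append((when, self.public_ip, pub_port, private_ip, private_port))
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port: int):
        """Reply for public_ip:public_port: look up the internal host, or None if unknown."""
        return self.inbound.get(public_port)

    def who_used(self, public_port: int, when: int):
        """Incident-response query: which internal host held this public port at time 'when'?"""
        matches = [r for r in self.log if r[2] == public_port and r[0] <= when]
        return matches[-1][3:] if matches else None
```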
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security