

Private Addressing and Network Address Translation (NAT)

To find ways to slow down the pace at which the IP addresses were being allocated, it was important to identify different connectivity requirements and try to assign IP addresses accordingly.

Most organizations' connectivity needs fall in the following categories:

  Global connectivity
  Private connectivity (total or partial)

Global Connectivity

Global connectivity means that hosts inside an organization have access to both internal hosts and Internet hosts. In this case, hosts have to be configured with globally unique IP addresses that are recognized inside and outside the organization. Organizations requiring global connectivity must request IP addresses from their service providers.

Private Connectivity

Private connectivity means that hosts inside an organization have access to internal hosts only, not Internet hosts. Examples of hosts that require only private connectivity include bank ATM machines, cash registers in a retail company, or any host that does not really need to reach or be reached by hosts outside the company. Private hosts need to have IP addresses that are unique inside the organization, but do not have to be unique outside the organization. For this type of connectivity, the IANA has reserved the following three blocks of the IP address space for what is referred to as "private Internets:"

  10.0.0.0 through 10.255.255.255 (a single class A network number)
  172.16.0.0 through 172.31.255.255 (16 contiguous class B network numbers)
  192.168.0.0 through 192.168.255.255 (256 contiguous class C network numbers)

An enterprise that picks its addresses from the preceding ranges does not need to get permission from the IANA or an Internet Registry. Hosts that get a private IP address can connect with any other host inside the organization, but cannot connect to hosts outside the organization without going through a proxy gateway. The reason is that IP packets leaving the company will have a source IP address that is ambiguous outside the company and cannot be replied to by outside hosts. Because multiple companies building private networks can use the same IP addresses, fewer unique global IP addresses need to be assigned.

Hosts having private addresses can co-exist with hosts having global addresses. Figure 3-18 illustrates such an environment. Companies might choose to have most of their hosts private and still keep particular segments with hosts having global addresses. The latter hosts can reach the Internet as usual. Companies that use private addresses and still have connectivity to the Internet have the responsibility of applying routing filters to prevent the private networks from being leaked to the Internet.


Figure 3-18  General private connectivity environment.
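The routing-filter responsibility described above is easy to get wrong when a prefix only partially overlaps a private block. The following added example (not code from the book or from Cisco) classifies addresses against the three IANA-reserved blocks and decides which prefixes a border router may advertise to its provider. It goes slightly beyond the text in one respect: a prefix is also dropped when it covers a private block (for example 10.0.0.0/7), since advertising it would leak the private space just the same. The prefix list at the bottom is constructed sample input; only IPv4 is handled.

```python
import ipaddress
from typing import Dict, Iterable, List

# The three blocks IANA reserved for private internets, as listed in the text.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0   - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]


def is_private(address: str) -> bool:
    """True if an IPv4 address lies inside one of the three private blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in PRIVATE_BLOCKS)


def filter_advertisements(prefixes: Iterable[str]) -> Dict[str, List[str]]:
    """Split candidate route advertisements into 'allowed' and 'dropped'.

    A prefix is dropped if it lies inside a private block (it would leak
    part of the private space) or covers one (it would leak all of it).
    """
    allowed: List[str] = []
    dropped: List[str] = []
    for text in prefixes:
        net = ipaddress.ip_network(text, strict=False)  # accept host bits set
        leaks = any(net.subnet_of(b) or b.subnet_of(net) for b in PRIVATE_BLOCKS)
        (dropped if leaks else allowed).append(str(net))
    return {"allowed": allowed, "dropped": dropped}


# Constructed sample: what a border router of a mixed private/global
# organization might otherwise advertise to its service provider.
SAMPLE_PREFIXES = [
    "128.213.0.0/16",  # global block, may be advertised
    "10.1.0.0/16",     # inside 10/8
    "172.16.0.0/12",   # exactly a private block
    "10.0.0.0/7",      # covers 10/8, must also be dropped
    "192.168.5.0/24",  # inside 192.168/16
    "8.8.8.0/24",      # global, may be advertised
]

if __name__ == "__main__":
    for line in filter_advertisements(SAMPLE_PREFIXES).items():
        print(*line)
```

The same check, applied at the provider's side to routes received from a customer, is the complementary half of keeping private space out of the global routing table.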

The drawback of this approach is that if an organization later on decides to open up its hosts to the Internet, the private IP addresses will have to be renumbered. With the introduction of new protocols such as the Dynamic Host Configuration Protocol (DHCP) [5], this task might become easy. DHCP provides a mechanism for transmitting configuration parameters (including IP addresses) to hosts using the TCP/IP protocol suite. Provided that the hosts are DHCP-compatible, hosts can get their new addresses dynamically from a central server.

Hosts that have private addresses can still reach the outside by going through a gateway or some kind of host that has a global address.

Host A in Figure 3-19 has a private IP address. If A wants to telnet to a destination outside the company, it can do so by first logging into host B and then telnetting from host B to the outside. Packets leaving the company now would have B's source IP address, which is global and can be replied to.


Figure 3-19  Privately addressed hosts accessing Internet resources.

Network Address Translator

Companies migrating from a private address space to a global address space can do so with the help of Network Address Translators (NAT). Cisco Systems offers this solution as part of its Cisco Internetwork Operating System (IOS)™ software running on its routers.

NAT technology enables private networks to connect to the Internet without resorting to renumbering IP addresses. A NAT router is placed at the border of a domain, and it translates the private addresses into global addresses before sending packets to the Internet.

As illustrated in Figure 3-20, hosts A and B have private IP addresses 10.1.1.1 and 10.1.1.2. If A and B want to reach destinations outside the company, the NAT will convert the source IP addresses of the packets according to the predefined mapping in the NAT table. Packets from host A will reach the outside with a source IP address of 128.213.x.y, and packets from host B will reach the outside as coming from source IP address 128.213.z.w. Hosts in the global domains will not know the difference and will reply to hosts A and B as they would to any other host. On the way back, the destination address of the packets will be mapped back to the private IP address.


Figure 3-20  Network Address Translator example.

Discussions about NAT devices are beyond the scope of this book because they have to handle many "corner cases" and more involved situations. Such cases include enterprises that have used addresses that are not part of the IANA private addresses. In this case, addresses used could be already assigned by the IANA to some other company. Other situations involve enterprises that get assigned fewer global addresses than their number of hosts. In this case, the NAT has to dynamically map private IP addresses to a smaller pool of global addresses.
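To make the two translation directions of Figure 3-20 and the "smaller pool" case of the last paragraph concrete, here is an added example (not code from the book, and not a model of how Cisco IOS implements NAT). It models a border NAT with a static table for hosts A and B plus a dynamic pool that is smaller than the number of inside hosts, so that pool exhaustion has to be handled. Packets are modelled as (source, destination) pairs; the global addresses 128.213.1.x stand in for the 128.213.x.y and 128.213.z.w of the text, and 198.51.100.7 is a constructed outside host. Two defender-relevant behaviours fall out of the model: an inbound packet whose destination has no table entry cannot be delivered to any inside host, and an inside host that never sent anything is unreachable from outside.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed packet representation for this example: (source, destination).
Packet = Tuple[str, str]


class NatTable:
    """One-to-one address translator placed at the border of a private domain.

    Static entries fix a private-to-global mapping in advance (hosts A and B
    in Figure 3-20). Any other inside host is given an address from a global
    pool on its first outbound packet and keeps it until released.
    """

    def __init__(self, static: Dict[str, str], pool: List[str]) -> None:
        self.inside_to_global: Dict[str, str] = dict(static)
        self.global_to_inside: Dict[str, str] = {g: i for i, g in static.items()}
        self.static_hosts = set(static)
        self.free_pool: List[str] = list(pool)

    @staticmethod
    def _is_private(address: str) -> bool:
        # Python's is_private covers the three IANA blocks (and a few other
        # non-global ranges), which is sufficient for this example.
        return ipaddress.ip_address(address).is_private

    def outbound(self, packet: Packet) -> Optional[Packet]:
        """Translate the source of a packet leaving the domain; None = dropped."""
        src, dst = packet
        if not self._is_private(src):
            return packet  # a globally addressed inside host passes unchanged
        mapped = self.inside_to_global.get(src)
        if mapped is None:
            if not self.free_pool:
                return None  # more inside hosts than global addresses
            mapped = self.free_pool.pop(0)
            self.inside_to_global[src] = mapped
            self.global_to_inside[mapped] = src
        return (mapped, dst)

    def inbound(self, packet: Packet) -> Optional[Packet]:
        """Map the destination of a returning packet back; None = no inside host."""
        src, dst = packet
        inside = self.global_to_inside.get(dst)
        if inside is None:
            return None  # unsolicited traffic to an unmapped global address
        return (src, inside)

    def release(self, inside: str) -> bool:
        """Return a dynamically assigned global address to the pool."""
        if inside in self.static_hosts or inside not in self.inside_to_global:
            return False
        mapped = self.inside_to_global.pop(inside)
        del self.global_to_inside[mapped]
        self.free_pool.append(mapped)
        return True


def build_example_nat() -> NatTable:
    """Constructed setup: A and B mapped statically, one spare global address."""
    return NatTable(
        static={"10.1.1.1": "128.213.1.1", "10.1.1.2": "128.213.1.2"},
        pool=["128.213.1.3"],
    )


if __name__ == "__main__":
    nat = build_example_nat()
    print(nat.outbound(("10.1.1.1", "198.51.100.7")))   # A leaves as 128.213.1.1
    print(nat.inbound(("198.51.100.7", "128.213.1.1")))  # reply comes back to A
    print(nat.outbound(("10.1.1.3", "198.51.100.7")))   # takes the last pool entry
    print(nat.outbound(("10.1.1.4", "198.51.100.7")))   # None: pool exhausted
```

A real translator also has to time out idle dynamic entries and, when the pool is too small, multiplex several inside hosts onto one global address using transport ports; both are among the corner cases the text leaves out.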

