Reserved IP Address Space Reminder
As we are running out of IPv4 address space, many networks, instead of embracing IPv6, stretch existing IPv4 space via multiple levels of NAT. NAT then uses "reserved" IP address space. However, there are more address ranges reserved then listed in RFC1918, and not all of them should be used in internal networks. Here is a (probably incomplete) list of address ranges that are reserved, and which once are usable inside your network behind a NAT gateway.
Address Range | RFC | Suitable for Internal Network |
---|---|---|
0.0.0.0/8 | RFC1122 | no ("any" address) |
10.0.0.0/8 | RFC1918 | yes |
100.64.0.0/10 | RFC6598 | yes (with caution: If you are a "carrier") |
127.0.0.0/8 | RFC1122 | no (localhost) |
169.254.0.0/16 | RFC3927 | yes (with caution: zero configuration) |
172.16.0.0/12 | RFC1918 | yes |
192.0.0.0/24 | RFC5736 | no (not used now, may be used later) |
192.0.2.0/24 | RFC5737 | yes (with caution: for use in examples) |
192.88.99.0/24 | RFC3068 | no (6-to-4 anycast) |
192.168.0.0/16 | RFC1918 | yes |
198.18.0.0/15 | RFC2544 | yes (with caution: for use in benchmark tests) |
198.51.100.0/24 | RFC5737 | yes (with caution: test-net used in examples) |
203.0.113.0/24 | RFC5737 | yes (with caution: test-net used in examples) |
224.0.0.0/4 | RFC3171 | no (Multicast) |
240.0.0.0/4 | RFC1700 | no (or "unwise"? reserved for future use) |
Most interesting in this context is RFC6598 (100.64.0.0/10), which was recently assigned to provide ISPs with a range for NAT that is not going to conflict with their customers NAT networks. It has been a more and more common problem that NAT'ed networks once connected with each other via for example a VPN tunnel, have conflicting assignments.
Which networks did I forget? I will update the table for a couple days as comments come in.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
dsh
May 16th 2012
1 decade ago
http://www.caida.org/~youngh/bogons.html
brianc
May 16th 2012
1 decade ago
Anyway, 44.128/16 is considered a test network for AMPRnet and not routable, much like 10/8, so it should certainly be reasonable to consider using it at least.
fritz
May 16th 2012
1 decade ago
The ugly part is that not everything is IPv6 compatible; and this needs to be as much bottom to top as top to bottom.
dynamicnet.net
May 17th 2012
1 decade ago
Michael
May 17th 2012
1 decade ago
RFC 5735 obsoleted/updates RFC 3330
44.0.0.0/8 is still considered AMPRNET according to Whois. I think the use of 44.128.0.0/16 as non-routable test net is an AMPRNET policy. I wasn't able to find an official reference to it yet.
Dr. J.
May 17th 2012
1 decade ago
Dr. J.
Feb 29th 2016
8 years ago
Also, I find it rather sad that the companies that were so graciously handed one or several /8 ranges can not be bothered to return at least a part of them.
Dr. J.
Mar 3rd 2016
8 years ago