What's the difference between public and private IPv4 addresses?
Over the last month or so, we’ve been using strange, fictional hotels as metaphors for networks.
So far, we’ve covered Le Hotel being allocated the 34.0/8 address block, which allows the manager to address the rooms and floors between 34.0 and 34.255.
If you don’t know what 34.0/8 means, check out my primer on CIDR blocks. And if you don’t know why we stop at 34.255 and not, say, 34.256, then check out my answer to why IPv4 address octets cap at 255.
The manager has used “sub-hotels” – aka subnets – to address her hotel floors and rooms like this:
Everybody can talk to everybody, whether they like it or not
Every room has a globally unique address. This means that anyone can send anything to any hotel room.
But… what if the manager doesn’t want guests’ rooms to receive mail from outside the hotel?
These public addresses make it easy for spammers and conmen to flood a hotel with messages. They don’t need to know who’s behind any of the doors. They only need to send their shenanigans to every address between 34.0 and 34.255, then wait and see if any poor sods take the bait.
Guests don’t want to deal with all this junk mail when they’re on vacation, but it’s the price of booking a room with a public address.
The hotel can’t have rooms without addresses. A guest could never check in. The room wouldn’t be able to receive essential hotel services like housekeeping. Every room must have an address.
So, the manager needs to give these rooms private addresses.
We’ve already talked a bit about the protocols of hotel room addressing in our made-up little world. One of these rules is that hoteliers need to request blocks of room addresses from the Hotel Assigned Numbers Authority to ensure no two hotels ever use the same range of global addresses.
But, what if a room address doesn’t need to be globally unique?
What if it needs to be unique only inside the hotel?
Luckily for us, the-powers-that-be have already thought about this. The Hotel Assigned Numbers Authority has reserved the address block 10.0/8 for every hotel to use.
This is on the understanding that these addresses – 10.0 to 10.255 – can never be publicly routable, because there’s no guarantee that they’ll ever be globally unique. But since they’ll never be publicly routable, they don’t need to be globally unique.
- Every hotel in the world can have rooms with addresses 10.0 to 10.255, and that’s okay.
- If a hotel’s mail room ever needs to deliver a message addressed to a 10.0/8 address, then that message must be for that same hotel. It can never be delivered to any other hotel.
So instead of Le Hotel having its 34.0/8 addresses assigned to all the rooms, it actually makes more sense for the manager to assign the hotel’s 10.0/8 block like this to make all the rooms private by default:
…and then assign public addresses to only the rooms which need to receive messages from outside the hotel.
In Le Hotel, this means that only three rooms need public addresses:
- The mail room. This needs to be publicly addressable because this is where mail carriers drop off the mail.
- The manager’s office. This needs to be publicly addressable so that self-important guests can escalate their petty problems directly with the manager after they’ve left, rather than during their stay while the manager has a chance to rectify problems.
- The reception desk. This needs to be publicly addressable so that guests can request a bowl of purple M&Ms to be left in their room for their arrival.
So these three rooms are assigned an additional address from Le Hotel’s public 34.0/8 block:
All done! Now each room address is only as unique as it needs to be.
- Messages can be sent from outside the hotel to any public address.
- Messages can be sent internally to any address.
- Messages cannot be sent from outside the hotel to any private address.
Let’s check out a couple of examples.
Routing mail from outside the hotel to the manager’s office
Someone from outside Le Hotel has addressed a letter of complaint to the manager.
The mail carrier doesn’t know where 34.2 is inside the hotel, so he drops it off at the mail room.
The mail room knows where all the publicly-addressed rooms are, so they’re able to finish the delivery internally.
The manager didn’t bother responding to the complaint, by the way. The guest was an ass to the staff and he won’t be welcome back in Le Hotel any time soon.
Routing mail from the manager’s office to a guest room
The manager needs to send a voucher for a free drink up to room 10.18. The bar ran out of purple M&Ms last night, and she’s desperately trying to placate the guests.
Now, remember the rule about mail delivery that we established in the subnet primer?
If you know exactly where a message’s destination is then you have to deliver it yourself. You’re only allowed to dump it on someone else to deliver on your behalf if you don’t know where the destination is.
The manager doesn’t know exactly where 10.18 is because it’s on another floor, so she sends the voucher to the mail room on her floor at 10.1 to deliver the rest of the way.
The mail room at 10.1 also can’t deliver directly to 10.18 – but the staff know a nearer mail room, so they take it up to 10.17.
Finally, the staff in the mail room at 10.17 know exactly where 10.18 is, so they finish the delivery.
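The two stories above (the complaint from outside to 34.2, and the voucher from the manager to 10.18) as a runnable model. This is an added example, not the article’s own code. It uses the article’s two-octet room addresses, the public block 34.0/8, the private block 10.0/8, the mail rooms 10.1 and 10.17, guest room 10.18 and the manager’s public address 34.2; everything else is an assumption: the manager’s private room is taken to be 10.2, the hotel is split into two floors of sixteen rooms (10.0/12 and 10.16/12), and the mail room at 10.1 doubles as the one where carriers drop off outside mail. Each room keeps a small forwarding table and picks the longest matching prefix, which is the “deliver it yourself if you know where it is, otherwise hand it to a mail room” rule; the mail room also enforces the rule that nothing from outside may be addressed into 10.0/8.

```python
"""Toy model of Le Hotel's addressing and mail routing (added example,
not the article's code). Addresses are 16-bit, written as two octets."""
from dataclasses import dataclass, field

PUBLIC_BLOCK = "34.0/8"      # allocated to Le Hotel by the numbers authority
PRIVATE_BLOCK = "10.0/8"     # reserved for every hotel's internal use
DEFAULT_ROUTE = "0.0/0"      # matches everything: "hand it to the mail room"

FLOOR0, FLOOR1 = "10.0/12", "10.16/12"  # assumed: rooms 10.0-10.15, 10.16-10.31
MAIL0, MAIL1 = "10.1", "10.17"          # the two mail rooms in the article
MANAGER, GUEST = "10.2", "10.18"        # 10.18 from the article; 10.2 assumed
# Which room answers for each public address. Only the manager's 34.2 is
# named in the article; the other two public rooms are not.
PUBLIC_TO_ROOM = {"34.2": MANAGER}


def parse_addr(text: str) -> int:
    """'10.18' -> 16-bit integer. Octets cap at 255, as in the article."""
    hi, lo = (int(part) for part in text.split("."))
    if not (0 <= hi <= 255 and 0 <= lo <= 255):
        raise ValueError(f"octet out of range in {text!r}")
    return (hi << 8) | lo


def in_block(addr: str, cidr: str) -> bool:
    """Does addr fall inside the CIDR block? Compare the prefix bits only."""
    net, bits = cidr.split("/")
    mask = (0xFFFF << (16 - int(bits))) & 0xFFFF
    return parse_addr(addr) & mask == parse_addr(net) & mask


def is_private(addr: str) -> bool:
    return in_block(addr, PRIVATE_BLOCK)


@dataclass
class Room:
    """A room with a forwarding table of (cidr, next_hop) entries.
    next_hop None means 'I know exactly where that is: deliver it myself'."""
    addr: str
    routes: list = field(default_factory=list)

    def next_hop(self, dest: str):
        # Longest-prefix match, as a real router does: the most specific
        # matching entry wins; 0.0/0 is the fallback of last resort.
        best = None
        for cidr, hop in self.routes:
            if in_block(dest, cidr):
                bits = int(cidr.split("/")[1])
                if best is None or bits > best[0]:
                    best = (bits, hop)
        if best is None:
            raise LookupError(f"{self.addr} has no route to {dest}")
        return best[1]


def build_hotel() -> dict:
    """Forwarding tables for the rooms that appear in the two stories."""
    return {
        MANAGER: Room(MANAGER, [(FLOOR0, None), (DEFAULT_ROUTE, MAIL0)]),
        MAIL0: Room(MAIL0, [(FLOOR0, None), (FLOOR1, MAIL1)]),
        MAIL1: Room(MAIL1, [(FLOOR1, None), (FLOOR0, MAIL0)]),
        GUEST: Room(GUEST, [(FLOOR1, None), (DEFAULT_ROUTE, MAIL1)]),
    }


def deliver(rooms: dict, src, dest: str, from_outside: bool = False) -> list:
    """Trace a message hop by hop; returns the rooms it passes through."""
    if from_outside:
        # Outside mail may only be addressed to a public address...
        if is_private(dest):
            raise PermissionError(f"{dest} is private: unreachable from outside")
        if not in_block(dest, PUBLIC_BLOCK):
            raise LookupError(f"{dest} is not one of Le Hotel's addresses")
        # ...and the carrier, not knowing the building, leaves it at the mail
        # room, which knows which room holds each public address.
        src, dest = MAIL0, PUBLIC_TO_ROOM[dest]
    path, current = [src], src
    while current != dest:
        hop = rooms[current].next_hop(dest)
        current = dest if hop is None else hop
        path.append(current)
    return path


def reachable_from_outside(rooms: dict, dest: str) -> bool:
    try:
        deliver(rooms, None, dest, from_outside=True)
        return True
    except (PermissionError, LookupError, KeyError):
        return False


if __name__ == "__main__":
    hotel = build_hotel()
    print("complaint to 34.2:", " -> ".join(deliver(hotel, None, "34.2", from_outside=True)))
    print("voucher to 10.18: ", " -> ".join(deliver(hotel, MANAGER, GUEST)))
    print("10.18 from outside:", reachable_from_outside(hotel, GUEST))
```

Running it prints the two paths from the stories (10.1 -> 10.2, and 10.2 -> 10.1 -> 10.17 -> 10.18) and shows that an outside letter to 10.18 is refused at the mail room rather than forwarded. The longest-prefix rule is what lets the manager’s table stay tiny: one entry for her own floor and one catch-all for everything else.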
And the guest was so grateful, she bought the mail staff a round of drinks.
Private addresses in real-world networks
In our made-up world, the 10.0/8 block is reserved for private hotel room addresses.
In real-world networks, three IPv4 ranges are reserved for private addresses.
|CIDR|First address|Last address|
|---|---|---|
|10.0.0.0/8|10.0.0.0|10.255.255.255|
|172.16.0.0/12|172.16.0.0|172.31.255.255|
|192.168.0.0/16|192.168.0.0|192.168.255.255|
Any device that should be accessible only by other devices on your network, and not via the public Internet, should have an IPv4 address within one of those ranges. Chances are, your home network is already configured to assign addresses within one of them.
My home network, for example, allocates addresses from the 192.168.0.0/16 range. My laptop has address
My iPhone is on the same network, and is assigned the address
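Checking a real address against those three ranges is something you end up doing in log analysis, firewall rules and allow-lists, so here is an added example (not code from the article) using only Python’s standard ipaddress module. It computes the table above rather than typing it out, and it separates “private” in the RFC 1918 sense from the wider set of reserved addresses that ipaddress reports as not global (loopback, link-local, documentation and carrier-grade NAT space), because ipaddress’s own is_private flag is true for 127.0.0.1 and is therefore the wrong test when you mean “addressed inside my own network”. The sample address list is constructed for illustration.

```python
"""Classify IPv4 addresses against the three RFC 1918 private ranges.
Added example, not code from the article; standard library only."""
import ipaddress

# The three reserved ranges from the table above.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_table() -> list:
    """(cidr, first address, last address, size) for each block: the table
    above, computed so the /12 boundary (172.31.255.255) is never mistyped."""
    return [(str(n), str(n[0]), str(n[-1]), n.num_addresses) for n in RFC1918]


def is_rfc1918(addr: str) -> bool:
    """True only for the three private blocks, nothing else."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in n for n in RFC1918)


def classify(addr: str) -> str:
    """'private' (RFC 1918), 'special' (reserved for some other purpose:
    loopback, link-local, documentation, carrier-grade NAT...) or 'public'.
    ipaddress.is_private is wider than RFC 1918 (True for 127.0.0.1, for
    instance), so it is deliberately not used as the 'private' test here."""
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "private"
    if not ip.is_global:
        return "special"
    return "public"


# Constructed sample: source addresses as they might appear in a server log.
SAMPLE_SOURCES = [
    "192.168.1.20",    # home LAN
    "10.18.0.7",       # private
    "172.31.255.254",  # last address of 172.16.0.0/12: still private
    "172.32.0.1",      # one past the /12 boundary: public (a common mistake)
    "127.0.0.1",       # loopback: is_private says True, but it is not RFC 1918
    "100.64.0.1",      # carrier-grade NAT space: reserved, not RFC 1918
    "34.2.0.1",        # public
]


def from_outside(addrs) -> list:
    """The addresses that could plausibly have arrived over the public Internet."""
    return [a for a in addrs if classify(a) == "public"]


if __name__ == "__main__":
    for cidr, first, last, size in rfc1918_table():
        print(f"{cidr:16} {first:16} {last:16} {size:>10}")
    for a in SAMPLE_SOURCES:
        print(f"{a:16} {classify(a)}")
    print("from outside:", from_outside(SAMPLE_SOURCES))
```

The 172.16.0.0/12 block is the one people get wrong most often: it covers 172.16.x.x through 172.31.x.x only, so 172.32.0.1 is a public address, and the example flags it as such.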
Isolation isn’t guaranteed, but let’s save that discussion for later
With all that said, a device having a private address is not a guarantee that it’s completely inaccessible via the public Internet.
Strategies like Network Address Translation allow “private” devices to receive responses to requests they send to public devices, and port forwarding allows your “private” devices to be almost as public as anything with a public address.
But let’s save all those for another time.
For now, that’s the difference between public and private addresses:
- Public addresses are globally unique.
- Private addresses are members of 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, and are unique only on their own network.