This site requires JavaScript to be enabled

Use of RFC 1918 "Private Addresses" on the UC Berkeley Campus Network

8037 views

2.0 - Updated on 2022-09-28 by Sean Schluntz

1.0 - Authored on 2017-09-13 by Sean Schluntz

RFC 1918, "Address Allocation for Private Internets," specifies ranges of IP addresses that will never be routable on the global Internet. These addresses can therefore be used on "private" networks without concern for potential addressing conflicts with other networks.

However, RFC 1918 addresses are routable inside an enterprise. As stated in RFC 1918:

"... an enterprise needs to determine which hosts do not need to have network layer connectivity outside the enterprise in the foreseeable future and thus could be classified as private. Such hosts will use the private address space defined above [in RFC 1918]. Private hosts can communicate with all other hosts inside the enterprise, both public and private."

The ability for "private hosts" (i.e. hosts using RFC 1918 addresses) to communicate with all other hosts in the enterprise dictates that RFC 1918 addresses may be routed inside the enterprise.

Some Berkeley campus sysadmins use RFC 1918 addresses in order to assure that the devices using these addresses cannot be reached by any other device outside the "private" network, including elsewhere on campus. Neither privacy or access restrictions are actually guaranteed by RFC 1918. Sysadmins seeking to protect their systems should rely on network firewalls, such as the bSecure firewall service, instead of RFC 1918 addresses. 

While RFC 1918 requires that DNS information about RFC 1918 addresses must not be visible outside the enterprise bIT believes that any IP address that is used should be registered in the DNS. This means that DNS entries that point to RFC 1918 addresses are visible from the Internet even while the addresses themselves are not reachable from non-Campus networks. Also note that IPv6 addresses can be assigned to hosts with RFC 1918 IPv4 addresses and all IPv6 addresses are globally routable. This means a host with an RFC 1918 address and an IPv6 address can be reached from the Internet using IPv6 unless a firewall or similar access limiting technology is employed. 

The purpose of this document is to describe a set of conventions that will allow campus sysadmins to use RFC 1918 addresses today, with reasonable confidence that the use of these addresses will not cause serious conflict in the future. Specifically, this document identifies ranges of RFC 1918 address that bIT will not route inside campus, as well as ranges that might someday be routed inside campus.

I. RFC 1918 address ranges are:

     10.0.0.0/8         (10.0.0.0 - 10.255.255.255)
     172.16.0.0/12      (172.16.0.0 - 172.31.255.255)
     192.168.0.0/16     (192.168.0.0 - 192.168.255.255)

As required by RFC 1918, these addresses will never be routed outside the campus network.

II. RFC 1918 addresses that bIT will not route inside campus are:

     10.0.0.0/12        (10.0.0.0 - 10.15.255.255)
     192.168.0.0/16     (192.168.0.0 - 192.168.255.255) 

Campus computer users can use addresses in those two ranges however they like, confident that these addresses will not be routed by bIT.

III. RFC 1918 addresses that bIT may route inside campus are:

    10.16.0.0/12
    10.32.0.0/11
    10.64.0.0/10
    10.128.0.0/9
     (10.16.0.0 - 10.255.255.255)
    172.16.0.0/12      (172.16.0.0 - 172.31.255.255)

RFC 1918 addresses in the blocks listed immediately above can be routed inside campus. Campus sysadmins who might someday want to take advantage of this -- i.e. who want to use RFC 1918 addresses that can be routed on the campus network -- should choose RFC 1918 addresses according to the guidelines in the following section ("IV. Guidelines...").

Note:Choosing RFC 1918 addresses from the list above, in adherence with the guidelines below, does not mean that these addresses will automatically be routed: at least initially, routing of RFC 1918 address will only happen when requested. (Routing requests should be submitted through the Telecom Catalog)

IV. Guidelines for choosing RFC 1918 addresses to use on the campus network:

Guideline (1)
If the RFC 1918-addressed devices will somehow connect (e.g. through a NAT device) to a campus subnet in one of the three main address ranges -- 128.32.0.0/16, 136.152.0.0/16, 169.229.0.0/16 -- replace the first octet with 10, as follows:
if your subnet is 128.32.x.y/N --> use 10.32.x.y/N
if your subnet is 136.152.x.y/N --> use 10.152.x.y/N
if your subnet is 169.229.x.y/N --> use 10.229.x.y/N

Note that the lowest number in the RFC 1918 address range should be left reserved for the router interface; the highest number in the RFC 1918 address range is reserved for the broadcast address.

Example: if your subnet is 128.32.155.0/25, use RFC 1918 address range 10.32.155.0/25, with 10.32.155.1 reserved for the router and 10.32.155.127 reserved for broadcast.

Guideline (2)
If your subnet campus subnet has some other address range (i.e. 192.31.161.z/N, 192.35.209.z/N, 192.58.221.z/N, etc.) open a support ticket through Campus Shared Services. As in guideline (1), the lowest and highest address in the RFC 1918 address block are reserved.
Guideline (3)
Guidelines (1) and (2) prevent the condition where private nets on different campus subnets use the same RFC 1918 addresses, which would cause problems if the addresses are routed inside campus. However, guidelines (1) and (2) do not prevent use of of the same RFC 1918 address range on two or more private networks within a single campus subnet. if this problem occurs, report the problem through Campus Shared Services.
Guideline (4)
Guidelines (1) and (2) limit the number of RFC 1918 addresses to the number of hosts on the conventional campus subnet. if this is too restrictive open a request through Telecom Catalog.
Guideline (5)
Guidelines (1)-(4) will not meet all situations, but following them will minimize future problems, and maximize the chances that any RFC 1918 addresses you adopt will be routable in the future. If guidelines (1)-(4) don't meet your needs, please open a request through Telecom Catalog.