1. RFC 1918: The Non-Routable Sanctuaries
In 1996, as the reality of IPv4 depletion set in, the IETF published **RFC 1918**, reserving three blocks of IP addresses for internal use. These addresses are "Non-Routable," meaning every house and office on earth can reuse them simultaneously without conflict, because packets carrying them are never forwarded across the public Internet and so never meet each other.
10.0.0.0/8
16.7 million addresses. Used by global corporations and data center fabrics for internal east-west traffic.
172.16.0.0/12
1.04 million addresses. Frequently used for infrastructure management interfaces and out-of-band (OOB) networks.
192.168.0.0/16
65,536 addresses. The ubiquitous home network standard. 99% of consumer routers default to this block.
The History of Choice
Why were these specific ranges chosen? The authors of RFC 1918 (Rekhter, Karrenberg, et al.) chose ranges that covered Class A, B, and C sizes to ensure compatibility with classful routing hardware of the era. The 10.0.0.0/8 block was a single Class A network, the 172.16 block covered 16 Class B networks, and the 192.168 block covered 256 Class C networks.
Forensic Boundary: Bogon Filtering
A **Bogon Filter** is an ACL that ISPs apply to their Internet-facing interfaces. It explicitly denies any packet entering the provider network whose source address falls in an RFC 1918 block. This stops **IP Spoofing** of private source addresses at the edge and ensures that 'Martian' packets (packets with addresses that should never appear on the public Internet) cannot transit the global core.
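The ingress check described above, as an added example that is not part of the original article: a small Python bogon filter run over constructed ingress records. It goes slightly beyond the RFC 1918 blocks by also denying the other reserved ranges a bogon list normally covers (shared address space, loopback, link-local); the sample addresses and the record format are constructed for the example.

```python
import ipaddress

# Source ranges a provider-edge bogon ACL denies on ingress: the three
# RFC 1918 blocks plus other reserved space that should never arrive
# from the public Internet.
BOGON_SOURCES = {
    "10.0.0.0/8": "RFC 1918 private (one Class A)",
    "172.16.0.0/12": "RFC 1918 private (16 Class B)",
    "192.168.0.0/16": "RFC 1918 private (256 Class C)",
    "100.64.0.0/10": "RFC 6598 shared address space (CGNAT)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "0.0.0.0/8": "this-network",
}
BOGON_NETS = [(ipaddress.ip_network(n), why) for n, why in BOGON_SOURCES.items()]

def classify_source(addr):
    """Return why addr is a bogon source, or None if it may enter from the Internet."""
    ip = ipaddress.ip_address(addr)
    for net, why in BOGON_NETS:
        if ip in net:
            return why
    return None

# Constructed sample of packets arriving on the Internet-facing interface,
# one "src dst proto" triple per line (not from a real capture).
SAMPLE_INGRESS = """\
203.0.113.7 198.51.100.20 tcp
10.1.1.5 198.51.100.20 udp
192.168.1.1 198.51.100.22 icmp
100.72.15.22 198.51.100.20 tcp
198.51.100.99 198.51.100.20 tcp
"""

def apply_bogon_filter(log_text):
    """Split ingress records into (permitted, denied); denied entries carry the ACL reason."""
    permitted, denied = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed records rather than guessing
        src, dst, proto = fields
        reason = classify_source(src)
        if reason is None:
            permitted.append((src, dst, proto))
        else:
            denied.append((src, dst, proto, reason))
    return permitted, denied
```

Of the five constructed records, the two with documentation-range public sources pass and the three with private, private and shared-space sources are denied with their reason attached.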
2. The Public IP: Ownership & BGP Forensics
A Public IP is a globally unique identifier assigned by **IANA** via the Regional Internet Registries (RIRs) like ARIN or RIPE. To have a public IP is to be visible to the entire world.
The AS (Autonomous System) Tie
Public IPs don't just 'exist'; they are announced via **BGP (Border Gateway Protocol)**. A block of public IPs (e.g., a /24) is associated with an **ASN (Autonomous System Number)**. When you trace a public IP, you are really tracing the path to the AS that owns that block.
IP Geolocation Forensics
Because public IP assignments are public record, services like MaxMind can map an IP to a physical city, ISP, and even a building. Private IPs have NO geolocation; a 192.168.1.1 exists in every city on earth simultaneously.
3. CGNAT (RFC 6598): The Last Lifeline
When even ISPs ran out of public IPs, they implemented **Carrier-Grade NAT (CGNAT)**. This is "NAT within NAT." To prevent collisions with customer internal networks, the IETF reserved **100.64.0.0/10**.
Shared Address Space
The 100.64.0.0/10 range is known as **Shared Address Space**. It is routable within the ISP's network but dropped on the public internet. If your router's WAN port shows an IP like 100.72.15.22, you are sharing a public IP with potentially thousands of other subscribers.
CGNAT Forensic Impacts:
- Bulk Port Allocation: ISPs don't assign ports one-by-one. They assign a block (e.g., 512 ports) to each subscriber. Once you have used all 512 ports in simultaneous connections, new flows are dropped.
- Deterministic NAT: High-scale ISPs use a fixed mathematical formula (often described as a hash) to map internal IPs to external port blocks. Because the mapping can be recomputed, law enforcement can "reverse" the NAT from an external port alone, without the ISP keeping massive per-session log databases.
- Inbound Hosting: You cannot Port Forward through CGNAT because the external IP doesn't belong to your router.
- Reputation Logic: If one "bad actor" on your ISP is blacklisted, every user sharing that public IP might be blocked from the same service.
The Application Layer Gateway (ALG) Problem
Some protocols (like FTP or SIP) "embed" the IP address inside the data payload. When NAT rewrites the header IP, the address inside the payload is left unchanged and no longer matches, which breaks the connection. To solve this, routers use **ALGs** that perform Deep Packet Inspection and rewrite the address inside the data. However, ALGs are notorious for high CPU usage, and because they cannot see into modern encrypted streams their blind rewriting is a well-known source of "garbage" data corruption.
4. NAT Hydraulics: Swapping the Labels
To move traffic from a Private IP to a Public IP, the router must perform a **NAT/PAT (Port Address Translation)** operation. This is essentially a high-speed database lookup for every packet.
The NAT Table Forensic Trace
Notice how two different internal hosts are using the SAME public IP (1.2.3.4), differentiated only by the **Source Port** (10522 vs 10523). This is the 'Hydraulic' pressure of the 32-bit limit—squeezing multiple internal identities through a single global port.
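The two-host translation described above, together with the bulk port allocation and deterministic NAT points from section 3, as an added example that is not part of the original article: a Python PAT table for one public IP. With no block size it reproduces the trace (10522, then 10523, sharing 1.2.3.4); with a block size it becomes a deterministic, per-subscriber block allocator whose ports can be reversed to a subscriber by formula. The internal hosts, destinations and the subscriber order are constructed assumptions.

```python
PUBLIC_IP = "1.2.3.4"   # shared public address from the trace above
PORT_BASE = 10522       # first translated source port, as in the trace

class PAT:
    """Port Address Translation table for one public IP.

    block_size=None: one shared sequential pool (the trace: 10522, 10523, ...);
    reversing an external port to a subscriber then needs the session log.
    block_size=N: deterministic NAT, host i owns [PORT_BASE+i*N, PORT_BASE+(i+1)*N);
    the port alone identifies the subscriber, and flows beyond N are dropped.
    """

    def __init__(self, hosts, block_size=None):
        self.hosts = list(hosts)             # constructed: fixed subscriber order
        self.block_size = block_size
        self.sessions = {}                   # ext_port -> (src_ip, src_port, dst)
        self.used = {ip: 0 for ip in hosts}  # flows allocated per host
        self.pool_next = PORT_BASE

    def translate_out(self, src_ip, src_port, dst):
        """Map an outbound flow to (PUBLIC_IP, ext_port); None when no port is available."""
        if self.block_size is None:
            ext_port = self.pool_next
            self.pool_next += 1
        else:
            off = self.used[src_ip]
            if off >= self.block_size:
                return None   # bulk block exhausted: new flows dropped (section 3)
            ext_port = PORT_BASE + self.hosts.index(src_ip) * self.block_size + off
        if ext_port > 65535:
            return None       # 16-bit port space exhausted
        self.used[src_ip] += 1
        self.sessions[ext_port] = (src_ip, src_port, dst)
        return PUBLIC_IP, ext_port

    def translate_in(self, ext_port):
        """Inbound reply: look the external port up in the session table."""
        return self.sessions.get(ext_port)

    def subscriber_from_port(self, ext_port):
        """Forensic reversal without the session log; only possible for deterministic NAT."""
        if self.block_size is None:
            return None
        i = (ext_port - PORT_BASE) // self.block_size
        return self.hosts[i] if 0 <= i < len(self.hosts) else None
```

Run the sequential table for the trace and the block-size-512 table to see the second subscriber land at 10522 + 512 instead of 10523, and to see its 513th flow refused.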
6. Private IPs: Security vs. Obsolescence
A common misconception is that Private IPs are "Secure" because they are hidden. While NAT provides a basic barrier against unsolicited inbound traffic, it does nothing once an attacker is inside the perimeter.
Lateral Movement Forensics
Once an attacker compromises a single workstation, they can scan the entire 10.0.0.0/8 network internally. Private IPs provide NO logical separation unless **Micro-segmentation** or **Zero Trust** is implemented. The "Hard Shell, Soft Center" model of RFC 1918 networks is the primary reason for massive data breaches.
7. IPv6: The End of Private Translation?
IPv6 is designed for a world where every grain of sand on earth can have a unique Public IP. However, the concept of "Local" still exists for administrative stability.
GUA (Global Unicast)
The equivalent of a Public IP. Every device has one, and it is routable across the entire internet.
ULA (Unique Local)
Addresses in fd00::/8. The IPv6 counterpart of RFC 1918 space: unique to your site, but never routed beyond the building.
With IPv6, we no longer need NAT for address conservation, but we still use it for Network Prefix Translation (NPTv6) to allow for easier ISP switching without renumbering the entire internal network.
8. Case Study: The IP Conflict Storm
The Incident
Company A merged with Company B. Both had been using 10.1.1.0/24 for their primary servers. When the VPN tunnel was established, half the servers became unreachable as routers had "Equal Cost" paths to the same IP block in two different locations.
Remediation: We implemented Twice NAT (Double-NAT), where the router translates the Source IP and the Destination IP at the same time to hide the conflict.
9. Technical Encyclopedia: Global vs. Local
**Bogon List**: A list of IP ranges that should not be visible in the global routing table, including private, reserved, and unallocated space.
**CGNAT**: Carrier-Grade NAT. Large-scale NAT used by ISPs to share one public IP among thousands of subscribers.
**Ephemeral Port**: A temporary port number used by NAT/PAT to track a session. Range is typically 49152 to 65535.
**GUA**: Global Unicast Address. An IPv6 address that is globally unique and routable on the public internet.
**NAT Traversal**: Techniques like STUN, TURN, or ICE that allow P2P applications to communicate through NAT boundaries.
**RIR**: Regional Internet Registry. Organizations (ARIN, RIPE, APNIC) that manage the allocation of public IPs in their regions.