Choosing Public or Private Addresses
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you use a direct (routed) connection to the Internet, you must use public addresses. If you use an indirect connection such as a proxy server or Network Address Translator (NAT), use private addresses. If your organization is not connected to the Internet, use private addresses (rather than "unauthorized" addresses) so that if you later connect to the Internet using an indirect connection, you do not need to change addresses already in use.
If you connect to the Internet by using an Internet service provider (ISP), the ISP might provide only private addresses. The ISP itself uses public addresses to connect to the Internet.
IANA assigns public addresses and guarantees them to be globally unique on the Internet. In addition, routes are programmed into the routers on the Internet so that traffic can reach those assigned public addresses. That is why public addresses can be reached on the Internet.
Private addresses are a predefined set of IPv4 addresses that the designers of the Internet provided for those hosts within an organization that do not require direct access to the Internet. These addresses do not duplicate already assigned public addresses. RFC 1918, "Address Allocation for Private Internets," defines the following three private address blocks:
10.0.0.0/8. The 10.0.0.0/8 private network is a Class A network ID that supports the following range of valid IP addresses: 10.0.0.1 through 10.255.255.254. The 10.0.0.0/8 private network has 24 host bits that a private organization can use for any subnetting scheme within the organization.
172.16.0.0/12. The 172.16.0.0/12 private network can be interpreted either as a block of 16 Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The 172.16.0.0/12 private network supports the following range of valid IP addresses: 172.16.0.1 through 172.31.255.254.
192.168.0.0/16. The 192.168.0.0/16 private network can be interpreted either as a block of 256 Class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The 192.168.0.0/16 private network supports the following range of valid IP addresses: 192.168.0.1 through 192.168.255.254.
Because IANA never assigns IP addresses in the private address space as public addresses, routes for private addresses never exist on the Internet routers. Any number of organizations can repeatedly use the private address space, which helps to prevent the depletion of public addresses.
Private addresses cannot be reached on the Internet. Therefore, Internet traffic from a host that has a private address must either send its requests to an application layer gateway (such as a proxy server), which has a valid public address, or have its private address translated into a valid public address by a NAT before it is sent over the Internet.
For an introduction to TCP/IP and more information about public and private addresses, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at http://www.microsoft.com/reskit).
Network administrators of private networks who have no plans to connect to the Internet can choose any IP addresses they want, even public addresses that IANA has assigned to other organizations. Such potentially duplicate addresses are known as unauthorized (or illegal) addresses. Later, if the organization decides to connect directly to the Internet after all, its current addressing scheme might include addresses that IANA has assigned to other organizations. You cannot connect to the Internet by using unauthorized addresses.
Do not use unauthorized addresses if even the slightest possibility exists of ever establishing a connection between your network and the Internet. On some future date, discovering that you need to quickly replace the IP addresses of all the nodes on a large private network can require considerable time and interrupt network operation.
Network Address Translation
Network address translation, defined in RFC 3022, is the translation process performed by an IP router functioning as a network address translator (NAT). A NAT translates IP addresses from private network addresses used inside an organization to public addresses used outside the organization. Typically, a NAT-enabled router connects an internal corporate network with the Internet and builds a table that maps the connections between hosts inside the network and hosts outside on the Internet.
You can use NAT to map multiple internal private addresses to a single external public IP address. For example, a small business might obtain an ISP–allocated public IP address for each computer on its network. By using NAT, however, the business could use private addressing internally and have NAT map its private addresses to one or more public IP addresses that the ISP allocates.
NAT makes it more difficult for external users to attack systems on a private network. NAT also allows several nodes on the private network, each with its own private address, to share a smaller number of scarcer public addresses to access the Internet. However, although NAT allows you to reuse the private address space, it does not support standards-based network layer security or the correct mapping of all higher layer protocols. One purpose for the large number of addresses made available with the introduction of IPv6 is to make address conservation techniques such as NAT unnecessary.
Windows Server 2003 also supports IPSec NAT traversal (NAT-T), which allows nodes located behind a NAT (that is, they use private addresses) to use Encapsulating Security Payload (ESP) to protect traffic. This capability allows the creation of Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) connections from remote access clients and routers located behind NATs.
For more information about unicast IP routing, including technical information about the NAT routing protocol component of the Routing and Remote Access service, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at http://www.microsoft.com/reskit).