What are Public and Private IP Addresses?

A public IP address is one that will route on the global Internet. Anyone can connect to a node with a public IP address (assuming that node is connected to the public Internet), whether the sender has a public IP address or not. Before about 1995, all IPv4 addresses were public. We had a monolithic (single-level) address space, kind of like everyone having their own real telephone number. Any node could connect to any other node on Earth.

Some ISPs refer to such an address as a static address. This goes back to the old days when all IPv4 addresses were public (globally routable). In the days of dialup access, ISPs shared a few IPv4 addresses among many customers using dynamic addresses (ones that changed frequently). Each time you called in, you got a different address, and lost it the moment you disconnected (it was then assigned to someone else). For premium service (at extra cost) you could reserve a static address (every time you called you got the same address and didn’t have to share it with anyone else). Today, even private (unroutable) IP addresses can be static (they don’t change over time), but they are no more use than private addresses that change. They still won’t route over the global Internet – nobody can connect to your private address even if it is static. When an ISP says “static address”, be sure it is not a private address. They really should stop using the old term to refer to a “real” (globally routable) IP address.

Unfortunately, the Internet was too successful. Due to its explosive growth, we ran out of real “telephone numbers” (public IPv4 addresses) and had to put most people behind the equivalent of a company PBX (Private Branch Exchange). Each PBX (NAT gateway) has one real “telephone number” (public IPv4 address), and many “extensions” (private IPv4 addresses) behind it. Just as with a company PBX, nobody can “call” (connect to) my extension (private address) directly. All outgoing calls appear to be from the same real telephone number (public IP address). With the Internet, the equivalent of the PBX is the Network Address Translation (NAT) gateway.

If you read the relevant RFCs, the words “temporary measure” are all over the place. NAT and private addresses were never supposed to be used once IPv6 was available. They were just an emergency stopgap measure. They should have been phased out by 2010. Unfortunately, we have an entire generation of network engineers who only know IPv4 and are afraid of IPv6 because it is new and different. They used IPv4 (mostly with NAT) for their entire career, and don’t want to admit that those days are over.

If you have only a private address (extension number) nobody can connect directly to your node. You are a second-class netizen. You can make outgoing connections to first-class netizens (lucky ones who have a public IP address), but nobody from outside of your LAN can connect to you. You can call (connect) from one extension to another behind the NAT gateway (within your company subnet), but for the rest of the world, you can only make outgoing connections. This makes a major difference in the way we use the Internet. One of the changes was the move to large, centralized servers (e.g. mail, FTP, etc.) at telcos and ISPs (who now hold most of the public IP addresses, but won’t share them with us second-class netizens). Actually there are no new (previously unallocated) IPv4 public addresses available, even for telcos and ISPs. They are all gone. Extinct. One with the Dodo bird.

We basically splintered the once monolithic IPv4 Internet into millions of private internets, each using a separate address space from the RFC 1918 blocks of IPv4 addresses. These are the blocks 10/8 (10.x.x.x), 172.16/12 (172.16.x.x to 172.31.x.x) or 192.168/16 (192.168.x.x). Note that the title of the RFC is “Addresses for Private Internets”, not “Private Addresses for the Internet”.

Recently a new block of private addresses was reserved as 100.64/10. These can only be used by telcos and ISPs for the first NAT stage of Carrier Grade NAT (CGN). If you are behind two layers of NAT, you are now a third-class netizen. You have to go through two NAT gateways to get to a public node. This causes even more problems. One layer broke VoIP and IPsec and added some subtle instabilities – two layers break even more things and add even more instabilities.

One of the big problems with CGN is it makes it impossible to tunnel IPv6 through your IPv4-only ISP using 6in4 tunnels. To use 6in4, you need a public IPv4 address on your gateway. It can be the same public IPv4 that you hide behind with NAT, but with CGN you don’t have even a single public IPv4 address in your network, even on the WAN side of your router or firewall. This is why the IETF had planned for the migration to IPv6 to be FINISHED by 2010 – before we ran completely out of public IPv4 addresses. It is now more difficult to get IPv6 in your network unless your ISP gets it for you.
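The three RFC 1918 blocks, the 100.64/10 CGN shared space, and the “does my WAN side hold a real public address?” question that decides whether 6in4 can work can all be checked mechanically. The following is an added example written for this page, not code from the original article; it builds the block list explicitly from the prefixes quoted above rather than relying on a library's notion of “private”, and the firewall log lines, the address 23.45.67.89 and the helper names are constructed for illustration. The loopback, link-local and documentation ranges are added so that those are not mistaken for public either.

```python
import ipaddress
import re

# Blocks named in the article: RFC 1918 ("Addresses for Private Internets")
# and 100.64/10 (the Carrier Grade NAT shared space).
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.x.x to 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.x.x
]
CGNAT_BLOCK = ipaddress.ip_network("100.64.0.0/10")

# Not discussed on the page, but also never routable on the global Internet;
# included so the classifier does not report them as "public".
OTHER_NON_ROUTABLE = [
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    ipaddress.ip_network("192.0.2.0/24"),     # documentation (RFC 5737)
    ipaddress.ip_network("198.51.100.0/24"),  # documentation (RFC 5737)
    ipaddress.ip_network("203.0.113.0/24"),   # documentation (RFC 5737)
]


def classify_ipv4(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'non-routable' or 'public' for an IPv4 string."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918_BLOCKS):
        return "rfc1918"
    if ip in CGNAT_BLOCK:
        return "cgnat"
    if any(ip in net for net in OTHER_NON_ROUTABLE):
        return "non-routable"
    return "public"


def is_globally_routable(addr: str) -> bool:
    """True only for a 'real' public address. A static RFC 1918 address is still False:
    'static' says nothing about routability."""
    return classify_ipv4(addr) == "public"


def can_terminate_6in4(wan_addr: str) -> bool:
    """A 6in4 tunnel needs a public IPv4 on the WAN side of your gateway.
    A 100.64/10 (or RFC 1918) WAN address means the ISP is NATting you (CGN)."""
    return is_globally_routable(wan_addr)


# Constructed firewall log lines (hypothetical format) for the triage helper below.
SAMPLE_LOG = """\
2024-01-01T10:00:01 fw ACCEPT src=192.168.1.20 dst=23.45.67.89 proto=tcp dport=443
2024-01-01T10:00:02 fw ACCEPT src=10.0.0.5 dst=192.168.1.1 proto=udp dport=53
2024-01-01T10:00:03 fw DROP src=23.45.67.89 dst=192.168.1.20 proto=tcp dport=22
2024-01-01T10:00:04 fw ACCEPT src=100.64.3.7 dst=192.168.1.20 proto=tcp dport=80
"""

_LOG_RE = re.compile(r"(?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def crossing_into_lan(log_text: str) -> list:
    """Events whose destination is an RFC 1918 (LAN) address but whose source is not.
    Behind a plain NAT gateway nothing outside can reach a private address, so an
    ACCEPT here points at a port forward or a misconfiguration worth reviewing."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        if classify_ipv4(dst) == "rfc1918" and classify_ipv4(src) != "rfc1918":
            hits.append((src, dst, m.group("action")))
    return hits


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.31.255.254", "172.32.0.1", "100.64.0.1", "23.45.67.89"):
        print(a, classify_ipv4(a), "6in4 possible on WAN:", can_terminate_6in4(a))
    for hit in crossing_into_lan(SAMPLE_LOG):
        print("crossing into LAN:", hit)
```

The address ranges are tested with `in` against explicit networks on purpose: it keeps the classification identical to the prefixes the article lists, independent of how a given Python version's `is_private` treats 100.64/10.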

The good news is that IPv6 has an essentially unlimited supply of public addresses. However, we’ve got to get everyone to convert over to the new addressing model for this to work. We’ve been working on this transition since about 1996, but in the last few years (since the world ran completely out of IPv4 public addresses everywhere) we’ve gotten a lot more serious about it. We are now in the rapid adoption phase. There is no other choice now.