When is something “private” not Private

Tony posts that one should sanitize the ipconfig /all output that gets posted in the newsgroups, and I’d like to clarify one point he’s made.  He says that you should clean out the 192.168.16.x and 10.0.0.x addresses in your post, and I disagree.  While those are class C and class A “private” ranges, they are such well-known internal IP address ranges that IMHO you aren’t disclosing anything that your email header doesn’t already give away more of.  I would recommend taking off an “external” IP address [something your ISP gave you], but posting ipconfig /all shouldn’t be a worry for also exposing your ISP’s DNS info [and it’s not like an ISP’s DNS isn’t googlable anyway].  We as SBSers don’t “host” our own public DNS.


So what are the standard IP addresses that are considered “private” but so widely used by everyone that they’re common knowledge?  There’s a page here that talks about the “standards”.  In general in SBS land, back in the SBS 4.0/4.5 days we used a “class A” range with a kind of “class C” subnet mask.  What’s a subnet mask?  It’s the part of the IP address that lets that system know how big a network range it’s going to talk to.


Back in SBS 4.0/4.5 we used 10.0.0.2 with a 255.255.255.0 mask.  That meant that as long as a computer had an IP address that started with 10.0.0.X, our server would “talk” to that system.  You’ll also see it noted as 10.0.0.X/24.


Now in SBS 2003 our default “base” range is a classic “C” address of 192.168.16.x [where the server is normally 192.168.16.2].  Again the subnet mask of 255.255.255.0 makes that system “talk” only to the 250-some-odd systems in that range.  What that 255.255.255.0 mask really means is this.


As per RFC 1918, these addresses are “non-routable”; they are your “inside” addresses.  What many consultants do is pick that 172.16.x.x range, which is more often than not NOT in an SBS network, and thus any static VPN routing that the internal firm may do won’t mess with that consultant’s own ranges and settings.


What do I mean by Class “A” and Class “C”?  These are agreed-upon naming ranges for “private” non-routable addresses.  Typically Class A is 10.x.x.x with a netmask of 255.0.0.0 and Class C is 192.168.16.x with a netmask of 255.255.255.0.  Thus in the SBS 4.0/4.5 days our 10.0.0.x with a subnet mask of 255.255.255.0 was kinda not exactly the best setup.  Our new default of 192.168.16.x is the proper way to name our internal range.


Class   Range of Addresses
A       Any addresses in 10.x.x.x
B       Addresses in the range of 172.16.x.x-172.31.x.x
C       Addresses in the range of 192.168.0.x-192.168.255.x


Computers really talk in “on” and “off”, so 255 is in reality the binary value 11111111.


Reading from right to left, each bit position is worth double the one before it (powers of two), so 255 is the total of


128   64   32   16    8    4    2    1  = 255

  1    1    1    1    1    1    1    1  = 255


Which is telling that system to match every single number of the IP “octet” [the numbers between the “.”] against the IP address that you are comparing it to. So a 192.168.16.2 with a subnet mask of 255.255.255.0 can talk to a 192.168.16.200 that also has a subnet mask of 255.255.255.0, because the “0” at the end is telling the system “okay, you talk to ANYTHING in the 192.168.16.1 to 192.168.16.255 range and I won’t care”.


See how it works?


So when your ISP gives you an external, REALLY PUBLIC IP address and the netmask is set to 255.255.255.248, it’s saying the following:


128   64   32   16    8    _    _    _  = 248

  1    1    1    1    1    0    0    0  = 248


And because 1 + 2 + 4 = 7, your ISP has just given you only “that” many IP addresses that your public IP can talk to [normally a gateway IP address and 6 public IP addresses].   Get it? [Assuming I'm doing that right, someone correct me if I'm wrong]
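As an added example (not part of the original post), here is a short Python script that does the mask arithmetic above with the standard library’s ipaddress module: it shows a dotted-decimal mask as the eight-bit octets drawn out above, adds up the place values of the “1” bits, checks whether two hosts share a network ID under a given mask, and counts the addresses a block hands out. The 203.0.113.8 block is a constructed sample public address (from the TEST-NET-3 documentation range), not anyone’s real assignment.

```python
import ipaddress


def mask_to_bits(mask: str) -> str:
    """Show a dotted-decimal mask as four binary octets, e.g.
    255.255.255.248 -> '11111111.11111111.11111111.11111000'."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def octet_value(bits: str) -> int:
    """Add up the place values 128, 64, ..., 1 of the '1' bits in one octet."""
    return sum(128 >> position for position, bit in enumerate(bits) if bit == "1")


def network_id(ip: str, mask: str) -> str:
    """AND the address with the mask; the part the mask covers is the network ID."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts talk directly when the mask leaves them with the same network ID."""
    return network_id(ip_a, mask) == network_id(ip_b, mask)


def block_size(ip: str, mask: str) -> dict:
    """Count the addresses a mask hands out and how many a host may actually use.
    The all-zeros (network) and all-ones (broadcast) addresses are reserved."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    total = net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total": total,
        "usable": total - 2 if total > 2 else total,
    }


if __name__ == "__main__":
    print(mask_to_bits("255.255.255.0"))                                   # the SBS default mask
    print(network_id("10.0.0.2", "255.255.255.0"))                          # the old SBS 4.x layout, written as /24
    print(same_network("192.168.16.2", "192.168.16.200", "255.255.255.0"))  # server and workstation
    # Constructed sample public block (TEST-NET-3), ISP-style 255.255.255.248 mask.
    print(block_size("203.0.113.8", "255.255.255.248"))
```

The script relies only on the standard library, so it runs anywhere Python 3 is installed; block_size is the quick way to check what a 255.255.255.248 mask really hands out before you count on a given number of public addresses.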


So, bottom line: when you post your ipconfig /all in the public newsgroups, DO clear out any PUBLIC IP addresses that your ISP gave you, but I would argue there’s no need to clear out the 192.168.16.x stuff.  It wouldn’t take a rocket scientist to know that we’re “supposed” to be using those inside our networks.
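As an added example (not part of the original post), here is a Python sanitizer that applies exactly that rule to a pasted ipconfig /all: every IPv4 address that is not in an RFC 1918 range is replaced with a placeholder, while the 192.168.x.x / 10.x.x.x / 172.16-31.x.x addresses and the subnet masks are left alone so the person answering can still see the layout. The sample ipconfig text is constructed for the example; the public-looking addresses in it come from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24), not from any real ISP.

```python
import ipaddress
import re

# RFC 1918 "inside" ranges: the post's point is that these are common knowledge.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rfc1918(addr: str) -> bool:
    """True for a private (RFC 1918) address; False for anything else or junk."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def is_netmask(addr: str) -> bool:
    """A dotted-decimal mask is a run of 1 bits followed by 0 bits, so its
    32-bit form never contains '01'.  255.255.255.248 qualifies; 203.0.113.10 does not."""
    try:
        value = int(ipaddress.IPv4Address(addr))
    except ValueError:
        return False
    return "01" not in f"{value:032b}"


def sanitize_ipconfig(text: str, placeholder: str = "x.x.x.x") -> str:
    """Replace every public IPv4 address in ipconfig output, keep private ones and masks."""
    def redact(match: re.Match) -> str:
        token = match.group(0)
        if is_rfc1918(token) or is_netmask(token):
            return token
        return placeholder
    return IPV4_RE.sub(redact, text)


# Constructed sample of what ipconfig /all prints on a two-NIC SBS box.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : sbsserver
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Server Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter Network Connection:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.9
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
"""

if __name__ == "__main__":
    print(sanitize_ipconfig(SAMPLE_IPCONFIG))
```

Run it with the output of ipconfig /all on standard input or pasted into SAMPLE_IPCONFIG and post the result. One caveat: the netmask test is a bit pattern check, so an address such as 128.0.0.0 that happens to look like a mask would be kept; if that matters, key the decision on the “Subnet Mask” label instead.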

2 Thoughts on “When is something “private” not Private”

  1. Nice start on a topic some might find hard to understand, Susan.

    For the real newbies, I would further suggest this metaphor:

    When you lay the subnet mask over your IP address to split it into a "Network ID" part (hidden by the mask) and the "Host ID" (left exposed by the mask), the two parts are similar to a typical postal address…

    NetworkID = Streetname

    HostID = House Number

    So, in this way think of all the houses on your street as your network and each house as a workstation in your network.

    And, when I wrote about "sanitizing" the NetworkID when posting, it’s comparable to changing your streetname. You might actually be living on Elm street but you’re telling everyone you’re living on Main Street instead. Then when the answer comes back you can figure out the diff in your head or do a "Search and Replace" so everything is exactly what is in your network.

    As for whether a Class A private network with a 24 bit mask which was assigned to SBS4.x is worse than today’s SBS2K3 default Class C private network, I doubt there really is any kind of practical difference. SBS networks are so small, as long as you leave yourself a little bit of room to supernet or subnet the network you begin with you should be OK and both SBS setups likely give you that with plenty to spare.

    By this, I mean that

    - You can configure at least one and more new networks in the same Network Class (A, B or C) and configure a subnet mask enabling access to all networks while still being private (This is supernetting)

    - You can break your existing network into individual smaller networks by simply configuring a more restrictive subnet mask and doing nothing more (This is subnetting).

    Since SBS networks support only a maximum of up to 75 workstations today and a maximum of one Windows Domain, even if someone were to go hog wild supernetting or subnetting, I wouldn’t think that more than about 200 addresses or 5 networks would be configured, and I would be surprised to see someone configure even that many addresses or networks (I’m pretty nuts in my own private network and I’m not up there). Again, I think that both earlier and current conventions support these numbers easily.

    Last notes, actually I don’t see much point to hiding any public addresses, more than likely they exist and are configured that way because you <want> them publicized, those are the addresses you use to connect to your network from the Internet. Because they’re publicized all over the place and intentionally, hiding those numbers wouldn’t have any purpose.

    On the other hand, I’ll still suggest the typical person has nothing to gain and much to potentially lose publicizing their actual private network… :)

    Tony

  2. Travis on January 5, 2005 at 12:07 pm said:

    Great Info, both by the author and Tony.

    I just wanted to point out a few things in the example given toward the end. First off, with a 248 subnet mask it is correct that 1 + 2 + 4 = 7, however we are forgetting the zero in this case. There are actually 8 addresses, but at the same time all 0’s and all 1’s cannot be used for the client address (these are local network and broadcast addresses). So in fact with a 248 mask you end up with 8 addresses where 2 are reserved, and of the 6 left you usually need one for a router, leaving you 5 usable for hosts on that network.

    It’s a common mistake for some companies to want 2 addresses on the internet and to think they can use a 252 mask from their ISP, when in fact they only end up with 1 usable address by the time you take out reserved addresses and a router address.

    Travis
