75

Why are home networks prefixed with 192.168?

Why those numbers?

For some historical reasons?

studiohack
alex
  • 1
    Best answer I found so far is https://superuser.com/questions/784978/why-did-the-ietf-specifically-choose-192-168-16-to-be-a-private-ip-address-class – Bram Aug 24 '21 at 12:12
  • 1
    Does this answer your question? [Why did the IETF specifically choose 192.168/16 to be a private IP address class?](https://superuser.com/questions/784978/why-did-the-ietf-specifically-choose-192-168-16-to-be-a-private-ip-address-class) – mwfearnley Jul 05 '22 at 16:08

5 Answers

102

The short answer

An Internet spec called RFC 1918 reserved a few blocks of addresses for "private" networks, which is what you should use when you don't have enough public, routable IP addresses to go around. 192.168/16 was one of those blocks.

The long answer (and then some)

Back in the good old days, everything on the Internet got its own public, routable, "real" IP address that almost never needed to change. It was awesome because anytime you wanted to run some cool new app that implemented some new protocol, or set up your own server at home that was reachable anywhere, you could just run the software and not worry about network address translation (NAT) port forwarding/mapping or ALGs or DMZs or trigger ports or hairpinning. The engineers writing the software also didn't have to become experts in NAT traversal issues just to make their cool idea work out.

But the Internet Assigned Numbers Authority started worrying that they would run out of addresses too quickly, so they made it harder for ISPs to get addresses. So ISPs made it harder for customers to get addresses. By the time home broadband and home networks really started catching on, it had become common practice to give each household just a single public IP address (and even that's about to go away soon). So if you wanted to get more than one machine in your household onto the Internet, you had to run a NAT gateway that fakes like all the machines on your home network are actually sharing the same single public IP address. But all those other machines on your home network needed their own private IP addresses to use to talk to the NAT gateway, and an earlier Internet Engineering Task Force specification called RFC 1918 had defined a few blocks of IP addresses that could be used for private networks like that:

10/8 (10.0.0.0 through 10.255.255.255)
172.16/12 (172.16.0.0 through 172.31.255.255)
192.168/16 (192.168.0.0 through 192.168.255.255)

NAT actually breaks a very important Internet design principle called End to End. Hopefully we'll be able to get back to uninhibited End-to-End connectivity as we move to IPv6. IPv6 has an address space so big we ought never be able to run out, so we should never need NATs on IPv6. It'll hopefully re-open the door to a lot of innovative protocols that are a bit hard to write when all of the machines that would like to use the protocols are behind arbitrary numbers of differently-implemented NATs that manage to break things in lots of different, often subtle ways.

Spiff
  • 12
    Great answer. It's also useful to note that NATing is often a helpful security measure (certainly for home users who may otherwise be vulnerable to inbound attacks). While there are loads of IPv6 addresses to go round, it is quite possible they will go quicker than they should if people are able to reserve/buy large blocks. The reason IPv4 started to run out so soon was a combination of the way classes were implemented and several large organisations buying up multiple class A spaces, which are still registered to them but hardly being used at all. NAT and CIDR together slowed the problem. – AdamV May 28 '10 at 07:53
  • 7
    @AdamV NAT itself is not a helpful security measure. NAT's side-effect of blocking unsolicited incoming connections by default could be seen as a security measure, but we'd all be better off if we just used firewalls for that, without introducing NAT-style breakage along with it. Also, when has a Class A ever been bought (excluding ones that only incidentally changed hands in corporate mergers & acquisitions)? – Spiff May 28 '10 at 20:57
  • MIT owns a /8 (old class A) IP space, for example. So does the DoD and many other government agencies. – MDMarra May 28 '10 at 21:00
  • @spiff. Yes, I meant that most NAT routers won't pass unsolicited inbound connections unless/until explicitly configured to do so, and in that sense provided some limited security. You are right in what I think you are pointing out that once you have configured a rule for forwarding an inbound connection (eg to a particular port) then the NAT itself does not provide any inherent security, and that packet inspection firewalling is far better. And yes maybe "registering" would have been a better verb than "buying", but the addresses are still gone and "ownership" won't be given up any time soon. – AdamV May 28 '10 at 21:12
  • @Adam, *once you have configured a rule for forwarding an inbound connection* -- or when your favorite trojan horse [has used UPnP](http://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal) to do so...? – Arjan May 28 '10 at 23:30
  • @MarkM I'm not saying there aren't inefficient allocations of Class A networks, I'm just saying no one "bought" (i.e. paid money or otherwise exchanged anything of value for) them. As far as I know, they have all been assigned free of charge to those institutions that met the allocation criteria at the time of allocation. – Spiff May 29 '10 at 00:03
  • 6
    "IPv6 has an address space so big we ought never be able to run out" and then suddenly you have to set up a net for Mars and one for Jupiter .. reminds me a bit of "nah, 640kb .. MORE ram than ever needed" :) – akira May 29 '10 at 21:12
  • 2
    @akira, IPv6 uses a 128-bit address space. 2^128 is a very big number. It works out to something like one address for every molecule in the observable universe. Then again, they've pretty much burned half the address space on the host part of the address, so who knows, maybe they'll still end up mismanaging it so badly that we'll run out. – Spiff May 29 '10 at 21:22
  • 3
    @Spiff: and then some nets in other galaxies and all of a sudden you wish to have 1024-bit IP addresses :) that comment was not really meant to be serious, btw – akira May 29 '10 at 21:29
  • @akira. What with speed of light effects, networks on other planets will have to be separate anyway, and use a store-and-forward mechanism to get through between planets, using satellites at Lagrange points. – TRiG Mar 02 '14 at 15:33
  • The RFC's are not Specifications. They are Standards which have been developed from specifications. - http://www.ietf.org/about/standards-process.html – joeqwerty Apr 01 '14 at 01:22
  • @joeqwerty Most RFCs are decidedly NOT standards. Very few are standards-track, and extremely few ever reach full "Standard" status and get an STD# assigned. I'm open to a better generic term for what non-STD RFCs are, but "standards" is certainly a worse suggestion than "specification". – Spiff Apr 01 '14 at 01:30
  • Fair enough, although neither is truly correct in reference to the RFC's. – joeqwerty Apr 01 '14 at 01:49
  • So when are we going to move to IPv6? I just got a dedicated IP for my domain and it is still IPv4. – user287352 Sep 29 '14 at 22:48
  • @fredsbend Many connections already go over IPv6 today. No one is going to cut over. Everyone will just add IPv6 to IPv4, and use both for the foreseeable future. Eventually IPv4 may "die on the vine", but it may take decades. – Spiff Sep 29 '14 at 22:52
  • it's 2021, and we're still using IPv4 100% of the time – djolf Apr 26 '21 at 06:52
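
The NAT behaviour debated in the answer and comments above, as an added sketch (not code from any poster): a toy model of a home NAT gateway showing that unsolicited inbound packets are dropped only because no mapping exists, and that a port forward removes that effect. The `NatGateway` class, its method names and all addresses are constructed for illustration, and the filtering rule is a simplification of what real gateways do.

```python
import itertools


class NatGateway:
    """Toy NAPT gateway: many private hosts share one public IPv4 address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.by_flow = {}       # (priv_ip, priv_port, remote) -> public port
        self.by_port = {}       # public port -> (priv_ip, priv_port, remote)
        self.forwards = {}      # public port -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, remote):
        """Rewrite an outgoing packet's source; create state on first use."""
        flow = (priv_ip, priv_port, remote)
        if flow not in self.by_flow:
            port = next(self._ports)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return (self.public_ip, self.by_flow[flow])

    def add_port_forward(self, public_port, priv_ip, priv_port):
        """Static mapping, as set by an admin (or requested via UPnP)."""
        self.forwards[public_port] = (priv_ip, priv_port)

    def inbound(self, remote, public_port):
        """Return the private (ip, port) to deliver to, or None to drop."""
        if public_port in self.forwards:
            return self.forwards[public_port]      # open to any remote host
        state = self.by_port.get(public_port)
        if state and state[2] == remote:
            return state[:2]                        # reply to a known flow
        return None                                 # unsolicited: no state


def demo():
    # Constructed addresses; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    nat = NatGateway("203.0.113.7")
    server, stranger = ("198.51.100.20", 443), ("198.51.100.99", 5555)
    pub = nat.outbound("192.168.0.10", 51000, server)
    results = {
        "mapped_source": pub,
        "reply": nat.inbound(server, pub[1]),
        "unsolicited": nat.inbound(stranger, pub[1]),
        "closed_port": nat.inbound(stranger, 8080),
    }
    nat.add_port_forward(8080, "192.168.0.20", 80)
    results["after_forward"] = nat.inbound(stranger, 8080)
    return results
```

The drop in `inbound` is a by-product of missing state, not a policy decision, which is why an explicit firewall rule set is still needed once any forward exists.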
26

It is a private block of IPs that aren't allowed to be routed on the public Internet and are reserved for internal use to be NATed to the outside world. The document that defines this is RFC 1918, which is enforced by IANA.

The blocks of private-use IPv4 addresses are:

 10.0.0.0 /8     (any address beginning with 10.x.x.x)
 192.168.0.0 /16 (any address beginning with 192.168.x.x)
 172.16.0.0 /12  (any address beginning with 172.16.x.x through 172.31.x.x)
MDMarra
  • As for `192.168.0.x` vs `192.168.x.x`, there is no semantic difference. Any IP addresses in `192.168.0.0/16` are for private networks. My home router has been set up by default to allocate `192.168.0.0/24` IP addresses to local machines, and it's something you can change by your personal preference, within the `192.168.0.0/16` range. – Константин Ван Feb 11 '23 at 11:30
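
As an added example (not part of any answer on this page), the following checks an IPv4 address against the three RFC 1918 blocks by comparing prefix bits, which makes the 172.16 through 172.31 boundary of the /12 explicit, and confirms that a router's /24 sits inside 192.168.0.0/16. Function names and sample addresses are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks, as listed in the answers on this page.
RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def to_int(dotted: str) -> int:
    """Convert dotted-quad IPv4 text to a 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet in {dotted!r}")
        value = (value << 8) | int(part)
    return value


def in_block(addr: str, block: str) -> bool:
    """True if addr falls inside the CIDR block (only the prefix bits are compared)."""
    base, prefix_len = block.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix_len))) & 0xFFFFFFFF
    return (to_int(addr) & mask) == (to_int(base) & mask)


def rfc1918_block(addr: str):
    """Return the RFC 1918 block containing addr, or None if it is not private."""
    for block in RFC1918_BLOCKS:
        if in_block(addr, block):
            return block
    return None


def subnet_within(subnet: str, block: str) -> bool:
    """True if a LAN subnet (e.g. a router's /24) sits entirely inside block."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(block))


if __name__ == "__main__":
    # Constructed sample addresses, chosen to sit on or near the block boundaries.
    for sample in ("10.1.2.3", "172.16.0.1", "172.31.255.255",
                   "172.32.0.1", "192.168.0.10", "193.169.1.1"):
        print(f"{sample:16} -> {rfc1918_block(sample) or 'not RFC 1918'}")
    print(subnet_within("192.168.0.0/24", "192.168.0.0/16"))
```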
20

the short answer is, really, we don't know.

having special range(s) of addresses available for local networks is a useful idea, obviously.

and rfc 1918 may have specified them, but didn't explain why those particular ranges of addresses were assigned, rather than any other. (i.e. 192.168.x.y is not inherently different than 193.169.x.y, except that it is agreed by convention to be used as "private". it could just as easily have been any range of addresses.)

0.x.y.z or 255.x.y.z might have been more obvious choices, but may not have been available. so we're left using a random bunch of meaningless numbers.

shloime
  • 11
    I feel like this is the only answer that even addresses the question "Why those numbers?" – joshfindit May 05 '18 at 19:07
  • 1
    It sounds like the closest we'll get to an answer is at https://superuser.com/a/785641/19792. We still don't fully know, but there's a lot more info there. – mwfearnley Jul 06 '22 at 12:30
5

Each computer in a network has an address to identify itself. In a network someone assigns an address to each computer, making sure that there are no duplicates. Internets are interconnected networks. When two networks want to be connected, the identifying addresses need to be unique across both of the networks now. If you have a network, an internet or any collection of these, you may use whatever scheme you want for assigning the addresses. But if you want to connect these to THE Internet, you will need to only use addresses for your machines that are not being used by the others in the rest of the Internet. There exist ways to get addresses for this purpose.

The reason 192.168 exists is so that you do not need to ask someone else for an address. You can pick ones that start with 192.168 and there will be no conflict with anyone else, because those addresses may only be used in your network(s) and are not used by someone outside your network to reference your machines. They also may use the 192.168 addresses for machines inside their network that you will not be able to see, so they will not conflict with your 192.168 addresses.

This speaks to the question of where the 192.168 came from, but not why they are used for home computers that ARE connected to the Internet. There became a shortage of addresses to hand out for computers on the Internet. So, rather than permanently assigning an address to each computer, a temporary address was assigned by your ISP while your modem was connected, and they used the number for someone else when you would disconnect. This way a number could be shared by dozens of customers.

When homes started having multiple computers, such that they became their own networks rather than just a computer on the ISP's network, the 192.168 scheme was used for the home networks, and the ISP, hardware and software handled all of the magic to convert your internal, not Internet-accessible address, 192.168, into one that is shared by all of the computers in your home network. They all look like just one computer to the outside networks.

CW Holeman II
  • Thank you for making me realise what a network of networks is and what it implies in terms of IP addresses. – ygorg Aug 23 '23 at 12:05
4

As noted 198.168.0.0/16 is a private address range. This range is typically used for small networks, so it has become the default for home routers to use. As discussed below, this provides a measure of security.

169.254.0.0/16 has been set aside for self-configured addresses. These are used by zeroconf and bonjour to configure an address when an address is not otherwise available. Systems using these addresses may still have access to the Internet if they can discover a proxy in this address range.

While end-to-end is a good design principle, it can be a bad security principle. In the old days, the system administrators worked in a web of trust, and there was little concern for viruses, worms, and the like. Times have changed.

In practice, most networks consist of a large number of machines that should never be directly accessible from the Internet, and a few which need to be. By placing those machines which do not need to be addressable from the Internet on a private network address, they are automatically secured from the internet. Many organizations have moved most machines from public to private addresses even when they have the public addresses available.

Machines with addresses on a private address need to have assistance to access the Internet. Home routers provide NAT (network address translation) to map the machine to a valid Internet address. They may provide a firewall to limit which ports on the Internet can be accessed, and may also allow a machine to be designated a DMZ server.

Larger organizations will have mail servers and web proxies in a DMZ (demilitarized zone) which has limited access into the organization's network. These machines may have a valid Internet address or may use NAT to access the network. NAT may also be used to allow machines on private addresses access to some or all services on the Internet. In any case, they will likely use one or more firewalls to separate the Internet, DMZ, and internal network.

BillThor