Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Reserved IP Address Space Reminder

Published: 2012-05-16
Last Updated: 2012-05-17 02:58:11 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

As we are running out of IPv4 address space, many networks, instead of embracing IPv6, stretch existing IPv4 space via multiple levels of NAT. NAT then uses "reserved" IP address space. However, there are more address ranges reserved then listed in RFC1918, and not all of them should be used in internal networks. Here is a (probably incomplete) list of address ranges that are reserved, and which once are usable inside your network behind a NAT gateway.

List of Reserved IPv4 Address ranges
Address Range RFC Suitable for Internal Network RFC1122 no ("any" address) RFC1918 yes RFC6598 yes (with caution: If you are a "carrier") RFC1122 no (localhost) RFC3927 yes (with caution: zero configuration) RFC1918 yes RFC5736 no (not used now, may be used later) RFC5737 yes (with caution: for use in examples) RFC3068 no (6-to-4 anycast) RFC1918 yes RFC2544 yes (with caution: for use in benchmark tests) RFC5737 yes (with caution: test-net used in examples) RFC5737 yes (with caution: test-net used in examples) RFC3171 no (Multicast) RFC1700 no (or "unwise"? reserved for future use)

Most interesting in this context is RFC6598 (, which was recently assigned to provide ISPs with a range for NAT that is not going to conflict with their customers NAT networks. It has been a more and more common problem that NAT'ed networks once connected with each other via for example a VPN tunnel, have conflicting assignments.

Which networks did I forget? I will update the table for a couple days as comments come in.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: nat rfc1918
8 comment(s)
Diary Archives