Networking, Private or Public IP Space - How to choose?
Summary (TL;DR)
Most new networks on campus should be built with IPv6 addresses and Private IPv4 addresses, and should use the Fully Closed firewall group.
Networks for servers or services that need to be accessed from off-campus (including other parts of the University of Illinois System) should be built with IPv6 addresses and Public IPv4 addresses.
IPv6 networks are all the same size (a /64 with ~65,000 hosts). Private IPv4 networks should be sized for your expected current needs and some future growth. Public IPv4 networks should be the smallest size that will meet your current needs.
Details (for the curious)
Why build new networks with IPv6?
IPv6 has been around for many years and has not seen high adoption rates. This has led to a historical lack of local adoption on campus. What's changed?
- There is currently a steady increase in IPv6 adoption worldwide.
- Many parts of the world cannot get the necessary numbers of IPv4 addresses and have built IPv6-only networks.
- The U.S. Federal government has decided to simplify its network management by converting the majority of its networks to IPv6-only over the next five years.
- Many phone carriers have built IPv6 networks, and tunnel the IPv4 traffic from your smartphone to the edge of their network over IPv6.
- Protocols have been developed to ensure that enabling IPv6 doesn't make computers less responsive when servers only have IPv4 connectivity.
Having both IPv6 and IPv4 enabled (often referred to as "dual-stacking") on a campus network will provide the best customer experience. This is true both for server networks, where inbound connections from remote users can be native, and for end-user networks on campus, where people might connect directly to IPv6-only servers instead of via a proxy somewhere on the Internet.
Dual-stacked networks must have the same Firewall Group for both the IPv6 and the IPv4 addresses. When using private IPv4 networks, the IPv6 side must also be in the Fully Closed firewall group.
IPv6 Space Overview
IPv6 is designed to be an eventual replacement for IPv4. A major design goal of IPv6 was to have more unique IP addresses available, and with a 128-bit address size, that was achieved. A standard-size IPv6 customer network (a /64) has 65,000 addresses available (that's roughly 1/3 of the total Urbana-Champaign public IPv4 addresses, for each customer network!). Urbana-Champaign has roughly 1,000,000 networks available for campus to use.
Because of the scale designed into IPv6, there wasn't an emphasis put on having private IPv6 space. While there are some IPv6 addresses that can be used in that way, their use isn't as standardized as it is for IPv4 and can cause unintentional issues. Given this, Technology Services is not supporting the use of private IPv6 addresses at this time.
Recommendation: Public IPv6 space should be enabled on all new networks.
Public IPv4 Space Overview
Public IPv4 space is globally unique, and can only be used by the organization it is assigned to. This allows public IP addresses to receive inbound network connections from other computers connecting from both on- and off-campus. How restricted the access is from off-campus depends on what Firewall Plan the IP address is in. Addresses in the Fully Closed firewall group are protected from off-campus access, but are able to reach outbound to the public Internet. Addresses in other firewall groups are deliberately less protected so that connections can be made from outside campus.
Computers in any of the campus public IPv4 ranges can be used to provide Internet-facing services as well as campus services. The IP address has to be in the correct Firewall Group to allow the inbound traffic needed for the service (see Networking, Firewall, Service Plan Details).
Public IPv4 addresses are a limited resource. Because the address is a 32-bit number, there is a relatively small, fixed number of unique addresses available globally. As a result, additional public IPv4 address space is difficult or impossible to get, depending on the amount needed. Urbana-Champaign has enough public IPv4 addresses to meet our current needs, but could not expect to get more.
Recommendation: Only new networks that will have servers or services that need to be accessed from off-campus should ask for public IPv4 space.
Private IPv4 Space Overview
The Internet Assigned Numbers Authority (IANA) has reserved several IP ranges for use on private networks within an organization; this private IP space can be used by anyone, but may never be routed on the public Internet (i.e. outside of the U of I System). RFC 1918 establishes three private IP address ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
Computers in the 172.16.0.0/13 (Urbana-Champaign) and 172.24.0.0/13 (NCSA) private IP ranges can only receive inbound network connections from other computers within the IP ranges for Urbana-Champaign, System-wide shared services, and NCSA. However, they are usually able to reach outbound to the public Internet with the help of Network Address Translation (NAT), which maps the computer's private IP address to a public IP address (see Networking, Firewall, Service Plan Details). By default, all new private IPv4 networks are set up with NAT.
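As an added illustration (not a Technology Services tool), the following Python uses the standard ipaddress module to check where an IPv4 address or a proposed subnet falls relative to the RFC 1918 ranges and the two campus private ranges named above. The sample addresses and the 172.20.5.0/24 subnet are constructed for the example.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the article.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The two campus private ranges the article names; together they cover 172.16.0.0/12.
CAMPUS_PRIVATE = {
    "Urbana-Champaign": ipaddress.ip_network("172.16.0.0/13"),
    "NCSA": ipaddress.ip_network("172.24.0.0/13"),
}


def classify(addr: str) -> tuple:
    """Return (is_rfc1918_private, campus_range_name_or_None) for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    private = any(ip in net for net in RFC1918)
    campus = next((name for name, net in CAMPUS_PRIVATE.items() if ip in net), None)
    return private, campus


def campus_range_of(cidr: str):
    """Name of the campus private range that wholly contains this subnet, or None.

    A subnet that straddles both /13s (or lies outside them) gets None, which is
    the check to run before requesting a private network of a given size.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    return next((name for name, r in CAMPUS_PRIVATE.items() if net.subnet_of(r)), None)


def can_serve_internet(addr: str) -> bool:
    """The article's rule: a private IPv4 address cannot host Internet-facing services."""
    private, _ = classify(addr)
    return not private


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.5 is a documentation address, not a campus one.
    for a in ("172.20.5.10", "172.30.1.1", "10.1.2.3", "203.0.113.5"):
        print(a, classify(a), "internet-facing ok:", can_serve_internet(a))
    print("172.20.5.0/24 ->", campus_range_of("172.20.5.0/24"))
```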
You can find more information on how Private IPv4 space is used on campus in the Networking, Guide to University of Illinois IP Spaces article.
A private IPv4 address cannot be used to provide Internet-facing services. However, it can be used to provide services whose only customers are on the campus network (including customers who connect using the VPN).
Recommendation: Private IPv4 space should be used for all new networks that don't have servers or services that need to be accessed directly from off-campus.
IP Network Sizes
IPv6 networks come in a single standard size. Commonly referred to as a /64, this network size uses half of the 128 bits for host information and half for network information, allowing roughly 65,000 hosts per network. Clients expect to see this network size, and not all systems will work when given an address from a network of a different size, so /64 is the only network size that will be provided.
IPv4 network sizes have evolved and currently can accommodate from 2 to thousands of hosts. A detailed guide to IPv4 network addressing is beyond the scope of this article. The table below includes the most common sizes used on campus, and reflects the fact that the first three IP host addresses in most networks cannot be used for computers because they are reserved for Networking's use to provide routing.
Network size | Netmask | Number of usable hosts
---|---|---
/22 | 255.255.252.0 | 1019
/23 | 255.255.254.0 | 507
/24 | 255.255.255.0 | 251
/25 | 255.255.255.128 | 123
/26 | 255.255.255.192 | 59
/27 | 255.255.255.224 | 27
/28 | 255.255.255.240 | 11
/29 | 255.255.255.248 | 3
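The following Python, added here as an example rather than taken from the article, reproduces the table's host counts from the prefix length and applies the sizing rules from the summary: the smallest network that meets current needs for public IPv4, and current needs plus a growth allowance for private IPv4. It assumes "the first three IP host addresses" means the three addresses immediately after the network address; the 172.20.5.0/26 subnet is constructed for the example.

```python
import ipaddress
import math

RESERVED_FOR_ROUTING = 3  # first three host addresses, reserved for Networking (per the article)


def usable_hosts(prefixlen: int) -> int:
    """Usable hosts in an IPv4 /prefixlen under the campus convention:
    total addresses minus network and broadcast, minus the three reserved."""
    if not 0 <= prefixlen <= 29:  # /30 and longer leave nothing after the reservation
        raise ValueError("prefix length must be between /0 and /29")
    net = ipaddress.ip_network(f"0.0.0.0/{prefixlen}")
    return net.num_addresses - 2 - RESERVED_FOR_ROUTING


def smallest_prefix_for(hosts: int, growth: float = 0.0) -> int:
    """Smallest network (largest prefix length) whose usable count covers
    hosts * (1 + growth). growth=0 is the rule for public IPv4; a positive
    growth (assumed here, e.g. 0.5 for 50%) models 'some future growth' for private IPv4."""
    need = math.ceil(hosts * (1 + growth))
    for prefixlen in range(29, -1, -1):  # walk from /29 (smallest) up to /0
        if usable_hosts(prefixlen) >= need:
            return prefixlen
    raise ValueError("no IPv4 network is large enough")


def usable_addresses(cidr: str) -> list:
    """Host addresses a customer may actually assign: skip the network address,
    the three reserved addresses, and the broadcast address."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 29:
        raise ValueError("prefix length must be /29 or shorter")
    return list(net.hosts())[RESERVED_FOR_ROUTING:]  # hosts() already excludes network/broadcast


if __name__ == "__main__":
    for p in range(22, 30):  # regenerate the article's table
        print(f"/{p}\t{ipaddress.ip_network(f'0.0.0.0/{p}').netmask}\t{usable_hosts(p)}")
    print("60 hosts, public:", f"/{smallest_prefix_for(60)}")
    print("60 hosts, private with 50% growth:", f"/{smallest_prefix_for(60, 0.5)}")
    print("first usable in 172.20.5.0/26:", usable_addresses("172.20.5.0/26")[0])
```

Note the edge case: 59 hosts fit in a /26, but 60 do not, because three of the 62 host addresses are reserved.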