Document Managed by Network Architecture
Introduction
The IPv4 address space allocated to Rutgers is finite and must be used efficiently to assure our future needs can continue to be met. Historically Rutgers has made very inefficient choices on how to use this resource. One of these inefficiencies has been in the allocation of our assigned network space for networks within Rutgers that are by design not routed to. Rather than continuing this inefficiency, such needs should be met utilizing the private address ranges available which will never be routed on the internet.
Internet Practices
It is the practice of the internet to reserve several blocks of address space under the guarantee that they will never be routed across the backbone. Three categories of hosts have been identified [RFC1918]:
- Hosts which do not require access to the internet.
- Hosts which access a limited set of internet services through a gateway.
- Hosts which need full internet connectivity.
At Rutgers, all hosts in categories (2) and (3) must be assigned IP addresses from within our assigned ranges. Hosts in category (1) should not be assigned such addresses so as to conserve our available address space.
At many internet sites the needs of hosts not requiring internet access are met in practice through the use of these private address space assignments:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
All of this space is guaranteed to be unrouted on the internet and available for private use within a site such as Rutgers University.
Rutgers' Requirements
The three available blocks of private address space are assigned internally to three different usage patterns. Two blocks are routed within the Rutgers network but not to the internet: one of these is reserved for use by OIT/TD, and the other is made available for use by any group at Rutgers. The last block is neither routed nor coordinated.
OIT/TD Private Routed Network
At Rutgers, the private address space 10.0.0.0/8 is routed on the Rutgers network and is reserved for allocation by OIT/TD for internal use such as network infrastructure. No networked device on the Rutgers network should utilize this space in an uncoordinated manner under the assumption that no conflict could occur.
Rutgers Private Registered and Routed Networks
The smallest block of private address space, 172.16.0.0/12, is available for coordinated use within the university. Networks will be assigned on request from this range and may optionally be routed.
OIT/TD coordinates the assignment of this space to assure that no conflicts will occur when different groups' resources interact, and it permits a guarantee of sole ownership of an address range just as with normal Rutgers addresses. Should conflicts arise between two groups using an address in this range, the party who has registered their use will be permitted to keep the addresses, while the party with the unregistered use will be required to renumber into other space.
OIT/TD will, on request, provide these networks the ability to route their data within the university. It is not, and will never be, possible for these addresses to be routed over the internet, and systems using them will never be able to reach internet hosts or be reached by them. (Note: proxy services can enable limited, indirect access to internet resources.)
Some sections of this address range are reserved for special uses.
| Use | Address range |
| Registered Networks | 172.16.0.0 to 172.27.255.255 |
| Network infrastructure | 172.28.0.0 to 172.28.255.255 |
| External LANs | 172.29.0.0 to 172.29.255.255 |
| Reserved for future use | 172.30.0.0 to 172.31.255.255 |
Within the registered networks section of this space the addresses are assigned by geographic area.
| Geographic area | Address range |
| New Brunswick | 172.16.0.0 to 172.23.255.255 |
| Camden | 172.24.0.0 to 172.25.255.255 |
| Newark | 172.26.0.0 to 172.27.255.255 |
Rutgers Private Unregistered and Unrouted Networks
The last block of private address space, 192.168.0.0/16, is available for use by any LAN at Rutgers in an uncoordinated and unrouted manner. Its uses, and conflicts between them, are not the concern of OIT.
Security Considerations
Within the university's network the address range 172.16.0.0/12 should be considered a part of the Rutgers network. Access control lists should be updated to permit access from these addresses in the same way as from our main allocations.
The use of 172.16.0.0/12 provides a measure of security from attack by sites on the internet. Since these addresses cannot be passed over the internet, they will never receive traffic from external systems. This offers a form of limited protection against harm from systems outside the Rutgers network.
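The following is an added example, not part of this document or of any OIT/TD tooling. It encodes the two allocation tables above (the subdivision of 172.16.0.0/12 and its geographic split) and the Security Considerations rule that 172.16.0.0/12 is treated as part of the Rutgers network. It classifies an address into the use this document assigns it, converts the inclusive "X to Y" ranges from the tables into the CIDR prefixes an access control list actually needs, and checks whether a source address should be permitted as internal. The list of public Rutgers allocations passed to the ACL check is a hypothetical placeholder; the document does not list them.

```python
from ipaddress import ip_address, ip_network, summarize_address_range, IPv4Address

# Subdivision of 172.16.0.0/12 taken from the two allocation tables in this
# document. Endpoints are inclusive, exactly as the tables state them.
RUTGERS_172_RANGES = [
    # (label, first address, last address)
    ("registered/New Brunswick", "172.16.0.0", "172.23.255.255"),
    ("registered/Camden",        "172.24.0.0", "172.25.255.255"),
    ("registered/Newark",        "172.26.0.0", "172.27.255.255"),
    ("network infrastructure",   "172.28.0.0", "172.28.255.255"),
    ("external LANs",            "172.29.0.0", "172.29.255.255"),
    ("reserved for future use",  "172.30.0.0", "172.31.255.255"),
]

# The three RFC 1918 blocks and the use this document assigns to each.
RFC1918_USES = {
    ip_network("10.0.0.0/8"):     "OIT/TD private routed",
    ip_network("172.16.0.0/12"):  "Rutgers private registered",
    ip_network("192.168.0.0/16"): "Rutgers private unregistered, unrouted",
}

COORDINATED_BLOCK = ip_network("172.16.0.0/12")


def classify(addr: str):
    """Return (block use, sub-range label or None) for an IPv4 address.

    Addresses outside the three RFC 1918 blocks yield ("not RFC 1918 private", None).
    """
    ip = ip_address(addr)
    if not isinstance(ip, IPv4Address):
        raise ValueError("this document covers IPv4 only")
    for net, use in RFC1918_USES.items():
        if ip in net:
            if net == COORDINATED_BLOCK:
                # Inside 172.16.0.0/12 the tables assign every address to a
                # named sub-range, so one of these comparisons always matches.
                for label, first, last in RUTGERS_172_RANGES:
                    if ip_address(first) <= ip <= ip_address(last):
                        return (use, label)
            return (use, None)
    return ("not RFC 1918 private", None)


def cidr_blocks(label: str):
    """Summarize one inclusive table range into its minimal CIDR list.

    ACL entries take prefixes, not "first to last" ranges, so this is the
    form the table rows need before they can be used in a filter.
    """
    for name, first, last in RUTGERS_172_RANGES:
        if name == label:
            return [str(n) for n in
                    summarize_address_range(ip_address(first), ip_address(last))]
    raise KeyError(label)


def acl_permit_as_internal(src: str, public_allocations):
    """Security Considerations rule: treat 172.16.0.0/12 as part of the Rutgers
    network, alongside the public allocations (hypothetical list supplied by the
    caller; this document does not enumerate them)."""
    ip = ip_address(src)
    internal = [COORDINATED_BLOCK] + [ip_network(p) for p in public_allocations]
    return any(ip in n for n in internal)


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.17.0.5", "172.28.4.1", "192.168.1.1", "198.51.100.7"):
        print(a, classify(a))
    for label, _, _ in RUTGERS_172_RANGES:
        print(label, cidr_blocks(label))
```

The summarization step is the practical payoff: the "Registered Networks" row, for instance, is not a single prefix but 172.16.0.0/13 plus 172.24.0.0/14, which is easy to get wrong when transcribing the table into a filter by hand.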
Conclusion
Groups requiring address space that does not require internet connectivity should consider the use of one of these private address ranges. Where OIT/TD allocates minimally sized networks, this private space offers the opportunity for much larger address ranges. Private address space is also often ideal for dedicated links between hosts and for clusters of systems not required to talk to the rest of the network. The absence of strict allocation procedures makes this space available more quickly and easily than a formally requested allocation. An unrouted private range can also be implemented immediately, since it requires no changes to the OIT-managed routing hardware on the network. Private addresses make a good alternative to formally assigned networks for some common uses at Rutgers.