Private IP address space is a Bad idea

I believe that IP address space that is not globally unique, even when not connected to the public Internet, is a bad idea because I believe that, one day, we all will be connected to the public Internet.

Some people disagree with me, and set aside some of the public IP address space for this purpose. I and some friends of mine wrote up an opposing point of view.

The first side of this debate is in RFC 1597, and our first response is in RFC 1627 (entitled "Network 10 Considered Harmful" - so named to get the attention of the Old Network Boys who remember that net 10 was the ARPANET).

My side has lost the procedural argument (we asserted that the Internet Assigned Numbers Authority (IANA) did not have the authority to make what we felt was a change to the fundamental architecture of the Internet without community input), and the architectural argument (we felt the Internet address space should remain centrally assigned, and world-wide unique, regardless of whether a given network is actually routed to the public Internet or not). We then took our remaining objections to the IETF Classless InterDomain Routing Deployment (CIDRd) Working Group's mailing list for a time (where RFC 1597 had originated), and then into private E-mail with the proponents of the idea, to come up with a compromise document.

Our objections to the private IP address space scheme have (mostly) been incorporated into a revised version of the private IP address assignment document (this is the best we could do, I suppose - make sure that everyone who wants to use private IP address spaces goes into it with eyes wide open, fully cognizant of the potential perils). The result, such as it is, is in RFC 1918.

Personally, I recommend to every network manager out there - get your networks cleanly numbered with globally unique IP address space. You will have to renumber when you change Internet Service Providers (and thus Dynamic Host Configuration Protocol (DHCP) is your friend), but you should not kid yourself that you will never connect your network to anyone else's network; business being the dynamic process that it is, you should assume that you will be asked to do this at some future date, and that you should set things up now so as to minimize the pain involved, and maximize the potential for successful communication and collaboration.
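
As an added illustration of the peril described above (not part of the original essay), here is a small Python check a network manager can run before two networks are interconnected: it lists which prefixes of each address plan fall inside RFC 1918 space and which prefixes collide. The two site address plans are constructed samples; 198.51.100.0/24 and 203.0.113.0/24 stand in for globally unique assignments.

```python
import ipaddress
from itertools import product

# The three blocks RFC 1918 sets aside for private use.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed address plans for two organisations about to connect.
# Each mixes RFC 1918 prefixes with one globally unique prefix
# (documentation ranges used here as stand-ins for real assignments).
SITE_A = ["10.1.0.0/16", "10.2.0.0/16", "192.168.1.0/24", "198.51.100.0/24"]
SITE_B = ["10.2.128.0/17", "172.16.0.0/20", "192.168.1.0/24", "203.0.113.0/24"]


def is_rfc1918(prefix: str) -> bool:
    """True if the prefix lies entirely inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def private_prefixes(plan):
    """The subset of a plan that is numbered from RFC 1918 space."""
    return [p for p in plan if is_rfc1918(p)]


def find_collisions(plan_a, plan_b):
    """Return (a, b) pairs of prefixes, one from each plan, that overlap.

    Overlap means the two networks cannot both be routed once the sites
    are joined: hosts in one would be unreachable from the other without
    renumbering or address translation.
    """
    hits = []
    for a, b in product(plan_a, plan_b):
        na = ipaddress.ip_network(a, strict=False)
        nb = ipaddress.ip_network(b, strict=False)
        if na.overlaps(nb):
            hits.append((a, b))
    return hits


if __name__ == "__main__":
    print("Site A private prefixes:", private_prefixes(SITE_A))
    print("Site B private prefixes:", private_prefixes(SITE_B))
    for a, b in find_collisions(SITE_A, SITE_B):
        print(f"COLLISION: {a} (site A) overlaps {b} (site B)")
```

Only the RFC 1918 prefixes collide; the globally unique ones cannot, which is the whole of the author's point.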

As for the security aspects of this notion, I have my own opinion about "firewall systems" that some sites try to use to mitigate Internet security risks.

Just for the record, I think that Network Address Translation (NAT) devices are a bad idea, too. Network Address Translation violates the end-to-end model, proper network layering, and will not work in the presence of IP security (if the payload of the packets is encrypted, how can you fiddle the IP addresses hiding in there? Answer: you can't).


Erik Fair <fair@clock.org>
October 18, 1996