IPv4 Private Address Space

Simon Hobson dhcp1 at thehobsons.co.uk
Wed May 12 12:22:10 UTC 2021


Louis Garcia <louisgtwo at gmail.com> wrote:

>> According to standards set forth in Internet Engineering Task Force
>> (IETF) document RFC-1918, the following IPv4 address ranges are reserved by the IANA for private internets,
>> 
>> 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
>> 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
>> 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

Correct.
But just because 172.16.0.0/12 is reserved doesn't mean you have to use all 1,048,576 addresses in that block, and you don't have to use /12 as your mask. The /12 here simply tells you that everything from 172.16.0.0 to 172.31.255.255 is in that reserved space.
The DHCP server will not allocate anything you haven't told it to, and your border routers (and certainly your ISP) should be filtering any of these RFC1918 addresses out - "nothing out, nothing in" should be the policy for them.
Also, because of the way the server works, it's a really bad idea to create large blocks (though I think that relates to ranges, rather than subnets) as it makes in-memory tables huge.


>> dhcpd does not seem to like the subnet/mask combination.
>> 
>>          authoritative;
>>          default-lease-time 600;
>>          max-lease-time 7200;
>>          subnet 172.16.4.0 netmask 255.240.0.0 {
>>                      option domain-name-servers 172.16.4.1;
>>                      option broadcast-address 172.31.255.255;
>>                      option routers 172.16.4.1;
>>                      option ntp-servers 172.16.4.1;
>>                      range 172.16.4.50 172.16.4.254;
>>          }

Yes, as already mentioned, that's not a valid address & mask.


> Currently I have three networks 172.16.2.0/24 172.16.3.0/24
> 172.16.4.0/24. I read that not all of 172.16.0.0 is private, only
> 172.16.0.0/12. I am trying to not have public routable IPs on my
> network. Please let me know if this setup is fine.
> 
>          # DHCP Server Configuration file.
> 
>          authoritative;
>          default-lease-time 600;
>          max-lease-time 7200;
> 
>          # Client system architecture type: RFC4578
>          option arch code 93 = unsigned integer 16;
> 
>          subnet 172.16.2.0 netmask 255.255.255.0 {
>                      option domain-name-servers 172.16.2.1;
>                      option broadcast-address 172.16.2.255;
>                      option routers 172.16.2.1;
>                      option ntp-servers 172.16.2.1;
>                      range 172.16.2.50 172.16.2.254;
>                      if option arch = 00:07 {
>                            filename "/grub/shim.efi";
>                      }
>                      next-server 172.16.2.5;
>          }
> 
>          subnet 172.16.3.0 netmask 255.255.255.0 {
>                      option domain-name-servers 172.16.3.1;
>                      option broadcast-address 172.16.3.255;
>                      option routers 172.16.3.1;
>                      option ntp-servers 172.16.3.1;
>                      range 172.16.3.50 172.16.3.254;
>          }
> 
>          subnet 172.16.4.0 netmask 255.255.255.0 {
>                      option domain-name-servers 172.16.4.1;
>                      option broadcast-address 172.16.4.255;
>                      option routers 172.16.4.1;
>                      option ntp-servers 172.16.4.1;
>                      range 172.16.4.50 172.16.4.254;
>          }

Yes, that's just fine.



Simon
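Added example (not from Simon's or Louis's messages, and not dhcpd's own parser): a small Python checker, using only the standard `ipaddress` module, for the two points raised above: that a `subnet ... netmask ...` declaration must name the network address for its mask (why `172.16.4.0 netmask 255.240.0.0` is rejected), and that only `172.16.0.0/12` of the 172.x space is RFC 1918 private. The `check_subnet` helper is hypothetical, and the inputs are constructed from the declarations quoted in the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

# The three RFC 1918 blocks quoted at the top of the thread.
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_subnet(address: str, netmask: str,
                 pool: Optional[Tuple[str, str]] = None) -> List[str]:
    """Sanity-check a dhcpd 'subnet ADDRESS netmask NETMASK { range LO HI; }' block.

    Returns a list of problems; an empty list means the declaration is consistent.
    (Hypothetical helper written for this example, not part of dhcpd.)
    """
    problems = []
    try:
        # strict=True applies the same rule dhcpd enforces: the address must be
        # the network address for that mask, i.e. no host bits may be set.
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=True)
    except ValueError:
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        problems.append(f"{address} netmask {netmask}: host bits set "
                        f"(the network for that mask is {net.network_address})")
    # Only 172.16.0.0/12 is private; 172.32.x.x and above is publicly routable.
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{net}: not inside an RFC 1918 private block")
    if pool is not None:
        lo, hi = (ipaddress.ip_address(a) for a in pool)
        if lo > hi:
            problems.append(f"range {lo} {hi}: low end is above high end")
        elif lo not in net or hi not in net:
            problems.append(f"range {lo} {hi}: not within {net}")
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"range {lo} {hi}: includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    # Constructed inputs taken from the declarations quoted in the thread.
    for addr, mask, pool in (
        ("172.16.4.0", "255.240.0.0", ("172.16.4.50", "172.16.4.254")),   # rejected by dhcpd
        ("172.16.2.0", "255.255.255.0", ("172.16.2.50", "172.16.2.254")),  # fine
        ("172.32.5.0", "255.255.255.0", ("172.32.5.50", "172.32.5.254")),  # looks private, is not
    ):
        print(f"subnet {addr} netmask {mask}:", check_subnet(addr, mask, pool) or "ok")
```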



More information about the dhcp-users mailing list