
Private (Internal) Addressing

Each computer (or other networked device, such as a printer) has its own unique Internet Protocol (IP) address. This is just like the address that each house has with the U.S. Postal Service. Anything sent to that address will get delivered to that address.

Traditionally, Dartmouth's IP address range has been 129.170.0.0 to 129.170.255.255. These are considered public addresses. In most cases, on the Dartmouth network, the address of a computer is assigned automatically by the network; the user does not need to know what the address is. The applications used on the computer know the address and can use it when necessary.

Dartmouth College has moved to private addressing for all new network deployments. This was done for two major reasons:

  1. Address exhaustion
  2. Security

Private Internet Protocol (IP) addressing will reduce the threat from the Internet to most Dartmouth computers by making them more difficult to attack from outside Dartmouth.

Under Private Addressing, computers inside Dartmouth's network get IP addresses in the 10.x.x.x range (private to Dartmouth), as opposed to 129.170.x.x addresses (a range of addresses allocated to Dartmouth and known to the public). Private addressing will also fix the problem we are having of running out of 129.170.x.x addresses. We have already started deploying internal addressing and will continue to roll it out in coordination with departments.

  • Most user computers and internally accessed servers will use private addresses allocated from the 10.x.x.x address range.
  • Private addresses are translated to 129.170.x.x addresses only at the border of Dartmouth's network and only for Internet traffic.
  • Servers accessed by users not in the DND and other special computers can get static public (129.170.x.x) addresses.
  • Departments can arrange for users in their facilities to still translate to the same 129.170.x.x subnets they currently get (for external providers restricting users to those subnets).
  • Departments can arrange for "one to many" or (if needed) "one to one" NAT at the border; "one to one" eliminates port translation.
  • Departments need to identify which of their computers need to retain statically allocated 129.170 addresses. Most computers using DHCP will now be fine using internal addresses.
  • Clients that identify printers using explicit IP addresses instead of hostnames will need to reconfigure their printers to use hostnames when the printers convert to internal addressing.
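The two border-NAT modes listed above, "one to many" (many 10.x hosts share one public address and the border rewrites the source port) and "one to one" (a dedicated public address per host, so no port translation), modelled in Python. This is an added example and not code from the original Dartmouth page or from Dartmouth's network equipment. The ranges 129.170.0.0/16 and 10.0.0.0/8 are the ones the page names; every specific host address and port below is a constructed sample value. The inbound half of the one-to-many model also shows why an unsolicited packet from the Internet has no way to reach a 10.x host, which is the reachability point the page's Security section makes.

```python
"""Added example (not code from the original Dartmouth page): a small model of
the two border-NAT modes the page lists. 129.170.0.0/16 and 10.0.0.0/8 are the
ranges named on the page; every specific host address and port below is a
constructed sample value."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation as seen at the border."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneToManyNAT:
    """Many private hosts share one public address (port translation)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # (private ip, private port) -> public port, plus the reverse map
        self._out: Dict[Tuple[str, int], int] = {}
        self._in: Dict[int, Tuple[str, int]] = {}

    def outbound(self, flow: Flow) -> Flow:
        """Translate a packet leaving for the Internet; create a mapping on first use."""
        key = (flow.src_ip, flow.src_port)
        if key not in self._out:
            port = next(self._next_port)
            self._out[key] = port
            self._in[port] = key
        return Flow(self.public_ip, self._out[key], flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Translate a packet arriving from the Internet.

        Only a port that an inside host already opened has a mapping; an
        unsolicited packet to any other port has nowhere to go and is dropped.
        That is why a 10.x host behind this NAT cannot be found by a scanner
        on the Internet, as the page's Security section says."""
        key = self._in.get(flow.dst_port)
        if flow.dst_ip != self.public_ip or key is None:
            return None
        priv_ip, priv_port = key
        return Flow(flow.src_ip, flow.src_port, priv_ip, priv_port)


class OneToOneNAT:
    """Each private host has its own public address; only the IP is rewritten."""

    def __init__(self, private_to_public: Dict[str, str]) -> None:
        self._out = dict(private_to_public)
        self._in = {pub: priv for priv, pub in private_to_public.items()}

    def outbound(self, flow: Flow) -> Flow:
        return Flow(self._out[flow.src_ip], flow.src_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """With a static 1:1 mapping the inside host is reachable on every port,
        so it is exposed like a host with a native public address unless a
        firewall rule in front of it says otherwise."""
        priv_ip = self._in.get(flow.dst_ip)
        if priv_ip is None:
            return None
        return Flow(flow.src_ip, flow.src_port, priv_ip, flow.dst_port)


def demo() -> dict:
    """Run both modes on constructed sample flows and return the translations."""
    pat = OneToManyNAT("129.170.0.1")
    a = pat.outbound(Flow("10.1.2.3", 51000, "203.0.113.5", 443))
    b = pat.outbound(Flow("10.1.2.4", 51000, "203.0.113.5", 443))
    reply_b = pat.inbound(Flow("203.0.113.5", 443, "129.170.0.1", b.src_port))
    probe = pat.inbound(Flow("198.51.100.9", 33333, "129.170.0.1", 22))
    static = OneToOneNAT({"10.1.2.50": "129.170.0.50"})
    server_in = static.inbound(Flow("198.51.100.9", 33333, "129.170.0.50", 22))
    return {"a": a, "b": b, "reply_b": reply_b, "probe": probe, "server_in": server_in}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two inside hosts using the same source port 51000 get distinct public ports (40000 and 40001) behind the shared 129.170.0.1, the reply to port 40001 is mapped back to 10.1.2.4, and the probe to port 22 returns `None` because no inside host opened that mapping. The one-to-one host, by contrast, receives the port-22 packet unchanged apart from the address rewrite, which is the trade-off behind giving only externally accessed servers static public addresses.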

Address Exhaustion

As more and more wired and wireless devices are added to Dartmouth's network, and as new buildings are built, it has become increasingly more difficult to allocate IP addresses in Dartmouth's limited public IP address range. Additionally, moving the telephone system from analog to digital with the VoIP handsets and switches (each requiring an IP address), and the new wireless rollout (almost tripling the number of Access Points, each requiring an IP address), are two examples of new network devices consuming addresses.

As these new projects were rolled out, Dartmouth's core network was re-engineered to support private addressing and address aggregation (for routing efficiency). The new design has been running since the VoIP rollout, and the wireless rollout took advantage of the new design.

Security

Computers (or other devices) with private addresses are not reachable from other computers on the Internet, unless further steps are taken to expose them. This means that a computer in Thailand (for example) that is searching for other computers on the Internet to attack cannot find a computer on the Dartmouth network if it has a private address. However, computers with private addresses are reachable from other private addresses and Dartmouth's public address space, unless further steps are taken to hide them.

Computers with Dartmouth public addresses are automatically reachable from anywhere on the Internet, unless further steps are taken to hide them. Private addresses enhance security because they are not reachable from the Internet, unless further steps are taken to make them reachable.

Private address spaces can be broken down as follows:

10.0.0.0 - 10.255.255.255 (10/8 prefix): Dartmouth
172.16.0.0 - 172.31.255.255 (172.16/12 prefix): Dartmouth remote
192.168.0.0 - 192.168.255.255 (192.168/16 prefix): Non-Dartmouth

Dartmouth is currently using 10/8 private address space. Uses for the 172.16 and 192.168 spaces are in the planning stages.

Public to Private Address Conversion

Given the security and scalability benefits of using private addresses, all systems that do not need to be reachable from the Internet should be converted to using private addresses. This process has already started for critical services (such as VoIP) and will be continued, eventually reaching all subnets at Dartmouth. Currently, most dorms use private addresses on the Dartmouth Secure and Dartmouth Public wireless networks; the libraries use private addresses on the Dartmouth Library Public wireless network; and some departments have moved to private addresses on the wired network as well. As departmental discovery meetings continue, more departments will be moved to private addressing once any needs for public addresses are discovered and addressed.

Implications

Many people at Dartmouth have assumed that only the 129.170.x.x addresses indicate a Dartmouth affiliation. This has led to the implementation of Access Control Lists (ACLs) or Firewall Rules in applications such as the Digital Library and Banner Student that in the past rejected private addresses, even though they are part of Dartmouth. This has been corrected so that current and future deployments will handle private addresses appropriately.
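The ACL mistake described above, in its original and corrected form, together with a classifier for the three private spaces listed in the Security section. This is an added example, not code from the original page or from the Digital Library or Banner Student systems. Because private addresses are translated only at the border and only for Internet traffic, an internal application sees the client's 10.x address directly, so that is the address the rule has to accept. The ranges 129.170.0.0/16, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are from the page; the sample client addresses are constructed.

```python
"""Added example (not code from the original page): an access rule that treats
only 129.170.x.x as Dartmouth, beside the corrected rule that also accepts the
10/8 internal range, plus a classifier for the private spaces the page lists.
The network ranges are from the page; the sample client addresses are constructed."""
import ipaddress
from typing import Callable, List

DARTMOUTH_PUBLIC = ipaddress.ip_network("129.170.0.0/16")
DARTMOUTH_PRIVATE = ipaddress.ip_network("10.0.0.0/8")

# The page's breakdown of the private spaces and the role assigned to each.
PRIVATE_SPACES = {
    ipaddress.ip_network("10.0.0.0/8"): "Dartmouth",
    ipaddress.ip_network("172.16.0.0/12"): "Dartmouth remote",
    ipaddress.ip_network("192.168.0.0/16"): "Non-Dartmouth",
}

# Constructed sample client addresses as an internal application would see them.
SAMPLE_CLIENTS = ["129.170.10.20", "10.5.6.7", "172.20.0.1", "192.168.1.10", "198.51.100.9"]


def classify(address: str) -> str:
    """Name the space an address falls in, using the page's labels."""
    ip = ipaddress.ip_address(address)
    for network, role in PRIVATE_SPACES.items():
        if ip in network:
            return role
    if ip in DARTMOUTH_PUBLIC:
        return "Dartmouth public"
    return "Internet"


def old_acl_allows(address: str) -> bool:
    """The rule as originally deployed: only the public range counts as Dartmouth,
    so a user on a 10.x.x.x subnet is rejected."""
    return ipaddress.ip_address(address) in DARTMOUTH_PUBLIC


def corrected_acl_allows(address: str) -> bool:
    """Corrected rule: the public range and the 10/8 internal range are both
    Dartmouth. 172.16/12 is left out because the page says its use is still
    being planned; it would be added here once assigned."""
    ip = ipaddress.ip_address(address)
    return ip in DARTMOUTH_PUBLIC or ip in DARTMOUTH_PRIVATE


def wrongly_rejected(rule: Callable[[str], bool], addresses: List[str]) -> List[str]:
    """Addresses that belong to Dartmouth (public or 10/8) but that the rule rejects."""
    dartmouth = ("Dartmouth", "Dartmouth public")
    return [a for a in addresses if classify(a) in dartmouth and not rule(a)]


if __name__ == "__main__":
    print("old rule wrongly rejects:", wrongly_rejected(old_acl_allows, SAMPLE_CLIENTS))
    print("corrected rule wrongly rejects:", wrongly_rejected(corrected_acl_allows, SAMPLE_CLIENTS))
```

Run against the sample list, the old rule wrongly rejects 10.5.6.7 while the corrected rule rejects nothing that belongs to Dartmouth; both still reject the 192.168.1.10 and 198.51.100.9 clients, so the correction widens the rule only to the internal range the page says is in use.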

Additionally, any network re-addressing (public to public, public to private, private to public, private to private) will impact systems with statically assigned addresses. As long as those systems have been assigned fully-qualified domain names (FQDN), and clients accessing those systems use the FQDNs, the change will be transparent. As an example, you should refer to a printer by its FQDN (for example, printername.dartmouth.edu) and not by its IP address when you set up the printer.

03/17/08

Last Updated: 3/24/08