Private IP Addresses at LBL

This document describes how private IP addresses are managed and allocated in the main LBL network.  This is the network that is provided to desktops, labs, and instruments in the Berkeley and Emeryville buildings managed by LBL that are in Autonomous System 16 and typically have public IPv4 addresses in the 128.3.0.0/16 and 131.243.0.0/16 ranges or IPv6 addresses in the 2620:83:8000::/48 range.  This does not cover the separate LBL visitor wireless and eduroam network or the networks managed by ESnet and NERSC, all of which are separate autonomous systems on the Internet.

IPv4

Because the number of possible unique IPv4 addresses is limited, IANA has set aside a set of those addresses for re-use by any organization within its own network, as documented in RFC 1918.

The address ranges set aside for these uses within an organization are:

  • 10.0.0.0        -   10.255.255.255  (10/8 prefix)

  • 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)

  • 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

While hosts using addresses from these ranges cannot talk to other hosts across the Internet, according to RFC 1918 they may be able to talk to other hosts on other subnets within their own enterprise network:

"... an enterprise needs to determine which hosts do not need to have network layer connectivity outside the enterprise in the foreseeable future and thus could be classified as private. Such hosts will use the private address space defined above [in RFC 1918]. Private hosts can communicate with all other hosts inside the enterprise, both public and private."

In the main LBL network we manage and allocate private addresses based on three categories.

Never Routed Within LBL

These addresses may be used by anyone at LBL for private networks without conflicting with subnets that may be available in the routed portion of the main LBL network.

  • 10.0.0.0 - 10.15.255.255 (10.0.0.0/12)

  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Hosts using IP addresses from these ranges will never be able to natively talk with other hosts across the LBL enterprise network -- they will always either be limited to their own subnet or will need to use a Network Address Translation (NAT) service to translate their address to a routed address for communications with other subnets.

The main LBL Domain Name Service (DNS) servers and zones will not register any hosts with IP addresses using addresses from these ranges, nor will they return useful values for reverse lookups for these IP addresses.

Systems on the LBL network should never expect to need to access services provided from addresses in these ranges, and if providing a service (e.g. website, file share, licensing server) should never expect LBL hosts to attempt to access their service using an address from these ranges.

Internal IT Division Infrastructure

These addresses may be used by LBL IT Division infrastructure in a manner that is routed across the LBL site.  However, systems outside of the IT Division are never expected to need to know about or talk to any systems using these addresses, so re-using these same addresses for private, un-routed networks may not cause problems for many users.

  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

Even though use of these addresses may not cause problems, users needing IPv4 addresses for networks that will not be routed are strongly encouraged to use addresses from the ranges listed above as “Never Routed Within LBL”.

The main LBL Domain Name Service (DNS) servers and zones will provide forward and reverse entries for hosts assigned addresses in these ranges, but only for queries that are initiated from within the main LBL network.  Regular forward records will all live inside of private zones like private.lbl.gov that are not visible from the Internet or other networks (including NERSC, ESnet, etc.).

Most systems on the LBL network not managed by the IT Division can generally expect not to need to access services provided from addresses in these ranges, and, if providing a service (e.g. website, file share, licensing server), can generally assume that LBL hosts will not attempt to access their service using an address from these ranges.


May be Routed within LBL

These addresses may be assigned by the IT Division for use within the LBL network (including extensions of the LBL network to offsite colocation locations and into virtual private networks in cloud environments).  Use of addresses in these ranges when not assigned by the LBLnet Services Group from the IT Division may cause connectivity problems at any point in the future, because IT services may be provided using these addresses and client systems that need access to arbitrary systems on the LBL network may be assigned addresses from these ranges.

  • 10.16.0.0 - 10.31.255.255 (10.16.0.0/12)

  • 10.32.0.0 - 10.63.255.255 (10.32.0.0/11)

  • 10.64.0.0 - 10.127.255.255 (10.64.0.0/10)

  • 10.128.0.0 - 10.255.255.255 (10.128.0.0/9)

The main LBL Domain Name Service (DNS) servers and zones will provide forward and reverse entries for hosts assigned addresses in these ranges, but only for queries that are initiated from within the main LBL network.  Regular forward records will all live inside of private zones like private.lbl.gov that are not visible from the Internet or other networks (including NERSC, ESnet, etc.).

Systems on the LBL network may expect to need to access services provided from addresses in these ranges, and if providing a service (e.g. website, file share, licensing server) should expect LBL hosts may attempt to access their service using an address from these ranges.

The use of routed private (RFC 1918) addresses alone is not a replacement for either host-based or network-based firewalls/access control lists: a private address only keeps a host unreachable from the Internet, not from other hosts inside the enterprise network.

IPv6

Because IPv6 does not have the constraints on the number of available unique addresses that exist in IPv4, there are fewer reasons to use private addresses instead of publicly routable addresses, and the IT Division has no plans to ever route addresses in the LBL enterprise network that are not globally routable and globally unique.

Unique Local Addresses


RFC 4193 defines a method of self-allocating blocks of IPv6 private addresses that have a high chance of not conflicting with other nearby private networks.  Addresses assigned through the current version of this RFC will be in this range:

  • fd00::/8  (fd00:: - fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)


The LBL IT Division has no plans to route any addresses in these ranges within the LBL network, and departments or users should be able to assign themselves an address block from that range as documented in RFC 4193 with a low chance of any future conflicts.
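The self-allocation method RFC 4193 describes is short enough to show in full.  The following is an added example written for this page, not code from LBL or the IT Division: it takes the current time in 64-bit NTP format, a modified EUI-64 derived from a MAC address, SHA-1 hashes the two together, keeps the low 40 bits as the Global ID, and prepends fd00::/8 to obtain the /48 prefix a department would use.  The MAC address and timestamp in the demonstration are constructed values so the result is reproducible; in practice you would use your own interface's MAC and the current time.

```python
import hashlib
import ipaddress
import struct
import time
from typing import List, Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def ntp64_timestamp(unix_time: float) -> bytes:
    """RFC 4193 step 1: the time of day in 64-bit NTP format,
    32-bit seconds since 1900 followed by a 32-bit fraction of a second."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)


def eui64_from_mac(mac: str) -> bytes:
    """RFC 4193 step 2: a modified EUI-64 built from a 48-bit MAC as in RFC 4291
    Appendix A -- insert FF:FE between the OUI and the device part and flip the
    universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def rfc4193_global_id(mac: str, unix_time: float) -> int:
    """Steps 3-5: SHA-1 over (timestamp || EUI-64); the Global ID is the
    least significant 40 bits of the 160-bit digest."""
    key = ntp64_timestamp(unix_time) + eui64_from_mac(mac)
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def rfc4193_prefix(mac: str, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Step 6: fc00::/7 with the L bit set (i.e. fd00::/8) followed by the
    40-bit Global ID gives the site's /48 Local IPv6 prefix."""
    if unix_time is None:
        unix_time = time.time()
    global_id = rfc4193_global_id(mac, unix_time)
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def subnet_ids(prefix: ipaddress.IPv6Network, count: int) -> List[ipaddress.IPv6Network]:
    """The first `count` /64 subnets of a /48 ULA prefix, the unit a site
    then hands out to individual links."""
    base = int(prefix.network_address)
    return [ipaddress.IPv6Network((base | (i << 64), 64)) for i in range(count)]


if __name__ == "__main__":
    # Constructed sample inputs (made-up MAC, fixed timestamp) for a reproducible run.
    prefix = rfc4193_prefix("02:00:5e:10:00:01", unix_time=1_700_000_000.0)
    print("ULA /48 prefix:", prefix)
    for sub in subnet_ids(prefix, 3):
        print("  subnet:", sub)
```

Because the Global ID is a hash of a timestamp and a hardware identifier, two departments following the procedure independently get different prefixes with overwhelming probability, which is what makes the "low chance of conflicts" claim above hold; picking a memorable prefix such as fd00:1::/48 by hand throws that property away.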

The main LBL Domain Name Service (DNS) servers and zones will not register any hosts with IP addresses using addresses from these ranges, nor will they return useful values for reverse lookups for these IP addresses.

Systems on the LBL network should never expect to need to access services provided from addresses in these ranges, and if providing a service (e.g. website, file share, licensing server) should never expect LBL hosts to attempt to access their service using an address from these ranges.

Private Globally Unique Addresses


LBL has been assigned a block of IPv6 addresses that we intend to use as globally unique but private addresses:


  • 2620:83:800f::/48  (2620:83:800f:: - 2620:83:800f:ffff:ffff:ffff:ffff:ffff)

The LBL IT Division has no plans to route any addresses in these ranges within the LBL network.  Subnets or blocks of subnets within this range may be assigned by the LBL IT Division for use by a department.  No addresses from this range should be used unless the range has been assigned for that purpose by the IT Division.


The main LBL Domain Name Service (DNS) servers and zones will provide forward and reverse entries for hosts assigned addresses in these ranges, but only for queries that are initiated from within the main LBL network.  Regular forward records will all live inside of private zones like private.lbl.gov that are not visible from the Internet or other networks (including NERSC, ESnet, etc.).


Systems on the LBL network should never expect to need to access services provided from addresses in these ranges, and if providing a service (e.g. website, file share, licensing server) should never expect LBL hosts to attempt to access their service using an address from these ranges.
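To make the IPv4 and IPv6 categories above easy to apply, here is an added example (written for this page; it is not an LBL tool) that transcribes the ranges listed in this document into a small classifier.  It answers the two questions a group picking addresses usually has: which category does a given address fall into, and is a proposed subnet for a private, un-routed network (an instrument LAN, a NATed cluster, a NATed cloud VPC) entirely inside the "Never Routed Within LBL" space, or would it collide with ranges the IT Division may route or already uses.  A third helper flags addresses that, per the text above, should never be seen as sources on the routed LBL network.  The public ranges come from the introduction; the ranges are assumed current as of this page and should be confirmed with the LBLnet Services Group before being relied on.

```python
import ipaddress
from typing import Dict, List, Tuple


def _nets(*cidrs: str) -> list:
    return [ipaddress.ip_network(c) for c in cidrs]


# Address categories exactly as listed on this page (assumed current).
CATEGORIES: Dict[str, list] = {
    "Never Routed Within LBL": _nets("10.0.0.0/12", "192.168.0.0/16"),
    "Internal IT Division Infrastructure": _nets("172.16.0.0/12"),
    "May be Routed within LBL": _nets("10.16.0.0/12", "10.32.0.0/11",
                                      "10.64.0.0/10", "10.128.0.0/9"),
    "Unique Local Addresses": _nets("fd00::/8"),
    "Private Globally Unique Addresses": _nets("2620:83:800f::/48"),
    # Typical public LBL ranges named in the introduction.
    "Public LBL": _nets("128.3.0.0/16", "131.243.0.0/16", "2620:83:8000::/48"),
}

NEVER_ROUTED = "Never Routed Within LBL"
# Categories the page says are never routed and never expected on the LBL network.
NEVER_ON_ROUTED_NETWORK = (NEVER_ROUTED, "Unique Local Addresses")


def classify(address: str) -> str:
    """Return the category this page assigns to a single IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(address)
    for name, nets in CATEGORIES.items():
        if any(ip in net for net in nets):
            return name
    return "Outside listed ranges"


def check_unrouted_subnet(cidr: str) -> Tuple[bool, str]:
    """Validate a subnet proposed for a private, un-routed network.
    Passes only if the subnet lies wholly inside a never-routed range;
    otherwise reports every routed or IT-reserved range it overlaps."""
    net = ipaddress.ip_network(cidr, strict=False)
    for never in CATEGORIES[NEVER_ROUTED]:
        if net.version == never.version and net.subnet_of(never):
            return True, f"{net} lies inside never-routed {never}"
    conflicts = [
        f"{name} ({other})"
        for name, nets in CATEGORIES.items() if name != NEVER_ROUTED
        for other in nets
        if net.version == other.version and net.overlaps(other)
    ]
    if conflicts:
        return False, f"{net} overlaps " + ", ".join(conflicts)
    return False, f"{net} is not inside any never-routed range"


def unexpected_on_routed_network(addresses: List[str]) -> List[str]:
    """Given source addresses observed on a routed LBL subnet (e.g. from flow
    logs), return those from ranges the page says should never appear there:
    a sign of a missing NAT or a misconfigured host."""
    return [a for a in addresses if classify(a) in NEVER_ON_ROUTED_NETWORK]


if __name__ == "__main__":
    for a in ("10.1.0.7", "10.20.3.4", "172.20.1.1",
              "2620:83:800f:1234::100", "fd12:3456:789a::1", "8.8.8.8"):
        print(f"{a:26} -> {classify(a)}")
    # Prefixes taken from this page's Examples: 10.4.0.0/16 for a NATed VPC,
    # 192.168.0.0/24 for an instrument LAN; the other two are deliberate misfits.
    for cidr in ("10.4.0.0/16", "192.168.0.0/24", "10.16.0.0/24", "10.0.0.0/8"):
        ok, why = check_unrouted_subnet(cidr)
        print(("OK  " if ok else "NO  ") + why)
    # Constructed sample of source addresses seen on a routed subnet.
    print(unexpected_on_routed_network(
        ["10.20.3.4", "192.168.1.9", "fd12::1", "131.243.5.6"]))
```

Note that 10.0.0.0/8 as a whole fails the subnet check even though part of it is never-routed: a cluster or VPC that configures the entire /8 as "local" would black-hole traffic to the "May be Routed within LBL" ranges, which is precisely the connectivity problem the text warns about.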

Examples

Instrument on a Private Network

A sensitive scientific instrument needs to be protected from the Internet and only available for use from one Windows management workstation.  The Windows management workstation has two network interfaces -- one with a regular public address from the LBLnet subnet available at the wall jack in the lab, and one on a private network that uses a small local switch that connects the Windows management workstation to the scientific instrument.  For that private subnet the Windows management workstation and the scientific instrument should use an address from the “Never Routed Within LBL” ranges such as 192.168.0.0/24, 10.0.0.0/24, 10.1.0.0/24.

Cluster behind a Firewall

A cluster of compute nodes lives on a private subnet.  There is a bastion/gateway system that has two network connections, one on the regular public LBLnet subnet available in the building and one on the private subnet with the compute nodes.  The compute nodes can make outgoing connections to the Internet to download software updates, get network time, or do DNS lookups by routing their traffic through the bastion/gateway system.  The bastion/gateway system translates the traffic from the nodes on the private subnet using NAT, and that traffic shares the one public address of the bastion/gateway system.  The private subnet with the compute nodes and the inside interface of the bastion/gateway system should use an address from the “Never Routed Within LBL” ranges such as 192.168.0.0/24, 10.0.0.0/24, 10.1.0.0/24.

VPC in a Cloud Service with a NATed Site-to-Site VPN to LBL

A project has a collection of cloud resources in a VPC hosted by the cloud provider.  They utilize a site-to-site VPN connection with a NAT gateway to allow their resources in the VPC to access certain resources inside the LBL enterprise network (e.g. licensing server, file share, intranet web services).  They should utilize network blocks from the “Never Routed Within LBL” ranges such as 10.4.0.0/16 to provide addresses for the different subnets within their VPC.

VPC in a Cloud Service with an un-NATed Site-to-Site VPN to LBL

A project has a collection of cloud resources in a VPC hosted by the cloud provider.  They utilize a site-to-site VPN connection without a NAT gateway to allow their resources in the VPC to access certain resources inside the LBL enterprise network (e.g. licensing server, file share, intranet web services) and to allow systems on the LBL enterprise network to access resources within the VPC.  They should request an allocation from the IT Division from the “May be Routed within LBL” ranges to provide addresses for the different subnets within their VPC.  The IT Division would assign a specific prefix or range for their use and coordinate routing those addresses into the LBL enterprise network and setting up Cyber Security visibility for the traffic between the cloud VPC and the main LBL enterprise network.

Private Storage Network

The XYZ project has a cluster of virtualization hosts that utilizes shared storage from a network storage appliance.  In addition to their primary, public network interface, each virtualization host has a high speed dedicated network interface for a private storage network that consists only of the virtualization hosts and the storage appliance.  The project could request an allocation of a subnet from the “Private Globally Unique Addresses” address ranges and then assign host addresses using the LBL IP Request DNS management system.  This would allow them to use hostnames like storage1.xyz.private.lbl.gov for their storage appliance instead of an IP address like 2620:83:800f:1234::100.

Split Tunnel VPN Services

The IT Division may offer a split tunnel remote access VPN service.  This would mean that VPN clients would connect from home to the LBL split tunnel VPN service and use two different IP addresses -- their regular home system IP address for traffic to most of the Internet, and an address assigned by the VPN service over the VPN tunnel to access resources on the main LBL network.  This service could use a pool of client addresses from the “May be Routed within LBL” range, and when the clients connected to services on the LBL network (e.g. license servers, file shares, intranet sites) they would be using an address from that pool.


Further Information or Assistance

For further information or assistance with issues related to the use of private addresses at LBL please contact [email protected]
