In one of the previous organizations I worked for, all of our IP addresses were in a public IP range. So, is there any advantage to having public IP addresses for a private network?
4 Answers
Advantages of public IP addresses:
- Your routers don't need to handle NAT (Network Address Translation).
- Your applications don't need to deal with the protocol issues that arise from NAT.
- Any device can provide services to the internet without configuring port forwarding rules (subject to any firewalls in place).
Disadvantages of public IP addresses:
- You don't get the built-in security of a private address -- that is, if devices don't have a public address, they can't be accessed from the internet (without specific port forwarding rules or address mappings).
- IPv4 addresses are a limited and increasingly expensive resource.

- @Tom: I agree with your answer except for the part about accessing internal hosts from the outside. Using routable addresses internally doesn't make those hosts any more accessible from the internet without specific forwarding rules than when using RFC 1918 addresses and NAT. – joeqwerty May 26 '11 at 11:03
- @joeqwerty: Interesting - what makes you say that? – Tom Shaw May 26 '11 at 11:11
- How would an internal host using a routable IP address be accessible from the internet without an explicit firewall rule allowing that inbound access? The firewall is a security boundary; incoming connections originating from the outside should be blocked except when there's a firewall rule allowing said inbound connection to a specific internal IP address and port. We use routable IP addresses on our network and I can tell you that you can't get to any of our internal hosts from the outside unless there's a firewall rule allowing such access. – joeqwerty May 26 '11 at 12:24
- I agree with everything you say, so maybe I was ambiguous about what I meant by talking about forwarding rules without mentioning firewall rules. I'll try and make it clearer. – Tom Shaw May 26 '11 at 13:26
- @Joe - if there's no firewall, there doesn't need to be any forwarding :-) – mfinni May 26 '11 at 14:03
- @mfinni: I'm not following. Was there a mention of there being no firewall or am I misunderstanding what you're saying? – joeqwerty May 26 '11 at 15:56
- @Joe - the question doesn't say anything about a firewall. You could just have a routed network with public IPs and no firewall (even though that would be insane today). – mfinni May 26 '11 at 16:07
- @mfinni: Gotcha. I assumed too much when reading the question. – joeqwerty May 26 '11 at 16:21
- @Joe - it's like a Microsoft exam question :-) Don't fill in the gaps with best practices, just stick with the scenario given, as unlikely as it might be. – mfinni May 26 '11 at 16:39
- There is no "built-in security of NAT". NAT's job is to make things "just work". The security comes from firewalling, which is often included with NAT but doesn't need to be (permissive NAT does exist). The advantage of public IP addresses is that a lack of a stateful firewall is more likely to be noticed because it will break things rather than just compromising security. – David Schwartz Aug 29 '14 at 01:41
- Updated to say "built-in security of a private address". I agree that NAT itself doesn't provide security. The point I was making is that a public address is accessible from the internet unless it is blocked (e.g. a firewall), whereas a private address is not accessible from the internet unless you specifically make it accessible (e.g. permissive NAT or port forwarding). – Tom Shaw Aug 29 '14 at 05:37
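The point the comments converge on (reachability comes from the firewall's default-deny policy, not from NAT) can be made concrete with a small connection-tracking simulator. This is an added example, not code from the question or any of the answers; the LAN prefix 203.0.113.0/24 (a documentation range standing in for an organization's own allocation), the published web server at 203.0.113.20:443 and the packet trace are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the internal LAN holds a public prefix and is routed,
# not NATed. Documentation range stands in for a real allocation.
LAN = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Default-deny forwarding policy with connection tracking.

    Hosts inside LAN may open connections outward; replies to those
    connections are accepted as established; anything else arriving from
    outside is dropped unless (dst, dport) is explicitly allowed.
    """

    def __init__(self, lan, allow_inbound=()):
        self.lan = lan
        self.allow_inbound = set(allow_inbound)   # explicit inbound exceptions
        self.conntrack = set()                    # 5-tuples of tracked connections

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.lan

    def forward(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "accept"                       # established/related
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            self.conntrack.add(flow)              # new outbound connection creates state
            return "accept"
        if not self._inside(pkt.src) and self._inside(pkt.dst):
            if (pkt.dst, pkt.dport) in self.allow_inbound:
                self.conntrack.add(flow)          # explicitly published service
                return "accept"
        return "drop"                             # default policy


def run_trace(firewall, packets):
    return [firewall.forward(p) for p in packets]


# Constructed trace: outbound HTTPS and its reply, then three unsolicited
# inbound attempts against hosts that all carry public addresses.
TRACE = [
    Packet("tcp", "203.0.113.10", 50000, "198.51.100.5", 443),  # LAN host opens HTTPS
    Packet("tcp", "198.51.100.5", 443, "203.0.113.10", 50000),  # reply to that connection
    Packet("tcp", "192.0.2.7", 40000, "203.0.113.10", 22),      # unsolicited SSH to LAN host
    Packet("tcp", "192.0.2.7", 40001, "203.0.113.20", 443),     # published web server
    Packet("tcp", "192.0.2.7", 40002, "203.0.113.20", 22),      # SSH to web server, not published
]


def firewalled_verdicts():
    fw = StatefulFirewall(LAN, allow_inbound={("203.0.113.20", 443)})
    return run_trace(fw, TRACE)


if __name__ == "__main__":
    for p, v in zip(TRACE, firewalled_verdicts()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}: {v}")
```

Remove the firewall (a plain router, which is the scenario mfinni describes) and every packet in the trace is forwarded, which is exactly the difference between "accessible unless blocked" and "inaccessible unless mapped" that the last two comments draw.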
To expand a bit on Tom Shaw's answer. The end-to-end principle is a fundamental design paradigm of IP networking. The idea is that the "intelligence" in connectivity is aggregated at the end-points of a connection and all the stuff, the switches, routers, etc. in between, is "dumb" in an attempt to limit the number of things that can break. The IP protocol and its stateless nature is an example of this. The old Ma Bell telephone infrastructure is an example of the opposite approach. The end-points are "dumb" and the infrastructure has the "intelligence".
NAT utterly breaks this principle by creating and holding state, translating IPs and doing a number of other things. Some application protocols will handle this gracefully, others will not (for example: FTP, SIP/RTP and some peer-to-peer protocols). NAT also adds another layer of complexity to building and managing your edge devices.
There's nothing intrinsically wrong with using public IP addresses for a private network (I have worked with a few state governmental agencies that do this), provided they are actually allocated and assigned to you or your organization.
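FTP is the classic example of a protocol NAT breaks, because active-mode FTP carries the client's own address inside the PORT command: a NAT rewrites the IP header but not the payload, so the server is told to open its data connection to an RFC 1918 address it cannot reach. The following is an added illustration, not code from the answer above; the packet dictionary, the client at 10.0.0.5, the public address 203.0.113.1 and the one-to-one port mapping assumed by the hypothetical `ftp_alg` fix-up are all constructed for the example.

```python
import ipaddress
import re

# RFC 959 PORT syntax: four address octets, then the port as p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_port_command(ip, port):
    """Inverse of parse_port_command."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def source_nat(pkt, public_ip, ftp_alg=False):
    """Rewrite the IP header's source address, as a plain NAT does.

    The payload is untouched unless ftp_alg is set; that hypothetical
    application-level gateway rewrites the PORT payload too, assuming for
    simplicity that the data port maps one-to-one through the NAT.
    """
    out = dict(pkt, src=public_ip)
    if ftp_alg:
        _, port = parse_port_command(pkt["payload"])
        out["payload"] = format_port_command(public_ip, port)
    return out


def server_data_target(pkt):
    """Where the FTP server will try to open the data connection: whatever the payload says."""
    return parse_port_command(pkt["payload"])


def diagnose(pkt):
    """Compare what the header says with what the payload says."""
    ip, _ = server_data_target(pkt)
    if ip == pkt["src"]:
        return "ok"                       # end-to-end consistent
    if any(ipaddress.ip_address(ip) in n for n in RFC1918):
        return "broken-private-target"    # server would dial an unreachable address
    return "mismatch"


# Constructed packet: client 10.0.0.5 announces data port 50000 (195*256 + 80).
CLIENT_PKT = {"src": "10.0.0.5", "dst": "198.51.100.21", "payload": "PORT 10,0,0,5,195,80\r\n"}
PUBLIC_IP = "203.0.113.1"

if __name__ == "__main__":
    print("plain NAT:", diagnose(source_nat(CLIENT_PKT, PUBLIC_IP)))
    print("NAT + ALG:", diagnose(source_nat(CLIENT_PKT, PUBLIC_IP, ftp_alg=True)))
```

A host that holds a public address end to end never hits this case: header and payload agree without any middlebox having to understand FTP, which is the practical content of the end-to-end argument above.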
No. And in fact it can be a problem if you want to access public resources that have the same address as a machine on your private network.
Now if the machines truly were connected directly to the Internet via a public address then protocols that normally wouldn't work well over NAT would work properly.

- Only a problem if the organization does not own the public IP addresses. Some old and big organizations have large IP address spaces but still route some of those only internally and they are not contactable from the outside. – user53747 May 26 '11 at 06:58
- Even some not-so-big ones... we got a Class C back when they were class C's and it's still assigned to us. I used to boast about having a single digit in my NIC handle and that still lives on at ARIN. So the "old" part of your is correct! – Ward - Trying Codidact May 27 '11 at 03:09
If you and one of your vendors (for example) use the same internal IP scheme, then creating site-to-site IPsec VPNs can be tricky, especially when using VPN equipment made by different vendors. One way around this is to use a public IP address (that you own) internally to avoid these types of conflicts.

- I agree with the idea (I've seen the same problem in corporate mergers: overlapping address spaces), but didn't you mean to say that companies should use public IP addresses for this reason? You can't own a non-public address. – Tom Shaw May 26 '11 at 14:13
- RFC 4193 has a solution for that kind of address conflicts (once you have upgraded to IPv6). – kasperd Sep 01 '14 at 05:51
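Two of the answers above describe address-space problems that are easy to check for before they bite: overlapping prefixes between two sites that want a VPN (this answer), and public addresses used internally that either belong to someone else or shadow real internet hosts (the "No." answer and the comment about owning the block). The following audit helpers are an added example, not code from any answer; the site prefixes, the "owned" allocation 203.0.113.0/24 and the destination list are constructed. RFC 1918 space is matched explicitly rather than via `is_private`, because Python's `is_private` also flags documentation ranges and other special-use blocks.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)


def overlapping_prefixes(site_a, site_b):
    """Pairs of prefixes, one from each site, that share addresses.

    Any hit means a site-to-site tunnel cannot route both sides unambiguously
    without address translation on one end.
    """
    nets_a = [ipaddress.ip_network(p) for p in site_a]
    nets_b = [ipaddress.ip_network(p) for p in site_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def audit_internal_prefixes(internal, owned):
    """Classify each internal prefix as RFC 1918 space, public space the
    organization holds an allocation for, or public space belonging to someone else."""
    owned_nets = [ipaddress.ip_network(p) for p in owned]
    result = {}
    for p in internal:
        net = ipaddress.ip_network(p)
        if is_rfc1918(net):
            result[p] = "rfc1918"
        elif any(net.subnet_of(o) for o in owned_nets):
            result[p] = "owned-public"
        else:
            result[p] = "squatted-public"
    return result


def shadowed_destinations(internal, destinations):
    """Internet hosts that internal routing would capture because the same
    addresses are in use inside the network."""
    nets = [ipaddress.ip_network(p) for p in internal]
    return [d for d in destinations if any(ipaddress.ip_address(d) in n for n in nets)]


# Constructed inputs: our site, a vendor's site, and the block we actually hold.
OUR_SITE = ["10.0.0.0/16", "203.0.113.0/24"]
VENDOR_SITE = ["10.0.0.0/8", "172.16.5.0/24"]
OUR_ALLOCATION = ["203.0.113.0/24"]

if __name__ == "__main__":
    print("VPN conflicts:", overlapping_prefixes(OUR_SITE, VENDOR_SITE))
    print("prefix audit:", audit_internal_prefixes(OUR_SITE + ["198.51.100.0/24"], OUR_ALLOCATION))
    print("shadowed:", shadowed_destinations(["198.51.100.0/24"], ["198.51.100.7", "192.0.2.9"]))
```

The overlap check is what the VPN answer is really about: the owned public prefix never collides with the vendor's RFC 1918 space, while the two 10/8-derived prefixes do. The audit separates the legitimate case (an allocation assigned to you) from the problematic one (someone else's public block), and the shadowing check shows the consequence of the latter that the "No." answer warns about.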