课程: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Public and private addressing

课程: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

开始一个月试用 购买团队方案

Public and private addressing

- [Instructor] As we've discussed throughout this course, IP addresses uniquely identify systems on a network. TCP/IP-compatible devices use these addresses to correctly route packets across networks, but how are those addresses originally assigned? Well, IP addresses come in two forms: public addresses, which are assigned by a central network authority and may be used to reach systems located across the internet; and private addresses, which are available for anyone's use, but may only be used on local networks and will not work across the internet. Let's begin by discussing public IP addresses. These addresses are centrally managed by a group known as the Internet Corporation for Assigned Names and Numbers, or ICAN. ICAN breaks addresses up into blocks and gives them out to regional authorities in different countries for distribution. These regional authorities each take responsibility for a specific geographic area of the world. For example, the American Registry for Internet Numbers, ARIN, governs the distribution of IP addresses in the United States and Canada. One of the major issues with IP addresses is the fact that they are a scarce resource, especially when it comes to the traditional dotted quad IPv4 addresses. There are no large blocks of IPv4 addresses available for assignment, and the only way to get these public addresses today is by purchasing or renting them from other organizations, such as an internet service provider. In the early days of IP networking, many organizations would simply obtain a large block of public IP addresses and use them on all of their systems. For example, if an organization owned the 8.1.0.0 network, they might have just freely handed out those addresses on their network. The scarcity of IP addresses combined with security concerns makes this impractical today. Now, why are these addresses so scarce? With a dotted quad notation of IPv4, there are only 4.3 billion possible IP addresses. Now, while that may sound like a lot, Cisco estimates that there are currently around 7.5 billion mobile devices alone in the world. That count doesn't even include servers, desktop computers, networked appliances, or other non-mobile devices. There simply aren't enough possible addresses in IPv4 to assign every device in the world a unique one. The solution to this dilemma is the use of private IP address ranges. When ICAN's predecessor organizations divided up the original IP address space, they reserved three different address ranges for use on private networks. These ranges are the 10 network from 10.0.0.1 to 10.255.255.255, the 172 network portion from 172.16.0.1 to 172.31.255.255, and the 192.168 network from 192.168.0.1 to 192.168.255.255. These ranges are called private IP address ranges, and anyone can use addresses from these ranges on their local networks. The only catch is that they are reserved for use on those private networks and cannot be used for routing traffic across the internet. Today, organizations typically use a balance of public and private IP addresses. They use private addresses broadly within their private networks, assigning them to all of their internal systems. They then use a small number of public IP addresses for systems that require public access. In the case of this network that formerly used public addresses from the 8. range, administrators might instead assign private addresses from the 192.168 range. Now, you might have noticed one problem with this approach. Systems that have private IP addresses cannot communicate on the internet using those addresses because those addresses are not routable. Thousands of organizations around the world use those addresses on their internal networks, so remote systems would have no way of telling where reply traffic should actually go. The solution to this is a technology known as network address translation, or NAT. Routers and firewalls perform NAT translation at the border of a network. When a system with a private IP address, such as this laptop with private address 192.168.1.1, wants to communicate on the internet, the NAT device lends the system a public IP address temporarily for that communication. It then records the public and private IP address translation in a table, and when a reply comes in for the public address, the NAT device looks up the corresponding private address in the table, routing the packet to the correct system on the private network. NAT does introduce new security concerns. It brings the privacy benefit of hiding internal IP addresses from the public internet and limiting direct access to systems, but it also makes it difficult to correlate activity on a public IP address back to the true originator. For this reason, most organizations maintain logs of their NAT translations that allow them to determine which device was using a particular public IP address at any given time. NAT is a very useful technology, but it's somewhat limited because it requires a public IP address for every system on the network that needs to communicate on the internet. Since most organizations have a limited pool of public addresses, they can quickly run into a situation where that pool is exhausted and no new systems can communicate on the internet. Port address translation, or PAT, solves this problem by allowing multiple systems to share the same public address. Instead of recording translations between IP addresses, PAT assigns each connection a different port on a public IP address. This way, many different systems can share the same public IP address at any point in time.

内容