Internet Protocol (IP) addresses

The Internet Protocol (IP) transmits packets from one node on an IP network to another. This requires that both nodes have their own unique address: the IP address. There are two versions of IP: version 4 and version 6. In the past IP addresses (version 4) were managed using classes but now, especially with IP version 6, classless addressing is used more often.

Certain addresses are defined as for local use only. Such private networks cannot communicate with the rest of the Internet directly. The Network Address Translation (NAT) scheme is used to allow such networks access to the public Internet.

IP address structure

On Internet Protocol (IP) networks such as the Internet itself, data is sent in packets. Each packet carries the addresses of the source and the destinations. These addresses on IP networks are then of course called IP addresses. Every node (computer) on an IP network needs to have its own IP address.

As humans usually prefer to use names, applications such as Web browsers will need to translate those names (using DNS) into IP addresses before they can communicate with the host in question.

IP version 4 addresses

IP version 4 (IPv4) is the main version of the Internet Protocol. This version is currently used by almost all IP networks. An IP version 4 address is a 32-bit number that is typically written as four decimal numbers separated by periods. An example is "".

As a convention, an IP address that ends in ".1" usually refers to a gateway or router on a particular network. An address that ends in ".255" is a so-called broadcast address: all devices in the same network should handle packets addressed to the broadcast address.

IP version 6 addresses

IP version 6 (IPv6) addresses were introduced because the old IP version 4 addresses were in danger of running out. An IP version 6 address is a 128-bit number that is typically written as eight groups of four hexadecimal digits. The groups are separated by colons. An example is "2001:610:113b:50a1::136".

Class-based IP addresses

Originally, when the Internet Protocol was first defined, IP (version 4) addresses were handed out to organizations in blocks. There are three classes of blocks: Class A, Class B and Class C. The higher the class, the larger the number of IP addresses in the block.

The class an IP address belongs to follows from the first decimal number: Class A addresses have numbers between 1 and 127, Class B is between 128 and 191, and Class C is 192 and higher. There are also Class D (224 to 247) and Class E (248-255), but these are rarely used in practice.

The organization is itself responsible for dividing the IP addresses in its assigned block to nodes in its IP network. For example, the Eindhoven University of Technology has been assigned the Class B block of 131.155, and so can use any IP address between and The ".0.0" and ".255.255" addresses are reserved.

It's clear that this method of dividing up the IP address blocks quickly runs out of addresses. A Class B and especially a Class A block gives an enormous amount of addresses to one organization, which probably does not need all of them. However the remaining unneeded parts of the block cannot be reassigned to someone else.

Classless IP addresses

To allow a more fine-grained way of handing out addresses, today most IP version 4 address blocks are handed out as subnets. This approach avoids the class-based division and its coarse-grained distribution of IP addresses. For IPv6, classless assignment is the only way to obtain blocks of IP version 6 addresses.


A block of IP addresses can be divided into smaller, more manageable groups that can each be assigned to different organizations. And even within one organization different subnets can be set up for different networks within the organization.

For example every building could be given its own subnet, or the sales, marketing and R&D departments could be given their own respective subnets. The subnets or local networks can then be managed separately, for example with their own firewalls or separate connections to the Internet.

Subnet masks

Subnets are defined by means of a subnet mask that specifies which parts of an IP address belong to the group, the network, and which parts make up the individual node's address. This requires comparing the IP address and the subnet mask (or just netmask for short) in their binary forms. If a bit of the subnet mask is '1', the corresponding bit in the IP address belongs to the group (subnet). If the subnet bit is '0', the corresponding IP address bit is part of the individual address.

An example: subnetting a Class B netblock

For example, consider the IP address "". This is part of the Class B block "192.168". The standard subnet mask in this block is "", which means there are 65,000 individual IP addresses in this network (these range from to To split this up, the network administrator can define the subnet mask "", which allows the creation of 255 networks with 255 hosts in each network. More flexibility can be obtained with more creative choices of subnets.

Default network

The default subnet mask is "". This makes the IP address "" a part of the network "192.128.100.*". This is determined by comparing bits in the IP address and the subnet mask, as shown in the below table:

Decimal address:         192 .      168 .      100 .        1
Address in binary:  11000000   10101000   01100100   00000001
Binary netmask:     11111111   11111111   11111111   00000000
Network address:    11000000   10101000   01100100   00000000
Address in decimal:      192 .      168 .      100 .        0 

The zero at the end indicates that this is a network address. This is why individual hosts can only have IP addresses ending in 1 or higher.

Changing the subnet mask

The same address can belong to a different network by changing the subnet mask. For example, when the subnet mask is "" instead, the network address now is "192.168.96.*":

Decimal address:         192 .      168 .      100 .        1
Address in binary:  11000000   10101000   01100100   00000001
Binary netmask:     11111111   11111111   11110000   00000000
Network address:    11000000   10101000   01100000   00000000
Address in decimal:      192 .      168 .       96 .        0

This choice of netmask allows 4,095 hosts on a single network, although only 16 of these networks can be created within this block of IP addresses. The fact that this network has the number '96' in its third decimal is misleading: it's actually the sixth network (decimal six in binary is 0110), but because of the four zeroes after the "0110" in the notation above, the third decimal in the IP address becomes "96".

Of course an administrator can use different subnets within one block. This way one network can have 255 nodes and another can have 4,095 hosts. The netmasks should be chosen carefully not to overlap each other of course.

Reserved addresses

Not everyone is interested in building IP-based networks where each node needs an address on the worldwide Internet. Three special ranges (blocks) of IP addresses have been reserved for use in local networks. These "private ranges" or "private addresses" are:

These addresses can always be used in local networks that do not directly connect to the Internet. In fact they are not even supposed to connect to the Internet, and any node that receives messages from outside its own network with one of these addresses as the sender will discard such messages rightaway.

The reserved range of is intended for use on a single node. Addresses in this range are called loopback addresses. Only applications on the same node can send packets to these addresses. This makes it possible, for example, to run a Webserver from the address so changes to a Website can be tested from the Web designer's computer. Other people can never access that Webserver.

These reserved addresses are often used in conjunction with the Network Address Translation (NAT) scheme, sometimes also called "IP Masquerading" or "Network Masquerading". This means the private addresses are mapped to a single public IP address so the nodes with these private addresses can still access the Internet. This way no public IP address block needs to be allocated.

Network Address Translation (NAT)

The Network Address Translation (NAT) scheme is used to "hide" local networks from the public Internet. Essentially, all communication from that local network appears to come from a single node, the NAT gateway. The NAT gateway forwards requests from other nodes in that network, and also pasess on responses from outside to the right node on the internal network.

A network with a NAT gateway

A network with a NAT gateway

As shown in the figure, three computers on a local network have private addresses, and They are connected with a hub which in turn connects to a NAT gateway. If any of these computers contacts the server on the right via the Internet, the server always sees the NAT gateway's IP address (here

The NAT gateway

The NAT gateway is both connected to the local network and to the Internet. It receives the IP packets that are intended for outside nodes. It registers from which local node those packets came, and then replaces the source address with its own, public IP address before forwarding the packets to the real destination.

Incoming packets are also received by the NAT gateway, which determines the real intended destination, replaces the destination address (its own IP address) with the real, local IP address and forwards the packets onto the local network.

On-the-fly NAT address replacement

This on-the-fly address replacement is possible because the NAT gateway examines the IP packets for the TCP or UDP ports mentioned in those packets. In TCP a connection is established between a port on the client and a port on the server. The gateway registers both the local source IP address and the source port. It then replaces the source port number with a new port number it chooses itself. Incoming responses from the external server carry that port number, allowing the gateway to determine to which local host. the packet is to be forwarded.

A problem with NAT is that some application-level protocols do not work well, as they rely on the IP address provided by the real source. Since that is often a private and thus unreachable address, the communication will fail.

IP address assignment

Before a computer or other device can be connected to an IP network, it needs to be assigned an IP address. The most straightforward way is to statically assign the address: simply enter the address (and netmask) into a configuration screen. That address will then be used until it is again manually changed. This works well for small networks or networks that are rarely changed.

Static address assignment

If an IP address is likely to change, or manually updating addressing is problematic, a dynamic assignment is preferred. Here the computer that tries to connect to the network is sent a message from some server telling which IP address and netmask to use.

Dynamic address assignment: DHCP

Dynamic assignment is today most commonly done with the Dynamic Host Configuration Protocol (DHCP). When trying to connect to a network, the computer sends a request for an IP address. The DHCP server receives the request and assigns or "leases" the address to that computer. A special "lease" message, containing the IP address together with netmask and other network configuration information, is then sent to that computer. The lease is valid for a certain period of time, after which the computer will request a new one.

The address in a lease is taken from a certain block, called the pool in DHCP terminology).The address that is sent in such a lease can be the same every time, although this is not required.