5. Allocating IP Addresses

During Installation, you give the machine a name, and a position in the networking world. If you need to allocate your own IP address, here's how ...

If you have an Internet account, you have an IP_address. If you have an Ethernet card installed, it should have an IP address.

If you use Novell, you will also need to invent a Novell address, but I haven't tried that yet.

5.1 PRIVATE LAN IP addresses
5.2 20 LANS per Site
5.3 Registered addresses
5.4 RFC 1918 private addresses
5.5 What is IP and addresses?
5.6 MULTI-ADDRESS machines
5.7 Ethernet addresses (-aka- MAC, DTE)
5.8 So what is Intranet?
5.9 DNS NIS ...


PRIVATE LAN IP addresses

See also: rfc1918 (previously rfc-1597): Address Allocation for Private Internets.

(*) Actually the network part can be 0 or 255, but why let confusion in the door.

If you are creating an Ethernet network, you must allocate a unique TCP/IP address for each network and for each machine. How do you do this? Think of a number? How do you know that your number will not conflict with someone else's number? What is the 'right' thing to do? Many documents tell you to 'consult your network administrator', hmm.


20 LANS per Site


Actually multiples of 16 or 32 might be easier if you have a real national network, and you then use bit masks to pick the correct route. However, you will probably only have occasional gateway-to-gateway connections between them, such as dial-up batch email delivery, so building routing tables won't be a headache, but remembering numbers will be!


Registered addresses

A TCP/IP address is an Internet address. A 'proper' Internet address is one allocated and registered by the Internet authorities, and it is unique in the world. No-one else is allowed to use the same address.

If you have an Internet service provider, they will allocate you one of their numbers, and register your machine name and address in the correct places.

Your Internet provider allocated your modem dial-up IP_ADDR. This address is unique the world over - any caller will be directed to your machine (if you are online). They also allocate and publish your email address, along with a second MX destination, so when you are off-line, their email machine accepts email on your behalf, and batches them until you connect.

Private addresses

If your PC is connected to Ethernet it will have a second IP address. If you have an Ethernet card, you have a LAN. Unless it's registered, it's a private LAN.

Your private LAN will have private addresses. Several address ranges have been reserved for this. They allow you to allocate your own IP addresses, without having to ask anyone. Note that they are PRIVATE: you can't use them to communicate with the PUBLIC Internet.

I presume that you have both a PPP account, and a local LAN.

Address conflicts

Other people will also use addresses in the PRIVATE range (conflicting with your use of the same range).

You cannot connect your network to their network. Neither your network, nor their remote network, can communicate with the Internet. Only your registered machine is allowed to send packets to and from the Internet. Your private machines can only communicate directly with other private machine addresses.

As long as all your machines have unique addresses, you will be OK, except that you can only use the Internet from the REGISTERED host.

Yes there are tricks to get around this, see the IP_MASQ HOWTO, and the PROXY HOWTO, for two different approaches.

EMAIL gateways

Your registered machine will be a gateway, and has TWO addresses. It can talk to hosts on the public and private networks. When your global EMAIL arrives at the registered address machine, the post room forwards it to the correct local machine (over the private network). Similarly, outgoing mail has to be sent via the post room on the gateway, which will either send it directly to the destination, or to the destination's nominated EMAIL exchanger, or probably to your service provider's EMAIL exchanger.

PROXY gateways / firewalls

If you want a private host to connect directly to a host on the public Internet, you can't.

You can only initiate/receive comms from the registered address. However, you can build up your network so that your private machines ask the gateway to do this for them. The return address is the gateway, which then relays the results back to the private host.

This can happen in three ways. Email uses a batch-like system. The email completely arrives at the gateway, then it is sent as a second email transfer to the PC (you also have a choice of SMTP and POP3).

Proxies are similar, but more 'real-time', and appear like a single connected session. Actually you have two connections, into and out of the gateway/proxy. Every request you make goes to the PROXY gateway, where the proxy software interprets it and makes a request on your behalf over the Internet. The client PC has to know that it is using a proxy, and have client-proxy software installed on it.

To do this, you will need a PROXY gateway machine that is properly configured, and lots of client APPS on the PCs that understand that flavour of PROXY. Not all apps are proxy aware, and there will be extra work configuring the security options of the firewall.

IP_Masquerading, is a clever trick, where the connection goes through the gateway, in real time, on a packet-by-packet basis. The gateway/router "edits" each packet as it goes through. Your private machines think they are connected to the remote. The remote thinks it is connected to the gateway.

It works with TCP, but not (so well) with UDP, and utilities like ping. It also needs testing, to be sure that the lies are never revealed. For example the remote may ask the local "who are you", and the local must reply "I am the gateway", because that is the only address the remote will accept. The IP_masquerading gateway does that for you, and it works, currently.

The difference between proxy and IP masquerading is that the proxy gateway uses two connections, whereas masquerading edits each packet.

With proxy, the client knows that it is using a proxy, and has to have special software.


RFC 1918 private addresses

The reserved private ranges are:		- upto -		- upto -		<-- SUGGESTED		<-- RANGE

So for example, you decide to number your machines:


What is IP and addresses?

IP (Internet protocol) is a system for transporting packets - networking. Each packet has a destination address - a 32 bit IP address.

Those 32 bits are usually written as four decimal numbers, which is why 'C' class addresses are so easy to use.

Routers retransmit packets that they receive to other routers that know how to reach the remote network. Routers talk to other routers, and can redirect traffic - hopefully via the best route.

TCP is a system (protocol) that uses IP packets to implement reliable connections (with retransmission, timeouts etc). Hence TCP/IP (over).

The 32 bit IP address is split into two parts. The split can be at any bit boundary, but a typical split is used in 'C' class addresses 24:8

|<------ NETWORK --------->|<-HOST->|
| BYTE   | BYTE   | BYTE   | BYTE   |

| 192    | 168    |  67    |   3    |  HOST 3 on LAN 67
| 192    | 168    |  67    |   0    |  Address of LAN itself
| 192    | 168    |  67    |  255   |  Broadcast to LAN
| 192    | 168    | 100    |   2    |  Different LAN  

All the hosts in a physical LAN share the same network address. Two host addresses are reserved: zero and all 1's. The netmask split for our sample network is 24:8, so the host part of the address is simple: 192.168.67.255 is reserved for broadcasting to ALL hosts on LAN 67, 192.168.67.0 is reserved to describe the LAN itself, and 192.168.67.1 is your first host (up to 254 in a C-mask LAN).

Two networks - one LAN

If you have two networks with different addresses in operation on the same LAN wire, both will run concurrently. You may get communication between them, especially if there is a gateway on the LAN, which listens to both broadcasts, and redirects traffic.

This is not a good idea, unless two independent departments share the same LAN wire, or you are testing something.

sub-netting - don't do it

If you have more than 254 hosts, you should not run them all on the same wire. Split your network into chunks so that each LAN uses a C-class address. You may wish to have fewer (eg 14) hosts on a LAN, with 16 such mini-lans inside one C-class address range.

However most people with small office networks will have more (private) address space than time, and would use several ordinary C-class network addresses, with default bitmasks.

Redefining the position of the split is "sub-netting". Its biggest benefit is to allow several LANS connected by gateways OR bridges, to share in broadcast traffic, and act as one 'logical' LAN.

The problems are mostly in configuring the correct mask values in the correct places. It is easiest to leave the hosts (ie not gateways) on LANS with up to 254 addresses, and the standard broadcasts.


An IP address is really a 32 bit number (that's binary); it's just usually printed in dotted quad decimal for readability. This address is split into two sides: network and host. The split can happen anywhere (if you use sub-netting), but there are three 'default' recommended splits, depending on how many hosts you want to have on a network.

These are class A, B and C. The 192 range is within the class-C range where the split is defined as:

24 bit network part (left = high)
 8 bit host    part (right= low)

So your network address is 192.168.67.__, and the host part is __.__.__.3, which combined gives you

Although the default interpretation of a 192.__.__.__ address is class-C, and that has a split of net.net.net.host, it is possible to redefine the boundary line. If you did that, you would have to tell all the hosts about the special splitting boundary line. This is done using the NET-MASK and BROADCAST address.

Note that any routers outside the LAN can be told a slightly different story. If all of Manchester fits under one bitmask (and no one else does), you can route traffic towards Manchester by telling the routers about the bigger bitmask (super-sub-net), but still telling every host within Manchester to use the standard C-class sub-net mask.

In binary logic, a MASK is used to AND or OR, to select bits of data or to mask them off (de-select them). With the default split line, most of the networking software can guess correctly at the default. You may need to calculate the following numbers in order to configure the TCP/IP interface devices (eth0 sl0), and routing software. See ifconfig(1) and route(1).

Converting binary to decimal, 11111111 is 255

netmask  = 255.255.255.  0	11111111.11111111.11111111.00000000
hostmask =   0.  0.  0.255	00000000.00000000.00000000.11111111
netaddr  = 192.168. 67.  0	  -192- .  -168- .01000011.00000000
broadcast= 192.168. 67.255	  -192- .  -168- .01000011.11111111
hostaddr = 192.168. 67.  3	  -192- .  -168- .01000011.00000011

NEVER have a host at address 0 or at address 255. Host address 0 is reserved for the network itself and 255 is reserved for broadcasting to every host on the network. If you have a different net mask, re-read as host part all '0' or host part all '1', and avoid 255 and 0 anyway.
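As an added worked example (not code from the original HOWTO), the mask arithmetic above carried out in Python for the page's 192.168.67.3 host, generalised from the 24:8 split to any prefix length, so it also covers the 14-host mini-LANs mentioned under sub-netting. The RFC 1918 ranges it checks against are taken from the RFC itself, not from this page's table.

```python
# Added example: the netmask/broadcast arithmetic from the table above,
# generalised from the 24:8 split to any prefix length.

# RFC 1918 private ranges, taken from the RFC itself (not from this page).
PRIVATE_RANGES = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]
ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    """Dotted quad -> 32-bit integer; rejects anything that is not four octets."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted quad: %s" % dotted)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(n):
    """Same layout as the binary column in the table above."""
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def mask_for(prefix):
    """Netmask with the top `prefix` bits set, e.g. 24 -> 255.255.255.0."""
    return (ALL_ONES << (32 - prefix)) & ALL_ONES

def describe(hostaddr, prefix=24):
    """Work out netmask, hostmask, netaddr and broadcast for a host address."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    addr = to_int(hostaddr)
    netmask = mask_for(prefix)
    hostmask = ~netmask & ALL_ONES          # the bits the netmask leaves out
    netaddr = addr & netmask                # host part all 0: the LAN itself
    broadcast = netaddr | hostmask          # host part all 1: everyone on the LAN
    hostpart = addr & hostmask
    # The NEVER rule: a host may not sit on the all-0 or all-1 host part.
    usable = prefix <= 30 and hostpart not in (0, hostmask)
    # Private (RFC 1918) addresses must never be sent to the public Internet.
    private = any((addr & mask_for(p)) == to_int(net) for net, p in PRIVATE_RANGES)
    return {
        "netmask": to_dotted(netmask), "hostmask": to_dotted(hostmask),
        "netaddr": to_dotted(netaddr), "broadcast": to_dotted(broadcast),
        "hosts": (1 << (32 - prefix)) - 2 if prefix <= 30 else 0,
        "usable": usable, "private": private,
    }

if __name__ == "__main__":
    for field, value in describe("192.168.67.3").items():
        print("%-10s %s" % (field, value))
```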

So now you should see that the 192.168 range gives you 256 networks of 254 hosts. If you only have one Ethernet LAN, simply PICK-A-NUMBER (eg 100) for the LAN address. If you have four LANs, pick 100, 101, 102, 103 for them.

The only real problem you may have is when your company merges with another company, or you decide to link networks together. If you have both picked the same network addresses, one of you will have to move. So pick a magic number (67) at random (not 1,2,3 ...).

point-to-point networks

Each network must have a unique network address. If you experiment with SLIP or PLIP (SLIP over a parallel cable), you should really create a new network address for the cable itself, and two numbers for the hosts.

This is not absolutely necessary, as the two ends are 'point-to-point', so you can re-use the Ethernet addresses. Doing so works because the two networks are otherwise disconnected, and every packet has a unique destination and origin.

Whilst experimenting, I had two machines connected by both ethernet and PPP over a serial line, using the same IP addresses for both interfaces. When I switched the ethernet off (using ifconfig eth0 down) nothing happened! Or at least appeared to, the serial PPP simply took all the traffic, which gave me time to bring eth0 back up and take PPP down. All the ftp/telnet/... sessions continued, unaware that their routes had changed, simply aware that nothing had broken.



Now your machine has TWO IP addresses! One for the PPP connection via the modem, one for the LAN connection via the Ethernet card. One is globally registered, the other is privately registered and publicly ignored.

This is only confusing if you let it be. Every network has a network address, every interface card has a host address, and most machines only have one interface card.

A host with several (physical) connections to several networks, has several addresses.

There is also the special 'loopback' address, which is used to allow hosts to talk to themselves.


IP addresses exist whether or not they are listed in /etc/hosts. This is just a mechanism of finding the address from the NAME. Of course it makes sense to keep a central host up-to-date with all the hosts on the network, and document which addresses have already been allocated by editing this file.

The job of /etc/hosts (finding IP address of hostname) can be configured to be done by name-servers over the network. That's how you can call tsx-11.mit.edu without it being in your /etc/hosts file.

After the IP address, the first name in /etc/hosts is the "proper name" of the host, followed by abbreviations and aliases. Multi-address machines will have multiple lines for the same name.

If you use /etc/hosts in preference to NIS+BIND, it makes it harder for hackers to feed you lies about your own network addresses (but it also provides a list for them to try out).


This file is a list of network addresses (without NETMASKS, confusingly). It is only really used by the ifconfig and route commands. It is limited by its lack of NETMASK.


Ethernet addresses (-aka- MAC, DTE)

Every Ethernet card in the world has a unique MAC or DTE address, (nothing to do with Apple MAC!) on a plug in PROM. This is put there by the manufacturer (though most cards can be programmed to pretend to have a different address!).

This address is used within the LAN segment, to uniquely identify the card (and host). You don't need to know the address, it all happens automatically. You might have to program the address into any 'secure' bridges.

When running IP over ethernet, it is the MAC address that gets used in the ethernet packet headers. ARP and RARP are all about converting MAC addresses to IP addresses (and the reverse). Inside the ethernet packet is an IP packet with the IP address, and the ethernet packets have their own checksums, and often retransmission protocols.


So what is Intranet?

An "internet" is the generic term for multiple IP networks that interconnect somehow. Your private LAN's form an internet.

The "Internet" (with a uppercase I) is the global, public, registered internet.

An Intranet is a marketing term, invented by people who didn't know that, thought they were doing something new, and needed a name to sell it.

Arguably, it could be used when two (or more) private internets connect via tunnelling over the Internet, though that is still inter-networking using strange gateways. When most people talk about an Intranet, they really mean a private internet, with emphasis on the business applications, running Lotus Notes through a web-browser behind a firewall.

With private internet(s), things like "internal IT and IS solutions" become relevant, so that people can share their meeting scheduling diaries, and company databases over the company internet.

So having invented networking, business and applications, the marketeers needed their own name for it, so they coined one.

i.e. it is a term to help sell web-browsers and applications that serve them. Unfortunately, now that the word exists, it has meaning and should be used.



Your ISP should do all your Internet DNS for you, but you might want to run a Domain Name Server for your private LAN. You don't have to, simply use /etc/hosts and sendmail without MX lookups.

You're supposed to have two DNS servers, for when one is down. For small private LANs you don't have to.

NIS is about sharing /etc/passwd (and other files) between hosts on your private network. You can also share /etc/hosts, but don't confuse a networked /etc/hosts file, with a real DNS service. Shared files are easier to maintain, but possibly less secure. For small networks, it isn't worth running NIS, as you'd probably prefer more resilience, and independent operation.