RFC 1918 · · Best Current Practice

Private IP addresses, explained like you're new here.

The official title is "Address Allocation for Private Internets." What it actually decides: which IP addresses belong to you and your home network, and which belong to the public internet.

Status
✓ Still current
Also known as
BCP 5
Replaces
RFC 1597
Updated by
RFC 6761

TL;DR

RFC 1918 reserves three blocks of IPv4 addresses for private use: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Anyone may use them inside their own network without asking anybody. In exchange, the public internet refuses to route them. That’s why millions of homes can all be 192.168.0.1 at the same time without chaos.

The problem it solves

In the early 1990s the internet had a scary math problem: IPv4 has only about 4.3 billion addresses, and they were being handed out fast. At the same time, most machines on company networks never talked to the outside world at all. Giving a warehouse printer a globally unique internet address was like giving every chair in your office its own postal address.

RFC 1918’s deal: if a device doesn’t need to be reachable from the internet, it shouldn’t burn a public address. Instead, it uses one from a shared pool that everybody may reuse.

The trade is elegant. You get millions of addresses for free, forever, no registry involved. The internet gets to pretend your devices don’t exist. Both sides are happy, and IPv4 lived roughly two decades longer than it had any right to.

The apartment building analogy

Think of the internet as a city and your home network as an apartment building. The building has one street address: that’s your public IP, the one your internet provider gives your router. Inside, apartments are numbered 1, 2, 3 … those are the private IPs of your laptop, phone, and TV.

Every building in the city can have an apartment 4B. No conflict, because mail from outside only ever goes to the street address. The doorman (your router, doing NAT) figures out which apartment it’s for. RFC 1918 is simply the rule that says which numbers are apartment numbers, so nobody accidentally prints them on outgoing envelopes.

One thing the analogy gets exactly right: an apartment number is useless to someone standing in another city. A private IP means nothing outside its own network. When a website “sees” you, it sees your building’s street address, never your apartment number.

The three private ranges

Three blocks, three sizes. Which one you meet depends on where you are:

  • 10.0.0.0/816,777,216 addresses

    The big one. One address for every phone in Australia, roughly. You'll meet it in corporate networks, VPNs, data centers and Kubernetes clusters. From 10.0.0.0 to 10.255.255.255.

  • 172.16.0.0/121,048,576 addresses

    The forgotten middle child. Docker quietly uses it for container networks, which is why 172.17.0.2 looks familiar to developers. From 172.16.0.0 to 172.31.255.255, and yes, only 172.16 through 172.31: that's the /12 trap in exams.

  • 192.168.0.0/1665,536 addresses

    The famous one. The default of nearly every home router on earth. If you've ever typed 192.168.0.1 to reach your router's admin page, you've used RFC 1918 without knowing it. From 192.168.0.0 to 192.168.255.255.

Bar length ≈ share of all private addresses (not to scale below 1%: the famous one is tiny).

What it looks like at your house

Private addresses inside, one public address outside. Your router translates between the two worlds. That trick is called NAT, and it lives in RFC 2663, not here.

Private territory · RFC 1918💻 Laptop192.168.0.23📱 Phone192.168.0.42📺 TV192.168.0.77Router (NAT)in: 192.168.0.1out: 203.0.113.7one public IPInternetpublic addresses only
Your neighbor’s laptop can also be 192.168.0.23. Neither of you will ever notice.

What the RFC actually says

The original is nine pages and surprisingly readable. Here's the map, in case you want to visit:

SectionIn plain words
1–2 · Intro & MotivationAddresses are running out, most hosts don't need public ones. Let's stop wasting them.
3 · Private Address SpaceThe heart of it: the three blocks, in exactly four sentences. Everything else is commentary.
4 · Pros and consHonest warning: renumbering later hurts, and merging two companies that both use 10.x hurts more.
5 · Operational rulesThe enforcement clause: routers must not leak these addresses, DNS must not serve them to outsiders.
6 · SecurityOne paragraph, roughly: "this isn't a security feature." People ignore this to this day (see below).

Try it: is this IP private?

Type any IPv4 address. We'll tell you whether RFC 1918 claims it, and which range it falls into.

Waiting for an address ...

Things people get wrong

  • "Private means secure."

    No. RFC 1918 says so itself, in its own security section. A private address makes you unaddressable from outside, which is not the same as protected: one phishing click and the attacker is inside your building, where every apartment number works fine. Being hidden is a side effect, not a defense. Your actual defense is the firewall.

  • "RFC 1918 defines NAT."

    It doesn't mention NAT once. RFC 1918 only reserves the address space; the translation trick that lets private devices reach the internet came separately (RFC 2663 and RFC 3022). They're a famous couple, but they are two different documents solving two different problems.

  • "Everything starting with 172 is private."

    Only 172.16.0.0 through 172.31.255.255. The address 172.15.0.1 is a regular public address, and so is 172.32.0.1. The /12 doesn't align with a "whole number" boundary, which makes it the single most reliable trap in networking exams.

  • "Websites can see my 192.168 address."

    They can't. By the time your request leaves the house, NAT has replaced your private address with your router's public one. Any "your IP is..." website shows the building, never the apartment.

Where you'll meet these addresses

RFC 1918 is probably the most-used standard you've never read. A field guide:

You seeYou're probably looking at
192.168.178.1A FRITZ!Box. AVM's factory default, burned into German muscle memory.
192.168.0.1 / 192.168.1.1Almost every other home router's admin page.
172.17.0.2A Docker container on the default bridge network.
172.31.x.xAn AWS default VPC. Amazon picked the very last /16 of the middle range.
10.x.x.xA corporate network, a VPN, or a Kubernetes cluster's pod network.
169.254.x.xNot RFC 1918! A device that failed to get an address and is improvising (RFC 3927).

Questions people actually ask

Is 192.168.x.x always a private address?+

Yes. The entire block from 192.168.0.0 to 192.168.255.255 is reserved by RFC 1918. If you see it, you're looking at somebody's local network, never at a machine on the public internet.

Can private IPs be routed on the internet?+

No. Internet routers are required to drop packets with RFC 1918 source or destination addresses. That's the whole deal: free reuse inside, invisibility outside. To reach the internet, a NAT gateway swaps your private address for a public one.

What's the difference between the three ranges?+

Technically only their size: 16.7 million, 1 million, and 65,536 addresses. Functionally they're identical. Conventions grew around them anyway: 10.x for big corporate and cloud networks, 172.16 to 172.31 for Docker and mid-size setups, 192.168 for homes.

Is 127.0.0.1 an RFC 1918 address?+

No. 127.0.0.1 is loopback ("this very machine") and comes from RFC 1122. It never leaves your device at all, whereas RFC 1918 addresses travel across your local network. Different rule, different RFC.

Why is my router 192.168.178.1?+

Because it's a FRITZ!Box. AVM picked 192.168.178.0/24 as its factory default decades ago, comfortably inside RFC 1918's 192.168 block. Other vendors picked 192.168.0.1 or 192.168.1.1. All equally valid, all private, all changeable in the settings.

Does RFC 1918 apply to IPv6?+

No, it's IPv4 only. IPv6 has its own flavor of private addresses called Unique Local Addresses (the fd00::/8 block), defined in RFC 4193. The philosophy is the same, the mechanics differ.

How RFC 1918 connects