RFC 1918 · · Best Current Practice
Private IP addresses, explained like you're new here.
The official title is "Address Allocation for Private Internets." What it actually decides: which IP addresses belong to you and your home network, and which belong to the public internet.
TL;DR
RFC 1918 reserves three blocks of IPv4 addresses for private use: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Anyone may use them inside their own network without asking anybody. In exchange, the public internet refuses to route them. That’s why millions of homes can all be 192.168.0.1 at the same time without chaos.
The problem it solves
In the early 1990s the internet had a scary math problem: IPv4 has only about 4.3 billion addresses, and they were being handed out fast. At the same time, most machines on company networks never talked to the outside world at all. Giving a warehouse printer a globally unique internet address was like giving every chair in your office its own postal address.
RFC 1918’s deal: if a device doesn’t need to be reachable from the internet, it shouldn’t burn a public address. Instead, it uses one from a shared pool that everybody may reuse.
The trade is elegant. You get millions of addresses for free, forever, no registry involved. The internet gets to pretend your devices don’t exist. Both sides are happy, and IPv4 lived roughly two decades longer than it had any right to.
The apartment building analogy
Think of the internet as a city and your home network as an apartment building. The building has one street address: that’s your public IP, the one your internet provider gives your router. Inside, apartments are numbered 1, 2, 3 … those are the private IPs of your laptop, phone, and TV.
Every building in the city can have an apartment 4B. No conflict, because mail from outside only ever goes to the street address. The doorman (your router, doing NAT) figures out which apartment it’s for. RFC 1918 is simply the rule that says which numbers are apartment numbers, so nobody accidentally prints them on outgoing envelopes.
One thing the analogy gets exactly right: an apartment number is useless to someone standing in another city. A private IP means nothing outside its own network. When a website “sees” you, it sees your building’s street address, never your apartment number.
The three private ranges
Three blocks, three sizes. Which one you meet depends on where you are:
- 10.0.0.0/816,777,216 addresses
The big one. One address for every phone in Australia, roughly. You'll meet it in corporate networks, VPNs, data centers and Kubernetes clusters. From 10.0.0.0 to 10.255.255.255.
- 172.16.0.0/121,048,576 addresses
The forgotten middle child. Docker quietly uses it for container networks, which is why 172.17.0.2 looks familiar to developers. From 172.16.0.0 to 172.31.255.255, and yes, only 172.16 through 172.31: that's the /12 trap in exams.
- 192.168.0.0/1665,536 addresses
The famous one. The default of nearly every home router on earth. If you've ever typed 192.168.0.1 to reach your router's admin page, you've used RFC 1918 without knowing it. From 192.168.0.0 to 192.168.255.255.
Bar length ≈ share of all private addresses (not to scale below 1%: the famous one is tiny).
What it looks like at your house
Private addresses inside, one public address outside. Your router translates between the two worlds. That trick is called NAT, and it lives in RFC 2663, not here.
What the RFC actually says
The original is nine pages and surprisingly readable. Here's the map, in case you want to visit:
| Section | In plain words |
|---|---|
| 1–2 · Intro & Motivation | Addresses are running out, most hosts don't need public ones. Let's stop wasting them. |
| 3 · Private Address Space | The heart of it: the three blocks, in exactly four sentences. Everything else is commentary. |
| 4 · Pros and cons | Honest warning: renumbering later hurts, and merging two companies that both use 10.x hurts more. |
| 5 · Operational rules | The enforcement clause: routers must not leak these addresses, DNS must not serve them to outsiders. |
| 6 · Security | One paragraph, roughly: "this isn't a security feature." People ignore this to this day (see below). |
Try it: is this IP private?
Type any IPv4 address. We'll tell you whether RFC 1918 claims it, and which range it falls into.
Waiting for an address ...
Things people get wrong
"Private means secure."
No. RFC 1918 says so itself, in its own security section. A private address makes you unaddressable from outside, which is not the same as protected: one phishing click and the attacker is inside your building, where every apartment number works fine. Being hidden is a side effect, not a defense. Your actual defense is the firewall.
"RFC 1918 defines NAT."
It doesn't mention NAT once. RFC 1918 only reserves the address space; the translation trick that lets private devices reach the internet came separately (RFC 2663 and RFC 3022). They're a famous couple, but they are two different documents solving two different problems.
"Everything starting with 172 is private."
Only 172.16.0.0 through 172.31.255.255. The address 172.15.0.1 is a regular public address, and so is 172.32.0.1. The /12 doesn't align with a "whole number" boundary, which makes it the single most reliable trap in networking exams.
"Websites can see my 192.168 address."
They can't. By the time your request leaves the house, NAT has replaced your private address with your router's public one. Any "your IP is..." website shows the building, never the apartment.
Where you'll meet these addresses
RFC 1918 is probably the most-used standard you've never read. A field guide:
| You see | You're probably looking at |
|---|---|
| 192.168.178.1 | A FRITZ!Box. AVM's factory default, burned into German muscle memory. |
| 192.168.0.1 / 192.168.1.1 | Almost every other home router's admin page. |
| 172.17.0.2 | A Docker container on the default bridge network. |
| 172.31.x.x | An AWS default VPC. Amazon picked the very last /16 of the middle range. |
| 10.x.x.x | A corporate network, a VPN, or a Kubernetes cluster's pod network. |
| 169.254.x.x | Not RFC 1918! A device that failed to get an address and is improvising (RFC 3927). |
Questions people actually ask
Is 192.168.x.x always a private address?+
Yes. The entire block from 192.168.0.0 to 192.168.255.255 is reserved by RFC 1918. If you see it, you're looking at somebody's local network, never at a machine on the public internet.
Can private IPs be routed on the internet?+
No. Internet routers are required to drop packets with RFC 1918 source or destination addresses. That's the whole deal: free reuse inside, invisibility outside. To reach the internet, a NAT gateway swaps your private address for a public one.
What's the difference between the three ranges?+
Technically only their size: 16.7 million, 1 million, and 65,536 addresses. Functionally they're identical. Conventions grew around them anyway: 10.x for big corporate and cloud networks, 172.16 to 172.31 for Docker and mid-size setups, 192.168 for homes.
Is 127.0.0.1 an RFC 1918 address?+
No. 127.0.0.1 is loopback ("this very machine") and comes from RFC 1122. It never leaves your device at all, whereas RFC 1918 addresses travel across your local network. Different rule, different RFC.
Why is my router 192.168.178.1?+
Because it's a FRITZ!Box. AVM picked 192.168.178.0/24 as its factory default decades ago, comfortably inside RFC 1918's 192.168 block. Other vendors picked 192.168.0.1 or 192.168.1.1. All equally valid, all private, all changeable in the settings.
Does RFC 1918 apply to IPv6?+
No, it's IPv4 only. IPv6 has its own flavor of private addresses called Unique Local Addresses (the fd00::/8 block), defined in RFC 4193. The philosophy is the same, the mechanics differ.
How RFC 1918 connects
What came before
RFC 1597 (1994) made the exact same three-block proposal first. RFC 1918 is its cleaned-up second edition.
RFC 1627 (1994) was the angry rebuttal, arguing private addresses would fragment the internet. Yes, RFCs used to flame each other in public. It lost the argument, but its warnings about renumbering pain made it into RFC 1918's section 4.
What it works with
- RFC 2663 · companion
NAT, the other half of the trick
Private addresses only work at scale because NAT translates them at the border. 1918 reserves, 2663 translates.
- RFC 6761 · updates this one
The DNS fine print
Formalizes how special addresses (including these) are treated in DNS, so your private names never leak into the public tree.
Its counterparts
- RFC 6598 · the sequel
The secret fourth range
By 2012 even ISPs ran out of addresses and got their own private-ish block, 100.64.0.0/10, for carrier-grade NAT. History repeating one layer up.
- RFC 4193 · the IPv6 remake
Private addresses, IPv6 edition
Unique Local Addresses (fd00::/8). Same idea, but with a twist: you generate a random prefix, so merging two networks no longer hurts.