Updated 2 hours ago
Every IP address that never reaches the Internet serves a purpose.
The IPv4 address space provides over 4 billion unique addresses, but significant portions were deliberately removed from public routing. These reserved ranges form the invisible architecture that makes private networks possible, prevents documentation examples from attacking real systems, and provides addresses for protocols to talk to themselves.
What Are Reserved IP Addresses?
The Internet Assigned Numbers Authority (IANA) maintains registries documenting which IP address blocks are reserved and why. These reservations, defined through IETF Request for Comments (RFC) documents, include metadata about whether addresses can be used as source or destination, whether routers should forward them, and whether they're globally reachable.
This isn't bureaucracy—it's preventing chaos. Without coordination, your home network's 192.168.1.1 router might try to route to someone else's 192.168.1.1 halfway across the world.
Private Network Ranges (RFC 1918)
In 1996, as IPv4 exhaustion loomed, RFC 1918 carved out three address blocks that would never be routable on the public Internet. This decision enabled billions of devices to exist on private networks without consuming public address space.
10.0.0.0/8 — The Enterprise Range
With 16.7 million addresses, this is the largest private block. Enterprises favor it because it provides room for complex network hierarchies—you can subnet extensively while maintaining clear boundaries between departments, data centers, and security zones.
172.16.0.0/12 — The Cloud Range
The middle range offers about a million addresses. It was less common in traditional networks but found new life when Amazon Web Services chose it as the default for Virtual Private Cloud configurations. Now millions of cloud instances live here.
192.168.0.0/16 — The Home Range
This range powers nearly every home network and small office. Consumer routers default to subnets like 192.168.1.0/24 because 254 addresses are plenty for a household, and the range is small enough that simple DHCP servers manage it easily.
Why Private Addresses Are Isolated
Private addresses are toxic to Internet routers. Edge routers drop packets with private source or destination addresses on sight. This isolation does double duty: it provides security by preventing direct Internet access to private devices, and it allows the same address ranges to be reused across millions of independent networks simultaneously.
Network Address Translation (NAT) bridges these isolated networks to the Internet, translating private addresses to public ones at the boundary. Your laptop's 192.168.1.100 becomes your ISP's public IP when packets cross the gateway.
This wasn't the original intent. RFC 1918 was about conserving addresses. But the isolation created an accidental security boundary—private devices are unreachable from the Internet by default. The architecture shaped behavior in ways its designers didn't anticipate.
Shared Address Space (RFC 6598)
100.64.0.0/10 — Carrier-Grade NAT
By 2012, even IPv4 conservation wasn't enough. ISPs needed to deploy Carrier-Grade NAT to share scarce public addresses across many subscribers, but using RFC 1918 space created conflicts with customers' own private networks.
RFC 6598 reserved 100.64.0.0/10 specifically for ISP infrastructure. Service providers use these addresses on the customer-facing side of CGNAT devices, avoiding collisions with subscribers using 10.0.0.0/8 or 192.168.0.0/16.
The compromise is real: CGNAT breaks port forwarding, complicates peer-to-peer applications, and adds another layer of NAT between users and the Internet. If your ISP uses CGNAT, you're behind double NAT—your router NATs your devices, then the ISP NATs your router. But it bought years of IPv4 viability while IPv6 deployment continues.
Loopback Range
127.0.0.0/8 — The Address That Goes Nowhere
The entire 127.0.0.0/8 range is reserved for loopback, though 127.0.0.1 is the conventional choice. Packets sent to loopback addresses never touch a network interface—they're caught and processed by the local TCP/IP stack.
This enables crucial workflows: testing network services without a real network, inter-process communication using standard TCP/IP, and ensuring services can reliably reach themselves. Applications binding to 127.0.0.1 are invisible to the network, creating a security boundary for development tools and administrative interfaces.
Link-Local Range
169.254.0.0/16 — When Everything Fails
This range handles a specific failure mode: a device configured for DHCP cannot reach any DHCP server. Rather than remain completely unconfigured, the device assigns itself an address from this range using Automatic Private IP Addressing (APIPA).
APIPA addresses allow devices on the same physical network segment to communicate even when centralized services are down. But they're limited—no default gateway, no routing beyond the local link.
If you see 169.254.x.x on a device, something is broken. The device tried to get a proper IP address from DHCP and failed. The link-local address is a symptom, not a solution—it tells you to look at your DHCP server or network connectivity.
Special-Purpose Ranges
0.0.0.0/8 — This Network
The address 0.0.0.0 indicates an unknown or unspecified address. It's what a device uses as its source address when broadcasting a DHCP DISCOVER message before it has an IP address. It also represents a default route in routing tables. This range should never appear in normal traffic.
192.0.0.0/24 — Protocol Assignments
IANA reserved this block for addresses used by IETF protocols for specific technical functions. These addresses appear in protocol specifications and implementations but aren't for general networking.
Documentation Ranges (RFC 5737)
Three /24 blocks exist solely for examples, documentation, and technical writing:
- 192.0.2.0/24 (TEST-NET-1)
- 198.51.100.0/24 (TEST-NET-2)
- 203.0.113.0/24 (TEST-NET-3)
Before these reservations, technical documentation used real IP addresses, inadvertently directing traffic toward unsuspecting networks. Imagine writing a firewall tutorial that accidentally told thousands of readers to block traffic from an operational business.
Now documentation can safely use these addresses knowing they won't conflict with real networks. Never use these ranges for production—they seem to work initially but fail unpredictably as they're filtered in various contexts.
Multicast Range
224.0.0.0/4 — One to Many
Unlike unicast addresses that identify single interfaces, multicast addresses represent groups of interested receivers. A single packet sent to a multicast address can reach multiple destinations simultaneously.
Multicast powers efficient video streaming, routing protocol updates, service discovery, and real-time data distribution. Without it, streaming a live event to a million viewers would require sending a million individual streams. With multicast, routers duplicate packets only where necessary, distributing load intelligently across the network.
Multicast addresses behave fundamentally differently from unicast. Don't expect normal routing—these addresses don't identify destinations, they identify groups.
Future Use and Broadcast
240.0.0.0/4 — Reserved for Future Use
This range was originally set aside for future use. As IPv4 addresses grew scarce, proposals emerged to reclaim this space, but compatibility concerns with existing systems prevented adoption. Many networking devices treat these addresses as invalid, making the space unusable without widespread equipment replacement.
It's a technological fossil—space that was set aside for tomorrow but became trapped in yesterday's assumptions.
255.255.255.255 — Limited Broadcast
Packets sent to 255.255.255.255 broadcast to all devices on the local network segment but are never forwarded by routers. DHCP clients use this address to broadcast DISCOVER messages when they don't yet have an IP address of their own.
The Architecture That Emerged
Reserved address ranges aren't administrative overhead—they're architectural decisions that shaped how the Internet functions:
Preventing Chaos: Documentation ranges stop technical examples from accidentally attacking operational networks. Before these reservations, every tutorial was a potential security incident.
Enabling Scale: RFC 1918 private ranges allow billions of devices to operate without public addresses. Without them, the Internet would have exhausted addresses years before IPv6 was ready.
Creating Accidental Security: Private address isolation wasn't designed as a security feature, but it became one. NAT as a firewall, private networks unreachable by default—these emerged from address conservation decisions.
Graceful Degradation: Link-local addresses ensure devices can still communicate when central services fail. The network degrades to local-only communication rather than complete failure.
Buying Time: Ranges like 100.64.0.0/10 extend IPv4's viability by allowing service providers to share addresses more aggressively. Every year IPv4 remains viable is another year for IPv6 deployment to mature.
Authoritative Reference
IANA maintains the definitive special-purpose address registries:
The registry includes detailed information about each reserved block: the defining RFC, whether addresses are forwardable, globally reachable, and valid as source or destination addresses.
The Hidden Scaffolding
Reserved IP address ranges are the invisible scaffolding that makes the visible Internet possible. RFC 1918 wasn't just conserving addresses—it was creating an architecture where private networks are isolated by default, where NAT provides an unintended security boundary, where network topology naturally mirrors organizational structure.
These reservations are decisions that compound. Each one solved an immediate problem while creating emergent properties that shaped everything built on top of them.
Every IP address that never reaches the Internet is doing exactly what it was designed to do: providing structure, preventing chaos, and buying time for better solutions to mature.
Frequently Asked Questions About Reserved IP Address Ranges
Sources
Was this page helpful?