# Understanding IP Addresses and Subnets

How IP addressing works, the difference between IPv4 and IPv6, and why subnetting matters for network security.
Every device that communicates on a network requires an address, and every security practitioner who investigates an incident, configures a firewall, or interprets a log file must be able to read, interpret, and reason about those addresses. IP addressing is the foundation of network communication, and subnetting is the mechanism by which large, unmanageable address spaces are divided into logical, defensible segments. Without this knowledge, a practitioner cannot trace an attacker's movement through a network, cannot write a meaningful firewall rule, and cannot evaluate whether a security control is placed correctly. This article explains how IP addressing works at a level of precision that supports real security work.
---
An Internet Protocol (IP) address is a numerical label assigned to each device participating in a network that uses the Internet Protocol for communication. The address serves two fundamental purposes: host identification and location addressing. There are two versions in active use today.
IPv4 uses a 32-bit address space, written in dotted-decimal notation (for example, 192.168.1.10). This produces approximately 4.3 billion unique addresses, a number that proved insufficient as the internet expanded globally. IPv4 remains dominant inside enterprise networks and is the address type most commonly encountered during incident response and internal assessments.
IPv6 uses a 128-bit address space, written in eight groups of four hexadecimal digits separated by colons (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334). IPv6 was designed to replace IPv4, but dual-stack environments, where both protocols run simultaneously, are the current operational reality and introduce their own security considerations.
A subnet (short for subnetwork) is a logical subdivision of an IP network. Subnetting involves splitting a larger address block into smaller, contiguous segments using a subnet mask or CIDR (Classless Inter-Domain Routing) prefix notation. For example, 192.168.1.0/24 describes a network containing 256 addresses (254 usable host addresses, one network address, and one broadcast address).
This concept is distinct from routing, though closely related. Routing determines how traffic moves between networks; subnetting defines the boundaries of those networks. It is also distinct from VLANs (Virtual Local Area Networks), which operate at Layer 2 of the OSI model, though VLANs and subnets are often configured in alignment. IP addressing is not the same as MAC addressing, which is a hardware-level identifier at Layer 2 and does not traverse routed boundaries without specific configuration.
---
Every IPv4 address is a 32-bit binary number. The dotted-decimal format is a human-readable representation. The address 192.168.1.10 in binary is 11000000.10101000.00000001.00001010. Understanding binary is not academic; it is operationally necessary for calculating network ranges, writing access control lists, and understanding why certain firewall rules behave unexpectedly.
A subnet mask operates as a bitmask. The mask 255.255.255.0 (binary: 11111111.11111111.11111111.00000000) defines which portion of the IP address identifies the network and which portion identifies the individual host. In CIDR notation, this mask is written as /24, meaning 24 bits are fixed as the network portion and 8 bits are available for host assignment.
Applying a bitwise AND operation between an IP address and its subnet mask produces the network address. For 192.168.1.10 with mask 255.255.255.0, the network address is 192.168.1.0. All devices sharing this network address can communicate directly without routing. Devices on different subnets must send traffic through a router or gateway, which is precisely the control point that security teams use to enforce policy.
Consider an organization with the address block 10.0.0.0/8, a private address space containing over 16 million addresses. Assigning all devices to a single flat network at this scale would mean any infected workstation could reach any server directly, with no routing boundary to inspect or block traffic. Instead, network architects divide this space.
A common approach uses /24 subnets for individual departments or functions. The IT department might occupy 10.1.1.0/24 (hosts 10.1.1.1 through 10.1.1.254). Finance might occupy 10.1.2.0/24. A server segment might occupy 10.10.0.0/24. A guest wireless network might occupy 10.20.0.0/24. Each boundary is a chokepoint where a firewall or access control list can enforce which traffic is permitted to cross.
Smaller subnets serve specialized purposes. A /30 subnet provides exactly two usable host addresses and is commonly used for point-to-point links between routers. A /29 provides six usable addresses and is appropriate for small clusters of servers. A /27 provides 30 usable addresses and suits a mid-sized workgroup.
Before CIDR, IPv4 addresses were allocated in classes. Class A (1.0.0.0 to 126.255.255.255) was assigned to large organizations and governments. Class B (128.0.0.0 to 191.255.255.255) was assigned to mid-sized organizations. Class C (192.0.0.0 to 223.255.255.255) was for smaller networks. Classful addressing was wasteful and was replaced by CIDR in the 1990s, but the class system still informs how practitioners read and discuss address ranges.
Three address ranges are reserved for private use (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These addresses are not routable on the public internet. Network Address Translation (NAT) allows devices on private ranges to communicate with external hosts by mapping private addresses to a public address at the network boundary. Most corporate and home networks operate entirely within RFC 1918 space.
An analyst receives an alert: a workstation at 10.5.3.47 is attempting connections to multiple hosts on the 10.10.0.0/24 server segment on port 445 (SMB). The analyst immediately draws several conclusions from the addresses alone. First, both addresses are internal, so this is lateral movement, not an inbound attack. Second, the source is in a workstation subnet (10.5.3.0/24) and the destination is in a server segment (10.10.0.0/24), which means the traffic must have passed through a firewall or router between subnets. Third, if the firewall is correctly configured, this traffic should have been blocked, and its presence indicates either a misconfiguration or a firewall rule that is too permissive. Fourth, the analyst can query the DHCP server or asset management system for the /24 subnet to identify which device holds the 10.5.3.47 lease. Each of these steps depends on the analyst understanding subnets as logical boundaries, not just address labels.
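The subnet arithmetic from the preceding sections (bitwise AND for the network address, broadcast address, usable-host counts, RFC 1918 membership) and the analyst's reasoning about the 10.5.3.47 alert, as an added Python example that is not part of the original article. The zone map and the single permitted flow (workstations to servers on 443) are constructed assumptions built from the article's example subnets, not a real network.

```python
import socket
import struct

def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text to its 32-bit integer value."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))

def parse_cidr(cidr: str):
    """'10.1.1.0/24' -> (network, mask, prefix) as ints; network = addr AND mask."""
    addr, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask, int(prefix)

def network_summary(cidr: str) -> dict:
    """Network, broadcast and usable-host count for a CIDR block."""
    net, mask, prefix = parse_cidr(cidr)
    total = 1 << (32 - prefix)
    # /31 (RFC 3021) and /32 have no separate network/broadcast address.
    return {"network": int_to_ip(net), "broadcast": int_to_ip(net | ~mask),
            "usable_hosts": total - 2 if prefix <= 30 else total}

def in_subnet(addr: str, cidr: str) -> bool:
    net, mask, _ = parse_cidr(cidr)
    return (ip_to_int(addr) & mask) == net

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Constructed zone map and policy built from the article's example subnets
# (an illustrative assumption, not a real network).
ZONES = {"workstations": ["10.1.1.0/24", "10.1.2.0/24", "10.5.3.0/24"],
         "servers": ["10.10.0.0/24"], "guest": ["10.20.0.0/24"]}
POLICY = {("workstations", "servers", 443)}  # (src_zone, dst_zone, dst_port)

def zone_of(addr: str) -> str:
    for zone, cidrs in ZONES.items():
        if any(in_subnet(addr, c) for c in cidrs):
            return zone
    return "unknown"

def assess_flow(src: str, dst: str, dst_port: int) -> str:
    """Reproduce the analyst's reasoning about an observed connection."""
    if not all(any(in_subnet(a, c) for c in RFC1918) for a in (src, dst)):
        return "external endpoint: not lateral movement"
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if any(in_subnet(src, c) and in_subnet(dst, c) for c in ZONES.get(src_zone, [])):
        return "same subnet: no routing boundary crossed"
    if (src_zone, dst_zone, dst_port) in POLICY:
        return "inter-subnet: permitted by policy"
    return (f"inter-subnet {src_zone}->{dst_zone}:{dst_port} not in policy: "
            "misconfigured or over-permissive firewall rule")
```

Running `assess_flow("10.5.3.47", "10.10.0.10", 445)` reproduces the alert: both endpoints are RFC 1918, they sit in different subnets, and SMB from the workstation zone to the server zone is not in the policy, so the flow must have crossed a routing boundary that should have blocked it.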
IPv6 introduces link-local addresses (fe80::/10) that are auto-configured on every interface without administrator involvement. It also introduces global unicast addresses, unique local addresses (fc00::/7), and multicast addresses. Organizations that have not fully inventoried their IPv6 configuration may find that security monitoring tools are logging only IPv4 traffic while IPv6 traffic flows without inspection. Attackers have used IPv6 to bypass IPv4-focused controls, making dual-stack awareness mandatory for defenders.
---
The consequences of poor IP addressing practices and flat network design are well-documented in public breach reports. The 2017 NotPetya attack spread rapidly across corporate networks because infected systems could reach other systems directly without routing boundaries. Organizations with segmented networks, where workstations could not communicate directly with other workstations and servers sat in separate subnets behind enforced access controls, experienced significantly reduced blast radius.
Proper subnet design enforces the principle of least privilege at the network layer. A workstation in the employee subnet should not be able to initiate connections to database servers on port 1433 by default. That restriction is only enforceable if a routing boundary exists between the two segments. Without subnetting, the network is flat, and every device is reachable from every other device, which means a compromised endpoint is a compromised network.
Compliance frameworks recognize this. NIST SP 800-53 includes network segmentation controls under the SC (System and Communications Protection) control family. The CIS Controls (v8) explicitly address network segmentation in Control 12. PCI DSS requires network segmentation to isolate cardholder data environments from other systems. Failure to implement subnetting correctly results in audit findings and can constitute a reportable control deficiency.
A common misconception is that firewalls alone are sufficient without subnetting. A firewall can filter traffic between any two endpoints, but without subnet-based segmentation, the firewall must have explicit rules for every possible host-to-host communication path, which is unmanageable at scale and prone to rule-order errors. Subnets allow policy to be written at the group level (permit the 10.1.1.0/24 workstation subnet to reach the 10.10.0.0/24 server subnet on HTTPS only), which is both more efficient and easier to audit.
Another misconception is that IPv6 is not relevant for internal security work. Many modern operating systems enable IPv6 by default and will prefer it when available. An organization that has not addressed IPv6 in its firewall rules and monitoring strategy has gaps it may not be aware of.
---
CDA approaches IP addressing and subnetting through the Structured Perimeter Hygiene (SPH) domain, which is one of the foundational domains in the Planetary Defense Model (PDM). SPH addresses the outermost layers of organizational defense: the controls that define what the network looks like, how traffic enters and exits, and how internal segments are isolated from one another.
The CDA Autonomous Posture Command (APC) methodology applies the principle that posture must be continuously maintained, not periodically reviewed. In the context of IP addressing, this means subnet configurations, DHCP scope assignments, and firewall rules governing inter-subnet traffic must be treated as living artifacts that are continuously validated against the intended architecture. When a new subnet is provisioned but the corresponding firewall rules are not reviewed, posture degrades silently. APC addresses this by treating any change to network addressing as a trigger for automated policy validation.
CDA differs from standard frameworks in its operational specificity. Most frameworks identify subnetting as a best practice and leave implementation to the organization. CDA provides concrete templates for subnet allocation, including recommended prefix lengths for different network functions, naming conventions that encode function and security zone into subnet documentation, and automated checks that compare live routing tables against approved network diagrams.
In practice, CDA assessors evaluating SPH will examine whether each subnet has a defined security classification, whether firewall rules are written at the subnet level rather than the host level, whether IPv6 is addressed in policy and monitoring, and whether DHCP logs are retained and correlated with security events. An organization that cannot answer basic questions about its own subnet topology during an assessment has a gap in SPH hygiene that CDA treats as a high-priority remediation item.
The APC methodology also addresses the lifecycle problem. Networks grow. Subnets get added for projects, then forgotten. Address space fragments. RFC 1918 ranges overlap when mergers occur. CDA treats subnet lifecycle management as a continuous hygiene function, not a one-time design task. Your posture adapts. Your hygiene never sleeps.
---
Written by CDA Wiki Team