What are the 100.64.x.x IP addresses

Each system or device running an Enclave overlay network requires at least one unique IP address in order to participate in that network and communicate with other Enclave peers. That IP address should:

  • Coexist with all other IP addresses, subnets and routes which the system comes into contact with.

  • Remain static over the lifetime of the system (no matter where it moves in the physical world).

These requirements make it difficult to use IP addresses from the RFC1918 ranges reliably: an organisation would first need to check that no pre-existing address allocations overlap, and then commit to ensuring that future developments of the underlay IP network do not conflict with addressing in the Enclave overlay IP network.

Private networks and RFC 1918

While all IP addresses are technically routable, including those used in private networks, RFC1918 defines several blocks of IPv4 address space which are intended for private-use networking only. As such, RFC1918 ranges are often referred to as non-routable, as they are not meant to be reachable from the public Internet, and carriers will avoid publishing routes for those ranges.

  • 10.0.0.0/8 (255.0.0.0) — [10.0.0.0 – 10.255.255.255] — 16,777,216 addresses

  • 172.16.0.0/12 (255.240.0.0) — [172.16.0.0 – 172.31.255.255] — 1,048,576 addresses

  • 192.168.0.0/16 (255.255.0.0) — [192.168.0.0 – 192.168.255.255] — 65,536 addresses

Almost every private network on earth has devices assigned IP addresses from one or more of those ranges, so the potential for conflict is extremely high. Indeed, network operators must take care to ensure that different parts of their aggregate address space do not overlap or conflict, to avoid connectivity challenges.

Carrier Grade NAT (CGNAT)

IANA has reserved another prefix which is far less commonly deployed: 100.64.0.0/10. Defined by RFC6598 (IANA-Reserved IPv4 Prefix for Shared Address Space), the Carrier Grade NAT range is expressly reserved as a range that does not conflict with either the private network address ranges defined by RFC1918 or the public Internet ranges assigned to the Regional Internet Registries by IANA.

  • 100.64.0.0/10 (255.192.0.0) — [100.64.0.0 – 100.127.255.255] — 4,194,304 addresses

As this range is reserved for carriers and ISPs, it is never exposed either to the customer side of the carrier's network, or the public Internet. As such, the CGNAT range meets all of the criteria we require from a network IP address in an overlay network:

  • The CGNAT range is not to be used on private networks, so it does not conflict with 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

  • The CGNAT range is not to be used on the public Internet, so it does not conflict with routable networks.

  • The CGNAT range is large enough to accommodate private networks where up to 4 million devices may co-exist without IP address conflicts.

  • The CGNAT range has a set of well-defined and universally recognised constraints which allow its safe re-use within organisations.

100.64.0.0/10

Enclave uses the 100.64.0.0/10 network to assign static IP addresses by default, but that's configurable. Unless the default configuration is changed, Enclave will assign each enrolling host, device or system an IP address from the 100.64.0.0/10 range.

However, Enclave can be configured to use any IPv4 address and subnet combination for flexibility during host migrations, network consolidation or when working with esoteric, inflexible or difficult underlay networks.

Changing the network address

In order to change the IP address of an Enclave agent, an administrator will need to install and enrol Enclave to a system, stop Enclave, manually edit the relevant Enclave profile file and then restart Enclave.

The profiles directory is %programfiles%\Enclave Networks\Enclave\Agent\profiles on Windows, and /etc/enclave/profiles on Linux and macOS.

To switch Enclave to use a new addressing scheme for the overlay network, first, stop Enclave by running enclave stop. Open the relevant .profile file with a text editor like Notepad. Unless you've enrolled the same System to multiple Enclave organisations, you'll probably want to edit Universe.profile.

Manually change the values of VirtualAddress and VirtualNetwork as required. For example, you might change Universe.profile from this:

  "VirtualAddress": "100.80.76.30",
  "VirtualNetwork": "100.64.0.0/10",

To this:

  "VirtualAddress": "172.16.5.6",
  "VirtualNetwork": "172.16.4.0/23",

Once you've saved the config, run enclave start and Enclave will automatically re-configure the local virtual network interface for you.
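Before writing new VirtualAddress and VirtualNetwork values into a profile, it is worth checking them against the subnets the system already touches, which is the overlap risk described in the RFC 1918 section above. The following is an added example, not Enclave's own code: the function names and the underlay subnet list are assumptions made for illustration, while the overlay values are the ones shown on this page.

```python
import ipaddress

# Ranges named on this page: RFC 1918 private space and RFC 6598 shared (CGNAT) space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")


def classify(network):
    """Return which reserved block a network falls in: 'rfc1918', 'rfc6598' or 'other'."""
    net = ipaddress.ip_network(network)
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    if net.subnet_of(RFC6598):
        return "rfc6598"
    return "other"


def check_overlay_plan(virtual_address, virtual_network, underlay_subnets):
    """Return a list of problems with a proposed VirtualAddress/VirtualNetwork pair.

    underlay_subnets: subnets and routes the system already uses (assumed input,
    gathered by the administrator from the routing table or an IPAM export).
    """
    problems = []
    addr = ipaddress.ip_address(virtual_address)
    # strict=True rejects a network written with host bits set, e.g. 172.16.5.0/23.
    try:
        net = ipaddress.ip_network(virtual_network, strict=True)
    except ValueError as exc:
        return [f"VirtualNetwork is not a valid network: {exc}"]
    if addr not in net:
        problems.append(f"{addr} is not inside {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")
    for subnet in underlay_subnets:
        other = ipaddress.ip_network(subnet)
        if net.overlaps(other):
            problems.append(f"{net} overlaps underlay subnet {other}")
    return problems


if __name__ == "__main__":
    # Constructed underlay for illustration; the overlay values are the page's examples.
    underlay = ["192.168.1.0/24", "10.20.0.0/16", "172.16.0.0/16"]
    for address, network in (("100.80.76.30", "100.64.0.0/10"), ("172.16.5.6", "172.16.4.0/23")):
        print(address, network, classify(network), check_overlay_plan(address, network, underlay))
```

With the constructed underlay above, the default CGNAT addressing passes cleanly, while the 172.16.4.0/23 example is flagged because it sits inside an existing 172.16.0.0/16 route.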

Info

Remember that if you switch to manually configured IP addressing on one system, in order for it to successfully communicate with other systems running Enclave you'll also need to manually re-configure complementary IP addresses and subnets on those systems too.

Warning

Beware! If you're using Enclave on Windows, please note that it will automatically add a DNS entry to the Enclave virtual network interface to enable the local stub resolver function. Enclave will respect your choice to configure alternative name servers for your network adapters, so if you switch to manual IP addressing, please remember to remove the previous Enclave IP addresses from the adapter's DNS configuration. If you don't remove the old IP address, DNS queries may take longer to resolve and web pages may appear to load slowly, as the operating system attempts to send queries to the old, auto-generated Enclave IP address that is no longer in use. So, it may be necessary to remove the old IP address from the network adapter's DNS configuration when an Enclave agent's IP address is manually changed.


Having problems? Contact us at support@enclave.io or get help and advice in our community support channels.

Last updated May 3rd, 2023