Am I missing something?

I installed Docker and noticed that it created a virtual interface named docker0 with the IP address 172.17.42.1. This behavior is consistent with the Docker networking documentation. However, I was confused by this statement:

It randomly chooses an address and subnet from the private range defined by RFC 1918 that are not in use on the host machine, and assigns it to docker0. Docker made the choice 172.17.42.1/16 when I started it a few minutes ago...

It seems like RFC 1918 defines:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

How is 172.17.42.1/16 from the private ranges listed above? Is 172.17.42.1 a potentially public IP address?

hmm am I mistaken or is 172.17.0.0/16 part of 172.16.0.0/12?
Comment by Anonymous Tue 05 May 2015 04:09:48 PM EDT
Well, 172.17.42.1/16 really looks like it's inside 172.16/12 to me.
Comment by Anonymous Tue 05 May 2015 04:10:56 PM EDT
172.16.0.0 < 172.17.42.1/16 < 172.31.255.255
Comment by Anonymous Tue 05 May 2015 04:14:39 PM EDT
172.17.42.1 is in 172.16/12
Comment by Anonymous Tue 05 May 2015 04:21:27 PM EDT
172.17.42.1 is in 172.16/12
Comment by Anonymous Tue 05 May 2015 04:22:33 PM EDT

172.16.0.0/12 defines the range from 172.16.0.0 to 172.31.255.255

The IP your container was assigned (172.17.42.1) is within that range. So, it is a valid RFC 1918 address.

Comment by Anonymous Tue 05 May 2015 04:23:37 PM EDT
172.17.42.1 is in 172.16/12
Comment by Anonymous Tue 05 May 2015 04:25:19 PM EDT

172.16.0.0 - 172.31.255.255 or 172.16/12

172.17 is below the 172.31 ...

Comment by Anonymous Tue 05 May 2015 04:26:25 PM EDT
Note that it's a /12 so it's from 172.16.0.0 to 172.31.255.255 as you noted. 172.17.42.1 falls within that range.
Comment by Anonymous Tue 05 May 2015 04:28:38 PM EDT

That /16 block is definitely part of the larger 172.16.0.0/12 block, so you're fine. No publicly routable addresses were assigned.

It's just a bit odd to specify the .42 octet in combination with the /16 CIDR mask. Your range is effectively 172.17.0.1 - 172.17.255.254.

Comment by Anonymous Tue 05 May 2015 04:42:08 PM EDT
172.16.0.0 - 172.31.255.255 (172.16/12 prefix) contains all the /16 networks from 172.16/16 to 172.31/16 so 172.17/16 is fine.
Comment by Anonymous Tue 05 May 2015 04:43:12 PM EDT
172.17.42.1/16 i.e. 172.17.0.0 - 172.17.255.255 is in the subnet 172.16.0.0/12 i.e. 172.16.0.0 - 172.31.255.255, which, according to RFC 1918, is reserved for private internets. Right?
Comment by Anonymous Tue 05 May 2015 04:44:39 PM EDT
172.17.42.1/16 is well within the 172.16/12 prefix. Check with ipcalc :)
Comment by Anonymous Tue 05 May 2015 04:56:58 PM EDT

Yes, you're missing something. 172.16/12 covers the range 172.16.0.0 - 172.31.255.255.

HTH, Chris

Comment by Anonymous Tue 05 May 2015 05:08:10 PM EDT
172.17.42.1 is in the 172.16.0.0/12 range defined by RFC1918 (17 is between 16 and 31, inclusive), so it's a perfectly valid private IP address. Or did I misunderstand your question?
Comment by Anonymous Tue 05 May 2015 05:09:15 PM EDT
The chosen range of addresses is found within the 172.16.0.0/12 range. The number after the / tells you that it's a range starting at 172.16.0.0 and ending at 172.31.255.255. You can slice and dice the networks within this range as you see fit; so to carve out 172.17.0.0/16 is perfectly valid.
Comment by Anonymous Tue 05 May 2015 05:14:08 PM EDT
172.17. is within the 172.16.0.0 - 172.31.255.255 range.
Comment by Anonymous Tue 05 May 2015 05:17:28 PM EDT

No, it's a private IP range. When you plug the numbers into ipcalc, you get:

$ ipcalc 172.16.0.0/12 -s 65534
Address:   172.16.0.0           10101100.0001 0000.00000000.00000000
Netmask:   255.240.0.0 = 12     11111111.1111 0000.00000000.00000000
Wildcard:  0.15.255.255         00000000.0000 1111.11111111.11111111
=>
Network:   172.16.0.0/12        10101100.0001 0000.00000000.00000000
HostMin:   172.16.0.1           10101100.0001 0000.00000000.00000001
HostMax:   172.31.255.254       10101100.0001 1111.11111111.11111110
Broadcast: 172.31.255.255       10101100.0001 1111.11111111.11111111
Hosts/Net: 1048574               Class B, Private Internet

1. Requested size: 65534 hosts
Netmask:   255.255.0.0 = 16     11111111.11111111. 00000000.00000000
Network:   172.16.0.0/16        10101100.00010000. 00000000.00000000
HostMin:   172.16.0.1           10101100.00010000. 00000000.00000001
HostMax:   172.16.255.254       10101100.00010000. 11111111.11111110
Broadcast: 172.16.255.255       10101100.00010000. 11111111.11111111
Hosts/Net: 65534                 Class B, Private Internet

Needed size:  65536 addresses.
Used network: 172.16.0.0/16
Unused:
172.17.0.0/16
172.18.0.0/15
172.20.0.0/14
172.24.0.0/13

As you can see above, the '172.17.0.0/16' subnet is contained within the '172.16.0.0/12' subnet.

Your example of '172.17.42.1/16' might look weird at first, but it's just a normal CIDR notation of specific host / prefix. This style is a common way to write down IPv6 addresses as well. When you plug this one into ipcalc, you get:

$ ipcalc 172.17.42.1/16        
Address:   172.17.42.1          10101100.00010001. 00101010.00000001
Netmask:   255.255.0.0 = 16     11111111.11111111. 00000000.00000000
Wildcard:  0.0.255.255          00000000.00000000. 11111111.11111111
=>
Network:   172.17.0.0/16        10101100.00010001. 00000000.00000000
HostMin:   172.17.0.1           10101100.00010001. 00000000.00000001
HostMax:   172.17.255.254       10101100.00010001. 11111111.11111110
Broadcast: 172.17.255.255       10101100.00010001. 11111111.11111111
Hosts/Net: 65534                 Class B, Private Internet

In other words, you're in the clear. :-)

Comment by Anonymous Tue 05 May 2015 05:22:37 PM EDT
Wow. Thank you Internet! And a curse on my naive decimal thinking. Also, thank you to the commenter who alerted me to the ipcalc program. I just installed it and will be using it a lot in the future.
Comment by jamie [id.mayfirst.org] Wed 06 May 2015 08:43:12 AM EDT

The big problem is that you lack knowledge of the basics of IPv4 addressing. You'd better study it a bit, or you will have real problems when trying to configure any networking.

Comment by Anonymous Mon 11 May 2015 02:10:11 PM EDT
FWIW, I find the default /12 to be rather wide, and I have the unfortunate situation where I get another 172/8 address at work, 10/8 taken up by work VPN, and a 192-range address at home, meaning other private networks (host only VM or whatever) need to share with something. I narrow the range down for docker to a /24, which is more than big enough for my uses. -- (Jonathan Dowland)
Comment by Anonymous Thu 14 May 2015 12:50:40 PM EDT
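
An added example (not part of the original post or its comments), in Python with the standard `ipaddress` module: it checks containment in the RFC 1918 blocks using the same mask arithmetic that ipcalc displays above, then picks a free /24 that avoids networks already in use, the situation the last comment describes. The in-use networks are constructed sample values and the function names are illustrative.

```python
import ipaddress

# The three RFC 1918 blocks quoted in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_block(cidr):
    """Return the RFC 1918 block that fully contains host/prefix `cidr`, or None."""
    # ip_interface accepts an address with host bits set, e.g. 172.17.42.1/16,
    # and .network masks them off (172.17.0.0/16).
    net = ipaddress.ip_interface(cidr).network
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def mask_check(addr, block):
    """Containment by binary arithmetic: (address AND netmask) == network address."""
    a = int(ipaddress.ip_address(addr))
    b = ipaddress.ip_network(block)
    return (a & int(b.netmask)) == int(b.network_address)


def first_free_subnet(pool, in_use, new_prefix=24):
    """First /new_prefix inside `pool` that overlaps none of the `in_use` networks."""
    used = [ipaddress.ip_interface(n).network for n in in_use]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: networks already present on a hypothetical host
    # (work LAN in 172.16/14, VPN holding all of 10/8, home LAN in 192.168.1/24).
    in_use = ["172.16.5.20/14", "10.8.0.2/8", "192.168.1.10/24"]
    print(rfc1918_block("172.17.42.1/16"))            # private: inside 172.16/12
    print(rfc1918_block("172.32.0.1/16"))             # just past the /12 boundary
    print(rfc1918_block("172.16.0.1/8"))              # prefix wider than the block
    print(mask_check("172.17.42.1", "172.16.0.0/12"))
    print(first_free_subnet("172.16.0.0/12", in_use))
```
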