User:Asilvering/How IPs work
Don't understand how IP addresses work, and scared to admit it since you just became an admin/TAIV? Don't worry. I've got you covered. Mostly. Parts of this guide still under construction.

You can learn about networking and IP addresses in our own articles on them, maybe. If you can do that, go do that instead. But if you try to do that and then your brain looks like the image at right and then explodes, you're in the right place. We are not here to learn network engineering. We are here to learn how to set rangeblocks that aren't stupid, and how to be a WP:TAIV without sounding like a dumbass.
The very basics
People often say that IP addresses are like street addresses. This is kind of true. An IP address tells other computers on the network "where you are". The beginning of the address is the "network address". Following the street address analogy, you can think of this part like the name of an apartment or gated residential community.[1] The rest of the address is the "host address". This identifies a single device, like a computer or a router.[2] You can think of this part like the apartment number, or the number on a house inside that gated residential community. But beyond this, IP addresses aren't much like street addresses at all.
For our purposes (remember, we just want to learn how to set rangeblocks that aren't stupid), the pieces of an IP address don't "mean anything" in the way that a street address can be broken down into a number, a street, a town, and so forth. There's just a "beginning part" and an "everything else". (Without more information, you don't even know where the "beginning part" ends and the "everything else" begins![3])
For example, 64.43.50.82, 213.233.154.159, and 89.100.138.238 all geolocate to the same place (Dublin), despite sharing nothing in common, not even the first number. The first two are even from the same ISP, Vodafone Ireland. These could all be used by the same editor, but it would be impossible to make a rangeblock that caught all three of these IP addresses without blocking literally the entire internet.[4] Similarly, even though the ranges 183.0.0.0/8, 184.0.0.0/8, 185.0.0.0/8, and 186.0.0.0/8 look "sequential", they're in four completely different regions of the world, and aren't "next to" each other in any meaningful sense.
Usually, but not always, at any given time, an IP address represents a single device in a single place. In most circumstances, you can assume that a bunch of edits on a single IP address all happening in sequence are coming from the same device, and in most circumstances you can assume that those edits are, therefore, by the same person.[2] But many IPs aren't static, so individual people, even people editing in the same place from the same device, may use many different addresses. And even static IP addresses might get reassigned to someone else. (By the time you're reading this, those addresses in the previous paragraph might not be in Dublin anymore.)
There are two kinds of IPs
You will see two different kinds of IP addresses. One looks like four neat, readable numbers, separated into 4 groups by periods, like these examples:
- 197.211.196.186
- 144.140.10.59
- 151.31.236.85
These are IPv4 addresses.
The other looks like hot garbage, separated into 8 groups by colons, like these examples:
- 2001:5d2a:905d:5783:51dd:325c:629e:cf8d
- 2009:1026:8509:f3fb:beeb:740d:4901:ae97
- 2260:498c:8c4a:2fd2:3601:eb23:aa29:8b51
These are IPv6 addresses.
You might also see IPv6 addresses looking something like this, because they've been abbreviated: 2001:db8::1.[5]
There are two kinds of IP addresses because we ran out of IPv4 addresses. This is not a joke. There are just over 4 billion possible IPv4 addresses (2^32, to be exact), and we ran out in the first decade of the 21st century. There are 2^128 IPv6 addresses, which will keep us going for a while longer.
IP math
If your eyes glaze over at this, that's fine, you don't need to be able to do this math in your head, or indeed at all. But I found it really helpful for understanding what people mean when they talk about "a /64" or "197.12.13.0/24".
Basically, IP addresses are actually made up of a series of 1s and 0s. (These are "bits".) So the example from earlier, 197.211.196.186, is actually:
- 11000101.11010011.11000100.10111010
And one of the hot mess examples from earlier, 132e:5d2a:905d:5783:51dd:325c:629e:cf8d, is actually:
- 0001001100101110:0101110100101010:1001000001011101:0101011110000011:0101000111011101:0011001001011100:0110001010011110:1100111110001101
(You can see why switching to IPv6 gives us many more addresses to play with, right?)
These expanded IP addresses are in binary notation, ie, base 2. The numbers you're used to seeing are in decimal notation, ie, base 10. For more on how bases work, see the sections below.
Ranges
An IP range is a group of IP addresses. What makes them part of the group is that they share the same starting bits. When we talk about an IP range, we represent the range with a series of numbers, then a slash, then another number. The number after the slash is the number of bits that have to "agree" with the IP address before the slash. Let's look at some examples in binary notation:
- 11111001.01110101.11100101.00101111
- 11111001.01110101.11101111.10111011
- 11111001.01110101.00101111.10111011
You'll notice that the first two "chunks" of eight digits of these IPs are all identical. After that, they diverge (the 17th digit of the third one is 0, not 1). That means that these three addresses share the first 16 bits, so the narrowest range that contains all of them is a /16. The first two IPs also share the next four digits. So the top two are on the same /20, but the bottom one isn't.
Here's what they look like converted back into the standard decimal notation:
- 249.117.229.47
- 249.117.239.187
- 249.117.47.187
explain ranges with these
The smaller the number after the slash, the more IP addresses are contained within the range (because fewer bits have to agree). We call larger ranges "wider" than smaller ones, which are "narrow". Because this works in binary, each successive number represents a range half the size of the one previous. So a /9 is half the size of a /8. And a /12 is one-sixteenth the size of a /8.
Once you realize that each group in an IPv4 address contains 8 bits, it's easy to eyeball some ranges: if only the first number agrees, that's a /8. If the first two do, that's a /16. If the first three do, that's a /24. It's important to note that this kind of "IP range" is just math. It doesn't actually "mean anything" from a networking perspective. See § Networks and subnets for more ranges that do have meaning.
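The "count the leading bits that agree" rule from this section, as an added example (not part of the original guide) using Python's standard `ipaddress` module. It goes slightly beyond the text by handling IPv6 too; the function names and the `v6_floor` parameter are made up for this example.

```python
import ipaddress


def to_bits(addr):
    """Dotted-binary form of an IPv4 address, as the guide writes it."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def common_range(addrs, v6_floor=64):
    """Narrowest range containing every address in addrs.

    v6_floor caps IPv6 results at /64, following the guide's advice that
    there is no point going narrower; it is this example's own parameter.
    """
    ips = [ipaddress.ip_address(a) for a in addrs]
    if not ips:
        raise ValueError("need at least one address")
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("cannot mix IPv4 and IPv6 in one range")
    first = int(ips[0])
    diff = 0
    for ip in ips[1:]:
        diff |= first ^ int(ip)  # a 1 marks a bit where two addresses disagree
    # Every bit to the left of the highest disagreeing bit is shared by all.
    prefix = ips[0].max_prefixlen - diff.bit_length()
    if ips[0].version == 6:
        prefix = min(prefix, v6_floor)
    # strict=False zeroes the bits after the prefix for us.
    return ipaddress.ip_network(f"{ips[0]}/{prefix}", strict=False)


if __name__ == "__main__":
    sample = ["249.117.229.47", "249.117.239.187", "249.117.47.187"]
    for a in sample:
        print(to_bits(a), a)
    print("all three:", common_range(sample))
    print("first two:", common_range(sample[:2]))
    # The three Dublin addresses from "The very basics" share no leading bits.
    dublin = ["64.43.50.82", "213.233.154.159", "89.100.138.238"]
    print("Dublin trio:", common_range(dublin))
```

Before blocking a range computed this way, check how many addresses it covers (`common_range(...).num_addresses`); a /16 is 65,536 addresses.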
How bases work
Think of the "base" as "this is how many numbers I have before the column runs out". So in base 10, we have ten numbers in order: 0,1,2,3,4,5,6,7,8,9. Then we run out. There aren't any numbers higher than "9". So we increment the next column over, and end up with one ten and one zero, that is: 10. You write the next number up, eleven, as 11. You do this kind of math all the time in a decimal system without ever thinking of it as math.
When we look at binary notation, the "math" of it becomes more obvious. In base 2, we have two numbers in order: 0,1. Then we run out. There aren't any numbers higher than "1". (Work with me, here.) So if you want to represent a number higher than one, you increment the next column over, and end up with one two and one zero, that is: 10. You write the next number up, three, as 11.
When we look at hexadecimal notation, we're counting in base 16. Since our numerals were designed for a decimal system this presents extra problems: we run out of glyphs to represent numbers. To fix this we add letters, like so: 0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f. So you can represent numbers up to sixteen, but once you want to represent a number higher than F, you increment the next column over, and end up with one sixteen and one zero, that is: 10. You write the next number up, seventeen, as 11.
IPv4s: binary arithmetic
To count in the decimal system, you need to know how powers of 10 work. Luckily, as a literate human in the 21st century, you already have this programmed into your brain and I don't need to explain it.
To be able to convert IPv4 addresses from decimal to binary, you need to know how powers of 2 work. Or you can just memorize the first 8 powers of 2, starting from 2^0, which are: 1, 2, 4, 8, 16, 32, 64, 128.
Let's look at the number 249 (which was 11111001 in binary), from the example above, and break it down by column:
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 1 | 1 | 1 | 1 | 1 | 0 | 0 | 1 |
This gives us 128+64+32+16+8+0+0+1=249.
You don't need to be able to do this in your head, or indeed to be able to do this at all, but in my opinion it makes rangeblocks a lot easier. If you want to be able to do this but don't care to do it in your head, there are calculators, like this one. (It's not special. I just found it on Google. If you're aware of a toolforge one, let me know.)
Remember that even if you don't use a calculator or feel up to doing much math in your head, you can count each group of numbers divided by a dot as 8 bits. So if the first number matches, that's an /8 or something narrower. The first two is thus 16, and the first three is 24. There's no such thing as an IPv4 /32. That's just a single IP address.
IPv6s: hexadecimal arithmetic
I could do the thing with tables again, but honestly: fuck this. If you ever need to convert an IPv6 into binary for some reason, just use a calculator. Here's a random one via Google.
Remember that you can eyeball these to some extent: each group of numbers divided by a colon is 16 bits. So if the first chunk and only the first chunk agrees, you're looking at a /16 or something narrower. The first two is thus 32, the first three 48, and the first four (this is the first half) is a /64. There's no point in going more narrow than an IPv6 /64.
Proxies
A proxy allows someone to connect (or appear to connect) to the internet via a different IP than they would ordinarily have. Because this is often done for abusive reasons, we generally block people from editing via proxy connections.
You should read the Legal:Wikimedia IP Information Tool Policy and enable the IP information tool before continuing. This tool will display various risk factors about IPs, which includes some information on whether or not the IP might be a proxy. That's "might" be a proxy. Before making any proxy blocks or describing an editor as "on proxies", familiarize yourself with the rest of this section.
Callback proxies
A callback proxy is a kind of proxy that buries proxy traffic among perfectly legitimate traffic. Sometimes this is because someone on that IP address is using a kind of residential proxy that allows their traffic to route through someone else's IP, and in exchange makes their own IP available for other customers to do the same. Sometimes it's because some hackers have pwned someone's smart TV. Most editors connecting from IPs flagged as possible callback proxies are perfectly legitimate editors and have no idea their IP has been compromised in this way.
For this reason, you probably shouldn't be blocking IPs as callback proxies unless you're a CU or you're looking at a really prolific TA that allows you to see that the editor is likely doing something scummy. Here are some signs that something is amiss:
- rapidly cycling through IP addresses, especially IPv4 addresses (you'll get a sense for what "rapidly" means as you get more experience)
- IP addresses changing geolocation in totally implausible ways over a short period of time (eg, from Venezuela to Chile to Ecuador without time to get on a plane, or randomly switching through individual unconnected provinces in a country like France or Germany)
- IP addresses changing geolocation in extremely unusual ways over time (eg, from Brazil to South Korea to Nigeria to the UK - most people aren't doing this kind of trans-continental travel inside of any given 90-day window)
- weird topic-area intrusions that don't appear to match the editing style - edit summary use, etc - of the regular editors on the IP range (eg, someone pops up editing about Norwegian food, and someone else pops up editing about shopping malls in Canada, on a Philippine ISP where most people are writing about more obviously local-interest topics)
Colocation/webhost services
add stuff here and how to block
Open proxies
An open proxy is a kind of server that is open to anyone on the internet. We block these, because, obviously, that's a huge abuse vector. You can find more information on them at WP:PROXY, but mostly you won't need to do anything about these because they are usually already globally blocked by the stewards. If you think you've found an open proxy that isn't blocked, you can report it at WP:OP.
VPNs
A VPN allows for tunnelling across the internet. We generally don't allow this, and block this kind of connection. If you spot something in the "tunnel operator" part of the IP infobox, you are justified in blocking with {{blocked proxy}}. You should probably look up the range it's on (see below) and block the whole thing if you can. If you're a TAIV, feel free to point this out when reporting to AIV, AN3, etc., just in case. SPI clerks should be awake enough to catch these on their own.
IPBE
IP block exemption is given to editors who need to connect to proxies in order to edit Wikipedia (for example, to avoid the Great Firewall of China, or to avoid a WP:HARDBLOCK aimed at a different user). If you're considering granting IPBE, please see User:Risker/IPBE. If you're a TAIV trying to help someone caught in one of these, tell them to request an unblock, or to email WP:CHECK.
Networks and subnets
A subnet is a logical (not simply mathematical) subdivision of IP addresses. What do I mean by "logical"? Well, the total pool of IP addresses is broken down and handed out to various regional organizations that determine which blocks of addresses are allocated to which internet service providers. Those ISPs, in turn, divide those blocks of addresses in various ways in order to allocate them to customers. So while you might be able to theoretically describe any range, for example, 74.255.59.18/22 (a range I just created by keyboard mashing), that might not be how those IP addresses are actually clumped together in practice. To illustrate this, let's look at that random range and find out who they belong to.
That range includes the following IPs: 74.255.56.0 - 74.255.59.255.[6] I'll be honest: I didn't do the math for this one, but outsourced it to a calculator.
Let's look up one of these addresses. I'll start with 74.255.59.18, and look it up through a free IP information service: [1]. Apparently, at the time this guide was written, this address belonged to AT&T, geolocates to Vinings, Georgia, and is part of AS6389. What does that last thing mean? It's telling us the autonomous system number. All you need to know about that is that it's a collection of collections of IP addresses.
What we now want to do is look up this ASN to find out how it's subdivided into individual ranges. I look the ASN up on ipinfo.io: [2]. Notice how you don't see 74.255.59.18/22, or the more normal way to write that, 74.255.56.0/22, anywhere on that list, even if you expand it? It's not actually a netblock, just some mathematically possible IP range inside a netblock. The actual netblock that contains 74.255.59.18 is 74.252.0.0/14, a much wider range.
A range like this is a series of sequential IP addresses that is assigned to an ASN, which is probably an ISP. That ISP can in turn assign that range, or parts of that range, to its customers. A "customer" from the point of view of the ISP could be an individual consumer, or it could be something like a corporate headquarters or a university. If it's the latter, a local system administrator in charge of the network will probably further subdivide the range into "subnets". In short, a subnet is some kind of subdivision of a network.
For our purposes, the only thing we really need to know about subnets is that they exist, because they have implications for blocking ranges and looking for sockpuppet accounts.
I explained all that with a calculator and ipinfo.io so that you could see how many different blocks of IP addresses are all under the same ASN. But if you just want to know what range an individual IP address is on normally, you can just use the WHOIS link on an IP's contribs page, or using various IP templates like this one: 74.255.59.18 (talk · contribs · IP contribs · WHOIS).
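The walk-through above, as an added example (not part of the original guide): normalize a hand-typed range, list its first and last address, and check whether it is an actual netblock or just a slice of one. The prefix list is a constructed stand-in for a real ASN lookup, and the function names are made up for this example.

```python
import ipaddress

# Constructed stand-in for an ASN's prefix list. Only 74.252.0.0/14 is from
# the guide; the other two are RFC 5737 documentation ranges used as filler.
ANNOUNCED = ["198.51.100.0/24", "74.252.0.0/14", "203.0.113.0/24"]


def normalize(range_str):
    """Canonical form of a range typed with host bits set."""
    return ipaddress.ip_network(range_str, strict=False)


def span(net):
    """First and last address in the range, as strings."""
    return str(net[0]), str(net[-1])


def covering_netblock(net, announced=ANNOUNCED):
    """Most specific announced prefix that contains net, or None."""
    hits = [p for p in map(ipaddress.ip_network, announced)
            if p.version == net.version and net.subnet_of(p)]
    return max(hits, key=lambda p: p.prefixlen, default=None)


def describe(range_str, announced=ANNOUNCED):
    """Summarize how a proposed range relates to the announced netblocks."""
    net = normalize(range_str)
    block = covering_netblock(net, announced)
    return {
        "normalized": str(net),
        "span": span(net),
        "is_netblock": block == net,
        "netblock": str(block) if block else None,
        # How many times more addresses the real netblock holds.
        "times_wider": block.num_addresses // net.num_addresses if block else None,
    }


if __name__ == "__main__":
    for key, value in describe("74.255.59.18/22").items():
        print(f"{key}: {value}")
```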
Blocking ranges
still under construction, obviously
- with a calculator
- better than that
- WP:64
- for more effective blocks, don't just assume you know what the range is, look it up
Notes
- ^ You'll have to imagine that every gated community in the world has a different name.
- ^ a b Well, that's the general idea. Proxies and so on can make this more complicated.
- ^ If you're curious about why, this guide from Microsoft might help you. If it goes over your head, don't worry about it.
- ^ Well, the entire IPv4 internet, anyway. People using IPv6 would be fine.
- ^ They're abbreviated by removing the leading zeroes from each hex. If that means nothing to you, don't worry about it. You just need to be able to recognize that it is an IP address.
- ^ The sysads in the audience are screaming. They say it only contains 74.255.56.1 - 74.255.59.254. They are correct, but the reasons for this are beyond the scope of this guide.