Residential Network Mapping Model
draft-savich-residential-network-map-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Field | Value |
|---|---|
| Document type | Active Internet-Draft (individual) |
| Author | Melisa K. Savich |
| Last updated | 2026-06-04 |
| RFC stream | (None) |
| Intended RFC status | (None) |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | I-D Exists |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
Independent Submission M. K. Savich
Internet-Draft 4 June 2026
Intended status: Informational
Expires: 6 December 2026
Abstract
Residential networks increasingly include managed routers, switches,
wireless access points, home lab systems, smart home devices,
surveillance devices, guest networks, and cloud-connected equipment.
These devices are often added incrementally without a durable mapping
model for addressing, classification, review, or troubleshooting.
This document describes a lightweight residential network mapping
model for IPv4 address planning and device classification. The model
defines Network Categories, Addressing Priority, Trust Levels,
Exposure Levels, device record fields, flat-network and segmented-
network examples, and simple review and change-log practices.
The motivation for this document is security awareness. A
residential network map can help consumers understand what kinds of
devices are on their network, which devices are trusted or
restricted, which devices are reachable locally or remotely, and
where personal or household data may flow. The model is intended for
regular users and technically capable home administrators who need a
practical way to organize residential, home lab, IoT, and
surveillance networks without deploying enterprise network management
systems.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Savich Expires 6 December 2026 [Page 1]
Internet-Draft Residential Net Map June 2026
This Internet-Draft will expire on 6 December 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Introduction
2. Terminology
3. Requirements Language
4. Applicability
5. Design Goals
6. Non-Goals
7. Mapping Model Overview
8. Network Categories
8.1. Management
8.2. Main
8.3. Guest
8.4. IoT
8.5. Surveillance
8.6. Unknown
9. Addressing Priority
9.1. Static Required
9.2. Reservation Recommended
9.3. Dynamic Acceptable
10. Trust Levels
10.1. Management
10.2. Trusted
10.3. Restricted
10.4. Guest
10.5. Unknown
11. Exposure Levels
11.1. Internal Only
11.2. Local Shared
11.3. Remote Access
11.4. Internet Exposed
11.5. Unknown
12. Classification Consistency
13. Classification Examples
14. Device Records
15. Credential Guidance
16. Flat Networks and Segmented Networks
17. Flat-Network Address Planning
18. Segmented-Network Address Planning
19. Review Guidance
20. Change Log
21. Troubleshooting Uses
21.1. Address Conflicts
21.2. Unknown Devices
21.3. Unreachable Devices
22. Privacy Considerations
23. Security Considerations
24. IANA Considerations
25. References
25.1. Normative References
25.2. Informative References
Appendix A. Example Network Map
Appendix B. Example Device Records
B.1. Router
B.2. Switch
B.3. Wireless Access Point
B.4. Smart Display
B.5. Camera
B.6. Robotic Cleaner
B.7. Phone
B.8. EV Charger
B.9. Connected Vehicle
B.10. Streaming Device
B.11. Robotic Vacuum
B.12. Guest Phone
B.13. Unknown Device
Appendix C. CSV Representation
Appendix D. JSON Representation
Author's Address
1. Introduction
Residential networks are no longer limited to a router, a few
laptops, and a printer. Many homes now contain managed routers or
firewalls, switches, wireless access points, smart home systems,
surveillance systems, guest networks, home lab equipment, cloud-
connected devices, and transient client devices.
These environments often grow incrementally. A router is installed.
A switch is added. A camera appears. A robotic cleaner joins the
network. A guest network is enabled. A network-connected vehicle,
EV charger, thermostat, streaming device, or appliance begins using
an address. Over time, the administrator can lose track of which
devices exist, which addresses are assigned, which devices should
receive stable addresses, which devices are trusted, and which
devices are reachable locally or remotely.
This document describes a lightweight residential network mapping
model that combines:
* IPv4 address planning,
* device classification,
* addressing stability guidance,
* trust posture,
* exposure posture,
* review practices, and
* lightweight change tracking.
This document does not define a new protocol. It defines an
operational mapping model that can be implemented as a worksheet,
spreadsheet, Markdown document, database table, configuration record,
or simple network mapping tool.
2. Terminology
The following terms are used in this document.
Administrator: The person or group responsible for maintaining the
residential network and its mapping records.
Address Plan: A documented allocation of IPv4 addresses or address
ranges to Network Categories.
Addressing Priority: A classification field that describes how
stable a device's address assignment is expected to be.
Device Record: A structured record describing a mapped network
device.
Dynamic Address: An IP address assigned by DHCP without a fixed
reservation.
Exposure Level: A classification field that describes how reachable
a mapped device is expected to be.
Flat Network: A network where multiple device classes share a common
subnet, such as 192.0.2.0/24.
Network Category: A logical network zone or administrative grouping.
In segmented networks, a Network Category often maps to a VLAN,
subnet, SSID, firewall zone, or equivalent control boundary. In
flat networks, a Network Category can still be used as an
administrative mapping label.
Residential Network Map: A structured representation of devices,
addresses, categories, and classification information for a
residential network.
Segmented Network: A network where devices are separated into
multiple VLANs, subnets, SSIDs, firewall zones, or equivalent
control boundaries.
Static Address: An IP address manually configured on a device or
otherwise fixed so that the device is expected to remain reachable
at that address.
DHCP Reservation: An IP address assigned by a Dynamic Host
Configuration Protocol server to a specific device, typically
based on a link-layer address.
Trust Level: A classification field that describes the expected
access posture of a mapped device.
3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
4. Applicability
This document applies to residential, home lab, and prosumer networks
that include managed routing, switching, guest access, Internet of
Things devices, and surveillance devices.
The model is intended for networks where address planning and device
classification are useful, but enterprise network management systems
are unnecessary or impractical.
This document is most applicable to:
* residential networks with managed routing or switching,
* home lab networks,
* smart home networks,
* residential IoT networks,
* residential surveillance networks,
* networks with guest access,
* networks maintained by technically capable homeowners,
* networks maintained by family members or informal administrators,
and
* networks maintained by residential technology consultants or
integrators.
The examples in this document use IPv4 documentation addresses. A
real residential deployment would normally use IPv4 private address
space, including the address ranges described in [RFC1918]. IPv6
mapping guidance is out of scope for this version of the document.
This document is not limited to any router, firewall, wireless,
surveillance, smart home, or home lab vendor.
5. Design Goals
The mapping model described in this document has the following goals:
* provide predictable address planning,
* classify devices consistently,
* distinguish network zones from trust and exposure posture,
* identify devices that need stable addressing,
* improve consumer awareness of the types of devices on the network,
* help administrators recognize devices that may collect, transmit,
or expose household data,
* encourage review of devices with remote access or unknown
classifications,
* reduce address conflicts,
* support troubleshooting,
* support flat networks and segmented networks,
* remain usable by regular home-network administrators,
* avoid credential collection, and
* provide a simple path from an informal worksheet to a structured
map.
6. Non-Goals
This document does not define:
* a new Internet protocol,
* a full enterprise IP address management system,
* a firewall policy model,
* a network monitoring system,
* a credential vault,
* an automated device discovery protocol,
* IPv6 address planning,
* residential audio/video system classification,
* a complete zero trust architecture,
* a vendor-specific configuration method, or
* a replacement for professional network design or security
assessment.
This document does not define firewall policy between Network
Categories. Administrators can use Network Categories as inputs to
firewall or segmentation policy, but those policies are out of scope
for this document.
7. Mapping Model Overview
A residential network map describes devices using four classification
axes:
* Network Category,
* Addressing Priority,
* Trust Level, and
* Exposure Level.
These axes answer four different questions:
* Network Category: Where does this device belong logically?
* Addressing Priority: How stable does this device's address
assignment need to be?
* Trust Level: How much access should this device receive?
* Exposure Level: How reachable is this device expected to be?
The following diagram shows the four classification questions used by
the residential network mapping model.
+------------------------------------------------------+
| Device Classification Model |
+--------------------------+---------------------------+
| Network Category | Addressing Priority |
| | |
| Where does this device | How stable does its |
| belong logically? | address need to be? |
+--------------------------+---------------------------+
| Trust Level | Exposure Level |
| | |
| How much access should | How reachable is this |
| this device receive? | device expected to be? |
+--------------------------+---------------------------+
These axes are intentionally separate. For example, a device can
belong to the IoT Network Category, have a Restricted Trust Level,
and have a Remote Access Exposure Level. Similarly, a device can
belong to the Main Network Category while still having a Restricted
Trust Level if the administrator does not fully trust it.
8. Network Categories
A Network Category represents the logical network zone or
administrative grouping to which a device belongs.
This document defines the following Network Categories:
* Management,
* Main,
* Guest,
* IoT,
* Surveillance, and
* Unknown.
In a segmented network, a Network Category often maps one-to-one to a
VLAN, subnet, SSID, firewall zone, or equivalent control boundary.
In a flat network, a Network Category can still be used as an
administrative label for planning and documentation.
8.1. Management
The Management category is used for devices and interfaces involved
in administering or operating the network.
Examples include:
* router or firewall management interfaces,
* switches,
* wireless access points,
* network controllers,
* local network management systems, and
* administrative appliances.
Devices in this category commonly require stable addressing.
8.2. Main
The Main category is used for trusted household or primary user
devices.
Examples include:
* personal laptops,
* desktop computers,
* phones,
* tablets,
* trusted printers,
* trusted storage devices, and
* other regular household devices.
The Main category is commonly associated with the primary LAN or
primary trusted Wi-Fi network.
8.3. Guest
The Guest category is used for visitor, temporary, or contractor
devices.
Examples include:
* visitor phones,
* visitor laptops,
* contractor devices, and
* temporary devices that should not be treated as trusted household
devices.
8.4. IoT
The IoT category is used for smart home, appliance, embedded, cloud-
connected, or lower-trust connected devices.
Examples include:
* smart thermostats,
* robotic cleaners,
* smart speakers,
* appliances,
* lighting bridges,
* smart plugs,
* EV chargers,
* connected vehicles,
* sensors, and
* vendor-managed smart devices.
8.5. Surveillance
The Surveillance category is used for physical monitoring and video
security devices.
Examples include:
* IP cameras,
* network video recorders,
* video door stations,
* camera bridges,
* intercom cameras, and
* other monitoring devices.
The Surveillance category is intentionally narrower than a general
"Security" category. A general Security category can become
ambiguous because it could include firewalls, alarm panels, door
locks, cameras, identity systems, endpoint security tools, or access
control systems.
8.6. Unknown
The Unknown category is used for devices that have been discovered
but not yet classified.
The Unknown category is intended as a temporary holding category by
default. Devices SHOULD NOT remain in the Unknown category
indefinitely without review.
If a device remains Unknown for an extended period, the Notes field
SHOULD explain why the device has not been reclassified.
9. Addressing Priority
Addressing Priority describes the addressing stability expected for a
mapped device.
This document defines the following Addressing Priority values:
* Static Required,
* Reservation Recommended, and
* Dynamic Acceptable.
9.1. Static Required
Static Required means the device needs predictable addressing. A
static address or a functionally equivalent fixed assignment is
expected.
This value is appropriate when loss of address predictability can
disrupt administration, routing, switching, surveillance, automation,
or core network operation.
Examples include:
* router or firewall management interfaces,
* switches,
* wireless access points,
* network controllers,
* network video recorders, and
* other devices that must remain reachable for troubleshooting.
9.2. Reservation Recommended
Reservation Recommended means the device should receive a stable DHCP
reservation when practical, but the network can tolerate temporary
dynamic assignment.
This value is appropriate for devices that are easier to maintain
when their address is stable, but that are not core network
infrastructure.
Examples include:
* cameras,
* printers,
* smart home hubs,
* robotic cleaners,
* EV chargers, and
* devices commonly accessed from applications or local dashboards.
9.3. Dynamic Acceptable
Dynamic Acceptable means the device can use ordinary DHCP without a
fixed reservation.
This value is appropriate for devices that do not require a
predictable address.
Examples include:
* ordinary phones,
* laptops,
* tablets,
* guest devices, and
* transient devices.
10. Trust Levels
Trust Level describes the expected access posture of a mapped device.
This document defines the following Trust Levels:
* Management,
* Trusted,
* Restricted,
* Guest, and
* Unknown.
10.1. Management
The Management Trust Level is used for devices or interfaces that
administer, control, or operate network infrastructure.
Examples include router management interfaces, switch management
interfaces, wireless controller interfaces, and network
administration systems.
10.2. Trusted
The Trusted Trust Level is used for known household or primary user
devices that are expected to have ordinary access to the Main
network.
Examples include trusted laptops, phones, tablets, and workstations.
10.3. Restricted
The Restricted Trust Level is used for known devices that should
receive limited access compared with Trusted devices.
Examples include IoT devices, surveillance devices, appliances, smart
home devices, and devices with unclear update or security posture.
10.4. Guest
The Guest Trust Level is used for visitor or temporary devices.
10.5. Unknown
The Unknown Trust Level is used when the trust posture of a device
has not yet been determined.
Devices SHOULD NOT remain Unknown indefinitely without review.
11. Exposure Levels
Exposure Level describes how reachable a mapped device is expected to
be.
This document defines the following Exposure Levels:
* Internal Only,
* Local Shared,
* Remote Access,
* Internet Exposed, and
* Unknown.
11.1. Internal Only
Internal Only is used for devices that should only be reachable for
device-specific operation or administration.
Examples include switches, management interfaces, and cameras that
should not be accessed directly by ordinary client devices.
11.2. Local Shared
Local Shared is used for devices that provide services to other
devices on the local network.
Examples include printers, storage devices, shared controllers, local
media services, or devices intentionally discoverable by trusted
local clients.
11.3. Remote Access
Remote Access is used for devices that are reachable from outside the
local network through a controlled method, such as a vendor cloud
service, VPN, managed remote access feature, or remote management
application.
11.4. Internet Exposed
Internet Exposed is used for devices that are directly reachable from
the public Internet or through an explicit port forwarding rule.
This document does not define port-forwarding record fields. The
Internet Exposed value is intended only to help regular
administrators identify that a device has public exposure.
11.5. Unknown
Unknown is used when reachability has not yet been verified.
Devices SHOULD NOT remain Unknown indefinitely without review.
12. Classification Consistency
A mapped device can have classifications that appear unusual. For
example, a device can belong to the IoT Network Category while having
a Remote Access Exposure Level, or a device in the Main Network
Category can have a Restricted Trust Level.
When classification fields appear to conflict, administrators SHOULD
review whether the device belongs in the correct Network Category and
whether the Trust Level or Exposure Level accurately reflects how the
device is used.
Unusual classifications MAY be valid, but the Notes field SHOULD
explain the reason.
13. Classification Examples
The following examples illustrate how the four classification axes
can be applied.
* router-1
- Network Category: Management
- Addressing Priority: Static Required
- Trust Level: Management
- Exposure Level: Remote Access
- Notes: Primary gateway with administrative access.
* switch-1
- Network Category: Management
- Addressing Priority: Static Required
- Trust Level: Management
- Exposure Level: Internal Only
- Notes: Main switch.
* phone-1
- Network Category: Main
- Addressing Priority: Dynamic Acceptable
- Trust Level: Trusted
- Exposure Level: Local Shared
- Notes: Trusted household device.
* camera-1
- Network Category: Surveillance
- Addressing Priority: Reservation Recommended
- Trust Level: Restricted
- Exposure Level: Internal Only
- Notes: IP camera.
* nvr-1
- Network Category: Surveillance
- Addressing Priority: Static Required
- Trust Level: Restricted
- Exposure Level: Remote Access
- Notes: Network video recorder.
* robotic-cleaner-1
- Network Category: IoT
- Addressing Priority: Dynamic Acceptable
- Trust Level: Restricted
- Exposure Level: Remote Access
- Notes: Vendor app access.
* guest-phone-1
- Network Category: Guest
- Addressing Priority: Dynamic Acceptable
- Trust Level: Guest
- Exposure Level: Local Shared
- Notes: Visitor device.
* unknown-1
- Network Category: Unknown
- Addressing Priority: Dynamic Acceptable
- Trust Level: Unknown
- Exposure Level: Unknown
- Notes: Needs review.
14. Device Records
A mapped device SHOULD have a device record.
A device record SHOULD contain the following fields, listed below in
their canonical order:
Hostname: Required. A human-readable hostname, device hostname, or
administrator-assigned label.
IP Address: Required. The assigned IPv4 address.
MAC Address: Recommended. The link-layer address used for
identification or DHCP reservation.
Manufacturer: Recommended. The device manufacturer or vendor.
Network Category: Required. One of Management, Main, Guest, IoT,
Surveillance, or Unknown.
Addressing Priority: Required. One of Static Required, Reservation
Recommended, or Dynamic Acceptable.
Trust Level: Required. One of Management, Trusted, Restricted,
Guest, or Unknown.
Exposure Level: Required. One of Internal Only, Local Shared,
Remote Access, Internet Exposed, or Unknown.
Notes: Optional. Location, purpose, firmware, switch port, owner,
review note, or other context.
This document does not define a separate device-type taxonomy.
Device type can be recorded in freeform Notes or implementation-
specific metadata when useful.
This document also does not define credential fields. Administrators
SHOULD NOT store credentials in the residential network map.
15. Credential Guidance
The network map defined by this document does not include credential
fields.
Administrators SHOULD store credentials in a password manager or
other credential management system rather than in the network map.
Administrators MUST NOT store plaintext passwords in a published or
shared residential network map.
If a separate credential system is used, the network map MAY note
that a credential exists elsewhere, but it SHOULD NOT include the
credential itself, password hints, recovery answers, multi-factor
recovery codes, or shared secrets.
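The review rules in Sections 8.6, 10.5, 11.5, 12, and 15 can be checked mechanically against each device record. The following Python example is added here and is not part of this draft; the USUAL_TRUST table, the flag names, and the credential patterns are assumptions of the example.

```python
import re

# Trust Level that the draft's examples (Sections 10 and 13) pair with each
# Network Category. Treating other pairings as "unusual" is this example's
# assumption; the draft does not define such a table.
USUAL_TRUST = {
    "Management": "Management", "Main": "Trusted", "Guest": "Guest",
    "IoT": "Restricted", "Surveillance": "Restricted", "Unknown": "Unknown",
}
AXES = ("Network Category", "Trust Level", "Exposure Level")
DEFINED_FIELDS = {"Hostname", "IP Address", "MAC Address", "Manufacturer",
                  "Addressing Priority", "Notes", *AXES}
OUTSIDE_REACH = {"Remote Access", "Internet Exposed"}
LIMITED_TRUST = {"Restricted", "Guest", "Unknown"}

# Heuristics for secrets written into the map (assumed patterns, not from the draft).
SECRET_IN_TEXT = re.compile(
    r"\b(password|passphrase|passcode|pwd|psk|secret|recovery (code|answer))s?\s*[:=]",
    re.IGNORECASE)
SECRET_FIELD = re.compile(r"pass|pwd|secret|psk|credential|recovery", re.IGNORECASE)


def review_flags(record):
    """Return short flag codes telling the administrator why to review this record."""
    flags = []
    notes = (record.get("Notes") or "").strip()
    category, trust, exposure = (record.get(axis) for axis in AXES)

    # Sections 8.6, 10.5, 11.5: Unknown is temporary; Notes should say why it persists.
    if "Unknown" in (category, trust, exposure):
        flags.append("unknown-pending" if notes else "unknown-unexplained")

    # Section 12: unusual combinations may be valid, but Notes should give the reason.
    if category in USUAL_TRUST and trust and trust != USUAL_TRUST[category] and not notes:
        flags.append("unusual-trust-unexplained")
    if exposure in OUTSIDE_REACH and trust in LIMITED_TRUST and not notes:
        flags.append("outside-reach-unexplained")

    # Section 11.4: public exposure should always be visible in a review.
    if exposure == "Internet Exposed":
        flags.append("internet-exposed")

    # Section 15: no credentials, hints, recovery codes or shared secrets in the map.
    extra = [f for f in record if f not in DEFINED_FIELDS and SECRET_FIELD.search(f)]
    if extra or any(SECRET_IN_TEXT.search(str(v)) for v in record.values()):
        flags.append("credential-in-map")
    return flags


if __name__ == "__main__":
    # Constructed record: a Main-network laptop the administrator does not fully trust.
    laptop = {"Hostname": "laptop-2", "IP Address": "192.0.2.40",
              "Network Category": "Main", "Addressing Priority": "Dynamic Acceptable",
              "Trust Level": "Restricted", "Exposure Level": "Local Shared", "Notes": ""}
    print(laptop["Hostname"], review_flags(laptop))
```

A record with no flags is not proof that its Notes text actually explains the classification; the check only confirms that an explanation was written.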
16. Flat Networks and Segmented Networks
The Network Categories defined by this document can be used in both
flat and segmented residential networks.
In a flat network, all devices may share a single subnet, such as
192.0.2.0/24. In this case, Network Categories are administrative
labels that help the administrator plan addresses and classify
devices.
In a segmented network, Network Categories can map to VLANs, subnets,
SSIDs, firewall zones, or equivalent control boundaries. For
example, Management, Main, Guest, IoT, Surveillance, and Unknown can
each map to a separate VLAN and subnet.
This document does not require segmentation. A residential network
map can begin as a flat-network planning tool and later evolve into a
segmented design.
17. Flat-Network Address Planning
In a flat network, Network Categories can be mapped to ranges within
a single subnet.
The following example uses 192.0.2.0/24, which is reserved for
documentation examples.
Example flat-network ranges:
* Management: 192.0.2.1-192.0.2.19
- Router, firewall, switches, access points, and management
interfaces.
* Main: 192.0.2.20-192.0.2.99
- Trusted household devices.
* IoT: 192.0.2.100-192.0.2.159
- Smart home devices, hubs, sensors, appliances, and cloud-
connected devices.
* Surveillance: 192.0.2.160-192.0.2.199
- Cameras, network video recorders, and door stations.
* Guest: 192.0.2.200-192.0.2.239
- Guest DHCP pool.
* Unknown: 192.0.2.240-192.0.2.254
- Temporary holding range for unclassified devices.
In a /24 network, the .0 address is the network address and the .255
address is the broadcast address. These addresses MUST NOT be
assigned to hosts.
The ranges in this section are examples only. Administrators can
choose different ranges based on network size, router capabilities,
existing address assignments, or operational preference.
18. Segmented-Network Address Planning
In a segmented network, Network Categories can map to VLANs, subnets,
SSIDs, firewall zones, or equivalent control boundaries.
The following example uses one documentation subnet slice per Network
Category. A real deployment would normally use private IPv4 subnets.
Example segmented-network layout:
* Management
- VLAN: 10
- Subnet: 192.0.2.0/28
- Notes: Router, firewall, switches, access points, and
management interfaces.
* Main
- VLAN: 20
- Subnet: 192.0.2.16/28
- Notes: Trusted household devices.
* IoT
- VLAN: 30
- Subnet: 192.0.2.32/28
- Notes: Smart home devices, hubs, sensors, appliances, and
cloud-connected devices.
* Surveillance
- VLAN: 40
- Subnet: 192.0.2.48/28
- Notes: Cameras, network video recorders, and door stations.
* Guest
- VLAN: 50
- Subnet: 192.0.2.64/28
- Notes: Guest devices.
* Unknown
- VLAN: 99
- Subnet: 192.0.2.80/28
- Notes: Unclassified devices pending review.
This document does not define firewall policy between these
categories.
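The record fields of Section 14 and the example address plans of Sections 17 and 18 can be validated together. The following Python example is added here and is not part of this draft; the function names and problem messages are assumptions of the example, while the field values, ranges, and subnets are the ones given above.

```python
import ipaddress

# Field values defined in Section 14 of the draft.
ENUM_FIELDS = {
    "Network Category": {"Management", "Main", "Guest", "IoT", "Surveillance", "Unknown"},
    "Addressing Priority": {"Static Required", "Reservation Recommended", "Dynamic Acceptable"},
    "Trust Level": {"Management", "Trusted", "Restricted", "Guest", "Unknown"},
    "Exposure Level": {"Internal Only", "Local Shared", "Remote Access",
                       "Internet Exposed", "Unknown"},
}
REQUIRED_FIELDS = ("Hostname", "IP Address", *ENUM_FIELDS)

# Section 17 example: inclusive ranges inside the flat subnet 192.0.2.0/24.
FLAT_SUBNETS = ["192.0.2.0/24"]
FLAT_PLAN = {
    "Management": ("192.0.2.1", "192.0.2.19"),
    "Main": ("192.0.2.20", "192.0.2.99"),
    "IoT": ("192.0.2.100", "192.0.2.159"),
    "Surveillance": ("192.0.2.160", "192.0.2.199"),
    "Guest": ("192.0.2.200", "192.0.2.239"),
    "Unknown": ("192.0.2.240", "192.0.2.254"),
}
# Section 18 example: one /28 per Network Category.
SEGMENTS = {
    "Management": "192.0.2.0/28", "Main": "192.0.2.16/28", "IoT": "192.0.2.32/28",
    "Surveillance": "192.0.2.48/28", "Guest": "192.0.2.64/28", "Unknown": "192.0.2.80/28",
}


def usable(cidr):
    """First and last assignable host of a subnet (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


SEGMENTED_PLAN = {category: usable(cidr) for category, cidr in SEGMENTS.items()}


def _bounds(plan):
    return {c: (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for c, (lo, hi) in plan.items()}


def check_plan(plan):
    """Return problems in the plan itself: inverted or overlapping ranges."""
    problems = []
    top_hi, top_cat = None, None
    for lo, hi, cat in sorted((lo, hi, c) for c, (lo, hi) in _bounds(plan).items()):
        if lo > hi:
            problems.append(f"{cat}: range start is above range end")
        if top_hi is not None and lo <= top_hi:
            problems.append(f"{top_cat} and {cat}: ranges overlap")
        if top_hi is None or hi > top_hi:
            top_hi, top_cat = hi, cat
    return problems


def validate_record(record, plan, subnets):
    """Return problems for one device record; an empty list means it fits the plan."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS
                if not str(record.get(f) or "").strip()]
    for field, allowed in ENUM_FIELDS.items():
        value = record.get(field)
        if value and value not in allowed:
            problems.append(f"{field}: {value!r} is not a defined value")
    raw_ip = record.get("IP Address")
    if not raw_ip:
        return problems
    try:
        ip = ipaddress.IPv4Address(raw_ip)
    except ipaddress.AddressValueError:
        return problems + [f"IP Address: {raw_ip!r} is not a valid IPv4 address"]
    nets = [ipaddress.ip_network(s) for s in subnets]
    if any(ip in (n.network_address, n.broadcast_address) for n in nets):
        return problems + [f"IP Address: {ip} is a network or broadcast address"]
    category = record.get("Network Category")
    home = next((c for c, (lo, hi) in _bounds(plan).items() if lo <= ip <= hi), None)
    if home is None:
        problems.append(f"IP Address: {ip} is outside every planned range")
    elif category in plan and home != category:
        problems.append(f"IP Address: {ip} is in the {home} range, not {category}")
    return problems


if __name__ == "__main__":
    # Constructed record: a camera that was given an address from the Main range.
    camera = {"Hostname": "camera-1", "IP Address": "192.0.2.25",
              "Network Category": "Surveillance",
              "Addressing Priority": "Reservation Recommended",
              "Trust Level": "Restricted", "Exposure Level": "Internal Only"}
    print(check_plan(FLAT_PLAN), check_plan(SEGMENTED_PLAN))
    print(validate_record(camera, FLAT_PLAN, FLAT_SUBNETS))
    print(validate_record(camera, SEGMENTED_PLAN, SEGMENTS.values()))
```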
19. Review Guidance
A residential network map SHOULD be reviewed when meaningful network
changes occur.
Examples of meaningful changes include:
* adding or removing a device,
* changing a device address,
* creating or removing a DHCP reservation,
* moving a device to a different Network Category,
* changing a device Trust Level,
* changing a device Exposure Level,
* adding a guest network,
* adding an IoT device,
* adding a surveillance device,
* replacing the router or firewall,
* replacing a switch, and
* replacing an access point.
Administrators SHOULD also review the map periodically to identify
unknown devices, outdated records, and devices that no longer match
their intended classification.
This document does not define a fixed review interval. A review
interval can be selected based on the size, complexity, and risk of
the network.
20. Change Log
A residential network map SHOULD include a lightweight change log.
The change log helps administrators understand when meaningful
network changes occurred and why they were made.
A change log entry SHOULD include:
* Date: The date of the change.
* Change: What changed.
* Reason: Why the change was made.
Example:
* 2026-06-04
- Change: Added IoT Network Category.
- Reason: Smart home devices needed separate classification.
* 2026-06-08
- Change: Reserved address for main switch.
- Reason: Switch should remain reachable for troubleshooting.
* 2026-06-12
- Change: Moved unknown device to Guest.
- Reason: Device was identified as a visitor phone.
21. Troubleshooting Uses
The mapping model is intended to support ordinary troubleshooting.
21.1. Address Conflicts
When an address conflict is suspected, an administrator can:
1. check the residential network map for the assigned device,
2. check router or firewall client lists,
3. check DHCP lease records,
4. compare the observed MAC address with the mapped MAC address,
5. identify duplicate static assignments or reservation conflicts,
6. correct the assignment, and
7. update the map.
21.2. Unknown Devices
When an unknown device is discovered, an administrator can:
1. record the IP address,
2. record the host name if available,
3. record the MAC address if available,
4. record the manufacturer if available,
5. classify the device as Unknown,
6. investigate the device,
7. reclassify the device when identified, and
8. add a note if the device remains Unknown.
21.3. Unreachable Devices
When a mapped device is unreachable, an administrator can check:
1. whether the device is powered on,
2. whether the device is connected to the expected network,
3. whether the device address changed,
4. whether the device appears in the router or firewall client list,
5. whether the mapped MAC address matches the observed MAC address,
6. whether the device moved to a different Network Category, and
7. whether recent changes explain the issue.
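The comparisons listed in Sections 21.1 through 21.3 can be run mechanically against an exported client list. The following Python code is an added example and is not part of this document's model; the (ip, mac, host name) tuple layout, the function names, and the sample data (including the conflicting address deliberately given to ap-1) are assumptions constructed for illustration.

```python
import re

FIELDS = ("hostname", "ip_address", "mac_address", "manufacturer",
          "network_category", "addressing_priority", "trust_level",
          "exposure_level", "notes")

# Constructed map excerpt (documentation addresses only). ap-1 is deliberately
# given switch-1's address to model a duplicate static assignment.
MAPPED = [
    {"hostname": "router-1", "ip_address": "192.0.2.1", "mac_address": "00:00:5E:00:53:01"},
    {"hostname": "switch-1", "ip_address": "192.0.2.10", "mac_address": "00:00:5E:00:53:10"},
    {"hostname": "ap-1", "ip_address": "192.0.2.10", "mac_address": "00:00:5E:00:53:11"},
    {"hostname": "smart-tv-1", "ip_address": "192.0.2.50", "mac_address": "00:00:5E:00:53:50"},
    {"hostname": "camera-1", "ip_address": "192.0.2.64", "mac_address": "00:00:5E:00:53:64"},
]
# Constructed router client list: (ip, mac, host name); the tuple layout is assumed.
OBSERVED = [
    ("192.0.2.1", "00:00:5e:00:53:01", "router-1"),
    ("192.0.2.10", "00-00-5E-00-53-11", "ap-1"),
    ("192.0.2.77", "00:00:5E:00:53:50", "smart-tv-1"),
    ("192.0.2.245", "00:00:5E:00:53:77", ""),
]


def norm_mac(mac):
    """Upper-case, colon-separated MAC so differently formatted exports compare equal."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(mapped, observed):
    """Return (findings, new Unknown records) for a map and a client list."""
    by_ip, by_mac, findings, unknown, seen = {}, {}, [], [], set()
    for rec in mapped:
        first = by_ip.setdefault(rec["ip_address"], rec)
        if first is not rec:   # 21.1 step 5: duplicate static assignment
            findings.append(("duplicate-assignment", rec["ip_address"],
                             f"{first['hostname']}, {rec['hostname']}"))
        by_mac[norm_mac(rec["mac_address"])] = rec
    for ip, mac, host in observed:
        mac = norm_mac(mac)
        ip_rec, mac_rec = by_ip.get(ip), by_mac.get(mac)
        if mac_rec is not None:
            seen.add(mac_rec["hostname"])
            if mac_rec["ip_address"] != ip:   # 21.3 step 3: address changed
                findings.append(("address-changed", ip, mac_rec["hostname"]))
        if ip_rec is not None and ip_rec is not mac_rec:   # 21.1 step 4
            findings.append(("mac-mismatch", ip, ip_rec["hostname"]))
        if ip_rec is None and mac_rec is None:   # 21.2: record as Unknown
            values = (host or f"unknown-{len(unknown) + 1}", ip, mac, "Unknown",
                      "Unknown", "Dynamic Acceptable", "Unknown", "Unknown",
                      "Needs review")
            unknown.append(dict(zip(FIELDS, values)))
            findings.append(("unknown-device", ip, mac))
    for rec in mapped:   # 21.3 step 4: mapped device absent from the client list
        if rec["hostname"] not in seen:
            findings.append(("not-seen", rec["ip_address"], rec["hostname"]))
    return findings, unknown


if __name__ == "__main__":
    for finding in reconcile(MAPPED, OBSERVED)[0]:
        print(*finding)
```

Each finding still needs the manual steps that follow it in the lists above: correcting the assignment, investigating the device, and updating the map.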
22. Privacy Considerations
A completed residential network map can reveal sensitive operational
details.
Examples include:
* internal addressing,
* host names,
* MAC addresses,
* device manufacturers,
* network categories,
* trust posture,
* exposure posture,
* camera or surveillance device presence,
* smart home device presence,
* guest network structure,
* management infrastructure, and
* maintenance patterns.
Completed maps SHOULD be protected from unauthorized access.
Administrators SHOULD consider:
* encrypted storage,
* restricted sharing,
* secure backups,
* redaction before vendor sharing,
* removal of sensitive fields before publication, and
* avoiding publication of real host names, MAC addresses, or
locations.
Public examples SHOULD use fictitious MAC addresses, fictitious host
names, and non-sensitive device descriptions.
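One way to carry out redaction before sharing is to keep the classification fields and replace every identifying field with a fictitious value. The following Python code is an added example, not part of this document; the function names, the "Redacted" manufacturer value, and the sample records (private addresses, locally administered MAC addresses, room-revealing host names) are assumptions constructed for illustration.

```python
import ipaddress

DOC_HOSTS = list(ipaddress.IPv4Network("192.0.2.0/24").hosts())  # 192.0.2.1-254
DOC_MAC_PREFIX = "00:00:5E:00:53"   # MAC block used by this document's examples
KEEP = ("network_category", "addressing_priority", "trust_level", "exposure_level")
IDENTIFYING = ("hostname", "ip_address", "mac_address", "manufacturer", "notes")

# Constructed "real" records: private addresses, locally administered MACs,
# and host names and notes that leak room locations.
REAL = [
    {"hostname": "garage-cam", "ip_address": "192.168.1.20",
     "mac_address": "02:00:00:AA:BB:01", "manufacturer": "Example Camera Vendor",
     "network_category": "Surveillance",
     "addressing_priority": "Reservation Recommended",
     "trust_level": "Restricted", "exposure_level": "Internal Only",
     "notes": "Above the garage door"},
    {"hostname": "kitchen-display", "ip_address": "192.168.1.31",
     "mac_address": "02:00:00:AA:BB:02", "manufacturer": "Example Display Vendor",
     "network_category": "IoT", "addressing_priority": "Dynamic Acceptable",
     "trust_level": "Restricted", "exposure_level": "Remote Access",
     "notes": "Vendor cloud account in use"},
]


def redact(records, keep_manufacturer=False):
    """Return shareable copies: classifications kept, identifiers replaced."""
    if len(records) > len(DOC_HOSTS):
        raise ValueError("more devices than documentation addresses")
    counts, out = {}, []
    for index, rec in enumerate(records):
        category = rec["network_category"]
        counts[category] = counts.get(category, 0) + 1
        clean = {
            "hostname": f"{category.lower()}-{counts[category]}",
            "ip_address": str(DOC_HOSTS[index]),
            "mac_address": f"{DOC_MAC_PREFIX}:{index + 1:02X}",
            "manufacturer": rec["manufacturer"] if keep_manufacturer else "Redacted",
        }
        clean.update({field: rec[field] for field in KEEP})
        clean["notes"] = ""   # freeform notes may name rooms, people or accounts
        out.append(clean)
    return out


def leaked_values(original, redacted, fields=IDENTIFYING):
    """Return original identifying values still present in the redacted copy."""
    text = "\n".join(v for rec in redacted for v in rec.values()).lower()
    return [rec[f] for rec in original for f in fields
            if rec[f] and rec[f].lower() in text]


if __name__ == "__main__":
    shared = redact(REAL)
    print(shared, leaked_values(REAL, shared))
```

Running leaked_values on the copy before it leaves the household confirms that no original host name, address, manufacturer, or note survived the redaction.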
23. Security Considerations
The practices described in this document can improve residential
network manageability and consumer security awareness, but they can
also concentrate sensitive information into one artifact.
A residential network map can help an administrator identify devices
that may affect privacy or security, including devices that collect
video, audio, location, usage, occupancy, or behavioral data. It can
also help identify devices that rely on remote access, vendor cloud
services, or unclear connectivity patterns.
This document does not attempt to define where each device sends data
or whether a device's data handling is acceptable. Instead, it
provides a simple structure that can help consumers notice which
classes of devices exist on the network and which devices deserve
further review.
If an attacker obtains a completed residential network map, the
attacker may gain insight into device roles, management interfaces,
internal addressing, device manufacturers, device trust posture,
device exposure posture, and possible privacy-sensitive device
categories.
Administrators MUST NOT store plaintext passwords in the map.
Administrators SHOULD restrict access to completed maps.
Administrators SHOULD avoid sharing maps that contain real MAC
addresses, host names, device locations, or other sensitive
operational details unless sharing is necessary and appropriately
controlled.
Administrators SHOULD review Unknown devices, devices marked Internet
Exposed, and devices marked Remote Access.
Administrators SHOULD pay particular attention to IoT and
Surveillance devices because these devices may collect or transmit
household data that users do not routinely inspect.
Administrators SHOULD update the map after meaningful network
changes.
Security considerations for protocol design are discussed more
generally in [RFC3552]. Although this document does not define a
protocol, the same general discipline applies: operational guidance
should identify risks and mitigations clearly.
24. IANA Considerations
This document has no IANA actions.
25. References
25.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
J., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
February 1996, <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
25.2. Informative References
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552,
DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>.
Appendix A. Example Network Map
The following example illustrates how the Network Categories defined
in this document can be represented as a residential network map.
The diagram is illustrative only. It does not define required
topology, firewall policy, routing behavior, or permitted
communication between categories.
Example Residential Network Map
                       +----------+
                       | Internet |
                       +----+-----+
                            |
                     +------+------+
                     |   Router/   |
                     |  Firewall   |
                     +------+------+
                            |
                     +------+------+
                     |   Network   |
                     |    Core     |
                     +------+------+
                            |
         +------------------+------------------+
         |                  |                  |
  +------+-----+     +------+-----+     +------+-----+
  | Management |     |    Main    |     |    IoT     |
  |  VLAN 10   |     |  VLAN 20   |     |  VLAN 30   |
  |  .2.0/28   |     |  .2.16/28  |     |  .2.32/28  |
  +------------+     +------------+     +------------+
         +------------------+------------------+
         |                  |                  |
 +-------+-----+     +------+-----+     +------+-----+
 | Surveillance|     |   Guest    |     |  Unknown   |
 |   VLAN 40   |     |  VLAN 50   |     |  VLAN 99   |
 |  .2.48/28   |     |  .2.64/28  |     |  .2.80/28  |
 +-------------+     +------------+     +------------+
In a flat-network implementation, the same categories can be
represented as ranges inside a single subnet instead of separate
VLANs or subnets.
Appendix B. Example Device Records
The following tables provide realistic but sanitized example device
records for a residential, home lab, IoT, and surveillance network.
The IP addresses are documentation addresses and are not intended for
deployment.
The fields are listed in the canonical order defined by this
document.
B.1. Router
+=====================+=======================+
| Field | Value |
+=====================+=======================+
| hostname | router-1 |
+---------------------+-----------------------+
| ip_address | 192.0.2.1 |
+---------------------+-----------------------+
| mac_address | 00:00:5E:00:53:01 |
+---------------------+-----------------------+
| manufacturer | Example Router Vendor |
+---------------------+-----------------------+
| network_category | Management |
+---------------------+-----------------------+
| addressing_priority | Static Required |
+---------------------+-----------------------+
| trust_level | Management |
+---------------------+-----------------------+
| exposure_level | Remote Access |
+---------------------+-----------------------+
| notes | Primary gateway |
+---------------------+-----------------------+
Table 1
B.2. Switch
+=====================+=======================+
| Field | Value |
+=====================+=======================+
| hostname | switch-1 |
+---------------------+-----------------------+
| ip_address | 192.0.2.10 |
+---------------------+-----------------------+
| mac_address | 00:00:5E:00:53:10 |
+---------------------+-----------------------+
| manufacturer | Example Switch Vendor |
+---------------------+-----------------------+
| network_category | Management |
+---------------------+-----------------------+
| addressing_priority | Static Required |
+---------------------+-----------------------+
| trust_level | Management |
+---------------------+-----------------------+
| exposure_level | Internal Only |
+---------------------+-----------------------+
| notes | Main switch |
+---------------------+-----------------------+
Table 2
B.3. Wireless Access Point
+=====================+=========================+
| Field | Value |
+=====================+=========================+
| hostname | ap-1 |
+---------------------+-------------------------+
| ip_address | 192.0.2.11 |
+---------------------+-------------------------+
| mac_address | 00:00:5E:00:53:11 |
+---------------------+-------------------------+
| manufacturer | Example Wireless Vendor |
+---------------------+-------------------------+
| network_category | Management |
+---------------------+-------------------------+
| addressing_priority | Static Required |
+---------------------+-------------------------+
| trust_level | Management |
+---------------------+-------------------------+
| exposure_level | Internal Only |
+---------------------+-------------------------+
| notes | Wireless access point |
+---------------------+-------------------------+
Table 3
B.4. Smart Display
+=====================+=============================+
| Field | Value |
+=====================+=============================+
| hostname | smart-tv-1 |
+---------------------+-----------------------------+
| ip_address | 192.0.2.50 |
+---------------------+-----------------------------+
| mac_address | 00:00:5E:00:53:50 |
+---------------------+-----------------------------+
| manufacturer | Samsung Electronics |
+---------------------+-----------------------------+
| network_category | IoT |
+---------------------+-----------------------------+
| addressing_priority | Reservation Recommended |
+---------------------+-----------------------------+
| trust_level | Restricted |
+---------------------+-----------------------------+
| exposure_level | Local Shared |
+---------------------+-----------------------------+
| notes | Smart display or television |
+---------------------+-----------------------------+
Table 4
B.5. Camera
+=====================+=========================+
| Field | Value |
+=====================+=========================+
| hostname | camera-1 |
+---------------------+-------------------------+
| ip_address | 192.0.2.64 |
+---------------------+-------------------------+
| mac_address | 00:00:5E:00:53:64 |
+---------------------+-------------------------+
| manufacturer | Hikvision |
+---------------------+-------------------------+
| network_category | Surveillance |
+---------------------+-------------------------+
| addressing_priority | Reservation Recommended |
+---------------------+-------------------------+
| trust_level | Restricted |
+---------------------+-------------------------+
| exposure_level | Internal Only |
+---------------------+-------------------------+
| notes | IP camera |
+---------------------+-------------------------+
Table 5
B.6. Robotic Cleaner
+=====================+==========================================+
| Field | Value |
+=====================+==========================================+
| hostname | robotic-cleaner-1 |
+---------------------+------------------------------------------+
| ip_address | 192.0.2.100 |
+---------------------+------------------------------------------+
| mac_address | 00:00:5E:00:53:70 |
+---------------------+------------------------------------------+
| manufacturer | Espressif |
+---------------------+------------------------------------------+
| network_category | IoT |
+---------------------+------------------------------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+------------------------------------------+
| trust_level | Restricted |
+---------------------+------------------------------------------+
| exposure_level | Remote Access |
+---------------------+------------------------------------------+
| notes | Robotic cleaner or embedded smart device |
+---------------------+------------------------------------------+
Table 6
B.7. Phone
+=====================+================================+
| Field | Value |
+=====================+================================+
| hostname | phone-1 |
+---------------------+--------------------------------+
| ip_address | 192.0.2.106 |
+---------------------+--------------------------------+
| mac_address | 00:00:5E:00:53:71 |
+---------------------+--------------------------------+
| manufacturer | Unknown |
+---------------------+--------------------------------+
| network_category | Main |
+---------------------+--------------------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+--------------------------------+
| trust_level | Trusted |
+---------------------+--------------------------------+
| exposure_level | Local Shared |
+---------------------+--------------------------------+
| notes | Trusted personal mobile device |
+---------------------+--------------------------------+
Table 7
B.8. EV Charger
+=====================+=========================+
| Field | Value |
+=====================+=========================+
| hostname | ev-charger-1 |
+---------------------+-------------------------+
| ip_address | 192.0.2.138 |
+---------------------+-------------------------+
| mac_address | 00:00:5E:00:53:72 |
+---------------------+-------------------------+
| manufacturer | Tesla |
+---------------------+-------------------------+
| network_category | IoT |
+---------------------+-------------------------+
| addressing_priority | Reservation Recommended |
+---------------------+-------------------------+
| trust_level | Restricted |
+---------------------+-------------------------+
| exposure_level | Remote Access |
+---------------------+-------------------------+
| notes | EV charging equipment |
+---------------------+-------------------------+
Table 8
B.9. Connected Vehicle
+=====================+====================+
| Field | Value |
+=====================+====================+
| hostname | vehicle-1 |
+---------------------+--------------------+
| ip_address | 192.0.2.143 |
+---------------------+--------------------+
| mac_address | 00:00:5E:00:53:73 |
+---------------------+--------------------+
| manufacturer | Tesla |
+---------------------+--------------------+
| network_category | IoT |
+---------------------+--------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+--------------------+
| trust_level | Restricted |
+---------------------+--------------------+
| exposure_level | Remote Access |
+---------------------+--------------------+
| notes | Connected vehicle |
+---------------------+--------------------+
Table 9
B.10. Streaming Device
+=====================+====================+
| Field | Value |
+=====================+====================+
| hostname | streaming-device-1 |
+---------------------+--------------------+
| ip_address | 192.0.2.145 |
+---------------------+--------------------+
| mac_address | 00:00:5E:00:53:74 |
+---------------------+--------------------+
| manufacturer | Apple |
+---------------------+--------------------+
| network_category | IoT |
+---------------------+--------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+--------------------+
| trust_level | Restricted |
+---------------------+--------------------+
| exposure_level | Local Shared |
+---------------------+--------------------+
| notes | Streaming device |
+---------------------+--------------------+
Table 10
B.11. Robotic Vacuum
+=====================+====================+
| Field | Value |
+=====================+====================+
| hostname | robotic-cleaner-2 |
+---------------------+--------------------+
| ip_address | 192.0.2.150 |
+---------------------+--------------------+
| mac_address | 00:00:5E:00:53:75 |
+---------------------+--------------------+
| manufacturer | Roborock |
+---------------------+--------------------+
| network_category | IoT |
+---------------------+--------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+--------------------+
| trust_level | Restricted |
+---------------------+--------------------+
| exposure_level | Remote Access |
+---------------------+--------------------+
| notes | Robotic vacuum |
+---------------------+--------------------+
Table 11
B.12. Guest Phone
+=====================+====================+
| Field | Value |
+=====================+====================+
| hostname | guest-phone-1 |
+---------------------+--------------------+
| ip_address | 192.0.2.230 |
+---------------------+--------------------+
| mac_address | 00:00:5E:00:53:76 |
+---------------------+--------------------+
| manufacturer | Unknown |
+---------------------+--------------------+
| network_category | Guest |
+---------------------+--------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+--------------------+
| trust_level | Guest |
+---------------------+--------------------+
| exposure_level | Local Shared |
+---------------------+--------------------+
| notes | Visitor device |
+---------------------+--------------------+
Table 12
B.13. Unknown Device
+=====================+====================+
| Field | Value |
+=====================+====================+
| hostname | unknown-1 |
+---------------------+--------------------+
| ip_address | 192.0.2.245 |
+---------------------+--------------------+
| mac_address | 00:00:5E:00:53:77 |
+---------------------+--------------------+
| manufacturer | Unknown |
+---------------------+--------------------+
| network_category | Unknown |
+---------------------+--------------------+
| addressing_priority | Dynamic Acceptable |
+---------------------+--------------------+
| trust_level | Unknown |
+---------------------+--------------------+
| exposure_level | Unknown |
+---------------------+--------------------+
| notes | Needs review |
+---------------------+--------------------+
Table 13
Appendix C. CSV Representation
A comma-separated values representation MAY use the following header.
It is shown across multiple lines for readability.
hostname,
ip_address,
mac_address,
manufacturer,
network_category,
addressing_priority,
trust_level,
exposure_level,
notes
Example records are shown below with one field per line. A CSV
implementation would place each record on a single row.
hostname: router-1
ip_address: 192.0.2.1
mac_address: 00:00:5E:00:53:01
manufacturer: Example Router Vendor
network_category: Management
addressing_priority: Static Required
trust_level: Management
exposure_level: Remote Access
notes: Primary gateway
hostname: camera-1
ip_address: 192.0.2.64
mac_address: 00:00:5E:00:53:64
manufacturer: Hikvision
network_category: Surveillance
addressing_priority: Reservation Recommended
trust_level: Restricted
exposure_level: Internal Only
notes: IP camera
hostname: ev-charger-1
ip_address: 192.0.2.138
mac_address: 00:00:5E:00:53:72
manufacturer: Tesla
network_category: IoT
addressing_priority: Reservation Recommended
trust_level: Restricted
exposure_level: Remote Access
notes: EV charging equipment
Appendix D. JSON Representation
A JSON representation MAY use one object per mapped device.
The following fields are defined, in canonical order:
hostname: String. Human-readable hostname, device hostname, or
administrator-assigned label.
ip_address: String. Assigned IPv4 address.
mac_address: String. Link-layer address used for identification or
DHCP reservation.
manufacturer: String. Device manufacturer or vendor.
network_category: String. Logical network category or zone.
addressing_priority: String. Addressing stability expectation.
trust_level: String. Expected trust posture.
exposure_level: String. Expected reachability posture.
notes: String. Freeform operational notes.
The network_category field SHOULD use one of the following values:
* Management,
* Main,
* Guest,
* IoT,
* Surveillance, or
* Unknown.
The addressing_priority field SHOULD use one of the following values:
* Static Required,
* Reservation Recommended, or
* Dynamic Acceptable.
The trust_level field SHOULD use one of the following values:
* Management,
* Trusted,
* Restricted,
* Guest, or
* Unknown.
The exposure_level field SHOULD use one of the following values:
* Internal Only,
* Local Shared,
* Remote Access,
* Internet Exposed, or
* Unknown.
Example:
{
  "hostname": "camera-1",
  "ip_address": "192.0.2.64",
  "mac_address": "00:00:5E:00:53:64",
  "manufacturer": "Hikvision",
  "network_category": "Surveillance",
  "addressing_priority": "Reservation Recommended",
  "trust_level": "Restricted",
  "exposure_level": "Internal Only",
  "notes": "IP camera"
}
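The field definitions and value lists above can be checked automatically, together with the review triggers from the Security Considerations and the single-row CSV form from Appendix C. The following Python code is an added example, not part of this document; the function names, the password-detection heuristic, and the nvr-1 record are assumptions constructed for illustration, and values outside the SHOULD-level lists are reported rather than rejected.

```python
import csv
import io
import ipaddress
import json
import re

FIELDS = ["hostname", "ip_address", "mac_address", "manufacturer",
          "network_category", "addressing_priority", "trust_level",
          "exposure_level", "notes"]
ALLOWED = {
    "network_category": {"Management", "Main", "Guest", "IoT", "Surveillance", "Unknown"},
    "addressing_priority": {"Static Required", "Reservation Recommended", "Dynamic Acceptable"},
    "trust_level": {"Management", "Trusted", "Restricted", "Guest", "Unknown"},
    "exposure_level": {"Internal Only", "Local Shared", "Remote Access", "Internet Exposed", "Unknown"},
}
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Heuristic chosen for this example: text shaped like "password: value".
SECRET_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S")

# Constructed input; nvr-1 is invented here to trip the checks.
SAMPLE = json.loads("""[
 {"hostname": "camera-1", "ip_address": "192.0.2.64", "mac_address": "00:00:5E:00:53:64",
  "manufacturer": "Hikvision", "network_category": "Surveillance",
  "addressing_priority": "Reservation Recommended", "trust_level": "Restricted",
  "exposure_level": "Internal Only", "notes": "IP camera"},
 {"hostname": "nvr-1", "ip_address": "192.0.2.300", "mac_address": "00:00:5E:00:53:65",
  "manufacturer": "Example NVR Vendor", "network_category": "Cameras",
  "addressing_priority": "Static Required", "trust_level": "Restricted",
  "exposure_level": "Internet Exposed", "notes": "admin password: EXAMPLE-ONLY"},
 {"hostname": "unknown-1", "ip_address": "192.0.2.245", "mac_address": "00:00:5E:00:53:77",
  "manufacturer": "Unknown", "network_category": "Unknown",
  "addressing_priority": "Dynamic Acceptable", "trust_level": "Unknown",
  "exposure_level": "Unknown", "notes": "Needs review"}
]""")


def validate(rec):
    """Return a list of problems; an empty list means the record conforms."""
    problems = [f"missing field: {f}" for f in FIELDS if f not in rec]
    problems += [f"unexpected field: {k}" for k in rec if k not in FIELDS]
    problems += [f"{k} is not a string" for k in FIELDS
                 if k in rec and not isinstance(rec[k], str)]
    if problems:
        return problems
    try:
        ipaddress.IPv4Address(rec["ip_address"])
    except ValueError:
        problems.append(f"ip_address is not IPv4: {rec['ip_address']}")
    if not MAC_RE.fullmatch(rec["mac_address"]):
        problems.append(f"mac_address is malformed: {rec['mac_address']}")
    problems += [f"{f} has unlisted value: {rec[f]}"
                 for f, allowed in ALLOWED.items() if rec[f] not in allowed]
    if any(SECRET_RE.search(rec[f]) for f in FIELDS):   # MUST NOT store passwords
        problems.append("possible plaintext password")
    return problems


def review_reasons(rec):
    """Why Section 23 asks the administrator to review this device, if at all."""
    fields = ("network_category", "trust_level", "exposure_level")
    reasons = [f"{f} is Unknown" for f in fields if rec.get(f) == "Unknown"]
    if rec.get("exposure_level") in ("Remote Access", "Internet Exposed"):
        reasons.append(f"marked {rec['exposure_level']}")
    return reasons


def to_csv(records):
    """Write conforming records one per row under the Appendix C header."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(r for r in records if not validate(r))
    return out.getvalue()
```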
Author's Address
Melisa K. Savich
Email: hello@melisasavich.com